Essam Ghadafi CT-RSA 2016

Transcription

1 SHORT STRUCTURE-PRESERVING SIGNATURES Essam Ghadafi Department of Computer Science, University College London CT-RSA 2016 SHORT STRUCTURE-PRESERVING SIGNATURES

2 OUTLINE 1 BACKGROUND 2 OUR SCHEME 3 EFFICIENCY COMPARISON 4 SOME APPLICATIONS 5 SUMMARY & OPEN PROBLEMS SHORT STRUCTURE-PRESERVING SIGNATURES

3

4 (PRIME-ORDER) BILINEAR GROUPS G, G,Tare finite cyclic groups of prime order p, whereg = G and G = G Pairing(e : G G T) : The function e must have the following properties: Bilinearity: P G, Q G, x, y Z, we have e(p x, Q y ) = e(p, Q) xy Non-Degeneracy: The value e(g, G) 1 generatest The function e is efficiently computable Type-III [GPS08]: G G and no efficiently computable homomorphism betweengand G in either direction SHORT STRUCTURE-PRESERVING SIGNATURES 2 / 19

5 STRUCTURE-PRESERVING SIGNATURES Some History: The term Structure-Preserving was coined by Abe et al Earlier constructions: Groth 2006 and Green and Hohenberger 2008 Many constructions in the 3 different main types of bilinear groups Optimal Type-III constructions are the most efficient SHORT STRUCTURE-PRESERVING SIGNATURES 3 / 19

6 STRUCTURE-PRESERVING SIGNATURES What are they? DEFINITION (A STRUCTURE-PRESERVING SIGNATURE) A signature scheme (defined over bilinear groups) where: m, vk andσ are elements ofgand/or G Verifying signatures only involves deciding group membership and evaluating pairing-product equations (PPE): e(a i, B j ) c i,j = Z, i j where A i G, B j G and Z T are group elements appearing inp, m, vk,σ, whereas c i,j Z p are constants SHORT STRUCTURE-PRESERVING SIGNATURES 4 / 19

7 STRUCTURE-PRESERVING SIGNATURES Why Structure-Preserving Signatures? Compose well with other pairing-based schemes Easy to encrypt Compose well with ElGamal/BBS linear encryption Easy to combine with NIZK proofs Compose well with Groth-Sahai proofs SHORT STRUCTURE-PRESERVING SIGNATURES 5 / 19

8 APPLICATIONS OF STRUCTURE-PRESERVING SIGNATURES Applications of Structure-Preserving Signatures: Blind signatures Group signatures Malleable signatures Tightly secure encryption schemes Anonymous credentials Oblivious transfer Network coding... SHORT STRUCTURE-PRESERVING SIGNATURES 6 / 19

9 EXISTING LOWER BOUNDS Lower Bounds (for unilateral messages) in Type-III Bilinear Groups (Abe et al. 2011): Signatures contain at least 3 group elements Signatures cannot be unilateral (must contain elements from both G and G) Note: Size of elements of G are at least twice as big as those ofg At least 2 PPE verification equations SHORT STRUCTURE-PRESERVING SIGNATURES 7 / 19

10 OUR CONTRIBUTION A new signature scheme in Type-III bilinear groups with shorter signatures than existing ones: Signatures consist of 3 elements fromg(i.e. unilateral) 2 PPE verification equations (5 pairings in total) Message space is the set of Diffie-Hellman pairs (Abe et al. 2010): The setĝ = {(M, Ñ) (M, Ñ) G G, e(m, G) = e(g, Ñ)} More efficient instantiations of some existing cryptographic protocols (e.g. DAA) SHORT STRUCTURE-PRESERVING SIGNATURES 8 / 19

11 OUR SCHEME The Underlying Idea: Can be viewed as an extension of the non-structure-preserving scheme of Pointcheval and Sanders (CT-RSA 2016) Can be viewed as a more efficient variant of Ghadafi (ACISP 2013) Camenisch-Lysyanskaya based structure-preserving scheme SHORT STRUCTURE-PRESERVING SIGNATURES 9 / 19

12 OUR SCHEME The Scheme: KeyGen: Choose x, y Z p, set sk := (x, y) and pk := ( X := G x, Ỹ := G y ) G 2 Sign: To sign(m, Ñ) Ĝ, Choose a Z p,σ := (A := G a, B := M a, C := A x B y ) G 3 Verify: Check that A 1 G and(m, Ñ) Ĝ and e(a, Ñ) = e(b, G) e(c, G) = e(a, X)e(B, Ỹ) Randomize: Choose r Z p, return σ := (A := A r, B := B r, C := C r ) SHORT STRUCTURE-PRESERVING SIGNATURES 10 / 19

13 PROPERTIES OF THE SCHEME Some Properties of the Scheme: The scheme is secure in the generic group model alternatively can be based on an interactive assumption Unilateral signatures (Perfectly) Fully re-randomizable Only M part of the message is needed for signing SHORT STRUCTURE-PRESERVING SIGNATURES 11 / 19

14 EFFICIENCY COMPARISON Scheme Size Verification R? Assumptions σ vk P m PPE Pairing [GH08] a G 4 G G 2 - G Y q-hlrsw 4 8 [Fuc09] G 3 G 2 G G G 3 Ĝ N q-adhsdh+awfcdh 3 9 [AFG+10] I G 5 G 2 G 10 G 4 - G P q-sfp 2 12 [AFG+10] II G 2 G 5 G 10 G 4 - G P q-sfp 2 12 [AGH+11] I G 2 G G G 3 - G G N GGM 2 7 [AGH+11] II G 2 G G G - G Y GGM 2 5 [Gha13] G 4 G 2 - Ĝ Y DH-LRSW 3 7 [CM14] I G G 2 G 2 - G N GGM 2 5 [CM14] II G G 2 G 2 - G Y GGM 2 6 [CM14] III G 2 G G 2 - G Y GGM 2 6 [AGO+14] I G 3 G G G G Y GGM 2 6 [AGO+14] II G 2 G G G G N GGM 2 6 [BFF15] G G 2 G 2 - G Y GGM 2 5 [Gro15] I G G 2 G G G Y GGM 2 6 [Gro15] II G G 2 G G G N GGM 2 7 Ours G 3 G 2 - Ĝ Y GGM 2 5 a This scheme is only secure against a random message attack. SHORT STRUCTURE-PRESERVING SIGNATURES 12 / 19

15 EFFICIENCY COMPARISON Comparison with schemes with the same message space Scheme Size Verification R? Assumptions σ vk P PPE Pairing [Fuc09] G 3 G 2 G G G 3 N q-adhsdh+awfcdh 3 9 or (7 & 2 ECAdd) [Gha13] G 4 G 2 - Y DH-LRSW 3 7 or (6 & 1 ECAdd) Ours G 3 G 2 - Y GGM 2 5 * Cost does not include checking well-formedness of the message SHORT STRUCTURE-PRESERVING SIGNATURES 13 / 19

16 GENERIC CONSTRUCTION OF DAA Bernhard et al gave a generic construction of DAA which requires the following tools: Randomizable Weakly Blind Signatures (RwBS) Used by the Issuer to issue certificates as credentials when users join the group Linkable Indistinguishable Tags (LIT) Needed to provide the linkability of signatures when the same basename is signed by the same user Signatures of Knowledge (SoK) Used by users to prove they have a credential and that the signature on the basename verifies w.r.t. thier certified secret key SHORT STRUCTURE-PRESERVING SIGNATURES 14 / 19

17 BLIND SIGNATURES SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19

18 BLIND SIGNATURES Sig SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19

19 BLIND SIGNATURES Sig Sig Security Requirements: Blindness: An adversary (i.e. a signer) who chooses the messages, does not learn which message being signed and cannot link a signature to its signing session Unforgeability: An adversary (i.e. a user) cannot forge new signatures SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19

20 BLIND SIGNATURES Sig Sig Security Requirements: Blindness: An adversary (i.e. a signer) who chooses the messages, does not learn which message being signed and cannot link a signature to its signing session Unforgeability: An adversary (i.e. a user) cannot forge new signatures SHORT STRUCTURE-PRESERVING SIGNATURES 15 / 19

21 RANDOMIZABLE WEAKLY BLIND SIGNATURES (RWBS) Similar to blind signatures but: Randomizability: Given a signatureσ, anyone can produce a new signatureσ on the same message Weak Blindness: Same as blindness but the adversary never sees the messages The adversary cannot tell if he was given a signature on a different message or a re-randomization of a signature on the same message SHORT STRUCTURE-PRESERVING SIGNATURES 16 / 19

22 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19

23 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19

24 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19

25 EFFICIENT RWBS WITHOUT RANDOM ORACLES The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs Only M is needed for signing To request a signature on (M, Ñ), send M and a NIZKPoKπ of Ñ L User : { (M, Ñ ) : e(g, Ñ) = e(m, G ) G G = 1 G } The signer produces a signatureσ and a NIZK proofω(without knowing Ñ) for the validity ofσ L Signer :{ ((A, B, M), Ã ) : e(g, Ã) = e(a, G ) e(m, Ã) = e(b, G ) G G = 1 G } Fully re-randomizable User verifiesωand the final signature is a re-randomization ofσ SHORT STRUCTURE-PRESERVING SIGNATURES 17 / 19

26 EFFICIENT RWBS WITHOUT RANDOM ORACLES Security of the RwBS Scheme: Unforgeability of the SPS Scheme+SXDH Efficiency of the RwBS Scheme: Scheme Signature Verification PPE Pairing Bernhard et al I G or (6&1ECAdd) Ours G SHORT STRUCTURE-PRESERVING SIGNATURES 18 / 19

27 SUMMARY & OPEN PROBLEMS Summary: A new unilateral SPS scheme with short signatures More efficient instantiations of building blocks for DAA without random oracles Open Problems: More efficient constructions of unilateral structure-preserving signatures Constructions based on standard assumptions (e.g. DDH, DLIN, etc.) (Constant-size?) constructions for a vector of Diffie-Hellman pairs SHORT STRUCTURE-PRESERVING SIGNATURES 19 / 19

28 THE END Thank you for your attention! Questions? SHORT STRUCTURE-PRESERVING SIGNATURES