Policy-based Signature

Transcription

1 Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU November 2, 2013

2 1 2 3

3 1. Bellare M, Fuchsbauer G. s[r]. Cryptology eprint Archive, Report 2013/413, [GS08] Jens Groth, Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. 3. Abe M, Fuchsbauer G, Groth J, et al. Structure-preserving signatures and commitments to group elements[m]//advances in CryptologyCCRYPTO Springer Berlin Heidelberg, 2010: Groth J. Simulation-sound NIZK proofs for a practical language and constant size group signatures[m]//advances in CryptologyCASIACRYPT Springer Berlin Heidelberg, 2006:

4 s (PBS), where a signer s secret key sk p is associated to a policy p {0, 1} that allows the signer to produce a valid signature σ of a message m only if the message satisfies the policy, meaning (p, m) belongs to a policy language l {0, 1} {0, 1} associated to the scheme.

5 WHY PBS offers value along two fronts, practical and theoretical. On the practical side, the setup of PBS is natural in a corporate or other hierarchical environment. On the theoretical side, PBS decreases rather than increases complexity in the area because it serves as an umbrella notion that unies existing notions by capturing some as special cases and allows others to be derived in simple and natural ways.

6 Structure-preserving signature A signature scheme is structure-preserving if its verification keys, signatures, and messages are elements in a bilinear group, and the verification equation is a conjunction of pairing-product equations.

7 Simulatability Simulatability, that says that real signatures look like ones a simulator could generate without knowledge of the policy or any key derived from the policy. FE, impossibility results show that the strongest and most desirable simulation-based definitions are not achievable. PBS we will show that our simulatability notion is achievable in the standard model under standard assumptions.

8 Simulatability+extractability Simulatability implies indistinguishability, and simulatability+extractability implies unforgeability. Simulatability+extractability emerges as a powerful security notion that enables a wide range of applications.

9 WHAT PBS provide(1)? Consider the example of a company implementing a scheme where each employee gets a signing key and there is one public key which is used by outsiders to verify signatures in the name of the company. A group-signature scheme would allow every employee holding a key to sign on behalf of the company, but there is no ne-grained control over who is allowed to sign which documents.

10 WHAT PBS provide(2)? This can be achieved using attribute-based signatures, where each user is assigned attributes, and a message is signed with respect to a policy like (CEO or (board member and general manager)). However, it is questionable whether a verifier needs to know the company-internal policy used to sign a specific message, and there is no apparent reason he should know; all he needs to be assured of is that the message was signed by someone entitled to, but not who this person is, what she is entitled to sign, nor whether two messages were signed by the same person. This is what PBS provides.

11 Two generic constructions: The first uses ordinary signatures, IND-CPA encryption and standard non-interactive zero-knowledge (NIZK) proofs. Much simpler construction of PBS by relying on a more advanced cryptographic primitive: simulation-extractable (SE) NIZK proofs

12 Use of general NIZKs makes them inefficient Combine Groth-Sahai proofs [GS08] and structure-preserving signatures to design ecient PBS schemes for policy languages expressible via equations over a bilinear group.

13 Efficient Construction via Groth-Sahai Proofs Efficient construction of PBS will be defined over a bilinear group. This is a tuple (p, G, H, T, G, H), where G, H and T are groups of prime order p, generated by G and H, respectively, and e : G H T is a bilinear map such that e(g, H) generates T. We denote the group operation multiplicatively and let 1 G, 1 H and 1 T denote the neutral elements of G, H and T.

14 Pairing-product equation Groth-Sahai proofs [GS08] let us prove that there exists a set of elements (X, Y) = (X 1,, X n, Y 1,, Y l ) G n H l which satisfy equations E(X, Y) of the form k l n n l e(p i, Q i ) e(a j, Y j ) e(x i, B i ) e(x i, Y j ) γ i,j i=1 j=1 i=1 i=1 j=1 = 1 T (1) Such an equation E is called a pairing-product equation (PPE) and is uniquely defined by its constants P, Q, A, B Γ = {γ i,j } i=[n],j=[l].

15 Pairing-product equation In order to hide a policy, we need to swap the roles of constants and variables in an equation, as this will enable us to hide the policy defined by the constants. We first need to transform equations as in (1) into a set of equivalent equations without exponents. To do so, we introduce auxiliary variables Ŷ, add i j new equations and define the set E (no exp) as follows: k e(p i, Q i ) i=1 l e(a j, Y j ) j=1 n e(x i, B i ) i=1 n i=1 j=1 l e(x i, Ŷ i,j ) = 1 T e(g, Ŷ i,j ) = e(g γ i,j, Ŷ j ).(3) A witness (X, Y) satisfies E in (2) iff (X, Y, (Ŷ i,j = Y γ j ) i,j ) satisfies the set of equations E (no exp) in (3).

16 Pairing-product equation we can show that a (clear) message (M, N) satisfies a hidden policy defined by equation E, witnessed by elements (V, W), since we can express policies as sets of group elements.

17 Policy checkers for PPEs. e(mi, N j ) γ i,j e(m i, W j ) δ i,j e(v i, N j ) φ i,j e(v i, W j ) ψ i,j = 1 T Consider a policy p describing (for simplicity) a single equation defined by p = (P, Q, A, B, K, L, Γ = γ i,j, = δ i,j, Φ = φ i,j, Ψ = ψ i,j ) Let m = (M, N) G nm H lm be a message ω = (V, W) G nω H lω be a witness. Then the policy checker PC for our construction is defined as follows: PC((p, m), ω) e(pi, Q i ) e(a j, N j ) e(m i, B i ) e(k j, W j ) e(v i, L i )

18 Policy checkers for PPEs. which is the most general form of a PPE over variables M,N,V,W. Assume that all policies are of a fixed length, since we cannot hide the form of the set of equations they define.

19 Policy checkers for PPEs. We start with expressing a policy in terms of group elements only. Abusing notation slightly, we replace the matrices Γ = γ i,j, = δ i,j, Φ = φ i,j, Ψ = ψ i,j Z n l p in the policy description by matrices of G-elementsΓ = (Γ i,j := G γ i,j ), = ( i,j := G δ i,j ), Φ = (Φ i,j := G φ i,j ), Ψ = (Ψ i,j := G ψ i,j ). Applying the transformation E E (no exp) from Equation PC no exp ((p, m), ω) e(pi, Q i ) e(a j, N j ) e(m i, B i ) e(k j, W j ) e(v i, L i ) e(mi, ˆN (1) ) e(m i, Ŵ (1) ) δ i,j e(v i, ˆN (1) ) e(v i, Ŵ (1) ) = 1 T i,j e(g, ˆN (1) ) = e(g γ i,j, N ) i,j e(g, Ŵ (1) ) = e(g δ i,j, W )

20 Policy checkers for PPEs i,j e(g, ˆN (2) ) = e(g φ i,j, N ) i,j e(g, Ŵ (2) ) = e(g ψ i,j, W ) where we introduced new variables ˆN (1), ˆN (2), Ŵ (1), Ŵ (2) and corresponding equations. Note that these equations contain the elements from Γ,, Φ, Ψ as variables.

21 Policy checkers for PPEs PC no exp ((p, m), ω)(t ) e(pi, Q i ) e(a j, N j i) e(m i, B i ) e(k j, W j ) e(v i, L i ) e(mi, ˆN (1) ) e(m i, Ŵ (1) ) δ i,j e(v i, ˆN (1) ) e(v i, Ŵ (1) ) = 1 T i,j i,j e(t, ˆN (1) ) = e(γ i,j, N ) i,j e(t, ˆN (2) ) = e(φ i,j, N ) i,j e(t, Ŵ (1) ) = e( i,j, W ) e(t, Ŵ (2) ) = e(ψ i,j, W )

22 Policy checkers for PPEs E (disj) (mvk, p, S 1, S 2, ω, ovk, T 1, T 2 ) : e(t 1 T 2 G 1, H) = 1 V (Sim) (mvk, (G, P, Q, A, B, K, L, Γ,, Φ, Ψ,S 1 ))(T 1 ) = 1 PC (Sim) ((P, Q, A, B, K, L, Γ,, Φ, Ψ,), (M, N), (V, W))(T 1 ) = 1 V (sim) (mvk, (1, ovk), S 2 )(T 2 ) = 1

23 Thank you Rongxing s Homepage: PPT Ximeng s Homepage: