Short Randomizable Signatures

Transcription

1 SESSION ID: CRYP-W02 Short Randomizable Signatures David Pointcheval Senior Researcher ENS/CNRS/INRIA Paris, France Joint work with Olivier Sanders

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27 S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1, David Derler 2, Daniel Slamanig 2, Raphael Spreitzer 2 1 Université de Limoges, XLim, France 2 IAIK, Graz University of Technology, Austria

28 Group Signature Schemes [CvH91] Group Signer i (xi) Signed by someone of group! Group signature σ Verifier (pk) 2

29 Group Signature Schemes [CvH91] Group Group Manager (pk) Issuer (mik) Signer i (xi) Group signature σ Verifier (pk) 2

30 Group Signature Schemes [CvH91] Group Group Manager (pk) Issuer (mik) Opener (mok) Signer i (xi) Group signature σ Verifier (pk) 2

31 Controllable Linkability [HLhC + 11, SSU14] Group Manager (pk) Produced by same signer? Issuer (mik) Verifier (pk) (σ1, M1),(σ2, M2) Opener (mok) No idea who signed them! Linker (mlk) 3

32 Controllable Linkability [HLhC + 11, SSU14] Group Manager (pk) But can I trust the Linker? Issuer (mik) Verifier (pk) (σ1, M1),(σ2, M2) Opener (mok) No idea who signed them! Linker (mlk) 3

33 Verifiable Controllable Linkability Group Manager (pk) Prove it! Issuer (mik) Verifier (pk) (σ1, M1),(σ2, M2) Opener (mok) Still no idea who signed them! Linker (mlk) 4

34 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) 5

35 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) 5

36 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge 5

37 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge Keys gpk (pk e, pk s ), 5

38 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge Keys gpk (pk e, pk s ), gmsk sk e, 5

39 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge Keys gpk (pk e, pk s ), gmsk sk e, gmik sk s 5

40 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge Keys gpk (pk e, pk s ), gmsk sk e, gmik sk s Join User s secret: x i 5

41 Sign-Encrypt-Prove Paradigm Basic building blocks DS = (KG s, Sign, Verify) AE = (KG e, Enc, Dec) Signature of Knowledge Keys gpk (pk e, pk s ), gmsk sk e, gmik sk s Join User s secret: x i Issuer computes: cert Sign(gmik, f (x i )) 5

42 Sign-Encrypt-Prove Paradigm I Sign T Enc(pk e, cert) 6

43 Sign-Encrypt-Prove Paradigm I Sign T Enc(pk e, cert) π SoK {(x i, cert) : cert = Sign(sk s, f (x i )) T = Enc(pk e, cert))}(m) 6

44 Sign-Encrypt-Prove Paradigm I Sign T Enc(pk e, cert) π SoK {(x i, cert) : cert = Sign(sk s, f (x i )) T = Enc(pk e, cert))}(m) σ (T, π) 6

45 Sign-Encrypt-Prove Paradigm I Sign Verify T Enc(pk e, cert) π SoK {(x i, cert) : cert = Sign(sk s, f (x i )) T = Enc(pk e, cert))}(m) σ (T, π) verification of π 6

46 Sign-Encrypt-Prove Paradigm I Sign Verify Open T Enc(pk e, cert) π SoK {(x i, cert) : cert = Sign(sk s, f (x i )) T = Enc(pk e, cert))}(m) σ (T, π) verification of π cert Dec(sk e, T ) 6

47 Contributions 1. Generic proof system for plaintext (in-)equality 7

48 Contributions 1. Generic proof system for plaintext (in-)equality 2. Efficient instantiation of this proof system 7

49 Contributions 1. Generic proof system for plaintext (in-)equality 2. Efficient instantiation of this proof system 3. Group signatures with verifiable controllable linkability 7

50 Contributions 1. Generic proof system for plaintext (in-)equality 2. Efficient instantiation of this proof system 3. Group signatures with verifiable controllable linkability 4. Extend GSs with verifiable controllable linkability (VCL) 7

51 Controllable Linkability Public key encryption with equality tests [Tan12, SSU14] Conventional public key encryption scheme 8

52 Controllable Linkability Public key encryption with equality tests [Tan12, SSU14] Conventional public key encryption scheme + Com algorithm for equality tests using trapdoor 8

53 Controllable Linkability Public key encryption with equality tests [Tan12, SSU14] Conventional public key encryption scheme + Com algorithm for equality tests using trapdoor Link: 1/0 Com(T, T, gmlk) 8

54 Controllable Linkability Public key encryption with equality tests [Tan12, SSU14] Conventional public key encryption scheme + Com algorithm for equality tests using trapdoor Link: 1/0 Com(T, T, gmlk) Semantic security without trapdoor 8

55 Controllable Linkability Public key encryption with equality tests [Tan12, SSU14] Conventional public key encryption scheme + Com algorithm for equality tests using trapdoor Link: 1/0 Com(T, T, gmlk) Semantic security without trapdoor One-way security for trapdoor holders 8

56 Setting certi certj 9

57 Setting =? certi certj Verifier (pk) 9

58 Setting =? certi certj Link (π1, ), (π2, ) Verifier (pk) Linker (mlk) 9

59 Setting =? certi certj Verifier (pk) Link (π1, ), (π2, ) Yes/No, π Linker (mlk) 9

60 Setting =? certi certj Verifier (pk) Link (π1, ), (π2, ) Yes/No, π Linker (mlk) Non-interactive plaintext (in-)equality proofs 9

61 Non-Interactive Plaintext (In-)Equality Proofs Given any PKEQ and ciphertexts T and T under pk Proof system Π 10

62 Non-Interactive Plaintext (In-)Equality Proofs Given any PKEQ and ciphertexts T and T under pk Proof system Π 1. Prove knowledge of trapdoor tk 10

63 Non-Interactive Plaintext (In-)Equality Proofs Given any PKEQ and ciphertexts T and T under pk Proof system Π 1. Prove knowledge of trapdoor tk 2. Com = 1 (membership) or Com = 0 (non-membership) 10

64 Non-Interactive Plaintext (In-)Equality Proofs Given any PKEQ and ciphertexts T and T under pk Proof system Π 1. Prove knowledge of trapdoor tk 2. Com = 1 (membership) or Com = 0 (non-membership) 3. Without revealing trapdoor tk 10

65 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] 11

66 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] Com = 0 defines language L / for non-membership 11

67 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] Com = 0 defines language L / for non-membership Idea [BCV15] Π 1 : Failing membership proof for L 11

68 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] Com = 0 defines language L / for non-membership Idea [BCV15] Π 1 : Failing membership proof for L Π 2 : Proof that Π 1 has been computed honestly 11

69 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] Com = 0 defines language L / for non-membership Idea [BCV15] Π 1 : Failing membership proof for L Π 2 : Proof that Π 1 has been computed honestly Efficient instantiations (GS and SPHFs) 11

70 (Non-)Membership Proofs Com = 1 defines language L for membership Witnessed by trapdoor tk Standard techniques [GS08] Com = 0 defines language L / for non-membership Idea [BCV15] Π 1 : Failing membership proof for L Π 2 : Proof that Π 1 has been computed honestly Efficient instantiations (GS and SPHFs) Technicalities: m, r must be known [BCV15] 11

71 Smooth Projective Hash Functions (SPHFs) 12

72 Construction - Non-Membership Proof 13

73 Construction - Non-Membership Proof 13

74 Construction - Non-Membership Proof 13

75 Construction - Non-Membership Proof 13

76 Construction - Non-Membership Proof 13

77 Construction - Non-Membership Proof 13

78 Construction - Non-Membership Proof 13

79 Construction - Non-Membership Proof 13

80 Construction - Non-Membership Proof 13

81 Construction - Non-Membership Proof 13

82 Construction - Non-Membership Proof 13

83 Construction - Non-Membership Proof 13

84 Construction - Non-Membership Proof 13

85 Construction - Non-Membership Proof 13

86 Example of Efficient Instantiation ElGamal with equality tests (as in [SSU14]) Keypair: (sk, pk) (x, g x ) Z p G 1 Trapdoor: (ˆr, ˆr x ) G 2 G 2 Encryption of m: (g r, m g x r ) G 1 G 1 14

87 Example of Efficient Instantiation ElGamal with equality tests (as in [SSU14]) Keypair: (sk, pk) (x, g x ) Z p G 1 Trapdoor: (ˆr, ˆr x ) G 2 G 2 Encryption of m: (g r, m g x r ) G 1 G 1 Pairing-based equality test Ciphertexts: (g r, m g x r ), (g r, m g x r ) m = m e(m gx r, ˆr) e(g r, ˆr x ) = e(m g x r, ˆr) e(g r, ˆr x ) 14

88 Instantiation of Π Com = 1: plaintext equality proof ((g r, m g x r ), (g r, m g x r ), g x ) L e(m g x r, ˆr) e(g r, ˆr x ) = e(m g x r, ˆr) e(g r, ˆr x ) e(g, ˆr x ) = e(g x, ˆr) 15

89 Instantiation of Π Com = 1: plaintext equality proof ((g r, m g x r ), (g r, m g x r ), g x ) L e(m g x r, ˆr) e(g r, ˆr x ) = e(m g x r, ˆr) e(g r, ˆr x ) e(g, ˆr x ) = e(g x, ˆr) 2 e(a i, Ŷi) = i=1 e(m gx r (m g x r ) 1, ˆr) e(g r g r, ˆr x ) = 1 GT 15

90 Instantiation of Π / Com = 0: plaintext inequality proof ((g r, m g x r ), (g r, m g x r ), g x ) L / e(m g x r, ˆr) e(g r, ˆr x ) e(m g x r, ˆr) e(g r, ˆr x ) e(g, ˆr x ) = e(g x, ˆr) 16

91 Instantiation of Π / Com = 0: plaintext inequality proof ((g r, m g x r ), (g r, m g x r ), g x ) L / e(m g x r, ˆr) e(g r, ˆr x ) e(m g x r, ˆr) e(g r, ˆr x ) e(g, ˆr x ) = e(g x, ˆr) Our construction for non-membership proofs 16

92 NIPEI Proof System Proof system Π = (Π, Π / ) 17

93 NIPEI Proof System Proof system Π = (Π, Π / ) =? certi certj Verifier (pk) Link (π1, ), (π2, ) Yes/No, π Linker (mlk) 17

94 GSSs with Verifiable Controllable Linkability Extended security model for VCL-GS Algorithms: Link and Link Judge Property: linking soundness 18

95 GSSs with Verifiable Controllable Linkability Extended security model for VCL-GS Algorithms: Link and Link Judge Property: linking soundness Instantiation based on NIPEI Link: Π.Proof Link Judge : Π.Verify 18

96 Take-Home Message Proposed generic approach for (in-)equality proof 19

97 Take-Home Message Proposed generic approach for (in-)equality proof Efficient instantiation in the pairing setting 19

98 Take-Home Message Proposed generic approach for (in-)equality proof Efficient instantiation in the pairing setting Rather independent of encryption scheme Various DDH/DLIN ElGamal variants CCA2: Naor-Yung and Cramer-Shoup (for free) 19

99 Take-Home Message Proposed generic approach for (in-)equality proof Efficient instantiation in the pairing setting Rather independent of encryption scheme Various DDH/DLIN ElGamal variants CCA2: Naor-Yung and Cramer-Shoup (for free) Novel application GSSs with verifiable controllable linkability 19

100 S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1, David Derler 2, Daniel Slamanig 2, Raphael Spreitzer 2 1 Université de Limoges, XLim, France 2 IAIK, Graz University of Technology, Austria

101 Bibliography I [BCV15] Olivier Blazy, Céline Chevalier, and Damien Vergnaud. Non-Interactive Zero-Knowledge Proofs of Non-Membership. In CT-RSA, [CvH91] David Chaum and Eugène van Heyst. Group Signatures. In EUROCRYPT, [GS08] Jens Groth and Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. In EUROCRYPT, [HLhC + 11] Jung Yeon Hwang, Sokjoon Lee, Byung ho Chung, Hyun Sook Cho, and DaeHun Nyang. Short Group Signatures with Controllable Linkability. In LightSec. IEEE, [SSU14] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Adding Controllable Linkability to Pairing-Based Group Signatures for Free. In ISC, [Tan12] Qiang Tang. Public Key Encryption Supporting Plaintext Equality Test and User-Specified Authorization. Security and Communication Networks, 5(12),