A Provably Secure Group Signature Scheme from Code-Based Assumptions

Size: px

Start display at page:

Download "A Provably Secure Group Signature Scheme from Code-Based Assumptions"

Hilary Atkins
6 years ago
Views:

1 A Provably Secure Group Signature Scheme from Code-Based Assumptions Martianus Frederic Ezerman, Hyung Tae Lee, San Ling, Khoa Nguyen, Huaxiong Wang NTU, Singapore ASIACRYPT 15-01/12/15

2 Group Signatures [CH91] U 1... U i... U N Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 2 / 11

3 Group Signatures [CH91] (Σ, ) U 1... U i... U N Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 2 / 11

4 Group Signatures [CH91] (Σ, ) Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 2 / 11

5 Group Signatures [CH91] (Σ, ) U i Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 2 / 11

6 The [BMW 03] Model 4 algorithms: 1 KeyGen(λ, N) ( gpk, gmsk, {gsk[j]} N 1 j=0 2 Sign(gsk[j], M) Σ. 3 Verify(gpk, M, Σ) {0, 1}. 4 Open(gmsk, M, Σ) {j, }. ). Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 3 / 11

7 The [BMW 03] Model 4 algorithms: 1 KeyGen(λ, N) ( gpk, gmsk, {gsk[j]} N 1 j=0 2 Sign(gsk[j], M) Σ. 3 Verify(gpk, M, Σ) {0, 1}. 4 Open(gmsk, M, Σ) {j, }. ). 3 requirements: correctness, anonymity, traceability. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 3 / 11

8 The [BMW 03] Model 4 algorithms: 1 KeyGen(λ, N) ( gpk, gmsk, {gsk[j]} N 1 j=0 2 Sign(gsk[j], M) Σ. 3 Verify(gpk, M, Σ) {0, 1}. 4 Open(gmsk, M, Σ) {j, }. ). 3 requirements: correctness, anonymity, traceability. 3 cryptographic ingredients: ordinary digital signature, encryption scheme, zero-knowledge protocol. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 3 / 11

9 Post-Quantum Group Signatures Shor s quantum algorithm [Shor 94] post-quantum cryptography. 6 candidates of post-quantum group signatures have been published in the last 5 years [GKV 10,CNR 12,LLLS 13,LLNW 14,LNW 15,NZZ 15]. [NZZ 15] is arguably the most efficient in the asymptotic sense. All are based on lattice assumptions. Large key and signature sizes. No implementation so far. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 4 / 11

10 Post-Quantum Group Signatures Shor s quantum algorithm [Shor 94] post-quantum cryptography. 6 candidates of post-quantum group signatures have been published in the last 5 years [GKV 10,CNR 12,LLLS 13,LLNW 14,LNW 15,NZZ 15]. [NZZ 15] is arguably the most efficient in the asymptotic sense. All are based on lattice assumptions. Large key and signature sizes. No implementation so far. Open questions: 1 More diversity? 2 More practical construction? E.g., an easy-to-implement and competitively efficient code-based group signature scheme would be desirable. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 4 / 11

11 A Provably Secure Code-Based Group Signature? Needed ingredients: 1 Ordinary signature: CFS [CFS 01] and variants: No known convincing security proof. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 5 / 11

12 A Provably Secure Code-Based Group Signature? Needed ingredients: 1 Ordinary signature: CFS [CFS 01] and variants: No known convincing security proof. Stern s protocol [Ste 96] + Fiat-Shamir transform [FS 86]. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 5 / 11

13 A Provably Secure Code-Based Group Signature? Needed ingredients: 1 Ordinary signature: CFS [CFS 01] and variants: No known convincing security proof. Stern s protocol [Ste 96] + Fiat-Shamir transform [FS 86]. 2 Encryption scheme: Provably secure variants of McEliece s [McE 78] and Niederreiter s [Nie 86] schemes. E.g., randomized McEliece [NIKM 08]. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 5 / 11

14 A Provably Secure Code-Based Group Signature? Needed ingredients: 1 Ordinary signature: CFS [CFS 01] and variants: No known convincing security proof. Stern s protocol [Ste 96] + Fiat-Shamir transform [FS 86]. 2 Encryption scheme: Provably secure variants of McEliece s [McE 78] and Niederreiter s [Nie 86] schemes. E.g., randomized McEliece [NIKM 08]. 3 The bottleneck is a ZK protocol connecting the first two layers. The signer should demonstrate that the given group signature is generated by certain certified group user who honestly encrypts his identifying information while keeping both the certificate and the identity secret! An open question in code-based cryptography. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 5 / 11

15 Our Results A code-based GS scheme provably secure in the ROM: CPA-anonymity: Learning Parity with (fixed-weight) Noise + McEliece. Traceability: Syndrome Decoding. Implementation results: The first ones for post-quantum group signatures. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 6 / 11

16 Our Results A code-based GS scheme provably secure in the ROM: CPA-anonymity: Learning Parity with (fixed-weight) Noise + McEliece. Traceability: Syndrome Decoding. Implementation results: The first ones for post-quantum group signatures. Efficiency comparison with recent lattice-based schemes: Asymptotically, ours is less efficient: O(N) vs. O(log N). Practically: (rough estimation) N Public key Signature KB 1.07 MB Our scheme MB 2.21 MB GB 294 MB [NZZ 15] GB 579 MB Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 6 / 11

17 Our Construction McEliece para (n, k, t); SD para (m, r, ω); maximum group size N = 2 l. Notations: B(m, ω) = {s {0, 1} m wt(s) = ω}; B(n, t) is defined similarly. KeyGen: 1 (G F k n 2, dk) McE.Kg; H $ F r m $ 2 ; j [0, N 1]: s j B(m, ω), y j = H s j. 2 Output gpk = (G, H, y 0,..., y N 1 ); gmsk = dk; and gsk[j] = s j, j. Sign(gsk[j] = s, M): 1 Encrypt I2B(j) {0, 1} l - the bin. rep. of j [0, N 1] - using randomized McEliece [NIKM 08]: Sample u $ F k l 2, e $ B(n, t), and compute c = ( u I2B(j) ) G e F n 2. 2 Generate a NIZK argument Π to show the knowledge of (j, s, u, e) s.t.: s = gsk[j] and c is a correct encryption of I2B(j) with randomness (u, e). (Π is made non-interactive via Fiat-Shamir, with M included in the RO hashing.) 3 Output Σ = (c, Π). Verify: check Π. Open: decrypt c using dk. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 7 / 11

18 The Underlying Zero-Knowledge Argument of Knowledge Common input: G F k n 2 ; H F r m 2 ; y 0,..., y N 1 F r 2 ; c Fn 2. Prover s input: (j, s, u, e) [0, N 1] B(m, ω) F k l 2 B(n, t). Prover s goal: Prove in ZK that H s = y j and c = ( u I2B(j) ) G e. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 8 / 11

19 The Underlying Zero-Knowledge Argument of Knowledge Common input: G F k n 2 ; H F r m 2 ; y 0,..., y N 1 F r 2 ; c Fn 2. Prover s input: (j, s, u, e) [0, N 1] B(m, ω) F k l 2 B(n, t). Prover s goal: Prove in ZK that H s = y j and c = ( u I2B(j) ) G e. H s = y j H s A x = 0 Transform c = ( u I2B(j) ) G e c = ( u f ) (1) Ĝ e, A = [ y 0 y N 1] ; and x = δ N j - the N-dim. unit-vector with 1 at j-th pos. f = Encode(j)=(1 j 0, j 0,..., 1 j l 1, j l 1 ) F 2l 2 - ext. of I2B(j)=(j 0,..., j l 1 ) and Ĝ - extension of G. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 8 / 11

20 The Underlying Zero-Knowledge Argument of Knowledge Common input: G F k n 2 ; H F r m 2 ; y 0,..., y N 1 F r 2 ; c Fn 2. Prover s input: (j, s, u, e) [0, N 1] B(m, ω) F k l 2 B(n, t). Prover s goal: Prove in ZK that H s = y j and c = ( u I2B(j) ) G e. H s = y j H s A x = 0 Transform c = ( u I2B(j) ) G e c = ( u f ) (1) Ĝ e, A = [ y 0 y N 1] ; and x = δ N j - the N-dim. unit-vector with 1 at j-th pos. f = Encode(j)=(1 j 0, j 0,..., 1 j l 1, j l 1 ) F 2l 2 - ext. of I2B(j)=(j 0,..., j l 1 ) and Ĝ - extension of G. Now, the task is to prove in ZK that: (1) holds with s B(m, ω); u F k l 2 ; e B(n, t); x = δ N j ; f = Encode(j). Green: Can be done with Stern s protocol. Red: Needs additional technique! Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 8 / 11

21 Proving that x = δ N j & f = Encode(j) for some hidden j Let B2I : {0, 1} l [0, N 1] be the inverse function of I2B( ). For every b {0, 1} l, we carefully define 2 permutations T b : F N 2 F N 2 and T b : F 2l 2 F 2l 2, s.t. the following equivalences hold: j [0, N 1] and b {0, 1} l, x = δj N T b (x) = δb2i(i2b(j) b) N f = Encode(j) T b(f) = Encode(B2I(I2B(j) b)). Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 9 / 11

22 Proving that x = δ N j & f = Encode(j) for some hidden j Let B2I : {0, 1} l [0, N 1] be the inverse function of I2B( ). For every b {0, 1} l, we carefully define 2 permutations T b : F N 2 F N 2 and T b : F 2l 2 F 2l 2, s.t. the following equivalences hold: j [0, N 1] and b {0, 1} l, x = δj N T b (x) = δb2i(i2b(j) b) N f = Encode(j) T b(f) = Encode(B2I(I2B(j) b)). To prove that the LHS holds in ZK: sample b $ {0, 1} l, send b 1 = I2B(j) b, x 1 = T b (x), f 1 = T b(f), and let the verifier check that the RHS holds. Idea: b acts as a one-time pad j is completely hidden (inspired by a method proposed by [LLNW 14]). Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 9 / 11

23 Implementation Results Testing platform: PC with 3.5 GHz CPU, 16 GB RAM. To achieve 80-bit security, repeat Stern s protocol 140 times. McEliece para: (n, k, t) = (2 11, 1696, 32); SD para: (m, r, ω) = (2756, 550, 121). N Public key Signature KeyGen Sign Verify Open KB 111 KB KB 114 KB KB 159 KB MB 876 KB MB 12.4 MB GB 196 MB Unit for time: second. Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 10 / 11

24 Summary of our contributions: 1 A provably secure code-based GS scheme. 2 Implementation results. Open questions: Code-based GS with 1 CCA-anonymity? 2 Logarithmic-size signature? 3 Revocation? Dynamic enrollment of users? Thank you! Khoa Nguyen, NTU Code-Based Group Signature ASIACRYPT 15-01/12/15 11 / 11

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based