Practical Round-Optimal Blind Signatures in the Standard Model

Size: px

Start display at page:

Download "Practical Round-Optimal Blind Signatures in the Standard Model"

Beatrix Roberts
6 years ago
Views:

Christian Hanser and Daniel Slamanig, Institute of Science and

1 W I S S E N T E C H N I K L E I D E N S C H A F T IAIK Practical Round-Optimal Blind Signatures in the Standard Model Georg Fuchsbauer, Christian Hanser and Daniel Slamanig, Institute of Science and Technology Austria IAIK, Graz University of Technology, Austria IAIK

2 Blind Signatures Important building block: e-voting, e-cash, ABCs,... 2

3 Motivation Round-optimal blind signatures in the standard model notoriously hard to construct Only 2 out of 50+ constructions in SM (in 30+ years of research) [GRS+11,GG14] Difficulty: malicious key model Underlined by impossibility result [FS10] 3

4 Motivation Round-optimal blind signatures in the standard model notoriously hard to construct Only 2 out of 50+ constructions in SM (in 30+ years of research) [GRS+11,GG14] Difficulty: malicious key model Underlined by impossibility result [FS10] Round-optimality desirable Efficiency Concurrent security 3

5 Contribution 1. New way to build Round-optimal blind sigs from structure-preserving sigs on equivalence classes (SPS-EQ) 1 st practically efficient standard-model construction + extension to partially blind signatures 1 st one-show ABC in the standard model Caveat: blindness under interactive DDH variant 4

6 Contribution (ctd) 2. New results on SPS-EQ: 1 st standard-model construction SPS-EQ implies SPS Optimality criteria from SPS carry over 5

7 Preliminaries Asymmetric bilinear map e : G 1 G 2 G T e(ap, b ˆP) ab = e(p, ˆP) (Bilinearity) e(p, ˆP) 1 GT e(, ) efficiently computable (Non-degeneracy) (Efficiency) 6

8 Preliminaries Asymmetric bilinear map e : G 1 G 2 G T e(ap, b ˆP) ab = e(p, ˆP) (Bilinearity) e(p, ˆP) 1 GT e(, ) efficiently computable (Non-degeneracy) (Efficiency) Structure-Preserving Signatures [AFG+10] signing group element vectors sigs and PKs consist only of group elements verification solely via pairing-product equations + group membership tests 6

9 Signing Equivalence Classes [HS14] As with projective space, we can partition G l into projective equivalence classes: M G l R N G l k Z p : N = k M Functionality: σ on M allows deriving σ on M [M] R 7

10 Signing Equivalence Classes [HS14] As with projective space, we can partition G l into projective equivalence classes: M G l R N G l k Z p : N = k M Functionality: σ on M allows deriving σ on M [M] R IND of classes iff DDH holds on G 7

11 Signing Equivalence Classes (ctd) [HS14] SPS-EQ: As SPS: BGGen R, KeyGen R, Sign R, Verify R but msgs = representatives 8

12 Signing Equivalence Classes (ctd) [HS14] SPS-EQ: As SPS: BGGen R, KeyGen R, Sign R, Verify R but msgs = representatives Plus: ChgRep R (M, σ, µ, pk): Given σ for M, return σ for µm 8

13 Signing Equivalence Classes (ctd) [HS14] Security Properties: Correctness EUF-CMA security Class-hiding 9

14 Signing Equivalence Classes (ctd) [HS14] Security Properties: Correctness EUF-CMA security Class-hiding EUF-CMA defined w.r.t. equivalence classes: Pr [ BG BGGenR(1 κ ), (sk, pk) KeyGen R (BG, l), (M, σ ) A O(sk, ) (pk) : [M ] R [M] R queried M Verify R (M, σ, pk) = 1 ] ɛ(κ), 9

15 Signature Distribution Perfect adaption of sigs: ChgRep R (M, σ, µ, pk) Sign R (µm, sk) 10

16 Signature Distribution Perfect adaption of sigs: ChgRep R (M, σ, µ, pk) Sign R (µm, sk) Perfect adaption of sigs (malicious keys): σ ChgRep R (M, σ, µ, pk) uniform in space of sigs on µm 10

17 Blind Signatures from SPS-EQ Outline: Black-box from any EUF-CMA-secure, perfectly adapting SPS-EQ Blind under plausible interactive DDH variant (Honest-key-blind under DDH) 11

18 Blind Signatures from SPS-EQ (ctd) Idea: Commit to m w/ Pedersen com. C = mp + rq 12

19 Blind Signatures from SPS-EQ (ctd) Idea: Commit to m w/ Pedersen com. C = mp + rq Obtain sig π on M R [(C, P)] R 12

20 Blind Signatures from SPS-EQ (ctd) Idea: Commit to m w/ Pedersen com. C = mp + rq Obtain sig π on M R [(C, P)] R Derive σ on (C, P) 12

21 Blind Signatures from SPS-EQ (ctd) Idea: Commit to m w/ Pedersen com. C = mp + rq Obtain sig π on M R [(C, P)] R Derive σ on (C, P) Output σ + opening of C 12

22 Blind Signatures from SPS-EQ (ctd) 13

23 Blind Signatures from SPS-EQ (ctd) 13

24 Blind Signatures from SPS-EQ (ctd) 13

25 Blind Signatures from SPS-EQ (ctd) 13

26 Blind Signatures from SPS-EQ (ctd) 13

27 Blind Signatures from SPS-EQ (ctd) 13

28 Blind Signatures from SPS-EQ (ctd) 13

29 Blind Signatures from SPS-EQ (ctd) 13

30 Blind Signatures from SPS-EQ (ctd) Security: Unforgeable under EUF-CMA security of SPS-EQ + Diffie-Hellman-Inversion assumption 14

31 Blind Signatures from SPS-EQ (ctd) Security: Unforgeable under EUF-CMA security of SPS-EQ + Diffie-Hellman-Inversion assumption Blind under interactive DDH variant (malicious keys) in the standard model 14

32 Warmup: Proving Blindness (honest keys) 15

33 Warmup: Proving Blindness (honest keys) 15

34 Warmup: Proving Blindness (honest keys) 15

35 Warmup: Proving Blindness (honest keys) 15

36 Warmup: Proving Blindness (honest keys) 15

37 Warmup: Proving Blindness (honest keys; ctd) Game 0: Original game: U(m b, pk) sends (s m b P + rsq, sp) U(m 1 b, pk) sends (s m 1 b P + r s Q, sp) 16

38 Warmup: Proving Blindness (honest keys; ctd) Game 0: Original game: U(m b, pk) sends (s m b P + rsq, sp) U(m 1 b, pk) sends (s m 1 b P + r s Q, sp) Game 1: U(m b, pk) sends (s m b P + tq, sp) 16

39 Warmup: Proving Blindness (honest keys; ctd) Game 0: Original game: U(m b, pk) sends (s m b P + rsq, sp) U(m 1 b, pk) sends (s m 1 b P + r s Q, sp) Game 1: U(m b, pk) sends (s m b P + tq, sp) Game 2: U(m 1 b, pk) analogously 16

40 Warmup: Proving Blindness (honest keys; ctd) Game 0: Original game: U(m b, pk) sends (s m b P + rsq, sp) U(m 1 b, pk) sends (s m 1 b P + r s Q, sp) Game 1: U(m b, pk) sends (s m b P + tq, sp) Game 2: U(m 1 b, pk) analogously m b, m 1 b perfectly hidden in Game 2 16

41 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 17

42 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 Simulating U(m b, pk): Embed DDH instance (P, sp, rp, tp) q in sk send (m b sp + q tp, sp) 17

43 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 Simulating U(m b, pk): Embed DDH instance (P, sp, rp, tp) q in sk send (m b sp + q tp, sp) How to unblind w/o s? sk recompute σ b on (m b P + q rp, P) 17

44 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 Simulating U(m b, pk): Embed DDH instance (P, sp, rp, tp) q in sk send (m b sp + q tp, sp) How to unblind w/o s? sk recompute σ b on (m b P + q rp, P) Distribution of σ b? 17

45 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 Simulating U(m b, pk): Embed DDH instance (P, sp, rp, tp) q in sk send (m b sp + q tp, sp) How to unblind w/o s? sk recompute σ b on (m b P + q rp, P) Distribution of σ b? Perfect adaption! 17

46 Warmup: Proving Blindness (honest keys; ctd) DDH Game 0 c Game 1 c Game 2 Simulating U(m b, pk): Embed DDH instance (P, sp, rp, tp) q in sk send (m b sp + q tp, sp) How to unblind w/o s? sk recompute σ b on (m b P + q rp, P) Distribution of σ b? Perfect adaption! t = rs Game 0; t random Game 1 17

47 Proving Blindness Blindness under malicious keys: pk determined by A No access to sk 18

48 Proving Blindness Blindness under malicious keys: pk determined by A No access to sk Rest stays the same 18

49 Proving Blindness (ctd) No access to sk: Perfect adaption under malicious keys! 19

50 Proving Blindness (ctd) No access to sk: Perfect adaption under malicious keys! (Q, ˆQ) determined by A Can t embed DDH 19

51 Proving Blindness (ctd) No access to sk: Perfect adaption under malicious keys! (Q, ˆQ) determined by A Can t embed DDH Interactive DDH variant: relative to (Q, ˆQ) 19

52 Proving Blindness (ctd) No access to sk: Perfect adaption under malicious keys! (Q, ˆQ) determined by A Can t embed DDH Interactive DDH variant: relative to (Q, ˆQ) Still can t recompute σ! 19

53 Proving Blindness (ctd) No access to sk: Perfect adaption under malicious keys! (Q, ˆQ) determined by A Can t embed DDH Interactive DDH variant: relative to (Q, ˆQ) Still can t recompute σ! Use A as signing oracle by rewinding! 19

54 Proving Blindness (ctd) Interactive DDH variant: Given (Q, ˆQ) output by A: e(q, ˆP) = e(p, ˆQ) 20

55 Proving Blindness (ctd) Interactive DDH variant: Given (Q, ˆQ) output by A: e(q, ˆP) = e(p, ˆQ) t in (rp, rq, sp, tq) random, or t = rs? Hard in generic-group model 20

56 Proving Blindness (ctd) Simulating U(m b, pk) (1 st run): 21

57 Proving Blindness (ctd) Simulating U(m b, pk) (2 nd run): 22

58 Efficiency Instantiated w/ SPS-EQ from [FHS14]: U, S: few scalar mult. Verify: 7 pairings 1 scalar mult. 23

59 Partially Blind Signatures and One-show ABCs Partially Blind Signatures: Obtain sig on [(mp, γp, P)] for common info γ Z p 24

60 Partially Blind Signatures and One-show ABCs Partially Blind Signatures: Obtain sig on [(mp, γp, P)] for common info γ Z p One-show ABCs in vein of Brands: Use generalized Pedersen commitments comitting to msg vectors PoKs over attributes during issuing + showing 24

61 New Insights on SPS-EQ SPS-EQ implies SPS: Sign (M, P) to sign M, Only 1 valid representative per class standard EUF-CMA 25

62 New Insights on SPS-EQ SPS-EQ implies SPS: Sign (M, P) to sign M, Only 1 valid representative per class standard EUF-CMA Optimality from [AGHO11] apply to SPS-EQ: 3 bilateral sig elements 2 PPEs for verification 25

63 New Insights on SPS-EQ SPS-EQ implies SPS: Sign (M, P) to sign M, Only 1 valid representative per class standard EUF-CMA Optimality from [AGHO11] apply to SPS-EQ: 3 bilateral sig elements 2 PPEs for verification [AGO11] no reduction from optimally-short SPS-EQ to non-interactive assumptions 25

64 Standard-Model SPS-EQ Construction Using trick of Abe et al. [AGHO11] add 2 random elements to msg no perfect adaption; only class-hiding EUF-CMA proof more involved than [AGHO11] 26

65 Conclusions Practically efficient round-optimal (partially) blind signatures in the standard model One-show ABC in the standard model 27

66 Conclusions Practically efficient round-optimal (partially) blind signatures in the standard model One-show ABC in the standard model New results on SPS-EQ Standard-model construction New properties SPS from SPS-EQ (and implications) 27

67 Thank you for your attention! Supported by: 28

68 References AFG+10 M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo Structure-Preserving Signatures and Commitments to Group Elements. CRYPTO 2010 AGHO11 M. Abe, J. Groth, K. Haralambiev, M. Ohkubo Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. CRYPTO 2011 AGO11 M. Abe, J. Groth, M. Ohkubo Separating Short Structure-Preserving Signatures from Non-interactive Assumptions. ASIACRYPT 2011 FHS14 G. Fuchsbauer, C. Hanser and D. Slamanig. EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes. Cryptology eprint Archive

69 References (ctd) FS10 M. Fischlin and D. Schröder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010 GG14 S. Garg and D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014 GRS+11 S. Garg, V. Rao, A. Sahai, D. Schröder and D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011 HS14 C. Hanser and D. Slamanig. Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials. ASIACRYPT

EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes

EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes Georg Fuchsbauer Christian Hanser 2 Daniel Slamanig 2 IST Austria georg.fuchsbauer@ist.ac.at 2 Institute for Applied Information Processing