Fully anonymous attribute tokens from lattices

Transcription

1 Fully anonymous attribute tokens from lattices Jan Camenisch (IBM Research Zurich) Gregory Neven (IBM Research Zurich) Markus Rückert

2 Elevator pitch Goal: Anonymous credentials from lattices Starting point: GKV group signatures [Gordon, Katz, Vaikuntanathan, Asiacrypt 2010] Our contributions: Anonymous attribute tokens (AAT) anonymous credentials light Scheme without opening (AAT O) Scheme with opening (AAT+O), full CCA anonymity Extension adding non-frameability Open problems: Constant token size, currently O(#users) Full-fledged anonymous credentials 2

3 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction sketch Our AAT+O scheme: construction idea Conclusion & open problems 3

4 Usage scenario Group Manager John Doe Name: John Doe City: Springfield SSN: User City: Springfield access 2012/09/05 Open Verifier 1 Name: John Doe SSN: I agree to ToS. Verifier 2 unlinkable 4

5 Anonymous attribute tokens without opening (AAT O) Group Manager MKeyGen(1 n,u) (mpk,msk) Issue(msk,u,a 1,,a l ) cred u mpk mpk User u cred u Verifier (a i ) i R,M,t GenToken(mpk,cred u,r,m) t where R [1,l] VToken(mpk,t,R,(a i ) i R,M) 0/1 cf. minimal disclosure tokens (U-Prove), anonymous credentials [Cha81], attribute-based signatures [MPR11] 5

6 Anonymous attribute tokens with opening (AAT+O) Group Manager MKeyGen(1 n,u) (mpk,msk) Issue(msk,u,a 1,,a l ) cred u Open(msk,t,R,(a i ) i R,M) u mpk mpk User u cred u (a i ) i R,M,t Verifier (a i ) i R,M,t GenToken(mpk,cred u,r,m) t where R [1,l] VToken(mpk,t,R,(a i ) i R,M) 0/1 cf. anonymous credentials [Cha81], attribute-based group signatures 6

7 Security of anonymous attribute tokens With opening (AAT+O) Full anonymity (CCA): Tokens are unlinkable, modulo revealed attributes Input mpk Oracles Init(u,a 1,,a l ), Issue(u) cred u, Open(t,R,(a i ) i R,M) u Output (u 0,u 1,R,M) where a 0,i = a 1,i for all i R Challenge t* GenToken(mpk,cred ub,r,m) Guess b Traceability: Can t create token with new attributes or opening to honest user Input mpk Oracles Init, Issue, Open, GenToken(u,R,M) t Output t*, R*, (a i *) i R*, M* such that t* opens to u* and u* was never queried to Issue, or u* was initialized with a i a i * Without opening (AAT O): anonymity & unforgeability 7

8 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 8

9 Lattice preliminaries Trapdoor one-way function from short integer solution (SIS) [GPV08] A Z q n m with trapdoor T Z q m m y = Ax (mod q) for x short, Gaussian distribution invert using trapdoor T short preimage x Gaussian elimination long preimage x FDH-signature: Aσ = H(M) and σ short Verifiable encryption from learning with errors (LWE) [Reg09,GKV10] B Z q n m with trapdoor S Z q m m Enc B (σ) = т such that Aт = H(M) mod q decrypt using S 9

10 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 10

11 GKV group signatures: construction idea Key generation For all users u = 1,,U generate (A u,t u ), (B u,s u ) mpk = (A u,b u ) u=1 U ; msk = (S u ) u=1 U ; sk u = T u Group signature by user u on message M Compute short σ u : A u σ u = H(M) using T u For v u compute long σ v : A v σ v = H(M) using Gaussian elimination For v = 1,,U encrypt т v = Enc Bv (σ v ) Non-interactive witness-indistinguishable proof (NIWIP) π OR NIWIP{т 1 encrypts short σ 1 т U encrypts short σ U} Return (т 1,,т U,π OR ) Verification For v = 1,,U check Aт v = H(M) Verify π OR Opening For v = 1,,U decrypt σ v = Dec Sv (т v ) until σ v short 11

12 Overview Anonymous attribute tokens Lattice preliminaries GKV group signatures Our AAT O scheme: construction idea Our AAT+O scheme: construction idea Conclusion & open problems 12

13 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M For i R use σ u,i from cred u For v u, i R compute σ v,i : Aσ v,i = H(v,i,a i ) using Gaussian elimination Same-signer aggregation If Aσ i = H(M i ) with short σ i Then Aα = A σ i = H(M i ) with somewhat short α 13

14 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T u Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gaussian elim. For v = 1,,U encrypt т v = Enc B (α v ) Not a real encryption linkable! т u = Enc B (α) = B T s + α Encrypt twice т u т u = B T (s s ) is lattice point 14

15 Our AAT O scheme: construction sketch Master key generation mpk = A ; msk = T ; common reference string B Issuance for attributes a 1,,a l For i = 1,,l compute short σ u,i : Aσ u,i = H(u,i,a i ) using T u Return cred u = (a 1,,a l, σ u,1,,σ u,l ) Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gauss elimination Choose short random x, compute y = Ax For v = 1,,U encrypt т v = Enc B (α v +x) π OR NIWIP{т 1 encrypts short α 1 т U encrypts short α U} Compute signature of knowledge [Lyu08] Return t = (y,т 1,,т U,π OR,π y ) π y SoK{x : Ax = y}(m) 15

16 Our AAT O scheme: construction sketch Token generation by user u revealing attributes R [1,l], message M Compute short α u i R σ u,i For v u, compute long α v : Aα v = i R H(v,i,a i ) using Gauss elimination Choose short random x, compute y = Ax For v = 1,,U encrypt т v = Enc B (α v +x) π OR NIWIP{т 1 encrypts short α 1 т U encrypts short α U} Compute signature of knowledge [Lyu08] Return t = (y,т 1,,т U,π OR,π y ) π y SoK{x : Ax = y}(m) Token verification for revealed attributes (a i ) i R, message M For v = 1,,U check Aт v = i R H(v,i,a i ) + y Verify π OR and π y (M) 16

17 Our AAT O scheme: security Anonymity Learning with errors (LWE) hard in the random-oracle model Unforgeability Short integer solution (SIS) and learning with errors (LWE) hard in the random-oracle model 17

18 Our AAT+O scheme: construction idea Correlated trapdoor one-way function [RS09, Pei09] Enc B0 k (s,ρ 1,, ρ k ) = ( B it s + ρ i ) i=0 k CCA2 encryption: B i = B i,vki for one-time verification key vk AAT+O token generation: For v=1,,u let B vk [ B 0 B 1,vk1 B k,vkk ] ρ v [α v + x ρ v,1 ρ v, vk ] where ρ v,i short random т v B vkt s v + ρ v Then have that ρ u somewhat short, so π OR NIWIP{т 1 encrypts short ρ 1 т U encrypts short ρ U} proves correct correlation for free AAT+O opening: Decrypt т v using S 0 (trapdoor for B 0 ) until ρ v,0 short 18

19 Our AAT+O scheme: security Anonymity Learning with errors (LWE) hard and one-time signature scheme existentially unforgeable in the random-oracle model Traceability Short integer solution (SIS) and learning with errors (LWE) hard in the random-oracle model 19

20 Conclusion & open problems Contributions AAT schemes as anonymous credentials light without opening (AAT O): anonymity cannot be lifted with opening (AAT+O): full anonymity (CCA) first fully anonymous group signature scheme Schemes based on SIS and LWE in the random-oracle model Extension: non-frameability Open problems Full-fledged credential systems from lattices attribute predicates, pseudonyms, blind issuing, Token/signature size independent of total #users 20

21 Lattice preliminaries Trapdoor one-way function from short integer solution (SIS) [GPV08] A Z n m q with trapdoor T Z m m q such that AT 0(mod q) uniform short, Gaussian f A (x) = Ax (mod q), invert using Gaussian elimination long x trapdoor T short x short Encryption from learning with errors (LWE) [Reg09] B Z q n m with trapdoor S Z q m m such that AS 0(mod q) Enc(s) = B T s + e (mod q), decrypt using S short, Gaussian Related trapdoor sampling [GKV10] Given B, generate A with trapdoor T such that AB T 0 (mod q) 21