Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Size: px

Start display at page:

Download "Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures"

Randall Webb
5 years ago
Views:

1 Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

2 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

3 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

4 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

5 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

6 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

7 Anonymous Consecutive Delegation of Signing Rights Fuchsbauer, Pointcheval: Anonymous Proxy Signatures [SCN'08] Delegation Consecutiveness Anonymity A delegator delegates his signing rights to a proxy signer (or delegatee) who can then sign on the delegator's behalf A delegatee may re-delegate the received signing rights intermediate delegators All intermediate delegators and the proxy signer remain anonymous After verifying a proxy signature one knows that someone entitled signed but nothing more. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

8 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

9 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

10 Application: GRID computing User authenticates herself and starts process which needs to authenticate to resources / start subprocesses Delegation and re-delegation of signing rights No need to know that it was not the user herself to be authenticated Relation to Other Primitives Anonymous proxy signatures are a generalization of Proxy signatures (consecutive delegation) formalized by [BPW03] (Dynamic) Group signatures (anonymity) formalized by [BSZ05] and satisfy the respective security notions. recently: Delegatable Anonymous Credentials [BCCKLS09] Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

11 (Dynamic) Group Signatures Group public key: pk Issuer (ik) Opener (ok) Reg Group members (sk i ) open Verication: Verify(pk, msg, σ) = 1 sign msg σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

12 Proxy Signatures Delegator (pk D ) delegate Verify(pk D, msg, σ) Delegatee/Signer msg sign σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

13 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 3 Proxy Signer σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

14 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 3 ANONYMOUS Proxy Signer σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

15 Proxy Signatures, Consecutive Delegations Delegator (pk D ) 3 Delegator 2 3 Delegator 3 ANONYMOUS 3 Proxy Signer Opener (ok) open σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

16 Algorithms of Anonymous Proxy Signature Scheme 1 λ Setup pp, ik, ok Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

17 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

18 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

19 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

20 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ pk x, M, σ PVer b {0, 1} Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

21 Algorithms of Anonymous Proxy Signature Scheme Issuer (ik) Reg pk pk, sk User 1 λ Setup pp, ik, ok sk x, [warr x, ] pk y Del warr [ ]x y sk y, warr x... y, M PSig σ pk x, M, σ PVer b {0, 1} ok, M, σ Open a list of users or (failure) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

22 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

23 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

24 Security for Anonymous Proxy Signatures Anonymity Traceability Non-Frameability intermediate delegators and proxy signer remain anonymous every valid signature can be traced to its intermediate delegators and proxy signer no one can produce a signature that, when opened, wrongfully reveals a delegator or signer Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

25 Generic Construction, Ingredients Generic Construction using Digital signatures (EUF-CMA) Public-key encryption (IND-CPA) Non-interactive zero-knowledge proofs Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

26 Generic Construction, Ingredients Generic Construction using Digital signatures (EUF-CMA) Public-key encryption (IND-CPA) Non-interactive zero-knowledge proofs (existence follows from trapdoor permutations) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

27 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

28 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

29 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

30 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

31 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

32 Generic Construction, Overview Setup Register Delegate Proxy-Sign Verify Open Generates decryption key for opening authority; signing key for issuer Parameters: resp. public keys, crs for NIZK Issuer signs user's public key certicate Sign delegatee's public key warrant Re-delegate: additionally forward received warrants Sign message, encrypt delegators' verication keys and certicates warrants signature on message NIZK that plaintext contains valid signatures Verify NIZK Decrypt ciphertext Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

33 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

34 The Subgroup Decision Assumption and BGN Encryption Let G = (n, G, G T, e, g) be a bilinear group of order G = n = pq, where p, q prime. Subgroup Decision Assumption (SD) No p.p.t. adversary can distinguish a random element of G from a random element of G q, the subgroup of order q. Boneh-Goh-Nissim (BGN) Encryption [TCC'05] KeyGen Generate bilinear group G with G = n = pq, choose h G q. sk = q. Encrypt Choose r Z n Set C := g m h r. Decrypt C q = (g m h r ) q = (g q ) m, thus log g q C q = m. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

35 The Subgroup Decision Assumption and BGN Encryption Let G = (n, G, G T, e, g) be a bilinear group of order G = n = pq, where p, q prime. Subgroup Decision Assumption (SD) No p.p.t. adversary can distinguish a random element of G from a random element of G q, the subgroup of order q. Boneh-Goh-Nissim (BGN) Encryption [TCC'05] KeyGen Generate bilinear group G with G = n = pq, choose h G q. sk = q. Encrypt Choose r Z n Set C := g m h r. Decrypt C q = (g m h r ) q = (g q ) m, thus log g q C q = m. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

36 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

37 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

38 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

39 Boyen Waters Group Signatures [PKC'07] I Hybrid Scheme Setup Extract Choose bilinear group G Choose parameters for Waters signatures (g, g 2, u) G m+3 Choose ω, α Z p, Dene pp = (g, g 2, u, Ω = g ω, A = e(g, g) α ) mk = (ω, g α ) Choose s i Z p Return K i = ((g α ) 1 ω+s i, g s i, g s i 2 ) Sign Choose r Z p let F(M) := u 0 m i=1 um i i Return S = (K 1, K 2, K 3 F(M) r, g r ) G 4 Verify e(s 1, S 2 Ω) A 1? = 1 e(s 2, g 2 ) 1 e(g, S 3 ) e(s 4, F(M))? = 1 Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

40 Boyen Waters Group Signatures [PKC'07] II Group Signatures Setup Choose a bilinear group G of order n = pq Choose keys pp and mk for hybrid scheme Publish an additional element h G q Set the tracing key as tk = q Z Enroll Choose s i Z p, s.t. ω + s i Z n Return K i = ((g α ) 1 ω+s i, g s i, g s i ) 2 Sign Make hybrid signature (S 1, S 2, S 3, S 4 ) BGN-encrypt components: S i := S i h ρ i for ρ i Z n Add proofs π 1, π 2 for each verication relation Verify e(s 1, S 2 Ω) A 1? = e(h, π 1 ) e(s 2, g 2) 1 e(g, S 3 ) e(s 4, F(M))? = e(h, π 2 ) Trace for each s i, check (S 2 )q? = (g s i ) q Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

41 Boyen Waters Group Signatures [PKC'07] III Security of Group Signature Anonymity. Replace h by a random element in G (indist. by SD). Lemma: If h G then signer id is statistically hidden, i.e. π 1 and π 2 do not leak information. Full Traceability. Reduction to unforgeability of hybrid signatures in G p Get parameters, build twin scheme in G q. Parameters of group signature are products of parameters of schemes in G p and G q. Forgery (S 1, S 2, S 3, S 4 ) is projected to G p by raising elements to the power of θ with θ 1 (mod p) and θ 0 (mod q). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

42 Boyen Waters Group Signatures [PKC'07] III Security of Group Signature Anonymity. Replace h by a random element in G (indist. by SD). Lemma: If h G then signer id is statistically hidden, i.e. π 1 and π 2 do not leak information. Full Traceability. Reduction to unforgeability of hybrid signatures in G p Get parameters, build twin scheme in G q. Parameters of group signature are products of parameters of schemes in G p and G q. Forgery (S 1, S 2, S 3, S 4 ) is projected to G p by raising elements to the power of θ with θ 1 (mod p) and θ 0 (mod q). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

43 1 Motivation 2 Preliminaries 3 Results Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

44 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

45 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. 1 Form of a proof Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

46 The Leak-Tightness Lemma I Let (n, G, G T, e, g) be a bilinear group, and let a j, b j G, δ j,i, ε j,i Z n for 1 j l, 1 i m. Let (X i ) m i=1 Gm satisfy a pairing-product that is equation E (aj,b j ) j E (aj,b j ) j (X 1,..., X m ) : l ( e m a j j=1 i=1 X δ j,i i, b j m i=1 X ε j,i i ) = 1. 1 Let H G, (ρ i ) m Z m i=1 n. Then X i := X i H ρ i for 1 i m satisfy (a j e X δ ) ( j,i j i i, b X ε ( j,i j i i = e H, P E (Xi ), (ρ i ) )), (Ẽ ) ( where P E (Xi ), (ρ i ) ) := ((a j j i X δ j,i i ) P ε j,i ρ i (b j i X ε j,i i ) P δ j,i ρ i H (P δ j,i ρ i )( P ε j,i ρ i ) ). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

47 The Leak-Tightness Lemma II 2 Proofs do not leak info on plaintexts Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

48 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

49 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Simulation Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

50 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

51 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. 4 Projection Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

52 The Leak-Tightness Lemma II 2 Given (X i ) and (X i ) both satisfying E, and (ρ i), (ρ i ), s.t. for all 1 i m: X i H ρ i = X i Hρ i, then P E ( (Xi ), (ρ i ) ) = P E ( (X i ), (ρ i) ). 3 Let G = pq, let a j, b j, X i G p ; c j, d j, Y i G q for all i, j. If (X i ) satisfy E (aj,b j ) j and (Y i ) satisfy E (cj,d j ) j, then (X i Y i ) satisfy E (aj c j,b j d j ) j. 4 Let furthermore H G q and θ N be such that θ 1 (mod p) and θ 0 (mod q). If ( X i ) G satisfy Ẽ (aj c j,b j d j ) j for some P E, then ( X θ i ) satisfy E (aj,b j ) j. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

53 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = 1 ) ( = e (H, P E (Xi ), (ρ i ) )) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

54 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = e(h, P ) ) = e (H, P P ( E (Xi ), (ρ i ) )) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

55 Re-randomization (X i ) satisfy ( X i ) satisfy j e (a j j e (a j i X δ j,i i i X δ j,i i, b j i X ε j,i, b j i X ε j,i i i ) = e(h, P ) ) = e (H, P P ( E (Xi ), (ρ i ) )) So, given a proof P for ( X i ) satisfying Ẽ, one can re-randomize the ( X i ): X i := X i H ρ i with ρ i Z p and adapt the proof (without knowledge of the plaintexts!): P new := P P E (( X ), (ρ i)) If (( X i ), P) and ((Ỹi), P ) both satisfy Ẽ, then their re-randomizations are indistinguishable by SD and the Lemma. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

56 Application of Re-randomization Intermediate Delegator Anonymity Even the delegatee cannot distinguish warrants from dierent previous delegators. Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

57 Compatible Signature Scheme A signature scheme with the following properties: EUF-CMA secure verication keys lie in message space messages and signatures are G-elements verication by checking pairing-product equations. (ecient?) Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

58 Compatible Signature Scheme A signature scheme with the following properties: EUF-CMA secure verication keys lie in message space messages and signatures are G-elements verication by checking pairing-product equations. (ecient?) This paper: not quite ecient, based on new kind of assumption. Ecient implementation: F: Automorphic Signatures in Bilinear Groups Messages and public keys in G 2. Signatures in G 5 Verication: 7 pairing evaluations. q-sdh-style Assumption Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

59 Thank you! Fuchsbauer, Pointcheval (ENS) Proofs on Encrypted Values Pairing'09, / 24

Automorphic Signatures and Applications

École normale supérieure Département d Informatique Université Paris 7 Denis Diderot Automorphic Signatures and Applications PhD thesis Georg Fuchsbauer 13 October 2010 Abstract We advocate modular design