Anonymous Proxy Signature with Restricted Traceability

Similar documents
Ring Group Signatures

Katz, Lindell Introduction to Modern Cryptrography

Authentication. Chapter Message Authentication

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

A short identity-based proxy ring signature scheme from RSA

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures

Short Signatures Without Random Oracles

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Transitive Signatures Based on Non-adaptive Standard Signatures

A DAA Scheme Requiring Less TPM Resources

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Essam Ghadafi CT-RSA 2016

Notes on Zero Knowledge

Schnorr Signature. Schnorr Signature. October 31, 2012

John Hancock enters the 21th century Digital signature schemes. Table of contents

Security of Blind Signatures Revisited

Anonymous Credentials Light

Group Undeniable Signatures

A Security Proof of KCDSA using an extended Random Oracle Model

Computing on Authenticated Data for Adjustable Predicates

A Pairing-Based DAA Scheme Further Reducing TPM Resources

A Strong Identity Based Key-Insulated Cryptosystem

Digital Signatures. Adam O Neill based on

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Constructing Provably-Secure Identity-Based Signature Schemes

Efficient Identity-based Encryption Without Random Oracles

Lecture 18: Message Authentication Codes & Digital Signa

Lecture 7: Boneh-Boyen Proof & Waters IBE System

ECash and Anonymous Credentials

Foundations of Cryptography

Anonymous Credentials Light

REMARKS ON IBE SCHEME OF WANG AND CAO

Research Article A Novel Anonymous Proxy Signature Scheme

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Entity Authentication

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

18734: Foundations of Privacy. Anonymous Cash. Anupam Datta. CMU Fall 2018

Group Undeniable Signatures

VI. The Fiat-Shamir Heuristic

Efficient Public-Key Distance Bounding

A New Certificateless Blind Signature Scheme

Multi-key Hierarchical Identity-Based Signatures

Sub-linear Blind Ring Signatures without Random Oracles

Improving the Security of an Efficient Unidirectional Proxy Re-Encryption Scheme

Applied cryptography

Boneh-Franklin Identity Based Encryption Revisited

Provable security. Michel Abdalla

A DL Based Short Strong Designated Verifier Signature Scheme with Low Computation

A Novel Strong Designated Verifier Signature Scheme without Random Oracles

Augmented Black-Box Simulation and Zero Knowledge Argument for NP

Advanced Topics in Cryptography

Multi-Key Homomorphic Signatures Unforgeable under Insider Corruption

Simple Schnorr Multi-Signatures with Applications to Bitcoin

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Lattice-based Multi-signature with Linear Homomorphism

CPSC 467b: Cryptography and Computer Security

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

New Constructions of Convertible Undeniable Signature Schemes without Random Oracles

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

Anonymous and Publicly Linkable Reputation Systems

II. Digital signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Type-based Proxy Re-encryption and its Construction

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Uncloneable Quantum Money

1 Number Theory Basics

Anonymous Signatures Made Easy

RSA-OAEP and Cramer-Shoup

Threshold Undeniable RSA Signature Scheme

On Security of Two Nonrepudiable Threshold Multi-proxy Multi-signature Schemes with Shared Verification

Signatures and DLP-I. Tanja Lange Technische Universiteit Eindhoven

Memory Lower Bounds of Reductions Revisited

Attribute-Based Ring Signatures

A New Proxy Signature Scheme for a Specified Group of Verifiers

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Cryptanalysis of Threshold-Multisignature Schemes

From Secure MPC to Efficient Zero-Knowledge

Short Group Signatures with Efficient Flexible Join

Lecture 7: CPA Security, MACs, OWFs

Digital Signatures from Challenge-Divided Σ-Protocols

Convertible Group Undeniable Signatures

ID-Based Blind Signature and Ring Signature from Pairings

Tightly-Secure Signatures From Lossy Identification Schemes

Certificateless Signcryption without Pairing

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

White-Box Security Notions for Symmetric Encryption Schemes

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Impossibility and Feasibility Results for Zero Knowledge with Public Keys

CPSC 467b: Cryptography and Computer Security

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

A New Approach to Threshold Attribute Based Signatures

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

New Framework for Secure Server-Designation Public Key Encryption with Keyword Search

Digital Signatures. p1.

Some Security Comparisons of GOST R and ECDSA Signature Schemes

Improved Structure Preserving Signatures under Standard Bilinear Assumptions

A Fully-Functional group signature scheme over only known-order group

Transcription:

Anonymous Proxy Signature with Restricted Traceability Jiannan Wei Joined work with Guomin Yang and Yi Mu University of Wollongong

Outline Introduction Motivation and Potential Solutions Anonymous Proxy Signature with Restricted Traceability Formal Definition Security Requirement Our APSRT Construction Adversary Type Security Model Security Proof Conclusion

Introduction Proxy Signature: When the original signer was not available or leave and he/she will delegate the signing rights to proxy signature. Original signer Proxy signature Verifier

Motivation Signer anonymity: user privacy in many applications We study signer anonymity for proxy signature which allows a signer delegate the signing right to another signer, since the proxy signer is the actual signer, we are interested in protecting the proxy signer s identity.

Ring and Group Signature Figure: Ring signature Group signature: the group manager is able to reveal the identity of the signer for any valid group signature. Ring signature: any ring members can sign messages on behalf of the whole ring without reveal the identity of his/her real identity.

Potential Solutions In the proxy signature, traceability is an very important property, since the proxy signer may abuse the signing right. Combine a group signature with the proxy signature Problem: The group manager has too strong a tracebility that can trace any signature include the signature generated by honest signer. Use a ring signature combine with the proxy signature Problem: It has nothing to restrict anonymity and is vulnerable to malicious signers.

Traceable Ring Signature Traceable Ring Signature: A ring signature with a gentle anonymity restriction, which consider one-more unforgeability and double-spending traceability. Unforgeability Anonymity Publicly Traceability: dishonest signer can be publicly traced by anyone. Exculpability: it is against the framing attack, i.e. an honest user cannot be framed by other users in the system.

Potential Solution Combine the proxy signature with traceability ring signature Advantage: Traceability ring signature is a tag-based signature, a signer can sign messages only once per tag. Problem: If the ring members sign messages twice with the same tag, his identity can be publicly traced.

Contribution Our anonymous proxy signature with restricted traceability Allows the original signer to trace the dishonest signer and at the same time protect the identity of the honest signer even against the original signer.

Formal Definition APSTR signature scheme consists following algorithms. Parameter generation(pg): P aram PG(κ). Key generation(kg): (Y, x) KG(P aram). Delegation signing(ds): σ 0 DS(m ω, x 0 ) Delegation verification(dv): 0/1 DV(Y 0, m ω, σ 0 ) APS generation(ps): σ PS(m, Y 0, L = (issue, Y N ), x i, σ 0 ), where Y N = {Y 1,, Y n }. APS verification(pv): 0/1 PV(m, Y 0, σ, L, m ω ) Tracing(T R): indep/linked/y i Y N T R((m, σ), (m, σ ), L, m ω, σ 0 )

Security requirement 1 Unforgeability 2 Anonymity 3 Restricted Traceability: If the proxy signer is dishonest, no outsider is able to link signatures generated by the dishonest proxy signer. 4 Exculpability

Anonymous Proxy Signature with Restricted Traceability(APSRT): General idea: Challenge problem: develop new techniques that could disallow outsiders to perform the trace operation. We try to randomize each proxy signature so that only the original signer or another proxy signer who has also been delegated the same signing right has the secret to de-randomize the proxy signature. Our APSRT which can guarantee the anonymity against original signer and the restricted traceability against outsider.

Our Construction of APSRT(1) Parameter generation. Taking κ as input, outputs (G, q, P ), G is a cyclic group of prime order q and P is a generator of G. Let H 0 : {0, 1} G Z q, H : {0, 1} G, H : {0, 1} G and H : {0, 1} Z q. P aram = (G, q, P, H 0, H, H, H ). Key generation. User i randomly selects x i Z q and computes Y i = x i P. (x i, Y i ) is the key pair of the user. Delegation sign. The original signer first generates a warrant m ω. Original signer randomly chooses α Z q and computes W o = αp.

Our Construction of APSRT(2) Delegation sign. Proxy signer picks another random r Z q and computes R = rp, s = r + x 0 H 0 (m ω, R, W o ) mod q. Finally, the proxy signer sends (m ω, α, R, s) to all the proxy signers in U = {u 1, u 2,..., u n } via a secure channel. Delegation verification. Upon receiving (m ω, α, R, s), the proxy signer u i checks if sp = R + H 0 (m ω, R, W o = αp )Y 0. If it holds, the proxy signer u i computes his/her proxy signing secret key psk i = s + x i H 0 (m ω, R, W o ) = r + H 0 (m ω, R, W o )(x 0 + x i ) mod q. For simplicity, let pk i = psk i P = R + H 0 (m ω, R, W o )(Y 0 + Y i ) denote the corresponding proxy signing public key. Proxy Sign To sign m {0, 1} with respect to a tag L = (issue, Y N ) where Y N are public keys of some proxy signers described in the the warrant m ω, the real proxy signer u i proceeds as follows:

Our Construction of APSRT(3) Proxy Sign Randomly choose β Z q, compute F = H(L), W p = (W p1, W p2) = (αβp, βf ) and σ i = αβf + psk if = (αβ + psk i)f. Set A 0 = H (L, m) and A 1 = 1 (σi A0). i For all j i, compute σ j = A 0 + ja 1 G. Note that every (j, log F (σ j)) is on the line defined by (0, log F (A 0)) and (i, psk i + αβ). Generate (c N, z N ) based on a (non-interactive) zero-knowledge proof of knowledge for the language L = {(L, F, σ N ) i N s.t. log P (pk i) = log F (σ i)} where σ N = (σ 1, σ 2,..., σ n) and pk i = W p1 + pk i as follows:

Our Construction of APSRT(4) Proxy Sign Generate (c N, z N ) based on a NIZK proof of knowledge for the language L as follows: 1 Pick random ω i Z q and set a i = ω i P, b i = ω i F G. 2 Pick random z j, c j Z q, and set a j = z j P + c j pk j, b j = z j F + c j σ j G for every j i. 3 Set c = H (L, m, A 0, A 1, a N, b N ) where a N = (a 1,..., a n) and b N = (b 1,..., b n). 4 Set c i = c Σ j i c j mod q and z i = ω i c i (αβ + psk i ) mod q. 5 Return (c N, z N ), where c N = (c 1,..., c n) and z N = (z 1,..., z n), as a proof for L.

Our Construction of APSRT(5) Proxy Sign Perform another (non-interactive) zero-knowledge proof of knowledge for as follows L = {(F, W p2, W o, W p1) log Wo W p1 = log F W p2} 1 Pick random ω Z p and set ã = ωw o, b = ωf G. 2 Set c = H (L, m, A 0, A 1, ã, b). 3 Set z = ω cβ. 4 Return ( c, z) as a proof for L. Return σ = (A 1, R, W o, W p, c N, z N, c, z) as the signature on (L, m).

Our Construction of APSRT(6) Verification To verify a proxy signature σ = (A 1, R, W o, W p, c N, z N, c, z) on message m and tag L, check the following: 1 Parse L as (issue, Y N ), and compute pk i = W p1 + pk i = W p1 + R + H 0(m ω, R, W o)(y 0 + Y i) for all i N. 2 Set F = H(L) and A 0 = H (L, m), and compute σ i = A 0 + ia 1 G for all i N. 3 Compute a i = z ip + c ipk i, b i = z if + c iσ i, for all i N. 4 Check that H (L, m, A 0, A 1, a N, b N ) = Σ i N c i mod q, where a N = (a 1,..., a n) and b N = (b 1,..., b n). 5 Compute ã = zw o + cw p1, b = zf + cw p2. 6 Check if H (L, m, A 0, A 1, ã, b) = c. 7 If all the above checks are successful, outputs accept; otherwise, outputs reject.

Our Construction of APSRT(7) Tracing To check the relation between (m, σ) and (m, σ ) under the same warrant m ω and the same tag L where σ = (A 1, R, W o, W p, c N, z N, c, z) and σ = (A 1, R, W o, W p, c N, z N, c, z ), check the following: 1 Parse L as (issue, Y N ). Set F = H(L) and A 0 = H (L, m). Compute σ i = A 0 + ia 1 G for all i N. Since W p = (αβp, βf ), with the secret α, the original signer or any proxy signer specified in the warrant m ω can compute σ i = σ i αβf = psk if G for all i N. Do the same operation for σ to get σ i for all i N. 2 For all i N, if σ i = σ i, store pki in TList, where TList is initially empty. 3 Output pk if pk is the only entry in TList; linked if TList = Y N ; indep otherwise.

Our Construction of APSRT(8) Correcness: z ip + c ipk i [ [ = ω i c i αβ + (r + H0(m ω, R, W o)(x 0 + x ]] i)) P + c ipk i =ω ip c i [ αβ + r + H0(m ω, R, W o)(x 0 + x i) ] P + c i[αβp + R + H 0(m ω, R, W o)(y 0 + Y i)] =ω ip =a i z if + c iσ i [ [ = ω i c i αβ + (r + H0(m ω, R, W o)(x 0 + x ]] i)) F + c i(αβf + psk if ) ( =ω if c i αβ + (r + H0(m ω, R, W o)(x 0 + x ) i)) F + c iαβf + c if (r + H 0(m ω, R, W o)(x 0 + x i)) =ω if =b i

Our Construction of APSRT(9) Correcness: zw o + cw p1 = (ω cβ)αp + cαβp = ωαp = ã zf + cw p2 = (ω cβ)f + cβf = ωf = b

Adversary Type Type I: Outsider. (Y 0, Y 1,... Y n ) Type II: Adversary is a proxy signer. (Y 0, Y 1,... Y n, x 1,... x n ) Type III: Adversary is the original signer. (Y 0, Y 1,... Y n, x 0 )

Security Model Unforgeability Unforgeability against type II adversary Unforgeability against type III adversary Restricted Traceability Tag-linkability Untraceability against outsider Anonymity against original signer Exculpability

Unforgeability against proxy signer Setup: C runs the algorithm to obtain the secret key and public key pairs (x 0, Y 0 ), (x 1, Y 1 ),..., (x n, Y n ) of the original signer and n proxy signers. C then sends (Y 0, Y 1,..., Y n, x ik ) (i k ) {1,..., n} to the adversary A II. Delegation signing query: A II can request a signature on a warrant he chooses. In response, C outputs a signature σ on m ω. Output: Finally, A II outputs a target warrant m ω and σ such that σ is a valid delegation signature on m ω. m ω has never been requested in delegation signature queries.

Untraceability against outsider Setup: C runs the algorithm to obtain the (x 1, Y 1 ),..., (x n, Y n ) representing the keys of n proxy signers, which will be send to adversary A. Key selection: The adversary A outputs (Y i, Y j ) as the two target proxy signer s public keys, let b {i, j} be a random hidden bit. A sends the (Y i, Y j ) to C. Proxy signing query: A may access 3 signing oracles: Sig pskb, Sig pski, Sig pskj for the warrant m ω and the tag, where Sig pskb is the signing oracle with respect to proxy signer b(b {i, j}) who has a valid proxy signing key psk b ; Sig pski (resp. Sig pskj ) is the signing oracle with respect to proxy signer i who has a valid proxy signing key psk i. Output: Finally, A outputs a bit b, A wins the game if b = b.

Theorems Theorem If there exists a type II adversary A II which can break the proposed APSRT scheme, then we can construct another adversary B who can use A II to solve DL problem. Theorem If there exists an adversary D who can correctly guess b with an non-negligible advantage ɛ, we can construct another algorithm B that can solve DDH problem.

Security Proof of Unforgeability 1 Proof. Given (P, x P ) for some unknown x Z p as an instance of DL problem. B can solve the DL problem with the help of A II. B sets original signer s public key Y 0 = Y = x P, and generate the keys for proxy signers honestly. Then B sends (Y 0, Y 1,... Y n, x 1,... x n ) to adversary A. H 0 hash query: A II send the query (m ω, R, W o ), B will check the H 0 list. If query tuple ((m ω, R, W o ), h i ) in the H o list, B returns h i to A II. Otherwise, B choose a random number h i Z p. Add ((m ω, R, W o ), h i ) to H o list, return h i to A II.

Security Proof of Unforgeability 2 Delegation signing queries: A II send a query of m ωi, B performs the following: Randomly choose c, s, α Z q and compute R = sp cy. Set W o = αp, H 0 = (m ω, R, W o ) = c and store ((m ω, R, W o ), c) into the hash list H 0. Return σ 0 = (α, R, s) as the delegation signing key for m ω. Output: A output σ 0 = (α, R, s ) which is a valid delegation signing key for warrant m ω. m ω should not have been queried before. Forking lemma: rewinding A II, B can obtain s 1 = r + c 1x 0, s 2 = r + c 2x 0. c 1 and c 2 are two hash outputs of H 0. B can output x 0 = s 1 s 2 c 1 c 2 mod q as the value of x and the solution of DL problem.

Security Proof of Untraceability 1 Proof. If D can correctly guess b with ɛ, we can construct B who can solve DDH problem. Setup: B generate all the public and private keys by running the key generation algorithm. B sends all the public keys to the adversary D. Key selection: D outputs a m ω, a tag L and two target proxy signer s public keys (Y i, Y j ), i, j N. B then sets W o = ap and F = H(L) = bp, randomly selects r Z q and computes R = rp and s = r + x 0 H 0 (m ω, R, W o ). B also randomly selects b {i, j}, and answer D s queries as follows.

Security Proof of Untraceability 2 Hash queries: All the hash queries made by D are answered as in the previous proof where B maintains a hash table for each hash oracle. Proxy signing queries: When D makes a proxy signing query to Sig pski on message m, B randomly selects β Z q, and computes W p = (βw o, βf ) and σ i = βzp + psk i F. β generate A 0, A 1 and σ j (j i) by following the proxy signing algorithm. B also simulates the NIZK proof for language L using the following simulator.

Security Proof of Untraceability 3 NIZK Simulator: 1 For all i N, uniformly pick up at random z i, c i Z p, and compute a i = z i P + c i pk i, b i = z i F + c i σ i G. 2 Set H (L, m, A 0, A 1, a N, b N ) as c:= i N c i where a N = (a 1, a 2,..., a n ), b N = (b 1, b 2,..., b N ). 3 Output (c N, z N ), where c N = (c 1, c 2,..., c N ) and z N = (z 1, z 2,..., z N ). B also simulates the NIZK proof ( c, z) for language L honestly using the knowledge of β. Finally, B returns σ = (A 1, R, W o, W p, c N, z N, c, z) to D. Output: Finally, D outputs b. If b = b, B outputs 1; Otherwise, B outputs 0.

Conclusion We put forward to the notion of APSRT. We proposed a new concrete APSRT scheme which ensure the requirement of anonymity against the original signer, restricted untraceability against outsider. We also provided formal security proof to demonstrate that our APSRT is provable secure.

Thanks. Any questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback