Practical Round-Optimal Blind Signatures in the Standard Model
Georg Fuchsbauer (Institute of Science and Technology Austria), Christian Hanser and Daniel Slamanig (IAIK, Graz University of Technology, Austria)
www.iaik.tugraz.at
Blind Signatures
  Important building block: e-voting, e-cash, ABCs, ...
Motivation
  Round-optimal blind signatures in the standard model are notoriously hard to construct
    Only 2 out of 50+ constructions are in the standard model (in 30+ years of research) [GRS+11, GG14]
    Difficulty: the malicious key model
    Underlined by the impossibility result of [FS10]
  Round-optimality is desirable
    Efficiency
    Concurrent security
Contribution
  1. New way to build round-optimal blind signatures from structure-preserving signatures on equivalence classes (SPS-EQ)
    1st practically efficient standard-model construction
    + extension to partially blind signatures
    1st one-show ABC in the standard model
    Caveat: blindness under an interactive DDH variant
Contribution (ctd)
  2. New results on SPS-EQ:
    1st standard-model construction
    SPS-EQ implies SPS
    Optimality criteria from SPS carry over
Preliminaries
  Asymmetric bilinear map $e : G_1 \times G_2 \to G_T$
    $e(aP, b\hat{P}) = e(P, \hat{P})^{ab}$ (Bilinearity)
    $e(P, \hat{P}) \neq 1_{G_T}$ (Non-degeneracy)
    $e(\cdot, \cdot)$ efficiently computable (Efficiency)
  Structure-Preserving Signatures [AFG+10]
    Signing of vectors of group elements
    Signatures and public keys consist only of group elements
    Verification solely via pairing-product equations + group-membership tests
Signing Equivalence Classes [HS14]
  As with projective space, we can partition $G^\ell$ into projective equivalence classes:
    $M \in G^\ell \ \sim_R\ N \in G^\ell \iff \exists\, k \in \mathbb{Z}_p^* : N = kM$
  Functionality: $\sigma$ on $M$ allows deriving $\sigma'$ on any $M' \in [M]_R$
  Indistinguishability of classes iff DDH holds on $G$
Signing Equivalence Classes (ctd) [HS14]
  SPS-EQ: as SPS, i.e. $\mathsf{BGGen}_R, \mathsf{KeyGen}_R, \mathsf{Sign}_R, \mathsf{Verify}_R$, but messages = representatives
  Plus: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk)$: given $\sigma$ for $M$, return $\sigma'$ for $\mu M$
Signing Equivalence Classes (ctd) [HS14]
  Security properties:
    Correctness
    EUF-CMA security
    Class-hiding
  EUF-CMA defined w.r.t. equivalence classes:
    $\Pr\big[\, BG \leftarrow \mathsf{BGGen}_R(1^\kappa),\ (sk, pk) \leftarrow \mathsf{KeyGen}_R(BG, \ell),\ (M^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}(sk,\cdot)}(pk) \,:\, [M^*]_R \neq [M]_R\ \forall\, \text{queried } M\ \wedge\ \mathsf{Verify}_R(M^*, \sigma^*, pk) = 1 \,\big] \leq \epsilon(\kappa)$
Signature Distribution
  Perfect adaption of signatures: $\mathsf{ChgRep}_R(M, \sigma, \mu, pk)$ is distributed identically to $\mathsf{Sign}_R(\mu M, sk)$
  Perfect adaption of signatures (malicious keys): $\sigma' \leftarrow \mathsf{ChgRep}_R(M, \sigma, \mu, pk)$ is uniform in the space of valid signatures on $\mu M$
Blind Signatures from SPS-EQ
  Outline:
    Black-box from any EUF-CMA-secure, perfectly adapting SPS-EQ
    Blind under a plausible interactive DDH variant (honest-key-blind under plain DDH)
Blind Signatures from SPS-EQ (ctd)
  Idea:
    Commit to $m$ with a Pedersen commitment $C = mP + rQ$
    Obtain signature $\pi$ on a random representative $M \leftarrow_R [(C, P)]_R$
    Derive $\sigma$ on $(C, P)$
    Output $\sigma$ + opening of $C$
Blind Signatures from SPS-EQ (ctd)
  (protocol figure: the one-round exchange between user and signer)
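The user-side arithmetic of this outline, as an added example that is not from the slides or the authors' implementation: a constructed toy prime-order group written additively to match the slides, showing the commitment, the random class representative the signer receives, and the unblinding via ChgRep's scalar. The pairing-based SPS-EQ signature itself is not implemented; the toy group is for illustration only and is not secure.

```python
import secrets

# Constructed toy group (NOT secure, for illustration only): the order-q subgroup
# of Z_p^* for the safe prime p = 2q + 1. The slides use additive notation, so
# "kX" is pow(X, k, p) and "X + Y" is X * Y mod p; scalars live in Z_q.
p, q = 1019, 509
P = 4                      # 4 = 2^2 generates the order-q subgroup of squares

def smul(k, X):
    """Scalar multiplication kX in additive notation."""
    return pow(X, k % q, p)

def gadd(X, Y):
    """Group addition X + Y in additive notation."""
    return X * Y % p

def pedersen_commit(m, r, Q):
    """C = mP + rQ as on the slides; Q is the second base taken from pk."""
    return gadd(smul(m, P), smul(r, Q))

def blind(C, s):
    """Random representative s(C, P) of the class [(C, P)]_R; this is the
    only thing the signer ever sees."""
    return (smul(s, C), smul(s, P))

def unblind(M, s):
    """Message part of ChgRep_R with mu = s^{-1}: maps the signed representative
    back to (C, P). The signature part needs the pairing-based SPS-EQ, which
    this toy deliberately leaves out."""
    inv = pow(s, -1, q)
    return (smul(inv, M[0]), smul(inv, M[1]))

def same_class(M, N, k):
    """Class membership with known witness k: N = kM componentwise."""
    return all(smul(k, a) == b for a, b in zip(M, N))

def open_commitment(C, m, r, Q):
    """Verifier's check of the opening (m, r) published together with sigma."""
    return C == pedersen_commit(m, r, Q)

def run_user(m, Q):
    """User side of the round-optimal protocol; returns what the verifier gets."""
    r = secrets.randbelow(q - 1) + 1
    s = secrets.randbelow(q - 1) + 1
    C = pedersen_commit(m, r, Q)
    sent = blind(C, s)                    # user -> signer: s(C, P)
    # signer -> user: pi on `sent` (omitted here); user runs ChgRep with 1/s
    C2, P2 = unblind(sent, s)
    assert (C2, P2) == (C, P) and same_class((C, P), sent, s)
    return C2, (m, r)                     # sigma on (C, P) would accompany this
```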
Blind Signatures from SPS-EQ (ctd)
  Security:
    Unforgeable under EUF-CMA security of SPS-EQ + Diffie-Hellman-Inversion assumption
    Blind under an interactive DDH variant (malicious keys) in the standard model
Warmup: Proving Blindness (honest keys)
  (figure: the honest-key blindness game)
Warmup: Proving Blindness (honest keys; ctd)
  Game 0 (original game):
    $U(m_b, pk)$ sends $(s\, m_b P + rsQ,\ sP)$
    $U(m_{1-b}, pk)$ sends $(s'\, m_{1-b} P + r's'Q,\ s'P)$
  Game 1: $U(m_b, pk)$ sends $(s\, m_b P + tQ,\ sP)$
  Game 2: $U(m_{1-b}, pk)$ analogously
  $m_b$, $m_{1-b}$ perfectly hidden in Game 2
Warmup: Proving Blindness (honest keys; ctd)
  Under DDH: Game 0 $\approx_c$ Game 1 $\approx_c$ Game 2
  Simulating $U(m_b, pk)$:
    Embed DDH instance $(P, sP, rP, tP)$; $q \in sk$ (where $Q = qP$)
    Send $(m_b\, sP + q\, tP,\ sP)$
  How to unblind without $s$? Use $sk$ to recompute $\sigma_b$ on $(m_b P + q\, rP,\ P)$
  Distribution of $\sigma_b$? Perfect adaption!
  $t = rs$: Game 0; $t$ random: Game 1
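Worked out as an addition to the slides, with the slides' symbols and $Q = qP$ (so $q$ is known to the simulator through $sk$), why the simulator's message and its recomputed signature match the games above:
\[
s\,(C, P) = \big(s\,m_b P + s r Q,\ sP\big) = \big(m_b\,(sP) + q\,(rs)P,\ sP\big),
\]
so embedding the DDH instance $(P, sP, rP, tP)$ and sending $(m_b\,sP + q\,tP,\ sP)$ yields exactly the Game 0 message when $t = rs$, and the Game 1 message $(s\,m_b P + tQ,\ sP)$ (since $tQ = q\,tP$) when $t$ is random. Unblinding normally applies $\mathsf{ChgRep}_R$ with $\mu = s^{-1}$, which the simulator cannot do without $s$; instead it signs
\[
(m_b P + q\,rP,\ P) = (m_b P + rQ,\ P) = (C, P)
\]
directly with $sk$, and by perfect adaption this $\sigma_b$ has the same distribution as the honestly unblinded one, namely that of $\mathsf{Sign}_R((C, P), sk)$. Finally, in Game 2 both first messages have the form $(s\,mP + tQ,\ sP)$ with fresh uniform $t$; as $Q = qP \neq 0$ generates $G$, for fixed $s$ and any $m$ the map $t \mapsto s\,mP + tQ$ is a bijection $\mathbb{Z}_p \to G$, so the message is uniform on $G \times \{sP\}$ independently of $m$, which is why $m_b$ and $m_{1-b}$ are perfectly hidden.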
Proving Blindness
  Blindness under malicious keys:
    $pk$ determined by $\mathcal{A}$
    No access to $sk$
    Rest stays the same
Proving Blindness (ctd)
  No access to $sk$: perfect adaption under malicious keys!
  $(Q, \hat{Q})$ determined by $\mathcal{A}$: can't embed DDH
    Interactive DDH variant: relative to $(Q, \hat{Q})$
  Still can't recompute $\sigma$!
    Use $\mathcal{A}$ as signing oracle by rewinding!
Proving Blindness (ctd)
  Interactive DDH variant: given $(Q, \hat{Q})$ output by $\mathcal{A}$ with $e(Q, \hat{P}) = e(P, \hat{Q})$:
    is $t$ in $(rP, rQ, sP, tQ)$ random, or $t = rs$?
  Hard in the generic-group model
Proving Blindness (ctd)
  Simulating $U(m_b, pk)$ (1st run): (figure)

Proving Blindness (ctd)
  Simulating $U(m_b, pk)$ (2nd run): (figure)
Efficiency
  Instantiated with the SPS-EQ from [FHS14]:
    User, signer: a few scalar multiplications
    Verify: 7 pairings, 1 scalar multiplication
Partially Blind Signatures and One-show ABCs
  Partially blind signatures: obtain signature on $[(mP, \gamma P, P)]_R$ for common info $\gamma \in \mathbb{Z}_p$
  One-show ABCs in the vein of Brands:
    Use generalized Pedersen commitments committing to message vectors
    PoKs over attributes during issuing + showing
New Insights on SPS-EQ
  SPS-EQ implies SPS: sign $(M, P)$ to sign $M$; then only 1 valid representative per class, hence standard EUF-CMA
  Optimality results from [AGHO11] apply to SPS-EQ:
    3 bilateral signature elements
    2 PPEs for verification
  [AGO11]: no reduction from optimally-short SPS-EQ to non-interactive assumptions
Standard-Model SPS-EQ Construction
  Using the trick of Abe et al. [AGHO11]: add 2 random elements to the message
    No perfect adaption; only class-hiding
    EUF-CMA proof more involved than [AGHO11]
Conclusions
  Practically efficient round-optimal (partially) blind signatures in the standard model
  One-show ABC in the standard model
  New results on SPS-EQ:
    Standard-model construction
    New properties
    SPS from SPS-EQ (and implications)
Thank you for your attention!
christian.hanser@iaik.tugraz.at
Supported by: (sponsor logos)
References
[AFG+10] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. CRYPTO 2010
[AGHO11] M. Abe, J. Groth, K. Haralambiev, M. Ohkubo. Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. CRYPTO 2011
[AGO11] M. Abe, J. Groth, M. Ohkubo. Separating Short Structure-Preserving Signatures from Non-interactive Assumptions. ASIACRYPT 2011
[FHS14] G. Fuchsbauer, C. Hanser, D. Slamanig. EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes. Cryptology ePrint Archive 2014
[FS10] M. Fischlin, D. Schröder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010
[GG14] S. Garg, D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014
[GRS+11] S. Garg, V. Rao, A. Sahai, D. Schröder, D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011
[HS14] C. Hanser, D. Slamanig. Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials. ASIACRYPT 2014