Practical Round-Optimal Blind Signatures in the Standard Model


Talk slides (transcript). Georg Fuchsbauer, Christian Hanser and Daniel Slamanig; Institute of Science and Technology Austria and IAIK, Graz University of Technology, Austria. www.iaik.tugraz.at

Blind Signatures
- Important building block: e-voting, e-cash, ABCs, ...

Motivation
- Round-optimal blind signatures in the standard model are notoriously hard to construct
- Only 2 out of 50+ constructions are in the SM (in 30+ years of research) [GRS+11, GG14]
- Difficulty: the malicious key model, underlined by the impossibility result [FS10]
- Round-optimality is desirable: efficiency, concurrent security

Contribution
1. New way to build round-optimal blind signatures from structure-preserving signatures on equivalence classes (SPS-EQ)
   - 1st practically efficient standard-model construction, plus an extension to partially blind signatures
   - 1st one-show ABC in the standard model
   - Caveat: blindness under an interactive DDH variant
2. New results on SPS-EQ:
   - 1st standard-model construction
   - SPS-EQ implies SPS
   - Optimality criteria from SPS carry over

Preliminaries
- Asymmetric bilinear map $e: G_1 \times G_2 \to G_T$ with
  - $e(aP, b\hat{P}) = e(P, \hat{P})^{ab}$ (bilinearity)
  - $e(P, \hat{P}) \neq 1_{G_T}$ (non-degeneracy)
  - $e(\cdot, \cdot)$ efficiently computable (efficiency)
- Structure-Preserving Signatures [AFG+10]: signing group-element vectors
  - signatures and PKs consist only of group elements
  - verification solely via pairing-product equations + group-membership tests

Signing Equivalence Classes [HS14]
- As with projective space, we can partition $G^\ell$ into projective equivalence classes:
  $M \in G^\ell \;\sim_R\; N \in G^\ell \iff \exists\, k \in \mathbb{Z}_p^* : N = k \cdot M$
- Functionality: $\sigma$ on $M$ allows deriving $\sigma'$ on $M' \in [M]_R$
- Indistinguishability of classes holds iff DDH holds on $G$

Signing Equivalence Classes (ctd) [HS14]
- SPS-EQ: as SPS, algorithms $\mathrm{BGGen}_R, \mathrm{KeyGen}_R, \mathrm{Sign}_R, \mathrm{Verify}_R$, but messages = representatives
- Plus $\mathrm{ChgRep}_R(M, \sigma, \mu, pk)$: given $\sigma$ for $M$, return $\sigma'$ for $\mu M$

Signing Equivalence Classes (ctd) [HS14]
- Security properties: correctness, EUF-CMA security, class-hiding
- EUF-CMA defined w.r.t. equivalence classes:
  $\Pr\big[\mathrm{BG} \leftarrow \mathrm{BGGen}_R(1^\kappa),\ (sk, pk) \leftarrow \mathrm{KeyGen}_R(\mathrm{BG}, \ell),\ (M^*, \sigma^*) \leftarrow \mathcal{A}^{\mathcal{O}(sk,\cdot)}(pk) :\ [M^*]_R \neq [M]_R\ \forall \text{ queried } M \ \wedge\ \mathrm{Verify}_R(M^*, \sigma^*, pk) = 1\big] \le \epsilon(\kappa)$

Signature Distribution
- Perfect adaption of signatures: $\mathrm{ChgRep}_R(M, \sigma, \mu, pk)$ is distributed identically to $\mathrm{Sign}_R(\mu M, sk)$
- Perfect adaption of signatures (malicious keys): $\sigma' \leftarrow \mathrm{ChgRep}_R(M, \sigma, \mu, pk)$ is uniform in the space of signatures on $\mu M$

Blind Signatures from SPS-EQ
- Outline: black-box from any EUF-CMA-secure, perfectly adapting SPS-EQ
- Blind under a plausible interactive DDH variant (honest-key-blind under DDH)

Blind Signatures from SPS-EQ (ctd)
- Idea: commit to $m$ with a Pedersen commitment $C = mP + rQ$
- Obtain signature $\pi$ on a random representative $M \leftarrow_R [(C, P)]_R$
- Derive $\sigma$ on $(C, P)$
- Output $\sigma$ + opening of $C$
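The four steps above, and the class/ChgRep mechanics from the SPS-EQ slides, as an added toy walk-through (not code from the paper or its authors). The bilinear group is replaced by the additive group Z_p with generator P = 1, so a scalar multiple sP is just s mod p and a pairing e(aP, bP̂) collapses to a·b mod p; discrete logarithms are trivial, so the toy has no security and the "public key" is only a stand-in. The signature shape (Z, Y, Ŷ) and the verification equations imitate the structure of the [FHS14] scheme; the group order, the names `bs_keygen`, `user_blind`, `signer_sign`, `user_unblind`, `verify_blind`, and the sample message are constructed here.

```python
"""Toy walk-through of blind signatures from SPS-EQ (added illustration).

Not the paper's code. The bilinear group is replaced by the additive
group Z_p with generator P = 1, so a*P is the integer a mod p and a
pairing e(aP, bP_hat) collapses to a*b mod p. Discrete logs are trivial
here, so the toy has no security; it only exhibits the algebra:
projective equivalence classes, ChgRep re-randomisation, and the
commit / blind / unblind flow of the construction.
"""
import secrets

p = 2**61 - 1   # prime group order (constructed toy parameter)
P = 1           # generator; in this toy G1, G2 and the scalars coincide


def inv(a):
    return pow(a, -1, p)


def rand_scalar():
    """Uniform element of Z_p^* (never 0, so always invertible)."""
    return 1 + secrets.randbelow(p - 1)


# ---- toy SPS-EQ with the shape of the [FHS14] scheme --------------------
def keygen(l):
    sk = [rand_scalar() for _ in range(l)]
    pk = [x * P % p for x in sk]            # X_hat_i = x_i * P_hat
    return sk, pk


def sign(M, sk):
    y = rand_scalar()
    Z = y * sum(x * m for x, m in zip(sk, M)) % p
    Y, Y_hat = inv(y) * P % p, inv(y) * P % p
    return (Z, Y, Y_hat)


def verify(M, sig, pk):
    Z, Y, Y_hat = sig
    # e(Z, Y_hat) = prod_i e(M_i, X_hat_i)   and   e(P, Y_hat) = e(Y, P_hat)
    lhs_ok = Z * Y_hat % p == sum(m * x for m, x in zip(M, pk)) % p
    return lhs_ok and P * Y_hat % p == Y * P % p


def chgrep(M, sig, mu, pk):
    """Turn a signature on M into a fresh-looking one on mu*M."""
    Z, Y, Y_hat = sig
    psi = rand_scalar()                     # re-randomises the signature
    new_M = [mu * m % p for m in M]
    return new_M, (psi * mu * Z % p, inv(psi) * Y % p, inv(psi) * Y_hat % p)


def same_class(M, N):
    """N = k*M for some k in Z_p^*; for 2-vectors a cross-product test."""
    return M[0] * N[1] % p == N[0] * M[1] % p


# ---- round-optimal blind signature on top of it --------------------------
def bs_keygen():
    sk, pk = keygen(2)
    q = rand_scalar()                       # Pedersen base Q = qP, q kept in sk
    return {"sk": sk, "q": q}, {"pk": pk, "Q": q * P % p}


def user_blind(m, pk_bs):
    """Move 1: commit C = mP + rQ and send a random representative of
    the class [(C, P)], namely (sC, sP)."""
    r, s = rand_scalar(), rand_scalar()
    C = (m * P + r * pk_bs["Q"]) % p
    blinded = [s * C % p, s * P % p]
    return blinded, {"r": r, "s": s, "C": C}


def signer_sign(blinded, sk_bs):
    """Move 2: the signer signs whatever representative it received."""
    return sign(blinded, sk_bs["sk"])


def user_unblind(sig_blinded, state, pk_bs):
    """Shift the signature back to the canonical representative (C, P)
    with mu = 1/s; the blind signature is (sigma, r), r opening C."""
    s, C = state["s"], state["C"]
    canon, sig = chgrep([s * C % p, s * P % p], sig_blinded, inv(s), pk_bs["pk"])
    assert canon == [C, P]
    return (sig, state["r"])


def verify_blind(m, bsig, pk_bs):
    sig, r = bsig
    C = (m * P + r * pk_bs["Q"]) % p        # recompute the commitment from the opening
    return verify([C, P], sig, pk_bs["pk"])


def demo(m=42):
    """Run the full flow; report what the signer saw and the outcome."""
    sk_bs, pk_bs = bs_keygen()
    blinded, state = user_blind(m, pk_bs)
    bsig = user_unblind(signer_sign(blinded, sk_bs), state, pk_bs)
    return {
        "signer_saw_canonical": blinded == [state["C"], P],
        "signer_view_in_class": same_class(blinded, [state["C"], P]),
        "valid": verify_blind(m, bsig, pk_bs),
        "other_message_valid": verify_blind(m + 1, bsig, pk_bs),
    }
```

The signer only ever sees (sC, sP), a representative that lies in the same class as (C, P) but is not (C, P) itself; the user moves the signature back with ChgRep and mu = 1/s and reveals r, and the verifier recomputes C from (m, r) before checking the SPS-EQ equations. In the real scheme the class-membership test and the verification equations are pairing-product equations; here they are multiplications mod p.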

Blind Signatures from SPS-EQ (ctd)
- [protocol figure only; not transcribed]

Blind Signatures from SPS-EQ (ctd)
- Security:
  - Unforgeable under EUF-CMA security of the SPS-EQ + the Diffie-Hellman-Inversion assumption
  - Blind under an interactive DDH variant (malicious keys), in the standard model

Warmup: Proving Blindness (honest keys)
- [figure only; not transcribed]

Warmup: Proving Blindness (honest keys; ctd)
- Game 0 (original game):
  - $U(m_b, pk)$ sends $(s\, m_b P + rs\, Q,\ sP)$
  - $U(m_{1-b}, pk)$ sends $(s'\, m_{1-b} P + r's'\, Q,\ s'P)$
- Game 1: $U(m_b, pk)$ sends $(s\, m_b P + t\, Q,\ sP)$
- Game 2: $U(m_{1-b}, pk)$ analogously
- $m_b, m_{1-b}$ are perfectly hidden in Game 2

Warmup: Proving Blindness (honest keys; ctd)
- Under DDH: Game 0 $\approx_c$ Game 1 $\approx_c$ Game 2
- Simulating $U(m_b, pk)$:
  - Embed the DDH instance $(P, sP, rP, tP)$; $Q = qP$ with $q$ in $sk$
  - Send $(m_b \cdot sP + q \cdot tP,\ sP)$
- How to unblind without $s$? Use $sk$ to recompute $\sigma_b$ on $(m_b P + q \cdot rP,\ P)$
- Distribution of $\sigma_b$? Perfect adaption!
- $t = rs$ gives Game 0; $t$ random gives Game 1
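The reduction on this slide, as an added illustration (not the paper's code) in the same toy group as before: Z_p written additively with P = 1, so sP is just s mod p. The functions `ddh_instance`, `real_first_move`, `simulated_first_move` and `recomputed_representative` are names chosen here; they show that the simulator's first message coincides with the genuine user's exactly when t = rs, and that the representative (C, P) it re-signs with sk equals the user's commitment although the simulator never learns s.

```python
"""Simulator from the honest-key blindness proof (added toy illustration).

Z_p is written additively with generator P = 1, so sP is s mod p and the
pairing structure disappears. Given a DDH instance (P, sP, rP, tP) and
the Pedersen trapdoor q with Q = qP, the reduction plays U(m_b, pk)
without s and recovers the unblinded representative (C, P) from rP.
"""
import secrets

p = 2**61 - 1      # prime group order (constructed toy parameter)
P = 1              # generator


def rand_scalar():
    return 1 + secrets.randbelow(p - 1)


def ddh_instance(real):
    """Constructed DDH challenge: t = r*s when real, a fresh random t otherwise.
    The hidden exponents are kept only so the check below can compare."""
    r, s = rand_scalar(), rand_scalar()
    t = r * s % p if real else rand_scalar()
    return {"sP": s * P % p, "rP": r * P % p, "tP": t * P % p, "_r": r, "_s": s}


def real_first_move(m, r, s, q):
    """Genuine user in Game 0: (s(mP + rQ), sP) with Q = qP."""
    return [(s * m * P + r * s * q * P) % p, s * P % p]


def simulated_first_move(inst, m, q):
    """Reduction's message (m*sP + q*tP, sP): uses neither r nor s."""
    return [(m * inst["sP"] + q * inst["tP"]) % p, inst["sP"]]


def recomputed_representative(inst, m, q):
    """(mP + q*rP, P): the commitment (C, P) the reduction re-signs with sk
    instead of running ChgRep with the unknown 1/s."""
    return [(m * P + q * inst["rP"]) % p, P]


def check(m, q, real):
    """Compare simulator and genuine user for a real or random DDH tuple."""
    inst = ddh_instance(real)
    r, s = inst["_r"], inst["_s"]
    C = (m * P + r * q * P) % p             # the user's Pedersen commitment
    return {
        "transcript_matches_game0":
            simulated_first_move(inst, m, q) == real_first_move(m, r, s, q),
        "recomputed_is_commitment":
            recomputed_representative(inst, m, q) == [C, P],
    }
```

With a real DDH tuple the simulated transcript is Game 0; with a random t it is Game 1, where the first component no longer depends on m_b once tQ is uniform. The recomputed representative matches (C, P) in both cases, which is why the re-signed σ_b, by perfect adaption, is distributed like the one an honest user would derive via ChgRep.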

Proving Blindness
- Blindness under malicious keys: $pk$ is determined by $\mathcal{A}$, so there is no access to $sk$
- The rest stays the same

Proving Blindness (ctd)
- No access to $sk$: perfect adaption under malicious keys is needed!
- $(Q, \hat{Q})$ determined by $\mathcal{A}$: can't embed DDH; use the interactive DDH variant relative to $(Q, \hat{Q})$
- Still can't recompute $\sigma$: use $\mathcal{A}$ as a signing oracle by rewinding!

Proving Blindness (ctd)
- Interactive DDH variant: given $(Q, \hat{Q})$ output by $\mathcal{A}$ with $e(Q, \hat{P}) = e(P, \hat{Q})$,
  and $(rP, rQ, sP, tQ)$: is $t$ random, or is $t = rs$?
- Hard in the generic-group model

Proving Blindness (ctd)
- Simulating $U(m_b, pk)$, 1st run: [figure only; not transcribed]
- Simulating $U(m_b, pk)$, 2nd run: [figure only; not transcribed]

Efficiency
- Instantiated with the SPS-EQ from [FHS14]:
  - U, S: a few scalar multiplications
  - Verify: 7 pairings + 1 scalar multiplication

Partially Blind Signatures and One-show ABCs
- Partially blind signatures: obtain a signature on $[(mP, \gamma P, P)]_R$ for common info $\gamma \in \mathbb{Z}_p$
- One-show ABCs in the vein of Brands:
  - Use generalized Pedersen commitments committing to message vectors
  - PoKs over attributes during issuing + showing

New Insights on SPS-EQ
- SPS-EQ implies SPS: sign $(M, P)$ to sign $M$; only 1 valid representative per class, hence standard EUF-CMA
- Optimality results from [AGHO11] apply to SPS-EQ: 3 bilateral signature elements, 2 PPEs for verification
- [AGO11]: no reduction from optimally-short SPS-EQ to non-interactive assumptions

Standard-Model SPS-EQ Construction
- Uses the trick of Abe et al. [AGHO11]: add 2 random elements to the message
- No perfect adaption; only class-hiding
- EUF-CMA proof more involved than in [AGHO11]

Conclusions
- Practically efficient round-optimal (partially) blind signatures in the standard model
- One-show ABC in the standard model
- New results on SPS-EQ: standard-model construction, new properties, SPS from SPS-EQ (and implications)

Thank you for your attention! christian.hanser@iaik.tugraz.at

References
- [AFG+10] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements. CRYPTO 2010.
- [AGHO11] M. Abe, J. Groth, K. Haralambiev, M. Ohkubo. Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups. CRYPTO 2011.
- [AGO11] M. Abe, J. Groth, M. Ohkubo. Separating Short Structure-Preserving Signatures from Non-interactive Assumptions. ASIACRYPT 2011.
- [FHS14] G. Fuchsbauer, C. Hanser, D. Slamanig. EUF-CMA-Secure Structure-Preserving Signatures on Equivalence Classes. Cryptology ePrint Archive, 2014.
- [FS10] M. Fischlin, D. Schröder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010.
- [GG14] S. Garg, D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014.
- [GRS+11] S. Garg, V. Rao, A. Sahai, D. Schröder, D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011.
- [HS14] C. Hanser, D. Slamanig. Structure-Preserving Signatures on Equivalence Classes and their Application to Anonymous Credentials. ASIACRYPT 2014.