1 / 29

Cross- Unlinkable Hierarchical Group Signatures

Cross- Unlinkable Hierarchical Group Signatures. Julien Bringer 1 , Hervé Chabanne 12 , Alain Patey 12 1 Morpho, 2 Télécom ParisTech 13/09/2012. Outline. VLR Group Signatures From Backward Unlinkability to Cross- Unlinkability Our Construction Conclusion. / 01 /.

esme
Download Presentation

Cross- Unlinkable Hierarchical Group Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cross-Unlinkable Hierarchical Group Signatures Julien Bringer1, Hervé Chabanne12, Alain Patey121Morpho, 2Télécom ParisTech 13/09/2012

  2. Outline VLR Group Signatures FromBackwardUnlinkability to Cross-Unlinkability Our Construction Conclusion Alain Patey / 13/09/2012 / EuroPKI 2012

  3. /01/ VLR Group Signatures Alain Patey / 13/09/2012 / EuroPKI 2012

  4. Digital Signatures vs Group Signatures + Anonymity Alain Patey / 13/09/2012 / EuroPKI 2012

  5. Setting Alain Patey / 13/09/2012 / EuroPKI 2012 • Group Manager (GM) • Sets up public parameters • Owns the master secret key • Issues users secret keys • Can raiseanonymity of a signature • Can revokeusers

  6. Verifier-Local Revocation (VLR) GM manages a public RevocationList (RL) Alain Patey / 13/09/2012 / EuroPKI 2012

  7. VLR: Revocation Revocation User i rti Revocationtoken of user i (rti) added to RL Alain Patey / 13/09/2012 / EuroPKI 2012

  8. VLR: Signature and Verification Verifier (≠ GM) User signsusinghis secret key Signature Check: Validity of the signature 2) Revocation Check: Is the signer revoked ? (Revocation Check: one operation (exponentiation, pairing) per revoked user) Alain Patey / 13/09/2012 / EuroPKI 2012

  9. VLR GS Components KeyGen (GM): set group parameters Join (GM, User): issue keys for a new group member Sign(User): sign a message on behalf of the group Verify (Verifier): verify a signature Open (GM): reveal the identity of the creator of a given signature Revoke (GM): revoke a user from the group Alain Patey / 13/09/2012 / EuroPKI 2012

  10. BackwardUnlinkability Time Period k Time Period 1 Time Period i Time Period j … … … … Problem: Once a user isrevoked, usinghisrevocationtoken, everyonecan trace all hisprevious signatures Solution: Make signatures and revocationdependent of time Does not change (much) complexity of signatures, only a public information per period must bepublished Alain Patey / 13/09/2012 / EuroPKI 2012

  11. Security Properties Correctness: Every signature correctlyissued by an unrevokedmemberischeckedas valid BackwardUnlinkability: Signatures do not revealanything (to anyone but the signer and the GM) about theirauthor and theyremainanonymousevenafterthe revocation of the user Traceability: No group of attackerscan forge a signature thatcan not betracedto one of the members of the coalition. Exculpability: Nobody (including GM) is able to issue another’smember signature Alain Patey / 13/09/2012 / EuroPKI 2012

  12. /02/ From Backward Unlinkability to Cross-Unlinkability Alain Patey / 13/09/2012 / EuroPKI 2012

  13. Hierarchical Setting National ID Student ID Driver’s License College 1 College 2 Car Insurance HGV License Several groups in a tree structure One group signature per group Independent Group Managers Requirement: To join a group, one must previouslybe a member the parent group Applications: Identity Management, attribute-basedcredentials Alain Patey / 13/09/2012 / EuroPKI 2012

  14. Cascade Revocation National ID Downwards Revocation (compulsory) UpwardsRevocation (optional) Student ID Driver’s License College 1 College 2 Car Insurance HGV License • Revocationfollows the tree structure: • Revocation in a parent group ⇒ Revocation in the children groups (DownwardsRevocation) • Child group can signal a revoked user to the parent group (UpwardsRevocation, optional) • Parent group is not forced to alsorevoke Alain Patey / 13/09/2012 / EuroPKI 2012

  15. Unlinkability Cascade Revocation ⇒ Key derivation, linkbetween the keys in parent/child groups BUT: Weaimat maximal anonymity Anonymity in a given group shouldbepreservedtowardsGM’s of other groups (even parent group, sibling groups…) despite the revocationprocess We call thispropertyCROSS-UNLINKABILITY Alain Patey / 13/09/2012 / EuroPKI 2012

  16. FromBackwardUnlinkability to Cross-Unlinkability Group Signature Student ID ⇒ Period 1 Period 2 College 1 College 2 Unlinkability Unlinkability Idea: Transpose the BackwardUnlinkabilityproperty Time periods are transposed to children of a given group Alain Patey / 13/09/2012 / EuroPKI 2012

  17. /03/ Our Construction Alain Patey / 13/09/2012 / EuroPKI 2012

  18. The Model • KeyGen: The GM’s set the groups parameters • Enrolment (Mi, Gl): Migetskeys for the group Gl • Derivation (Mi,Gk,Gl): Key derivation for a user Mi, applying to joinGl, child of Gk • Includes a proof of Gkmembership • Sign (Mi,m,Gl): User Misigns message m on behalf of Gl • Verify (s,m,Gl): Verifierchecks a signature s for Gl • Revocation (Mi,Gl): • Local Revocation • DownwardsRevocation • (Optional) UpwardsRevocation Alain Patey / 13/09/2012 / EuroPKI 2012

  19. Requirements Correctness Traceability Cross-Unlinkability Exculpability Adaptations of the VLR Group Signatures properties to the hierarchical setting Alain Patey / 13/09/2012 / EuroPKI 2012

  20. Cross-Unlinkability • Game-baseddefinition (as Traceability and Exculpability) • Queries (before and after Challenge): Enrol to G0, Derivation, Sign, User Corruption, GM Corruption, Revocation • Challenge: Adv. outputs m, m’, M0, M1, Gk, Glsuchthat: • M0 and M1 are bothregistered to Gk and Gl • M0 and M1 are not corrupted • Atmost one of the GM’siscorrupted • M0 and M1 are revokedfromatmost one group (the same if they are bothrevoked) and the GM of the other group is not corrupted • C choosestwo bits b, b’ and signs m for Mb in group Gk and m’ for Mb’ in group Gl • Adv. tries to guess if b=b’ Alain Patey / 13/09/2012 / EuroPKI 2012

  21. Underlying Group Signature • VLR Group Signature withBackwardUnlinkability • Group Parameters: gpk • Public/secret key for GM of Gl: mpk, msk • User Mi’skey for Gl: ski = fi, xi, Ai • fi ischosen by Mi (not known by GMl) • xiischosen by GMl • Ai=f(fi,xi,msk) iscomputed by GMl • Revocationtoken of Mi for Gl: • Global: rti = xi • Period j: rtij = hj^(rti) (hjis a public token) • (for an efficient instantiationsee: J. Bringer, A. Patey. VLR Group Signatures: How to AchieveBothBackwardUnlinkability and Efficient RevocationChecks. SECRYPT 2012.) Alain Patey / 13/09/2012 / EuroPKI 2012

  22. The Construction Common group parameters Independent GM keys • Call Derivation to • Check that the user belongs to the parent group • Derive a signingkey • Run the GS Joinalgorithm • KeyGen: • GM0 fixes gpk • EveryGMlchoosesmpkl, mskl compatible withgpk • For every group Gk, one « period » k-l per child group Gl must be set up • Join • If Gl=G0, run the Joinalgorithm of GM0 • Otherwise, run the Derivationalgorithm. • If all checkssucceed, run an adaptedJoinalgorithm for Gl, wherexilischosen as the output of the Derivationalgorithm (instead of beingrandom) Alain Patey / 13/09/2012 / EuroPKI 2012

  23. The Construction II Joinalgorithm • Derivation (Glischild of Gk) • GMlsends a challenge message m to Mi • Misignsitatperiodk-l • Misendshisrevocationtokenrtik-l=hk-lrtil • GMlchecks the validity of the signature and the validity of rtik-l • GMlderivesxil=H(mskl||rtik-l) Alain Patey / 13/09/2012 / EuroPKI 2012

  24. The Construction III • Sign, Join and Open are direct applications of the group signature algorithms • Revocation: • Local: Run the Revocationalgorithm of the underlying group signature • Downwards: • For every a child group Gm of Gl: • GMm looks at the updatedrevocationlistRLl of Gl and reads the new rt • GMmchecks if thereis a registered user i in Gmsuchthatxim=H(mskm||rt) • If thereis one, GMmrecursivelyrunsRevocation • Upwards (optional): • GMlsends the periodrevocationtokenrtik-l to GMk. • If GMkwants to revoke the user, hecomputesrti’k-l for every Mi’ in Gk. • Whenhefinds the corresponding user, hestarts a Revocationprocess Alain Patey / 13/09/2012 / EuroPKI 2012

  25. Security • Random Oracle Model • Requirements are game-based • Wereduce an attackagainstour construction to an attackagainst the underlying group signature scheme • In particular, an adversarywith a non-negligibleadvantage in the Cross-Unlinkabilitygame has a non-negligibleadvantage in the BackwardUnlinkabilitygame Alain Patey / 13/09/2012 / EuroPKI 2012

  26. Application to BiometricIdentity Management • Group signatures canbeused for biometricanonymousauthentication • Keysstored on a smartcard, biometricverificationneeded to sign • Adaptable to ourhierarchical setting → identity management system • Groups are identitydomains, GM’s are identity providers • J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to BiometricAuthentication. IWSEC 2008 • J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature SchemewithBackwardUnlinkability to BiometricIdentityManagement. SECRYPT 2012. Alain Patey / 13/09/2012 / EuroPKI 2012

  27. /04/ Conclusion Alain Patey / 13/09/2012 / EuroPKI 2012

  28. Conclusion • From VLR Group Signatures with BU, we set hierarchical group signatures withstronganonymityproperties • New model • Security only relies on the security of the underlying group signature (+ ROM) • Open Issues: • Improve the construction to enableBackwardUnlinkability • Change the group set structure (anyordered set…) • Full version available on the IACR ePrint archive: http://eprint.iacr.org/2012/407 Alain Patey / 13/09/2012 / EuroPKI 2012

  29. Thankyou for your attention Questions ? Alain Patey / 13/09/2012 / EuroPKI 2012

More Related