- 78 Views
- Uploaded on
- Presentation posted in: General

Short Traceable Signatures Based on Bilinear Pairings

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Short Traceable Signatures Based on Bilinear Pairings

Seung Geol Choi

Columbia University

joint work with

Kunsoo Park

Seoul National University

Moti Yung

Columbia University

- Overview of Traceable Signatures
- Motivation
- Preliminaries
- ZK for SDH Representation
- Construction
- Security
- Conclusion

Overview of Traceable Signatures

- Can be regarded as an extension of group signatures.
- Provides all the operations of group signatures- setup, join, sign, verify, open
- Provides stronger revocation of anonymity- tracing (reveal, trace)
- Provides claiming (claim, claim_verify)

- Consider following setting:
- Anonymous Users
- Typical Abstract Large System:
- Many users
- Many remote verification points.
- Users issue signatures that get aggregated and verified in remote points.

Verification Points

Authority

Tracing Request:

“open signature”

Verification Points

Tracing

Request:

“USER X” needs

to be traced

Authority

Using the opening mechanism from scenario #1:

all signatures must be aggregated and the Authority

will have to Open all to discover the ones signed by user X

- Signatures from remote verification points must be aggregated. Load Balancing Concerns
- Authority must open all signatures thus severely (and unnecessarily) violating the privacy of many users. Privacy Concerns
- Authority is typically a distributed entity so that opening requires the collaboration of many agents. Efficiency Concerns
- Outcome: Scenario #1 is insufficient for dealing with the above tracing request.

User wants

to claim a

signature as his

- Anonymity
- A user (group member) signs on behalf of the group.
- Verification is done using the group’s public-key.

- Claiming
- A user can claim his own signature.

- Revocation of Anonymity
- The group manager can opena problematic signature and find out who signed it.
- The tracing agents can trace all the signatures of a suspicious user.

Motivation

- Previous constructions were quite long.
- [KTY04] : 1206 bytes
- [NS04]: 917 bytes

- Adapt the short group signature [BBS04] to traceable signature.
- Ours: 362 bytes
- 1.5 ~ 3 times the length of the RSA sig.

- Ours: 362 bytes

Basic Tools

- Bilinear Pairings
- One more SDH (Strong Diffie-Hellman) representation problem
- Linear Encryption Scheme

- G1, G2, GT : cyclic groups of prime order p
- P1 , P2 : generator of G1 , G2
- ψ: G2 G1 (isomorphism mapping)

- Def: Bilinear pairing e : G1 x G2 GT is:
- Bilinear: e(aP1, bP2) = e(P1, P2)ab for all a, b Z
- Non-degenerate: e(P1, P2) ≠ 1
- Efficiently computable

- SDH Representation
- Given P1, P2, Q, R where Q G1 , R = γP2
- SDH Representation: (A, x, t) s.t. A = (xP1 + Q)/ (t+γ) or equivalently e(A, tP2+R) = e(xP1 + Q, P2)

- One more SDH representation problem
- Given K SDH representations, output another valid SDH representation

- Under q-SDH Assumption, One more representation problem is hard.
- q-SDH Assumption [BB04]
- The following q-SDH problem is hard: P1, P2, γP2, γ2P2, …, γqP2? (A, x) s.t.(γ +x)A = P1 where A G1 , x Zp

- Keys:
- Encryption Key: X, Y, Z G1
- Decryption Key: ξ1, ξ2 s.t. ξ1 X = Z, ξ2 Y=Z

- Encryption/Decryption
- E(M) = ( r1X, r2Y, M+(r1+r2)Z )
- D(C1, C2, C3) = C3 – ξ1C1 – ξ2C2

- Semantic Security:
- Under DLDH (Decisional Linear Diffie-Hellman) Assumption [BBS04], linear encryption is semantically secure.

- DLDH Assumption
- The following problem is hard:
- Given X, Y, Z, aX, bY, cZc = a + b? or c is randomly chosen?

- The following problem is hard:

ZK for SDH Representation

- Why do we need this?
- Come up with zk proof for the rep, and use the proof as a sig (FS transform) Anonymity
- The rep is a witness of a proof a signing key

- Proof:
- PK{(A,x,t): e(xP1 + Q, P2) = (A, tP2+R)}
- Instance: P1, Q, P2, R
- Where P1 (gen. of G1), Q (random point) P2 (gen. of G2), R (= γP2)

- Prover’s aux input (SDH rep./witness): (A, x, t) s.t. e(xP1 + Q, P2) = (A, tP2+R)
- Other Public Parameters
- For linear enc. : X, Y, Z (gen. of G1)
- Etc. : W (gen. of G2)

- Prover constructs T1, … T5:
- T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z (linear enc. of A)T4 = r3W, T5 = e(P1, T4)x(DLP of x )

- Sub-proof
- PK{(a1, a2, b1, b2, u, v): T1 = a1X, T2 = a2Y, uT1 = b1X, uT2 = b2Y, T5 = e(P1, T4)v , e (T3, P2)u e(T3, R) = e(Z, P2) (b1+b2) e(Z, R) (a1+a2) e(P1, P2)v e(Q, P2) }

- Exists a Simulator (i.e. it is ZK)
- T1, …, T5 :
- From semantic security of linear enc:- Pick a random A’- T1 = r1X, T2 = r2Y, T3 = A’ + (r1+r2)Z
- From DDH:- pick a random x’ - T4 = r3W, T5 = e(P1, T4)x’
- Indistinguishable from the original transcript

- Sub-Proof:
- Runs the simulator of Sub-Proof

- T1, …, T5 :

- Exists an extractor (i.e. it is POK)
- Sub-Proof: Simple 3-move honest verifier DLP ZK-POK exists an extractor for the Sub-Proof
- Using the extractor of DLP proof, we can also extract an SDH Rep.
- Specifically
- Let (a1, a2, b1, b2, u, v) be the extracted witness.
- b1 + b2 = u(a1 + a2)

e (T3, P2)u e(T3, R) = e(Z, P2) (b1+b2) e(Z, R) (a1+a2) e(P1, P2)v e(Q, P2) e(T3, uP2+R) = e(Z, (b1+b2)P2+(a1+a2) R) • e(vP1+Q, P2)e(T3, uP2+R) / e(Z, u(a1+a2)P2+(a1+a2) R) = e(vP1+Q, P2)e(T3, uP2+R) / e((a1+a2)Z, uP2+ R) = e(vP1+Q, P2)e(T3 - (a1+a2)Z, uP2+ R) = e(vP1+Q, P2)

If we Let A = T3 – (a1+a2)Z, e(A, uP2+ R) = e(vP1+Q, P2) (A, u, v) is an SDH rep.

Construction

- Setup
- Join/Iss
- Sign/Verify
- Open
- Reveal/Trace
- Claim/Claim_Verify

- Generate public parameters for ZK for SDH Rep.
- P1, Q, P2, R, X, Y, Z, W
- For SDH rep. : P1, Q, P2, R
- For linear enc. : X, Y, Z s.t. ξ1 X = Z, ξ2 Y=Z
- Etc. : W

- The group manager’s private key:(γ, ξ1, ξ2)
- γ : for the generation of SDH rep (join proc.)
- ξ1, ξ2 : dec. key for linear enc. (opening)

- P1, Q, P2, R, X, Y, Z, W

- Interactive Protocol between a user (Join) and the group manager (Iss)
- Ui (user i) GM : xiP1
- GM Ui: (Ai, ti) s.t. e(Ai, tiP2+ R) = e(xiP1+Q, P2)

- Note that GM can generate (Ai, ti) without knowing the value xi.
- Let Ci = xiP1
- A = (Ci + Q)/ (t+γ)

- Ui now has an SDH rep: (Ai, xi, ti)
- GM stores the joining record: (Ai, Ci, ti)

- Big Picture of ZK Protocol for SDH Rep:
- 3 move honest verifier proof for DLP
- Instance: T1, …, T5
- P (Prover) V (Verifier): B1, …, B6
- V P : c
- P V : sa1, sa2, sb1, sb2, su, sv
- V : checks if sa1, sa2, sb1, sb2, su, sv are consistent.

- 3 move honest verifier proof for DLP

- Details
- T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x
- d1 = r1t , d2 = r2t
- B1 = br1X, B2 = br2X, B3 = btT1 – bd1X, B4 = btT2 – bd2YB5 = e(P1, T4) bxB6 = e(T3, P2)bt e(Z, P2)-bd1-bd2 e(Z, R)-br1-br2 e(P1, P2)-bx
- sr1 = br1 + cr1,sr2 = br2 + cr2,sd1 = bd1 + cd1, sd2 = bd2 + cd2,sx = bx + cx,st = bt + ct,

- Apply the variant of Fiat-Shamir to the protocol (Schnorr type sig.)
- Sign:
- Replace B1, …, B6 of the verifier with hash function: c = H(m, T1, …, T5, B1, …, B6)
- The signature will be:(T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )
- 362 bytes: T5 = 1024 bits, all others 170 bits.

- Verification:
- construct B’1, …, B’6 from the signature.
- check if H(m, T1, …, T5, B’1, …, B’6) =? c.

- Sign:

- Given a signature:
- (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )

- The GM use his decryption key for linear enc. to recover A from T1, T2,T3.
- T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z
- Dec(T1, T2, T3) = T3 – ξ1T1 – ξ2T2 = A
- Look up the user j from the join records {(Ai, Ci, ti)} such that Aj = A

- Reveal
- Given the identity j of a certain user Uj , returns an information to be used for tracing
- The GM returns Cj from his join record (Aj, Cj, tj).

- Given the identity j of a certain user Uj , returns an information to be used for tracing
- Trace
- Given Cj (from Reveal) the tracing info of Uj,and a sig. (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx ), decides whether it’s Uj’s sig. or not.
- e(Cj, T4) =? T5 ( Note that T5 = e(P1, T4)x )

- Given Cj (from Reveal) the tracing info of Uj,and a sig. (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx ), decides whether it’s Uj’s sig. or not.

- Claim:
- Given a sig. (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )
- The signer returns a NIZK proof.PK{ y: T5 = e(P1, T4)y}

- Claim_Verify: Verify the proof.

Security

- There are three kind of attacks
- Misidentification: the adv. forges a valid signature that is opened/traced to no one.
- Framing: the adv. forges a valid signature that is opened/traced to an innocent user even if the adv. corrupts the GM.
- Anonymity: the adv. distinguishes a sig. of user A from a sig. of user B.

- The adv. is allowed to access oracles.

Executes a Iss procedure.

(Adv is playing the role of user.

Oracle is playing the role of GM.)

QY

Returns the

Public-key

Qa-join

Returns the

GM’s private

key

Qs

Executes a join

dialog internally

Qb-join

Executes a Join procedure.

(Adv is playing the role of GM.

Oracle is playing the role of user.)

Qp-join

Given <i, m>, returns

a signature on m by the i-th user

Qsig

Given <i>,

returns the tracing info. Ci.

Qreveal

Oracles

Adv

QY, Qp-join, Qa-join, Qsig, Qreveal

Represents the system collectively: good users and GM

- Forges a sig. satisfying
- it opens to none of the controlled group or
- it tracesto none of the controlled group.

- Secure against Misidentification from the hardness of one-more SDH rep. problem

T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x

Oracles

Adv

QY, QS, Qb-join, Qsig

Represents the system collectively: good users and GM

- Forges a sig. satisfying
- it opens to an innocent useror
- it traces to an innocent user.

- Secure against Framing
- from the hardness of DLP.

Oracles

Adv

T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x

QY, Qp-join, Qa-join, Qsig, Qreveal

i0, i1

Selects two users

i0 i1 (by name)

Pick b randomly from {0,1}

Generate a sig. σ of ib

σ

Guess b

- The adv is not allowed to call Qreveal(i0) or Qreveal(i1) before or after i0 and i1 are chosen.

- Secure against Anonymity from semantic security of linear encryption and the DDH

- Theorem : Under the q-SDH and DLDH assumption, our scheme is secure in the random oracle model.

Conclusion

- Invented a New Technical Tool
- One more SDH rep. problem based on q-SDH assumption

- Constructed a Short Scheme
- Ours: 362 bytes
- 1.5 ~ 3 times the length of the RSA sig.

- [KTY04] : 1206 bytes, [NS04]: 917 bytes

- Ours: 362 bytes
- Proved the security formally