Short traceable signatures based on bilinear pairings
This presentation is the property of its rightful owner.
Sponsored Links
1 / 46

Short Traceable Signatures Based on Bilinear Pairings PowerPoint PPT Presentation


  • 77 Views
  • Uploaded on
  • Presentation posted in: General

Short Traceable Signatures Based on Bilinear Pairings. Seung Geol Choi Columbia University. joint work with. Kunsoo Park Seoul National University. Moti Yung Columbia University. Contents. Overview of Traceable Signatures Motivation Preliminaries ZK for SDH Representation Construction

Download Presentation

Short Traceable Signatures Based on Bilinear Pairings

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Short traceable signatures based on bilinear pairings

Short Traceable Signatures Based on Bilinear Pairings

Seung Geol Choi

Columbia University

joint work with

Kunsoo Park

Seoul National University

Moti Yung

Columbia University


Contents

Contents

  • Overview of Traceable Signatures

  • Motivation

  • Preliminaries

  • ZK for SDH Representation

  • Construction

  • Security

  • Conclusion


Overview of traceable signatures

Overview of Traceable Signatures


Traceable signatures

Traceable Signatures

  • Can be regarded as an extension of group signatures.

    • Provides all the operations of group signatures- setup, join, sign, verify, open

    • Provides stronger revocation of anonymity- tracing (reveal, trace)

    • Provides claiming (claim, claim_verify)


Why do we need traceable sig

Why do we need traceable sig.?

  • Consider following setting:

    • Anonymous Users

    • Typical Abstract Large System:

      • Many users

      • Many remote verification points.

      • Users issue signatures that get aggregated and verified in remote points.


Scenario 1

Scenario #1:

Verification Points

Authority

Tracing Request:

“open signature”


Scenario 2

Scenario #2

Verification Points

Tracing

Request:

“USER X” needs

to be traced

Authority

Using the opening mechanism from scenario #1:

all signatures must be aggregated and the Authority

will have to Open all to discover the ones signed by user X


Shortcomings of group sig

Shortcomings of group sig.

  • Signatures from remote verification points must be aggregated. Load Balancing Concerns

  • Authority must open all signatures thus severely (and unnecessarily) violating the privacy of many users. Privacy Concerns

  • Authority is typically a distributed entity so that opening requires the collaboration of many agents. Efficiency Concerns

  • Outcome: Scenario #1 is insufficient for dealing with the above tracing request.


Scenario 3

Scenario #3

User wants

to claim a

signature as his


Features of traceable sig 1

Features of Traceable Sig.(1)

  • Anonymity

    • A user (group member) signs on behalf of the group.

    • Verification is done using the group’s public-key.

  • Claiming

    • A user can claim his own signature.


Features of traceable sig 11

Features of Traceable Sig.(1)

  • Revocation of Anonymity

    • The group manager can opena problematic signature and find out who signed it.

    • The tracing agents can trace all the signatures of a suspicious user.


Motivation

Motivation


Motivation1

Motivation

  • Previous constructions were quite long.

    • [KTY04] : 1206 bytes

    • [NS04]: 917 bytes

  • Adapt the short group signature [BBS04] to traceable signature.

    • Ours: 362 bytes

      • 1.5 ~ 3 times the length of the RSA sig.


Basic tools

Basic Tools


Three main basic tools

Three main basic tools

  • Bilinear Pairings

  • One more SDH (Strong Diffie-Hellman) representation problem

  • Linear Encryption Scheme


Basic tools bilinear pairings

Basic Tools – Bilinear Pairings

  • G1, G2, GT : cyclic groups of prime order p

    • P1 , P2 : generator of G1 , G2

    • ψ: G2 G1 (isomorphism mapping)

  • Def: Bilinear pairing e : G1 x G2 GT is:

    • Bilinear: e(aP1, bP2) = e(P1, P2)ab for all a, b  Z

    • Non-degenerate: e(P1, P2) ≠ 1

    • Efficiently computable


Basic tools one more sdh representation problem 1

Basic Tools – One More SDH Representation Problem (1)

  • SDH Representation

    • Given P1, P2, Q, R where Q  G1 , R = γP2

    • SDH Representation: (A, x, t) s.t. A = (xP1 + Q)/ (t+γ) or equivalently e(A, tP2+R) = e(xP1 + Q, P2)

  • One more SDH representation problem

    • Given K SDH representations, output another valid SDH representation


Basic tools one more sdh representation problem 2

Basic Tools – One More SDH Representation Problem (2)

  • Under q-SDH Assumption, One more representation problem is hard.

  • q-SDH Assumption [BB04]

    • The following q-SDH problem is hard: P1, P2, γP2, γ2P2, …, γqP2? (A, x) s.t.(γ +x)A = P1 where A  G1 , x  Zp


Basic tools linear encryption bbs04 1

Basic Tools – Linear Encryption [BBS04] (1)

  • Keys:

    • Encryption Key: X, Y, Z  G1

    • Decryption Key: ξ1, ξ2 s.t. ξ1 X = Z, ξ2 Y=Z

  • Encryption/Decryption

    • E(M) = ( r1X, r2Y, M+(r1+r2)Z )

    • D(C1, C2, C3) = C3 – ξ1C1 – ξ2C2


Basic tools linear encryption bbs04 2

Basic Tools – Linear Encryption [BBS04] (2)

  • Semantic Security:

    • Under DLDH (Decisional Linear Diffie-Hellman) Assumption [BBS04], linear encryption is semantically secure.

  • DLDH Assumption

    • The following problem is hard:

      • Given X, Y, Z, aX, bY, cZc = a + b? or c is randomly chosen?


Zk for sdh representation

ZK for SDH Representation


Basic idea

Basic Idea

  • Why do we need this?

    • Come up with zk proof for the rep, and use the proof as a sig (FS transform)  Anonymity

    • The rep is a witness of a proof a signing key


Basic setting

Basic Setting

  • Proof:

    • PK{(A,x,t): e(xP1 + Q, P2) = (A, tP2+R)}

    • Instance: P1, Q, P2, R

      • Where P1 (gen. of G1), Q (random point) P2 (gen. of G2), R (= γP2)

    • Prover’s aux input (SDH rep./witness): (A, x, t) s.t. e(xP1 + Q, P2) = (A, tP2+R)

    • Other Public Parameters

      • For linear enc. : X, Y, Z (gen. of G1)

      • Etc. : W (gen. of G2)


Zk for sdh representation 1

ZK for SDH Representation (1)

  • Prover constructs T1, … T5:

    • T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z (linear enc. of A)T4 = r3W, T5 = e(P1, T4)x(DLP of x )

  • Sub-proof

    • PK{(a1, a2, b1, b2, u, v): T1 = a1X, T2 = a2Y, uT1 = b1X, uT2 = b2Y, T5 = e(P1, T4)v , e (T3, P2)u e(T3, R) = e(Z, P2) (b1+b2) e(Z, R) (a1+a2) e(P1, P2)v e(Q, P2) }


Zk for sdh representation 2

ZK for SDH Representation (2)

  • Exists a Simulator (i.e. it is ZK)

    • T1, …, T5 :

      • From semantic security of linear enc:- Pick a random A’- T1 = r1X, T2 = r2Y, T3 = A’ + (r1+r2)Z

      • From DDH:- pick a random x’ - T4 = r3W, T5 = e(P1, T4)x’

      • Indistinguishable from the original transcript

    • Sub-Proof:

      • Runs the simulator of Sub-Proof


Zk for sdh representation 3

ZK for SDH Representation (3)

  • Exists an extractor (i.e. it is POK)

    • Sub-Proof: Simple 3-move honest verifier DLP ZK-POK exists an extractor for the Sub-Proof

    • Using the extractor of DLP proof, we can also extract an SDH Rep.

    • Specifically

      • Let (a1, a2, b1, b2, u, v) be the extracted witness.

      • b1 + b2 = u(a1 + a2)


Zk for sdh representation 4

e (T3, P2)u e(T3, R) = e(Z, P2) (b1+b2) e(Z, R) (a1+a2) e(P1, P2)v e(Q, P2) e(T3, uP2+R) = e(Z, (b1+b2)P2+(a1+a2) R) • e(vP1+Q, P2)e(T3, uP2+R) / e(Z, u(a1+a2)P2+(a1+a2) R) = e(vP1+Q, P2)e(T3, uP2+R) / e((a1+a2)Z, uP2+ R) = e(vP1+Q, P2)e(T3 - (a1+a2)Z, uP2+ R) = e(vP1+Q, P2)

If we Let A = T3 – (a1+a2)Z, e(A, uP2+ R) = e(vP1+Q, P2) (A, u, v) is an SDH rep.

ZK for SDH Representation (4)


Construction

Construction


Procedures of traceable sig

Procedures of Traceable sig.

  • Setup

  • Join/Iss

  • Sign/Verify

  • Open

  • Reveal/Trace

  • Claim/Claim_Verify


Construction setup

Construction - Setup

  • Generate public parameters for ZK for SDH Rep.

    • P1, Q, P2, R, X, Y, Z, W

      • For SDH rep. : P1, Q, P2, R

      • For linear enc. : X, Y, Z s.t. ξ1 X = Z, ξ2 Y=Z

      • Etc. : W

    • The group manager’s private key:(γ, ξ1, ξ2)

      • γ : for the generation of SDH rep (join proc.)

      • ξ1, ξ2 : dec. key for linear enc. (opening)


Construction join iss

Construction – Join/Iss

  • Interactive Protocol between a user (Join) and the group manager (Iss)

    • Ui (user i)  GM : xiP1

    • GM  Ui: (Ai, ti) s.t. e(Ai, tiP2+ R) = e(xiP1+Q, P2)

  • Note that GM can generate (Ai, ti) without knowing the value xi.

    • Let Ci = xiP1

    • A = (Ci + Q)/ (t+γ)

  • Ui now has an SDH rep: (Ai, xi, ti)

  • GM stores the joining record: (Ai, Ci, ti)


Construction sign verify 1

Construction – Sign/Verify (1)

  • Big Picture of ZK Protocol for SDH Rep:

    • 3 move honest verifier proof for DLP

      • Instance: T1, …, T5

      • P (Prover)  V (Verifier): B1, …, B6

      • V  P : c

      • P  V : sa1, sa2, sb1, sb2, su, sv

      • V : checks if sa1, sa2, sb1, sb2, su, sv are consistent.


Construction sign verify 2

Construction – Sign/Verify (2)

  • Details

    • T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x

    • d1 = r1t , d2 = r2t

    • B1 = br1X, B2 = br2X, B3 = btT1 – bd1X, B4 = btT2 – bd2YB5 = e(P1, T4) bxB6 = e(T3, P2)bt e(Z, P2)-bd1-bd2 e(Z, R)-br1-br2 e(P1, P2)-bx

    • sr1 = br1 + cr1,sr2 = br2 + cr2,sd1 = bd1 + cd1, sd2 = bd2 + cd2,sx = bx + cx,st = bt + ct,


Construction sign verify 3

Construction – Sign/Verify (3)

  • Apply the variant of Fiat-Shamir to the protocol (Schnorr type sig.)

    • Sign:

      • Replace B1, …, B6 of the verifier with hash function: c = H(m, T1, …, T5, B1, …, B6)

      • The signature will be:(T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )

      • 362 bytes: T5 = 1024 bits, all others 170 bits.

    • Verification:

      • construct B’1, …, B’6 from the signature.

      • check if H(m, T1, …, T5, B’1, …, B’6) =? c.


Construction open

Construction – Open

  • Given a signature:

    • (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )

  • The GM use his decryption key for linear enc. to recover A from T1, T2,T3.

    • T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z

    • Dec(T1, T2, T3) = T3 – ξ1T1 – ξ2T2 = A

    • Look up the user j from the join records {(Ai, Ci, ti)} such that Aj = A


Construction tracing a user reveal trace

Construction – Tracing a user (Reveal/Trace)

  • Reveal

    • Given the identity j of a certain user Uj , returns an information to be used for tracing

      • The GM returns Cj from his join record (Aj, Cj, tj).

  • Trace

    • Given Cj (from Reveal) the tracing info of Uj,and a sig. (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx ), decides whether it’s Uj’s sig. or not.

      • e(Cj, T4) =? T5 ( Note that T5 = e(P1, T4)x )


Construction claiming a sig claim claim verify

Construction - Claiming a Sig.(Claim/Claim_Verify)

  • Claim:

    • Given a sig. (T1, … ,T5, c, sr1, sr2, sr1, sr2, st, sx )

    • The signer returns a NIZK proof.PK{ y: T5 = e(P1, T4)y}

  • Claim_Verify: Verify the proof.


Security

Security


Security model kty04

Security Model [KTY04]

  • There are three kind of attacks

    • Misidentification: the adv. forges a valid signature that is opened/traced to no one.

    • Framing: the adv. forges a valid signature that is opened/traced to an innocent user even if the adv. corrupts the GM.

    • Anonymity: the adv. distinguishes a sig. of user A from a sig. of user B.

  • The adv. is allowed to access oracles.


Oracles

Oracles

Executes a Iss procedure.

(Adv is playing the role of user.

Oracle is playing the role of GM.)

QY

Returns the

Public-key

Qa-join

Returns the

GM’s private

key

Qs

Executes a join

dialog internally

Qb-join

Executes a Join procedure.

(Adv is playing the role of GM.

Oracle is playing the role of user.)

Qp-join

Given <i, m>, returns

a signature on m by the i-th user

Qsig

Given <i>,

returns the tracing info. Ci.

Qreveal


Misidentification attack

Misidentification attack

Oracles

Adv

QY, Qp-join, Qa-join, Qsig, Qreveal

Represents the system collectively: good users and GM

  • Forges a sig. satisfying

  • it opens to none of the controlled group or

  • it tracesto none of the controlled group.

  • Secure against Misidentification from the hardness of one-more SDH rep. problem


Framing attack

Framing attack

T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x

Oracles

Adv

QY, QS, Qb-join, Qsig

Represents the system collectively: good users and GM

  • Forges a sig. satisfying

  • it opens to an innocent useror

  • it traces to an innocent user.

  • Secure against Framing

  • from the hardness of DLP.


Anonymity attack

Anonymity attack

Oracles

Adv

T1 = r1X, T2 = r2Y, T3 = A + (r1+r2)Z T4 = r3W, T5 = e(P1, T4)x

QY, Qp-join, Qa-join, Qsig, Qreveal

i0, i1

Selects two users

i0 i1 (by name)

Pick b randomly from {0,1}

Generate a sig. σ of ib

σ

Guess b

  • The adv is not allowed to call Qreveal(i0) or Qreveal(i1) before or after i0 and i1 are chosen.

  • Secure against Anonymity from semantic security of linear encryption and the DDH


Security of our scheme

Security of Our scheme

  • Theorem : Under the q-SDH and DLDH assumption, our scheme is secure in the random oracle model.


Conclusion

Conclusion


Conclusion1

Conclusion

  • Invented a New Technical Tool

    • One more SDH rep. problem based on q-SDH assumption

  • Constructed a Short Scheme

    • Ours: 362 bytes

      • 1.5 ~ 3 times the length of the RSA sig.

    • [KTY04] : 1206 bytes, [NS04]: 917 bytes

  • Proved the security formally


  • Login