1 / 17

Ring Signatures of Sub-linear Size without Random Oracles

Ring Signatures of Sub-linear Size without Random Oracles. Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A. In an anonymous fast-food chain. Whistleblowing.

faxon
Download Presentation

Ring Signatures of Sub-linear Size without Random Oracles

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ring Signatures of Sub-linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAA

  2. In an anonymous fast-food chain

  3. Whistleblowing

  4. Ring signature sk2 vk2 signature vk3 vk1

  5. Properties • Parties with public verification keys • A ring is any subset of the parties • Any party can choose a ring that includes herself and make a ring signature • ...without the other parties cooperating or even being aware of the ring signature being formed • The ring signature is anonymous

  6. Related work • Rivest, Shamir and Tauman Asiacrypt 2001 O(N) elements in random oracle model • Dodis, Kiayias, Nicolosi and Shoup Eurocrypt 2004 O(1) elements in random oracle model • Bender, Katz and Morselli TCC 2006 Construction without random oracles • Chow, Wei, Liu and Yuen ASIACCS 2006Shacham and Waters ePrint 2006 O(N) elements • Boyen Eurocrypt 2007 O(N) elements, perfect anonymity • Our contribution O(√N) elements, perfect anonymity

  7. Ring signature functionality Common reference string: CRSGen(1k) !½ Key pair: Gen(½) ! (vk, sk) Ring signature for R=(vk1,...,vkN): Sign½,sk(m, R) ! sig Verification: Verify½,R(m, sig)  {0,1}

  8. Informal definition • Perfect correctness:Any member of a ring can make a ring signature • Perfect anonymity:Ring signature leaks no information about which ring member signed the message • Computational unforgeability:Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack

  9. Bilinear group of order n G, GT cyclic groups of order n = pq G = Gp  Gq g generator for G bilinear map e: G  G  GT e(ua, vb) = e(u, v)ab e(g, g) generates GT

  10. Commitment [Boneh-Goh-Nissim] Public key: h ord(h) = n or q Commitment to m c = mhr where r Zn Perfect hiding if ord(h) = n Perfect binding in Gp if ord(h) = q : mq = cq Subgroup decision problem: ord(h) = n or ord(h) = q

  11. Signature [Boneh-Boyen] Verification key: v = gx Signature on y |y|< |p| (|√n|) s = g1/(x+y) Verification e(vgy, s) = e(g, g) Strong Diffie-Hellman assumption in Gp Hard to compute (y, g1/(x+y)) given input g, gx, gx2, ..., gxl

  12. Ring signature scheme • Common reference string: (n, G, GT, e, g, h) • Verification keys: v = gx • Ring signature (m, x, v  R=(v1,...,vN) • make one-time signature on (m, R) using one-time verification key y • sign y as s = g1/(x+y) • commit to v and s as C = vhr, L = sht • make perfect WI proof (C, L) sign on y • make perfect WI proof C contains v  R

  13. Perfect Witness-Indistinguishable proof for commited signature on y [Groth-Sahai] Commitments C = vhr, L = sht WI proof: ¼ = (gyv)tsrhrt Verify: e(gyC, L) = e(g, g) e(h, ¼) Complete: e(gyvhr, sht) = e(gyv, s) e(h, (gyv)tsrhrt) Perfect WI (ord(h)=n): All (v, r, s, t) give same ¼ Sound (ord(h)=q): e((gyC)q, Lq) = e(gq, gq)

  14. WI proof for commitment to v  R Commitment C = vhr and ring R = (v1,...,vN) v1 v2 . . . v√N v√N+1 v√N+2 . . . v2√N  vN-√N+1 vN-√N+2 . . . vN e(g,v2) e(g,v√N+2)  e(g,vN-√N+2) 1 g  1 hr1 hr2 hr√N e(h,*) e(h,*) e(h,*) = WI proof that PIR-request is well-formed WI proof that v is in one of those

  15. Sketch of security proof • Perfect anonymity Commitments are perfectly hiding (ord(h) = n) ... so they can contain Boneh-Boyen signature for any honest party ... and the proofs are perfectly witness indistinguishable • Computational unforgeability Switch to ord(h) = q Commitments are perfectly extractable ... so they must contain valid signature in Gp ... so we can forge Boneh-Boyen signatures

  16. Overcoming a bad CRS CRS = (n, G, GT, e, g, h) ord(h) = n Malicious authority can select h of order q Key generation: vi = gxi , hi chosen at random in G When signing pick t at random and use With overwhelming probability ord(h) = n

  17. Summary • Ring signature scheme PIR-techniques + GS proofs • Size O(√N) group elements • Relies on composite order bilinear groups subgroup decision strong Diffie-Hellman in Gp • Common reference string perfect anonymity • Untrusted common reference string statistical anonymity

More Related