Attribute-Based Signatures for Unbounded Languages from Standard - PowerPoint PPT Presentation

Attribute-Based Signatures for Unbounded Languages from Standard Assumptions Yusuke Sakai (AIST, Japan) Shuichi Katsumata (AIST, Japan / U. Tokyo, Japan) Nuttapong Attrapadung (AIST, Japan) Goichiro Hanaoka (AIST, Japan) 1

Our Contribution • Propose attribute-based signature scheme for Turing machines – A key-policy variant – The policy is described by a Turing machine (TM) – The attribute is an input to a TM The scheme allows policies that accept unbounded inputs! 2

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 3

Attribute-Based Signatures (ABS) P sk P sk P a b c d e q sk Pʹ 4

Attribute-Based Signatures x a b c d e sk x q x=x 1 x 2 x 3 … sk P σ ß AttrSign(pp,sk P ,M,x) sk Pʹ 5

Attribute-Based Signatures x x=x 1 x 2 x 3 … sk x 1/0 ß AttrVerify(pp,M,x,σ) sk P M, x, σ σ is made by someone whose policy P satisfy P(x) = 1 sk Pʹ 6

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 7

Anonymity x Cannot tell who made σ among sk x signers who satisfy P(x) = 1 sk P M, x, σ sk Pʹ 8

Unforgeability x Cannot make valid σ sk x if P(x) = 0 sk P M, x, σ sk Pʹ 9

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 10

Certificate Approach (1/2) msk x Each signer receives a sk P signature on his policy sk P = θ P = Sign(msk, P) sk Pʹ = θ Pʹ = Sign(msk, Pʹ) 11

Certificate Approach (2/2) msk x Prove knowledge of (P, θ): sk P (1) Verify(P, θ) = 1 (2) P(x) = 1 sk P = θ P = Sign(msk, P) M, x, σ sk Pʹ = θ Pʹ = Sign(msk, Pʹ) 12

Difficulty Prove knowledge of (P, θ P ): (1) Verify(P, θ x ) = 1 (2) P(x) = 1 ? ? • How to prove the complex condition P(x) = 1 ! – Remind that P is a Turing machine • General zero-knowledge is inefficient, so we will decompose the statement 13

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 14

Idea: History of Computation • While a TM’s computation is complex, the computation proceeds sequentially • The computation defines a sequence of “snapshots” of the machine w 1 w 2 w 3 w 4 w 5 q 0 15

Idea: History of Computation • While a TM’s computation is complex, the computation proceeds sequentially • The computation defines a sequence of “snapshots” of the machine w 1 w 2 w 3 w 4 w 5 wʹ 1 w 2 w 3 w 4 w 5 q 0 q 1 16

Idea: History of Computation • While a TM’s computation is complex, the computation proceeds sequentially • The computation defines a sequence of “snapshots” of the machine w 1 w 2 w 3 w 4 w 5 wʹ 1 w 2 w 3 w 4 w 5 wʹ 1 wʹ 2 w 3 w 4 w 5 q 0 q 1 q 2 17

Idea: History of Computation • While a TM’s computation is complex, the computation proceeds sequentially • The computation defines a sequence of “snapshots” of the machine w 1 w 2 w 3 w 4 w 5 wʹ 1 w 2 w 3 w 4 w 5 wʹ 1 wʹ 2 w 3 w 4 w 5 q 0 … q 1 q 2 18

Implement the Certificate Approach • Using the sequence of the snapshot (s 1 , …, s T ) we can rephrase the proof as follows: Prove knowledge of (s 1 , …, s T ): (1) s i → s i+1 follows the transition function • To enforce validity of transition, the KGC signs on all possible valid transition: θ[s,sʹ] ß Sign(msk, (s,sʹ)) ∀ s à sʹ: valid transition 19

Signing Every Possible Transition s 0 : s 1 : s 2 : valid valid transition transition Prove knowledge of (s 0 , s 1 , θ 1 ): Verify(vk, (s 0 , s 1 ), θ 1 ) = 1 20

Signing Every Possible Transition s 0 : s 1 : s 2 : valid valid transition transition Prove knowledge of (s 0 , s 1 , θ 1 ): Prove knowledge of (s 1 , s 2 , θ 2 ): Verify(vk, (s 0 , s 1 ), θ 1 ) = 1 Verify(vk, (s 1 , s 2 ), θ 2 ) = 1 21

Signing Every Possible Transition s 0 : s 1 : s 2 : valid valid transition transition Prove knowledge of (s 1 , …, s T , θ 1 , …, θ T ): (1) Verify((s i-1 ,s i ), θ i ) = 1 22

Main Difficulty Prove knowledge of (s 1 , …, s T , θ 1 , …, θ T ): (1) Verify((s i-1 ,s i ), θ i ) = 1 • Possible pairs of snapshots are infinitely many, – since snapshots have unbounded lengths • We further decompose this condition 23

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 24

Configuration • A snapshot is encoded into a single string, configuration w 1 w 2 w 3 w 4 w 5 q … w 1 w 2 q w 3 w 4 w 5 … • Consists of (1) the content of the tape interleaved with (2) the state symbol q – the position of q encodes the position of the head 25

Locality of Rewriting step t: w 1 w 2 q w 3 w 4 w 5 step t+1: w 1 qʹ w 2 wʹ 3 w 4 w 5 • Each symbol in a new configuration is determined by neighbors in the old configuration • Four neighbors are sufficient for any case 26

The General Cases • Each cell will be determined by the four neighbors in the old configuration Case 6 Case 5 Case 1 Case 2 Case 3 a b c d b c d e c d e q Case 4 Case 3 q Õ q Õ a b c d b c d c d e Case 2 Case 1 Case 4 Case 5 Case 6 old: d e q x e q x f q x f g a b c d e q x f g q Õ x Õ q Õ x Õ x Õ d e e f e f g new: q Õ x Õ a b c d e f g 27

Enforcing Validity of Transition • To enforce validity of transition KGC signs on every valid 5-tuple: w 1 w 2 w 3 w 4 θ[w 1 , w 2 , w 3 , w 4 , u] u ß Sign(msk, (w 1 , w 2 , w 3 , w 4 , u)) • The signer proves the knowledge of signature for every symbol in the new configuration old: w 1 w 2 q w 3 w 4 w 5 new: w 1 qʹ w 2 wʹ 3 w 4 w 5 28

Enforcing Validity of Transition • To enforce validity of transition KGC signs on every valid 5-tuple: w 1 w 2 w 3 w 4 θ[w 1 , w 2 , w 3 , w 4 , u] u ß Sign(msk, (w 1 , w 2 , w 3 , w 4 , u)) Prove knowledge of (w 1 , w 2 , q, w 3 , qʹ, θ 1 ): • The signer proves the knowledge of θ Verify(vk, (w 1 , w 2 , q, w 3 , qʹ), θ 1 ) = 1 for every symbol in the new configuration old: w 1 w 2 q w 3 w 4 w 5 new: w 1 qʹ w 2 wʹ 3 w 4 w 5 29

Enforcing Validity of Transition • To enforce validity of transition KGC signs on every valid 5-tuple: w 1 w 2 w 3 w 4 θ[w 1 , w 2 , w 3 , w 4 , u] u ß Sign(msk, (w 1 , w 2 , w 3 , w 4 , u)) Prove knowledge of (w 2 , q, w 3 , w 4 , w 2 , θ 2 ): • The signer proves the knowledge of θ Verify(vk, (w 2 , q, w 3 , w 4 , w 2 ), θ 2 ) = 1 for every symbol in the new configuration old: w 1 w 2 q w 3 w 4 w 5 new: w 1 qʹ w 2 wʹ 3 w 4 w 5 30

Enforcing Validity of Transition • To enforce validity of transition KGC signs on every valid 5-tuple: w 1 w 2 w 3 w 4 θ[w 1 , w 2 , w 3 , w 4 , u] u ß Sign(msk, (w 1 , w 2 , w 3 , w 4 , u)) Prove knowledge of (q, w 3 , w 4 , w 5 , wʹ 3 , θ 3 ): • The signer proves the knowledge of θ Verify(vk, (q, w 3 , w 4 , w 5 , wʹ 3 ), θ 3 ) = 1 for every symbol in the new configuration old: w 1 w 2 q w 3 w 4 w 5 new: w 1 qʹ w 2 wʹ 3 w 4 w 5 31

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 32

Putting All Together Verify((wʹ 5 , q 2 , w 6 , w 7 , wʹ 5 ), θ) = 1 w 1 w 2 w 3 w 4 q 1 w 5 w 6 w 7 w 8 w 9 w 10 w 1 w 2 w 3 w 4 wʹ 5 q 2 w 6 w 7 w 8 w 9 w 10 w 1 w 2 w 3 w 4 q 3 wʹ 5 wʹʹ 6 w 7 w 8 w 9 w 10 w 1 w 2 w 3 q 4 w 4 wʹʹ 5 w 6 w 7 w 8 w 9 w 10 • Proves the knowledge of signatures on the neighbors (quadratic in running time of TM) • Every symbol is hidden as a witness 33

The Scheme • Setup: w 1 w 2 w 3 w 4 – crs ß CRSGen(1 k ), (vk, sk) ß SigKg(1 k ) • KeyGen: u – for every valid 5-tuple (w 1 , w 2 , w 3 , w 4 , u): • θ [w1, w2, w3, w4, u] ß SigSign(sk, (w 1 , w 2 , w 3 , w 4 , u)) • Sign: {w i,j } i,j : 2D arrangement of configurations – π i,j ß Prove(crs, (w i-1,j-2 , w i-1,j-1, , w i-1,j , w i+1,j , w i,j , θ)) • Verify: for all (i,j) verify π i,j 34

Main Theorem Theorem If the non-interactive proof system is witness-indistinguishable and extractable, the signature scheme is unforgeable, the proposed scheme is anonymous and unforgeable Instantiate this with GS proofs in SXDH setting and structure-preserving signatures Theorem If SXDH assumption holds, ! the proposed scheme satisfies anonymity and unforgeability 35

Efficiency Signing key Signature Verification length length time O(|Γ| 4 ) O(T 2 ) O(T 2 ) |Γ|: The size of the tape alphabet T: The running time of the TM • The scheme is reasonably efficient! 36

Agenda • Attribute-Based Signatures • Security Requirement • Certificate Approach • Idea 1: History of Computation • Idea 2: Locality of Rewriting • Overview of the Scheme • Conclusion 37