Attribute-Based Signatures [Maji et al. 2008] . Users have - PowerPoint PPT Presentation

D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES Essam Ghadafi 1 Ali El Kaafarani 2 Dalia Khader 3 1 University of Bristol , 2 University of Bath, 3 University of Luxembourg ghadafi@cs.bris.ac.uk CT-RSA 2014 D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES

O UTLINE B ACKGROUND 1 A S ECURITY M ODEL 2 G ENERIC C ONSTRUCTIONS 3 I NSTANTIATIONS 4 S UMMARY 5 D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES

A TTRIBUTE -B ASED S IGNATURES Attribute-Based Signatures [Maji et al. 2008] . Users have attributes (e.g. “Departmental Manager”, “Chairman”, “Finance Department”, etc.). A user can sign a message w.r.t. a policy Ψ only if she owns attributes A s.t. Ψ( A ) = 1. The verifier learns nothing other than that some signer with attributes satisfying the policy has produced the signature. Sig - Finance Dept. Chairman - Manager OR Manager AND Finance OR Supervisor AND Materials D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 1 / 21

A PPLICATIONS OF A TTRIBUTE -B ASED S IGNATURES Example applications: Attribute-Based Messaging: Recipients are assured the sender satisfies a certain policy. Leaking Secrets: Ring Signatures [RST01] allow a signer to sign a message on behalf of an ad-hoc group. ABS allow more expressive predicates for leaking a secret ⇒ The leaker satisfies some policy vs. the leaker is in the ring. Many other applications: . . . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 2 / 21

S ECURITY OF A TTRIBUTE -B ASED S IGNATURES Security of Attribute-Based Signatures [Maji et al. 2008] ◮ (Perfect) Privacy (Anonymity): The signature hides: 1 The identity of the signer. 2 The attributes used in the signing (i.e. how Ψ was satisfied). ◮ Unforgeability: A signer cannot forge signatures w.r.t. signing policies her attributes do not satisfy even if she colludes with other signers. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 3 / 21

R ELATED WORK ON A TTRIBUTE -B ASED S IGNATURES ◮ Maji et al. 2008 & 2011. ◮ Shahandashti and Safavi-Naini 2009. ◮ Li et al. 2010. ◮ Okamoto and Takashima 2011 & 2012. ◮ Gagné et al. 2012. ◮ Herranz et al. 2012. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 4 / 21

T RACEABLE A TTRIBUTE -B ASED S IGNATURES Traceable Attribute-Based Signatures (TABS) [Escala et al. 2011] : Extend ABS by adding an anonymity revocation mechanism. A tracing authority can reveal the identity of the signer. Crucial in enforcing accountability and deterring abuse. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 5 / 21

O UR C ONTRIBUTION 1 A security model for Decentralized Traceable Attribute-Based Signatures (DTABS). 2 Two generic constructions for DTABS. 3 Example instantiations in the standard model. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 6 / 21

D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES Tracing Authority Sig Professor at Bristol OR IACR Member D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 7 / 21

D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES Features of Our Model: Multiple attribute authorities, e.g. Company A, University B, Organization C, Government D, etc. ◮ Need not trust one another or even be aware of each other. Signers and attribute authorities can join the system at any time. A tracing authority can reveal the identity of the signer. Tracing correctness is publicly verifiable. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 8 / 21

S ECURITY OF DTABS ◮ Correctness: If all parties are honest: Signatures verify correctly. The tracing authority can identify the signer. The Judge algorithm accepts the tracing decision. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 9 / 21

S ECURITY OF DTABS ◮ Anonymity: Signatures do not reveal the identity of the signer or the attributes used. param Add Signer Add Signer Add Auth Add Auth Add Corrupt Auth (sid 0 ,A 0 ),(sid 1 ,A 1 ),m,ψ Add Corrupt Auth CH Reveal Signer Key CH b←{0,1} Reveal Signer Key b←{0,1} σ Reveal Auth Key Reveal Auth Key Trace Signature Trace Signature b * Adversary wins if: b = b ∗ . The CH oracle returns ⊥ if Ψ( A 0 ) � = 1 or Ψ( A 1 ) � = 1. The Trace oracle returns ⊥ if queried on σ . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 10 / 21

S ECURITY OF DTABS ◮ Full Unforgeability: Even if signers collude, they cannot produce a signature on behalf of a signer whose attributes do not satisfy the policy. Covers non-frameability. Param, tk Add Signer Add Signer Add Auth Add Auth Add Corrupt Auth Add Corrupt Auth Reveal Signer Key Reveal Signer Key Reveal Auth Key Reveal Auth Key Sign Sign m * , σ * , ψ * , sid * , π * Adversary wins if: σ ∗ is valid and π ∗ accepted by Judge . No corrupt subset of attributes A ∗ sid ∗ s.t. Ψ ∗ ( A ∗ sid ∗ ) =1. ( sid ∗ , · , m ∗ , σ ∗ , Ψ ∗ ) was not obtained from the signing oracle. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 11 / 21

S ECURITY OF DTABS ◮ Traceability: Signatures are traceable, i.e. the tracing authority can always identify the signer. Param, tk Add Signer Add Signer Add Auth Add Auth Reveal Signer Key Reveal Signer Key Sign Sign m * , σ * , ψ * Adversary wins if all the following holds: σ ∗ is a valid signature on m ∗ w.r.t. Ψ ∗ and either : σ ∗ opens to a signer who was never added. The Judge algorithm rejects the tracing proof. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 12 / 21

G ENERIC C ONSTRUCTIONS Construction I ◮ Tools used: Two NIZK systems NIZK 1 and NIZK 2 . ◮ NIZK 1 needs to be simulation-sound and a proof of knowledge . A tagged signature scheme T S : a digital signature scheme that signs a tag and a message. A digital signature scheme DS . An IND-CCA2 public key encryption scheme PKE . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 13 / 21

G ENERIC C ONSTRUCTIONS (C ONSTRUCTION I) ◮ Setup: Generate ( epk , esk ) for PKE , ( vk , sk ) for DS , crs 1 for NIZK 1 , and crs 2 for NIZK 2 . Set tk := esk and param := ( crs 1 , crs 2 , vk , epk , H ) . ◮ Attribute Authority Join: Generate ( aavk aid , assk aid ) for T S . ◮ Attribute Key Generation: To generate a key sk sid , a for attribute a for signer sid , compute sk sid , a ← T S . Sign ( assk aid ( a ) , sid , a ) . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 14 / 21

G ENERIC C ONSTRUCTIONS (C ONSTRUCTION I) ◮ Signing: To sign m w.r.t. Ψ : 1 C ← PKE . Enc ( epk , sid ) . 2 Produce a proof π of A and sid that: 1 C is an encryption of sid . 2 Either owns attributes A s.t. Ψ( A ) = 1 ⇒ Has a valid tagged signature on ( sid , a ) for each a ∈ A OR Has a special digital signature on H (Ψ , m , C ) , i.e. a pseudo-attribute. The signature is σ := ( C , π ) . ◮ Tracing: The tracing authority uses esk to decrypt C to obtain sid . Produces a proof π Trace of esk that decryption was done correctly. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 15 / 21

G ENERIC C ONSTRUCTIONS Construction II ◮ Changes from Construction I: NIZK 1 need not be simulation-sound. Replace PKE with a selective-tag weakly IND-CCA tag-based encryption scheme T PKE . Need a strongly unforgeable one-time signature OT S . Another collision-resistant hash function ˆ H to hash into the tag space of T PKE . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 16 / 21

G ENERIC C ONSTRUCTIONS (C ONSTRUCTION II) ◮ Signing: To sign m w.r.t. Ψ : 1 Choose a fresh key pair ( otsvk , otssk ) for OT S . 2 C tbe ← T PKE . Enc ( epk , ˆ H ( otsvk ) , sid ) . 3 Produce a proof π of A and sid that: 1 C tbe is an encryption of sid under tag ˆ H ( otsvk ) . 2 Either owns attributes A s.t. Ψ( A ) = 1 ⇒ Has a valid tagged signature on ( sid , a ) for each a ∈ A OR Has a special digital signature on H (Ψ , m , C tbe , ˆ H ( otsvk )) . 4 Compute σ ots ← OT S . Sign ( otssk , ( π, C tbe , otsvk )) . The signature is σ := ( σ ots , π, C tbe , otsvk ) . ◮ Tracing: The tracing authority uses esk to decrypt C tbe to obtain sid . Produces a proof π Trace of esk that decryption was done correctly. D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 17 / 21

G ENERIC C ONSTRUCTIONS (C ONSTRUCTION II) Security of the Construction: ◮ Anonymity: NIZK of NIZK 1 and NIZK 2 . ST-IND-CCA of T PKE . Unforgeability of OT S . Collision-resistance of H and ˆ H . ◮ Full Unforgeability: Soundness of NIZK 1 and NIZK 2 . Unforgeability of T S , DS and OT S . Collision-resistance of H and ˆ H . ◮ Traceability: Soundness of NIZK 1 . Unforgeability of T S and DS . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 18 / 21

G ENERIC C ONSTRUCTIONS How to prove that one owns A s.t. Ψ( A ) = 1 ? ◮ Use a span program: Represent Ψ by a | Ψ | × β span matrix S . z S = [ 1 , 0 , . . . , 0 ] Prove you know a vector � z s.t. � ⇒ { a i | z i � = 0 } satisfies Ψ . D ECENTRALIZED T RACEABLE A TTRIBUTE -B ASED S IGNATURES 19 / 21