
Short Structure-Preserving Signatures. Essam Ghadafi (e.ghadafi@ucl.ac.uk), Department of Computer Science, University College London. CT-RSA 2016.


  1. Short Structure-Preserving Signatures
     Essam Ghadafi, e.ghadafi@ucl.ac.uk
     Department of Computer Science, University College London
     CT-RSA 2016

  2. Outline
     1 Background
     2 Our Scheme
     3 Efficiency Comparison
     4 Some Applications
     5 Summary & Open Problems

  3. (Prime-Order) Bilinear Groups
     $\mathbb{G}$, $\tilde{\mathbb{G}}$, $\mathbb{T}$ are finite cyclic groups of prime order $p$, where $\mathbb{G} = \langle G \rangle$ and $\tilde{\mathbb{G}} = \langle \tilde{G} \rangle$.
     Pairing ($e : \mathbb{G} \times \tilde{\mathbb{G}} \rightarrow \mathbb{T}$): the function $e$ must have the following properties:
     • Bilinearity: $\forall P \in \mathbb{G}$, $\forall \tilde{Q} \in \tilde{\mathbb{G}}$, $\forall x, y \in \mathbb{Z}$, we have $e(P^x, \tilde{Q}^y) = e(P, \tilde{Q})^{xy}$
     • Non-Degeneracy: the value $e(G, \tilde{G}) \neq 1$ generates $\mathbb{T}$
     • The function $e$ is efficiently computable
     Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and no efficiently computable homomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$ in either direction

  4. Structure-Preserving Signatures
     Some History:
     • The term “Structure-Preserving” was coined by Abe et al. 2010
     • Earlier constructions: Groth 2006 and Green and Hohenberger 2008
     • Many constructions in the 3 different main types of bilinear groups
     • Optimal Type-III constructions are the most efficient

  5. Structure-Preserving Signatures
     What are they?
     Definition (A Structure-Preserving Signature): a signature scheme (defined over bilinear groups) where:
     • $m$, $vk$ and $\sigma$ are elements of $\mathbb{G}$ and/or $\tilde{\mathbb{G}}$
     • Verifying signatures only involves deciding group membership and evaluating pairing-product equations (PPE):
       $$\prod_i \prod_j e(A_i, \tilde{B}_j)^{c_{i,j}} = Z,$$
       where $A_i \in \mathbb{G}$, $\tilde{B}_j \in \tilde{\mathbb{G}}$ and $Z \in \mathbb{T}$ are group elements appearing in $P$, $m$, $vk$, $\sigma$, whereas $c_{i,j} \in \mathbb{Z}_p$ are constants

  6. Structure-Preserving Signatures
     Why Structure-Preserving Signatures?
     Compose well with other pairing-based schemes:
     • Easy to encrypt
         • Compose well with ElGamal/BBS linear encryption
     • Easy to combine with NIZK proofs
         • Compose well with Groth-Sahai proofs

  7. Applications of Structure-Preserving Signatures
     • Blind signatures
     • Group signatures
     • Malleable signatures
     • Tightly secure encryption schemes
     • Anonymous credentials
     • Oblivious transfer
     • Network coding
     • ...

  8. Existing Lower Bounds
     Lower bounds (for unilateral messages) in Type-III bilinear groups (Abe et al. 2011):
     • Signatures contain at least 3 group elements
     • Signatures cannot be unilateral (must contain elements from both $\mathbb{G}$ and $\tilde{\mathbb{G}}$)
         • Note: elements of $\tilde{\mathbb{G}}$ are at least twice as big as those of $\mathbb{G}$
     • At least 2 PPE verification equations

  9. Our Contribution
     A new signature scheme in Type-III bilinear groups with shorter signatures than existing ones:
     • Signatures consist of 3 elements from $\mathbb{G}$ (i.e. unilateral)
     • 2 PPE verification equations (5 pairings in total)
     • Message space is the set of Diffie-Hellman pairs (Abe et al. 2010): the set
       $\hat{\mathbb{G}} = \{ (M, \tilde{N}) \mid (M, \tilde{N}) \in \mathbb{G} \times \tilde{\mathbb{G}},\ e(M, \tilde{G}) = e(G, \tilde{N}) \}$
     More efficient instantiations of some existing cryptographic protocols (e.g. DAA)

  10. Our Scheme
     The Underlying Idea:
     • Can be viewed as an extension of the non-structure-preserving scheme of Pointcheval and Sanders (CT-RSA 2016)
     • Can be viewed as a more efficient variant of Ghadafi's (ACISP 2013) Camenisch-Lysyanskaya-based structure-preserving scheme

  11. Our Scheme
     The Scheme:
     • KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (\tilde{X} := \tilde{G}^x, \tilde{Y} := \tilde{G}^y) \in \tilde{\mathbb{G}}^2$
     • Sign: To sign $(M, \tilde{N}) \in \hat{\mathbb{G}}$:
         • Choose $a \leftarrow \mathbb{Z}_p^{\times}$, $\sigma := (A := G^a, B := M^a, C := A^x \cdot B^y) \in \mathbb{G}^3$
     • Verify: Check that $A \neq 1_{\mathbb{G}}$ and $(M, \tilde{N}) \in \hat{\mathbb{G}}$ and
         $e(A, \tilde{N}) = e(B, \tilde{G})$
         $e(C, \tilde{G}) = e(A, \tilde{X})\, e(B, \tilde{Y})$
     • Randomize: Choose $r \leftarrow \mathbb{Z}_p^{\times}$, return $\sigma' := (A' := A^r, B' := B^r, C' := C^r)$

  12. Properties of the Scheme
     Some Properties of the Scheme:
     • The scheme is secure in the generic group model
         • ⇒ alternatively, it can be based on an interactive assumption
     • Unilateral signatures
     • (Perfectly) Fully re-randomizable
     • Only the $M$ part of the message is needed for signing

  13. Efficiency Comparison
     [Size columns (σ, vk, P, m): not recoverable from the slide text]

     Scheme        | R? | Assumptions       | PPE | Pairing
     [GH08] (a)    | Y  | q-HLRSW           | 4   | 8
     [Fuc09]       | N  | q-ADHSDH+AWFCDH   | 3   | 9
     [AFG+10] I    | P  | q-SFP             | 2   | 12
     [AFG+10] II   | P  | q-SFP             | 2   | 12
     [AGH+11] I    | N  | GGM               | 2   | 7
     [AGH+11] II   | Y  | GGM               | 2   | 5
     [Gha13]       | Y  | DH-LRSW           | 3   | 7
     [CM14] I      | N  | GGM               | 2   | 5
     [CM14] II     | Y  | GGM               | 2   | 6
     [CM14] III    | Y  | GGM               | 2   | 6
     [AGO+14] I    | Y  | GGM               | 2   | 6
     [AGO+14] II   | N  | GGM               | 2   | 6
     [BFF15]       | Y  | GGM               | 2   | 5
     [Gro15] I     | Y  | GGM               | 2   | 6
     [Gro15] II    | N  | GGM               | 2   | 7
     Ours          | Y  | GGM               | 2   | 5

     (a) This scheme is only secure against a random message attack.

  14. Efficiency Comparison
     Comparison with schemes with the same message space
     [Size columns (σ, vk, P): not recoverable from the slide text]

     Scheme    | R? | Assumptions       | PPE | Pairing
     [Fuc09]   | N  | q-ADHSDH+AWFCDH   | 3   | 9 or (7 & 2 ECAdd)
     [Gha13]   | Y  | DH-LRSW           | 3   | 7 or (6 & 1 ECAdd)
     Ours      | Y  | GGM               | 2   | 5

     * Cost does not include checking well-formedness of the message

  15. Generic Construction of DAA
     Bernhard et al. 2013 gave a generic construction of DAA which requires the following tools:
     • Randomizable Weakly Blind Signatures (RwBS)
         • Used by the Issuer to issue certificates as credentials when users join the group
     • Linkable Indistinguishable Tags (LIT)
         • Needed to provide the linkability of signatures when the same basename is signed by the same user
     • Signatures of Knowledge (SoK)
         • Used by users to prove they have a credential and that the signature on the basename verifies w.r.t. their certified secret key

  16-19. Blind Signatures
     [Figure; surviving label: Sig]
     Security Requirements:
     • Blindness: An adversary (i.e. a signer) who chooses the messages does not learn which message is being signed and cannot link a signature to its signing session
     • Unforgeability: An adversary (i.e. a user) cannot forge new signatures

  20. Randomizable Weakly Blind Signatures (RwBS)
     Similar to blind signatures but:
     • Randomizability: Given a signature $\sigma$, anyone can produce a new signature $\sigma'$ on the same message
     • Weak Blindness: Same as blindness but the adversary never sees the messages
         ⇒ The adversary cannot tell if he was given a signature on a different message or a re-randomization of a signature on the same message

  21. Efficient RwBS without Random Oracles
     The Idea: Combine the new scheme with SXDH-based Groth-Sahai proofs
     • Only $M$ is needed for signing ⇒ To request a signature on $(M, \tilde{N})$, send $M$ and a NIZKPoK $\pi$ of $\tilde{N}$:
       $L_{\mathrm{User}} : \{ (M, \tilde{N}) : e(G, \tilde{N}) = e(M, \tilde{G}') \wedge \tilde{G}' \cdot \tilde{G} = 1_{\tilde{\mathbb{G}}} \}$
     • The signer produces a signature $\sigma$ and a NIZK proof $\Omega$ (without knowing $\tilde{N}$) for the validity of $\sigma$:
       $L_{\mathrm{Signer}} : \{ ((A, B, M), \tilde{A}) : e(G, \tilde{A}) = e(A, \tilde{G}') \wedge e(M, \tilde{A}) = e(B, \tilde{G}') \wedge \tilde{G}' \cdot \tilde{G} = 1_{\tilde{\mathbb{G}}} \}$
     • Fully re-randomizable ⇒ User verifies $\Omega$ and the final signature is a re-randomization of $\sigma$
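
The KeyGen, Sign, Verify and Randomize algorithms of slide 11, run end to end as an added example (not code from the slides or the paper). It assumes a toy model in which every group element is stored as its discrete logarithm mod a prime, so the pairing becomes multiplication of exponents; that model, the prime 2^61 − 1 and all function names are illustrative assumptions, and the code checks the algebra only and offers no security.

```python
import secrets

# Toy model (assumption, not the paper's implementation): an element G^a of G
# or G~^b of G~ is stored as its exponent mod P, and e(G, G~)^t as t mod P.
# Discrete logs are exposed, so this checks the algebra only: no security.
P = 2**61 - 1          # prime standing in for the group order p (constructed)
G1, G2 = 1, 1          # generators G and G~ (exponent 1)

def gexp(elem, k):     # elem^k in any of the three groups
    return elem * k % P

def gmul(u, v):        # u * v in the same group
    return (u + v) % P

def pair(u, v):        # e(G^u, G~^v) = e(G, G~)^(u*v)
    return u * v % P

def keygen():
    x, y = secrets.randbelow(P), secrets.randbelow(P)
    return (x, y), (gexp(G2, x), gexp(G2, y))      # sk, pk = (X~, Y~)

def dh_message(m):
    """Diffie-Hellman pair (M, N~) = (G^m, G~^m)."""
    return gexp(G1, m), gexp(G2, m)

def sign(sk, M):
    """Only the M half of the message is needed to sign."""
    x, y = sk
    a = 1 + secrets.randbelow(P - 1)               # a in Z_p^x
    A, B = gexp(G1, a), gexp(M, a)
    return A, B, gmul(gexp(A, x), gexp(B, y))      # C = A^x * B^y

def verify(pk, msg, sig):
    (X, Y), (M, N), (A, B, C) = pk, msg, sig
    return (A != 0                                 # A != 1_G (identity = exponent 0)
            and pair(M, G2) == pair(G1, N)         # (M, N~) is a DH pair
            and pair(A, N) == pair(B, G2)          # e(A, N~) = e(B, G~)
            and pair(C, G2) == gmul(pair(A, X), pair(B, Y)))

def randomize(sig):
    r = 1 + secrets.randbelow(P - 1)               # r in Z_p^x
    return tuple(gexp(s, r) for s in sig)

def demo():
    sk, pk = keygen()
    msg, other = dh_message(42), dh_message(43)
    sig = sign(sk, msg[0])
    return (verify(pk, msg, sig), verify(pk, msg, randomize(sig)),
            verify(pk, other, sig), verify(pk, (msg[0], other[1]), sig))
```

The all-identity triple (0, 0, 0) in this model satisfies both pairing equations for every message and key, which is why Verify must reject A = 1 before evaluating them.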
