
Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay - PowerPoint PPT Presentation



  1. Introduction Interpolation of Group Homomorphisms Our Signature Scheme Conclusion Generic Homomorphic Undeniable Signatures J. Monnerat S. Vaudenay ÉCOLE POLYTECHNIQUE FÉDÉRALE DE LAUSANNE Asiacrypt ’04 - December 8, 2004 J. Monnerat, S. Vaudenay Generic Homomorphic Undeniable Signatures

  2. Outline
     1. Introduction
     2. Interpolation of Group Homomorphisms
     3. Our Signature Scheme
     4. Conclusion

  3. Introduction

  4. Undeniable Signature (1)
     Properties:
     - Public key algorithm
     - Binding some information or a document with an entity
     - Verifiable only with the cooperation of the signer
     - Non repudiation property still holds!

  5. Undeniable Signature (2)
     [Figure: Setup yields a public key $K_P$ and a secret key $K_S$; Signature maps a message $m$ to a signature $\Sigma$; the Confirmation Protocol and the Denial Protocol run between Prover and Verifier on $m$ and $\Sigma$.]

  6. Related Work
     - Undeniable Signatures, Chaum and van Antwerpen, Crypto ’89.
     - Zero-knowledge Undeniable Signatures, Chaum, Eurocrypt ’90.
     - New Convertible Undeniable Signatures, Damgård and Pedersen, Eurocrypt ’96.
     - RSA-Based Undeniable Signatures, Gennaro, Rabin and Krawczyk, Crypto ’97.
     - Identity Based Undeniable Signatures, Libert and Quisquater, CT-RSA ’04.
     - Undeniable Signatures Based on Characters, Monnerat and Vaudenay, PKC ’04. (MOVA Scheme)

  7. Interpolation of Group Homomorphisms

  8. Interpolation Problems
     GHI Problem (Group Homomorphism Interpolation Problem)
     Parameters: two Abelian groups $G$ and $H$, a set of $s$ points $S \subseteq G \times H$.
     Input: $x \in G$.
     Problem: find $y \in H$ such that $S \cup \{(x, y)\}$ interpolates in a group homomorphism, i.e., for $S = \{(x_1, y_1), \dots, (x_s, y_s)\}$ there exists a group homomorphism $\mathrm{Hom}$ such that $\mathrm{Hom}(x_i) = y_i$, $i = 1, \dots, s$, and $\mathrm{Hom}(x) = y$.
     GHID Problem (Group Homomorphism Interpolation Decisional Problem)
     Parameters: two Abelian groups $G$ and $H$, a set of $s$ points $S \subseteq G \times H$.
     Input: $(x, y) \in G \times H$.
     Problem: does $S \cup \{(x, y)\}$ interpolate in a group homomorphism?

  9. Geometrical Interpretation
     [Figure: the set of points $S = \{(x_1, y_1), (x_2, y_2), \dots, (x_s, y_s)\}$ and the GHI input $x$ with its image $y$, all lying on the graph of the homomorphism.]

  10. Relation to Well-known Problems
      DLP. $G := \langle g \rangle$ cyclic group of order $q$, $H := \mathbb{Z}_q$. $S = \{(g, 1)\}$ interpolates in a unique homomorphism, namely the discrete logarithm w.r.t. $g$.
      RSA. Let $n = pq$ be an RSA modulus, $e \in \mathbb{Z}^*_{\varphi(n)}$ the encryption exponent and $G = H = \mathbb{Z}^*_n$. Let $S := \{(x_i^e \bmod n, x_i)\}_{i=1,\dots,s}$ such that the first coordinates generate $\mathbb{Z}^*_n$. The RSA decryption problem corresponds to the GHIP.
      Other examples, such as the quadratic residuosity problem, Diffie-Hellman problem, bilinear Diffie-Hellman problem, MOVA problem, ...

  11. Proof of Interpolation
      Let $d := \#H$.
      $\mathrm{GHIproof}(\{(x_j, y_j);\ j = 1, \dots, J\})$ with parameter $I$:
      1. Verifier: pick $r_i \in G$, $a_{i,j} \in \mathbb{Z}_d$; compute $u_i = d r_i + \sum_j a_{i,j} x_j$ and $w_i = \sum_j a_{i,j} y_j$. Verifier → Prover: $u$.
      2. Prover: compute $v_i = \mathrm{Hom}(u_i)$. Prover → Verifier: $\mathrm{commit}(v)$.
      3. Verifier → Prover: $r, a$.
      4. Prover: check $u$. Prover → Verifier: $\mathrm{open}(v)$.
      5. Verifier: check commitment, $v = w$.

  12. Security of GHIproof
      The $\mathrm{GHIproof}_I(S)$ protocol satisfies the following properties:
      - Completeness. The protocol always succeeds when the prover and the verifier follow the protocol.
      - Zero-knowledge. The protocol is perfectly black-box zero-knowledge.
      - Proof of membership. If the protocol succeeds, then $S$ interpolates in a group homomorphism.
      - Proof of knowledge. If the protocol succeeds, there exists an extractor which computes an interpolating homomorphism.
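The GHIproof message flow from slide 11, simulated end to end on a toy group. This is an added example, not code from the presentation. It assumes $G = \mathbb{Z}_n^*$ written multiplicatively, $H = \{1, -1\}$ (so $d = 2$), the Legendre symbol modulo a secret prime as Hom, a SHA-256 commitment, and constructed toy primes.

```python
import hashlib, math, secrets

# Constructed toy instance (far too small to be secure): G = Z_n^* written
# multiplicatively, H = {1, -1} so d = #H = 2, and Hom is the Legendre
# symbol modulo the signer's secret prime P.
P, Q = 1019, 1031
N, D = P * Q, 2

def hom(x):
    return 1 if pow(x, (P - 1) // 2, P) == 1 else -1

def unit():
    return next(r for r in iter(lambda: secrets.randbelow(N - 2) + 2, None)
                if math.gcd(r, N) == 1)

def mask(r, a, xs, ys):
    """u = r^d * prod_j x_j^a_j in G  and  w = prod_j y_j^a_j in H."""
    u = pow(r, D, N)
    for x, e in zip(xs, a):
        u = u * pow(x, e, N) % N
    return u, math.prod(y ** e for y, e in zip(ys, a))

def commit(values, nonce):
    # Hash commitment: an assumption, the slides only say commit/open.
    return hashlib.sha256(nonce + repr(values).encode()).hexdigest()

def ghi_proof(xs, ys, rounds=20):
    """True iff the verifier accepts that S = {(x_j, y_j)} lies on Hom."""
    rand = [(unit(), [secrets.randbelow(D) for _ in xs]) for _ in range(rounds)]
    uw = [mask(r, a, xs, ys) for r, a in rand]       # verifier -> prover: u
    v = [hom(u) for u, _ in uw]                      # prover: v_i = Hom(u_i)
    nonce = secrets.token_bytes(16)
    c = commit(v, nonce)                             # prover -> verifier
    # verifier -> prover: r, a; the prover re-derives every u_i and only
    # opens the commitment if the challenges were honestly formed.
    if [mask(r, a, xs, ys)[0] for r, a in rand] != [u for u, _ in uw]:
        return False
    # prover -> verifier: open(v); verifier checks commitment and v = w
    return commit(v, nonce) == c and v == [w for _, w in uw]
```

With $d = 2$ a single wrong $y_j$ survives one round with probability 1/2, so the acceptance probability for a non-interpolating set falls as $2^{-\text{rounds}}$.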

  13. Proof of Non-Interpolation
      Let $p$ be the smallest prime factor of $d = \#H$.
      $\mathrm{coGHIproof}\big(\{(x_j, y_j);\ j = 1, \dots, J\}, \{(x'_k, z_k);\ k = 1, \dots, K\}\big)$ with parameter $I$:
      1. Verifier: pick $r_{i,k} \in G$, $a_{i,j,k} \in \mathbb{Z}_d$, $\lambda_i \in \mathbb{Z}_p$; compute $u_{i,k} = d r_{i,k} + \sum_j a_{i,j,k} x_j + \lambda_i x'_k$ and $w_{i,k} = \sum_j a_{i,j,k} y_j + \lambda_i z_k$. Verifier → Prover: $u, w$.
      2. Prover: compute $v_{i,k} = \mathrm{Hom}(u_{i,k})$; deduce $\lambda_i$ from $w_{i,k} - v_{i,k} = \lambda_i (z_k - \mathrm{Hom}(x'_k))$. Prover → Verifier: $\mathrm{commit}(\lambda)$.
      3. Verifier → Prover: $r, a$.
      4. Prover: check $u, w$. Prover → Verifier: $\mathrm{open}(\lambda)$.
      5. Verifier: check commitment, $\lambda$.
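The denial protocol above on the same kind of toy group, showing why the prover can recover $\lambda_i$ only when some $z_k$ is wrong. This is an added example, not code from the presentation. It assumes $G = \mathbb{Z}_n^*$ written multiplicatively, $H = \{1, -1\}$ ($d = p = 2$), the Legendre symbol modulo a secret prime as Hom, a SHA-256 commitment, and constructed toy primes.

```python
import hashlib, math, secrets

# Constructed toy instance: G = Z_n^* (multiplicative), H = {1, -1}, d = 2,
# p = 2, Hom = Legendre symbol modulo the signer's secret prime P.
P, Q = 1019, 1031
N, D, P_MIN = P * Q, 2, 2

def hom(x):
    return 1 if pow(x, (P - 1) // 2, P) == 1 else -1

def unit():
    return next(r for r in iter(lambda: secrets.randbelow(N - 2) + 2, None)
                if math.gcd(r, N) == 1)

def mask(r, a, lam, xs, ys, xp, z):
    """u = r^d * prod x_j^a_j * x'^lam  and  w = prod y_j^a_j * z^lam."""
    u = pow(r, D, N) * pow(xp, lam, N) % N
    for x, e in zip(xs, a):
        u = u * pow(x, e, N) % N
    return u, z ** lam * math.prod(y ** e for y, e in zip(ys, a))

def commit(value, nonce):
    return hashlib.sha256(nonce + bytes([value])).hexdigest()

def co_ghi_proof(xs, ys, xps, zs, rounds=20):
    """True iff the verifier accepts that (x'_k, z_k) do not all lie on Hom."""
    for _ in range(rounds):
        lam = secrets.randbelow(P_MIN)                  # verifier's hidden lambda_i
        rand = [(unit(), [secrets.randbelow(D) for _ in xs]) for _ in xps]
        uw = [mask(r, a, lam, xs, ys, xp, z)
              for (r, a), xp, z in zip(rand, xps, zs)]  # verifier -> prover: u, w
        # Prover: w / Hom(u) = (z / Hom(x'))^lambda, which is -1 only if
        # lambda = 1 and z_k is wrong; on a valid signature nothing leaks.
        guess = 1 if any(w * hom(u) == -1 for u, w in uw) else 0
        nonce = secrets.token_bytes(16)
        c = commit(guess, nonce)                        # prover -> verifier
        # verifier -> prover: r, a; prover checks u, w before opening
        redo = [mask(r, a, guess, xs, ys, xp, z)
                for (r, a), xp, z in zip(rand, xps, zs)]
        if redo != uw:
            return False                                # prover aborts
        if commit(guess, nonce) != c or guess != lam:   # verifier's final check
            return False
    return True
```

When every $z_k$ equals $\mathrm{Hom}(x'_k)$ the ratio is always 1, so the prover is reduced to guessing $\lambda_i$ and a false denial passes with probability $p^{-\text{rounds}}$.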

  14. Uniqueness of the Homomorphism
      Theorem. Let $G$, $H$ be two finite Abelian groups. We denote $d$ the order of $H$. Let $x_1, \dots, x_s \in G$ which span $G'$. The following properties are equivalent. In this case, we say that $x_1, \dots, x_s$ $H$-generate $G$.
      1. For all $y_1, \dots, y_s \in H$, there exists at most one group homomorphism $\mathrm{Hom} : G \to H$ such that $\mathrm{Hom}(x_i) = y_i$ for all $i = 1, \dots, s$.
      2. $G' + dG = G$.

  15. Our Signature Scheme

  16. Using Group Homomorphisms in Cryptography
      DL-based cryptography: $y = g^x$; fixed homomorphism, secret input → public key.
      Our approach: $y = \mathrm{Hom}(x)$; secret homomorphism, fixed input → public key.

  17. Basic Description
      Setup
      - Select two groups Xgroup and Ygroup (Ygroup small)
      - Select a secret group homomorphism $\mathrm{Hom} : \mathrm{Xgroup} \to \mathrm{Ygroup}$
      - Select some base points to characterize Hom
      Signature
      - Generate some $x_i$'s from the message
      - Compute the group homomorphism on the $x_i$'s
      Verification: prove/disprove the interpolation

  18. Geometrical Interpretation
      [Figure: base points and signature points $(x_1, y_1)$, $(x_2, y_2)$ lying on the graph of the homomorphism.]

  19. Setups without Validation
      Setup Variant 1. The signer selects Abelian groups Xgroup, Ygroup and a homomorphism Hom. He computes the order $d$ of Ygroup. He then picks a random string SeedK and computes the Lkey first values $\mathrm{Xkey}_j$ from $\mathrm{Gen}_1(\mathrm{SeedK})$ and $\mathrm{Ykey}_j = \mathrm{Hom}(\mathrm{Xkey}_j)$, $j = 1, \dots, \mathrm{Lkey}$.
      Setup Variant 2. (signer with a Registration Authority) The role of the RA consists of making sure that a key was randomly selected. This works similarly to Variant 1 except that the RA picks SeedK at random after the signer has sent his identity Id. The RA sends SeedK with a signature $C$ for (Id, Xgroup, Ygroup, $d$, SeedK).

  20. Signature Generation
      Let $M$ be a message to be signed.
      - Compute $\mathrm{Gen}_2(M) \to (\mathrm{Xsig}_1, \dots, \mathrm{Xsig}_{\mathrm{Lsig}})$
      - Compute $\mathrm{Ysig}_1 = \mathrm{Hom}(\mathrm{Xsig}_1), \dots, \mathrm{Ysig}_{\mathrm{Lsig}} = \mathrm{Hom}(\mathrm{Xsig}_{\mathrm{Lsig}})$
      - The signature is $[\mathrm{Ysig}_1, \dots, \mathrm{Ysig}_{\mathrm{Lsig}}]$
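Setup Variant 1 and signature generation (slides 17, 19 and 20), together with a signer-side test of the $H$-generation condition $G' + dG = G$ from slide 14. This is an added example, not code from the presentation. It assumes Xgroup $= \mathbb{Z}_n^*$, Ygroup $= \{1, -1\}$, the Legendre symbol modulo a secret prime as Hom, a SHA-256 counter construction standing in for $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$, and constructed toy values for the primes, Lkey and Lsig.

```python
import hashlib, math, secrets

# Constructed toy parameters: Xgroup = Z_n^*, Ygroup = {1, -1} (d = 2),
# Hom = Legendre symbol modulo the signer's secret prime P.
P, Q = 1019, 1031
N, D, LKEY, LSIG = P * Q, 2, 8, 16

def hom(x):
    return 1 if pow(x, (P - 1) // 2, P) == 1 else -1

def gen(tag, seed, count):
    """Public hash-based stand-in for Gen1/Gen2: seed -> elements of Xgroup."""
    out, ctr = [], 0
    while len(out) < count:
        h = hashlib.sha256(tag + ctr.to_bytes(4, "big") + seed).digest()
        x, ctr = int.from_bytes(h, "big") % N, ctr + 1
        if x > 1 and math.gcd(x, N) == 1:
            out.append(x)
    return out

def h_generates(xs):
    """Signer-side test of G' + dG = G: the classes of xs in G/2G, which is
    Z_2 x Z_2 here, span it iff two distinct non-trivial classes occur."""
    classes = {(pow(x, (P - 1) // 2, P), pow(x, (Q - 1) // 2, Q)) for x in xs}
    return len(classes - {(1, 1)}) >= 2

def setup():
    """Variant 1: returns (public key, Xkey); the secret key is P."""
    while True:
        seed_k = secrets.token_bytes(16)
        xkey = gen(b"Gen1", seed_k, LKEY)
        if h_generates(xkey):                 # added check, not on the slides
            ykey = [hom(x) for x in xkey]
            return {"N": N, "d": D, "SeedK": seed_k, "Ykey": ykey}, xkey

def sign(message):
    """Ysig_k = Hom(Xsig_k) for (Xsig_1..Xsig_Lsig) = Gen2(M)."""
    return [hom(x) for x in gen(b"Gen2", message, LSIG)]

def interpolates(message, ysig):
    """What the confirmation or denial protocol proves, computed here directly
    with the secret: do the points (Xsig_k, Ysig_k) lie on Hom?"""
    xsig = gen(b"Gen2", message, LSIG)
    return len(ysig) == LSIG and all(hom(x) == y for x, y in zip(xsig, ysig))
```

The signature is Lsig elements of the small group Ygroup, here 16 values in $\{1, -1\}$, and anyone can recompute the Xkey and Xsig points from SeedK and $M$ while only the signer can evaluate Hom on them.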
