FORMALIZING GROUP BLIND SIGNATURES AND PRACTICAL CONSTRUCTIONS WITHOUT RANDOM ORACLES
Essam Ghadafi (ghadafi@cs.bris.ac.uk), University of Bristol
ACISP 2013
OUTLINE
1. Background
2. Security Model
3. Building Blocks
4. Our Constructions
5. Full Anonymity
6. Summary & Open Problems
GROUP BLIND SIGNATURES
Group Signatures [CH91] preserve the anonymity of the signer.
Blind Signatures [Cha83] preserve the privacy of the message to be signed.
Group Blind Signatures [LZ98] combine the properties of the above and thus preserve both the anonymity of the signer and the privacy of the message.
GROUP BLIND SIGNATURES
[Figure: the parties in a group blind signature scheme. The Issuer holds the issuing key ik, the Opener holds the opening key ok, the group public key gpk is known to all, signers form the Group, and a User obtains a signature Sig from a group member.]
HISTORY AND RELATED WORK
The primitive which combines the properties of a blind signature [Cha83] and a group signature [CH91] was introduced by Lysyanskaya and Zulfikar [LZ98].
Existing constructions:
◮ Lysyanskaya and Zulfikar, 1998. Based on Camenisch-Stadler group signatures [CL97].
◮ K. Q. Nguyen, Y. Mu, and V. Varadharajan, 1999. Uses divertible zero-knowledge proofs [OO90].
APPLICATIONS OF GROUP BLIND SIGNATURES
Group blind signatures provide bi-directional privacy and are thus useful for applications where such a requirement is needed.
Example applications:
◮ Distributed e-cash, e.g. [LZ98]: The e-coin reveals neither the identity of its holder nor that of the issuing bank/branch.
◮ Other applications include multi-authority e-voting and e-auction systems.
OUR CONTRIBUTION
◮ A formal security model for the primitive.
◮ A generic construction.
◮ The first instantiations without random oracles.
◮ Other useful building blocks and observations.
SECURITY DEFINITION CHALLENGES
The signing protocol is blind, i.e. the message is not known to the signer and the signature is not well defined, so:
1. How to define Full Anonymity, i.e. CCA2 Anonymity? ⇒ How to identify the challenge signature?
2. How to define non-frameability?
3. How to extend blindness to the group setting?
SYNTAX OF GROUP BLIND SIGNATURES
A group blind signature scheme consists of the following algorithms and protocols:
◮ $\mathsf{GKg}(1^\lambda)$: Outputs $gpk$, $ik$ and $ok$.
◮ $\mathsf{UKg}$: Outputs a pair of personal secret/public keys $(ssk[i], spk[i])$ for a signer.
◮ $\langle \mathsf{Join}(gpk, i, ssk[i]),\ \mathsf{Issue}(ik, i, spk[i]) \rangle$: If successful, Signer $i$ becomes a member and obtains a group signing key $gsk[i]$.
◮ $\langle \mathsf{Obtain}(gpk, m),\ \mathsf{Sign}(gsk[i]) \rangle$: If successful, the user obtains a signature $\Sigma$; otherwise, it outputs $\bot$.
◮ $\mathsf{GVf}(gpk, m, \Sigma)$: Verifies whether $\Sigma$ is valid on the message $m$.
◮ $\mathsf{Open}(gpk, ok, reg, m, \Sigma)$: Returns the identity of the signer plus a proof $\tau$.
◮ $\mathsf{Judge}(gpk, i, spk[i], m, \Sigma, \tau)$: Verifies the Opener's decision.
SECURITY OF GROUP BLIND SIGNATURES
◮ Correctness: If all parties are honest, we have that:
- Signatures are accepted by the GVf algorithm.
- The Opener can identify the signer.
- The Judge algorithm accepts the Opener's decision.
SECURITY OF GROUP BLIND SIGNATURES
◮ Anonymity: Signatures do not reveal who signed them.
[Figure: anonymity game. The adversary receives $(gpk, ik)$, has access to the oracles Open†, SSK, Ch, ModifyReg, CrptS and SndToS, submits a pair of identities $(i_0, i_1)$ to the challenge oracle Ch, which picks $b \leftarrow \{0,1\}$, and finally outputs a guess $b^*$.]
Adversary wins if $b = b^*$.
◮ † Similarly to IND-RCCA [CKN03], the Open oracle returns $\bot$ if the signature opens to $i_0$ or $i_1$.
SECURITY OF GROUP BLIND SIGNATURES
◮ Traceability: The adversary cannot output an untraceable signature.
[Figure: traceability game. The adversary receives $(gpk, ok)$, has access to the oracles AddS, CrptS, SndToI, ReadReg and SSK, and outputs a pair $(\Sigma, m)$.]
Adversary wins if all of the following hold:
- $\Sigma$ verifies on $m$.
- Either $\Sigma$ does not open to a signer in the group, or Judge does not accept the Opener's decision on $\Sigma$.
SECURITY OF GROUP BLIND SIGNATURES
◮ Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it.
[Figure: non-frameability game. The adversary receives $(gpk, ik, ok)$, has access to the oracles CrptS, SndToS, OSign, ModifyReg and SSK, and outputs $(id, \Sigma_1, m_1, \ldots, \Sigma_{n+1}, m_{n+1})$.]
Adversary wins if all of the following hold:
- For all $i \in \{1, \ldots, n+1\}$, $\Sigma_i$ verifies on $m_i$, opens to $id$, and the opening is accepted by Judge.
- The adversary asked for only $n$ signatures by signer $id$.
- If weak unforgeability, the messages are distinct.
SECURITY OF GROUP BLIND SIGNATURES
◮ Blindness: Group members do not learn the message being signed.
[Figure: blindness game. The adversary receives $(gpk, ik)$, chooses two messages $(m_0, m_1)$ and has access to the oracles Open†, SSK, ModifyReg, ReadReg, CrptS and SndToS. The challenger picks $b \leftarrow \{0,1\}$ and runs $\mathsf{Obtain}(gpk, m_b)$ and then $\mathsf{Obtain}(gpk, m_{1-b})$ with the adversary acting as the signer; the adversary is then given either $(\Sigma_0, \Sigma_1)$ or $(\bot, \bot)$, and outputs a guess $b^*$.]
Adversary wins if $b = b^*$.
◮ † If strong unforgeability, the Open oracle returns $\bot$ if $(m, \Sigma) = (m_b, \Sigma_b)$ or $(m, \Sigma) = (m_{1-b}, \Sigma_{1-b})$.
◮ If weak unforgeability, the Open oracle returns $\bot$ if $m \in \{m_0, m_1\}$.
CONSTRUCTION CHALLENGES
How to realize the subtle dual privacy requirement and
1. maintain round optimality,
2. avoid idealized assumptions?
(PRIME-ORDER) BILINEAR GROUPS
$\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are finite cyclic groups of prime order $p$, where $\mathbb{G}_1 := \langle G_1 \rangle$ and $\mathbb{G}_2 := \langle G_2 \rangle$.
Pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$: The function $e$ must have the following properties:
◮ Bilinearity: $\forall H_1 \in \mathbb{G}_1,\ H_2 \in \mathbb{G}_2,\ x, y \in \mathbb{Z}$, we have $e(H_1^x, H_2^y) = e(H_1, H_2)^{xy}$.
◮ Non-degeneracy: The value $e(G_1, G_2) \neq 1$ generates $\mathbb{G}_T$.
◮ The function $e$ is efficiently computable.
Type-3 [GPS08]: $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no efficiently computable isomorphism between $\mathbb{G}_1$ and $\mathbb{G}_2$.
GROTH-SAHAI PROOFS
Groth-Sahai proofs [GS08]:
[Figure: commutative diagram of the GS maps. Top row: $f : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$. Bottom row: $F : H_1 \times H_2 \to H_T$ with $H_1 := \mathbb{G}_1^2$, $H_2 := \mathbb{G}_2^2$, $H_T := \mathbb{G}_T^4$. The columns are the inclusion maps $\iota_1, \iota_2, \iota_T$ (downwards) and the projection maps $\rho_1, \rho_2, \rho_T$ (upwards).]
The system works by first committing to (encrypting) the witness and then producing a proof for the statement.
The system can be instantiated in either:
◮ The simulation setting ⇒ perfectly hiding proofs.
◮ The extraction setting ⇒ perfectly sound proofs.
The limitations:
1. Can only extract a one-way function (i.e. $G_i^w$) of an exponent witness $w$.
2. Cannot simulate and extract at the same time.
GROTH-SAHAI PROOFS
Useful properties of Groth-Sahai proofs:
◮ Independence of public terms (also independently observed by [Fuc11]):
Example: for the pairing-product equation
$$E := \prod_{j=1}^{n} e(A_j, Y_j) \cdot \prod_{i=1}^{m} e(X_i, B_i) \cdot \prod_{i=1}^{m} \prod_{j=1}^{n} e(X_i, Y_j)^{\gamma_{i,j}} = t_T,$$
a proof $\Pi$ for $E$ is independent of $t_T$ ⇒ we can transform $\Pi$ into a NIZK/NIWI proof for a related equation without knowledge of the original witness.
◮ Re-randomizability of proofs [BCCKLS09]: Re-randomize the GS commitments and update the proofs ⇒ the new proof is unlinkable to the old one.
A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME
NCL is based on the CL signature scheme [CL04]:
THE NCL SIGNATURE SCHEME
KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G_2^x,\ Y := G_2^y)$.
Sign: To sign $(M_1, M_2) \in \mathbb{G}_1 \times \mathbb{G}_2$, return $\bot$ if $e(M_1, G_2) \neq e(G_1, M_2)$; otherwise, choose a fresh $a \leftarrow \mathbb{Z}_p$ and compute
$$\sigma := \big(A := G_1^a,\ B := A^y,\ C := M_1^{ay},\ D := (A \cdot C)^x\big) \in \mathbb{G}_1^4.$$
Verify: Check that $A \neq 1_{\mathbb{G}_1}$ and
$$e(B, G_2) = e(A, Y), \qquad e(C, G_2) = e(B, M_2), \qquad e(D, G_2) = e(A \cdot C, X).$$
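The following is an added worked example (not code from the paper or its author) that exercises the bilinear-group properties from the "(Prime-Order) Bilinear Groups" slide and the NCL KeyGen/Sign/Verify equations above. To run offline without a pairing library, it models a Type-3 group symbolically: an element $G_1^a$ is stored as its exponent $a$ modulo a constructed toy prime, so the pairing is literally exponent multiplication, $e(G_1^a, G_2^b) = e(G_1, G_2)^{ab}$. Discrete logarithms are trivial in this model, so it demonstrates only the algebra (bilinearity, the message-consistency check, the three verification equations and the $A \neq 1$ check), not security. The prime, the class and function names are the example's own assumptions.

```python
"""Toy symbolic model of a Type-3 bilinear group and the NCL signature.

Added example, not the paper's code. Elements of G1, G2 and GT are stored
as their exponent w.r.t. the generator, so DL is trivial: this checks the
scheme's algebra only and provides no cryptographic security.
"""
import secrets

P = 2**127 - 1  # constructed toy prime order; any prime works for the algebra


class Elt:
    """Element of G1, G2 or GT, stored as its discrete log to the generator."""

    def __init__(self, group, exp):
        self.group, self.exp = group, exp % P

    def __mul__(self, other):  # group operation: exponents add
        assert self.group == other.group, "cannot multiply across groups"
        return Elt(self.group, self.exp + other.exp)

    def __pow__(self, k):  # exponentiation: exponents multiply
        return Elt(self.group, self.exp * k)

    def __eq__(self, other):
        return self.group == other.group and self.exp == other.exp

    def is_identity(self):
        return self.exp == 0


G1, G2 = Elt("G1", 1), Elt("G2", 1)  # generators of the two source groups


def e(h1, h2):
    """Bilinear map G1 x G2 -> GT: e(G_1^a, G_2^b) = e(G_1, G_2)^{ab}."""
    assert h1.group == "G1" and h2.group == "G2", "Type-3: inputs from distinct groups"
    return Elt("GT", h1.exp * h2.exp)


def rand_exp():
    """Uniform non-zero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1


def message(m):
    """Encode exponent m as the structure-preserving message pair (G_1^m, G_2^m)."""
    return G1 ** m, G2 ** m


def keygen():
    x, y = rand_exp(), rand_exp()
    return (x, y), (G2 ** x, G2 ** y)  # sk := (x, y), pk := (X, Y)


def sign(sk, M1, M2):
    """NCL Sign: reject unless (M1, M2) share an exponent, then output (A, B, C, D)."""
    x, y = sk
    if e(M1, G2) != e(G1, M2):  # the slide's consistency check
        return None  # models returning ⊥
    a = rand_exp()
    A = G1 ** a
    B = A ** y
    C = M1 ** (a * y)
    D = (A * C) ** x
    return (A, B, C, D)


def verify(pk, M1, M2, sig):
    """NCL Verify: A != 1 and the three pairing equations from the slide."""
    if sig is None:
        return False
    X, Y = pk
    A, B, C, D = sig
    return (not A.is_identity()
            and e(B, G2) == e(A, Y)
            and e(C, G2) == e(B, M2)
            and e(D, G2) == e(A * C, X))


if __name__ == "__main__":
    sk, pk = keygen()
    M1, M2 = message(12345)  # constructed sample message
    sig = sign(sk, M1, M2)
    print("valid signature verifies:", verify(pk, M1, M2, sig))
    ident = Elt("G1", 0)
    print("all-identity forgery rejected:", not verify(pk, M1, M2, (ident,) * 4))
```

The all-identity tuple is the reason the $A \neq 1_{\mathbb{G}_1}$ check is part of Verify: with $A = B = C = D = 1$ all three pairing equations hold trivially for any message, so an implementation that checks only the equations would accept it.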