Group Signatures
Concepts, Applications*, and new Advances**
Anja Lehmann, IBM Research – Zurich
*Zone Encryption with Anonymous Authentication for V2V Communication. J Camenisch, M Drijver, A Lehmann, G Neven, P Towa
**Group Signatures with Selective Linkability. PKC 2019. L Garms, A Lehmann

Roadmap
▪ Introduction to Group Signatures
▪ Setting & Security Properties
▪ Schemes
▪ Similar Concepts
▪ Anonymous Credentials
▪ Direct Anonymous Attestation (DAA)
▪ Enhanced Privacy ID (EPID)
▪ Group Signatures & V2X Communication
▪ Group Signatures with Selected Linkability for V2Cloud

Standard Signatures
$\mathsf{KGen}(1^{\tau}) \to (sk, pk)$
$\mathsf{Sign}(sk, m) \to \sigma$
$\mathsf{Vf}(pk, m, \sigma) \to 0/1$
“Signed by Alice!”
▪ Security property: unforgeability
▪ Important primitive for strong authentication:
– Server-side authentication, certified updates, eID cards, …
▪ Bad for privacy
– “leaks” the identity of the signer
– Membership-based online news portal, vehicle-to-vehicle (V2V) communication, IoT, …

Group Signatures | Naive Approach
$\mathsf{Sign}(sk, m) \to \sigma$
$\mathsf{Vf}(pk, m, \sigma) \to 0/1$
“Signed by someone in the ‘group’!” “Who was that??”
▪ Privacy: Doesn’t leak any information about signer
▪ Security: Access to “group” not controlled. No way to reveal signer in case of abuse (bug or feature?)

Group Signatures | High-Level Idea
Chaum & van Heyst ’91
[Diagram: Group Manager/Issuer with $isk$; Opener with $osk$; group public key $pk$; operations JOIN, SIGN, OPEN]
SIGN: $\mathsf{Sign}(sk[i], m) \to \sigma$
$\mathsf{Vf}(pk, m, \sigma) \to 0/1$
“Signed by someone in the Issuer’s group!”
▪ Variants:
– Static vs dynamic groups
– Issuer = opener vs dedicated opener
– Verifiable Opening
▪ Privacy
▪ Security

Group Signatures | Anonymity
[Diagram: Issuer, JOIN, SIGN, OPEN; “Signed by Alice or Bob?” “Signed by the same user?”]
Corruption Setting
▪ Issuer corrupt* (if dedicated entity)
▪ Opener honest
▪ Signatures don’t leak info about signer
– Unlinkability of signatures
▪ Full/CCA anonymity: access to Opener

Group Signatures | Unforgeability (Naïve Approach)
[Diagram: Issuer, JOIN, SIGN, OPEN]
▪ Forgery = signature on fresh message
▪ Achievable only if all users are honest → very weak notion

Group Signatures | Unforgeability
[Diagram: Issuer, JOIN, SIGN, OPEN]
Is the signature coming from or ???
▪ Realistic model with corrupt users

Group Signatures | Unforgeability (Traceability)
[Diagram: Issuer, JOIN, SIGN, OPEN]
Corruption Setting
▪ Issuer honest
▪ Opener (somewhat) corrupt
▪ Forgery = valid signature that:
– does not open, or
– opens to a user that has never joined

Group Signatures | Non-Frameability
[Diagram: Issuer, JOIN, SIGN, OPEN]
Corruption Setting
▪ Issuer corrupt
▪ Opener (somewhat) corrupt
▪ Forgery = valid signature on m that:
– opens to an honest user U
– but U has never signed m

Group Signatures | Security Properties
Bellare, Shi, Zhang ’05

            Anonymity   Traceability   Non-Frameability
Issuer      Corrupt*    Honest         Corrupt**
Opener      Honest      Corrupt*       Corrupt

▪ *Only when Issuer ≠ Opener
▪ **Only for dynamic group signatures. Issuer honest in static ones.
▪ Traceability + Non-frameability = unforgeability

Group Signatures | Schemes
JOIN: issues membership credential on committed user key
SIGN: proof of knowledge of user key & membership credential
OPEN

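Group Signatures | Schemes
Setup: $\mathsf{SIG.KGen}(1^{\tau}) \to (ssk, spk)$, $isk = ssk$, $pk = spk$
JOIN:
– Choose random $usk$, $upk = \mathsf{PKGen}(usk)$
– $cred = \mathsf{Sign}(ssk, upk)$
– $sk[i] = (usk, cred)$
SIGN:
– $\pi = \mathsf{NIZK}\{(usk, upk, cred) : \mathsf{Vf}(spk, cred, upk) = 1 \wedge upk = \mathsf{PKGen}(usk) \wedge C = \mathsf{Enc}(epk, upk)\}(m)$
– Output $m$, $\sigma = \pi$
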
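Group Signatures | Schemes
Setup: $\mathsf{SIG.KGen}(1^{\tau}) \to (ssk, spk)$, $\mathsf{ENC.KGen}(1^{\tau}) \to (esk, epk)$, $isk = ssk$, $osk = esk$, $pk = (spk, epk)$
JOIN:
– Choose random $usk$, $upk = \mathsf{PKGen}(usk)$
– $cred = \mathsf{Sign}(ssk, upk)$
– $sk[i] = (usk, cred)$
SIGN:
– $C = \mathsf{Enc}(epk, upk)$
– $\pi = \mathsf{NIZK}\{(usk, upk, cred) : \mathsf{Vf}(spk, cred, upk) = 1 \wedge upk = \mathsf{PKGen}(usk) \wedge C = \mathsf{Enc}(epk, upk)\}(m)$
– Output $m$, $\sigma = (\pi, C)$
OPEN:
– Input $m$, $\sigma = (\pi, C)$
– $upk = \mathsf{Dec}(esk, C)$
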
Group Signatures | Schemes
Security of the scheme with $pk = (spk, epk)$, $\sigma = (\pi, C)$, $C = \mathsf{Enc}(epk, upk)$ and OPEN via $upk = \mathsf{Dec}(esk, C)$:
▪ Non-Frameability: PKGen hiding
▪ Traceability: Unforgeability of SIG & Soundness of NIZK

Group Signatures | Schemes
Bellare, Micciancio, Warinschi ’03
▪ Sign & Encrypt & Prove most common approach, mainly differ in signature scheme
– Signatures on committed messages: $cred = \mathsf{Sign}(isk, upk)$ = “$\mathsf{Sign}(isk, usk)$”
– Efficient proofs of knowledge of a signature
– Instantiations: CL’01 (strong RSA), CL’04 (LRSW), BBS’04 (q-SDH), PS’16 (q-MSDH-1)
▪ Opening flexible: verifiable decryption, threshold decryption
▪ Disadvantage: opening increases signature size, yet is hardly needed
▪ More compact group signatures: GetShorty (Bichsel et al., SCN’10)
– Join creates user-specific opening secret at Issuer/Opener
– To open, Issuer/Opener iterates through all opening secrets & tests against signature
– Disadvantage:
▪ Opening gets very expensive (feature?)
▪ Issuer = Opener (inherently weaker security guarantees)

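The Encrypt & Prove and OPEN steps of the scheme above, as an added example that is not from the slides: ElGamal stands in for Enc, PKGen(usk) = G^usk, and a Fiat-Shamir Schnorr proof stands in for the NIZK. The conjunct Vf(spk, cred, upk) = 1 is left out because it needs a signature with efficient proofs (CL/BBS/PS), so this toy shows anonymity towards the verifier and opening, not traceability; the group parameters, function names and sample keys are assumptions.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for this example and far too small to be
# secure: P = 2Q + 1 with P, Q prime; G = 4 generates the order-Q subgroup.
# Assumption: the membership-credential check of the real scheme is omitted.
P, Q, G = 1019, 509, 4

def challenge(*vals):
    """Fiat-Shamir challenge in Z_Q over the statement, commitments and m."""
    data = "|".join(map(str, vals)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def pkgen(sk):
    """upk = PKGen(usk) = G^usk; also used for the opener's epk = G^esk."""
    return pow(G, sk, P)

def sign(usk, epk, m):
    """C = Enc(epk, upk) under ElGamal, plus a proof that C encrypts PKGen(usk)."""
    r = secrets.randbelow(Q)
    C = (pow(G, r, P), pow(epk, r, P) * pkgen(usk) % P)
    a, b = secrets.randbelow(Q), secrets.randbelow(Q)    # proof randomness
    T = (pow(G, a, P), pow(epk, a, P) * pow(G, b, P) % P)
    c = challenge(epk, C, T, m)                           # binds the proof to m
    return C, T, ((a + c * r) % Q, (b + c * usk) % Q)

def verify(epk, m, sig):
    """Check the proof without learning which upk is inside C."""
    (C1, C2), (T1, T2), (s_r, s_u) = sig
    c = challenge(epk, (C1, C2), (T1, T2), m)
    return (pow(G, s_r, P) == T1 * pow(C1, c, P) % P and
            pow(epk, s_r, P) * pow(G, s_u, P) % P == T2 * pow(C2, c, P) % P)

def open_sig(esk, registry, sig):
    """upk = Dec(esk, C); the registry of joined users maps upk -> identity."""
    C1, C2 = sig[0]
    upk = C2 * pow(C1, Q - esk, P) % P                    # C2 / C1^esk
    return registry.get(upk)

def demo():
    esk = 77                                              # opener: osk = esk
    epk = pkgen(esk)
    users = {"alice": 123, "bob": 321}                    # constructed usk values
    registry = {pkgen(usk): name for name, usk in users.items()}
    sig = sign(users["bob"], epk, "brake warning")
    return verify(epk, "brake warning", sig), open_sig(esk, registry, sig)
```

The verifier only ever sees epk, m and the signature; only the holder of esk can map C back to a registered upk.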
Anonymous Credentials
Envisioned by Chaum in 1981, first full scheme by Camenisch & Lysyanskaya in 2001
▪ Membership credentials contain user attributes

Name            Alice Doe
Date Of Birth   Dec 12, 1978
Address         Waterdrive 22
City            Berlin
Country         Germany
Expiry Date     Aug 4, 2020

Attribute-based authentication = group signature on nonce & context wrt attributes-based credential

Anonymous Credentials
▪ Membership credentials contain user attributes
▪ User can selectively disclose each attribute
▪ User can prove predicates over the attributes, e.g., “I'm over 18”
▪ Revocation of credentials (issuer/verifier-driven)
▪ User-controlled linkability via pseudonyms
→ Unlinkable authentication as default, linkability as an option
▪ Construction very similar to group signatures (CL/BBS/PS-based)

Name            Alice Doe
Date Of Birth   Dec 12, 1978
Address         Waterdrive 22
City            Berlin
Country         Germany
Expiry Date     Aug 4, 2020

Pseudonym       Moviefan
Name            Alice Doe
Date of Birth   > 18 years ago
Address         7 Waterdrive
City            8003 Zurich
Country         Germany
Expiry Date     > today

Direct Anonymous Attestation (DAA)
▪ Hardware-based attestation using a Trusted Platform Module (TPM)
– Secure crypto processor creates, stores, uses cryptographic keys
– Makes anonymous remote attestations of host status
▪ Split between host & TPM → shift heavy computations to host
▪ Unlinkability steered via “basename” and pseudonyms. No Opener.
[Diagram: Platform (Host + TPM), JOIN, SIGN; “Attestation comes from a certified TPM”]