group signatures with almost for free revocation
play

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas - PowerPoint PPT Presentation

Jan 09, 2023 •397 likes •605 views

Group Signatures with Almost-for-free Revocation t Libert 1 Thomas Peters 1 Moti Yung 2 Beno 1 Universit e catholique de Louvain, Crypto Group (Belgium) 2 - Google Inc. and Columbia University (USA) Santa Barbara, August 22, 2012 UCL

  1. Group Signatures with Almost-for-free Revocation ıt Libert 1 Thomas Peters 1 Moti Yung 2 Benoˆ 1 Universit´ e catholique de Louvain, Crypto Group (Belgium) 2 - Google Inc. and Columbia University (USA) Santa Barbara, August 22, 2012 UCL Crypto Group Group Signatures - Crypto 2012 1 Microelectronics Laboratory

  2. Outline 1. Introduction Background and Prior Work The Revocation Problem 2. NNL-Based Revocation in Group Signatures Description and Efficiency Analysis 3. Our Contribution: Construction with Short Private Keys Overview of the Scheme Efficiency and Security Analysis UCL Crypto Group Group Signatures - Crypto 2012 2 Microelectronics Laboratory

  3. Group Signatures Group members anonymously and accountably sign messages on behalf of a group (Chaum-Van Heyst, 1991) Applications in trusted computing platforms, auction protocols, . . . UCL Crypto Group Group Signatures - Crypto 2012 3 Microelectronics Laboratory

  4. Security Properties Full anonymity of signatures ◮ Users’ signatures are anonymous and unlinkable Security against misidentification attacks ◮ Infeasibility of producing a signature which traces outside the set of unrevoked corrupted users Non-frameability of a group signature ◮ Infeasibility of claiming falsely that a member produced a given signature UCL Crypto Group Group Signatures - Crypto 2012 4 Microelectronics Laboratory

  5. Group Signatures Chaum-van Heyst (Eurocrypt’91): introduction of the primitive Ateniese-Camenisch-Joye-Tsudik (Crypto’00): a scalable coalition-resistant construction. . . but analyzed w.r.t. a list of security requirements Bellare-Micciancio-Warinschi (Eurocrypt’03): security model; construction based on general assumptions Bellare-Shi-Zhang (CT-RSA’05), Kiayias-Yung (J. of Security and Networks 2006): extensions to dynamic groups Boyen-Waters (Eurocrypt’06 - PKC’07), Groth (Asiacrypt’06 -’07): in the standard model UCL Crypto Group Group Signatures - Crypto 2012 5 Microelectronics Laboratory

  6. Revocation in Group Signatures Trivial approach: O ( N − r ) cost for the GM at each revocation Bresson-Stern (PKC’01): signature size and signing cost in O ( r ) Brickell and Boneh-Shacham (CCS’04): verifier-local revocations, linear verification in O ( r ) Nakanishi-Fuji-Hira-Funabiki (PKC’09): O (1)-cost signing and verification time but O ( N )-size group public keys Camenisch-Lysyanskaya (Crypto’02): based on accumulators, optimal asymptotic efficiency but requires users ◮ To update their credentials at every revocation ◮ To know of all changes in the population of the group UCL Crypto Group Group Signatures - Crypto 2012 6 Microelectronics Laboratory

  7. Current Situation So far, despite 20 years of research: No system has a mechanism where the revocation is truly scalable (contrast with CRLs in regular signatures) Situation is only worse in schemes in the standard model (e.g., accumulator-based approaches do not always scale well) Recent approach (Libert-Peters-Yung; Eurocrypt 2012): Revocation mechanism based on broadcast encryption Starts from a revocation structure and adapt it (algebraically) in the group signature scenario UCL Crypto Group Group Signatures - Crypto 2012 7 Microelectronics Laboratory

  8. NNL-Based Revocation in Group Signatures Features of our approach (Eurocrypt’12) History-independent revocation / verification Provable in the standard model ( i.e. , no random oracle ) Efficiency: Signature size / Verification cost in O (1) Revocation list of size O ( r ) as in standard PKIs At most O ( polylog N ) complexity elsewhere Disadvantage : membership certificates of size O (log 3 N ) UCL Crypto Group Group Signatures - Crypto 2012 8 Microelectronics Laboratory

  9. NNL-Based Revocation in Group Signatures Using the Naor-Naor-Lotspiech framework (Crypto’01): Broadcast (symmetric) encryption / revocation Users are assigned to a leaf Subset Cover: find a cover S 1 , . . . , S m of the unrevoked set N\R and compute an encryption for each S i UCL Crypto Group Group Signatures - Crypto 2012 9 Microelectronics Laboratory

  10. NNL-Based Revocation in Group Signatures Subset Difference (SD) method: each S i is the difference between two subtrees; m = O ( r ) subsets are needed in the partition Public-key variant of NNL (Dodis-Fazio, DRM’02) ◮ SD method uses Hierarchical Identity-Based Encryption (HIBE) ◮ O ( r )-size ciphertexts and O (log 3 N ) private keys ◮ Improvements (Halevy-Shamir, Crypto’02) give O (log 2+ ǫ N )-size keys UCL Crypto Group Group Signatures - Crypto 2012 10 Microelectronics Laboratory

  11. NNL-Based Revocation in Group Signatures Broadcast encryption ciphertext is turned into a revocation list RL ⇒ RL is a set of HIBE ciphertexts C 1 , . . . , C m Signer shows the ability to decrypt one of these HIBE ciphertexts Proof that he can decrypt a committed C i , which is in the RL Can be achieved with O (1)-size signatures UCL Crypto Group Group Signatures - Crypto 2012 11 Microelectronics Laboratory

  12. NNL-Based Revocation in Group Signatures Using HIBE and the public-key NNL entails membership certificates of size O (log 3 N ). ⇒ Important overhead w.r.t. schemes without revocation and ordinary signatures e.g. , for N = 1000, private keys may contain > 1000 elements This paper : getting competitive with ordinary group signatures - O (1)-size membership certificates in the NNL framework - Carrying out all operations in constant time How is it possible? O (log N ) dependency seems inevitable with a tree-based approach. UCL Crypto Group Group Signatures - Crypto 2012 12 Microelectronics Laboratory

  13. Construction with Short Private Keys Uses concise vector commitments (Libert-Yung, TCC 2010): Constant-size commitments to ( m 1 , . . . , m ℓ ) that can be opened for individual coordinates i ∈ { 1 , . . . , ℓ } using short openings Commitments to vectors of dimension ℓ = log N are included in membership certificates Signatures prove properties about individual coordinates ⇒ Concise openings give us constant-size signatures The “essential” O (log N ) factor is pushed to the public key size only! UCL Crypto Group Group Signatures - Crypto 2012 13 Microelectronics Laboratory

  14. Construction with Short Private Keys Combination of the SD method and vector commitments Each member is assigned to a leaf v and obtains a signature on C where C = g I 1 ℓ · · · g I ℓ 1 is a commitment to the path I 1 , . . . , I ℓ to v RL encodes a cover { S 1 , . . . , S m } and specifies two node identifiers ( L j , i 1 , L j , i 2 ), with i 1 , i 2 ∈ { 1 , . . . , ℓ } , for each S j Unrevoked members prove their belonging to one of the S j ’s by proving that ( I 1 , . . . , I ℓ ) satisfies I i 1 = L j , i 1 and I i 2 � = L j , i 2 UCL Crypto Group Group Signatures - Crypto 2012 14 Microelectronics Laboratory

  15. Construction with Short Private Keys Combination of the SD method and vector commitments Each member is assigned to a leaf v and obtains a signature on C where C = g I 1 ℓ · · · g I ℓ 1 is a commitment to the path I 1 , . . . , I ℓ to v RL encodes a cover { S 1 , . . . , S m } and specifies two node identifiers ( L j , i 1 , L j , i 2 ), with i 1 , i 2 ∈ { 1 , . . . , ℓ } , for each S j Unrevoked members prove their belonging to one of the S j ’s by proving that ( I 1 , . . . , I ℓ ) satisfies I i 1 = L j , i 1 and I i 2 � = L j , i 2 UCL Crypto Group Group Signatures - Crypto 2012 14 Microelectronics Laboratory

  16. Efficiency Outcome Complexity is essentially optimal O (1)-size signatures and O (1) signing / verification time O ( r )-size revocation lists at each period as in standard PKIs O (log N )-size group public keys O (1)-size membership certificates Concrete signature length: 144 group elements, or about 9 kB at the 128-bit security level Only 3 times as long as Groth’s group signatures (Asiacrypt’07) UCL Crypto Group Group Signatures - Crypto 2012 15 Microelectronics Laboratory

  17. Security Security is proved under the same assumptions as in Eurocrypt’12 and an extra assumption (for q = O (log N )): The q -Flexible Diffie-Hellman Exponent Problem : given ( g , g 1 , . . . , g q , g q +2 , . . . , g 2 q ) with g i = g ( α i ) , find a non-trivial triple 2 q ) ∈ ( G \{ 1 G } ) 3 ( g µ , g µ q +1 , g µ At the expense of O (log 2 N )-size public keys, the Catalano-Fiore commitment allows using a weaker assumption: The Flexible Squared Diffie-Hellman Problem : given ( g , g a ), find a non-trivial triple ( g µ , g a · µ , g ( a 2 ) · µ ) ∈ ( G \{ 1 G } ) 3 . UCL Crypto Group Group Signatures - Crypto 2012 16 Microelectronics Laboratory

  18. Conclusion Revocable schemes are now competitive with ordinary group signatures: only overhead is a O (log N )-size group public key Our revocation approach Allows security proofs in the standard model Applies in other settings: traceable signatures, anonymous credentials, . . . Open problem: weakening the hardness assumptions without degrading the efficiency Alternative construction relies on weaker assumptions but has O (log 2 N )-size public keys. Can we avoid this? UCL Crypto Group Group Signatures - Crypto 2012 17 Microelectronics Laboratory

  19. Thanks! UCL Crypto Group Group Signatures - Crypto 2012 18 Microelectronics Laboratory

Recommend

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect

Revocation Methods Explicit: CRL - Certificate Revocation List Sources: CRL-DP, indirect CRL, dynamic CRL-DP Delta-CRL, windowed CRL, etc. Certificate Revocation Tree (CRT) and other Authenticated Data Structures OCSP

745 views • 35 slides
Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties

Signatures Lecture 22 Signatures Signatures Signatures with various functionality/properties Signatures Signatures with various functionality/properties Constructions come in different flavors (well sample each flavor): Signatures

1.55k views • 131 slides
Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And

Digital Signatures Digital Signatures And Putting It All Together Digital Signatures And Putting It All Together Lecture 12 Digital Signatures Digital Signatures Syntax: KeyGen, Sign SK and Verify VK . Security: Same experiment as MAC s,

1.72k views • 142 slides
Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge

Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge

Recommendation Overview KNOWLEDGE ACADEMIES REVOCATION APPEALS OCTOBER 28, 2019 Statutory Charge REVOCATIONS AND REVOCATION APPEALS The Revocation Decision Pursuant to T.C.A. 49-13-122(b), a charter school authorizer may revoke a

386 views • 35 slides
Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects

Lets Revoke Public key infrastructure prevents Man-in-the-Middle attacks Revocation protects clients from compromised certificates Without revocation, these attacks would go undetected 2 Certificate Revocation Lists (CRLs) Lists of

544 views • 27 slides
Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in

Efficient, Scalable, and Resilient Vehicle-Centric Certificate Revocation List Distribution in VANETs Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS) www.ee.kth.se/nss Royal Institute of Technology (KTH)

700 views • 35 slides
Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from

Motivation Research Question Results Conclusion Notes Construction of Universal Designated-Verifier Signatures and Identity-Based Signatures from Standard Signatures Siamak Shahandashti 1 Rei Safavi-Naini 2 1 SCSSE & CCISR, Uni

465 views • 46 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP

Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP

Digital / Electronic Signatures PET Workshop 2003 Dresden Henry Krasemann ICPP Schleswig-Holstein Use of Pseudonyms in Digital Signatures Pseudonym instead of name in certificate (no further data) States are free to allow use of

304 views • 15 slides
Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils

Efficient Unlinkable Sanitizable Signatures from Signatures with Re-Randomizable Keys Nils Fleischhacker Johannes Krupp Giulio Malavolta Jonas Schneider Dominique Schr oder Mark Simkin March 7, 2016 Sanitizable Signatures

577 views • 46 slides
Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler

Introduction & background Path-key-enabled attacks Secure path-key revocation Conclusions Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks Tyler Moore and Jolyon Clulow University of Cambridge

505 views • 22 slides
Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular

KTH ROYAL INSTITUTE OF TECHNOLOGY Scalable & Resilient Vehicle-Centric Certificate Revocation List Distri- bution in Vehicular Communication Systems Mohammad Khodaei and Panos Papadimitratos Networked Systems Security Group (NSS)

981 views • 52 slides
Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s

Lecture 12 Digital Signatures from one-way functions Signatures vs. MACs Signatures MAC s users require only secretkeys users require n 2 secretkeys Privately verifiable and non-transferable Same signature

764 views • 53 slides
Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the

Leptophilic Higgs Leptophilic Higgs Signatures at the LHC Signatures at the LHC (And the Importance of Leptonic Decays for Higgs Discovery) Brooks Thomas (The University of Arizona) Shufang Su & BT [arXiv:0903.0667] What do we know about

375 views • 26 slides
Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures without Trapdoors t Libert 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 Beno 1 Ecole Normale Sup erieure de Lyon (France) 2

681 views • 33 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-02-25 1 Outline Recap: security experiments Message space extension One-time signatures One-time signatures from one-way functions Digital

1.07k views • 48 slides
Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

257 views • 23 slides
Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976

Proving tight security for Rabin-Williams signatures D. J. Bernstein Public-key signatures 1976 Diffie Hellman: Public-key signatures would allow verification by anyone, not just signer. Cool! Can we build a signature system? 1977 Rivest

743 views • 33 slides
Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable

S C I E N C E P A S S I O N T E C H N O L O G Y Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability Olivier Blazy 1 , David Derler 2 , Daniel Slamanig 2 , Raphael

345 views • 21 slides
Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures

Digital Signatures Dennis Hofheinz (slides based on slides by Bjrn Kaidel) Digital Signatures 2020-03-03 1 Outline Why assumptions? Efficient one-time signatures Digital Signatures 2020-03-03 2 Recap: Lamport EUF-1-CMA secure

1.14k views • 37 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*,

An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*,

An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*, Liang Zhang*, David Choffnes*, Dave Levin , Bruce Maggs , Alan Mislove*, Aaron Schulman , Christo Wilson* University of Maryland

1.32k views • 67 slides
An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*,

An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*,

An End-to-End Measurement of Certificate Revocation in the Webs PKI Yabing Liu*, Will Tome*, Liang Zhang*, David Choffnes*, Dave Levin , Bruce Maggs , Alan Mislove*, Aaron Schulman , Christo Wilson* *Northeastern University

1.33k views • 65 slides
CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens

CSI-FiSh: Efficient Isogeny based Signatures through Class Group Computations Ward Beullens Thorsten Kleinjung Frederik Vercauteren imec - COSIC December 3, 2019 Introduction : CSIDH [Castryck et al.] 1/34 Take the supersingular elliptic

1.2k views • 86 slides

More recommend