Lattice-Based Group Signatures with Logarithmic Signature Size

Fabien Laguillaumie (1), Adeline Langlois (2), Benoît Libert (3), Damien Stehlé (2)
(1) LIP, Université Lyon 1; (2) LIP, ENS de Lyon; (3) Technicolor

December 4, 2013

Laguillaumie et al. LB Group Signature December 4, 2013 1/15
Our main result

The first lattice-based group signature with signature size logarithmic in the number N of group members, and security under the SIS and LWE assumptions (standard lattice hardness problems) in the Random Oracle Model.
Group Signatures [ChaumVanHeyst91]

Group signatures allow any member of a group to anonymously and accountably sign on behalf of this group.

- Group manager: holds (mpk, msk) and issues the member keys sk_i; runs KeyGen and Open.
- Group members: each holds sk_i; run Sign.
- Anyone: runs Verify.

Security:
- Anonymity
- Traceability
Security: Anonymity and Traceability

Security requirements [BellareMicciancioWarinschi03]

- Anonymity: a given signature does not leak the identity of its originator. Two types: weak and full.
  - Given: sk_i for all users (weak); an opening oracle as well (full).
  - Goal: distinguish between two users.
- Traceability: no collusion of malicious users can produce a valid signature that cannot be traced to one of them.
  - Given: msk and the sk_i of the users in the collusion.
  - Goal: create a valid signature that traces to someone not in the collusion (or to nobody).
Applications

Need for authenticity and anonymity:
- Anonymous credentials: anonymous use of certified attributes.
  - E.g., a student card: name, picture, date, grade...
- Traffic management (Vehicle Safety Communications project of the U.S. Dept. of Transportation).
- Restricted area access.
Prior works

- Introduced by [ChaumVanHeyst91].
- Generic construction [BellareMicciancioWarinschi03].

| Construction                                                                        | Signature size                                          |
|-------------------------------------------------------------------------------------|---------------------------------------------------------|
| Realizations based on bilinear maps [BoyenWaters07], [Groth07]                      | constant number of elements of a large algebraic group  |
| Lattice-based constructions [GordonKatzVaikuntanathan10], [CamenischNevenRückert10] | linear in N (number of group members)                   |
| Our result                                                                          | logarithmic in N                                        |
Lattice-Based Cryptography

From basic to very advanced primitives:
- Public key encryption [Regev05, ...],
- Lyubashevsky's signature scheme [Lyubashevsky12],
- Identity-based encryption [GentryPeikertVaikuntanathan08, ...],
- Attribute-based encryption [Boyen13, GorbunovVaikuntanathanWee13],
- Fully homomorphic encryption [Gentry09, ...].

Advantages of lattice-based primitives:
- (Asymptotically) efficient,
- Security proofs from the hardness of LWE and SIS,
- Likely to resist quantum attacks.
$\mathrm{SIS}_\beta$ and $\mathrm{LWE}_\alpha$

Parameters: $n$ dimension, $m \ge n$, $q$ modulus. For $A \leftarrow U(\mathbb{Z}_q^{m \times n})$:

Small Integer Solution ($\mathrm{SIS}_\beta$)
- Relation: $x^T \cdot A = 0 \bmod q$, with $x \in \mathbb{Z}^m$.
- Goal: given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, find $x$ such that $0 < \|x\| \le \beta$.

Learning With Errors ($\mathrm{LWE}_\alpha$)
- Relation: $A s + e$, with $s \leftarrow U(\mathbb{Z}_q^n)$ and $e$ a small error of size $\approx \alpha q$.
- Goal: given $(A, A s + e)$, find $s$.
Lattice-Based Cryptography Toolbox: Trapdoors

- TrapGen outputs $(A, T_A)$ such that $T_A$ is a short basis of the lattice
  $\Lambda_q^\perp(A) = \{x \in \mathbb{Z}^m : x^T \cdot A = 0 \pmod q\}$.
  - $A$: public description of the lattice.
  - $T_A$: short basis, kept secret.
- Note that:
  1. Computing $T_A$ given $A$ is hard,
  2. Constructing $A$ together with $T_A$ is easy.
- With $T_A$, we can sample short vectors in $\Lambda_q^\perp(A)$.
- Can add constraints: find $B$ such that $B^T \cdot A = 0$ (with trapdoors for $A$ and $B$).
Group Signatures: a generic construction [BellareMicciancioWarinschi03]

Ingredients:
- Signature and encryption schemes.
- Non-Interactive Zero-Knowledge proof system.

Scheme:
- Public key: pk of Enc ($pk_e$) and of Sign ($pk_s$).
- Opening key: secret key of Enc, $sk_e$.
- User secret key: signing key $sk_i$ and $\mathrm{Sign}_{sk_s}(i)$ from the group manager.
- To sign a message $m$ as member $i$:
  1. $c = \mathrm{Enc}_{pk_e}(i, \mathrm{Sign}_{sk_s}(i), \mathrm{Sign}_{sk_i}(m))$,
  2. $\pi$: ZKPoK of valid plaintext,
  3. Output $\Sigma = (c, \pi)$.

The construction is not efficient (generic ZKPoK). First attempt with lattices [GKV10]: signature size $= O(N)$.
Our construction: ingredients

- [Boyen2010]'s signature (standard model): the users' certificate, a key to produce temporary certificates.
- [GenPeiVai2008] variant of Dual-Regev encryption.
- ZKPoK adapted from Lyubashevsky's signature.

KeyGen:
- $N = 2^\ell$ group members.
- $\ell$ public matrices: $A$, the $A_i$'s and the $B_i$'s, such that $B_i^T \cdot A_i = 0 \bmod q$.
- Each user is given a short basis $T_{id}$ of a public lattice associated to its identity (using $T_A$):
  $$A_{id} = \begin{bmatrix} A \\ A_0 + \sum_{i=1}^{\ell} id[i]\, A_i \end{bmatrix}.$$
- Group manager secret key: $\{T_{B_i}\}_i$.
Our construction: Sign

- Create a temporary membership certificate, i.e. Boyen's signature of $id$ (using $T_{id}$): produce $(x_1 \| x_2)^T$ short such that
  $$x_1^T \cdot A + x_2^T \cdot \Big(A_0 + \sum_{i=1}^{\ell} id[i] \cdot A_i\Big) = 0 \pmod q.$$
- Encrypt this certificate as $\{c_i\}_{0 \le i \le \ell}$:
  - Encrypt $x_2$ as $c_0 = B_0 \cdot s_0 + x_2$, with $s_0 \leftarrow U(\mathbb{Z}_q^n)$.
  - For all $i = 1, \dots, \ell$, encrypt $id_i \cdot x_2$ as $c_i = B_i \cdot s + p \cdot e_i + id_i \cdot x_2$, with $\mathrm{poly}(n) \ll p \ll q$.
- Prove that the ciphertext encrypts a valid certificate belonging to a group member: $\pi_0$, $\{\pi_{OR,i}\}_{1 \le i \le \ell}$, $\pi_K$.
  - $\pi_0$: $c_0$ is close to a point in the $\mathbb{Z}_q$-span of $B_0$.
  - We have that either $c_i$ and $c_0$ encrypt the same $x_2$ ($id_i = 1$), or $c_i$ encrypts $0$ ($id_i = 0$); $\pi_{OR,i}$ proves these relations (disjunctions).
  - $\pi_K$: proof of knowledge of the $e_i$'s and the $id_i \cdot x_2$'s with their corresponding relation.
- Message? The ZKPoK is made non-interactive via Fiat-Shamir, incorporating the message in $\pi_K$.

$$\Sigma = \big(\{c_i\}_{0 \le i \le \ell},\ \pi_0,\ \{\pi_{OR,i}\}_{1 \le i \le \ell},\ \pi_K\big)$$
Our construction: Verify and Open

Verify:
- Check the proofs.

Open:
- Decrypt $c_0$ (yielding $x_2$) and check whether $p^{-1} c_i$ or $p^{-1}(c_i - x_2)$ is close to the $\mathbb{Z}_q$-span of $B_i$.

Sizes:
- Size of the signatures: $\tilde{O}(\lambda \cdot \log N)$.
- Size of the key of member $i$: $\tilde{O}(\lambda^2)$.
- $\lambda = \Theta(n)$ is the security parameter.
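The trapdoor slide's point that constructing a matrix together with a short vector in its kernel lattice is easy, and the Open step above, as an added worked example in Python that is not part of the talk or of the paper. It plants a single short vector $y_i \in \Lambda_q^\perp(B_i)$ for each $B_i$ in place of the full short basis $T_{B_i}$ that TrapGen would produce, encrypts the identity bits as $c_i = B_i s + p e_i + id_i x_2$, and opens each bit with the inner product $y_i^T c_i$, which is the slide's "close to the $\mathbb{Z}_q$-span of $B_i$" test seen through one short dual vector. The zero-knowledge proofs and the certificate $(x_1 \| x_2)$ are not implemented: $x_2$ is a constructed short vector and the opener is handed it directly instead of decrypting $c_0$. The parameters $q = 1000003$, $p = 1009$, $n = 4$, $m = 8$, $\ell = 3$ are toy values chosen here, not the paper's, and give no security.

```python
import random

# Toy parameters, constructed for this example only (far too small to be secure).
Q = 1_000_003   # modulus q
P = 1009        # p, with poly(n) << p << q as on the Sign slide
N_DIM = 4       # n: dimension of the LWE secret s
M_DIM = 8       # m: rows of each B_i, i.e. length of x_2 and of each ciphertext
ELL = 3         # ell: N = 2^ell = 8 group members, identities are ell-bit strings


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def centered(v, mod):
    """Representative of v modulo `mod` in the range (-mod/2, mod/2]."""
    v %= mod
    return v - mod if v > mod // 2 else v


def keygen_B(rng):
    """Planted toy trapdoor: B in Z_q^{m x n} together with ONE short y with y^T B = 0 mod q.
    The first m-1 rows B' are uniform; the last row is -r^T B' for a short r, so that
    y = (r, 1) lies in Lambda_perp_q(B). The real scheme uses TrapGen to get a full short
    basis T_B; one short vector suffices for the test on c_i but not to decrypt c_0."""
    Bp = [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(M_DIM - 1)]
    r = [rng.choice([-1, 0, 1]) for _ in range(M_DIM - 1)]
    last = [(-sum(r[j] * Bp[j][k] for j in range(M_DIM - 1))) % Q for k in range(N_DIM)]
    return Bp + [last], r + [1]


def is_kernel_vector(y, B):
    """Check y^T B = 0 (mod q), i.e. y is in Lambda_perp_q(B) (the SIS relation)."""
    return all(dot(y, [row[k] for row in B]) % Q == 0 for k in range(N_DIM))


def encrypt_bit(B, s, x2, bit, rng):
    """c_i = B_i s + p e_i + id_i x_2 (mod q), with e_i in {-1,0,1}^m."""
    e = [rng.choice([-1, 0, 1]) for _ in range(M_DIM)]
    return [(dot(B[j], s) + P * e[j] + bit * x2[j]) % Q for j in range(M_DIM)]


def sign_identity(pub, identity, x2, rng):
    """Produce c_0 (encrypting x_2) and c_1..c_ell (encrypting id_i x_2) as on the Sign slide.
    The proofs pi_0, pi_OR,i and pi_K are not part of this toy."""
    s0 = [rng.randrange(Q) for _ in range(N_DIM)]
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    bits = [(identity >> (ELL - 1 - i)) & 1 for i in range(ELL)]   # id[1..ell], MSB first
    c0 = [(dot(pub[0][j], s0) + x2[j]) % Q for j in range(M_DIM)]
    return [c0] + [encrypt_bit(pub[i + 1], s, x2, bits[i], rng) for i in range(ELL)]


def open_bit(y, c, x2):
    """Opener's test on c_i, given x_2 (recovered from c_0 with T_{B_0} in the real scheme).
    Because y^T B = 0 mod q:  y^T c = p (y^T e) + id (y^T x_2)  (mod q), and this value is
    small enough to be read off exactly over the integers. It is a multiple of p iff id = 0,
    and y^T (c - x_2) is a multiple of p iff id = 1: the slide's two closeness tests."""
    v0 = centered(dot(y, c), Q)                  # p*(y^T e) + id*(y^T x_2)
    v1 = centered(dot(y, c) - dot(y, x2), Q)     # p*(y^T e) + (id-1)*(y^T x_2)
    looks_zero = centered(v0, P) == 0
    looks_x2 = centered(v1, P) == 0
    if looks_zero == looks_x2:
        return None   # y^T x_2 = 0 mod p: one dual vector cannot decide; a full basis would
    return 0 if looks_zero else 1


def open_identity(trap, cts, x2):
    """Recover the identity bit by bit from c_1..c_ell with the short vectors y_i."""
    bits = [open_bit(trap[i + 1], cts[i + 1], x2) for i in range(ELL)]
    if None in bits:
        return None
    return int("".join(map(str, bits)), 2)


def roundtrip(identity, seed, x2=None):
    """Key generation, signing of `identity`, then opening, with a seeded RNG.
    x2 stands in for the short certificate part; by default a constructed short vector."""
    rng = random.Random(seed)
    pub, trap = zip(*(keygen_B(rng) for _ in range(ELL + 1)))
    if x2 is None:
        x2 = [rng.choice([-2, -1, 0, 1, 2]) for _ in range(M_DIM)]
    assert all(is_kernel_vector(trap[i], pub[i]) for i in range(ELL + 1))
    cts = sign_identity(pub, identity, x2, rng)
    return open_identity(trap, cts, x2)


if __name__ == "__main__":
    for identity in range(2 ** ELL):
        print(identity, "->", roundtrip(identity, seed=2013))
```

With a single planted dual vector the opener only learns $y^T x_2$, so when that inner product vanishes modulo $p$ the toy reports an undecidable bit; this is exactly why the scheme gives the group manager a full short basis $T_{B_i}$, which also lets it decrypt $c_0$ outright.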
Anonymity and Traceability

In the random oracle model:
- Anonymity: weak anonymity under LWE and the simulation of the ZKPoK.
- Traceability: traceability under SIS and extraction of information from the ZKPoK.

- We also provide a variant with full anonymity, i.e. the adversary has an opening oracle.
- This requires a way to open adversarially chosen signatures: using IND-CCA encryption.