Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability
Olivier Blazy (1), David Derler (2), Daniel Slamanig (2), Raphael Spreitzer (2)
(1) Université de Limoges, XLim, France
(2) IAIK, Graz University of Technology, Austria
CT-RSA 2016, San Francisco, 2nd March 2016
www.iaik.tugraz.at
Group Signature Schemes [CvH91]
[Figure: parties of a group signature scheme. The Group Manager (pk) comprises the Issuer (mik) and the Opener (mok); Signer i (x_i) produces a group signature σ, which the Verifier (pk) checks.]
Blazy, Derler, Slamanig, Spreitzer 2 CT-RSA 2016, San Francisco, 2nd March 2016
Controllable Linkability [HLhC+11, SSU14]
[Figure: same parties as before, plus a Linker (mlk) inside the Group Manager. The Linker receives two signatures (σ_1, M_1), (σ_2, M_2) and decides whether they were produced by the same signer, yet has "no idea who signed them"; the Verifier asks: "But can I trust the Linker?"]
Verifiable Controllable Linkability
[Figure: as on the previous slide, but the Verifier now demands "Prove it!" for the Linker's decision on (σ_1, M_1), (σ_2, M_2); the Linker still has "no idea who signed them".]
Sign-Encrypt-Prove Paradigm
Basic building blocks:
- Digital signature scheme DS = (KG_s, Sign, Verify)
- Public key encryption scheme AE = (KG_e, Enc, Dec)
- Signature of Knowledge (SoK)
Keys: gpk ← (pk_e, pk_s), gmsk ← sk_e, gmik ← sk_s
Join:
- User's secret: x_i
- Issuer computes: cert ← Sign(gmik, f(x_i))
Sign-Encrypt-Prove Paradigm I
Sign:
- T ← Enc(pk_e, cert)
- π ← SoK{(x_i, cert) : cert = Sign(sk_s, f(x_i)) ∧ T = Enc(pk_e, cert)}(m)
- σ ← (T, π)
Verify: verification of π
Open: cert ← Dec(sk_e, T)
Contributions
1. Generic proof system for plaintext (in-)equality
2. Efficient instantiation of this proof system
3. Group signatures with verifiable controllable linkability
4. Extend GSs with verifiable controllable linkability (VCL)
Controllable Linkability
Public key encryption with equality tests (PKEQ) [Tan12, SSU14]:
- Conventional public key encryption scheme
- plus a Com algorithm for equality tests using a trapdoor
- ⇒ Link: 1/0 ← Com(T, T', gmlk)
- Semantic security without the trapdoor
- One-way security for trapdoor holders
Setting
[Figure: the Verifier (pk) asks the Linker (mlk) whether cert_i = cert_j for two signatures, Link((π_1, ·), (π_2, ·)); the Linker answers Yes/No together with a proof π.]
Non-interactive plaintext (in-)equality proofs
Non-Interactive Plaintext (In-)Equality Proofs
Given any PKEQ and ciphertexts T and T' under pk, the proof system Π lets the linker:
1. Prove knowledge of the trapdoor tk
2. Prove Com = 1 (membership) or Com = 0 (non-membership)
3. Without revealing the trapdoor tk
(Non-)Membership Proofs
Com = 1 defines the language L_∈ for membership:
- Witnessed by the trapdoor tk
- Standard techniques [GS08]
Com = 0 defines the language L_∉ for non-membership. Idea [BCV15]:
- Π_1: failing membership proof for L_∈
- Π_2: proof that Π_1 has been computed honestly
- Efficient instantiations (GS proofs and SPHFs)
- Technicalities: m, r must be known [BCV15]
Smooth Projective Hash Functions (SPHFs)
Construction - Non-Membership Proof
Example of Efficient Instantiation
ElGamal with equality tests (as in [SSU14]):
- Keypair: $(sk, pk) \leftarrow (x, g^{x}) \in \mathbb{Z}_p \times \mathbb{G}_1$
- Trapdoor: $(\hat r, \hat r^{x}) \in \mathbb{G}_2 \times \mathbb{G}_2$
- Encryption of $m$: $(g^{r}, m \cdot g^{x \cdot r}) \in \mathbb{G}_1 \times \mathbb{G}_1$
Pairing-based equality test:
- Ciphertexts: $(g^{r}, m \cdot g^{x \cdot r})$, $(g^{r'}, m' \cdot g^{x \cdot r'})$
- $m = m' \iff \dfrac{e(m \cdot g^{x \cdot r}, \hat r)}{e(g^{r}, \hat r^{x})} = \dfrac{e(m' \cdot g^{x \cdot r'}, \hat r)}{e(g^{r'}, \hat r^{x})}$
Instantiation of Π_∈
Com = 1: plaintext equality proof
$\big((g^{r}, m \cdot g^{x \cdot r}), (g^{r'}, m' \cdot g^{x \cdot r'}), g^{x}\big) \in L_\in \iff$
$\dfrac{e(m \cdot g^{x \cdot r}, \hat r)}{e(g^{r}, \hat r^{x})} = \dfrac{e(m' \cdot g^{x \cdot r'}, \hat r)}{e(g^{r'}, \hat r^{x})} \;\wedge\; e(g^{x}, \hat r) = e(g, \hat r^{x})$
The first conjunct rewrites as a pairing product equation $\prod_{i=1}^{2} e(A_i, \hat Y_i) = 1_{\mathbb{G}_T}$:
$\dfrac{e\big(m \cdot g^{x \cdot r} \cdot (m' \cdot g^{x \cdot r'})^{-1}, \hat r\big)}{e(g^{r} \cdot g^{-r'}, \hat r^{x})} = 1_{\mathbb{G}_T}$
Instantiation of Π_∉
Com = 0: plaintext inequality proof
$\big((g^{r}, m \cdot g^{x \cdot r}), (g^{r'}, m' \cdot g^{x \cdot r'}), g^{x}\big) \in L_\notin \iff$
$\dfrac{e(m \cdot g^{x \cdot r}, \hat r)}{e(g^{r}, \hat r^{x})} \neq \dfrac{e(m' \cdot g^{x \cdot r'}, \hat r)}{e(g^{r'}, \hat r^{x})} \;\wedge\; e(g^{x}, \hat r) = e(g, \hat r^{x})$
⇒ Our construction for non-membership proofs
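The following is an added worked example, not code from the slides or the paper: a toy instantiation of "ElGamal with equality tests" in the slides' notation, covering the PKEQ/Com interface from the Controllable Linkability slide, the key, trapdoor and encryption formulas from the instantiation slide, and the two conjuncts of L_∈ and L_∉ (the trapdoor well-formedness check e(g^x, r̂) = e(g, r̂^x) and the G_T quotient that is 1_{G_T} exactly for equal plaintexts). The bilinear group is an assumption made here for runnability: G_1 = G_2 = G_T is the order-1019 subgroup of Z_2039^* generated by 4, and the pairing e(g^a, g^b) = g^{ab} is evaluated through a discrete-log table, which is only possible because the group is tiny. All function names (keygen, trapdoor, encrypt, com, quotient, gs_target, trapdoor_wellformed) are mine; nothing here is secure, it only checks the algebra.

```python
# Added example, not the paper's code: toy pairing-based ElGamal with equality tests.
# Group parameters are an assumption chosen so that e() can be computed by table lookup.
import secrets

P = 1019                 # prime group order
Q = 2 * P + 1            # 2039, also prime, so Z_Q^* has a subgroup of order P
G = 4                    # generator g of that subgroup (a quadratic residue mod Q)
_DLOG = {pow(G, i, Q): i for i in range(P)}   # discrete-log table; feasible only because P is tiny


def e(a, b):
    """Pairing e(g^a, g^b) = g^(a*b) on subgroup elements; bilinear by construction, insecure by design."""
    return pow(G, (_DLOG[a] * _DLOG[b]) % P, Q)


def inv(a):
    return pow(a, -1, Q)


def rand_exp():
    return secrets.randbelow(P - 1) + 1


def keygen():
    """(sk, pk) <- (x, g^x)."""
    x = rand_exp()
    return x, pow(G, x, Q)


def trapdoor(sk):
    """Trapdoor tk = (r_hat, r_hat^x) for a random r_hat in G_2."""
    r_hat = pow(G, rand_exp(), Q)
    return r_hat, pow(r_hat, sk, Q)


def encrypt(pk, m):
    """T = (g^r, m * g^(x*r)); m must be a subgroup element, i.e. m = g^mu."""
    r = rand_exp()
    return pow(G, r, Q), (m * pow(pk, r, Q)) % Q


def decrypt(sk, T):
    c1, c2 = T
    return (c2 * inv(pow(c1, sk, Q))) % Q


def trapdoor_wellformed(pk, tk):
    """Second conjunct of L_in and L_notin: e(g^x, r_hat) = e(g, r_hat^x)."""
    r_hat, r_hat_x = tk
    return e(pk, r_hat) == e(G, r_hat_x)


def quotient(T, tk):
    """e(m * g^(xr), r_hat) / e(g^r, r_hat^x); the randomness cancels, leaving e(m, r_hat)."""
    r_hat, r_hat_x = tk
    c1, c2 = T
    return (e(c2, r_hat) * inv(e(c1, r_hat_x))) % Q


def com(T1, T2, tk):
    """Com(T, T', tk): 1 iff both ciphertexts encrypt the same plaintext, 0 otherwise."""
    return 1 if quotient(T1, tk) == quotient(T2, tk) else 0


def gs_target(T1, T2, tk):
    """Value of the pairing-product equation on the membership slide:
    e(c2 * d2^-1, r_hat) / e(c1 * d1^-1, r_hat^x), which is 1 in G_T iff m = m'."""
    r_hat, r_hat_x = tk
    (c1, c2), (d1, d2) = T1, T2
    num = e((c2 * inv(d2)) % Q, r_hat)
    den = e((c1 * inv(d1)) % Q, r_hat_x)
    return (num * inv(den)) % Q


if __name__ == "__main__":
    sk, pk = keygen()
    tk = trapdoor(sk)
    m1, m2 = pow(G, 7, Q), pow(G, 99, Q)       # constructed sample plaintexts in <g>
    T1, T2, T3 = encrypt(pk, m1), encrypt(pk, m1), encrypt(pk, m2)
    print("trapdoor well-formed:", trapdoor_wellformed(pk, tk))
    print("Com(T1, T2):", com(T1, T2, tk), " Com(T1, T3):", com(T1, T3, tk))
    print("GS target equal/unequal:", gs_target(T1, T2, tk), gs_target(T1, T3, tk))
```

Two things worth noticing when running it: `quotient` shows why the test is only one-way for the trapdoor holder, since what the linker actually sees is e(m, r̂) rather than m, and the `gs_target` value is the single G_T element that the membership proof shows to be 1 and the non-membership proof (a failing membership proof plus a proof of honest computation) shows to be different from 1, both with r̂ and r̂^x kept as hidden witnesses.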
NIPEI Proof System
Proof system Π = (Π_∈, Π_∉)
[Figure: the Verifier (pk) asks the Linker (mlk) whether cert_i = cert_j, Link((π_1, ·), (π_2, ·)); the Linker answers Yes/No together with a proof π.]
GSSs with Verifiable Controllable Linkability
Extended security model for VCL-GS:
- Algorithms: Link and LinkJudge
- Property: linking soundness
Instantiation based on NIPEI:
- Link: Π.Proof
- LinkJudge: Π.Verify
Take-Home Message
- Proposed generic approach for (in-)equality proofs
- Efficient instantiation in the pairing setting
- Rather independent of the encryption scheme: various DDH/DLIN ElGamal variants; CCA2: Naor-Yung and Cramer-Shoup (for free)
- Novel application: GSSs with verifiable controllable linkability
Bibliography
[BCV15] Olivier Blazy, Céline Chevalier, and Damien Vergnaud. Non-Interactive Zero-Knowledge Proofs of Non-Membership. In CT-RSA, 2015.
[CvH91] David Chaum and Eugène van Heyst. Group Signatures. In EUROCRYPT, 1991.
[GS08] Jens Groth and Amit Sahai. Efficient Non-interactive Proof Systems for Bilinear Groups. In EUROCRYPT, 2008.
[HLhC+11] Jung Yeon Hwang, Sokjoon Lee, Byung ho Chung, Hyun Sook Cho, and DaeHun Nyang. Short Group Signatures with Controllable Linkability. In LightSec. IEEE, 2011.
[SSU14] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Adding Controllable Linkability to Pairing-Based Group Signatures for Free. In ISC, 2014.
[Tan12] Qiang Tang. Public Key Encryption Supporting Plaintext Equality Test and User-Specified Authorization. Security and Communication Networks, 5(12), 2012.