
Round-Optimal Waters Blind Signatures, David Pointcheval



  1. Sections: Introduction | Cryptographic Tools | Signatures on Ciphertexts | Blind Signatures

     Slide 1/45: Round-Optimal Waters Blind Signatures
       David Pointcheval
       Joint work with Olivier Blazy, Georg Fuchsbauer and Damien Vergnaud
       Ecole normale supérieure, CNRS & INRIA
       Institute of Advanced Studies of Tsinghua University, Beijing – China – October 18th, 2010

     Slide 2/45: Outline
       1 Introduction
       2 Cryptographic Tools
       3 Signatures on Randomizable Ciphertexts
       4 Blind Signatures

     Slide 3/45: Electronic Cash (Outline)
       1 Introduction
           Electronic Cash
           Blind Signatures
       2 Cryptographic Tools
       3 Signatures on Randomizable Ciphertexts
       4 Blind Signatures

     Slide 4/45: Electronic Cash
       Electronic Coins [Chaum, 1981]
       Expected properties:
         - coins are signed by the bank, for unforgeability
         - coins must be distinct to detect/avoid double-spending
         - the bank should not know to whom it gave a coin, for anonymity
       Electronic Cash
       The process is the following one:
         - Withdrawal: the user gets a coin c from the bank
         - Spending: the user spends a coin c in a shop
         - Deposit: the shop gives back the money to the bank

  2. Slide 5/45: Blind Signatures
       We thus want:
         - Anonymity: the bank cannot link a withdrawal to a deposit to know where a user spent a coin → blind signature
         - No double-spending: a coin should not be used twice → fair blind signature
       Perfectly Blind Signatures
         A blind signature allows a user to get a message $m$ signed by an authority into $\sigma$ so that the authority (even powerful) cannot later recognize the pair $(m, \sigma)$.

     Slide 6/45: Blind Signatures
       Computationally/Fair Blind Signatures
         Unlinkability between the signing process and the pair $(m, \sigma)$ is either computational, or even revocable (fair blind signatures). The latter property allows identifying/tracing the defrauder after double-spending detection.

     Slide 7/45: Blind RSA [Chaum, 1981]
       The easiest way to obtain blind signatures is to blind the message.
       To get an FDH RSA signature on $m$ under RSA public key $(n, e)$:
         - The user computes a blind version of the hash value: $M = H(m)$ and $M' = M \cdot r^e \bmod n$
         - The signer signs $M'$ into $\sigma' = M'^d \bmod n$
         - The user unblinds the signature: $\sigma = \sigma' / r \bmod n$
       Indeed,
         $\sigma = \sigma'/r = M'^d / r = (M \cdot r^e)^d / r = M^d \cdot r / r = M^d \bmod n$
       → Proven under the One-More RSA Assumption [Bellare, Namprempre, Pointcheval, Semanko, 2001]
       → Perfectly blind signature

     Slide 8/45: Blind Signatures and NIZK [Fischlin, 2006]
       Fischlin Approach
       To get a signature on $m$:
         - The user commits $m$ into $c$
         - The signer signs $c$ into $\sigma$
         - The user generates a NIZK proof of knowledge of $c$ and $\sigma$, valid with respect to $m$ and the signer public key
       This can be instantiated within the Groth-Sahai methodology.
       This method is in the same vein as the Blind RSA:
         - The user commits $m$ into $c$: blinding of the message
         - The signer signs $c$ into $\sigma$: signature on the blinded message
         - The user generates a NIZK proof of knowledge of $c$ and $\sigma$ → Could we do an unblinding?
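The Blind RSA exchange described above, run end to end with the three roles (user, signer, verifier) kept in separate functions. This is an added example, not code from the slides: the toy modulus built from two Mersenne primes, the SHA-256-based stand-in for the full-domain hash `H`, the function names and the sample message are all assumptions made for illustration.

```python
import hashlib
import math
import secrets

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))    # signer's private exponent d

def fdh(m: bytes) -> int:
    """Stand-in for the full-domain hash H(m): SHA-256 in counter mode, reduced mod n."""
    stream = b"".join(hashlib.sha256(bytes([i]) + m).digest() for i in range(2))
    return int.from_bytes(stream, "big") % N

def blind(m: bytes):
    """User: M' = H(m) * r^e mod n, with r invertible mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return fdh(m) * pow(r, E, N) % N, r

def sign_blinded(m_blind: int) -> int:
    """Signer: sigma' = M'^d mod n. The signer never sees m or H(m)."""
    return pow(m_blind, D, N)

def unblind(sig_blind: int, r: int) -> int:
    """User: sigma = sigma' / r mod n."""
    return sig_blind * pow(r, -1, N) % N

def verify(m: bytes, sig: int) -> bool:
    """Anyone: sigma^e == H(m) mod n."""
    return pow(sig, E, N) == fdh(m)

def demo():
    m = b"coin #42"                           # constructed sample message
    m_blind, r = blind(m)
    sig = unblind(sign_blinded(m_blind), r)
    # A second withdrawal of the same message gives the signer a different
    # view M', yet unblinds to the same FDH signature M^d mod n.
    m_blind2, r2 = blind(m)
    sig2 = unblind(sign_blinded(m_blind2), r2)
    return verify(m, sig), sig == pow(fdh(m), D, N), m_blind != m_blind2, sig == sig2

if __name__ == "__main__":
    print(demo())
```

Because `r` is uniform among the invertible elements, `M'` is uniformly distributed whatever `m` is, which is why the slide calls the scheme perfectly blind.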

  3. Slide 9/45: Computational Assumptions (Outline)
       1 Introduction
       2 Cryptographic Tools
           Computational Assumptions
           Signature & Encryption
           Security
           Groth-Sahai Methodology
       3 Signatures on Randomizable Ciphertexts
       4 Blind Signatures

     Slide 10/45: Assumptions: Diffie-Hellman
       Definition (The Computational Diffie-Hellman problem (CDH))
         $\mathbb{G}$ a cyclic group of prime order $p$. The CDH assumption in $\mathbb{G}$ states:
         for any generator $g \stackrel{\$}{\leftarrow} \mathbb{G}$, and any scalars $a, b \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
         given $(g, g^a, g^b)$, it is hard to compute $g^{ab}$.
       Definition (The Decisional Diffie-Hellman problem (DDH))
         $\mathbb{G}$ a cyclic group of prime order $p$. The DDH assumption in $\mathbb{G}$ states:
         for any generator $g \stackrel{\$}{\leftarrow} \mathbb{G}$, and any scalars $a, b, c \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
         given $(g, g^a, g^b, g^c)$, it is hard to decide whether $c = ab$ or not.
       In some pairing-friendly groups, the latter assumption does not hold.

     Slide 11/45: Assumptions: Linear Problem
       Definition (Decision Linear Assumption (DLin))
         $\mathbb{G}$ a cyclic group of prime order $p$. The DLin assumption states:
         for any generator $g \stackrel{\$}{\leftarrow} \mathbb{G}$, and any scalars $a, b, x, y, c \stackrel{\$}{\leftarrow} \mathbb{Z}_p^*$,
         given $(g, g^x, g^y, g^{xa}, g^{yb}, g^c)$, it is hard to decide whether $c = a + b$ or not.
       Equivalently, given a reference triple $(u = g^x, v = g^y, g)$ and a new triple $(U = u^a = g^{xa}, V = v^b = g^{yb}, T = g^c)$, decide whether $T = g^{a+b}$ or not (that is, $c = a + b$).

     Slide 12/45: General Tools: Signature
       Definition (Signature Scheme)
         $\mathcal{S} = (\mathsf{Setup}, \mathsf{SKeyGen}, \mathsf{Sign}, \mathsf{Verif})$:
         - $\mathsf{Setup}(1^k)$ → global parameters $\mathsf{param}$;
         - $\mathsf{SKeyGen}(\mathsf{param})$ → pair of keys $(sk, vk)$;
         - $\mathsf{Sign}(sk, m; s)$ → signature $\sigma$, using the random coins $s$;
         - $\mathsf{Verif}(vk, m, \sigma)$ → validity of $\sigma$
       If one signs $F = \mathcal{F}(M)$, for any function $\mathcal{F}$, one extends the above definitions: $\mathsf{Sign}(sk, (\mathcal{F}, F, \Pi_M); s)$ and $\mathsf{Verif}(vk, (\mathcal{F}, F, \Pi_M), \sigma)$, where $\mathcal{F}$ details the function that is applied to the message $M$ yielding $F$, and $\Pi_M$ is a proof of knowledge of a preimage of $F$ under $\mathcal{F}$.

  4. Slide 13/45: Signature: Example
       In a group $\mathbb{G}$ of order $p$, with a generator $g$, and a bilinear map $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$
       Waters Signature [Waters, 2005]
         For a message $M = (M_1, \ldots, M_k) \in \{0,1\}^k$, we define $F(M) = u_0 \prod_{i=1}^{k} u_i^{M_i}$, where $\vec{u} = (u_0, \ldots, u_k) \stackrel{\$}{\leftarrow} \mathbb{G}^{k+1}$.
         For an additional generator $h \stackrel{\$}{\leftarrow} \mathbb{G}$.
         - $\mathsf{SKeyGen}$: $vk = X = g^x$, $sk = Y = h^x$, for $x \stackrel{\$}{\leftarrow} \mathbb{Z}_p$;
         - $\mathsf{Sign}(sk = Y, M; s)$, for $M \in \{0,1\}^k$ and $s \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ → $\sigma = (\sigma_1 = Y \cdot F(M)^s, \ \sigma_2 = g^{-s})$;
         - $\mathsf{Verif}(vk = X, M, \sigma = (\sigma_1, \sigma_2))$ checks whether $e(g, \sigma_1) \cdot e(F(M), \sigma_2) = e(X, h)$.

     Slide 14/45: General Tools: Encryption
       Definition (Encryption Scheme)
         $\mathcal{E} = (\mathsf{Setup}, \mathsf{EKeyGen}, \mathsf{Encrypt}, \mathsf{Decrypt})$:
         - $\mathsf{Setup}(1^k)$ → global parameters $\mathsf{param}$;
         - $\mathsf{EKeyGen}(\mathsf{param})$ → pair of keys $(pk, dk)$;
         - $\mathsf{Encrypt}(pk, m; r)$ → ciphertext $c$, using the random coins $r$;
         - $\mathsf{Decrypt}(dk, c)$ → plaintext, or $\bot$ if the ciphertext is invalid.
       Homomorphic Encryption
         For some group laws: $\oplus$ on the plaintext, $\otimes$ on the ciphertext, and $\odot$ on the randomness
         $\mathsf{Encrypt}(pk, m_1; r_1) \otimes \mathsf{Encrypt}(pk, m_2; r_2) = \mathsf{Encrypt}(pk, m_1 \oplus m_2; r_1 \odot r_2)$
         $\mathsf{Decrypt}(sk, \mathsf{Encrypt}(pk, m_1; r_1) \otimes \mathsf{Encrypt}(pk, m_2; r_2)) = m_1 \oplus m_2$

     Slide 15/45: Encryption: Example
       In a group $\mathbb{G}$ of order $p$, with a generator $g$:
       Linear Encryption [Boneh, Boyen, Shacham, 2004]
         - $\mathsf{EKeyGen}$: $dk = (x_1, x_2) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^2$, $pk = (X_1 = g^{x_1}, X_2 = g^{x_2})$;
         - $\mathsf{Encrypt}(pk = (X_1, X_2), m; (r_1, r_2))$, for $m \in \mathbb{G}$ and $(r_1, r_2) \stackrel{\$}{\leftarrow} \mathbb{Z}_p^2$ → $c = (c_1 = X_1^{r_1}, \ c_2 = X_2^{r_2}, \ c_3 = g^{r_1 + r_2} \cdot m)$;
         - $\mathsf{Decrypt}(dk = (x_1, x_2), c = (c_1, c_2, c_3))$ → $m = c_3 / (c_1^{1/x_1} c_2^{1/x_2})$.
       Homomorphism
         $(\oplus_M = \times, \ \otimes_C = \times, \ \odot_R = +)$-homomorphism
         With $m = g^M$ → $(\oplus_M = +, \ \otimes_C = \times, \ \odot_R = +)$-homomorphism

     Slide 16/45: Security Notions: Signature
       Signature: EF-CMA
         Existential Unforgeability under Chosen-Message Attacks
         An adversary should not be able to generate a new valid message-signature pair even if it is allowed to ask signatures on any message of its choice.
       Impossibility to forge signatures
       Waters signature reaches EF-CMA under the CDH assumption
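Linear Encryption as defined above, with a check of both homomorphisms listed on the slide (multiplicative on group elements, additive once messages are encoded as m = g^M). This is an added example, not code from the slides: the toy group (the order-1019 subgroup of Z_2039^*), the function names and the sample plaintexts are constructed assumptions, and key scalars are drawn from Z_p^* so that 1/x_1 and 1/x_2 exist.

```python
import secrets

# Constructed toy group: subgroup of prime order p in Z_q^*, q = 2p + 1 (insecure size).
Q_MOD, P_ORD, G = 2039, 1019, 4       # 4 is a square mod q, so it generates the order-p subgroup

def rand_scalar() -> int:
    return secrets.randbelow(P_ORD - 1) + 1            # uniform in Z_p^*

def ekeygen():
    x1, x2 = rand_scalar(), rand_scalar()
    return (pow(G, x1, Q_MOD), pow(G, x2, Q_MOD)), (x1, x2)     # (pk, dk)

def encrypt(pk, m, r1, r2):
    X1, X2 = pk
    return (pow(X1, r1, Q_MOD), pow(X2, r2, Q_MOD), pow(G, r1 + r2, Q_MOD) * m % Q_MOD)

def decrypt(dk, c):
    x1, x2 = dk
    c1, c2, c3 = c
    # c1^(1/x1) * c2^(1/x2) = g^(r1 + r2); the exponents are inverted mod the group order p.
    mask = pow(c1, pow(x1, -1, P_ORD), Q_MOD) * pow(c2, pow(x2, -1, P_ORD), Q_MOD) % Q_MOD
    return c3 * pow(mask, -1, Q_MOD) % Q_MOD

def ct_mul(c, d):
    """The ciphertext law: component-wise product."""
    return tuple(a * b % Q_MOD for a, b in zip(c, d))

def demo():
    pk, dk = ekeygen()
    M1, M2 = 17, 25                                    # constructed plaintext exponents
    m1, m2 = pow(G, M1, Q_MOD), pow(G, M2, Q_MOD)      # messages encoded as m = g^M
    r = (rand_scalar(), rand_scalar())
    s = (rand_scalar(), rand_scalar())
    c, d = encrypt(pk, m1, *r), encrypt(pk, m2, *s)
    prod = ct_mul(c, d)
    return (
        decrypt(dk, c) == m1,                                               # correctness
        prod == encrypt(pk, m1 * m2 % Q_MOD, r[0] + s[0], r[1] + s[1]),     # randomness adds
        decrypt(dk, prod) == pow(G, M1 + M2, Q_MOD),                        # exponents add
    )

if __name__ == "__main__":
    print(demo())
```

The mask recovered in `decrypt` is exactly the value T of the DLin triple (U, V, T) = (c_1, c_2, g^{r_1+r_2}), so whoever holds dk can decide the linear relation that DLin assumes is hard without it.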
