Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions

G. Fuchsbauer ∗, C. Hanser †, C. Kamath ‡, and D. Slamanig †

∗ École Normale Supérieure, Paris
† IAIK, Graz University of Technology, Austria
‡ Institute of Science and Technology Austria

September 2, 2016

Blind Signatures
◮ Unforgeability!
◮ Blindness!
[Image: xkcd.com]

Overview
◮ Desiderata:
  1. Round-optimality (hence efficiency and composability)
  2. No heuristic assumptions
  3. No set-up assumptions
◮ Hard to construct: [FS10]
◮ Possibility: [GG14,GRS+11]
◮ First practical scheme: [FHS15] SPS-EQ + commitments
  ◮ CDH, EUF-CMA ⇒ Unforgeability
  ◮ Interactive variant of DDH ⇒ Blindness
◮ Our contribution: weaker assumptions!

Preliminaries
◮ Asymmetric pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
  ◮ Bilinearity: $e(aP, b\hat{P}) = e(P, \hat{P})^{ab}$
  ◮ Non-degeneracy: $e(P, \hat{P}) \neq 1_{\mathbb{G}_T}$
  ◮ Efficiency: $e(\cdot, \cdot)$ efficiently computable
◮ Structure-Preserving Signatures [AFG+10]
  ◮ Signing vector of group elements
  ◮ Signatures and PKs consist only of group elements
  ◮ Verification via
    1. pairing-product equations
    2. group membership tests

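SPS on Equivalence Classes
[Figure: $\mathrm{Sign}_R$ gives $\sigma_M$ on $M$; $\mathrm{ChgRep}_R$ gives $\sigma_N$ on $N$; class labels $[(1,1)]$ and $[(2,1)]$]
◮ Equivalence relation $\sim_R$ on $\mathbb{G}^\ell$: $M \sim_R N \Leftrightarrow \exists \mu \in \mathbb{Z}_p^* : N = \mu \cdot M$
◮ SPS-EQ := SPS + “change representative” functionality
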
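SPS-EQ: Security
[Figure: $\sigma_N$ on $N$ obtained via $\mathrm{Sign}_R$ and $\mathrm{ChgRep}_R$ ≈ $\sigma_M$ on $M$ obtained via $\mathrm{Sign}_R$; class label $[(1,1)]$]
◮ Class-hiding: $\mathrm{ChgRep}_R(M, \sigma, \mu, pk) \approx \mathrm{Sign}_R(\mu M, sk)$
◮ Malicious keys: $\mathrm{ChgRep}_R(M, \sigma, \mu, pk)$ uniform in space of signatures on $\mu M$
◮ Unforgeability: EUF-CMA w.r.t. $\sim_R$
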
SPS-EQ: Security
[Figure: equivalence classes $[(1,1)]$, $[(1,2)]$, $[(1,4)]$, $[(2,1)]$, $[(4,1)]$]
◮ Class-hiding: $\mathrm{ChgRep}_R(M, \sigma, \mu, pk) \approx \mathrm{Sign}_R(\mu M, sk)$
◮ Malicious keys: $\mathrm{ChgRep}_R(M, \sigma, \mu, pk)$ uniform in space of signatures on $\mu M$
◮ Unforgeability: EUF-CMA w.r.t. $\sim_R$

Blind Signatures from SPS-EQ

FHS Blind Signature
◮ Bob:
  1. Commits to $m$ using Pedersen commitment $C = mP + rQ$
  2. Obtains signature $\pi$ from Alice on random $M \sim [(C, P)]_R$
  3. Derives $\sigma$ on $(C, P)$ using $\mathrm{ChgRep}_R$
  4. Outputs $\tau = (\sigma, \text{opening of } C)$ to Charlie
[Figure: steps 1 to 4 drawn on the class $[(C, P)]$: $m \to (C, P)$, $M$ with $\pi$, $(C, P)$ with $\sigma$]

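Keys: $pk = (pk_R, (Q, \hat{Q}) = q \cdot (P, \hat{P}))$, $sk = (sk_R, q)$
Bob: $m \in \mathbb{Z}_p^*$; $r, s \in \mathbb{Z}_p^*$
Bob: $M = s \cdot (mP + rQ, P)$ (Pedersen commitment)
Alice: $\pi \leftarrow \mathrm{Sign}_R(M, sk)$
Bob: $\sigma \leftarrow \mathrm{ChgRep}_R(M, \pi, 1/s, pk_R)$
Bob: $\tau \leftarrow (\sigma, R = rP, T = rQ)$ (opening)
Verification of $(m, \tau)$:
  $\mathrm{Verify}_R((mP + T, P), \sigma, pk_R) \stackrel{?}{=} 1$
  $e(R, \hat{Q}) \stackrel{?}{=} e(T, \hat{P})$
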
Blindness: Honest-Key Model
[Game diagram, labels: $(pk, sk)$; $(m_0, m_1)$; $b \sim \{0, 1\}$; $\langle U(m_b, pk), \cdot \rangle$; $\langle U(m_{\bar{b}}, pk), \cdot \rangle$; $(\tau_0, \tau_1)$; $b^*$]

Blindness: Honest-Key Model...
Embed DDH instance $(P, rP, sP, tP)$
[Game diagram, labels:]
  $((pk_R, (Q, \hat{Q})), (sk_R, q))$
  $(m_0, m_1)$
  $b \sim \{0, 1\}$
  $r_b, s_b \sim \mathbb{Z}_p^*$: $\cdots (m_b(s_b P) + q(r_b s_b P), P) \cdots$
  $r_{\bar{b}}, s_{\bar{b}} \sim \mathbb{Z}_p^*$: $\cdots (m_{\bar{b}}(s_{\bar{b}} P) + q(r_{\bar{b}} s_{\bar{b}} P), P) \cdots$
  $(\tau_0, \tau_1)$
  $b^*$
$\tau = (\sigma, R, T)$: $\sigma = \mathrm{ChgRep}_R(\cdot, \cdot, 1/s, \cdot)$
$\mathrm{Sign}_R$ instead of $\mathrm{ChgRep}_R$

Blindness: Malicious-Key Model
[Game diagram, labels: $(pk, sk)$; $sk$; $pk$; $(m_0, m_1)$; $b \sim \{0, 1\}$; $\langle U(m_b, pk), \cdot \rangle$; $\langle U(m_{\bar{b}}, pk), \cdot \rangle$; $(\tau_0, \tau_1)$; $b^*$]

Blindness: Malicious-Key Model...
[Game diagram, labels:]
  $(pk_R, (Q, \hat{Q}))$
  Unknown to Bob: $(sk_R, q)$
  $(m_0, m_1)$
  $b \sim \{0, 1\}$
  $r_b, s_b \sim \mathbb{Z}_p^*$: $\cdots (m_b(s_b P) + q(r_b s_b P), P) \cdots$
  $r_{\bar{b}}, s_{\bar{b}} \sim \mathbb{Z}_p^*$: $\cdots (m_{\bar{b}}(s_{\bar{b}} P) + q(r_{\bar{b}} s_{\bar{b}} P), P) \cdots$
  $(\tau_0, \tau_1)$
  $b^*$
$\tau$ cannot be computed without $sk$
◮ Solution:
  1. Interactive variant of DDH needed
  2. Rewind Alice to generate signatures ($\mathrm{ChgRep}_R$ uniform)

Our construction
◮ Idea: Bob chooses parameters for commitment
  ◮ Must be perfectly binding
◮ Bob:
  1. Chooses “one-time” keys $(P, Q)$ for El-Gamal encryption
  2. Commits to $m$ using $C = mP + rQ$
  3. Obtains signature $\pi$ from Alice on $M \sim [(C, rP, Q, P)]_R$
  4. Derives $\sigma$ on $(C, rP, Q, P)$ using $\mathrm{ChgRep}_R$
  5. Outputs $\tau = (\sigma, \text{opening of } C)$ to Charlie

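Keys: $pk = pk_R$, $sk = sk_R$
Bob: $m \in \mathbb{Z}_p^*$; $r, s \in \mathbb{Z}_p^*$, $R = rP$; $q \in \mathbb{Z}_p^*$, $Q := qP$
Bob: $M = s \cdot (mP + rQ, R, Q, P)$
Alice: $\pi \leftarrow \mathrm{Sign}_R(M, sk)$
Bob: $\sigma \leftarrow \mathrm{ChgRep}_R(M, \pi, 1/s, pk_R)$
Bob: $\tau \leftarrow (\sigma, R, Q, Z = rQ, \hat{Q} = q\hat{P})$
Verification of $(m, \tau)$:
  $\mathrm{Verify}_R((mP + Z, R, Q, P), \sigma, pk_R) \stackrel{?}{=} 1$
  $e(Q, \hat{P}) \stackrel{?}{=} e(P, \hat{Q})$, $e(Z, \hat{P}) \stackrel{?}{=} e(R, \hat{Q})$
$sR$ allows verification! $e(M_1 - mM_4, \hat{P}) \stackrel{?}{=} e(M_2, \hat{Q})$
Solution: split $q$
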
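Keys: $pk = pk_R$, $sk = sk_R$
Bob: $m \in \mathbb{Z}_p^*$; $r, s \in \mathbb{Z}_p^*$, $R = rP$; $u, v \in \mathbb{Z}_p^*$, $Q := uvP$
Bob: $M = s \cdot (mP + rQ, R, Q, P)$
Alice: $\pi \leftarrow \mathrm{Sign}_R(M, sk)$
Bob: $\sigma \leftarrow \mathrm{ChgRep}_R(M, \pi, 1/s, pk_R)$
Bob: $\tau \leftarrow (\sigma, R, Q, Y = rQ, U = uP, X = ruP, \hat{U} = u\hat{P}, \hat{V} = v\hat{P})$
Verification of $(m, \tau)$:
  $\mathrm{Verify}_R((mP + Y, R, Q, P), \sigma, pk_R) \stackrel{?}{=} 1$
  $e(Q, \hat{P}) \stackrel{?}{=} e(U, \hat{V})$, $e(U, \hat{P}) \stackrel{?}{=} e(P, \hat{U})$
  $e(X, \hat{P}) \stackrel{?}{=} e(R, \hat{U})$, $e(Y, \hat{P}) \stackrel{?}{=} e(X, \hat{V})$
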
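The following is an added example, not code from the slides or the authors: it checks the algebra of the "sR allows verification!" test against the single-$q$ variant and of the four opening equations of the final scheme. It assumes a toy model in which each group element is stored as its exponent and the pairing multiplies exponents; SPS-EQ signing and $\mathrm{Verify}_R$ are left out, and all function names are hypothetical.

```python
import secrets

# Toy algebraic model (assumption, not a real pairing group): the element aP or
# a·P̂ is stored as its exponent a mod p, and e(aP, b·P̂) is stored as a*b mod p.
# Exponents are in the clear, so this checks equations only and hides nothing.
p = 2**127 - 1          # a prime, standing in for the group order
P = PHAT = 1            # generators P and P̂

def e(a, b):
    return a * b % p

def rand_scalar():
    return secrets.randbelow(p - 1) + 1   # uniform in Z_p^*

def blind(m, r, s, Q):
    """Bob's message to Alice: M = s·(mP + rQ, R, Q, P) with R = rP."""
    return tuple(s * x % p for x in (m + r * Q, r, Q, P))

def strawman_link(M, m, Qhat):
    """Test enabled by publishing Q̂ = q·P̂: e(M1 - m·M4, P̂) == e(M2, Q̂)."""
    return e((M[0] - m * M[3]) % p, PHAT) == e(M[1], Qhat)

def opening(r, u, v):
    """Opening part of τ in the final scheme, where Q := uvP."""
    Q = u * v % p
    return {"R": r, "Q": Q, "Y": r * Q % p, "U": u,
            "X": r * u % p, "Uhat": u, "Vhat": v}

def check_opening(t):
    """The four pairing checks the verifier runs besides Verify_R."""
    return (e(t["Q"], PHAT) == e(t["U"], t["Vhat"])
            and e(t["U"], PHAT) == e(P, t["Uhat"])
            and e(t["X"], PHAT) == e(t["R"], t["Uhat"])
            and e(t["Y"], PHAT) == e(t["X"], t["Vhat"]))

def demo():
    m0, m1 = 5, 7                          # constructed sample messages
    r, s, u, v = (rand_scalar() for _ in range(4))
    q = u * v % p                          # strawman publishes Q̂ = q·P̂
    M = blind(m0, r, s, q)
    t = opening(r, u, v)
    forged = dict(t, Y=(r + 1) * t["Q"] % p)   # Y that is not rQ
    return (strawman_link(M, m0, q), strawman_link(M, m1, q),
            check_opening(t), check_opening(forged))

if __name__ == "__main__":
    print(demo())
```

The first two results show why $\hat{Q}$ cannot be published: the signer can match a stored $M$ to the message it hides. The last two show that the opening equations accept $Y = rQ$ and reject any other $Y$.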
Blindness: Malicious-Key Model
Embed ABDDH+ instance
[Game diagram, labels:]
  $pk_R$; $sk_R$
  $(m_0, m_1)$
  $b \sim \{0, 1\}$
  $r, s \sim \mathbb{Z}_p^*$; $u, v \sim \mathbb{Z}_p^*$
  $(m_b(sP) + rsuvP, rsP, suvP, sP)$
  $\langle U(m_{\bar{b}}, pk), \cdot \rangle$
  $(\tau_0, \tau_1)$
  $b^*$
Compute $\tau$ by rewinding
◮ ABDDH+ assumption: hard to distinguish $ruvP$ from random given: $rP, uP, uvP, u\hat{P}, v\hat{P}$
◮ ABDDH+ ⇒ DDH
◮ Hard in generic group model

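Blindness: Malicious-Key Model...
[Game diagram, first run, labelled "No embedding": $pk$; $(m_0, m_1)$; $c \sim \{0, 1\}$; $\langle U(m_c, pk), \cdot \rangle$; $\langle U(m_{\bar{c}}, pk), \cdot \rangle$; $(\sigma_0, \sigma_1)$, marked $(*)$]
[Game diagram, second run, labelled "Embed $\mathrm{ChgRep}_R(*)$": $pk$; $(m_0, m_1)$; $b \sim \{0, 1\}$; $\langle U(m_b, pk), \cdot \rangle$; $\langle U(m_{\bar{b}}, pk), \cdot \rangle$; $(\tau_0, \tau_1)$; $b^*$]
◮ Multiple rewinds required: fails for single rewind!
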
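Comparison

|               | [GG14]            | [FHS15]                             | This work                           |
|---------------|-------------------|-------------------------------------|-------------------------------------|
| Assumption    | DLIN              | Interactive DDH                     | ABDDH+                              |
| Public-key    | 43 $\mathbb{G}$   | 1 $\mathbb{G}_1$ + 3 $\mathbb{G}_2$ | 4 $\mathbb{G}_2$                    |
| Communication | > 41 $\mathbb{G}$ | 4 $\mathbb{G}_1$ + 1 $\mathbb{G}_2$ | 6 $\mathbb{G}_1$ + 1 $\mathbb{G}_2$ |
| Signatures    | 183 $\mathbb{G}$  | 4 $\mathbb{G}_1$ + 1 $\mathbb{G}_2$ | 7 $\mathbb{G}_1$ + 3 $\mathbb{G}_2$ |
| Computation   | 9 $e$             | 7 $e$                               | 14 $e$                              |
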
References
[AFG+10] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements.
[FHS15] G. Fuchsbauer, C. Hanser and D. Slamanig. Practical Round-Optimal Blind Signatures in the Standard Model. CRYPTO 2015
[FS10] M. Fischlin and D. Schröder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010
[GG14] S. Garg and D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014
[GRS+11] S. Garg, V. Rao, A. Sahai, D. Schröder and D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011