Efficient Signatures of Knowledge and DAA in the Standard Model
David Bernhard, Georg Fuchsbauer, Essam Ghadafi
ghadafi@cs.bris.ac.uk
Department of Computer Science, University of Bristol
ACNS 2013
Outline
1. Background
2. Security Model of DAA
3. A Blueprint for DAA
4. Building Blocks
5. Our Constructions
6. Efficiency Comparison
7. Summary & Open Problems
What is DAA?
A protocol standardized by the TCG (Trusted Computing Group) that allows a user possessing a TPM (Trusted Platform Module) to attest to this fact to a verifier, i.e. the TPM anonymously authenticates itself to the verifier.
◮ Direct: without a third party.
◮ Anonymous: the identity of the user is not revealed.
◮ Attestation: a proof, i.e. it convinces the verifier.
The TPM delegates the non-critical operations to its more powerful host.
[Figure: DAA overview. Users 1 to 4 and User x join the group via the Group Manager; a user then produces a DAA signature for the Verifier.]
Features of DAA
◮ The user remains anonymous, i.e. verifiers do not know which TPM produced the signature.
◮ Rogue (i.e. compromised) TPMs can be traced.
◮ The user can opt to have some of his transactions (targeted at the same verifier) be linkable. Anonymity is still preserved.
A Bit of History
The first DAA protocol (RSA-based) was proposed by Brickell, Camenisch and Chen [BCC04] in 2004 and was standardized by the TCG as part of TPM 1.2. Other (pairing-based) constructions followed:
◮ Brickell, Chen and Li [BCL08], 2008.
◮ Chen [C09], 2009.
◮ Chen, Morrissey and Smart [CMS09], 2009.
◮ Chen, Page and Smart [CPS10], 2010.
◮ Bernhard, Fuchsbauer, Ghadafi, Smart and Warinschi [BFG11], 2011.
Pre-DAA
To simplify the security model and constructions, [BFG11] proceed in two steps:
1. Consider a pre-DAA scheme: a fully functional DAA, but the user is regarded as one entity (i.e. not split into a powerful untrusted Host and a computationally constrained trusted TPM).
2. Convert the pre-DAA into a DAA by delegating the non-critical operations to the Host without compromising security.
Syntax of a pre-DAA Scheme
A pre-DAA scheme:
Setup(1^λ): Creates common public parameters param.
GKg(param): Creates a key pair (gmpk, gmsk) for the Issuer.
UKg(param): Creates a secret key sk for a user.
⟨Join(gmpk, sk), Issue(gmsk)⟩: If completed successfully, the user obtains a group signing key gsk.
GSig(sk, gsk, bsn, m): Creates a signature σ on message m and basename bsn. bsn may be empty, i.e. bsn = ⊥.
Verify(gmpk, σ, m, bsn): Verifies a signature.
Link(gmpk, m_0, σ_0, m_1, σ_1, bsn): Checks whether σ_0 on (m_0, bsn) and σ_1 on (m_1, bsn), where bsn ≠ ⊥, were produced by the same user.
Syntax of a pre-DAA Scheme (continued)
* Identify_T(gmpk, T, sk): Checks whether the join transcript T matches the secret key sk.
* Identify_S(gmpk, σ, m, bsn, sk): Checks whether σ was produced by the owner of sk.
Security of pre-DAA
We use the model of [BFG11]:
Correctness: If all parties are honest, then:
1. Signatures are accepted by the Verify algorithm.
2. Signatures can be traced.
3. Signatures that are linkable link.
Anonymity: Signatures do not reveal who signed them, and unlinkable signatures do not link, even if the Issuer is corrupt.
Security of pre-DAA (continued)
Traceability:
1. The adversary cannot output an untraceable signature.
2. The adversary cannot output two signatures which should link but do not.
Non-Frameability:
1. The adversary cannot output a signature that traces to an honest user who did not produce it.
2. The adversary cannot output signatures that link but should not.
Generic Construction of pre-DAA
[BFG11] noted that all previous DAA constructions require the following tools:
◮ Randomizable Weakly Blind Signatures (RwBS): used by the Issuer to issue certificates as credentials when users join the group.
◮ Linkable Indistinguishable Tags (LIT): needed to provide the linkability of signatures when the same basename is signed by the same user.
◮ Signatures of Knowledge (SoK): used by users to prove that they have a credential and that the tag on the basename verifies w.r.t. their certified secret key.
Blind Signatures
[Figure: the User holds pk, the Signer holds sk; after an interactive protocol the User obtains a signature Sig.]
Security requirements [JLO97, PS00]:
◮ Blindness: An adversary (i.e. a signer) who chooses the messages does not learn which message is being signed and cannot link a signature to its signing session.
◮ Unforgeability: An adversary (i.e. a user) cannot forge new signatures.
Randomizable Weakly Blind Signatures (RwBS)
Similar to blind signatures, but:
◮ Randomizability: Given a signature σ, anyone can produce a new signature σ′ on the same message.
◮ Weak Blindness: Same as blindness, but the adversary never sees the messages ⇒ the adversary cannot tell whether he was given a signature on a different message or a re-randomization of a signature on the same message.
Linkable Indistinguishable Tags (LIT)
[Figure: Alice and Bob both hold sk. Alice computes τ ← LITTag(sk, m) and sends (m, τ); Bob accepts if LITTag(sk, m) = τ.]
Security requirements [BFG11]:
◮ Indistinguishability: An adversary cannot distinguish between a tag on a message of his choice and a tag produced under a random key.
◮ Linkability: Two tags are identical iff both were produced using the same key and on the same message.
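A concrete LIT, written as an added example for this page (not the paper's construction or code): the tag is H(m)^sk in a prime-order group, which is how pairing-based DAA schemes derive the basename pseudonym; here the group is a toy subgroup modulo a freshly generated 64-bit safe prime, so P, Q, hash_to_group, lit_tag, link and identify_s are all assumed names. It exercises the Link and Identify_S checks from the pre-DAA syntax: tags under the same key and basename are equal, tags under a different key or a different basename are not, and a known rogue key can be matched to its tags by recomputation.

```python
import hashlib
import secrets
# Toy parameters constructed for this example: a fresh 64-bit safe prime p = 2q + 1.
# Tags live in the order-q subgroup of quadratic residues mod p; a deployed DAA
# scheme would use a pairing-friendly group of ~256-bit prime order instead.

def _is_probable_prime(n, rounds=24):
    """Miller-Rabin test, sufficient for throwaway demo parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = _safe_prime(64)

def hash_to_group(bsn):
    """Map a basename into the order-q subgroup by squaring a hash output mod p."""
    h = int.from_bytes(hashlib.sha256(bsn.encode()).digest(), "big") % P
    return h * h % P

def lit_tag(sk, bsn):
    """LITTag(sk, m) = H(m)^sk: deterministic in (sk, m); hides sk under DDH."""
    return pow(hash_to_group(bsn), sk, P)

def link(tag0, tag1):
    """Link: two tags link iff they are equal, i.e. same key and same basename."""
    return tag0 == tag1

def identify_s(tag, bsn, sk):
    """Identify_S with a candidate (e.g. rogue) key sk: recompute the tag and compare."""
    return lit_tag(sk, bsn) == tag
```

With bsn = ⊥ a scheme instead uses a fresh random basename per signature, so such tags never repeat and cannot be linked; indistinguishability of the tags above rests on DDH in the group, which the toy 64-bit parameters do not provide.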