Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys Michael Backes, Lucjan Hanzlik, Kamil Kluzcniak, Jonas Schneider
This Talk ▪ New primitive! Signatures with Flexible Public Key ▪ Applications to • sub-linear size Ring Signatures from falsifiable assumptions without trusted setup • efficient standard model Group Signatures in combination with SPS-EQ
Ring Signatures [Rivest-Shamir-Tauman, 2001]
Ring Signatures [Rivest-Shamir-Tauman, 2001] ℛ Ring vk 1 vk 2 vk i sk i … vk n
Ring Signatures [Rivest-Shamir-Tauman, 2001] ℛ Ring vk 1 vk 2 vk i sk i … vk n σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ )
Ring Signatures [Rivest-Shamir-Tauman, 2001] ℛ Ring vk 1 vk 2 vk i sk i … vk n σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) 𝚋𝚍𝚍𝚏𝚚𝚞 / 𝚜𝚏𝚔𝚏𝚍𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( σ , m , ℛ )
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006]
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Corruption Oracle
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Corruption Oracle i , m , ℛ σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) σ
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Corruption Oracle i i , m , ℛ σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) sk i σ
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Corruption Oracle i i , m , ℛ σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) sk i σ m *, σ *, ℛ *
Ring Signatures: Unforgeability [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Corruption Oracle i i , m , ℛ σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) sk i σ wins if m *, σ *, ℛ * 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( σ *, m *, ℛ *) only honest keys in ℛ * ( m *, ℛ *) never queried
Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l
Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle i , m , ℛ σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) σ
Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Challenge Oracle i , m , ℛ i 0 , i 1 , m , ℛ b ← {0,1} σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) σ σ * ← 𝖳𝗃𝗁𝗈 ( sk i b , m , ℛ ) σ *, ω 1 , …, ω l
̂ Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Challenge Oracle i , m , ℛ i 0 , i 1 , m , ℛ b ← {0,1} σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) σ σ * ← 𝖳𝗃𝗁𝗈 ( sk i b , m , ℛ ) σ *, ω 1 , …, ω l b
̂ Ring Signatures: Anonymity [Bender-Katz-Morselli, 2006] vk 2 vk 1 … vk l Signing Oracle Challenge Oracle i , m , ℛ i 0 , i 1 , m , ℛ b ← {0,1} σ ← 𝖳𝗃𝗁𝗈 ( sk i , m , ℛ ) σ σ * ← 𝖳𝗃𝗁𝗈 ( sk i b , m , ℛ ) σ *, ω 1 , …, ω l b wins if b = ̂ b
Ring Signatures: Desiderata ▪ Standard Model security, falsifiable assumptions, no ROM ▪ Small signatures for efficiency ▪ No form of trusted setup!
Ring Signatures: Generic Approach Prove Ring Sign the Message Membership
Ring Signatures: Generic Approach Prove Ring Sign the Message Membership
Ring Signatures: [Malavolta-Schröder, 2017]
Ring Signatures: [Malavolta-Schröder, 2017] sk ′ � ← Σ . 𝖲𝖿𝗌𝖻𝗈𝖾𝖳𝖫 ( sk , r ) σ m ← Σ . 𝖳𝗃𝗁𝗈 ( sk ′ � , m || ℛ ) Σ : Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016]
Ring Signatures: [Malavolta-Schröder, 2017] sk ′ � ← Σ . 𝖲𝖿𝗌𝖻𝗈𝖾𝖳𝖫 ( sk , r ) ( ) vk ′ � = Σ . 𝖲𝖿𝗌𝖻𝗈𝖾𝖶𝖫 ( vk , r ) π ← Π . 𝖰𝗌𝗉𝗐𝖿 σ m ← Σ . 𝖳𝗃𝗁𝗈 ( sk ′ � , m || ℛ ) vk in ℛ σ = ( vk ′ � , σ m , π ) Σ : Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016] Π : tailored NIZK-PoK with shared setup
Ring Signatures: [Malavolta-Schröder, 2017] sk ′ � ← Σ . 𝖲𝖿𝗌𝖻𝗈𝖾𝖳𝖫 ( sk , r ) ( ) vk ′ � = Σ . 𝖲𝖿𝗌𝖻𝗈𝖾𝖶𝖫 ( vk , r ) π ← Π . 𝖰𝗌𝗉𝗐𝖿 σ m ← Σ . 𝖳𝗃𝗁𝗈 ( sk ′ � , m || ℛ ) vk in ℛ σ = ( vk ′ � , σ m , π ) Σ : Signature Scheme with Rerandomizable Keys [Fleischhacker-Krupp-Malavolta-Simkin-S-Schröder, 2016] Π : tailored NIZK-PoK with shared setup •No Setup •Security under q-Strong DH assumption + Linear-KEA (GGM) •O(n) signature size
Signatures with Flexible Public Key (SFPK)
Signatures with Flexible Public Key (SFPK) ( sk , vk ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) σ ← 𝖳𝗃𝗁𝗈 ( sk , m ) 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( vk , σ , m ) 𝚜𝚏𝚔𝚏𝚍𝚞
Signatures with Flexible Public Key (SFPK) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖶𝖫 ( vk , r ) ( sk , vk ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ ← 𝖳𝗃𝗁𝗈 ( sk , m ) vk ′ � ∼ vk 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( vk , σ , m ) 𝚜𝚏𝚔𝚏𝚍𝚞
Signatures with Flexible Public Key (SFPK) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖶𝖫 ( vk , r ) ( sk , vk ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ ← 𝖳𝗃𝗁𝗈 ( sk , m ) vk ′ � ∼ vk 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( vk , σ , m ) 𝚜𝚏𝚔𝚏𝚍𝚞 ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) 𝚣𝚏𝚝 ← 𝖣𝗂𝖿𝖽𝗅𝖲𝖿𝗊 ( τ , vk , vk ′ � ) 𝚘𝚙
Signatures with Flexible Public Key (SFPK) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖶𝖫 ( vk , r ) ( sk , vk ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ ← 𝖳𝗃𝗁𝗈 ( sk , m ) vk ′ � ∼ vk 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( vk , σ , m ) 𝚜𝚏𝚔𝚏𝚍𝚞 Example vk , vk ′ � ∈ ℓ ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) vk ∼ vk ′ � if there is r ∈ ℤ * p 𝚣𝚏𝚝 ← 𝖣𝗂𝖿𝖽𝗅𝖲𝖿𝗊 ( τ , vk , vk ′ � ) ( vk r 1 , … vk r ℓ ) = ( vk ′ � 1 , … vk ′ � ℓ ) 𝚘𝚙
SFPK: Unforgeability
SFPK: Unforgeability ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) ( τ , vk )
SFPK: Unforgeability ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) ( τ , vk ) m , r sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ σ ← 𝖳𝗃𝗁𝗈 ( sk ′ � , m )
SFPK: Unforgeability ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) ( τ , vk ) m , r sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ σ ← 𝖳𝗃𝗁𝗈 ( sk ′ � , m ) ( vk *, m *, σ *)
SFPK: Unforgeability ( τ , sk , vk ) ← 𝖴𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ) ( τ , vk ) m , r sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk , r ) σ σ ← 𝖳𝗃𝗁𝗈 ( sk ′ � , m ) wins if 𝚋𝚍𝚍𝚏𝚚𝚞 ← 𝖶𝖿𝗌𝗃𝗀𝗓 ( vk *, σ *, m *) ( vk *, m *, σ *) m * never queried 𝚣𝚏𝚝 ← 𝖣𝗂𝖿𝖽𝗅𝖲𝖿𝗊 ( τ , 𝗐𝗅 , 𝗐𝗅 *)
SFPK: Class-Hiding
SFPK: Class-Hiding ( sk 0 , vk 0 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 0 ) ( sk 1 , vk 1 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 1 )
SFPK: Class-Hiding ( sk 0 , vk 0 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 0 ) b ← {0,1} ( sk 1 , vk 1 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 1 )
SFPK: Class-Hiding ( sk 0 , vk 0 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 0 ) b ← {0,1} ( sk 1 , vk 1 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 1 ) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖰𝖫 ( vk b , r ) r ← R sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk b , r )
SFPK: Class-Hiding ( sk 0 , vk 0 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 0 ) b ← {0,1} ( sk 1 , vk 1 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 1 ) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖰𝖫 ( vk b , r ) r ← R sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk b , r ) ( vk ′ � , ω 0 , ω 1 )
SFPK: Class-Hiding ( sk 0 , vk 0 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 0 ) b ← {0,1} ( sk 1 , vk 1 ) ← 𝖫𝖿𝗓𝖧𝖿𝗈 (1 λ ; ω 1 ) vk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖰𝖫 ( vk b , r ) r ← R sk ′ � ← 𝖣𝗂𝖻𝗈𝗁𝖿𝖲𝖿𝗊𝖳𝖫 ( sk b , r ) ( vk ′ � , ω 0 , ω 1 ) m σ ← 𝖳𝗃𝗁𝗈 ( sk ′ � , m ) σ
Recommend
More recommend
