Structure-Preserving Signatures and Commitments to Group Elements
Masayuki Abe (1), Georg Fuchsbauer (2), Jens Groth (3), Kristiyan Haralambiev (4), Miyako Ohkubo (5)
CRYPTO, 16.08.2010
(1) Information Sharing Platform Laboratories, NTT Corporation, Japan
(2) École Normale Supérieure, CNRS - INRIA, France
(3) University College London, UK
(4) Computer Science Department, New York University, USA
(5) National Institute of Information and Communications Technology, Japan
Abe, Fuchsbauer, Groth, Haralambiev, Ohkubo: Sign () and Commit to Group Elements, CRYPTO'10

Our Contributions
New commitment and signature schemes in bilinear groups
• Homomorphic trapdoor commitments to group elements
• Signatures on group elements, consisting of group elements (structure-preserving)
• Structure-preserving signatures signing their own public keys (automorphic)
• Simulatable signatures
Applications
• Constant-size trapdoor commitments with sublinear keys
• First efficient round-optimal blind signatures (UC secure)
• First efficient group signatures with concurrent join w/o ROM
• First efficient anonymous proxy signatures

Outline of the talk
1. Commitments
2. Automorphic Signatures
3. Signatures on Vectors of Group Elements
4. Applications of Our Signatures

1. Commitments

Commitments
A commitment scheme consists of setup and algorithm Com.
Com takes a message and randomness and outputs a commitment.
Message and randomness are called opening.
Our scheme is
• hiding: a commitment reveals nothing about the message
• binding: hard to find a commitment and two openings with different messages
• trapdoor: given a trapdoor, a commitment can be opened to any message
• homomorphic: the product of two commitments is a commitment to the product of the messages
• length-reducing: a commitment is shorter than the message
The messages are elements of a bilinear group.

Bilinear Groups and the DP Assumption
Bilinear group: $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$ with
• $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ cyclic groups of prime order $p$
• $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ bilinear, i.e. $\forall X \in \mathbb{G}_1, \forall Y \in \mathbb{G}_2, \forall a, b \in \mathbb{Z}$: $e(X^a, Y^b) = e(X, Y)^{ab}$
• $\mathbb{G}_1 = \langle G \rangle$, $\mathbb{G}_2 = \langle H \rangle$, $\mathbb{G}_T = \langle e(G, H) \rangle$
Double Pairing Assumption: Given random $G_R, G_T \in \mathbb{G}_1$ it is hard to find non-trivial $R, T \in \mathbb{G}_2$ satisfying
$e(G_R, R)\, e(G_T, T) = 1$
Lemma: DDH in $\mathbb{G}_1$ implies the double pairing assumption.

Commitment Scheme for $n$ Messages
Setup: Generate $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$.
Key generation: Pick $G_R \leftarrow \mathbb{G}_1^*$ and $x_1, \dots, x_n \leftarrow \mathbb{Z}_p$. Return $ck = (G_R, G_1 = G_R^{x_1}, \dots, G_n = G_R^{x_n})$ and $tk = (x_1, \dots, x_n)$.
Commitment: On input $ck$, $(M_1, \dots, M_n) \in \mathbb{G}_2^n$, $R \in \mathbb{G}_2$, return
$c = e(G_R, R) \prod_{i=1}^{n} e(G_i, M_i)$
Trapdoor opening: Given $c$ for $(M_1, \dots, M_n)$ and $R$. Open $c$ to $(M_1', \dots, M_n')$ as $R' = R \prod_{i=1}^{n} (M_i / M_i')^{x_i}$:
$e\big(G_R, R \prod (M_i / M_i')^{x_i}\big) \prod e(G_i, M_i') = e(G_R, R) \prod e(G_i, M_i) = c$
Theorem: The scheme above is a homomorphic, perfectly hiding, trapdoor commitment scheme; under the double pairing assumption it is computationally binding.
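
The commitment, trapdoor-opening and homomorphic equations of the scheme above can be checked mechanically. The following is an added example, not code from the talk or its authors. It assumes a toy model of the bilinear group in which every element is stored as its exponent, so it has no security at all and only exercises the algebra; the function names are hypothetical.

```python
import secrets

# Toy bilinear group, constructed for this example and NOT secure: an element
# G^a, H^b or e(G,H)^c is stored as its exponent mod P. Multiplying two group
# elements adds exponents, exponentiation multiplies them, and e(a, b) = a*b.
P = 2**61 - 1  # prime group order p


def pair(a, b):
    return a * b % P


def keygen(n):
    """ck = (G_R, [G_1..G_n]) with G_i = G_R^{x_i}; tk = [x_1..x_n]."""
    g_r = secrets.randbelow(P - 1) + 1            # G_R is not the identity
    tk = [secrets.randbelow(P) for _ in range(n)]
    return (g_r, [g_r * x % P for x in tk]), tk


def commit(ck, msgs, r):
    """c = e(G_R, R) * prod_i e(G_i, M_i), a single element of G_T."""
    g_r, gs = ck
    if len(msgs) != len(gs):
        raise ValueError("message vector must have n entries")
    return (pair(g_r, r) + sum(pair(g, m) for g, m in zip(gs, msgs))) % P


def trapdoor_open(tk, msgs, r, new_msgs):
    """R' = R * prod_i (M_i / M_i')^{x_i}: opens the same c to new_msgs."""
    return (r + sum(x * (m - m2) for x, m, m2 in zip(tk, msgs, new_msgs))) % P


def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]


def demo(n=4):
    ck, tk = keygen(n)
    g_r, gs = ck
    m1, r1 = rand_vec(n), secrets.randbelow(P)
    c1 = commit(ck, m1, r1)

    # Trapdoor: the holder of tk opens c1 to an unrelated message vector.
    m_other = rand_vec(n)
    r_other = trapdoor_open(tk, m1, r1, m_other)
    equivocated = commit(ck, m_other, r_other) == c1

    # Two openings of one commitment give a solution of
    # e(G_R, R/R') * prod_i e(G_i, M_i/M_i') = 1, the kind of relation the
    # double pairing assumption says is hard to find without tk.
    relation = (pair(g_r, r1 - r_other)
                + sum(pair(g, a - b) for g, a, b in zip(gs, m1, m_other))) % P
    pairing_relation = relation == 0

    # Homomorphic: c1 * c2 commits to the component-wise product of the
    # messages under randomness R1 * R2.
    m2, r2 = rand_vec(n), secrets.randbelow(P)
    c2 = commit(ck, m2, r2)
    product = [(a + b) % P for a, b in zip(m1, m2)]
    homomorphic = (c1 + c2) % P == commit(ck, product, (r1 + r2) % P)
    return equivocated, pairing_relation, homomorphic


if __name__ == "__main__":
    print(demo())
```
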

Application
Commitments to Pedersen commitments
• Pedersen commitment $C = H^r \prod H_i^{m_i}$ to $(m_1, \dots, m_k) \in \mathbb{Z}_p^k$
• $c$ commitment to $(C_1, \dots, C_n)$ where $C_i$ commitment to $(m_{i,1}, \dots, m_{i,k})$
  ⇒ can commit to $m \in \mathbb{Z}_p^{n \cdot k}$; key: $n + k + 2$ group elements, $c \in \mathbb{G}_T$
• Resulting scheme still homomorphic and trapdoor
Variant: We give another scheme based on an assumption implied by DLIN ⇒ instantiable in symmetric bilinear groups

2. Automorphic Signatures

Groth-Sahai Proofs
Pairing-product equation over variables $X_1, \dots, X_m \in \mathbb{G}_1$, $Y_1, \dots, Y_n \in \mathbb{G}_2$:
$\prod_{i=1}^{n} e(A_i, Y_i) \prod_{i=1}^{m} e(X_i, B_i) \prod_{i=1}^{m} \prod_{j=1}^{n} e(X_i, Y_j)^{\gamma_{i,j}} = t$  (E)
determined by $A_i \in \mathbb{G}_1$, $B_i \in \mathbb{G}_2$, $\gamma_{i,j} \in \mathbb{Z}_p$ and $t \in \mathbb{G}_T$
Groth, Sahai [GS08]: Non-interactive witness-indistinguishable (and NIZK) proof of knowledge of $X_1, \dots, X_m, Y_1, \dots, Y_n$ satisfying E
(Given a trapdoor for CRS, one can extract the witness)

Motivation
Structure-preserving signatures
• Messages, signatures and verification keys are in $\mathbb{G}_1$ and $\mathbb{G}_2$
• Verification: evaluate PPEs on message, signature and key
• Unforgeable (under chosen-message attack)
Combined with Groth-Sahai proofs: Prove knowledge of a valid signature (and message)
Automorphic signatures
• Structure-preserving
• Verification keys lie in the message space
Prove knowledge of chain of keys and certificates

A Variant of SDH and a Variant of CDH
The strong Diffie-Hellman (SDH) assumption [BB04] implies hardness of
• Given $G, G^x$ and $q - 1$ pairs $(G^{\frac{1}{x + c_i}}, c_i)$, output a new pair $(G^{\frac{1}{x + c}}, c)$
• Given $G, K, G^x, \big((K \cdot G^{v_i})^{\frac{1}{x + c_i}}, c_i, v_i\big)_{i=1}^{q-1}$, output a new $\big((K \cdot G^{v})^{\frac{1}{x + c}}, c, v\big)$
Analogously to [BW07] we define a hidden variant
$q$-Asymm. Double Hidden SDH: Given $G, F, K, X = G^x \in \mathbb{G}_1$, $H, Y = H^x \in \mathbb{G}_2$ and $q - 1$ tuples
$\big((K \cdot G^{v_i})^{\frac{1}{x + c_i}}, F^{c_i}, H^{c_i}, G^{v_i}, H^{v_i}\big)$
it is hard to output $\big((K \cdot G^{v})^{\frac{1}{x + c}}, F^{c}, H^{c}, G^{v}, H^{v}\big)$ with $(c, v) \neq (c_i, v_i)$
Asymm. Weak Flexible CDH: Given $G, G^a$ and $H$ it is hard to output $(G^r, G^{ar}, H^r, H^{ar})$ with $r \neq 0$

Automorphic Signatures: Instantiation
Setup: Choose $G, K, F, T \leftarrow \mathbb{G}_1$, $H \leftarrow \mathbb{G}_2$
Message space: $\mathcal{DH} := \{(G^m, H^m) \mid m \in \mathbb{Z}_p\}$
KeyGen: Secret key $x \leftarrow \mathbb{Z}_p$, public key $(X := G^x, Y := H^x)$
Sign$(x, (M, N))$: Choose $c, r \leftarrow \mathbb{Z}_p$, return
$\big((K \cdot T^r \cdot M)^{\frac{1}{x + c}}, F^c, H^c, G^r, H^r\big)$
Ver$((X, Y), (M, N), (A, C, D, R, S))$: Return 1 if
$e(A, Y \cdot D) = e(K \cdot M, H)\, e(T, S)$
$e(C, H) = e(F, D)$
$e(R, H) = e(G, S)$
Theorem: The scheme is strongly unforgeable under ADH-SDH and AWF-CDH.
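
Because a verification key $(X, Y) = (G^x, H^x)$ is itself an element of the message space, keys can certify other keys. The following is an added example, not code from the talk or its authors, that builds and checks such a chain of keys and certificates with the Sign and Ver equations above. It assumes a toy exponent model of the bilinear group with no security, hypothetical function names, and an explicit membership check $e(M, H) = e(G, N)$ for the message space that the slide does not spell out.

```python
import secrets

# Toy bilinear group (constructed, NOT secure): elements are stored as their
# exponents mod P, products add exponents, powers multiply, e(a, b) = a*b.
P = 2**61 - 1
G, H = 1, 1                       # generators G of G_1 and H of G_2


def pair(a, b):
    return a * b % P


def rand():
    return secrets.randbelow(P - 1) + 1


def setup():
    """Public parameters K, F, T in G_1 (G and H are the fixed generators)."""
    return {"K": rand(), "F": rand(), "T": rand()}


def keygen():
    x = rand()
    return x, (G * x % P, H * x % P)          # sk = x, vk = (G^x, H^x)


def sign(pp, x, msg):
    m, _n = msg
    while True:
        c, r = rand(), rand()
        if (x + c) % P:                        # 1/(x+c) must exist
            break
    a = (pp["K"] + pp["T"] * r + m) * pow(x + c, -1, P) % P
    return (a, pp["F"] * c % P, H * c % P, G * r % P, H * r % P)


def verify(pp, vk, msg, sig):
    (_x_pub, y_pub), (m, n), (a, c, d, r, s) = vk, msg, sig
    k_m = (pp["K"] + m) % P
    return (pair(m, H) == pair(G, n)           # (M, N) is in DH (assumed check)
            and pair(a, (y_pub + d) % P) == (pair(k_m, H) + pair(pp["T"], s)) % P
            and pair(c, H) == pair(pp["F"], d)
            and pair(r, H) == pair(G, s))


def certify_chain(pp, length):
    """Root signs key 1, key 1 signs key 2, ...: returns root vk and the chain."""
    sk, root_vk = keygen()
    chain = []
    for _ in range(length):
        next_sk, next_vk = keygen()
        chain.append((next_vk, sign(pp, sk, next_vk)))  # a vk is a DH message
        sk = next_sk
    return root_vk, chain


def verify_chain(pp, root_vk, chain):
    issuer = root_vk
    for vk, cert in chain:
        if not verify(pp, issuer, vk, cert):
            return False
        issuer = vk
    return True


def demo():
    pp = setup()
    root_vk, chain = certify_chain(pp, 3)
    genuine = verify_chain(pp, root_vk, chain)
    # Replace the last key by a different well-formed key, reusing its certificate.
    last_vk, last_cert = chain[2]
    rogue_vk = ((last_vk[0] + 1) % P, (last_vk[1] + 1) % P)
    substituted = verify_chain(pp, root_vk, chain[:2] + [(rogue_vk, last_cert)])
    return genuine, substituted


if __name__ == "__main__":
    print(demo())
```
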

3. Signatures on Vectors of Group Elements

A Variant of the Double Pairing Assumption
Double Pairing problem: find non-trivial $Z, R$ s.t. $1 = e(G_Z, Z)\, e(G_R, R)$
• is malleable: one solution ⇒ multiple solutions
• Make 2 simultaneous equations with common element $Z$ ⇒ implied by DLIN
• Multiply random pairings to both sides of equation (flexible) ⇒ non-malleable
$q$-Simultaneous Flexible Pairing assumption (SFP): Given $G_Z, F_Z, G_R, F_U, A, B \in \mathbb{G}_1$ and $\tilde{A}, \tilde{B} \in \mathbb{G}_2$ and $q$ tuples $(Z_i, R_i, S_i, T_i, U_i, V_i, W_i)$ s.t.
$e(A, \tilde{A}) = e(G_Z, Z_i)\, e(G_R, R_i)\, e(S_i, T_i)$
$e(B, \tilde{B}) = e(F_Z, Z_i)\, e(F_U, U_i)\, e(V_i, W_i)$
it is hard to find such a tuple $(Z, R, S, T, U, V, W)$ with $Z \neq 1$ and $Z \neq Z_i$ for all $i$
Theorem: For a generic algorithm the probability of breaking SFP with $\ell$ operations is bounded by $O(q^2 + \ell^2)/p$

Scheme Signing $k$ $\mathbb{G}_2$ Elements at Once
Setup: Choose a bilinear group $(p, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, G, H)$
KeyGen: Message Space: $\mathbb{G}_2^k$
Choose secret key $(\alpha, \beta, \gamma_Z, \delta_Z, \gamma_1, \delta_1, \dots, \gamma_k, \delta_k) \leftarrow (\mathbb{Z}_p^*)^{2k+4}$
Public key:
$G_R \leftarrow \mathbb{G}_1^*$, $G_Z = G_R^{\gamma_Z}$, $\{G_i = G_R^{\gamma_i}\}_{i=1}^{k}$, $a = e(G_R, H^{\alpha})$
$F_U \leftarrow \mathbb{G}_1^*$, $F_Z = F_U^{\delta_Z}$, $\{F_i = F_U^{\delta_i}\}_{i=1}^{k}$, $b = e(F_U, H^{\beta})$
Sign$(sk, (M_1, \dots, M_k))$: Choose $\zeta, \rho, \tau, \varphi, \omega \leftarrow \mathbb{Z}_p^*$, return
$Z = H^{\zeta}$
$R = H^{\rho - \gamma_Z \zeta} \prod_{i=1}^{k} M_i^{-\gamma_i}$, $S = G_R^{\tau}$, $T = H^{(\alpha - \rho)/\tau}$
$U = H^{\varphi - \delta_Z \zeta} \prod_{i=1}^{k} M_i^{-\delta_i}$, $V = F_U^{\omega}$, $W = H^{(\beta - \varphi)/\omega}$
Ver$(vk, (M_1, \dots, M_k), (Z, R, S, T, U, V, W))$: Return 1 if
$a = e(G_Z, Z)\, e(G_R, R)\, e(S, T) \prod_{i=1}^{k} e(G_i, M_i)$
$b = e(F_Z, Z)\, e(F_U, U)\, e(V, W) \prod_{i=1}^{k} e(F_i, M_i)$
Theorem: The scheme is existentially unforgeable under the SFP assumption
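
The two verification equations hold for every signature produced by Sign, and a change to any message component breaks them. The following is an added example, not code from the talk or its authors, that runs KeyGen, Sign and Ver as stated above. It assumes a toy exponent model of the bilinear group with no security, and the function and dictionary key names are hypothetical.

```python
import secrets

# Toy bilinear group (constructed, NOT secure): elements are stored as their
# exponents mod P, products add exponents, powers multiply, e(a, b) = a*b.
P = 2**61 - 1
H = 1                              # generator H of G_2


def pair(a, b):
    return a * b % P


def rand():
    return secrets.randbelow(P - 1) + 1          # uniform in Z_p^*


def keygen(k):
    sk = {"alpha": rand(), "beta": rand(), "gZ": rand(), "dZ": rand(),
          "g": [rand() for _ in range(k)], "d": [rand() for _ in range(k)]}
    g_r, f_u = rand(), rand()                    # G_R, F_U: non-trivial in G_1
    vk = {"GR": g_r, "GZ": g_r * sk["gZ"] % P,
          "G": [g_r * g % P for g in sk["g"]],
          "a": pair(g_r, H * sk["alpha"] % P),   # a = e(G_R, H^alpha)
          "FU": f_u, "FZ": f_u * sk["dZ"] % P,
          "F": [f_u * d % P for d in sk["d"]],
          "b": pair(f_u, H * sk["beta"] % P)}    # b = e(F_U, H^beta)
    return sk, vk


def sign(sk, vk, msgs):
    """Signature (Z, R, S, T, U, V, W) on (M_1..M_k); vk supplies G_R and F_U."""
    if len(msgs) != len(sk["g"]):
        raise ValueError("message vector must have k entries")
    zeta, rho, tau, phi, omega = (rand() for _ in range(5))
    Z = H * zeta % P
    R = (rho - sk["gZ"] * zeta - sum(g * m for g, m in zip(sk["g"], msgs))) % P
    S = vk["GR"] * tau % P
    T = (sk["alpha"] - rho) * pow(tau, -1, P) % P
    U = (phi - sk["dZ"] * zeta - sum(d * m for d, m in zip(sk["d"], msgs))) % P
    V = vk["FU"] * omega % P
    W = (sk["beta"] - phi) * pow(omega, -1, P) % P
    return (Z, R, S, T, U, V, W)


def verify(vk, msgs, sig):
    Z, R, S, T, U, V, W = sig
    if len(msgs) != len(vk["G"]):
        return False
    lhs_a = (pair(vk["GZ"], Z) + pair(vk["GR"], R) + pair(S, T)
             + sum(pair(g, m) for g, m in zip(vk["G"], msgs))) % P
    lhs_b = (pair(vk["FZ"], Z) + pair(vk["FU"], U) + pair(V, W)
             + sum(pair(f, m) for f, m in zip(vk["F"], msgs))) % P
    return lhs_a == vk["a"] and lhs_b == vk["b"]


def demo(k=3):
    sk, vk = keygen(k)
    msgs = [secrets.randbelow(P) for _ in range(k)]
    sig = sign(sk, vk, msgs)
    valid = verify(vk, msgs, sig)
    # Changing one message component must invalidate the signature.
    altered = [(msgs[0] + 1) % P] + msgs[1:]
    altered_rejected = not verify(vk, altered, sig)
    # A vector of the wrong length is rejected before any pairing is evaluated.
    short_rejected = not verify(vk, msgs[:-1], sig)
    return valid, altered_rejected, short_rejected


if __name__ == "__main__":
    print(demo())
```
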

Variants of the Scheme
• Given $(Z, R, S, T, U, V, W)$, we can randomise $(R, S, T, U, V, W)$
• Replace $a$ by random $A_0, \tilde{A}_0, A_1, \tilde{A}_1$ with $a = e(A_0, \tilde{A}_0)\, e(A_1, \tilde{A}_1)$ and $b$ analogously ⇒ Verification key from $\mathbb{G}_1$ and $\mathbb{G}_2$ ⇒ structure preserving
• Dual scheme for signing messages in $\mathbb{G}_1^{k}$ ⇒ combine both schemes to sign messages in $\mathbb{G}_1^{k_1} \times \mathbb{G}_2^{k_2}$
• Chaining signatures to sign unbounded messages ⇒ automorphic
Simulatable Signatures
• Signature scheme in the common reference string (CRS) model
• Trapdoor for CRS allows making signatures for any public key
• Can use WI instead of ZK proofs, since signatures can be simulated directly

4. Applications of Our Signatures

Round-Optimal Blind Signatures
A blind signature scheme allows a user U to obtain a signature on a message hidden from the signer S
Round optimal: Signature issuing: $m \to U \longrightarrow S$, $U \longleftarrow S$, $U \to \Sigma$
Sketch of the scheme [Fis06]
• User makes a commitment $C$ to the message $m$ (Pedersen)
• Signer makes signature $\sigma$ on $C$ (structure-preserving)
• Blind signature: proof of knowledge (PoK) of (Groth-Sahai)
  • $C$
  • $\sigma$
  • an opening of $C$ to $m$
Variant I: Round-opt. automorphic blind signature
• Message $M$ from group, user gets signature on message
• Signer makes pre-signature on $C$; User recovers $\sigma$ on $M$
Variant II: Universally composable round-opt. blind signature
• Use simulatable signature (signature $\sigma$ on $C$ is simulatable!)

Group Signatures
A group signature scheme lets a group manager enrol users who can then sign on behalf of the group anonymously. The anonymity is revocable by an opener.
Automorphic signatures enable efficient instantiation of the following (satisfying model from [BSZ05])
Group signatures with concurrent join
• Opener generates CRS for proof system, keeps trapdoor
• Group manager (GM) generates verification key, keeps signing key
• Enrol: User creates signature key pair $(uvk, usk)$, GM signs $uvk$
• Group signature on $M$: Make signature $\sigma$ on $M$ with $usk$, and PoK of
  • $uvk$
  • signature on $uvk$ by GM
  • $\sigma$
• Open: Opener extracts $uvk$ and $\sigma$

Anonymous Proxy Signatures
Anonymous proxy signatures [FP08]
Generalisation of group signatures and proxy signatures
• Users hold signature key pairs
• Users can delegate signing rights to other users
• Users can re-delegate and make proxy signatures anonymously
• Anonymity revocable by openers
Instantiation
• Automorphic signatures ⇒ delegation by signing public keys
• GS proof ⇒ proxy signature is PoK of delegation chain

Conclusion
Commitments
• First homomorphic trapdoor commitments to group elements
• Used them to construct more efficient schemes
Signatures
• First signature schemes that are fully Groth-Sahai compatible
• Various extensions
• Exemplified their usefulness
Combined with Groth-Sahai proofs, structure-preserving signatures lead to modular instantiations of more complex primitives

Thank you!