Efficient Distributed Tag-Based Encryption and its Application to Group Signatures with Efficient Distributed Traceability

Essam Ghadafi (presented by Enrique Larraia)
[email protected], University of Bristol
Latincrypt 2014
Efficient Distributed Tag-Based Encryption and ...
Outline

1. Background
2. Security Model
3. A Distributed Tag-Based Encryption Scheme
4. Generic Construction of GS with Distributed Traceability
5. Instantiations in the Standard Model
6. Summary
Group Signatures

Group Signatures [CH91] allow a member to anonymously and accountably sign on behalf of a group.

[Figure: a Group Manager GM holding msk and a Tracing Manager TM holding tsk; a group member produces a signature Sig, and TM uses tsk to recover the Signer ID from Sig.]
History and Related Work

Group Signatures were introduced by Chaum and van Heyst [CH91]. Extensive existing work includes:
• Security definitions (static groups) by Bellare et al. [BMW03].
• Security definitions (dynamic groups) by Bellare et al. [BSZ05].
• Opening soundness by Sakai et al. [SSE+12].
• Many constructions, e.g. [CS97, CM98, BBS04, KY05, BW06, BW07, DP06, G07, BB08, ...].
• Either informal constructions or constructions meeting weaker security notions for distributed traceability, e.g. [FY04, BCL+08].
Security of Group Signatures

Besides correctness, the security requirements [BSZ05] are:

Anonymity: Signatures do not reveal the identity of the member.
Traceability: All signatures trace to a member in the group.
Non-Frameability: No one can accuse an honest member of producing a signature she did not produce.
• Protects against a corrupt tracing manager, i.e. TM must prove his decision.
The Problem

Issue: The Tracing Manager has strong power which it can abuse!
Solution: Distribute the tracing capability among n authorities, as considered by other works, e.g. [FY04, ZLM+08].
Challenge: Realizing distributed traceability efficiently together with strong security:
• Full (i.e. CCA) anonymity.
• Concurrent Join protocol, i.e. 1 round.
• Non-frameability against dishonest tracing managers.
• Tracing soundness.
Our Contribution

1. A security model for dynamic group signatures with distributed traceability.
2. A generic construction for dynamic group signatures with distributed traceability.
3. Efficient instantiations in the standard model.
4. Efficient instantiations of a distributed/threshold tag-based encryption scheme in the standard model.
Group Signatures with Distributed Traceability

[Figure: A Group Signature with Distributed Traceability. The Group Manager GM holds msk; the tracing capability is split among tracing managers TM_1, ..., TM_n holding tsk_1, ..., tsk_n; a group member produces a signature Sig, and the tracing managers together recover the Signer ID from Sig.]
Security of GS with Distributed Traceability

Anonymity: Signatures do not reveal who signed them.

[Game diagram: the adversary is given gpk, msk and {tsk_i}_{i∈BTL}; it has access to the oracles AddU, CrptU, SndU, WReg, ModifyReg, RevealU, TraceShare and Trace; it submits a challenge (uid_0, uid_1, m) to the Ch oracle, which picks b ← {0,1} and returns a signature Σ; the adversary outputs a guess b*.]

• Adversary wins if b = b*.
• Captures full key exposure.
• Adversary can learn κ − 1 tracing shares of Σ.
Security of GS with Distributed Traceability

Traceability: All signatures trace to a member in the group.

[Game diagram: the adversary is given gpk and {tsk_i}; it has access to the oracles AddU, CrptU, SndM, RevealU, Sign and RReg, and outputs (Σ*, m*).]

Adversary wins if Σ* verifies on m* and either:
• Σ* is untraceable, i.e. an invalid share or TraceVerify does not accept.
• Σ* does not open to a signer in the group.
Security of GS with Distributed Traceability

Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it.

[Game diagram: the adversary is given gpk, msk and {tsk_i}; it has access to the oracles Sign, CrptU, SndU, WReg and RevealU, and outputs (m*, Σ*, uid*, θ*_Trace).]

Adversary wins if all the following hold:
• Σ* verifies on m* and was not obtained from the Sign oracle.
• θ*_Trace is accepted by TraceVerify.
• uid* is honest.
Security of GS with Distributed Traceability

Tracing Soundness: Even if all entities are corrupt, they cannot produce a signature that traces to different members.

[Game diagram: the adversary is given gpk, msk and {tsk_i}; it has access to the oracles CrptU and WReg, and outputs (m*, Σ*, uid*_1, θ*_Trace1, uid*_2, θ*_Trace2).]

Adversary wins if all the following hold:
• Σ* verifies on m*.
• θ*_Trace1 and θ*_Trace2 are accepted by TraceVerify.
• uid*_1 ≠ uid*_2 ≠ ⊥.
Distributed/Threshold Tag-Based Encryption

• Selective-tag weakly IND-CCA DTBE: n decryption servers, each with a secret/verification key pair (sk_i, svk_i).
• n-out-of-n: a ciphertext can be decrypted only if all n servers compute their shares correctly. (One can have k-out-of-n instead.)

Desirable properties:
• Public verifiability: well-formedness of ciphertexts is publicly verifiable.
• Non-interactiveness: decryption requires no interaction among the servers.
• Robustness: invalid decryption shares can be identified by the combiner.
Distributed/Threshold Tag-Based Encryption

Setup($1^\lambda$, n): Outputs pk, $\vec{svk} = (svk_1, \ldots, svk_n)$ and $\vec{sk} = (sk_1, \ldots, sk_n)$.
Enc(pk, t, m): Outputs a ciphertext $C_{dtbe}$.
IsValid(pk, t, $C_{dtbe}$): Outputs 1 if the ciphertext is valid under the tag t.
ShareDec(pk, $sk_i$, t, $C_{dtbe}$): Outputs the i-th server decryption share $\nu_i$ or $\bot$.
ShareVerify(pk, $svk_i$, t, $C_{dtbe}$, $\nu_i$): Outputs 1 if the decryption share $\nu_i$ is valid or 0 otherwise.
Combine(pk, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, t): Outputs either m or $\bot$.
Distributed/Threshold Tag-Based Encryption: Security of DTBE

ST-wIND-CCA: Similar to IND-CCA for PKE, but the adversary:
1. Must choose the target tag t* before it gets pk.
2. Cannot ask decryption queries on ciphertexts under t*.

Decryption Consistency: A ciphertext cannot be opened in two different ways.
(Prime-Order) Bilinear Groups

$\mathbb{G}$, $\tilde{\mathbb{G}}$, $\mathbb{T}$ are finite cyclic groups of prime order $p$, with $\mathbb{G} := \langle G \rangle$ and $\tilde{\mathbb{G}} := \langle \tilde{G} \rangle$.

Pairing $e : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$: the function $e$ must have the following properties:
• Bilinearity: $\forall H \in \mathbb{G}$, $\forall \tilde{H} \in \tilde{\mathbb{G}}$, $\forall x, y \in \mathbb{Z}$, we have $e(H^x, \tilde{H}^y) = e(H, \tilde{H})^{xy}$.
• Non-degeneracy: $e(G, \tilde{G}) \neq 1$.
• $e$ is efficiently computable.

Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and there is no efficiently computable isomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$.
Our Distributed/Threshold Tag-Based Encryption

Based on the Kiltz scheme [Kil06] and its threshold variant [AT09], but ours is more efficient as it is in asymmetric groups.

Definition (DLIN_G): Given a bilinear group $\mathcal{P}$ and $(H, V, U, R, S, T) = (G^h, G^v, G^u, G^{rh}, G^{sv}, G^{ut}) \in \mathbb{G}^6$, is $t = r + s$?

Definition (External DLIN (XDLIN_G) [Abe et al. 2012]): Same as DLIN_G, but the tuple $(\tilde{H}, \tilde{V}, \tilde{U}, \tilde{R}, \tilde{S})$ in $\tilde{\mathbb{G}}$ is included in the input as well.

Idea of construction: convert [AT09] into the Type-III setting and base it on XDLIN_G instead of DLIN_G.
Our Distributed/Threshold Tag-Based Encryption

Setup($1^\lambda$, n):
• $h, w, z, \{u_i\}_{i=1}^n, \{v_i\}_{i=1}^n \leftarrow \mathbb{Z}_p$.
• $u := \sum_{i=1}^n u_i$, $v := \sum_{i=1}^n v_i$, $(H, \tilde{H}) := (G^h, \tilde{G}^h)$, $(U, \tilde{U}) := (H^u, \tilde{H}^u)$, $(V, \tilde{V}) := (U^{1/v}, \tilde{U}^{1/v})$, $(W, \tilde{W}) := (H^w, \tilde{H}^w)$, $(Z, \tilde{Z}) := (V^z, \tilde{V}^z)$.
• Server secret key is $sk_i := (u_i, v_i)$.
• Server verification key is $svk_i := (\tilde{U}_i := \tilde{H}^{u_i}, \tilde{V}_i := \tilde{V}^{v_i})$.
• Public key is $pk := (\mathcal{P}, H, \tilde{H}, U, \tilde{U}, V, \tilde{V}, W, \tilde{W}, Z, \tilde{Z})$.

Enc(pk, t, M):
• $r_1, r_2 \leftarrow \mathbb{Z}_p$.
• $C_1 := H^{r_1}$, $C_2 := V^{r_2}$, $C_3 := M \cdot U^{r_1 + r_2}$, $C_4 := (U^t W)^{r_1}$, $C_5 := (U^t Z)^{r_2}$.
• $C_{dtbe} := (C_1, C_2, C_3, C_4, C_5) \in \mathbb{G}^5$.
• To check validity of $C_{dtbe}$, check $e(C_1, \tilde{U}^t \tilde{W}) = e(C_4, \tilde{H})$ and $e(C_2, \tilde{U}^t \tilde{Z}) = e(C_5, \tilde{V})$.
Our Distributed/Threshold Tag-Based Encryption

ShareVerify(pk, $svk_i$, t, $C_{dtbe}$, $\nu_i$):
• Parse $svk_i$ as $(\tilde{U}_i, \tilde{V}_i)$, $\nu_i$ as $(C_{i,1}, C_{i,2})$ and $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$.
• Return 1 iff $C_{dtbe}$ is valid and $e(C_{i,1}, \tilde{H}) = e(C_1, \tilde{U}_i)$ and $e(C_{i,2}, \tilde{V}) = e(C_2, \tilde{V}_i)$.

ShareDec(pk, $sk_i$, t, $C_{dtbe}$):
• Return $\bot$ if $C_{dtbe}$ is invalid.
• Parse $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$ and $sk_i$ as $(u_i, v_i)$.
• Return $\nu_i := (C_{i,1} := C_1^{u_i}, C_{i,2} := C_2^{v_i})$.

Combine(pk, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, t):
• Return $\bot$ if $C_{dtbe}$ or any of the shares $\nu_i$ are invalid.
• $M := C_3 \big/ \prod_{i=1}^n C_{i,1} C_{i,2}$.
Generic Construction of GS with Distributed Traceability

Tools used:
1. A NIZK proof of knowledge system NIZK.
2. Two digital signature schemes DS_1 and DS_2 (one can use the same signature scheme).
3. A digital signature scheme WDS unforgeable against a weak chosen-message attack.
4. A strongly unforgeable one-time signature scheme OTS.
5. A selective-tag weakly IND-CCA distributed tag-based encryption scheme DTBE.
6. A collision-resistant hash function H : {0,1}* → T_DTBE.
Generic Construction of GS with Distributed Traceability

Group key generation:
• Generate (pk_DTBE, {svk_i}_{i=1}^κ, {sk_i}_{i=1}^κ) for DTBE.
• Generate (pk_GM, sk_GM) for DS_1.
• Generate crs for NIZK.
• Choose a collision-resistant hash function H : {0,1}* → T_DTBE.
• Set tsk_i := sk_i, gpk := (1^λ, crs, pk_GM, pk_DTBE, {svk_i}_{i=1}^κ, H) and msk := sk_GM.

User key generation:
• Generate a key pair (upk[uid], usk[uid]) for DS_2.
Generic Construction of GS with Distributed Traceability

Joining the group

User (gpk, uid, usk[uid]):
- Generate (pk_uid, sk_uid) for WDS.
- sig_uid ← DS_2.Sign(usk[uid], pk_uid).
- Send sig_uid, pk_uid.

Group Manager (msk, uid, upk[uid]):
- Abort if sig_uid is invalid.
- cert_uid ← DS_1.Sign(msk, pk_uid).
- Send cert_uid.
- reg[uid] := (pk_uid, sig_uid).

User:
- Abort if cert_uid is invalid.
- gsk[uid] := (sk_uid, pk_uid, cert_uid).
Generic Construction of GS with Distributed Traceability

Signing:
1. Choose a fresh key pair (otsvk, otssk) for OTS.
2. Encrypt pk_uid under pk_DTBE and tag H(otsvk) (possibly using some randomness τ) to get C_dtbe.
3. σ ← WDS.Sign(sk_uid, H(otsvk)).
4. Produce a NIZK proof π of pk_uid, cert_uid, σ and τ that:
   • C_dtbe is an encryption of pk_uid under tag H(otsvk) (possibly using randomness τ).
   • σ is a valid WDS signature on H(otsvk) w.r.t. pk_uid.
   • cert_uid is a valid DS_1 signature from GM on pk_uid.
5. σ_ots ← OTS.Sign(otssk, (m, C_dtbe, π, otsvk)).

The signature is Σ := (σ_ots, π, C_dtbe, otsvk).
Generic Construction of GS with Distributed Traceability

Tracing: Tracing Manager TM_i uses his tsk_i to get the decryption share of C_dtbe. Given all shares, anyone can recover the signer identity.

TraceVerify: Verify all the tracing shares. Check that sig_uid on pk_uid verifies w.r.t. the accused signer's personal public key upk[uid].
Security of the Generic Construction

Anonymity: Zero-knowledge of NIZK. ST-wIND-CCA of DTBE. Unforgeability of OTS. Collision-resistance of H.
Non-Frameability: Soundness of NIZK. Unforgeability of DS_2, WDS and OTS. Collision-resistance of H.
Traceability: Soundness of NIZK. Unforgeability of DS_1.
Tracing Soundness: Decryption consistency of DTBE.
Building Blocks

Groth-Sahai proofs [GS08]:

[Diagram of the Groth-Sahai maps: the top row is the pairing $f : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$; the bottom row is the bilinear map $F : \mathcal{H} \times \tilde{\mathcal{H}} \to \mathcal{S}$ with $\mathcal{H} := \mathbb{G}^2$, $\tilde{\mathcal{H}} := \tilde{\mathbb{G}}^2$ and $\mathcal{S} := \mathbb{T}^4$; the rows are connected by the maps $\iota_1, \iota_2, \iota_T$ (downwards) and $\rho_1, \rho_2, \rho_T$ (upwards).]

The system works by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either:
• The simulation setting ⇒ perfectly hiding proofs.
• The extraction setting ⇒ perfectly sound proofs.

We use the SXDH instantiation, which is the most efficient [GSW10].
Building Blocks: Full Boneh-Boyen (FBB) Signature Scheme

• KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G^x, Y := G^y)$.
• Sign: Choose $r \leftarrow \mathbb{Z}_p$ s.t. $x + ry + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{1/(x + ry + m)}$.
• Verify: Return 1 iff $e(X Y^r G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

Weak Boneh-Boyen (WBB) Signature Scheme

• KeyGen: Choose $x \leftarrow \mathbb{Z}_p$, set $sk := x$ and $pk := X := G^x$.
• Sign: If $x + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{1/(x + m)}$.
• Verify: Return 1 iff $e(X G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

Both are secure under the q-SDH assumption.
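The FBB and WBB schemes on the slide above, as an added example that is not code from the paper or its authors. It uses the same discrete-log representation of $\mathbb{G}$, $\tilde{\mathbb{G}}$ and $\mathbb{T}$ as the DTBE example (elements are their exponents mod p, the pairing is a multiplication, $e(G, \tilde{G})$ is 1), so it checks only the verification equations and offers no security. Two assumptions beyond the slide: the FBB signature is modelled as the pair $(r, \tilde{\sigma})$, since Verify needs $r$, and WBB.Sign returns ⊥ (None) in the excluded case $x + m = 0$. The prime, the seed, the keys and the messages are constructed values.

```python
"""Toy model of the full (FBB) and weak (WBB) Boneh-Boyen signatures on the
slides.  Elements of G, G~ and T are represented by their discrete logs mod p,
so e(G^a, G~^b) = e(G, G~)^{ab} becomes a*b mod p and e(G, G~) is 1.  The model
checks the verification equations only and has NO security.  All constants are
constructed for this example."""
import random

p = 2**127 - 1
rng = random.Random(2014)

def e(a, b_tilde):            # pairing in the discrete-log model
    return a * b_tilde % p

def fbb_keygen():
    x, y = rng.randrange(1, p), rng.randrange(1, p)
    return (x, y), (x, y)     # sk = (x, y); pk = (X = G^x, Y = G^y) has logs (x, y)

def fbb_sign(sk, m):
    """FBB.Sign: pick r with x + r*y + m != 0; signature is (r, G~^{1/(x + r y + m)})."""
    x, y = sk
    while True:
        r = rng.randrange(1, p)
        d = (x + r * y + m) % p
        if d != 0:
            return (r, pow(d, -1, p))

def fbb_verify(pk, m, sig):
    """FBB.Verify: e(X Y^r G^m, sigma~) == e(G, G~)."""
    X, Y = pk
    r, sigma = sig
    return e((X + r * Y + m) % p, sigma) == e(1, 1)

def wbb_keygen():
    x = rng.randrange(1, p)
    return x, x               # sk = x; pk = X = G^x

def wbb_sign(sk, m):
    """WBB.Sign: sigma~ = G~^{1/(x + m)}; bottom (None) when x + m == 0."""
    d = (sk + m) % p
    return None if d == 0 else pow(d, -1, p)

def wbb_verify(pk, m, sigma):
    """WBB.Verify: e(X G^m, sigma~) == e(G, G~)."""
    return sigma is not None and e((pk + m) % p, sigma) == e(1, 1)

def demo():
    """(FBB accepts, FBB rejects other message, WBB accepts, WBB rejects other message)."""
    sk, pk = fbb_keygen()
    sig = fbb_sign(sk, 1001)
    fbb_ok = fbb_verify(pk, 1001, sig)
    fbb_tampered = fbb_verify(pk, 1002, sig)     # same signature, other message
    wsk, wpk = wbb_keygen()
    ws = wbb_sign(wsk, 2002)
    wbb_ok = wbb_verify(wpk, 2002, ws)
    wbb_tampered = wbb_verify(wpk, 2003, ws)
    return fbb_ok, fbb_tampered, wbb_ok, wbb_tampered

if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```

In the generic construction WBB is the scheme WDS that signs the single value H(otsvk) under the member's pk_uid, and FBB is the one-time scheme OTS whose fresh key otsvk doubles as the DTBE tag; the model shows why a signature on one message does not verify on another, which is what both roles require.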
Building Blocks: Abe et al. [AGO+14] Signature Scheme

• Setup: Choose a bilinear group $\mathcal{P}$ and $F \leftarrow \mathbb{G}$; $param := (\mathcal{P}, F)$.
• KeyGen: Choose $x \leftarrow \mathbb{Z}_p$. Set $\tilde{X} := \tilde{G}^x$, $sk := x$ and $pk := \tilde{X}$.
• Sign: Choose $r \leftarrow \mathbb{Z}_p$, $\tilde{\Omega}_1 := \tilde{G}^r$, $\Omega_2 := M^{x/r} F^{1/r}$, $\Omega_3 := \Omega_2^{x/r} G^{1/r}$; the randomization token is $\Omega_4 := G^r$.
• Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_1) = e(M, \tilde{X})\, e(F, \tilde{G})$ and $e(\Omega_3, \tilde{\Omega}_1) = e(\Omega_2, \tilde{X})\, e(G, \tilde{G})$.

Fully re-randomizable and secure under an interactive assumption.
Building Blocks: Abe et al. [AGH+11] Signature Scheme

• Setup: Choose a bilinear group $\mathcal{P}$; $param := \mathcal{P}$.
• KeyGen: Choose $w, x, y_1, y_2 \leftarrow \mathbb{Z}_p$, $\tilde{W} := \tilde{G}^w$, $\tilde{X} := \tilde{G}^x$, $\tilde{Y}_1 := \tilde{G}^{y_1}$, $\tilde{Y}_2 := \tilde{G}^{y_2}$. $sk := (w, x, y_1, y_2)$, $pk := (\tilde{W}, \tilde{X}, \tilde{Y}_1, \tilde{Y}_2)$.
• Sign: Choose $\Omega_1 \leftarrow \mathbb{G}$, $a \leftarrow \mathbb{Z}_p$. $\Omega_2 := G^a$, $\tilde{\Omega}_3 := \tilde{G}^{1/a}$, $\Omega_4 := G^{x - aw}\, \Omega_1^{-y_1} M^{-y_2}$.
• Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_3) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(\Omega_2, \tilde{W})\, e(\Omega_4, \tilde{G})\, e(\Omega_1, \tilde{Y}_1)\, e(M, \tilde{Y}_2)$.

Definition (q-AGHO [AGH+11]): Given a tuple $(G, \tilde{G}, \tilde{W}, \tilde{X}, \tilde{Y}) \in \mathbb{G} \times \tilde{\mathbb{G}}^4$ and $q$ random tuples $(A_i, B_i, R_i, \tilde{D}_i) \in \mathbb{G}^3 \times \tilde{\mathbb{G}}$ satisfying $e(A_i, \tilde{D}_i) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(A_i, \tilde{W})\, e(B_i, \tilde{G})\, e(R_i, \tilde{Y})$, it is hard to output a new tuple $(A^*, B^*, R^*, \tilde{D}^*)$ satisfying the relation.
Instantiations

Instantiation I:
• Groth-Sahai for NIZK.
• Abe et al. [AGO+14] signature scheme for DS_1 and DS_2.
• WBB signature for WDS.
• FBB signature for OTS.
• Our efficient DTBE for DTBE.

Assumptions: SXDH, XDLIN_G and q-SDH.
• Pros: more efficient (signature size is $\mathbb{G}^{24} + \tilde{\mathbb{G}}^{21} + \mathbb{Z}_p^5$).
• Cons: involves an interactive intractability assumption (underlying the Abe et al. [AGO+14] scheme).
Instantiations

Instantiation II:
• Groth-Sahai for NIZK.
• Abe et al. [AGH+11] signature scheme for DS_1 and DS_2.
• WBB signature for WDS.
• FBB signature for OTS.
• Our efficient DTBE for DTBE.

Assumptions: SXDH, XDLIN_G, q-AGHO and q-SDH.
• Pros: only relies on falsifiable intractability assumptions.
• Cons: less efficient than Instantiation I (signature size is $\mathbb{G}^{28} + \tilde{\mathbb{G}}^{24} + \mathbb{Z}_p^3$).
Summary

• A formal security model for group signatures with distributed traceability.
• A generic construction of group signatures with distributed traceability.
• Concrete constructions without idealized assumptions.
• An efficient distributed/threshold tag-based encryption scheme in the Type-III setting.
The End

Thank you for your attention! Questions?
Email: [email protected]