EFFICIENT DISTRIBUTED TAG-BASED ENCRYPTION AND ITS APPLICATION TO GROUP SIGNATURES WITH EFFICIENT DISTRIBUTED TRACEABILITY

Essam Ghadafi (Presented by Enrique Larraia)
[email protected]
University of Bristol

Latincrypt 2014


OUTLINE

1. Background
2. Security Model
3. A Distributed Tag-Based Encryption Scheme
4. Generic Construction of GS with Distributed Traceability
5. Instantiations in the Standard Model
6. Summary


GROUP SIGNATURES

Group Signatures [CH91] allow a member to anonymously and accountably sign on behalf of a group.

Figure: a group signature scheme. The group manager GM holds msk, the tracing manager TM holds tsk, a group member produces a signature Sig on behalf of the group, and tracing a signature recovers the signer ID.

HISTORY AND RELATED WORK

Group Signatures were introduced by Chaum and van Heyst [CH91]. Extensive existing work includes:
• Security definitions (static groups) by Bellare et al. [BMW03].
• Security definitions (dynamic groups) by Bellare et al. [BSZ05].
• Opening soundness by Sakai et al. [SSE+12].
• Many constructions, e.g. [CS97, CM98, BBS04, KY05, BW06, BW07, DP06, G07, BB08, ...].
• Either informal constructions or constructions meeting weaker security notions for distributed traceability, e.g. [FY04, BCL+08].

SECURITY OF GROUP SIGNATURES

Besides correctness, the security requirements [BSZ05] are:
Anonymity: Signatures do not reveal the identity of the member.
Traceability: All signatures trace to a member in the group.
Non-Frameability: No one can accuse an honest member of producing a signature she did not produce.
• Protects against a corrupt tracing manager, i.e. TM must prove his decision.

THE PROBLEM

Issue: The Tracing Manager has strong power which it can abuse!
Solution: Distribute the tracing capability among n authorities, as considered by other works, e.g. [FY04, ZLM+08].
Challenge: Realizing distributed traceability efficiently + strong security:
• Full (i.e. CCA) anonymity.
• Concurrent Join protocol, i.e. 1 round.
• Non-frameability against dishonest tracing managers.
• Tracing soundness.

OUR CONTRIBUTION

1. A security model for dynamic group signatures with distributed traceability.
2. A generic construction for dynamic group signatures with distributed traceability.
3. Efficient instantiations in the standard model.
4. Efficient instantiations of a distributed/threshold tag-based encryption scheme in the standard model.

GROUP SIGNATURES WITH DISTRIBUTED TRACEABILITY

Figure: A Group Signature with Distributed Traceability. The group manager GM holds msk; the tracing capability is split among tracing managers $TM_1, \ldots, TM_n$ holding $tsk_1, \ldots, tsk_n$; a group member produces a signature Sig on behalf of the group, and tracing a signature recovers the signer ID.

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Anonymity: Signatures do not reveal who signed them.

Figure (anonymity game): the adversary names a set BTL of corrupt tracing managers and receives gpk, msk and $\{tsk_i\}_{i \in BTL}$. It has access to the oracles AddU, CrptU, SndU, WReg, ModifyReg, RevealU, TraceShare and Trace. It submits $(uid_0, uid_1, m)$ to the challenge oracle Ch, which picks $b \leftarrow \{0,1\}$ and returns a signature $\Sigma$; the adversary outputs a guess $b^*$.
• Adversary wins if $b = b^*$.
• Captures full key exposure.
• Adversary can learn $\kappa - 1$ tracing shares of $\Sigma$.

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Traceability: All signatures trace to a member in the group.

Figure (traceability game): the adversary receives gpk and $\{tsk_i\}$ and has access to the oracles AddU, CrptU, SndM, RevealU, Sign and RReg; it outputs $(\Sigma^*, m^*)$.
Adversary wins if:
• $\Sigma^*$ verifies on $m^*$ and either:
  – $\Sigma^*$ is untraceable, i.e. an invalid share or TraceVerify does not accept.
  – $\Sigma^*$ does not open to a signer in the group.

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Non-Frameability: The adversary cannot output a signature that traces to an honest member who did not produce it.

Figure (non-frameability game): the adversary receives gpk, msk and $\{tsk_i\}$ and has access to the oracles Sign, CrptU, SndU, WReg and RevealU; it outputs $(m^*, \Sigma^*, uid^*, \theta^*_{Trace})$.
Adversary wins if all the following hold:
• $\Sigma^*$ verifies on $m^*$ and was not obtained from the Sign oracle.
• $\theta^*_{Trace}$ is accepted by TraceVerify.
• $uid^*$ is honest.

SECURITY OF GS WITH DISTRIBUTED TRACEABILITY

Tracing Soundness: Even if all entities are corrupt, they cannot produce a signature that traces to different members.

Figure (tracing soundness game): the adversary receives gpk, msk and $\{tsk_i\}$ and has access to the oracles CrptU and WReg; it outputs $(m^*, \Sigma^*, uid^*_1, \theta^*_{Trace_1}, uid^*_2, \theta^*_{Trace_2})$.
Adversary wins if all the following hold:
• $\Sigma^*$ verifies on $m^*$.
• $\theta^*_{Trace_1}$ and $\theta^*_{Trace_2}$ are accepted by TraceVerify.
• $uid^*_1 \neq uid^*_2 \neq \bot$.

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

• Selective-Tag weakly IND-CCA DTBE: n decryption servers, each with a secret/verification key pair $(sk_i, svk_i)$.
n-out-of-n: A ciphertext can be decrypted only if all n servers compute their shares correctly. (One can have k-out-of-n instead.)

Desirable Properties:
• Public Verifiability: Well-formedness of ciphertexts is publicly verifiable.
• Non-Interactiveness: Decryption requires no interaction among the servers.
• Robustness: Invalid decryption shares can be identified by the combiner.

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

DTBE
Setup($1^\lambda$, n): Outputs pk, $\vec{svk} = (svk_1, \ldots, svk_n)$ and $\vec{sk} = (sk_1, \ldots, sk_n)$.
Enc(pk, t, m): Outputs a ciphertext $C_{dtbe}$.
IsValid(pk, t, $C_{dtbe}$): Outputs 1 if the ciphertext is valid under the tag t.
ShareDec(pk, $sk_i$, t, $C_{dtbe}$): Outputs the i-th server's decryption share $\nu_i$ or $\bot$.
ShareVerify(pk, $svk_i$, t, $C_{dtbe}$, $\nu_i$): Outputs 1 if the decryption share $\nu_i$ is valid or 0 otherwise.
Combine(pk, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, t): Outputs either m or $\bot$.

DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION: SECURITY OF DTBE

ST-wIND-CCA: Similar to IND-CCA for PKE, but the adversary:
1. Must choose the target tag $t^*$ before it gets pk.
2. Cannot ask decryption queries on ciphertexts under $t^*$.

Decryption Consistency: A ciphertext cannot be opened in two different ways.

(PRIME-ORDER) BILINEAR GROUPS

$\mathbb{G}, \tilde{\mathbb{G}}, \mathbb{T}$ are finite cyclic groups of prime order p. $\mathbb{G} := \langle G \rangle$ and $\tilde{\mathbb{G}} := \langle \tilde{G} \rangle$.
Pairing ($e : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$): The function e must have the following properties:
Bilinearity: $\forall H \in \mathbb{G}$, $\forall \tilde{H} \in \tilde{\mathbb{G}}$, $\forall x, y \in \mathbb{Z}$, we have $e(H^x, \tilde{H}^y) = e(H, \tilde{H})^{xy}$.
Non-degeneracy: $e(G, \tilde{G}) \neq 1$.
e is efficiently computable.
Type-III [GPS08]: $\mathbb{G} \neq \tilde{\mathbb{G}}$ and there is no efficiently computable isomorphism between $\mathbb{G}$ and $\tilde{\mathbb{G}}$.

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

Based on the Kiltz scheme [Kil06] and its threshold variant [AT09], but ours is more efficient as it is in asymmetric groups.

Definition (DLIN$_\mathbb{G}$): Given a bilinear group $\mathcal{P}$ and $(H, V, U, R, S, T) = (G^h, G^v, G^u, G^{rh}, G^{sv}, G^{ut}) \in \mathbb{G}^6$, is $t = r + s$?

Definition (External DLIN (XDLIN$_\mathbb{G}$) [Abe et al. 2012]): Same as DLIN$_\mathbb{G}$, but the input also includes the tuple $(\tilde{H}, \tilde{V}, \tilde{U}, \tilde{R}, \tilde{S}) \in \tilde{\mathbb{G}}^5$, i.e. the same exponents over $\tilde{G}$.

Idea of Construction: Convert [AT09] into the Type-III setting and base it on XDLIN$_\mathbb{G}$ instead of DLIN$_\mathbb{G}$.

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

Setup($1^\lambda$, n):
• $h, w, z, \{u_i\}_{i=1}^n, \{v_i\}_{i=1}^n \leftarrow \mathbb{Z}_p$.
• $u := \sum_{i=1}^n u_i$, $v := \sum_{i=1}^n v_i$, $(H, \tilde{H}) := (G^h, \tilde{G}^h)$, $(U, \tilde{U}) := (H^u, \tilde{H}^u)$, $(V, \tilde{V}) := (U^{1/v}, \tilde{U}^{1/v})$, $(W, \tilde{W}) := (H^w, \tilde{H}^w)$, $(Z, \tilde{Z}) := (V^z, \tilde{V}^z)$.
• Server Secret Key is $sk_i := (u_i, v_i)$.
• Server Verification Key is $svk_i := (\tilde{U}_i := \tilde{H}^{u_i}, \tilde{V}_i := \tilde{V}^{v_i})$.
• Public Key is $pk := (\mathcal{P}, H, \tilde{H}, U, \tilde{U}, V, \tilde{V}, W, \tilde{W}, Z, \tilde{Z})$.

Enc(pk, t, M):
• $r_1, r_2 \leftarrow \mathbb{Z}_p$.
• $C_1 := H^{r_1}$, $C_2 := V^{r_2}$, $C_3 := M U^{r_1 + r_2}$, $C_4 := (U^t W)^{r_1}$, $C_5 := (U^t Z)^{r_2}$.
• $C_{dtbe} := (C_1, C_2, C_3, C_4, C_5) \in \mathbb{G}^5$.
• To check validity of $C_{dtbe}$, check $e(C_1, \tilde{U}^t \tilde{W}) = e(C_4, \tilde{H})$ and $e(C_2, \tilde{U}^t \tilde{Z}) = e(C_5, \tilde{V})$.

OUR DISTRIBUTED/THRESHOLD TAG-BASED ENCRYPTION

ShareVerify(pk, $svk_i$, t, $C_{dtbe}$, $\nu_i$):
• Parse $svk_i$ as $(\tilde{U}_i, \tilde{V}_i)$, $\nu_i$ as $(C_{i,1}, C_{i,2})$ and $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$.
• Return 1 iff $C_{dtbe}$ is valid and $e(C_{i,1}, \tilde{H}) = e(C_1, \tilde{U}_i)$ and $e(C_{i,2}, \tilde{V}) = e(C_2, \tilde{V}_i)$.

ShareDec(pk, $sk_i$, t, $C_{dtbe}$):
• Return $\bot$ if $C_{dtbe}$ is invalid.
• Parse $C_{dtbe}$ as $(C_1, C_2, C_3, C_4, C_5)$ and $sk_i$ as $(u_i, v_i)$.
• Return $\nu_i := (C_{i,1} := C_1^{u_i}, C_{i,2} := C_2^{v_i})$.

Combine(pk, $\{svk_i\}_{i=1}^n$, $\{\nu_i\}_{i=1}^n$, $C_{dtbe}$, t):
• Return $\bot$ if $C_{dtbe}$ or any of the shares $\nu_i$ are invalid.
• $M := \dfrac{C_3}{\prod_{i=1}^n C_{i,1} C_{i,2}}$.


GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

• Tools used:
1. A NIZK proof of knowledge system NIZK.
2. Two digital signature schemes $DS_1$ and $DS_2$ (one can use the same signature scheme).
3. A digital signature scheme WDS unforgeable against a weak chosen-message attack.
4. A strongly unforgeable one-time signature scheme OTS.
5. A selective-tag weakly IND-CCA distributed tag-based encryption scheme DTBE.
6. A collision-resistant hash function $H : \{0,1\}^* \to \mathcal{T}_{DTBE}$ (the tag space of DTBE).

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

• Group Key Generation
  • Generate $(pk_{DTBE}, \{svk_i\}_{i=1}^\kappa, \{sk_i\}_{i=1}^\kappa)$ for DTBE.
  • Generate $(pk_{GM}, sk_{GM})$ for $DS_1$.
  • Generate crs for NIZK.
  • Choose a collision-resistant hash function $H : \{0,1\}^* \to \mathcal{T}_{DTBE}$.
  Set $tsk_i := sk_i$, $gpk := (1^\lambda, crs, pk_{GM}, pk_{DTBE}, \{svk_i\}_{i=1}^\kappa, H)$ and $msk := sk_{GM}$.

• User Key Generation
  • Generate a key pair (upk[uid], usk[uid]) for $DS_2$.

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

• Joining the group
User input: (gpk, uid, usk[uid]). Group Manager input: (msk, uid, upk[uid]).
User:
- Generate $(pk_{uid}, sk_{uid})$ for WDS.
- $sig_{uid} \leftarrow DS_2.Sign(usk[uid], pk_{uid})$.
- Send $sig_{uid}, pk_{uid}$.
Group Manager:
- Abort if $sig_{uid}$ is invalid.
- $cert_{uid} \leftarrow DS_1.Sign(msk, pk_{uid})$.
- Send $cert_{uid}$.
- reg[uid] := $(pk_{uid}, sig_{uid})$.
User:
- Abort if $cert_{uid}$ is invalid.
- gsk[uid] := $(sk_{uid}, pk_{uid}, cert_{uid})$.

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

• Signing
1. Choose a fresh key pair (otsvk, otssk) for OTS.
2. Encrypt $pk_{uid}$ under $pk_{DTBE}$ and tag H(otsvk) (possibly using some randomness $\tau$) to get $C_{dtbe}$.
3. $\sigma \leftarrow WDS.Sign(sk_{uid}, H(otsvk))$.
4. Produce a NIZK proof $\pi$ of $pk_{uid}$, $cert_{uid}$, $\sigma$ and $\tau$ that:
   • $C_{dtbe}$ is an encryption of $pk_{uid}$ under tag H(otsvk) (possibly using randomness $\tau$).
   • $\sigma$ is a valid WDS signature on H(otsvk) w.r.t. $pk_{uid}$.
   • $cert_{uid}$ is a valid $DS_1$ signature from GM on $pk_{uid}$.
5. $\sigma_{ots} \leftarrow OTS.Sign(otssk, (m, C_{dtbe}, \pi, otsvk))$.

The signature is $\Sigma := (\sigma_{ots}, \pi, C_{dtbe}, otsvk)$.

GENERIC CONSTRUCTION OF GS WITH DISTRIBUTED TRACEABILITY

• Tracing
Tracing Manager $TM_i$ uses his $tsk_i$ to get the decryption share of $C_{dtbe}$. Given all shares, anyone can recover the signer identity.

• TraceVerify
Verify all the tracing shares. Check that $sig_{uid}$ on $pk_{uid}$ verifies w.r.t. the accused signer's personal public key upk[uid].

SECURITY OF THE GENERIC CONSTRUCTION

Anonymity: Zero-knowledge of NIZK. ST-wIND-CCA of DTBE. Unforgeability of OTS. Collision-resistance of H.
Non-Frameability: Soundness of NIZK. Unforgeability of $DS_2$, WDS and OTS. Collision-resistance of H.
Traceability: Soundness of NIZK. Unforgeability of $DS_1$.
Tracing Soundness: Decryption-consistency of DTBE.

BUILDING BLOCKS

Groth-Sahai proofs [GS08]:
Diagram: the bilinear map $f : \mathbb{G} \times \tilde{\mathbb{G}} \to \mathbb{T}$ is lifted to $F : \mathbb{H} \times \tilde{\mathbb{H}} \to \mathbb{S}$, where $\mathbb{H} := \mathbb{G}^2$, $\tilde{\mathbb{H}} := \tilde{\mathbb{G}}^2$ and $\mathbb{S} := \mathbb{T}^4$, via the inclusion maps $\iota_1 : \mathbb{G} \to \mathbb{H}$, $\iota_2 : \tilde{\mathbb{G}} \to \tilde{\mathbb{H}}$, $\iota_T : \mathbb{T} \to \mathbb{S}$ and the projection maps $\rho_1, \rho_2, \rho_T$ in the opposite direction.

The system works by first committing to (encrypting) the witness and then producing a proof for the statement. The system can be instantiated in either:
• The simulation setting ⇒ perfectly hiding proofs.
• The extraction setting ⇒ perfectly sound proofs.

We use the SXDH instantiation, which is the most efficient [GSW10].

BUILDING BLOCKS

FULL BONEH-BOYEN (FBB) SIGNATURE SCHEME
KeyGen: Choose $x, y \leftarrow \mathbb{Z}_p$, set $sk := (x, y)$ and $pk := (X := G^x, Y := G^y)$.
Sign: Choose $r \leftarrow \mathbb{Z}_p$ s.t. $x + ry + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{1/(x + ry + m)}$.
Verify: Return 1 iff $e(X Y^r G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

WEAK BONEH-BOYEN (WBB) SIGNATURE SCHEME
KeyGen: Choose $x \leftarrow \mathbb{Z}_p$, set $sk := x$ and $pk := X := G^x$.
Sign: If $x + m \neq 0$, $\tilde{\sigma} := \tilde{G}^{1/(x + m)}$.
Verify: Return 1 iff $e(X G^m, \tilde{\sigma}) = e(G, \tilde{G})$.

Both secure under the q-SDH assumption.

BUILDING BLOCKS

ABE ET AL. [AGO+14] SIGNATURE SCHEME
Setup: Choose a bilinear group $\mathcal{P}$. $F \leftarrow \mathbb{G}$. param := $(\mathcal{P}, F)$.
KeyGen: Choose $x \leftarrow \mathbb{Z}_p$. Set $\tilde{X} := \tilde{G}^x$, $sk := x$ and $pk := \tilde{X}$.
Sign: Choose $r \leftarrow \mathbb{Z}_p$, $\tilde{\Omega}_1 := \tilde{G}^r$, $\Omega_2 := M^{x/r} F^{1/r}$, $\Omega_3 := \Omega_2^{x/r} G^{1/r}$; the randomization token is $\Omega_4 := G^{1/r}$.
Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_1) = e(M, \tilde{X})\, e(F, \tilde{G})$ and $e(\Omega_3, \tilde{\Omega}_1) = e(\Omega_2, \tilde{X})\, e(G, \tilde{G})$.

Fully re-randomizable and secure under an interactive assumption.

BUILDING BLOCKS

ABE ET AL. [AGH+11] SIGNATURE SCHEME
Setup: Choose a bilinear group $\mathcal{P}$. param := $\mathcal{P}$.
KeyGen: Choose $w, x, y_1, y_2 \leftarrow \mathbb{Z}_p$, $\tilde{W} := \tilde{G}^w$, $\tilde{X} := \tilde{G}^x$, $\tilde{Y}_1 := \tilde{G}^{y_1}$, $\tilde{Y}_2 := \tilde{G}^{y_2}$. $sk := (w, x, y_1, y_2)$, $pk := (\tilde{W}, \tilde{X}, \tilde{Y}_1, \tilde{Y}_2)$.
Sign: Choose $\Omega_1 \leftarrow \mathbb{G}$, $a \leftarrow \mathbb{Z}_p$. $\Omega_2 := G^a$, $\tilde{\Omega}_3 := \tilde{G}^{1/a}$, $\Omega_4 := G^{x - aw}\, \Omega_1^{-y_1} M^{-y_2}$.
Verify: Return 1 if $e(\Omega_2, \tilde{\Omega}_3) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(\Omega_2, \tilde{W})\, e(\Omega_4, \tilde{G})\, e(\Omega_1, \tilde{Y}_1)\, e(M, \tilde{Y}_2)$.

Definition (q-AGHO [AGH+11]): Given a tuple $(G, \tilde{G}, \tilde{W}, \tilde{X}, \tilde{Y}) \in \mathbb{G} \times \tilde{\mathbb{G}}^4$ and q random tuples $(A_i, B_i, R_i, \tilde{D}_i) \in \mathbb{G}^3 \times \tilde{\mathbb{G}}$ satisfying $e(A_i, \tilde{D}_i) = e(G, \tilde{G})$ and $e(G, \tilde{X}) = e(A_i, \tilde{W})\, e(B_i, \tilde{G})\, e(R_i, \tilde{Y})$, it is hard to output a new tuple $(A^*, B^*, R^*, \tilde{D}^*)$ satisfying the relation.

INSTANTIATIONS

• Instantiation I
Groth-Sahai for NIZK. Abe et al. [AGO+14] signature scheme for $DS_1$ and $DS_2$. WBB signature for WDS. FBB signature for OTS. Our efficient DTBE for DTBE.
Assumptions: SXDH, XDLIN$_\mathbb{G}$, and q-SDH.
• The Pros: More efficient (signature size is $\mathbb{G}^{24} + \tilde{\mathbb{G}}^{21} + \mathbb{Z}_p^5$).
• The Cons: Involves an interactive intractability assumption (underlying the Abe et al. [AGO+14] scheme).

INSTANTIATIONS

• Instantiation II
Groth-Sahai for NIZK. Abe et al. [AGH+11] signature scheme for $DS_1$ and $DS_2$. WBB signature for WDS. FBB signature for OTS. Our efficient DTBE for DTBE.
Assumptions: SXDH, XDLIN$_\mathbb{G}$, q-AGHO, and q-SDH.
• The Pros: Only relies on falsifiable intractability assumptions.
• The Cons: Less efficient than I (signature size is $\mathbb{G}^{28} + \tilde{\mathbb{G}}^{24} + \mathbb{Z}_p^3$).

SUMMARY

• A formal security model for group signatures with distributed traceability.
• A generic construction of group signatures with distributed traceability.
• Concrete constructions without idealized assumptions.
• An efficient distributed/threshold tag-based encryption scheme in the Type-III setting.

THE END

Thank you for your attention! Questions?
Email: [email protected]