Transcript Group signature - UCL Computer Science

Fully Anonymous Group Signatures
without Random Oracles
Jens Groth
University College London
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Issuer
Member
Anonymous
signature
Group
Issuer
Opener
Group manager
Group
signature
Group
Anonymity?
• Can group signatures made by the same member
be linked?
• What happens if somebody loses his secret group
membership key, are all his signatures suddenly
identifiable?
• What happens if somebody gets the opener to
trace the signers of selected group signatures?
(think chosen ciphertext attack)
Full anonymity
Issuer is corrupt
All members’ group signature keys are exposed
Opener is honest (otherwise anonymity not possible)
but willing to open group signatures
• Two honest members’ group signatures on the
same message are indistinguishable
Unlinkable, key-exposure resilient, CCA-anonymous
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Previous work
• Many papers [ACJT00, CL02, CL04 BBS04,
CG04,FI05,KY05, etc.]
Random oracle model
• Boyen, Waters 06, 07
CPA-anonymous
• Ateniese, Camenisch, Hohenberger, de Medeiros 06
Key-exposure
• Bellare, Micciancio, Warinschi 03
Bellare, Shi, Zhang 05
Groth 06
Fully anonymous inefficient group signatures
Our contribution
•
•
•
•
Fully anonymous group signature
Separate Issuer and Opener
Partially dynamic – the group can grow
Efficient
Group signature is around 2kB
50 group elements from elliptic curve
• Based on bilinear groups
Decisional
linearschemes
assumption
More efficient
exist[BBS04]
in the
q-Strongrandom
Diffie Hellman
assumption [BB04]
oracle model
q-Unfakeability assumption [ZL06]
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
New member joining the group
Issuer
Member
Signature key pair:
(vk,sk)
Issuer’s certificate on vk:
cert
Signature – not anonymous
cert, vk, signsk(m)
Member
Anonymous signature
NIZK(cert, vk, signsk(m))
Member
Non-interactive zero-knowledge proof of
knowledge of (cert, vk, signsk(m))
- guarantees certified signature exists
- reveal nothing about contents
Anonymous signature
NIWI(cert, vk, signsk(m))
Member
Non-interactive witness-indistinguishable
proof of knowledge of (cert, vk, signsk(m))
- guarantees certified signature exists
- does not reveal signer
Opening
CCA2-secure
pk
Opener
NIWI(cert, vk, signsk(m))
Epk(vk)
Member
NIZK(vk)
Non-interactive zero-knowledge proof that
NIWI(cert,vk,signsk(m)) and Epk(vk)
use the same vk
Group signature
vksots
NIWI(cert, vk, signsk(vk
(m)sots
) ))
Epk(vk)
Member
NIZK(vk)
Signsots(vksots,m,NIWI,E,NIZK)
Strong one-time signature on message and
everything else
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Bilinear groups
•
•
•
•
Prime p
Groups G, GT of order p
g generates G
Bilinear map e: G × G → GT
- e(g,g) generates GT
- e(ga,gb) = e(g,g)ab
• Efficiently computable group operations, group
membership, bilinear map, etc.
GS proofs [Groth, Sahai 06]
Efficient NIZK and NIWI proofs for bilinear-group statements
Statements of the form
 x,y,z,... G
 φ,θ,...  Zp
e(a,x) e(y,z) = T
bφ y5θ+2 z = t
3φ + 2φθ = 8 mod p
Security based on Decisional Linear Assumption
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Signature
BB signature [Boneh, Boyen 04]
vk = gsk
signsk(m) = g1/(sk+m)
Verify e(sig,gmvk) = e(g,g)
Use BB signature for both
vksots, signsots(vk,m,NIWI,E,NIZK)
vk, signsk(vksots)
Security based on q-Strong Diffie Hellman Assump.
Certified signature
Certificate [Zhou, Lin 06]
Public issuer key:
f, h  G , T  GT
Certificate on vk:
(a,b) so e(a,hvk) e(f,b) = T
Certified signature
Forgeable!
Unforgeable
in combination
with BB signature
2h
[Boldyreva,
Fischlin,
VK
Palacio,
=
vk
Warinschi
07]
Security based on q-Strong
Diffie
Hellman
and
1/2,hVK) e(f,b) = T
e(a
Hard to forge
both certificate and
q-Unfakeability
assumptions
signature at the same time
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Selective-tag weak CCA-secure encryption
Instead of full-blown CCA2-secure encryption, use
selective-tag weak CCA-secure encryption
[Kiltz 06]
We use tag = hash(vksots)
pk = (F,H,K,L)
Epk(tag,m) = ( Fr, Hs , gr+sm , (gtagK)r , (gtagL)s )
Security based on the Decisional Linear Assumption
Agenda
• Introduction
– Group signatures
– Full anonymity
– Previous work and our results
• Generic construction
–
–
–
–
Certified signatures
Anonymization through NIZK proofs
Opening through CCA2-secure encryption
Generic group signature
• Pairing-based construction
–
–
–
–
GS proofs
BB signatures and ZL certificates
Tag-based CCA2-secure encryption
Our group signature
Fully anonymous group signature
vksots
NIWI(cert,vk,signsk(vksots))
tag=vksots
Epk(tag,vk)
NIZK(same vk)
signsots(m,above)
BB-key
certified sign.[ZL] + GS proof
Use bilinear groups for all
tools to get efficient NIWI
and NIZK proofs
Group signature size
50 group elements from
elliptic curve
Kiltz-encryption
GS-proof
BB-signature
Thank you
• Conclusion
–
–
–
–
–
–
Pairing based group signature
Fully anonymous
Separate Issuer and Opener
Partially dynamic group
Size: 50 elements from elliptic curve
Standard type cryptographic assumptions
(no random oracles)