formalizing group blind signatures and practical ... · formalizing group blind signatures and...

FORMALIZING GROUP BLIND SIGNATURES AND

PRACTICAL CONSTRUCTIONS WITHOUT

RANDOM ORACLES

Essam Ghadafi

[email protected] of Bristol

ACISP 2013

FORMALIZING GROUP BLIND SIGNATURES . . .

OUTLINE

1 BACKGROUND

2 SECURITY MODEL

3 BUILDING BLOCKS

4 OUR CONSTRUCTIONS

5 FULL ANONYMITY

6 SUMMARY & OPEN PROBLEMS

FORMALIZING GROUP BLIND SIGNATURES . . .

GROUP BLIND SIGNATURES

Group Signatures [CH91] preserve the anonymity of the signer.

Blind Signatures [Cha83] preserve the privacy of the messageto be signed.

Group Blind Signatures [LZ98] combine properties of theabove and thus preserve both the anonymity of the signer + theprivacy of the message.

FORMALIZING GROUP BLIND SIGNATURES . . . 1


User

Group

IssuerOpener

gpk

ok ik



User

Group

IssuerOpener

gpk

ok ik

Sig


HISTORY AND RELATED WORK

The primitive which combines the properties of a blind signature[Cha83] and a group signature [CH91] was introduced byLysyanskaya and Zulfikar [LZ98].

Existing constructions:I Lysyanskaya and Zulfikar, 1998.

Based on Camenisch-Stadler group signatures [CL97].I K. Q. Nguyen, Y. Mu, and V. Varadharajan, 1999.

Uses divertible zero-knowledge proofs [OO90].


APPLICATIONS OF GROUP BLIND SIGNATURES

Group blind signatures provide bi-directional privacy and are thususeful for applications where such a requirement is needed.

Example applications:

I Distributed e-cash, e.g. [LZ98]: The e-coin reveals neither theidentity of its holder nor that of the issuing bank/branch.

I Other applications include: multi-authority e-voting ande-auction systems.


OUR CONTRIBUTION

I A formal security model for the primitive.

I A generic construction.

I The first instantiations without random oracles.

I Other useful building blocks and observations.


SECURITY DEFINITION CHALLENGES

The signing protocol is blind, i.e. the message is not known to thesigner and the signature is not well defined, so:

1 How to define Full Anonymity, i.e. CCA2 Anonymity?⇒ How to identify the challenge signature?

2 How to define non-frameability?

3 How to extend blindness to the group setting?


SYNTAX OF GROUP BLIND SIGNATURES

A GROUP BLIND SIGNATURE

GKg(1λ): Outputs gpk, ik and ok.

UKg: Outputs a pair of personal secret/public keys(ssk[i], spk[i]) for a signer.

〈Join(gpk, i, ssk[i]), Issue(ik, i, spk[i])〉: If successful, Signeribecomes a member and obtains a group signing key gsk[i].

〈Obtain(gpk,m),Sign(gsk[i])〉: If successful, the user obtains asignature Σ; Otherwise, it outputs ⊥.

GVf(gpk,m,Σ): Verifies if Σ is valid on the message m.

Open(gpk,ok, reg,m,Σ): Returns the identity of the signerplus a proof τ .

Judge(gpk, i, spk[i],m,Σ, τ): Verifies the Opener’s decision.


SECURITY OF GROUP BLIND SIGNATURES

I Correctness: If all parties are honest, we have that:

Signatures are accepted by the GVf algorithm.The Opener can identify the signer.The Judge algorithm accepts the Opener’s decision.



I Anonymity: Signatures do not reveal who signed them.

Open†Open†

SSKSSK

CrptSCrptS

SndToSSndToS

b*

ModifyRegModifyReg

ModifyRegModifyReg ...

i0, i1Ch

b←{0,1}

Ch

b←{0,1}

gpk,ik

Adversary wins if: b = b∗.

I † Similarly to IND-RCCA [CKN03], the Open oracle returns ⊥if the signature opens to i0 or i1.



I Traceability: The adversary cannot output an untraceablesignature.

AddSAddS

CrptSCrptS

ReadRegReadReg

SSKSSK

SndToISndToI

gpk,ok

Σ,m

Adversary wins if all the following holds:Σ verifies on m.Either Σ does not open to a signer in the group or Judge doesnot accept the Opener’s decision on Σ.



I Non-Frameability: The adversary cannot output a signature thattraces to an honest member who did not produce it.

gpk,ik,ok

CrptSCrptS

ModifyRegModifyReg

SSKSSK id,Σ1,m1,...,Σn+1,mn+1

SndToSSndToS

... OSignOSign

Adversary wins if all the following holds:∀i ∈ {1, . . . , n + 1}, Σi verifies on mi, opens to id and theopening is accepted by Judge.The adversary asked for only n signatures by signer id.If weak unforgeability, the messages are distinct.



I Blindness: Group members do not learn the message beingsigned.

Open†Open†

SSKSSK

CrptSCrptS

SndToSSndToS

b*

ModifyRegModifyRegReadRegReadReg

Obtain(gpk,mb)Obtain(gpk,mb)

gpk,ik

Obtain(gpk,m1-b)Obtain(gpk,m1-b)

m0,m1

Σb

Σ1-b

b←{0,1}

(Σ0,Σ1) or (┴,┴)

Adversary wins if: b = b∗.I † If strong unforgeability, the Open oracle returns ⊥ if

(m,Σ) = (mb,Σb) or (m,Σ) = (m1−b,Σ1−b).I If weak unforgeability, the Open oracle returns ⊥ if

m ∈ {m0,m1}.FORMALIZING GROUP BLIND SIGNATURES . . . 12

CONSTRUCTION CHALLENGES

How to realize the subtle dual privacy requirement and

1 Maintain round optimality

2 Avoid idealized assumptions

?


(PRIME-ORDER) BILINEAR GROUPS

G1, G2, GT are finite cyclic groups of prime order p, whereG1 := 〈G1〉 and G2 := 〈G2〉.

Pairing (e : G1 ×G2 −→ GT) :The function e must have the following properties:

I Bilinearity: ∀H1 ∈ G1 , H2 ∈ G2 x, y ∈ Z, we have

e(Hx1,H

y2) = e(H1,H2)xy.

I Non-degeneracy: The value e(G1,G2) 6= 1 generates GT .I The function e is efficiently computable.

Type-3 [GPS08]: G1 6= G2 and no efficiently computableisomorphism between G1 and G2.


GROTH-SAHAI PROOFS

Groth-Sahai proofs [GS08]:

G1 × G2f→ GT

ι1 ↓↑ ρ1 ι2 ↓↑ ρ2 ιT ↓↑ ρT

H1 := G21 × H2 := G2

2F−→ HT := G4

T

The system work by first committing to (encrypting) the witness andthen producing a proof for the statement.

The system can be instantiated in either:I The simulation setting⇒ perfectly hiding proofs.I The extraction setting⇒ perfectly sound proofs.

The limitations:1 Can only extract one-way function (i.e. Gw

i ) of an exponentwitness w.

2 Cannot simulate and extract at the same time.FORMALIZING GROUP BLIND SIGNATURES . . . 15

GROTH-SAHAI PROOFS

Useful Properties of Groth-Sahai Proofs:I Independence of public terms (Also, independently observed by

[Fuc11]):Example:

E :=

n∏j=1

e(Aj,Yj)

m∏i=1

e(Xi,Bi)

m∏i=1

n∏j=1

e(Xi,Yj)γi,j = tT ,

a proof Π for E is independent of tT ⇒ we can transform Π intoa NIZK/NIWI proof for a related equation without knowledge ofthe original witness.

I Re-randomizability of proofs [BCCKLS09]:Re-randomize the GS commitments and update the proofs⇒ thenew proof is unlinkable to the old one.


A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME

NCL is based on the CL signature scheme [CL04]:

THE NCL SIGNATURE SCHEME

KeyGen: Choose x, y← Zp, set sk := (x, y) andpk := (X := Gx

2,Y := Gy2).

Sign: To sign (M1,M2) ∈ G1 ×G2, return ⊥ ife(M1,G2) 6= e(G1,M2); otherwise, computeσ :=

(A := Ga

1, B := Ay, C := May1 , D := (A · C)x

)∈ G4

1.

Verify: Check that A 6= 1G1 and

e(B,G2) = e(A,Y)

e(C,G2) = e(B,M2)

e(D,G2) = e(A · C,X)


A NEW STRUCTURE-PRESERVING SIGNATURE SCHEME

NCL is secure under the (interactive) DH-LRSW assumption:

DEFINITION (DUAL-HIDDEN LRSW (DH-LRSW) ASSUMPTION)

Given (Gx2,G

y2) for x, y← Zp and an oracle that on input a pair

(M1,M2) ∈ G1 ×G2 outputs:I ⊥ if e(M1,G2) 6= e(G1,M2).I A DH-LRSW tuple

(Ga

1,Gay1 ,M

ay1 ,A

x ·Maxy1

)for a← Zp

otherwise.

, it is infeasible to compute a DH-LRSW tuple for (M′1,M′2) that was

never queried to the oracle.


THE BLIND SIGNATURE SCHEME [FUC09]

As an example, we use the blind signature scheme by [Fuc09] basedon the following automorphic signature scheme:

THE AUTOMORPHIC SIGNATURE SCHEME [FUC09]

Setup: Given (e,G1,G2,GT ,G1,G2, p), choose F,K,T ← G1.

KeyGen: Choose s← Zp and set pk := (S1, S2) = (Gs1,G

s2).

Sign: To sign (M1,M2) ∈ G1 ×G2 wheree(M1,G2) = e(G1,M2), choose r, c← Zp and compute:

H := (K · Tr ·M1)1

x+c ,R1 := Gr1,R2 := Gr

2,C1 := Fc,C2 := Gc2.

The signature is σ := (H,R1,C1,R2,C2) ∈ G31 ×G2

2.

Verify: Check that

e(H, S2 · C2) = e(K ·M1,G2)e(T,R2)

e(C1,G2) = e(F,C2)

e(R1,G2) = e(G1,R2)


THE BLIND SIGNATURE SCHEME [FUC09]

The automorphic signature scheme is secure under:

DEFINITION (AWFCDH ASSUMPTION)

Given (G1,Ga1,G2) ∈ G×1

2 ×G×2 for a← Zp, it is infeasible to outputa tuple (Gb

1,Gab1 ,G

b2,G

ab2 ) ∈ G×1

2 ×G×22 for an arbitrary b ∈ Zp.

DEFINITION (q-ADHSDH ASSUMPTION)

Given (G1,F,K,Gx1,G2,Gx

2) ∈ G×14 ×G×2

2 for x← Zp, and q− 1

tuples (Ai := (K · Gri1 )

1x+ci ,C1,i := Fci ,C2,i := Gci

2 ,R1,i := Gri1 ,R2,i :=

Gri2 )q−1

i=1 , where ci, ri ← Zp, it is infeasible to output a new tuple (A∗,C∗1 ,C

∗2 ,R∗1,R∗2).


FISCHLIN’S GENERIC CONSTRUCTION FOR BLIND SIGNATURES

To get a round-optimal blind signature, Fischlin’s framework [Fis06]:

1 The user sends a commitment C to the message M to the signer.

2 The signer responds with a signature σ on the commitment C.3 The final blind signature Σ is a NIZK PoK Π of C and σ s.t.

1 σ is a valid signature on C w.r.t. pk.2 C is a commitment to M.


SIGNER-ANONYMOUS BLIND SIGNATURES

In Fischlin’s framework If:

1 The PoK used is re-randomizable and independent of the publicterms, e.g. Groth-Sahai proofs.

2 The signature scheme has the property that all the termsinvolving the message in the verification equations areindependent of the signature components relying on the signingkey, e.g. [Fuc09].

, we obtain a signer-anonymous blind signature.



Modify the Fischlin’s framework as follows:

1 The user sends a commitment C to the message M.2 The signer signs C and responds with a PoK Π′ of σ and pk s.t.

1 σ is a valid signature on C w.r.t. pk.3 The user proceeds as follows:

1 Re-randomizes Π′ into a fresh proof Π.2 Adds to Π a proof that C is a commitment to M.

The final signer-anonymous blind signature Σ is Π.



Security:

I Unforgeability: As in Fischlin’s framework.I Blindness: As in Fischlin’s framework + Re-randomizability of

the PoK.I Anonymity: The hiding (i.e. NIWI/NIZK) properties of the

PoK.


FROM A SIGNER-ANONYMOUS BS TO A GBS

To extend the signer-anonymous BS to a GBS, we need:

1 A signature scheme CERT to certify members’ public keyswhen they join.

⇒ Give skCERT to the Issuer as ik.

2 Give the PoK extraction key to the Opener as ok.

3 The signer additionally needs to prove that he has a certificate onhis public key w.r.t. pkCERT, i.e. that he is a member of the group.


INSTANTIATIONS

I Instantiation IThe Join Protocol: Uses the NCL signature scheme.The Signing Protocol: Based on the BS by [Fuc09] (i.e. Theautomorphic signature scheme + GS proofs).

Assumptions: DH-LRSW, SXDH, AWFCDH and q-ADHSDH.

I The Pros ,: More efficient (signature size is G381 + G36

2 ).I The Cons /: Involves some interactive intractability

assumptions (i.e. the DH-LRSW assumption).


INSTANTIATIONS

I Instantiation IIThe Join Protocol: Uses the automorphic signature scheme [Fuc09].The Signing Protocol: Based on the BS by [Fuc09] (i.e. theautomorphic signature scheme [Fuc09] + GS proofs).

Assumptions: SXDH, AWFCDH and q-ADHSDH.

I The Pros ,: Only relies on falsifiable intractability assumptions.I The Cons /: Less efficient (signature size is G42

1 + G382 ).


ACHIEVING FULL ANONYMITY

Groth-Sahai proofs are not simulation-sound⇒ when simulating, wecan no longer answer Open queries.

Q: How to achieve full anonymity?A: One way is to combine Groth-Sahai proofs with an IND-CCA2encryption scheme.I ⇒ The signer additionally encrypts the witness and proves that it

was done correctly. When simulating, decrypt the ciphertext torecover the witness.

The encryption scheme needs to be re-randomizable, e.g. maybe wecould use an IND-RCCA encryption scheme.


SUMMARY

I A formal security model for the primitive.I Round-optimal constructions.I The first constructions without idealized assumptions.


OPEN PROBLEMS

I Efficient fully-anonymous instantiations.I More efficient constructions without idealized assumptions.


THE END

Thank you for your attention!Questions?


formalizing group blind signatures and practical ... · formalizing group blind signatures and...

Documents