Traceable Signatures

Aggelos Kiayias, University of Connecticut
joint work with Moti Yung (Columbia University) and Yiannis Tsiounis (Etolian)

Posted 08-Jan-2016 (PowerPoint presentation, 34 slides)

DESCRIPTION

Traceable Signatures. Aggelos Kiayias, University of Connecticut; joint work with Moti Yung (Columbia University) and Yiannis Tsiounis (Etolian). Privacy advocates are vocal about loss of privacy in the electronic society. Authorities are worried about the potential abuse of anonymity systems.

TRANSCRIPT

Page 1: Traceable Signatures

Traceable Signatures

Aggelos Kiayias, University of Connecticut

joint work with Moti Yung (Columbia University) and Yiannis Tsiounis (Etolian)

Page 2: Traceable Signatures

Theme: Balancing Privacy and Identification

The state of things in multi-user environments:
Privacy advocates are vocal about loss of privacy in the electronic society.
Authorities are worried about the potential abuse of anonymity systems.

CRYPTO: can it be used to reconcile the two sides?

Page 3: Traceable Signatures

Goals

User's actions must remain anonymous.
Nevertheless a primitive must offer various mechanisms that allow the conditional revocation of anonymity.

Methodology: develop primitives allowing various tradeoffs between privacy and identification.

Page 4: Traceable Signatures

A basic building block for anonymity systems: signatures and identification

In a transaction-based environment: Digital Signatures and Identification Mechanisms.

Goal #1: Provide Privacy
Goal #2: Develop a sufficient set of tracing mechanisms.

Page 5: Traceable Signatures

Related Primitives

Group Signature / Identity Escrow: a user can sign / get identified "on behalf" of the group.
The Group Manager can open a signature / identification transcript.
Anonymity-unlinkability: verification is performed using the group's public key.
Opening is an anonymity revocation mechanism.

Is it sufficient?

Page 6: Traceable Signatures

Motivation

Consider the following setting:
Underlying network infrastructure provides sufficient anonymity.
Typical Abstract Large System:
Many users.
Many remote verification points.
Users issue (anonymous/group) signatures that get aggregated and verified at various points.

Page 7: Traceable Signatures

Anonymity System

[Figure: users submit transactions anonymously; accumulation of transactions at distributed verification points.]

Page 8: Traceable Signatures

Scenario #1: Suspicious Transactions

[Figure: distributed verification points. Input: "This transaction is suspicious!!" The GM: "OPEN!"]

Group Signature does exactly this!!!

Page 9: Traceable Signatures

But…

Page 10: Traceable Signatures

Scenario #2: Suspicious USER

[Figure: distributed verification points. Input: "User X is engaging in illegal activity." The GM: "I WILL OPEN ALL OF THEM!!!" The users: "NO!!"]

Page 11: Traceable Signatures

Shortcomings

Signatures from remote verification points must be aggregated. (Load Balancing Concerns)
The authority must open all signatures, thus severely (and unnecessarily) violating the privacy of many users. (Privacy Concerns)
The authority is typically a distributed entity, so that opening requires the collaboration of many agents. (Efficiency Concerns)

Outcome: group signatures are insufficient for dealing with the above tracing request / anonymity revocation functionality.

Page 12: Traceable Signatures

Scenario #3: Who owns your privacy?

[Figure: distributed verification points. "YOU HAVE BEEN NEGLECTING YOUR DUTIES!!" The user: "NO!!"]

Privacy is a personally managed good. In many cases it is very important that the user be able to prove that he did something, if he wishes.

Page 13: Traceable Signatures

Possible Approach

User can prove in ZK that he knows the randomness of his signature.
User needs to remember the randomness for all his signatures: unreasonable storage requirement.
A stateless technique must be provided.

Page 14: Traceable Signatures

Our Solution: Traceable Signatures

An anonymous signature scheme that deals efficiently with:
Scenario #1: opening a signature (as in group signatures).
Scenario #2: tracing all signatures of a named user (with load balancing).
Scenario #3: allowing a user to claim a signature.

Page 15: Traceable Signatures

Our Results

Formal Security Model of the notion of Traceable Signatures.
Efficient Construction of a secure Traceable Signature Scheme.
Traceable Signatures: an extension of Group Signatures. Bonus: our construction provides a secure group signature in the sense of ACJT 2000.
First construction that is provably secure in a formal model.

Page 16: Traceable Signatures

Traceable Signatures

Participants:
Users.
Group Manager (responsible for group administration and tracing functions).

Page 17: Traceable Signatures

Operations

1. Setup
2. Join (interactive protocol)
3. Sign
4. Verify
5. Open (given a signature, reveals the identity of the signer)
6. Reveal (reveals the tracing trapdoor of user i)
7. Trace (given a tracing trapdoor, tests whether a given signature matches the trapdoor)
8. Claim (to claim a signature by its owner)
9. Claim_Verify

Page 18: Traceable Signatures

Our Security Model

Abstract Attack: the Adversary interacts with an Interface through the queries pubQ, keyQ, joinaQ, joinpQ, joinbQ, corrQ, signQ, revealQ.
The Interface represents a perspective of the system in the real world.
Different subsets of queries classify possible attacks.
Adversarial Goal.

Page 19: Traceable Signatures

Queries

pubQ: returns the public key.
keyQ: returns the GM's secret key.
joinaQ: causes the interface to execute a JOIN dialog and return the transcript to the adversary.
joinpQ: causes the interface to execute a JOIN dialog with the adversary, the interface playing the role of the GM.
joinbQ: causes the interface to execute a JOIN dialog with the adversary, the interface playing the role of a user.
revealQ: given <i>, the interface returns the tracing trapdoor of user i.
signQ: given <i, m>, the interface returns a signature on m generated by the i-th user.

Page 20: Traceable Signatures

The MISIDENTIFICATION attack

Adversary queries: pubQ, joinaQ, joinpQ, signQ, revealQ.
The Interface represents the system collectively: good users and the GM.
The adversary forges a traceable signature that EITHER does not open to the controlled group (the users it introduced itself), OR does not trace to at least one of the members of the controlled group.

Captures: Unforgeability, Coalition Resistance

Page 21: Traceable Signatures

The FRAMING attack

Adversary queries: pubQ, keyQ, joinbQ, signQ.
The Interface represents a handful of good users in a hostile environment.
The adversary forges a traceable signature that EITHER does open to one of the good users, OR does trace to at least one of the good users.

Captures: Exculpability

Page 22: Traceable Signatures

The ANONYMITY attack

The adversary operates in two stages. Reminiscent of a CCA2 attack on the "Reveal function".
The Interface represents the GM.
Stage 1 queries: pubQ, joinaQ, joinpQ, revealQ, signQ. The adversary selects two users i0, i1 (by name).
The Interface returns a signature using one of the two membership secrets.
Stage 2 queries: joinaQ, joinpQ, signQ, and revealQ on any user not in {i0, i1}.
The adversary guesses which of the two users signed.

Captures: Anonymity / Unlinkability (even against tracing agents)

Page 23: Traceable Signatures

Basic Tools

Basic tools need to be developed and investigated:
Discrete-Log Relation Sets: a useful notational tool for planning complex ZK proofs over groups of unknown order.
Drawing Random Powers: how to select a random power in QR(n) in an ideal fashion.

Page 24: Traceable Signatures

Discrete-Log Relation Sets over QR(n)

Definition. Let $G = QR(n)$ and let $A_1, \ldots, A_m$ be objects of $G$.
A set of relations is defined as tuples $\langle a_{i1}, \ldots, a_{im} \rangle$; each tuple element is an integer or is selected among a set of free variables.
The relation defined by tuple $i$ is $\prod_{j=1}^{m} A_j^{a_{ij}} = 1$.
Each free variable is assumed to belong to a specified integer interval.
The discrete-log relation set is the logical AND of all the relations PLUS the interval relations.

Theorem. For a given discrete-log relation set there exists a 3-move ZK proof that allows proving knowledge of a witness tuple for the free variables.
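The 3-move proof the theorem refers to, as an added worked example (not the authors' code): a Sigma-protocol prover and verifier for a discrete-log relation set over QR(n), made non-interactive with Fiat-Shamir. The relation encoding (a dict per relation mapping a base name to an integer exponent or a free-variable name), the toy modulus, the bit lengths and the function names are all this example's own choices; the interval relations are enforced only in the loose form usual for unknown-order groups (a bounded response implies the extracted witness lies in an expanded interval), not with the exact bounds of the paper's proof.

```python
"""Sigma-protocol proof of knowledge for a discrete-log relation set over QR(n),
made non-interactive with Fiat-Shamir. Added example, not the paper's code;
toy modulus, and the prover never uses |QR(n)|."""
import hashlib
import secrets
from math import gcd

# Constructed toy modulus: n = p*q with p = 2*509+1 and q = 2*593+1 both safe primes.
N = 1019 * 1187
WIT_BITS = 32      # free variables are assumed to lie in [0, 2^32)
CHAL_BITS = 128
SLACK_BITS = 80    # masking slack so responses statistically hide the witness
RESP_BITS = WIT_BITS + CHAL_BITS + SLACK_BITS


def rand_qr():
    """Random element of QR(n): square of a random unit."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return pow(r, 2, N)


def challenge(bases, relations, commitments):
    data = repr((sorted(bases.items()), relations, commitments)).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:CHAL_BITS // 8], "big")


def prove(bases, relations, witness):
    """bases: name -> element of QR(n). relations: list of {base_name: exponent}
    where an exponent is an int (constant) or a str (free variable); each relation
    asserts prod base^exponent == 1. witness: free variable -> int."""
    # Move 1: mask every free variable with a random t_v and commit to each relation's
    # free-variable part. Responses are integers, since the prover does not know |QR(n)|.
    t = {v: secrets.randbits(RESP_BITS) for v in witness}
    commitments = []
    for rel in relations:
        acc = 1
        for name, exp in rel.items():
            if isinstance(exp, str):
                acc = acc * pow(bases[name], t[exp], N) % N
        commitments.append(acc)
    c = challenge(bases, relations, commitments)             # move 2, via Fiat-Shamir
    responses = {v: t[v] + c * witness[v] for v in witness}  # move 3
    return commitments, responses


def verify(bases, relations, proof):
    commitments, responses = proof
    c = challenge(bases, relations, commitments)
    for rel, B in zip(relations, commitments):
        free, const = 1, 1
        for name, exp in rel.items():
            if isinstance(exp, str):
                free = free * pow(bases[name], responses[exp], N) % N
            else:
                const = const * pow(bases[name], exp, N) % N
        # prod base^(t_v + c*w_v) = B * (prod base^w_v)^c, and prod base^w_v = const^-1
        if free != B * pow(const, -c, N) % N:
            return False
    # Interval relations, in the loose form usual for unknown-order groups: a bounded
    # response implies the extracted witness lies in an expanded interval around [0, 2^WIT_BITS).
    return all(0 <= s < 2 ** (RESP_BITS + 1) for s in responses.values())


def demo():
    """Prove T2 = g^w and T3 = g^e h^w for the same hidden w: two relations, a shared witness."""
    g, h = rand_qr(), rand_qr()
    e, w = secrets.randbits(WIT_BITS), secrets.randbits(WIT_BITS)
    bases = {"g": g, "h": h, "T2": pow(g, w, N), "T3": pow(g, e, N) * pow(h, w, N) % N}
    relations = [{"g": "w", "T2": -1}, {"g": "e", "h": "w", "T3": -1}]
    good = verify(bases, relations, prove(bases, relations, {"e": e, "w": w}))
    bad = verify(bases, relations, prove(bases, relations, {"e": e + 1, "w": w}))
    return good, bad
```

The two relations in `demo()` are the first two rows of the header relation set from the signature construction later in the deck; the same `prove`/`verify` pair handles any number of rows, which is the point of the notation: the proof is assembled from the relation tuples rather than written by hand for each scheme.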

Page 25: Traceable Signatures

Drawing Random Powers

Two-player game. Ideal implementation:
Player A transmits a request to the TTP.
The TTP responds with a random $x$.
Player A responds with $C = a^x$.
The TTP checks that $C = a^x$.
The TTP gives player B the value $C$.
There exists an efficient implementation of the above game over QR(n) when $x$ is selected from a specified integer range.

Page 26: Traceable Signatures

Discrete-Log Representations of Arbitrary Powers

A discrete-log representation of an arbitrary power inside $G$ is a tuple $\langle A, e : x, x' \rangle$ over the base $a_0, a, b \in QR(n)$ that satisfies the condition $A^e = a_0 a^x b^{x'}$.

Theorem. Strong-RSA => any adversary that is given K discrete-log representations of arbitrary powers can find a new (different) discrete-log representation of an arbitrary power only with negligible probability of success.

Page 27: Traceable Signatures

Our Construction: The Basic Setup

Basic Ideas:
GM's public key: $n$ an RSA modulus, $a_0, a, b \in QR(n)$; also $g, h \in QR(n)$.
Every user will possess a discrete-log representation of an arbitrary power inside QR(n): $\langle A_i, e_i : x_i, x'_i \rangle$ where $A_i^{e_i} = a_0 a^{x_i} b^{x'_i}$.
Known to the GM except $x'_i$. The user's tracing trapdoor is $x_i$.
Employ drawing random powers to implement the Join protocol.

Page 28: Traceable Signatures

Anatomy of a Signature: the header

For a signature or identification the following values are computed: $T_1, T_2, T_3, T_4, T_5, T_6, T_7$.

$T_1 = A_i y^w$, $T_2 = g^w$: ElGamal encryption of $A_i$ under the GM's ElGamal public key $y$ (Opening).
$T_3 = g^{e_i} h^w$: control element.
$T_4 = g^{k x_i}$, $T_5 = g^k$: commitment to the $x$ value (Tracing).
$T_6 = g^{k' x'_i}$, $T_7 = g^{k'}$: commitment to the $x'$ value (Claiming).

Page 29: Traceable Signatures

Anatomy of a Signature: the rest

The user needs to prove in ZK that the header is well-formed. Employ a discrete-log relation set over the bases $a_0, a, b, y, g, h, T_1, \ldots, T_7$, with free variables $x, x', e, w$ and a free variable $h'$ standing for the product $e w$:
$T_2 = g^w$
$T_3 = g^e h^w$
$T_2^e = g^{h'}$
$T_1^e = a_0 a^x b^{x'} y^{h'}$
$T_4 = T_5^x$
$T_6 = T_7^{x'}$
together with the interval relations for the free variables.

Signature: Fiat-Shamir Transform.

Page 30: Traceable Signatures

Opening a Signature

Given a signature $T_1, \ldots, T_7$, the GM employs his ElGamal secret key to recover $A$ from $T_1, T_2$.
Recall: $A$ is part of the certificate of a user. $A$ is matched to some Join protocol transcript, and the signer is identified.

Page 31: Traceable Signatures

Tracing a user

Reveal: given the identity of a certain user, the GM obtains his Join protocol transcript and recovers the user's tracing trapdoor $x$.
Trace: given $x$ and a signature $T_1, \ldots, T_7$, we return $T_4 \stackrel{?}{=} T_5^{x}$.

Page 32: Traceable Signatures

Claiming a Signature

Given a signature $T_1, \ldots, T_7$, the signer computes a claim certificate as a NIZK proof of knowledge of the discrete logarithm of $T_6$ base $T_7$.
The proof can be "designated verifier" to avoid claim adoption by the receiver.
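The header construction, Open, Reveal, Trace and Claim of the last five slides, as an added toy implementation (not the authors' code) over QR(n) with tiny safe primes. The class and function names, the toy modulus and the fixed list of primes $e_i$ are this example's own; two simplifications are labelled in the code: the GM picks the tracing trapdoor $x_i$ by itself instead of drawing it jointly with the user, and the well-formedness proof of the header (the discrete-log relation set) is left out, so only the Claim step carries a zero-knowledge proof. The claim proof is a plain Schnorr-style NIZK, not the designated-verifier variant.

```python
"""Toy traceable-signature header over QR(n) with Open, Reveal, Trace and Claim.
Added example for this deck, not the authors' code; tiny parameters, and the
well-formedness ZK proof of the header (discrete-log relation set) is omitted."""
import hashlib
import secrets
from math import gcd

# Constructed toy parameters: n = p*q with p = 2*509+1, q = 2*593+1 safe primes.
P, Q = 1019, 1187
N = P * Q
ORD = ((P - 1) // 2) * ((Q - 1) // 2)   # |QR(n)| = p'q', known only to the GM
E_PRIMES = [100003, 100019, 100043]     # distinct primes e_i (all coprime to ORD)

def rand_qr():
    """Random element of QR(n): square of a random unit."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and gcd(r, N) == 1:
            return pow(r, 2, N)

def challenge(*vals):
    """128-bit Fiat-Shamir challenge."""
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest()[:16], "big")

class GroupManager:
    def __init__(self):
        self.a0, self.a, self.b, self.g, self.h = (rand_qr() for _ in range(5))
        self.s = secrets.randbelow(ORD - 1) + 1   # ElGamal secret key, used by Open
        self.y = pow(self.g, self.s, N)
        self.members = {}                          # i -> (A_i, e_i, x_i) from the Join transcript

    def public_key(self):
        return (self.a0, self.a, self.b, self.g, self.h, self.y)

    def join(self, i, C):
        """Issue <A_i, e_i : x_i, x'_i> from the user's C = b^{x'_i}; the GM never learns x'_i.
        Toy simplification: the GM picks x_i alone instead of drawing it jointly with
        the user, and the user's proof that C is well formed is omitted."""
        x = secrets.randbelow(ORD - 1) + 1         # tracing trapdoor, kept by the GM
        e = E_PRIMES[len(self.members)]
        base = self.a0 * pow(self.a, x, N) * C % N
        A = pow(base, pow(e, -1, ORD), N)          # so that A^e = a0 * a^x * b^{x'}
        self.members[i] = (A, e, x)
        return A, e, x

    def open(self, sig):
        A = sig[0] * pow(sig[1], -self.s, N) % N   # ElGamal decryption: A = T1 / T2^s
        return next((i for i, (Ai, _, _) in self.members.items() if Ai == A), None)

    def reveal(self, i):
        return self.members[i][2]

def trace(x, sig):
    """Tracing agent's test with a revealed trapdoor x: is T4 == T5^x?"""
    return sig[3] == pow(sig[4], x, N)

class User:
    def __init__(self, pk):
        self.pk = pk
        self.xp = secrets.randbelow(1 << 32) + 1   # x'_i, known only to the user

    def commitment(self):
        return pow(self.pk[2], self.xp, N)         # C = b^{x'_i}

    def set_cert(self, A, e, x):
        self.A, self.e, self.x = A, e, x

    def sign_header(self):
        a0, a, b, g, h, y = self.pk
        w, k, kp = (secrets.randbelow(1 << 40) + 1 for _ in range(3))
        T1 = self.A * pow(y, w, N) % N             # T1, T2: ElGamal encryption of A_i (Opening)
        T2 = pow(g, w, N)
        T3 = pow(g, self.e, N) * pow(h, w, N) % N  # control element
        T5 = pow(g, k, N)
        T4 = pow(T5, self.x, N)                    # g^{k x_i}: commitment to x_i (Tracing)
        T7 = pow(g, kp, N)
        T6 = pow(T7, self.xp, N)                   # g^{k' x'_i}: commitment to x'_i (Claiming)
        return (T1, T2, T3, T4, T5, T6, T7)

    def claim(self, sig):
        """Claim certificate: Schnorr-style NIZK proof of knowledge of log_{T7} T6, with an
        integer response (the user does not know |QR(n)|); the mask t is far larger than
        challenge * x'_i so that the response statistically hides x'_i."""
        T6, T7 = sig[5], sig[6]
        t = secrets.randbits(240)
        R = pow(T7, t, N)
        return R, t + challenge(T6, T7, R) * self.xp

def claim_verify(sig, proof):
    T6, T7 = sig[5], sig[6]
    R, s = proof
    return pow(T7, s, N) == R * pow(T6, challenge(T6, T7, R), N) % N

def demo():
    gm = GroupManager()
    alice, bob = User(gm.public_key()), User(gm.public_key())
    for i, u in ((1, alice), (2, bob)):
        u.set_cert(*gm.join(i, u.commitment()))
    s1, s2, sb = alice.sign_header(), alice.sign_header(), bob.sign_header()
    x_alice = gm.reveal(1)
    return {
        "open": gm.open(s1),                                       # 1
        "trace_alice": trace(x_alice, s1) and trace(x_alice, s2),  # both of Alice's signatures
        "trace_bob_with_alice_trapdoor": trace(x_alice, sb),       # False
        "fresh_headers": s1 != s2,                                 # same signer, different headers
        "claim_ok": claim_verify(s1, alice.claim(s1)),             # True
        "claim_by_wrong_user": claim_verify(sb, alice.claim(sb)),  # False
    }
```

`demo()` shows the three revocation paths side by side: Open recovers $A$ and therefore the signer; Trace with Alice's revealed trapdoor matches every one of her headers but none of Bob's, without opening anything; and a Claim by anyone other than the true signer fails. Because the two headers from the same signer differ in $T_4, T_5$ (fresh $k$), nobody without the trapdoor can link them, which is exactly why the tracing agents need $x_i$ rather than a table of past signatures.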

Page 33: Traceable Signatures

Security

Theorem (both the interactive and the non-interactive version, the latter in the ROM):
Security against Misidentification (Strong-RSA, DDH).
Anonymity (DDH).
Security against Framing (DLog over a prime-order subgroup of QR(n)).
Random Oracle Model for the Signature Version.

Page 34: Traceable Signatures

Conclusion

New Primitive: Traceable Signatures and Identification.
Technical Tools: Discrete-Log Relation Set notation and ZK proofs; Drawing Random Powers.
Formal Model + Security Proof: subsumes Group Signatures.

Main Applications:
Traceable Identification and Signing.
Fair anonymity in large systems.
Traceability can be used directly to implement CRL-based member revocation; coupled with the "Camenisch-Lysyanskaya revocation" it is possible to capture both types of revocation: forward (CL) and backwards (CRL).