From 7afe13529ed720dfbb89e71fd15c9fd87d19c265 Mon Sep 17 00:00:00 2001 From: Fabrice Mouhartem Date: Thu, 19 Apr 2018 15:05:11 +0200 Subject: [PATCH] Sigmasig intro continue --- chap-sigmasig.tex | 109 ++++++++++++++++++++++++++++++---------------- 1 file changed, 71 insertions(+), 38 deletions(-) diff --git a/chap-sigmasig.tex b/chap-sigmasig.tex index dca1d5b..57f1108 100644 --- a/chap-sigmasig.tex +++ b/chap-sigmasig.tex 
@@ -1,8 +1,27 @@ -%-------------------------------------------------- -In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction. -Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message. -Akin to blind signatures, while being less restrictive, this scheme allows is a building block that can be used to construct anonymous credentials~\cite{Cha85,CL01}, compact e-cash~\cite{CHL05a}, revocable group signatures~\cite{NFHF09}, oblivious transfer with access control~\cite{CDN09} or certified private set intersection protocols~\cite{CZ09}. +% \chapter{Pairing-Based Dynamic Group Signatures} +% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages} +% \label{ch:sigmasig} +%------------------------------------------------- +In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}. +Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner. + +This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority). 
+ +As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on. +Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}. +To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message. +Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations). + +We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups. +Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting. +(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication. 
+ +In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption. +Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map. +From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements. + +This signature length is made possible by using $\QANIZK$ %-------------------------------------------------- @@ -751,7 +770,7 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i %~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~% -\section{Our Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig} +\section{The Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique} We adapt the protocol of section~\ref{scal-sig} to build a dynamic group 
@@ -871,41 +890,41 @@ with prospective users. However, this limitation can be removed using an extract C_2 & = h^\theta, & C_\ID & = v^\ID \cdot X_\ID^\theta, %\quad \end{align*} - % and + % and \begin{align*} %\label{sham-rel-3} \lefteqn{\big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \cdot e(\Omega, \hat g_6) \big)} \\ %\nonumber - & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} + & = \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{\theta} \cdot\big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-\ID} . - \end{align*} - Namely, sample random $r_\ID, r_\theta \sample \U(\Zp)$, compute - \begin{eqnarray*} + \end{align*} + Namely, sample random $r_\ID, r_\theta \sample \U(\Zp)$, compute + \begin{eqnarray*} &\begin{aligned} R_1 &= g^{r_\theta}, & R_2 &= h^{r_\theta}, & R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta}, - \end{aligned}\\ + \end{aligned}\\ &\begin{aligned} - R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta} \\ & ~\qquad - \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID} - \end{aligned} + R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta} + \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID} + \end{aligned} \end{eqnarray*} - and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. - Finally compute $ s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~in~$\Zp$. + and then define $c$ as $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. + Finally compute the two responses $s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~both in~$\Zp$. 
\item Return the signature $\Sigma $ which consists of \begin{equation} \label{gsig-sigma} \hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta) - \in\GG^7\times\Zp^3 \vspace{-1mm} + \in\GG^7\times\Zp^3 \end{equation} % \end{enumerate} % -\begin{description} - \item[\textsf{Verify}$(\gspk, M, \Sigma)$:] - Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as - $(C_1, C_2, C_z, C_\sigma, C_\ID)$. - Then, output 1 if the the zero-knowledge proof verifies. Namely, -\end{description} + \begin{description} + \item[\textsf{Verify}$(\gspk, M, \Sigma)$:] + Parse the signature $\Sigma$ as in \eqref{gsig-sigma} and $C_{\mathsf{CS}}$ as + $(C_1, C_2, C_z, C_\sigma, C_\ID)$. + Then, output 1 if the the zero-knowledge proof verifies. Namely, + \end{description} \begin{enumerate} \item Compute the group elements $R_1$, $R_2$, $R_3\in\GG$ as: %\begin{eqnarray} @@ -925,7 +944,7 @@ with prospective users. However, this limitation can be removed using an extract %\qquad \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \big)^{-c} %\end{aligned} \label{gsig-verif-2} %\end{eqnarray} - % + % \begin{eqnarray} &\begin{gathered} \begin{aligned} 
@@ -937,15 +956,17 @@ with prospective users. However, this limitation can be removed using an extract \end{aligned} \end{gathered} \end{eqnarray} - and the element $R_4\in\GT$ as - \begin{align} \nonumber + and the element $R_4\in\GT$ as + \begin{equation} + \label{gsig-verif-2} + \begin{aligned} \lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} - \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} - \\ \label{gsig-verif-2} + \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} \\ & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) - \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \nonumber \\ - & \qquad \cdot e(\Omega, \hat g_6) \big)^{-c} . - \end{align} + \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) + \cdot e(\Omega, \hat g_6) \big)^{-c}. + \end{aligned} + \end{equation} \item Return $1$ if $ 
@@ -959,8 +980,13 @@ with prospective users. However, this limitation can be removed using an extract \begin{enumerate} %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing - $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, - $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. + % $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, + % $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. + \begin{gather*} + \sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, \qquad + \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z},\\ + V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}. + \end{gather*} %\begin{align*} % \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, & % r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\ @@ -997,7 +1023,10 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas %--------------------------------------------------------------------- \subsection{Security} -\begin{theorem} \label{gsig-anon} +The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively. +The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability. + +\begin{theorem} \label{th:sgsig-anonymity} If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} \end{theorem} 
@@ -1174,10 +1203,9 @@ extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. T simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment. -\begin{theorem} +\begin{theorem} \label{th:sgsig-mis-identification} In the ROM, the scheme is secure against mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$. - \vspace{-1mm} \end{theorem} % \begin{proof} @@ -1245,9 +1273,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re \begin{theorem} %[Non-frameability] -\label{non-frame} - In the ROM, the scheme is secure against framing attacks under the SDL assumption \vspace{-1mm} + \label{th:sgsig-non-frameability} +In the ROM, the scheme is secure against framing attacks under the SDL assumption. \end{theorem} + \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. @@ -1394,3 +1423,7 @@ number $N$ of group users (like \cite{BCN+10}). \section{Implementation results} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation} + +An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}. + +The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
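Review bot: In hunk `@@ -1,8 +1,27 @@`, the new intro ends mid-sentence: "+This signature length is made possible by using $\QANIZK$" has no continuation before the `%----` rule, so the build will print a dangling fragment; finish the sentence or mark it with a `\todo` until the next commit. The added lines also carry several spelling and agreement errors that should be fixed while the text is being written: "Camenish" (Camenisch), "digital signatures that comes with ... that allows" (come with ... allow), "commited", "accross", "groups elements", "are inherently bigger and leads to" (lead to), and "In this Chapter" should use lowercase "chapter" in running text (it appears twice). Two consistency points in the same hunk: the LRSW sentence says "$\mathcal{O}(n)$ group elements to encode an $\ell$-block message" while the next sentence uses "$\bigO(1)$ ... $\ell$-block", so use $\ell$ and the `\bigO` macro in both; and the Camenisch and Lysyanskaya scheme is cited as `\cite{CL04a}` in the first paragraph but as `\cite{CL04}` in "a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04}" two paragraphs later, so check which key is meant. The Pointcheval and Sanders sentence has no citation at all.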
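Review bot: In hunk `@@ -751,7 +770,7 @@`, the renamed heading "+\section{The Dynamic Group Signatures Scheme}" still pluralises "Signatures"; the usual term is "group signature scheme", and the French `\addcontentsline` entry on the next line already uses the singular "signature de groupe dynamique". While this line is being touched, note that the label `sse:sigmagis-gsig` looks like a typo for `sigmasig`; renaming it is only safe together with every `\ref`/`\cref` that points at it, which this one-file patch does not show.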
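Review bot: In hunk `@@ -871,41 +890,41 @@`, whitespace-only changes (the re-indented `\begin{align*}`, `\end{align*}`, `\end{aligned}\\` and `\begin{description}` lines) are mixed with the three wording changes, which makes the real edits hard to review; please keep indentation fixes in a separate commit. Of the wording changes, "+ and then define $c$ as $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$." names $c$ twice; "and then compute $c = H(\ldots)$" is enough. Joining the $R_4$ definition onto a single row by dropping the old `\\ & ~\qquad` break puts six pairings on one line of the `eqnarray*`, so check the PDF for an overfull box. The re-indented line "+ Then, output 1 if the the zero-knowledge proof verifies. Namely," is now an added line, so the doubled "the the" should be fixed here.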
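Review bot: Hunk `@@ -925,7 +944,7 @@` changes only trailing whitespace on a commented line ("- %" / "+ %"); it is unrelated to the commit subject and belongs in the same whitespace-only commit as the other indentation changes, or can be dropped.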
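Review bot: In hunk `@@ -937,15 +956,17 @@`, `\lefteqn` is kept inside the new `aligned` block, but `\lefteqn` is an `eqnarray` device and the second row "+ & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)" then aligns against a zero-width first row, which gives unpredictable placement. Since the display is now a single `equation`, either use `multline` (first row left, last row right) or drop `\lefteqn{...}` and start the first row with `&` so that both rows are left-aligned at the same point. Moving `\label{gsig-verif-2}` onto the `equation` is the right fix for the label previously attached to one `align` row while the others were `\nonumber`.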
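Review bot: In hunk `@@ -959,8 +980,13 @@`, the old inline decryption formulas are kept as two commented-out lines ("+ % $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,") directly above the new `gather*`, and the file already carries a second commented-out `align*` version of the same formulas below; delete the dead copies, since git keeps the history. In the new display, "+ V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}." is missing the `\cdot` between the last two factors that the sibling formulas for $\sigma_1$ and $\pi$ have, and the missing space after `=` is inconsistent with them.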
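Review bot: In hunk `@@ -997,7 +1023,10 @@`, the added sentence "+The security of the above dynamic group signature scheme, namely full anonymity, ... are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively." pairs the singular subject "The security" with "are expressed"; suggest "The security properties of the above scheme, namely full anonymity, security against mis-identification attacks and security against framing attacks as defined in \cref{sse:gs-sec-notions}, are stated in \cref{th:sgsig-anonymity,th:sgsig-mis-identification,th:sgsig-non-frameability} respectively" (cleveref handles the list and the "and" itself). The same paragraph uses the bare macros `\SXDH` and `\SDL` in text mode while the theorem two lines below writes `$\SXDH$`; pick one convention. Renaming `\label{gsig-anon}` to `th:sgsig-anonymity` breaks any `\ref`/`\cref{gsig-anon}` elsewhere in the thesis, and this patch touches only `chap-sigmasig.tex`, so grep the other chapters before merging.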
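Review bot: In hunk `@@ -1174,10 +1203,9 @@`, the mis-identification theorem now states the assumption "under the $\SXDH$ assumption in $(\GG,\Gh)$" while the anonymity theorem in the same patch says "If $\SXDH$ holds in $(\GG, \Gh, \GT)$"; since SXDH is an assumption about $\GG$ and $\Gh$ only, pick one of the two group tuples and use it in all three theorems. Dropping the `\vspace{-1mm}` is consistent with the other removals of these conference-layout hacks in this patch.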
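Review bot: In hunk `@@ -1245,9 +1273,10 @@`, the label rename from `non-frame` to `th:sgsig-non-frameability` needs the same cross-reference check as the `gsig-anon` rename: nothing in this patch updates a `\ref{non-frame}`, so an undefined reference elsewhere would only show up at build time. The restated theorem "+In the ROM, the scheme is secure against framing attacks under the SDL assumption." writes plain "SDL" while the new paragraph in the Security subsection uses the `\SDL` macro; use the macro here as well. Adding the final period and the blank line before `\begin{proof}` is fine.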
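Review bot: In hunk `@@ -1394,3 +1423,7 @@`, the two added sentences need a wording pass: "has been made in \texttt{C}" reads better as "was written in \texttt{C}"; "\textit{Relic toolkit}" in the first sentence becomes "The relic toolkit" in the second, so fix the capitalisation and italics to one form; and "+The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros." repeats "implementation(s)" and mismatches number, so suggest "The Relic toolkit provides pairing computations, hash functions (here SHA-256) and benchmarking macros." Also confirm that the citation key `AG` for the toolkit resolves in the bibliography, since a one-word key is easy to get wrong.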