Sigmasig intro continue

Fabrice Mouhartem 2018-04-19 15:05:11 +02:00
parent 51dab3fb67
commit 7afe13529e


@ -1,8 +1,27 @@
%-------------------------------------------------- % \chapter{Pairing-Based Dynamic Group Signatures}
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction. % \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message. % \label{ch:sigmasig}
Akin to blind signatures, while being less restrictive, this scheme allows is a building block that can be used to construct anonymous credentials~\cite{Cha85,CL01}, compact e-cash~\cite{CHL05a}, revocable group signatures~\cite{NFHF09}, oblivious transfer with access control~\cite{CDN09} or certified private set intersection protocols~\cite{CZ09}. %-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements.
This signature length is made possible by using $\QANIZK$
%-------------------------------------------------- %--------------------------------------------------
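Review bot: the new introduction needs a grammar and consistency pass before it replaces the old one. On line 16, "signatures that comes with companion zero-knowledge proofs that allows ... of a commited message" should read "signatures that come with companion zero-knowledge proofs that allow ... of a committed message", and "Camenish" on the same line should be "Camenisch" as it is on line 20. Line 20 counts the signature as $\mathcal{O}(n)$ group elements for an $\ell$-block message while line 21 writes $\bigO(1)$; use $\bigO(\ell)$ so the variable matches the message length and the macro matches the next sentence. Line 24 has "accross" and line 27 "groups elements" should be "group elements". Line 16 now cites CL04a for the Camenisch-Lysyanskaya signatures where the removed line cited CL04, and line 19 attaches CL04a to hidden-order groups and CL04 to bilinear groups; worth checking which key is which before the two get mixed up. The final sentence on line 28, "This signature length is made possible by using $\QANIZK$", is cut off; acceptable for a work-in-progress commit, but it should not reach a build as-is.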
@ -751,7 +770,7 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i
%~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~% %~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%
\section{Our Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig} \section{The Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique}
We adapt the protocol of section~\ref{scal-sig} to build a dynamic group We adapt the protocol of section~\ref{scal-sig} to build a dynamic group
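Review bot: line 34 still references the earlier section with `section~\ref{scal-sig}` while the new text on line 18 uses `\cref{ch:proofs}`; since cleveref is in use, `\cref{scal-sig}` keeps the cross-reference style uniform. The title change from "Our" to "The" is fine.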
@ -886,16 +905,16 @@ with prospective users. However, this limitation can be removed using an extract
R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta}, R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta},
\end{aligned}\\ \end{aligned}\\
&\begin{aligned} &\begin{aligned}
R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta} \\ & ~\qquad R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta}
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID} \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID}
\end{aligned} \end{aligned}
\end{eqnarray*} \end{eqnarray*}
and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$. and then define $c$ as $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$.
Finally compute $ s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~in~$\Zp$. Finally compute the two responses $s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~both in~$\Zp$.
\item Return the signature $\Sigma $ which consists of \item Return the signature $\Sigma $ which consists of
\begin{equation} \label{gsig-sigma} \begin{equation} \label{gsig-sigma}
\hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta) \hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)
\in\GG^7\times\Zp^3 \vspace{-1mm} \in\GG^7\times\Zp^3
\end{equation} \end{equation}
% %
\end{enumerate} \end{enumerate}
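Review bot: dropping `\vspace{-1mm}` on line 48 leaves the companion `\hspace{-1.25em}` on line 47, which is the same kind of manual spacing hack inherited from the paper layout; if the intent is to remove those tweaks, that one should go with it. Joining the two lines of $R_4$ (lines 39-40) into a single `aligned` row is fine, but the row is now long; check that it does not overflow the text width without the break.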
@ -938,14 +957,16 @@ with prospective users. However, this limitation can be removed using an extract
\end{gathered} \end{gathered}
\end{eqnarray} \end{eqnarray}
and the element $R_4\in\GT$ as and the element $R_4\in\GT$ as
\begin{align} \nonumber \begin{equation}
\label{gsig-verif-2}
\begin{aligned}
\lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta} \lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta}
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} \cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} \\
\\ \label{gsig-verif-2}
& \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1) & \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)
\cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \nonumber \\ \cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5)
& \qquad \cdot e(\Omega, \hat g_6) \big)^{-c} . \cdot e(\Omega, \hat g_6) \big)^{-c}.
\end{align} \end{aligned}
\end{equation}
\item Return $1$ if \item Return $1$ if
$ $
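Review bot: `\lefteqn` on line 59 is carried over from the `align` version into the new `equation`+`aligned` block. It is a LaTeX kernel macro written for `eqnarray` (a zero-width `\rlap` box), and here the first row of the `aligned` contains no `&` while the second row on line 62 starts with one, so the alignment point is fixed by the second row alone and the first row overhangs it. A `split` or `multline` environment with the `&` placed before the `\cdot` on line 62 expresses the same two-line product without the overhang trick. Moving `\label{gsig-verif-2}` from the `\\` on line 61 to the `equation` on line 57 is correct, since the label now attaches to the single equation number.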
@ -959,8 +980,13 @@ with prospective users. However, this limitation can be removed using an extract
\begin{enumerate} \begin{enumerate}
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$. %\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing \item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
$\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$, % $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
$ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$. % $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
\begin{gather*}
\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, \qquad
\pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z},\\
V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}.
\end{gather*}
%\begin{align*} %\begin{align*}
% \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, & % \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, &
% r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\ % r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\
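Review bot: in the new display on line 78, $V_\ID = C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$ lacks the `\cdot` between the two powers that the $\sigma_1$ and $\pi$ lines on lines 76-77 have; the slip is carried over from the old inline version on line 74. Lines 73-74 are also commented out rather than deleted and now sit next to the already commented `align*` block starting on line 80; since the old form survives in git history, deleting both keeps the source readable.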
@ -997,7 +1023,10 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
%--------------------------------------------------------------------- %---------------------------------------------------------------------
\subsection{Security} \subsection{Security}
\begin{theorem} \label{gsig-anon} The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
\begin{theorem} \label{th:sgsig-anonymity}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm} If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
\end{theorem} \end{theorem}
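Review bot: the new paragraph on line 86 has a number-agreement problem: "The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in ... are expressed in" would read correctly as "The security properties of the above dynamic group signature scheme, namely full anonymity, security against mis-identification attacks and security against framing attacks, as defined in \cref{sse:gs-sec-notions}, are expressed in". Line 87 uses the `\SDL` macro while the non-frameability theorem on line 103 writes "SDL assumption" in plain text; pick one. Renaming the label `gsig-anon` to `th:sgsig-anonymity` on line 88 is only safe if every `\ref` or `\cref` to `gsig-anon` elsewhere in the chapter is updated in the same commit; this hunk shows only the definition.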
@ -1174,10 +1203,9 @@ extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. T
simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment. simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment.
\begin{theorem} \begin{theorem} \label{th:sgsig-mis-identification}
In the ROM, the scheme is secure against In the ROM, the scheme is secure against
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$. mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
\vspace{-1mm}
\end{theorem} \end{theorem}
% %
\begin{proof} \begin{proof}
@ -1245,9 +1273,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{theorem} %[Non-frameability] \begin{theorem} %[Non-frameability]
\label{non-frame} \label{th:sgsig-non-frameability}
In the ROM, the scheme is secure against framing attacks under the SDL assumption \vspace{-1mm} In the ROM, the scheme is secure against framing attacks under the SDL assumption.
\end{theorem} \end{theorem}
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\ \begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$. \indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1. To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
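Review bot: line 102 renames the label `non-frame` to `th:sgsig-non-frameability`, which matches the `\cref` on line 86, but as with the anonymity theorem any existing reference to `non-frame` in the proofs must be updated too. Line 103 writes "the SDL assumption" in plain text while line 87 uses `\SDL`; use the macro here for consistency. The proof on line 105 ends its first paragraph with a trailing `\\` followed by `\indent` on line 106, a manual line break; a blank line gives a normal paragraph break without the hack.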
@ -1394,3 +1423,7 @@ number $N$ of group users (like \cite{BCN+10}).
\section{Implementation results} \section{Implementation results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation} \addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
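Review bot: line 112 needs tidying: "The relic toolkit" should match the "\textit{Relic toolkit}" spelling on line 111, and "provides implementation for pairing computations, hash functions implementations (here SHA-256)" reads better as "provides implementations of pairing computations and hash functions (here SHA-256)". On line 111, "has been made in \texttt{C}" would be more idiomatic as "was written in \texttt{C}". Since the section title promises results, it should also name the pairing-friendly curve and security level the benchmarks use; neither appears in the added text.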