Sigmasig intro continue
This commit is contained in:
parent
51dab3fb67
commit
7afe13529e
@ -1,8 +1,27 @@
|
|||||||
%--------------------------------------------------
|
% \chapter{Pairing-Based Dynamic Group Signatures}
|
||||||
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction.
|
% \addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Signatures de groupe dynamique à base de couplages}
|
||||||
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message.
|
% \label{ch:sigmasig}
|
||||||
Akin to blind signatures, while being less restrictive, this scheme allows is a building block that can be used to construct anonymous credentials~\cite{Cha85,CL01}, compact e-cash~\cite{CHL05a}, revocable group signatures~\cite{NFHF09}, oblivious transfer with access control~\cite{CDN09} or certified private set intersection protocols~\cite{CZ09}.
|
%-------------------------------------------------
|
||||||
|
|
||||||
|
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
|
||||||
|
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
|
||||||
|
|
||||||
|
This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
|
||||||
|
|
||||||
|
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
|
||||||
|
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
|
||||||
|
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
|
||||||
|
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
|
||||||
|
|
||||||
|
We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
|
||||||
|
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
|
||||||
|
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
|
||||||
|
|
||||||
|
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
|
||||||
|
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
|
||||||
|
From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements.
|
||||||
|
|
||||||
|
This signature length is made possible by using $\QANIZK$
|
||||||
|
|
||||||
|
|
||||||
%--------------------------------------------------
|
%--------------------------------------------------
|
||||||
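Review bot: the new introduction ends mid-sentence at `This signature length is made possible by using $\QANIZK$`; either finish the sentence in this commit or leave a `% TODO` so the fragment does not reach the compiled chapter. Smaller points in the same hunk: "Camenish" should read "Camenisch" and "commited" "committed"; "signatures that comes with companion zero-knowledge proofs that allows" needs plural verbs ("come", "allow"); "Before the works described in this Chapter, most signature schemes rely" wants the past tense ("relied"); "$\mathcal{O}(n)$ group elements to encode an $\ell$-block message" mixes $n$ and $\ell$ and uses `\mathcal{O}` where the next sentence uses `\bigO`; the Pointcheval and Sanders sentence carries no citation; the enumeration "(1) a variant ... (2) A construction ..." is split by the Freeman paragraph, so the two items read as unrelated sentences, and "groups ... leads to less efficient representations" should be "lead"; "accross" should be "across", "distinct privacy-preserving authentication" "authentications", and "$4$ groups elements" "group elements". Two things to double-check: the LRSW assumption of \cite{LRSW99} is defined with an oracle, i.e. it is interactive, so "non-interactive LRSW assumption" looks like a slip (perhaps for "non-standard"); and the citation for the Camenisch-Lysyanskaya signatures with efficient protocols was changed from `CL04` to `CL04a`, while a later sentence attributes hidden-order groups to `CL04a` and bilinear maps to `CL04`, so make sure the key points at the intended paper.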
@ -751,7 +770,7 @@ Since a malicious signer may know the simulation trapdoor $\mathsf{tk}=\{\chi_i
|
|||||||
|
|
||||||
|
|
||||||
%~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%
|
%~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%
|
||||||
\section{Our Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig}
|
\section{The Dynamic Group Signatures Scheme} \label{sse:sigmagis-gsig}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Construction de la signature de groupe dynamique}
|
||||||
|
|
||||||
We adapt the protocol of section~\ref{scal-sig} to build a dynamic group
|
We adapt the protocol of section~\ref{scal-sig} to build a dynamic group
|
||||||
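Review bot: the retitled `\section{The Dynamic Group Signatures Scheme}` uses a plural noun attributively; "The Dynamic Group Signature Scheme" is the usual form and matches the singular French ToC entry "Construction de la signature de groupe dynamique" kept on the next line. The label `sse:sigmagis-gsig` also looks like a typo for `sigmasig`; if it is renamed, every `\ref`/`\cref` to it must be updated in the same commit.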
@ -886,16 +905,16 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta},
|
R_3 &= v^{r_\ID} \cdot X_\ID^{r_\theta},
|
||||||
\end{aligned}\\
|
\end{aligned}\\
|
||||||
&\begin{aligned}
|
&\begin{aligned}
|
||||||
R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta} \\ & ~\qquad
|
R_4 &= \big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{r_\theta}
|
||||||
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID}
|
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-r_\ID}
|
||||||
\end{aligned}
|
\end{aligned}
|
||||||
\end{eqnarray*}
|
\end{eqnarray*}
|
||||||
and then $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$.
|
and then define $c$ as $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$.
|
||||||
Finally compute $ s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~in~$\Zp$.
|
Finally compute the two responses $s_\theta = r_\theta + c \cdot \theta$, $s_\ID = r_\ID + c \cdot \ID$~both in~$\Zp$.
|
||||||
\item Return the signature $\Sigma $ which consists of
|
\item Return the signature $\Sigma $ which consists of
|
||||||
\begin{equation} \label{gsig-sigma}
|
\begin{equation} \label{gsig-sigma}
|
||||||
\hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)
|
\hspace{-1.25em} \Sigma=(C_{\mathsf{CS}}, \tilde \sigma_2, \tilde \sigma_3, c, s_\ID, s_\theta)
|
||||||
\in\GG^7\times\Zp^3 \vspace{-1mm}
|
\in\GG^7\times\Zp^3
|
||||||
\end{equation}
|
\end{equation}
|
||||||
%
|
%
|
||||||
\end{enumerate}
|
\end{enumerate}
|
||||||
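Review bot: "and then define $c$ as $c = H(M, \ldots)$" says the same thing twice; "and then compute $c = H(M, C_{\mathsf{CS}},\tilde{\sigma}_2,\tilde{\sigma}_3, R_1, R_2, R_3, R_4)$" is enough and matches the "Finally compute the two responses" sentence that follows. Dropping the `\\ & ~\qquad` break puts the whole $R_4$ expression on one line of the `aligned` block; check the compiled output, since four pairings with two exponents are wide inside a two-column `eqnarray*`. The stated size $\GG^7\times\Zp^3$ is consistent with the tuple: the five components of $C_{\mathsf{CS}}$ plus $\tilde\sigma_2,\tilde\sigma_3$, and $c, s_\ID, s_\theta$.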
@ -938,14 +957,16 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\end{gathered}
|
\end{gathered}
|
||||||
\end{eqnarray}
|
\end{eqnarray}
|
||||||
and the element $R_4\in\GT$ as
|
and the element $R_4\in\GT$ as
|
||||||
\begin{align} \nonumber
|
\begin{equation}
|
||||||
|
\label{gsig-verif-2}
|
||||||
|
\begin{aligned}
|
||||||
\lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta}
|
\lefteqn{\big( e(X_z, \hat g_z) \cdot e(X_\sigma, \hat g_1) \big)^{s_\theta}
|
||||||
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}}
|
\cdot \big(e(\tilde \sigma_2, \hat g_2) \cdot e(\tilde \sigma_3, \hat g_4) \big)^{-s_\ID}} \\
|
||||||
\\ \label{gsig-verif-2}
|
|
||||||
& \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)
|
& \quad \cdot \big(e(C_z, \hat g_z) \cdot e(C_\sigma, \hat g_1)
|
||||||
\cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5) \nonumber \\
|
\cdot e(\tilde \sigma_2, \hat g_3) \cdot e(\tilde \sigma_3, \hat g_5)
|
||||||
& \qquad \cdot e(\Omega, \hat g_6) \big)^{-c} .
|
\cdot e(\Omega, \hat g_6) \big)^{-c}.
|
||||||
\end{align}
|
\end{aligned}
|
||||||
|
\end{equation}
|
||||||
|
|
||||||
\item Return $1$ if
|
\item Return $1$ if
|
||||||
$
|
$
|
||||||
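Review bot: `\lefteqn{...}` is an `eqnarray`-era command that typesets its argument in a zero-width box; inside the new `aligned` block the first two source lines therefore contribute no width to the first column, and the layout depends on how the `& \quad \cdot` continuation happens to line up, which amsmath does not guarantee. Prefer `multline` (one number for the whole display, first line flush left, last line flush right) or an `aligned`/`split` with `&` placed before `\cdot` on each continuation line and no `\lefteqn`, so that `\label{gsig-verif-2}` attaches to a single numbered equation as the edit intends. Moving the `\label` to the `equation` and dropping `\nonumber` look correct.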
@ -959,8 +980,13 @@ with prospective users. However, this limitation can be removed using an extract
|
|||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
%\item Parse the signature $\Sigma$ as per~\eqref{gsig-sigma} and $\mathcal{S}_\OA$ as $ \bigl(x_z, y_z, x_r, y_r, x_\sigma, y_\sigma, x_\ID, y_\ID \bigr)$.
|
||||||
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
|
\item Decrypt $C_{\mathsf{CS}}=(C_1, C_2, C_z, C_\sigma, C_\ID)$ by computing
|
||||||
$\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
|
% $\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}$,
|
||||||
$ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
|
% $ \pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z}$ and $V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}$.
|
||||||
|
\begin{gather*}
|
||||||
|
\sigma_1 = C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, \qquad
|
||||||
|
\pi = C_z \cdot C_1^{-x_z} \cdot C_2^{-y_z},\\
|
||||||
|
V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}.
|
||||||
|
\end{gather*}
|
||||||
%\begin{align*}
|
%\begin{align*}
|
||||||
% \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, &
|
% \tilde \sigma_1 &= C_\sigma \cdot C_1^{-x_\sigma} \cdot C_2^{-y_\sigma}, &
|
||||||
% r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\
|
% r &= C_r \cdot C_1^{-x_r} \cdot C_2^{-y_r},& \\
|
||||||
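Review bot: the two commented-out inline formulas (`% $\sigma_1 = ...$` and `% $ \pi = ...$`) duplicate what the new `gather*` displays and sit next to a third, older commented `align*` version of the same computation; delete them rather than keep three copies of the opening formulas. In the display itself, `V_\ID =C_\ID \cdot C_1^{-x_\ID} C_2^{-y_\ID}` is missing the `\cdot` before `C_2^{-y_\ID}` that the $\sigma_1$ and $\pi$ lines use, and the spacing around `=` should match them.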
@ -997,7 +1023,10 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
|
|||||||
%---------------------------------------------------------------------
|
%---------------------------------------------------------------------
|
||||||
\subsection{Security}
|
\subsection{Security}
|
||||||
|
|
||||||
\begin{theorem} \label{gsig-anon}
|
The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
|
||||||
|
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
|
||||||
|
|
||||||
|
\begin{theorem} \label{th:sgsig-anonymity}
|
||||||
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %\vspace{-1mm}
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
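Review bot: the new lead-in sentence of the Security subsection does not parse: "The security ..., namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in ..." needs a relative clause and a consistent subject, e.g. "The security properties of the above dynamic group signature scheme, namely full anonymity, security against mis-identification attacks and security against framing attacks, which are defined in \cref{sse:gs-sec-notions}, are stated in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and \cref{th:sgsig-non-frameability} respectively." The hunk also drops `\label{gsig-anon}` in favour of `th:sgsig-anonymity`; grep the rest of the thesis for `gsig-anon` so no `\ref` is left dangling. The summary sentence writes the assumption as `\SDL`, while the non-frameability theorem and its proof write plain "SDL"; use the macro in both places.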
@ -1174,10 +1203,9 @@ extract $\ID$ without rewinding the user at each execution of $\mathsf{Join}$. T
|
|||||||
simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment.
|
simulate the proof of knowledge of $\ID$ (by programming a random oracle) and rely on the hiding property of the extractable commitment.
|
||||||
|
|
||||||
|
|
||||||
\begin{theorem}
|
\begin{theorem} \label{th:sgsig-mis-identification}
|
||||||
In the ROM, the scheme is secure against
|
In the ROM, the scheme is secure against
|
||||||
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
|
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
|
||||||
\vspace{-1mm}
|
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
%
|
%
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
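Review bot: the three theorems now state their model and assumption differently: this one says "In the ROM ... under the $\SXDH$ assumption in $(\GG,\Gh)$", while th:sgsig-anonymity says "If $\SXDH$ holds in $(\GG, \Gh, \GT)$ ... in the random oracle model". Since the commit is already adding labels to align the three statements, pick one phrasing (spell out "random oracle model" on first use, and use the same group tuple) for all of them. Removing `\vspace{-1mm}` but leaving the blank line before `\end{theorem}` is harmless; the blank line could go as well.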
@ -1245,9 +1273,10 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
|
|||||||
|
|
||||||
|
|
||||||
\begin{theorem} %[Non-frameability]
|
\begin{theorem} %[Non-frameability]
|
||||||
\label{non-frame}
|
\label{th:sgsig-non-frameability}
|
||||||
In the ROM, the scheme is secure against framing attacks under the SDL assumption \vspace{-1mm}
|
In the ROM, the scheme is secure against framing attacks under the SDL assumption.
|
||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
|
\begin{proof} Let us assume that a PPT adversary $\adv$ can create, with advantage $\varepsilon$, a forgery $(M^\star,\sigma^\star)$ that opens to some honest user $i\in U^b$ who did not sign $M^\star$. We give a reduction $\bdv$ that uses $\adv$ to break SDL. \\
|
||||||
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
|
\indent Algorithm $\bdv$ takes as input an SDL instance $(g,\hat{g},g^a,\hat{g}^a)$ and uses its interaction with the adversary $\adv$ to compute $a \in \Zp$.
|
||||||
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
|
To generate the group public key $\gspk$, $\bdv$ runs all the steps of the real setup algorithm $\textsf{Keygen}$ except step 1.
|
||||||
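Review bot: renaming `\label{non-frame}` to `\label{th:sgsig-non-frameability}` breaks any existing `\ref{non-frame}` or `\cref{non-frame}` in the chapter unless they are updated in the same commit; check for them. Within the theorem, "the SDL assumption" is plain text; the `\SDL` macro used in the new Security lead-in should be used here and in the proof ("break SDL", "an SDL instance") for consistent typesetting. In the unchanged proof text, the `\\` followed by `\indent` to start the second paragraph is an `eqnarray`-style workaround that produces an underfull-hbox warning; a blank line gives the intended paragraph break.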
@ -1394,3 +1423,7 @@ number $N$ of group users (like \cite{BCN+10}).
|
|||||||
|
|
||||||
\section{Implementation results}
|
\section{Implementation results}
|
||||||
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}
|
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}
|
||||||
|
|
||||||
|
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
|
||||||
|
|
||||||
|
The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
|
||||||
|
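Review bot: "The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros" needs rewording, e.g. "The Relic toolkit provides implementations of pairing computations and hash functions (here SHA-256), as well as benchmarking macros"; capitalise "Relic" as in the previous sentence and use either `\textit{Relic toolkit}` or plain text for both occurrences. The new `\section{Implementation results}` is inserted with only blank lines before it and no `%---` rule, unlike the other sections and subsections in this file, which are preceded by one; add it for consistency.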