@ -4,25 +4,34 @@
%-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures that comes with companion zero-knowledge proofs that allows a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols as anonymous credentials~\cite{CL01}, which is similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
We note that beside the scheme presented in this section, we are only aware of two schemes based on a fixed-size assumption: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
We note that beside the scheme presented in this section, we are only aware of two schemes based on fixed-size assumptions: (1) a variant of the Camenisch and Lysyanskaya scheme~\cite{CL04} due to Gerbush, Lewko, O'Neill and Waters~\cite{GLOW12} in composite order groups.
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature size for an $\ell$-block message consists of only $4$ groups elements.
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
This signature length is made possible by using $\QANIZK$
This signature length is made possible by using efficient $\QANIZK$ arguments -- as presented in~\cref{sse:zk-nizk} and formally defined in~\cite{JR13} -- to prove the belonging to some linear subspace spanned by the rows of a matrix.
For this purpose, it was shown that for this specific task, the size of the argument may be independent of the dimension of the considered subspace~\cite{JR14,LPJY14,KW15}.
The signature scheme described in this chapter (\cref{scal-sig}) crucially takes advantage of this observation as $\ell$-block messages are certified using a $\QANIZK$ argument for a subspace of dimension $\bigO(\ell)$.
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
As another showcase for this signature, we also design another primitives.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this Chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
%--------------------------------------------------
\section{Building blocks}
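Review bot: the complexity index in the Camenisch and Lysyanskaya comparison does not match the message-length variable: the sentence says an $\ell$-block message needs `$\mathcal{O}(n)$ group elements`, while the very next sentence counts in $\ell$ and writes `$\bigO(1)$`; make it $\bigO(\ell)$ and use the `\bigO` macro in both places. In the same hunk, the Pointcheval and Sanders scheme is discussed without a `\cite` although every other scheme in the paragraph has one; the opening says the protocols are in the `\cite{CL04a}` fashion but the chapter outline at the end says `\cite{CL02a}`, so one of the two keys is wrong; and several wording defects survive into the new lines: `only $4$ groups elements` (group elements), `we also design another primitives` (another primitive), `accross distinct privacy-preserving authentication` (across, authentications), `are inherently bigger and leads to` (lead to), `both in term of` (in terms of), `at the 128-bits security` (128-bit security level), and `most signature schemes rely on` after `Before the works described in this Chapter` should be past tense.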
@ -111,7 +120,7 @@ Moreover, we show that their scheme remains unforgeable under the $\SXDH$ assump
\setlength{\arraycolsep}{0.3em}\def\arraystretch{1.3}
\left(\begin{array}{c|c|c|c}
g & \mathbf{1}_{{}_{\ell+1}} & \mathbf{1}_{{}_{\ell+1}} & h \\ \hline
\vec{v}^\top & g^{\mathbf{I_{\ell+1}}} & h^{\mathbf{I_{\ell+1}}}
\vec{v}^\top & g^{\mathbf{I}_{\ell+1}} & h^{\mathbf{I}_{\ell+1}}
& \mathbf{1}_{{}_{\ell+1}}^\top
\end{array}\right) ,
\end{equation}
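Review bot: the change to `\mathbf{I}_{\ell+1}` is the right fix, but the all-ones blocks in the same matrix still use the nested-group form `\mathbf{1}_{{}_{\ell+1}}`, which typesets the dimension as a second-level subscript and now looks different from the identity block beside it; write `\mathbf{1}_{\ell+1}` and `\mathbf{1}_{\ell+1}^\top` for the three occurrences so every block of the matrix carries its dimension in the same style.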
@ -1023,8 +1032,8 @@ This results in a modified opening algorithm which takes $O(N)$ in the worst-cas
%---------------------------------------------------------------------
\subsection{Security}
The security of the above dynamic group signature scheme, namely full anonymity, security against mis-identifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and mis-identification, and on the \SDL assumption for non-frameability.
The security of the above dynamic group signature scheme, namely full anonymity, security against misidentifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in \cref{th:sgsig-anonymity}, \cref{th:sgsig-mis-identification} and~\cref{th:sgsig-non-frameability} respectively.
The security relies on the \SXDH assumption for anonymity and misidentification, and on the \SDL assumption for non-frameability.
\begin{theorem} \label{th:sgsig-anonymity}
If $\SXDH$ holds in $(\GG, \Gh, \GT)$, the scheme is CCA-anonymous in the random oracle model. %
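Review bot: the rename to `misidentification` leaves the sentence `The security of the above dynamic group signature scheme, namely full anonymity, security against misidentifications and security against framing attacks that are defined in \cref{sse:gs-sec-notions} are expressed in` with a plural verb on a singular subject; `The security properties of the above ... are expressed in` (or `is expressed in`) reads correctly. The label `th:sgsig-mis-identification` keeps the hyphenated spelling, which is harmless for a label, but the notion names in the section behind `\cref{sse:gs-sec-notions}` must be renamed in the same commit or the text and the definitions will disagree. Also note the hunk header context `modified opening algorithm which takes $O(N)$`: that line still uses a plain $N$ for the number of group users while the last hunk of this commit introduces `$\Ngs$` for exactly that quantity.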
@ -1205,7 +1214,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
\begin{theorem} \label{th:sgsig-mis-identification}
In the ROM, the scheme is secure against
mis-identification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
misidentification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$.
\end{theorem}
%
\begin{proof}
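Review bot: the statement now reads `In the ROM, the scheme is secure against misidentification attacks under the $\SXDH$ assumption in $(\GG,\Gh)$`, but the anonymity theorem a few lines earlier states its hypothesis as `If $\SXDH$ holds in $(\GG, \Gh, \GT)$` and spells out `random oracle model`; use one group tuple and one wording for the model in both theorems, since a reader will otherwise wonder whether $\SXDH$ over $(\GG,\Gh)$ and over $(\GG,\Gh,\GT)$ are meant to differ. The lone `%` lines (one trailing the anonymity statement, one just before `\begin{proof}`) are leftover comment markers and can be dropped.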
@ -1216,7 +1225,7 @@ simulate the proof of knowledge of $\ID$ (by programming a random oracle) and re
the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge.\\
%After the extraction, the reduction can then call the corresponding oracles to simulate the game without having
%information it does not hold.
\indent Let us assume an attacker $\adv$ against the mis-identification game that wins with non-negligible
\indent Let us assume an attacker $\adv$ against the misidentification game that wins with non-negligible
probability $\varepsilon$. We build an adversary $\bdv$ against the chosen-message security of the signature
scheme of section~\ref{scal-sig}. \medskip
\\
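Review bot: `the reduction can extract witnesses of which knowledge is demonstrated by the signature of knowledge` is hard to parse; `extract the witnesses whose knowledge is demonstrated by the signature of knowledge` says the same thing. Two smaller points in the same lines: `section~\ref{scal-sig}` mixes with the `\cref{scal-sig}` used in the introduction, so use `\cref` here too; and `\medskip` followed by a bare `\\` on its own line and then a blank line ends the paragraph on an empty line, which LaTeX reports as an underfull hbox, so the `\\` should go (the `\medskip` alone gives the intended vertical space).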
@ -1417,13 +1426,31 @@ Their scheme provides signatures composed of only $2$ group elements in $\GG$ an
Our main contribution compared to these schemes is to provide size-comparable signatures --\,we recall that our scheme is
composed of $7$ group elements and $3$ scalars in $\Zp$\,-- while relying on standard, constant-size assumptions.
Moreover, we can notice that we can save one element in $\GG$ at the expense of a linear-time opening algorithm in the
number $N$ of group users (like \cite{BCN+10}).
number $\Ngs$ of group users (like \cite{BCN+10}).
%On the other hand, the comparison of computational cost is not straightforward, as it is not clear if the computation of $e(x^\alpha, \hat x) \cdot e(y^\beta, \hat y)$ is easier than the computation
\section{Implementation results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats d'implantation}
\section{Experimental Results}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Résultats expérimentaux}
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
An implementation of the aforementioned group signature scheme has been made in \texttt{C} using the \textit{Relic toolkit} for pairing-based cryptography~\cite{AG} and is available at the following address:~\url{https://gforge.inria.fr/projects/sigmasig-c/}.
The relic toolkit provides implementation for pairing computations, hash functions implementations (here SHA-256) as well as benchmarking macros.
The benchmarking was made on a single-core of an \textit{Intel\textregistered{} Core\texttrademark{} i5-7500 CPU @ 3.40GHz} (Kaby Lake architecture) with 6MB of cache.
To implement pairings, the relic library implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve.
Figures are available in Table~\ref{ta:sigmasig-figures}.
\begin{table}
\centering
\begin{tabular}{|c|r|r|}
\hline
\textbf{Algorithm/Protocol} & \textbf{Our scheme} & \textbf{Standard deviation}\\
\hline \hline
\textsf{Keygen} & 9.70 ms & 2.18 ms \\ \hline
\textsf{Join} & 23.16 ms & 0.11 ms \\ \hline
\textsf{Sign} & 15.70 ms & 0.04 ms \\ \hline
\textsf{Verify} & 26.91 ms & 0.04 ms \\ \hline
\end{tabular}
\caption{Experimental results for the Pairing-Base group signature scheme}
\label{ta:sigmasig-figures}
\end{table}
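Review bot: the new benchmark table has no row for the opening algorithm, which is the one operation whose cost this chapter actually argues about (the `$O(N)$` opening trade-off in the hunk header context and the `linear-time opening algorithm in the number $\Ngs$ of group users` sentence just above), and it reports a standard deviation without saying how many runs were averaged; add an `Open` row and the iteration count, and check why `Keygen` shows a 2.18 ms deviation on a 9.70 ms mean when the other three rows are at or below 0.11 ms (a first-run warm-up or RNG seeding effect would explain it, and should then be excluded or stated). The setup sentence `implements the Barreto-Naehrig~\cite{BN06} curve over a 256 bits curve` should say a 256-bit prime field, and it sits uneasily next to the `128-bits security` claim for the 320-byte signatures in the introduction of this chapter: after the 2016 number-field-sieve improvements, BN curves over 256-bit fields are estimated well below 128-bit security, so either qualify that claim or state that the timings are for the parameters provided by the library. Smaller points: `Pairing-Base` in the caption (Pairing-Based); `The relic toolkit provides implementation for pairing computations, hash functions implementations` (provides implementations of pairings and hash functions); `Relic`, `relic toolkit` and `relic library` should be capitalised the same way; the column header `Our scheme` should carry the unit, e.g. `Time (ms)`; and the renamed section `Experimental Results` is title-cased while `Building blocks` earlier in the chapter is not.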