This commit is contained in:
Fabrice Mouhartem 2018-06-13 18:12:48 +02:00
parent f4d1b3bd43
commit d64ed1df22
3 changed files with 27 additions and 26 deletions


@ -1,4 +1,4 @@
In this Chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
In this chapter, we present the first dynamic group signature scheme that relies on lattice assumptions.
This construction relies on a signature scheme with efficient protocols as in~\cref{ch:sigmasig}, and it is used in a similar fashion.
As a consequence, it is possible to construct lattice-based anonymous credential from this building block.
The group signature scheme relies on the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme which will be used to provide full-anonymity.
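Review bot: the rewritten first line only changes "Chapter" to "chapter", while two problems in this hunk's context lines remain. "it is possible to construct lattice-based anonymous credential from this building block" should be plural ("anonymous credentials"), and "the Gentry, Peikert and Vaikuntanathan identity-based encryption~\cite{GPV08} with the Canetti, Halevi and Katz~\cite{CHK04} in order to obtain a CCA2-secure public key encryption scheme" is missing the noun the second citation refers to; suggest "combined with the Canetti, Halevi and Katz transformation~\cite{CHK04}". "full-anonymity" should not be hyphenated.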


@ -1,42 +1,43 @@
In this Part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} into the random oracle model to gain efficiency, while keeping the assumptions simple.
In this part, we will present two constructions for dynamic group signatures.
The construction that will be explained in \cref{ch:sigmasig} is an adaptation of the Libert, Peters and Yung short group signature in the standard model from classical pairing assumptions~\cite{LPY15} to the random oracle model, which allows us to gain efficiency while keeping the assumptions simple.
This gives us a constant-size group signature scheme that is shown to be competitive with other constructions based on less standard assumptions.
An implementation is available and detailed in \cref{ch:sigmasig}.
The second construction, described in \cref{ch:gs-lwe}, is a lattice-based dynamic group signature where the scheme from Ling, Nguyen and Wang~\cite{LNW15} for static groups has been improved to match requirements for dynamic groups.
This construction has been the first fully secure group signature scheme from lattices.
Before describing those scheme, let us recall in this Chapter the definition of dynamic group signatures and their related security definitions.
Before describing those schemes, let us recall in this chapter the definition of dynamic group signatures and their related security definitions.
\section{Background} \label{sse:gs-background}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Historique}
Dynamic group signatures are a solution to allow a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}) that can be publicly verified while remaining anonymous inside its group.
On the other hand, the user remains accountable for the signatures it provides as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using its own secret key.
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to enroll the group after an interaction with it.
Dynamic group signatures are a primitive that allows a user to authenticate a message on behalf of a set of users it belongs to (the \textit{group}). This can be publicly verified while the user remains anonymous inside his group.
On the other hand, the user remains accountable for the signatures he generates as there exists an authority, the \textit{opening authority}, that can lift the anonymity of a given signature using his own secret key.
In the dynamic setting, a group signature scheme has a second authority: the \textit{group manager}, that allows a user to join the group after an interaction with him.
These interactions are summarized in Figure~\ref{fig:gs-relations}.
The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}, but the works of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures.
In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed a formal definition for \textit{static} group signatures, where the group is defined once and for all at the setup phase.
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. Those two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
The concept of group signatures was introduced by Chaum and van Heyst in 1991~\cite{CVH91}. Nevertheless, the work of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first to provide scalable and secure group signatures.
In 2003, Bellare, Micciancio and Warinschi~\cite{BMW03} proposed formal security definitions for \textit{static} group signatures, where the group is defined \textit{once-and-for-all} at the setup phase.
This model was extended to dynamic groups by Bellare, Shi and Zhang (BSZ) and Kiayias and Yung~(KY) in 2005~\cite{BSZ05,KY06}. These two security models are slightly different, and we choose in this thesis to build our proofs in the~\cite{KY06} model as described in~\cref{sse:gs-definitions}.
The \cite{BMW03}~model summarize the security of a group signature scheme in two notions: \textit{anonymity} and \textit{traceability}.
The former notions models the fact that without the opening authority's secret, even if everyone colludes, no one can trace back a user from a signature; the latter sum up the fact that even if everyone is corrupted (even the opening authority), it is impossible to forge a valid signature that does not open to a valid user.
The \cite{BMW03}~model summarizes the security of a group signatures in two notions: \textit{anonymity} and \textit{traceability}.
The former notions models the fact that, without the opening authority's secret, even if everyone colludes, no one can trace a user from a signature; the latter sums up the fact that, even if everyone is corrupted (even the opening authority), it is infeasible to forge a valid signature that does not open to a valid user.
In the dynamically growing group setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
In this context, the two notions of the BMW model are kept, and a third one is added: the ``\textit{non-frameability}''.
This notion expresses the impossibility to frame a group of honest users in order to provide a signature that opens to one on them, \textit{even if the group manager and the opening authority are colluding}.
In the dynamic setting, the \textit{group private keys issuing} phase is replaced by an interactive \textit{join} protocol where a user that wants to join the group interacts with the group manager.
In this context, the two notions of the BMW model are retained, and a third one is added: the ``\textit{non-frameability}'' property.
This notion expresses the impossibility to frame a group of honest users (which can be reduced to a singleton) in order to provide a signature that opens to one of them, \textit{even if the group manager and the opening authority are colluding}.
One application of this primitive can be to handle anonymous access control for public transportation systems.
In order to commute, a person should prove the possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of \emph{users with a valid subscription} and when it takes the transport, it is asked to sign the timestamp of its entry in the name of the group.
One possible application of this primitive is anonymous access control for public transportation systems.
In order to commute, a person should prove possession of a valid subscription to the transportation service.
Thus, at registration to the service, the commuter joins the group of ``\emph{users with a valid subscription}'' and when it uses the transportation service, it is asked to sign the timestamp of its entry in the name of the group.
In case of misbehavior, another entity --\,let say the police\,-- is able to lift the anonymity of the signatures logged by the reading machine.
Then, the public transportation company is unable to learn anything from seeing the signatures, except the validity of the subscription of a user, and on the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
Then, the public transportation company is unable to learn anything from the signatures, except the validity of the subscription of a user. On the other hand, the police does not have access to the logs except if the public transportation company hands them to it.
Other applications of group signatures can be advocated as authentication of low-range communications for intelligent cars or anonymous access control of a building.
As we can see, most applications necessitate the use of \textit{dynamically growing} groups in order to be meaningful.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rise the problem of revocation and proposed a model that handle the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures, but as the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of interest~\cite{LNWX17}.
Bootle, Cerulli, Chaidos, Ghadafi and Groth~\cite{BCC+16} rose the problem of revocation and proposed a model that handles the issues that arose from the introduction of revocation called ``\textit{fully-dynamic}'' group signatures.
As the main difficulty is to allow users to dynamically enroll to the group --\,as revocation has been known to be implemented in a modular manner~\cite{LLNW14}\,-- this approach is not considered here, even if it is of some interests~\cite{LNWX17}.
\section{Formal Definition and Correctness} \label{sse:gs-definitions}
\addcontentsline{tof}{section}{\protect\numberline{\thesection} Définition formelle et correction}
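Review bot: several rewritten lines in this hunk introduce or keep grammatical errors. "the work of Ateniese, Camenisch, Joye and Tsudik in 2001~\cite{ACJT00} were the first" needs "was the first" now that "works" became "work"; "the security of a group signatures" should be "a group signature"; "The former notions models" should be "The former notion models"; "rose the problem of revocation" should be "raised the problem"; "of some interests" should be "of some interest"; "enroll to the group" should be "enroll in the group". The years and citation keys also disagree twice ("in 2001~\cite{ACJT00}" and "in 2005~\cite{BSZ05,KY06}"), which is worth checking against the bibliography. Finally, the transport example still refers to the commuter as "it" ("when it uses the transportation service, it is asked to sign") while the rewritten definition above switched to "he"/"his"; pick one pronoun throughout.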


@ -3,18 +3,18 @@
% \label{ch:sigmasig}
%-------------------------------------------------
In this Chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
In this chapter, we aim at lifting the \textit{signature with efficient protocols} from~\cite{LPY15} into the random oracle model in order to get an efficient construction~\cite{BR93}.
Signatures with efficient protocols in the Camenish and Lysyanskaya fashion~\cite{CL04a} are digital signatures which come with companion zero-knowledge proofs that allow a signature holder to prove knowledge of the signature of a commited message as well as proving possession of a hidden message-signature pair in a zero-knowledge manner.
This building block proved useful in the design of many efficient anonymity-related protocols such as anonymous credentials~\cite{Cha85,CL01}, which are similar to group signatures except that anonymity is irrevocable (meaning that there is no opening authority).
In other words, an anonymous credential scheme involves one (or more) credential issuer(s) and a set of users who have a long term secret key which can be seen as their digital identity, and pseudonyms that can be seen as commitments to their secret key.
Users can dynamically obtain credentials from an issuer that only knows users' pseudonyms and obliviously sign users' secret keys as well as a set of attributes.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of the issuer's certificate on their secret key withour revealing neither the signature nor the key.
Later on, users can make themselves known to verifiers under a different pseudonym and demonstrate possession of the issuer's certificate on their secret key without revealing neither the signature nor the key.
In this context, signature with efficient protocols can typically be used as follows:
the user obtains the issuer's signature on a committed message via an interactive protocol, and uses a protocol for proving that two commitments open to the same value (which allows proving that the same secret underlies two distinct pseudonyms) and finally a protocol for proving possession of a secret message-signature pair.
As explained in \cref{ch:proofs}, the \textit{quality} of a scheme depends on both its efficiency and the simplicity of the assumptions it relies on.
Before the works described in this Chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
Before the works described in this chapter, most signature schemes rely on groups of hidden order~\cite{CL04a} or non-standard assumptions in groups with bilinear maps~\cite{CL04, Oka06}.
To illustrate this multi-criteria quality evaluation, we can see that Camenisch and Lysyanskaya proposed a signature scheme that is secure in pairing-friendly groups but relies on the non-interactive LRSW assumption~\cite{LRSW99}; but this signature scheme requires $\mathcal{O}(n)$ group elements to encode an $\ell$-block message.
Pointcheval and Sanders improved this signature to go down to $\bigO(1)$ group elements for an $\ell$-block message, but which is only proven secure in the generic group model (a model where group accesses are handled by an oracle that performs the group operations).
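Review bot: "without revealing neither the signature nor the key" is a double negative; use "without revealing either the signature or the key" (or drop "without" and keep "revealing neither ... nor"). Elsewhere in this hunk: "Camenish" and "commited" are misspelled ("Camenisch", "committed"); "Before the works described in this chapter, most signature schemes rely on" wants the past tense "relied on"; and the complexity notation is inconsistent: "$\mathcal{O}(n)$ group elements to encode an $\ell$-block message" uses $n$ where $\ell$ is meant, and "$\mathcal{O}$" where the next sentence uses the "$\bigO$" macro.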
@ -22,7 +22,7 @@ We note that beside the scheme presented in this section, we are only aware of t
Due to this assumption, the groups that are used are inherently bigger and leads to less efficient representations than in prime order groups: for equivalent security level, Freeman~\cite{Fre10} estimates that computing a pairing over a group $N = pq$ is at least $50$ times slower than the same pairing in the prime order group setting.
(2) A construction by Yuen, Chow, Zhang and Yu~\cite{YCZY14} under the decision linear assumption~\cite{BBS04} which unfortunately does not support ``randomizable signature'', which is an important property in privacy-enhancing cryptography. An application of this property is, in the context of group signatures, the re-randomization of credentials accross distinct privacy-preserving authentication.
In this Chapter, we provide a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
In this chapter, we describe a new signature scheme with efficient protocols and re-randomizable signatures under a simple and well studied assumption.
Namely, the security of our scheme relies on the \SXDH assumption in groups of prime order with a bilinear map.
From an efficiency point of view, the signature for an $\ell$-block message consists of only $4$ groups elements.
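Review bot: "the signature for an $\ell$-block message consists of only $4$ groups elements" should read "group elements", and "well studied assumption" is normally hyphenated ("well-studied"). In the context lines: "the groups that are used are inherently bigger and leads to" should be "lead to" (the subject is "groups"), "accross" is misspelled, and "re-randomization of credentials accross distinct privacy-preserving authentication" reads better as "across distinct privacy-preserving authentications".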
@ -31,12 +31,12 @@ For this purpose, it was shown that for this specific task, the size of the argu
The signature scheme described in this chapter (\cref{scal-sig}) crucially takes advantage of this observation as $\ell$-block messages are certified using a $\QANIZK$ argument for a subspace of dimension $\bigO(\ell)$.
This construction natively supports efficient protocols to enhance privacy as described in \cref{new-proto}. Hence, our signature scheme enables the design of an efficient anonymous credentials system based on the sole \SXDH assumption.
As another showcase for this signature, we also design another primitives.
As another showcase for this signature, we also design another primitive.
Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions (namely \SXDH and \SDL).
This construction is competitive both in term of signature size and computation time with the best solutions based on non-interactive assumptions~\cite{BBS04,DP06} (in these cases, the Strong Diffie-Hellman assumption~\cite{BB04}).
Concretely, at the 128-bits security, each signature fits within $320$ bytes while providing the strongest sense of anonymity (meaning the definition in \cref{sec:RGSdefsecAnon}).
In this Chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
In this chapter, we will first recall the useful building blocks that are used to design and prove our signature scheme that supports efficient protocols in the~\cite{CL02a} fashion. Then we describe this scheme and we next give the construction and the proof for the group signature scheme for dynamically growing groups. Finally, we show the experimental results we obtain for this group signature scheme.
%--------------------------------------------------
\section{Building blocks}
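Review bot: the rewritten line "As another showcase for this signature, we also design another primitive." still repeats "another ... another", and the following line "Namely, a dynamic group signature scheme, as described in \cref{ch:gs-background}, which is practical and relies on simple assumptions" has no main verb; suggest merging them into "As a second showcase for this signature, we also design a dynamic group signature scheme (as described in \cref{ch:gs-background}) which is practical and relies on simple assumptions (namely \SXDH and \SDL)." Also in this hunk: "in term of signature size" should be "in terms of", and "at the 128-bits security" should be "at the 128-bit security level".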