Post on 12-Jan-2016
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
Masayuki Abe, NTT
Jens Groth, University College London
Miyako Ohkubo, NICT
Mehdi Tibouchi, NTT
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
• Unified
• Minimal
  – Small signatures and low verification complexity
  – Single group element public verification keys
• Selectively randomizable
  – Strong existential unforgeability
  – Randomizability
[Figure: Type I, Type II, Type III]
Mathematical structures in cryptography
• Cyclic prime order group
• Useful mathematical structure
  – ElGamal encryption
  – Pedersen commitments
  – Schnorr proofs
  – …
Pairing-based cryptography
• Groups with pairing
• Additional mathematical structure
  – One-round tripartite key exchange
  – Identity-based encryption
  – Short digital signatures
  – NIZK proofs
  – …
Structure-preserving cryptography
• Preserve mathematical structure of pairing groups
  – Communication consists of group elements in
  – Use generic group operations
    • Multiplication, membership testing, pairing
  – Avoid structure-destroying operations
    • No cryptographic hash-functions
• Modular design
  – Structure-preserving building blocks easy to combine
Bilinear group setup
  – Groups of prime order
  – Bilinear map
• , ,
• Types
  – Type I: and
  – Type II: but there is efficient
  – Type III: and no efficient homomorphism
Symmetric setting: conceptually simple
Asymmetric setting: most efficient
Structure-preserving signatures
• Setup describes bilinear group and random group elements in
• Verification key has group elements in
• Messages consist of group elements in
• Signatures consist of group elements in
• Verifier uses pairing product equations to check validity of signatures, e.g.,
Composition with other structure-preserving primitives
• Easy to compose structure-preserving signatures with other structure-preserving primitives
• ElGamal encryption is structure-preserving
  – Can encrypt signature
• Groth-Sahai proofs are structure-preserving
  – Can give NIZK proof that message has been signed
• And vice versa
  – Can sign ElGamal ciphertexts and Groth-Sahai proofs
Lower bounds for Type I and III pairings
• Theorem
  – A structure-preserving signature scheme must have at least 2 verification equations
  – A structure-preserving signature created by a signer that only uses generic group operations must be at least 3 group elements
• Holds even for
  – Existential unforgeability under random message attack
  – Single group element messages
Sketch of proof
• Cannot have a single verification equation
  – Two signatures can be combined to forgery on third message
• Each message must have many potential signatures
  – Signer using generic group operations must compute signature as linear combination of group elements from setup and message
  – If signatures are (quasi-)unique then possible to create forgery as linear combination of two previous signatures
• A signature must have at least 3 group elements
  – Suppose the signature has only 1 or 2 group elements
  – Verification involves 2 equations in 1 or 2 unknowns
  – For a given message we have at most 4 solutions
  – This makes the signature scheme quasi-unique
New structure-preserving signature scheme
• Return ;
• Return
• : Return
• Accept if and only if
Security
• Theorem
  – The signature scheme is strongly existentially unforgeable under adaptive chosen message attack in the generic group model
Need 4 group elements to base security on non-interactive assumptions [AGHO11], so strong assumption necessary to get optimal size signatures
Optimal
• Signature: 3 group elements
• Verification: 2 verification equations
  – Prior art gave optimality in the asymmetric setting, but new in the symmetric setting
  – Shows attacker’s extra capability in the symmetric setting does not necessitate extra signature size
• For one-time signatures the picture is different
  – Asymmetric setting: 1 verification equation possible
  – Symmetric setting: 2 verification equations necessary
Minimal verification key
• Setup:
• Public verification key:
  – Single group element in verification key
• Certification chains
  – Use to sign , use to sign , etc.
  – Symmetric setting
    • Automorphic: Verification keys can be signed
  – Asymmetric setting
    • Can build certification chain by alternating between and
Unified
• The signature scheme works in all types of bilinear groups, both symmetric and asymmetric
  – Separation of elements and operations in
  – Therefore possible to use it even in asymmetric groups
• Security holds in all types of groups
  – Even in the symmetric setting , which enables the adversary to mix and match components
Unified
• Conceptual simplicity
  – A single signature scheme that works in all settings
• Resistance towards cryptanalysis
  – Use scheme in the asymmetric setting
  – Even if cryptanalysts discover an efficiently computable isomorphism between the scheme may still be secure
[Figure: Type I, Type II, Type III]
Randomization
• Strong existential unforgeability
  – Cannot forge signature on new message
  – Cannot change signature on previously signed message
• Existential unforgeability + randomizability
  – Cannot forge signature on new message
  – Can randomize signature on previously signed message
• Perfect randomization when randomized signature looks like fresh random signature on the same message
Selective randomizability
• Signer can make randomization token for signature
  – Randomization token makes it possible to randomize
  – Without randomization token not possible to randomize
• Strong existential unforgeability under adaptive chosen message and token attack
  – Adversary can get signatures with or without tokens
  – Cannot forge signature on new message
  – Cannot create new signature on previously signed message unless it has a randomization token
Selective randomizability
• Accept if and only if
• Randomization token
• Randomization with randomization token
Summary
• Minimal
  – Signature: 3 group elements
  – Verification key: 1 group element
  – Verification: 2 equations
• Unified
• Selectively randomizable
  – Strong existential unforgeability
  – Randomizable with token
[Figure: Type I, Type II, Type III]