Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
Masayuki Abe, NTT
Jens Groth, University College London
Miyako Ohkubo, NICT
Mehdi Tibouchi, NTT
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
• Unified
• Minimal
  – Small signatures and low verification complexity
  – Single group element public verification keys
• Selectively randomizable
  – Strong existential unforgeability
  – Randomizability
Type I Type II Type III
Mathematical structures in cryptography
• Cyclic prime order group
• Useful mathematical structure
  – ElGamal encryption
  – Pedersen commitments
  – Schnorr proofs
  – …
Pairing-based cryptography
• Groups with pairing
• Additional mathematical structure
  – One-round tripartite key exchange
  – Identity-based encryption
  – Short digital signatures
  – NIZK proofs
  – …
Structure-preserving cryptography
• Preserve mathematical structure of pairing groups
  – Communication consists of group elements in
  – Use generic group operations
    • Multiplication, membership testing, pairing
  – Avoid structure-destroying operations
    • No cryptographic hash-functions
• Modular design
  – Structure-preserving building blocks easy to combine
Bilinear group setup
– Groups of prime order
– Bilinear map
• , ,
• Types
  – Type I: and
  – Type II: but there is efficient
  – Type III: and no efficient homomorphism
Symmetric setting: conceptually simple
Asymmetric setting: most efficient
Structure-preserving signatures
• Setup describes bilinear group and random group elements in
• Verification key has group elements in
• Messages consist of group elements in
• Signatures consist of group elements in
• Verifier uses pairing product equations to check validity of signatures, e.g.,
Composition with other structure-preserving primitives
• Easy to compose structure-preserving signatures with other structure-preserving primitives
• ElGamal encryption is structure-preserving
  – Can encrypt signature
• Groth-Sahai proofs are structure-preserving
  – Can give NIZK proof that message has been signed
• And vice versa
  – Can sign ElGamal ciphertexts and Groth-Sahai proofs
Lower bounds for Type I and III pairings
• Theorem
  – A structure-preserving signature scheme must have at least 2 verification equations
  – A structure-preserving signature created by a signer that only uses generic group operations must be at least 3 group elements
• Holds even for
  – Existential unforgeability under random message attack
  – Single group element messages
Sketch of proof
• Cannot have a single verification equation
  – Two signatures can be combined to forgery on third message
• Each message must have many potential signatures
  – Signer using generic group operations must compute signature as linear combination of group elements from setup and message
  – If signatures are (quasi-)unique then possible to create forgery as linear combination of two previous signatures
• A signature must have at least 3 group elements
  – Suppose the signature has only 1 or 2 group elements
  – Verification involves 2 equations in 1 or 2 unknowns
  – For a given message we have at most 4 solutions
  – This makes the signature scheme quasi-unique
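The first two steps of the sketch, run on a constructed toy scheme (an added example, not code or a scheme from the talk): a unique, one-element signature checked by a single verification equation, where two signatures on random messages combine linearly into a valid signature on a third message. The names `Elem`, `pairing`, `keygen`, `sign`, `verify`, `forge` and the scheme itself are assumptions for illustration; group elements are modelled by their discrete logs so that only generic group operations are exposed.

```python
import secrets

Q = 2**61 - 1  # prime group order of the toy model (constructed value)

class Elem:
    """Group element tracked by its discrete log; callers only use * and **."""
    def __init__(self, log, group="G"):
        self._log, self.group = log % Q, group
    def __mul__(self, other):          # group operation
        assert self.group == other.group
        return Elem(self._log + other._log, self.group)
    def __pow__(self, k):              # exponentiation by a known scalar
        return Elem(self._log * k, self.group)
    def __eq__(self, other):
        return (self.group, self._log) == (other.group, other._log)

G = Elem(1)  # generator of the symmetric (Type I) source group

def pairing(a, b):
    """e(G^a, G^b) = e(G, G)^(ab), computed on the tracked logs."""
    return Elem(a._log * b._log, "GT")

# Hypothetical toy scheme, NOT the scheme from the talk:
# sk = x, vk = X = G^x, signature on M is S = M^x (unique per message).
def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, G ** x

def sign(x, M):
    return M ** x

def verify(X, M, S):
    return pairing(S, G) == pairing(M, X)   # the single verification equation

def forge(M1, S1, M2, S2, a, b):
    """No secret key: combine two signed messages into a signed third one."""
    return (M1 ** a) * (M2 ** b), (S1 ** a) * (S2 ** b)

def demo():
    x, X = keygen()
    M1, M2 = (G ** secrets.randbelow(Q) for _ in range(2))  # random messages
    S1, S2 = sign(x, M1), sign(x, M2)
    M3, S3 = forge(M1, S1, M2, S2, 3, 5)
    fresh = M3 != M1 and M3 != M2
    return verify(X, M1, S1), fresh, verify(X, M3, S3)
```

`forge` never touches the secret key, which is why the random message attack named on the lower-bound slide already suffices against this toy.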
New structure-preserving signature scheme
• Return ;
• Return
• : Return
• Accept if and only if
Security
• Theorem
  – The signature scheme is strongly existentially unforgeable under adaptive chosen message attack in the generic group model
Need 4 group elements to base security on non-interactive assumptions [AGHO11], so strong assumption necessary to get optimal size signatures
Optimal
• Signature: 3 group elements
• Verification: 2 verification equations
  – Prior art gave optimality in the asymmetric setting, but new in the symmetric setting
  – Shows attacker’s extra capability in the symmetric setting does not necessitate extra signature size
• For one-time signatures the picture is different
  – Asymmetric setting: 1 verification equation possible
  – Symmetric setting: 2 verification equations necessary
Minimal verification key
• Setup:
• Public verification key:
  – Single group element in verification key
• Certification chains
  – Use to sign , use to sign , etc.
  – Symmetric setting
    • Automorphic: Verification keys can be signed
  – Asymmetric setting
    • Can build certification chain by alternating between and
Unified
• The signature scheme works in all types of bilinear groups, both symmetric and asymmetric
  – Separation of elements and operations in
  – Therefore possible to use it even in asymmetric groups
• Security holds in all types of groups
  – Even in the symmetric setting , which enables the adversary to mix and match components
Unified
• Conceptual simplicity
  – A single signature scheme that works in all settings
• Resistance towards cryptanalysis
  – Use scheme in the asymmetric setting
  – Even if cryptanalysts discover an efficiently computable isomorphism between the scheme may still be secure
Type I Type II Type III
Randomization
• Strong existential unforgeability
  – Cannot forge signature on new message
  – Cannot change signature on previously signed message
• Existential unforgeability + randomizability
  – Cannot forge signature on new message
  – Can randomize signature on previously signed message
• Perfect randomization when randomized signature looks like fresh random signature on the same message
Selective randomizability
• Signer can make randomization token for signature
  – Randomization token makes it possible to randomize
  – Without randomization token not possible to randomize
• Strong existential unforgeability under adaptive chosen message and token attack
  – Adversary can get signatures with or without tokens
  – Cannot forge signature on new message
  – Cannot create new signature on previously signed message unless it has a randomization token
Selective randomizability
• Accept if and only if
• Randomization token
• Randomization with randomization token
Summary
• Minimal
  – Signature: 3 group elements
  – Verification key: 1 group element
  – Verification: 2 equations
• Unified
• Selectively randomizable
  – Strong existential unforgeability
  – Randomizable with token
Type I Type II Type III