Designing a Dynamic Group Signature Scheme using Lattices

Size: px

Start display at page:

Download "Designing a Dynamic Group Signature Scheme using Lattices"

Dwayne Elliott
6 years ago
Views:

Benoît Libert ÉNS de Lyon, Team AriC, LIP 06/24/2015

1 Designing a Dynamic Group Signature Scheme using Lattices M2 Internship Defense Fabrice Mouhartem Supervised by Benoît Libert ÉNS de Lyon, Team AriC, LIP 06/24/2015 Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 1/26

2 Introduction Example Smart cars Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

3 Introduction Example Smart cars Anyone Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

4 Introduction Example Smart cars Authenticity Integrity Anyone Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

5 Introduction Example Smart cars Authenticity Integrity Anonymity Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

6 Introduction Example Smart cars Authenticity Integrity Anonymity Dynamicity Add cars Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

7 Introduction Example Smart cars Authenticity Integrity Anonymity Dynamicity Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

8 Introduction Example Smart cars Authenticity Integrity Anonymity Dynamicity Traceability Trace POLICE Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 2/26

9 Introduction Motivation Definition A dynamic group signature allows a member of a group to anonymously sign a message on behalf of the group, and allow new users to join at any time. Applications: smart cars, control in public transportation, anonymous access control (e.g. in public transportation)... Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 3/26

10 Introduction Motivation Definition A dynamic group signature allows a member of a group to anonymously sign a message on behalf of the group, and allow new users to join at any time. Applications: smart cars, control in public transportation, anonymous access control (e.g. in public transportation)... Main Differences Static Group GM distributes keys GM must be trusted Cannot add new users Dynamic Group U i makes his secret certified Even colluding GM/OA cannot sign on behalf of a honest group member Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 3/26

11 Introduction Motivation Advantages of dynamically growing groups: Add users without re-running the Setup phase; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 4/26

12 Introduction Motivation Advantages of dynamically growing groups: Add users without re-running the Setup phase; Even if everyone, including authorities, is dishonest, no one can sign in your name. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 4/26

13 Introduction History 1991 Introduced by Chaum and Van Heyst 2003 Formal model and definitions by Bellare, Micciancio and Warinschi for static groups. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 5/26

14 Introduction History 1991 Introduced by Chaum and Van Heyst 2000 First scalable solution by Ateniese, Camenisch, Joye and Tsudik 2003 Formal model and definitions by Bellare, Micciancio and Warinschi for static groups Model for dynamic groups by Bellare, Shi and Zhang 2006 Model for dynamic groups by Kiayias and Yung Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 5/26

15 Introduction History 1991 Introduced by Chaum and Van Heyst 2000 First scalable solution by Ateniese, Camenisch, Joye and Tsudik 2003 Formal model and definitions by Bellare, Micciancio and Warinschi for static groups Model for dynamic groups by Bellare, Shi and Zhang 2006 Model for dynamic groups by Kiayias and Yung 2010 First scheme based on lattices by Gordon, Katz and Vaikuntanathan with linear size in the max. size of the group 2013 Down to log-size by Laguillaumie, Langlois, Libert and Stehlé Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 5/26

16 Introduction History 1991 Introduced by Chaum and Van Heyst 2000 First scalable solution by Ateniese, Camenisch, Joye and Tsudik 2003 Formal model and definitions by Bellare, Micciancio and Warinschi for static groups Model for dynamic groups by Bellare, Shi and Zhang 2006 Model for dynamic groups by Kiayias and Yung 2010 First scheme based on lattices by Gordon, Katz and Vaikuntanathan with linear size in the max. size of the group 2013 Down to log-size by Laguillaumie, Langlois, Libert and Stehlé No dynamic group signature scheme based on lattices Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 5/26

17 Introduction Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n. Can be seen as integer linear combinations of a finite set of vectors. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 6/26

18 Introduction Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n. Can be seen as integer linear combinations of a finite set of vectors. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 6/26

19 Introduction Lattice-Based Cryptography Lattice A lattice is a discrete subgroup of R n. Can be seen as integer linear combinations of a finite set of vectors. Find a short vector in a lattice is hard. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 6/26

20 Introduction Lattice-Based Cryptography Why? Simple and efficient; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 7/26

21 Introduction Lattice-Based Cryptography Why? Simple and efficient; Conjectured resistant to a quantum adversary; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 7/26

22 Introduction Lattice-Based Cryptography Why? Simple and efficient; Conjectured resistant to a quantum adversary; Secure under worst-case hardness assumptions; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 7/26

23 Introduction Lattice-Based Cryptography Why? Simple and efficient; Conjectured resistant to a quantum adversary; Secure under worst-case hardness assumptions; Powerful functionalities. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 7/26

24 Definition Outline 1 Introduction 2 Definition 3 Presentation of the Scheme 4 Conclusion Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 8/26

25 Definition Presentation GM Sign Verify Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 9/26

26 Definition Presentation Anonymity Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 9/26

27 Definition Presentation S GM Join (cert i, sec i ) Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 9/26

28 Definition Presentation OA Open S OA Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/2015 9/26

29 Definition Dynamic Group Signature Dynamic Group Signature It is a tuple of algorithms (Setup, Join, Sign, Verify, Open) acting according to their name. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

30 Definition Dynamic Group Signature Dynamic Group Signature It is a tuple of algorithms (Setup, Join, Sign, Verify, Open) acting according to their name. Setup: Input: security parameter λ, bound on group size N Output: public parameters Y, group manager s secret key S GM, the opening authority s secret key S OA ; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

31 Definition Dynamic Group Signature Dynamic Group Signature It is a tuple of algorithms (Setup, Join, Sign, Verify, Open) acting according to their name. Join: interactive protocols between U i GM. Provide (cert i, sec i ) to U i. Where cert i attests the secret sec i. Update the user list along with the certificates; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

32 Definition Dynamic Group Signature Dynamic Group Signature It is a tuple of algorithms (Setup, Join, Sign, Verify, Open) acting according to their name. Sign and Verify proceed in the obvious way; Open: Input: OA s secret S OA, M and Σ Output: i. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

33 Definition Security Notions Three security notions Anonymity Only OA can open a signature; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

34 Definition Security Notions Three security notions Anonymity Only OA can open a signature; Traceability Security of honest GM against malicious users who want to escape from traceability; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

35 Definition Security Notions Three security notions Anonymity Only OA can open a signature; Traceability Security of honest GM against malicious users who want to escape from traceability; Non-frameability Security of honest members against malicious GM/OA authorities. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

36 Definition Security Assumptions: SIS and LWE Parameters: n dimension, m n, q modulus. For A Z m n q : Small Integer Solution x Learning With Errors A = 0[q] A, A s m + e n s Z n q, e a small error. Goal: Given A Z m n q, Goal: Given ( A, A s + e ), find x Z m small. find s Z n q. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

37 Definition Lattice-based cryptography? Lattice hard problems find a short vector in a lattice. Worst-case Hardness assumptions LWE, SIS. Average-case Security properties anonymity, traceability, non-frameability. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

38 Presentation of the Scheme Outline 1 Introduction 2 Definition 3 Presentation of the Scheme 4 Conclusion Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

39 Presentation of the Scheme From Static to Dynamic Designed from a recent static group signature proposed by Ling, Nguyen and Wang [LNW15]. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

40 Presentation of the Scheme From Static to Dynamic Designed from a recent static group signature proposed by Ling, Nguyen and Wang [LNW15]. Other solutions [GKV10,LLLS13] use membership certificates made of a complete basis which is problematic here. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

41 Presentation of the Scheme From Static to Dynamic Difficulties Separate the secrets between OA and GM; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

42 Presentation of the Scheme From Static to Dynamic Difficulties Separate the secrets between OA and GM; Bind the user to a unique public syndrome v i = D T z i Z n q for some matrix D Z m n q ; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

43 Presentation of the Scheme From Static to Dynamic Difficulties Separate the secrets between OA and GM; Bind the user to a unique public syndrome v i = D T z i Z n q for some matrix D Z m n q ; Previous schemes based on [LLLS13] do not interact well with the non-homogeneous terms v i needed for non-frameability purposes; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

44 Presentation of the Scheme From Static to Dynamic Difficulties Separate the secrets between OA and GM; Bind the user to a unique public syndrome v i = D T z i Z n q for some matrix D Z m n q ; Previous schemes based on [LLLS13] do not interact well with the non-homogeneous terms v i needed for non-frameability purposes; Be secure against framing attacks without compromising previous security properties; Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

45 Presentation of the Scheme From Static to Dynamic Our solution Ingredients Boyen s signature (PKC 10) Given A Z m n q and {A i } l i=0 Zm n q, the signature is a small [ ] d Z 2m q s.t. d T A A 0 + l i=1 m ia i The private key is a short T A Z m m q In our context: GM s secret is T A. = 0[q]. s.t. T A A = 0[q]. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

46 Presentation of the Scheme From Static to Dynamic Our solution Ingredients Boyen s signature (PKC 10) Given A Z m n q and {A i } l i=0 Zm n q, the signature is a small [ ] d Z 2m q s.t. d T A A 0 + l i=1 m ia i The private key is a short T A Z m m q In our context: GM s secret is T A. = 0[q]. s.t. T A A = 0[q]. The Böhl et al. variant (Eurocrypt 13) cert i sec i [ ] T A d i A 0 + l i=1 m = z T i D + u T [q] ia i Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

47 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

48 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i GM Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

49 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i z i,0 short vector in Z m v T i,0 = zt i,0 D GM Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

50 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i z i,0 short vector in Z m v T i,0 = zt i,0 D v i,0 GM id i identity {0, 1} l z i,1 short vector in Z m Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

51 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i z i,0 short vector in Z m v T i,0 = zt i,0 D z i = z i,0 + z i,1 v T i = z T i D Authenticate v i, id i and z i v i,0 (id i, z i,1) GM id i identity {0, 1} l z i,1 short vector in Z m Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

52 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i z i,0 short vector in Z m v T i,0 = zt i,0 D z i = z i,0 + z i,1 v T i = z T i D Authenticate v i, id i and z i v i,0 (id i, z i,1) v i GM id i identity {0, 1} l z i,1 short vector in Z m d i, s.t. d T i [ A A 0 + l i=1 id i A i ] = v T i + u T [q] Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

53 Presentation of the Scheme From Static to Dynamic Our solution Setup: Y = (A, {A i } l i=0, B, D, u) l = log(n) (e.g. l = 30) Where: A, A 0,..., A l, B, D Z m n q and u Z n q Join algorithm: U i z i,0 short vector in Z m v T i,0 = zt i,0 D z i = z i,0 + z i,1 v T i = z T i D Authenticate v i, id i and z i (cert i ; sec i ) = ((id i, d i ); z i ) v i,0 (id i, z i,1) v i d i GM id i identity {0, 1} l z i,1 short vector in Z m d i, s.t. d T i [ A A 0 + l i=1 id i A i ] = v T i + u T [q] Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

54 Presentation of the Scheme From Static to Dynamic Our solution Sign algorithm: c := Enc(id i, d i ) Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

55 Presentation of the Scheme From Static to Dynamic Our solution Sign algorithm: c := Enc(id i, d i ) d T i π K := proof that c is correct and [ ] A A 0 + l i=1 id = vi T + u T [q] ia i Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

56 Presentation of the Scheme From Static to Dynamic Our solution Sign algorithm: c := Enc(id i, d i ) d T i π K := proof that c is correct and [ ] A A 0 + l i=1 id = vi T + u T [q] ia i Difference with the Ling et al. scheme We encrypt d and id i not only id i to enable signature openings. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

57 Presentation of the Scheme From Static to Dynamic Our solution Open algorithm: OA decrypts c to get (id, d); Using id and d, OA computes the associated syndrome v; =Sign usk[i] (v i,id i ) {}}{ OA checks that (v, id, i, upk[i], sig ) is in the records and that sig is correct. If so then return i; otherwise return. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

Presentation of the Scheme Efficiency Remark We use the smudging technique: making 2 distributions centered around 0 statistically close using a huge noise.

58 Presentation of the Scheme Efficiency Remark We use the smudging technique: making 2 distributions centered around 0 statistically close using a huge noise. Goal: D 0 + D 1 D 1 in Z or R Statistical distance: (D 0 + D 1, D 1 ) σ(d 0) σ(d 1 ) D 0 D 1 Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

59 Presentation of the Scheme Efficiency Remark We use the smudging technique: making 2 distributions centered around 0 statistically close using a huge noise. Goal: D 0 + D 1 D 1 in Z or R Statistical distance: (D 0 + D 1, D 1 ) σ(d 0) σ(d 1 ) D 0 D 1 D 0 +D 1 Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

60 Presentation of the Scheme Efficiency Consequence We need an exponential-size modulus q in the security parameter λ. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

61 Presentation of the Scheme Efficiency Consequence We need an exponential-size modulus q in the security parameter λ. Problem Our protocol is somewhat costly. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

62 Conclusion Outline 1 Introduction 2 Definition 3 Presentation of the Scheme 4 Conclusion Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

63 Conclusion Conclusion Main contribution First dynamic group signature based on lattice assumptions. Technical contribution We combine the Böhl et al. variant of Boyen s signature and the Ling et al. NIZK proofs. Extensions Possible extension supporting proofs of correct opening [BSZ05]. Possible use of the join protocol to certify hidden data. Open problem Prove the security without smudging: possibly more efficient parameters. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

64 Bibliography References Mihir Bellare, Haixia Shi, Chong Zhang. Foundations of group signatures: The case of dynamic groups (CT-RSA 05) Aggelos Kiayias and Moti Yung. Secure scalable group signature with dynamic joins and separable authorities (International Journal of Security and Networks) Fabien Laguillaumie, Adeline Langlois, Benoit Libert, Damien Stehlé. Lattice-based group signature scheme with verifier-local revocation (Asiacrypt 13) San Ling, Khoa Nguyen, and Huaxiong Wang. Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based (PKC 15) Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

65 Thanks Question Time Thank you all for your attention! Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

66 One-Time Signature Definition A one-time signature scheme consists of a triple of algorithms Π ots = (G, S, V). Behaves like a digital signature scheme. Strong unforgeability: impossible to forge a valid signature even for a previously signed message. Usage We use one-time signature to provide CCA anonymity using Canetti-Halevi-Katz methodology. Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

67 CCA anonymity Definition No PPT adversary A can win the following game with non negligible probability: A makes open queries. A chooses M and two different (cert i, sec i ) i {0,1} A receives σ = Sign cert b,sec b (M ) for some b {0, 1} A makes other open queries A returns b, and wins if b = b Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

68 ZK Proofs Σ-protocol [Dam10] 3-move scheme: (Commit, Challenge, Answer) between 2 users. Fiat-Shamir Heuristic Make the Σ-protocol non-interactive by setting the challenge to be H(Commit, Public) Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

69 Smudging σ 2 0 = 1 σ 2 1 = 2 σ 2 = 3 Fabrice Mouhartem Dynamic Group Signature using Lattices 06/24/ /26

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benoît Libert 1,2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 É.N.S. de Lyon, France