Privacy in signatures. Hiding in rings, hiding in groups

  • View
    37

  • Download
    3

Embed Size (px)

DESCRIPTION

Privacy in signatures. Hiding in rings, hiding in groups. Message authenticity. Amélie. Baptiste. Message authenticity. Baptiste is waiting for a message from Amélie. How can he make sure it’s really from her?. Why sign. v irus definitions. viruses. trojans. Baptiste. updates. - PowerPoint PPT Presentation

Text of Privacy in signatures. Hiding in rings, hiding in groups

Slide 1

Privacy in signatures. Hiding in rings, hiding in groupsRennes, 24/10/2014Cristina OneteCIDRE/INRIA

Message authenticityCristina Onete || 24/10/2014 || 2

Amlie

Baptiste

Baptiste is waiting for a message from Amlie

Message authenticityHow can he make sure its really from her? 2Why signMore importantly: Telling good content from bad

updatesvirusdefinitions

BaptistemalwaretrojansvirusesUpdates vs. malware and trojansMessage should be sent by authorized partyCristina Onete || 24/10/2014 || 3 So far: MACs

Amlie

Baptiste

Shared

Message authentication codesUsually implemented as a keyed hash functionMSCheme = (KGen, MAC, Vf)Repudiation: anyone with sk can generate a tag (at least two people)

Cristina Onete || 24/10/2014 || 4 Now: PK digital signatures

Amlie

Baptiste

A

SScheme = (KGen, Sign, Vf)Anyone can verify the signature!Non-repudiation: signer can never deny generating a real signature

Cristina Onete || 24/10/2014 || 5 ContentsSignatures vs. PK EncryptionA common misconceptionThe Hash and Sign methodPrivacy-preserving signaturesRing signaturesSignature Scheme securityGroup signaturesRings vs. Groups Common misconception

Amlie

Baptiste

Amlie

BaptistePublic-Key EncryptionDigital Signatures

B

A

Secret

B

Inverse mechanisms?

SecretCristina Onete || 24/10/2014 || 7 Common misconceptionCan we build signatures from encryption?Completely different functionality and goals!Property

EncryptionschemesSignaturesschemesMessage integrityMessage confidentialityNon-repudiationSender authentication

Using one primitive to get the other is dangerous!Single receiver

Cristina Onete || 24/10/2014 || 8

Digital Signatures StructureSSchemes = (KGen, Sign, Verify)

ASecurity parameter:determines key sizeEveryone

Cristina Onete || 24/10/2014 || 9

Signature SecurityFunctionality correctness:Security: unforgeability

B

A

AVerify

Cristina Onete || 24/10/2014 || 10 Inverse mechanisms?PK EncryptionSignaturesKey Generation:EncryptDecrypt:Key Generation:SignVerify:?Cristina Onete || 24/10/2014 || 11 Abuse encryption stepCristina Onete || 24/10/2014 || 12 Inverse mechanisms?PK EncryptionSignaturesKey Generation:EncryptDecrypt:Key Generation:SignVerify:?Cristina Onete || 24/10/2014 || 13 Choosing messages wellCristina Onete || 24/10/2014 || 14 Attacks against SignaturesThe more knows, the harder it is to get security Security depends on what the attacker knows

Random-message attack:

Lots of users all aroundTheir messages are randomAdv. gets (m, signa-ture) pairsForge signature on new message!Cristina Onete || 24/10/2014 || 15 Attacks against SignaturesThe more knows, the harder it is to get security Security depends on what the attacker knows

Known-message attack:

Lots of users all aroundKnows messages in advance, before re-ceiving any signatureAdv. gets (m, signa-ture) pairsForge signature on new message!

Hi, how are you?Im fine, thanks.How are you?Im very well, thank youCristina Onete || 24/10/2014 || 16 Attacks against SignaturesThe more knows, the harder it is to get security Security depends on what the attacker knows

Chosen-message attack:

Lots of users all aroundCan choose messages that will be signedAdv. gets (m, signa-ture) pairsForge signature on new message!

Cristina Onete || 24/10/2014 || 17 Attacks against SignaturesPower of

AttackUnf-RMAUnf-KMAUnf-CMAWeakNot strong/ Not weakStrongCristina Onete || 24/10/2014 || 18 Hash and Sign in generalUse the same thing in generalSignature schemeHash functionKey generation:

Signing: Verifying:Cristina Onete || 24/10/2014 || 19 ContentsSignatures vs. PK EncryptionA common misconceptionThe Hash and Sign methodPrivacy-preserving signaturesRing signaturesGroup signaturesRings vs. GroupsSignature Scheme security So far: integrity & authenticity

A

Successful verification means identifying signer!Cristina Onete || 24/10/2014 || 21 Ring Signatures

Cristina Onete || 24/10/2014 || 22 Ring SignaturesRing Signatures:Regular Signatures:

Cristina Onete || 24/10/2014 || 23 Ring Signature PropertiesAnonymity:Flavours of anonymity depend on how much we let the adver-sary control the ring and the keys in it.

???Cristina Onete || 24/10/2014 || 24 Ring Signature PropertiesUnforgeability:

Could do this for a fixed ring, a chosen subring, or even allo-wing insider corruptions (the adversary learns secret keys)Cristina Onete || 24/10/2014 || 25 Aside: pairingsBilinear:Non-degenerate:Computable: Pairings exist for many groups. Not all are efficiently computable!Cristina Onete || 24/10/2014 || 26 Ring Signature 2-RingKey generation:Cristina Onete || 24/10/2014 || 27 Ring vs. GroupRing Signatures:Signer remains completely untraceable, even if he misbehaves No accountabilityGroup signaturesOther ring members independent of signer, unaware of himSigner registers into a group of arbitrarily many signersOptional anonymity revocation : can extract signer if neededCristina Onete || 24/10/2014 || 28 Ring Signatures

Cristina Onete || 24/10/2014 || 29 Group Signatures

GCristina Onete || 24/10/2014 || 30 Optional Anonymity Revocation

G

Cristina Onete || 24/10/2014 || 31 Group SignaturesSyntaxRegistration keyRevocation keyCristina Onete || 24/10/2014 || 32 Group Signature PropertiesFull-anonymity:

???

G

Cristina Onete || 24/10/2014 || 33 Group Signature PropertiesFull-traceability:

G

Cristina Onete || 24/10/2014 || 34 General strategyPublic key is a function of all the keysTraceability: use a ZK proof of knowledge then use extractability to trace Further Reading:[BMW03] Bellare, Micciancio, Warinschi: Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions, CRYPTO 2003[BMW04] Boneh, Boyen, Shacham: Short Group Signatures, CRYPTO 2004Cristina Onete || 24/10/2014 || 35 Thanks!CIDRE