Traceable Signatures. Aggelos Kiayias (University of Connecticut), joint work with Moti Yung (Columbia University) and Yiannis Tsiounis (Etolian). PowerPoint presentation.
Traceable Signatures
Aggelos Kiayias, University of Connecticut
joint work with
Moti Yung, Columbia University, and Yiannis Tsiounis, Etolian
Theme: Balancing Privacy and Identification
The state of things in multi-user environments:
- Privacy advocates are vocal about loss of privacy in the electronic society.
- Authorities are worried about the potential abuse of anonymity systems.
CRYPTO: can it be used to reconcile the two sides?
Goals
- Users' actions must remain anonymous.
- Nevertheless, a primitive must offer various mechanisms that allow the conditional revocation of anonymity.
- Methodology: develop primitives allowing various tradeoffs between privacy and identification.
A basic building block for anonymity systems: signatures and identification
- In a transaction-based environment: digital signatures and identification mechanisms.
- Goal #1: Provide privacy.
- Goal #2: Develop a sufficient set of tracing mechanisms.
Related Primitives
- Group Signature / Identity Escrow: a user can sign / get identified "on behalf" of the group.
- The Group Manager can open a signature / identification transcript.
- Anonymity-unlinkability: verification is performed using the group's public key.
- Opening is an anonymity revocation mechanism.
Is it sufficient?
Motivation
Consider the following setting:
- The underlying network infrastructure provides sufficient anonymity.
- Typical abstract large system: many users; many remote verification points.
- Users issue (anonymous/group) signatures that get aggregated and verified at various points.
[Figure: Anonymity System. Many users accumulate transactions anonymously; their signatures flow to distributed verification points.]
Scenario #1: Suspicious Transactions
[Figure: distributed verification points. Input: "This transaction is suspicious!" The verification point asks the authority to OPEN the signature.]
Group signature does exactly this!
But…
Scenario #2: Suspicious User
[Figure: distributed verification points. Input: "User X is engaging in illegal activity." The authority would have to open every signature ("I will open all of them!"), which the users reject ("NO!").]
Shortcomings
- Signatures from remote verification points must be aggregated: load balancing concerns.
- The authority must open all signatures, thus severely (and unnecessarily) violating the privacy of many users: privacy concerns.
- The authority is typically a distributed entity, so opening requires the collaboration of many agents: efficiency concerns.
Outcome: group signatures are insufficient for dealing with the above tracing request / anonymity revocation functionality.
Scenario #3: Who owns your privacy?
[Figure: distributed verification points. The authority accuses a user: "You have been neglecting your duties!" The user answers "NO!" but cannot prove otherwise.]
Privacy is a personally managed good. In many cases it is very important that a user be able to prove that he did something, if he wishes.
Possible Approach
- The user can prove in ZK that he knows the randomness of his signature.
- The user needs to remember the randomness for all his signatures: unreasonable storage requirement.
- A stateless technique must be provided.
Our Solution: Traceable Signatures
An anonymous signature scheme that deals efficiently with:
- Scenario #1: opening a signature (as in group signatures).
- Scenario #2: tracing all signatures of a named user (with load balancing).
- Scenario #3: allowing a user to claim a signature.
Our Results
- Formal security model of the notion of Traceable Signatures.
- Efficient construction of a secure Traceable Signature scheme.
- Traceable Signatures: an extension of Group Signatures. Bonus: our construction provides a secure group signature in the sense of ACJT 2000.
- First construction that is provably secure in a formal model.
Traceable Signatures
Participants: users; the Group Manager (responsible for group administration and tracing functions).
Operations:
1. Setup
2. Join (interactive protocol)
3. Sign
4. Verify
5. Open (given a signature, reveals the identity of the signer)
6. Reveal (reveals the tracing trapdoor of user i)
7. Trace (given a tracing trapdoor, tests whether a given signature matches the trapdoor)
8. Claim (the owner of a signature claims it)
9. Claim_Verify
Our Security Model
Abstract attack: the adversary interacts with an Interface through the queries Q_pub, Q_key, Q_join_a, Q_join_p, Q_join_b, Q_corr, Q_sign, Q_reveal. The Interface represents a perspective of the system in the real world. Different subsets of queries classify the possible attacks, each with its own adversarial goal.
Queries
- Q_pub: returns the public key.
- Q_key: returns the GM's secret key.
- Q_join_a: causes the Interface to execute a Join dialog and return the transcript to the adversary.
- Q_join_p: causes the Interface to execute a Join dialog with the adversary, playing the role of the GM.
- Q_join_b: causes the Interface to execute a Join dialog with the adversary, playing the role of a user.
- Q_sign: given <i, m>, the Interface returns a signature on m generated by the i-th user.
- Q_reveal: given <i>, the Interface returns the tracing trapdoor of user i.
The MISIDENTIFICATION attack
Queries available: Q_pub, Q_join_a, Q_join_p, Q_sign, Q_reveal. The Interface represents the system collectively: the good users and the GM.
Goal: forge a traceable signature that EITHER does not open to the controlled group OR does not trace to at least one of the members of the controlled group.
Captures: unforgeability, coalition resistance.
The FRAMING attack
Queries available: Q_pub, Q_key, Q_join_b, Q_sign. The Interface represents a handful of good users in a hostile environment.
Goal: forge a traceable signature that EITHER opens to one of the good users OR traces to at least one of the good users.
Captures: exculpability.
The ANONYMITY attack
Queries available: Q_pub, Q_join_a, Q_join_p, Q_reveal, Q_sign. The Interface represents the GM. The adversary operates in two stages, reminiscent of a CCA2 attack on the "Reveal" function:
- Stage 1: the adversary selects two users i_0, i_1 (by name) and receives a signature generated using one of the two membership secrets.
- Stage 2: the adversary may continue with Q_join_a, Q_join_p, Q_sign and Q_reveal on any user other than i_0 and i_1, and finally guesses which of the two users signed.
Captures: anonymity / unlinkability (even against tracing agents).
Basic Tools
Basic tools need to be developed and investigated:
- Discrete-Log Relation Sets: a useful notational tool for planning complex ZK proofs over groups of unknown order.
- Drawing Random Powers: how to select a random power in QR(n) in an ideal fashion.
Discrete-Log Relation Sets over QR(n)
Definition. Let $G = QR(n)$ and let $A_1, \dots, A_m$ be objects of $G$. A set of relations is defined as tuples $\langle a_{i1}, a_{i2}, \dots, a_{im} \rangle$, where each tuple element is either an integer or is selected among a set of free variables. Each tuple defines the relation
$\prod_{j=1}^{m} A_j^{a_{ij}} = 1$.
Each free variable is assumed to belong to a specified integer interval. The discrete-log relation set is the logical AND of all relations PLUS the interval relations.
Theorem. For a given discrete-log relation set there exists a 3-move ZK proof that allows proving knowledge of a witness tuple for the free variables.
Drawing Random Powers
Two-player game. Ideal implementation:
- Player A transmits a request to the TTP.
- The TTP responds with a random x.
- Player A responds with C = a^x.
- The TTP checks that C = a^x.
- The TTP gives player B the value C.
There exists an efficient implementation of the above game over QR(n) when x is selected from a specified integer range.
Discrete-Log Representations of Arbitrary Powers
A discrete-log representation of an arbitrary power inside $G$ is a tuple $\langle A, e : x, x' \rangle$ over the base $a_0, a, b \in QR(n)$ that satisfies the condition
$A^{e} = a_0 a^{x} b^{x'}$.
Theorem. Strong-RSA ⇒ any adversary that is given K discrete-log representations of arbitrary powers can find a new (different) discrete-log representation of an arbitrary power only with negligible probability of success.
Our Construction: The Basic Setup
Basic ideas:
- GM's public key: $n$ RSA modulus, $a_0, a, b \in QR(n)$. Also: $g, h \in QR(n)$.
- Every user will possess a discrete-log representation $\langle A_i, e_i : x_i, x'_i \rangle$ of an arbitrary power inside $QR(n)$, where $A_i^{e_i} = a_0 a^{x_i} b^{x'_i}$.
- The representation is known to the GM except for $x'_i$; the user's tracing trapdoor is $x_i$.
- Employ drawing random powers to implement the Join protocol.
Anatomy of a Signature: the header
For a signature or identification the following values are computed: $T_1, T_2, T_3, T_4, T_5, T_6, T_7$.
- $T_1 = A_i y^{w}$, $T_2 = g^{w}$: ElGamal encryption of $A_i$ (used for opening).
- $T_3 = g^{e_i} h^{w}$: control element.
- $T_4 = g^{x_i k}$, $T_5 = g^{k}$: commitment to the $x$ value (used for tracing).
- $T_6 = g^{x'_i k'}$, $T_7 = g^{k'}$: commitment to the $x'$ value (used for claiming).
Anatomy of a Signature: the rest
The user needs to prove in ZK that the header is well-formed. Employ a discrete-log relation set. Signature: Fiat-Shamir transform.
The relation set proves knowledge of the free variables $w, e, x, x'$ and an auxiliary $h' = we$ such that:
$T_2 = g^{w}$,
$T_3 = g^{e} h^{w}$,
$T_2^{e} = g^{h'}$,
$T_1^{e} = a_0 a^{x} b^{x'} y^{h'}$,
$T_4 = T_5^{x}$,
$T_6 = T_7^{x'}$,
with each free variable lying in its specified integer interval.
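As an added example (not code from the paper or the talk), here is the discrete-log relation set notation from the Basic Tools section and its 3-move proof of knowledge, instantiated for the two header relations $T_2 = g^w$ and $T_3 = g^e h^w$ above and made non-interactive with Fiat-Shamir as in the signature version. It assumes a constructed toy group QR(n) with n = 1019·1187 and omits the interval (range) part of the relation set; responses are computed over the integers, so the prover never needs the group order.

```python
import hashlib, secrets
N = 1019 * 1187               # toy n = p*q, p = 2*509+1, q = 2*593+1 (constructed)
G, H = 4, 9                   # bases g, h in QR(n)
CHAL_BITS = 64                # challenge length
SLACK = 2 ** (16 + CHAL_BITS + 40)   # blinder range for witnesses in [0, 2^16)

def relation_set(T2, T3):
    """Bases <g, h, T2, T3>; each tuple is one relation prod_j A_j^{a_ij} = 1
    (strings are free variables, ints are constants): T2 = g^w, T3 = g^e h^w."""
    return [G, H, T2, T3], [("w", 0, -1, 0), ("e", "w", 0, -1)]

def _split(bases, rel):
    """Constant part K_i of a relation and its (base, variable) pairs."""
    K, varpart = 1, []
    for base, a in zip(bases, rel):
        if isinstance(a, str):
            varpart.append((base, a))
        else:
            K = K * pow(base, a, N) % N      # a = -1 gives the modular inverse
    return K, varpart

def _challenge(bases, rels, commits):
    digest = hashlib.sha256(repr((bases, rels, commits)).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - CHAL_BITS)

def prove(bases, rels, witness):
    """Move 1: B_i = prod A_j^{t_v}; move 2: c by hashing (Fiat-Shamir);
    move 3: s_v = t_v + c*x_v over the integers, no group order needed."""
    t = {v: secrets.randbelow(SLACK) for v in witness}
    commits = []
    for rel in rels:
        Bc = 1
        for base, v in _split(bases, rel)[1]:
            Bc = Bc * pow(base, t[v], N) % N
        commits.append(Bc)
    c = _challenge(bases, rels, commits)
    return commits, {v: t[v] + c * witness[v] for v in witness}

def verify(bases, rels, proof):
    """Accept iff K_i^c * prod_j A_j^{s_v} == B_i for every relation i."""
    commits, s = proof
    c = _challenge(bases, rels, commits)
    for rel, Bc in zip(rels, commits):
        K, varpart = _split(bases, rel)
        lhs = pow(K, c, N)
        for base, v in varpart:
            lhs = lhs * pow(base, s[v], N) % N
        if lhs != Bc: return False
    return True
```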
Opening a Signature
Given a signature $T_1, T_2, T_3, T_4, T_5, T_6, T_7$, the GM employs his ElGamal secret key to recover $A$ from $T_1, T_2$.
Recall: $A$ is part of the certificate of a user. $A$ is matched to some Join protocol transcript, and so the signer is identified.
Tracing a user
- Reveal: given the identity of a certain user, the GM obtains his Join protocol transcript and recovers the user's tracing trapdoor $x$.
- Trace: given $x$ and a signature $T_1, T_2, T_3, T_4, T_5, T_6, T_7$, we return whether $T_4 \stackrel{?}{=} T_5^{x}$.
Claiming a Signature
Given a signature $T_1, T_2, T_3, T_4, T_5, T_6, T_7$, the signer computes a claim certificate as a NIZK proof of knowledge of the discrete logarithm of $T_6$ base $T_7$.
The proof can be "designated verifier" to avoid claim adoption by the receiver.
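A toy walk-through, added here and not the authors' code, of the header from "Anatomy of a Signature" together with the three mechanisms just described (Open, Trace, Claim). It assumes constructed parameters: n = 1019·1187 with g, h, a_0, a, b small squares, a GM ElGamal secret key of 17, and the claim is checked through the relation $T_6 = T_7^{x'}$ that the NIZK proves rather than by a full proof.

```python
import secrets

P, Q = 1019, 1187            # toy safe primes (constructed): 2*509+1, 2*593+1
N = P * Q                    # GM's RSA modulus n
ORD = ((P - 1) // 2) * ((Q - 1) // 2)   # |QR(n)| = 509*593, known to the GM only
G, H = 4, 9                  # g, h in QR(n)
A0, A, B = 16, 25, 36        # a_0, a, b in QR(n)
GM_SK = 17                   # GM's ElGamal secret key (assumed toy value)
Y = pow(G, GM_SK, N)         # y = g^sk, part of the GM public key

def join(x, x_prime, e):
    """Join: certificate <A_i, e_i> with A_i^e = a_0 a^x b^x' (x is the tracing
    trapdoor known to the GM, x' stays the user's secret). The GM takes the
    e-th root using its knowledge of the group order."""
    d = pow(e, -1, ORD)                       # e must be coprime to |QR(n)|
    return pow(A0 * pow(A, x, N) * pow(B, x_prime, N), d, N), e

def sign_header(A_i, e, x, x_prime):
    """Header T1..T7: ElGamal of A_i under y, commitment to e, the tracing
    pair (T4, T5) and the claiming pair (T6, T7). In the scheme w, k, k' are
    drawn from a fixed interval; the signer does not know |QR(n)|."""
    w, k, k_prime = (secrets.randbelow(ORD - 1) + 1 for _ in range(3))
    T1 = A_i * pow(Y, w, N) % N
    T2 = pow(G, w, N)
    T3 = pow(G, e, N) * pow(H, w, N) % N
    T4 = pow(G, x * k, N)
    T5 = pow(G, k, N)
    T6 = pow(G, x_prime * k_prime, N)
    T7 = pow(G, k_prime, N)
    return (T1, T2, T3, T4, T5, T6, T7)

def gm_open(header, join_records):
    """Open: the GM decrypts A_i = T1 / T2^sk and matches it to a Join record."""
    T1, T2 = header[0], header[1]
    A_i = T1 * pow(T2, -GM_SK, N) % N         # negative exponent = inverse
    return next((uid for uid, rec in join_records.items() if rec == A_i), None)

def trace(header, x):
    """Trace: a tracing agent holding trapdoor x checks T4 == T5^x."""
    return pow(header[4], x, N) == header[3]

def claim_check(header, x_prime):
    """Claim: only the signer knows x' = log_{T7} T6; the scheme proves this
    with a NIZK, here the verifier-side relation itself is checked."""
    return pow(header[6], x_prime, N) == header[5]
```

Note that Trace never decrypts T1, T2, which is what lets tracing be handed to agents at the verification points without opening every signature.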
Security
Theorem (both the interactive and the non-interactive ROM version):
- Security against misidentification (Strong-RSA, DDH).
- Anonymity (DDH).
- Security against framing (DLog over a prime-order subgroup of QR(n)).
Random Oracle Model for the signature version.
Conclusion
- New primitive: Traceable Signatures and Identification.
- Technical tools: discrete-log relation set notation and ZK proofs; drawing random powers.
- Formal model + security proof: subsumes Group Signatures.
Main applications:
- Traceable identification and signing.
- Fair anonymity in large systems.
- Traceability can be used directly to implement CRL-based member revocation; coupled with the "Camenisch-Lysyanskaya revocation" it is possible to capture both types of revocation: forward (CL) and backwards (CRL).