Commuting signatures and verifiable encryption eserved@d ...fuchsbau/EUROslides.pdf · New primitive:Commuting signatures (and veri able encryption) New functionality E cient instantiation

Commuting signatures and veri�able encryption

Georg Fuchsbauer

University of Bristol

EUROCRYPT 17.05.2011

Results

New primitive: Commuting signatures (and veri�able encryption)

New functionality

E�cient instantiation in pairing groups

Application: Delegatable anonymous credentials

Non-interactive delegation

Signi�cant e�ciency improvements

Other results: Groth-Sahai proofs

Properties of proofs

Stronger notion of simulation

G. Fuchsbauer (Bristol) Commuting signatures EUROCRYPT '11 1 / 15

Results


New functionality









Results


New functionality









Outline of this talk

1 Commuting signatures

2 Delegatable anonymous credentials

3 Instantiating commuting signatures






Commuting signatures and veri�able encryption I

Signature Msk−→ Σ Veri�cation: vk, M, Σ

Veri�able encryption

vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃

Veri�cation: vk, M, Σ , π̃

−→ M , π̄

−→ M , π̄

Veri�cation: vk, M , Σ, π̄

−→ M , Σ , π

−→ M , Σ , π

Veri�cation: vk, M , Σ , π

−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂

Veri�cation: vk , M , Σ , π̂

Commuting signature and veri�able encryption

Proof adaptation: π̃π̄

}←→ π ←→ π̂

Sign M given M : Msk−→ Σ

π Veri�cation: vk, M , Σ , π

XSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π

Sign plaintext then encrypt ⇐⇒ encrypt then sign plaintext





vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂








Randomizable Veri�able encryption

vk,M,Σ −→

{ −→ Σ , π̃ −→ Σ , π̃


−→ M , π̄ −→ M , π̄


−→ M , Σ , π −→ M , Σ , π


−→ vk , M , Σ , π̂ −→ vk , M , Σ , π̂




}←→ π ←→ π̂









vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂









vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂









vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂


π Veri�cation: vk, M , Σ , πXSign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π






vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂



X

Sign M given M : Msk−→ Σ , π Veri�cation: vk, M , Σ , π






vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂



X







vk,M,Σ −→

{ −→ Σ , π̃

−→ Σ , π̃


−→ M , π̄

−→ M , π̄


−→ M , Σ , π

−→ M , Σ , π


−→ vk , M , Σ , π̂

−→ vk , M , Σ , π̂




}←→ π ←→ π̂



X




Commuting signatures and veri�able encryption II

6

6

?

6

��9��

��

��:

��

��:

XXXXXXXXz

`̀`̀X XXz

��

��

��XXXXXXXXXz

��

��

��XXXXXXXXXz

M, Σ

M

M µ

M µ ,Σ, π̄

M, Σ σ , π̃

M µ , Σ σ , π

(sk)

(σ)

(µ)

(sk)



6

6

?

6

��9��

��

��:

��

��:

XXXXXXXXz

`̀`̀X XXz

��

��

��XXXXXXXXXz

��

��

��XXXXXXXXXz

M, Σ

M

M µ

M µ ,Σ, π̄

M, Σ σ , π̃

M µ , Σ σ , π

(sk)

(σ)

(µ)

(sk)



6

6

?

6

��9��

��

��:

��

��:

XXXXXXXXz

`̀`̀X XXz

��

��

��XXXXXXXXXz

��

��

��XXXXXXXXXz

M, Σ

M

M µ

M µ ,Σ, π̄

M, Σ σ , π̃

M µ , Σ σ , π

(sk)

(σ)

(µ)

(sk)



6

6

?

6

��9��

��

��:

��

��:

XXXXXXXXz

`̀`̀X XXz

��

��

��XXXXXXXXXz

��

��

��XXXXXXXXXz

M, Σ

M

M µ

M µ ,Σ, π̄

M, Σ σ , π̃

M µ , Σ σ , π

(sk)

(σ)

(µ)

(sk)






Delegatable anonymous credentials

Delegatable anonymous credentials [BCCKLS09]

Users can prove to hold credential w/o revealing their identity

Credentials can be issued/delegated and obtained anonymously

Model

Each user holds a secret key and can

. . . produce arbitrarily many (unlinkable) pseudonyms from it

. . . can publish pseudonym as public key for a credential

. . . run interactive protocol to issue/delegate credentials to other users

. . . prove to hold credentials for every pseudonym






Model











Model











Model







Non-interactively delegatable anonymous credentials

��

��

��

----

-- ��

Nym(O)A

Nym(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability

Anonymity (simulation-based)



��

��

��

----

-- ��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

--

--

-- ��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

--

--

--

��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

--

--

-- ��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

----

-- ��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

----

--

��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability




��

��

��

----

--

��

Nym(O)A Nym

(B)A

Nym

(C)

A

Nym(A)B B

Nym

(C)

B

A

CNym(A)C Nym

(B)C

credO→Nym

(O)A

credO→Nym

(A)B

credO→Nym

(C)A

credO→Nym

(C)B

O

Security

Unforgeability



Black-box instantiation of NIDAC

In a nutshell

Pseudonym: encryption of user veri�cation key

Credential: veri�ably encrypted signature

Non-interactive delegation: commuting signature

Delegation of signing rights ---Σ1

vk1vk0 vkn• • •

Σ2 Σn

Signatures credential

Anonymous show --- vknvk1vk0 • • •

Σ1 Σ2 Σn

π1 π2 πn


Anonymous delegation -- vk1vk0 vk2

Σ1 Σ2

π1 π2

π1 π2

vk3

Commuting signatures

Sign encrypted value vk3 ⇒`vk2, Σ3 , vk3 , π′

3

´

Adapt proof for vk2 ⇒`vk2 , Σ3 , vk3 , π3

´Randomize previous encryptions/proofs

Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´



Delegation of signing rights

---Σ1


Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´



Delegation of signing rights

--

-Σ1

vk1vk0

vkn• • •

Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´



Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3

´Adapt proof for vk2 ⇒

`vk2 , Σ3 , vk3 , π3

´

Randomize previous encryptions/proofs

Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3


`vk2 , Σ3 , vk3 , π3


Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´





Σ2 Σn



Σ1 Σ2 Σn

π1 π2 πn



Σ1 Σ2

π1 π2

π1 π2

vk3



3


`vk2 , Σ3 , vk3 , π3


Send credential`

Σ1 , π1, vk1 , Σ2 , π2, vk2 , Σ3 , π3´






Building blocks

Bilinear group: (p,G1,G2,GT , e,G ,H) with

Pairing: e : G1 ×G2 → GT bilinear

Pairing-product equation (PPE)

over variables X1, . . . ,Xm ∈ G1, Y1, . . . ,Yn ∈ G2

n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1

e(Xi ,Yj)γi,j = t , (E)

de�ned by Ai ∈ G1,Bi ∈ G2, γi,j ∈ Zp and t ∈ GT

Groth�Sahai proofs [GS08]

E�cient non-interactive zero-knowledge (randomizable [BCCKLS09])

proof of knowledge of X1, . . . ,Xm,Y1, . . . ,Yn satisfying E

1 Make

encryptionsencryptions

commitments ci to Xi and dj to Yj

2 Construct proof π that committed values satisfy Ewithout revealing anything else

Given extraction key, one can extract the committed values Xi , Yj

Automorphic signatures [AFGHO10]

• Messages and signatures are group elements

• Veri�cation by pairing-product equation

}�structure preserving�

• Veri�cation keys lie in message space

Groth-Sahai proofs + structure-pres. signatures= veri�ably encrypted signatures


Building blocks





n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks





n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks





n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make












Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make encryptions

encryptionscommitments

ci to Xi and dj to Yj










Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make

encryptions

encryptions

commitments











Building blocks



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1






1 Make

encryptions

encryptions

commitments











Building blocks




1 Make

encryptions

encryptions

commitments











Building blocks




1 Make

encryptions

encryptions

commitments











Building blocks




1 Make

encryptions

encryptions

commitments











Building blocks




1 Make

encryptions

encryptions

commitments











Building blocks




1 Make

encryptions

encryptions

commitments











Properties of Groth-Sahai proofs

n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1

e(Xi ,Yj)γi,j = t (E)

IndependenceProofs do not depend on t

Proofs for linear equations (γij = 0) do not depend on encrypted values

AdaptingProofs can be adapted when constants are turned into variables or vice versa

HomomorphicLet π be proof for E and ciphertexts (c1, . . . , cm,d1, . . . ,dn)Let π′ be proof for E′ and ciphertexts (c′

1, . . . , c′

m′ ,d′1, . . . ,d′

n′)

Then π · π′ is a proof for E · E′ and (c1, . . . , cm, c′1, . . . , c′

m′ ,d1, . . . . . . ,d′n′)Q

e(Aj ,Yj )Qe(A′

j,Y ′

j)Qe(Xi ,Bi )

Qe(X ′

i,B′

i)QQ

e(Xi ,Yj )γi,jQQ

e(X ′i,Y ′

j)γ′i,j = t · t′

(E · E′)



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1


IndependenceProofs do not depend on tProofs for linear equations (γij = 0) do not depend on encrypted values



1, . . . , c′

m′ ,d′1, . . . ,d′

n′)


m′ ,d1, . . . . . . ,d′n′)Q

e(Aj ,Yj )Qe(A′

j,Y ′

j)Qe(Xi ,Bi )

Qe(X ′

i,B′

i)QQ

e(Xi ,Yj )γi,jQQ

e(X ′i,Y ′

j)γ′i,j = t · t′

(E · E′)



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1





1, . . . , c′

m′ ,d′1, . . . ,d′

n′)


m′ ,d1, . . . . . . ,d′n′)Q

e(Aj ,Yj )Qe(A′

j,Y ′

j)Qe(Xi ,Bi )

Qe(X ′

i,B′

i)QQ

e(Xi ,Yj )γi,jQQ

e(X ′i,Y ′

j)γ′i,j = t · t′

(E · E′)



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1





1, . . . , c′

m′ ,d′1, . . . ,d′

n′)


m′ ,d1, . . . . . . ,d′n′)Q

e(Aj ,Yj )Qe(A′

j,Y ′

j)Qe(Xi ,Bi )

Qe(X ′

i,B′

i)QQ

e(Xi ,Yj )γi,jQQ

e(X ′i,Y ′

j)γ′i,j = t · t′

(E · E′)



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1





1, . . . , c′

m′ ,d′1, . . . ,d′

n′)


m′ ,d1, . . . . . . ,d′n′)Q

e(Aj ,Yj )Qe(A′

j,Y ′

j)Qe(Xi ,Bi )

Qe(X ′

i,B′

i)QQ

e(Xi ,Yj )γi,jQQ

e(X ′i,Y ′

j)γ′i,j = t · t′

(E · E′)



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1


Stronger notion of simulatability

[GS08]: NIZK proof of satis�ability:Given E, simulator can produce (c1, . . . , cm,d1, . . . ,dn) and π

Now: Proof for given ciphertexts:Given E, (c1, . . . , cm), simulator can produce (d1, . . . ,dn) and π

Application: Given pseudonyms of delegator and delegatee ⇒ simulate credential



n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1








n∏i=j

e(Aj ,Yj)m∏i=1

e(Xi ,Bi )m∏i=1

n∏j=1







Instantiating commuting signatures

Round-optimal blind signature

Protocol to sign M from [AFGHO10]:

User sends

Randomization M̃ of M

Encryptions M , R

Proof of consistency τ

Signer sends �pre-signature� Σ′

(using M̃)

User, knowing R, turns Σ′ into Σ on M

Blind signature:

Verif. encryption of Σ:(M, Σ , π̃

)

1 User could produce(M , Σ ,π

)

Goal: Msk−→ Σ , π

2 De�ne:}def= encryption of M

3 M̃ −→ Σ′ −→ Σ′

4 Encryptions homomorphic

R and Σ′ −→ Σ

5 Properties of GS proofsτ −→ π





User sends


Encryptions M , R



(using M̃)


Blind signature:


)1 User could produce

(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:


)

1 User could produce(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′








User sends


Encryptions M , R



(using M̃)


Blind signature:



(M , Σ ,π

)



3 M̃ −→ Σ′ −→ Σ′





Conclusion

Commuting signatures imply

Veri�ably encrypted signatures

Blind signatures

CL signatures and P-signatures

Applications


First instantiation with non-interactive issuing/delegationE�ciency improvements: • No complex 2-party computation

• Size of credentials less than half

Receipt-free e-voting [BFPV11]

Fully anonymous transferable e-cash [BCFGST11]

Updated full version in June: eprint.iacr.org/2010/233


Conclusion



Blind signatures


Applications








Conclusion



Blind signatures


Applications








Conclusion



Blind signatures


Applications








Thank you! ©̂̈


Commuting signatures and verifiable encryption eserved@d ...fuchsbau/EUROslides.pdf · New primitive:Commuting signatures (and veri able encryption) New functionality E cient instantiation

Documents