This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho.
Cross-Unlinkable Hierarchical Group Signatures
Julien Bringer (Morpho), Hervé Chabanne (Morpho, Télécom ParisTech), Alain Patey (Morpho, Télécom ParisTech)
13/09/2012
OUTLINE
1. VLR Group Signatures
2. From Backward Unlinkability to Cross-Unlinkability
3. Our Construction
4. Conclusion
Alain Patey / 13/09/2012 / EuroPKI 2012
1. VLR Group Signatures
DIGITAL SIGNATURES VS GROUP SIGNATURES
Group signature = digital signature + anonymity: the verifier learns that some member of the group signed, not which one
SETTING
Group Manager (GM):
Sets up the public parameters
Owns the master secret key
Issues the users' secret keys
Can lift the anonymity of a signature (Open)
Can revoke users
VERIFIER-LOCAL REVOCATION (VLR)
GM manages a public Revocation List (RL)
VLR: REVOCATION
Revocation of user i: the revocation token of user i (rt_i) is added to RL
VLR: SIGNATURE AND VERIFICATION
User signs using his secret key
Verifier (≠ GM):
1) Signature Check: validity of the signature
2) Revocation Check: is the signer revoked?
(Revocation Check: one operation (exponentiation, pairing) per revoked user)
VLR GS COMPONENTS
KeyGen (GM): set group parameters
Join (GM, User): issue keys for a new group member
Sign (User): sign a message on behalf of the group
Verify (Verifier): verify a signature
Open (GM): reveal the identity of the creator of a given signature
Revoke (GM): revoke a user from the group
BACKWARD UNLINKABILITY
Problem: once a user is revoked, everyone can use his revocation token to trace all his previous signatures
Solution: make signatures and revocation dependent on time
Does not change (much) the complexity of signing; only one public value per period must be published
[Figure: timeline split into Time Period 1, …, Time Period i, Time Period j, Time Period k, …]
SECURITY PROPERTIES
Correctness: every signature correctly issued by an unrevoked member is checked as valid
Backward Unlinkability: signatures reveal nothing (to anyone but the signer and the GM) about their author, and they remain anonymous even after the revocation of the user
Traceability: no coalition of attackers can forge a signature that cannot be traced to one of the members of the coalition
Exculpability: nobody (including the GM) is able to issue a signature on behalf of another member
2. From Backward Unlinkability to Cross-Unlinkability
HIERARCHICAL SETTING
Several groups in a tree structure
One group signature per group
Independent Group Managers
Requirement: to join a group, one must previously be a member of the parent group
Applications: identity management, attribute-based credentials
[Figure: example tree. National ID has children Student ID and Driver's License; Student ID has children College 1 and College 2; Driver's License has children Car Insurance and HGV License]
CASCADE REVOCATION
Revocation follows the tree structure:
Revocation in a parent group ⇒ revocation in the child groups (Downwards Revocation, compulsory)
A child group can signal a revoked user to the parent group (Upwards Revocation, optional)
The parent group is not forced to also revoke
[Figure: the same tree, with Downwards Revocation (compulsory) flowing from parent to children and Upwards Revocation (optional) from child to parent]
UNLINKABILITY
Cascade Revocation ⇒ key derivation, i.e. a link between a user's keys in parent and child groups
BUT: we aim at maximal anonymity
Anonymity in a given group should be preserved towards the GMs of the other groups (even the parent group, sibling groups…) despite the revocation process
We call this property CROSS-UNLINKABILITY
FROM BACKWARD UNLINKABILITY TO CROSS-UNLINKABILITY
Idea: transpose the Backward Unlinkability property
The time periods of the underlying scheme are transposed to the children of a given group
[Figure: a group signature with Period 1 and Period 2 (unlinkable across periods) ⇒ Student ID with children College 1 and College 2 (unlinkable across children)]
3. Our Construction
THE MODEL
KeyGen: the GMs set the group parameters
Enrolment (M_i, G_l): M_i gets keys for the group G_l
Derivation (M_i, G_k, G_l): key derivation for a user M_i applying to join G_l, child of G_k; includes a proof of G_k membership
Sign (M_i, m, G_l): user M_i signs message m on behalf of G_l
Verify (s, m, G_l): the verifier checks a signature s for G_l
Revocation (M_i, G_l): Local Revocation, Downwards Revocation, (optional) Upwards Revocation
REQUIREMENTS
Correctness
Traceability
Cross-Unlinkability
Exculpability
Adaptations of the VLR group signature properties to the hierarchical setting
CROSS-UNLINKABILITY
Game-based definition (as for Traceability and Exculpability)
Queries (before and after the Challenge): Enrol to G0, Derivation, Sign, User Corruption, GM Corruption, Revocation
Challenge: the adversary outputs m, m', M0, M1, Gk, Gl such that:
M0 and M1 are both registered to Gk and Gl
M0 and M1 are not corrupted
At most one of the two GMs is corrupted
M0 and M1 are revoked from at most one group (the same one if they are both revoked), and the GM of the other group is not corrupted
The challenger C chooses two bits b, b' and signs m for Mb in group Gk and m' for Mb' in group Gl
The adversary tries to guess whether b = b'
UNDERLYING GROUP SIGNATURE
VLR Group Signature with Backward Unlinkability
Group parameters: gpk
Public/secret key for the GM of G_l: mpk, msk
User M_i's key for G_l: sk_i = (f_i, x_i, A_i)
f_i is chosen by M_i (not known by GM_l)
x_i is chosen by GM_l
A_i = f(f_i, x_i, msk) is computed by GM_l
Revocation token of M_i for G_l:
Global: rt_i = x_i
Period j: rt_{ij} = h_j^(rt_i) (h_j is a public token)
(for an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.)
THE CONSTRUCTION
KeyGen: GM_0 fixes gpk (common group parameters)
Every GM_l chooses mpk_l, msk_l compatible with gpk (independent GM keys)
For every group G_k, one « period » k-l per child group G_l must be set up
Join: if G_l = G_0, run the Join algorithm of GM_0
Otherwise, call Derivation to check that the user belongs to the parent group and to derive a signing key. If all checks succeed, run an adapted Join algorithm for G_l, where x_{il} is chosen as the output of the Derivation algorithm (instead of being random)
THE CONSTRUCTION II
Derivation (G_l is a child of G_k):
GM_l sends a challenge message m to M_i
M_i signs it at period k-l
M_i sends his period revocation token rt_{i,k-l} = h_{k-l}^(rt_i) (rt_i being his global revocation token in G_k)
GM_l checks the validity of the signature and the validity of rt_{i,k-l}
GM_l derives x_{il} = H(msk_l || rt_{i,k-l})
The adapted Join algorithm is then run with this x_{il}
THE CONSTRUCTION III
Sign, Join and Open are direct applications of the group signature algorithms
Revocation:
Local: run the Revocation algorithm of the underlying group signature
Downwards: for every child group G_m of G_l:
GM_m looks at the updated revocation list RL_l of G_l and reads the new rt
GM_m checks whether there is a registered user i in G_m such that x_{im} = H(msk_m || rt)
If there is one, GM_m recursively runs Revocation
Upwards (optional): GM_l sends the period revocation token rt_{i,k-l} to GM_k
If GM_k wants to revoke the user, he computes rt_{i',k-l} for every M_{i'} in G_k
When he finds the corresponding user, he starts a Revocation process
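As an added example (the slides carry no code; class and function names are mine), a Python toy model of the period tokens of the underlying scheme, the Derivation step and the downwards/upwards revocation described on the three construction slides. Assumptions: a multiplicative group mod a prime stands in for the pairing group, H is SHA-256, the challenge signature and its check are omitted, the exponent of rt_{i,k-l} is the user's global token in the parent group G_k, and GM_m recomputes the period token h_{l-m}^rt from the global rt read on RL_l before hashing, as in Derivation.

```python
import hashlib
# Added toy model of the key derivation and cascade revocation, not the paper's
# pairing-based instantiation: exponentiation mod a prime stands in for the group
# operation, H is SHA-256 and the challenge signature of Derivation is omitted.
P = 2**127 - 1  # Mersenne prime; tokens live in Z_P^*

def period_token(h_period, rt_global):
    """rt_{i,j} = h_j^(rt_i); one period k-l is set up per child G_l of G_k."""
    return pow(h_period, rt_global, P)

def derive_secret(msk_child, rt_period):
    """x_{i,l} = H(msk_l || rt_{i,k-l}), computed by GM_l during Derivation."""
    d = hashlib.sha256(msk_child + rt_period.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % P

class Group:
    def __init__(self, name, msk, h_from_parent=0):  # h_from_parent = public h_{k-l}
        self.name, self.msk, self.h = name, msk, h_from_parent
        self.members, self.RL, self.children = {}, [], []  # members: user -> x_{i,l}
    def derivation_join(self, uid, parent):
        """M_i sends rt_{i,k-l} = h_{k-l}^(his token in G_k); GM_l derives x_{i,l}."""
        self.members[uid] = derive_secret(self.msk, period_token(self.h, parent.members[uid]))
    def revoke(self, uid, log):
        """Local revocation (rt = x_{i,l} goes on RL_l), then the compulsory cascade."""
        rt = self.members.pop(uid)
        self.RL.append(rt); log.append(self.name)
        for child in self.children:
            child.cascade_from_parent(rt, log)
    def cascade_from_parent(self, rt_parent, log):
        """GM_m reads the new rt on RL_l and revokes the member (if any) whose
        x_{i,m} = H(msk_m || h_{l-m}^rt); the other members stay unlinked."""
        target = derive_secret(self.msk, period_token(self.h, rt_parent))
        for uid, x in list(self.members.items()):
            if x == target:
                self.revoke(uid, log)
    def upwards_match(self, rt_period, h_period):
        """Optional upwards step: GM_k recomputes rt_{i',k-l} for each member M_i'."""
        return next((u for u, x in self.members.items()
                     if period_token(h_period, x) == rt_period), None)

def demo_cascade():
    # Constructed tree National ID -> Student ID -> College 1; alice and bob join
    root, student, college = Group("National ID", b"msk0"), Group("Student ID", b"msk1", 5), Group("College 1", b"msk2", 7)
    root.children.append(student); student.children.append(college)
    root.members.update(alice=1234567, bob=7654321)
    student.derivation_join("alice", root); student.derivation_join("bob", root)
    college.derivation_join("alice", student)
    log = []; root.revoke("alice", log)
    return log, "bob" in student.members, root.upwards_match(period_token(5, 7654321), 5)
```

Revoking alice at the root cascades to Student ID and College 1 while bob stays enrolled; the upwards step shows GM_k recovering a member only from a token it can recompute itself.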
SECURITY
Random Oracle Model
Requirements are game-based
We reduce an attack against our construction to an attack against the underlying group signature scheme
In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game
APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT
Group signatures can be used for biometric anonymous authentication
Keys stored on a smartcard, biometric verification needed to sign
Adaptable to our hierarchical setting → identity management system: groups are identity domains, GMs are identity providers
J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008
J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT 2012.
4. Conclusion
CONCLUSION
From VLR Group Signatures with Backward Unlinkability, we build hierarchical group signatures with strong anonymity properties
New model
Security relies only on the security of the underlying group signature (+ ROM)
Open issues:
Improve the construction to enable Backward Unlinkability
Change the group set structure (any ordered set…)
Full version available on the IACR ePrint archive: http://eprint.iacr.org/2012/407
THANK YOU FOR YOUR ATTENTION
Questions ?