
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho.

Cross-Unlinkable Hierarchical Group Signatures

Julien Bringer (Morpho), Hervé Chabanne (Morpho, Télécom ParisTech), Alain Patey (Morpho, Télécom ParisTech)

13/09/2012


OUTLINE

1. VLR Group Signatures

2. From Backward Unlinkability to Cross-Unlinkability

3. Our Construction

4. Conclusion

Alain Patey / 13/09/2012 / EuroPKI 2012


/01/ VLR Group Signatures



DIGITAL SIGNATURES VS GROUP SIGNATURES


+ Anonymity


SETTING


Group Manager (GM):

- sets up the public parameters
- owns the master secret key
- issues the users' secret keys
- can lift the anonymity of a signature
- can revoke users


VERIFIER-LOCAL REVOCATION (VLR)

GM manages a public Revocation List (RL)



VLR: REVOCATION


Revocation of user i: the GM adds the revocation token of user i (rti) to the public RL.


VLR: SIGNATURE AND VERIFICATION


The user signs using his secret key.

Verifier (≠ GM) performs:

1) Signature Check: validity of the signature

2) Revocation Check: is the signer revoked?

(Revocation Check: one operation (exponentiation, pairing) per revoked user)


VLR GS COMPONENTS

KeyGen (GM): set group parameters

Join (GM, User): issue keys for a new group member

Sign (User): sign a message on behalf of the group

Verify (Verifier): verify a signature

Open (GM): reveal the identity of the creator of a given signature

Revoke (GM): revoke a user from the group



BACKWARD UNLINKABILITY

Problem: Once a user is revoked, everyone can use his revocation token to trace all his previous signatures

Solution: Make signatures and revocation dependent on time

Does not change (much) the complexity of signatures; only one public value per period must be published


[Figure: timeline of time periods 1, …, i, …, j, …, k]


SECURITY PROPERTIES

Correctness: Every signature correctly issued by an unrevoked member is checked as valid

Backward Unlinkability: Signatures do not reveal anything (to anyone but the signer and the GM) about their author and they remain anonymous even after the revocation of the user

Traceability: No coalition of attackers can forge a signature that cannot be traced to one of the members of the coalition.

Exculpability: Nobody (including the GM) is able to issue a signature on behalf of another member



/02/ From Backward Unlinkability to Cross-Unlinkability



HIERARCHICAL SETTING

Several groups in a tree structure

One group signature per group

Independent Group Managers

Requirement: To join a group, one must previously be a member of the parent group

Applications: Identity Management, attribute-based credentials


[Figure: example tree. National ID → Student ID → {College 1, College 2}; National ID → Driver's License → {Car Insurance, HGV License}]


CASCADE REVOCATION

Revocation follows the tree structure:

Revocation in a parent group ⇒ Revocation in the children groups (Downwards Revocation)

A child group can signal a revoked user to the parent group (Upwards Revocation, optional)

The parent group is not forced to revoke as well


[Figure: the same tree (National ID → Student ID → {College 1, College 2}; National ID → Driver's License → {Car Insurance, HGV License}); Downwards Revocation (compulsory) follows the edges from parent to child, Upwards Revocation (optional) from child to parent]


UNLINKABILITY

Cascade Revocation ⇒ key derivation, i.e. a link between the keys in parent/child groups

BUT: We aim at maximal anonymity

Anonymity in a given group should be preserved towards the GMs of other groups (even the parent group, sibling groups…) despite the revocation process

We call this property CROSS-UNLINKABILITY



FROM BACKWARD UNLINKABILITY TO CROSS-UNLINKABILITY

Idea: Transpose the Backward Unlinkability property

Time periods are transposed to children of a given group


[Figure: the group signature of Student ID has one period per child group: Period 1 ↔ College 1, Period 2 ↔ College 2, with Unlinkability between the two]


/03/ Our Construction



THE MODEL

KeyGen: The GMs set the group parameters

Enrolment (Mi, Gl): Mi gets keys for the group Gl

Derivation (Mi,Gk,Gl): Key derivation for a user Mi, applying to join Gl, child of Gk

Includes a proof of Gk membership

Sign (Mi,m,Gl): User Mi signs message m on behalf of Gl

Verify (s,m,Gl): Verifier checks a signature s for Gl

Revocation (Mi, Gl): Local Revocation, Downwards Revocation, (optional) Upwards Revocation



REQUIREMENTS

Correctness

Traceability

Cross-Unlinkability

Exculpability

Adaptations of the VLR Group Signatures properties to the hierarchical setting



CROSS-UNLINKABILITY

Game-based definition (as for Traceability and Exculpability)

Queries (before and after the Challenge): Enrol to G0, Derivation, Sign, User Corruption, GM Corruption, Revocation

Challenge: Adv. outputs m, m', M0, M1, Gk, Gl such that:

- M0 and M1 are both registered to Gk and Gl
- M0 and M1 are not corrupted
- At most one of the GMs is corrupted
- M0 and M1 are revoked from at most one group (the same one if they are both revoked), and the GM of the other group is not corrupted

C chooses two bits b, b' and signs m for Mb in group Gk and m' for Mb' in group Gl

Adv. tries to guess whether b = b'



UNDERLYING GROUP SIGNATURE

VLR Group Signature with Backward Unlinkability

Group parameters: gpk

Public/secret key for the GM of Gl: mpk, msk

User Mi's key for Gl: ski = (fi, xi, Ai)

- fi is chosen by Mi (not known by GMl)
- xi is chosen by GMl
- Ai = f(fi, xi, msk) is computed by GMl

Revocation token of Mi for Gl:

- Global: rti = xi
- Period j: rtij = hj^(rti) (hj is a public token)

(for an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.)



THE CONSTRUCTION

KeyGen:

- GM0 fixes gpk
- Every GMl chooses mpkl, mskl compatible with gpk
- For every group Gk, one « period » k-l per child group Gl must be set up

Join:

- If Gl = G0, run the Join algorithm of GM0
- Otherwise, run the Derivation algorithm. If all checks succeed, run an adapted Join algorithm for Gl, where xil is chosen as the output of the Derivation algorithm (instead of being random)


[Diagram annotations: common group parameters; independent GM keys; call Derivation to check that the user belongs to the parent group and to derive a signing key; then run the GS Join algorithm]


THE CONSTRUCTION II

Derivation (Gl is a child of Gk):

- GMl sends a challenge message m to Mi
- Mi signs it at period k-l
- Mi sends his revocation token rti_(k-l) = h_(k-l)^(rti)
- GMl checks the validity of the signature and the validity of rti_(k-l)
- GMl derives xil = H(mskl || rti_(k-l))

→ Join algorithm


THE CONSTRUCTION III

Sign, Join and Open are direct applications of the group signature algorithms

Revocation:

- Local: run the Revocation algorithm of the underlying group signature
- Downwards: for every child group Gm of Gl:
  - GMm looks at the updated revocation list RLl of Gl and reads the new rt
  - GMm checks if there is a registered user i in Gm such that xim = H(mskm || rt)
  - If there is one, GMm recursively runs Revocation
- Upwards (optional): GMl sends the period revocation token rti_(k-l) to GMk. If GMk wants to revoke the user, he computes rti'_(k-l) for every Mi' in Gk. When he finds the corresponding user, he starts a Revocation process.

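As an added worked example (not code from the slides or from the authors), the following Python script simulates slides 21 to 24 end to end: the period revocation tokens rtij = hj^(rti), the Derivation step xil = H(mskl || rti_(k-l)), the VLR revocation check (one exponentiation per entry of the parent's RL), the compulsory downwards cascade and the optional upwards identification. It uses a toy multiplicative group modulo the Mersenne prime 2^127 - 1 and SHA-256 as the random oracle H; the real scheme relies on the pairing-based VLR group signature cited on slide 21, whose Sign/Verify are not modelled here (only the revocation check is). The downwards check is implemented as xim = H(mskm || h_(l-m)^(rt)), that is, the child GM first recomputes the period token from the rt read in RLl so that it matches the Derivation step; that reading of the slide's shorter H(mskm || rt) is mine. All identifiers (Group, derive_and_join, downwards, upwards, demo) are assumptions of this example, and the tree is the one drawn on slide 13.

```python
from __future__ import annotations
import hashlib
import secrets

# Toy multiplicative group Z_p^* with a Mersenne prime; CONSTRUCTED for this
# example only. The real scheme works in a pairing-friendly group.
P = (1 << 127) - 1
ORDER = P - 1        # exponents are reduced modulo the group order
GEN = 3              # fixed base from which the public period tokens h are sampled


def to_bytes(x: int) -> bytes:
    return x.to_bytes(32, "big")


def H(msk: int, period_rt: int) -> int:
    """Random oracle H(msk_l || rt): SHA-256, read as a non-zero exponent."""
    d = hashlib.sha256(to_bytes(msk) + to_bytes(period_rt)).digest()
    return int.from_bytes(d, "big") % (ORDER - 1) + 1


class Group:
    """One group G_l of the tree, run by its own GM_l (assumed class name)."""

    def __init__(self, name: str, parent: Group | None = None):
        self.name = name
        self.parent = parent
        self.children: list[Group] = []
        self.msk = secrets.randbelow(ORDER - 1) + 1   # msk_l, known to GM_l only
        self.h: dict[str, int] = {}                   # h_{l-m}: public token per child G_m
        self.members: dict[str, int] = {}             # uid -> x_il (= global token rt_il)
        self.rl: list[int] = []                       # public revocation list RL_l
        if parent is not None:
            parent.children.append(self)
            # KeyGen: one "period" k-l per child group, i.e. one public h_{k-l}
            parent.h[name] = pow(GEN, secrets.randbelow(ORDER - 1) + 1, P)

    def period_rt(self, rt: int, child: Group) -> int:
        """rt_i^{k-l} = h_{k-l}^{rt_i}: token of a G_k member for period k-l."""
        return pow(self.h[child.name], rt, P)

    def join_root(self, uid: str) -> int:
        """Join of the root group G0: x_i0 is chosen at random by GM0."""
        x = secrets.randbelow(ORDER - 1) + 1
        self.members[uid] = x
        return x

    def revocation_check(self, period_rt: int, child: Group) -> bool:
        """VLR check at period k-l: one exponentiation per entry of RL_k."""
        return any(self.period_rt(rt, child) == period_rt for rt in self.rl)

    def derive_and_join(self, uid: str, period_rt: int) -> int:
        """Derivation + adapted Join of G_l (self), child of G_k. The
        signature-validity check belongs to the underlying group signature
        and is not modelled; the revocation check on rt_i^{k-l} is."""
        if self.parent.revocation_check(period_rt, self):
            raise PermissionError(f"{uid} is revoked from {self.parent.name}")
        x_il = H(self.msk, period_rt)       # x_il = H(msk_l || rt_i^{k-l})
        self.members[uid] = x_il
        return x_il

    def revoke(self, uid: str) -> list[str]:
        """Local revocation, then compulsory downwards revocation.
        Returns the names of the groups where a revocation happened."""
        rt = self.members[uid]
        if rt in self.rl:
            return []
        self.rl.append(rt)
        done = [self.name]
        for child in self.children:
            done += child.downwards(rt)
        return done

    def downwards(self, parent_rt: int) -> list[str]:
        """GM_m reads the new rt in RL_l, recomputes the period token and looks
        for a member with x_im = H(msk_m || h_{l-m}^{rt}); revoke recursively."""
        target = H(self.msk, self.parent.period_rt(parent_rt, self))
        for uid, x in self.members.items():
            if x == target:
                return self.revoke(uid)
        return []

    def upwards(self, period_rt: int, child: Group) -> str | None:
        """Optional upwards step: GM_k recomputes rt_{i'}^{k-l} for every
        member M_i' and returns the match; whether to revoke is GM_k's choice."""
        for uid, x in self.members.items():
            if self.period_rt(x, child) == period_rt:
                return uid
        return None


def demo() -> dict:
    """Tree of slide 13: enrolment, upwards identification, cascade revocation."""
    g0 = Group("National ID")
    student, driver = Group("Student ID", g0), Group("Driver's License", g0)
    college1, college2 = Group("College 1", student), Group("College 2", student)
    x0 = g0.join_root("alice")
    x_st = student.derive_and_join("alice", g0.period_rt(x0, student))
    x_dr = driver.derive_and_join("alice", g0.period_rt(x0, driver))
    x_c1 = college1.derive_and_join("alice", student.period_rt(x_st, college1))
    x_c2 = college2.derive_and_join("alice", student.period_rt(x_st, college2))
    reported = student.upwards(student.period_rt(x_st, college1), college1)
    cascade = student.revoke("alice")     # reaches both colleges, not the sibling
    try:                                  # a revoked member fails the VLR check
        college1.derive_and_join("alice", student.period_rt(x_st, college1))
        blocked = False
    except PermissionError:
        blocked = True
    return {"reported": reported, "cascade": cascade, "blocked": blocked,
            "driver_revoked": x_dr in driver.rl,
            "keys_differ": len({x0, x_st, x_dr, x_c1, x_c2}) == 5}


if __name__ == "__main__":
    print(demo())
```

The `demo()` walk-through shows the two properties the slides care about side by side: revoking Alice from Student ID propagates to College 1 and College 2 because each child GM can recompute her derived key from the published token and its own msk, while Driver's License (a sibling branch with its own period token and its own msk) learns nothing and keeps her enrolled.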


SECURITY

Random Oracle Model

Requirements are game-based

We reduce an attack against our construction to an attack against the underlying group signature scheme

In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game



APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT

Group signatures can be used for biometric anonymous authentication

Keys stored on a smartcard, biometric verification needed to sign

Adaptable to our hierarchical setting → identity management system: groups are identity domains, GMs are identity providers

J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008

J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT 2012.



/04/ Conclusion



CONCLUSION

From VLR Group Signatures with BU, we obtain hierarchical group signatures with strong anonymity properties

New model

Security relies only on the security of the underlying group signature (+ ROM)

Open issues:

- Improve the construction to enable Backward Unlinkability
- Change the group set structure (any ordered set…)

Full version available on the IACR ePrint archive: http://eprint.iacr.org/2012/407



THANK YOU FOR YOUR ATTENTION

Questions ?
