Slide1
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
Masayuki Abe, NTT
Jens Groth, University College London
Miyako Ohkubo, NICT
Mehdi Tibouchi, NTT
Slide2
Unified
Minimal
Small signatures and low verification complexity
Single group element public verification keys
Selectively randomizable
Strong existential unforgeability
Randomizability
Unified, Minimal and Selectively Randomizable Structure-Preserving Signatures
Type I
Type II
Type III
Slide3
Mathematical structures in cryptography
Cyclic prime order group
Useful mathematical structure
ElGamal encryption
Pedersen commitments
Schnorr proofs
…
Slide4
Pairing-based cryptography
Groups
with pairing
Additional mathematical structure
One-round tripartite key exchange
Identity-based encryption
Short digital signatures
NIZK proofs
…
Slide5
Structure-preserving cryptography
Preserve mathematical structure of pairing groups
Communication consists of group elements in
Use generic group operations
Multiplication, membership testing, pairing
Avoid structure-destroying operations
No cryptographic hash-functions
Modular design
Structure-preserving building blocks easy to combine
Slide6
Bilinear group setup
Groups
of prime order
Bilinear map
,
,
Types
Type I:
and
Type II:
but there is efficient
Type III:
and no efficient homomorphism
Symmetric setting
Conceptually simple
Asymmetric setting
Most efficient
Slide7
Structure-preserving signatures
Setup describes bilinear group and random group elements in
Verification key has group elements in
Messages consist of group elements in
Signatures consist of group elements in
Verifier uses pairing product equations to check validity of signatures, e.g.,
Slide8
Composition with other structure-preserving primitives
Easy to compose structure-preserving signatures with other structure-preserving primitives
ElGamal encryption is structure-preserving
Can encrypt signature
Groth-Sahai proofs are structure-preserving
Can give NIZK proof that message has been signed
And vice versa
Can sign ElGamal ciphertexts and Groth-Sahai proofs
Slide9
Lower bounds for Type I and III pairings
Theorem
A structure-preserving signature scheme must have at least 2 verification equations
A structure-preserving signature created by a signer that only uses generic group operations must be at least 3 group elements
Holds even for
Existential unforgeability under random message attack
Single group element messages
Slide10
Sketch of proof
Cannot have a single verification equation
Two signatures can be combined to forgery on third message
Each message must have many potential signatures
Signer using generic group operations must compute signature as linear combination of group elements from setup and message
If signatures are (quasi-)unique then possible to create forgery as linear combination of two previous signatures
A signature must have at least 3 group elements
Suppose the signature has only 1 or 2 group elements
Verification involves 2 equations in 1 or 2 unknowns
For a given message we have at most 4 solutions
This makes the signature scheme quasi-unique
Slide11
New structure-preserving signature scheme
Return
;
Return
: Return
Accept if and only if
Slide12
Security
Theorem
The signature scheme is strongly existentially unforgeable under adaptive chosen message attack in the generic group model
Need 4 group elements to base security on non-interactive assumptions [AGHO11], so strong assumption necessary to get optimal size signatures
Slide13
Optimal
Signature: 3 group elements
Verification: 2 verification equations
Prior art gave optimality in the asymmetric setting, but new in the symmetric setting
Shows attacker’s extra capability in the symmetric setting does not necessitate extra signature size
For one-time signatures the picture is different
Asymmetric setting: 1 verification equation possible
Symmetric setting: 2 verification equations necessary
Slide14
Minimal verification key
Setup:
Public verification key:
Single group element in verification key
Certification chains
Use
to sign , use
to sign
, etc.
Symmetric setting
Automorphic: Verification keys can be signed
Asymmetric setting
Can build certification chain by alternating between
and
Slide15
Unified
The signature scheme works in all types of bilinear groups, both symmetric and asymmetric
Separation of elements and operations in
Therefore possible to use it even in asymmetric groups
Security holds in all types of groups
Even in the symmetric setting
, which enables the adversary to mix and match components
Slide16
Unified
Conceptual simplicity
A single signature scheme that works in all settings
Resistance towards cryptanalysis
Use scheme in the asymmetric setting
Even if cryptanalysts discover an efficiently computable isomorphism
between
the scheme may still be secure
Type I
Type II
Type III
Slide17
Randomization
Strong existential unforgeability
Cannot forge signature on new message
Cannot change signature on previously signed message
Existential unforgeability + randomizability
Cannot forge signature on new message
Can randomize signature on previously signed message
Perfect randomization when randomized signature looks like fresh random signature on the same message
Slide18
Selective randomizability
Signer can make randomization token for signature
Randomization token makes it possible to randomize
Without randomization token not possible to randomize
Strong existential unforgeability under adaptive chosen message and token attack
Adversary can get signatures with or without tokens
Cannot forge signature on new message
Cannot create new signature on previously signed message unless it has a randomization token
Slide19
Selective randomizability
Accept if and only if
Randomization token
Randomization with randomization token
Slide20
Minimal
Signature: 3 group elements
Verification key: 1 group element
Verification: 2 equations
Unified
Selectively randomizable
Strong existential unforgeability
Randomizable with token
Summary
Type I
Type II
Type III