Rennes, 24/10/2014 Cristina Onete CIDRE/INRIA
Privacy in signatures. Hiding in rings, hiding in groups
Message authenticity
Cristina Onete || 24/10/2014 || 2
Amélie Baptiste
• Baptiste is waiting for a message from Amélie
• How can he make sure it’s really from her?
Why sign
More importantly: Telling good content from bad
[Figure: updates and virus definitions vs. malware, trojans and viruses sent to Baptiste]
• Updates vs. malware and trojans
• Message should be sent by authorized party
So far: MACs
Amélie Baptiste
Shared
Message authentication codes
• Usually implemented as a keyed hash function
• MScheme = (KGen, MAC, Vf)
$sk \leftarrow \mathrm{KGen}(1^n)$; $tag \leftarrow \mathrm{MAC}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(sk, m, tag)$
Repudiation: anyone with sk can generate a tag (at least two people)
Now: PK digital signatures
Amélie Baptiste
A
SScheme = (KGen, Sign, Vf)
$(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
Anyone can verify the signature!
Non-repudiation: signer can never deny generating a real signature
Contents
Signatures vs. PK Encryption
• A common misconception
• The Hash and Sign method
Privacy-preserving signatures
• Ring signatures
• Signature Scheme security
• Group signatures
• Rings vs. Groups
Common misconception
• Public-Key Encryption
• Digital Signatures
Inverse mechanisms?
[Figure: Amélie and Baptiste, with labels A, B and Secret]
Common misconception
Can we build signatures from encryption?
• Completely different functionality and goals!
Property | Encryption schemes | Signature schemes
Message integrity
Message confidentiality
Non-repudiation
Sender authentication
Using one primitive to get the other is dangerous!
Single receiver
Digital Signatures – Structure
SScheme = (KGen, Sign, Verify)
KGen()
A
Security parameter: determines key size
Everyone
𝑝𝑘 𝑠𝑘
Vf()
𝑚
𝑚 ,𝜎 Sign()
Signature Security
Functionality – correctness:
Security: unforgeability
B KGen()∀ Sign( )
Verify( )A
A
Verify
Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = \mathrm{Enc}_{pk}(m)$
• Decrypt: $m = \mathrm{Dec}_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = \mathrm{Dec}_{sk}(m)$
• Verify: $m = \mathrm{Enc}_{pk}(\sigma)$?
Exercise: Find a forgery () given only (no signatures)
Abuse encryption step
Input:
Choose random signature:
Find the message: encrypt signature
Output:
Note: this message is “random”, it doesn’t mean we can forge a signature for ANY message
Now verify:
Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = \mathrm{Enc}_{pk}(m)$
• Decrypt: $m = \mathrm{Dec}_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = \mathrm{Dec}_{sk}(m)$
• Verify: $m = \mathrm{Enc}_{pk}(\sigma)$?
Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any
Suppose: for any
Choosing messages well
Input:
Choose random message: . Get signature
Second message is: . Get signature
Output forgery:
Now verify:
$\mathrm{Enc}_{pk}(m_1) \cdot \mathrm{Enc}_{pk}(m_2) = \mathrm{Enc}_{pk}(m_1 m_2)$
=
$= m_1 m_2 = m_1 \cdot \frac{m}{m_1} = m$
How likely is it to get signatures ?
Attacks against Signatures
The more knows, the harder it is to get security
Security depends on what the attacker knows
Random-message attack:
• Lots of users all around
• Their messages are “random”
• Adv. gets (m, signature) pairs
• Forge signature on new message!
Attacks against Signatures
The more knows, the harder it is to get security
Security depends on what the attacker knows
Known-message attack:
• Lots of users all around
• Knows messages in advance, before receiving any signature
• Adv. gets (m, signature) pairs
• Forge signature on new message!
Hi, how are you?
I’m fine, thanks. How are you?
I’m very well, thank you
Attacks against Signatures
The more knows, the harder it is to get security
Security depends on what the attacker knows
Chosen-message attack:
• Lots of users all around
• Can choose messages that will be signed
• Adv. gets (m, signature) pairs
• Forge signature on new message!
$m_1, \ldots, m_n$
Attacks against Signatures
Attack | Unf-RMA | Unf-KMA | Unf-CMA
Power of | Weak | Not strong / Not weak | Strong
Hash and Sign in general
Use the same thing in general
Signature scheme $(\mathrm{KGen}_{Sig}, \mathrm{Sign}, \mathrm{Vf})$
Hash function $(\mathrm{Gen}_H, H)$
Key generation:
• Run and
• Signing:
$\sigma = \mathrm{Sign}(sk, H_s(m))$
• Verifying:
Compute: Return
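The two forgeries from the exercises above and the effect of Hash and Sign on them, as an added example that is not part of the original slides. It assumes textbook RSA as the multiplicative Enc/Dec pair (the slides do not name a scheme), a constructed insecure demo key, and SHA-256 reduced mod N as a stand-in for H_s; all function names are illustrative.

```python
import hashlib
import secrets
from math import gcd

# Constructed demo key from two public Mersenne primes: insecure, illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

def enc(m):  # Enc_pk, assumed here to be textbook RSA
    return pow(m, E, N)
def dec(c):  # Dec_sk
    return pow(c, D, N)

# Scheme from the slides: sigma = Dec_sk(m), accept iff m == Enc_pk(sigma).
def naive_sign(m):
    return dec(m % N)
def naive_verify(m, sigma):
    return m % N == enc(sigma)

def forge_no_message():
    """No signing queries: pick sigma first, then derive the message it signs."""
    sigma = secrets.randbelow(N - 2) + 2
    return enc(sigma), sigma

def forge_chosen_message(m, sign_oracle):
    """Two queries, on m1 and m/m1 (neither equals m); multiply the answers."""
    while True:
        m1 = secrets.randbelow(N - 2) + 2
        if gcd(m1, N) == 1 and m1 != m % N:
            break
    m2 = (m * pow(m1, -1, N)) % N
    return (sign_oracle(m1) * sign_oracle(m2)) % N

# Hash and Sign: sigma = Sign(sk, H(m)); SHA-256 reduced mod N stands in for H_s.
def h(m):
    return int.from_bytes(hashlib.sha256(str(m).encode()).digest(), "big") % N

def hs_sign(m):
    return dec(h(m))
def hs_verify(m, sigma):
    return h(m) == enc(sigma)

if __name__ == "__main__":
    target = 424242  # constructed target message
    print(naive_verify(target, forge_chosen_message(target, naive_sign)))
    print(hs_verify(target, forge_chosen_message(target, hs_sign)))
```

Against the hashed scheme the product of the two signatures is a signature on H(m1)·H(m2), which matches H(m) only if the hash itself is multiplicative or collides.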
Contents
Signatures vs. PK Encryption
• A common misconception
• The Hash and Sign method
Privacy-preserving signatures
• Ring signatures
• Group signatures
• Rings vs. Groups
• Signature Scheme security
So far: integrity & authenticity
A
Each corresponds to its owner
Successful verification means identifying signer!
Ring Signatures
Ring Signatures
Ring Signatures:
Regular Signatures:
$(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
•
•
Ring Signature Properties
Anonymity:
• Flavours of anonymity depend on how much we let the adversary control the ring and the keys in it.
𝐾𝐺𝑒𝑛
? ? ?
Ring Signature Properties
Unforgeability:
𝐾𝐺𝑒𝑛
0
• Could do this for a fixed ring, a chosen subring, or even allowing insider corruptions (the adversary learns secret keys)
Aside: pairings
Two groups: , all of prime order
• Generators: of , of
Pairing: a map which is:
• Bilinear:
$\forall a, b \in \mathbb{Z}_p : e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
• Non-degenerate:
$e(g_1, g_2) \neq 1$
• Computable:
should be efficiently computable
Pairings exist for many groups. Not all are efficiently computable!
Ring Signature – 2-Ring
Three groups: , all of prime order
• Generator: of
Key generation:
Choose . Set .
Signature on given , , :
Choose , set . Output
Signature on given ’, , :
Choose , set . Output
Verification of on message
Output 1 iff. AND
Ring vs. Group
Ring Signatures:
• Signer needs to get others
• Other ring members “independent” of signer, unaware of him
• Signer remains completely untraceable, even if he misbehaves
No accountability
Group signatures:
• Signer registers into a group of arbitrarily many signers
• Sign on behalf of a group (with just one )
• Optional anonymity revocation: can extract signer if needed
Ring Signatures
Group Signatures
G
Optional Anonymity Revocation
G
Group Signatures
Syntax
•
•
•
• {}
Sometimes
Registration key
Revocation key
Group Signature Properties
Full-anonymity:
𝐾𝐺𝑒𝑛
? ? ?
G
Group Signature Properties
Full-traceability:
𝐾𝐺𝑒𝑛G
General strategy
Public key is a function of all the keys
Traceability: use a ZK proof of knowledge, then use extractability to trace
Further Reading:
• [BMW03] Bellare, Micciancio, Warinschi: “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”, CRYPTO 2003
• [BBS04] Boneh, Boyen, Shacham: “Short Group Signatures”, CRYPTO 2004
CIDRE
Thanks!