Short Traceable Signatures Based on Bilinear Pairings
Seung Geol Choi (Columbia University), joint work with Kunsoo Park (Seoul National University) and Moti Yung (Columbia University)
Contents
- Overview of Traceable Signatures
- Motivation
- Preliminaries
- ZK for SDH Representation
- Construction
- Security
- Conclusion
Overview of Traceable Signatures

Traceable Signatures
- Can be regarded as an extension of group signatures.
- Provides all the operations of group signatures: setup, join, sign, verify, open
- Provides stronger revocation of anonymity: tracing (reveal, trace)
- Provides claiming (claim, claim_verify)
Why do we need traceable sig.?
Consider the following setting, a typical abstract large system:
- Many anonymous users
- Many remote verification points
- Users issue signatures that get aggregated and verified at the remote points.

Scenario #1: the Authority receives a tracing request of the form "open signature".

Scenario #2: the Authority receives a tracing request of the form "user X needs to be traced".
Using the opening mechanism from scenario #1, all signatures must be aggregated and the Authority will have to open all of them to discover the ones signed by user X.
Shortcomings of group sig.
- Signatures from remote verification points must be aggregated. (Load balancing concerns)
- The Authority must open all signatures, thus severely (and unnecessarily) violating the privacy of many users. (Privacy concerns)
- The Authority is typically a distributed entity, so that opening requires the collaboration of many agents. (Efficiency concerns)
- Outcome: Scenario #1 is insufficient for dealing with the above tracing request.
Scenario #3: a user wants to claim a signature as his own.
Features of Traceable Sig. (1)
- Anonymity
  - A user (group member) signs on behalf of the group.
  - Verification is done using the group's public key.
- Claiming
  - A user can claim his own signature.

Features of Traceable Sig. (2)
- Revocation of Anonymity
  - The group manager can open a problematic signature and find out who signed it.
  - The tracing agents can trace all the signatures of a suspicious user.
Motivation
- Previous constructions were quite long.
  - [KTY04]: 1206 bytes
  - [NS04]: 917 bytes
- Adapt the short group signature [BBS04] to traceable signatures.
  - Ours: 362 bytes
  - 1.5 ~ 3 times the length of an RSA sig.
Basic Tools
Three main basic tools:
- Bilinear pairings
- One-more SDH (Strong Diffie-Hellman) representation problem
- Linear encryption scheme
Basic Tools – Bilinear Pairings
- G1, G2, GT: cyclic groups of prime order p
- P1, P2: generators of G1, G2
- ψ: G2 → G1 (isomorphism)
- Def: a bilinear pairing e: G1 x G2 → GT is:
  - Bilinear: e(aP1, bP2) = e(P1, P2)^(ab) for all a, b ∈ Z
  - Non-degenerate: e(P1, P2) ≠ 1
  - Efficiently computable
Basic Tools – One More SDH Representation Problem (1)
- SDH Representation
  - Given P1, P2, Q, R where Q ∈ G1, R = γP2
  - SDH representation: (A, x, t) s.t. A = (xP1 + Q)/(t + γ)
  - or equivalently e(A, tP2 + R) = e(xP1 + Q, P2)
- One-more SDH representation problem
  - Given K SDH representations, output another valid SDH representation
Basic Tools – One More SDH Representation Problem (2)
- Under the q-SDH assumption, the one-more SDH representation problem is hard.
- q-SDH Assumption [BB04]: the following q-SDH problem is hard:
  - Given P1, P2, γP2, γ^2 P2, …, γ^q P2, find (A, x) s.t. (γ + x)A = P1 where A ∈ G1, x ∈ Zp
Basic Tools – Linear Encryption [BBS04] (1)
- Keys:
  - Encryption key: X, Y, Z ∈ G1
  - Decryption key: ξ1, ξ2 s.t. ξ1 X = Z, ξ2 Y = Z
- Encryption/Decryption
  - E(M) = (r1X, r2Y, M + (r1 + r2)Z)
  - D(C1, C2, C3) = C3 – ξ1C1 – ξ2C2
Basic Tools – Linear Encryption [BBS04] (2)
- Semantic security: under the DLDH (Decisional Linear Diffie-Hellman) assumption [BBS04], linear encryption is semantically secure.
- DLDH Assumption: the following problem is hard:
  - Given X, Y, Z, aX, bY, cZ, decide whether c = a + b or c is randomly chosen.
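The linear encryption scheme of the two slides above, as an added worked example (this is not code from the paper or from [BBS04]). It runs in a toy prime-order subgroup of Z_q^* instead of G1, so the additive key relation ξ1 X = Z becomes X^ξ1 = Z and E(M) becomes (X^r1, Y^r2, M · Z^(r1+r2)). The parameters q = 2039, p = 1019, G = 4 and the stand-in value for A are constructed for illustration and are far too small for real use.

```python
# Added example (not the paper's code): linear encryption [BBS04] in a toy
# prime-order group. The slides use additive notation in G1 (xi1*X = Z); here
# G1 is the order-p multiplicative subgroup of Z_q^*, so the key relation
# reads X^xi1 = Z and the ciphertext is (X^r1, Y^r2, M * Z^(r1+r2)).
import secrets

# Constructed toy parameters: q = 2p + 1 is a safe prime and G = 2^2 = 4
# generates the subgroup of prime order p. Far too small for real use.
Q_MOD = 2039
P_ORDER = 1019
G = 4


def rand_exp(nonzero=False):
    """Uniform exponent in Z_p (optionally excluding 0)."""
    e = secrets.randbelow(P_ORDER)
    while nonzero and e == 0:
        e = secrets.randbelow(P_ORDER)
    return e


def keygen():
    """Encryption key (X, Y, Z) and decryption key (xi1, xi2) with X^xi1 = Y^xi2 = Z."""
    Z = pow(G, rand_exp(nonzero=True), Q_MOD)
    xi1, xi2 = rand_exp(nonzero=True), rand_exp(nonzero=True)
    # X = Z^(1/xi1) and Y = Z^(1/xi2); exponents are inverted modulo the group order.
    X = pow(Z, pow(xi1, -1, P_ORDER), Q_MOD)
    Y = pow(Z, pow(xi2, -1, P_ORDER), Q_MOD)
    return (X, Y, Z), (xi1, xi2)


def encrypt(ek, M):
    """E(M) = (X^r1, Y^r2, M * Z^(r1+r2)) for fresh random r1, r2."""
    X, Y, Z = ek
    r1, r2 = rand_exp(), rand_exp()
    C1 = pow(X, r1, Q_MOD)
    C2 = pow(Y, r2, Q_MOD)
    C3 = M * pow(Z, r1 + r2, Q_MOD) % Q_MOD
    return C1, C2, C3


def decrypt(dk, ct):
    """D(C1, C2, C3) = C3 / (C1^xi1 * C2^xi2); the divisor equals Z^(r1+r2)."""
    xi1, xi2 = dk
    C1, C2, C3 = ct
    mask = pow(C1, xi1, Q_MOD) * pow(C2, xi2, Q_MOD) % Q_MOD
    return C3 * pow(mask, -1, Q_MOD) % Q_MOD


def key_relation_holds(ek, dk):
    """Check the Setup condition xi1*X = Z, xi2*Y = Z (written multiplicatively)."""
    X, Y, Z = ek
    xi1, xi2 = dk
    return pow(X, xi1, Q_MOD) == Z and pow(Y, xi2, Q_MOD) == Z


def open_demo():
    """Mirror of the Open procedure: (T1, T2, T3) is a linear encryption of the
    signer's A, and only the holder of (xi1, xi2) recovers A. Returns
    (A, recovered, ciphertexts_differ) so the fresh randomness of every
    signature is visible."""
    ek, dk = keygen()
    A = pow(G, 123, Q_MOD)          # constructed stand-in for the SDH component A
    sig1 = encrypt(ek, A)
    sig2 = encrypt(ek, A)
    return A, decrypt(dk, sig1), sig1 != sig2
```

The decryption key is never needed to produce a ciphertext, which is exactly why a signer can embed an encryption of A in every signature while only the group manager (holder of ξ1, ξ2) can open it.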
ZK for SDH Representation

Basic Idea
- Why do we need this?
  - Come up with a ZK proof for the rep, and use the proof as a sig (FS transform) → Anonymity
  - The rep is a witness of the proof → a signing key
Basic Setting
- Proof: PK{(A, x, t): e(xP1 + Q, P2) = e(A, tP2 + R)}
- Instance: P1, Q, P2, R
  - where P1 (gen. of G1), Q (random point), P2 (gen. of G2), R (= γP2)
- Prover's aux input (SDH rep./witness): (A, x, t) s.t. e(xP1 + Q, P2) = e(A, tP2 + R)
- Other public parameters
  - For linear enc.: X, Y, Z (gen. of G1)
  - Etc.: W (gen. of G2)
ZK for SDH Representation (1)
- Prover constructs T1, …, T5:
  - T1 = r1X, T2 = r2Y, T3 = A + (r1 + r2)Z (linear enc. of A)
  - T4 = r3W, T5 = e(P1, T4)^x (DLP of x)
- Sub-proof:
  PK{(a1, a2, b1, b2, u, v):
    T1 = a1X, T2 = a2Y, uT1 = b1X, uT2 = b2Y,
    T5 = e(P1, T4)^v,
    e(T3, P2)^u · e(T3, R) = e(Z, P2)^(b1+b2) · e(Z, R)^(a1+a2) · e(P1, P2)^v · e(Q, P2) }
ZK for SDH Representation (2)
- There exists a simulator (i.e. it is ZK)
  - T1, …, T5:
    - From semantic security of linear enc.:
      - Pick a random A'
      - T1 = r1X, T2 = r2Y, T3 = A' + (r1 + r2)Z
    - From DDH:
      - Pick a random x'
      - T4 = r3W, T5 = e(P1, T4)^x'
    - Indistinguishable from the original transcript
  - Sub-proof: run the simulator of the sub-proof
ZK for SDH Representation (3)
- There exists an extractor (i.e. it is a POK)
  - Sub-proof: a simple 3-move honest-verifier DLP ZK-POK → there exists an extractor for the sub-proof
  - Using the extractor of the DLP proof, we can also extract an SDH rep.
- Specifically
  - Let (a1, a2, b1, b2, u, v) be the extracted witness.
  - b1 + b2 = u(a1 + a2)
ZK for SDH Representation (4)
  e(T3, P2)^u · e(T3, R) = e(Z, P2)^(b1+b2) · e(Z, R)^(a1+a2) · e(P1, P2)^v · e(Q, P2)
  e(T3, uP2 + R) = e(Z, (b1+b2)P2 + (a1+a2)R) · e(vP1 + Q, P2)
  e(T3, uP2 + R) / e(Z, u(a1+a2)P2 + (a1+a2)R) = e(vP1 + Q, P2)
  e(T3, uP2 + R) / e((a1+a2)Z, uP2 + R) = e(vP1 + Q, P2)
  e(T3 – (a1+a2)Z, uP2 + R) = e(vP1 + Q, P2)
- If we let A = T3 – (a1+a2)Z, then e(A, uP2 + R) = e(vP1 + Q, P2)
  → (A, u, v) is an SDH rep.
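The simulator and extractor arguments of slides (2) through (4) rest on the sub-proof being a 3-move honest-verifier DLP proof of knowledge. The following added example (not the paper's code) shows that proof for a single discrete-log relation T = G^x in a constructed prime-order subgroup of Z_q^* standing in for G1/GT: the honest protocol, a simulator that outputs accepting transcripts without knowing x, and an extractor that recovers x from two transcripts that share a commitment (the rewinding step). The parameters q = 2039, p = 1019, G = 4 and the challenges 17 and 23 are constructed toy values.

```python
# Added example (not the paper's code): the 3-move honest-verifier proof of
# knowledge of a discrete log that the sub-proof is built from, together with
# the two algorithms the ZK and POK arguments rely on: a simulator that
# produces accepting transcripts without the witness, and an extractor that
# recovers the witness from two transcripts sharing a commitment. The group
# is a constructed prime-order subgroup of Z_q^* standing in for G1/GT.
import secrets

Q_MOD = 2039      # safe prime q = 2p + 1 (toy size)
P_ORDER = 1019    # prime order p of the subgroup generated by G
G = 4             # 4 = 2^2 has order p in Z_q^*


def inv_mod_q(a):
    return pow(a, -1, Q_MOD)


# --- honest execution: prover knows x with T = G^x -------------------------
def commit():
    """Move 1: prover picks nonce b and sends B = G^b (the B_i of the slides)."""
    b = secrets.randbelow(P_ORDER)
    return b, pow(G, b, Q_MOD)


def respond(x, b, c):
    """Move 3: s = b + c*x mod p (the s_i of the slides)."""
    return (b + c * x) % P_ORDER


def verify(T, B, c, s):
    """Verifier's check: G^s == B * T^c, i.e. G^(b + cx) == G^b * (G^x)^c."""
    return pow(G, s, Q_MOD) == B * pow(T, c, Q_MOD) % Q_MOD


def honest_transcript(x):
    T = pow(G, x, Q_MOD)
    b, B = commit()
    c = secrets.randbelow(P_ORDER)            # honest verifier: random challenge
    return T, (B, c, respond(x, b, c))


# --- simulator (zero knowledge) ----------------------------------------------
def simulate(T):
    """Accepting transcript for T chosen *without* knowing x: pick c and s first,
    then solve for the commitment B = G^s * T^(-c). Because b, c are uniform in
    an honest run and c, s are uniform here, (B, c, s) has the honest distribution."""
    c = secrets.randbelow(P_ORDER)
    s = secrets.randbelow(P_ORDER)
    B = pow(G, s, Q_MOD) * inv_mod_q(pow(T, c, Q_MOD)) % Q_MOD
    return B, c, s


# --- extractor (proof of knowledge) --------------------------------------------
def extract(T, t1, t2):
    """Two accepting transcripts with the same B and different challenges give
    s1 - s2 = (c1 - c2) * x, so x = (s1 - s2) / (c1 - c2) mod p."""
    (B1, c1, s1), (B2, c2, s2) = t1, t2
    if B1 != B2 or c1 == c2:
        raise ValueError("extractor needs equal commitments and distinct challenges")
    x = (s1 - s2) * pow((c1 - c2) % P_ORDER, -1, P_ORDER) % P_ORDER
    if pow(G, x, Q_MOD) != T:
        raise ValueError("extracted value is not a discrete log of T")
    return x


def rewind_demo(x):
    """Model the extractor's rewinding: run the prover twice from the same
    commitment with two constructed challenges, 17 and 23."""
    T = pow(G, x, Q_MOD)
    b, B = commit()
    t1 = (B, 17, respond(x, b, 17))
    t2 = (B, 23, respond(x, b, 23))
    return T, t1, t2
```

The extractor is exactly the step the slides apply to the sub-proof: once (a1, a2, b1, b2, u, v) come out of the DLP extractor, the algebra on slide (4) turns them into the SDH representation (T3 – (a1+a2)Z, u, v).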
Construction

Procedures of Traceable Sig.
- Setup
- Join/Iss
- Sign/Verify
- Open
- Reveal/Trace
- Claim/Claim_Verify
Construction – Setup
- Generate public parameters for ZK for SDH rep.: P1, Q, P2, R, X, Y, Z, W
  - For SDH rep.: P1, Q, P2, R
  - For linear enc.: X, Y, Z s.t. ξ1 X = Z, ξ2 Y = Z
  - Etc.: W
- The group manager's private key: (γ, ξ1, ξ2)
  - γ: for the generation of SDH reps (join proc.)
  - ξ1, ξ2: dec. key for linear enc. (opening)
Construction – Join/Iss
- Interactive protocol between a user (Join) and the group manager (Iss)
  - Ui (user i) → GM: xiP1
  - GM → Ui: (Ai, ti) s.t. e(Ai, tiP2 + R) = e(xiP1 + Q, P2)
    - Let Ci = xiP1; then Ai = (Ci + Q)/(ti + γ)
  - Ui now has an SDH rep: (Ai, xi, ti)
  - GM stores the joining record: (Ai, Ci, ti)
- Note that the GM can generate (Ai, ti) without knowing the value xi.
Construction – Sign/Verify (1)
- Big picture of the ZK protocol for SDH rep.: a 3-move honest-verifier proof for DLP
  - Instance: T1, …, T5
  - P (Prover) → V (Verifier): B1, …, B6
  - V → P: c
  - P → V: sa1, sa2, sb1, sb2, su, sv
  - V: checks if sa1, sa2, sb1, sb2, su, sv are consistent.
Construction – Sign/Verify (2)
- Details
  - T1 = r1X, T2 = r2Y, T3 = A + (r1 + r2)Z
  - T4 = r3W, T5 = e(P1, T4)^x
  - d1 = r1·t, d2 = r2·t
  - B1 = br1·X, B2 = br2·Y,
  - B3 = bt·T1 – bd1·X, B4 = bt·T2 – bd2·Y
  - B5 = e(P1, T4)^bx
  - B6 = e(T3, P2)^bt · e(Z, P2)^(–bd1–bd2) · e(Z, R)^(–br1–br2) · e(P1, P2)^(–bx)
  - sr1 = br1 + c·r1, sr2 = br2 + c·r2,
  - sd1 = bd1 + c·d1, sd2 = bd2 + c·d2,
  - sx = bx + c·x, st = bt + c·t
Construction – Sign/Verify (3)
- Apply the variant of Fiat-Shamir to the protocol (Schnorr-type sig.)
- Sign:
  - Replace the verifier's challenge with a hash of the message and the commitments B1, …, B6: c = H(m, T1, …, T5, B1, …, B6)
  - The signature will be: (T1, …, T5, c, sr1, sr2, sd1, sd2, st, sx)
  - 362 bytes: T5 = 1024 bits, all others 170 bits.
- Verification:
  - Construct B'1, …, B'6 from the signature.
  - Check if H(m, T1, …, T5, B'1, …, B'6) =? c.
Construction – Open
- Given a signature (T1, …, T5, c, sr1, sr2, sd1, sd2, st, sx)
- The GM uses his decryption key for linear enc. to recover A from T1, T2, T3.
  - T1 = r1X, T2 = r2Y, T3 = A + (r1 + r2)Z
  - Dec(T1, T2, T3) = T3 – ξ1T1 – ξ2T2 = A
- Look up the user j in the join records {(Ai, Ci, ti)} such that Aj = A
Construction – Tracing a User (Reveal/Trace)
- Reveal
  - Given the identity j of a certain user Uj, returns information to be used for tracing
  - The GM returns Cj from his join record (Aj, Cj, tj).
- Trace
  - Given Cj (from Reveal), the tracing info of Uj, and a sig. (T1, …, T5, c, sr1, sr2, sd1, sd2, st, sx), decides whether it is Uj's sig. or not.
  - Check: e(Cj, T4) =? T5
  - (Note that T5 = e(P1, T4)^x while e(Cj, T4) = e(xjP1, T4) = e(P1, T4)^xj, so the two match exactly when the signature's x equals xj.)
Construction – Claiming a Sig. (Claim/Claim_Verify)
- Claim:
  - Given a sig. (T1, …, T5, c, sr1, sr2, sd1, sd2, st, sx), the signer returns a NIZK proof PK{y: T5 = e(P1, T4)^y}.
- Claim_Verify: verify the proof.
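The Sign/Verify slides and the Claim slide both use the same non-interactive proof: a Schnorr-type 3-move DLP proof whose challenge is replaced by a hash of the message and the commitment, and whose verifier rebuilds the commitment from (c, s). The added example below (not the paper's code) shows that transform for one discrete-log relation: `sign`/`verify` bind a message m the way the signature does, and `claim`/`claim_verify` run the same proof with no message for PK{y: T5 = base^y}. A constructed prime-order subgroup of Z_q^* (q = 2039, p = 1019, G = 4) stands in for the pairing groups, and a second generator stands in for the GT element e(P1, T4); those values and the hash encoding are the example's own assumptions.

```python
# Added example (not the paper's code): the Fiat-Shamir / Schnorr-type
# signature of knowledge from the Sign/Verify slides, and the Claim proof,
# which is the same non-interactive proof run for PK{y : T5 = e(P1, T4)^y}.
# The verifier's challenge is replaced by c = H(m, public values, commitment);
# the signature is (c, s) and the verifier recomputes the commitment from it.
# A constructed prime-order subgroup of Z_q^* stands in for the pairing
# groups, and a second generator stands in for the GT element e(P1, T4).
import hashlib
import secrets

Q_MOD, P_ORDER, G = 2039, 1019, 4   # toy safe-prime group; G has order P_ORDER


def hash_challenge(*parts):
    """c = H(m, base, T, B). Each part is length-prefixed so the encoding is
    unambiguous; the full 256-bit digest is used as the challenge."""
    h = hashlib.sha256()
    for part in parts:
        blob = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(blob).to_bytes(4, "big") + blob)
    return int.from_bytes(h.digest(), "big")


def sign(base, x, msg=b""):
    """Signature of knowledge of x with T = base^x on msg. Returns (T, c, s)."""
    T = pow(base, x, Q_MOD)
    b = secrets.randbelow(P_ORDER)           # prover's nonce
    B = pow(base, b, Q_MOD)                  # commitment (the B_i of the slides)
    c = hash_challenge(msg, base, T, B)      # hash replaces the verifier's move
    s = (b + c * x) % P_ORDER                # response (the s_i of the slides)
    return T, c, s


def verify(base, T, c, s, msg=b""):
    """Rebuild B' = base^s * T^(-c) and check H(m, base, T, B') == c."""
    T_to_c_inv = pow(pow(T, c, Q_MOD), -1, Q_MOD)
    B_prime = pow(base, s, Q_MOD) * T_to_c_inv % Q_MOD
    return hash_challenge(msg, base, T, B_prime) == c


# --- Claim / Claim_Verify ----------------------------------------------------
def claim(e_P1_T4, y):
    """Signer proves knowledge of y with T5 = e(P1, T4)^y; no message is bound."""
    T5, c, s = sign(e_P1_T4, y)
    return T5, (c, s)


def claim_verify(e_P1_T4, T5, proof):
    c, s = proof
    return verify(e_P1_T4, T5, c, s)
```

Verification never sees the nonce b or the witness, only (c, s) and the public values; the signature in the scheme is the same shape, with T1, …, T5 as the public values and six responses instead of one. Altering the message or any response changes the recomputed commitment and therefore the hash, which is what the `=? c` check on slide (3) catches.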
Security

Security Model [KTY04]
- There are three kinds of attacks:
  - Misidentification: the adv. forges a valid signature that is opened/traced to no one.
  - Framing: the adv. forges a valid signature that is opened/traced to an innocent user, even if the adv. corrupts the GM.
  - Anonymity: the adv. distinguishes a sig. of user A from a sig. of user B.
- The adv. is allowed to access oracles.
Oracles
- QY: returns the public key
- QS: returns the GM's private key
- Qp-join: executes a join dialog internally
- Qa-join: executes an Iss procedure (adv. is playing the role of user; oracle is playing the role of GM)
- Qb-join: executes a Join procedure (adv. is playing the role of GM; oracle is playing the role of user)
- Qsig: given <i, m>, returns a signature on m by the i-th user
- Qreveal: given <i>, returns the tracing info Ci
Misidentification attack
- Oracles available to the adv.: QY, Qp-join, Qa-join, Qsig, Qreveal
- The oracles represent the system collectively: good users and the GM.
- The adv. forges a sig. satisfying:
  - it opens to none of the controlled group, or
  - it traces to none of the controlled group.
- Secure against misidentification from the hardness of the one-more SDH rep. problem.
Framing attack
- Oracles available to the adv.: QY, QS, Qb-join, Qsig
- The oracles represent the system collectively: good users and the GM.
- The adv. forges a sig. satisfying:
  - it opens to an innocent user, or
  - it traces to an innocent user.
- Secure against framing from the hardness of DLP.
Anonymity attack
- Oracles available to the adv.: QY, Qp-join, Qa-join, Qsig, Qreveal
- The adv. selects two users i0, i1 (by name) and sends i0, i1 to the challenger.
- The challenger picks b randomly from {0,1}, generates a sig. σ of ib, and returns σ.
- The adv. guesses b.
- The adv. is not allowed to call Qreveal(i0) or Qreveal(i1), before or after i0 and i1 are chosen.
- Secure against anonymity attacks from the semantic security of linear encryption and the DDH assumption.
Security of Our Scheme
- Theorem: under the q-SDH and DLDH assumptions, our scheme is secure in the random oracle model.
Conclusion
- Invented a new technical tool: the one-more SDH rep. problem, based on the q-SDH assumption
- Constructed a short scheme
  - Ours: 362 bytes
  - 1.5 ~ 3 times the length of an RSA sig.
  - [KTY04]: 1206 bytes, [NS04]: 917 bytes
- Proved the security formally