Slide - Cristina Onete

Privacy in signatures. Hiding in rings, hiding in groups
Rennes, 24/10/2014
CIDRE/INRIA
Cristina Onete
 Message authenticity
Amélie
Baptiste
 Message authenticity
• Baptiste is waiting for a message from Amélie
• How can he make sure it’s really from her?
Cristina Onete ||
24/10/2014
||
2
 Why sign
Baptiste
 More importantly: Telling good content from bad
• Updates vs. malware and trojans
• Message should be sent by authorized party
 So far: MACs
Shared
Amélie
Baptiste
 Message authentication codes
• Usually implemented as a keyed hash function
• MScheme = (KGen, MAC, Vf)
$sk \leftarrow \mathrm{KGen}(1^n)$; $tag \leftarrow \mathrm{MAC}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(sk, m, tag)$
Repudiation: anyone with sk can generate a tag (at least two people)
 Now: PK digital signatures
A
Amélie
Baptiste
 SScheme = (KGen, Sign, Vf)
$(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
Anyone can verify the signature!
Non-repudiation: signer can never deny generating a real signature
 Contents
 Signatures vs. PK Encryption
• A common misconception
• Signature Scheme security
• The Hash and Sign method
 Privacy-preserving signatures
• Ring signatures
• Rings vs. Groups
• Group signatures
 Common misconception
• Public-Key Encryption
B
B
Amélie
Baptiste
Inverse mechanisms?
• Digital Signatures
A
Amélie
Baptiste
 Common misconception
 Can we build signatures from encryption?
• Completely different functionality and goals!
Properties compared (encryption schemes vs. signature schemes):
• Message integrity
• Message confidentiality
• Non-repudiation
• Sender authentication
• Single receiver
 Using one primitive to get the other is dangerous!
 Digital Signatures – Structure
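 SSchemes = (KGen, Sign, Verify)
• $\mathrm{KGen}(1^k)$: the security parameter determines key size; $pk$ goes to everyone, $sk$ to A
• $\mathrm{Sign}(sk, m)$: A sends $m, \sigma$
• $\mathrm{Vf}(pk, m, \sigma)$: run on the received $m$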
 Signature Security
 Functionality – correctness: [figure: ∀ … KGen($1^k$), Verify(…, Sign(…), …)]
 Security: unforgeability [figure: Verify]
 Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = Enc_{pk}(m)$
• Decrypt: $m = Dec_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = Dec_{sk}(m)$
• Verify: $m \stackrel{?}{=} Enc_{pk}(\sigma)$
 Exercise: Find a forgery $(m, \sigma)$ given only $pk$ (no signatures)
 Abuse encryption step
 Input: $pk$
 Choose random signature: $\sigma$
 Find the message: encrypt signature $m = Enc_{pk}(\sigma)$
 Output: $(m, \sigma)$
 Now verify: $Enc_{pk}(\sigma) = m$
 Note: this message is “random”, it doesn’t mean we can forge a signature for ANY message $m$
 Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = Enc_{pk}(m)$
• Decrypt: $m = Dec_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = Dec_{sk}(m)$
• Verify: $m \stackrel{?}{=} Enc_{pk}(\sigma)$
 Suppose: $Enc_{pk}(m_1) * Enc_{pk}(m_2) = Enc_{pk}(m_1 m_2)$ for any $m_1, m_2$
 Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any $m$
 Choosing messages well
 Input: $m$, $pk$
 Choose random message: $m_1$. Get signature $\sigma_1 = Dec_{sk}(m_1)$
 Second message is: $m_2 = \frac{m}{m_1}$. Get signature $\sigma_2 = Dec_{sk}(m_2)$
 Output forgery: $\sigma = \sigma_1 \sigma_2$
 Now verify: $Enc_{pk}(\sigma_1 \sigma_2) = Enc_{pk}(Dec_{sk}(m_1) Dec_{sk}(m_2)) = Enc_{pk}(Dec_{sk}(m_1))\, Enc_{pk}(Dec_{sk}(m_2)) = m_1 m_2 = m_1 \frac{m}{m_1} = m$
(using $Enc_{pk}(m_1) * Enc_{pk}(m_2) = Enc_{pk}(m_1 m_2)$)
 How likely is it to get signatures $\sigma_1, \sigma_2$?
 Attacks against Signatures
 Security depends on what the attacker knows
 The more the attacker knows, the harder it is to get security
 Random-message attack:
• Lots of users all around
• Their messages are “random”
• Adv. gets (m, signature) pairs
• Forge signature on new message!
 Attacks against Signatures
 Security depends on what the attacker knows
 The more the attacker knows, the harder it is to get security
 Known-message attack:
• Lots of users all around
• Knows messages in advance, before receiving any signature
• Adv. gets (m, signature) pairs
• Forge signature on new message!
[Figure: a predictable exchange: “Hi, how are you?” / “I’m fine, thanks. How are you?” / “I’m very well, thank you”]
 Attacks against Signatures
 Security depends on what the attacker knows
 The more the attacker knows, the harder it is to get security
 Chosen-message attack:
• Lots of users all around
• Can choose messages $m_1, \ldots, m_n$ that will be signed
• Adv. gets (m, signature) pairs
• Forge signature on new message!
 Attacks against Signatures
[Figure: Unf-RMA, Unf-KMA and Unf-CMA arranged by “Power of Attack”: Strong / Not strong/Not weak / Weak]
 Hash and Sign in general
 Use the same thing in general
 Signature scheme $(KGen_{Sig}, Sign, Vf)$
 Hash function $(Gen_H, H)$
 Key generation:
• Run $(sk_{Sig}, pk_{Sig}) \leftarrow KGen_{Sig}$ and $s \leftarrow Gen_H$
• Signing: $\sigma = Sign(sk, H_s(m))$
• Verifying: compute $H_s(m)$, return $Vf(pk, H_s(m), \sigma)$
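An added example (not from the slides) that runs both forgery exercises above against textbook RSA, used here as an assumed instance of Enc/Dec with the multiplicative property, and then repeats the multiplication against Hash and Sign with SHA-256 standing in for $H$. The key, the messages and all function names are constructed for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes): far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent

def enc(x): return pow(x, E, N)         # Enc_pk
def dec(x): return pow(x, D, N)         # Dec_sk

# Scheme from the slides: Sign = Dec_sk, Verify checks m == Enc_pk(sigma).
def raw_sign(m): return dec(m)
def raw_verify(m, sigma): return enc(sigma) == m % N

# Hash and Sign: the signed value is H(m), never m itself.
def h(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hs_sign(msg: bytes): return dec(h(msg))
def hs_verify(msg: bytes, sigma): return enc(sigma) == h(msg)

def key_only_forgery(sigma):
    """First exercise: no signing queries; the message is Enc_pk(sigma)."""
    return enc(sigma), sigma

def two_query_forgery(m, sign_oracle, m1=2):
    """Second exercise: signatures on m1 and m/m1 multiply to one on m."""
    m2 = m * pow(m1, -1, N) % N
    return sign_oracle(m1) * sign_oracle(m2) % N

def product_of_hashed_sigs(a: bytes, b: bytes):
    """The same multiplication, tried against Hash and Sign."""
    return hs_sign(a) * hs_sign(b) % N

if __name__ == "__main__":
    m, s = key_only_forgery(123456789)
    print("key-only forgery verifies:", raw_verify(m, s))
    t = 424242
    print("two-query forgery verifies:", raw_verify(t, two_query_forgery(t, raw_sign)))
    print("honest hash-and-sign verifies:", hs_verify(b"update-1.2", hs_sign(b"update-1.2")))
    print("product accepted for b'ab':", hs_verify(b"ab", product_of_hashed_sigs(b"a", b"b")))
```

The last check is rejected because $H(a) \cdot H(b)$ equals $H(ab)$ only by accident: hashing removes the algebraic relation between messages that both exercises rely on.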
 Contents
 Signatures vs. PK Encryption
• A common misconception
• Signature Scheme security
• The Hash and Sign method
 Privacy-preserving signatures
• Ring signatures
• Rings vs. Groups
• Group signatures
 So far: integrity & authenticity
A
 Each 𝑝𝑘 corresponds to its owner
 Successful verification means identifying signer!
 Ring Signatures
 Ring Signatures
 Regular Signatures:
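$(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
 Ring Signatures:
• $(SK, PK) \leftarrow \mathrm{KGen}(1^n)$;
• $\sigma \leftarrow \mathrm{Sign}(i, SK; m, R)$; with $R = \{PK_1, \ldots, PK_n\}$ and $(SK, PK_i) \leftarrow \mathrm{KGen}(1^n)$;
• $\{0,1\} \leftarrow \mathrm{Vf}(R, m, \sigma)$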
 Ring Signature Properties
 Anonymity:
• Flavours of anonymity depend on how much we let the adversary control the ring and the keys in it.
 Ring Signature Properties
 Unforgeability:
• Could do this for a fixed ring, a chosen subring, or even allowing insider corruptions (the adversary learns secret keys)
 Aside: pairings
 Two groups: $G_1, G_2, G_T$, all of prime order $p$
• Generators: $g_1$ of $G_1$, $g_2$ of $G_2$
 Pairing: a map $e: G_1 \times G_2 \to G_T$ which is:
• Bilinear: $\forall a, b \in Z_p: e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
• Non-degenerate: $e(g_1, g_2) \neq 1$
• Computable: $e$ should be efficiently computable
Pairings exist for many groups. Not all are efficiently computable!
 Ring Signature – 2-Ring
 Three groups: $G = G_1 = G_2$, $G_T$, all of prime order $p$
• Generator: $g$ of $G$
 Key generation:
Choose $sk \leftarrow Z_p$. Set $PK = g^{sk}$.
 Signature on $m \in Z_p$, given $sk$, $PK$, $PK' = g^{sk'}$:
Choose $r \leftarrow Z_p$, set $a = g^r$. Output $\sigma = (a, (PK')^r, a^{sk} (PK')^{m \cdot sk \cdot r})$
 Signature on $m \in Z_p$, given $sk'$, $PK'$, $PK = g^{sk}$:
Choose $r \leftarrow Z_p$, set $a = g^r$. Output $\sigma = (a, a^{sk'}, PK^{r + m \cdot sk' \cdot r})$
 Verification of $\sigma = (a, b, c)$ on message $m$
Output 1 iff. $e(a, PK') = e(g, b)$ AND $e(PK, a)\, e(PK, b)^m = e(g, c)$
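An added example, not part of the slides: the two signing procedures and the verification equations above, run in a toy model where each element $g^x$ is represented by its exponent $x$. That representation is an assumption made so the pairing can be computed without a library; it offers no security, and all function names are hypothetical.

```python
import secrets

# Toy model (assumption, NOT a real pairing group): the element g^x is stored as
# its exponent x mod p, so discrete logs are trivial and nothing here is secure.
# It only lets the slide's equations be executed and compared.
p = 2**61 - 1                              # constructed prime order
G = 1                                      # generator g = g^1

def mul(x, y): return (x + y) % p          # g^x * g^y (also used in G_T)
def power(x, k): return (x * k) % p        # (g^x)^k   (also used in G_T)
def e(x, y): return (x * y) % p            # e(g^x, g^y) = e(g, g)^(xy)
def rand(): return secrets.randbelow(p - 1) + 1

def keygen():
    sk = rand()
    return sk, power(G, sk)

def sign_with_sk(sk, pk_other, m, r=None):
    """Holder of sk (PK = g^sk) signs m for the ring {PK, PK'}."""
    r = r or rand()
    a = power(G, r)
    return a, power(pk_other, r), mul(power(a, sk), power(pk_other, m * sk * r))

def sign_with_sk_prime(sk_prime, pk, m, r=None):
    """Holder of sk' (PK' = g^sk') signs m for the same ring."""
    r = r or rand()
    a = power(G, r)
    return a, power(a, sk_prime), power(pk, r + m * sk_prime * r)

def verify(pk, pk_prime, m, sig):
    a, b, c = sig
    return (e(a, pk_prime) == e(G, b)
            and mul(e(pk, a), power(e(pk, b), m)) == e(G, c))

if __name__ == "__main__":
    (sk, pk), (sk2, pk2) = keygen(), keygen()
    m, r = 2014, rand()
    s1, s2 = sign_with_sk(sk, pk2, m, r), sign_with_sk_prime(sk2, pk, m, r)
    print(verify(pk, pk2, m, s1), verify(pk, pk2, m, s2), s1 == s2)
```

With the same $r$, both signers output the identical triple $(g^r, g^{sk' r}, g^{sk \cdot r (1 + m \cdot sk')})$, which is why a verifier cannot tell which ring member signed.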
 Ring vs. Group
 Ring Signatures:
• Signer needs to get $|R| - 1$ other $PK$s
• Other ring members “independent” of signer, unaware of him
• Signer remains completely untraceable, even if he misbehaves
No accountability
 Group signatures
• Signer registers into a group of arbitrarily many signers
• Sign on behalf of a group (with just one 𝑠𝑘)
• Optional anonymity revocation : can extract signer if needed
 Ring Signatures
 Group Signatures
 Optional Anonymity Revocation
 Group Signatures
 Syntax
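• $(GSK = \{gsk_1, \ldots, gsk_l\}, GPK, GMSK) \leftarrow \mathrm{KGen}(1^n, 1^l)$;
• $\sigma \leftarrow \mathrm{GSign}(gsk_i; m)$;
• $\{0,1\} \leftarrow \mathrm{GVf}(GPK, m, \sigma)$
• $\{i, FAIL\} \leftarrow \mathrm{Open}(GMSK, m, \sigma)$
 Sometimes $GMSK = (GMK, GRK)$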
Revocation key
Registration key
 Group Signature Properties
 Full-anonymity:
 Group Signature Properties
 Full-traceability:
 General strategy
 Public key is a function of all the keys
 Traceability: use a ZK proof of knowledge, then use extractability to trace
 Further Reading:
• [BMW03] Bellare, Micciancio, Warinschi: “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”, CRYPTO 2003
• [BMW04] Boneh, Boyen, Shacham: “Short Group Signatures”, CRYPTO 2004
Thanks!
CIDRE