Privacy in signatures. Hiding in rings, hiding in groups
Rennes, 24/10/2014
CIDRE / INRIA
Cristina Onete

Message authenticity
(Figure: Amélie, Baptiste)
• Baptiste is waiting for a message from Amélie
• How can he make sure it’s really from her?

Why sign
(Figure: Baptiste)
More importantly: telling good content from bad
• Updates vs. malware and trojans
• Message should be sent by authorized party

So far: MACs
(Figure: Amélie, Baptiste; label: Shared)
Message authentication codes
• Usually implemented as a keyed hash function
• MScheme = (KGen, MAC, Vf)
  $sk \leftarrow \mathrm{KGen}(1^n)$; $tag \leftarrow \mathrm{MAC}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(sk, m, tag)$
Repudiation: anyone with $sk$ can generate a tag (at least two people)

Now: PK digital signatures
(Figure: Amélie, Baptiste)
SScheme = (KGen, Sign, Vf)
  $(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
Anyone can verify the signature!
Non-repudiation: signer can never deny generating a real signature

Contents
Signatures vs. PK Encryption
• A common misconception
• Signature Scheme security
• The Hash and Sign method
Privacy-preserving signatures
• Ring signatures
• Rings vs. Groups
• Group signatures

Common misconception
• Public-Key Encryption (figure: Amélie, Baptiste)
• Digital Signatures (figure: Amélie, Baptiste)
Inverse mechanisms?

Common misconception
Can we build signatures from encryption?
• Completely different functionality and goals!
Table (columns: Property, Encryption schemes, Signature schemes), rows:
• Message integrity
• Message confidentiality
• Non-repudiation
• Sender authentication
• Single receiver
Using one primitive to get the other is dangerous!

Digital Signatures – Structure
SScheme = (KGen, Sign, Verify)
• $\mathrm{KGen}(1^k)$: the security parameter determines key size. Outputs $pk$ (to everyone) and $sk$ (to the signer, A)
• $\mathrm{Sign}(sk, m)$: outputs $m, \sigma$
• $\mathrm{Vf}(pk, m, \sigma)$

Signature Security
Functionality – correctness: (figure: ∀ keys from $\mathrm{KGen}(1^k)$, Verify applied to the output of Sign)
Security: unforgeability (figure: Verify)

Inverse mechanisms?
PK Encryption
• Key Generation: $pk$, $sk$
• Encrypt: $c = Enc_{pk}(m)$
• Decrypt: $m = Dec_{sk}(c)$
Signatures
• Key Generation: $pk$, $sk$
• Sign: $\sigma = Dec_{sk}(m)$
• Verify: $m \stackrel{?}{=} Enc_{pk}(\sigma)$
Exercise: Find a forgery $(m, \sigma)$ given only $pk$ (no signatures)

Abuse encryption step
Input: $pk$
Choose random signature: $\sigma$
Find the message: encrypt signature, $m = Enc_{pk}(\sigma)$
Output: $(m, \sigma)$
Now verify: $Enc_{pk}(\sigma) = m$
Note: this message is “random”, it doesn’t mean we can forge a signature for ANY message $m$

Inverse mechanisms?
Suppose: $Enc_{pk}(m_1) * Enc_{pk}(m_2) = Enc_{pk}(m_1 m_2)$ for any $m_1, m_2$
Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any $m$

Choosing messages well
Input: $m$, $pk$
Choose random message: $m_1$. Get signature $\sigma_1 = Dec_{sk}(m_1)$
Second message is: $m_2 = \frac{m}{m_1}$. Get signature $\sigma_2 = Dec_{sk}(m_2)$
Output forgery: $\sigma = \sigma_1 \sigma_2$
Now verify, using $Enc_{pk}(m_1) * Enc_{pk}(m_2) = Enc_{pk}(m_1 m_2)$:
$Enc_{pk}(\sigma_1 \sigma_2) = Enc_{pk}(Dec_{sk}(m_1)\, Dec_{sk}(m_2)) = Enc_{pk}(Dec_{sk}(m_1))\, Enc_{pk}(Dec_{sk}(m_2)) = m_1 m_2 = m_1 \frac{m}{m_1} = m$
How likely is it to get signatures $\sigma_1, \sigma_2$?

Attacks against Signatures
Security depends on what the attacker knows
The more the attacker knows, the harder it is to get security

Random-message attack:
• Lots of users all around
• Their messages are “random”
• Adv. gets (m, signature) pairs
• Forge signature on new message!

Known-message attack:
• Lots of users all around
• Knows messages in advance, before receiving any signature
• Adv. gets (m, signature) pairs
• Forge signature on new message!
(Figure: conversation “Hi, how are you?” / “I’m fine, thanks. How are you?” / “I’m very well, thank you”)

Chosen-message attack:
• Lots of users all around
• Can choose messages that will be signed
• Adv. gets (m, signature) pairs
• Forge signature on new message!
(Figure: messages $m_1, \ldots, m_n$)

Attacks against Signatures
(Figure: axis “Power of Attack” with levels Strong, Not strong / Not weak, Weak; notions Unf-RMA, Unf-KMA, Unf-CMA)

Hash and Sign in general
Use the same thing in general
Signature scheme $(KGen_{Sig}, Sign, Vf)$
Hash function $(Gen_H, H)$
• Key generation: Run $(sk_{Sig}, pk_{Sig}) \leftarrow KGen_{Sig}$ and $s \leftarrow Gen_H$
• Signing: $\sigma = Sign(sk, H_s(m))$
• Verifying: Compute $H_s(m)$. Return $Vf(pk, H_s(m), \sigma)$

So far: integrity & authenticity
Each $pk$ corresponds to its owner
Successful verification means identifying signer!

Ring Signatures
Regular Signatures:
  $(sk, pk) \leftarrow \mathrm{KGen}(1^n)$; $\sigma \leftarrow \mathrm{Sign}(sk, m)$; $\{0,1\} \leftarrow \mathrm{Vf}(pk, m, \sigma)$
Ring Signatures:
• $(SK, PK) \leftarrow \mathrm{KGen}(1^n)$;
• $\sigma \leftarrow \mathrm{Sign}(i, SK; m, R)$; with $R = \{PK_1, \ldots, PK_n\}$ and $(SK, PK_i) \leftarrow \mathrm{KGen}(1^n)$;
• $\{0,1\} \leftarrow \mathrm{Vf}(R, m, \sigma)$

Ring Signature Properties
Anonymity: (figure: KGen)
• Flavours of anonymity depend on how much we let the adversary control the ring and the keys in it.

Ring Signature Properties
Unforgeability: (figure: KGen)
• Could do this for a fixed ring, a chosen subring, or even allowing insider corruptions (the adversary learns secret keys)

Aside: pairings
Two groups: $G_1, G_2$, $G_T$, all of prime order $p$
• Generators: $g_1$ of $G_1$, $g_2$ of $G_2$
Pairing: a map $e: G_1 \times G_2 \to G_T$ which is:
• Bilinear: $\forall a, b \in Z_p$: $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$
• Non-degenerate: $e(g_1, g_2) \neq 1$
• Computable: $e$ should be efficiently computable
Pairings exist for many groups. Not all are efficiently computable!

Ring Signature – 2-Ring
Three groups: $G = G_1 = G_2$, $G_T$, all of prime order $p$
• Generator: $g$ of $G$
Key generation: Choose $sk \leftarrow Z_p$. Set $PK = g^{sk}$.
Signature on $m \in Z_p$, given $sk$, $PK$, $PK' = g^{sk'}$:
  Choose $r \leftarrow Z_p$, set $a = g^r$. Output $\sigma = (a, (PK')^r, a^{sk} (PK')^{m \cdot sk \cdot r})$
Signature on $m \in Z_p$, given $sk'$, $PK'$, $PK = g^{sk}$:
  Choose $r \leftarrow Z_p$, set $a = g^r$. Output $\sigma = (a, a^{sk'}, PK^{r + m \cdot sk' \cdot r})$
Verification of $\sigma = (a, b, c)$ on message $m$:
  Output 1 iff $e(a, PK') = e(g, b)$ AND $e(PK, a)\, e(PK, b)^m = e(g, c)$

Ring vs. Group
Ring Signatures:
• Signer needs to get $R - 1$ other $PK$s
• Other ring members “independent” of signer, unaware of him
• Signer remains completely untraceable, even if he misbehaves
No accountability
Group signatures:
• Signer registers into a group of arbitrarily many signers
• Sign on behalf of a group (with just one $sk$)
• Optional anonymity revocation: can extract signer if needed

Ring Signatures
(Figure)

Group Signatures
(Figure: group G)

Optional Anonymity Revocation
(Figure: group G)

Group Signatures Syntax
• $GSK = \{gsk_1, \ldots, gsk_l\}$, $GPK$, $GMSK \leftarrow \mathrm{KGen}(1^n, 1^l)$;
• $\sigma \leftarrow \mathrm{GSign}(gsk_i; m)$;
• $\{0,1\} \leftarrow \mathrm{GVf}(GPK, m, \sigma)$
• $\{i, FAIL\} \leftarrow \mathrm{Open}(GMSK, m, \sigma)$
Sometimes $GMSK = (GMK, GRK)$ (figure labels: Revocation key, Registration key)

Group Signature Properties
Full-anonymity: (figure: KGen, group G)

Group Signature Properties
Full-traceability: (figure: KGen, group G)

General strategy
Public key is a function of all the keys
Traceability: use a ZK proof of knowledge, then use extractability to trace
Further Reading:
• [BMW03] Bellare, Micciancio, Warinschi: “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”, CRYPTO 2003
• [BBS04] Boneh, Boyen, Shacham: “Short Group Signatures”, CRYPTO 2004
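
The two forgery exercises (“Abuse encryption step”, “Choosing messages well”) and the Hash and Sign fix, as an added example that is not part of the original slides. It assumes textbook RSA as the multiplicative Enc/Dec pair, a constructed toy key, and SHA-256 reduced mod N standing in for $H_s$; all function names are illustrative.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # modular inverse, Python 3.8+

def enc(x): return pow(x, E, N)      # Enc_pk (textbook RSA, an assumption)
def dec(x): return pow(x, D, N)      # Dec_sk

# Scheme from the slides: Sign = Dec_sk, Verify checks m == Enc_pk(sigma).
def raw_sign(m): return dec(m)
def raw_verify(m, sigma): return enc(sigma) == m % N

# Hash-and-sign: sign H(m) instead of m (SHA-256 mod N stands in for H_s).
def H(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def hs_sign(msg): return dec(H(msg))
def hs_verify(msg, sigma): return enc(sigma) == H(msg)

def forge_no_queries(sigma):
    """'Abuse encryption step': choose sigma, output m = Enc_pk(sigma)."""
    return enc(sigma), sigma

def forge_two_queries(m, m1, sign_oracle):
    """'Choosing messages well': m2 = m/m1, sigma = sigma1 * sigma2."""
    m2 = m * pow(m1, -1, N) % N
    return sign_oracle(m1) * sign_oracle(m2) % N

def demo():
    m_rand, s_rand = forge_no_queries(123456789)
    target = 424242
    s_target = forge_two_queries(target, 77, raw_sign)
    # Same product trick against hash-and-sign: H(a)*H(b) does not equal
    # H(msg) except with negligible probability, so the product is useless.
    msg = b"pay 100 EUR"
    s_prod = hs_sign(b"hello") * hs_sign(b"world") % N
    return {
        "raw_no_query_forgery": raw_verify(m_rand, s_rand),
        "raw_two_query_forgery": raw_verify(target, s_target),
        "hashed_product_forgery": hs_verify(msg, s_prod),
        "hashed_honest": hs_verify(msg, hs_sign(msg)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

With hashing in place, the no-query trick also stops being a forgery: the attacker obtains a value $Enc_{pk}(\sigma)$ but would still need a message whose hash equals it.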
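
Correctness of the 2-ring scheme from the “Ring Signature – 2-Ring” slide, written out as an added derivation (not part of the original slides). It uses only the slide's symbols and the bilinearity of $e$.

Signer holding $sk$ (with $PK' = g^{sk'}$), randomness $r$:
\[
a = g^{r}, \qquad b = (PK')^{r} = g^{sk' r}, \qquad c = a^{sk}\,(PK')^{m \cdot sk \cdot r} = g^{sk\, r + m \cdot sk \cdot sk' \cdot r}
\]
Signer holding $sk'$ (with $PK = g^{sk}$), randomness $r$:
\[
a = g^{r}, \qquad b = a^{sk'} = g^{sk' r}, \qquad c = PK^{\,r + m \cdot sk' \cdot r} = g^{sk\, r + m \cdot sk \cdot sk' \cdot r}
\]
Both verification equations then hold for either signer:
\[
\begin{aligned}
e(a, PK') &= e(g^{r}, g^{sk'}) = e(g, g)^{r \cdot sk'} = e(g, g^{sk' r}) = e(g, b) \\
e(PK, a)\, e(PK, b)^{m} &= e(g, g)^{sk \cdot r}\; e(g, g)^{m \cdot sk \cdot sk' \cdot r} = e(g, g)^{sk\, r + m \cdot sk \cdot sk' \cdot r} = e(g, c)
\end{aligned}
\]
For the same $r$ the two signing procedures output the identical triple $(a, b, c)$, and $r$ is uniform in $Z_p$ in both cases, so the signature does not depend on which of the two secret keys produced it.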