Download presentation

Presentation is loading. Please wait.

Published byLewis Byland Modified about 1 year ago

1
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. Cross-Unlinkable Hierarchical Group Signatures Julien Bringer 1, Hervé Chabanne 12, Alain Patey 12 1 Morpho, 2 Télécom ParisTech 13/09/2012

2
1 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. OUTLINE 1. VLR Group Signatures 2. From Backward Unlinkability to Cross-Unlinkability 3. Our Construction 4. Conclusion Alain Patey / 13/09/2012 / EuroPKI 2012

3
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 2 / VLR Group Signatures /01/ Alain Patey / 13/09/2012 / EuroPKI 2012

4
3 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. DIGITAL SIGNATURES VS GROUP SIGNATURES Alain Patey / 13/09/2012 / EuroPKI Anonymity

5
4 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SETTING Alain Patey / 13/09/2012 / EuroPKI 2012 Group Manager (GM) Sets up public parameters Owns the master secret key Issues users secret keys Can raise anonymity of a signature Can revoke users

6
5 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VERIFIER-LOCAL REVOCATION (VLR) GM manages a public Revocation List (RL) Alain Patey / 13/09/2012 / EuroPKI 2012

7
6 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR: REVOCATION Alain Patey / 13/09/2012 / EuroPKI 2012 User i Revocation Revocation token of user i (rt i ) added to RL rt i

8
7 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR: SIGNATURE AND VERIFICATION Alain Patey / 13/09/2012 / EuroPKI 2012 User signs using his secret key Verifier (≠ GM) 1)Signature Check: Validity of the signature 2) Revocation Check: Is the signer revoked ? (Revocation Check: one operation (exponentiation, pairing) per revoked user)

9
8 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR GS COMPONENTS KeyGen (GM): set group parameters Join (GM, User): issue keys for a new group member Sign (User): sign a message on behalf of the group Verify (Verifier): verify a signature Open (GM): reveal the identity of the creator of a given signature Revoke (GM): revoke a user from the group Alain Patey / 13/09/2012 / EuroPKI 2012

10
9 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. BACKWARD UNLINKABILITY Problem: Once a user is revoked, using his revocation token, everyone can trace all his previous signatures Solution: Make signatures and revocation dependent of time Does not change (much) complexity of signatures, only a public information per period must be published Alain Patey / 13/09/2012 / EuroPKI 2012 ……… Time Period 1 Time Period i Time Period j Time Period k …

11
10 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SECURITY PROPERTIES Correctness: Every signature correctly issued by an unrevoked member is checked as valid Backward Unlinkability: Signatures do not reveal anything (to anyone but the signer and the GM) about their author and they remain anonymous even after the revocation of the user Traceability: No group of attackers can forge a signature that can not be traced to one of the members of the coalition. Exculpability: Nobody (including GM) is able to issue another’s member signature Alain Patey / 13/09/2012 / EuroPKI 2012

12
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 11 / From Backward Unlinkability to Cross- Unlinkability /02/ Alain Patey / 13/09/2012 / EuroPKI 2012

13
12 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. HIERARCHICAL SETTING Several groups in a tree structure One group signature per group Independent Group Managers Requirement: To join a group, one must previously be a member the parent group Applications: Identity Management, attribute-based credentials Alain Patey / 13/09/2012 / EuroPKI 2012 National ID Student ID Driver’s License College 1 College 2 Car Insurance HGV License

14
13 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CASCADE REVOCATION Revocation follows the tree structure: Revocation in a parent group ⇒ Revocation in the children groups (Downwards Revocation) Child group can signal a revoked user to the parent group (Upwards Revocation, optional) Parent group is not forced to also revoke Alain Patey / 13/09/2012 / EuroPKI 2012 National ID Student ID Driver’s License College 1 College 2 Car Insurance HGV License Upwards Revocation (optional) Downwards Revocation (compulsory)

15
14 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. UNLINKABILITY Cascade Revocation ⇒ Key derivation, link between the keys in parent/child groups BUT: We aim at maximal anonymity Anonymity in a given group should be preserved towards GM’s of other groups (even parent group, sibling groups…) despite the revocation process We call this property CROSS-UNLINKABILITY Alain Patey / 13/09/2012 / EuroPKI 2012

16
15 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. FROM BACKWARD UNLINKABILITY TO CROSS- UNLINKABILITY Idea: Transpose the Backward Unlinkability property Time periods are transposed to children of a given group Alain Patey / 13/09/2012 / EuroPKI 2012 Student ID College 1 College 2 Group Signatur e Period 1 Period 2 Unlinkability ⇒

17
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 16 / Our Construction /03/ Alain Patey / 13/09/2012 / EuroPKI 2012

18
17 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE MODEL KeyGen: The GM’s set the groups parameters Enrolment (M i, G l ): M i gets keys for the group G l Derivation (M i,G k,G l ): Key derivation for a user M i, applying to join G l, child of G k Includes a proof of G k membership Sign (M i,m,G l ): User M i signs message m on behalf of G l Verify (s,m,G l ): Verifier checks a signature s for G l Revocation (M i,G l ): Local Revocation Downwards Revocation (Optional) Upwards Revocation Alain Patey / 13/09/2012 / EuroPKI 2012

19
18 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. REQUIREMENTS Correctness Traceability Cross-Unlinkability Exculpability Adaptations of the VLR Group Signatures properties to the hierarchical setting Alain Patey / 13/09/2012 / EuroPKI 2012

20
19 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CROSS-UNLINKABILITY Game-based definition (as Traceability and Exculpability) Queries (before and after Challenge): Enrol to G 0, Derivation, Sign, User Corruption, GM Corruption, Revocation Challenge: Adv. outputs m, m’, M 0, M 1, G k, G l such that: M 0 and M 1 are both registered to G k and G l M 0 and M 1 are not corrupted At most one of the GM’s is corrupted M 0 and M 1 are revoked from at most one group (the same if they are both revoked) and the GM of the other group is not corrupted C chooses two bits b, b’ and signs m for M b in group G k and m’ for M b’ in group G l Adv. tries to guess if b=b’ Alain Patey / 13/09/2012 / EuroPKI 2012

21
20 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. UNDERLYING GROUP SIGNATURE VLR Group Signature with Backward Unlinkability Group Parameters: gpk Public/secret key for GM of G l : mpk, msk User M i ’s key for G l : sk i = f i, x i, A i f i is chosen by Mi (not known by GM l ) x i is chosen by GM l A i =f(f i,x i,msk) is computed by GM l Revocation token of M i for G l : Global: rt i = x i Period j: rt ij = h j ^(rt i ) (h j is a public token) (for an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.) Alain Patey / 13/09/2012 / EuroPKI 2012

22
21 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION KeyGen: GM 0 fixes gpk Every GM l chooses mpk l, msk l compatible with gpk For every group G k, one « period » k-l per child group G l must be set up Join If G l =G 0, run the Join algorithm of GM 0 Otherwise, run the Derivation algorithm. If all checks succeed, run an adapted Join algorithm for G l, where x i l is chosen as the output of the Derivation algorithm (instead of being random) Alain Patey / 13/09/2012 / EuroPKI 2012 Common group parameters Independent GM keys Common group parameters Independent GM keys Call Derivation to -Check that the user belongs to the parent group -Derive a signing key Run the GS Join algorithm Call Derivation to -Check that the user belongs to the parent group -Derive a signing key Run the GS Join algorithm

23
22 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION II Derivation (G l is child of G k ) GM l sends a challenge message m to M i M i signs it at period k-l M i sends his revocation token rt i k-l =h k-l rtil GM l checks the validity of the signature and the validity of rt i k-l GMl derives x i l =H(msk l ||rt i k-l ) Alain Patey / 13/09/2012 / EuroPKI 2012 Join algorithm

24
23 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION III Sign, Join and Open are direct applications of the group signature algorithms Revocation: Local: Run the Revocation algorithm of the underlying group signature Downwards: For every a child group G m of G l: GM m looks at the updated revocation list RL l of G l and reads the new rt GM m checks if there is a registered user i in G m such that x i m =H(msk m ||rt) If there is one, GM m recursively runs Revocation Upwards (optional): GM l sends the period revocation token rt i k-l to GM k. If GM k wants to revoke the user, he computes rt i’ k-l for every M i’ in G k. When he finds the corresponding user, he starts a Revocation process Alain Patey / 13/09/2012 / EuroPKI 2012

25
24 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SECURITY Random Oracle Model Requirements are game-based We reduce an attack against our construction to an attack against the underlying group signature scheme In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game Alain Patey / 13/09/2012 / EuroPKI 2012

26
25 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT Group signatures can be used for biometric anonymous authentication Keys stored on a smartcard, biometric verification needed to sign Adaptable to our hierarchical setting → identity management system Groups are identity domains, GM’s are identity providers J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008 J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT Alain Patey / 13/09/2012 / EuroPKI 2012

27
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 26 / Conclusion /04/ Alain Patey / 13/09/2012 / EuroPKI 2012

28
27 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CONCLUSION From VLR Group Signatures with BU, we set hierarchical group signatures with strong anonymity properties New model Security only relies on the security of the underlying group signature (+ ROM) Open Issues: Improve the construction to enable Backward Unlinkability Change the group set structure (any ordered set…) Full version available on the IACR ePrint archive: Alain Patey / 13/09/2012 / EuroPKI 2012

29
28 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THANK YOU FOR YOUR ATTENTION Questions ? Alain Patey / 13/09/2012 / EuroPKI 2012

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google