Presentation is loading. Please wait.

Presentation is loading. Please wait.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

Similar presentations


Presentation on theme: "This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written."— Presentation transcript:

1 This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. Cross-Unlinkable Hierarchical Group Signatures Julien Bringer 1, Hervé Chabanne 12, Alain Patey 12 1 Morpho, 2 Télécom ParisTech 13/09/2012

2 1 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. OUTLINE 1. VLR Group Signatures 2. From Backward Unlinkability to Cross-Unlinkability 3. Our Construction 4. Conclusion Alain Patey / 13/09/2012 / EuroPKI 2012

3 This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 2 / VLR Group Signatures /01/ Alain Patey / 13/09/2012 / EuroPKI 2012

4 3 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. DIGITAL SIGNATURES VS GROUP SIGNATURES Alain Patey / 13/09/2012 / EuroPKI Anonymity

5 4 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SETTING Alain Patey / 13/09/2012 / EuroPKI 2012  Group Manager (GM)  Sets up public parameters  Owns the master secret key  Issues users secret keys  Can raise anonymity of a signature  Can revoke users

6 5 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VERIFIER-LOCAL REVOCATION (VLR)  GM manages a public Revocation List (RL) Alain Patey / 13/09/2012 / EuroPKI 2012

7 6 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR: REVOCATION Alain Patey / 13/09/2012 / EuroPKI 2012 User i Revocation Revocation token of user i (rt i ) added to RL rt i

8 7 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR: SIGNATURE AND VERIFICATION Alain Patey / 13/09/2012 / EuroPKI 2012 User signs using his secret key Verifier (≠ GM) 1)Signature Check: Validity of the signature 2) Revocation Check: Is the signer revoked ? (Revocation Check: one operation (exponentiation, pairing) per revoked user)

9 8 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. VLR GS COMPONENTS  KeyGen (GM): set group parameters  Join (GM, User): issue keys for a new group member  Sign (User): sign a message on behalf of the group  Verify (Verifier): verify a signature  Open (GM): reveal the identity of the creator of a given signature  Revoke (GM): revoke a user from the group Alain Patey / 13/09/2012 / EuroPKI 2012

10 9 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. BACKWARD UNLINKABILITY  Problem: Once a user is revoked, using his revocation token, everyone can trace all his previous signatures  Solution: Make signatures and revocation dependent of time  Does not change (much) complexity of signatures, only a public information per period must be published Alain Patey / 13/09/2012 / EuroPKI 2012 ……… Time Period 1 Time Period i Time Period j Time Period k …

11 10 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SECURITY PROPERTIES  Correctness: Every signature correctly issued by an unrevoked member is checked as valid  Backward Unlinkability: Signatures do not reveal anything (to anyone but the signer and the GM) about their author and they remain anonymous even after the revocation of the user  Traceability: No group of attackers can forge a signature that can not be traced to one of the members of the coalition.  Exculpability: Nobody (including GM) is able to issue another’s member signature Alain Patey / 13/09/2012 / EuroPKI 2012

12 This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 11 / From Backward Unlinkability to Cross- Unlinkability /02/ Alain Patey / 13/09/2012 / EuroPKI 2012

13 12 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. HIERARCHICAL SETTING  Several groups in a tree structure  One group signature per group  Independent Group Managers  Requirement: To join a group, one must previously be a member the parent group  Applications: Identity Management, attribute-based credentials Alain Patey / 13/09/2012 / EuroPKI 2012 National ID Student ID Driver’s License College 1 College 2 Car Insurance HGV License

14 13 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CASCADE REVOCATION  Revocation follows the tree structure:  Revocation in a parent group ⇒ Revocation in the children groups (Downwards Revocation)  Child group can signal a revoked user to the parent group (Upwards Revocation, optional)  Parent group is not forced to also revoke Alain Patey / 13/09/2012 / EuroPKI 2012 National ID Student ID Driver’s License College 1 College 2 Car Insurance HGV License Upwards Revocation (optional) Downwards Revocation (compulsory)

15 14 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. UNLINKABILITY  Cascade Revocation ⇒ Key derivation, link between the keys in parent/child groups  BUT: We aim at maximal anonymity  Anonymity in a given group should be preserved towards GM’s of other groups (even parent group, sibling groups…) despite the revocation process  We call this property CROSS-UNLINKABILITY Alain Patey / 13/09/2012 / EuroPKI 2012

16 15 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. FROM BACKWARD UNLINKABILITY TO CROSS- UNLINKABILITY  Idea: Transpose the Backward Unlinkability property  Time periods are transposed to children of a given group Alain Patey / 13/09/2012 / EuroPKI 2012 Student ID College 1 College 2 Group Signatur e Period 1 Period 2 Unlinkability ⇒

17 This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 16 / Our Construction /03/ Alain Patey / 13/09/2012 / EuroPKI 2012

18 17 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE MODEL  KeyGen: The GM’s set the groups parameters  Enrolment (M i, G l ): M i gets keys for the group G l  Derivation (M i,G k,G l ): Key derivation for a user M i, applying to join G l, child of G k  Includes a proof of G k membership  Sign (M i,m,G l ): User M i signs message m on behalf of G l  Verify (s,m,G l ): Verifier checks a signature s for G l  Revocation (M i,G l ):  Local Revocation  Downwards Revocation  (Optional) Upwards Revocation Alain Patey / 13/09/2012 / EuroPKI 2012

19 18 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. REQUIREMENTS  Correctness  Traceability  Cross-Unlinkability  Exculpability  Adaptations of the VLR Group Signatures properties to the hierarchical setting Alain Patey / 13/09/2012 / EuroPKI 2012

20 19 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CROSS-UNLINKABILITY  Game-based definition (as Traceability and Exculpability)  Queries (before and after Challenge): Enrol to G 0, Derivation, Sign, User Corruption, GM Corruption, Revocation  Challenge: Adv. outputs m, m’, M 0, M 1, G k, G l such that:  M 0 and M 1 are both registered to G k and G l  M 0 and M 1 are not corrupted  At most one of the GM’s is corrupted  M 0 and M 1 are revoked from at most one group (the same if they are both revoked) and the GM of the other group is not corrupted  C chooses two bits b, b’ and signs m for M b in group G k and m’ for M b’ in group G l  Adv. tries to guess if b=b’ Alain Patey / 13/09/2012 / EuroPKI 2012

21 20 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. UNDERLYING GROUP SIGNATURE  VLR Group Signature with Backward Unlinkability  Group Parameters: gpk  Public/secret key for GM of G l : mpk, msk  User M i ’s key for G l : sk i = f i, x i, A i  f i is chosen by Mi (not known by GM l )  x i is chosen by GM l  A i =f(f i,x i,msk) is computed by GM l  Revocation token of M i for G l :  Global: rt i = x i  Period j: rt ij = h j ^(rt i ) (h j is a public token)  (for an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.) Alain Patey / 13/09/2012 / EuroPKI 2012

22 21 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION  KeyGen:  GM 0 fixes gpk  Every GM l chooses mpk l, msk l compatible with gpk  For every group G k, one « period » k-l per child group G l must be set up  Join  If G l =G 0, run the Join algorithm of GM 0  Otherwise, run the Derivation algorithm.  If all checks succeed, run an adapted Join algorithm for G l, where x i l is chosen as the output of the Derivation algorithm (instead of being random) Alain Patey / 13/09/2012 / EuroPKI 2012 Common group parameters Independent GM keys Common group parameters Independent GM keys Call Derivation to -Check that the user belongs to the parent group -Derive a signing key Run the GS Join algorithm Call Derivation to -Check that the user belongs to the parent group -Derive a signing key Run the GS Join algorithm

23 22 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION II  Derivation (G l is child of G k )  GM l sends a challenge message m to M i  M i signs it at period k-l  M i sends his revocation token rt i k-l =h k-l rtil  GM l checks the validity of the signature and the validity of rt i k-l  GMl derives x i l =H(msk l ||rt i k-l ) Alain Patey / 13/09/2012 / EuroPKI 2012 Join algorithm

24 23 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THE CONSTRUCTION III  Sign, Join and Open are direct applications of the group signature algorithms  Revocation:  Local: Run the Revocation algorithm of the underlying group signature  Downwards:  For every a child group G m of G l:  GM m looks at the updated revocation list RL l of G l and reads the new rt  GM m checks if there is a registered user i in G m such that x i m =H(msk m ||rt)  If there is one, GM m recursively runs Revocation  Upwards (optional):  GM l sends the period revocation token rt i k-l to GM k.  If GM k wants to revoke the user, he computes rt i’ k-l for every M i’ in G k.  When he finds the corresponding user, he starts a Revocation process Alain Patey / 13/09/2012 / EuroPKI 2012

25 24 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. SECURITY  Random Oracle Model  Requirements are game-based  We reduce an attack against our construction to an attack against the underlying group signature scheme  In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game Alain Patey / 13/09/2012 / EuroPKI 2012

26 25 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT  Group signatures can be used for biometric anonymous authentication  Keys stored on a smartcard, biometric verification needed to sign  Adaptable to our hierarchical setting → identity management system  Groups are identity domains, GM’s are identity providers  J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008  J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT Alain Patey / 13/09/2012 / EuroPKI 2012

27 This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. 26 / Conclusion /04/ Alain Patey / 13/09/2012 / EuroPKI 2012

28 27 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. CONCLUSION  From VLR Group Signatures with BU, we set hierarchical group signatures with strong anonymity properties  New model  Security only relies on the security of the underlying group signature (+ ROM)  Open Issues:  Improve the construction to enable Backward Unlinkability  Change the group set structure (any ordered set…)  Full version available on the IACR ePrint archive: Alain Patey / 13/09/2012 / EuroPKI 2012

29 28 / This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written authorization of Morpho. THANK YOU FOR YOUR ATTENTION  Questions ? Alain Patey / 13/09/2012 / EuroPKI 2012


Download ppt "This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written."

Similar presentations


Ads by Google