Privacy in signatures. Hiding in rings, hiding in groups

36
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups

description

Privacy in signatures. Hiding in rings, hiding in groups. Message authenticity. Amélie. Baptiste. Message authenticity. Baptiste is waiting for a message from Amélie. How can he make sure it’s really from her?. Why sign. v irus definitions. viruses. trojans. Baptiste. updates. - PowerPoint PPT Presentation

Transcript of Privacy in signatures. Hiding in rings, hiding in groups

Page 1: Privacy in signatures. Hiding in rings, hiding in groups

Rennes, 24/10/2014 Cristina OneteCIDRE/INRIA

Privacy in signatures. Hiding in rings, hiding in groups

Page 2: Privacy in signatures. Hiding in rings, hiding in groups

Message authenticity

Cristina Onete || 24/10/2014 || 2

Amélie Baptiste

• Baptiste is waiting for a message from Amélie

Message authenticity

• How can he make sure it’s really from her?

Page 3: Privacy in signatures. Hiding in rings, hiding in groups

Why sign

More importantly: Telling good content from bad

updates

virusdefinitionsBaptiste

malwaretro

jansviru

ses

• Updates vs. malware and trojans

• Message should be sent by authorized party

Cristina Onete || 24/10/2014 || 3

Page 4: Privacy in signatures. Hiding in rings, hiding in groups

So far: MACs

Amélie Baptiste

Shared

Message authentication codes• Usually implemented as a keyed hash function

• MSCheme = (KGen, MAC, Vf)

𝑠𝑘←KGen (1𝑛 ) ;𝑡𝑎𝑔←MAC (𝑠𝑘 ,𝑚 ); {0,1 }←Vf (𝑠𝑘 ,𝑚 , 𝑡𝑎𝑔)Repudiation: anyone with sk can generate a tag (at least two people)

Cristina Onete || 24/10/2014 || 4

Page 5: Privacy in signatures. Hiding in rings, hiding in groups

Now: PK digital signatures

Amélie Baptiste

A

SScheme = (KGen, Sign, Vf)

(𝑠𝑘 ,𝑝𝑘)←KGen (1𝑛) ;𝜎←Sign (𝑠𝑘 ,𝑚) ; {0,1 }←Vf (𝑝𝑘 ,𝑚 ,𝜎 )

Anyone can verify the signature!

Non-repudiation: signer can never deny generating a real signature

Cristina Onete || 24/10/2014 || 5

Page 6: Privacy in signatures. Hiding in rings, hiding in groups

Contents

Signatures vs. PK Encryption• A common misconception

• The Hash and Sign method

Privacy-preserving signatures

• Ring signatures

• Signature Scheme security

• Group signatures

• Rings vs. Groups

Page 7: Privacy in signatures. Hiding in rings, hiding in groups

Common misconception

Amélie Baptiste

Amélie Baptiste

• Public-Key Encryption

• Digital Signatures

B

A

Secret

B

Inverse mechanisms?

Secret

Cristina Onete || 24/10/2014 || 7

Page 8: Privacy in signatures. Hiding in rings, hiding in groups

Common misconception

Can we build signatures from encryption?• Completely different functionality and goals!

Property Encryptionschemes

Signaturesschemes

Message integrity

Message confidentiality

Non-repudiation

Sender authentication

Using one primitive to get the other is dangerous!

Single receiver

Cristina Onete || 24/10/2014 || 8

Page 9: Privacy in signatures. Hiding in rings, hiding in groups

Digital Signatures – Structure

SSchemes = (KGen, Sign, Verify)

KGen()

A

Security parameter:determines key size

Everyone

𝑝𝑘 𝑠𝑘

Vf()

𝑚

𝑚 ,𝜎 Sign()

Cristina Onete || 24/10/2014 || 9

Page 10: Privacy in signatures. Hiding in rings, hiding in groups

Signature Security

Functionality – correctness:

Security: unforgeability

B KGen()∀ Sign( )

Verify( )A

A

Verify

Cristina Onete || 24/10/2014 || 10

Page 11: Privacy in signatures. Hiding in rings, hiding in groups

Inverse mechanisms?

PK Encryption Signatures

• Key Generation:

𝑝𝑘 𝑠𝑘• Encrypt

𝑐=𝐸𝑛𝑐𝑝𝑘(𝑚)

• Decrypt:

𝑚=𝐷𝑒𝑐𝑠𝑘(𝑐 )

• Key Generation:

𝑝𝑘 𝑠𝑘• Sign

σ=𝐷𝑒𝑐 𝑠𝑘(𝑚)

• Verify:

𝑚=𝐸𝑛𝑐𝑝𝑘(σ )?

Exercise: Find a forgery () given only (no signatures)

Cristina Onete || 24/10/2014 || 11

Page 12: Privacy in signatures. Hiding in rings, hiding in groups

Abuse encryption step

Input: Choose random signature: Find the message: encrypt signature

Output:

Note: this message is “random”, it doesn’t mean we can forge a signature for ANY message

Now verify:

Cristina Onete || 24/10/2014 || 12

Page 13: Privacy in signatures. Hiding in rings, hiding in groups

Inverse mechanisms?

PK Encryption Signatures

• Key Generation:

𝑝𝑘 𝑠𝑘• Encrypt

𝑐=𝐸𝑛𝑐𝑝𝑘(𝑚)

• Decrypt:

𝑚=𝐷𝑒𝑐𝑠𝑘(𝑐 )

• Key Generation:

𝑝𝑘 𝑠𝑘• Sign

σ=𝐷𝑒𝑐 𝑠𝑘(𝑚)

• Verify:

𝑚=𝐸𝑛𝑐𝑝𝑘(σ )?

Exercise: You are answered two signature queries for any two messages you want. Forge a signature for any

Suppose: for any

Cristina Onete || 24/10/2014 || 13

Page 14: Privacy in signatures. Hiding in rings, hiding in groups

Choosing messages well

Input: Choose random message: . Get signature Second message is: . Get signature

Output forgery:

Now verify:

𝑬𝒏𝒄𝒑𝒌 (𝒎𝟏 )∗𝑬𝒏𝒄𝒑𝒌 (𝒎𝟐)=𝑬𝒏𝒄𝒑𝒌 (𝒎𝟏𝒎𝟐 )

=

¿𝒎𝟏𝒎𝟐=𝒎𝟏𝒎𝒎𝟏

=𝒎

How likely is it to get signatures ?

Cristina Onete || 24/10/2014 || 14

Page 15: Privacy in signatures. Hiding in rings, hiding in groups

Attacks against Signatures

The more knows, the harder it is to get security

Security depends on what the attacker knows

Random-message attack:

• Lots of users all around

• Their messages are “random”

• Adv. gets (m, signa-ture) pairs

• Forge signature on new message!

Cristina Onete || 24/10/2014 || 15

Page 16: Privacy in signatures. Hiding in rings, hiding in groups

Attacks against Signatures

The more knows, the harder it is to get security

Security depends on what the attacker knows

Known-message attack:

• Lots of users all around

• Knows messages in advance, before re-ceiving any signature

• Adv. gets (m, signa-ture) pairs

• Forge signature on new message!

Hi, how are you?

I’m fine, thanks.How are you?

I’m very well, thank you

Cristina Onete || 24/10/2014 || 16

Page 17: Privacy in signatures. Hiding in rings, hiding in groups

Attacks against Signatures

The more knows, the harder it is to get security

Security depends on what the attacker knows

Chosen-message attack:

• Lots of users all around

• Can choose messages that will be signed

• Adv. gets (m, signa-ture) pairs

• Forge signature on new message!

𝑚1

𝑚𝑛

……………

Cristina Onete || 24/10/2014 || 17

Page 18: Privacy in signatures. Hiding in rings, hiding in groups

Attacks against Signatures

Power of

AttackUnf-RMA Unf-KMA Unf-CMA

Weak

Not strong/ Not weak

Strong

Cristina Onete || 24/10/2014 || 18

Page 19: Privacy in signatures. Hiding in rings, hiding in groups

Hash and Sign in general

Use the same thing in general Signature scheme(𝐾𝐺𝑒𝑛𝑆𝑖𝑔 ,𝑆𝑖𝑔𝑛 ,𝑉𝑓 ) Hash function(𝑮𝒆𝒏𝑯 ,𝑯 )

Key generation:

• Run and

• Signing:

σ=𝑆𝑖𝑔𝑛(𝑠𝑘 ,𝑯 𝒔 (𝑚))• Verifying:

Compute: Return

Cristina Onete || 24/10/2014 || 19

Page 20: Privacy in signatures. Hiding in rings, hiding in groups

Contents

Signatures vs. PK Encryption• A common misconception

• The Hash and Sign method

Privacy-preserving signatures

• Ring signatures

• Group signatures

• Rings vs. Groups

• Signature Scheme security

Page 21: Privacy in signatures. Hiding in rings, hiding in groups

So far: integrity & authenticity

A

Each corresponds to its owner Successful verification means identifying signer!

Cristina Onete || 24/10/2014 || 21

Page 22: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signatures

Cristina Onete || 24/10/2014 || 22

Page 23: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signatures

Ring Signatures:

Regular Signatures:

(𝑠𝑘 ,𝑝𝑘)←KGen (1𝑛) ;𝜎←Sign (𝑠𝑘 ,𝑚) ; {0,1 }←Vf (𝑝𝑘 ,𝑚 ,𝜎 )

Cristina Onete || 24/10/2014 || 23

Page 24: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signature Properties

Anonymity:

• Flavours of anonymity depend on how much we let the adver-sary control the ring and the keys in it.

𝐾𝐺𝑒𝑛

? ? ?

Cristina Onete || 24/10/2014 || 24

Page 25: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signature Properties

Unforgeability:

𝐾𝐺𝑒𝑛

0

• Could do this for a fixed ring, a chosen subring, or even allo-wing insider corruptions (the adversary learns secret keys)

Cristina Onete || 24/10/2014 || 25

Page 26: Privacy in signatures. Hiding in rings, hiding in groups

Aside: pairings

Two groups: , all of prime order

• Generators: of , of

Pairing: a map which is:

• Bilinear:

∀𝑎 ,𝑏∈𝑍𝑝 :𝑒 (𝑔1𝑎 ,𝑔2𝑏)=𝑒(𝑔1 ,𝑔2)𝑎𝑏

• Non-degenerate:

𝑒 (𝑔1 ,𝑔2 )≠1• Computable:

should be efficiently computable

Pairings exist for many groups. Not all are efficiently computable!

Cristina Onete || 24/10/2014 || 26

Page 27: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signature – 2-Ring

Three groups: , all of prime order

• Generator: of

Key generation:Choose . Set .

Signature on given , , :

Choose , set . Output

Signature on given ’, , :Choose , set . Output

Verification of on message

Output 1 iff. AND

Cristina Onete || 24/10/2014 || 27

Page 28: Privacy in signatures. Hiding in rings, hiding in groups

Ring vs. Group

Ring Signatures:• Signer needs to get others

• Signer remains completely untraceable, even if he misbehaves

No accountability

Group signatures

• Other ring members “independent” of signer, unaware of him

• Signer registers into a group of arbitrarily many signers

• Sign on behalf of a group (with just one )

• Optional anonymity revocation : can extract signer if needed

Cristina Onete || 24/10/2014 || 28

Page 29: Privacy in signatures. Hiding in rings, hiding in groups

Ring Signatures

Cristina Onete || 24/10/2014 || 29

Page 30: Privacy in signatures. Hiding in rings, hiding in groups

Group Signatures

G

Cristina Onete || 24/10/2014 || 30

Page 31: Privacy in signatures. Hiding in rings, hiding in groups

Optional Anonymity Revocation

G

Cristina Onete || 24/10/2014 || 31

Page 32: Privacy in signatures. Hiding in rings, hiding in groups

Group Signatures

Syntax

• {}

Sometimes

Registration key

Revocation key

Cristina Onete || 24/10/2014 || 32

Page 33: Privacy in signatures. Hiding in rings, hiding in groups

Group Signature Properties

Full-anonymity:

𝐾𝐺𝑒𝑛

? ? ?

G

Cristina Onete || 24/10/2014 || 33

Page 34: Privacy in signatures. Hiding in rings, hiding in groups

Group Signature Properties

Full-traceability:

𝐾𝐺𝑒𝑛G

Cristina Onete || 24/10/2014 || 34

Page 35: Privacy in signatures. Hiding in rings, hiding in groups

General strategy

Public key is a function of all the keys Traceability: use a ZK proof of knowledge

then use extractability to trace

Further Reading:

• [BMW03] Bellare, Micciancio, Warinschi: “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”, CRYPTO 2003

• [BMW04] Boneh, Boyen, Shacham: “Short Group Signatures”, CRYPTO 2004

Cristina Onete || 24/10/2014 || 35

Page 36: Privacy in signatures. Hiding in rings, hiding in groups

CIDRE

Thanks!