Ring Signatures of Sub-linear Size without Random Oracles
Nishanth Chandran
Jens Groth
Amit Sahai
University of California Los Angeles

In an anonymous fast-food chain

Whistleblowing

Ring signature
[Figure: verification keys vk1, vk2, vk3; secret key sk2; signature]

Properties
Parties with public verification keys
A ring is any subset of the parties
Any party can choose a ring that includes herself and make a ring signature
...without the other parties cooperating or even being aware of the ring signature being formed
The ring signature is anonymous

Related work
Rivest, Shamir and Tauman, Asiacrypt 2001: O(N) elements in random oracle model
Dodis, Kiayias, Nicolosi and Shoup, Eurocrypt 2004: O(1) elements in random oracle model
Bender, Katz and Morselli, TCC 2006: Construction without random oracles
Chow, Wei, Liu and Yuen, ASIACCS 2006
Shacham and Waters, ePrint 2006: O(N) elements
Boyen, Eurocrypt 2007: O(N) elements, perfect anonymity
Our contribution: O(√N) elements, perfect anonymity

Ring signature functionality
Common reference string:
$\mathrm{CRSGen}(1^k) \to \rho$
Key pair:
$\mathrm{Gen}(\rho) \to (vk, sk)$
Ring signature for $R = (vk_1, \ldots, vk_N)$:
$\mathrm{Sign}_{\rho,sk}(m, R) \to sig$
Verification:
$\mathrm{Verify}_{\rho,R}(m, sig) \in \{0,1\}$

Informal definition
Perfect correctness: Any member of a ring can make a ring signature
Perfect anonymity: Ring signature leaks no information about which ring member signed the message
Computational unforgeability: Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack

Bilinear group of order n
$G, G_T$ cyclic groups of order $n = pq$
$G = G_p \times G_q$
$g$ generator for $G$
bilinear map $e: G \times G \to G_T$
$e(u^a, v^b) = e(u, v)^{ab}$
$e(g, g)$ generates $G_T$

Commitment [Boneh-Goh-Nissim]
Public key: $h$, $\mathrm{ord}(h) = n$ or $q$
Commitment to $m$:
$c = m h^r$ where $r \in \mathbb{Z}_n$
Perfect hiding if $\mathrm{ord}(h) = n$
Perfect binding in $G_p$ if $\mathrm{ord}(h) = q$: $m^q = c^q$
Subgroup decision problem:
$\mathrm{ord}(h) = n$ or $\mathrm{ord}(h) = q$

Signature [Boneh-Boyen]
Verification key: $v = g^x$
Signature on $y$, $|y| < |p|$ $(|\sqrt{n}|)$
$s = g^{1/(x+y)}$
Verification
$e(v g^y, s) = e(g, g)$
Strong Diffie-Hellman assumption in $G_p$
Hard to compute $(y, g^{1/(x+y)})$ given input
$g, g^x, g^{x^2}, \ldots, g^{x^l}$

Ring signature scheme
Common reference string: $(n, G, G_T, e, g, h)$
Verification keys: $v = g^x$
Ring signature ($m$, $x$, $v \in R = (v_1, \ldots, v_N)$)
1. make one-time signature on $(m, R)$ using one-time verification key $y$
2. sign $y$ as $s = g^{1/(x+y)}$
3. commit to $v$ and $s$ as $C = v h^r$, $L = s h^t$
4. make perfect WI proof that $(C, L)$ contain a signature on $y$
5. make perfect WI proof that $C$ contains $v \in R$

Perfect Witness-Indistinguishable proof for committed signature on y [Groth-Sahai]
Commitments $C = v h^r$, $L = s h^t$
WI proof: $\pi = (g^y v)^t s^r h^{rt}$
Verify: $e(g^y C, L) = e(g, g)\, e(h, \pi)$
Complete: $e(g^y v h^r, s h^t) = e(g^y v, s)\, e(h, (g^y v)^t s^r h^{rt})$
Perfect WI ($\mathrm{ord}(h) = n$): All $(v, r, s, t)$ give same $\pi$
Sound ($\mathrm{ord}(h) = q$): $e((g^y C)^q, L^q) = e(g^q, g^q)$
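
The commitment, Boneh-Boyen signature and Groth-Sahai proof equations from the slides above, checked in a toy model. This is an added example, not code from the talk or the paper: group elements are represented by their exponents modulo a small constructed n = pq, so it checks the algebra only, and the function names, the exponent eta of h and all numeric values are assumptions.

```python
# Added example, toy model: g^a in G is stored as the exponent a mod n, so
# multiplying elements adds exponents and e(g^a, g^b) is a*b mod n.
# Discrete logs are in the clear: this checks the algebra only, no security.
P, Q = 1009, 1013                 # constructed small primes
N = P * Q

def bb_sign(x, y):
    """Boneh-Boyen signature s = g^{1/(x+y)} for verification key v = g^x."""
    return pow(x + y, -1, N)

def commit(m, eta, r):
    """Commitment m * h^r, where h = g^eta (eta is this model's name for log_g h)."""
    return (m + eta * r) % N

def prove(eta, y, v, r, s, t):
    """pi = (g^y v)^t * s^r * h^{rt}."""
    return ((y + v) * t + s * r + eta * r * t) % N

def verify(eta, y, C, L, pi):
    """Check e(g^y C, L) = e(g, g) * e(h, pi)."""
    return (y + C) * L % N == (1 + eta * pi) % N

def reopen(eta, y, C, L, x2):
    """ord(h) = n: open the same (C, L) to key x2 and recompute the proof."""
    s2, inv = bb_sign(x2, y), pow(eta, -1, N)
    r2, t2 = (C - x2) * inv % N, (L - s2) * inv % N
    return prove(eta, y, x2, r2, s2, t2)

def demo():
    y, x1, x2, r, t = 77, 1000, 2000, 4242, 9001   # constructed values
    s1 = bb_sign(x1, y)
    eta = 5                       # coprime to n, so ord(h) = n (hiding)
    C, L = commit(x1, eta, r), commit(s1, eta, t)
    pi = prove(eta, y, x1, r, s1, t)
    accepts = verify(eta, y, C, L, pi)
    same_pi = reopen(eta, y, C, L, x2) == pi       # proof does not depend on signer
    eta_b = 3 * P                 # multiple of p, so ord(h) = q (binding)
    Cb, Lb = commit(x1, eta_b, r), commit(s1, eta_b, t)
    accepts_b = verify(eta_b, y, Cb, Lb, prove(eta_b, y, x1, r, s1, t))
    in_gp = (y + Cb) * Lb % P == 1                 # G_p part is a valid signature
    return accepts, same_pi, accepts_b, in_gp
```

With ord(h) = n the pair (C, L) opens to either key and yields the same proof, which is the perfect WI line; with ord(h) = q the h-terms vanish modulo p, so the committed values restricted to G_p must satisfy the Boneh-Boyen verification equation.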
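
WI proof for commitment to $v \in R$
[Figure: the ring arranged as a $\sqrt{N} \times \sqrt{N}$ matrix with rows $(v_1, v_2, \ldots, v_{\sqrt{N}})$, $(v_{\sqrt{N}+1}, v_{\sqrt{N}+2}, \ldots, v_{2\sqrt{N}})$, ..., $(v_{N-\sqrt{N}+1}, v_{N-\sqrt{N}+2}, \ldots, v_N)$; labels $1, g, 1$ with $h^{r_1}, h^{r_2}, \ldots, h^{r_{\sqrt{N}}}$; column entries $e(g, v_2)$, $e(g, v_{\sqrt{N}+2})$, ..., $e(g, v_{N-\sqrt{N}+2})$, each with $e(h, *)$]
Commitment $C = v h^r$ and ring $R = (v_1, \ldots, v_N)$
WI proof that PIR-request is well-formed
WI proof that v is in one of those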

Sketch of security proof
Perfect anonymity
Commitments are perfectly hiding ($\mathrm{ord}(h) = n$)
... so they can contain Boneh-Boyen signature for any honest party
... and the proofs are perfectly witness indistinguishable
Computational unforgeability
Switch to $\mathrm{ord}(h) = q$
Commitments are perfectly extractable
... so they must contain valid signature in $G_p$
... so we can forge Boneh-Boyen signatures

Overcoming a bad CRS
CRS = $(n, G, G_T, e, g, h)$, $\mathrm{ord}(h) = n$
Malicious authority can select h of order q
Key generation:
$v_i = g^{x_i}$, $h_i$ chosen at random in $G$
When signing pick t at random and use
$h = \prod_{i=1}^{N} h_i^{t^{i-1}}$
With overwhelming probability $\mathrm{ord}(h) = n$

Summary
Ring signature scheme
PIR-techniques + GS proofs
Size O(√N) group elements
Relies on composite order bilinear groups
subgroup decision
strong Diffie-Hellman in $G_p$
Common reference string: perfect anonymity
Untrusted common reference string: statistical anonymity