Cross-Unlinkable Hierarchical Group Signatures. Julien Bringer (1), Hervé Chabanne (1,2), Alain Patey (1,2); (1) Morpho, (2) Télécom ParisTech. 13/09/2012. Outline: VLR Group Signatures; From Backward Unlinkability to Cross-Unlinkability; Our Construction; Conclusion.
Cross-Unlinkable Hierarchical Group Signatures
Julien Bringer (1), Hervé Chabanne (1,2), Alain Patey (1,2)
(1) Morpho, (2) Télécom ParisTech
13/09/2012
Outline
• VLR Group Signatures
• From Backward Unlinkability to Cross-Unlinkability
• Our Construction
• Conclusion
Alain Patey / 13/09/2012 / EuroPKI 2012
/01/ VLR Group Signatures
Digital Signatures vs Group Signatures + Anonymity
Setting
• Group Manager (GM)
  • Sets up public parameters
  • Owns the master secret key
  • Issues users' secret keys
  • Can lift the anonymity of a signature
  • Can revoke users
Verifier-Local Revocation (VLR)
GM manages a public Revocation List (RL)
VLR: Revocation
Revocation of user i: the revocation token of user i ($rt_i$) is added to RL
VLR: Signature and Verification
User signs using his secret key
Verifier (≠ GM):
1) Signature Check: validity of the signature
2) Revocation Check: is the signer revoked?
(Revocation Check: one operation (exponentiation, pairing) per revoked user)
VLR GS Components
• KeyGen (GM): set group parameters
• Join (GM, User): issue keys for a new group member
• Sign (User): sign a message on behalf of the group
• Verify (Verifier): verify a signature
• Open (GM): reveal the identity of the creator of a given signature
• Revoke (GM): revoke a user from the group
Backward Unlinkability
[Figure: timeline of time periods 1, …, i, …, j, …, k]
Problem: once a user is revoked, everyone can use his revocation token to trace all his previous signatures
Solution: make signatures and revocation dependent on time
Does not change (much) the complexity of signatures; only one piece of public information per period must be published
Security Properties
• Correctness: every signature correctly issued by an unrevoked member is checked as valid
• Backward Unlinkability: signatures do not reveal anything (to anyone but the signer and the GM) about their author, and they remain anonymous even after the revocation of the user
• Traceability: no group of attackers can forge a signature that cannot be traced to one of the members of the coalition
• Exculpability: nobody (including GM) is able to issue another member's signature
/02/ From Backward Unlinkability to Cross-Unlinkability
Hierarchical Setting
[Figure: example tree of groups: National ID, Student ID, Driver's License, College 1, College 2, Car Insurance, HGV License]
• Several groups in a tree structure
• One group signature per group
• Independent Group Managers
• Requirement: to join a group, one must previously be a member of the parent group
• Applications: identity management, attribute-based credentials
Cascade Revocation
[Figure: the tree of groups (National ID, Student ID, Driver's License, College 1, College 2, Car Insurance, HGV License), annotated "Downwards Revocation (compulsory)" and "Upwards Revocation (optional)"]
• Revocation follows the tree structure:
  • Revocation in a parent group ⇒ revocation in the children groups (Downwards Revocation)
  • Child group can signal a revoked user to the parent group (Upwards Revocation, optional)
  • Parent group is not forced to also revoke
Unlinkability
Cascade Revocation ⇒ key derivation, link between the keys in parent/child groups
BUT: we aim at maximal anonymity
Anonymity in a given group should be preserved towards GMs of other groups (even parent group, sibling groups…) despite the revocation process
We call this property CROSS-UNLINKABILITY
From Backward Unlinkability to Cross-Unlinkability
[Figure: a group signature with Period 1 and Period 2 (unlinkability between them) ⇒ Student ID with children College 1 and College 2 (unlinkability between them)]
Idea: transpose the Backward Unlinkability property
Time periods are transposed to children of a given group
/03/ Our Construction
The Model
• KeyGen: the GMs set the groups' parameters
• Enrolment ($M_i$, $G_l$): $M_i$ gets keys for the group $G_l$
• Derivation ($M_i$, $G_k$, $G_l$): key derivation for a user $M_i$, applying to join $G_l$, child of $G_k$
  • Includes a proof of $G_k$ membership
• Sign ($M_i$, $m$, $G_l$): user $M_i$ signs message $m$ on behalf of $G_l$
• Verify ($s$, $m$, $G_l$): verifier checks a signature $s$ for $G_l$
• Revocation ($M_i$, $G_l$):
  • Local Revocation
  • Downwards Revocation
  • (Optional) Upwards Revocation
Requirements
• Correctness
• Traceability
• Cross-Unlinkability
• Exculpability
Adaptations of the VLR Group Signatures properties to the hierarchical setting
Cross-Unlinkability
• Game-based definition (as Traceability and Exculpability)
• Queries (before and after Challenge): Enrol to $G_0$, Derivation, Sign, User Corruption, GM Corruption, Revocation
• Challenge: Adv. outputs $m$, $m'$, $M_0$, $M_1$, $G_k$, $G_l$ such that:
  • $M_0$ and $M_1$ are both registered to $G_k$ and $G_l$
  • $M_0$ and $M_1$ are not corrupted
  • At most one of the GMs is corrupted
  • $M_0$ and $M_1$ are revoked from at most one group (the same if they are both revoked) and the GM of the other group is not corrupted
• C chooses two bits $b$, $b'$ and signs $m$ for $M_b$ in group $G_k$ and $m'$ for $M_{b'}$ in group $G_l$
• Adv. tries to guess if $b = b'$
Underlying Group Signature
• VLR Group Signature with Backward Unlinkability
• Group parameters: $gpk$
• Public/secret key for GM of $G_l$: $mpk$, $msk$
• User $M_i$'s key for $G_l$: $sk_i = (f_i, x_i, A_i)$
  • $f_i$ is chosen by $M_i$ (not known by $GM_l$)
  • $x_i$ is chosen by $GM_l$
  • $A_i = f(f_i, x_i, msk)$ is computed by $GM_l$
• Revocation token of $M_i$ for $G_l$:
  • Global: $rt_i = x_i$
  • Period $j$: $rt_{ij} = h_j^{rt_i}$ ($h_j$ is a public token)
• (For an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.)
The Construction
Common group parameters, independent GM keys
• Call Derivation to
  • Check that the user belongs to the parent group
  • Derive a signing key
• Run the GS Join algorithm
• KeyGen:
  • $GM_0$ fixes $gpk$
  • Every $GM_l$ chooses $mpk_l$, $msk_l$ compatible with $gpk$
  • For every group $G_k$, one « period » $k$-$l$ per child group $G_l$ must be set up
• Join:
  • If $G_l = G_0$, run the Join algorithm of $GM_0$
  • Otherwise, run the Derivation algorithm
  • If all checks succeed, run an adapted Join algorithm for $G_l$, where $x_i^l$ is chosen as the output of the Derivation algorithm (instead of being random)
The Construction II
Join algorithm
• Derivation ($G_l$ is child of $G_k$)
  • $GM_l$ sends a challenge message $m$ to $M_i$
  • $M_i$ signs it at period $k$-$l$
  • $M_i$ sends his revocation token $rt_i^{k-l} = h_{k-l}^{rt_i^l}$
  • $GM_l$ checks the validity of the signature and the validity of $rt_i^{k-l}$
  • $GM_l$ derives $x_i^l = H(msk_l \,\|\, rt_i^{k-l})$
The Construction III
• Sign, Join and Open are direct applications of the group signature algorithms
• Revocation:
  • Local: run the Revocation algorithm of the underlying group signature
  • Downwards:
    • For every child group $G_m$ of $G_l$:
    • $GM_m$ looks at the updated revocation list $RL_l$ of $G_l$ and reads the new $rt$
    • $GM_m$ checks if there is a registered user $i$ in $G_m$ such that $x_i^m = H(msk_m \,\|\, rt)$
    • If there is one, $GM_m$ recursively runs Revocation
  • Upwards (optional):
    • $GM_l$ sends the period revocation token $rt_i^{k-l}$ to $GM_k$
    • If $GM_k$ wants to revoke the user, he computes $rt_{i'}^{k-l}$ for every $M_{i'}$ in $G_k$
    • When he finds the corresponding user, he starts a Revocation process
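The key derivation and cascade revocation of the last two slides, as an added Python sketch that is not the authors' code. Assumptions: a toy modular group replaces the pairing group, the group signature and its checks are omitted, the period token is computed from the user's key in the parent group, a child GM recomputes that period token from the published rt before hashing, and all names (GM, build_demo, the msk values, the users) are constructed.

```python
import hashlib
P = 2**127 - 1  # toy prime modulus standing in for the pairing group (NOT secure)

def H(*parts):  # hash to an exponent; models H(msk || rt); ints are encoded on 16 bytes
    data = b"|".join(p if isinstance(p, bytes) else p.to_bytes(16, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

class GM:
    def __init__(self, name, msk, parent=None):
        self.name, self.msk, self.parent = name, msk, parent
        self.children, self.RL = [], []     # RL: published global tokens rt_i = x_i
        self.x, self.shown = {}, {}         # user -> x_i ; user -> period token shown at Derivation
        if parent:
            parent.children.append(self)

    def h(self, child):                     # public token h_{k-l} for one child "period"
        return pow(H(b"period", self.name.encode(), child.name.encode()) + 2, 2, P)

    def period_token(self, user, child):    # rt_i^{k-l} = h_{k-l}^{x_i}, x_i from THIS group
        return pow(self.h(child), self.x[user], P)

    def join(self, user, x=None):
        if self.parent is None:             # root: plain Join, x_i picked by the GM
            self.x[user] = x
        else:                               # Derivation (membership signature check omitted)
            self.shown[user] = self.parent.period_token(user, self)
            self.x[user] = H(self.msk, self.shown[user])  # x_i^l = H(msk_l || rt_i^{k-l})

    def revoke(self, user):                 # local revocation + compulsory downwards cascade
        rt = self.x.pop(user)
        self.RL.append(rt)
        for child in self.children:
            child.on_parent_revocation(rt)

    def on_parent_revocation(self, rt):     # GM_m looks for the x_i^m matching the new rt
        derived = H(self.msk, pow(self.parent.h(self), rt, P))
        for user in [u for u, x in self.x.items() if x == derived]:
            self.revoke(user)

    def signal_upwards(self, user):         # optional: parent GM_k finds whose token this is
        return [u for u in self.parent.x if self.parent.period_token(u, self) == self.shown[user]]

def build_demo():                           # constructed tree and users
    nat = GM("National ID", b"msk-0")
    stu = GM("Student ID", b"msk-1", nat)
    c1, c2 = GM("College 1", b"msk-2", stu), GM("College 2", b"msk-3", stu)
    for user, x in (("alice", 1234567), ("bob", 7654321)):
        for g in (nat, stu, c1, c2):
            g.join(user, x)
    return nat, stu, c1, c2
```

Revoking a user in Student ID removes the user from both colleges while National ID is untouched, and the tokens published in the two sibling revocation lists differ because each child hashes under its own msk.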
Security
• Random Oracle Model
• Requirements are game-based
• We reduce an attack against our construction to an attack against the underlying group signature scheme
• In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game
Application to Biometric Identity Management
• Group signatures can be used for biometric anonymous authentication
  • Keys stored on a smartcard, biometric verification needed to sign
• Adaptable to our hierarchical setting → identity management system
  • Groups are identity domains, GMs are identity providers
• J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008.
• J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT 2012.
/04/ Conclusion
Conclusion
• From VLR Group Signatures with BU, we build hierarchical group signatures with strong anonymity properties
• New model
• Security only relies on the security of the underlying group signature (+ ROM)
• Open issues:
  • Improve the construction to enable Backward Unlinkability
  • Change the group set structure (any ordered set…)
• Full version available on the IACR ePrint archive: http://eprint.iacr.org/2012/407
Thank you for your attention
Questions?