This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

Cross-Unlinkable Hierarchical Group Signatures
Julien Bringer (1), Hervé Chabanne (1,2), Alain Patey (1,2)
(1) Morpho, (2) Télécom ParisTech
13/09/2012

Alain Patey / 13/09/2012 / EuroPKI 2012

OUTLINE
1. VLR Group Signatures
2. From Backward Unlinkability to Cross-Unlinkability
3. Our Construction
4. Conclusion

1. VLR GROUP SIGNATURES

DIGITAL SIGNATURES VS GROUP SIGNATURES
 A digital signature is verified under one user's public key, so it identifies the signer.
 A group signature is verified under the group's public key: the verifier learns that some member of the group signed, but not which one (Anonymity).

SETTING
 Group Manager (GM)
   Sets up the public parameters
   Owns the master secret key
   Issues the users' secret keys
   Can lift the anonymity of a signature (Open)
   Can revoke users

VERIFIER-LOCAL REVOCATION (VLR)
 The GM manages a public Revocation List (RL)
 Signers need no key update after a revocation; verifiers only need the current RL

VLR: REVOCATION
 To revoke user i, the GM adds the revocation token of user i (rt_i) to the RL

VLR: SIGNATURE AND VERIFICATION
 The user signs using his secret key
 The verifier (≠ GM) performs:
   1) Signature check: validity of the signature
   2) Revocation check: is the signer revoked? One operation (exponentiation, pairing) per revoked user, i.e. a cost linear in the size of the RL

VLR GS COMPONENTS
 KeyGen (GM): set the group parameters
 Join (GM, User): issue keys for a new group member
 Sign (User): sign a message on behalf of the group
 Verify (Verifier): verify a signature
 Open (GM): reveal the identity of the creator of a given signature
 Revoke (GM): revoke a user from the group

BACKWARD UNLINKABILITY
 Problem: once a user is revoked, anyone holding his revocation token can trace all his previous signatures
 Solution: make signatures and revocation tokens depend on the time period (Time Period 1, ..., i, ..., j, ..., k, ...); the token published for a period only traces the signatures of that period
 Does not change (much) the complexity of signatures; only one public value per period must be published

SECURITY PROPERTIES
 Correctness: every signature correctly issued by an unrevoked member is accepted as valid
 Backward Unlinkability: signatures reveal nothing (to anyone but the signer and the GM) about their author, and they remain anonymous even after the revocation of the user
 Traceability: no coalition of attackers can forge a signature that cannot be traced to one of the members of the coalition
 Exculpability: nobody (including the GM) is able to issue a signature on behalf of another member

2. FROM BACKWARD UNLINKABILITY TO CROSS-UNLINKABILITY

HIERARCHICAL SETTING
 Several groups in a tree structure
 One group signature per group
 Independent Group Managers
 Requirement: to join a group, one must previously be a member of the parent group
 Applications: identity management, attribute-based credentials
 Example tree (from the figure): National ID at the root; its children are Student ID (parent of College 1 and College 2) and Driver's License (parent of Car Insurance and HGV License)

CASCADE REVOCATION
 Revocation follows the tree structure:
   Revocation in a parent group ⇒ revocation in the child groups (Downwards Revocation, compulsory)
   A child group can signal a revoked user to the parent group (Upwards Revocation, optional)
   The parent group is not forced to revoke the user as well
 Figure: the same tree (National ID, Student ID, Driver's License, College 1, College 2, Car Insurance, HGV License), with downwards revocation marked as compulsory and upwards revocation as optional

UNLINKABILITY
 Cascade Revocation ⇒ key derivation, i.e. a link between the keys of a user in parent and child groups
 BUT: we aim at maximal anonymity
 Anonymity within a given group should be preserved towards the GMs of the other groups (even the parent group, sibling groups, ...) despite the revocation process
 We call this property CROSS-UNLINKABILITY

FROM BACKWARD UNLINKABILITY TO CROSS-UNLINKABILITY
 Idea: transpose the Backward Unlinkability property
 The time periods are transposed to the children of a given group
 Figure: the children College 1 and College 2 of Student ID play the roles of Period 1 and Period 2 of the group signature of Student ID; unlinkability across periods becomes unlinkability across child groups

3. OUR CONSTRUCTION

THE MODEL
 KeyGen: the GMs set the group parameters
 Enrolment (M_i, G_l): M_i gets keys for the group G_l
 Derivation (M_i, G_k, G_l): key derivation for a user M_i applying to join G_l, child of G_k
   Includes a proof of G_k membership
 Sign (M_i, m, G_l): user M_i signs message m on behalf of G_l
 Verify (s, m, G_l): a verifier checks a signature s for G_l
 Revocation (M_i, G_l):
   Local Revocation
   Downwards Revocation
   (Optional) Upwards Revocation

REQUIREMENTS
 Correctness
 Traceability
 Cross-Unlinkability
 Exculpability
 Adaptations of the VLR Group Signature properties to the hierarchical setting

CROSS-UNLINKABILITY
 Game-based definition (as for Traceability and Exculpability)
 Queries (before and after the Challenge): Enrol to G_0, Derivation, Sign, User Corruption, GM Corruption, Revocation
 Challenge: the adversary outputs m, m', M_0, M_1, G_k, G_l such that:
   M_0 and M_1 are both registered in G_k and in G_l
   M_0 and M_1 are not corrupted
   At most one of the two GMs is corrupted
   M_0 and M_1 are revoked from at most one of the two groups (the same one if both are revoked), and the GM of the other group is not corrupted
 The challenger C picks two bits b, b' and signs m for M_b in group G_k and m' for M_{b'} in group G_l
 The adversary tries to guess whether b = b'

UNDERLYING GROUP SIGNATURE
 VLR Group Signature with Backward Unlinkability
 Group parameters: gpk
 Public/secret key pair of the GM of G_l: mpk, msk
 User M_i's key for G_l: sk_i = (f_i, x_i, A_i)
   f_i is chosen by M_i (not known by GM_l)
   x_i is chosen by GM_l
   A_i = f(f_i, x_i, msk) is computed by GM_l
 Revocation token of M_i for G_l:
   Global: rt_i = x_i
   Period j: rt_ij = h_j^(rt_i), where h_j is a public per-period element
 For an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.

THE CONSTRUCTION
 KeyGen:
   GM_0 fixes gpk (common group parameters)
   Every GM_l chooses mpk_l, msk_l compatible with gpk (independent GM keys)
   For every group G_k, one "period" k-l per child group G_l must be set up
 Join:
   If G_l = G_0, run the Join algorithm of GM_0
   Otherwise, call Derivation to check that the user belongs to the parent group and to derive a signing key
   If all checks succeed, run an adapted Join algorithm for G_l, where x_i^l is chosen as the output of Derivation (instead of being random)

THE CONSTRUCTION II
 Derivation (G_l is a child of G_k):
   GM_l sends a challenge message m to M_i
   M_i signs it on behalf of G_k at period k-l
   M_i sends his period revocation token rt_i^{k-l} = h_{k-l}^(rt_i^k) = h_{k-l}^(x_i^k)
   GM_l checks the validity of the signature (Verify for G_k at period k-l, which includes the revocation check against RL_k) and the validity of rt_i^{k-l}
   GM_l derives x_i^l = H(msk_l || rt_i^{k-l})
 The Join algorithm of G_l then runs with this x_i^l

THE CONSTRUCTION III
 Sign, Verify and Open are direct applications of the underlying group signature algorithms
 Revocation:
   Local: run the Revocation algorithm of the underlying group signature (add rt_i^l to RL_l)
   Downwards, for every child group G_m of G_l:
     GM_m looks at the updated revocation list RL_l of G_l and reads the new token rt
     GM_m recomputes the period token h_{l-m}^rt for its own period l-m (rt and h_{l-m} are public) and checks whether a registered user i of G_m has x_i^m = H(msk_m || h_{l-m}^rt)
     If there is one, GM_m recursively runs Revocation
   Upwards (optional):
     GM_l sends the period revocation token rt_i^{k-l} to GM_k
     If GM_k wants to revoke the user, he computes rt_{i'}^{k-l} for every M_{i'} in G_k (one exponentiation per member)
     When he finds the matching user, he starts a Revocation process
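The following Python sketch is an added example, not the authors' code and not their pairing-based instantiation. It models the token mechanics of slides 7, 9 and 20 to 23 in a toy prime-order group: per-period tokens rt_ij = h_j^(rt_i), the verifier-local revocation check with one exponentiation per RL entry, the Derivation step x_i^l = H(msk_l || rt_i^{k-l}), the compulsory downwards cascade, and the optional upwards match. The zero-knowledge signature itself, the user-chosen f_i, the A_i component and the challenge signature in Derivation are abstracted away (a user key is reduced to its x). The modulus P, the generator G, the "gpk"-labelled hashing of h_j and the group names are assumptions made for the demonstration, not parameters from the paper.

```python
import hashlib
import secrets

P = 2**127 - 1   # toy modulus (a Mersenne prime): NOT a secure parameter
G = 3            # assumed generator of the toy group


def H(*parts):
    """Random-oracle stand-in: SHA-256 over the concatenated parts."""
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def period_token(x, period):
    """rt_ij = h_j ^ rt_i with rt_i = x_i (slide 20); h_j is hashed from the label."""
    h_j = pow(G, H("gpk", period) % (P - 1) or 1, P)   # public per-period element
    return pow(h_j, x, P)


def is_revoked(token, period, rl):
    """Verifier-local revocation check: one exponentiation per entry of the RL."""
    return any(period_token(rt, period) == token for rt in rl)


class Group:
    """One group G_l with its own GM (msk_l), members and revocation list."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.msk = secrets.randbelow(P)   # GM_l's secret key
        self.members = {}                 # user -> x_i^l (the global token rt_i)
        self.parent_tokens = {}           # user -> rt_i^{k-l} shown at Derivation
        self.rl = set()                   # public RL_l: revoked global tokens
        if parent is not None:
            parent.children.append(self)

    def period(self, child):
        """Label of the 'period' k-l that G_k reserves for its child G_l."""
        return f"{self.name}-{child.name}"

    def enrol_root(self, user):
        """Join in the root group: x_i^0 is chosen at random by GM_0."""
        self.members[user] = secrets.randbelow(P - 1) + 1
        return self.members[user]

    def join(self, user, keys):
        """Derivation (slide 22): the user shows rt_i^{k-l}, GM_l derives x_i^l."""
        k = self.parent
        token = period_token(keys[k.name], k.period(self))   # user side
        if is_revoked(token, k.period(self), k.rl):           # GM_l checks the token
            raise PermissionError(f"{user} is revoked from {k.name}")
        x = H(self.msk, token) % (P - 1) + 1   # x_i^l = H(msk_l || rt_i^{k-l})
        self.members[user], self.parent_tokens[user] = x, token
        keys[self.name] = x

    def revoke(self, user):
        """Local revocation plus the compulsory downwards cascade (slide 23)."""
        rt = self.members.pop(user)
        self.rl.add(rt)
        for child in self.children:
            # from the public rt and the public h_{l-m}, GM_m recomputes the token
            # the user showed it at Derivation and rederives the matching x_i^m
            target = H(child.msk, period_token(rt, self.period(child))) % (P - 1) + 1
            for u, x in list(child.members.items()):
                if x == target:
                    child.revoke(u)

    def upward_match(self, child, child_token):
        """Optional upwards revocation: GM_k re-derives every member's token."""
        per = self.period(child)
        return next((u for u, x in self.members.items()
                     if period_token(x, per) == child_token), None)


def demo():
    """Part of the slide-12 tree: enrol alice, then revoke her from StudentID."""
    national = Group("NationalID")
    student = Group("StudentID", national)
    licence = Group("DriversLicense", national)
    college1 = Group("College1", student)
    alice = {"NationalID": national.enrol_root("alice")}
    for grp in (student, licence, college1):
        grp.join("alice", alice)
    # cross-unlinkability intuition: the sibling GMs hold two different "period"
    # tokens of the same x_i^0; relating them is a Diffie-Hellman-type problem
    tokens_differ = student.parent_tokens["alice"] != licence.parent_tokens["alice"]
    upward = student.upward_match(college1, college1.parent_tokens["alice"])
    student.revoke("alice")   # cascades to College1, not to the siblings or parent
    return {"tokens_differ": tokens_differ, "upward": upward,
            "revoked_college1": "alice" not in college1.members,
            "still_in_licence": "alice" in licence.members,
            "still_in_national": "alice" in national.members,
            "groups": (national, student, licence, college1), "alice": alice}
```

Note what each party needs: the verifier in is_revoked and the child GM in revoke work from public data only (the RL and h_j), plus, for the child GM, its own msk; the parent GM in upward_match needs the members' x values, which is why upwards revocation costs one exponentiation per member rather than per revoked user.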

SECURITY
 Random Oracle Model (the hash H used in Derivation is modelled as a random oracle)
 Requirements are game-based
 We reduce an attack against our construction to an attack against the underlying group signature scheme
 In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game yields an adversary with a non-negligible advantage in the Backward Unlinkability game

APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT
 Group signatures can be used for biometric anonymous authentication
   Keys stored on a smartcard; biometric verification is needed to sign
 Adaptable to our hierarchical setting → identity management system
   Groups are identity domains, GMs are identity providers
 J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008
 J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT

4. CONCLUSION

CONCLUSION
 From VLR Group Signatures with Backward Unlinkability, we build hierarchical group signatures with strong anonymity properties
 New model
 Security relies only on the security of the underlying group signature (+ ROM)
 Open issues:
   Improve the construction to also provide Backward Unlinkability within each group (the time periods of the underlying scheme are currently used to index the child groups)
   Change the structure of the set of groups (any ordered set...)
 Full version available on the IACR ePrint archive:

THANK YOU FOR YOUR ATTENTION
 Questions?