Foundations of Fully Dynamic Group Signatures


1 Foundations of Fully Dynamic Group Signatures
Jonathan Bootle, Andrea Cerulli, Pyrros Chaidos, Essam Ghadafi and Jens Groth
University College London

2 Contribution
- New model for fully dynamic group signatures:
  - Strong: minimal level of trust required
  - General: not restricted to a particular design approach
  - Realistic: satisfied by practical constructions
- Relaxed model assuming trusted setup
  - Backward compatibility with existing models
  - Suitable for more efficient constructions
- Identify minor issues in the security of some constructions and suggest possible fixes

3 Outline
- Overview of Group Signatures
- A new model for Fully Dynamic Group Signatures
- A relaxed model and how it relates to previous ones

4 Group Signatures
[Figure labels: Group Manager, Group of Users, Tracing Manager]

5 Group Signatures

6 Group Signatures
[Figure labels: (id, π); (m, σ)]

7 Group Signatures
- Static Groups
- Partially Dynamic Groups
- Fully Dynamic Groups

8 Formal Security Models for Group Signatures
- Static Groups: [BMW]
- Partially Dynamic Groups: [BSZ], [KY]
- Fully Dynamic Groups:
  - Lack of rigour / Informally stated
  - Design specific definitions
  - No unified formal model
  - Assume a completely trusted setup

9 Fully Dynamic Group Signatures
Two main approaches for revocation:
- Cryptographic Accumulators
- Revocation lists
[Figure labels: acc; acc_0, acc_1, acc_2, ..., acc_τ; L_0 = ∅, L_1, L_2, ...]

10 Fully Dynamic Group Signatures
Main idea behind revocation:
- Need to introduce time intervals: epochs
- GM periodically updates information about active members in the group
- Updates might follow different format

11 Our Model - Features
- Does not restrict the format of updates to the group
- Keeps track of the active users in each epoch
- Interactive key generation for GM, TM and the users
- Minimise the level of trust in the authorities

12 Our Model - Algorithms and Protocols
- Setup: trusted setup of public parameters
- KeyGen: Interactive protocol between GM and TM
  - Generates group public key and managers’ secret keys
- Join/Issue: Interactive protocol between a user and GM
  - User obtains a group secret key
  - GM registers user public key in the group

13 Our Model - Algorithms and Protocols
- Update GroupInfo: Run by GM to update active group members
  - Updates to the group trigger a new epoch
- Sign: members sign messages with respect to an epoch
- Verify: Checks validity of a signature on message and epoch

14 Our Model - Algorithms and Protocols
- Trace: Run by TM to identify authorship of a signature
  - Output proof linking signature and identity
- Judge: Checks validity of tracing proofs

15 Our Model - Data Structures
- Registration table:
  - GM has writing access
  - TM has reading access
  - Linear in number of join calls
- Group Info:
  - Updated by GM
  - Publicly available
  - Linear in number of epochs

16 Our Model - Security Notions
- Correctness
- Anonymity
- Non-Frameability
- Traceability
- Tracing Soundness

17 Security Definitions - Correctness
Honest and active users can produce valid signatures
[Figure labels: KeyGen, ..., msk, (m, σ, τ)]

18 Security Definitions - Anonymity
Honest signatures do not reveal identity of signer
[Figure labels: KeyGen, ..., (m, τ), σ, Adv, gsk_0, gsk_1]

19 Security Definitions - Non-Frameability
Honest users cannot be linked to signatures they have not produced
[Figure labels: KeyGen, ..., (m, σ, τ), π, Adv]

20 Security Definitions - Traceability
TM can always trace signatures to active members
[Figure labels: KeyGen, ..., dsk, (m, σ, τ), π]

21 Security Definitions - Tracing Soundness
It is not possible to link one signature to two members
[Figure labels: KeyGen, ..., (m, σ), π_0, π_1, Adv]

22 A Very Strong Model!
- Lowest possible level of Trust in the Managers
- Can be relaxed to accommodate honest setup
- Construction from Accountable Ring Signatures (w/o honest setup)
[Figure labels: KeyGen, KeyGen, ..., msk]

23 Accountable Ring Signatures [Xu Yung]
- Users include themselves in a “Ring”
- Offer Accountability Mechanism
- Signers decide preferred Opener
- No trusted Setup required

24 Accountable Ring Signatures
[Figure labels: Reg, Join/Issue, InfoG, ..., R_1, R_2, R_τ, (m, σ, τ)]

25 Relaxed Model - Backward compatibility
- Covers weaker models (Static and Partially dynamic)
- Satisfied by Accumulator based constructions
- Subtle issues in Revocation list based constructions
  - Might not be a problem for practical applications
  - Can satisfy the model given small modifications

26 Minor issue in Traceability
[Figure labels: L_{τ+2}; epochs τ, τ+1, τ+2; (m, σ, τ)]

27 Recovering Revocation list Constructions
- Further relax the model to accommodate past signatures
- Trivial fixes: Initialise users as revoked
  - Might be expensive
  - Need to know in advance maximum number of users
- Ad-hoc modifications:
  - Inexpensive for state of the art constructions [LPY12], [NFHF09]
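
The scenario on slides 26 and 27, as an added bookkeeping model in Python (not code from the presentation or from the cited constructions, and with no cryptography): a user who joins at epoch τ+2 was never placed on an earlier revocation list, so a check that only tests absence from L_τ accepts that user for epoch τ. The class and function names, the integer user ids and this reading of the issue as a late joiner passing the list check for a past epoch are assumptions of the example.

```python
# Added illustration: bookkeeping only, no cryptography. All names are hypothetical.

class GroupManager:
    def __init__(self, max_users=None):
        # max_users set => the "initialise users as revoked" fix: every
        # identity that has not joined yet starts on the revocation list.
        self.reg = {}                                   # registration table: uid -> join epoch
        self.revoked = set(range(max_users)) if max_users else set()
        self.epoch = 0
        self.info = {0: frozenset(self.revoked)}        # group info: epoch -> L_epoch

    def update(self, join=(), revoke=()):
        """Update GroupInfo: apply the changes and open a new epoch."""
        self.epoch += 1
        for uid in join:
            self.reg[uid] = self.epoch
            self.revoked.discard(uid)
        self.revoked.update(revoke)
        self.info[self.epoch] = frozenset(self.revoked)
        return self.epoch


def list_check(gm, uid, epoch):
    """All a revocation-list check establishes: signer is not in L_epoch."""
    return uid not in gm.info[epoch]


def active(gm, uid, epoch):
    """Active member in that epoch: joined by then and not revoked."""
    return gm.reg.get(uid, epoch + 1) <= epoch and uid not in gm.info[epoch]


def gap(gm, uid):
    """Epochs in which the list check accepts uid although uid was not active."""
    return [e for e in sorted(gm.info) if list_check(gm, uid, e) and not active(gm, uid, e)]


def scenario(max_users=None):
    gm = GroupManager(max_users)
    tau = gm.update(join=[0, 1])     # epoch tau: users 0 and 1 are members
    gm.update(revoke=[1])            # epoch tau + 1
    gm.update(join=[2])              # epoch tau + 2: user 2 joins only now
    return tau, gap(gm, 2)


if __name__ == "__main__":
    print("plain revocation lists:", scenario())        # user 2 passes for past epochs
    print("initialised as revoked:", scenario(max_users=4))
```

With `max_users=4` the initial list already holds four identities before anyone joins, which is the cost slide 27 points to: the bound must be fixed in advance and the lists start full.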

28 Thanks!

