
1 Cross-Unlinkable Hierarchical Group Signatures
Julien Bringer (1), Hervé Chabanne (1,2), Alain Patey (1,2)
(1) Morpho, (2) Télécom ParisTech
13/09/2012
This document and the information therein are the property of Morpho. They must not be copied or communicated to a third party without the prior written authorization of Morpho.

2 OUTLINE
1. VLR Group Signatures
2. From Backward Unlinkability to Cross-Unlinkability
3. Our Construction
4. Conclusion
Alain Patey / 13/09/2012 / EuroPKI 2012

3 /01/ VLR Group Signatures

4 DIGITAL SIGNATURES VS GROUP SIGNATURES
+ Anonymity

5 SETTING
- Group Manager (GM)
  - Sets up public parameters
  - Owns the master secret key
  - Issues users' secret keys
  - Can lift the anonymity of a signature
  - Can revoke users

6 VERIFIER-LOCAL REVOCATION (VLR)
- GM manages a public Revocation List (RL)

7 VLR: REVOCATION
- Revocation of user i: the revocation token of user i (rt_i) is added to RL

8 VLR: SIGNATURE AND VERIFICATION
- User signs using his secret key
- Verifier (≠ GM):
  1) Signature Check: validity of the signature
  2) Revocation Check: is the signer revoked? (One operation (exponentiation, pairing) per revoked user)

9 VLR GS COMPONENTS
- KeyGen (GM): set group parameters
- Join (GM, User): issue keys for a new group member
- Sign (User): sign a message on behalf of the group
- Verify (Verifier): verify a signature
- Open (GM): reveal the identity of the creator of a given signature
- Revoke (GM): revoke a user from the group

10 BACKWARD UNLINKABILITY
- Problem: once a user is revoked, everyone can use his revocation token to trace all his previous signatures
- Solution: make signatures and revocation dependent on time
- Does not change (much) the complexity of signatures; only one piece of public information per period must be published
[Figure: timeline of Time Period 1, ..., Time Period i, ..., Time Period j, ..., Time Period k, ...]

11 SECURITY PROPERTIES
- Correctness: every signature correctly issued by an unrevoked member is checked as valid
- Backward Unlinkability: signatures do not reveal anything (to anyone but the signer and the GM) about their author, and they remain anonymous even after the revocation of the user
- Traceability: no group of attackers can forge a signature that cannot be traced to one of the members of the coalition
- Exculpability: nobody (including the GM) is able to issue another member's signature

12 /02/ From Backward Unlinkability to Cross-Unlinkability

13 HIERARCHICAL SETTING
- Several groups in a tree structure
- One group signature per group
- Independent Group Managers
- Requirement: to join a group, one must previously be a member of the parent group
- Applications: identity management, attribute-based credentials
[Figure: group tree with nodes National ID, Student ID, Driver's License, College 1, College 2, Car Insurance, HGV License]

14 CASCADE REVOCATION
- Revocation follows the tree structure:
  - Revocation in a parent group ⇒ revocation in the children groups (Downwards Revocation)
  - Child group can signal a revoked user to the parent group (Upwards Revocation, optional)
    - Parent group is not forced to also revoke
[Figure: group tree with nodes National ID, Student ID, Driver's License, College 1, College 2, Car Insurance, HGV License; arrows labelled Upwards Revocation (optional) and Downwards Revocation (compulsory)]

15 UNLINKABILITY
- Cascade Revocation ⇒ key derivation, link between the keys in parent/child groups
- BUT: we aim at maximal anonymity
  - Anonymity in a given group should be preserved towards GMs of other groups (even parent group, sibling groups…) despite the revocation process
  - We call this property CROSS-UNLINKABILITY

16 FROM BACKWARD UNLINKABILITY TO CROSS-UNLINKABILITY
- Idea: transpose the Backward Unlinkability property
- Time periods are transposed to children of a given group
[Figure: Student ID with College 1 and College 2 ⇒ Group Signature with Period 1 and Period 2; Unlinkability]

17 /03/ Our Construction

18 THE MODEL
- KeyGen: the GMs set the groups' parameters
- Enrolment (M_i, G_l): M_i gets keys for the group G_l
- Derivation (M_i, G_k, G_l): key derivation for a user M_i applying to join G_l, child of G_k
  - Includes a proof of G_k membership
- Sign (M_i, m, G_l): user M_i signs message m on behalf of G_l
- Verify (s, m, G_l): verifier checks a signature s for G_l
- Revocation (M_i, G_l):
  - Local Revocation
  - Downwards Revocation
  - (Optional) Upwards Revocation

19 REQUIREMENTS
- Correctness
- Traceability
- Cross-Unlinkability
- Exculpability
- Adaptations of the VLR Group Signatures properties to the hierarchical setting

20 CROSS-UNLINKABILITY
- Game-based definition (as Traceability and Exculpability)
- Queries (before and after Challenge): Enrol to G_0, Derivation, Sign, User Corruption, GM Corruption, Revocation
- Challenge: Adv. outputs m, m', M_0, M_1, G_k, G_l such that:
  - M_0 and M_1 are both registered to G_k and G_l
  - M_0 and M_1 are not corrupted
  - At most one of the GMs is corrupted
  - M_0 and M_1 are revoked from at most one group (the same if they are both revoked) and the GM of the other group is not corrupted
- C chooses two bits b, b' and signs m for M_b in group G_k and m' for M_b' in group G_l
- Adv. tries to guess if b = b'

21 UNDERLYING GROUP SIGNATURE
- VLR Group Signature with Backward Unlinkability
- Group parameters: gpk
- Public/secret key for GM of G_l: mpk, msk
- User M_i's key for G_l: sk_i = (f_i, x_i, A_i)
  - f_i is chosen by M_i (not known by GM_l)
  - x_i is chosen by GM_l
  - A_i = f(f_i, x_i, msk) is computed by GM_l
- Revocation token of M_i for G_l:
  - Global: rt_i = x_i
  - Period j: rt_ij = h_j^(rt_i) (h_j is a public token)
- (For an efficient instantiation see: J. Bringer, A. Patey. VLR Group Signatures: How to Achieve Both Backward Unlinkability and Efficient Revocation Checks. SECRYPT 2012.)

22 THE CONSTRUCTION
- KeyGen:
  - GM_0 fixes gpk
  - Every GM_l chooses mpk_l, msk_l compatible with gpk
  - For every group G_k, one "period" k-l per child group G_l must be set up
- Join:
  - If G_l = G_0, run the Join algorithm of GM_0
  - Otherwise, run the Derivation algorithm
  - If all checks succeed, run an adapted Join algorithm for G_l, where x_i^l is chosen as the output of the Derivation algorithm (instead of being random)
[Annotations: common group parameters, independent GM keys; call Derivation to check that the user belongs to the parent group and to derive a signing key; run the GS Join algorithm]

23 THE CONSTRUCTION II
- Derivation (G_l is child of G_k):
  - GM_l sends a challenge message m to M_i
  - M_i signs it at period k-l
  - M_i sends his revocation token rt_i^{k-l} = h_{k-l}^(rt_i^l)
  - GM_l checks the validity of the signature and the validity of rt_i^{k-l}
  - GM_l derives x_i^l = H(msk_l || rt_i^{k-l})
[Annotation: Join algorithm]

24 THE CONSTRUCTION III
- Sign, Join and Open are direct applications of the group signature algorithms
- Revocation:
  - Local: run the Revocation algorithm of the underlying group signature
  - Downwards:
    - For every child group G_m of G_l:
      - GM_m looks at the updated revocation list RL_l of G_l and reads the new rt
      - GM_m checks if there is a registered user i in G_m such that x_i^m = H(msk_m || rt)
      - If there is one, GM_m recursively runs Revocation
  - Upwards (optional):
    - GM_l sends the period revocation token rt_i^{k-l} to GM_k
    - If GM_k wants to revoke the user, he computes rt_i'^{k-l} for every M_i' in G_k
    - When he finds the corresponding user, he starts a Revocation process
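The derivation and cascade-revocation steps of THE CONSTRUCTION II and III, as an added toy example (not code from the slides or the paper): exponentiation modulo a fixed prime stands in for the scheme's group, signatures and their checks are left out, and the names GM, period_token, join, match_and_revoke and find_member are hypothetical. It assumes the exponent in rt_i^{k-l} is the user's token in the parent group G_k and that a parent revocation reaches each child as that child's period token.

```python
import hashlib

P = 2**255 - 19  # toy modulus (assumption); stands in for the scheme's group

def H(*parts):  # stand-in for the random oracle H: length-prefixed SHA-256
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def period_token(rt, parent, child):  # rt_i^{k-l} = h_{k-l}^(rt_i), h_{k-l} public
    h = H(b"period", parent.encode(), child.encode()) % P
    return pow(h, rt, P).to_bytes(32, "big")

class GM:
    def __init__(self, name, msk, parent=None):
        self.name, self.msk = name, msk
        self.x, self.rl, self.children = {}, [], []  # handle -> x_i, revoked, child GMs
        if parent:
            parent.children.append(self)

    def join(self, handle, parent_token=None):
        # Root: x_i picked by the GM (derived from a label here so runs are repeatable).
        # Child: x_i = H(msk_l || rt_i^{k-l}); the challenge signature check is omitted.
        self.x[handle] = H(self.msk, parent_token or b"root:" + handle.encode())

    def token_for(self, handle, child):  # the user computes this in the real protocol
        return period_token(self.x[handle], self.name, child.name)

    def revoke(self, handle):  # local, then downwards revocation
        if handle not in self.rl:
            self.rl.append(handle)
            for c in self.children:
                c.match_and_revoke(self.token_for(handle, c))

    def match_and_revoke(self, token):  # child GM: is some x_i == H(msk || rt)?
        target = H(self.msk, token)
        for handle in [h for h, x in self.x.items() if x == target]:
            self.revoke(handle)

    def find_member(self, token, child):  # upwards: recompute rt_i'^{k-l} for all i'
        return [h for h in self.x if self.token_for(h, child) == token]

def demo():  # constructed tree: Student ID -> College 1, College 2
    stu = GM("Student ID", b"msk-student")
    c1, c2 = GM("College 1", b"msk-c1", stu), GM("College 2", b"msk-c2", stu)
    stu.join("S-1")
    t1, t2 = stu.token_for("S-1", c1), stu.token_for("S-1", c2)
    c1.join("A-7", t1)
    c2.join("B-3", t2)
    stu.revoke("S-1")
    return t1 != t2, c1.rl, c2.rl, stu.find_member(t1, c1)
```

Revoking S-1 in Student ID cascades to the local handles A-7 and B-3, while the two colleges each received a different period token for that user.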

25 SECURITY
- Random Oracle Model
- Requirements are game-based
- We reduce an attack against our construction to an attack against the underlying group signature scheme
- In particular, an adversary with a non-negligible advantage in the Cross-Unlinkability game has a non-negligible advantage in the Backward Unlinkability game

26 APPLICATION TO BIOMETRIC IDENTITY MANAGEMENT
- Group signatures can be used for biometric anonymous authentication
  - Keys stored on a smartcard, biometric verification needed to sign
- Adaptable to our hierarchical setting → identity management system
  - Groups are identity domains, GMs are identity providers
- J. Bringer, H. Chabanne, D. Pointcheval, S. Zimmer. An Application of the Boneh and Shacham Group Signature Scheme to Biometric Authentication. IWSEC 2008.
- J. Bringer, H. Chabanne, A. Patey. An Application of a Group Signature Scheme with Backward Unlinkability to Biometric Identity Management. SECRYPT 2012.

27 /04/ Conclusion

28 CONCLUSION
- From VLR Group Signatures with BU, we build hierarchical group signatures with strong anonymity properties
- New model
- Security only relies on the security of the underlying group signature (+ ROM)
- Open issues:
  - Improve the construction to enable Backward Unlinkability
  - Change the group set structure (any ordered set…)
- Full version available on the IACR ePrint archive: http://eprint.iacr.org/2012/407

29 THANK YOU FOR YOUR ATTENTION
- Questions?

