Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts."— Presentation transcript:

1 Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A AAA A A

2 In an anonymous fast-food chain

3 Whistleblowing

4 Ring signature vk 1 vk 3 vk 2 sk 2 signature

5 Properties Parties with public verification keys Parties with public verification keys A ring is any subset of the parties A ring is any subset of the parties Any party can choose a ring that includes herself and make a ring signature Any party can choose a ring that includes herself and make a ring signature...without the other parties cooperating or even being aware of the ring signature being formed...without the other parties cooperating or even being aware of the ring signature being formed The ring signature is anonymous The ring signature is anonymous

6 Related work Rivest, Shamir and TaumanAsiacrypt 2001 O(N) elements in random oracle model Rivest, Shamir and TaumanAsiacrypt 2001 O(N) elements in random oracle model Dodis, Kiayias, Nicolosi and ShoupEurocrypt 2004 O(1) elements in random oracle model Dodis, Kiayias, Nicolosi and ShoupEurocrypt 2004 O(1) elements in random oracle model Bender, Katz and MorselliTCC 2006 Construction without random oracles Bender, Katz and MorselliTCC 2006 Construction without random oracles Chow, Wei, Liu and YuenASIACCS 2006 Shacham and WatersePrint 2006 O(N) elements Chow, Wei, Liu and YuenASIACCS 2006 Shacham and WatersePrint 2006 O(N) elements BoyenEurocrypt 2007 O(N) elements, perfect anonymity BoyenEurocrypt 2007 O(N) elements, perfect anonymity Our contribution O(√N) elements, perfect anonymity Our contribution O(√N) elements, perfect anonymity

7 Ring signature functionality Common reference string: CRSGen(1 k ) ! ½ Key pair: Gen( ½ ) ! (vk, sk) Ring signature for R=(vk 1,...,vk N ): Sign ½, sk (m, R) ! sig Verification: Verify ½, R (m, sig)  {0,1}

8 Informal definition Perfect correctness: Any member of a ring can make a ring signature Perfect correctness: Any member of a ring can make a ring signature Perfect anonymity: Ring signature leaks no information about which ring member signed the message Perfect anonymity: Ring signature leaks no information about which ring member signed the message Computational unforgeability: Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack Computational unforgeability: Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack

9 Bilinear group of order n G, G T cyclic groups of order n = pq G = G p  G q g generator for G bilinear map e: G  G  G T e(u a, v b ) = e(u, v) ab e(g, g) generates G T

10 Commitment [Boneh-Goh-Nissim] Public key: hord(h) = n or q Commitment to m c = mh r where r  Z n Perfect hiding if ord(h) = n Perfect binding in G p if ord(h) = q : m q = c q Subgroup decision problem: ord(h) = n or ord(h) = q

11 Signature [Boneh-Boyen] Verification key: v = g x Signature on y|y|< |p| (  |√n|) s = g 1/(x+y) Verification e(vg y, s) = e(g, g) Strong Diffie-Hellman assumption in G p Hard to compute (y, g 1/(x+y) ) given input g, g x, g x 2,..., g x l

12 Common reference string:(n, G, G T, e, g, h) Verification keys:v = g x Ring signature (m, x, v  R=(v 1,...,v N ) 1.make one-time signature on (m, R) using one-time verification key y 2. sign y as s = g 1/(x+y) 3.commit to v and s as C = vh r, L = sh t 4.make perfect WI proof (C, L) sign on y 5.make perfect WI proof C contains v  R Ring signature scheme

13 Perfect Witness-Indistinguishable proof for commited signature on y [Groth-Sahai] Commitments C = vh r, L = sh t WI proof: ¼ = (g y v) t s r h rt Verify:e(g y C, L) = e(g, g) e(h, ¼ ) Complete:e(g y vh r, sh t ) = e(g y v, s) e(h, (g y v) t s r h rt ) Perfect WI (ord(h)=n): All (v, r, s, t) give same ¼ Sound (ord(h)=q): e((g y C) q, L q ) = e(g q, g q )

14 WI proof for commitment to v  R v 1 v 2... v √N v √N+1 v √N+2... v 2√N  v N-√N+1 v N-√N+2... v N 1 g  1 = e(g,v 2 ) e(g,v √N+2 )  e(g,v N-√N+2 ) h r 1 h r 2 h r √N e(h,*) Commitment C = vh r and ring R = (v 1,...,v N ) WI proof that PIR-request is well-formedWI proof that v is in one of those

15 Sketch of security proof Perfect anonymity Perfect anonymity Commitments are perfectly hiding (ord(h) = n)... so they can contain Boneh-Boyen signature for any honest party... and the proofs are perfectly witness indistinguishable Computational unforgeability Computational unforgeability Switch to ord(h) = q Commitments are perfectly extractable... so they must contain valid signature in G p... so we can forge Boneh-Boyen signatures

16 CRS = (n, G, G T, e, g, h)ord(h) = n Malicious authority can select h of order q Key generation: v i = g x i, h i chosen at random in G When signing pick t at random and use With overwhelming probability ord(h) = n Overcoming a bad CRS

17 Summary Ring signature scheme PIR-techniques + GS proofs Ring signature scheme PIR-techniques + GS proofs Size O(√N) group elements Size O(√N) group elements Relies on composite order bilinear groups subgroup decision strong Diffie-Hellman in G p Relies on composite order bilinear groups subgroup decision strong Diffie-Hellman in G p Common reference string perfect anonymity Common reference string perfect anonymity Untrusted common reference string statistical anonymity Untrusted common reference string statistical anonymity

Download ppt "Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts."

Similar presentations

Perfect Non-interactive Zero-Knowledge for NP

Perfect Non-interactive Zero-Knowledge for NP
Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.

Short Pairing-based Non-interactive Zero-Knowledge Arguments Jens Groth University College London TexPoint fonts used in EMF. Read the TexPoint manual.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.

The Contest between Simplicity and Efficiency in Asynchronous Byzantine Agreement Allison Lewko The University of Texas at Austin TexPoint fonts used in.
Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.

Efficient Non-interactive Proof Systems for Bilinear Groups Jens Groth University College London Amit Sahai University of California Los Angeles TexPoint.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.

Efficient Non-Interactive Zero Knowledge Arguments for Set Operations Prastudy Fauzi, Helger Lipmaa, Bingsheng Zhang University of Tartu, University of.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin Jens Groth University College London Markulf Kohlweiss Microsoft Research TexPoint fonts.

One-out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin Jens Groth University College London Markulf Kohlweiss Microsoft Research TexPoint fonts.
Identity Based Encryption

Identity Based Encryption
An Efficient and Spontaneous Privacy-Preserving Protocol for Secure Vehicular Communications Hu Xiong, Konstantin Beznosov, Zhiguang Qin, Matei Ripeanu.

An Efficient and Spontaneous Privacy-Preserving Protocol for Secure Vehicular Communications Hu Xiong, Konstantin Beznosov, Zhiguang Qin, Matei Ripeanu.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

Similar presentations

Ads by Google