Presentation is loading. Please wait.

Presentation is loading. Please wait.

Blind Signatures: Definitions and Constructions Carmit Hazay Yehuda Lindell Bar-Ilan University Jonathan Katz Chiu-Yuen Koo University of Maryland.

Published byQuentin Watts Modified over 9 years ago

Similar presentations

Presentation on theme: "Blind Signatures: Definitions and Constructions Carmit Hazay Yehuda Lindell Bar-Ilan University Jonathan Katz Chiu-Yuen Koo University of Maryland."— Presentation transcript:

1 Blind Signatures: Definitions and Constructions Carmit Hazay Yehuda Lindell Bar-Ilan University Jonathan Katz Chiu-Yuen Koo University of Maryland

2 Blind Signatures [Chaum] Enables a user to obtain a signature from a signer on a message m, without the signer learning anything about m Motivation: e-cash, e-voting Useful when values need to be certified, yet anonymity should be preserved

3 Example: e-cash (simplified) Bank has public key PK User: Sends its account information to the bank Obtains a signature  on a coin c When the user later presents (c,  ) to a merchant, the merchant can verify  Should be infeasible to trace a coin to a particular user

4 Example: e-voting (simplified) Registration authority has public key PK Voter: Proves she is a valid voter… Obtains signature  i on public key pk i (generated and used for this application only) Voter can later cast her vote v (on a public bulletin board) by posting (pk i,  i, v,  ) Should be infeasible to trace a public key to a particular voter

5 Requirements Need to consider security requirements of both the signer and the user Protection of signer: Unforgeability Protection of user: Blindness

6 Unforgeability Intuitively: If a malicious user interacts with the (honest) signer n times, it should be infeasible for the user to output valid signatures on n+1 distinct messages Note: these interactions might be Sequential Parallel Concurrent Easy to show a protocol secure against parallel attacks, but not concurrent ones

7 Blindness Intuitively: Malicious signer should be unable to link a (message, signature) pair to any particular execution of the protocol A bit messy to formalize…

8 Blindness (“standard” def’n) (Malicious) signer outputs PK, m 0, m 1 Random bit b selected; signer interacts concurrently with U(m b ), U(m 1-b ) If either user-instance aborts, signer gets nothing If neither user-instances aborts, signer gets the computed signatures on m 0, m 1 Pr[Signer guesses b] – ½ = negl

9 Necessity of dealing with abort Say signer can induce a message-dependent abort I.e., can act so that user aborts if using m 0 but not if using m 1 Consider the following attack: Act as above in first session; act honestly in second session Learning whether users abort or not enables correct guess of b Leads to “real-world” attack

10 Extending blindness def’n It is not clear how to extend the “stand- alone” definition to the general case of polynomially-many users Issue is how to deal with aborts…

11 Rethinking the definition Let us recall what we want… Signer should be unable to link (m i,  i ) with any particular completed session, any better than random guessing Equivalently (2-user case), want: In applications, messages chosen by user, not signer Pr[guess b | both sessions completed] – ½ = negl

12 More generally… Signer outputs PK, D {m i } chosen according to D Signer interacts with U(m 1 ), …, U(m l ); given (m i,  i ) for completed sessions (lex order) Signer succeeds if it identifies a message/signature pair with its correct session Require: for all i, Pr[Succ ٨ #completed = i] – 1/i (Pr[#completed = i]) < negl Equivalently: Exp[Succ · (# completed)] ≤ 1 + negl

13 Prior work I Blind signatures introduced by Chaum Chaum’s construction later proved secure by [BNPS02] based on the “one-more-RSA” assumption in the RO model Provably-secure schemes (RO model) [PS96] – logarithmically-many sigs [P97] –poly-many sigs [A01, BNPS02, B03] – concurrently-secure

14 Prior work II Provably-secure schemes (standard model) [JLO97] – using generic secure 2PC [CKW04] – efficient protocol Both give sequential unforgeability only

15 Prior work III [L03] – impossibility of concurrently-secure blind signatures (without setup)! Lindell’s impossibility result has recently motivated the search for concurrently-secure signatures in the CRS model E.g., [O’06, KZ’06, F’06] Circumventing [L03] explicitly mentioned as justification for using a CRS

16 Is a CRS really necessary…? The impossibility result seems to suggest so… …but in fact, [L04] only rules out simulation-based security (with black-box reductions) Question: can we circumvent the impossibility result by moving to game-based definitions?

17 Main result We show the first concurrently-secure blind signature scheme Standard assumptions, no trusted setup Remark: work of [BS05] could seemingly be used as well Would require super-poly hardness assumptions, which we avoid here

18 Perspective Our work gives (further?) evidence that game-based definitions give a viable approach for concurrent security Rather than imposing additional assumptions (CRS, PKI, network delay,…) …or other relaxations (bounded concurrency, super-poly simulation, …)

19 The construction Preliminaries Fischlin’s approach to blind signatures A partial solution (Using complexity leveraging) The PRS cZK protocol The full solution

20 Preliminaries I ZAPs [DN00] ≤2-round WI proofs for NP; 1 st message independent of statement Constructions given in [DN00,BOV03,GOS06a,GOS06b]

21 Preliminaries II Ambiguous commitment (cf. DN02]) Two types of keys One type gives perfect hiding; other type gives perfect binding (with trapdoor for extraction) Easy constructions based on standard number- theoretic assumptions (e.g., DDH)

22 Fischlin’s approach Previous blind signature schemes define a protocol to generate some “standard” signature “Blinding” [Chaum, …] Secure computation approach Fischlin takes a different route

23 Fischlin’s approach CRS: pk, r Signer(SK)User(PK, m) com = Com(m)  = Sign SK (com)  C = E pk (com |  ) NIZK proof  : {C correct for m}

24 Removing the CRS… Removing r: Use ZAP instead of NIZK Need to introduce “extra” witness in protocol Use Feige-Shamir trick… Removing pk: Want semantic security, yet extraction! Use complexity leveraging… Commitment scheme that is hiding for PPT adversaries, but allows extraction in time T(k) Other components should have T(k)-time security

25 A partial solution PK: pk’, y 0, y 1, r SignerUser(m) com = Com(m)  = Sign SK (com)  C 1 = Com*(com |  ) C 2 = Com*(0 k ) ZAP  : {C 1 correct for m} or {C 2 correct} WI-PoK: x 0 or x 1

26 Toward a full solution… In our full solution, we use (a modification of) the cZK protocol of [PRS02] Modified to be an argument of knowledge (in stand-alone sense) (Unfortunately…) we cannot use cZK as a “black- box” but instead must use specific properties of the PRS simulation strategy Look-aheads and straight-line simulation Fixed schedule

27 Main idea Instead of using complexity leveraging, use an ambiguous commitment scheme Signer includes commitment key as part of its public key To prevent cheating, signer must give cZK proof that the key is of the correct type

28 First try PK: pk’, pk*, r SignerUser(m) com = Com(m)  = Sign SK (com)  C = Com pk* (com |  ) ZAP  : {C correct for m} or {pk* correct} cZK: pk* correct

29 Proof? Fairly straightforward to show the following: Given user U who interacts with the (honest) signer and outputs n+1 signatures on distinct messages with non-neg probability… …can construct forger F who interacts with a (standard) signing oracle and outputs n+1 signatures on distinct messages with non-neg probability Problem: F might make >n queries (even if U does not)!

30 Modification The signer will append a random nonce to what is being signed The forger F we construct will still output n+1 signatures but make >n oracle queries… …but the signatures output by F are (in some sense) independent of the nonces used during rewinding With high probability, one of the signatures output by F will be a forgery

31 The protocol PK: pk’, pk*, r SignerUser(m) com = Com(m) nc  {0,1} k  = Sign SK (nc|com) nc,  C = Com pk* (nc|com|  ) ZAP  : {C correct for m} or {pk* correct} cZK: pk* correct

32 Analysis (unforgeability) Given a user who outputs n+1 forgeries: Simlate cZK protocol… Replace pk* by a commitment key that allows extraction… With roughly equal probability, we obtain a forger F who outputs n+1 valid signatures on distinct messages But makes more than n signing queries!

33 Analysis (unforgeability) F(pk’) U U Sign sk’ nc|com  Sign sk’ nc|com  Only these affect the final output of U! (assuming simulation is successful…) Successful simulation may depend on these Upshot: The n+1 signatures output by U include a nonce used in the “look-ahead” phase with only negligible probability I.e., they yield an actual forgery for F with overwhelming probability

34 Analysis (blindness) Key point: if any sessions are successful, then pk* is (with overwhelming probability) a key that gives perfectly-hiding commitment So C leaks no information! Perfect hiding needed here By extracting the witness for pk*, can give a ZAP independent of m The rest of the analysis is straightforward…

35 Conclusion Concurrently-secure blind signatures are possible without setup assumptions If we are satisfied with a game-based definition… Is the use of cZK inherent? In particular, can we improve the round complexity? One bottleneck is the lack of secure signatures… Can we hope for efficient protocols?

Download ppt "Blind Signatures: Definitions and Constructions Carmit Hazay Yehuda Lindell Bar-Ilan University Jonathan Katz Chiu-Yuen Koo University of Maryland."

Similar presentations

Dov Gordon & Jonathan Katz University of Maryland.

Dov Gordon & Jonathan Katz University of Maryland.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
Coin Tossing With A Man In The Middle Boaz Barak.

Coin Tossing With A Man In The Middle Boaz Barak.
Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.

Strict Polynomial-Time in Simulation and Extraction Boaz Barak & Yehuda Lindell.
Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.

Quantum Money from Hidden Subspaces Scott Aaronson and Paul Christiano.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.

1 Identity-Based Zero-Knowledge Jonathan Katz Rafail Ostrovsky Michael Rabin U. Maryland U.C.L.A. Harvard U.
Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.

Dominique Unruh Non-interactive zero-knowledge with quantum random oracles Dominique Unruh University of Tartu With Andris Ambainis, Ansis Rosmanis Estonian.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.

1 Vipul Goyal Abhishek Jain Rafail Ostrovsky Silas Richelson Ivan Visconti Microsoft Research India MIT and BU UCLA University of Salerno, Italy Constant.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.

Impossibility Results for Concurrent Two-Party Computation Yehuda Lindell IBM T.J.Watson.
A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.

A Parallel Repetition Theorem for Any Interactive Argument Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before.

Similar presentations

Ads by Google