Pairing-Based Cryptography – Pairing 2009: Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings [1 ed.] 3642032974, 9783642032974

Citation preview

Lecture Notes in Computer Science Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany

5671

Hovav Shacham Brent Waters (Eds.)

Pairing-Based Cryptography – Pairing 2009 Third International Conference Palo Alto, CA, USA, August 12-14, 2009 Proceedings

13

Volume Editors Hovav Shacham University of California at San Diego Department of Computer Science and Engineering 9500 Gilman Drive, MC 0404 La Jolla, CA 92093-0404, USA E-mail: [email protected] Brent Waters University of Texas at Austin Department of Computer Science 1 University Station C0500, Taylor Hall 2.124 Austin, TX 78712-1188, USA E-mail: [email protected]

Library of Congress Control Number: 2009930958 CR Subject Classification (1998): E.3, D.4.6, F.2.2, G.2, K.6.5 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN ISBN-10 ISBN-13

0302-9743 3-642-03297-4 Springer Berlin Heidelberg New York 978-3-642-03297-4 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12723874 06/3180 543210

Preface

Pairing 2009, the Third International Conference on Pairing-Based Cryptography, was held at Stanford University in Palo Alto during August 12–14, 2009. The conference was sponsored by Voltage Security and Microsoft Corporation. Terence Spies served as General Chair of the Conference and we had the privilege of serving as Program Co-chairs. The conference received 38 submissions. These were reviewed by a committee of 23 members. The committee had a three-week individual review phase followed by three weeks of discussion. After careful deliberation, the committee chose 16 papers for the Pairing 2009 conference. Detailed reviews were given to the authors, and the authors were given three weeks to submit the final version. These final versions were not subject to external review and the authors bear full responsibility for their contents. We are delighted to have had three invited speakers for Pairing 2009. Victor Miller spoke on the origins of pairing-based cryptography. His talk was complemented by Tanja Lange’s, who covered the evolution of the mathematics behind pairings and shared recent results. Finally, Amit Sahai spoke on his work (with Jens Groth and Rafi Ostrovksy) realizing non-interactive zero knowledge proofs from pairings. This work has been highly influential and multiple papers accepted at this conference built upon it. In addition, there was a “Hot Topics” session at this conference where we asked several researchers to give 10-minute presentations of recent results. We would like to thank everyone who contributed to the conference. First, thanks to the members of our Program Committee for their excellent reviews, the difficult decisions they made in a short time, and their conscientious, thorough shepherding. Second, thanks to the Pairing Conference Steering Committee and the Chairs of previous Pairing conferences and workshops. We would like to extend a particular thanks to Steven Galbraith and Kenny Paterson, Program Chairs of Pairing 2008, whose experience and advice were invaluable to us in our planning of this conference. Third, we would like to thank Shai Halevi, whose wonderful Web Submission and Review Software we used and who hosted and administered the submission and review site for us on the IACR’s servers. Fourth, we are grateful for Voltage Security and Microsoft for their generous support. Finally, we are especially indebted to Terence Spies for his service as General Chair. Without him the conference would not have been possible. August 2009

Hovav Shacham Brent Waters

Pairing 2009

The Third International Conference on Pairing-Based Cryptography Stanford, California August 12–14, 2009 Sponsored by Voltage Security and Microsoft

General Chair Terence Spies

Voltage Security

Program Chairs Hovav Shacham Brent Waters

UC San Diego, USA UT Austin, USA

Program Committee Michel Abdalla Paulo Barreto Xavier Boyen Melissa Chase David Mandell Freeman Steven Galbraith Pierrick Gaudry Matthew Green Jens Groth Florian Hess Tanja Lange Kristin Lauter Gregory Neven Tatsuaki Okamoto Dan Page Kenny Paterson Michael Scott Hovav Shacham Elaine Shi Nigel Smart Tsuyoshi Takagi Fr´e Vercauteren Brent Waters

´ Ecole Normale Sup´erieure, France University of S˜ ao Paulo, Brazil Stanford, USA Microsoft Research, USA CWI; Universiteit Leiden, The Netherlands Royal Holloway, University of London, UK CNRS, INRIA, Nancy Universit´e, France Johns Hopkins, USA University College London, UK TU Berlin, Germany TU Eindhoven, The Netherlands Microsoft Research, USA IBM Zurich Research Laboratory, Switzerland NTT, Japan University of Bristol, UK Royal Holloway, University of London, UK Dublin City University, Ireland UC San Diego, USA PARC, USA University of Bristol, UK Future University Hakodate, Japan KU Leuven, Belgium UT Austin, USA

VIII

Organization

External Reviewers John Bethencourt S´ebastien Canard Scott E. Coull Yuto Kawahara Benoˆıt Libert Mark Manulis

Atsuko Miyaji Peter Montgomery Yasuyuki Nogami Pascal Paillier Emily Shen Masaaki Shirase

Katsuyuki Takashima Damien Vergnaud Ali Zandi

Table of Contents

Signature Security Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem . . . . . . . David Jao and Kayo Yoshida

1

Security of Verifiably Encrypted Signatures and a Construction without Random Oracles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Markus R¨ uckert and Dominique Schr¨ oder

17

Multisignatures as Secure as the Diffie-Hellman Problem in the Plain Public-Key Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Duc-Phong Le, Alexis Bonnecaze, and Alban Gabillon

35

Curves On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Naomi Benger, Manuel Charlemagne, and David Mandell Freeman

52

Generating Pairing-Friendly Curves with the CM Equation of Degree 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hyang-Sook Lee and Cheol-Min Park

66

Pairing Computation On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa

78

Faster Pairings on Special Weierstrass Curves . . . . . . . . . . . . . . . . . . . . . . . Craig Costello, Huseyin Hisil, Colin Boyd, Juan Gonzalez Nieto, and Kenneth Koon-Ho Wong

89

Fast Hashing to G2 on Pairing-Friendly Curves . . . . . . . . . . . . . . . . . . . . . . Michael Scott, Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez, and Ezekiel J. Kachisa

102

NIZKs and Applications Compact E-Cash and Simulatable VRFs Revisited . . . . . . . . . . . . . . . . . . . Mira Belenkiy, Melissa Chase, Markulf Kohlweiss, and Anna Lysyanskaya

114

X

Table of Contents

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Georg Fuchsbauer and David Pointcheval

132

Group Signatures Identity Based Group Signatures from Hierarchical Identity-Based Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nigel P. Smart and Bogdan Warinschi

150

Forward-Secure Group Signatures from Pairings . . . . . . . . . . . . . . . . . . . . . Toru Nakanishi, Yuta Hira, and Nobuo Funabiki

171

Efficient Traceable Signatures in the Standard Model . . . . . . . . . . . . . . . . . Benoˆıt Libert and Moti Yung

187

Protocols Strongly Secure Certificateless Key Agreement . . . . . . . . . . . . . . . . . . . . . . . Georg Lippold, Colin Boyd, and Juan Gonzalez Nieto

206

Universally Composable Adaptive Priced Oblivious Transfer . . . . . . . . . . . Alfredo Rial, Markulf Kohlweiss, and Bart Preneel

231

Conjunctive Broadcast and Attribute-Based Encryption . . . . . . . . . . . . . . Nuttapong Attrapadung and Hideki Imai

248

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

267

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem David Jao and Kayo Yoshida⋆ Department of Combinatorics and Optimization University of Waterloo, Waterloo ON, N2L 3G1, Canada {djao,k2yoshid}@ecc.math.uwaterloo.ca

Abstract. The Boneh-Boyen signature scheme is a pairing based short signature scheme which is provably secure in the standard model under the q-Strong Diffie-Hellman assumption. In this paper, we prove the converse of this statement, and show that forging Boneh-Boyen signatures is actually equivalent to solving the q-Strong Diffie-Hellman problem. Using this equivalence, we exhibit an algorithm which, on the vast majority of pairing-friendly curves, recovers Boneh-Boyen private keys in 2 1 O(p 5 +ε ) time, using O(p 5 +ε ) signature queries. We present implementation results comparing the performance of our algorithm and traditional discrete logarithm algorithms such as Pollard’s lambda algorithm and Pollard’s rho algorithm. We also discuss some possible countermeasures and strategies for mitigating the impact of these findings.

1

Introduction

The q-SDH assumption was proposed by Boneh and Boyen [5,6] as a tool to assist in the security analysis of the Boneh-Boyen short signature scheme. Versions of this assumption are also used in Mitsunari et al. [19], Dodis and Yampolskiy [12], and in the Boneh-Boyen IBE scheme [4]. The survey article of Boyen [7] lists the q-SDH assumption as one of the first in a family of new assumptions that have appeared in the context of pairing-based cryptography, and the first of these to be analyzed in the generic group model. Prior to this work, no equivalence was known between the security of the qSDH assumption and the security of the Boneh-Boyen signature scheme. Boneh and Boyen [5,6] provide a security reduction with a running time of Θ(q 2 ), but it only goes in one direction: namely, if the q-SDH assumption holds, then BonehBoyen signatures are unforgeable. There are two reasons why one might desire to prove the converse result. One reason is practical: Cheon [10]has shown √ that, in groups of size p, the q-SDH problem can be solved in O( p/d + d) √ exponentiations, instead of the O( p) operations required for discrete log, for any divisor d ≤ q of p − 1 (a similar result holds for p + 1). Knowing that q-SDH and Boneh-Boyen are equivalent thus allows one to forge Boneh-Boyen signatures in faster than square root time; in our case this is possible via a known or chosen ⋆

The authors were partially supported by NSERC.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 1–16, 2009. c Springer-Verlag Berlin Heidelberg 2009 

2

D. Jao and K. Yoshida

message attack. Although the resulting algorithm remains exponential, a lower exponent is still interesting in the context of a short signature scheme, especially for extremely short signature lengths at the lower margins of security. A further motivation for proving equivalence is given by Koblitz and Menezes [14,15]. They argue that an equivalence result is preferable from a philosophical standpoint, since researchers have more incentive to solve the underlying hard problem (that is, q-SDH) if such solutions lead immediately to cryptanalysis of a concrete scheme. In this paper, we present an algorithm for performing existential forgeries of Boneh-Boyen signatures using a q-SDH oracle, whose running time is also Θ(q 2 ). This shows that the security of Boneh-Boyen cannot be proved under any weaker assumption than SDH; in other words, the security of the BonehBoyen scheme is equivalent to the intractability of the q-SDH problem. Our reduction holds for both the “basic” and “full” versions of the Boneh-Boyen scheme. Together with Cheon’s algorithm, our result allows a total break (i.e. recovery of the private key) of the full (resp., basic) Boneh-Boyen scheme in 2 time O(p 5 +ε ), under a chosen (resp., known) message attack, whenever p ± 1 has a divisor of appropriate size (which in practice is almost always the case; see Section 6.3). This running time is slightly higher than the generic group bound 1 of Ω(p 3 ) given by Boneh and Boyen [5,6], because of the quadratic runtime of our reduction. Nevertheless, it represents a significant improvement over the 1 O(p 2 +ε ) time required to calculate discrete logarithms. The techniques we use are not entirely new, although we did discover them independently. A simplified version of Proposition 4.1 appears in Mitsunari et al. [19], a paper which is cited by Boneh and Boyen [5,6] and Cheon [10]. However, we are quite confident that our overall result is new. For example, Cheon [10] applies his results to the cryptanalysis of several different cryptosystems, but omits the Boneh-Boyen scheme from such consideration, indicating that no such cryptanalysis was available. In addition, the survey article of Boyen [7] asserts that the MSDH assumption (which amounts to forging BonehBoyen signatures) is “an actually weaker statement” than q-SDH. This sentence implies that no equivalence between Boneh-Boyen and q-SDH was known at the time of that writing. We note here that the abovementioned generic group analysis already yields 1 a bound of Ω(p 3 ) on the security of the q-SDH assumption for large q. Thus, it would be reasonable for a conservative adopter to view the Boneh-Boyen scheme as having cube root security under large scale chosen message attacks, even in the absence of any concrete algorithm that runs faster than discrete log. However, an explicit result showing that forging signatures reduces to the q-SDH problem is still useful, precisely because such a reduction yields concrete algorithms for forging signatures, and hence helps to validate the conservative viewpoint. 1.1

Organization of the Paper

The rest of this paper is organized as follows. Section 2 contains background material such as security definitions, bilinear pairings, and the q-SDH and related

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

3

problems. Section 3 presents the basic and full versions of the Boneh-Boyen short signature scheme [5,6]. In Section 4, we give a security analysis of the signature scheme, and show how to forge Boneh-Boyen signatures using a q-SDH oracle. In Section 5 we review Cheon’s algorithm [10] for solving the q-SDH problem, and describe how Cheon’s algorithm can be used to compute the private key in the Boneh-Boyen scheme. Section 6 contains theoretical and experimental runtime figures showing that a Boneh-Boyen private key can be computed in 2 O(p 5 +ε ) time, given access to a signing oracle. We conclude with an analysis of the proportion of curves for which a divisor of the suitable form exists, together with a list of related open problems.

2 2.1

Preliminaries Security Definitions

We begin by reviewing the two security definitions used in the proof of security for the Boneh-Boyen signature scheme [5,6]. Strong Existential Unforgeability. Strong existential unforgeability is defined via the following game between a challenger and an adversary A. 1. The challenger generates a key pair (PK, SK) and gives PK to the adversary. 2. The adversary A can adaptively make up to qS queries for signatures of messages m1 , . . . , mqS of its choice. The challenger must respond to the queries with valid signatures σ1 , . . . , σqS of the messages m1 , . . . , mqS . 3. Eventually, the adversary A outputs a pair (m∗ , σ∗ ), and wins the game if (m∗ , σ∗ ) = (mi , σi ) for i = 1, . . . , qS and Verify(m∗ , σ∗ , PK) = true. The adversary A’s advantage, denoted Adv Sig(A) is defined as the probability that A wins the above game, where the probability is taken over the coin tosses made by A and the challenger. Definition 2.1. An adversary A is said to (t, qS , ǫ)-break a signature scheme if A runs in time at most t, makes at most qS signature queries, and Adv Sig(A) ≥ ǫ. We say that a signature scheme is (t, qS , ǫ)-existentially unforgeable under an adaptive chosen message attack if there is no adversary that (t, qS , ǫ)-breaks it. Weak Existential Unforgeability. Weak existential unforgeability is defined via the following game between a challenger and an adversary A. 1. The challenger generates a key pair (PK, SK). 2. The adversary A chooses up to qS messages m1 , . . . , mqS and sends them to the challenger. 3. The challenger gives A the public key PK and valid signatures σ1 , . . . , σqS for the messages m1 , . . . , mqS . 4. Eventually, the adversary A outputs a pair (m∗ , σ∗ ), and wins the game if m∗ = mi for i = 1, . . . , qS and Verify(m∗ , σ∗ , PK) = true.

4

D. Jao and K. Yoshida

The adversary A’s advantage, denoted Adv Sig W(A), is defined as the probability that A wins the above game, where the probability is taken over the coin tosses made by A and the challenger. Definition 2.2. An adversary A is said to (t, qS , ǫ)-weakly break a signature scheme if A runs in time at most t, makes at most qS signature queries, and Adv Sig W(A) ≥ ǫ. We say that a signature scheme is (t, qS , ǫ)-existentially unforgeable under a weak chosen message attack if there is no adversary that (t, qS , ǫ)-weakly breaks it. 2.2

Bilinear Pairings

The Boneh-Boyen short signature scheme makes use of bilinear pairings. Let G1 , G2 , and GT be cyclic groups of prime order |G1 | = |G2 | = |GT | = p. The operations in G1 , G2 , and GT are written multiplicatively. Recall that a function e : G1 ×G2 → GT is called a bilinear pairing if it satisfies the following conditions: – Bilinearity: For any u1 , u2 , u ∈ G1 and v1 , v2 , v ∈ G2 , e(u1 u2 , v) = e(u1 , v) · e(u2 , v), e(u, v1 v2 ) = e(u, v1 ) · e(u, v2 ).

and

– Non-degeneracy: There exists u ∈ G1 and v ∈ G2 such that e(u, v) = 1. We assume that the pairing function and the group operations are efficiently computable. The pair (G1 , G2 ) is called a bilinear group pair. 2.3

SDH and Related Problems

The q-SDH problem and its variants provide the underlying basis for security in several pairing-based protocols [4,5,6,7,12,19]. Throughout this section, let (G1 , G2 ) be a bilinear group pair of prime order p, and let g1 and g2 be generators of G1 and G2 , respectively. q-SDH Problem. In the full version of the Boneh-Boyen paper [6], the q-Strong Diffie-Hellman (q-SDH) problem on the bilinear group pair (G1 , G2 ) is defined as follows: q

×G22 as input, output Given a (q+3)-tuple (g1 , g1x , . . . , g1x , g2 , g2x ) ∈ Gq+1 1 1

(c, g1x+c ) for some c ∈ Zp such that x + c ≡ 0 (mod p).

The advantage Adv q-SDH(A) of an algorithm A in solving the q-SDH problem in (G1 , G2 ) is defined as   1 q Adv q-SDH(A) = Pr A(g1 , g1x , . . . , g1x , g2 , g2x ) = (c, g1x+c ) , where the probability is taken over the random choices of generators g1 ∈ G1 and g2 ∈ G2 , the random choice of x ∈ Z∗p , and the coin tosses made by A.

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

5

Definition 2.3. An algorithm A is said to (t, ǫ)-break the q-SDH problem in (G1 , G2 ) if A runs in time t and Adv q-SDH(A) ≥ ǫ. We say that the (q, t, ǫ)SDH assumption holds in (G1 , G2 ) if there is no algorithm that (t, ǫ)-breaks the q-SDH problem in (G1 , G2 ). The definition of the q-SDH problem given in the original version of the BonehBoyen paper [5] is slightly different. The original version uses a (q + 2)-tuple q q (g1 , g2 , g2x , . . . , g2x ) as input rather than (g1 , g1x , . . . , g1x , g2 , g2x ), and it also assumes an efficiently computable isomorphism ψ : G2 → G1 is available. In this paper, we adopt the definition given in the full version of the Boneh-Boyen paper. Related Problems. A notable variation of the q-SDH problem for our purposes is the MSDH problem [7,8]. The Modified q-SDH or q-MSDH problem on a group G is the following computational problem: given g, g x ∈ G, and a (q − 1)1

1

1

tuple (c1 , g x+c1 ), . . . , (cq−1 , g x+cq−1 ) where each ci ∈ Zp , output (c, g x+c ) for some c ∈ Zp \ {c1 , . . . , cq−1 }. Over a group equipped with a type 1 pairing [13], solving the q-MSDH problem is equivalent to existential forgery of the BonehBoyen basic signature scheme under a known message attack using q signature queries. Boyen remarks in [7] that the MSDH assumption is weaker than SDH. Our results, however, imply that in groups with a type 1 pairing the q-MSDH problem is equivalent to the q-SDH problem via a Θ(q 2 ) reduction.

3

Boneh-Boyen Signature Scheme

Let G1 , G2 , and GT be cyclic groups of prime order p, and let e : G1 × G2 → GT be a bilinear pairing. In [5,6], Boneh and Boyen present two versions of their signature schemes, a basic scheme and a full scheme, with the former being used to prove the security of the latter. The protocols in the original version [5] of their paper are slightly different from those in the full version [6]. Here we use only the schemes from the full version of the paper [6]. The Basic Signature Scheme – Key generation: KeyGen outputs random generators g1 and g2 of G1 and G2 , respectively, and a random integer x ∈ Z∗p . Let ζ ← e(g1 , g2 ) ∈ GT . The public key is PK = (g1 , g2 , g2x , ζ), and the private key is SK = (g1 , x). – Signing: Given a message m ∈ Zp and a private key SK, Sign(m, SK) 1

outputs a signature σ ← g1x+m , where the exponent is calculated modulo p. In the unlikely event that x + m ≡ 0 (mod p), Sign(m, SK) outputs σ ← 1. – Verification: Verify(m, σ, PK) = true if and only if e(σ, g2x · g2m ) = ζ. The Full Signature Scheme

– Key generation: KeyGen outputs random generators g1 and g2 of G1 and G2 , respectively, and random integers x, y ∈ Z∗p . Let ζ ← e(g1 , g2 ) ∈ GT . The public key is PK = (g1 , g2 , g2x , g2y , ζ), and the private key is SK = (g1 , x, y).

6

D. Jao and K. Yoshida

– Signing: Given a message m ∈ Zp and a private key SK, Sign(m, SK) randomly picks r ∈ Zp such that x + m + yr ≡ 0 (mod p), and calculates 1

σ ← g1x+m+yr . The signature is (σ, r). – Verification: Verify(m, (σ, r), PK) = true if and only if e(σ, g2x · g2m · (g2y )r ) = ζ.

The element g1 can be omitted from the public key with no loss of functionality. None of our proofs use g1 , except for the proof of Theorem 4.3, and even this theorem can be modified to hold without g1 (see remarks at the end of the proof of Theorem 4.3).

4

Security Analysis of the Boneh-Boyen Signature Scheme

We present our equivalence results in this section. We begin with a partial fraction decomposition which refines and generalizes a formula given in [19]. Proposition 4.1. Let F be a field, and x ∈ F. Let d, k ∈ Z be such that d ≥ 1, k ≥ 0. Let mi for i = 1, . . . , d be distinct elements of F such that x + mi = 0. Then, ⎧ d

⎪ (−mi )k ⎪ ⎪  ⎪ ⎪ ⎪ ⎪ i=1 (x + mi ) j =i (mj − mi ) ⎪ ⎪ d ⎨

xk (−mi )d  = 1+ d ⎪ (x + mi ) j =i (mj − mi ) ⎪ i=1 (x + mi ) i=1 ⎪  ⎪ ⎪ d d+1 ⎪

⎪ ) (−m i ⎪x + ⎪  −mi + ⎩ (x + mi ) j =i (mj − mi ) i=1

for 0 ≤ k < d for k = d for k = d + 1

Proof. By the principle of permanence of identity [1, p. 456], it suffices to prove that the equations hold when F = C, since they then form an algebraic identity. Thus, we let xk f (x) = , (x + m1 ) · · · (x + md ) and treat f (x) as a complex function in x. We can write f (x) as a partial fraction of the form f (x) = ak x + bk +

c2 cd c1 + + ···+ x + m1 x + m2 x + md

where

ak =

1 0

if k = d + 1, otherwise,

⎧ d ⎪ ⎨− i=1 mi bk = 1 ⎪ ⎩ 0

if k = d + 1, if k = d, and otherwise,

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

and each ci is a constant. By symmetry, we only need to prove c1 =

7

k  (−m1 ) . j=1 (mj −m1 )

cd c1 c2 = ak x + bk + x+m + · · · + x+m has an analytic Taylor Note that f (x) − x+m 1 2 d series expansion about x = −m1 . Thus c1 is the residue of f at the simple pole φ(x) xk , then φ(x) is where φ(x) = (x+m2 )···(x+m x = −m1 . If we write f (x) = x+m 1 d) analytic and nonzero at x = −m1 . A standard theorem in complex analysis (see [9, p. 234] or [2, p. 115]) gives

(−m1 )k j =1 (mj − m1 )

c1 = φ(−m1 ) = 

as desired. Corollary 4.2. Let G be a cyclic group of order p, let g ∈ G be a generator, and let x ∈ Zp . Let mi for i = 1, . . . , d be distinct elements of Zp such that x + mi ≡ 0 (mod p). Then, ⎧ d (−mi )k   ⎪ ⎪ ⎪ g (x+mi ) j=i (mj −mi ) for 0 ≤ k ≤ d − 1 ⎪ ⎪ ⎪ ⎪i=1 ⎪ ⎪ d ⎨  xk (−mi )d d  (x+mi ) g i=1 = g· g (x+mi ) j=i (mj −mi ) for k = d ⎪ ⎪ i=1 ⎪ ⎪ ⎪ d (−mi )d+1 ⎪    ⎪ ⎪g x · g − di=1 mi · ⎪ for k = d + 1 g (x+mi ) j=i (mj −mi ) ⎩ i=1

1

Assume that all the values mi and g x+mi are known. Furthermore, assume for k = d and k = d + 1 that g is known, and for k = d + 1 that g x is known. d

xk

Then calculating g i=1 (x+mi ) for a single value of k takes Θ(dT + d2 Tp ) time, where T is the maximum time needed for a single exponentiation in G, and Tp is the maximum time needed for one operation in Zp . Calculating all of g

1 d (x+mi ) i=1

,g

x d (x+mi ) i=1

,...,g

xd+1 d (x+mi ) i=1

takes Θ(d2 T ) time.

Proof. The proof of this Corollary is straightforward from Proposition 4.1. 4.1

Security of the Basic Signature Scheme

In this section, we analyze the security of the basic Boneh-Boyen signature scheme. We show that existential forgery of the basic scheme under a weak chosen message attack (indeed, under a known message attack) reduces to the q-SDH problem. This result is the converse of [6, Lemma 9], and it also illustrates the main idea behind the corresponding result for the full scheme (Theorem 4.4). Theorem 4.3. If there is an algorithm that (t′ , ǫ′ )-breaks the q-SDH problem, then we can (t, qS , ǫ)-weakly break the Boneh-Boyen basic signature scheme provided that p−1−q ′ t ≥ t′ + Θ(q 2 T ), qS ≥ q, ǫ, and ǫ ≤ p−1

where T is the maximum time needed for one exponentiation in G1 .

8

D. Jao and K. Yoshida

Proof. Let A be an algorithm that (t′ , ǫ′ )-breaks the q-SDH problem. We show that an adversary B can perform existential forgeries of the basic signature scheme under a weak chosen message attack. In fact, it turns out that a list of valid message-signature pairs suffices. Accordingly, the adversary B receives a public key (g1 , g2 , g2x , ζ) and a list of distinct messages m1 , . . . , mqS together 1/(x+m1 )

with their valid signatures (σ1 , . . . , σqS ) = (g1 qS ≥ q.

1/(x+mqS )

, . . . , g1

), where

xk (x+m )···(x+m )

q 1 Let hk ← g1 for each k = 0, . . . , q. The adversary B calculates (h0 , h1 , . . . , hq ) using Corollary 4.2, and runs the algorithm A on the input 1 (x+m )···(x+m )(x+m )

q ∗ 1 ) (h0 , h1 , . . . , hq , g2 , g2x ). With probability ǫ′ , A returns (m∗ , g1 for some m∗ ∈ Zp . We claim that m∗ is not equal to any of the mi except with negligible probability. To show this, observe that g1 is not disclosed to A and that g1 = (x+m1 )···(x+mq )

xk hk for all k = 0, . . . , q. Thus, from the point of view of A, any combination of m1 , . . . , mq is equally likely to give rise to a fixed input (h0 , h1 , . . . , hq ). That is, A has no better than random chance of choosing an m∗ which coincides with one of m1 , . . . , mq . Therefore, m∗ = mi for all i = 1, . . . , q with probability at least p−1−q p−1 . If m∗ = mi for some 1 ≤ i ≤ q, then B aborts. Otherwise, by Proposition 4.1,

1 1 q = (x + m1 ) · · · (x + mq )(x + m∗ ) (x + m∗ ) j=1 (mj − m∗ ) +

q

i=1

1

(x + mi )

1



j =i (mj

− mi )

.

Using this equation, B can calculate σ∗ = g1x+m∗ as follows: 

1 (x+m1 )···(x+mq )(x+m∗ )

σ∗ ← g1

/

q 

i=1

(σi )



1 j=i mj −mi

 qj=1 (mj −m∗ )

1

= g1x+m∗ .

In this way B outputs (m∗ , σ∗ ) which is a forgery for the basic signature scheme. The bounds for ǫ and qS are obvious from the above construction. The run1 (x+m1 )···(x+mq )

ning time is bounded by the calculation of g1 xq (x+m1 )···(x+mq )

x (x+m1 )···(x+mq )

, g1

, ...,

, which takes Θ(q 2 T ) time by Corollary 4.2, and the query of A, g1 which takes time t′ . The above proof requires knowledge of the element g1 . If g1 is not part of the public key, Theorem 4.3 remains valid, provided that q is replaced by q + 1 in the inequalities. In this case B uses q + 1 signature queries, and calculates xk (x+m1 )...(x+mq+1 )

h′k ← g1

for k = 0, . . . , q, in place of h0 , . . . , hq .

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

4.2

9

Security of the Full Signature Scheme

We now show that strong existential forgery of the full Boneh-Boyen signature scheme under chosen message attack reduces to the q-SDH problem. This result is the converse of [6, Theorem 8]. Theorem 4.4. If there is an algorithm that (t′ , ǫ′ )-breaks the q-SDH problem, then we can (t, qS , ǫ)-break the Boneh-Boyen full signature scheme provided that     (p − 2 − q) p − 1 − q 2 + q /2 ′ ′ 2 t ≥ t + Θ(qS T ), qS ≥ q + 1, and ǫ ≤ ǫ, (p − 1)2 where T is the maximum time needed for one exponentiation in G1 . Proof. Let A be an algorithm that (t′ , ǫ′ )-breaks the q-SDH problem. Using A, we show that an adversary B can perform existential forgeries for the full signature scheme under a chosen message attack. First, B receives the public key (g1 , g2 , g2x , g2y , ζ) from the challenger. Next, B randomly selects a message m∗ ∈ Zp , and queries the challenger for qS different signatures of m∗ . Each time the challenger receives m∗ , it sends back a valid 1/(x+m∗ +yri ) , ri ) to B, where ri is chosen at random so signature (σi , ri ) = (g1 that x + m∗ + yri ≡ 0 mod p. In this way, B obtains qS valid (and hopefully distinct) signatures (σ1 , r1 ), . . . , (σqS , rqS ) of the message m∗ . If {r1 , . . . , rqS } does not contain q + 1 distinct elements of Zp , then B aborts. Otherwise, let 1/y ∗ h ← g1 and z ← x+m y . Without loss of generality (reindexing if necessary), assume r1 , r2 , . . . , rq+1 are distinct. Then, for each i = 1, . . . , q + 1, we have 1 x+m∗ +yri

σi = g1

 1  x+m1 ∗ +r 1 i y = h z+ri . = g1y

Hence, for each k = 1, . . . , q, the adversary B can calculate zk

h (z+r1 )···(z+rq+1 ) =

q+1 



σi

(−ri )k j=i (rj −ri )

i=1

using Corollary 4.2, since B knows each σi and each ri . Also note that if we z let g2′ ← g2y , then g2x g2m∗ = g2′ . When B runs the algorithm A on the input 1

zq

z

z

(h (z+r1 )···(z+rq+1 ) , h (z+r1 )···(z+rq+1 ) , . . . , h (z+r1 )···(z+rq+1 ) , g2′ , g2′ ), the algorithm A 1 (z+r1 )···(z+rq+1 )(z+r∗ )

returns (r∗ , h ) for some r∗ ∈ Zp with probability ǫ′ . If r∗ = ri for some 1 ≤ i ≤ q + 1, then B aborts, but this event occurs with only negligible probability, by the same argument as in Theorem 4.3. Otherwise, by Proposition 4.1, 1 = (z + r1 ) · · · (z + rq+1 )(z + r∗ )

q+1

1 1  + q+1  (rj − ri ) i=1 (z + ri ) (z + r∗ ) (rj − r∗ ) j =i j=1

10

D. Jao and K. Yoshida

and thus B can calculate 

σ∗ ← h

1 (z+r1 )···(z+rq+1 )(z+r∗ )

/

q+1  i=1



(σi )

1 j=i rj −ri

 q+1 j=1 (rj −r∗ )

1

1

= h z+r∗ = g1x+m∗ +yr∗

In this way B outputs (m∗ , (σ∗ , r∗ )) which, as indicated below, is with high probability an existential forgery for the full signature scheme. The bound for qS is obvious from the above construction. The running time z

1

is determined by the time needed to calculate h (z+r1 )···(z+rq+1 ) , h (z+r1 )···(z+rq+1 ) , zq (z+r1 )···(z+rq+1 )

, which is Θ(q 2 T ) by Corollary 4.2, and the query of A, which ..., h ′ takes time t . The probability that B succeeds is P1 P2 ǫ′ where P1 is the probability that the sequence of random elements {r1 , . . . , rqS } chosen by the signing oracle comprises at least q + 1 distinct elements, and P2 is the probability that the r∗ returned by A differs from the q + 1 values ri used by B. We know that P2 ≥ p−2−q p−1 using the argument from the proof of Theorem 4.3. Moreover, P1 ≥ 1 − Q where Q is the probability that among the original r1 , . . . , rq+1 there exist 1 ≤ i < j ≤ q + 1 such that ri = rj . We have Q≤

q+1

j=2

so P1 ≥ 1 − Q ≥

5

Pr (∃i < j such that ri = rj ) ≤ p−1−q(q+1)/2 , p−1

q+1

j−1 q(q + 1) = p − 1 2(p − 1) j=2

which yields the bound for ǫ.

Cheon’s Algorithms

In [10], Cheon presents an algorithm which in certain cases computes the secret exponent x from the input of an instance of the q-SDH problem. Specifically, Cheon proves the following: Theorem 5.1. Let G be a cyclic group of prime order p and let g be a generator. Let T denote the maximum time needed for one exponentiation in G. d

1. Let d divide p − 1. Given thegroup elements g, g x , and g x , the value of x √ can be recovered in time O(( p/d + d)T ). x x2 x2d 2. Let d divide p + 1. Given the group  elements g, g , g , . . . , g , the value of x can be recovered in time O(( p/d + d)T ).

Note that, if q ≥ d in the first case or q ≥ 2d in the second, then the algorithm in the theorem can solve the q-SDH problem; in fact, such an algorithm will reveal the secret exponent x. We show in this section that the algorithm can be applied to find the secret exponent in the Boneh-Boyen signature scheme over a bilinear group pair (G1 , G2 ).

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

11

Theorem 5.2. (Basic scheme) Let T and Tp denote the maximum time needed to perform one group exponentiation in G1 and one modular multiplication mod p, respectively. 1. Let d divide p − 1. Given d + 1 valid message-signature key  x in the basic Boneh-Boyen signature scheme can be O(( p/d + d)T + d2 Tp ). 2. Let d divide p + 1. Given 2d + 1 valid message-signature key  x in the basic Boneh-Boyen signature scheme can be O(( p/d + d2 )T ).

pairs, the private computed in time pairs, the private computed in time

If g1 is included in the public key, then d and 2d message-signature pairs are sufficient for the above two parts respectively. Theorem 5.3. (Full scheme) Let T and Tp be as in Theorem 5.2. 1. Let d divide p − 1. Then the private key pair (x, y) of the full Boneh-Boyen signature scheme can be computed  under a chosen message attack, using 2d + 2 signature queries, in time O(( p/d + d)T + d2 Tp ), with probability at 2  . least p−1−d(d+1)/2 p−1 2. Let d divide p + 1. Then the private key pair (x, y) of the full Boneh-Boyen signature scheme can be computed under a chosen message attack, using  4d + 2 signature queries, in time O(( p/d + d2 )T ), with probability at least  2 p−1−d(2d+1) . p−1

Proof. The proofs of these two theorems are similar. We will give the proof for Theorem 5.3. (1) Let d be a positive divisor of p−1. We will construct an algorithm A which recovers the private key of the signature scheme under a chosen message attack, using Cheon’s algorithm. Suppose A is given the public key (g1 , g2 , g2x , g2y , ζ). The algorithm A randomly selects a message ma ∈ Zp , and queries for signatures of this same message d + 1 times. As a result, A obtains d + 1 valid (and hopefully 1 x+ma +yri

distinct) signatures (σ1 , r1 ), . . . , (σd+1 , rd+1 ), where σi = g1 1/y a 1, . . . , d + 1. Let h ← g1 and za ← x+m y . Then, we have σi =

for each i =

 1  x+m1 a +r 1 i y = h za +ri g1y

for each i = 1, . . . , d + 1. If the set {r1 , . . . , rd+1 } does not consist of distinct elements, then A aborts. Otherwise, assume r1 , . . . , rd+1 are distinct. Using Corollary 4.2, the algorithm A calculates 1

za

d za

h (za +r1 )···(za +rd+1 ) , h (za +r1 )···(za +rd+1 ) , and h (za +r1 )···(za +rd+1 ) . Then, it runs Cheon’s algorithm in G1 with these inputs, and obtains za = as output.

x+ma y

12

D. Jao and K. Yoshida

Next, A repeats the above process with a different random message mb , and b obtains zb = x+m y . Since A knows za , zb , ma , and mb , it can solve a linear system of equations to obtain the private exponents x and y. 1

zd

z

Since calculating h (z+r1 )···(z+rd+1 ) , h (z+r1 )···(z+rd+1 ) , and h (z+r1 )···(z+rd+1 ) for z = za and zb takes√time Θ(dT + d2 Tp ) and Cheon’salgorithm has a running time of Θ(( p/d + d)T ), the overall runtime is Θ(( p/d + d)T + d2 Tp ). The attack succeeds if the set {r1 , . . . , rd+1 } for ma consists of distinct elements (and likewise for mb ). Using an argument analogous to the one used in Theorem 4.4, 2  we see that a lower bound for this probability is p−1−d(d+1)/2 . p−1

(2) We now suppose d is a divisor of p + 1. The proof here is similar, except that A needs to calculate z

1

z 2d

h (z+r1 )···(z+r2d+1 ) , h (z+r1 )···(z+r2d+1 ) , . . . , h (z+r1 )···(z+r2d+1 ) . 1

1

from the signatures h z+r1 , . . . , h z+r2d+1 , for eachof z = za and zb . This takes Θ(d2 T ) time, and  Cheon’s algorithm takes Θ(( p/d + d)T ) time, for a total runtime of Θ(( p/d + d2 )T ). The attack succeeds if the set {r1 , . . . , r2d+1 } for each of za and zb consists of distinct elements, and the probability of this is at 2  . least p−1−d(2d+1) p−1

6

Runtime Analysis

In this section we calculate, both theoretically and experimentally, the complexity of recovering a Boneh-Boyen private key using the algorithms of Theorems 5.2 and 5.3, for various values of d. We also determine, both theoretically and experimentally, the optimal values of d for a given p. To simplify the analysis, we only consider divisors d of p − 1. In what follows, we refer to this algorithm as the “SDH algorithm” and consider only the case of the basic scheme, where d+ 1 valid signatures are required (assuming that g1 is not included in the public key). The running time and signature requirements for breaking the full scheme are almost exactly twice as large as for the basic scheme. 6.1

Experimental Analysis

Using a 2.4 GHz Core 2 duo, we implemented the SDH algorithm on a collection of 14 different Barreto-Naehrig curves [3] ranging in size from 32 bits to 60 bits, and compared its running time to that of Pollard’s lambda and Pollard’s rho algorithms for discrete logarithms1 . We chose Barreto-Naehrig curves because they are highly suitable for pairing-based short signature schemes. For Cheon’s 1

All comparisons took place over the base field, i.e., the group G1 in the pairing e : G1 × G2 → GT . Such a comparison is valid even though the public key in the Boneh-Boyen scheme lies in G2 , because given a single valid message-signature pair one can recover the secret key of the basic scheme using a discrete log in G1 .

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

13

algorithm, we chose the Pollard’s lambda variant of Cheon’s algorithm instead of the baby-step-giant-step variant or variants such as Kozaki et al. [16]; the use of the lambda variant saves memory and is also necessary in order to benefit from parallelization. Implementing the SDH algorithm is straightforward. We wrote a small program based on the PBC library [17] to compute the products listed in Corollary 4.2. Our program is multithreaded and makes use of multiple processor cores, with parallelization being achieved by dividing the main product into subproducts and computing each subproduct separately. For Cheon’s algorithm, we used the existing sdhkangaroo program [20], which is also based on PBC. The original sdhkangaroo program maintains a list of distinguished points, defined as those for which the MD5 hash of the point ends in a sufficiently long string of zeros. To improve performance, we modified this program to change the distinguished points to those for which the x-coordinate itself ends in a long string of zeros. For comparison purposes, we also conducted trials of Pollard’s lambda and Pollard’s rho algorithms for discrete logarithms. Our implementation of Pollard’s lambda algorithm was obtained by modifying the sdhkangaroo program, and for Pollard’s rho algorithm we used the optimized implementation included in the MAGMA Computer Algebra System [18], based on Teske’s work [21]. All programs, except for the MAGMA implementation of Pollard’s rho algorithm, supported multithreading and made use of both processor cores. For each curve, we performed a number of trials of the SDH algorithm (at least 50 for each curve), from which we determined empirically the optimal value of the divisor d to use in Cheon’s algorithm. In general, this optimal value does not correspond to an actual divisor of p − 1, but using nearby divisors we were able to estimate the hypothetical performance of the SDH algorithm at the optimal choice of d. (Note that, even when the optimal value of d does not divide p − 1, near-optimal divisors almost always exist, c.f. Section 6.3.) Figure 1 compares the measured performance of Pollard’s lambda and Pollard’s rho algorithms against the empirically determined optimal runtime of the SDH algorithm for each curve. Based on the best fit curves, we estimate that the SDH algorithm with the optimal d outperforms Pollard’s lambda (resp., Pollard’s rho) algorithm for curve sizes greater than 32.5 bits (resp., 50.8 bits). 6.2

Theoretical Analysis

We now calculate the theoretical cost of computing Boneh-Boyen private keys using the SDH algorithm. The most optimized version of Pollard’s lambda algo√ rithm requires ≈ 3.3 p random walk steps [11]; our implementation, however, √ averaged 7.9 p steps. Each step represents an elliptic curve scalar multiplication, and hence requires 1.5 log p elliptic curve operations if naive methods are used. Over a prime field, each elliptic curve operation takes roughly 15 field multiplications [11]. Hence, our running time for Cheon’s algorithm is roughly  √ 7.9( d + p/d)(1.5 log p) · 15Tp where Tp represents the cost of a field multiplid cation. In addition, we also need to compute a triplet of the form g, g x , and g x . This requires three applications of Corollary 4.2, at a cost of ≈ 3d2 Tp ; however,

14

D. Jao and K. Yoshida

time sec 104

time sec 104

1000

1000 Pollard' s Λ

100

100 SDH algorithm

SDH algorithm

10

10

35

40

45

50

55

60

size bits

Pollard' s Ρ

35

40

45

50

55

60

size bits

Fig. 1. Log-log plots comparing the optimal running time of the SDH algorithm to Pollard’s lambda (left) and Pollard’s rho (right) algorithms for discrete log, for BarretoNaehrig curves of various bit sizes

curve size optimal d optimal d (bits) (predicted) (observed) 32.95 1527 1173 34.68 1985 1545 37.20 2900 2351 40.03 4428 3773 42.05 5977 5676 43.98 7956 7599 46.24 11112 10722 47.34 13066 14508 49.81 18781 19873 51.82 25202 26564 54.23 35828 43795 56.04 46668 56469 57.95 61669 71572 59.97 82715 98733

Fig. 2. Table comparing the optimal values of d predicted in Section 6.2 vs. those observed in Section 6.1

since almost all of the multiplications in each computation are identical, the true cost is only ≈ d2 Tp . (Note also that this step parallelizes linearly, since one can compute subproducts of the outer product on different processors.) Thus the total cost t of the SDH algorithm is  √ (1) t = (7.9( d + p/d)(1.5 log p) · 15 + d2 )Tp . 1

2

This cost is minimized by taking d = Θ(p 5 (log p) 5 ), yielding a corresponding 4 2 overall running time of Θ(p 5 (log p) 5 Tp ) for the SDH algorithm. In Figure 2 we compare the optimal values of d predicted by Equation (1) to those observed 2 4 in Section 6.1. We remark that the asymptotic running time of Θ(p 5 (log p) 5 Tp ) for optimal d is independent of the precise assumptions used in deriving Equation (1). 6.3

Existence of Suitable Divisors

Other than increasing the key length, the most obvious defense against the above attack is to use a curve of order p for which p − 1 and p + 1 admit no divisors of suitable size. We can estimate the prevalence of such curves using Equation (1). Examining the graph of this equation reveals that the curve is fairly flat for a wide range of values surrounding the optimal value of d. Hence, most sufficiently large pairing-friendly curves admit a divisor d of p − 1 for which the SDH algorithm runs in nearly optimal time. As an experiment, we enumerated for each of 280 , 290 , . . . , 2160 the 100 smallest Barreto-Naehrig curves having at least that many points. Out of these 900 curves, all curves except one (the curve with 1461501641662054988059088728056207736278975404329 points) admit a divisor for which the runtime predicted by Equation (1) is within a factor of 4 of the optimal time. These results indicate that pairing-friendly curves are unlikely to resist the SDH algorithm unless specifically chosen with this property in mind.

Boneh-Boyen Signatures and the Strong Diffie-Hellman Problem

7

15

Conclusion

In this paper, we show that the existential forgery of signatures for both the basic and full versions of the Boneh-Boyen signature scheme can be reduced to the q-SDH problem via an algorithm which is quadratic in q. This result establishes the equivalence of the q-SDH assumption and the security of BonehBoyen signatures, thus resolving an open problem posed in [7,15]. Together with Cheon’s solution to q-SDH, the reduction algorithm allows us to recover Boneh2 Boyen private keys in time O(p 5 +ε ) for groups of order p whenever p ± 1 satisfies certain divisibility properties. It would be worthwhile to design a new short signature scheme whose security can be proved in the standard model under a weaker assumption than q-SDH. Our proofs of equivalence rely on the fact that the denominator in the exponent 1 of g x+m+yr is linear in both m and r. One natural starting point would be to look for signature schemes with nonlinear denominators. One example of such a signature scheme is given in [22], and another example is the scheme 1

2

σ ← (g1x+mr+yr , r). We emphasize that we have not checked the security proofs for any of these modified schemes, nor have we made any systematic effort to examine the security assumptions underlying them.

References 1. Artin, M.: Algebra. Prentice Hall, United States (1991) 2. Bak, J., Newman, D.J.: Complex Analysis, 2nd edn. Springer, Heidelberg (1996) 3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 4. Boneh, D., Boyen, X.: Efficient selective-ID identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 5. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 6. Boneh, D., Boyen, X.: Short signatures without random oracles and the SDH assumption in bilinear groups. Journal of Cryptology 21(2), 149–177 (2008) 7. Boyen, X.: The uber-assumption family – a unified complexity framework for bilinear groups. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008), http://www.cs.stanford.edu/˜xb/pairing08/ 8. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007) 9. Brown, J.W., Churchill, R.V.: Complex Variables and Applications, 7th edn. McGraw-Hill, New York (2004) 10. Cheon, J.H.: Security analysis of the Strong Diffie-Hellman problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006)

16

D. Jao and K. Yoshida

11. Cohen, H., Frey, G., Avanzi, R., Doche, C., Lange, T., Nguyen, K., Vercauteren, F. (eds.): Handbook of elliptic and hyperelliptic curve cryptography. Discrete Mathematics and its Applications. Chapman & Hall/CRC, Boca Raton (2006) 12. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005) 13. Galbraith, S.D., Paterson, K.G., Smart, N.P.: Pairings for cryptographers. Discrete Applied Mathematics 156(16), 3113–3121 (2008) 14. Koblitz, N., Menezes, A.: Another look at generic groups. Advances in Mathematics of Communications 1(1), 13–28 (2007) 15. Koblitz, N., Menezes, A.: Another look at non-standard discrete log and DiffieHellman problems. Journal of Mathematical Cryptology 2(4), 311–326 (2008) 16. Kozaki, S., Kutsuma, T., Matsuo, K.: Remarks on Cheon’s algorithms for pairingrelated problems. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 302–316. Springer, Heidelberg (2007) 17. Lynn, B.: The Pairing-Based Cryptography Library, version 0.4.18 (2008), http://crypto.stanford.edu/pbc/ 18. MAGMA Computational Algebra System, http://magma.maths.usyd.edu.au/magma/ 19. Mitsunari, S., Sakai, R., Kasahara, M.: A new traitor tracing. IEICE Trans. Fundamentals E85-A(2), 481–484 (2002) 20. Reardon, J.: Sdhkangaroo: A kangaroo attack against the strong Diffie Hellman problem (2007), http://www.cs.uwaterloo.ca/˜jreardon/programs.html 21. Teske, E.: On random walks for Pollard’s rho method. Math. Comp. 70(234), 809– 825 (2001) 22. Wei, V.K., Yuen, T.H.: More short signatures without random oracles. Cryptology ePrint Archive, Report 2005/463 (2005), http://eprint.iacr.org/2005/463

Security of Verifiably Encrypted Signatures and a Construction without Random Oracles Markus R¨ uckert⋆ and Dominique Schr¨ oder⋆⋆ TU Darmstadt, Germany [email protected], [email protected]

Abstract. In a verifiably encrypted signature scheme, signers encrypt their signature under the public key of a trusted third party and prove that they did so correctly. The security properties, due to Boneh et al. (Eurocrypt 2003), are unforgeability and opacity. This paper proposes two novel fundamental requirements for verifiably encrypted signatures, called extractability and abuse-freeness, and analyzes its effects on the established security model. Extractability ensures that the trusted third party is always able to extract a valid signature from a valid verifiably encrypted signature and abuse-freeness guarantees that a malicious signer, who cooperates with the trusted party, is not able to forge a verifiably encrypted signature. We further show that both properties are not covered by the model of Boneh et al. The second main contribution of this paper is a verifiably encrypted signature scheme, provably secure without random oracles, that is more efficient and greatly improves the public key size of the only other construction in the standard model by Lu et al. (Eurocrypt 2006). Moreover, we present strengthened definitions for unforgeability and opacity in the spirit of strong unforgeability of digital signature schemes.

1

Introduction

The concept of verifiably encrypted signature (VES) schemes was proposed by Boneh, Gentry, Lynn, and Shacham [5]. There, a signer encrypts its signature under the public key a trusted third party, called the adjudicator, and then attaches a proof about its content. The purpose of this proof is that verification will then confirm that the signer has truly signed a certain object. The necessity for such verification can be exemplified by a popular application, namely online contract signing, which is a type of optimistic fair exchange protocol [1,4,8]. Suppose Alice and Bob wish to sign the same contract. Both want to be sure that the other party will also produce a signature before revealing their own. Following the protocol, Alice and Bob exchange verifiably encrypted signatures. After they ascertained the correctness of the encrypted signature, they reveal the corresponding ordinary signature. If, for example, Alice is not willing to disclose ⋆ ⋆⋆

This work was supported by CASED (www.cased.de). Dominique Schr¨ oder was supported by the Emmy Noether Program Fi 940/2-1 of the German Research Foundation (DFG).

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 17–34, 2009. c Springer-Verlag Berlin Heidelberg 2009 

18

M. R¨ uckert and D. Schr¨ oder

her signature, then Bob can take her verifiably encrypted signature together with the transcript to the adjudicator, who uncovers Alice’s ordinary signature. This fail-safe mechanism prevents Alice from misusing this one-sided commitment to a contract for purposes such as: legal actions, blackmail, or simply negotiating a better deal elsewhere. The security of verifiably encrypted signatures is defined via unforgeability and opacity [5]. Roughly speaking, unforgeability ensures that a malicious user cannot produce signatures on behalf of another party. Opacity guarantees that only the adjudicator and the signer can disclose an ordinary signature from a verifiably encrypted signature. Boneh et al. illustrated their concept with a first construction (BGLS), provably secure in the random oracle model [5]. Later, Zhang et al. presented a more efficient solution (ZSNS) [16], also in the random oracle model. As the uninstantiability result of Canetti, Goldreich, and Halevi [7] disputes the soundness of the random oracle methodology, it has inspired many researchers to find secure and efficient schemes outside the random oracle model. To the best of our knowledge, Lu et al. [13] presented the first verifiably encrypted signature scheme (LOSSW), which is secure in the standard model, at Eurocrypt 2006. Their scheme is based on the Waters signature scheme [15] and its major drawback is that they need a large public key (approximately 160 group elements). Our Contribution. Surprisingly, the original security model for verifiably encrypted signature schemes does not guarantee that the adjudicator is always able to extract a valid signature from a valid verifiably encrypted signature. Considering again a protocol based on VES for optimistic fair exchange. We show that every VES can easily be turned into a scheme which remains secure, but where a malicious signer can output a verifiably encrypted signature such that the ordinary signature is hidden irrecoverably. This implies that a VES that does not support extractability is not suitable for such protocols. Thus, as our first result, we extend the model of [5] to ensure extractability. Subsequently, we study the effect of extractability on Boneh et al.’s security model. Though no explicit proof of extractability exists for previous constructions, they already support the property due to a close similarity of the signature verification algorithm and the verification algorithm for encrypted signatures. Extractability of the BGLS and of the LOSSW scheme can be proven analogously to the proof of Theorem 6. Furthermore, we propose a definition of abuse-freeness in the VES context. Basically, an abuse-free VES guarantees that an adversary who colludes with the adjudicator is not able to derive a verifiably encrypted signature on behalf of another signer. We show that for a “natural” class of VES schemes, abusefreeness is already implied. Since the instantiation of [5] and [13] fall into this class, our results give more confidence about the security of their schemes. As a round-up of the model discussion, we introduce strengthened definitions for unforgeability and opacity, namely strong unforgeability and strong opacity, which is closely related to the need for strong unforgeability in digital signature schemes. It prevents eavesdroppers from replaying the fair exchange protocol with re-randomized verifiably encrypted signatures.

Security of Verifiably Encrypted Signatures

19

Note that neither BGLS nor LOSSW satisfy these stronger notions, as one can re-randomize the encrypted signature. We show how a slight modification of our construction in Section 6 yields a scheme that is provably secure in the stronger model. As our second result, we present a new verifiably encrypted signature scheme based on the Boneh-Boyen signature [3]. This scheme greatly improves the key size and efficiency of LOSSW, while achieving the same signature size. Table 1 compares our work with previous schemes. Note that the construction in Section 6 involves a public key size of four group elements (in comparison to the LOSSW instantiation, our scheme reduces the key size by a factor of 40), and only needs two pairing computations for the verification (rather than three in LOSSW). Another extension to the security model is to give the adversary access to the adjudication oracle for different users as proposed by Hess [12]. Here, however, we follow the model of Boneh et al. concerning only the two user setting. Organization. We start out by introducing our notation and some basic definitions in Section 2. In Section 3, we recall the model for verifiably encrypted signatures, along with the corresponding security definitions. Subsequently, in Section 4 and Section 5, we introduce extractability and abuse-freeness thereby extending the model due to Boneh et al., and we argue why these notions are necessary. The stronger security model, with strong unforgeability and strong opacity is described in Appendix C. Our verifiably encrypted signature scheme is presented in Section 6, along with the security proofs. We show in the full version of this paper that a modified version of the construction satisfies the stronger model [14]. Table 1. Comparison between the different verifiably encrypted signature schemes. The column “ROM” states whether security is proven in the random oracle model. The column “Strongly Secure” determines whether the scheme is secure in our stronger model. Let ham(m ) be the hamming weight of a bit string m , I an inversion, M a multiplication, and E an exponentiation. Let P be the cost for a pairing evaluation. Since pairings dominate the computational costs, other operations were omitted in the “Verification” column. We instantiate the schemes using Barreto-Naehrig curves [6] with a 160-bit point representation. (∗) This value is taken from [13]. They need approximately 160 group elements.

Scheme

ROM

Strongly secure

Key size (sk/ pk)

Signature size

VES creation

Vf

BGLS

Yes

No

160 / 160 bits

320 bits

2 E +1 M

3P

LOSSW

No

No

160 bits / 10 KB (∗)

480 bits

Section 6

No

No

320 / 640 bits

480 bits

1 I+3 E+1 M

2P

Full version [14]

No

Yes

640 / 960 bits

800 bits

2 I+4 E+1 M

3P

4E + 3P (ham(m ) + 3) M

20

2

M. R¨ uckert and D. Schr¨ oder

Notation and Basic Definitions

Bilinear Maps. Let (G1 , ∗), (G2 , ∗), and (GT , ∗) denote three groups of prime order p with the following properties: all group actions can be computed efficiently; g1 is a generator of G1 and g2 is a generator of G2 ; ψ is a group homomorphism from G2 to G1 , with ψ(g2 ) = g1 ; e : G1 × G2 → GT is an efficiently computable and non-degenerate, i.e. ∀u ∈ G1 ∀v ∈ G2 ∀a, b ∈ Z: map. e is bilinear  ab e ua , v b = e (u, v) and z = e (g1 , g2 ) = 1 generates GT . We assume that G1 , G2 , GT , p, g1 , g2 , e, and z are fixed and public parameters. By a1  . . . aℓ we denote the encoding of a1 , . . . , aℓ such that a1 , . . . , aℓ $

are uniquely recoverable. With x ← X we denote choosing x uniformly at ranq dom from the finite set X. {xi }1 is the set of x1 , . . . , xq . Furthermore, n always denotes the security parameter. Secure Signature Schemes. Security of signature schemes DSig = (Kg, Sign, Vf) is proven against existential forgery under chosen message attacks (EU-CMA) [10]. In this model, an adversary adaptively invokes a signing oracle and is successful if it outputs a signature on a new message. A stronger notion is strong unforgeability under chosen message attacks (SU-CMA), where it is sufficient for an adversary to output a new message-signature pair. Boneh-Boyen Signature Scheme. We recall the strongly unforgeable Boneh$ Boyen (BB) signature scheme. Key Generation: Kg(1n ) selects x, y ← Z∗p , comy x putes u ← g2 and v ← g2 . The public key is spk ← (u, v) and the private key is ssk ← (x, y); Signing: Sign(ssk, m) takes as input the secret key (x, y) as well as $

1/(x+m+y r)

, a message m ∈ Zp . It picks r ← Zp \{− x+m y } and computes σ ← g1 where 1/(x + m + y r) is computed modulo p. The output is (r, σ); Signature Verification: Vf(spk, (r, σ), m) returns 1 iff e (σ, u g2m v r ) = z, otherwise returns 0.

3

Verifiably Encrypted Signatures

According to [5] verifiably encrypted signature schemes are defined as VES = (Kg, AdjKg, Sign, Vf, Create, VesVf, Adj) with the following specification and security model: Key Generation: Kg(1n ) outputs a private signing key sk and a public verification key pk; Signing Sign(sk, m) outputs a signature σ under sk on a message m chosen from the message space M; Verification: Vf(pk, σ, m) outputs 1 iff σ is a valid signature on m under pk; Adjudicator Key Generation: AdjKg(1n ) outputs a key pair (ask, apk), where ask is the private key and apk the corresponding public key of the adjudicator; VES Creation: Create(sk, apk, m) receives a secret key sk, the adjudicator’s public key apk, and a message m ∈ M. It returns a verifiably encrypted signature ω on m; VES Verification: VesVf(apk, pk, ω, m) gets the adjudicator’s public key apk, a public key pk, a verifiably encrypted signature ω, and a message m. It returns a bit, indicating the validity of ω; Adjudication: Adj(ask, apk, pk, ω, m) accepts as input the key pair (ask, apk) of the adjudicator,

Security of Verifiably Encrypted Signatures

21

the public key pk of a signer, a verifiably encrypted signature ω, and a message m. If ω is valid, it extracts an ordinary signature1 σ on m and returns σ. A scheme VES is complete 2 if for all adjudication key pairs (ask, apk) ← AdjKg(1n ) and for all signature key pairs (sk, pk) ← Kg(1n ) the following holds: VesVf(apk, pk, Create(sk, apk, m), m) = 1 and Vf(pk, Adj(ask, apk, pk, Create(sk, apk, m)), m) = 1 for all m ∈ M. Security Model. The security of verifiably encrypted signatures is defined by unforgeability and opacity [5]. Unforgeability requires that it is hard to forge a verifiably encrypted signature and opacity implies that it is hard to extract ordinary signatures. Both intuitions are formalized in experiments, where the adversary A is given the public keys of the signer and the adjudicator. Moreover, A has access to two oracles: a verifiably-encrypted-signature creation oracle C that, upon input of a message m, returns a corresponding verifiably encrypted signature ω; and an adjudication oracle A that extracts and returns a signature σ when queried with a message/verifiably encrypted signature pair (m, ω). Definition 1. A scheme VES is secure if the following holds: Unforgeability: For any efficient algorithm A, the probability that the following experiment evaluates to 1 is negligible (as a function of n). Experiment VesForgeVES A (n) (ask, apk) ← AdjKg(1n ) (sk, pk) ← Kg(1n ) (m∗ , ω ∗ ) ← AC(sk,apk,·),A(ask,apk,pk,·,·) (pk, apk) Return 1 iff VesVf(apk, pk, ω ∗ , m∗ ) = 1 and A has never queried C(sk, apk, ·) or A(ask, apk, pk, ·, ·) about m∗ . Opacity: For any efficient algorithm A, the probability that the following experiment evaluates to 1 is negligible (as a function of n). Experiment OpacVES A (n) (ask, apk) ← AdjKg(1n ) (sk, pk) ← Kg(1n ) (m∗ , σ ∗ ) ← AC(sk,apk,·),A(ask,apk,pk,·,·) (pk, apk) Return 1 iff Vf(pk, σ ∗ , m∗ ) = 1 and A has never queried A(ask, apk, pk, ·, ·) about m∗ . A scheme is called (t, qC , qA , ǫ)-unforgeable (-opaque), if no adversary, running in time at most t, making at most qC verifiably-encrypted-signature oracle queries C, and at most qA queries to the adjudication oracle A, can succeed with probability at least ǫ in the VesForge (respectively Opac) experiment. 1 2

Not necessarily the same signature, cf. [13]. Note that in [5] this condition is called validity.

22

M. R¨ uckert and D. Schr¨ oder

Simplification. As a first modification of this security model, we state and prove that it is possible to remove a redundant restriction from the definition of unforgeability. One might think that an adversary can succeed by modifying some “ciphertext” ω such that the adjudicator extracts a fresh signature that can be encrypted once again to obtain a fresh ω ∗ . We prove that the constraint that the adversary is not allowed to output a forgery for a message m∗ already queried to A, without having queried m∗ to C before, is unnecessary. In other words, A does not help to forge verifiably encrypted signatures. Let VesForge′ be the unforgeability experiment, in which an adversary is allowed to query everything to A, even its final output m∗ . The idea is that a forger which is able to invoke the oracle A with a fresh tuple (m, ω), i.e. without having queried m to C beforehand, can already be used to break unforgeability. Theorem 1. VES is unforgeable w.r.t. to VesForge′ if and only if it is unforgeable w.r.t. to VesForge. Proof. The first step is to prove that an adversary which breaks unforgeability in VesForge can be used to break unforgeability in VesForge′ . Since this direction follows easily, we omit it. In the second part of the proof, consider an adversary A that succeeds in the unforgeability experiment VesForge′ with noticeable probability ǫ(n). We then construct an algorithm B against unforgeability in VesForge, which runs A as a black-box. Algorithm B answers all oracle queries with its own oracles, i.e, it relays the entire communication between A and the oracles. Whenever A invokes the adjudication oracle A on a “fresh” and valid pair (m∗ , ω ∗ ) (i.e., the adversary has not queried m∗ to C before), then B stops, outputting this pair as its forgery. Otherwise, if A never performs such queries, B forwards the final output of A. For the analysis, observe that A may query the adjudication oracle on a “fresh” and valid pair (m∗ , ω ∗ ). On the one hand, the adversary A would still succeed in experiment VesForge′ , outputting a verifiably encrypted signature ω ∗ on m∗ , but on the other hand, A cannot succeed in VesForge as VesForge does not allow A to query the adjudication oracle about the final output of A. But if A is in position to perform a query consisting of a “fresh” and valid pair (m∗ , ω ∗ ), then B directly outputs this tuple as its successful forgery. This tuple is a valid forgery, because B never actually queried A about (m∗ , ω ∗ ). Additionally, note that B is efficient as A runs in polynomial time and B can handle all queries efficiently. ⊓ ⊔ The following two sections justify the need for two additional security requirements, namely extractability and abuse-freeness.

4

The Need for Extractability

In the following, we formalize what should be a fundamental requirement for verifiably encrypted signatures, namely extractability. This property entails that if a verifiably encrypted signature ω is valid, then the adjudicator is able to extract a valid signature σ with overwhelming probability.

Security of Verifiably Encrypted Signatures

23

Definition 2 (Extractability). A verifiably encrypted signature scheme VES is extractable if for any efficient algorithm A, the probability that the following experiment evaluates to 1 is negligible (as a function of n). Experiment ExtractVES A (n) (ask, apk) ← AdjKg(1n ) (m∗ , ω ∗ , pk∗ ) ← AA(ask,apk,·,·,·) (apk) Let σ ∗ ← Adj(ask, apk, pk∗ , ω ∗ , m∗ ) Return 1 iff VesVf(apk, pk∗ , ω ∗ , m∗ ) = 1 and Vf(pk∗ , σ ∗ , m∗ ) = 0. Observe that, in this case, the adjudication oracle A takes as input the adjudicator key pair (ask, apk), to which A attaches tuples (pk∗ , ω ∗ , m∗ ) which consist of: a public key pk∗ , a verifiably encrypted signature ω ∗ , and a message m∗ . Thus, extractability as defined above must hold for all pairs (m∗ , ω ∗ ), even for those not properly generated (i.e. ω ∗ was not created for m∗ ) and even in case pk∗ is not chosen honestly. Note that pk∗ serves as A’s public key and that A may not have a corresponding secret key sk∗ . If we do not allow the adversary to choose its public key dishonestly, we may still consider a model similar to the one above and we call the corresponding property weak-extractability. Note that a scheme that satisfies weakextractability can always be turned into an extractable scheme by having the signer prove the correct form of its public key to the (universally trusted) adjudicator. This could be done, for example, by letting the signer hand its private key over to the trusted third party, using rewinding techniques, or using NIZKs such as in [11]. The adjudicator may then sign the public key or otherwise vouch for its validity. We motivate the need for extractability, showing that every verifiably encrypted signature scheme, that is secure in the model of [5], can easily be turned into one which is not extractable. Theorem 2. If there exists a secure scheme VES in the sense of [5], then there exists a scheme VES′ which is secure but not extractable. The basic idea is that the verifiably encrypted signature may consist of two independent parts. The first part is used in the VesVf verification process and the second part is an encryption of the signature. As the parts are independent, a malicious signer can easily set the second part to an empty string, while computing the first part honestly. Proof. We assume that the bit length of a verifiably encrypted signature is out(n). VES′ is defined as follows: Key Generation, Signing, Verification: Same as in VES; VES Creation: Given a message m ∈ M, a signing key sk, and the public key of the adjudicator apk, Create′ computes ω ′ ← Create(sk, apk, m) and outputs (ω1 ω2 ) ← (ω ′ ω ′ ) ∈ {0, 1}2 out(n) ; VES Verification: Given a verifiably encrypted signature ω1 ω2 on m, algorithm VesVf ′ outputs 1 iff VesVf(apk, pk, ω1 , m) evaluates to 1 and 0 otherwise; Adjudication: Adj′ (ask, apk, pk, ω1 ω2 , m) outputs σ ← Adj(ask, apk, pk, ω2 , m). Obviously, if VES is complete, unforgeable, and opaque, so is VES′ . However, now the following adversary A contradicts extractability, and even weakextractability.

24

M. R¨ uckert and D. Schr¨ oder

Setup: A receives the adjudicator’s public key apk and honestly generates (sk, pk) ← Kg(1n ). VES Creation: When A signs a message m, it calls (ω1 ω2 ) ← Create′ (sk, apk, m) and outputs (m∗ , ω ∗ , pk∗ ) ← (m, ω1 0out(n) , pk). Since ω1 remains unchanged in Create′ , VesVf ′ always returns 1. The algorithm Adj′ , however, cannot extract a valid (ordinary) signature out of the second part because it is 0out(n) . Thus, A breaks extractability with probability 1. Observe that the adjudicator Adj′ does not fail because 0out(n) is “some” special string, but simply because 0out(n) = ω1 . ⊓ ⊔ Relation to the Security Model. In the following, we show a helpful implication that facilitates security proofs in our extended model that entails unforgeability, opaqueness, and extractability. We mainly rely on the verifiably encrypted signature schemes having a common property, which we call key-independence. This property states that computing the encrypted signature can be performed, independently, by the following algorithms: one that computes the signature σ as in DSig, and a second algorithm that computes ω, the verifiable encryption of σ. In other words, one can use an oracle Sign(ssk, ·) and transform its output into a verifiably encrypted signature independently of ssk. Definition 3 (Key-Independence). Let a signer’s private key sk consist of two independent elements sk = (kisk, ssk) and let pk = (kipk, spk) be the corresponding public key pair. VES is key-independent if there exists an efficient (encryption) algorithm KI-Enc such that KI-Enc(apk, kipk, kisk, Sign(ssk, m), m) ≡ Create(sk, apk, m) for all m ∈ M. Note that the keys kisk and kipk are possibly the empty string, as in the case of the (key-independent) schemes of Boneh et al. [5] and of Lu et al. [13]. There, the algorithm KI-Enc is the encryption algorithm of the El Gamal public key encryption scheme. Theorem 3. Let VES be an extractable and key-independent verifiably encrypted signature scheme. VES is unforgeable if and only if the underlying signature scheme DSig is unforgeable. Proof. We have to show two directions. We begin with the (interesting) direction, showing that the existence of an algorithm A1 that successfully forges a verifiably encrypted signature implies the existence of an adversary B that successfully breaks DSig. B gets as input the public key spk of the underlying signature scheme DSig and has access to a signing oracle Sign(ssk, ·), that upon input a message m returns the corresponding signature. Subsequently, B picks a key pair for the simulation of the adjudicator (ask, apk) ← AdjKg(1n ) and a VES key pair (sk, pk) ← Kg(1n ). It then replaces the signature verification key in pk with spk, i.e., pk = (kipk, spk), and runs A1 in a black-box simulation on input (apk, pk). During the simulation, A1 may invoke its creation oracle C on a message m. Algorithm B answers this query as follows. It first generates the signature σ ← Sign(ssk, m) with the help of its external signing oracle and

Security of Verifiably Encrypted Signatures

25

outputs ω ← KI-Enc(apk, kipk, kisk, σ, m). Whenever A1 invokes its adjudication oracle A on a valid tuple (m, ω), B returns σ ← Adj(ask, apk, pk, ω, m). Eventually, A1 stops, outputting a tuple (m∗ , ω ∗ ); then B computes σ ∗ ← Adj(ask, apk, pk, ω ∗ , m∗ ) and outputs (m∗ , σ ∗ ) as its forged signature. For the analysis, it is assumed that A1 succeeds with non-negligible probability ǫ(n). Observe that B performs a perfect simulation from A1 ’s point of view because VES is key-independent, i.e., B can choose the keys for KI-Enc independently of ssk. Note that A1 succeeds if it outputs a “fresh” tuple (m∗ , ω ∗ ). Here, the freshness condition means that A1 has neither queried its creation oracle nor the adjudication oracle about m∗ . But if A1 has never sent m∗ to one of the oracles, then B has never queried its signing oracle about m∗ . Since the scheme VES is extractable, B always outputs a valid message-signature pair (m∗ , σ ∗ ) whenever A1 provides a valid verifiably encrypted signature. This, however, contradicts the assumption that DSig is unforgeable. The other direction shows how to break unforgeability of the verifiably encrypted signature scheme with the help of an adversary A2 that forges the underlying signature scheme. The idea of the proof is to output the key-independent ⊓ ⊔ encryption (using KI-Enc) of the forgery obtained from A2 .

5

The Need for Abuse-Freeness

Garay, Jakobsson, and MacKenzie already consider abuse-freeness for optimistic fair exchange [9]. Their definition demands that no single signer should be able to prove to any third party that he can determine the outcome of the protocol. Since VES schemes are typically non-interactive, and since the verification equation ensures that the contained signature is valid, this definition seems inapplicable to the VES scenario. Intuitively, abuse-freeness means that an adversary who may covertly cooperate with the adjudicator is unable to compute a verifiably encrypted signature on behalf of another party. We model this in an experiment where the malicious signer A receives the private key of an adjudicator and the public key of the honest signer which we model as oracle C. The adversary A succeeds if it outputs a “fresh” tuple (m∗ , ω ∗ ), i.e., a message m∗ and an encrypted signature ω ∗ s.t. A has never queried m∗ to C. Observe that giving A access to an adjudication oracle would be redundant, since A can be simulated with ask. Definition 4 (Abuse-freeness). VES is abuse-free if for any efficient algorithm A the probability that experiment Abuse evaluates to 1 is negligible (as a function of n), where Experiment AbuseVES A (n) (apk, ask) ← AdjKg(1n ) (sk, pk) ← Kg(1n ) (m∗ , ω ∗ ) ← AC(sk,apk,·) (apk, ask, pk) Return 1 iff VesVf(apk, pk, ω ∗ , m∗ ) = 1 and A has never queried C(sk, apk, ·) about m∗ .

26

M. R¨ uckert and D. Schr¨ oder

This definition can be strengthened even further as A could be allowed to choose the public key apk. We call schemes satisfying the stronger notion strongly abusefree (see [14]). Relation to the Security Model. We discuss the relation between abuse-freeness and the other security requirements. The interesting point is that for key-independent, extractable schemes, abuse-freeness is already guaranteed. In addition, we can separate abuse-free VES schemes from those satisfying the model of Boneh et al. For the separation, we need to recall the definition of public-key encryption schemes. A public-key encryption scheme E is a tuple of efficient algorithms (Pk-Kg, Enc, Dec), where (pkE , skE ) ← Pk-Kg(1n ) is a key-generation algorithm that outputs a public-encryption key pkE and a private-decryption key skE . The encryption algorithm C ← Enc(pk, m) takes as input a message m from some underlying plaintext space M and outputs a ciphertext C. The decryption algorithm m ← Dec(skE , C). upon input the private key skE and a ciphertext C, returns the plaintext m. It is assumed that Prob[ Dec(skE , Enc(pk, m)) = m] = 1 (except for a negligible amount). Definition 5 (CPA Indistinguishability). A public key encryption scheme E = (Pk-Kg, Enc, Dec) is indistinguishable under chosen plaintext attacks (INDCPA) if for any efficient algorithm A the probability that the experiment INDCPAEA evaluates to 1 is negligibly close to 1/2, where Experiment INDCPAEA (n) (pkE , skE ) ← Pk-Kg(1n ) b ← {0, 1} b∗ ← AEnc(pkE ,b,·,·) (pkE ) // Enc takes m0 , m1 ∈ M, s.t. |m0 | = |m1 | as input. Return 1 iff b∗ = b. Theorem 4. If an IND-CPA secure public-key encryption scheme E, and a secure verifiably encrypted signature scheme VES exist, then there is a secure scheme VES′ , which is not abuse-free. Proof. We build the scheme VES′ out of VES, such that VES′ is unforgeable and opaque, but such that a malicious adjudicator is able to reveal the private signing key. VES′ is defined as: Key Generation: Kg′ ≡ Kg. AdjKg′ calls (ask, apk) ← AdjKg(1n ) and (skE , pkE ) ← Pk-Kg(1n ). It outputs (ask′ , apk′ ) ← ((ask, skE ), (apk, pkE )). VES Creation: Create′ (sk, apk′ , m) executes ω ′ ← Create(sk, apk, m) and a ← Enc(pkE , sk). It returns ω ′ ← (ω, a). VES Verification: VesVf ′ (apk′ , pk, ω ′ , m) outputs VesVf(apk, pk, ω, m). Adjudication: Adj′ (ask′ , apk′ , pk, ω ′ , m) outputs the result of Adj(ask, pk, ω, m). Completeness, unforgeability, and opacity of VES′ directly carry over from VES. Observe that the encryption scheme E is a IND-CPA secure public-key encryption scheme, thus it does not reveal a single bit of the signing key. With the help of a malicious adjudicator, however, this is indeed possible.

Security of Verifiably Encrypted Signatures

27

Concerning abuse-freeness, the adversary A gets an adjudication key pair (ask, apk) together with a public key pk. It selects two messages m1 and m2 , and invokes the creation oracle C on m1 , obtaining (ω ′ , a). Subsequently, A extracts the private key sk ← Dec(skE , a) and uses the private key sk to forge ω ∗ ← Create(sk, apk, m2 ). A straightforward analysis shows that A is efficient and always succeeds. ⊓ ⊔ In the following, we show that any key-independent, extractable verifiably encrypted signature scheme is also abuse-free. Again, this result helps reduce the effort of proving security. Theorem 5. A key-independent, extractable, and secure scheme VES is abusefree if the underlying signature scheme DSig is unforgeable. Proof. Suppose that there exists an adversary A that successfully breaks abusefreeness with noticeable probability. We then show that A can be used to forge ordinary signatures in DSig. The reduction B against the unforgeability of DSig receives a public key spk. It generates (ask, apk) ← AdjKg(1n ), (sk, pk) ← Kg(1n ), replaces the public signature verification key for DSig in pk with spk (the resulting key is pk′ ), and runs A(apk, ask, pk′ ) as a black-box. Whenever A queries m to C, B calls its signing oracle σ ← Sign(sk, m) and computes ω ← KI-Enc(apk, kipk, kisk, σ, m). Finally, A stops and outputs (m∗ , ω ∗ ). B extracts the corresponding signature σ ∗ ← Adj(ask, apk, pk′ , ω ∗ , m∗ ) and returns (m∗ , σ ∗ ). Assuming that A succeeds with noticeable probability ǫ(n), then A has not queried m∗ to C; as a consequence, B’s attack is legitimate and it simulates A’s environment perfectly, because VES is key-independent. Furthermore, B is efficient, and as VES is extractable, B succeeds with the same probability ǫ(n) (except for a negligible part). This, however, is a contradiction. ⊓ ⊔

6

An Efficient Instantiation

In this section, we present an efficient verifiably encrypted signature scheme that is based on the Boneh-Boyen (BB) signature scheme. It is secure, extractable, and abuse-free in the standard model. For a simpler notation, we omit the generation of publicly known system parameters, and recall that z = e (g1 , g2 ). Construction 1. Our instantiation works as follows. Adjudicator Key Generation: AdjKg(1n ) returns apk ← ua = g2β , and ask ← $

β, for β ← Z∗p . Key Generation: Kg(1n ) calls ((x, y), (u, v)) ← BB.Kg(1n ), computes ρ1 ← (apk)x , ρ2 ← (apk)y , and returns the key pair ((x, y), (u, v, ρ1 , ρ2 )), where sk = (x, y), pk = (u, v, ρ1 , ρ2 ). Signing, Verification: Defined as in the BB digital signature scheme. VES Creation: Create(sk, apk, m) parses sk = (x, y) and apk = ua . It computes $

(r, σ) using BB.Sign((x, y), m), selects s ← Zp and sets μ ← ψ(g2 )s , σ ′ ← ψ(ua )s . Then, it encrypts σ as ̟ = σ σ ′ and returns (r, ̟, μ).

28

M. R¨ uckert and D. Schr¨ oder

VES Verification: VesVf(apk, pk, ω, m) parses apk = ua , pk = (u, v, ρ1 , ρ2 ), −1 ω = (r, ̟, μ). It returns 1 iff e (̟, u g2m v r )·e (μ, ρ1 ρr2 um = z, e (g1 , ρ1 ) = a ) e (ψ(ua ), u), and e (g1 , ρ2 ) = e (ψ(ua ), v). Adjudication: Adj(ask, apk, pk, ω, m) parses ask = β, apk = ua , pk = (u, v, ρ1 , ρ2 ), and ω = (r, ̟, μ). If VesVf(apk, pk, ω, m)=1, then output σ ← ̟/μβ . Note that Construction 1 is key-independent, because we use the El Gamal encryption. Furthermore, it is complete (see Appendix B). A Word on Efficiency. Note that we create ρ1 and ρ2 in Kg, which is originally not permitted by the model because Kg does not have access to apk. It is, however, reasonable to assume the existence of a unique adjudicator, whose parameter are known and set before the initialization of the key generation. Otherwise, one could compute ρ1 and ρ2 in Create, which would be less efficient due to larger computational costs and an increased output size. Similarly, we eliminate the need to check the soundness of ρ1 and ρ2 in VesVf by assuming that all user keys are registered and that the universally trusted registration authority already verified them. 6.1

Proof of Security

For the following security proofs, let TAdjKg , TKg be cost functions for adjudication and signature key generation, and let TCreate , TAdj be the cost functions for creation and adjudication of verifiably encrypted signatures. The next theorem proves extractability, which implies unforgeability by Theorem 3. Theorem 6. Construction 1 is extractable. Proof. We show that if a verifiably encrypted signature ω verifies, then it is always possible to extract a valid BB signature. From VesVf, we have V1 V2

−1 = z; e (̟, u g2m v r ) · e (μ, ρ1 ρr2 um a ) e (g1 , ρ1 ) = e (ψ(ua ), u) and e (g1 , ρ2 ) = e (ψ(ua ), v) .

After applying the adjudication algorithm on ω, Vf evaluates:   −β e ̟/μβ , u g2m v r = e (̟, u g2m v r ) · e (μ, u g2m v r ) V1

−β

m r = e (μ, ρ1 ρr2 um a ) · z · e (μ, u g2 v )   V2 −β = e μ, uβ v rβ g2βm · z · e (μ, u g2m v r ) = z .

⊓ ⊔

Corollary 1. If the BB signature scheme is (t+TAdjKg (n)+TKg (n)+qC TCreate (n)+ (qA +1)TAdj (n), qC , ǫ)-unforgeable, then Construction 1 is (t, qS , qA , ǫ)-unforgeable. Proof. The proof follows immediately from Theorem 3 in conjunction with Theorem 6. ⊓ ⊔

Security of Verifiably Encrypted Signatures

29

The opacity of our verifiably encrypted signature scheme depends on the as1/(x+ci ) sumption that, given q tuples (ci , g1 ), i = 2, . . . , q + 1, it is difficult to 1/(x+c1 ) β s+1/(x+c1 ) extract the value g1 from an El Gamal encryption (c1 , g1 ). It is well known that the El Gamal encryption is provably one-way if the computational Diffie-Hellman (CDH) problem is hard, and that the scheme is a CPA secure encryption scheme if the decisional Diffie-Hellman (DDH) holds. More formally, we require that the following problem is computational infeasible: Definition 6 (q-SDH Extraction Problem). In the q-SDH extraction problem (SDHE), an adversary gets as input    q+1  β s+1/(x+c1 ) 1/(x+ci ) β s x βx , ci , g 1 g 1 , g 1 , g 2 , g 2 , g 2 , g 2 , c1 , g 1 i=2

 1/(x+c1 ) . and is required to compute c1 , g1 

Definition 7. The q-SDHE problem is (t, ǫ)-hard if no t-time algorithm Ahas advantage at least ǫ in solving the q-SDHE problem, i.e., no such algorithm has advantage Prob



c 1, g

1/(x+c1 ) 1



 ← A g 1, g 1s, g 2, g 2β, g 2x, g

βx 2 ,



c 1, g

β s+1/(x+c1 ) 1

  , c i, g

1/(x+ci ) 1

q+1  i=2

≥ǫ .

We assume that q-SDHE is (t, ǫ)-hard for any polynomial t in n and a negligible ǫ. Based on this assumption, we can now prove that Construction 1 is opaque. Theorem 7. If the qC -SDHE extraction problem is (t + TKg (n) + qC TCreate (n) + qA TAdj (n), ǫ/qC )-hard then our scheme is (t, qC , qA , ǫ)-opaque. Proof. A natural observation is that there are two possibilities to break opacity. One is to directly forge the underlying signature scheme; the second one is to extract an ordinary signature. Since the case that the adversary forges the underlying BB signature is already covered, we concentrate on the second class, of adversaries that “decrypt” a given verifiably encrypted signature. We show how to use such an adversary in order to refute the qC -SDHE assumption. The proof follows [2, Lemma 10] in the way of simulating adaptive queries, but differs in the point that the adversary extracts a previously queried encrypted element. We distinguish two classes of adversaries. We say that an algorithm A is a 1. type-1 adversary, denoted A1 , if it (a) makes a verifiably encryption query for a message m = −x, or 1/(x+y r ∗ +m∗ ) (b) outputs an extraction (m∗ , r∗ , g1 ), where m∗ + y r∗ ∈ {c1 , . . . , cq+1 }. 2. type-2 adversary, denoted A2 , if it (a) never makes a verifiably encryption query for a message m = −x, and 1/(x+y r ∗ +m∗ ) ), (b) outputs an extraction (m∗ , r∗ , g1 where m∗ + y r∗ ∈ {c1 , . . . , cq+1 }.

30

M. R¨ uckert and D. Schr¨ oder

Note that these types cover all possible adversaries, and observe that they are identical to the partitions in [3]. As already pointed out by Boneh and Boyen, the type-1 adversary directly leads to a forgery of the underlying signature scheme, thus we omit this part of the proof and refer the reader to [3]. Now we show how to solve the qC -SDHE problem by giving a reduction B2 black-box access to a type-2 adversary A2 . The idea of the proof is that we use the technique of Boneh and Boyen in order to answer the queries adaptively. We guess which answer of C that A2 will decrypt and inject the SDHE challenge β s+1/(x+c1 ) (c1 , g1 ). Type-2 adversary. We describe the simulator B2 interacting with a type-2 adversary, denoted by A2 , in order to solve qC -SDHE. Setup: The algorithm B2 gets as input g1 , g1s , g2 , g2β , g2x , g2βx , together with the    qC +1 $ β s+1/(x+c1 ) 1/(x+ci ) values c1 , g1 , ci , g 1 . It selects y ← Zp and sets i=2

u ← g2x , v ← g2y , ρ1 ← g2βx , ρ2 ← g2βy . Furthermore, B2 picks a random index $

– the guess j ← {1, . . . , qC + 1} – and initializes a counter ℓ ← 1 together with a list Q ← ∅. It runs A2 on input (apk, pk) ← (ψ(g2β ), (u, v, ρ1 , ρ2 )). VES Queries: Whenever A2 queries m to C, B2 increments ℓ ← ℓ + 1. Case 1 βs+1/(x+c1 ) (ℓ = j): B2 sets: rℓ ← (c1 − m)/y, μℓ ← g1s , and ̟ ← g1 . Case $

2 (ℓ = j): B2 selects sℓ ← Zp , sets: μℓ ← g1sℓ and rℓ ← (cℓ − m)/y, and 1/(x+cℓ ) 1/(x+cℓ ) . B2 stores (mℓ ← m, rℓ , g1 ) in Q. In computes ̟ ← g1βsℓ g1 either case, B2 returns (rℓ , ̟ℓ , μℓ ). Adjudication Queries: Whenever A2 queries a tuple (m, (r, ̟, μ)) to A, B2 checks that the tuple is valid and returns fail if this is not the case. Let’s assume that (m, (r, ̟, μ)) is valid. According to Theorem 1 we know that algorithm A2 must have queried m to C. If i = j, then B2 aborts. Otherwise, if i = j, let i ∈ {1, . . . , |Q|} be the corresponding index of the query. Then, 1/(x+cℓ ) B2 returns (rℓ , g1 ). 1/(x+m∗ +yr ∗ ) Output: Finally, A2 stops, outputting a tuple (m∗ , r∗ , g1 ). B2 sets c∗ ← m∗ + yr∗ . It aborts if c1 = c∗ , and otherwise stops, outputting 1/(x+c∗ ) (c∗ , g1 ). Analysis. Algorithm B2 performs a perfect simulation of C. Note that rℓ is ℓ uniformly distributed over Zp \{− x+m y } and that for the oracle answers of C, we have: −1

ℓ e (̟ℓ , u g2mℓ v rℓ ) · e (μℓ , ρ1 ρr2ℓ um = a )   −1  β(y+mℓ r) =z. e σℓ g1β sℓ , u g2mℓ+y rℓ · e μℓ , uβ g2

B2 also simulates the oracle A perfectly (for i = j) because for its output (rℓ , σℓ ), we have    c  m +y rj = e σℓ , u g2j = z . e (σℓ , u g2mℓ v rj ) = e σℓ , u g2 ℓ

Security of Verifiably Encrypted Signatures

31

Observe that A2 can never query the adjudication oracle A without having invoked C before due to Theorem 1, i.e. qA ≤ qC . The same argument is applicable if A2 sends valid tuple (m, (r, ̟, μ)) to A, such that m is in the query list Q, but with a different value r. Both cases would contradict the strong unforgeability of the BB signature scheme. Assuming A2 succeeds with non-negligible probability ǫ(n). According to the partition of adversaries, we know that A2 “decrypts” a given ̟ obtained from C. Since B2 guesses the index of the corresponding query, its success probability is lessened by a factor of 1/qC . However, it still succeeds with non-negligible probability ǫ(n)/qC in the qC -SDHE problem — a contradiction. ⊓ ⊔ Corollary 2. If the BB signature scheme is unforgeable, then Construction 1 is abuse-free. Proof. The proof follows immediately from Theorem 6 and Theorem 5.

⊓ ⊔

Acknowledgments We thank Heike Busch, Marc Fischlin, Cristina Onete, Michael Schneider, and the anonymous reviewers for their valuable comments.

References 1. Asokan, N., Shoup, V., Waidner, M.: Optimistic Fair Exchange of Digital Signatures. IEEE Journal on Selected Areas in Communications 18(4), 593–610 (2000) 2. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 3. Boneh, D., Boyen, X.: Short Signatures Without Random Oracles and the SDH Assumption in Bilinear Groups. Journal of Cryptology 21(2), 149–177 (2008) 4. Bao, Deng, Mao: Effcient and Practical Fair Exchange Protocols with Off-Line TTP. In: RSP: 19th IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos (1998) 5. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 6. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 7. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004) 8. Dodis, Y., Lee, P.J., Yum, D.H.: Optimistic fair exchange in a multi-user setting. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 118–133. Springer, Heidelberg (2007) 9. Garay, J.A., Jakobsson, M., MacKenzie, P.D.: Abuse-Free Optimistic Contract Signing. In: Wiener, M. (ed.) CRYPTO 1999, vol. 1666, pp. 449–466. Springer, Heidelberg (1999)

32

M. R¨ uckert and D. Schr¨ oder

10. Goldwasser, S., Micali, S., Rivest, R.L.: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput. 17(2), 281–308 (1988) 11. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006) 12. Hess, F.: On the Security of the verifiably-encrypted signature scheme of Boneh, Gentry, Lynn and Shacham. Information Processing Letters 89(3), 111–114 (2004) 13. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006) 14. R¨ uckert, M., Schr¨ oder, D.: Security of Verifiably Encrypted Signatures and a Construction Without Random Oracles (Extended Version). Number 2009/027 in Cryptology eprint archive (2009), eprint.iacr.org 15. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 16. Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003, vol. 2904, pp. 191–204. Springer, Heidelberg (2003)

A

Secure Signature Schemes

Recall that a digital signature scheme DSig is defined as: Definition 8. A signature scheme consists of a triple of efficient algorithms DSig = (Kg, Sign, Vf), where: Key Generation: Kg(1n ) outputs a private signing key sk and a public verification key pk. Signature Generation: Sign(ssk, m) outputs a signature σ under ssk, on a message m chosen from the message space M. Signature Verification: The algorithm Vf(spk, σ, m) outputs 1 iff σ is a valid signature on m under spk. Signature schemes are complete if for any (ssk, spk) ← Kg(1n ), any message m ∈ M, and any σ ← Sign(ssk, m), we have: Vf(spk, σ, m) = 1. The security of signature schemes is proven against existential forgery under adaptive chosen message attacks (EU-CMA) [10]. In this model, an adversary adaptively invokes a signing oracle and is successful if it outputs a signature on a fresh message. In the following, we use a slightly stronger notion, known as strong unforgeability (SU-CMA). Here, the adversary also succeeds if it computes a fresh message-signature pair. Definition 9. A signature scheme DSig is strongly unforgeable under adaptive chosen message attacks (SU-CMA) if for any efficient algorithm A the probability evaluates to 1 is negligible (as a function of n). that the experiment sForgeDSig A

Security of Verifiably Encrypted Signatures

33

Experiment sForgeDSig A (n) (ssk, spk) ← Kg(1n ) (m∗ , σ ∗ ) ← ASign(ssk,·) (pk) let (mi , σi ) be the answer returned by Sign(ssk, ·) on input mi , for i=1, . . . , k. Return 1 iff Vf(spk, m∗ , σ ∗ ) = 1 and (m∗ , σ ∗ ) ∈ {(m1 , σ1 ), . . . , (mk , σk )}. A signature scheme DSig is (t, qS , ǫ)-secure if no adversary running in time at most t, invoking the signing oracle at most qS times, outputs a valid forgery (m∗ , σ ∗ ) with probability larger than ǫ.

B

Completeness in Section 6

Concerning completeness, we prove the following proposition. Proposition 1. Construction 1 is complete. Proof. We show that for all honestly generated key pairs, for all messages m ∈ M, and for any verifiably encrypted signature generated by the Create algorithm, the VesVf algorithm returns 1. We have: −1

e (̟, u g2m v r ) · e (μ, ρ1 ρr2 um = a )   −1 1 βm = e g1x+m+yr ψ(ua )s , u g2m v r · e μ, uxa uyr a g2  −1  1 β(x+m+yr) = e g1x+m+yr , g2x g2m g2yr · e (ψ(ua )s , u g2m v r ) · e μ, g2 x+m+yr −1    =z . = e (g1 , g2 ) x+m+yr · e μβ , u g2m v r · e μβ , u g2m v r

We further show that if the adjudicator extracts a signature σ, then σ can be verified as a valid BB signature, i.e., running the BB verification algorithm yields:   −β e ̟/μβ , u g2m v r = e (σ ψ(ua )s , u g2m v r ) · e (μ, u g2m v r ) −1    = e σ, g2x+m+yr · e (ψ(ua )s , u g2m v r ) · e μβ , u g2m v r x+m+yr −1    = e (g1 , g2 ) x+m+yr · e μβ , u g2m v r · e μβ , u g2m v r =z . ⊓ ⊔

C

A Stronger VES Model

In the following, we discuss how the security definition of VES schemes can be strengthened even further. We apply the idea of strong unforgeability in the digital signature context to the definitions of unforgeability and opacity in the VES context. We show in the full version of this paper that the new model is strictly stronger and give a first instantiation.

34

M. R¨ uckert and D. Schr¨ oder

Definition 10. A verifiably encrypted signature scheme VES is called strongly unforgeable if for any efficient algorithm A, the probability that the following experiment evaluates to 1 is negligible (as a function of n). Experiment VesSForgeVES A (n) (sk, pk) ← Kg(1n ) (ask, apk) ← AdjKg(1n ) (m∗ , ω ∗ ) ← AC(sk,apk,·),A(ask,apk,pk,·,·) (pk, apk) Let C = {(mC1 , ωC1 ), . . . , (mCk , ωCk )} be the query-answer pairs of C. Return 1 iff VesVf(apk, pk, ω ∗ , m∗ ) = 1 and (m∗ , ω ∗ ) ∈ C. The main difference to unforgeability is that the adversary is allowed to output a forgery ω ∗ for a message m∗ that has already been sent to C, as long as the forged verifiably encrypted signature is different from the corresponding answer of C. This last condition ensures that verifiably encrypted signatures cannot be reused by simply re-randomizing them. Moreover, the adversary is allowed to query A on m∗ in order to obtain an ordinary signature σ ∗ . In this scenario, however, we require that reusing ordinary signatures as verifiably encrypted signatures without having knowing some secret information should be hard. Definition 11. A verifiably encrypted signature scheme VES is called strongly opaque if for any efficient algorithm A, the probability that the following experiment evaluates to 1 is negligible (as a function of n). Experiment SOpacVES A (n) (sk, pk) ← Kg(1n ) (ask, apk) ← AdjKg(1n ) (m∗ , σ ∗ ) ← AC(sk,apk,·),A(ask,apk,pk,·,·) (pk, apk) Let A = {(mA1 , σA1 ), . . . , (mAℓ , σAℓ )} be the query-answer pairs of A. Return 1 iff Vf(apk, σ ∗ , m∗ ) = 1 and (m∗ , σ ∗ ) ∈ A. Here again, as opposed to opacity, the adversary is allowed to query the oracles on the message it is about to output as a forgery. The forgery, however, must be different from what the adversary obtained from A on that message. Definition 12 (Strong Security of VES). A verifiably encrypted signature scheme VES is called strongly secure if it is strongly unforgeable and strongly opaque. We show in the full version of this paper that a modification of our construction satisfies the stronger notion.

Multisignatures as Secure as the Diffie-Hellman Problem in the Plain Public-Key Model Duc-Phong Le1 , Alexis Bonnecaze2 , and Alban Gabillon3 1

2

Laboratoire LIUPPA, Universit´e de Pau et des Pays de l’Adour, 64013 Pau Cedex, France [email protected] Laboratoire IML, Universit´e de M´edit´eran´ee, 13288 Marseille cedex 09 France [email protected] 3 Laboratoire GePaSud, Universit´e de la Polyn´esie Fran¸caise, 98702 FAA’A - Tahiti - Polyn´esie fran¸caise [email protected]

Abstract. A multisignature scheme allows a group of signers to cooperate to generate a compact signature on a common document. The length of the multisignature depends only on the security parameters of the signature schemes and not on the number of signers involved. The existing state-of-the-art multisignature schemes suffer either from impractical key setup assumptions, from loose security reductions, or from inefficient signature verification. In this paper, we present two new multisignature schemes that address all of these issues, i.e., they have efficient signature verification, they are provably secure in the plain public-key model, and their security is tightly related to the computation and decisional DiffieHellman problems in the random oracle model. Our construction derives from variants of EDL signatures.

1

Introduction

A multisignature scheme enables multiple signers to jointly authenticate a document producing a fixed length of digital signature. The goal of a multisignature is to prove that each member of the stated group signed the message. Multisignatures can be applied to provide efficient batch verification of several signatures of the same message under different public keys, e.g. applications concerning the multi-cast communication: IP Multi-cast, Peer-to-Peer file sharing, mobile ad hoc networks, etc. The notion of multisignatures was first introduced by Itakura and Nakamura in [12], and has been followed by many other research works [7, 18]. Those initial schemes were not very efficient and in particular there was no formal notion of security. In fact, some effective attacks on multisignature schemes , like the rogue key attack, have succeeded due to some weaknesses in the key setup protocol. A rogue key attack attack can be realized whenever an adversary is allowed to choose his public key as he wishes. Typically, the adversary chooses his public key as a function of public keys of honest user, allowing him to produce forgeries easily. H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 35–51, 2009. c Springer-Verlag Berlin Heidelberg 2009 

36

D.-P. Le, A. Bonnecaze, and A. Gabillon

The first formal security model for multisignatures was formalized by Micali et al. in [16]. They showed how to avoid such rogue key attacks under so-called “Knowledge of Secret Key” (KOSK) assumption, which requires the adversary to essentially provide a secret key for every public key it chooses. Their scheme implemented the KOSK assumption via an interactive pre-processing protocol involving all potential signers. This make their scheme impractical. Another way to realize the KOSK assumption is to employ so-called Key Registration Model (KR) for Public Key Infrastructure (PKI), introduced in the context of multisignatures by Ristenpart and Yilek [19]. In the KR model, a Certification Authority (CA) can certify a public key only if its owner passes a special key registration procedure, called a proof of possession of the secret key (POP). The KR model thus shifts the proof verification overhead from multisignature verifiers to the CA’s. This imposes a limitation on the use of those multisignatures. Then, Bagherzandi and Jarecki [1] removed this limitation by considering an alternative mode of PKI operation which we call the Key Verification (KV) Model. In the KV model each private key owner also produces a (POP) string, but instead of handing it to the CA during the key registration process she attaches it to her key (or a PKI certificate on the key). This POP message is then verified by a multisignature receiver instead of by the CA, for example together with verification of PKI certificates on that key [1]. Plain public key model. In setting for multisignature schemes, the set of potential users should be dynamic. Users can choose their public key as they wish and may register keys at any time. In [4], Bellare and Neven discuss the drawbacks of KOSK assumption in detail and show that it is possible to dispense with this assumption. They presented a multisignature scheme which is provably secure against rogue-key attacks in the plain public-key model, meaning that key registration with a Certification Authority (CA) requires nothing more than that each signer has a (certified) public key. Their model allows users to register keys at any time, concurrently with other users. Tight reduction. As Micali and Reyzin [17] put it, if the reduction is efficient and hence the relative hardness of forging and that of breaking the underlying computational assumption is close, we call the reduction tight. If the reduction is less efficient, we call it close, and if it is significantly less efficient, we call it loose. Intuitively, a tight reduction means that the underlying cryptographic problem is almost as hard to solve as the scheme to break. Our contribution. In this paper, we propose two multisignature schemes which are interactive and their security is tightly related in the random oracle model (ROM) to, respectively, the CDH and DDH problems. In particular, our schemes are secure in the plain public-key model. In the same model, compared to the BN scheme [4], the cost of multisignature verifications of our schemes is higher than that in BN scheme. On the other hand, our schemes have tight reductions from CDH/DDH problems while the security reduction of [4] encounters a security degradation due to the use of the forking lemma. In comparison with the BNN/BGLS scheme [3, 5], our schemes have constant number

Multisignatures as Secure as the Diffie-Hellman Problem

37

Table 1. MS scheme comparisons. For each scheme (the two last are ours) we show the assumption used to prove security, the security degradation, the protocol rounds, the type of key setup, the computational cost of verification of a multi-signature, the computational cost of signing (per signer), and the size of a multi-signature. Signature length is measured in bits, where n is the number of signers, κ is the security parameter in the BJ scheme, |G| is the number of bits required to represent elements in group G, q is the group order, and G1 and G2 are two groups of points on an elliptic curve with asymmetrical bilinear maps e : G1 × G2 → GT . We assume we work over a 160-bit elliptic-curve (EC) group for the DL-based schemes. For example κ = 80, |G| = |q| = |G1 | = 160 and |G2 | = 6 · 160. By “exp” we mean an exponentiation. (Some of the exponentiations are actually multi-exponentiations, but these have the same cost as single exponentiations.) By “pr” we mean a pairing, whose cost estimate is five 512-bit exponentiations [2]. MS Scheme

Assump Degradation Protocol Key Verify in Security Rounds Setup RY+Bo [19] GDH 1/qs 1 POP 2 pr RY+LOSSW[19] GDH 1/qs 1 POP 2 pr MOR [16] DL 1/qs qh2 2 POP 1 exp BN [4] DL 1/qh 3 Plain 1 exp BNN+BGLS [3] GDH 1/qs 1 Plain n pr BNN+BGLS [3] GDH tight 1 Plain n pr BJ-CDH [1] CDH tight 3 POP 1 exp BJ-DDH [1] DDH tight 3 POP 1 exp OCDH GDH tight 3 Plain 1 exp+2 pr ODDH DDH tight 3 Plain 2 exp

Sign 1 3 1 1 1 1 1 1 1 2

exp exp exp exp exp exp exp exp exp exp

Signature Length |G1 | |G1 | + |G2 | 2|q| |G| + |q| |G1 | |G1 | + n bits |G| + 2|q| + 2κ 2|q| 2|G1 | + |q| 2|G| + |q|

of multi-exponentiations and pairings, while the multisignature verification of BNN/BGLS scheme make O(n) pairing operations. Table 1 summarizes the comparison between ours and previous multisignature schemes. Organization. The rest of the paper is organized as follows. Section 2 provides some preliminaries about bilinear maps, Diffie-Hellman problems and the security model for multisignatures. In Section 3, we briefly recall the notion of multisignatures and their security. Section 4 presents our construction based on CDH problem and we analyze its security in Section 5. We present our multisignature scheme based on DDH problem in Section 6. Finally, we conclude the paper in Section 7.

2 2.1

Preliminary Bilinear Map

Our first multisignature scheme uses a bilinear map, which is often called a pairing, to implement a decision procedure for the Diffie-Hellman problem. Typically, the pairing used is a modified Weil or Tate pairing. In this section, we briefly review the necessary facts about bilinear maps.

38

D.-P. Le, A. Bonnecaze, and A. Gabillon

Let G, GT be cyclic groups of prime order p. A map e : G × G → GT is called an admissible pairing if it satisfies the following properties: 1. bilinearity: for all g1 , g2 ∈ G and a, b ∈ Z, e(g1a , g2b ) = e(g1 , g2 )ab ; 2. non-degeneracy: if g is a generator of G, then e(g, g) is a generator of GT ; 3. computable: there exists an efficient algorithm to compute e(g1 , g2 ) for all g1 , g2 ∈ G. While pairing computation is expensive, on-going algorithmic advances and hardware implementations may bring this cost down. Readers can see [6, 14] for a more detailed discussion about bilinear maps and bilinear groups. 2.2

Computational Assumptions

The security of our schemes is based on the hardness of the Diffie-Hellman problems. Let G be a cyclic group of prime order p and let g be a generator of G. Computational Diffie-Hellman. Informally, the CDH problem is to find g ab , $ given (g a , g b ) ∈ G as inputs, where a, b ← Z∗p . An algorithm A has an advantage ǫ in solving the CDH problem in G if   R R P r A(g, g a , g b ) = g ab : g ← G ; a, b ← Z∗p is at least ǫ. We say that the CDH problem is (t, ǫ) − hard in G if there exists no algorithm A which running in time at most t have advantage ǫ in solving the CDH problem in G. Decisional Diffie-Hellman. The DDH problem is informally to distinguish between tuples of the form (g a , g b , g ab ) (called DDH triples or DDH tuples), R R where a, b ← Z∗p and tuples of the form (g a , g b , g c ), where a, b, c ← Z∗p . A distinguishing algorithm A has an advantage ǫ in solving the DDH problem in G if       R   P r A(g a , g b , g ab ) = 1 − P r A(g a , g b , g c ) = 1 : a, b, c ← Z∗p 

is at least ǫ. We say that the DDH problem is (t, ǫ) − hard in G if there exists no distinguishing algorithm A which running in time at most t have advantage ǫ in solving the DDH problem in G. The DDH assumption is stronger than the CDH assumption, that is, if the CDH problem is efficiently solved in G then the DDH problem is also solved efficiently in G. The inverse of these statements is not believed to be true in general. Indeed, Joux and Nguyen [14] showed that there are groups (called gap Diffie-Hellman (GDH) groups) for which the DDH is easy by using an efficiently computable bilinear map e, yet the CDH in the group is still believed to be hard.

Multisignatures as Secure as the Diffie-Hellman Problem

3

39

Multisignature Scheme and Its Security Model

3.1

Multisignature Scheme

Formally, a multisignature scheme consists of four algorithms MS = Setup, KGen, MSign, Vrfy. - params → Setup(1k ). A central authority, on input the security parameter k, runs the algorithm Setup to produces the global information params. Algorithm Setup is probabilistic. - (sk, pk) ← KGen, executed by each signer on input params, generates this signer’s secret key sk, the corresponding public key pk. Algorithm KGen is probabilistic. - The multi-signing algorithm MSign might be a probabilistic algorithm which, given a message m, the global information params and a list of signers L along with their public and secret keys, produces a multisignature σ. The multi-signing can be interactive or non-interactive. - {0, 1} ← Vrfy(params, m, L, σ) verifies whether σ is a valid multisignature on the message m with respect to L. This algorithm is deterministic. 3.2

Multisignature Security in Plain Public-Key Model

The attacks of an adversary A against multisignature schemes are to forge a group of signers L and a multisignature of some message such that the latter is accepted by a verifier whereas some signers of the group L did not sign the message. We give the adversary the power to request the private key on all but one signer and its goal is to frame this honest signer. The adversary can choose their public keys arbitrarily, even as a function of the public key of the honest signer. The adversary A is given the global information params, a challenging public key pk ∗ corresponding to the honest signer and signing and hash oracles. His goal is to output a forged message-group-multisignature tuple (m, L, σ), such that the honest signer, who did not complete the multisignature generation protocol on the input message m, is in L and MS.Vrfy(params, m, L, σ) = 1. Let A be an adversary against the multisignature scheme, which consists of four algorithms Setup, KGen, MSign, and Vrfy. As in the previous works on multisignatures, e.g. [1, 16], we define multisignature security as Universal Unforgeability (UU) under a Chosen Message Attack (CMA) against a single honest uu−cma (A) to be the probability that experiment player. Namely, we define AdvMS uu−cma ExpMS (A) described in Table 2 outputs 1. A multisignature scheme is said uu−cma (A) ≤ ǫ to be (t, qS , qH , N, ǫ)-secure in the random oracle model if AdvMS for every adversary A that runs in time at most t, makes at most qS signing queries with the honest signer, at most qH random oracle queries, and the number of signers in L involved in any signing query or in the forgery is at most N .

40

D.-P. Le, A. Bonnecaze, and A. Gabillon

Table 2. Chosen Message Attack against Multisignature in the Plain public-key model Experiment Expuu−cma (A) : MS params ← Setup(1k); (sk∗ , pk∗ ) ← KGen(params); List ← ∅; Run A(params, pk∗ ), and for every signature query m made by A do the following: 1. List ← List ∪ {(m, L)}, where L is the list of users participating in signing the message m; 2. Execute protocol MSign on behalf of an honest player on inputs (params, m, sk∗ , L), forwarding messages to and from A. When A halt; parse its outputs as (m, L, σ). If (m, L) ∈ / List, pk1 = pk∗ and Vrfy(params, m, L, σ) = 1 then return 1. Otherwise return 0.

A Multisignature Scheme Based on the CDH Problem

4 4.1

The Chevallier-Mames Signature Scheme

In order to give some intuition into our scheme, we briefly recall the variant of EDL signature scheme presented in [9]. Let G be a cyclic group of prime order p, g be a generator of G and let H, G be two collision-resistant hash functions. To sign a message m, a signer U , having private/public key pair (x, y), does as follows: – – – –

chooses k ∈ Zp at random; computes u = g k , h = H(u), z = hx and v = hk ; queries c = G(m, g, h, y, z, u, v) and computes s = k + cx; outputs σ = (z, s, c) ∈ G × Z2p as the signature of m.

To verify a signature σ = (z, s, c) for m, one computes u′ = g s y −c , h′ = H(u′ ) and v ′ = h′s z −c . The signature σ is accepted iff c = G(m, g, h′ , y, z, u′ , v ′ ). The Chevallier-Mames signature scheme [9] is the most efficient in variants of EDL scheme [8, 10, 11, 13, 15] under CDH assumption. 4.2

Our Multisignature Scheme

In our multisignature generation protocol, each signer computes and uses an independent challenge ci = G(yi , L, u, m, g, h) in the proofs of knowledge of equality of discrete logarithms. This way pointed out by Bellare and Neven [4], allows us to avoid KOSK and KR models. Thus, we first modify the Chevallier-Mames signatures as follows: let a signature of a message m under public key y ∈ G be a quadruplet (u, v, z, s) ∈ G3 × Zp such that g s = uy c and hs = vz c , where h = H(u) and c = G(m, g, h, y, z, u, v). In order to aggregate individual signatures of a common message m, (ui , vi , zi , si ), for 1 ≤ i ≤ n under public keys P K = {y1 , y2 , · · · , yn }, we may let a multisignature be a tuple (u, v, s, {zi }ni=1 ) such that:

Multisignatures as Secure as the Diffie-Hellman Problem

41

    g s = u · ni=1 yici and hs = v · ni=1 zici , where u = ni=1 ui , v = ni=1 vi and n s = i=1 si . Because challenges ci are different, we cannot aggregate individual shares zi . The size of the multisignature thereby grows linearly with the number of signers. To solve this problem, we propose to use a pairing. A multisignature n may  be a triple (u, z, s) ∈ G2 × Zp such that: g s = u · i=1 yici and e(z, g) = n e(h, i=1 yi ), where h = H(u), ci = G(yi , L, u, m, g, h). The values of u, z (and s) are typically computed as the product (the sum resp.) of individual shares of ui , zi (of si resp.) contributed by each signer. In describing the scheme, we assume the signers directly send and receive messages to each other over a point-to-point network. Like in [4], to avoid using the rewinding technique in security proof, our scheme requires an additional communication round between signers, in which each signer first makes an additional random oracle query on its individual share u and then sends this challenge to every other signer before sending u. This prevents the forger to know the value of individual share u before the simulator does. The simulator thereby could imitate the oracle so as to produce commitments and challenges simultaneously. Let G, GT be cyclic groups of prime order p in which G provides admissible parings, let k be a security parameter. Three cryptographic hash functions: H0 : G → {0, 1}l0 , H1 : G → G and G : {0, 1}∗ → Zp . We remark that H0 , H1 and G will be viewed as random oracles in our security proof. The multisignature scheme MS = Setup, KGen, MSign, Vrfy works as follows: Parameter generation (Setup): A trusted center generates a random generator g ∈ G∗ and publishes params = (G, GT , e, g, H0 , H1 , G) as system wide parameters. Key generation (KGen): On input 1k , each signer picks a random number R x ← Zp as his private key. The corresponding public key is y = g x . Signing (MSign): Suppose that L = {P1 , P2 , . . . , Pn } is a group of n signers that wish to sign a common message m, each having as input its own public and secret key as well as a multiset of public keys P k = {y1 , y2 , . . . , yn } of the other signers. We also stress that the signers P1 , . . . , Pn are merely local references to co-signers, defined by one signer within one protocol instance. The signing process, which is interactive, consists of three rounds: Round 1. Each signer Pi ∈ L: - picks a random number ri ∈ Zp ; - computes its individual commitment ui = g ri ; - queries H0 to compute the challenge hi = H0 (ui ); - sends hi to every other signer. Round 2. Each signer Pi ∈ L: - receives hj from signer j, for 1 ≤ j ≤ n, j = i; - sends ui to signer j. Round 3. Each signer Pi ∈ L: - receives uj from signer j, for 1 ≤ j ≤ n, j = i; - checks whether hj = H0 (uj ) for all 1 ≤ j ≤ n, j = i. If not, abort the protocol. Otherwise, n - computes u = i=1 ui , h = H1 (u) and zi = hxi .

42

D.-P. Le, A. Bonnecaze, and A. Gabillon

- queries ci = G(yi , u, P k, m, g, h) and computes si = ri + xi ci mod p. - sends to signer j: zi , si , for 1 ≤ j ≤ n, j = i. sj from signer After receiving zj ,  nj, for 1 ≤ j ≤ n, j = i, each signer Pi ∈ L: n - computes z = i=1 zi , s = i=1 si mod p; - outputs the signature σ = (u, z, s); Verification (Vrfy): To verify a signature σ of a message m of a group L, whose public keys is the multiset P k = {y1 , . . . , yn }, one does as follows: - Compute h = H1 (u); - Compute ci = G(yi , u, P k, m, g, h) for all 1 ≤ i ≤ n; - Check whether: n n yi ). yici and e(z, g) = e(h, gs = u · i=1

5

i=1

Security Analysis

In this section, we reduce the security of the proposed multisignature scheme to the CDH problem in the group G with bilinear map e. The main technique used to obtain a tight proof of security is to prove equality of discrete logarithms (see [11] for a discussion more details). Let N be the maximum number of signers which participate in signing in one protocol instance, the following theorem implies that the proposed multisignature scheme is secure if the CDH assumption is held in G. Theorem 1. The proposed multisignature scheme is (t, qH , qS , N, ǫ)-unforgeable if the CDH problem is (t′ , ǫ′ )-unforgeable in G, where ǫ′ ≥ ǫ −

qS ((N + 1)qH + 2qS ) (qH + N qS + 1)2 − , 2 l0 q

and t′ ≤ t + 6qS texp + O((qS + qH )(1 + qH + N qS )), where texp is the time of an exponentiation in G. Proof. We are given a group G and a CDH challenge (g, g x , g a ). Let A be a polynomial time forger that (t, qH , qS , ǫ)-breaks the proposed scheme. We need to construct an algorithm B which, by interacting with the adversary A, (t′ , ǫ′ )breaks this challenge, i.e. to find g ax . The forger A, after qH hash queries to random oracles (H0 , H1 and G) and qS signature queries, is able to produce a multisignature forgery with probability ǫ within time t. Assume that A is trying to attack the honest signer P ∗ . B runs the forger A on input system parameters and target public key y ∗ = g x . Like [4], we make use of a list T which assigns a unique index 1 ≤ i ≤ qH + N qS to each public key y occurring either as a cosigner’s public key in one of A’s signature queries, or as the first item in the argument of one of A’s queries to G and a table G[· , ·] which is used to simulate the random oracle G. Algorithm B uses a counter ctr indicating the current index of this list, initially set to zero. B assigns T[y ∗ ] ← 0. It responds to A’s oracle queries, essentially, at random as follows:

Multisignatures as Secure as the Diffie-Hellman Problem

43

Queries to H0 . In response to a query H0 (ui ), B first checks if the output of H0 on this input has been previously defined. If so, B returns the previously assigned value. Otherwise, B returns with a value chosen uniformly at random from {0, 1}l0 . All queries ui are stored in a called list H. Queries to H1 . In response to a query from the forger A to H1 (u), algorithm B generates a random number d ∈ Zp , and returns (g a )g d . All queries u are stored in a list called U. Queries to G. In response to a query G, we first parse the argument of the query into two portions as y and Q. If T[y] is undefined then B increases ctr and sets T[y] ← ctr. If G[ctr, Q] has not yet been defined, then B assigns G[i, Q], for all 1 ≤ i ≤ qH + N qS with random numbers, and picks in advance at random e1 , . . . , eqH +qS ∈ Zp to assign for G[0, Q]. Signing query on m with group of users L: Signature queries to the honest signer P ∗ consists of three rounds. First, the adversary provides m, L to P ∗ and receives the individual challenge h∗ from P ∗ in response. Second, playing the role of rest signer, the adversary A provides the challenges hi to P ∗ and receives u∗ from P ∗ in response. Third, the adversary provides the commitments ui to P ∗ and receives z ∗ , s∗ from P ∗ in response. Note that in the simulation, rewinding is not required since the joint commitment u is not provided to the simulator by the adversary. In detail, answering signature queries works as follows: First, B checks whether P ∗ ∈ / L, if so algorithm B returns ⊥ to A. If not, it parses the public keys of signers in L as P k = {y1 = y ∗ , y2 , . . . , yn }. Then, B checks whether T[yi ], for i ∈ {2, . . . , n}, has already been defined. If not, it increases ctr and sets T[yi ] ← ctr. Then, B sets c1 at random as e1 , . . . , eqH +qS in advance. B generates (γ, s1 ) ∈ Z2p at random, computes u1 = g s1 y −c1 . It sets h1 = H0 (u1 ) and sends it to all signers. After receiving h2 , · · · , hn from the adversary A, B looks up in the list H for values uj such that hi = H0 (uj ). If multiple such values are found for some i, the algorithm B stops (Event 1). If no such value was found for some i then it setsalert ← true and sends u1 to all co-signers; otherwise, n B computes u = i=1 ui . If H1 (u) is already set, algorithm B fails and stops (Event 2). Else, algorithm B sets h = H1 (u) = g γ and computes z1 = y1γ = (g x )γ = hx , remark that DLg (y) = DLh (z)(= x). Then, B checks whether G[0, Q] has already been defined for Q = u, P k, m, g, h . If so, it fails and stops (Event 3). If not, it sets G(y1 , u, P k, m, g, h) = G[0, Q] = c1 , R randomly chooses G[i, Q] ← Zp for all 1 ≤ i ≤ qH + N qS and sends u1 to all co-signers. After receiving u2 , . . . , un from A, B verifies that hi = H0 (ui ) for all 1 ≤ i ≤ n. If not, it returns ⊥ to A. If alert = true, B fails and stops (Event 4). Else, it sends (z1 , s1 ) to all co-signers. (z2 , s2 ), · · · , (zn , sn ) from co-signers (A), B computes z = nAfter receiving  n z and s = i=1 si and returns the valid signature (u, z, s). All u’s i=1 i computed during signature queries are stored in a list called Y.

44

D.-P. Le, A. Bonnecaze, and A. Gabillon

As we can see, this simulator is valid, except for some events: – Event 1: In this case, there exist two values ui = u′i such that hi = H0 (ui ) = H0 (u′i ) for some i, i.e, there is at least one collision occurred in H0 . As outputs of H0 are chosen at random from {0, 1}l0 and since there are at most qH0 + N qS queries to H0 , the probability that at least one collision (q

+N q )(q

+N q +1)/2

(q

+N q +1)2

S S H0 ≤ H0 2l0 +1S . occurs is upper bounded by H0 2l0 – Event 2: As u is a random element in G, the probability that the H1 (u) is q +q already set is less than H1p S , for one signature query. For qS signature

q (q

+q )

queries, the failure probability is thus upper bounded by S Hp1 S . – Event 3: Algorithm B only aborts at event 3 if it has run into an input string 0, u, P k, m, g, h = 0, u, P k, m, g, g γ on which G has been already queried, for γ ∈ Z∗q . But as Event 2 did not happened, H1 (u) have not yet been defined, and so γ is absolutely unknown for the adversary. Then, S , for the probability that G(0, u, P k, m, g, h) is already set is less than qG +q p one signature query. For qS signature queries, the failure probability is thus upper bounded by qS (qGp+qS ) . – Event 4: In this case, A must have predicted the value of H0 (ui ) for at least one 1 ≤ i ≤ n, which it can do with probability at most N/2l0 , for one signature query. For qS signature queries, the failure probability is thus upper bounded by qS N/2l0 . As a conclusion, except with a failure probability: qS (qH1 + qS ) qS (qG + qS ) qS N (qH0 + N qS + 1)2 + + l0 + l +1 0 2 p p 2 qS (qH1 + qG + 2qS ) (qH0 + N qS + 1)2 , + ≤ 2 l0 p

δstop =

the simulation is successful. Eventually, A halts and outputs an attempted forgery σ = (ˆ u, zˆ, sˆ) on some message m ˆ along with L = {P ∗ , P2 , · · · , Pn }. It must not previously have requested a signature on m ˆ with L. In addition, it outputs the private keys (x2 , · · · , xn ) for all secret keys except the key x of the challenge P ∗ . Algoˆ g, ˆh) rithm B first computes additional random oracle queries G1 (yi , uˆ, P k, m, for 1 ≤ i ≤ n, thereby making sure that T[yi ] is defined. We divide into two cases : either u ˆ belongs to the list U or u ˆ belongs to the list Y. ˆ = H1 (ˆ In the first case, the algorithm B first computes h u), and then zˆ1 = n ˆ xi u, zˆ, sˆ, ˆh, zˆ1 ). We zˆ/ i=2 h . If A’s forgery is valid, the algorithm B returns (ˆ x ˆ argue that, with all but negligible probability, zˆ1 = h ; if so, say zˆ1 is good. Indeed, if zˆ1 is not good then for any A, B there is at most one possible value ˆ s zˆc (lemma 1 in of c for which there exists an s satisfying A = g s y c and B = h 1 ˆ made by ˆ, P k, m, ˆ g, h) [11]). If zˆ1 is not good, then, for any hash query G(y1 , u B the probability that the query returns a c for which there exists an s as above is

Multisignatures as Secure as the Diffie-Hellman Problem

45

at most 1/p. It follows that the probability that B outputs a valid forgery where zˆ1 is not good is at most qG /p. Otherwise, the problem CDH is solved as follows: ˆ x1 zˆ1 h (g a g d )x = = = g ax , (g x )d y1d y1d As a conclusion, in the first case, except with a failure probability δ1 = qpG , the forgery will be used to successfully solve the CDH problem. In the second case, u ˆ is a member of Y. This case can happen, as there is no message in the input of H1 , and so we can imagine that the attacker reuses a u that corresponds to a u of a signature given by the signature oracle. Then, the algorithm B can recover from its log files all quantities that correspond to this u=u ˆ, i.e., (h, {(zi , si , ci )}i=1..n , m). n n At this moment, we can see that we have u = g s i=1 yi−ci = uˆ = g sˆ i=1 yi−ˆci . It is exactly the kind of hypothesis that is used by the forking lemma to prove a (loose) security. But here, this equality is not obtained by restarting the attacker (as it is done in the forking lemma), but just by construction. More precisely, we can recover easily the private key x, as far as cˆi = ci mod p. As the message-list of signer pair (Pˆk, m) ˆ is new, ci = cˆi for 1 ≤ i ≤ n or a collision on G function happened, between a G returned the signature simulation and a G returned by a direct G query, which occurs with a probability smaller than N qSp·qG . Hence, except an error with a probability smaller than δ2 = N qSp ·qG , n we have private key x. Equation s− i=1 xi ci =  n cˆi = ci , and so we can recover thes−ˆ n ci sˆ − i=1 xi cˆi (mod p) gives x = x1 = c1 −ˆsc1 − i=2 xi cc1i −ˆ −ˆ c1 mod p. We can see that this second case gives not only the solution to the CDH challenge, but also the solution to the discrete logarithm. Summing the probabilities, we can see that in both cases, the algorithm B can use the forgery given by the adversary to solve the CDH. The success probability ǫ′ satisfies ǫ′ ≥ ǫ − δstop − max(δ1 , δ2 ). Thus, qS (qH1 + qG + 2qS ) qG N qS · qG (qH0 + N qS + 1)2 − max( , ) − 2 l0 q q q qS (qH1 + (N + 1)qG + 2qS ) (qH0 + N qS + 1)2 − ≥ǫ− 2 l0 q 2 qS ((N + 1)qH + 2qS ) (qH + N qS + 1) , − ≥ǫ− 2 l0 q

ǫ′ ≥ ǫ −

and the running time t′ satisfies t′ ≤ t + 6qS texp + O((qS + qH )(1 + qH + N qS )), where qH = qH0 + qH1 + qG , texp is the time of an exponentiation in G.

6

A Multisignature Scheme Based on the DDH Problem

In the previous scheme, our scheme makes use of GDH groups. In this section, we present a more efficient multisignature scheme which relies on decisional

46

D.-P. Le, A. Bonnecaze, and A. Gabillon

Diffie-Hellman problem, stronger than CDH assumption, in non-pairing groups. Our construction is based on Katz-Wang signature scheme [15] that works as follows: Let G be a cyclic group of prime order p, g be a generator of G, h ∈ G chosen randomly and let H : {0, 1}∗ → {0, 1}l0 be a hash function. A KatzWang signature of a message m under public keys (y1 , y2 ) is a triplet (A, B, s), such that g s = Ay1c and hs = By2c , where A = g r , B = hr and c = H(A, B, m). We slightly modify the Katz-Wang signature [15] scheme for easily extending it to multisignatures. The idea of using the Katz-Wang signatures for constructing multisignatures was first suggested by Bellare and Neven in section 6 of [4] as further results. 6.1

Our Multisignature Scheme

As before, we assume that G, GT be cyclic groups of prime order p, k be a security parameter. Two cryptographic hash functions: H : G → {0, 1}l0 and G : {0, 1}∗ → Zp . Our second scheme is defined as follows: Parameter generation. A trusted center chooses a generator g ∈ G∗ and h ∈ G at random. It then publishes params = (G, e, g, h, H, G) as system wide parameters. R Key generation. On input 1k , each signer picks a random number xi ← Zp as his private key. The corresponding public keys are P Ki = (yi , zi )(= (g xi , hxi )). Signing. Suppose that L = {P1 , P2 , . . . , Pn } is a group of n signers that wish to sign a common message m, each having as input its own public and secret key as well as a multiset of public keys P k = {P K1 , . . . , P Kn } of the other signers. We also stress that the signers P1 , . . . , Pn are merely local references to co-signers, defined by one signer within one protocol instance. The signing process, which is interactive, consists of four rounds, where in each round signers send (and receive) a message to (from resp.) each other signer. Round 1. Each signer Pi ∈ L: - picks a random number ri ∈ Zp ; - computes its individual commitments ui = g ri and vi = hri , then queries H to compute challenges hi = H(ui ) and ti = H(vi ); - sends hi , ti to every other signer. Round 2. Each signer Pi ∈ L: - receives hj , tj from signer j, for 1 ≤ j ≤ n, j = i; - sends ui , vi to signer j. Round 3. Each signer Pi ∈ L: - receives uj , vj from signer j, for 1 ≤ j ≤ n, j = i; - checks whether hj = H(uj ) and tj = H(vj ) for all 1 ≤  j ≤ n, j = i. n If not, abort the protocol. Otherwise, computes u = i=1 ui and n v = i=1 vi . - queries ci = G(P Ki , u, v, P k, m, g, h) and computes si = ri + xi ci mod p. - sends to signer j: si .

Multisignatures as Secure as the Diffie-Hellman Problem

47

After receiving sj  from signer j, each signer Pi ∈ L: n - computes s = i=1 si mod p; - outputs the signature σ = (u, v, s); Verification. Given the valid signature σ, list of group of users L and message m, the verifier computes g, h) for all 1 ≤ i ≤ n and m, nci = G(P Ki , u, v, P k, n tests whether: g s = u · i=1 yici and hs = v · i=1 zici . 6.2

Security

Theorem 2. The proposed multisignature scheme is (t, qH , qS , N, ǫ)-unforgeable if the DDH problem is (t′ , ǫ′ )-unforgeable in G, where ǫ′ ≥ ǫ −

2qS (qH + N qS ) + qG + 1 (qH + N qS + 1)2 − l 0 2 p

and t′ ≤ t + O(qS texp ). The proof of this theorem is found in Appendix A.

7

Conclusion

At CCS’06, Bellare and Neven introduced the first multisignature scheme provably secure against rogue-key attacks in the plain public-key model. Their scheme is, however, loosely related to the CDH problem in the random-oracle model; the security proof was relied on the general forking lemma. In this paper, we have presented two efficient multisignature schemes that are proven secure against rogue-key attack in the plain public-key model. Their security is also tightly related to either the CDH or the DDH problem in the randomoracle model. This means that they are almost as secure as Diffie-Hellman problems. Our signatures are the first to provide exact security while assuring security against rogue-key attacks in the plain public-key model.

Acknowledgments The authors thank Gregory Neven for his detailed and helpful comments on the manuscript, and the anonymous referees for valuable feedback. This work was supported by Conseil G´en´eral des Landes and the French Ministry for Research under Project ANR-07-SESU-FLUOR.

References 1. Bagherzandi, A., Jarecki, S.: Multisignatures using proofs of secret key possession, as secure as the diffie-hellman problem. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 218–235. Springer, Heidelberg (2008)

48

D.-P. Le, A. Bonnecaze, and A. Gabillon

2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairingbased cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002) 3. Bellare, M., Namprempre, C., Neven, G.: Unrestricted aggregate signatures. In: Arge, L., Cachin, C., Jurdzi´ nski, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 411–422. Springer, Heidelberg (2007) 4. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS 2006: Proceedings of the 13th ACM conference on Computer and communications security, pp. 390–399. ACM Press, New York (2006) 5. Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) 6. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 7. Boyd, C.: Digital multisignatures. In: Cryptography and Coding, pp. 241–246. Oxford University Press, Oxford (1989) 8. Chaum, D., Pedersen, T.P.: Wallet Databases with Observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993) 9. Chevallier-Mames, B.: An Efficient CDH-Based Signature Scheme with a Tight Security Reduction. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 511– 526. Springer, Heidelberg (2005) 10. Goh, E.-J., Jarecki, S.: A signature scheme as secure as the Diffie-Hellman problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 401–415. Springer, Heidelberg (2003) 11. Goh, E.-J., Jarecki, S., Katz, J., Wang, N.: Efficient signature schemes with tight security reductions to the diffie-hellman problems. Journal of Cryptology 20(4), 493–514 (2007) 12. Itakura, K., Nakamura, K.: A public key cryptosystem suitable for digital multisignatures. NEC Research and Development 71, 1–8 (1983) 13. Jakobsson, M., Schnorr, C.-P.: Efficient Oblivious Proofs of Correct Exponentiation. In: CMS 1999: Communications and Multimedia Security. IFIP Conference Proceedings, vol. 152, pp. 71–86. Kluwer, Dordrecht (1999) 14. Joux, A., Nguyen, K.: Separating Decision Diffie-Hellman from Computational Diffie-Hellman in cryptographic groups. J. Cryptology 16(4), 239–247 (2003) 15. Katz, J., Wang, N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS 2003: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 155–164 (2003) 16. Micali, S., Ohta, K., Reyzin, L.: Accountable-subgroup multisignatures. In: CCS 2001: Proceedings of the 8th ACM conference on Computer and Communications Security, pp. 245–254. ACM Press, New York (2001) 17. Micali, S., Reyzin, L.: Improving the exact security of digital signature schemes. J. Cryptology 15(1), 1–18 (2002) 18. Okamoto, T.: A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Comput. Syst. 6(4), 432–441 (1988) 19. Ristenpart, T., Yilek, S.: The power of proofs-of-possession: Securing multiparty signatures against rogue-key attacks. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 228–245. Springer, Heidelberg (2007)

Multisignatures as Secure as the Diffie-Hellman Problem

A

49

Proof of Theorem 2

Proof. Assume we have a polynomial time forger that runs in time at most t, makes at most qH hash queries and at most qS signature queries and outputs a valid multisignature with probability at least ǫ. We need to construct an algorithm B which, by interacting with the forger A, solves DDH problem with probability ǫ′ within time t′ . Informally, the aim of Algorithm B is to determine whether a tuple (g, h, y1 , z1 ) is a random tuple or a DH tuple. Assume that A is trying to attack the honest signer P ∗ who have the public keys P K ∗ = (y1 , z1 ). B sets P K1 = (y1 , z1 ) and runs A on input P K ∗ . Algorithm B simulates the signing and hash oracle for A as follows: First, algorithm B maintains initially empty associative lists H and G which are used to simulate random oracles H, G, respectively. We also make use of a list T which assigns a unique index 1 ≤ i ≤ qH + N qS to each public key P K occurring either as a cosigner’s public key in one of A’s signature queries, or as the first item in the argument of one of A’s queries to G. Algorithm B uses a counter ctr indicating the current index of this list, initially set to zero. B assigns T[P K ∗ ] ← 0. It responds to A’s oracle queries, essentially, at random as follows: Queries to H. In response to a query H(ui ) or H(vi ), B first checks if the output of H on this input has been previously defined. If so, B returns the previously assigned value. Otherwise, B returns with a value chosen uniformly at random from {0, 1}l0 . All queries ui , vi are stored in the list H. Queries to G. In response to a query G, we first parse the argument of the query into two portions as P K and Q. If T[P K] is undefined then B increases ctr and sets T[P K] ← ctr. If G[ctr, Q] is undefined, then B assigns G[i, Q], for all 1 ≤ i ≤ qH + N qS with random numbers, and picks in advance at random e1 , . . . , eqH +qS ∈ Zp to assign for G[0, Q]. Signing query on m with group of users L. Signature queries to the honest signer P ∗ consists of three rounds. First, the adversary provides m, L to P ∗ and receives the individual challenge h∗ , t∗ from P ∗ in response. Second, playing the role of rest signer, the adversary A provides the challenges hi , ti to P ∗ and receives u∗ , v ∗ from P ∗ in response. Third, the adversary provides the commitments ui , vi to P ∗ and receives s∗ from P ∗ in response. As stated above, in the simulation, it is not the adversary providing the joint commitment u, v to simulator, we do not thus need to use rewinding. In detail, answering signature queries works as follows: First, B checks whether P ∗ ∈ / L, if so algorithm B returns ⊥ to A. If not, it parses the public keys of signers in L as P k = {P K1 = P K ∗ , P K2 , . . . , P Kn }. Then, B checks whether T[P Ki ], for i ∈ {2, . . . , n}, has already been defined. If not, it increases ctr and sets T[P Ki ] ← ctr. Then, B sets c1 at random

50

D.-P. Le, A. Bonnecaze, and A. Gabillon

as e1 , . . . , eqH +qS in advance. B generates (γ, s1 ) ∈ Z2p at random, computes u1 = g s1 y1−c1 and v1 = hs1 z1−c1 . It sets h1 = H(u1 ), v1 = H(v1 ) and sends to all signers. After receiving h2 , · · · , hn and t2 , · · · , tn from the adversary A, B looks up in the list H for values uj , vj such that hi = H(uj ) and ti = H(vj ). If multiple such values are found for some i, the algorithm B stops (Event 1). If no such value was found for some i then it sets nsends u1 , v1 to nalert ← true and all cosigners; otherwise, B computes u = i=1 ui and v = i=1 vi . Then, B checks whether G[0, Q] has already been defined for Q = u, v, P k, m, g, h . If so, it fails and stops (Event 2). If not, it sets G(P K1 , u, v, P k, m, g, h) = R

G[0, Q] = c1 , randomly chooses G[i, Q] ← Zp for all 1 ≤ i ≤ qH + N qS and sends u1 , v1 to all cosigners. After receiving u2 , v2 , . . . , un , vn from A, B verifies that hi = H(ui ) and ti = H(vi ) for all 1 ≤ i ≤ n. If not, it returns ⊥ to A. If alert = true, B fails and stops (Event 3). Else, it sends s1 to all cosigners. n After receiving s2 , · · · , sn from cosigners (A), B computes s = i=1 si and returns the valid signature (u, v, s). As we can see, this simulator is valid, except for some events: – Event 1: In this case, there exist two values ui = u′i or vi = vi′ such that hi = H(ui ) = H(u′i ) or ti = H(vi ) = H(vi′ ) for some i, i.e, there is at least one collision occurred in H. As outputs of H are chosen at random from {0, 1}l0 and since there are at most qH + N qS queries to H, the probability that +N qS +1)/2 ≤ at least one collision occurs is upper bounded by (qH +N qS )(q2H l0 (qH +N qS +1)2 . 2l0 +1

– Event 2: Algorithm B only aborts at event 2 if it has run into an input string 0, u, v, P k, m, g, h on which G has been already queried. We distinguish between the case that H(u1 ) and H(v1 ) were previously queried by the forger, and the case that they were not. In the first case, A probably knows u, v and may have deliberately queried G(P K, u, v, P k, m, g, h) for some P K. But since u1 , v1 was chosen by B independently from A’s view at the beginning of the signing protocol, the probability that A queried H(u1 ) qS , for one signature query. In the second case, and H(v1 ) is at most qH +N p A’s view is completely independent of u1 and v1 , and hence of u and v. The probability that u and v occurred by chance in a previous query to G or was set by B in one of the i − 1 previous signature simulations is at most qG +qS , for one signature query. For qS signature queries, the failure probabilp +1)qS ) ity is thus upper bounded by qS ((qH +N qSp )+(qG +qS )) ≤ qS (qH +(N , where p qH = qH + qG . – Event 3: In this case, A must have predicted the value of H(ui ) or H(vi ) for at least one 1 ≤ i ≤ n, which it can do with probability at most 2Nl0 , for one signature query. For qS signature queries, the failure probability is thus . upper bounded by q2SlN 0

Multisignatures as Secure as the Diffie-Hellman Problem

51

As a conclusion, except with a failure probability: (qH + N qS + 1)2 qS (qH + (N + 1)qS ) qS N + l0 + 2l0 +1 p 2 2 qS (qH + (N + 1)qS ) (qH + N qS + 1) + , ≤ 2 l0 p

δstop =

the simulation is successful. Eventually, A halts and outputs an attempted forgery σ = (ˆ u, vˆ, sˆ, {si }i=2..n )) on some message m ˆ along with L = {P ∗ , P2 , · · · , Pn }. It must not previously have requested a signature on m ˆ with L. In addition, it outputs the private keys (x2 , · · · , xn ) for all secret keys except the key x of the challenge P ∗ . Algorithm B first computes additional random oracle queries G1 (P Ki , u ˆ, vˆ, P k, m, ˆ g, h) for 1 ≤ i ≤ n, thereby making sure that T[P Ki ] is defined. n n If A’s forgery is valid, i.e. g, h, y, z, where y = i=1 yi and z = i=1 zi and (g, h, yi , zi ) for each Pi are Diffie-Hellman tuples, and then (g, h, y1 , z1 ) is a Diffie-Hellman tuple, the algorithm B outputs 1 with the probability ǫ − δstop ; otherwise it outputs 0. On the other hand, if (g, h, y, z) is a random tuple, then it is not a DiffieHellman tuple with probability 1 − 1/p. In this case, for any u, v and any query G(P K1 , u, v, P k, m, g, h) made by A then there is at most one possible value of c for which there exists an s satisfying u = g s y1c and v = hs y2c (lemma 1 in [11]). Thus, A outputs a forgery (and hence B outputs 1) with probability at most qG qG +1 1 p + p ≤ p . Summing the probabilities, we see that: |P r [B(g, g x, g y , g xy ) = 1] − P r [B(g, g x, g y , g z ) = 1] : x, y, z ← Zp | qG + 1 ≥ ǫ − δstop − p qS (qH + (N + 1)qS ) (qG + 1) (qH + N qS + 1)2 − − ≥ǫ− 2 l0 p p 2 qS (qH + (N + 1)qS ) + qG + 1 (qH + N qS + 1) − ≥ǫ− 2 l0 p and the running time t′ satisfies t′ ≤ t + O(qS texp ), where texp is the time of an exponentiation in G.

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields Naomi Benger1 , Manuel Charlemagne1 , and David Mandell Freeman2 1

School of Computing, Dublin City University, Ireland {nbenger,mcharlemagne}@computing.dcu.ie 2 CWI and Universiteit Leiden, Netherlands [email protected]

Abstract. Let A be an abelian variety defined over a non-prime finite field Fqthat has embedding degree k with respect to a subgroup of prime order r. In this paper we give explicit conditions on q, k, and r that imply that the minimal embedding field of A with respect to r is Fqk . When these conditions hold, the embedding degree k is a good measure of the security level of a pairing-based cryptosystem that uses A. We apply our theorem to supersingular elliptic curves and to supersingular genus 2 curves, in each case computing a maximum ρ-value for which the minimal embedding field must be Fqk . Our results are in most cases stronger (i.e., give larger allowable ρ-values) than previously known results for supersingular varieties, and our theorem holds for general abelian varieties, not only supersingular ones.

1

Introduction

Suppose we wish to implement a pairing-based cryptosystem using the Weil or Tate pairing on an abelian variety A defined over a finite field Fq of q elements. For our implementation to be both efficient and secure, we need (1) the group A(Fq ) to contain a subgroup of large prime order r, and (2) the group of rth roots of unity μr ⊂ Fq to be contained in an extension field Fqk that is both large enough for the discrete logarithm problem in F∗qk to be computationally infeasible and small enough for the pairing to be computed efficiently. The degree k of this extension is known as the embedding degree of A (with respect to r). The embedding degree of A is commonly used as a measure of the security level of our pairing-based cryptosystem. However, Rubin and Silverberg [15] and Hitt [10] observed that when the field size q is not prime, the rth roots of unity may be contained in a proper subfield F ⊂ Fqk . If F has cardinality ′ q k , where k ′ is rational and k ′ ≤ k, it follows that the security level is more accurately determined by k ′ than k. Thus when given an abelian variety A/Fq with embedding degree k and q not prime, to determine the security level of cryptosystems using A one must check whether the smallest F ⊂ Fqk containing μr — known as the minimal embedding field of A (with respect to r) — is in fact Fqk . H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 52–65, 2009. c Springer-Verlag Berlin Heidelberg 2009 

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

53

The purpose of this paper is to answer the following question: given an abelian variety A/Fq that has embedding degree k with respect to r, how can we guarantee that the minimal embedding field of A with respect to r is Fqk ? Rubin and Silverberg [16] have given an answer to this question in the case where A is supersingular by demonstrating a lower bound on r that guarantees that the minimal embedding field is Fqk . Their bound depends on q and on the dimension g of the supersingular abelian variety, but does not depend on k. The main result of this paper is to give explicit conditions on q, r, and k that guarantee that the minimal embedding field of an abelian variety A/Fq — supersingular or not — that has embedding degree k with respect to r is in fact Fqk . The conditions lead to a lower bound on r that depends on q and k, but not on the dimension g. When A is a supersingular elliptic curve or abelian surface, our bound improves on the result of Rubin and Silverberg in most of the cases relevant to cryptography. Our result thus guarantees more abelian varieties are suitable for use in pairing-based cryptography than any previous result had done. Our main theorem appears in Section 2. In Section 3 we apply our main theorem to the case of supersingular elliptic curves, which are known to have embedding degree k ∈ {1, 2, 3, 4, 6}. We conclude that when k is even and either the group order r is sufficiently large or the extension degree m is prime, then the minimal embedding field is Fqk . In particular, we deduce that the observation of Hitt and Rubin and Silverberg has no effect on the supersingular elliptic curves in characteristic 2 or 3 that are preferred for the implementation of pairingbased cryptosystems. When k is odd and r is sufficiently large we show that the minimal embedding field is either Fqk or Fqk/2 , depending on the sign of the trace of Frobenius. (In this case q is necessarily a square.) Section 4 gives analogous results for some supersingular abelian varieties of dimension g ≥ 2. Finally, in Section 5 we present some open problems related to this work.

2

A Framework for Analyzing the Minimal Embedding Field

In this section we set up the framework for our analysis of the minimal embedding field of abelian varieties. After giving formal definitions, we discuss the results of Hitt [10] and Rubin and Silverberg [15], and then state our main theorem. We first recall some standard terminology and notation. If K is a field then K denotes an algebraic closure of K. If q is a prime power then Fq denotes a field of q elements. We assume that we have fixed in advance a model of each finite field Fq (e.g. [2]) as well as embeddings Fq ֒→ Fqd for every positive integer d. An abelian variety is a smooth, projective, geometrically integral group variety. If A is an abelian variety defined over a field K, we denote by A(K) the group of K-rational points of A. An elliptic curve is a one-dimensional abelian variety. An elliptic curve E over a field K of characteristic p is supersingular if E(K) has no p-torsion points. A general abelian variety is supersingular if it is isogenous (over K)

54

N. Benger, M. Charlemagne, and D.M. Freeman

to a product of supersingular elliptic curves. An abelian variety A defined over K is simple if it is not isogenous over K to a product of lower-dimensional abelian varieties. Definition 2.1. Let A be an abelian variety defined over Fq , where q = pm for some prime p and integer m. Let r = p be a prime dividing #A(Fq ). The embedding degree of A with respect to r is the smallest integer k such that r divides q k − 1. Definition 2.2. Let A, q, and r be as above. The minimal embedding field of A with respect to r is the smallest extension of Fp containing the rth roots of unity μr ⊂ Fp . If A/Fq has embedding degree k with respect to r, then Fqk is the smallest extension of Fq containing the rth roots of unity. In particular, the r-Weil pairing ([17, §III.8] and [14, §16]) and the r-Tate pairing [4] take values in a subgroup and a quotient group of F∗qk , respectively. The key observation made by Rubin and Silverberg [15] and Hitt [10] is that these pairings actually take values in the minimal embedding field and that this field may be a proper subfield of Fqk . This observation, found in different forms in each paper, is expressed by Hitt as follows: Lemma 2.3 ([10, Lemma 1]). Let q = pm for some prime p and positive integer m, let r = p be a prime, and let k be the smallest integer such that r divides q k − 1. Then ordr (p) , k= gcd(ordr (p), m) where ordr (p) is the order of p in (Z/rZ)∗ . A result of this lemma is that the minimal embedding field of an abelian variety A/Fq is Fqk′ , where k ′ = ordr (p)/m ∈ Q , which is not necessarily the same as Fqk . Since the security of a pairing-based cryptosystem using A is determined by k ′ , this result implies that such a cryptosystem could be significantly less secure than previously believed. Indeed, Hitt gives examples of abelian varieties where k/k ′ = m, which is the largest possible ratio for these parameters [10, §4]. It is important to note that when the abelian variety is defined over a prime field (i.e., when m = 1) Hitt’s lemma has no effect, as the minimal embedding field is always Fqk . A natural question following from Lemma 2.3 is in what cases the embedding degree k is an accurate indicator of security. More precisely, we have: Question 2.4. Let A be an abelian variety over Fq that has embedding degree k with respect to r. Is the minimal embedding field of A with respect to r equal to Fqk ? Our goal is to give explicit conditions on q, r, and k such that the answer to Question 2.4 is yes.

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

55

In the case where A/Fq is supersingular and elementary (i.e., isogenous over Fq to a power of a simple abelian variety), Rubin and Silverberg have given conditions on q, r, and k that imply an affirmative answer to Question 2.4. Their theorem is phrased in terms of the cryptographic exponent cA , which is defined only for supersingular varieties. When A has embedding degree k with respect to a prime r and r ∤ 2k, the cryptographic exponent is the smallest halfinteger cA such that r divides q cA − 1. Thus cA is equal to either k or k/2; the latter can only occur when q is a square and k is odd [16, Definition 4.1 and Theorem 6.1]. Theorem 2.5 ([15, Theorem 7] and [16, Theorem 6.3]). Suppose A is an elementary supersingular abelian variety of dimension g over Fq , q = pm , r = p is a prime divisor of #A(Fq ), and s is the multiplicative order of p mod r. Let FA (x) ∈ Z[x] be the characteristic polynomial of Frobenius for A, and let f be the unique integer such that FA (x)1/f is irreducible in Z[x]. If q is a square, assume √ r > (1 + p)mg/2f . If q is not a square, assume r > (1 + p)2mg/3f and r > 7. Then ps = q cA , q , so Fqc A , q is the smallest extension of Fp whose multiplicative group has a subgroup of order r. We now turn our attention to proving our own bounds, which will apply to all abelian varieties, not just supersingular ones, and will improve on the bounds in Theorem 2.5 in many cases. Our theorem depends crucially on some results about cyclotomic polynomials. For k ∈ N , the kth cyclotomic polynomial Φk ∈ Z[x] is the minimal polynomial of a primitive kth root of unity in Q. The following lemma demonstrates the relevance of these polynomials to our problem. Lemma 2.6. Let q = pm be a prime power, and A/Fq be an abelian variety. Let r = p be a prime dividing #A(Fq ), and let k, s be integers not divisible by r. Then 1. A has embedding degree k with respect to r if and only if r | Φk (q). 2. The minimal embedding field of A with respect to r is Fps if and only if r | Φs (p). Proof. The first statement appears e.g. as [5, Proposition 2.4]; we observe that the same proof applies to the second statement. ⊓ ⊔ Lemma 2.6 allows us to rephrase Question 2.4 as follows: given that r divides Φk (pm ), does r divide Φkm (p)? To answer the question in this form we will use the following properties of cyclotomic polynomials, which appear in or can be easily derived from the discussion of [12, §VI.3]. Fact 2.7. Let Φk (x) denote the kth cyclotomic polynomial. Then  1. xk − 1 = d|k Φd (x). 2. The degree of Φk (x) is ϕ(k) := #{e ∈ Z : 1 ≤ e ≤ k and gcd(e, k) = 1}.

56

N. Benger, M. Charlemagne, and D.M. Freeman

3. If ℓ is a prime not dividing k, then Φk (xℓ ) = Φkℓ (x)Φk (x). 4. If ℓ is a prime dividing k, then Φk (xℓ ) = Φkℓ (x). We will also use the following lemma, an alternative proof of which can be found in [16, Lemma 5.2]. Lemma 2.8. If k and m are coprime, then  Φkd (x). Φk (xm ) =

(2.1)

d|m

Proof. We first compare the degrees of the polynomials on each side of (2.1). Clearly the left hand side has degree mϕ(k). Now for any coprime numbers x and y we have ϕ(xy) = ϕ(x)ϕ(y). Since (k, m) = 1 by assumption it is also true that (k, d) = 1 for all d | m. It follows that the degree of the right hand side of (2.1) is ϕ(k) d|m ϕ(d), which by Fact 2.7 (1) and (2) is equal to mϕ(k). We next compare the roots of the two polynomials. First, we observe that by Fact 2.7 (1) the right hand side divides xkm − 1 and thus has only simple roots. Now suppose ζ is a root of Φkd (x) for some d | m. Since ζ is a primitive kdth root of unity, ζ d is a primitive kth root of unity. Write m = de. Since gcd(k, e) = 1, it follows that (ζ d )e = ζ m is also a primitive kth root of unity, so ζ is also a root of Φk (xm ). Since the two polynomials in (2.1) are both monic and have the same degree, and furthermore all roots of the right hand side are simple and are also roots of the left hand side, we conclude that the two polynomials are equal. ⊓ ⊔ We are now prepared to give our main theorem, which we state as a fact about cyclotomic polynomials only, without reference to abelian varieties. Theorem 2.9. Let k be a positive integer, pm a prime power, and r a prime. Write m = αβ, where every prime dividing α also divides k and gcd(k, β) = 1. (This factorization is unique.) Denote by e the smallest prime factor of β. Suppose r | Φk (pm ) and that one of the following holds: 1. 2. 3. 4.

m = α (and β = 1); β is prime and r > Φkα (p); r > pkm/e ; or 4 | m or 2 | k, and r > pkm/2e + 1.

Then r | Φkm (p). Proof. We first note that Fact 2.7 (4) implies Φk (pm ) = Φkα (pβ ).

(2.2)

Since kα and β are coprime, Lemma 2.8 implies that Φk (pm ) has Φkm (p) as a factor. Our strategy in each case is to show that the remaining factors of Φk (pm ) are all smaller than r. Since r is prime, it then follows that if r divides Φk (pm ) then r divides Φkm (p).

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

57

We now consider each case separately: 1. Since m = α it follows immediately that Φk (pm ) = Φkm (p). 2. Since β is a prime not dividing kα, equation (2.2) and Fact 2.7 (3) imply that Φk (pm ) = Φkαβ (p)Φkα (p) = Φkm (p)Φkα (p). Since r > Φkα (p), it follows that r | Φkm (p). 3. By equation (2.2) and Lemma 2.8 we have   Φk (pm ) = Φkm/d (p). Φkdα (p) = d|β

(2.3)

d|β

By assumption we have r > pkm/d for all d | β except for d = 1, and by Fact 2.7 (1) we have pkm/d > Φkm/d (p) for all such d. It follows that r | Φkm (p). 4. Given the factorization of Φk (pm ) as in (2.3), the same analysis as in Case 3 shows that r > Φkm/d (p) for all d | β with d ≥ 2e. Since e is the smallest prime dividing β, if d | β and 1 < d < 2e then d is prime, so it suffices to show that r > Φkm/d (p) for all primes d dividing β. Let d be such a prime. The assumption 4 | m or 2 | k then implies that km/d is even. In this case we have xkm/d − 1 = (xkm/2d + 1)(xkm/2d − 1), and Φkm/d (x) must divide the first factor by Fact 2.7 (1). Since d ≥ e, if r > pkm/2e + 1 then r > Φkm/d (p). ⊓ ⊔ Using Lemma 2.6 to interpret Theorem 2.9 in the context of abelian varieties, we obtain the following corollary: Corollary 2.10. Let A be an abelian variety over Fq , where q = pm with p prime. Let r = p be a prime dividing #A(Fq ), and suppose A has embedding degree k with respect to r. Assume that r ∤ km. If q, k, and r satisfy any of the conditions (1)–(4) of Theorem 2.9, then the minimal embedding field of A with respect to r is Fpkm . We note that the case where m is prime, which is usually recommended for cryptographic applications in order to prevent Weil descent attacks (e.g., [8,9]), we usually have r ≈ pmg (where g = dim A) and m ≫ k, so we are in case (2) of Theorem 2.9. If p is small (p = 2 and p = 3 are common choices) then in this situation the bound on r given by the theorem is very weak; i.e., A will have minimal embedding field Fpkm with respect to any r that is even remotely close to cryptographic size. Ideally we would also like to apply Theorem 2.9 to abelian varieties over finite fields that are not pairing-friendly. Specifically, if A/Fq is an abelian variety chosen for a non-pairing-based cryptographic protocol, one wants to make sure that the discrete logarithm problem in A(Fq )[r] cannot be reduced to a more tractable discrete logarithm problem in a finite field. Thus one must ensure not only that the embedding degree k is sufficiently large, but also that the minimal embedding field is sufficiently large. However, if k ≫ m and the dimension g is small then none of the conditions of Theorem 2.9 can be expected to hold: condition (1) is very unlikely and conditions (2)–(4) would require r ≫ q g , which is impossible.

58

N. Benger, M. Charlemagne, and D.M. Freeman

Remark 2.11. If k is odd and m is even then Φk (xm ) = Φk (xm/2 )Φ2k (xm/2 ). Since ϕ(k) = ϕ(2k) for odd k, these two factors have the same degree and we cannot use the above techniques to show that r divides Φkm (p) and does not divide Φkm/2 (p). Applying Theorem 2.9 recursively to each factor allows us to determine conditions on q, k, and r guaranteeing that r divides one of the two expressions Φkm (p) and Φkm/2 (p), but additional information is needed to determine which one. In the context of pairing-friendly curves, this situation rarely occurs as even embedding degrees are preferred as are prime values for m. However, see Propositions 3.6 and 3.8 below for some specific cases where it does occur.

3

Supersingular Elliptic Curves over Non-prime Fields

In this section we focus on supersingular elliptic curves, which are the most well known pairing-friendly abelian varieties defined over non-prime fields. If E is an elliptic curve defined over the finite field Fq , then the number of Fq -rational points is given by #E(Fq ) = q + 1 − t, where t is the trace of the q-power Frobenius endomorphism. A theorem of Hasse (the “Hasse-Weil bound”) says √ that |t| ≤ 2 q [17, Theorem V.1.1]. An elliptic curve E is supersingular if and only if gcd(t, q) > 1 [17, Ex. 5.10]. Menezes, Okamoto and Vanstone [13] gave a complete classification of supersingular elliptic curves over finite fields Fq , with q = pm . They showed that five possible embedding degrees k can occur, corresponding to five possible absolute values of the trace of Frobenius t: k t #E(Fq ) p, m √ √ 1 ±2 q q ∓ 2 q + 1 any p, m even 2 0 q+1 any p, any m √ √ 3 ± q q ∓ q + 1 p ≡ 2 mod 3, m even √ √ 4 ± 2q q ∓ 2q + 1 p = 2, m odd √ √ 6 ± 3q q ∓ 3q + 1 p = 3, m odd When comparing the sizes of r and q as in Theorem 2.5, it is useful to introduce a parameter ρ, which roughly approximates the ratio of the bit size of the entire group A(Fq ) to the bit size of r. Definition 3.1. Let A be a g-dimensional abelian variety over Fq , and suppose log q r divides #A(Fq ). The ρ-value of A (with respect to r), denoted ρ(A), is glog r . Since the speed of computations on A(Fq ) is, to an extent, determined by #A(Fq ) ≈ q g but security is determined by the size of r, for fast implementations one usually wishes to choose an A with r as close to #A(Fq ) as possible; that is, with ρ-value as close to 1 as possible. In practice one must also take into account the required balance of security required for a fixed k [5, Table 1.1] as well as the cost of arithmetic and pairing operations on the elliptic curves under consideration.

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

59

We first consider the families of supersingular elliptic curves with embedding degrees 4 and 6, in characteristic 2 and 3 respectively. These families are often proposed for use in pairing-based cryptography as their embedding degrees are the maximum possible for supersingular elliptic curves, it is easy to generate curves of near-prime order, and there has been much work on optimizing curve arithmetic in small characteristic (e.g., [3, §13.3]). We conclude in both cases that if either m is prime or r is sufficiently large (though not necessarily close to q), then the minimal embedding field is Fqk . In actual pairing-based cryptosystems at least one of these conditions always holds, so we deduce that the observation of Hitt (Lemma 2.3) and Rubin and Silverberg has no effect in practice. Proposition 3.2 (k = 4). Let q = 2m with m odd, and let E be a supersingular elliptic curve over Fq that has embedding degree 4 with respect to a prime r ∤ 2m. If either   1 3 1− , or – ρ< 2 log2 r – m is prime and r > 5, then E has minimal embedding field Fq4 . Proof. If we write m = αβ as in Theorem 2.9, then the smallest prime dividing β must be at least 3. Thus if r > q 2/3 + 1 then condition (4) of Theorem 2.9 is satisfied. If m is prime and r > 5 = Φ4 (2) then condition (2) of Theorem 2.9 is satisfied. In both cases, by Corollary 2.10 E has minimal embedding field Fq4 . An easy calculation shows that if ρ < 23 (1 − log1 r ) then r > q 2/3 + 1. ⊓ ⊔ 2

m

Proposition 3.3 (k = 6). Let q = 3 with m odd, and let E be a supersingular elliptic curve over Fq that has embedding degree 6 with respect to a prime r ∤ 6m. If either   1 5 1− , or – ρ< 3 log2 r – m is prime and r > 7, then E has minimal embedding field Fq6 . Proof. The proof is entirely analogous to that of Proposition 3.2.

⊓ ⊔

Remark 3.4. In both of the above cases the cryptographic exponent cA,q defined by Rubin and Silverberg is equal to k. Rubin and Silverberg’s result (Theorem 2.5) thus implies that when k = 4, the conclusion of Proposition 3.2 holds 3 log 2√ ≈ 1.18, and that when k = 6, the conclusion of Propowhenever ρ < 2 log(1+ 2)

3 log 3√ ≈ 1.64. Thus in both cases our result sition 3.3 holds whenever ρ < 2 log(1+ 3) is stronger (i.e., requires a weaker upper bound on ρ) for sufficiently large r. In particular, since ρ ≈ 3/2 is recommended for k = 4 curves to achieve a security level equivalent to an 80-bit symmetric-key system [5, Table 1.1], our result shows that supersingular k = 4 curves are appropriate for this security level for any extension degree m.

60

N. Benger, M. Charlemagne, and D.M. Freeman

For some implementations one may wish to use supersingular elliptic curves with very small embedding degrees. We thus continue our analysis by investigating the cases 1 ≤ k ≤ 3. The case k = 2 is the most straightforward. Proposition 3.5 (k = 2). Let q = pm , and let E be a supersingular elliptic curve over Fq that has embedding degree 2 with respect to a prime r ∤ 2m. If either   1 , or – ρ p + 1,

then E has minimal embedding field Fq2 . Proof. The proof is entirely analogous to that of Proposition 3.2.

⊓ ⊔

Rubin and Silverberg’s result (Theorem 2.5) says that the conclusion of Proposition 3.5 holds whenever ρ < 2 − ǫ when m is even and whenever ρ < 3 − ǫ when m is odd, with ǫ → 0 as p → ∞. Thus our result is stronger when m is even. The cases k = 1 and k = 3 are more subtle, as we cannot avoid the possibility that the minimal embedding field is Fpk/2 even when r is very large. However, if we know the sign of the trace we can apply Theorem 2.9 to determine when the minimal embedding field is Fpk or Fpk/2 . Proposition 3.6 (k = 1). Let q = pm with m even, and let E be a supersingular elliptic curve over Fq that has embedding degree 1 with respect to a prime r ∤ m. If E has trace −2pm/2 and ρ < 6(1 − log1 r ), then E has minimal embedding field 2

Fq . If E has trace 2pm/2 and ρ < 4, then E has minimal embedding field Fq1/2 . ′

′

Proof. Let m′ = m/2. Suppose E has trace −2pm . Then #E(Fq ) = (pm + 1)2 , ′ so r divides Φ2 (pm ). We now apply Theorem 2.9 with k = 2 and m = m′ . ′ If we write m = αβ as in the theorem, then the smallest prime dividing the ′ β of Theorem 2.9 must be at least 3. Thus if r > pm /3 + 1 = q 1/6 + 1 then condition (4) of the theorem is satisfied, so by Corollary 2.10 E has minimal embedding field Fp2m′ = Fq . An easy calculation shows that if ρ < 6(1 − log1 r ) 2

then r > q 1/6 + 1. ′ ′ Now suppose E has trace 2pm . Then #E(Fq ) = (pm − 1)2 , so r divides ′ ′ Φ1 (pm ). We now apply Theorem 2.9 with k = 1 and m = m′ . If r > pm /2 = q 1/4 (or equivalently, if ρ < 4) then condition (3) of the theorem is satisfied, so by Corollary 2.10 E has minimal embedding field Fpm′ = Fq1/2 . ⊓ ⊔ When k = 1, Rubin and Silverberg’s cryptographic exponent cA is equal to 1 when E has negative trace and 1/2 when E has positive trace; in both cases the integer f of Theorem 2.5 is equal to 2. Thus Theorem 2.5 says that the conclusion of Proposition 3.6 holds whenever ρ < 4 − ǫ, with ǫ → 0 as p → ∞. Our result is stronger for the first case as well as for small p. Remark 3.7. Proposition 3.6 demonstrates the somewhat surprising fact that the minimal embedding field of an elliptic curve E can be smaller than the

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

61

field of definition of E. In fact such a curve is easy to construct. Let p > 3 be prime, and let E/Fp be a supersingular elliptic curve over Fp . Let E ′ /Fp2 be a quadratic twist of E over Fp2 ; that is, a curve equipped with an isomorphism between (Weierstrass models of) E and E ′ given by (x, y) → (ux, u3/2 y) for some non-square1 u ∈ F∗p2 . Then #E ′ (Fp2 ) = (p − 1)2 , and the minimal embedding field of E ′ with respect to any r | p − 1 is Fp . Finally, we consider the case of embedding degree k = 3. As with k = 1, the minimal embedding field can be determined from the sign of the trace. Proposition 3.8 (k = 3). Let q = pm with m even, and let E be a supersingular elliptic curve over Fq that has embedding degree 3 with respect to a prime r ∤ 3m. 1 If E has trace pm/2 and ρ < 10 3 (1 − log r ), then E has minimal embedding field 2

Fq3 . If E has trace −pm/2 and ρ < 4/3, then E has minimal embedding field Fq3/ 2 . Proof. The proof is entirely analogous to that of Proposition 3.6.

⊓ ⊔

When k = 3, Rubin and Silverberg’s cryptographic exponent cA is equal to 3 when E has positive trace and 3/2 when E has negative trace. Thus Theorem 2.5 says that the conclusion of Proposition 3.8 holds whenever ρ < 2 − ǫ, with ǫ → 0 as p → ∞. Our result is stronger for the first case.

4

Higher-Dimensional Supersingular Abelian Varieties

In this section we briefly sketch the application of our main result to supersingular abelian varieties of dimension g ≥ 2 defined over non-prime fields. Such varieties have been proposed for use in pairing-based cryptography as they have the potential to be more efficient than supersingular elliptic curves. We first consider simple supersingular abelian varieties of dimension g = 2. Such varieties, known as abelian surfaces, can be described as Jacobians of genus 2 curves. Cardona and Nart [1] give a detailed description of the possible group orders and embedding degrees for simple supersingular abelian surfaces, analogous to the Menezes-Okamoto-Vanstone classification for elliptic curves. Table 1 lists each isogeny class of simple supersingular abelian surfaces over Fq (with q = pm ) and its embedding degree k, as calculated by Cardona and Nart. The isogeny classes are described by a pair of integers (s, t), which correspond to the coefficients of the characteristic polynomial of Frobenius x4 + sx3 + tx2 + sqx + q 2 . An asterisk next to the embedding degree indicates that the minimal embedding field is Fqk/2 , not Fqk . When the extension degree m is prime, as is most often the case in cryptography, Corollary 2.10 tells us that if r > Φk (p) then the minimal embedding field of a supersingular abelian surface with respect to r is Fpk . For the cases of small characteristic most often proposed for cryptography, we have the following: 1

If j(E) = 0 then u must also be a cube; if j(E) = 1728 then u must be a square but not a fourth power.

62

N. Benger, M. Charlemagne, and D.M. Freeman

Proposition 4.1. Let A be a simple supersingular abelian surface over Fq , where q = pm , p ∈ {2, 3, 5}, and m is prime. Suppose A has embedding degree k with respect to a prime r > m. If r > 781 then the minimal embedding field of A with respect to r is Fqk . For more general situations, Table 1 gives two parameters for each isogeny class that are related to the minimal embedding field. A value of a in the column “Cor. 2.10 max ρ” indicates that whenever r ∤ km is prime and ρ < a, Corollary 2.10 implies that an abelian variety in the isogeny class has minimal embedding field Fqk with respect to r (or Fqk/2 in the asterisked cases). When the value is a − ǫ one can take ǫ = a/ log2 r. A value of b in the column “RS max ρ” indicates that whenever r is prime and ρ < b, Rubin and Silverberg’s result (Theorem 2.5) implies that an abelian variety in the isogeny class has minimal embedding field Fqk with respect to r (or Fqk/2 in the asterisked cases). When p is not fixed, the values b are limits as p → ∞. Table 1. Maximal ρ-values guaranteeing a simple supersingular abelian surface over Fq (q = pm) with embedding degree k has minimal embedding field Fqk (Fqk/2 in the cases marked with a *) (s, t) (0, −2q) (0, 2q) √ (2 q, 3q) √ (−2 q, 3q) (0, 0) (0, 0) (0, q) (0, −q) (0, −q) √ ( q, q) √ (− √ q, q) (± √5q, 3q) (± 2q, q)

conditions on p and m m odd m even, p ≡ 1 (mod 4) m even, p ≡ 1 (mod 3) m even, p ≡ 1 (mod 3) m odd, p = 2 m even, p ≡ 1 (mod 8) m odd m odd, p = 3 m even, p ≡ 1 (mod 12) m even, p ≡ 1 (mod 5) m even, p ≡ 1 (mod 5) m odd, p = 5 m odd, p = 2

k Cor. 2.10 max ρ RS max ρ 1 6 6 2 6−ǫ 4 3* 8/3 4 3 20/3 − ǫ 4 4 3−ǫ 3 4 3−ǫ 2 3 10/3 3 6 10/3 − ǫ 3 6 10/3 − ǫ 2 5* 8/5 2 5 12/5 − ǫ 2 5 6/5 2.06 12 5/3 − ǫ 1.18

We conclude our analysis by applying our main result to a particularly interesting case of a supersingular abelian variety in dimension g = 4. Rubin and Silverberg [15, §5.1] show that if q = 3m and E is a supersingular elliptic curve over Fq with embedding degree 6, then there is a simple 4-dimensional abelian variety A/Fq with embedding degree k = 30. This A can be constructed as a subvariety of the restriction of scalars ResFq5 /Fq E. The ratio k/g = 7.5 is the largest known for a supersingular abelian variety, which makes the variety appealing for practical use as it allows for higher security levels using fewer bits than a k = 6 elliptic curve or a k = 12 abelian surface.

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

63

Proposition 4.2. Let q = 3m with m odd, and let A be a simple supersingular 4-dimensional abelian variety over Fq that has embedding degree 30 with respect to a prime r ∤ 30m. If either   28 1 – ρ< 1− , or 15 log2 r – m is prime and r > 8400, then A has minimal embedding field Fq30 . Proof. The proof is entirely analogous to that of Proposition 3.2.

⊓ ⊔

We note that if A is an abelian variety as in Proposition 4.2, Rubin and Silverberg’s result (Theorem 2.5) shows that the result holds whenever r > (1 + √ 3)8m/3 , or ρ  1.64. Thus our result (ρ  1.87) is stronger.

5

Conclusion

Given an abelian variety A defined over a finite field Fq such that A has embedding degree k with respect to a subgroup of prime order r, we consider the question of whether the minimal embedding field of A with respect to r is Fqk . A positive answer to this question implies that the embedding degree k is a good measure of the security level of a pairing-based cryptosystem that uses A. Our main results, Theorem 2.9 and Corollary 2.10, give explicit conditions on the field size q, the embedding degree k, and the subgroup order r that imply an affirmative answer to our question. We have applied our theorem to supersingular elliptic curves (Section 3) and to supersingular genus 2 curves (Section 4), in each case computing a maximum ρ-value for which the minimal embedding field must be Fqk . Our results are in most cases stronger (i.e., give larger allowable ρ-values) than the corresponding result of Rubin and Silverberg (Theorem 2.5). Our result thus guarantees more abelian varieties are suitable for use in pairing-based cryptography than any previous result had done. Our theorem holds for general abelian varieties, not only supersingular ones. There are several results demonstrating the existence of non-supersingular abelian varieties over non-prime fields with small embedding degree [7,10], but at present there is only a single explicit construction of such varieties. This construction, due to Hitt O’Connor et al. [11, Algorithm 3], produces abelian surfaces over Fp2 with p-rank 1 (i.e., neither ordinary nor supersingular) and ρ ≈ 16. These ρ-values are far too large both for practical use and for Corollary 2.10 to provide a useful result. It is thus an open problem to construct non-supersingular abelian varieties — including elliptic curves — over non-prime fields with small embedding degree and ρ < 16. Such a construction would not only expand our library of pairing-friendly abelian varieties but could potentially lead to improvement in the performance of pairing-based protocols, in the same way that elliptic curves over non-prime fields can lead to performance improvements for standard elliptic curve cryptography [6]. Once such varieties are constructed, our results can be used to determine whether the embedding degree also describes the minimal embedding field of these varieties.

64

N. Benger, M. Charlemagne, and D.M. Freeman

Acknowledgments The authors thank Mike Scott for advice and support and Rob Granger, Laura Hitt O’Connor, Gary McGuire, and the anonymous referees for helpful comments on earlier versions of this work. The first and second authors are supported by Science Foundation Ireland under Grant No. 07/RFP/CMSF428. The third author is supported by a National Science Foundation International Research Fellowship, with additional support from the Office of Multidisciplinary Activities in the NSF Directorate for Mathematical and Physical Sciences.

References 1. Cardona, G., Nart, E.: Zeta function and cryptographic exponent of supersingular curves of genus 2. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 132–151. Springer, Heidelberg (2007) 2. de Smit, B., Lenstra, H.W.: Standard models for finite fields. Lecture notes (2008), http://www.math.leidenuniv.nl/~ desmit/papers/standard_models.pdf 3. Doche, C., Lange, T.: Arithmetic of elliptic curves. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 267–302. Chapman & Hall/CRC, Boca Raton (2006) 4. Duquesne, S., Frey, G.: Background on pairings. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 115–124. Chapman & Hall/CRC, Boca Raton (2006) 5. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. To appear in Journal of Cryptology (preprint, 2009), http://eprint.iacr.org/2006/372 6. Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009) 7. Galbraith, S., McKee, J., Valen¸ca, P.: Ordinary abelian varieties having small embedding degree. Finite Fields and their Applications 13, 800–814 (2007) 8. Gaudry, P.: Index calculus for abelian varieties and the elliptic curve discrete logarithm problem. To appear in J. Symbolic Computation. Preprint, http://www.loria.fr/~ gaudry/publis/indexcalc.pdf 9. Gaudry, P., Hess, F., Smart, N.P.: Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology 15, 19–46 (2002) 10. Hitt, L.: On the minimal embedding field. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 294–301. Springer, Heidelberg (2007) 11. Hitt O’Connor, L., McGuire, G., Naehrig, M., Streng, M.: CM construction of genus 2 curves with p-rank 1. Cryptology ePrint Archive, Report 2008/491 (2008), http://eprint.iacr.org/2008/491 12. Lang, S.: Algebra, revised third edn. Graduate Texts in Mathematics, vol. 211. Springer, New York (2002) 13. Menezes, A., Okamoto, T., Vanstone, S.: Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Transactions on Information Theory 39, 1639– 1646 (1993)

On the Security of Pairing-Friendly Abelian Varieties over Non-prime Fields

65

14. Milne, J.S.: Abelian varieties. In: Gornell, G., Silverman, J. (eds.) Arithmetic Geometry, pp. 103–150. Springer, New York (1986) 15. Rubin, K., Silverberg, A.: Supersingular abelian varieties in cryptology. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 336–353. Springer, Heidelberg (2002) 16. Rubin, K., Silverberg, A.: Using abelian varieties to improve pairing-based cryptography. Journal of Cryptology 22, 330–364 (2009) 17. Silverman, J.: The Arithmetic of Elliptic Curves. Graduate Texts in Mathematics, vol. 106. Springer, New York (1986)

Generating Pairing-Friendly Curves with the CM Equation of Degree 1 Hyang-Sook Lee and Cheol-Min Park⋆ Department of Mathematics, Ewha Womans University, Seoul 120-750, S. Korea {hsl,mpcm}@ewha.ac.kr

Abstract.

Refinements of the Brezing-Weng method have provided

families of pairing-friendly curves with improved ρ-values by using noncyclotomic polynomials that define cyclotomic fields. We revisit these methods via a change-of-basis matrix and completely classify a basis for a cyclotomic field to produce a family of pairing-friendly curves with a CM equation of degree 1. Using this classification, we propose a new algorithm to construct Brezing-Weng-like elliptic curves having the CM equation of degree 1, and we present new families of curves with larger discriminants.

1

Introduction

Research on pairing-based cryptography has been getting a great deal of attention over the past few years. Since 2000, a number of new protocols have been proposed based on the cryptographic pairings, such as identity-based key exchange [17], one-round tripartite key agreement [11], identity-based encryption [4], and short digital signature [5]. For the practical realization of these protocols, they must be implemented using some special curves, so called pairing-friendly curves with a large prime order subgroup whose embedding degree is small enough that computations in the finite field are feasible. One approach using pairing-friendly curves relies on supersingular elliptic curves. Over these curves, however, the embedding degrees are limited to {1, 2, 3, 4, 6}. Another approach is to use the ordinary elliptic curves with small embedding degree. However, since these curves are rare, according to the result of Balasubramania and Koblitz [2], it is necessary to develop algorithms to construct suitable pairing-friendly curves. Many algorithms have been proposed to construct pairing-friendly ordinary elliptic curves. One general method is the Brezing and Weng method [6], which generates polynomial families of curves by using a defining polynomial r(x) of a cyclotomic field or its extension field. Usually, the defining polynomial of cyclotomic field Q(ζk ) for a primitive kth root of unity ζk is the kth cyclotomic polynomial Φk (x). But if ⋆

This work was supported by the Korea Research Foundation Grant funded by the Korean Government(MOEHRD, Basic Research Promotion Fund)(KRF-2008-1645-1-1).

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 66–77, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

67

we use an irreducible factor of Φk (u(x)) for some u(x) ∈ Q[x], we can obtain a different defining polynomial of the cyclotomic field Q(ζk ) or its extension field. Using this idea, Galbraith, Mckee, and Valenca demonstrated the existence of ordinary abelian varieties of dimension 2 having small embedding degrees [10]. Building on this work, Barreto and Naehrig [3], and Freeman [8] constructed pairing-friendly elliptic curves of prime order. If we choose an irreducible factor r(x) of Φk (u(x)) such that the degree of r(x) is ϕ(k), r(x) will define the same cyclotomic field Q(ζk ). But in some cyclotomic fields, a careful choice of r(x) can produce a pairing-friendly curve with better ρ-values than curves constructed from Φk (x). Working from this idea, Kachisa, Schaefer and Scott [13] developed a method for constructing pairing-friendly elliptic curves with better ρ-values. In a method that uses the factorization of Φk (u(x)), the difficult part is how to choose a u(x) that will produce an irreducible factor of Φk (u(x)). Lemma 1 in Galbraith, Mckee and Valenca [10] offers one solution to this problem by providing the criterion for u(x) to give a factorization of Φk (u(x)). Another solution is provided by Tanaka and Nakamula [18]. They proposed a method of finding u(x) such that Φk (u(x)) has an irreducible factor of degree ϕ(k), reducing the problem of finding an appropriate u(x) to solving a system of multivariate polynomial equations for the coefficients of u(x) using a matrix. We observe that Tanaka and Nakamula’s method can be also described via a change-of-basis matrix, because finding an irreducible factor of Φk (u(x)) with degree ϕ(k) is equivalent to finding a basis for Q(ζk ). Based on this idea, we completely classify a basis for Q(ζk ) which gives pairing-friendly elliptic curves with the CM equation of degree 1. From this classification, we can avoid the exhaustive search to find u(x) such that Φk (u(x)) has an irreducible factor of degree ϕ(k) and the CM equation of curves constructed from u(x) has degree 1. Using a change-of-basis matrix and this classification of a basis for Q(ζk ), we propose a new algorithm to construct Brezing-Weng-like elliptic curves with the CM equation of degree 1. Unlike the previous Brezing-Weng-like elliptic curves with small discriminants, we present new families of curves with larger discriminants which are less than 1010 . The paper is organized as follows: Section 2 reviews the basic definitions related to pairing-friendly curves and methods involved in the construction of the curves. Section 3 reviews the method that uses the factorization of Φk (u(x)) via a change-of-basis matrix. Section 4 presents the complete classification of a basis for Q(ζk ) which gives pairing-friendly elliptic curves with the CM equation of degree 1 and also gives an algorithm and examples. Section 5 discusses further works regarding our results and offers a conclusion.

2

Pairing-Friendly Elliptic Curves

In this section, we briefly review the definitions and methods involved in the construction of pairing-friendly curves. For a good survey, see [9].

68

H.-S. Lee and C.-M. Park

Let E be an elliptic curve defined over a prime finite field Fq . Let r be a large prime factor of #E(Fq ), and let k be the smallest integer such that r|(q k − 1); such a k is called the embedding degree with respect to r. A pairing-friendly curve is formally defined as follows [9]. Definition 1. We say that E is pairing-friendly if the following two conditions hold: √ (1) there is a prime r ≥ q dividing #E(Fq ), and (2) the embedding degree of E with respect to r is less than log2 (r)/8. There are a number of methods for constructing pairing-friendly elliptic curves with the prescribed embedding degree k. These methods all have the following essential steps: (1) Look for suitable values of the parameters, including the embedding degree, k; the cardinality of the finite field, q; the trace of the Frobenius endomorphism of the curve, t; the prime order of the subgroup, r. (2) Use the Complex Multiplication(CM) method to find the equation of the curve [1]. Like Proposition 2.4 in [9], if we assume k ∤ r, the definition of the embedding degree k with respect to r is equivalent to Φk (q) ≡ 0 (mod r) where Φk (x) is the kth cyclotomic polynomial. Since r is a factor of #E(Fq ) = q + 1 − t, it is also equivalent to Φk (t − 1) ≡ 0 (mod r). For the step (2), we need an additional parameter, the CM discriminant which is defined as the square-free part D of the nonnegative integer 4q − t2 . For practical reasons, D must be less than 1013 by recent work of Sutherland [16]. Brezing and Weng constructed a family of pairing-friendly curves using polynomials to represent the parameters q, t and r. To describe this method, we first need the following definitions. Definition 2. ([9]) Let f (x) be a polynomial with rational coefficients. We say f represent primes if the following conditions are satisfied: (1) f (x) is non-constant. (2) f (x) has positive leading coefficients. (3) f (x) is irreducible. (4) f (x) ∈ Z for some x ∈ Z. (5) gcd{f (x)|x, f (x) ∈ Z} = 1. Definition 3. ([9]). Let t(x), r(x), q(x) be polynomials with rational coefficients. For a given positive integer k and positive square-free integer D, the triple (t, r, q) represents a family of elliptic curves with embedding degree k and discriminant D if the following conditions are satisfied:

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

69

(1) q(x) = p(x)d for some d ≥ 1 and p(x) that represents primes. (2) r(x) = c · r(x), where r(x) represents primes and c ∈ N is a constant. (3) q(x) = h(x)r(x) − 1 + t(x) for some h(x) ∈ Q[x]. (4) r(x) divides Φk (t(x) − 1), where Φk is the kth cyclotomic polynomial. (5) The equation Dy 2 = 4q(x)−t(x)2 has infinitely many integer solutions (x, y). The equation in condition (5) is called the CM equation. Note that since q(x) + 1 − t(x) = h(x)r(x), the CM equation is equivalent to Dy 2 = f (x) = 4h(x)r(x) − (t(x) − 2)2 . If c and h(x) are equal to 1 in conditions (2) and (3), respectively, the elliptic curve group has prime order. This is the ideal case for security and efficiency. The ρ-value that represents how close a given family of curves is to the ideal curve is defined as follow: Definition 4. ([9]) Let t(x), r(x), q(x) ∈ Q[x], and suppose that (t(x), r(x), q(x)) represents a family of elliptic curves with embedding degree k. The ρ-value of the family represented by (t(x), r(x), q(x)) is: ρ = lim

x→∞

deg q(x) log(q(x)) = . log(r(x)) deg r(x)

The Brezing-Weng method [6,9] is summarized below as Algorithm 1. Algorithm 1. The Brezing-Weng method INPUT: embedding degree k, CM discriminant D. OUTPUT: t(x), r(x), q(x) √ 1: Choose a number field K containing −D and a primitive kth root of unity ζ k . 2: Find an irreducible polynomial r (x ) ∈ Z[x ] such that Q[x ]/(r(x)) ∼ = K. 3: Let t(x) ∈ Q[x] be a polynomial mapping to ζk + 1 ∈ K. √ 4: Let y(x) ∈ Q[x] be a polynomial mapping to (ζk − 1)/ −D ∈ K. 5: Let q(x) = (t(x)2 + Dy(x)2 )/4. If q(x) and r(x) represent primes, 6: then output t(x), r(x), q(x).

3

A Change-of-Basis Matrix in Q(ζk)

Since the work of Brezing and Weng, a number of algorithms have been proposed for the construction of a family of pairing-friendly curves using factorization of cyclotomic polynomials [10,3,8,13,18]. These methods rely on using a polynomial r(x) that defines a cyclotomic field but is not a cyclotomic polynomial. In this section, we revisit the method in [18] via a change-of-basis matrix in Q(ζk ). Throughout the paper, we will consider two sets, Bθ and Bζk , defined as: Bθ = {1, θ, θ2 , . . . , θϕ(k)−1 },

ϕ(k)−1

Bζk = {1, ζk , ζk2 , . . . , ζk

}

where ζk is a primitive kth root of unity and θ is an element of Q(ζk ). We also assume that k is greater than or equal to 3.

70

H.-S. Lee and C.-M. Park

Lemma 1. Let ζk be a primitive kth root of unity and Q(ζk ) be the kth cyclotomic field. Let u(x) be a polynomial with rational coefficients. Then u(x) = ζk has a solution in Q(ζk ) if and only if Φk (u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k). Proof. Refer to Lemma 5.1 in [10]. Lemma 2. Let u(x) be a polynomial with rational coefficients. Then the following statements are equivalent. (1) Φk (u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x). (2) Q(ζk ) has a basis Bθ such that ζk = u(θ). Proof. Let θ be the root of r(x). Since Φk (u(θ)) = 0 and r(x) has degree ϕ(k), we have u(θ) = ζk and Q(θ) = Q(ζk ). Hence Bθ become a basis for Q(ζk ). Conversely, if Bθ is a basis for Q(ζk ), ζk can be written as c0 + c1 θ + · · · + cϕ(k)−1 θϕ(k)−1 for some c0 , . . . , cϕ(k)−1 ∈ Q and so u(x) = c0 + c1 x + · · · + cϕ(k)−1 xϕ(k)−1 = ζk has a solution in Q(ζk ). Then (1) follows from Lemma 1. ⊓ ⊔ Therefore, to find u(x) satisfying the condition of Lemma 1 is equivalent to finding a basis Bθ for Q(ζk ) and a representation of ζk by elements in Bθ . ϕ(k)−1 for some To find a basis for Q(ζk ), let θ be a0 1 + a1 ζk + · · · + aϕ(k)−1 ζk  ϕ(k) i j−1 = i=1 Pij ζk for j = 1, . . . , ϕ(k) where Pij a0 , . . . , aϕ(k)−1 ∈ Q. We have θ is a polynomial of a0 , a1 , . . . , aϕ(k)−1 . We consider the ϕ(k) × ϕ(k) matrix P whose i, j entry is Pij . It is easy to see that a necessary and sufficient condition for Bθ to be a basis for Q(ζk ) is that the determinant of P is nonzero. Definition 5. A matrix P that is constructed as above will be referred as a transition matrix from Bθ to Bζk . If Bθ is a basis for Q(ζk ), then P is also referred as a change-of-basis matrix [14]. Definition 6. Let B = {v1 , v2 , . . . , vn } be an ordered basis for Q(ζk ) and let x be an element in Q(ζk ) such that x = c1 v1 + c2 v2 + · · · + cn vn . The coordinate vector of x relative to B is (c1 , c2 , . . . , cn ). and we will denote it by [x]B . We will also use the notation v T to refer to the transpose of a vector v. Then Lemma 2 can be restated as follows. Lemma 3. Φk (u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x) ∈ Q[x] if and only if there exist a set Bθ in Q(ζk ) such that det(P ) = 0 and the coefficient vector of u(x) is P −1 · [ζk ]TBζ where P is the transition matrix k from Bθ to Bζk .

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

71

Proof. This follows directly from Theorem 4.20 in [14], along with Lemma 1 and Lemma 2. Remark 1. (1) Since [ζk ]Bζk = (0, 1, 0, . . . , 0), the coefficient vector of u(x) is the second column vector of P −1 . (2) In general, Lemma 1 also holds under the condition of u(x) = ζkl for some l ∈ (Z/kZ)∗ . Hence Φk (u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for u(x) ∈ Q[x] with a coefficient vector P −1 · [ζkl ]TBζ . k

4

New Families of Pairing-Friendly Curves with the CM Equation of Degree 1

Proposition 1. Let θ = a0 − 2a1 ζkl + a1 ζk2l for some a0 , a1 (= 0) ∈ Q and l ∈ (Z/kZ)∗ . Let Pl be the transition matrix from Bθ to Bζk . Then (1) Bθ is a basis for Q(ζk ). (2) For u(x) with a coefficient vector Pl−1 · [ζkl ]TBζ , Φk (u(x)) has an irreducible k factor r(x) ∈ Q[x] of degree ϕ(k). (3) Let d(x) be −(u(x) − 1)2 (mod r(x)). Then d(x) = (−1/a1 )x − (a1 − a0 )/a1 . (4) Let t(x) be u(x) + 1 and q(x) be (t(x)2 + d(x))/4. If q(x) and r(x) represent primes, then (t(x), r(x), q(x)) represents a family of elliptic curves with an embedding degree k and the CM equation 4q(x) − t(x)2 = d(x). Proof. (1) Consider the Galois group of Q(ζk ) over Q, AutQ Q(ζk ). Then σi (ζk ) = ζki for σi ∈ AutQ Q(ζk ) and i ∈ (Z/kZ)∗ by Theorem 8.1 in [12]. Since θ = a1 (ζkl − 1)2 + a0 − a1 and (σi (ζkl ) − 1)2 = (σj (ζkl ) − 1)2 for i = j ∈ (Z/kZ)∗ , we have σi (θ) = σj (θ). Thus, if g(x) is a minimal polynomial of θ, g(x) must have at least ϕ(k) roots. Hence Q(ζk ) = Q(θ) and Bθ is a basis for Q(ζk ). (2) This follows from (1) and Lemma 3. (3) Let d(x) = b0 + b1 x + · · · + bϕ(k)−1 xϕ(k)−1 . Since u(θ) = ζkl and r(θ) = 0 by (2), d(θ) = −(ζkl − 1)2 . From the condition on θ, we have (1/a1 )θ + (a1 − a0 )/a1 = (ζkl − 1)2 . Since the representation of (ζkl − 1)2 by Bθ is unique, b0 = −(a1 − a0 )/a1 , b1 = −1/a1 , b2 = · · · = bϕ(k)−1 = 0. (4) This follows from [6]. The converse of Proposition 1 also holds. Proposition 2. Suppose Φk (u(x)) has an irreducible factor r(x) ∈ Q[x] of degree ϕ(k) for some u(x) ∈ Q[x]. Let t(x) = u(x)+1 and q(x) = r(x)·h(x)+t(x)−1 for some h(x) ∈ Q[x]. If d(x) = 4q(x) − t(x)2 has degree 1, then there exists a basis Bθ for Q(ζk ) such that θ = a0 − 2a1 ζkl + a1 ζk2l for some a0 , a1 (= 0) ∈ Q and l ∈ (Z/kZ)∗

72

H.-S. Lee and C.-M. Park

Proof. Since q(x) = r(x)·h(x)+t(x)−1, we have d(x) = 4r(x)·h(x)−(u(x)−1)2 . Let θ be the root of r(x) in Q(ζk ) and d(x) = b0 + b1 x ∈ Q[x]. Then Bθ is a basis for Q(ζk ). Since Φk (u(θ)) = 0, u(θ) = ζkl for some l ∈ Z∗k . Hence we have b0 + b1 θ = d(θ) = −(ζkl − 1)2 . If we set a0 = −(1 + b0 )/b1 , a1 = −1/b1 , this finishes the proof. Remark 2. (1) Since σl (a0 − 2a1 ζk + a1 ζk2 ) = a0 − 2a1 ζkl + a1 ζk2l for σl ∈ AutQ Q(ζk ), P1−1 · [ζk ]TBζ = Pl−1 · [ζkl ]TBζ . k

k

Therefore, we obtain the same u(x) in each case of l ∈ (Z/kZ)∗ . This means that we only have to consider the case of l = 1 in the condition for θ. (2) Since a1 θ + a0 = −(ζk − 1)2 for some a0 , a1 (= 0) ∈ Q, two θ and θ′ obtained by changing a0 , a1 have the following relation: θ ′ = b1 θ + b0

for b0 , b1 (= 0) ∈ Q.

Therefore, changing a0 , a1 will correspond to applying an affine change of variable to the polynomials (q(x), r(x), t(x)), thus not produce anything new. Algorithm 2 INPUT: embedding degree k, primitive kth root of unity ζk . OUTPUT: t(x), r(x), q(x) 1: Choose random numbers a0 , a1 ∈ Q with a1 = 0. 2: θ ← a0 − 2a1 ζk + a1 ζk2 . 3: Construct a transition matrix P from Bθ = {1, θ, θ2 , . . . , θ ϕ ϕ (k )−1 }. Bζ k = {1, ζk , ζk 2 , . . . , ζk −1 T 4: v ← P · [ζk ]B ζ .

(k )−1

} to

k

5: u(x) ← (1, x, . . . , xϕ (k )−1 ) ⊙ v. (⊙ means dot product) 6: Find an irreducible (but not necessarily monic) polynomial r(x) ∈ Z[x] such that r(θ) = 0. 7: t(x) ← u(x) + 1, d(x) ← −(u(x) − 1)2 (mod r(x)). 8: q(x) ← (t(x)2 + d(x))/4. 9: If q(x) is irreducible and q(x0 ) is an integer for some x0 ∈ Z, 10: then output t(x), r(x), q(x).

4.1

Remark on Algorithm 2

For any rational numbers a0 , a1 where a1 is nonzero, Algorithm 2 defines a potential family of pairing-friendly curves with the CM equation of degree 1. But the problem is that in many cases, q(x) in the step 8 is not an integervalued polynomial. There are two ways to obtain a q(x) that is an integer-valued polynomial. The first is to set a0 and a1 to be variables instead of random chosen rational numbers. Then the coefficients of q(x) are rational functions in two variables a0 , a1 . We can solve a system of multivariate polynomial equations for a0 , a1 to obtain integer coefficients of q(x). The second approach is to use the method of Kachisa, Schaefer, and Scott [13]:

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

73

1 Find the smallest positive integer n ∈ Z, such that n · q(x) ∈ Z[x]. 2 Find the smallest factor m of n and the residue classes b modulo m such that q(x) ∈ Z[x] for x ≡ b mod m. 3 Find the subset of those residue classes for which t(x) ∈ Z for x ≡ b mod m. (If a0 and a1 are selected such that d(x) ∈ Z[x], then this step is not necessary.) 4 Let r(mx + b) = c r(mx + b) for some constant c. If r(mx + b) and q(mx + b) represent primes, then output t(mx + b), r(mx + b), q(mx + b).

To construct curves using the CM method, we need the CM discriminant D, which must be less than about 1013 for practical reasons. Since our method produces a family of pairing-friendly curves with the CM equation of degree 1, we can obtain D from the square-free part of the CM equation: If Algorithm 2 outputs a pairing-friendly curves with embedding degree k such that ϕ(k) is greater than or equal to 6, then r(x) has a degree of at least 6. Since the size r of the subgroup of elliptic curve must be around 160 bits to ensure security, we must find a prime q(x0 ) and r(x0 ) for the parameter x0 that is around 227 ∼ 108 . Since the CM equation in our example is linear in x, it is also about 108 . For a 256-bit prime r(x0 ), the parameter x0 is around 243 ∼ 1012 . Therefore, from the square-free part of the CM equation, we can obtain a discriminant D less than 1013 . Since the degree of the CM equation is fixed by 1 in our method, the size of x that we can choose for a 160-bit prime r(x) decreases as the degree of r(x) increases. This does not mean, however, that Algorithm 2 can produce more pairing-friendly curves with higher embedding degrees. As the size of x decreases, the probability that r(x) and q(x) are primes also decreases. Therefore, when searching for curves with higher embedding degrees and a 160-bit prime r(x), the square-free part of the CM equation can be larger than 1013 even if the CM equation has degree 1. There is an another approach to obtain the proper CM discriminant D. Since our curves have the CM equation d(x) = ax + b, we choose some D and make 2 the substitution x → Dxa −b in (q(x), r(x), t(x)). Then the the CM equation become d(x) = Dx2 . After this substitution, if q(x) represents prime, then (q, r, t) represents a family of pairing-friendly curves with the discriminant D. 4.2

Examples

We implemented Algorithm 2 in Magma [7] and found some new families of pairing-friendly curves. All the examples have d(x) = 4q(x) − t(x)2 = x − 2. This is because we choose a0 = 1, a1 = −1 in step 1 of Algorithm 2. This CM equation also provides an efficient pairing computation: Let Ti be q(x)i (mod r(x)) for 0 < i < k. Since 4q(x) − t(x)2 = x − 2 and q(x) ≡ t(x) − 1 (mod r(x)), we have x − 2 ≡ 4q(x) − t(x)2

(mod r(x))

2

≡ −(t(x) − 1) + 2(t(x) − 1) − 1

≡ −T2 + 2T1 − 1 (mod r(x)).

(mod r(x))

74

H.-S. Lee and C.-M. Park

Since x − 2 and −T2 + 2T1 − 1 have degree strictly less than r(x), we obtain T2 = 2T1 − x + 1.

(1)

Therefore, by equation (1), the R-ate pairing [15] attains the lower bound log2 r/ϕ(k) of the loop length in Miller’s algorithm. Example 1. k = 5 r = x4 − 3x3 + 4x2 − 12x + 41

q = (x6 + 2x5 + 39x4 + 78x3 + 401x2 + 3785x − 5650)/12100 t = (x3 + x2 + 19x + 20)/55

ρ = 1.5 When x ≡ −3 mod 220, t(x) represents integers, q(x) and r(x) = r(x)/275 represent primes. For x0 = 220 · 103905194262 − 3, we find a 252-bit prime q(x0 ), a 169-bit prime r(x0 ) and a 9-digit discriminant D. Example 2. k = 7

r = x6 − 5x5 + 11x4 − 13x3 + 23x2 − 129x + 239 q = (2304x10 − 9888x9 + 35569x8 − 32248x7 + 383212x6 − 572200x5 + 1818280x4 +2146496x3 + 14573512x2 + 83076033x − 151555486)/304781764 t = (48x5 − 103x4 + 260x3 + 222x2 + 3764x + 914)/8729

ρ = 1.67

When x ≡ 93 mod 34916, t(x) represents integers, q(x) and r(x) = r(x)/61103 represent primes. For x0 = 34916 · 44124 + 93, we find a 288-bit prime q(x0 ), a 167-bit prime r(x0 ) and a 8-digit discriminant D. Example 3. k = 9

r = x6 − 6x5 + 9x4 + 11x3 − 6x2 − 135x + 199

q = (25x10 − 170x9 + 309x8 + 552x7 − 414x6 − 8418x5 + 14448x4 + 19788x3 −7647x2 − 69455x + 26782)/116964

t = (5x5 − 17x4 + 2x3 + 62x2 + 169x − 292)/171 ρ = 1.67

When x ≡ 5 mod 228, t(x) represents integers, q(x) and r(x) = r(x)/3249 represent primes. For x0 = 228 · 2112858 + 5, we find a 276-bit prime q(x0 ), a 161-bit prime r(x0 ) and a 7-digit discriminant D. Example 4. k = 14

r = x6 − 9x5 + 39x4 − 113x3 + 247x2 − 361x + 239 q = (112896x10 − 1512672x9 + 10413433x8 − 49081848x7 + 177965900x6 −509878376x5 + 1154173284x4 − 2058571856x3 + 2820840912x2

−2614606087x + 1154058254)/16957924

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

75

t = (336x5 − 2251x4 + 7956x3 − 19738x2 + 38404x − 34096)/2059

ρ = 1.67

When x ≡ −4103 mod 8236, t(x) represents integers, q(x) and r(x) = r(x)/2059 represent primes. For x0 = 8236 · 64315 − 4103, we find a 282-bit prime q(x0 ), a 162-bit prime r(x0 ) and a 7-digit discriminant D. Example 5. k = 18

r = x6 − 6x5 + 21x4 − 53x3 + 114x2 − 219x + 199 q = (874225x10 − 6662810x9 + 34936749x8 − 128600664x7 + 416829522x6 −1120371430x5 + 2498783092x4 − 4623410524x3 + 7114427969x2

−9203489499x + 6261741218)/343805764 t = (935x5 − 3563x4 + 11894x3 − 23446x2 + 57907x − 80210)/9271

ρ = 1.67

When x ≡ −299 mod 37084, t(x) represents integers, q(x) and r(x) = r(x)/9271 represent primes. For x0 = 37084 · 33364 − 299, we find a 293-bit prime q(x0 ), a 168-bit prime r(x0 ) and a 7-digit discriminant D. Example 6. k = 20

r = x8 − 6x7 + 13x6 − 20x5 + 26x4 + 10x3 + 152x2 − 812x + 841 q = 1/40174756782736 (92708070400x14 −714143833920x13 +2255402671569x12 −5210892379116x11 + 10022557272354x10 − 8342884990396x9 +35392168251935x8 − 204576745286458x7 + 415829812712022x6

−683623117562634x5 + 927144884880025x4 + 408959682852398x3 +2182740233494449x2 − 14256792204764844x + 13847701403612408)

t = (304480x7 − 1172727x6 + 1445274x5 − 2990457x4 +1510380x3 + 6311911x2 + 60575089x − 117761576)/3169178

ρ = 1.75

r(x) When x ≡ 134125 mod 6338356, t(x) represents integers, q(x) and r(x) = 45953081 represent primes. For x0 = 6338356 · 136400 + 134125, we find a 546-bit prime q(x0 ), a 291-bit prime r(x0 ) and a 10-digit discriminant D.

We have tried searching for pairing-friendly curves with embedding degree k ∈ {8, 10, 12, 15, 16, 24, 30} and the CM equation of degree 1. But we can’t find an integer-valued polynomial q(x).

5

Conclusion

We have completely classified a basis for Q(ζk ) used to produce a family of pairing-friendly curves with the CM equation of degree 1. Using a change-ofbasis matrix and this classification of a basis for Q(ζk ), we have proposed a new

76

H.-S. Lee and C.-M. Park

algorithm that can be used to construct a family of pairing-friendly curves with the CM equation of degree 1, and we present new families of curves with larger discriminants. An obvious next step is to study construction of curves with the CM equation of degree 2 and the curves of prime order. In this case, however, it seems to be difficult to determine what conditions should be for a basis for Q(ζk ). We leave this as an open problem. Acknowledgement. We thank anonymous referees for their helpful comments.

References 1. Avanzi, R.M., Cohen, H., Doche, C., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman & Hall/CRC, Sydney (2006) 2. Balasubramanian, R., Koblitz, N.: The improbability that an elliptic curve has subexponential discrete log problem under the Menezes-Okamoto-Vanstone algorithm. Journal of Cryptology 11, 141–145 (1998) 3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 5. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001) 6. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptography 37, 133–141 (2005) 7. Bosma, W., Cannon, J., Playoust, C.: The Magma algebra system. I. The user language. J. Symbolic Comput. 24(3-4), 235–265 (1997) 8. Freeman, D.: Constructing Pairing-Friendly Elliptic Curves with Embedding Degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006) 9. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves (2006) (preprint), http://eprint.iacr.org/2006/372 10. Galbraith, S., McKee, J., Valenca, P.: Ordinary abelian varieties having small embedding degree. Finite Fields and Applications 13, 800–814 (2007) 11. Joux, A.: A one round protocol for tripartite Diffie-Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000) 12. Hungerford, T.W.: Algera. Graduate Texts in Mathematics, vol. 73. Springer, Heidelberg (1996) 13. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing friendly elliptic curves using elements in the cyclotomic elements. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008) 14. Larson, R., Edwards, H., Falvo, C.: Elementary linear algebra, 5th edn. Houghton Mifflin Company (2004)

Generating Pairing-Friendly Curves with the CM Equation of Degree 1

77

15. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and Generalized Pairing Computation on Abelian Varieties. IEEE Transactions on Information Theory 55(4) (2009) 16. Sutherland, A.V.: Computing Hilbert class polynomials with the Chinese Remainder Theorem. preprint: arXiv:0903.2785v1 17. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security(SCIS 2000) (2000) 18. Tanaka, S., Nakamula, K.: Constructing pairing-friendly elliptic curves using factorization of cyclotomic polynomials. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 136–145. Springer, Heidelberg (2008)

On the Final Exponentiation for Calculating Pairings on Ordinary Elliptic Curves Michael Scott⋆ , Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez⋆⋆ , and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin 9, Ireland [email protected]

Abstract. When performing a Tate pairing (or a derivative thereof) on an ordinary pairing-friendly elliptic curve, the computation can be looked at as having two stages, the Miller loop and the so-called final exponentiation. As a result of good progress being made to reduce the Miller loop component of the algorithm (particularly with the discovery of “truncated loop” pairings like the R-ate pairing [18]), the final exponentiation has become a more significant component of the overall calculation. Here we exploit the structure of pairing-friendly elliptic curves to reduce to a minimum the computation required for the final exponentiation. Keywords: Tate pairing, addition sequences, addition chains.

1

Introduction

The most significant parameter of a pairing-friendly elliptic curve is its embedding degree. For an elliptic curve over a field Fq , q = pm , p prime, there must exist a large subgroup of points on the curve of prime order r, such that k is the smallest integer for which r | q k − 1. This integer k is then the embedding degree with respect to r, and to be considered useful it should be in the range 2-50 [13]. In fact, this condition can be simplified to k being the smallest integer such that r | Φk (q) [2], where Φk (.) is the kth cyclotomic polynomial. We will restrict our attention to the case of even embedding degrees, which are more useful and practical, as they support the important denominator elimination optimization [2]. The Tate pairing e(P, Q) (and its variants) takes as parameters two linearly independent points P and Q, at least one of which must be of order r, on E(Fqk ), and the pairing e(P, Q) evaluates as an element of order r in the multiplicative group of the extension field Fqk . In many cases the points P and Q can be over smaller extension fields, and at least one of them can be defined over Fq [4], [5]. ⋆

⋆⋆

Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006. This author acknowledges support from the Consejo Nacional de Ciencia y Tecnolog´ıa.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 78–88, 2009. c Springer-Verlag Berlin Heidelberg 2009 

On the Final Exponentiation for Calculating Pairings

79

Pairing based cryptography on elliptic curves depends on the existence of pairing-friendly curves. Two basic choices are available, the supersingular curves over any finite field, and ordinary pairing-friendly elliptic curves over Fp . In the former case we are strictly limited in terms of the available embedding degree; a maximum of k = 6 is possible, but only on curves over fields of characteristic 3. Note that the embedding degree relates the two types of “hard problem” which support the security of pairing based cryptography. We need both the elliptic curve discrete logarithm problem (ECDLP) in the subgroup of size r and the finite field discrete logarithm problem (DLP) in the multiplicative group of the extension field Fqk to be equivalently hard. There exist subexponential algorithms to solve the DLP, but only square root algorithms to solve the ECDLP, so to achieve 80-bit level of security (defined as requiring an attacker to perform at least 280 operations to break), we need r ≈ 160 bits and q k ≈ 1024 bits. For an efficient implementation we would like k = 6 ≈ 1024/160, the maximum possible for supersingular elliptic curves; but this level of security is already being questioned. At higher levels of security, a larger value of k would be desirable. Indeed, at the standard 128-bit level of security, it has been suggested that pairing-friendly curves with an embedding degree of k = 12 would be ideal [9], [15]. Fortunately, ordinary pairing-friendly elliptic curves also exist, for which (contrary to the supersingular curves) we have an unlimited choice of k. Given that we can construct pairing-friendly elliptic curves with any embedding degree, it seems that the long term viability of pairing-based cryptosystems is largely dependent on the efficient use of these curves.

2

Ordinary Pairing-Friendly Elliptic Curves

One of the first suggested methods for the construction of non-supersingular pairing-friendly elliptic curves E(Fp ) was by Cocks and Pinch [6]. Their method easily generates curves of any embedding degree k, but with one major disadvantage – the ratio ρ = lg(p)/ lg(r) is approximately 2. This ρ-value is a useful yardstick for pairing-friendly curves, and we would prefer it to be closer to 1, as this results in faster implementations. It is normal to choose one of the parameters of the pairing to be a point on the base field E(Fp ), and we would therefore like p to be as small as possible in relation to r. With a Cocks-Pinch curve, however, p will have twice as many bits as necessary to support a pairing-friendly group of order r. If we exclude the Cocks-Pinch curves, we are left with numerous “families” of pairing-friendly curves which have been discovered, each of which has a ρ-value usually much closer to 1 than to 2. Many such families of ordinary pairingfriendly elliptic curves have been suggested – see the Freeman, Scott and Teske taxonomy for details [13]. These families have one striking feature in common – the prime characteristic p and the group r are described as rather simple polynomials with relatively small integer coefficients. It is our aim to exploit

80

M. Scott et al.

this simple form in a systematic way to speed up the final exponentiation for all families of non-supersingular pairing-friendly elliptic curves.

3

The Final Exponentiation

After the main Miller loop – with which we are not concerned here, see [10] for details – the Tate pairing (and its variants) must all carry out an extra step to ensure a unique result of the pairing. To this end the output of the Miller loop m must be raised to be power of (pk − 1)/r to obtain a result of order r. Note that this exponent is determined by fixed system parameters, and therefore methods of exponentiation optimised for fixed exponents are applicable here. This final exponent can be broken down into three components. Let d = k/2. Then (pk − 1)/r = (pd − 1) · [(pd + 1)/Φk (p)] · [Φk (p)/r]. For example if k = 12 the final exponent becomes (p12 − 1)/r = (p6 − 1) · (p2 + 1) · [(p4 − p2 + 1)/r]. The first two parts of the exponentiation are “easy” as raising to the power of p is an almost free application of the Frobenius operator, as p is the field characteristic. The first part of the exponentiation is not only cheap (although it does require an extension field division), it also simplifies the rest of the final exponentiation. After raising to the power of (pd − 1) the field element becomes “unitary” [24], that is, an element α with norm NFp k /Fpd (α) = 1. This has important implications, as squaring of unitary elements is significantly cheaper than squaring of non-unitary elements, and any future inversions can be implemented by simple conjugation [25], [24], [15], [21]. This brings us to the “hard part” of the final exponentiation, raising to the power of Φk (p)/r. The usual continuation is to express this exponent to the base p as λn−1 · pn−1 + ... + λ1 · p + λ0 , where n = φ(k), and φ(.) is the Euler Totient function. If the value to be exponentiated is m, then we need to calculate n−1

mλn−1 ·p

....mλ1 ·p · mλ0 ,

which is the same as n−1

(mp i

)λn −1 .....(mp )λ1 · mλ0 .

The mp can be calculated using the Frobenius, and the hard part of the final exponentiation can be calculated using a fast multi-exponentiation algorithm [16], [14], [19]. These methods, however, do not exploit the polynomial description of p and r. It is our intention to do so, and hence obtain a faster hard-part of the final exponentiation. Each family is different in detail, so we will proceed on a case-by-case basis.

On the Final Exponentiation for Calculating Pairings

4

81

The MNT Curves

The MNT pairing-friendly elliptic curves were reported by Miyaji et al. [20]. For the k = 6 case the prime p and the group order r parameters are expressed as: p(x) = x2 + 1; r(x) = x2 − x + 1; t(x) = x + 1. In this case the hard part of the final exponentiation is to the power of (p2 − p + 1)/r. Substituting from the above one might anticipate an exponentiation to the power of (x4 + x2 + 1)/(x2 − x + 1) = x2 + x + 1. Expressing this to the base p, it becomes simply (p + x). So the hard part of the final exponentiation is mp .mx – an application of the Frobenius and a simple exponentiation to the power of x. The advantage of deriving the hard part of the exponentiation in terms of the family parameter x is clearly illustrated.

5

The BN Curves

The BN family of pairing-friendly curves [5] has an embedding degree of 12, and is parameterised as follows: p(x) = 36x4 + 36x3 + 24x2 + 6x + 1; r(x) = 36x4 + 36x3 + 18x2 + 6x + 1; t(x) = 6x2 + 1. In this case the hard part of the final exponentiation is to the power of (p4 − p2 + 1)/r. After substituting the polynomials for p and r this can be expressed to the base p as λ3 .p3 + λ2 .p2 + λ1 .p + λ0 , where λ3 (x) = 1; λ2 (x) = 6x2 + 1; λ1 (x) = −36x3 − 18x2 − 12x + 1; λ0 (x) = −36x3 − 30x2 − 18x − 2. Now we take a new approach. BN curves are very plentiful, and it already helps the Miller loop if we choose x to have a low Hamming weight. In fact Nogami et al. [22] have suggested the nice choice of x = −408000000000000116 for a curve appropriate for the 128-bit level of security. Next we compute mx , 2 3 2 mx = (mx )x and mx = (mx )x . These are simple exponentiations, and the low Hamming weight of x ensures that each requires a minimum of multiplications when using a simple square-and-multiply algorithm. We next calculate mp , 2 3 2 3 2 2 mp , mp , (mx )p , (mx )p , (mx )p and (mx )p using the Frobenius. Now group the elements of the exponentiation together, and the expression becomes:

82

M. Scott et al. 2

3

2

2

2

2

3

3

[mp · mp · mp ]· [1/m]2 · [(mx )p ]6 · [(mx )p ]12 · [mx /((mx )p )]18 · [1/mx ]30 · [mx · (mx )p ]36 .

The individual components between the square brackets are then calculated with just 4 multiplications (recalling that division costs the same as a multiplication, as inversion is just a conjugation), and we end up with a calculation of the form: y0 · y1 2 · y2 6 · y3 12 · y4 18 · y5 30 · y6 36 . Note that the exponents here are simply the coefficients that arise in the λi equations above. Now how best to evaluate this expression? In fact there is a well known algorithm to evaluate expressions of this form, which minimizes the number of required multiplications. See Olivos [23], and also [1, Section 9.2] for a nice worked example. The starting point is to find an addition sequence: an addition chain which includes within it the elements of the set of integers which occur as exponents. In this case it is not hard to see that an optimal addition sequence (the shortest sequence containing all values) is given by: {1, 2, 3, 6, 12, 18, 30, 36}. Note that 3 is the only member of the addition chain which is not a member of the set of exponents. This is certainly serendipitous, as it means less work to do the evaluation. Observe here that an addition-subtraction chain is also a possibility (as divisions are as cheap as multiplications as a consequence of the unitary property). But we don’t require one here. Application of the Olivos algorithm results in the following vectorial addition chain: (1 (0 (0 (0 (0 (0 (0 (2 (2 (2 (0 (2 (2 (4 (6 (12 (12 (12 (24 (36

0 1 0 0 0 0 0 0 0 1 1 2 1 4 5 10 10 10 20 30

0 0 1 0 0 0 0 0 1 1 0 1 1 2 3 6 6 6 12 18

0 0 0 1 0 0 0 0 0 0 1 1 0 2 2 4 4 4 8 12

0 0 0 0 1 0 0 0 0 0 0 0 1 0 1 2 2 2 4 6

0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 2 2

0) 0) 0) 0) 0) 0) 1) 0) 0) 0) 0) 0) 0) 0) 0) 0) 0) 1) 0) 1)

On the Final Exponentiation for Calculating Pairings

83

which in turn allows us to evaluate the expression as follows, using just two temporary variables: T0 ← (y6 )2

T 0 ← T 0 · y4 T 0 ← T 0 · y5

T 1 ← y3 · y5 T1 ← T1 · T0

T 0 ← T 0 · y2 T1 ← (T1 )2

T1 ← T1 · T0 T1 ← (T1 )2

T 0 ← T 1 · y1 T 1 ← T 1 · y0

T0 ← (T0 )2 T0 ← T0 · T1 The final result is in T0 . This part of the calculation requires only 9 multiplications and 4 squarings. We find this approach to the hard part of the final exponentiation for the BN curves to be about 4% faster than the rather ad hoc method proposed by Devegili et al. [9] (7156 modular multiplications/squarings over Fp compared to 7426 for the choice of x suggested above). Moreover our more general method is applicable to all families of pairing-friendly curves.

6

Freeman Curves

In [12] a construction is suggested for pairing-friendly elliptic curves of embedding degree 10. The parameters for this family are as follows: p(x) = 25x4 + 25x3 + 25x2 + 10x + 3; r(x) = 25x4 + 25x3 + 15x2 + 5x + 1; t(x) = 10x2 + 5x + 3. These curves are much rarer than the BN curves, and unfortunately it is not feasible to choose x to have a particularly small Hamming weight. Nevertheless proceeding as above we find: λ3 (x) = 1; λ2 (x) = 10x2 + 5x + 5; λ1 (x) = −5x2 − 5x − 3;

λ0 (x) = −25x3 − 15x2 − 15x − 2.

84

M. Scott et al.

In this case the coefficients form a perfect addition chain: {1, 2, 3, 5, 10, 15, 25}. The optimal vectorial addition chain in this case requires 10 multiplications and 2 squarings.

7

KSS Curves

Recently Kachisa et al. [17] described a new method for generating pairingfriendly elliptic curves. 7.1

The k = 8 Family of Curves

Here are the parameters for the family of k = 8 KSS curves: p(x) = (x6 + 2x5 − 3x4 + 8x3 − 15x2 − 82x + 125)/180; r(x) = (x4 − 8x2 + 25)/450; t(x) = (2x3 − 11x + 15)/15.

For these curves ρ = 3/2. As in the case of the BN curves, x can be chosen to have a low Hamming weight. Proceeding as above we find: λ3 (x) = (15x2 + 30x + 75)/6; λ2 (x) = (2x5 + 4x4 − x3 + 26x2 − 55x − 144)/6;

λ1 (x) = (−5x4 − 10x3 − 5x2 − 80x + 100)/6; λ0 (x) = (x5 + 2x4 + 7x3 + 28x2 + 10x + 108)/6.

A minor difficulty arises due to the common denominator of 6 which occurs here. We suggest a simple solution – since 6 is co-prime to r – evaluate instead the sixth power of the pairing. This does not affect the important properties of the pairing when r is of cryptographic size, and now we can simply ignore the denominator. We find by brute-force computer search that we can construct the following optimal addition sequence which contains all the exponents in the above equations: {1, 2, 4, 5, 7, 10, 15, 25, 26, 28, 30, 36, 50, 55, 75, 80, 100, 108, 144}. The underlined numbers are the extra numbers added in order to complete the sequence. Proceeding as in the BN case we find that the vectorial addition chain derived from this addition sequence requires just 27 multiplications and 6 squarings to complete the calculation of the hard part of the final exponentiation.

On the Final Exponentiation for Calculating Pairings

7.2

85

The k = 18 Family of Curves

Here are the parameters for the family of k = 18 KSS curves: p(x) = (x8 + 5x7 + 7x6 + 37x5 + 188x4 + 259x3 + 343x2 + 1763x + 2401)/21; r(x) = (x6 + 37x3 + 343)/343; t(x) = (x4 + 16x + 7)/7. In this case ρ = 4/3 but nonetheless this curve might make a good choice for a pairing at the 192-bit level of security. Again, as for the case of the BN curves, x can in practise be chosen with a low Hamming weight, for example x = 15000001502A042AA16, although we are somewhat constrained here in our choice by the extra requirement that p(x), r(x) and t(x) evaluate as integers and x ≡ 14 mod 42 [17]. Proceeding again as above, we find: λ5 (x) = (49x2 + 245x + 343)/3; λ4 (x) = (7x6 + 35x5 + 49x4 + 112x3 + 581x2 + 784x)/3; λ3 (x) = (−5x7 − 25x6 − 35x5 − 87x4 − 450x3 − 609x2 + 54)/3; λ2 (x) = (−49x5 − 245x4 − 343x3 − 931x2 − 4802x − 6517)/3; λ1 (x) = (14x6 + 70x5 + 98x4 + 273x3 + 1407x2 + 1911x)/3;

λ0 (x) = (−3x7 − 15x6 − 21x5 − 62x4 − 319x3 − 434x2 + 3)/3. Using the same argument as in the KSS k = 8 curves case, we evaluate the cube of the pairing to remove the awkward denominator of 3. In this case the coefficients again “nearly” form a natural addition chain. Our best attempt to find an addition sequence containing all of the exponents in the above, is: {1,2,3,4,5,7,8,14,15,16,21,25,28,35,42,49,54,62,70,87,98,112,147,245,273,294, 319,343,392,434,450,581,609,784,931,1162,1407,1862,1911,3724,4655,4802,6517}. Proceeding as in the BN case we find that the vectorial chain derived from this addition sequence requires just 56 multiplications and 14 squarings to complete the calculation of the hard part of the final exponentiation. In fact we did eventually find (by partial computer search) an addition sequence one element shorter than the above, but as it required 61 multiplications and only 7 squarings, we prefer to use the solution above as the computations are performed over an extension field and squarings are therefore notably cheaper than multiplications.

8

Discussion

Here we make a few general observations. First, it seems that the proposed method results in surprisingly compact addition sequences. We note also that the coefficients in the λi tend to be “smooth” numbers, having only relatively small factors. This may facilitate the construction of addition sequences. Other

86

M. Scott et al.

intriguing patterns emerge – observe for example that for the KSS k = 18 curves the three most significant coefficients of the λi are all in the same ratio 1:5:7. Coefficients also appear to follow the same kind of distribution as numbers in a typical addition chain. We have also used the proposed method for other families of pairing-friendly curves, and have observed that for example for the k = 8, ρ = 5/4 curve proposed by Brezing and Weng [8], and the k = 12, ρ = 3/2 curve found by Barreto et al. [3], the resulting addition sequence is often as easy as: {1, 2, 3}. Since squarings are significantly faster than multiplications (as our computations are over extension fields) it may, as we have seen, be sometimes preferable to select a slightly longer addition sequence which trades additions for doublings. Addition-subtraction sequences may also be an attractive alternative in other cases. Finding the shortest addition sequence is an NP-complete problem [11] but since the values we obtained in each set are relatively small, and the sets themselves already contained some addition ‘subchains,’ it was not too difficult to generate, either with a computer or manually, addition sequences containing the specific entries with length close to the lower bound given for the length of addition chains [7]. Should a particular curve result in larger or more numerous coefficients to be constructed into a sequence, Bos and Coster suggest an algorithm for that scenario in [7].

9

Conclusions

We have suggested a general method for the implementation of the hard part of the final exponentiation in the calculation of the Tate pairing and its variants, which is faster, generally applicable, and which requires less memory than previously described methods. The most efficient variant of the Tate pairing is currently the R-ate pairing [18]. An intriguing possibility is that, given only the polynomial equations defining a pairing-friendly family of elliptic curves, it should now be possible, and indeed appropriate, to write a computer program which would automatically generate very efficient R-ate pairing code.

Acknowledgement We would like to acknowledge the anonymous referees for their suggestions.

References 1. Avanzi, R., Cohen, H., Doche, D., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, Boca Raton (2006)

On the Final Exponentiation for Calculating Pairings

87

2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairingbased cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002) 3. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003) 4. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004) 5. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 6. Blake, I.F., Seroussi, G., Smart, N.P.: Advances in Elliptic Curve Cryptography, vol. 2. Cambridge University Press, Cambridge (2005) 7. Bos, J., Coster, M.: Addition chain heuristics. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 400–407. Springer, Heidelberg (1990) 8. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Designs, Codes and Cryptology 37, 133–141 (2005) 9. Devegili, A.J., Scott, M., Dahab, R.: Implementing cryptographic pairings over Barreto-Naehrig curves. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 197–207. Springer, Heidelberg (2007) 10. Doche, C., Lange, T.: Arithmetic of elliptic curves. In: Handbook of Elliptic and Hyperelliptic Curve Cryptography, pp. 267–302. Chapman & Hall/CRC, Boca Raton (2006) 11. Downey, L., Sethi: Computing sequences with addition chains. Siam Journal of Computing 3, 638–696 (1981) 12. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006) 13. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372 14. Granger, R., Page, D., Smart, N.P.: High security pairing-based cryptography revisited. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 480–494. Springer, Heidelberg (2006) 15. Hankerson, D., Menezes, A., Scott, M.: Software implementation of pairings. CACR Technical Report (2008), http://www.cacr.math.uwaterloo.ca/ 16. Hei, L., Dong, J., Pei, D.: Implementation of cryptosystems based on Tate pairing. J. Comput. Sci. & Technology 20(2), 264–269 (2005) 17. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008) 18. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040 19. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of applied cryptography. CRC Press, Boca Raton (1996), http://cacr.math.uwaterloo.ca/hac 20. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals E84-A(5), 1234– 1243 (2001)

88

M. Scott et al.

21. Naehrig, M., Barreto, P.S.L.M., Schwabe, P.: On compressible pairings and their computation. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 371–388. Springer, Heidelberg (2008) 22. Nogami, Y., Akane, M., Sakemi, Y., Kato, H., Morikawa, Y.: Integer variable Xbased ate pairing. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 178–191. Springer, Heidelberg (2008) 23. Olivos, J.: On vectorial addition chains. Journal of Algorithms 2, 13–21 (1981) 24. Scott, M., Barreto, P.: Compressed pairings. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 140–156. Springer, Heidelberg (2004), http://eprint.iacr.org/2004/032/ 25. Stam, M., Lenstra, A.K.: Efficient subgroup exponentiation in quadratic and sixth degree extensions. In: Kaliski Jr., B.S., Ko¸c, C ¸ .K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 318–332. Springer, Heidelberg (2003)

Faster Pairings on Special Weierstrass Curves Craig Costello⋆ , Huseyin Hisil, Colin Boyd, Juan Gonzalez Nieto, and Kenneth Koon-Ho Wong Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane QLD 4001, Australia {craig.costello,h.hisil,c.boyd,j.gonzaleznieto,kk.wong}@qut.edu.au Abstract. This paper presents efficient formulas for computing cryptographic pairings on the curve y 2 = cx3 + 1 over fields of large characteristic. We provide examples of pairing-friendly elliptic curves of this form which are of interest for efficient pairing implementations. Keywords: Tate pairing, Miller’s algorithm, elliptic curves.

1

Introduction

Bilinear pairings have found many applications in cryptography, such as the identity-based encryption scheme of Boneh and Franklin [11], the one-round tripartite key agreement scheme of Joux [18] and the short signature scheme of Boneh, Lynn and Shacham [12]. To implement pairing-based protocols in practice, it is necessary to match curves which are pairing-friendly with an efficient pairing algorithm. The most efficient method of computing pairings is Miller’s algorithm [23]. Each iteration of this process requires three significant computations: (i) point operations, i.e. point doubling and/or point addition; (ii) Miller line function computations and (iii) updating the Miller function value. In this paper we explore the j-invariant zero curve y 2 = cx3 + 1 and provide new formulas that facilitate a faster pairing computation on this curve by decreasing the number of computationally expensive field operations encountered in stage (ii). For pairing computations with even embedding degree k, the curve y 2 = 3 cx +1 allows the Miller doubling stage to be computed in (k+3)m+5s+1M+1S, where m and s denote the costs of multiplication and squaring in the base field while M and S denote the costs of multiplication and squaring in the extension field of degree k. For the more general j-invariant zero curve y 2 = x3 + b, the fastest Miller doubling operation count recorded to date is (k+3)m+8s+1M+1S [1], meaning that the special curve y 2 = cx3 + 1 offers an advantage of 3s at the doubling stage. We provide practically useful examples of the curve y 2 = cx3 + 1 for different embedding degrees. For the majority of embedding degrees k ≤ 50, the ⋆

This author acknowledges funding from the Queensland Government Smart State PhD Scholarship.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 89–101, 2009. c Springer-Verlag Berlin Heidelberg 2009 

90

C. Costello et al.

curve generation technique we adopt achieves ρ-values similar to the best values presented in [14]. We draw comparisons between the curve we employ and other special curves and discuss where this curve model would be optimal in practice. The remainder of this paper is organised as follows. §2 gives a brief overview of pairings. §3 explains our search for a faster Weierstrass model and efficient group operations. §4 presents the optimization of the new formulas for the computation of the Tate pairing. §5 discusses curve generation and provides some practical examples and §6 summarizes our contributions and compares them with the literature. In the appendices, we share our scripts that verify the main claims of §3 and §4. The appendices also provide more intrinsic details on the realization of the proposed formulas.

2

Background on Pairings

This section gives a brief background on pairings. Galbraith gives a more comprehensive survey [15]. Let Fq be a finite field with q = pn elements where p ≥ 5 is prime and let E be an elliptic curve defined over Fq . Let O denote the identity on E. Let r be a large prime that is coprime to q such that r|#E(Fq ) and let k be the embedding degree of E with respect to r. For practical purposes we assume that k > 1. We call Fq the base field and Fqk the extension field. Let fi,P ∈ Fq (E) be a function with divisor div(fi,P ) = i(P ) − ([i]P ) − (i − 1)(O). The Tate pairing. Choose a point P ∈ E(Fq )[r], this implies div(fr,P ) = r(P ) − r(O). Let Q ∈ E(Fqk )/rE(Fqk ) and let µr denote the group of r-th roots of unity in F∗qk . The reduced Tate pairing er [4] is defined as er : (P, Q) → fr,P (Q)(q

k

−1)/r

∈ µr .

Algorithm 1. Miller’s algorithm Input: P ∈ E(Fqk )[r], Q ∈ E(Fqk ), r = (rm−1 . . . r1 r0 )2 with rm−1 = 1. Output: fr,P (Q) ← fvar . 1: 2: 3: 4: 5: 6: 7: 8: 9: 10: 11: 12:

R ← P , fvar ← 1. for i = m − 2 down to 0 do Compute lines ldbl and vdbl for doubling R. R ← [2]R. 2 · ldbl (Q)/vdbl (Q). fvar ← fvar if ri = 1 then Compute lines ladd and vadd for adding R and P . R ← R + P. fvar ← fvar · ladd (Q)/vadd (Q). end if end for return fvar .

Faster Pairings on Special Weierstrass Curves

91

Miller’s algorithm [23] computes the paired value iteratively by taking advantage of the fact that fi+j,P can be written as fi+j,P = fi · fj · l/v, where l and v are the lines used in the computation of [i]P + [j]P = [i + j]P . That is, l is the line that intersects E at [i]P , [j]P and −[i + j]P , and v is the vertical line that intersects E at both [i + j]P and −[i + j]P . This enables us to compute the function f2i,P from fi,P directly by evaluating the lines that are used in point doubling of P . Similarly, we can compute the function fi+1,P from fi,P so that fr,P can be computed in log2 r steps, as summarised in Algorithm 1. There are many other optimizations which speed up the computation of the Miller loop in certain settings, including the denominator elimination technique [4], uses of efficiently computable endomorphisms [27], [16], and loop shortening techniques [2], [17], [3], [22], [30], [21], [29].

3

Choice of Curve

In this section we specify the choice of curve that facilitates an efficient iteration of the Miller loop. Let E be a Weierstrass form elliptic curve y 2 = x3 + ax + b. Let (x1 , y1 ) be a point in E(Fq )− {O}. We then have (x1 , y1 )+ (x1 , −y1 ) = O. Further let (x2 , y2 ) be a point in E(Fq ) − {O} such that y2 = 0 and (x2 , y2 ) = (x1 , −y1 ). We then have (x1 , y1 ) + (x2 , y2 ) = (x3 , y3 ) where x3 = λ y

with

λ =



3

2

= λ (x

−x 1

1

− x 2,

− x 3) − y

(1) 1

(2)

(y 1 − y 2 )/(x1 − x2 ) if (x1 , y1 ) = (x2 , y2 ) . if (x1 , y1 ) = (x2 , y2 ) (3x21 + a)/(2y1 )

In the literature, addition using (1) and (2) in the case (x1 , y1 ) = (x2 , y2 ) is named point doubling. Similarly the case (x1 , y1 ) = (x2 , y2 ) is named point addition. We shall follow the same nomenclature. In our experiments we have observed that it is possible to rewrite the doubling formulas as follows provided that b = 0 is a square in Fq such that c2 = b. We have [2](x1 , y1 ) = (x3 , y3 ) where x3 = x1 (µ − µ2 ) + aσ, 3

y3 = (y1 − c)µ + aδ − c

(3) (4)

with μ = (y1 + 3c)/(2y1 ), σ = (a − 3x21 )/(2y1 )2 , δ = (3x1 (y1 − 3c)(y1 + 3c) − a(9x21 + a))/(2y1 )3 . Computer aided proofs of the correctness of formulas (3) and (4) are provided in Appendix A. In the derivation of these formulas we have consulted [24]. The new point doubling formulas strike us with an interesting property: the total degrees1 of x3 and y3 are lower than those of the original point doubling formulas. Furthermore the total degrees of the new formulas are minimal. This can be verified using 1

The total degree is defined as the sum of the degrees of the numerator and denominator of a rational function.

92

C. Costello et al.

Algorithm 2 of [24, §4]. In particular, the total degree of x3 and y3 drops from 6 to 5 and from 9 to 7, respectively. The evaluation of lower degree functions often requires less field operations. However, it seems that the original point doubling formulas still win in affine coordinates. On the other hand, we will eventually be forced to switch to homogeneous projective or Jacobian coordinates in order to prevent costly inversions. Therefore it is worthwhile to check operation counts on these coordinates. We will delay the details until §4. If we work on the elliptic curve y 2 = x3 + c2 , i.e. a = 0, the formulas (3) and (4) become much simpler. In addition, in order to prevent the computational disadvantage of field operations with c in doubling formulas we prefer to work with another representation of the same curve given by y 2 = cx3 + 1. This curve is isomorphic over Fq to the Weierstrass curve v 2 = u3 + c2 . The isomorphism from y 2 = cx3 + 1 to v 2 = u3 + c2 is given by σ : (x, y) → (u, v) = (cx, cy) with the inverse σ −1 : (u, v) → (x, y) = (u/c, v/c). Again, we denote the identity on y 2 = cx3 + 1 by O and point negation is performed by negating the y coordinate. Using the same notation as in the original formulas, we have [2](x1 , y1 ) = (x3 , y3 ) where x3 = x1 (µ − µ2 ), 3

y3 = (y1 − 1)µ − 1

(5) (6)

with µ = (y1 + 3)/(2y1 ) and we have (x1 , y1 ) + (x2 , y2 ) = (x3 , y3 ) where x3 = c−1 λ2 − x1 − x2 , y3 = λ(x1 − x3 ) − y1

(7) (8)

with λ = (y1 −y2 )/(x1 −x2 ). The point (0, 1) is of order 3. Computer aided proofs of the correctness of formulas (5), (6), (7), and (8) are provided in Appendix B.

4

Tate Pairing Computation on y 2 = cx3 + 1

In this section we further investigate the arithmetic of y 2 = cx3 + 1 to assist efficient computation of the Tate pairing. We first derive suitable line equations to compute the Miller value at both the doubling and addition stages. We then eliminate unnecessary computations before converting all computations to projective representation to avoid inversions. We provide several appendices that verify our claims. Barreto et al. [6] show that it is possible to eliminate costly operations in Miller’s algorithm provided the point where the Miller function is evaluated is chosen suitably. In the Tate pairing, the vertical line functions v (vdbl and vadd ) in Algorithm 1 are evaluated at the point Q = (xQ , yQ ). These vertical line functions take the form v = xR − xQ , where R = (xR , yR ) is the intermediate point in Algorithm 1. The computations in Miller’s algorithm can be simplified if v takes a value in a proper subfield Fqd ⊂ Fqk . When computing the Tate pairing on curves with even embedding degrees k = 2d, we choose Q to enable this simplification by choosing a point Q′ on the quadratic twist E ′ of E and

Faster Pairings on Special Weierstrass Curves

93

mapping√Q′ to Q under the twisting isomorphism, meaning that xQ ∈ Fqd and yQ = y˜Q ν, where y˜Q ∈ Fqd and ν is some quadratic non-residue in Fqd . The Miller values. If we derive the line equations arising from the addition of (x1 , y1 ) and (x2 , y2 ) we obtain gadd = c

λ(x2 − xQ ) − y2 + yQ c(x1 + x2 + xQ ) − λ2

(9)

where λ = (y1 − y2 )/(x1 − x2 ) and gadd = ladd (Q)/vadd (Q) (refer to Line 9 of Algorithm 1). This formula shares several common subexpressions with (7) and (8). For the case (x1 , y1 ) = (x2 , y2 ), we propose a new formula for the line computation which uses several shared common subexpressions with the new point doubling formulas (5) and (6). The new formula is given by gdbl =

2cy1 (x1 − xQ )2 , x21 (3cxQ ) − y12 + 3 + 2y1 yQ

(10)

where gdbl = ldbl (Q)/vdbl (Q) (refer to Line 5 of Algorithm 1). Furthermore, if (x1 , y1 ) = −(x2 , y2 ) we have gvert = −c(x1 − xQ ).

(11)

Computer aided proofs of the correctness of our formulas are provided in Appendix C. Irrelevant factors. We now focus on eliminating the terms in equations (9) and (10) by adopting the denominator elimination technique [7]. Recall that yQ is the only element that appears in the formulas above2 that is in the full extension field Fqk . We immediately notice that the denominator of gadd in equation (9) is completely contained in Fqd and can therefore be eliminated, to give ′ gadd = (y1 − y2 )(x2 − xQ ) − (x1 − x2 )(y2 − yQ ).

(12)

With identical reasoning we can omit the numerator of gdbl in equation (10). These since yQ is of the form yQ = √ eliminations are standard. Now, observe that √ y˜Q ν, we can write the denominator as 1/(t1 + t2 ν) where t1 = x21 (3cxQ ) − y12 + 3 and t2 = 2y1 y˜Q . If the Miller value is computed in this fashion there will be an inversion at the end of the Miller loop. Even worse, both the numerator and the denominator of fvar would have to be updated at each iteration of the Miller loop since the addition step produces a non-trivial numerator.√To prevent this we multiply the numerator and the denominator of 1/(t1 + t2 ν) by the √ √ conjugate expression t1 − t2 ν to give (t1 − t2 ν)/(t21 − t22 ν). Since t21 − t22 ν ∈ Fqd we can simply omit the denominator to give ′ gdbl = x21 (3cxQ ) − y12 + 3 − 2y1 yQ . 2

(13)

The point (x2 , y2 ) represents P ∈ E(Fq ) and the point (x1 , y1 ) represents R ∈ E(Fq ) in Algorithm 1, a multiple of P , so that x1 , x2 , y1 , y2 ∈ Fq .

94

C. Costello et al.

′ It also follows that if (x1 , y1 ) = −(x2 , y2 ) we have gvert = 1. If r is odd, the Miller loop always finishes in this fashion so we ignore the point addition in the final iteration. We next present point doubling and point addition formulas together with their associated line formulas in homogeneous projective coordinates. Our experiments gave the best results in homogeneous coordinates rather than Jacobian coordinates for doubling and additions. While additions generally favour projective coordinates it is interesting to note that also doublings on this curve are faster in projective coordinates. In particular the number of field operations for the doubling is 4m + 3s while the best known doubling speeds so far are 2m + 5s but in Jacobian coordinates. So this representation achieves the best addition speed and the best doubling speed (up to some m/s tradeoffs) in the same coordinate system.

Homogeneous projective coordinates. In homogeneous projective coordinates each point (x, y) is represented by the triplet (X : Y : Z) which satisfies the projective equation Y 2 Z = cX 3 + Z 3 and corresponds to the affine point (X/Z, Y /Z) with Z = 0. The identity element is represented by (0 : 1 : 0). The negative of (X : Y : Z) is (X : − Y : Z). Point doubling with line computation. Given (X1 : Y1 : Z1 ) with Z1 = 0 the point doubling can be performed as [2](X1 : Y1 : Z1 ) = (X3 : Y3 : Z3 ) where X3 = 2X1 Y1 (Y12 − 9Z12 ),

Y3 = (Y1 − Z1 )(Y1 + 3Z1 )3 − 8Y13 Z1 ,

(14)

Z3 = 8Y13 Z1 .

These formulas are derived from (5) and (6) in Section 3. Point doubling without line computation needs 4m + 3s using the following sequence of operations. A = Y12 , B = Z12 , C = (Y1 + Z1 )2 − A − B, Z3 = 4A · C, X3 = 2X1 · Y1 · (A − 9B), Y3 = (A − 3B + C) · (A + 9B + 3C) − Z3 .

The line formula derived from (13) is given by ′′ gdbl = X12 (3cxQ ) − Y12 + 3Z12 − 2Y1 Z1 yQ

(15)

= E · (3cxQ ) − A + 3B − 2C · yQ

where E = X12 . Assume that 3cxQ is precomputed. If Q is chosen according to the discussion at the start of this section, then multiplication with 3cxQ or with yQ counts as (k/2)m. The point doubling with line computation needs (k + 3)m + 5s if k is even. In this operation count we have further exploited an additional m/s tradeoff when calculating 2X1 Y1 in the point doubling formulas, which can now be computed as (X1 + Y1 )2 − E − A. See Appendix D for furter justifications and details on the operation scheduling.

Faster Pairings on Special Weierstrass Curves

95

Point addition with line computation. Given (X1 : Y1 : Z1 ) and (X2 : Y2 : Z2 ) with Z1 = 0 and Z2 = 0 and (X1 : Y1 : Z1 ) = (X2 : Y2 : Z2 ), an addition can be performed as (X1 : Y1 : Z1 ) + (X2 : Y2 : Z2 ) = (X3 : Y3 : Z3 ) where X3 = (X1 Z2 − Z1 X2 )(Z1 Z2 (Y1 Z2 − Z1 Y2 )2 − c(X1 Z2 + Z1 X2 )(X1 Z2 − Z1 X2 )2 ),

Y3 = (Y1 Z2 − Z1 Y2 )(c(2X1 Z2 + Z1 X2 )(X1 Z2 − Z1 X2 )2 − Z1 Z2 (Y1 Z2 − Z1 Y2 )2 ) − cY1 Z2 (X1 Z2 − Z1 X2 )3 ,

(16)

Z3 = cZ1 Z2 (X1 Z2 − Z1 X2 )3 .

These formulas are derived from (1) and (2) in Section 3. Point addition without line computation needs 12m + 2s + 1c if Z2 is arbitrary and 9m + 2s + 1c if Z2 = 1. Note that c stands for a multiplication with c. The line formula derived from (12) is given by ′′ gadd = (Y1 Z2 − Z1 Y2 )(X2 − xQ Z2 ) −

(X1 Z2 − Z1 X2 )Y2 + (X1 Z2 − Z1 X2 )Z2 yQ .

(17)

Assuming that Q is chosen according to the discussion at the start of this section, multiplication with (X2 − xQ Z2 ) or with Z2 yQ counts as (k/2)m each. Assume that Z2 = 1. Point addition with line computation needs (k + 10)m + 2s + 1c if k is even. Assume that Z2 is arbitrary. Assume that (X2 − xQ Z2 ) and Z2 yQ are precomputed. The point addition with line computation needs (k+13)m+2s+1c if k is even. The algorithm that we use for the point addition part is a slightly modified version of Cohen/Miyaji/Ono algorithm [13]. We omit details here and refer to Appendix D for justifications and details on the operation scheduling.

5

Curve Generation

This section discusses generating pairing-friendly curves of the form y 2 = cx3 +1. We also point out a minor adjustment to be made to the pairing definition when employing this curve in the supersingular setting. Implementing the Tate pairing on the curve y 2 = cx3 + 1 requires the construction of the j-invariant zero curve y 2 = x3 + b where b = c2 for c ∈ Fq . All j-invariant zero curves have a special endomorphism ring and such curves have CM discriminant D = 3. In Construction 6.6 of [14], Freeman et al. extend on the results of Barreto et al. [5] and Brezing and Weng [10] to efficiently construct D = 3 curves for all values of k where 18 ∤ k. Freeman et al. discuss that this construction achieves the best ρ-value curve families for the majority of embedding degrees k ≤ 50. Our experiments showed that for most embedding degrees this method of construction will efficiently produce a curve of the desired form with the best ρ-value, however the extra condition we impose on the curve constant (being a quadratic residue) is restrictive. For instance, we were unable to obtain a k = 8 curve with b as a square using this construction. For k = 12, constructing the curve y 2 = cx3 + 1 gives ρ ≈ 3/2, which is significantly larger than what can

96

C. Costello et al.

be obtained for BN curves [10] where b is non-square, for which D is also 3 but which have the optimal ρ-value of ρ = 1. Nevertheless, there is a wide range of useful embedding degrees that would welcome the speedups offered on the curve y 2 = cx3 + 1. We present two pairingfriendly examples of the curve using Construction 6.6 of [14]. k = 12, ρ ≈ 3/2, c = 1, q = 0x55555583E6AAB5415B22F364648CF7D4A1A9716C687F053\ 39126A5FC2A09 (239 bits), r = 0x10000005D24000CB530E5C544B4E84E5B34F41BD1 (161 bits), t = 0x1000000174A (41bits). k = 24, ρ ≈ 5/4, c = 3, q = 0x577380D96AF284FCF9200C2CC966EC756D86B4CBF2A3AAD\ 3C1 (199 bits), r = 0x105121CA61CB6CAF9EF3A835A4442784FFF816AF1 (161 bits), t = 0x100A0F (21 bits).

Supersingular curves. When the characteristic of the underlying field is p ≡ 2 mod 3, the curve y 2 = cx3 + 1 is supersingular with k = 2. We would usually define the symmetric pairing as eˆ : G × G → GT where eˆ(P, Q) = e(P, φ(Q)) and φ is the distortion map φ(x, y) = (ξx, y) for some non-trivial cube root of unity ξ ∈ Fp2 . However, using the distortion map in this manner would not allow the use of the formulas derived in §4, since these formulas were derived under the assumption that it was the y-coordinate of the second argument in the pairing that was in the extension field. Instead, we follow Scott’s technique [26] and define the supersingular pairing as e˜ : G × G → GT where e˜(P, Q) = e(P, θ(Q)) and θ is defined as θ(Q) = φ(Q) − πp (φ(Q)), where πp is the p-power Frobenius endomorphism. For Q = (xQ , yQ ), we have that πp (φ(Q)) = πp (ξxQ , yQ ) = (ξ 2 xQ , yQ ) so that θ(Q) becomes θ(xQ , yQ ) = (ξxQ , yQ )− (ξ 2 xQ , yQ ). The map θ is an isomorphism from the base field subgroup to the trace zero subgroup, where the x-coordinates lie in the base field and the y-coordinates are in the extension field so that we can apply the formulas from §4 [26]. The inverse map from the trace zero subgroup to the base field subgroup is defined as θ−1 (Q) = Tr(φ(Q)), where Tr is the trace map.

6

Comparison and Conclusion

We have studied pairing computations on a non-standard Weierstrass curve of the form y 2 = cx3 + 1. This is the most specific curve model studied so far since there are only 3 isomorphism classes of curves for this shape in the general case where p ≡ 1 mod 3. The main contribution of this paper is a faster computation of the Tate pairing on this special curve. Practical examples of such curves can be achieved using Construction 6.6 of [14]. There are many examples of embedding

Faster Pairings on Special Weierstrass Curves

97

degrees for which this construction gives the best known ρ-value [14], however it remains an open question to find suitable curves of this form having ρ-values very close to 1 with practically interesting embedding degrees, e.g. k = 8. The following table summarizes the advantage of employing this new curve in the Tate pairing by comparing our results with the fastest results achieved on other j-invariant zero curves documented prior to this work. The formulas given by Ar`ene et al. [1] for j-invariant zero curves give an operation count that improves the operation count originally presented in [17], so we draw comparisons against these improved formulas below. We follow the trend of presenting the operation count for even k [20], since this is generally preferred in practice [4], [7]. We do not include the multiplications and squarings that take place in the extension field Fqk , since these are common to all operation counts (see lines 5 and 9 of Algorithm 1). Tate pairing DBL mADD ADD Ar`ene et al. [1] (k + 3)m + 8s (k + 6)m + 6s (k + 12)m + 5s This work (k + 3)m + 5s (k + 10)m + 2s + 1c (k + 13)m + 2s + 1c As k gets large in the Tate pairing, the overall speed up that is achieved through using the curve y 2 = cx3 + 1 becomes less, since the more difficult operations in Fqk consume more computation relative to those operations in the base field. Lastly, we note that the EFD [9] reports 2m + 5s point doubling formulas in Jacobian coordinates for j-invariant zero curves. Therefore a protocol requiring scalar multiplications should use Jacobian coordinates and should only switch to our proposal when the pairing is being computed. This conversion comes at the cost of 2m + 1s + 1c by taking (X : Y : Z) in Jacobian coordinates to (XZ : Y : cZ 3 ) in homogeneous projective coordinates on the curve y 2 = cx3 + 1.

Acknowledgements The authors wish to thank Tanja Lange and the anonymous referees for helpful comments and corrections.

References 1. Ar`ene, C., Lange, T., Naehrig, M., Ritzenthaler, C.: Faster pairing computation. Cryptology ePrint Archive, Report 2009/155 (2009), http://eprint.iacr.org/2009/155 ´ H´eigeartaigh, C., Scott, M.: Efficient pairing 2. Barreto, P.S.L.M., Galbraith, S.D., O’ computation on supersingular Abelian varieties. Cryptology ePrint Archive, Report 2004/375 (2004), http://eprint.iacr.org/2004/375 ´ H´eigeartaigh, C., Scott, M.: Efficient pairing 3. Barreto, P.S.L.M., Galbraith, S.D., O’ computation on supersingular Abelian varieties. Des. Codes Cryptography 42(3), 239–271 (2007) 4. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairingbased cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–369. Springer, Heidelberg (2002)

98

C. Costello et al.

5. Barreto, P.S.L.M., Lynn, B., Scott, M.: Constructing elliptic curves with prescribed embedding degrees. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 257–267. Springer, Heidelberg (2003) 6. Barreto, P.S.L.M., Lynn, B., Scott, M.: Efficient implementation of pairing-based cryptosystems. Journal of Cryptology 17(4), 321–334 (2004) 7. Barreto, P.S.L.M., Lynn, B., Scott, M.: On the selection of pairing-friendly groups. In: Matsui, M., Zuccherato, R.J. (eds.) SAC 2003. LNCS, vol. 3006, pp. 17–25. Springer, Heidelberg (2004) 8. Barreto, P.S., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 9. Bernstein, D.J., Lange, T.: Explicit-formulas database, http://www.hyperelliptic.org/EFD 10. Brezing, F., Weng, A.: Elliptic curves suitable for pairing based cryptography. Des. Codes Cryptography 37(1), 133–141 (2005) 11. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003) 12. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. Journal of Cryptology 17(4), 297–319 (2004) 13. Cohen, H., Miyaji, A., Ono, T.: Efficient elliptic curve exponentiation using mixed coordinates. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 51–65. Springer, Heidelberg (1998) 14. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372 15. Galbraith, S.D.: Pairings. London Mathematics Society Lecture Note Series, vol. 317, pp. 183–213. Cambridge University Press, Cambridge (2005) 16. Galbraith, S.D., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008) 17. Hess, F., Smart, N.P., Vercauteren, F.: The Eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006) 18. Joux, A.: A one round protocol for tripartite Diffie-Hellman. Journal of Cryptology 17(4), 263–276 (2004) 19. Kachisa, E.J., Schaefer, E.F., Scott, M.: Constructing Brezing-Weng pairingfriendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008) 20. Koblitz, N., Menezes, A.: Pairing-based cryptography at high security levels. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 13–36. Springer, Heidelberg (2005) 21. Lee, E., Lee, H.S., Park, C.M.: Efficient and generalized pairing computation on Abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040 22. Matsuda, S., Kanayama, N., Hess, F., Okamoto, E.: Optimised versions of the Ate and twisted Ate pairings. In: Galbraith, S.D. (ed.) Cryptography and Coding 2007. LNCS, vol. 4887, pp. 302–312. Springer, Heidelberg (2007), http://eprint.iacr.org/2007/013 23. Miller, V.S.: The Weil pairing, and its efficient calculation. Journal of Cryptology 17(4), 235–261 (2004)

Faster Pairings on Special Weierstrass Curves

99

24. Monagan, M., Pearce, R.: Rational simplification modulo a polynomial ideal. In: ISSAC 2006, pp. 239–245. ACM, New York (2006) 25. Perez, L.J.D., Kachisa, E.J., Scott, M.: Implementing cryptographic pairings: a MAGMA tutorial. Cryptology ePrint Archive, Report 2009/072 (2009), http://eprint.iacr.org/2009/072 26. Scott, M.: Faster identity based encryption. Electronics Letters 40(14), 861–862 (2004) 27. Scott, M.: Faster pairings using an elliptic curve with an efficient endomorphism. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 258–269. Springer, Heidelberg (2005) 28. Scott, M., Benger, N., Charlemagne, M., Perez, L.J.D., Kachisa, E.J.: Fast hashing to G2 on pairing friendly curves. Cryptology ePrint Archive, Report 2008/530 (2008), http://eprint.iacr.org/2008/530 29. Vercauteren, F.: Optimal pairings. Cryptology ePrint Archive, Report 2008/096 (2008), http://eprint.iacr.org/2008/096 30. Zhao, C.A., Zhang, F., Huang, J.: A note on the Ate pairing. Cryptology ePrint Archive, Report 2007/247 (2007), http://eprint.iacr.org/2007/247

A

Appendix

This Maple script verifies that (3) and (4) commute with the original point doubling formulas. b:=c^2: W:=(x,y)->y^2-(x^3+a*x+b): #The short Weierstrass curve, W. L:=(3*x1^2+a)/(2*y1): x3:=L^2-2*x1: y3:=L*(x1-x3)-y1: #Double on W. mu:=(y1+3*c)/(2*y1): sigma:=(a-3*x1^2)/(2*y1)^2: #Double on W with new formulas. delta:=(3*x1*(y1-3*c)*(y1+3*c)-a*(9*x1^2+a))/(2*y1)^3: #Double on W with new formulas. x3new:=x1*(mu-mu^2)+ a*sigma: y3new:=(y1-c)*mu^3+a*delta-c: #Double on W with new formulas. simplify(x3-x3new,[W(x1,y1)]); simplify(y3-y3new,[W(x1,y1)]); #Check.

B

Appendix

This Maple script verifies that (5), (6), (7), and (8) commute with the original doubling and addition formulas. Q:=(x,y)->y^2-(c*x^3+1): #The curve considered in this work, Q. W:=(u,v)->v^2-(u^3+c^2): #The short Weierstrass curve, W. QtoW:=(x,y)->c*x,(x,y)->c*y: #The map from Q to W. WtoQ:=(u,v)->u/c,(u,v)->v/c: #The map from W to Q. ##Verify the correctness of point additon formulas. u1,v1:=QtoW(x1,y1): u2,v2:=QtoW(x2,y2): #Map the points (x1,y1) and (x2,y2) on Q to W. L:=(v1-v2)/(u1-u2): u3:=L^2-u1-u2: v3:=L*(u1-u3)-v1: #Add on W with the original formulas. x3,y3:=WtoQ(u3,v3): #Map the sum (u3,v3) on W to Q. simplify(W(u3,v3),[Q(x1,y1),Q(x2,y2)]); #Check. Lnew:=(y1-y2)/(x1-x2): x3new:=c^(-1)*Lnew^2-x1-x2: y3new:=Lnew*(x1-x3)-y1: ##Add on Q. simplify(x3-x3new,[Q(x1,y1),Q(x2,y2)]); simplify(y3-y3new,[Q(x1,y1),Q(x2,y2)]); #Check. unassign(’Lnew’,’L’,’u2’,’v2’,’u3’,’v3’,’x3’,’y3’,’x3new’,’y3new’); ##Verify the correctness of point doubling formulas. L:=3*u1^2/(2*v1): u3:=L^2-2*u1: v3:=L*(u1-u3)-v1: #Double on W with the original formulas. x3,y3:=WtoQ(u3,v3): #Map the sum (u3,v3) on W to Q. simplify(W(u3,v3),[Q(x1,y1)]); #Check. mu:=(y1+3)/(2*y1): x3new:=x1*(mu-mu^2): y3new:=(y1-1)*mu^3-1: #Double on Q. simplify(x3-x3new,[Q(x1,y1)]); simplify(y3-y3new,[Q(x1,y1)]); #Check.

100

C

C. Costello et al.

Appendix

This Maple script verifies the correctness of (9), (10), and (11). Q:=(x,y)->y^2-(c*x^3+1): #The curve considered in this work, Q. W:=(u,v)->v^2-(u^3+c^2): #The short Weierstrass curve, W. QtoW:=(x,y)->c*x,(x,y)->c*y: #The maps from Q to W. WtoQ:=(u,v)->u/c,(u,v)->v/c: #The maps from W to Q. ##Verify the correctness of the line formulas for addition. u1,v1:=QtoW(x1,y1): u2,v2:=QtoW(x2,y2): uQ,vQ:=QtoW(xQ,yQ): ##(xi,yi) on Q to (ui,vi) on W. L:=(v1-v2)/(u1-u2): l:=L*(u1-uQ)+vQ-v1: v:=uQ-(L^2-u1-u2): #Compute the addition-line on W. Lnew:=(y1-y2)/(x1-x2): gadd:=c*(Lnew*(x2-xQ)-y2+yQ)/(c*(x1+x2+xQ)-Lnew^2): #New line on Q. simplify(l/v-gadd,[Q(x1,y1),Q(x2,y2),Q(xQ,yQ)]); #Check. ##Verify the correctness of the line formulas for doubling. L:=3*u1^2/(2*v1): l:=L*(u1-uQ)+vQ-v1: v:=uQ-(L^2-2*u1): #Compute the doubling-line on W. gdbl:=2*c*y1*(x1-xQ)^2/(x1^2*(3*c*xQ)-y1^2+3+2*y1*yQ): #New line on Q. simplify(l/v-gdbl,[Q(x1,y1),Q(xQ,yQ)]); #Check. ##Verify the correctness of the line formulas for the sum of negatives. l:=uQ-u1: v:=1: #The vertical line on W. gvert:=-c*(x1-xQ): #The new line on Q. simplify(l/v-gvert,[Q(x1,y1),Q(x2,y2),Q(xQ,yQ)]); #Check.

D

Appendix

This Maple script verifies the correctness of (14) and (15). Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): x1:=X1/Z1: y1:=Y1/Z1: x3:=x1*(y1^2-9)/(2*y1)^2: y3:=(y1-1)*(y1+3)^3/(2*y1)^3-1: Line:=x1^2*(3*c*xQ)-y1^2+3-2*y1*yQ: ##Point doubling formulas in homogenous projective coordinates. X3:=2*X1*Y1*(Y1^2-9*Z1^2): Y3:=(Y1-Z1)*(Y1+3*Z1)^3-8*Z1*Y1^3: Z3:=(2*Y1*Z1)*(2*Y1)^2: gDBL:=X1^2*(3*c*xQ)-Y1^2+3*Z1^2-2*Y1*Z1*yQ: #Line formulas. simplify(x3-X3/Z3,[Q(X1,Y1,Z1)]); simplify(y3-Y3/Z3,[Q(X1,Y1,Z1)]); #Check. factor(Line-gDBL/Z1^2); #Check.

This Maple script shows how to schedule operations for (14). The point doubling without line computation needs 4m + 3s + 0c. Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): ##Point doubling formulas with register allocations. X3:=2*X1: X3:=X3*Y1: Z3:=3*Z1: t1:=Y1+Z3: t1:=t1^2: Y3:=Y1^2: Z3:=Z3^2: t2:=Y3-Z3: t2:=3*t2: X3:=X3*t2: t2:=t2+Z3: t2:=t2+Z3: Z3:=Y3+Z3: Z3:=t1-Z3: t2:=t2+Z3: Z3:=Y3*Z3: Z3:=4*Z3: Y3:=t1*t2: Y3:=Y3-Z3: simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1)]); #Check.

This Maple script shows how to schedule operations for (14) and (15). Multiplication with c1 or with yQ counts as (k/2)m. Assume that c1 is precomputed. The point doubling with line computation needs 5m + 5s if k = 2 or more generally (k + 3)m + 5s if k is even. Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): Line:=X1^2*(3*c*xQ)-Y1^2+3*Z1^2-2*Y1*Z1*yQ: c1:=3*c*xQ: #Precomputed value. ##Point doubling formulas and line computation with register allocations. t1:=X1+Y1: t2:=Y1+Z1: t1:=t1^2: t2:=t2^2: X3:=X1^2: Y3:=Y1^2: Z3:=Z1^2: t1:=t1-X3: t1:=t1-Y3: t2:=t2-Y3: t2:=t2-Z3: Z3:=3*Z3: t3:=Y3-Z3: gDBL:=X3*c1-t3-t2*yQ: t3:=t3+t2: t4:=3*Z3: X3:=Y3-t4: X3:=t1*X3: t1:=3*t2: t2:=t1+t2: Z3:=t2*Y3: Y3:=Y3+t4: t1:=t1+Y3: Y3:=t3*t1: Y3:=Y3-Z3: simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1)]); simplify(Line-gDBL); #Check.

Faster Pairings on Special Weierstrass Curves

101

This Maple script verifies the correctness of (16) and (17). Q1:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): x1:=X1/Z1: y1:=Y1/Z1: x2:=X2/Z2: y2:=Y2/Z2: L:=(y1-y2)/(x1-x2): x3:=c^(-1)*L^2-x1-x2: y3:=L*(x1-x3)-y1: Line:=(y1-y2)*(x2-xQ)-(x1-x2)*(y2-yQ): ##Point addition formulas in homogenous projective coordinates. X3:=(X1*Z2-Z1*X2)*(Z1*Z2*(Y1*Z2-Z1*Y2)^2-c*(X1*Z2+Z1*X2)*(X1*Z2-Z1*X2)^2): Y3:=(Y1*Z2-Z1*Y2)*(c*(2*X1*Z2+Z1*X2)*(X1*Z2-Z1*X2)^2-Z1*Z2*(Y1*Z2-Z1*Y2)^2) c*Y1*Z2*(X1*Z2-Z1*X2)^3: Z3:=c*Z1*Z2*(X1*Z2-Z1*X2)^3: gADD:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*Y2+(X1*Z2-Z1*X2)*Z2*yQ: #Line formulas. simplify(x3-X3/Z3,[Q1(X1,Y1,Z1),Q1(X2,Y2,Z2)]); #Check. simplify(y3-Y3/Z3,[Q1(X1,Y1,Z1),Q1(X2,Y2,Z2)]); factor(Line-gADD/Z1/Z2^2); #Check.

This Maple script shows how to schedule operations for (16) and (17) with Z2 = 1. Z2:=1: Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): Line:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*(Y2-yQ*Z2): c1:=X2-xQ: c2:=Y2-yQ: #Precomputed values. ##Point addition formulas and line computation with register allocations. t1:=Z1*X2: t1:=X1-t1: t2:=Z1*Y2: t2:=Y1-t2: gADD:=c1*t2-t1*Y2+t1*yQ: t3:=t1^2: t3:=c*t3: X3:=t3*X1: t3:=t1*t3: t4:=t2^2: t4:=t4*Z1: t4:=t3+t4: t4:=t4-X3: t4:=t4-X3: X3:=X3-t4: t2:=t2*X3: Y3:=t3*Y1: Y3:=t2-Y3: X3:=t1*t4: Z3:=Z1*t3: simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1),Q(X2,Y2,Z2)]); simplify(Line-gADD); #Check.

This Maple script shows how to schedule operations for (16) and (17). Q:=(X,Y,Z)->Y^2*Z-(c*X^3+Z^3): Line:=(Y1*Z2-Z1*Y2)*(X2-xQ*Z2)-(X1*Z2-Z1*X2)*(Y2-yQ*Z2): c1:=X2-xQ*Z2: c2:=Y2-yQ*Z2: #Precomputed values. ##Point addition formulas and line computation with register allocations. t1:=Z1*X2: X3:=X1*Z2: t1:=X3-t1: t2:=Z1*Y2: Y3:=Y1*Z2: t2:=Y3-t2: gADD:=c1*t2-t1*Y2+t1*Z2*yQ: Z3:=Z1*Z2: t3:=t1^2: t3:=c*t3: X3:=t3*X3: t3:=t1*t3: t4:=t2^2: t4:=t4*Z3: t4:=t3+t4: t4:=t4-X3: t4:=t4-X3: X3:=X3-t4: t2:=t2*X3: Y3:=t3*Y3: Y3:=t2-Y3: X3:=t1*t4: Z3:=Z3*t3: simplify(Q(X3,Y3,Z3),[Q(X1,Y1,Z1),Q(X2,Y2,Z2)]); simplify(Line-gADD); #Check.

Fast Hashing to G2 on Pairing-Friendly Curves Michael Scott⋆ , Naomi Benger, Manuel Charlemagne, Luis J. Dominguez Perez⋆⋆ , and Ezekiel J. Kachisa School of Computing Dublin City University Ballymun, Dublin 9, Ireland [email protected]

Abstract. Pairings on elliptic curves usually take as input a point in a subgroup G1 of an elliptic curve group E(Fp ) and a point in a subgroup G2 of E ′ (Fpd ) for some twist E ′ of E. In this paper we consider the problem of hashing to G2 when the group G2 has prime order. The naive approach requires multiplication in the group E ′ (Fpd ) by a large cofactor. Our main result is to describe a fast method to compute this cofactor multiplication; our method exploits an efficiently computable homomorphism. Keywords: Tate pairing, addition chains.

1

Introduction

When using ordinary elliptic curves to implement identity-based protocols, there is often a need to hash identities to points on one or both of the two elliptic curve groups involved in the pairing. The first group, denoted G1 , consists of points on a pairing-friendly elliptic curve E that are defined over the base field Fp . The second group, denoted G2 , is instantiated as a group of points on a twisted curve E ′ that have coordinates in some extension field Fpd , where d divides the embedding degree k. The Tate pairing and its variants only require one of the input points to be of prime order, as it is sufficient for the other argument to be a coset representative. For the Weil pairing, both input points must have prime order. The most efficient pairings to date are the ate [10] and R-ate [12] pairings, both of which are variants of the Tate pairing and which specifically require a point from G2 of prime order. Whereas hashing to a point of prime order in G1 is relatively easy, hashing to a prime order point in G2 requires an additional multiplication by a large cofactor. In this paper we consider the problem of reducing the cost of hashing ⋆

⋆⋆

Research supported by the Claude Shannon Institute, Science Foundation Ireland Grant 06/MI/006. This author acknowledges support from the Consejo Nacional de Ciencia y Tecnolog´ıa.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 102–113, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Fast Hashing to G2 on Pairing-Friendly Curves

103

to a point of prime order in G2 . This step may be necessary to ensure efficient implementations of protocols using Weil, ate or R-ate pairings. Pairing-friendly ordinary elliptic curves can be constructed to have arbitrary embedding degree. This compares favourably with the case of supersingular elliptic curves, which have a maximum embedding degree of 6. On a supersingular curve, however, we have a distortion map, which in effect means that the two arguments to a modified pairing can be linearly dependent and thus can both be points in G1 defined over the base field Fp . In contrast, on ordinary elliptic curves we must be prepared to handle points in the potentially more cumbersome group G2 , defined over an extension field. In a recent paper, however, Galbraith and Scott [8] observe that arithmetic in G2 is not as difficult as might be thought, as an efficient homomorphism can be exploited. In this paper we extend the ideas of [8] to the related problem of cofactor multiplication in E ′ (Fpd ), which is required to hash an identity to a point of prime order in G2 .

2

Elliptic Curves over Extension Fields

Let E be an elliptic curve defined over a finite field Fp that has embedding degree k > 1 with respect to a prime r. This means that r divides #E(Fp ) and that k is the smallest positive integer such that r divides pk − 1. Let E ′ be a twist of E of such that r divides #E ′ (Fpd ) for some d | k. If d < k we define G2 to be the unique subgroup of order r on E ′ (Fpd ) [10]. If d = k (in which case E ∼ = E′) we define G2 to be the cyclic subgroup of E[r] on which the p-power Frobenius of E acts as multiplication by p. The degree d of the extension field can always be k/2 if k is even. In fact we prefer k to be even as it enables the important denominator elimination optimization in the pairing calculation [2]. Furthermore if the elliptic curve has a complex multiplication (CM) discriminant of −3 and 6 | k, then we can choose d = k/6. Similarly if the curve has a CM discrimant of −4, and 4 | k, then we can choose d = k/4. Clearly the smaller the degree of the extension field Fpd , the easier it will be to manipulate points on G2 . It is well known that the number of points on an elliptic curve E satisfies #E(Fp ) = p + 1 − t, where t is the trace of the Frobenius, which obeys the Hasse √ bound | t |≤ 2 p. Consider now points whose coordinates are defined over an extension field Fpm , and the number of such points on the same elliptic curve [13]. It is well known for example, that #E(Fp2 ) = p2 + 1 − (t2 − 2p), #E(Fp3 ) = p3 + 1 − (t3 − 3tp). In the general case the number of points can be calculated by the following simple algorithm [13]:

104

M. Scott et al.

Algorithm 1. Returns #E(Fpm ) Input: m, p, t: m a positive integer, p a prime, t the trace of Frobenius of an elliptic curve E defined over Fp . Output: #E(Fpm ). 1: τ0 ← 2 2: τ1 ← t 3: for i ← 1 to m − 1 do 4: τi+1 ← t · τi − p · τi−1 5: end for 6: q ← pm 7: τ ← τm 8: return q + 1 − τ

To represent the group G2 we like to use an isomorphic group on a twisted curve over the smallest possible extension field. The number of points on the twisted curve can also easily be determined from the output of Algorithm 1. For example the following formulæ are for quadratic, quartic and sextic twists: quadratic: #E ′ (Fq ) = q + 1 + τ ;  quartic: #E ′ (Fq ) = q + 1 − f1 where f1 = 4q − τ 2 ; ′ sextic: #E (Fq ) = q + 1 − (3f2 + τ )/2 where f2 = (4q − τ 2 )/3,

where q = pm and τ is the trace of the q-power Frobenius on E as calculated in Algorithm 1. See [10] for more details. To hash to a point in G2 , the standard approach would be to first hash to a general point on E ′ (Fpd ) and then multiply by the cofactor c = #E ′ (Fpd )/r. Consider now a pairing-friendly curve with k = 10, d = 5 and r ≈ p. In this case, using the quadratic twist, this cofactor c would be of a size in bits approximately the same as p4 . This would be prohibitively slow. Here we will show, that the same outcome can be achieved in all cases with the equivalent work of a multiplication by a value less than p, and in some cases much less than p.

3

A Fast Cofactor Multiplication Algorithm for G2

The issue of fast cofactor multiplication of points on E ′ (Fpd ) was briefly considered for the case of Barreto-Naehrig (BN) curves [3] by Galbraith and Scott [8, Section 8]. Here we generalise and extend their idea. In that paper the authors introduce the homomorphism ψ = φ−1 πp φ, where φ : E ′ → E is the isomorphism which takes us from the twisted curve E ′ (Fpd ) to the isomorphic group on E(Fpk ) as actually required by the pairing algorithm, and πp is the p-power Frobenius map on E. Note that ψ(P ) can be calculated very quickly. General points on E ′ (Fpd ) obey the identity [7, Theorem 1]: ψ 2 (P ) − [t]ψ(P ) + [p]P = 0.

Fast Hashing to G2 on Pairing-Friendly Curves

105

Our main idea is to first express the cofactor c to the base p c = c0 + c1 · p + c2 · p2 ... and then use the identity [p]P = [t]ψ(P ) − ψ 2 (P )

(1)

repeatedly if necessary to reduce the cofactor multiplication to a form [c0 + p(c1 + p(c2 + ...))]P = [g0 ]P + [g1 ]ψ(P ) + [g2 ]ψ 2 (P ) + ........

(2)

where all of the gi are less than p. Observe that [c1 ·p]P = [c1 ·t]ψ(P )−[c1 ]ψ 2 (P ), and that c1 ·t may be of a size in bits 50% larger than p (recall that t can be up to half the size of p as a consequence of the Hasse condition). Further applications of the homomorphism may therefore be necessary to effect a complete reduction. The end result is a recoding of c from a base p representation to a base ψ(·) representation, with all coefficients less than p. The number of terms in the representation increases with each application of the identity (1) so in some circumstances we will also find the following identity to be useful: Φk (ψ(P )) = 0,

(3)

where Φk is the kth cyclotomic polynomial. This identity allows terms of degree greater than or equal to ϕ(k) (the Euler totient function) to be replaced with terms of lower degree. In the case that k = de and (d, e) = 1, we observe that the twisting isomorphism φ defining a twist of degree e can be chosen so that the twisted curve E ′ is actually defined over Fp (in this case φ is defined over Fpe ). In this case, the cofactor c can be factored into h · c1 , where c1 = #E ′ (Fp ). The endomorphism πp′ − 1 (where πp′ is the p-power Frobenius map on E ′ ) projects into the subgroup of #E ′ (Fpd ) of order h · r, thus we only need to perform a multiplication by h to obtain a point of order r. In this case, our algorithm only needs to be applied to the smaller factor h.

4

The Application to Ordinary Pairing-Friendly Elliptic Curves

The most general method to construct a pairing-friendly elliptic curve is to use the method of Cocks-Pinch [4]. These curves, however, suffer from a ρ ratio that is close to 2, where ρ = lg(p)/ lg(r). It is more efficient to use the smallest possible field which supports a pairing-friendly group, so we would prefer ρ to be close to 1. It is therefore usually preferred to choose instead from one of the families of pairing-friendly curves identified by numerous authors, and collated together in the taxonomy paper of Freeman et al. [6]. These often have a ρ value closer to 1, and many are of the desirable low CM discriminant form. These families also share another feature – the prime modulus p, the group r and the trace t are all described as

106

M. Scott et al.

rather simple polynomials. It is our aim to exploit this simple form in a systematic way to further speed up the cofactor multiplication required for hashing to G2 . Before proceeding we need to formally describe the method of the previous section as an algorithm for reducing the cofactor multiplication to the evaluation of a polynomial of the powers ψ i (P ), with coefficients less than p. When p is itself expressed as a polynomial p(x), these coefficients can in turn be calculated as polynomials in x, and this we choose to do as it leads to further optimizations. In these cases the cofactor c itself can also be calculated and presented as a polynomial in x. However we emphasise that the basic idea (with minor modifications) applies equally to non-parameterised Cocks-Pinch curves. See algorithm 2. For a step-by-step walk-through of the algorithm, see the section on MNT curves below. Algorithm 2. Reduction of the cofactor c(x) to base ψ(·) Input: k, p(x), t(x), and c(x) : embedding degree k and polynomials p(x), t(x), c(x) parameterising the field size, trace, and G2 cofactor of a pairing-friendly elliptic curve, respectively. Output: g0 (x), g1 (x).....gϕ(k)−1 (x): deg gi (x) < deg p(x) will be coefficients of a base ψ(·) representation of the cofactor c(x). 1: f ← ⌊deg(c(x))/ deg(p(x))⌋ 2: ♦ First express c(x) to the base p 3: for i ← 0 to f do 4: ci (x) ← c(x) mod p(x) 5: c(x) ← c(x) div p(x) 6: end for 7: ♦ Make first pass to determine the coefficients gi of c(x) to the base ψ(·), using equation (1). 8: for j ← 0 to f do 9: g2j ← 0, g2j+1 ← 0 10: for i ← 0 to j do   11: gj+i ← gj+i + ji t(x)j−i (−1)i cj (x) 12: end for 13: end for 14: ♦ Make a second pass to finally force all coefficients to have degree < deg p 15: g2f +1 ← 0, g2f +2 ← 0 16: for j ← 1 to 2f do 17: w(x) ← gj (x) div p(x) 18: gj (x) ← gj (x) mod p(x) 19: gj+1 (x) ← gj+1 (x) + t(x)w(x) 20: gj+2 (x) ← gj+2 (x) − w(x) 21: end for 22: ♦ Finally exploit equation (3); ai is the coefficient of xi in Φk (x) 23: for j ← 2f + 2 downto ϕ(k) do 24: for i ← 1 to ϕ(k) do 25: gj−i (x) ← gj−i (x) − aϕ(k)−i · gj (x) 26: end for 27: gj (x) ← 0 28: end for

Fast Hashing to G2 on Pairing-Friendly Curves

4.1

107

Algorithm 2 Summary

Algorithm 2 takes the integer k, and the polynomials p(x), t(x) and c(x), where p(x) and t(x) parameterise the field size of definition and trace respectively of pairing-friendly curve with embedding degree k. The polynomial c(x) parameterises the hard part of the multiplication to be performed to obtain a point of order r on the twist of the elliptic curve. The first step is to recode c(x) to the base p(x) (lines 3–6) then using this representation of c(x), recode c(x) to the base ψ(·) (lines 8–13). The coefficients of the base ψ(·) representation are computed using the coefficients of the base p(x) representation and the appropriate coefficients of the equation [pl ]P =

l  l  i

t(x)l−i (−1)i ψ l+i (P ),

i=0

obtained by applying induction on equation (1). Once c(x) has been written to base ψ(·), the coefficients gi (x) are checked. If deg gi (x) ≥ deg p(x) then the identity [p]P = [t]ψ(P ) − ψ 2 (P ) is reapplied (lines 15–20). Finally the relation (3) is exploited to obtain a base ψ(·) representation of c(x) of degree < φ(k) (lines 22–27). We now proceed to use this algorithm to find a faster way to perform the cofactor multiplication required to hash to a point of order r in G2 . We proceed on a case-by-case basis for certain selected popular families of pairing-friendly elliptic curves.

5

The MNT Curves

The MNT pairing-friendly elliptic curves were introduced by Miyaji et al. [14]. MNT curves can have embedding degrees 3, 4 or 6 and ρ = 1. For the k = 6 case the prime p, the group order r and the trace of Frobenius parameters are expressed as: p(x) = x2 + 1; r(x) = x2 − x + 1; t(x) = x + 1.

There exists no x such that the curve generated using these parameters has a CM discriminant of −3, so only a quadratic twist is possible. Here G2 is a group of points of order r on E ′ (Fp3 ). The cofactor is c(x) = (p(x)3 + 1 + t(x)3 − 3t(x)p(x))/r(x), which in this case works out to be c(x) = x4 + x3 + 3x2 . Applying algorithm 2 step-by-step we first represent c(x) to the base p(x) (lines 3–6 of algorithm 2): c(x) = p2 (x) + (x + 1)p(x) + (−x − 2).

108

M. Scott et al.

Now apply equation (1) to each term involving a power of p(x), and use it to express [c(x)]P in base ψ(·) form (lines 8–13 of the algorithm). [−x − 2]P + [x2 + 2x + 1]ψ(P ) + [x2 + x]ψ 2 (P ) + [−2x − 2]ψ 3 (P ) + ψ 4 (P ). As can be seen some of the coefficients are still of the same degree as p(x), so apply equation (1) again (lines 15–20) to get [−x − 2]P + [2x]ψ(P ) + [2x]ψ 2 (P ) + [−x − 2]ψ 3 (P ). All of the polynomial coefficients are now fully reduced modulo p(x). From equation (3) we know that ψ 2 (P ) = ψ(P ) − P , and by substituting this identity twice for ψ 2 (P ) into the above (lines 22–27), we find that multiplication of a general point P by c(x) can be completed by calculating the point ψ(4xP ) − 2xP, which requires only one multiplication by x, two point doublings, one application of the homomorphism and a further point addition. The savings compared with a direct multiplication of P by c(x) are obvious. We can do slightly better still. As discussed in Section (3), since k = 2 · 3 and gcd(2, 3) = 1 it is possible to choose the quadratic twist E ′ to be defined over Fp . As such, there must be a subgroup of points of E ′ (Fp3 ) which are defined over Fp (that is, the points of E ′ (Fp )). The number of points on E ′ (Fp3 ) must therefore have as a factor p(x) + 1 + t(x), and indeed in this case c(x) = (p(x) + 1 + t(x)) · x2 . As explained in Section (3), the first part of the cofactor multiplication by p(x) + 1 + t(x) can be performed by using the Frobenius endomorphism on the twisted curve P ← π ′ (P ) − P, leaving only a further multiplication by x2 . Using our algorithm this can be evaluated as simply ψ(xP ).

6

The BN Curves

The BN family of pairing-friendly curves [3] has embedding degree 12, and is parameterised as follows: p(x) = 36x4 + 36x3 + 24x2 + 6x + 1; r(x) = 36x4 + 36x3 + 18x2 + 6x + 1; t(x) = 6x2 + 1. In this case the cofactor multiplication can be effected as [8] ψ(6x2 P ) + 6x2 P + ψ(P ) − ψ 2 (P ). The major work here is the point multiplication by 6x2 . Since BN curves are plentiful it is not hard to find a value of x with a very low Hamming weight

Fast Hashing to G2 on Pairing-Friendly Curves

109

(as is already commonly done to optimize the main Miller loop of the pairing algorithm), and this will further speed the calculation, as the point multiplication will consist largely of point doublings, which are significantly faster than point additions in most curve and point representations.

7

Freeman Curves

In [5] a construction is suggested for pairing-friendly elliptic curves of embedding degree 10. p(x) = 25x4 + 25x3 + 25x2 + 10x + 3; r(x) = 25x4 + 25x3 + 15x2 + 5x + 1; t(x) = 10x2 + 5x + 3. These curves are much rarer than the BN curves, and unfortunately it is not feasible to choose x to have a particularly small Hamming weight. Furthermore since the embedding degree is 10, the best that can be done for G2 is to represent it as a group of points on E ′ (Fp5 ). This is a particularly large and rather awkward extension, and the cofactor multiplication threatens to be a large one. In fact c(x) in this case works out as the rather intimidating polynomial: c(x) = 390625x16 + 1562500x15 + 4062500x14 + 7421875x13 + 10750000x12 + 12593750x11 + 12356250x10 + 10203125x9 + 7178125x8 + 4284375x7 + 2171000x6 + 920250x5 + 322400x4 + 89875x3 + 19120x2 + 2740x + 217. Again this has p(x) + 1 + t(x) as a factor; if we use again the idea in Section (3) and choose the quadratic twist E ′ to be defined over Fp then the multiplication by p(x) + 1 + t(x) can be handled by the transformation P ← π ′ (P ) − P , and so the “hard-part” of the cofactor can be reduced to: h(x) = 15625x12 + 46875x11 + 93750x10 + 128125x9 + 138125x8 + 116875x7 + 80875x6 + 44875x5 + 20225x4 + 7075x3 + 1880x2 + 325x + 31. Applying our algorithm we find that multiplying P by h(x) can be expressed as: [g0 (x)]P + [g1 (x)]ψ(P ) + [g2 (x)]ψ 2 (P ) + [g3 (x)]ψ 3 (P ), where g0 (x) = −5x2 − 10x − 2;

g1 (x) = −25x3 − 20x2 − 10x − 4; g2 (x) = 3; g3 (x) = −25x3 − 10x2 − 5x.

110

M. Scott et al.

At this stage we could substitute for x and use a simultaneous multiple point multiplication algorithm [9]. A better idea is to instead calculate xP , x2 P = x · xP , x3 P = x · x2 P , and then ψ i (P ), ψ i (xP ), ψ i (x2 P ) and ψ i (x3 P ) for i = 1 to 3. Then the calculation becomes [25](−ψ 3 (x3 P ) − ψ(x3 P )) + [20](−ψ(x2 P )) + [10](−ψ 3 (x2 P ) − ψ(xP ) − xP ) +[5](−ψ 3 (xP ) − x2 P ) + [4](−ψ(P )) + [3]ψ 2 (P ) + [2](−P ), which can be considered as 25A + 20B + 10C + 5D + 4E + 3F + 2G, when A, B, C, D, E, F and G are calculated using just 4 extra point additions. The optimal way to proceed is to form the smallest addition sequence which includes all of the small multipliers in the above: {1, 2, 3, 4, 5, 10, 20, 25}. In this case it is easily done – only a 1 needs to be added to the start. Now we apply the Olivos algorithm [15], (see also [1, Section 9.2]) to find the optimal sequence of point additions and doublings to finally effect the cofactor multiplication. T0 ← A + B T1 ← A + D

T0 ← 2 · T0 T0 ← T0 + C

T0 ← 2 · T0 T1 ← T0 + T1 T0 ← T1 + E T0 ← 2 · T0

T0 ← T0 + G T0 ← T0 + F

T1 ← T1 + F T0 ← 2 · T0

T0 ← T0 + T1 .

The final result is in T0 . This part of the calculation requires only 9 extra point additions and 4 point doublings.

8

KSS Curves

Kachisa et al. [11] described a new method for generating pairing-friendly elliptic curves.

Fast Hashing to G2 on Pairing-Friendly Curves

8.1

111

The k = 8 Family of Curves

Here are the parameters for the family of k = 8 KSS curves: p(x) = (x6 + 2x5 − 3x4 + 8x3 − 15x2 − 82x + 125)/180; r(x) = (x4 − 8x2 + 25)/450; t(x) = (2x3 − 11x + 15)/15.

For these curves ρ = 3/2. As for BN curves, x can be chosen to have a low Hamming weight. Proceeding as above we find g0 (x) = (2x5 + 4x4 − x3 + 50x2 + 65x − 36)/6;

g1 (x) = (2x5 + 4x4 − x3 − 7x2 − 25x + 75)/6; g2 (x) = (−15x2 − 30x − 75)/6.

A minor difficulty arises due to the common denominator of 6 which occurs here. We suggest a simple solution – complete the hashing to G2 with the point multiplication [6 · c(x)]P ; this still results in a point of order r as 6 and r are coprime. Now the denominator can be ignored. To complete the calculation we need an addition sequence which includes all of the integer coefficients that arise here: {1, 2, 4, 5, 6, 7, 10, 15, 25, 30, 36, 50, 65, 75}, where the underlined numbers are the extra numbers included to complete the sequence. Proceeding as for the Freeman curve case, the computation using this addition sequence can be completed with 18 point additions and 5 point doublings. 8.2

The k = 18 Family of Curves

Here are the parameters for the family of k = 18 KSS curves: p(x) = (x8 + 5x7 + 7x6 + 37x5 + 188x4 + 259x3 + 343x2 + 1763x + 2401)/21; r(x) = (x6 + 37x3 + 343)/343; t(x) = (x4 + 16x + 7)/7. For these curves ρ = 4/3 and again, as for the BN curves x can in practise be chosen with a low Hamming weight. Proceeding again as above we find g0 (x) = (−5x7 − 26x6 − 98x5 − 381x4 − 867x3 − 1911x2 − 5145x − 5774)/3;

g1 (x) = (−5x7 − 18x6 − 38x4 − 323x3 − 28x2 + 784x)/3; g2 (x) = (−5x7 − 18x6 − 38x4 − 323x3 + 1029x + 343)/3;

g3 (x) = (−11x6 − 70x5 − 98x4 − 176x3 − 1218x2 − 2058x − 686)/3;

g4 (x) = (28x2 + 245x + 343)/3.

112

M. Scott et al.

Using the same reasoning as in the KSS k = 8 case, we actually evaluate [3 · c(x)]P to remove the awkward denominator of 3. In this case the best addition sequence we could find that includes all of the coefficients was: {1, 2, 3, 5, 7, 8, 11, 18, 26, 28, 31, 38, 45, 69, 70, 78, 98, 176, 245, 253, 323, 343, 381, 389, 686, 784, 829, 867, 1029, 1218, 1658, 1911, 2058, 4116, 5145, 5774}, which can be used to complete the calculation in 51 point additions and 5 point doublings.

9

Discussion

It may be sometimes preferable to select a slightly longer addition sequence which trades additions for doublings since in most cases (dependent on the curve representation and the projective coordinate method used) point doublings are significantly faster than point additions. The situation is complex, however, and requires further study. For example, if doubling or adding a point on E ′ (Fp5 ) it is likely that affine coordinates will in fact be faster than any kind of projective coordinates, in which case, using the standard short Weierstrass representation, additions may actually be faster than doublings [9]. Addition-subtraction sequences may also be an attractive alternative in other cases.

10

Conclusions

We have suggested a method for deriving a point in G2 , a point on E ′ (Fpd ) of order r, given an initial hashing to a general point on E ′ (Fpd ), the twist of an ordinary pairing-friendly elliptic curve. The proposed method is significantly faster than the naive approach which would require multiplication by a very large cofactor.

Acknowledgement Thanks to Robert Granger and Steven Galbraith for suggestions and comments. We would also like to acknowledge the anonymous referees for their suggestions. We would especially like to thank David Freeman, whose support and guidance is much appreciated.

References 1. Avanzi, R., Cohen, H., Doche, D., Frey, G., Lange, T., Nguyen, K., Vercauteren, F.: Handbook of Elliptic and Hyperelliptic Curve Cryptography. Chapman and Hall/CRC, Boca Raton (2006) 2. Barreto, P.S.L.M., Kim, H.Y., Lynn, B., Scott, M.: Efficient algorithms for pairingbased cryptosystems. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 354–368. Springer, Heidelberg (2002)

Fast Hashing to G2 on Pairing-Friendly Curves

113

3. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006) 4. Blake, I.F., Seroussi, G., Smart, N.P. (eds.): Advances in Elliptic Curve Cryptography, vol. 2. Cambridge University Press, Cambridge (2005) 5. Freeman, D.: Constructing pairing-friendly elliptic curves with embedding degree 10. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 452–465. Springer, Heidelberg (2006) 6. Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/2006/372 7. Galbraith, S., Lin, X., Scott, M.: Endomorphisms for faster elliptic curve cryptography on a large class of curves. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 518–535. Springer, Heidelberg (2009) 8. Galbraith, S., Scott, M.: Exponentiation in pairing-friendly groups using homomorphisms. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 211–224. Springer, Heidelberg (2008) 9. Hankerson, D., Menezes, A., Vanstone, S.: Guide to Elliptic Curves Cryptography. Springer, Heidelberg (2004) 10. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Transactions on Information Theory 52(10), 4595–4602 (2006) 11. Kachisa, E., Schaefer, E., Scott, M.: Constructing Brezing-Weng pairing-friendly elliptic curves using elements in the cyclotomic field. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 126–135. Springer, Heidelberg (2008) 12. Lee, E., Lee, H.-S., Park, C.-M.: Efficient and generalized pairing computation on abelian varieties. Cryptology ePrint Archive, Report 2008/040 (2008), http://eprint.iacr.org/2008/040 13. Menezes, A.: Elliptic Curve Public Key Cryptosystems. Kluwer Academic Publishers, Dordrecht (1993) 14. Miyaji, A., Nakabayashi, M., Takano, S.: New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals E84-A(5), 1234– 1243 (2001) 15. Olivos, J.: On vectorial addition chains. Journal of Algorithms 2, 13–21 (1981)

Compact E-Cash and Simulatable VRFs Revisited Mira Belenkiy1 , Melissa Chase1 , Markulf Kohlweiss2, and Anna Lysyanskaya3 1

Microsoft Research {mibelenk,melissac}@microsoft.com 2 KU Leuven, ESAT-COSIC / IBBT [email protected] 3 Brown University [email protected]

Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a random oracle. To this end we construct efficient GS proofs for signature possession, pseudo randomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial sized output domain (in the security parameter).

1

Introduction

Since their invention [BFM88] non-interactive zero-knowledge proofs played an important role in obtaining feasibility results for many interesting cryptographic primitives [BG90, GO92, Sah99], such as the first chosen ciphertext secure public key encryption scheme [BFM88, RS92, DDN91]. The inefficiency of these constructions often motivated independent practical instantiations that were arguably conceptually less elegant, but much more efficient ([CS98] for chosen ciphertext security). We revisit two important cryptographic results of pairing-based cryptography, compact e-cash [CHL05] and simulatable verifiable random functions [CL07], that have very elegant constructions based on non-interactive zero-knowledge proof systems, but less elegant practical instantiations. Our results combine the best of both worlds, a clean design and an efficient implementation. Compact e-cash. Electronic cash (e-cash) was introduced by Chaum [Cha83] as an electronic analogue of physical money and has been a subject of ongoing research since then [CFN90, FY92, CP93, Bra93, SPC95, FTY96, Tsi97]. The participants in an e-cash system are users who withdraw and spend e-cash; a H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 114–131, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Compact E-Cash and Simulatable VRFs Revisited

115

bank that creates e-cash and accepts it for deposit, and merchants who offer goods and services in exchange for e-cash, and then deposit the e-cash to the bank. The main security requirements are (1) anonymity: even if the bank and the merchant and all the remaining users collude with each other, they still cannot distinguish Alice’s purchases from Bob’s; (2) unforgeability: even if all the users and all the merchants collude against the bank, they still cannot deposit more money than they withdrew. Unfortunately, it is easy to see that, as described above, e-cash is useless. The problem is that here money is represented by data, and it is possible to copy data. Unforgeability will guarantee that the bank will only honor at most one of copy of a given coin for deposit and will reject the others. Anonymity will guarantee that there is no recourse against such a cheating Alice. So one of the merchants will be cheated. There are two known remedies against this doublespending behavior. The first remedy is on-line e-cash [Cha83], where the bank is asked to vet a coin before the spend protocol can terminate successfully. The second remedy is off-line e-cash, introduced by Chaum, Fiat and Naor [CFN90]. The additional requirement of an offline e-cash system is (informally) that no coin can be double-spent without revealing the identity of the perpetrator. A further development in the literature on e-cash was compact e-cash [CHL05]. In compact e-cash, the user withdraws N coins in a withdrawal protocol whose complexity is O(log N ) rather than O(N ). Similarly, the resulting wallet requires storage size (log N ) rather than O(N ). The main idea is as follows: in the withdrawal protocol, a user obtains the Bank’s signature on (x, s, t), where s and t are random seeds of a pseudorandom function (PRF) F(·) (·) and x is the user’s identifier. In the spend protocol, a serial number of the ith coin is computed as S = Fs (i), and a double spending equation is computed as T = x+RFt (i), where R is a random challenge by the merchant. The coin itself consists of (S, T, R, π), where π is a non-interactive zero-knowledge proof of knowledge of the following values: x, s, t, i, σ where σ is the Bank’s signature on (x, s, t), 1 ≤ i ≤ N , S = Fs (i) and T = x + RFt (i) mod q. If g is a generator of a group G of order q, and G is the range of the PRF F(·) (·), then the double-spending equation can instead be computed as T = g x Ft (i)R . It is easy to see that two doublespending equations for the same t, i but different R’s allow us to compute g x . It was shown that this approach yields a compact e-cash scheme [CHL05]. Later, this was extended to so-called e-tokens [CHK+ 06] that allow up to k anonymous transactions per time period (for example, this would correspond to subscriptions to interactive game sites or anonymous sensor reports). Thus, we see that compact e-cash and variants such as e-tokens can be obtained from a signature scheme, a pseudorandom function, and a non-interactive zero-knowledge (NIZK) proof system for the appropriate language. However, until now no efficient instantiations of the NIZK proofs could be given, and all practical instantiations of compact e-cash had to derive the non-interactive proofs from interactive proofs via the Fiat-Shamir heuristic [FS87] which is known not to yield provably secure constructions [GK03]. It seemed that, perhaps, random

116

M. Belenkiy et al.

oracle based techniques were necessary to achieve such schemes efficiently. We show here that this is not the case. Challenges and Techniques. Until the recent proof system of Groth and Sahai [GS07], there were no efficient NIZK proof systems for languages most heavily used in cryptographic constructions (such as languages of true statements about discrete logarithm representations and bilinear pairings). However, constructing an efficient provably-secure compact e-cash scheme is not simply a matter of replacing the Fiat-Shamir based NIZK proofs with the Groth-Sahai system. There are several issues that arise when we attempt to apply the Groth-Sahai proofs. First, recall that the Groth-Sahai system only works for proofs of particular types of statements. Thus, we must find a PRF and a signature scheme where verification can be phrased in terms of such statements. In the case of the PRF, we use a modification of the Dodis-Yampolskiy VRF [DY05], which outputs elements of bilinear group G1 . We show that this is secure under the assumption that DDHI holds in this group.1 For the signature scheme, we note that verification of Boneh-Boyen signatures [BB04b] can be phrased as a pairing product equation. However, as noted in Belenkiy et al. [BCKL08], because Groth-Sahai proofs are only partially extractable, we need a stronger unforgeability. Here we need that it be impossible to produce F (m), Signsk (m) for an unsigned message m, where F (m) is a value that can be extracted from a commitment to m. Belenkiy et al. gave a construction which satisfies this definition, but only allows signatures on a single message. We need the bank to be able to sign multiple message blocks, thus we extend that construction to construct a multi-block P-signature scheme. We also show that issuing can be done efficiently using more recent techniques given in [BCC+ 09]. (The original [BCKL08] construction relied on general two party computation for arithmetic circuits.) We also need to be able to prove that the coin value falls within a given range. The original Camenisch et al. construction uses a technique by [Bou00], which relies on the fact that the underlying RSA group has unknown order. Groth-Sahai proofs, on the other hand, rely on the cryptographic bilinear group model, and it is not known how to construct such groups with unknown order. Thus, we must use a different technique for our range proofs. We follow the basic concept of [TS06, CCS08], and implement the range proofs using the new P-signatures mentioned above. Finally, while Groth and Sahai present a NIZK proof system for a large class of statements, their simpler witness indistinguishable proof system is much more efficient. Thus, we specifically design our protocols to use NIZK proofs only when necessary. As a result, we obtain a construction that is almost competitive in efficiency with the original Camenisch et al. construction. E-cash construction. Our construction is in the common parameters model and relies on several number-theoretic assumptions. Our first building block is a signature scheme and an unconditionally binding commitment scheme that 1

We note that the original Camenisch et al. [CHL05] construction used a similar PRF based on DDHI in a standard prime order group (without a bilinear map). They then proved correctness of each PRF output using the Fiat-Shamir heuristic.

Compact E-Cash and Simulatable VRFs Revisited

117

allows for an efficient proof of knowledge of a signature on a set of committed values, as well as for an efficient protocol for getting a committed value signed. This is done by extending the P-signature construction of Belenkiy et al. [BCKL08], which only allows to sign single values, and incorporating the techniques from [BCC+ 09]. In our construction we will also use P-signatures, together with the techniques of [CCS08] (that relied on interactive proofs) to obtain efficient non-interactive interval proofs. Our second building block is a pseudorandom function and an unconditionally binding commitment scheme Com(., .) (the same as for the P-signature scheme) with an efficient proof system for the serial number S and the double spending tag T . Simulatable verifiable random functions. Our main observation is that the NIZK proof for a compact e-cash serial number, a proof of the language LF = {S, Cy , Cs | ∃s, y, rs , ry such that S = Fs (y), Cy = Com(y, ry ), Cs = Com(s, rs )} is a special case of a simulatable verifiable random function (sVRF), introduced by Chase and Lysyanskaya [CL07]. Chase and Lysyanskaya gave an efficient construction of a multi-theorem non-interactive zero-knowledge proof system for any language L from a single-theorem one for the same language (while other single-theorem to multi-theorem transformations required the CookLevin reduction [Coo71] to an NP-complete language first). Chase and Lysyanskaya [CL07] gave two constructions for sVRFs. The first is based on generic non-interactive zero-knowledge proofs and is therefore impractical. The second construction is based on composite order bilinear pairings [BGN05, FST06], and has several shortcomings. In particular, its range is either only logarithmic in the security parameter or it is only weakly simulatable. Our fully simulatable construction is thus more efficient by a factor of the security parameter; it is also designed in a way that is more modular and therefore easier to understand (and improve). Finally, it relies on a somewhat weaker assumption. Therefore, we believe this result will be of independent interest. Our contribution and outline of the paper. We present the first P-signature scheme for multiple messages, the first fully simulatable VRF with polynomial sized output domain, and the first efficient compact e-cash scheme that does not rely on random oracles. (The security of conventional e-cash was, e.g., studied in [JLO97, STS99, Tro05].) The rest of the paper is organized as follows. In Section 2 we discuss our assumptions and recall useful results about non-interactive zero-knowledge. In Section 3 we define and construct our new P-signature scheme for message blocks. Section 4 and Section 5 revisit simulatable verifiable random functions and compact e-cash respectively.

2

Preliminaries

In this section we list our assumptions and recall some useful results about noninteractive zero-knowledge proofs (NIZK).

118

M. Belenkiy et al.

A function ν is negligible if, for every integer c, there exists an integer K such that for all k > K, |ν(k)| < 1/k c. A problem is said to be hard (or infeasible) if there exists no probabilistic polynomial time (p.p.t.) algorithm to solve it. Bilinear Pairings. Let G1 , G2 , and GT be groups of prime order p. The map e : G1 × G2 → GT must satisfy the following properties: (a) Bilinearity: a map e : G1 × G2 → GT is bilinear if e(ax , by ) = e(a, b)xy ; (b) Non-degeneracy: for all generators g ∈ G1 and h ∈ G2 , e(g, h) generates GT ; (c) Efficiency: There exists a p.p.t. algorithm BMGen(1k ) that outputs (p, G1 , G2 , GT , e, g, h) to generate the bilinear map and an efficient algorithm to compute e(a, b) for any a ∈ G1 , b ∈ G2 . Assumptions. The security of our scheme is based on previously proposed number-theoretic assumptions. The unforgeability of our P-signature construction relies on the TDH [BCKL08] and the HSDH [BW07] assumptions; pseudorandomness is based on the q-DDHI assumption [BB04a, CHL05]; and the zero-knowledge of the Groth-Sahai proof system rests on the XDH or DLIN assumption [GS07]. Defi nition 1 (Triple DH). On input g, g x , g y ∈ G1 , h, hx ∈ G2 , and {ci , g 1/(x+ci ) }i=1...q for random x, y, and c1 , . . . , cq , it is computationally infeasible to output a tuple (hµx , g µy , g µxy ) for µ = 0. Definition 2 (Hidden SDH). On input g, g x, u ∈ G1 , h, hx ∈ G2 and {g 1/(x+cℓ) , hcℓ , ucℓ }ℓ=1...q for random x and c1 , . . . cq , it is computationally infeasible to output a new tuple (g 1/(x+c) , hc , uc ). 2

q

Definition 3 (q-DDHI). On input g, g α , g α , . . . g α ∈ G for a random α ← 1 Zp , it is computationally infeasible to distinguish g α from a random element of G with probability non-negligibly better than 1/2. Our sVRF requires that the q-DDHI assumption holds either in G1 or G2 . Without loss of generality we fix this group to be G1 . Note that this is slightly stronger than the assumption used in [DY05] to construct an efficient VRF (there the 1 challenge is e(g, h) α or a random element of GT ). However, it is still weaker than the BDHBI assumption used in the sVRF construction in [CL07]. Composable Non-Interactive Proofs. We review composable non-interactive proof systems. Let R(·, ·) be any polynomial-time computable relation. A noninteractive proof system for an NP language allows a prover to convince a verifier of the truth of the statement ∃x : R(y, x) about instance y using witness x. Non-interactive proof systems use a common reference string params as output by Setup(1k ) that is common input to both the π ← Prove(params, y, x) and accept/reject ← Verify(params, x, π) algorithms. This notion can be generalized for a relation R(params, y, x) parameterized by params. Informally, zero-knowledge captures the notion that a verifier learns nothing from the proof but the truth of the statement. Witness-indistinguishability is a weaker notion that guarantees that the verifier learns nothing about which witness was used in the proof.

Compact E-Cash and Simulatable VRFs Revisited

119

In a composable (under the definition of Groth and Sahai [GS07]) noninteractive witness indistinguishable proof system there exists a SimSetup algorithm that outputs params together with a trapdoor sim, such that (1) params output by SimSetup are indistinguishable from those output by Setup; (2) the output of Prove using these parameters is perfectly witness-indistinguishable (in other words, even if there are two witnesses to a statement, they induce identical distributions on the proofs). Composable non-interactive zero-knowledge further means that there exists an algorithm SimProve that outputs a simulated proof using sim and the output of SimProve is distributed identically to that of Prove when given the simulated parameters. The big advantage of a composable definition is that it is fairly simple and easy to work with, and yet it still implies the standard multi-theorem definitions. Composable proofs about commitments. The prover and verifier frequently get some set of commitments (C1 , . . . , Cn ) as common input. The prover wants to show that a statement about instance y = (C1 , . . . , Cn , Condition) holds. The witness to the statement is (x1 , open1 , . . . , xn , openn , z), where (xi , openi ) is the opening of commitment Ci , while z is some value that has nothing to do with the commitments. The relation is R = {(params, y, x)|C1 = Com(params, x1 , open1 ) ∧ . . . ∧ Cn = Com(params, xn , openn ) ∧ Condition (params, x1 , . . . , xn , z)}. Summary of Groth-Sahai proofs. Groth and Sahai [GS07] give a composable witness-indistinguishable proof system that lets us efficiently prove statements in the context of groups with bilinear maps. Let params BM = (p, G1 , G2 , GT , e, g, h) be the setup for pairing groups of prime order p. In a Groth-Sahai proof, the prover and the verifier both know {aq }q=1...Q ∈ G1 , {bq }q=1...Q ∈ G2 , t ∈ GT , and {αq,m }q=1...Q,m=1...M , {βq,n }q=1...Q,n=1...N ∈ Zp . In addition, they both know commitments {Cm }m=1...M and {Dn }n=1...N to values in G1 and G2 respectively. For each commitment Cm and Dn the prover knows the opening information and the committed value xm ∈ G1 or yn ∈ G2 respectively (m = 1...M , n = 1...N ). Groth-Sahai proofs prove that the values in these commitments fulfill the Q M N α β pairing product equation q=1 e(aq m=1 xmq,m , bq n=1 ynq,n ) = t.

Groth-Sahai commitments. Throughout the paper we will use Groth-Sahai commitments (GSCom) in our constructions. Under the parameters output by Setup they are perfectly binding. We will sometimes make use of the fact that they are also extractable.

3

A Multi-block P-Signature Scheme

Belenkiy et al. [BCKL08] intruduced signatures with efficient non-interactive proofs of signature possession. Their construction can only be used to sign a single message block. In this section, we briefly review the definition of a Psignature scheme and construct a multi-block P-signature scheme.

120

M. Belenkiy et al.

Before defining and constructing P-signatures, we recall some particulars about the way Belenkiy et al. use Groth Sahai proofs. In addition to the zeroknowledge or witness indistinguishability property they rely on the fact that they are partially extractable (f -extractable [BCKL08]) proofs of knowledge about committed values. By ‘x in C’ we denote that there exists open such that C = Com(x, open ). Following Camenisch and Stadler [CS97a] and Belenkiy et al. [BCKL08], we use the following notation to express an f -extractable NIPK for instance y = (C1 , . . . , Cn , Condition) with witness w = (x1 , open1 , . . . , xn , openn , z): π ← NIPK[x1 in C1 , . . . , xn in Cn ]{( f (params , (x1 , open1 , . . . , xn , openn , y) ) ) :

Condition(params , x1 , . . . , xn , z)}.

For such a proof there exists a polynomial-time extractor (ExtractSetup, Extract). ExtractSetup(1k ) outputs (td , params ) where params is distributed identically to the output of Setup(1k ). For all p.p.t. adversaries A, the probability that A(1k , params ) outputs (y, π) such that Verify(params , y, π) = accept and Extract(td , y, π) fails to extract f (params , (x1 , open1 , . . . , xn , openn , z)), such that xi is the content of the commitment Ci , and Condition(params , x1 , . . . , xn , z) is satisfied is negligible in k. Groth-Sahai proofs use commitments GSCom(x, open) that allow to extract the value x but not the opening open. In short, Groth-Sahai proofs are f extractable proofs of the following form M  N  NIPK[ xm in Cm m=1 , yn in Dn n=1 ]{(x1 , ..., xM , y1 , ..., yN ) : Q  q=1

e(aq

M  m=1

q,m , bq xα m

N 

ynβq,n ) = t}.

n=1

In our P-signature scheme we will commit to a message m ∈ Zp as Com(m, (open1 , open2 )) = (GSCom(hm , open1 ), GSCom(um , open2 )). Such a commitment allows to extract F (m) = (hm , um ). 3.1

Definition of Multi-block P-Signatures

A signature scheme consists of four algorithms: Setup, Keygen, Sign, and VerifySig. Setup(1k ) generates the public parameters params. Keygen(params) generates a signing key pair (pk , sk ). Sign(params, sk , m) computes a signature σ on m. VerifySig(params, pk , m, σ) outputs accept if σ is a valid signature on m, reject otherwise. We extend this definition to support multi-block messages m = (m1 , . . . mn ). Definition 4 (F -Secure Signature Scheme [BCKL08]). Let F be an efficiently computable bijection. With not necessarily efficient inverse F −1 . We say that a signature scheme is F -secure (against adaptive chosen message attacks) if it has the following properties: (a) Correctness: VerifySig always accepts a

Compact E-Cash and Simulatable VRFs Revisited

121

signature σ obtained using the Sign algorithm; (b) F -Unforgeability: no adversary should be able to output values (F1 , . . . , Fn , σ) such that for m = (F −1 (F1 ), . . . , F −1 (Fn )) algorithm VerifySig(params, pk , m, σ) = accept unless he has previously obtained a signature on m. Definition 5 (P-Signature Scheme [BCKL08]). A P-Signature scheme combines an F -secure signature scheme with a commitment scheme and three protocols: 1. An algorithm SigProve(params, pk , σ, m = (m1 , . . . , mn )) that generates commitments (C1 , . . . , Cn ) and a NIZK proof π ← NIPK[m1 in C1 , . . . , mn in Cn ]{ (F (m1 ), . . . F (mn ), σ) : VerifySig(params, pk , m, σ) = accept}, and the corresponding VerifyProof(params, pk , π, (C1 , . . . , Cn )) algorithm. 2. A composable non-interactive zero-knowledge proof system for proving equality of committed values, i.e., a proof of relation R = {(params, (x, y), (openx , openy )) | C = Com(params, x, openx ) ∧ D = Com(params, y, openy ) ∧ x = y}. 3. A secure two party computation [JS07] that lets a signer issue a signature on a committed message vector m without learning any information about m. The protocol consists of interactive algorithms SigIssue(params, sk , C1 , . . . Cn ) and SigObtain(params, pk , m, open1 , . . . , openn ). 3.2

Construction of a Multi-block P-Signature Scheme

We first construct an F -secure multi-block signature scheme. Setup(1k ). Let (p, G1 , G2 , GT , e, g, h) ← BMGen(1k ) be the parameters of a bilinear map, let u be an additional generator for G1 , and let params GS be the parameters for the corresponding Groth-Sahai NIZK proof system (either in the XDH or the DLIN setup). Output parameters params = ((q, G1 , G2 , GT , g, h), u, params GS , z = e(g, h)). Keygen(params) picks random α, β1 , . . . , βn ← Zp . The signer calculates v = hα , v˜ = g α , wi = hβi , w˜i = g βi , 1 ≤ i ≤ n. The secret-key is sk = (α, β). The public-key is pk = (v, w, v˜, w). ˜ The public key can be verified by checking that e(g, v) = e(˜ v , h) and e(g, wi ) = e(w˜i , h) for all i. Sign(params, (α, β), m) chooses a random r ← Zp \ {−(α + β1 m1 + · · · + βn mn )} and calculates σ1 = g 1/(α+r+β1 m1 +···+βn mn ) , σ2 = hr , σ3 = ur . The signature is (σ1 , σ2 , σ3 ). accept if VerifySig(params, ˜ m, (σ1 , σ2 , σ3 )) outputs n (v, w, v˜, w), e(σ1 , vσ2 i=1 wimi ) = z and e(u, σ2 ) = e(σ3 , h).

Theorem 1. Let F (m) = (hm , um ). The above signature scheme is F -secure given the HSDH and TDH assumptions. See the full version for the proof. We need to augment the multi-block signature scheme with the three P-Signature protocols.

122

M. Belenkiy et al.

1. SigProve(params, (v, w, v˜, w), ˜ (σ1 , σ2 , σ3 ), m) is defined as follows: We use Com to commit to the mi as follows: Com(mi , (openi,1 , openi,2 )) = (GSCom (hmi , openi,1 ), GSCom(umi , openi,2 )) = (Hi , Ui ) = Ci ; then we form the Groth-Sahai proof: π ← NIZK[hm1 in Hi , um1 in U1 , . . . , hmn in Hn , umn in Un ]{

(hm1 , um1 , w1m1 , . . . , hmn , umn , wnmn , σ1 , σ2 , σ3 ) : n e(σ1 , vσ2 i=1 wimi ) = z∧

˜i , hmi )e(g −1 , wimi ) = 1∧ e(u, σ2 )e(σ3 , h−1 ) = 1∧ {e(w e(u, hmi )e(umi , h−1 ) = 1}ni=1 } VerifyProof(params, pk , π, (C1 , . . . , Cn )) simply verifies the proof π. To see that the witness indistinguishable proof π is also zero-knowledge, the simulation setup sets u = g a . The simulator can then pick s,m1 , . . . mn ← Zp and compute σ1 = g 1/s . We implicitly set r = s − (α + ni=1 mi βi ). Note that the does not know  r and α. However, he can compute hr = nsimulator n mi r s s v i=1 w˜i mi )a . Now he can use hm1 , um1 , h /(v i=1 wi ) and u = u /(˜ m1 w1 ,. . . , hmn , umn , wnmn , σ1 , σ2 = hr , σ3 = ur as a witness and construct the proof π in the same way as the real Prove protocol. By the witness indistinguishability, a proof using the faked witnesses is indistinguishable from a proof using a real witness. See also [BCKL08]. 2. The second protocol is a proof of equality of committed values. It is of the form NIPK[x in C; y in D]{(x, y, hθ ) : e(x/y, hθ ) = 1 ∧ e(g, hθ ) = e(g, h)}. Groth and Sahai [GS07] show that such witness-indistinguishable proofs are also zero-knowledge. A simulator that knows the simulation trapdoor sim for the GS proof system can simulate the two conditions by setting θ to 0 and 1 respectively. In this way he can fake the proofs for arbitrary commitments. 3. The third protocol is a secure two-party computation for signing a committed value. One could use the same technique as in Belenkiy et al. [BCKL08] to reduce computing a signature to computing an arithmetic circuit using the Jarecki and Shmatikov [JS07] secure two-party computation protocol. Alternatively, we suggest the use of a more efficient protocol based on homomorphic encryption as for example done in [BCC+ 09, CKW04]. Theorem 2. The above construction is a secure P-Signature scheme given the HSDH and TDH assumption, either the SXDH or DLIN assumption, and the security of the two-party computation protocol. The proof follows from the F -unforgeability of the multi-block signature scheme and the security of the Groth-Sahai proofs, which depend on either the SXDH or DLIN assumptions. The zero-knowledge simulations are done as sketched above. For details we refer to [GS07, BCKL08, BCC+ 09].

Compact E-Cash and Simulatable VRFs Revisited

4

123

Strongly Simulatable Verifiable Random Functions

Here we present our new construction for sVRFs. Later, we will show that an extension of this construction (as described in sections 4.2 and 4.3) can be used to construct provably secure e-cash. At a high level, a sVRF is an extension of a pseudorandom function (PRF) (and also of a slightly weaker extension, called a VRF [MRV99]). It includes a key generation procedure that generates a seed for the PRF along with a corresponding public key. It also includes a proof system for proving that a particular output is correct with respect to a given input and a given public key. We require fairly strong hiding properties from this proof system – in particular, we do not want it to interfere with the pseudorandomness properties of the PRF. For the full definition, see [CL07]. 4.1

A New sVRF Construction

Our construction will be in the bilinear group setting where (p, G1 , G2 , GT , e, g, 1 h) ← BMGen(1k ). We will use the function Fs (x) = g s+x to build an effi2 cient Simulatable VRF. Note that the base function is similar to1 the DodisYampolskiy VRF [DY05], which uses the function Fs (x) = e(g, h) s+x and thus gives output in GT . Moving our function to output elements in G1 is the crucial step which allows us to use the Groth-Sahai proof techniques. Theorem 3. Let Dk ⊂ Z denote a family of domains of size polynomial in k. Let p, g, e, G1 , G2 , GT be as described above where |p| = k. If the DDHI as1 sumption holds in G1 , then the set {g s+x }x∈Dk is indistinguishable from the set {g rx }x∈Dk where s, {rx }x∈Dk are chosen at random from Zp . The proof is very similar to that in [DY05]. We will build an sVRF based on this function as follows: Setup(1k ). Let (p, G1 , G2 , GT , e, g, h) ← BMGen(1k ) be the parameters of a bilinear map and let params GS be the parameters for the corresponding GrothSahai NIZK proof system (either in the XDH or the DLIN setup). Output parameters params VRF = ((p, G1 , G2 , GT , g, h), params GS ). Keygen(params VRF ). Pick a random seed s ← Zp and random opening information opens , and output secret key sk = (s, opens ) and public key pk = GSCom(hs , opens ). Eval(params VRF , sk = (s, opens ), x). Compute y = g 1/(s+x) . Prove(params VRF , sk = (s, opens ), x). Compute y = g 1/(s+x) and Cy = GSCom( y, openy ) from random opening openy . Next create the following two proofs: π1 , a composable NIZK proof that Cy is a commitment to y; this is proof that the value v committed to in Cy fulfills the pairing product equation e(v/y, hθ ) = 1 ∧ e(g, hθ ) = e(g, h) (see [GS07] for details); π2 , a GS composable witness indistinguishable proof that Cy is a commitment to Y and pk is a commitment to S such that e(Y, Shx ) = e(g, h). Output π = (C, π1 , π2 ). 2

This function is also known as a Weak Boneh-Boyen signature [BB04b].

124

M. Belenkiy et al.

Verify(params, pk , x, y, π = (C, π1 , π2 )). Use the Groth-Sahai verification to Verify π1 , π2 with respect to C, x, pk , y. Theorem 4. This construction with domain size p is a strong sVRF under the q-DDHI for G1 and under the assumption that the Groth-Sahai proof system is secure. For proof, consult the full version of the paper. 4.2

A NIZK Protocol for Pseudo-random Functions

In some applications, we need something stronger than an sVRF. In our e-cash application, we need to be certain that the proofs will reveal no information about which wallet was used, which means that they should completely hide the seed used. Furthermore, we do not want to reveal which coin in the wallet is being spent, thus we also want to hide the input x. Thus, we will build a composable NIZK proof for the following language: LS = {Cs , Cx , y|∃x, s, openx , opens such that

Cs = Com(s, opens ) ∧ Cx = Com(x, openx ) ∧ y = Fs (x)}

Note that there are four points where an sVRF proof is weaker than a full NIZK proof. First, the sVRF public key is not guaranteed to hide the secret key, only to hide enough information to preserve the pseudorandomness of the output values. However, this is not a problem in the above construction, since our public key is formed as a commitment. Second, an sVRF has a fixed public key, while we want to be able to compute unlinkable proofs for many different values of the PRF. This again is not relevant in the above construction: since we form our public key using a commitment scheme, we can easily use a different value in each proof. Third, in the sVRF proof, the input x is given in the clear. We can fix this fairly easily by replacing x by a commitment and proof. The final difference is that the sVRF proof need not be fully zero knowledge - the sVRF simulator is given the secret key as input (in our construction, the opening of the commitment Cs ). We resolve this last point by adding extra commitments Cs′ , Cx′ (whose opening the zero-knowledge simulator will know), and zero-knowledge proofs that they commit to the same values as Cs , Cx . On input (Cs , Cx , y) and (x, s, openx , opens ) a NIZK proof of membership in LS is done as follows: We first compute commitment Cs′ to hs . Then we compute Cy , π1 as in the sVRF Prove protocol, with pk = Cs′ . Next we compute a commitment Cx′ to hx , and a GS composable witness-indistinguishable proof π2 that Cy is a commitment to Y , Cx′ is a commitment to X, and Cs′ is a commitment to S such that e(Y, SX) = e(g, h). Finally, to make the construction zero-knowledge, we add composable NIZK proofs πs and πx that Cs and Cs′ , and Cx and Cx′ are commitments to the same values. Let v be s or x, respectively. Then each proof is a proof that the values v and v ′ committed to in Cv and Cv fulfill the pairing product equation e(v/v ′ , hθ ) = 1 ∧ e(g, hθ ) = e(g, h). See [GS07] for why this is zero-knowledge. The final proof is π = (Cs′ , Cx′ , Cy′ , π1 , π2 , πs , πx ).

Compact E-Cash and Simulatable VRFs Revisited

125

The proof is verified using the Groth-Sahai verification techniques to check π1 , π2 , π3 , π4 with respect to Cs , Cx , y, Cs′ , Cx′ , Cy′ . Theorem 5. The above proof system is a secure composable zero knowledge proof system for the language LS (params), where params is output by Setup. For proof appears in the full version. 4.3

NIZK Proofs Doublespending Equations: A More Complex Language

In our application, we use NIZKs about PRFs in two different places. The first is to prove that a given serial number has been computed correctly as Fs (x) according to a committed seed s and committed input x. That can be done using the NIZK protocol described in the previous section. However, we also need to be able to prove that the doublespending value T has been computed correctly. Thus, we also need a proof system for the following language: LT = {Cs , Cx , Csk , tag, ch | ∃x, s, sk , openx , opens , opensk such that Cs = Com(s, opens ) ∧ Cx = Com(x, openx ) ∧ Csk = Com(sk , opensk ) ∧ tag = (g sk )ch Fs (x)} We can generalize our above proof system to handle this as well. For the construction see the full version. 4.4

Efficiency Comparison with Previous sVRF Construction

As described above, our sVRF proof requires 1 commitment in G1 , 1 GrothSahai proof, and one zero-knowledge proof of equality of values in G1 . Thus, if we instantiate the proofs under the SXDH assumption, our construction requires 14 elements of G1 and 14 elements of G2 to give a proof, and the sVRF outputs a random element of the group G1 . Note that the group size is exponential in the security parameter k, so this really produces k bits of pseudorandomness. We compare this to the previous contruction of sVRFs given by Chase and Lysyanskaya [CL07]. That construction was based on composite order bilinear groups. For the order of such groups to resist factorization they must be of a much greater size to achieve the same security as prime order groups. We assume a conservative factor of 5 for this difference3 . As pairing operations (and exponentiation) have cubic complexity, it is fair to assume that composite order pairings are at least two orders of magnitude slower than prime order pairings. In addition, the basic construction of [CL07] is only weakly simulatable: for each input value there was a certain restricted set of outputs for which the simulator could output a simulated proof. Finally, the simulator also required some trapdoor information about the desired output value (in the construction it was a discrete logarithm). In order to obtain full simulatability, in which the simulator 3

http://www.keylength.com/en/3/

126

M. Belenkiy et al.

could produce a simulated proof for any output value in the range of the function with no additional information, this result applied an extractor to the output of the weak sVRF to extract a single bit. The simulator could then sample values from the simulatable range together with some trapdoor information, until it had found one on which the extractor produced the appropriate bit. Clearly extending this approach to achieve more than O(log k) bits of randomness would be infeasible. Each proof generated by this construction requires 3 elements of the composite order group G. Thus, in order to produce k bits of randomness, even if we assume that we extended the construction to extract log k bits, we would need k/ log k proofs, for a total of 3 ∗ k/ log k elements of G.

5

New Compact E-Cash Scheme

We construct a compact e-cash scheme using our multi-block P-signatures and sVRF protocols. Compact e-cash as defined by Camenisch et al. [CHL05] lets a user withdraw multiple e-coins simultaneously. There are three types of players: a bank B as well as many users U and merchants M (though merchants are treated as a special type of user). Please refer to [CHL05] for protocol specifications and a definition of security.4 We now show how to construct compact e-cash. CashSetup(1k ). The setup runs SigSetup(1k ) and returns the P-signature parameters params. Our construction is non-blackbox: we reuse the GS NIPK proof system parameters params GS that are contained in params. The parameters params GS in turn contain the setup for a bilinear pairing params BM = (p, G1 , G2 , GT , e, g, h) for a paring e : G1 × G2 → GT for groups of prime order p. BankKG(params, n). The bank creates two P-signature key pairs, (pk w , sk w ) ← SigKeygen(params) for issuing wallets and (pk c , sk c ) ← SigKeygen(params) for signing coin indices. Then the bank computes a P-signature on the n coin indices Σ1 , . . . , Σn , where Σi = SigSign(sk c , i).5 The bank’s secret-key is sk B = (sk w , sk c ) and the bank’s public-key is (pk w , pk c , Σ1 , . . . , Σn ). UserKG(params). The user picks sk U ← Zp∗ and returns (pk U = e(g, h)sk U , sk U ). Merchants generate their keys in the same way but also have a publicly known identifier idM = f (pk M ) associated with their public keys (f is some publicly known mapping). 4

5

The original [CHL05] definition had an interactive Spend protocol, while we break it up into two non-interactive protocols: SpendCoin(params, W , pk M, info) and VerifyCoin(params, pk M, pk B, coin). The merchant sends the user a info, the user runs SpendCoin and gives the resulting e-coin for the merchant to verify using VerifyCoin. We prefer to use a non-interactive spend protocol because often twoway communication is not available or impractical, e.g. when sending an e-coin by email. This will allow us to use the range proof approach from [TS06] and [CCS08], where a user proves that a value (the coin index) is in a list (the list {1, . . . , N }) by proving knowledge of a signature on that value.

Compact E-Cash and Simulatable VRFs Revisited

127

Withdraw(U(params, pk B , sk U , n), B(params, pk U , sk B , n)). The user withdraws a wallet of coins from the bank. 1. The user picks s′ , t′ ← Zp ; computes commitments commsk = Com(sk U , opensk U ), comms′ = Com(s′ , opens′ ), and commt′ = Com(t′ , opent′ ); and sends commsk , comms′ , and commt′ to the bank. The user proves in zero-knowledge that he knows the opening to these values, and that commsk corresponds to the secret key used for computing pk U .6 2. If the proofs verify, the bank sends the user random values s′′ , t′′ ∈ Zp . 3. The user picks random opens , opent , commits to comms = Com(s′ + s′′ , opens ), and commt = Com(t′ + t′′ , opent ), sends comms and commt to the bank, and proves that they are formed correctly. Let s = s′ + s′′ and t = t′ + t′′ . 4. The user and bank run SigObtain(params, pk w , (sk U , s, t), (opensk , opens , opent )) ↔ SigIssue(params, sk w , (commsk , comms , commt )) respectively. The user obtains a P-signature σ on (sk U , s, t). The user stores the wallet W = (s, t, pk B , σ, n); the bank stores tracing information TW = pk U . SpendCoin(params, (s, t, pk B , σ, J), pk M , info). The user calculates a serial number S = Fs (J) = g 1/(s+J) . The user needs to prove that he knows a signature σ on (sk U , s, t) and a signature ΣJ on J such that S = Fs (J). Next the user constructs a double-spending equation T = (g idM info )sk U Ft (J).7 The user proves that T is correctly formed for the sk U , t, J, signed in σ and ΣJ . All these proofs need to be done non-interactively. We now give more details. The user runs SigProve, first on σ and pk w to obtain commitments and proof ((Cid , Cs , Ct ), π1 ) ← SigProve(params, pk w , σ, (sk U , s, t)) for sk U , s, t respectively and second on ΣJ and pk c to obtain commitment and proof (CJ , π2 ) ← SigProve(params, pk c , ΣJ , J) for J. Then the user constructs non-interactive zero-knowledge proofs that indeed (S, T, Cid , Cs , Ct , CJ , idM info) are well formed. This is done by computing two proofs πF and πT : πF proves that (Cs , CJ , S) ∈ LS and is computed as described in Section 4.2, where LS is defined as: LS = {Cs , Cx , y|∃x, s, openx , opens such that Cs = Com(s, opens ) ∧ Cx = Com(x, openx ) ∧ y = Fs (x)}; 6

7

These and the rest of the proofs in the issue protocol can be done using efficient sigma protocols [CS97b, Dam02] and their zero-knowledge compilers [Dam00]. The merchant is responsible for assuring that info is locally unique. Coins which have the same serial number and the same idMinfo cannot be deposited and the damage lies with the merchant. The dangers that users get cheated by verifiers that do not accept coins with correct info can be mitigated using techniques such as endorsed e-cash [CLM07].

128

M. Belenkiy et al.

πT proves that (Ct , CJ , Cid , T, (idM |info)) ∈ LT and is computed as described in Section 4.3, where LT is defined as: LT = {Cs , Cx , Csk , tag, ch | ∃x, s, sk , openx , opens , opensk such that Cs = Com(s, opens ) ∧ Cx = Com(x, openx )∧ Csk = Commit(sk , openxsk ) ∧ tag = (g sk )ch Fs (x)} . The user outputs a coin = (S, T, Cid , Cs , Ct , CJ , π1 , π2 , πS , πT , idM info). VerifyCoin(params, pk M , pk B , coin). To verify parses coin as (S, (T, Cid , Cs , Ct , CJ , π1 , π2 , πS , πT ), idM ′ info) and checks that the following checks succeed: (1) Check that idM ′ = f (pk M ). (2) SigVerify(params, pk w , π1 , (Cid , Cs , Ct )) = accept. (3) SigVerify(params, pk c , π2 , CJ ) = accept. (4) VerifyLS ( params GS , (Cs , CJ , S), πS ) = accept. (5) VerifyLT (params GS , (Ct , CJ , Cid , T, (idM info)), πT ) = accept. Note that the merchant is responsible for assuring that info is unique over all of his transactions. Otherwise his deposit might get rejected by the following algorithm. Deposit(params, pk B , pk M , coin, state B ). The algorithm parses the coin as coin = (S, T, Cid , Cs , Ct , CJ , π1 , π2 , πS , πT , idM info) and performs the same checks as VerifyCoin. The bank maintains a database state B of all previously accepted coins. The output of the algorithm is an updated database state ′B = state B ∪ {coin} and the flag result, that is computed as follows: (i) If the coin verifies and if no coin with serial number S is stored in state B , result = accept to indicate that the coin is correct and fresh. The bank deposits the value of the e-coin into the merchant’s account and adds coin to state B . (ii) If the coin doesn’t verify or if there is a coin with the same serial number and the same idM info already stored in state B , result = merchant to indicate that the merchant cheated. The bank refuses to accept the e-coin because the merchant failed to properly verify it. (iii) If the coin verifies but there is a coin with the same serial number S but different idM info in state B , result = user to indicate that a user doublespent. The bank pays the merchant (who accepted the e-coin in good faith) and punishes the double-spending user. Identify(params, pk B , coin 1 , coin 2 ) allows the bank to identify a doublespender. Parse coin 1 = (S, (T, Cid , Cs , Ct , CJ , π1 , π2 , πS , πT ), idM1 info 1 ) ′ , Cs′ , Ct′ , CJ′ , π1′ , and coin 2 = (S ′ , (T ′ , Cid ′ ′ ′ π2 , πS , πT ), idM 2 info 2 ). The algorithm aborts if one of the coins doesn’t verify, if S = S ′ , or if idM 1 info 1 = idM 2 info 2 . Otherwise, the algorithm outputs TW = pk U = e((T /T ′ )1/(idM 1 info 1 −idM 2 info 2 ) , h) , which the bank compares to the trace information it stores after each withdrawal transaction.

Compact E-Cash and Simulatable VRFs Revisited

129

Theorem 6. This e-cash scheme is a secure compact e-cash scheme given the security of the P-signature scheme, the PRF, and the Groth-Sahai NIZK proof system. In the full version we provide a proof and a performance analysis of our scheme. Acknowledgements. Belenkiy, Chase, and Lysyanskaya acknowledge the support of NSF grants 0831293, 0627553, and 0347661. Markulf Kohlweiss was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT and IST programmes under the following contracts: ICT-216483 PRIMELIFE, ICT-216676 ECRYPT II, and IST-015964 AEOLUS.

References [BB04a]

[BB04b] [BCC+ 09]

[BCKL08]

[BFM88]

[BG90]

[BGN05]

[Bou00]

[Bra93] [BW07]

[CCS08]

Boneh, D., Boyen, X.: Efficient selective id secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56– 73. Springer, Heidelberg (2004) Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS. Springer, Heidelberg (2009) Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008) Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications (extended abstract). In: STOC 1988, Chicago, Illinois, May 2-4, pp. 103–112 (1988) Bellare, M., Goldwasser, S.: New paradigms for digital signatures and message authentication based on non-interative zero knowledge. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer, Heidelberg (1990) Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-dnf formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005) Boudot, F.: Efficient proofs that a committed number lies in an interval. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000) Brands, S.: An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, CWI (April 1993) Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007) Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)

130

M. Belenkiy et al.

[CFN90]

Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990) [Cha83] Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, pp. 199–203. Plenum Press, New York (1999) [CHK+ 06] Camenisch, J., Hohenberger, S., Kohlweiss, M., Lysyanskaya, A., Meyerovich, M.: How to win the clonewars: efficient periodic n-times anonymous authentication. In: CCS 2006, pp. 201–210. ACM Press, New York (2006) [CHL05] Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005) [CKW04] Camenisch, J., Koprowski, M., Warinschi, B.: Efficient blind signatures without random oracles. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 134–148. Springer, Heidelberg (2005) [CL07] Chase, M., Lysyanskaya, A.: Simulatable vrfs with applications to multitheorem nizk. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 303–322. Springer, Heidelberg (2007) [CLM07] Camenisch, J., Lysyanskaya, A., Meyerovich, M.: Endorsed e-cash. In: IEEE Symposium on Security and Privacy, pp. 101–115 (2007) [Coo71] Cook, S.A.: The complexity of theorem-proving procedures. In: STOC 1971, pp. 151–158. ACM, New York (1971) [CP93] Chaum, D., Pedersen, T.P.: Transferred cash grows in size. In: Rueppel, R.A. (ed.) EUROCRYPT 1992. LNCS, vol. 658, pp. 390–407. Springer, Heidelberg (1993) [CS97a] Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski, B. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997) [CS97b] Camenisch, J., Stadler, M.: Proof systems for general statements about discrete logarithms. Technical Report TR 260, Institute for Theoretical Computer Science, ETH Z¨ urich (March 1997) [CS98] Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998) [Dam00] Damg˚ ard, I.: Efficient concurrent zero-knowledge in the auxiliary string model. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 431–444. Springer, Heidelberg (2000) [Dam02] Damg˚ ard, I.: On Σ-protocols (2002), http://www.daimi.au.dk/~ivan/Sigma.ps [DDN91] Dolev, D., Dwork, C., Naor, M.: Non-malleable cryptography (extended abstract). In: STOC 1991, pp. 542–552 (1991) [DY05] Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005) [FS87] Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) [FST06] Freeman, D., Scott, M., Teske, E.: A taxonomy of pairing-friendly elliptic curves. Cryptology ePrint Archive, Report 2006/372 (2006), http://eprint.iacr.org/

Compact E-Cash and Simulatable VRFs Revisited [FTY96]

[FY92]

[GK03]

[GO92]

[GS07] [JLO97]

[JS07]

[MRV99] [RS92]

[Sah99]

[SPC95]

[STS99]

[Tro05]

[TS06]

[Tsi97]

131

Frankel, Y., Tsiounis, Y., Yung, M.: Indirect discourse proofs: Achieving efficient fair off-line E-cash. In: Kim, K.-c., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 286–300. Springer, Heidelberg (1996) Franklin, M., Yung, M.: Towards provably secure efficient electronic cash. Technical Report TR CUSC-018-92, Columbia University, Dept. of Computer Science (April 1992); Also in: Lingas, A., Carlsson, S., Karlsson, R. (eds.): ICALP 1993. LNCS, vol. 700. Springer, Heidelberg (1993) Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS 2003, pp. 102–115. IEEE Computer Society Press, Los Alamitos (2003) Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993) Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups (2007), http://eprint.iacr.org/2007/155 Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures (extended abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997) Jarecki, S., Shmatikov, V.: Efficient two-party secure computation on committed inputs. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 97–114. Springer, Heidelberg (2007) Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: FOCS 1999, pp. 120–130. IEEE Computer Society Press, Los Alamitos (1999) Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991, vol. 576, pp. 433–444. Springer, Heidelberg (1992) Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553. IEEE Computer Society Press, Los Alamitos (1999) Stadler, M., Piveteau, J.-M., Camenisch, J.: Fair blind signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 209–219. Springer, Heidelberg (1995) Sander, T., Ta-Shma, A.: Auditable, anonymous electronic cash extended abstract. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 555– 572. Springer, Heidelberg (1999) Trolin, M.: A universally composable scheme for electronic cash. In: Maitra, S., Veni Madhavan, C.E., Venkatesan, R. (eds.) INDOCRYPT 2005. LNCS, vol. 3797, pp. 347–360. Springer, Heidelberg (2005) Teranishi, I., Sako, K.: k-times anonymous authentication with a constant proving cost. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T.G. (eds.) PKC 2006. LNCS, vol. 3958, pp. 525–542. Springer, Heidelberg (2006) Tsiounis, Y.S.: Efficient Electonic Cash: New Notions and Techniques. Ph.D thesis, Northeastern University, Boston, Massachusetts (1997)

Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures Georg Fuchsbauer and David Pointcheval ´ Ecole normale sup´erieure, LIENS - CNRS - INRIA, Paris, France http://www.di.ens.fr/{~fuchsbau,~pointche}

Abstract. We give a generic methodology to unlinkably anonymize cryptographic schemes in bilinear groups using the Boneh-Goh-Nissim cryptosystem and nizk proofs in the line of Groth, Ostrovsky and Sahai. We illustrate our techniques by presenting the first instantiation of anonymous proxy signatures (in the standard model), a recent primitive unifying the functionalities and strong security notions of group and proxy signatures. To construct our scheme, we introduce various efficient nizk and witness-indistinguishable proofs.

1

Introduction

One of the major concerns of modern cryptography is anonymity. Group signatures [CvH91] for example allow members to sign on behalf of a group while remaining anonymous. Other concepts to which anonymity is central are hierarchical group signatures [TW05], identity escrow [KP98] and anonymous credentials [Cha85], to mention only a few. The main issue of these concepts is to demonstrate that a user is entitled to perform a certain task, while not revealing anything about his identity. Zero-knowledge proofs provide the means to do so: prove something without leaking any further information. In particular, non-interactive zero-knowledge (nizk) proofs [BFM88] have enjoyed numerous applications to achieve anonymity. Substantial progress has been made in recent years in making nizk proofs efficient and thus applicable to practical schemes: Groth et al. [GOS06b] show how to efficiently non-interactively prove that a bgn-ciphertext [BGN05] (cf. Sect. 2) encrypts 0 or 1. Although conceived for purely theoretical purposes, their techniques were used by Boyen and Waters in [BW06] to construct compact group signatures, which they improve in [BW07]. In a different line of research—which has been unified with the one based on bgn in [GS08]—, Groth et al. [GOS06a] based nizk proofs on a commitment scheme building on linear encryption [BBS04]. The latter is an extension of ElGamal encryption to bilinear groups1 and is semantically secure under the decisional linear assumption (dlin). Keys for gos-commitments are basically linear encryptions of either 0 or 1, with the encrypted value determining whether 1

The decisional Diffie-Hellman assumption (ddh), on which ElGamal relies, does not hold in symmetric bilinear groups.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 132–149, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Proofs on Encrypted Values in Bilinear Groups

133

the resulting commitments are perfectly hiding or perfectly binding. Since both types of keys are indistinguishable by dlin, they inherit a computational version of the other’s property from one another. This scheme has given rise to a multitude of practical nizk proof systems (see e.g. the full version of [Gro06] for an impressive demonstration of its power), practical implementations of fully-secure group signatures [Gro07] without random oracles [BR93], as well as the introduction of new primitives such as noninteractive anonymous credentials in [BCKL08]. Our Contributions. All the above analyses required ad-hoc security proofs. When extending anonymity to more complex protocols, these proofs quickly become too intricate—unless one manages to provide a generic way to anonymize a large class of proofs. Such a generic anonymization is our first contribution; we generalize the ideas of [BW06, BW07] to bgn-encrypt proofs (and in particular signatures) and prove validity of the encrypted values, for the following category of schemes: the relations checked by the verification algorithm are equations consisting exclusively of products of pairings. (Actually, this is the case for most signature schemes in bilinear groups such as Boneh-Boyen’s short signatures [BB04] or Waters’ scheme [Wat05].) We give a methodology to construct proofs demonstrating that encrypted values satisfy certain relations, and show that these proofs do not leak information on the plaintexts, nor additional relations about the plaintexts—providing thus anonymity (unlinkability and untraceability). Moreover, given a set of ciphertexts and a corresponding proof, then without knowledge of the plaintexts, one can re-encrypt (or re-randomize) the ciphertexts and adapt the proof to the new encryptions. In particular, re-randomizations of two sets of ciphertexts and proofs are indistinguishable. This yields a generic method to anonymize schemes in an unlinkable way, such as group signatures (“full anonymity” of the schemes in [BW06] and [BW07] is an immediate consequence of our results), fair contract signing [ASW00], or verifiable encryption [BGLS03], as shown in Sect. 3.2. Since we use encryption to achieve anonymity, the decryption key provides a trapdoor to revoke anonymity in case of abuse, as required by primitives such as group signatures. In order to illustrate our methodology and to demonstrate its power, our second contribution is the first concrete implementation of anonymous proxy signatures in the standard model. This primitive was recently introduced by Fuchsbauer and Pointcheval [FP08a], who while giving practical applications merely prove theoretical feasibility. It merges group signatures with proxy signatures [MUO96], generalizing the strong security notions of both (in particular, [BMW03, BSZ05] for group signatures and [BPW03] for proxy signatures). Proxy signatures allow consecutive delegation of signing rights while publicly providing the identities of the delegators and the signer with the signed document. Anonymous proxy signatures require that these identities remain hidden: nobody can tell who actually signed or re-delegated, but still anyone can verify that the proxy signer was indeed entitled (via a chain of delegations) to do so. Traceability, i.e. the fact that an authority can revoke anonymity, deters from misuse.

134

G. Fuchsbauer and D. Pointcheval

We slightly simplify the model of [FP08a], in that we consider one general opener (instead of having each user choose his own) and anonymity against adversaries without opening oracles (c pa -anonymity [BBS04], a common notion for practical standard-model group signature schemes). Furthermore, we introduce a maximal number of possible delegations. We emphasize that this variant still directly yields dynamic hierarchical group signatures satisfying non-frameability (i.e., the group manager cannot produce signatures that open to a user), while [BW07] only consider the static and non-hierarchical case where the group manager knows every member’s secret key. Overview. We recall some results from the literature on pairing-based cryptography in Sect. 2 and present our methodology in Sect. 3. Before presenting our full scheme in Sect. 5, we mainly focus on constructing a (non-anonymous) scheme for consecutive signature delegations (Sect. 4) to which our methodology can then readily be applied. Its main building block is a signature scheme secure against existential forgeability under chosen message attacks (euf-cma) [GMR88], capable of signing public keys for the scheme itself, and whose verification procedure falls in a certain class. The security of the scheme relies on a new assumption presented in Sect. 4.3. The scheme uses a zero-knowledge proof of knowledge [DP92], which we introduce in Sect. 4.2 and of which we sketch an instantiation in Sect. 6. In order to achieve the strong security notions, we design the proof system to satisfy weak simulation soundness, a relaxation of the concept introduced by Sahai [Sah99].

2

Preliminaries

We briefly recapitulate the employed concepts from the literature and refer to the cited works for more details. A (symmetric) bilinear group is a tuple (n, G, GT , e(·, ·), g) where G and GT are two cyclic groups of order n and g is a generator of G. Furthermore, e(·, ·) is a non-degenerate bilinear map G × G → GT , i.e. ∀ u, v ∈ G ∀ a, b ∈ Z : e(ua , v b ) = e(u, v)ab and e(g, g) is a generator of GT . The Subgroup Decision Assumption and BGN-Encryption [BGN05] Let the group order |G| = n = pq be a product of two primes p and q. The subgroup decision assumption (sd) states that no probabilistic polynomial-time (p.p.t.) adversary not knowing the factorization of n can with non-negligible probability distinguish a random element of G from a random element of Gq , the subgroup of order q. The subgroup decision assumption implies semantic security of the following encryption scheme: The public key is the bilinear group (not revealing the factors of its order) and an element h ∈ Gq . The secret key is q, i.e. the factorization of the group order. To encrypt a message m ∈ {0, . . . , T }, with T < p, choose r ← Zn and compute the ciphertext C := g m hr . Since h is of order q, we have C q = (g m hr )q = (g q )m , so m can be recovered by computing loggq C q = m. The Decisional Linear Assumption and Linear Encryption [BBS04] Let (p, G, GT , e) be a bilinear group; let f, h, g be generators of G. We call a

Proofs on Encrypted Values in Bilinear Groups

135

triple (c1 , c2 , c3 ) ∈ G3 linear w.r.t. to the basis (f, h, g) iff there exist r, s ∈ Zp such that c1 = f r , c2 = hs , c3 = g r+s . The decisional linear assumption (dlin) states that no p.p.t. adversary can distinguish random linear triples w.r.t. a random basis from random triples; that is, given (g, g x , g y , g xr , g ys ) for random x, y, r, s, it is hard to distinguish g r+s from a uniformly random element in G. Assuming dlin, the following encryption scheme is secure: Choose a secret key (x, y) ← (Z∗p )2 and publish pk := (f := g x , h := g y , g). To encrypt a message m ∈ G, choose r, s ← Zp and compute Enc(pk, m; (r, s)) := (f r , hs , mg r+s ). Any −1 −1 (u, v, w) can be decrypted by computing u−x v −y w = g −r g −s mg r+s = m. GOS-Commitments [GOS06a]. The following homomorphic commitment scheme is based on linear encryption: The commitment key is a public key for linear encryption (f, h, g) and a triple (u, v, w) which is an encryption of either 1 or g (i.e., (f ru , hsv , g ru +sv ) or (f ru , hsv , g ru +sv +1 ) for random ru , sv ∈ Zp ). The first leads to a perfectly hiding key, while the latter constitutes a perfectly binding key. Now Com((f, h, g, u, v, w), m; (r, s)) := (um f r , v m hs , wm g r+s ) is a commitment to m ∈ Zp for random r, s. Note that for perfectly hiding keys for any message m this is a random encryption of 0 while in the binding case, it encrypts g m .

3

The Leak-Tightness Lemma

In [BW07], Boyen and Waters use the following strategy to construct efficient group signatures without random oracles: First, they construct two-level hierarchical signatures (a.k.a. certified signatures) that satisfy unforgeability (“traceability”), such that signatures consist of group elements only and can be verified by checking pairing-product equations (cf. Lemma 1). They then convert the scheme into a group signature scheme, obtaining anonymity by bgn-encrypting the signature components and adding proofs for the plaintexts satisfying the verification equations. Considerable effort is then dedicated to showing that their specific proofs do not leak information on the plaintexts. In fact, as shown by the following lemma, proofs of this kind generally do not leak any additional information on the encrypted values. Thus, full anonymity of [BW06] and [BW07] follows immediately from the lemma. We first state the—somewhat technical—results and clarify their relevance in the subsequent discussion. Lemma 1 (Leak tightness). Let (n, G, GT , e, g) be a bilinear group, and let m satisfy a aj , bj ∈ G, δj,i , εj,i ∈ Zn for 1 ≤ j ≤ ℓ, 1 ≤ i ≤ m. Let (Xi )m i=1 ∈ G pairing-product equation E(aj ,bj )j that is E(aj

,bj )j

(X1 , . . . , Xm ) :

ℓ

j=1

 m m ε  δ e aj i=1 Xi j,i , bj i=1 Xi j,i = 1l .

ρi m  1. Let H ∈ G, (ρi )m for 1 ≤ i ≤ m satisfy i=1 ∈ Zn . Then Xi := Xi H    δ      εj,i = e H, PE (Xi ), (ρi ) ,  j,i , bj  X e aj i X i i i j

˜ (E)

136

G. Fuchsbauer and D. Pointcheval

  where PE (Xi ), (ρi ) :=    δ      ε  (aj i Xi j,i ) εj,i ρi (bj i Xi j,i ) δj,i ρi H ( δj,i ρi )( εj,i ρi ) . j

2. Given (Xi ) and (Xi′ ) both satisfying E, and (ρi ), (ρ′i ), s.t. for all 1 ≤ i ≤ m: ′ Xi H ρi = Xi′ H ρi , then     PE (Xi ), (ρi ) = PE (Xi′ ), (ρ′i ) . 3. Let |G| = pq, let aj , bj , Xi ∈ Gp ; cj , dj , Yi ∈ Gq for all i, j. If (Xi ) satisfy E(aj ,bj )j and (Yi ) satisfy E(cj ,dj )j , then (Xi Yi ) satisfy E(aj cj ,bj dj )j . 4. Let furthermore H ∈ Gq and θ ∈ N be such that θ ≡ 1 (mod p) and θ ≡ 0  θ ) satisfy i ) ∈ G satisfy E ˜(a c ,b d ) for some PE , then (X (mod q). If (X i j j j j j E(aj ,bj )j . See the full version [FP08b] for the proof. We give a brief description of the lemma’s content: Let (Xi ) be a vector of group elements satisfying relation E; think of the Xi ’s as components of a digital signature and E being the verification i as defined in (1) is a bgn-encryption of Xi using relation. If H ∈ Gq then X  randomness ρi . Given (Xi ), the element PE can be seen as a proof that the i ) satisfy E, which is verified by checking E.  plaintexts in (X While (1) states that every proof constructed as described passes verification, i ) and PE satisfy E  in (4) ensures soundness: if there exists a PE such that (X θ  G, then their projections (Xi ) into Gp satisfy E in Gp . We will use this fact to reduce a forgery in an “anonymized” scheme in G to a forgery in an underlying scheme in Gp ; in [BW06] for example a forged group signature is translated to a forgery of a certified signature this way. If we have equations E(aj ,bj )j in Gp and E(cj ,dj )j in Gq , and values (Xi ), (Yi ) satisfying them respectively, then their products satisfy equation E(aj cj , bj dj )j in G due to (3), which we will be useful in our simulations. Now the main result is (2): Assume H ∈ G, rather than in Gq , which is i indistinguishable by the subgroup decision (sd) assumption. In this case each X i , then for any potential plaintext is perfectly random: Given an “encryption” X i /Xi ) leading to X i . Now, (2) states Xi , there exists randomness ρi := logH (X  that given (Xi ), any vector of such pairs of plaintexts/randomness (Xi , ρi )m i=1 i ) leads to exactly the same proof PE , which means that the “explaining” (X proof leaks no information on the plaintext. Remark 1 (Unlinkably re-randomizing randomized values). Consider a vector (Xi ) satisfying E, but with right-hand side e(H, P ′ ) instead of 1l. Again, i ) satisfies E  with e(H, P ′ · PE ((Xi ), (ρi ))) as i := Xi H ρi for all i. Then (X let X  one can i ) satisfying E, right-hand side. So, given a proof P for randomized (X ′  re-randomize the (Xi ) using fresh ρi and adapt the proof (without knowledge of  (ρ′ )). If ((X i ), P ) and ((Yi ), P ′ ) the plaintexts!) by setting Pnew := P · PE ((X), i  then their re-randomizations are indistinguishable by sd and both satisfy E, Lemma 1(2).

Proofs on Encrypted Values in Bilinear Groups

3.1

137

The Waters Signature Scheme

We review the scheme from [Wat05] to sign messages M = (M1 , . . . , Mm ) ∈ {0, 1}m, which will be used several times in the remainder of the paper. Setup. Choose a bilinear group (n, G, GT , e, g). The parameters are g2 ← G∗ and a vector u := (u0 , u1 , . . . , um ) ← Gm+1 . Choose a secret key x ← Zm , and define the public key as X := g x .  Mi For convenience, we define the following function F (M ) := m i=1 ui . Signing. Choose r ← Zp and define the signature as σ := (g2x (u0 F (M ))r , g −r ). Verification. A signature σ = (σ1 , σ2 ) is accepted for a message M iff e(σ1 , g) e(u0 F (M ), σ2 ) = e(g2 , X) . Security. euf-cma follows from hardness of the computational Diffie-Hellman assumption (cdh) in the underlying group. 3.2

Applying Lemma 1 to Construct Verifiable Encryption

To exemplify our techniques, we construct a verifiable-encryption scheme in the standard model, which we only sketch due to space limitations. Suppose, we want to encrypt a signature and prove that the plaintext satisfies the signature verification relation. Lemma 1 lets us do so if the verification procedure consists merely of verifying pairing-product equations, as is the case for Waters’ scheme. Moreover, if the signatures are euf-cma then a similar property holds for encryption/proof pairs: Even after querying such pairs for messages of its choice, no adversary can produce a valid pair for a new message. We construct a scheme ES for encrypted signatures: Given a plain signature in scheme S, independently bgn-encrypt all its components and add a proof PE for each verification equation E, as defined in Lemma 1(1). Indistinguishability of the hidden elements follows from the sd assumption combined with (2): Replacing H ∈ Gq by a random element from the entire group G is indistinguishable by sd. Now the encryptions are perfectly random and the proofs do not reveal i ) leads to any information either; every hypothesis (Xi ) on the plaintexts of (X the same proof. Unforgeability of ES is inherited from scheme S defined in subgroup Gp : Lemma 1(3) allows us to simulate all oracle queries and (4) lets us transform a forgery in ES to a forgery in S; more precisely: Given an adversary A against ES in G, we construct B against S in Gp as follows: After receiving the parameters of S, B produces parameters and the public key for a twin instance TS of S, but in subgroup Gq (knowing thus the secret key). Then B constructs scheme ES in G whose parameters are the products of those of S and TS. Whenever A performs an oracle query, B splits all involved group elements (if any) into their components in Gp (by raising them to the θ-th power as in (4)) and their components in Gq by raising them to the power of θq , with θq ≡ 0 (mod p) and θq ≡ 1 (mod q). The p-parts are submitted to B’s own oracle, while

138

G. Fuchsbauer and D. Pointcheval

the action on the q-parts can be performed by B itself. The two results are then combined to a solution in G by multiplying them component-wise. (3) guarantees validity as the products satisfy the equations in group G when both components satisfy the equations in their respective subgroups. Finally, a forgery returned by A can be translated to one for S, again via (4), giving B the same success probability as A.

To further illustrate our methodology, we give an instantiation of “anonymous proxy signatures”. We first construct a (non-anonymous) delegation scheme whose verification relations satisfy the requirements of Lemma 1. To instantiate the generic concept of such a scheme, the most important tool is the following: a Lemma-1-compatible euf-cma-secure signature scheme, where the messages to be signed are vectors of public keys of the scheme itself.2 This is the main difference to previous certified-signature schemes (on which group signatures build), where the certification and the signature itself are not based on the same mechanism, excluding thus consecutive delegation. In order to motivate our proceeding we briefly review the notions from [FP08a] in the next section. 3.3

Definition and Security of Anonymous Proxy Signatures

In an anonymous proxy signature scheme, there are the following protagonists: The issuer enrolls users in the system, the users can delegate and sign on behalf of other users, and the opener is able to trace the hidden delegators and the signer from a proxy signature in case of misuse. The scheme consists of 7 algorithms: Setup produces the public parameters, the issuer’s secret key and the opening key. Algorithm UKGen is run by the users in order to produce a key pair, the public key of which is registered by the issuer running Enroll. A user can delegate her signing rights by producing a warrant with Dlg taking as input her secret key and the delegatee’s public key. Dlg also provides the possibility to re-delegate when given a warrant as additional argument. Now using a warrant, users can “proxy sign” messages running PSig, whereas the resulting signatures are verifiable via PVer using the first (“original”) delegator’s public key only. Algorithm Open allows the opener holding the opening key to reveal the delegators and the signer. We overview the required security notions and refer to the full version or [FP08a] for the rigorous definitions: Anonymity. The experiment for anonymity is the following: Consider an adversary getting the issuer’s key and who in a first phase returns an original delegator’s public key, two pairs consisting of a warrant and a secret key each, and a message. Now, flip a random bit and depending on the outcome give the adversary a signature produced using either the first or the second warrant/secret-key pair. Then as long as both warrants result from the same number of delegations 2

Note that we cannot simply hash the vector of messages and sign the hash value, as we will later encrypt the messages and prove that the signature is valid on the plaintexts.

Proofs on Encrypted Values in Bilinear Groups

139

and both lead to valid signatures, the adversary cannot decide the value of the flipped bit with probability more than a half. Traceability. No adversary, after enrolling arbitrarily many users via an Enrolloracle, can produce a signature which cannot be opened. Thus, every valid signature can be traced to registered users. Non-Frameability. No adversary, even when colluding with the issuer and the opener, can frame honest users. More precisely, give the adversary all keys returned by Setup, and oracles to create honest users and ask delegations and signatures of them—or adaptively corrupt them by asking their secret key. Then the adversary is not able to produce a valid signature whose opening yields an honest user for a delegation or a signing he has not been queried for. Remark 2. Remark 1 hints that our scheme actually achieves a stronger notion of anonymity where even to a delegatee the preceding delegators are anonymous.

4 4.1

A Consecutive Signature-Delegation Scheme Overview

A Generic Construction. The issuer and each user create a key pair for an euf-cma-secure signature scheme. To enroll a user, the issuer signs her public key, creating thus a certificate sent to the user. If user U1 wants to delegate U2 , she sends him a signature on her own and U2 ’s public key, called warrant. To re-delegate to U3 , U2 sends her his certificate cert2 received from the issuer, the warrant warr1→2 received from U1 , and warr1→2→3 , a signature on (pk1 , pk2 , pk3 ), the user’s public keys. Now to sign a message M on behalf of U1 , U3 produces a signature σ on (pk1 , pk2 , pk3 , M ). The (non-anonymous) proxy signature is Σ := (warr1→2 , pk2 , cert2 , warr1→2→3 , pk3 , cert3 , σ). Remark 3 (Delegating for specific tasks only). The scheme can easily be extended, so that delegation of signing rights can be done for specific tasks only— as proposed by [FP08a]—as follows: When delegating, sign (pk1 , . . . , pki , task) rather than the public keys only; likewise for proxy signing. The verification procedure takes the task tag as additional argument and the verification relations are adapted respectively. Instantiation. We instantiate the generic scheme by choosing Waters’ signature scheme (cf. Sect. 3.1) as euf-cma-secure scheme, which supports the hierarchical nature of the messages to be signed. Unfortunately, at the same time, this limits us to a fixed maximal number of delegations. The messages in the Waters scheme are bit-strings, while we need to sign vectors of public keys (i.e., group elements) for the scheme itself. We solve this shortcoming as follows: Instead of signing public keys, we sign the bits of the private keys—which the signer should obviously not learn. We take thus advantage of the fact that Waters signatures can be computed and verified without

140

G. Fuchsbauer and D. Pointcheval

 Mi is given inknowledge of the message if its hash value F = F (M ) = m i=1 ui stead. On the other hand, the assumption we introduce in Sect. 4.3 implies that the hash value hides enough information about the secret key. In particular, it states that the public key and the secret key’s hash look unrelated. The private key’s hash value can be precomputed by its owner and then be used directly by the delegator to produce a signature. We define thus the following two functions:3 FSig(x, F ) := (g2x (u0 F )r , g −r ) for random r ← Zp , FVer(X, F, (σ1 , σ2 )) = 1 iff e(σ1 , g) e(u0 F, σ2 ) = e(g2 , X) . Now we need to add a nizk proof of consistency of the hash with the corresponding public key, which we discuss in the next section. Anticipating, we note that the secret key must be extractable from such a proof, so we can reduce unforgeability of delegations (i.e., non-frameability) of our scheme to security of Waters signatures. We emphasize the fact that verifying the nizk proof must exclusively consist of checking pairing-product equations to be compatible with the Leak-Tightness Lemma. 4.2

ZK Proof of Equality of Logarithm and Hash Preimage

As mentioned above, in order to prove consistency of a public key X = g x with the hash value of its private key F = F (x), in Sect. 6 we construct a zero-knowledge proof system ΠX↔F for np-relation

 RX↔F := ((X, F ), x) X = g x , F = F (x) . The np-language LX↔F defined by it is then indistinguishable from G2 by the xf-assumption given in the next section. We require ΠX↔F to have the following properties: – Verification of a proof consists of checking pairing-product equations. – The proof is a proof of knowledge at the same time, i.e., we can extract witness x. Furthermore, extraction must be efficient and consequently cannot rely on rewinding techniques. – We can simulate proofs for any (possibly false) statements (g x1 , F (x2 )) without knowledge of (x1 , x2 ) – Even after seeing a simulated proof of a random (not necessarily true) statement, no adversary can produce a proof for a false statement; in addition, from every valid proof, the witness can still be extracted. This property, defined below, is a relaxation of the standard notion of simulation soundness where it is the adversary that chooses the statement to be simulated. 3

Note that FSig, FVer do not constitute a secure signature scheme on their own; a successful forgery must include the message’s bits (Mi )m i=1 s.t. F = F(. . . , Mi , . . .) in order to be reducible to cdh.

Proofs on Encrypted Values in Bilinear Groups

141

A nizk proof of knowledge is a tuple (K, P, V, Sim1 , Sim2 , Ext), where K generates the common reference string (crs) crs and P produces proofs that are verified via V. Simulator Sim1 outputs a crs, a trapdoor tr which allows Sim2 to simulate proofs, and an extraction key ek, used by Ext to extract the witness. Definition 2. A proof of knowledge Π = (K, P, V, Sim1 , Sim2 , Ext) for np- language L is weakly simulation sound if for every p.p.t. A the following probability is negligible in the security parameter λ:  Pr (crs, tr, ek) ← Sim1 (1λ ); y ← L ∪ L; π ← Sim2 (tr, y);

(y ∗ , π ∗ ) ← A(crs, (y, π)); w∗ ← Ext(ek, (y ∗ , π ∗ )) : y ∗ = y ∧ (y ∗ , w∗ ) ∈ / RL ∧ V(crs, y ∗ , π ∗ ) = 1



Weak simulation soundness (wss) is implied by the following strengthening of zero-knowledge, where the adversary trying to distinguish between a real and a simulated proof is now provided with an extraction oracle. Definition 3. A proof of knowledge Π = (K, P, V, Sim1 , Sim2 , Ext) is extraction zero knowledge if for every p.p.t. adversary A = (A1 , A2 ) we have:   zk-S Pr Expzk = negl(λ) , Π,A (λ) = 1] − Pr ExpΠ,A (λ) = 1]

with Expzk Π,A (λ)

λ

(crs, ek) ← K(1 ) (y, w, st) ← A1 (crs : Ext(ek, ·, ·)) π ← P(crs, y, w) b ← A2 (st, π : Ext(ek, ·, ·))

Expzk-S Π,A (λ) (crs, ek, tr) ← Sim1 (1λ ) (y, w, st) ← A1 (crs : Ext(ek, ·, ·)) π ← Sim2 (crs, tr, y) b ← A2 (st, π : Ext(ek, ·, ·))

Claim 1 (ezk implies wss). Let L be a language which no p.p.t. adversary can decide with non-negligible probability; let Π be an extraction-zero-knowledge proof of knowledge for L. Then Π is weakly simulation sound. Proof. Consider the following game: Game 0 (crs, ek) ← K(1λ ); (y, w) ← RL ; π ← P(crs, y, w); (y ∗ , π ∗ ) ← A(crs, (y, π)); w∗ ← Ext(ek, (y ∗ , π ∗ )); / RL ∧ V(crs, y ∗ , π ∗ ) = 1 return 1 iff y ∗ = y ∧ (y ∗ , w∗ ) ∈ Soundness of Π implies that A can win Game 0 with at most negligible probability. Now define Game 1 replacing K and P by Sim1 and Sim2 , respectively. Games 0 and 1 are indistinguishable by ezk, since a distinguisher can perfectly simulate the games because of its extraction oracle. Finally, a distinguisher between Game 1 and the wss game would contradict the assumption on L (neither game uses the witness w). ⊓ ⊔

142

4.3

G. Fuchsbauer and D. Pointcheval

The XF-Assumption

The x f -assumption basically states that for someone seeing a public key X = g x without knowing the secret key x, the hash F (x) of the latter looks random. We will utilize this when reducing non-frameability of our delegation scheme to unforgeability of Waters signatures, where we will have to produce hashes corresponding to unknown secret keys. Proof system ΠX↔F allows us to simulate the consistency proofs, but however, replacing an element of LX↔F by one outside the language must be indistinguishable to guarantee simulation. Moreover, having to simulate hash values for all delegation levels (cf. Sect. 4.4 for the details), we will generalize our assumption: Given X = g x0 and Λ hash values Fi = Fi (xi ), for different hash functions Fi , it is hard to tell whether all xi ’s are equal. Intuitively, the assumption states that values Fi do not reveal more information about x than X. Definition 4. Let Λ, m ∈ N, (n, G, GT , e, g) ← G(1λ ) be a bilinear group, let Λ Λ×m ((ui,j )m . We define the ith hash of (x1 , . . . , xm ) ∈ {0, 1}m: j=1 )i=1 ∈ G m x Fi (x1 , . . . , xm ) := j=1 ui,jj We say the (Λ, m)–XF-Assumption holds for G if it is difficult to distinguish the np-language  Λ+1 ∃ x := (x1 , . . . , xm ) ∈ {0, 1}m : LX↔F := (X, (Fi )Λ i=1 ) ∈ G

Λ 

i−1 Fi = Fi (x) X = g xi 2 ∧ i=1

Λ+1

from G , that is, for all p.p.t. adversaries A, the following function is negligible in λ:  Pr (n, G, GT , e, g) ← G(1λ ); u ← GΛ×m ; x ← {0, 1}m :    i i−1  =1 A n, G, GT , e, g, u, g xi 2 , ux1,ii , . . . , uxΛ,i  − Pr (n, G, GT , e, g) ← G(1λ ); u ← GΛ×m ; X, F1 , . . . , FΛ ← G :   A n, G, GT , e, g, u, X, F1 , . . . , FΛ = 1 Note that the assumption satisfies Naor’s falsifiability criterion [Nao03]. We give some more intuition on the assumption. Comparison to DDH and DLIN. Consider the (1, m)–xf-Assumption in a group G with 2λ−1 ≤ |G| < 2λ , and m = λ − 1: Given (g, u1 , . . . , um , X, F ),   i−1 decide whether there exist xi ∈ S := {0, 1}, s.t. X = g xi 2 and F = uxi i . If we set m = 1 and S = Z2λ , we get ddh—which is easy in bilinear groups. λ/2 ? However, case m = 2, S = Z2λ/2 (i.e., X = g x1 +x2 2 ⇒ F = ux1 1 ux2 2 ) can already be considered hard, since it is implied by a variant of dlin, where r, s are randomly chosen from a smaller set S: An instance (Y = g y , Z = g z , R = g yr , S = g zs , T ∈ {g r+s , g t }) of dlin with r, s ∈ S can be decided by running λ/2 the xf-decider on (u1 = Y, u2 = Z, X = T, F = R · S 2 ).

Proofs on Encrypted Values in Bilinear Groups

143

Now, if we continue the process of increasing m while at the same time reducing the set of possible values for xi , we end up with the xf-assumption. Relation to the DL Problem with Auxiliary Information. Consider the problem of computing x = log X oninput (X, F ) ∈ Lu , i.e., in addition to instance X, a hash value F = Fu (x) := uxi i of the logarithm is given. Suppose,  there exists an algorithm A that on input (u, X, F ) decides whether F = uxi i for x := log X, thus breaking the xf-assumption. Then we can construct an algorithm B that given (X,  F ) ∈ Lu computes x = log X: For 1 ≤ i ≤ m, choose random u∗i and run A on Ui := (u1 , . . . , ui−1 , u∗i , ui+1 , . . . , um ), X, F . If xi = 0, then (X, F ) ∈ LUi , whereas this is only the case with negligible probability if xi = 1. B can thus extract x bit-by-bit. 4.4

Implementation of the Delegation Scheme DS

Based on the ideas from Sect. 4.1, we give implementations of the algorithms introduced in Sect. 3.3 in Fig. 1 (where λ is the security parameter and Λ − 1 is the maximum delegation “depth”, that is, the number of possible delegations from the original delegator to the proxy signer). Claim 2. Scheme DS is non-frameable We give an overview of the proof and refer to [FP08b] for the quite technical proof. Our strategy is to reduce a “framing” proxy signature to a forgery of a Waters signature: An euf-cma adversary B against Waters’ scheme receives a public key X from its environment and sets out to simulate the non-frameability game for adversary A against DS, setting X as the public key of a random honest user U ∗ . Now to do so, without knowledge of the secret key, it must simulate the hash values (Fi ) corresponding to X. We define thus a sequence of indistinguishable games: The first game is the original non-frameability game. In the next one, we simulate the zk-proofs (Pi ) in the public key of U ∗ . In the third game, relying on the xf assumption, we substitute the (Fi ) by random values. Now the last game can be simulated by B, given the fact that the signatures required to answer Dlg and PSig queries can be forwarded to B’s own signing oracle. If A wins the non-frameability game by framing U ∗ , then the signature output by A contains a Waters forgery. However, to win the euf-cma game, B is required to return the bits of the message rather than its hash value—in fact, B’s oracle queries also require messages. This is why we need ΠX↔F to be an extractable proof system; moreover, extraction must be possible even after having simulated proofs—which is the reason for ΠX↔F to be weakly simulation sound. Claim 3. Scheme DS is traceable Proof. The claim follows by a reduction to unforgeability of the Waters signature scheme for messages of length Λ · m using the following fact: Let 0i denote a string of i·m zeroes. Then for any x ∈ {0, 1}m and any ∗ ∗ Λ i∗ , a signature on (0i −1  x  0Λ−i ) w.r.t. parameters ((ui,j )m j=1 )i=1 is a Λ signature on x w.r.t. parameters (ui∗ ,j )j=1 .

144

G. Fuchsbauer and D. Pointcheval

Setup(1λ , Λ) – Choose a bilinear group gPar := (p, G, GT , e, g) ← G(1λ ). – Define m, the maximal length of messages to be signed, as m := λ − 1. – Choose Waters parameters to sign messages consisting of Λ · m bits: Λm+2 sPar := (g2 , u0 , (ui,1 , . . . , ui,m )Λ i=1 ) ← G – For 1 ≤ i ≤ Λ, choose crsi , a common reference string for ΠX↔F for parameters (ui,j )m j=1 . The issuer chooses an issuing key ik := ω ← Zp and defines Ω := g ω . The public parameters are   pp := gPar, sPar, (crsi )Λ i=1 , Ω .

UKGen(pp) Choose a random x ← Z2m and set X := g x . Define the public key th pk := (X, (Fi , Pi )Λ hash (cf. Def. 4) and Pi := i=1 ), where Fi := Fi (x), is the i PX↔F (crsi , (X, Fi ), x) is a proof for X and Fi containing the same x. Enroll(pp, ik, pk) Parse pk as (X, (Fi , Pi )Λ i=1 ). 1. Check all proofs Pi ; if one is invalid, return ⊥. 2. certi := FSig(ω, Fi ) for 1 ≤ i ≤ Λ. Λ 3. Add (X, (Fi , Pi , certi )Λ i=1 ) to UList and return (certi )i=1 . Λ The user defines her secret key as sk := (X, (Fi , Pi , certi )i=1 , x). Dlg(pp, ski , [warr→i ], pki+1 ) Let the user holding ski be the ith delegator. 1. Parse ski as (Xi , (Fi,j , Pi,j , certi,j )Λ j=1 , xi ), pki+1 as (Xi+1 ,(Fi+1,j , Pi+1,j )Λ j=1 )  ′ ′ ′ and warr→i as (Xj , Fj,j , Pj,j , certj,j , σj )i−1 j=1 , (Xi , Fi,i , Pi,i ) , in case i = 1, define warr→1 := (X1 , F1,1 , P1,1 ) 2. If one of the proofs in warr→i or pki+1 is invalid or if ′ ′ , Pi,i ) = (Xi , Fi,i , Pi,i ) then return ⊥. (Xi′ , Fi,i 3. Define σi ← FSig(xi , F1,1 · · · Fi,i · Fi+1,i+1 ). Return warr→i+1 := warr→i  (certi,i , σi , (Xi+1 , Fi+1,i+1 , Pi+1,i+1 )). PSig(pp, ski , warr→i , M ) Let the user holding ski be the (i − 1)st delegatee. 1. and 2. as for Dlg (but ignoring the commands for pki+1 ). 3. Define σi := FSig(xi , F1,1 · · · Fi,i · FΛ (M )). The proxy signature is   Σ := σ1 , (Xj , Fj,j , Pj,j , certj,j , σj )ij=2 .   PVer(pp, pk, M, Σ) Let pk = (X1 , F1,1 , P1,1 , . .), Σ = σ1 , (Xi , Fi,i , Pi,i , certi,i , σi )ki=2 . Return 0 if any of the following returns 0, otherwise return 1. 1. VX↔F (crsi , (Xi , Fi,i ), Pi,i ), for 1 ≤ i ≤ k, 2. FVer(Ω, Fi,i , certi,i ), for 2 ≤ i ≤ k, 3. FVer(Xi , F1,1 · · · Fi+1,i+1 , σi ), for 1 ≤ i < k, FVer(Xk , F1,1 · · · Fk,k · FΛ (M ), σk ). Open(pp, pk, M, Σ, UList)   If Σ is valid, parse it as σ1 , (Xi , Fi,i , Pi,i , certi,i , σi )ki=2 . If for all i, Xi ∈ UList, return (X2 , . . . , Xk ), otherwise return ⊥. Fig. 1. Implementation of the Delegation Scheme DS

Proofs on Encrypted Values in Bilinear Groups

145

The simulator sets Ω to the public key it is challenged on and deals with Enroll(X, (Fi , Pi )) queries as follows: If one of the Pi is invalid, return ⊥, otherwise extract x from one of them. To produce certi , query a signature on the message (0i−1  x  0Λ−i ). Open the signature returned by the adversary to X2 , . . . , Xk . If Xi ∈ / UList for some i, return certi from the signature, together with the extracted bits. ⊓ ⊔

5

The Anonymous Delegation Scheme

Now using the techniques derived from the Leak Tightness Lemma as discussed in Sect. 3, we can convert the scheme DS in Fig. 1 into an anonymous proxy signature scheme APS. We give the necessary modifications to DS: Setup(1λ , Λ) Choose a bilinear group of composite order (p, q, G, GT , e, g) ← Gc (1λ ) and define gPar := (n = pq, G, GT , e, g). Add H ← Gq , a subgroup element for bgn-encryptions, to pp and additionally output the opening key ok := q. Enroll(pp, ik, (X, . . .)) The opener approves 4 a new public key by verifying that X q = (X ′ )q for all X ′ ∈ UList before adding X to UList.   PSig(pp, skk , warr→k , M ) After producing Σ = σ1 , (Xi , Fi,i , Pi,i , certi,i , σi )ki=2 , blind Σ by bgn-encrypting all elements of Σ under H and adding one proof π (cf. Lemma 1) per pairing-product equation to be satisfied in PVer. Denote    := σ i , Fi,i , Pi,i , cert  i,i , σ the result as Σ 1 , (X i )ki=2 , (πi ) .  Instead of verifying the pairing-product equations directly, PVer(pp, pk, M, Σ) verify the proofs (πi ) on the encrypted values.  UList) If Σ  passes verification, do the following for 2 ≤ i ≤ Open(pp, ok, M, Σ, q ′ q  Λ: if Xi = (X ) for some X ′ ∈ UList, then set Xi := X ′ , otherwise return ⊥. Finally, return (X2 , . . . , Xk ). Anonymity. Consider two “plain” proxy signatures Σ1 and Σ2 , both valid under the same public key and resulting from the same number of delegations (and consequently of the same size). If we blind both signatures and add proofs (πi ), then they are indistinguishable: replacing H by a random element in G is indistinguishable by sd. Now the signature components are perfectly blinded and the πi ’s do not leak any information on the cleartexts besides validity by Lemma 1(2). As a consequence, APS satisfies anonymity as defined in Sect. 3.3. Traceability and Non-Frameability. Traceability and non-frameability both follow from a reduction to the respective notions for DS in the subgroup Gp using the techniques of Lemma 1. Given an adversary A against APS, we construct B 4

If X q = (X ′ )q then the sets of ciphertexts of X and X ′ coincide, making correct tracing impossible. Note that for random keys this is very improbable. It occurs if X was maliciously set to X ′ H ρ for some ρ, which makes the key useless anyway, as to compute the corresponding secret key one would have to know logg H.

146

G. Fuchsbauer and D. Pointcheval

against DS: After receiving ppDS , B defines ppAPS by first creating parameters pp′ , ik′ for a new instance of DS in group Gq , and then multiplying all parameters from ppDS with the new ones, resulting thus in correctly distributed parameters in G, e.g., g ∈ pp and g ′ ∈ pp′ yield g := gg ′ ∈ G. Finally, B adds H ∈ Gq to ppAPS . A’s oracle queries are dealt with in the following way: PK queries. Run the PK oracle for DS to get pk := (X, (Fi , Pi )), then choose  ′ ′ a secret key x′ ∈ {0, 1}m and compute X ′ := (g ′ )x and Fi′ := (u′i,j )xj for 1 ≤ i ≤ Λ, as well as the corresponding proofs w.r.t. parameters pp′ . Let the result be pk′ and define (X, (F i , P i )) by multiplying all components of pk with the respective ones of pk′ . First, note that due to Lemma 1(3), all proofs P i satisfy all pairingproduct equations of VX↔F . Second, (X, (F i )) is indistinguishable from an honestly computed one by the xf-assumption in G, Gp and Gq .5 Enroll, Dlg, PSig queries. Answering these queries basically consists of simulating FSig(y, F1 · · · Fk ) for some y, F1 , . . . , Fk . Define θp , θq suchthat θp ≡p θp ′ xi 1, θp ≡q 0, θq ≡p 0, θq ≡q 1. If F = m = uxi i ∈ Gp i=1 (ui ui ) , then F  θ θ and F θq = (u′i )xi ∈ Gq . Now, B submits F1 p · · · Fk p to its own oracle to get σ and—knowing all secret keys for the q-components—computes σ ′ in Gq on its own. Finally, B returns σ = σ · σ ′ which is a valid signature according to Lemma 1(3). When A eventually returns (pk, M, Σ), B “translates” the result back to Gp by raising everything to the power of θp and outputs it. It follows from Lemma 1(4) that B’s output passes verification. If A wins its game then so does B: Traceability. If A wins the game then for some i we have: ∀ X ′ ∈ UListAPS :  q = (X ′ )q , which implies X  θp = (X ′ )θp . On the other hand we have X i i  θp ∈ UListDS = {X θp | X ∈ UListAPS }. Together, this means X / UListDS , i the condition for B winning the game. Non-frameability. Analogously: A wins the game if in the returned signature, there is one delegation step it has not queried. Since we compare “openings” of the signature and the warrants, the argument works as for traceability.

6

The Proof of Equality of Exponent and Hash Preimage

In order to construct ΠX↔F , introduced in Sect. 4.2, we will use the following proof systems, for the details of which we refer to [FP08b]. 5

  An element g x , (Fi (x)) ∈ LG is indistinguishable from a random element in GΛ+1 in G. Now the latter is indistinguishable from elements byx the′ xxf-Assumption ′ ′  by the xf-Assumption in Gp , whereas the g ·(g ) 1 , (Fi (x)·(g ′ )x2 in LGp · GΛ+1 q one in Gq guarantees indistinguishability of LGp·GΛ+1 from LGp ·LGq . q

Proofs on Encrypted Values in Bilinear Groups

147

Π1L A perfect w i (witness indistinguishable) proof system similar to the one from [GOS06a]: Given two triples, it proves that at least one of them is linear w.r.t. a given basis. We generalize their method, in that the bases for each triple are not necessarily the same. Πb,eq From Π1L we directly derive a proof of the following: Given a g o s commitment to some x and a linear encryption of some g y , prove that x, y ∈ {0, 1} and x = y. ΠcX Given a vector of g o s -commitments to bits (ci )m i=1 and X ∈ G, ΠcX is a nizk proof for the committed values being the bits of log X. ΠcF Given a vector of commitments to bits (ci )m i=1 and F ∈ G, ΠcF is a nizk proof for the committed values being a hash preimage of F , i.e., if ci commits to xi for all i, then F = F (x1 , . . . , xm ). ΠG Given (pk, pk′ , d, d′ , ck, c, v), ΠG is a wi proof for either d and d′ being linear encryptions of the same message under pk, pk′ , resp., or c being a commitment to v under ck. We will also use a one-time signature scheme Sots = (KGenots , Sigots , Verots ) (cf. [Gro06] for an implementation). All verification procedures of the above systems consist exclusively of checking pairing-product equations. We give an overview of our construction detailed in [FP08b]. Let ((X, F ), x) ∈ RX↔F , i.e., X = g x and F = F (x). Aiming for an extractable proof, we first produce vectors of commitments cX and cF to the bits of x and prove consistency with X and F via ΠcX and ΠcF , resp. The proofs can be simulated by replacing the commitment keys for cX and cF by perfectly hiding keys. However, to achieve extraction-zero knowledge (ezk), we must extract from proofs queried to the oracle, even after replacing the crs by a simulated one. We thus add linear encryptions d′i and d′′i under public keys pk′ , pk′′ of the bits in cX i and cF i , resp., and prove that we did so via Πb,eq . At the same time this proves that cX i , cF i are commitments to bits and that d′i , d′′i are encryptions of either g 0 or g 1 . The latter enables us to ensure equality of the plaintexts in d′i and d′′i for   i−1 i−1 all i at once, by proving that d′P := (d′i )2 and d′′P := (d′′i )2 decrypt to the same plaintext. However, this proof must contain some kind of trapdoor, because in the proof of ezk, d′i and d′′i might contain different plaintexts. To do so, we borrow a trick Groth uses to build rca-secure encryption in [Gro06]: Add a commitment cG under key ckG of a signature verification key vkG to the crs of ΠX↔F and require the prover to choose a one-time signature key pair (vk, sk), and to add vk and a signature on (X, F ) to the proof. The proof of consistency of d′P and d′′P is a ΠG proof of (pk′ , pk′′ , d′P , d′′P , ckG , cG , vk). Now we can (one-time) simulate proofs by choosing vk := vkG and using the corresponding signing key which is unknown to the adversary.

Acknowledgments This work was supported in part by EADS, the French ANR-07-SESU-008-01 PAMPA Project and the European Commission through Contract ICT-2007216646 ECRYPT II.

148

G. Fuchsbauer and D. Pointcheval

References [ASW00]

Asokan, N., Shoup, V., Waidner, M.: Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Comm. 18(4), 593–610 (2000) [BCKL08] Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Non-interactive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008) [BMW03] Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003) [BR93] Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: ACM Conference on Computer and Communications Security 1993, pp. 62–73. ACM, New York (1993) [BSZ05] Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: The case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005) [BFM88] Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988, pp. 103–112. ACM, New York (1988) [BPW03] Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. IACR ePrint Archive: Report 2003/096 (2003) [BB04] Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) [BBS04] Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004) [BGLS03] Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003) [BGN05] Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005) [BW06] Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006) [BW07] Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007) [Cha85] Chaum, D.: Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 28(10), 1030–1044 (1985) [CvH91] Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991) [DP92] De Santis, A., Persiano, G.: Zero-knowledge proofs of knowledge without interaction. In: FOCS 1992, pp. 427–436. IEEE Computer Society, Los Alamitos (1992) [FP08a] Fuchsbauer, G., Pointcheval, D.: Anonymous proxy signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 201–217. Springer, Heidelberg (2008)

Proofs on Encrypted Values in Bilinear Groups [FP08b]

149

Fuchsbauer, G., Pointcheval, D.: Encrypting proofs on pairings and an application to anonymity of signatures (full version). Cryptology ePrint Archive, Report 2008/528 (2008), http://eprint.iacr.org/2008/528 [GMR88] Goldwasser, S., Micali, S., Rivest, R.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988) [GOS06a] Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006) [GOS06b] Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006) [Gro07] Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007) [Gro06] Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006) [GS08] Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) [KP98] Kilian, J., Petrank, E.: Identity escrow. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 169–185. Springer, Heidelberg (1998) [MUO96] Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures for delegating signing operation. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS). ACM, New York (1996) [Nao03] Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003) [Sah99] Sahai, A.: Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In: FOCS 1999, pp. 543–553. IEEE Computer Society, Los Alamitos (1999) [TW05] Trolin, M., Wikstr¨ om, D.: Hierarchical group signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 446–458. Springer, Heidelberg (2005) [Wat05] Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

Identity Based Group Signatures from Hierarchical Identity-Based Encryption Nigel P. Smart and Bogdan Warinschi Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, United Kingdom {nigel,bogdan}@cs.bris.ac.uk

Abstract. A number of previous papers explored the notion of identitybased group signature. We present a generic construction of identity-based group signatures. Our construction is based on the Naor transformation of a identity-based signature out of an identity-based encryption, adjusted to hierarchical identity-based encryption. We identify sufficient conditions on the underlying HIBE so that the scheme that results from our transformation meets our security definitions. Finally, we suggest a couple of extensions enabled by our construction, one of which is to hierarchical identity-based group signatures.

1

Introduction

Identity-based cryptography as envisioned by Shamir [23] aims to ease the key distribution problem associated to standard PKIs used for asymmetric cryptosystems. The key insight is that parties can use their identities as their public keys, which in turn makes secure repositories for public keys unnecessary. This idea had been thoroughly explored in the context of standard encryption [4,6,11,13,20,21,22] and signature schemes [2,9,16] as well as in that of more complex primitives like traitor tracing [1]. In the context of group signatures, a primitive with multiple practical uses, a large proportion of the prior work did not consider the appropriate extension of the primitive to the ID-based setting. Specifically, the schemes proposed in many previous papers under the name of identity-based group signatures still use a standard public key for the group key. This is clearly a departure from the original motivation for identity based cryptography, does not properly extend identity-based signature schemes, and suffers from the standard PKI related difficulties. The reason for the name of the primitive was that the identity of group members was allowed to be an unstructured identity. Examples of such proposals include [12,17,18,19,25]. In [27] a more correct syntax and security definition is given in which identifier strings are used for both the users, and the group names themselves. Recall that H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 150–170, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Identity Based Group Signatures from HIBE

151

in a group signature, multiple signers can produce signatures on behalf of the group without revealing information about the origin of the signature. Only a designated opener can later link these signatures to their authors using a special secret key, whereas a group manager is in charge of adding users to the group. In [27] these two functionalities are seperated, in our work we simplify the model somewhat by requiring the opener and the group manager to be the same. Our contributions. We provide the following results on identity-based group signatures. Security and Syntax of the primitives. We provide a simplified identitybased group signature model, which is a subset of the model in [27]. Since we work in the ID-based setting we consider a trusted authority that generates system-wide parameters. We model and explore the realistic scenario where the same set of system parameters is shared by multiple groups of signers. Users can join existent groups, and we allow for the same user can belong to multiple groups. Our security models are those of full-anonymity and full-traceability. Full-anonymity captures the idea that the identity of the signers is not revealed by signatures, and full-traceability says that the group manager can determine who created a given valid signature. In this paper we model a simple setting where the roles of the group manager and signature openers are merged (very much like in [3]). Also in our model users do not have public keys (or independent identity based keys) and therefore no secrets, hence the group manager (opener) can always add users to groups and produce signatures on their behalf, undetected. Our simplified definition facilitates our direct HIBE based construction, which itself then can be easily seen to extend to a construction which enables hierarchies of groups. It is this HIBE based construction and its extension which is the most novel part of our work. Generic construction based on HIBE. Clearly, one can construct an IDbased group signature schemes by appending certificates for the group public key to each signature in a standard group signature scheme. Our models can be used to analyze such constructions. However, the flexibility afforded by our syntax may lead to more efficient and/or schemes with enhanced functionality. One interesting example is schemes with group hierarchies alluded to above, and discussed further below. We provide a generic construction based on hierarchical identity-based encryption (HIBE) [14]. The transformation that we present adapts the Naor transformation of an identity-based encryption scheme into an identity-based signature scheme and shares ideas with the Boyen-Waters construction of a standard group signature scheme out of a HIBE. Next, we sketch our construction and provide further details on the transformation that we designed. Recall that in HIBEs users at the lower levels of the hierarchy can compute the decryption keys for users at the higher levels. The idea behind our construction is to set up a 4-level HIBE: on the first level we place group identities, on the second level user identities, on the third level the messages to be signed, and

152

N.P. Smart and B. Warinschi

the fourth level is reserved for some sort of randomizers. A new group is created by extracting the key associated to the identity grpID which is then given to the group manager. To add user userID to group grpID, the manager extracts the key associated to identity (grpID, userID) which becomes the signing key of user userID for group grpID. One tempting way to produce a signature on a message m using this key, is to extract the secret key associated to hierarchical identity (grpID, userID, m). This is essentially the approach taken by the construction of [7] which encrypts the resulting signature under the public key and uses (efficient) non-interactive zero-knowledge proofs to ensure that the construction followed the prescribed recipe. Notice that encrypting the signature is indeed needed, as the signature may leak information about userID (for example when the extraction algorithm is deterministic.) To hide the identity of the signer we use a different approach based on properties that we observe in existent HIBE constructions. Specifically, to produce a signature on message m on behalf of group grpID, a user userID extracts the secret key d associated to (grpID, userID, m, rID ), for a randomly chosen randomizer rID . We observe that for existent constructions the resulting decryption key hides all information about the hierarchical identity to which it corresponds (provided that rID is from a big enough space). A remaining problem is that in order to verify the signature, one needs to first encrypt a message under the identity (grpID, userID, m, rID ) and then test that the decryption with d succeeds. Clearly, this verification procedure leaks information about userID. Instead, we observe that the encryption process of HIBEs usually compute an encryption key e associated to the hierarchical identity which is then used in an encryption algorithm. We can therefore let (e, d) play the role of a signature, provided they indeed do not reveal information about userID. We call this property that we identify and demand from the underlying HIBE random identity hiding. It is worth noting that all of the existent HIBE constructions, Boneh-Boyen [4], Waters [26] and Boneh-BoyenGoh [5] satisfy this property. In addition to (e, d) a signature also contains an encryption of userID under grpID and a non-interactive proof that all of the parts fit together. We analyze a construction where this proof is obtained via the Fiat–Shamir transform, and therefore our construction is under the random oracle model. Instantiation based on the Boneh-Boyen-Goh HIBE. We use the BonehBoyen-Goh HIBE to instantiate our construction. We show that our theoretical construction yields in this case an explicit identity-based group signature scheme which has a signature of fixed length, irrespective of the size of the group to which the signature is attached. Furthermore, the signature is relatively short, and computationally very efficient. Extensions. Finally, we sketch a couple of variants of our basic construction. First, we note that by eliminating the first level of the HIBE (the level that contains group identities) we obtain a standard group signature with a standard public key as the verification key. A more interesting extension is that to a hierarchical identity-based group signatures. For standard group signatures the extension to hierarchical group managers has been investigated by Trolin and

Identity Based Group Signatures from HIBE

153

Wikstr¨ om[24]. The analogous extension for the case of identity-based group signatures is beyond the goals of this paper. We sketch however how to extend our construction as to meet the intuitive goals of such an extension. The idea is to introduce additional group identity levels. Group managers can then add users to any of the subgroups of the group he manages, users can sign on behalf of any of the groups to which they belong, and signatures can be opened by the managers of these groups, or indeed any other levels in the hierarchy. On the use of the random oracle. We end the introduction with a note on the usage of the random oracles in our construction. In our construction we use non-interactive zero-knowledge proofs obtained via the Fiat–Shamir heuristic from Σ-protocols, and thus our construction is in the random oracle model. An alternative that would yield schemes secure in the standard model could employ standard model NIZKPOKs (based on a common random string which can be placed in the system parameters), such as those in [15]. However, whilst such NIZKPOKs run in polynomial time, their performance is not very efficient when compared to constructions obtained from Σ-protocols via the Fiat–Shamir heuristic. Indeed, we have chosen to carry out our work in the random oracle model to be able to obtain the efficient implementation based on BBG, which itself requires the random oracle model to obtain non-selective ID security.

2

Preliminaries

Sigma protocols. A Σ-protocol (P, V) for an NP-language L is a three-move, public coin interactive proof. We typically write (r, c, s) for a transcript of the conversation between the prover and the verifier, where r and s are the messages sent by the prover and c is the message sent by the verifier. We call r the commitment message, c the challenge message, and s the response. We write CommitSpace for the space to which r belongs, ChallSpace for the space from where c is drawn. We call a transcript accepting for x if the verification algorithm employed by the verifier, V((r, c, s), x) returns 1. Notice that we abuse notation and write V for both the verifier and its verification algorithm. In this paper we use Σ-protocols that satisfy special-soundness: we require that there exists an extraction algorithm E which given two accepting transcripts (r, c, s) and (r, c′ , s′ ) for x returns a witness w that x ∈ L. Furthermore, we require that the protocol be special-zero-knowledge, that is: there exists a simulator S which on input x and challenge c outputs (r, s) such that (r, c, s) is an accepting transcript for x. If c is selected at random from ChallSpace then (r, c, s) is distributed as true transcripts. In addition, we also require that (P, V) have perfect completeness: for any witness w that x ∈ L the interaction (P(x, w), V(x)) is accepting. The Fiat–Shamir transform. The Fiat–Shamir transform is a heuristic that transforms a three move public coin into a signature. The heuristic can be used to create “signatures of knowledge” [10]: constructs which in addition to being signatures on messages, also prove knowledge of a certain secret. Essentially, given

154

N.P. Smart and B. Warinschi

a Σ protocol (P, V) for some language L and a hash function H one can build a signature of knowledge scheme as follows. Given an element x ∈ L and a corresponding witness w, one can produce a signature of knowledge FSH P ((w, x))(m) by running locally the interactive proof that x ∈ L, using c ← H(r||x||m) as challenge. Here r is the first message produced by the prover. A bit more formally, we define FSH P ((w, x), m) as the algorithm: (r, state) ← P(w)(x); c ← H(r||x||m), s ← P(state, c)(x); output (r, s). To verify that (r, s) is a signature of knowledge on message m given public information x, one runs V(r, H(r||x||m), s) and accepts if the output is 11 . We do not formalize the properties signatures of knowledge satisfy. Instead, when we use them in constructions, we reduce the security of the constructions to the properties of the underlying Σ-protocol. In particular, in order for the Fiat–Shamir heuristic to work, we further require from the Σ-protocol that it has high-entropy commitments, and high-entropy challenges. Since the challenge is selected at random from the challenge space, the second condition is satisfied whenever this space is sufficiently large. We simplify the first requirement and ask that the commitment space to also be large, and that commitments are randomly distributed over this space.

3

Hierarchical Identity Based Encryption (HIBE)

In this section we recall the notion of HIBE, and introduce its variant that concerns us. Throughout the remainder of the paper we assume a set of basic identities IdSp ⊆ {0, 1}∗. We call ID ∈ IdSpl an l-level hierarchical identity. For clarity we denote elements of IdSp by lower case variables (e.g., id, id′ , id1 , id2 , . . .) and hierarchical identities by upper-case variables (e.g. ID, ID′ , ID1 , ID2 , . . .). H ierarchical Identity Based Encryption (HIBE). A HIBE consists of four polynomial time algorithms (Setup, Extract, Encrypt, Decrypt): – Setup(1k , L). The setup algorithm, on input a security parameter k and a maximal number of levels L generates a master public/private key pair (mpk, msk) and a message space description M for an L-level HIBE. – Extract(mpk, ID, dID′ ). The secret key extraction algorithm takes as input an identity ID and the secret key associated to a parent ID′ of ID and derives a secret key dID for ID. By convention, we let d() (the key associated to identity ′′ ′′ () ) to be msk. – Encrypt(mpk, ID, m; r). The randomized encryption algorithm, on input the master public key mpk, a hierarchical identity ID, and message m outputs an encryption enc of the message m for identity ID using randomness r. – Decrypt(dID , c). The decryption algorithm takes as input a secret key dID that corresponds to some hierarchical identity ID, and a ciphertext enc and returns the underlying plaintext (assuming that the ciphertext was encrypted using some identity ID′ to which ID is a parent). 1

Notice that throught the paper we avoid cluttered notation by assuming that the statement to be verified is an implicit input to the verifier.

Identity Based Group Signatures from HIBE

155

Notice that the extraction algorithm works with the secret key of any parent of the target identity (and not only with the master secret key). For correctness we require that ciphertexts created using some identity can be decrypted using a secret key associated to the identity of any of its parents, i.e. Decrypt(Extract(mpk, ID2 , dID1 ), Encrypt(mpk, ID3 , m; r)) = m whenever ID1 is a parent of ID2 which in turn is a parent of ID3 and dID1 is a secret key associated to ID1 . In the variant of HIBE that we introduce we would like to allow parties to encrypt messages for identities which he does not know. We enable this property by making the assumption that the Encrypt(mpk, ID, m; r) algorithm works in two phases. First the encryptor obtains an encryption key eID out of the identity ID and the master public key and then the ciphertext is obtained using an underlying encryption algorithm. More precisely, we assume that Encrypt(mpk, ID, m; r) = Encr(Distill(mpk, ID), m; r) for some algorithm Distill for distilling keys out of identities, and some underlying encryption algorithm Encr. To define a HIBE, it is therefore required to give two algorithms Distill, Encr instead of the single Encrypt. We call schemes defined this way canonical. The BBG HIBE [5] will be used as our example throughout since it is very efficient, and thus results in a highly efficient identity-based group signature scheme. 3.1

Security Notions

Our construction for ID-based group signatures is based on a HIBE which satisfies two security properties. In addition to the standard notion of indistinguishability against chosen-plaintext/chosen-ciphertext, the scheme should also hide the identity of a random identity. We first recall the former notion and then formalise the latter. Definition 1 (Indistinguishability under CPA and CCA). Indistinguishability under chosen-plaintext, and chosen-ciphertext attacks of a HIBE scheme Π, are security notions defined through the experiments -id-cpa−b (k) and Expind-id-cca−b (k) that we describe below. The experiExpind Π,A Π,A ments depend on an adversary A, and are parametrised by a bit b. In a first phase, the adversary is given as input the master public key mpk of a freshly $ generated key pair (mpk, msk) ← Setup(1k , L) as input. In a chosen-plaintext attack (IND-ID-CPA), the adversary is given access to a key derivation oracle that on input of an identity ID = (id1 , . . . , idℓ ), returns the secret key $

dID ← Extract(msk, ID) corresponding to identity ID. In a chosen-ciphertext attack (IND-ID-CCA), the adversary is additionally given access to a decryption oracle that for a given identity ID = (id1 , . . . , idℓ ) and a given ciphertext enc returns the decryption m ← Decrypt(Extract(msk, ID), c).

156

N.P. Smart and B. Warinschi

At the end of the first phase, the adversary outputs a challenge messages m∗ ∈ {0, 1}∗ and a challenge identity ID∗ = (id∗1 , . . . , id∗ℓ∗ ), where 0 ≤ ℓ∗ ≤ L. Both $

experiments then generate a challenge ciphertext c∗ ← Encrypt(mpk, ID∗ , m∗b ; r), ∗ where b is the parameter bit, m∗0 = 0|m | and m∗1 = m∗ , and gives c∗ as input to the adversary for the second phase.2 In the second phase the adversary has access to the same oracles and has to output a bit d. The experiment outputs the d. We require that in both experiment the adversary never queries the key derivation oracle on a parent identity of ID∗ , and that in the CCA experiment the pair (ID∗ , c∗ ) is never sent to the decryption oracle. The advantage of the adversary is defined by:     ind-id-xxx -id-xxx−1 (k) = 1 − Pr Expind-id-xxx−0 (k) = 1 (k) = Pr Expind AdvΠ,A Π,A Π,A for xxx ∈ {cpa, cca}. We say that Π is IND-ID-CCA secure (respectively IND-ID-CPAsecure) if for ind-id-cpa ind-id-cca (k) (respectively AdvΠ,A all p.p.t. adversaries its advantage AdvΠ,A (k)) is negligible. Random-Identity Hiding. Informally, the notion of random identity hiding requires that the key distilled from a hierarchical identity ID = (id1 , id2 , . . . , idl ) together with an associated decryption key, does not reveal any information about ID, as long as at least one of the basic identities idi is chosen at random. The formalisation of this notion uses patterns. An l-level pattern is simply element of the set (IdSp ∪ {⋆})l , i.e. a hierarchical identity where some components are replaced by ⋆. We call a pattern non-trivial if it contains ⋆ on at least one position. For a pattern P we write Pˆ for the set Pˆ = {ID | ID ∈ IdSpl , Pi = ⋆ ⇒ Pi = IDi } of hierarchical identities that coincide with the entries in the pattern on all positions that are not ⋆ in P . The security game that defines random identity hiding is as follows. The adversary selects a non-trivial patterns P of level l ≤ L. The adversary is then given the pair (dID , eID ) = (Extract(mpk, ID, ()), Distill(mpk, ID)) for either a random identity ID of level l, or an identity ID ∈ Pˆ . The task of the adversary is to determine whether its input has been obtained from the given pattern, or a truly random identity. In his game, the adversary has access to essentially all the information in the system (i.e. the master secret key msk grants access to the secret key of any identity), except to the randomness used to obtain ID. Definition 2 (Random identity hiding). Consider the following experiment for a L-level HIBE scheme Π = (Setup, Distill, Extr, Encr, Decrypt) and adversary A: 2

The definition that we use asks the adversary to tell apart encryptions of the message from the encryptions of the all-0 string of the same length. This notion is equivalent to the one in the literature.

Identity Based Group Signatures from HIBE

157

ExpRIdH−b (1k ) Π,A $

(mpk, msk) ← Setup(1k .L) (P, St) ← A(mpk, msk) b ← {0, 1} $ If b = 0 then ID∗ ← Pˆ ; $

else ID∗ ← IdSpl where P is an l-level pattern. e∗ ← Distill(mpk, ID∗ ) d∗ ← Extract(mpk, ID∗ , d() ) b′ ← A(St, e∗ , d∗ ) Return b′ We insist that the pattern P output by the adversary has at least one ⋆ in it. We say that the scheme Π is random identity hiding if for any probabilistic polynomial time adversary A its advantage:     RIdH−1 k k (1 ) = 1 − Pr ExpRIdH−0 (1k ) = 1 AdvRIdH Π,A (1 ) = Pr ExpΠ,A Π,A is negligible. An important observation related to the generality of our results is that most of the existing HIBE constructions (e.g. BB [4],BBG [5] and Waters [26]) are both canonical and random identity hiding. We prove this for our running example of the BBG HIBE (the proof is in the full version of the paper). Theorem 1. The Boneh-Boyen-Goh HIBE is random identity hiding.

4

Identity Based Group Signatures

As discussed in the introduction much prior work on ID-Based group signatures has looked at the case where group members are given by “unstructured” identities, but the verification key used by the group is still a public key in the classical sense of the word. In this section we present a concept of group signatures in the ID-based setting, our security models and syntax are a subset of those of Wei et al [27]. We concentrate on the two security notions full-anonymity (the identity of the signer is hidden) and full-traceability (a signer can be identified by the group manager). We model a setting where the same set of public parameters (generated by a trusted centre) is used to setup multiple groups of signers (for different group identities). Syntax. An ID-based group signature scheme consists of six polynomial time algorithms: (Setup, GrpSetUp, Join, Sign, Verify, Open), – Setup(1k ). This generates a master public/private key pair (mpk, msk). – GrpSetUp(grpID, msk). This algorithm on input of a string, which identifies the group; outputs a group secret key gsk. This secret key is then given to the group manager.

158

N.P. Smart and B. Warinschi

– Join(userID, gsk). This algorithm executed by the group manager outputs a user secret key usk, which is passed to the group member. We assume that the group manager keeps a list of the member identities (say be adding them into gsk). – Sign(m, usk). This algorithm produces a signature σ on the message m from the group for which usk corresponds. – Verify(m, σ, mpk, grpID). This outputs true if the signature σ is on the message m and was issued by the someone in the group grpID, otherwise it should output false. – Open(gsk, σ, m). This returns the identifier of the user who produced the signature σ on the message m. Note that in some situations the message m need not be input to the Open algorithm. This algorithm is run by the group manager. For correctness we require that if gsk is the group secret key corresponding the group with identifier grpID, then 1. Verify (m, Sign(m, Join(userID, gsk)), mpk, grpID) = true 2. Open (msk, Sign(m, Join(userID, gsk)), m) = userID. Security models. To define the security of ID-based group signatures we extend the model introduced by Bellare et. al. [3] to this setting. Specifically, we cast the properties of full-anonymity (signatures do not reveal information about the signer) and full-traceability (the identity of the signer can be recovered by the group manager) to the ID-based setting. These security notions are wellestablished by now, so we will not repeat the ideas behind their design. Anonymity is captured by an indistinguishability experiment between an adversary and the group signature. The adversary has full control over the scheme: can create new groups (and obtain the group manager’s key), can add users to group (and obtain their signing keys), open signatures at will etc. These capabilities are modelled by appropriate access to several oracles. At some point the adversary outputs a group identity, two identities of group members and a message. It receives in return a signature on that messages, created with the secret key an identity selected at random between the two output by the adversary. The goal of the adversary is to guess which of the users created the signature. Of course, we impose the minimal requirements that the adversary does not know the master secret used for setup, and the opening key associated to the group under attack. Definition 3 (Full-Anonymity). Let Π = (Setup, GrpSetUp, Join, Sign, Verify, Open) be an identity based group signature. Consider the experiment k Expanon−b Π,A (1 ) that involves an adversary A and is parametrised by bit b. The experiment uses msk, mpk as global variables. It also maintains two lists grpIDs (used to record the manager secret keys of the groups) and userIDs (used to record the secret signing keys of users, for the various groups to which they belong), as global variables. Initially both these lists are empty. During the experiment, the adversary has access to the following three oracles:

Identity Based Group Signatures from HIBE

159

– Oracle GrpSetUp(·) on input a query grpID ∈ IdSp the oracle checks the list grpIDs for an entry (grpID, gsk). If such an entry is found, then gsk is returned to the adversary. Otherwise, the oracle executes gsk ← GrpSetUp(msk, grpID), adds (grpID, msk) to the list grpIDs and returns gsk to the adversary. – Oracle Join(·) is given as input a pair (grpID, userID). If the list grpIDs does not contain an element of the form (grpID, gsk) then the oracle executes gsk ← GrpSetUp(msk, grpID) and adds (grpID, gsk) to grpIDs. Assuming now that grpIDs contains an element of the form (grpID, gsk), if the list userIDs contains an element of the form ((grpID, userID), usk) then usk is returned to the adversary. Otherwise, the oracle runs usk ← Join(gsk, userID) to obtain a signing key for user identity returns the user signing key for that group. – The Open(·) oracle on input a tuple (grpID, σ, m) that consists of a group identity, a message m and a signature σ on m (valid for the group grpID), finds a pair (grpID, gsk) in grpIDs and then returns to the adversary userID ← Open(gsk, σ, m). The experiment proceeds as follows: k Expanon−b Π,A (1 ) (mpk, msk) ← Setup(1k ). (grpID∗ , userID0 , userID1 , m, state) ← AGrpSetUp(),Join(),Open() (mpk) b ← {0, 1} σ ∗ ← Sign(m, usk), where ((grpID∗ , userIDb ), usk) is an entry in userIDs. GrpSetUp(),Join(),Open() ∗ (σ , state). d ← A2 Return d = b.

The experiment only makes sense if the adversary is not allowed to call the GrpSetUp oracle on grpID∗ and is not allowed to call the Open oracle on (grpID, σ ∗ , m∗ ). We call such an adversary a proper one. We say that scheme Π is fully-anonymous if for any proper adversary A, its advantage:     anon−1 anon−0 Advanon A,Π (k) = Pr ExpA,Π (k) = 1 − Pr ExpA,Π (k) = 1 , is negligible. The second security property that we demand from group signatures is fulltraceability: a signer, or a group of signers cannot produce a valid signature which the group manager cannot trace to one of the signers. This is a notion which itself implies the notion of unforgeability of the resulting signatures. The game that we consider involves an adversary with similar powers as the one in the previous experiment. The adversary can setup groups, add users to groups, see signatures of users of his choice, and open arbitrary signatures. In this experiment however we keep track of the set of corrupt users (users for which the adversary learns the signing key). The goal of the adversary is to produce a valid signature on a message of his choosing, which when opened by the group manager is not traced to one of the corrupt users.

160

N.P. Smart and B. Warinschi

Definition 4 (Full-Traceability). The experiment Exptrace Π,A (k) used to define full traceability of IDGS scheme Π = (Setup, GrpSetUp, Extract, Sign, Verify, Open) involves an adversary A. The experiment maintains three lists: corrgrpIDs keeps track of the corrupt identities in each of the groups of signers, and grpIDs and userIDs have the same use as in the experiment for anonymity). During the experiment the adversary may access the following five oracles: – Oracle GrpSetUp(·) on input a query (grpID, type) ∈ IdSp × {h, c} the oracle checks the list grpIDs for an entry (grpID, gsk). If such an entry is found, then gsk is returned to the adversary. Otherwise, the oracle executes gsk ← GrpSetUp(msk, grpID), adds (grpID, msk) to the list grpIDs. If type = c then it the oracle returns gsk. – Oracle Join(·) is given as input ((grpID, userID), type) ∈ (IdSp × IdSp) × {h, c}. If the list grpIDs does not contain an element of the form (grpID, gsk) then the oracle computes gsk via gsk ← GrpSetUp(msk, grpID) and adds (grpID, gsk) to grpIDs. Assuming that grpIDs contains an element of the form (grpID, gsk), the oracle runs usk ← Join(gsk, userID), and it adds the tuple ((grpID, userID), usk) to userIDs. If type = c then the oracle adds (grpID, userID) to corrgrpIDs and returns usk. – Oracle Sign on input a tuple ((grpID, userID), m) the oracle searches userIDs for an entry of the form ((grpID, userID), usk). If such an entry does not exist it returns ⊥. Otherwise, the oracle computes σ ← Sign(usk, m) and returns σ. – Oracle Open on input a tuple (grpID, σ, m) searches the grpIDs for an entry (grpID, gsk). If such an entry does not exist, it returns ⊥. Otherwise it returns the result of Open(gsk, σ, m). The experiment that defines security is as follows: Exptrace Π,A (k) (mpk, msk) ← Setup(1k ) (m, σ, grpID∗ ) ← AGrpSetUp(),Join(),Sign(),Open() (mpk). Let gsk∗ = Extract(msk, grpID∗ ) If Verify(m, σ, mpk, grpID∗ ) = false or (grpID∗ , Open(gsk∗ , σ, m)) ∈ corrgrpIDs Then Return 0 Else Return 1 The experiment only makes sense if the adversary does not request the group manager key for group grpID∗ (i.e. it does not make a query (grpID∗ , c) to the GrpSetUp oracle). We call such an adversary proper. The scheme Π is a fully traceable if for any proper adversary its advantage, defined by: trace Advtrace Π,A (k) = Pr[ExpΠ,A (k) = 1],

is negligible.

Identity Based Group Signatures from HIBE

5

161

Generic HIBE-Based Construction of an ID-Based Group Signature

In this section we detail a generic construction of a ID-based group signature from a HIBE. Outline: The construction is based on the following idea. We setup a four level HIBE and identify the root with the trusted authority that generates the parameters of the systems. Then, the first level corresponds to the various groups of signers. To create a new group of signers with public key grpID, the trusted authority produces the secret key associated to identity (grpID) in the HIBE and hands that as the group manager’s key. This key is to be used for both adding members to the group, and as opening signatures to discover the underlying signer. To add a new group member userID to the group grpID, the group manager uses its secret key to compute the secret key associated to the hierarchical identity (grpID, userID). The resulting key d(grpID,userID) is the key that user userID uses to sign messages on behalf of the group grpID. User userID member of the group grpID, signs a message m as follows: it selects a random basic identity rID in IdSp, computes a distilled key e associated to identity (grpID, userID, m, rID ), and then uses its secret key to compute the decryption key d associated to e. The pair (e, d) is part of the signature that is output. The idea here is that since the HIBE is random identity hiding, the key e does not reveal any information about (grpID, userID, m, rID ) which is a random identity (due to the randomisation introduced by rID .) We also need to ensure that the manager is able to recover the identity of the signer. For this we ask that the signer encrypts his identity under the identity of the group manager (i.e. under grpID) and then proves in zero-knowledge that the identity userID that had been encrypted under grpID is the same as the identity used in (grpID, userID, m, rID ) to distill e. Here, we use a non-interactive proof obtained from a Σ protocol via the Fiat–Shamir transform. As pointed out in the introduction, one could avoid the random oracle by using a non-interactive simulation sound zero knowledge protocol. However, finding practically efficient instantiations of such proofs for the language that we need for our construction seems to be difficult. However, we note that using the random oracle model not only produces a gain in efficiency, the proof also becomes conceptually simpler due to the stronger properties of the proof of knowledge. Secondly, our specific constructions via the BBG HIBE uses the random oracle model, thus using the random oracle model in the overall construction does not loose us anything. We however point out that a proof of the generic construction in the standard model can be given. The construction: We first define the NP-language that captures the desired relation between distilled keys and encrypted identities sketched above. For a fixed public key mpk, part of the parameters of a HIBE scheme (Setup, Distill, Encr, Extr, Decrypt), and a bijection f between the space of basic identities IdSp and the plaintext space for the HIBE, we define the following NP relation:

162

N.P. Smart and B. Warinschi

R((e, enc, grpID, m), (userID, rID , r) = 1 if and only if e = Distill((grpID, userID, m, rID ), mpk) ∧ enc = Encrypt(grpID, f (userID); r)) Informally, an element (e, enc, grpID, m) of the language LR defined by the relation R in the usual way satisfies the property that the user identity userID used to obtain the distilled key e equals the identity that had been encrypted under grpID to produce the ciphertext enc. Given a canonical HIBE scheme (SetupH, Distill, Extr, Encr, Decrypt), a Σprotocol (P, V) for the language LR above, and a hash function H (which we model as a random oracle) we construct an ID-based group signature scheme GS(HIBE, (P, V), H) = (SetupG, GrpSetUp, Join, Sign, Verify, Open). SetupG(1k ) (mpk, msk) ← SetupH (1k , 4) Return (mpk, msk)

GrpSetUp(msk, grpID) e ← Distill((grpID)); dgrpID ← Extr(msk, e) Return (grpID, dgrpID )

Sign(m, (grpID, userID, dID )) Verify(m, σ, mpk, grpID) rID ← IdSp Parse σ as (e, d, enc, (r, s)). e ← Distill((grpID, userID, m, rID ), mpk) If V(r, H(mpk||e||enc||m||r), s) = 0 d ← Extr(dID , e) Then Return 0 enc ← Encrypt(mpk, grpID, f (userID); r) Else π ← FSP ((e, enc, grpID, m), m←M (userID, rID , r))(m) If m = Decrypt(d, Encr(e, m)) Return (e, d, enc, π) Then Return 1 Else Return 0 Open(gsk, σ, m) Parse σ as (e, d, enc, (r, s)) Output f −1 (Decrypt(gsk, c))

Join((grpID, dgrpID ), userID) e ← Distill((grpID, userID), mpk) d ← Extr(dgrpID , (grpID, userID)) Return (grpID, userID, d)

Fig. 1. Generic construction of an ID-based group signature scheme from a canonical HIBE

The algorithms are summarised in Figure 1. They work as follows. S e tup.The parameter setup algorithm SetupG simply runs the setup algorithm for the underlying HIBE scheme, and sets up a 4-level HIBE with public key mpk and secret key msk. The secret key of the trusted authority is set to msk. Group setup. To setup a new group for identity grpID, the authority hands over to the group manager the secret key dgrpID associated to the hierarchical identity (grpID). User userID is added to the group of signers with public identity grpID by giving him the key d(grpID,userID) associated to the hierarchical identity (grpID, userID). Notice that this key enables the user userID to compute the associated key of any hierarchical identity to which (grpID, userID) is a parent.

Identity Based Group Signatures from HIBE

163

Signing. To produce a signature on message m, user userID uses distills the public key e associated to (grpID, userID, m, rID ) (for a randomly chosen rID ) and uses his secret key to compute an associated decryption key d. Next, he encrypts the identity userID under the identity of the group. Finally, it uses the Fiat–Shamir transform to produce a non-interactive zero knowledge proof Σ that (e, d, enc, grpID, m) belong to the language LR described above. The signature is then (e, d, enc, Σ). Verification. A signature (e, d, enc, Σ) for message m and public key grpID is verified by first checking that Σ proves that (e, enc, grpID, m) ∈ LR , and then checking that d is a valid decryption key for e. The second part of the verification is done by encrypting a random message under e and decrypting the resulting ciphertext with d. Open. To open a signature (e, d, enc, Σ) for message m, the group manager grpID decrypts e using his secret key, and obtains the encrypted identity which it then outputs. Instantiation based on BBG HIBE. In Appendix A we present our generic construction applied to the BBG HIBE in detail.

6

Security of Our Construction

In this section we discuss the security of our generic construction. we start with the anonymity property. The intuition here is that a signature (e, d, enc, Σ) does not leak information about the identity of its creator since e is obtained from a random identity, the encryption enc hides its underlying plaintext, and Σ is a zero-knowledge proof. Since our construction uses the Fiat–Shamir heuristic, in addition to the above conditions we also need to require that the underlying proof system has high-entropy commitment and challenges (or alternatively, that the commitments and challenges are distributed uniformly over large enough spaces). These requirements ensure that rewinding strategies work in extracting necessary secrets. Theorem 2. Let HIBE be a HIBE scheme, (P, V) a proof system for the language LR (defined above), and H a random oracle. If HIBE is an IND-ID-CCA, (respectively IND-ID-CPA) HIBE scheme which is random identity hiding, the proof system (P, V) has high-entropy commitments and challenges, and satisfies special soundness and special zero-knowledge, then GS(HIBE, (P, V), H) is a fully-anonymous (respectively fully-anonymous under CPA attacks) identitybased group signature scheme. Proof. The proof can be found in the full version of this paper. Next we show that our scheme is fully-traceable. The intuition is that the signature produced by a coalition of signers needs to contain the encryption enc of some identity grpID. At the same time in a well-formed signature the distilled key e that is part of the signature has to be obtained from a hierarchical

164

N.P. Smart and B. Warinschi

identity of the form grpID, userID, m, rID for the same userID as encrypted in enc. However,the only way one can compute a key d associated to e is if one knows the secret key associated to some identity on the path from the root to (grpID, userID, m, rID ). Theorem 3. Let HIBE be a HIBE, (P, V) a proof system for the language LR and H a random oracle. If HIBE is an IND-ID-CCA secure HIBE, and (P, V) satisfies special soundness and has high-entropy challenges, then GS(HIBE, (P, V), H) is fully-traceable. Proof. The proof can be found in the full version of this paper.

7

Extensions: Standard and Hierarchical Groups Signatures from HIBE

We conclude with an application of the core idea of our paper to a couple of extensions. Recall that the structure that we use to setup identity-based group signature is as follows. We use a four-level HIBE scheme where on the first level we place group identities, on the second level we place user identities, on the third level messages to be signed, while the fourth level is reserved to a randomiser. The group manager of group grpID can add user userID to the group by handing over the secret key associated to hierarchical identity (grpID, userID). A signature by this user on a message m is then a pair of encryption, decryption keys that correspond to the hierarchical identity (grpID, userID, m, rID ) together with extra information to allow for the recovery of the signer and that ensure the signature is well-formed. Standard group signatures. The first observation that we make is that by eliminating the first layer, that of group identities, we obtain a standard group signature in a non PKI setting. More precisely, the public key of the group is the public key mpk of the underlying HIBE. The group manager who has the corresponding secret key msk adds users by extracting the secret keys associated to their identity. Signatures can then be formed as before, with the difference that the encryption enc is under mpk, as opposed to group identity. The resulting scheme shares with standard group signature schemes the idea of having a “standard” public-key, and with ID-based signature scheme, as defined in this paper (and as previously considered in the literature) the idea that parties are identified by unstructured identities. The intuition regarding the security of the resulting scheme follows the same lines as those of the construction we detailed in this paper. Hierarchical group signatures. The second extension that we propose is to hierarchical group signatures. Here, we would like for groups of signers be organised in a hierarchy so that users at the lower level can sign on behalf of any of the groups to which they belong. For example, in a university UniId, one could

Identity Based Group Signatures from HIBE

165

have subgroups faculty and admin. The faculty could then be divided into research group research1,research2,..., where as the admin group could be on specialised departments finance,undergraduate,.... Finally, individual users user1,user2,... belong to one of these lower level subgroups. In a hierarchical identity based signature, we would like that managers of groups be permitted to add users to the group that it manages, or to any of his group’s subgroups. Also, we would like for a user to be able to produce, anonymously, signatures for any of the groups to which he belongs. Finally, a group manager should be able to open signatures created by any of the users in the group that it manages, no matter on behalf of which of subgroups of the group the signature was produced. Our construction can be easily extended to this more complex setting. Instead of working with a four-level HIBE, we work with a k + 4 level HIBE, where k is the maximal number of subgroups that a group can have (for k = 0 we fall on the setting of our main construction). The construction that we suggest is to place on the first k levels the group identities, in a way that reflects the desired hierarchy. Creating new groups, and adding group members is then done as before: the group managers extracts a key for the appropriate hierarchical identity. For example, the manager of the group UniId creates the group faculty by extracting the key associated to the hierarchical identity (UniId,faculty). The key of a user would be the key associated to (level1,level2,...,levelk,user). Signatures in this construction generalise ours, with one exception. The user can choose for which of the groups to which it belongs produces the signature, and in particular, under which of the subgroup identities it encrypts his own identity. There is flexibility also who can open a signature: any group manager that is a parent identity to the one under which the user encrypts his identity can identify the signer. For our example, a faculty members that belongs to the group research can sign on behalf of that group, on behalf of the whole group faculty, or on behalf of the university UniId. Furthermore, only the manager of the group for which the signature is produced (or a parent of the manger) can identify the signer. The security of this construction relies on the same basic idea as that of our main construction of this paper. Acknowledgements. The authors would like to thank G. Neven for various discussions whilst the work in this paper was carried out. The authors would like to acknowledge the support of the eCrypt-2 Network of Excellence. The first author was supported by a Royal Society Wolfson Merit Award.

References 1. Abdalla, M., Dent, A.W., Malone-Lee, J., Neven, G., Phan, D.H., Smart, N.P.: Identity-based traitor tracing. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 361–376. Springer, Heidelberg (2007) 2. Barreto, P.S.L.M., Libert, B., McCullagh, N., Quisquater, J.-J.: Efficient and provably-secure identity-based signatures and signcryption from bilinear maps. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 515–532. Springer, Heidelberg (2005)

166

N.P. Smart and B. Warinschi

3. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003) 4. Boneh, D., Boyen, X.: Efficient selective-ID secure identity based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 5. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005) 6. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 7. Boyen, X., Waters, B.: Compact group signatures. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006) 8. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004) 9. Cha, J.C., Cheon, J.H.: An identity-based signature from gap Diffie-Hellman groups. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 18–30. Springer, Heidelberg (2003) 10. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006) 11. Chen, L., Cheng, Z., Malone-Lee, J., Smart, N.P.: Efficient ID-KEM based on the Sakai-Kasahara key construction. IEE Proceedings - Information Security 153, 19–26 (2006) 12. Chen, X., Zhang, F., Kim, K.: A new ID-based group signature scheme from bilinear pairings. IACR e-Print (2003), http://eprint.iacr.org/2003/116.pdf 13. Cocks, C.: An identity-based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001) 14. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 15. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) 16. Hess, F.: Efficient identity based signature schemes based on pairings. In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 310–324. Springer, Heidelberg (2003) 17. Han, S., Wang, J., Liu, W.: An efficient identity-based group signature scheme over elliptic curves. In: Freire, M.M., Chemouil, P., Lorenz, P., Gravey, A. (eds.) ECUMN 2004. LNCS, vol. 3262, pp. 417–429. Springer, Heidelberg (2004) 18. Park, S., Kim, S., Won, D.: ID-based group signature. Electronics Letters 33, 1616– 1617 (1997) 19. Popescu, C.: An efficient ID-based group signature scheme. Studia Univ. BabesBolyai Info. 47, 29–36 (2002) 20. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: The 2000 Symposium on Cryptography and Information Security, Okinawa, Japan (January 2000)

Identity Based Group Signatures from HIBE

167

21. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing over elliptic curve (in Japanese). In: The 2001 Symposium on Cryptography and Information Security, Oiso, Japan (January 2001) 22. Sakai, R., Kasahara, M.: ID based cryptosystems with pairing on elliptic curve. Cryptology ePrint Archive, Report 2003/054 (2003) 23. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 24. Trolin, M., Wikstr¨ om, D.: Hierarchical group signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 446–458. Springer, Heidelberg (2005) 25. Tseng, Y., Jan, J.: A novel ID-based group signature. In: Int. Comp. Symp. on Crypto and Info. Sec., pp. 159–164 (1998) 26. Waters, B.R.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 27. Wei, V.K., Yuen, T.H., Zhang, F.: Group signature where group manager, members and open authority are identity-based. In: Boyd, C., Gonz´ alez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 468–480. Springer, Heidelberg (2005)

A

Instantiation Using the BBG HIBE

In this appendix we detail how our generic construction applies to the BBG HIBE. A similar construction can be given for other HIBE constructions, by following the same basic principles. ˆ −→ Our explicit constructions are all based on an asymmetric pairing tˆ : G × G ˆ GT , between three groups of prime order q. We assume that G = g and G = ˆ g. ˆ will be Elements of G will be denoted by lower case letters a, b, c etc, elements of G denoted by a ˆ, ˆb, cˆ etc, elements of GT will be denoted by gothic letters a, b, c etc. The original Boneh-Boyen-Goh HIBE is proved secure in the selective ID setting, this is turned into full security via replacing the identities with calls to a hash function, which is then modelled as a random oracle. Hence, to obtain a group signature scheme which is anon-ID-CPA secure we introduce a hash function G to hash the identities to elements of Zq . We also require a hash function H : {0, 1}∗ → Zq for our proof of knowledge proof, which we also model as a random oracle. In addition the following scheme is only secure in the sense of anon-ID-CPA, i.e. Open are not allowed in the adversary queries. A fully secure version is possible to construct, but we present the simpler version here for clarity. In addition we have performed some elementary optimisations on the scheme which results from the generic construction. These do not affect security, but make use of the properties of the Distill function of the BBG HIBE. In particular the signature only contains the unknown part of the Distill function, since the other public part can be reconstructed by the verifier. This not only makes the presentation simpler, it also simplifies the proof of knowledge.

168

N.P. Smart and B. Warinschi

A.1

The Required Proof of Knowledge

We present the proof of knowledge and its verification which are required in the Sign and Verify operations. To aid exposition we set G(grpID) fˆ = (ˆ u0 · u ˆ1 ) and g = tˆ(h1 , gˆ2 ).

Our proof of knowledge is then given by the underlying Σ protocol for the language   L = cˆ6 = u ˆx2 · uˆy4 ∧ e1 = g z ∧ eˆ2 = fˆz ∧ e3 = nx · gz : (x, y, z) , where all values bar x, y, z are public. The naming of the variables is to aid the reader in seeing how this proofs fits in with the variables in the ID-based group signature below. Standard techniques provide the following construction of a non-interactive proof of knowledge, assuming H is modelled as a random oracle. Prover’s Algorithm: The prover generates k1 , k2 , k3 ∈ Zq at random and sets rˆ1 ← u ˆk21 · u ˆk42 , r2 ← g k3 , rˆ3 ← fˆk3 , r4 ← nk1 · gk3 . Then the prover computes ˆ c ← H(grpIDˆ u0 ˆ u1 ˆ u2 ˆ u4 gfngˆ c6e1 ˆ e2 e3 ˆ r1 r2 ˆ r3 r4 ). Finally the prover computes s1 ← k1 + c · x, s2 ← k2 + c · y and s3 ← k3 + c · z. The proof of knowledge is then given by (c, s1 , s2 , s3 ). Verifier’s Algorithm: To verify the proof the verifier computes the values −c ′ s3 s3 ′ s1 ˆs21 · uˆs42 · cˆ−c · e−c ˆ3′ ← fˆs3 · eˆ−c rˆ1′ ← u 6 , r2 ← g 1 , r 2 , r4 ← n · g · e3 ,

and then checks whether c = H(grpIDˆ u0 ˆ u1 ˆ u2 ˆ u4 gfˆngˆ c6e1 ˆ e2 e3 ˆ r1′ r2′ ˆ r3′ r′4 ). A.2

An ID-Based Group Signature from the BBG HIBE

ˆ0 , u ˆ1 , uˆ2 , u ˆ3 , u ˆ4 ∈ Setup(1k ): The trusted authority chooses random values gˆ2 , u ˆ and a value α ∈ Zq . The trusted authority then computes h1 ← g α , ˆh2 ← gˆα , G 2 generates an element n at random from GT , and sets ˆ 2. mpk ← (g, gˆ2 , h1 , u ˆ0 , u ˆ1 , u ˆ2 , u ˆ3 , u ˆ4 , n) and msk ← h

Identity Based Group Signatures from HIBE

169

GrpSetUp(grpID, msk): On input of a group identifier string grpID, the trust authority generates a random value r1 ∈ Zq and sets gsk ← (ˆ a0 , a ˆ2 , a ˆ3 , a ˆ4 , a5 ), where r  G(grpID) 1 ˆ2 · u a ˆ0 ← h , a ˆ2 ← uˆr21 , a ˆ3 ← u ˆr31 , a ˆ4 ← u ˆr41 , a5 ← g r1 . ˆ0 · u ˆ1 Extract(userID, gsk): On input of a user identifier string userID the group manager takes its key gsk = (ˆ a0 , a ˆ2 , a ˆ3 , a ˆ4 , a5 ), generates a random value r2 ∈ Zq , and computes the user secret key via usk ← (ˆb0 , ˆb3 , ˆb4 , b5 ) where r  G(userID) 2 G(grpID) G(userID) ˆb0 ← a ·u ˆ2 · u ˆ0 · u ˆ1 ˆ0 · a ˆ2   r r r ·G(userID) G(grpID) G(userID) 2 G(grpID) 1 ˆ2 · u · uˆ21 · uˆ0 · u ˆ1 ·u ˆ2 =h ˆ0 · uˆ1 r +r  G(grpID) G(userID) 1 2 ˆ2 · u , =h ˆ0 · uˆ1 · uˆ2 ˆb3 ← a ˆ3r1 +r2 , ˆ3 · u ˆr32 = u

ˆb4 ← a ˆ4 · u ˆr42 = uˆ4r1 +r2 ,

b5 ← a5 · g r2 = g r1 +r2 .

Sign(m, usk): To sign a message m ∈ Zq using the secret key usk = (ˆb0 , ˆb3 , ˆb4 , b5 ) the user generates a random values r3 ∈ Zq , and a random identity r4 . The value r3 acts very much like the values r1 and r2 in the GrpSetUp and the Extract algorithms, whilst the value r4 is used to create a blinding identity, so as to maintain user anonymity. In addition the signer picks an additional random values k ∈ Zq , so as to encrypt its identity to the group manager. A signature is given by σ ← (ˆ c0 , c5 , cˆ6 , e1 , eˆ2 , e3 , Σ) where r  G(r ) G(grpID) G(userID) G(r ) 3 cˆ0 ← ˆb0 · ˆbm ˆ4 4 · uˆ0 · u ˆ1 ·u ˆ2 ·u ˆm ˆ4 4 3 ·a 3 ·u r +r  m(r +r ) G(r )·(r +r ) G(grpID) G(userID) 1 2 ˆ2 · u ·u ˆ3 1 2 · u ˆ4 4 1 2 · =h ˆ0 · u ˆ1 · uˆ2 r  G(r4 ) 3 G(userID) G(grpID) uˆ0 · u ·u ˆm · u ˆ ·u ˆ2 ˆ1 3 4 r +r +r  G(r4 ) 1 2 3 G(userID) G(grpID) ˆ2 · u , ·u ˆm · u ˆ · uˆ2 =h ˆ0 · u ˆ1 3 4

c5 ← b5 · g r3 = g r1 +r2 +r3 ,

G(userID)

cˆ6 ← u ˆ2

G(grpID) k ) , uˆ1

G(r4 )

·u ˆ4

,

e3 ← nG(userID) · tˆ(h1 , gˆ2 )k , eˆ2 ← (ˆ u0 ·  z  G(grpID) cˆ6 = uˆx2 · u ∧ ˆy4 ∧ e1 = g z ∧ eˆ2 = u ˆ0 · u ˆ1 Σ ← POK . e3 = nx · tˆ(h1 , gˆ2 )z : (G(userID), G(r4 ), k)

e1 ← g k ,

Note, that the value of tˆ(h1 , gˆ2 ) can be precomputed, we shall indeed denote this value by g in what follows. Thus, signing requires no pairing computations.

170

N.P. Smart and B. Warinschi

Verify(m, σ, mpk, grpID): We verify the signature by essentially encrypting a random message under the underlying HIBE and then checking whether it decrypts to the correct value. On input of a signature σ = (ˆ c0 , c5 , cˆ6 , e1 , eˆ2 , e3 , Σ) on a message m, as issued by a member of the group grpID, the verifier generates the following random values t ∈ Zq , m ∈ GT and computes d1 ← g t ,

t  G(grpID) dˆ2 ← u ˆ0 · uˆ1 · uˆm ˆ6 , 3 ·c

d3 ← m · tˆ(h1 , gˆ2 )t .

The verifier then checks whether m = d3 ·

tˆ(c5 , dˆ2 ) and verifies the POK Σ. tˆ(d1 , cˆ0 )

That a valid signature will verify follows from the following set of equations: t  G(grpID) m ˆ(g r , u ) · u ˆ · c ˆ t ˆ · u ˆ ˆ 6 0 ˆ 3 1 t(c5 , d2 ) r   =  G(grpID) G(userID) G(r4 ) tˆ(d1 , cˆ0 ) tˆ g t , ˆ h2 · u ˆ0 · u ˆ1 ·u ˆ2 · uˆm · u ˆ 3 4  t G(grpID) G(userID) G(r4 ) tˆ(g r , uˆ0 · u ˆ1 ·u ˆ2 · uˆm · u ˆ ) 3 4 r   =  G(grpID) G(userID) G(r ) tˆ g t , ˆ h2 · u ˆ0 · u ˆ1 ·u ˆ2 · uˆm ˆ4 4 3 ·u =

1 1 1 1 = . = = ˆ 2) tˆ(g t , gˆ2α ) tˆ(g α , gˆ2 )t tˆ(h1 , gˆ2 )t tˆ(g t , h

where r = r1 + r2 + r3 . Open(gsk, σ): On input of a valid signature σ = (ˆ c0 , c5 , cˆ6 , e1 , eˆ2 , e3 , Σ) the group manager computes r  G(grpID) 1 k ˆ ˆ ) , h · u ˆ · u ˆ t (g 2 0 1 ˆ0 ) tˆ(e1 , a t← = G(grpID) k tˆ(a5 , eˆ2 ) u0 · u ˆ1 ) ) tˆ(g r1 , (ˆ =

G(grpID) k ˆ 2 ) · tˆ(g r1 , (ˆ u0 · uˆ1 ) ) tˆ(g k , h G(grpID) u0 · u ˆ1 )k ) tˆ(g r1 , (ˆ

ˆ 2 ) = tˆ(h1 , gˆ2 )k . = tˆ(g k , h

The Group manager goes through all user identifiers userID issued to the group grpID and checks which one is satisfies the equation e3 = nG(userID) · t.

Forward-Secure Group Signatures from Pairings Toru Nakanishi, Yuta Hira, and Nobuo Funabiki Department of Communication Network Engineering, Okayama University, 3-1-1 Tsushima-Naka, Okayama 700-8530, Japan {nakanisi,funabiki}@cne.okayama-u.ac.jp

Abstract. To reduce the damage of key exposures, forward-secure group signature schemes have been first proposed by Song. In the forwardsecure schemes, a secret key of a group member is updated by a one-way function every interval and the previous secret key is erased. Thus, even if a secret key is exposed, the signatures produced by the secret keys of previous intervals remain secure. Since the previous forward-secure group signature schemes are based on the strong RSA assumption, the signatures are longer than pairing-based group signatures. In addition, the complexity of the key update or signing/verification is O(T), where Tis the total number of intervals. In this paper, a forward-secure group signature scheme from pairings is proposed. The complexity of our key update and signing/verification is O(log T). Keywords: anonymity, group signatures, forward-security, pairings.

1 1.1

Introduction Backgrounds and Previous Works

Group signatures [11] allow a signer to sign a message anonymously as a group member. The difference from ring signatures [17] with similar characteristics are the involvement with entities with special authority. One of the entities is a group manager (GM ) who permits a user to join the group. The other is an opening manager (OM ) who can identify the signer from the signature, in case of disputes. The applications of group signatures include anonymous credentials, direct anonymous attestations, and ID management reported in [9,8,16]. Toward making the group signatures practicable, Boneh et al. have proposed a short group signature scheme from pairings [5], where signatures are shorter than existing RSA-based group signature schemes. With the advance of the implementations of pairings (e.g., [1,15]), we can obtain the implementations of the group signatures with practical computation times and data sizes. One of great threats in cryptosystems is exposure of secret keys. This may happen by virus, human errors and so on. One of the cryptographic countermeasures to reduce the damage of the exposure is the forward-security. In case of group signatures, a forward-secure group signature scheme has been proposed due to Song in [18]. In the forward-secure scheme, the secret key of a signer is updated every interval using a one-way function. Let uskt be the secret key at H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 171–186, 2009. c Springer-Verlag Berlin Heidelberg 2009 

172

T. Nakanishi, Y. Hira, and N. Funabiki

interval t for 0 ≤ t ≤ T , where T is the total number of intervals. The signer initially obtains usk0 . At the beginning of interval t, the user updates uskt−1 to uskt . At the update, uskt−1 is deleted, and cannot be restored due to the oneway-ness. The signature at interval t is computed using uskt . Then, consider the exposure of uskt at interval t. Since the previous keys before the exposure cannot be obtained even by the signer, the previous signatures before the exposure cannot be forged. Thus, the damage of the exposure is reduced. In [18], two forward-secure group signature schemes (Scheme I and Scheme II) have been first proposed, which are based on the strong RSA assumption. Since 2,048 bits or more are currently required for the RSA assumption, one weakness of the previous schemes is that the signatures are long. Another problem is the asymptotic efficiency w.r.t. T (the total number of time intervals). In Scheme I, the signing and verification algorithms are inefficient due to O(T ) complexity. In Scheme II, the key update algorithm has O(T ) complexity. On the other hand, in the setting of public-key encryption, an efficient forwardsecure scheme has been proposed in [10], where the complexity of all algorithms (and sizes of all parameters) are O(log T ). Remark 1. In [21], a forward-secure scheme has been proposed, but [19] shows that the scheme is insecure. 1.2

Our Contributions

This paper proposes a forward-secure group signature scheme from pairings. In our scheme, the signing/verification and key-update algorithms all have O(log T ) complexity. Our scheme is constructed on the base of Boyen-Waters pairing-based group signature scheme [7]. Although the underlying scheme utilizes groups with composite orders, our scheme utilizes groups with prime orders to achieve the more efficiency. In addition, we employ the binary tree approach similar to [10] to obtain O(log T ) efficiency. We formally define forward-secure traceability that implies the forward-secure unforgeability in the setting of group signatures, and prove that our construction satisfies this security.

2

Model and Security Definitions

Forward-secure group signature scheme consists of the following algorithms: KeyGen: This probabilistic key generation algorithm for GM and OM , on inputs, security parameter 1ℓ , the maximum time T , and N that is the maximum number of members, outputs the group public key gpk, GM ’s master secret key msk and OM ’s secret key osk, and members’ initial secret keys usk0 [i] for all i ∈ [1, N ]. KeyUpdate: This probabilistic algorithm, on inputs gpk, uskt−1 [i] that is the member i’s secret key at time t − 1, and the time t, outputs the secret key uskt [i] at time t.

Forward-Secure Group Signatures from Pairings

173

Sign: This probabilistic algorithm, on inputs gpk, uskt [i], t, and signed message M , outputs the signature σ. Verify: This is a deterministic algorithm for verification. The input is gpk, t, a signature σ, and the message M . Then the output is ’valid’ or ’invalid’. Open: This deterministic algorithm, on inputs gpk, osk, t, σ and M , outputs i, which indicates the signer of σ. The security requirements, forward-secure traceability and CPA-anonymity are defined as follows. Forward-Secure Traceability. The conventional traceability [2] requirement captures the unforgeability of group signatures. This new requirement additionally captures the forward-security. Consider the following forward-secure traceability game between an adversary A and a challenger, where A tries to forge a signature that cannot be traced to one of members corrupted by A or to forge a signature at interval t∗ that is traced to a member corrupted by A at interval t s.t. t > t∗ . Setup: The challenger runs KeyGen, and obtains gpk, msk, osk and usk0 [i] for all i ∈ [1, N ]. He provides A with gpk and osk, and run A. He sets t = 0 and CU with empty, where CU denotes the set of IDs of users corrupted by A. Queries: At the beginning of every interval t ∈ [1, T ], the challenger announces the beginning of t to A, where t is incremented. At the current interval t, A can query the challenger about the followings. Signing: A requests a signature on a message M for a member i. The challenger responds the corresponding signature at the current t, if i ∈ / CU . Corruption: A requests the secret key of a member i at the current t. The / CU . The challenger adds i to CU . challenger responds uskt [i] if i ∈ Output: At the current interval t, A stops and outputs a message M ∗ and a signature σ ∗ at the target interval t∗ ∈ [0, T ] that A chooses. Then, A wins if 1. Verify(gpk, t∗ , σ ∗ , M ∗ ) = valid, 2. A did not obtain σ ∗ by making a signing query at M ∗ , and 3. for i∗ = Open(gpk, osk, t∗ , σ ∗ , M ∗ ), (a) i∗ ∈ / CU , or (b) i∗ = CU but A did not obtain uskt [i∗ ] such that t ≤ t∗ . Forward-secure traceability requires that for all PPT A, the probability that A wins the forward-secure traceability game is negligible. CPA-Anonymity. As the analogy of IND-CCA2 security of public-key encryption, the anonymity of group signatures is defined in [2]. On the other hand, in [5], the relaxed definition capturing IND-CPA security is adopted. Since our scheme follows the opening mechanism of [5], the anonymity satisfies the relaxed

174

T. Nakanishi, Y. Hira, and N. Funabiki

version, called CPA-anonymity. Since our extension from the underlying scheme to the forward-secure scheme does not have a great influence on the anonymity, the CPA-anonymity is informally defined here. Consider an adversary given access to the signing oracle and corruption oracle. In the case of the CPA-anonymity, it is not allowed to access to the opening oracle. Then, the adversary tries to decide whether a challenged signature on a message is issued from user i0 or i1 , where the message, i0 , i1 are chosen by the adversary. The CPA-anonymity requires that all adversary cannot decide it with non-negligible probability over 1/2.

3

Preliminaries

3.1

Bilinear Groups

Our scheme utilizes the following bilinear groups: 1. G and T are multiplicative cyclic groups of prime order p, 2. g is randomly chosen generators of G, 3. e is an efficiently computable bilinear map: G × G → T , i.e., (1) for all u, u′ , v, v ′ ∈ G, e(uu′ , v) = e(u, v)e(u′ , v) and e(u, vv ′ ) = e(u, v)e(u, v ′ ), and thus for all u, v ∈ G and a, b ∈ Z, e(ua , v b ) = e(u, v)ab , and (2) e(g, g) = 1. 3.2

Assumptions

Our scheme is based on the q-HSDH assumption [7]. Definition 1 (Hidden Strong DH (q-HSDH) assumption). For all PPT algorithm A, the probability Pr[A(g, h, g θ , (g 1/(θ+ξ1 ) , g ξ1 , hξ1 ), . . . , (g 1/(θ+ξq ) , g ξq , hξq )) = (g 1/(θ+ξ) , g ξ , hξ ) ∧∀i ∈ [1, q] : g ξ = g ξi ] is negligible, where g, h ∈R G and θ, ξi , ξ ∈R Zp . In addition, we utilize the DLIN assumption [5]. Definition 2 (Decision Linear (DLIN) assumption). For all PPT algorithm A, the probability |Pr[A(g, h, f, g θ , hξ , f θ+ξ ) = 0] − Pr[A(g, h, f, g θ , hξ , f ζ ) = 0]| is negligible, where g, h, f ∈R G and θ, ξ, ζ ∈R Zp . 3.3

Proving Relations on Representations

As well as [5,6,12], we adopt signatures converted by Fiat-Shamir heuristic from zero-knowledge proofs of knowledge (P K). We call the signatures SP Ks. The SP Ks we adopt are the generalization of the Schnorr signature. We introduce the following notation.

Forward-Secure Group Signatures from Pairings

175

SP K{(x1 , . . . , xt ) : R(x1 , . . . , xt )}(M ), which means a signature of message M by a signer who knows secret values x1 , . . . , xt satisfying a relation R(x1 , . . . , xt ). This paper utilizes an SP K proving the knowledge of a representation of C ∈ G to the bases g1 , g2 , . . . , gt ∈ G on message M , which is denoted as SP K{(x1 , . . . , xt ) : C = g1x1 · · · gtxt }(M ). This can be also constructed on group T . The SP K can be extended to proving multiple representations with equal parts.

4 4.1

Proposed Scheme Construction Idea

Conventional group signature scheme is informally as follows. When a member joins, GM issues the member a membership certificate S = Sign(x), where Sign is a signing function of GM and x is a value that is unique to each member. Then, the group signature consists of E = Enc(x), where Enc is an encryption function using OM ’s public key, and the following SP K on the signed message M . SP K{(x, S) : S = Sign(x) ∧ E = Enc(x)}(M ). Note that (x, S) is a secret key of the member. When opening the group signature, the manager decrypts E. On the other hand, in the setting of ordinary public-key encryptions (or signatures), an efficient forward-secure scheme has been invented in [10], which is constructed from an HIBE (Hierarchical Identity-Based Encryption). The scheme achieves at most logarithmical dependency on T by using an HIBE-like key update based on a binary tree approach. Thus, if the secret key (x, S) in the group signature can be updated by using the HIBE-like key update, we can obtain a forward-secure group signature by the similar methodology to [10]. Now, examine concrete underlying group signature schemes. The first candidate is the state-of-the-art pairing-based group signature scheme due to Boneh et al. [5]. In the scheme, a BB signature [4] is used as the certificate Sign(x), and the signature is computed as g 1/(X+x) , where X ∈R Zp is the secret key of GM and g ∈ G, Y = g X are the corresponding public key. We consider the update of the signed secret x , since it is not easy to update the signature g 1/(X+x) . However, in the underlying HIBE such as [13,3,20], the master key is g x where the exponent x should be unknown. Thus, it is not simple to adapt it to the group signature scheme [5] where the member has to know the exponent. The next candidate is Boyen-Waters group signature scheme [7] based on the HSDH assumption, where the member’s secret key consists of g x , hx (h ∈ G) for the same membership certificate S = g 1/(X+x) , where x is unknown to the member. Therefore, by adapting the HIBE-like key update to the HSDH-based group signature scheme, we can obtain the forward-secure scheme.

176

T. Nakanishi, Y. Hira, and N. Funabiki

The next step to obtain the forward-secure group signatures is to find out how to ensure the correctness of the updated key anonymously in the group signatures. In the underlying group signature scheme [7], in order to exclude the random oracle, an NIZK (Non-Interactive Zero-Knowledge) proof without the random oracle is used. However, due to the use of groups with a composite order, the scheme is inefficient. In this paper, we aim to obtain an efficient forwardsecure scheme to allow the random oracle, and adopt the efficient Schnorr-type SP Ks for representations. Thus, we newly design the SP K proving S = Sign(x) and E = Enc(x) together with the correctness of the updates. The point of the design is that the signer have to prove the sameness on the representations without knowing the exponent x of g x , and thus we utilize the pairing to construct the SP K without knowing the exponent. As the final remark, we need E = Enc(x) part in the signature for opening. Since the DDH assumption does not always hold in bilinear groups, we adopt a linear encryption [5] based on the DLIN assumption. In the adoption, we also have to care about the SP K proving E = Enc(x) without knowing the exponent. 4.2

Proposed Algorithms

KeyGen: The inputs of this algorithm are security parameter 1ℓ , the maximum time T , and N that is the maximum number of members, and the outputs are the group public key gpk, GM ’s secret keys msk, osk, and members’s initial secret keys usk0 [i] for all i ∈ [1, N ]. 1. Select bilinear group G with prime order p of length ℓ, and the bilinear map e. Select hash function H : {0, 1}∗ → Zp . 2. Let d = ⌈log2 T ⌉. Select g, g1 , u, w1,0 , . . . , wd,0 , w1,1 , . . . , wd,1 ∈R G. 3. Select X ∈R Zp and compute Y = g X . 4. Select X1 , X2 ∈R Zp and compute Y1 = g X1 and Y2 = g X2 . 5. For all i ∈ [1, N ], select xi ∈R Zp and compute Ki,1 = g 1/(X+xi ) , Ki,2 = g xi , Ki,3 = uxi . 6. Output gpk = (p, G, e, H, d, g, g1 , u, w1,0 , . . . , wd,0 , w1,1 , . . . , wd,1 , Y, Y1 , Y2 ), msk = X, osk = (X1 , X2 ), and usk0 [i] = (Ki,1 , Ki,2 , Ki,3 ). KeyUpdate: The inputs of this algorithm are gpk, t and uskt−1 [i], and the output is uskt [i]. Consider a binary tree of depth d, where the root node is denoted as ǫ (empty string), and for a parent node τ = τ1 · · · τδ , the lefthand (resp., righthand) child is denoted as τ ′ = τ1 · · · τδ 0 (resp., τ ′ = τ1 · · · τδ 1). Then, we assign each node to time t according to a pre-order traversal. I.e, time 0 is assigned to ǫ. For an internal node τ corresponding to time t, the time t + 1 is assigned to the lefthand child node τ 0. For a leaf node τ corresponding to time t, the time t + 1 is assigned to the node τ ′ 1, where τ ′ is the longest string such that τ ′ 0 is a prefix

Forward-Secure Group Signatures from Pairings

177

of τ . Hereafter, to clarify the connection between time t and the corresponding node τ , we denote τ t as the node τ corresponding to t. To each node, a node key is assigned. The key of node τ t is denoted as nkτ t . Then, we consider that uskt [i] is a stack of node keys, where the top of the stack is nkτ t . uskt [i] additionally consists of node keys of all right siblings of nodes on the path from the root to τ t . These node keys are needed for obtaining node keys after t. Then, KeyUpdate algorithm is executed as follows, according to the type of the node τ t−1 . Case of leaf node τ t−1 : Pop nkτ t−1 from the stack uskt−1 [i], and erase nkτ t−1 . Then, the top of the stack is nkτ t . Output the popped stack as uskt [i]. Case of internal node τ t−1 1. Let b be the depth of node τ t . Then, pop nkτ t−1 from the stack uskt−1 [i]. nkt−1 consists of Ki,1 , Ki,2 , Ki,3 , K i,4 . In case of nkǫ , K i,4 is empty. Otherwise, K i,4 = (κi,1 , . . . , κi,b−1 ). (1) (0) 2. Select rb,0 , rb,1 ∈R Zp and compute Ki,3 = Ki,3 · wb,0 rb,0 and Ki,3 = Ki,3 · wb,1 rb,1 . (0) (0) (1) (0) 3. Compute κi,b = g rb,0 and κi,b = g rb,1 . Let K i,4 = (κi,1 , . . . , κi,b−1 , κi,b ) and (1)

(1)

(0)

(0)

K i,4 = (κi,1 , . . . , κi,b−1 , κi,b ). Let nkτ t−1 0 = (Ki,1 , Ki,2 , Ki,3 , K i,4 ) and (1)

(1)

nkτ t−1 1 = (Ki,1 , Ki,2 , Ki,3 , K i,4 ). 4. Push nkτ t−1 1 , and then push nkτ t−1 0 . 5. Erase nkτ t−1 . Then, output the stack as uskt [i]. As the result of the update, for τ t = τ1 · · · τb , we obtain Ki,3 = uxi K i,4 = (g

b 

wj,τj rj,τj ,

j=1 r1,τ1

, . . . , g rb,τb ).

Sign: The inputs of this algorithm are gpk, uskt [i], t and M ∈ {0, 1}∗, and the output is the signature σ. 1. Retrieve the node key nkτ t from the stack uskt [i]. Let nkτ t = (Ki,1 , Ki,2 , Ki,3 , K i,4 ), where K i,4 = (κi,1 , . . . , κi,b ). Let τ t = τ1 · · · τb . 2. Select ρ1 , ρ2 , ρ3 , ρ4,1 , . . . , ρ4,b ∈R Zp , compute γ = ρ1 ρ2 mod p, and compute commitments C1 = Ki,1 g1ρ1 , C2 = Ki,2 g1ρ2 , C3 = Ki,3 g1ρ3 , and C4,1 = ρ ρ κi,1 g1 4,1 , . . . , C4,b = κi,b g1 4,b , C5 = g ρ1 g1ρ5 , and C6 = g γ g1ρ6 . 3. Select randoms δ1 , δ2 ∈R Zp , and compute ciphertext T1 = Ki,2 g δ1 +δ2 , T2 = Y1δ1 , and T3 = Y2δ2 .

178

T. Nakanishi, Y. Hira, and N. Funabiki

4. Compute the following SP K V : SP K{(ρ1 , ρ2 , ρ3 , ρ4,1 , . . . , ρ4,b , ρ5 , ρ6 , γ, γ ′ , δ1 , δ2 ) : e(C1 , Y C2 )/e(g, g) = e(g1 , Y C2 )ρ1 e(C1 , g1 )ρ2 /e(g1 , g1 )γ ∧e(u, C2 )

b 

e(C4,j , wj,τj )/e(g, C3 )

j

= e(u, g1 )ρ2

b 

e(g1 , wj,τj )ρ4,j /e(g, g1)ρ3

j ′ ∧C5 = g ρ1 g1ρ5 ∧ C6 = g γ g1ρ6 ∧ C6 = C5ρ2 g1γ ∧C2 /T1 = g1ρ2 /g (δ1 +δ2 ) ∧ T2 = Y1δ1 ∧ T3 = Y2δ2 }(M )

5. Output σ = (C1 , C2 , C3 , C4,1 , . . . , C4,b , C5 , C6 , T1 , T2 , T3 , V ). Remark 2. This SP K proves e(Ki,1 , Y Ki,2 ) = e(g, g), e(u, Ki,2 )

b 

e(κi,j , wj,τj ) = e(g, Ki,3 ),

j=1

T1 = Ki,2 g δ1 +δ2 ,

T2 = Y1δ1 ,

T3 = Y2δ2 ,

due to the lemma 1 in the following section. These relations mean the the correctness of Ki,1 (i.e., BB signature of Ki,2 = g xi ), the correctness of the updated key b Ki,3 (i.e, Ki,3 = uxi j=1 wj,τj rj,τj ), and the correctness of the linear encryption (T1 , T2 , T3 ) of Ki,2 . How to compute this SP K is described in Appendix A. Verify: The inputs are gpk, t, a target signature σ, and the message M . Check the SP K V . Output ’valid’ (resp., ’invalid’) if it is correct (resp., incorrect). Open: The inputs are gpk, the secret key osk = (X1 , X2 ), t, a target signature σ = (C1 , C2 , C3 , C4,1 , . . . , C4,b , C5 , C6 , T1 , T2 , T3 , V ) and the message M . 1. Verify σ. If it is invalid, abort. 1/X 1/X 2. Using X1 , X2 , compute T1 /(T2 1 T3 2 ) to obtain Ki,2 . 3. Output i. Signature Size and Performance: Let Size(G) and Size(Zp ) be the sizes of a G element and a Zp element, respectively. Then, the signature size is (b + 8)Size(G) + (b + 10)Size(Zp). This is O(log T ), due to b ≤ d = ⌈log2 T ⌉.

Forward-Secure Group Signatures from Pairings

179

The computational cost of key update is mainly 4 exponentiations on G, i.e., O(1) cost. The signature generation needs (b + 19) exponentiations on G, (b + 5) exponentiation on T , and (b + 5) pairings (some of the pairings can be precomputed). The verification cost is 15 exponentiations on G, (b + 7) exponentiation on T , and (2b + 9) pairings (some of the pairings can be precomputed, and the multi-pairing can be accelerated [14]). The performance of both algorithms is O(log T ).

5

Security

Before proving the forward-security traceability, we prepare the following lemma on the SP K. Lemma 1. Under the DL assumption, the SP K V proves the knowledge of Ki,1 , Ki,2 , Ki,3 , κi,1 , . . . , κi,b , δ1 , δ2 s.t. e(Ki,1 , Y Ki,2 ) = e(g, g), e(u, Ki,2 )

b 

e(κi,j , wj,τj ) = e(g, Ki,3 ),

j=1

T1 = Ki,2 g δ1 +δ2 ,

T2 = Y1δ1 ,

T3 = Y2δ2 .

Proof. From V , we can extract (ρ1 , ρ2 , ρ3 , ρ4,1 , . . . , ρ4,b , ρ5 , ρ6 , γ, γ ′ , δ1 , δ2 ) s.t. e(C1 , Y C2 )/e(g, g) = e(g1 , Y C2 )ρ1 e(C1 , g1 )ρ2 /e(g1 , g1 )γ , e(u, C2 )

b 

e(C4,j , wj,τj )/e(g, C3 ) = e(u, g1 )ρ2

j

C5 = C6 = C6 = C2 /T1 = T2 = T3 =

b 

(1)

e(g1 , wj,τj )ρ4,j /e(g, g1)ρ3 ,(2)

j ρ1 ρ5 g g1 , g γ g1ρ6 , ′ C5ρ2 g1γ , g1ρ2 /g (δ1 +δ2 ) , Y1δ1 , Y2δ2 .

(3) (4) (5) (6) (7) (8)

Then, from the equations (3) and (5), we obtain ′

′

C6 = (g ρ1 g1ρ5 )ρ2 g1γ = g ρ1 ρ2 g1ρ5 ρ2 +γ . ′

Thus, using the equation (4), this means g γ g1ρ6 = g ρ1 ρ2 g1ρ5 ρ2 +γ . Based on the DL assumption, since the DL of g1 to base g cannot be computed, the equation γ = ρ1 ρ2 has to hold.

180

T. Nakanishi, Y. Hira, and N. Funabiki

Next, from the equation (1), using γ = ρ1 ρ2 , we obtain e(C1 , Y C2 )/e(g1 , Y C2 )ρ1 = e(g, g)e(C1 , g1 )ρ2 /e(g1 , g1 )ρ1 ρ2 e(C1 , Y C2 )/e(g1ρ1 , Y C2 ) = e(g, g)e(C1 , g1ρ2 )/e(g1ρ1 , g1ρ2 ) e(C1 /g1ρ1 , Y C2 ) = e(g, g)e(C1 /g1ρ1 , g1ρ2 ) e(C1 /g1ρ1 , Y C2 /g1ρ2 ) = e(g, g) Thus, letting Ki,1 = C1 /g1ρ1 and Ki,2 = C2 /g1ρ2 , we obtain e(Ki,1 , Y Ki,2 ) = e(g, g). From the equation (2), we obtain e(u, C2 )

b 

ρ2

e(C4,j , wj,τj )/(e(u, g1 )

b 

e(g1 , wj,τj )ρ4,j ) = e(g, C3 )/e(g, g1 )ρ3

j

j

e(u, C2 )

b 

e(C4,j , wj,τj )/(e(u, g1ρ2 )

b 

ρ

e(g1 4,j , wj,τj )) = e(g, C3 )/e(g, g1ρ3 )

j

j

e(u, C2 /g1ρ2 )

b 

ρ

e(C4,j /g1 4,j , wj,τj ) = e(g, C3 /g1ρ3 )

j

ρ

Thus, letting Ki,3 = C3 /g1ρ3 and κi,j = C4,j /g1 4,j for all 1 ≤ j ≤ b, we obtain e(u, Ki,2 )

b 

e(κi,j , wj,τj ) = e(g, Ki,3 ).

j

Finally, substituting C2 = Ki,2 g1ρ2 to the equation (6), we obtain Ki,2 g1ρ2 /T1 = g1ρ2 /g (δ1 +δ2 ) T1 = Ki,2 g1ρ2 g (δ1 +δ2 ) /g1ρ2 T1 = Ki,2 g (δ1 +δ2 )

⊓ ⊔

Theorem 1. The proposed scheme satisfies the forward-secure traceability under the q-HSDH assumption, in the random oracle model. Proof. Assume an adversary A for the forward-secure traceability game, and we will construct the adversary B in the q-HSDH assumption. We separate A into 2 types, and construct B for each types. Type-1: This type of A is correspondent to the case that the signer i∗ of the signature σ ∗ outputted by A is different from signers i requested in queries. The inputs of B are g, h, g θ , (g 1/(θ+ξ1 ) , g ξ1 , hξ1 ), . . ., (g 1/(θ+ξq ) , g ξq , hξq ), where g, h ∈R G and θ, ξi ∈R Zp . Using the inputs, conduct the forward-secure traceability game with A, as follows.

Forward-Secure Group Signatures from Pairings

181

Setup: KeyGen is simulated as follows. 1. Set u = h and Y = g θ , and define X = θ, where θ is unknown to B. Select g1 ∈R G. Select ρj,0 , ρj,1 ∈R Zp , and compute wj,0 = g ρj,0 , wj,1 = g ρj,1 for all 1 ≤ j ≤ d. 2. Compute X1 , X2 , Y1 , Y2 as usual. 3. Set Ki,1 = g 1/(θ+ξi ) , Ki,2 = g ξi , Ki,3 = hξi . Then, provides A with gpk, osk and run A. Queries: The response to any query can be treated as usual, using uskt [i] that is updated as usual. Output: Finally, A outputs a forged signature σ ∗ for the signer i∗ at interval t∗ . Then, using the extractor of the SP K V , with a non-negligible probability, we can obtain (Ki∗ ,1 , Ki∗ ,2 , Ki∗ ,3 , K i∗ ,4 ) s.t. e(Ki∗ ,1 , Y Ki∗ ,2 ) = e(g, g), e(u, Ki∗ ,2 )

b∗ 

(9)

e(κi∗ ,j , wj,τj∗ ) = e(g, Ki∗ ,3 ),

(10)

j=1 ∗

where τ t = τ1∗ · · · τb∗∗ . Since i∗ is not any requested i, Ki∗ ,2 = Ki,2 . Thus, we can set Ki∗ ,2 = g ξ for some ξ ∈ Zp (ξ = ξi ). From the equation (9), this means Ki∗ ,1 = g 1/(θ+ξ) . On the other hand, from the equation (10), ∗

ξ

e(u, g )

b 

e(κi∗ ,j , g

ρj,τ ∗ j

) = e(g, Ki∗ ,3 )

j=1

e(u

∗

ξ

b 

ρj,τ ∗

κi∗ ,jj , g) = e(g, Ki∗ ,3 )

j=1

Thus, we can set Ki∗ ,3 = uξ

b∗

ρj,τ ∗

j=1

Ki∗ ,3 ·

κi∗ ,jj . Then, compute ∗

b 

−ρj,τ ∗

κi∗ ,j

j

,

j=1

which is equal to uξ = hξ . Therefore, output (g 1/(θ+ξ) , g ξ , hξ ), where ξ = ξi . Type-2: This type of A is correspondent to the case that the signer i∗ of the signature σ ∗ outputted by A was requested in the queries. The inputs of B are g, h, g θ , (g 1/(θ+ξ1 ) , g ξ1 , hξ1 ), . . ., (g 1/(θ+ξq ) , g ξq , hξq ), where g, h ∈R G and θ, ξi ∈R Zp . Using the inputs, conduct the forward-secure traceability game with A as follows. Setup: KeyGen is simulated as follows. ∗ 1. Guess targets i∗ ∈R [1, N ] and t∗ ∈R [0, T ]. Let τ t = τ1∗ · · · τb∗∗ . 2. Set u = h and Y = g θ , and define X = θ, where θ is unknown to B. Select α ∈R Zp and compute f = Y −1 g α .

182

T. Nakanishi, Y. Hira, and N. Funabiki ρ

∗

3. Select ρ1,0 , . . . , ρd,0 , ρ1,1 , . . . , ρd,1 ∈R Zp , and compute wj,τj∗ = g j,τj for τj∗ of all j ∈ [1, b∗ ]. For other wj,τj , compute wj,τj = f g ρj,τj . 4. Compute X1 , X2 , Y1 , Y2 as usual. 5. For i except i∗ , set Ki,1 = g 1/(θ+ξi ) , Ki,2 = g ξi , Ki,3 = hξi . For i∗ , compute Ki∗ ,1 = g 1/α , Ki∗ ,2 = f . However, Ki∗ ,3 is unknown. Set xi∗ = α − θ, which is also unknown. Then, Ki∗ ,1 = g 1/(θ+xi∗ ) = g 1/(X+xi∗ ) , and Ki∗ ,2 = Y −1 g α = g −θ+α = g xi∗ . Then, provides A with gpk, osk and run A. Queries: Except the queries for i∗ , the response to any query can be treated as usual, using uskt [i] that is updated as usual. The queries for i∗ are simulated as follows. Let τ t = τ1 · · · τb for the current interval t. Signing for i∗ : The commitments and SP K in the group signature can be easily simulated without uskt [i]. The ciphertext (T1 , T2 , T3 ) can be simulated using Ki∗ ,2 . Corruption for i∗ : If t ≤ t∗ , abort. Otherwise, consider two cases: ∗ τ t is a descendant node of τ t : In this case, b > b∗ and τ1 = ∗ ∗ τ1 , . . . , τb∗ = τb∗ . Select rj,τj ∈R Zp for 1 ≤ j ≤ b. Simulate Ki∗ ,3 , K i∗ ,4 = (κi,1 , . . . , κi,b ) as follows. Ki∗ ,3 = u

−ρb∗ +1,τb∗ +1

b 

rj,τ

wj,τjj ,

j=1

κi∗ ,j = g

rj,τj

(1 ≤ j ≤ b and j = b∗ + 1),

κi∗ ,b∗ +1 = u−1 g

rb∗ +1,τb∗ +1

.

Then, setting r˜b∗ +1,τb∗ +1 = rb∗ +1,τb∗ +1 − dlogg (u), ∗

Ki∗ ,3 = u

−ρb∗ +1,τb∗ +1

(

b 

rb∗ +1,τ

rj,τ

b 

∗

+1 · wj,τjj ) · wb∗ +1,τbb∗ +1

j=b∗ +1

j=1 ∗

=u

−ρb∗ +1,τb∗ +1

(

b 

r˜b∗ +1,τ

rj,τ

∗

+1 wj,τjj ) · wb∗ +1,τbb∗ +1

j=1

·(f g

ρb∗ +1,τb∗ +1 dlogg (u)

)

b 

·

rj,τ

wj,τjj

j=b∗ +1 ∗

=u

−ρb∗ +1,τb∗ +1

(

b 

r˜b∗ +1,τ

rj,τ

∗

+1 wj,τjj ) · wb∗ +1,τbb∗ +1

j=1

·((g xi∗ )dlogg (u) u

ρb∗ +1,τb∗ +1

)·

b 

= uxi∗ (

j=1

rj,τ

r˜b∗ +1,τ

∗

+1 · wj,τjj ) · wb∗ +1,τbb∗ +1

b 

j=b∗ +1

rj,τ

rj,τ

wj,τjj

j=b∗ +1 b∗ 

wj,τjj

rj,τ

wj,τjj

Forward-Secure Group Signatures from Pairings

κi∗ ,b∗ +1 = u−1 g = u−1 g =g

183

rb∗ +1,τb∗ +1 r˜b∗ +1,τb∗ +1 +dlogg (u)

r˜b∗ +1,τb∗ +1

The distributions are the same as ones outputted by the real algorithm. Respond (Ki∗ ,1 , Ki∗ ,2 , Ki∗ ,3 , K i∗ ,4 ). ∗ τ t is not a descendant node of τ t : Note that τ t is also not an t∗ ancestor node of τ . In this case, for some j˜ ∈ [1, min(b, b∗ )], we necessarily have τj˜ = τj˜∗ . Select rj,τj ∈R Zp for 1 ≤ j ≤ b. Simulate Ki∗ ,3 , K i∗ ,4 = (κi,1 , . . . , κi,b ) as follows. Ki∗ ,3 = u−ρj˜,τj˜

b 

rj,τ

wj,τjj ,

j=1

κi∗ ,j = g rj,τj κi∗ ,˜j = u

(1 ≤ j ≤ b and j = j˜),

−1 rj˜,τj˜

g

.

Then, by the similar discussion, the distributions are the same as ones outputted by the real algorithm. Respond (Ki∗ ,1 , Ki∗ ,2 , Ki∗ ,3 , K i∗ ,4 ). Output: If the guess of t∗ fails, abort. Otherwise (the guess is correct with a non-negligible probability), A outputs a forged signature σ ∗ at the interval t∗ . Then, using the extractor of the SP K V , with a non-negligible probability, obtain (Ki∗ ,1 , Ki∗ ,2 , Ki∗ ,3 , K i∗ ,4 ) satisfying the equations (9), (10). If the guess of i∗ fails, abort. Otherwise (the guess is correct with a non-negligible probability), set ξ = xi∗ and thus Ki∗ ,1 = g 1/(θ+ξ) ρ ∗ and Ki∗ ,2 = g ξ , where ξ = ξi . Then, since wj,τj∗ are all g j,τj , from the equation (10), ∗

ξ

e(u, g )

b 

e(κi∗ ,j , g

ρj,τ ∗ j

) = e(g, Ki∗ ,3 )

j=1

e(u

∗

ξ

b 

ρj,τ ∗

κi∗ ,jj , g) = e(g, Ki∗ ,3 )

j=1

b∗ ρj,τ ∗ Thus, similarly, we can set Ki∗ ,3 = uξ j=1 κi∗ ,jj . Thus, by Ki∗ ,3 · b∗ −ρj,τj∗ , obtain uξ (= hξ ). Finally, output (g 1/(θ+ξ) , g ξ , hξ ), where j=1 κi∗ ,j ξ = ξi . Therefore, with a non-negligible probability, we can break the q-HSDH assumption in both types. Thus, by randomly choosing one among Type-1 and Type-2, and by playing it again and again, we can break the assumption with a nonnegligible probability. ⊓ ⊔

184

T. Nakanishi, Y. Hira, and N. Funabiki

Theorem 2. The proposed scheme satisfies the CPA-anonymity under the DLIN assumption, in the random oracle model. The proof of this theorem is similar to that in [5]. By the similar proof to the security proof of ElGamal encryption under the DDH assumption, it is shown that the linear encryption is semantically secure under the DLIN assumption. In both the original scheme in [5] and our scheme, the signature consists of the linear encryption (T1 , T2 , T3 ) of g xi , an SP K V and statistically hiding commitments (C1 , C2 , C3 , C4,1 , . . . , C4,b , C5 , C6 , ). Since the SP K and commitments can be easily simulated, we can reduce the CPA-anonymity game of our scheme to the IND-CPA game of the linear encryption.

6

Conclusion

We have proposed a forward-secure group signature scheme from pairings. Since the proposed scheme excludes the RSA-type assumptions, it is more efficient than the previous scheme [18]. Due to the HIBE-like key update algorithm, the signing/verification achieves O(log T ) computational costs. The dominant cost is O(log T ) pairings, which can be efficiently computed by the multi-pairing technique [14]. An open problem is to explore a forward-secure scheme with the signing and verification requiring only O(1) pairings.

References 1. Barreto, P.S.L.M., Galbraith, S.D., O’hEigeartaigh, C., Scott, M.: Efficient pairing computation on supersingular abelian varieties. Designs, Codes and Cryptography 42(3), 239–271 (2007) 2. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003) 3. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 4. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 5. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004) 6. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Proc. 11th ACM Conference on Computer and Communications Security (ACM-CCS 2004), pp. 168–177 (2004) 7. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)

Forward-Secure Group Signatures from Pairings

185

8. Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proc. 11th ACM Conference on Computer and Communications Security (ACM-CCS 2004), pp. 132–145 (2004) 9. Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system. In: Proc. 9th ACM Conference on Computer and Communications Security (ACM-CCS 2002), pp. 21–30 (2002) 10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003) 11. Chaum, D., van Heijst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991) 12. Furukawa, J., Imai, H.: An efficient group signature scheme from bilinear maps. In: Boyd, C., Gonz´ alez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 455–467. Springer, Heidelberg (2005) 13. Gentry, C., Silverberg, A.: Hierarchical id-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 548–566. Springer, Heidelberg (2002) 14. Granger, R., Smart, N.: On computing products of pairings. Cryptology ePrint Archive: Report 2006/172 (2006) 15. Hess, F., Smart, N., Vercauteren, F.: The eta pairing revisited. IEEE Trans. Information Theory 52(10), 4595–4602 (2006) 16. Isshiki, T., Mori, K., Sako, K., Teranishi, I., Yonezawa, S.: Using group signatures for identity management and its implementation. In: Proc. 2nd ACM Workshop on Digital Identity Management, pp. 73–78 (2006) 17. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001) 18. Song, D.X.: Practical forward secure group signature schemes. In: Proc. 8th ACM Conference on Computer and Communications Security (ACM-CCS 2001), pp. 225–234 (2001) 19. Wang, G.: On the security of a group signature scheme with forward security. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 27–39. Springer, Heidelberg (2003) 20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 21. Zhang, J., Wu, Q., Wang, Y.: A novel efficient group signature scheme with forward security. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 292–300. Springer, Heidelberg (2003)

A

Detail of SP K

Here, we describe the SP K V in the proposed scheme, using the SP K for the representations. V has to prove knowledge of (ρ1 , ρ2 , ρ3 , ρ4,1 , . . . , ρ4,b , ρ5 , ρ6 , γ, γ ′ , δ1 , δ2 ) s.t. e(C1 , Y C2 )/e(g, g) = e(g1 , Y C2 )ρ1 e(C1 , g1 )ρ2 /e(g1 , g1 )γ , e(u, C2 )

b 

e(C4,j , wj,τj )/e(g, C3 ) = e(u, g1 )ρ2

j

C5 = g ρ1 g1ρ5 , C6 = ρ2 (δ1 +δ2 ) C2 /T1 = g1 /g ,

b 

e(g1 , wj,τj )ρ4,j /e(g, g1)ρ3 ,

j

g γ g1ρ6 , T2 =

C6 δ1 Y1 ,

=

′ C5ρ2 g1γ ,

T3 = Y2δ2 .

186

T. Nakanishi, Y. Hira, and N. Funabiki

The SP K is computed as follows. 1. Select rρ1 , rρ2 , rρ3 , rρ4,1 , . . . , rρ4,b , rρ5 , rρ6 , rγ , rγ ′ , rδ1 , rδ2 ∈R Zp , and compute R1 = e(g1 , Y C2 )rρ1 e(C1 , g1 )rρ2 /e(g1 , g1 )rγ , R2 = e(u, g1 )rρ2 R3 = R6 =

b 

e(g1 , wj,τj )rρ4,j /e(g, g1 )rρ3 ,

j rρ1 rρ5 R4 g g1 , rρ2 (rδ1 +rδ2 ) , g1 /g

rρ

rρ

= g rγ g 1 6 ,

r

′

R5 = C5 2 g1γ , r

R7 = Y1 δ1 ,

r

R8 = Y2 δ2 .

2. Compute c = H(gpk, M, C1 , C2 , C3 , C4,1 , . . . , C4,b , C5 , C6 , T1 , T2 , T3 , R1 , R2 , R3 , R4 , R5 , R6 , R7 , R8 ). 3. Compute sρ1 = rρ1 + cρ1 , sρ2 = rρ2 + cρ2 , sρ3 = rρ3 + cρ3 , sρ4,1 = rρ4,1 + cρ4,1 , . . . , sρ4,b = rρ4,b + cρ4,b , sρ5 = rρ5 + cρ5 , sρ6 = rρ6 + cρ6 , sδ1 = rδ1 + cδ1 , sδ2 = rδ2 + cδ2 .

sγ = rγ + cγ,

sγ ′ = rγ ′ + cγ ′ ,

4. Output V = (c, sρ1 , sρ2 , sρ3 , sρ4,1 , . . . , sρ4,b , sρ5 , sρ6 , sγ , sγ ′ , sδ1 , sδ2 ). The verification is as follows. 1. Retrieve ˜ 1 = e(g1 , Y C2 )sρ1 e(C1 , g1 )sρ2 /e(g1 , g1 )sγ (e(C1 , Y C2 )/e(g, g))−c , R ˜ 2 = e(u, g1 )sρ2 R

b 

e(g1 , wj,τj )sρ4,j /e(g, g1)sρ3 (e(u, C2 )

j

·

b 

e(C4,j , wj,τj )/e(g, C3 ))−c ,

j

˜ 3 = g sρ1 g sρ5 C −c , ˜ 4 = g sγ g sρ6 C −c , ˜ 5 = C sρ2 g sγ ′ C −c , R R R 1 1 5 5 6 1 6 ˜ 6 = g sρ2 /g (sδ1 +sδ2 ) (C2 /T1 )−c , ˜ 7 = Y sδ1 T −c , ˜ 8 = Y sδ2 T −c . R R R 2 3 1 1 2 2. Check ˜1, R ˜2, R ˜3, R ˜4 , c = H(gpk, M, C1 , C2 , C3 , C4,1 , . . . , C4,b , C5 , C6 , T1 , T2 , T3 , R ˜5, R ˜6, R ˜7, R ˜ 8 ). R

Efficient Traceable Signatures in the Standard Model Benoˆıt Libert1,⋆ and Moti Yung2 1

Universit´e Catholique de Louvain, Crypto Group, Belgium 2 Google Inc. and Columbia University, USA

Abstract. Traceable signatures (TS), suggested by Kiayias, Tsiounis and Yung, extend group signatures to address various basic traceability issues beyond merely identifying the anonymous signer of a rogue signature. Namely, they enable the efficient tracing of all signatures produced by a misbehaving party without opening the identity of other parties. They also allow users to provably claim ownership of a previously signed anonymous signature. To date, known TS systems all rely on the random oracle model. In this work we present the first realization of the primitive that avoids resorting to the random oracle methodology in its security proofs. Furthermore, our realization’s efficiency is comparable to that of nowadays’ fastest and shortest standard model group signatures. Keywords: Traceable signatures, anonymity, standard model.

1

Introduction

G r oup Signatures Background. Group signatures, introduced by Chaum and van Heyst [19], allow members of a group to sign messages without revealing their identity. When the necessity arises, an authority holding some privileged piece of information can “open” signatures and uncover the signer’s identity. Such primitives find applications in electronic auctions or trusted computing platforms where anonymity is a central issue. The first scalable coalition-resistant system was proposed by Ateniese et al. [4]. The recent years saw a continued interest in the primitive with the appearance of pairing-based constructions (e.g. [12,36]). In general, when it comes to signatures, pairing has been employed to achieve two goals: (1) short signatures and (2) realizations in the standard model, not relying on the random oracle idealization. Notably, Boneh, Boyen and Shacham [12] showed the first scheme featuring signatures shorter than 200 bytes. Its security was analyzed in (a relaxation of) the model of Bellare, Micciancio and Warinschi (BMW) [7], which captures the requirements of group signatures in three properties but assumes static groups. The setting of dynamic groups was formalized by Bellare-Shi-Zhang (BSZ) [9] ⋆

This author acknowledges the Belgian National Fund for Scientific Research (F.R.S.F.N.R.S.) for their financial support and the BCRYPT Interuniversity Attraction Pole.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 187–205, 2009. c Springer-Verlag Berlin Heidelberg 2009 

188

B. Libert and M. Yung

and, independently, by Kiayias-Yung [33] while efficient systems were given in [33,36,25,22]. Forementioned practical proposals all rely on the random oracle model [8]. In the standard model, the theoretical constructions of [7,9] were “only” proofs of concept (plausibility results), since the main interest is in getting efficient schemes. Using improved non-interactive zero-knowledge (NIZK) techniques [30,29] inspired by an earlier homomorphic encryption scheme [13], Boyen and Waters [16] showed a fairly efficient realization with logarithmic-size signatures in the static BMW model. They subsequently improved [17] it to get rid of the dependency of signatures’ size on the group cardinality. Ateniese et al. [3] independently constructed another scheme relying on on stronger interactive assumptions. Meanwhile, Groth [27] came up with constant-size signatures without random oracles in the (dynamic) BSZ model but signatures remained too long for practical use. In 2007, Groth showed [28] another standard model scheme with signatures shorter than 2 kB and full anonymity in the BSZ model. Traceable Signatures. In group signatures, if we are given a member’s name and his public key, scanning all signatures and verify which ones were signed by that member is only doable by revoking the anonymity of all signatures (in particular, signatures of honest users). To overcome this and allow further tracing properties, Kiayias, Tsiounis and Yung [32] introduced traceable signatures (TS). They still allow the group manager (GM) to open signatures individually. In addition, however, the GM can reveal a trapdoor allowing clerks to trace suspicious members’ signatures without having to revoke anonymity of every single signature. Misbehaving users can thus be traced without affecting the anonymity of honest ones. Moreover, such a traceability results in increased scalability since tracing agents can run in parallel whereas traditional group signatures involve a centralized tracing authority1 . Traceable signatures also support a mechanism enabling users to claim (and prove) the authorship of their own anonymously generated signatures. Kiayias, Tsiounis and Yung (KTY) formalized the security of traceable signatures via three properties termed misidentification security, non-frameability and anonymity. They suggested a first implementation of the primitive (using the Fiat-Shamir heuristic [24] and thus the random oracle model) and proved its security under the Strong RSA and the Decision Diffie-Hellman assumptions. Later on, efficiency improvements were suggested by Ge and Tate [26]. Meanwhile, Nguyen and Safavi-Naini [36] and Choi, Park and Yung [20] gave pairingbased constructions with shorter signatures. More recently, Benjumea el al. [10] considered traceable signatures with extended capabilities in the multi-group setting and implemented them in the random oracle model. Our Contribution. Constructions with security proofs in the random oracle model are known to sometimes have realizability problems [18]. Primitives that 1

Group signatures with verifier-local revocation [14] are an exception as verification entails to publicly run some implicit tracing mechanism to make sure that the signer is not revoked.

Efficient Traceable Signatures in the Standard Model

189

are initially presented with proofs under the random oracle idealization thus deserve further investigations towards instantiations in the standard model. In this paper we construct the first efficient traceable signature in the standard model, where we employ the Groth-Sahai [31] non-interactive witness indistinguishable (NIWI) proof systems as part of the construction. We prove it secure in the KTY sense under non-interactive (and thus falsifiable) assumptions. As far as efficiency goes, our scheme is on par with most efficient standard model group signatures: for recommended parameters, we obtain signatures of less than 2.6 kB, which is close to the size of Groth’s signatures [28]. Organization. In the following, section 2 first describes the model of the TS primitive and the various tools and assumptions that we use. The scheme is described in section 3 and its security results are proved in appendix.

2

Background $

Throughout the paper, when S is a set, x ← S denotes the action of choosing x uniformly at random in S. By a ∈ poly(λ), we mean that a is a polynomial in λ while b ∈ negl(λ) says that b is a negligible function of λ (i.e., a function that decreases faster than the inverse of any a ∈ poly(λ)). When a and b are binary strings, a||b stands for their concatenation. 2.1

Complexity Assumptions

We use groups (G, GT ) of prime order p and endowed with an efficiently computable map e : G × G → GT such that e(g a , hb ) = e(g, h)ab for any elements (g, h) ∈ G × G, a, b ∈ Z and e(g, h) = 1GT whenever g, h = 1G . In this algebraic setting, we rely on hardness assumptions that are all falsifiable [35]. The first one, introduced by Boneh, Boyen and Shacham [12], allows constructing NIWI proofs as pointed out in [31]. Definition 1. In a group G = g of prime order p > 2λ , the Decision Linear Problem (DLIN) is to distinguish the distributions (g a , g b , g ac , g bd , g c+d) $ $ and (g a , g b , g ac , g bd , g z ), with a, b, c, d ← Z∗p , z ← Z∗p . The Decision Linear Assumption asserts that, for any PPT distinguisher D, a b ac bd c+d ) = 1|a, b, c, d ← Z∗p ] AdvDLIN G,D (λ) = |Pr[D(g , g , g , g , g $

− Pr[D(g a , g b , g ac , g bd , g z ) = 1|a, b, c, d ← Z∗p , z ← Z∗p ]| ∈ negl(λ). $

$

→ → This problem amounts to deciding whether vectors − g1 = (g a , 1, g), − g2 = (1, g b , g) − → and g3 are linearly dependent or not. We also use a variant, first considered by Boyen and Waters [17], of the Strong Diffie-Hellman assumption [11]. Definition 2 ([17]). In a group G of prime order p, the ℓ-Hidden Strong $ Diffie-Hellman problem (ℓ-HSDH) is, given elements (g, Ω = g ω , u) ← G3

190

B. Libert and M. Yung

and ℓ distinct triples (g 1/ω+si , g si , usi ) with s1 , . . . , sℓ ∈ Z∗p , to find another triple (g 1/ω+s , g s , us ) such that s = si for i = 1, . . . , ℓ. We finally need a variant of the problem, called Triple Diffie-Hellman, recently considered by Belenkiy et al. [6]. Definition 3. Let G be a group of prime order p. The (modified) ℓ-Triple Diffie-Hellman Problem (ℓ-mTDH) is, given (g, g a , g b ) ∈ G3 , for randomly $ chosen a, b ← Z∗p , and ℓ distinct pairs (g 1/(a+ci ) , ci ) with c1 , . . . , cℓ ∈ Z∗p , to output a triple (g µ , g bµ , g abµ ) for some non-zero μ ∈ Z∗p . The original Triple Diffie-Hellman problem [6] was to find a triple (g aµ , g bµ , g abµ ) given the same inputs. In the paper, we only need these to comprise of a single pair (c, g 1/(a+c) ) (i.e., ℓ = 1). A related assumption, called BB-CDH [5], asserts the infeasibility of finding g ab on input of (g a , g b ) as well as pairs (g 1/(a+ci ) , ci ) with c1 , . . . , cℓ ∈ Z∗p . Under the knowledge of exponent assumption (KEA)2 [21], the ℓ-mTDH problem is equivalent to the BB-CDH problem. The generic hardness of ℓ-mTDH is thus implied by that of KEA [23,1] and BB-CDH. 2.2

Model and Security Notions

A traceable signature consists of the following algorithms or protocols. Setup: given a security parameter λ ∈ N, this algorithm (possibly run by a trusted party) generates a group public key Y, that is widely distributed, and the matching private key S which is handed to the group manager. Join(GM,Ui ) : is an interactive protocol, between the group manager GM and the prospective user Ui , whereby the latter obtains a membership secret seci , that nobody else knows, and a membership certificate certi . The GM stores the whole transcript in a database called transcripts, which is a private database also containing the coin tosses that were used by the GM. Sign: given a certificate membership certi , a membership secret seci and a message M , this algorithm outputs a traceable signature σ of M . Verify: on input of a signature σ, a message M and a group public key Y, this deterministic algorithm returns 0 or 1. Open: takes as input a signature σ that verifies under the group public key Y, the corresponding private key S and the database transcripts of all transcripts of join protocols. It outputs the identity i of a group member. Reveal: takes as input the group manager’s private key S, the index i of a group member and the join transcript transcripti of user i. It outputs the latter’s tracing trapdoor tracei . Trace: on input of a valid traceable signature σ, the group public key Y and a tracing trapdoor tracei for user i, this algorithm outputs either 0 or 1. Claim: takes as input the group public key Y, a valid signature σ issued by user i, the latter’s membership secret seci and certificate certi . The output is an authorship claim τ of user i for σ. 2

This assumption states that, given g, g a ∈ G, the only way to generate a pair (h, ha ) ∈ G2 is to raise g and g a to some power and thus know x = logg (h).

Efficient Traceable Signatures in the Standard Model

191

Claim-Verify: given a group public key Y, a signature σ and a claim τ , this deterministic algorithm outputs 0 or 1. Security properties are formalized by experiments where the adversary is granted access to oracles sharing certain variables: - state: contains the join transcripts, membership certificates and secrets that have been defined so far. - N is the number of users in the group. - Sigs: is the database of signatures issued by the Qsig oracle. - Revs: is the set of members that have been the input of a Qreveal query. - U p : is the set of honest users introduced in the system via a Qp-join query. - U a : is the set of adversarially-controlled users in the system. - U b : is the set of users that were introduced by the adversary acting as a dishonest group manager. For such users, the transcript of the join protocol is leaked to the adversary. The various oracles that adversaries are given access to are listed below. - QY : returns the public information (N, Y) of the system. - QS : returns the group manager’s private key and thereby allows the adversary to corrupt the latter. - Qp-join : is an oracle that privately introduces new honest users in the group. It simulates the join protocol in private, adds index N into U p , increases N by 1, sets state ← state||(N, transcriptN , certN , secN ) and transcripts ← transcripts||(N, transcriptN ). - Qa-join : allows the adversary to introduce users under her control in the group. The oracle, acting as the group manager, interacts with the malicious prospective user in the join protocol. If the protocol successfully terminates, the oracle increments N, sets state ← state||(N, transcriptN , certN , ⊥), transcripts ← transcripts||(N, transcriptN ) and adds N into U a . - Qb-join : allows the adversary, acting as a dishonest group manager, to introduce new group members. The oracle, acting on behalf of the prospective user, interacts with the malicious group manager in the join protocol. If the latter successfully terminates, the oracle increases N by 1, sets state ← state||(N, transcriptN , certN , ⊥), and adds N into U b . - Qsig : on input of a message M and a user index i, the oracle checks if state contains an entry of the form (i, ·, certi , seci ). If no such record is found or if i ∈ U a , it returns ⊥. Otherwise, it generates and returns a traceable signature on behalf of user i using certi and seci . It also sets Sigs ← Sigs||(i, M, σ). - Qreveal : on input of a user index i, this oracle returns ⊥ if user i does not exist or if i ∈ U b . Otherwise, it returns the output of Reveal(i, transcripts) and adds i to Revs. Misidentification Attacks. In a misidentification attack, the adversary is allowed to control a number of group members. Through the Qp-join and Qsig oracles, she can observe operations while users are added and generate signatures. She is also given access to users’ tracing information via the Qreveal oracle. Her

192

B. Libert and M. Yung

goal is to produce a non-trivial valid signature that does not open to any of the users under her control or that cannot be traced back to one of them. Definition 4. A traceable signature is secure against misidentification attacks (λ) = Pr[Exptmis-id (λ) = 1] ∈ negl(λ) for any PPT adversary A if Advmis-id A A involved in the experiment below. Experiment Exptmis-id (λ) A (Y, S) ← Setup(λ); (M ⋆ , σ ⋆ ) ← A(QY , Qp-join , Qa-join , Qsig , Qreveal ); If Verify(M ⋆ , σ ⋆ , Y) = 0 then  return 0;  ⋆ ⋆ a If (Open(σ , Y, S) ∈  U ) ∨ ( i∈U a Trace(σ , Reveal(i)) = 0)   ∧ i∈U p (i, M ⋆ , ∗) ∈ Sigs then return 1; Return 0; Framing Attacks. In a framing attack, the adversary can corrupt the group manager (via the QS oracle) and observe the system while users are added and produce signatures. Two kinds of framing attacks are considered. First, the adversary is deemed successful if she manages to produce a signature that opens or traces to an innocent group member. Second, she also wins if she can successfully claim a signature produced by another user as her own. The model of non-frameability considered in [33,20] implicitly captures a flavor of strong unforgeability [2] in that it can only be satisfied when adversaries are unable to randomize existing signatures and turn them into other signatures on the same message. Here, due to the use of NIWI proof systems where proofs are publicly re-randomizable, we will need to consider a slightly relaxed flavor of nonframeability. To this end, we define an equivalence relation over the signature space. In our scheme, each signature consists of a number of traceability values, several commitments and a set of proofs elements. We say that two messagesignature pairs (M1 , σ1 ), (M2 , σ2 ) belong to the same equivalence class, which we denote by (M1 , σ1 ) ≡s (M2 , σ2 ), if they pertain to the same message (i.e., M1 = M2 ) and comprise identical traceability values. Definition 5. A traceable signature is secure against framing attacks if, for any fra PPT adversary A, Advfra A (λ) = Pr[ExptA (λ) = 1] is negligible. Experiment Exptfra A (λ) (Y, S) ← Setup(λ); (M ⋆ , σ ⋆ , τ ⋆ ) ← A(QY , QS , Qb-join , Qsig ); If Verify(M ⋆ , σ ⋆ , Y) = 0 then return 0;  ⋆ ⋆ If (Open(σ , Y, S) = i ∈ U b ) ∨ (∃i ∈ U b s.t. Trace(σ , Reveal(i)) = 1)   ∧  ∃(i, M, σ) ∈ Sigs s.t. (M ⋆ , σ ⋆ ) ≡s (M, σ) then return 1; If (∃i ∈ U b s.t. (i, M, σ) ∈ Sigs and (M ⋆ , σ ⋆ ) ≡s (M, σ)) ∧(Claim-Verify(σ ⋆ , τ ⋆ ) = 1) then return 1 ; Return 0; Anonymity. An anonymity adversary runs in two stages called play and guess. In the first one, the adversary is allowed to join the system via Qa-join -queries on polynomially-many occasions. Using the Qp-join , Qsig oracles, she can observe the

Efficient Traceable Signatures in the Standard Model

193

system while users are privately introduced and sign messages. She can finally obtain tracing trapdoors for users of her choice. At the end of the play stage, she chooses two privately introduced users i⋆0 , i⋆1 that were not the input of a Qreveal query and obtains a signature on behalf of one of them. In the guess stage, she aims at finding out who the signer was among i⋆0 and i⋆1 . Definition 6. A traceable signature is anonymous if, for any PPT adversary A, we have Advanon (A) := |Pr[Exptanon (λ) = 1] − 1/2| ∈ negl(λ), where A Experiment Exptanon (λ) A (Y, S) ← Setup(λ); (aux, M ⋆ , i0 , i1 ) ← A(play : QY , Qp-join , Qa-join , Qsig , Qreveal ); If (i⋆0 ∈ U p ) ∨ (i⋆1 ∈ U p ) ∨ (i⋆0 ∈ Revs) ∨ (i⋆1 ∈ Revs) then return 0; $ d⋆ ← {0, 1}; σ ⋆ ← Sign(M ⋆ , Y, certi⋆d⋆ , seci⋆d⋆ ); d′ ← A(guess, σ ⋆ , aux : QY , Qp-join , Qa-join , Qsig , Qreveal ); If (i⋆0 ∈ Revs) ∨ (i⋆1 ∈ Revs) then return 0; If d′ = d⋆ then return 1; Return 0; The KTY model does not provide adversaries with an opening oracle in the definition of anonymity. On the other hand, since tracing is a distributed operation, the model considers (via the Qreveal oracle) the threat of corrupted tracing agents. In the following, we will stick to that model. In applications where anonymity should be preserved when opening queries are allowed, it is not hard to modify our scheme (using the technique of [28]) to obtain anonymity in the CCA2 sense. 2.3

Groth-Sahai Commitments

In the following, for equal-dimension vectors or matrices A and B containing group elements, A ⊙ B stands for their component-wise product. When based on the DLIN assumption, the Groth-Sahai proof systems [31] − − → g2 , → g3 ∈ G3 where, for use a common reference string comprising vectors − g1 , → − → − → some elements g1 , g2 ∈ G, g1 = (g1 , 1, g), g2 = (1, g2 , g). To commit to a group − → $ → → → element X ∈ G, one sets C = (1, 1, X) ⊙ − g1 r ⊙ − g2 s ⊙ − g3 t with r, s, t ← Z∗p . − → When the proof system is chosen to provide perfectly sound proofs, g3 is chosen $ → → → g2 ξ2 with ξ1 , ξ2 ← Z∗p . Commitments are then Boneh-Boyeng1 ξ1 ⊙ − as − g3 = − − → Shacham (BBS) encryptions since C = (g1r+ξ1 t , g2s+ξ2 t , X · g r+s+t(ξ1 +ξ2 ) ) and decryption is possible using α1 = logg (g1 ), α2 = logg (g2 ). In the WI setting, − → − → → → g ,− g ,− g are linearly independent and C is a perfectly hiding commitment. 1

2

3

Under the DLIN assumption, the two reference strings are indistinguishable. → → − To commit to exponents x ∈ Zp , one uses vectors − ϕ,− g1 , → g2 and computes − → − − → − → − → → − → − → x r s C = ϕ ⊙ g1 ⊙ g2 . In the soundness setting ϕ , g1 , g2 are linearly independent → → → g2 ξ2 gives a perfectly vectors whereas, in the WI setting, choosing − ϕ =− g1 ξ1 ⊙ − − → hiding commitment as C is a BBS encryption of 1G regardless of the value x. To give evidence that committed variables satisfy a set of relations, the idea is to start from the relations themselves and replace variables by commitments.

194

B. Libert and M. Yung

The prover then generates a proof (consisting of a set of group elements) for each relation. The whole proof consists of one commitment per variable and one proof for each relation.

3

Construction

Intuition. The group manager has a public key comprising (Ω = g ω , h0 , h1 , h2 ) and uses ω ∈ Z∗p to generate membership certificates. These consist of 5 elements (K1 , K2 , K3 , K4 , y) and are reminiscent of users’ private keys in [17]. Namely, K1 is derived as K1 = (h0 · hx1 · hy2 )1/(ω+sID ) , where sID is chosen by GM and identifies the user U while x is only known to U as his membership secret. The last element y is chosen by GM as part the tracing trapdoor for U. The certificate also contains K3 = g sID and K4 = us0ID as in [17]. Security proofs also require to include K2 = g 1/(ω+sID ) (so that, as in [15], ω and sID simultaneously appear more than once as denominators in the exponent). To ensure traceability, each signature must contain “traceability values” that make it possible to link the signature to its issuer using the appropriate trapdoor. One of the technical points to address is to get these traceability values to interact with Groth-Sahai proof systems in a simple manner. Indeed, at some step of the proof of anonymity, knowledge of the underlying values will have to be simulated in a zero-knowledge way (i.e., without knowing the actual witnesses). Previously used approaches using pairings (e.g., [20]) would require the traceability components to satisfy some pairing-product equation [31], for which zero-knowledge proofs usually come at some additional cost. As such traceability values, we rather let the signer include pieces of a linear tuple (T1 , T2 , T3 ) = (g xδ1 , g yδ2 , g δ1 +δ2 ) – which is a set of multi-exponentiation equations in the Groth-Sahai terminology – in each signature in such a way that the tracing trapdoor (X = g x , y) allows testing whether a signature stems from 1/y user U by checking if e(T1 , g) = e(X, T3 /T2 ). Thanks to the use of multiexponentiation equations, knowledge of the underlying δ1 , δ2 will be simulatable (in the WI setting) in a simple way in the proof of anonymity, which eventually relies on the sole Decision Linear assumption. In traceability concerns, attention must be paid to the fact that users may be tempted to alter their certificate and modify X, y so as to defeat tracing attempts. Therefore, we require each signature to include (commitments to) quantities hx1 · hy2 and hx3 · hy4 , for some group elements h3 and h4 , which renders certificate randomizations infeasible (as established by the proof against Type III forgeries in the security analysis against misidentification attacks). Signers are able to claim their signatures by proving knowledge of x, y such 1/y 1/x that T3 = T1 · T2 . Such proofs are also non-interactive and use an independent common reference string that must be generated by a trusted party (and not by the group manager as the latter could claim honest users’ signatures if it were allowed to generate this reference string itself) . In [17], group members sign messages by choosing r at random and computing pairs (θ1 , θ2 ) = (us0ID · G(m)r , g r ) using Waters’ technique [37] and a

Efficient Traceable Signatures in the Standard Model

195

suitable hash function G. In non-frameability concerns, we force signers to also use their membership secret x and generate such pairs (θ1 , θ2 ) somewhat in the fashion of the Waters-based multi-signature of Lu et al. [34]. Instead of signing m as (θ1 , θ2 ) = (us0ID · ux1 · G(m)r , g r ), we need to generate such pairs as 1 (θ1 , θ2 ) = (us0ID · uxδ · G(m)r , g r ) for the proof of non-frameability to work. Of 1 course, u1 and the set of group elements that implement the number theoretic hash function G(.) are assumed to come from a trusted key generation procedure. In particular, the discrete logarithm logg (u1 ) must be held back from the group manager as, otherwise, a dishonest GM could frame honest users. To ensure non-repudiation, we also assume that users have a public key upk registered in some PKI and use the private key usk to sign (using a regular signature scheme) parts (X, K1 , K2 , K3 , y) of their membership certificate. This actually follows [9] that explicitly requires such a PKI to implement the usually assumed private authenticated channels in group signatures. Description. In notations hereafter, it is convenient to define the coordinate− → 3 3 wise  pairing  E : G × G → GT such that, for any h ∈ G and g = (g1 , g2 , g3 ), − → E h, g = e(h, g1 ), e(h, g2 ), e(h, g3 ) . We also use a symmetric bilinear map − → F : G3 × G3 → GT such that, for any vectors X = (X1 , X2 , X3 ) ∈ G3 and − → − → − → − → − → − → − → Y = (Y1 , Y2 , Y3 ) ∈ G3 , F ( X , Y ) = F˜ ( X , Y )1/2 · F˜ ( Y , X )1/2 , where the non− → − → commutative mapping F˜ : G3 × G3 → G9T sends ( X , Y ) onto the matrix − → − → F˜ ( X , Y ) of entry-wise pairings (i.e., containing e(Xi , Yj ) in its entry (i, j)). Also, for any z ∈ GT , ιT (z) denotes the 3 × 3 matrix containing z in position (3, 3) and 1 everywhere else. For X ∈ G, the notation ι(X) will sometimes denote the vector (1, 1, X) ∈ G3 . Setup(λ, n): for security parameters λ and n ∈ poly(λ), choose bilinear groups $ $ (G, GT ) of order p > 2λ , with g, h0 , h2 , h3 , h4 , u0 , u1 ← G. Select γ1 , ω ← Z∗p $ and set h1 = g γ1 , Ω = g ω . Select v = (v0 , v1 , . . . , vn ) ← Gn+1 . Choose − → − → − → → − → 3 − vectors g = ( g1 , g2 , g3 ) such that g1 = (g1 , 1, g) ∈ G , g2 = (1, g2 , g) ∈ G3 , $ $ → → → g2 ξ2 , with g1 = g α1 , g2 = g α2 and α1 , α2 ← Z∗p , ξ1 , ξ2 ← Zp . and − g3 = − g1 ξ1 ⊙ − → − → − → − → − → − → − It also chooses f = ( f , f1 , f2 ) so that f , f1 , f2 are linearly independent. The algorithm also specifies a hash function H : {0, 1}∗ → {0, 1}n from a collision-resistant family. The group public key is defined to be   Y := g, h0 , h1 = g γ1 , h2 , h3 , h4 , Ω = g ω , u0 , u1 , v, g, f , H   while the private key S := γ1 , ω, α1 , α2 is given to the group manager.

Join(GM,Ui ): the prospective group member Ui and the group manager GM run an interactive protocol whereby the user obtains a membership certificate certi and a membership secret seci . The protocol is the following: 1. User Ui and the GM execute an interactive protocol (such as Groth’s protocol [28, Section 4.1] recalled in appendix A) allowing them to jointly generate X = g x so that x ∈ Zp is randomly distributed and known only to the user while GM learns the corresponding public value X.

196

B. Libert and M. Yung

2. GM computes hx1 = X γ1 and uses it to compute K1 = (h0 ·hx1 ·hy2 )1/(ω+sID ) , K2 = g 1/(ω+sID ) , K3 = g sID and K4 = us0ID , for newly chosen random val$ ues sID , y ← Z∗p . Elements K1 , K2 , K3 and y are sent to the user. 3. Ui checks that received elements (K1 , K2 , K3 , y) satisfy e(K1 , Ω · K3 ) = e(h0 , g) · e(h1 , X) · e(h2 , g)y , e(K2 , Ω · K3 ) = e(g, g).   If so, he generates a signature sigi = Signusk[i] X||K1 ||K2 ||K3 ||g y and sends it back to GM.   4. If Verifyupk[i] X||K1 ||K2 ||K3 ||g y , sigi = 1, GM sends K4 = us0ID to Ui and stores the record transcripti := (X, K1 , K2 , K3 , K4 , y, sigi ) in its database transcripts. User Ui checks that e(K3 , u0 ) = e(g, K4 ). If so, he sets his membership certificate is certi := (K1 , K2 , K3 , K4 , y) and his membership secret as seci := x. Sign(M, Y, certi , seci ): to sign M , user Ui parses certi as (K1 , K2 , K3 , K4 , y) and seci as x ∈ Z∗p and conducts the following steps. $ 1. Choose δ1 , δ2 ← Z∗p and compute the traceability values T1 = g xδ1 T3 = g δ1 +δ2 T2 = g yδ2 n m 2. Set G(m) = v0 · j=1 vj j with m = m1 . . . mn = H(M ||T1 ||T2 ||T3 ). $ 3. Pick rs ← Z∗p and compute θ1 θ2 θ3 θ4

= K1 = (h0 · hx1 · hy2 )1/(ω+sID ) = K2 = g 1/(ω+sID ) = K3 = g sID 1 = K4 · uxδ · G(m)rs 1 sID xδ1 = u0 · u1 · G(m)rs

θ5 θ6 θ7 θ8 θ9

= g rs = hx1 · hy2 = hx3 · hy4 = gx = gy

so that e(θ1 , Ω · θ3 ) = e(h0 , g) · e(θ6 , g) e(θ2 , Ω · θ3 ) = e(g, g)

(1) (2)

e(θ4 , g) = e(u0 , θ3 ) · e(u1 , T1 ) · e(G(m), θ5 ). e(θ6 , g) = e(h1 , θ8 ) · e(h2 , θ9 )

(3) (4)

e(θ7 , g) = e(h3 , θ8 ) · e(h4 , θ9 )

(5)

4. Commit to variables θi , for i = 1, . . . , 9. That is, for i = 1, . . . , 9, choose $ → → → → g3 ti . Then, commit to δ1 , δ2 g2 si ·− σi = (1, 1, θi )·− g1 ri ·− ri , si , ti ← Z∗p and set − $ → → − →δ1 · − ∗ g2 s10 , g1 r10 · − σ→ by choosing r10 , s10 , r11 , s11 ← Zp and setting − 10 = ϕ − → − → → → − → − → s11 r11 − δ2 − σ11 = ϕ · g1 · g2 , where ϕ = g3 ⊙ (1, 1, g). 5. Give proofs that committed variables θ1 , . . . , θ9 satisfy (1)-(5) and that − −→ σ→ 10 , σ11 are commitment to values δ1 , δ2 satisfying T1 = θ8δ1

T2 = θ9δ2

T3 = g δ1 +δ2

(6)

Efficient Traceable Signatures in the Standard Model

197

a. Relations (1)-(2) are quadratic pairing-product equations (in the terminology of [31]) over variables θ1 , θ2 , θ3 , θ6 . Each relation requires a proof consisting of 9 group elements. Let us call these proofs → − − → → → π 1,1 , → π 1,2 , → π 1,3 ), π2 = (− π 2,1 , − π 2,2 , − π 2,3 ). Relations (6) are π1 = (− multi-exponentiation equations. The first two ones are quadratic and → − − → → → proofs π6 = (− π 6,1 , → π 6,2 , → π 6,3 ) and π7 = (− π 7,1 , − π 7,2 , − π 7,3 ) both 3 consist of 3 vectors of G . The third relation of (6) is a linear multiexponentiation equation and the proof π8 = (π8,1 , π8,2 ) is just 2 group elements. b. Relations (3)-(5) are linear pairing-product equations over variables θ3 , . . . , θ9 . Corresponding proofs cost 3 group elements each and π3 , π4 , π5 are all vectors of G3 . For clarity, we abstract away the construction of these proofs from the present description and refer to [31] for details. →, . . . , − σ σ→, π , . . . , π ). The signature finally consists of σ = (T , T , T , − 1

2

3

1

11

1

8

→, . . . , − Verify(M, σ, Y): parse the signature σ as (T1 , T2 , T3 , − σ σ→ . . , π8 ). Set 1 11 , π1 , . m n m = m1 . . . mn = H(M ||T1 ||T2 ||T3 ) and compute G(m) = v0 · j=1 vj j . Verifying π1 , . . . , π8 entails to check whether the following equations (some → → of which bear resemblance with relations (1)-(5)), where − ϕ =− g3 ⊙ (1, 1, g), are all satisfied. The verifier returns 1 if they are and 0 otherwise. → →, ι(g) → = ι e(h , g) ⊙ F − σ 1) F − σ1 , ι(Ω) ⊙ − σ 0 6 T 3 −   → −  → − → − → g3 , → g2 , → π 1,3 π 1,2 ⊙ F − ⊙F g1 , π 1,1 ⊙ F − →  → →  → → = ι e(g, g) ⊙ F − → → → σ2 , ι(Ω) · − 2) F − g1 , − g2 , − σ π 2,1 ⊙ F − π 2,2 ) ⊙ F (− g3 , − π 2,3 3 T     →  → → σ σ3 ⊙ E u1 , ι(T1 ) ⊙ E G(m), − 3) E g, − σ4 = E u0 , − 5       → − → − → g3 ⊙E π3,1 , g1 ⊙ E π3,2 , g2 ⊙ E π3,3 , −  →  →  → σ9 σ8 ⊙ E h2 , − 4) E g, − σ6 = E h1 , −       → → − → ⊙E π4,1 , g1 ⊙ E π4,2 , − g3 g2 ⊙ E π4,3 , −  →  →  → 5) E g, − σ7 = E h3 , − σ8 ⊙ E h4 , − σ9       − → → → ⊙E π5,1 , g1 ⊙ E π5,2 , − g2 ⊙ E π5,3 , − g3 → −→   → −  → −   → − → 6) F − σ8 , σ10 = F ι(T1 ), − g3 , → π 6,3 g2 , → π 6,2 ⊙ F − g1 , → π 6,1 ⊙ F − ϕ ⊙F −   → −  → −   → − → −→ → g3 , → g2 , → π 7,3 π 7,2 ⊙ F − ϕ ⊙F − g1 , → π 7,1 ⊙ F − 7) F − σ9 , σ11 = F ι(T2 ), −  → −→     → → → 8) E g, − σ ⊙σ g = E(T , − ϕ)⊙ E π ,− g ⊙ E π ,− 10

11

3

8,1

1

8,2

2

→, . . . , − Open(σ, Y, S): parse σ as (T1 , T2 , T3 , − σ σ→ 1 11 , π1 , . . . , π8 ) and the private key → σi as (σi,1 , σi,2 , σi,3 ) ∈ G3 and S as {γ1 , ω, α1 , α2 }. For i = 3, 8, 9 parse, − −1/α2 −1/α1 . Check whether transcripts contains · σi,2 compute θi = σi,3 · σi,1 a record transcripti = (X, K1 , K2 , K3 , K4 , y, sigi ) such that θ3 = K3 , θ8 = X and θ9 = g y . If yes, return i as the signer’s index. Otherwise, return ⊥. Reveal(i, transcripts): to reveal the tracing trapdoor for user Ui , scan transcripts to find transcripti = (X, K1 , K2 , K3 , K4 , y, sigi ) and output tracei := (X, y).

198

B. Libert and M. Yung

→, . . . , − Trace(σ, tracei , Y): parse σ as (T1 , T2 , T3 , − σ σ→ 1 11 , π1 , . . . , π8 ) and tracei as 1/y ∗ (X, y) ∈ G × Zp . Return 1 if e(T3 /T2 , X) = e(g, T1 ) and 0 otherwise. →, . . . , − Claim(M, σ, sec , Y): given σ = (T , T , T , − σ σ→, π , . . . , π ), sec = x and i

1

2

3

1

11

1

8

1/x

i

1/y

part y of certi , prove knowledge of x, y such that T3 = T1 · T2 using the − → → − → − → − reference string f . That is, generate commitments C1 = f 1/x ⊙ f1 r1 ⊙ f2 s1 , − → → − → − → − $ C2 = f 1/y ⊙ f1 r2 ⊙ f2 s2 , with r1 , s1 , r2 , s2 ← Z∗p , and proofs τ1 = T1r1 · T2r2

τ2 = T1s1 · T2s2

− → − → The claim is τ := (C1 , C2 , τ1 , τ2 ). →, . . . , − σ σ→ Claim-Verify(M, σ, τ, Y): given σ = (T1 , T2 , T3 , − 1 11 , π1 , . . . , π8 ), to verify  − → − → τ = C1 , C2 , τ1 , τ2 , return 1 iff  −  −  −  −  → → → − → → E T1 , C1 ⊙ E T2 , C2 = E T3 , f ⊙ E τ1 , f1 ⊙ E τ2 , f2 . Comments. The opening algorithm performs BBS decryptions on ciphertexts − →, − → − → − → σ 3 σ8 and σ9 . Theoretically, decrypting only σ3 could suffice (since sID must be → simpli→ and − σ unique in the database transcripts). However, also decrypting − σ 8 9 fies the proofs of security against misidentification attacks and framing attacks. In the former for instance, a failure of the implicit tracing mechanism implies a failure of the opening algorithm and reduces the number of cases to consider. We note that the claiming system does not prevent eavesdroppers from copying claims in an attempt to be recognized as the author of a signature. The model assumes that the claimed message is transferred either (1) when the receiver is trusted, or (2) the claim is done on a public board so that the commitment to the signature is public and recorded. If no such board is available and we are worried about the receiver of the claim abusing it, the signer can still claim signatures using non-transferable interactive zero-knowledge proofs of knowledge of x, y. Efficiency. From an efficiency point of view, each signature consists of 83 group elements. Using a symmetric pairing configuration with 256-bit prime order groups, we obtain signatures of 2.593 kB. Signing requires a few tens of exponentiations. While a number of pairing evaluations seem necessary to verify at first glance, probabilistic batch verification techniques allow for dramatic improvements (at the expense of a small probability of wrongly accepting an invalid signature) w.r.t. naive implementations where each pairing is calculated individually. When suitably processed altogether, verification equations 3-5 and 8 require to compute a product of no more than 9 pairings and a few multi-exponentiations. Verification equations 1-2 and 6-7 can be handled by first translating them into a randomized product of several bilinear maps of the type F (·, ·). The structure of matrices F (·, ·) then makes it possible the decrease the overall verification cost of conditions 1-2 and 6-7 to the equivalent of a product of 15 pairings and some multi-exponentiations.

Efficient Traceable Signatures in the Standard Model

199

Security. We establish the security of the scheme in the standard model under the assumptions of section 2.1. Due to space limitations, we only detail part of the proof of security against misidentification attacks in this version and defer other proofs to the full version of the paper. Theorem 1. The scheme satisfies misidentification security, non-frameability and anonymity if the HSDH, mTDH and DLIN assumptions all hold in G.

Acknowledgements We thank the anonymous referees for their comments.

References 1. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007) 2. An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002) 3. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385 (2005) 4. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000) 5. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable Proofs and Delegatable Anonymous Credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009) 6. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008) 7. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003) 8. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: 1st ACM Conference on Computer and Communications Security (ACM CCS 1993), pp. 62–73. ACM Press, New York (1993) 9. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: The case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005) 10. Benjumea, V., Choi, S.G., Lopez, J., Yung, M.: Fair traceable multi-group signatures. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 231–246. Springer, Heidelberg (2008) 11. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)

200

B. Libert and M. Yung

12. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004) 13. Boneh, D., Goh, E.-J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 325–341. Springer, Heidelberg (2005) 14. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM Conference on Computer and Communications Security (ACM CCS 2004), pp. 168–177. ACM Press, New York (2004) 15. Boyen, X., Delerabl´ee, C.: Expressive subgroup signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 185–200. Springer, Heidelberg (2008) 16. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006) 17. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007) 18. Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM 51(4), 557–594 (2004) 19. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991) 20. Choi, S.G., Park, K., Yung, M.: Short traceable signatures based on bilinear pairings. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S.-i. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 88–103. Springer, Heidelberg (2006) 21. Damg˚ ard, I.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992) 22. Delerabl´ee, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyˆen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006) 23. Dent, A.: The hardness of the DHK problem in the generic group model. Cryptology ePrint Archive: Report 2006/156 (2006) 24. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1986) 25. Furukawa, J., Imai, H.: An efficient group signature scheme from bilinear maps. In: Boyd, C., Gonz´ alez Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 455–467. Springer, Heidelberg (2005) 26. Ge, H., Tate, S.-R.: Traceable signature: better efficiency and beyond. In: Gavrilova, M.L., Gervasi, O., Kumar, V., Tan, C.J.K., Taniar, D., Lagan´a, A., Mun, Y., Choo, H. (eds.) ICCSA 2006. LNCS, vol. 3982, pp. 327–337. Springer, Heidelberg (2006) 27. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006) 28. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007) 29. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)

Efficient Traceable Signatures in the Standard Model

201

30. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 339–358. Springer, Heidelberg (2006) 31. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) 32. Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004) 33. Kiayias, A., Yung, M.: Efficient secure group signatures with dynamic joins and keeping anonymity against group managers. In: Dawson, E., Vaudenay, S. (eds.) Mycrypt 2005. LNCS, vol. 3715, pp. 151–170. Springer, Heidelberg (2005) 34. Lu, S., Ostrovsky, R., Sahai, A., Shacham, H., Waters, B.: Sequential aggregate signatures and multisignatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 465–485. Springer, Heidelberg (2006) 35. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003) 36. Nguyen, L., Safavi-Naini, R.: Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 372–386. Springer, Heidelberg (2004) 37. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)

A

Groth’s Key Generation Protocol

In [28], Groth described the following 5-move protocol that allows a prospective group member U and a group manager GM to jointly generate X = g x ∈ G in such a way that only the user knows x ∈ Z∗p and the latter is further guaranteed to be uniformly distributed. The user U first generates g a . Both parties run a coin-flipping protocol to generate a random value b + c, that also serves as a challenge when U proves knowledge of a, and the common output finally consists of X = g a+b+c , whereas only U happens to know x = a + b + c. U picks a, r ← Zp , η ← Z∗p and sends A = g a , R = g r , h = g η to GM. $ GM picks b, s ← Zp and sends a commitment B = g b · hs to U. $ U sends c ← Zp to GM. GM opens the commitment B and sends the values b, s back to U. U checks that B = g b · hs . If so, U sends z = (b + c)a + r mod p and η to GM and outputs x = a + b + c. 6. GM finally checks that η ∈ Z∗p , h = g η and Ab+c · R = g z . If so, GM outputs X = A · g b+c . 1. 2. 3. 4. 5.

$

$

Under the discrete logarithm assumption in G, this protocol has black-box simulators that can emulate the view of a malicious user or a malicious group manager. In the former case, the simulator has rewind access to the malicious user and can force his private output to be a given value x ∈ Zp . In the latter case, the view of the malicious issuer can be simulated to get his output to be a given X ∈ G. Moreover, the simulator does not need to know x = logg (X).

202

B

B. Libert and M. Yung

Proofs of Security

Due to space limitations, we only partially outline the proof of security against misidentification attacks. As for anonymity and security against framing attacks, proofs will be available in the full version. Theorem 2 (Misidentification). The scheme is secure against misidentification attacks assuming that the ℓ-HSDH problem, where ℓ is the total number of Qa-join and Qp-join -queries, and the 1-mTDH problem are both hard in G. Proof. To win the misidentification game, the adversary must output a nontrivial signature for which the opening algorithm or the implicit tracing algorithm fail to point to an adversarially-controlled group member. →⋆ , . . . , − ⋆ ⋆ ⋆ σ→ Let σ ⋆ = (T1⋆ , T2⋆ , T3⋆ , − σ 11 , π1 , . . . , π8 ) denote the adversary’s forgery 1 ⋆ and let us first assume that Open(σ , Y, S) ∈ U a . We distinguish three cases: →⋆ - Type I forgeries are those for which the BBS decryption θ⋆ = g sID of − σ 3

3

does not appear anywhere in transcripts. We distinguish Type I-A forgeries, where the underlying θ3⋆ = g sID never appears at any time during the game, from Type I-B forgeries for which θ3⋆ does not correspond to any record of transcripts but did appear (implicitly, as part of K3 ) in a join protocol (triggered by a Qa-join query) that aborted before reaching its last step. →⋆ decrypts to a value θ⋆ = g sID that was - Type II forgeries are such that − σ 3 3 assigned to some honest user i ∈ U p (initialized via a Qp-join -query). Such forgeries thus include those for which the opening algorithm points to some user i ∈ U p that did not sign the associated message. →⋆ decrypts to the θ⋆ -value of - Type III forgeries open in such a way that − σ 3 3 →⋆ , − →⋆ an adversarially-controlled user in transcripts but (− σ 8 σ9 ) does not. These forgeries include those that would defeat the implicit tracing algorithm. Lemmas 1, 2 and 3 show that, if the adversary could produce either of such forgeries, it would be possible to break the HSDH or the 1-mTDH assumption. Finally, one can readily check that an adversary cannot come up with a fake signature defeating the implicit tracing algorithm without being one of the above kinds of forgeries. Indeed, let σ ⋆ be such a forgery and let us consider the decryp→⋆ . If it differs from any K appearing in transcripts, σ ⋆ is actually a tion θ3⋆ of − σ 3 3 Type I forgery. If θ3⋆ matches K3 in transcripti for some i ∈ U p , we have a Type II forgery. We are left with the case where θ3⋆ matches K3 in transcripti for some i ∈ U a . Here, a failure of the implicit tracing necessarily means that A, acting as a cheating group member, was able to twist her membership certificate so as to keep the same sID and alter the membership secret x or the “traceability component” y. We thus have a Type III forgery. ⊓ ⊔ Lemma 1. The advantage of any Type I forger A is bounded by mis-id-I (λ) ≤ 2 · ℓa · Adv(ℓa +ℓp )-HSDH (λ) AdvA

where ℓa and ℓp denote the number of Qa-join and Qp-join -queries respectively. Proof. Given in the full version of the paper.

⊓ ⊔

Efficient Traceable Signatures in the Standard Model

203

Lemma 2. The scheme is secure against Type II forgeries under the HDSH assumption. The advantage of any Type II adversary A is at most  ℓa −1 · Advℓa -HSDH (λ) (λ, n) ≤ 4 · n · ℓs · 1 − Advmis-id-II A p where ℓa and ℓs stand for the number of Qa-join and Qsig -queries. Proof. Detailed in the full version of the paper.

⊓ ⊔

Lemma 3. The advantage of any Type III adversary A is bounded by  1 −1 mis-id-III AdvA · Adv1-mTDH (λ) (λ, n) ≤ ℓa · 1 − p where ℓa is the number of Qa-join -queries. →⋆ to a value Proof. In a Type III forgery σ ⋆ , the opening algorithm decrypts − σ 3 ⋆ −1/α2 ⋆ ⋆ ⋆ −1/α1 that equals some K3 appearing in the transcript · σ3,2 θ3 = σ3,3 · σ3,1 →⋆ →⋆ , − of a user in U a whereas the BBS decryption of (− σ 8 σ9 ) does not match the values (X, y) that were assigned to that user. The simulator B receives a modified 1-Triple Diffie-Hellman instance consisting of (g, A = g a , B = g b ) ∈ G3 and a single pair (C = g 1/(a+c) , c) ∈ G × Z∗p . To $ prepare the public key Y, it picks ω, ρu,0 , ρu,1 , β0 , . . . , βn ← Z∗p . It sets Ω = g ω , vi = g βi , for i = 0, . . . , n, and ui = g ρu,i for i = 0, 1. Then, it draws new random $ values ρ, γ0 , γ1 , γ2 , γ3 , γ4 , x⋆ , y ⋆ ← Z∗p and defines h1 = g ρ · B γ1 , h2 = g ρ · B γ2 , ⋆

⋆

h3 = g γ3 · Aρ , h4 = g γ4 · Aρ and h0 = g γ0 · h−x · h2−y . It finally chooses vector 1 sets g, f to have perfectly sound proof systems. The group public key is   Y := g, {hi }i=0,...,4 , Ω, u0 , u1 , {vi }i=0,...,n , g, f . At the outset of the simulation, B draws an index i⋆ ← {1, . . . , ℓa } and initializes variables ctra , ctra′ , ctrp ← 0. $

- Qa-join -queries: B increments ctra′ and considers the following two cases. - If ctra′ = i⋆ , B acts as the group manager as specified by the protocol (recall that it knows ω and can always properly generate certificates). - If ctra′ = i⋆ , B simulates A’s view in the first step of the join protocol to force A’s membership secret to be x⋆ (so that the public value is ⋆ 1 X = g x ). The simulation implicity defines sIDi⋆ = a+c − ω (and thus 1/(sIDi⋆ + ω) = a + c) by setting ⋆

⋆

1

K1 = (h0 · hx1 · hy2 ) ω+sIDi⋆ = (A · g c )γ0 K2 = g

1 ω+sID ⋆ i

= A · gc

K3 = g sIDi⋆ = C · g −ω sIDi⋆

K4 = u0

= (C · g −ω )ρu,0

204

B. Libert and M. Yung ⋆

⋆

1

K1 = (h0 · hx1 · hy2 ) ω+si⋆ = (A · g c )γ0 1

K2 = g ω+si⋆ = A · g c

K3 = g si⋆ = g 1/(a+c) · g −ω = C · g −ω K4 = u0si⋆ = (C · g −ω )ρu,0

In step 2, B first sends K1 , K2 , K3 , y ⋆ to A and aborts if she fails to send ⋆ back a valid signature on X||K1 ||K2 ||K3 ||g y . If A correctly answers, B hands her K4 , increments ctra and stores a record (N, transcriptsN ), with N = ctra + ctrp in transcripts. - Qp-join -queries and Qsig -queries: to answer Qp-join -queries, B follows the join protocol using the group secret key S := (γ1 , ω, p) and increments ctrp . It can also perfectly answer signing queries on behalf of honest user since it knows their membership certificates and secrets. - QY and Qreveal (i)-queries: can be handled according to the specification of the scheme since B always knows the values requested by A. - Qsig -queries: always involve users in U p and B thus always knows private elements that it needs to answer the query. Eventually, A outputs a message M ⋆ along with a valid traceable signature →⋆ , . . . , − ⋆ ⋆ ⋆ σ→ σ ⋆ = (T1⋆ , T2⋆ , T3⋆ , − σ 11 , π1 , . . . , π8 ) that must be a type III forgery. At 1 − → ⋆ this stage, B fails if the decryption of σ3 differs from the element K3 = C · g −ω that B calculated at the i⋆ th Qa-join -query (as it guessed the wrong i⋆ ). → Otherwise, for all i ∈ {1, . . . , 9}\{3}, it decrypts other − σi ⋆ into θi⋆ . Since the proof system is configured for the perfect soundness setting, it comes that ′

′

1

θ1⋆ = (h0 · hx1 · hy2 ) ω+sIDi⋆  ′ ⋆ a+c (x′ −x⋆ ) · hy2 −y = g γ0 · h 1

θ8⋆ = g x

′

′

θ6⋆ = hx1 · hy2 ′

′

θ7⋆ = hx3 · hy4 θ9⋆ = g y

′

′

for some x′ , y ′ ∈ Z∗p that B does not know. However, if we set ∆x = x′ − x⋆ and ∆y = y ′ − y ⋆ , B can compute   a+c ∆y a+c Z1 = θ1⋆ /K1 = h∆x = g ρ(∆x+∆y) · B γ1 ∆x+γ2 ∆y 1 · h2 ⋆

⋆

∆y γ3 ∆x+γ4 ∆y · Aρ(∆x+∆y) Z2 = θ7⋆ /(hx3 · hy4 ) = h∆x 3 · h4 = g ⋆

Z3 = θ8⋆ /g x = g ∆x ⋆

Z4 = θ9⋆ /g y = g ∆y ⋆

⋆

∆y ρ(∆x+∆y) · B γ1 ∆x+γ2 ∆y Z5 = θ6⋆ /(hx1 · hy2 ) = h∆x 1 · h2 = g

which in turn reveal   Z6 = (A · g c )ρ(∆x+∆y) = Z2 /(Z3γ3 · Z4γ4 ) · (Z3 · Z4 )ρc Z7 = B γ1 ∆x+γ2 ∆y = Z5 · (Z3 · Z4 )ρ

Efficient Traceable Signatures in the Standard Model

205

and finally Z8 = g ab(γ1 ∆x+γ2 ∆y) = B a(γ1 ∆x+γ2 ∆y) = Z1 /(Z6 · Z7c ), so that, if we implicitly set µ = γ1 ∆x + γ2 ∆y, B has eventually found a triple (g µ , g bµ , g abµ ) = (Z3γ1 · Z4γ2 , Z7 , Z8 ). Since γ1 and γ2 are perfectly hidden from A’s view, we have g µ = 1G (i.e., γ1 ∆x + γ2 ∆y = 0 mod p) with overwhelming probability (greater than 1 − 1/p) and the triple is non-trivial. We easily check that, if A is successful, so is B as ⊓ ⊔ long as it correctly guesses i⋆ ∈ {1, . . . , ℓa }.

Strongly Secure Certificateless Key Agreement⋆ Georg Lippold, Colin Boyd, and Juan Gonzalez Nieto Information Security Institute, Queensland University Of Technology, GPO Box 2434, Brisbane QLD 4001, Australia {g.lippold,c.boyd,j.gonzaleznieto}@qut.edu.au

Abstract. We introduce a formal model for certificateless authenticated key exchange (CL-AKE) protocols. Contrary to what might be expected, we show that the natural combination of an ID-based AKE protocol with a public key based AKE protocol cannot provide strong security. We provide the first one-round CL-AKE scheme proven secure in the random oracle model. We introduce two variants of the Diffie-Hellman trapdoor introduced by [4]. The proposed key agreement scheme is secure as long as each party has at least one uncompromised secret. Thus, our scheme is secure even if the key generation centre learns the ephemeral secrets of both parties.

1

Introduction

Certificateless encryption introduced by Al-Riyami and Paterson [1] is a variant of identity based encryption that limits the key escrow capabilities of the key generation centre, which is inherent in identity based encryption [3]. Dent [6] published a survey of more than twenty certificateless encryption schemes that focuses on the different security models and the efficiency of the respective schemes. In certificateless cryptography schemes, there are three secrets per party: – The key issued by the key generation centre (Dent [6] calls it “partial private key”). We assume in the following that this key is ID-based, although it does not necessarily have to be ID-based. – The user generated private key xI D (Dent calls it “secret value”). – The ephemeral value chosen randomly for each session. Key agreement schemes provide an efficient means for two parties to communicate over an adversarial controlled channel. An overview of almost twenty identity based key agreement protocols has been compiled by Chen, Cheng and Smart [5]; they also provide security proofs for two of the surveyed protocols. Many ID-based schemes guarantee full privacy for both parties as long as the key generation centre (KGC) does not learn any of the ephemeral secrets used in computing the session key. But as Krawczyk [10] points out, the leakage of ⋆

Research funded by the Australian Research Council through Discovery Project DP0773348.

H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 206–230, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Strongly Secure Certificateless Key Agreement

207

ephemeral keys should not be neglected as they are usually precomputed and not stored in secure memory. In the context of identity based key agreement protocols, this means that as soon as the ephemeral key of either party leaks, a malicious KGC is able to compute the session key. A n overview of current certificateless key agreement schemes has been compiled by Swanson [18]. Certificateless key agreement schemes attempt to provide full privacy even if the ephemeral secrets of the parties leak to the key generation centre or if the key generation centre actively interferes with the messages that are exchanged (e.g. does a man-in-the-middle attack). The first certificateless key agreement scheme was published by Al-Riyami and Paterson [1] as a side note to their certificateless encryption scheme. However, they provided neither a security model for certificateless key agreement schemes nor a proof of security for the scheme. Other certificateless key agreement schemes were published by Mandt and Tan [16] and improved by Xia et al. [21], Wang, Cao and Wang [20], and Shao Zu-hua [24], but the respective authors gave only heuristic arguments as to why their schemes would be secure. Swanson [18] analysed these certificateless schemes and showed generic attacks that break the notions of security claimed by the respective authors. Swanson also posed three open questions in the last chapter of her thesis that we will answer in this paper. By combining an ID-based scheme with a public key based scheme, certificateless encryption [22], [14], certificateless signatures [23], and certificateless key encapsulation mechanisms [2] can be readily constructed from existing protocols. Contrary to what would be expected, we show that a certificateless key agreement protocol cannot be securely constructed by a natural combination of an ID-based key agreement protocol with a public key based key agreement protocol. The security model is an extension of Swanson’s [18] modified version of the extended Canetti and Krawczyk model presented in [12] for certificateless key agreement. In this paper, we strengthen the model further (thus giving more power to the adversary) and provide the first formal proof for a strongly secure certificateless key agreement scheme in the random oracle model. Moreover, the protocol we propose is a one round protocol that withstands all of Swanson’s attacks, although the messages exchanged in our protocol are exactly the same messages as in Mandt and Tan’s protocol [16]. To withstand the attacks we use a modified version of the technique presented by Xia et al. [21]. We prove that our certificateless key agreement protocol is secure even if the key generation centre actively tries to break the scheme: it may either reveal ephemeral secrets or reveal secret values / replace public keys but not both. In fact, we show that as long as each party still has at least one uncompromised secret, our scheme is still secure in the random oracle model assuming that the computational Diffie-Hellman assumption and the computational bilinear Diffie-Hellman assumption hold. Our proofs are in the strongest security model available for certificateless schemes, i.e. it corresponds to Dent’s [6] Strong Type I and Strong Type II security where the adversary is allowed to replace certificateless public keys and the challenger still has to answer all oracle queries.

208

G. Lippold, C. Boyd, and J. Gonzalez Nieto

The main contributions of this paper are: – Strongest formal model for secure authenticated certificateless key exchange protocols today. We provide the equivalent of a strong decryption oracle [6] for reveal queries. – An analysis of why certificateless key establishment schemes (CL-AKE) cannot be readily composed by combining an ID-based authenticated key establishment (ID-AKE) scheme with a public key authenticated key establishment (PK-AKE) scheme in our security model. – First one-round protocol for certificateless key agreement with a security proof in the random oracle model that fulfills all notions of security of our model and withstands recent attacks on certificateless key agreement protocols. The organization of the paper is as follows: we introduce the security model in Section 2 and relate it to existing notions of security for key agreement schemes and certificateless encryption. We also show why a generic composition of ID-AKE with PK-AKE does not have sufficient security guarantees in our model. A description of the scheme is given in Section 3. Section 5 discusses the security proof of the new protocol. We conclude our paper by answering some open questions in Section 6.

2

Security Model for Certificateless Key Agreement Schemes

The following security properties are commonly required of key establishment protocols in general. Resistance to basic impersonation attacks. An adversary who does not know the private key of party A should not be able to impersonate A. Resistance to Unknown Key-Share (UKS) attacks. An adversary M interferes with two honest parties A and B such that both parties accept the session and compute the same key. However, while A thinks that the key is shared with B, B is convinced that the key is shared with M. Known key security. Each run of a key agreement protocol between two parties A and B should produce a unique session key. A protocol should not become insecure if the adversary has learned some of the session keys [13]. Weak Perfect Forward Secrecy (wPFS). A key-exchange protocol provides weak PFS (wPFS) if an attacker M cannot distinguish from random a key of any session for which the session and its matching session are clean1 even if M has learned the private keys of both peers to the session [10, Definition 22]. Resistance to Key-Compromise Impersonation (KCI) attacks. We say that a KE-attacker M that has learned the private key of party Aˆ succeeds in a Key-compromise impersonation (KCI) attack against Aˆ if M 1

Roughly speaking clean is the same as fresh in Definition 1.

Strongly Secure Certificateless Key Agreement

209

is able to distinguish from random the session key of a complete session at Aˆ for which the session peer is uncorrupted and the session and its matching session (if it exists) are clean [10, Definition 20]. Resistance to disclosure of ephemeral secrets. The protocol should be resistant to the disclosure of ephemeral secrets. The disclosure of an ephemeral secret should not compromise the security of sessions where the ephemeral secret was not used. ID-based protocols usually require the following property in addition to these properties: KGC forward secrecy. The key generation centre (KGC) should be unable to compute the session key knowing all publicly available information. For certificateless protocols, we will additionally require the following property. Mandt & Tan [16] call this property “Resistance to known session-specific temporary information”, but they provide only an informal definition. It is not possible to provide this property in an ID-based key agreement scheme since a KGC who knows the ephemeral secrets has all inputs to the session key. Resistance to leakage of ephemeral secrets to the KGC. If a malicious KGC learns the ephemeral secrets of any session, the KGC should not be able to compute the session key. 2.1

Formal Definition of the Security Model

We present a strengthened version of Swanson’s [18] model, which in turn is based on LaMacchia, Lauter & Mityagin’s [12] extended Canetti-Krawczyk (eCK) model. We discuss the changes to the respective models in Section 2.2. Let U = {U1 , . . . Un } be a set of parties. The protocol may be run between any two of these parties. For each party there exists an identity based public key that can be derived from its identifier. There is a key generation centre that issues identity based private keys to the parties through a secure channel. Additionally, the parties generate their own secret values and certificateless public keys. The adversary is in control of the network over which protocol messages are exchanged. Πi,t j represents the tth protocol session which runs at party i with intended partner party j. Additionally, the adversary is allowed to replace certificateless public keys that are used to compute the session key. The adversary does not have to disclose the private key matching the replaced certificateless public key to the respective party. A session Πi,t j enters an accepted state when it computes a session key SKi,t j . Note that a session may terminate without ever entering into an accepted state. The information of whether a session has terminated with acceptance or without acceptance is assumed to be public. The session Πi,t j is assigned a partner ID pid = (IDi , IDj ). The session ID sid of Πi,t j at party i is the transcript of the messages exchanged with party j during the session. Two sessions Πi,t j and Πj,u i are considered matching if they have the same pid (and sid).

210

G. Lippold, C. Boyd, and J. Gonzalez Nieto

The game runs in two phases. During the first phase of the game, the adversary M is allowed to issue the following queries in any order: Send(Πi,t j , x): If the session Πi,t j does not exist, it will be created as initiator at party i if x = λ, or as a responder at party j otherwise. If the participating parties have not been initiated before, the respective private and public keys are created. Upon receiving the message x, the protocol is executed. After party i has sent and received the last set of messages specified by the protocol, it outputs a decision indicating accepting or rejecting the session. In the case of one-round protocols, party i behaves as follows: x = λ: Party i generates an ephemeral value and responds with an outgoing message only. x = λ: If party i is a responder, it generates an ephemeral value for the session and responds with an outgoing message m and a decision indicating acceptance or rejection of the session. If party i as an initiator, it responds with a decision indicating accepting or rejecting the session. In this work, we require i = j, i.e. a party will not run a session with itself. Reveal master key: The adversary is given access to the master secret key. Session key reveal(Πi,t j ): If the session has not accepted, it returns ⊥, otherwise it reveals the accepted session key. Reveal ID-based secret(i): Party i responds with its ID-based private key, e.g. sH1 (IDi ). Reveal secret value(i): Party i responds with its secret value xi that corresponds to its certificateless public key. If i has been asked the replace public key query before, it responds with ⊥. Replace public key(i, pk): Party i’s certificateless public key is replaced with pk chosen by the adversary. Party i will use the new public key for all communication and computation. Reveal ephemeral key(Πi,t j ): Party i responds with the ephemeral secret used in session Πi,t j . We can group the key reveal queries into three types: the reveal master key and reveal ID-based secret queries try to undermine the security of the ID-based part of the scheme, the reveal secret value and replace public key queries try to undermine the security of the public key based part of the scheme, and the reveal ephemeral key query tries to undermine the security of one particular session. We define the state fully corrupt as a session that was asked all three types of reveal queries: the reveal master key or reveal ID-based secret, the reveal secret value or the replace public key, and the reveal ephemeral key query. Once the adversary M decides that the first phase is over, it starts the second phase by choosing a fresh session Πi,t j and issuing a Test(Πi,t j ) query, where the fresh session and test query are defined as follows: Definition 1 (Fresh session). A session Πi,t j is fresh if (1) Πi,t j has accepted; (2) Πi,t j is unopened (not being issued the session key reveal query); (3) the session state at neither party participating in this session is fully corrupted; (4) there is no opened session Πju, i which has a matching conversation to Πi,t j .

Strongly Secure Certificateless Key Agreement

211

Test(Πi,t j ): The input session Πi,t j must be fresh. A bit b ∈ {0, 1} is randomly chosen. If b = 0, the adversary is given the session key, otherwise it randomly samples a session key from the distribution of valid session keys and returns it to the adversary. After the test(Πi,t j ) query has been issued, the adversary can continue querying except that the test session Πi,t j should remain fresh. We emphasize here that partial corruption is allowed as this is a benefit of our security model. Additionally, replace public key queries may be issued to any party after the test session has been completed. At the end of the game, the adversary outputs a guess ˆb for b. If ˆb = b, we say that the adversary wins. The adversary’s advantage in winning the game is defined as    1 Adv M (k) = Pr[M wins] −  2 Definition 2 (Strong Type I secure key agreement scheme). A certificateless key agreement scheme is Strong Type I secure if every probabilistic, polynomial-time adversary M has negligible advantage in winning the game described in Section 2.1 subject to the following constraints:

– M may corrupt at most two out of three types of secrets per party involved in the test session, – M is allowed to replace public keys of any party; however, this counts as the corruption of one secret, – M may not reveal the secret value of any identity for which it has replaced the certificateless public key, – M is allowed to ask session key reveal queries even for session keys computed by identities where M replaced the identity’s public key. – M is allowed to replace public keys of any party after the test query has been issued. Definition 3 (Strong Type II secure key agreement scheme). A certificateless key agreement scheme is Strong Type II secure if every probabilistic, polynomial-time adversary M has negligible advantage in winning the game described in Section 2.1 subject to the following constraints: – M is given the master secret key s at the start of the game, – M may corrupt at most one additional type of secret per party participating in the test query, – M is allowed to replace public keys of any party; however, this counts as the corruption of one secret, – M may not reveal the secret value of any identity for which it has replaced the certificateless public key, – M is allowed to ask session key reveal queries even for session keys computed by identities where he replaced the identity’s public key. – M is allowed to replace public keys of any party after the test query has been issued.

212

2.2

G. Lippold, C. Boyd, and J. Gonzalez Nieto

Relation to Existing Notions of Security

Swanson’s [18] replace public key query is weaker in assuming that the party whose key was replaced continues to make its computations with its original (unreplaced) public key (and its matching private key). Although it seems that Swanson’s model is more “natural” than our model, strong certificateless encryption has been the goal of many papers, a discussion of the benefits and drawbacks can be found in [7]. As it gives more power to the adversary, we think that schemes that are strongly secure are preferable to those in a weaker security model. When checking for a matching conversation, Swanson omits the certificateless public keys from the conversation transcript. This weakens the adversary compared to our model, as the adversary would not be allowed to replace public keys and try to replay the conversation with the replaced keys of the test query after the test query has been issued. With respect to LaMacchia et al. [12], the main difference of our definition is that instead of having only four pieces of secret information, in certificateless protocols there are six: the ID-based secret keys, the user’s secret value, and the ephemeral private keys of both parties. We require a certificateless AKE to be secure as long as each party still holds at least one uncompromised secret. We note that as the challenger has to answer session key reveal queries even for keys where the respective certificateless public keys have been replaced, the adversary has access to the equivalent of a “Strong Decrypt” oracle in certificateless encryption. Strong decryption oracles were first introduced by Al-Riyami and Paterson [1]. Dent [6] defines the Strong Decryption Oracle as follows. Definition 4 (Strong Decryption Oracle). The adversary supplies an identity ID and a ciphertext C, and the challenger responds with the decryption of C under the private key skI D . Note that if the attacker has replaced the public key for ID, then this oracle should return the correct decryption of C using the private key that inverts the public key pkI D currently associated with the identity ID (or ⊥ if no such private key exists). A strong decryption oracle in public key cryptography is able to return the plaintext for a given ciphertext (which does not necessarily mean that the plaintext has been decrypted using the correct key, as with double encryption). We note that in a session key reveal query the correct key for a given session has to be revealed, which is a stronger requirement. The scheme in Section 3 is both Strong Type I and Strong Type II secure with respect to Dent’s definitions. In the security proof in Section 5 and Section 5.4 we do not differentiate between these two types of adversarial behaviour but treat them together. If the adversary was split to be either Strong Type I or Strong Type II, then a Strong Type II adversary would be applicable only for the Strategies 1, 2, 3, and 4 in Section 5.1. Being able to distinguish between Type I and Type II adversaries would thus increase the probability of success for the challenger.

Strongly Secure Certificateless Key Agreement

2.3

213

Why a Natural Composition of CL-AKE from ID-AKE and PK-AKE Is Not Possible in Our Model

In the security model, a session can only be fresh as long as each party still has at least one uncompromised secret. A composition of an ID-AKE with a PK-AKE is depicted in Figure 1. A natural way to achieve such a composition consists of running the two protocols in parallel and deriving the session key of the overall composition as a publicly known function of solely the two component session keys. This composition cannot offer the desired level of security, because no security guarantees exist if party A still has an uncompromised key in the PK-AKE and party B still has an uncompromised key in the ID-AKE (both AKE schemes are broken at this moment). This may explain why no CL-AKE schemes with a proof of security have been published before.

Public Key AKE Party A pkA

ID-based AKE

Party B eph discl

Party A

Certificateless AKE

Party B

Party A

pkB

pkA +

= IDA

K K C CI I

Party B

eph discl

IDB

IDA

wPFS

ephpkB

ephIDA

wPFS

I KC

eph + pk

KCI

ephpkA

pkB

eph + ID discl KC I

IDB

discl KCI

ephIDB

ephpkA , ephIDA

wPFS

ephpkB , ephIDB

The lines indicate what combination of secrets gives resistance against which attack type. Examples for public key schemes applicable to this diagram would be NAXOS [12] and CMQV [19], an example for an ID-based scheme would be the ASIACCS09 [9] scheme. However, a combination of these schemes would not have any security guarantees about the dashed lines in the certificateless part of the diagram. Fig. 1. PK-AKE + ID-AKE = CL-AKE

3

Description of the Certificateless Key Agreement Scheme

We describe the phases of our certificateless authenticated key exchange protocol in this section. Our protocol consists of three phases: setup, message exchange and key computation. We also briefly address the efficiency of the proposed protocol. 3.1

Setup

– The KGC publishes a generator P ∈ and an admissible bilinear pairings map e : × → T that fulfills the following criteria: Let and T be groups of prime order p. A bilinear pairings map e : × → and T satisfies the following properties: T between the groups × → T is bilinear if e(aP, bP ) = Bilinear: We say that a map e : e(P, P )a b for all P ∈ and a, b ∈ p .

214

G. Lippold, C. Boyd, and J. Gonzalez Nieto

Non-degenerate: We say that e is non-degenerate if it does not send all pairs in × to the identity in T . Since and T are groups of prime is a generator of , then e(P, P ) is a order p, it follows that if P ∈ generator of T . Computable: There is an efficient algorithm to compute e(P, Q) for any P, Q ∈ . Suitable pairing groups for this protocol would be Type 1 and Type 4 pairings (see Chen, Cheng & Smart [5] for a discussion). Asymmetric pairings are not possible because we use the non-interactive ID-based key agreement of Sakai, Ohgishi and Kasahara (SOK) [17] as part of our protocol. This requires hashing to both 1 and 2 . The SOK protocol has been proven by Dupont and Enge [8] using gap assumptions. As an added benefit of our proof, we show how to prove the SOK protocol secure under the weaker computational bilinear Diffie-Hellman assumption using the twin bilinear Diffie-Hellman trapdoor [4] in section 5.4, Strategy 9. – The KGC picks a random s ∈ p as master secret key and sets its public key to sP – The KGC selects three cryptographic hash functions H1 : {0, 1}∗ →

H2 : {0, 1}∗ × {0, 1}∗ × → H3 :

8

×

T

6

→ {0, 1}n for some integer n > 0

H2 is the key derivation function for our scheme. Each party participating in the key agreement protocol additionally computes a private key and a matching certificateless public key: – Each user U generates a secret value xU ← p and a public key xU P ∈ – Each user U gets an ID-based private key {sH1 (IDU ), sH3 (H1 (IDU ))} ∈ from the key generation centre. $

3.2

2

Message Exchange

To establish a common key, user A generates the ephemeral secret rA ← p and $

$

user B generates the ephemeral secret rB ← messages: A → B : EA = (rA P, xA P )

p . They exchange the following

B → A : EB = (rB P, xB P )

We note that the certificateless public keys can be stripped from the messages if they are published in a public online directory. This will save bandwidth, but at the same time may make the scheme more vulnerable to the equivalent of denial of decryption attacks in certificateless encryption: an adversary may manipulate the entries of the directory more easily than the message exchange between two parties.

Strongly Secure Certificateless Key Agreement

215

As we propose a one-round protocol, our protocol achieves only implicit authentication. Krawczyk [10, Section 8] shows that explicit authentication is possible with three half rounds. To achieve explicit authentication, this protocol can be patched in the same way that HMQV is patched to HMQV-C. In the following we require implicitly that each party always checks subgroup membership for all elements of messages that are exchanged in the protocol to defend against small subgroup attacks [15]. 3.3

Key Computation

To compute the certificateless session key, each user computes KA = e(H1 (IDB ), sP )rA e(sH1 (IDA ), rB P ) = e(H1 (IDB ), P )rA s e(H1 (IDA ), P )rB s = KB = K ′ KA = e(H3 (H1 (IDB )), sP )rA e(sH3 (H1 (IDA )), rB P ) ′ = e(H3 (H1 (IDB )), P )rA s · e(H3 (H1 (IDA )), P )rB s = KB = K′

LA = e(H1 (IDB ), sP )xA e(sH1 (IDA ), xB P ) = e(H1 (IDB ), P )xA s e(H1 (IDA ), P )xB s = LB = L

L′A = e(H3 (H1 (IDB )), sP )xA e(sH3 (H1 (IDA )), xB P ) = e(H3 (H1 (IDB )), P )xA s e(H3 (H1 (IDA )), P )xB s = L′B = L′ NA = e(H1 (IDB ), sH1 (IDA )) = e(H1 (IDB ), H1 (IDA ))s = NB = N NA′ = e(H3 (H1 (IDB )), sH3 (H1 (IDA ))) = e(H3 (H1 (IDB )), H3 (H1 (IDA )))s = NB′ = N ′ The session key is then computed as SK = H2 (A, B, EA , EB , rA rB P, xA xB P, rA xB P, xA rB P, K, K ′ , L, L′ , N, N ′ ). In Section 5 and Section 5.4 the challenger B uses the adversary M to solve either the computational Diffie-Hellman (CDH) or the computational bilinear Diffie-Hellman (CBDH) problem. K, L, and N are used in the proof to embed the input to the CBDH challenge into the test session. Each of these values is necessary to defend against one possible attack strategy of the adversary M. K is the product of two encapsulated BonehFranklin session keys, L′ is similar but with certificateless long-term keys. N ′ is the non-interactive ID-based key agreement scheme proposed by [17]. K ′ , L′ , and N ′ are needed to answer reveal queries of the adversary M consistently. To answer reveal queries, the challenger B makes use of the twin bilinear DiffieHellman problem as introduced by Cash, Kiltz and Shoup [4]. The twin bilinear Diffie-Hellman “backdoor” is embedded in K ′ , L′ and N ′ . 3.4

Efficiency Considerations

Although the protocol is one round, the computational overhead imposed on the parties is rather high: each party has to compute 5 exponentiations in and 10 pairings. We would like to note that we need the H3 hash function in the proof for full computational bilinear Diffie-Hellman security. If the gap

216

G. Lippold, C. Boyd, and J. Gonzalez Nieto

bilinear Diffie-Hellman assumption is used (see Kudla and Paterson [11] for gap assumptions), the H3 hash function can be omitted which saves 2 hash queries and reduces the complexity of the protocol to 3 exponentiations in and 5 pairing computations (as K ′ , L′ , and N ′ do not have to be computed). If there are multiple runs of the protocol between the same users (e.g. for rekeying in VPN’s), then the complexity can be reduced by caching xA xB P , L, L′ , N , and N ′ in secure memory which then reduces the complexity for successive runs to 4 exponentiations and 4 pairing computations (or 2 exponentiations and 2 pairing computations if the gap bilinear Diffie-Hellman assumption is used). It may be possible to do better in terms of computational efficiency. However, the aim of this paper is to provide a strong model for certificateless key agreement and to show that schemes corresponding to the model exist. We introduce the theorems that we later use as decisional oracles to be able to answer the H2 queries of the adversary consistently (and to determine when the adversary submits the solution to a hard problem to the H2 oracle). We continue then by embedding a hard problem in each of the uncorrupted secrets that are available in the respective strategies.

4

The Twin Bilinear Diffie-Hellman Trapdoor Theorems

The proof in section 5.4 for Strategy 5 to 8 relies heavily on the following theorem: × → T be a bilinear pairing, Theorem 1 (Trapdoor Test). Let e : be a generator where , T are two cyclic groups of prime order p. Let P ∈ of . Suppose B1 ∈ , y, z ∈ p are mutually independent random variables. Define B2 := yP − zB1 . Further, suppose that A, C are random variables in and T1 , T2 are random variables in T , each of which is defined as some function of B1 and B2 . Then we have: 1. B2 is uniformly distributed over . 2. B1 and B2 are independent. 3. If B1 = b1 P and B2 = b2 P , then the probability that the truth value of ?

T1z · T2 = e(A, C)y

(1)

does not agree with the truth value of ?

?

T1 = e(A, C)b1 ∧ T2 = e(A, C)b2

(2)

is at most 1/p, moreover, if Equation 2 holds, then Equation 1 certainly holds. See [4], [9] for an explanation and a proof. Additionally we need the “Additive double BDH Trapdoor Test” and the “Multiplicative double BDH Trapdoor Test” for Strategy 9:

Strongly Secure Certificateless Key Agreement

217

Theorem 2 (Additive double BDH Trapdoor Test). Let e : × → T be a bilinear pairing, where , T are two cyclic groups of prime order p. Let be a generator of . Suppose B1 , D1 ∈ , y1 , y2 , z ∈ p are mutually P ∈ independent random variables. Define B2 := y1 P − zB1 and D2 := y2 P − zD1 . and T1 , T2 are random Further, suppose that A, C are random variables in variables in T , each of which is defined as some function of (A, C, B1 , D1 ) and (A, C, B2 , D2 ). Then we have: (i) B2 and D2 are uniformly distributed over (guaranteed by y1 and y2 ), as is B2 + D2 . (ii) B1 and B2 are independent and D1 and D2 are independent and B2 and D2 are independent, and B1 + D1 and B2 + D2 are independent (also due to y1 and y2 ). (iii) If B1 = b1 P, B2 = b2 P, D1 = d1 P, D2 = d2 P , then the probability that the truth value of ? (3) T1z T2 = e(A, C)y1 +y2 does not agree with the truth value of ?

?

T1 = e(A, C)b1 e(A, C)d1 ∧ T2 = e(A, C)b2 e(A, C)d2

(4)

is at most 1/p, moreover, if Equation 4 holds, then Equation 3 certainly holds. Proof. This proof is a rewrite of Cash, Kiltz and Shoup’s [4] trapdoor test proof. Observe that y1 + y2 = z(b1 + d1 ) + (b2 + d2 ). It is easy to verify that B2 + D2 is uniformly distributed over , and that B1 + D1 , B2 + D2 , z are mutually independent, from which (i) and (ii) follow. To prove (iii), condition on fixed values of B1 + D1 and B2 + D2 . In the resulting conditional probability space, z is uniformly distributed over p , while (b1 + d1 ), (b2 + d2 ), e(A, C), T1 and T2 are fixed. If Equation 4 holds, then by multiplying together the two equations in Equation 4, we see that Equation 3 certainly holds. Conversely, if Equation 4 does not hold, we show that Equation 3 holds with probability at most 1/p. Observe that Equation 3 is equivalent to z  T1 e(A, C)b2 +d2 = . (5) b +d 1 1 e(A, C) T2 It is not hard to see that if T1 = e(A, C)b1 +d1 and T2 = e(A, C)b2 +d2 , then Equation 5 certainly does not hold. This leaves us with the case T1 = e(A, C)b1 +d1 . But in this case, the left hand side of Equation 5 is a random element of T (since z is uniformly distributed in p ), but the right hand side is a fixed element of T . Thus, Equation 5 holds with probability 1/p in this case. Theorem 3 (Multiplicative double BDH Trapdoor Test). 2 Let e : × → T be a bilinear pairing, where , T are two cyclic groups of prime 2

If this test was implemented with B2 = y1 P− z1 bP and C2 = y2 P− z2 cP, then the probability that Equation 7 holds would be p12 . We use zinstead of z1 and z2 because we need Theorem 2 simultaneously.

218

G. Lippold, C. Boyd, and J. Gonzalez Nieto

order p. Let P ∈ be a generator of . Suppose B1 , C1 ∈ , y1 , y2 , z ∈ p are mutually independent random variables. Define B2 := y1 P − zB1 and C2 := and T1 , T2 are y2 P − zC1 . Further, suppose that A is a random variables in random variables in T , each of which is defined as some function of (A, B1 , C1 ) and (A, B2 , C2 ). Then we have: (i) B2 and C2 are uniformly distributed over (guaranteed by y1 and y2 ), and e(B2 , C2 ) is uniformly distributed over T . (ii) B1 and B2 are independent and C1 and C2 are independent and B2 and C2 are independent, and e(B1 , C1 ) and e(B2 , C2 ) are independent (also due to y1 and y2 ). (iii) If B1 = b1 P, B2 = b2 P, C1 = c1 P, C2 = c2 P , then the probability that the truth value of T2 ? e(A, P )y1 y2 = (6) 2 e(A, C1 )y1 e(A, B1 )y2 T1 z does not agree with the truth value of ?

?

T1 = e(A, P )b1 c1 ∧ T2 = e(A, P )b2 c2

(7)

is at most 2/p, moreover, if Equation 7 holds, then Equation 6 certainly holds. Proof. Observe that y1 y2 = (zb1 + b2 )(zc1 + c2 ) = z 2 b1 c1 + zb1 c2 + zb2 c1 + b2 c2 . It is easy to verify that e(B2 , C2 ) is uniformly distributed over T , and that e(B1 , C1 ), e(B2 , C2 ), z are mutually independent, from which (i) and (ii) follow. To prove (iii), condition on fixed values of e(B1 , C1 ) and e(B2 , C2 ). In the resulting conditional probability space, z is uniformly distributed over p , while b1 c1 , b2 c2 , A, T1 and T2 are fixed. If Equation 7 holds, then by multiplying together the two equations in Equation 7, we see that Equation 6 certainly holds. Conversely, if Equation 7 does not hold, we show that Equation 6 holds with probability at most 2/p. Observe that Equation 6 is equivalent to z2  T1 e(A, P )b2 c2 = . (8) b c e(A, P ) 1 1 T2 It is not hard to see that if T1 = e(A, P )b1 c1 and T2 = e(A, P )b2 c2 , then Equation 8 certainly does not hold. This leaves us with the case T1 = e(A, P )b1 c1 . But in this case, the left hand side of Equation 8 is the square of a random element of 2 T . Since z is uniformly distributed in p , z is uniformly distributed over half of p as half of the elements of p are quadratic residues. On the other hand, the right hand side of 8 is a fixed element of T . Thus, Equation 8 holds with probability 2/p in this case.

5

Security Proof for the Certificateless Key Agreement Scheme

We will prove that the certificateless key agreement scheme is a secure key agreement scheme in the random oracle model under the computational bilinear

Strongly Secure Certificateless Key Agreement

219

Diffie-Hellman (CBDH) assumption and the computational Diffie-Hellman (CDH) assumption. The CBDH the assumption states that given {aP, bP, cP } ∈ 3 it is hard to compute e(P, P )abc ∈ T . Let Z be an algorithm that takes as input a triple {aP, bP, cP } ∈ 3 , and outputs an element Z ∈ T . We define the CBDH advantage of Z to be   $ Pr a, b, c ← p : Z(aP, bP, cP ) = e(P, P )abc The CDH assumption states that given {aP, bP } ∈ 2 it is hard to compute abP ∈ . Let Z be an algorithm that takes as input the pair {aP, bP } ∈ 2 , and outputs an element T ∈ . We define the CDH advantage of Z to be   $ Pr a, b ← p : Z(aP, bP ) = abP To relate the advantage of an adversary against our protocol to the above assumptions, we use a classical reduction approach. We assume that an adversary M has an advantage in winning the game outlined in Section 2.1. Additionally, the adversary M may query the random oracles H1 , H2 , and H3 . In the following, the challenger B is interested to use the adversary M to turn M’s advantage in distinguishing a random session key from the correct session key in an advantage to solve either the computational Diffie-Hellman problem or the computational bilinear Diffie-Hellman problem. Let q0 be the maximum number of sessions that any one party may have. We assume that the adversary M makes at most q1 distinctive H1 queries. The adversary may make any number of H2 queries or H3 queries. At the end of the game, M outputs its guess ˆb ∈ {0, 1} for b. Let Adv M (k)[Π] be the advantage that the adversary M has against the protocol, i.e. the event that ˆb = b and M wins the game. Theorem 4. If there exists an adversary that has an advantage against our certificateless key agreement scheme (Adv M (k)[Π]), the challenger B can use this adversary to solve either the computational Diffie-Hellman or the computational bilinear Diffie-Hellman problem. We show that the success probability of any adversary against the scheme is limited by   Adv M (k)[Π] ≤ 9q0 q12 max Adv B (k)[CDH], Adv B (k)[CBDH] where Adv B (k)[CDH] is the advantage that the challenger gets in solving the computational Diffie-Hellman problem given security parameter k using the adversary and Adv B (k)[CBDH] is the advantage that the challenger gets in solving the computational bilinear Diffie-Hellman problem given security parameter k using the adversary.

We note that the CBDH problem is strictly weaker than the CDH problem. Thus, an adversary that is able to solve the CDH problem will also be able to solve the CBDH problem. We differentiate between these two problems because security against a Type II adversary is based solely on the CDH problem, whereas security against a Type I adversary is based on both the CDH problem and the CBDH problem.

220

G. Lippold, C. Boyd, and J. Gonzalez Nieto

5.1

Possible Strategies for the Challenger

Before the game starts, the challenger B tries to guess the test session. To this end, B randomly selects two indexes I, J ∈ {1, . . . , q1 } : I = J that represent the I th and the J th distinct query to the H1 oracle. The probability that B chooses I and J correctly is (as there are at most q1 entries in H1 ) 1 1 > 2 q1 (q1 − 1) q1 T B chooses T ∈ {1, . . . , q0 } and thus determines the test oracle ΠI,J , which is 1 correct with probability larger than q0 q2 . If B did not guess the test session 1 correctly, B aborts the game. In order to use the adversary M to gain an advantage in computing the CBDH or the CDH challenge, the challenger B will guess the parts of the key in the session corresponding to the test query that the adversary may not learn. Depending on the chosen strategy, B aborts the game whenever M’s queries target one of the forbidden elements. Otherwise, the game proceeds as usual. There are nine choices for B (see also Table 1):

Table 1. Possible corrupt queries sorted by strategy Strategy 1 2 3/4(mirr.) 5/6(mirr.) Value at party p I J I J I J I J sH1 (IDp ) c c c c c c c sH3 (H1 (IDp )) c c c c c c c xp / xp P c/r c/r c/r c/r rp c c c c c Embedding in xI xJ P rI rJ P rI xJ P/rJ xI P K Problem type CDH CDH CDH CBDH c = corrupt, r = replace, mirr. = swap columns

7/8(mirr.) 9 I J I J c c c/r c/r c/r c/r c c c L N CBDH CBDH I and J

Strategy 1 - 4 are related to the computational Diffie-Hellman problem, Strategies 5 - 9 are related to the computational bilinear Diffie-Hellman problem. In the proof, the problem is always embedded in the values that the adversary may not corrupt or replace.

1. The adversary may neither learn the secret value of IDI nor of IDJ . 2. The adversary may neither learn the ephemeral private key of IDI nor of IDJ . 3. The adversary may neither learn the secret value of IDJ nor replace the public key of IDJ and may also not learn the ID-based private key of IDI . 4. The adversary may neither learn the ephemeral private key of IDJ nor the secret value of IDI . 5. The adversary may neither learn the ephemeral private key of IDI nor the secret value of IDJ .

Strongly Secure Certificateless Key Agreement

221

6. The adversary may neither learn the secret value of IDI nor replace the secret value of IDI and may also not learn the ID-based private key of IDJ . 7. The adversary may neither learn the ephemeral private key of IDJ nor the ID-based private key of IDI . 8. The adversary may neither learn the ephemeral private key of IDI nor the ID-based private key of IDJ . 9. The adversary may neither learn the ID-based private key of IDI nor of IDJ . As there are nine strategies, the probability that B does not abort the game after B selected the strategy and the test session beforehand is now larger than 1 . The adversary may learn the key generation centre’s master secret only 9q0 q12 in Strategy 1,2,3, and 4. Furthermore, B replaces the H2 oracle by a table which records input/output pairs. If a query is made that matches one of the previous inputs, the corresponding output is returned, otherwise, a value from the respective output domain is chosen at random, the new input/output pair is added to the list and the value is returned. The H1 and H3 oracle operate as explained in Table 2 and Table 3 respectively. Relation to the security model. We gave a list of desirable notions of security in Section 2 and would like to analyse the security of the protocol in relation to the strategies. We note that UKS attacks are not a problem as the key derivation function H2 uses the identities of the parties as input and would output different keys in the event of an UKS attack. Furthermore, the identitybased public keys are derived from the identity’s name and prevent UKS attacks, too. Basic impersonation attacks are not possible as it is necessary to know the private keys of a party to compute K, K ′ , L, L′ , N and N ′ which are inputs to the key derivation function H2 . Weak perfect forward secrecy is guaranteed by Table 2. Modified H1 oracle ID ID1 ... IDI ... IDJ ...

H1 (ID) l1 P ... bP ... cP ...

$

l← l1 ... ⊥ ... ⊥ ...

p



Instead of choosing H1 (IDi ) at random from , B chooses li ∈ p at random, records it, and sets H1 (IDi ) to li P . For Strategy 5, 7 and 9, the I th entry is set to H1 (IDI ) = bP ; for Strategy 6 and 8, the J th entry is set to H1 (IDJ ) = bP . For Strategy 9 the J th entry is set to H1 (IDJ ) = cP . bP and cP are taken from the inputs to the BDH challenge. As bP and cP are random in , this modification is indistinguishable for any adversary. The table above shows the H1 oracle for Strategy 9 as an example.



222

G. Lippold, C. Boyd, and J. Gonzalez Nieto

the proof for Strategy 2. Resistance to key compromise impersonation attacks is also proved using Strategy 2. Resistance to (partial) disclosure of ephemeral secrets is proven in all strategies except Strategy 2, where Strategies 1, 3 and 9 are most important: Strategy 1 also provides security against leakage of ephemeral secrets to the key generation centre or an adversary who compromised both identity based private keys, Strategy 3 provides security against leakage of ephemeral secrets to an adversary who replaced the certificateless public key of one identity and corrupted the ID-based public key of the other identity, Strategy 9 provides security against leakage of ephemeral secrets to a adversary who replaces the certificateless public keys of both identities. 5.2

Behaviour of the Challenger Based on the Chosen Strategy

To solve the computational DH problem using M, B is given the values (aP, bP ) and B’s task is to compute abP . To solve this problem, B uses the H2 oracle. The bilinear pairing is used for consistency checks. To solve the computational BDH problem using M, B is given the values (aP, bP, cP ) and B’s task is to compute e(P, P )abc . To solve this problem, B uses the H2 and the H1 oracle. The H3 oracle is used for consistency checks and operates as in Table 3. Table 3. Modified H3 oracle suitable for twin bilinear Diffie-Hellman



gi ∈ H1 (IDI ) = bP H1 (IDJ ) = cP g1 ...

$

$

H3 (gi ) yi ← ytbdh1 P − zbP ytbdh1 ytbdh2 P − zcP ytbdh2 y1 P y1 ... ...



p

z← z z ⊥ ⊥

p



Instead of choosing H3 (gi ) for gi ∈ at random from , B chooses yi ∈ p at random, records it, and sets H3 (gi ) to yi P . For Strategy 5, 6, 7, 8 and 9, the oracle is patched before the game starts by setting H3 (bP ) = ytbdh1 P − zbP . For Strategy 9, the oracle is additionally patched before the game starts with H3 (cP ) = ytbdh2 P − zcP . bP and cP are taken from the inputs to the BDH challenge. As the pre-patched values are completely re-randomized, this modification is indistinguishable for any adversary. The table above shows the H3 oracle for Strategy 9 as an example.

The session key SK is generated by querying H2 on (IDi , IDj , ri P, xi P, rj P, xj P, ri rj P, xi xj P, ri xj P, rj xi P, K, K ′ , L, L′ , N, N ′ ) where K = e(H1 (IDj ), P )ri s · e(H1 (IDi ), P )rj s ,



 K2

K1

L = e(H1 (IDj ), P )sxi · e(H1 (IDi ), P )sxj ,



 L1

N = e(H1 (IDi ), H1 (IDj ))s

L2

Depending on the chosen strategy, B embeds the challenge in the test query and answers the test query as specified in Section 2.1.

Strongly Secure Certificateless Key Agreement

223

Patching the H2 oracle B has to maintain consistency between the H2 oracle and session key reveal queries, as B will not be able to compute all data necessary to query the H2 oracle for a valid session key in some instances (e.g. if certificateless public keys have been replaced by the adversary). If B has been asked on the H2 oracle first and is then later asked a matching session key reveal query, B is always able to answer these requests correctly (it uses its decisional oracles that are explained in the proofs for respective strategies, see Section 5.4). However, if B is asked a session key reveal query for which no matching H2 query exists yet, B proceeds as follows: B inserts all available data and all data that B is able to compute (see also section 5.3) into the H2 oracle but may have to leave some fields (like K and K ′ or L and L′ or N and N ′ ) empty. B chooses a random value from H2 ’s output domain as the session key and records that value together with the incomplete H2 query data. For the following H2 queries, B first checks if one of the incomplete entries of the H2 oracle matches M’s query data by using the respective decisional oracle(s). If that is the case, B records the complete information submitted by M and returns the H2 entry. B additionally fills up all long term values that it can determine (even if it is not able to fill a H2 entry completely). If B finds no matching entry, B simply generates a new H2 entry as usual. 5.3

t Handling a Session Key Reveal Query for Sessions Πi,j Where Party i and j Are Not Participating in the Test Query

Without loss of generality, we assume that i is the initiator of the session. Given party i that has incoming message (rMj P, xMj P ) (where Mj indicates that the values may be adversarial controlled) and that thus accepts, the challenger knows at least the identity based private keys and the ephemeral private key of party i, i.e. the challenger knows sH1 (IDi ), sH3 (H1 (IDi )), ri . The adversary may have replaced the certificateless public key of party i with xMi P . To obtain a session key, party i has to query the H2 oracle with the session data (as explained in Section 3.3) on the following elements: SK = H2 (i, j, ri P, xMi P, rMj P, xMj P, ri rMj P, xMi xMj P, ri xMj P, xMi rMj P, K, K ′ , L, L′ , N, N ′ ) Besides the public values i, j, ri P, xMi P, rMj P, xMj P that are part of the H2 query, the challenger acting as party i is able to compute the following values knowing its (possibly corrupted) private information sH1 (IDi ), sH3 (H1 (IDi )), ri : ri rMj P trivially, by computing ri (rMj P ) ri xMj P by computing ri (xMJ P ) K due to the patched H1 oracle (see Table 2), the challenger knows logP H1 (IDi ) = li and logP H1 (IDj ) = lj . Thus K can be computed as K = e(H1 (IDj ), sP )ri e(li sP, rMj P )

224

G. Lippold, C. Boyd, and J. Gonzalez Nieto

K ′ just like for K, the challenger knows logP H3 (H1 (IDi )) = yi and logP H3 ( H1 (IDj )) = yj (see Table 3). Thus K ′ can be computed as K ′ = e(H3 (H1 (IDj )), sP )ri e(yi sP, rMj P ) L Knowing li and lj from the H1 oracle computing L is easy: L = e(lj (xMi P ), sP )e(li sP, xMj P ) L′ can be computed similarly, just like K ′ above. N and N ′ are easy as the ID-based private keys are known. The only missing values are xMi xMj P and xMi rMj P which cannot be computed by the challenger. However, as we point out in the proof for Strategy 1 in Section 5.4, the challenger is still able to answer session state reveal and H2 queries consistently: If the challenger is asked a H2 query first and then later asked a matching session state reveal query, the challenger can identify the corresponding H2 entry by checking for all entries if e(xi P, xj P ) = e(xi xj P, P ) and if e(xMi P, rMj P ) = e(xMi rMj P ). If the challenger is asked a session state reveal query, but there is no matching H2 entry, the challenger can create a new random value from the output domain of H2 and assign it to the incomplete entry. The challenger checks the subsequent queries of the adversary to the H2 oracle and is able to answer the queries correctly by using the pairing as above. In the following, we will split the challenger’s behaviour based on the strategy chosen in Section 5.1. Additionally, we omit the indices ti,j with respect to key computations for specific sessions to increase readability. Usually it is evident for which particular session the computations are needed. For the proof we assume that the adversary M does not get an advantage in outputting its guess ˆb for b unless M queries the H2 oracle on the session key. 5.4

Proofs for Strategy 1 to 9

Strategy 1. The allowed corrupt queries for the adversary are listed in Table 1. The challenger B wants to use the adversary M to solve the computational Diffie-Hellman problem. The input for B is (aP, bP ) ∈ 2 and B’s goal is to compute abP . To this end, B sets the certificateless public key of IDI to aP and the certificateless public key of IDJ to bP . B uses the pairing to check whether the queries of the adversary to the H2 oracle are valid: by computing e(aP, bP ) = e(abP, P ), B is able to identify valid queries. As soon as B finds such a query, B aborts the game and returns abP as solution of the CDH challenge. The probability that B is able to find a solution to the CDH challenge is Adv B (k)[CDH] ≥

Adv M (k)[Π] 9q0 q12

B is able to compute all other elements (xI xJ P, K, K ′ , L, L′ , N, N ′ ) that are necessary for H2 queries as the respective private values are under B’s control. If

Strongly Secure Certificateless Key Agreement

225

M is a Type II adversary as explained in Section 2.1, B gives s to M at the start of the game. We note that as B knows s, B is able to generate ID-based private keys for any identity; thus the game does not have to be changed for Type II adversaries. We note that M is allowed to replace the certificateless public key of IDI and/or IDJ after the test query has been issued. If M replaces the certificateless public keys of other identities and asks reveal queries, B first uses the pairing to check for matching queries to the H2 oracle. If no matching query is found, B first generates a random value v of the output domain of H2 , inserts the available session data together with v into the H2 table as described in Section 5.2 (i.e. everything including the certificateless public keys; except xi xj P which B cannot compute) and returns v. If B is then later asked H2 queries containing the correct xi xj P and the certificateless keys xi P and xj P , B is able to tell so by using the pairing computation and completes the entries in the H2 table wherever possible. Strategy 2. The allowed corrupt queries for the adversary are listed in Table 1. The challenger B wants to use the adversary M to solve the computational DiffieHellman problem. The input for B is (aP, bP ) ∈ 2 and B’s goal is to compute abP . To this end, B sets the ephemeral key of IDI to aP and the ephemeral key of IDJ to bP in the test query. B uses the pairing to check whether the queries of the adversary to the H2 oracle are valid: by computing e(aP, bP ) = e(abP, P ), B is able to identify valid queries. As soon as B find such a query, B aborts the game and returns abP as solution of the CDH challenge. The probability that B is able to find a solution to the CDH challenge is Adv B (k)[CDH] ≥

Adv M (k)[Π] 9q0 q12

As M is allowed to replace the certificateless public keys of any identity, B uses the technique described in Strategy 1 to decide how to answer reveal queries and H2 queries. Strategy 3 and 4. The allowed corrupt queries for the adversary are listed in Table 1. For Strategy 3, we want to embed the CDH challenge in rI xJ P , because the input to other values used in the key derivation function can be corrupted $ by the adversary. Here, B selects the master private key s ← p . B is able to provide ID-based secret keys for all identities, as B is in possession of the master secret key. Furthermore, B sets the certificateless public key of IDI to xI P = aP T . If the and the ephemeral public key of party IDJ to rJ P = bP in session ΠI,J adversary is a Type II adversary as described in Section 2.1, then B gives s to M at the start of the game. Similar to Strategy 1 and 2, B checks the H2 queries for entries where ?

e(P, rJ xI P ) = e(aP, bP ) As soon as B finds such an entry, B aborts the game and returns rJ xI P as solution to the BDH challenge. The probability that this happens is lower bounded by

226

G. Lippold, C. Boyd, and J. Gonzalez Nieto

Adv B (k)[CDH] ≥

Adv M (k)[Π] 9q0 q12

B uses the techniques described in Strategy 1 to deal with replaced certificateless keys of identities other than IDI . We note that M is allowed to replace the certificateless public key of IDI after the test query has been issued. We note that as Strategy 4 is symmetric to Strategy 3, its probability of success is equal to the probability of success for Strategy 3. Only IDI and IDJ are exchanged and the computational BDH challenge is embedded in rI xJ P instead of rJ xI P . Strategy 5 and 6. The allowed corrupt queries for Strategy 5 for the adversary are listed in Table 1. The BDH challenge can only be embedded in L2 if Strategy 5 is chosen, because the input to all other values used in the key derivation function can be corrupted by the adversary. To accomplish this, the challenger B sets the master public key to aP and implements the H1 oracle as described in Table 2, thus H1 (IDI ) = bP . B patches the H3 oracle as described in Table 3, thus H3 (H1 (IDI )) = H3 (bP ) = ytb d h 1 P −zbP . B can still generate private keys for all identities except IDI by computing sH(IDi ) = li aP and sH3 (H1 (IDi )) = yi aP . Additionally, B sets the certificateless public key of IDJ to cP . A problem for B arises when the adversary asks session key reveal queries for other sessions than the test session that include IDI and IDJ , or for sessions that include IDI and another party for which the adversary issued a replace public key query. Whenever B is asked a reveal query, B first checks if the key derivation function H2 was asked with a matching session string involving both IDI and IDJ . As B is unable to compute L, B uses the twin bilinear DiffieHellman trapdoor (see Theorem 1) to check if M submitted a valid query, i.e. if the query should be answered with a record from H2 (if such a record exists). The challenger extracts the discrete logarithm for IDJ ’s private keys, lJ and yJ from the H1 and H3 oracle respectively (H3 (H1 (IDJ )) = H3 (lJ P ) = yJ P and B is able to extract both lJ and yJ ). Then, B extracts L and L′ from each entry that matches the session for which the reveal query is being asked, computes L1 = e(lJ aP, xI P ), L′1 = e(yJ aP, xI P ) and checks if  z  z e(H1 (IDJ ), P )s xI · e(H1 (IDI ), P )s x J L′ L · ′ = L1 L1 e(lJ aP, xI P ) e(H3 (H1 (IDJ )), P )s x I · e(H3 (H1 (IDI )), P )s x J · e(yJ aP, xI P )  z xI e(lJ P, aP ) · e(bP, P )a c = e(lJ aP, xI P ) e(yJ P, P )a x I · e(ytbdh 1 P − zbP, P )ac · e(yJ aP, xI P ) acz1 · e(ytbdh1 P − zbP, P )ac = e(bP, P ) = e(P, P )z1 abc e(P, P )ytbdh1 ac−z1 abc = e(P, P )ytbdh1 ac ?

= e(aP, cP )ytbdh1

Strongly Secure Certificateless Key Agreement

227

As soon as M submits such an entry to the H2 oracle, B aborts the game and returns L e(H1 (IDJ ), P )sxI · e(H1 (IDI ), P )sxJ e(lJ P, aP )xI · e(bP, P )ac = = L1 e(lJ aP, xI P ) e(lJ aP, xI P ) = e(P, P )abc as solution to the BDH challenge. B uses the same strategy for reveal queries to sessions of IDI where the adversary replaced the certificateless public key of IDj , except that B does not abort the game if a matching H2 query is found but returns the correct H2 value. If no matching H2 query is found, B proceeds as in Section 5.2. If the adversary replaces the certificateless public key of IDI , B additionally uses the strategy described in Strategy 1. We note that M is allowed to replace the certificateless public key of IDJ after the test query has been issued. The probability that B is able to find a solution to the CBDH challenge is Adv B (k)[CBDH] ≥

Adv M (k)[Π] 9q0 q12

Strategy 6 is symmetric to Strategy 5, so it has the same probability (only IDI and IDJ are exchanged). The BDH challenge is embedded in L1 instead of L2 . Strategy 7 and 8. The allowed corrupt queries for the adversary are listed in Table 1. The BDH challenge can only be embedded in K2 , because the input to all other values used in the key derivation function can be corrupted by the adversary. Using this strategy, the challenger sets the master public key sP to aP (notice that B does not know s). B changes the mode of operation of the H1 oracle so that H1 operates as in Table 2, thus H1 (IDI ) = bP . B patches the H3 oracle as described in Table 3, thus H3 (H1 (IDI )) = H3 (bP ) = ytbdh1 P − zbP . B can still generate private keys for all identities except IDI by computing sH(IDi ) = li aP and sH3 (H1 (IDi )) = yi aP . As queries for IDI ’s private keys were ruled out, this does not affect the overall success probability. Additionally, B sets the ephemeral public key of party J = I that participates in the T th T oracle ΠI,J to cP . If the adversary has an advantage in this strategy, then M needs to query the H2 oracle on the session key. To distinguish this entry from other H2 queries, B re-computes K1 = e(aP, P )lJ rI and similarly the K1′ = e(aP, P )yJ rI . Then, B searches in the table of the H2 oracle for an entry where z  K K′ · ′ = e(aP, cP )ytbdh1 K1 K1 B aborts the game as soon as such an entry is submitted to the H2 oracle and returns K/K1 as solution to the computational bilinear Diffie-Hellman challenge. The probability that this happens is lower bounded by Adv B (k)[CBDH] ≥

Adv M (k)[Π] 9q0 q12

228

G. Lippold, C. Boyd, and J. Gonzalez Nieto

A problem for B occurs if M replaces certificateless public keys. As B knows the ID-based private keys for all identities except IDI , B can compute K, K ′ , L, L′ , N and N ′ for any session except for sessions involving IDI . B may be unable to compute xi xj P if M replaced both xi P and xj P but can use the pairing as described in Strategy 1. For reveal queries involving IDI and replaced certificateless public keys, B uses the H3 oracle as described in Strategy 5. Strategy 8 is symmetric to Strategy 7, so it has the same probability (only IDI and IDJ are exchanged). The BDH challenge is embedded in K1 instead of K2 . Strategy 9. The allowed corrupt queries for the adversary are listed in Table 1. The BDH challenge will be embedded in N . To accomplish this, the challenger sets the master secret key to aP , H1 (IDI ) = bP , and H1 (IDJ ) = cP . Additionally, the H3 oracle (see Table 3) is modified before the game starts so that H3 (H1 (IDI )) = H3 (bP ) = ytbdh1 P − zbP and H3 (H1 (IDJ )) = H3 (cP ) = ytbdh2 P − zcP . A problem for B arises when the adversary asks session key reveal queries for other sessions than the test session that include IDI and IDJ , or for sessions where the adversary M replaces the certificateless public keys of any of the target identities. In these cases the challenger is unable to computer neither N nor L. Whenever B is asked a session key reveal query, B first checks if H2 was asked with a matching session string involving both IDI and IDJ . As B is generally unable to compute either L or N , B uses the trapdoor as explained in Theorem 3 for N and Theorem 2 for L to check if M submitted a valid query, i.e. if the query should be answered with a record from H2 (if such a record exists). To this end, B extracts L, L′ , N and N ′ from each entry that matches the session for which y y ′ e(aP,P ) tbdh1 tbdh2 the reveal query is being asked, and checks if NNz2 = e(cP,aP y y ) tbdh1 e(bP,aP ) tbdh2 z ′ ytbdh1 +ytbdh2 and if L L = e(aP, cP ) . If no matching record exists, B patches the H2 oracle as explained in Section 5.2. As soon as M submits such an entry to the H2 oracle, B aborts the game and returns N as solution to the BDH challenge. The probability that this happens is lower bounded by Adv B (k)[CBDH] ≥

Adv M (k)[Π] 9q0 q12

B is able to distinguish between H2 queries that have correct session data and H2 queries that have invalid session data and is thus able to operate the H2 oracle consistently. B may have to use the techniques explained in Strategy 1 and Strategy 5 to operate the H2 oracle. Theorem 1 follows from the above strategies. ⊓ ⊔

6

Conclusion

We give the strongest security model for certificateless encryption and relate it to Type I and Type II adversaries [6]. We give the first construction for a strongly secure one round certificateless key agreement scheme that is proven to be secure in the random oracle model, if the computational bilinear DiffieHellman and the computational Diffie-Hellman assumptions hold. This enables

Strongly Secure Certificateless Key Agreement

229

us to positively answer Swanson’s [18, Chapter 7] first question, whether it is even possible to construct a certificateless key agreement scheme that meets the extended eCK model. The protocol is compatible with existing certificateless key infrastructures and can thus be deployed easily. It is furthermore a natural complement to certificateless encryption, which brings us to Swanson’s second question: We show that a practical protocol for CL-AKE exists, although it is computationally expensive. We also show how the computational cost can be reduced if we use gap assumptions. We prove our scheme to be more secure than ID-based schemes, in the sense that the KGC can be more actively trying to learn secrets. To answer Swanson’s third question, whether the flexibility of certificateless schemes is worth the increased likeliness of vulnerabilities, we note that the ability of the adversary to replace public keys does not necessarily have to introduce vulnerabilites. CL-AKE schemes therefore combine user flexibility with enhanced privacy. It remains to devise computationally more efficient one round protocols for certificateless key agreement proven secure with respect to standard computational problems such as DH or BDH. Furthermore, a proof for a certificateless key agreement scheme in the standard model would be very interesting.

References 1. Al-Riyami, S.S., Paterson, K.G.: Certificateless Public Key Cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003), http://eprint.iacr.org/2003/126.pdf 2. Bentahar, K., Farshim, P., Malone-Lee, J., Smart, N.P.: Generic Constructions of Identity-Based and Certificateless KEMs. J. Cryptology 21(2), 178–199 (2008) 3. Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. SIAM Journal of Computing 32(3), 586–615 (2003), http://crypto.stanford.edu/~ dabo/papers/bfibe.pdf 4. Cash, D., Kiltz, E., Shoup, V.: The Twin Diffie-Hellman Problem and Applications. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 127–145. Springer, Heidelberg (2008) 5. Chen, L., Cheng, Z., Smart, N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Sec. 6(4), 213–241 (2007) 6. Dent, A.W.: A survey of certificateless encryption schemes and security models. International Journal of Information Security 7(5), 349–377 (2008) 7. Dent, A.W., Libert, B., Paterson, K.G.: Certificateless encryption schemes strongly secure in the standard model. In: Cramer, R. (ed.) PKC 2008. LNCS, vol. 4939, pp. 344–359. Springer, Heidelberg (2008) 8. Dupont, R., Enge, A.: Practical non-interactive key distribution based on pairings. Cryptology ePrint Archive, Report 2002/136 (2002), http://eprint.iacr.org/2002/136 9. Huang, H., Cao, Z.: An ID-based Authenticated Key Exchange Protocol Based on Bilinear Diffie-Hellman Problem. Cryptology ePrint Archive, Report 2008/224 (2008), http://eprint.iacr.org/2008/224 (to be published, ASIACCS 2009) 10. Krawczyk, H.: HMQV: A High-Performance Secure Diffie-Hellman Protocol. Cryptology ePrint Archive, Report 2005/176 (2005), http://eprint.iacr.org/2005/176

230

G. Lippold, C. Boyd, and J. Gonzalez Nieto

11. Kudla, C., Paterson, K.G.: Modular Security Proofs for Key Agreement Protocols. In: Roy, B.K. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 549–565. Springer, Heidelberg (2005) 12. LaMacchia, B.A., Lauter, K., Mityagin, A.: Stronger Security of Authenticated Key Exchange. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 1–16. Springer, Heidelberg (2007) 13. Law, L., Menezes, A., Qu, M., Solinas, J., Vanstone, S.: An Efficient Protocol for Authenticated Key Agreement. Des. Codes Cryptography 28(2), 119–134 (2003) 14. Libert, B., Quisquater, J.-J.: On Constructing Certificateless Cryptosystems from Identity Based Encryption. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 474–490. Springer, Heidelberg (2006) 15. Lim, C.H., Lee, P.J.: A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 249–263. Springer, Heidelberg (1997) 16. Mandt, T.K., Tan, C.H.: Certificateless Authenticated Two-Party Key Agreement Protocols. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435, pp. 37–44. Springer, Heidelberg (2006) 17. Sakai, R., Oghishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Proceedings of Symposium on Cryptography and Information Security (SCIS 2000), pp. 233–238 (2000) 18. Swanson, C.M.: Security in Key Agreement: Two-Party Certificateless Schemes. Master Thesis, University of Waterloo (2009), http://uwspace.uwaterloo.ca/bitstream/10012/4156/1/Swanson_Colleen.pdf (Download, 2009-01-29) 19. Ustaoglu, B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Des. Codes Cryptography 46(3), 329–342 (2008) 20. Wang, S., Cao, Z., Wang, L.: Efficient Certificateless Authenticated Key Agreement Protocol from Pairings. Wuhan University Journal of Natural Sciences 11(5), 1278– 1282 (2006) 21. Xia, L., Wang, S., Shen, J., Xu, G.: Breaking and repairing the certificateless key agreement protocol from ASIAN 2006. Wuhan University Journal of Natural Sciences 13(5), 562–566 (2008) 22. Yum, D.H., Lee, P.J.: Generic Construction of Certificateless Encryption. In: Lagan` a, A., Gavrilova, M.L., Kumar, V., Mun, Y., Tan, C.J.K., Gervasi, O. (eds.) ICCSA 2004. LNCS, vol. 3043, pp. 802–811. Springer, Heidelberg (2004) 23. Yum, D.H., Lee, P.J.: Generic Construction of Certificateless Signature. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 200– 211. Springer, Heidelberg (2004) 24. Zu-hua, S.: Efficient authenticated key agreement protocol using self-certified public keys from pairings. Wuhan University Journal of Natural Sciences 10(1), 262–270 (2005)

Universally Composable Adaptive Priced Oblivious Transfer Alfredo Rial, Markulf Kohlweiss, and Bart Preneel Katholieke Universiteit Leuven, ESAT/SCD/COSIC and IBBT {alfredo.rialduran,markulf.kohlweiss,bart.preneel}@esat.kuleuven.be Abstract. An adaptive k-out-of-N Priced Oblivious Transfer (POT) scheme is a two-party protocol between a vendor and a buyer. The vendor sells a set of messages m1 , . . . , mN with prices p1 , . . . , pN . In each transfer phase i = 1, . . . , k, the buyer chooses a selection value σ i ∈ {1, . . . , N } and interacts with the vendor to buy message mσ i in such a way that the vendor does not learn σi and the buyer does not get any information about the other messages. We present a POT scheme secure under pairing-related assumptions in the standard model. Our scheme is universally composable and thus, unlike previous results, preserves security when it is executed with multiple protocol instances that run concurrently in an adversarially controlled way. Furthermore, after an initialization phase of complexity O(N ), each transfer phase is optimal in terms of rounds of communication and it has constant computational and communication cost. To achieve these properties, we design the first efficient non-interactive proof of knowledge that a value lies in a given interval we are aware of. Keywords: Universally composable security, priced oblivious transfer, bilinear maps, non-interactive range proofs of knowledge.

1

Introduction

A number of studies [1] show that transaction security and privacy concerns are among the main reasons that discourage the use of e-commerce. Although sometimes it is argued that users who claim to be worried about their privacy do not consistently take actions to protect it, recent research [2] demonstrates that, when they are confronted to a prominent display of private information, they not only prefer vendors that offer better privacy protection but also are willing to pay higher prices to purchase from more privacy protective websites. Therefore, it is of interest for vendors to deploy e-commerce applications where buyers need to disclose the minimum information needed to carry out their transactions. So far, the solutions proposed to develop privacy-enhancing e-commerce of digital goods can roughly be divided into two categories: those that hide the identity of the buyer from the vendor (anonymous purchase), and those that hide which goods are bought (oblivious purchase). Anonymous purchase [3,4] usually employs anonymous e-cash [5,6,7] to construct systems where buyers can withdraw coins from a bank and spend them without revealing their identity. These H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 231–247, 2009. c Springer-Verlag Berlin Heidelberg 2009 

232

A. Rial, M. Kohlweiss, and B. Preneel

systems have several shortcomings. First, they hinder customer management (e.g. the vendor cannot easily apply marketing techniques like giving discounts to regular buyers). Second, they do not allow for other methods of payment. Finally, strong anonymity is difficult to achieve and there exist several attacks to reduce it [8]. Oblivious purchase is thus more appealing in scenarios where full anonymity cannot be obtained or when the disadvantages that anonymity causes are important. Oblivious purchase permits effective customer management and allows for every method of payment. Like for anonymous purchase [3,4], it has also been shown how to integrate it into existing Digital Rights Management systems [9]. One can argue that, since the vendor does not know which items are sold, he can find it difficult to discover which products are more demanded. However, we note that this information can be obtained from other sources, e.g., by conducting marketing researches. Oblivious purchase employs the Priced Oblivious Transfer (POT) [10] primitive, which is a generalization of the well-known Oblivious Transfer (OT) [11] primitive intended to permit private purchases. OT is a two-party protocol between a sender S and a receiver R, where S offers a set of messages m1 , . . . , mN to R. R chooses selection values σ1 , . . . , σk ∈ {1, . . . , N } and interacts with S in such a way that R learns mσ1 , . . . , mσk and nothing about the other messages, and S does not learn anything about σ1 , . . . , σk. POT is a two-party protocol between a vendor V and a buyer B, where V sells a set of messages m1 , . . . , mN with prices p1 , . . . , pN to B. Besides the requirements that V must not learn σ1 , . . . , σk and B must not learn anything about the other messages, in POT B must pay prices pσ1 , . . . , pσk without V learning anything about the amount of money paid. N N ,P OTk×1 ) where, Both OT and POT admit an adaptive variant [12] (OTk×1 in transfer phase i, R or B may choose σi after receiving mσi−1 . The adaptive variant is more suitable for constructing an oblivious database, enabling applications of OT such as medical record storage or location-based services [12,13], and the deployment of privacy-preserving e-commerce. Previous work. The universally composable security paradigm [14] provides a framework for representing cryptographic protocols and analyzing their security. Protocols that are proven UC-secure maintain their security even when they are run concurrently with an unbounded number of arbitrary protocol instances controlled by an adversary. Traditionally, security in OT was analyzed under a half-simulation model, where simulation security is required against R, but just stand-alone privacy is required against S. This notion was showed to admit practical attacks against receiver’s security [12]. Camenisch et al. [15], as well as subsequent works [16], present efficient adaptive OT schemes in a full-simulation model. However, these works are not UC-secure because they use black-box simulation with adversarial rewinding in their security proofs. Recently, an adaptive UC-secure OT scheme was proposed [17]. They utilize the approach of assisted decryption used in [15,16], where S sends to R a

Universally Composable Adaptive Priced Oblivious Transfer

233

collection of ciphertexts and in each transfer phase helps R to decrypt one of them. As pointed out in [17], this approach allows for transfer phases with constant computational and communication complexity, and it is suitable to ensure that S does not change the messages in each transfer phase, which are important properties for constructing an oblivious database. This is in contrast to the approach used in other non-adaptive UC-secure OT schemes [18,19], where, in each transfer phase, R hands a set of keys to S, who sends back a collection of ciphertexts such that R is able to decrypt only one of them. Despite this recent progress in OT, so far there are no efficient POT schemes whose security is proven within the UC security paradigm. The first POT scheme [10], as well as subsequent works [20], analyze security in the half-simulation model. In [18] it is explained why these protocols fail even under sequential composition and a practical attack is shown. The existing conditional oblivious transfer schemes [21,22], where sender with input x and receiver with input y interact in such a way that a transfer is completed only when q(x, y) = 1 for some public predicate q(·, ·), are non-adaptive and employ the half-simulation model. On the other hand, security of both the non-adaptive [23,24] and the adaptive [25] Generalized Oblivious Transfer schemes proposed so far, which can be instantiated as non-adaptive and adaptive POT schemes respectively, depends on the underlying OT scheme utilized to implement them, but we note that these solutions are rather inefficient. Finally, access control schemes for OT based on stateful anonymous credentials [26] are not UC-secure either. N scheme that is UC-secure under the Our contribution. We present a P OTk×1 assumption that there is an honestly generated common reference string. Security is proven in a static corruption model without relying on random oracles. After an initialization phase of complexity O(N ), each transfer phase is optimal in terms of rounds of communication and has constant computational and communication cost. Our construction follows the approach in [10] of building a prepaid mechanism where B makes an initial deposit to V. In each transfer phase, B chooses a selection value σi , proves that she has enough funds to buy message mσi and subtracts price pσi from her deposit, while V learns neither pσi nor the new value of the deposit. For this purpose, B employs a zero-knowledge proof of knowledge that she updates her account correctly and that the new account is non-negative. To allow for the latter we design a non-interactive range proof of knowledge by applying the efficient interactive range proof recently proposed in [27] to the non-interactive proof system due to Groth and Sahai [28]. This is the first efficient non-interactive proof of knowledge in the standard model to prove that a value lies in a given interval we are aware of. We also employ the assisted decryption approach and some techniques utilized in the adaptive UC-secure OT scheme in [17]. Specifically, we use double trapdoor encryption and we prove security of ciphertexts under the DLIN [29] assumption. Nonetheless, unlike [17], we make extensive use of P-signatures [30], i.e., signature schemes that have efficient non-interactive proofs of signature

234

A. Rial, M. Kohlweiss, and B. Preneel

possession, to let B prove that she computes her requests honestly. In particular, we employ a slightly modified variant of the P-signature scheme for signing blocks of messages proposed in [7], which is secure under the HSDH [31] and TDH [30] assumptions. (P-signatures also utilize Groth-Sahai proofs, which we instantiate using the DLIN assumption.) The use of multi-block P-signatures allows our scheme to have a smaller ciphertext size than the one in [17]. We note that our POT scheme can easily be simplified to obtain an OT scheme, which constitutes an alternative to the one in [17]. Outline of the paper. In Section 2 we briefly review the universally composable security paradigm and we define the ideal functionality for POT. The security assumptions we use, the Groth-Sahai proof system, and other cryptographic building blocks are described in Section 3. In Section 4 we show how to construct a non-interactive range proof. Finally, in Section 5 we depict the multi-block Psignature scheme and our POT scheme.

2

Definitions

N Adaptive k-out-of-N priced oblivious transfer (P OT N k×1 ). A P OT k×1 scheme is a two-party protocol between a vendor V and a buyer B. In the initialization phase, V receives messages (m1 , . . . , mN ) with prices (p1 , . . . , pN ) as input. B receives an initial deposit ac 0 as input. B stores state information B0 and V stores state information V0 and outputs ac 0 . After that, V and B engage in up to k transfer phases. In the ith transfer, V gets state information Vi−1 as input, and  B gets state information Bi−1 and selection value σi ∈ {1, . . . , N }. If ac 0 − j∈S pσj ≥ 0, where S contains the indices of all transfers that ended successfully, then V stores state information Vi and B stores state information Bi and outputs mσi . Otherwise V stores Vi = Vi−1 and B stores Bi = Bi−1 .

Universally composable security. We use the universally composable security framework [14] with static corruptions to prove security of our construction. In this framework, parties are modeled as probabilistic polynomial time interactive Turing machines. A protocol ψ is UC-secure if there exists no environment Z that can distinguish whether it is interacting with adversary A and parties running protocol ψ or with the ideal process for carrying out the desired task, where ideal adversary E and dummy parties interact with an ideal functionality Fψ . More formally, we say that protocol ψ emulates the ideal process when, for all environments Z, the ensembles IDEALFψ ,E,Z and REALψ,A,Z are computationally indistinguishable. We refer to [14] for a more detailed description of the UC framework. Our construction operates in the FCRS -hybrid plain model, where parties have access to an honestly-generated common reference string crs and to authenticated channels. As in [17], we assume that Z obtains crs from A. This allows the simulator E to set up a crs with trapdoor information to be able to simulate A in the security proof.

Universally Composable Adaptive Priced Oblivious Transfer

235

Below we recall the description of the ideal functionality for generating common reference strings FCRS [32]. FCRS is parameterized with a distribution D and a set of participants P, which is restricted to contain the buyer B and the vendor V of the POT scheme only. We also describe an ideal functionality for POT FP OT based on the ideal functionality for OT given in [17]. FCRS . On input (sid , crs) from party P , if P ∈ / P it aborts. Otherwise, if there is no value r recorded, it picks r ← D and records r . It sends (sid , crs, r ) to P .

FP OT . Parameterized with integers (N , l ), a maximum price pmax , and a deposit upper bound A, and running with a vendor V and a buyer B, FP OT works as follows: - On input a message (sid , vendor, m1 , . . . , mN , p1 , . . . , pN ) from V, where each mi ∈ {0, 1}l and each pi ∈ [0, pmax ], it stores (m1 , . . . , mN ) and (p1 , . . . , pN ) and sends (sid , p1 , . . . , pN ) to B and to the adversary. - On input a message (sid , buyerdep, deposit ), where deposit ∈ [0, A), if a (sid , vendor, . . .) message was not received before, then it does nothing. Otherwise, it stores deposit and sends (sid , deposit ) to V. - On input a message (sid , buyerreq, σ) from B, where σ ∈ {1, . . . , N }, if either messages (sid , vendor, m1 , . . . , mN , p1 , . . . , pN ) and (sid , buyerdep, deposit ) were not received before or deposit − pσ < 0, then it does nothing. Otherwise, it sends (sid , request) to V and receives (sid , b) in response. It hands (sid , b) to the adversary. If b = 0, it sends (sid , ⊥) to B. If b = 1, it updates deposit = deposit − pσ and sends (sid , mσ ) to B.

3

Technical Preliminaries

A function ν is negligible if, for every integer c, there exists an integer K such that for all k > K, |ν(k)| < 1/k c . A problem is said to be hard (or intractable) if there exists no probabilistic polynomial time (p.p.t.) algorithm that solves it with non-negligible probability (in the size of the input or the security parameter). Bilinear maps. Let G and GT be groups of prime order p. A map e : G×G → GT must satisfy the following properties: (a) Bilinearity. A map e : G × G → GT is bilinear if e(ax , by ) = e(a, b)xy ; (b) Non-degeneracy. For all generators g ∈ G, e(g, g) generates GT ; (c) Efficiency. There exists an efficient algorithm that outputs the pairing group setup (p, G, GT , e, g) and an efficient algorithm to compute e(a, b) for any a, b ∈ G. 3.1

Assumptions

The security of our scheme relies on the Hidden Strong DH assumption [31], the Triple DH assumption [30], and the Decision Linear assumption [29]: Definition 1 (HSDH). On input (g, g α ) ∈ G2 , u ∈ G, and a set of tuples (g 1/(α+ci ) , g ci , u ci )li=1 , the l -HSDH assumption holds if it is computationally hard to output a new tuple (g 1/(α+c) , g c , u c ).

236

A. Rial, M. Kohlweiss, and B. Preneel

Definition 2 (TDH). On input (g, g x , g y ) ∈ G3 and a set of tuples (g 1/(x +ci ) , ci )li=1 , the l -TDH assumption holds if it is computationally hard to output a tuple (g µx , g µy , g µxy ) for µ ∈ Zp /{0}. Definition 3 (DLIN). On input (g, g a , g b , g ac , g bd , z) ∈ G6 for random exponents a, b, c, d ∈ Zp , the DLIN assumption holds if it is computationally hard to decide whether z = g c+d . 3.2

Non-interactive Zero-Knowledge Proofs of Knowledge

Let R be an efficiently computable relation and L = {y : ∃w |R(y, w ) = accept} be an NP-language. For tuples (y, w ) ∈ R, we call y the instance and w the witness. A non-interactive proof of knowledge system [33] consists of algorithms PKSetup, PKProve and PKVerify. Algorithm PKSetup(1κ ) outputs a common reference string crs P K . PKProve(crs P K , y, w ) computes a proof pok of instance y by using witness w . Algorithm PKVerify(crs P K , y, pok ) outputs accept if pok is correct. Zero-knowledge captures the notion that a verifier learns nothing from the proof but the truth of the statement. Witness indistinguishability is a weaker property that guarantees that the verifier learns nothing about which witness was used in the proof. In either case, we will also require soundness, meaning that an adversarial prover cannot convince an honest verifier of a false statement, and completeness, meaning that all correctly computed proofs are accepted by the honest verification algorithm. See [34,35,36,37] for formal definitions. In addition, a proof of knowledge needs to be extractable, which means that there exists a polynomial time extractor (PKExtractSetup, PKExtract). Algorithm PKExtractSetup(1κ ) generates parameters crs P K that are identically distributed to the ones generated by algorithm PKSetup and an extraction trapdoor tdext . PKExtract(crs P K , tdext , y, pok ) extracts the witness w with all but negligible probability when PKVerify(crs P K , y, pok ) outputs accept. We recall the notion of f-extractability defined by Belenkiy et al. [30], which is an extension of the original definition of extractability (as given by De Santis et al. [33]). In an f -extractable proof system the extractor PKExtract extracts a value z such that ∃w : z = f (w) ∧ (y, w ) ∈ R. If f (·) is the identity function, we get the usual notion of extractability. Commitment schemes. A non-interactive commitment scheme consists of the algorithms ComSetup and Commit. ComSetup(1κ ) generates the parameters of the commitment scheme paramsCom . Commit(paramsCom , x, open) outputs a commitment C to x using auxiliary information open. A commitment is opened by revealing (x, open) and checking Commit(paramsCom , x, open) = C. A commitment scheme has a hiding property and a binding property. Informally speaking, the hiding property ensures that a commitment C to x does not reveal any information about x, whereas the binding property ensures that C cannot be opened to another value x′ . (When it is clear from the context, we omit the commitment parameters paramsCom .)

Universally Composable Adaptive Priced Oblivious Transfer

237

A notation for f -extractable non-interactive proofs of knowledge (NIPK). We are interested in NIPK about (unconditionally binding) commitments. By ‘x in C’ we denote that there exists open such that C = Commit(paramsCom , x, open). Following Camenisch and Stadler [38] and Belenkiy et at. [30], we use the following notation to express an f -extractable NIPK for instance (C1 , . . . , Cn , Condition) with witness (x1 , open1 , . . . , xn , openn , s) that allows to extract all the witness except the openings of the commitments (s denotes the part of the witness that is not related to the commitments in the instance): NIPK{ (x1 , . . . , xn , s) : Condition(crs, x1 , . . . , xn , s) ∧ x1 in C1 ∧ . . . ∧ xn in Cn } The f -extractability of a NIPK ensures that, with overwhelming probability over the choice of crs, if PKVerify accepts then we can extract (x1 , . . . , xn , s) from π, such that xi is the content of the commitment Ci , and Condition(crs, x1 , . . . , xn , s) is satisfied. To further abbreviate this notation, we omit crs when it is clear from the context. Applying the notation to Groth-Sahai proofs. Groth-Sahai proofs [28] allow proving statements about pairing product equations. The pairing group setup (p, G, GT , e, g) is part of the common reference string crs P K as output by PKSetup(1κ ) and the instance consists of the coefficients {aq , bq }q=1...Q ∈ G, Q t ∈ GT , {αq,i , βq,i }q=1...Q,i=1...m ∈ Zp of the pairing product equation: q=1 e(aq  m αq,i βq,i ) = t. The prover knows {xi }m , bq m i=1 that satisfy this i=1 xi i=1 xi equation. Internally Groth-Sahai proofs prove relations between commitments. A homomorphism guarantees that the same relations also hold for the committed values. Normally, as the first step in creating the proof, the prover prepares commitments {Ci }i=1...m for all values xi in G. Then, the instance, known to the prover and the verifier, is the pairing product equation alone (i.e., its coefficients). In addition, it is possible to add pre-existing Groth-Sahai commitments {Ci }i=1...n , n ≤ m, to the instance for some of the xi values. The corresponding openings openi become part of the witness. The proof will be computed in the same way, except that for values with existing commitments no fresh commitments need to be computed. We will write Ci ← Commit(xi , openi ) to create Groth-Sahai commitments. Note that they use parameters contained in the crs P K of the Groth-Sahai proof system. The Groth-Sahai proof system generates f-extractable witness indistinguishable1 NIPK of the form: NIPK{(x1 , . . . , xn , xn+1 , . . . xm ) :

Q 

q=1

∧ x1 in C1 ∧ · · · ∧ xn in Cn } 3.3

e(aq

n 

i=1

α xi q,i , bq

m 

β

xi q,m ) = t

i=1

P-Signature Schemes

A signature scheme consists of the algorithms Keygen, Sign and VerifySig. Keygen outputs a secret key sk and a public key pk . Sign(sk , m) outputs a signature s 1

Some classes of pairing product equations also admit zero-knowledge proofs.

238

A. Rial, M. Kohlweiss, and B. Preneel

of message m. VerifySig(pk , m, s) outputs accept if s is a valid signature of m and reject otherwise. (This definition can be extended to support multi-block messages m = {m1 , . . . , mn }.) A signature scheme must be correct and unforgeable [39]. Informally speaking, correctness implies that the VerifySig algorithm always accepts an honestly generated signature. Unforgeability means that no p.p.t adversary should be able to output a message-signature pair (s, m) unless he has previously obtained a signature on m. P-Signatures are defined by Belenkiy et al. [30] as signature schemes equipped with a common reference string crs Sig and a NIPK that allows proving possession of a signature of a committed message. Belenkiy et al. show how to use the GrothSahai proof system to build this proof. Since in their constructions m ∈ Zp and Groth-Sahai proofs prove knowledge of a witness in G, they need to compute a bijection F (m) ∈ G and prove knowledge of F (m). To avoid that given a secure signature scheme an adversary may still be able to compute a forgery (s, F (m)) even though he is unable to compute (s, m), [30] defines F -unforgeability, which means that no p.p.t adversary can output (s, F (m)) without previously obtaining a signature on m.

4

Non-interactive Range Proof

We construct an efficient non-interactive range proof that a committed value σ ∈ Zp lies in an interval [0, A). Our scheme is based on the efficient interactive range proof recently proposed in [27]. The technique of [27] consists in writing σ in base-d to show that it lies in an interval [0, d a ). First, the verifier sends the proversignatures Ai on d -ary digits, i.e., i ∈ Zd . Then the prover proves that σ = j∈Za σj d j and that all σj are d -ary digits. For the latter, she proves possession of a verifier’s signature on σj . Our idea consists in employing Psignatures, which allow for a non-interactive proof of signature possession, to construct a non-interactive range proof following this approach. A handy P-signature scheme. We employ the P-signature scheme of [30] that is based on the strong Boneh-Boyen signature scheme [40]. Setup(1κ ) runs the Groth-Sahai PKSetup(1κ ) to obtain crs P K for pairing groups (p, G, GT , e, g), picks random u ∈ G, and outputs crs Sig = (crs P K , u). Keygen(crs Sig ) picks a secret key sk = (α, β) ← Zp and computes a public key pk = (v , w) = (g α , g β ). } and computes s = (s1 , s2 , s3 ) = Sign(crs Sig , sk , m) picks r ← Zp /{ α−msg β (g 1/(α+m+βr) , wr , u r ). VerifySig(crs Sig , pk , m, s) outputs accept when e(s1 , vg m s2 ) = e(g, g), e(u, s2 ) = e(s3 , w). Otherwise, it outputs reject. Using Groth-Sahai proofs, [30] shows how to construct a NIPK of such a signature. This is a proof of a pairing product equation of the form NIPK{(g m , u m , s1 , s2 , s3 ) : e(s1 , vg m s2 ) = e(g, g) ∧ e(u, s2 ) = e(s3 , w) ∧ e(u, g m ) = e(u m , g)}

Universally Composable Adaptive Priced Oblivious Transfer

239

We abbreviate this expression by using NIPK{(g m , u m , s) : VerifySig(pk , s, m) = accept}. This scheme is F -unforgeable (F (m) = (g m , u m )) under the HSDH and TDH assumptions. Range proof. This is a proof that σ ∈ Zp lies in an interval [0, A). The range proof uses a common reference string crs Sig as output by Setup. In addition, we require that the verifier can distribute public parameters paramsRange ← RPInitVerifier(crs Sig , A). These parameters do not need to be honestly generated, as they can be verified by the prover using RPInitProver. RPInitVerifier(crs Sig , A). On input A = d a , it executes Keygen(crs Sig ) to obtain (sk , pk ), and, ∀i ∈ Zd , it computes Ai = Sign(crs Sig , sk , i). It outputs paramsRange = (pk , {Ai }i∈Zd ). RPInitProver(crs Sig , paramsRange ). It parses paramsRange to get {Ai }i∈Zd and pk . It verifies the signatures by computing, for all i ∈ Zd , VerifySig(crs Sig , pk , i, Ai ). If these verifications succeed, it outputs accept. Otherwise it outputs reject. RangeProve(crs Sig , paramsRange , g˜, σ, openσ ) computes the following proof for a commitment Cσ = Commit(˜ g σ , openσ ): NIPK{(˜ g σ , {g σj , u σj , Aσj }a−1 j=0 ) : {VerifySig(pk , σj , Aσj ))}a−1 j=0 ∧ e(g, g˜σ )

a−1 

j

e(˜ g −d , g σj ) = 1 ∧ g˜σ in Cσ }

(1) (2)

j=0

Intuitively, (1) ensures that each σj is a d -ary digit by proving that the value was used by the verifier to compute a signature Aσj , and (2) proves that σ  is correctly decomposed, i.e., that σ = j∈Za σj d j . We use the short form NIPK{(˜ g σ ) : 0 ≤ σ < A ∧ g˜σ in Cσ } to refer to this proof. This proof is only witness indistinguishable. While this is sufficient for our application, it is possible to make the proof zero-knowledge using techniques described in [28]. This proof can be extended to handle intervals of the form [A, B) in the same way as in [27].

5 5.1

UC-Secure Adaptive k-Out-of-N Priced Oblivious Transfer Intuition Behind Our Construction

Our priced oblivious transfer scheme is based on the oblivious transfer scheme by Green and Hohenberger [17]. Specifically, it is an assisted decryption scheme that employs double trapdoor encryption (based on the linear encryption scheme in [29]). The ciphertext of message m contains values (w1r1 , w2r2 , h1r1 , h2r2 , m ·h3r1 +r2 ),

240

A. Rial, M. Kohlweiss, and B. Preneel

where (w1 , w2 ) are public parameters generated by vendor V and (h1 , h2 , h3 ) belong to the common reference string. (w1r1 , w2r2 ) are used by buyer B to generate the request message in each transfer phase, whereas (h1r1 , h2r2 ) are used in the security proof by the ideal protocol adversary E to obtain the messages from V without the necessity of extracting a secret key from a proof of knowledge. This is useful because if the secret key is a value in Zp , then Groth-Sahai proofs do not permit its extraction. In order to be able to decrypt, E creates trapdoor information when generating the crs. (We note that the environment learns crs through the adversary. As mentioned in [17], there are impossibility results for realizing UC-secure OT if E cannot craft crs.) In addition, by using double trapdoor encryption we also prove the security of ciphertexts under the DLIN assumption. The message space is {0, 1}l , but we abuse notation and also write m to denote the corresponding group element in G according to some efficient and invertible mapping. We will do the same when encrypting the account ac 0 that is a value in Zp using linear encryption. For such a mappings between a bit string {0, 1}l and an element in G see, e.g., [41]. The ciphertexts also contain signatures of (w1r1 , w2r2 ) that are used to ensure that B generates her requests honestly. Green and Hohenberger [17] employ signature schemes that sign elements in G. However, we use a multi-block Psignature scheme that signs elements in Zp , and thus we sign values (r1 , r2 ). Consequently, we need to provide B with the values F (r1 , r2 ) = (g1r1 , g2r2 , u1r1 , u2r2 ) of this signature scheme. Nonetheless, we note that in our scheme the ciphertexts have less group elements than in [17]. N In order to permit oblivious purchases, our P OT N k×1 extends the OT k×1 construction sketched above. We follow the approach of [10] of building a prepaid scheme, where in the initialization phase the buyer B pays an initial deposit ac 0 to the vendor V, and in subsequent transfer phases this deposit is subtracted by the price pσ of the message that is being bought. The POT scheme must ensure that V learns neither the price of the message nor the new value of the account, but also that B pays the right price for the message and that she has enough funds to buy it. To achieve this, in the initialization phase B sends a commitment to the deposit. In the ith transfer, B sends a commitment to the new value of the account ac i and proves that (1) this value is correct, i.e., that ac i = ac i−1 − pσ , and that (2) it is non-negative. In order to allow for (1), we need to ensure that B uses the right price. To accomplish this, V adds the price of the message to the message block (r1 , r2 , pσ ). Thanks to that, when B proves possession of the signature, B can include in this proof a pairing product equation to prove that ac i = ac i−1 − pσ . To verify this proof, V employs the commitment to ac i−1 that he got in the previous transfer phase. To achieve (2), in the initialization phase V computes parameters of the range proof and hands then to B. In each transfer phase, B proves that the new value of the account ac i belongs to [0, A), where A is the deposit upper bound.

Universally Composable Adaptive Priced Oblivious Transfer

5.2

241

P-Signatures for Blocks of Messages

We describe an F -unforgeable P-signature scheme for signing multiple message blocks that is based on the single block scheme presented in [7]. Let m = m1 , . . . , mn denote n message blocks. Setupn (1κ ) executes the Groth-Sahai PKSetup(1κ ) to obtain crs P K for pairing groups (p, G, GT , e, g), picks random u ∈ G, and outputs crs Sig = (crs P K , u). Keygenn (crs Sig ) picks random (α, β1 , . . . , βn , λ1 , . . . , λn ) ← Zp and sets a public key Pk = (v , g1 , . . . , gn , u1 , . . . , un ) = (g α , g β1 , . . . , g βn , u λ1 , . . . , u λn ) and a secret key Sk = (α, β1 , . . . , βn ). Signn (crs Sig , Sk , m) chooses random r ← Zp /{−(α + β1 m1 + . . . + βn mn )} and m1 +...+βn mn ) r , g , u r ). computes a signature s = (s1 , s2 , s3 ) = (g 1/(α+r +β1 n VerifySign (crs Sig , Pk , m , s) outputs accept if e(s1 , vs2 i=1 gimi ) = e(g, g) and e(u, s2 ) = e(s3 , g). We extend the multi-block signature scheme with a protocol for proving possession of a signature. NIPK{({gimi , uimi }ni=1 , s1 , s2 , s3 ) : {e(ui , gimi )e(uimi , gi−1 ) = 1}ni=1 ∧ n  e(u, s2 )e(s3 , g −1 ) = 1 ∧ e(s1 , vs2 gimi ) = e(g, g)} i=1

We use the short form to refer to this proof.

NIPK{({gimi , uimi }ni=1 , s)

: VerifySign (Pk , m, s) = accept}

Theorem 1. Let F (m1 , . . . , mn ) = (g1m1 , u1m1 , . . . , gnmn , unmn ). This P-signature scheme is F -unforgeable under the HSDH and TDH assumptions. We prove Theorem 1 in the full version. We make use of the observation that an F-unforgeable signature scheme can also be verified using the F (mi ) values alone, i.e., without knowing mi . Like in the proof, an additional check of the equations {e(ui , gimi )e(uimi , gi−1 ) = 1}ni=1 is needed to verify that the F (mi ) values are constructed correctly. Moreover, the F (mi ) values are sufficient to create a proof of possession of a signature. We write, e.g., VerifySign (Pk , m1 , F (m2 ), m3 , s) to indicate that the signature s is verified using only the F value of message m2 . 5.3

Construction

We begin with a high level description of the priced oblivious transfer scheme. The vendor V and the buyer B interact in the initialization phase and in several transfer phases. Details on the algorithms can be found below. We recall that the scheme is parameterized with integers (N , l ) for the number of messages and their length, an upper bound pmax for the prices and an upper bound A = d a for the deposit.

242

A. Rial, M. Kohlweiss, and B. Preneel

Initialization phase. On input (sid , vendor, m1 , . . . , mN , p1 , . . . , pN ) for the vendor and (sid , buyerdep, ac 0 ) for the buyer (that fulfill the restrictions imposed by the parameters of the scheme): 1. V queries FCRS with (sid , crs). FCRS runs POTGenCRS(1κ , pmax , A) and sends (sid , crs, crs) to V. 2. B queries FCRS with (sid , crs). FCRS sends (sid , crs, crs) to B. 3. V runs POTInitVendor(crs, m1 , . . . , mN , p1 , . . . , pN , A) to get a database commitment T and a secret key sk , and sends (sid , T ) to B. (priv ) ) ← POTInitBuyer(crs, T , ac 0 ). 4. B gets (sid , T ) and computes (P , D0 B aborts if the output is reject. Otherwise, B sends (sid , P ) to V. (B also needs to pay an amount of ac 0 to V through an arbitrary payment channel.) 5. (Upon receiving the money) V runs (D0 , ac 0 ) ← POTGetDeposit(crs, P , A) and checks that ac 0 corresponds to the amount of money received. V stores state information V0 = (T , sk , D0 ) and outputs (sid , ac 0 ), and B (priv ) ). stores state information B0 = (T , D0 Transfer phase. In the ith transfer, V with state information Vi−1 and input (sid , vendor, b) and B with state information Bi−1 and input (sid , buyerreq, σi ) interact as follows: (priv ) 1. B runs POTRequest(crs, T , Di−1 , σi ) to get a request Q and private (priv )

state (Q (priv ) , Di ). B sends (sid , Q ) to V and stores (sid , Q (priv ) , (priv ) Di ). 2. V obtains (sid , Q ). If b = 0, V sends (sid , ⊥) to B. Otherwise V executes POTRespond(crs, T , sk , Di−1 , Q ) to obtain a response R and state Di . V sends (sid , R) to B. 3. B receives (sid , R) and runs POTComplete(crs, T , R, Q (priv ) ) to obtain mσi . V stores state information Vi = (T , sk , Di ), and B stores state information (priv ) Bi = (T , Di ) and outputs (sid , mσi ). POTGenCRS(1κ , pmax , A). Given security parameter κ, it generates two GrothB Sahai reference strings crs V P K and crs P K for the same pairing group setup (p, G, GT , e, g) such that −pmax > A mod p holds. (In the proof of security the two setups allow the simulator to simultaneously make use of knowledge extraction and simulation for the first and the second proof respectively.) It picks random a, b, c ← Zp and computes (h1 , h2 , h3 ) = (g a , g b , g c ). It picks B 2 random u ← G. It outputs crs = (crs V P K , crs P K , u, h1 , h2 , h3 ). POTInitVendor(crs, m1 , . . . , mN , p1 , . . . , pN , A). On input the messages (m1 , . . . , mN ) with prices (p1 , . . . , pN ): 1. It parses crs to obtain crs Sig = (crs B P K , u) and (h1 , h2 , h3 ). 1/x 1/x 2. It picks random x1 , x2 ← Zp and sets (w1 , w2 ) = (h3 1 , h3 2 ). 2

Note that the set crs Sig = (crs B P K , u) is used as common reference string for both the multi-block signature scheme and the single-message signature scheme, which is used for running the range proof.

Universally Composable Adaptive Priced Oblivious Transfer

243

3. It runs Keygenn to obtain (Pk , Sk ), where Pk = (v , g1 , g2 , g3 , u1 , u2 , u3 ) and Sk = (α, β1 , β2 , β3 ). 4. For i = 1, . . . , N , it encrypts m as follows: (a) It picks random r1 , r2 ← Zp . (b) It computes (s1 , s2 , s3 ) = Signn (crs Sig , Sk, (r1 , r2 , pi )). (c) It sets Ci = (w1r1 , w2r2 , h1r1 , h2r2 , mi · h3r1 +r2 , g1r1 , g2r2 , u1r1 , u2r2 , s1 , s2 , s3 , pi ). 5. V runs RPInitVerifier(crs Sig , A) to obtain paramsRange . 6. It sets pk = (w1 , w2 , Pk , paramsRange ), sk = (x1 , x2 ) and T = (pk , C1 , . . . , CN ). It outputs (T , sk ). POTInitBuyer(crs, T , ac 0 ). On input a database commitment T and a deposit ac 0 ∈ [0, A): 1. It parses crs to obtain crs Sig = (crs B P K , u), T as (pk , C1 , . . . , CN ), pk as (w1 , w2 , Pk , paramsRange ) and Pk as (v , g1 , g2 , g3 , u1 , u2 , u3 ). 2. It runs RPInitProver(crs Sig , paramsRange ) to verify paramsRange . 3. For i = 1, . . . , N : (a) It parses Ci = (c1 , c2 , c3 , c4 , c5 , c6 , c7 , c8 , c9 , s1 , s2 , s3 , pi ). (b) It runs VerifySign (Pk , (c6 , c8 ), (c7 , c9 ), pi , s), where s = (s1 , s2 , s3 ). (c) It checks that e(c1 , h1 ) = e(c3 , w1 )∧e(c2 , h2 ) = e(c4 , w2 )∧e(h1 , c6 ) = e(c3 , g1 ) ∧ e(h2 , c7 ) = e(c4 , g2 ). 4. If not all these checks verify, it outputs reject. Otherwise it picks random (priv ) (l1 , l2 ) ← Zp and sets P = (w1l1 , w2l2 , ac 0 · h3l1 +l2 ) and D0 = (ac 0 , (priv ) ). openac0 = 0). It outputs (P , D0 POTGetDeposit(crs, P , A). It works as follows: 1. It parses P as (c1 , c2 , c3 ). 2. It computes ac 0 = c3 /(cx11 cx22 ) and checks that ac 0 ∈ [0, A). 3. It sets D0 = Commit(g3ac 0 , 0). It outputs (D0 , ac 0 ). (priv ) POTRequest(crs, T , Di−1 , σ). On input a database commitment T and a selection value σ ∈ {1, . . . , N }, it works as follows: 1. It parses T as (pk , C1 , . . . , CN ), pk as (w1 , w2 , Pk , paramsRange ), crs to get (crs B P K , u, h3 ) and Cσ as (c1 , c2 , c3 , c4 , c5 , c6 , c7 , c8 , c9 , s1 , s2 , s3 , pσ ). 2. It picks random y1 , y2 ← Zp and computes (d1 , d2 ) = (c1 · w1y1 , c2 · w2y2 ) and (t1 , t2 ) = (h3y1 , h3y2 ). (priv ) 3. It parses Di−1 as (ac i−1 , openaci−1 ) to execute algorithm Di−1 = ac i−1 Commit(g3 , openaci−1 ). It also picks a fresh openaci to compute Di = Commit(g3ac i , openaci ), for ac i = ac i−1 − pσ . 4. It runs PKProve on input crs B P K to compute a witness-indistinguishable proof pok 1 : ac i−1

NIPK{(c6 , c8 , c7 , c9 , g3pσ , u3pσ , s1 , s2 , s3 , g3ac i , g3

, c1 , c2 , t1 , t2 ) :

VerifySign (Pk , (c6 , c8 ), (c7 , c9 ), (g3pσ , u3pσ ) , (s1 , s2 , s3 )) = accept∧ e(w1−1 , c6 )e(c1 , g1 ) = 1 ∧ e(w2−1 , c7 )e(c2 , g2 ) = 1∧ e(c1 , h3 )e(t1 , w1 ) = e(d1 , h3 ) ∧ e(c2 , h3 )e(t2 , w2 ) = e(d2 , h3 )∧ ac i−1

e(g, g3

)e(g −1 , g3ac i )e(g −1 , g3pσ ) = 1∧ ac i−1

∧ 0 ≤ ac i < A ∧ g3ac i in Di ∧ g3

in Di−1 }

244

A. Rial, M. Kohlweiss, and B. Preneel (priv )

= (ac i , 5. It sets Q = (d1 , d2 , pok 1 , Di ), Q (priv ) = (Q , σ, y1 , y2 ) and Di (priv ) ). openaci ). It outputs (Q , Q (priv ) , Di POTRespond(crs, T , sk , Di−1 , Q ). On input a database commitment T , a secret key sk , private state Di−1 , and a request Q , it works as follows: B 1. It parses crs to obtain (crs V P K , crs P K , u, h3 ), T as (pk , C1 , . . . , CN ), pk as (w1 , w2 , Pk , paramsRange ), sk as (x1 , x2 ), Q as (d1 , d2 , pok 1 , Di ). 2. It verifies pok 1 by running PKVerify on input crs B P K and it aborts if the output is reject. For this verification, it uses the commitments Di−1 and Di . 3. It computes (z1 , z2 ) = (d1x1 , d2x2 ) and z = z1 · z2 . 4. It runs PKProve on input crs V P K to compute a zero-knowledge proof of knowledge3 pok 2 : NIPK{(z1 , z2 ) : e(z1 , w1 ) = e(d1 , h3 ) ∧ e(z2 , w2 ) = e(d2 , h3 ) ∧ e(z1 , h3 )e(z2 , h3 ) = e(z , h3 )} 5. It outputs R = (z , pok 2 ) and Di . POTComplete(crs, T , R, Q (priv ) ). On input a database commitment T , a response R and private state Q (priv ) : 1. It parses crs to obtain (crs V P K , h3 ), T as (pk , C1 , . . . , CN ), R as (z , pok 2 ) and Q (priv ) as (Q , σ, y1 , y2 ). 2. It verifies pok 2 by running PKVerify on input crs V P K . If verification fails, it outputs reject. 3. It parses Cσ to obtain c5 and it outputs the message mσ = c5 /(z · h3−y1 · h3−y2 ). Theorem 2. This POT scheme securely realizes FP OT under the DLIN, HSDH and TDH assumptions. We prove Theorem 2 in the full version. 5.4

Properties and Extensions

This scheme offers extra features over previous ones [10]. Namely, it permits that several messages have the same price without scaling up prices and accounts, and it allows the vendor to charge different prices for the same message to different buyers, which can be used to apply marketing techniques like making discounts to regular or underage buyers. This can be done by recomputing the signatures included in the ciphertexts on different prices depending on the particular buyer. In order to allow for a precomputed database, V can assign buyers to ℓ different groups and associate to each group j ∈ {1, . . . , ℓ} a different price for each message mi by signing s (j) = Signn (crs Sig , Sk , (r1 , r2 , j, pij )). (Note that r1 and r2 have the same value in the signatures of all the groups in order to reuse the same encryption of mi .) In the transfer phase, when proving possession of the multi-block P-signature s (j) for their group, buyers must reveal the attribute j. 3

To let this proof be zero-knowledge we introduce a new variable z3 . The set of equations is e(z1 , w1 )e(d1−1 , z3 ) = 1∧e(z2 , w2 )e(d2−1 , z3 ) = 1∧e(z1 z2 , z3 )e(z −1 , z3 ) = 1 ∧ e(w1 , z3 ) = e(w1 , h3 ).

Universally Composable Adaptive Priced Oblivious Transfer

245

The POT scheme can be simplified to obtain an OT scheme, which constitutes an alternative to the one in [17]. Additionally, the multi-block signature scheme provides high flexibility to implement other access control policies for oblivious transfer beyond those required for POT. For example, if an index i is signed instead of price pi , then access control methods based on stateful anonymous credentials [26], which support a wide variety of policies, can be applied. 5.5

Efficiency Analysis and Comparison

In Table 1 we compare the performance of our POT scheme with the performance of the OT scheme in [17] and with the OT scheme obtained by simplifying our POT scheme. We show the number of group elements in the crs, in the database T , in the request message, and in the response message. (We recall that the deposit upper bound is A = d a .) See the full version for more details. Table 1. Performance comparison with the OT scheme in [17] POT scheme OT scheme [17] Our underlying OT scheme crs 23 16 23 Database T 12N + 3d + 11 18N + 11 12N + 7 Request 86 + 30a 66 65 Response 28 35 28

Albeit we analyze the POT scheme as a two-party protocol between a vendor and a buyer, we would also want to use it in applications where a single vendor interacts with multiple buyers. Although this can be achieved by making the vendor run different protocol instances with each buyer, for efficiency reasons it is more appropriate if the vendor can publish a single database for every buyer. Moreover, this ensures consistency, i.e., all the buyers that share a database obtain the same messages and pay the same prices. In our scheme, this is possible to accomplish by modifying FCRS such that it returns common reference strings crs that share the same bilinear setup and the same values (u, h1 , h2 , h3 ). In the proof, this permits the simulator to obtain all messages from a database T intended for multiple buyers, and the fact that they share a crs with common values can be addressed by applying the universal composition with joint state theorem [42].

References 1. Koargonkar, P., Wolin, L.: A multivariate analysis of web usage. Journal of Advertising Research, 53–68 (March/April 1999) 2. Tsai, J., Egelman, S., Cranor, L., Acquisti, R.: The effect of online privacy information on purchasing behavior: An experimental study, working paper (June 2007) 3. Grimm, R., Aichroth, P.: Privacy protection for signed media files: a separation-ofduty approach to the lightweight drm (lwdrm) system. In: Dittmann, J., Fridrich, J.J. (eds.) MM&Sec, pp. 93–99. ACM, New York (2004)

246

A. Rial, M. Kohlweiss, and B. Preneel

4. Lee, D.G., Oh, H.G., Lee, I.Y.: A study on contents distribution using electronic cash system. In: EEE 2004: Proceedings of the 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE 2004), Washington, DC, USA, pp. 333–340. IEEE Computer Society, Los Alamitos (2004) 5. Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press, New York (1999) 6. Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-Cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005) 7. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact e-cash and simulatable VRFs revisited. Cryptology ePrint Archive, Report 2009/107 (2009), http://eprint.iacr.org/ 8. Berthold, O., Federrath, H., K¨ ohntopp, M.: Project anonymity and unobservability in the internet. In: CFP 2000: Proceedings of the tenth conference on Computers, freedom and privacy, pp. 57–65. ACM, New York (2000) 9. Sun, H.-M., Wang, K.-H., Hung, C.-F.: Towards privacy preserving digital rights management using oblivious transfer 10. Aiello, W., Ishai, Y., Reingold, O.: Priced oblivious transfer: How to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001) 11. Rabin, M.O.: How to exchange secrets by oblivious transfer (1981) 12. Naor, M., Pinkas, B.: Oblivious transfer with adaptive queries. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 573–590. Springer, Heidelberg (1999) 13. Kohlweiss, M., Faust, S., Fritsch, L., Gedrojc, B., Preneel, B.: Efficient oblivious augmented maps: Location-based services with a payment broker. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 77–94. Springer, Heidelberg (2007) 14. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS 2001: Proceedings of the 42nd IEEE symposium on Foundations of Computer Science, Washington, DC, USA, p. 136. IEEE Computer Society, Los Alamitos (2001) 15. Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007) 16. Green, M., Hohenberger, S.: Blind identity-based encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007) 17. Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/163 (2008), http://eprint.iacr.org/ 18. Damg˚ ard, I., Nielsen, J.B., Orlandi, C.: Essentially optimal universally composable oblivious transfer. Cryptology ePrint Archive, Report 2008/220 (2008), http://eprint.iacr.org/ 19. Wagner, D. (ed.): CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008) 20. Tobias, C.: Practical oblivious transfer protocols. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 415–426. Springer, Heidelberg (2003) 21. Crescenzo, G.D., Ostrovsky, R., Rajagopalan, S.: Conditional oblivious transfer and timed-release encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999) 22. Blake, I.F., Kolesnikov, V.: Strong conditional oblivious transfer and computing on intervals. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 515–529. Springer, Heidelberg (2004) 23. Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Proc. of 5th ISTCS, pp. 174–183 (1997)

Universally Composable Adaptive Priced Oblivious Transfer

247

24. Shankar, B., Srinathan, K., Rangan, C.P.: Alternative protocols for generalized oblivious transfer. In: Rao, S., Chatterjee, M., Jayanti, P., Murthy, C.S.R., Saha, S.K. (eds.) ICDCN 2008. LNCS, vol. 4904, pp. 304–309. Springer, Heidelberg (2008) 25. Herranz, J.: Restricted adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/182 (2008), http://eprint.iacr.org/ 26. Coull, S., Green, M., Hohenberger, S.: Controlling access to an oblivious database using stateful anonymous credentials. Cryptology ePrint Archive, Report 2008/474 (2008), http://eprint.iacr.org/ 27. Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008) 28. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008) 29. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004) 30. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008) 31. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007) 32. Canetti, R.: Obtaining universally compoable security: Towards the bare bones of trust. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 88–112. Springer, Heidelberg (2007) 33. Santis, A.D., Di Crescenzo, G., Persiano, G.: Necessary and sufficient assumptions for non-interactive zero-knowledge proofs of knowledge for all NP relations. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 451–462. Springer, Heidelberg (2000) 34. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989) 35. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, New York (2000) 36. Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988: Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 103–112. ACM Press, New York (1988) 37. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM Journal on Computing 29(1), 1–28 (1999) 38. Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997) 39. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988) 40. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004) 41. Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID tags via insubvertible encryption. In: CCS 2005: Proceedings of the 12th ACM conference on Computer and communications security, pp. 92–101. ACM, New York (2005) 42. Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003)

Conjunctive Broadcast and Attribute-Based Encryption Nuttapong Attrapadung and Hideki Imai Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST) Akihabara-Daibiru Room 1003, 1-18-13, Sotokanda, Chiyoda-ku, Tokyo 101-0021, Japan {n.attrapadung,h-imai}@aist.go.jp

Abstract. Attribute-based encryption (ABE) system enables an access control mechanism over encrypted data by specifying access policies among private keys and ciphertexts. There are two flavors of ABE, namely key-policy and ciphertext-policy, depending on which of private keys or ciphertexts that access policies are associated with. In this paper we propose a new cryptosystem called Broadcast ABE for both flavors. Broadcast ABE can be used to construct ABE systems with direct revocation mechanism. Direct revocation has a useful property that revocation can be done without affecting any non-revoked users; in particular, it does not require users to update keys periodically. For key-policy variant, our systems appear to be the first fully-functional directly revocable schemes. For ciphertext-policy variant, our systems improve the efficiency from the previously best revocable schemes; in particular, one of our schemes admits ciphertext and private key sizes roughly the same as the currently best (non-revocable) ciphertext-policy ABE. Broadcast ABE can also be utilized to construct multi-authority ABE in the disjunctive setting. Keywords: Attribute-based encryption, Ciphertext policy, Key policy, Broadcast encryption, Revocable ABE, Disjunctive multi-authority ABE.

1

Introduction

Background. Attribute-based encryption (ABE) enables an access control mechanism over encrypted data using access policies and ascribed attributes among private keys and ciphertexts. ABE comes in two flavors called Ciphertext-Policy ABE and Key-Policy ABE. In Ciphertext-Policy ABE, an encryptor can express any access policy, stating what kind of receivers will be able to decrypt the message, directly in the encryption algorithm (which can be run by anyone knowing the universal public key issued priorly by an authority). Such a policy is specified in terms of access structure over attributes. A user is ascribed by an attribute set, in the sense that each attribute corresponds to one of her credential, and H. Shacham and B. Waters (Eds.): Pairing 2009, LNCS 5671, pp. 248–265, 2009. c Springer-Verlag Berlin Heidelberg 2009 

Conjunctive Broadcast and Attribute-Based Encryption

249

is priorly given the private key from the authority. Such a user can decrypt a ciphertext if her attribute satisfies the access policy associated to the ciphertext. An example application of CP-ABE is secure mailing list system with access policy. There, a private key will be assigned for an attribute set, such as {“manager”, “age:30”, “institute:ABC”}, while policies over attributes such as “manager” ∨ (“trainee” ∧ “age:25”) will be associated to ciphertexts. In Key-Policy ABE, the roles of an attribute set and an access policy are swapped from what we described for CP-ABE. Attribute sets are used to annotate the ciphertexts and access policies over these attributes are associated to users’ secret keys. An example application of KP-ABE is pay-TV system with package policy (called target broadcast system in [16]). There, a ciphertext will associate with an attribute set, such as ω = {“title:24”, “genre:suspense”, “season:2”, “episode:13” }, while a policy such as A = “soccer”∨(“title:24” ∧ “season:5”) will be associated to TV program package keys that user receives when subscribes. Previous Works. ABE was introduced by Sahai and Waters [21] in the context of a generalization of ID-based encryption (IBE) called Fuzzy IBE, which is an ABE that allows only single threshold access structures. The first (and still being stateof-the-art) KP-ABE that allow any monotone access structures was proposed by Goyal et al. [16], while the first such CP-ABE, albeit with the security proof in the generic bilinear group model, was proposed by Bethencourt, Sahai, and Waters [5]. Ostrovsky, Sahai, and Waters [20] then subsequently extended both schemes to handle also any non-monotone structures; therefore, negated clauses can be specified in policies. Goyal et al. [15] presented bounded CP-ABE in the standard model. Waters [23] recently proposed the first fully expressive CP-ABE in the standard model. Chase [10] presented KP-ABE in multi-authority setting. 1.1

Two Motivating Problems

Motivation 1: Revocation Scheme for ABE. Revocation mechanism is necessary for any encryption schemes that involve many users, since some private keys might get compromised at some point. In simpler primitives such as public key infrastructure and IBE, there are many revocation methods proposed in the literature [17,1,18,7,13,6]. In attribute-based setting, Boldyreva et al. [6] only recently proposed a revocable KP-ABE scheme. Their scheme uses a key update approach roughly as follows. Consider the package pay-TV system example as above. The sender will encrypt to the attribute set ω ∪ {“time:2009.week3”}, where it also includes the present time slot attribute. The key authority periodically announces a key update material at each time slot so that only non-revoked users can update their key, e.g., a user with a key for policy A can compute a key for A ∧ “time:2009.week3”, which can be used to decrypt ciphertexts encrypted at this time slot. We call this approach an indirect revocation, since the authority indirectly enables revocation by forcing revoked users to be unable to update their keys.

250

N. Attrapadung and H. Imai

While the indirect revocation has an elegant property that senders do not need to know the revocation list, it also has a disadvantage that the key update phase can be a bottleneck for both the key authority and all non-revoked users. It is thus left as an open problem to find an efficient revocation mechanism which can be done without affecting any non-revoked users and public key. With this restriction, it must be that the sender obtains the revocation list (and somehow will embed it into the ciphertext), since otherwise revocation cannot take effect after all. This setting (where sender knows the revocation list) is reasonable especially in the package pay-TV system example, where the sender is the program distributor company, who should possess the pirate key list to be revoked. We will call such solution where a sender directly specifies the revocation list when encrypting a direct revocation. For KP-ABE, a direct revocation approach is, however, not possible yet for the normal present form of KP-ABE algorithm since a normal KP-ABE scheme allows only specifying attribute set associated to the ciphertext, not access policy. This motivates us to model and construct such a scheme in this paper. We note that Goll´e et al. [14] proposed a directly revocable KP-ABE but their scheme is heuristic and works only when the number of attributes associated to each ciphertext is exactly half of the universe size. On the other hand, for CP-ABE, such direct revocation can be done by using ABE that supports negative clauses, proposed by Ostrovsky, Sahai, Waters [20]. To do so, one just adds conjunctively the AND of negation of revoked user identities (where each is considered as an attribute here). However, this solution still somewhat lacks efficiency performance. In particular, their CP-ABE scheme1 will pose overhead O(|R|) group elements additively to the size of ciphertext and O(log n) multiplicatively to the size of private key over the original CPABE scheme of Bethencourt et al. [5], where n is the maximum size of revoked attributes set R. This motivates us to look for more efficient revocation schemes for CP-ABE. We note that Sahai and Waters [22] recently proposed ABE that support negative clauses which has efficiency improvement over the Ostrovsky et al. scheme [20]. However, their paper included only a KP-ABE variant. Motivation 2: Disjunctive Multi-Authority ABE. One limitation in ABE systems is the need to trust single central authority. A natural extension of ABE to avoid this is to have many authorities where each can derive a private key. Consider the policy-based secure mailing list example described in the usage of CP-ABE above. Suppose that the sender wishes to send an email encrypted under some policy and she only trusts authorities say A1 , . . . , At . She wishes to encrypt the email so that only user who possesses a key such that its attribute set satisfies the policy and it is generated from one of those t trusted authority can decrypt. Using a trivial approach would require ciphertext of size O(t · c) where c is the ciphertext size in the basic ABE. Our goal is to obtain more efficient scheme that requires ciphertext of size only O(c), which is independent of t. A similar problem to this was indeed recently addressed by Boneh and Hamburg [9]. In their paper, they proposed a framework called Generalized IBE 1

The mentioned scheme was implicitly introduced in §3.5 of [20].

Conjunctive Broadcast and Attribute-Based Encryption

251

(GIBE) and gives a concrete construction of its special case called Spatial Encryption. One property of their framework is that any primitive that is casted as GIBE can be efficiently augmented to its disjunctive multi-authority version. In their paper, they showed that KP-ABE also falls into the GIBE framework. However, the key size of the KP-ABE instantiated from Spatial Encryption is linear to the access structure size, which may be exponentially large. We note that Chase [10] also proposed Multi-Authority ABE, albeit in the conjunctive setting. In conjunctive setting, the attribute space for each authority is disjoint, while in our disjunctive setting, the attribute space is the same for all authorities. Also, in conjunctive setting, a private key will be created by gathering elements from all authorities, while in our disjunctive setting, a private key can be derived solely by each authority. 1.2

Our Contributions

We propose a new primitive called Conjunctive Broadcast and Attributed Based Encryption, or simply Broadcast ABE for shorthand. Roughly speaking, it adds conjunctively a broadcast dimension ´ a la Broadcast Encryption (BE) to ABE. Broadcast ABE efficiently solves both motivated problems: it can be used as an ABE system that has a direct revocation mechanism and a disjunctive multiauthority ABE. We refer to [12,19,18,11,2,8,22] for historic details on BE. In Broadcast ABE, a private key will be associated also with a user index ID and the ciphertext will be associated also with a user index set S, besides a set of attributes and an access structure (respectively if CP-ABE is considered, or vice versa if KP-ABE is considered). The decryption can be done if the condition on attributes on the ABE part holds as usual and, in addition, ID ∈ S. Broadcast ABE also realizes private key delegation in proper ways. To realize a directly revocable ABE scheme, we set ID to be used as a unique serial number for each private key. To encrypt with a revoked serial number set R the sender just sets S = U \ R, where U is the universe of user indexes, while the attribute related part is done as usual. To realize a disjunctive multi-authority ABE scheme, we set ID to be used as each authority’s identity. To derive a private key for a user, an authority delegates its key by specifying the attribute part properly. Our Approach. We propose two concrete Broadcast Key-Policy ABE schemes and two concrete Broadcast Ciphertext-Policy ABE schemes. Each Broadcast Key-Policy ABE scheme is based on state-of-the-art Broadcast Encryption scheme either by Boneh-Gentry-Waters [8] or Sahai-Waters [22] combined algebraically with Goyal et al. KP-ABE [16]. Similarly, each Broadcast CiphertextPolicy ABE scheme is based on Broadcast Encryption scheme either by Boneh-Gentry-Waters or Sahai-Waters combined algebraically with Waters’ CPABE [23]. Each of four combinations is non-trivial at the first place, since, for example, one may think of obtaining Broadcast ABE by using AND-double encryption (even in a secure way) of BE and ABE. However, one can easily find out that

252

N. Attrapadung and H. Imai

this mislead method is insecure due to collusion attacks of two attackers. Our schemes algebraically combine those schemes in a more sophisticated way. Efficiency. Our first broadcast KP-ABE scheme has almost the same efficiency in ciphertext and private key sizes to that of original KP-ABE of Goyal et al.[16], albeit it has a large pubic key size linear to n, where n is the size of user index universe. Our second broadcast KP-ABE scheme reduces the public key size to almost the same of the original KP-ABE while the ciphertext requires only 2|R| group elements additively. Note that these are the first fully functional directly revocable KP-ABE schemes in the literature. The performance also holds similarly for broadcast CP-ABE variant. In particular, our revocable CP-ABE schemes outperform the previous method applied from [20]. Organization of the Paper. We first provide preliminary materials in §2. We present the definition of Broadcast ABE in §3. In §4 and §5, we present our four concrete broadcast ABE schemes for Key-policy and Ciphertext-policy variant respectively. We give a brief security proof overview in §6 and postpone the full proofs to the full version. The key delegation algorithms for each scheme are described in §7. Finally, in §8, we present efficiency performance comparison.

2 2.1

Preliminaries Access Structures and Linear Secret Sharing

We first provide the notion of access structure and linear secret sharing scheme as follows. Such formalization is recapped from [23]. Definition 1 (Access Structures). Let P = {P1 , P2 , . . . , Pn } be a set of parties. A collection A ⊆ 2P is monotone if for all B, C we have that if B ∈ A and B ⊆ C then C ∈ A. An access structure (respectively, monotonic access structure) is a collection (respectively, monotone collection) A ⊆ 2P \ {∅}. The sets in A are called the authorized sets, and the sets not in A are called the unauthorized sets. Definition 2 (Linear Secret Sharing Schemes (LSSS)). Let P be a set of parties. Let M be a matrix of size ℓ × k. Let ρ : {1, . . . , ℓ} → P be a function that maps a row to a party for labeling. A secret sharing scheme Π for access structure A over a set of parties P is a linear secret-sharing scheme in Zp and is represented by (M, ρ) if it consists of two polynomial-time algorithms: Share(M,ρ) : The algorithm takes as input s ∈ Zp which is to be shared. It randomly chooses y2 , . . . , yk ∈ Zp and let v = (s, y2 , . . . , yk ). It outputs M v as the vector of ℓ shares. The share λρ(i) := Mi · v belongs to party ρ(i), where we denote Mi as the ith row in M . Recon(M,ρ) : The algorithm takes as input S ∈ A. Let I = {i| ρ(i) ∈ S}. It outputs reconstruction constants {(i, μi )}i∈I which has a linear reconstruction  property: i∈I μi · λρ(i) = s.

Conjunctive Broadcast and Attribute-Based Encryption

2.2

253

Bilinear Maps and Some Assumptions

Bilinear Maps. We briefly review facts about bilinear maps. Let G, GT be multiplicative groups of prime order p. Let g be a generator of G. A bilinear map is a map e : G × G → GT for which the following hold: (1) e is bilinear; that is, for all u, v ∈ G, a, b ∈ Z, we have e(ua , v b ) = e(u, v)ab . (2) The map is non-degenerate: e(g, g) = 1. We say that G is a bilinear group if the group action in G can be computed efficiently and there exists GT for which the bilinear map e : G × G → GT is efficiently computable. Decision BDHE Assumption. Let G be a bilinear group of prime order p. The Decision q-BDHE (Bilinear Diffie-Hellman Exponent) problem [8] in G is stated as follows: first the challenger picks a generator g ∈ G and random exponent s, α. The attacker is given a vector   2 q q+2 2q Y = g, g s , g α , g (α ) , . . . , g (α ) , g (α ) , . . . , g (α ) q+1

and an element Z ∈ GT as input, determine if Z = e(g, g)α s . We denote gi = i g (α ) ∈ G for shorthand. An algorithm A that outputs b ∈ {0, 1} has advantage ǫ       q+1  in solving Decision q-BDHE in G if | Pr A Y , e(g, g)α s = 0 −Pr A Y , Z = 0 | ≥ ǫ. We refer to the distribution on the left as PBDHE and the distribution on the right as RBDHE . We say that the Decision q-BDHE assumption holds in G if no polynomial-time algorithm has a non-negligible advantage in solving the problem. Decision MEBDH Assumption. Let G be a bilinear group of prime order p. The Decision q-MEBDH (Multi-Exponent Bilinear Diffie-Hellman) problem [22] in G is stated as follows: first the challenger picks a generator g ∈ G and random exponent s, α, a1 , . . . , ar . The attacker is given a vector X = g, g s , e(g, g)α 2

∀1≤i,j≤q

g ai , g ai s , aai aj , g α/ai

∀1≤i,j,k≤q,i=j

g ai aj s , g αaj /ai , g αai aj /ak , g αai /aj

2

2

2

2

and an element Z ∈ GT as input, determine if Z = e(g, g)αs . An algorithm A that outputs b ∈ {0, 1} has advantage ǫ in solving Decision q-MEBDH in G if   | Pr A(X, e(g, g)αs ) = 0 − Pr A(X, Z) = 0 | ≥ ǫ. We refer to the distribution on the left as PMEBDH and the distribution on the right as RMEBDH . We say that the Decision q-MEBDH assumption holds in G if no polynomial-time algorithm has a non-negligible advantage in solving the problem.

3 3.1

Definitions and Applications Broadcast Key-Policy ABE

Let U denote the set of all user indexes. Let N be the set of all attributes. Note that both U and N are possibly of exponential sizes. Let A denote the set of

254

N. Attrapadung and H. Imai

access structures over N which are allowed to be used. A (U, A) Broadcast KeyPolicy Attribute-Based Encryption (BKP-ABE) scheme consists of four default algorithms Setup, Encrypt, KeyGen, Decrypt and may also include one optional additional algorithm Delegate. Setup → (pk, msk). This is a randomized algorithm that takes no input other than the implicit security parameter. It outputs the public key pk and a master key msk. Encrypt(S, ω, M, pk) → ct. This is a randomized algorithm that takes as input a user index set S ⊆ U, a set of attributes ω ⊆ N , a message M, and the public key pk. It outputs a ciphertext ct. KeyGen(ID, A, msk, pk) → sk(ID,A) . This is a randomized algorithm that takes as input a user index ID ∈ U, an access structure A ∈ A, the master key msk, and the public key pk. It outputs a private decryption key sk(ID,A) , which we sometimes simply denote as sk when its subscript is unambiguous. Decrypt(ct, (S, ω), sk(ID,A) , (ID, A), pk) → M. This algorithm takes as input the ciphertext ct that was encrypted under a user set S with a set ω of attributes, the decryption key sk(ID,A) for user index ID with access control structure A, and the public key pk. It outputs the message M if ω ∈ A and ID ∈ S.  Delegate (x, y), sk(x,y) , (x′ , y′ ), pk → sk(x′ ,y′ ) . This is a randomized algorithm that takes as input a secret key sk(x,y) (with its subscript) and a new subscript (x′ , y′ ). It outputs a key sk(x′ ,y′ ) . Let ⊤ be a special symbol. If we write this operation as sk(x,y) → sk(x′ ,y′ ) and denote msk = sk(⊤,⊤) , then this algorithm is defined over the sequences sk(⊤,⊤) → sk(ID,⊤) → sk(ID,A) ,

sk(⊤,⊤) → sk(⊤,A) → sk(ID,A) ,

sk(x,A) → sk(x,A′ ) ,

for any ID ∈ U; A, A′ ∈ A where A ⊆ A′ and x can be either ⊤ or any ID ∈ U. We requirethe standard correctness of decryption, that is, if Setup → (pk, msk)  then Decrypt Encrypt(S, ω, M, pk), (S, ω), KeyGen(ID, A, msk, pk), (ID, A), pk → M for all M in message space; ID ∈ U; A ∈ A; ω ∈ N ; S ⊆ U. For the scheme with Delegate defined, we also require that sk(ID,A) output from this algorithm has the same distribution as the one from KeyGen algorithm. The selective security notion for BKP-ABE is defined in the following game. Init. The adversary declares the target set of user indexes S ⋆ and the target attribute set ω ⋆ . Setup. The challenger runs the Setup algorithm of ABE and gives the public key pk to the adversary. Phase 1. The adversary is allowed to issue queries for private keys for pairs of user index and access structure (ID, A) such that ω ⋆ ∈ A or ID ∈ S ⋆ , i.e., the negated condition of that of a legitimate key which can be used to decrypt a challenge ciphertext.

Conjunctive Broadcast and Attribute-Based Encryption

255

For the scheme with Delegate defined, the adversary can also query the key for sk(ID,⊤) such that ID ∈ S ⋆ , and the key for sk(⊤,A) such that ω ⋆ ∈ A. Challenge. The adversary submits two equal length messages M0 and M1 . The challenger flips a random bit b and computes the challenge ciphertext ct⋆ of Mb on the target pair (S⋆ , ω ⋆ ) of user set and target attribute set and then gives ct⋆ to the adversary. Phase 2. Phase 1 is repeated. Guess. The adversary outputs a guess b′ of b. The advantage of an adversary in this game is defined as Pr[b = b′ ]− 21 . Note that this can be extended to handle chosen-ciphertext attacks by allowing decryption queries in Phase 1,2. Definition 3. A BKP-ABE scheme is secure in the selective security notion if all polynomial time adversaries have at most a negligible advantage in the above game. 3.2

Broadcast Ciphertext-Policy ABE

Let U, N , A denote the same values as before. A (U, A) Broadcast CiphertextPolicy Attribute-Based Encryption (BCP-ABE) scheme is defined in exactly the same way as BKP-ABE except only that the role of the access structure and the set of attribute is swapped. That is, the private key is assigned to a pair of user index ID ∈ U and attribute set ψ ⊆ N , and the ciphertext corresponds to a pair of user set S ⊆ U and access structure A ∈ A. The decryption can be done iff ψ ∈ A and ID ∈ S. The definition of security notion can be adapted from the key-policy case straightforwardly. 3.3

Solutions to Motivating Problems

Directly Revocable ABE. We apply broadcast ABE for realizing a direct revocation on ABE as follows. We use ID as a unique serial number for each private key (e.g., ID can be the number of keys distributed so far). That is, when a user request a key for y for appropriate y depending on KP-ABE or CP-ABE, the authority picks an unused ID, and returns sk(ID,y) . When encrypting, a sender associates the set S = U \ R, where R is the revoked serial number set, together with the usual attribute-based part. In particular, whether users in S can decrypt or not is a don’t care condition, which is left to be evaluated solely from the attribute-based part. The only care condition is that users in R cannot decrypt. Disjunctive Multi-authority ABE. We apply Broadcast ABE for realizing disjunctive multi-authority ABE as follows. We use broadcast ABE in which the key sk(ID,⊤) is defined (and its corresponding Delegate). sk(ID,⊤) will be the key for the authority of identity ID. To generate key for a user, an authority delegates key sk(ID,y) for appropriate y depending on KP-ABE or CP-ABE. To encrypt under a set of trusted authority S, the sender encrypt under user index set S and appropriate attribute set or access structure depending on KP-ABE or CP-ABE.

256

4

N. Attrapadung and H. Imai

Broadcast Key-Policy ABE

We now present our two broadcast key-policy ABE schemes. The first scheme BKP-ABE1 is a combination of broadcast encryption of Boneh-Gentry-Waters [8] and KP-ABE of Goyal et al. [16]. The second scheme BKP-ABE2 is a combination of broadcast encryption of Sahai-Waters [22] and KP-ABE of Goyal et al. [16]. The first scheme BKP-ABE1 has user index universe U = [n] = {1, . . . , n}. BKP-ABE2 has user index universe U = Zp . We note that the universe being U = Zp implies that one can think of the primitive as an identity-based version in the broadcast dimension, where we can hash any string in {0, 1}∗ into Zp in the real usage. ID-based version implicitly implies the dynamic aspect of our scheme since a key for every user (∈ {0, 1}∗ ) will be well-defined from initialization. Both schemes have attribute universe N = Zp and can deal with any linear secret-sharing access structure which we denote its universe as ALSSS . Consequently, we let an access structure in its LSSS matrix form (cf. Definition 2) be input directly to the algorithms in the scheme. In each scheme, let m be the maximum size of objective attribute set allowed to be associated with a ciphertext, i.e., we restrict |ω| ≤ m. Let m′ = m − 1. The intuition behind each combination that recurs throughout this paper is that we combine the “core key” of both underlying schemes algebraically into single element so as to prevent collusion attacks. (Recall that such attack could be mounted in the case of simple combination by AND-double encryption in the mislead method described in §1). We will describe the intuition for only the first scheme. For the readers who are familiar with Boneh-Gentry-Waters BE [8], ID we recall that g α γ is the private key element of user ID. To combine this key seamlessly to the core part of the KP-ABE scheme, we use the secret exponent αID γ as the secret to be shared in the LSSS of the Goyal et al. [16] KP-ABE. We note that this technique is somewhat reminiscent of the scheme in [4]. 4.1

Construction BKP-ABE1

◮ Setup: The algorithm first picks a random generator g ∈ G and a random α ∈ i Zp . It computes gi = g (α ) ∈ G for i = 1, 2, . . . , n, n+2, . . . , 2n. Next, it randomly picks γ ∈ Zp and sets v = g γ ∈ G. It then randomly picks h0 ,. . . , hm′ ∈ G. The public key is pk = g, g1 , . . . , gn , gn+2 , . . . , g2n , v, h0 , . . . , hm′ . The master key is msk = (α, γ). It outputs (pk, msk). Define a function F : Zp → G by ′ (xj ) . F (x) = m j=0 hj

◮ Encrypt(S, ω, M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an attribute set ω ⊆ N . Pick a random s ∈ Zp . It then computes the   (2) ciphertext as ct = C, C (1) , {Ck }k∈ω , C (3) where

(2) C = M · e(gn , g1 )s , C (1) = g s , Ck = F (k)s , C (3) = (v gn+1−j )s . j∈S

◮ KeyGen(ID, (N, π), msk, pk): Inputs to the encryption algorithm are a user index ID ∈ U and a LSSS access structure (N, π) ∈ ALSSS . Let N be ℓo × ko

Conjunctive Broadcast and Attribute-Based Encryption

257

matrix. The algorithm first randomly chooses z2 . . . , zko ∈ Zp and lets v = (αID γ, z2 , . . . , zko ). For i = 1 to ℓo , it calculates σi = Ni · v, where Ni is the vector corresponding to ith row of N . It also randomly chooses r1 , . . . , rℓo ∈ Zp .   (1) (2) It outputs the private key as sk(ID,(N,π)) = {Di }i∈[1,ℓo ] , {Di }i∈[1,ℓo ] where (1)

Di

(2)

= g σi F (π(i))ri ,

Di

= g ri .

(1)

◮ Decrypt(ct, (S, ω), sk(ID,(N,π)), (ID, (N, π)), pk): Suppose that the attribute set ω satisfies the access structure (N, π) and the user index ID ∈ S (so that the decryption is possible). Let Io = {i| π(i) ∈ ω}. It then calculates corresponding sets of reconstruction constants {(i, νi )}i∈Io = Recon(N,π) (ω). Then it computes the following ⎛ ⎞νi (2) (2) ℓo

e(Cπ(i) , Di ) e(gID , C (3) ) ⎝ ⎠ , K= gn+1−j+ID , C (1) ) i=1 e(D(1) , C (1) ) e( i j∈S j =ID

and obtains message M = C/K. Correctness. We can verify its correctness as νi ℓo  e(gID , (v j∈S gn+1−j )s )

e(F (π(i))s , g ri ) · K= gn+1−j+ID , g s ) e( e(g σi F (π(i))ri , g s ) i=1 j∈S j =ID

ID e(g (α ) , (g γ j∈S gn+1−j )s ) 1 · ℓo = s s·σi ·νi e( gn+1−j+ID , g ) i=1 e(g, g) j∈S j =ID ID

=

e(g, g)(α

e(

γs)



e(g,

j∈S j =ID



j∈S

gn+1−j+ID )s

gn+1−j+ID , g)s

·

1 = e(g, gn+1 )s . e(g, g)s·(αID γ)

Theorem 1. If an adversary can break the BKP-ABE1 scheme with advantage ǫ in the selective security model for (U = [n], ALSSS )-BKP-ABE, then a simulator with advantage ǫ in solving the Decision n-BDHE problem can be constructed. 4.2

Construction BKP-ABE2

◮ Setup: The algorithm first picks a random g, v, h0 , . . . , hm′ ∈ G and   generator 2 random α, b ∈ Zp . The public key is pk = g, g b , g b , v, v b , h0 , . . . , hm′ , e(g, g)α . The master key is msk = (α, b). It outputs (pk, msk). Define a function F : Zp → m′ (xj ) G by F (x) = j=0 hj .

◮ Encrypt(S, ω, M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and an attribute set ω ⊆ N . Let R = U \ S. Denote R = {ID1 , . . . , IDr }.

258

N. Attrapadung and H. Imai

Pick a random s ∈ Zp . Choose random s1 , . . . , sr ∈ Zp such that s = s1 +· · ·+sr .   (4) (2) (3) It computes ciphertext ct = C, C (1) , {Ck }k∈ω , {Cj }j∈[1,r] , {Cj }j∈[1,r] as C = M · (e(g, g)α )s ,

C (1) = g s , (3)

Cj

(2)

= F (k)s ,

(4)

= (g b

Ck

= g b·sj ,

Cj

2

·IDj b sj

v ) .

◮ KeyGen(ID, (N, π), msk, pk): Inputs to the encryption algorithm are a user index ID ∈ U and a LSSS access structure (N, π) ∈ ALSSS . Let N be ℓo × ko matrix. The algorithm first randomly chooses t, z2 . . . , zko ∈ Zp and lets v = (α + b2 t, z2 , . . . , zko ). For i = 1 to ℓo , it calculates σi = Ni · v, where Ni is the vector corresponding to ith row of N . It also randomly chooses r1 , . . . , rℓo ∈ Zp .   (1) (2) It outputs the private key as sk = {Di }i∈[1,ℓo ] , {Di }i∈[1,ℓo ] , D(3) , D(4) where (1)

(2)

= g σi F (π(i))ri ,

Di

Di

D(3) = (g b·ID v)t ,

= g ri

(2)

D(4) = g t .

◮ Decrypt(ct, (S, ω), sk, (ID, (N, π)), pk): Suppose that the attribute set ω satisfies the access structure (N, π) and the user index ID ∈ S (so that the decryption is possible). Let Io = {i| π(i) ∈ ω}. It then calculates corresponding sets of reconstruction constants {(i, νi )}i∈Io = Recon(N,π)(ω). Then it computes

K=

⎞νi (1) (1) ⎝ e(Di , C ) ⎠ (2) (2) e(Cπ(i) , Di ) i=1 ℓo

⎛

·

r

j=1



(4)

e(D(4) , Cj ) (3)

e(D(3) , Cj )

1/(ID−IDj )

,

where it can compute since ID = IDj for all j = 1, . . . , r. It then obtains message M = C/K. Correctness. We can verify its correctness as  ⎞1/(ID−IDj ) ⎛  νi

t b2 ·IDj b sj ℓo  r e g s ri σi v ) , (g

e(g F (π(i)) , g ) ⎝ ⎠ K= · e(F (π(i))s , g ri ) e ((g b·ID v)t , g b·sj ) i=1 j=1 =

ℓo

e(g, g)s·σi ·νi ·

r

j=1

i=1 2

= e(g, g)s·(α+b

t)

·

1

2 ·t

e (g, g)sj ·b 1 s·b2 ·t

e (g, g)

= e(g, g)αs .

Theorem 2. If an adversary can break the BKP-ABE2 scheme with advantage ǫ in the selective security model for (U = Zp , ALSSS )-BKP-ABE, then a simulator with advantage ǫ in solving the Decision q-MEBDH problem can be constructed, where the size of target revoked set |R⋆ | ≤ q.

Conjunctive Broadcast and Attribute-Based Encryption

5

259

Broadcast Ciphertext-Policy ABE

We now present our two broadcast ciphertext-policy ABE schemes. The first scheme BCP-ABE1 is a combination of broadcast encryption of Boneh-GentryWaters [8] and CP-ABE of Waters [23] (the random-oracle-free large-universe scheme). The second scheme BCP-ABE2 is a combination of broadcast encryption of Sahai-Waters [22] and CP-ABE of Waters. Both schemes have universes as U = N = Zp and can deal with any linear secret-sharing access structure ALSSS . For each scheme, let m be the maximum size of subjective attribute set allowed to be assigned to a key, i.e., we restrict |ψ| ≤ m. Let ℓs,max be the maximum number of rows allowed in a subjective access structure matrix. Let m′ = m + ℓs,max − 1. Also, We will restrict ρ to be an injective function as in [23], but we can extend to an unrestricted scheme similarly also as in [23]. 5.1

Construction BCP-ABE1

◮ Setup: The algorithm first picks a random generator g ∈ G and a random α ∈ i Zp . It computes gi = g (α ) ∈ G for i = 1, 2, . . . , n, n+2, . . . , 2n. Next, it randomly picks γ ∈ Zp and sets v = g γ ∈ G. It then randomly picks h0 ,. . . , hm′ ∈ G. The public key is pk = g, g1 , . . . , gn , gn+2 , . . . , g2n , v, h0 , . . . , hm′ . The master key is msk = (α, γ). It outputs (pk, msk). Define a function F : Zp → G by m′ (xj ) F (x) = j=0 hj .

◮ Encrypt(S, (M, ρ), M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and a LSSS access structure (M, ρ) for subjective policy. Let M be ℓs × ks matrix. The algorithm first randomly chooses s, y2 , . . . , yks ∈ Zp and lets u = (s, y2 , . . . , yks ). For i = 1 to ℓs , it calculates λi = Mi · u, where Mi is the vector corresponding to ith row of M . The ciphertext ct is set to (2) ct = (C, C (1) , {Ci }i∈[1,ℓs ] , C (3) ), where C = M · e(gn , g1 )s ,

C (1) = g s ,

(2)

Ci

= (g1 )λi F (ρ(i))−s ,

C (3) = (v



gn+1−j )s .

j∈S

◮ KeyGen(ID, ψ, msk, pk): Inputs to the encryption algorithm are a user index ID ∈ U and an attribute set ψ ⊆ N . The algorithm randomly chooses r ∈ Zp . It   (3) outputs the private key as sk = D(1) , D(2) , {Dx }x∈ψ where ID

D(1) = g α

γ+αr

,

D(2) = g r ,

Dx(3) = F (x)r .

(3)

◮ Decrypt(ct, (S, (M, ρ)), sk, (ID, ψ), pk): Suppose that the attribute set ψ satisfies the access structure (M, ρ) and the user index ID ∈ S (so that the decryption is possible). Let Is = {i| ρ(i) ∈ ψ}. It then calculates corresponding sets of reconstruction constants {(i, μi )}i∈Is = Recon(M,ρ) (ψ). Then it computes the following and obtains message M = C/K.

260

N. Attrapadung and H. Imai

e(gID , C (3) ) K= · gn+1−j+ID , C (1) ) e(

µi ℓs  (3) (2) (2) ) · e(C (1) , Dρ(i) ) i=1 e(Ci , D e(C (1) , D(1) )

.

j∈S j =ID

We leave the correctness verification to readers due to limited space here. Theorem 3. If an adversary can break the BCP-ABE1 scheme with advantage ǫ in the selective security model for (U = [n], ALSSS )-BCP-ABE with a challenge subjective access structure matrix of size ℓ⋆s × ks⋆ such that n ≥ m + ks⋆ , then a simulator with advantage ǫ in solving the Decision n-BDHE problem can be constructed. 5.2

Construction BCP-ABE2

◮ Setup: The algorithm first picks a random generator  b b2 g, v, bh0 ,a. . . , hm′ ∈ G and random α, a, b ∈ Z . The public key is pk = g, g , g , v, v , g , h0 , . . . , hm′ , p  α e(g, g) . The master key is msk = (α, b). It outputs (pk, msk). Define a function m′ (xj ) F : Zp → G by F (x) = j=0 hj .

◮ Encrypt(S, (M, ρ), M, pk): Inputs to the encryption algorithm are a user index set S ⊆ U and a LSSS access structure (M, ρ) for subjective policy. Let M be ℓs × ks matrix. Let R = U \ S. Denote R = {ID1 , . . . , IDr }. The algorithm first randomly chooses s, y2 , . . . , yks ∈ Zp and lets u = (s, y2 , . . . , yks ). For i = 1 to ℓs , it calculates λi = Mi · u, where Mi is the vector corresponding to ith row of M . It also chooses random s1 , . . . , sr ∈ Zp such that s = s1 + · · ·+ sr . The ciphertext (4) (3) (2) ct is set to ct = (C, C (1) , {Ci }i∈[1,ℓs ] , {Cj }j∈[1,r] , {Cj }j∈[1,r] ), where C = M · (e(g, g)α )s ,

C (1) = g s , (3)

Cj

= g b·sj ,

(2)

= g aλi F (ρ(i))−s ,

(4)

= (g b

Ci

Cj

2

·IDj b sj

v ) .

◮ KeyGen(ID, ψ, msk, pk): Inputs to the encryption algorithm are a user index ID ∈ U and an attribute set ψ ⊆ N . The algorithm randomly chooses t, r ∈ Zp .   (3) It outputs the private key as sk = D(1) , D(2) , {Dx }x∈ψ , D(4) , D(5) where 2

D(1) = g α+b t · g ar ,

D(2) = g r ,

Dx(3) = F (x)r ,

D(4) = (g b·ID v)t ,

D(5) = g t .

(4)

◮ Decrypt(ct, (S, (M, ρ)), sk, (ID, ψ), pk): Suppose that the attribute set ψ satisfies the access structure (M, ρ) and the user index ID ∈ S (so that the decryption is possible). Let Is = {i| ρ(i) ∈ ψ}. It then calculates corresponding sets of reconstruction constants {(i, μi )}i∈Is = Recon(M,ρ) (ψ). Then it computes  1/(ID−IDj ) (4) r

e(D(5) , Cj ) e(C (1) , D(1) )  µi · K= , (2) ℓs (4) , C (3) ) (2) ) · e(C (1) , D (3) ) e(D e(C , D j=1 j i i=1 ρ(i)

where it can compute since ID = IDj for j = 1, . . . , r. It then obtains M = C/K.

Conjunctive Broadcast and Attribute-Based Encryption

261

Theorem 4. If an adversary can break the BCP-ABE2 scheme with advantage ǫ in the selective security model for (U = Zp , ALSSS )-BCP-ABE with a challenge subjective access structure matrix of size ℓ⋆s × ks⋆ such that q ≥ m+ ks⋆ , then a simulator with advantage ǫ in solving the Decision q-MEBDH problem can be constructed.

6

Security Proof Overview

Due to limited space, we only give the security proof overview for the proposed schemes here and postpone the full proofs to the the full version of this paper. Since each system is based on the combination of two underlying schemes, the security proof will be based on both proofs of underlying schemes. It is natural to prove the security by reducing to the stronger assumption out of two base assumptions. To do so, we must extract a problem instance for the other (weaker) base assumption out of the stronger one, so that we can also embed that weaker assumption for the corresponding part of primitive. We summarize the assumptions and the extracted part in Table 1. The assumption at the graycolor slot, which is the stronger one, is the actual underlying assumption for the security of each of our schemes to be reduced to. Note that the extracted assumption for the fourth scheme is indeed not a problem instance for Decision BDHE; however, we are able to prove the ABE part using this assumption. Table 1. Assumptions in our broadcast ABE and their underlying BE and ABE Scheme

BE

BKP-ABE1 BGW[8] BDHE

ABE GPSW[16] BDH

BKP-ABE2 SW[22] MEBDH GPSW[16] BDH BCP-ABE1 BGW[8] BDHE BCP-ABE2 SW[22] MEBDH

W[23] W[23]

Extracted assumption q

?

(g s , g α , g α , Z = e(g, g)α 2 1

(gs , g a , g α

BDHE BDHE (gs , ∀1≤i , j

/ a

2 1

s

)

?

, Z = e(g, g)α s ) 2

≤q ;i =j ?

q+1

ga i , gα

2 2 / a 2 i , gα a i / a j ,

Z = e(g, g)α s )

7

Adding Key Delegation

In this section, we describe the key delegation algorithm for each of our four schemes. Due to limited space, we postpone those of the two broadcast CP-ABE schemes to the full-length version of this paper. They can be done quite similarly to the cases of broadcast KP-ABE below with some proper re-randomization. We can say that our schemes subsume the original BE [8,22] and ABE [16,23], since one can delegate keys in these schemes to our broadcast ABE schemes. 7.1

Delegation in BKP-ABE1

This scheme supports delegation of type sk(⊤,⊤) → sk(ID,⊤) → sk(ID,(N,π)) . Note that we can base our KP-ABE portion of BKP-ABE on the access tree based approach instead of the LSSS based approach [16] and obtain a BKP-ABE which supports delegation also of type sk(x,A) → sk(x,A′ ) . We omit that details here.

262

N. Attrapadung and H. Imai

  ◮ Delegate sk(⊤,⊤) → sk(ID,⊤) → sk(ID,(N,π)) : From the master key msk = ID sk(⊤,⊤) it computes the key sk(ID,⊤) = g (α γ) . The key sk(ID,⊤) can be delegated   (1) (2) to sk(ID,(N,π)) = {Di }i∈[1,ℓo ] , {Di }i∈[1,ℓo ] by randomly choosing z2 , . . . , zko , r1 , . . . , rℓo ∈ Zp and setting  Ni,1  ko Ni,j zj (2) (1) Di = sk(ID,⊤) Di = g ri . g j=2 F (π(i))ri , We can show that this key has the same distribution as the one from Key(1) Gen by implicitly defining v = (αID γ, z2 , . . . , zko ) and observing that Di = g Ni ·v F (π(i))ri as required.

7.2

Delegation in BKP-ABE2

This scheme supports delegation of both types: sk(⊤,⊤) → sk(ID,⊤) → sk(ID,(N,π)) and sk(⊤,⊤) → sk(⊤,(N,π)) → sk(ID,(N,π)). Again, we can base our scheme on the access tree approach and obtain the delegation of type sk(x,A) → sk(x,A′ ) .   ◮ Delegate sk(⊤,⊤) → sk(ID,⊤) → sk(ID,(N,π)) : From the master key msk =  (1) (3) (4)  sk(⊤,⊤) it computes the key sk(ID,⊤) = D , D , D by randomly choosing t ∈ Zp and setting 2

D(1) = g α+b t ,

D(3) = (g b·ID v)t ,

D(4) = g t .  ′(1) The key sk(ID,⊤) can then be delegated to the key sk(ID,(N,π)) = {Di }i∈[1,ℓo ] ,  ′(2) {Di }i∈[1,ℓo ] , D′(3) , D′(4) by randomly choosing z2 , . . . , zko , r1 , . . . , rℓo , t′ ∈ Zp and setting  2 ′ Ni,1  ko ′(2) ′(1) Di = g ri g j=2 Ni,j zj F (π(i))ri , Di = D(1) · (g b )t ′

′

D′(3) = D(3) · (g b·ID v)t ,

D′(4) = D(4) · g t .

We can show that this key has the same distribution as the one from KeyGen ′(1) by implicitly defining v = (α + b2 (t + t′ ), z2 , . . . , zko ) and observing that Di = Ni ·v ri g F (π(i)) as required. The other terms are immediate.   ◮ Delegate sk(⊤,⊤) → sk(⊤,(N,π)) → sk(ID,(N,π)) : From the master key msk =   (1) (2) sk(⊤,⊤) it computes the key sk(⊤,A) = {Di }i∈[1,ℓo ] , {Di }i∈[1,ℓo ] as follows. It randomly chooses z2 . . . , zko , r1 , . . . , rℓo ∈ Zp and lets u = (α, z2 , . . . , zko ). For i = 1 to ℓo , it calculates σi = Ni · u. It then lets (1)

= g σi F (π(i))ri ,

(1)

· (g b )tNi,1 g

(2)

= g ri .  ′(1) The key sk(⊤,A) can then be delegated to the key sk(ID,(N,π)) = {Di }i∈[1,ℓo ] ,  ′(2) {Di }i∈[1,ℓo ] , D′(3) , D′(4) by randomly choosing z2′ , . . . , zk′ o , r1′ , . . . , rℓ′ o , t ∈ Zp and setting Di

′(1)

Di

= Di

D′(3) = (g b·ID v)t ,

2

 ko

j=2

Di

Ni,j zj′

′

F (π(i))ri ,

′(2)

Di

(2)

= Di

D′(4) = g t .

′

· g ri

Conjunctive Broadcast and Attribute-Based Encryption

263

We can show that this key has the same distribution as the one from KeyGen by implicitly defining v = (α + b2 t, z2 + z2′ , . . . , zko + zk′ o ) and observing that ′(1)

Di

8

′

= g Ni ·v F (π(i))ri +ri as required. The other terms are immediate.

Efficiency

Table Description. In this section, we give an efficiency comparison using Table 2. Each amount in the table shows the number of group elements in G, which is a bilinear group with bilinear map G×G → GT . The exception is that for those values with † , one element of GT is included in that amount. |cipher|, |priv|, |pub| are the sizes of ciphertext for key encapsulation, private key and public key respectively. Here r is the number of revoked user, n is the number of all users. Let t be the size of rows in LSSS access structure matrix, which is equal to the number of attributes appeared in the access structure. Recall that an access structure is associated with ciphertext in the case of ciphertext-policy ABE and with private key in the case of key-policy ABE. Let ℓ be the maximum size allowed for t. Let k be the size of the attribute set (associated with private key in the case of ciphertext-policy ABE and with ciphertext in the case of key-policy ABE). Let m be the maximum size allowed for k. The OSW scheme refers to the scheme mentioned implicitly in §3.5 of [20]. The amount in the column in gray color shows the overhead of the present revocable scheme to its underlying original (non-revocable) ABE schemes: the underlying CP-ABE of OSW scheme [20] is Bethencourt et al. scheme [5] (in which security proof is done only in the generic group and random oracle model); the underlying CP-ABE of both BCP-ABE1,2 is Waters’ CP-ABE [23]; the underlying KP-ABE of both BKP-ABE1,2 is KP-ABE of Goyal et al. [16]. In particular, the amount excluding the gray column is the efficiency of those original schemes. Efficiency of Revocable ABE. BKP-ABE1 scheme has almost the same efficiency in ciphertext and private key sizes to that of the original (non-revocable) Table 2. Efficiency comparison among directly revocable ABE schemes

Previous

Ours

Revocable CP-ABE OSW [20] |cipher| = (2t + 1) +O(r) |priv| = (2k + 2) ·(log n) |pub| = (3† · log n) + O(n) BCP-ABE1 |cipher| = (t + 1) +1 |priv| = (k + 2) |pub| = (m + ℓ + 3)† +(2n − 1) BCP-ABE2 |cipher| = (t + 1) +2r |priv| = (k + 2) +2 |pub| = (m + ℓ + 3)† +4

Revocable KP-ABE None

BKP-ABE1 |cipher| = (k + 1) |priv| = (2t) |pub| = (m + 4) BKP-ABE2 |cipher| = (k + 1) |priv| = (2t) |pub| = (m + 4)

+1 +(2n − 2) +2r +2 +3†

264

N. Attrapadung and H. Imai

KP-ABE of Goyal et al.[16], albeit it has a large pubic key size linear to n. BKP-ABE2 scheme reduces the public key size to almost the same of the original (non-revocable) KP-ABE while the ciphertext requires only 2r group elements additively. Note that these are the first fully functional directly revocable KPABE schemes in the literature. The efficiency performance also holds similarly for revocable CP-ABE variant. In particular, it performs better than the previous OSW scheme, whose ciphertext requires O(r) elements additively and private key requires log n overhead multiplicatively to the original scheme. Note that we can improve all the four proposed schemes by using random oracle; the resulting schemes reduce the public key size by m elements. We finally note two implicit possible schemes. Applying Sahai-Waters negated clause framework [22] to Waters’ CP-ABE (analogously to the KP case described in §5 of [22]), one can obtain CP-ABE that supports negated clauses, which can be used as revocable CP-ABE as described in §1. This improves the OSW scheme but is still less efficient than our dedicated BCP-ABE. Furthermore, concurrently to this paper, Attrapadung and Imai [3] recently proposed a new variant of ABE called dual-policy ABE (DP-ABE), which is a conjunctively combined scheme from KP and CP ABE. By using negated clauses in CP part, DP-ABE gives a revocable KP-ABE, but our dedicated BKP-ABE schemes are more efficient. Efficiency of Disjunctive Multi-authority ABE. The efficiency from Table 2 translates to the disjunctive multi-authority ABE application as it is, where n is the number of all authorities and r = n − |S| is the number of revoked authorities. For ciphertext-policy case, the only previous scheme is the trivial concatenated scheme, whose ciphertext requires |S| overhead multiplicatively to the original ABE scheme. For key-policy case, a simple multi-authority scheme which is better than the trivial one can be constructed from KP-ABE by setting the authority key using policy ID. The key for policy A derived from this authority is set using policy ID ∧ A. Encrypting to attribute set ω is done by associating ω ∪ {S} to ciphertext. This scheme poses overhead |S| additively to ciphertext size. Our first BCP and BKP ABE is more efficient: its ciphertext size is roughly the same as its original ABE.

References 1. Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation (extended abstract). In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 137–152. Springer, Heidelberg (1998) 2. Attrapadung, N., Imai, H.: Graph-decomposition-based frameworks for subsetcover broadcast encryption and efficient instantiations. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 100–120. Springer, Heidelberg (2005) 3. Attrapadung, N., Imai, H.: Dual-policy attribute based encryption. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 168–185. Springer, Heidelberg (2009) 4. Attrapadung, N., Furukawa, J., Imai, H.: Forward-secure and searchable broadcast encryption with short ciphertexts and private keys. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 161–177. Springer, Heidelberg (2006)

Conjunctive Broadcast and Attribute-Based Encryption

265

5. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy 2007, pp. 321–334 (2007) 6. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: ACM Conference on Computer and Communications Security 2008, pp. 417–426 (2008) 7. Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 8. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005) 9. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455–470. Springer, Heidelberg (2008) 10. Chase, M.: Multi-authority attribute based encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 515–534. Springer, Heidelberg (2007) 11. Dodis, Y., Fazio, N.: Public-key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2002) 12. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1993) 13. Gentry, C.: Certificate-based encryption and the certificate revocation problem. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 272–293. Springer, Heidelberg (2003) 14. Goll´e, P., Staddon, J., Gagne, M., Rasmussen, P.: A content-driven access control system. In: Symposium on Identity and Trust on the Internet — IDtrust 2008, pp. 26–35 (2008) 15. Goyal, V., Jain, A., Pandey, O., Sahai, A.: Bounded ciphertext policy attributebased encryption. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 579–591. Springer, Heidelberg (2008) 16. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for finegrained access control of encrypted data. In: ACM Conference on Computer and Communications Security 2006, pp. 89–98 (2006) 17. Micali, S.: Efficient certificate revocation. Tech. Report MIT/LCS/TM-542b (1996) 18. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001) 19. Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001) 20. Ostrovsky, R., Sahai, A., Waters, B.: Attribute-based encryption with nonmonotonic access structures. In: ACM Conference on Computer and Communications Security 2007, pp. 195–203 (2007) 21. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) 22. Sahai, A., Waters, B.: Revocation systems with very small private keys. Cryptology ePrint archive: report 2008/309 (2008) 23. Waters, B.: Ciphertext-policy attribute-based encryption: an expressive, efficient, and provably secure realization. Cryptology ePrint archive: report 2008/290 (2008)

Author Index

Attrapadung, Nuttapong

248

Belenkiy, Mira 114 Benger, Naomi 52, 78, 102 Bonnecaze, Alexis 35 Boyd, Colin 89, 206 Charlemagne, Manuel Chase, Melissa 114 Costello, Craig 89

52, 78, 102

Freeman, David Mandell Fuchsbauer, Georg 132 Funabiki, Nobuo 171

Hira, Yuta 171 Hisil, Huseyin 89 Imai, Hideki Jao, David

78, 102 52

89, 206

171

Park, Cheol-Min 66 Pointcheval, David 132 Preneel, Bart 231 Rial, Alfredo 231 R¨ uckert, Markus 17 Schr¨ oder, Dominique 17 Scott, Michael 78, 102 Smart, Nigel P. 150 Warinschi, Bogdan 150 Wong, Kenneth Koon-Ho

248 1

78, 102 114, 231

Le, Duc-Phong 35 Lee, Hyang-Sook 66 Libert, Benoˆıt 187 Lippold, Georg 206 Lysyanskaya, Anna 114 Nakanishi, Toru

Dominguez Perez, Luis J.

Gabillon, Alban 35 Gonzalez Nieto, Juan

Kachisa, Ezekiel J. Kohlweiss, Markulf

Yoshida, Kayo 1 Yung, Moti 187

89