Certificate Based Linkable Ring Signature

1
Certificate Based (Linkable) Ring Signature

• Man Ho Au, Willy Susilo, Tsz Hon Yuen
• University of Wollongong, Australia
• Joseph K. Liu
• University of Bristol, UK

2
Agenda

• Introduction
• Certificate Based Cryptography
• (Linkable) Ring Signature
• Security Definition
• Scheme Construction
• Security
• Conclusion

3
Introduction Certificate Based Cryptography

• PKI Problem of explicit certificate (e.g.
  certificate chain verification)
• ID-Based Problem of Key Escrow (Private Key
  Generator (PKG) is too powerful)
• Certificate Based (CB) Solve the problem of Key
  Escrow in ID-based Cryptography, yet eliminate
  explicit certificate
• (Alternative) Certificateless Public Key
  Cryptography

4
Introduction Certificate Based Cryptography

• Certificate Based Cryptography
• User generates private key and public key
• CA generates a certificate
• Sign / Decryption require BOTH private key and
  certificate
• Certificate is part of the secret information
• Verify / Encryption require only public key

5
Introduction Ring Signature

• A user signs a message on behalf of the whole
  group
• Verifier only knows that the signature is
  generated by someone, yet cannot determine who is
  the actual signer
• Anonymity is preserved, No revokation
• No trusted party needed, no group manager
• No setup is required Spontaneous
• Verification Public keys of all users of the
  group

6
Introduction Linkable Ring Signature

• Normal ring signature not linkable
• No one can determine whether two given signatures
  are generated by the same signer unlinkability
• Sometimes linkability is desirable e-voting
• Linkable Ring Signature contains linkability in
  addition to the basic properties of a normal ring
  signature

7
Security Definition

• GEN_IBS (1k) ? SKC, PKC, param
• GEN_PKS (1k) ? SKU, PKU,
• UPD (param, SKC, PKU) ? cert
• RING-SIGN(SKC, cert, P) ? s
• P list of public key of all users in the ring
• VERIFY(s,P) ? valid / invalid
• LINK (s1, s2) ? link / unlink

8
Security Definition

• Unforgeability Two Games
• Game I Adversary acts as an uncertified user
• Adversary is only given the user private key, but
  not given the certificate, and is asked to
  produce a valid signature
• Game II Adversary acts as the certifier
• Adversary is only given the master secret key,
  but not given the user private key, and is asked
  to produce a valid signature

9
Security Definition

• Anonymity An adversary should not be able to
  tell the identity of the signer with a
  probability larger than 1/n
• We also allow the adversary to have the
  certifier's secret key.

10
Security Definition

• Linkability An adversary should not be able to
  form two signatures with the same secret key
  without being linked by the Link protocol.

11
Construction
12
Construction
13
Construction ( SPK )
14
Security

• Unforgeability Our scheme is unforgeable under
  the q-SDH assumption in the random oracle model.
  (Game I relies on q-SDH while Game II relies on
  DL assumption).
• Anonymity Our scheme is anonymous if the XDH
  assumption for bilinear pairing e G_1 X G_2 ?
  G_T holds (that is, the DDH assumption in G_1
  holds) in the random oracle model.
• Linkability Our scheme possesses linkability
  under the DL assumption in the random oracle
  model.

15
Conclusion

• Introduced a new notion Certificate Based Ring
  Signature
• Provided a security definition and concrete
  implementation (in the random oracle model)
• Also introduce the linkable version at the same
  time