Leakage-resilient ring signature schemes

Leakage-resilient ring signature schemes

Theoretical Computer Science 759 (2019) 1–13 Contents lists available at ScienceDirect Theoretical Computer Science www.elsevier.com/locate/tcs Lea...
Download PDF
475KB Sizes 0 Downloads 74 Views
Report

Theoretical Computer Science 759 (2019) 1–13

Contents lists available at ScienceDirect

Theoretical Computer Science www.elsevier.com/locate/tcs

Leakage-resilient ring signature schemes Jianye Huang a , Qiong Huang a,∗ , Willy Susilo b a b

College of Mathematics and Informatics, South China Agricultural University, Guangzhou 510642, China School of Computing and Information Technology, University of Wollongong, Wollongong, NSW 2522, Australia

a r t i c l e

i n f o

Article history: Received 20 November 2017 Received in revised form 26 December 2018 Accepted 4 January 2019 Available online 9 January 2019 Communicated by X. Deng Keywords: Ring signature Anonymity Black-box construction Leakage-resilient cryptography

a b s t r a c t Ring signature schemes provide a way to sign a message without exposing the identity of authentic signer. Security of ring signature assumes that the signing keys are perfectly secret. On account of the physical imperfection of cryptosystems in practice, however, malicious attackers can easily learn partial secret information of the system by means of side-channel attacks, thus breaking the security. To overcome this problem, Wang et al. introduced the notion of leakage-resilient ring signature and presented a concrete construction. However, their scheme is only provably secure in the random oracle model and can tolerate at most (1/2 − 1/2t −  ) part leakage of the secret signing key, where t is the ring size. In this work, we focus on the constructions of leakage-resilient ring signature based on bounded leakage model, and combine Bender et al.’s security definitions of traditional ring signature with bounded leakage resilience, which is stronger than that considered in Wang et al.’s work. We then propose three constructions of leakageresilient ring signature secure under the given security models. The first one is a blackbox construction, and the second one is a concrete construction with leakage bound ((n − 2) log q − ω(log k)) whose security is reduced to the intractability of computational Diffie–Hellman problem and leakage-resilient hard relation without random oracles. The third construction enjoys better efficiency and higher leakage bound, e.g. ((n − 1) log q − ω(log k)), but its security proof resorts to the random oracle model. © 2019 Elsevier B.V. All rights reserved.

1. Introduction Ring signature [32] enables a signer to “hide” itself in a group of arbitrarily picked signers and convince verifiers that a signature was signed by one of members in this group without revealing its identity. Exposing users’ identities or other private information is highly undesired in privacy-sensitive cryptographic systems, which include electronic voting [3,12], digital lotteries [20,27], e-cash systems [7,10] and etc. Technically, the signer can pick members as it wishes to form an arbitrary ring, which is generally represented by the collection of their verification (public) keys. Then the signer use its signing key to generate a signature on a message s.t. verifiers can judge whether the signature was signed by one of the ring members without being aware of the identity of real signer. Comparing with another similar primitive, group signature schemes [11], the decentralization and controllability for ring members of ring signature schemes provides more flexibility in many cryptographic applications. Another issue we consider in this paper is the leakage of secret state in a cryptosystem. Traditional cryptography assumes the perfect privacy of secret keys. However, many realistic attacks, such as side-channel attacks, are powerful method for

*

Corresponding author. E-mail addresses: [email protected] (J. Huang), [email protected] (Q. Huang), [email protected] (W. Susilo).

https://doi.org/10.1016/j.tcs.2019.01.008 0304-3975/© 2019 Elsevier B.V. All rights reserved.

2

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

the malicious attackers to obtain fractional information of the secret keys through physical means and completely break the cryptosystems. Leakage-resilient cryptography [18] is a powerful countermeasure against such attacks. 1.1. Side-channel attacks and leakage-resilient models Halderman et al. presented the well-known cold-boot attack on encryptions keys that are stored in the memory [21]. They presented that it is feasible to extract sensitive information that store in the memory even when the machines loss power. Recently, Fox-IT Group B.V. company proposed a tempest attack against AES [30]. They showed how to furtively recover the secret keys from realistic AES-256 implementations while attacking at a distance of up to only 1 meter and needing only a few minutes. Moreover, their equipment product is pocket-size and costs less €200. Such physical attacks allow malicious attackers to acquire secret key (or other private information, e.g. randomness) from the cryptosystem, which is a grave threat for existing cryptographic systems. Unfortunately, traditional cryptography cannot capture side channel attacks and countermeasures are needed. To construct secure cryptographic primitives against side-channel attacks, Dziembowski et al. introduced the notion of leakage-resilient cryptography (LRC) in 2008 [18]. Micali and Reyzin [29] proposed the well-known atom, only computation leaks information, which gives a heuristic solution for formalizing the leakage. However, Halderman et al. [21] presented that secret keys can be easily recovered even though it is not used to perform some cryptographic operations. Inspired by L [1], leakage is defined as additionally giving the adversary a leakage oracle Ostate which, on input an adversarially chosen function f , outputs fractional private state of cryptographic system. (Bounded leakage model [2,1]). In this model, if there is no limit on f , no cryptosystem could be secure. There must be sufficient secrecy left so that the system is not fully ruined. Namely, the amount of leakage information should not exceed a certain bound. (Noisy leakage model [15,18]). Instead of restricting the amount of leakage to a concrete bound λ, the noisy leakage model allows arbitrarily large leakage, while the secret key remains sufficient min-entropy. It is more accurate to model leakage in the reality, and thus can capture more practice attacks comparing with bounded leakage model. (Auxiliary input model [16,40]). It is a generalization of bounded leakage model and noisy leakage model, in which the leakage is formalized as a computationally hard-to-invert function. Roughly speaking, the model assumes that given AF(sk) where AF(·) is a function randomly selected from the set of admissible (efficiently computable) functions, it is infeasible to fully recover sk. (Continual leakage model [6,25]). In the continual leakage model, the secret key is able to be refreshed without modifying the corresponding public key, which allows the adversary to obtain in total arbitrarily many bits of the private state of the cryptosystem as long as the leakage between two invocations of the secret key refreshing algorithms is bounded. 1.2. Related works (Ring signature). Rivest et al. [31] introduced the notion of ring signature in 2001 and proposed a concrete construction. From then on, ring signature schemes have been intensively studied. In 2002, Bresson et al. [8] presented a construction for threshold scenarios to improved Rivest et al.’s work. In 2003, Herranz et al. [22] proposed a ring signature scheme that provides unconditional anonymity and existential unforgeability under adaptive chosen-message attacks. However, they are all under random oracle. To remove the dependence on random oracles, Xu et al. [39] proposed a ring signature scheme based on bilinear pairings. Bender et al. [4] proposed a ring signature scheme based on trapdoor permutations which in turn are based on ZAPs for NP language. To optimize the efficiency, Dodis et al. [17] and Chandran et al. [9] proposed ring signature schemes with sub-linear size signatures. (Leakage-resilient signature). There has been impressive progress in leakage-resilient cryptography. We call a signature scheme is leakage-resilient if and only if it remains UF-CMA while partial secret state is exposed to the adversary. Katz et al. presented the secure constructions of signature schemes in the bounded leakage model in 2009 [26]. Many other leakage-resilient models are studied in literatures, for example, [28,19]. Boyle [5] and Yuen [40] considered the fully leakageresilient unforgeability, which considers leakage on both signing and private randomness. Wang et al. [36,37] and Huang et al. [24] studied the construction of leakage-resilient signature schemes with strong unforgeability in different leakage settings. (Leakage-resilient ring signature). To the best of our knowledge, however, there are seldom works on leakage-resilient ring signature. Zhang et al. [41] proposed constructions of leakage-resilient threshold cryptography with security against various key-exposure attacks, and further presented a leakage-resilient threshold ring signature scheme. Wang et al. [35] proposed a bounded leakage resilient ring signature scheme based on the n-representation problem in the random oracle model. Unfortunately, their security definitions for leakage-resilient ring signature do not consider the case that secret keys of honest users are exposed, which is also a realistic attack. Moreover, the leakage rate of their construction is (1/2 − 1/2t −  ) where t is the ring size. That is, their signature scheme can tolerate up to 1/2-leakage of the signing key.

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

3

1.3. Our contributions In this work we present a new black-box construction of ring signature scheme that is secure under an even stronger leakage model. To be more concrete, we make the following contributions in this paper. 1. First of all, we revisit the security models of leakage-resilient ring signature, and combine the stronger definitions of anonymity and unforgeability introduced in [4]. The resulting security models are thus stronger than those considered in [35]. 2. Second, we present a new construction of ring signature scheme via black-box method, which utilizes an unbounded simulation-sound non-interactive zero knowledge (NIZK) proof and a leakage-resilient signature scheme. Following the proof technique of [36,37,24], we show that in the leakage setting, the resulting ring signature scheme is anonymous and unforgeable with same leakage rate as the underlying signature scheme. 3. Third, we propose a concrete construction of ring signature scheme, which has ((n − 2) log q − ω(log k))-leakage bound and is secure based on CDH assumption and the leakage-resilient hard relation [38] without random oracles. 4. Fourth, we propose another concrete construction which is proved to be secure based on the leakage-resilient hard relation using forking lemma in the random oracle model. It is more efficient while its leakage bound remains ((n − 1) log q − ω(log k)), higher than the second construction. 2. Preliminaries and definitions We say a function f is negligible if for every positive polynomial poly(·) there exists a positive integer K s.t. ∀k > K , 1 . We denote by negl(k) a negligible function in the rest of this paper, and denote by A(x1 , x2 , · · · ; r ) the poly(k) output of evaluating probabilistic polynomial-time algorithm A on input x1 , x2 , · · · along with randomness r. If S is a finite

| f (k)| <

$

set, we denote by x ← S the operation of uniformly picking a random element from S. 2.1. Unbounded simulation-sound non-interactive zero knowledge Definition 1 (Unbounded simulation-sound NIZK [33,13]). Let  = (l := l(k), P , V , S = (S1 , S2 )) be an unbounded simulationsound NIZK proof argument for the language L ∈ N P with relation R where P , V , S1 , S2 are PPT algorithms that satisfies the following properties. Completeness. V (x, P (x, w , r ), r ) = 1 always hold if (x, w ) ∈ {(x, w )| R (x, w ) = 1} and r is any string of length l(k). Simulation soundness. Let T be the transcripts generated by S2 and Succ be the event π ∈ / T∧x∈ / T ∧ V (x, π , r ) = 1. Then k S2 (·,r ,ρ ) (r )] ≤ negl(k).  satisfies simulation-soundness if for all PPT adversaries A , Pr [ Succ : ( r , ρ ) ← S ( 1 ), ( x , π ) ← A 1   b Unbounded zero knowledge. For all PPT adversaries A, Pr[Expt0A (k) = 1] − Pr[Expt1A (k) = 1] ≤ negl(k), where Expt A (k) is defined as below. ExptbA (k)

r ← {0, 1}l

 P (x, w , r ) b = 0 r ,ρ (x, w ) := S2 (x, r , ρ ) b = 1

S



Return ASr ,ρ (·,·) (r ). 2.2. Multi-generator programmable hash functions Definition 2 (Group hash function [23]). A group hash function  = (Kg, Eval) for group G and with input length n := n(k) consists of two polynomial-time algorithms as below. Kg(1k ) → s. Given security parameter 1k , return a key s. Eval(s, M ) → J s ( M ). Given the key s and a message M ∈ {0, 1}n , output the deterministic evaluation J s ( M ) for M.

Then we consider another two polynomial-time algorithm TrapKg and TrapEval as below. TrapKg(1k , g , h) → (s, td). On input security parameter 1k and two generators g , h ∈ G, the trapdoor generation algorithm produces a key s along with a trapdoor td. TrapEval(td, M ) → (a M , b M ). For any M ∈ {0, 1}n , the deterministic trapdoor evaluation algorithm outputs a M , b M ∈ Z.

Definition 3 (Multi-generator PHF [23]). A group hash function  = (Kg, Eval) is a (c , q, γ , δ)-programmable hash function if there exist two polynomial-time algorithms TrapKg and TrapEval satisfying the following conditions.

4

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

Kg(1k ). Returns n + 1 uniformly random group generators s := ( g 0 , g 1 , · · · gn ) ∈ Gn+1 . n M Eval(s, M := ( M 1 , · · · , M n ) ∈ {0, 1}n ). Outputs J ( M ) = g 0 i =1 g i i . $

$

$

TrapKg(1k , g , h). Outputs (s, td) := ({ g ai hbi }ni=0 , {(ai , b i )}ni=0 ) where a0 ← {−2, −1, 0}, {ai }ni=1 ← {−1, 0, 1}n , {b i }ni=0 ← Znq +1 .

n

TrapEval(td := {(ai , b i )}ni=0 , M ). Outputs (a M , b M ) := (a0 +

i =1 ai M i , b 0 +

n

i =1 b i M i ).

Fig. 1. Hofheinz–Kiltz programmable hash function.

 x • Kg(1k ). Output ( y , x) := ( ni=1 g i i ∈ G, {xi }ni=1 ) where x1 , · · · , xn ← Zq .  x n • R( y , x := {xi }i =1 ). Output 1 if y = ni=1 g i i holds. Otherwise output 0.

Fig. 2. A construction of SPR relation.

Correctness. For any generators g , h ∈ G, ∀ M ∈ {0, 1}n , J s ( M ) = g a M hb M where (s, td) ← TrapKg(1k , g , h) and (a M , b M ) ← TrapEval(td, M ). $

Statistically close keys. For any generators g , h ∈ G and randomness space R, the distributions S1 := {s|∀r ← R, s ← $

Kg(1k ; r )} and S2 := {s|∀r ← R, (s, td) ← TrapKg(1k , g , h; r )} are statistically γ -close, i.e. S1 ≈γ S2 . Well-distribution. Let M 1 , · · · M c , m1 , · · · mq ∈ {0, 1}n where ∀i ∈ [c ], j ∈ [q], M i = m j . Then for all generators g , h ∈ G and (s, td) ← TrapKg(1k , g , h), ∀i ∈ [c ], j ∈ [q], (a M i , b M i ) ← TrapEval(td, M i ), (am j , bm j ) ← TrapEval(td, m j ), we have





Pr a M 1 = · · · = a M c = 0 ∧ am1 , · · · , amq = 0 ≥ δ .



Lemma 1 ([23,34]). The scheme  = (Kg, Eval, TrapKg, TrapEval) in Fig. 1 is a (1, q, 0, P q,n )-PHF scheme where P q,n = O ((q n)−1 ).

2.3. Leakage-resilient hard relation $

Let (R, Kg, Ver) be a relation s.t. ∀( y , x) ← Kg(1k ), ( y , x) ∈ R holds and Ver(x, y) = 1 iff. ( y , x) ∈ R. Let Oxλ (·) be a leakage oracle where x is the private key and λ is the leakage bound. 4 (Leakage-resilient (LR) hard relation [15]). We Definition call R is a λ-leakage-resilient hard relation if for any PPT adversary  λ A, Pr R( y , x∗ ) = 1 : ( y , x) ← Kg(1k ); x∗ ← AOx (·) ( y ) ≤ negl(k) holds. Lemma 2 ([15]). The scheme (Kg, R) in Fig. 2 is a λ-LR hard relation for λ = (n − 1) log q − ω(log k). 3. Ring signature We refer to a set of distinct verification keys R = ( vk1 , · · · , vkn ) as a ring of n members. Definition 5 (Ring signature). A ring signature scheme consists of the following PPT algorithms. RKg(1k ) → ( vk, sk). The key generation algorithm takes as input the security parameter k (in unary representation) and outputs a verification/signing pair ( vk, sk). RSig(sk, m, R) → σ . On input a signing key sk, a message m and a ring R where ∃ vk ∈ R, ( vk, sk) is a valid key pair, the signing algorithm outputs a signature σ . RVer(R, m, σ ) → 0/1. On input a ring R, a message m and a signature σ , if σ as a valid signature on m under the ring R, the verification algorithm outputs 1, otherwise output 0. Generally, we say that a ring signature scheme is correct if a correctly generated signature should always be verified. That is, for any m ∈ {0, 1}∗ , any key pair ( vk, sk) ← RKg(1k ) and any ring R with vk ∈ R, it holds that Pr[RVer(R, m, RSig(sk, m, R)) = 1] = 1. (Security models). Let S L , C L be lists of adversary’s signing queries and corrupt queries respectively and L be the leakage amount. Initially set S L = C L = φ and L = 0. Consider the following oracles. OSig(·, ·, ·) The signing oracle takes as input an index of specific user i and a message m along with a ring R where vki ∈ R, returns the corresponding signature. Update S L = S L ∪ {(i , m, R)}. OCorrupt(·) The corrupt oracle takes as input a specific user index i and returns the user’s signing key ski . Update C L = C L ∪ {i } .

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

5

OLeak(·) The leakage oracle takes as input a leakage function f (·) and computes := f (state ) where state contains all secrets and randomnesses used in signing phase. If L +   ≤ λ, return and update L = L +  . Otherwise, return ⊥. Anonymity. Any PPT verifier could not learn the identity of actual signer from a given ring signature. That is, even t members of a ring collude together, they cannot correctly identify the authentic signer with probability better than 1/ (n − t ), where n is the ring size. Formally, let F be a forger who tries to break the anonymity of . Consider the following experiment.

Anonymity Experiment: Setup. The challenger C generates n := n(k) key pairs {( vki , ski )}ni=1 by running RKg(1k ). The set of verification keys { vki }ni=1 is given to F . Query 1. F adaptively accesses to OSig, OCorrupt and OLeak. Challenge. F outputs a challenge message m, distinct challenge indices i 0 , i 1 ∈ [n], and a challenge ring R for which $

vki 0 , vki 1 ∈ R ⊆ { vki }ni=1 . Then C returns RSig(skib , m, R) to F where b ← {0, 1}. Query 2. F is able to access to OSig, OCorrupt and OLeak. Guess. At last, F outputs a bit b . F succeeds if and only if b = b.

Anonymity with bounded leakage resilience. We call a ring signature scheme achieves λ-leakage resilience and anonymity against attribution attacks if the probability that any PPT forger F wins in the experiment above is  Pr b = b : b ← F OSig,OCorrupt,OLeak ({ vki }ni=1 ) ≤ 1/2 + negl(k). Full key exposure. If {i 0 , i 1 } ∩ C L = 2, we say achieves anonymity against full key exposure. Unconditional anonymity. is unconditional (or, perfect) anonymity if for any PPT F , the probability F wins in the experiment above is 1/2, i.e. Pr[b = b : b ← F OSig,OCorrupt,OLeak ({ vki }ni=1 )] = 1/2. Unforgeability. The unforgeability requires that it is computationally difficult for any PPT adversary to forge a valid signature for a new message-ring pair unless the adversary is one of ring members. It is formally described in the experiment as follows. Unforgeability Experiment: Setup. The challenger C runs ( vki , ski ) ← RKg(1k ) for i = 1, · · · n. The set of verification keys { vki }ni=1 is given to F . Query. F adaptively accesses to OSig, OCorrupt and OLeak. ˆ ,m ˆ , σˆ ) and wins if event Succ occurs where Succ is defined as follows. (a) Challenge. Finally, F outputs a forgery (R ˆ ,m ˆ , σˆ ) = 1, (b) (∗, m ˆ , Rˆ ) ∈ RVer(R / S L, and (c) Rˆ ⊆ { vki }ni=1 \ C L.

achieves λ-leakage-resilient unforgeability if for any PPT forger F , the probability that F wins in the experiment above ˆ ,m ˆ , σˆ ) ← F OSig,OCorrupt,OLeak ({ vki }ni=1 )] ≤ negl(k). is negligible, i.e. Pr[Succ : (R 4. A generic construction of leakage-resilient ring signature 4.1. The construction Let  = (EKg, Enc, Dec) be a CPA-secure dense public-key encryption scheme [14,4], = (Kg, Sig, Ver) be a standard existentially unforgeable signature scheme, and N IZK := (l, P , V , S = (S1 , S2 )) be an unbounded simulation-sound NIZK proof argument for N P -language

L := {(VKList, EKList, m, C ) : ∃( vk ∈ VKList, σ , w ), s.t . Ver( vk, mVKListEKList, σ ) = 1 ∧ C

= MEnc(EKList, σ ; w )}, where MEnc(EKList, σ ) is the encryption algorithm that takes as input an encryption public key list EKList := {ek1 , · · · , ekt }

t −1 and a message m, and outputs (Enc(ek1 , r1 ), · · · , Enc(ekt −1 , rt −1 ), Enc(ekt , σ ⊕ j =1 r j )). The corresponding decryption al-

t

gorithm is MDec(DKList, C := {C i }ti=1 ) → i =1 Dec(dk i , C i ) where ∀i ∈ [t ], dk i ∈ DKList. Informally, MEnc is CPA-secure as long as at least one of the corresponding decryption key is unknown. Put things differently, (VKList, EKList, m, C ) ∈ L holds only when C is an encryption under MEnc of a valid signature σ on mVKListEKList w.r.t. some verification key vk ∈ VKList. $

Let r ← {0, 1}l(k) be a public parameter. Consider the following ring signature scheme R = (RKg, RSig, RVer).

6

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

Construction 1. $

RKg(1k ). Given the security parameter 1k , invoke ( vk, sk) ← Kg(1k ) and sample ek ← {0, 1}|ek| . Then output the verification key vk := ( vk, ek) and signing key sk := sk. RSig(sk, m, R). Given sk, a message m and R := (vk1 , · · · , vkt ), compute C := MEnc(R.EKList, σ ; w ) where

σ ←

$

Sig(sk, mR) and w ← . and π ← P ((R.VKList, R.EKList, m, C ), ( vk, σ , w ); r ) where r is a common reference string. Then output the signature σR := (C , π ).

Note: We denote the set of verification keys of R (resp. the set of encryption keys of R) in a ring R by R.VKList (resp. R.EKList) throughout this paper. RVer(R, m, σR ). Given a message m, a purported signature outputs V ((R.VKList, R.EKList, m, C ), π ; r ).

σR := (C , π ), and a ring R, the verification algorithm

4.2. Security analysis Theorem 1. If  is CPA-secure, is UF-CMA secure with λ-bounded leakage resilience, and N IZK is an unbounded simulationsound NIZK proof argument as described above, then R is anonymous and unforgeable w.r.t. insider corruption with λ-bounded leakage resilience. Proof. First we prove the anonymity of R . Consider the following anonymity experiments and denote the probability that F outputs 0 in Anonymity Experiment i by p i .  AExpt0 . It is exactly the same as the anonymity experiment of Definition 5 with b = 0. Then we have p 0 = Pr 0 ←  F OSig,OCorrupt,OLeak ({ vki }ni=1 )|b = 0 . AExpt1 . It is the same as Experiment 0 except that the common reference string r of the N IZK is generated by running (r , τ ) ← S1 (1k ). Furthermore, the challenge signature is now generated as follows: to sign m, compute π as π ← S2 ((R.VKList, R.EKList, m, C ), τ ). This follows the (unbounded) zero-knowledge property of N IZK that | p 0 − p 1 | ≤ negl(k). AExpt2 . It is the same as Experiment 1 except that in the challenge phase, to generate the challenge signature, compute C ← MEnc(R.EKList, σ ) where σ ← Sig(ski 1 , mR) and then compute π as in Experiment 1. CPA-security of the encryption scheme implies that | p 2 − p 1 | ≤ negl(k). AExpt3 . It is the same as Experiment 2 except that in the challenge phase, we sample the random common string $

r ← {0, 1}l . Then, to sign a quired message m, generate C as Experiment 2, but compute π by running P ((R.VKList, R.EKList, m, C ), ( vk, σ , w ); r ). From the zero-knowledge property of N IZK, we have | p 3 − p 2 | ≤ negl(k). Furthermore, this experiment is exactly the same as anonymity experiment of Definition 5 with b = 1. That is, p 3 =   Pr 0 ← F OSig,OCorrupt,OLeak ({ vki }ni=1 )|b = 1 . From above we have | p 0 − p 3 | ≤ negl(k) and thus,





Pr b = b : b ← F OSig,OCorrupt,OLeak ({ vki }ni=1 ) = p 0 · Pr[b = 0] + (1 − p 3 ) · Pr[b = 1]

= 1/2 + ( p 0 − p 3 )/2 ≤ 1/2 + negl(k). Therefore, R is anonymous against full-key exposure. Next, we prove the unforgeability of R . Assume that there exists a PPT forger F that breaks the unforgeability of R with non-negligible probability, then we can construct another PPT forger F  that breaks the unforgeability of with non-negligible probability as well. Consider the algorithm F  as follows. Algorithm F  . Given a verification key vk∗ along with a signing oracle Os (·) and a leakage oracle O L (·), F  does as follows. $ Setup. Uniformly select a random number i ∗ ← [n]. Then generate {eki }ni=1 and {( vki , ski )}ni=1 where (eki , dki ) ← EKg(1k )

and ( vki , ski ) ← Kg(1k ) for all i = i ∗ and ( vki , ski ) := ( vk∗ , ⊥) for i = i ∗ . ∀i ∈ [n], set (vki , ski ) := (( vki , eki ), ski ). Sample $

r ← {0, 1}|l(k)| and set the leakage amount L = 0. The set of verification keys {vki }ni=1 and public parameter r are given to F . Query. F  answers queries from F as follows. $

On input a tuple (i , m, R), compute C := MEnc(R.EKList, σ ; w ) where w ←  and generate σ ← Sig(sk, mR) for all i = i ∗ and σ ← Os (m) otherwise. Then generate π ← P ((R.VKList, R.EKList, mR, C 0 ), ( vk, σ , w s ); r ). Finally, output the signature σR := (C , π ) and update S L = S L ∪ {(i , m, R)}. OCorrupt. On input a user index i, if i = i ∗ , abort. Otherwise, return ski and update C L = C L ∪ {i }. OLeak. On input a leakage function f (·), construct another equivalent leakage function f  that embeds all terms of {ski }i ∈[n],i =i ∗ and issues a query f  to O L (·). Let the answer be . If L +   ≤ λ, return and update L = L +  . Otherwise, return ⊥. OSig.

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

U1

⏐ ut =CH(mut −1 ;rt )⏐

u 1 =CH(m ut ;r1 )

−−−−−−−−−−→ u 1 =CH(mut ;r1 )

7

u 2 =CH(mu 1 ;r2 )

U 2 −−−−−−−−−−→ U 3

⏐ ⏐u =CH(mu ;r )

3 2 3

U t ←−−−−−−−−−−−−− · · · ←−−−−−−−−−− U 4 ut −1 =CH(mut −2 ;rt −1 )

u 4 =CH(mu 3 ;r4 )

Fig. 3. Initiation of our concrete constructions.

ˆ ,m ˆ , (Cˆ , πˆ )). F  decrypts Cˆ by running σˆ ← MDec(DKList, Cˆ ) where DKList := Challenge. Finally, F outputs a forgery (R k ˆ Rˆ , σˆ ). {dk|(ek, dk) ← EKg(1 ) s.t . ek ∈ Rˆ .EKList}, and outputs (m ˆ , Rˆ ). This implies that (a) (∗, m ˆ , Rˆ ) ∈ / Let Succ be the event that (Cˆ , πˆ ) is a valid signature of message-ring pair (m ˆ ⊆ { vki }n \ C L. Let Ext be the event that Succ occurs and S L, (b) V ((R.VKList, R.EKList, mR, C ), π ; r )) = 1, and (c) R i =1

ˆ .VKList s.t. Ver( vk, m ˆ Rˆ , σˆ ) = 1. Unbounded simulation soundness of the NIZK proof system implies furthermore, ∃ vk ∈ R that | Pr[Succ] − Pr[Ext]| is negligible. The probability that F  wins is

 = Pr[Ver( vk∗ , mˆ Rˆ , σˆ ) = 1 ∧ (∗, mˆ , Rˆ ) ∈/ S L ∧ Rˆ ⊆ { vki }ni=1 \ C L ] = Pr[Ext ∧ vk = vk∗ ] = Pr[Ext]/n. Then we have Pr[ Succ ] = n + negl(k) ≤ negl (k), which results from the fact that is λ-leakage-resilient.

2

4.3. Instantiation Our transformation is allowed to be initialized with different existing leakage-resilient signature schemes. On the other hand, the efficiency and leakage resilience of the resulting scheme depend highly on the underlying signature scheme. Initializing Construction 1 with [5], we obtain a ring signature scheme with (1 − o(1))|sk|-leakage resilience Moreover, initializing Construction 1 with [28], we have a scheme that is unforgeable with (1 − o(1))|sk|-continual-leakage resilience. The proof is similar to that of Theorem 1 and thus we omit it here. 5. A concrete construction of leakage-resilient ring signature In this section, we present a concrete construction of ring signature scheme with bounded leakage based on CDH assumption and LR hard relation. 5.1. Intuition We apply the idea of Chameleon Hash Function to form a ring shown in Fig. 3. W.l.o.g., suppose the real signer is U 1 who computes the output u 1 of Chameleon Hash Function CH on input uniform randomnesses m , ut and r1 . Then, U 1 computes u i (2 ≤ i ≤ t ) terms applying CH function on input m, ut −1 and random value r i . Finally, using the trapdoor of U 1 to find the another random value r1 s.t. u 1 = CH(m ut ; r1 ) = CH(mut ; r1 ). We have proven that such signatures are unconditionally anonymous since all ring members have same power to form the same signatures with same possibilities. Therefore, it is convenient to prove its security by constructing unconditionally anonymous ring in leaking setting. 5.2. The construction We assume that there are n users in the system. Let HPF := (Kg, Eval, TrapKg, TrapEval) be the programmable hash function described in Fig. 1, and h, g , g 0 , g 1 , · · · , gn be (n + 3) random generators of group G of order q where { g i }ni=0 ← HPF.Kg(1k ). Set (n, q, h, g , { g i }ni=0 ) as publicly accessible global system parameters with a symmetric bilinear group (G, g , G T , q, e ). Assume two cryptographic hash functions H 1 , H 2 where H 1 : {0, 1}∗ → Zq∗ and H 2 : {0, 1}∗ → {0, 1}n .

8

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

Construction 2. $

RKg(1k ) → (vk, sk). Given a security parameter 1k , choose at random xi ← Zq for all i ∈ [n + 1], and output sk :=

n  x {xi }ni=0 and vk := ( ni=1 g i i , g i=0 xi ) ∈ G2 . RSig(sks , m, R) → σ . Given sks := {xs,i }ni=0 , a message m and a ring R = {vki }ti=1 , it works as follows.

1. Compute u s := (vks,1 ·

→ −

n

i =1

r s,i H (u   v  m R ) 1 s−1 s

gi

)

$ − → $ where (u s−1  v s m R ) ← G × G × {0, 1}∗ × Gt and r s ← Znq .

− →

$

2. For i = s + 1, · · · , t , 1, · · · , s − 1, randomly choose ( r i , r i ) ← Znq +1 , and compute v i = g ri , u i = (vki ,1 ·

n

j =1

→ −

r i , j H (u 1 i −1  v i mR)

gj

) − →

, where u 0 is set to be u 0 := ut .

− →

3. ∀i ∈ [n], r s,i ≡ H 1 (u s−1  v s m R )(xs,i + r s,i )/ H 1 (u s−1  v s mR) − xs,i mod q. $

4. Set M := H 2 (u 1  · · · ut ), and compute v t +1 := g rt +1 where rt +1 ← Zq and v s := (h · J ( M )−rt +1 )1/

n

x s ,i

. 5. Output the signature i =0

u i = (vki ,1 ·

n

→ −

r i , j H (u i −1  v i mR)

gj

j =1

→ −

)

r 1, j H (u  v mR) ) 1 t 1 j =1 g j

−r i i ∈[t ]\{s} vki ,2

·

→ t +1 σ := (u 1 , {− r i }i =1 , { v i }ti = ). 1 → t +1 t σ := (u 1 , {− r i }i =1 , { v i }ti = 1 ) and a ring R := {vki }i =1 , calculate

RVer(R, m, σ ). Given a message m, a signature

n



for i = 2, · · · , t and set M = H 2 (u 1  · · · ut ). Output 1 iff. u 1 = (vk1,1 ·

and e ( g , h) = e ( J ( M ), v t +1 ) ·

t

i =1 e (vki ,2 , v i )

hold. Otherwise, output 0.

The proof of correctness is straightforward, and therefore we omit it here. 5.3. Security analysis Below we prove the anonymity and unforgeability of Construction 2. Theorem 2. Construction 2 is unconditionally anonymous. Proof. Fix a ring R of t verification keys and randomly choose two different indices s, z ∈ [t ]. Consider a ring signature

→ t +1 σ := (u 1 , {− r i }i =1 , { v i }ti = ) generated by using skz . Suppose that the u-terms and r-terms of σ are generated using skz with 1 $ − → randomness (u z−1  v z mz Rz ), r z . Now, we randomly pick a tuple (u s−1  v s ms Rs ) ← G × G × {0, 1}∗ × Gt , and compute − → − → − → − → − →  r s := ( r s,1 , · · · , r s,n ) s.t. ∀i ∈ [n], r s,i ≡ H 1 (u s−1  v s mR)( r s,i + xs,i )/ H 1 (u s−1  v s m R ) − xs,i mod q. This ensures

that u s = (vks,1 ·

n

− →

(u s−1  v s m R ), r of

→ −

r s , i H (u 1 s−1  v s mR)

gi

i =1 s

)

= (vks,1 ·

n

→ −

i =1

r s,i H (u   v  m R ) 1 s−1 s

gi

)

is able to generate the same u-terms and r-terms of

t

σ . According to the signing process, we have v z = (h ·

i =1,i = z

, which means U s using initial randomness

σ . On the other hand, we consider the v-terms

−r

vki ,2i · J ( M )−rt +1 )

1/

n

j =0

n

x z, j

and v s = g r s . Since G is a

cyclic group with prime order q, there exists w ∈ Zq and b M = b0 + i =1 M i b i with b i ∈ Zq s.t. h = g w and J ( M ) = g b M . To t n n n generate the u-terms of σ using sks , we set r z = ( w − i =1,i =z r i j =0 xi , j − rt +1 b M )/ i =0 x z,i . Then we have r z i =0 x z,i =

t

w − i =1,i =z,i =s r i we have

n

v z = grz = g

j =0 xi , j

t

(w−

− rs

i =1,i = z r i

n

j =0 xs, j

n

j =0

− rt +1 b M . That is, r s = ( w −

xi , j −rt +1 b M )/

n

j =0

x z, j

= (h ·

t 

t

i =1,i =s r i

n

j =0 xi , j

−r

vki ,2i · J ( M )−rt +1 )

1/

− rt +1 b M )/

n

j =0

x z, j

n

j =0 xs, j .

Therefore,

,

i =1,i = z

v s = (h ·

t 

−r

vki ,2i · J ( M )−rt +1 )

1/

n

j =0

xs, j

t

= g(w−

i =1,i =s r i

n

j =0

xi , j −rt +1 b M )/

n

j =0

xs, j

= g rs . 2

i =1,i =s

Theorem 3. Suppose that CDH assumption and ((n − 1) log q − ω(log k))-LR hard relation assumption hold. Then the Construction 2 achieves ((n − 1) log q − ω(log k))-leakage resilient unforgeability. Initiation. Assume that there exists an adversary F that breaks the unforgeability of Construction 2. Consider the following experiments. Let Pr[Succi ] denote the success probability that a PPT forger F succeeds in outputting a valid ring signature in Unforgeability Experiment i.

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

9

− →

+1 ˆ , Rˆ ). We can calcuExpt0 . This is the unforgeability experiment as Definition 5. F outputs σˆ := (uˆ1 , { rˆ i }ti=1 , { vˆ i }ti = ) on (m 1 late uˆ2 , · · · , uˆt and M = H 2 (uˆ 1  · · · uˆ t ) as before. Denote the signing query list as S L ⊆ M × R × U ×  × V (message – ring – u terms – r terms – v terms). Then we have

ˆ ,m ˆ , σˆ ) = 1]. Pr[Succ0 ] = Pr[RVer(R

(1)

Next we consider the following two cases. CDHSucc : Succ0 ∧ (∗, ∗, {uˆi }ti=1 , ∗, ∗) ∈ / S L. That is, the terms {uˆi }ti=1 are different from corresponding terms in queries in

the signing query phase. In this case we can construct another PPT algorithm A that breaks the CDH assumption.

LRSucc : Succ0 ∧ (∗, ∗, {uˆi }ti=1 , ∗, ∗) ∈ S L. That is, there exists a tuple of signing query record in S L whose u-terms are

exactly same as {uˆi }ti=1 . In this case, we can construct a PPT adversary B that breaks the leakage-resilient hard relation. Obviously, Pr[Succ0 ] = Pr[CDHSucc0 ∨ LRSucc0 ] ≤ Pr[CDHSucc0 ] + Pr[LRSucc0 ]. We would like to prove that Pr[CDHSucc0 ] and Pr[LRSucc0 ] are negligible, and thus proving the theorem. Claim 1. Pr[CDHSucc0 ] ≤ negl(k). Proof. Consider the following unforgeability experiments. Expt1 . This experiment is the same as Expt0 except that A simulates the global parameters and the signing/verification $

keys using the HPF and the terms (G, q, gˆ , gˆ a , gˆ b ) from CDH challenger. A randomly chooses {(ai , b i )}ni=0 ← {−1, 0, 1}2(n+1) and sets a0 ← a0 − 1. Then A sets PP :=

(n, q, h, g , { g i }ni=0 )

ˆa

ˆb

ˆ bi

where g := g , h := g , and g i := h g $

ai

for i = 0, 1, · · · , n.

Znq +1

Then A generates every single user’s keys by randomly choosing sk := ← and computing vk = (vk1 , vk2 ) := n  x ( ni=1 g i i , gˆ i=0 xi ). The distribution of the simulated keys is the same as the distribution of real keys in the Expt0 , which results from the properties of (1, q, 0, P q,n )-HPF in Lemma 1. Therefore, the view of adversary in Expt1 is the same as that

{xi }ni=0

in Expt0 . That is,

Pr[CDHSucc1 ] = Pr[CDHSucc0 ].

(2)

Expt2 . Now, A simulates the challenger in the unforgeability experiment. It invokes F ({vki }iN=1 ) and answers F ’s sign-

− →

− →

ing queries (m, R := (vk1 , · · · , vkt )) as follows. A first calculates u 1 , · · · , ut , r 1 , · · · , r t , M = H 2 (u 1  · · · ut ), a M = n n a0 + i =1 ai M i and b M = b0 + i =1 b i M i as before, and checks whether a M = 0. If a M = 0 holds, A outputs an abort $

symbol At1 and aborts. Otherwise A calculates ( gˆ  , h ) := (h w , gˆ w ) where w ← Zq , which implies e ( gˆ  , gˆ ) = e (h w , gˆ ) = e (h, gˆ w ) = e (h , h). The aim of A is to simulate the v-terms { v i }ti=1 s.t.

e( g , h) = e( g0

n 

M

g i i , v t +1 ) ·

i =1

t 

e (vki ,2 , v i ) = e ( gˆ ba M +b M , v t +1 ) · e ( gˆ ,

i =1

t 

n

vi

j =0

xi , j

)

i =1

= e (ha M , v t +1 ) · e ( gˆ b M , v t +1 ) · e ( gˆ ,

t 

n

vi

j =0

xi , j

),

i =1

⇒ e ( g · v t−+a1M , h) = e ( gˆ , v tb+M1 ·

t 

n

vi

j =0

xi , j

).

i =1 $

To achieve this, A randomly chooses s ∈ [t ] (the index of the real signer) and ∀i ∈ [t ] \ {s}, selects v i ← G. The values  −b

v t +1 , v s are computed as v t +1 = ( gh−1 )1/a M , v s = ( gˆ  · v t +1M ·

σ :=

+1 (u 1 , {r i }ti=1 , { v i }ti = ). 1





i ∈[t ]\{s}

vi

n j =0

xi , j 1/ n x c =0 s,c

)

. A outputs the ring signature −a

It is easy to see that all the v-terms of the simulated ring signature is valid since e ( g · v t +1M , h) =

M e ( g · ( gh−1 )−1 , h) = e (h , h) and e ( gˆ , v t + 1 ·

t

n

xi , j



n

xi , j

n

xs, j

) = e ( gˆ , i ∈[t ]\{s} v i j=0 ) · e ( gˆ , v tb+M1 · v s j=0 ) = e ( gˆ , gˆ  ) hold. n t −a bM j =0 x i , j Since e ( gˆ  , gˆ ) = e (h , h), then e ( g · v t +1M , h) = e ( gˆ , v t + · v ) holds, which implies the second equation of verifii =1 i 1 cation process holds as well. Furthermore, all the terms { v i }i ∈[t +1]\{s} are uniformly random elements in group G, and v s b

i =1

vi

j =0

is a random group element of the same form as in Expt1 , which is related to all the other v-terms and the signing key. Therefore, the view of A is the same as that in Expt1 , and the probability for A to win is

Pr[CDHSucc2 ] = Pr[CDHSucc1 ∧ At1 ].

(3)

10

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

→ +1 ˆ , Rˆ , σˆ := (uˆ 1 , {− Expt3 . In this experiment, A uses F ’s forgery (m rˆ i }ti=1 , { vˆ i }ti = )) to break the CDH assumption. A calculates 1 ˆ = H 2 (uˆ 1  · · · uˆ t ) as before and checks whether a ˆ = 0. If not, A outputs an abort symbol At2 and aborts. uˆ 1 , · · · , uˆ t and M M We have Pr[CDHSucc3 ] = Pr[CDHSucc2 ∧ At2 ]. bˆ

M Otherwise, A returns ( vˆ n+ 1 ·

−a ˆ b Mˆ vˆ t +1M , h) = e ( gˆ , vˆ t + 1

have

x

vˆ i0 ) as the solution to the corresponding CDH problem. If the forgery is valid, e ( g n i =1 i

ˆi 1v i = n

j =0

·

xi , j

xi , j

) holds, which implies the second equation of verification. Moreover, since a Mˆ = 0, we n t xi , j b Mˆ ˆ i j=0 ). Then we have ) = e ( g , h) = e ( gˆ a , gˆ b ) = e ( gˆ , gˆ ab ). That is, g ab = ( vˆ n+ i =1 v 1·

Pr[CDHSucc3 ] = C D H .

(5)

b Mˆ e ( gˆ , vˆ n+ 1

·

t

·

t

t

(4)

i =1

vˆ i

j =0

Now, we analyze the probabilities that the experiment aborts (i.e. At1 and At2 occurs). Since J ( M ) is a group hash function in the Hofheinz’s multi-generator PHF as defined in Sect. 2.2, by the well-distributed logarithms property of multi-generator  PHF, we have Pr At1 ∧ At2 ≥ P qs ,n . Putting Equation (2-4) together, then we have C D H = Pr[CDHSucc0 ∧ At1 ∧ At2 ] = Pr[CDHSucc0 |At1 ∧ At2 ] · Pr[At1 ∧ At2 ] ≥  · P qs ,n . That is,  ≤ C D H / P qs ,n ≤ negl(k). 2 Remark 1. Since A samples {xi }ni=0 as the signing key, A can correctly answer F ’s the leakage queries. Claim 2. Pr[LRSucc0 ] ≤ negl(k). Proof. Algorithm B simulates the challenger in the unforgeability experiment and uses F ’s forgery to break the ((n − n xj 1) log q − ω(log q))-leakage resilience of R describe in Fig. 2. Given leakage oracle O L and the public key y = j =1 g i , B $

$

randomly selects s ← [ N ] and prepares every user’s U i (1 ≤ i ≤ N ) keys as follows. If i = s, randomly pick ski := {xi , j }nj=0 ←

n  x $ Znq +1 and compute vki = (vki ,1 , vki ,2 ) := ( nj=1 g j i, j , g j=0 xi, j ). If i = s, randomly choose x ← Zq and set sks =⊥, vks =   ( y , g x ). Here we implicitly set xs,0 = x − nj=1 x j and xs, j := x j for j ∈ [n] where {x j }nj=1 is challenge term from challenger. To answer F ’s signing query (m, R), B randomly selects a user who is not U s and uses its signing key to generate the ring signature. Due to the prefect anonymity, the signature is identical to a real one. To answer F ’s leakage query f on state := ({xi , j }1≤i ≤ N ,0 ≤ j ≤n , ) where  is the set of randomness used in the signing process, B constructs another n n n   leakage function f  (x − j =1 x j , {x j } j =1 ) that embeds all terms state \ {xs, j } j =1 ∪ {x } and returns O L ( f ) to F . Finally, F → +1 ˆ , Rˆ , σˆ := (uˆ1 , {− outputs (m rˆ i }ti=1 , { vˆ i }ti = )). B calculates uˆ 1 , · · · , uˆ t as before. Again, if σˆ is valid and (∗, ∗, {uˆ i }ti=1 , ∗, ∗) ∈ S L 1 − → occurs, i.e., there exists a query (m, R) with the corresponding signature (u 1 , { r i }ti=1 , { v i }ti=0 ) and its u-terms u 2 , · · · , ut ˆ Rˆ ). Since (m ˆ , Rˆ ) has not been s.t. ∀i ∈ [t ], u i = uˆ i . By convenience, we set c i := H 1 (u i −1  v i mR) and cˆ i := H 1 (uˆ i −1  vˆ i m ˆ , Rˆ ) = (m, R), and H 1 is a collision-resilient hash function that maps any binary string to Zq∗ , c i − cˆ i ≡ 0 queried before, i.e. (m ˆ and let i s denote the index of U s in Rˆ , we have u i s = uˆ i s ⇔ mod q holds for all i ∈ [n]. If the user U s is in the forged ring R → − → − x∗ n n  r is , j c rˆ i s , j cˆ (vki s ,1 · j =1 g j ) i s = ( y · j =1 g j ) i s . The aim of B is to output {x∗j }nj=1 s.t. y = nj=1 g j j . To output a solution to the leakage-resilient hard relation, B does as follows. → − → −  n c i (x j + r i s , j ) cˆ (x + rˆ ) − → − → If vk = y, then we have g s = n g i s j i s , j . B outputs {x∗ }n where x∗ ≡ (c r − cˆ rˆ )/(c − is 1

cˆ i s ) mod q for all j ∈ [n].

j =1

j =1

j

j j =1

j

is

is , j

is

is , j

is

→ −  cˆ (x + rˆ ) − → − → = nj=1 g j i s j i s , j . B outputs {x∗j }nj=1 where x∗j ≡ c i s (xi s , j + r i s , j )/ˆc i s − rˆ i s , j mod q for all j ∈ [n]. Note that cˆ i s ∈ Zq∗ , thus cˆ i s ≡ 0 mod q. n n x∗ x It is easily to verify that y = i =1 g i i = i =1 g i i . Thus, the probability that B breaks the leakage-resilient hard relation is L R = Pr[LRSucc0 ∧ y ∈ Rˆ ] = Pr[LRSucc0 ] · Pr[ y ∈ Rˆ ] = t / N · Pr[LRSucc0 ]. Then we have Pr[LRSucc0 ] = N /t · L R ≤ negl(k). 2

If vki s 1 = y, then we have

n

j =1

→ −

j

c i ( xi s j + r

gj s

is , j )

6. A more efficient construction in the random oracle model To obtain a more efficient leakage-resilient ring signature scheme, we present a concrete construction based on LR hard relation in the random oracle model. 6.1. The construction Suppose that there are N users in all. Let g 1 , · · · , gn be generators of group G of order q. Let (n, q, g 1 , · · · , gn ) be the publicly accessible global system parameters. Let H be a strongly collision-resistant hash function H : {0, 1}∗ → Zq∗ .

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

Construction 3. $

RKg(1k ). Given the security parameter 1k , output sk := {xi }ni=0 ← Znq +1 and vk :=

11

n

i =1

x

g i i ∈ G.

RSig(sk, m, R). Given sk := {xs,i }ni=0 , a message m and a ring R := {vki }ti=1 , the signing algorithm works as follows. $ − → − → $ 1. Randomly select (u s−1  r s−1 m R ) ← G × Znq × {0, 1}∗ × Gt and r s ← Znq , then compute u s := (vks ·

→ −

n

i =1

− r s,i H (u  →   s−1 r s−1 m R )

gi

)

.

− →

$

2. For i = s + 1, · · · , t , 1, · · · , s − 1, uniformly choose random numbers ( r i , r i ) ← Znq +1 and compute u i = (vki · → −

n

j =1

→ − r i , j H (u i −1  r i −1 mR)

gj

) − →

3. Compute r

s

(we set u 0 := ut ). − → − → := ( r s,1 , · · · , r s,n ) where ∀i ∈ [n],

− →

− →

− →

− →

r s,i ≡ H (u s−1  r s−1 m R )(xs,i + r s,i )/ H (u s−1  r s−1 mR) − xs,i − → 4. Output the signature σ := (u 1 , { r i }ti=1 ). RVer(R, m, σ ). Given a message m, a signature

n

j =1

→ −

→ − r i , j H (u i −1  r i −1 mR)

gj

)

?

u 1 = (vk1 ·

n 

mod q.

→ t σ := (u 1 , {− r i }i =1 ) and a ring R := {vki }ti=1 , calculate u i = (vki ·

for i = 2, · · · , t, and output 1 iff.

→ −

− r 1, j H (ut → r t mR)

gj

)

j =1

hold. Otherwise, output 0.

The proof of correctness is straightforward, and therefore we omit it here. 6.2. Security analysis Theorem 4. Construction 3 is unconditionally anonymous. Proof. Fix a ring R of t verification keys and randomly choose two different indices s, z ∈ [t ]. We consider a ring signature

$ − → − → − → − → (u 1 , { r i }ti=1 ) generated using skz and initial randomness (u z−1  r z−1 mz Rz ), r z . Randomly pick (u s−1  r s−1 ms Rs ) ← − → − → − → − → − → − → G × Znq × {0, 1}∗ × Gt and compute r s := ( r s,1 , · · · , r s,n ) where ∀i ∈ [n], r s,i ≡ H (u s−1  r s−1 mR)( r s,i + xs,i )/ − →    H (u s−1  r s−1 ms Rs ) − xs,i mod q, which implies

u s = (vks1 ·

n 

→ −

− r s,i H (u s−1 → r s−1 mR)

gi

)

i =1

= (vks1 ·

n 

→ −

− r s,i H (u  →   s−1 r s−1 m s Rs )

gi

)

.

i =1

− → − → This means U s using initial randomness (u s−1  r s−1 ms Rs ), r s is able to generate the same ring signature.

2

Theorem 5. Suppose ((n − 1) log q − ω(log k))-LR hard relation assumption holds. Then Construction 3 achieves unforgeability with ((n − 1) log q − ω(log k))-leakage resilience in the random oracle model. Proof. Assume there exists an adversary F that breaks the unforgeability of Construction 3. Let Pr[Succ] denote the success probability that a PPT forger F succeeds in outputting a valid ring signature in the unforgeability experiment of Definition 5.

→ ˆ , Rˆ ). We can calculate uˆ 2 , · · · , uˆ t . Now, B simulates the challenger in the unforgeability F outputs σˆ := (uˆ 1 , {− rˆ i }ti=1 ) on (m experiment and uses F ’s forgery to break the ((n − 1) log q − ω(log k))-leakage resilience of R describe in Fig. 2. B is given n xj $ access to the leakage oracle O L and the public key y = j =1 g j . It randomly selects s ← [ N ] and initials keys for every n xj $ user U i (1 ≤ i ≤ N ) as follows. If i = s, randomly choose ski := {xi , j }nj=0 ← Znq +1 and compute vki := j =1 g j . If i = s, set sks =⊥, vks = y. To answer F ’s signing query (m, R), B randomly selects a user who is not U s and uses the corresponding signing key to generate the ring signature. B can do this since Construction 3 is unconditionally anonymous. To answer F ’s leakage query f on state := ({xi , j }1≤i ≤ N ,0≤ j ≤n , ) where  is the set of randomness used in the signing process. Notice that B knows the whole state except U s ’s signing key {xs, j }nj=0 . Then B constructs another leakage function f  ({xs, j }nj=1 ) → ˆ , Rˆ , σˆ := (uˆ , {− that embeds all terms state \ {x }n and returns O ( f  ) to F . When F outputs (m rˆ }t )), B calculates s, j j =1

L

1

i i =1

12

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

Table 1 Communication efficiency comparison. Scheme

RO

Leakage Bound

#PP

#sk

#vk

#Signature

Wang et al. [35] Construction 2 Construction 3

✓ ✕ ✓

( 12 − 2t1 −  )|sk| |sk| − 2p − ω(log k) |sk| − p − ω(log k)

(n + 3) p (n + 5) p (n + 2) p

np (n + 1) p np

p 2p p

(nt + 1) p (nt + t + 2) p (nt + 1) p

RO: random oracle; #Element: the size of Element; PP: public parameters; p = log q.

Table 2 Computation efficiency comparison. Scheme

RKg

RSig

RVer

Wang et al. [35] Construction 2 Construction 3

nE + (n − 1) M G (n + 1) E + (n − 1) M G nE + (n − 1) M G

(tn + t − 1) E + (nt − 1) M G + t H + nM Z (tn + 2t + 4) E + (nt + t + n) M G + (t + 2) H + 2nM Z t (n + 1) E + nt M G + (t + 1) H + 2nM Z

t (n + 1) E + nt M G + t H t (n + 1) E + (tn + n) M G + (t + 1) H + (t + 2) P t (n + 1) E + nt M G + t H

E , H , P , M Z , M G are the evaluation of a modular exponentiation, a hash function, a bilinear pairing, a multiplication over Zq and G, respectively.

− →

− →

uˆ 1 , · · · , uˆ t as before and sets h i = H (u i  r i mR), R i = (u i , r i ) for all i ∈ [t ]. We have ∀i = j , R i = R j occurs with negligible

− →

$

probability, which results from the fact that (u i , r i ) is randomly chosen from Znq +1 , ∀i ∈ [t ] and Pr[ R = R i | R ←  R ] = ((n + 1)q)−1 ≤ 1/2log q−1 , and the signature

σ is fully determined by m and {(hi , R i )}ti=1 . Then if the forgery is valid, by the forking 

→ ˆ , Rˆ , σˆ  := (uˆ 1 , {− lemma [22], we can obtain another valid forgery (m rˆ i }ti=1 )) within time T  ≤ 144823V q H ,t ( T + q s T s )/ via − → − → ˆ oracle replay s.t. ∀i ∈ [t ], R i = Rˆ i , i .e .(u i , r i ) = (uˆ i , r i ), h i ∗ = hˆ i ∗ for some i ∗ ∈ [t ], and h i = hˆ i for any i ∈ [t ] \ {i ∗ }. If the user ˆ (i.e. vki ∗ = y), we have (vki ∗ · U s is in the forged ring R → −

hˆ i ∗ ·(x j + rˆ i ∗ j ) . B outputs {x∗j }nj=1 where for all j =1 g j n n x∗ xi that y = i =1 g i = i =1 g i i . Thus, the probability

n

n

j =1

→ −

r i∗ j h ∗ i

gj

)

− →∗ ∗

j ∈ [n], x∗j ≡ (h i r

i

= (y ·

n

j =1

→ − rˆ ∗

gj

i j

ˆ

)hi∗ . We have

n

j =1

→ −

h i ∗ ·(x j + r i ∗ j )

gj

=

→ ˆ ˆ − ˆ −1 mod q. It is easily to verify j − h i ∗ r i ∗ j ) ·(h i ∗ − h i ∗ )

that B breaks the leakage-resilient hard relation is

ˆ ] = Pr[Succ0 ] · Pr[ y ∈ Rˆ ] = t / N · Pr[LRSucc0 ]. Therefore, we have Pr[Succ] = N /t ·  L R ≤ negl(k). R

L R = Pr[Succ0 ∧ y ∈

2

7. Efficiency comparison The comparison among [35], Construction 1 and Construction 2 is presented in Table 1. We can learn from the comparison that the leakage-rates of our two constructions are higher than Wang et al.’s construction [35] whose leakage-rate is at most 1/2. Furthermore, the computational efficiency (Table 2) and communicational efficiency (Table 1) of our second construction are comparable to those of Wang et al.’s construction [35], which are both secure in the random oracle model. 8. Conclusion In this work we studied ring signature schemes in the leakage setting, and improved Wang et al.’s work by considering stronger definitions of anonymity and unforgeability of ring signature schemes. We proposed a new black-box construction of ring signature in the bounded leakage model using an NIZK and a leakage-resilient signature scheme as building blocks. We showed that if the signature scheme used in the construction is unforgeable and bounded leakage resilient, the resulting ring signature scheme is then anonymous and unforgeable and shares the same leakage bound as the underlying signature scheme. Then we proposed a concrete construction with leakage bound ((n − 2) log q − ω(log k)) without random oracles, and another more efficient construction with leakage bound ((n − 1) log q − ω(log k)) secure in the random oracle model. Acknowledgements This work was supported by the National Natural Science Foundation of China (Nos. 61472146, 61872152), Guangdong Natural Science Funds for Distinguished Young Scholar (No. 2014A030306021), Guangdong Program for Special Support of Top-notch Young Professionals (No. 2015TQ01X796), and Pearl River Nova Program of Guangzhou (No. 201610010037). References [1] Adi Akavia, Shafi Goldwasser, Vinod Vaikuntanathan, Simultaneous hardcore bits and cryptography against memory attacks, in: Theory of Cryptography, Springer, 2009, pp. 474–495. [2] Joel Alwen, Yevgeniy Dodis, Daniel Wichs, Public key cryptography in the bounded retrieval model and security against side-channel attacks, in: Proceedings of Crypto, vol. 5677, 2009, pp. 36–54. [3] Olivier Baudron, Pierre-Alain Fouque, David Pointcheval, Jacques Stern, Guillaume Poupard, Practical multi-candidate election system, in: Proceedings of the Twentieth Annual ACM Symposium on Principles of Distributed Computing, ACM, 2001, pp. 274–283.

J. Huang et al. / Theoretical Computer Science 759 (2019) 1–13

13

[4] Adam Bender, Jonathan Katz, Ruggero Morselli, Ring signatures: stronger definitions, and constructions without random oracles, in: Theory of Cryptography Conference, Springer, 2006, pp. 60–79. [5] Elette Boyle, Gil Segev, Daniel Wichs, Fully leakage-resilient signatures, J. Cryptology 26 (3) (2013) 513–558. [6] Zvika Brakerski, Yael Tauman Kalai, Jonathan Katz, Vinod Vaikuntanathan, Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage, in: 51st Annual IEEE Symposium on Foundations of Computer Science, FOCS 2010, IEEE, 2010, pp. 501–510. [7] Stefan Brands, Untraceable off-line cash in wallet with observers, in: Annual International Cryptology Conference, Springer, 1993, pp. 302–318. [8] Emmanuel Bresson, Jacques Stern, Michael Szydlo, Threshold ring signatures and applications to ad-hoc groups, in: Annual International Cryptology Conference, Springer, 2002, pp. 465–480. [9] Nishanth Chandran, Jens Groth, Amit Sahai, Ring signatures of sub-linear size without random oracles, in: International Colloquium on Automata, Languages, and Programming, Springer, 2007, pp. 423–434. [10] David Chaum, Torben Pryds Pedersen, Wallet databases with observers, in: Annual International Cryptology Conference, Springer, 1992, pp. 89–105. [11] David Chaum, Eugène Van Heyst, Group signatures, in: Workshop on the Theory and Application of Cryptographic Techniques, Springer, 1991, pp. 257–265. [12] Ronald Cramer, Matthew Franklin, Berry Schoenmakers, Moti Yung, Multi-authority secret-ballot elections with linear work, in: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 1996, pp. 72–83. [13] Alfredo De Santis, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano, Amit Sahai, Robust non-interactive zero knowledge, in: Annual International Cryptology Conference, Springer, 2001, pp. 566–598. [14] Alfredo De Santis, Giovanni Di Crescenzo, Giuseppe Persiano, Necessary and sufficient assumptions for non-interactive zero-knowledge proofs of knowledge for all NP relations, in: International Colloquium on Automata, Languages, and Programming, Springer, 2000, pp. 451–462. [15] Yevgeniy Dodis, Kristiyan Haralambiev, Adriana López-Alt, Daniel Wichs, Efficient public-key cryptography in the presence of key leakage, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2010, pp. 613–631. [16] Yevgeniy Dodis, Yael Tauman Kalai, Shachar Lovett, On cryptography with auxiliary input, in: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, ACM, 2009, pp. 621–630. [17] Yevgeniy Dodis, Aggelos Kiayias, Antonio Nicolosi, Victor Shoup, Anonymous identification in ad hoc groups, in: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 2004, pp. 609–626. [18] Stefan Dziembowski, Krzysztof Pietrzak, Leakage-resilient cryptography, in: IEEE 49th Annual IEEE Symposium on Foundations of Computer Science, 2008, FOCS’08, IEEE, 2008, pp. 293–302. [19] Sebastian Faust, Carmit Hazay, Jesper Buus Nielsen, Peter Sebastian Nordholt, Angela Zottarel, Signature schemes secure against hard-to-invert leakage, J. Cryptology 29 (2) (2016) 422–455. [20] David Goldschlag, Stuart Stubblebine, Publicly verifiable lotteries: applications of delaying functions, in: Financial Cryptography, Springer, 1998, pp. 214–226. [21] J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten, Lest we remember: cold-boot attacks on encryption keys, Commun. ACM 52 (5) (2009) 91–98. [22] Javier Herranz, Germán Sáez, Forking lemmas for ring signature schemes, in: International Conference on Cryptology in India, Springer, 2003, pp. 266–279. [23] Dennis Hofheinz, Eike Kiltz, Programmable hash functions and their applications, J. Cryptology 25 (3) (2012) 484–527. [24] Jianye Huang, Qiong Huang, Chunhua Pan, A black-box construction of strongly unforgeable signature schemes in the bounded leakage model, in: Provable Security, Springer Nature, 2016, pp. 320–339. [25] Yael Tauman Kalai, Bhavana Kanukurthi, Amit Sahai, Cryptography with tamperable and leaky memory, in: Annual Cryptology Conference, Springer, 2011, pp. 373–390. [26] Jonathan Katz, Vinod Vaikuntanathan, Signature schemes with bounded leakage resilience, in: Advances in Cryptology–ASIACRYPT 2009, Springer, 2009, pp. 703–720. [27] Eyal Kushilevitz, Tal Rabin, Fair e-lotteries and e-casinos, in: Cryptographers’ Track at the RSA Conference, Springer, 2001, pp. 100–109. [28] Tal Malkin, Isamu Teranishi, Yevgeniy Vahlis, Moti Yung, Signatures resilient to continual leakage on memory and computation, in: Theory of Cryptography Conference, Springer, 2011, pp. 89–106. [29] Silvio Micali, Leonid Reyzin, Physically observable cryptography, in: Theory of Cryptography, Springer, 2004, pp. 278–296. [30] Craig Ramsay, TEMPEST Attacks Against AES Covertly Stealing Keys for €200, 2017. [31] Ronald L. Rivest, Adi Shamir, Yael Tauman, How to leak a secret, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2001, pp. 552–565. [32] Ronald L. Rivest, Adi Shamir, Yael Tauman, How to leak a secret: theory and applications of ring signatures, in: Theoretical Computer Science, Springer, 2006, pp. 164–186. [33] Amit Sahai, Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, in: 40th Annual Symposium on Foundations of Computer Science, 1999, IEEE, 1999, pp. 543–553. [34] Sven Schäge, Jörg Schwenk, A CDH-based ring signature scheme with short signatures and public keys, in: International Conference on Financial Cryptography and Data Security, Springer, 2010, pp. 129–142. [35] Huaqun Wang, Qianhong Wu, Bo Qin, Futai Zhang, Josep Domingo-Ferrer, A provably secure ring signature scheme with bounded leakage resilience, in: International Conference on Information Security Practice and Experience, Springer, 2014, pp. 388–402. [36] Yuyu Wang, Keisuke Tanaka, Generic transformation to strongly existentially unforgeable signature schemes with leakage resiliency, in: International Conference on Provable Security, Springer, 2014, pp. 117–129. [37] Yuyu Wang, Keisuke Tanaka, Generic transformation to strongly existentially unforgeable signature schemes with continuous leakage resiliency, in: Australasian Conference on Information Security and Privacy, Springer, 2015, pp. 213–229. [38] Yuyu Wang, Keisuke Tanaka, Generic transformations for existentially unforgeable signature schemes in the bounded leakage model, Secur. Commun. Netw. 9 (12) (2016) 1829–1842. [39] Jing Xu, Zhenfeng Zhang, Dengguo Feng, A ring signature scheme using bilinear pairings, in: International Workshop on Information Security Applications, Springer, 2004, pp. 160–169. [40] Tsz Hon Yuen, Siu Ming Yiu, Lucas CK Hui, Fully leakage-resilient signatures with auxiliary inputs, in: Australasian Conference on Information Security and Privacy, Springer, 2012, pp. 294–307. [41] Cong Zhang, Tsz Hon Yuen, Hao Xiong, Sherman SM Chow, Siu Ming Yiu, Yi-Jun He, Multi-key leakage-resilient threshold cryptography, in: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ACM, 2013, pp. 61–70.