Cryptographic Privacy Enhancing Technologies
Total Page:16
File Type:pdf, Size:1020Kb
NIVERSITY U OF WOLLONGONG Cryptographic Privacy Enhancing Technologies A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY OF WOLLONGONG by Lan Duy Nguyen School of Information Technology and Computer Science March 2005 °c Copyright 2005 by Lan Duy Nguyen All Rights Reserved ii Dedicated to My Family and Fleur iii Declaration This is to certify that the work reported in this thesis was done by the author, unless specified otherwise, and that no part of it has been submitted in a thesis to any other university or similar institution. Lan Duy Nguyen November 9, 2005 iv Abstract Cryptographic Privacy Enhancing Technologies The growth of information and communication technology creates difficulties for in- dividuals to monitor and control their private information which can be copied, trans- ferred from one location to another within a second and accessible to many people. This thesis focuses on a number of cryptographic technologies, which have been introduced and developed to protect user privacy, including anonymous signatures, anonymous authentication, anonymous credentials and anonymous routing. Our contributions to these technologies are in three aspects: more efficiency, more security and better func- tionality. We identify and formalize new security requirements, and improve and build for- mal security models for a number of privacy-preserving primitives. We construct new anonymous routing systems whose security relies on complexity assumptions different from those of previous systems. We propose several anonymous signature schemes with constant computation costs, very short signatures and keys and compact system parameters that can be shared by multiple groups. These schemes can be converted into anonymous authentication schemes and used as building blocks for anonymous credential systems. Our systems provide diversified properties, such as anonymity re- vocability, ad-hoc group formation, signature traceability, identity-based and limitation on the number of anonymous signatures, that allow applications in many realistic sce- narios. We prove security of all proposed schemes and compare their efficiencies with previous schemes. v Acknowledgements I would like to express my deep gratitude to my supervisor, Professor Reihaneh Safavi- Naini. She has been providing me great support, guidance, motivation and knowledge through different aspects of research since the beginning of my PhD. I appreciate sup- port from my co-supervisor, Associate Professor Tadeusz Wysocki, who has helped to enhance my knowledge in other areas of computing and telecommunication. I would like to extend my gratitude to Professor Kaoru Kurosawa and Associate Professor Fangguo Zhang, who gave me fruitful experience in doing research. I would like to thank the staff, both academic and general, of SITACS and other research students of CIS for their support. More thanks go to my former lecturers at Vietnam academic institutes, University of New South Wales, Australian National University and Uni- versity of Western Sydney. Warm gratitude also goes to my friends at University of Wollongong and University of New South Wales, and Ming Ye; my student life would be so bored without them and her. I cannot thank my father and mother enough for their great love and endless sup- port. I also thank my brothers, sisters, nephews and uncles very much for their en- couragements and love. Lan Duy Nguyen University of Wollongong March 2005 vi List of publications Publications, which have been included in this thesis, are listed as follows. - Lan Nguyen and Rei Safavi-Naini. Dynamic k-Times Anonymous Authentication. Applied Cryptography and Network Security (ACNS) 2005, Springer-Verlag, LNCS 3531, 2005. - Lan Nguyen. Accumulators from Bilinear Pairings and Applications. RSA Confer- ence 2005, Cryptographers’ Track (CT-RSA), Springer-Verlag, LNCS 3376, pp. 275- 292, 2005. - Lan Nguyen and Rei Safavi-Naini. Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings. ASIACRYPT 2004, Springer-Verlag, LNCS 3329, pp. 372-386, 2004. - Lan Nguyen, Rei Safavi-Naini, and Kaoru Kurosawa. Verifiable Shuffles: A Formal Model and a Paillier-based Efficient Construction with Provable Security. Applied Cryptography and Network Security (ACNS) 2004, Springer-Verlag, LNCS 3089, pp. 61-75, 2004. - Lan Nguyen, Rei Safavi-Naini, and Kaoru Kurosawa. A Provably Secure and Efficient Verifiable Shuffle based on a Variant of Paillier Cryptosystem. Journal of Universal Computer Science, Springer, to appear. Other publications, which have not been included in this thesis, are listed as follows. - Lan Nguyen and Rei Safavi-Naini. An Efficient Verifiable Shuffle with Perfect Zero- knowledge Proof System. Cryptographic Algorithms and their Uses 2004, pp. 40-56, 2004. - Lan Nguyen. Privacy-Enhancing Technologies. Chapter 4 in “Towards Securing vii Cyber World” (Commercially in Confidence), pp. 60-80, 2004. - Lan Nguyen and Rei Safavi-Naini. Breaking and Mending Resilient Mix-nets. Privacy Enhancing Technologies (PET) 2003, Springer-Verlag, LNCS 2760, pp. 66-80, 2003. - Lan Nguyen, Rei Safavi-Naini, Willy Susilo, and Tad Wysocki. Secure Authoriza- tion, Access Control and Data Integrity in Bluetooth. The 10th IEEE International Conference on Network (ICON 2002), pp. 428-433, 2002. - Rajeev Gore and Lan Duy Nguyen. CardKt: Automated Multi-modal Deduction on Java Cards for Multi-application Security. Java Card 2000, Springer-Verlag, LNCS 2041, pp. 38-51, 2000. viii Contents Abstract v Acknowledgements vi List of publications vii 1 Introduction 1 1.1 Motivations ................................. 5 1.2 Structure and Contributions of the Thesis ................ 7 2 Preliminaries 10 2.1 Introduction ................................. 10 2.2 Mathematical Background ......................... 11 2.2.1 Groups ................................ 11 2.2.2 Bilinear Pairings .......................... 12 2.3 Algorithms .................................. 13 2.3.1 Deterministic and Probabilistic Polynomial-Time algorithms . 14 2.3.2 Interactive machines ........................ 15 2.3.3 Adversary model and Oracle machines . 17 2.4 Computational Problems .......................... 17 ix 2.4.1 One-way Functions ......................... 18 2.4.2 Indistinguishable Distributions ................... 19 2.4.3 Complexity Assumptions ...................... 20 2.5 Hashing ................................... 25 2.6 Provable Security .............................. 27 2.6.1 Providing provable security .................... 28 2.6.2 Random oracle model ........................ 29 2.6.3 Forking lemma ........................... 30 2.7 Proof Systems ................................ 32 2.7.1 Interactive Proof Systems ..................... 32 2.7.2 Non-interactive Proof Systems ................... 33 2.8 Public-key Encryption ........................... 35 2.8.1 Formal security model ....................... 36 2.8.2 Twin Encryption Paradigm .................... 41 2.8.3 El Gamal Public-key Encryption scheme . 42 2.8.4 Bilinear Pairing versions of El Gamal Public-key Encryption . 43 2.8.5 Paillier Public-key Encryption scheme . 45 2.9 Digital Signatures .............................. 46 2.9.1 Formal security model ....................... 47 2.10 Cryptographic Privacy Enhancing Technologies . 48 2.10.1 Group Signatures .......................... 48 2.10.2 Identity Escrow ........................... 55 2.10.3 Traceable Signatures ........................ 56 2.10.4 ID-based Ring Signatures ..................... 58 x 2.10.5 k-Times Anonymous Authentication . 61 2.10.6 Robust Mix-nets and Verifiable Shuffles . 67 3 New Schemes for Group Signatures, Traceable Signatures and Iden- tity Escrow 71 3.1 Introduction ................................. 71 3.2 A Group Signature scheme ......................... 73 3.2.1 Overview .............................. 73 3.2.2 Descriptions ............................. 73 3.2.3 Correctness and Security ...................... 76 3.3 Variations .................................. 77 3.3.1 Weak Anonymity requirement ................... 78 3.3.2 A Variant Group Signature scheme . 78 3.3.3 Do ACJT00 and GS2 provide Anonymity? . 79 3.3.4 Variants based on the DDH assumption . 79 3.4 Security Proofs ............................... 80 3.4.1 The Signing protocol is zero-knowledge . 80 3.4.2 Coalition-Resistance ........................ 82 3.4.3 Proof of GS1’s Anonymity and GS2’s Weak Anonymity . 86 3.4.4 Proof of Traceability for GS1 and GS2 . 89 3.4.5 Proof of Non-frameability for GS1 and GS2 . 90 3.5 Extensions .................................. 91 3.5.1 A Traceable Signature scheme ................... 91 3.5.2 Identity Escrow schemes ...................... 93 3.6 Efficiency .................................. 93 xi 3.7 Summary .................................. 94 4 A New Dynamic Accumulator Scheme and Applications to ID-based Ring Signatures and Group Membership Revocation 95 4.1 Introduction ................................. 95 4.2 Models .................................... 96 4.2.1 Accumulators ............................ 96 4.2.2 ID-based Ad-hoc Anonymous Identification . 99 4.2.3 Identity Escrow with Membership Revocation . 103 4.3 A Dynamic Accumulator scheme from Bilinear Pairings . 108 4.4 An ID-based Ad-hoc Anonymous Identification scheme . 109 4.4.1 Descriptions ............................. 110 4.4.2 Security ............................... 111 4.4.3 Constant-size ID-based Ring Signatures . 115 4.5 Application to Membership Revocation . 116