On the security of mix-nets and hierarchical group signatures

In this thesis we investigate two separate cryptographic notions: mix-nets and hierarchical group signatures. The former notion was introduced by Chaum (1981). The latter notion is introduced in this thesis, but it generalizes the notion of group signatures, which was introduced by Chaum and van Heyst (1991). Numerous proposals for mix-nets are given in the literature, but these are presented with informal security arguments or at best partial proofs. We illustrate the need for a rigorous treatment of the security of mix-nets by giving several practical attacks against a construction of Golle et al. (2002). Then we provide the first definition of security of a mix-net in the universally composable security framework (UC framework) introduced by Canetti (2001).

We construct two distinct efficient mix-nets that are provably secure under standard assumptions in the UC framework against an adversary that corrupts any minority of the mix-servers and any set of senders. The first construction is based on the El Gamal cryptosystem (1985) and is secure against a static adversary, i.e., an adversary that decides which parties to corrupt before the execution of the protocol. This is the first efficient UC-secure mix-net in the literature and the first sender verifiable mix-net that is robust. The second construction is based on the Paillier cryptosystem (1999) and is secure against an adaptive adversary, i.e., an adversary that decides which parties to corrupt during the execution of the protocol. This is the first efficient adaptively secure mix-net in any model. An important subprotocol in the above constructions is a zero-knowledge proof of knowledge of a witness that a party behaves as expected. There are two known approaches for constructing such a protocol, given by Neff (2002) and Furukawa and Sako (2002) respectively. We present a third independent approach.

We introduce the notion of hierarchical group signatures. This is a generalization of group signatures. There are several group managers, and the signers and group managers are organized in a tree in which the signers are the leaves and the group managers are internal nodes. Given a signature, a group manager learns whether it is an ancestor of the signer and, if so, to which of its immediate subtrees the signer belongs, but it learns nothing else. Thus, the identity of the signer is revealed in a hierarchical way. We provide a definition of security of hierarchical group signatures and give two provably secure constructions. The first construction is secure under general assumptions. It is impractical and of purely theoretical interest. The second construction is provably secure under standard complexity assumptions and almost practical.
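To make the mix-net setting concrete, the following Python program is an added example and not code from the thesis or any of its constructions. It is a toy El Gamal re-encryption mix-net in the style of Park, Itoh and Kurosawa [89]: senders post ciphertexts under a key held jointly by the mix-servers, each server re-encrypts and secretly permutes the list, and the servers then decrypt jointly, where each decryption share carries a Chaum-Pedersen proof (made non-interactive with Fiat-Shamir hashing) that the server used its real key. That proof is the simplest instance of a "proof that a party behaves as expected" from the abstract. Everything here is simplified relative to the thesis: the group is a constructed 62-bit safe-prime group found at start-up (a real deployment uses a 2048-bit or larger group or an elliptic curve), the secret key is shared additively, so decryption needs every server rather than an honest majority, and there is no proof of shuffle, so a server that drops or replaces a ciphertext during its permutation goes undetected; closing that gap is exactly what the shuffle subprotocol in the thesis is for. All names and parameters are this example's own.

```python
import hashlib
import math
import secrets

def is_prime(n):  # deterministic Miller-Rabin for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):  # first q >= 2^(bits-1) with q and 2q+1 both prime
    q = (1 << (bits - 1)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime(62)  # constructed toy group; real mix-nets use >= 2048-bit groups or curves
G = 4                  # a square, so it generates the order-Q subgroup of quadratic residues

def encode(m):  # plaintexts 1..Q map injectively into the subgroup
    assert 1 <= m <= Q
    return pow(m, 2, P)

def decode(y):  # P = 3 mod 4, so y^((P+1)/4) is a square root; take the root below P/2
    r = pow(y, (P + 1) // 4, P)
    return min(r, P - r)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def encrypt(h, m):
    r = secrets.randbelow(Q)
    return pow(G, r, P), encode(m) * pow(h, r, P) % P

def reencrypt(h, ct):  # (a, b) -> (a G^s, b h^s): same plaintext, fresh-looking ciphertext
    a, b = ct
    s = secrets.randbelow(Q)
    return a * pow(G, s, P) % P, b * pow(h, s, P) % P

def shuffle(h, cts):  # one mix-server's step: re-encrypt everything, then secretly permute
    out = [reencrypt(h, c) for c in cts]
    secrets.SystemRandom().shuffle(out)
    return out

def challenge(*vals):  # Fiat-Shamir challenge bound to the whole transcript
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % Q

def prove_share(x, h_i, a, d):  # Chaum-Pedersen: log_G(h_i) == log_a(d), i.e. d used the key behind h_i
    w = secrets.randbelow(Q)
    t1, t2 = pow(G, w, P), pow(a, w, P)
    c = challenge(h_i, a, d, t1, t2)
    return t1, t2, (w + c * x) % Q

def verify_share(h_i, a, d, proof):
    t1, t2, z = proof
    c = challenge(h_i, a, d, t1, t2)
    return pow(G, z, P) == t1 * pow(h_i, c, P) % P and pow(a, z, P) == t2 * pow(d, c, P) % P

def partial_decrypt(x_i, h_i, ct):
    d = pow(ct[0], x_i, P)
    return d, prove_share(x_i, h_i, ct[0], d)

def joint_decrypt(pks, shares, ct):  # anyone can check every share before combining them
    a, b = ct
    for h_i, (d_i, proof) in zip(pks, shares):
        if not verify_share(h_i, a, d_i, proof):
            raise ValueError("rejected decryption share")
    d = math.prod(d_i for d_i, _ in shares) % P
    return decode(b * pow(d, -1, P) % P)

def run_mixnet(messages, n_servers=3):
    """Senders encrypt under the joint key; each server shuffles in turn; all servers then
    jointly decrypt. Output order is unlinkable to input order if any one server is honest."""
    keys = [keygen() for _ in range(n_servers)]
    pks = [h_i for _, h_i in keys]
    h = math.prod(pks) % P  # joint public key; the secret sum of the x_i is never assembled
    board = [encrypt(h, m) for m in messages]
    for _ in keys:
        board = shuffle(h, board)
    return [joint_decrypt(pks, [partial_decrypt(x_i, h_i, ct) for x_i, h_i in keys], ct)
            for ct in board]

def forged_share_rejected():  # a server using a wrong exponent cannot make its proof verify
    x, h_i = keygen()
    a = encrypt(h_i, 7)[0]
    bad_x = (x + 1) % Q
    d_bad = pow(a, bad_x, P)
    return not verify_share(h_i, a, d_bad, prove_share(bad_x, h_i, a, d_bad))
```

Running `run_mixnet([3, 1, 2])` returns the three plaintexts in a fresh random order; nothing on the public board links an output position to a sender once at least one server keeps its permutation and re-encryption exponents secret. The verification in `joint_decrypt` is what makes the decryption step publicly checkable: a share computed with the wrong key fails, as `forged_share_rejected` shows. What this toy cannot check is the shuffle itself, which is why the proofs of a shuffle referenced in the abstract are the essential ingredient of a robust mix-net.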

[1]  Chae Hoon Lim,et al.  A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup , 1997, CRYPTO.

[2]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) , 2001, Journal of Cryptology.

[3]  Jacques Traoré,et al.  Efficient Publicly Verifiable Secret Sharing Schemes with Fast or Delayed Recovery , 1999, ICICS.

[4]  Markus Jakobsson,et al.  Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking , 2002, USENIX Security Symposium.

[5]  Anna Lysyanskaya,et al.  Adaptive Security in the Threshold Setting: From Cryptosystems to Signature Schemes , 2001, ASIACRYPT.

[6]  Satoshi Obana,et al.  An Implementation of a Universally Verifiable Electronic Voting Scheme based on Shuffling , 2002, Financial Cryptography.

[7]  Markus Jakobsson,et al.  Mix and Match: Secure Function Evaluation via Ciphertexts , 2000, ASIACRYPT.

[8]  Simon Singh,et al.  The Code Book , 1999 .

[9]  C. Andrew Neff,et al.  A verifiable secret shuffle and its application to e-voting , 2001, CCS '01.

[10]  Yehuda Lindell,et al.  Universally composable two-party and multi-party secure computation , 2002, STOC '02.

[11]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[12]  Jun Furukawa,et al.  Efficient, Verifiable Shuffle Decryption and Its Requirement of Unlinkability , 2004, Public Key Cryptography.

[13]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.

[14]  Douglas Wikström,et al.  Five Practical Attacks for "Optimistic Mixing for Exit-Polls" , 2003, Selected Areas in Cryptography.

[15]  Moti Yung,et al.  Finding Length-3 Positive Cunningham Chains , 1998, ANTS.

[16]  Ivan Damgård,et al.  A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System , 2001, Public Key Cryptography.

[17]  Ian F. Blake,et al.  Elliptic curves in cryptography , 1999 .

[18]  Ronald Cramer,et al.  A secure and optimally efficient multi-authority election scheme , 1997, Eur. Trans. Telecommun..

[19]  Manuel Blum,et al.  Coin Flipping by Telephone , 1981, CRYPTO.

[20]  Michael J. Fischer,et al.  A robust and verifiable cryptographically secure election scheme , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[21]  Matthew K. Franklin,et al.  Efficient generation of shared RSA keys , 2001, JACM.

[22]  Serge Vaudenay,et al.  Minding your p's and q's , 1996, ASIACRYPT.

[23]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[24]  Birgit Pfitzmann,et al.  Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees , 1997, EUROCRYPT.

[25]  Kazue Sako,et al.  Efficient Receipt-Free Voting Based on Homomorphic Encryption , 2000, EUROCRYPT.

[26]  Neal Koblitz,et al.  Algebraic aspects of cryptography , 1998, Algorithms and computation in mathematics.

[27]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[28]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[29]  Andrew M. Odlyzko,et al.  Discrete Logarithms: The Past and the Future , 2000, Des. Codes Cryptogr..

[30]  Birgit Pfitzmann,et al.  Breaking Efficient Anonymous Channel , 1994, EUROCRYPT.

[31]  Ernest F. Brickell,et al.  Fast Exponentiation with Precomputation (Extended Abstract) , 1992, EUROCRYPT.

[32]  Atsushi Fujioka,et al.  A Practical Secret Voting Scheme for Large Scale Elections , 1992, AUSCRYPT.

[33]  Douglas Wikström On the security of mix-nets and related problems , 2004 .

[34]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[35]  Birgit Pfitzmann,et al.  Composition and integrity preservation of secure reactive systems , 2000, CCS.

[36]  Dongho Won,et al.  Group Signatures for Hierarchical Multigroups , 1997, ISW.

[37]  Rafail Ostrovsky,et al.  Robust Non-interactive Zero Knowledge , 2001, CRYPTO.

[38]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[39]  C. A. Neff Verifiable Mixing (Shuffling) of ElGamal Pairs , 2004 .

[40]  Ivan Damgård,et al.  A Statistically-Hiding Integer Commitment Scheme Based on Groups with Hidden Order , 2002, ASIACRYPT.

[41]  Manuel Blum,et al.  Non-interactive zero-knowledge and its applications , 1988, STOC '88.

[42]  Adi Shamir,et al.  The Discrete Logarithm Modulo a Composite Hides O(n) Bits , 1993, J. Comput. Syst. Sci..

[43]  Alfred Menezes,et al.  Another Look at "Provable Security" , 2005, Journal of Cryptology.

[44]  Kazue Sako,et al.  Fault tolerant anonymous channel , 1997, ICICS.

[45]  Birgit Pfitzmann,et al.  How to Break the Direct RSA-Implementation of Mixes , 1990, EUROCRYPT.

[46]  Markus Jakobsson,et al.  A Practical Mix , 1998, EUROCRYPT.

[47]  Markus Jakobsson,et al.  An optimally robust hybrid mix network , 2001, PODC '01.

[48]  Mihir Bellare,et al.  On Defining Proofs of Knowledge , 1992, CRYPTO.

[49]  Taher ElGamal,et al.  A public key cryptosystem and signature scheme based on discrete logarithms , 1985 .

[50]  Jan Camenisch,et al.  Efficient Group Signature Schemes for Large Groups (Extended Abstract) , 1997, CRYPTO.

[51]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[52]  Douglas Wikström,et al.  Hierarchical Group Signatures , 2005, ICALP.

[53]  Jan Camenisch,et al.  A Group Signature Scheme with Improved Efficiency , 1998, ASIACRYPT.

[54]  Leonid A. Levin,et al.  A hard-core predicate for all one-way functions , 1989, STOC '89.

[55]  Zulfikar Ramzan,et al.  Group Blind Digital Signatures: A Scalable Solution to Electronic Cash , 1998, Financial Cryptography.

[56]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[57]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[58]  Gene Tsudik,et al.  Some Open Issues and New Directions in Group Signatures , 1999, Financial Cryptography.

[59]  Ed Dawson,et al.  Simple and Efficient Shuffling with Provable Correctness and ZK Privacy , 2005, CRYPTO.

[60]  Yvo Desmedt,et al.  How to Break a Practical MIX and Design a New One , 2000, EUROCRYPT.

[61]  Silvio Micali,et al.  Secure Computation (Abstract) , 1991, CRYPTO.

[62]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[63]  Silvio Micali,et al.  The knowledge complexity of interactive proof-systems , 1985, STOC '85.

[64]  Johannes Buchmann,et al.  A Survey on IQ Cryptography , 2001 .

[65]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[66]  Patrick Horster,et al.  Some Remarks on a Receipt-Free and Universally Verifiable Mix-Type Voting Scheme , 1996, ASIACRYPT.

[67]  Silvio Micali,et al.  How to play ANY mental game , 1987, STOC.

[68]  Douglas Wikström,et al.  A Universally Composable Mix-Net , 2004, TCC.

[69]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[70]  Douglas Wikström How to Break, Fix, and Optimize "Optimistic Mix for Exit-Polls" , 2002 .

[71]  Jacques Stern,et al.  Practical multi-candidate election system , 2001, PODC '01.

[72]  Douglas Wikström,et al.  A Sender Verifiable Mix-Net and a New Proof of a Shuffle , 2005, ASIACRYPT.

[73]  Jan Camenisch,et al.  Separability and Efficiency for Generic Group Signature Schemes , 1999, CRYPTO.

[74]  David Chaum,et al.  Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer , 1991, CRYPTO.

[75]  David A. Wagner,et al.  A Generalized Birthday Problem , 2002, CRYPTO.

[76]  Oded Goldreich,et al.  Foundations of Cryptography: Basic Tools , 2000 .

[77]  Kazue Sako,et al.  An Efficient Scheme for Proving a Shuffle , 2001, CRYPTO.

[78]  Valtteri Niemi,et al.  How to Prevent Buying of Votes in Computer Elections , 1994, ASIACRYPT.

[79]  Torben P. Pedersen Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing , 1991, CRYPTO.

[80]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[81]  Jan Camenisch,et al.  Group Signatures: Better Efficiency and New Theoretical Aspects , 2004, SCN.

[82]  Masayuki Abe,et al.  Universally Verifiable Mix-net with Verification Work Independent of the Number of Mix-servers , 1998, EUROCRYPT.

[83]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[84]  Leonid A. Levin,et al.  A Pseudorandom Generator from any One-way Function , 1999, SIAM J. Comput..

[85]  Jan Camenisch,et al.  Signature Schemes and Anonymous Credentials from Bilinear Maps , 2004, CRYPTO.

[86]  Silvio Micali,et al.  Zero-knowledge sets , 2003, 44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings..

[87]  T. Elgamal A public key cryptosystem and a signature scheme based on discrete logarithms , 1984, CRYPTO 1984.

[88]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[89]  Kaoru Kurosawa,et al.  Efficient Anonymous Channel and All/Nothing Election Scheme , 1994, EUROCRYPT.

[90]  Aggelos Kiayias,et al.  Group Signatures: Provable Security, Efficient Constructions and Anonymity from Trapdoor-Holders , 2004, IACR Cryptol. ePrint Arch..

[91]  Josh Benaloh,et al.  Receipt-Free Secret-Ballot Elections , 1994, STOC 1994.

[92]  Jacques Stern,et al.  Fully Distributed Threshold RSA under Standard Assumptions , 2001, ASIACRYPT.

[93]  Ivan Damgård,et al.  Non-interactive and reusable non-malleable commitment schemes , 2003, STOC '03.

[94]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[95]  Donald Beaver,et al.  Foundations of Secure Interactive Computing , 1991, CRYPTO.

[96]  Alfred Menezes,et al.  Another Look at "Provable Security". II , 2006, INDOCRYPT.

[97]  Markus Jakobsson,et al.  Mix-Based Electronic Payments , 1998, Selected Areas in Cryptography.

[98]  Markus Jakobsson,et al.  Flash mixing , 1999, PODC '99.

[99]  Silvio Micali,et al.  How to sign given any trapdoor permutation , 1992, JACM.

[100]  Leonid A. Levin,et al.  Fair Computation of General Functions in Presence of Immoral Majority , 1990, CRYPTO.

[101]  Tatsuaki Okamoto,et al.  Statistical Zero Knowledge Protocols to Prove Modular Polynomial Relations , 1997, CRYPTO.

[102]  Kaoru Kurosawa,et al.  Attack for Flash MIX , 2000, ASIACRYPT.

[103]  Bodo Möller Public key cryptography: theory and practice , 2003 .

[104]  Ran Canetti,et al.  Towards Realizing Random Oracles: Hash Functions That Hide All Partial Information , 1997, CRYPTO.

[105]  Jan Camenisch,et al.  Efficient and Generalized Group Signatures , 1997, EUROCRYPT.

[106]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[107]  Silvio Micali,et al.  The Notion of Security for Probabilistic Cryptosystems , 1986, CRYPTO.

[108]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[109]  Michael Backes,et al.  How to Break and Repair a Universally Composable Signature Functionality , 2004, ISC.

[110]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[111]  Serge Fehr,et al.  Adaptively Secure Feldman VSS and Applications to Universally-Composable Threshold Cryptography , 2004, CRYPTO.

[112]  Hideki Imai,et al.  Flaws in Some Robust Optimistic Mix-Nets , 2003, ACISP.

[113]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001).

[114]  Ronald Cramer,et al.  A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack , 1998, CRYPTO.

[115]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[116]  Pascal Paillier,et al.  Public-Key Cryptosystems Based on Composite Degree Residuosity Classes , 1999, EUROCRYPT.

[117]  Ronald Cramer,et al.  Non-interactive Distributed-Verifier Proofs and Proving Relations among Commitments , 2002, ASIACRYPT.

[118]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[119]  Andrew Chi-Chih Yao,et al.  Theory and application of trapdoor functions , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[120]  Markus Jakobsson,et al.  Optimistic Mixing for Exit-Polls , 2002, ASIACRYPT.

[121]  Aggelos Kiayias,et al.  The Vector-Ballot e-Voting Approach , 2004, Financial Cryptography.

[122]  Reihaneh Safavi-Naini,et al.  A Provably Secure and Efficient Verifiable Shuffle based on a Variant of the Paillier Cryptosystem , 2005, J. Univers. Comput. Sci..

[123]  Ran Canetti,et al.  Universally composable signature, certification, and authentication , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[124]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[125]  Ivan Damgård,et al.  Universally Composable Efficient Multiparty Computation from Threshold Homomorphic Encryption , 2003, CRYPTO.

[126]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 1996 .

[127]  Reihaneh Safavi-Naini,et al.  Verifiable Shuffles: A Formal Model and a Paillier-Based Efficient Construction with Provable Security , 2004, ACNS.

[128]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[129]  Moti Yung,et al.  Distributing the power of a government to enhance the privacy of voters , 1986, PODC '86.

[130]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[131]  Markus Jakobsson,et al.  Millimix: Mixing in Small Batches , 1999 .

[132]  Markus Stadler,et al.  Publicly Verifiable Secret Sharing , 1996, EUROCRYPT.

[133]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.

[134]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[135]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[136]  Ralph C. Merkle,et al.  Protocols for Public Key Cryptosystems , 1980, 1980 IEEE Symposium on Security and Privacy.

[137]  P. Ribenboim The new book of prime number records , 1996 .

[138]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[139]  Jan Camenisch,et al.  Mix-Network with Stronger Security , 2005, Privacy Enhancing Technologies.

[140]  Lidong Chen,et al.  New Group Signature Schemes (Extended Abstract) , 1994, EUROCRYPT.