
Signatures of Knowledge

3.4 Digital Signature Schemes

3.4.4 Signatures of Knowledge

Using the techniques introduced in [87, 90], every three-round proof of knowledge that is honest-verifier zero-knowledge can be turned into a signature scheme by replacing the verifier with a hash function. We call the schemes “signatures based on proofs of knowledge”, or “signatures of knowledge” for short. A signature of knowledge allows a signer to prove knowledge of a secret with respect to some public information noninteractively. The signer can also tie his knowledge of a secret to a message being signed. In [184], it is proved that in the random oracle model all such signatures are simulatable and secure against existential forgery under adaptively chosen-message attacks. Simulatability means that the distribution of the strings that can be efficiently generated without knowledge of the secret signing key is indistinguishable from the distribution of the actual signatures. Note that though such signatures are simulatable, they are not deniable zero-knowledge [178].

All signatures of knowledge presented in this section have corresponding three-round protocols similar to Schnorr’s identification protocol. These protocols can be shown to be honest-verifier zero-knowledge proofs of knowledge. We first describe the algebraic setting used here. Let $G$ be a finite cyclic group of prime order $q$, $k$ an integer, and let $g, h, g_1, g_2, \ldots, g_k \in G$ be generators of $G$ such that computing discrete logarithms of any group element with respect to any one of the generators is infeasible. Furthermore, the generators are chosen in a random manner, such that none of the discrete logarithms of any generator with respect to another is known.

Then the computation of a representation of a group element with respect to multiple generators is as hard as the discrete logarithm problem.

We introduce our notation for signatures of knowledge. Suppose the signer (prover) chooses $\alpha, \beta \in_R \mathbb{Z}_q$ as secret keys and computes her public keys $y_1 = g^\alpha$ and $y_2 = g^\beta h^\alpha$. Let $\wedge$ denote the logical conjunction. An expression such as

$$\mathrm{sok}[(\alpha, \beta) : y_1 = g^\alpha \wedge y_2 = g^\beta h^\alpha](m)$$

denotes a signature based on a proof of knowledge of secret keys $\alpha$ and $\beta$ such that the statement to the right of the colon is true. This is equal to proving the knowledge of the discrete logarithm of $y_1$ to the base $g$ and a representation of $y_2$ to the bases $g$ and $h$ and, in addition, that the $h$-part of this representation of $y_2$ equals the discrete logarithm of $y_1$ to the base $g$. The Greek letters denote the knowledge of the signer. The variable $\mathrm{sok}$ can be thought of as a reference to the definition of a particular signature of knowledge. If the message is the null message, then the term $(m)$ after the ‘]’ is omitted. In addition, we denote by $\|$ the concatenation of two strings and let $H : \{0,1\}^* \to \{0,1\}^\ell$ be a collision-resistant hash function.

Signatures of Knowledge of a Discrete Logarithm

The signature proves the knowledge of the discrete logarithm of a public key y to the base g.

Definition 3.4.2. A pair $(c, s) \in \{0,1\}^\ell \times \mathbb{Z}_q$ satisfying

$$c = H(m \| g \| y \| g^s y^c)$$

is a signature of knowledge of the discrete logarithm of a group element $y$ to the base $g$ of the message $m \in \{0,1\}^*$ and is denoted by $\mathrm{SKDL}[\alpha : y = g^\alpha](m)$.

Basically, $\mathrm{SKDL}[\alpha : y = g^\alpha](m)$ is the Schnorr signature with a slightly different argument to the hash function. If the value $\alpha = \log_g(y)$ is known, such a signature can be computed by choosing a random integer $r \in \mathbb{Z}_q$ and computing $t = g^r$ and then $c$ and $s$ according to

$$c = H(m \| g \| y \| g^r), \qquad s = r - c\alpha \bmod q.$$

Anyone can verify $(c, s)$ by checking $c = H(m \| g \| y \| g^s y^c)$.

Although the signature of knowledge is not interactive, it is reasonable to call t the commitment, c the challenge, and s the response.
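The signing and verification steps of Definition 3.4.2, as an added example that is not part of the original text. It assumes a toy safe-prime group ($p = 2039$, $q = 1019$, $g = 4$; constructed, far too small for real use), SHA-256 in the role of $H$, and a length-prefixed encoding of the concatenation $m \| g \| y \| t$, none of which the text specifies. The `simulate_transcript` function is also an addition: it illustrates the simulatability claim by producing a commitment/challenge/response triple that satisfies the algebraic check without knowledge of $\alpha$, which shows why the challenge has to be fixed by the hash after the commitment.

```python
import hashlib
import secrets

# Toy group (constructed for illustration; far too small for real use):
# p = 2q + 1 with q prime, so the squares mod p form a cyclic group of prime order q.
P, Q = 2039, 1019
G = 4            # 2^2 mod p: a square, hence a generator of the order-q subgroup

def H(*parts) -> int:
    """Stand-in for the collision-resistant hash H; each argument is length-prefixed so
    that the concatenation m || g || y || t cannot be re-split into other arguments."""
    h = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")

def keygen(alpha: int) -> int:
    """Public key y = g^alpha for a secret alpha in Z_q."""
    return pow(G, alpha, P)

def skdl_sign(alpha: int, m: bytes):
    """SKDL[alpha : y = g^alpha](m): commitment t = g^r, challenge c = H(m||g||y||t),
    response s = r - c*alpha mod q."""
    y = keygen(alpha)
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = H(m, G, y, t)
    s = (r - c * alpha) % Q
    return c, s

def skdl_verify(y: int, m: bytes, sig) -> bool:
    """Recompute t = g^s y^c (= g^(r - c*alpha) * g^(c*alpha) = g^r) and check the challenge."""
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P
    return c == H(m, G, y, t)

def simulate_transcript(y: int):
    """Honest-verifier simulator: choose c and s first, then set t = g^s y^c. The triple
    passes the algebraic check without alpha, which is why the signature is only secure
    when c is determined by the hash of t (random oracle) and not chosen afterwards."""
    c = secrets.randbits(256)
    s = secrets.randbelow(Q)
    t = pow(G, s, P) * pow(y, c, P) % P
    return t, c, s

def algebraic_check(y: int, t: int, c: int, s: int) -> bool:
    """The relation a verifier of the interactive protocol would check."""
    return t == pow(G, s, P) * pow(y, c, P) % P
```

Because $g$ and $y$ are hashed together with the message, a signature made under one key does not verify under another, and a simulated transcript fails `skdl_verify` even though it satisfies `algebraic_check`.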

Signatures of Knowledge of a Representation

The signature proves the knowledge of a representation of a public key. The corresponding proof systems are first introduced in [43].

Definition 3.4.3. A $(k+1)$-tuple $(c, s_1, \ldots, s_k) \in \{0,1\}^\ell \times (\mathbb{Z}_q)^k$ satisfying

$$c = H\Big(m \| g_1 \| \ldots \| g_k \| y \| y^c \prod_{i=1}^{k} g_i^{s_i}\Big)$$

is a signature of knowledge of a representation of an element $y$ with respect to the bases $g_1, \ldots, g_k$ of the message $m \in \{0,1\}^*$. It is denoted by

Because a public key $y_i$ can be formed using only a subset of the generators $g_1, \ldots, g_k$, later we use a set $J_i \subseteq \{1, \ldots, k\}$ such that $y_i = \prod_{j \in J_i} g_j^{\alpha_{i,j}}$ holds, where the $\alpha_{i,j}$ are secret keys with respect to the public key $y_i$. Note that the secret keys $\alpha_{i,j}$ are in general not numbered consecutively but take a tuple $(i, j)$, where $i$ is the index of the public key $y_i$ and $j$ is the index of the respective generator $g_j$. In particular, the secret keys $\alpha_{i,j}$ for $j \notin J_i$ are not defined.

Signatures of Knowledge of Equality of the Discrete Logarithms

The signature proves that the discrete logarithms of two public keys with respect to two different bases are equal. Such a scheme is introduced in [45].

Definition 3.4.4. A pair $(c, s) \in \{0,1\}^\ell \times \mathbb{Z}_q$ satisfying

$$c = H(m \| g \| h \| y \| z \| g^s y^c \| h^s z^c)$$

is a signature of the message $m \in \{0,1\}^*$ based on a proof of knowledge and of equality of the discrete logarithm of $z$ with respect to the base $h$ and of the discrete logarithm of $y$ with respect to the base $g$. It is denoted by

$$\mathrm{SKEDL}[\alpha : y = g^\alpha \wedge z = h^\alpha](m).$$

If $\alpha = \log_g(y)$ is known and if $\log_g(y) = \log_h(z)$ holds, such a signature $(c, s)$ can be computed as follows. One chooses a random integer $r$ from $\mathbb{Z}_q$ and computes $t_1 = g^r$ and $t_2 = h^r$. Then, $c$ and $s$ are calculated according to

$$c = H(m \| g \| h \| y \| z \| t_1 \| t_2) \quad \text{and} \quad s = r - c\alpha \bmod q.$$

Anyone can verify the signature by checking $c = H(m \| g \| h \| y \| z \| g^s y^c \| h^s z^c)$.

$\mathrm{SKEDL}[\alpha : y = g^\alpha \wedge z = h^\alpha](m)$ can be seen as two parallel signatures $\mathrm{SKDL}[\alpha : y = g^\alpha]$ and $\mathrm{SKDL}[\alpha : z = h^\alpha]$, where the exponent for the commitments, the challenges, and the responses are the same. This technique can be generalized to signatures of knowledge of representations of several public keys: Whenever two elements of the representations are equal, the respective responses are the same by choosing the same exponent for the commitments and the same challenge. Signatures of knowledge of representations are described in the next subsection.

Signatures of Knowledge of Representations

The signature proves the knowledge of representations of several, say $w$, public keys at the same time. Of course, this can be done by computing $w$ separate signatures

$$\mathrm{SKAREP}\Big[(\alpha_{i,j})_{j \in J_i} : y_i = \prod_{j \in J_i} g_j^{\alpha_{i,j}}\Big](m).$$

However, it is possible to merge these signatures by using the same challenge for all of them and choosing the same exponent for two commitments whenever the respective elements of the representations are equal. Thus we can make the resulting signature shorter.

Definition 3.4.5. A $(u+1)$-tuple $(c, s_1, \ldots, s_u) \in \{0,1\}^\ell \times (\mathbb{Z}_q)^u$ satisfying

is a signature of the message $m \in \{0,1\}^*$ based on a proof of knowledge of representations of $y_1, \ldots, y_w$ with respect to some of the bases $g_1, \ldots, g_k$ and that, additionally, some of the elements of the representations are equal. It is denoted by

SKREP

Anyone can verify the signature by checking

$$c = H(m \| g_1 \| \ldots \| g_k \| y_1 \| \ldots \| y_w \| J_1 \| \ldots \| J_w \| \{e_{ij}\}_{i=1,\ldots,w;\, j \in J_i}$$

Example 3.4.1. Suppose we want to obtain a signature of knowledge that we know $\alpha_1, \alpha_2$, and $\alpha_3$ such that, given $y_1, y_2, y_3$ and $g_1, g_2, g_3$, the following holds:

$$y_1 = g_1^{\alpha_1} g_3^{\alpha_2}, \qquad y_2 = g_2^{\alpha_1} g_3^{\alpha_3}, \qquad y_3 = g_1^{\alpha_1} g_2^{\alpha_3} g_3^{\alpha_2}.$$

The signature

$$\mathrm{SKREP}\big[(\alpha_1, \alpha_2, \alpha_3) : y_1 = g_1^{\alpha_1} g_3^{\alpha_2} \wedge y_2 = g_2^{\alpha_1} g_3^{\alpha_3} \wedge y_3 = g_1^{\alpha_1} g_2^{\alpha_3} g_3^{\alpha_2}\big](m)$$

is a 4-tuple $(c, s_1, s_2, s_3)$, where $e_{11} = 1$, $e_{12} = 2$, $e_{21} = 1$, $e_{22} = 3$, $e_{31} = 1$, $e_{32} = 3$, $e_{33} = 2$, $J_1 = \{1, 3\}$, $J_2 = \{2, 3\}$, and $J_3 = \{1, 2, 3\}$ in Eq. (3.1).

A Fully Public-Key Traitor-Tracing Scheme

A fully public-key traitor-tracing scheme is a public-key traitor-tracing scheme that allows a subscriber to choose his own private decryption key without others learning the key. In this chapter we propose such a scheme and discuss its efficiency and security.

4.1 Introduction

In an open broadcast network, a distributor transmits digital contents to a large number of users in such a way that only subscribers are authorized to extract the contents. Applications include such fee-based services as pay-per-view television and Web financial information channels. Clearly, anyone connected to the open network is able to pick up the data that flow through the broadcast channel, whether authorized or not. A straightforward solution to this problem is for the distributor to separately encrypt the contents with each subscriber’s key before broadcasting the ciphertext.

Now, only the subscribers have the corresponding private keys to decrypt the ciphertext. This issue of secure broadcasting is first addressed in [56]; however, the proposed method carries out n-times encryptions for one copy of data, where n is the number of subscribers. Later, broadcast encryption is proposed [12, 89, 127]. A broadcast-encryption scheme prevents nonsubscribers from extracting the contents. By properly generating keys, the distributor can encrypt the contents with the encryption key derived from all subscribers’ secret keys, and the subscribers have the decryption key to decrypt the ciphertext. The tradeoff between the bandwidth requirement and the keys’ storage space is studied in [16, 17, 143, 212].

A broadcast-encryption scheme remains prone to the collusion attack. Some subscribers may collude to create new decryption keys, and the resulting pirate decoder allows nonsubscribers to extract the contents. To discourage subscribers from revealing their private keys, traitor tracing is initiated in [57, 58] and studied further in [96, 181, 211, 213]. The idea is an algorithm that uses the confiscated pirate decoder to track down at least one colluder without wrongly accusing noncolluders with high probability. Most of these schemes are so-called black-box traceable. This means that the pirate decoder can be queried on different inputs as an oracle but cannot be opened to reveal its private key. Most of the traitor-tracing schemes are secret-key systems. Although they can be based on public keys, complex protocols may result [181]. More recent work in [19] proposes a public-key traitor-tracing scheme; furthermore, as long as the number of colluders is below some threshold, the tracing algorithm catches all and only traitors. The scheme has two disadvantages: It is only partially black-box traceable, and the secret keys of the subscribers are generated by a trusted center (the system is hence not fully public-key). We will present a traitor-tracing scheme with the following strong features: The tracing algorithm is black-box traceable, it tracks down all the colluders regardless of their number, and the subscribers generate their own secret keys (it is thus fully public-key).

Key management is a critical issue. Subscribers’ keys are affected for at least two reasons. First, a key must be discarded if it is found to be pirated or if its user leaves the system. But then the remaining subscribers’ keys may be subject to changes when even one user’s key is discarded. Second, when a new subscriber joins the system, the existing subscribers’ keys may need to be changed to prevent the new subscriber from decrypting the ciphertext received before the new user joins the system. Both scenarios become problematic if pirating is frequent or if the subscriber base is fluid. In order for the subscribers to easily manage their own keys, the system should minimize the need to regenerate subscribers’ secret keys. Such a scheme is said to be long-lived. This attribute is studied in [97]. In that proposed scheme, some subscribers may need to be rekeyed when a sufficient number of keys are discarded.

In contrast, our scheme does not require the regeneration of the secret keys in the above two scenarios. It is therefore perfectly long-lived.

Anonymity is another critical issue for any traitor-tracing scheme because the promise of anonymity usually promotes subscription [127]. We list two cases which may compromise anonymity. First, when new subscribers join the service, their identities may be revealed because of their interaction with the distributor. Second, the broadcast contents themselves may disclose the subscribers’ identities, which makes eavesdropping a threat to the privacy of the subscribers. Our scheme solves both problems: Registering with the service is noninteractive, and analyzing the transmissions does not reveal the subscribers’ identities. Thus, the subscribers’ identities are not known to anyone except the distributor.

We now summarize the features of our traitor-tracing scheme. The traitor-tracing scheme is perfectly long-lived and achieves anonymity. It is a fully public-key system, without relying on a trusted center to generate the keys. The scheme is based on the following ideas. Each subscriber randomly selects a secret key to compute a number which is sent to the distributor. After the distributor receives the numbers from all the subscribers, it combines them to create a single encryption key. Using the ElGamal encryption scheme, digital contents are encrypted with the encryption key. Henceforth, each subscriber uses his or her own secret key to decrypt the ciphertext.

This chapter is organized as follows. In Section 4.2, basic terms are defined. Then in Section 4.3, useful facts in number theory are presented. Section 4.4 describes our scheme and discusses its security. Important attributes of our scheme are analyzed in Section 4.5. Conclusions are given in Section 4.6.