compact group signatures without random oracles
DESCRIPTION
Compact Group Signatures Without Random Oracles. Xavier Boyen and Brent Waters. Vehicle Safety Communication (VSC). Embedded chips sign status Integrity - No outsider can spoof Anonymity - Can’t track person. 65 mph. breaking. 8 mpg. Vehicle Safety Communication (VSC). - PowerPoint PPT PresentationTRANSCRIPT
1
Compact Group Signatures Without Random Oracles
Xavier Boyen and Brent Waters
2
Vehicle Safety Communication (VSC)
Embedded chips sign status
Integrity- No outsider can spoof
Anonymity- Can’t track person
65 mphbreakin
g8 mpg
3
Vehicle Safety Communication (VSC)
Traceability by Authority
65 mphbreakin
g8 mpg
120 mph
4
Group Signatures [CvH’91]
Group of N users
Any member can sign for group
Anonymous to Outsiders / Authority can trace
Applications•VSC•Remote Attestation
5
Prior Work
Random Oracle Constructions•RSA [ACJT’00, AST’02,CL’02…]•Bilinear Map [BBS’04,CL’04]
Generic [BMW’03]•Formalized definitions
Open – Efficient Const. w/o Random Oracles
6
This work
Hierarchical ID-Based
Signatures in Bilinear Group
GOS ’06 Style
NIZK Techniques
Efficient Group Signatures w/o
ROs
7
Hierarchical Identity-Based Sigs
ID-based signature where derive down further levels
Authority
“Alice”“Alice” : ”Hi Bob”
“Alice” : ”Transfer $45”
8
Our Approach
Setup: N users Assign identities 0,1,…,n-1 User i gets HIBS on “i”
…
“0” “1” “n-1”“n-2”
9
Our Approach
Sign (i,M): User i signs “Message” by deriving “i” : “Message” Encrypts first level to authority and proves well
formed
“i” : ”Message”
“i”“i” : ”Message” + Proof
10
Bilinear groups of order N=pq [BGN’05]
G: group of order N=pq. (p,q) – secret.
bilinear map: e: G G GT
11
BGN encryption, GOS NIZK [GOS’06]
Subgroup assumption: G p Gp
E(m) : r ZN , C gm (gp)r G
GOS NIZK: Statement: C G
Claim: “ C = E(0) or C = E(1) ’’
Proof: G
idea: IF: C = g (gp)r or C = (gp)r
THEN: e(C , Cg-1) = e(gp,gp)r (GT)
q
12
Our Group Signature
Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g) 2GT , h 2 Gq
Sign (KID, M):
g(u’ ki=1 uIDi)r (v’ k
i=1 vMi)r’ , g-r , g-r’
g Cr (v’ ki=1 vMi)r’ , g-r , g-r’
Proofs- For i= 1 to lg(n): ci= uiIDi hti, i=(u2IDi-1hti)ti
C= i=1lg(n) ci C is a BGN enc of ID
ID part
13
Verification
Sig = (s1,s2,s3), (c1, 1),…, (clg(n),lg(n) )
1) Check Proofs: (c1, 1),…, (clg(n),lg(n) )
2) C= i=1lg(n) ci Know this is an enc. of ID
3) e(s_1,g) e(s_2,C) e(s_3, v’ ki=1 vMi ) = A
Doesn’t know what 1st level signature is on
14
Traceability And Anonymity
Proofs:
•ci= uiIDi hti, i=(u2IDi-1hti)ti
Traceability •Authority can decrypt (know factorization)•Proofs guarantee that it is well formed
Anonymity•BGN encryption
• IF h 2 G (and not Gq) leaks nothing
15
Open Issues
CCA Security•Tracing key = Factorization of Group•Separate the two
Smaller Signatures•Currently lg(n) size•Stronger than CDH Assumption?•Should be Refutable Assumption !
Strong Excupability
16
Summary
Group Signature Scheme w/o random oracles•~lg(n) elements
Several Extensions•Partial Revelation …
Applied GOS proofs •Bilinear groups popular•Proofs work “natively” in these groups
17
THE END
18
A 2-level Sig Scheme [W’05]
Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g) 2 GT ,
Enroll (ID): (K1,K2) = g(u’ ki=1 uIDi)r, g-r 0· ID < n
Sign (KID, M): (s1’,s2’,s3’)= (K1 (v’ ki=1 vMi)r’ , K2, g
-r’ )
= g(u’ ki=1 uIDi)r (v’ k
i=1 vMi)r’ , g-r , g-r’
Verify: e(s1’,g) e( s2’, u’ ki=1 uIDi ) e(s3’, v’ k
i=1 vMi ) = A
19
Extensions
Partial Revelation
Prime order group proofs
Hierarchical Identities
20
Our Group Signature
Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g) 2GT , h 2 Gq
Enroll (ID): KID (K1,K2 ,K3) = g(u’ ki=1 uIDi)r, g-r , hr
Sign (KID, M):
Proofs- For i= 1 to lg(n): ci= uiIDi hti, i=(u2IDi-1hti)ti
C= i=1lg(n) ci
(s1’,s2’,s3’) = g Cr (v’ ki=1 vMi)r’ , g-r , g-r’
C is a BGN enc of ID
21