Presentation is loading. Please wait.

Presentation is loading. Please wait.

A New Life for Group Signatures Dan Boneh Stanford University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A New Life for Group Signatures Dan Boneh Stanford University."— Presentation transcript:

1 A New Life for Group Signatures Dan Boneh Stanford University

2 Group Signatures: intuition Simple solution: give all users same private key … … but, extra requirements:  Ability to revoke signers when needed.  Tracing Authority: trapdoor for undoing sig privacy. Key Issuer User 1 User 2 Is sig from user 1 or 2? msg sig

3 History  D. Chaum and E. van Heyst. [EC ’91]  N. Baric and B. Pfitzman [EC ’97]  G. Ateniese, J. Camenisch, M. Joye, G. Tsudik [EC ’00]  J. Camenisch and A. Lysyanskaya. [Cr ’02]  G. Ateniese, D. Song, and G. Tsudik [FC ’02]  M. Bellare, D. Micciancio, and B. Warinschi [EC ’03]

4 This talk Recent real-world applications. Privacy definitions and models.  Zoology: 9 models for group sigs … New group sig constructions [BBS ’04]  Very short. Very efficient.  Based on Strong-DH (using bilinear maps)

5 Basic group signatures [BMW’03] Basic: tracing, but no revocation (static groups). Group sig system consists of four algorithms:  Setup(,n): = sec param. n = #users. Output:group-pub-key ( GPK ), ( GSK 1, …, GSK n ), group-tracing key ( GTK )  Sign(M, GSK i ): outputs group signature  on M.  Verify(M, , GPK ): outputs `yes’ or `no’  Trace(M, , GTK ): outputs i  {1,…,n} or `fail’ Precise security requirements: later …

6 Recent Applications for Group Sigs Two recent “real-world” applications: 1.Trusted Computing (TCG, NGSCB) 2.Vehicle Safety Communications (VSC)

7 App. 1: Trusted Computing TCG : Trusted Computing Group (aka TCPA ). NGSCB : Next Gen Secure Comp Base (aka Palladium) Provides new capability: Attestation.  Enables an application to authenticate its executable code to a remote server.  Uses: home banking, online games, …, DRM

8 (Very) High level architecture SSC: Security Support Component (“tamper resistant” chip)  Issues: cert NXS = [ hash(nexus-code), nxs-pub-key, sig-ssc ] priv, pub APP, cert APP Nexus App 1 App 2 App Untrusted OS Untrusted SideSecure Side User spc Kernel HAL SSC priv, pub SSC, cert SSC Nexus: Protects and isolates apps on secure side.  Issues: cert APP = [ hash(app-code), app-pub-key, sig-nxs ] priv, pub NXS, cert NXS Attestation:app uses cert-chain = [ cert APP, cert NXS, cert SSC ] in key exchange with remote server.

9 Privacy Problem SSC’s cert is sent to remote server on every attestation.  SSC’s cert identifies machine (recall Intel unique x86 ID’s)  Attestation breaks privacy tools (e.g. anonymizer.com)  Simple solution: give all SSC’s same priv-key and cert ssc. Bad idea: no way to revoke compromised SSC.  Initial TCG Solution: Privacy CA. Trusted online service that anonymizes SSC’s cert.  Better solution: group signatures. No online service [Brickell] Group is set of all SSC’s. Manufacturer embeds a group priv-key ( GSK ) in each SSC. cert NXS issued by SSC does not reveal machine ID. Trace and revoke SSC key in case of SSC compromise.

10 App. 2: Vehicle Safety Comm. (VSC) Car 1Car 2Car 3Car 4 brake 1. 2. Car Ambulance out of my way !!  Require authenticated (signed) messages from cars.  Prevent impersonation and DoS on traffic system.  Privacy problem: cars broadcasting signed (x,y, v ).  Clean solution: group sigs. Group = set of all cars.  Project requirement: msg-size < 300 bytes  Need short group signatures.

11 Characteristics of both applications Signing key in tamper resistant chip in user’s hands.  Signing key embedded at manufacturing time. Revocation only needed for tamper resistance failure.  Infrequent. (unlike a private subscription service)  Tracing may or may not be needed.

12 Group signatures: basic definitions Def: A Basic Group Signature (static groups & tracing) (setup, sign, verify, trace) is secure if it has: 1.full-privacy property, and 2.full-traceability property. [BMW’03]

13 (CCA) Full-Privacy No poly. time alg. wins the following game with non-negligible advantage: Run Setup GTK GPK, (GSK 1, …, GSK n )  Trace( GTK,  )  * = Sign( M *, GSK i b ) M *, i 0, i 1 b  {0,1} Challnger Attacker b’  {0,1} b = b’ ? Open problem: efficiently handle CCA2 tracing attack. Instead, will use: CPA -full-privacy  ≠  *

14 Full-Traceability No poly. time alg. wins the following game with non-negligible probability: Run Setup GSK 1 …GSK n GPK, GTK j 1, j 2, j 3, … GSK j 1, GSK j 2, GSK j 3, … Challnger Attacker (m 1, i 1 ), (m 2, i 2 ), (m 3, i 3 ), …  1,  2,  3, … (m *,  * ) 1.Verify( m *,  *, GPK ) = ‘ yes ’ 2.(m *,  * )  { (m 1,  1 ), … } 3.Trace( m *,  *, GTK )  { j 1, … } Attacker wins if :

15 Resulting properties (informal) Unforgeability. Group sig is existentially unforgeable under a chosen message attack. Unlinkable. Given two group sigs it is not possible to tell whether they were generated by same user. No Framing. A coalition of users cannot create a signature that traces to a user outside the coalition. Note: no exculpability. Key-Issuer might be able to forge signatures on behalf of a given user.  ACJT’00, BBS’04 provide exculpability.  May not be needed in real world (e.g., none in std. PKI )

16 Revocation Mechanisms Revocation goal (intuition):  After users {i 1, …, i r } are revoked they cannot issue new valid group sigs. For now, ignore validity/privacy of old group sigs.

17 Revocation Mechanisms (easiest  hardest) Type 0: For each revocation event, generate new GPK. G ive each unrevoked user its new private key. Type 1: For each revocation event, send a short broadcast message RL to all signers and all verifiers. (msg-len independent of group size)  Implementation: [CL’02] verifiers:( GPK old, RL)  GPK new active user i:( GSK i,old, RL)  GSK i,new Type 2: For each revocation, send msg to verifiers only.  Implementation:Verify( GPK, (m,  ), RL )  Note: old sigs of revoked users are no longer private.

18 Tracing Mechanisms (easiest  hardest) Type 0: No tracing possible. Type 1: Given a black box signing device, can identify at least one member of coalition that created device.  Note: Trace sig(.) ( GTK ) is now an oracle alg.  Definition: similar to full-traceability. Type 2: Full-traceability. Given a signature, can identify at least one member of coalition that created sig.

19 Zoology: Group signature types [ 3 rd dimension: exculpability (yes/no) ] RT0RT1RT2 TT0 Global Secret Key Global key with NNL broadcast enc. BBS’03 AST’02 (built in tracing) TT1BBS’04 Lite TT2 BMW ‘03 ACJT ‘00 CL’02 BBS’04 revoke Trace Each square below requires precise def (as for RT0-TT2 )

20 Constructions : Construction from general primitives [BMW’03]  Usespublic key encryption, Signature scheme, Non-Interactive Zero Knowledge. Specific constructions (using Fiat-Shamir heuristic) :  Based on the Strong-RSA assumption [ACJT’00, … ]  New: Based on the Strong-DH assumption [BBS’04] Much shorter sigs than Strong-RSA counter-part.

21 Strong Diffie-Hellman [BB ’04, BBS ’04] n-SDH problem: let G be a group of prime order p.  Input: g, g x, g (x 2 ), g (x 3 ), …, g (x n )  G  Output: (A, e) s.t. A x+e = g [ Strong-RSA: given (N,s) output (A,e) s.t. A e =s (N) ] n-SDH Assumption: “ n-SDH problem is hard for rand x ” Evidence n-SDH is a hard problem: Thm: An algorithm that solves n-SDH with prob.  in a generic group of order p requires time  (   p/n )

22 App: Short sigs without RO [BB’04] Setup: x,y  Z p ; PK = (g, g x, g y ) ; SK = (x,y) Sign(m, (x,y) ): r  Z p ;  = ( g 1/(x+ry+m), r ) Verify(m,  = (h,r) ): test e(h, g x  (g y ) r  g m ) = e(g,g) Thm: Signature scheme is existentially unforgeable under an n-chosen message attack, assuming (n+1)-SDH holds Signature is as short as DSA, but has a complete proof of security without random oracles.

23 Encryption of A j Group sigs from SDH (RT1-TT2) [BBS ’04] Setup(n): random a, b, c  {1,…,p-1} GPK  (g, h, h a, h b, g c ) ; GTK  (a,b) GSK j  ( x j, A j = g 1/(c+x j ) ) for j = 1,…, n Sign(m, GSK j ) = random d, e  {1,…,p-1} T 1 = (h a ) d ; T 2 = (h b ) e ; T 3 = A j  h d+e Proof  ZKPK m ( d, e, x j, dx j, ex j ) satisfying 5 relations. sig = [T 1, T 2, T 3, Proof ] (9 elements) Trace( , (a,b) ) = T 3 / (T 1 a  T 2 b ) = A i Decryption

24 New group sig properties Security:  Full-Traceability: based on n-SDH  CPA-Full-Privacy: based on Decision Linear. Supports simple Type 1 revocation. Length:   same length as standard RSA signature.  In practice  200 bytes (!) for 1024-bit security.

25 Revocation (Type 1) Recall GPK  (g, h, h a, h b, g c ) To revoke GSK 1 = ( x 1, A 1 = g 1/(c+x 1 ) ) do:  Publish GSK 1 in the clear.  GPK new  ( A 1, h, h a, h b, A 1 c )  GSK i,new  ( x i, A 1 1/(c+x i ) ) Main point: all unrevoked users can compute GSK i,new.  Revoked user can no longer issue sigs (under SDH).

26 Conclusions Lots of group signature models.  Three tracing models. Three revocation models.  Use most efficient system that meets your needs … New constructions:  Short group signatures (same as std. RSA sigs).  Flexible: can be adapted to all trace/revoke models. Open problems:  Efficient group sigs (RT0-TT2) without random oracles.  Efficient CCA-full-privacy with/without random oracles.

Download ppt "A New Life for Group Signatures Dan Boneh Stanford University."

Similar presentations

A Crash Course in Modern Crypto Tools Dan Boneh Stanford University.

A Crash Course in Modern Crypto Tools Dan Boneh Stanford University.
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
Vpn-info.com.

Vpn-info.com.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.

Public Key Management Brent Waters. Page 2 Last Time  Saw multiple one-way function candidates for sigs. OWP (AES) Discrete Log Trapdoor Permutation.
Identity Based Encryption

Identity Based Encryption
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:

Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

1 CPSC156: The Internet Co-Evolution of Technology and Society Lectures 19,20, and 21: April 5, 10, and 12, 2007 Cryptographic Primitives.

Similar presentations

Ads by Google