Published by Lauren Hardy. Modified over 9 years ago.
1 Compact Group Signatures Without Random Oracles
Xavier Boyen and Brent Waters
2 Vehicle Safety Communication (VSC)
Embedded chips sign status
Integrity: no outsider can spoof
Anonymity: can't track person
[Figure labels: 65 mph, braking, 8 mpg]
3 Vehicle Safety Communication (VSC)
Traceability by Authority
[Figure labels: 65 mph, braking, 8 mpg, 120 mph]
4 Group Signatures [CvH'91]
Group of N users
Any member can sign for group
Anonymous to outsiders / Authority can trace
Applications:
  VSC
  Remote Attestation
5 Prior Work
Random Oracle Constructions:
  RSA [ACJT'00, AST'02, CL'02, …]
  Bilinear Map [BBS'04, CL'04]
Generic [BMW'03]:
  Formalized definitions
Open: Efficient Const. w/o Random Oracles
6 This work
Hierarchical ID-Based Signatures in Bilinear Group
GOS '06 Style NIZK Techniques
Efficient Group Signatures w/o ROs
7 Hierarchical Identity-Based Sigs
ID-based signatures where one can derive down to further levels
[Figure labels: Authority; "Alice"; "Alice" : "Hi Bob"; "Alice" : "Transfer $45"]
8 Our Approach
Setup: N users
Assign identities 0, 1, …, n-1
User i gets HIBS on "i"
[Figure labels: "0", "1", …, "n-2", "n-1"]
9 Our Approach
Sign (i, M):
  User i signs "Message" by deriving "i" : "Message"
  Encrypts first level to authority and proves well formed
[Figure labels: "i"; "i" : "Message"; "i" : "Message" + Proof]
10 Bilinear groups of order N=pq [BGN'05]
$G$: group of order $N = pq$. $(p, q)$: secret.
Bilinear map: $e : G \times G \to G_T$
11 BGN encryption, GOS NIZK [GOS'06]
Subgroup assumption: $G \approx_p G_p$
$E(m)$: $r \leftarrow \mathbb{Z}_N$, $C \leftarrow g^{m} (g^{p})^{r} \in G$
GOS NIZK:
  Statement: $C \in G$
  Claim: "$C = E(0)$ or $C = E(1)$"
  Proof: $\pi \in G$
  Idea: IF $C = g\,(g^{p})^{r}$ or $C = (g^{p})^{r}$ THEN $e(C, C g^{-1}) = e(g^{p}, g^{p})^{r} \in (G_T)_q$
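12 Our Group Signature
Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$
Sign ($K_{ID}$, $M$):
  $\left( g^{\alpha} \left(u' \prod_{i=1}^{k} u_i^{ID_i}\right)^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'} \right)$
  $\left( g^{\alpha}\, C^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'} \right)$
Proofs: for $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = \left(u_i^{2 ID_i - 1} h^{t_i}\right)^{t_i}$
$C = \prod_{i=1}^{\lg(n)} c_i$
$C$ is a BGN enc of ID (ID part)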
13 Verification
Sig = $(s_1, s_2, s_3), (c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$
1) Check proofs: $(c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$
2) $C = \prod_{i=1}^{\lg(n)} c_i$ (know this is an enc. of ID)
3) $e(s_1, g)\, e(s_2, C)\, e\!\left(s_3, v' \prod_{i=1}^{k} v_i^{M_i}\right) = A$
Doesn't know what 1st level signature is on
14 Traceability And Anonymity
Proofs: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = \left(u_i^{2 ID_i - 1} h^{t_i}\right)^{t_i}$
Traceability:
  Authority can decrypt (knows factorization)
  Proofs guarantee that it is well formed
Anonymity:
  BGN encryption
  If $h \in G$ (and not $G_q$), leaks nothing
15 Open Issues
CCA Security
  Tracing key = Factorization of Group
  Separate the two
Smaller Signatures
  Currently lg(n) size
Stronger than CDH Assumption?
  Should be Refutable Assumption!
Strong Exculpability
16 Summary
Group Signature Scheme w/o random oracles
  ~lg(n) elements
Several Extensions
  Partial Revelation
  …
Applied GOS proofs
  Bilinear groups popular
  Proofs work "natively" in these groups
17 THE END
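18 A 2-level Sig Scheme [W'05]
Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$
Enroll (ID): $(K_1, K_2) = \left( g^{\alpha} \left(u' \prod_{i=1}^{k} u_i^{ID_i}\right)^{r},\ g^{-r} \right)$, $0 \le ID < n$
Sign ($K_{ID}$, $M$): $(s_1', s_2', s_3') = \left( K_1 \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ K_2,\ g^{-r'} \right)$
  $= \left( g^{\alpha} \left(u' \prod_{i=1}^{k} u_i^{ID_i}\right)^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'} \right)$
Verify: $e(s_1', g)\, e\!\left(s_2', u' \prod_{i=1}^{k} u_i^{ID_i}\right) e\!\left(s_3', v' \prod_{i=1}^{k} v_i^{M_i}\right) = A$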
19 Extensions
Partial Revelation
Prime order group proofs
Hierarchical Identities
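20 Our Group Signature
Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$
Enroll (ID): $K_{ID} = (K_1, K_2, K_3) = \left( g^{\alpha} \left(u' \prod_{i=1}^{k} u_i^{ID_i}\right)^{r},\ g^{-r},\ h^{r} \right)$
Sign ($K_{ID}$, $M$):
  Proofs: for $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = \left(u_i^{2 ID_i - 1} h^{t_i}\right)^{t_i}$
  $C = \prod_{i=1}^{\lg(n)} c_i$
  $(s_1', s_2', s_3') = \left( g^{\alpha}\, C^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'} \right)$
$C$ is a BGN enc of ID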