Compact Group Signatures Without Random Oracles - PowerPoint PPT Presentation

About This Presentation
Title:

Compact Group Signatures Without Random Oracles

Description:

1. Compact Group Signatures. Without Random Oracles. Xavier Boyen and Brent Waters. 2 ... Any member can sign for group. Anonymous to Outsiders / Authority can ... – PowerPoint PPT presentation

Number of Views:36
Avg rating:3.0/5.0
Slides: 22
Provided by: danb180
Category:

less

Transcript and Presenter's Notes

Title: Compact Group Signatures Without Random Oracles


1
Compact Group Signatures Without Random Oracles
Xavier Boyen and Brent Waters
2
Vehicle Safety Communication (VSC)
  • Embedded chips sign status
  • Integrity- No outsider can spoof
  • Anonymity- Cant track person

65 mph
breaking
8 mpg
3
Vehicle Safety Communication (VSC)
  • Traceability by Authority

120 mph
65 mph
breaking
8 mpg
4
Group Signatures CvH91
  • Group of N users
  • Any member can sign for group
  • Anonymous to Outsiders / Authority can trace
  • Applications
  • VSC
  • Remote Attestation

5
Prior Work
  • Random Oracle Constructions
  • RSA ACJT00, AST02,CL02
  • Bilinear Map BBS04,CL04
  • Generic BMW03
  • Formalized definitions
  • Open Efficient Const. w/o Random Oracles

6
This work
Hierarchical ID-Based Signatures in Bilinear Group
GOS 06 Style NIZK Techniques


Efficient Group Signatures w/o ROs
7
Hierarchical Identity-Based Sigs
ID-based signature where derive down further
levels
Authority
Alice
8
Our Approach
  • Setup
  • N users
  • Assign identities 0,1,,n-1
  • User i gets HIBS on i


0
1
n-1
n-2
9
Our Approach
  • Sign (i,M)
  • User i signs Message by deriving i
    Message
  • Encrypts first level to authority and proves
    well formed

i Message Proof
i Message
i
10
Bilinear groups of order Npq BGN05
  • G group of order Npq. (p,q)
    secret.
  • bilinear map e G ? G ? GT

11
BGN encryption, GOS NIZK GOS06
  • Subgroup assumption G ?p Gp
  • E(m) r ? ZN , C ? gm (gp)r ? G
  • GOS NIZK Statement C ? G
  • Claim C E(0) or C E(1)
  • Proof ? ? G
  • idea IF C g ? (gp)r or C
    (gp)r
  • THEN e(C , Cg-1) e(gp,gp)r ?
    (GT)q

12
Our Group Signature
  • Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
    Ae(g,g)? 2GT , h 2 Gq
  • Sign (KID, M)
  • g?(u ?ki1 uIDi)r (v ?ki1 vMi)r , g-r ,
    g-r
  • g? Cr (v ?ki1 vMi)r , g-r , g-r
  • Proofs- For i 1 to lg(n) ci uiIDi hti,
    ?i(u2IDi-1hti)ti
  • C ?i1lg(n) ci

C is a BGN enc of ID
13
Verification
  • Sig (s1,s2,s3), (c1, ?1),, (clg(n),?lg(n) )
  • Check Proofs (c1, ?1),, (clg(n),?lg(n) )
  • C ?i1lg(n) ci Know this is an enc. of ID
  • e(s_1,g) e(s_2,C) e(s_3, v ?ki1 vMi ) A
  • Doesnt know what 1st level signature is on

14
Traceability And Anonymity
  • Proofs
  • ci uiIDi hti, ?i(u2IDi-1hti)ti
  • Traceability
  • Authority can decrypt (know factorization)
  • Proofs guarantee that it is well formed
  • Anonymity
  • BGN encryption
  • IF h 2 G (and not Gq) leaks nothing

15
Open Issues
  • CCA Security
  • Tracing key Factorization of Group
  • Separate the two
  • Smaller Signatures
  • Currently lg(n) size
  • Stronger than CDH Assumption?
  • Should be Refutable Assumption !
  • Strong Excupability

16
Summary
  • Group Signature Scheme w/o random oracles
  • lg(n) elements
  • Several Extensions
  • Partial Revelation
  • Applied GOS proofs
  • Bilinear groups popular
  • Proofs work natively in these groups

17
THE END
18
A 2-level Sig Scheme W05
  • Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
    Ae(g,g)? 2 GT ,
  • Enroll (ID) (K1,K2) g?(u ?ki1 uIDi)r, g-r
    0 ID lt n
  • Sign (KID, M) (s1,s2,s3) (K1 (v ?ki1
    vMi)r , K2, g-r )
  • g?(u ?ki1 uIDi)r (v ?ki1 vMi)r , g-r ,
    g-r
  • Verify e(s1,g) e( s2, u ?ki1 uIDi ) e(s3,
    v ?ki1 vMi ) A

19
Extensions
  • Partial Revelation
  • Prime order group proofs
  • Hierarchical Identities

20
Our Group Signature
  • Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
    Ae(g,g)? 2GT , h 2 Gq
  • Enroll (ID) KID (K1,K2 ,K3) g?(u ?ki1
    uIDi)r, g-r , hr
  • Sign (KID, M)
  • Proofs- For i 1 to lg(n) ci uiIDi hti,
    ?i(u2IDi-1hti)ti
  • C ?i1lg(n) ci
  • (s1,s2,s3) g? Cr (v ?ki1 vMi)r , g-r
    , g-r

C is a BGN enc of ID
21
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com