Title: Compact Group Signatures Without Random Oracles
1. Compact Group Signatures Without Random Oracles
Xavier Boyen and Brent Waters
2. Vehicle Safety Communication (VSC)
- Embedded chips sign status
- Integrity: No outsider can spoof
- Anonymity: Can't track person
[Figure: vehicle status messages: 65 mph, braking, 8 mpg]
3. Vehicle Safety Communication (VSC)
- Traceability by Authority
[Figure: vehicle status messages: 120 mph, 65 mph, braking, 8 mpg]
4. Group Signatures [CvH91]
- Group of N users
- Any member can sign for group
- Anonymous to Outsiders / Authority can trace
- Applications
- VSC
- Remote Attestation
5. Prior Work
- Random Oracle Constructions
- RSA [ACJT00, AST02, CL02]
- Bilinear Map [BBS04, CL04]
- Generic [BMW03]
- Formalized definitions
- Open: Efficient Construction w/o Random Oracles
6. This work
Hierarchical ID-Based Signatures in Bilinear Group
[GOS06]-Style NIZK Techniques
Efficient Group Signatures w/o ROs
7. Hierarchical Identity-Based Sigs
ID-based signature where keys can be derived down further levels
[Figure labels: Authority, Alice]
8. Our Approach
- Setup
- N users
- Assign identities 0, 1, ..., n-1
- User i gets HIBS on i
[Figure labels: 0, 1, ..., n-2, n-1]
9. Our Approach
- Sign (i, M)
- User i signs Message by deriving (i, Message)
- Encrypts first level to authority and proves well formed
[Figure labels: i, Message, Proof; i, Message; i]
10. Bilinear groups of order $N = pq$ [BGN05]
- $G$: group of order $N = pq$. $(p, q)$ secret.
- Bilinear map $e: G \times G \to G_T$
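11. BGN encryption, GOS NIZK [GOS06]
- Subgroup assumption: $G \approx_p G_p$
- $E(m)$: $r \leftarrow \mathbb{Z}_N$, $C \leftarrow g^{m} (g_p)^{r} \in G$
- GOS NIZK: Statement $C \in G$
- Claim: $C = E(0)$ or $C = E(1)$
- Proof: $\pi \in G$
- Idea: IF $C = g \cdot (g_p)^{r}$ or $C = (g_p)^{r}$
- THEN $e(C, C g^{-1}) = e(g_p, g_p)^{r} \in (G_T)_q$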
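12. Our Group Signature
- Params: $g, u, u_1, \dots, u_{\lg(n)}, v, v_1, \dots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$
- Sign ($K_{ID}$, M)
- $g^{\alpha} (u \prod_{i=1}^{k} u_i^{ID_i})^{r} (v \prod_{i=1}^{k} v_i^{M_i})^{r},\ g^{-r},\ g^{-r}$
- $g^{\alpha} C^{r} (v \prod_{i=1}^{k} v_i^{M_i})^{r},\ g^{-r},\ g^{-r}$
- Proofs: For $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u^{2ID_i - 1} h^{t_i})^{t_i}$
- $C = \prod_{i=1}^{\lg(n)} c_i$
C is a BGN enc of ID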
13. Verification
- Sig: $(s_1, s_2, s_3), (c_1, \pi_1), \dots, (c_{\lg(n)}, \pi_{\lg(n)})$
- Check Proofs $(c_1, \pi_1), \dots, (c_{\lg(n)}, \pi_{\lg(n)})$
- $C = \prod_{i=1}^{\lg(n)} c_i$. Know this is an enc. of ID
- $e(s_1, g)\, e(s_2, C)\, e(s_3, v \prod_{i=1}^{k} v_i^{M_i}) = A$
- Doesn't know what the 1st-level signature is on
14. Traceability And Anonymity
- Proofs
- $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u^{2ID_i - 1} h^{t_i})^{t_i}$
- Traceability
- Authority can decrypt (knows factorization)
- Proofs guarantee that it is well formed
- Anonymity
- BGN encryption
- IF $h \in G$ (and not $G_q$), leaks nothing
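The BGN encryption and 0/1 proof from slide 11, together with the authority's decryption from slide 14, worked through in a toy model; this is an added example, not code from the talk or the paper. Assumptions: each group element is stored as its exponent modulo N (so discrete logs are public and only the algebra is checked), g_p is read as g^q, the proof uses the slide-12 shape with g and g_p in place of u and h, and the primes and helper names are constructed.

```python
# Toy model, constructed for illustration and NOT secure: a group element g^x
# is stored as its exponent x mod N, so every discrete log is public by design.
import secrets

p, q = 1009, 1013   # constructed small primes; (p, q) is the authority's secret
N = p * q           # group order N = pq
g = 1               # generator g = g^1
g_p = q             # g_p = g^q, an element of order p (assumed reading of "g_p")

def mul(x, y):      # group law: g^x * g^y = g^(x+y)
    return (x + y) % N

def power(x, k):    # (g^x)^k = g^(xk); also used for G_T elements
    return (x * k) % N

def pair(x, y):     # e(g^x, g^y) = e(g,g)^(xy)
    return (x * y) % N

def encrypt(m, r=None):
    """BGN encryption E(m) = g^m (g_p)^r; returns (C, r)."""
    r = secrets.randbelow(N) if r is None else r
    return mul(power(g, m), power(g_p, r)), r

def prove(m, r):
    """pi = (g^(2m-1) (g_p)^r)^r, the slide-12 proof shape with g, g_p for u, h."""
    return power(mul(power(g, 2 * m - 1), power(g_p, r)), r)

def verify(C, pi):
    """Public check, no factorization needed: e(C, C g^-1) == e(g_p, pi)."""
    return pair(C, mul(C, power(g, -1))) == pair(g_p, pi)

def trace_bit(C):
    """Authority only: C^p removes the (g_p)^r blinding and leaves (g^p)^m."""
    Cp = power(C, p)
    for m in (0, 1):
        if Cp == power(power(g, p), m):
            return m
    raise ValueError("not an encryption of a bit")

if __name__ == "__main__":
    for bit in (0, 1):
        C, r = encrypt(bit)
        print(bit, verify(C, prove(bit, r)), trace_bit(C))
    C, r = encrypt(2)                      # malformed: not a bit
    print(2, verify(C, prove(2, r)))       # False
```

For a ciphertext of 2 the left side of the check keeps a nonzero e(g,g) component, while e(g_p, pi) never has one, so no choice of pi can make the equation hold.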
15. Open Issues
- CCA Security
- Tracing key: Factorization of Group
- Separate the two
- Smaller Signatures
- Currently lg(n) size
- Stronger than CDH Assumption?
- Should be Refutable Assumption!
- Strong Exculpability
16. Summary
- Group Signature Scheme w/o random oracles
- lg(n) elements
- Several Extensions
- Partial Revelation
- Applied GOS proofs
- Bilinear groups popular
- Proofs work natively in these groups
17. THE END
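18. A 2-level Sig Scheme [W05]
- Params: $g, u, u_1, \dots, u_{\lg(n)}, v, v_1, \dots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$
- Enroll (ID): $(K_1, K_2) = (g^{\alpha} (u \prod_{i=1}^{k} u_i^{ID_i})^{r},\ g^{-r})$, $0 \le ID < n$
- Sign ($K_{ID}$, M): $(s_1, s_2, s_3) = (K_1 (v \prod_{i=1}^{k} v_i^{M_i})^{r},\ K_2,\ g^{-r})$
- $= (g^{\alpha} (u \prod_{i=1}^{k} u_i^{ID_i})^{r} (v \prod_{i=1}^{k} v_i^{M_i})^{r},\ g^{-r},\ g^{-r})$
- Verify: $e(s_1, g)\, e(s_2, u \prod_{i=1}^{k} u_i^{ID_i})\, e(s_3, v \prod_{i=1}^{k} v_i^{M_i}) = A$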
19. Extensions
- Partial Revelation
- Prime order group proofs
- Hierarchical Identities
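20. Our Group Signature
- Params: $g, u, u_1, \dots, u_{\lg(n)}, v, v_1, \dots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$
- Enroll (ID): $K_{ID} = (K_1, K_2, K_3) = (g^{\alpha} (u \prod_{i=1}^{k} u_i^{ID_i})^{r},\ g^{-r},\ h^{r})$
- Sign ($K_{ID}$, M)
- Proofs: For $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u^{2ID_i - 1} h^{t_i})^{t_i}$
- $C = \prod_{i=1}^{\lg(n)} c_i$
- $(s_1, s_2, s_3) = (g^{\alpha} C^{r} (v \prod_{i=1}^{k} v_i^{M_i})^{r},\ g^{-r},\ g^{-r})$
C is a BGN enc of ID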