Compact Group Signatures Without Random Oracles

1
Compact Group Signatures Without Random Oracles
Xavier Boyen and Brent Waters
2
Vehicle Safety Communication (VSC)

• Embedded chips sign status
• Integrity- No outsider can spoof
• Anonymity- Cant track person

65 mph
breaking
8 mpg
3
Vehicle Safety Communication (VSC)

• Traceability by Authority

120 mph
65 mph
breaking
8 mpg
4
Group Signatures CvH91

• Group of N users
• Any member can sign for group
• Anonymous to Outsiders / Authority can trace
• Applications
• VSC
• Remote Attestation

5
Prior Work

• Random Oracle Constructions
• RSA ACJT00, AST02,CL02
• Bilinear Map BBS04,CL04
• Generic BMW03
• Formalized definitions
• Open Efficient Const. w/o Random Oracles

6
This work
Hierarchical ID-Based Signatures in Bilinear Group
GOS 06 Style NIZK Techniques


Efficient Group Signatures w/o ROs
7
Hierarchical Identity-Based Sigs
ID-based signature where derive down further
levels
Authority
Alice
8
Our Approach

• Setup
• N users
• Assign identities 0,1,,n-1
• User i gets HIBS on i

0
1
n-1
n-2
9
Our Approach

• Sign (i,M)
• User i signs Message by deriving i
  Message
• Encrypts first level to authority and proves
  well formed

i Message Proof
i Message
i
10
Bilinear groups of order Npq BGN05

• G group of order Npq. (p,q)
  secret.
• bilinear map e G ? G ? GT

11
BGN encryption, GOS NIZK GOS06

• Subgroup assumption G ?p Gp
• E(m) r ? ZN , C ? gm (gp)r ? G
• GOS NIZK Statement C ? G
• Claim C E(0) or C E(1)
• Proof ? ? G
• idea IF C g ? (gp)r or C
  (gp)r
• THEN e(C , Cg-1) e(gp,gp)r ?
  (GT)q

12
Our Group Signature

• Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
  Ae(g,g)? 2GT , h 2 Gq
• Sign (KID, M)
• g?(u ?ki1 uIDi)r (v ?ki1 vMi)r , g-r ,
  g-r
• g? Cr (v ?ki1 vMi)r , g-r , g-r
• Proofs- For i 1 to lg(n) ci uiIDi hti,
  ?i(u2IDi-1hti)ti
• C ?i1lg(n) ci

C is a BGN enc of ID
13
Verification

• Sig (s1,s2,s3), (c1, ?1),, (clg(n),?lg(n) )
• Check Proofs (c1, ?1),, (clg(n),?lg(n) )
• C ?i1lg(n) ci Know this is an enc. of ID
• e(s_1,g) e(s_2,C) e(s_3, v ?ki1 vMi ) A
• Doesnt know what 1st level signature is on

14
Traceability And Anonymity

• Proofs
• ci uiIDi hti, ?i(u2IDi-1hti)ti
• Traceability
• Authority can decrypt (know factorization)
• Proofs guarantee that it is well formed
• Anonymity
• BGN encryption
• IF h 2 G (and not Gq) leaks nothing

15
Open Issues

• CCA Security
• Tracing key Factorization of Group
• Separate the two
• Smaller Signatures
• Currently lg(n) size
• Stronger than CDH Assumption?
• Should be Refutable Assumption !
• Strong Excupability

16
Summary

• Group Signature Scheme w/o random oracles
• lg(n) elements
• Several Extensions
• Partial Revelation
• Applied GOS proofs
• Bilinear groups popular
• Proofs work natively in these groups

17
THE END
18
A 2-level Sig Scheme W05

• Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
  Ae(g,g)? 2 GT ,
• Enroll (ID) (K1,K2) g?(u ?ki1 uIDi)r, g-r
  0 ID lt n
• Sign (KID, M) (s1,s2,s3) (K1 (v ?ki1
  vMi)r , K2, g-r )
• g?(u ?ki1 uIDi)r (v ?ki1 vMi)r , g-r ,
  g-r
• Verify e(s1,g) e( s2, u ?ki1 uIDi ) e(s3,
  v ?ki1 vMi ) A

19
Extensions

• Partial Revelation
• Prime order group proofs
• Hierarchical Identities

20
Our Group Signature

• Params g, u,u1,,ulg(n), v,v1,,vm, 2 G,
  Ae(g,g)? 2GT , h 2 Gq
• Enroll (ID) KID (K1,K2 ,K3) g?(u ?ki1
  uIDi)r, g-r , hr
• Sign (KID, M)
• Proofs- For i 1 to lg(n) ci uiIDi hti,
  ?i(u2IDi-1hti)ti
• C ?i1lg(n) ci
• (s1,s2,s3) g? Cr (v ?ki1 vMi)r , g-r
  , g-r

C is a BGN enc of ID
21
(No Transcript)