Compact Group Signatures Without Random Oracles


Page 1: Compact Group Signatures  Without Random Oracles

Compact Group Signatures Without Random Oracles

Xavier Boyen and Brent Waters

Page 2: Compact Group Signatures  Without Random Oracles

Vehicle Safety Communication (VSC)

Embedded chips sign status

Integrity - No outsider can spoof

Anonymity - Can’t track person

65 mph, braking, 8 mpg

Page 3: Compact Group Signatures  Without Random Oracles

Vehicle Safety Communication (VSC)

Traceability by Authority

65 mph, braking, 8 mpg

120 mph

Page 4: Compact Group Signatures  Without Random Oracles

Group Signatures [CvH’91]

Group of N users

Any member can sign for group

Anonymous to Outsiders / Authority can trace

Applications
•VSC
•Remote Attestation

Page 5: Compact Group Signatures  Without Random Oracles

Prior Work

Random Oracle Constructions
•RSA [ACJT’00, AST’02, CL’02…]
•Bilinear Map [BBS’04, CL’04]

Generic [BMW’03]
•Formalized definitions

Open – Efficient Const. w/o Random Oracles

Page 6: Compact Group Signatures  Without Random Oracles

This work

Hierarchical ID-Based Signatures in Bilinear Group

GOS ’06 Style NIZK Techniques

Efficient Group Signatures w/o ROs

Page 7: Compact Group Signatures  Without Random Oracles

Hierarchical Identity-Based Sigs

ID-based signature where keys can be derived down further levels

Authority

“Alice”

“Alice” : “Hi Bob”

“Alice” : “Transfer $45”

Page 8: Compact Group Signatures  Without Random Oracles

Our Approach

Setup: N users

Assign identities 0,1,…,n-1

User i gets HIBS on “i”

“0”, “1”, …, “n-2”, “n-1”

Page 9: Compact Group Signatures  Without Random Oracles

Our Approach

Sign (i,M): User i signs “Message” by deriving “i” : “Message”

Encrypts first level to authority and proves well formed

“i”

“i” : “Message”

“i” : “Message” + Proof

Page 10: Compact Group Signatures  Without Random Oracles

Bilinear groups of order N=pq [BGN’05]

$G$: group of order $N = pq$. $(p, q)$ – secret.

Bilinear map: $e: G \times G \to G_T$

Page 11: Compact Group Signatures  Without Random Oracles

BGN encryption, GOS NIZK [GOS’06]

Subgroup assumption: $G \approx_p G_p$

$E(m)$: $r \leftarrow \mathbb{Z}_N$, $C \leftarrow g^m (g_p)^r \in G$

GOS NIZK:

Statement: $C \in G$

Claim: “$C = E(0)$ or $C = E(1)$”

Proof: an element of $G$

Idea:

IF: $C = g\,(g_p)^r$ or $C = (g_p)^r$

THEN: $e(C, C g^{-1}) = e(g_p, g_p)^r \in (G_T)_q$

Page 12: Compact Group Signatures  Without Random Oracles

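Our Group Signature

Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g) \in G_T$, $h \in G_q$

Sign ($K_{\mathrm{ID}}$, $M$):

$g \left(u' \prod_{i=1}^{k} u_i^{\mathrm{ID}_i}\right)^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'}$

$g\, C^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'}$

Proofs - For $i = 1$ to $\lg(n)$: $c_i = u_i^{\mathrm{ID}_i} h^{t_i}$, $\pi_i = \left(u_i^{2\mathrm{ID}_i - 1} h^{t_i}\right)^{t_i}$

$C = \prod_{i=1}^{\lg(n)} c_i$

C is a BGN enc of ID

ID part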

Page 13: Compact Group Signatures  Without Random Oracles

Verification

Sig = $(s_1, s_2, s_3), (c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$

1) Check Proofs: $(c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$

2) $C = \prod_{i=1}^{\lg(n)} c_i$. Know this is an enc. of ID

3) $e(s_1, g)\, e(s_2, C)\, e\left(s_3, v' \prod_{i=1}^{k} v_i^{M_i}\right) = A$

Doesn’t know what 1st level signature is on

Page 14: Compact Group Signatures  Without Random Oracles

Traceability And Anonymity

Proofs:
•$c_i = u_i^{\mathrm{ID}_i} h^{t_i}$, $\pi_i = \left(u_i^{2\mathrm{ID}_i - 1} h^{t_i}\right)^{t_i}$

Traceability
•Authority can decrypt (knows factorization)
•Proofs guarantee that it is well formed

Anonymity
•BGN encryption
•IF $h \in G$ (and not $G_q$) leaks nothing

Page 15: Compact Group Signatures  Without Random Oracles

Open Issues

CCA Security
•Tracing key = Factorization of Group
•Separate the two

Smaller Signatures
•Currently lg(n) size
•Stronger than CDH Assumption?
•Should be Refutable Assumption!

Strong Exculpability

Page 16: Compact Group Signatures  Without Random Oracles

Summary

Group Signature Scheme w/o random oracles
•~lg(n) elements

Several Extensions
•Partial Revelation …

Applied GOS proofs
•Bilinear groups popular
•Proofs work “natively” in these groups

Page 17: Compact Group Signatures  Without Random Oracles

THE END

Page 18: Compact Group Signatures  Without Random Oracles

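A 2-level Sig Scheme [W’05]

Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g) \in G_T$

Enroll (ID): $(K_1, K_2) = \left(g \left(u' \prod_{i=1}^{k} u_i^{\mathrm{ID}_i}\right)^{r},\ g^{-r}\right)$, $0 \le \mathrm{ID} < n$

Sign ($K_{\mathrm{ID}}$, $M$): $(s_1', s_2', s_3') = \left(K_1 \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ K_2,\ g^{-r'}\right)$

$= \left(g \left(u' \prod_{i=1}^{k} u_i^{\mathrm{ID}_i}\right)^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'}\right)$

Verify: $e(s_1', g)\, e\left(s_2', u' \prod_{i=1}^{k} u_i^{\mathrm{ID}_i}\right) e\left(s_3', v' \prod_{i=1}^{k} v_i^{M_i}\right) = A$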

Page 19: Compact Group Signatures  Without Random Oracles

Extensions

Partial Revelation

Prime order group proofs

Hierarchical Identities

Page 20: Compact Group Signatures  Without Random Oracles

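Our Group Signature

Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g) \in G_T$, $h \in G_q$

Enroll (ID): $K_{\mathrm{ID}} = (K_1, K_2, K_3) = \left(g \left(u' \prod_{i=1}^{k} u_i^{\mathrm{ID}_i}\right)^{r},\ g^{-r},\ h^{r}\right)$

Sign ($K_{\mathrm{ID}}$, $M$):

Proofs - For $i = 1$ to $\lg(n)$: $c_i = u_i^{\mathrm{ID}_i} h^{t_i}$, $\pi_i = \left(u_i^{2\mathrm{ID}_i - 1} h^{t_i}\right)^{t_i}$

$C = \prod_{i=1}^{\lg(n)} c_i$

$(s_1', s_2', s_3') = \left(g\, C^{r} \left(v' \prod_{i=1}^{k} v_i^{M_i}\right)^{r'},\ g^{-r},\ g^{-r'}\right)$

C is a BGN enc of ID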
