1 / 19

Cascaded Authorization with Anonymous-Signer Aggregate Signatures

Cascaded Authorization with Anonymous-Signer Aggregate Signatures. Danfeng Yao Department of Computer Science Brown University Joint work with Roberto Tamassia NSF grants CCF–0311510, CNS–0303577 and IIS–0324846. Outline . Motivation for anonymity and aggregation

graham-harding
Download Presentation

Cascaded Authorization with Anonymous-Signer Aggregate Signatures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cascaded Authorization with Anonymous-Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with Roberto Tamassia NSF grants CCF–0311510, CNS–0303577 and IIS–0324846 IAW 2006

  2. Outline • Motivation for anonymity and aggregation • Construction of Anonymous-Signer Aggregate Signature Scheme • Security properties of the scheme • Applications

  3. Digital credential • Digital credential is signed by the issuer with a digital signature scheme • To certify the credential holder • Digital signature scheme • Signing uses the private key • Verification uses the public key Bob’s credential Bob is a university professor University Bob University’s signature Public key Public key Private key The credential can be verified against university’s public key Private key

  4. Motivation: Anonymous authorization 2. Request to sign Cashier’s check Bank • Group signature schemes • [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04,Camenisch Lysyanskaya 04] • Support anonymity 1. Certify membership 3. Authorization Bank cashiers

  5. Motivation: Aggergation 2. Authorization 1. Request 4. Authorization 3. Authorization [Boneh Gentry Shacham Lynn 03]

  6. Our goal: Aggregate anonymous signatures • Signing anonymity • Signature aggregation Delegation Delegation Delegation Aggregate Signature Delegation Signatures Aggregate

  7. Anonymous authorization chain 2. Authorization 1. Request 4. Authorization 3. Authorization

  8. Anonymous-signer aggregate signature scheme • Properties • Aggregation: Bob’s signature can be added with Alice’s • Anonymity: No one can tell that a signature is from Bob • Unlinkability: No one can tell that two signatures are from Bob • Non-framing: Alice cannot sign on behalf of Bob • Traceability: Bob’s boss can find out that Bob is the signer • Existing signature schemes do not satisfy all the requirements • Aggregate signature scheme • Group signature scheme • Challenge: extending existing schemes is non-trivial

  9. Aggregate signature scheme • Aggregate signature scheme [Boneh Gentry Shacham Lynn 03] • The size of signatures and public keys 170 bits with security comparable to 1024 bit RSA and 320 bit DSA schemes • Verification is linear in the number of individual signatures PK1,SK1 Bob PK2,SK2 PK3,SK3 Eve Alice Sign m1 Sign m2 Sign m3 S1 S2 S3 S1 S2 S3 SA Bob aggregates + + = How to make the aggregate signature scheme support anonymity?

  10. Please sign my check Sa Verifies with signing keys + = Sc Sm Sa Signs and aggregates An attempt to support anonymity using the existing aggregate signatures • Signers sign with certified one-time signing keys Cashier picks (one-time) pub/private key pair Bank admin Authenticates and sends Certifies with aggregate signature One-time member certificate Sm Pub key Does not satisfy the non-framing requirement! Private Key

  11. Our solution: anonymous-signer aggregate signature scheme • Signing key has two parts • Long-term public key certified by CA • Random one-time secret • Combined to become the signing key • Supports • Signature aggregation • Anonymous authorization • Based on the aggregate signature scheme [Boneh Gentry Shacham Lynn 03] • Standard assumptions for pairing-based cryptography

  12. Bank admin Combine One-time secret Certifies with aggregate signature One-time member certificate Sm Cannot frame others Please sign my check Sa Verifies with signing key Signs with Sc + = Sm Sa Aggregates Overview: Anonymous-signer aggregate signature scheme Trusted third-party Long-term public-key Certifies with aggregate signature Public-key certificate Ck

  13. Entities and Operations in Our Scheme • Entities • Role manager (cashier in this talk) • Role member (bank admin in this talk) • Setup: Each entity chooses long-term public/private key pair • Join: A user becomes a role member • Obtains membership certificates • Sign: An entity signs on behalf of the role • Operation Sign produces a role signature • Aggregate: Multiple role signatures are aggregated • Verify: Aggregate role signatures are verified • Open: A role manager revokes the anonymity of a signer by revealing his or her identity

  14. Private key sa Public key Pa = sa Sm Certifies sa H( ) Sc Signature suxu H(m) Obtains Sc Sm Sa Aggregates + = Verifies Sa Role signature; may be aggregated further with others Sa Some math about the operations  Public parameter Private key su Public key Pu = su One-time signing secret xu One-time signing public key suxu Framing is hard – equivalent to computational Diffie-Hellman Problem

  15. Security Our anonymous-signer aggregate signature scheme satisfies the following requirements: correctness, unforgeability, anonymity, unlinkability, traceability, non-framing, coalition-resistance, and aggregation assuming random oracle model, bilinear map, and gap groups.

  16. Need to access Need to access Collaborate Collaborate Engineers at a lab collaborate with researchers Researchers at a company collaborate with Bob An application: Anonymous role-based delegation The access to the digital library at a hospital is controlled University prof. can access Hospital’s policy Bob can access Bob is a university professor and can access

  17. Another application: Protecting whistleblower • Protects the identity of whistleblowers • The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter • Supports efficiently certification of a series of reports Signed reports of whistleblower(s) Enron scandal: day 101 Enron scandal: day 102 Enron scandal: day 103 Aggregated signature … S1 S2 S3 SA

  18. Non-framing property • Our scheme protects a cashier from being framed by anyone including bank admin • Consider a simple attack by an admin • Picks random x* and s* and uses x*s* to sign • Admin cannot misattribute a signature to a cashier u • u with pub keyPu = su • e(s*x*, ) ≠ e(Pu, x*) • In general, framing is equivalent to • Computing b, given q, a, and c such that ab = c mod q known equivalence to CDH problem [Chen Zhang Kim 03]

More Related