Compact Group Signatures Without Random Oracles

1. Compact Group Signatures Without Random Oracles Xavier Boyen and Brent Waters

2. Vehicle Safety Communication (VSC) • Embedded chips sign status • Integrity- No outsider can spoof • Anonymity- Can’t track person 65 mph breaking 8 mpg

3. Vehicle Safety Communication (VSC) • Traceability by Authority 120 mph 65 mph breaking 8 mpg

4. Group Signatures [CvH’91] • Group of N users • Any member can sign for group • Anonymous to Outsiders / Authority can trace • Applications • VSC • Remote Attestation

5. Prior Work • Random Oracle Constructions • RSA [ACJT’00, AST’02,CL’02…] • Bilinear Map [BBS’04,CL’04] • Generic [BMW’03] • Formalized definitions • Open – Efficient Const. w/o Random Oracles

6. This work Hierarchical ID-Based Signatures in Bilinear Group GOS ’06 Style NIZK Techniques + = Efficient Group Signatures w/o ROs

7. “Alice” : ”Hi Bob” “Alice” : ”Transfer $45” Hierarchical Identity-Based Sigs ID-based signature where derive down further levels Authority “Alice”

8. Our Approach Setup: N users Assign identities 0,1,…,n-1 User i gets HIBS on “i” … “0” “1” “n-2” “n-1”

9. Our Approach Sign (i,M): User i signs “Message” by deriving “i” : “Message” Encrypts first level to authority and proves well formed “i” : ”Message” + Proof “i” : ”Message” “i”

10. Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p,q) – secret. bilinear map: e: G  G  GT

11. BGN encryption, GOS NIZK [GOS’06] • Subgroup assumption: G p Gp • E(m) : r  ZN , C  gm (gp)r  G • GOS NIZK: Statement: C  G Claim: “ C = E(0) or C = E(1) ’’ Proof:   G idea: IF: C = g  (gp)r or C = (gp)r THEN: e(C , Cg-1) = e(gp,gp)r  (GT)q

12. ID part Our Group Signature • Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g)2GT , h 2 Gq • Sign (KID, M): g(u’ ki=1 uIDi)r(v’ ki=1 vMi)r’ , g-r , g-r’ gCr (v’ ki=1 vMi)r’ , g-r , g-r’ Proofs- For i= 1 to lg(n): ci= uiIDi hti, i=(u2IDi-1hti)ti C= i=1lg(n) ci C is a BGN enc of ID

13. Verification • Sig = (s1,s2,s3), (c1, 1),…, (clg(n),lg(n) ) • Check Proofs: (c1, 1),…, (clg(n),lg(n) ) • C= i=1lg(n) ci Know this is an enc. of ID • e(s_1,g) e(s_2,C) e(s_3, v’ ki=1 vMi ) = A Doesn’t know what 1st level signature is on

14. Traceability And Anonymity • Proofs: • ci= uiIDihti, i=(u2IDi-1hti)ti • Traceability • Authority can decrypt (know factorization) • Proofs guarantee that it is well formed • Anonymity • BGN encryption • IF h2 G (and not Gq) leaks nothing

15. Open Issues • CCA Security • Tracing key = Factorization of Group • Separate the two • Smaller Signatures • Currently lg(n) size • Stronger than CDH Assumption? • Should be Refutable Assumption ! • Strong Excupability

16. Summary • Group Signature Scheme w/o random oracles • ~lg(n) elements • Several Extensions • Partial Revelation … • Applied GOS proofs • Bilinear groups popular • Proofs work “natively” in these groups

17. THE END

18. A 2-level Sig Scheme [W’05] • Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g)2 GT , • Enroll (ID): (K1,K2) = g(u’ ki=1 uIDi)r, g-r 0· ID < n • Sign (KID, M): (s1’,s2’,s3’)= (K1 (v’ ki=1 vMi)r’ , K2, g-r’ ) = g(u’ ki=1 uIDi)r (v’ ki=1 vMi)r’ , g-r , g-r’ • Verify: e(s1’,g) e( s2’, u’ ki=1 uIDi) e(s3’, v’ ki=1 vMi ) = A

19. Extensions • Partial Revelation • Prime order group proofs • Hierarchical Identities

20. Our Group Signature • Params: g, u’,u1,…,ulg(n), v’,v1,…,vm, 2 G, A=e(g,g)2GT , h 2 Gq • Enroll (ID): KID (K1,K2 ,K3) = g(u’ ki=1 uIDi)r, g-r , hr • Sign (KID, M): Proofs- For i= 1 to lg(n): ci= uiIDi hti, i=(u2IDi-1hti)ti C= i=1lg(n) ci (s1’,s2’,s3’) = gCr(v’ ki=1 vMi)r’ , g-r , g-r’ C is a BGN enc of ID