190 likes | 341 Views
Cascaded Authorization with Anonymous-Signer Aggregate Signatures. Danfeng Yao Department of Computer Science Brown University Joint work with Roberto Tamassia NSF grants CCF–0311510, CNS–0303577 and IIS–0324846. Outline . Motivation for anonymity and aggregation
E N D
Cascaded Authorization with Anonymous-Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with Roberto Tamassia NSF grants CCF–0311510, CNS–0303577 and IIS–0324846 IAW 2006
Outline • Motivation for anonymity and aggregation • Construction of Anonymous-Signer Aggregate Signature Scheme • Security properties of the scheme • Applications
Digital credential • Digital credential is signed by the issuer with a digital signature scheme • To certify the credential holder • Digital signature scheme • Signing uses the private key • Verification uses the public key Bob’s credential Bob is a university professor University Bob University’s signature Public key Public key Private key The credential can be verified against university’s public key Private key
Motivation: Anonymous authorization 2. Request to sign Cashier’s check Bank • Group signature schemes • [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04,Camenisch Lysyanskaya 04] • Support anonymity 1. Certify membership 3. Authorization Bank cashiers
Motivation: Aggergation 2. Authorization 1. Request 4. Authorization 3. Authorization [Boneh Gentry Shacham Lynn 03]
Our goal: Aggregate anonymous signatures • Signing anonymity • Signature aggregation Delegation Delegation Delegation Aggregate Signature Delegation Signatures Aggregate
Anonymous authorization chain 2. Authorization 1. Request 4. Authorization 3. Authorization
Anonymous-signer aggregate signature scheme • Properties • Aggregation: Bob’s signature can be added with Alice’s • Anonymity: No one can tell that a signature is from Bob • Unlinkability: No one can tell that two signatures are from Bob • Non-framing: Alice cannot sign on behalf of Bob • Traceability: Bob’s boss can find out that Bob is the signer • Existing signature schemes do not satisfy all the requirements • Aggregate signature scheme • Group signature scheme • Challenge: extending existing schemes is non-trivial
Aggregate signature scheme • Aggregate signature scheme [Boneh Gentry Shacham Lynn 03] • The size of signatures and public keys 170 bits with security comparable to 1024 bit RSA and 320 bit DSA schemes • Verification is linear in the number of individual signatures PK1,SK1 Bob PK2,SK2 PK3,SK3 Eve Alice Sign m1 Sign m2 Sign m3 S1 S2 S3 S1 S2 S3 SA Bob aggregates + + = How to make the aggregate signature scheme support anonymity?
Please sign my check Sa Verifies with signing keys + = Sc Sm Sa Signs and aggregates An attempt to support anonymity using the existing aggregate signatures • Signers sign with certified one-time signing keys Cashier picks (one-time) pub/private key pair Bank admin Authenticates and sends Certifies with aggregate signature One-time member certificate Sm Pub key Does not satisfy the non-framing requirement! Private Key
Our solution: anonymous-signer aggregate signature scheme • Signing key has two parts • Long-term public key certified by CA • Random one-time secret • Combined to become the signing key • Supports • Signature aggregation • Anonymous authorization • Based on the aggregate signature scheme [Boneh Gentry Shacham Lynn 03] • Standard assumptions for pairing-based cryptography
Bank admin Combine One-time secret Certifies with aggregate signature One-time member certificate Sm Cannot frame others Please sign my check Sa Verifies with signing key Signs with Sc + = Sm Sa Aggregates Overview: Anonymous-signer aggregate signature scheme Trusted third-party Long-term public-key Certifies with aggregate signature Public-key certificate Ck
Entities and Operations in Our Scheme • Entities • Role manager (cashier in this talk) • Role member (bank admin in this talk) • Setup: Each entity chooses long-term public/private key pair • Join: A user becomes a role member • Obtains membership certificates • Sign: An entity signs on behalf of the role • Operation Sign produces a role signature • Aggregate: Multiple role signatures are aggregated • Verify: Aggregate role signatures are verified • Open: A role manager revokes the anonymity of a signer by revealing his or her identity
Private key sa Public key Pa = sa Sm Certifies sa H( ) Sc Signature suxu H(m) Obtains Sc Sm Sa Aggregates + = Verifies Sa Role signature; may be aggregated further with others Sa Some math about the operations Public parameter Private key su Public key Pu = su One-time signing secret xu One-time signing public key suxu Framing is hard – equivalent to computational Diffie-Hellman Problem
Security Our anonymous-signer aggregate signature scheme satisfies the following requirements: correctness, unforgeability, anonymity, unlinkability, traceability, non-framing, coalition-resistance, and aggregation assuming random oracle model, bilinear map, and gap groups.
Need to access Need to access Collaborate Collaborate Engineers at a lab collaborate with researchers Researchers at a company collaborate with Bob An application: Anonymous role-based delegation The access to the digital library at a hospital is controlled University prof. can access Hospital’s policy Bob can access Bob is a university professor and can access
Another application: Protecting whistleblower • Protects the identity of whistleblowers • The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter • Supports efficiently certification of a series of reports Signed reports of whistleblower(s) Enron scandal: day 101 Enron scandal: day 102 Enron scandal: day 103 Aggregated signature … S1 S2 S3 SA
Non-framing property • Our scheme protects a cashier from being framed by anyone including bank admin • Consider a simple attack by an admin • Picks random x* and s* and uses x*s* to sign • Admin cannot misattribute a signature to a cashier u • u with pub keyPu = su • e(s*x*, ) ≠ e(Pu, x*) • In general, framing is equivalent to • Computing b, given q, a, and c such that ab = c mod q known equivalence to CDH problem [Chen Zhang Kim 03]