1 Compact Group Signatures Without Random Oracles Xavier Boyen and Brent Waters

2 Vehicle Safety Communication (VSC)  Embedded chips sign status  Integrity- No outsider can spoof  Anonymity- Can’t track person 65 mph breaking 8 mpg

3 Vehicle Safety Communication (VSC)  Traceability by Authority 65 mph breaking 8 mpg 120 mph

4 Group Signatures [CvH’91]  Group of N users  Any member can sign for group  Anonymous to Outsiders / Authority can trace  Applications VSC Remote Attestation

5 Prior Work  Random Oracle Constructions RSA [ACJT’00, AST’02,CL’02…] Bilinear Map [BBS’04,CL’04]  Generic [BMW’03] Formalized definitions  Open – Efficient Const. w/o Random Oracles

6 This work Hierarchical ID- Based Signatures in Bilinear Group GOS ’06 Style NIZK Techniques Efficient Group Signatures w/o ROs

7 Hierarchical Identity-Based Sigs ID-based signature where derive down further levels Authority “Alice” “Alice” : ”Hi Bob” “Alice” : ”Transfer $45”

8 Our Approach Setup: N users Assign identities 0,1,…,n-1 User i gets HIBS on “i” … “0”“1”“n-1”“n-2”

9 Our Approach Sign (i,M): User i signs “Message” by deriving “i” : “Message” Encrypts first level to authority and proves well formed “i” : ”Message” “i” “i” : ”Message” + Proof

10 Bilinear groups of order N=pq [BGN’05]  G : group of order N=pq. (p,q) – secret. bilinear map: e: G  G  G T

11 BGN encryption, GOS NIZK [GOS’06]  Subgroup assumption: G  p G p  E(m) : r  Z N, C  g m (g p ) r  G  GOS NIZK: Statement: C  G Claim: “ C = E(0) or C = E(1) ’’ Proof:   G idea: IF: C = g  (g p ) r or C = (g p ) r THEN : e(C, Cg -1 ) = e(g p,g p ) r  (G T ) q

12 Our Group Signature  Params: g, u’,u 1,…,u lg(n), v’,v 1,…,v m, 2 G, A=e(g,g)  2 G T, h 2 G q  Sign (K ID, M): g  (u’  k i =1 u ID i ) r (v’  k i =1 v M i ) r’, g -r, g -r’ g  C r (v’  k i =1 v M i ) r’, g -r, g -r’ Proofs- For i= 1 to lg(n): c i = u i ID i h t i,  i =(u 2ID i -1 h t i ) t i C=  i=1 lg(n) c i C is a BGN enc of ID ID part

13 Verification  Sig = (s 1,s 2,s 3 ), (c 1,  1 ),…, (c lg(n),  lg(n) ) 1) Check Proofs: (c 1,  1 ),…, (c lg(n),  lg(n) ) 2) C=  i=1 lg(n) c i Know this is an enc. of ID 3) e(s_1,g) e(s_2,C) e(s_3, v’  k i =1 v M i ) = A Doesn’t know what 1 st level signature is on

14 Traceability And Anonymity  Proofs: c i = u i ID i h t i,  i =(u 2ID i -1 h t i ) t i  Traceability Authority can decrypt (know factorization) Proofs guarantee that it is well formed  Anonymity BGN encryption IF h 2 G (and not G q ) leaks nothing

15 Open Issues  CCA Security Tracing key = Factorization of Group Separate the two  Smaller Signatures Currently lg(n) size Stronger than CDH Assumption? Should be Refutable Assumption !  Strong Excupability

16 Summary  Group Signature Scheme w/o random oracles ~lg(n) elements  Several Extensions Partial Revelation …  Applied GOS proofs Bilinear groups popular Proofs work “natively” in these groups

17 THE END

18 A 2-level Sig Scheme [W’05]  Params: g, u’,u 1,…,u lg(n), v’,v 1,…,v m, 2 G, A=e(g,g)  2 G T,  Enroll (ID): (K 1,K 2 ) = g  (u’  k i =1 u ID i ) r, g -r 0 · ID < n  Sign (K ID, M): (s 1 ’,s 2 ’,s 3 ’)= (K 1 (v’  k i =1 v M i ) r’, K 2, g -r ’ ) = g  (u’  k i =1 u ID i ) r (v’  k i =1 v M i ) r’, g -r, g -r’  Verify: e(s 1 ’,g) e( s 2 ’, u’  k i =1 u ID i ) e(s 3 ’, v’  k i =1 v M i ) = A

19 Extensions  Partial Revelation  Prime order group proofs  Hierarchical Identities

20 Our Group Signature  Params: g, u’,u 1,…,u lg(n), v’,v 1,…,v m, 2 G, A=e(g,g)  2 G T, h 2 G q  Enroll (ID): K ID (K 1,K 2,K 3 ) = g  (u’  k i =1 u ID i ) r, g -r, h r  Sign (K ID, M): Proofs- For i= 1 to lg(n): c i = u i ID i h t i,  i =(u 2ID i -1 h t i ) t i C=  i=1 lg(n) c i (s 1 ’,s 2 ’,s 3 ’) = g  C r (v’  k i =1 v M i ) r’, g -r, g -r’ C is a BGN enc of ID

21