This work presents a secure vehicle safety communication system with group signatures without random oracles, ensuring integrity and anonymity. The proposed scheme enables traceability by authority for efficient remote attestation in vehicle safety applications. The hierarchical identity-based signature system complements the existing protocols with efficient NIZK techniques.
Compact Group Signatures Without Random Oracles Xavier Boyen and Brent Waters
Vehicle Safety Communication (VSC) • Embedded chips sign status • Integrity: no outsider can spoof • Anonymity: can’t track a person • Figure: example status messages (65 mph, braking, 8 mpg)
Vehicle Safety Communication (VSC) • Traceability by authority • Figure: example status messages (120 mph, 65 mph, braking, 8 mpg)
Group Signatures [CvH’91] • Group of N users • Any member can sign for group • Anonymous to Outsiders / Authority can trace • Applications • VSC • Remote Attestation
Prior Work • Random Oracle Constructions • RSA [ACJT’00, AST’02,CL’02…] • Bilinear Map [BBS’04,CL’04] • Generic [BMW’03] • Formalized definitions • Open – Efficient Const. w/o Random Oracles
This work • Hierarchical ID-based signatures in bilinear groups + GOS’06-style NIZK techniques = efficient group signatures w/o ROs
Hierarchical Identity-Based Sigs • ID-based signature where keys can be derived down to further levels • Diagram: Authority → “Alice” → “Alice” : “Hi Bob”, “Alice” : “Transfer $45”
Our Approach • Setup: N users • Assign identities 0, 1, …, n-1 • User i gets HIBS on “i” • Diagram: “0”, “1”, …, “n-2”, “n-1”
Our Approach • Sign (i, M): user i signs “Message” by deriving “i” : “Message” • Encrypts the first level to the authority and proves it is well formed • Diagram: “i” → “i” : “Message” → “i” : “Message” + Proof
Bilinear groups of order N=pq [BGN’05] • $G$: group of order $N = pq$; $(p, q)$ secret • Bilinear map: $e: G \times G \to G_T$
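BGN encryption, GOS NIZK [GOS’06] • Subgroup assumption: $G \approx_p G_p$ • $E(m)$: $r \leftarrow \mathbb{Z}_N$, $C \leftarrow g^{m} (g^{p})^{r} \in G$ • GOS NIZK: Statement: $C \in G$; Claim: “$C = E(0)$ or $C = E(1)$”; Proof: $\pi \in G$ • Idea: IF $C = g\,(g^{p})^{r}$ or $C = (g^{p})^{r}$ THEN $e(C, C g^{-1}) = e(g^{p}, g^{p})^{r} \in (G_T)_q$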
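Our Group Signature • Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$ • Sign ($K_{ID}$, $M$): the two-level signature $g^{\alpha} (u' \prod_{i=1}^{k} u_i^{ID_i})^{r} (v' \prod_{i=1}^{k} v_i^{M_i})^{r'},\; g^{-r},\; g^{-r'}$, whose ID part is $u' \prod_{i=1}^{k} u_i^{ID_i}$, becomes $g^{\alpha} C^{r} (v' \prod_{i=1}^{k} v_i^{M_i})^{r'},\; g^{-r},\; g^{-r'}$ • Proofs: for $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u_i^{2 ID_i - 1} h^{t_i})^{t_i}$ • $C = \prod_{i=1}^{\lg(n)} c_i$ • $C$ is a BGN enc of ID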
Verification • Sig = $(s_1, s_2, s_3), (c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$ • Check proofs: $(c_1, \pi_1), \ldots, (c_{\lg(n)}, \pi_{\lg(n)})$ • $C = \prod_{i=1}^{\lg(n)} c_i$: know this is an enc. of ID • $e(s_1, g)\, e(s_2, C)\, e(s_3, v' \prod_{i=1}^{k} v_i^{M_i}) = A$ • Doesn’t know what the 1st level signature is on
Traceability And Anonymity • Proofs: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u_i^{2 ID_i - 1} h^{t_i})^{t_i}$ • Traceability • Authority can decrypt (knows factorization) • Proofs guarantee that it is well formed • Anonymity • BGN encryption • IF $h \in G$ (and not $G_q$) leaks nothing
Open Issues • CCA Security • Tracing key = Factorization of Group • Separate the two • Smaller Signatures • Currently lg(n) size • Stronger than CDH Assumption? • Should be Refutable Assumption! • Strong Exculpability
Summary • Group Signature Scheme w/o random oracles • ~lg(n) elements • Several Extensions • Partial Revelation … • Applied GOS proofs • Bilinear groups popular • Proofs work “natively” in these groups
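A 2-level Sig Scheme [W’05] • Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$ • Enroll (ID): $(K_1, K_2) = \big(g^{\alpha} (u' \prod_{i=1}^{k} u_i^{ID_i})^{r},\; g^{-r}\big)$, $0 \le ID < n$ • Sign ($K_{ID}$, $M$): $(s_1', s_2', s_3') = \big(K_1 (v' \prod_{i=1}^{k} v_i^{M_i})^{r'},\; K_2,\; g^{-r'}\big) = \big(g^{\alpha} (u' \prod_{i=1}^{k} u_i^{ID_i})^{r} (v' \prod_{i=1}^{k} v_i^{M_i})^{r'},\; g^{-r},\; g^{-r'}\big)$ • Verify: $e(s_1', g)\, e(s_2', u' \prod_{i=1}^{k} u_i^{ID_i})\, e(s_3', v' \prod_{i=1}^{k} v_i^{M_i}) = A$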
Extensions • Partial Revelation • Prime order group proofs • Hierarchical Identities
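Our Group Signature • Params: $g, u', u_1, \ldots, u_{\lg(n)}, v', v_1, \ldots, v_m \in G$, $A = e(g,g)^{\alpha} \in G_T$, $h \in G_q$ • Enroll (ID): $K_{ID} = (K_1, K_2, K_3) = \big(g^{\alpha} (u' \prod_{i=1}^{k} u_i^{ID_i})^{r},\; g^{-r},\; h^{r}\big)$ • Sign ($K_{ID}$, $M$): Proofs: for $i = 1$ to $\lg(n)$: $c_i = u_i^{ID_i} h^{t_i}$, $\pi_i = (u_i^{2 ID_i - 1} h^{t_i})^{t_i}$ • $C = \prod_{i=1}^{\lg(n)} c_i$ • $(s_1', s_2', s_3') = \big(g^{\alpha} C^{r} (v' \prod_{i=1}^{k} v_i^{M_i})^{r'},\; g^{-r},\; g^{-r'}\big)$ • $C$ is a BGN enc of ID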
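The Enroll / Sign / Verify algebra of the slides and the authority's tracing step, checked in a toy model, as an added example that is not from the slides or the authors: each group element g^x is stored as its exponent x mod N, so the pairing becomes multiplication mod N and nothing here is secure. Assumptions not on the slides: the small constructed primes, the name alpha for the secret exponent behind A, u' folded into C so that K1·K3^t equals g^alpha·C^r, and the bit-proof check e(c_i, c_i/u_i) = e(h, pi_i).

```python
# Toy model, no security: g^x is stored as x mod N, so multiplying group elements
# is addition, exponentiation is scalar multiplication, e(g^x, g^y) is x*y mod N.
import secrets
from math import gcd

p, q = 1000003, 1000033          # constructed primes; q is the tracing key
N, K, M = p * q, 4, 8            # K identity bits (16 users), M message bits

def rnd():
    return secrets.randbelow(N - 1) + 1

def gen():                       # element of full order N
    while True:
        x = rnd()
        if gcd(x, N) == 1:
            return x

alpha, h = rnd(), p * gen() % N  # h has order q because q*h = 0 mod N
u0, u = gen(), [gen() for _ in range(K)]
v0, v = gen(), [gen() for _ in range(M)]
A = alpha                        # A = e(g,g)^alpha, with g stored as 1

def bits(x, n):
    return [(x >> i) & 1 for i in range(n)]

def enroll(ident):               # K_ID = (g^alpha (u' prod u_i^ID_i)^r, g^-r, h^r)
    r = rnd()
    U = u0 + sum(b * ui for b, ui in zip(bits(ident, K), u))
    return ident, ((alpha + r * U) % N, -r % N, r * h % N)

def sign(user, msg):
    ident, (K1, K2, K3) = user
    kb, t, r2 = bits(ident, K), [rnd() for _ in range(K)], rnd()
    c = [(b * ui + ti * h) % N for b, ui, ti in zip(kb, u, t)]
    pi = [ti * ((2 * b - 1) * ui + ti * h) % N for b, ui, ti in zip(kb, u, t)]
    V = v0 + sum(b * vj for b, vj in zip(bits(msg, M), v))
    s1 = (K1 + sum(t) * K3 + r2 * V) % N   # g^alpha C^r (v' prod v_j^M_j)^r'
    return (s1, K2, -r2 % N), c, pi

def verify(sig, msg):
    (s1, s2, s3), c, pi = sig
    if any(ci * (ci - ui) % N != h * pii % N for ci, ui, pii in zip(c, u, pi)):
        return False             # assumed check e(c_i, c_i/u_i) = e(h, pi_i)
    C = u0 + sum(c)              # assumption: u' is folded into C
    V = v0 + sum(b * vj for b, vj in zip(bits(msg, M), v))
    return (s1 + s2 * C + s3 * V) % N == A

def trace(sig):                  # raising c_i to q removes the h^t_i blinding
    return sum((q * ci % N != 0) << i for i, ci in enumerate(sig[1]))
```

The verifier never sees the identity bits, while the holder of q recovers them from the c_i alone; a c_i that hides anything other than 0 or 1 cannot pass the proof check, which is what ties tracing to verification.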