Get Shorty via Group Signatures without Encryption

P. Bichsel1 , J. Camenisch1 , G. Neven1 , N.P. Smart2 , B. Warinschi2
1 IBM Research – Zurich; 2 University of Bristol
15 September 2010

SCN 2010, Amalﬁ, Italy

Get Shorty via Group Signatures
without Encryption


Motivation

Group Signatures are..
.. a cryptographic authentication mechanism, which is ..
.. useful for implementing scenarios, for example, in vehicular
communication networks ..
.. in a privacy-preserving way.
.. not used.

2 / 28 P. Bichsel1 , J. Camenisch1 , G. Neven1 , N.P. Smart2 , B. Warinschi2 | Get Shorty via Group Signatures without Encryption | 15 September 2010 | ibmStyle.tex 2010-09-12 pbi © 2010 IBM Coorporation


Outline
Motivation

Current Situation
Security Notion
Current Constructions

This Paper
Our Security Model
Our Construction

Comparison



Group Signature Security Notion



Current Constructions



Evolving to More Efﬁcient Group Signatures

+ auction with private bids
+ vote and prove
- key loss



Our Construction



Pairings

Asymmetric pairings with G1 , G2 , GT cyclic groups of prime order q.
There exists a efﬁciently computable map

ˆ
e : G1 × G2 → GT .

˜
For all x ∈ G1 , y ∈ G2 and α, β ∈ Zq we have
ˆ ˜ ˆ ˜
e(x α , y β ) = e(x, y )αβ .
ˆ ˜
e(g, g ) = 1.



Our Construction – Simpliﬁed
Join
interactive protocol Verify
issues a CL signature verify Σ as well as
(a ← g ρ , b ← g ρβ , c ← g ρα(1+β ξi ) ) ˆ ˜ ˆ ˜
e(d, g β ) ≡ e(e, g )
Sign Open
re-randomize the CL signature for all i check
(d ← aζ , e ← bζ , f ← c ζ ) ˆ ˜ ?
e(f , g β ) =
issue ˆ ˜ ˆ ˜
e(d, g α )e(e, g ξi )
ˆ ˜
e(f ,g )
Σ ← SPK{(ξi ) : ˆ ˜
e(d,x )
ˆ ˜
= e(e, x )ξi }(m)



Properties of our Construction - Recap

+ dynamic groups
+ selﬂess anonymity
+ traceability
+ non-frameability
- linear opening
- combined opener and group manager



LRSW [Lysyanskaya et al., 1999]
˜ ˜ ˜ ˜
Given (x ← g α , y ← g β ) ∈ G2 and an oracle Ox ,y (·) that, on input of
˜˜

µ ∈ Zq , outputs a triple (a, aβ , aα(1+µβ ) ) ∈ G3 . For all
1
PPT-adversaries it is hard to output (µ, b ∈ G1 ∧ bβ ∧ bα(1+µβ ) ).

XDDH
XDDH holds if DDH is hard in G1 , i.e., if given a tuple (g, g µ , g ν , g ω )
for µ, ν ← Zq it is hard to decide whether ω = µν mod q or random.

q-SDH [Boneh and Boyen, 2004]
2 q
˜ ˜ ˜
Given a q-tuple (g γ , g γ , . . . , g γ ) for some hidden value of γ, it is
hard to output a pair (g 1/(γ+α) , α) for some α ∈ Zq .



Comparison

CL [Camenisch and Lysyanskaya, 2004]
CL signature & Cramer-Shoup encryption
XDDH & LRSW assumption
BBS∗ [Boneh et al., 2004, Shacham, 2007]
BBS signature & Cramer-Shoup encryption
XDDH & q-SDH assumption
´
DP [Delerablee and Pointcheval, 2006]
BBS signature & two ElGamal encryptions
XDDH & q-SDH assumption



Well... how efﬁcient?
1
∼ 2 signature length
1
< 2 signature computation time
≈ signature veriﬁcation time



Comparison - Signature Size & Signing Time

Scheme Size of Sig. Sign Cost

G1 Zq G5
T G3
T G2
T GT G2
1 G1
Ours 3 2 1 3
CL 7 4 1 1 11
DP 4 5 1 1 6
BBS* 4 5 1 3 5



Comparison - Veriﬁcation

Scheme Veriﬁcation Cost

P2 P G3
T G2
2 G4
1 G3
1 G2
1 G1
Ours 2 1 1
CL 2 1 2 2 1
DP 1 1 1 1 2
BBS* 1 1 1 4



Thank you!



?



Security Model Development

1991..2003
unlinkability
unforgeability
anonymity
traceability
non-frameability
2003 (static groups) [Bellare et al., 2003]
full-anonymity
full-traceability



Security Model Development

2004 (verifier-local revocation) [Boneh and Shacham, 2004]
selfless anonymity
2005 (dynamic groups) [Bellare et al., 2005]
non-frameability
2010 (combination) [Bichsel et al., 2010]
dynamic groups
selfless anonymity
traceability
non-frameability



Comparison - Assumptions

Separate Underlying Hard Problems
Scheme GM & Opener for Anonymity and Traceability
Ours XDDH and LRSW
CL XDDH and LRSW
DP XDDH and q-SDH
BBS∗ XDDH and q-SDH



Bellare, M., Micciancio, D., and Warinschi, B. (2003).
Foundations of group signatures: Formal deﬁnitions, simpliﬁed
requirements, and a construction based on general
assumptions.
In Biham, E., editor, EUROCRYPT ’03, volume 2656 of LNCS,
pages 614–629. Springer.
Bellare, M., Shi, H., and Zhang, C. (2005).
Foundations of group signatures: The case of dynamic groups.
In Menezes, A., editor, CT-RSA ’05, volume 3376 of LNCS,
pages 136–153, San Francisco, CA, USA. Springer.
Bichsel, P., Camenisch, J., Neven, G., Smart, N. P., and
Warinschi, B. (2010).



Get shorty via group signatures without encryption.
In Garay, J. A. and De Prisco, R., editors, SCN ’10, volume
6280 of LNCS, pages 381–398. Springer.
Boneh, D. and Boyen, X. (2004).
Short signatures without random oracles.
In Cachin, C. and Camenisch, J., editors, EUROCRYPT ’04,
volume 3027 of LNCS, pages 54–73. Springer.
Boneh, D., Boyen, X., and Shacham, H. (2004).
Short group signatures.
In Franklin, M. K., editor, CRYPTO ’04, volume 3152 of LNCS,
Boneh, D. and Shacham, H. (2004).



Group signatures with veriﬁer-local revocation.
In Atluri, V., Pﬁtzmann, B., and McDaniel, P., editors, Proc. 11th
ACM CCS, pages 168–177. ACM Press.
Camenisch, J. and Lysyanskaya, A. (2004).
Signature schemes and anonymous credentials from bilinear
maps.
In Franklin, M. K., editor, CRYPTO ’04, volume 3152 of LNCS,
´
Delerablee, C. and Pointcheval, D. (2006).
Dynamic fully anonymous short group signatures.
In Nguyen, P. Q., editor, VIETCRYPT ’06, volume 4341 of
LNCS, pages 193–210, Hanoi, Vietnam. Springer.



Lysyanskaya, A., Rivest, R., Sahai, A., and Wolf, S. (1999).
Pseudonym systems.
In Heys, H. and Adams, C., editors, Selected Areas in
Cryptography, volume 1758 of LNCS. Springer.
Shacham, H. (2007).
A Cramer-Shoup encryption scheme from the linear
assumption and from progressively weaker linear variants.
Cryptology ePrint Archive, Report 2007/074.
http://eprint.iacr.org/.


Get Shorty via Group Signatures without Encryption

More Related Content

Recently uploaded (20)

Featured (20)

Get Shorty via Group Signatures without Encryption