IAW 2006
Cascaded Authorization with Anonymous-Signer Aggregate Signatures
Danfeng Yao
Department of Computer Science
Brown University
Joint work with Roberto Tamassia
NSF grants CCF–0311510, CNS–0303577 and IIS–0324846

Outline
Motivation for anonymity and aggregation
Construction of Anonymous-Signer Aggregate Signature Scheme
Security properties of the scheme
Applications

Digital credential
Digital credential is signed by the issuer with a digital signature scheme
  To certify the credential holder
Digital signature scheme
  Signing uses the private key
  Verification uses the public key
[Figure: Bob and University, each with a public key and a private key; Bob’s credential ("Bob is a university professor") carries the University’s signature]
The credential can be verified against university’s public key

Motivation: Anonymous authorization
Group signature schemes [Chaum van Heijst 91, Ateniese Camenisch Joye Tsudik 00, Boneh Boyen Shacham 04, Camenisch Lysyanskaya 04]
  Support anonymity
[Figure: Bank and bank cashiers. 1. Certify membership; 2. Request to sign cashier’s check; 3. Authorization]

Motivation: Aggregation
[Figure: 1. Request; 2. Authorization; 3. Authorization; 4. Authorization]
[Boneh Gentry Shacham Lynn 03]

Our goal: Aggregate anonymous signatures
Signing anonymity
Signature aggregation
Anonymous authorization chain
[Figure: delegation chain whose signatures are combined into an aggregate signature. 1. Request; 2. Authorization; 3. Authorization; 4. Authorization]

Anonymous-signer aggregate signature scheme
Properties
  Aggregation: Bob’s signature can be added with Alice’s
  Anonymity: No one can tell that a signature is from Bob
  Unlinkability: No one can tell that two signatures are from Bob
  Non-framing: Alice cannot sign on behalf of Bob
  Traceability: Bob’s boss can find out that Bob is the signer
Existing signature schemes do not satisfy all the requirements
  Aggregate signature scheme
  Group signature scheme
Challenge: extending existing schemes is non-trivial

Aggregate signature scheme
Aggregate signature scheme [Boneh Gentry Shacham Lynn 03]
  The size of signatures and public keys is 170 bits, with security comparable to 1024-bit RSA and 320-bit DSA schemes
  Verification is linear in the number of individual signatures
[Figure: Bob (PK_1, SK_1) signs m_1 to get S_1; Alice (PK_2, SK_2) signs m_2 to get S_2; Eve (PK_3, SK_3) signs m_3 to get S_3]
Bob aggregates: S_1 + S_2 + S_3 = S_A
How to make the aggregate signature scheme support anonymity?

An attempt to support anonymity using the existing aggregate signatures
Signers sign with certified one-time signing keys
Does not satisfy the non-framing requirement!
[Figure: Cashier picks (one-time) pub/private key pair, authenticates and sends the pub key. Bank admin certifies with aggregate signature S_m (one-time member certificate). On "Please sign my check", the cashier signs and aggregates: S_c + S_m = S_a. The recipient verifies S_a with signing keys.]

Our solution: anonymous-signer aggregate signature scheme
Signing key has two parts
  Long-term public key certified by CA
  Random one-time secret
  Combined to become the signing key
Supports
  Signature aggregation
  Anonymous authorization
Based on the aggregate signature scheme [Boneh Gentry Shacham Lynn 03]
Standard assumptions for pairing-based cryptography

Overview: Anonymous-signer aggregate signature scheme
[Figure: Trusted third-party certifies the long-term public-key with aggregate signature C_k (public-key certificate). The long-term public-key is combined with a one-time secret. Bank admin certifies with aggregate signature S_m (one-time member certificate). On "Please sign my check", the signer signs and aggregates: S_c + S_m = S_a. The recipient verifies S_a with signing key.]
Cannot frame others

Entities and Operations in Our Scheme
Entities
  Role manager (cashier in this talk)
  Role member (bank admin in this talk)
Setup: Each entity chooses long-term public/private key pair
Join: A user becomes a role member
  Obtains membership certificates
Sign: An entity signs on behalf of the role
  Operation Sign produces a role signature
Aggregate: Multiple role signatures are aggregated
Verify: Aggregate role signatures are verified
Open: A role manager revokes the anonymity of a signer by revealing his or her identity

Some math about the operations
Public parameter
Signer
  Private key s_u
  Public key P_u = s_u
  One-time signing secret x_u
  One-time signing public key s_u x_u
  Obtains S_m
  Signature S_c = s_u x_u H(m)
  Aggregates: S_c + S_m = S_a
Certifier
  Private key s_a
  Public key P_a = s_a
  Certifies: S_m = s_a H( )
Verifier
  Verifies S_a
Role signature; may be aggregated further with others
Framing is hard – equivalent to computational Diffie-Hellman Problem

Security
Our anonymous-signer aggregate signature scheme satisfies the following requirements:
  correctness,
  unforgeability,
  anonymity,
  unlinkability,
  traceability,
  non-framing,
  coalition-resistance,
  and aggregation
assuming random oracle model, bilinear map, and gap groups.

An application: Anonymous role-based delegation
The access to the digital library at a hospital is controlled
Hospital’s policy: University prof. can access
Bob is a university professor and can access
Researchers at a company collaborate with Bob; need to access
Engineers at a lab collaborate with researchers; need to access

Another application: Protecting whistleblower
Protects the identity of whistleblowers
  The verifier only knows that the whistleblower is a certified FBI agent or a New York Times reporter
Supports efficient certification of a series of reports
[Figure: Signed reports of whistleblower(s): Enron scandal: day 101 (S_1), Enron scandal: day 102 (S_2), Enron scandal: day 103 (S_3), … combined into the aggregated signature S_A]

Non-framing property
Our scheme protects a cashier from being framed by anyone including bank admin
Consider a simple attack by an admin
  Picks random x* and s* and uses x*s* to sign
  Admin cannot misattribute a signature to a cashier u with pub key P_u = s_u
  e(s*x*, ) ≠ e(P_u, x*)
In general, framing is equivalent to
  Computing b, given q, a, and c such that ab = c mod q
  known equivalence to CDH problem [Chen Zhang Kim 03]
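
Added example, not from the original slides: a toy Python model of the aggregation step S_1 + S_2 + ... = S_A and of the key check on the non-framing slide, using the standard aggregate verification equation of [Boneh Gentry Shacham Lynn 03]. Group elements are stored as their discrete logs mod a prime, so a pairing becomes a multiplication; this checks the algebra only and provides no security. The names Q, G, K, X and all scalars are assumptions constructed for the example (the generator symbol on the slides did not survive extraction).

```python
import hashlib

# Toy exponent model (assumption of this example): the element a*g is stored
# as a mod Q, so e(a*g, b*g) = e(g, g)^(ab) is stored as a*b mod Q. All
# discrete logs are visible: this checks the algebra and gives no security.
Q = 2**127 - 1   # prime group order, constructed
G = 1            # generator g in this representation (assumed name)

def pairing(a, b):
    return (a * b) % Q

def H(msg):
    # Stand-in for hashing a message to a group element.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def public_key(s):
    return (s * G) % Q                      # P = s*g

def sign(scalar, msg):
    return (scalar * H(msg)) % Q            # s*H(m), or s_u*x_u*H(m)

def aggregate(sigs):
    return sum(sigs) % Q                    # S_A = S_1 + S_2 + ...

def verify_aggregate(s_agg, pairs):
    # pairs = [(verification key, message)]; one pairing per signer, so cost
    # is linear. A product in the target group is a sum of exponents here.
    return pairing(s_agg, G) == sum(pairing(H(m), k) for k, m in pairs) % Q

def one_time_key(s_u, x_u):
    # K = s_u*x_u*g (one-time signing public key), X = x_u*g (assumed names)
    return (s_u * x_u * G) % Q, (x_u * G) % Q

def key_matches_signer(K, X, P_u):
    return pairing(K, G) == pairing(P_u, X)  # e(K, g) == e(P_u, X)

def demo():
    s_u, x_u, s_a = 1234567, 7654321, 2468013      # constructed scalars
    P_u, P_a = public_key(s_u), public_key(s_a)
    K, X = one_time_key(s_u, x_u)
    m1, m2 = b"cashier's check #1", b"second message"
    s_agg = aggregate([sign(s_u * x_u, m1), sign(s_a, m2)])
    ok = verify_aggregate(s_agg, [(K, m1), (P_a, m2)])
    tampered = verify_aggregate(s_agg, [(K, b"cashier's check #2"), (P_a, m2)])
    # Framing attempt from the slide: admin picks s*, x* and signs with x*s*.
    K_star, X_star = one_time_key(1111111, 2222222)
    framed = key_matches_signer(K_star, X_star, P_u)
    return ok, tampered, key_matches_signer(K, X, P_u), framed
```

`demo()` returns whether the honest aggregate verifies, whether a changed message still verifies, whether the cashier's own one-time key is consistent with P_u, and whether the admin's fabricated key passes that same check.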