Computing Reviews
Compact and anonymous role-based authorization chain
Yao D., Tamassia R. ACM Transactions on Information and System Security 12(3): 1-27, 2009. Type: Article
Date Reviewed: Jul 27 2009

Yao and Tamassia argue that role-based delegation raises privacy concerns because the identity of users may be sensitive information, especially in e-commerce, e-medicine, and peer-to-peer (P2P) file sharing. They propose an anonymous-signer aggregate signature scheme to protect the identity of users and delegators.

Role-based authorization is a method for access control in which privileges are based on roles and each user holds at least one role. Role-based delegation enables flexible management of access control because privileges, as well as membership in a certain role, can be delegated to other users.

According to the authors, “anonymous role-based [authorization] ... can be implemented with group signatures, in which a digital signature proves the membership of a signer,” without privacy drawbacks. While group signatures are an effective measure for privacy protection, this method is too resource-hungry for distributed environments with limited resources. Yao and Tamassia thus propose an aggregated signature scheme that aims to improve the resource-related shortcomings of group signatures. The authors’ novel aggregated signature scheme supports anonymous signing in role-based authorization and is based on bilinear maps within gap groups. The main advantage of aggregated signatures is a reduction of resource requirements for digital signatures, as an authorization chain of digital signatures can be merged into a single signature of constant size.

The authors argue that a secure anonymous-signer aggregate signature scheme must satisfy eight properties: correctness, unforgeability, anonymity, unlinkability, traceability, exculpability, coalition-resistance, and aggregation. Their understanding of correctness is that produced signatures must be accepted by a verification operation and that a designated operation recovers a specific signer’s identity. The unforgeability property dictates that “only valid role members can sign messages on behalf of the role.” Furthermore, it must be computationally hard to identify the signer (anonymity) and to decide if “two different valid signatures were computed by the same role member” (unlinkability), except for the role manager. A special user, namely the role manager, must always be able to identify the signer of a valid signature, in order to fulfill the traceability property. Regarding the authors’ scheme, exculpability is ensured when the role manager, together with other members, cannot sign on behalf of an uninvolved member. Yet another important security feature of their scheme is the coalition-resistance property that states: “a colluding subset of role members must furthermore not be able to produce a valid signature that cannot be opened by the role manager.” Finally, the aggregation property must ensure that digital signatures can be aggregated by anyone into a single signature of constant length.

The authors provide formal definitions of the eight security properties and illustrate how the proposed scheme fulfills them. A brief introduction to an anonymous role-based cascaded delegation protocol finally illustrates how Yao and Tamassia’s scheme can be used in distributed systems.

Reviewer: Edgar R. Weippl
Review #: CR137147 (1003-0283)
Access Controls (D.4.6 ... )
Authentication (K.6.5 ... )