COMPGA99 Dissertation
Efficient Fully Anonymous Group Signatures based on
the Groth Group Signature Scheme [Gro07]
Saqib A Kakvi(946318)
Supervisor: Dr. Jens Groth
Year of Submission: 2010
This report is submitted as part requirement for the MSc Degree in Information Security
at University College London. It is substantially the result of my own work except where
explicitly indicated in the text.
The report may be freely copied and distributed provided the source is explicitly acknowledged.
Abstract
Recently, group signature schemes with constant-size signatures have emerged, most notably [Gro06], [Gro07] and [BW07]. This work examines the scheme presented in [Gro07] and builds more efficient schemes from it by using asymmetric bilinear groups. We begin by presenting a direct translation of the Groth scheme into Type 2 and Type 3 bilinear groups, in the terminology of [GPS08]. We then modify the underlying components to make the schemes more efficient. All of our schemes are proven secure in the standard model.
Acknowledgements
We would like to thank Jens Groth for his invaluable advice and guidance on this work. We would also like to thank our colleagues for their input and support. Finally, we would like to thank Fatima Nassir and Nidhi Shah for their assistance in proofreading this work.
Contents

1 Introduction
2 Definitions
  2.1 Original Definitions and Refinements
  2.2 Formalisations for static groups
  2.3 Formalisations for dynamic groups
3 Assumptions
  3.1 Bilinear Groups
  3.2 Number-Theoretic
  3.3 Random Oracle
4 Previous Work
  4.1 Considerations
    4.1.1 Efficiency
    4.1.2 Functionality
    4.1.3 Security Improvements
  4.2 Comparison
5 The Groth Signature Scheme
  5.1 Tools
    5.1.1 Certified Digital Signatures
    5.1.2 Tag-based Encryption
    5.1.3 Collision-Free Hash functions
    5.1.4 Non-Interactive Zero Knowledge proofs
    5.1.5 Non-Interactive Witness Indistinguishable proofs
  5.2 The Scheme
6 Our Contributions
  6.1 Scheme 1
    6.1.1 Components
    6.1.2 The Scheme
  6.2 Scheme 2
    6.2.1 Components
    6.2.2 The Scheme
  6.3 Scheme 3
  6.4 Scheme 4
    6.4.1 Components
    6.4.2 The Scheme
7 Conclusions & Future Work
  7.1 Conclusions
  7.2 Future Work
    7.2.1 Further Efficiency Improvements
    7.2.2 Revocation
A Sizes of the DDH/DLIN Groth-Sahai Proofs
B Proofs
  B.1 q-Unfakeability Type 2b Assumption (q-U-2b)
  B.2 q-Unfakeability Type 3a Assumption (q-U-3a)
  B.3 q-Unfakeability Type 3b Assumption (q-U-3b)
C Scheme 3
  C.1 Components
  C.2 The Scheme
Chapter 1
Introduction
Signatures were in use long before the advent of cryptography, and indeed of computers. A signature, in the classical sense, is a way for a person to write their name such that only they can reproduce it accurately. Signatures on documents, both handwritten and printed, serve to authenticate the source of the document. This does not necessarily mean that the signer produced the document themselves, but it does mean that they intended to convey its contents.
Classical signatures are static and do not change; their security rested on the difficulty of forging them. With the advent of computing and digital communications, people devised several ways of digitally "signing" documents, ranging from scanning a handwritten signature and appending it to a document to signing directly with a graphics tablet. These all suffer from the same weakness: they can easily be copied.
What all these solutions did was essentially to append an arbitrary bit string to each message. That string can be intercepted, copied and attached to any other message, so an adversary can forge a signature on any message given just one message-signature pair. There is thus no security even against the most passive adversary, who merely intercepts communications without modifying them. The solution to this is the digital signature.
This was first posited by Diffie and Hellman in [DH76], who theorised the existence of such schemes. A digital signature is a message-dependent bit string, which can only be generated by the signer, that is appended to the message. Such schemes are based on a private signing key and a public verification key. Shortly afterwards, Rivest, Shamir and Adleman proposed the first concrete digital signature scheme [RSA78]. Over the years, many digital signature schemes have been created. For a further treatment of digital signatures, we refer the reader to [Lys02].
We now consider the following scenario. A company X has a purchasing department with four clerks, A, B, C and D. Any of these clerks is authorised to purchase raw materials and office supplies for the company. Purchase orders are sent out in digital form and are digitally signed by the clerk who issued the order. The supplier receives the purchase order, verifies the signature and then dispatches the goods. In this scenario each clerk has their own signing key, but is this really necessary?
Each public key is linked to a single clerk, which tells the supplier which of the four clerks placed the order. The supplier does not need this information: they only need to know that the order came from one of the four, not from which one. The simplest solution is to give all four clerks access to the same signing key. This, however, means that if one of the clerks orders personal items on the company account, there is no way to trace which clerk signed the order. There is no security against any of the clerks misusing the shared secret key.
The solution to this was proposed by Chaum and van Heyst in [CvH91]. They presented what they called a group signature scheme. The principle was that each group member has a unique signing key, and signatures generated by any of them verify under the same public key. They also stated that a designated party could, possibly with the help of a secret key, take a signature and "open" it to reveal which member produced it, in case of misuse.
This solves the problems in the scenario above, as well as many others. Several other scenarios have been presented in the literature, but they all share the same motivation: above and beyond the security of a digital signature scheme, we want anonymity and traceability.
We shall now proceed to discuss the current state of the art in group signatures. In Chapter 2, we discuss the definitions and formalisations of group signatures. Chapter 3 then deals with the cryptographic assumptions on which these group signatures rely. In Chapter 4 we cover previous work and compare what we believe to be the most important schemes. In Chapter 5, we present the Groth Signature Scheme [Gro07]. We then present our own schemes in Chapter 6. Finally, in Chapter 7 we discuss possible future research areas.
Chapter 2
Definitions
2.1 Original Definitions and Refinements
The original definition of a group signature scheme stated that it allows the members of a group to sign messages on behalf of the group anonymously. This anonymity can be undone by a designated authority, called the group manager or opener. We now explain the details and refinements of this definition. We denote the number of group members by n; each member is uniquely identified by an index i with 1 ≤ i ≤ n. We also write k for the security parameter.
In the original definition of a group signature [CvH91], Chaum and van Heyst stated three properties that a group signature scheme must satisfy, namely:
1. Only members of the group can sign messages on behalf of the group.
2. The receiver can verify that a member of the group signed a message, but not which member.
3. Any signature made by a group member can be opened.
As research in the area grew, further security requirements were added; we discuss these in more detail below. Some of their schemes required a trusted party Z who chooses the keys for the users. This concept was later formalised as the group manager, or in some cases the group managers.
Group Managers
Chaum and van Heyst used the familiar concept of a Trusted Third Party (TTP) in some of their schemes. The role and powers of this TTP varied from scheme to scheme. The research community soon realised the need for a party who is not a member of the group but, in essence, manages it. Hence the concept of a group manager was born.
The group manager initially had two duties: generating the keys at setup and opening signatures. To this end they are issued a secret group manager's key SK_GM. Some schemes, however, employ two managers, an issuer and an opener: the issuer is responsible for key generation and the opener for opening signatures. To implement this there are two distinct manager keys, the issuer's secret key ik and the opener's secret key ok.
Security Definitions
Several authors have proposed their own security requirements for group signature schemes. Some of these are related, and some are stronger than others. We now briefly discuss the security requirements listed by Ateniese and Tsudik in [AT99]. As we shall see later, all of these can be reduced to two properties formalised by Bellare, Micciancio and Warinschi [BMW03] and Bellare, Shi and Zhang [BSZ05].
• Unforgeability: No one other than a member of the group can produce a valid signature under the group's public key.
• Anonymity: No one other than the signer, without the secret opening key, can determine which group member produced a signature.
• Unlinkability: If a member signs more than one message, nobody can tell that these signatures were produced by the same member of the group.
• Exculpability: Neither group members nor the group manager(s) can sign a message on behalf of another member of the group.
• Traceability: Any valid signature made by a group member can be traced back to them by the group manager, using the secret opening key.
• Coalition-Resistance: No coalition of group members and group managers can produce a valid signature that will not be traced back to at least one of the colluding group members.
2.2 Formalisations for static groups
Definitions
The security notions for group signatures were first formalised in 2003 by Bellare, Micciancio and Warinschi [BMW03], who gave exact security requirements for group signatures. Up to that point, authors had used their own notation and security requirements. They defined the properties of full-anonymity and full-traceability, which we now briefly discuss. Note that Bellare et al. treated the case of a single group manager.
In this setting, we consider the following algorithms:
• KeyGen, which generates the group public key gpk, the group manager's secret key SK_GM and the users' secret keys SK_i for all 1 ≤ i ≤ n.
• Sign, which takes a message m and a user's signing key SK_i and outputs a signature σ.
• Verify, which takes a message m, a signature σ and the public key gpk and outputs 1 if σ is valid and 0 otherwise.
• Open, which takes a signature σ and the manager's secret key SK_GM and outputs the signer's identity i.
Full-Anonymity
This property states that no verifier or adversary can determine which group member signed a given message, even given past message-signature pairs and the group public key. We define the adversary's advantage against full-anonymity as $\mathrm{Advantage}^{\mathrm{anon}}_{\mathrm{Adv}}(k, n)$.
Full-Traceability
This property states that no subset of the group, even in possession of the group manager's secret key SK_GM, can generate a valid signature that cannot be opened and traced to at least one of the colluding members. The adversary's advantage against full-traceability is defined as $\mathrm{Advantage}^{\mathrm{trace}}_{\mathrm{Adv}}(k, n)$.
For a more detailed formalisation, we refer the reader to [BMW03]. [BMW03] showed that full-anonymity implies both anonymity and unlinkability, while full-traceability implies unforgeability, exculpability, traceability, coalition-resistance and non-frameability. For a group signature scheme to be deemed secure, both $\mathrm{Advantage}^{\mathrm{anon}}_{\mathrm{Adv}}(k, n)$ and $\mathrm{Advantage}^{\mathrm{trace}}_{\mathrm{Adv}}(k, n)$ must be negligible in k. We do not formalise these further, since our schemes are proven secure in the BSZ model [BSZ05], which we now describe.
2.3 Formalisations for dynamic groups
Definitions
The work of [BMW03] only covered static groups, which is not very practical. Most applications have dynamic groups, where members join and leave over time. This case was treated by Bellare, Shi and Zhang [BSZ05], who treat the key issuer and the signature opener as separate entities throughout.
They also introduced the concept of "trust levels" for the authorities, distinguishing three levels of corruption: uncorrupt, partially corrupt and fully corrupt. An uncorrupt authority performs its duty completely honestly. A partially corrupt authority is one whose secret key has been exposed but who does not deviate from its protocol. A fully corrupt authority is one whose key has been exposed and who may deviate from its protocol.
They also make three assumptions about the schemes. First, each potential member has a certified public/private key pair, independent of any group authority; how these keys were obtained is irrelevant. Second, the Join protocol can be run with many users concurrently. Finally, every opening must be accompanied by a publicly verifiable proof string showing that the opening was done correctly.
Bellare, Shi and Zhang defined what is known as the registry, denoted Reg. It contains information about the users, who are identified by a unique i ∈ N; Reg_i is the identity information of user i. Reg is writeable by the issuer and readable by the opener, who uses the information to identify the signer. We require the algorithms defined in Section 2.2 as well as the following: UserKeyGen, used by the user to generate a public/private key pair, denoted UPK_i and USK_i, for use in the Join protocol; (Join, Iss), the interactive protocol in which the user joins the group and the issuer issues them a signing key SK_i; and Judge, which checks an opening and its accompanying proof string for validity.
In terms of security, they defined three properties that must be satisfied, namely anonymity, traceability and non-frameability. Although we have seen that traceability implies non-frameability, it is kept as a separate requirement because the two properties can be achieved under different trust levels of the authorities. The trust levels required for each property are given in [BSZ05]. The definitions are as above, but the adversary is now also allowed to enrol new corrupted users and to corrupt existing users. For a more formal treatment, we refer the reader to [BSZ05].
We now present the formalisations of the three properties. To do so, we need to define some new oracles that model adversarial capabilities not considered in [BMW03]. Before defining the oracles, we need some extra variables. We maintain two sets HU and CU, containing the identities of the honest and corrupt users respectively. We say an identity i is valid if 1 ≤ i ≤ n and i ∈ HU. We also maintain GSet, the set of all message-signature pairs generated by $\mathrm{Ch}_b$.
• AddU(·): Adds an honest user to the group.
• CrptU(·): On input of a valid identity i and a string UPK′, corrupts user i and sets UPK_i to UPK′.
• SndToI(·): Allows the adversary to run the (Join, Iss) protocol with the issuer on behalf of a corrupted user i ∈ CU. If the protocol completes successfully, user i holds a valid signing key SK_i and the relevant information is entered in Reg_i.
• SndToU(·): Models an adversary who has corrupted the issuer: the oracle runs the (Join, Iss) protocol with some honest user i ∈ HU on the adversary's behalf.
• USK(·): On input of a valid identity i, outputs the user's secret keys USK_i and SK_i. We note that UPK_i is assumed to be public.
• RReg(·): On input of a valid identity i, outputs Reg_i.
• WReg(·): On input of a valid identity i and an entry Reg′_i, replaces Reg_i with Reg′_i.
• GSig(·): On input of a valid identity i and a message m, outputs a group signature on m made using SK_i.
• $\mathrm{Ch}_b$(·): The challenge oracle for an adversary attacking anonymity; it depends on a bit b ∈_R {0, 1} chosen by the oracle. On input of two valid identities i_0, i_1 and a message m*, it outputs σ* ← GSig(i_b, m*) and adds (m*, σ*) to GSet. In the rest of this work, all variables associated with the challenge group signature σ* carry an asterisk superscript.
• Open(·): On input of a message-signature pair (m, σ) ∉ GSet, returns the identity of the signer.
It is worth noting that [BSZ05] did not cover member revocation. This is due to the complexity of revocation, which tends to be scheme-specific: some schemes require recomputation of the public key, some issue revocation lists, and others take different approaches. We do not discuss this problem further and refer the reader to [Koc98] and [Gen03] for a general treatment of revocation in digital signatures, and to [AST02], [BBS04] and [BS04] for examples of revocation in group signature schemes.
Chapter 3
Assumptions
3.1 Bilinear Groups
Most group signature schemes are built using bilinear maps, which are essentially modified Weil or Tate pairings. To build a pairing we require three finite cyclic groups, which we call G_1, G_2 and G_T, and a map e that takes a ∈ G_1, b ∈ G_2 to e(a, b) ∈ G_T. The map is said to be admissible if:
• Bilinearity: for all a ∈ G_1, b ∈ G_2 and x, y ∈ Z, $e(a^x, b^y) = e(a, b)^{xy}$
• Non-degeneracy: for generators g_1 of G_1 and g_2 of G_2, $e(g_1, g_2) \neq 1$
• $G_T = \langle e(g_1, g_2) \rangle$
Since G_1 and G_2 are finite cyclic groups of the same order, isomorphisms ψ_1 : G_1 → G_2 and ψ_2 : G_2 → G_1 trivially exist. We only consider ψ_2, which we simply denote ψ. Although this homomorphism exists, it may not be efficiently computable; where ψ_1 is computable but ψ_2 is not, we simply swap the roles of the groups to keep our notation.
Another point to note is that there are two possible settings for the groups, G_1 = G_2 and G_1 ≠ G_2, known as symmetric and asymmetric bilinear groups respectively.
From these two properties we get three types of bilinear group, as defined by Galbraith, Paterson and Smart in [GPS08], whose terminology we use throughout:
• Type 1: G = G_1 = G_2
• Type 2: G_1 ≠ G_2 and ψ is efficiently computable
• Type 3: G_1 ≠ G_2 and ψ is not efficiently computable
We note that the case where both ψ_1 and ψ_2 are computable is treated as a Type 1 group. We define $\mathcal{G}$ as the bilinear group generator: on input 1^k it outputs a description gk of a bilinear group of the required type.
3.2 Number-Theoretic
For this section, we consider a finite cyclic multiplicative group G of prime order p with generator g. Although a large number of assumptions are used across the literature, we only detail those required for the security proofs in [Gro07].
Discrete Logarithm Problem (DLP) Over the real numbers, calculating the logarithm of a number to any base is straightforward. In a cyclic group no comparably efficient method is known in general. The DLP is stated as follows:
Given x ∈ G, find y ∈ Z_p such that $x = g^y$.
Decision Diffie-Hellman Assumption (DDH) The Decisional and Computational Diffie-Hellman problems were both introduced in [DH76]. We only cover the decisional variant:
Given $g, g^x, g^y, g^z \in G$, decide whether $z = xy \bmod p$ or $z \in_R \mathbb{Z}_p$.
The DDH assumption is said to hold in a group when this problem is hard there. It is worth noting that DDH does not hold in Type 1 groups, nor in G_2 of Type 2 groups, because the pairing (together with ψ) decides it.
q-Strong Diffie-Hellman Assumption (q-SDH) This assumption was introduced by Boneh and Boyen in [BB04]. It is stated as follows:
Given a polynomial q and $g, g^x, g^{x^2}, \ldots, g^{x^{q(k)}} \in G$, find a pair $(m, g^{1/(x+m)}) \in \mathbb{Z}_p \times G$.
The q-SDH assumption is said to hold in a group when this problem is intractable.
Decision Linear Assumption (DLIN) This assumption was introduced by Boneh, Boyen and Shacham in [BBS04]. It is stated as follows:
Given generators $g, g_1, g_2 \in G$ and $g_1^r, g_2^s, g^t$, decide whether $t = r + s$ or $t \in_R \mathbb{Z}_p$.
The assumption is stated for a single group and was shown to hold in generic bilinear groups. [BBS04] also showed that it gives rise to what is known as the Linear Encryption scheme.
The q-Unfakeability Assumption This assumption was introduced by Groth in [Gro07]. It is stated as follows:
Given a polynomial q, the description gk of a Type 1 group, public elements $f, h \in_R G$ and $T = e(f, z)$ for a private element $z \in_R G$, and, for $1 \le i \le q(k)$, elements $x_i, r_i \in_R \mathbb{Z}_p$ with $a_i = f^{r_i}$ and $b_i = h^{r_i} g^{x_i r_i} z$;
find $(V, A, B, m, S)$ such that $V \notin \{g^{x_1}, g^{x_2}, \ldots, g^{x_{q(k)}}\}$, $e(A, hV)\, e(f, B) = T$ and $e(S, V g^m) = e(g, g)$.
Symmetric External Diffie-Hellman (SXDH) and Symmetric External Decision Linear (SXDLIN) Assumptions The SXDH assumption holds when DDH holds in both G_1 and G_2. Clearly, this is only possible in Type 3 groups. The SXDLIN assumption holds when DLIN holds in both G_1 and G_2; this can be the case in both Type 2 and Type 3 groups. The word "External" in both names indicates that the two groups are treated independently of each other.
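The DLIN problem and the Linear Encryption scheme it underlies, as an added example that is not part of the dissertation. It works in a Schnorr subgroup of $\mathbb{Z}_p^*$ rather than a bilinear group, which is enough to show three things: the shape of a DLIN instance, that a Linear Encryption of the identity element is exactly a real DLIN tuple, and that the decryption key (x, y) is a DLIN trapdoor for its own public key (u, v, h). The function names, the choice g = 4 and the tiny safe prime are this example's own assumptions; the group size is for illustration only and is far from a secure parameter.

```python
"""DLIN instances and Linear Encryption [BBS04] over a toy prime-order group.

Added example, not code from the dissertation. A Schnorr subgroup of Z_p^*
(no pairing) is enough to show the shape of a DLIN instance, that an encryption
of 1 under Linear Encryption is a real DLIN tuple, and that the Linear
Encryption secret key is a DLIN trapdoor for its own public key. The safe prime
is tiny so the script runs instantly; it is not a secure parameter choice.
"""
import secrets


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def safe_prime_group(start=10 ** 6):
    """Return (p, q, g): a safe prime p = 2q + 1 and g = 4, which generates the order-q subgroup."""
    q = next(c for c in range(start | 1, 2 * start, 2) if is_prime(c) and is_prime(2 * c + 1))
    return 2 * q + 1, q, 4


def rand_exp(q):
    """Uniform exponent in [1, q-1]."""
    return 1 + secrets.randbelow(q - 1)


def dlin_instance(p, q, u, v, h, real):
    """Sample (u^r, v^s, h^t) for fixed generators u, v, h: t = r + s if real, else t random.
    Deciding which case occurred is the DLIN problem."""
    r, s = rand_exp(q), rand_exp(q)
    t = (r + s) % q if real else rand_exp(q)
    return pow(u, r, p), pow(v, s, p), pow(h, t, p)


def lin_keygen(p, q, g):
    """Linear Encryption keys: pk = (u, v, h) with u^x = v^y = h, sk = (x, y)."""
    x, y = rand_exp(q), rand_exp(q)
    h = pow(g, rand_exp(q), p)
    u = pow(h, pow(x, -1, q), p)          # u = h^(1/x), hence u^x = h
    v = pow(h, pow(y, -1, q), p)
    return (u, v, h), (x, y)


def lin_encrypt(p, q, pk, m):
    """Encrypt m in Z_p^* as (u^a, v^b, m * h^(a+b)).  For m = 1 this is a real DLIN instance."""
    u, v, h = pk
    a, b = rand_exp(q), rand_exp(q)
    return pow(u, a, p), pow(v, b, p), m * pow(h, a + b, p) % p


def lin_decrypt(p, sk, ct):
    """Recover m = c3 / (c1^x * c2^y), since c1^x * c2^y = h^(a+b)."""
    x, y = sk
    c1, c2, c3 = ct
    mask = pow(c1, x, p) * pow(c2, y, p) % p
    return c3 * pow(mask, -1, p) % p


def decide_dlin_with_secret(p, sk, instance):
    """Holder of (x, y) decides DLIN for (u, v, h): t = r + s  iff  h^t = (u^r)^x * (v^s)^y."""
    x, y = sk
    ur, vs, ht = instance
    return ht == pow(ur, x, p) * pow(vs, y, p) % p


def challenge_from_dlin(p, instance, m0, m1, b):
    """The IND-CPA reduction step: embed a DLIN instance as the challenge ciphertext.
    A real instance yields a correctly distributed encryption of m_b; a random
    instance yields a ciphertext independent of b, so any IND-CPA adversary
    with non-negligible advantage decides DLIN with the same advantage."""
    ur, vs, ht = instance
    return ur, vs, (m1 if b else m0) * ht % p
```

The last function is the whole content of the "Linear Encryption is IND-CPA under DLIN" argument: the reduction never needs the secret key, it only re-labels the three elements of its DLIN instance as a ciphertext. Conversely, decide_dlin_with_secret shows why (x, y) must stay secret: anyone holding it can decide DLIN for that public key, which is the same computation as decryption.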
3.3 Random Oracle
The Random Oracle Model was popularised by Bellare and Rogaway [BR93]. Since its introduction, many schemes have been proven secure in this model. One of the main techniques used is the Fiat-Shamir heuristic [FS86], which turns a 3-round interactive protocol into a non-interactive one by replacing the verifier's random challenge with a hash of the prover's first message (and the statement being proven), the hash function being modelled as a random oracle. It has been debated whether results in the Random Oracle Model are meaningful, as there is no reduction from the Random Oracle Model to the Standard Model.
Most notably, Canetti, Goldreich and Halevi exhibited schemes that are secure in the Random Oracle Model but insecure under any concrete instantiation of the hash function ([CGH98], [CGH04]). An extensive knowledge of this model is not needed here, so we do not go into further detail; it is mentioned because it forms part of our comparison later.
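The Fiat-Shamir transform just described, as an added example that is not part of the dissertation. It turns the Schnorr identification protocol (commit $t = g^k$, challenge c, response $s = k + cx$) into a signature of knowledge by deriving c from SHA-256 over the transcript, the hash standing in for the random oracle. It also demonstrates the failure mode that motivates hashing the statement y and not only the commitment t: forge_weak_fs produces a proof that verifies under the "weak" variant for a public key whose discrete logarithm nobody knows. The group parameters, function names and the g = 4 generator are this example's own assumptions, and the group is a toy size.

```python
"""Fiat-Shamir transform of the Schnorr identification protocol.

Added example, not code from the dissertation. The three-move protocol
(commit t = g^k, challenge c, response s = k + c*x) is made non-interactive by
deriving c from a hash of the transcript, the hash standing in for the random
oracle. forge_weak_fs() shows why the statement y must be hashed along with
the commitment: the "weak" variant that hashes only t admits valid-looking
proofs for keys whose discrete logarithm nobody knows. Toy group size.
"""
import hashlib
import secrets


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def safe_prime_group(start=10 ** 6):
    """(p, q, g) with p = 2q + 1 prime and g = 4 of order q."""
    q = next(c for c in range(start | 1, 2 * start, 2) if is_prime(c) and is_prime(2 * c + 1))
    return 2 * q + 1, q, 4


def challenge(q, *parts):
    """Random-oracle stand-in: SHA-256 over a length-prefixed encoding of the transcript, mod q."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % q


def keygen(p, q, g):
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)                 # secret x, public y = g^x


def prove(p, q, g, x, y, msg, strong=True):
    """Signature of knowledge of x = log_g(y) on msg.
    strong=True hashes (g, y, t, msg); strong=False hashes only t (weak Fiat-Shamir)."""
    k = 1 + secrets.randbelow(q - 1)
    t = pow(g, k, p)
    c = challenge(q, g, y, t, msg) if strong else challenge(q, t)
    return t, (k + c * x) % q


def verify(p, q, g, y, msg, proof, strong=True):
    """Recompute the challenge exactly as the prover did and check g^s = t * y^c."""
    t, s = proof
    c = challenge(q, g, y, t, msg) if strong else challenge(q, t)
    return pow(g, s, p) == t * pow(y, c, p) % p


def forge_weak_fs(p, q, g):
    """Attack on weak Fiat-Shamir: fix t, read off c = H(t), choose s freely and solve
    for the public key y = (g^s / t)^(1/c).  (t, s) then verifies under y although
    nobody knows log_g(y); with y inside the hash, c cannot be fixed before y is."""
    t = pow(g, 1 + secrets.randbelow(q - 1), p)
    c = challenge(q, t)
    if c == 0:                              # 1/c undefined; retry (probability 1/q)
        return forge_weak_fs(p, q, g)
    s = 1 + secrets.randbelow(q - 1)
    y = pow(pow(g, s, p) * pow(t, -1, p) % p, pow(c, -1, q), p)
    return y, (t, s)
```

The message is hashed into the challenge as well, which is what makes the non-interactive proof a signature: the same (t, s) does not verify for a different message. The weak-variant forgery is the classic reason that group signature constructions in the random oracle model bind every public value of the statement into the challenge.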
Chapter 4
Previous Work
In this chapter, we first look at the considerations in creating group signature schemes,
and the research in that area. We then proceed to compare some schemes based on these
properties.
4.1 Considerations
As stated before, the introductory work in this field was done by Chaum and van Heyst in [CvH91]. Since then there has been a great amount of research, which has split into three nearly distinct concerns, namely:
1. Efficiency
2. Functionality
3. Improvements in security
We now discuss the research advances and the state of the art in each of these areas.
4.1.1 Efficiency
In terms of efficiency, we need to consider the time taken to sign, verify and open signatures. As with all cryptographic schemes, we want all computations to be efficient. This is especially true of pairing-based schemes; for details of the implementation issues we refer the reader to [GPS08]. It is important to note that asymptotic complexity and big-O notation do not suffice: when considering speed we need empirical figures, in seconds (or fractions thereof) or in numbers of group operations. We refer the reader to such a study of five schemes by Hansen and Pagels [HP06], with the caveat that the text is in Danish.
The second issue is that the size of signatures and keys has tended to depend on the number of members in the group. As stated in [AT99], most schemes have signature sizes that grow as a function of the number of members, which becomes impractical for large groups. The first constant-size scheme was given by Ateniese et al. [ACHdM05], but it was only secure against non-adaptive adversaries. Groth showed in [Gro06] that it is possible to have group signatures with constant-size signatures and keys that are secure against adaptive adversaries. Although that scheme was constant-size, it was highly impractical, as signatures consisted of thousands of group elements. This was later refined in [Gro07], where Groth proposed a scheme with constant signature size of 50 group elements or fewer, depending on the level of security required.
4.1.2 Functionality
With respect to functionality, the main focus has been on partly- and fully-dynamic groups. A partly-dynamic group allows us either to add members or to remove members, but not both; a fully-dynamic group allows both. Most advances in this area have been in groups that allow members to be added, since removing members runs into the key revocation problem.
Although [CP94] showed two schemes in which group members could be added or removed, they had the drawbacks that the group manager could falsely accuse a group member of having produced a signature, and that users had to "double sign" messages. [Cam97] and [CS97] also showed group signature schemes with growing membership, but again the signature size grows as a function of the number of members.
The first group signature scheme with revocation was introduced by Bresson and Stern in [BS01]. However, its signature size was linear in the number of revoked users. [AST02] showed revocation mechanisms for the schemes presented in [ACJT00].
4.1.3 Security Improvements
A large number of group signature schemes are proven secure in the random oracle model. After [CGH98], some researchers moved away from this model and turned to the standard model. We have already discussed the relevant assumptions in Chapter 3. This has driven much of the security-oriented research in the field, and most recent group signature schemes are proven in the standard model.
The first group signature schemes proven secure in the standard model were [BB04] and [CL04]. Since then there has been a shift from the Random Oracle Model to the Standard Model. It is worth noting, however, that not all schemes made this shift; for example [BBS04], [AST02] and [BS04] remain in the Random Oracle Model (see Table 4.1). As mentioned before, the validity of this model and of results in it is debatable. For further considerations, we refer the reader to [CGH04].
Another major issue has been making equivalent security statements. Although it is fine in its own right to prove that a system is secure, it is very useful to compare it with a classical digital signature scheme, so that people familiar with digital signatures can draw a parallel and get some comparative idea of the security offered. For example, [BBS04] showed their scheme to have security equivalent to that of a 1024-bit RSA signature, at 1.5 times the length. Such security equivalences are a useful consideration when choosing a group signature scheme to implement.
It must also be noted that one major area of research is finding more efficient security
assumptions. As we can see from Chapter 3, there have been a large number of changes
in the assumptions, which may allow more efficient protocols, both in terms of size and
computation.
4.2 Comparison
In this section, we compare a number of group signature schemes in light of the items discussed above, i.e. security assumptions, dynamic or static membership and signature size. Table 4.1 summarises these properties:

SCHEME     MODEL  JOIN  REVOKE  SINGLE MANAGER  SIGNATURE SIZE
[CP94]     RO     √     X       √               O(m)
[ACJT00]   RO     √     X       √               O(n)
[AST02]    RO     √     √       √               O(r)
[BBS04]    RO     √     √       √               O(r)
[BS04]     RO     X     √       √               O(r)
[CL04]     SM     √     X       X               O(log n)
[ACHdM05]  SM     √     X       √               Constant†
[BW06]     SM     √     X       X               O(log n)
[Gro06]    SM     √     X       X               Constant
[BW07]     SM     √     X       X               Constant
[Gro07]    SM     √     X       X               Constant

Table 4.1: Comparison of group signature schemes
Notation: RO = Random Oracle Model; SM = Standard Model; n = number of group members; r = number of revoked users; m = number of messages.
† Only secure against non-adaptive adversaries.
Chapter 5
The Groth Signature Scheme
In this chapter, we cover the Groth Signature Scheme [Gro07]. We examine all the tools
used and then detail the scheme itself. We omit the security proofs here and refer the reader
to [Gro07] for the proofs.
5.1 Tools
In this section, we cover the tools used in the construction of the Groth Signature Scheme [Gro07], namely certified digital signatures, one-time signatures, tag-based encryption, collision-free hash functions, Non-Interactive Zero Knowledge (NIZK) proofs and Non-Interactive Witness Indistinguishable (NIWI) proofs.
5.1.1
Certified Digital Signatures
As mentioned before, a digital signature is a message-dependent bit-string generated privately by the signer. However, the question remains how we can safely conclude that party A signed a given message: it is possible that an adversary, Adv, sent the message masquerading as A. A commonly used solution is to attach a digital certificate.
A digital certificate is another bit-string, generated by a Trusted Third Party known as a Certification Authority (CA), which attests that the sender is indeed in possession of the secret key corresponding to the public key contained in the certificate. The CA has a public certification key, which can be used to verify the validity of the certificate and hence of the key contained within.
A certificate may be a digitally signed text file, or may consist of elements of a finite cyclic group, or indeed of a bilinear group. In the scheme, Zhou-Lin [ZL06] certificates are used for Boneh-Boyen signatures [BB04].
5.1.2 Tag-based Encryption
Tag-based encryption is essentially a public-key encryption system in which encryption takes an additional value, called the tag. A fresh tag is used for each ciphertext and is transmitted with it; decryption uses the tag together with the secret key. Tags can take any form required by the scheme.
For this scheme we need a selective-tag weakly CCA-secure tag-based encryption scheme, combined with a strong one-time signature. From these, a CCA-secure encryption scheme can be built using a result of Kiltz [Kil06]. Selective-tag CCA (stag-CCA) security requires the adversary to output a target tag t^* before it sees the public key or any decryptions. To formalise this, we define an adversary Adv for the following game:
\[
\begin{aligned}
&\mathrm{Adv}(1^k) \to t^* \\
&\mathrm{Setup}(1^k) \to gk \\
&\mathrm{KeyGen}(gk) \to (pk, sk) \\
&\mathrm{Adv}^{\mathrm{Dec}(\cdot)}(pk) \to (M_0, M_1) \\
&b \in_R \{0,1\};\quad C^* = \mathrm{Enc}_{pk}(M_b, t^*) \\
&\mathrm{Adv}^{\mathrm{Dec}(\cdot)}(C^*) \to b' \in \{0,1\}
\end{aligned}
\]
We must also note that Adv may not query Dec(·) on any ciphertext under the tag t^*, may make only q(k) queries, where q is a polynomial, and must choose |M_0| = |M_1|. We define the advantage of the adversary against stag-ind-cca security as
\[
\mathrm{Advantage}^{\mathrm{stag}}_{\mathrm{Adv}}(k) = \left|\Pr[b' = b] - \tfrac{1}{2}\right|.
\]
For a tag-based encryption scheme to be deemed stag-ind-cca secure, Advantage^{stag}_{Adv}(k) must be a negligible function in k.
5.1.3 Collision-Free Hash Functions
H is a generator of cryptographic hash functions Hash : {0,1}^* → {0,1}^{l(k)}. A hash function Hash ← H(1^k) is said to be collision-free if a probabilistic polynomial time adversary Adv has only negligible probability of finding x ≠ y such that Hash(x) = Hash(y). There are several such functions publicly available, such as the SHA family of hash functions.
5.1.4 Non-Interactive Zero-Knowledge Proofs
A Zero-Knowledge Proof (ZKP) is a way for one party to prove a statement to another without revealing any confidential information. We consider two parties A and B who are engaged in some protocol. A has their secret input x to the function, which lies in a given NP-language L. If at some point B suspects that A is being dishonest in the protocol, they can challenge A.
At this point A has to prove that they are being honest. The simplest way to do so is to reveal x, which A does not want to do. Instead, they can engage in another protocol that allows A to convince B that x ∈ L but reveals nothing more. To do this, A needs an additional value w, known as a witness.
A ZKP must satisfy the following properties:
• Completeness: A prover who knows a valid witness w for x ∈ L can convince the verifier that x ∈ L.
• Soundness: No prover can output a valid proof if x ∉ L.
• Zero-Knowledge: The verifier learns nothing from the proof other than that x ∈ L.
This considers the interactive case, where the prover and verifier engage in a protocol. Interaction may sometimes be infeasible, hence the motivation for Non-Interactive Zero-Knowledge (NIZK) proofs, in which the prover computes a proof string and sends it to the verifier. The verifier can then check the validity of this proof string without any further interaction with the prover.
A NIZK proof system consists of four probabilistic polynomial time algorithms, which we now describe. The key generator K, on input 1^k, generates the public information (the common reference string) and the extraction key. The prover P, on input the public information, the statement x and a witness w, outputs a NIZK proof χ. The verifier V takes the public information, the statement and the proof χ and outputs 1 if it accepts the proof, or 0 if it does not. Finally, the extractor X, on input a proof χ and the extraction key xk, returns the witness.
5.1.5 Non-Interactive Witness-Indistinguishable Proofs
Witness-Indistinguishable Proofs (WIPs) can be thought of as a variant of ZKPs. Recall that we required a witness w for the statement x ∈ L. We observe that there may be more than one witness for a statement. In a WIP we require not only that the verifier learns no confidential information, but also that it cannot tell which witness was used. To this end, we define a new property:
• Witness Indistinguishability: The verifier does not learn anything about which witness was used to produce the proof.
We now formalise the witness indistinguishability (WI) property. We define the game
\[
\begin{aligned}
&K(1^k) \to (crs, xk) \\
&\mathrm{Adv}(crs) \to (x^*, w_0, w_1) \\
&b \in_R \{0,1\};\quad P(crs, x^*, w_b) \to \pi^* \\
&\mathrm{Adv}(\pi^*) \to b'
\end{aligned}
\]
where we require that w_0 and w_1 are both valid witnesses for x^* ∈ L. We define the advantage of the adversary against WI security as
\[
\mathrm{Advantage}^{\mathrm{WI}}_{\mathrm{Adv}}(k) = \left|\Pr[b' = b] - \tfrac{1}{2}\right|.
\]
For a proof system to be deemed witness indistinguishable, we require that Advantage^{WI}_{Adv}(k) is a negligible function in k. If there exists a simulator S whose output is computationally indistinguishable from that of K, we have what is known as composable WI.
Again, as with ZKPs, interaction may not be feasible, hence the need for non-interactive proofs; thus we have NIWIs in the same manner as NIZKs. For this scheme, we employ the Groth-Sahai proof system [GS08], with the improvements of Ghadafi et al. [GSW10], for both the NIWI and NIZK proofs. We must point out that these proof systems are in the Common Reference String model, which requires a public common reference string (crs) shared between the prover and the verifier.
As NIZK and NIWI systems have the same component algorithms with the same naming scheme, we distinguish them by subscripting with NIZK or NIWI, i.e. P_NIZK and P_NIWI are the provers for the NIZK and NIWI respectively.
5.2 The Scheme
The main component of the scheme is the certified signature scheme described above. The issuer acts as the CA and generates a certificate for each member wishing to enrol.
When a user wishes to produce a group signature on a message, they generate a new key pair (vk_sots, sk_sots) for a strong one-time signature. The strong one-time signature scheme used is the Boneh-Boyen signature scheme [BB04].
To anonymise the signatures, we include a NIWI proof of the certified signature on vk_sots. Here the member's certificate, and through it their identity, is treated as the witness. Given the witness indistinguishability property, the signatures are anonymous. The Opener holds the extraction key for the NIWI, which acts as ok, and can extract the certificate and thus the signer's identity.
To ensure that users remain anonymous when the adversary has access to an Open(·) oracle, we encrypt the signature on vk_sots using Kiltz' cryptosystem, with vk_sots itself as the tag. We then provide a NIZK proof that the encrypted signature is indeed the same as the signature encapsulated in the NIWI proof.
We now explain the NIWI and NIZK proofs in more detail. The NIWI proofs are based on what Groth and Sahai call Pairing Product Equations (PPEs); the PPEs in this case are the verification equations. The NIZK proofs are based on Multi-Scalar Multiplication Equations (MSMEs); these equations involve the ciphertext elements y_1, y_2 and y_3. The original scheme uses the DLIN instantiation of the proof system. For further details, we refer the reader to [Gro07] and [GS08].
Finally, we make a note on the collision-resistant hash function. We need to hash into Z_p, thus we require that 2^{l(k)} < p.
We now present the full scheme below:

Setup(1^k)
  G(1^k) → gk;  H(1^k) → Hash
  CertKey(gk) → ((f, h, T), z)
  K_NI(gk) → (crs, xk);  K, L ∈_R G
  Parse(crs) → (F, H, the rest);  pk = (F, H, K, L)
  gpk = (gk, Hash, f, h, T, crs, pk)
  ik = z;  ok = xk
  Return (gpk, ik, ok)

Join/Issue(User_i: gpk, Issuer: gpk, ik)
  ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
  User: If e(a_i, h v_i) e(f, b_i) = T set Reg[i] = v_i;  SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m)
  KeyGen_sots(1^k) → (vk_sots, sk_sots)  (repeat until Hash(vk_sots) ≠ −x_i)
  ρ ∈_R Z_p;  a = a_i f^{−ρ};  b = b_i (h v_i)^ρ
  σ = g^{1/(x_i + Hash(vk_sots))}
  π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, σ))
  y = Enc_pk(Hash(vk_sots), σ)
  χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
  σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
  Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ)
  Return 1 if all of the following return 1:
    Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
    V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
    V_NIZK(crs, (gpk, π, y), χ)
    VerEnc(pk, Hash(vk_sots), y)
  Else Return 0

Open(gpk, ok, m, Σ)
  X_xk(crs, (gpk, a, Hash(vk_sots)), π) → (b, v, σ)
  If there is i such that v = v_i, Return (i, σ)
  Else Return (0, σ)

Judge(gpk, i, Reg[i], m, Σ, σ)
  If i ≠ 0 ∧ e(σ, v_i g^{Hash(vk_sots)}) = e(g, g) Return 1
  Else Return 0

Figure 5.1: The Groth Group Signature Scheme
Chapter 6
Our Contributions
Having examined the Groth Signature Scheme [Gro07], we immediately observe that all the cryptographic protocols can be directly translated into a Type 2 group. We detail all the components needed to construct our scheme and then present the scheme. We then make a minor modification to the scheme to obtain a slightly smaller signature. Finally, we present a scheme which maps directly into a Type 3 group, and a modification of it.
6.1 Scheme 1
6.1.1 Components
We begin with the certified signature scheme, which we modify to suit a Type 2 group. The resulting scheme is described in Figure 6.1.
Setup(1^k)
  gk = (p, G_1, G_2, G_T, e, g_1, g_2, ψ) ← G(1^k)
  Return gk

CertKey(gk)
  f ∈_R G_1;  h, z ∈_R G_2
  T = e(f, z)
  Return (ak, ck) = ((gk, f, h, T), (ak, z))

⟨User(gk, ak), Issuer(gk, ck)⟩
  ⟨User(gk), Issuer(gk)⟩ → (x, v)
  r ∈_R Z_p
  a = f^{−r}
  b = (v h)^r z
  vk = v, sk = x, cert = (a, b)
  User output: (vk, sk, cert)
  Issuer output: (vk, cert)

Sign_sk(m)
  If x = −m return ⊥
  Else return σ = g_1^{1/(x+m)}

Ver(gk, ak, vk, cert, m, σ)
  Return 1 if
    e(a, v h) e(f, b) = T
    e(σ, v g_2^m) = e(g_1, g_2)
  Else return 0

Figure 6.1: The Type-2 Certified Signature Scheme
Theorem 1. The certified signature scheme in Figure 6.1 has perfect correctness for all m ∈ Z_p \ {−x}.
Proof. Correctness of the signature follows from the two verification equations: e(a, vh) e(f, b) = e(f, vh)^{−r} e(f, vh)^{r} e(f, z) = T and e(σ, v g_2^m) = e(g_1^{1/(x+m)}, g_2^{x+m}) = e(g_1, g_2). Correctness of the key generation protocol follows as we use the same protocol as in the original scheme.
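The following is an added worked example, not part of the dissertation: it runs the scheme of Figure 6.1 in a toy model where each group element is stored as its discrete logarithm to the base of its group's generator, in the spirit of the generic group model used for Theorem 2. The pairing becomes e([x]_1, [y]_2) = [[xy]], group multiplication becomes addition of logs and exponentiation becomes multiplication of logs, all modulo a prime P. The prime P, the function names and the constructed test values are my own choices, and the model has no security whatsoever (discrete logarithms are free); it only checks that both verification equations hold for honest certificates and signatures, that a certificate issued for a different key fails, and that the excluded message m = −x is rejected.

```python
# Added example (not from the dissertation): Figure 6.1 in a toy discrete-log
# representation.  G1 elements are logs base g1, G2 elements logs base g2,
# GT elements logs base e(g1, g2).  This has NO security; it checks algebra only.
import secrets

P = 2**127 - 1  # toy prime group order (assumption; real schemes use a pairing-friendly order)

def rand_zp():
    return secrets.randbelow(P - 1) + 1

def pair(x1, y2):          # e([x]_1, [y]_2) = [[x*y]]
    return (x1 * y2) % P

def mul(x, y):             # group multiplication = addition of logs
    return (x + y) % P

def exp(x, k):             # group exponentiation = multiplication of logs
    return (x * k) % P

G1, G2 = 1, 1              # logs of the generators g1 and g2 (gk is implicit)

def cert_key():
    """CertKey(gk): f in G1, h, z in G2, T = e(f, z). Returns (ak, ck)."""
    f, h, z = rand_zp(), rand_zp(), rand_zp()
    T = pair(f, z)
    ak = (f, h, T)
    ck = (ak, z)
    return ak, ck

def join(ak, ck, x=None):
    """<User, Issuer>: the user picks x and v = g2^x, the issuer certifies v
    with a = f^{-r}, b = (v h)^r z.  Returns (vk, sk, cert)."""
    f, h, _ = ak
    _, z = ck
    x = rand_zp() if x is None else x
    v = exp(G2, x)
    r = rand_zp()
    a = exp(f, -r)                     # a = f^{-r}      (in G1)
    b = mul(exp(mul(v, h), r), z)      # b = (v h)^r z   (in G2)
    return v, x, (a, b)

def sign(sk, m):
    """Boneh-Boyen weak signature sigma = g1^{1/(x+m)}; rejects m = -x."""
    x = sk
    if (x + m) % P == 0:
        return None
    return exp(G1, pow((x + m) % P, -1, P))

def verify(ak, vk, cert, m, sigma):
    """Both verification equations of Figure 6.1."""
    if sigma is None:
        return False
    f, h, T = ak
    a, b = cert
    cert_ok = mul(pair(a, mul(vk, h)), pair(f, b)) == T          # e(a, vh) e(f, b) = T
    sig_ok = pair(sigma, mul(vk, exp(G2, m))) == pair(G1, G2)    # e(sigma, v g2^m) = e(g1, g2)
    return cert_ok and sig_ok

def demo():
    """Returns (honest verifies, certificate of another key fails, m = -x rejected)."""
    ak, ck = cert_key()
    vk, sk, cert = join(ak, ck)
    m = rand_zp()
    ok = verify(ak, vk, cert, m, sign(sk, m))
    _, _, other_cert = join(ak, ck)          # certificate issued for a different key
    swapped = verify(ak, vk, other_cert, m, sign(sk, m))
    rejected = sign(sk, (-sk) % P) is None
    return ok, swapped, rejected

if __name__ == "__main__":
    print(demo())
```

The rejection of m = −x in `sign` is exactly the case excluded by Theorem 1, and it is the reason the group signature's Sign repeats the one-time key generation until Hash(vk_sots) ≠ −x_i.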
In the original scheme [Gro07], Groth used the q-U assumption. We introduce a variant of this assumption in a Type 2 group, which we call the q-Unfakeability Type 2a (q-U-2a) assumption. We describe a Type 2 group as gk = (p, G_1, G_2, G_T, g_1, g_2, e, ψ), where p is the prime order of the groups, g_1 and g_2 are generators of G_1 and G_2 respectively, e is the bilinear map and ψ : G_2 → G_1 is the homomorphism. The assumption is stated as follows:
Given a polynomial q, the description of a Type 2 group gk, public elements f ∈_R G_1, h ∈_R G_2, T = e(f, z) for a private element z ∈_R G_2, and, for 1 ≤ i ≤ q(k), values x_i, r_i ∈_R Z_p with a_i = f^{−r_i}, b_i = h^{r_i} g_2^{x_i r_i} z (the adversary sees x_i, a_i and b_i but not r_i), find (V, A, B, m, S) such that
\[
V \notin \{g_2^{x_1}, g_2^{x_2}, \ldots, g_2^{x_{q(k)}}\}, \qquad e(A, hV)\, e(f, B) = T \qquad \text{and} \qquad e(S, V g_2^{m}) = e(g_1, g_2).
\]
Theorem 2. The q-U-2a assumption holds in the generic group model.
We use the generic group model to prove the assumption. In the generic group model, the adversary is not given the actual group elements, but random encodings of their discrete logarithms. To do this we employ random bijections [·]_1 : Z_p → G_1, [·]_2 : Z_p → G_2 and [[·]] : Z_p → G_T. The adversary can only access these bijections through an oracle O, defined as follows:
• On (exp, x), return [x]_i.
• On (bilinear, [x]_1, [y]_2), return [[xy]].
• On (multiply, [x]_i, [y]_i), return [x + y]_i.
• On (homomorphism, [x]_2), return [x]_1.
• On (multiply, [[x]], [[y]]), return [[x + y]].
where i ∈ {1, 2}. For notational simplicity, we drop the subscripts. We note that the oracle only allows the adversary to compute linear combinations of the elements it has been given.
Proof. We first restate the problem in the generic group model as follows, for an adversary A:
\[
\begin{aligned}
\Pr\big[\, & gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma_1, \gamma_2, \phi, \eta, \zeta \in_R \mathbb{Z}_p; \\
& [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T; \\
& ([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], \\
& \qquad x_1, [-\phi r_1], [\eta r_1 + x_1 \gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [-\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)} \gamma_2 r_{q(k)} + \zeta]\big) : \\
& [v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\} \ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]] \ \wedge\ [[s(v + \gamma_2 m)]] = [[\gamma_1 \gamma_2]] \,\big] \approx 0.
\end{aligned}
\]
We observe that A can only generate group elements by using the oracle to encode low-degree polynomials in γ_1, γ_2, φ, η, ζ, r_1, …, r_{q(k)} over Z_p. Based on this, we can state the conditions for success as
\[
[[s(v + \gamma_2 m) - \gamma_1 \gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).
\]
For A to succeed, it must have two low-degree polynomials evaluate to 0. By the Schwartz-Zippel lemma, a low-degree polynomial that is not identically zero evaluates to 0 at randomly chosen γ_1, γ_2, φ, η, ζ, r_1, …, r_{q(k)} with only negligible probability. Thus, to prove that the problem is intractable, we show that A cannot construct such zero polynomials with v ∉ {γ_2 x_1, …, γ_2 x_{q(k)}}.
We start with equation (1). We show that the only way to satisfy it is for A to pick v_g ∈_R Z_p and use the oracle to compute [v_g γ_2]. We assume that A has additionally been given φ, η, ζ, r_1, …, r_{q(k)} as extra input, which only strengthens A. We can then write s = s_d + s_g γ_1 and v = v_d + v_g γ_2 for known v_d, v_g, s_d, s_g ∈ Z_p, giving us
\[
s_d v_d + s_d (v_g + m)\gamma_2 + s_g v_d \gamma_1 + \big(s_g (v_g + m) - 1\big)\gamma_1 \gamma_2 = 0.
\]
Assume for contradiction that v_d ≠ 0. The constant term gives s_d v_d = 0, which implies s_d = 0. Examining the coefficient of γ_1, we get s_g v_d = 0, which implies s_g = 0. Thus s = 0, which contradicts s(v + mγ_2) = γ_1 γ_2. We conclude that A can only be successful if v = v_g γ_2.
We now consider equation (2): a(η + v_g γ_2) + φ b − φζ = 0. Since a and b are constructed by calls to O, we can write them as
\[
a = a_d + a_f \phi + a_g \gamma_1 + a_h \eta + \sum_{i=1}^{q(k)} a_{a_i} \phi r_i + \sum_{i=1}^{q(k)} a_{b_i} (\eta r_i + x_i \gamma_2 r_i + \zeta), \qquad
b = b_d + b_g \gamma_2 + b_h \eta + \sum_{i=1}^{q(k)} b_{b_i} (\eta r_i + x_i \gamma_2 r_i + \zeta)
\]
for known a_d, a_f, a_g, a_h, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i} ∈ Z_p, where the b_i terms in a arise from applying the homomorphism ψ. If we examine the coefficient of φζ, we see that Σ_{i=1}^{q(k)} b_{b_i} = 1, so there exists some b_{b_i} ≠ 0. The coefficient of φ η r_i gives us a_{a_i} + b_{b_i} = 0, which implies a_{a_i} = −b_{b_i}. Finally, the coefficient of φ γ_2 r_i shows that a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i − v_g) = 0, so for b_{b_i} ≠ 0 we have x_i = v_g. Therefore v_g ∈ {x_1, …, x_{q(k)}}, contradicting v ∉ {γ_2 x_1, …, γ_2 x_{q(k)}}.
Theorem 3. The scheme in Figure 6.1 is a certified signature scheme which is unfakeable under the q-U-2a assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.
Proof. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{−δ} of forging a signature under a key that has not been certified, that is:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] > 2k^{-\delta}.
\]
Let q(k) be a polynomial upper bound on the number of queries A can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most 1/(q(k) k^{δ}) per query, i.e. at most k^{−δ} in total. This allows us to pick x_1, …, x_{q(k)} in advance when simulating this protocol, thus assigning user i the signing key x_i. We call this modified oracle SimKeyReg, which gives us
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p;\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] > k^{-\delta}.
\]
With this modified oracle, A only sees certificates on v_i = g_2^{x_i}, which are of the form a_i = f^{−r_i}, b_i = h^{r_i} g_2^{x_i r_i} z, for 1 ≤ i ≤ q(k). It follows directly from the q-U-2a assumption that this probability is negligible, which gives a contradiction. Therefore we conclude that the scheme is unfakeable.
We now show existential unforgeability. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{−δ} of forging a signature under weak chosen message attack, giving us:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1) \rangle;\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1\big] > 2k^{-\delta}.
\]
Part of the key generation is an interactive protocol, in which it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error of this simulation can be set to not exceed k^{−δ}, giving us:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ x \in_R \mathbb{Z}_p,\ v = g_2^{x};\ (g_2^{u}, St_2) \leftarrow S_I^{\mathcal{A}(St_1)};\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1\big] > k^{-\delta},
\]
where u ∈ {⊥, x}. We are now in a situation where v is an honestly chosen Boneh-Boyen verification key and A only has access to a weak chosen message attack. For a signature made by A to be valid, we must have g_2^{u} ≠ ⊥, and therefore v = g_2^{u}. We also have a valid Boneh-Boyen signature inside the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08], so the probability above must be negligible. This gives a contradiction, and we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.
We now move to the cryptosystem. Again we translate the scheme proposed by Kiltz
[Kil06] into a Type 2 setting. The modified scheme is described in Figure 6.2.
Theorem 4. The cryptosystem in Figure 6.2 is selective-tag CCA-secure under the DLIN
assumption in G1 .
Setup(1^k)
  gk = (p, G_1, G_2, G_T, e, g_1, g_2, ψ) ← G(1^k)
  Return gk

KeyGen(gk)
  φ, η ∈_R Z_p
  F = g_1^φ, H = g_1^η, K, L ∈_R G_2
  Return (pk, sk) = ((gk, F, H, K, L), (φ, η))

Enc_pk(t, M)
  r, s ∈_R Z_p
  y_1 = F^r, y_2 = H^s, y_3 = g_1^{r+s} M, y_4 = (g_2^t K)^r, y_5 = (g_2^t L)^s
  Return C = (y_1, y_2, y_3, y_4, y_5)

Dec_sk(C, t)
  If Ver(pk, C, t) = 1
    Return M = y_3 · y_1^{−1/φ} · y_2^{−1/η}
  Else Return ⊥

Ver(pk, C, t)
  If e(y_1, g_2^t K) = e(F, y_4) ∧ e(y_2, g_2^t L) = e(H, y_5)
    Return 1
  Else Return 0

Figure 6.2: The Type-2 Tag-Based Encryption Scheme
Proof. Consider the following game, in which adversary A is a DLIN solver and adversary B breaks the stag-ind-cca security of the scheme. We show that A can use B to solve DLIN.
INIT STAGE: A runs Init(1^k) → (gk, (g_1, F, H, F^{r^*}, H^{s^*}, w)) and then calls B(1^k) → t^*.
FIND STAGE: A picks c_1, c_2 ∈_R Z_p and then selects K, L ∈ G_2 such that ψ(K) = g_1^{−t^*} F^{c_1} and ψ(L) = g_1^{−t^*} H^{c_2}. This defines pk = (gk, F, H, K, L). For any valid ciphertext C encrypted under a tag t ≠ t^*, we get the following. Given ψ(K) = g_1^{−t^*} F^{c_1},
\[
\psi(y_4) = \psi(K^{r} g_2^{tr}) = \psi(K)^{r}\,\psi(g_2)^{tr} = g_1^{-t^* r} F^{c_1 r} g_1^{tr} = (g_1^{r})^{t - t^*}\, y_1^{c_1},
\]
and similarly ψ(y_5) = (g_1^{s})^{t − t^*} y_2^{c_2}. Using these relationships we can construct our decryption oracle:
\[
K_E = \left( \frac{\psi(y_4)}{y_1^{c_1}} \cdot \frac{\psi(y_5)}{y_2^{c_2}} \right)^{\frac{1}{t - t^*}} = g_1^{r+s}, \qquad \text{where } y_3 = K_E\, M.
\]
This gives M = y_3 K_E^{−1}, so A can answer decryption queries for every tag t ≠ t^* without knowing φ or η.
GUESS STAGE: B outputs two messages M_0, M_1 of equal length. A selects b ∈_R {0,1} and generates the challenge ciphertext C^* = (F^{r^*}, H^{s^*}, w M_b, (g_2^{t^*} K)^{r^*}, (g_2^{t^*} L)^{s^*}). B is then given C^*, and decryption queries are answered as before. After making its queries, B outputs b' ∈ {0,1}. If b' = b, A guesses that C^* was a valid ciphertext, i.e. w = g_1^{r^* + s^*}, and outputs 1; otherwise it outputs 0.
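The following is an added worked example, not part of the dissertation: it runs the tag-based scheme of Figure 6.2 together with the simulator's decryption from the proof of Theorem 4, in a toy model where every element of G_1, G_2 and G_T is stored as its discrete logarithm to the base of g_1, g_2 and e(g_1, g_2) respectively, so that e([x]_1, [y]_2) = [[xy]] and ψ is the identity on logs. The prime P, the function names (`sim_keygen`, `sim_decrypt`) and the constructed inputs are my own choices. The model has no security (logs are free, which is also why the simulator can pick K and L with the required ψ-images directly); what it shows is that the honest decryption and the simulator's decryption agree for every tag t ≠ t^*, and that the simulator's formula breaks down exactly at t = t^*, where the exponent 1/(t − t^*) does not exist.

```python
# Added example (not from the dissertation): Figure 6.2 and the reduction of
# Theorem 4 in a toy discrete-log representation.  NO security; algebra only.
import secrets

P = 2**127 - 1  # toy prime group order (assumption)

def rand_zp():
    return secrets.randbelow(P - 1) + 1

def pair(x1, y2):          # e([x]_1, [y]_2) = [[x*y]]
    return (x1 * y2) % P

def mul(x, y):             # group multiplication = addition of logs
    return (x + y) % P

def exp(x, k):             # group exponentiation = multiplication of logs
    return (x * k) % P

def psi(y2):               # psi: G2 -> G1 is the identity on logs in this model
    return y2

G1, G2 = 1, 1              # logs of the generators

def keygen():
    """KeyGen(gk): F = g1^phi, H = g1^eta, K, L random in G2; sk = (phi, eta)."""
    phi, eta = rand_zp(), rand_zp()
    pk = (exp(G1, phi), exp(G1, eta), rand_zp(), rand_zp())
    return pk, (phi, eta)

def encrypt(pk, t, M, r=None, s=None):
    """Enc_pk(t, M) with optional fixed randomness for testing."""
    F, H, K, L = pk
    r = rand_zp() if r is None else r
    s = rand_zp() if s is None else s
    y1, y2 = exp(F, r), exp(H, s)
    y3 = mul(exp(G1, r + s), M)
    y4 = exp(mul(exp(G2, t), K), r)     # (g2^t K)^r
    y5 = exp(mul(exp(G2, t), L), s)     # (g2^t L)^s
    return (y1, y2, y3, y4, y5)

def ver(pk, C, t):
    """Ver(pk, C, t): both pairing checks of Figure 6.2."""
    F, H, K, L = pk
    y1, y2, _, y4, y5 = C
    return (pair(y1, mul(exp(G2, t), K)) == pair(F, y4) and
            pair(y2, mul(exp(G2, t), L)) == pair(H, y5))

def decrypt(pk, sk, C, t):
    """Dec_sk(C, t) = y3 * y1^{-1/phi} * y2^{-1/eta}, or None if Ver fails."""
    if not ver(pk, C, t):
        return None
    phi, eta = sk
    y1, y2, y3, _, _ = C
    return mul(y3, mul(exp(y1, -pow(phi, -1, P)), exp(y2, -pow(eta, -1, P))))

def sim_keygen(F, H, t_star):
    """Reduction's key: K, L with psi(K) = g1^{-t*} F^{c1}, psi(L) = g1^{-t*} H^{c2}.
    phi and eta are never used; (c1, c2) is the simulator's trapdoor."""
    c1, c2 = rand_zp(), rand_zp()
    K = mul(exp(G1, -t_star), exp(F, c1))
    L = mul(exp(G1, -t_star), exp(H, c2))
    return (F, H, K, L), (c1, c2)

def sim_decrypt(pk, trap, C, t, t_star):
    """Decrypt without phi, eta via psi(y4) = (g1^r)^{t-t*} y1^{c1} and
    psi(y5) = (g1^s)^{t-t*} y2^{c2}.  Refuses the challenge tag t = t*,
    where 1/(t - t*) is undefined."""
    if t == t_star or not ver(pk, C, t):
        return None
    c1, c2 = trap
    y1, y2, y3, y4, y5 = C
    inv = pow((t - t_star) % P, -1, P)
    g1_r = exp(mul(psi(y4), exp(y1, -c1)), inv)
    g1_s = exp(mul(psi(y5), exp(y2, -c2)), inv)
    KE = mul(g1_r, g1_s)                # g1^{r+s}
    return mul(y3, -KE)                 # M = y3 / KE

def demo():
    """(real decrypt ok, wrong tag rejected, simulator ok for t != t*, simulator refuses t*)."""
    pk, sk = keygen()
    t, M = rand_zp(), rand_zp()
    C = encrypt(pk, t, M)
    real = decrypt(pk, sk, C, t) == M
    wrong_tag = decrypt(pk, sk, C, (t + 1) % P) is None
    t_star = rand_zp()
    spk, trap = sim_keygen(pk[0], pk[1], t_star)
    sim_ok = sim_decrypt(spk, trap, encrypt(spk, t, M), t, t_star) == M
    sim_star = sim_decrypt(spk, trap, encrypt(spk, t_star, M), t_star, t_star) is None
    return real, wrong_tag, sim_ok, sim_star

if __name__ == "__main__":
    print(demo())
```

The `t == t_star` guard is the formal counterpart of the game's restriction that B may not query Dec under t^*: for that tag the simulator has no way to strip the masking term, which is precisely what lets it embed the DLIN challenge there.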
With respect to the NIZK and NIWI proofs, we use the DDH/DLIN hybrid instantiation of [GS08] as described by [GSW10], although we give no details of the construction here. We leave it to the reader to expand on the exact construction if they so choose, but we include a table of the number of elements required for each type of proof in Appendix A.
We observe that moving from a Type 1 to a Type 2 group does not affect the requirements on the collision-free hash function in any way, so we do not need to change anything from the original requirements.
6.1.2 The Scheme
Having described all the cryptographic primitives needed, we proceed to detail our scheme, which is given in Figure 6.3. We now prove the correctness and security of our scheme.
Lemma 1. The group signature scheme is anonymous under the DLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.
Proof. Consider the probability
\[
\Pr\big[(gpk, ik, ok) \leftarrow \mathcal{G}(1^k) :\ \mathcal{A}^{\mathrm{Ch}_b, \mathrm{Open}, \mathrm{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1\big]
\]
from the definition of anonymity [BSZ05]. For our scheme to be anonymous, we require that the probabilities for b = 0 and b = 1 differ negligibly.
We begin by modifying the game so that we abort if a group signature submitted to the Open(·) oracle contains a valid strong one-time signature under vk^*_{sots}, the one-time verification key of the challenge signature. By the existential unforgeability of the strong one-time signature, the probability that we abort for this reason is negligible. Thus we can now assume that vk^*_{sots} is not used in any valid query to Open(·). We also abort if there is a collision with Hash(vk^*_{sots}). The collision-resistance of the hash function implies that the probability of this is negligible, so from now on we assume that no such collision occurs.
We now modify how we generate the public key of the cryptosystem. We pick κ, λ ∈_R Z_p, set K = g_2^κ, L = g_2^λ and store κ and λ. Whenever Open receives a valid group signature, we use κ, λ to decrypt the tag-based ciphertext. By the validity checks of the tag-based cryptosystem and the perfect soundness of the NIZK proof χ, this gives us the same signature σ as would be extracted from the NIWI proof π. We then check Reg for an i such that e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2). If there is one, we return (i, σ). This equation determines v_i, so we obtain the same v_i as the extractor would return on the NIWI proof π. If there is no such v_i, we return (0, σ) and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change with the value of b.
Setup(1^k)
  G(1^k) → gk;  H(1^k) → Hash
  CertKey(gk) → ((f, h, T), z)
  K_NI(gk) → (crs, xk);  K, L ∈_R G_2
  Parse(crs) → (F, H, the rest);  pk = (F, H, K, L)
  gpk = (gk, Hash, f, h, T, crs, pk)
  ik = z;  ok = xk
  Return (gpk, ik, ok)

Join/Issue(User_i: gpk, Issuer: gpk, ik)
  ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
  User: If e(a_i, h v_i) e(f, b_i) = T set Reg[i] = v_i;  SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m)
  KeyGen_sots(1^k) → (vk_sots, sk_sots)  (repeat until Hash(vk_sots) ≠ −x_i)
  ρ ∈_R Z_p;  a = a_i f^{−ρ};  b = b_i (h v_i)^ρ
  σ = g_1^{1/(x_i + Hash(vk_sots))}
  π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, σ))
  y = Enc_pk(Hash(vk_sots), σ)
  χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
  σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
  Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ)
  Return 1 if all of the following return 1:
    Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
    V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
    V_NIZK(crs, (gpk, π, y), χ)
    VerEnc(pk, Hash(vk_sots), y)
  Else Return 0

Open(gpk, ok, m, Σ)
  X_xk(crs, (gpk, a, Hash(vk_sots)), π) → (b, v, σ)
  If there is i such that v = v_i, Return (i, σ)
  Else Return (0, σ)

Judge(gpk, i, Reg[i], m, Σ, σ)
  If i ≠ 0 ∧ e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2) Return 1
  Else Return 0

Figure 6.3: The Type-2 Group Signature Scheme
Due to our changes to the Open oracle, we no longer need xk. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that A outputs 1. Perfect witness-indistinguishability implies that A gains no information about which identity, and through it which secret key, was used to create the group signature.
This leaves the ciphertext y. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for b = 1 and b = 0 differ negligibly. We use the group signature adversary to construct an adversary against the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is pk = (gk, F, H, K, L). Using gk, F, H we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge. This simulated crs has a trapdoor key tk consisting of the discrete logarithms of the other elements with respect to g_1, g_2, F, H. From pk we can build a valid group signature public key gpk. We can also emulate the oracles CrptU, SndToI, AddU and USK. Whenever there is a valid query to Open, it contains a ciphertext y. The tag used in y is never the challenge tag t^* = Hash(vk^*_{sots}), so we can use the alternative decryption from the proof of Theorem 4, which gives us σ.
We now construct a challenge group signature from a challenge ciphertext. We first pick (vk^*_{sots}, sk^*_{sots}) and use Hash(vk^*_{sots}) as t^*. These are chosen independently of pk. We are then given pk and run the group signature game as described above. A outputs i_0, i_1, m for the challenge group signature. We produce the certified signatures σ_0 and σ_1 of users i_0 and i_1 on Hash(vk^*_{sots}) and submit them as the challenge messages, obtaining y^* which encrypts σ_b. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities differ for b = 0 and b = 1, then we can distinguish whether y^* encrypts σ_0 or σ_1. But by the stag-ind-cca security, the probabilities for b = 0 and b = 1 are indistinguishable.
Lemma 2. The group signature scheme is traceable if the q-U-2a assumption holds.
Proof. We have to show that valid signatures lead to the provable identification of the signer. Formally:
\[
\begin{aligned}
\Pr\big[\, & (gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*) \leftarrow \mathcal{A}^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok);\ (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, Reg, m^*, \Sigma^*) : \\
& \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \ \wedge\ \big(\mathrm{Judge}(gpk, i, Reg[i], m^*, \Sigma^*, \sigma) = 0 \ \vee\ i = 0\big)\,\big] \approx 0.
\end{aligned}
\]
By the soundness of the NIWI proof, a valid group signature Σ implies that there is a valid certified signature on Hash(vk_sots). Using the extraction key xk for the NIWI, we can extract the signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the v_i issued by the issuer. This leads us to the user i who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted certified signature σ is indeed a signature on Hash(vk_sots) under the verification key v_i. This implies that Judge will output 1.
Lemma 3. The group signature scheme has non-frameability under the q-SDH assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.
Proof. We have to show that no member can be framed for making a signature they did not make. Formally:
\[
\begin{aligned}
\Pr\big[\, & (gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) : \\
& \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \ \wedge\ \mathrm{Judge}(gpk, i^*, Reg[i^*], m^*, \Sigma^*, \sigma^*) = 1 \ \wedge\ i^* \in HU \ \wedge\ (m^*, \Sigma^*) \notin GSet\,\big] \approx 0.
\end{aligned}
\]
By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that A produces a group signature reusing one of the vk_sots generated by GSig. The collision-resistance of the hash function implies that there is a negligible probability that Hash(vk^*_{sots}) collides with Hash(vk_sots) for any vk_sots used by the GSig oracle. We can therefore assume that any attempt to frame a user requires producing a certified signature on a value Hash(vk^*_{sots}) that the user has not previously signed.
Let n(k) be a polynomial upper bound on the number of AddU queries made. We have at least a 1/n(k) chance of guessing the identity of the user that A will attempt to frame. However, for each honest user the probability that A can produce a valid σ on Hash(vk^*_{sots}) is negligible, by the existential unforgeability of the Boneh-Boyen signature scheme against weak chosen message attack.
Theorem 5. The group signature scheme has perfect correctness and has anonymity, traceability and non-frameability under the DLIN, q-SDH and q-U-2a assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.
Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. Anonymity, traceability and non-frameability follow from Lemmas 1, 2 and 3.
6.2 Scheme 2
When working in asymmetric bilinear groups, one needs to be cognisant of the fact that elements in G_1 are much larger than elements in G_2. Thus when working towards efficiency, it is paramount not only to use a minimum of group elements, but also a minimum of elements in G_1. We observe that the certified signature scheme can in effect be reversed, that is, all elements in G_1 moved to G_2 and vice versa. We detail the resulting scheme below.
6.2.1 Components
We begin by changing the certified signature scheme from Scheme 1. The new scheme is given in Figure 6.4.
We observe that when we translate this scheme into the generic group model, the results come out similarly. We need to prove a new assumption, a minor variation of the q-U-2a assumption, which we call the q-U-2b assumption.
Theorem 6. The q-U-2b assumption holds in the generic group model.
Setup(1^k)
  gk = (p, G_1, G_2, G_T, e, g_1, g_2, ψ) ← G(1^k)
  Return gk

CertKey(gk)
  f ∈_R G_2;  h, z ∈_R G_1
  T = e(z, f)
  Return (ak, ck) = ((gk, f, h, T), (ak, z))

⟨User(gk, ak), Issuer(gk, ck)⟩
  ⟨User(gk), Issuer(gk)⟩ → (x, v)
  r ∈_R Z_p
  a = f^{−r}
  b = (v h)^r z
  vk = v, sk = x, cert = (a, b)
  User output: (vk, sk, cert)
  Issuer output: (vk, cert)

Sign_sk(m)
  If x = −m return ⊥
  Else return σ = g_2^{1/(x+m)}

Ver(gk, ak, vk, cert, m, σ)
  Return 1 if
    e(v h, a) e(b, f) = T
    e(v g_1^m, σ) = e(g_1, g_2)
  Else return 0

Figure 6.4: The Modified Type-2 Certified Signature Scheme
The proof of the q-U-2b assumption is similar to the proof for the q-U-2a assumption and is given in Appendix B.1.
Theorem 7. The scheme in Figure 6.4 is a certified signature scheme with perfect correctness, which is unfakeable under the q-U-2b assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.
Proof. Perfect correctness follows from the perfect correctness of the key generation protocol; we use the same protocol as in [Gro07]. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{−δ} of forging a signature under a key that has not been certified, that is:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] > 2k^{-\delta}.
\]
Let q(k) be a polynomial upper bound on the number of queries A can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most 1/(q(k) k^{δ}) per query, i.e. at most k^{−δ} in total. This allows us to pick x_1, …, x_{q(k)} in advance when simulating this protocol, thus assigning user i the signing key x_i. We call this modified oracle SimKeyReg, which gives us
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p;\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1\big] > k^{-\delta}.
\]
With this modified oracle, A only sees certificates on v_i = g_1^{x_i}, which are of the form a_i = f^{−r_i}, b_i = h^{r_i} g_1^{x_i r_i} z, for 1 ≤ i ≤ q(k). It follows directly from the q-U-2b assumption that this probability is negligible, which gives a contradiction. Therefore we conclude that the scheme is unfakeable.
We now show existential unforgeability. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{−δ} of forging a signature under weak chosen message attack, giving us:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1) \rangle;\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1\big] > 2k^{-\delta}.
\]
Part of the key generation is an interactive protocol, in which it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error of this simulation can be set to not exceed k^{−δ}, giving us:
\[
\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ x \in_R \mathbb{Z}_p,\ v = g_1^{x};\ (g_1^{u}, St_2) \leftarrow S_I^{\mathcal{A}(St_1)};\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1\big] > k^{-\delta},
\]
where u ∈ {⊥, x}. We are now in a situation where v is an honestly chosen Boneh-Boyen verification key and A only has access to a weak chosen message attack. For a signature made by A to be valid, we must have g_1^{u} ≠ ⊥, and therefore v = g_1^{u}. We also have a valid Boneh-Boyen signature inside the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08], so the probability above must be negligible. This gives a contradiction, and we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.
We can no longer directly encrypt the signature σ using Kiltz' scheme, as σ ∈ G_2 and the cryptosystem requires a plaintext in G_1. To address this we use the homomorphism ψ and commit to ψ(σ). If we look at the second verification equation, we have $e(v g_1^m, \sigma) = e(g_1, g_2)$. We also observe that $e(v g_1^m \psi(\sigma), g_2) = e(g_1, g_2)$. We use this equation in the NIWI and commit to the value ψ(σ).

In the NIZK we also commit to ψ(σ) and encrypt it using Kiltz' scheme. This way the equations involved in the NIZK remain the same and we can proceed as before. However, now that we have ψ(σ) in the NIWI, the opener returns (i, ψ(σ)) rather than (i, σ). This is still sufficient to identify the signer, as we have the identity i and can verify using ψ(σ).
6.2.2 The Scheme

We now describe the modified scheme in full in Figure 6.5, and then prove its correctness and security.

Lemma 4. The group signature scheme is anonymous under the DLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.
Setup(1^k):
  gk ← G(1^k); Hash ← H(1^k)
  ((f, h, T), z) ← CertKey(gk)
  (crs, xk) ← K_NI(gk); K, L ∈_R G_2
  Parse crs as (F, H, the rest); pk = (F, H, K, L)
  gpk = (gk, Hash, f, h, T, crs, pk); ik = z; ok = xk
  Return (gpk, ik, ok)

Join/Issue(User_i: gpk; Issuer: gpk, ik):
  ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
  User: if e(h v_i, a_i) e(b_i, f) = T, set Reg[i] = v_i and SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m):
  (vk_sots, sk_sots) ← KeyGen_sots(1^k), repeated until Hash(vk_sots) ≠ −x_i
  ρ ∈_R Z_p; a = a_i f^{−ρ}; b = b_i (h v_i)^ρ
  σ = g_2^{1/(x_i + Hash(vk_sots))}
  π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, ψ(σ)))
  y = Enc_pk(Hash(vk_sots), ψ(σ))
  χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
  σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
  Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ):
  Return 1 if all of the following return 1, else return 0:
    Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
    V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
    V_NIZK(crs, (gpk, π, y), χ)
    VerEnc(pk, Hash(vk_sots), y)

Open(gpk, ok, m, Σ):
  (b, v, ψ(σ)) ← X_xk(crs, (gpk, a, Hash(vk_sots)), π)
  If there is an i such that v = v_i, return (i, ψ(σ)); else return (0, ψ(σ))

Judge(gpk, i, Reg[i], m, Σ, ψ(σ)):
  If i ≠ 0 ∧ e(v_i g_1^{Hash(vk_sots)} ψ(σ), g_2) = e(g_1, g_2), return 1; else return 0

Figure 6.5: The Modified Type 2 Group Signature Scheme
Proof. Consider the probability

$\Pr[(gpk, ik, ok) \leftarrow G(1^k) :\ A^{\mathrm{Ch}_b, \mathrm{Open}, \mathrm{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1]$

from the definition of anonymity [BSZ05]. For our scheme to be anonymous, we require that the probabilities for b = 0 and b = 1 differ negligibly.

We begin by modifying the game so that we abort if the one-time verification key $vk^*_{sots}$ of the challenge group signature is reused in a valid group signature submitted to the Open(·) oracle. By the strong existential unforgeability of the one-time signature, the probability that we abort for this reason is negligible. Thus we can now assume that $vk^*_{sots}$ is not used in any valid query to Open(·).
We also abort if there is a collision with Hash($vk^*_{sots}$). The collision-resistance of the hash function implies that the probability of this is negligible, so we assume from now on that no such collision occurs.

We now modify how we generate the public key of the cryptosystem. We pick $\kappa, \lambda \in_R \mathbb{Z}_p$, set $K = g_2^\kappa$, $L = g_2^\lambda$, and store κ and λ. Whenever Open receives a valid group signature, we use κ, λ to decrypt the tag-based ciphertext. By the tag-based validity checks and the perfect soundness of the NIZK proof χ, this gives us the same ψ(σ) as would be extracted from the NIWI proof π. We now check whether Reg contains an i for which the Judge equation of Figure 6.5 is satisfied by $v_i$ and ψ(σ). If so, we return (i, ψ(σ)). This equation determines $v_i$, so we obtain the same $v_i$ as we would by running the extractor on the NIWI proof π. If there is no such $v_i$, we return (0, ψ(σ)) and accuse the issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change with the value of b.
Due to our changes to the Open oracle, we no longer need xk. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that A outputs 1. Perfect witness-indistinguishability implies that A gains no information about which identity, and therefore which secret key, was used to create the group signature.

This leaves the ciphertext y. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for b = 1 and b = 0 differ negligibly. We use the group signature adversary to construct an adversary against the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is pk = (gk, F, H, K, L). Using gk, F, H we construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge; this simulated crs has a trapdoor key tk consisting of the discrete logarithms of its remaining elements with respect to $g_1, g_2, F, H$. From pk we build a valid group public key gpk, and we can emulate the oracles CrptU, SndToI, AddU and USK. Whenever we receive a valid query to Open, it contains a ciphertext y whose tag is never Hash($vk^*_{sots}$), so we can use the alternative decryption from the security proof of the cryptosystem, which gives us ψ(σ).

We now construct a challenge group signature from a challenge ciphertext. We first pick $(vk^*_{sots}, sk^*_{sots})$ and use Hash($vk^*_{sots}$) as the challenge tag $t^*$; these are chosen independently of pk. We then obtain pk from the stag-ind-cca challenger and run the group signature game as described above. A outputs $i_0, i_1, m$ for the challenge group signature. We produce the certified signatures $\sigma_0, \sigma_1$ of users $i_0, i_1$ on Hash($vk^*_{sots}$), submit them as the challenge messages and receive $y^*$, an encryption of $\sigma_b$. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities differ for b = 0 and b = 1, then we can distinguish whether $y^*$ encrypts $\sigma_0$ or $\sigma_1$. But by the stag-ind-cca security, the probabilities for b = 0 and b = 1 are indistinguishable.
Lemma 5. The group signature scheme is traceable if the q-U-2b assumption holds.

Proof. We have to show that a valid signature leads to a provable identification of the signer. Formally:

$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*) \leftarrow A^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok);\ (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, Reg, m^*, \Sigma^*) :\ \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge (\mathrm{Judge}(gpk, i, Reg[i], m^*, \Sigma^*, \sigma) = 0 \vee i = 0)] \approx 0.$

By the perfect soundness of the NIWI proof, a valid group signature Σ implies that there is a valid certified signature on Hash($vk_{sots}$). Using the extraction key xk of the NIWI, we can extract this signature. By the unfakeability of the certified signature scheme, the certified signature was made under one of the $v_i$'s issued by the issuer, which leads us to the user i who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted certified signature is indeed a signature on Hash($vk_{sots}$) under the verification key $v_i$. This implies that Judge will output 1.
Lemma 6. The group signature scheme has non-frameability under the q-SDH assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. We have to show that no member can be framed for a signature they did not make. Formally:

$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow A^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) :\ \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge \mathrm{Judge}(gpk, i^*, Reg[i^*], m^*, \Sigma^*, \sigma^*) = 1 \wedge i^* \in HU \wedge (m^*, \Sigma^*) \notin GSet] \approx 0.$

By the strong unforgeability of the one-time signature scheme, there is a negligible probability that A produces a group signature reusing one of the $vk_{sots}$ output by GSig. The collision-resistance of the hash function implies that there is a negligible probability that Hash($vk^*_{sots}$) collides with the hash of any $vk_{sots}$ used by the GSig oracle. We can therefore assume that any attempt to frame a user requires producing a certified signature on a value Hash($vk^*_{sots}$) that the user has not previously signed.

Let n(k) be a polynomial upper bound on the number of AddU queries made. We have at least a 1/n(k) chance of guessing the honest user that A will attempt to frame. For that user, the probability that A can produce a valid σ on Hash($vk^*_{sots}$) is negligible by the existential unforgeability of the Boneh-Boyen signature scheme against weak chosen message attack, which holds under the q-SDH assumption [BB08]. Hence the probability of a successful framing is negligible.
Theorem 8. The group signature scheme has perfect correctness, and has anonymity, traceability and non-frameability under the DLIN, q-SDH and q-U-2b assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. Anonymity, traceability and non-frameability follow from Lemmas 4, 5 and 6.
6.3 Scheme 3

Upon further observation, we note that it is possible to move Scheme 1 to a Type 3 group without any changes. This gives us the advantage of being able to use the SXDH instantiation of the Groth-Sahai proof system [GS08], which is more efficient than the SXDLIN instantiation, or indeed the DDH/DLIN instantiation. We mention this scheme only because it forms the starting point for Scheme 4. For completeness, Scheme 3 is given in Appendix C.
6.4 Scheme 4

As with Scheme 2, we flip the certified signature scheme, but this time we also flip the tag-based encryption scheme. Had we done so in the Type 2 setting, it would have led to the NIZK being in the DLIN group, increasing its size and with it the size of the group signature. As we are now in the SXDH setting, we can flip the scheme without worrying about its size. We now describe the modified Type 3 scheme.
6.4.1 Components

We begin with the certified signature scheme. We will need a variant of the q-U assumption for a Type 3 group, which we call the q-U-3b assumption. We write the description of a Type 3 group as $gk = (p, G_1, G_2, G_T, g_1, g_2, e)$, where p is the prime order of the groups, $g_1$ and $g_2$ are generators of $G_1$ and $G_2$ respectively, and e is the bilinear map. The assumption is stated as follows:

Given a polynomial q and the description gk of a Type 3 group; public elements $f \in_R G_1$, $h \in_R G_2$, $T = e(f, z)$; private element $z \in_R G_2$; and, for $1 \le i \le q(k)$, $x_i, r_i \in_R \mathbb{Z}_p$, $a_i = f^{-r_i}$, $b_i = h^{r_i} g_2^{x_i r_i} z$:
find $(V, A, B, m, S)$ such that $V \notin \{g_2^{x_1}, g_2^{x_2}, \ldots, g_2^{x_{q(k)}}\}$, $e(A, hV)\,e(f, B) = T$ and $e(S, V g_2^m) = e(g_1, g_2)$.

Theorem 9. The q-U-3b assumption holds in the generic group model.

We prove the assumption in the generic group model as before, but without the homomorphism. The proof is similar to that of the q-U-2b assumption and is given in Appendix B.3.
Setup(1^k):
  gk = (p, G_1, G_2, G_T, e, g_1, g_2) ← G(1^k)
  Return gk

CertKey(gk):
  f ∈_R G_1; h, z ∈_R G_2
  T = e(f, z)
  Return (ak, ck) = ((gk, f, h, T), (ak, z))

⟨User(gk, ak), Issuer(gk, ck)⟩:
  ⟨User(gk), Issuer(gk)⟩ → (x, v), with v = g_2^x
  Issuer: r ∈_R Z_p; a = f^{−r}; b = (v h)^r z
  vk = v, sk = x, cert = (a, b)
  User output: (vk, sk, cert)
  Issuer output: (vk, cert)

Sign_sk(m):
  If x = −m return ⊥
  Else return σ = g_1^{1/(x+m)}

Ver(gk, ak, vk, cert, m, σ):
  Return 1 if
    e(a, v h) e(f, b) = T
    e(σ, v g_2^m) = e(g_1, g_2)
  Else return 0

Figure 6.6: The Modified Type-3 Certified Signature Scheme
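The following Python script is an added example and not code from the dissertation. It instantiates the certified signature scheme of Figure 6.6 in a toy Type-3 bilinear group in which every element of G_1, G_2 and G_T is stored as its discrete logarithm to the fixed generator, so the group operation is addition and the pairing is multiplication modulo p. In that representation discrete logarithms are trivial and the code gives no security at all; its only purpose is to exercise the algebra of CertKey, certificate issuing, the certificate re-randomisation a = a_i f^{−ρ}, b = b_i (h v_i)^ρ that Sign in Figure 6.8 performs, Boneh-Boyen signing with the x = −m check, and both verification equations, and to confirm that a certificate produced without the issuer's z is rejected. The function names and the prime 2^61 − 1 are assumptions of the example.

```python
"""Toy model of the Type-3 certified signature scheme (Figure 6.6).

Elements of G1, G2 and GT are stored as their discrete logarithms to the
fixed generators g1, g2 and e(g1, g2), so the bilinear map is multiplication
mod p. DLOG is trivial in this model: it checks the algebra only and gives
NO security. (Assumed representation for this example.)
"""
import secrets
from dataclasses import dataclass

P = 2**61 - 1  # prime order of G1, G2 and GT (assumption of this example)


def rand_exp():
    """Uniform element of Z_p^*."""
    return secrets.randbelow(P - 1) + 1


# Group operations in the exponent representation.
def gmul(a, b): return (a + b) % P   # g^a * g^b
def gexp(a, k): return (a * k) % P   # (g^a)^k
def pair(a, b): return (a * b) % P   # e(g1^a, g2^b) = e(g1, g2)^(ab)
G1, G2 = 1, 1                         # the generators g1 and g2


@dataclass(frozen=True)
class AuthKey:
    """ak = (f, h, T) with f in G1, h in G2 and T = e(f, z) in GT."""
    f: int
    h: int
    T: int


def cert_key():
    """CertKey(gk): f in G1, h, z in G2, T = e(f, z). Returns (ak, ck = z)."""
    f, h, z = rand_exp(), rand_exp(), rand_exp()
    return AuthKey(f, h, pair(f, z)), z


def user_key():
    """The user's Boneh-Boyen key pair: x in Z_p and v = g2^x."""
    x = rand_exp()
    return x, gexp(G2, x)


def issue_cert(ak, z, v):
    """Issuer's step: a = f^{-r} in G1, b = (v h)^r z in G2."""
    r = rand_exp()
    return gexp(ak.f, -r), gmul(gexp(gmul(v, ak.h), r), z)


def rerandomise(ak, v, cert):
    """Sign step of Figure 6.8: a' = a f^{-rho}, b' = b (h v)^rho."""
    a, b = cert
    rho = rand_exp()
    return gmul(a, gexp(ak.f, -rho)), gmul(b, gexp(gmul(ak.h, v), rho))


def sign(x, m):
    """sigma = g1^{1/(x+m)}; None stands for the scheme's bot when x = -m."""
    if (x + m) % P == 0:
        return None
    return gexp(G1, pow((x + m) % P, -1, P))


def verify(ak, v, cert, m, sigma):
    """Ver: e(a, v h) e(f, b) = T  and  e(sigma, v g2^m) = e(g1, g2)."""
    if sigma is None:
        return False
    a, b = cert
    cert_ok = gmul(pair(a, gmul(v, ak.h)), pair(ak.f, b)) == ak.T
    sig_ok = pair(sigma, gmul(v, gexp(G2, m))) == pair(G1, G2)
    return cert_ok and sig_ok


def demo():
    """Run the scheme once and report which checks pass."""
    ak, z = cert_key()
    x, v = user_key()
    cert = issue_cert(ak, z, v)
    m = 12345                                    # constructed message
    sigma = sign(x, m)
    fresh = rerandomise(ak, v, cert)             # re-randomised certificate
    x2, v2 = user_key()
    fake_cert = issue_cert(ak, rand_exp(), v2)   # issued without the real z
    return {
        "valid": verify(ak, v, cert, m, sigma),
        "rerandomised_valid": verify(ak, v, fresh, m, sigma),
        "uncertified_key": verify(ak, v2, fake_cert, m, sign(x2, m)),
        "wrong_message": verify(ak, v, cert, m + 1, sigma),
        "degenerate_message": sign(x, (-x) % P) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the dictionary of checks; the re-randomised certificate verifying with the same σ is what lets Sign publish a fresh a in every group signature without linking signatures through the certificate.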
Theorem 10. The scheme described in Figure 6.6 is a certified signature scheme with perfect correctness, is unfakeable under the q-U-3b assumption, and is existentially unforgeable under weak chosen message attack under the q-SDH assumption.
Proof. Perfect correctness follows from the perfect correctness of the key generation protocol, for which we use the same protocol as in [Gro07]. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least $2k^{-\delta}$ of forging a signature under a key that has not been certified, that is:

$\Pr[gk \leftarrow G(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow A^{\mathrm{KeyReg}}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > 2k^{-\delta}.$

Let q(k) be a polynomial upper bound on the number of queries A can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most $k^{-\delta}/q(k)$. This allows us to pick $x_1, \ldots, x_{q(k)}$ in advance and simulate the protocol, assigning the i-th adversarial user the signing key $x_i$. We call this modified oracle SimKeyReg, which gives us

$\Pr[gk \leftarrow G(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p;\ (vk, cert, m, \sigma) \leftarrow A^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > k^{-\delta}.$

With this modified oracle, A only sees certificates on $v_i = g_2^{x_i}$, which are of the form $a_i = f^{-r_i}$, $b_i = h^{r_i} g_2^{x_i r_i} z$ for $1 \le i \le q(k)$. It follows directly from the q-U-3b assumption that this probability is negligible, which gives a contradiction. Therefore we conclude that the scheme is unfakeable.
We now show existential unforgeability. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least $2k^{-\delta}$ of forging a signature on a fresh message under weak chosen message attack, that is:

$\Pr[gk \leftarrow G(1^k);\ (St_1, ak) \leftarrow A(gk);\ ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), A(St_1) \rangle;\ (a', b', m, \sigma) \leftarrow A^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > 2k^{-\delta}.$

Part of the key generation is an interactive protocol, and it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error of this simulation can be set not to exceed $k^{-\delta}$, giving us:

$\Pr[gk \leftarrow G(1^k);\ (St_1, ak) \leftarrow A(gk);\ x \in_R \mathbb{Z}_p,\ v = g_2^x;\ (g_2^u, St_2) \leftarrow S_I^{A(St_1)};\ (a', b', m, \sigma) \leftarrow A^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > k^{-\delta},$

where $S_I$ is the simulator of the issuer's view and $u \in \{\bot, x\}$. We are now in a situation where v is an honestly chosen Boneh-Boyen verification key and A only has access to a weak chosen message attack. For a signature made by A to be valid we must have $g_2^u \neq \bot$, and therefore $v = g_2^u$. We then have a valid Boneh-Boyen signature inside the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack under the q-SDH assumption [BB08], so the probability above must be negligible. This gives a contradiction. Therefore we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.
Again we see that we can no longer encrypt the signature using the tag-based cryptosystem as it stands. As we do not have access to the homomorphism ψ, we simply flip the tag-based system, as we did with the certified signature scheme. We did not do this in Scheme 2, as it would have put the NIZK in the DLIN group and made our group signature larger. Now that we are in an SXDH group, the size of the NIZK is identical in both groups, so we can flip the scheme with no overhead. We now describe the modified tag-based encryption scheme.

We can no longer use DLIN directly, and so introduce a new assumption, a variant of SXDLIN which we call the Symmetric Decision Linear Assumption (SDLIN). We state it in $G_2$ without loss of generality and note that it holds equally in $G_1$:

Given the description gk of a Type 3 group, elements $F, H, F^r, H^s, w_2 \in G_2$ and $w_1 \in G_1$, where $w_i = g_i^t$, decide whether $t = r + s$ or $t \in_R \mathbb{Z}_p$.

We do not present a formal proof of the intractability of this assumption, but we sketch one. The elements $g_2, F, H, F^r, H^s, w_2$ form a valid DLIN tuple, and DLIN is intractable [BB04]. This leaves $g_1, w_1$, which form a discrete logarithm instance. We also see that the only possible way to compare elements in $G_1$ and $G_2$
Setup(1^k):
  Return gk = (p, G_1, G_2, G_T, e, g_1, g_2)

KeyGen(gk):
  φ, η ∈_R Z_p
  F = g_2^φ, H = g_2^η; K, L ∈_R G_1
  Return (pk, sk) = ((gk, F, H, K, L), (φ, η))

Enc_pk(t, M):
  r, s ∈_R Z_p
  y_1 = F^r, y_2 = H^s, y_3 = g_2^{r+s} M, y_4 = (g_1^t K)^r, y_5 = (g_1^t L)^s
  Return C = (y_1, y_2, y_3, y_4, y_5)

Ver(pk, C, t):
  If e(g_1^t K, y_1) = e(y_4, F) ∧ e(g_1^t L, y_2) = e(y_5, H)
    Return 1
  Else return 0

Dec_sk(C, t):
  If Ver(pk, C, t) = 1
    Return M = y_3 · y_1^{−1/φ} · y_2^{−1/η}
  Else return ⊥

Figure 6.7: The Modified Type-3 Tag-Based Encryption Scheme
is by mapping them into $G_T$, and we see that $e(w_1, g_2) = e(g_1, w_2)$. Thus if we can decide whether $t = r + s$ in either group, we can solve SDLIN.
Theorem 11. The scheme described in Figure 6.7 is a tag-based encryption scheme with perfect correctness and selective-tag weak CCA security for a polynomial-sized message space M, under the SDLIN assumption in $G_2$.

Proof. Consider the following game. Adversary A is an SDLIN solver in $G_2$ and adversary B breaks the stag-ind-cca security of the scheme; we show that A can use B to solve SDLIN.

INIT STAGE: A runs $\mathrm{INIT}(1^k) \to (gk, (g_1, g_2, F, H, F^{r^*}, H^{s^*}, w_1, w_2))$ and then calls $B(1^k) \to t^*$.

FIND STAGE: A picks $\kappa, \lambda \in_R \mathbb{Z}_p$ and sets $K = g_1^\kappa$, $L = g_1^\lambda$, which defines $pk = (gk, F, H, K, L)$. For any valid ciphertext C encrypted under a tag $t \neq t^*$ we have $y_4 = (g_1^t K)^r = (g_1^{t+\kappa})^r = (g_1^r)^{t+\kappa}$, so $y_4^{1/(t+\kappa)} = g_1^r$. By the same argument $y_5^{1/(t+\lambda)} = g_1^s$, and from these we obtain $g_1^{r+s}$. Writing $M = g_2^\mu$, we have $e(g_1, y_3) = e(g_1, g_2^{r+s} g_2^\mu) = e(g_1, g_2^{r+s+\mu}) = e(g_1, g_2^{r+s})\,e(g_1, g_2^\mu)$. Using these relationships we construct our decryption oracle:

$$\frac{e(g_1, y_3)}{e\big(y_4^{1/(t+\kappa)}\, y_5^{1/(t+\lambda)},\ g_2\big)} = \frac{e(g_1, g_2)^{r+s}\, e(g_1, M)}{e(g_1, g_2)^{r+s}} = e(g_1, M).$$

Because the message space M is polynomial in size, we can find M in polynomial time and thus answer decryption queries.
GUESS STAGE: B returns two different messages $M_0, M_1$ of equal length. A selects $b \in_R \{0, 1\}$ and generates the challenge ciphertext $C^* = (F^{r^*}, H^{s^*}, w_2 M_b, (g_1^{t^*} K)^{r^*}, (g_1^{t^*} L)^{s^*})$. B is then given $C^*$, and we answer its decryption queries as before. After making its queries, B outputs $b' \in \{0, 1\}$. If $b' = b$, we take $C^*$ to be a valid ciphertext, so $w_2 = g_2^{r^* + s^*}$, and A outputs 1; otherwise A outputs 0.
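The following Python script is an added example, not code from the dissertation, in the same toy exponent representation of a Type-3 group (elements stored as their discrete logarithms, so it offers no security and only checks the algebra). It runs KeyGen, Enc, Ver and Dec of Figure 6.7, and also the reduction's alternative decryption from the proof of Theorem 11, which knows κ, λ with K = g_1^κ, L = g_1^λ instead of φ, η, recovers g_1^r and g_1^s from y_4 and y_5, and then finds M by scanning a polynomial-size message space. It also checks two properties a practitioner should keep in mind: a ciphertext presented under a different tag fails Ver, while Ver does not bind y_3, so under the same tag y_3 can be multiplied by a group element and the result still decrypts. That same-tag malleability is permitted by selective-tag weak CCA security; in the group signature it is excluded because the strong one-time signature covers (vk_sots, m, a, π, y, χ) and the tag is Hash(vk_sots). The function names and the prime 2^61 − 1 are assumptions of the example.

```python
"""Toy model of the Type-3 tag-based encryption scheme of Figure 6.7.

Elements of G1, G2 and GT are stored as their discrete logarithms to the
fixed generators g1, g2 and e(g1, g2), so the bilinear map is multiplication
mod p. DLOG is trivial in this model: it checks the algebra only and gives
NO security. (Assumed representation for this example.)
"""
import secrets

P = 2**61 - 1  # prime group order (assumption of this example)


def rand_exp():
    """Uniform element of Z_p^*."""
    return secrets.randbelow(P - 1) + 1


def gmul(a, b): return (a + b) % P   # g^a * g^b
def gexp(a, k): return (a * k) % P   # (g^a)^k
def pair(a, b): return (a * b) % P   # e(g1^a, g2^b) = e(g1, g2)^(ab)
G1, G2 = 1, 1                         # the generators g1 and g2


def keygen():
    """KeyGen: F = g2^phi, H = g2^eta in G2; K = g1^kappa, L = g1^lambda in G1.

    Returns pk, sk = (phi, eta) and (kappa, lambda), the exponents of K and L
    that only the reduction in the proof of Theorem 11 is assumed to know.
    """
    phi, eta, kappa, lam = rand_exp(), rand_exp(), rand_exp(), rand_exp()
    pk = {"F": gexp(G2, phi), "H": gexp(G2, eta),
          "K": gexp(G1, kappa), "L": gexp(G1, lam)}
    return pk, (phi, eta), (kappa, lam)


def encrypt(pk, t, M):
    """Enc_pk(t, M) for a plaintext M in G2 and a tag t in Z_p."""
    r, s = rand_exp(), rand_exp()
    g1_t = gexp(G1, t)
    return (gexp(pk["F"], r),                  # y1 = F^r
            gexp(pk["H"], s),                  # y2 = H^s
            gmul(gexp(G2, r + s), M),          # y3 = g2^{r+s} M
            gexp(gmul(g1_t, pk["K"]), r),      # y4 = (g1^t K)^r
            gexp(gmul(g1_t, pk["L"]), s))      # y5 = (g1^t L)^s


def ver(pk, C, t):
    """Public check: e(g1^t K, y1) = e(y4, F) and e(g1^t L, y2) = e(y5, H)."""
    y1, y2, _, y4, y5 = C
    g1_t = gexp(G1, t)
    return (pair(gmul(g1_t, pk["K"]), y1) == pair(y4, pk["F"]) and
            pair(gmul(g1_t, pk["L"]), y2) == pair(y5, pk["H"]))


def decrypt(pk, sk, C, t):
    """Dec_sk(C, t): bot (None) if Ver fails, else y3 y1^{-1/phi} y2^{-1/eta}."""
    if not ver(pk, C, t):
        return None
    phi, eta = sk
    y1, y2, y3, _, _ = C
    return gmul(y3, gmul(gexp(y1, -pow(phi, -1, P)), gexp(y2, -pow(eta, -1, P))))


def alt_decrypt(pk, kappa, lam, C, t, message_space):
    """Reduction's decryption oracle from the proof of Theorem 11 (no phi, eta).

    y4^{1/(t+kappa)} = g1^r and y5^{1/(t+lambda)} = g1^s, so
    e(g1, y3) / e(g1^{r+s}, g2) = e(g1, M); M is found by scanning the
    polynomial-size message space.
    """
    if not ver(pk, C, t) or (t + kappa) % P == 0 or (t + lam) % P == 0:
        return None
    _, _, y3, y4, y5 = C
    g1_r = gexp(y4, pow((t + kappa) % P, -1, P))
    g1_s = gexp(y5, pow((t + lam) % P, -1, P))
    e_g1_M = gmul(pair(G1, y3), -pair(gmul(g1_r, g1_s), G2))  # division in GT
    for M in message_space:
        if pair(G1, M) == e_g1_M:
            return M
    return None


def demo():
    """Run the scheme once and report which checks pass."""
    pk, sk, (kappa, lam) = keygen()
    space = [gexp(G2, i) for i in range(1, 33)]        # constructed message space
    M, t = space[17], 4242                              # constructed plaintext, tag
    C = encrypt(pk, t, M)
    mauled = (C[0], C[1], gmul(C[2], G2), C[3], C[4])   # y3 * g2 under the same tag
    return {
        "decrypts": decrypt(pk, sk, C, t) == M,
        "alt_decrypts": alt_decrypt(pk, kappa, lam, C, t, space) == M,
        "other_tag_rejected": decrypt(pk, sk, C, t + 1) is None,
        "same_tag_mauled_accepted": decrypt(pk, sk, mauled, t) == gmul(M, G2),
    }


if __name__ == "__main__":
    print(demo())
```

The alternative decryption needs t + κ ≠ 0 and t + λ ≠ 0; in the reduction these are the tags of decryption queries, which differ from the challenge tag t*, which is why the proof is for selective-tag rather than full CCA security.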
As stated before, we use the SXDH instantiation of the Groth-Sahai proof system [GS08]. Again, no changes are made to the requirements on the hash function.
6.4.2 The Scheme

Having now described all the cryptographic primitives needed, we proceed to detail our scheme in Figure 6.8, and then prove its correctness and security.

Lemma 7. The group signature scheme is anonymous under the SDLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.
Proof. Consider the probability

$\Pr[(gpk, ik, ok) \leftarrow G(1^k) :\ A^{\mathrm{Ch}_b, \mathrm{Open}, \mathrm{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1]$

from the definition of anonymity [BSZ05]. For our scheme to be anonymous, we require that the probabilities for b = 0 and b = 1 differ negligibly.

We begin by modifying the game so that we abort if the one-time verification key $vk^*_{sots}$ of the challenge group signature is reused in a valid group signature submitted to the Open(·) oracle. By the strong existential unforgeability of the one-time signature, the probability that we abort for this reason is negligible. Thus we can now assume that $vk^*_{sots}$ is not used in any valid query to Open(·).

We also abort if there is a collision with Hash($vk^*_{sots}$). The collision-resistance of the hash function implies that the probability of this is negligible, so we assume from now on that no such collision occurs.

We now modify how we generate the public key of the cryptosystem. We pick $\kappa, \lambda \in_R \mathbb{Z}_p$, set $K = g_1^\kappa$, $L = g_1^\lambda$, and store κ and λ. Whenever Open receives a valid group signature, we use κ, λ to decrypt the tag-based ciphertext. By the tag-based validity checks and the perfect soundness of the NIZK proof χ, this gives us the same signature σ as would be extracted from the NIWI proof π. We now check whether Reg contains an i such that $e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2)$. If so, we return (i, σ). This equation determines $v_i$, so we obtain the same $v_i$ as we would by running the extractor on the NIWI proof π. If there is no such $v_i$, we return (0, σ) and accuse the issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change with the value of b.
Setup(1^k):
  gk ← G(1^k); Hash ← H(1^k)
  ((f, h, T), z) ← CertKey(gk)
  (crs, xk) ← K_NI(gk); K, L ∈_R G_1
  Parse crs as (F, H, the rest); pk = (F, H, K, L)
  gpk = (gk, Hash, f, h, T, crs, pk); ik = z; ok = xk
  Return (gpk, ik, ok)

Join/Issue(User_i: gpk; Issuer: gpk, ik):
  ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
  User: if e(a_i, h v_i) e(f, b_i) = T, set Reg[i] = v_i and SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m):
  (vk_sots, sk_sots) ← KeyGen_sots(1^k), repeated until Hash(vk_sots) ≠ −x_i
  ρ ∈_R Z_p; a = a_i f^{−ρ}; b = b_i (h v_i)^ρ
  σ = g_1^{1/(x_i + Hash(vk_sots))}
  π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, σ))
  y = Enc_pk(Hash(vk_sots), σ)
  χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
  σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
  Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ):
  Return 1 if all of the following return 1, else return 0:
    Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
    V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
    V_NIZK(crs, (gpk, π, y), χ)
    VerEnc(pk, Hash(vk_sots), y)

Open(gpk, ok, m, Σ):
  (b, v, σ) ← X_xk(crs, (gpk, a, Hash(vk_sots)), π)
  If there is an i such that v = v_i, return (i, σ); else return (0, σ)

Judge(gpk, i, Reg[i], m, Σ, σ):
  If i ≠ 0 ∧ e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2), return 1; else return 0

Figure 6.8: The Modified Type-3 Group Signature Scheme
Due to our changes to the Open oracle, we no longer need xk. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that A outputs 1. Perfect witness-indistinguishability implies that A gains no information about which identity, and therefore which secret key, was used to create the group signature.

This leaves the ciphertext y. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for b = 1 and b = 0 differ negligibly. We use the group signature adversary to construct an adversary against the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is pk = (gk, F, H, K, L). Using gk, F, H we construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge; this simulated crs has a trapdoor key tk consisting of the discrete logarithms of its remaining elements with respect to $g_1, g_2, F, H$. From pk we build a valid group public key gpk, and we can emulate the oracles CrptU, SndToI, AddU and USK. Whenever we receive a valid query to Open, it contains a ciphertext y whose tag is never Hash($vk^*_{sots}$), so we can use the alternative decryption from the proof of Theorem 11, which gives us σ.

We now construct a challenge group signature from a challenge ciphertext. We first pick $(vk^*_{sots}, sk^*_{sots})$ and use Hash($vk^*_{sots}$) as the challenge tag $t^*$; these are chosen independently of pk. We then obtain pk from the stag-ind-cca challenger and run the group signature game as described above. A outputs $i_0, i_1, m$ for the challenge group signature. We produce the certified signatures $\sigma_0, \sigma_1$ of users $i_0, i_1$ on Hash($vk^*_{sots}$), submit them as the challenge messages and receive $y^*$, an encryption of $\sigma_b$. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities differ for b = 0 and b = 1, then we can distinguish whether $y^*$ encrypts $\sigma_0$ or $\sigma_1$. But by the stag-ind-cca security, the probabilities for b = 0 and b = 1 are indistinguishable.
Lemma 8. The group signature scheme is traceable if the q-U-3b assumption holds.

Proof. We have to show that a valid signature leads to a provable identification of the signer. Formally:

$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*) \leftarrow A^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok);\ (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, Reg, m^*, \Sigma^*) :\ \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge (\mathrm{Judge}(gpk, i, Reg[i], m^*, \Sigma^*, \sigma) = 0 \vee i = 0)] \approx 0.$

By the perfect soundness of the NIWI proof, a valid group signature Σ implies that there is a valid certified signature on Hash($vk_{sots}$). Using the extraction key xk of the NIWI, we can extract this signature. By the unfakeability of the certified signature scheme, the certified signature was made under one of the $v_i$'s issued by the issuer, which leads us to the user i who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted certified signature is indeed a signature on Hash($vk_{sots}$) under the verification key $v_i$. This implies that Judge will output 1.
Lemma 9. The group signature scheme has non-frameability under the q-SDH assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. We have to show that no member can be framed for a signature they did not make. Formally:

$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow A^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) :\ \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge \mathrm{Judge}(gpk, i^*, Reg[i^*], m^*, \Sigma^*, \sigma^*) = 1 \wedge i^* \in HU \wedge (m^*, \Sigma^*) \notin GSet] \approx 0.$

By the strong unforgeability of the one-time signature scheme, there is a negligible probability that A produces a group signature reusing one of the $vk_{sots}$ output by GSig. The collision-resistance of the hash function implies that there is a negligible probability that Hash($vk^*_{sots}$) collides with the hash of any $vk_{sots}$ used by the GSig oracle. We can therefore assume that any attempt to frame a user requires producing a certified signature on a value Hash($vk^*_{sots}$) that the user has not previously signed.

Let n(k) be a polynomial upper bound on the number of AddU queries made. We have at least a 1/n(k) chance of guessing the honest user that A will attempt to frame. For that user, the probability that A can produce a valid σ on Hash($vk^*_{sots}$) is negligible by the existential unforgeability of the Boneh-Boyen signature scheme against weak chosen message attack, which holds under the q-SDH assumption [BB08]. Hence the probability of a successful framing is negligible.
Theorem 12. The group signature scheme has perfect correctness, and has anonymity, traceability and non-frameability under the SDLIN, q-SDH and q-U-3b assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. Anonymity, traceability and non-frameability follow from Lemmas 7, 8 and 9.
Chapter 7
Conclusions & Future Work

7.1 Conclusions

We now comment on the efficiency of our schemes. In terms of computational efficiency, our schemes are identical to the Groth group signature scheme [Gro07]. In terms of the size of the group signatures, however, our schemes are more efficient. Table 7.1 summarises the sizes of the group signatures, counted in group elements.
Component    [Gro07]   Scheme 1     Scheme 2     Scheme 3     Scheme 4
                G      G1    G2     G1    G2     G1    G2     G1    G2
NIWI           27      10    18     12    15     10    12     12    10
NIZK           15       9     0      9     0      9     0      0     9
y               5       3     2      3     2      3     2      2     3
a               1       1     0      0     1      1     0      1     0
vk_sots         1       0     1      1     0      0     1      1     0
σ_sots          1       1     0      0     1      1     0      0     1
Subtotals      50      24    21     25    19     24    15     16    23
Total          50         45           44           39           39

Table 7.1: Comparative sizes of the schemes (number of group elements)
Groth [Gro07] pointed out that if we only require CPA-anonymity, we can do away with the ciphertext and the NIZK. Furthermore, we can simply sign Hash(m) and do away with the strong one-time signature. The same is true of our schemes, as summarised in Table 7.2.
Component    [Gro07]   Scheme 1     Scheme 2     Scheme 3
                G      G1    G2     G1    G2     G1    G2
NIWI           27      10    18     12    15     10    12
a               1       1     0      0     1      1     0
Subtotals      28      11    18     12    16     11    12
Total          28         29           28           23

Table 7.2: Comparative sizes of the CPA-anonymous schemes (number of group elements)
7.2 Future Work

7.2.1 Further Efficiency Improvements
Future work continuing the ideas presented here would be to find a scheme with even smaller signatures at the same level of security. We posit that the most apparent way to do this would be to find more efficient primitives. It is conceivable that there exists a publicly verifiable tag-based encryption scheme which requires fewer elements than the one we employ. We also believe that it may be possible to find a certified signature scheme which can be expressed in fewer PPEs, or even as MSMEs. Both of these developments would potentially reduce the size of the NIWI and NIZK proofs.

On a small tangent, it is also possible to improve the efficiency of our schemes by using NIWI and NIZK systems based on other intractability assumptions. Groth and Sahai put forward some possible ways of doing this in [GS08]. Alternatively, a whole new proof system may come to light which costs fewer elements to prove our equations.
7.2.2 Revocation

An interesting question we have not addressed is revocation. It may come to pass that a group member's signing key needs to be revoked, for any of a number of reasons. Two research questions arise here: formalisations and methods. Although there are formalisations for both static groups [BMW03] and groups with growing membership [BSZ05], we put forward the question of whether there can be such a formalisation for shrinking membership, or indeed fully dynamic groups. Such a formalisation would define new attack scenarios and the properties we require for a group signature scheme to be deemed to have a revocation property.

With or without such a formalisation, another open problem is efficient revocation in any group signature scheme. It remains to be seen whether there is an efficient way to revoke the signing keys of group members. Issuing a revocation list implies that signatures grow linearly in the number of revoked members. We put forward that it may be possible to have constant size group signatures with revocation.
Bibliography

[ACHdM05] Giuseppe Ateniese, Jan Camenisch, Susan Hohenberger, and Breno de Medeiros. Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385, 2005. http://eprint.iacr.org/.
[ACJT00] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Mihir Bellare, editor, CRYPTO, volume 1880 of Lecture Notes in Computer Science, pages 255–270. Springer, 2000.
[AST02] Giuseppe Ateniese, Dawn Xiaodong Song, and Gene Tsudik. Quasi-efficient revocation in group signatures. In Matt Blaze, editor, Financial Cryptography, volume 2357 of Lecture Notes in Computer Science, pages 183–197. Springer, 2002.
[AT99] Giuseppe Ateniese and Gene Tsudik. Some open issues and new directions in group signatures. In Matthew K. Franklin, editor, Financial Cryptography, volume 1648 of Lecture Notes in Computer Science, pages 196–211. Springer, 1999.
[BB04] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004.
[BB08] Dan Boneh and Xavier Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008.
[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Franklin [Fra04], pages 41–55.
[Bih03] Eli Biham, editor. Advances in Cryptology - EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4-8, 2003, Proceedings, volume 2656 of Lecture Notes in Computer Science. Springer, 2003.
[BMW03] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Biham [Bih03], pages 614–629.
[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM Conference on Computer and Communications Security, pages 62–73, 1993.
[BS01] Emmanuel Bresson and Jacques Stern. Efficient revocation in group signatures. In Kwangjo Kim, editor, Public Key Cryptography, volume 1992 of Lecture Notes in Computer Science, pages 190–206. Springer, 2001.
[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-local revocation. In Vijayalakshmi Atluri, Birgit Pfitzmann, and Patrick Drew McDaniel, editors, ACM Conference on Computer and Communications Security, pages 168–177. ACM, 2004.
[BSZ05] Mihir Bellare, Haixia Shi, and Chong Zhang. Foundations of group signatures: The case of dynamic groups. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 136–153. Springer, 2005.
[BW06] Xavier Boyen and Brent Waters. Compact group signatures without random oracles. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 427–444. Springer, 2006.
[BW07] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pages 1–15. Springer, 2007.
[Cam97] Jan Camenisch. Efficient and generalized group signatures. In EUROCRYPT, pages 465–479, 1997.
[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited (preliminary version). In STOC, pages 209–218, 1998.
[CGH04] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited. J. ACM, 51(4):557–594, 2004.
[CL04] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Franklin [Fra04], pages 56–72.
[CP94] Lidong Chen and Torben P. Pedersen. New group signature schemes (extended abstract). In EUROCRYPT, pages 171–181, 1994.
[CS97] Jan Camenisch and Markus Stadler. Efficient group signature schemes for large groups (extended abstract). In Burton S. Kaliski Jr., editor, CRYPTO, volume 1294 of Lecture Notes in Computer Science, pages 410–424. Springer, 1997.
[CvH91] David Chaum and Eugène van Heyst. Group signatures. In Donald W. Davies, editor, EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages 257–265. Springer, 1991.
[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.
[Fra04] Matthew K. Franklin, editor. Advances in Cryptology - CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, California, USA, August 15-19, 2004, Proceedings, volume 3152 of Lecture Notes in Computer Science. Springer, 2004.
[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In Andrew M. Odlyzko, editor, CRYPTO, volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer, 1986.
[Gen03] Craig Gentry. Certificate-based encryption and the certificate revocation problem. In Biham [Bih03], pages 272–293.
[GPS08] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008.
[Gro06] Jens Groth. Simulation-sound NIZK proofs for a practical language and constant size group signatures. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT, volume 4284 of Lecture Notes in Computer Science, pages 444–459. Springer, 2006.
[Gro07] Jens Groth. Fully anonymous group signatures without random oracles. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 of Lecture Notes in Computer Science, pages 164–180. Springer, 2007.
[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In Nigel P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pages 415–432. Springer, 2008.
[GSW10] Essam Ghadafi, Nigel P. Smart, and Bogdan Warinschi. Groth-Sahai proofs revisited. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography, volume 6056 of Lecture Notes in Computer Science, pages 177–192. Springer, 2010.
[HP06] Henrik Slot Hansen and Kristoffer Kjærvik Pagels. Implementation and analysis of five group signature systems. Master's thesis, Datalogisk Institut, Århus Universitet, 2006.
[Kil06] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In Shai Halevi and Tal Rabin, editors, TCC, volume 3876 of Lecture Notes in Computer Science, pages 581–600. Springer, 2006.
[Koc98] Paul C. Kocher. On certificate revocation and validation. In Rafael Hirschfeld, editor, Financial Cryptography, volume 1465 of Lecture Notes in Computer Science, pages 172–177. Springer, 1998.
[Lys02] Anna Lysyanskaya. Signature Schemes and Applications to Cryptographic Protocol Design. PhD thesis, Massachusetts Institute of Technology, 2002.
[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, 1978.
[ZL06] Sujing Zhou and Dongdai Lin. Shorter verifier-local revocation group signatures from bilinear maps. In David Pointcheval, Yi Mu, and Kefei Chen, editors, CANS, volume 4301 of Lecture Notes in Computer Science, pages 126–143. Springer, 2006.
Appendix A
Sizes of the DDH/DLIN Groth-Sahai Proofs

Based on [GSW10], we present the following table, which contains the number of group elements required for each type of commitment and proof in a DDH/DLIN group. We use the same notation as in [GS08].

Assumption: DDH/DLIN                                              G1   G2   Zp
Variables $x \in \mathbb{Z}_p$, $X \in G_1$                          2    0    0
Variables $y \in \mathbb{Z}_p$, $Y \in G_2$                          0    3    0
Pairing product equations                                          4    6    0
  - Linear equation $\vec{A} \cdot \vec{Y} = t_T$                  2    0    0
  - Linear equation $\vec{X} \cdot \vec{B} = t_T$                  0    3    0
Multi-scalar multiplication equations in $G_1$                     2    6    0
  - Linear equation $\vec{A} \cdot \vec{y} = T_1$                  1    0    0
  - Linear equation $\vec{X} \cdot \vec{b} = T_1$                  0    0    2
Multi-scalar multiplication equations in $G_2$                     4    3    0
  - Linear equation $\vec{a} \cdot \vec{Y} = T_2$                  0    0    3
  - Linear equation $\vec{x} \cdot \vec{B} = T_2$                  0    2    0
Appendix B
Proofs

B.1 q-Unfakeability Type 2b Assumption (q-U-2b)

Proof of Theorem 6. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:
\[
\Pr\big[\, gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma_1, \gamma_2, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;
\]
\[
([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1 \gamma_1 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)} \gamma_1 r_{q(k)} + \zeta]\big) :
\]
\[
[v] \notin \{[\gamma_1 x_1], \ldots, [\gamma_1 x_{q(k)}]\} \ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]] \ \wedge\ [[s(v + \gamma_1 m)]] = [[\gamma_1 \gamma_2]] \,\big] \approx 0.
\]
We observe that $\mathcal{A}$ can only generate group elements by using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can state the conditions for success as
\[
[[s(v + \gamma_1 m) - \gamma_1 \gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).
\]
For $\mathcal{A}$ to succeed, two low-degree polynomials must evaluate to 0. By the Schwartz-Zippel lemma, a low-degree polynomial evaluates to 0 for randomly chosen $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ with only negligible probability, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero polynomials with $v \notin \{\gamma_1 x_1, \ldots, \gamma_1 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g \gamma_1]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g \gamma_2$ and $v = v_d + v_g \gamma_1$ for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us
\[
s_d v_d + s_d (v_g + m)\gamma_1 + s_g v_d \gamma_2 + \big(s_g (v_g + m) - 1\big)\gamma_1 \gamma_2 = 0.
\]
Assume for contradiction that $v_d \neq 0$. The constant term gives $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_2$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$, which contradicts $s(v + m\gamma_1) = \gamma_1 \gamma_2$. We conclude that $\mathcal{A}$ can only be successful if $v = v_g \gamma_1$.

We now consider equation (2): $a(\eta + v_g \gamma_1) + \phi b - \phi\zeta = 0$. Since $a$ and $b$ are constructed by calls to $\mathcal{O}$, we can write them as
\[
a = a_d + a_f \phi + a_g \gamma_2 + \sum_{i=1}^{q(k)} a_{a_i} \phi r_i + \sum_{i=1}^{q(k)} a_{b_i}\, x_i \gamma_2 r_i,
\]
\[
b = b_d + b_f \phi + b_g \gamma_1 + b_h \eta + \sum_{i=1}^{q(k)} b_{a_i} \phi r_i + \sum_{i=1}^{q(k)} b_{b_i} (\eta r_i + x_i \gamma_1 r_i + \zeta),
\]
for known $a_d, a_f, a_g, a_{a_i}, a_{b_i}, b_d, b_f, b_g, b_h, b_{a_i}, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists some $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_1 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$, and since $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$ and $v \in \{\gamma_1 x_1, \ldots, \gamma_1 x_{q(k)}\}$, a contradiction.
B.2 q-Unfakeability Type 3a Assumption (q-U-3a)

Theorem 13. The q-U-3a Assumption holds in the generic group model.

Proof. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:
\[
\Pr\big[\, gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma_1, \gamma_2, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;
\]
\[
([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1 \gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)} \gamma_2 r_{q(k)} + \zeta]\big) :
\]
\[
[v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\} \ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]] \ \wedge\ [[s(v + \gamma_2 m)]] = [[\gamma_1 \gamma_2]] \,\big] \approx 0.
\]
We observe that $\mathcal{A}$ can only generate group elements by using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can state the conditions for success as
\[
[[s(v + \gamma_2 m) - \gamma_1 \gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).
\]
For $\mathcal{A}$ to succeed, two low-degree polynomials must evaluate to 0. By the Schwartz-Zippel lemma, a low-degree polynomial evaluates to 0 for randomly chosen $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ with only negligible probability, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero polynomials with $v \notin \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g \gamma_2]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g \gamma_1$ and $v = v_d + v_g \gamma_2$ for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us
\[
s_d v_d + s_d (v_g + m)\gamma_2 + s_g v_d \gamma_1 + \big(s_g (v_g + m) - 1\big)\gamma_1 \gamma_2 = 0.
\]
Assume for contradiction that $v_d \neq 0$. The constant term gives $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_1$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$, which contradicts $s(v + m\gamma_2) = \gamma_1 \gamma_2$. We conclude that $\mathcal{A}$ can only be successful if $v = v_g \gamma_2$.

We now consider equation (2): $a(\eta + v_g \gamma_2) + \phi b - \phi\zeta = 0$. Since $a$ and $b$ are constructed by calls to $\mathcal{O}$, we can write them as
\[
a = a_d + a_f \phi + a_g \gamma_1 + a_h \eta + \sum_{i=1}^{q(k)} a_{a_i} \phi r_i + \sum_{i=1}^{q(k)} a_{b_i} (\eta r_i + x_i \gamma_1 r_i),
\]
\[
b = b_d + b_g \gamma_2 + b_h \eta + \sum_{i=1}^{q(k)} b_{b_i} (\eta r_i + x_i \gamma_2 r_i + \zeta),
\]
for known $a_d, a_f, a_g, a_h, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists some $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_2 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$, and since $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$ and $v \in \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$, a contradiction.
B.3 q-Unfakeability Type 3b Assumption (q-U-3b)

Proof of Theorem 9. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:
\[
\Pr\big[\, gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma_1, \gamma_2, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;
\]
\[
([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1 \gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)} \gamma_2 r_{q(k)} + \zeta]\big) :
\]
\[
[v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\} \ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]] \ \wedge\ [[s(v + \gamma_2 m)]] = [[\gamma_1 \gamma_2]] \,\big] \approx 0.
\]
We observe that $\mathcal{A}$ can only generate group elements by using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can state the conditions for success as
\[
[[s(v + \gamma_2 m) - \gamma_1 \gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).
\]
For $\mathcal{A}$ to succeed, two low-degree polynomials must evaluate to 0. By the Schwartz-Zippel lemma, a low-degree polynomial evaluates to 0 for randomly chosen $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ with only negligible probability, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero polynomials with $v \notin \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g \gamma_2]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g \gamma_1$ and $v = v_d + v_g \gamma_2$ for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us
\[
s_d v_d + s_d (v_g + m)\gamma_2 + s_g v_d \gamma_1 + \big(s_g (v_g + m) - 1\big)\gamma_1 \gamma_2 = 0.
\]
Assume for contradiction that $v_d \neq 0$. The constant term gives $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_1$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$, which contradicts $s(v + m\gamma_2) = \gamma_1 \gamma_2$. We conclude that $\mathcal{A}$ can only be successful if $v = v_g \gamma_2$.

We now consider equation (2): $a(\eta + v_g \gamma_2) + \phi b - \phi\zeta = 0$. Since $a$ and $b$ are constructed by calls to $\mathcal{O}$, we can write them as
\[
a = a_d + a_f \phi + a_g \gamma_1 + \sum_{i=1}^{q(k)} a_{a_i} \phi r_i + \sum_{i=1}^{q(k)} a_{b_i}\, x_i \gamma_1 r_i,
\]
\[
b = b_d + b_g \gamma_2 + b_h \eta + \sum_{i=1}^{q(k)} b_{b_i} (\eta r_i + x_i \gamma_2 r_i + \zeta),
\]
for known $a_d, a_f, a_g, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists some $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_2 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$, and since $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$ and $v \in \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$, a contradiction.
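The coefficient comparison that the proofs in B.1 to B.3 carry out by hand can be mechanised, which is a useful check when the number of certificates $q$ or the shape of the inputs changes. The following Python script is an added worked example and is not part of the dissertation: it expands the two success conditions in the q-U-3b shape of B.3, with the generic-group exponents $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_i$ as formal "secret" variables and the adversary's own scalars ($s_d, s_g, v_d, v_g, m, a_d, \ldots, b_{b_i}$, and the public $x_i$) as further variables, and then groups the expansion by monomials in the secrets. By Schwartz-Zippel each group must vanish identically, and the groups are exactly the constraints read off in the proof (the constant term $s_d v_d$, the coefficient of $\gamma_1\gamma_2$, and the coefficients of $\phi\zeta$, $\phi\eta r_i$ and $\phi\gamma_2 r_i$). The variable names `g1`, `g2`, `phi`, `eta`, `zeta`, `r1`, ... are the script's spelling of the dissertation's symbols; $q$ is a parameter.

```python
# Added worked example (not from the dissertation): mechanising the coefficient
# comparison used in the generic-group proofs of Appendix B (q-U-3b shape).
# A polynomial is a dict {monomial: int}; a monomial is a sorted tuple of
# variable names (a repeated name is a power).  Secret variables stand for the
# generic-group exponents gamma_1, gamma_2, phi, eta, zeta and r_i; every other
# variable is a scalar the adversary chose itself, or a public x_i.
from collections import defaultdict
from itertools import product

def var(name):
    return {(name,): 1}

def add(*polys):
    out = defaultdict(int)
    for p in polys:
        for mono, c in p.items():
            out[mono] += c
    return {m: c for m, c in out.items() if c}

def mul(*polys):
    out = {(): 1}
    for p in polys:
        nxt = defaultdict(int)
        for (m1, c1), (m2, c2) in product(out.items(), p.items()):
            nxt[tuple(sorted(m1 + m2))] += c1 * c2
        out = {m: c for m, c in nxt.items() if c}
    return out

def scale(p, k):
    return {m: k * c for m, c in p.items()}

def split_by_secrets(poly, secrets):
    """Group a polynomial by its monomial in the secret variables.  The value
    for each secret monomial is a polynomial in the adversary's variables; by
    Schwartz-Zippel every one of them must be identically zero for the whole
    expression to vanish with non-negligible probability over random secrets."""
    groups = defaultdict(dict)
    for mono, c in poly.items():
        sec = tuple(v for v in mono if v in secrets)
        adv = tuple(v for v in mono if v not in secrets)
        groups[sec] = add(groups[sec], {adv: c})
    return dict(groups)

BASE_SECRETS = {"g1", "g2", "phi", "eta", "zeta"}   # gamma_1, gamma_2, phi, eta, zeta

def equation_one():
    """Condition (1): s(v + gamma_2 m) - gamma_1 gamma_2 = 0, with
    s = s_d + s_g gamma_1 and v = v_d + v_g gamma_2 as in the proof."""
    s = add(var("sd"), mul(var("sg"), var("g1")))
    v = add(var("vd"), mul(var("vg"), var("g2")))
    expr = add(mul(s, add(v, mul(var("g2"), var("m")))),
               scale(mul(var("g1"), var("g2")), -1))
    return split_by_secrets(expr, BASE_SECRETS)

def equation_two(q):
    """Condition (2): a(eta + v_g gamma_2) + phi b - phi zeta = 0, with a and b
    spanned by the G1 and G2 elements the adversary holds for q certificates:
    a = a_d + a_f phi + a_g gamma_1 + sum_i a_{a_i} phi r_i
    b = b_d + b_g gamma_2 + b_h eta + sum_i b_{b_i}(eta r_i + x_i gamma_2 r_i + zeta)."""
    idx = range(1, q + 1)
    secrets = BASE_SECRETS | {f"r{i}" for i in idx}
    a = add(var("ad"), mul(var("af"), var("phi")), mul(var("ag"), var("g1")),
            *[mul(var(f"aa{i}"), var("phi"), var(f"r{i}")) for i in idx])
    b = add(var("bd"), mul(var("bg"), var("g2")), mul(var("bh"), var("eta")),
            *[mul(var(f"bb{i}"), add(mul(var("eta"), var(f"r{i}")),
                                    mul(var(f"x{i}"), var("g2"), var(f"r{i}")),
                                    var("zeta"))) for i in idx])
    expr = add(mul(a, add(var("eta"), mul(var("vg"), var("g2")))),
               mul(var("phi"), b),
               scale(mul(var("phi"), var("zeta")), -1))
    return split_by_secrets(expr, secrets)

def show(groups):
    """Print each constraint as 'coefficient of <secret monomial> : <polynomial>'."""
    for sec in sorted(groups):
        terms = " + ".join(f"{c}*{'*'.join(m) or '1'}" for m, c in sorted(groups[sec].items()))
        print(f"coeff of {'*'.join(sec) or '1':<14}: {terms}")

if __name__ == "__main__":
    show(equation_one())   # constant term s_d v_d; coeff of g1*g2 is s_g v_g + s_g m - 1
    show(equation_two(2))  # coeff of phi*zeta is bb1 + bb2 - 1; of eta*phi*r1 is aa1 + bb1
```

Running the script prints one line per secret monomial; the lines for `1`, `g1`, `g2` and `g1*g2` in equation (1) are the four constraints that force $v_d = 0$, and the lines for `phi*zeta`, `eta*phi*r_i` and `g2*phi*r_i` in equation (2) are the three used to conclude $v_g \in \{x_1, \ldots, x_q\}$.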
Appendix C
Scheme 3
In this Appendix, we detail Scheme 3, which is a direct translation of [Gro07] into a Type
3 group.
C.1
Components
We begin with the certified signature scheme. We modify the scheme to suit a Type 3
group. The resulting scheme is described in Figure C.1.
Setup(1^k):
    gk = (p, G_1, G_2, G_T, e, g_1, g_2) ← G(1^k)
    Return gk

CertKey(gk):
    f ∈_R G_1; h, z ∈_R G_2
    T = e(f, z)
    Return (ak, ck) = ((gk, f, h, T), (ak, z))

⟨User(gk, ak), Issuer(gk, ck)⟩:
    ⟨User(gk), Issuer(gk)⟩ → (x, v)
    r ∈_R Z_p
    a = f^{-r}
    b = (vh)^r z
    vk = v, sk = x, cert = (a, b)
    User output: (vk, sk, cert)
    Issuer output: (vk, cert)

Sign_sk(m):
    If x = -m return ⊥
    Else return σ = g_1^{1/(x+m)}

Ver(gk, ak, vk, cert, m, σ):
    Return 1 if e(a, vh) e(f, b) = T and e(σ, v g_2^m) = e(g_1, g_2)
    Else return 0

Figure C.1: The Type-3 Certified Signature Scheme
Theorem 14. The scheme in Figure C.1 is a certified signature scheme which is unfakeable under the q-U-3a assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.

Proof. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature under a key that has not been certified, that is:
\[
\Pr[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > 2k^{-\delta}.
\]
Let $q(k)$ be a polynomial upper bound on the number of queries $\mathcal{A}$ can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most $\frac{1}{q(k) k^{\delta}}$ per query. This allows us to pick $x_1, \ldots, x_{q(k)}$ in advance to simulate this protocol, assigning the signing key $x_i$ to the $i$-th registered user. We call this modified oracle SimKeyReg, which gives us
\[
\Pr[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p;\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > k^{-\delta}.
\]
With this modified oracle, $\mathcal{A}$ only sees certificates on $v_i = g_2^{x_i}$, which are of the form $a_i = f^{-r_i}$, $b_i = h^{r_i} g_2^{x_i r_i} z$ for $1 \leq i \leq q(k)$. It follows directly from the q-U-3a assumption that the probability of this is negligible, which gives us a contradiction. Therefore we conclude that the scheme is unfakeable.

We now show existential unforgeability. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature, giving us
\[
\Pr[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1) \rangle;\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) : m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > 2k^{-\delta},
\]
under weak chosen message attack. Part of the key generation is an interactive protocol, and it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error in this simulation can be set not to exceed $k^{-\delta}$, giving us
\[
\Pr[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ x \in_R \mathbb{Z}_p,\ v = g_2^x;\ (g_2^u, St_2) \leftarrow S_I^{\mathcal{A}(St_1)};\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) : m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > k^{-\delta},
\]
where $u \in \{\bot, x\}$. However, we are now in a situation where $v$ is an honestly chosen Boneh-Boyen verification key and $\mathcal{A}$ only has access to a weak chosen message attack. For a signature made by $\mathcal{A}$ to be valid, we must have $g_2^u \neq \bot$, therefore $v = g_2^u$. We also have a valid Boneh-Boyen signature inside the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08], and therefore the probability above must be negligible. This gives a contradiction. Therefore we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.
Setup(1^k):
    Return gk = (p, G_1, G_2, G_T, e, g_1, g_2)

KeyGen(gk):
    φ, η ∈_R Z_p
    F = g_1^φ, H = g_1^η, K, L ∈_R G_2
    Return (pk, sk) = ((gk, F, H, K, L), (φ, η))

Enc_pk(t, M):
    r, s ∈_R Z_p
    y_1 = F^r, y_2 = H^s, y_3 = g_1^{r+s} M, y_4 = (g_2^t K)^r, y_5 = (g_2^t L)^s
    Return C = (y_1, y_2, y_3, y_4, y_5)

Dec_sk(C, t):
    If Ver(pk, C, t) = 1
        Return M = y_3 y_1^{-1/φ} y_2^{-1/η}
    Else Return ⊥

Ver(pk, C, t):
    If e(y_1, g_2^t K) = e(F, y_4) ∧ e(y_2, g_2^t L) = e(H, y_5)
        Return 1
    Else Return 0

Figure C.2: The Type-3 Tag-Based Encryption Scheme
We now move to the cryptosystem. We translate the scheme proposed by Kiltz [Kil06] into a Type 3 setting. The modified scheme is described in Figure C.2.

Theorem 15. The scheme described in Figure C.2 is a tag-based encryption scheme with perfect correctness and selective-tag weak CCA security for a polynomial-size message space $\mathcal{M}$, under the SDLIN assumption in $G_1$.

Proof. Consider the following game between an adversary $\mathcal{A}$ that solves SDLIN in $G_1$ and an adversary $\mathcal{B}$ that breaks the stag-ind-cca security of the scheme. We show that $\mathcal{A}$ can use $\mathcal{B}$ to solve SDLIN.

INIT STAGE: $\mathcal{A}$ runs $\mathrm{INIT}(1^k) \rightarrow (gk, (g_1, g_2, F, H, F^{r^*}, H^{s^*}, w_1, w_2))$ and then calls $\mathcal{B}(1^k) \rightarrow t^*$.

FIND STAGE: $\mathcal{A}$ picks $\kappa, \lambda \in_R \mathbb{Z}_p$ and sets $K = g_2^{\kappa}$, $L = g_2^{\lambda}$. This defines $pk = (gk, F, H, K, L)$. For any valid ciphertext $C$ encrypted under a tag $t \neq t^*$, we have
\[
y_4 = (g_2^t K)^r = (g_2^{t+\kappa})^r = (g_2^r)^{t+\kappa}, \quad \text{so} \quad y_4^{1/(t+\kappa)} = g_2^r.
\]
By a similar argument, $y_5^{1/(t+\lambda)} = g_2^s$. From these we obtain $g_2^{r+s}$. Let $M = g_1^{\mu}$, giving us
\[
e(y_3, g_2) = e(g_1^{r+s} g_1^{\mu}, g_2) = e(g_1^{r+s+\mu}, g_2) = e(g_1, g_2^{r+s})\, e(g_1, g_2^{\mu}).
\]
Using these relationships, we can construct our decryption oracle. We see that
\[
\frac{e(g_1, y_3)}{e\big(g_1, y_4^{1/(t+\kappa)}\, y_5^{1/(t+\lambda)}\big)} = \frac{e(g_1, g_2)^{r+s}\, e(g_1, M)}{e(g_1, g_2)^{r+s}} = e(g_1, M).
\]
Because our message space $\mathcal{M}$ is polynomial in size, we can find $M$ in polynomial time and thus answer decryption queries.

GUESS STAGE: $\mathcal{B}$ returns two different messages $M_0, M_1$ of equal length. $\mathcal{A}$ selects $b \in_R \{0, 1\}$ and generates the challenge ciphertext
\[
C^* = \big(F^{r^*}, H^{s^*}, w_1 M_b, (g_2^{t^*} K)^{r^*}, (g_2^{t^*} L)^{s^*}\big).
\]
Adversary $\mathcal{B}$ is then given $C^*$. We answer decryption queries as before. After making its queries, $\mathcal{B}$ outputs $b' \in \{0, 1\}$. If $b' = b$, then $C^*$ was a valid ciphertext, so $w_1 = g_1^{r^* + s^*}$ and $\mathcal{A}$ outputs 1; otherwise $\mathcal{A}$ outputs 0.

Now that we are in a Type 3 group, we use the SXDH instantiation of the Groth-Sahai proof system [GS08]. Again, no changes are made to the requirements on the hash function.
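As an added check, not part of the dissertation or of [Gro07], the following Python script runs the algebra of Figure C.1 and Figure C.2, together with the $\kappa, \lambda$ decryption used in the proof of Theorem 15, in an exponent-level simulation of a Type 3 bilinear group: every element of $G_1$, $G_2$ and $G_T$ is stored as its discrete logarithm modulo a prime $p$, so a group product is a sum of logarithms and the pairing is multiplication modulo $p$. This is a common way to confirm that a set of verification equations is consistent before committing to a real pairing library; it offers no security at all, since every exponent is in the clear. The prime, the seed and the sample values $x, m, M, t$ are constructed for the check, and `tbe_dec_alt` reads $M$ off directly rather than searching a polynomial-size message space as the proof does.

```python
# Added sanity check (not from the dissertation): the verification equations of
# Figures C.1 and C.2, and the alternative decryption from the proof of
# Theorem 15, checked in an exponent-level simulation of a Type 3 bilinear group.
# An element of G1, G2 or GT is represented by its discrete log mod p, so a
# group product is a sum of logs, exponentiation is a product, and
# e([a]_1, [b]_2) = [a*b]_T.  Algebra only; there is no security here.
import random

P = 1_000_003               # prime group order, chosen for this check only
rand = random.Random(2010)  # seeded so that runs are reproducible

def rz():                   # random non-zero scalar in Z_p
    return rand.randrange(1, P)

def gexp(base, k):          # [base]^k
    return base * k % P

def gmul(*xs):              # product of group elements (within one of G1, G2, GT)
    return sum(xs) % P

def inv(k):                 # 1/k in Z_p; k must be non-zero mod p
    return pow(k % P, -1, P)

def pair(a, b):             # e([a]_1, [b]_2)
    return a * b % P

G1, G2 = 1, 1               # the generators g1 and g2 are [1]_1 and [1]_2

# Figure C.1: the Type-3 certified signature scheme
def cert_key():
    f, h, z = rz(), rz(), rz()                  # f in G1; h, z in G2
    return (f, h, pair(f, z)), z                # ak = (f, h, T = e(f, z)), ck = z

def issue(ak, z, x):
    f, h, _ = ak
    v, r = gexp(G2, x), rz()                    # vk = v = g2^x
    return v, (gexp(f, -r), gmul(gexp(gmul(v, h), r), z))   # cert = (f^-r, (vh)^r z)

def sign(x, m):
    if (x + m) % P == 0:                        # the x = -m case returns bottom
        return None
    return gexp(G1, inv(x + m))                 # sigma = g1^{1/(x+m)}

def cert_verify(ak, v, cert, m, sigma):
    f, h, T = ak
    a, b = cert
    return (gmul(pair(a, gmul(v, h)), pair(f, b)) == T                 # e(a,vh) e(f,b) = T
            and pair(sigma, gmul(v, gexp(G2, m))) == pair(G1, G2))     # e(sigma, v g2^m) = e(g1,g2)

# Figure C.2: the Type-3 tag-based encryption scheme
def tbe_keygen():
    phi, eta, kappa, lam = rz(), rz(), rz(), rz()
    pk = (gexp(G1, phi), gexp(G1, eta), gexp(G2, kappa), gexp(G2, lam))  # (F, H, K, L)
    return pk, (phi, eta), (kappa, lam)         # (kappa, lam) is the reduction's trapdoor

def tbe_enc(pk, t, M):
    F, H, K, L = pk
    r, s = rz(), rz()
    return (gexp(F, r), gexp(H, s), gmul(gexp(G1, r + s), M),
            gexp(gmul(gexp(G2, t), K), r), gexp(gmul(gexp(G2, t), L), s))

def tbe_verify(pk, C, t):
    F, H, K, L = pk
    y1, y2, _, y4, y5 = C
    return (pair(y1, gmul(gexp(G2, t), K)) == pair(F, y4)
            and pair(y2, gmul(gexp(G2, t), L)) == pair(H, y5))

def tbe_dec(pk, sk, C, t):
    if not tbe_verify(pk, C, t):
        return None
    phi, eta = sk
    y1, y2, y3 = C[:3]
    return gmul(y3, gexp(y1, -inv(phi)), gexp(y2, -inv(eta)))  # y3 y1^{-1/phi} y2^{-1/eta}

def tbe_dec_alt(pk, trapdoor, C, t):
    """Decryption as in the Theorem 15 reduction: with K = g2^kappa and
    L = g2^lambda known, g2^r = y4^{1/(t+kappa)} and g2^s = y5^{1/(t+lambda)},
    so e(g1, y3) / e(g1, g2^{r+s}) = e(g1, M).  In the log simulation e(g1, .)
    is the identity, so M is read off instead of searched for."""
    if not tbe_verify(pk, C, t):
        return None
    kappa, lam = trapdoor
    _, _, y3, y4, y5 = C
    g2_r, g2_s = gexp(y4, inv(t + kappa)), gexp(y5, inv(t + lam))
    return (pair(G1, y3) - pair(G1, gmul(g2_r, g2_s))) % P

def check_all(x, m, M, t):
    """Run both schemes end to end on constructed sample values."""
    ak, z = cert_key()
    v, cert = issue(ak, z, x)
    sigma = sign(x, m)
    pk, sk, trapdoor = tbe_keygen()
    C = tbe_enc(pk, t, M)
    return {
        "cert_ok": cert_verify(ak, v, cert, m, sigma),
        "wrong_msg": cert_verify(ak, v, cert, (m + 1) % P, sigma),  # sigma replayed on m+1
        "dec": tbe_dec(pk, sk, C, t),
        "dec_alt": tbe_dec_alt(pk, trapdoor, C, t),
        "wrong_tag": tbe_verify(pk, C, (t + 1) % P),                  # C checked under another tag
    }

if __name__ == "__main__":
    print(check_all(x=12345, m=777, M=4242, t=99))
```

Both decryptions recover the same $M$ on a valid ciphertext, a ciphertext fails verification under any other tag, and a certified signature replayed on a different message fails the second pairing check, which is the behaviour the proofs of Theorem 14 and Theorem 15 rely on.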
C.2 The Scheme

Having now described all the cryptographic primitives needed, we proceed to detail our scheme. The scheme is detailed in Figure C.3.

Setup(1^k):
    G(1^k) → gk; H(1^k) → Hash
    CertKey(gk) → ((f, h, T), z)
    K_NI(gk) → (crs, xk); K, L ∈_R G_2
    Parse(crs) → (F, H, the rest); pk = (F, H, K, L)
    gpk = (gk, Hash, f, h, T, crs, pk)
    ik = z; ok = xk
    Return (gpk, ik, ok)

Join/Issue(User_i: gpk; Issuer: gpk, ik):
    ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
    User: If e(a_i, h v_i) e(f, b_i) = T, set Reg[i] = v_i; SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m):
    KeyGen_sots(1^k) → (vk_sots, sk_sots)   (repeat until Hash(vk_sots) ≠ -x_i)
    ρ ∈_R Z_p; a = a_i f^{-ρ}; b = b_i (h v_i)^ρ
    σ = g_1^{1/(x_i + Hash(vk_sots))}
    π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, σ))
    y = Enc_pk(Hash(vk_sots), σ)
    χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
    σ_sots = Sign_{sk_sots}(vk_sots, m, a, π, y, χ)
    Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ):
    Return 1 if all of the following return 1:
        Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
        V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
        V_NIZK(crs, (gpk, π, y), χ)
        VerEnc(pk, Hash(vk_sots), y)
    Else Return 0

Open(gpk, ok, m, Σ):
    X_xk(crs, (gpk, a, Hash(vk_sots)), π) → (b, v, σ)
    If there is i such that v = v_i, Return (i, σ)
    Else Return (0, σ)

Judge(gpk, i, Reg[i], m, Σ, σ):
    If i ≠ 0 ∧ e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2), Return 1
    Else Return 0

Figure C.3: The Type-3 Group Signature Scheme

We now proceed to prove correctness and the security of our scheme.

Lemma 10. The group signature scheme is anonymous under the SDLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Consider the probability
\[
\Pr[(gpk, ik, ok) \leftarrow \mathcal{G}(1^k) : \mathcal{A}^{\mathrm{Ch}_b, \mathrm{Open}, \mathrm{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1]
\]
from the definition of anonymity [BSZ05]. For our scheme to have anonymity, we require that the probabilities for $b = 0$ and $b = 1$ differ negligibly.

We begin by modifying the game such that we abort if the challenge one-time verification key $vk^*_{sots}$ is reused in a group signature submitted to the Open(·) oracle. By the strong existential unforgeability of the one-time signature, there is negligible probability that we abort for this reason. Thus we can now assume that $vk^*_{sots}$ is not used in any valid query to Open(·). We also abort if there is a collision with $\mathrm{Hash}(vk^*_{sots})$. The collision-resistance of the hash function implies that the probability of this is negligible, so we assume from now on that no such collision occurs.

We now modify how we generate the public key of the cryptosystem. We pick $\kappa, \lambda \in_R \mathbb{Z}_p$, set $K = g_2^{\kappa}$, $L = g_2^{\lambda}$, and store $\kappa$ and $\lambda$. Whenever Open receives a valid group signature, we use $\kappa, \lambda$ to decrypt the tag-based ciphertext. By the validity checks of the tag-based cryptosystem and the perfect soundness of the NIZK proof $\chi$, this gives us the same signature $\sigma$ as would be extracted from the NIWI proof $\pi$. We can now check Reg for an $i$ such that $e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2)$. If this is the case, we return $(i, \sigma)$. This equation determines $v_i$, and it is the same $v_i$ we would get by running the extractor on the NIWI proof $\pi$. If we find no such $v_i$, we return $(0, \sigma)$ and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change when the value of $b$ changes.

Due to our changes to the Open oracle, we no longer need $xk$. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that $\mathcal{A}$ outputs 1. The perfect witness-indistinguishability implies that $\mathcal{A}$ gains no information from $\pi$ about which identity, and through it which secret key, was used to create the group signature.

This leads us to the ciphertext $y$. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for $b = 1$ and $b = 0$ differ negligibly. We use the group signature adversary to construct an adversary that attacks the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is $pk = (gk, F, H, K, L)$. Using $gk, F, H$ we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge. This simulated crs has a trapdoor key $tk$ consisting of the discrete logarithms of the remaining crs elements with respect to $g_1, g_2, F, H$. From $pk$ we can build a valid group signature public key $gpk$. We can also emulate the oracles CrptU, SndToI, AddU and USK. Whenever we receive a valid query to Open, it contains a ciphertext $y$. The tag used in $y$ is never $\mathrm{Hash}(vk^*_{sots})$, so we can use the alternative decryption from the proof of Theorem 15, which gives us $\sigma$.

We now construct a challenge group signature from a challenge ciphertext. We first pick $(vk_{sots}, sk_{sots})$ and use $\mathrm{Hash}(vk_{sots})$ as $t^*$. These are chosen independently of $pk$. We then obtain $pk$ and run the group signature game as described above. $\mathcal{A}$ outputs $i_0, i_1, m$ for the challenge group signature. We produce the certified signatures $\sigma_0, \sigma_1$ on $\mathrm{Hash}(vk_{sots})$ for users $i_0$ and $i_1$, and the challenge ciphertext $y^*$ encrypts $\sigma_b$. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities differ for $b = 0$ and $b = 1$, then we can distinguish whether $y^*$ encrypts $\sigma_0$ or $\sigma_1$. But by the stag-ind-cca security, the probabilities for $b = 0$ and $b = 1$ are indistinguishable.
Lemma 11. The group signature scheme is traceable if the q-U-3a assumption holds.

Proof. We have to show that valid signatures lead to the provable identification of the signer. To formalise:
\[
\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*) \leftarrow \mathcal{A}^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok);\ (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, \mathrm{Reg}, m^*, \Sigma^*) : \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge (\mathrm{Judge}(gpk, i, \mathrm{Reg}[i], m^*, \Sigma^*, \sigma) = 0 \vee i = 0)] \approx 0.
\]
By the soundness of the NIWI proof, a valid group signature $\Sigma$ implies that there is a valid certified signature on $\mathrm{Hash}(vk_{sots})$. Using the extraction key $xk$ for the NIWI, we can extract the signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the $v_i$'s issued by the issuer. This leads us to the user $i$ who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted signature $\sigma$ is indeed a signature on $\mathrm{Hash}(vk_{sots})$ under the verification key $v_i$. This implies that Judge will output 1.

Lemma 12. The group signature scheme has non-frameability under the q-SDH assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. We have to show that no member can be framed for making a signature they did not make. To formalise:
\[
\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) : \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge \mathrm{Judge}(gpk, i^*, \mathrm{Reg}[i^*], m^*, \Sigma^*, \sigma^*) = 1 \wedge i^* \in HU \wedge (m^*, \Sigma^*) \notin \mathrm{GSet}] \approx 0.
\]
By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that $\mathcal{A}$ produces a group signature reusing one of the $vk_{sots}$ produced by GSig. The collision-resistance of the hash function implies that there is a negligible probability that $\mathrm{Hash}(vk^*_{sots})$ collides with the hash of any $vk_{sots}$ used by the GSig oracle. We can then assume that any attempt to frame a user requires producing a certified signature on a value $\mathrm{Hash}(vk^*_{sots})$ that the user has not previously signed.

Let $n(k)$ be a polynomial upper bound on the number of AddU queries made. We have at least a $1/n(k)$ chance of guessing the identity of the user that $\mathcal{A}$ will attempt to frame. For each honest user, the probability that $\mathcal{A}$ can produce a valid $\sigma$ on $\mathrm{Hash}(vk^*_{sots})$ is negligible, by the existential unforgeability against weak chosen message attack of the Boneh-Boyen signature scheme.

Theorem 16. The group signature scheme has perfect correctness and has anonymity, traceability and non-frameability under the SDLIN, q-SDH and q-U-3a assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. Anonymity, traceability and non-frameability follow from Lemmas 10, 11 and 12 respectively.