Efficient Group Signatures in the Standard Model Laila El Aimani and Olivier Sanders ⋆ Technicolor, Security & Content Protection Labs 1 avenue de Belle Fontaine, 35576 Cesson-Sévigné Cedex, France Abstract. In a group signature scheme, group members are able to sign on behalf of the group. Since the introduction of this cryptographic authentication mechanism, several schemes have been proposed but only few of them enjoy a security in the standard model. Moreover, those provided in the standard model suffer the recourse to non standard-assumptions, or the expensive cost and bandwidth of the resulting signature. We provide three practical group signature schemes that are provably secure in the standard model under standard assumptions. The three schemes permit dynamic enrollment of new members while keeping a constant size for both keys and group signatures, and they improve the state-of-the art by several orders of magnitude. Key words: Group signature, bilinear groups, standard model, non-interactive zero-knowledge. 1 Introduction Group signatures, introduced in 1991 by Chaum and Van Heyst [16] allow members of a group to anonymously sign messages on behalf of the whole group. However, to prevent abuses, the group is controlled by a group manager that has the ability to open the group signature, i.e. to identify the signer of a message. Group signatures have proved to be extremely useful in various applications, for example keycard access to restricted areas, where it is necessary to secure areas to only employees of the group without tracking individual employee’s movements. Related works. Since their introduction, a great number of security properties that group signatures should meet have been introduced until Bellare, Micciancio and Warinschi [5] provided appropriate definitions and formalized the intuitive informal requirements of previous works. In fact, they proposed two properties for static groups, namely full anonymity and full traceability, that captured all previous requirements. Full anonymity requires that group signatures reveal no information about the signer, even in the presence of a powerful adversary who has access to an opening oracle and to all users secret keys. Full traceablity requires that the group manager is always able to identify the signer of a valid group signature or a member of the coalition that issued it. Bellare, Shi and Zhang [6] extended these notions to dynamic groups and added the notion of non-frameability, which requires that even a dishonest group manager and a coalition of group members cannot falsely accuse an honest user of having issued some group signature. Boneh and Shacham [10] proposed a weaker notion of anonymity, called selfless anonymity, where signers can trace their own signatures. Further schemes ([11], [12]) introduced another weak version of anonymity, namely the CPA-anonymity where the adversary does not have access to an opening oracle. As mentioned in [7], this is a much more serious limitation because the opening functionality becomes virtually useless. Most practical group signatures schemes ([7], [17]) that have been proposed are proven secure in the random oracle model (ROM). Indeed, despite its inherent flaws ([14], [4]), the ROM compares much better than the standard model with respect to efficiency. Ateniese et al. [3] gave an efficient group signature scheme in the standard model but proved its security under non-standard assumptions. Moreover, the security proof of anonymity (lemma A.2 of their paper) does not mention any access to opening oracles by the adversary and thus differs from the standard CCA-anonymity experiment. Actually, this CCA-anonymity seems hard to reach since their group signatures are partially re-randomizable, so any adversary against the selfless ⋆ Laila El Aimani is now an independent researcher and Olivier Sanders is with Orange Labs. anonymity is able to re-randomize the first part of the challenge group signature and make an opening request on the result. In 2007, Groth [19] gave the first efficient realization, achieving full anonymity in the standard model, where the size of group signatures is about 50 elements. Our contributions. We propose three groups signatures schemes, proven secure in the standard model under standard assumptions, that improve the size of group signatures and the number of pairings required for the signature verification. In our constructions, each user joining the group receives a certificate on a key while the group manager receives some information allowing him to open the group signatures produced by this user. To produce a group signature on a message, the user will use his key to sign, with a digital signature scheme, the message, a randomized part of the certificate and the verification key of a strong one-time signature. Then he will produce a non-interactive zero-knowledge proof (NIZK) to prove that the key used to sign the message is certified. Finally, to prevent anyone else to randomize his group signature, the user will sign some of its elements with the strong one-time signature scheme. Our first group signature scheme, whose group signatures comprise only 22 group elements, achieves selfless anonymity without the need for encryption. Indeed, the use of the Camenish-Lysyanskaya signature scheme [13] makes it possible to disclose the digital signature on the message in the group signature, and thus to decrease the cost and size of the non-interactive proof of knowledge. The scheme resorts however to a trusted party to set up the system parameters. Moreover the cost of the opening algorithm is linear in the number of members. Our second group signature scheme overcomes the drawbacks of the first scheme but at the expense of a slight increase in the size of the group signature (28 group elements). In fact, users certify now their verification keys (instead of their siging keys), allowing the group manager to set up the system parameters and to extract the identity of the group signature issuer using his extraction key. Since the verification keys are group elements, we now require that our certificate scheme is structure-preserving [1], which explains the extra-cost of the scheme. Finally we propose a generic group signature scheme that generalizes Groth’s scheme, and which achieves full anonymity. The construction makes use of an encryption scheme in order to be able to use any EUFCMA digital signature scheme, which increases the size/cost of the group signature. An instantiation of this construction results in a group signature with 30 group elements. We summarize in Figure the signature sizes (number of group elements), the verification costs (number of pairings) and the opening cost (as a function of the number of participants, denoted r) of our contributions (GS1, GS2, GS3) and compare them with the state of the art. Scheme Signature size Verification cost Opening cost Standard model? BCNSW [7] 5 2 O(r) No DP [17] 9 1 O(1) No Groth [19] 50 246 O(1) Yes GS1 (Section 4) 22 73 O(r) Yes GS2 (Section 5) 28 124 O(1) Yes GS3 (Section 6) 30 92 O(r) Yes Fig. 1. Comparison between group signatures performances Outline of the paper. The rest of this paper is organized as follows. In section 2 we recall definitions of the notions that we use in our schemes. Section 3 defines the syntax and the security model of a secure group signature scheme. Following sections present our group signature schemes. We defer the security proofs to the appendix. 2 2 Preliminaries In this section we recall some necessary bricks that will be used throughout the document, namely bilinear maps, Camenisch-Lysyanskaya’s signatures, and signatures on committed values. Note that we defer in Appendix A the recall of further primitives such as (one-time, structure-preserving) signatures, tag-based encryption, and non-interactive proofs of knowledge. 2.1 Bilinear groups Our constructions use cyclic groups of prime order that have a non-degenerate efficiently computable bilinear map e. We use the following notations: – G1 , G2 , GT are cyclic groups of prime order q. – We write the group operations multiplicatively in each group. – A bilinear map e : G1 × G2 → GT has the following properties: 1. For all x ∈ G1 , y ∈ G2 and a, b ∈ Zq we have e(xa , y b ) = e(x, y)ab . 2. For x 6= 1G1 or y 6= 1G2 , e(x, y) 6= 1GT . 3. e is efficiently computable. The Symmetric External Diffie-Hellman (SXDH) assumption: We say SXDH holds in the bilinear groups G1 and G2 if DDH is hard in both groups, where DDH (Decisional Diffie-Hellman) is the following problem: Given (g, g a , g b , g c ) it is hard to decide whether c = ab mod q or random. 2.2 Camenisch-Lysyanskaya Signatures Our group signature schemes make use of the pairing-based Camenish-Lysyankaya signature schemes [13] (scheme A and scheme C in their paper), which are provably secure under the LSRW assumption [21]. The two schemes operate in three cyclic groups G1 , G2 and GT of prime order q, equipped with a pairing e : G1 × G2 → GT , and two generators g ∈ G1 and ge ∈ G2 . Lysyanskaya-Sahai-Rivest-Wolf (LSRW) assumption: Let ge ∈ G2 , x e = geα , ye = geβ and Oxe,ey (.) be an oracle that, on input a value u ∈ Zq , outputs A = β α+uαβ (a, a , a ) ∈ G31 for a randomly chosen a ∈ G1 . Then for all probabilistic polynomial time adversaries A, the quantity ǫ is negligible: e y e ǫ = Pr[α, β ← Zq ; x e ← geα , ye ← geβ ; (u, a, b, c) ← AOx, (e x, ye) : u∈ / Q ∧ a ∈ G1 ∧ b = aβ ∧ cα+uαβ ] where Q is the set of queries asked by A to his oracle Oxe,ey (.). R [Key generation] Choose α, β ← − Zd then compute X ← geα and Y ← geβ set pk ← {X, Y } and sk ← {α, β}. [Signature on m] Choose a random a ∈ G1 and outputs : σ = (a, aβ , aα+mαβ ) [Verification] Given pk, m and σ = (a, b, c) check if the following equations holds: e(a, Y ) = e(b, ge) and e(a, X).e(b, X)m = e(c, ge) Fig. 2. Camenisch-Lysyanskaya’s signature A 3 R Choose α, β, zi ← − Zd then compute X ← geα , Y ← geβ zi and Zi ← ge for 1 ≤ i ≤ l set pk ← {X, Y, Zi }1≤i≤l and sk ← {α, β, zi }1≤i≤l . [Signature on (m0 , ..., ml )] Choose a random a ∈ G1 Ai = azi for 1 ≤ i ≤ l b = aβ , Bi = (Ai )β l Q Aαβmi c = aα+αβm0 [Key generation] i=1 and outputs the signature σ = (a, {Ai }, b, {Bi }, c) Given pk, m and σ check if the following verification equations holds: e(a, Zi ) = e(Ai , ge) e(a, Y ) = e(b, ge) and e(Ai , Y ) = e(Bi , ge) l Q e(a, X).e(b, X)m0 e(Bi , X)mi = e(c, ge) [Verification] i=1 Fig. 3. Camenisch-Lysyanskaya’s signature C 2.3 Re-randomizable signatures on committed values Our constructions use i.e. digital signature schemes Σ with the following properties: – The signature scheme is re-randomizable i.e. it admits a function SigRand such that for each signature σ on a message m, SigRand(σ) = σ ′ , where σ ′ is a valid signature on m and such that no probabilistic polynomial time adversary A, with access to a signing oracle, is able, given a signature σ, to distinguish a randomized version of σ from a signature on a random element of the message space. – Σ admits an algorithm comSign to obtain signatures on committed values which, on input c (where (c, r) ← Commit(m)) and π ← POK{(m, r) : (c, r) = Commit(m)}(c), outputs σ such that Σ.verify(σ, (m, r)) = 1. We define EUF-CMA security the same way as the standard digital signature schemes (a re-randomizable signature scheme cannot obviously reach the SEUF-CMA security). As shown in [13] the signature scheme described in figure 3 is EUF-CMA secure and admits an efficient protocol (described in Fig. 4) for obtaining signature on committed value. Moreover, using a proof similar to that of [7], this scheme is re-randomizable if the DDH-assumption holds in G1 . 3 3.1 Defining Group Signatures Syntax A group signature scheme consists of a set of users, identified by a unique index i, that can produce signatures on behalf of the group. Users must interact with a certification authority and the group manager to join the group. At the end of this interaction, each user obtains a signature key pair and the group manager obtains some information that will allow him to identify the group signatures issuers. The syntax that we require is as follows. – Keygen(λ): This algorithm inputs a security parameter λ and outputs (gpk, skcert , skM ,Sreg,reg), where gpk is the group public key, skcert is the issuer’s secret key, skM is the group manager’s secret key, Sreg is the group manager’s secret register and reg is a public register. – Join(gpk, upki ): The Join protocol is used to add a new user to the group. It consists of one interactive protocol between the user and the issuer and another one between the user and the group manager. The 4 Signer (input: sk, pk) Ui ← g zi for 1 ≤ i ≤ k User (input: m1 , m2 , ..., mk and pk) Ui − −−−−−−−−−−−−−−− −−−−−−−−−−−− → R l← − Zq C ← gl k Q i=1 Uimi π ← POK{(l, m1 , ..., mk ) : C = g l k Q i=1 Uimi }(C) C, π ← −−−−−−−−−−−−−−−−−−−−−−−−−−− − R x← − Zq a ← gx Ai = azi for 1 ≤ i ≤ k b = aβ , Bi = (Ai )β c = aα C xαβ σ ← (a, {Ai }, b, {Bi }, c) − −−−−−−−−−−−−−−−−−−−−−−−−−−− → Fig. 4. Protocol for obtaining a CL signature C on committed values common inputs of this protocol is gpk and the user’s public key upki . The private input of the user is uski whereas the private inputs of the issuer and the group manager are skcert and skM respectively. As a result of the first interaction, the user obtains his group signing key ski , the verification key vki and a certificate, σcert (i), proving membership of the group. Then he uses uski to compute σi , a digital signature on vki . At the end of the second interaction, the group manager obtains and stores vki and σi in Sreg[i] and publishes upki in reg[i]. – Sign(gpk, ski , σcert (i), m) : This algorithm inputs a message m, the user’s secret key and certificate and outputs a group signature µ on m. – Verify(gpk, µ, m) : This algorithm inputs a message m and a group signature µ and outputs 1 if µ is a valid group signature on m, and 0 otherwise. – Open(gpk, m, µ, skM ) : This algorithm inputs a message m, a group signature µ and the group manager’s secret data sk M and Sreg. If µ is a valid group signature on m from user i it returns a proof τ of this statement and the identity i, else it returns ⊥. – Judge(gpk, m, µ, i, τ ) : This algorithm inputs a message m, a group signature µ, an identity i and a proof of knowledge τ . It returns 1 if τ is a valid proof that µ is a group signature on m, issued by user i. Otherwise it returns 0. 3.2 Security model In this section we give the security definitions that we require for group signature schemes. We adhere to the model defined by [6], except that we use the selfless anonymity notion from [10] instead of the full anonymity for our first two group signature schemes. Informally, selfless anonymity, contrarily to full anonymity, does not protect dishonest users, i.e. the adversary does not know the private keys of the identities he wishes to be challenged on. As in [7], we consider a setting with n users divided statically into sets HU and DU of honest and dishonest users respectively ( i.e an honest user cannot be corrupted during the experiment). This static division implies, by guessing the indices of ”target” users in the anonymity and non-frameability experiment, security in the dynamic corruption case. The security notions make use of the following oracles: 5 – OJoinU D (gpk, upki , skM ) is an oracle that executes the user’s side of the join protocol for the input user i ∈ HU . This oracle will be used by an adversary playing the role of the corrupted group manager. – OJoinDM (gpk, upki , uski ) is an oracle that executes the join protocol with the honest group manager. This oracle will be used by an adversary to register a corrupted user. – OSign(i, m) is an oracle that accepts as input an identity i and a message m and returns a group signature µ if user i is honest and registered. – OOpen(m, µ) inputs a message-signature pair (m, µ) and returns the result of the function call Open(Sreg, skM , µ, m). We use the notation OOpen¬(m, µ) when the query (m, µ) is not allowed. Correctness: We define the correctness of a group signature scheme through a game in which an adversary is allowed to request a signature on some message by any of the honest group members. The adversary wins if either the resulting signature does not pass the verification test, the signature is opened as if it were produced by a different user, or the judging algorithm returns 0. The group signature scheme is correct if for any adversary A and any security parameter λ (we keep this notation in the following experiments), corr Pr[Expcorr A (λ) = 1] is negligible in λ, where ExpA (λ) is defined as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. HU ← {1..n}. (gpk, skcert , skM ) ← Keygen(λ). (ski , vki , σcert (i)) ← Join(gpk, skcert , skM ) for each user i ∈ HU . (i, m) ← AOSign,OOpen (gpk). If i ∈ / HU then return 0. µ ← Sign(ski , m). If Verify(gpk, m, µ) = 0 then return 1. If Open(Sreg, skM , µ, m) = (j, τ ) and j 6= i then return 1. If Judge(m, µ, τ, i) = 0 then return 1. Anonymity: Informally, anonymity requires that group signatures do not reveal the signer’s identity. In the selfless-anonymity game the adversary’s goal is to determine which of the two users generated the challenge signature. The difference with the full anonymity of [6] consists in not giving the adversary A access to either anon−b (λ) as follows: private key. As in [10] and [7] we define the selfless-anonymity experiment ExpA 1. 2. 3. 4. 5. 6. 7. 8. DU ← A(λ). HU ← {1..n} \ DU . (gpk, skcert , skM ) ← Keygen(λ). (ski , vki , σcert (i)) ← Join(gpk, skcert , skM ) for each user i ∈ HU . (m, i0 , i1 ) ← AOSign,OOpen,OJoinDM (gpk) with (i0 , i1 ∈ HU ). R µ ← Sign(skib , m) for b ← − {0, 1}. ∗ OSign,OOpen¬(m,µ),OJoinDM b ←A (gpk). Return b∗ . anon−b We define AdvA (λ) = |Pr[b = b∗ ]− 21 |. The group signature scheme is anonymous if for any probabilistic polynomial time adversary, this advantage is a negligible function of λ. In the full-anonymity experiment, we no longer require that i0 , i1 ∈ HU , we then say that the group signature scheme is fully-anonymous. Traceability: Traceability requires that no adversary is able to create a valid signature that cannot be traced to some user already registered. We define the traceability experiment as follows: 1. 2. 3. 4. DU ← {1..n}. (gpk, skcert , skM ) ← Keygen(λ). (m, µ) ← AOOpen,OJoinDM (gpk). If Verify(gpk, m, µ) = 1 and Open(Sreg, skM , µ, m) =⊥ then return 1. 6 5. Return 0. We define Advtrace (λ) = Pr[Exptrace (λ) = 1]. The group signature scheme is traceable if for any probaA A bilistic polynomial time adversary, this advantage is a negligible function of λ. Non-frameability: Informally, non-frameability requires that a cheating group manager cannot falsely accuse an honest user of having signed a given message m. We define the non-frameability experiment as follows: 1. 2. 3. 4. 5. 6. 7. 8. 9. DU ← A(λ). HU ← {1..n} \ DU . (gpk, skcert , skM ) ← Keygen(λ). (ski , vki , σcert (i)) ← Join(gpk, skcert , skM ) for each user i ∈ HU . (i, m, µ) ← AOSign,OJoinU D (skM , gpk). If i ∈ / HU or Verify(gpk, m, µ) = 0 then return 0. If m was queried to OSign then return 0. If Judge(m, µ, τ, i) = 0 then return 0. Return 1. nf We define Advnf A (λ) = Pr[ExpA (λ) = 1]. The group signature scheme is non-frameable if for any probabilistic polynomial time adversary, this advantage is a negligible function of λ. Remark: We can also define the strong non-frameability experiment in which the adversary’s goal is to accuse an honest user of having created a given signature µ (we replace the line 7 by: if µ was produced by OSign then returns 0). 4 4.1 A group signature without encryption Description The core of this group signature scheme is the combination of a re-randomizable signature scheme Σcert and the signature scheme Σ1 described in Figure 2. We assume that the system parameters are set up by a trusted party and that each user i has a key pair (uski , upki ) for a signature scheme Σ0 where upki is public and associated to i. At the end of the Keygen algorithm, the issuer receives skcert . When a new member joins the group, he creates a key pair (ski , vki ) for Σ1 , then gets a certificate σcert (i) on ski (using the protocol for obtaining signatures on committed values) and finally sends vki and a signature on it (using uski ) to the group manager who records it in his secret register Sreg. When making a group signature on a message m, the member will first re-randomize his certificate and generate a key pair (skots , vkots ) for a strong one-time signature. Then he will use his secret key ski to sign the concatenation of m, the certificate and vkots and give a non-interactive zero-knowledge proof of knowledge that the certificate is a valid signature on ski . To prevent an adversary from randomizing the signature or the non-interactive proof, the user will sign them with the strong one-time signature. We use the following notations to describe our group signature scheme: Notations: – λ is the security parameter. – G is a probabilistic polynomial time algorithm that, on input λ, generates (G1 , G2 , GT , e, g, ge) where g ∈ G1 and ge ∈ G2 . – KN I is a probabilistic polynomial time algorithm that, on input (G1 , G2 , GT , e, g, ge), generates a common reference string crs for the Groth-Sahai proof system. – reg is a public register. – Sreg is the secret register of the group manager. – gpk is the group public key. The algorithms defining our group signature scheme are described in figure 5. 7 Keygen(λ) gk ← G(λ) crs ← KN I (gk) (skcert , pkcert ) ← Σcert .keygen(gk) gpk ← (gk, pkcert , crs, reg) Verify(m, µ) If VN I (crs, µ, m, π) = 1 ∧ Σots .verify(vkots , σots , akπ) = 1 then return 1 Else return 0. Join(user: uski , issuer: skcert , group manager: Sreg) (ski , vki ) ← Σ1 .Keygen(gk) σcert (i) ← Σcert .comSign(skcert , Commit(ski ), π) σi ← Σ0 .sign(uski , vki ) Sreg[i]← (vki , σi ) reg[i] ← (i, upki ) Open(Sreg, m, µ) If Verify(m, µ) = 0 then return 0. Parse µ as (m, vkots , σots , σ1 , σcert , π) for vki in Sreg[i]: if Σ1 .Verify(vki , mkvkots kσcert , σ1 ) = 1 return i and a proof τ . with τ ← POK{(vki , σi ) : Σ1 .Verify(vki , mkvkots kσcert , σ1 ) = 1 ∧ Σ0 .Verify(upki , vki , σi ) = 1 }(m, µ, reg) Sign(ski , σcert (i), m) σcert (i) ← Σcert .sigRand(σcert (i)) (skots , vkots ) ← Σots .keygen (a, b, c) ← Σ1 .sign(ski , mkvkots kσcert (i)) π ← POK{(ski ) : (a, b, c) = Σ1 .sign(ski , mkvkots kσcert (i)) ∧ σcert (i) = Σcert .sign(skcert , ski ) }(m, (a, b, c), σcert (i)) σots ← Σots .sign(skots , akπ) µ ← (m, vkots , σots , (a, b, c), σcert (i), π) Judge(m, µ, τ, i) If VN IZK (crs, m, µ, τ, i) = 1 return 1. Else return 0. Fig. 5. Group signature scheme 1 4.2 Security proofs Theorem 1. If Σcert is a EUF-CMA secure signature scheme and (P, V ) is a sound zero-knowledge proof system, then the group signature is fully traceable. Theorem 2. If Σ0 and Σ1 are EUF-CMA secure signature schemes, Σots is a strong one-time signature scheme and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is strongly non-frameable. Theorem 3. If Σ0 and Σ1 are EUF-CMA secure signature schemes, Σots is a strong one-time signature and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is anonymous under the SXDH assumption. The proofs are provided in appendix B. 4.3 A concrete realization We instantiate this system with the Λsxdh setting which refers to the case of asymmetric pairings for which the DDH assumption holds in both G1 and G2 . We use the CL signature scheme described in Fig. 3 for Σcert , the weakly secure Boneh-Boyen signature scheme described in Fig. 8 for Σots and the structure-preserving signature described in Fig. 9 for Σ0 . We use the following notations to describe the proofs of knowledge: Notations: – – – – (ski , pki ) ← ((αi , βi ), (e g αi , geβi )) (skcert , pkcert ) ← ((u, v, z1 , z2 ), (U, V, Z1 , Z2 )) e 1 , X2 , X e2 )) (skM , pkM ) ← ((x1 , x e1 , x2 , x e2 ), (X1 , X σ1 ← (a1 , b1 , c1 ); σcert ← (a, A1 , A2 , b, B1 , B2 , c) 8 – η ← mkvkots kσcert A group signature, (vkots , σots , (a, b, c), σcert (i)) involves 13 group elements, and a proof π of the following equations (the variables are underlined): e(a1 , ge)βi = e(b1 , ge) (e(a1 , ge).e(b1 , ge)η )αi = e(c1 , ge) (1) (2) l e(c, ge) = e(a, U ).e(b, U ) .e(B1 , U ) αi .e(B2 , U ) βi (3) where η is mkvkots kσcert and l is the randomness used by user i in the join stage to obtain signature on the committed values αi and βi . These equations involve 3 variables (αi , βi , l) and thus increase the size of the proof by 6 group elements. Equations (1) and (2) proves that (a1 , b1 , c1 ) is a valid Camenisch-Lysyanskaya signature from user i on η. These two equations cost 1 group element each. Equation (3) proves that the certificate is a valid signature on αi and βi and costs 1 group element. The total size of the proof is then 9 group elements. The total size of the group signature is thus 22 group elements, which amounts to 700 Bytes if we consider an implementation using 256-bit groups sizes. Using naive computations, equation (1) needs for the verification 18 pairings, equation (2), 19 pairings and equation (3), 25 pairings. Checking the consistency of the certificate and of the one-time signature adds 11 pairings. The total cost of the Verify algorithm is then 73 pairings. Remark: We can further reduce the size of the group signature if the group manager and the certificate issuer are the same entity. Indeed, in the Join protocol we no longer need to use the hiding randomness l which decreases both the size of the certificate and the size of the proof by two elements. The size of the group signature is then 18 group elements. 5 5.1 A group signature without encryption and without trusted parties Description The main drawbacks of the previous scheme lie in requiring a trusted party to set up the system parameters, and having the cost of the algorithm Open linear in the number of users. To solve these two problems, users will now certify their verification keys (instead of their siging keys), allowing thus the group manager to set up the system parameters and to use the extraction keys ek of the Groth-Sahai proofs to extract the identity behind a group signature. This construction is similar to the previous scheme except that we require a different signature scheme for Σcert . We now assume that any digital signature σ, generated using Σcert on an arbitrary message m can be efficiently transformed in a reversible way to a pair (r, s) where r (r may be the empty string) is information theoretically independent from m, i.e. there exists an algorithm Simulate that inputs Σcert .sk and a message from the message space and outputs a string indistinguishable from r. We require further the partial randomizability property for Σcert , i.e. Σcert admits two algorithms SigPrand0 and SigPrand1 , defined as follows: For each signature σ → (r, s) on a message m: – (r′ , state) ← SigPrand0 (r) – s′ ← SigPrand1 (s, state) where r′ is unlinkable to r and σ ′ ← (r′ , s′ ) is a valid signature on m. We use the same notations as in the previous scheme to define in figure 6 the algorithms of our second group signature scheme. XN I will be the extraction algorithm for the non-interactive Groth-Sahai proofs. 9 Keygen(λ) gk ← G(λ) (crs, ek) ← KN I (gk) (skcert , pkcert ) ← Σcert .keygen(gk) gpk ← (gk, pkcert , crs, reg) Verify(m, µ) If VN I (crs, µ, m, π) = 1 ∧ Σots .verify(vkots , σots , akπ) = 1 then return 1 Else return 0. Join(user: uski , issuer: skcert , group manager: Sreg) Open(Sreg, ek, m, µ) (ski , vki ) ← Σ1 .Keygen(gk) vki ← XN I (crs, µ) σcert (i) ← Σcert .sign(skcert , vki ) If vki is registered in Sreg σi ← Σ0 .sign(uski , vki ) return i and τ Sreg[i]← (vki , σi ) Else return ⊥ reg[i] ← (i, upki ) with τ ← POK{(vki , σi ) : Σ1 .Verify(vki , mkvkots kr′ , σ1 ) = 1 ∧ Sign(ski , σcert (i), m) Σ0 .Verify(upki , vki , σi ) = 1 (r, s) ← σcert (i) }(m, µ, reg) (r′ , state) ← SigPrand0 (r) s′ ← SigPrand1 (s, state) Judge(m, µ, τ, i) (skots , vkots ) ← Σots .keygen(λ) If VN IZK (crs, m, µ, τ, i) = 1 (a, b, c) ← Σ1 .sign(ski , mkvkots kr′ ) return 1. π ← POK{(vki , s′ ) : Else return 0. (a, b, c) = Σ1 .sign(ski , mkvkots kr′ ) ∧ (r′ , s′ ) = Σcert .sign(skcert , vki ) }(m, (a, b, c), r′ ) σots ← Σots .sign(skots , akπ) µ ← (m, vkots , σots , (a, b, c), r′ , π) Fig. 6. Group signature scheme 2 5.2 Security proofs Theorem 4. If Σcert is a EUF-CMA secure signature scheme and (P, V ) is a sound zero-knowledge proof system, then the group signature is fully traceable. Theorem 5. If Σ0 and Σ1 are EUF-CMA secure signature schemes, Σots is a strong one-time signature scheme and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is strongly non-frameable. Theorem 6. If Σ0 and Σ1 are EUF-CMA secure signature schemes, Σots is a strong one time signature and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is anonymous under the SXDH assumption. The proofs are provided in appendix C. 5.3 A concrete realization We use the Λsxdh setting and the structure-preserving signature scheme described in Fig. 9 for Σcert . We further use the weakly secure Boneh-Boyen signature scheme described in Fig 8 for Σots . e Ye ) ← (e Using the same notations as in section 4 (with (X, g αi , geβi )) and [1], π is a proof of the following equations: e(a1 , Y ) = e(b1 , ge) ′ ′ ′ e(a1 , X).e(b1 , X)η = e(c1 , ge) ′ e(gz , z )e(gr , r )e(s , t )e(g1 , X)e(g2 , Y ) = A e(hz , z ′ )e(hu , u′ )e(v ′ , w′ )e(h1 , X)e(h2 , Y ) = B 10 (1) (2) (3) (4) where σcert ← (z ′ , r′ , s′ , t′ , u′ , v ′ , w′ ) and η is mkvkots k(s′ , t′ , v ′ , w′ ). The authors of [1] proved that (s′ , t′ , v ′ , w′ ) are information theoretically independant of the signature element z ′ and (X, Y ). These equations involve then 5 variables (X, Y, z ′ , r′ , u′ ) and thus increase the size of the proof by 10 group elements. Equations (1) and (2) prove that (a1 , b1 , c1 ) is a valid Camenisch-Lysyanskaya signature from user i on η. These two equations costs 2 group elements each. Equation (3) and (4) prove that the certificate is a valid signature on X and Y and cost 2 group elements each. The total size of the proof is then 18 group elements. A group signature, (vkots , σots , (a, b, c), (s′ , t′ , v ′ , w′ )) involves 10 group elements, the total size is thus 28 group elements, which amounts to 900 Bytes if we consider an implementation using 256-bit groups size. Using naive computations, equation (1) involves 22 pairings, equation (2), 27 pairings and equation (3) and (4), 37 pairings each. Verifying the one-time signature adds 1 pairing. The total cost of the Verify algorithm is then 124 pairings. 6 6.1 A generic construction with encryption Description It is possible, using a tag-based encryption scheme Γ , to modify the first group signature scheme to construct a generic scheme. This modification increases the size of the group signature but the new scheme reaches the full anonymity. We now assume that Σ1 is an EUF-CMA secure digital signature scheme. The difference with the first scheme is that the signature produced by Σ1 is now encrypted, using Γ , under the tag vkots . The group manager owns the encryption secret key and is then able to decrypt the ciphertext and proceeds as in the Open algorithm of the first scheme. We assume that any digital signature σ, generated using Σ1 on an arbitrary message m can be efficiently transformed in a reversible way to a pair (s, r) where r (r may be the empty string) reveals no information about Σ1 .vk, i.e. there exists an algorithm that inputs a key from the key space and outputs a string indistinguishable from r. This technical detail will improve the efficiency of the construction as it will not necessitate encrypting the entire signature σ. The algorithms defining this new group signature are described in Figure 7. 6.2 Security proofs Theorem 7. If Γ is an IND-st-wCCA secure tag-based encryption scheme, Σots is a strong one-time signature scheme and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is fully anonymous. Theorem 8. If Σcert is a EUF-CMA secure signature scheme and (P, V ) is a sound zero-knowledge proof system, then the group signature is fully traceable. Theorem 9. If Σ0 and Σ1 are EUF-CMA secure signature schemes, Σots is a strong one-time signature and (P, V ) is a sound, zero-knowledge proof system, then the group signature scheme is strongly non-frameable. The proofs are provided in appendix D. 6.3 A concrete realization We instantiate the construction with the following bricks: 1. The tag-based encryption scheme described in Figure 10 with G = G1 . 2. The signature scheme described in Figure 2 for Σ1 and the signature scheme described in Figure 3 for Σcert . 11 Keygen(λ) gk ← G(λ) crs ← KN I (gk) (skcert , pkcert ) ← Σcert .keygen(gk) (skM , pkM ) ← Γ.keygen(λ) gpk ← (gk, pkcert , pkM , crs, reg) Verify(m, µ) If VN I (crs, µ, m, π) = 1 ∧ Σots .verify(vkots , σots , Ckπ) = 1 then return 1 Else return 0. Join(user: uski , issuer: skcert , group manager: Sreg) (ski , vki ) ← Σ1 .Keygen(gk) σcert (i) ← Σcert .comSign(skcert , Commit(ski ), π) σi ← Σ0 .sign(uski, vki ) Sreg[i]← (vki , σi ) reg[i] ← (i, upki ) Sign(ski , σcert (i), m) σcert (i) ← Σcert .sigRand(σcert (i)) (skots , vkots ) ← Σots .keygen(λ) σ1 ← Σ1 .sign(ski , mkvkots kσcert (i)) (r, s) ← σ1 C ← Γ.encryptpkM (vkots , s) π ← POK{(ski , s, l) : σ1 ← (r, s) σ1 = Σ1 .sign(ski , mkvkots kσcert (i)) ∧ σcert (i) = Σcert .sign(skcert , (l, ski )) }(m, r, C, σcert (i)) σots ← Σots .sign(skots , Ckrkπ) µ ← (m, vkots , σots , r, C, σcert (i), π) Open(Sreg, skM , m, µ) If Verify(m, µ) = 0 then return 0. s ← Γ.decryptskM (vkots , C) σ1 ← (r, s) for vki in Sreg[i]: if Σ1 .Verify(vki , mkvkots kσcert , σ1 ) = 1 return i and a proof τ . with τ ← POK{(vki , σi , σ1 ) : Σ1 .Verify(vki , mkvkots kσcert , σ1 ) = 1 ∧ Σ0 .Verify(upki , vki , σi ) = 1 }(m, µ, reg) Judge(m, µ, τ, i) If VN IZK (crs, m, µ, τ, i) = 1 return 1. Else return 0. Fig. 7. Group signature scheme 3 3. The structure-preserving signature scheme described in Fig. 9 for Σ0 . 4. We use the weakly-secure Boneh-Boyen signature scheme descibed in Fig. 8 for Σots . In a group signature µ, (vkots , σots , r, C, σcert ) involve 16 group elements and π is a proof for the following equations (we use the notations of section 4 and C ← (C1 , C2 , C3 , C4 )): e1 )k , (X vkots X e 2 )k ) (C1 , C2 , C3 ) = (g k , (X1vkots X 2 η αi (e(a1 , ge).e(b1 , ge) ) e(a1 , ge) βi = e(C4 , ge) = e(b1 , ge) (1) .e(X1−1 , ge)k l e(c1 , ge) = e(a, U ).e(b, U ) .e(B1 , U ) (2) (3) αi .e(B2 , U ) βi (4) where l is the randomness used by user i in the join stage to obtain signature on the committed value αi and βi . These equations involve 4 variables (αi , βi , l, k) and thus increase the size of the proof by 8 group elements. Equations (1), (2) and (3) prove that r and the value encrypted in C is a valid Camenisch-Lysyanskaya signature from user i on η. Equation (1) comprises three sub-equations which cost 1 group element each (linear equation). Equations (2) and (3) cost 1 group element each. Equation (5) proves that the certificate is a valid signature on αi and βi and costs 1 group element. The total size of the proof is then 14 group elements. The size of the group signature is thus 30 group elements, which amounts to 1 kB if we consider an implementation using 256-bit groups size, which is more compact that the realization in [19] where the total size of the group signature is 50 elements. We use naive the computation [8] for the proof verification. Equation (1) involves three sub-equations requiring 16 pairing each. Equation (2) involves 4 pairings + 18 pairings for the proof verification. Equation (3) 12 requires 2 + 16 = 18 pairings and equation (4), 25 pairings. The verification cost for these equations is then 81 pairings but the Verify algorithm requires 11 more pairings (to check the consistency of the certificate and the one-time signature). The total cost of the Verify algorithm is then 92 pairings. References 1. Masayuki Abe, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. Structure-preserving signatures and commitments to group elements. In Tal Rabin, editor, CRYPTO, volume 6223 of Lecture Notes in Computer Science, pages 209–236. Springer, 2010. 2. Laila El Aimani and Marc Joye. Toward practical group encryption. Cryptology ePrint Archive, Report 2012/155, 2012. 3. Giuseppe Ateniese, Jan Camenisch, Susan Hohenberger, and Breno de Medeiros. Practical group signatures without random oracles. IACR Cryptology ePrint Archive, 2005:385, 2005. 4. Mihir Bellare, Alexandra Boldyreva, and Adriana Palacio. An uninstantiable random-oracle-model scheme for a hybrid-encryption problem. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 171–188. Springer, 2004. 5. Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Eli Biham, editor, EUROCRYPT, volume 2656 of Lecture Notes in Computer Science, pages 614–629. Springer, 2003. 6. Mihir Bellare, Haixia Shi, and Chong Zhang. Foundations of group signatures: The case of dynamic groups. In Alfred Menezes, editor, CT-RSA, volume 3376 of Lecture Notes in Computer Science, pages 136–153. Springer, 2005. 7. Patrik Bichsel, Jan Camenisch, Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. Get shorty via group signatures without encryption. In Juan A. Garay and Roberto De Prisco, editors, SCN, volume 6280 of Lecture Notes in Computer Science, pages 381–398. Springer, 2010. 8. Olivier Blazy, Georg Fuchsbauer, Malika Izabachène, Amandine Jambert, Hervé Sibert, and Damien Vergnaud. Batch groth-sahai. In Jianying Zhou and Moti Yung, editors, ACNS, volume 6123 of Lecture Notes in Computer Science, pages 218–235, 2010. 9. Dan Boneh and Xavier Boyen. Short signatures without random oracles and the sdh assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008. 10. Dan Boneh and Hovav Shacham. Group signatures with verifier-local revocation. In Vijayalakshmi Atluri, Birgit Pfitzmann, and Patrick Drew McDaniel, editors, ACM Conference on Computer and Communications Security, pages 168–177. ACM, 2004. 11. Xavier Boyen and Brent Waters. Compact group signatures without random oracles. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of Lecture Notes in Computer Science, pages 427–444. Springer, 2006. 12. Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Tatsuaki Okamoto and Xiaoyun Wang, editors, Public Key Cryptography, volume 4450 of Lecture Notes in Computer Science, pages 1–15. Springer, 2007. 13. Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In Matthew K. Franklin, editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 56–72. Springer, 2004. 14. Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodology, revisited (preliminary version). In Jeffrey Scott Vitter, editor, STOC, pages 209–218. ACM, 1998. 15. David Cash, Eike Kiltz, and Victor Shoup. The twin diffie-hellman problem and applications. In Smart [23], pages 127–145. 16. David Chaum. Some weaknesses of ”weaknesses of undeniable signatures”. In Donald W. Davies, editor, EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages 554–556. Springer, 1991. 17. Cécile Delerablée and David Pointcheval. Dynamic fully anonymous short group signatures. In Phong Q. Nguyen, editor, VIETCRYPT, volume 4341 of Lecture Notes in Computer Science, pages 193–210. Springer, 2006. 18. Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosenmessage attacks. SIAM J. Comput., 17(2):281–308, 1988. 19. Jens Groth. Fully anonymous group signatures without random oracles. In Kaoru Kurosawa, editor, ASIACRYPT, volume 4833 of Lecture Notes in Computer Science, pages 164–180. Springer, 2007. 20. Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In Smart [23], pages 415–432. 21. Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf. Pseudonym systems. In Howard M. Heys and Carlisle M. Adams, editors, Proceedings of the Sixth Annual International Workshop on Selected Areas in Cryptography 1999, volume 1758 of Lecture Notes in Computer Science, pages 184–199. Springer. 13 22. Victor Shoup and Rosario Gennaro. Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptology, 15(2):75–96, 2002. 23. Nigel P. Smart, editor. Advances in Cryptology - EUROCRYPT 2008, 27th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Istanbul, Turkey, April 13-17, 2008. Proceedings, volume 4965 of Lecture Notes in Computer Science. Springer, 2008. A A.1 Building Blocks Digital signature schemes A digital signature scheme Σ comprises three algorithms, namely the key generation algorithm keygen, the signing algorithm sign, and the verification algorithm verify. The standard security notion for a signature scheme is existential unforgeability under chosen message attacks (EUF-CMA), which was introduced in [18]. Informally, this notion refers to the hardness of, given a signing oracle, producing a valid pair of message and corresponding signature such that message has not been queried to the signing oracle. There exists also a stronger notion, SEUF-CMA (strong existential unforgeability under chosen message attack), which allows the adversary to produce a forgery on a previously queried message, however the corresponding signature must not be obtained from the signing oracle. A.2 Boneh-Boyen’s weakly secure signature scheme We recall in Fig. 8 the Boneh-Boyen’s weakly secure signature scheme [9], proven secure under the q-SDH (Strong Diffie-Hellman) assumption: The q-SDH assumption: Let G1 and G2 be two cyclic groups of prime order q, respectively generated by g1 and g2 . The q-SDH problem is stated as follows: 2 q Given as input a (q + 3)-tuple of elements (g1 , g1x , g1x , ..., g1x , g2 , g2x ) ∈ Gq+1 × G22 , 1 1 x+c output a pair (c, g1 ) ∈ Zq × G1 for a freely chosen value c ∈ Zq \ {−x}. We say that the (q, ǫ)-SDH assumption holds in (G1 , G2 ) if no polynomial-time algorithm solves the q-SDH problem with probability greater than ǫ. [Key generation] Select random generators g1 ∈ G1 and g2 ∈ G2 . R Choose x ← − Zq then compute v ← g2x and z ←∈ e(g1 , g2 ). set pk ← {g1 , g2 , v, z} and sk ← {x}. 1 [Signature on m] Return σ ← g x+m [Verification] Given pk, m and σ, check if the following verification equation holds: e(σ, v.g2m ) = z. If the equality holds, or if σ = 1 and v.g2m = 1, return 1. Fig. 8. Boneh-Boyen weakly secure signature scheme A.3 Structure preserving signature We recall in Fig. 9 the digital signature scheme proposed by Abe et al [1], allowing to sign messages of n group elements. The scheme was proved EUF-CMA secure under the q-SFP (Simultaneous Flexible Pairing) assumption: The q-SFP assumption: Let gz , hz , gr and hu be random generators of G1 . Let (a, e a), (b, eb) be random pairs in G1 × G2 . For j = 1, .., q, let Rj = (z, r, s, tu, v, w) that satisfies: 14 e(a, e a) = e(gz , z)e(gr , r)e(s, t) and e(b, eb) = e(hz , z)e(hu , u)e(v, w) Given gz , hz , gr , hu , (a, e a), (b, eb) and R1 , ..., Rq it is hard to find (z ∗ , r∗ , s∗ , t∗ , u∗ , v ∗ , w∗ ) that fulfill the previous relations under the restriction that z ∗ 6= 1 and z ∗ 6= z ∈ Rj for 1 ≤ j ≤ q. R [Key generation] R g, gr , gu ← − G1 and ge ← − G2 . R γi , δ i ← − Zq and gi ← grγi , hi ← hδui for i = 1, .., k. R γz , δ z ← − Zq and gz ← grγz , hz ← hδuz . R α, β ← − Zq and A ← e(gr , geα ), B ← e(hu , geβ ) pk ← (gz , hz , gr , hu , {gi , hi }ki=1 , A, B) sk ← (α, β, γz , δz , {γi , δi }ki=1 ). R [Signature on (m1 , ..., mk )] ζ, ρ, τ, φ, ω ← − Zq . Q i z ← geζ , r ← geα−ρτ −γz ζ ki=1 m−γ , s ← grρ , t ← geτ i Q −δi k β−φω−δz ζ φ u ← ge , v ← hu , w ← geω i=1 mi Return σ ← (z, r, s, t, u, v, w) [Verification] Check if the following verification equations hold: Q A = e(gz , z)e(gr , r)e(s, t) ki=1 e(gi , mi ). Q B = e(hz , z)e(hu , u)e(v, w) ki=1 e(hi , mi ). Fig. 9. Structure preserving signature A.4 Strong one-time signatures Strong one-time digital signature schemes can be used to sign, at most, one message; otherwise, signatures can be forged. A new public key is required for each message that is signed. They are, similarly to normal digital signatures, defined by the key generation algorithm, the signing algorithm, and the verification algorithm. We say the one-time signature is strong, if the adversary can neither forge a signature on different message nor create a different signature on the message already signed. A.5 Tag-based encryption (TBE) Tag-based encryption, also referred to as encryption with labels, was first introduced in [22]. In these schemes, the encryption algorithm takes as input, in addition to the public key pk and the message m intended to be encrypted, a tag t which specifies information related to the message m and its encryption context. Similarly, the decryption algorithm takes additionally to the ciphertext and the private key the tag under which the ciphertext was created. Security notions are then defined as usual except that the adversary specifies to his challenger the tag to be used in the challenge ciphertext, and in case he (the adversary) is allowed to query oracles, then he cannot query them on the pair formed by the challenge ciphertext and the tag used to form it. There are also weakened security models for this type of encryption where the adversary specifies the challenge tag before getting the parameters of the scheme, and during the game, he (the adversary) is not allowed to query the allowed oracles w.r.t. the challenge tag; we talk in this case about selective tag security. We specify in the following the formal definition of IND-st-wCCA security for tag-based encryption: Let Γ be a tag-based encryption scheme scheme. Let further A denote a probabilistic polynomial time algorithm. We write Adecrypt(sk ,.) to denote that A has access to oracle decrypt(sk , .). When a query q is ¬q IND−st−wCCA (λ) : not allowed, we use the symbol ¬: Adecrypt (sk ,.) . We define the experiment ExpA 1. param ← setup(λ); 2. t ← A(param); 3. (sk , pk ) ← Γ.keygen(param, λ); 15 ¬(−,t) (sk ,.) 4. (m0 , m1 ) ← Adecrypt (pk ); R 5. b ← − {0, 1}; eb ← Γ.encryptpk (mb , t); ¬(−,t) (sk ,.) 6. b⋆ ← Adecrypt (eb ); 7. If b = b⋆ return 1 else 0. h i ind-st-wCCA We define A’s advantage as Advind-st-wCCA (λ) = Pr Exp (λ) = 1 − Γ,A Γ,A 1 2 . 2 Given (t, qd ) ∈ N and ε ∈ [0, 1], A is called a (t, ε, qd )-ind-st-wCCA adversary against Γ if, running in time ind−st−wCCA t and issuing qd decryption queries, A has AdvΓ,A (λ) ≥ ε. The scheme Γ is said to be (t, ε, qd )-indst-wCCA secure if no (t, ε, qd )-ind-st-wCCA adversary against it exists. The Twin Diffie-Hellman problem was introduced in [15] as a slight modification to the original DiffieHellman (DH) problem which is as hard as the ordinary DH problem, even given access to a corresponding decision oracle. It is defined as follows. Let G be a prime-order cyclic group generated by some g. Let dh further denotes the Diffie-Hellman function (it inputs (X, Y ) ∈ G 2 and returns Z such that (g, X, Y, Z) is Diffie-Hellman quadruple). The Twin DH function is defined as follows: 2dh : G3 → G2 (X1 , X2 , Y ) → (dh(X1 , Y ), dh(X2 , Y )) Cash et al. define further a corresponding twin DH predicate: ? 2dhp(X1 , X2 , Ŷ , Ẑ1 , Ẑ2 ) := 2dh(X1 , X2 , Ŷ ) = (Ẑ1 , Ẑ2 ). Finally the Strong Twin Diffie-Hellman assumption states that distinguishing the two distributions (X1 , X2 , Y, dh(X1 , Y )) and (X1 , X2 , Y, Z) for random X1 , X2 , Y, Z ∈ G is hard even in the presence of a decision oracle for the predicate 2dhp(X1 , X2 , −, −, −) which on input (Ŷ , Ẑ1 , Ẑ2 )) returns 2dhp(X1 , X2 , Ŷ , Ẑ1 , Ẑ2 ). Theorem 10. The DDH assumption holds if and only if the Strong Twin DDH assumptions holds. Proof. The proof is given in [15]. [Setup] Choose a group (G, ·) generated by g with prime order d. R ei ← g xei for i = 1, 2 [Key generation] Choose x1 , x e1 , x2 , x e2 ← − Zd then compute Xi ← g xi and X ei }i=1,2 and sk ← {xi , x set pk ← {Xi , X ei }i=1,2 . [Encryption] For a message m ∈ G and a tag t ∈ Zd : R [Decryption] choose r ← − Zd , e1 )r , c3 ← (X2t X e2 )r , and c4 = mX1r , compute c1 ← g r , c2 ← (X1t X set the ciphertext to (c1 , c2 , c3 , c4 ). Given a ciphertext c = (c1 , c2 , c3 , c4 ) and a tag t: x1 x2 1 +e 2 +e check that c2 = ctx and that c3 = ctx 1 1 if it is not the case, return ⊥, otherwise: 1 compute the plaintext as m ← c4 c−x . 1 Fig. 10. TBE variant of the Modified Cramer-Shoup [15] Theorem 11. The encryption scheme in Figure 10 is IND-st-wCCA secure under the Strong Twin DiffieHellman assumption. Proof. The proof is given in [2]. 16 A.6 Non-interactive proofs of knowledge Let R be an efficiently computable ternary relation. Given some gk we let L be the language consisting of statements x that have a witness w so (gk, x, w) ∈ R. As in [20], such a system is modeled by four probabilistic polynomial time algorithms: a setup algorithm GN I , a common reference string (crs) generation algorithm KN I , a prover PN I and a verifier VN I . The setup outputs a setup (gk, ek) (ek, the trapdoor, may be the empty string) that KN I takes as input to produce the common reference string crs. The prover PN I takes as input (gk, crs, x, w) and produces a proof π. The verifier takes as inputs (gk, crs, x, π) and outputs 1 if the proof is valid and 0 if rejecting the proof. In the following, we use the notation P OK{(w) : (gk, x, w) ∈ R}(gk, crs, x) for PN I (gk, crs, x, w). A non-interactive proof should satisfy completeness which denotes that an honest prover is able to convince an honest verifier whenever the statement belongs to the language and the prover holds a witness testifying to this fact. A further required property is soundness which captures the inability of a cheating prover P to convince the verifier V with an invalid statement. Informally, a zero-knowledge proof is a proof that shows the statement is true without revealing anything else. This is defined by having a simulator (S1 , S2 ) whose first part, S1 , outputs a simulated crs and a simulation trapdoor t and whose second part, S2 , simulates, using t, proofs for statements without knowing the corresponding witnesses. Real proofs on a real crs have to be computationally indistinguishable from simulated proofs on a simulated crs. The Groth-Sahai (GS) proof system [20] gives efficient non-interactive zero knowledge (NIZK) and noninteractive witness-indistinguishable (NIWI) proofs for algebraic statements involving elements in groups equipped with a bilinear map e : G1 × G2 ← GT (we assume that ), e.g. A pairing-product equation over variables X1 , . . . , Xm ∈ G1 and Y1 , . . . , Yn ∈ G2 n Y e(Ai , Yi ) · m Y e(Xi , Bi ) · e(Xi , Yi )γi,j = tT , i=1 j=1 i=1 i=1 n m Y Y for constants A1 , . . . , An ∈ G1 , B1 , . . . , Bm ) ∈ G1 , and Γ = (γi,j ) 1 ≤ i ≤ m ∈ Zdm×n , and tT ∈ GT . 1≤j≤n A multi-scalar multiplication over variables y1 , . . . , ym ∈ Zd and X1 , . . . , Xm ∈ G1 n Y Ayi i · i=1 m Y i=1 Xibi · n m Y Y y γi,j Xj i = T, i=1 j=1 for constants A1 , . . . , An ∈ G1 , b1 , . . . , bm ∈ Zd , Γ ∈ Zdm×n , and T ∈ G1 . A multi-scalar multiplication equation over variables in G2 is defined analogously. A quadratic equation over variables x1 , . . . , xm and y1 , . . . , yn in Zd n X i=1 a i yi + m X x i bi + n m X X γi,j xi yj = t, i=1 j=1 i=1 For constants a1 , . . . , an and b1 , . . . , bm in Zd , constant matrix Γ ∈ Zdm×n , and t ∈ Zd . The principle of the GS proof system consists in using the setup parameters and the common reference string (CRS) to commit to the witness components, then generate proof elements that these values committed to satisfy the equations underlying the statement to be proved. Note that proofs for pairing-product equations are only (WI) when tT ∈ GT has no particular structure. They can be however transformed into ZK proofs (at the expense of an additional cost) if tT is equal to 1GT or its representation as a pairing product equation is known. The GS proof system could be instantiated under different (mild) assumptions, in particular the Λsxdh setting which refers to the case of asymmetric pairings for which the DDH assumptions holds in both G1 and G2 . 17 Variables x ∈ Zd , X ∈ G1 Variables y ∈ Zd , Y ∈ G2 Pairing product equations Q - Linear equations: Qn i=1 e(Ai , Yi ) = tT - Linear equations: n i=1 e(Xi , Bi ) = tT Multi-scalar multiplication equations in G1 Q - Linear equations: n Ayi i = T1 i=1 Q bi - Linear equations: n i=1 Xi = T1 Multi-scalar multiplication equations in G2 Q ai - Linear equations: Qn Y = T2 i=1 i xi - Linear equations: n B i = T2 i=1 Quadratic equationsPin Zd - Linear equations: Pn i=1 ai yi = t - Linear equations: m i=1 xi bi = t G1 2 0 4 2 0 2 1 0 4 0 0 2 0 0 G2 0 2 4 0 2 4 0 0 2 0 1 2 0 0 Zd 0 0 0 0 0 0 0 2 0 2 0 0 1 1 Fig. 11. Cost of each variable and equation in terms of group elements from G1 , G2 , and Zd Pairing product equations Multi-scalar multiplication equations in G1 Multi-scalar multiplication equations in G2 Quadratic equations in Zd Naive computation Batch computation 5m + 3n + 16 m + 2n + 8 8m + 2n + 14 min(2n + 9, 2m + n + 7) 8n + 2m + 14 min(2m + 9, 2n + m + 7) 8m + 8n + 12 2 min(m, n) + 8 Fig. 12. Number of pairings per proof verification (m and n refer to the number of different types of involved variables - see [8]) B B.1 Security proofs of section 4 Proof of theorem 1 Proof. Let A be an adversary against the traceability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σcert . [keygen] R runs the Keygen algorithm as usual, except that she does not run Σcert .keygen and gets the issuer public key pkcert from her EUF-CMA challenger. [opening queries] R proceeds as the standard algorithm. [joining queries] When R receives a joining query, she uses her signing oracle to produce the user’s certificate. Then, she proceeds as the standard algorithm to simulate the interaction between the group manager and the new user. [Final output] A returns an untraceable group signature µ on a message m, which contains a certificate σcert on sk, the secret key used to sign with Σ1 , such that sk 6= ski for all registered user i (else, the group signature is traceable). Using the assumption that (P, V ) is a sound proof system, A has to forge a new certificate on sk, and R will run the extractor on the NIZK proof π to get sk and returns the pair (sk, σcert ) to her challenger. R EUF-CMA breaks the digital signature scheme Σcert with advantage ǫ. B.2 Proof of theorem 2 Proof. Let A be an adversary against the non-frameability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σ1 . [keygen] R runs the Keygen algorithm as usual, except that she computes a simulated common reference string crs. R chooses at random i ∈ HU and computes (upkj , uskj ) ← Σ0 .keygen for j ∈ HU . 18 [joining queries] R has to simulate the user part of the join protocol with the group manager (simulated by A). If j 6= i, R generates a key pair (pkj , skj ) ← Σ1 .keygen and proceeds as in the standard algorithm. If j = i then R gets the verification key from her challenger and uses the simulated common reference string to produce the proofs of knowledge. [signing queries] R proceeds as the standard algorithm if j 6= i, else, she uses her signing oracle to produce a signature and uses the simulated common reference string to produce the proofs of knowledge. [Final output] A returns a group signature µ = (σots , vkots , σ1 , σcert , π) on a message m and an identity j. If j 6= i, then R aborts the experiment. Otherwise we proceed as follows We first assume that σ1 is a valid signature w.r.t vkib . We distinguish the following two cases: 1. OSign oracle was already requested on (i, m), returning µ∗ . Then there are two possibilities: – vk ots or σcert are different from those in µ∗ , which implies that A successfully forge a new signature σ1 . Then, R forwards (mkvk ots kσcert , σ1 ) to her challenger. – σ1 or π are different from those in µ∗ , then σ1 or π have been re-randomized and A has to forge a new one-time signature Σots . Then A can be turned in an attacker against the security of Σots . 2. There were no oracle request on (i, m), then σ1 is a forged signature on mkvk ots kσcert . If σ1 is not a valid signature w.r.t vkib then A has produced a signature σ1 on mkvkots kt and a verification key vk such that Σ1 .Verify(vk, mkvkots kt, σ1 ) = 1 and wants to prove in the Judge algorithm that vk is the verification key for user i. Then he has to prove knowledge of a signature σ0,i on vk such that Σ0 .Verify(upki , vk, σ0,i ) = 1. Because of the soundness of the proof, it means that the adversary has produced a forgery on Σ0 and then, can be turned in an attacker against the EUF-CMA security of Σ0 . Let m be the number of honest users, R is able to break the EUF-CMA security of Σ1 with advantage A’s advantage ǫ is then negligible. 1 m ǫ. B.3 Proof of theorem 3 Proof. Let A be an adversary against the anonymity with advantage ǫ, we construct R a reduction using A against the DDH problem in G1 . R gets the DDH challenge (g, g x , g y , g z ) from her challenger and has to decide whether z = xy or random. [keygen] R runs K.keygen algorithm as usual and generates a pair (αi , βi ) , for each honest user i. In the experiment R will act as if ski = (αi , yβi ), then has to generate a certificate σcert (i) on it. Let (u, v, z1 , z2 ) be the secret certificate key, R proceeds as follows: i (a, A1 , A2 , b, B1 , B2 , c) ← (g ρ , g ρz1 , g ρz2 , g v , g ρvz1 , g ρvz2 , au+uvr Auvα (g y )ρz2 uvβi ) 1 which is a valid signature on (αi , yβi ) (for random ρ and r). [joining queries] R proceeds as the standard algorithm. [signing queries] Receiving a request OSign(i, m) from A, R proceeds as follows: 1. 2. 3. 4. 5. 6. 7. (skots , vkots ) ← Σots .keygen σ ← Σcert .sigRand(σcert (i)) η ← mkvkots kσ y ραi βi η ) (a, b, c) ← (g ρ , (g y )ρβi , aα i (g ) R simulates the proof π. σots ← Σots .sign(skots , akπ) µ ← (vkots , σots , (a, b, c), σ, π) for a random ρ. The produced signature (a, b, c) is valid and R records (i, m, µ) then returns it to A. [open queries] R distinguishes two cases: – If the signature originates from a dishonest user, R proceeds as the standard algorithm. – In case the signature was created on the behalf of an honest user then, because of the non-frameability property of our scheme, the signature is a previous output of the OSign oracle. R looks in her record and outputs the corresponding identity i with a simulated proof π ′ . 19 [Challenge] A sends m, i0 , i1 to R who computes b ← {0, 1}. To produce a signature on behalf of user ib , R proceeds as follows: 1. 2. 3. 4. 5. 6. (skots , vkots ) ← Σots .keygen σ ← Σcert .sigRand(σcert (ib )) (a, b, c) ← (g x , (g z )βib , aαib (g z )αib βib η ) R simulates the proof π. σots ← Σots .sign(skots , akπ) µ ← (vkots , σots , (a, b, c), σ, π) [Post challenge phase] R answers signing, joining and opening queries as previously. [Final output] Finally, A outputs a bit b0 . If b = b0 R returns 1, else she returns 0. If (g, g x , g y , g z ) is a DDH tuple, the group signature is valid, else µ is an element indistinguishable from a random element in the group signature space since z is random, the certificate is generated with the rerandomizable signature scheme Σcert and the proof is zero-knowledge. Let b∗ be the bit computed by the challenger, then R’s advantage in breaking the DDH problem is: 1 Adv(R) = |Pr[b = b0 | b∗ = 1].Pr[b∗ = 1] + Pr[b 6= b0 | b∗ = 0].Pr[b∗ = 0] − | 2 ǫ 1 1 1 =| + + − | 4 2 4 2 ǫ = 2 C C.1 Security proofs of section 5 Proof of theorem 4 Proof. Let A be an adversary against the traceability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σcert . [keygen] R runs the Keygen algorithm as usual, except that she does not run Σcert .keygen and gets the issuer public key pkcert from her EUF-CMA challenger. [opening queries] R proceeds as the standard algorithm. [joining queries] When R receives a joining query, she uses his signing oracle to produce the user’s certificate. Then, she proceeds as the standard algorithm to simulate the interaction between the group manager and the new user. [Final output] A returns an untraceable group signature µ on a message m, which contains a proof of knowledge of a certificate σcert on vk, the verification key corresponding to the signature produced by Σ1 , such that vk 6= vki for all registered user i (else, the group signature is traceable). Using the assumption that (P, V ) is a sound proof system, A has to forge a new certificate on vk, and R will run the extractor on the NIZK proof π to get vk and σcert and returns the pair (vk, σcert ) to her challenger. R EUF-CMA breaks the digital signature scheme Σcert with advantage ǫ. C.2 Proof of theorem 5 Proof. Let A be an adversary against the non-frameability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σ1 . [keygen] R runs the Keygen algorithm as usual, except that she chooses i ∈ HU and computes (upkj , uskj ) ← Σ0 .keygen for j ∈ HU . [joining queries] R has to simulate the user part of the join protocol with the group manager (simulated by A). If j 6= i, R generates a key pair (pkj , skj ) ← Σ1 .keygen and proceeds as in the standard algorithm. If j = i then R gets the verification key vk from her challenger, signs it with uski , and sends vk and the 20 signature to A. [signing queries] R proceeds as the standard algorithm if j 6= i, else, she uses her signing oracle to produce the signature. [Final output] A returns a group signature µ = (σots , vkots , σ1 , r, π) on a message m and an identity j. If j 6= i, then R aborts the experiment. Else we assume that σ1 is a valid signature w.r.t vk (else, as in the previous scheme, it involves a forgery on Σ0 ). We distinguish the two following cases: 1. OSign oracle was already requested on (i, m), returning µ∗ . Then there are two possibilities: – vk ots or r are different from those in µ∗ , which implies that A successfully forge a new signature σ1 . Then, R forwards (mkvk ots kr, σ1 ) to her challenger. – σ1 or π are different from the one in µ∗ , then σ1 or π has been re-randomized and A has to forge a new one-time signature Σots . Then A can be turned in an attacker against the security of Σots . 2. There were no oracle request on (i, m), then σ1 is a forged signature on mkvk ots kr. Let m be the number of honest users, R is able to break the EUF-CMA security of Σ1 with advantage A’s advantage ǫ is then negligible. 1 m ǫ. C.3 Proof of theorem 6 Proof. Let A be an adversary against the anonymity with advantage ǫ, we construct R a reduction using A against the DDH problem. R gets the DDH challenge (g, g x , g y , g z ) from her challenger and has to decide whether z = xy or random. [keygen] R runs K.keygen algorithm as usual, generates a pair (αi , βi ) and computes ri ← Simulate(skcert ) for each honest user i. In the experiment R will act as if ski = (αi , yβi ). [joining queries] R proceeds as the standard algorithm. [signing queries] Receiving a request OSign(i, m) from A, R proceeds as follows: 1. 2. 3. 4. 5. 6. 7. (skots , vkots ) ← Σots .keygen r ← Simulate(skcert ) η ← mkvkots kr y ραi βi η (a, b, c) ← (g ρ , (g y )ρβi , aα ) i (g ) R simulates the proof π. σots ← Σots .sign(skots , akπ) µ ← (vkots , σots , (a, b, c), r, π) for a random ρ. The produced signature (a, b, c) is valid and R records (i, m, µ) then returns it to A. [open queries] R distinguishes two cases: – If the signature originate from a dishonest user, R proceeds as the standard algorithm. – In case the signature was created on the behalf of an honest user then, because of the non-frameability property of our scheme, the signature is a previous output of the OSign oracle. R looks in her record and outputs the corresponding identity i with a simulated proof π ′ . [Challenge] A sends m, i0 , i1 to R who computes b ← {0, 1}. To produce a signature on behalf of user ib , R proceeds as follows: 1. 2. 3. 4. 5. 6. 7. (skots , vkots ) ← Σots .keygen σ ← Simulate(skcert ) η ← mkvkots kr (a, b, c) ← (g x , (g z )βi , aαi (g z )αi βi η ) R simulates the proof π. σots ← Σots .sign(skots , akπ) µ ← (vkots , σots , (a, b, c), r, π) 21 then simulates the proof π ′ . [Post challenge phase] R answers signing, joining and opening queries as previously. [Final output] Finally, A outputs a bit b0 . If b = b0 R returns 1, else she returns 0. If (g, g x , g y , g z ) is a DDH tuple, the group signature is valid, else µ is an element indistinguishable from a random element in the group signature space since z is random and r is information theoretically independent from σcert and m. Let b∗ be the bit computed by the challenger, then R’s advantage in breaking the DDH problem is: 1 Adv(R) = |Pr[b = b0 | b∗ = 1].Pr[b∗ = 1] + Pr[b 6= b0 | b∗ = 0].Pr[b∗ = 0] − | 2 ǫ 1 1 1 =| + + − | 4 2 4 2 ǫ = 2 D D.1 Security proofs of section 7 Proof of theorem 9 Proof. Let A be an adversary against the anonymity with advantage ǫ, we construct R a reduction using A against the IND-st-wCCA security of Γ . [keygen] R gets the parameters of Γ , computes (skots , vkots ) ← Σots .keygen and sends t∗ ← vkots to his challenger. Then, she receives pk, the public key of Γ , and runs K.keygen algorithm as usual, except that she sets pkM = pk and computes a simulated common reference string. [{signing, joining} queries] R proceeds as the standard algorithms. [opening queries] R runs Verify on the group signature. If it outputs 1, then she checks the tag t used for encryption. If t 6= t∗ , R uses her decryption oracle on C and then proceeds as the standard Open algorithm, else, she returns ⊥. This simulation differs if t∗ = t, but this event appears for each query with probability 1 ∗ |T | (where T is the tag space) because A does not know t . R [Challenge] A sends m, i0 , i1 to R who computes b0 ← − {0, 1}, σcert ← Σcert .sigRand(σcert (ib0 ), σb ← Σ1 .sign(skib , mkt∗ kσcert ) and (rb , sb ) ← σb for b ∈ {0, 1}. She sends s0 and s1 to her challenger who R computes b∗ ← − {0, 1} and returns C ∗ , an encryption of sb∗ under the tag t∗ . R sets r ← rb0 and uses the simulated common reference string to produce the proof π, then computes σots ← Σots .sign(skots , C ∗ krkπ) and sends µ ← (m, t∗ , σots , r, C ∗ , σcert , π) to A. Recalling the properties of Σcert and Σ1 , σcert is computationally indistinguishable from σcert (i0 ) or σcert (i1 ) (we denote by ǫ0 the probability that A is able to distinguish σcert (i0 ) from σcert (i1 ), ǫ0 is negligible under the DDH assumption) and r is indistinguishable from r0 or r1 . Moreover, since the proof is zero-knowledge, the distribution of this challenge is the same as in the full anonymity experiment. [Post challenge phase] R can answer signing, joining and opening (with a tag different from t∗ ) queries as previously. If the tag is t∗ then she returns ⊥. Indeed, to produce a valid group signature with the tag t∗ = vkots , A has to forge a new signature σots because each modification on the challenge group signature involves a different C ∗ or a different proof π. Since Σots is a strong one-time signature, this event appears with negligible probability. [Final output] Finally, A outputs a bit b′ that R forwards to her challenger. R’s behavior is the same as the challenger in the full anonymity experiment, his advantage in breaking the IND-st-wCCA security of Γ is then (1 − ǫ0 )ǫ. D.2 Proof of theorem 8 Proof. Let A be an adversary against the traceability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σcert . 22 [keygen] R runs the Keygen algorithm as usual, except that she does not run Σcert .keygen and gets the issuer public key pkcert from her EUF-CMA challenger. [opening queries] R proceeds as the standard algorithm. [joining queries] When R receives a joining query, she uses his signing oracle to produce the user’s certificate. Then, she proceeds as the standard algorithm to simulate the interaction between the group manager and the new user. [Final output] A returns an untraceable group signature µ on a message m, which contains a certificate σcert on sk, the secret key used to sign with Σ1 , such that sk 6= ski for all registered user i (else, the group signature is traceable). Using the assumption that (P, V ) is a sound proof system, A has to forge a new certificate, and R will run the extractor on the NIZK proof π to get sk and returns the pair (sk, σcert ) to her challenger. R EUF-CMA breaks the digital signature scheme Σcert with advantage ǫ. D.3 Proof of theorem 9 Proof. Let A be an adversary against the non-frameability with advantage ǫ, we construct R a reduction using A that EUF-CMA breaks the underlying digital signature scheme Σ1 . [keygen] R runs the Keygen algorithm as usual, except that she computes a simulated common reference string crs. R chooses i ∈ HU and computes (upkj , uskj ) ← Σ0 .keygen for j ∈ HU . [joining queries] R has to simulate the user part of the join protocol with the group manager (simulated by A). If j 6= i, R generates a key pair (pkj , skj ) ← Σ1 .keygen and proceeds as in the standard algorithm. If j = i then R gets the verification key from her challenger and uses the simulated common reference string to produce the proofs of knowledge. [signing queries] R proceeds as the standard algorithm if j 6= i, else, she uses her signing oracle to produce a signature and uses the simulated common reference string to produce the proofs of knowledge. [Final output] A returns a group signature µ on a message m and an identity j. If j 6= i, then R aborts the experiment. Else we assume that σ1 is a valid signature w.r.t vk (else, as in the previous scheme, it involves a forgery on Σ0 ). We distinguish the two following cases: 1. OSign oracle was already requested on (i, m), returning µ∗ . Then there are two possibilities: – vk ots or σcert are different from those in µ∗ , which implies that A successfully forge a new signature σ1 . Then, R forwards (mkvk ots kσcert , σ1 ) to her challenger. – C or π are different from those in µ∗ , then C or π have been re-randomized and A has to forge a new one-time signature Σots . Then A can be turned in an attacker against the security of Σots . 2. There were no oracle request on (i, m), then σ1 is a forged signature on mkvk ots kσcert . Let m be the number of honest users, R is able to break the EUF-CMA security of Σ1 with advantage A’s advantage ǫ is then negligible. 23 1 m ǫ.