
Page 1: Dissertation

COMPGA99 Dissertation

Efficient Fully Anonymous Group Signatures based on the Groth Group Signature Scheme [Gro07]

Saqib A Kakvi (946318)
Supervisor: Dr. Jens Groth
Year of Submission: 2010

This report is submitted as part requirement for the MSc Degree in Information Security at University College London. It is substantially the result of my own work except where explicitly indicated in the text.

The report may be freely copied and distributed provided the source is explicitly acknowledged.


Abstract

Recently, group signature schemes with constant size signatures have emerged, most notably [Gro06], [Gro07] and [BW07]. This work examines the scheme presented in [Gro07] and builds more efficient schemes by using asymmetric bilinear groups. We begin by presenting a direct translation of the Groth scheme into Type 2 and Type 3 bilinear groups, in the terminology of [GPS08]. We then modify the underlying components to make the schemes more efficient. We prove all of our schemes secure in the standard model.


Acknowledgements

We would like to thank Jens Groth for his invaluable advice and guidance on this work. We would also like to thank our colleagues for their input and support. Finally, we would like to thank Fatima Nassir and Nidhi Shah for their assistance in proofreading this work.


Contents

1 Introduction 5

2 Definitions 7
  2.1 Original Definitions and Refinements 7
  2.2 Formalisations for static groups 8
  2.3 Formalisations for dynamic groups 9

3 Assumptions 12
  3.1 Bilinear Groups 12
  3.2 Number-Theoretic 13
  3.3 Random Oracle 14

4 Previous Work 15
  4.1 Considerations 15
    4.1.1 Efficiency 15
    4.1.2 Functionality 16
    4.1.3 Security Improvements 16
  4.2 Comparison 17

5 The Groth Signature Scheme 18
  5.1 Tools 18
    5.1.1 Certified Digital Signatures 18
    5.1.2 Tag-based Encryption 19
    5.1.3 Collision-Free Hash functions 19
    5.1.4 Non-Interactive Zero Knowledge proofs 19
    5.1.5 Non-Interactive Witness Indistinguishable proofs 20
  5.2 The Scheme 21

6 Our Contributions 23
  6.1 Scheme 1 23
    6.1.1 Components 23
    6.1.2 The Scheme 28
  6.2 Scheme 2 31
    6.2.1 Components 31
    6.2.2 The Scheme 33
  6.3 Scheme 3 37
  6.4 Scheme 4 37
    6.4.1 Components 37
    6.4.2 The Scheme 41

7 Conclusions & Future Work 45
  7.1 Conclusions 45
  7.2 Future Work 46
    7.2.1 Further Efficiency Improvements 46
    7.2.2 Revocation 46

A Sizes of the DDH/DLIN Groth-Sahai Proofs 51

B Proofs 52
  B.1 q-Unfakeability Type 2b Assumption (q-U-2b) 52
  B.2 q-Unfakeability Type 3a Assumption (q-U-3a) 53
  B.3 q-Unfakeability Type 3b Assumption (q-U-3b) 54

C Scheme 3 56
  C.1 Components 56
  C.2 The Scheme 59


Chapter 1

Introduction

Signatures were in use for several years before the advent of cryptography, and indeed of computers themselves. A signature, in the classical sense, is a way of a person writing their name such that only they can produce it accurately. Signatures on documents, both hand-written and printed, serve as a means of authenticating the source of said document. This does not necessarily mean the signer produced the document themselves, but they did intend to convey that message.

Classical signatures are static and do not change. Their security was provided by the difficulty of forging a signature. With the advent of computing and digital communications, people developed several methods of digitally “signing” documents. These ranged from scanning their signature and appending it to documents, to directly signing the document using a graphics tablet. These all suffer from the same weakness: they can easily be copied.

What all these solutions did was essentially to add an arbitrary bit string at the end of each message. This string could be intercepted, copied and added to any message. This allowed any adversary to forge signatures on any message, given just 1 message and signature. It can be seen that there is no security even against the most passive adversary, who simply intercepts the communications and does not modify them. The solution to this is a digital signature.

This was first posited by Diffie and Hellman in [DH76], where they theorised the existence of such schemes. A digital signature is a message-dependent bit string, which can only be generated by the signer, that is appended to the message. These schemes are based on a private signing key and a public verification key. Shortly after that, Rivest, Shamir & Adleman proposed the first concrete digital signature scheme [RSA78]. Over the years, several digital signature schemes have been created. For a further treatment of digital signatures, we refer the reader to [Lys02].


We now consider the following scenario. A company X has a purchasing department with 4 clerks, A, B, C & D. Any of these clerks is authorised to purchase raw materials and office supplies for the company. The purchase orders are sent out in digital format and are digitally signed by the clerk who issued the order. The supplier receives the purchase order, verifies the signature and then dispatches the order. In this scenario, each clerk has their own signing key, but is it really necessary?

Each public key is linked to a single clerk, which tells the supplier which of the 4 clerks placed the order. However, the supplier does not need this information; they simply need to know that it was 1 of the 4, not which specific clerk. The simplest solution is to give all 4 clerks access to the same signing key. This, however, presents the problem that if one of the clerks orders personal items on the company account, you cannot trace which clerk signed the message. Here there is no security against any of the clerks misusing the secret key.

The solution to this was proposed by Chaum and van Heyst in [CvH91]. They presented what was called a group signature scheme. The principle was that each group member had a unique signing key, and signatures generated by any of these verified under the same public key. They also stated that a designated party could, possibly with the help of a secret key, take a signature and “open” it to show which member produced the signature in case of misuse.

We can see that this solves the problems in the scenario above, as well as in many other scenarios. Several other scenarios have been presented in the literature, but they all have common motivations. Above and beyond the security of a digital signature scheme, we wish to have anonymity and traceability.

We shall now proceed to discuss the state of the art in group signatures at the present time. In Chapter 2, we discuss the definitions and formalisations of group signatures. Chapter 3 then deals with the cryptographic assumptions involved in these group signatures. We then cover previous work and compare what we believe to be the critical signature schemes in Chapter 4. In Chapter 5, we present the Groth Signature Scheme [Gro07]. We then proceed to present our schemes in Chapter 6. Finally, in Chapter 7, we discuss possible future research areas.


Chapter 2

Definitions

2.1 Original Definitions and Refinements

The original definition of a group signature stated that a group signature scheme is one which allows the members of the group to sign messages on behalf of the group anonymously. This anonymity could be undone by a designated authority, called the group manager or opener. We now explain the details and refinements of this definition. We denote the number of group members by $n$ and each member is uniquely identified by $1 \le i \le n$. We also define $k$ as the security parameter.

In the original definition of a group signature [CvH91], Chaum and van Heyst stated 3 properties that are required for a group signature scheme, namely:

1. Only members of the group can sign messages on behalf of the group

2. The receiver can verify that a member of the group signed a message, but not whichmember.

3. Any signatures made by group members can be opened.

As research in the area grew, more security requirements were added. We shall discuss these in more detail later. In some of their schemes they needed a trusted party ($Z$), who would choose the keys for the users. This concept was later formalised and became known as the group manager, or in some cases the group managers.

Group Managers

Chaum & van Heyst used the familiar concept of a Trusted Third Party (TTP) in some of their schemes. The foundations and powers of this TTP varied from scheme to scheme. The research community soon realised that there was a need for a party who is not part of the group but in essence manages the group. Hence the concept of a group manager was born.


The group manager initially had two duties, namely generating the keys at setup and opening signatures. To this effect, they are issued with a secret group manager’s key $SK_{GM}$. However, some schemes employ two managers, an issuer and an opener. The issuer is responsible for key generation and the opener is responsible for opening signatures. To implement this, there are now 2 distinct manager keys: the issuer’s secret key $ik$ and the opener’s secret key $ok$.

Security Definitions

Several authors have posited their own security requirements for group signature schemes. Some of these were related, some were stronger than others. We shall now briefly discuss the security requirements listed by Ateniese and Tsudik in [AT99]. As we shall see later, all of these can be reduced to two properties that were formalised by Bellare, Micciancio and Warinschi [BMW03] and Bellare, Shi and Zhang [BSZ05].

• Unforgeability: No person other than a member of the group can produce a valid signature under the group’s public key.

• Anonymity: No person not in possession of the secret opening key, other than the signer, can know which group member produced a signature.

• Unlinkability: If a member signs more than 1 message, nobody can link these signatures as having been signed by the same member of the group.

• Exculpability: Neither group member(s) nor the group manager(s) can sign a message on behalf of another member of the group.

• Traceability: Any valid signature made by a group member can be traced back to them by the group manager, using their secret opening key.

• Coalition-Resistance: No subset of colluding group members and group managers can produce a valid signature that will not be traced back to at least 1 of the colluding group members.

2.2 Formalisations for static groups

Definitions

The concepts of security for group signatures were only formalised in 2003 by Bellare, Micciancio & Warinschi [BMW03]. They formalised the exact security requirements for group signatures. Up until this point, authors used their own notations and security requirements. They defined the properties of full-traceability and full-anonymity. We shall briefly discuss these requirements. It must be noted that Bellare et al. treated the case of a single group manager.


In this scenario, we shall consider the following algorithms:

• KeyGen, which generates the group public key $gpk$, the group manager’s secret key $SK_{GM}$ and all the users’ secret keys $SK_i$ for all $0 \le i \le n$

• Sign, which takes in a message $m$ and a user’s signing key $SK_i$ and outputs a signature $\sigma$

• Verify, which takes in a message $m$, a signature $\sigma$ and the public key $gpk$ and outputs 1 if $\sigma$ is valid, else 0

• Open, which takes in a signature $\sigma$ and the manager’s secret key $SK_{GM}$ and outputs the signer’s identity $i$.

Full-Anonymity

This property states that no verifier or adversary can determine which group member signed which message, given past message-signature pairs and the group’s public key. We define the advantage the adversary has over the full-anonymity property as $\mathrm{Advantage}^{anon}_{Adv}(k, n)$.

Full-Traceability

This property states that no subset of the group, even in possession of the group manager’s secret key $SK_{GM}$, can generate a valid signature that cannot be opened and traced to at least one of the colluding members. The advantage the adversary has over the full-traceability property is defined as $\mathrm{Advantage}^{trace}_{Adv}(k, n)$.

For a more detailed formalisation, we refer the reader to [BMW03]. [BMW03] showed that having full-anonymity implies having both anonymity and unlinkability, while having full-traceability implies having unforgeability, exculpability, traceability, coalition-resistance and framing. For any group signature scheme to be deemed secure, $\mathrm{Advantage}^{anon}_{Adv}(k, n)$ and $\mathrm{Advantage}^{trace}_{Adv}(k, n)$ must be negligible. We will not formalise these, as our scheme is secure under the BSZ model [BSZ05], which we will now describe.

2.3 Formalisations for dynamic groups

Definitions

The work of [BMW03] only covered the case of static groups, which is not very practical. Most applications have dynamic groups, where members can join and leave as time proceeds. This case was treated by Bellare, Shi & Zhang [BSZ05]. In this case, they treated the Key Issuer and Signature Opener as separate entities, as a rule.


They also introduced a new concept of “trust levels” for the authorities. They posited 3 levels of corruptness, which are uncorrupt, partially corrupt and fully corrupt. An uncorrupt authority is one who will perform their duty in a completely honest manner. A partially corrupt authority is one whose secret key has been exposed, but who does not deviate from their designated protocol. A fully corrupt authority is one whose key has been exposed and who may deviate from their protocol.

They also outline three assumptions about the schemes. They assume that each potential member has a certified public/private key pair independent of any group authority. How they obtained these keys is irrelevant. Secondly, they require that the Join protocol can be run with many users concurrently. Finally, they require that all openings be accompanied by a publicly verifiable proof string that the opening was indeed done correctly.

Bellare, Shi & Zhang defined what is known as the registry, denoted by $\mathrm{Reg}$. This contains information about the users, who are identified by a unique $i \in \mathbb{N}$. $\mathrm{Reg}_i$ is the identity information of user $i$. $\mathrm{Reg}$ is writeable by the Issuer and readable by the Opener, who uses the information to identify the signer. We require the algorithms defined in 2.2 as well as the following: UserKeyGen, which is used by the user to generate a public/private key pair, denoted by $UPK_i$ and $USK_i$, for use in the Join protocol; Join, Iss, the interactive protocol in which the user joins the group and the Issuer issues them a key $SK_i$; Judge, where an opening and the accompanying proof string are checked for validity.

In terms of security, they defined three properties that need to be satisfied, namely anonymity, traceability and non-frameability. Although we have seen that traceability implies non-frameability, it was made a separate requirement, as the two properties can be achieved with different trust levels of the authorities. The trust levels required for each property are given in [BSZ05]. The definitions for these are as above, but now the adversary is allowed to enrol new corrupted users, as well as corrupt old users. For a more formal treatment, we refer the reader to [BSZ05].

We will now present the formalisations of the three properties. To do so, we need to define some new oracles, to model adversarial attacks not considered in [BMW03]. Before we define the oracles, we need to define some extra variables. We maintain two sets $HU$ and $CU$, which contain the identities of the Honest and Corrupt Users respectively. We say an identity $i$ is valid if $1 \le i \le n$ and $i \in HU$. We also maintain $GSet$, which is the set of all message-signature pairs generated by $\mathrm{Ch}_b$.

• AddU(·): Adds an honest user to the group.

• CrptU(·): On input of a valid identity $i$ and a string $UPK'$, corrupts user $i$ and sets $UPK_i$ to $UPK'$.


• SndToI(·): This oracle allows the adversary to send a corrupted user $i \in CU$ to the issuer to join the group, via the Join, Iss protocol. If the protocol is successfully completed, then user $i$ now has a valid signing key $SK_i$ and the relevant information is entered in $\mathrm{Reg}_i$.

• SndToU(·): This oracle models the case where the adversary has corrupted the issuer. The oracle engages in the Join, Iss protocol with some honest user $i \in HU$.

• USK(·): On input of a valid identity $i \in \mathbb{N}$, it outputs the user’s secret keys $USK_i$ and $SK_i$. We note that $UPK_i$ is assumed to be public.

• RReg(·): On input of a valid identity $i \in \mathbb{N}$, the oracle outputs $\mathrm{Reg}_i$.

• WReg(·): On input of a valid identity $i \in \mathbb{N}$ and an entry $\mathrm{Reg}'_i$, $\mathrm{Reg}_i$ is replaced by $\mathrm{Reg}'_i$.

• GSig(·): On input of a valid identity $i \in \mathbb{N}$ and a message $m$, the oracle outputs a group signature on $m$ made using $SK_i$.

• $\mathrm{Ch}_b$(·): This is the challenge oracle, provided for an adversary attacking anonymity, and depends on $b \in_R \{0, 1\}$, which is chosen by the oracle. On input of two valid identities $i_0, i_1 \in \mathbb{N}$ and a message $m^*$, the oracle outputs $\sigma^* \leftarrow \mathrm{GSig}(i_b, m^*)$, and $(m^*, \sigma^*)$ is added to $GSet$. In the rest of the work, we denote all variables associated with the challenge group signature $\sigma^*$ with an asterisk superscript.

• Open(·): On input of a message-signature pair $(m, \sigma) \notin GSet$, the oracle returns the identity of the signer.

It is worth noting that [BSZ05] did not cover the case of member revocation. This is due to the complexities involved in revocation, which tend to be scheme specific. Some schemes require recomputation of the public key, some issue revocation lists, while some take other approaches. We shall not discuss this problem any further and refer the reader to [Koc98] & [Gen03] for a general treatment of the revocation problem in digital signatures. We also refer the reader to [AST02], [BBS04] and [BS04] for examples of revocation in group signature schemes.


Chapter 3

Assumptions

3.1 Bilinear Groups

Most group signature schemes are built using what are called bilinear mappings. These are essentially modified Weil pairings or Tate pairings. To build a pairing we require 3 finite cyclic groups, which we will call $G_1$, $G_2$ and $G_T$. We define a map $e$ which takes $a \in G_1$, $b \in G_2$ and maps it to $e(a, b) \in G_T$. A mapping is said to be admissible if:

• $\forall a \in G_1,\ b \in G_2,\ x, y \in \mathbb{Z}$: $e(a^x, b^y) = e(a, b)^{xy}$

• Given $G_1 = \langle g_1 \rangle$, $G_2 = \langle g_2 \rangle$: $e(g_1, g_2) \neq 1$

• $G_T = \langle e(g_1, g_2) \rangle$

We must note that as both groups are finite cyclic groups of the same order, there trivially exist homomorphisms $\psi_1 : G_1 \to G_2$ and $\psi_2 : G_2 \to G_1$. However, we only consider the case of $\psi_2$, which we simply denote as $\psi$. Although this homomorphism exists, it may not be efficiently computable. Where $\psi_1$ is computable but $\psi_2$ is not, we simply switch the groups to maintain our notation.

Another point to note is that we have two possible settings with respect to the groups, i.e. $G_1 = G_2$ and $G_1 \neq G_2$, which are known as symmetric and asymmetric bilinear groups respectively.

From these two properties, we get 3 types of groups, as defined by Galbraith, Paterson and Smart in [GPS08]. We use their terminology throughout this work. The 3 types of group are defined as:

• Type 1: $G = G_1 = G_2$

• Type 2: $G_1 \neq G_2$ and $\psi$ is efficiently computable

• Type 3: $G_1 \neq G_2$ and $\psi$ is not efficiently computable

We note the case where both ψ1 and ψ2 are computable is treated as a Type 1 group.

We define $\mathcal{G}$ as the bilinear group generator. On input of $1^k$, it outputs a description of a bilinear group of the required type, denoted by $gk$.

3.2 Number-Theoretic

For this chapter, we will consider a finite cyclic multiplicative group $G$ of prime order $p$ and generator $g$. Although there are a large number of assumptions used in several schemes, we will only detail the ones required for the security proofs in [Gro07].

Discrete Logarithm Problem (DLP) We shall now briefly discuss the Discrete Logarithm Problem. In the real number domain, calculating the logarithm of a number $a \in \mathbb{Z}$ with respect to any base is trivial. With cyclic groups, the base we are using is not always apparent and the calculations are not as trivial. The statement of the DLP is as follows:

Given $x \in G$, find $y$ such that $x = g^y$.

Decision Diffie-Hellman Assumption (DDH) The Decision and Computational Diffie-Hellman Problems were both introduced in [DH76]. We shall only cover the decisional variant, which is:

Given $g, g^x, g^y, g^z \in G$; decide if $z = xy \bmod p$ or $z \in_R \mathbb{Z}_p$.

The DDH is said to hold in a group when this problem is hard to solve in that group. It is worth noting that the DDH does not hold in Type 1 groups, nor in $G_2$ of Type 2 groups.
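The three admissibility conditions and the remark that the DDH fails in Type 1 groups can be exercised in code. The following Python is an added example, not code from the dissertation: it builds a constructed toy Type 1 group (the order-53 subgroup of $\mathbb{Z}_{107}^*$ generated by 4, so $G_1 = G_2 = G_T = G$), simulates the pairing as $e(g^x, g^y) = g^{xy}$ by brute-force discrete logarithms (a real Weil or Tate pairing computes $e$ without ever learning the logarithms, which is what makes it useful), checks the three conditions, and then decides DDH tuples with a single pairing equation. The `ddh_decide` function is exactly why the DDH cannot hold in $G$ once a symmetric pairing on $G$ is available.

```python
"""Toy Type 1 (symmetric) bilinear group with a simulated pairing.

Added example, not from the dissertation. Constructed parameters: the order-53
subgroup of Z_107^* generated by g = 4 (107 = 2*53 + 1). The pairing is
simulated via brute-force discrete logs, which only works because the group is
tiny; a real Weil/Tate pairing never learns the logarithms.
"""
import secrets

Q = 107   # field modulus
P = 53    # prime order of G = G1 = G2 (and of the toy target group)
G = 4     # generator of G (4 = 2^2 is a square mod 107, so its order divides 53)


def gexp(base, x):
    """Exponentiation in the order-P subgroup (exponents live in Z_P)."""
    return pow(base, x % P, Q)


def dlog(h):
    """Brute-force log_g(h); feasible only in a toy group."""
    acc = 1
    for x in range(P):
        if acc == h:
            return x
        acc = acc * G % Q
    raise ValueError("element not in <g>")


def e(a, b):
    """Simulated pairing: e(g^x, g^y) = gT^(x*y), with gT = g (target group is the same subgroup)."""
    return gexp(G, dlog(a) * dlog(b))


def is_admissible(trials=20):
    """Check bilinearity on random samples, non-degeneracy, and GT = <e(g, g)>."""
    for _ in range(trials):
        a, b = gexp(G, secrets.randbelow(P)), gexp(G, secrets.randbelow(P))
        x, y = secrets.randbelow(P), secrets.randbelow(P)
        if e(gexp(a, x), gexp(b, y)) != gexp(e(a, b), x * y):
            return False
    egg = e(G, G)
    if egg == 1:
        return False
    generated = {gexp(egg, k) for k in range(P)}   # powers of e(g, g)
    return len(generated) == P                     # they cover the whole target group


def ddh_decide(g, gx, gy, gz):
    """In a Type 1 group the pairing decides DDH: e(g^x, g^y) == e(g, g^z) iff z = xy mod P.
    This is why the DDH cannot hold in G when a symmetric pairing on G exists."""
    return e(gx, gy) == e(g, gz)
```

In a Type 3 group there is no efficiently computable map between $G_1$ and $G_2$, so this one-line distinguisher is unavailable and the DDH can plausibly hold in each group separately; in a Type 2 group $\psi$ lets one move a $G_2$ element into $G_1$ and pair it, which is the reason given above for the DDH failing in $G_2$ there.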

q-Strong Decision Diffie-Hellman Assumption (q-SDH) This assumption was introduced by Boneh and Boyen in [BB04]. It is stated as:

Given a polynomial $q$ and $g, g^x, g^{x^2}, g^{x^3}, \ldots, g^{x^{q(k)}} \in G$; find a pair $(m, g^{\frac{1}{1+x}}) \in \mathbb{Z}_p \times G$.

The q-SDH is said to hold in a group when the above problem is intractable.


Decision Linear Assumption (DLIN) This assumption was introduced by Boneh, Boyen and Shacham in [BBS04]. It is stated as follows:

Given generators $g, g_1, g_2 \in G$ and $g_1^r, g_2^s, g^t$; decide if $t = r + s$ or $t \in_R \mathbb{Z}_p$.

This assumption only applies to a single group and was shown to hold for generic bilinear groups. It was also shown that this gives rise to what is known as a Linear Encryption system.
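To make the connection between the DLIN assumption and Linear Encryption concrete, here is an added Python example (not code from the dissertation or from [BBS04]) of the Linear Encryption scheme in a constructed toy group, the order-53 subgroup of $\mathbb{Z}_{107}^*$ generated by 4. The public key is $(u, v, h)$ with $u^x = v^y = h$, a ciphertext is $(u^a, v^b, m\,h^{a+b})$, and the ciphertext of the identity element is exactly a linear tuple; `is_linear_tuple` shows that the decryption key $(x, y)$ is a trapdoor for deciding DLIN, which the assumption says is hard without it.

```python
"""Linear Encryption (Boneh, Boyen and Shacham) over a toy prime-order group.

Added example, not code from the dissertation or from [BBS04]. Constructed
parameters: the order-53 subgroup of Z_107^* generated by g = 4. Real deployments
use a pairing-friendly group of ~256-bit prime order; the DLIN assumption only
carries weight there.
"""
import secrets

Q, P, G = 107, 53, 4          # field modulus, group order, generator


def gexp(base, x):
    """Exponentiation in <g>; exponents are taken mod the group order."""
    return pow(base, x % P, Q)


def keygen():
    """pk = (u, v, h) with u^x = v^y = h; sk = (x, y)."""
    x = 1 + secrets.randbelow(P - 1)
    y = 1 + secrets.randbelow(P - 1)
    h = gexp(G, 1 + secrets.randbelow(P - 1))   # random generator h != 1
    u = gexp(h, pow(x, -1, P))                   # u = h^(1/x)
    v = gexp(h, pow(y, -1, P))                   # v = h^(1/y)
    return (u, v, h), (x, y)


def encrypt(pk, m):
    """Ciphertext (T1, T2, T3) = (u^a, v^b, m * h^(a+b)); m must be an element of <g>."""
    u, v, h = pk
    a = secrets.randbelow(P)
    b = secrets.randbelow(P)
    return gexp(u, a), gexp(v, b), m * gexp(h, a + b) % Q


def decrypt(sk, ct):
    """m = T3 / (T1^x * T2^y): T1^x = h^a and T2^y = h^b, so the mask h^(a+b) cancels."""
    x, y = sk
    t1, t2, t3 = ct
    mask = gexp(t1, x) * gexp(t2, y) % Q
    return t3 * pow(mask, -1, Q) % Q


def is_linear_tuple(sk, t1, t2, t3):
    """With the trapdoor (x, y), DLIN is easy: (u^a, v^b, h^c) is linear iff c = a + b,
    i.e. iff t1^x * t2^y == t3. Without (x, y) this is the DLIN problem."""
    x, y = sk
    return gexp(t1, x) * gexp(t2, y) % Q == t3
```

At this group size the logarithms are recoverable by brute force, so the example shows the algebra rather than the security; the same code over a 256-bit prime-order group is where the DLIN assumption starts to matter.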

The q-Unfakeability Assumption This assumption was introduced by Groth in [Gro07]. It is stated as follows:

Given a polynomial $q$, the description of a Type 1 group $gk$, public elements $f, h \in_R G$ and $T = e(f, z)$, a private element $z \in_R G$, and, for $1 \le i \le q(k)$, $x_i, r_i \in_R \mathbb{Z}_p$, $a_i = f^{r_i}$, $b_i = h^{r_i} g^{x_i r_i} z$; find $(V, A, B, m, S)$ such that $V \notin \{g^{x_1}, g^{x_2}, \ldots, g^{x_{q(k)}}\}$, $e(A, hV)\, e(f, B) = T$ and $e(S, V g^m) = e(g, g)$.

Symmetric External Diffie-Hellman (SXDH) and Symmetric External Decision Linear (SXDLIN) Assumptions The SXDH holds when the DDH holds in both $G_1$ and $G_2$. Clearly, this is only applicable to Type 3 groups. The SXDLIN holds when the DLIN holds in both $G_1$ and $G_2$. This can be true in both Type 2 and Type 3 groups. The word “External” in both names indicates that these properties are independent of each other.

3.3 Random Oracle

The use of the Random Oracle Model was popularised by Bellare & Rogaway [BR93]. Ever since its introduction, several schemes have been proven secure under this model. One of the main techniques used is the Fiat-Shamir heuristic [FS86]. The Fiat-Shamir heuristic allows the user to take a 3-round interactive protocol and turn it into a non-interactive 1-round protocol. This is achieved by the use of a hash function as a simulator, assuming it is a pseudorandom function. It has been debated whether results under the Random Oracle Model are valid. There is currently no reduction from the Random Oracle Model to the Standard Model.

Most notably, Canetti, Goldreich & Halevi showed schemes that are secure in the Random Oracle Model but not in the Standard Model ([CGH98], [CGH04]). An extensive knowledge of this model is not needed, hence we shall not enter into any further details of it. It is mentioned as it forms part of our comparison later.


Chapter 4

Previous Work

In this chapter, we first look at the considerations in creating group signature schemes, and the research in that area. We then proceed to compare some schemes based on these properties.

4.1 Considerations

As stated before, the introductory work in this field was done by Chaum & van Heyst in [CvH91]. Since then, there has been a great amount of research. The focus of the research split into 3 nearly distinct issues, namely:

1. Efficiency

2. Functionality

3. Improvements in security

We shall discuss the research advancements and the state of the art in all of these areas.

4.1.1 Efficiency

In terms of efficiency, we need to consider the speed of signing, verifying and opening the signatures. As with all cryptographic schemes, we want to be able to perform all our computations efficiently. This is especially true of pairing-based schemes; for details of the implementation issues, we refer the reader to [GPS08]. It is important to note that computational complexity and big-O notation do not suffice. When considering speed, we need empirical numbers in seconds (or divisions thereof) or number of operations. We refer the reader to such a study, done on 5 schemes by Hansen & Pagels [HP06], with the caveat that the text is in Danish.


The second issue is that the size of the signature and keys seemed to be dependent on the number of members in the group. As stated in [AT99], most schemes have signature sizes which grow as a function of the number of members. This starts to become impractical for larger groups. The first constant-size scheme was shown by Ateniese et al. [ACHdM05], but it was only secure against non-adaptive adversaries. It was shown by Groth in [Gro06] that it is possible to have group signatures with constant size of both signatures and keys, secure against adaptive adversaries. Although the signature scheme was constant size, it was highly impractical, as signatures were composed of thousands of group elements. This was later refined in [Gro07], where Groth proposed a scheme with a constant signature size of 50 group elements or less, depending on the security required.

4.1.2 Functionality

With respect to functionality, the main focus has been on making partly- and fully-dynamic groups. A partly-dynamic group is one that allows us to add members or remove members from the group, but not both. A fully-dynamic group is one that allows us to do both. Most advances in this area have been in groups which allow us to add members, as groups in which we remove members suffer from the Key Revocation Problem.

Although [CP94] showed two schemes which could have group members added or removed, they had the drawback that the group manager could falsely accuse a group member of having made the signature, as well as the users having to “double sign” messages. [Cam97] & [CS97] also showed increasing-membership group signature schemes, but again we see that the size of the signature increases as a function of the number of members.

The first group signature scheme with revocation was introduced by Bresson & Stern in [BS01]. However, this scheme had the drawback that the signature size was linear in the number of revoked users. [AST02] showed revocation mechanisms for the schemes presented in [ACJT00].

4.1.3 Security Improvements

A large number of group signature schemes are proven secure under the Random Oracle Model. After [CGH98], some people moved away from this model and turned to the Standard Model. We have already discussed the assumptions in Chapter 3. This has driven some of the security-based research in the field, and most of the more recent group signature schemes rely on the Standard Model.

The first group signature schemes proven secure in the Standard Model were [BB04] and [CL04]. Since then there has been a shift from the Random Oracle Model to the Standard Model. However, it is worth noting that not all authors made this shift; most notably, [ACHdM05] is in the Random Oracle Model. As mentioned before, the validity of this model and its results are debatable. For further considerations, we refer the reader to [CGH04].

Another major issue has been making equivalent security statements. Although it is fine in its own right to prove that a system is secure, it is very useful to compare it to a classical digital signature scheme. This allows people familiar with digital signatures to draw a parallel and have some sort of comparative idea. For example, [BBS04] showed their scheme to have security equivalent to that of a 1024-bit RSA signature, with 1.5 times the length. Such security equivalences are a useful consideration when choosing to implement a group signature scheme.

It must also be noted that one major area of research is finding more efficient security assumptions. As we can see from Chapter 3, there have been a large number of changes in the assumptions, which may allow more efficient protocols, both in terms of size and computation.

4.2 Comparison

In this section, we compare a large number of group signature schemes in light of the items discussed above, i.e., security assumptions, dynamic or static, and signature sizes. The table below summarises these properties:

SCHEME     MODEL  JOIN  REVOKE  SINGLE MANAGER  SIGNATURE SIZE
[CP94]     RO     √     X       √               O(m)
[ACJT00]   RO     √     X       √               O(n)
[AST02]    RO     √     √       √               O(r)
[BBS04]    RO     √     √       √               O(r)
[BS04]     RO     X     √       √               O(r)
[CL04]     SM     √     X       X               O(log n)
[ACHdM05]  SM     √     X       √               Constant†
[BW06]     SM     √     X       X               O(log n)
[Gro06]    SM     √     X       X               Constant
[BW07]     SM     √     X       X               Constant
[Gro07]    SM     √     X       X               Constant

Table 4.1: Comparison of group signature schemes

Notations: RO = Random Oracle; SM = Standard Model; r = Number of revoked users; m = Number of messages; n = Number of group members. † Only secure against non-adaptive adversaries.


Chapter 5

The Groth Signature Scheme

In this chapter, we cover the Groth Signature Scheme [Gro07]. We examine all the tools used and then detail the scheme itself. We omit the security proofs here and refer the reader to [Gro07] for the proofs.

5.1 Tools

In this section, we will cover the tools used in the construction of the Groth Signature Scheme [Gro07]. We will cover the key components of the scheme, that is, certified digital signatures, one-time signatures, tag-based encryption, collision-free hash functions, Non-Interactive Zero Knowledge (NIZK) proofs and Non-Interactive Witness Indistinguishable (NIWI) proofs.

5.1.1 Certified Digital Signatures

As mentioned before, a digital signature is a message-dependent bit-string generated privately by the signer. The issue is how we can safely say that party $A$ signed this message: an adversary Adv could have sent it while masquerading as $A$. A commonly used solution is to attach a digital certificate.

A digital certificate is another bit-string generated by a Trusted Third Party, known asa Certification Authority (CA), which proves that the sender is indeed in possession of thesecret key corresponding to the public key contained in the certificate. The CA has a publiccertification key, which can be used to verify the validity of certificate and indeed the keycontained within.

A certificate may be a digitally signed text file or may be elements of a finite cyclic group,or indeed even a bilinear group. In the scheme, the Zhou-Lin [ZL06] certificates are used forBoneh-Boyen signatures [BB04].


5.1.2 Tag-based Encryption

Tag-based encryption is essentially a public-key encryption system, but the encryptiontakes in an additional value, called the tag. A new tag is used for each ciphertext and istransmitted with the ciphertext. The tag is then used in conjunction with the secret key todecrypt the ciphertext. Tags can take any form as required by the scheme.

For this scheme we need a selective-tag weakly CCA-secure tag-based encryption scheme combined with a strong one-time signature. From these we can build a CCA-secure encryption system, using a result of Kiltz [Kil06]. Selective-tag CCA (stag-CCA) security requires the adversary to output a target tag $t^*$ before seeing the public key or any decryptions. To formalise this, we define an adversary Adv playing the following game:

$\mathrm{Adv}(1^k) \to t^*$
$\mathrm{Setup}(1^k) \to gk$; $\mathrm{Keygen}(gk) \to (pk, sk)$
$\mathrm{Adv}^{\mathrm{Dec}(\cdot)}(pk) \to (M_0, M_1)$
$b \in_R \{0, 1\}$; $C^* = \mathrm{Enc}_{pk}(M_b, t^*)$
$\mathrm{Adv}^{\mathrm{Dec}(\cdot)}(C^*) \to b' \in \{0, 1\}$

Adv may not submit any ciphertext under the tag $t^*$ to $\mathrm{Dec}(\cdot)$, may make only $q(k)$ queries for a polynomial $q$, and must choose $|M_0| = |M_1|$. We define the advantage of the adversary against stag-ind-cca security as

$$\mathrm{Advantage}^{stag}_{\mathrm{Adv}}(k) = \Pr[b' = b] - \tfrac{1}{2}.$$

For a tag-based encryption system to be deemed stag-ind-cca secure, $\mathrm{Advantage}^{stag}_{\mathrm{Adv}}(k)$ must be a negligible function in $k$ for every probabilistic polynomial-time Adv.

5.1.3 Collision-Free Hash functions

$\mathcal{H}$ is a generator of cryptographic hash functions $\mathrm{Hash} : \{0,1\}^* \to \{0,1\}^{l(k)}$. A hash function $\mathrm{Hash} \leftarrow \mathcal{H}(1^k)$ is said to be collision-free if a probabilistic polynomial-time adversary Adv has only negligible probability of finding $x \neq y$ such that $\mathrm{Hash}(x) = \mathrm{Hash}(y)$. Several such functions are publicly available, for example the SHA family of hash functions.

5.1.4 Non-Interactive Zero Knowledge proofs

A Zero-Knowledge Proof (ZKP) is a way for one party to prove a statement to another without revealing any confidential information. Consider two parties $A$ and $B$ engaged in some protocol. $A$ has a secret input $x$, which lies in a given NP-language $L$. If at some point $B$ suspects that $A$ is being dishonest in the protocol, they can challenge $A$.


At this point A has to prove that they are being honest. The simplest way to do that isto reveal x. However, A does not want to do this. They can then engage in another protocolwhich allows A to convince B that x ∈ L but reveals nothing more. To do this, A needs anadditional value, w, known as a witness.

A ZKP must satisfy the following properties:

• Completeness: A prover who knows a valid witness $w$ for $x \in L$ can convince the verifier that $x \in L$.

• Soundness: No prover can output a valid proof if $x \notin L$.

• Zero-Knowledge: The verifier learns nothing from the proof other than that $x \in L$.

This is the interactive case, where the prover and verifier engage in a protocol. Interaction may sometimes be infeasible, hence the motivation for Non-Interactive Zero-Knowledge (NIZK) proofs, where the prover computes a proof string and sends it to the verifier, who can then verify it without any further interaction with the prover.

A NIZK proof system consists of four probabilistic polynomial-time algorithms. The key generator $K$, on input $1^k$, generates the public information (the common reference string) and the secret extraction key. The prover $P$, on input of the public information, the statement $x$ and a witness $w$, outputs a NIZK proof $\chi$. The verifier $V$ takes the public information, the statement and the proof $\chi$ and outputs 1 if it accepts the proof and 0 otherwise. Finally the extractor $X$, on input of a proof $\chi$ and the extraction key $xk$, returns the witness $w$.

5.1.5 Non-Interactive Witness Indistinguishable proofs

Witness Indistinguishable Proofs (WIPs) can be thought of as a variant of ZKPs. Recallwe required a witness w for the statement x ∈ L. We observe that there may be more than1 witness for each statement. In a WIP we require that not only does the verifier not learnany confidential information, but they should also not be able to know which witness wasused. To this end, we define a new property:

• Witness Indistinguishability: The verifier does not learn anything about which witness was used to produce the proof.

We now formalise the witness indistinguishability (WI) property. Consider the game

$K(1^k) \to (crs, xk)$
$\mathrm{Adv}(crs) \to (x, w_0, w_1)$
$b \in_R \{0, 1\}$; $P(crs, x, w_b) \to \pi^*$
$\mathrm{Adv}(\pi^*) \to b'$

where we require that $w_0$ and $w_1$ are both valid witnesses for $x \in L$. We define the advantage of the adversary against WI security as

$$\mathrm{Advantage}^{WI}_{\mathrm{Adv}}(k) = \Pr[b' = b] - \tfrac{1}{2}.$$

For a proof system to have witness indistinguishability, we require that $\mathrm{Advantage}^{WI}_{\mathrm{Adv}}(k)$ is a negligible function in $k$. If there exists a simulator $S$ producing a crs that is computationally indistinguishable from one output by $K$, we have what is known as composable WI.

Again, as with ZKPs, interaction may not be feasible, hence the need for non-interactive proofs; thus we have NIWI proofs in the same manner as NIZK proofs. For this scheme we employ the Groth-Sahai proof system [GS08], with the improvements of Ghadafi et al. [GSW10], for both the NIWI and the NIZK proofs. We point out that these proof systems are in the Common Reference String model, which requires a public common reference string (crs) shared between the prover and the verifier.

As the NIZK and NIWI systems have the same component algorithms with the same naming scheme, we distinguish them by subscripting with NIZK or NIWI, i.e. $P_{NIZK}$ and $P_{NIWI}$ are the provers for the NIZK and the NIWI respectively.

5.2 The Scheme

The main component of the scheme is the certified signature scheme described above. The issuer acts as the CA and generates a certificate for each member wishing to enrol. When a user wishes to produce a group signature on a message, they generate a fresh key pair $(vk_{sots}, sk_{sots})$ for a strong one-time signature. The strong one-time signature scheme used is the Boneh-Boyen signature scheme [BB04].

To anonymise the signatures, we include a NIWI proof that there is a valid certified signature on $vk_{sots}$. Here the member's certificate, and through that their identity, is the witness. By the witness indistinguishability property the signatures are anonymous. The Opener holds the extraction key of the NIWI, which acts as $ok$; with it they can extract the certificate and thus the signer's identity.

To ensure users remain anonymous even when the adversary has access to an Open(·) oracle, we additionally encrypt the signature on $vk_{sots}$ with Kiltz' cryptosystem, using (the hash of) $vk_{sots}$ itself as the tag, and provide a NIZK proof that the encrypted signature is the same as the one encapsulated in the NIWI proof.


We now explain the NIWI and NIZK proofs in more detail. The NIWI proofs are for what Groth and Sahai call Pairing Product Equations (PPEs); here the PPEs are the verification equations of the certified signature. The NIZK proofs are for Multi-Scalar Multiplication Equations (MSMEs), which relate $y_1$, $y_2$ and $y_3$ of the ciphertext. The original scheme uses the DLIN instantiation of the proof system. For further details we refer the reader to [Gro07] and [GS08].

Finally, a note on the collision-resistant hash function. We need to hash into $\mathbb{Z}_p$, so the output length must satisfy $2^{l(k)} < p$, i.e. every $l(k)$-bit output can be read as an element of $\mathbb{Z}_p$.

We now present the full scheme:

Setup($1^k$)
  $\mathcal{G}(1^k) \to gk$; $\mathcal{H}(1^k) \to \mathrm{Hash}$
  $\mathrm{CertKey}(gk) \to ((f, h, T), z)$
  $K_{NI}(gk) \to (crs, xk)$; $K, L \in_R G$
  $\mathrm{Parse}(crs) \to (F, H, \text{the rest})$; $pk = (F, H, K, L)$
  $gpk = (gk, \mathrm{Hash}, f, h, T, crs, pk)$; $ik = z$; $ok = xk$
  Return $(gpk, ik, ok)$

Join/Issue(User$_i$: $gpk$; Issuer: $gpk, ik$)
  $\langle \mathrm{User}, \mathrm{Issuer} \rangle \to ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))$
  User: if $e(a_i, h v_i)\, e(f, b_i) = T$, set $\mathrm{Reg}[i] = v_i$ and $SK_i = (x_i, a_i, b_i)$

Sign($gpk, SK_i, m$)
  $\mathrm{KeyGen}_{sots}(1^k) \to (vk_{sots}, sk_{sots})$, repeated until $\mathrm{Hash}(vk_{sots}) \neq -x_i$
  $\rho \in_R \mathbb{Z}_p$; $a = a_i f^{-\rho}$; $b = b_i (h v_i)^{\rho}$
  $\sigma = g^{1/(x_i + \mathrm{Hash}(vk_{sots}))}$
  $\pi = P_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), (b, v_i, \sigma))$
  $y = \mathrm{Enc}_{pk}(\mathrm{Hash}(vk_{sots}), \sigma)$
  $\chi = P_{NIZK}(crs, (gpk, \pi, y), (r, s, t))$
  $\sigma_{sots} = \mathrm{Sign}_{sk_{sots}}(vk_{sots}, m, a, \pi, y, \chi)$
  Return $\Sigma = (vk_{sots}, a, \pi, y, \chi, \sigma_{sots})$

Verify($gpk, m, \Sigma$)
  Return 1 if all of the following return 1, else return 0:
    $\mathrm{Ver}_{sots}(vk_{sots}, (vk_{sots}, m, a, \pi, y, \chi), \sigma_{sots})$
    $V_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi)$
    $V_{NIZK}(crs, (gpk, \pi, y), \chi)$
    $\mathrm{VerEnc}(pk, \mathrm{Hash}(vk_{sots}), y)$

Open($gpk, ok, m, \Sigma$)
  $X_{xk}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi) \to (b, v, \sigma)$
  If there is $i$ such that $v = v_i$, return $(i, \sigma)$; else return $(0, \sigma)$

Judge($gpk, i, \mathrm{Reg}[i], m, \Sigma, \sigma$)
  If $i \neq 0 \wedge e(\sigma, v_i g^{\mathrm{Hash}(vk_{sots})}) = e(g, g)$, return 1; else return 0

Figure 5.1: The Groth Group Signature Scheme


Chapter 6

Our Contributions

Having examined the Groth Signature Scheme [Gro07], we immediately observe that all the cryptographic components can be directly translated into a Type 2 group. We detail all the components needed to construct our scheme and then present the scheme. We then make a minor modification to the scheme to obtain a slightly smaller signature. Finally we present a scheme which maps directly into a Type 3 group, and a modification of it.

6.1 Scheme 1

6.1.1 Components

We begin with the certified signature scheme. We modify the scheme to suit a Type 2group. The resulting scheme is described in Figure 6.1.

Setup($1^k$): $gk = (p, G_1, G_2, G_T, e, g_1, g_2, \psi) \leftarrow \mathcal{G}(1^k)$; return $gk$.

CertKey($gk$): $f \in_R G_1$; $h, z \in_R G_2$; $T = e(f, z)$. Return $(ak, ck) = ((gk, f, h, T), (ak, z))$.

Sign$_{sk}(m)$: if $x = -m$ return $\bot$; else return $\sigma = g_1^{1/(x+m)}$.

$\langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck) \rangle$:
  $\langle \mathrm{User}(gk), \mathrm{Issuer}(gk) \rangle \to (x, v)$, with $v = g_2^x$
  Issuer: $r \in_R \mathbb{Z}_p$; $a = f^{-r}$; $b = (vh)^r z$
  $vk = v$, $sk = x$, $cert = (a, b)$
  User output: $(vk, sk, cert)$; Issuer output: $(vk, cert)$

Ver($gk, ak, vk, cert, m, \sigma$): return 1 if $e(a, vh)\, e(f, b) = T$ and $e(\sigma, v g_2^m) = e(g_1, g_2)$; else return 0.

Figure 6.1: The Type-2 Certified Signature Scheme


Theorem 1. The certified signature scheme in Figure 6.1 has perfect correctness for all $m \in \mathbb{Z}_p \setminus \{-x\}$.

Proof. Correctness follows from the correctness of the key generation protocol, which is the same as in the original scheme, together with the two verification equations: $e(a, vh)\, e(f, b) = e(f, vh)^{-r}\, e(f, vh)^{r}\, e(f, z) = T$ and $e(\sigma, v g_2^m) = e(g_1, g_2)^{(x+m)/(x+m)} = e(g_1, g_2)$, the latter being defined exactly when $m \neq -x$.
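As an added worked example (our own code, not from the dissertation), the scheme of Figure 6.1 can be exercised in a toy Type-2 group in which every element of $G_1$, $G_2$ and $G_T$ is represented by its discrete logarithm modulo a prime $P$: multiplication becomes addition of exponents, exponentiation becomes multiplication, and the pairing becomes the product of the two exponents. This is the bookkeeping of the generic group model above without the random encodings, so it checks the algebra of both verification equations, the excluded message $m = -x$ and the certificate re-randomisation $a = a_i f^{-\rho}$, $b = b_i(hv_i)^{\rho}$ that Sign later uses; it also goes one step beyond the text by checking that a certificate issued to a different user does not verify under $vk$. It is not secure, since discrete logarithms are trivial by construction, and the prime $P = 2^{127}-1$ and all function names are our own choices.

```python
# Added example (not from the dissertation): the Type-2 certified signature
# scheme of Figure 6.1 in a TOY bilinear group.  Every element of G1, G2, GT is
# represented by its discrete logarithm mod P, so group multiplication is
# addition of exponents, exponentiation is multiplication and the pairing
# e(X, Y) is the product of the two exponents.  This only checks the algebra;
# discrete logs are trivial here, so nothing in this file is secure.
import secrets

P = 2**127 - 1                        # prime group order p (constructed toy parameter)

def mul(a, b):  return (a + b) % P     # X * Y
def exp(a, k):  return (a * k) % P     # X^k
def pair(a, b): return (a * b) % P     # e(X, Y)

G1, G2 = 1, 1                          # generators g1, g2 (exponent 1 in each group)
GT = pair(G1, G2)                      # e(g1, g2)

def rnd():
    """Uniform non-zero exponent in Z_p."""
    return secrets.randbelow(P - 1) + 1

def cert_key():
    """CertKey(gk): f in G1, h, z in G2, T = e(f, z).  Returns (ak, ck)."""
    f, h, z = exp(G1, rnd()), exp(G2, rnd()), exp(G2, rnd())
    return (f, h, pair(f, z)), z

def key_reg(ak, ck):
    """<User, Issuer>: user key x, v = g2^x; issuer certificate (a, b) with
    a = f^-r, b = (v h)^r z.  Returns (vk, sk, cert)."""
    f, h, _ = ak
    z = ck
    x = rnd()
    v = exp(G2, x)
    r = rnd()
    a = exp(f, -r)
    b = mul(exp(mul(v, h), r), z)
    return v, x, (a, b)

def rerandomise(ak, vk, cert):
    """a' = a f^-rho, b' = b (h v)^rho, as Sign does in the group signature."""
    f, h, _ = ak
    a, b = cert
    rho = rnd()
    return mul(a, exp(f, -rho)), mul(b, exp(mul(h, vk), rho))

def sign(sk, m):
    """Boneh-Boyen: sigma = g1^{1/(x+m)}; bottom (None) when m = -x."""
    if (sk + m) % P == 0:
        return None
    return exp(G1, pow((sk + m) % P, -1, P))

def verify(ak, vk, cert, m, sigma):
    """Ver(gk, ak, vk, cert, m, sigma): both equations of Figure 6.1."""
    if sigma is None:
        return False
    f, h, T = ak
    a, b = cert
    cert_ok = mul(pair(a, mul(vk, h)), pair(f, b)) == T      # e(a, vh) e(f, b) = T
    sig_ok = pair(sigma, mul(vk, exp(G2, m))) == GT           # e(sigma, v g2^m) = e(g1, g2)
    return cert_ok and sig_ok

def demo(m=12345):
    """Returns (honest signature verifies, foreign certificate rejected,
    re-randomised certificate verifies, Sign(-x) is bottom)."""
    ak, ck = cert_key()
    vk, sk, cert = key_reg(ak, ck)
    sigma = sign(sk, m)
    ok = verify(ak, vk, cert, m, sigma)
    _, _, other_cert = key_reg(ak, ck)           # certificate of a different user
    cross = verify(ak, vk, other_cert, m, sigma)
    ok_r = verify(ak, vk, rerandomise(ak, vk, cert), m, sigma)
    bot = sign(sk, (-sk) % P)
    return ok, cross, ok_r, bot

if __name__ == "__main__":
    print(demo())   # (True, False, True, None)
```

Because the toy model records only exponents, the same code with the roles of $G_1$ and $G_2$ swapped reproduces the algebra of the reversed scheme of Figure 6.4; what it cannot show is anything about hardness, which is exactly what the generic-group argument above is for.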

In the original scheme [Gro07], Groth used the q-U assumption. We introduce a variant of this assumption in a Type 2 group, which we call the q-Unfakeability Type 2a (q-U-2a) Assumption. We write the description of a Type 2 group as $gk = (p, G_1, G_2, G_T, e, g_1, g_2, \psi)$, where $p$ is the prime order of the groups, $g_1$ and $g_2$ are generators of $G_1$ and $G_2$ respectively, $e : G_1 \times G_2 \to G_T$ is the bilinear map and $\psi : G_2 \to G_1$ is the efficiently computable homomorphism. The assumption is stated as follows:

Given a polynomial $q$, the description of a Type 2 group $gk$, public elements $f \in_R G_1$, $h \in_R G_2$ and $T = e(f, z)$ for a private element $z \in_R G_2$, and, for $1 \leq i \leq q(k)$, values $x_i, r_i \in_R \mathbb{Z}_p$ of which the adversary receives $x_i$ together with $a_i = f^{-r_i}$ and $b_i = h^{r_i} g_2^{x_i r_i} z$, find $(V, A, B, m, S)$ such that
$$V \notin \{g_2^{x_1}, \ldots, g_2^{x_{q(k)}}\}, \qquad e(A, hV)\, e(f, B) = T \qquad \text{and} \qquad e(S, V g_2^m) = e(g_1, g_2).$$

Theorem 2. The q-U-2a assumption holds in the generic group model.

We use the generic group model to prove the assumption. In the generic group model we do not give the adversary access to the actual group elements, but instead random encodings of their discrete logarithms. To do this we employ random bijections $[\cdot]_1 : \mathbb{Z}_p \to G_1$, $[\cdot]_2 : \mathbb{Z}_p \to G_2$ and $[[\cdot]] : \mathbb{Z}_p \to G_T$. The adversary can operate on these encodings only through an oracle $\mathcal{O}$, defined as follows:

• On (exp, $x$) return $[x]_i$.

• On (bilinear, $[x]_1$, $[y]_2$) return $[[xy]]$.

• On (multiply, $[x]_i$, $[y]_i$) return $[x + y]_i$.

• On (homomorphism, $[x]_2$) return $[x]_1$.

• On (multiply, $[[x]]$, $[[y]]$) return $[[x + y]]$.

Here $i \in \{1, 2\}$. For notational simplicity we drop the subscripts where the group is clear from context. We note that the oracle only allows the adversary to compute linear combinations of the elements it has been given, plus pairings of pairs of such elements.

Proof. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:

$$\Pr\big[gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma_1, \gamma_2, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;$$
$$([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [-\phi r_1], [\eta r_1 + x_1 \gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [-\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)} \gamma_2 r_{q(k)} + \zeta]\big) :$$
$$[v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\} \wedge [[a(\eta + v) + \phi b]] = [[\phi\zeta]] \wedge [[s(v + \gamma_2 m)]] = [[\gamma_1 \gamma_2]]\big] \approx 0.$$

Here $g_1 = [\gamma_1]$, $g_2 = [\gamma_2]$, $f = [\phi]$, $h = [\eta]$ and $z = [\zeta]$, so that $T = [[\phi\zeta]]$, $v_i = g_2^{x_i} = [\gamma_2 x_i]$, $a_i = f^{-r_i} = [-\phi r_i]$ and $b_i = h^{r_i} v_i^{r_i} z = [\eta r_i + x_i \gamma_2 r_i + \zeta]$.

We observe that $\mathcal{A}$ can only generate group elements whose encodings are low-degree polynomials in $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ (the $x_i$ are known constants). The conditions for success are

(1) $[[s(v + \gamma_2 m) - \gamma_1 \gamma_2]] = [[0]]$ and (2) $[[a(\eta + v) + \phi b - \phi\zeta]] = [[0]]$.

For $\mathcal{A}$ to succeed, two low-degree polynomials must evaluate to 0. By the Schwartz-Zippel lemma, a low-degree polynomial that is not identically 0 evaluates to 0 at randomly chosen $\gamma_1, \gamma_2, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ with only negligible probability. Thus, to show that the problem is intractable, it suffices to show that $\mathcal{A}$ cannot construct polynomials that are identically 0 while $v \notin \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$.

We start with equation (1) and show that the only way to satisfy it is for $\mathcal{A}$ to pick $v_g \in_R \mathbb{Z}_p$ and use the oracle to compute $[v_g \gamma_2]$. For this step we may assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input, so that $s$ and $v$ are linear in $\gamma_1, \gamma_2$ only; write $s = s_d + s_g \gamma_1$ and $v = v_d + v_g \gamma_2$ for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$. Substituting into (1) gives
$$s_d v_d + s_d(v_g + m)\gamma_2 + s_g v_d \gamma_1 + (s_g(v_g + m) - 1)\gamma_1 \gamma_2 = 0.$$
Assume for contradiction that $v_d \neq 0$. The constant term gives $s_d v_d = 0$, so $s_d = 0$; the coefficient of $\gamma_1$ gives $s_g v_d = 0$, so $s_g = 0$. Thus $s = 0$, which contradicts $s(v + m\gamma_2) = \gamma_1 \gamma_2$. We conclude that $\mathcal{A}$ can only succeed if $v = v_g \gamma_2$.

We now consider equation (2): $a(\eta + v_g \gamma_2) + \phi b - \phi\zeta = 0$. Since $a$ and $b$ are constructed by calls to $\mathcal{O}$, we can write them as
$$a = a_d + a_f \phi + a_g \gamma_1 + a_h \eta + \sum_{i=1}^{q(k)} a_{a_i} \phi r_i + \sum_{i=1}^{q(k)} a_{b_i}(\eta r_i + x_i \gamma_2 r_i + \zeta),$$
$$b = b_d + b_g \gamma_2 + b_h \eta + \sum_{i=1}^{q(k)} b_{b_i}(\eta r_i + x_i \gamma_2 r_i + \zeta),$$
for known $a_d, a_f, a_g, a_h, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i} \in \mathbb{Z}_p$ (the $\eta$ and $b_i$ terms of $a$ are available through the homomorphism $\psi$). Examining the coefficient of $\phi\zeta$ we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists some $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives $a_{a_i} + b_{b_i} = 0$, i.e. $a_{a_i} = -b_{b_i}$. Finally the coefficient of $\phi\gamma_2 r_i$ gives $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$, and since $b_{b_i} \neq 0$ we get $v_g = x_i$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$, contradicting the requirement on $v$.

Theorem 3. The scheme in Figure 6.1 is a certified signature scheme which is unfakeable under the q-U-2a assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.

Proof. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature under a key that has not been certified, that is:

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (ak, ck) \leftarrow \mathrm{CertKey}(gk); (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > 2k^{-\delta}.$$


Let $q(k)$ be a polynomial upper bound on the number of queries $\mathcal{A}$ can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most $\frac{1}{q(k) k^{\delta}}$ per query. This allows us to pick $x_1, \ldots, x_{q(k)}$ in advance and assign the $i$-th registration the signing key $x_i$. We call this modified oracle SimKeyReg, which gives us

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (ak, ck) \leftarrow \mathrm{CertKey}(gk); x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p; (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > k^{-\delta}.$$

With this modified oracle, $\mathcal{A}$ only sees certificates on $v_i = g_2^{x_i}$, which are of the form $a_i = f^{-r_i}$, $b_i = h^{r_i} g_2^{x_i r_i} z$ for $1 \leq i \leq q(k)$. It follows directly from the q-U-2a assumption that this probability is negligible, which gives a contradiction. Therefore the scheme is unfakeable.

We now show existential unforgeability. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature on a fresh message under weak chosen message attack:

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (St_1, ak) \leftarrow \mathcal{A}(gk); ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1) \rangle; (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) : m \notin Q \wedge \mathrm{Ver}(gk, ak, v, (a', b'), m, \sigma) = 1] > 2k^{-\delta}.$$

Part of the key generation is an interactive protocol, and it is possible to black-box simulate a malicious issuer's view. After the keys are generated we can also simulate the certification part, since only the adversary acts there. The error of this simulation can be set to not exceed $k^{-\delta}$, giving us

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (St_1, ak) \leftarrow \mathcal{A}(gk); x \in_R \mathbb{Z}_p; v = g_2^x; (g_2^u, St_2) \leftarrow S_I^{\mathcal{A}(St_1)}; (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) : m \notin Q \wedge \mathrm{Ver}(gk, ak, v, (a', b'), m, \sigma) = 1] > k^{-\delta},$$

where $u \in \{\bot, x\}$. We are now in a situation where $v$ is an honestly chosen Boneh-Boyen verification key and $\mathcal{A}$ only has access to a weak chosen message attack. For a signature made by $\mathcal{A}$ to be valid we must have $u \neq \bot$, hence $v = g_2^u$, and the certified signature then contains a valid Boneh-Boyen signature on a message $m \notin Q$. But the Boneh-Boyen signature scheme is secure against weak chosen message attack under the q-SDH assumption [BB08], so the probability above must be negligible. This is a contradiction; therefore the certified signature scheme is existentially unforgeable under weak chosen message attack.

We now move to the cryptosystem. Again we translate the scheme proposed by Kiltz[Kil06] into a Type 2 setting. The modified scheme is described in Figure 6.2.

Theorem 4. The cryptosystem in Figure 6.2 is selective-tag CCA-secure under the DLINassumption in G1.


Setup($1^k$): $gk = (p, G_1, G_2, G_T, e, g_1, g_2, \psi) \leftarrow \mathcal{G}(1^k)$; return $gk$.

KeyGen($gk$): $\phi, \eta \in_R \mathbb{Z}_p$; $F = g_1^{\phi}$, $H = g_1^{\eta}$; $K, L \in_R G_2$. Return $(pk, sk) = ((gk, F, H, K, L), (\phi, \eta))$.

Enc$_{pk}(t, M)$: $r, s \in_R \mathbb{Z}_p$; $y_1 = F^r$, $y_2 = H^s$, $y_3 = g_1^{r+s} M$, $y_4 = (g_2^t K)^r$, $y_5 = (g_2^t L)^s$. Return $C = (y_1, y_2, y_3, y_4, y_5)$.

Ver($pk, C, t$): if $e(y_1, g_2^t K) = e(F, y_4)$ and $e(y_2, g_2^t L) = e(H, y_5)$ return 1; else return 0.

Dec$_{sk}(C, t)$: if Ver($pk, C, t$) $= 1$ return $M = y_3\, y_1^{-1/\phi}\, y_2^{-1/\eta}$; else return $\bot$.

Figure 6.2: The Type-2 Tag-Based Encryption Scheme

Proof. Consider the following game between an adversary $\mathcal{A}$ that is a DLIN solver and an adversary $\mathcal{B}$ that breaks the stag-ind-cca security of the scheme. We show that $\mathcal{A}$ can use $\mathcal{B}$ to solve DLIN.

INIT STAGE: $\mathcal{A}$ receives the DLIN instance $(gk, (g_1, F, H, F^{r^*}, H^{s^*}, w))$ and must decide whether $w = g_1^{r^* + s^*}$. It then calls $\mathcal{B}(1^k) \to t^*$.

FIND STAGE: $\mathcal{A}$ picks $c_1, c_2 \in_R \mathbb{Z}_p$ and selects $K, L \in G_2$ such that $\psi(K) = g_1^{-t^*} F^{c_1}$ and $\psi(L) = g_1^{-t^*} H^{c_2}$. This defines $pk = (gk, F, H, K, L)$. For any valid ciphertext $C$ encrypted under a tag $t \neq t^*$ we get, using $\psi(K) = g_1^{-t^*} F^{c_1}$,
$$\psi(y_4) = \psi(K^r g_2^{tr}) = \psi(K)^r\, \psi(g_2)^{tr} = g_1^{-t^* r} F^{c_1 r} g_1^{tr} = (g_1^r)^{t - t^*} y_1^{c_1},$$
and similarly $\psi(y_5) = (g_1^s)^{t - t^*} y_2^{c_2}$. Using these relationships we can construct our decryption oracle:
$$K_E = \left( \frac{\psi(y_4)\, \psi(y_5)}{y_1^{c_1} y_2^{c_2}} \right)^{\frac{1}{t - t^*}} = g_1^{r+s},$$
where $y_3 = K_E M$. This gives $M = y_3 K_E^{-1}$ and thus lets us answer decryption queries for every tag except $t^*$, which the game forbids.

GUESS STAGE: $\mathcal{B}$ returns two messages $M_0, M_1$ of equal length. $\mathcal{A}$ selects $b \in_R \{0, 1\}$ and generates the challenge ciphertext $C^* = (F^{r^*}, H^{s^*}, w M_b, (g_2^{t^*} K)^{r^*}, (g_2^{t^*} L)^{s^*})$. Adversary $\mathcal{B}$ is then given $C^*$, and we answer its decryption queries as before. After making its queries, $\mathcal{B}$ outputs $b' \in \{0, 1\}$. If $b' = b$ then $\mathcal{A}$ guesses that $C^*$ was a valid ciphertext, i.e. $w = g_1^{r^* + s^*}$, and outputs 1; otherwise it outputs 0.
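To make the algebra of Figure 6.2 and of the reduction above concrete, here is an added example (our own code, not part of the dissertation) in the same toy exponent model used for the certified signature: elements are discrete logarithms modulo $P$, $e(X, Y)$ is the product of exponents and $\psi$ is the identity on exponents. It runs KeyGen, Enc, Ver and Dec, then sets up the reduction's keys with $\psi(K) = g_1^{-t^*} F^{c_1}$, $\psi(L) = g_1^{-t^*} H^{c_2}$ and decrypts with $(c_1, c_2)$ alone via $K_E$, which works for every tag except $t^*$ and fails there because $t - t^*$ is not invertible. The toy builds $K$ by reusing the exponent of $F^{c_1}$ inside $G_2$, a shortcut that exists only because the toy has no separate groups; the prime and all names are constructed for the example.

```python
# Added example (not from the dissertation): the Type-2 Kiltz tag-based
# encryption of Figure 6.2 and the reduction's alternative decryption from the
# proof of Theorem 4, in a TOY exponent model (element = discrete log mod P;
# e(X, Y) = product of exponents; psi = identity on exponents).
# Not secure: the point is only to check the equations.
import secrets

P = 2**127 - 1                         # prime group order p (constructed toy parameter)

def mul(a, b):  return (a + b) % P      # X * Y
def exp(a, k):  return (a * k) % P      # X^k
def pair(a, b): return (a * b) % P      # e(X, Y)
def psi(a):     return a                # psi: G2 -> G1 (same exponent in the toy)

G1, G2 = 1, 1                           # generators g1, g2

def rnd():
    return secrets.randbelow(P - 1) + 1

def keygen():
    """KeyGen(gk): F = g1^phi, H = g1^eta, K, L random in G2; sk = (phi, eta)."""
    phi, eta = rnd(), rnd()
    return (exp(G1, phi), exp(G1, eta), exp(G2, rnd()), exp(G2, rnd())), (phi, eta)

def encrypt(pk, t, M):
    """Enc_pk(t, M) with M in G1 (an exponent here)."""
    F, H, K, L = pk
    r, s = rnd(), rnd()
    return (exp(F, r), exp(H, s), mul(exp(G1, r + s), M),
            exp(mul(exp(G2, t), K), r), exp(mul(exp(G2, t), L), s))

def ver(pk, C, t):
    """Ver(pk, C, t): e(y1, g2^t K) = e(F, y4) and e(y2, g2^t L) = e(H, y5)."""
    F, H, K, L = pk
    y1, y2, _, y4, y5 = C
    return (pair(y1, mul(exp(G2, t), K)) == pair(F, y4) and
            pair(y2, mul(exp(G2, t), L)) == pair(H, y5))

def decrypt(pk, sk, C, t):
    """Dec_sk(C, t) = y3 * y1^{-1/phi} * y2^{-1/eta}, or None if C is invalid."""
    if not ver(pk, C, t):
        return None
    phi, eta = sk
    y1, y2, y3, _, _ = C
    return mul(y3, mul(exp(y1, -pow(phi, -1, P)), exp(y2, -pow(eta, -1, P))))

def sim_keygen(F, H, t_star):
    """Reduction's setup: c1, c2 random and K, L chosen so that
    psi(K) = g1^{-t*} F^{c1} and psi(L) = g1^{-t*} H^{c2}.  The toy simply
    reuses the G1 exponent of F^{c1} inside G2 (a shortcut only the toy has)."""
    c1, c2 = rnd(), rnd()
    K = mul(exp(G2, -t_star), exp(F, c1))
    L = mul(exp(G2, -t_star), exp(H, c2))
    return (F, H, K, L), (c1, c2, t_star)

def sim_decrypt(pk, trap, C, t):
    """Decrypt with (c1, c2) only:
    K_E = (psi(y4) psi(y5) / (y1^{c1} y2^{c2}))^{1/(t - t*)} = g1^{r+s}, M = y3 / K_E.
    Undefined for t = t*, which is exactly the tag the game forbids."""
    if not ver(pk, C, t):
        return None
    c1, c2, t_star = trap
    if (t - t_star) % P == 0:
        return None
    y1, y2, y3, y4, y5 = C
    num = mul(psi(y4), psi(y5))
    den = mul(exp(y1, c1), exp(y2, c2))
    KE = exp(mul(num, exp(den, -1)), pow((t - t_star) % P, -1, P))
    return mul(y3, exp(KE, -1))

def demo(t_star=7, t=11):
    """(normal decryption correct, wrong tag rejected,
    alternative decryption correct for t != t*, alternative decryption at t*)."""
    M = rnd()
    pk, sk = keygen()
    C = encrypt(pk, t, M)
    normal = decrypt(pk, sk, C, t) == M
    wrong_tag = decrypt(pk, sk, C, t + 1)            # validity check fails
    pk2, trap = sim_keygen(pk[0], pk[1], t_star)
    alt = sim_decrypt(pk2, trap, encrypt(pk2, t, M), t) == M
    on_target = sim_decrypt(pk2, trap, encrypt(pk2, t_star, M), t_star)
    return normal, wrong_tag, alt, on_target

if __name__ == "__main__":
    print(demo())   # (True, None, True, None)
```

The `wrong_tag` case shows why the tag must travel with the ciphertext: the validity check binds $y_4, y_5$ to the tag used at encryption, so a ciphertext resubmitted under another tag is rejected rather than decrypted.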


With respect to the NIZK and NIWI, we use a DDH/DLIN hybrid scheme of [GS08] asdescribed by [GSW10], although no details are given. We leave it to the reader to expandon the exact construction of the schemes if they so choose, but we do include a table of thenumber of elements required for each type of proof in Appendix A.

We observe that moving from a Type 1 to a Type 2 group does not affect the requirementsof the collision-free hash function in any way. Thus we do not need to change anything fromthe original requirements.

6.1.2 The Scheme

Having now described all the cryptographic primitives needed, we proceed to detail ourscheme. The scheme is detailed in Figure 6.3.

We now proceed to prove correctness and the security of our scheme.

Lemma 1. The group signature scheme is anonymous under the DLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Consider the probability

$$\Pr[(gpk, ik, ok) \leftarrow \mathrm{Setup}(1^k) : \mathcal{A}^{\mathrm{Ch}_b, \mathrm{Open}, \mathrm{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1]$$

from the definition of anonymity [BSZ05]. For our scheme to be anonymous we require that the probabilities for $b = 0$ and $b = 1$ differ only negligibly.

We begin by modifying the game such that we abort if a group signature submitted to the Open(·) oracle contains a valid strong one-time signature under the challenge key $vk^*_{sots}$. By the existential unforgeability of the strong one-time signature, the probability that we abort for this reason is negligible. Thus we may assume that $vk^*_{sots}$ is not used in any valid query to Open(·).

We also abort if there is a collision with $\mathrm{Hash}(vk^*_{sots})$. The collision-resistance of the hash function implies that the probability of this is negligible, so from now on we assume that no such collision occurs.

We now modify how we generate the public key of the cryptosystem. We pick $\kappa, \lambda \in_R \mathbb{Z}_p$, set $K = g_2^{\kappa}$, $L = g_2^{\lambda}$ and store $\kappa$ and $\lambda$. Whenever Open receives a valid group signature, we use $\kappa, \lambda$ to decrypt the tag-based ciphertext. By the validity checks of the tag-based cryptosystem and the perfect soundness of the NIZK proof $\chi$, this gives the same signature $\sigma$ as would be extracted from the NIWI proof $\pi$. We then search Reg for an $i$ such that
$$e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2).$$
If there is one, we return $(i, \sigma)$; this equation determines $v_i$, so we obtain the same $v_i$ as we would by running the extractor on the NIWI proof $\pi$. If we find no such $v_i$, we return $(0, \sigma)$ and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change when the value of $b$ changes.


Setup($1^k$)
  $\mathcal{G}(1^k) \to gk$; $\mathcal{H}(1^k) \to \mathrm{Hash}$
  $\mathrm{CertKey}(gk) \to ((f, h, T), z)$
  $K_{NI}(gk) \to (crs, xk)$; $K, L \in_R G_2$
  $\mathrm{Parse}(crs) \to (F, H, \text{the rest})$; $pk = (F, H, K, L)$
  $gpk = (gk, \mathrm{Hash}, f, h, T, crs, pk)$; $ik = z$; $ok = xk$
  Return $(gpk, ik, ok)$

Join/Issue(User$_i$: $gpk$; Issuer: $gpk, ik$)
  $\langle \mathrm{User}, \mathrm{Issuer} \rangle \to ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))$
  User: if $e(a_i, h v_i)\, e(f, b_i) = T$, set $\mathrm{Reg}[i] = v_i$ and $SK_i = (x_i, a_i, b_i)$

Sign($gpk, SK_i, m$)
  $\mathrm{KeyGen}_{sots}(1^k) \to (vk_{sots}, sk_{sots})$, repeated until $\mathrm{Hash}(vk_{sots}) \neq -x_i$
  $\rho \in_R \mathbb{Z}_p$; $a = a_i f^{-\rho}$; $b = b_i (h v_i)^{\rho}$
  $\sigma = g_1^{1/(x_i + \mathrm{Hash}(vk_{sots}))}$
  $\pi = P_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), (b, v_i, \sigma))$
  $y = \mathrm{Enc}_{pk}(\mathrm{Hash}(vk_{sots}), \sigma)$
  $\chi = P_{NIZK}(crs, (gpk, \pi, y), (r, s, t))$
  $\sigma_{sots} = \mathrm{Sign}_{sk_{sots}}(vk_{sots}, m, a, \pi, y, \chi)$
  Return $\Sigma = (vk_{sots}, a, \pi, y, \chi, \sigma_{sots})$

Verify($gpk, m, \Sigma$)
  Return 1 if all of the following return 1, else return 0:
    $\mathrm{Ver}_{sots}(vk_{sots}, (vk_{sots}, m, a, \pi, y, \chi), \sigma_{sots})$
    $V_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi)$
    $V_{NIZK}(crs, (gpk, \pi, y), \chi)$
    $\mathrm{VerEnc}(pk, \mathrm{Hash}(vk_{sots}), y)$

Open($gpk, ok, m, \Sigma$)
  $X_{xk}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi) \to (b, v, \sigma)$
  If there is $i$ such that $v = v_i$, return $(i, \sigma)$; else return $(0, \sigma)$

Judge($gpk, i, \mathrm{Reg}[i], m, \Sigma, \sigma$)
  If $i \neq 0 \wedge e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2)$, return 1; else return 0

Figure 6.3: The Type-2 Group Signature Scheme

Due to our changes to the Open oracle, we no longer need $xk$. This allows us to switch to a simulated common reference string that gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that $\mathcal{A}$ outputs 1. The perfect witness-indistinguishability implies that $\mathcal{A}$ gains no information about which identity, and through it which secret key, was used to create the group signature.

This leaves the ciphertext $y$. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for $b = 1$ and $b = 0$ differ negligibly. We use the group signature adversary to construct an adversary against the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is $pk = (gk, F, H, K, L)$. Using $gk, F, H$ we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge; this simulated crs has a trapdoor key $tk$ consisting of the discrete logarithms of the other crs elements with respect to $g_1, g_2, F, H$. From $pk$ we can build a valid group public key $gpk$, and we can emulate the oracles CrptU, SndToI, AddU and USK. Whenever we receive a valid query to Open, it contains a ciphertext $y$ whose tag is never $\mathrm{Hash}(vk^*_{sots})$, so we can use the alternative decryption from the proof of Theorem 4 to obtain $\sigma$.

We now construct the challenge group signature from a challenge ciphertext. We first pick $(vk^*_{sots}, sk^*_{sots})$ and use $\mathrm{Hash}(vk^*_{sots})$ as the target tag $t^*$; these are chosen independently of $pk$. We then receive $pk$ and run the group signature game as described above. $\mathcal{A}$ outputs $i_0, i_1, m$ for the challenge group signature. We produce the certified signatures $\sigma_0, \sigma_1$ of users $i_0, i_1$ on $\mathrm{Hash}(vk^*_{sots})$, submit them as the challenge messages and receive $y^*$, an encryption of $\sigma_b$ under the tag $t^*$. As the simulated crs gives perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities differed for $b = 0$ and $b = 1$, we could thus distinguish whether $y^*$ encrypts $\sigma_0$ or $\sigma_1$; but by the stag-ind-cca security the two cases are indistinguishable.

Lemma 2. The group signature scheme is traceable if the q-U-2a assumption holds.

Proof. We have to show that valid signatures lead to the provable identification of the signer. Formally:

$$\Pr[(gpk, ik, ok) \leftarrow \mathrm{Setup}(1^k); (m^*, \Sigma^*) \leftarrow \mathcal{A}^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok); (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, \mathrm{Reg}, m^*, \Sigma^*) : \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge (\mathrm{Judge}(gpk, i, \mathrm{Reg}[i], m^*, \Sigma^*, \sigma) = 0 \vee i = 0)] \approx 0.$$

By the soundness of the NIWI proof, a valid group signature $\Sigma$ implies that there is a valid certified signature on $\mathrm{Hash}(vk_{sots})$. Using the extraction key $xk$ of the NIWI we can extract that signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the $v_i$ issued by the issuer, which leads us to the user $i$ who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted signature $\sigma$ is indeed a signature on $\mathrm{Hash}(vk_{sots})$ under the verification key $v_i$, so Judge outputs 1.

Lemma 3. The group signature scheme has non-frameability under the q-SDH assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. We have to show that no member can be framed for making a signature they did not make. Formally:

$$\Pr[(gpk, ik, ok) \leftarrow \mathrm{Setup}(1^k); (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) : \mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge \mathrm{Judge}(gpk, i^*, \mathrm{Reg}[i^*], m^*, \Sigma^*, \sigma^*) = 1 \wedge i^* \in HU \wedge (m^*, \Sigma^*) \notin \mathrm{GSet}] \approx 0.$$


By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that $\mathcal{A}$ produces a group signature re-using one of the $vk_{sots}$ produced by GSig. The collision-resistance of the hash function implies that there is a negligible probability that $\mathrm{Hash}(vk^*_{sots})$ collides with any $\mathrm{Hash}(vk_{sots})$ used by the GSig oracle. We can therefore assume that any attempt to frame a user requires producing a certified signature on a value $\mathrm{Hash}(vk^*_{sots})$ that the user has not previously signed.

Let $n(k)$ be a polynomial upper bound on the number of AddU queries made. We have at least a $n(k)^{-1}$ chance of guessing the honest user that $\mathcal{A}$ will attempt to frame. For that user the probability that $\mathcal{A}$ can produce a valid $\sigma$ on $\mathrm{Hash}(vk^*_{sots})$ is negligible by the existential unforgeability of the Boneh-Boyen signature scheme against weak chosen message attack, so the probability of framing is negligible.

Theorem 5. The group signature scheme has perfect correctness, and has anonymity, traceability and non-frameability under the DLIN, q-SDH and q-U-2a assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. Anonymity, traceability and non-frameability follow from Lemmas 1, 2 and 3.

6.2 Scheme 2

When working in asymmetric bilinear groups, one needs to be cognisant of the fact that elements in $G_1$ are much larger than elements in $G_2$. Thus when working towards efficiency, it is paramount that we not only use a minimum of group elements, but also a minimum of elements in $G_1$. We observe that the certified signature scheme can in effect be reversed, that is, all the elements from $G_1$ can be placed in $G_2$ and vice versa. We detail the resulting scheme below.

6.2.1 Components

We begin by changing the certified signature scheme from scheme 1. The new scheme isgiven in Figure 6.4.

We observe that when we translate this scheme to the generic group model, the resultscome out similar. We need to prove a new assumption, which is a minor variation of theq-U-2a assumption, which we will call the q-U-2b Assumption.

Theorem 6. The q-U-2b assumption holds in the generic group model.


Setup($1^k$): $gk = (p, G_1, G_2, G_T, e, g_1, g_2, \psi) \leftarrow \mathcal{G}(1^k)$; return $gk$.

CertKey($gk$): $f \in_R G_2$; $h, z \in_R G_1$; $T = e(z, f)$. Return $(ak, ck) = ((gk, f, h, T), (ak, z))$.

Sign$_{sk}(m)$: if $x = -m$ return $\bot$; else return $\sigma = g_2^{1/(x+m)}$.

$\langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck) \rangle$:
  $\langle \mathrm{User}(gk), \mathrm{Issuer}(gk) \rangle \to (x, v)$, with $v = g_1^x$
  Issuer: $r \in_R \mathbb{Z}_p$; $a = f^{-r}$; $b = (vh)^r z$
  $vk = v$, $sk = x$, $cert = (a, b)$
  User output: $(vk, sk, cert)$; Issuer output: $(vk, cert)$

Ver($gk, ak, vk, cert, m, \sigma$): return 1 if $e(vh, a)\, e(b, f) = T$ and $e(v g_1^m, \sigma) = e(g_1, g_2)$; else return 0.

Figure 6.4: The Modified Type-2 Certified Signature Scheme

The proof of the q-U-2b assumption is similar to the proof for the q-U-2a assumption; it is given in Appendix B.1.

Theorem 7. The scheme in Figure 6.4 is a certified signature scheme with perfect correctness which is unfakeable under the q-U-2b assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.

Proof. Perfect correctness follows from the perfect correctness of the key generation protocol, which is the same as in [Gro07]. For unfakeability, assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature under a key that has not been certified, that is:

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (ak, ck) \leftarrow \mathrm{CertKey}(gk); (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > 2k^{-\delta}.$$

Let $q(k)$ be a polynomial upper bound on the number of queries $\mathcal{A}$ can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most $\frac{1}{q(k) k^{\delta}}$ per query. This allows us to pick $x_1, \ldots, x_{q(k)}$ in advance and assign the $i$-th registration the signing key $x_i$. We call this modified oracle SimKeyReg, which gives us

$$\Pr[gk \leftarrow \mathcal{G}(1^k); (ak, ck) \leftarrow \mathrm{CertKey}(gk); x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p; (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) : vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > k^{-\delta}.$$

With this modified oracle, $\mathcal{A}$ only sees certificates on $v_i = g_1^{x_i}$, which are of the form $a_i = f^{-r_i}$, $b_i = h^{r_i} g_1^{x_i r_i} z$ for $1 \leq i \leq q(k)$. It follows directly from the q-U-2b assumption that this probability is negligible, which gives a contradiction. Therefore the scheme is unfakeable.


We now show existential unforgeability. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{-δ} of forging a signature on a message, giving us:

Pr[gk ← G(1^k); (St_1, ak) ← A(gk); ((v, x, a, b), St_2) ← ⟨User(gk, ak), A(St_1)⟩; (a′, b′, m, σ) ← A^{MessageSign(·)}(St_2) : m ∉ Q ∧ Ver(gk, ak, v, a′, b′, m, σ) = 1] > 2k^{-δ},

under weak chosen message attack. Part of the key generation is an interactive protocol, and it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error in this simulation can be set to not exceed k^{-δ}, giving us:

Pr[gk ← G(1^k); (St_1, ak) ← A(gk); x ∈_R Z_p, v = g_1^x; (g_1^u, St_2) ← S_I^{A(St_1)}; (a′, b′, m, σ) ← A^{MessageSign(·)}(St_2) : m ∉ Q ∧ Ver(gk, ak, v, a′, b′, m, σ) = 1] > k^{-δ},

where u ∈ {⊥, x}. However, we are now in a situation where v is an honestly chosen Boneh-Boyen verification key and A only has access to a weak chosen message attack. For a signature made by A to be valid, we must have g_1^u ≠ ⊥, therefore v = g_1^u. We also have a valid Boneh-Boyen signature in the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08] and therefore the probability above must be negligible. This gives a contradiction. Therefore we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.

We can no longer directly encrypt the signature σ using Kiltz' scheme, as σ ∈ G_2 and we require that σ ∈ G_1. To address this problem we utilise the homomorphism ψ and commit to ψ(σ). If we look at the second verification equation, we have e(v g_1^m, σ) = e(g_1, g_2). We also observe that e(v g_1^m ψ(σ), g_2) = e(g_1, g_2). We will use this equation in the NIWI and we will commit to the value of ψ(σ).

In the NIZK, we will also commit to ψ(σ) and encrypt it using Kiltz' scheme. This way the equations involved in the NIZK remain the same and we can proceed as before. However, now that we have ψ(σ) in the NIWI, the opener will not return (i, σ), but (i, ψ(σ)). This is still sufficient to identify the signer, as we have the identity i and we can verify using ψ(σ).

6.2.2 The Scheme

We now describe the modified scheme in full in Figure 6.5.

We now prove correctness and security of the scheme.

Lemma 4. The group signature scheme is anonymous under the DLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.


Setup(1^k):
    G(1^k) → gk; H(1^k) → Hash
    CertKey(gk) → ((f, h, T), z)
    K_NI(gk) → (crs, xk); K, L ∈_R G_2
    Parse(crs) → (F, H, the rest); pk = (F, H, K, L)
    gpk = (gk, Hash, f, h, T, crs, pk)
    ik = z; ok = xk
    Return (gpk, ik, ok)

Join/Issue(User_i: gpk, Issuer: gpk, ik):
    ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
    User: If e(h v_i, a_i) e(b_i, f) = T set Reg[i] = v_i; SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m):
    KeyGen_sots(1^k) → (vk_sots, sk_sots)  (repeat until Hash(vk_sots) ≠ −x_i)
    ρ ∈_R Z_p; a = a_i f^{−ρ}; b = b_i (h v_i)^ρ
    σ = g_2^{1/(x_i + Hash(vk_sots))}
    π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, ψ(σ)))
    y = Enc_pk(Hash(vk_sots), ψ(σ))
    χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
    σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
    Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ):
    Return 1 if all the following return 1:
        Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
        V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
        V_NIZK(crs, (gpk, π, y), χ)
        VerEnc(pk, Hash(vk_sots), y)
    Else Return 0

Open(gpk, ok, m, Σ):
    X_xk(crs, (gpk, a, Hash(vk_sots)), π) → (b, v, ψ(σ))
    If there is i such that v = v_i, Return (i, ψ(σ)); Else Return (0, ψ(σ))

Judge(PK_Group, i, Reg[i], m, Σ, ψ(σ)):
    If i ≠ 0 ∧ e(v_i g_1^{Hash(vk_sots)} ψ(σ), g_2) = e(g_1, g_2) Return 1; Else Return 0

Figure 6.5: The Modified Type 2 Group Signature Scheme

Proof. Consider the probability:

Pr[(gpk, ik, ok) ← G(1^k) : A^{Ch_b, Open, CrptU, SndToI, AddU, USK}(gpk, ik) = 1]

from the definition of anonymity [BSZ05]. For our scheme to have anonymity, we require that the probabilities for b = 0 and b = 1 differ only negligibly.

We begin by modifying the game so that we abort if a group signature submitted to the Open(·) oracle carries a valid strong one-time signature under vk*_sots. By the existential unforgeability of the strong one-time signature, there is a negligible probability that we abort for this reason. Thus we can now assume that vk*_sots is not used in any valid query to Open(·).


We also abort if there is a collision with Hash(vk*_sots). The collision-resistance property of the hash function implies that the probability of this is negligible. Thus we assume from now on that no such collision has occurred.

We now modify how we generate the public key of the cryptosystem. We pick κ, λ ∈_R Z_p, set K = g_2^κ, L = g_2^λ and store κ and λ. Whenever Open receives a valid group signature, we use κ, λ to decrypt the tag-based cryptosystem. By the tag-based validity checks and the perfect soundness of the NIZK proof χ, this gives us the same signature σ as would be extracted from the NIWI π. We can now check Reg for an i such that e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2). If this is the case, we return (i, σ). This equation defines v_i such that we get the same v_i when we run the extractor on the NIWI proof π. If we find no such v_i, we return (0, σ) and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change when the value of b changes.

Due to our changes to the Open oracle, we no longer need xk. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that A outputs 1. The perfect witness-indistinguishability implies that A can gain no information about which identity, and through it which secret key, was used to create the group signature.

This leads us to the ciphertext y. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for b = 1 and b = 0 differ negligibly. We will use the group signature adversary to construct an adversary that attacks the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is pk = (gk, F, H, K, L). Using gk, F, H we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge. This simulated crs has a trapdoor key tk, which consists of the discrete logarithms of the other elements with respect to g_1, g_2, F, H. We can build from pk a valid group signature public key gpk. We can also emulate the oracles CrptU, SndToI, AddU, USK. Whenever we have a valid query to Open, it contains a ciphertext y. The tag used in y is never Hash(vk_sots), so we can use the alternative decryption as in the proof of security, which gives us σ.

We now construct a challenge group signature from a challenge ciphertext. We first pick (vk_sots, sk_sots) and use Hash(vk_sots) as t*. These are chosen independently of pk. We now pick pk and run the group signature game as described above. A outputs i_0, i_1, m for the challenge group signature. We produce signatures σ_b on Hash(vk_sots) and encrypt them into y*. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities are different for b = 0 and b = 1, then we can distinguish whether y encrypts σ_0 or σ_1. But by the stag-ind-cca security, the probabilities for b = 0 and b = 1 are indistinguishable.


Lemma 5. The group signature scheme is traceable if the q-U-2b assumption holds.

Proof. We have to show that valid signatures lead to the provable identification of the signer. To formalise:

Pr[(gpk, ik, ok) ← KeyGen(1^k); (m*, Σ*) ← A^{CrptU, SndToI}(gpk, ok); (i, σ) ← Open(gpk, ok, Reg, m*, Σ*) : Verify(gpk, m*, Σ*) = 1 ∧ (Judge(gpk, i, Reg[i], m*, Σ*, σ) = 0 ∨ i = 0)] ≈ 0.

By the soundness of the NIWI proof, a valid group signature Σ implies that there is a valid certified signature on Hash(vk_sots). Using the extraction key xk for the NIWI, we can extract the signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the v_i's issued by the issuer. This thus leads us to the user i who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted one-time signature is indeed a signature on Hash(vk_sots) under the verification key v_i. This implies that Judge will output 1.

Lemma 6. The group signature scheme has non-frameability under the q-SDH assumptionand assuming the one-time signature is secure against weak chosen message attack and thehash function is collision-resistant.

Proof. We have to show that no member can be framed for making a signature they did not make. To formalise:

Pr[(gpk, ik, ok) ← KeyGen(1^k); (m*, Σ*, i*, σ*) ← A^{AddU, USK, GSig}(gpk, ik, ok) : Verify(gpk, m*, Σ*) = 1 ∧ Judge(gpk, i*, Reg[i*], m*, Σ*, σ*) = 1 ∧ i* ∈ HU ∧ (m*, Σ*) ∉ GSet] ≈ 0.

By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that A produces a group signature reusing one of the vk_sots produced by GSig. The collision-resistance of the hash function implies that there is a negligible probability that Hash(vk*_sots) collides with any vk_sots used by the GSig oracle. We can then assume that any attempt to frame a user requires producing a certified signature on a value Hash(vk_sots) that the user has not previously signed.

Let n(k) be a polynomial upper bound on the number of AddU queries made. We have at least a 1/n(k) chance of guessing the user identity that A will attempt to frame. However, for each honest user the probability that A can produce a valid σ on Hash(vk_sots) is negligible, by the existential unforgeability against weak chosen message attack of the Boneh-Boyen signature scheme.

Theorem 8. The group signature scheme has perfect correctness, and has anonymity, traceability and non-frameability under the DLIN, q-SDH and q-U-2b assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.


Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. The proofs of anonymity, traceability and non-frameability follow from Lemmas 4, 5 and 6.

6.3 Scheme 3

Upon further observation, we note that it is possible to move Scheme 1 to a Type 3 group without any changes. This gives us the advantage of being able to use the SXDH instantiation of the Groth-Sahai proof system [GS08], which is more efficient than the SXDLIN instantiation, or indeed even the DDH/DLIN instantiation. We mention this scheme only as it forms a starting point for Scheme 4. For completeness, Scheme 3 is given in Appendix C.

6.4 Scheme 4

As with Scheme 2, we flip the certified signature scheme, but this time we also flip the tag-based encryption scheme. Had we done so in the Type 2 setting, it would have led to the NIZK being in the DLIN group and thus increased its size and the size of the group signature. As we are now in an SXDH setting, we can flip the scheme and need not worry about the size of the scheme. We now describe the modified Type 3 scheme.

6.4.1 Components

We begin with the certified signature scheme. We will need to prove a variant of the q-U assumption for a Type 3 group, which we will call the q-U-3b assumption. We define the description of a Type 3 group as gk = (p, G_1, G_2, G_T, g_1, g_2, e), where p is the prime order of the groups, g_1 and g_2 are generators of G_1 and G_2 respectively, and e is the bilinear map. The assumption is stated as follows:

Given a polynomial q, the description of a Type 3 group gk, public elements f ∈_R G_1, h ∈ G_2, T = e(f, z), private element z ∈_R G_2, and, for 1 ≤ i ≤ q(k), x_i, r_i ∈_R Z_p, a_i = f^{r_i}, b_i = h^{r_i} g_2^{x_i r_i} z;

find (V, A, B, m, S) such that V ∉ {g_2^{x_1}, g_2^{x_2}, …, g_2^{x_{q(k)}}}, e(A, hV) e(f, B) = T and e(S, V g_2^m) = e(g_1, g_2).

Theorem 9. The q-U-3b assumption holds in the generic group model.

We will use the generic group model to prove the assumption as before, barring the homomorphism. The proof is similar to that of the q-U-2b assumption and is given in Appendix B.3.


Setup(1^k):
    gk = (p, G_1, G_2, G_T, e, g_1, g_2) ← G(1^k)
    Return gk

CertKey(gk):
    f ∈_R G_2; h, z ∈_R G_1
    T = e(z, f)
    Return (ak, ck) = ((gk, f, h, T), (ak, z))

Sign_sk(m):
    If x = −m return ⊥
    Else return σ = g_2^{1/(x+m)}

⟨User(gk, ak), Issuer(gk, ck)⟩:
    ⟨User(gk), Issuer(gk)⟩ → (x, v)
    r ∈_R Z_p; a = f^{-r}; b = (vh)^r z
    vk = v, sk = x, cert = (a, b)
    User output: (vk, sk, cert); Issuer output: (vk, cert)

Ver(gk, ak, vk, cert, m, σ):
    Return 1 if e(vh, a) e(b, f) = T and e(v g_2^m, σ) = e(g_1, g_2); else return 0

Figure 6.6: The Modified Type-3 Certified Signature Scheme

Theorem 10. The scheme described in Figure 6.6 is a certified signature scheme with perfect correctness; it is unfakeable under the q-U-3 assumption and existentially unforgeable under weak chosen message attack under the q-SDH assumption.

Proof. Perfect correctness follows from the perfect correctness of the key generation protocol; we use the same protocol as in [Gro07]. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{-δ} of forging a signature that has not been certified, that is:

Pr[gk ← G(1^k); (ak, ck) ← CertKey(gk); (vk, cert, m, σ) ← A^{KeyReg}(gk, ak) : vk ∉ Q ∧ Ver(gk, ak, vk, cert, m, σ) = 1] > 2k^{-δ}.

Let q(k) be a polynomial upper bound on the number of queries A can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of at most 1/(q(k) k^δ). This allows us to pick x_1, …, x_{q(k)} in advance to simulate this protocol, thus assigning adversarial user i the signing key x_i. We call this modified oracle SimKeyReg, which gives us

Pr[gk ← G(1^k); (ak, ck) ← CertKey(gk); x_1, …, x_{q(k)} ∈_R Z_p; (vk, cert, m, σ) ← A^{SimKeyReg(x_1, …, x_{q(k)})}(gk, ak) : vk ∉ Q ∧ Ver(gk, ak, vk, cert, m, σ) = 1] > k^{-δ}.

With this modified oracle, A only sees certificates on v_i = g_2^{x_i}, which are of the form a_i = f^{-r_i}, b_i = h^{r_i} g_2^{x_i r_i} z, for 1 ≤ i ≤ q(k). It follows directly from the q-U-2 assumption that the probability of this is negligible, which gives us a contradiction. Therefore we conclude that the scheme is unfakeable.


We now show existential unforgeability. Assume for contradiction that there exists δ > 0 such that for infinitely many k ∈ N, adversary A has probability at least 2k^{-δ} of forging a signature on a message, giving us:

Pr[gk ← G(1^k); (St_1, ak) ← A(gk); ((v, x, a, b), St_2) ← ⟨User(gk, ak), A(St_1)⟩; (a′, b′, m, σ) ← A^{MessageSign(·)}(St_2) : m ∉ Q ∧ Ver(gk, ak, v, a′, b′, m, σ) = 1] > 2k^{-δ},

under weak chosen message attack. Part of the key generation is an interactive protocol, and it is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error in this simulation can be set to not exceed k^{-δ}, giving us:

Pr[gk ← G(1^k); (St_1, ak) ← A(gk); x ∈_R Z_p, v = g_1^x; (g_1^u, St_2) ← S_I^{A(St_1)}; (a′, b′, m, σ) ← A^{MessageSign(·)}(St_2) : m ∉ Q ∧ Ver(gk, ak, v, a′, b′, m, σ) = 1] > k^{-δ},

where u ∈ {⊥, x}. However, we are now in a situation where v is an honestly chosen Boneh-Boyen verification key and A only has access to a weak chosen message attack. For a signature made by A to be valid, we must have g_1^u ≠ ⊥, therefore v = g_1^u. We also have a valid Boneh-Boyen signature in the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08] and therefore the probability above must be negligible. This gives a contradiction. Therefore we conclude that the certified signature scheme is existentially unforgeable under weak chosen message attack.

Again we see that we can no longer encrypt the signature using the tag-based cryptosystem. As we do not have access to the homomorphism ψ, we simply flip the tag-based system, as we did with the certified signature scheme. We did not do this in Scheme 2, as it would put the NIZK in the DLIN group, which would make our group signature larger. Now that we are in an SXDH group, the size of the NIZK is identical in both groups. This allows us to flip the scheme with no overhead. We now describe the modified tag-based encryption scheme.

We realise that we can no longer use the DLIN assumption and introduce a new assumption, a variant of the SXDLIN, called the Symmetric Decision Linear Assumption (SDLIN). We express this assumption in G_2 without loss of generality and note that it can hold similarly in G_1. It is stated as follows:

Given a description of a Type 3 group gk, and F, H, F^r, H^s, w_2 ∈ G_2 and w_1 ∈ G_1, where w_i = g_i^t;

Decide if t = r + s or t ∈_R Z_p.

We do not present a formal proof of the intractability of this assumption, but we present a sketch of the proof. We can see that g_2, F, H, F^r, H^s, w_2 form a valid DLIN tuple. We know that DLIN is intractable [BB04]. This leaves us with g_1, w_1, which form a valid DLOG tuple. We also see that the only possible way to compare elements in G_1 and G_2 is by mapping them into G_T. We see that e(w_1, g_2) = e(g_1, w_2). Thus if we can decide if t = r + s in either group, we can solve the SDLIN.

Setup(1^k):
    Return gk = (p, G_1, G_2, G_T, e, g_1, g_2)

KeyGen(gk):
    φ, η ∈_R Z_p; F = g_2^φ, H = g_2^η; K, L ∈_R G_1
    Return (pk, sk) = ((gk, F, H, K, L), (φ, η))

Enc_pk(t, M):
    r, s ∈_R Z_p
    y_1 = F^r, y_2 = H^s, y_3 = g_2^{r+s} M, y_4 = (g_1^t K)^r, y_5 = (g_1^t L)^s
    Return C = (y_1, y_2, y_3, y_4, y_5)

Ver(pk, C, t):
    If e(g_1^t K, y_1) = e(y_4, F) ∧ e(g_1^t L, y_2) = e(y_5, H) Return 1
    Else Return 0

Dec_sk(C, t):
    If Ver(pk, C, t) = 1 Return M = y_3 y_1^{−1/φ} y_2^{−1/η}
    Else Return ⊥

Figure 6.7: The Modified Type-3 Tag-Based Encryption Scheme

Theorem 11. The scheme described in Figure 6.7 is a tag-based encryption scheme with perfect correctness and selective-tag weak CCA security for a polynomial-sized message space M, under the SDLIN assumption in G_2.

Proof. Consider the following game. Adversary A is an SDLIN solver in G_2 and adversary B breaks the stag-ind-cca security of the scheme. We show that A can use B to solve the SDLIN.

INIT STAGE: A runs INIT(1^k) → (gk, (g_1, g_2, F, H, F^{r*}, H^{s*}, w_1, w_2)) and then calls B(1^k) → t*.

FIND STAGE: A picks κ, λ ∈_R Z_p and then sets K = g_1^κ, L = g_1^λ. This now defines pk = (gk, F, H, K, L). For any valid ciphertext C, encrypted under a tag t ≠ t*, we get the following: y_4 = (g_1^t K)^r = (g_1^{t+κ})^r = (g_1^r)^{t+κ}. Thus we get y_4^{1/(t+κ)} = g_1^r. By a similar argument, y_5^{1/(t+λ)} = g_1^s. From here we can get g_1^{r+s}. Let M = g_2^μ, giving us e(g_1, y_3) = e(g_1, g_2^{r+s} g_2^μ) = e(g_1, g_2^{r+s+μ}) = e(g_1, g_2^{r+s}) e(g_1, g_2^μ). Using these relationships, we can construct our decryption oracle. We see that:

e(g_1, y_3) / e(y_4^{1/(t+κ)} y_5^{1/(t+λ)}, g_2) = e(g_1, g_2)^{r+s} e(g_1, M) / e(g_1, g_2)^{r+s} = e(g_1, M).

Because our message space M is polynomial in size, we can find M in polynomial time and thus answer decryption queries.


GUESS STAGE: B returns two different messages M_0, M_1 of equal length. A selects b ∈_R {0, 1} and generates the challenge ciphertext C* = (F^{r*}, H^{s*}, w_2 M_b, (g_1^{t*} K)^{r*}, (g_1^{t*} L)^{s*}). Adversary B is then given C*. We answer decryption queries as before. After making its queries, B outputs b′ ∈ {0, 1}. If b′ = b then we have a valid ciphertext, thus w_2 = g_2^{r+s}, and therefore A outputs 1, else 0.
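As an added example (not code from the dissertation), the following Python models the tag-based scheme of Figure 6.7 together with the κ, λ decryption oracle of the FIND stage above, which is also the alternative decryption used to simulate the Open oracle in the proofs of Lemmas 4 and 7. It assumes an exponent-tracking model of the bilinear group: each element is stored as its discrete logarithm modulo a constructed toy prime, so the pairing is multiplication of exponents and the code checks the scheme's algebra only.

```python
"""Exponent-tracking model of the Type-3 tag-based encryption scheme (Figure 6.7)
and of the κ, λ decryption oracle from the FIND stage of the Theorem 11 proof.

Added example, not the dissertation's code.  Every group element is stored as its
discrete logarithm modulo the toy prime P: g_1^a is the integer a, g_2^b is b, and
e(g_1^a, g_2^b) = e(g_1, g_2)^{ab} is a*b mod P.  Every exponent is thus visible by
construction, so the model checks the scheme's equations, not its hardness.
"""
import random

P = 1_000_003                  # constructed toy group order (a prime)
RNG = random.Random(2010)      # fixed seed so the demo is reproducible


def _rand_exp():
    """x ∈_R Z_p, kept non-zero so that 1/x always exists."""
    return 1 + RNG.randrange(P - 1)


def _inv(x):
    """Inverse of x modulo the prime P (Fermat)."""
    return pow(x % P, P - 2, P)


def pair(a, b):
    """e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}; a G_T element is its exponent."""
    return (a * b) % P


def keygen():
    """KeyGen(gk): F = g_2^φ, H = g_2^η, sk = (φ, η).  K = g_1^κ, L = g_1^λ are
    picked as in the FIND stage so that κ, λ can be handed to the reduction."""
    phi, eta, kappa, lam = (_rand_exp() for _ in range(4))
    pk = {"F": phi, "H": eta, "K": kappa, "L": lam}
    return pk, (phi, eta), (kappa, lam)


def enc(pk, t, m):
    """Enc_pk(t, M) for M = g_2^m.  y_1, y_2, y_3 lie in G_2; y_4, y_5 in G_1."""
    r, s = _rand_exp(), _rand_exp()
    y1 = pk["F"] * r % P             # F^r
    y2 = pk["H"] * s % P             # H^s
    y3 = (r + s + m) % P             # g_2^{r+s} M
    y4 = (t + pk["K"]) * r % P       # (g_1^t K)^r
    y5 = (t + pk["L"]) * s % P       # (g_1^t L)^s
    return (y1, y2, y3, y4, y5)


def ver(pk, c, t):
    """Ver(pk, C, t): e(g_1^t K, y_1) = e(y_4, F) and e(g_1^t L, y_2) = e(y_5, H)."""
    y1, y2, _, y4, y5 = c
    return (pair(t + pk["K"], y1) == pair(y4, pk["F"])
            and pair(t + pk["L"], y2) == pair(y5, pk["H"]))


def dec(pk, sk, c, t):
    """Dec_sk(C, t) = y_3 · y_1^{-1/φ} · y_2^{-1/η}; None stands for ⊥."""
    if not ver(pk, c, t):
        return None
    phi, eta = sk
    y1, y2, y3, _, _ = c
    # y_1^{1/φ} = g_2^r and y_2^{1/η} = g_2^s, so dividing them out of y_3 leaves M.
    return (y3 - y1 * _inv(phi) - y2 * _inv(eta)) % P


def alt_dec(pk, trap, c, t, msg_space):
    """Decryption oracle of the Theorem 11 reduction, which knows κ, λ but not φ, η.
    y_4^{1/(t+κ)} = g_1^r and y_5^{1/(t+λ)} = g_1^s give g_1^{r+s}; then
    e(g_1, y_3) / e(g_1^{r+s}, g_2) = e(g_1, M) and M is recovered by searching the
    polynomial-sized message space (here: the exponents listed in msg_space)."""
    if not ver(pk, c, t):
        return None
    kappa, lam = trap
    _, _, y3, y4, y5 = c
    if (t + kappa) % P == 0 or (t + lam) % P == 0:
        return None                  # 1/(t+κ) or 1/(t+λ) is undefined
    g1_r = y4 * _inv(t + kappa) % P
    g1_s = y5 * _inv(t + lam) % P
    target = (pair(1, y3) - pair(g1_r + g1_s, 1)) % P   # exponent of e(g_1, M)
    for m in msg_space:
        if pair(1, m) == target:
            return m
    return None


def demo():
    """Encrypt g_2^11 under tag 7, decrypt both ways, and show the two rejections
    the tag-based validity check provides: a foreign tag and a tampered y_4."""
    pk, sk, trap = keygen()
    msg_space = range(16)            # M ∈ {g_2^0, ..., g_2^15}
    m, tag = 11, 7
    c = enc(pk, tag, m)
    y1, y2, y3, y4, y5 = c
    tampered = (y1, y2, y3, (y4 + 1) % P, y5)
    return {
        "ver": ver(pk, c, tag),
        "dec": dec(pk, sk, c, tag),
        "alt_dec": alt_dec(pk, trap, c, tag, msg_space),
        "other_tag": dec(pk, sk, c, tag + 1),
        "tampered": alt_dec(pk, trap, tampered, tag, msg_space),
    }


if __name__ == "__main__":
    print(demo())
```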

As stated before, we will use the SXDH instantiation of the Groth-Sahai proof system [GS08]. Again, no changes are made to the requirements on the hash function.

6.4.2 The Scheme

Having now described all the cryptographic primitives needed, we proceed to detail ourscheme. The scheme is detailed in Figure 6.8.

We now proceed to prove correctness and the security of our scheme.

Lemma 7. The group signature scheme is anonymous under the DLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Consider the probability:

Pr[(gpk, ik, ok) ← G(1^k) : A^{Ch_b, Open, CrptU, SndToI, AddU, USK}(gpk, ik) = 1]

from the definition of anonymity [BSZ05]. For our scheme to have anonymity, we require that the probabilities for b = 0 and b = 1 differ only negligibly.

We begin by modifying the game so that we abort if a group signature submitted to the Open(·) oracle carries a valid strong one-time signature under vk*_sots. By the existential unforgeability of the strong one-time signature, there is a negligible probability that we abort for this reason. Thus we can now assume that vk*_sots is not used in any valid query to Open(·).

We also abort if there is a collision with Hash(vk*_sots). The collision-resistance property of the hash function implies that the probability of this is negligible. Thus we assume from now on that no such collision has occurred.

We now modify how we generate the public key of the cryptosystem. We pick κ, λ ∈_R Z_p, set K = g_2^κ, L = g_2^λ and store κ and λ. Whenever Open receives a valid group signature, we use κ, λ to decrypt the tag-based cryptosystem. By the tag-based validity checks and the perfect soundness of the NIZK proof χ, this gives us the same signature σ as would be extracted from the NIWI π. We can now check Reg for an i such that e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2). If this is the case, we return (i, σ). This equation defines v_i such that we get the same v_i when we run the extractor on the NIWI proof π. If we find no such v_i, we return (0, σ) and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change when the value of b changes.


Setup(1^k):
    G(1^k) → gk; H(1^k) → Hash
    CertKey(gk) → ((f, h, T), z)
    K_NI(gk) → (crs, xk); K, L ∈_R G_2
    Parse(crs) → (F, H, the rest); pk = (F, H, K, L)
    gpk = (gk, Hash, f, h, T, crs, pk)
    ik = z; ok = xk
    Return (gpk, ik, ok)

Join/Issue(User_i: gpk, Issuer: gpk, ik):
    ⟨User, Issuer⟩ → ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))
    User: If e(a_i, h v_i) e(f, b_i) = T set Reg[i] = v_i; SK_i = (x_i, a_i, b_i)

Sign(gpk, SK_i, m):
    KeyGen_sots(1^k) → (vk_sots, sk_sots)  (repeat until Hash(vk_sots) ≠ −x_i)
    ρ ∈_R Z_p; a = a_i f^{−ρ}; b = b_i (h v_i)^ρ
    σ = g_1^{1/(x_i + Hash(vk_sots))}
    π = P_NIWI(crs, (gpk, a, Hash(vk_sots)), (b, v_i, σ))
    y = Enc_pk(Hash(vk_sots), σ)
    χ = P_NIZK(crs, (gpk, π, y), (r, s, t))
    σ_sots = Sign_sots(vk_sots, m, a, π, y, χ)
    Return Σ = (vk_sots, a, π, y, χ, σ_sots)

Verify(gpk, m, Σ):
    Return 1 if all the following return 1:
        Ver_sots((vk_sots, m, a, π, y, χ), σ_sots)
        V_NIWI(crs, (gpk, a, Hash(vk_sots)), π)
        V_NIZK(crs, (gpk, π, y), χ)
        VerEnc(pk, Hash(vk_sots), y)
    Else Return 0

Open(gpk, ok, m, Σ):
    X_xk(crs, (gpk, a, Hash(vk_sots)), π) → (b, v, σ)
    If there is i such that v = v_i, Return (i, σ); Else Return (0, σ)

Judge(PK_Group, i, Reg[i], m, Σ, σ):
    If i ≠ 0 ∧ e(σ, v_i g_2^{Hash(vk_sots)}) = e(g_1, g_2) Return 1; Else Return 0

Figure 6.8: The Modified Type-3 Group Signature Scheme

Due to our changes to the Open oracle, we no longer need xk. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that A outputs 1. The perfect witness-indistinguishability implies that A can gain no information about which identity, and through it which secret key, was used to create the group signature.

This leads us to the ciphertext y. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for b = 1 and b = 0 differ negligibly. We will use the group signature adversary to construct an adversary that attacks the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is pk = (gk, F, H, K, L). Using gk, F, H we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge. This simulated crs has a trapdoor key tk, which consists of the discrete logarithms of the other elements with respect to g_1, g_2, F, H. We can build from pk a valid group signature public key gpk. We can also emulate the oracles CrptU, SndToI, AddU, USK. Whenever we have a valid query to Open, it contains a ciphertext y. The tag used in y is never Hash(vk_sots), so we can use the alternative decryption as in the proof of security, which gives us σ.

We now construct a challenge group signature from a challenge ciphertext. We first pick (vk_sots, sk_sots) and use Hash(vk_sots) as t*. These are chosen independently of pk. We now pick pk and run the group signature game as described above. A outputs i_0, i_1, m for the challenge group signature. We produce signatures σ_b on Hash(vk_sots) and encrypt them into y*. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities are different for b = 0 and b = 1, then we can distinguish whether y encrypts σ_0 or σ_1. But by the stag-ind-cca security, the probabilities for b = 0 and b = 1 are indistinguishable.

Lemma 8. The group signature scheme is traceable if the q-U-2a assumption holds.

Proof. We have to show that valid signatures lead to the provable identification of the signer. To formalise:

Pr[(gpk, ik, ok) ← KeyGen(1^k); (m*, Σ*) ← A^{CrptU, SndToI}(gpk, ok); (i, σ) ← Open(gpk, ok, Reg, m*, Σ*) : Verify(gpk, m*, Σ*) = 1 ∧ (Judge(gpk, i, Reg[i], m*, Σ*, σ) = 0 ∨ i = 0)] ≈ 0.

By the soundness of the NIWI proof, a valid group signature Σ implies that there is a valid certified signature on Hash(vk_sots). Using the extraction key xk for the NIWI, we can extract the signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the v_i's issued by the issuer. This thus leads us to the user i who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted one-time signature is indeed a signature on Hash(vk_sots) under the verification key v_i. This implies that Judge will output 1.

Lemma 9. The group signature scheme has non-frameability under the q-SDH assumptionand assuming the one-time signature is secure against weak chosen message attack and thehash function is collision-resistant.

Proof. We have to show that no member can be framed for making a signature they did not make. To formalise:

Pr[(gpk, ik, ok) ← KeyGen(1^k); (m*, Σ*, i*, σ*) ← A^{AddU, USK, GSig}(gpk, ik, ok) : Verify(gpk, m*, Σ*) = 1 ∧ Judge(gpk, i*, Reg[i*], m*, Σ*, σ*) = 1 ∧ i* ∈ HU ∧ (m*, Σ*) ∉ GSet] ≈ 0.


By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that A produces a group signature reusing one of the vk_sots produced by GSig. The collision-resistance of the hash function implies that there is a negligible probability that Hash(vk*_sots) collides with any vk_sots used by the GSig oracle. We can then assume that any attempt to frame a user requires producing a certified signature on a value Hash(vk_sots) that the user has not previously signed.

Let n(k) be a polynomial upper bound on the number of AddU queries made. We have at least a 1/n(k) chance of guessing the user identity that A will attempt to frame. However, for each honest user the probability that A can produce a valid σ on Hash(vk_sots) is negligible, by the existential unforgeability against weak chosen message attack of the Boneh-Boyen signature scheme.

Theorem 12. The group signature scheme has perfect correctness, and has anonymity, traceability and non-frameability under the SDLIN, q-SDH and q-U-3b assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. The proofs of anonymity, traceability and non-frameability follow from Lemmas 7, 8 and 9.


Chapter 7

Conclusions & Future Work

7.1 Conclusions

We now comment on the efficiency of our schemes. In terms of computational efficiency, our schemes are identical to the Groth signature scheme [Gro07]. However, in terms of the size of the group signatures, our schemes are more efficient. The table below summarizes the signature sizes of the schemes, counted in group elements.

Component    [Gro07]   Scheme 1     Scheme 2     Scheme 3     Scheme 4
             G         G1    G2     G1    G2     G1    G2     G1    G2
NIWI         27        10    18     12    15     10    12     12    10
NIZK         15         9     0      9     0      9     0      0     9
y             5         3     2      3     2      3     2      2     3
a             1         1     0      0     1      1     0      0     1
vk_sots       1         0     1      1     0      0     1      1     0
σ_sots        1         1     0      0     1      1     0      0     1
Subtotals    50        24    21     25    19     24    15     16    23
Total        50           45           44           39           39

Table 7.1: Comparative sizes of the schemes

Groth [Gro07] pointed out that if we only require CPA-Anonymity, we can do away withthe ciphertext and the NIZK. Furthermore, we can simply sign Hash(m) and do away withthe strong one-time signature. The same is true of our schemes, as summarized in the tablebelow.


Component    [Gro07]   Scheme 1     Scheme 2     Scheme 3
             G         G1    G2     G1    G2     G1    G2
NIWI         27        10    18     12    15     10    12
a             1         1     0      0     1      1     0
Subtotals    28        11    18     12    16     11    12
Total        28           29           28           23

Table 7.2: Comparative sizes of the CPA-Anonymous schemes

7.2 Future Work

7.2.1 Further Efficiency Improvements

Future work continuing the ideas presented here would be to find a scheme with even smaller signatures at the same level of security. We posit that the most apparent way to do this would be to find more efficient primitives. It is conceivable that there exists a publicly verifiable tag-based system which requires fewer elements than the one we employ. We also believe that it may be possible to find a certified signature scheme which can be expressed in fewer PPEs, or even expressed as MSMEs. Both of these developments would potentially reduce the size of the NIWI proof and the NIZK proof.

On a small tangent, it is also possible to improve the efficiency of our scheme by using NIWI and NIZK systems based on other intractability assumptions. Groth and Sahai put forward some possible ways of doing this in [GS08]. Alternatively, a whole new system of producing proofs may come to light which costs fewer elements to prove our equations.

7.2.2 Revocation

An interesting question we have not addressed is the issue of revocation. It may come to pass that a group member's signing key needs to be revoked, for any of a number of reasons. Two research questions arise from here: formalisations and methods. Although there have been formalisations for both static groups [BMW03] and growing-membership groups [BSZ05], we put forward the question of whether there can be such a formalisation for reducing membership, or indeed fully dynamic groups. Such a formalisation would define new attack scenarios and the properties we require for a group signature scheme to be deemed to have a revocation property.

With or without such a formalisation, another open problem is effective revocation in any group signature scheme. It remains to be seen whether there is an efficient way to revoke the signing keys of group members. Issuing a revocation list implies that the signatures grow linearly in the number of revoked members. We put forward that it may be possible to have constant-size group signatures with revocation.


Bibliography

[ACHdM05] Giuseppe Ateniese, Jan Camenisch, Susan Hohenberger, and Breno de Medeiros. Practical group signatures without random oracles. Cryptology ePrint Archive, Report 2005/385, 2005. http://eprint.iacr.org/.

[ACJT00] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In Mihir Bellare, editor, CRYPTO, volume 1880 of Lecture Notes in Computer Science, pages 255–270. Springer, 2000.

[AST02] Giuseppe Ateniese, Dawn Xiaodong Song, and Gene Tsudik. Quasi-efficient revocation in group signatures. In Matt Blaze, editor, Financial Cryptography, volume 2357 of Lecture Notes in Computer Science, pages 183–197. Springer, 2002.

[AT99] Giuseppe Ateniese and Gene Tsudik. Some open issues and new directions in group signatures. In Matthew K. Franklin, editor, Financial Cryptography, volume 1648 of Lecture Notes in Computer Science, pages 196–211. Springer, 1999.

[BB04] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT, volume 3027 of Lecture Notes in Computer Science, pages 56–73. Springer, 2004.

[BB08] Dan Boneh and Xavier Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008.

[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In Franklin [Fra04], pages 41–55.

[Bih03] Eli Biham, editor. Advances in Cryptology - EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, May 4-8, 2003, Proceedings, volume 2656 of Lecture Notes in Computer Science. Springer, 2003.

[BMW03] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Biham [Bih03], pages 614–629.

47

Page 49: Dissertation

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigmfor designing efficient protocols. In ACM Conference on Computer and Com-munications Security, pages 62–73, 1993.

[BS01] Emmanuel Bresson and Jacques Stern. Efficient revocation in group signatures.In Kwangjo Kim, editor, Public Key Cryptography, volume 1992 of LectureNotes in Computer Science, pages 190–206. Springer, 2001.

[BS04] Dan Boneh and Hovav Shacham. Group signatures with verifier-local revoca-tion. In Vijayalakshmi Atluri, Birgit Pfitzmann, and Patrick Drew McDaniel,editors, ACM Conference on Computer and Communications Security, pages168–177. ACM, 2004.

[BSZ05] Mihir Bellare, Haixia Shi, and Chong Zhang. Foundations of group signatures:The case of dynamic groups. In Alfred Menezes, editor, CT-RSA, volume 3376of Lecture Notes in Computer Science, pages 136–153. Springer, 2005.

[BW06] Xavier Boyen and Brent Waters. Compact group signatures without randomoracles. In Serge Vaudenay, editor, EUROCRYPT, volume 4004 of LectureNotes in Computer Science, pages 427–444. Springer, 2006.

[BW07] Xavier Boyen and Brent Waters. Full-domain subgroup hiding and constant-size group signatures. In Tatsuaki Okamoto and Xiaoyun Wang, editors, PublicKey Cryptography, volume 4450 of Lecture Notes in Computer Science, pages1–15. Springer, 2007.

[Cam97] Jan Camenisch. Efficient and generalized group signatures. In EUROCRYPT,pages 465–479, 1997.

[CGH98] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodol-ogy, revisited (preliminary version). In STOC, pages 209–218, 1998.

[CGH04] Ran Canetti, Oded Goldreich, and Shai Halevi. The random oracle methodol-ogy, revisited. J. ACM, 51(4):557–594, 2004.

[CL04] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymouscredentials from bilinear maps. In Franklin [Fra04], pages 56–72.

[CP94] Lidong Chen and Torben P. Pedersen. New group signature schemes (extendedabstract). In EUROCRYPT, pages 171–181, 1994.

[CS97] Jan Camenisch and Markus Stadler. Efficient group signature schemes for largegroups (extended abstract). In Burton S. Kaliski Jr., editor, CRYPTO, volume1294 of Lecture Notes in Computer Science, pages 410–424. Springer, 1997.

48

Page 50: Dissertation

[CvH91] David Chaum and Eugene van Heyst. Group signatures. In Donald W. Davies,editor, EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages257–265. Springer, 1991.

[DH76] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEETransactions on Information Theory, 22(6):644–654, 1976.

[Fra04] Matthew K. Franklin, editor. Advances in Cryptology - CRYPTO 2004, 24thAnnual International CryptologyConference, Santa Barbara, California, USA,August 15-19, 2004, Proceedings, volume 3152 of Lecture Notes in ComputerScience. Springer, 2004.

[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to iden-tification and signature problems. In Andrew M. Odlyzko, editor, CRYPTO,volume 263 of Lecture Notes in Computer Science, pages 186–194. Springer,1986.

[Gen03] Craig Gentry. Certificate-based encryption and the certificate revocation prob-lem. In Biham [Bih03], pages 272–293.

[GPS08] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. Pairings forcryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008.

[Gro06] Jens Groth. Simulation-sound nizk proofs for a practical language and constantsize group signatures. In Xuejia Lai and Kefei Chen, editors, ASIACRYPT,volume 4284 of Lecture Notes in Computer Science, pages 444–459. Springer,2006.

[Gro07] Jens Groth. Fully anonymous group signatures without random oracles. InKaoru Kurosawa, editor, ASIACRYPT, volume 4833 of Lecture Notes in Com-puter Science, pages 164–180. Springer, 2007.

[GS08] Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilineargroups. In Nigel P. Smart, editor, EUROCRYPT, volume 4965 of Lecture Notesin Computer Science, pages 415–432. Springer, 2008.

[GSW10] Essam Ghadafi, Nigel P. Smart, and Bogdan Warinschi. Groth-sahai proofsrevisited. In Phong Q. Nguyen and David Pointcheval, editors, Public KeyCryptography, volume 6056 of Lecture Notes in Computer Science, pages 177–192. Springer, 2010.

[HP06] Henrik Slot Hansen and Kristoffer Kjrvik Pagels. Implementation and analysisof five group signature systems. Master’s thesis, Datalogisk Institut, ArhusUniversitet, 2006.

49

Page 51: Dissertation

[Kil06] Eike Kiltz. Chosen-ciphertext security from tag-based encryption. In ShaiHalevi and Tal Rabin, editors, TCC, volume 3876 of Lecture Notes in ComputerScience, pages 581–600. Springer, 2006.

[Koc98] Paul C. Kocher. On certificate revocation and validation. In Rafael Hirschfeld,editor, Financial Cryptography, volume 1465 of Lecture Notes in ComputerScience, pages 172–177. Springer, 1998.

[Lys02] Anna Lysyanskya. Signature Scheme and Applications to Cryptographic Proto-col Design. PhD thesis, Massachusett Institute of Technology, 2002.

[RSA78] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method forobtaining digital signatures and public-key cryptosystems. Commun. ACM,21(2):120–126, 1978.

[ZL06] Sujing Zhou and Dongdai Lin. Shorter verifier-local revocation group signaturesfrom bilinear maps. In David Pointcheval, Yi Mu, and Kefei Chen, editors,CANS, volume 4301 of Lecture Notes in Computer Science, pages 126–143.Springer, 2006.


Appendix A

Sizes of the DDH/DLIN Groth-Sahai Proofs

Based on [GSW10], we present the following table, which contains the number of group elements required for each type of proof in a DDH/DLIN group. We use the same notation as in [GS08].

Assumption: DDH/DLIN                                           G1   G2   Zp
Variables $x \in \mathbb{Z}_p$, $X \in G_1$                     2    0    0
Variables $y \in \mathbb{Z}_p$, $Y \in G_2$                     0    3    0
Pairing product equations                                      4    6    0
  - Linear equation $\vec{A} \cdot \vec{Y} = t_T$               2    0    0
  - Linear equation $\vec{X} \cdot \vec{B} = t_T$               0    3    0
Multi-scalar multiplication equations in $G_1$                 2    6    0
  - Linear equation $\vec{A} \cdot \vec{y} = T_1$               1    0    0
  - Linear equation $\vec{X} \cdot \vec{b} = T_1$               0    0    2
Multi-scalar multiplication equations in $G_2$                 4    3    0
  - Linear equation $\vec{a} \cdot \vec{Y} = T_2$               0    0    3
  - Linear equation $\vec{x} \cdot \vec{B} = T_2$               0    2    0


Appendix B

Proofs

B.1 q-Unfakeability Type 2b Assumption (q-U-2b)

Proof of Theorem 6. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;$$
$$([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1\gamma_1 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)}\gamma_1 r_{q(k)} + \zeta]\big) :$$
$$[v] \notin \{[\gamma_1 x_1], \ldots, [\gamma_1 x_{q(k)}]\}\ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]]\ \wedge\ [[s(v + \gamma_1 m)]] = [[\gamma_1\gamma_2]]\Big] \approx 0.$$

We observe that $\mathcal{A}$ can generate elements in the groups using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can set the conditions for success as
$$[[s(v + \gamma_1 m) - \gamma_1\gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).$$
For $\mathcal{A}$ to succeed, we see that it must have two low-degree polynomials evaluate to 0. The Schwartz-Zippel theorem states that there is a negligible probability of a low-degree polynomial evaluating to 0 for randomly chosen $\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero-polynomials using $v \notin \{\gamma_1 x_1, \ldots, \gamma_1 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g\gamma_1]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g\gamma_2$ and $v = v_d + v_g\gamma_1$, for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us:
$$s_d v_d + s_d(v_g + m)\gamma_1 + s_g v_d\gamma_2 + (s_g(v_g + m) - 1)\gamma_1\gamma_2 = 0.$$
Assume for contradiction that $v_d \neq 0$. We then have $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_2$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$. But this contradicts $s(v + m\gamma_1) = \gamma_1\gamma_2$. Thus we conclude that $\mathcal{A}$ can only be successful if $v = v_g\gamma_1$.

We now consider equation (2): $a(\eta + v_g\gamma_1) + \phi b - \phi\zeta = 0$. Since $a, b$ are constructed by calls to $\mathcal{O}$, we can write them as:
$$a = a_d + a_f\phi + a_g\gamma_2 + \sum_{i=1}^{q(k)} a_{a_i}\phi r_i + \sum_{i=1}^{q(k)} a_{b_i}(x_i\gamma_2 r_i)$$
$$b = b_d + b_f\phi + b_g\gamma_1 + b_h\eta + \sum_{i=1}^{q(k)} b_{a_i}\phi r_i + \sum_{i=1}^{q(k)} b_{b_i}(\eta r_i + x_i\gamma_1 r_i + \zeta)$$
for known $a_d, a_f, a_g, a_{a_i}, a_{b_i}, b_d, b_f, b_g, b_h, b_{a_i}, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_1 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$; for $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$.

B.2 q-Unfakeability Type 3a Assumption (q-U-3a)

Theorem 13. The q-U-3a Assumption holds in the generic group model.

Proof. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;$$
$$([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1\gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)}\gamma_2 r_{q(k)} + \zeta]\big) :$$
$$[v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\}\ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]]\ \wedge\ [[s(v + \gamma_2 m)]] = [[\gamma_1\gamma_2]]\Big] \approx 0.$$

We observe that $\mathcal{A}$ can generate elements in the groups using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can set the conditions for success as
$$[[s(v + \gamma_2 m) - \gamma_1\gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).$$
For $\mathcal{A}$ to succeed, we see that it must have two low-degree polynomials evaluate to 0. The Schwartz-Zippel theorem states that there is a negligible probability of a low-degree polynomial evaluating to 0 for randomly chosen $\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero-polynomials using $v \notin \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g\gamma_2]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g\gamma_1$ and $v = v_d + v_g\gamma_2$, for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us:
$$s_d v_d + s_d(v_g + m)\gamma_2 + s_g v_d\gamma_1 + (s_g(v_g + m) - 1)\gamma_1\gamma_2 = 0.$$
Assume for contradiction that $v_d \neq 0$. We then have $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_1$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$. But this contradicts $s(v + m\gamma_2) = \gamma_1\gamma_2$. Thus we conclude that $\mathcal{A}$ can only be successful if $v = v_g\gamma_2$.

We now consider equation (2): $a(\eta + v_g\gamma_2) + \phi b - \phi\zeta = 0$. Since $a, b$ are constructed by calls to $\mathcal{O}$, we can write them as:
$$a = a_d + a_f\phi + a_g\gamma_1 + a_h\eta + \sum_{i=1}^{q(k)} a_{a_i}\phi r_i + \sum_{i=1}^{q(k)} a_{b_i}(\eta r_i + x_i\gamma_1 r_i)$$
$$b = b_d + b_g\gamma_2 + b_h\eta + \sum_{i=1}^{q(k)} b_{b_i}(\eta r_i + x_i\gamma_2 r_i + \zeta)$$
for known $a_d, a_f, a_g, a_h, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_2 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$; for $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$.

B.3 q-Unfakeability Type 3b Assumption (q-U-3b)

Proof of Theorem 9. We first restate the problem in the generic group model as follows, for an adversary $\mathcal{A}$:

$$\Pr\Big[gk \leftarrow \mathcal{G}(1^k);\ x_1, r_1, \ldots, x_{q(k)}, r_{q(k)} \in_R \mathbb{Z}_p;\ \gamma, \phi, \eta, \zeta \in_R \mathbb{Z}_p;\ [\cdot]_1 \leftarrow \mathbb{Z}_p \leftrightarrow G_1;\ [\cdot]_2 \leftarrow \mathbb{Z}_p \leftrightarrow G_2;\ [[\cdot]] \leftarrow \mathbb{Z}_p \leftrightarrow G_T;$$
$$([v], [a], [b], m, [s]) \leftarrow \mathcal{A}^{\mathcal{O}(\cdot)}\big(gk, [\gamma_1], [\gamma_2], [\phi], [\eta], [[\phi\zeta]], x_1, [\phi r_1], [\eta r_1 + x_1\gamma_2 r_1 + \zeta], \ldots, x_{q(k)}, [\phi r_{q(k)}], [\eta r_{q(k)} + x_{q(k)}\gamma_2 r_{q(k)} + \zeta]\big) :$$
$$[v] \notin \{[\gamma_2 x_1], \ldots, [\gamma_2 x_{q(k)}]\}\ \wedge\ [[a(\eta + v) + \phi b]] = [[\phi\zeta]]\ \wedge\ [[s(v + \gamma_2 m)]] = [[\gamma_1\gamma_2]]\Big] \approx 0.$$

We observe that $\mathcal{A}$ can generate elements in the groups using the oracle to encode low-degree polynomials in $\mathbb{Z}_p[\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}]$. Based on this, we can set the conditions for success as
$$[[s(v + \gamma_2 m) - \gamma_1\gamma_2]] = [[0]] \quad (1) \qquad \text{and} \qquad [[a(\eta + v) + \phi b - \phi\zeta]] = [[0]] \quad (2).$$
For $\mathcal{A}$ to succeed, we see that it must have two low-degree polynomials evaluate to 0. The Schwartz-Zippel theorem states that there is a negligible probability of a low-degree polynomial evaluating to 0 for randomly chosen $\gamma, \phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$, unless it is identically 0. Thus, to prove that this problem is intractable, we show that $\mathcal{A}$ cannot construct such zero-polynomials using $v \notin \{\gamma_2 x_1, \ldots, \gamma_2 x_{q(k)}\}$.

We start with equation (1). We show that the only way this is possible is if $\mathcal{A}$ picks $v_g \in_R \mathbb{Z}_p$ and uses the oracle to compute $[v_g\gamma_2]$. We assume that $\mathcal{A}$ has been given $\phi, \eta, \zeta, r_1, \ldots, r_{q(k)}$ as extra input. We now write $s = s_d + s_g\gamma_1$ and $v = v_d + v_g\gamma_2$, for known $v_d, v_g, s_d, s_g \in \mathbb{Z}_p$, giving us:
$$s_d v_d + s_d(v_g + m)\gamma_2 + s_g v_d\gamma_1 + (s_g(v_g + m) - 1)\gamma_1\gamma_2 = 0.$$
Assume for contradiction that $v_d \neq 0$. We then have $s_d v_d = 0$, which implies $s_d = 0$. Examining the coefficient of $\gamma_1$, we get $s_g v_d = 0$, which implies $s_g = 0$. Thus we have $s = 0$. But this contradicts $s(v + m\gamma_2) = \gamma_1\gamma_2$. Thus we conclude that $\mathcal{A}$ can only be successful if $v = v_g\gamma_2$.

We now consider equation (2): $a(\eta + v_g\gamma_2) + \phi b - \phi\zeta = 0$. Since $a, b$ are constructed by calls to $\mathcal{O}$, we can write them as:
$$a = a_d + a_f\phi + a_g\gamma_1 + \sum_{i=1}^{q(k)} a_{a_i}\phi r_i + \sum_{i=1}^{q(k)} a_{b_i}(x_i\gamma_1 r_i)$$
$$b = b_d + b_g\gamma_2 + b_h\eta + \sum_{i=1}^{q(k)} b_{b_i}(\eta r_i + x_i\gamma_2 r_i + \zeta)$$
for known $a_d, a_f, a_g, a_{a_i}, a_{b_i}, b_d, b_g, b_h, b_{b_i}$. If we examine the coefficient of $\phi\zeta$, we see that $\sum_{i=1}^{q(k)} b_{b_i} = 1$, therefore there exists $b_{b_i} \neq 0$. The coefficient of $\phi\eta r_i$ gives us $a_{a_i} + b_{b_i} = 0$, which implies $a_{a_i} = -b_{b_i}$. Finally, the coefficient of $\phi\gamma_2 r_i$ shows us that $a_{a_i} v_g + b_{b_i} x_i = b_{b_i}(x_i - v_g) = 0$; for $b_{b_i} \neq 0$ we have $x_i = v_g$. Therefore $v_g \in \{x_1, \ldots, x_{q(k)}\}$.


Appendix C

Scheme 3

In this Appendix, we detail Scheme 3, which is a direct translation of [Gro07] into a Type 3 group.

C.1 Components

We begin with the certified signature scheme. We modify the scheme to suit a Type 3 group. The resulting scheme is described in Figure C.1.

Setup($1^k$):
    $gk = (p, G_1, G_2, G_T, e, g_1, g_2) \leftarrow \mathcal{G}(1^k)$
    Return $gk$

CertKey($gk$):
    $f \in_R G_1$; $h, z \in_R G_2$
    $T = e(f, z)$
    Return $(ak, ck) = ((gk, f, h, T), (ak, z))$

$\langle \mathrm{User}(gk, ak), \mathrm{Issuer}(gk, ck) \rangle$:
    $\langle \mathrm{User}(gk), \mathrm{Issuer}(gk) \rangle \to (x, v)$
    $r \in_R \mathbb{Z}_p$
    $a = f^{-r}$
    $b = (vh)^r z$
    $vk = v$, $sk = x$, $cert = (a, b)$
    User output: $(vk, sk, cert)$
    Issuer output: $(vk, cert)$

Sign$_{sk}(m)$:
    If $x = -m$ return $\bot$
    Else return $\sigma = g_1^{1/(x+m)}$

Ver($gk, ak, vk, cert, m, \sigma$):
    Return 1 if $e(a, vh)\,e(f, b) = T$ and $e(\sigma, v g_2^m) = e(g_1, g_2)$
    Else return 0

Figure C.1: The Type-3 Certified Signature Scheme

Theorem 14. The scheme in Figure C.1 is a certified signature scheme which is unfakeable under the q-U-3a assumption and is existentially unforgeable under weak chosen message attack under the q-SDH assumption.


Proof. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature under a key that has not been certified, that is:

$$\Pr[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{KeyReg}}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > 2k^{-\delta}.$$

Let $q(k)$ be a polynomial upper bound on the number of queries $\mathcal{A}$ can make to KeyReg. Part of the key registration is an interactive protocol. We can black-box simulate the view of the adversarial user with an error of up to $\frac{1}{q(k)k^\delta}$. This allows us to pick $x_1, \ldots, x_{q(k)}$ in advance to simulate this protocol, thus assigning the $i$-th registration the signing key $x_i$. We call this modified oracle SimKeyReg, which gives us

$$\Pr[gk \leftarrow \mathcal{G}(1^k);\ (ak, ck) \leftarrow \mathrm{CertKey}(gk);\ x_1, \ldots, x_{q(k)} \in_R \mathbb{Z}_p;\ (vk, cert, m, \sigma) \leftarrow \mathcal{A}^{\mathrm{SimKeyReg}(x_1, \ldots, x_{q(k)})}(gk, ak) :\ vk \notin Q \wedge \mathrm{Ver}(gk, ak, vk, cert, m, \sigma) = 1] > k^{-\delta}.$$

With this modified oracle, $\mathcal{A}$ only sees certificates on $v_i = g_2^{x_i}$, which are of the form $a_i = f^{-r_i}$, $b_i = h^{r_i} g_2^{x_i r_i} z$, for $1 \leq i \leq q(k)$. It follows directly from the q-U-3a assumption that the probability of this is negligible, which gives us a contradiction. Therefore we conclude that the scheme is unfakeable.

We now show existential unforgeability. Assume for contradiction that there exists $\delta > 0$ such that for infinitely many $k \in \mathbb{N}$, adversary $\mathcal{A}$ has probability at least $2k^{-\delta}$ of forging a signature on a message, giving us:

$$\Pr[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ ((v, x, a, b), St_2) \leftarrow \langle \mathrm{User}(gk, ak), \mathcal{A}(St_1) \rangle;\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > 2k^{-\delta},$$

under weak chosen message attack. Part of the key generation is an interactive protocol. It is possible to black-box simulate a malicious issuer's view. After the keys are generated, we can simulate the certification part, as only the adversary acts. The error in this simulation can be set to not exceed $k^{-\delta}$, giving us:

$$\Pr[gk \leftarrow \mathcal{G}(1^k);\ (St_1, ak) \leftarrow \mathcal{A}(gk);\ x \in_R \mathbb{Z}_p,\ v = g_2^x;\ (g^u, St_2) \leftarrow S_I^{\mathcal{A}(St_1)};\ (a', b', m, \sigma) \leftarrow \mathcal{A}^{\mathrm{MessageSign}(\cdot)}(St_2) :\ m \notin Q \wedge \mathrm{Ver}(gk, ak, v, a', b', m, \sigma) = 1] > k^{-\delta},$$

where $u \in \{\bot, x\}$. However, we are now in a situation where $v$ is an honestly chosen Boneh-Boyen verification key and $\mathcal{A}$ only has access to a weak chosen message attack. For a signature made by $\mathcal{A}$ to be valid, we must have $g^u \neq \bot$, therefore $v = g^u$. We also have a valid Boneh-Boyen signature in the certified signature. However, the Boneh-Boyen signature scheme is secure against weak chosen message attack [BB08], and therefore the probability above must be negligible. This gives a contradiction. Therefore we conclude that the certified scheme is existentially unforgeable under weak chosen message attack.


Setup($1^k$):
    Return $gk = (p, G_1, G_2, G_T, e, g_1, g_2)$

KeyGen($gk$):
    $\phi, \eta \in_R \mathbb{Z}_p$
    $F = g_1^\phi$, $H = g_1^\eta$; $K, L \in_R G_2$
    Return $(pk, sk) = ((gk, F, H, K, L), (\phi, \eta))$

Enc$_{pk}(t, M)$:
    $r, s \in_R \mathbb{Z}_p$
    $y_1 = F^r$, $y_2 = H^s$, $y_3 = g_1^{r+s} M$, $y_4 = (g_2^t K)^r$, $y_5 = (g_2^t L)^s$
    Return $C = (y_1, y_2, y_3, y_4, y_5)$

Ver($pk, C, t$):
    If $e(y_1, g_2^t K) = e(F, y_4)\ \wedge\ e(y_2, g_2^t L) = e(H, y_5)$ Return 1
    Else Return 0

Dec$_{sk}(C, t)$:
    If Ver($pk, C, t$) $= 1$ Return $M = y_3\, y_1^{-1/\phi}\, y_2^{-1/\eta}$
    Else Return $\bot$

Figure C.2: The Type-3 Tag-Based Encryption Scheme

We now move to the cryptosystem. We translate the scheme proposed by Kiltz [Kil06] into a Type 3 setting. The modified scheme is described in Figure C.2.

Theorem 15. The scheme described in Figure C.2 is a tag-based encryption scheme with perfect correctness and selective-tag weak CCA security for a polynomial sized message space $\mathcal{M}$, under the SDLIN Assumption in $G_1$.

Proof. Consider the following game. Adversary $\mathcal{A}$ is an SDLIN solver in $G_1$ and adversary $\mathcal{B}$ breaks the stag-ind-cca security of the scheme. We show that $\mathcal{A}$ can use $\mathcal{B}$ to solve SDLIN.

INIT STAGE: $\mathcal{A}$ runs $\mathrm{INIT}(1^k) \to (gk, (g_1, g_2, F, H, F^{r^*}, H^{s^*}, w_1, w_2))$ and then calls $\mathcal{B}(1^k) \to t^*$.

FIND STAGE: $\mathcal{A}$ picks $\kappa, \lambda \in_R \mathbb{Z}_p$ and then sets $K = g_2^\kappa$, $L = g_2^\lambda$. This now defines $pk = (gk, F, H, K, L)$. For any valid ciphertext $C$, encrypted under a tag $t \neq t^*$, we get the following:
$$y_4 = (g_2^t K)^r = (g_2^{t+\kappa})^r = (g_2^r)^{t+\kappa}, \quad \text{thus} \quad y_4^{1/(t+\kappa)} = g_2^r.$$
By a similar argument, $y_5^{1/(t+\lambda)} = g_2^s$. From here we can compute $g_2^{r+s}$. Let $M = g_1^\mu$, giving us
$$e(y_3, g_2) = e(g_1^{r+s} g_1^\mu, g_2) = e(g_1^{r+s+\mu}, g_2) = e(g_1, g_2^{r+s})\, e(g_1, g_2^\mu).$$
Using these relationships, we can construct our decryption oracle. We see that
$$\frac{e(y_3, g_2)}{e(g_1, y_4^{1/(t+\kappa)} y_5^{1/(t+\lambda)})} = \frac{e(g_1, g_2)^{r+s}\, e(M, g_2)}{e(g_1, g_2)^{r+s}} = e(M, g_2).$$
Because our message space $\mathcal{M}$ is polynomial in size, we can find $M$ in polynomial time and thus answer decryption queries.

GUESS STAGE: $\mathcal{B}$ returns two different messages $M_0, M_1$ of equal length. $\mathcal{A}$ selects $b \in_R \{0, 1\}$ and generates the challenge ciphertext $C^* = (F^{r^*}, H^{s^*}, w_1 M_b, (g_2^{t^*} K)^{r^*}, (g_2^{t^*} L)^{s^*})$. Adversary $\mathcal{B}$ is then given $C^*$. We answer decryption queries as before. After making its queries, $\mathcal{B}$ outputs $b' \in \{0, 1\}$. If $b' = b$ then we have a valid ciphertext, thus $w_1 = g_1^{r^* + s^*}$, and therefore $\mathcal{A}$ outputs 1, else 0.
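To make the algebra of Figures C.1 and C.2 concrete, the following added example (not the dissertation's own code) simulates the Type-3 certified signature scheme and the tag-based cryptosystem in the exponent representation that the generic-group proofs of Appendix B use: every element is stored as its discrete logarithm, so the pairing is a product in $\mathbb{Z}_p$ and the Type-3 restriction (no mixing of $G_1$ and $G_2$) is enforced by a group tag. The toy prime `P`, the helper names, and the simulator-side decryption using $\kappa, \lambda$ (as in the FIND stage of the proof of Theorem 15) are my assumptions; this representation exhibits correctness and the validity checks only, not hardness.

```python
"""Exponent ("discrete log") simulation of Figure C.1 and Figure C.2.

Each group element is stored as its discrete log to its group's generator:
g1^a is Elt(1, a), g2^b is Elt(2, b), and e(g1^a, g2^b) = gT^(a*b) is
Elt("T", a*b).  This is the encoding the generic-group proofs of Appendix B
use; it checks the schemes' algebra only (no hardness, no real curve).
"""
import secrets

P = (1 << 61) - 1   # constructed toy group order (assumption); any prime does


class Elt:
    """Element of G1, G2 or GT, identified by group tag and discrete log."""
    def __init__(self, grp, log):
        self.grp, self.log = grp, log % P
    def __mul__(self, o):            # group operation: logs add
        assert self.grp == o.grp, "Type 3: G1 and G2 elements never mix"
        return Elt(self.grp, self.log + o.log)
    def __pow__(self, k):            # exponentiation: logs multiply
        return Elt(self.grp, self.log * k)
    def inv(self):
        return Elt(self.grp, -self.log)
    def __eq__(self, o):
        return isinstance(o, Elt) and self.grp == o.grp and self.log == o.log


def e(a, b):
    """Bilinear map G1 x G2 -> GT; argument order is enforced (Type 3)."""
    assert a.grp == 1 and b.grp == 2
    return Elt("T", a.log * b.log)


g1, g2 = Elt(1, 1), Elt(2, 1)
rand_zp = lambda: secrets.randbelow(P - 1) + 1   # uniform in Z_p^*
inv_zp = lambda k: pow(k, P - 2, P)               # 1/k mod p


# Figure C.1: Type-3 certified signature scheme
def cert_key():
    f, h, z = g1 ** rand_zp(), g2 ** rand_zp(), g2 ** rand_zp()
    ak = (f, h, e(f, z))              # T = e(f, z)
    return ak, (ak, z)                # (ak, ck)


def join(ak, ck):
    """<User, Issuer>: the SFE choosing (x, v) is abstracted; issuer sees only v."""
    (f, h, _), (_, z) = ak, ck
    x, r = rand_zp(), rand_zp()
    v = g2 ** x                       # vk = v, sk = x
    a, b = (f ** r).inv(), ((v * h) ** r) * z   # cert = (f^-r, (vh)^r z)
    return v, x, (a, b)


def sign(x, m):
    if (x + m) % P == 0:
        return None                   # the scheme returns bottom here
    return g1 ** inv_zp(x + m)        # sigma = g1^{1/(x+m)}


def verify(ak, v, cert, m, sigma):
    f, h, T = ak
    a, b = cert
    return (e(a, v * h) * e(f, b) == T
            and e(sigma, v * (g2 ** m)) == e(g1, g2))


# Figure C.2: Type-3 tag-based encryption
def tbe_keygen():
    phi, eta, kappa, lam = (rand_zp() for _ in range(4))
    pk = (g1 ** phi, g1 ** eta, g2 ** kappa, g2 ** lam)   # (F, H, K, L)
    return pk, (phi, eta), (kappa, lam)   # pk, sk, Theorem 15 simulator's kappa, lambda


def tbe_enc(pk, t, M):
    F, H, K, L = pk
    r, s = rand_zp(), rand_zp()
    return (F ** r, H ** s, (g1 ** (r + s)) * M,
            ((g2 ** t) * K) ** r, ((g2 ** t) * L) ** s)


def tbe_ver(pk, C, t):
    F, H, K, L = pk
    y1, y2, _, y4, y5 = C
    return e(y1, (g2 ** t) * K) == e(F, y4) and e(y2, (g2 ** t) * L) == e(H, y5)


def tbe_dec(pk, sk, C, t):
    if not tbe_ver(pk, C, t):
        return None
    (phi, eta), (y1, y2, y3, _, _) = sk, C
    return y3 * (y1 ** inv_zp(phi)).inv() * (y2 ** inv_zp(eta)).inv()


def tbe_dec_alt(pk, tk, C, t, msg_space):
    """Theorem 15 simulator's decryption: uses kappa, lambda instead of phi, eta,
    so it answers any tag t != t* over a polynomial-size message space."""
    if not tbe_ver(pk, C, t):
        return None
    (kappa, lam), (_, _, y3, y4, y5) = tk, C
    g2_rs = (y4 ** inv_zp(t + kappa)) * (y5 ** inv_zp(t + lam))   # g2^(r+s)
    target = e(y3, g2) * e(g1, g2_rs).inv()                        # = e(M, g2)
    return next((M for M in msg_space if e(M, g2) == target), None)
```

Both decryption paths must agree on every validly tagged ciphertext, and a ciphertext presented under the wrong tag fails the `Ver` pairing checks before either path runs.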

Now that we are in a Type 3 group, we will use the SXDH instantiation of the Groth-Sahai proof system [GS08]. Again, no changes are made to the requirements of the hash function.

C.2 The Scheme

Having now described all the cryptographic primitives needed, we proceed to detail ourscheme. The scheme is detailed in Figure C.3.

We now proceed to prove correctness and the security of our scheme.

Lemma 10. The group signature scheme is anonymous under the SDLIN assumption, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Consider the probability:

$$\Pr[(gpk, ik, ok) \leftarrow \mathcal{G}(1^k) :\ \mathcal{A}^{\mathrm{Ch}_b, \mathrm{Open}, \mathr m{CrptU}, \mathrm{SndToI}, \mathrm{AddU}, \mathrm{USK}}(gpk, ik) = 1]$$

from the definition of anonymity [BSZ05]. For our scheme to have anonymity, we require that the probabilities for $b = 0$ and $b = 1$ have a negligible difference.

We begin by modifying the game such that we abort if a group signature submitted to the Open(·) oracle reuses the challenge strong one-time verification key $vk^*_{sots}$. By the existential unforgeability of the strong one-time signature, we see that there is a negligible probability that we will abort for this reason. Thus we can now assume that $vk^*_{sots}$ is not used in any valid query to Open(·).

We also abort if there is a collision with $\mathrm{Hash}(vk^*_{sots})$. The collision-resistance property of the hash function implies that the probability of this is negligible. Thus we assume that no such collision has occurred from now on.

We now modify how we generate the public key in the cryptosystem. We pick $\kappa, \lambda \in_R \mathbb{Z}_p$, set $K = g_2^\kappa$, $L = g_2^\lambda$, and store $\kappa$ and $\lambda$. Whenever Open receives a valid group signature, we use $\kappa, \lambda$ to decrypt the tag-based cryptosystem. By the tag-based validity checks and the perfect soundness of the NIZK proof $\chi$, this gives us the same signature $\sigma$ as would be extracted from the NIWI proof $\pi$. We can now check Reg for an $i$ such that $e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2)$. If this is the case, we return $(i, \sigma)$. This equation defines $v_i$ such that we get the same $v_i$ when we run the extractor on the NIWI proof $\pi$. If we find no such $v_i$, we return $(0, \sigma)$ and accuse the Issuer. The perfect soundness of the NIWI and NIZK proofs implies that these probabilities do not change when the value of $b$ changes.

Setup($1^k$):
    $\mathcal{G}(1^k) \to gk$; $\mathcal{H}(1^k) \to \mathrm{Hash}$
    CertKey($gk$) $\to ((f, h, T), z)$
    $K_{NI}(gk) \to (crs, xk)$; $K, L \in_R G_2$
    Parse($crs$) $\to (F, H, \text{the rest})$; $pk = (F, H, K, L)$
    $gpk = (gk, \mathrm{Hash}, f, h, T, crs, pk)$; $ik = z$; $ok = xk$
    Return $(gpk, ik, ok)$

Join/Issue(User$_i$: $gpk$, Issuer: $gpk, ik$):
    $\langle \mathrm{User}, \mathrm{Issuer} \rangle \to ((v_i, x_i, a_i, b_i), (v_i, a_i, b_i))$
    User: If $e(a_i, h v_i)\, e(f, b_i) = T$ set $\mathrm{Reg}[i] = v_i$; $SK_i = (x_i, a_i, b_i)$

Sign($gpk, SK_i, m$):
    KeyGen$_{sots}(1^k) \to (vk_{sots}, sk_{sots})$ (repeat until $\mathrm{Hash}(vk_{sots}) \neq -x_i$)
    $\rho \in_R \mathbb{Z}_p$; $a = a_i f^{-\rho}$; $b = b_i (h v_i)^\rho$
    $\sigma = g_1^{1/(x_i + \mathrm{Hash}(vk_{sots}))}$
    $\pi = P_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), (b, v_i, \sigma))$
    $y = \mathrm{Enc}_{pk}(\mathrm{Hash}(vk_{sots}), \sigma)$
    $\chi = P_{NIZK}(crs, (gpk, \pi, y), (r, s, t))$
    $\sigma_{sots} = \mathrm{Sign}_{sots}(vk_{sots}, m, a, \pi, y, \chi)$
    Return $\Sigma = (vk_{sots}, a, \pi, y, \chi, \sigma_{sots})$

Verify($gpk, m, \Sigma$):
    Return 1 if all of the following return 1:
        Ver$_{sots}((vk_{sots}, m, a, \pi, y, \chi), \sigma_{sots})$
        $V_{NIWI}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi)$
        $V_{NIZK}(crs, (gpk, \pi, y), \chi)$
        Ver$_{Enc}(pk, \mathrm{Hash}(vk_{sots}), y)$
    Else Return 0

Open($gpk, ok, m, \Sigma$):
    $X_{xk}(crs, (gpk, a, \mathrm{Hash}(vk_{sots})), \pi) \to (b, v, \sigma)$
    If there is $i$ such that $v = v_i$, Return $(i, \sigma)$
    Else Return $(0, \sigma)$

Judge($PK_{Group}, i, \mathrm{Reg}[i], m, \Sigma, \sigma$):
    If $i \neq 0 \wedge e(\sigma, v_i g_2^{\mathrm{Hash}(vk_{sots})}) = e(g_1, g_2)$ Return 1
    Else Return 0

Figure C.3: The Type-3 Group Signature Scheme

Due to our changes to the Open oracle, we no longer need $xk$. This allows us to switch to a simulated common reference string, which gives perfect witness-indistinguishability and perfect zero-knowledge. Since a simulated crs is computationally indistinguishable from a real crs, this does not change the probability that $\mathcal{A}$ will output 1. The perfect witness-indistinguishability implies that $\mathcal{A}$ can gain no information about which identity, and through it which secret key, was used to create the group signature.


This leads us to the ciphertext $y$. We now show, based on the stag-ind-cca property of the cryptosystem, that the probabilities for $b = 1$ and $b = 0$ differ negligibly. We will use the group signature adversary to construct an adversary that attacks the stag-ind-cca security of the cryptosystem. The public key of the cryptosystem is $pk = (gk, F, H, K, L)$. Using $gk, F, H$ we can construct a simulated crs with perfect witness-indistinguishability and perfect zero-knowledge. This simulated crs will have a trapdoor key $tk$, which will be the discrete logarithms of the other elements with respect to $g_1, g_2, F, H$. We can build from $pk$ a valid group signature public key $gpk$. We can also emulate the oracles CrptU, SndToI, AddU, USK. Whenever we have a valid query to Open, it contains a ciphertext $y$. The tag used in $y$ is never $\mathrm{Hash}(vk^*_{sots})$, so we can use the alternative decryption as in the proof of security, which will give us $\sigma$.

We now construct a challenge group signature from a challenge ciphertext. We first pick $(vk_{sots}, sk_{sots})$ and use $\mathrm{Hash}(vk_{sots})$ as $t^*$. These are chosen independently of $pk$. We now pick $pk$ and run the group signature game as described above. $\mathcal{A}$ will output $i_0, i_1, m$ for the challenge group signature. We produce signatures $\sigma_b$ on $\mathrm{Hash}(vk_{sots})$ and encrypt them into $y^*$. As the simulated crs gives us perfect zero-knowledge and witness-indistinguishability, we can produce valid NIWI and NIZK proofs to complete the group signature. If the anonymity probabilities are different for $b = 0$ and $b = 1$, then we can distinguish whether $y^*$ encrypts $\sigma_0$ or $\sigma_1$. But by the stag-ind-cca security, the probabilities for $b = 0$ and $b = 1$ are indistinguishable.

Lemma 11. The group signature scheme is traceable if the q-U-3a assumption holds.

Proof. We have to show that valid signatures lead to the provable identification of the signer.To formalise:

$$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*) \leftarrow \mathcal{A}^{\mathrm{CrptU}, \mathrm{SndToI}}(gpk, ok);\ (i, \sigma) \leftarrow \mathrm{Open}(gpk, ok, \mathrm{Reg}, m^*, \Sigma^*) :$$
$$\mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge (\mathrm{Judge}(gpk, i, \mathrm{Reg}_i, m^*, \Sigma^*, \sigma) = 0 \vee i = 0)] \approx 0.$$

By the soundness of the NIWI proof, a valid group signature $\Sigma$ implies that there is a valid certified signature on $\mathrm{Hash}(vk_{sots})$. Using the extraction key $xk$ for the NIWI, we can extract the signature. By the unfakeability property of the certified signature scheme, the certified signature was made under one of the $v_i$'s issued by the issuer. This thus leads us to user $i$, who produced the group signature. The perfect soundness of the NIWI proof of knowledge implies that the extracted signature is indeed a signature on $\mathrm{Hash}(vk_{sots})$ under the verification key $v_i$. This implies that Judge will output 1.

Lemma 12. The group signature scheme has non-frameability under the q-SDH assumptionand assuming the one-time signature is secure against weak chosen message attack and thehash function is collision-resistant.

Proof. We have to show that no member can be framed for making a signature they did notmake. To formalise:

$$\Pr[(gpk, ik, ok) \leftarrow \mathrm{KeyGen}(1^k);\ (m^*, \Sigma^*, i^*, \sigma^*) \leftarrow \mathcal{A}^{\mathrm{AddU}, \mathrm{USK}, \mathrm{GSig}}(gpk, ik, ok) :$$
$$\mathrm{Verify}(gpk, m^*, \Sigma^*) = 1 \wedge \mathrm{Judge}(gpk, i^*, \mathrm{Reg}_{i^*}, m^*, \Sigma^*, \sigma^*) = 1 \wedge i^* \in HU \wedge (m^*, \Sigma^*) \notin \mathrm{GSet}] \approx 0.$$

By the strong unforgeability of the one-time signature scheme under weak chosen message attack, there is a negligible probability that $\mathcal{A}$ would have produced a group signature re-using one of the $vk_{sots}$ produced by GSig. The collision-resistance of the hash function implies that there is a negligible probability that $\mathrm{Hash}(vk^*_{sots})$ collides with $\mathrm{Hash}(vk_{sots})$ for any $vk_{sots}$ used by the GSig oracle. We can then assume that any attempt to frame a user requires producing a certified signature on a value $\mathrm{Hash}(vk_{sots})$ that they have not previously signed.

Let $n(k)$ be the polynomial upper bound on the number of AddU queries made. We have at least an $n(k)^{-1}$ chance of guessing the user identity that $\mathcal{A}$ will attempt to frame. However, for each honest user, the probability that $\mathcal{A}$ can produce a valid $\sigma$ on $\mathrm{Hash}(vk_{sots})$ is negligible, by the existential unforgeability against weak chosen message attack of the Boneh-Boyen signature scheme.

Theorem 16. The group signature scheme has perfect correctness and has anonymity, traceability and non-frameability under the DLIN, q-SDH and q-U-3a assumptions, assuming the one-time signature is secure against weak chosen message attack and the hash function is collision-resistant.

Proof. Perfect correctness follows from the perfect correctness of the Join/Issue secure function evaluation, the certified signature scheme, the tag-based cryptosystem, the NIWI and NIZK proofs and the strong one-time signature. The proofs of anonymity, traceability and non-frameability follow from Lemmas 10, 11 and 12.
