5.1 Features
Here we show that our scheme satisfies all features necessary for group signatures.
Unforgeability: From the proof of Theorem 2, a set of is an unconditionally binding commitment to a valid membership certificate and corresponding membership key Under Assumption 2, it is infeasible to find a certificate corresponding to a membership key without knowledge of the group manager's secret key. Therefore, only group members who hold a valid membership certificate are able to generate a signature on a message.
Exculpability: GM knows a member's membership certificate, but cannot obtain any information about the corresponding membership key Hence, even if GM colludes with some group members, they cannot sign on behalf of
Anonymity: Assuming that the function is a random function, the SPKs of and do not leak any information, since their interactive counterparts are honest-verifier perfect zero-knowledge. To decide whether some group member with certificate generated it is required to decide whether or However, these are impossible under the decision Diffie-Hellman assumption [12], and hence anonymity is guaranteed.
Traceability: When the signature is valid, coincides with the encryption of the membership certificate which can be uniquely recovered by GM. Therefore, a member can be traced in case of dispute. On the other hand, in order to impersonate another signer with they must forge the membership certificate Under Assumption 2, this is infeasible.
Unlinkability: In order to decide whether or not two signatures and were generated by the same group member, we need to decide whether or not or holds. However, these are impossible under the decision Diffie-Hellman assumption [12], and hence group signatures are unlinkable from each other.
Revocability: Each group signature must prove knowledge of with where GM publishes the revoked member's membership certificate as Therefore, if a signer is a revoked member (i.e., then for some V holds. The verifier can check this equation and judge whether the signer has been revoked or not. In order to forge a group signature that passes verification, a revoked member must substitute another for a part of the membership certificate but this is impossible under Assumption 2. Hence a revoked member cannot generate a valid group signature.
Anonymity after revocation: A CRL certificate, however, does not leak any information about group members. Therefore nobody can identify the group member who generated a signature on a message, even after a group member has been revoked.
Unlinkability after revocation: In order to decide whether or not two signatures and based on the different-time CRLs CRL and were generated by the same member whose certificate is in we need to decide whether or not holds. However, this is impossible under the decision Diffie-Hellman assumption [12], and thus group signatures remain unlinkable even after a group member has been revoked.
5.2 Efficiency
We compare our scheme with the previous scheme [3] from the viewpoints of both computational work and signature size in Table 1. Let P or be 1200 or 160 bits, respectively. Here M denotes the computational work of one multiplication over a 1200-bit modulus. We assume the binary method or the extended binary method for computing an exponentiation or a multiple exponentiation [13], respectively.
Table 1 shows that our scheme reduces both the signature size and the verification work by about 1/3 compared with [3], while maintaining the same security level. Furthermore, our scheme is slightly more efficient than even the group signature scheme based on known-order cyclic groups proposed by G. Ateniese and B. de Medeiros [2], which does not satisfy the feature of revocability, as mentioned in Section 1. Although revocability can easily be added in a simple way [3], doing so increases both the signature size and the computational work. Our scheme is optimized under the condition that it realizes all features, including revocability. Therefore, our scheme is much better than a scheme combining [2] with the revocation function of [3].
Since our scheme uses the SPK of double discrete logarithms, it seems to require much computational work in contrast to the group signature schemes with revocation [5,6], which do not use an SPK of double discrete logarithms. However, their group public key and signature size depend on the number of group members, and thus these schemes are less efficient than our scheme for large groups, e.g., of 1000 members.
6 Conclusion
We have proposed a group signature scheme with CRL-based revocation. In our scheme, the membership certificate is constructed using an improved Nyberg-Rueppel signature with appendix. As a result, the signature size and the computational work of signature generation and verification can be reduced, because all secret data can be computed using knowledge of the order of the group.
Our scheme uses the proof of knowledge involving a double discrete logarithm in the same way as previous group signatures, which requires much computational work. Furthermore, our scheme uses a membership certificate based on the special assumption of the Multiple DLP. Developing a membership certificate based on standard assumptions is a challenging open problem. Another interesting open question is to find the relationship between the Multiple DLP and the DLP.
References
1. G. Ateniese, J. Camenisch, M. Joye and G. Tsudik, "A practical and provably secure Coalition-Resistant group signature scheme", Advances in Cryptology - Proceedings of CRYPTO 2000, LNCS 1880 (2000), pp. 255-270.
2. G. Ateniese and B. de Medeiros, "Efficient group signatures without trapdoors", Cryptology ePrint Archive, available from http://citeseer.nj.nec.com/ateniese02efficient.html.
3. G. Ateniese and G. Tsudik, "Quasi-efficient revocation of group signatures", In the proceedings of FC 2002, 2002.
4. E. Bresson and J. Stern, "Group signatures with efficient revocation", In the proceedings of PKC 2001, LNCS 1992 (2001), pp. 190-206.
5. J. Camenisch, "Efficient and generalized group signature", Advances in Cryptology - Proceedings of EUROCRYPT'97, LNCS 1233 (1997), pp. 465-479.
6. J. Camenisch, "Group signature schemes and payment systems based on the discrete logarithm problem", PhD thesis, vol. 2 of ETH-Series in Information Security and Cryptography, Hartung-Gorre Verlag, Konstanz, 1998, ISBN 3-89649-286-1.
7. J. Camenisch and A. Lysyanskaya, "Dynamic accumulators and application to efficient revocation of anonymous credentials", Advances in Cryptology - Proceedings of CRYPTO 2002, LNCS 2442 (2002), pp. 61-76.
8. J. Camenisch and M. Michels, "A group signature scheme based on an RSA-variant", preliminary version in Advances in Cryptology - ASIACRYPT'98, Tech. Rep. RS-98-27, BRICS, 1998.
9. J. Camenisch and M. Stadler, "Efficient group signature schemes for large groups", Advances in Cryptology - Proceedings of CRYPTO'97, LNCS 1296 (1997), pp. 410-424.
10. D. Chaum and E. van Heyst, "Group signatures", Advances in Cryptology - Proceedings of EUROCRYPT'91, LNCS 547 (1991), pp. 257-265.
11. D. Chaum, J. H. Evertse and J. van de Graaf, "An improved protocol for demonstrating possession of discrete logarithms and some generalizations", Advances in Cryptology - Proceedings of EUROCRYPT'87, LNCS 304 (1987), pp. 127-141.
12. W. Diffie and M. E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory IT-22, 1976, pp. 664-654.
13. D. E. Knuth, "The Art of Computer Programming", Addison-Wesley Publishing Co., 1981.
14. K. Nyberg and R. A. Rueppel, "Message recovery for signature schemes based on the discrete logarithm problem", Advances in Cryptology - Proceedings of EUROCRYPT'94, 1994, pp. 182-193.
15. C. P. Schnorr, "Efficient signature generation for smart cards", Journal of Cryptology, Vol. 4(3), 1991, pp. 239-252.
16. D. Song, "Practical Forward-Secure group signature schemes", In the proceedings of the 2001 ACM Symposium on Computer and Communications Security, 2001.
Yunlei Zhao (1,2), C.H. Lee (1), Yiming Zhao (2), and Hong Zhu (2)
(1) Department of Computer Science, City University of Hong Kong, Hong Kong. {csylzhao, chlee}@cityu.edu.hk
(2) Department of Computer Science, Fudan University, Shanghai, P. R. China. {zhym, hzhu}@fudan.edu.cn
Abstract. In this paper we make some observations on zaps and their applications as developed by Dwork and Naor [13]. We clarify the relations among public-coin witness indistinguishability (WI), public-coin honest verifier zero-knowledge (HVZK) and public-coin special honest verifier zero-knowledge (SHVZK). Specifically, we observe that the existence of zaps under the existence of one-way permutations actually strictly separates public-coin WI and public-coin SHVZK assuming We also show that public-coin HVZK does not imply WI assuming the existence of one-way permutations. For zap-based applications, we present an improved Dwork-Naor 2-round timed deniable authentication scheme that improves the communication and computation complexity of the original protocol presented by Dwork and Naor [13]. Specifically, in the improved protocol the first message (from the verifier to the authenticator) is independent of the message to be authenticated by the authenticator.
Keywords: Zap, public-coin honest verifier zero-knowledge, deniable authentication, timed commitment, witness indistinguishability
1 Introduction
A zap, first introduced by Dwork and Naor [13], is itself a 2-round public-coin witness indistinguishable (WI) proof system for Zaps are a very powerful cryptographic tool that significantly simplifies many cryptographic tasks. As a notable example, they are used to achieve the first 2-round timed deniable authentication scheme [13].
Deniable authentication first appears in [10,12], and is then formalized in [14]. Roughly speaking, a deniable authentication scheme is a public-key interactive authentication scheme in which an authenticator AP convinces a second party V, with access only to AP's public-key, that AP is willing to authenticate a message However, unlike the case of digital signatures, deniable authentication does not permit V to convince a third party that AP has authenticated That is, there is no "paper trail" of the conversation other than what could be produced by V alone. Several 4-round timed deniable authentication protocols appear in [14,15] and the first 2-round timed deniable authentication is presented by Dwork and Naor in [13].
* This research is supported by a research grant of City University of Hong Kong (No. 7001358).
M. Jakobsson, M. Yung, J. Zhou (Eds.): ACNS 2004, LNCS 3089, pp. 180–193, 2004. © Springer-Verlag Berlin Heidelberg 2004
We remark that before the emergence of zaps, when we used public-coin WI proofs in fulfilling cryptographic tasks we actually used public-coin special honest verifier zero-knowledge (SHVZK) proofs. Public-coin honest verifier zero-knowledge (HVZK) and public-coin SHVZK are introduced by Cramer, Damgard and Schoenmakers [5], and it is shown there that any public-coin SHVZK protocol is also WI (see footnote 1). Roughly, a public-coin protocol is called honest verifier zero-knowledge if there is a simulator S such that the output of S on input is computationally indistinguishable from the real transcript between the honest prover and the honest verifier on common input A public-coin protocol is called SHVZK if for any given random challenges of the honest verifier, the simulator S can take the given random challenges as inputs and output a transcript that is consistent with the given random challenges and is computationally indistinguishable from the real transcript between the honest prover and the honest verifier. We remark that public-coin SHVZK protocols are a very powerful cryptographic tool and are widely used in numerous important cryptographic applications. As a notable example, which are 3-round public-coin SHVZK protocols with a special (knowledge-extraction) soundness property, play a critical role in achieving secure digital signatures in the random oracle model (by using the famous Fiat-Shamir methodology [18]) and efficient electronic payment systems [4]. For a good survey of and their applications, readers are referred to [7,4].
1.1 Our Contributions
In this paper, we clarify the relations among public-coin WI, public-coin SHVZK and public-coin HVZK. Specifically, we have the following observations:
Observation 1. The existence of zaps (under the existence of one-way permutations) actually strictly separates public-coin WI and public-coin SHVZK. Specifically, we show that although any public-coin SHVZK protocol is also public-coin WI [5], the zap, which is itself a 2-round public-coin WI proof system for and can be constructed under the existence of one-way permutations, cannot be public-coin SHVZK assuming This observation is proven by showing that only languages in have a 2-round public-coin SHVZK protocol.
Footnote 1: The fact that any public-coin SHVZK protocol is also WI is proved in Proposition 1 of [5]. We note that the Proposition states that any public-coin honest verifier zero-knowledge protocol (rather than any public-coin SHVZK protocol) is WI. But the proof of the Proposition in [5] is actually for the public-coin SHVZK case. In this paper we show that public-coin HVZK does not necessarily imply WI.
Observation 2. Public-coin HVZK does not necessarily imply WI. Specifically, we show that under the existence of one-way permutations there exists a 2-round public-coin proof system for that is public-coin HVZK but not WI.
For the first zap-based 2-round Dwork-Naor timed deniable authentication protocol [13], we have the following observation:
Observation 3. In the first message (from the verifier to the authenticator) of the 2-round timed deniable authentication scheme [13], the verifier needs to send a public-key encryption (under the authenticator's public-key) of the message to be authenticated by the authenticator. This implicitly means that the first (verifier's) message depends on the message to be authenticated by the authenticator. Since in practice the message to be authenticated is normally large, and public-key encryption may also be time-consuming, the inclusion of the public-key encryption of may increase both the communication complexity and the computation complexity. In this paper we observe that the above dependence in the first verifier message can be avoided by using collision-resistant hash functions.
2 Preliminaries
In this section we recall the definitions and the cryptographic tools used in this paper.
We use standard notations and conventions below for writing probabilistic algorithms and experiments. If A is a probabilistic algorithm, then is the result of running A on inputs and coins We let denote the experiment of picking at random and letting be If S is a finite set then is the operation of picking an element uniformly from S. If is neither an algorithm nor a set, then is a simple assignment statement.
Definition 1 (interactive proof system). A pair of probabilistic machines, is called an interactive proof system for a language L if V is polynomial-time and the following conditions hold:
Completeness. For every
Soundness. For all sufficiently large and every of length and every interactive machine B (even with unbounded computational power),
is negligible in
An interactive protocol is called a public-coin system if at each round the prescribed (honest) verifier can only toss coins (random string) and send their outcomes to the prover. An interactive protocol is called an argument if the soundness is only guaranteed for probabilistic polynomial-time (PPT) malicious provers.
Definition 2 (public-coin HVZK and SHVZK). Let be a public-coin interactive protocol (argument or proof) for a language in which the prescribed honest verifier V is supposed to send random challenges, and let be the corresponding witness relation for L. Denote by the random challenge of the honest verifier and the message of the honest prover. We denote by a random variable describing the transcript of all messages exchanged between the honest verifier V and the honest prover P in an execution of the protocol on common input while P has the auxiliary input
Such a public-coin protocol is called honest verifier zero-knowledge (HVZK) if there exists a probabilistic polynomial-time simulator S such that for any sufficiently large and its witness (satisfying the following ensembles are computationally indistinguishable: and This public-coin protocol is called special honest verifier zero-knowledge (SHVZK) if for any sufficiently large and for any given random challenges of the honest verifier, the following ensembles are computationally indistinguishable: and where is of one of the following forms: for the case that the prover sends the first message, or for the case that the verifier sends the first message.
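The HVZK/SHVZK distinction described in the introduction and in Definition 2 is easiest to see on a concrete 3-round public-coin protocol. The following is an added example (not code from the paper): Schnorr's proof of knowledge of a discrete logarithm over constructed toy parameters, with an honest transcript generator, an SHVZK simulator that takes the verifier's challenge as input, and a plain HVZK simulator that chooses the challenge itself. The parameters P, Q, G and all function names are this example's own assumptions.

```python
# Added example: Schnorr's 3-round public-coin protocol and its simulators.
# Constructed toy parameters (assumption): P = 2Q + 1 with P, Q prime, and
# G = 2^2 a quadratic residue mod P, so G generates the order-Q subgroup.
import secrets

P = 1019
Q = 509
G = 4


def keygen():
    """Witness x (private exponent) and common input y = G^x mod P."""
    x = secrets.randbelow(Q - 1) + 1
    y = pow(G, x, P)
    return x, y


def verify(y, a, e, z):
    """Verifier's public check: G^z == a * y^e (mod P)."""
    return pow(G, z, P) == (a * pow(y, e, P)) % P


def honest_transcript(x, y, e=None):
    """Real execution: prover commits a = G^r, the honest verifier tosses
    coins for e, and the prover answers z = r + e*x mod Q."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    if e is None:
        e = secrets.randbelow(Q)
    z = (r + e * x) % Q
    return a, e, z


def shvzk_simulate(y, e):
    """SHVZK simulator (Definition 2): the challenge e is given as input and
    no witness is used. Pick z uniformly first, then solve the verification
    equation for the commitment: a = G^z * y^(-e) mod P. Since z is uniform
    in Z_Q and a is then determined exactly as in a real run, the simulated
    transcript (a, e, z) is distributed identically to an honest one with
    the same challenge."""
    z = secrets.randbelow(Q)
    y_inv_e = pow(pow(y, e, P), -1, P)  # modular inverse, Python 3.8+
    a = (pow(G, z, P) * y_inv_e) % P
    return a, e, z


def hvzk_simulate(y):
    """Plain HVZK simulator: it is free to choose the challenge itself,
    which is the weaker notion; here it simply reuses the SHVZK simulator."""
    return shvzk_simulate(y, secrets.randbelow(Q))
```

Every transcript produced by either simulator passes verify without the witness, which is exactly why the simulator's output cannot leak x; the SHVZK simulator additionally has to honour a challenge it did not pick.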
Definition 3 (witness indistinguishability, WI). Let be an interactive proof system for a language and let be the fixed witness relation for L. That is, if there exists a such that We denote by a random variable describing the transcript of all messages exchanged between a (possibly malicious) verifier V* and the honest prover P in an execution of the protocol on common input when P has auxiliary input and V* has auxiliary input We say that is witness indistinguishable for if for every PPT interactive machine V*, and every two sequences and such that and the following two probability distributions are computationally indistinguishable by any non-uniform PPT algorithm: and
Definition 4 (zap [13]). Under a security parameter a zap is a 2-round public-coin witness-indistinguishable interactive proof system for proving membership of of length where L is a language in Furthermore, the first-round (verifier to prover) message, denoted which is assumed to be a random string, can be fixed once and for all common inputs of length Denote by the second-round (prover to verifier) response. Formally, a zap satisfies the following conditions:
Completeness. Given and a witness and a first-round the prover, running in time polynomial in can generate a proof that will be accepted by the verifier with overwhelming probability.
Soundness. With overwhelming probability over choice of there exists no and round-2 message such that verifier accepts
Witness-Indistinguishability. Let for Then the distribution on when the prover has input and the distribution on when the prover has input are non-uniform polynomial-time indistinguishable.
We remark that zaps are a very powerful cryptographic tool that greatly simplifies many cryptographic tasks, such as deniable authentication schemes, oblivious transfer, verifiable pseudorandom generators, concurrent zero-knowledge, resettable zero-knowledge, quasi-polynomial time simulatable zero-knowledge and so on [13, 16, 24, 26].
Definition 5 (non-interactive zero-knowledge, NIZK). Let NIP and NIV be two interactive machines, where NIV is also probabilistic polynomial-time, and let be a positive polynomial. We say that is an NIZK proof system for a language L if the following conditions hold:
Completeness. For any of length any of length and for it holds that
Soundness. of length is negligible in
Zero-Knowledgeness. simulator NIS such that, sufficiently large of length and for the following two distributions are computationally indistinguishable: and
Non-interactive zero-knowledge proof systems for can be constructed based on any one-way permutation [17]. An efficient implementation based on any one-way permutation is presented in [21], and readers are referred to [8] for recent advances in NIZK.
Definition 6 (NIZK proof of knowledge [9]). An NIZK proof system for a language with witness relation (as defined above) is an NIZK proof of knowledge (NIZKPOK) if there exists a pair of PPT machines and a negligible function such that for all sufficiently large
Reference-String Uniformity. The distribution on reference strings produced by has statistical distance at most from the uniform distribution on
Witness Extractability. For all adversaries A, we have that where the experiments and are defined as follows:
NIZK proofs of knowledge for can be constructed assuming the existence of one-way permutations and dense secure public-key cryptosystems [9].