3.7 Zero-Knowledge Proofs and Signatures of Knowledge
4.1.1 The BMW Scheme
The BMW scheme utilizes the following generic cryptographic building blocks:
• A digital signature scheme Σ = (Kg, Sign, Vrfy) specified in Section 3.4.
• A public-key encryption scheme Θ = (Kg, Enc, Dec) specified in Section 3.5.
• A non-interactive zero-knowledge proof of knowledge (NIZKPoK) scheme (K, P, V) specified in Section 3.7.2. The underlying NP relation R contains statement-witness pairs of the form ((pke, pks, m, c), (i, pki, certi, s)) with Vrfy(pks, (i, pki), certi) = 1, Vrfy(pki, m, s) = 1, and Enc(pke, (i, pki, certi, s)) = c, where pke is a public key suitable for Θ, pks is a public key suitable for Σ, pki is the public key of user i suitable for Σ, certi and s are digital signatures, m is a message, and c is a ciphertext.
The NP relation underlying the NIZKPoK proof motivates, at a high level, the actual construction of the BMW scheme. Namely, the secret signing key of a member i consists of a secret key ski and a digital signature certi issued by the group manager on the pair (i, pki). That is, certi can be seen as the group manager’s certificate on the member’s public key pki. In order to produce a group signature σ on some message m, member i encrypts (i, pki, certi) under the group manager’s public key pke, computes an ordinary signature s on m using his own secret key ski, and proves the correctness of these computations as well as the possession of a valid certi through the NIZKPoK proof. In the following we detail the BMW construction, following the specification from [22].
Key generation. The key generation algorithm GKg on input the security parameter 1^κ, κ ∈ N, and the number of members n ∈ N performs the following steps:
1. Compute the common reference string ρ ←_R K(1^κ).
2. Compute the private/public key pair (sks, pks) ←_R Σ.Kg(1^κ) for the digital signature scheme Σ.
3. Compute the private/public key pair (ske, pke) ←_R Θ.Kg(1^κ) for the public-key encryption scheme Θ.
4. For i = 1 to n: compute (ski, pki) ←_R Σ.Kg(1^κ) and certi ←_R Sign(sks, (i, pki)).
5. Output (gpk, gmsk, gsk) such that:
• group public key gpk = (ρ, pks, pke)
• group manager’s secret key gmsk = (gpk, ske)
• member i’s secret signing key gsk[i] = (gpk, ski, pki, certi).
Algorithms K and Kg are assumed to internally use security parameters that are polynomially related to the overall security parameter κ. The key generation algorithm is executed in a trusted way. In particular, the private key sks should be erased, as it is not part of gmsk. Alternatively, one can assume two distributed authorities, the issuer and the opener, where the issuer would generate (sks, pks) and issue certificates certi, while the opener would generate (ske, pke). This distributed approach is explicitly used in the dynamic version of the scheme, which we introduce in Section 4.2. Within the static BMW scheme such an issuer would be required during the key generation procedure only.
Signature generation. The signing algorithm GSign takes as input the secret signing key gsk[i] = (gpk, ski, pki, certi) of member i, where gpk = (ρ, pks, pke), and a message m ∈ {0, 1}*, and proceeds as follows:
1. Compute the signature s ←_R Sign(ski, m) and the ciphertext c ←_R Enc(pke, (i, pki, certi, s)).
2. Compute π as a non-interactive zero-knowledge proof of knowledge
$$
\pi \leftarrow \mathrm{NIZKPoK}\left[\, i, pk_i, cert_i, s \;:\;
\begin{array}{l}
\mathrm{Vrfy}(pk_s, (i, pk_i), cert_i) = 1 \\
\mathrm{Vrfy}(pk_i, m, s) = 1 \\
\mathrm{Enc}(pk_e, (i, pk_i, cert_i, s)) = c
\end{array}
\right].
$$
3. Output the group signature σ = (c, π).
The ciphertext c encrypts the certificate certi, the public key pki of member i and his signature s under the public key pke of the group manager. Additionally, the NIZKPoK proof π proves in a zero-knowledge fashion that c encrypts these values and that, furthermore, certi is a valid signature on (i, pki) issued by the group manager and that the member’s signature s can indeed be verified using the encrypted public key pki, thus implicitly meaning that s was computed by i using the corresponding private key ski. This is the essence of the “sign-and-encrypt-and-prove” paradigm that is realized by many modern group signature schemes using concrete cryptographic settings and number theory.
Signature verification. The signature verification algorithm GVrfy takes as input the group public key gpk = (ρ, pks, pke), a message m, and a candidate group signature σ, and proceeds as follows:
1. Parse σ as (c, π).
2. If π is a valid NIZKPoK proof then output 1; otherwise output 0.
Opening procedure. The opening algorithm Open takes as input the group manager’s secret key gmsk = (gpk, ske), message m, and a group signature σ, and proceeds as follows:
1. If GVrfy(gpk, m, σ) = 0 then output 0.
2. Decrypt (i, pki, certi, s) ← Dec(ske, c).
3. If n < i or Vrfy(pki, m, s) = 0 or Vrfy(pks, (i, pki), certi) = 0 then output 0; otherwise output i.
The opening procedure verifies that the decrypted tuple (i, pki, certi, s) is correctly formed. In particular, it checks that certi is indeed a valid certificate on (i, pki) and that s is a valid signature on m under pki.
Remark 4.1.1 The BMW scheme comes without verifiability of the opening procedure. It seems, however, possible to extend the scheme towards this property using an additional NIZKPoK proof for the NP relation given by statement-witness pairs ((pke, c, i, pki, certi, s), ske) for which Dec(ske, c) = (i, pki, certi, s). In this case the opening algorithm would output, in addition to i, a proof τ containing (pki, certi, s, J), where J would be the mentioned NIZKPoK proof. The judgement algorithm would then verify the validity of J, in addition to the validity of the group signature σ, certi and s (as in the opening procedure). In fact, this approach was used by Bellare, Shi, and Zhang [25] in the context of their dynamic group signature scheme, which we describe in Section 4.2. Furthermore, as mentioned by Galindo et al. [96], verifiability of the opening procedure in group signature schemes that follow the design principle of the BMW scheme and its dynamic variant from [25] can be obtained by using a different flavor of public-key encryption schemes that, in addition to being IND-CCA secure, have the property of non-interactive opening (the so-called PKENO schemes). These schemes implicitly allow the decrypting party, being in possession of ske, to prove in a non-interactive way that some message was encrypted in the ciphertext.