5.3 Attribute Based Group Signature
5.3.3 Construction
In this section we construct an ABGS scheme based on Boneh et al.'s work "Short Group Signatures" [20]. We add the prefix AGSC to distinguish the algorithms in this section from those in other sections. The algorithms are described below:
• AGSC.Setup($k$): Consider a bilinear map $e : G_1 \times G_2 \to G_3$ with all three groups multiplicative and of prime order. A computable isomorphism $\psi$ is between $G_1$ and $G_2$. Furthermore, the q-SDH problem (see Definition 2.2.11 and Assumption 2.2.12) is hard to solve in $G_1$ and $G_2$, and the linear problem (see Definition 2.2.14) is hard to solve in $G_1$. Select a hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$. Select a generator $g_2 \in_R G_2$ and then set $g_1 = \psi(g_2)$. Select $h \in_R G_1$ and $\xi_1, \xi_2 \in_R \mathbb{Z}_p^*$. The tracing key $tk = \langle \xi_1, \xi_2 \rangle$ will be used later in the open algorithm. Set $u, v \in G_1$ such that $u^{\xi_1} = v^{\xi_2} = h$ (by computing $u = h^{\xi_1^{-1}}$ and $v = h^{\xi_2^{-1}}$). Let $\gamma \in_R \mathbb{Z}_p^*$. Define a universe of attributes $U = \{1, 2, \ldots, m\}$ and for each attribute $j \in U$ choose a number $t_j \in_R \mathbb{Z}_p^*$. Let $S_{pub} = \langle G_1, G_2, G_3, e, H, g_1, g_2, h, u, v \rangle$ and $S_{pri} = \langle \gamma, tk \rangle$.
• AGSC.M.KeyGen($S_{pri}$, $S_{pub}$): Calculate the main public key base $w = g_2^{\gamma}$. Using $\gamma$ in $S_{pri}$, generate for each user $i$ a private key base $bsk[i] = \langle A_i, x_i \rangle$. The $bsk[i]$ should be an SDH pair where $x_i \in_R \mathbb{Z}_p^*$ and $A_i = g_1^{1/(\gamma + x_i)} \in G_1$.
• AGSC.A.KeyGen$_{pub}$($\Gamma$, $S_{pri}$, $S_{pub}$, $t_1, \ldots, t_\kappa$): To generate a public key for a certain attribute tree $\Gamma$, the set $B$ is calculated. $B$ is the set of public attribute keys for the attributes used in $\Gamma$. Each attribute public key is $bpk_j = g_2^{t_j}$. The algorithm $D = \mathrm{TCreate}(\Gamma, \gamma, B)$ is run, giving $D = \{D_1, \ldots, D_\kappa\}$ where $D_j = bpk_j^{q_j(0)}$. Sending $\gamma$ as the second argument in TCreate implies that $q_{root} = \gamma$. The public key will be $gpk = \langle g_1, g_2, h, u, v, w, D, h_1, \ldots, h_\kappa \rangle$ where $h_j = h^{1/t_j}$.
• AGSC.A.KeyGen$_{pri}$($bsk[i]$, $\Upsilon_i$, $t_1, \ldots, t_\mu$): For every attribute $j$ that user $i$ owns (i.e. $j \in \Upsilon_i$) calculate $T_{i,j} = A_i^{1/t_j} = g_1^{1/(t_j(\gamma + x_i))}$. The private key for a user $i$ will be the tuple $gsk = \langle A_i, x_i, T_{i,1}, \ldots, T_{i,\mu} \rangle$.
• AGSC.Sign($gpk$, $gsk$, $M$): To sign, user $i$ starts by choosing the set $\Im_i$
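Let $\zeta, \beta, \alpha \in_R \mathbb{Z}_p^*$.
Compute the linear encryption (Definition 2.3.2) of $A_i$ and $T_{i,j}$ where $j \in \Im_i$. The ciphertext of the encryption will equal $C_1 = u^{\zeta}$, $C_2 = v^{\beta}$, $C_3 = A_i h^{\zeta+\beta}$, and $CT_j = (T_{i,j} h_j^{\zeta+\beta})^{\alpha}$. The variable $\alpha$ is used to avoid linkability of the signature; otherwise the ratio between $CT_j$ and $C_3$ is constant. In other words, if $\alpha$ did not exist, an adversary could compare two signatures by dividing $CT_j / C_3$. If the result is equal for the two signatures then the signatures must have been created by the same signer.
Let $\delta_1 = x_i \zeta$ and $\delta_2 = x_i \beta$. Let $r_\zeta, r_\beta, r_x, r_{\delta_1}$ and $r_{\delta_2} \in_R \mathbb{Z}_p^*$. Calculate
$$R_1 = u^{r_\zeta}, \qquad R_2 = v^{r_\beta},$$
$$R_3 = e(C_3, g_2)^{r_x} \, e(h, w)^{-r_\zeta - r_\beta} \, e(h, g_2)^{-r_{\delta_1} - r_{\delta_2}},$$
$$R_4 = C_1^{r_x} u^{-r_{\delta_1}}, \qquad R_5 = C_2^{r_x} v^{-r_{\delta_2}}.$$
Let $c = H(M, C_1, C_2, C_3, R_1, R_2, R_3, R_4, R_5) \in \mathbb{Z}_p^*$.
Construct the values $s_\zeta = (r_\zeta + c\zeta)$, $s_\beta = (r_\beta + c\beta)$, $s_x = (r_x + c x_i)$, $s_{\delta_1} = (r_{\delta_1} + c\delta_1)$, and $s_{\delta_2} = (r_{\delta_2} + c\delta_2)$.
Let the trapdoor used in verifying the tree satisfaction be $td = w^{\alpha}$ (Section 5.2). The signature equals $\sigma = \langle C_1, C_2, C_3, c, CT_1, \ldots, CT_\tau, s_\zeta, s_\beta, s_x, s_{\delta_1}, s_{\delta_2}, td, \Im_i \rangle$.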
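• AGSC.Verify($gpk$, $M$, $\sigma$, $\Im_i$): The verifier needs to run the algorithm $F_{root} = \mathrm{TVerify}(D, \Im_i, \bar{T})$ where $\bar{T} = \{CT_1, \ldots, CT_\tau\}$, as shown in Section 5.2. Note that in SignNode(leaf) the value returned is $e(CT_j, D_j) = e(A_i h^{\zeta+\beta}, g_2^{\alpha})^{q_j(0)}$. Note that the value of the root polynomial when evaluated at 0 is $q_{root}(0) = \gamma$, therefore if the tree is satisfied $F_{root} = e(C_3, td)$.
Calculate
$$\bar{R}_1 = u^{s_\zeta} C_1^{-c}, \qquad \bar{R}_2 = v^{s_\beta} C_2^{-c}, \qquad \bar{R}_4 = C_1^{s_x} u^{-s_{\delta_1}}, \qquad \bar{R}_5 = C_2^{s_x} v^{-s_{\delta_2}},$$
$$\bar{R}_3 = e(C_3, g_2)^{s_x} \, e(h, w)^{-s_\zeta - s_\beta} \, e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} \left( \frac{e(C_3, w)}{e(g_1, g_2)} \right)^{c}.$$
If $c = H(M, C_1, C_2, C_3, \bar{R}_1, \bar{R}_2, \bar{R}_3, \bar{R}_4, \bar{R}_5)$ then accept the signature, otherwise reject it.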
• AGSC.Open($S_{pub}$, $gpk$, $tk$, $t_1, \ldots, t_\tau$, $M$, $\sigma$, $\Im_i$): This algorithm traces a signa-
$g_2, h, u, v, \Gamma, w \rangle$ derived from $S_{pub}$ and $gpk$.
Step one in the tracing will be verifying the signature. Afterwards, the group manager can recover $A_i$ by calculating $A_i = C_3 / (C_1^{\xi_1} C_2^{\xi_2})$. Now the manager can look up the user with index $A_i$. The manager can also verify the attributes. For each attribute, he checks the following equality: $e(CT_j, w) = e((A_i C_1^{\xi_1} C_2^{\xi_2})^{1/t_j}, td)$. If the equality holds for an attribute $j$ then $j$ is said to be traced to the same user $i$.
The reason behind limiting the possibility of being the group manager to the key generator is the need to use $t_j$ when calculating j. Furthermore, the key generator cannot convey $t_j$ in an encrypted manner to the group manager, because that implies that he can create private attribute keys, therefore increasing the number of authorities we need to trust other than the key generator.
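The algebra of Sign, Verify and Open above can be checked end to end with the following sketch, an added example that is not code from the original text. It assumes a toy "exponent model": every group element is stored as its discrete logarithm modulo a constructed prime, so multiplication becomes addition, exponentiation becomes multiplication and the pairing becomes a product, which exposes all secrets and gives no security. The function names, the SHA-256 stand-in for $H$ and the single-user, single-attribute tree are assumptions of the example.

```python
import hashlib, secrets

P = 2**61 - 1                         # toy prime group order p (constructed)
G = 1                                 # log of the generators g1 and g2
rnd = lambda: secrets.randbelow(P - 1) + 1
inv = lambda a: pow(a, -1, P)
e = lambda a, b: a * b % P            # e(g1^a, g2^b) = e(g1, g2)^(ab)

def H(*vals):                         # stand-in hash into Z_p (assumption)
    return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % P

def keygen():                         # one user i, one attribute j, single-leaf tree
    h, xi1, xi2, gamma, x, t = (rnd() for _ in range(6))
    A = inv(gamma + x)                # A_i = g1^(1/(gamma + x_i))
    return dict(h=h, u=h * inv(xi1) % P, v=h * inv(xi2) % P, w=gamma,
                D=t * gamma % P, hj=h * inv(t) % P,    # D_j = bpk_j^gamma, h_j = h^(1/t_j)
                tk=(xi1, xi2), t=t, A=A, x=x, T=A * inv(t) % P)

def commit(k, C1, C2, C3, sz, sb, sx, sd1, sd2, c=0):  # R1..R5 (c = 0) or R-bar1..R-bar5
    u, v, h, w = k["u"], k["v"], k["h"], k["w"]
    R3 = e(C3, G) * sx - e(h, w) * (sz + sb) - e(h, G) * (sd1 + sd2) + c * (e(C3, w) - e(G, G))
    return [(u * sz - c * C1) % P, (v * sb - c * C2) % P, R3 % P,
            (C1 * sx - u * sd1) % P, (C2 * sx - v * sd2) % P]

def sign(k, M):
    z, b, a, *r = (rnd() for _ in range(8))            # zeta, beta, alpha, r_zeta..r_delta2
    C1, C2, C3 = k["u"] * z % P, k["v"] * b % P, (k["A"] + k["h"] * (z + b)) % P
    CT = (k["T"] + k["hj"] * (z + b)) * a % P          # CT_j = (T_ij * h_j^(zeta+beta))^alpha
    c = H(M, C1, C2, C3, *commit(k, C1, C2, C3, *r))
    wit = (z, b, k["x"], k["x"] * z, k["x"] * b)       # zeta, beta, x_i, delta1, delta2
    s = [(ri + c * wi) % P for ri, wi in zip(r, wit)]
    return dict(C1=C1, C2=C2, C3=C3, c=c, CT=CT, s=s, td=k["w"] * a % P)

def verify(k, M, sig):                # reads only the public values in k
    C = (sig["C1"], sig["C2"], sig["C3"])
    tree_ok = e(sig["CT"], k["D"]) == e(sig["C3"], sig["td"])   # F_root == e(C3, td)
    return tree_ok and sig["c"] == H(M, *C, *commit(k, *C, *sig["s"], sig["c"]))

def open_sig(k, sig):                 # returns (recovered A_i, attribute j traced?)
    mask = (sig["C1"] * k["tk"][0] + sig["C2"] * k["tk"][1]) % P  # C1^xi1 * C2^xi2
    A = (sig["C3"] - mask) % P
    return A, e(sig["CT"], k["w"]) == e((A + mask) * inv(k["t"]) % P, sig["td"])
```

Because `commit` serves both the signer (with `c = 0`) and the verifier, a passing `verify` confirms that the $\bar{R}$ values collapse to the $R$ values exactly when $A_i^{\gamma + x_i} = g_1$.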