over Only Known-Order Group
Assumption 1 (MDL Assumption) There is no probabilistic polynomial-time algorithm P that can solve Problem 1.
3.3 The Modified Nyberg-Rueppel Signature Scheme
Let us summarize the original Nyberg-Rueppel signature scheme [14]. For an element a signer chooses his secret key and computes his public key A signature on a message is computed as and for a random integer which is verified by recovering the message as
Message-recovery signature schemes are subject to an existential forgery in which the attacker cannot control the message. By itself this is not a serious problem, because such a forgery can be avoided by restricting messages to a particular format. However, suppose that we want to use the scheme for a membership certificate of a DLP-based key like Then, by using a valid signature for a message with a known discrete logarithm it is easy to obtain a forged signature for some known message, in which the attacker can control the message of Therefore, we must remove this defect from the original Nyberg-Rueppel signature before using it to generate a membership certificate of a DLP-based key.
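The following is an added example, my own code rather than the paper's, showing the textbook Nyberg-Rueppel message-recovery scheme in the form given in the Handbook of Applied Cryptography (e = m·g^(-k) mod p, s = x·e + k mod q, recovery m = g^s·y^(-e)·e mod p). It demonstrates the three points of the paragraph above: any well-formed pair (e, s) recovers some message (existential forgery), a signature on a message with known discrete logarithm can be shifted to a related message with known discrete logarithm, and a message-format (redundancy) check defeats the first but not the second. The safe-prime parameters, key values and the 30-bit-payload-plus-32-bit-tag encoding are constructed for this example and are not the paper's parameters.

```python
# Added example (not from the paper): textbook Nyberg-Rueppel message-recovery
# signatures, the existential forgery the text mentions, the malleability on
# messages with known discrete logarithm, and a redundancy check that blocks
# the existential forgery. Parameters, keys and the 32-bit tag encoding are
# constructed for this example. Requires Python 3.8+ (pow with negative exponent).
import hashlib

# Deterministic Miller-Rabin witnesses: exact for every n < 3.3e24.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Deterministic Miller-Rabin for the parameter sizes used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_params():
    """Smallest safe prime p = 2q + 1 with q > 2^62 (toy-sized, constructed)."""
    q = (1 << 62) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4  # a square mod a safe prime p > 4 generates the order-q subgroup
    return p, q, g


def keygen(params, x):
    p, q, g = params
    return pow(g, x, p)  # public key y = g^x


def sign(params, x, m, k):
    """Nyberg-Rueppel: e = m * g^-k mod p, s = x*e + k mod q, for m in Z_p^*."""
    p, q, g = params
    assert 0 < m < p and 0 < k < q
    e = m * pow(g, -k, p) % p
    s = (x * e + k) % q
    return e, s


def recover(params, y, sig):
    """Recover the message, or None if (e, s) is out of range. Every in-range
    pair recovers *some* message: the existential forgery of message recovery."""
    p, q, g = params
    e, s = sig
    if not (0 < e < p and 0 <= s < q):
        return None
    v = pow(g, s, p) * pow(y, -e, p) % p  # equals g^k for an honest signature
    return v * e % p


# Redundancy: message = 30-bit payload || 32-bit tag, tag = first 32 bits of
# SHA-256(payload). A forged (e, s) recovers a pseudo-random element of Z_p^*,
# which passes this check with probability about 2^-32.
def _tag(payload):
    return int.from_bytes(hashlib.sha256(payload.to_bytes(4, "big")).digest()[:4], "big")


def encode(payload):
    assert 0 <= payload < (1 << 30)
    return (payload << 32) | _tag(payload)


def decode(m):
    """Return the payload, or None when the redundancy check fails."""
    if m is None or m >= (1 << 62):
        return None
    payload, tag = m >> 32, m & 0xFFFFFFFF
    return payload if tag == _tag(payload) else None


def shift_known_dl_message(params, sig, d):
    """If (e, s) signs m, then (e, s + d mod q) signs m * g^d, so for m = g^t
    with known t the signature is moved to a message with known log t + d."""
    p, q, g = params
    e, s = sig
    return e, (s + d) % q


if __name__ == "__main__":
    params = make_params()
    p, q, g = params
    x = 0x1234567890ABCDEF % q
    y = keygen(params, x)
    m = encode(0x2ABCDEF)
    sig = sign(params, x, m, 0x0FEDCBA987654321 % q)
    print("honest signature recovers payload:", decode(recover(params, y, sig)) == 0x2ABCDEF)
    forged = (0x1111, 0x2222)  # arbitrary pair: recovers a message nobody chose
    print("forged pair recovers an element:", recover(params, y, forged) is not None)
    print("...which fails the format check:", decode(recover(params, y, forged)) is None)
```

The redundancy check is exactly the "particular format" restriction the paragraph mentions; `shift_known_dl_message` shows why it is not enough once messages are group elements g^t of the form used for DLP-based keys, which is the defect the paper's modified scheme is designed to remove.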
In order to generate a membership certificate of a DLP-based key securely, we introduce another base with order such that the discrete logarithm of to the base is unknown. We restrict the message space of the Nyberg-Rueppel signature to In our scheme, GM or computes each public key as or respectively. Then, a membership certificate of public key is given as
3.4 Functional Description
A group signature scheme with CRL-based revocation consists of the following procedures:
Setup: A probabilistic polynomial-time algorithm that on input a security parameter outputs the group public key (including all system parameters), the secret key of the group manager, and the initial certificate revocation list
Registration: A protocol between the group manager and a user that registers the user as a new group member. The group manager outputs the renewed member list The user outputs a membership key with a membership certificate.
Revocation: A probabilistic polynomial-time algorithm that on input the renewed revoked member list outputs a renewed certificate revocation list corresponding to
Sign: A probabilistic polynomial-time algorithm that on input a group public key a membership key, a membership certificate, and a message outputs a group signature
Verification: A boolean-valued algorithm that on input a message a group signature a group public key and a current certificate revocation list returns 1 if and only if was generated by some valid group member.
Tracing: An algorithm that on input a valid group signature a group public key the group manager's secret key, and the member list outputs the identity of the signer.
3.5 Scheme Intuition
Our scheme must permit to prove knowledge of his membership certificate corresponding to his membership key without revealing any information about or However, no SPK has been known that proves knowledge of the membership certificate directly. So we modify the Nyberg-Rueppel signature as follows. Let be a prime with and and elements and GM issues a membership certificate of public key as This means exactly that our membership certificate is based on MDLP: forging a valid membership certificate is equivalent to solving MDLP. Under Assumption 1, it is difficult to find a set of such that without knowing the discrete logarithms of and with respect to each other. Therefore, the membership certificate corresponding to a membership key can be obtained only through the interactive protocol between GM and
In the signing phase, we employ a base with order P so that no information about the membership certificate and the corresponding membership key is revealed. computes a random base for a random integer and generates a signature based on the proof of knowledge of such that holds. This can be constructed using the SPK defined in Section 2.2.
3.6 Our Group Signature Scheme
We present a new group signature scheme with CRL-based revocation, which uses only known-order groups. Let be the security parameter, and let the initial member list the initial revoked member list and the initial membership certificate revocation list be null.
1. Choose a random prime a random prime of such that and set
2. Choose a random prime of such that
3. Set each cyclic subgroup with order and with order P.
4. Choose random elements and such that the discrete logarithms of these elements with respect to each other are unknown.
5. Choose a random element
6. Compute and for a secret key
7. Output the group public key and the secret key

1. chooses a membership key sets and sends with to
2. GM checks the validity of chooses a random integer computes and and sends to through a secure channel.
3. GM adds with identity to the member list
4. verifies that
5. GM outputs the renewed member list
6. possesses a membership key and a membership certificate
In order to revoke a new subset of members whose revoked member list is with GM renews the certificate revocation list by running the following Revocation protocol.
1. Choose a new revocation base and update
2. Compute for
3. Output the renewed certificate revocation list

1. Choose a random integer
2. Compute and
3. Generate as follows: choose random integers for compute and for and for
4. Generate as follows: choose compute and and
5. Output a group signature

1 We can also add an interactive protocol to make a member's secret key jointly by a

1. Check the validity of and
2. If for then accept the signature; otherwise reject the signature.

1.
2.
3. Identify a signer. Output the signer's identity from by using the member list
In our scheme, in order to realize the features of anonymity and unlinkability, GM has to keep secret and send a membership certificate to a group member through a secure channel. This assumption is also required in the CRL-based revocation of [3]. To reduce GM's power over anonymity and unlinkability, GM may be separated into two managers, the group manager and the escrow manager, by applying multi-party computation techniques to generate a membership certificate.