• Exculpability is covered through full traceability. If the group manager or the user² defeats exculpability then there exists an adversary that can break full traceability. In the former case the adversary simply produces a signature that is a forgery and cannot be traced to the person who actually created it. In the latter case the adversary can ask for the private key of user i, assuming user i is the one who defeats exculpability, and create a signature that is not traced to member i, thus breaking full traceability.
• Coalition Resistance is covered through full traceability. If the scheme was not coalition resistant the adversary can query the oracle PriKey to obtain a number of private keys that are enough to create a coalition. The coalition can create a signature that fails to open or does not trace to a member in the group and that also implies breaking full traceability.
In the next section we will give some examples of constructions of different group signatures.
4.3 Static Group Signatures-Constructions
In this section we give explicitly two constructions of group signature schemes: the first was proposed by Boneh, Boyen and Shacham (Section 4.3.1) and the other was proposed by Boneh and Shacham (Section 4.3.2). Recall from Section 4.1 that we consider the following schemes as static since they do not have a join protocol, unlike the schemes in Section 4.4. A better naming would have been “owned-key” group signatures since the authority in both constructions can add users later on and the signing keys are created by the authority without the involvement of the users.
4.3.1 Boneh, Boyen, and Shacham Scheme
In Crypto’04 Boneh, Boyen and Shacham proposed a group signature scheme that is secure under the assumption that the Strong Diffie–Hellman problem (Definition 2.2.11) is hard and the Decision Linear problem (Definition 2.2.14) [20] is hard. In this section we will go through the construction of their scheme. The algorithms are described below and the prefix BBS is used to distinguish them from other algorithms in this thesis:
• BBS.Setup(k) : This algorithm takes a security parameter k that is used to generate a bilinear map $e : G_1 \times G_2 \to G_3$ where $G_1$, $G_2$ and $G_3$ are of prime order $p$ ($p$ is determined using the parameter k as mentioned in Section 2.2). Furthermore there exists a computable isomorphism $\psi$ from $G_2$ to $G_1$. Suppose that the Decision Linear Problem (Definition 2.2.14) is hard to solve in $G_1$ and the q-Strong Diffie–Hellman (see Definition 2.2.11) is hard to solve (as defined by security parameter k) in both $G_1$ and $G_2$. Choose a hash function $H : \{0,1\}^* \to \mathbb{Z}_p^*$. Select a generator $g_2 \in G_2$ uniformly at random and set $g_1 = \psi(g_2)$. Select $\gamma \in_R \mathbb{Z}_p^*$. $S_{pri} = \gamma$. $S_{pub} = (e, G_1, G_2, g_1, g_2, H)$.
² The trusted third party that plays the role of the key generator can defeat exculpability since it has all private keys of all users.
• BBS.KeyGen($S_{pri}$, $S_{pub}$) : Select $h \in_R G_1$ and $\zeta_1, \zeta_2 \in_R \mathbb{Z}_p^*$. Set $u, v \in G_1$ such that $u^{\zeta_1} = v^{\zeta_2} = h$. This can be computed by assigning $u = h^{1/\zeta_1}$ and $v = h^{1/\zeta_2}$. Calculate $w = g_2^{\gamma}$. Generate for each user a private key bsk[i] $= (A_i, x_i)$, where $A_i = g_1^{1/(\gamma + x_i)} \in G_1$ and $x_i \in \mathbb{Z}_p^* \setminus \{-\gamma\}$. Then gpk $= (h, u, v, w)$ and the tracing key is tk $= (\zeta_1, \zeta_2)$.
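• BBS.Sign($S_{pub}$, gpk, bsk[i], M) : The signer chooses $\alpha, \beta, r_\alpha, r_\beta, r_x, r_{\delta_1}, r_{\delta_2} \in_R \mathbb{Z}_p^*$.
He computes $T_1 = u^{\alpha}$, $T_2 = v^{\beta}$, and $T_3 = A_i h^{\alpha+\beta}$. He calculates $\delta_1 = x_i\alpha$ and $\delta_2 = x_i\beta$.
He then computes
$R_1 = u^{r_\alpha}$,
$R_2 = v^{r_\beta}$,
$R_3 = e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha - r_\beta} \cdot e(h, g_2)^{-r_{\delta_1} - r_{\delta_2}}$,
$R_4 = T_1^{r_x} u^{-r_{\delta_1}}$,
$R_5 = T_2^{r_x} v^{-r_{\delta_2}}$.
The signer calculates $c = H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5) \in \mathbb{Z}_p^*$.
Then computes $s_\alpha = r_\alpha + c\alpha$, $s_\beta = r_\beta + c\beta$, $s_x = r_x + c x_i$, $s_{\delta_1} = r_{\delta_1} + c\delta_1$, and $s_{\delta_2} = r_{\delta_2} + c\delta_2$.
The signature will be $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$.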
• BBS.Verify(gpk, $S_{pub}$, M, σ) : The verifier re-derives the following:
$\bar{R}_1 = u^{s_\alpha} T_1^{-c}$,
$\bar{R}_2 = v^{s_\beta} T_2^{-c}$,
$\bar{R}_3 = e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha - s_\beta} \cdot e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} \cdot \left( \frac{e(T_3, w)}{e(g_1, g_2)} \right)^{c}$,
$\bar{R}_4 = T_1^{s_x} u^{-s_{\delta_1}}$,
$\bar{R}_5 = T_2^{s_x} v^{-s_{\delta_2}}$.
To verify the signature check whether $c = H(M, T_1, T_2, T_3, \bar{R}_1, \bar{R}_2, \bar{R}_3, \bar{R}_4, \bar{R}_5)$ holds. If it is true then accept the signature, otherwise reject it.
• BBS.Open(M, σ, tk, $S_{pub}$, gpk) : To trace a signature σ to a signer, the authority first verifies its validity. The second step is to recover $A_i = T_3 / (T_1^{\zeta_1} T_2^{\zeta_2})$ and compare it to a list of $A_i$ of the members of the group.
This scheme has been proven secure under full anonymity and full traceability definitions (Section 4.2.2). It is efficient since the size of the signature is constant. The work done in that paper was a fundamental building block of our constructions in later chapters because of its security and efficiency.
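The Sign, Verify and Open equations above can be checked end to end with the following added example, which is not part of the thesis or of the original paper. It assumes an insecure "exponent model" in which every group element is stored as its discrete logarithm, so it validates the algebra only; the prime `P`, the SHA-256 based `H` and all function names are assumptions of the example, and a real implementation needs a pairing library.

```python
# Added example (not from the thesis): BBS algebra in an INSECURE exponent model.
# Elements are stored as discrete logs mod P: multiply -> +, power -> *, e(a,b) -> a*b.
import hashlib, secrets

P = 2**127 - 1                                  # toy prime group order (assumed)
G1 = G2 = 1                                     # logs of g1 = psi(g2) and of g2
rnd = lambda: secrets.randbelow(P - 1) + 1      # uniform element of Z_p^*
e = lambda a, b: a * b % P                      # toy bilinear map

def H(*parts):                                  # hash into Z_p^*
    d = hashlib.sha256(repr(parts).encode()).digest()
    return int.from_bytes(d, "big") % (P - 1) + 1

def keygen(n):
    gamma, h, z1, z2 = rnd(), rnd(), rnd(), rnd()
    gpk = (h, h * pow(z1, -1, P) % P, h * pow(z2, -1, P) % P, G2 * gamma % P)
    bsk = []
    while len(bsk) < n:
        x = rnd()
        if (gamma + x) % P:                     # enforce x_i != -gamma
            bsk.append((G1 * pow(gamma + x, -1, P) % P, x))   # (A_i, x_i)
    return gpk, bsk, (z1, z2)                   # gpk = (h, u, v, w), tk = (z1, z2)

def sign(gpk, key, M):
    (h, u, v, w), (A, x) = gpk, key
    al, be, ra, rb, rx, rd1, rd2 = (rnd() for _ in range(7))
    T1, T2, T3 = u * al % P, v * be % P, (A + h * (al + be)) % P
    d1, d2 = x * al % P, x * be % P
    R1, R2 = u * ra % P, v * rb % P
    R3 = (e(T3, G2) * rx - e(h, w) * (ra + rb) - e(h, G2) * (rd1 + rd2)) % P
    R4, R5 = (T1 * rx - u * rd1) % P, (T2 * rx - v * rd2) % P
    c = H(M, T1, T2, T3, R1, R2, R3, R4, R5)
    s = [(r + c * k) % P for r, k in ((ra, al), (rb, be), (rx, x), (rd1, d1), (rd2, d2))]
    return (T1, T2, T3, c, *s)

def verify(gpk, M, sig):
    T1, T2, T3, c, sa, sb, sx, sd1, sd2 = sig
    h, u, v, w = gpk
    R1, R2 = (u * sa - T1 * c) % P, (v * sb - T2 * c) % P
    R3 = (e(T3, G2) * sx - e(h, w) * (sa + sb) - e(h, G2) * (sd1 + sd2)
          + (e(T3, w) - e(G1, G2)) * c) % P     # last term: (e(T3,w)/e(g1,g2))^c
    R4, R5 = (T1 * sx - u * sd1) % P, (T2 * sx - v * sd2) % P
    return c == H(M, T1, T2, T3, R1, R2, R3, R4, R5)

def open_sig(gpk, tk, bsk, M, sig):
    if not verify(gpk, M, sig):                 # Open first checks validity
        return None
    A = (sig[2] - sig[0] * tk[0] - sig[1] * tk[1]) % P   # T3 / (T1^z1 * T2^z2)
    return next((i for i, (Ai, _) in enumerate(bsk) if Ai == A), None)
```

A key whose $A$ does not satisfy $A^{\gamma + x} = g_1$ produces a signature that fails the $\bar{R}_3$ check, which is the algebraic core of traceability.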
4.3.2 Boneh and Shacham’s Scheme
After the publication of Boneh et al.’s work in Crypto’04 (previous section), Boneh and Shacham decided to modify the scheme further so that it enables revocation [25]. The revocation is done by having a list that contains a token representing each revoked user. Using that list a verifier can test whether the signature belongs to a revoked user. Using the revocation algorithm the authority can identify the signer of any valid signature. The authority has all the tokens of members of the group. It creates a fake revocation list containing all members’ tokens and runs the revocation algorithm on the fake list. It should trace to a member in that list. In other words the Open algorithm is replaced with Revoke. When a verifier is running Revoke he is checking whether the signer is revoked or not. On the other hand, when the authority runs the Revoke algorithm on the fake list it is tracing the signature to a signer. The scheme proposed is secure under the assumption that the q-SDH problem (See Section 2.2.11) and the Decision Linear problem (See Section 2.2.14) are hard.
A description of their method follows and a prefix BS is used to distinguish the algorithms in this section from ones in other sections:
• BS.Setup(k) : This algorithm takes a security parameter k and generates a bilinear map $e : G_1 \times G_2 \to G_3$ where $G_1$, $G_2$ are of prime order and $G_1$, $G_2$ have a computable isomorphism $\psi$ from $G_2$ to $G_1$. Suppose further that the Decision Linear is hard to solve in $G_1$ and the SDH is hard to solve in both ($G_1$, $G_2$). Choose the hash functions $H_1 : \{0,1\}^* \to \mathbb{Z}_p^*$ and $H_2$ with range $G_2^2$. A generator $g_2 \in G_2$ is randomly chosen and $g_1 = \psi(g_2)$ is computed. Select $\gamma \in_R \mathbb{Z}_p^*$. Let
• BS.KeyGen($S_{pri}$, $S_{pub}$) : Set $w = g_2^{\gamma}$. For each user i generate the private key bsk[i] $= (A_i, x_i)$, where $A_i = g_1^{1/(\gamma + x_i)}$. The public key is gpk $= (g_1, g_2, w)$. The revocation token is $A_i$.
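• BS.Sign(M, σ, $S_{pub}$, $S_{pri}$) : The signer picks $r \in_R \mathbb{Z}_p^*$ and obtains $(\bar{u}, \bar{v}) = H_2(\text{gpk}, M, r)$. The signer computes the images in $G_1$ so that $u = \psi(\bar{u})$ and $v = \psi(\bar{v})$.
The signer selects an exponent $\alpha \in_R \mathbb{Z}_p^*$ then computes $T_1 = u^{\alpha}$ and $T_2 = A_i v^{\alpha}$.
Let $\delta = x_i\alpha$. Let $r_\alpha, r_x, r_\delta \in_R \mathbb{Z}_p^*$.
The signer computes
$R_1 = u^{r_\alpha}$,
$R_2 = e(T_2, g_2)^{r_x} \cdot e(v, w)^{-r_\alpha} \cdot e(v, g_2)^{-r_\delta}$,
$R_3 = T_1^{r_x} \cdot u^{-r_\delta}$.
Let $c = H_1(\text{gpk}, M, r, T_1, T_2, R_1, R_2, R_3)$.
Then computes $s_\alpha = r_\alpha + c\alpha$, $s_x = r_x + c x_i$, and $s_\delta = r_\delta + c\delta$.
Signature is $\sigma = (r, T_1, T_2, c, s_\alpha, s_x, s_\delta)$.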
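• BS.Verify(M, σ, $S_{pub}$, gpk) : The verifier starts with recomputing $\bar{u}$, $\bar{v}$, $u$, and $v$, and then deriving
$\bar{R}_1 = u^{s_\alpha} / T_1^{c}$,
$\bar{R}_2 = e(T_2, g_2)^{s_x} \cdot e(v, w)^{-s_\alpha} \cdot e(v, g_2)^{-s_\delta} \cdot \left( \frac{e(T_2, w)}{e(g_1, g_2)} \right)^{c}$,
$\bar{R}_3 = T_1^{s_x} u^{-s_\delta}$.
To accept a signature the equality $c = H_1(\text{gpk}, M, r, T_1, T_2, \bar{R}_1, \bar{R}_2, \bar{R}_3)$ must hold, else reject the signature.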
• BS.Revoke(σ, [..A..]) : For each element A in the revocation list [..A..] check if $e(T_2/A, \bar{u}) = e(T_1, \bar{v})$; if it is true then that user is revoked.
The constructions in Section 4.3.1 and 4.3.2 are strongly related with the main difference being that the bases of the exponents (i.e. $u$ and $v$) are randomized each time using the hash function $H_2$. This randomization makes it possible to remove an element $T_3$ and possible to have an element $T_2$ that can be tested against revoked users in algorithm Revoke. The scheme is still fully traceable and fully anonymous.
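Why the Revoke test singles out the signer's token, as an added derivation that is not part of the original thesis. It uses the symbols of Section 4.3.2 and additionally assumes $a, b \in \mathbb{Z}_p$ denote the (unknown) discrete logarithms of $\bar{u}, \bar{v}$ to the base $g_2$, so that $u = \psi(\bar{u}) = g_1^{a}$ and $v = \psi(\bar{v}) = g_1^{b}$. For the signer's own token, $T_2 / A_i = v^{\alpha}$ and therefore

$$e(T_2/A_i, \bar{u}) = e(g_1^{b\alpha}, g_2^{a}) = e(g_1, g_2)^{ab\alpha} = e(g_1^{a\alpha}, g_2^{b}) = e(T_1, \bar{v}).$$

For any other token $A \neq A_i$ we have $T_2/A = (A_i/A)\, v^{\alpha}$, hence

$$e(T_2/A, \bar{u}) = e(A_i/A, \bar{u}) \cdot e(T_1, \bar{v}),$$

and since $A_i/A \neq 1$ in a group of prime order and $e$ is non-degenerate, the extra factor $e(A_i/A, \bar{u})$ equals 1 only when $\bar{u}$ is the identity of $G_2$. The test therefore passes for exactly one token unless $H_2$ outputs a degenerate $\bar{u}$.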
In this section we have explained static group signatures, their definition, their security notions, and we have given two examples of recent constructions. In the following section we go through the same discussion for dynamic group signatures.