Linkable Democratic Group Signatures

Linkable Democratic Group Signatures

Mark Manulis??_{, Ahmad-Reza Sadeghi, and J¨org Schwenk}

Horst-G¨ortz Institute Ruhr-University of Bochum

D-44801, Germany

{mark.manulis, joerg.schwenk}@nds.rub.de, [email protected]

Abstract. In a variety of group-oriented applications cryptographic primitives like group signatures or ring signatures are valuable methods to achieve anonymity of group members. However, in their classical form, these schemes cannot be deployed for applications that simultaneously require (i) to avoid centralized management au-thority like group manager and (ii) the signer to be anonymous only against non-members while group non-members have rights to trace and identify the signer.

The idea of recently introduceddemocratic group signaturesis to provide these prop-erties. Based on this idea we introduce a group-oriented signature scheme that allows the group members to trace the identity of any other group member who issued a signature while non-members are only able to link the signatures issued by the same signer without tracing. For this purpose the signature scheme assigns to every group member a unique pseudonym that can be used by any non-member verifier to commu-nicate with the anonymous signer from the group. We present several group-oriented application scenarios where this kind of linkability is essential.

We propose a concrete linkable democratic group signature scheme for two-parties, prove its security in the random oracle model, and describe how to modularly extend it to the multi-party case.

Key words:democratic group signatures, anonymity, pseudonymity, linkability, group communication

1

Introduction

Designing anonymity-preserving cryptographic schemes for group-oriented applications, such as group signatures and ring signatures (c.f. Section 2), has been an appealing sub-ject of the research. In this paper we consider group communication scenarios between members of a group and non-members where the anonymity of group members should be preserved only against non-members, but is not desired within the group. In other words, signed messages on behalf of the group must be verifiable by group members and non-members, but the signer’s identity should be revealed only by other group members. Since a non-member may receive signed messages from different group members, it is essential for non-members to distinguish between signatures produced by the same signer (linkabil-ity of signatures) in order to respond accordingly. In this context it is likely that the unique pseudonyms of group members may be used to provide this kind of linkability for non-members. Further, we consider communication scenarios where no central management authorities needed who controls the initialisation of the group and the communication pro-cess.

In their classical form group and ring signatures cannot be deployed for those applications that require the mentioned properties. Recently the idea of ademocratic group signature was introduced in [20] that allows group members to initialise the group and maintain it over dynamic group changes in a collective manner without relying on any centralized

?

This is the full version of the paper which appears at ISPEC 2006, Lecture Notes of Computer Science, Volume 3903. cSpringer-Verlag, 2006.

??

authority like group manager. However, the proposed model is too strong for the communi-cation scenarios considered in this paper. This is because the model in [20] requires unlink-ability of issued group signatures. Clearly, if signatures are unlinkable then non-members are not able to distinguish between messages signed by the anonymous communication partner from the group, and are, therefore, not able to respond to the signer. Therefore, in this paper we propose a relaxed model forlinkable democratic group signatures. As a consequence more efficient schemes can be designed. In the following we describe some communication scenarios for linkable democratic group signatures.

Consultative Group Decision.Consider a group of peopleGwho has to make their common decision based on anonymous consultations with third parties inT. Every member ofG is allowed to initiate an anonymous consultation with any party ti ∈ T such that only other group members can identify it and follow the consultation process. Any party ti may be queried from different members at the same time and must, therefore, be able to determine the sender to respond accordingly. Concrete applications are: anonymous review and discussion of submitted papers by the program committee, selection of participants for a project tender based on their proposals. Group members may use linkable democratic group signatures to sign their queries toti. If referees want to discuss several topics of the submitted paper with its authors without revealing their identities, then they can use the scheme to sign their messages. The authors are able to distinguish between queries of different referees using pseudonyms and respond accordingly.

Distributed Group Control.Consider a scenario of the distributed control, e.g., in a battle-field. Given setF of field devices and setC of control devices, such that any device inC can send its orders to any device inFwith respect to some control policyP. Any field de-vice that receives an order must be able to respond to the control dede-vice that has issued the order. For strategic reasons field devices should not know, which control device has issued the order, but still must be able to verify that the order comes from an authentic control device inC. Any other device inCmust know which orders have been sent and also which control device is the issuer of a certain order. The latter allows the control devices to ex-clude a malicious control device whose orders are not conform withP. The solution based on linkable democratic group signatures is that all control devices fromC form a group, whereas field devices are considered as non-members. Any control devicecibroadcasts its signed order so that upon its reception any party inCand inFcan verify whether the order is from aci∈ Cbut only members ofCcan determine the identity ofciwhile members of Fcan communicate withciover its pseudonym.

Organization In Section 2 we discuss the main differences between linkable democratic group signatures and other known group-oriented signatures. The formal model and secu-rity requirements of linkable democratic group signatures are described in Section 3. We propose a concrete scheme for two parties and prove its security in the random oracle model in Section 4. In Section 5 we describe a straightforward extension for the multi-party case.

2

Related Work

Although there exist various group-oriented digital signatures, linkable democratic group signatures differ from them in trust relationship and signer’s anonymity as discussed in the following.

Group signaturesintroduced by Chaumet. al.[11] and later studied and improved in [10, 9, 2, 7, 4, 8, 16] allow members of a group to sign messages on behalf of the group so that it is not possible to distinguish who the actual signer is. Nevertheless, there exists a des-ignatedgroup manager that can open the signature, i.e., reveal the identity of its signer. We are interested in two security requirements of group signatures, namely the unlinka-bilityand theanonymity. The first one means that no party except for the group manager should be able to relate two or more signatures as being produced by the same signer. The second one means that no party except for the group manager should be able to reveal the signer’s identity [2]. There are several differences between group signatures and link-able democratic group signatures: Firstly, in group signatures all group members trust the group manager that computes all group secrets. This is obviously is not the case in the trust model of linkable democratic group signatures. Secondly, group signatures are unlinkable. Thus, group members and non-members that receive a signed message are not able to relate it to any previously received signed message. The only party that is able to do this is the group manager. Obviously, this is an obstacle for the communication in scenarios described above. Thirdly, the anonymity requirement of group signatures allows only the group man-ager to reveal the identity of the signer from the signature. In linkable democratic group signatures, however, all group members are allowed to do this.

Ring signatures introduced by Rivestet. al. [21] and further studied in [18] and [5] do not require any group manager to form a group. For the signature generation every user builds a set of public keys that includes his public key and the public keys of other users. A generated signature does not reveal the public key of the signer, but a set of public keys of all possible signers. Therefore, ring signatures cannot be used for a direct communi-cation between a verifier and a signer. Additionally, ring signatures provide unconditional anonymity, i.e., no party can reveal the signer’s identity. Linkable democratic group sig-natures are similar to ring sigsig-natures in the sense that no group manager is required to initialise a group, and that a verifier knows the set of possible signers without being able to identify the signer. However, the differences are that in linkable democratic group signa-tures: (i) every member actively participates in the initialisation process, (ii) a non-member verifier is able to respond to the signer using the signer’s pseudonym, and (iii) group mem-bers are able to identify the signer.

Democratic group signaturesintroduced recently in [20] result from changes to the stan-dard model of group signatures caused by elimination of the group manager’s role and distribution of the tracing rights to individuals. Group members initialise the group and control it over dynamic changes in a collective manner. Every group member has indi-vidual right to trace issued signatures to their signers. To provide indiindi-vidual tracing rights group members agree on a tracing trapdoor. The signer’s anonymity is provided against non-members. However, the model in [20] requires unlinkability of signatures. This prop-erty is an obstacle for the direct communication between a non-member and an anonymous group member, because the non-member would no more be able to distinguish the mes-sages of the same signer. Therefore, we relax the model of democratic group signatures to provide the linkability of generated signatures. Additionally, this results in a more effi-cient construction, i.e., the signatures in our scheme have the length ofO(1)whereas the signatures in [20] have the length ofO(n).

3

Model

3.1 Notations and Terminology

For a stringx,|x|denotes its length. For a finite set or tupleX,|X|denotes its size. We use{,}to specify a set, and(,)to specify a tuple.denotes an empty string, tuple or set according to the context. We usex:=yto define value ofxto beywhereycan be a value, a tuple or a set. Ifyis a tuple thenx:=$ yspecifies a random permutation of values iny. IfTis a randomized algorithm or protocol then[T(X)]denotes the set of random variables having positive probability of being output byT on inputX, andY ←$ T(X)denotes a concrete output ofT on the same input with freshly generated coins. For a finite setX,

x←$ Xdenotes the algorithm that samples an element uniformly at random fromX. IfT

is deterministic thenY ←T(X)denotes the output ofT on inputX.

We say one-argument functionv:N→Nis negligible if for any positive polynomialpoly

there existsl0 ∈N, such that for alll∈N,l > l0:v(l)<1/poly(l). We say two-argument

functionw:N×N→Nis negligible if for any polynomial time functionf :N→Nfor

that exists a positive polynomialpoly, such thatf(k)≤poly(k),∀k∈N, the one-argument

functionwf(l) = w(l, f(l))is negligible for alll ∈ N. This definition of two-argument

negligibility introduced in [2] is used in our scheme to show the negligibility of functions which are parameterized with a security parameter and a number of group members. In the context of the security requirement<req>we useExp<req>

A to denote an experi-ment with an algorithmAaiming to break this requirement. ByAdv<req>

A we denote the advantage function ofA.

3.2 Linkable Democratic Group Signatures: Algorithms and Protocols

– A randomized protocolSetupbetween all members that takes as input a security pa-rameterl∈Nand a number of membersn∈N. The public output is a set ofidentities IDand a set ofpseudonyms PSof group members. The identity and the pseudonym of a memberiare denotedidiandpsi, respectively. The private output for each member

iis the individual secret signing keyskifrom the setSK.

– A randomized algorithmSignthat on input a secret signing keysk∈SKand a message

m, outputs a signatureσonm.

– A deterministic algorithmVerifythat on input a candidate signatureσ, a messagem, and the set of pseudonymsPSoutputs either a pseudonympsif it accepts the signature or⊥if it rejects it.

– A deterministic algorithmTracethat on input a candidate signatureσ, a messagem, any secret signing keysk∈SK, the set of pseudonymsPS, and the set of identitiesID outputs either an identityidor the symbol⊥if a failure occurs. Since everyski ∈SK can be used as input to the signing and tracing algorithms there should exist atracing trapdooras part of everyski.

Remark 1. In linkable democratic group signatures the scheme is initialised in a collective manner by all group members. Note that members may be in possession of certified public keys for the authentication of their messages during theSetupprotocol, but we stress that no third trusted party like a certification authority (CA) is actively involved in the protocol. Note that the stronger model of democratic group signatures in [20] that requires unlinka-bility of signatures considers additional protocols for dynamic groups, i.e., protocols that handle joins and exclusions of group members. However, in dynamic groups the property of linkability would allow non-members to reveal identities of group members that have joined to the group or have been excluded from it. In case of join a non-member may record the identity of the joining member. Then it can simply figure out which pseudonyms in the changed group formation are linkable to pseudonyms of the previous group forma-tion, and so find out the pseudonym which cannot be linked, i.e. the pseudonym of the joined member. Similar, in case of the exclusion a non-member can record the identity of the excluded group member, then relate the pseudonyms from the previous group formation to the pseudonyms of the changed group formation, and figure out the pseudonym of the excluded member. Therefore, we consider linkable democratic group signatures only for static groups.

3.3 Trust Model and Assumptions

After the scheme is initialised every group member must be trusted not to reveal its secret signing key or any information that can be used to link anyidi andpsifor the sameito any other party. The setup protocol must also be resistant against attacks that aim to reveal such links. We require also the existence of at least one honest group member who acts according to the setup protocol and does not take part in any collusion of group members trying to cheat against non-members.

3.4 Security Requirements

Definition 2 (Correctness).A linkable democratic group signature schemeLDGS from Definition 1 is correct if for all l, n ∈ N, (ID,PS,SK) ∈ [Setup(l, n)], ski,skj ∈ SK, idi∈ID, ps_i∈PS,m∈ {0,1}∗_{, andσ} $

←Sign(ski, m) :

Verify(σ, m,PS) =psi∧Trace(σ, m,skj,PS,ID) =idi

Anonymity Informally, in an anonymity attack against a linkable democratic group sig-nature scheme the adversary tries to figure out the identityidiof the signer of a signature. The formal definition is given by experimentExpanon−b

A (l, n)in Figure 1. AdversaryA operates in two stages:chooseandguess. In thechoosestage it is given the set of identi-tiesID, the set of pseudonymsPSproduced by the protocolSetup(l, n), and outputs two identitiesid0,id1, a messagem ∈ {0,1}∗, and some state information St to be used in

the second stage of the attack. In theguessstageAis given St, and a signatureσb of the member withidbonmwherebis a random bit. In order to cover chosen message attacksA is also allowed to query oracleSign∗on any messagem∗of its choice. The oracle answers with the signatureσb∗onm∗. At the end of the stageAoutputs bitdas a guess forb.

Definition 3. The anonymity advantage of A is given by the function

Advanon_A (l, n) = Pr[Expanon_A −1(l, n) = 1]−Pr[Expanon_A −0(l, n) = 1].

A linkable democratic group signature schemeLDGS from Definition 1 is anonymous if for any polynomial time adversary A the anonymity advantageAdvanon_A (l, n)is negligible in terms of negligibility of two-argument functions.

Traceability Informally, in a traceability attack against a linkable democratic group sig-nature scheme the adversaryAis allowed to corrupt members (obtain their secret signing keys), and tries to generate a forged signature that either cannot be traced to any member or can be traced to an uncorrupted member. The formal definition is given by experiment Exptrace_A (l, n)in Figure 1. AdversaryAoperates in two stages:corruptandforge.Astarts its attack by adaptively corrupting a setIDc of members. The adversary has free choice of the identities and the number of corrupted members. At the end of thecorruptstage the set IDccontains identities of corrupted members. In the stageforgeadversary knowing the set SKcof secret signing keys of corrupted members outputs a forgery(σ, m). The experiment returns 1 ifσfulfils verification requirements, but the tracing algorithm outputs either⊥or an identityidiof an uncorrupted member. In both stages adversary is given access to the signing oracleSignthat outputs a signature of the member withidion a query(idi, m0).

Definition 4. The traceability advantage of A is given by the function

Advtrace_A (l, n) = Pr[Exptrace_A (l, n) = 1].

A linkable democratic group signature schemeLDGSfrom Definition 1 is traceable if for any polynomial time adversary A the traceability advantageAdvtrace_A (l, n)is negligible in terms of negligibility of two-argument functions.

3.5 Discussion on Sizes

Since every member has its unique identity, pseudonym and secret signing key we follow that the lower size bounds ofID,PSandSKare equal ton. To the contrary, it is preferable that the size of a generated signatureσremains constant, i.e., does not grow withn.

4

A Two-Party Linkable Democratic Group Signature Scheme

Expanon−b

A (l, n): Exp

trace A (l, n):

(ID,PS,SK)←$ Setup(l, n); (ID,PS,SK)←$ Setup(l, n);

(St,id0,id1, m)

$

←A(choose, ID, PS); St:= (ID,PS);IDc:=;SKc:=;next:= 1; b← {$ 0,1};σ←$ Sign(skb, m); Until(next= 0)do

d←$ ASign∗(·)

(guess,St, σ); (next,St,idi)←$ ASign(·,·)

(corrupt,St,SKc);

returnd; Ifnext= 1thenIDc←IDc∪ {idi};SKc←SKc∪ {ski}EndIf EndUntil;

(σ, m)←$ ASign(·,·)₍

forge,St);

IfVerify(σ, m,PS) =⊥then return 0 EndIf;

IfTrace(σ, m,PS,skj) =⊥for any0≤j < nthen return 1 EndIf;

idi←Trace(σ, m,PS,skj);

Ifidi6∈IDcandSign(·,·)was not queried on(idi, m)then return 1 else return 0 EndIf;

Fig. 1.Experiments used to define anonymity and traceablity ofLDGS

4.1 Cryptographic Primitives

Proof of the Equality of Two Discrete Logarithms LetG :=< g, p, q > be a cyclic

subgroup of the multiplicative groupZ∗p with generatorgand orderq, whereqandpare large prime numbers withq|(p−1). In our scheme we use a non-interactive zero-knowledge (NIZK) proof system (P,V)for the equality of two discrete logarithms. A probabilistic proving algorithm P on inputx = (g0, g1, y0, y1) ∈ G4 and w ∈ Zq outputs a non-interactive proofπfor the equalityw= log_g

0(y0) = logg1(y1). A deterministic verifying

algorithm Von input x, and a proof π checks whetherπ is a correct proof and outputs either 1 or 0 (1 ifVaccepts the proof). Both algorithms have access to a random oracleR from the family of random oracles (c.f. [3]). The proof system(P,V)must satisfy the usual requirements of completeness, soundness and zero-knowledge.

Note that the equality of two discrete logarithms in the context of digital signature schemes has already been used by Goh and Jarecki in [13]. Their scheme utilizes a NIZK proof sys-tem for the signature generation and is proven to be secure in the random oracle model. Our scheme is designed to work with any NIZK proof system for the equality of two discrete logarithms in the random oracle model, e.g., the efficient scheme used in [13] can be ap-plied. In this case the random oracleRin the description of our algorithms can be replaced by a cryptographic secure hash function.

Due to some technical reasons concerning the zero-knowledge simulation we have to use adaptive NIZK proof systems in our security proof. In Appendix A we provide a more detailed description and the definition of adaptive NIZK proof systems in the random oracle model based on the description of these systems in the common reference string model along the lines in [12] and [22].

Simultaneous Decisional Diffie-Hellman Assumption In the following we introduce a cryptographic assumption which we call asimultaneous decisional Diffie-Hellman (SDDH) assumption. This assumption is an extension of a well-known Decisional Diffie-Hellman (DDH) assumption [6] and is essential for the anonymity property of our scheme as shown below.

Definition 5 (SDDH Assumption).Given a cyclic subgroupG:=< g, p, q >and security parameterl as above. Let Asbe a polynomial time distinguisher that tries to distinguish between two distributionsD0

Expsddh−b

As (l): n∈N;y←$ Zq;

Fori= 0ton−1doxi, ri

$

←ZqEndFor;

D00 := (g, gx0, . . . , gxn−1, gy, gr0, . . . , grn−1);

D10 := (g, gx0, . . . , gxn−1, gy, gx0y, . . . , gxn−1y);

b← {$ 0,1}; d←$ As(D0b);

returnd;

The advantage function of Asis defined as

Advsddh_As (l) = Pr[Expsddh_As −1(l) = 1]−Pr[Expsddh_As −0(l) = 1] (1)

The SDDH assumption is thatAdvsddh_As (l)is negligible.

Theorem 1 (SDDH ⇔ DDH). The SDDH assumption is equivalent to the Decisional Diffie-Hellman (DDH) assumption. Formally, for all distinguishers A, Asand for alll∈N: Advsddh_As (l) =Advddh_A (l).

Proof. The proof is given in Appendix B.1.

The idea of SDDH assumption in the context of our scheme is that every group member

i has a temporary private keyxi ∈ Zq and the corresponding public keygxi which is used as identityidi. In our scheme both group members compute the same tracing trap-doork∈Zq as part of their secret signing keys and the blinded versiongkis public. The pseudonymps_i of a group member icontains a valuegxik_{. According to Definition 1 a} verifier obtains the signer’s pseudonym. In order to provide anonymity the verifier must not be able to distinguish which temporary public key gxi _{corresponds to the obtained} signer’s pseudonym. Considered thaty is the tracing trapdoork, the distributionD01from

the experimentExpsddh_As −b(l)consists of public keys and pseudonyms of all group mem-bers. Intuitively, if an adversary is able to distinguish betweenD0₁andD0₀then it is able to distinguish which pseudonym corresponds to which temporary public key.

4.2 Parameters

All computations in our scheme are performed in the cyclic subgroupG :=< g, p, q >

of the multiplicative groupZ_p∗with generatorgand prime orderq, such thatq|(p−1). In our scheme we use a NIZK proof system(P,V)with arandom oracle Ras described in Section 4.1 and a publicly known strong collision-resistant hash functionH : {0,1}∗ _→ Zp. We assume that members agree on the description ofG,RandH before they begin

with the setup procedure. All protocols and algorithms of our scheme implicitly know the description ofGandR.

Every participantiis equipped with an identity certificate that contains its authenticated public keypkeyi. The corresponding private keyskeyiis known only to this participant. We assume that the key pair(pkeyi,skeyi)is used by memberito authenticate his messages during the setup protocol. Each secret signing keyskiconsists of the member’s temporary private keyxi and thetracing trapdoorkthat is known only to the group members. For simplicity the identityidi of memberiis given by its temporarypublic keyyi, such that

yi←gxi, henceID :={y0, y1}. The pseudonympsiof memberiis a tuple(bk,y˜i), where

bk←gk_{is theblinded common tracing trapdoor, andy˜}

i←yki is itspseudonym token. 4.3 Protocols and Algorithms

Member0 Member1

x0

$

←Zq; y0 ←gx0 x1

$

←Zq; y1←gx1

−

(y0,Sigskey 0(y0))

−−−−−−−−−−−−−→−

← −

(y1,Sigskey 1(y1))

−−−−−−−−−−−−−− k←yx0

1 ; bk←g

k _k←yx1

0 ;bk←g k

∀i= 0,1 : ˜yi←yki, psi:= (bk,y˜i) ∀i= 0,1 : ˜yi←yki, psi:= (bk,y˜i) ID:={y0, y1}; PS:={ps0,ps1}; ID:={y0, y1}; PS:={ps0,ps1};

sk0:= (x0, k,ps₀); sk1:= (x1, k,ps₁);

Fig. 2.ProtocolSetupwithn:= 2

signature scheme using its private keyskeyi, denoted_Sigskey i

(), and is verified by every recipient. For simplicity we omit the indication of the verification procedure.

In the beginning of the protocol both participants 0 and 1 choose own temporary key pairs

(x0, y0) and(x1, y1), respectively, exchange the temporary public keys in an authentic

manner and compute the tracing trapdoorkas a secret shared key according to the authen-ticated Diffie-Hellman key agreement. Every member blinds the tracing trapdoor tobkand computes the pseudonym tokensy˜0andy˜1. In order to allow third parties to verify

signa-tures, the setsIDandPShave to be made public in an authentic manner such that no third party can relate any ps_i ∈ PStoidi ∈ IDfor the samei. For this purpose the order of pseudonyms inPSmust be randomized, denotedPS :=$ {ps₀,ps₁}. A simple possibility to provide authenticity ofIDandPSis that one member, w.l.o.g. member 0, publishes the computed sets signed withskey0and member 1 verifies the correctness of the published sets

and complains upon any inconsistency. If no complains occur thenIDandPSare authentic. Remark 2. To simplify the security proof we assume that published setsIDandPSremain correct during the whole lifetime of the scheme.

AlgorithmsSign,Verify,Trace: AlgorithmsSign,Verify, andTracein Figure 3 allow mem-bers to generate and verify signatures and trace signer’s identities according to Definition 1. The signeriuses its secret signing keyski to generate a signature on a messagem. It hashes the messagemwith a random stringrto obtainh, and computesz←hxi_{, wherex}

Sign(ski, m): Verify(σ, m,PS):

Parseskias(xi, k,psi); Parsepsias(bk,y˜i); Parseσas(r, z,ps, π); Parsepsas(bk,y˜);

r←$ Zp;h

$

←H(m, r);z←hxi_{; Ifps6∈PSthen return⊥EndIf;} π←$ P(R, h, bk, z,y˜i, xi); h

$

←H(m, r);

σ:= (r, z,psi, π); returnσ; IfV(R, h, bk, z,y, π˜ ) = 1then returnps

else return⊥EndIf;

Trace(σ, m,sk,PS,ID):

IfVerify(σ, m,PS) =⊥then return⊥EndIf;

Parseσas(r, z,ps, π); Parsepsas(bk,y˜); Parseskas(x, k,ps0);y←y˜1/k_;

Ify∈IDthen returnyelse return⊥EndIf;

Fig. 3.AlgorithmsSign, Verify, Trace

4.4 Security Analysis

Let(P,V)be an adaptive1NIZK proof system for the equality of two discrete logarithms in the random oracle model, and let2−LDGS = (Setup,Sign,Verify,Trace)be a two-party linkable democratic group signature scheme from our construction in Section 4.3.

Theorem 2. The two-party linkable democratic group signature scheme2−LDGSis cor-rect.

Proof. According to Definition 2 we have to show that

Verify(σ, m,PS) =psi∧Trace(σ, m,skj,PS,ID) =idi

for all l, n ∈ N, (ID,PS,SK) ∈ [Setup(l, n)], ski,skj ∈ SK, idi ∈ ID, psi ∈ PS,

m ∈ {0,1}∗_{, andσ} $

← Sign(ski, m). The proof of the correctness is obvious from the constructions given in figures 2 and 3. The signature can be parsed asσ = (r, z,ps_i, π). After the verification of the pseudonym (i.e.,ps_i∈PS) and of the proofπ, the pseudonym ps_i is returned by the verification algorithm. The tracing algorithm checks first whether the signatureσis verifiable. This step ensures also the validity of the pseudonymps_i. The computation of the identity yi ← y˜

1/k

i from the pseudonym tokeny˜i is valid according to the constructiony˜i ←yki. The identityidiis returned by the tracing algorithm after its verification (i.e.,idi∈ID). Thus,2−LDGSis correct.

In the following we prove anonymity and traceability of our linkable democratic group signature scheme in the random oracle model.

Theorem 3. The two-party linkable democratic group signature scheme2−LDGSis anony-mous in the random oracle model assuming that (P,V)is an adaptive NIZK proof sys-tem for the equality of two discrete logarithms and that the SDDH assumption holds in G=< g, p, q > .

Proof (Sketch).The complete proof is given in Appendix C.1. To prove the anonymity of

2−LDGS in the random oracle model we suppose thatHis a random oracle and show that for any polynomial time adversaryAagainst the anonymity property it is possible to construct a polynomial time distinguisherD against the zero-knowledge property of the NIZK proof system(P,V)(i.e.,D distinguishes between simulated and real proofs), and adversaryAsthat is able to break the SDDH assumption, such that for alll∈N

Advanon_A (l,2)<2Adv_Dzk(l) + 2Advsddh_As (l) + 2

poly(l)

Obviously,Advanon_A (l,2)is negligible in terms of the negligibility of a two-argument func-tion. Hence,2−LDGSis anonymous.

1

Theorem 4. The two-party linkable democratic group signature scheme2−LDGSis trace-able in the random oracle model assuming that(P,V)is an adaptive NIZK proof system for the equality of two discrete logarithms and that the Computational Diffie-Hellman (CDH) assumption holds inG=< g, p, q >.

Proof (Sketch).The complete proof is given in Appendix C.2. To prove the traceability of

2−LDGS in the random oracle model we suppose thatH is a random oracle and show that for any polynomial time adversaryAagainst the traceability property it is possible to construct a polynomial time adversaryActhat is able to break the CDH [6] assumption in the random oracle model, such that for alll∈_N

Advtrace_A (l,2)<2Advcdh_Ac(l) + 3

poly(l)

Obviously, Advtrace_A (l,2) is negligible in terms of the negligibility of a two-argument function. Hence,2−LDGSis traceable.

5

Extension to a Multi-Party Linkable Democratic Group Signature

Obviously, the tracing process in2−LDGSis trivial, because one member upon receiving a signature which it has not generated immediately knows that another member is the signer, i.e., the execution of the tracing algorithm is not required. However, tracing becomes more interesting in a multi-party case. Our2−LDGSscheme can be immediately extended to a multi-party case using the idea proposed for democratic group signatures in [20]. The clue is to replace an authenticated Diffie-Hellman protocol in the computation of the tracing trapdoor by an authenticated Diffie-Hellman based group key agreement protocol. Amongst so-calledcontributory group key agreement(CGKA) protocols there exists protocols like [14] and [17] where each membericontributes its temporary public keyyi =gxifor the interactive computation of the secret shared keyk(common tracing trapdoor). To keep the extendedn−LDGSscheme secure the applied CGKA protocol should satisfy the security requirements stated in [14]. For some practical details and comparison of known CGKA protocols we refer to [1]. Note that the algorithms Sign,Verify andTraceof 2−LDGS remain unchanged in2−LDGS becausexi, andkare part of the secret signing keyski, andy˜ican still be computed asyik.

6

Conclusion

In this paper we have proposed a model for linkable democratic group signatures that can be applied in communication scenarios for groups where a centralized control by a trusted au-thority is undesirable and the anonymity of the signer is required only against non-members while other group members have rights to trace and identify the signer. By the assignment of a unique pseudonym to every group member any non-member verifier is able to com-municate with the anonymous signer from the group.

References

1. Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik. On the performance of group key agreement protocols.ACM Transactions on Information and System Security, 7(3):457–488, 2004. 2. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal

defini-tions, simplified requirements, and a construction based on general assumptions. InAdvances in Cryptology (EUROCRYPT 2003),Lecture Notes in Computer Science, volume 2656, pages 614–629. Springer-Verlag, 2003.

4. M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case of dynamic groups. InCT-RSA, Lecture Notes in Computer Science, volume 2656, pages 136–153. Springer-Verlag, 2005.

5. A. Bender, J. Katz, and R. Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. InTheory of Cryptography Conference 2006 (to appear), Lecture Notes in Computer Science. Springer-Verlag, 2006.

6. D. Boneh. The Decision Diffie-Hellman problem. InANTS-III: Proceedings of the Third Inter-national Symposium on Algorithmic Number Theory, pages 48–63. Springer-Verlag, 1998. 7. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. InAdvances in Cryptology—

CRYPTO 2004, volume 3152 ofLecture Notes in Computer Science, pages 41–55. Springer-Verlag, 2004.

8. J. Camenisch and J. Groth. Group signatures: Better efficiency and new theoretical aspects. In

SCN, Lecture Notes in Computer Science, volume 3352, pages 120–133. Springer-Verlag, 2004. 9. J. Camenisch and M. Michels. A group signature scheme with improved efficiency. In Pro-ceedings of the International Conference on the Theory and Applications of Cryptology and Information Security, pages 160–174. Springer-Verlag, 1998.

10. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. InProceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology, Lecture Notes in Computer Science, volume 1294, pages 410–424. Springer-Verlag, 1997.

11. D. Chaum and E. van Heyst. Group signatures. InAdvances in Cryptology (EUROCRYPT 1991),Lecture Notes in Computer Science, volume 547, pages 257–265. Springer-Verlag, 1991. 12. U. Feige, D. Lapidot, and A. Shamir. Multiple non-interactive zero knowledge proofs under

general assumptions.SIAM Journal on Computing, 29(1):1–28, September 1999.

13. E.-J. Goh and S. Jarecki. A signature scheme as secure as the Diffie-Hellman problem. In Ad-vances in Cryptology - EUROCRYPT 2003, volume 2656 ofLecture Notes in Computer Science, pages 401–415. Springer-Verlag, 2003.

14. J. Katz and M. Yung. Scalable protocols for authenticated group key exchange. InAdvances in Cryptology (CRYPTO 2003),Lecture Notes in Computer Science, volume 2729 ofLecture Notes in Computer Science, pages 110–125. Springer-Verlag, 2003.

15. A. Kiayias, Y. Tsiounis, and M. Yung. Traceable signatures. InAdvances in Cryptology (EURO-CRYPT 2004), volume 3027 ofLecture Notes in Computer Science, pages 571–589. Springer-Verlag, 2004.

16. A. Kiayias and M. Yung. Group signatures with efficient concurrent join. InAdvances in Cryptol-ogy - EUROCRYPT 2005, volume 3494 ofLecture Notes in Computer Science, pages 198–214. Springer-Verlag, 2005.

17. Y. Kim, A. Perrig, and G. Tsudik. Tree-based group key agreement. ACM Transactions on Information and System Security, 7(1):60–96, 2004.

18. J. K. Liu, V. K. Wei, and D. S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). InInformation Security and Privacy: 9th Australasian Con-ference, ACISP 2004., volume 3108 ofLecture Notes in Computer Science, pages 325–335. Springer-Verlag, 2004.

19. A. Lysyanskaya, R. L. Rivest, A. Sahai, and S. Wolf. Pseudonym systems. InProceedings of the 6th Annual International Workshop on Selected Areas in Cryptography, pages 184–199. Springer-Verlag, 2000.

20. M. Manulis. Democratic Group Signatures (On an Example of Joint Ventures - Fast Abstract). In

Fast Abstracts Proceedings of ACM Symposium on Information, Computer and Communications Security (ASIACCS’06). ACM Press, 2006. Full version at: http://eprint.iacr.org/2005/446. 21. R. L. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. InASIACRYPT ’01: Proceedings of

the 7th International Conference on the Theory and Application of Cryptology and Information Security, volume 2248 ofLecture Notes in Computer Science, pages 552–565. Springer-Verlag, 2001.

A

Adaptive Non-Interactive Zero-Knowledge Proof Systems in the

Random Oracle Model

For the security proof of our scheme we use an adaptive non-interactive zero-knowledge (NIZK) proof system of membership inN P languages as part of sign and verify algo-rithms. In the following we give a short description of such proof systems in the random oracle model. Our description is similar to the description of adaptive NIZK proof systems in the common reference string model as presented in [12] and [22].

We start with the description of the binaryN Prelationρ:{0,1}∗_{× {0,1}}∗_{. It is required}

that the membership of(x, w)∈ρis decidable in polynomial time and that there exists a polynomialpoly, such that|w| ≤ poly(|x|). Let valuel ← |x|be the security parameter for the hardness ofρ. The valuexis called atheorem, andwitswitness. For any suchN P relationρthere exists an associatedN Planguage

Lρ={x|∃w: (x, w)∈ρ}.

A non-interactive (NI) proof system forN P languages consists of two polynomial time algorithmsPandV, where proving algorithmPis randomized and verifying algorithmV deterministic. Both algorithms have access to therandom oracle R: {0,1}∗ _{→ {0,1}}∞

from the family of random oracles, denoted2∞. On input a random oracleR, a theoremx, and its witnessw, such that(x, w)∈ρ, algorithmPoutputs a non-interactive proofπof the membership ofx∈Lρwith respect toR. The input to the algorithmVis a random oracle R, a theoremxand a proofπ.Vverifies whetherπis a correct proof for the membership of

x∈Lρand outputs either 1 or 0 (1 ifVaccepts the proof). NI proof systems must satisfy the requirements oncompleteness(ifx∈Lρthen proofπcomputed byPmust be accepted byV) andsoundness(ifx6∈Lρthen for any proving algorithmP∗ the probability thatV accepts its proofπis negligible).

Non-interactive zero-knowledge (NIZK) proof systems have additionally azero-knowledge requirement, which involves the existence of the probabilistic polynomial time algorithm S, called asimulator. The input to the simulatorSis the theoremx(equivalent to the input toP andV), however, without its associated witness w. The output ofS consists of the simulation of the random oracle2 _R0_{and the simulated non-interactive proofπ}0_{, such that}

algorithmVacceptsπ0ifx∈Lρ. Another part of the requirement is that the simulated ran-dom oracle and simulated non-interactive proofs must be computationally indistinguishable from the real random oracle and the real proofs computed byP.

AdaptiveNIZK proof systems strengthen the notion of NIZK proof systems in two ways. The soundness requirement is changed so that any proving algorithm P∗ is allowed to choose a theoremx 6∈ Lρ after having access to the random oracleRand thatVstill ac-cepts its proofs only with negligible probability. For the zero-knowledge requirement the simulatorShas to output the simulation of the random oracle before it is given a theoremx, for which it has then to simulate the non-interactive proofπ0. For this purpose we assume that the simulator operates in two stages,generateandprove, as shown in Definition 6. In the stagegenerateSoutputsR0. In the stageprovethe simulator is given the theoremx, and has to output the simulated proof.

Definition 6 (An Adaptive NIZK Proof System).An adaptive non-interactive zero-know-ledge proof system for a N P language Lρ is given by two polynomial time algorithms

(P,V)if there exists a polynomial poly such that the following conditions are satisfied:

2

Since random oracle is an infinite object the simulator cannot output it directly. Bellare et. al.

1. Completeness:∀(x, w)∈ρ,∀l∈N,|x| ≤l

Pr[R←$ 2∞;π←$ P(R, x, w) :V(R, x, π) = 1] = 1

2. Soundness:∀P∗,∀l∈N,|x| ≤l

Pr[R←$ 2∞; (x, π)←$ P∗(R) :V(R, x, π) = 1∧x6∈Lρ]<

1

poly(l)

3. Zero-Knowledge: Let S and D be two algorithms. Consider the following experiments where D may query a black-box oracleProve()on any(x, w)∈ρ:

Expzk−1

D (l): Exp

zk−0 D (l):

R←$ 2∞; R0←$ S(generate, l);

d←$ DProve(·,·)(R); d←$ DProve(·,·)(R0);

returnd; returnd;

Prove(x, w): Prove(x, w):

π←$ P(R, x, w); π0←$ S(prove,R0, x); returnπ; returnπ0;

We require that there exists a polynomial time simulator S such that for any polynomial time distinguisher D the following is negligible inl:

Advzk_D(l) = Pr[Expzk_D−1(l) = 1]−Pr[Expzk_D−0(l) = 1] (2)

Advzk_D(l)denotes the advantage of D in distinguishing the real experimentExpzk_D−1(l)

from the simulated experimentExpzk_D−0(l). (Note that inExpzk_D−1(l)oracleProve()

contains the proving algorithm P, whereas inExpzk−0

D (l)it contains the simulator S.)

This definition of the advantage function is intuitively equivalent to the requirement of in-distinguishability between random oracles and their simulation, and between real proofs and simulated proofs. The output bitdof the distinguisher Dis a guess of the environ-ment (experienviron-ment) in which it is running, either simulated (d = 0) or real (d = 1). The experiments in the zero-knowledge part of the definition represent theadaptive indistin-guishabilitytest from [12].

According to [12] and [22] an adaptive NIZK proof system exists for anyN P language

Lρunder the assumption that one-way trapdoor permutations exist for the associatedN P relationρ.

The N P relation ρwhich is used in our construction can be formally described as ρ :

G4×Zqwith

(x, w)∈ρ⇐⇒x:= (g0, g1, y0, y1),{gi, yi} ∈G, i∈ {0,1}∧w:= logg0(y0) = logg1(y1),

and the associatedN Planguage isLρ:={x|∃w: (x, w)∈ρ}.

B

SDDH assumption

B.1 Proof of Theorem 1 (SDDH⇔DDH)

The proof of equivalence of both assumptions consists of two reductions, SDDH≤DDH and DDH ≤SDDH. LetExpddh−b

A (l)denote the experiment where a polynomial time distinguisher A tries to distinguish between two distributions D0 = (g, gx, gy, gr) and

D1 = (g, gx, gy, gxy)withx, y, r ∈ Zq, i.e.,Atries to break the DDH assumption [6] by guessing which distributionDbit has received. ByAdvddh_A (l) = Pr[Expddh_A −1(l) =

1]−Pr[Expddh_A −0(l) = 1]we denote the success probability ofA. The hardness of the DDH assumption requires thatAdvddh_A (l)is negligible.

The reduction SDDH≤DDH is trivial:AsreceivesD0_b= (g, gx0_{,. . .,g}xn−1_,gy_,gs0_{,. . .,g}sn−1₎

where for allj ∈[0, n−1]sj is either a random value fromZq (caseb= 0) or a product

xjy(caseb= 1);Aspicksi $

← {0, . . . , n−1}, and passes the tupleDb = (g,gxi,gy,gsi) over toAin the experimentExpddh−b

A (l). The output ofAis also the output ofAs. In the following we show that for anyAsbeing able to break the SDDH assumption, one can construct a polynomial time distinguisherAagainst the DDH assumption (Figure 4), such that∀l ∈N:Advddh_A (l) =Advsddh_As (l).AusesAsas a black-box. The input toAis

A(g, gx, gy, gs):

n←$ N; Fori= 1ton−1doui

$

←ZqEndFor;

Db0 := (g,(gx)u0,(gx)u1, . . . ,(gx)un−1, gy,(gs)u0,(gs)u1, . . . ,(gs)un−1);

d←$ As(D0b);

returnd;

Fig. 4.Construction of the distinguisherA(DDH≤SDDH)

a distributionDbfrom experimentExpddh_A −b(l). In caseb = 0valuesis a random value fromZq, whereas in caseb= 1it equals to the productxy.Aextends the distributionDbto a distributionD_b0 by picking random valuesui

$

←Zqfor alli∈[0, n−1]and using them as exponents forgx_andgs_{, i.e., computing the valuesg}xui _andgsui_{, such thatsu}

iis either a random value fromZqor the productxyuidepending on the initial value forb. The SDDH distributionD0_bis then passed over toAsthat outputs bitd, which is also the output ofA. In case thatsis a random value fromZq the distributionD0bis indistinguishable from the distributionD₀0 inExpsddh−b

As (l)in Definition 5 because the valuesg

xui_andgsui_are indis-tinguishable for anyi∈[0, n−1]. In case thatsis a productxythe distributionD0_bis indis-tinguishable from the distributionD01since the same dependencies betweengxuiandgsui

are preserved. It is obvious, thatAguesses correctly the distributionDbit has been given, exactly whenAs guesses correctly the distributionD0

b it has received fromA, i.e., if As wins in the experimentExpsddh−b

As (l), no matter whatbis. In the following we compute the advantage ofA, i.e.,Advddh_A (l) = Pr[Expddh_A −1(l) = 1]−Pr[Expddh_A −0(l) = 1], where

Pr[Expddh_A −1(l) = 1] = Pr[As(D0₁) = 1]andPr[Expddh_A −0(l) = 1] = Pr[As(D0₀) = 1].

Considering that Pr[As(D0₁) = 1] = Pr[Expsddh−1

As (l) = 1]and Pr[As(D

0

0) = 1] =

Pr[Expsddh−0

As (l) = 1]with Equation (1) we obtain: Advddh_A (l) = Pr[Expsddh−1

As (l) = 1]−Pr[Exp

sddh−0

As (l) = 1] =Adv

sddh

C

Security Proof of

2

−LDGS

C.1 Proof of Theorem 3 (Anonymity)

By the assumption(P,V)is an adaptive NIZK proof system for the equality of two discrete logarithms (Definition 6), and setsIDandPSremain correct after being published in the Setupprotocol (Remark 2), such that∀yi∈ID,psi ∈PS:psi= (bk,y˜i)∧bk =gk∧y˜i=

yk i.

We show that for any polynomial time adversaryAbeing able to attack the anonymity of

2−LDGS it is possible to construct a polynomial time distinguisherDthat distinguishes between simulated and real proofs, and an adversaryAsthat is able to break the SDDH assumption (Definition 5) in the random oracle model, such that for alll∈_N

Advanon_A (l,2)<2Adv_Dzk(l) + 2Advsddh_As (l) + 2

poly(l) (3)

By the assumption on the security of(P,V)and SDDH, all advantage functions on the right side are negligible, and so is the function on the left. Thus,Advanon_A (l,2)is negligible in terms of negligibility of a two-argument function, and it follows that2−LDGSis anony-mous. Besides the random oracleRAcan query oracleH(for the hash functionHfrom algorithmsSignandVerify) on tuples of the form(r, m).

THE DISTINGUISHER FOR ZERO-KNOWLEDGE. The distinguisherD(Figure 5) starts by initialising the scheme withSetupprotocol that it performs for both members 0 and 1.D

chooses the description of_G:=< g, p, q >. The random oracleRis supplied toDby the environment in which it is run, so that it can be either simulated or real. All new queries of Ato the random oracleHare answered by D at random. AfterD has initialised the scheme it runsAagainst the anonymity of2−LDGS.D passes the tuple(G,R,PS,ID)

over toA. In thechoosestageAoutputs a messagem.D computes the signatureσb on

musing a secret signing keyskb for a randomb ← {$ 0,1}as follows. First,D computes valuesr,handz according toSignalgorithm, and then queries black-boxProve on the tuple((h, bk, z,y˜b), xb), and obtains a proofπfor logh(z) = logbk(˜yb), which is either simulated or real depending on the environment in whichDis running.D includesπin

σb. In theguessstageAmay query oracle Sign∗ on any messagem∗ of its choice. The oracle answers with the signatureσb∗ onm∗ computed asσ_b above. At the end of the

stageAoutputs bitd. The output ofDis 1 ifd =band 0 otherwise. In the following we compute the advantage ofDin breaking the zero-knowledge property of(P,V,S)according to Equation (2).

First, we consider experimentExpzk−1

D (l). In this experiment the random oracleRis real andπis computed by the real proving algorithmP. Thus,σbperfectly emulates the signa-ture returned by the signing algorithmSign.Doutputs 1 wheneverAis able to distinguish between these signatures. We write A(guess)for the outcome of the guess stage ofA, whenσbis a perfectly emulated signature. In the following we compute the probability of Ddistinguishing its environment for this case, i.e. ouputting 1:

Pr[Expzk_D−1(l) = 1] = Pr[A(guess) = 1|b= 1]Pr[b= 1] + Pr[A(guess) = 0|b= 0]Pr[b= 0]

=1

2Pr[Exp anon−1

A (l,2) = 1] +

1

2Pr[Exp anon−0

A (l,2) = 0]

=1

2Pr[Exp anon−1

A (l,2) = 1] +

1

2(1−Pr[Exp anon−0

A (l,2) = 1])

=1 2 +

1

2(Pr[Exp anon−1

A (l,2) = 1]−Pr[Exp

anon−0

A (l,2) = 1])

=1 2 +

1 2Adv

anon

A (l,2)

Secondly, we consider experimentExpzk−0

D (l). In this experimentDis running in the sim-ulated environment, i.e., the random oracle Rand proofπare produced by the simulator

S. Thus,σis a signature-like looking tuple. We classify these tuples into two distributions

Eb,b={0,1}, depending on the pseudonympsbthat is part ofσb.Doutputs 1 whenever

Ais able to distinguish between these signature-like looking tuples. We writeA(E0)and

A(E1)for the outcome of theguessstage ofA, whenσbis sampled from distributionE0

andE1, respectively.

Pr[Expzk_D−0(l) = 1] = Pr[A(E1) = 1]Pr[b= 1] + Pr[A(E0) = 0]Pr[b= 0]

=1

2(Pr[A(E1) = 1] + Pr[A(E0) = 0])

(5)

In order to estimate this probability precisely we relate it to the probability of breaking the SDDH assumption by the adversaryAsthat usesA, assuming thatAis able to distinguish between signatures sampled fromEb. The construction of suchAsis given in Figure 5 and described in the following.

ADVERSARY AGAINSTSDDHASSUMPTION. The idea is to constructAsthat challenges

Aon signature-like looking tuples from distributionsEb,b={0,1}. According to experi-mentExpsddh−b

As (l)from Definition 5Asis given a distributionD

0 _{= (g,g}x0_,gx1_,gy_,gs0_,gs1_),

such thatsi,i∈ {0,1}is either a random value fromZq or equals to the productxiy.As knows the description ofG:=< g, p, q >from the environment that has producedD’.As obtains random oracleRfrom the simulator’sSgeneratestage, definesyi ←gxi,bk←gy (unknownyis considered to be the tracing trapdoork) andy˜i ←gsi, and passes the tuple

(_G,R,PS,ID)over toA.AssimulatesHby answering any new query ofAat random. In order to compute the signature-like looking tuple from distributionEbadversaryAsselects

r, u ←$ Zq, computesh ← bkuandz ← y˜ub, obtains fromS the simulated proofπfor

logh(z) = logbk(˜yb), setsH(r, m)tohand returnsσb := (r, z,psb, π)toA. In theguess stageAmay query oracleSign∗on any messagem∗_{of its choice. The oracle answers with}

the signatureσb∗ onm∗computed asσ_babove. At the end of the stageAoutputs bitd. The

output ofAsis 1 ifd=band 0 otherwise. In the following we compute the advantage of

Asin breaking the SDDH assumption according to Equation (1).

First, we consider experimentExpsddh−1

As (l). In this experimentAsreceives distribution D0 = (g,gx0_,gx1_,gy_,gx0y_,gx1y_{), hencey˜}

i = yik holds. The signature σb thatAspasses over toAcontains real value forpsbbut simulated proofπ, and is therefore sampled from distributionEb.Asoutputs 1 wheneverAis able to distinguish between these signatures-like looking tuples. In the following we compute the probability ofAsbreaking the SDDH assumption in this case, i.e.,Expsddh_As −1(l)outputs 1:

Pr[Expsddh_As −1(l) = 1] = Pr[A(E1) = 1]Pr[b= 1] + Pr[A(E0) = 0]Pr[b= 0]

= 1

2(Pr[A(E1) = 1] + Pr[A(E0) = 0])

With Equation (5) we obtain:

Pr[Expsddh−1

As (l) = 1] = Pr[Exp

zk−0

D (l) = 1] (6)

Secondly, we consider the experimentExpsddh_As −0(l). In this experimentAsreceives dis-tributionD0 = (g,gx0_,gx1_,gy_,gr0_,gr1_{), wherer}

looking tuples we specify further two distributionsE0

b,b={0,1}.Asoutputs 1 whenever

Ais able to distinguish between signature-like looking tuples sampled fromE_b0. We write

A(E₀0)andA(E₁0)for the outcome of theguessstage ofA, whenσis sampled from dis-tributionE₀0 andE0₁, respectively. Since signatures ofE_b0 consist of all random values and simulated proofsAcan distinguish them only with a probability that is negligibly greater than that of a random guess. Hence,

Pr[Expsddh−0

As (l) = 1] = Pr[A(E

0

1) = 1]Pr[b= 1] + Pr[A(E 0

0) = 0]Pr[b= 0]

= 1

2(Pr[A(E 0

1) = 1] + Pr[A(E00) = 0])

< 1

2

₁

2 + 1

poly(l)+ 1 2 +

1

poly(l)

= 1 2+

1

poly(l)

(7)

DistinguisherDProve(·,·)(R, l): AdversaryAs(D0):

ChooseG:=< g, p, q >;(ID,PS,SK)←$ Setup(l,2); ParseD0as(g, gx0_{, g}x1_{, g}y_{, g}s0_{, g}s1_{); GetG:=< g, p, q >;}

(St, m)←$ AH(·,·)

(choose,G,R,PS,ID); R←$ S(generate, l);bk←gy;

b← {$ 0,1}; ∀i∈ {0,1}:yi←gxi,y˜i←gsi,psi:= (bk,y˜i);

r←$ Zp;h

$

←H(r, m);z←hxb_{; ID:={y}

i};PS

$

:={ps_i}; π←$ Prove((h, bk, z,y˜b), xb); [black-box query] (St, m)

$ ←AH(·,·)

(choose,G,R,PS,ID); σb:= (r, z,psb, π);d

$

←ASign∗(·), H(·,·)

(guess,St, σb); b

$ ← {0,1};

Ifd=bthen return1else return0EndIf; r←$ Zp, untilH(r, m)has not been previously queried;

u←$ Zq;h←bku;z←y˜bu; defineH(r, m) :=h;

π←$ S(prove,(h, bk, z,y˜b)); [note,logh(z) = logbk(˜yb)]

σb:= (r, z,psb, π);d

$

←ASign∗(·), H(·,·)₍

guess,St, σb);

Ifd=bthen return1else return0EndIf;

Fig. 5.DistinguisherDand adversaryAs

PUTTING IT ALL TOGETHER. In the following we show how to relate the probabilities for the outcome of experiments described above with the advantage ofAin breaking the anonymity of2−LDGS. We start with the advantage of distinguisherDaccording to Equa-tion (2):

Advzk_D(l) = Pr[Expzk_D−1(l) = 1]−Pr[Expzk_D−0(l) = 1]

With Equations (4) and (6) we get:

Advzk_D(l) =1 2 +

1 2Adv

anon

A (l,2)−Pr[ExpsddhAs −1(l) = 1]

Now, we add to both sides of the above equation the left side of Equation (7) and transform it:

Advzk_D(l) + Pr[Expsddh_As −0(l) = 1]

= 1 2+

1 2Adv

anon

A (l,2)−(Pr[ExpAssddh−1(l) = 1]−Pr[Exp

sddh−0

With Equation (1) and additional transformations we get:

Advanon_A (l,2) = 2Advzk_D(l) + 2Advsddh_As (l) + 2Pr[Expsddh−0

As (l) = 1]−1

We obtain the desired inequality using (7):

Advanon_A (l,2)<2Adv_Dszk (l) + 2Advsddh_As (l) + 2

₁

2 + 1

poly(l)

−1

= 2Advzk_D(l) + 2Advsddh_As (l) + 2

poly(l)

C.2 Proof of Theorem 4 (Traceability)

By the assumption(P,V)is an adaptive NIZK proof system for the equality of two discrete logarithms, and setsIDandPSremain correct after being published in theSetupprotocol, such that∀yi∈ID,psi∈PS:psi= (bk,y˜i)∧bk =gk∧y˜i =yki.

We show that for any polynomial time adversary Aagainst the traceability of2−LDGS it is possible to construct a polynomial time adversaryAc that is able to break the CDH assumption ([6]) in the random oracle model, such that for alll∈N

Advtrace_A (l,2)<2Advcdh_Ac(l) + 3

poly(l). (8)

All functions on the right side are negligible, and so is the function on the left. Thus, Advtrace_A (l,2)is negligible in terms of negligibility of a two-argument function, and it fol-lows that2−LDGSis traceable.

LetAbe a traceability adversary against2−LDGSand letIDcbe a set of identities of mem-bers corrupted byAduring its attack.Awins the traceability experiment, i.e.,Exptrace_A (l) = 1, if it returns(σ, m)according to

Case 0: Verify(σ, m,PS) =psandTrace(σ, m,PS,sk) =⊥or

Case 1: Verify(σ, m,PS) =psandTrace(σ, m,PS,sk) =idandid6∈IDcand Sign(·,·)was not queried on(id, m)

With respect to the construction of2−LDGSAwins in the traceability experiment if it can produce forgeries of the following types.

TYPE 0. The forgery is given by (σ = (r, z,ps, π), m)where ps = (bk,y˜) such that case 0 is occured, i.e., Verify(σ,m,PS) = ps andTrace(σ, m,PS,sk) = ⊥. According to algorithm Tracein Figure 3 case 0 can only occur ify = ˜y1/k _{andy 6∈ ID. By the} assumption that setsIDandPSremain correct after being published in theSetupprotocol the probability that such y exists is negligible, thus for any security parameterl we can bound the probability that A produces a forgery of type 0 (event is denoted by F0) as

follows:

Pr[F0] = Pr[∃y6∈ID∃ps= (bk,y˜)∈PS: ˜y=yk]< 1

poly(l) (9)

In case 1 we distinguish between the following two types of a forgery(σ= (r, z,ps, π), m):

Aproduces a forgery of type 1 (event is denoted byF1) for any security parameterl as

follows:

Pr[F1] = Pr[Aoutputs(σ, m), σ= (r, z,ps, π), ps= (bk,y˜), h←H(m, r) :

V(R, h, bk, z,y, π˜ ) = 1 and logh(z)6= logbk(˜y)]<

1

poly(l) (10)

TYPE 2. The forgery is given by(σ = (r, z,ps, π), m)according to case 1 whereps = (bk,y˜)withV(R, h, bk, z,y, π˜ ) = 1andlog_h(z) = log_bk(˜y).

LetExpcdh_Ac(l)denote the experiment where a polynomial time adversaryAcgiven a tuple

(ga_{, g}b_{)witha, b∈}

Zq tries to computegab, and lets say succeeds ifExpcdh_Ac(l)returns 1. Obviously,Atries to break the CDH assumption [6]. ByAdvcdh_Ac(l) = Pr[Expcdh_Ac(l) = 1]

we denote the success probability ofA. The hardness of the CDH assumption requires that Advcdh_Ac(l)is negligible.

In the following we show that for any polynomial time adversaryAbeing able to construct forgeries of type 2 (event is denoted byF2) there exists a polynomial time adversaryAc

against the CDH assumption in the random oracle model, such that for anyl∈_N

Pr[F2]<Advcdh_Ac(l) + 1

poly(l) (11)

ADVERSARY AGAINST THE CDH ASSUMPTION. Ac in Figure 6 uses A as black-box. We show that ifAoutputs a forgery(σ, m)of type 2 according to experimentExptrace

A (l) thenAc is able to break the CDH assumption.Acis given a pair(ga, gb)and obtains the description ofG:=< g, p, q >from the environment. It obtains a random oracleRfrom

the simulator, chooses bitw, and sets the temporary public keyyw:=ga(noteAcdoes not knowxw =a). With this choiceActries to guess the identityidwthat will be returned by algorithmTraceon input the forgery(σ, m)produced byAat the end of the interaction. ThenAc generates temporary private and public keys of the second member, i.e.,x1−w andy1−w, computes the tracing trapdoorkand its blinded versionbk, and corresponding setsID,PSandSK.Ac passes the tuple(G,R,PS,ID)over toA. In its corruptstageA

is allowed to request secret signing keysski ∈ SK(note that ifskw is requested thenAc aborts, since it failed to guess the identity of a member whose signature will be forged).

A’s requests of the type(m, r)to the oracleHare handled byAcas follows. On every new queryAc picks randomd

$

← Zq, computesh ← (gb)d, saves tuple((m, r), h, d)in the history list ofH, and returnsh.A’s requests of the type(idi, m)to the signing oracleSign are answered byAcas follows. Ifidi =id1−wthenAccomputesσusing original signing algorithmSign, because the corresponding secret signing keysk1−wwas generated byAc. If, however,idi=idwthenAchas to create a signature without knowing the secret signing keyskw. For this purpose it selects randomr←$ Zp, such thatHhas not yet been queried on

(m, r), then it selects randomt←$ _Zq, computesz←ywt,h←gtand setsH(m, r) :=h, then simulates the proofπforlog_h(z) = log_bk(˜yw), and returnsσ := (r, z,psw, π). It is obvious thatScan be used to simulateπbecauselog_h(z) = log_bk(˜yw)is a valid theorem, i.e,y˜w=ykw= (ga)k=bkaandz=ywt = (ga)t=ha. At the end of stageforgeAreturns a valid forgery(σ= (r, z,ps, π), m).Actries to translate it into computinggabas follows: ifTrace(σ, m,PS,sk) = ⊥then abort, elseidi ← Trace(σ, m,PS,sk); ifidi 6=idworA

AdversaryAc(ga, gb):

GetG:=< g, p, q >;R←$ S(generate, l);

w← {$ 0,1}; yw←ga;x1−w

$

←Zq;y1−w←gx1−w;ID:={yw, y1−w};

k←yx1−w

w ;bk←gk;y˜w←ykw;y˜1−w←y1k−w;psw:= (bk,y˜w);ps1−w:= (bk,y˜1−w);PS

$

:={psw,ps1−w}; skw:= (⊥, k,ps_w);sk1−w:= (x1−w, k,ps1−w);SK:={skw,sk1−w};

RunA:

– if in thecorruptstageArequestsskwthen abort; – whenAmakes aSign-oracle query(id1−w, m)doσ

$

←Sign(sk1−w, m); returnσtoA;

– whenAmakes aSign-oracle query(idw, m)do

r←$ Zp; IfHhas already been queried on(m, r)then retry EndIf;

t←$ Zq;z←ywt;h←gt; defineH(m, r) :=h;π

$

←S(prove,(h, bk, z,y˜w)); returnσ:= (r, z,psw, π)toA;

– whenAmakes aH-oracle query(m, r)do

IfHhas already been queried on(m, r)then returnhfrom the history list toAEndIf;

d←$ Zq;h←(gb)d; defineH(m, r) :=h; save((m, r), h, d)in the history list; returnhtoA;

UntilAstops and returns(σ, m); Parseσas(r, z,psi, π);

IfTrace(σ, m,PS,sk) =⊥then abort EndIf;

idi←Trace(σ, m,PS,sk); Ifidi6=idwthen abort EndIf;

IfHhas not been queried on(m, r)then abort EndIf;

Find tupel((m, r), h, d)in the history list ofH; Returngab_←z1/d

;

Fig. 6.AdversaryAc

Trace(σ, m,PS,sk)andlog_h(z) = log_bk(˜yw)(notice this is equivalent to type 2 forgeries, i.e, eventF2), and oracleHhas been queried on(m, r)(event is denoted HQ), andAchas correctly guessedw. The probability thatAccorrectly guesseswis1/2and is independent from other events, thus we obtain:

Advcdh_Ac (l) = Pr[Expcdh_Ac(l) = 1] = 1

2Pr[F2∧HQ]

(12) Observe thatPr[F2∧HQ] = Pr[F2]−Pr[F2∧ ¬HQ].Pr[F2∧ ¬HQ]is given by the

probability thatAoutputs a forgery of type 2 without querying oracleH. Thus,Ahas to findzsuch thatz−a _{=h =H(m, r)(noteAis not in possession ofa). This probability} is negligible. With Equation (12) we obtainPr[F2∧ ¬HQ] = Pr[F2]−2Advcdh_Ac(l) < 1/poly(l).This is equivalent to

Pr[F2]<2Advcdh_Ac(l) + 1

poly(l)

(13) PUTTING IT ALL TOGETHER. Using Equations (9), (10) and (13) we can bound the advan-tage ofAas desired in Equation (8):

Advtrace_A (l,2) = Pr[Awins experimentExptrace_A (l)] = Pr[F0 or F1 or F2]

< 1 poly(l)+

1

poly(l)+ 2Adv cdh

Ac(l) +

1

poly(l)

= 2Advcdh_Ac(l) + 3