Group Signatures: Provable Security, Efficient Constructions and Anonymity from Trapdoor-Holders

To date, a group signature construction which is efficient, scalable, allows dynamic adversarial joins, and proven secure in a formal model has not been suggested. In this work we give the first such construction in the random oracle model. The demonstration of an efficient construction proven secure in a formal model that captures all intuitive security properties of a certain primitive is a basic goal in cryptographic design. To this end we adapt a formal model for group signatures capturing all the basic requirements that have been identified as desirable in the area and we construct an efficient scheme and prove its security. Our construction is based on the Strong-RSA assumption (as in the work of Ateniese et al.). In our system, due to the requirements of provable security in a formal model, we give novel constructions as well as innovative extensions of the underlying mathematical requirements and properties. Our task, in fact, requires the investigation of some basic number-theoretic techniques for arguing security over the group of quadratic residues modulo a composite when its factorization is known. Along the way we discover that in the basic construction, anonymity does not depend on factoring-based assumptions, which, in turn, allows the natural separation of user join management and anonymity revocation authorities. Anonymity can, in turn, be shown even against an adversary controlling the join manager. ∗Research partly supported by NSF Career Award CNS-0447808.

[1]  Amit Sahai,et al.  Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[2]  Dan Boneh,et al.  The Decision Diffie-Hellman Problem , 1998, ANTS.

[3]  Moni Naor,et al.  Non-Malleable Cryptography (Extended Abstract) , 1991, STOC 1991.

[4]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[5]  Jan Camenisch,et al.  An Identity Escrow Scheme with Appointed Verifiers , 2001, CRYPTO.

[6]  Joe Kilian,et al.  Identity Escrow , 1998, CRYPTO.

[7]  Yiannis Tsiounis,et al.  On the Security of ElGamal Based Encryption , 1998, Public Key Cryptography.

[8]  Jan Camenisch,et al.  A Group Signature Scheme with Improved Efficiency , 1998, ASIACRYPT.

[9]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[10]  Gene Tsudik,et al.  Some Open Issues and New Directions in Group Signatures , 1999, Financial Cryptography.

[11]  Jan Camenisch,et al.  Efficient group signature schemes for large groups , 1997 .

[12]  Daniel R. Simon,et al.  Non-Interactive Zero-Knowledge Proof of Knowledge and Chosen Ciphertext Attack , 1991, CRYPTO.

[13]  Marc Joye,et al.  A Practical and Provably Secure Coalition-Resistant Group Signature Scheme , 2000, CRYPTO.

[14]  Tatsuaki Okamoto,et al.  A Practical and Provably Secure Scheme for Publicly Verifiable Secret Sharing and Its Applications , 1998, EUROCRYPT.

[15]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[16]  Jan Camenisch,et al.  Separability and Eciency for Generic Group Signature Schemes (Extended Abstract) , 1999 .

[17]  Aggelos Kiayias,et al.  Extracting Group Signatures from Traitor Tracing Schemes , 2003, EUROCRYPT.

[18]  Mihir Bellare,et al.  Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions , 2003, EUROCRYPT.

[19]  Mihir Bellare,et al.  Foundations of Group Signatures: The Case of Dynamic Groups , 2005, CT-RSA.

[20]  David Pointcheval,et al.  Threshold Cryptosystems Secure against Chosen-Ciphertext Attacks , 2001, ASIACRYPT.

[21]  Jan Camenisch,et al.  A Signature Scheme with Efficient Protocols , 2002, SCN.

[22]  Ronald Cramer,et al.  Signature schemes based on the strong RSA assumption , 2000, TSEC.

[23]  Moni Naor,et al.  Non-malleable cryptography , 1991, STOC '91.

[24]  Chanathip Namprempre,et al.  From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security , 2002, EUROCRYPT.

[25]  Hovav Shacham,et al.  Short Group Signatures , 2004, CRYPTO.

[26]  Silvio Micali,et al.  A "Paradoxical" Solution to the Signature Problem (Extended Abstract) , 1984, FOCS.

[27]  Amos Fiat,et al.  How to Prove Yourself: Practical Solutions to Identification and Signature Problems , 1986, CRYPTO.

[28]  Lidong Chen,et al.  New Group Signature Schemes (Extended Abstract) , 1994, EUROCRYPT.

[29]  Oded Goldreich,et al.  On the Foundations of Modern Cryptography , 1997, CRYPTO.

[30]  Juan A. Garay,et al.  Strengthening Zero-Knowledge Protocols Using Signatures , 2003, Journal of Cryptology.

[31]  Moni Naor,et al.  Public-key cryptosystems provably secure against chosen ciphertext attacks , 1990, STOC '90.

[32]  Adi Shamir,et al.  On the generation of cryptographically strong pseudorandom sequences , 1981, TOCS.

[33]  Ivan Damgård,et al.  Proofs of Partial Knowledge and Simplified Design of Witness Hiding Protocols , 1994, CRYPTO.

[34]  Kevin S. McCurley,et al.  A key distribution system equivalent to factoring , 1988, Journal of Cryptology.

[35]  Jan Camenisch,et al.  Efficient and Generalized Group Signatures , 1997, EUROCRYPT.

[36]  Aggelos Kiayias,et al.  Efficient Secure Group Signatures with Dynamic Joins and Keeping Anonymity Against Group Managers , 2005, Mycrypt.

[37]  Fabrice Boudot,et al.  Efficient Proofs that a Committed Number Lies in an Interval , 2000, EUROCRYPT.