Traceable Signatures

We present, implement and apply a new privacy primitive that we call “Traceable Signatures.” To this end we develop the underlying mathematical and protocol tools, present the concepts and the underlying security model, and then realize the scheme and its security proof. Traceable signatures support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signature mechanism. We demonstrate that this extended function is needed for proper operation and adequate level of privacy in various settings and applications. For example, the new notion allows (distributed) tracing of all signatures by a single (misbehaving) party without opening signatures and revealing identities of any other user in the system. In contrast, if such tracing is implemented by a state of the art group signature system, such wide opening of all signatures of a single user is a (centralized) operation that requires the opening of all anonymous signatures and revealing the users associated with them, an act that violates the privacy of all users.

Our work includes a novel modeling of security in privacy systems that leads to simulation-based proofs. Security notions in privacy systems are typically more complex than the traditional security of cryptographic systems, thus our modeling methodology may find future applications in other settings. To allow efficient implementation of our scheme we develop a number of basic tools, zero-knowledge proofs, protocols, and primitives that we use extensively throughout. These novel mechanisms work directly over a group of unknown order, contributing to the efficiency and modularity of our design, and may be of independent interest. The interactive version of our signature scheme yields the notion of “traceable (anonymous) identification.”

Computer Science and Eng. Dept., University of Connecticut, Storrs, CT, USA, aggelos@cse.uconn.edu.
Etolian Capital, New York, NY, USA, yiannist@etolian.com. Research supported in part by NIST under grant SB1341-02-W-1113.
Computer Science Dept., Columbia University, NY, USA, moti@cs.columbia.edu.
