Practical forward secure group signature schemes

A group signature scheme allows a group member to sign messages anonymously on behalf of the group, while in case of a dispute, a designated entity can reveal the identity of a signature's originator. Group signature schemes can be used as a basic building block for many security applications such as electronic banking systems and electronic voting. Two important issues -- forward security and efficient revocation -- have not been addressed by prior schemes. We construct the first forward-secure group signature schemes. While satisfying all the security properties proposed in previous group signature schemes, our schemes provide a new desired security property, forward security: while the group public key stays fixed, a group member's signing key evolves over time such that compromise of the signing key of the current time period does not enable an attacker to forge group signatures pertaining to past time periods. Such forward security is important to mitigate the damage caused by key exposure and is particularly desirable for group signature schemes because the risk of signing key exposure escalates as the size of the group increases. Our schemes are provably secure in the random oracle model and under the strong RSA and decisional Diffie-Hellman assumptions.

Furthermore, we extend our forward-secure group signature scheme to provide a solution for the problem of group member exclusion without the need to re-key all other group members. When a group member is excluded, he should not be able to generate valid signatures any more, and yet his previous signatures remain anonymous. We provide the first solutions which support both retroactive public revocation and backward unlinkability, and in which the signature size is independent of the number of revoked members.
