
Group signatures with reduced bandwidth

S. Zhou and D. Lin

Abstract: Group signatures are generalised credential/member authentication schemes with wide applications. The membership revocation problem is a major issue of group signatures, and is often resolved through an additional protocol which encumbers the whole group signature both in computation and storage, as Camenisch et al. did to ACJT's group signature scheme (the first practical group signature based on the RSA problem, put forward by Ateniese et al. at Crypto'00) by means of a dynamic accumulator. Boneh et al. applied Camenisch et al.'s dynamic accumulator based revocation in reverse, resulting in a short group signature. We formally define the method used by Boneh et al., named the reversed dynamic accumulator in this paper, and apply it to some previous group signatures to obtain improved ones with revocation capability, reduced bandwidth (signature size) and less signature generation computation. We also address problems left unsolved in Boneh et al.'s work, e.g. how to open a group signature when the current certificate may no longer be the one stored when it was first generated.

1 Introduction

Group signatures [1] are motivated by enabling members of a group to sign on behalf of the group without leaking their own identities; but the signer's identity can be opened by the group manager when a dispute occurs, so that the signing member can take responsibility for his/her behaviour. Applications of group signatures include anonymous authentication, internet voting and bidding. But inefficiency has prevented group signatures from being widely applied in the real world.

In brief, a group signature includes at least the following five algorithms: SETUP, JOIN, SIGN, VERIFY and OPEN. SETUP is executed by a group manager (GM); JOIN is an interactive protocol between group members and GM; SIGN is an algorithm run by group members; anyone can execute VERIFY to check the validity of a given group signature; OPEN is used by GM, or by a separate 'opener' when available, to open a given signature and reveal the identity of its signer. The security requirements for a group signature have been described and formalised in [2-4] etc.

1.1 Membership revocation

Membership revocation is pointed out in [5] as a major problem preventing proposed group signatures from being widely applied in the real world.

The resolutions to the problem can be classed into two categories. One is based on a certificate revocation list (CRL), as in [6, 7]. In this category, GM generally issues a revocation list of identities (i.e. public membership keys). A group member proves in zero knowledge that his identity, encrypted in the signature, is not equal to any one in the revocation list. The drawback is that the signature size depends linearly on the size of the revocation list [6].

[7] improved the CRL based revocation resolution so that signature size and computation were constant, while the complexity of VERIFY depended linearly on the size of the revocation list. GM publishes a CRL which includes $V_i = f(\mathit{pcert}_i)$, evaluations of a one-way function $f$ on partial certificate information $\mathit{pcert}_i$ unique to each group member. In signing a message, the $j$-th member includes $R$ and $T = f'(V_j, R)$ ($f'$ is another one-way function) in the signature. Verifiers check whether $T = f'(V_i, R)$ by trying every $V_i$ in the current CRL.

Another category is based on witnesses, specifically dynamic accumulators [8, 9]. GM publishes a single accumulated value $a$, and every group member proves in zero knowledge that he knows the corresponding witness $w$ for $a$. It should be hard for users outside the group to forge such witnesses. Revocations in this category are more efficient than CRL based resolutions, but they have a common drawback: previously signed signatures might not pass the VERIFY algorithm under the current verification keys (i.e. public keys). This inconvenience can be overcome by keeping track of the public key changes and running VERIFY with the corresponding proper public key. Even in CRL based group signatures with membership revocation, verifying with the proper CRL is also important.

The following literature review and our improvements are in the witness-based category.

As far as we know, [2] plus [8] and [10] plus [9] are the only group signature schemes that have efficient revocation algorithms, constant signature size and constant verification complexity.

[8] initiated the idea of dynamic accumulators and an efficient revocation scheme for the ACJT scheme. Whenever a membership change occurs, GM publishes an accumulated value $u = u_0^{\prod_{j \in S} e_j}$ ($S$ is the set of all current members) along with the identities ($e_i$) of the changed members. [9] is in the same line as [8], in that a new dynamic accumulator from bilinear maps is proposed.

© The Institution of Engineering and Technology 2006

IEE Proceedings online no. 20055141

doi:10.1049/ip-ifs:20055141

Paper first received 1st December 2005 and in revised form 16th August 2006

The authors are with SKLOIS Lab, Institute of Software, Chinese Academy of Sciences, 100080, Beijing, People's Republic of China

E-mail: [email protected]

146 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006

Authorized licensed use limited to: KINGS COLLEGE LONDON. Downloaded on November 30, 2009 at 10:35 from IEEE Xplore. Restrictions apply.


In the same direction, [11] put forward a new group signature with membership revocation based on the q-Strong Diffie-Hellman assumption [12], with the change that the revoked members, instead of the remaining legitimate members, are accumulated, and the accumulated value is part of GM's public key; thus no additional values have to be published, in contrast to [8]. And whenever a new member is added, the system and the other members do not have to update, except that the secret keys of the new members are generated according to the current, partly updated public keys.

But they did not deal with the OPEN algorithm when such dynamic revocation is adopted, because the latest certificate of a member, such as $A_i$, may no longer be the same one stored in the registration table after group members have joined and left. So if the previous OPEN algorithms are still used, they will fail to recover the identity of the signer.

In this paper, we formally define the revocation method proposed in [11] and apply it to [2] and [10], resulting in shorter signatures than [8] and [9]. We present new OPEN algorithms for these cases and analyse their correctness.

1.2 Related work

The idea of [13], another membership revocation method for ACJT's scheme, is to keep members from updating their secret keys frequently. This idea had already been used in earlier literature, where a signer is supposed to prove that his certificate does not equal any one in the revocation list. The disadvantage is that the computation complexity and signature size are directly proportional to the number of revoked members. In fact, this is still the case in [13], where a signer is to prove knowledge of a value $e_i$ co-prime to $E$ (a published value, the product of all $e_j$ in the revocation list). In the proof of knowledge, $a, b$ satisfying $e_i a + E b = 1$ are calculated; the resulting signature includes a value $s$ whose size is proportional to $E$, i.e. to the number of revoked members.

1.3 Our contribution

We present improved schemes for [2, 8] and [9, 10], respectively. As shown in Table 1, the signature length, i.e. bandwidth, and the computation of signature generation and verification are nearly halved, at the cost of more computation in the opening algorithm, which is executed far less frequently than the other algorithms. A similar result can be concluded about our improved scheme of Section 6 and the scheme of [9, 10].

The idea behind our proposals is to reverse the secure dynamic accumulator adopted in previous group signature schemes to support membership revocation.

1.4 Organisation

We introduce the idea of the reversed dynamic accumulator in Section 2; then describe ACJT's group signature and CL's membership revocation scheme in Section 3; our proposed improvement appears in Section 4. The original scheme of [9, 10] is reviewed in Section 5, followed by our proposed improvement in Section 6.

1.5 Notations

The following notations and definitions will appear in the paper.

• $\mathrm{PK}\{(\alpha, \beta, \ldots) : R(\alpha, \beta, \ldots)\}$ denotes a proof of knowledge of values $(\alpha, \beta, \ldots)$ satisfying the relation $R(\alpha, \beta, \ldots)$.

• $\mathrm{SK}\{(\alpha, \beta, \ldots) : R(\alpha, \beta, \ldots)\}\{m\}$ denotes a signature of knowledge, a non-interactive version of the above proof of knowledge. Because of the ease of transformation between PK and SK, they might be mentioned interchangeably.

2 Dynamic accumulators

A one-way accumulator is a function mapping multiple items into a single value, and the value does not depend on the order in which the items are evaluated. It is often used in member authentication as follows: every member is given $(w_i, c_i)$; the system runs a proper one-way accumulator $f$ on every $c_i$ to get a single value $C$, where $(w_i, c_i, C)$ satisfies $f(w_i, c_i) = C$; every member authenticates himself by providing a zero-knowledge proof of knowledge of the witness $w_i$. When a new member applies to join the system, the system assigns a new $(w_j, c_j)$ to him and then updates $C$ as $C \leftarrow f(C, c_j)$; the other members' witnesses can be updated by themselves as $w_i \leftarrow f(w_i, c_j)$.

Let $f(u_0, c_i) = u_0^{c_i} \bmod n$; it is easy to see that this is a one-way accumulator with the features described above. But it has the disadvantage that if any member is to leave the system, the system has to be re-established from scratch. [8] proposed the idea of dynamic accumulators that support dynamic membership changes. It is achieved by restricting $c_i$ to distinct primes in a certain range; thus when a member is to join the system, the system manager (the other members) can run $D_a$ ($W_a$) to update $C$ ($w_i$) exactly as before; when a member holding $c_j$ is to be excluded from the system, the system manager can run $D_d$ to update $C$ as $C \leftarrow C^{1/c_j} \bmod n$ since he knows the trapdoor of $f$, i.e. the factorisation of $n$, and all members except the excluded one can update their witnesses $w_i$ by running the extended GCD algorithm without help from the system manager.
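The RSA accumulator just described, carried through in code as an added example (this is not code from the paper or from [8]): three prime identities are accumulated, each member gets a witness, one member is revoked with the trapdoor, and the remaining members repair their witnesses with the extended GCD alone, exactly the split of work between system manager and members described above. The modulus, the quadratic residue $u_0$ and the member primes are tiny constructed values chosen so the example runs instantly; they are not secure parameters.

```python
"""Added example (not from the paper or [8]): the RSA dynamic accumulator
f(u, e) = u^e mod n with trapdoor deletion and trapdoor-free witness repair.
All parameters are constructed toy values and are NOT secure."""

# Constructed toy modulus: p = 2p'+1 and q = 2q'+1 are safe primes (p' = 509, q' = 593).
P, Q = 1019, 1187
N = P * Q
ORDER_QR = ((P - 1) // 2) * ((Q - 1) // 2)   # |QR(n)| = p'q': the trapdoor aux_f
U0 = 4                                        # u_0 = 2^2 is a quadratic residue mod n


def ext_gcd(a, b):
    """Extended GCD: return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def accumulate(v, e):
    """D_a, i.e. f(v, e) = v^e mod n; the member-side W_a is the same map on w_i."""
    return pow(v, e, N)


def witness_for(e, members):
    """Initial witness of e: accumulate every other member into u_0 (no trapdoor)."""
    w = U0
    for other in members:
        if other != e:
            w = accumulate(w, other)
    return w


def verify_witness(w, e, v):
    """The relation R(w, e, v): w^e = v mod n."""
    return pow(w, e, N) == v


def delete(v, e):
    """D_d: v^(1/e) mod n, computable only with the trapdoor p'q'."""
    d = pow(e, -1, ORDER_QR)          # e^{-1} mod p'q' (e must be coprime to p'q')
    return pow(v, d, N)


def update_witness_after_delete(w, e_i, v_new, e_j):
    """W_d: from s*e_i + t*e_j = 1, w' = w^t * v_new^s mod n.
    Since w^e_i = v = v_new^e_j, w'^e_i = v_new^(t*e_j + s*e_i) = v_new."""
    g, s, t = ext_gcd(e_i, e_j)
    if g != 1:
        raise ValueError("e_i == e_j: a revoked member cannot repair its witness")
    return (pow(w, t, N) * pow(v_new, s, N)) % N   # negative t handled by pow (Python 3.8+)


def demo():
    """Accumulate three members, revoke 103, then add 109; report the checks."""
    members = [101, 103, 107]                  # distinct primes playing the e_i role
    v = U0
    for e in members:
        v = accumulate(v, e)
    wit = {e: witness_for(e, members) for e in members}
    all_valid = all(verify_witness(wit[e], e, v) for e in members)

    v_del = delete(v, 103)                     # GM revokes 103 with the trapdoor
    repaired = {e: update_witness_after_delete(wit[e], e, v_del, 103) for e in (101, 107)}
    survivors_valid = all(verify_witness(repaired[e], e, v_del) for e in (101, 107))
    revoked_invalid = not verify_witness(wit[103], 103, v_del)

    v_add = accumulate(v_del, 109)             # a new member 109 joins
    w_109 = v_del                              # the old accumulator is the newcomer's witness
    w_101 = accumulate(repaired[101], 109)     # old members raise their witness to 109
    after_add_valid = verify_witness(w_109, 109, v_add) and verify_witness(w_101, 101, v_add)
    return {"all_valid": all_valid, "survivors_valid": survivors_valid,
            "revoked_invalid": revoked_invalid, "after_add_valid": after_add_valid}


if __name__ == "__main__":
    print(demo())
```

The point to notice is the asymmetry: `delete` needs `ORDER_QR`, which only the holder of the factorisation has, while `update_witness_after_delete` uses nothing but public values and the member's own witness; a revoked member is stuck because $\gcd(e_j, e_j) \neq 1$ and no Bezout coefficients exist.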

We present a general definition of a 'secure dynamic accumulator' as provided in [8, 9]. We extend the domain and range of an accumulator from a single value to a vector of values, and the witness $w$ from a single value satisfying $f(w, x) = v$ to a vector of values satisfying $R(w, x, v) = 1$.

Definition 1. Let $\{X_k\}_{k \in \mathbb{N}}$ be a sequence of sets of values, $\{F_k\}_{k \in \mathbb{N}}$ a sequence of sets of functions from $U_f \times X_k$ to the set $U_f$, and $\{R_k\}_{k \in \mathbb{N}}$ a sequence of sets of relations. As in [8], $U_f$ is an efficiently samplable input domain for the functions in $F_k$, and $X_k$ is the intended input domain whose elements are to be accumulated. For $v \in U_f$ and $x \in X_k$, a vector of values $w \in U_R$ is called a witness for $x$ in $v$ with $R \in R_k$ if it satisfies the relation $R$, i.e. $R(w, x, v) = 1$. $\{\{X_k\}_{k \in \mathbb{N}}, \{F_k\}_{k \in \mathbb{N}}, \{R_k\}_{k \in \mathbb{N}}\}$ is called a secure dynamic accumulator if it has the following properties:

• Efficient generation: There exists an efficient probabilistic algorithm $G(1^k)$ that outputs a random function $f \in F_k : U_f \times X_k \to U_f$ and a corresponding relation $R(U_R, X_k, U_f)$, possibly along with some auxiliary information $\mathit{aux}_f$ (trapdoor). Note that here $U_f$ can be a set of vectors.

• Efficient evaluation: $f \in F_k$ is a polynomial-size circuit that on input $(u, x) \in U_f \times X_k$ outputs $v$.

• Quasi-commutativity: For all $k$, for all $f \in F_k$, for all $u \in U_f$, for all $x_1, x_2 \in X_k$: $f(f(u, x_1), x_2) = f(f(u, x_2), x_1)$. That is, for $X = \{x_1, x_2, \ldots, x_m\} \subseteq X_k$, the value vector $f(f(\ldots(u, x_1), \ldots), x_m)$ is independent of the order of the $x_i$, and therefore can be denoted by $f(u, X)$ without confusion.

• Coalition resistance: For every probabilistic polynomial-time adversary $\mathcal{A}$, the following probability is negligible:

$$\Pr\big[(f, R) \leftarrow G(1^k),\ u \leftarrow U_f,\ (x, w, X) \leftarrow \mathcal{A}(f, R, U_f, u) :\ X \subseteq X_k,\ x \notin X,\ w \in U_R,\ R(w, x, f(u, X)) = 1\big]$$

• Efficient addition: There exist polynomial algorithms $D_a, W_a$ such that if $v = f(u, X)$, $x \in X$, $x' \notin X$ and $R(w, x, v) = 1$, then (1) $D_a(v, x') = v'$ such that $f(u, X \cup \{x'\}) = v'$; and (2) $W_a(f, R, v, v', x, x', w) = w'$ such that $R(w', x, v') = 1$.

• Efficient deletion: There exist polynomial algorithms $D_d, W_d$ such that if $v = f(u, X)$, $x, x' \in X$, $x \neq x'$ and $R(w, x, v) = 1$, then (1) $D_d(\mathit{aux}_f, v, x') = v'$ such that $f(u, X \setminus \{x'\}) = v'$; and (2) $W_d(f, R, v, v', x, x', w) = w'$ such that $R(w', x, v') = 1$. Note that $D_d$ is executable in polynomial time only when the trapdoor is available.

2.1 Secure reversed dynamic accumulators

If $F_k$ in the above definition is a family of bijective functions, we get a new accumulator by reversing all the functions in $F_k$. The new accumulator with $F_k^{-1}$, or discharger, has the following properties if the original accumulator is a secure dynamic one:

• Efficient generation: The efficient generation for $F_k$ is still available for $F_k^{-1}$.

• Efficient evaluation: $v = f^{-1}(u, x)$ is polynomially computable by running $D_d(\mathit{aux}_f, u, x)$.

• Quasi-commutativity: For all $k$, for all $f \in F_k$, for all $u \in U_f$, for all $x_1, x_2 \in X_k$, if $a = f^{-1}(f^{-1}(u, x_1), x_2)$ and $b = f^{-1}(f^{-1}(u, x_2), x_1)$, then $a = b$. The equality is obtained by checking $u = f(f(a, x_2), x_1) = f(f(b, x_1), x_2)$ and using the bijectivity of $f$. That is, for $X = \{x_1, x_2, \ldots, x_m\} \subseteq X_k$, the value vector $f^{-1}(f^{-1}(\ldots(u, x_1), \ldots), x_m)$ is independent of the order of the $x_i$, and therefore can be denoted by $f^{-1}(u, X)$ without confusion.

• Efficient witness: There exists a polynomial algorithm $RW(\mathit{aux}_f, x, u)$ to calculate $w$ such that $R(w, x, u) = 1$.

• Security: For every probabilistic polynomial-time adversary $\mathcal{A}$, the following probability is negligible:

$$\Pr\big[(f, R) \leftarrow G(1^k);\ u \leftarrow U_f;\ (x_i, w_i) \leftarrow \mathrm{Oracle}(RW, u),\ i \in [1, t];\ j \in_R [1, t];\ u' \leftarrow \mathrm{Oracle}(f^{-1}(u, x_j));\ w \leftarrow \mathcal{A}(f, R, U_f, u, u') :\ w \in U_R,\ R(w, x_j, u') = 1\big]$$

Otherwise the coalition resistance of the original accumulator would not hold.

• Efficient discharge: There exist polynomial algorithms $RD_d, RW_d$ such that if $v = f^{-1}(u, X)$, $y, x' \notin X$, $y \neq x'$ and $R(w, y, v) = 1$, then (1) $RD_d(\mathit{aux}_f, v, x') = v'$ such that $f^{-1}(u, X \cup \{x'\}) = v'$; and (2) $RW_d(f, R, v, v', y, x', w) = w'$ such that $R(w', y, v') = 1$. Precisely, $RD_d$ can be computed by running $D_d(\mathit{aux}_f, v, x')$, and $RW_d$ by invoking $W_d(f, R, v, v', y, x', w)$.

• Efficient recharge: There exist polynomial algorithms $RD_r, RW_r$ such that if $v = f^{-1}(u, X)$, $y \notin X$, $x' \in X$ and $R(w, y, v) = 1$, then (1) $RD_r(v, x') = v'$ such that $f^{-1}(u, X \setminus \{x'\}) = v'$; and (2) $RW_r(f, R, v, v', y, x', w) = w'$ such that $R(w', y, v') = 1$. Actually, $RD_r$ can be computed by running $D_a(v, x')$, and $RW_r$ by invoking $W_a(f, R, v, v', y, x', w)$.

The witness of $x$ in $v = f(u, X)$ defined for the secure dynamic accumulator becomes the witness of $x$ not in $u = f^{-1}(v, X)$ defined for the reversed accumulator.

Theorem 1. If $f$ is a secure dynamic accumulator, then $f^{-1}$ is a secure reversed dynamic accumulator.

The proof is provided in Section 10.1.

2.2 Comparisons

For an ordinary dynamic accumulator, the evaluation is efficient and available to everyone, while for a reversed dynamic accumulator the evaluation is efficiently available only to an authority who knows the trapdoor used in executing $D_d$ of its ordinary version; but the correctness of $D_d$ is verifiable by everyone by checking the relation $R$.

The discharge and recharge algorithms of a reversed dynamic accumulator are similar to the deletion and addition algorithms of the dynamic accumulator, respectively, except that the order in which they are invoked is reversed.

An extra algorithm $RW$ calculating witnesses is added to the definition of the reversed dynamic accumulator, while it is not explicitly defined for the ordinary dynamic accumulator, because there the current accumulator $u$ is the witness of the next $x$ to be accumulated.

2.3 Examples of secure reversed dynamic accumulators

We reverse the secure dynamic accumulator construction defined in [8]; see Section 10.2 for the security proof.

Scheme 1. Let $f \in F_k$ be $f(u, e) = u^e \bmod n$, $u \in QR(n)$, $e \in X$, where $n$ is a product of two safe primes of length $k/2$, and $X = \{e : e \in \mathbb{Z}_n^*\} \cap \{\text{Primes}\}$. Then $f^{-1}(u, e) = u^{1/e} \bmod n$ is a secure reversed dynamic accumulator. The witness of $e$ not in $u$ is knowledge of $x$ such that $x^e = u \bmod n$. The trapdoor $\mathit{aux}_f$, i.e. the factorisation of $n$, is known only to the operator of the reversed accumulator.

3 Review of ACJT's group signature and CL's membership revocation

The ACJT scheme [2] begins by choosing security parameters $\varepsilon > 1$, $k$, $l_p$, as well as a collision resistant hash function $H : \{0,1\}^* \to \{0,1\}^k$. Let $\Delta = [2^{l_1} - 2^{l_2}, 2^{l_1} + 2^{l_2}]$ and $\Gamma = [2^{\gamma_1} - 2^{\gamma_2}, 2^{\gamma_1} + 2^{\gamma_2}]$, where $l_1 > \varepsilon(l_2 + k) + 2$, $l_2 > 4 l_p$, $\gamma_1 > 2(\gamma_2 + k) + 2$, $\gamma_2 > l_1 + 2$.

3.1 SETUP

GM randomly chooses two safe primes $p, q$, i.e. $p' = (p-1)/2$ and $q' = (q-1)/2$ are large primes too, and $a, a_0, g, h \in_R QR(n)$, $x \in_R \mathbb{Z}_{p'q'}$, and calculates $n = pq$, $y = g^x \bmod n$. The group public key is $Y = \{n, a, a_0, y, g, h\}$. GM's secret keys are $S = \{p', q', x\}$.

3.2 JOIN

When user $U$ wants to join the group, he runs an interactive protocol with GM, and in the end $U$ obtains his secret key $x_u \in \Delta$ and his certificate $(A_u, e_u)$, where $e_u \in_R \Gamma$ and $A_u := (a^{x_u} a_0)^{1/e_u} \bmod n$. $(A_u, e_u, x_u)$ is the signing key of $U$. $(A_u, e_u)$ and the transcripts generated, as well as the identity of $U$, are stored in a registration database.


3.3 SIGN and VERIFY

$U$ signs $m$ by generating an honest-verifier zero-knowledge proof of $(A_u, e_u \in \Gamma, x_u \in \Delta)$, which is formulated specifically as follows:

$$\mathrm{SK}\{(\alpha, \beta, \gamma, \delta) : a_0 = T_1^{\alpha} / (a^{\beta} y^{\gamma}) \bmod n;\ T_2 = g^{\delta} \bmod n;\ 1 = T_2^{\alpha} / g^{\gamma} \bmod n;\ T_3 = g^{\alpha} h^{\delta} \bmod n;\ \alpha \in \Gamma;\ \beta \in \Delta\}\{m\}$$

The verification of the group signature is the verification of the above proof.

3.4 OPEN

GM calculates $A := T_1 / T_2^{x} \bmod n$ and compares it with the registration database; the signer of the signature is then traced. Then GM generates a proof of knowledge $\mathrm{PK}\{x : y = g^x \bmod n;\ T_1/A_u = T_2^{x} \bmod n\}$ to support his judgement.

3.5 Revocation [8]

An accumulated value $u = u_0^{\prod_{j \in S} e_j}$ is published, where $S$ is the set of all current group members. Each legitimate member additionally has to prove his knowledge of $w_i \in \mathbb{Z}_n^*$ such that $w_i^{e_i} = u \bmod n$ (called the witness of $U$).

• Member addition: When the members in $E_{\mathit{add}}$ are to be added to the group, GM updates $u$: $u \leftarrow u^{\prod e_j}$, $e_j \in E_{\mathit{add}}$. An old member $e_i$ updates his witness $w_i$: $w_i \leftarrow w_i^{\prod e_j}$, $e_j \in E_{\mathit{add}}$.

• Member deletion: When the members in $E_{\mathit{del}}$ are to be revoked from the group, GM updates $u$: $u \leftarrow u^{1/\prod e_j}$, $e_j \in E_{\mathit{del}}$. An old member $e_i \notin E_{\mathit{del}}$ updates his witness $w_i$: $w_i \leftarrow w_i^{t} u^{s}$, where $s e_i + t e_j = 1$, $e_j \in E_{\mathit{del}}$.

To combine all the proofs of knowledge together efficiently, [8] introduced three more values: $C_e = g^{e_i} h^{t_1}$, $C_u = w_i h^{t_2}$, $C_r = g^{t_2} h^{t_3}$, where $t_1, t_2, t_3 \in_R \mathbb{Z}_{\lfloor n/4 \rfloor}$. And the complete group signature becomes

$$\mathrm{SK}\{(\alpha, \beta, \gamma, \delta, \gamma_1, \gamma_2, \gamma_3, \varphi_1, \varphi_2) : a_0 = T_1^{\alpha} / (a^{\beta} y^{\gamma}) \bmod n;\ T_2 = g^{\delta} \bmod n;\ 1 = T_2^{\alpha} / g^{\gamma} \bmod n;\ T_3 = g^{\alpha} h^{\delta} \bmod n;\ C_r = g^{\gamma_2} h^{\gamma_3} \bmod n;\ C_e = g^{\alpha} h^{\gamma_1} \bmod n;\ u = C_u^{\alpha} / h^{\varphi_1} \bmod n;\ 1 = C_r^{\alpha} / (g^{\varphi_1} h^{\varphi_2}) \bmod n;\ \alpha \in \Gamma;\ \beta \in \Delta\}$$

The complication of the proof of knowledge above lies in the difficulty of proving knowledge of an exponent and of a root [i.e. $(A_i, e_i)$ and $(w_i, e_i)$] at the same time.

4 Reducing bandwidth of ACJT-CL's group signature

The idea behind our proposal is to view $f_2^{-1}(a, a_0, e) = (a^{1/e}, a_0^{1/e})$ as a reversed extended dynamic accumulator, where the witness of $e$ in $(a, a_0)$ is $(A, x)$ such that $A^e = a^x a_0 \bmod n$.

In fact, [7] had proposed a simple revocation similar to our proposal. They let $a, a_0$ change sequentially every time a membership revocation took place. But their scheme was so inefficient (the reason lay in the way $a, a_0$ were changed) that it was abandoned by its authors. Our scheme could be seen as an efficient version of [7].

Scheme 2. The chosen security parameters and the algorithms SETUP, JOIN, SIGN and VERIFY are exactly the same as in the original ACJT group signature reviewed in Section 3, except that $a, a_0$ can change when a membership revocation occurs, so we omit them here.

1. UPDATE. The UPDATE algorithm comprises two parts, executed by GM and by the concerned group members, respectively. See Section 10.3 for its correctness.

• UPDATE-GM

— When member revocation occurs, take $U_{j_0}$ with certificate $(A_{j_0}, e_{j_0})$ as an example; GM is able to update $a, a_0$ as follows because he knows the factorisation of $n$: $a \leftarrow a^{1/e_{j_0}} \bmod n$, $a_0 \leftarrow a_0^{1/e_{j_0}} \bmod n$.

— When member addition occurs, $a, a_0$ are unchanged. GM just runs the normal JOIN protocol with the new members under the current values of $a, a_0$; the other members are not affected at all.

• UPDATE-MEMBER

— When member revocation occurs, take $U_{j_0}$ with certificate $(A_{j_0}, e_{j_0})$ as an example; now part of the public key, $a, a_0$, has been updated to $a', a'_0$, and the $i$-th member ($i \neq j_0$) can update his certificate as follows: he first calculates $s, t$ such that $s e_i + t e_{j_0} = 1$, then computes $A'_i = A_i^{t} (a'^{x_i} a'_0)^{s} \bmod n$. The computation does not require the group secret key, i.e. the factorisation of $n$, so any unrevoked group member is able to run UPDATE-MEMBER.

— When member addition occurs, the other members do nothing.

2. OPEN. GM or the opener calculates $A := T_1 / T_2^{x} \bmod n$ and compares it with the items in the registration database $T$; if a match is found, GM generates a proof of knowledge $\mathrm{PK}\{x : y = g^x \bmod n;\ T_1/A = T_2^{x} \bmod n\}$ to support his judgement.

Else, if no match is found, GM sets $B \leftarrow A$, computes $B \leftarrow B^{e_j} \bmod n$ and searches $T$ for a match, for each $e_j \in E_{\mathit{del}}$ in reverse order (i.e. if $e_1$ was revoked before $e_2$, then compute $B^{e_2}$ first), until a match is found.

In other words, if $E_{\mathit{del}} = \{e_{j_1}, \ldots, e_{j_D}\}$ where $e_{j_k}$, $k \in [1, D]$, is in the order of revocation time, GM computes $A^{e_{j_{D+1}} e_{j_D} \cdots e_{j_k}} \bmod n$ from $k = D+1$ down to $k = 1$ (setting $e_{j_{D+1}} = 1$), and searches $T$ for a match after each computation; if a match is found, it stops, outputs the $A_i$ and the sequence of $e_j$, and generates a proof of knowledge $\mathrm{PK}\{x : y = g^x \bmod n;\ T_1/A = T_2^{x} \bmod n\}$. If no match is found at the end, it outputs failure.
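The UPDATE and OPEN steps of Scheme 2, and the root-taking of Scheme 1 (Section 2.3) they rest on, carried through as an added example; this is not the paper's code. It assumes toy safe-prime parameters, small member primes in the $e_i$ role and made-up $x_i$ values, all constructed here and far too small to be secure, and a registration table that stores only the certificate $A$ per identity. Two members are revoked in turn, the survivor repairs her certificate without the trapdoor, and OPEN rolls her current certificate back through the revocation list, newest first, until it matches the stored one.

```python
"""Added example (not the paper's code): Scheme 2's reversed accumulator on (a, a_0).
GM discharges a revoked prime e_j by taking e_j-th roots of (a, a_0); survivors repair
their certificate A with the extended GCD; OPEN rolls a current certificate back
through the revocation list until it matches the registration table.
All parameters are constructed toy values and are NOT secure."""

# Constructed toy modulus with safe primes p = 1019 (p' = 509) and q = 1187 (q' = 593).
P, Q = 1019, 1187
N = P * Q
ORDER_QR = ((P - 1) // 2) * ((Q - 1) // 2)   # p'q': GM's trapdoor (factorisation of n)


def ext_gcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def root(v, e):
    """Scheme 1: e-th root in QR(n) via the trapdoor, v^(e^{-1} mod p'q') mod n."""
    return pow(v, pow(e, -1, ORDER_QR), N)


def issue_cert(a, a0, x, e):
    """JOIN (GM side): A = (a^x a_0)^(1/e) mod n, the witness of e in (a, a_0)."""
    return root((pow(a, x, N) * a0) % N, e)


def cert_valid(a, a0, A, e, x):
    """The relation a member proves in SIGN: A^e = a^x a_0 mod n."""
    return pow(A, e, N) == (pow(a, x, N) * a0) % N


def update_gm(a, a0, e_j):
    """UPDATE-GM on revoking e_j: a <- a^(1/e_j), a_0 <- a_0^(1/e_j)."""
    return root(a, e_j), root(a0, e_j)


def update_member(a_new, a0_new, A, e_i, x_i, e_j):
    """UPDATE-MEMBER (no trapdoor): s*e_i + t*e_j = 1, A' = A^t (a'^x_i a'_0)^s."""
    g, s, t = ext_gcd(e_i, e_j)
    if g != 1:
        raise ValueError("the revoked member cannot repair its own certificate")
    base = (pow(a_new, x_i, N) * a0_new) % N
    return (pow(A, t, N) * pow(base, s, N)) % N   # negative t is fine (Python 3.8+)


def open_signature(A_current, table, revoked_in_order):
    """OPEN: look the decrypted A up in T; otherwise raise it to each revoked e_j,
    newest revocation first, and look again. Returns (identity or None, path)."""
    B, path = A_current, []
    if B in table:
        return table[B], path
    for e_j in reversed(revoked_in_order):
        B = pow(B, e_j, N)
        path.append(e_j)
        if B in table:
            return table[B], path
    return None, path


def demo():
    """Three members join; bob then carol are revoked; alice's signature is opened."""
    a, a0 = 9, 25                                   # constructed QR(n) elements
    members = {"alice": (101, 12345), "bob": (103, 23456), "carol": (107, 34567)}
    certs = {name: issue_cert(a, a0, x, e) for name, (e, x) in members.items()}
    table = {A: name for name, A in certs.items()}  # registration database T

    a1, a01 = update_gm(a, a0, 103)                 # revoke bob
    A_alice = update_member(a1, a01, certs["alice"], 101, 12345, 103)
    a2, a02 = update_gm(a1, a01, 107)               # revoke carol
    A_alice = update_member(a2, a02, A_alice, 101, 12345, 107)

    return {
        "alice_valid_now": cert_valid(a2, a02, A_alice, 101, 12345),
        "bob_stale": cert_valid(a2, a02, certs["bob"], 103, 23456),
        "opened": open_signature(A_alice, table, [103, 107]),
        "rollback_is_original": pow(A_alice, 103 * 107, N) == certs["alice"],
    }


if __name__ == "__main__":
    print(demo())
```

Because each UPDATE-MEMBER step takes an $e_j$-th root of the stored certificate (in $QR(n)$ the root is unique), the current certificate equals $A^{1/(e_{j_1} e_{j_2})}$ and OPEN recovers $A$ by re-applying the exponents; the intermediate lookups are what the correctness argument in Section 4.1 is about.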

4.1 The OPEN algorithm

A disadvantage of our proposed scheme is that running the OPEN algorithm on a group signature with an encrypted certificate, e.g. $A_i$, might yield a value different from the certificates stored by GM, because members might have updated their certificates when member deletion occurred. This problem is fixed in the above OPEN algorithm.

It might be doubted whether multiple matches could exist in OPEN. Suppose a user with $(x, A, e)$ joined the group when the public key was $(a, a_0)$, and $A$ is stored in $T$; after some updates the public key has been updated to $(a'', a''_0)$, and the user generates a group signature using the current certificate $A''$, where $A''^{e} = a''^{x} a''_0 \bmod n$. After $A''$ is decrypted and OPEN is executed on it, the correct $A$ and the identity of the user should be recovered when rolling back to $(a, a_0)$; but what if, in an intermediate state, e.g. when rolling back to $(a', a'_0)$ between $(a, a_0)$ and $(a'', a''_0)$, a match is found?

Suppose $(a', a'_0) = (a^{1/E}, a_0^{1/E})$ and $(a'', a''_0) = ((a')^{1/F}, (a'_0)^{1/F})$, where $E$ and $F$ are co-prime products of primes in $\Gamma$. If a match is found ahead of the correct time, i.e. there exists $A' = A''^{F}$ in $T$, then there must be an $(\tilde{x}, \tilde{e})$ satisfying $A'^{\tilde{e}} = a'^{\tilde{x}} a'_0$, so

$$A''^{eF} = a'^{x} a'_0 \bmod n$$

$$A''^{F\tilde{e}} = a'^{\tilde{x}} a'_0 \bmod n$$

When $x \neq \tilde{x}$ (the probability of $x = \tilde{x}$ is negligible, so only the inequality is considered here), $A''^{F e \tilde{x} - F \tilde{e} x} = (a'_0)^{\tilde{x} - x} \bmod n$ is obtained; if $a'_0 = b^{1/C}$ for some random $b$, and $C$ is a product of some primes in $\Gamma$ available from the published revocation list, then the RSA problem for $b$ is solvable by the user from $A$ and $A'$, since the left exponent is larger than the right one, a contradiction to the RSA assumption. The argument shows the correctness of the above OPEN algorithm.

4.2 Security

Theorem 2. The underlying reversed dynamic accumulator is secure (the proof is in Section 10.5).

Theorem 3. In the proposed scheme, a revoked member is not able to forge valid certificates in polynomial time (the proof is in Section 10.6).

4.3 Efficiency comparisons

Table 1 is a comparison of our scheme with [7, 8] with respect to signature bandwidth and required computations (in terms of the number of modular exponentiations and root extractions, denoted 'e' and 'r', respectively) in the UPDATE, SIGN, VERIFY and OPEN algorithms, under the parameters $l_p = 512$, $k = 160$, $\varepsilon = 1.1$, $l_2 = 2048$, $l_1 = 2430$, $\gamma_2 = 2432$, $\gamma_1 = 2854$. Computations in UPDATE, i.e. Add and Delete, are summed for GM and for a group member (M) separately. Note: BW, short for bandwidth, i.e. signature size; gpk denotes the group public key; $R$ is the number of revoked members.

5 Review of Nguyen-Naini's group signature and Nguyen's membership revocation

Nguyen-Naini's group signature [10] is essentially the same as the one with non-frameability in [11] (Section 7), except for a different description.

It begins by choosing a security parameter $l$, as well as a collision resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_p$, and a bilinear map $e : G_1 \times G_1 \to G_M$, $\mathrm{ord}(G_M) = p$, $G_1 = \langle P \rangle$.

SETUP. GM randomly chooses $x, x' \in \mathbb{Z}_p^*$, $P_0, G, H \in_R G_1$, and computes $P_{\mathit{pub}} = xP$, $Y = e(G, G)^{x'}$. The group public key is $\{P, P_0, P_{\mathit{pub}}, H, G, Y\}$; GM's secret keys are $\{x, x'\}$.

JOIN. When a user denoted $i$ wants to join the group, he runs an interactive protocol with GM, and in the end user $i$ holds a secret key $x_i$, a certificate $(a_i, S_i)$ from GM, and $D_i$ as his identity, where $e(a_i P + P_{\mathit{pub}}, S_i) = e(P, x_i P + P_0)$ and $D_i = e(P, S_i)$.

SIGN. A signature of user $i$ on $m$ shows his knowledge of $(a_i, S_i, x_i)$ such that $e(a_i P + P_{\mathit{pub}}, S_i) = e(P, x_i P + P_0)$, and that he has correctly encrypted his identity $D_i$ in $(E = tG, L = D_i Y^t)$, without revealing any information about his identity, except to the opener, who can decrypt $(E, L)$ to get $D_i$.

VERIFY. The verifier accepts a signature by checking the correctness of the signature of knowledge.

OPEN & JUDGE. Omitted here.

Revocation [9]. Publish an accumulated value $V$, which is initialised to $V_0 = uQ$, where $u \in_R \mathbb{Z}_p^*$. Add $Q_{\mathit{pub}} = sQ$ to the public key.

Suppose the current group accumulator value is $V_j$; when user $i$ with $(x_i, a_i, S_i)$ has joined the group, GM updates the value $V_j$ to $V_{j+1}$: $V_{j+1} = (a_i + s) V_j$.

User $i$ sets his current membership witness $W_{i,j+1}$ to be $V_j$, while the other members update their membership witnesses as follows (take user $i'$ with $(a_{i'}, S_{i'}, x_{i'})$ as an example): $W_{i',j+1} = V_j + (a_i - a_{i'}) W_{i',j}$.

Suppose the current group accumulator value is $V_j$; when user $i$ with $(x_i, a_i, S_i)$ has been revoked from the group, the GM or issuer updates the value $V_j$ to $V_{j+1}$:

$$V_{j+1} = \frac{1}{a_i + s} V_j$$

User $i' \neq i$ with $(a_{i'}, S_{i'}, x_{i'})$ updates his membership witness as follows:

$$W_{i',j+1} = \frac{1}{a_i - a_{i'}} (W_{i',j} - V_j)$$

The group signature includes an additional proof of knowledge of $(a_i, W_i)$ such that $e(a_i Q + Q_{\mathit{pub}}, W_i) = e(Q, V)$, so the complexity is nearly twice that of the revocation-free scheme.

6 Reducing bandwidth of Nguyen-Naini’s group signature with revocation

Scheme 3. The chosen security parameters and the algorithms SETUP, JOIN, SIGN and VERIFY are exactly the same as in the original Nguyen-Naini group signature scheme [10] reviewed in Section 5, except that $P, P_0, P_{pub}$ can be different when a membership revocation occurs, so we omit them here.

1. UPDATE. The UPDATE algorithm comprises two parts, executed by GM and by the concerned group members respectively. See Section 10.4 for its correctness.

• UPDATE-GM

— When member revocation occurs, suppose user $j'$ with certificate $(S_{j'}, a_{j'})$ is to be deleted. GM is able to update $P, P_0, P_{pub}$ since it knows the group secret key $x$:

$$P \leftarrow \frac{1}{a_{j'} + x}P, \qquad P_0 \leftarrow \frac{1}{a_{j'} + x}P_0, \qquad P_{pub} \leftarrow xP.$$

— When member addition occurs, $P, P_0$ are unchanged. GM just runs the normal JOIN protocol with new members under the current values of $P, P_0$; the other members are not affected at all.

• UPDATE-MEMBER

— When member revocation occurs, suppose user $j'$ with certificate $(S_{j'}, a_{j'})$ has been deleted and $P, P_0$ have been updated to $P', P'_0$. The $i$th member ($i \neq j'$) computes:

$$S'_i = \frac{1}{a_{j'} - a_i}\big[S_i - (x_iP' + P'_0)\big].$$

Note that this computation does not require the group secret key $x$, so it is available to any unrevoked group member.

— When member addition occurs, the other members do nothing.

Table 1: Comparison of ACJT scheme with various membership revocations

Standard   BW      gpk    Add            Delete         SIGN   VERIFY   OPEN
[Ast02]    O(k)    6288   Not required   Not required   14e    O(R)     1e
[CL02]     20399   7312   GM:1e/M:1e     GM:1r/M:2e     24e    24e      1e
Ours       14261   6288   GM:0/M:0       GM:2r/M:3e     11e    11e      Re

150 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006


2. OPEN. The decryption is the same as in Nguyen-Naini’s scheme. After $D$ is obtained from decryption, GM compares it with the items in the registration database $T$; if a match is found, it outputs the identity and a proof of correct decryption as in [10].

Otherwise, if no match is found, GM sets $B \leftarrow D$, computes $B \leftarrow B^{(a_j + x)^2}$ and searches $T$ for a match, for each $a_j \in E_{del}$ in the reverse order of revocation (i.e. if $a_1$ was revoked before $a_2$, then compute $B^{a_2}$ first), until a match is found.

In other words, if $E_{del} = \{a_{j_1}, \ldots, a_{j_D}\}$ where $a_{j_k}$, $k \in [1, D]$, is in the order of revocation time, GM computes

$$D^{(a_{j_{D+1}} + x)^2 (a_{j_D} + x)^2 \cdots (a_{j_k} + x)^2}$$

from $k = D + 1$ down to $k = 1$ (the $k = D + 1$ factor is taken to be 1, so the first search is on $D$ itself), and searches $T$ for a match after each computation; if a match is found, it stops, outputs $D_i$, the identity and the sequence of $a_j$, and generates a proof of correct decryption. If no match is found at the end, it outputs failure.
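As an added worked example (not code from the paper), the UPDATE and OPEN steps of Scheme 3 in a toy model: $G_1$ is replaced by scalars modulo a small prime and the pairing by exponentiation in a small multiplicative group, so the certificate update and the OPEN rollback by $(a_j + x)^2$ can be checked directly. All key values, identities and group parameters are constructed.

```python
# Toy model of Scheme 3 (Section 6), constructed here for illustration only.
# G1 = <P> is represented by scalars mod p (alpha*P is stored as alpha) and the
# pairing is simulated as e(alpha*P, beta*P) = g^(alpha*beta) in the order-p
# subgroup of Z_r^*; unlike a real bilinear group, discrete logs here are trivial.
P_ORDER, R = 1009, 10091                  # p prime, r = 10p + 1 prime
G = pow(2, (R - 1) // P_ORDER, R)         # generator of the order-p subgroup GT

def inv_p(a):
    return pow(a, -1, P_ORDER)
def pair(alpha, beta):                    # e(alpha*P, beta*P) = g^(alpha*beta)
    return pow(G, (alpha * beta) % P_ORDER, R)

class GroupManager:
    def __init__(self, x, P, P0):
        self.x, self.P, self.P0 = x, P, P0          # secret key x; P, P0 public
        self.Ppub = (x * P) % P_ORDER
        self.T = {}                                 # registration database D_i -> id

    def join(self, ident, a_i, x_i):                # (a_i + x) S_i = x_i P + P0
        S_i = ((x_i * self.P + self.P0) * inv_p(a_i + self.x)) % P_ORDER
        self.T[pair(self.P, S_i)] = ident           # store D_i = e(P, S_i)
        return S_i

    def revoke(self, a_j):                          # UPDATE-GM: P, P0 <- P/(a_j+x), P0/(a_j+x)
        f = inv_p(a_j + self.x)
        self.P, self.P0 = (self.P * f) % P_ORDER, (self.P0 * f) % P_ORDER
        self.Ppub = (self.x * self.P) % P_ORDER

def member_update(S_i, x_i, a_i, a_j, P_new, P0_new):  # UPDATE-MEMBER, no x needed
    return ((S_i - (x_i * P_new + P0_new)) * inv_p(a_j - a_i)) % P_ORDER

def cert_valid(gm, a_i, S_i, x_i):        # e(a_i P + Ppub, S_i) == e(P, x_i P + P0)
    return pair(a_i * gm.P + gm.Ppub, S_i) == pair(gm.P, x_i * gm.P + gm.P0)

def open_rollback(gm, D, revoked_in_order):
    """OPEN: if D is not in T, raise it to (a_j + x)^2 for each revoked a_j,
    newest revocation first, until the original D_i stored in T is recovered."""
    B, used = D, []
    while B not in gm.T:
        if len(used) == len(revoked_in_order):
            return None, used                       # rolled back everything: failure
        a_j = revoked_in_order[-1 - len(used)]
        B, used = pow(B, (a_j + gm.x) ** 2, R), used + [a_j]
    return gm.T[B], used

def demo_scheme3():
    gm = GroupManager(x=17, P=3, P0=29)             # constructed toy keys
    S_alice = gm.join("alice", a_i=101, x_i=55)
    gm.join("bob", a_i=202, x_i=77)
    gm.revoke(202)                                  # bob is revoked; P, P0, Ppub change
    S_alice2 = member_update(S_alice, 55, 101, 202, gm.P, gm.P0)
    D_now = pair(gm.P, S_alice2)                    # identity encrypted in a new signature
    return cert_valid(gm, 101, S_alice2, 55), open_rollback(gm, D_now, [202])
```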

6.1 Correctness of OPEN

The correctness of the above OPEN can be verified as follows. Suppose a group member joined the group at $(P, P_0, P_{pub})$, obtained a certificate $S_i$, and $D_i = e(P, S_i)$ was stored in $T$. After some time the public key $(P, P_0, P_{pub})$ has been updated to $(P', P'_0, P'_{pub})$ because of the revocation of $a_j$. The group member generates signatures under the current public key, encrypting $D = e(P', S'_i)$ in the group signature. Then

$$D^{(a_j + x)^2} = e\big((a_j + x)P',\ (a_j - a_i + a_i + x)S'_i\big) = e\big(P,\ (a_j - a_i)S'_i + x_iP' + P'_0\big) = e(P, S_i) = D_i.$$

It might be doubted whether multiple matches can occur in OPEN. Suppose a group member with secret key and certificate $(x_i, S_i, a_i)$ joined the group when the public key was $(P, P_0, P_{pub})$, and $D_i = e(P, S_i)$ is stored in $T$; after some updates the public key has become $(P'', P''_0, P''_{pub})$, and the member generates a group signature using the current certificate $S''_i = \frac{1}{a_i + x}(x_iP'' + P''_0)$. After $e(P'', S''_i)$ is decrypted and OPEN is executed, the correct $D_i$ and the identity of the user should be recovered when rolling back to $(P, P_0, P_{pub})$; but what if a match is found in an intermediate state between $(P, P_0, P_{pub})$ and $(P'', P''_0, P''_{pub})$, say $(P', P'_0, P'_{pub})$?

Suppose $(P', P'_0, P'_{pub}) = \big(\frac{1}{E}P, \frac{1}{E}P_0, \frac{1}{E}P_{pub}\big)$ and $(P'', P''_0, P''_{pub}) = \big(\frac{1}{F}P', \frac{1}{F}P'_0, \frac{1}{F}P'_{pub}\big)$, where $E$ and $F$ are products of terms $a_k + x$, the $a_k$ are published in the revocation list, we say $k \in E$ if $a_k + x$ is included in $E$, and $E \cap F = \emptyset$. Denote $E = \prod_{k \in E}(a_k + x)$ and $F = \prod_{k \in F}(a_k + x)$.

If a match is found ahead of the correct time, i.e. there exists $e(P', S') = e(P'', S''_i)^{F^2}$ in $T$, then there must be $(x_j, a_j \neq a_i)$ satisfying $S' = \frac{1}{a_j + x}(x_jP' + P'_0)$, so

$$\frac{1}{a_j + x}(x_jP' + P'_0) = S' = F S''_i = \frac{1}{a_i + x}(x_iP' + P'_0).$$

If $P'_0 = \gamma P'$ with $\gamma$ unknown to GM, then from the above equation it follows that

$$\gamma = \frac{a_j x_i - a_i x_j + (x_i - x_j)x}{a_i - a_j}.$$

This means that if multiple matches for one decrypted $D$ occur with non-negligible probability, then this can be used to solve the discrete logarithm problem in a certain group, which contradicts our assumption, since the q-SDH assumption implies the discrete logarithm assumption.

6.2 Security

The security of our scheme can be reduced to that of the original scheme of [10] and of the adopted secure reversed dynamic accumulator; we omit the proof here because of its similarity with the ACJT-based scheme.

6.3 Efficiency comparisons

Obviously SIGN here is more efficient than in the original scheme with membership revocation, since the additional proof of knowledge of the witness $W_{i,j+1}$ is no longer needed. The UPDATE algorithm is also efficient, especially when member addition occurs, since no updates are needed at all.

7 Conclusions

We formally defined the reversed dynamic accumulator, which has been used in some short group signatures to provide efficient revocation [11]; we then applied it to [2, 8] and [9, 10] to obtain short group signature schemes with revocation.

We dealt with some problems that arise when reversed dynamic accumulators are adopted, which were not considered or solved in [11], such as opening a group signature correctly.

Opening a signature is inefficient compared with regular dynamic accumulator based schemes, but this is acceptable on the condition that OPEN is executed far less often than SIGN and VERIFY, and it is very useful in applications where both short signature size and efficient revocation are important.

8 Acknowledgments

The work reported here was supported by the 973 Project of China (No. 2004CB318004), the 863 Project of China (No. 2003AA144030) and NSFC 90204016.

9 References

1 Chaum, D., and van Heyst, E.: ‘Group signatures’. EUROCRYPT’91, 1991, (LNCS, 547), pp. 257–265

2 Ateniese, G., Camenisch, J., Joye, M., and Tsudik, G.: ‘A practical and provably secure coalition-resistant group signature scheme’. CRYPTO’00, 2000, (LNCS, 1880), pp. 255–270

3 Bellare, M., Shi, H., and Zhang, C.: ‘Foundations of group signatures: The case of dynamic groups’. CT-RSA’05, 2005, (LNCS, 3376), pp. 136–153. Full paper at http://www-cse.ucsd.edu/~mihir/papers/dgs.html

4 Kiayias, A., and Yung, M.: ‘Group signatures: Provable security, efficient constructions and anonymity from trapdoor-holders’. Cryptology ePrint Archive, Report 2004/076, 2004

5 Ateniese, G., and Tsudik, G.: ‘Some open issues and new directions in group signature schemes’. Financial Cryptography’99, 1999, (LNCS, 1648)

6 Bresson, E., and Stern, J.: ‘Efficient revocation in group signatures’. PKC’01, 2001, (LNCS, 1992)

7 Ateniese, G., Song, D., and Tsudik, G.: ‘Quasi-efficient revocation in group signatures’. Financial Cryptography’02, 2002, (LNCS, 2357)

8 Camenisch, J., and Lysyanskaya, A.: ‘Dynamic accumulators and application to efficient revocation of anonymous credentials’. CRYPTO’02, 2002, (LNCS, 2442), pp. 61–76

9 Nguyen, L.: ‘Accumulators from bilinear pairings and applications’. CT-RSA’05, 2005, (LNCS, 3376), pp. 275–292. A modified version is available at Cryptology ePrint Archive, Report 2005/123

10 Nguyen, L., and Safavi-Naini, R.: ‘Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings’. ASIACRYPT’04, 2004, (LNCS, 3329), pp. 372–386

11 Boneh, D., Boyen, X., and Shacham, H.: ‘Short group signatures’. CRYPTO’04, 2004, (LNCS, 3152), pp. 45–55

12 Boneh, D., and Boyen, X.: ‘Short signatures without random oracles’. EUROCRYPT’04, 2004, (LNCS, 3027), pp. 56–73


13 Chen, Z., Wang, J., Wang, Y., Huang, J., and Huang, D.: ‘An efficient revocation algorithm in group signatures’. ICISC’03, 2003, (LNCS, 2971), pp. 339–351

10 Appendixes

10.1 Proof of Theorem 1

Proof. Suppose $f^{-1}$ is not secure: given a randomly chosen $u$ and a polynomial number of $(x_i, w_i)$ with $R(x_i, w_i, u) = 1$, there exists an adversary $A$ that computes $w^*$ such that $R(x_j, w^*, u') = 1$, where $x_j$ is chosen by $A$ from the queries and $u'$ is the reply from $\mathrm{Oracle}(f^{-1}(x_j, u))$.

Then an adversary $B$ against $f$ can be constructed as follows: run $W_d(f, R, u, u', x_i, x_j, w_i) = w'_i$ for all $x_i$, $i \neq j$, such that $R(w'_i, x_i, u') = 1$. Let $X = \{x_i : i \neq j\}$; there exists $u_0$ such that $f(u_0, X) = u'$. Then $(x_j, w^*, X)$ is the output of $B$, with $R(x_j, w^*, f(u_0, X)) = 1$ while $x_j \notin X$, a violation of the security of the dynamic accumulator $f$. □

10.2 Security proof of reversed dynamic accumulator Scheme 1

Scheme 4. Let $f_1 \in F_k$ be $f_1(u, e) = u^e \bmod n$, $u \in QR(n)$, $e \in \mathcal{X}$, where $n$ is a product of two safe primes of length $k/2$ and $\mathcal{X} = \{e : e \in \mathbb{Z}_n^*\} \cap \{\text{Primes}\}$. Then $f_1^{-1}(u, e) = u^{1/e} \bmod n$ is a secure reversed dynamic accumulator. A witness of $e$ not in $u$ is knowledge of $x$ such that $x^e = u \bmod n$. The trapdoor, the factorisation of $n$, i.e. $aux_{f_1}$, is known only to the operator of the reversed accumulator.

• Efficient evaluation when the trapdoor is known: $f_1^{-1}(u, X) = u^{1/(e_1 e_2 \cdots e_l)}$, $X = \{e_i\}$, $e_i \in \mathcal{X}$, is efficient if $p, q$ are known.

• Efficient witness: given $u$, $e$ and $p, q$, it is efficient to calculate $w$ such that $w^e = u \bmod n$ by $w = u^{e^{-1} \bmod (p-1)(q-1)} \bmod n$.

• Discharge: to discharge $e_1$ from $v$, compute $v' = f_1^{-1}(v, e_1) = v^{1/e_1} \bmod n$ efficiently by knowledge of the factorisation of $n$. For a member holding $(e_2, w_2)$ where $e_2 \neq e_1$ and $w_2^{e_2} = v \bmod n$, the new witness $w'_2$ is computable by the extended GCD algorithm as described in [8].

• Security: for the discharged or revoked member holding $e_1, w_1$ with $w_1^{e_1} = v$, it is not polynomially computable to get a new witness $w'_1$ with $w_1'^{\,e_1} = v' = v^{1/e_1} \bmod n$; otherwise the strong RSA assumption is broken.

Proof. Suppose the challenge of the strong RSA problem is $y \in_R \mathbb{Z}_n^*$. The simulator of $\mathrm{Oracle}(RW)$ and $\mathrm{Oracle}(f_1^{-1})$ runs as follows: let $u = y^{\prod_i e_i} \bmod n$, $i \in [1, Q]$ ($Q$ is the number of queries to $\mathrm{Oracle}(RW)$); then the responses to queries are $(e_i,\ w_i = y^{\prod_{k \neq i} e_k} \bmod n)$. The adversary may select any $e_j$ out of $\{e_i\}$, query $\mathrm{Oracle}(f^{-1})$ about $e_j$ and $u$, and get the reply $u' = y^{\prod_{i \neq j} e_i} \bmod n$. The adversary wins if it can come up with $w^*$ such that $w^{*e_j} = u' \bmod n$, that is $w^{*e_j} = y^{\prod_{i \neq j} e_i} \bmod n$; since the $e_i$ are distinct primes, we can compute $y = (y^s w^{*t})^{e_j} \bmod n$, where $s e_j + t\prod_{i \neq j} e_i = 1$. □
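The following added example (not code from the paper) instantiates Scheme 4 with toy safe primes: the operator evaluates $f_1^{-1}$ with the trapdoor, an unrevoked member updates its witness without the trapdoor by the extended GCD method of [8], and the revoked member’s old witness stops verifying against the discharged value. The modulus, base and member primes are constructed.

```python
# Toy model of Scheme 4 (Appendix 10.2): the reversed dynamic accumulator
# f_1^{-1}(u, e) = u^{1/e} mod n over QR(n). Constructed for illustration with
# tiny safe primes; a real n is a product of two large safe primes.

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = egcd(b, a % b)
    return g, t, s - (a // b) * t

def inv(a, m):                      # a^{-1} mod m, requires gcd(a, m) = 1
    g, s, _ = egcd(a % m, m)
    assert g == 1
    return s % m

class ReversedAccumulator:
    """Operator (GM) side: knows p, q, i.e. the trapdoor aux_{f_1}."""
    def __init__(self, p, q, u):
        self.n, self.phi = p * q, (p - 1) * (q - 1)
        self.v = pow(u, 2, self.n)                  # accumulated value in QR(n)
    def witness(self, e):                           # w with w^e = v mod n
        return pow(self.v, inv(e, self.phi), self.n)
    def discharge(self, e):                         # revoke e: v <- f_1^{-1}(v, e) = v^{1/e}
        self.v = pow(self.v, inv(e, self.phi), self.n)
        return self.v

def verify(n, v, e, w):                             # membership check: w^e == v
    return pow(w, e, n) == v % n

def update_witness(n, v_new, e_mine, w_mine, e_revoked):
    """Unrevoked member side (no trapdoor): with a*e_mine + b*e_revoked = 1
    (extended GCD, as in [8]), w' = w^b * v_new^a satisfies w'^e_mine = v_new."""
    g, a, b = egcd(e_mine, e_revoked)
    assert g == 1                                   # distinct primes are coprime
    def mpow(base, exp):                            # allows negative exponents
        return pow(base if exp >= 0 else inv(base, n), abs(exp), n)
    return (mpow(w_mine, b) * mpow(v_new, a)) % n

def demo_scheme4():
    acc = ReversedAccumulator(23, 47, 5)            # toy safe primes 23 = 2*11+1, 47 = 2*23+1
    n, e1, e2 = acc.n, 7, 13                        # member primes coprime to phi(n)
    w1, w2 = acc.witness(e1), acc.witness(e2)
    ok_before = verify(n, acc.v, e1, w1) and verify(n, acc.v, e2, w2)
    v_new = acc.discharge(e1)                       # revoke member e1
    w2_new = update_witness(n, v_new, e2, w2, e1)   # e2 updates without trapdoor
    # revoked member: old witness no longer verifies, and v_new^{1/e1} needs p, q
    return ok_before, verify(n, v_new, e2, w2_new), verify(n, v_new, e1, w1)
```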

10.3 Correctness of UPDATE in Section 4

$$A_i'^{\,e_i} = \big(A_i^t (a'^{x_i} a'')^s\big)^{e_i} = A_i^{t e_i} (a'^{x_i} a'')^{1 - t e_{j'}} = a'^{x_i} a'' \left[\frac{A_i^{e_i}}{(a'^{x_i} a'')^{e_{j'}}}\right]^t = a'^{x_i} a'' \left[\frac{A_i^{e_i}}{a^{x_i} a_0}\right]^t = a'^{x_i} a'' \bmod n.$$

10.4 Correctness of UPDATE in Section 6

$$\begin{aligned}
(a_i + x)S'_i &= \frac{a_i + x}{a_{j'} - a_i}\big[S_i - (x_iP' + P'_0)\big] \\
&= \frac{a_i + x}{a_{j'} - a_i}\Big[\frac{1}{a_i + x}(x_iP + P_0) - (x_iP' + P'_0)\Big] \\
&= \frac{a_i + x}{a_{j'} - a_i}\Big[\frac{1}{a_i + x}\big(x_i(a_{j'} + x)P' + (a_{j'} + x)P'_0\big) - (x_iP' + P'_0)\Big] \\
&= \frac{a_i + x}{a_{j'} - a_i}\Big[\frac{x_i(a_{j'} + x)}{a_i + x} - x_i\Big]P' + \frac{a_i + x}{a_{j'} - a_i}\Big[\frac{a_{j'} + x}{a_i + x} - 1\Big]P'_0 \\
&= x_iP' + P'_0.
\end{aligned}$$

10.5 Proof of Theorem 2

Proof. The security of $f_2^{-1}$ as a reversed accumulator is based on the secure reversed accumulator $f_1^{-1}$ defined in Scheme 1. Suppose $f_2^{-1}$ is not secure; we construct an adversary $A_1$ against $f_1^{-1}$ from an adversary $A_2$ against $f_2^{-1}$. Let $a_0 = u$ and $a = a_0^{\prod_i e_i} \bmod n$, $i \in [1, Q]$ ($Q$ is the number of queries to $\mathrm{Oracle}_{f_2}(RW)$). $\mathrm{Oracle}_{f_2}(RW)$ responds to each query with $(x_i, A_i, e_i)$. The pairs $\big\{(A_i / a_0^{x_i \prod_{j \neq i} e_j},\ e_i)\big\}$ are returned to adversary $A_1$ as the responses of $\mathrm{Oracle}_{f_1}(RW)$. Since $f_2^{-1}$ is not secure, adversary $A_2$ successfully computes $(A^*, x^*)$ with $A^{*e_j} = a'^{x^*} a'' \bmod n$, $j \in_R [1, Q]$, where $(a', a'') = \mathrm{Oracle}(f_2^{-1}(e_j, a, a_0))$. Then $A_1$ wins by outputting $w^* = A^* a''^{\,-x^* \prod_{k \neq j} e_k} \bmod n$, because $w^{*e_j} = a'' \bmod n$, where $a'' = a_0^{1/e_j} \bmod n$. □

10.6 Proof of Theorem 3

Proof. If a member with certificate and secret key $(A_i, e_i, x_i)$ is revoked, suppose he can forge a valid certificate $(A', e', x')$ compatible with the current public key $(a', a'')$, where $a' = a^{1/e_i} \bmod n$ and $a'' = a_0^{1/e_i} \bmod n$.

Case $e' \neq e_i$: In this case,

$$A_i = a'^{x_i} a'' \bmod n, \qquad A'^{e'} = a'^{x'} a'' \bmod n.$$

This contradicts the unforgeability and coalition resistance of the original ACJT scheme with public key $a', a''$ [2].

Case $e' = e_i$: In this case, a forgery contradicts the underlying secure reversed dynamic accumulator. □
