ICICS2002, Singapore
A Group Signature Scheme Committing the Group
Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama
Dept. of Communication Network Engineering, Okayama University, Japan
What’s group signature?
A group signature shows that the signer is a member of a group: "He/she is a group member! But, who?"
The signer is traceable only by TTP
Applied to anonymous e-cash, auction ...
Our contribution
A group signature scheme with a new characteristic: committing the membership group
The universal group is divided into multiple groups (Group 1, …, Group T)
A signature shows: "He/she is a member in some group. But, which group?"
Group ID is traceable only by TTP
Outline of this presentation
1. Definition of group signature scheme committing the group
2. Underlying conventional group signature scheme
3. Proposed scheme
4. Security
5. Application
Definition of group signature scheme committing the group
Participants except signer and verifier
  Membership Manager (MM): has authority to decide whether an entity may join a group
  Revocation Manager (RM): has authority to trace identity and group ID from the signature
Important requirements
  Unforgeability of signature
  Anonymity, and secrecy of group ID
  Traceability of identity and group ID by RM
Underlying group signature scheme
Ateniese et al.’s scheme in Crypto2000 (ACJT scheme)
Why is our scheme based on this?
  Most efficient: efficient in signing/verification and even registration
  Provably secure: coalition resistance against an adaptive adversary (strong adversary reflecting the reality)
ACJT scheme: Overview
In advance, MM & RM set up keys and parameters
Registration (joining a group)
  [Figure labels: ID, PK, MM, SK]
  Membership certificate (Sig. for PK)
Signature
  [Figure labels: $\mathrm{Enc}_{RM}(\ )$, traceable by RM; Proof( ), zero-knowledge; anonymous; unforgeable]
ACJT scheme: Setup
MM and RM set up the following:
  $n = pq$: RSA modulus (only MM knows $p$ and $q$)
  $a, b, g, h$: public elements in $QR_n$ (set of quadratic residues in $Z_n^*$)
  $y = g^x$: public key (only RM knows $x$)
ACJT scheme: Registration
[Figure labels: ID, PK: $a^x$, MM, SK: $x$]
Membership certificate: $(A, e)$ s.t. $A = (a^x b)^{1/e} \pmod n$
This is an RSA signature that only MM can generate
ACJT scheme: Signature
Signature for message $m$ consists of
  $T = \mathrm{Enc}_{RM}(A)$: ElGamal ciphertext w.r.t. $y$
  $S = SPK[(x, A, e) \text{ s.t. } T = \mathrm{Enc}_{RM}(A) \wedge A = (a^x b)^{1/e}](m)$
SPK: signature converted from a zero-knowledge proof of knowledge (only one with the knowledge can make the SPK, without revealing information on the knowledge)
Our scheme: Basic idea
Registration (joining a group)
  [Figure labels: ID, PK, MM, SK]
  Membership certificate (Sig. for PK and Group ID)
Signature
  [Figure labels: $\mathrm{Enc}_{RM}(\ )$; Proof( ), zero-knowledge; $\mathrm{Enc}_{RM}(\text{Group ID})$]
Our scheme: Setup and Registration
Setup
  Another $c \in QR_n$
  Group IDs $E_1, \ldots, E_T$
Registration for group ID $E_t$
  [Figure labels: ID, PK: $a^x$, MM, SK: $x$]
  Membership certificate: $(A, e)$ s.t. $A = (a^x b c^{E_t})^{1/e} \pmod n$
  (This form is also provably unforgeable; explained later)
Our scheme: Signature and revocation
Signature for message $m$ consists of
  $T = \mathrm{Enc}_{RM}(A)$
  $T' = \mathrm{Enc}_{RM}(h^{E_t})$
  $S = SPK[(x, A, e, E_t) \text{ s.t. } T = \mathrm{Enc}_{RM}(A) \wedge T' = \mathrm{Enc}_{RM}(h^{E_t}) \wedge A = (a^x b c^{E_t})^{1/e}](m)$
Because $E_t$ is used in the exponent, an efficient SPK can be constructed from known SPKs for a secret exponent
Group ID can be identified by RM’s decrypting $T'$
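The certificate equation and the two ciphertexts T and T' above, worked through as an added example (not code from the paper or its authors). The parameters are constructed toy values far too small to be secure, a, b, c, g, h are fixed squares, the group IDs 3 and 5 are made up, and the SPK S is omitted, so only issuance, the certificate check and RM's opening are shown.

```python
import secrets

# Toy parameters: constructed for illustration, far too small to be secure.
P1, Q1 = 509, 593                    # p', q' (only MM knows the factorisation)
N = (2 * P1 + 1) * (2 * Q1 + 1)      # n = pq with p = 1019, q = 1187
ORDER = P1 * Q1                      # order of QR_n, known only to MM
A_, B_, C_, G_, H_ = (pow(v, 2, N) for v in (2, 3, 5, 7, 11))  # a, b, c, g, h
X_RM = 4242                          # RM's decryption key (assumed value)
Y = pow(G_, X_RM, N)                 # y = g^x
GROUP_IDS = {"E1": 3, "E2": 5}       # constructed group IDs E_t

def mm_issue(pk, e_t, e):
    """MM: A = (a^x * b * c^{E_t})^{1/e} mod n, where pk = a^x."""
    d = pow(e, -1, ORDER)            # e-th roots need the secret group order
    return pow(pk * B_ * pow(C_, e_t, N) % N, d, N)

def cert_ok(x, cert, e, e_t):
    """Member-side check: A^e == a^x * b * c^{E_t} (mod n)."""
    return pow(cert, e, N) == pow(A_, x, N) * B_ * pow(C_, e_t, N) % N

def enc_rm(m):
    """ElGamal ciphertext w.r.t. y: (g^r, m * y^r)."""
    r = secrets.randbelow(N // 4) + 1
    return pow(G_, r, N), m * pow(Y, r, N) % N

def dec_rm(ct):
    c1, c2 = ct
    return c2 * pow(pow(c1, X_RM, N), -1, N) % N

def sign_parts(cert, e_t):
    """T = Enc_RM(A) and T' = Enc_RM(h^{E_t}); the SPK S is not modelled."""
    return enc_rm(cert), enc_rm(pow(H_, e_t, N))

def rm_open(t, t_prime):
    """RM: recover A from T and look up the group ID from T'."""
    table = {pow(H_, v, N): name for name, v in GROUP_IDS.items()}
    return dec_rm(t), table.get(dec_rm(t_prime))
```

Because the group ID sits in the exponent of h, RM recovers it by comparing the decrypted value against h^{E_1}, …, h^{E_T}; without the SPK nothing here binds T' to the certificate.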
Security: Coalition resistance
Certificate $(A, e)$ is unforgeable even if valid members collude.
Formally, this means unforgeability against an adaptive adversary: after obtaining valid certificates from MM a constant number of times, this adversary forges a new certificate
This paper provides the security proof under the strong RSA assumption: for RSA modulus $n$ and $z \in QR_n$, it is infeasible to compute $(u, e > 1)$ s.t. $u^e = z$
Security: Others
Unforgeability of group signature ← unforgeability of cert. and SPK proving cert.
Anonymity, and secrecy of group ID ← zero-knowledge-ness of SPK and encryption
Application: Anonymous survey
Anonymous survey to generate statistics on users’ attributes
Background
  [Figure labels: User (Customer), anonymously; Commercial service provider; Man or Woman? Young or Old?; Marketing]
This system generates statistics on attributes secretly
Problem with the previous survey system
Previous survey system [Nakanishi&Sugiyama, ACISP01]
[Figure labels: User (Customer); Commercial service provider; Group Signature; TTP; Secure comp.; Statistics: Male 90%, Female 10%]
Vast computation depending on number of all registering users
So, inefficient
Efficient system using proposed scheme (1/2)
Setup
  Group IDs $E_1, \ldots, E_T$ are assigned to attribute values (e.g., $E_1$: Female, $E_2$: Male)
Registration (e.g., $E_1$: Female)
  [Figure labels: ID, PK, MM, SK]
  Membership certificate (Sig. for PK and $E_1$)
Efficient system using proposed scheme (2/2)
[Figure labels: User (Customer); Commercial service provider; Group Signature including $\mathrm{Enc}_{RM}(E_1)$; $\mathrm{Enc}_{RM}(E_1), \mathrm{Enc}_{RM}(E_2), \ldots, \mathrm{Enc}_{RM}(E_2)$; TTP; Known efficient shuffle protocol; $E_2, E_2, \ldots, E_1$ (shuffled); Male 90%, Female 10%]
The cost is independent of the number of registering users
So, more efficient
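The tallying step of this survey, as an added example (not code from the paper or its authors): the group-ID ciphertexts taken from the signatures are re-randomised and permuted, then decrypted and counted. It assumes a re-encryption shuffle run by a single TTP that also holds the decryption key, uses constructed toy parameters and group IDs, encrypts h^{E_t} as on the signature slide, and omits any proof that the shuffle was done correctly.

```python
import secrets
from collections import Counter

# Toy parameters, constructed for illustration; far too small to be secure.
N = 1019 * 1187                      # n = pq
G, H = pow(7, 2, N), pow(11, 2, N)   # g, h in QR_n
X_RM = 4242                          # decryption key held by the TTP here
Y = pow(G, X_RM, N)                  # y = g^x
ATTRS = {3: "Female", 5: "Male"}     # constructed group IDs: E1 = 3, E2 = 5

def enc_group_id(e_t):
    """Group-ID ciphertext Enc_RM(h^{E_t}) carried inside a group signature."""
    r = secrets.randbelow(N // 4) + 1
    return pow(G, r, N), pow(H, e_t, N) * pow(Y, r, N) % N

def reencrypt(ct):
    """Re-randomise an ElGamal ciphertext without changing its plaintext."""
    s = secrets.randbelow(N // 4) + 1
    return ct[0] * pow(G, s, N) % N, ct[1] * pow(Y, s, N) % N

def shuffle(cts):
    """Permute and re-randomise so outputs cannot be matched to signatures."""
    out = [reencrypt(ct) for ct in cts]
    secrets.SystemRandom().shuffle(out)
    return out

def tally(cts):
    """Decrypt the shuffled ciphertexts and count attribute values."""
    table = {pow(H, e_t, N): name for e_t, name in ATTRS.items()}
    counts = Counter()
    for c1, c2 in cts:
        m = c2 * pow(pow(c1, X_RM, N), -1, N) % N
        counts[table.get(m, "invalid")] += 1
    return dict(counts)
```

The work is one re-encryption and one decryption per submitted signature, which is why the cost does not depend on how many users registered.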
Conclusion
Group signature scheme committing the group is proposed
  Efficient and provably secure
  Useful for applications (e.g., Anonymous survey)
Further works
  Application to e-cash
  Improving anonymous survey