Research Article | Open Access
Keita Emura, Goichiro Hanaoka, Yutaka Kawai, Takahiro Matsuda, Kazuma Ohara, Kazumasa Omote, Yusuke Sakai, "Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions", Security and Communication Networks, vol. 2019, Article ID 4872403, 36 pages, 2019. https://doi.org/10.1155/2019/4872403
Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions
This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.
Group signatures  are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group. Signatures are verified with a single group public key, and the verification process does not reveal the identity of the signer. A designated authority, called the opener, identifies the actual signer in various exceptional cases. However, ordinary group signatures provide the opener with an extreme privilege; i.e., the opener can freely identify the originator of any signature that he chooses. In other words, ordinary group signature schemes provide absolutely no assurance of privacy against the opener. For example, in an anonymous auction the opener can extract all bidders’ identities, which will be explained later in more detail.
This paper investigates a way of “decentralizing” this strong authority of the opener. Towards this end, we propose a new kind of group signatures involving the message-dependent opening (MDO) property. It divides (or decentralizes) the strong authority of the opener by introducing another authority called the admitter. In exceptional cases that a signature on a problematic message is found, the admitter issues a token that corresponds to the message (as opposed to all signed messages). The opener extracts the signer’s identity from the signature using this token, whereas without it, he is not able to do so. For instance, in an anonymous bulletin board system using our group signature scheme, if the admitter decides that the message “Mr. XXX is a fool!” should not be publicized as a signed message by an anonymous group member, he issues a token for this message. Then, by using it, the opener can immediately identify the signer’s identity of any signature if it corresponds to this message.
At first glance, one may think that the popular thresholding technique (i.e., thresholding the opener into multiple less-trusted openers)  would already be sufficient to achieve the above property. However, this is not true. Namely, in our context, the token is generated on the message that the admitter chooses but not the signature for such messages. Therefore, once a token for a message (which is chosen by the admitter) is issued, the signers’ identities for all signatures on this message can immediately be extracted by the opener without him having to interact with any other party. Consequently, the opener can noninteractively identify the signer’s identity for a message that has already been specified as problematic. Furthermore if the admitter considers that there is no longer any need to specify further messages that should be opened, then he can erase his memory to avoid having his secret leaked. Note that even when the admitter has erased his secret, the opener can still open the signer’s identity of any signature provided that its corresponding message was previously specified by the admitter.
This paper proposes group signatures with a new additional capability, called group signatures with message-dependent opening (GS-MDO). We introduce an admitter in GS-MDO, as previously mentioned, that issues tokens for specific messages, and by using these tokens, the opener can extract signers’ identities from signatures only if their corresponding messages have been specified. We can flexibly restrict the capabilities of the opener utilizing this property without implementing any complicated interactive procedures (e.g., threshold decryption).
The main contributions of this paper are threefold. First, we provide a formal model and a security definition for GS-MDO. Our model and security definition are extensions of the Bellare-Micciancio-Warinschi (BMW) model , which is considered to be the basic security definition for group signatures in the static setting. More specifically, our security model is a natural modification of this model extended according to the difference between a standard group signature scheme and ours which introduces the MDO property. In addition, we demonstrate that it is possible to derive identity-based encryption (IBE) from any GS-MDO scheme in a black-box manner if the underlying GS-MDO is secure in the above sense.
Secondly, we present a generic construction of GS-MDO from a public key encryption (PKE) scheme, an IBE scheme, and an adaptive noninteractive zero-knowledge (NIZK) proof system. (Technically, we use a tag-based KEM (key encapsulation mechanism) and an identity-based KEM instead of a PKE scheme and an IBE scheme). Given the above result that GS-MDO implies IBE, it is expected to be quite hard to construct GS-MDO without using IBE or similar primitives as a building block. We note that simulation-soundness  is not required for NIZK in our generic construction, while the generic construction of the (ordinary) group signature  requires this strong property.
Finally, we propose two efficient instantiations of GS-MDO, one in the standard model and one in the random oracle model. Our scheme in the standard model uses the Groth-Sahai proof system  as an NIZK proof system in our generic construction. To utilize the Groth-Sahai proof system in our generic construction, we note that an IBE scheme that is compatible with the Groth-Sahai proof (such as structure-preserving signatures ) is necessary since our generic construction requires IBE. To be compatible with the Groth-Sahai proof system, an IBE scheme needs to be able to encrypt a base-group element and to have its ciphertext consist of only base-group elements. Although Libert and Joye  proposed an IBE scheme whose plaintext space is a base group, and the IBE scheme is compatible with the Groth-Sahai proof, the size of the group signature of the resulting GS-MDO scheme depends on the number of group members. In order to construct a GS-MDO scheme with constant-size signature, we also construct a new IBE scheme that has only -resilient security . Therefore, the resulting GS-MDO scheme inherits this restriction (i.e., the admitter can issue at most tokens). The size of a signature is approximately 10 kilobytes when a 170-bit prime-order group is used. (We adopt the estimates of bit sizes for group elements used in ). Our scheme in the random oracle model, on the other hand, is based on the Boneh-Boyen-Shacham (BBS) group signature  and uses the Boneh-Franklin (BF) IBE scheme  and a variant of the Cramer-Shoup encryption scheme [12, 13]. As we can use IBE (which is not -resilient) in the random oracle model, GS-MDO with an unbounded MDO property (i.e., the number of tokens issued by the admitter is unlimited) can thus be constructed. The idea behind this construction is based on our generic construction, but the instantiation is not straightforward since the PKE scheme and the IBE scheme cannot directly be combined. Hence, we modify the building blocks and the construction to combine them. To be more precise, we design a dedicated extension of the linear encryption scheme  with chosen-ciphertext security and public verifiability to enable our efficient construction. The size of the signature of the scheme is 3636 bits in 80-bit security, which is times smaller than that of our standard model scheme.
Note that our security notions and proposed schemes assume that the system setup is carried out honestly. This setup includes the generation of a common reference string, the opener’s and the admitter’s secret keys, and the group members’ signing keys. However, the goal of the current paper is to provide a feasibility study of the MDO property in group signatures. Namely, we study the possibility of constructing a GS-MDO scheme in a simple setting where several parameters and secret keys are generated honestly. We defer to future work a more comprehensive study on the possibility of constructing a scheme with a more complicated and realistic scenario such as that allowing maliciously generated parameters and on providing a hedge against this types of attack.
As previously mentioned, a straightforward application of GS-MDO schemes is in detecting the originators of inappropriate messages in anonymous bulletin board systems. We further discuss more potential applications of GS-MDO schemes in what follows.
The first application we discuss is anonymous auctions, where bidders form a group of anonymous signers. Each bidder produces a group signature on his bidding price. The admitter issues a token for opening signatures on the highest price to detect the winner(s). The opener is then only able to open the signatures on the highest price.
The main advantage (of the MDO approach) over the threshold approach becomes clear in this application. Suppose that there are many winners who all have bid the highest price resulting in a tie. As an interaction will be needed for each winner in the threshold approach, the total communication cost will be proportional to the number of winners. In contrast, if one takes the MDO approach, only a small communication bandwidth from the admitter to the opener is needed. The communication cost does not depend on the number of winners.
Another application in which the MDO property is useful is identity escrow. Although our primitive is a rather general purpose primitive for identity escrow scenarios, for the ease of understanding, let us discuss this with a concrete example. Consider a customer who enters an automated parking garage , where he generates a group signature on a message that encodes the date when he enters the car park (say, the string “2012-02-20”). Let us assume a felony has been committed (e.g., a person is murdered) in the garage. The opener in this case will open the signatures on the date when the murder occurred to identify who was there on that day.
The opener in this application needs to open many signatures on the same message. If one adopts the threshold technique to decentralize the authority, many interactions are required to open all the signatures. The MDO property removes interactions between authorities, i.e., the admitter issues a token for the day, and the opener opens all the signatures without interactions.
As an application of GS-MDO, Arai et al.  proposed a privacy-preserving anomaly detection framework. In their framework, the admitter plays the role of analyzing data, and the opener plays the role of detecting adversarial users. Briefly, a user generates a group signature on data, and sends it to the admitter. Then, the admitter can detect anomaly data without identifying users. For detecting adversarial users who generate anomaly data, the admitter generates tokens that correspond to the anomaly data, and sends them to the opener. This framework allows the admitter to detect adversarial users, while other honest users are kept anonymous.
1.3. Related Work
Since group signatures were first proposed by Chaum and van Heyst , many efficient constructions have been proposed, most of which depend on a random oracle [10, 16–23]. Many earlier schemes were based on the strong RSA assumption [24, 25]. Group signature schemes based on assumptions related to the discrete-logarithm type were achieved, to name a few, by Camenisch and Lysyanskaya  and by Boneh, Boyen, and Shacham . The former scheme is based on the LRSW assumption , while the latter is based on the -strong Diffie-Hellman (-SDH) assumption .
Group signature schemes without random oracles were also achieved. Ateniese et al.  first proposed a group signature scheme from interactive assumptions avoiding random oracles. Following this scheme, Groth proposed a group signature scheme that avoids random oracles and interactive assumptions , but his scheme has a very large signature size. Boyen and Waters [30, 31] proposed highly efficient constructions, although the security guarantees of their schemes are not very strong, i.e., they only achieve so-called CPA-anonymity. Groth  proposed another group signature scheme, which is almost as efficient as the Boyen-Waters schemes and satisfies higher security guarantee of the Bellare-Shi-Zhang (BSZ) model . Libert et al.  proposed a group signature scheme secure in the standard model from standard assumptions.
Regarding decentralizing and distributing the power of the group manager, the separability of a cryptographic protocol was introduced by Kilian and Petrank  in the context of identity escrow. Later, this notion was refined and adopted to the context of group signature by Camenisch and Michels . The separability notion requires that keys of several entities involved in a cryptographic primitive be generated independently of each other. In their setting, the power of a group manager is separated into two authorities. The first authority is able to allow a new member to join the group but is not able to identify the originator of a group signature, and the other authority is able to identify the originator of a group signature but is not able to allow a new member to join the group. More formal modeling of these separated authorities has been proposed by Bellare et al.  and Kiayias and Yung . Sakai et al.  further extended the BSZ model by considering signature hijacking attacks.
Libert et al. [38, 39] proposed scalable group signature schemes with revocation, and Attrapadung et al.  and Nakanishi et al.  also proposed revocable group signature schemes with a compact revocation list.
Traceable signatures are an extended notion of group signatures and were introduced by Kiayias, Tsiounis, and Yung . This primitive allows the group manager to specify a group member as “misbehaving”. Once a member is specified by the manager, anyone becomes able to detect the signatures of the specified user without interacting with the manager. In this case, signatures of other group members continue to be anonymous. In our terminology, this primitive achieves a somewhat “signer-dependent opening” property, but the MDO property is not achieved. A contractual anonymity system  based on group signatures with verifier-local revocation  has been proposed. In this system, when a user breaks a contract, an accountability server revokes the anonymity of the user and notifies the identity of the user to the service provider. (In this system, a user is said to break a contract when the user sends a message breaking the contract policy of the service provider). Since this scheme uses a conventional open algorithm, this system also differs from MDO.
As follow-up works to our results [45, 46], Libert and Joye  proposed an unbounded GS-MDO scheme in the standard model with logarithmic signature size. They proposed a partially structure-preserving IBE scheme and used it as a building block of GS-MDO. The signature of their scheme consists of group elements, where is the number of group members, whereas our GS-MDO schemes achieve constant-size signatures, though our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GS-MDO scheme secure in the standard model with constant-size signatures is an interesting open problem. Libert, Mouhartem, and Nguyen  proposed a lattice-based (unbounded) GS-MDO scheme in the random oracle model. Their scheme was proved secure from the short integer solution (SIS) assumption and the learning with errors (LWE) assumption. The signature size of this scheme is still logarithmic in the number of signers, whereas our two constructions have constant-size signatures.
Preliminary versions of this paper were presented at the 5th International Conference on Pairing-Based Cryptography (Pairing 2012)  and at the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) . This is the merged full version. In this version, we give security proofs omitted in the proceedings versions.
1.4. Paper Organization
The rest of this paper is structured as follows. Section 2 briefly describes definitions and security notions of several building blocks. Section 3 presents the notion of GS-MDO, its syntax and security definitions. Section 4 discusses difficulties behind constructing efficient GS-MDO schemes. Specifically, we argue the use of IBE in a construction of GS-MDO is essential by showing a generic construction of IBE from GS-MDO. In Section 5, we propose a generic construction of GS-MDO, and Sections 6 and 7 show reasonably efficient instantiations in the standard model and the random oracle model, respectively. In Section 8, we compare the efficiency of our GS-MDO schemes with previous group signatures. In Section 9, we conclude the paper and list open problems.
In this section, we describe the syntax of building blocks and some computational assumptions we use for constructing GS-MDO. Throughout the paper, we use the following notations: denotes that is uniformly and independently sampled from the set . For an algorithm , an input , and a randomness we denote to run with an input and a randomness and let be the output. When the randomness is implicit, we denote . For an integer , let .
A signature scheme consists of the following three algorithms:(i)SigKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a verification key and a signing key.(ii)Sign: this is the signing algorithm that takes as inputs a signing key and a message and outputs a signature on the message .(iii)Verify: this is the verification algorithm that takes as inputs a verification key , a message , and a signature and outputs or , which, respectively, indicate “accept” or “reject.”
For correctness, we require that for all , all pairs ← SigKg(), and all messages , it is satisfied that Verify(, Sign()) = .
A signature scheme is said to be existentially unforgeable under chosen-message attacks (EUF-CMA), if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary adaptively issues signing queries in an arbitrary order. For each signing query , the challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if is not queried as a signing query, and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
A signature scheme is said to be a strongly unforgeable one-time signature scheme, if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary issues a signing query only once. The challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
2.2. Tag-Based Key Encapsulation Mechanism
A tag-based key encapsulation mechanism (tag-based KEM) (Tag-based encryption, an encryption analogue of tag-based KEM, is originally introduced as “encryption with labels” by Shoup and Gennaro . Tag-based KEM is different from “tag-KEM”, introduced by Abe, Gennaro, Kurosawa, and Shoup . However, any chosen-ciphertext secure tag-KEM can be immediately converted to a tag-based KEM satisfying security that is sufficient for our purpose) [51, 52] scheme consists of the following three algorithms:(i)TKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a public key and a secret key.(ii)TEnc: this is the encapsulation algorithm that takes as inputs a public key and a tag and outputs where a ciphertext for a tag encapsulates a session key and is the session key space associated with the scheme.(iii)TDec: this is the deterministic decapsulation algorithm that takes as inputs a secret key , a tag , and a ciphertext and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all ()←TKg(), all tags , and all ()←TEnc(), it holds that TDec() = .
A tag-based KEM is said to be selective-tag weakly chosen-ciphertext secure if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the adversary is given a security parameter and outputs a challenge tag . The challenger runs ()←TKg(), then the challenger gives the adversary the public key .(ii)Query (Phase I): the adversary issues decryption queries in an arbitrary order. The challenger runs ← TDec( and returns to the adversary. Here the adversary is not allowed to issue queries with .(iii)Challenge: at some point the adversary requests a challenge. The challenger chooses a random bit , runs ()←TEnc(), chooses , and sends .(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue decryption queries. The same restriction for queries is applied as before.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
2.3. Identity-Based KEM and Its -Resilient Variant
An identity-based KEM  consists of the following four algorithms:(i)ISetup: this is the setup algorithm that takes as inputs a security parameter and a collusion threshold and outputs a pair of a public parameter and a master secret key.(ii)IExt: this is the key extraction algorithm that takes as inputs a master secret key and an identity and outputs a user decapsulation key .(iii)IEnc: this is the encapsulation algorithm that takes as inputs a public parameter and an identity and outputs where a ciphertext for an identity encapsulates a session key and is the session key space associated with the scheme.(iv)IDec: this is the deterministic decapsulation algorithm that takes as inputs , , and and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all , all ()←ISetup(), all identities , all ←IExt(), and all ()←IEnc(), it holds that IDec() = .
An identity-based KEM is said to be -resilient if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←ISetup(), then the challenger gives the adversary the public parameter .(ii)Query (Phase I): the adversary issues extraction queries in an arbitrary order. The challenger runs ← IExt() and returns to the adversary. The total number (the summation of those in Phase I and Phase II) of extraction queries during the game is restricted to be smaller than or equal to .(iii)Challenge: at some point the adversary requests a challenge with an identity . The challenger chooses a random bit , runs ()←IEnc(), chooses , and sends . The adversary is not allowed to request a challenge with an identity whose user decapsulation key is queried before.(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue extraction queries. This time querying a user decapsulation key for is disallowed.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
A fully secure IBE scheme is defined analogously with the difference that the setup algorithm does not take as an input and in the game the number of extraction queries is unbounded.
2.4. Adaptive Noninteractive Zero-Knowledge Proofs
A noninteractive proof system for a polynomial-time computable relation consists of the following three algorithms:(i): this is the common reference string generation algorithm that takes as an input a security parameter and outputs a common reference string .(ii): this is the proof algorithm that takes as inputs a common reference string , a statement , and a witness , where and outputs a proof .(iii): this is the verification algorithm that takes as inputs a common reference string , a statement , and a proof and outputs either or .
We say that a noninteractive proof system has perfect completeness, if for all , for all such that , for all , for all it holds that .
A noninteractive proof system is said to have adaptive perfect soundness, if for any probabilistic polynomial-time adversary the advantage in the following game is equal to zero:(i)Setup: the challenger runs and gives the adversary the common reference string .(ii)Forge: the adversary outputs a pair of a statement and a proof. The adversary wins if and for any .
The advantage of the adversary is defined by the probability that the adversary wins and is denoted by .
We say that a noninteractive proof system is adaptively zero-knowledge if there is a pair of algorithms such that for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger generates a bit . If the challenger runs . If the challenger runs . Then the challenger gives the adversary the common reference string .(ii)Query: the adversary is allowed to issue a query such that only once. If the challenger runs . If the challenger runs . The challenger gives the adversary .(iii)Guess: finally the adversary outputs a bit .
The advantage of the adversary is defined by and is denoted by .
2.5. Computational Assumptions
Let be a probabilistic polynomial-time algorithm that takes a security parameter as an input and generates a parameter of bilinear groups, where is a -bit prime, and are groups of order , is a bilinear map from to , and is a generator of . We then describe several computational assumptions on which the proposed schemes are based.
The -Strong Diffie-Hellman Assumption . Let and let , and for . The -strong Diffie-Hellman problem in is stated as follows: given , output where . The advantage of an algorithm in solving the -strong Diffie-Hellman problem is defined as We say that the -strong Diffie-Hellman (-SDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
For some fixed base and a fixed group element we say that a pair is an SDH pair if is equal to .
The Decision Linear Assumption . Let , , , , , , and . The decision linear problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision linear problem is defined as We say that the decision linear (DLIN) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
For some fixed bases , , , we say that a tuple is a linear tuple if there exist exponents , that satisfy .
The Decision Bilinear Diffie-Hellman Assumption . Let and , , , . The decision bilinear Diffie-Hellman problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision bilinear Diffie-Hellman problem is defined as We say that the decision bilinear Diffie-Hellman (DBDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
The Simultaneous Flexible Pairing Assumption . Let , , , , are generators of and , . For , let which satisfies and . The simultaneous flexible pairing problem is stated as follows: given and , output where and satisfying and for every . The advantage of an algorithm in solving the simultaneous flexible pairing problem is defined asWe say that the simultaneous flexible pairing (SFP) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
3. Group Signatures with Message-Dependent Opening
In this section we introduce the syntax and security definitions for GS-MDO. As an ordinary group signature scheme, a GS-MDO scheme allows group members to sign a message anonymously, that is, without revealing their identities but only showing that one of the group members actually signed. In exceptional cases, a designated third party, called the opener, can “open” exceptional signatures to identify the originator of the signatures. In contrast to ordinary group signature schemes, a GS-MDO scheme requires the opener to cooperate with another authority, called the admitter, to open signatures. The admitter issues a message-specific token, and the opener is able to open a signature on the message only when a token for the message is issued from the admitter.
In this section, we define the formal model and the security requirements of GS-MDO.
3.1. The Model of GS-MDO
Formally, a GS-MDO scheme consists of the following five probabilistic polynomial-time algorithms:(i)GKg: this is the key generation algorithm that takes as inputs a security parameter , the number of group members , and the maximum number of message-specific tokens that can be issued and outputs a group public key , an admitting key , an opening key , and group signing keys . We note that the input is omitted when the number of message-specific tokens that can be issued is unbounded.(ii)GSig: this is the signing algorithm that takes as inputs a group public key , a group signing key , and a message and outputs a group signature .(iii)Td: this is the message-specific token generation algorithm that takes as inputs a group public key , an admitting key , and a message and outputs a token for .(iv)GVf: this is the verification algorithm that takes as inputs a group public key , a message , and a group signature and outputs (that means accept) or (that means reject).(v)Open: this is the opening algorithm that takes as inputs a group public key , an opening key , a message , a group signature , and a message-specific token and outputs a user index or .
For correctness, we require that for all , , , for all ()←GKg(), for all messages and all user , it holds that GVf(, , GSig()) = and Open(, , , GSig(), Td()) = .
In the above scenario, the signing keys , the opening key , and the admitting key are generated by the GKg algorithm in the setup phase. Then, is given to the opener and is given to the admitter. A signer can make a group signature by using the GSig algorithm, and all entities can verify the group signature by the GVf algorithm and public key . This setting is the same as ordinary group signatures, except the group manager’s key is divided into and . In exceptional cases, the admitter issues a message-specific token by using the Td algorithm. Moreover, the opener can identify the signer of a group signature by using the Open algorithm only when the opener received from the admitter.
3.2. Security Requirements
We introduce the security notion for GS-MDO. In contract to ordinary group signatures, we need to take care of the MDO property.
Ordinary group signatures are required to ensure two security notions, anonymity and traceability, whereas we have to further ensure two types of anonymity in the case of GS-MDO that are related to the original motivation for the introduction of the admitter. The introduction of the admitter is intended to strengthen signers’ anonymity against the authorities as much as possible. To capture this intention, we define the indistinguishability of the originator of a signature in the strong setting where the opening key is given to the adversary (opener anonymity). As a counterpart of this, we also define indistinguishability in the setting where the admitting key is given to the adversary (admitter anonymity). Note that we do not consider the situation in which the adversary obtains both the opening key and the admitting key because in this situation the adversary can open any signature by itself.
For traceability, we use the same definition as for the ordinary group signatures, in which the authorities are entirely corrupted by the adversary, since even ordinary group signature schemes ensure this level of traceability against entirely corrupted openers.
3.2.1. Opener Anonymity
Here we give the formal definition of anonymity against the opener, which we call opener anonymity. It is formalized as the indistinguishability of signatures of two different signers of the adversary’s choice. Opener anonymity is defined by requiring that no adversary has nonnegligible advantage in distinguishing signatures. We again remark that contrary to ordinary group signatures, the adversary is allowed to have the opening key. This is intended for modeling “anonymity against the opener.”
Definition 1. A GS-MDO scheme is said to have opener anonymity if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Token Query (Phase I): adaptively issues token queries in an arbitrary order. The challenger runs ←Td() and returns to .(iii)Challenge: at some point requests a challenge for , , and a message . The challenger chooses a random bit , runs ← GSig(), and sends to . is not allowed to request a challenge with a message whose token is previously queried.(iv)Token Query (Phase II): after receiving the challenge is again allowed to issue token queries. This time querying a token for is disallowed.(v)Guess: finally outputs a bit . wins the game if . wins the game if .
The advantage of is defined by and is denoted by . We also say that a GS-MDO scheme has opener anonymity with -bounded tokens if any probabilistic polynomial-time adversary which issues at most token queries in total has negligible advantage.
3.2.2. Admitter Anonymity
We next give the definition of anonymity against the admitter, which we call admitter anonymity. It is formalized in a similar manner to opener anonymity. That is, admitter anonymity requires signatures of two different signers to be indistinguishable even when the adversary is given the admitting key. We emphasize that our definition of opener anonymity is categorized as so-called CCA-anonymity. This means that the adversary in the security game is allowed to access the opening oracle. The formal definition is as follows:
Definition 2. A GS-MDO scheme is said to have admitter anonymity if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Open Query (Phase I): adaptively issues open queries in an arbitrary order. The challenger finds a recorded which is a token for , and if not found, runs ←Td(), and stores . The challenger runs ←GSig() and returns to .(iii)Challenge: at some point requests a challenge for , and a message . The challenger chooses a random bit , runs ←GSig() and sends to .(iv)Open Query (Phase II): after receiving the challenge is again allowed to issue open queries. This time querying an opening of is disallowed.(v)Guess: finally outputs a bit . wins the game if .
The advantage of is defined by and is denoted by .
Notice that the number of opening queries the adversary issues is unbounded (but of course polynomially many).
The last notion is traceability, which requires that even if the opener and the admitter collude and they further adaptively corrupt some group members, the corrupted parties can produce neither forged signatures nor untraceable signatures. We stress that in contrast to the case of the anonymity notions, this case considers the collusion of two authorities.
Definition 3. A GS-MDO scheme is said to have traceability if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i) Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii) Query: adaptively issues the following two types of queries:(1) issues a key revealing query . The challenger returns to .(2) issues a signing query . The challenger runs ←GSig() and returns .(iii) Forge: finally outputs a forgery . wins if GVf() = and one of the following two conditions holds:(a) Open(, Td()) = , or(b)all the following conditions hold, Open(, Td()) = , and neither a key revealing query for the user nor a signing query for is submitted.
The advantage of is defined by and denoted by .
4. Difficulty in Designing Efficient Constructions
In this section we discuss several difficulties in designing efficient GS-MDO schemes. We first observe the relationships between GS-MDO and other cryptographic primitives, and then we discuss the difficulty that lies in designing efficient constructions.
Regarding the relationship with other primitives, we show that the existence of a GS-MDO scheme implies that of an IBE scheme. In other words, we will present a black-box construction of IBE from any GS-MDO scheme. The same holds for the -resilient versions.
This fact means that constructing a GS-MDO scheme is harder than IBE. Moreover, IBE is well known as a strong primitive. For example, there is no black-box construction of IBE from a trapdoor permutation or chosen-ciphertext secure PKE . Therefore, GS-MDO is also strong and difficult to construct.
We note that Box 1 only shows a construction of an identity-based key encapsulation mechanism rather than identity-based encryption. However, it suffices since we can obtain a secure encryption scheme by combining the construction with an appropriate data encapsulation mechanism.
The formal theorems are as follows:
Theorem 4. If the underlying GS-MDO scheme satisfies opener anonymity, the identity-based KEM in Box 1 is fully secure.
Theorem 5. If the underlying GS-MDO scheme satisfies opener anonymity with -bounded tokens, the identity-based KEM in Box 1 is -resilient.
The intuition behind the construction in Box 1 is as follows. In the IEnc algorithm, each is a group signature of either or . Therefore, by the opener anonymity of the GS-MDO scheme, the entity who does not have (corresponding to the admitter’s key) cannot identify which signing key is used to make . The receiver can get (corresponding to the message-dependent token), and only the receiver can open the group signature and get by using the . Formal proofs can be given by a straightforward modification of the proof by Abdalla and Warinschi  or the similar technique to that used by Ohtake, Fujii, Hanaoka, and Ogawa , hence we omit detailed proofs.
From Theorems 4 and 5, we make the following observation about the difficulty in constructing GS-MDO.(i)Inevitability of using IBE: these theorems suggest that using IBE is essential for constructing a GS-MDO scheme. Considering the fact that a black-box construction of IBE from a trapdoor permutation is impossible , we can conclude that it is almost unavoidable for a GS-MDO scheme to rely on an IBE scheme or its equivalence, not only on a trapdoor permutation and an NIZK proof system. Otherwise one could construct an IBE scheme from surprisingly weaker primitives.(ii)Difficulty in constructing efficient GS-MDO in the standard model: another important aspect of establishing an efficient GS-MDO scheme in the standard model is the necessity of realizing a “Groth-Sahai compatible” IBE scheme. This is because the only known construction of NIZK proof systems with reasonable efficiency in the standard model is limited to the Groth-Sahai proof system. Also note that an NIZK proof system has been an important building block for almost all group signature schemes ever.
We show a generic construction of GS-MDO using a NIZK proof system and IBE in Section 5. However, currently no known IBE scheme is Groth-Sahai compatible in the sense that the Groth-Sahai proof system cannot prove a kind of the well-formedness of an IBE ciphertext in zero-knowledge. (Libert and Joye  proposed an IBE scheme where we are able to prove the well-formedness of a ciphertext using the Groth-Sahai proof system. However, at the time of the publication of the conference version, there were no known IBE scheme with this property). This is because an IBE scheme in a bilinear group is typically able to encrypt a target-group element. In addition, the ciphertext of such a scheme includes a target-group element. Unfortunately, the Groth-Sahai proof system is not always able to prove a statement involving target-group elements in zero-knowledge.
Here we provide two methods of overcoming this gap. The first one is to adopt -resilient IBE instead of fully secure IBE. In particular, we design a -resilient IBE scheme from the DLIN assumption by modifying the Heng-Kurosawa scheme  for this purpose. (We also note that a similar construction can be obtained from the key-insulated encryption scheme proposed by Dodis, Katz, Xu, and Yung ). The construction of GS-MDO using -resilient IBE is shown in Section 6.
The second method is to apply random oracles. We construct a GS-MDO scheme based on the BBS group signature scheme , which is one of the most efficient group signature schemes in the random oracle model. The opening procedure is implemented by the linear encryption scheme [10, 13], and a user’s certificate is implemented by the Boneh-Boyen short signature scheme . The MDO property is realized by adopting the BF IBE scheme . In order to combine the short group signature scheme and the BF IBE scheme, we replace the linear encryption scheme with a certain type of -out-of- multiple encryption. This construction is shown in Section 7.
5. Generic Construction
In this section, we give a generic construction of a GS-MDO scheme. The construction is built on an EUF-CMA secure signature scheme, a strongly unforgeable one-time signature scheme, a selective-tag weakly chosen-ciphertext secure tag-based KEM, a -resilient identity-based KEM, and an adaptive NIZK proof system.
At a first glance, there are various building blocks. However, our generic construction only relies on the existence of an IBE scheme and that of an NIZK proof system. Indeed, signature schemes and a chosen-ciphertext secure tag-based encryption scheme can be constructed from a fully secure IBE scheme.
5.1. Underlying Ideas
The proposed construction shares an underlying idea with the generic construction of Bellare, Micciancio, and Warinschi (the BMW construction)  except that we do not need “simulation-soundness” for the underlying NIZK proof system. Instead of this strong security requirement, we combine (ordinary) NIZK proofs with a strongly unforgeable one-time signature scheme. We remark that essentially the same techniques have been used in a variety of contexts. To name a few, Groth  used this technique for an efficient group signature scheme in a very similar manner. Camenisch, Chandran, and Shoup  used it to construct simulation-sound NIZK proofs, improving the result of Groth .
In this section, we present our generic construction of GS-MDO. Our construction uses an identity-based KEM (ISetup, IExt, IEnc, IDec), tag-based KEM (TKg, TEnc, TDec), an EUF-CMA secure signature scheme (SigKg, Sign, Verify), a one-time signature scheme (, , ), and an NIZK proof system . In addition, we require that the session key spaces and be the same set, and be associated with a group operation .
In our construction, a group member has a key pair of the signature scheme, in which is authorized by another verification key at the setup time. When a member generates a group signature, the member simply signs a message by . To be anonymous, the member further encrypts the signature together with the certificate (of the member), which authorizes the verification key , and attaches a noninteractive proof that demonstrates that a signature of an authorized member has been encrypted. To encrypt a signature, the member uses a multiple encryption technique to ensure that neither the opener nor the admitter can reveal the identity as long as the admitter has not issued a token to the opener. We need two requirements on the session key spaces of the tag-based KEM and the (-resilient) IBE scheme. We require that be equal to as a set, and that they form a finite group with group operation . These requirements are needed because we use a one-time pad to encrypt a signature of the group member. This group operation also needs to fall into the class of relations that can be represented by the used noninteractive proof system.
Let us explain the noninteractive proof that appears in the construction. The signature of the proposed scheme is of the form , and, as mentioned above, the proof demonstrates that a valid signature of an authorized group member has been encrypted into in a kind of a “multiple encryption” manner. More specifically, the proof proves that there exist a randomness (for tag-based KEM), another randomness (for identity-based KEM), a user index , and the verification key , a certificate , and a signature on a message , such that
Finally, two encoding functions are needed to complete the description of the generic construction. The first is used to encode the user index of a group member and his verification key into the message space of the signature scheme when generating certificates of group members. The second one is used to encode into , where is the user index of a group member and , , and are his verification key, certificate, and signature, respectively. It is used when issuing a group signature, especially when encrypting his signature in order to hide his identity.
The complete description of the scheme is shown in Box 2.