Abstract
This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.
1. Introduction
Group signatures [1] are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group. Signatures are verified with a single group public key, and the verification process does not reveal the identity of the signer. A designated authority, called the opener, identifies the actual signer in various exceptional cases. However, ordinary group signatures provide the opener with an extreme privilege; i.e., the opener can freely identify the originator of any signature that he chooses. In other words, ordinary group signature schemes provide absolutely no assurance of privacy against the opener. For example, in an anonymous auction the opener can extract all bidders’ identities, which will be explained later in more detail.
This paper investigates a way of “decentralizing” this strong authority of the opener. Towards this end, we propose a new kind of group signatures involving the message-dependent opening (MDO) property. It divides (or decentralizes) the strong authority of the opener by introducing another authority called the admitter. In exceptional cases that a signature on a problematic message is found, the admitter issues a token that corresponds to the message (as opposed to all signed messages). The opener extracts the signer’s identity from the signature using this token, whereas without it, he is not able to do so. For instance, in an anonymous bulletin board system using our group signature scheme, if the admitter decides that the message “Mr. XXX is a fool!” should not be publicized as a signed message by an anonymous group member, he issues a token for this message. Then, by using it, the opener can immediately identify the signer’s identity of any signature if it corresponds to this message.
At first glance, one may think that the popular thresholding technique (i.e., thresholding the opener into multiple less-trusted openers) [2] would already be sufficient to achieve the above property. However, this is not true. Namely, in our context, the token is generated on the message that the admitter chooses but not the signature for such messages. Therefore, once a token for a message (which is chosen by the admitter) is issued, the signers’ identities for all signatures on this message can immediately be extracted by the opener without him having to interact with any other party. Consequently, the opener can noninteractively identify the signer’s identity for a message that has already been specified as problematic. Furthermore if the admitter considers that there is no longer any need to specify further messages that should be opened, then he can erase his memory to avoid having his secret leaked. Note that even when the admitter has erased his secret, the opener can still open the signer’s identity of any signature provided that its corresponding message was previously specified by the admitter.
1.1. Contributions
This paper proposes group signatures with a new additional capability, called group signatures with message-dependent opening (GS-MDO). We introduce an admitter in GS-MDO, as previously mentioned, that issues tokens for specific messages, and by using these tokens, the opener can extract signers’ identities from signatures only if their corresponding messages have been specified. We can flexibly restrict the capabilities of the opener utilizing this property without implementing any complicated interactive procedures (e.g., threshold decryption).
The main contributions of this paper are threefold. First, we provide a formal model and a security definition for GS-MDO. Our model and security definition are extensions of the Bellare-Micciancio-Warinschi (BMW) model [3], which is considered to be the basic security definition for group signatures in the static setting. More specifically, our security model is a natural modification of this model extended according to the difference between a standard group signature scheme and ours which introduces the MDO property. In addition, we demonstrate that it is possible to derive identity-based encryption (IBE) from any GS-MDO scheme in a black-box manner if the underlying GS-MDO is secure in the above sense.
Secondly, we present a generic construction of GS-MDO from a public key encryption (PKE) scheme, an IBE scheme, and an adaptive noninteractive zero-knowledge (NIZK) proof system. (Technically, we use a tag-based KEM (key encapsulation mechanism) and an identity-based KEM instead of a PKE scheme and an IBE scheme). Given the above result that GS-MDO implies IBE, it is expected to be quite hard to construct GS-MDO without using IBE or similar primitives as a building block. We note that simulation-soundness [4] is not required for NIZK in our generic construction, while the generic construction of the (ordinary) group signature [3] requires this strong property.
Finally, we propose two efficient instantiations of GS-MDO, one in the standard model and one in the random oracle model. Our scheme in the standard model uses the Groth-Sahai proof system [5] as an NIZK proof system in our generic construction. To utilize the Groth-Sahai proof system in our generic construction, we note that an IBE scheme that is compatible with the Groth-Sahai proof (such as structure-preserving signatures [6]) is necessary since our generic construction requires IBE. To be compatible with the Groth-Sahai proof system, an IBE scheme needs to be able to encrypt a base-group element and to have its ciphertext consist of only base-group elements. Although Libert and Joye [7] proposed an IBE scheme whose plaintext space is a base group, and the IBE scheme is compatible with the Groth-Sahai proof, the size of the group signature of the resulting GS-MDO scheme depends on the number of group members. In order to construct a GS-MDO scheme with constant-size signature, we also construct a new IBE scheme that has only -resilient security [8]. Therefore, the resulting GS-MDO scheme inherits this restriction (i.e., the admitter can issue at most tokens). The size of a signature is approximately 10 kilobytes when a 170-bit prime-order group is used. (We adopt the estimates of bit sizes for group elements used in [9]). Our scheme in the random oracle model, on the other hand, is based on the Boneh-Boyen-Shacham (BBS) group signature [10] and uses the Boneh-Franklin (BF) IBE scheme [11] and a variant of the Cramer-Shoup encryption scheme [12, 13]. As we can use IBE (which is not -resilient) in the random oracle model, GS-MDO with an unbounded MDO property (i.e., the number of tokens issued by the admitter is unlimited) can thus be constructed. The idea behind this construction is based on our generic construction, but the instantiation is not straightforward since the PKE scheme and the IBE scheme cannot directly be combined. Hence, we modify the building blocks and the construction to combine them. To be more precise, we design a dedicated extension of the linear encryption scheme [10] with chosen-ciphertext security and public verifiability to enable our efficient construction. The size of the signature of the scheme is 3636 bits in 80-bit security, which is times smaller than that of our standard model scheme.
Note that our security notions and proposed schemes assume that the system setup is carried out honestly. This setup includes the generation of a common reference string, the opener’s and the admitter’s secret keys, and the group members’ signing keys. However, the goal of the current paper is to provide a feasibility study of the MDO property in group signatures. Namely, we study the possibility of constructing a GS-MDO scheme in a simple setting where several parameters and secret keys are generated honestly. We defer to future work a more comprehensive study on the possibility of constructing a scheme with a more complicated and realistic scenario such as that allowing maliciously generated parameters and on providing a hedge against this types of attack.
1.2. Applications
As previously mentioned, a straightforward application of GS-MDO schemes is in detecting the originators of inappropriate messages in anonymous bulletin board systems. We further discuss more potential applications of GS-MDO schemes in what follows.
The first application we discuss is anonymous auctions, where bidders form a group of anonymous signers. Each bidder produces a group signature on his bidding price. The admitter issues a token for opening signatures on the highest price to detect the winner(s). The opener is then only able to open the signatures on the highest price.
The main advantage (of the MDO approach) over the threshold approach becomes clear in this application. Suppose that there are many winners who all have bid the highest price resulting in a tie. As an interaction will be needed for each winner in the threshold approach, the total communication cost will be proportional to the number of winners. In contrast, if one takes the MDO approach, only a small communication bandwidth from the admitter to the opener is needed. The communication cost does not depend on the number of winners.
Another application in which the MDO property is useful is identity escrow. Although our primitive is a rather general purpose primitive for identity escrow scenarios, for the ease of understanding, let us discuss this with a concrete example. Consider a customer who enters an automated parking garage [14], where he generates a group signature on a message that encodes the date when he enters the car park (say, the string “2012-02-20”). Let us assume a felony has been committed (e.g., a person is murdered) in the garage. The opener in this case will open the signatures on the date when the murder occurred to identify who was there on that day.
The opener in this application needs to open many signatures on the same message. If one adopts the threshold technique to decentralize the authority, many interactions are required to open all the signatures. The MDO property removes interactions between authorities, i.e., the admitter issues a token for the day, and the opener opens all the signatures without interactions.
As an application of GS-MDO, Arai et al. [15] proposed a privacy-preserving anomaly detection framework. In their framework, the admitter plays the role of analyzing data, and the opener plays the role of detecting adversarial users. Briefly, a user generates a group signature on data, and sends it to the admitter. Then, the admitter can detect anomaly data without identifying users. For detecting adversarial users who generate anomaly data, the admitter generates tokens that correspond to the anomaly data, and sends them to the opener. This framework allows the admitter to detect adversarial users, while other honest users are kept anonymous.
1.3. Related Work
Since group signatures were first proposed by Chaum and van Heyst [1], many efficient constructions have been proposed, most of which depend on a random oracle [10, 16–23]. Many earlier schemes were based on the strong RSA assumption [24, 25]. Group signature schemes based on assumptions related to the discrete-logarithm type were achieved, to name a few, by Camenisch and Lysyanskaya [17] and by Boneh, Boyen, and Shacham [10]. The former scheme is based on the LRSW assumption [26], while the latter is based on the -strong Diffie-Hellman (-SDH) assumption [27].
Group signature schemes without random oracles were also achieved. Ateniese et al. [28] first proposed a group signature scheme from interactive assumptions avoiding random oracles. Following this scheme, Groth proposed a group signature scheme that avoids random oracles and interactive assumptions [29], but his scheme has a very large signature size. Boyen and Waters [30, 31] proposed highly efficient constructions, although the security guarantees of their schemes are not very strong, i.e., they only achieve so-called CPA-anonymity. Groth [32] proposed another group signature scheme, which is almost as efficient as the Boyen-Waters schemes and satisfies higher security guarantee of the Bellare-Shi-Zhang (BSZ) model [33]. Libert et al. [34] proposed a group signature scheme secure in the standard model from standard assumptions.
Regarding decentralizing and distributing the power of the group manager, the separability of a cryptographic protocol was introduced by Kilian and Petrank [14] in the context of identity escrow. Later, this notion was refined and adopted to the context of group signature by Camenisch and Michels [35]. The separability notion requires that keys of several entities involved in a cryptographic primitive be generated independently of each other. In their setting, the power of a group manager is separated into two authorities. The first authority is able to allow a new member to join the group but is not able to identify the originator of a group signature, and the other authority is able to identify the originator of a group signature but is not able to allow a new member to join the group. More formal modeling of these separated authorities has been proposed by Bellare et al. [33] and Kiayias and Yung [36]. Sakai et al. [37] further extended the BSZ model by considering signature hijacking attacks.
Libert et al. [38, 39] proposed scalable group signature schemes with revocation, and Attrapadung et al. [40] and Nakanishi et al. [41] also proposed revocable group signature schemes with a compact revocation list.
Traceable signatures are an extended notion of group signatures and were introduced by Kiayias, Tsiounis, and Yung [42]. This primitive allows the group manager to specify a group member as “misbehaving”. Once a member is specified by the manager, anyone becomes able to detect the signatures of the specified user without interacting with the manager. In this case, signatures of other group members continue to be anonymous. In our terminology, this primitive achieves a somewhat “signer-dependent opening” property, but the MDO property is not achieved. A contractual anonymity system [43] based on group signatures with verifier-local revocation [44] has been proposed. In this system, when a user breaks a contract, an accountability server revokes the anonymity of the user and notifies the identity of the user to the service provider. (In this system, a user is said to break a contract when the user sends a message breaking the contract policy of the service provider). Since this scheme uses a conventional open algorithm, this system also differs from MDO.
As follow-up works to our results [45, 46], Libert and Joye [7] proposed an unbounded GS-MDO scheme in the standard model with logarithmic signature size. They proposed a partially structure-preserving IBE scheme and used it as a building block of GS-MDO. The signature of their scheme consists of group elements, where is the number of group members, whereas our GS-MDO schemes achieve constant-size signatures, though our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GS-MDO scheme secure in the standard model with constant-size signatures is an interesting open problem. Libert, Mouhartem, and Nguyen [47] proposed a lattice-based (unbounded) GS-MDO scheme in the random oracle model. Their scheme was proved secure from the short integer solution (SIS) assumption and the learning with errors (LWE) assumption. The signature size of this scheme is still logarithmic in the number of signers, whereas our two constructions have constant-size signatures.
Preliminary versions of this paper were presented at the 5th International Conference on Pairing-Based Cryptography (Pairing 2012) [45] and at the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) [46]. This is the merged full version. In this version, we give security proofs omitted in the proceedings versions.
1.4. Paper Organization
The rest of this paper is structured as follows. Section 2 briefly describes definitions and security notions of several building blocks. Section 3 presents the notion of GS-MDO, its syntax and security definitions. Section 4 discusses difficulties behind constructing efficient GS-MDO schemes. Specifically, we argue the use of IBE in a construction of GS-MDO is essential by showing a generic construction of IBE from GS-MDO. In Section 5, we propose a generic construction of GS-MDO, and Sections 6 and 7 show reasonably efficient instantiations in the standard model and the random oracle model, respectively. In Section 8, we compare the efficiency of our GS-MDO schemes with previous group signatures. In Section 9, we conclude the paper and list open problems.
2. Preliminaries
In this section, we describe the syntax of building blocks and some computational assumptions we use for constructing GS-MDO. Throughout the paper, we use the following notations: denotes that is uniformly and independently sampled from the set . For an algorithm , an input , and a randomness we denote to run with an input and a randomness and let be the output. When the randomness is implicit, we denote . For an integer , let .
2.1. Signatures
A signature scheme consists of the following three algorithms:(i)SigKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a verification key and a signing key.(ii)Sign: this is the signing algorithm that takes as inputs a signing key and a message and outputs a signature on the message .(iii)Verify: this is the verification algorithm that takes as inputs a verification key , a message , and a signature and outputs or , which, respectively, indicate “accept” or “reject.”
For correctness, we require that for all , all pairs ← SigKg(), and all messages , it is satisfied that Verify(, Sign()) = .
A signature scheme is said to be existentially unforgeable under chosen-message attacks (EUF-CMA), if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary adaptively issues signing queries in an arbitrary order. For each signing query , the challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if is not queried as a signing query, and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
A signature scheme is said to be a strongly unforgeable one-time signature scheme, if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary issues a signing query only once. The challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
2.2. Tag-Based Key Encapsulation Mechanism
A tag-based key encapsulation mechanism (tag-based KEM) (Tag-based encryption, an encryption analogue of tag-based KEM, is originally introduced as “encryption with labels” by Shoup and Gennaro [49]. Tag-based KEM is different from “tag-KEM”, introduced by Abe, Gennaro, Kurosawa, and Shoup [50]. However, any chosen-ciphertext secure tag-KEM can be immediately converted to a tag-based KEM satisfying security that is sufficient for our purpose) [51, 52] scheme consists of the following three algorithms:(i)TKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a public key and a secret key.(ii)TEnc: this is the encapsulation algorithm that takes as inputs a public key and a tag and outputs where a ciphertext for a tag encapsulates a session key and is the session key space associated with the scheme.(iii)TDec: this is the deterministic decapsulation algorithm that takes as inputs a secret key , a tag , and a ciphertext and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all ()←TKg(), all tags , and all ()←TEnc(), it holds that TDec() = .
A tag-based KEM is said to be selective-tag weakly chosen-ciphertext secure if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the adversary is given a security parameter and outputs a challenge tag . The challenger runs ()←TKg(), then the challenger gives the adversary the public key .(ii)Query (Phase I): the adversary issues decryption queries in an arbitrary order. The challenger runs ← TDec( and returns to the adversary. Here the adversary is not allowed to issue queries with .(iii)Challenge: at some point the adversary requests a challenge. The challenger chooses a random bit , runs ()←TEnc(), chooses , and sends .(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue decryption queries. The same restriction for queries is applied as before.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
2.3. Identity-Based KEM and Its -Resilient Variant
An identity-based KEM [8] consists of the following four algorithms:(i)ISetup: this is the setup algorithm that takes as inputs a security parameter and a collusion threshold and outputs a pair of a public parameter and a master secret key.(ii)IExt: this is the key extraction algorithm that takes as inputs a master secret key and an identity and outputs a user decapsulation key .(iii)IEnc: this is the encapsulation algorithm that takes as inputs a public parameter and an identity and outputs where a ciphertext for an identity encapsulates a session key and is the session key space associated with the scheme.(iv)IDec: this is the deterministic decapsulation algorithm that takes as inputs , , and and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all , all ()←ISetup(), all identities , all ←IExt(), and all ()←IEnc(), it holds that IDec() = .
An identity-based KEM is said to be -resilient if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←ISetup(), then the challenger gives the adversary the public parameter .(ii)Query (Phase I): the adversary issues extraction queries in an arbitrary order. The challenger runs ← IExt() and returns to the adversary. The total number (the summation of those in Phase I and Phase II) of extraction queries during the game is restricted to be smaller than or equal to .(iii)Challenge: at some point the adversary requests a challenge with an identity . The challenger chooses a random bit , runs ()←IEnc(), chooses , and sends . The adversary is not allowed to request a challenge with an identity whose user decapsulation key is queried before.(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue extraction queries. This time querying a user decapsulation key for is disallowed.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
A fully secure IBE scheme is defined analogously with the difference that the setup algorithm does not take as an input and in the game the number of extraction queries is unbounded.
2.4. Adaptive Noninteractive Zero-Knowledge Proofs
A noninteractive proof system for a polynomial-time computable relation consists of the following three algorithms:(i): this is the common reference string generation algorithm that takes as an input a security parameter and outputs a common reference string .(ii): this is the proof algorithm that takes as inputs a common reference string , a statement , and a witness , where and outputs a proof .(iii): this is the verification algorithm that takes as inputs a common reference string , a statement , and a proof and outputs either or .
We say that a noninteractive proof system has perfect completeness, if for all , for all such that , for all , for all it holds that .
A noninteractive proof system is said to have adaptive perfect soundness, if for any probabilistic polynomial-time adversary the advantage in the following game is equal to zero:(i)Setup: the challenger runs and gives the adversary the common reference string .(ii)Forge: the adversary outputs a pair of a statement and a proof. The adversary wins if and for any .
The advantage of the adversary is defined by the probability that the adversary wins and is denoted by .
We say that a noninteractive proof system is adaptively zero-knowledge if there is a pair of algorithms such that for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)Setup: the challenger generates a bit . If the challenger runs . If the challenger runs . Then the challenger gives the adversary the common reference string .(ii)Query: the adversary is allowed to issue a query such that only once. If the challenger runs . If the challenger runs . The challenger gives the adversary .(iii)Guess: finally the adversary outputs a bit .
The advantage of the adversary is defined by and is denoted by .
2.5. Computational Assumptions
Let be a probabilistic polynomial-time algorithm that takes a security parameter as an input and generates a parameter of bilinear groups, where is a -bit prime, and are groups of order , is a bilinear map from to , and is a generator of . We then describe several computational assumptions on which the proposed schemes are based.
The -Strong Diffie-Hellman Assumption [27]. Let and let , and for . The -strong Diffie-Hellman problem in is stated as follows: given , output where . The advantage of an algorithm in solving the -strong Diffie-Hellman problem is defined as We say that the -strong Diffie-Hellman (-SDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
For some fixed base and a fixed group element we say that a pair is an SDH pair if is equal to .
The Decision Linear Assumption [10]. Let , , , , , , and . The decision linear problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision linear problem is defined as We say that the decision linear (DLIN) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
For some fixed bases , , , we say that a tuple is a linear tuple if there exist exponents , that satisfy .
The Decision Bilinear Diffie-Hellman Assumption [53]. Let and , , , . The decision bilinear Diffie-Hellman problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision bilinear Diffie-Hellman problem is defined as We say that the decision bilinear Diffie-Hellman (DBDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
The Simultaneous Flexible Pairing Assumption [54]. Let , , , , are generators of and , . For , let which satisfies and . The simultaneous flexible pairing problem is stated as follows: given and , output where and satisfying and for every . The advantage of an algorithm in solving the simultaneous flexible pairing problem is defined asWe say that the simultaneous flexible pairing (SFP) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .
3. Group Signatures with Message-Dependent Opening
In this section we introduce the syntax and security definitions for GS-MDO. As an ordinary group signature scheme, a GS-MDO scheme allows group members to sign a message anonymously, that is, without revealing their identities but only showing that one of the group members actually signed. In exceptional cases, a designated third party, called the opener, can “open” exceptional signatures to identify the originator of the signatures. In contrast to ordinary group signature schemes, a GS-MDO scheme requires the opener to cooperate with another authority, called the admitter, to open signatures. The admitter issues a message-specific token, and the opener is able to open a signature on the message only when a token for the message is issued from the admitter.
In this section, we define the formal model and the security requirements of GS-MDO.
3.1. The Model of GS-MDO
Formally, a GS-MDO scheme consists of the following five probabilistic polynomial-time algorithms:(i)GKg: this is the key generation algorithm that takes as inputs a security parameter , the number of group members , and the maximum number of message-specific tokens that can be issued and outputs a group public key , an admitting key , an opening key , and group signing keys . We note that the input is omitted when the number of message-specific tokens that can be issued is unbounded.(ii)GSig: this is the signing algorithm that takes as inputs a group public key , a group signing key , and a message and outputs a group signature .(iii)Td: this is the message-specific token generation algorithm that takes as inputs a group public key , an admitting key , and a message and outputs a token for .(iv)GVf: this is the verification algorithm that takes as inputs a group public key , a message , and a group signature and outputs (that means accept) or (that means reject).(v)Open: this is the opening algorithm that takes as inputs a group public key , an opening key , a message , a group signature , and a message-specific token and outputs a user index or .
For correctness, we require that for all , , , for all ()←GKg(), for all messages and all user , it holds that GVf(, , GSig()) = and Open(, , , GSig(), Td()) = .
In the above scenario, the signing keys , the opening key , and the admitting key are generated by the GKg algorithm in the setup phase. Then, is given to the opener and is given to the admitter. A signer can make a group signature by using the GSig algorithm, and all entities can verify the group signature by the GVf algorithm and public key . This setting is the same as ordinary group signatures, except the group manager’s key is divided into and . In exceptional cases, the admitter issues a message-specific token by using the Td algorithm. Moreover, the opener can identify the signer of a group signature by using the Open algorithm only when the opener received from the admitter.
3.2. Security Requirements
We introduce the security notion for GS-MDO. In contract to ordinary group signatures, we need to take care of the MDO property.
Ordinary group signatures are required to ensure two security notions, anonymity and traceability, whereas we have to further ensure two types of anonymity in the case of GS-MDO that are related to the original motivation for the introduction of the admitter. The introduction of the admitter is intended to strengthen signers’ anonymity against the authorities as much as possible. To capture this intention, we define the indistinguishability of the originator of a signature in the strong setting where the opening key is given to the adversary (opener anonymity). As a counterpart of this, we also define indistinguishability in the setting where the admitting key is given to the adversary (admitter anonymity). Note that we do not consider the situation in which the adversary obtains both the opening key and the admitting key because in this situation the adversary can open any signature by itself.
For traceability, we use the same definition as for the ordinary group signatures, in which the authorities are entirely corrupted by the adversary, since even ordinary group signature schemes ensure this level of traceability against entirely corrupted openers.
3.2.1. Opener Anonymity
Here we give the formal definition of anonymity against the opener, which we call opener anonymity. It is formalized as the indistinguishability of signatures of two different signers of the adversary’s choice. Opener anonymity is defined by requiring that no adversary has nonnegligible advantage in distinguishing signatures. We again remark that contrary to ordinary group signatures, the adversary is allowed to have the opening key. This is intended for modeling “anonymity against the opener.”
Definition 1. A GS-MDO scheme is said to have opener anonymity if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Token Query (Phase I): adaptively issues token queries in an arbitrary order. The challenger runs ←Td() and returns to .(iii)Challenge: at some point requests a challenge for , , and a message . The challenger chooses a random bit , runs ← GSig(), and sends to . is not allowed to request a challenge with a message whose token is previously queried.(iv)Token Query (Phase II): after receiving the challenge is again allowed to issue token queries. This time querying a token for is disallowed.(v)Guess: finally outputs a bit . wins the game if . wins the game if .
The advantage of is defined by and is denoted by . We also say that a GS-MDO scheme has opener anonymity with -bounded tokens if any probabilistic polynomial-time adversary which issues at most token queries in total has negligible advantage.
3.2.2. Admitter Anonymity
We next give the definition of anonymity against the admitter, which we call admitter anonymity. It is formalized in a similar manner to opener anonymity. That is, admitter anonymity requires signatures of two different signers to be indistinguishable even when the adversary is given the admitting key. We emphasize that our definition of opener anonymity is categorized as so-called CCA-anonymity. This means that the adversary in the security game is allowed to access the opening oracle. The formal definition is as follows:
Definition 2. A GS-MDO scheme is said to have admitter anonymity if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Open Query (Phase I): adaptively issues open queries in an arbitrary order. The challenger finds a recorded which is a token for , and if not found, runs ←Td(), and stores . The challenger runs ←GSig() and returns to .(iii)Challenge: at some point requests a challenge for , and a message . The challenger chooses a random bit , runs ←GSig() and sends to .(iv)Open Query (Phase II): after receiving the challenge is again allowed to issue open queries. This time querying an opening of is disallowed.(v)Guess: finally outputs a bit . wins the game if .
The advantage of is defined by and is denoted by .
Notice that the number of opening queries the adversary issues is unbounded (but of course polynomially many).
3.2.3. Traceability
The last notion is traceability, which requires that even if the opener and the admitter collude and they further adaptively corrupt some group members, the corrupted parties can produce neither forged signatures nor untraceable signatures. We stress that in contrast to the case of the anonymity notions, this case considers the collusion of two authorities.
Definition 3. A GS-MDO scheme is said to have traceability if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i) Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii) Query: adaptively issues the following two types of queries:(1) issues a key revealing query . The challenger returns to .(2) issues a signing query . The challenger runs ←GSig() and returns .(iii) Forge: finally outputs a forgery . wins if GVf() = and one of the following two conditions holds:(a) Open(, Td()) = , or(b)all the following conditions hold, Open(, Td()) = , and neither a key revealing query for the user nor a signing query for is submitted.
The advantage of is defined by and denoted by .
4. Difficulty in Designing Efficient Constructions
In this section we discuss several difficulties in designing efficient GS-MDO schemes. We first observe the relationships between GS-MDO and other cryptographic primitives, and then we discuss the difficulty that lies in designing efficient constructions.
Regarding the relationship with other primitives, we show that the existence of a GS-MDO scheme implies that of an IBE scheme. In other words, we will present a black-box construction of IBE from any GS-MDO scheme. The same holds for the -resilient versions.
This fact means that constructing a GS-MDO scheme is harder than IBE. Moreover, IBE is well known as a strong primitive. For example, there is no black-box construction of IBE from a trapdoor permutation or chosen-ciphertext secure PKE [55]. Therefore, GS-MDO is also strong and difficult to construct.
We note that Box 1 only shows a construction of an identity-based key encapsulation mechanism rather than identity-based encryption. However, it suffices since we can obtain a secure encryption scheme by combining the construction with an appropriate data encapsulation mechanism.
The formal theorems are as follows:
Theorem 4. If the underlying GS-MDO scheme satisfies opener anonymity, the identity-based KEM in Box 1 is fully secure.
Theorem 5. If the underlying GS-MDO scheme satisfies opener anonymity with -bounded tokens, the identity-based KEM in Box 1 is -resilient.
The intuition behind the construction in Box 1 is as follows. In the IEnc algorithm, each is a group signature of either or . Therefore, by the opener anonymity of the GS-MDO scheme, the entity who does not have (corresponding to the admitter’s key) cannot identify which signing key is used to make . The receiver can get (corresponding to the message-dependent token), and only the receiver can open the group signature and get by using the . Formal proofs can be given by a straightforward modification of the proof by Abdalla and Warinschi [56] or the similar technique to that used by Ohtake, Fujii, Hanaoka, and Ogawa [57], hence we omit detailed proofs.
From Theorems 4 and 5, we make the following observation about the difficulty in constructing GS-MDO.(i)Inevitability of using IBE: these theorems suggest that using IBE is essential for constructing a GS-MDO scheme. Considering the fact that a black-box construction of IBE from a trapdoor permutation is impossible [55], we can conclude that it is almost unavoidable for a GS-MDO scheme to rely on an IBE scheme or its equivalence, not only on a trapdoor permutation and an NIZK proof system. Otherwise one could construct an IBE scheme from surprisingly weaker primitives.(ii)Difficulty in constructing efficient GS-MDO in the standard model: another important aspect of establishing an efficient GS-MDO scheme in the standard model is the necessity of realizing a “Groth-Sahai compatible” IBE scheme. This is because the only known construction of NIZK proof systems with reasonable efficiency in the standard model is limited to the Groth-Sahai proof system. Also note that an NIZK proof system has been an important building block for almost all group signature schemes ever.
We show a generic construction of GS-MDO using a NIZK proof system and IBE in Section 5. However, currently no known IBE scheme is Groth-Sahai compatible in the sense that the Groth-Sahai proof system cannot prove a kind of the well-formedness of an IBE ciphertext in zero-knowledge. (Libert and Joye [7] proposed an IBE scheme where we are able to prove the well-formedness of a ciphertext using the Groth-Sahai proof system. However, at the time of the publication of the conference version, there were no known IBE scheme with this property). This is because an IBE scheme in a bilinear group is typically able to encrypt a target-group element. In addition, the ciphertext of such a scheme includes a target-group element. Unfortunately, the Groth-Sahai proof system is not always able to prove a statement involving target-group elements in zero-knowledge.
Here we provide two methods of overcoming this gap. The first one is to adopt -resilient IBE instead of fully secure IBE. In particular, we design a -resilient IBE scheme from the DLIN assumption by modifying the Heng-Kurosawa scheme [8] for this purpose. (We also note that a similar construction can be obtained from the key-insulated encryption scheme proposed by Dodis, Katz, Xu, and Yung [58]). The construction of GS-MDO using -resilient IBE is shown in Section 6.
The second method is to apply random oracles. We construct a GS-MDO scheme based on the BBS group signature scheme [10], which is one of the most efficient group signature schemes in the random oracle model. The opening procedure is implemented by the linear encryption scheme [10, 13], and a user’s certificate is implemented by the Boneh-Boyen short signature scheme [27]. The MDO property is realized by adopting the BF IBE scheme [11]. In order to combine the short group signature scheme and the BF IBE scheme, we replace the linear encryption scheme with a certain type of -out-of- multiple encryption. This construction is shown in Section 7.
5. Generic Construction
In this section, we give a generic construction of a GS-MDO scheme. The construction is built on an EUF-CMA secure signature scheme, a strongly unforgeable one-time signature scheme, a selective-tag weakly chosen-ciphertext secure tag-based KEM, a -resilient identity-based KEM, and an adaptive NIZK proof system.
At a first glance, there are various building blocks. However, our generic construction only relies on the existence of an IBE scheme and that of an NIZK proof system. Indeed, signature schemes and a chosen-ciphertext secure tag-based encryption scheme can be constructed from a fully secure IBE scheme.
5.1. Underlying Ideas
The proposed construction shares an underlying idea with the generic construction of Bellare, Micciancio, and Warinschi (the BMW construction) [3] except that we do not need “simulation-soundness” for the underlying NIZK proof system. Instead of this strong security requirement, we combine (ordinary) NIZK proofs with a strongly unforgeable one-time signature scheme. We remark that essentially the same techniques have been used in a variety of contexts. To name a few, Groth [32] used this technique for an efficient group signature scheme in a very similar manner. Camenisch, Chandran, and Shoup [59] used it to construct simulation-sound NIZK proofs, improving the result of Groth [29].
5.2. Construction
In this section, we present our generic construction of GS-MDO. Our construction uses an identity-based KEM (ISetup, IExt, IEnc, IDec), tag-based KEM (TKg, TEnc, TDec), an EUF-CMA secure signature scheme (SigKg, Sign, Verify), a one-time signature scheme (, , ), and an NIZK proof system . In addition, we require that the session key spaces and be the same set, and be associated with a group operation .
In our construction, a group member has a key pair of the signature scheme, in which is authorized by another verification key at the setup time. When a member generates a group signature, the member simply signs a message by . To be anonymous, the member further encrypts the signature together with the certificate (of the member), which authorizes the verification key , and attaches a noninteractive proof that demonstrates that a signature of an authorized member has been encrypted. To encrypt a signature, the member uses a multiple encryption technique to ensure that neither the opener nor the admitter can reveal the identity as long as the admitter has not issued a token to the opener. We need two requirements on the session key spaces of the tag-based KEM and the (-resilient) IBE scheme. We require that be equal to as a set, and that they form a finite group with group operation . These requirements are needed because we use a one-time pad to encrypt a signature of the group member. This group operation also needs to fall into the class of relations that can be represented by the used noninteractive proof system.
Let us explain the noninteractive proof that appears in the construction. The signature of the proposed scheme is of the form , and, as mentioned above, the proof demonstrates that a valid signature of an authorized group member has been encrypted into in a kind of a “multiple encryption” manner. More specifically, the proof proves that there exist a randomness (for tag-based KEM), another randomness (for identity-based KEM), a user index , and the verification key , a certificate , and a signature on a message , such that
Finally, two encoding functions are needed to complete the description of the generic construction. The first is used to encode the user index of a group member and his verification key into the message space of the signature scheme when generating certificates of group members. The second one is used to encode into , where is the user index of a group member and , , and are his verification key, certificate, and signature, respectively. It is used when issuing a group signature, especially when encrypting his signature in order to hide his identity.
The complete description of the scheme is shown in Box 2.
As stated in the following theorem, our generic construction has desirable security properties when all building blocks satisfy appropriate security properties.
Theorem 6. The proposed scheme has opener anonymity with -bounded tokens if the identity-based KEM is -resilient and the noninteractive proof system is adaptively zero-knowledge. The proposed scheme satisfies opener anonymity if the identity-based KEM is fully secure and the noninteractive proof system is adaptively zero-knowledge.
Theorem 7. The proposed scheme has admitter anonymity when the a tag-based KEM is selective-tag weakly chosen-ciphertext secure, the noninteractive proof system is adaptively zero-knowledge, and the one-time signature scheme is strongly unforgeable.
Theorem 8. The proposed scheme has traceability when the noninteractive proof system is adaptively sound and the signature scheme is EUF-CMA secure.
All the proofs of the theorems will appear in Appendix B.
6. Construction in the Standard Model
In this section, we show an instantiation of GS-MDO in the standard model. Our scheme in this section satisfies the requirements of Section 3.2 under the DLIN assumption and the SFP assumption. Because of the incompatibility between the Groth-Sahai NIZK proof system and known (pairing-based) IBE schemes, we use -resilient IBE and thus the MDO property is bounded to be . Note that the instantiation is not straightforward even though we have the generic construction in Section 5, since it is not obvious whether there exist building blocks which fit the generic construction. Of course, if we use a general NIZK proof system, we obtain an instantiation, but it is far from an efficient construction.
6.1. Underlying Ideas
Towards an efficient scheme, we discuss how to instantiate the building blocks used in our generic construction in the previous section.
Regarding the noninteractive proof system, an obvious choice is the Groth-Sahai proof system, since there is no known practical construction of an NIZK proof system except the Groth-Sahai proof system. However, upon adopting the Groth-Sahai proof system, due to the limitation of the type of theorems that the Groth-Sahai proof system can prove, other building blocks are subjected to restrictions. More specifically, other building blocks need to be structure preserving [60], and in particular, a statement to be proven should not involve elements of , where is the target group of the underlying bilinear groups. Hence, we have to choose an IBE scheme which fulfills this requirement as a building block, but unfortunately, no such scheme is known (except for the Libert-Joye scheme). This means that it is not straightforward to construct an efficient instantiation of our generic construction from the Groth-Sahai proof system.
In this section, we give an efficient instantiation by constructing a structure-preserving IBE scheme and choosing other appropriate building blocks. However, we must also honestly mention that our IBE does not provide full security but only -resilience [8].
Our structure-preserving -resilient IBE scheme is obtained by means of modifying the Heng-Kurosawa scheme [8] which is secure in the sense of -resilient security under the decision Diffie-Hellman (DDH) assumption. Since the DDH assumption does not hold in (symmetric) bilinear groups, it is not possible to utilize it as it is, and thus, we construct a modified version of this scheme which is secure under the DLIN assumption.
6.2. Construction
As described above, an efficient instantiation is not straightforward even from our generic construction in Section 5, since it is not obvious whether there exist schemes which can be plugged into the generic construction. Therefore, we select concrete building blocks for the instantiation:(i)Groth-Sahai Proofs [5, 61]. This is an efficient noninteractive proof system for groups with a bilinear map. This proof system can demonstrate the validity of a broad range of algebraic equations in a zero-knowledge manner and is useful for avoiding an expensive blowup from general NIZK techniques. We choose the DLIN-based instantiation of the Groth-Sahai proof system, which was proved to be perfectly sound with adaptive zero-knowledge from the DLIN assumption.(ii)Abe-Haralambiev-Ohkubo Signature [6, 60]. This is a structure-preserving signature scheme, in the sense that the signing and verification procedures have no use of nonalgebraic operations. This property is essential when the scheme is used together with the Groth-Sahai proof system that has the restriction that it is unable to treat nonalgebraic relations such as a verification equation of a signature scheme which involves hashing. This signature scheme was proven secure from the SFP assumption.(iii)DLIN Variant of Cramer-Shoup scheme [13]. The Groth-Sahai proof system is highly reliant on its use of pairing operations, and thus we need to choose the type of pairing on which we base our scheme. Type III or II may allow an efficient instantiation. However, in this setting a signature of the Abe-Haralambiev-Ohkubo scheme is bilateral, namely, it contains elements of both source groups. To encrypt such a bilateral message, we need to set up the encryption scheme in both source groups, which makes the scheme inefficient. Hence, we choose all the building blocks to be instantiated in Type I curves. For this reason, we choose a modification of Shacham’s DLIN variant [13] of the Cramer-Shoup encryption scheme as the tag-based KEM. We modify this scheme to be tag-based KEM to fit into our generic construction. (A possible alternative choice here is Kiltz’ tag-based encryption [52], which could reduce the size of NIZK proofs owning to its public verifiability. One drawback of this scheme is that, to the best of our knowledge, it does not allow the encryption of multiple group elements with a constant ciphertext overhead. On the other hand, the Cramer-Shoup scheme (and its DLIN variant by Shacham) allow such a modification. See Section C.3 for the details of this modification).
We then show a more concrete description of our generic construction when being instantiated with the above building blocks. Notice that a signature of our concrete instantiation based on the above building blocks, is of the following form:As explained above, is represented by 29 group elements, which we denote by . A more detailed description of each element is as follows:where CR is a collision resistant hash function and is a Groth-Sahai proof.
In (7), is the encoding of , corresponds to the session key of the tag-based KEM based on a DLIN variant of the Cramer-Shoup PKE scheme, and corresponds to the session key of the -resilient identity-based KEM based on the Heng-Kurosawa IBE scheme. and are ciphertexts of the tag-based KEM and the identity-based KEM, respectively. is Wee’s one-time signature on .
The signature size of the construction in Section 6 is described in Table 1. The column “Cost” is the number of group elements of a statement to be proven, and the number of group elements of the Groth-Sahai NIZK proof per a statement. The abbreviations “var(s).”, “lin. eq.”, “mult”, and “pair. prod.” mean “variable(s)”, “linear equation”, “multiplication” and “pairing product”, respectively. The total number of group elements is shown in the column “”. As shown in Table 1, the standard model scheme achieves reasonably efficient performance.
From Theorems 6, 7, and 8, the following theorems hold.
Theorem 9. When instantiating the identity-based KEM and the NIZK proof system in Box 2 with our DLIN variant of the Heng-Kurosawa -resilient IBE scheme and the Groth-Sahai proof system, the resulting scheme satisfies opener anonymity with -bounded tokens under the DLIN assumption.
Theorem 10. When instantiating the tag-based KEM, the NIZK proof system and the one-time signature scheme in Box 2 with the DLIN variant of the Cramer-Shoup PKE, the Groth-Sahai proof system and the Wee one-time signature scheme, the resulting scheme satisfies admitter anonymity under the DLIN assumption.
Theorem 11. When instantiating the signature scheme in Box 2 with the Abe-Haralambiev-Ohkubo signature scheme, the resulting scheme satisfies traceability under the SFP assumption.
7. Construction in the Random Oracle Model
The previous section explained a GS-MDO scheme in the standard model, but it only allows at most tokens to be issued. In this section, we remove this restriction by using random oracles, and present a concrete GS-MDO scheme that allows an unbounded number of tokens. Moreover, its signature size is times smaller than that of the scheme in Section 6, and it is also secure under the DLIN, DBDH, and -SDH assumptions. We give the description of the proposed scheme in Box 3.
7.1. Underlying Ideas
Our standard model instantiation uses the Groth-Sahai proof system as the NIZK proof system, and therefore the building block identity-based KEM needs to be compatible with the Groth-Sahai proof system (see Section 6.1). Unfortunately, the only IBE scheme with this property is Libert et al.’s [7], however, this scheme has a ciphertext containing a linear number of group elements in the security parameter. We overcome this weakness by avoiding the use of the Groth-Sahai proof system. More specifically, we construct an NIZK proof system in the random oracle model based on the Fiat-Shamir heuristics, and choose the building block IBE scheme that is fully secure (i.e., fully collusion resilient).
We start with the Boneh-Boyen-Shacham (BBS) group signature scheme [10], which is one of the most popular (standard) group signature schemes, to achieve the above idea. Each group member in this scheme is provided with an (ordinary) signature [27] of the Boneh-Boyen signature scheme, which certifies that the owner is a group member. A group signature of this scheme consists of two parts. The first part involves the linear encryption scheme of the certificate, whereas the second part involves the “signature of knowledge” [62] of the encrypted certificate. The decryption key for the linear encryption scheme is held by the opener, with which he can revoke the anonymity of any group signature.
We extend the BBS group signature scheme by replacing the linear encryption scheme with a certain type of -out-of- multiple encryption of ordinary PKE and IBE schemes. The multiple encryption is designed to ensure that one can decrypt an entire ciphertext only when he is able to decrypt ciphertexts of both the PKE scheme and the IBE scheme. Such multiple encryption can be accomplished by simple -out-of- secret sharing.
This feature enables us to achieve the MDO property as follows. In our construction, the opener only possesses a decryption key for the PKE scheme, and the admitter holds the master secret of the IBE scheme. To anonymously sign a message , a signer encrypts his certificate using as the identity of the IBE encryption. A decryption key (of the IBE scheme) under a message can serve as a message-specific token for .
7.2. Construction
In this subsection, we describe the proposed GS-MDO scheme in the random oracle model in detail. The complete description of the proposed scheme is shown in Box 3. As described above, our scheme is constructed by modifying the BBS group signature scheme in such a way that the linear encryption scheme in the BBS group signature scheme is replaced with 2-out-of-2 multiple encryption by PKE and IBE, which are instantiated with the linear encryption scheme and the BF IBE scheme [11], respectively. Specifically, the values generated in the signing algorithm are of the following form where the first four components constitute (a chosen-ciphertext secure variant of) the linear encryption of a 2-out-of-2 secret sharing of . Here and are the randomness for the linear encryption scheme and is the randomness for the 2-out-of-2 secret sharing. The other components, and , constitute an encryption by the BF IBE scheme of the other share of the 2-out-of-2 secret sharing.
As mentioned above, our linear encryption scheme is not identical to that used in the BBS group signature scheme and is modified to achieve CCA-anonymity. It is obtained by modifying the linear encryption scheme (in the BBS scheme) to a linear analogue of the “double encryption” [20, 63, 64] scheme and proving the “well-formedness” by a Schnorr-type proof. This can be seen as a variant of (the DLIN variant [13] of) the Cramer-Shoup encryption scheme [12, 65] in which the validity-check property is realized by a Schnorr-type proof.
Note that the BF IBE scheme is also slightly modified in such a way that the scheme does not use a hash function for deriving the DEM key that masks a plaintext. Instead of using a hash function, we employ the slightly stronger assumption of the DBDH assumption (rather than the computational variant, on which the original BF scheme is based). This is due to the incompatibility of the use of a hash function of this type and Schnorr-type proofs. We also remark that our anonymity notion does not require the IBE scheme to be chosen-ciphertext secure, and hence we use a chosen-plaintext secure version of the BF scheme.
We further remark that , , , , , , , , , , and in Box 3 come from a Schnorr-type protocol that proves the knowledge of , , , , and satisfying the equationsThe first three equations prove the knowledge of and that are used for the linear encryption part, and furthermore prove the “well-formedness” of the ciphertext (in other words, they prove that constitutes a linear tuple). We note that the latter (proving the “well-formedness”) is crucial for achieving CCA-anonymity. The last two equations prove the knowledge of and that are used for the BF IBE scheme. Here is the randomness for the BF IBE scheme, and is the randomness for the 2-out-of-2 secret sharing. The fourth equation proves that the group element encrypted in satisfies the verification equation of the Boneh-Boyen signature scheme. Recall that , where is a Boneh-Boyen signature which certifies the membership of the signer. In other words, this equation proves that when the randomness that hides is removed from , is verified as valid by the verification equation of the Boneh-Boyen signature scheme.
More concretely, introducing four intermediate variables , , , and (which are intended to be , , , and ), the underlying protocol proves the knowledge of , , , , , , , , and satisfying the equationsWe explain these ten equations one by one. The first three equations are exactly the same as those of (9). Equation (10d) comes from expanding the equation to obtain replacing with , with , and with to obtain and rearranging them to obtain which is identical to (10d). We then need to prove that the intermediate variables surely have appropriate values, namely, that , , and . Equations (10g)–(10j) are for this purpose. To prove , we introduce (10g). This equation, together with (10a), proves that . Specifically, (10a) ensures that is equal to , and then (10g) in turn ensures that Since is a generator, we have that which is what we want to prove. Similarly, (10h) together with (10b) proves that . To prove , we need to introduce another intermediate variable which is intended to be equal to . Towards this end, (10e) and (10i) prove that . Using this, (10f) and (10j) prove that . Specifically, (10f) ensures that , and then (10j) in turn ensures that Since (10e) and (10i) ensure that , canceling out and , (10j) further ensures that since is a generator, this equation ensures that which is what we want to prove.
The security of our proposed scheme is proved as follows.
Theorem 12. If the DBDH assumption holds, the proposed construction has opener anonymity in the random oracle model.
Theorem 13. If the DLIN assumption holds, the proposed construction has admitter anonymity in the random oracle model.
Theorem 14. If the -SDH assumption holds, the proposed construction has traceability in the random oracle model.
The proofs of Theorems 12, 13, and 14 are given in Appendix D.
8. Efficiency Comparison with Pairing-Based Group Signatures
Finally, we give a brief efficiency comparison between the proposed schemes and existing pairing-based group signature schemes (with and without the MDO property). Table 2 shows a detailed comparison among such schemes.
The signature size of our standard model scheme is 10 times larger than that of Groth scheme [32]. We believe that this is a reasonably practical performance and can be implemented in practice.
Compared with our scheme in the standard model, our scheme in the random oracle model is improved in two aspects: the first is the removal of the a priori upper bound on the number of tokens the admitter can issue, and the second is the substantial reduction of the signature size. When a 170-bit prime-order group is used, the signature size of our GS-MDO scheme in the standard model is 79364 bits, and that of our GS-MDO scheme in the random oracle model is 3636 bits, while that of the BBS scheme [10] is 1548 bits. (We adopt the estimates of bit sizes for group elements used in [9]). We also include more details of the performance of these schemes in Table 2. These two improvements are achieved at the cost of using random oracles, as indicated in the “Without RO” column in the table.
In the Libert-Joye scheme, a signature contains group elements, whereas our schemes contain a constant number of group elements. However, our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GS-MDO scheme secure in the standard model with a constant-signature size is an interesting open problem.
Compared with the BBS scheme, we believe that the proposed scheme in the random oracle model achieves the MDO property at a reasonable cost given the increase in the signature size. As shown in Table 2, the signature size of the proposed scheme is almost twice that of the BBS scheme. We also note that our random oracle model scheme achieves CCA-anonymity, which guarantees a markedly higher level of security than CPA-anonymity, which is achieved by the BBS scheme.
9. Conclusion and Open Problems
In this paper we proposed a new anonymous authentication primitive called group signatures with message-dependent opening. This primitive is an extension of ordinary group signatures, which relaxes the strong assumption that the opener, who is able to trace the identity of the signer of a signature, does not misuse his strong capability of breaking anonymity. The primitive does this by introducing another authority called the admitter, who is able to admit the opening of signatures on some specific messages to the opener.
We formalized this new primitive by providing the syntax and security requirements of the primitive. Furthermore, we discussed the difficulties in constructing an efficient instantiation of the primitive, in particular, showed that IBE is inevitable for an instantiation. We provided one generic construction and two specific constructions. The first specific construction was proven to be secure in the standard model, while the other was proven to be secure in the random oracle model. Finally, we compared two specific constructions and known group signature schemes (with and without the message-dependent opening property).
We list some open problems. We assumed that the setup of the scheme is executed honestly and that the entity who runs the setup does not collude with an adversary. An open problem is to provide a formal security requirement that does not require this assumption and an instantiation for it. Our schemes do not provide security against an adversary which may maliciously generate the opener’s or the admitter’s keys. Achieving this security is another open problem.
Appendix
A. Bellare and Neven’s Forking Lemma
Here we recall Bellare and Neven’s forking lemma [66].
Lemma A.1. Fix an integer and a set of size . Let be a randomized algorithm that we call the input generator. Let be a randomized algorithm that takes generated by and ,..., as inputs, and returns a pair . The accepting probability of , denoted , is defined as the probability that in the experiment The associated to is the randomized algorithm that takes input and proceeds as follows: Let Then Alternatively,
B. Security Proofs for the Construction in Section 5
B.1. Proof of Theorem 6
We prove the theorem for the case that message-dependent tokens are issued at most times. The theorem for the case of an unbounded number of tokens can be proved similarly.
Proof. Let be an adversary against the opener anonymity of the proposed scheme. The proof proceeds with a sequence of games.(i)Game 0: This is identical to the opener anonymity game of the proposed scheme.(ii)Game 1: In this game the common reference string in is generated by , and the zero-knowledge proof in the challenge signature is generated by .(iii)Game 2: In this game is sampled randomly and independently.
Let be the event that wins in Game . From the triangle inequality, we have thatWe then bound each term in this equation.
Lemma B.1. is negligible, provided that the non-interactive proof system is adaptively zero-knowledge.
Proof (of Lemma B.1). Using we construct an algorithm against the zero-knowledge property of the proof system. The construction is as follows. (i)Setup: receives a common reference string . Then sets up , , , and except that for the common reference string in uses the common reference string received from its challenger. Then sends to .(ii)Token Query (Phase I): When issues a token query , responds with generated with .(iii)Challenge: When request a challenge for , , and , chooses a random bit . Using , generate a challenge signature as in the opener anonymity game with an exception that the proof in the challenge signature is obtained by querying the statement and the witness to ’s challenger.(iv)Token Query (Phase II): Token queries from are responded as in Phase I.(v)Guess: When outputs a guess , outputs if and outputs otherwise.Observe that if receives a proof generated by , simulates ame 0 perfectly. If receives a proof generated by , simulates ame 1 perfectly. Then we have that , which is negligible.
Lemma B.2. is negligible, provided that the identity-based KEM is -resilient.
Proof (of Lemma B.2). Using we construct an algorithm against the -resilience of the identity-based KEM. The construction of is as follows. (i)Setup: receives a public parameter . Then sets up , , following the description of Game 1 with an exception that for the public parameter in uses sent from its challenger. Then sends to .(ii)Token Query (Phase I): When issues a token query , issues an extraction query to its challenger and receives a decryption key . Then returns to .(iii)Challenge: When requests a challenge for , , and , chooses a random bit . Then requests a challenge to its challenger under the identity . Using these and as and , generates a challenge signature as in ame 1. Notice that due to the change in ame 1, in order to generate a proof , no longer needs to know the randomness behind . Then returns a challenge signature to .(iv)Token Query (Phase II): In this phase, token queries from are responded as in Phase I.(v)Guess: When outputs a guess , outputs if , and outputs otherwise.Observe that if receives a session key (encapsulated in ), perfectly simulates Game 1. Furthermore, if receives a session key (independently sampled), perfectly simulates Game 2. This is because is independent of any other values, hence is distributed randomly and independently. Furthermore, issues at most token queries and does not issue as a token query. Therefore, we have that , which is negligible.
Lemma B.3. .
Proof (of Lemma B.3). Consider the process of generating the challenge signature in ame 2. In this process, the only variable that directly depends on the challenge bit is ← Sign(). However this is no longer used to generate a challenge signature any more, and thus the challenge signature is independent of the challenge bit . Hence the lemma holds.
Finally, we have that all the three terms in Eq. (B.1) are negligible, hence the advantage of in the opener anonymity game is negligible.
This complete the proof of Theorem 6.
B.2. Proof of Theorem 7
Proof. Let be an admitter anonymity adversary against the proposed scheme. The proof proceeds with a sequence of games. We define the following four games.(i)Game 0. The initial game is identical to the game defined in the definition of admitter anonymity. For the subsequent games, is generated before running the adversary .(ii)Game 1. In this game, an opening query which contains a valid one-time signature with is responded with .(iii)Game 2. In this game, we replace the common reference string with a simulated string generated by and the NIZK proof, included in challenge, with a simulated proof using of the NIZK proof system.(iv)Game 3. In this game, we change of the challenge signature to be a random element.
For , we define the following two events: Let denote the event that the adversary successfully guesses the challenge bit in Game . Let denote the event that submits an open query in Game where and .
The advantage of is from the definition. From the triangle inequality, the following inequality holds.
In what follows, we prove that each term of the above inequality is negligible.
Lemma B.4. is negligible if the underlying one-time signature scheme is strongly unforgeable.
Proof (of Lemma B.4). By the difference lemma [67], ame 0 and ame 1 are equivalent if the event does not occur. Therefore,We then prove is negligible.
To prove is negligible, we will construct another adversary , which attacks strong unforgeability of the one-time signature scheme, and relate its success probability with the probability of the event . The construction of is as follows: (i)Setup: The adversary first receives a verification key for the one-time signature scheme. The adversary then runs GKg() to obtain a group public key , the opening key , the admitting key , and user signing keys for all . Then runs .(ii)Open Query (Phase I): Queries are answered with the opening key and the admitting key . In addition, when queries a group signature in which and Verify() = , records the pair and responds with .(iii)Challenge: To respond to the challenge request , chooses a random bit and generates a group signature in exactly the same way as the construction with one exception that is obtained by issuing a signing query to the challenger.(iv)Open Query (Phase II): Further open queries are answered as in Phase I.(v)Guess: When outputs a guess and halts, if there is a recorded tuple, outputs this tuple as a forgery. Otherwise outputs . This adversary perfectly simulates ame 0 (or ame 1) until the event (or ) occurs. Furthermore, whenever the event happens, this adversary successfully outputs a forgery and wins the game (because must be different from , and it consists of a legitimate forgery). Then we can conclude is negligible, because of the security of the underlying one-time signature scheme. This completes the proof of Lemma B.4.
Lemma B.5. is negligible if the underlying non-interactive proof system is adaptively zero-knowledge.
It is straightforward to prove that the difference between and is negligible from the adaptive zero-knowledge property of the NIZK proof system, hence we omit the detailed proof of Lemma B.5.
Lemma B.6. is negligible if the underlying tag-based KEM is selective-tag weakly chosen-ciphertext secure.
Proof (of Lemma B.6). We will construct an adversary which attacks the underlying tag-based KEM. The construction of is as follows: (i)Setup: The adversary first runs to generate a verification/signing key pair , outputs as the challenge tag, and then receives the public key of the tag-based KEM. The adversary then generates the rest of a group public key as , , , user signing keys for all , and their certificates for all . The adversary then sets and for all and runs with the input .(ii)Open Query (Phase I): When the adversary submits an open query for a signature and a message , the adversary responds as follows: (i) when , makes a decapsulation query for the ciphertext with a tag to obtain a session key (note that this query is legitimate), and then extracts a user decryption key (of the identity-based KEM) from by running , decrypts with to obtain a session key by running , and verifies whether = ⊤ and hold. If both of them hold, further computes and responds with . Otherwise responds with . (ii) When , responds with .(iii)Challenge: At some time requests a challenge for , then computes a challenge as follows: generates a signature for a random bit , requests a challenge to obtain , generates a ciphertext and a session key as , computes , and generates a fake proof by computing . Finally signs with the one-time signing key to obtain and sends to .(iv)Open Query (Phase II): Again submits more open queries and responds as before.(v)Guess: When outputs a bit , outputs if , otherwise outputs .Let denote the advantage of .
The adversary perfectly simulates Game 2 and Game 3 when is the real key and a random value, respectively, so that ’s challenge bit is . Therefore, outputs 1 when successfully guesses the challenge bit in each game.
Hence, we have that . When the tag-based KEM is secure, is negligible and therefore is also negligible.
Lemma B.7. .
Proof (of Lemma B.7). In Game 3, is a random value. That is, ’s view is completely independent of the challenge bit in Game 3, and therefore the challenge signature does not contain the information of .
From the above, the proof of Theorem 7 is completed.
B.3. Proof of Theorem 8
Proof. Let be a traceability adversary against the proposed scheme. Let be the event that wins the traceability game. Let be the output of . Furthermore we denote as .
We define the following events:(i): The adversary satisfies the winning condition.(ii): The statement that proves is in the language.
Let be where and be the decapsulated session key computed in the Open algorithm. Let be the user ’s signing key generated in the game. We further define the following events:(i): The event occurs and the adversary wins the game satisfying the winning condition (i).(ii): The event occurs and the adversary wins the game satisfying the winning condition (ii).(a): The event occurs and none of satisfies .(b): The event occurs and it holds that for some .
Then we have that Since , , , and are exclusive, we have thatWe then bound each term.
Lemma B.8. is negligible provided that the proof system is adaptively sound.
Proof. Given the adversary we construct an algorithm that attacks the soundness of the proof system. The construction of is as follows: receives as an input a common reference string; then sets up a group public key, an opening key, an admitting key, and signing keys; executes the traceability game using these keys; when terminates with output where is parsed as outputs together with the statement.
Whenever the event occurs, successfully outputs a statement/proof pair which is verified as valid but the statement is outside of the language. Hence, since the assumption that the proof system is sound, is negligible.
Lemma B.9. is negligible provided that the signature scheme is EUF-CMA secure.
Proof. Given the adversary we construct an algorithm that attacks the unforgeability of the signature scheme. The construction of is as follows: receives as an input a verification key of the signature scheme; using this as , it sets up a group public key, an opening key, and signing keys; for generating the signing key for the user , issues a signing query for the message to obtain a signature on that message, and uses this signature as in the signing key of the user ; then runs with the input the group public key, opening key, and admitting key; all the key revealing queries and signing queries are responded with the signing keys for the users generated by ; when outputs a pair , parses as , decrypts and parses the plaintext by running ⊙ ⊙ , and finally outputs as a forgery; if either or outputs , outputs .
We then argue that whenever occurs, successfully outputs a forgery for the signature scheme.
Let us assume occurs. There are five possibilities that Open outputs : (i),(ii),(iii),(iv), or(v). The first two possibilities in fact never occur, since the statement proves is in the language, and then the correctness condition ensures that these two ciphertexts are correctly decrypted. The third and fourth possibilities never occur, since the winning condition requires that be verified as valid by GVf, in which and are verified. Therefore whenever occurs, we have that . Since the condition that occurs ensures that is verified as valid under , and only issues signing queries of the form for some and some , the output of is a legitimate forgery for .
Then let us assume occurs. In this case the event ensures that is a valid message-signature pair under . Furthermore, the condition ensures that but . Thus, the output of is again a legitimate forgery for .
Therefore, whenever occurs, successfully outputs a forgery. Hence the unforgeability of the signature scheme ensures that is negligible.
Lemma B.10. is negligible provided the signature scheme is EUF-CMA secure.
Proof. Given the adversary we construct an algorithm that attacks the unforgeability of the signature scheme. The construction of is as follows: receives as an input a verification key of the underlying signature scheme; chooses a random index of a signer and sets ; then generates a group public key, an opening key, an admitting key, and signing keys for . runs with the input the group public key, the opening key, and the admitting key. Key revealing queries are responded as in the traceability game, and key revealing queries are responded with . Signing queries where are responded using the signing keys generated by itself. Signing queries for any are responded by querying as ’s signing query, receiving as its reply, using to generate a group signature , and responding with this ; when outputs a forgery , decrypts by running ⊙ ⊙ , confirms that , where is the part of the user ’s signing key. If then outputs , and otherwise outputs .
We then bound the probability by the probability that produces a forgery.
Towards this end we argue that whenever the event occurs, successfully outputs a forgery for the signature scheme. Let us assume occurs. The event ensures that is a valid message-signature pair under . Furthermore, the event ensures that , where is the verification key included in the user ’s signing key. Moreover, the event ensures that is in fact , which is the verification key that is given to . In addition, the winning condition of the traceability game ensures that did not issue the signing query , which in turn ensures that did not issue the signing query . Therefore, we can conclude that whenever occurs, successfully outputs a legitimate forgery.
Since is information-theoretically hidden from , we have Then we have thatwhich is negligible.
Finally we have that all the three terms in Eq. (B.5) are negligible, thus is negligible.
This complete the proof of Theorem 8.
C. Building Blocks and Their Security Proofs
C.1. -Resilient Identity-Based KEM from the DLIN Assumption
In the following presentation of the identity-based KEM, denotes the upper bound for the number of the corrupted users, while denotes the message length (in group elements) to be encrypted. Our proposed -resilient identity-based KEM based on the Heng-Kurosawa scheme is shown in Box 4.
Theorem C.1. The construction in Box 4 is a -resilient identity-based KEM if the DLIN assumption holds.
Proof. Given an adversary which attacks the scheme in Box 4, we bound its advantage by constructing the reduction below: (i)Setup. The simulator receives an instance of the DLIN problem, where is either or an independently chosen random element of . generates random polynomials (, , of degree , sets and for all and , and runs with an input .(ii)Query (Phase I). When queries an identity , returns .(iii)Challenge. When requests a challenge for an identity , chooses a random bit . Then computes . If , computes = ,…, . If , chooses a random group elements . These and are given to as a challenge.(iv)Query (Phase II). Again, may request a decryption key for and responds as before.(v)Guess. Finally outputs a bit and outputs if . Otherwise outputs .Let us assume . Since generates the master secret key by itself, and the random exponents and in the instance correspond to the random exponents of the encapsulation algorithm, the reduction perfectly simulates the experiment. Otherwise when and , we will show that is distributed uniformly and independently from all other values seen by . To see this, let , , be the decapsulation key queries issued by during the simulation, and observe that the queries reveal the values , , to , but , , and are not revealed. However, further reveals the value and , where and . The equations can observe are represented as in (C.1) where this matrix is nonsingular, and hence is uniformly distributed. This distribution is identical to the case of , hence is independent of ’s view. Therefore, assuming the DLIN assumption, we have thatis negligible. This is identical to the advantage of , hence the theorem is proven.
C.2. Abe-Haralambiev-Ohkubo Signature
The Abe-Haralambiev-Ohkubo signature scheme, which is a structure-preserving signature scheme based on the SFP assumption [6, 60] is shown in Box 5 In the box, the algorithm is given a pair of group elements and produces the pair uniformly random under the constraint that the pairing of the new pair is unchanged from . The algorithm is given a pair and produces a set of pairs and which is uniformly distributed under the constraint that .
The security of the scheme is as follows.
Theorem C.2. The construction in Box 5 is EUF-CMA secure if the SFP assumption holds.
C.3. Shacham’s Variant of Cramer-Shoup Encryption
Shacham [13] proposed a variant of the Cramer-Shoup encryption scheme [12, 65] modified to be based on the DLIN assumption. The scheme below further modifies the Shacham’s variants in two points: (1) Used as a tag-based KEM and (2) modified to encapsulate a long session key in a constant-size ciphertext. We omit the proof that this scheme is secure under the DLIN assumption, which can be easily obtained by modifying the original proof by Shacham [13]. This modified Shacham’s variant is shown in Box 6.
Theorem C.3. The construction in Box 6 is a selective-tag weakly chosen-ciphertext secure if the DLIN assumption holds.
D. Security Proofs for the Construction in Section 7
D.1. Proof of Theorem 12
Proof. The proof proceeds with a sequence of games. Let be an adversary against the opener anonymity. We consider the following games, which plays. We denote by the event in which outputs a bit which is equal to the challenge bit flipped by the challenger. We assume that before issuing a token query issues the query . We do not lose generality, since given any adversary which not necessarily meets this restriction, we can easily modify to one that meets this restriction.(i) Game 0. This initial game is identical to the game defined in the description of the opener anonymity. We assume the challenger to maintain two hash lists for and , which, respectively, contain tuples of the form and the form to represent and . The value is used to answer the random oracle query and the token query in the subsequent games.(ii) Game 1. In this game we replace the zero-knowledge proof of the challenge signature with a simulated proof. More specifically, when the adversary asks a challenge signature by sending , the challenger computes it as follows: the challenger flips the bit , computes as specified in the construction with the signing key , generates random integers , , , , , , , , , , and computes The challenger adds the tuple to the hash list for . At this point if the list for already contains a tuple of the form for some , the challenger outputs and halts. Otherwise the challenger sends to as the challenge signature. We will argue that this change introduces only a negligible difference in ’s advantage.(iii) Game 2. In this game we change the -component of the challenge signature to be a random element in . This change also introduces a difference of a negligible amount in the ’s advantage.
We then prove that in the last game has no information about the bit , and hence the advantage is zero.
Lemma D.1. .
Proof (of Lemma D.1). In Game 2 ’s view is completely independent of the bit . The component which is computed using (and hence has information about ) is in the challenge signature. Actually it is distributed independently of (uniformly over ) due to the random integer .
Finally we prove that any of the game-hopping does not change ’s advantage nonnegligibly.
The difference between ame 0 and ame 1 is bounded by a standard argument of the zero-knowledge simulation of the underlying protocol, which is as follows.
Lemma D.2. is negligible.
Proof (of Lemma D.2). We claim that the distribution of the challenge in Game 1 is identical to that in Game 0 except for the cases in which the challenger outputs . This follows from a standard argument of zero-knowledge simulation. To see this, we can observe that in Game 1 corresponds to in Game 0, and similar correspondences hold for all the other ’s and ’s. We can also see that both and are uniformly distributed over . We will then see that the challenger in Game 1 outputs only with negligible probability. This is because are distributed uniformly over a set with cardinality (at least) , that is, the queries to issued before the challenge phase contain with probability (at most) where denotes the number of oracle queries to issued by .
The difference between Game 1 and Game 2 is bounded by extending the original proof of the BF IBE scheme to that based on the decision assumption.
Lemma D.3. is negligible under the DBDH assumption.
Proof (of Lemma D.3). We describe a distinguishing algorithm for the DBDH problem to bound the quantity . The construction of the algorithm is as follows: (i) Setup. receives a problem instance , in which is either or a random integer . lets , and the rest of the components of the group public key and the signing keys for all are generated by following the description of the scheme. sends , , and to .(ii) query. When issues an query , retrieves a record for some , , and . If such a record is found, replies with . Otherwise, to respond to the query to the random oracle , first flips a biased coin which is with probability and is with probability (the exact quantity of is determined later). Then chooses a random integer , computes as stores in the hash list for , and returns to .(iii) query. When receiving a query to the random oracle , if the response to this query is recorded in the hash list for , responds with the corresponding the record. Otherwise chooses a random integer , records to the hash list, and returns to .(iv) Token query. When asks the token for a message , picks the record regarding the same query to the random oracle . Such a record will be found since we modify (if necessary) to meet the restriction introduced at the beginning of the proof. If immediately outputs random and halts. Otherwise if then returns to .(v) Challenge. When asks the challenge signature for , picks the record regarding the query to the random oracle . If immediately outputs and halts. Otherwise chooses random , , , , and computes , , , , , . Finally computes a zero-knowledge proof as in Game 1. If there is a record for some , halts with output . Otherwise it sends to .(vi) Guess. Finally outputs a guess and halts. outputs if holds, otherwise outputs .We define two bad events. The event denotes the event that halts in the challenge phase due to the condition for the record of . The event denotes the event in which halts because of the failure of responding to (one of) the token queries. Since B outputs 0 if or occurs, we have that The event occurs when (with probability ) for all in the token query phase. Let denote the number of token queries issued by . If , it holds thatand the event occurs when (with probability ) for in the challenge phase. Hence, if , it holds thatNote that the events and are independent since each biased coin is flipped independently. Moreover, whether or , the distributions of the values that receives are identical, and hence ’s view does not change. It means that the value of does not affect the behavior of . Therefore, the event and have no effect on the probability that succeeds in guessing the challenge bit. That is, the event of , , are mutually independent.
From the above, we have the following equality. where the last equality follows from the fact that given correctly simulates ame 1 for . The detail follows. Firstly, the distribution of ’s responses to the queries are identical to those of Game 1. This is because and are both distributed uniformly over . Secondly, the responses to queries are also distributed identically to those of Game 1. Thirdly, the responses to token queries are also distributed identically. Notice that in Game 1 a token for a message is computed as , while that in ’s simulation is computed as (if the simulation proceeds without an abort). Then we have thatwhere the last equality comes from the two facts that we set in ’s simulation, which corresponds to in Game 1, and that we set in the response of the query . Lastly, the response to the challenge query is also distributed identically to that of Game 1. Notice that in Game 1 and for some , . Further, notice that in ’s simulation, and (if the simulation proceeds without an abort). Therefore, in ame 1 corresponds to in ’s simulation. Hence if , we have that Therefore, we can conclude that given correctly simulates ame 1.
Similarly, if , namely receives a random tuple, we have that where the last equality comes from the fact that given that correctly simulates Game 2. The correctness of the responses to the queries, queries, and token queries follows from a similar argument to that of the case of . The correctness of the response to the challenge query also follows from a similar argument to that of the same case but replacing with ensures that is distributed uniformly and independently.
Finally we obtainand hencewhen substituting with , which minimizes . Since , the lemma follows.
These three lemmas conclude the entire proof.
This complete the proof of Theorem 12.
D.2. Proof of Theorem 13
Proof. The proof proceeds with a sequence of games. Let be an adversary against the admitter anonymity. We define the following games, which plays. In the following we denote by the event that in Game successfully guesses the bit picked by the challenger.(i) Game 0. The initial game is identical to the game defined in the definition of admitter anonymity. In order to respond to hash queries, the challenger maintains a hash list, which contains tuples of the form for the hash function and similarly for .(ii) Game 1. In Game 1, we replace the zero-knowledge proof, included in the challenge, with a simulated proof. More concretely, when the adversary asks a challenge by sending , the challenger proceeds as follows. The challenger first flips a bit and encrypts (a part of ) to obtain a ciphertext as in Game 0. Then the challenger generates random integers , , , , , , , , , , computes and adds the tuple to the list for . If the hash list for contains a tuple of the form with arbitrary , the challenger outputs and halts. If this is not the case, the challenge is returned to the adversary. This change only causes a negligible difference to the advantage of . See Lemma D.4 for the details.(iii) Game 2. In this game we modify the linear encryption in the challenge to be “invalid.” More precisely, to compute the challenge signature , the challenger selects random integers , and , and computes where , , and are the part of the group public key , is the bit flipped for the challenge, is the part of the group signing key of the member , and is the random integer which is also used to compute . Notice that the challenger uses the opening key (actually its components , , and ) to compute the challenge. All the other components of the challenge are generated as in Game 1. This modification also does not change ’s winning probability nonnegligibly, provided that the DLIN assumption holds. See Lemma D.5 for the details.(iv) Game 3. In this game we modify the responses to opening queries in such a way that the challenger responds with if a queried signature satisfies the following two conditions: that is, the components , , in the query are reused from the challenge signature, and where is the group elements reproduced in the verification process. This change does not affect ’ advantage nonnegligibly. See Lemma D.6 for the details.(v) Game 4. We further introduce another rejection rule in the responses to opening queries. This game rejects a signature that contains a ciphertext whose linear encryption components does not constitute a linear tuple. Specifically when , , and satisfy , , , the challenger immediately rejects queries if , and all other queries are treated as before. This modification does not affect the behavior of , as the adversary can issue such an invalid query with a valid proof (that passes the verification) only with a negligible probability. See Lemma D.7 for details.
The advantage of is , and from the triangle inequality we can bound the advantage as the following:
To complete the proof it remains to prove the following lemmas.
The difference between ame 0 and ame 1 is bounded by a quite similar argument to that of Lemma D.2, hence we omit a detailed proof.
Lemma D.4. is negligible.
We then bound the differences in ’s success probability of the remaining game-hops and prove that ’s advantage is zero in the last game.
Lemma D.5. is negligible, provided that the DLIN assumption holds.
Proof (of Lemma D.5). We will describe an algorithm of the DLIN problem to bound the absolute difference . receives a tuple , in which is either or not, together with the description of the bilinear groups. sets up the scheme by choosing , , , , , (), setting , , , , and (), and letting , , , and . Then runs with an input . Queries from to the random oracles and are responded in the ordinary manner, that is, all fresh queries are responded with a random hash value and are recorded together with the hash value, while previously issued queries are responded in the same way as in the previous query. Opening queries from are responded as specified in the scheme, that is, first verifies the NIZK proof. If the proof passes the verification, decrypts the “linear encryption” part using , , and . If the signature does not pass the verification, returns . When requests a challenge regarding , proceeds as follows: To compute the challenge , flips a bit , chooses random integers , , and sets The zero-knowledge proof is computed as in ame 1. Then sends the challenge signature computed as above to . After receiving the challenge, further makes queries to the random oracles and opening queries, which are responded as before by . Finally outputs the guess . outputs if , outputs otherwise.
Observe that when receives a tuple satisfying , the adversary’s view is equivalent to that of Game 2. In contrast, when receives a linear tuple, we can see that ’s view is identical to that of Game 1, as the equation holds. Finally, it holds that When the DLIN assumption holds is negligible, therefore is negligible.
Lemma D.6. .
Proof (of Lemma D.6). Since Game 3 differs from Game 2 only when a queried signature, when verified, produces the same as the used in the challenge phase, we examine the mapping ↦, implicitly defined by the verification algorithm (notice that the mapping implicitly depends on the group public key and the signature to be verified), and argue that it is injective with overwhelming probability. Since can issue queries satisfying (D.15) and (D.16) only when the mapping is not injective. Then, to complete the proof we bound the probability that is not injective.Since the mapping is a linear function, by calculating the determinant of a matrix of (D.20), we can see that is not injective if and only if Since can issue queries satisfying (D.15) and (D.16) only when the mapping is not injective, the difference is bounded by the probability that the above equation holds. Actually, (D.21) holds with probability at most . This is because if (D.21) holds, there is satisfyingFor a fixed the probability that (D.22) holds is , which can be seen by fixing all the variables except and seeing that is still distributed uniformly. Hence from the union bound the probability that (D.21) holds is at most .
Lemma D.7. is negligible.
Proof (of Lemma D.7). Game 4 differs from Game 3 when issues an opening query which is not rejected in Game 3 but is rejected in Game 4. We thus bound the probability that issues such a query. More precisely, the event we consider is that issues a signature as an opening query such that (i)it is verified as valid by GVf,[ii] , in which is the group elements computed in GVf as in Box 3 and are the group elements used for generating the challenge signature as in (D.12), and[iii] does not constitute a linear tuple. If issues such a query, there should be a query in (issued by explicitly or issued during the verification process of an opening query) such that does not constitute a linear tuple, and the hash value coincides with the unique challenge that is determined from the public information and the commitment . Hence for concluding the proof it is sufficient to bound the probability of this event. Notice that in this case any query to in question is different from , for which the hash value is set in the challenge phase. Hence in this case, the output of is chosen from uniformly. Thus the hash value coincides with the unique value with probability . Therefore, by the union bound, the probability that there is an opening query which satisfies the above three conditions is at most , where is the number of queries issued by , and is the number of opening queries issued by .
Lemma D.8. .
Proof (of Lemma D.8). Here we prove that in ame 4 the value is uniformly random even when conditioned on ’s view. To this end we examine the distribution of ’s view related to the randomness , , and under the condition where all the other randomness involved in the game are fixed. obtains information related to , , and from the part of the group public key and and the responses to the opening queries. As for the responses to the opening queries, any query whose , , and components do not constitute the linear tuple will be rejected, thus gains no information on , , and from such responses. A query with a linear tuple also gives no information to . When issues a signature , the game computes a group element (the rest of the calculation is done without referring to , , and ), which is what learns from this query. It in fact does not increase the information knows, because the above equation can be rewritten as when we write , , and . The last formula of the equation shows that responses of this type give no information to , since all the values that appear in the formula are already known to .
The above discussion shows that the responses to the opening queries do not leak any information of , , and beyond the equations of andto . Finally we show that the value is uniformly distributed conditioned on the elements and . This can be seen by considering the following equation Since the matrix in the right-hand side has the determinant the value is distributed uniformly and independently of and . This shows that the challenge signature is independent of and hence of the challenge bit . This completes the proof of Lemma D.8.
From the above, the proof of Theorem 13 is completed.
D.3. Proof of Theorem 14
Proof. Suppose is an adversary that attacks the traceability of the GS-MDO scheme. We assume that if the adversary outputs a message-signature pair , issued the query in which , , are the reproduced -values in the verification of the output signature. We also assume that before issuing query issues the query . We do not lose generality by these restrictions, since given an adversary which not necessarily meets this restrictions, we can modify to one that meets the restrictions. In addition, we assume that issues queries, queries, and signing queries. Let be the number of the group members.
We consider the following sequence of games.(i) Game 0. The initial game is identical to the traceability game.
Let be the event that in Game satisfies the winning condition. We have that We then bound each term.
The difference between ame 0 and ame 1 is bounded by a similar argument to Lemma D.2. Hence we omit the proof.
Lemma D.9. is negligible.
We then bound the difference between ame 1 and ame 2.
Lemma D.10. is negligible if the -SDH assumption holds.
Proof. Let be the event that outputs a valid forgery which satisfies the clause (i) in the traceability game. By the difference lemma [67] we have that . We bound this by constructing an -SDH adversary .
The construction proceeds with the forking lemma [66]. We first construct an instance generator: It first generates a description of bilinear group ; then chooses a random integer and outputs . Given the adversary , we construct another algorithm , which takes as an input an -SDH instance and a sequence of random exponents and outputs a tuple where . Here we assume that if outputs a forgery then issues a query that will be issued during the verification of the forged signature . The construction of is as follows.(i) Setup. takes as inputs an -SDH instance and a sequence of random exponents , and sets up SDH pairs where and together with group elements and (in the same way as done in the proof of emma 9 of [27]). chooses random group elements , , and random exponents , , , , and sets , , and . It then sets a counter . It generates a random tape for . It finally sets , , and , and runs the adversary .(ii) query. When the adversary issues an query , searches for a recorded tuple and returns if one is found. If not, generates a random , records , and returns to .(iii) query. When the adversary issues an query searches for a recorded tuple for some and , and returns if such a tuple is found. If not, increments the counter , records , and returns to (iv) Key Revealing Query. When the adversary issues a key revealing query for the user , returns to .(v) Signing Query. When the adversary issues a signing query , generates a signature as in (14), and confirms whether for some and some is recorded. If recorded, outputs and halts. If not, records , and returns to .(vi) Output. When the adversary outputs a forgery , let be and , , be the values reproduced in the verification of . Then decrypts with , , , and by computing and searches for such that is recorded. Finally, if(a),(b), and(c)such is found, outputs . Otherwise it outputs . The first condition (a) is well-defined, since we assume that the query will be issued during the verification of , and then to verify the condition (a) we do not need any extra query. Now we argue that whenever happens, outputs for some . We can see that perfectly simulates ame 2 for (and ame 3). Let us assume happens in this simulation. Then in the simulation by , the first two conditions (a) and (b) are satisfied. To claim that the condition (c) is satisfied, we argue that the tuple is not recorded when responding to the signing queries. It follows from the fact that encrypts none of ’s, while any which is recorded when responding to the signing queries encrypts one of ’s. Hence whenever happens, outputs with some .
We then apply the forking lemma [66] (See Appendix A for the statement) to and obtain the forking algorithm . Here, the number of queries is assigned to in the lemma, while is assigned to the set . All the randomness but that for determining the responses to queries is assigned to . The forking algorithm outputs with probability such that . Notice that is equal to in the forking lemma.
We then construct an algorithm which solves the -SDH problem whenever outputs . The construction of is as follows. Given -SDH instance , runs the forking algorithm . If outputs a tuple , outputs and halts. If outputs a tuple , where and it computes , and computes , , , , , , , and in a similar way, where , , , and are supposedly equal to , , , and , respectively. Then computesand obtains an SDH pair . Finally, obtains a solution for the SDH instance from the SDH pair (again, in the same way as done in the proof of emma 9 of [27]) and outputs this solution.
We show that whenever outputs , obtains a new SDH pair and thus solves the SDH problem.
Firstly, we argue that . This is due to the construction of and . Since we are assuming that outputs , the first run of outputs where , and the second run of outputs where . Therefore, is the -th query in the first run, while is the -th query in the second run. Furthermore, since outputs , we have that and .
Secondly, to establish that successfully computes , , , , , , , and , we show that if the forking algorithm outputs , the equationholds, where , , , and , are the reproduced values in the verification of and , respectively. The equation holds because the random tapes of both runs are equal, the first (and , respectively) responses of the queries are equal, -queries are issued before -th (and -th) -queries are issued, where and are the outputs of the first and second runs of in the forking algorithm . Then (D.32) holds because is the -th query in the first run, is the -th query in the second run, and query (and ) is issued before the -th (and -th) query.
Thirdly, we show that the extracted pair (in (D.31)) constitutes a new SDH pair. To show this, we claim that in which the , , and in the left-hand side are what extracts, and the right-hand side is what computes when confirming the winning condition of . This equation can be verified from the fact that there is the witness that satisfies (10a), (10b), (10c), (10d), (10e), (10f), (10g), (10h), (10i), and (10j). Now we are considering the event that is successful in forking, and thus is successful in satisfying the clause (i) in the traceability game. Therefore, the right-hand side is not equal to any of (). This assures that the extracted SDH pair is a new pair.
Finally we have that whenever is successful in forking, we can successfully obtain a solution to the SDH instance. This implies that is negligible, and thus is negligible.
Lemma D.11. is negligible if the -SDH assumption holds.
Proof. Using the adversary , we construct an algorithm that solves the -SDH problem. The proof again proceeds with the forking lemma [66] (Also see Appendix A).
Given the adversary we construct another algorithm which takes as an input an -SDH instance and a sequence of random exponents and outputs a tuple such that . The construction of is as follows. (i) Setup. takes as an input an -SDH instance and a sequence of random exponents . Then chooses a random integer and sets up SDH pairs where together with group elements , , as in the proof of Lemma D.10. The algorithm then chooses a random group element . It then chooses , , , chooses , , , and sets , , and . The algorithm sets up a counter . It finally sets , , , and for all , chooses a random tape for , and runs .(ii) query. When the adversary issues an query , searches for a recorded tuple and returns if one is found. Otherwise, generates a random , records , and returns to .(iii) query. When the adversary issues an query searches for a recorded tuple for some and and returns if one is found. If not, increments the counter , records , and returns .(iv) Key Revealing Query. When the adversary issues a key revealing query for the user , if , returns to . If , outputs and halts.(v) Signing Query. When the adversary issues a signing query , generates a signature as in (14), and confirms whether for some and is recorded. If recorded, outputs and halts. Otherwise, records , and returns to .(vi) Output. When the adversary outputs a forgery , let be and , , be the -values reproduced in the verification of . Then decrypts with , , , and by computing and searches for such that is recorded. Finally, if(a)the clause (ii) of the winning condition is satisfied,(b), and(c)such is found, outputs . Otherwise it outputs . Now we argue that with probability , outputs for some and . Let denote the output of . We want to show that where the last equality follows from the fact that is independent of ’s view. The simulation by is perfect except for the abort in the simulation of the responses to key revealing queries. Therefore, to show the first equality, it is sufficient to show that if the conditions (a) and (b) hold, the condition (c) also holds. Let us assume the conditions (a) and (b) hold. Then we can assume is not queried as a signing query. Hence when responding to the signing queries, only tuples of the form such that or does not encrypt are recorded. Therefore, when the query of the form where , , are taken from the forgery , and , , are the reproduced values in the verification of , the tuple of the form is not recorded for none of and . Thus when responding to such an query a new tuple of such form is recorded. This shows that when the conditions (a) and (b) hold the condition (c) also holds.
We then apply the forking lemma to . Here, the number of queries is assigned to , the set is assigned to , and all the randomness used by except for that used to determine the responses to queries is set to . We can obtain the forking algorithm which outputs some with probability such that . Notice that is equal to in the forking lemma.
We then construct an algorithm which solves the -SDH problem using . The construction of is as follows. Given an -SDH instance , runs the forking algorithm . If outputs a tuple , outputs and halts. If outputs , where and , it computes and computes , , , , , , , and in a similar manner, where , , , and are supposedly equal to , , , and , respectively. Then computesand obtains a new SDH pair . Finally obtains a solution to the SDH instance from the new SDH pair and outputs this solution, as in the proof of Lemma D.10.
Firstly we argue that when the forking algorithm outputs , it holds that . This is due to the constructions of and . Since outputs , the first run of outputs for some , and the second run of outputs for some . Therefore, due to the construction of , is the -th query in the first run, and is the -th query in the second run. Furthermore, due to the construction of , we have that and .
Secondly we claim that when the forking algorithm outputs , the equationholds, where , , and , , are the reproduced values in the verification of and , respectively. This equation holds because the random tapes of both runs are equal, the responses to the first (and ) queries are equal, and the queries (of both runs) are issued before the -th (and -th) queries. Then (D.37) holds because is the -th query, and is the -th query.
Thirdly we claim that the pair obtained (as in (D.36)) constitutes a new SDH pair. To show this we claim that where the left-hand side is what extracts in (D.36), while the right-hand side is what computes for verifying the winning condition of . This equation is verified by a simple calculation as in the proof of Lemma D.10. This equation ensures that extracted is equal to , because the right-hand side is equal to , due to the constructions of . Note that the corresponding exponent of is unknown to , hence the extracted SDH pair is a new SDH pair.
Eventually, we have that whenever the forking is successful, successfully obtains a new SDH pair. This implies that is negligible, and thus is negligible.
From the above lemmas, the proof of Theorem 14 is completed.
Data Availability
The data used to support the findings of this study are included within the article.
Disclosure
Preliminary versions of this paper are presented at the 5th International Conference on Pairing-Based Cryptography (Pairing 2012) and at the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013). The present address of Kazuma Ohara is NEC Corporation, 1753 Shimonumabe, Nakahara-ku, Kawasaki, Kanagawa 211-8666, Japan.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The authors are grateful to Hovav Shacham for pointing out the possibility of using random oracles to achieve unbounded security. The authors would like to thank Shin-Akarui-Angou-Benkyou-Kai for valuable discussions and comments. A part of this work was supported by JSPS KAKENHI Grants numbers 18K18055 and 19H04107, Japan, and JST CREST Grant number JPMJCR19F6, Japan.