Research Article  Open Access
Keita Emura, Goichiro Hanaoka, Yutaka Kawai, Takahiro Matsuda, Kazuma Ohara, Kazumasa Omote, Yusuke Sakai, "Group Signatures with MessageDependent Opening: Formal Definitions and Constructions", Security and Communication Networks, vol. 2019, Article ID 4872403, 36 pages, 2019. https://doi.org/10.1155/2019/4872403
Group Signatures with MessageDependent Opening: Formal Definitions and Constructions
Abstract
This paper introduces a new capability for group signatures called messagedependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with messagedependent opening (GSMDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GSMDO and proposes a generic construction of it from identitybased encryption and adaptive noninteractive zeroknowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the messagedependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded messagedependent opening property. Furthermore, we also demonstrate that GSMDO implies identitybased encryption, thus implying that identitybased encryption is essential for designing GSMDO schemes.
1. Introduction
Group signatures [1] are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group. Signatures are verified with a single group public key, and the verification process does not reveal the identity of the signer. A designated authority, called the opener, identifies the actual signer in various exceptional cases. However, ordinary group signatures provide the opener with an extreme privilege; i.e., the opener can freely identify the originator of any signature that he chooses. In other words, ordinary group signature schemes provide absolutely no assurance of privacy against the opener. For example, in an anonymous auction the opener can extract all bidders’ identities, which will be explained later in more detail.
This paper investigates a way of “decentralizing” this strong authority of the opener. Towards this end, we propose a new kind of group signatures involving the messagedependent opening (MDO) property. It divides (or decentralizes) the strong authority of the opener by introducing another authority called the admitter. In exceptional cases that a signature on a problematic message is found, the admitter issues a token that corresponds to the message (as opposed to all signed messages). The opener extracts the signer’s identity from the signature using this token, whereas without it, he is not able to do so. For instance, in an anonymous bulletin board system using our group signature scheme, if the admitter decides that the message “Mr. XXX is a fool!” should not be publicized as a signed message by an anonymous group member, he issues a token for this message. Then, by using it, the opener can immediately identify the signer’s identity of any signature if it corresponds to this message.
At first glance, one may think that the popular thresholding technique (i.e., thresholding the opener into multiple lesstrusted openers) [2] would already be sufficient to achieve the above property. However, this is not true. Namely, in our context, the token is generated on the message that the admitter chooses but not the signature for such messages. Therefore, once a token for a message (which is chosen by the admitter) is issued, the signers’ identities for all signatures on this message can immediately be extracted by the opener without him having to interact with any other party. Consequently, the opener can noninteractively identify the signer’s identity for a message that has already been specified as problematic. Furthermore if the admitter considers that there is no longer any need to specify further messages that should be opened, then he can erase his memory to avoid having his secret leaked. Note that even when the admitter has erased his secret, the opener can still open the signer’s identity of any signature provided that its corresponding message was previously specified by the admitter.
1.1. Contributions
This paper proposes group signatures with a new additional capability, called group signatures with messagedependent opening (GSMDO). We introduce an admitter in GSMDO, as previously mentioned, that issues tokens for specific messages, and by using these tokens, the opener can extract signers’ identities from signatures only if their corresponding messages have been specified. We can flexibly restrict the capabilities of the opener utilizing this property without implementing any complicated interactive procedures (e.g., threshold decryption).
The main contributions of this paper are threefold. First, we provide a formal model and a security definition for GSMDO. Our model and security definition are extensions of the BellareMicciancioWarinschi (BMW) model [3], which is considered to be the basic security definition for group signatures in the static setting. More specifically, our security model is a natural modification of this model extended according to the difference between a standard group signature scheme and ours which introduces the MDO property. In addition, we demonstrate that it is possible to derive identitybased encryption (IBE) from any GSMDO scheme in a blackbox manner if the underlying GSMDO is secure in the above sense.
Secondly, we present a generic construction of GSMDO from a public key encryption (PKE) scheme, an IBE scheme, and an adaptive noninteractive zeroknowledge (NIZK) proof system. (Technically, we use a tagbased KEM (key encapsulation mechanism) and an identitybased KEM instead of a PKE scheme and an IBE scheme). Given the above result that GSMDO implies IBE, it is expected to be quite hard to construct GSMDO without using IBE or similar primitives as a building block. We note that simulationsoundness [4] is not required for NIZK in our generic construction, while the generic construction of the (ordinary) group signature [3] requires this strong property.
Finally, we propose two efficient instantiations of GSMDO, one in the standard model and one in the random oracle model. Our scheme in the standard model uses the GrothSahai proof system [5] as an NIZK proof system in our generic construction. To utilize the GrothSahai proof system in our generic construction, we note that an IBE scheme that is compatible with the GrothSahai proof (such as structurepreserving signatures [6]) is necessary since our generic construction requires IBE. To be compatible with the GrothSahai proof system, an IBE scheme needs to be able to encrypt a basegroup element and to have its ciphertext consist of only basegroup elements. Although Libert and Joye [7] proposed an IBE scheme whose plaintext space is a base group, and the IBE scheme is compatible with the GrothSahai proof, the size of the group signature of the resulting GSMDO scheme depends on the number of group members. In order to construct a GSMDO scheme with constantsize signature, we also construct a new IBE scheme that has only resilient security [8]. Therefore, the resulting GSMDO scheme inherits this restriction (i.e., the admitter can issue at most tokens). The size of a signature is approximately 10 kilobytes when a 170bit primeorder group is used. (We adopt the estimates of bit sizes for group elements used in [9]). Our scheme in the random oracle model, on the other hand, is based on the BonehBoyenShacham (BBS) group signature [10] and uses the BonehFranklin (BF) IBE scheme [11] and a variant of the CramerShoup encryption scheme [12, 13]. As we can use IBE (which is not resilient) in the random oracle model, GSMDO with an unbounded MDO property (i.e., the number of tokens issued by the admitter is unlimited) can thus be constructed. The idea behind this construction is based on our generic construction, but the instantiation is not straightforward since the PKE scheme and the IBE scheme cannot directly be combined. Hence, we modify the building blocks and the construction to combine them. To be more precise, we design a dedicated extension of the linear encryption scheme [10] with chosenciphertext security and public verifiability to enable our efficient construction. The size of the signature of the scheme is 3636 bits in 80bit security, which is times smaller than that of our standard model scheme.
Note that our security notions and proposed schemes assume that the system setup is carried out honestly. This setup includes the generation of a common reference string, the opener’s and the admitter’s secret keys, and the group members’ signing keys. However, the goal of the current paper is to provide a feasibility study of the MDO property in group signatures. Namely, we study the possibility of constructing a GSMDO scheme in a simple setting where several parameters and secret keys are generated honestly. We defer to future work a more comprehensive study on the possibility of constructing a scheme with a more complicated and realistic scenario such as that allowing maliciously generated parameters and on providing a hedge against this types of attack.
1.2. Applications
As previously mentioned, a straightforward application of GSMDO schemes is in detecting the originators of inappropriate messages in anonymous bulletin board systems. We further discuss more potential applications of GSMDO schemes in what follows.
The first application we discuss is anonymous auctions, where bidders form a group of anonymous signers. Each bidder produces a group signature on his bidding price. The admitter issues a token for opening signatures on the highest price to detect the winner(s). The opener is then only able to open the signatures on the highest price.
The main advantage (of the MDO approach) over the threshold approach becomes clear in this application. Suppose that there are many winners who all have bid the highest price resulting in a tie. As an interaction will be needed for each winner in the threshold approach, the total communication cost will be proportional to the number of winners. In contrast, if one takes the MDO approach, only a small communication bandwidth from the admitter to the opener is needed. The communication cost does not depend on the number of winners.
Another application in which the MDO property is useful is identity escrow. Although our primitive is a rather general purpose primitive for identity escrow scenarios, for the ease of understanding, let us discuss this with a concrete example. Consider a customer who enters an automated parking garage [14], where he generates a group signature on a message that encodes the date when he enters the car park (say, the string “20120220”). Let us assume a felony has been committed (e.g., a person is murdered) in the garage. The opener in this case will open the signatures on the date when the murder occurred to identify who was there on that day.
The opener in this application needs to open many signatures on the same message. If one adopts the threshold technique to decentralize the authority, many interactions are required to open all the signatures. The MDO property removes interactions between authorities, i.e., the admitter issues a token for the day, and the opener opens all the signatures without interactions.
As an application of GSMDO, Arai et al. [15] proposed a privacypreserving anomaly detection framework. In their framework, the admitter plays the role of analyzing data, and the opener plays the role of detecting adversarial users. Briefly, a user generates a group signature on data, and sends it to the admitter. Then, the admitter can detect anomaly data without identifying users. For detecting adversarial users who generate anomaly data, the admitter generates tokens that correspond to the anomaly data, and sends them to the opener. This framework allows the admitter to detect adversarial users, while other honest users are kept anonymous.
1.3. Related Work
Since group signatures were first proposed by Chaum and van Heyst [1], many efficient constructions have been proposed, most of which depend on a random oracle [10, 16–23]. Many earlier schemes were based on the strong RSA assumption [24, 25]. Group signature schemes based on assumptions related to the discretelogarithm type were achieved, to name a few, by Camenisch and Lysyanskaya [17] and by Boneh, Boyen, and Shacham [10]. The former scheme is based on the LRSW assumption [26], while the latter is based on the strong DiffieHellman (SDH) assumption [27].
Group signature schemes without random oracles were also achieved. Ateniese et al. [28] first proposed a group signature scheme from interactive assumptions avoiding random oracles. Following this scheme, Groth proposed a group signature scheme that avoids random oracles and interactive assumptions [29], but his scheme has a very large signature size. Boyen and Waters [30, 31] proposed highly efficient constructions, although the security guarantees of their schemes are not very strong, i.e., they only achieve socalled CPAanonymity. Groth [32] proposed another group signature scheme, which is almost as efficient as the BoyenWaters schemes and satisfies higher security guarantee of the BellareShiZhang (BSZ) model [33]. Libert et al. [34] proposed a group signature scheme secure in the standard model from standard assumptions.
Regarding decentralizing and distributing the power of the group manager, the separability of a cryptographic protocol was introduced by Kilian and Petrank [14] in the context of identity escrow. Later, this notion was refined and adopted to the context of group signature by Camenisch and Michels [35]. The separability notion requires that keys of several entities involved in a cryptographic primitive be generated independently of each other. In their setting, the power of a group manager is separated into two authorities. The first authority is able to allow a new member to join the group but is not able to identify the originator of a group signature, and the other authority is able to identify the originator of a group signature but is not able to allow a new member to join the group. More formal modeling of these separated authorities has been proposed by Bellare et al. [33] and Kiayias and Yung [36]. Sakai et al. [37] further extended the BSZ model by considering signature hijacking attacks.
Libert et al. [38, 39] proposed scalable group signature schemes with revocation, and Attrapadung et al. [40] and Nakanishi et al. [41] also proposed revocable group signature schemes with a compact revocation list.
Traceable signatures are an extended notion of group signatures and were introduced by Kiayias, Tsiounis, and Yung [42]. This primitive allows the group manager to specify a group member as “misbehaving”. Once a member is specified by the manager, anyone becomes able to detect the signatures of the specified user without interacting with the manager. In this case, signatures of other group members continue to be anonymous. In our terminology, this primitive achieves a somewhat “signerdependent opening” property, but the MDO property is not achieved. A contractual anonymity system [43] based on group signatures with verifierlocal revocation [44] has been proposed. In this system, when a user breaks a contract, an accountability server revokes the anonymity of the user and notifies the identity of the user to the service provider. (In this system, a user is said to break a contract when the user sends a message breaking the contract policy of the service provider). Since this scheme uses a conventional open algorithm, this system also differs from MDO.
As followup works to our results [45, 46], Libert and Joye [7] proposed an unbounded GSMDO scheme in the standard model with logarithmic signature size. They proposed a partially structurepreserving IBE scheme and used it as a building block of GSMDO. The signature of their scheme consists of group elements, where is the number of group members, whereas our GSMDO schemes achieve constantsize signatures, though our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GSMDO scheme secure in the standard model with constantsize signatures is an interesting open problem. Libert, Mouhartem, and Nguyen [47] proposed a latticebased (unbounded) GSMDO scheme in the random oracle model. Their scheme was proved secure from the short integer solution (SIS) assumption and the learning with errors (LWE) assumption. The signature size of this scheme is still logarithmic in the number of signers, whereas our two constructions have constantsize signatures.
Preliminary versions of this paper were presented at the 5th International Conference on PairingBased Cryptography (Pairing 2012) [45] and at the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) [46]. This is the merged full version. In this version, we give security proofs omitted in the proceedings versions.
1.4. Paper Organization
The rest of this paper is structured as follows. Section 2 briefly describes definitions and security notions of several building blocks. Section 3 presents the notion of GSMDO, its syntax and security definitions. Section 4 discusses difficulties behind constructing efficient GSMDO schemes. Specifically, we argue the use of IBE in a construction of GSMDO is essential by showing a generic construction of IBE from GSMDO. In Section 5, we propose a generic construction of GSMDO, and Sections 6 and 7 show reasonably efficient instantiations in the standard model and the random oracle model, respectively. In Section 8, we compare the efficiency of our GSMDO schemes with previous group signatures. In Section 9, we conclude the paper and list open problems.
2. Preliminaries
In this section, we describe the syntax of building blocks and some computational assumptions we use for constructing GSMDO. Throughout the paper, we use the following notations: denotes that is uniformly and independently sampled from the set . For an algorithm , an input , and a randomness we denote to run with an input and a randomness and let be the output. When the randomness is implicit, we denote . For an integer , let .
2.1. Signatures
A signature scheme consists of the following three algorithms:(i)SigKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a verification key and a signing key.(ii)Sign: this is the signing algorithm that takes as inputs a signing key and a message and outputs a signature on the message .(iii)Verify: this is the verification algorithm that takes as inputs a verification key , a message , and a signature and outputs or , which, respectively, indicate “accept” or “reject.”
For correctness, we require that for all , all pairs ← SigKg(), and all messages , it is satisfied that Verify(, Sign()) = .
A signature scheme is said to be existentially unforgeable under chosenmessage attacks (EUFCMA), if for any probabilistic polynomialtime adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary adaptively issues signing queries in an arbitrary order. For each signing query , the challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if is not queried as a signing query, and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
A signature scheme is said to be a strongly unforgeable onetime signature scheme, if for any probabilistic polynomialtime adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←SigKg() and gives the adversary .(ii)Query: the adversary issues a signing query only once. The challenger runs ← Sign() and returns to the adversary.(iii)Forge: finally the adversary outputs a forgery . The adversary wins the game if and Verify() = .
The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .
2.2. TagBased Key Encapsulation Mechanism
A tagbased key encapsulation mechanism (tagbased KEM) (Tagbased encryption, an encryption analogue of tagbased KEM, is originally introduced as “encryption with labels” by Shoup and Gennaro [49]. Tagbased KEM is different from “tagKEM”, introduced by Abe, Gennaro, Kurosawa, and Shoup [50]. However, any chosenciphertext secure tagKEM can be immediately converted to a tagbased KEM satisfying security that is sufficient for our purpose) [51, 52] scheme consists of the following three algorithms:(i)TKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a public key and a secret key.(ii)TEnc: this is the encapsulation algorithm that takes as inputs a public key and a tag and outputs where a ciphertext for a tag encapsulates a session key and is the session key space associated with the scheme.(iii)TDec: this is the deterministic decapsulation algorithm that takes as inputs a secret key , a tag , and a ciphertext and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all ()←TKg(), all tags , and all ()←TEnc(), it holds that TDec() = .
A tagbased KEM is said to be selectivetag weakly chosenciphertext secure if for any probabilistic polynomialtime adversary the advantage in the following game is negligible:(i)Setup: the adversary is given a security parameter and outputs a challenge tag . The challenger runs ()←TKg(), then the challenger gives the adversary the public key .(ii)Query (Phase I): the adversary issues decryption queries in an arbitrary order. The challenger runs ← TDec( and returns to the adversary. Here the adversary is not allowed to issue queries with .(iii)Challenge: at some point the adversary requests a challenge. The challenger chooses a random bit , runs ()←TEnc(), chooses , and sends .(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue decryption queries. The same restriction for queries is applied as before.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
2.3. IdentityBased KEM and Its Resilient Variant
An identitybased KEM [8] consists of the following four algorithms:(i)ISetup: this is the setup algorithm that takes as inputs a security parameter and a collusion threshold and outputs a pair of a public parameter and a master secret key.(ii)IExt: this is the key extraction algorithm that takes as inputs a master secret key and an identity and outputs a user decapsulation key .(iii)IEnc: this is the encapsulation algorithm that takes as inputs a public parameter and an identity and outputs where a ciphertext for an identity encapsulates a session key and is the session key space associated with the scheme.(iv)IDec: this is the deterministic decapsulation algorithm that takes as inputs , , and and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.
For correctness, we require that for all , all , all ()←ISetup(), all identities , all ←IExt(), and all ()←IEnc(), it holds that IDec() = .
An identitybased KEM is said to be resilient if for any probabilistic polynomialtime adversary the advantage in the following game is negligible:(i)Setup: the challenger runs ()←ISetup(), then the challenger gives the adversary the public parameter .(ii)Query (Phase I): the adversary issues extraction queries in an arbitrary order. The challenger runs ← IExt() and returns to the adversary. The total number (the summation of those in Phase I and Phase II) of extraction queries during the game is restricted to be smaller than or equal to .(iii)Challenge: at some point the adversary requests a challenge with an identity . The challenger chooses a random bit , runs ()←IEnc(), chooses , and sends . The adversary is not allowed to request a challenge with an identity whose user decapsulation key is queried before.(iv)Query (Phase II): after receiving the challenge the adversary is again allowed to issue extraction queries. This time querying a user decapsulation key for is disallowed.(v)Guess: finally the adversary outputs a bit . The adversary wins the game if .
The advantage of the adversary is defined by and is denoted by .
A fully secure IBE scheme is defined analogously with the difference that the setup algorithm does not take as an input and in the game the number of extraction queries is unbounded.
2.4. Adaptive Noninteractive ZeroKnowledge Proofs
A noninteractive proof system for a polynomialtime computable relation consists of the following three algorithms:(i): this is the common reference string generation algorithm that takes as an input a security parameter and outputs a common reference string .(ii): this is the proof algorithm that takes as inputs a common reference string , a statement , and a witness , where and outputs a proof .(iii): this is the verification algorithm that takes as inputs a common reference string , a statement , and a proof and outputs either or .
We say that a noninteractive proof system has perfect completeness, if for all , for all such that , for all , for all it holds that .
A noninteractive proof system is said to have adaptive perfect soundness, if for any probabilistic polynomialtime adversary the advantage in the following game is equal to zero:(i)Setup: the challenger runs and gives the adversary the common reference string .(ii)Forge: the adversary outputs a pair of a statement and a proof. The adversary wins if and for any .
The advantage of the adversary is defined by the probability that the adversary wins and is denoted by .
We say that a noninteractive proof system is adaptively zeroknowledge if there is a pair of algorithms such that for any probabilistic polynomialtime adversary the advantage in the following game is negligible:(i)Setup: the challenger generates a bit . If the challenger runs . If the challenger runs . Then the challenger gives the adversary the common reference string .(ii)Query: the adversary is allowed to issue a query such that only once. If the challenger runs . If the challenger runs . The challenger gives the adversary .(iii)Guess: finally the adversary outputs a bit .
The advantage of the adversary is defined by and is denoted by .
2.5. Computational Assumptions
Let be a probabilistic polynomialtime algorithm that takes a security parameter as an input and generates a parameter of bilinear groups, where is a bit prime, and are groups of order , is a bilinear map from to , and is a generator of . We then describe several computational assumptions on which the proposed schemes are based.
The Strong DiffieHellman Assumption [27]. Let and let , and for . The strong DiffieHellman problem in is stated as follows: given , output where . The advantage of an algorithm in solving the strong DiffieHellman problem is defined as We say that the strong DiffieHellman (SDH) assumption holds if is negligible in for any probabilistic polynomialtime algorithm .
For some fixed base and a fixed group element we say that a pair is an SDH pair if is equal to .
The Decision Linear Assumption [10]. Let , , , , , , and . The decision linear problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision linear problem is defined as We say that the decision linear (DLIN) assumption holds if is negligible in for any probabilistic polynomialtime algorithm .
For some fixed bases , , , we say that a tuple is a linear tuple if there exist exponents , that satisfy .
The Decision Bilinear DiffieHellman Assumption [53]. Let and , , , . The decision bilinear DiffieHellman problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision bilinear DiffieHellman problem is defined as We say that the decision bilinear DiffieHellman (DBDH) assumption holds if is negligible in for any probabilistic polynomialtime algorithm .
The Simultaneous Flexible Pairing Assumption [54]. Let , , , , are generators of and , . For , let which satisfies and . The simultaneous flexible pairing problem is stated as follows: given and , output where and satisfying and for every . The advantage of an algorithm in solving the simultaneous flexible pairing problem is defined asWe say that the simultaneous flexible pairing (SFP) assumption holds if is negligible in for any probabilistic polynomialtime algorithm .
3. Group Signatures with MessageDependent Opening
In this section we introduce the syntax and security definitions for GSMDO. As an ordinary group signature scheme, a GSMDO scheme allows group members to sign a message anonymously, that is, without revealing their identities but only showing that one of the group members actually signed. In exceptional cases, a designated third party, called the opener, can “open” exceptional signatures to identify the originator of the signatures. In contrast to ordinary group signature schemes, a GSMDO scheme requires the opener to cooperate with another authority, called the admitter, to open signatures. The admitter issues a messagespecific token, and the opener is able to open a signature on the message only when a token for the message is issued from the admitter.
In this section, we define the formal model and the security requirements of GSMDO.
3.1. The Model of GSMDO
Formally, a GSMDO scheme consists of the following five probabilistic polynomialtime algorithms:(i)GKg: this is the key generation algorithm that takes as inputs a security parameter , the number of group members , and the maximum number of messagespecific tokens that can be issued and outputs a group public key , an admitting key , an opening key , and group signing keys . We note that the input is omitted when the number of messagespecific tokens that can be issued is unbounded.(ii)GSig: this is the signing algorithm that takes as inputs a group public key , a group signing key , and a message and outputs a group signature .(iii)Td: this is the messagespecific token generation algorithm that takes as inputs a group public key , an admitting key , and a message and outputs a token for .(iv)GVf: this is the verification algorithm that takes as inputs a group public key , a message , and a group signature and outputs (that means accept) or (that means reject).(v)Open: this is the opening algorithm that takes as inputs a group public key , an opening key , a message , a group signature , and a messagespecific token and outputs a user index or .
For correctness, we require that for all , , , for all ()←GKg(), for all messages and all user , it holds that GVf(, , GSig()) = and Open(, , , GSig(), Td()) = .
In the above scenario, the signing keys , the opening key , and the admitting key are generated by the GKg algorithm in the setup phase. Then, is given to the opener and is given to the admitter. A signer can make a group signature by using the GSig algorithm, and all entities can verify the group signature by the GVf algorithm and public key . This setting is the same as ordinary group signatures, except the group manager’s key is divided into and . In exceptional cases, the admitter issues a messagespecific token by using the Td algorithm. Moreover, the opener can identify the signer of a group signature by using the Open algorithm only when the opener received from the admitter.
3.2. Security Requirements
We introduce the security notion for GSMDO. In contract to ordinary group signatures, we need to take care of the MDO property.
Ordinary group signatures are required to ensure two security notions, anonymity and traceability, whereas we have to further ensure two types of anonymity in the case of GSMDO that are related to the original motivation for the introduction of the admitter. The introduction of the admitter is intended to strengthen signers’ anonymity against the authorities as much as possible. To capture this intention, we define the indistinguishability of the originator of a signature in the strong setting where the opening key is given to the adversary (opener anonymity). As a counterpart of this, we also define indistinguishability in the setting where the admitting key is given to the adversary (admitter anonymity). Note that we do not consider the situation in which the adversary obtains both the opening key and the admitting key because in this situation the adversary can open any signature by itself.
For traceability, we use the same definition as for the ordinary group signatures, in which the authorities are entirely corrupted by the adversary, since even ordinary group signature schemes ensure this level of traceability against entirely corrupted openers.
3.2.1. Opener Anonymity
Here we give the formal definition of anonymity against the opener, which we call opener anonymity. It is formalized as the indistinguishability of signatures of two different signers of the adversary’s choice. Opener anonymity is defined by requiring that no adversary has nonnegligible advantage in distinguishing signatures. We again remark that contrary to ordinary group signatures, the adversary is allowed to have the opening key. This is intended for modeling “anonymity against the opener.”
Definition 1. A GSMDO scheme is said to have opener anonymity if for any probabilistic polynomialtime adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Token Query (Phase I): adaptively issues token queries in an arbitrary order. The challenger runs ←Td() and returns to .(iii)Challenge: at some point requests a challenge for , , and a message . The challenger chooses a random bit , runs ← GSig(), and sends to . is not allowed to request a challenge with a message whose token is previously queried.(iv)Token Query (Phase II): after receiving the challenge is again allowed to issue token queries. This time querying a token for is disallowed.(v)Guess: finally outputs a bit . wins the game if . wins the game if .
The advantage of is defined by and is denoted by . We also say that a GSMDO scheme has opener anonymity with bounded tokens if any probabilistic polynomialtime adversary which issues at most token queries in total has negligible advantage.
3.2.2. Admitter Anonymity
We next give the definition of anonymity against the admitter, which we call admitter anonymity. It is formalized in a similar manner to opener anonymity. That is, admitter anonymity requires signatures of two different signers to be indistinguishable even when the adversary is given the admitting key. We emphasize that our definition of opener anonymity is categorized as socalled CCAanonymity. This means that the adversary in the security game is allowed to access the opening oracle. The formal definition is as follows:
Definition 2. A GSMDO scheme is said to have admitter anonymity if for any probabilistic polynomialtime adversary the advantage in the following game is negligible: (i)Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii)Open Query (Phase I): adaptively issues open queries in an arbitrary order. The challenger finds a recorded which is a token for , and if not found, runs ←Td(), and stores . The challenger runs ←GSig() and returns to .(iii)Challenge: at some point requests a challenge for , and a message . The challenger chooses a random bit , runs ←GSig() and sends to .(iv)Open Query (Phase II): after receiving the challenge is again allowed to issue open queries. This time querying an opening of is disallowed.(v)Guess: finally outputs a bit . wins the game if .
The advantage of is defined by and is denoted by .
Notice that the number of opening queries the adversary issues is unbounded (but of course polynomially many).
3.2.3. Traceability
The last notion is traceability, which requires that even if the opener and the admitter collude and they further adaptively corrupt some group members, the corrupted parties can produce neither forged signatures nor untraceable signatures. We stress that in contrast to the case of the anonymity notions, this case considers the collusion of two authorities.
Definition 3. A GSMDO scheme is said to have traceability if for any probabilistic polynomialtime adversary the advantage in the following game is negligible: (i) Setup: the challenger runs GKg() to obtain . The challenger sends to .(ii) Query: adaptively issues the following two types of queries:(1) issues a key revealing query . The challenger returns to .(2) issues a signing query . The challenger runs ←GSig() and returns .(iii) Forge: finally outputs a forgery . wins if GVf() = and one of the following two conditions holds:(a) Open(, Td()) = , or(b)all the following conditions hold, Open(, Td()) = , and neither a key revealing query for the user nor a signing query for is submitted.
The advantage of is defined by and denoted by .
4. Difficulty in Designing Efficient Constructions
In this section we discuss several difficulties in designing efficient GSMDO schemes. We first observe the relationships between GSMDO and other cryptographic primitives, and then we discuss the difficulty that lies in designing efficient constructions.
Regarding the relationship with other primitives, we show that the existence of a GSMDO scheme implies that of an IBE scheme. In other words, we will present a blackbox construction of IBE from any GSMDO scheme. The same holds for the resilient versions.
This fact means that constructing a GSMDO scheme is harder than IBE. Moreover, IBE is well known as a strong primitive. For example, there is no blackbox construction of IBE from a trapdoor permutation or chosenciphertext secure PKE [55]. Therefore, GSMDO is also strong and difficult to construct.
We note that Box 1 only shows a construction of an identitybased key encapsulation mechanism rather than identitybased encryption. However, it suffices since we can obtain a secure encryption scheme by combining the construction with an appropriate data encapsulation mechanism.

The formal theorems are as follows:
Theorem 4. If the underlying GSMDO scheme satisfies opener anonymity, the identitybased KEM in Box 1 is fully secure.
Theorem 5. If the underlying GSMDO scheme satisfies opener anonymity with bounded tokens, the identitybased KEM in Box 1 is resilient.
The intuition behind the construction in Box 1 is as follows. In the IEnc algorithm, each is a group signature of either or . Therefore, by the opener anonymity of the GSMDO scheme, the entity who does not have (corresponding to the admitter’s key) cannot identify which signing key is used to make . The receiver can get (corresponding to the messagedependent token), and only the receiver can open the group signature and get by using the . Formal proofs can be given by a straightforward modification of the proof by Abdalla and Warinschi [56] or the similar technique to that used by Ohtake, Fujii, Hanaoka, and Ogawa [57], hence we omit detailed proofs.
From Theorems 4 and 5, we make the following observation about the difficulty in constructing GSMDO.(i)Inevitability of using IBE: these theorems suggest that using IBE is essential for constructing a GSMDO scheme. Considering the fact that a blackbox construction of IBE from a trapdoor permutation is impossible [55], we can conclude that it is almost unavoidable for a GSMDO scheme to rely on an IBE scheme or its equivalence, not only on a trapdoor permutation and an NIZK proof system. Otherwise one could construct an IBE scheme from surprisingly weaker primitives.(ii)Difficulty in constructing efficient GSMDO in the standard model: another important aspect of establishing an efficient GSMDO scheme in the standard model is the necessity of realizing a “GrothSahai compatible” IBE scheme. This is because the only known construction of NIZK proof systems with reasonable efficiency in the standard model is limited to the GrothSahai proof system. Also note that an NIZK proof system has been an important building block for almost all group signature schemes ever.
We show a generic construction of GSMDO using a NIZK proof system and IBE in Section 5. However, currently no known IBE scheme is GrothSahai compatible in the sense that the GrothSahai proof system cannot prove a kind of the wellformedness of an IBE ciphertext in zeroknowledge. (Libert and Joye [7] proposed an IBE scheme where we are able to prove the wellformedness of a ciphertext using the GrothSahai proof system. However, at the time of the publication of the conference version, there were no known IBE scheme with this property). This is because an IBE scheme in a bilinear group is typically able to encrypt a targetgroup element. In addition, the ciphertext of such a scheme includes a targetgroup element. Unfortunately, the GrothSahai proof system is not always able to prove a statement involving targetgroup elements in zeroknowledge.
Here we provide two methods of overcoming this gap. The first one is to adopt resilient IBE instead of fully secure IBE. In particular, we design a resilient IBE scheme from the DLIN assumption by modifying the HengKurosawa scheme [8] for this purpose. (We also note that a similar construction can be obtained from the keyinsulated encryption scheme proposed by Dodis, Katz, Xu, and Yung [58]). The construction of GSMDO using resilient IBE is shown in Section 6.
The second method is to apply random oracles. We construct a GSMDO scheme based on the BBS group signature scheme [10], which is one of the most efficient group signature schemes in the random oracle model. The opening procedure is implemented by the linear encryption scheme [10, 13], and a user’s certificate is implemented by the BonehBoyen short signature scheme [27]. The MDO property is realized by adopting the BF IBE scheme [11]. In order to combine the short group signature scheme and the BF IBE scheme, we replace the linear encryption scheme with a certain type of outof multiple encryption. This construction is shown in Section 7.
5. Generic Construction
In this section, we give a generic construction of a GSMDO scheme. The construction is built on an EUFCMA secure signature scheme, a strongly unforgeable onetime signature scheme, a selectivetag weakly chosenciphertext secure tagbased KEM, a resilient identitybased KEM, and an adaptive NIZK proof system.
At a first glance, there are various building blocks. However, our generic construction only relies on the existence of an IBE scheme and that of an NIZK proof system. Indeed, signature schemes and a chosenciphertext secure tagbased encryption scheme can be constructed from a fully secure IBE scheme.
5.1. Underlying Ideas
The proposed construction shares an underlying idea with the generic construction of Bellare, Micciancio, and Warinschi (the BMW construction) [3] except that we do not need “simulationsoundness” for the underlying NIZK proof system. Instead of this strong security requirement, we combine (ordinary) NIZK proofs with a strongly unforgeable onetime signature scheme. We remark that essentially the same techniques have been used in a variety of contexts. To name a few, Groth [32] used this technique for an efficient group signature scheme in a very similar manner. Camenisch, Chandran, and Shoup [59] used it to construct simulationsound NIZK proofs, improving the result of Groth [29].
5.2. Construction
In this section, we present our generic construction of GSMDO. Our construction uses an identitybased KEM (ISetup, IExt, IEnc, IDec), tagbased KEM (TKg, TEnc, TDec), an EUFCMA secure signature scheme (SigKg, Sign, Verify), a onetime signature scheme (, , ), and an NIZK proof system . In addition, we require that the session key spaces and be the same set, and be associated with a group operation .
In our construction, a group member has a key pair of the signature scheme, in which is authorized by another verification key at the setup time. When a member generates a group signature, the member simply signs a message by . To be anonymous, the member further encrypts the signature together with the certificate (of the member), which authorizes the verification key , and attaches a noninteractive proof that demonstrates that a signature of an authorized member has been encrypted. To encrypt a signature, the member uses a multiple encryption technique to ensure that neither the opener nor the admitter can reveal the identity as long as the admitter has not issued a token to the opener. We need two requirements on the session key spaces of the tagbased KEM and the (resilient) IBE scheme. We require that be equal to as a set, and that they form a finite group with group operation . These requirements are needed because we use a onetime pad to encrypt a signature of the group member. This group operation also needs to fall into the class of relations that can be represented by the used noninteractive proof system.
Let us explain the noninteractive proof that appears in the construction. The signature of the proposed scheme is of the form , and, as mentioned above, the proof demonstrates that a valid signature of an authorized group member has been encrypted into in a kind of a “multiple encryption” manner. More specifically, the proof proves that there exist a randomness (for tagbased KEM), another randomness (for identitybased KEM), a user index , and the verification key , a certificate , and a signature on a message , such that
Finally, two encoding functions are needed to complete the description of the generic construction. The first is used to encode the user index of a group member and his verification key into the message space of the signature scheme when generating certificates of group members. The second one is used to encode into , where is the user index of a group member and , , and are his verification key, certificate, and signature, respectively. It is used when issuing a group signature, especially when encrypting his signature in order to hide his identity.
The complete description of the scheme is shown in Box 2.
