#### Abstract

This paper introduces a new capability for group signatures called* message-dependent opening*. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an* admitter* that is not able to extract any user’s identity but* admits* the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.

#### 1. Introduction

Group signatures [1] are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group. Signatures are verified with a single group public key, and the verification process does not reveal the identity of the signer. A designated authority, called the opener, identifies the actual signer in various exceptional cases. However, ordinary group signatures provide the opener with an extreme privilege; i.e., the opener can freely identify the originator of any signature that he chooses. In other words, ordinary group signature schemes provide absolutely no assurance of privacy against the opener. For example, in an anonymous auction the opener can extract all bidders’ identities, which will be explained later in more detail.

This paper investigates a way of “decentralizing” this strong authority of the opener. Towards this end, we propose a new kind of group signatures involving* the message-dependent opening (MDO) property*. It divides (or decentralizes) the strong authority of the opener by introducing another authority called the* admitter*. In exceptional cases that a signature on a problematic message is found, the admitter issues a* token* that corresponds to the message (as opposed to all signed messages). The opener extracts the signer’s identity from the signature using this token, whereas without it, he is not able to do so. For instance, in an anonymous bulletin board system using our group signature scheme, if the admitter decides that the message “Mr. XXX is a fool!” should not be publicized as a signed message by an anonymous group member, he issues a token for this message. Then, by using it, the opener can immediately identify the signer’s identity of any signature if it corresponds to this message.

At first glance, one may think that the popular thresholding technique (i.e., thresholding the opener into multiple less-trusted openers) [2] would already be sufficient to achieve the above property. However, this is not true. Namely, in our context, the token is generated on* the message that the admitter chooses* but not the signature for such messages. Therefore, once a token for a message (which is chosen by the admitter) is issued, the signers’ identities for all signatures on this message can immediately be extracted by the opener without him having to interact with any other party. Consequently, the opener can noninteractively identify the signer’s identity for a message that has already been specified as problematic. Furthermore if the admitter considers that there is no longer any need to specify further messages that should be opened, then he can erase his memory to avoid having his secret leaked. Note that even when the admitter has erased his secret, the opener can still open the signer’s identity of any signature provided that its corresponding message was previously specified by the admitter.

##### 1.1. Contributions

This paper proposes group signatures with a new additional capability, called* group signatures with message-dependent opening* (GS-MDO). We introduce an* admitter* in GS-MDO, as previously mentioned, that issues tokens for specific messages, and by using these tokens, the opener can extract signers’ identities from signatures only if their corresponding messages have been specified. We can flexibly restrict the capabilities of the opener utilizing this property without implementing any complicated interactive procedures (e.g., threshold decryption).

The main contributions of this paper are threefold. First, we provide a formal model and a security definition for GS-MDO. Our model and security definition are extensions of the Bellare-Micciancio-Warinschi (BMW) model [3], which is considered to be the basic security definition for group signatures in the static setting. More specifically, our security model is a natural modification of this model extended according to the difference between a standard group signature scheme and ours which introduces the MDO property. In addition, we demonstrate that* it is possible to derive identity-based encryption (IBE) from any GS-MDO scheme in a black-box manner* if the underlying GS-MDO is secure in the above sense.

Secondly, we present a generic construction of GS-MDO from a public key encryption (PKE) scheme, an IBE scheme, and an adaptive noninteractive zero-knowledge (NIZK) proof system. (Technically, we use a tag-based KEM (key encapsulation mechanism) and an identity-based KEM instead of a PKE scheme and an IBE scheme). Given the above result that GS-MDO implies IBE, it is expected to be quite hard to construct GS-MDO without using IBE or similar primitives as a building block. We note that simulation-soundness [4] is not required for NIZK in our generic construction, while the generic construction of the (ordinary) group signature [3] requires this strong property.

Finally, we propose two efficient instantiations of GS-MDO, one in the standard model and one in the random oracle model. Our scheme in the standard model uses the Groth-Sahai proof system [5] as an NIZK proof system in our generic construction. To utilize the Groth-Sahai proof system in our generic construction, we note that an IBE scheme that is compatible with the Groth-Sahai proof (such as structure-preserving signatures [6]) is necessary since our generic construction requires IBE. To be compatible with the Groth-Sahai proof system, an IBE scheme needs to be able to encrypt a base-group element and to have its ciphertext consist of only base-group elements. Although Libert and Joye [7] proposed an IBE scheme whose plaintext space is a base group, and the IBE scheme is compatible with the Groth-Sahai proof, the size of the group signature of the resulting GS-MDO scheme depends on the number of group members. In order to construct a GS-MDO scheme with constant-size signature, we also construct a new IBE scheme that has only -resilient security [8]. Therefore, the resulting GS-MDO scheme inherits this restriction (i.e., the admitter can issue at most tokens). The size of a signature is approximately 10 kilobytes when a 170-bit prime-order group is used. (We adopt the estimates of bit sizes for group elements used in [9]). Our scheme in the random oracle model, on the other hand, is based on the Boneh-Boyen-Shacham (BBS) group signature [10] and uses the Boneh-Franklin (BF) IBE scheme [11] and a variant of the Cramer-Shoup encryption scheme [12, 13]. As we can use IBE (which is not -resilient) in the random oracle model, GS-MDO with an unbounded MDO property (i.e., the number of tokens issued by the admitter is unlimited) can thus be constructed. The idea behind this construction is based on our generic construction, but the instantiation is not straightforward since the PKE scheme and the IBE scheme cannot directly be combined. Hence, we modify the building blocks and the construction to combine them. To be more precise, we design a dedicated extension of the linear encryption scheme [10] with chosen-ciphertext security and public verifiability to enable our efficient construction. The size of the signature of the scheme is 3636 bits in 80-bit security, which is times smaller than that of our standard model scheme.

Note that our security notions and proposed schemes assume that the system setup is carried out honestly. This setup includes the generation of a common reference string, the opener’s and the admitter’s secret keys, and the group members’ signing keys. However, the goal of the current paper is to provide a feasibility study of the MDO property in group signatures. Namely, we study the possibility of constructing a GS-MDO scheme in a simple setting where several parameters and secret keys are generated honestly. We defer to future work a more comprehensive study on the possibility of constructing a scheme with a more complicated and realistic scenario such as that allowing maliciously generated parameters and on providing a hedge against this types of attack.

##### 1.2. Applications

As previously mentioned, a straightforward application of GS-MDO schemes is in detecting the originators of inappropriate messages in anonymous bulletin board systems. We further discuss more potential applications of GS-MDO schemes in what follows.

The first application we discuss is* anonymous auctions*, where bidders form a group of anonymous signers. Each bidder produces a group signature on his bidding price. The admitter issues a token for opening signatures on the highest price to detect the winner(s). The opener is then only able to open the signatures on the highest price.

The main advantage (of the MDO approach) over the threshold approach becomes clear in this application. Suppose that there are* many* winners who all have bid the highest price resulting in a tie. As an interaction will be needed for each winner in the threshold approach, the total communication cost will be proportional to the number of winners. In contrast, if one takes the MDO approach, only a small communication bandwidth from the admitter to the opener is needed. The communication cost does not depend on the number of winners.

Another application in which the MDO property is useful is* identity escrow*. Although our primitive is a rather general purpose primitive for identity escrow scenarios, for the ease of understanding, let us discuss this with a concrete example. Consider a customer who enters an automated parking garage [14], where he generates a group signature on a message that encodes the date when he enters the car park (say, the string “2012-02-20”). Let us assume a felony has been committed (e.g., a person is murdered) in the garage. The opener in this case will open the signatures on the date when the murder occurred to identify who was there on that day.

The opener in this application needs to open* many* signatures on the* same* message. If one adopts the threshold technique to decentralize the authority, many interactions are required to open all the signatures. The MDO property removes interactions between authorities, i.e., the admitter issues a token for the day, and the opener opens all the signatures without interactions.

As an application of GS-MDO, Arai et al. [15] proposed a privacy-preserving anomaly detection framework. In their framework, the admitter plays the role of analyzing data, and the opener plays the role of detecting adversarial users. Briefly, a user generates a group signature on data, and sends it to the admitter. Then, the admitter can detect anomaly data without identifying users. For detecting adversarial users who generate anomaly data, the admitter generates tokens that correspond to the anomaly data, and sends them to the opener. This framework allows the admitter to detect adversarial users, while other honest users are kept anonymous.

##### 1.3. Related Work

Since group signatures were first proposed by Chaum and van Heyst [1], many efficient constructions have been proposed, most of which depend on a random oracle [10, 16–23]. Many earlier schemes were based on the strong RSA assumption [24, 25]. Group signature schemes based on assumptions related to the discrete-logarithm type were achieved, to name a few, by Camenisch and Lysyanskaya [17] and by Boneh, Boyen, and Shacham [10]. The former scheme is based on the LRSW assumption [26], while the latter is based on the -strong Diffie-Hellman (-SDH) assumption [27].

Group signature schemes without random oracles were also achieved. Ateniese et al. [28] first proposed a group signature scheme from interactive assumptions avoiding random oracles. Following this scheme, Groth proposed a group signature scheme that avoids random oracles and interactive assumptions [29], but his scheme has a very large signature size. Boyen and Waters [30, 31] proposed highly efficient constructions, although the security guarantees of their schemes are not very strong, i.e., they only achieve so-called CPA-anonymity. Groth [32] proposed another group signature scheme, which is almost as efficient as the Boyen-Waters schemes and satisfies higher security guarantee of the Bellare-Shi-Zhang (BSZ) model [33]. Libert et al. [34] proposed a group signature scheme secure in the standard model from standard assumptions.

Regarding decentralizing and distributing the power of the group manager, the separability of a cryptographic protocol was introduced by Kilian and Petrank [14] in the context of identity escrow. Later, this notion was refined and adopted to the context of group signature by Camenisch and Michels [35]. The separability notion requires that keys of several entities involved in a cryptographic primitive be generated independently of each other. In their setting, the power of a group manager is separated into two authorities. The first authority is able to allow a new member to join the group but is not able to identify the originator of a group signature, and the other authority is able to identify the originator of a group signature but is not able to allow a new member to join the group. More formal modeling of these separated authorities has been proposed by Bellare et al. [33] and Kiayias and Yung [36]. Sakai et al. [37] further extended the BSZ model by considering signature hijacking attacks.

Libert et al. [38, 39] proposed scalable group signature schemes with revocation, and Attrapadung et al. [40] and Nakanishi et al. [41] also proposed revocable group signature schemes with a compact revocation list.

Traceable signatures are an extended notion of group signatures and were introduced by Kiayias, Tsiounis, and Yung [42]. This primitive allows the group manager to specify a group member as “misbehaving”. Once a member is specified by the manager, anyone becomes able to detect the signatures of the specified user without interacting with the manager. In this case, signatures of other group members continue to be anonymous. In our terminology, this primitive achieves a somewhat “signer-dependent opening” property, but the MDO property is not achieved. A contractual anonymity system [43] based on group signatures with verifier-local revocation [44] has been proposed. In this system, when a user breaks a contract, an accountability server revokes the anonymity of the user and notifies the identity of the user to the service provider. (In this system, a user is said to* break a contract* when the user sends a message breaking the contract policy of the service provider). Since this scheme uses a conventional open algorithm, this system also differs from MDO.

As follow-up works to our results [45, 46], Libert and Joye [7] proposed an unbounded GS-MDO scheme in the standard model with logarithmic signature size. They proposed a partially structure-preserving IBE scheme and used it as a building block of GS-MDO. The signature of their scheme consists of group elements, where is the number of group members, whereas our GS-MDO schemes achieve constant-size signatures, though our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GS-MDO scheme secure in the standard model with constant-size signatures is an interesting open problem. Libert, Mouhartem, and Nguyen [47] proposed a lattice-based (unbounded) GS-MDO scheme in the random oracle model. Their scheme was proved secure from the short integer solution (SIS) assumption and the learning with errors (LWE) assumption. The signature size of this scheme is still logarithmic in the number of signers, whereas our two constructions have constant-size signatures.

Preliminary versions of this paper were presented at the 5th International Conference on Pairing-Based Cryptography (Pairing 2012) [45] and at the 8th ACM Symposium on Information, Computer and Communications Security (ASIACCS 2013) [46]. This is the merged full version. In this version, we give security proofs omitted in the proceedings versions.

##### 1.4. Paper Organization

The rest of this paper is structured as follows. Section 2 briefly describes definitions and security notions of several building blocks. Section 3 presents the notion of GS-MDO, its syntax and security definitions. Section 4 discusses difficulties behind constructing efficient GS-MDO schemes. Specifically, we argue the use of IBE in a construction of GS-MDO is essential by showing a generic construction of IBE from GS-MDO. In Section 5, we propose a generic construction of GS-MDO, and Sections 6 and 7 show reasonably efficient instantiations in the standard model and the random oracle model, respectively. In Section 8, we compare the efficiency of our GS-MDO schemes with previous group signatures. In Section 9, we conclude the paper and list open problems.

#### 2. Preliminaries

In this section, we describe the syntax of building blocks and some computational assumptions we use for constructing GS-MDO. Throughout the paper, we use the following notations: denotes that is uniformly and independently sampled from the set . For an algorithm , an input , and a randomness we denote to run with an input and a randomness and let be the output. When the randomness is implicit, we denote . For an integer , let .

##### 2.1. Signatures

A signature scheme consists of the following three algorithms:(i)SigKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a verification key and a signing key.(ii)Sign: this is the signing algorithm that takes as inputs a signing key and a message and outputs a signature on the message .(iii)Verify: this is the verification algorithm that takes as inputs a verification key , a message , and a signature and outputs or , which, respectively, indicate “accept” or “reject.”

For correctness, we require that for all , all pairs *←* SigKg(), and all messages , it is satisfied that Verify(, Sign()) = .

A signature scheme is said to be* existentially unforgeable under chosen-message attacks (EUF-CMA)*, if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)*Setup*: the challenger runs ()*←*SigKg() and gives the adversary .(ii)*Query*: the adversary adaptively issues signing queries in an arbitrary order. For each signing query , the challenger runs *←* Sign() and returns to the adversary.(iii)*Forge*: finally the adversary outputs a forgery . The adversary wins the game if is not queried as a signing query, and Verify() = .

The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .

A signature scheme is said to be* a strongly unforgeable one-time signature scheme*, if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)*Setup*: the challenger runs ()*←*SigKg() and gives the adversary .(ii)*Query*: the adversary issues a signing query * only once*. The challenger runs *←* Sign() and returns to the adversary.(iii)*Forge*: finally the adversary outputs a forgery . The adversary wins the game if and Verify() = .

The advantage of the adversary is defined as the probability that the adversary wins and is denoted by .

##### 2.2. Tag-Based Key Encapsulation Mechanism

A tag-based key encapsulation mechanism (tag-based KEM) (Tag-based encryption, an encryption analogue of tag-based KEM, is originally introduced as “encryption with labels” by Shoup and Gennaro [49]. Tag-based KEM is different from “tag-KEM”, introduced by Abe, Gennaro, Kurosawa, and Shoup [50]. However, any chosen-ciphertext secure tag-KEM can be immediately converted to a tag-based KEM satisfying security that is sufficient for our purpose) [51, 52] scheme consists of the following three algorithms:(i)TKg: this is the key generation algorithm that takes as an input a security parameter and outputs a pair of a public key and a secret key.(ii)TEnc: this is the encapsulation algorithm that takes as inputs a public key and a tag and outputs where a ciphertext for a tag encapsulates a session key and is the session key space associated with the scheme.(iii)TDec: this is the deterministic decapsulation algorithm that takes as inputs a secret key , a tag , and a ciphertext and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.

For correctness, we require that for all , all ()*←*TKg(), all tags , and all ()*←*TEnc(), it holds that TDec() = .

A tag-based KEM is said to be* selective-tag weakly chosen-ciphertext secure* if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)*Setup*: the adversary is given a security parameter and outputs a challenge tag . The challenger runs ()*←*TKg(), then the challenger gives the adversary the public key .(ii)*Query (Phase I)*: the adversary issues decryption queries in an arbitrary order. The challenger runs *←* TDec( and returns to the adversary. Here the adversary is not allowed to issue queries with .(iii)*Challenge*: at some point the adversary requests a challenge. The challenger chooses a random bit , runs ()*←*TEnc(), chooses , and sends .(iv)*Query (Phase II)*: after receiving the challenge the adversary is again allowed to issue decryption queries. The same restriction for queries is applied as before.(v)*Guess*: finally the adversary outputs a bit . The adversary wins the game if .

The advantage of the adversary is defined by and is denoted by .

##### 2.3. Identity-Based KEM and Its -Resilient Variant

An identity-based KEM [8] consists of the following four algorithms:(i)ISetup: this is the setup algorithm that takes as inputs a security parameter and a collusion threshold and outputs a pair of a public parameter and a master secret key.(ii)IExt: this is the key extraction algorithm that takes as inputs a master secret key and an identity and outputs a user decapsulation key .(iii)IEnc: this is the encapsulation algorithm that takes as inputs a public parameter and an identity and outputs where a ciphertext for an identity encapsulates a session key and is the session key space associated with the scheme.(iv)IDec: this is the deterministic decapsulation algorithm that takes as inputs , , and and outputs a decapsulated session key or a special symbol indicating an invalid ciphertext.

For correctness, we require that for all , all , all ()*←*ISetup(), all identities , all *←*IExt(), and all ()*←*IEnc(), it holds that IDec() = .

An identity-based KEM is said to be *-resilient* if for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)*Setup*: the challenger runs ()*←*ISetup(), then the challenger gives the adversary the public parameter .(ii)*Query (Phase I)*: the adversary issues extraction queries in an arbitrary order. The challenger runs *←* IExt() and returns to the adversary. The total number (the summation of those in Phase I and Phase II) of extraction queries during the game is restricted to be smaller than or equal to .(iii)*Challenge*: at some point the adversary requests a challenge with an identity . The challenger chooses a random bit , runs ()*←*IEnc(), chooses , and sends . The adversary is not allowed to request a challenge with an identity whose user decapsulation key is queried before.(iv)*Query (Phase II)*: after receiving the challenge the adversary is again allowed to issue extraction queries. This time querying a user decapsulation key for is disallowed.(v)*Guess*: finally the adversary outputs a bit . The adversary wins the game if .

The advantage of the adversary is defined by and is denoted by .

A* fully secure* IBE scheme is defined analogously with the difference that the setup algorithm does not take as an input and in the game the number of extraction queries is unbounded.

##### 2.4. Adaptive Noninteractive Zero-Knowledge Proofs

A noninteractive proof system for a polynomial-time computable relation consists of the following three algorithms:(i): this is the common reference string generation algorithm that takes as an input a security parameter and outputs a common reference string .(ii): this is the proof algorithm that takes as inputs a common reference string , a statement , and a witness , where and outputs a proof .(iii): this is the verification algorithm that takes as inputs a common reference string , a statement , and a proof and outputs either or .

We say that a noninteractive proof system has perfect completeness, if for all , for all such that , for all , for all it holds that .

A noninteractive proof system is said to have adaptive perfect soundness, if for any probabilistic polynomial-time adversary the advantage in the following game is equal to zero:(i)*Setup*: the challenger runs and gives the adversary the common reference string .(ii)*Forge*: the adversary outputs a pair of a statement and a proof. The adversary wins if and for any .

The advantage of the adversary is defined by the probability that the adversary wins and is denoted by .

We say that a noninteractive proof system is adaptively zero-knowledge if there is a pair of algorithms such that for any probabilistic polynomial-time adversary the advantage in the following game is negligible:(i)*Setup*: the challenger generates a bit . If the challenger runs . If the challenger runs . Then the challenger gives the adversary the common reference string .(ii)*Query*: the adversary is allowed to issue a query such that * only once*. If the challenger runs . If the challenger runs . The challenger gives the adversary .(iii)*Guess*: finally the adversary outputs a bit .

The advantage of the adversary is defined by and is denoted by .

##### 2.5. Computational Assumptions

Let be a probabilistic polynomial-time algorithm that takes a security parameter as an input and generates a parameter of* bilinear groups*, where is a -bit prime, and are groups of order , is a bilinear map from to , and is a generator of . We then describe several computational assumptions on which the proposed schemes are based.

*The **-Strong Diffie-Hellman Assumption [27]*. Let and let , and for . The -strong Diffie-Hellman problem in is stated as follows: given , output where . The advantage of an algorithm in solving the -strong Diffie-Hellman problem is defined as We say that the -strong Diffie-Hellman (-SDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .

For some fixed base and a fixed group element we say that a pair is an* SDH pair* if is equal to .

*The Decision Linear Assumption [10]*. Let , , , , , , and . The decision linear problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision linear problem is defined as We say that the decision linear (DLIN) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .

For some fixed bases , , , we say that a tuple is a* linear tuple* if there exist exponents , that satisfy .

*The Decision Bilinear Diffie-Hellman Assumption [53]*. Let and , , , . The decision bilinear Diffie-Hellman problem in is stated as follows: distinguish the distribution from the distribution . The advantage of an algorithm in solving the decision bilinear Diffie-Hellman problem is defined as We say that the decision bilinear Diffie-Hellman (DBDH) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .

*The Simultaneous Flexible Pairing Assumption [54]*. Let , , , , are generators of and , . For , let which satisfies and . The simultaneous flexible pairing problem is stated as follows: given and , output where and satisfying and for every . The advantage of an algorithm in solving the simultaneous flexible pairing problem is defined asWe say that the simultaneous flexible pairing (SFP) assumption holds if is negligible in for any probabilistic polynomial-time algorithm .

#### 3. Group Signatures with Message-Dependent Opening

In this section we introduce the syntax and security definitions for GS-MDO. As an ordinary group signature scheme, a GS-MDO scheme allows group members to sign a message anonymously, that is, without revealing their identities but only showing that one of the group members actually signed. In exceptional cases, a designated third party, called the opener, can “open” exceptional signatures to identify the originator of the signatures. In contrast to ordinary group signature schemes, a GS-MDO scheme requires the opener to cooperate with another authority, called the admitter, to open signatures. The admitter issues a message-specific token, and the opener is able to open a signature on the message* only when a token for the message is issued from the admitter*.

In this section, we define the formal model and the security requirements of GS-MDO.

##### 3.1. The Model of GS-MDO

Formally, a GS-MDO scheme consists of the following five probabilistic polynomial-time algorithms:(i)GKg: this is the key generation algorithm that takes as inputs a security parameter , the number of group members , and the maximum number of message-specific tokens that can be issued and outputs a group public key , an admitting key , an opening key , and group signing keys . We note that the input is omitted when the number of message-specific tokens that can be issued is unbounded.(ii)GSig: this is the signing algorithm that takes as inputs a group public key , a group signing key , and a message and outputs a group signature .(iii)Td: this is the message-specific token generation algorithm that takes as inputs a group public key , an admitting key , and a message and outputs a token for .(iv)GVf: this is the verification algorithm that takes as inputs a group public key , a message , and a group signature and outputs (that means accept) or (that means reject).(v)Open: this is the opening algorithm that takes as inputs a group public key , an opening key , a message , a group signature , and a message-specific token and outputs a user index or .

For correctness, we require that for all , , , for all ()*←*GKg(), for all messages and all user , it holds that GVf(, , GSig()) = and Open(, , , GSig(), Td()) = .

In the above scenario, the signing keys , the opening key , and the admitting key are generated by the GKg algorithm in the setup phase. Then, is given to the opener and is given to the admitter. A signer can make a group signature by using the GSig algorithm, and all entities can verify the group signature by the GVf algorithm and public key . This setting is the same as ordinary group signatures, except the group manager’s key is divided into and . In exceptional cases, the admitter issues a message-specific token by using the Td algorithm. Moreover, the opener can identify the signer of a group signature by using the Open algorithm only when the opener received from the admitter.

##### 3.2. Security Requirements

We introduce the security notion for GS-MDO. In contract to ordinary group signatures, we need to take care of the MDO property.

Ordinary group signatures are required to ensure two security notions, anonymity and traceability, whereas we have to further ensure two types of anonymity in the case of GS-MDO that are related to the original motivation for the introduction of the admitter. The introduction of the admitter is intended to strengthen signers’ anonymity against the authorities as much as possible. To capture this intention, we define the indistinguishability of the originator of a signature in the strong setting where the opening key is given to the adversary (opener anonymity). As a counterpart of this, we also define indistinguishability in the setting where the admitting key is given to the adversary (admitter anonymity). Note that we do not consider the situation in which the adversary obtains both the opening key and the admitting key because in this situation the adversary can open any signature by itself.

For traceability, we use the same definition as for the ordinary group signatures, in which the authorities are entirely corrupted by the adversary, since even ordinary group signature schemes ensure this level of traceability against entirely corrupted openers.

###### 3.2.1. Opener Anonymity

Here we give the formal definition of anonymity against the opener, which we call* opener anonymity*. It is formalized as the indistinguishability of signatures of two different signers of the adversary’s choice. Opener anonymity is defined by requiring that no adversary has nonnegligible advantage in distinguishing signatures. We again remark that contrary to ordinary group signatures, the adversary is allowed to have the opening key. This is intended for modeling “anonymity against the opener.”

*Definition 1. *A GS-MDO scheme is said to have* opener anonymity* if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)*Setup*: the challenger runs GKg() to obtain . The challenger sends to .(ii)*Token Query (Phase I)*: adaptively issues token queries in an arbitrary order. The challenger runs *←*Td() and returns to .(iii)*Challenge*: at some point requests a challenge for , , and a message . The challenger chooses a random bit , runs *←* GSig(), and sends to . is not allowed to request a challenge with a message whose token is previously queried.(iv)*Token Query (Phase II)*: after receiving the challenge is again allowed to issue token queries. This time querying a token for is disallowed.(v)*Guess*: finally outputs a bit . wins the game if . wins the game if .

The advantage of is defined by and is denoted by . We also say that a GS-MDO scheme has* opener anonymity with **-bounded tokens* if any probabilistic polynomial-time adversary which issues at most token queries in total has negligible advantage.

###### 3.2.2. Admitter Anonymity

We next give the definition of anonymity against the admitter, which we call* admitter anonymity*. It is formalized in a similar manner to opener anonymity. That is, admitter anonymity requires signatures of two different signers to be indistinguishable even when the adversary is given the admitting key. We emphasize that our definition of opener anonymity is categorized as so-called* CCA-anonymity*. This means that the adversary in the security game is allowed to access the opening oracle. The formal definition is as follows:

*Definition 2. *A GS-MDO scheme is said to have* admitter anonymity* if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)*Setup*: the challenger runs GKg() to obtain . The challenger sends to .(ii)*Open Query (Phase I)*: adaptively issues open queries in an arbitrary order. The challenger finds a recorded which is a token for , and if not found, runs *←*Td(), and stores . The challenger runs *←*GSig() and returns to .(iii)*Challenge*: at some point requests a challenge for , and a message . The challenger chooses a random bit , runs *←*GSig() and sends to .(iv)*Open Query (Phase II)*: after receiving the challenge is again allowed to issue open queries. This time querying an opening of is disallowed.(v)*Guess*: finally outputs a bit . wins the game if .

The advantage of is defined by and is denoted by .

Notice that the number of opening queries the adversary issues is unbounded (but of course polynomially many).

###### 3.2.3. Traceability

The last notion is* traceability*, which requires that even if the opener and the admitter collude and they further adaptively corrupt some group members, the corrupted parties can produce neither forged signatures nor untraceable signatures. We stress that in contrast to the case of the anonymity notions, this case considers the collusion of two authorities.

*Definition 3. *A GS-MDO scheme is said to have* traceability* if for any probabilistic polynomial-time adversary the advantage in the following game is negligible: (i)* Setup*: the challenger runs GKg() to obtain . The challenger sends to .(ii)* Query*: adaptively issues the following two types of queries:(1) issues a* key revealing query *. The challenger returns to .(2) issues a* signing query *. The challenger runs *←*GSig() and returns .(iii)* Forge*: finally outputs a forgery . wins if GVf() = and one of the following two conditions holds:(a) Open(, Td()) = , or(b)all the following conditions hold, Open(, Td()) = , and neither a key revealing query for the user nor a signing query for is submitted.

The advantage of is defined by and denoted by .

#### 4. Difficulty in Designing Efficient Constructions

In this section we discuss several difficulties in designing efficient GS-MDO schemes. We first observe the relationships between GS-MDO and other cryptographic primitives, and then we discuss the difficulty that lies in designing efficient constructions.

Regarding the relationship with other primitives, we show that the existence of a GS-MDO scheme implies that of an IBE scheme. In other words, we will present a black-box construction of IBE from any GS-MDO scheme. The same holds for the -resilient versions.

This fact means that constructing a GS-MDO scheme is harder than IBE. Moreover, IBE is well known as a strong primitive. For example, there is no black-box construction of IBE from a trapdoor permutation or chosen-ciphertext secure PKE [55]. Therefore, GS-MDO is also strong and difficult to construct.

We note that Box 1 only shows a construction of an identity-based* key encapsulation mechanism* rather than identity-based* encryption*. However, it suffices since we can obtain a secure encryption scheme by combining the construction with an appropriate data encapsulation mechanism.

The formal theorems are as follows:

Theorem 4. *If the underlying GS-MDO scheme satisfies opener anonymity, the identity-based KEM in Box 1 is fully secure.*

Theorem 5. *If the underlying GS-MDO scheme satisfies opener anonymity with -bounded tokens, the identity-based KEM in Box 1 is -resilient.*

The intuition behind the construction in Box 1 is as follows. In the IEnc algorithm, each is a group signature of either or . Therefore, by the opener anonymity of the GS-MDO scheme, the entity who does not have (corresponding to the admitter’s key) cannot identify which signing key is used to make . The receiver can get (corresponding to the message-dependent token), and only the receiver can open the group signature and get by using the . Formal proofs can be given by a straightforward modification of the proof by Abdalla and Warinschi [56] or the similar technique to that used by Ohtake, Fujii, Hanaoka, and Ogawa [57], hence we omit detailed proofs.

From Theorems 4 and 5, we make the following observation about the difficulty in constructing GS-MDO.(i)*Inevitability of using IBE: *these theorems suggest that using IBE is essential for constructing a GS-MDO scheme. Considering the fact that a black-box construction of IBE from a trapdoor permutation is impossible [55], we can conclude that it is almost unavoidable for a GS-MDO scheme to rely on an IBE scheme or its equivalence, not only on a trapdoor permutation and an NIZK proof system. Otherwise one could construct an IBE scheme from surprisingly weaker primitives.(ii)*Difficulty in constructing efficient GS-MDO in the standard model: *another important aspect of establishing an* efficient* GS-MDO scheme in the standard model is the necessity of realizing a “Groth-Sahai compatible” IBE scheme. This is because the only known construction of NIZK proof systems with reasonable efficiency in the standard model is limited to the Groth-Sahai proof system. Also note that an NIZK proof system has been an important building block for almost all group signature schemes ever.

We show a generic construction of GS-MDO using a NIZK proof system and IBE in Section 5. However, currently no known IBE scheme is Groth-Sahai compatible in the sense that the Groth-Sahai proof system cannot prove a kind of the well-formedness of an IBE ciphertext in zero-knowledge. (Libert and Joye [7] proposed an IBE scheme where we are able to prove the well-formedness of a ciphertext using the Groth-Sahai proof system. However, at the time of the publication of the conference version, there were no known IBE scheme with this property). This is because an IBE scheme in a bilinear group is typically able to encrypt a target-group element. In addition, the ciphertext of such a scheme includes a target-group element. Unfortunately, the Groth-Sahai proof system is not always able to prove a statement involving target-group elements* in zero-knowledge*.

Here we provide two methods of overcoming this gap. The first one is to adopt -resilient IBE instead of fully secure IBE. In particular, we design a -resilient IBE scheme from the DLIN assumption by modifying the Heng-Kurosawa scheme [8] for this purpose. (We also note that a similar construction can be obtained from the key-insulated encryption scheme proposed by Dodis, Katz, Xu, and Yung [58]). The construction of GS-MDO using -resilient IBE is shown in Section 6.

The second method is to apply random oracles. We construct a GS-MDO scheme based on the BBS group signature scheme [10], which is one of the most efficient group signature schemes in the random oracle model. The opening procedure is implemented by the linear encryption scheme [10, 13], and a user’s certificate is implemented by the Boneh-Boyen short signature scheme [27]. The MDO property is realized by adopting the BF IBE scheme [11]. In order to combine the short group signature scheme and the BF IBE scheme, we replace the linear encryption scheme with a certain type of -out-of- multiple encryption. This construction is shown in Section 7.

#### 5. Generic Construction

In this section, we give a generic construction of a GS-MDO scheme. The construction is built on an EUF-CMA secure signature scheme, a strongly unforgeable one-time signature scheme, a selective-tag weakly chosen-ciphertext secure tag-based KEM, a -resilient identity-based KEM, and an adaptive NIZK proof system.

At a first glance, there are various building blocks. However, our generic construction only relies on the existence of an IBE scheme and that of an NIZK proof system. Indeed, signature schemes and a chosen-ciphertext secure tag-based encryption scheme can be constructed from a fully secure IBE scheme.

##### 5.1. Underlying Ideas

The proposed construction shares an underlying idea with the generic construction of Bellare, Micciancio, and Warinschi (the BMW construction) [3] except that we do not need “simulation-soundness” for the underlying NIZK proof system. Instead of this strong security requirement, we combine (ordinary) NIZK proofs with a strongly unforgeable one-time signature scheme. We remark that essentially the same techniques have been used in a variety of contexts. To name a few, Groth [32] used this technique for an efficient group signature scheme in a very similar manner. Camenisch, Chandran, and Shoup [59] used it to construct simulation-sound NIZK proofs, improving the result of Groth [29].

##### 5.2. Construction

In this section, we present our generic construction of GS-MDO. Our construction uses an identity-based KEM (ISetup, IExt, IEnc, IDec), tag-based KEM (TKg, TEnc, TDec), an EUF-CMA secure signature scheme (SigKg, Sign, Verify), a one-time signature scheme (, , ), and an NIZK proof system . In addition, we require that the session key spaces and be the same set, and be associated with a group operation .

In our construction, a group member has a key pair of the signature scheme, in which is authorized by another verification key at the setup time. When a member generates a group signature, the member simply signs a message by . To be anonymous, the member further encrypts the signature together with the certificate (of the member), which authorizes the verification key , and attaches a noninteractive proof that demonstrates that a signature of an authorized member has been encrypted. To encrypt a signature, the member uses a multiple encryption technique to ensure that neither the opener nor the admitter can reveal the identity as long as the admitter has not issued a token to the opener. We need two requirements on the session key spaces of the tag-based KEM and the (-resilient) IBE scheme. We require that be equal to as a set, and that they form a finite group with group operation . These requirements are needed because we use a one-time pad to encrypt a signature of the group member. This group operation also needs to fall into the class of relations that can be represented by the used noninteractive proof system.

Let us explain the noninteractive proof that appears in the construction. The signature of the proposed scheme is of the form , and, as mentioned above, the proof demonstrates that a valid signature of an authorized group member has been encrypted into in a kind of a “multiple encryption” manner. More specifically, the proof proves that there exist a randomness (for tag-based KEM), another randomness (for identity-based KEM), a user index , and the verification key , a certificate , and a signature on a message , such that

Finally, two encoding functions are needed to complete the description of the generic construction. The first is used to encode the user index of a group member and his verification key into the message space of the signature scheme when generating certificates of group members. The second one is used to encode into , where is the user index of a group member and , , and are his verification key, certificate, and signature, respectively. It is used when issuing a group signature, especially when encrypting his signature in order to hide his identity.

The complete description of the scheme is shown in Box 2.

As stated in the following theorem, our generic construction has desirable security properties when all building blocks satisfy appropriate security properties.

Theorem 6. *The proposed scheme has opener anonymity with -bounded tokens if the identity-based KEM is -resilient and the noninteractive proof system is adaptively zero-knowledge. The proposed scheme satisfies opener anonymity if the identity-based KEM is fully secure and the noninteractive proof system is adaptively zero-knowledge.*

Theorem 7. *The proposed scheme has admitter anonymity when the a tag-based KEM is selective-tag weakly chosen-ciphertext secure, the noninteractive proof system is adaptively zero-knowledge, and the one-time signature scheme is strongly unforgeable.*

Theorem 8. *The proposed scheme has traceability when the noninteractive proof system is adaptively sound and the signature scheme is EUF-CMA secure.*

All the proofs of the theorems will appear in Appendix B.

#### 6. Construction in the Standard Model

In this section, we show an instantiation of GS-MDO in the standard model. Our scheme in this section satisfies the requirements of Section 3.2 under the DLIN assumption and the SFP assumption. Because of the incompatibility between the Groth-Sahai NIZK proof system and known (pairing-based) IBE schemes, we use -resilient IBE and thus the MDO property is bounded to be . Note that the instantiation is not straightforward even though we have the generic construction in Section 5, since it is not obvious whether there exist building blocks which fit the generic construction. Of course, if we use a general NIZK proof system, we obtain an instantiation, but it is far from an efficient construction.

##### 6.1. Underlying Ideas

Towards an efficient scheme, we discuss how to instantiate the building blocks used in our generic construction in the previous section.

Regarding the noninteractive proof system, an obvious choice is the Groth-Sahai proof system, since there is no known practical construction of an NIZK proof system except the Groth-Sahai proof system. However, upon adopting the Groth-Sahai proof system, due to the limitation of the type of theorems that the Groth-Sahai proof system can prove, other building blocks are subjected to restrictions. More specifically, other building blocks need to be* structure preserving* [60], and in particular, a statement to be proven should not involve elements of , where is the target group of the underlying bilinear groups. Hence, we have to choose an IBE scheme which fulfills this requirement as a building block, but unfortunately, no such scheme is known (except for the Libert-Joye scheme). This means that* it is not straightforward to construct an efficient instantiation of our generic construction from the Groth-Sahai proof system*.

In this section, we give an efficient instantiation by constructing a* structure-preserving* IBE scheme and choosing other appropriate building blocks. However, we must also honestly mention that our IBE does not provide full security but only -resilience [8].

Our structure-preserving -resilient IBE scheme is obtained by means of modifying the Heng-Kurosawa scheme [8] which is secure in the sense of -resilient security under the decision Diffie-Hellman (DDH) assumption. Since the DDH assumption does not hold in (symmetric) bilinear groups, it is not possible to utilize it as it is, and thus, we construct a modified version of this scheme which is secure under the DLIN assumption.

##### 6.2. Construction

As described above, an efficient instantiation is not straightforward even from our generic construction in Section 5, since it is not obvious whether there exist schemes which can be plugged into the generic construction. Therefore, we select concrete building blocks for the instantiation:(i)*Groth-Sahai Proofs [5, 61]*. This is an efficient noninteractive proof system for groups with a bilinear map. This proof system can demonstrate the validity of a broad range of algebraic equations in a zero-knowledge manner and is useful for avoiding an expensive blowup from general NIZK techniques. We choose the DLIN-based instantiation of the Groth-Sahai proof system, which was proved to be perfectly sound with adaptive zero-knowledge from the DLIN assumption.(ii)*Abe-Haralambiev-Ohkubo Signature [6, 60]*. This is a structure-preserving signature scheme, in the sense that the signing and verification procedures have no use of nonalgebraic operations. This property is essential when the scheme is used together with the Groth-Sahai proof system that has the restriction that it is unable to treat nonalgebraic relations such as a verification equation of a signature scheme which involves hashing. This signature scheme was proven secure from the SFP assumption.(iii)*DLIN Variant of Cramer-Shoup scheme [13]*. The Groth-Sahai proof system is highly reliant on its use of pairing operations, and thus we need to choose the type of pairing on which we base our scheme. Type III or II may allow an efficient instantiation. However, in this setting a signature of the Abe-Haralambiev-Ohkubo scheme is bilateral, namely, it contains elements of both source groups. To encrypt such a bilateral message, we need to set up the encryption scheme in both source groups, which makes the scheme inefficient. Hence, we choose all the building blocks to be instantiated in Type I curves. For this reason, we choose a modification of Shacham’s DLIN variant [13] of the Cramer-Shoup encryption scheme as the tag-based KEM. We modify this scheme to be tag-based KEM to fit into our generic construction. (A possible alternative choice here is Kiltz’ tag-based encryption [52], which could reduce the size of NIZK proofs owning to its public verifiability. One drawback of this scheme is that, to the best of our knowledge, it does not allow the encryption of multiple group elements with a constant ciphertext overhead. On the other hand, the Cramer-Shoup scheme (and its DLIN variant by Shacham) allow such a modification. See Section C.3 for the details of this modification).

We then show a more concrete description of our generic construction when being instantiated with the above building blocks. Notice that a signature of our concrete instantiation based on the above building blocks, is of the following form:As explained above, is represented by 29 group elements, which we denote by . A more detailed description of each element is as follows:where CR is a collision resistant hash function and is a Groth-Sahai proof.

In (7), is the encoding of , corresponds to the session key of the tag-based KEM based on a DLIN variant of the Cramer-Shoup PKE scheme, and corresponds to the session key of the -resilient identity-based KEM based on the Heng-Kurosawa IBE scheme. and are ciphertexts of the tag-based KEM and the identity-based KEM, respectively. is Wee’s one-time signature on .

The signature size of the construction in Section 6 is described in Table 1. The column “Cost” is the number of group elements of a statement to be proven, and the number of group elements of the Groth-Sahai NIZK proof per a statement. The abbreviations “var(s).”, “lin. eq.”, “mult”, and “pair. prod.” mean “variable(s)”, “linear equation”, “multiplication” and “pairing product”, respectively. The total number of group elements is shown in the column “”. As shown in Table 1, the standard model scheme achieves reasonably efficient performance.

From Theorems 6, 7, and 8, the following theorems hold.

Theorem 9. *When instantiating the identity-based KEM and the NIZK proof system in Box 2 with our DLIN variant of the Heng-Kurosawa -resilient IBE scheme and the Groth-Sahai proof system, the resulting scheme satisfies opener anonymity with -bounded tokens under the DLIN assumption.*

Theorem 10. *When instantiating the tag-based KEM, the NIZK proof system and the one-time signature scheme in Box 2 with the DLIN variant of the Cramer-Shoup PKE, the Groth-Sahai proof system and the Wee one-time signature scheme, the resulting scheme satisfies admitter anonymity under the DLIN assumption.*

Theorem 11. *When instantiating the signature scheme in Box 2 with the Abe-Haralambiev-Ohkubo signature scheme, the resulting scheme satisfies traceability under the SFP assumption.*

#### 7. Construction in the Random Oracle Model

The previous section explained a GS-MDO scheme in the standard model, but it only allows at most tokens to be issued. In this section, we remove this restriction by using random oracles, and present a concrete GS-MDO scheme that allows an unbounded number of tokens. Moreover, its signature size is times smaller than that of the scheme in Section 6, and it is also secure under the DLIN, DBDH, and -SDH assumptions. We give the description of the proposed scheme in Box 3.

##### 7.1. Underlying Ideas

Our standard model instantiation uses the Groth-Sahai proof system as the NIZK proof system, and therefore the building block identity-based KEM needs to be compatible with the Groth-Sahai proof system (see Section 6.1). Unfortunately, the only IBE scheme with this property is Libert et al.’s [7], however, this scheme has a ciphertext containing a linear number of group elements in the security parameter. We overcome this weakness by avoiding the use of the Groth-Sahai proof system. More specifically, we construct an NIZK proof system in the random oracle model based on the Fiat-Shamir heuristics, and choose the building block IBE scheme that is fully secure (i.e., fully collusion resilient).

We start with the Boneh-Boyen-Shacham (BBS) group signature scheme [10], which is one of the most popular (standard) group signature schemes, to achieve the above idea. Each group member in this scheme is provided with an (ordinary) signature [27] of the Boneh-Boyen signature scheme, which certifies that the owner is a group member. A group signature of this scheme consists of two parts. The first part involves the linear encryption scheme of the certificate, whereas the second part involves the “signature of knowledge” [62] of the encrypted certificate. The decryption key for the linear encryption scheme is held by the opener, with which he can revoke the anonymity of any group signature.

We extend the BBS group signature scheme by replacing the linear encryption scheme with a certain type of -out-of- multiple encryption of ordinary PKE and IBE schemes. The multiple encryption is designed to ensure that one can decrypt an entire ciphertext only when he is able to decrypt ciphertexts of* both* the PKE scheme and the IBE scheme. Such multiple encryption can be accomplished by simple -out-of- secret sharing.

This feature enables us to achieve the MDO property as follows. In our construction, the opener only possesses a decryption key for the PKE scheme, and the admitter holds the master secret of the IBE scheme. To anonymously sign a message , a signer encrypts his certificate using as the identity of the IBE encryption. A decryption key (of the IBE scheme) under a message can serve as a message-specific token for .

##### 7.2. Construction

In this subsection, we describe the proposed GS-MDO scheme in the random oracle model in detail. The complete description of the proposed scheme is shown in Box 3. As described above, our scheme is constructed by modifying the BBS group signature scheme in such a way that the linear encryption scheme in the BBS group signature scheme is replaced with 2-out-of-2 multiple encryption by PKE and IBE, which are instantiated with the linear encryption scheme and the BF IBE scheme [11], respectively. Specifically, the values generated in the signing algorithm are of the following form where the first four components constitute (a chosen-ciphertext secure variant of) the linear encryption of a 2-out-of-2 secret sharing of . Here and are the randomness for the linear encryption scheme and is the randomness for the 2-out-of-2 secret sharing. The other components, and , constitute an encryption by the BF IBE scheme of the other share of the 2-out-of-2 secret sharing.

As mentioned above, our linear encryption scheme is not identical to that used in the BBS group signature scheme and is modified to achieve CCA-anonymity. It is obtained by modifying the linear encryption scheme (in the BBS scheme) to a linear analogue of the “double encryption” [20, 63, 64] scheme and proving the “well-formedness” by a Schnorr-type proof. This can be seen as a variant of (the DLIN variant [13] of) the Cramer-Shoup encryption scheme [12, 65] in which the validity-check property is realized by a Schnorr-type proof.

Note that the BF IBE scheme is also slightly modified in such a way that the scheme does not use a hash function for deriving the DEM key that masks a plaintext. Instead of using a hash function, we employ the slightly stronger assumption of the DBDH assumption (rather than the computational variant, on which the original BF scheme is based). This is due to the incompatibility of the use of a hash function of this type and Schnorr-type proofs. We also remark that our anonymity notion does not require the IBE scheme to be chosen-ciphertext secure, and hence we use a chosen-plaintext secure version of the BF scheme.

We further remark that , , , , , , , , , , and in Box 3 come from a Schnorr-type protocol that proves the knowledge of , , , , and satisfying the equationsThe first three equations prove the knowledge of and that are used for the linear encryption part, and furthermore prove the “well-formedness” of the ciphertext (in other words, they prove that constitutes a linear tuple). We note that the latter (proving the “well-formedness”) is crucial for achieving CCA-anonymity. The last two equations prove the knowledge of and that are used for the BF IBE scheme. Here is the randomness for the BF IBE scheme, and is the randomness for the 2-out-of-2 secret sharing. The fourth equation proves that the group element encrypted in satisfies the verification equation of the Boneh-Boyen signature scheme. Recall that , where is a Boneh-Boyen signature which certifies the membership of the signer. In other words, this equation proves that when the randomness that hides is removed from , is verified as valid by the verification equation of the Boneh-Boyen signature scheme.

More concretely, introducing four intermediate variables , , , and (which are intended to be , , , and ), the underlying protocol proves the knowledge of , , , , , , , , and satisfying the equationsWe explain these ten equations one by one. The first three equations are exactly the same as those of (9). Equation (10d) comes from expanding the equation to obtain replacing with , with , and with to obtain and rearranging them to obtain which is identical to (10d). We then need to prove that the intermediate variables surely have appropriate values, namely, that , , and . Equations (10g)–(10j) are for this purpose. To prove , we introduce (10g). This equation, together with (10a), proves that . Specifically, (10a) ensures that is equal to , and then (10g) in turn ensures that Since is a generator, we have that which is what we want to prove. Similarly, (10h) together with (10b) proves that . To prove , we need to introduce another intermediate variable which is intended to be equal to . Towards this end, (10e) and (10i) prove that . Using this, (10f) and (10j) prove that . Specifically, (10f) ensures that , and then (10j) in turn ensures that Since (10e) and (10i) ensure that , canceling out and , (10j) further ensures that since is a generator, this equation ensures that which is what we want to prove.

The security of our proposed scheme is proved as follows.

Theorem 12. *If the DBDH assumption holds, the proposed construction has opener anonymity in the random oracle model.*

Theorem 13. *If the DLIN assumption holds, the proposed construction has admitter anonymity in the random oracle model.*

Theorem 14. *If the -SDH assumption holds, the proposed construction has traceability in the random oracle model.*

The proofs of Theorems 12, 13, and 14 are given in Appendix D.

#### 8. Efficiency Comparison with Pairing-Based Group Signatures

Finally, we give a brief efficiency comparison between the proposed schemes and existing pairing-based group signature schemes (with and without the MDO property). Table 2 shows a detailed comparison among such schemes.

The signature size of our standard model scheme is 10 times larger than that of Groth scheme [32]. We believe that this is a reasonably practical performance and can be implemented in practice.

Compared with our scheme in the standard model, our scheme in the random oracle model is improved in two aspects: the first is the removal of the a priori upper bound on the number of tokens the admitter can issue, and the second is the substantial reduction of the signature size. When a 170-bit prime-order group is used, the signature size of our GS-MDO scheme in the standard model is 79364 bits, and that of our GS-MDO scheme in the random oracle model is 3636 bits, while that of the BBS scheme [10] is 1548 bits. (We adopt the estimates of bit sizes for group elements used in [9]). We also include more details of the performance of these schemes in Table 2. These two improvements are achieved at the cost of using random oracles, as indicated in the “Without RO” column in the table.

In the Libert-Joye scheme, a signature contains group elements, whereas our schemes contain a constant number of group elements. However, our standard model scheme does not achieve the unbounded MDO property. Constructing an unbounded GS-MDO scheme secure in the standard model with a constant-signature size is an interesting open problem.

Compared with the BBS scheme, we believe that the proposed scheme in the random oracle model achieves the MDO property at a reasonable cost given the increase in the signature size. As shown in Table 2, the signature size of the proposed scheme is almost twice that of the BBS scheme. We also note that our random oracle model scheme achieves CCA-anonymity, which guarantees a markedly higher level of security than CPA-anonymity, which is achieved by the BBS scheme.

#### 9. Conclusion and Open Problems

In this paper we proposed a new anonymous authentication primitive called group signatures with message-dependent opening. This primitive is an extension of ordinary group signatures, which relaxes the strong assumption that the opener, who is able to trace the identity of the signer of a signature, does not misuse his strong capability of breaking anonymity. The primitive does this by introducing another authority called the admitter, who is able to admit the opening of signatures on some specific messages to the opener.

We formalized this new primitive by providing the syntax and security requirements of the primitive. Furthermore, we discussed the difficulties in constructing an efficient instantiation of the primitive, in particular, showed that IBE is inevitable for an instantiation. We provided one generic construction and two specific constructions. The first specific construction was proven to be secure in the standard model, while the other was proven to be secure in the random oracle model. Finally, we compared two specific constructions and known group signature schemes (with and without the message-dependent opening property).

We list some open problems. We assumed that the setup of the scheme is executed honestly and that the entity who runs the setup does not collude with an adversary. An open problem is to provide a formal security requirement that does not require this assumption and an instantiation for it. Our schemes do not provide security against an adversary which may maliciously generate the opener’s or the admitter’s keys. Achieving this security is another open problem.

#### Appendix

#### A. Bellare and Neven’s Forking Lemma

Here we recall Bellare and Neven’s forking lemma [66].

Lemma A.1. *Fix an integer and a set of size . Let be a randomized algorithm that we call the input generator. Let be a randomized algorithm that takes generated by and ,..., as inputs, and returns a pair . The accepting probability of , denoted , is defined as the probability that in the experiment The associated to is the randomized algorithm that takes input and proceeds as follows: Let Then Alternatively, *

#### B. Security Proofs for the Construction in Section 5

##### B.1. Proof of Theorem 6

We prove the theorem for the case that message-dependent tokens are issued at most times. The theorem for the case of an unbounded number of tokens can be proved similarly.

*Proof*. Let be an adversary against the opener anonymity of the proposed scheme. The proof proceeds with a sequence of games.(i)*Game **0*: This is identical to the opener anonymity game of the proposed scheme.(ii)*Game **1*: In this game the common reference string in is generated by , and the zero-knowledge proof in the challenge signature is generated by .(iii)*Game **2*: In this game is sampled randomly and independently.

Let be the event that wins in Game . From the triangle inequality, we have thatWe then bound each term in this equation.

Lemma B.1. * is negligible, provided that the non-interactive proof system is adaptively zero-knowledge.*

*Proof (of Lemma B.1). *Using we construct an algorithm against the zero-knowledge property of the proof system. The construction is as follows. (i)*Setup*: receives a common reference string . Then sets up , , , and except that for the common reference string in uses the common reference string received from its challenger. Then sends to .(ii)*Token Query (Phase I)*: When issues a token query , responds with generated with .(iii)*Challenge*: When request a challenge for , , and , chooses a random bit . Using , generate a challenge signature as in the opener anonymity game with an exception that the proof in the challenge signature is obtained by querying the statement and the witness to ’s challenger.(iv)*Token Query (Phase II)*: Token queries from are responded as in Phase I.(v)*Guess*: When outputs a guess , outputs if and outputs otherwise.Observe that if receives a proof generated by , simulates ame 0 perfectly. If receives a proof generated by , simulates ame 1 perfectly. Then we have that , which is negligible.

Lemma B.2. * is negligible, provided that the identity-based KEM is -resilient.*

*Proof (of Lemma B.2). *Using we construct an algorithm against the -resilience of the identity-based KEM. The construction of is as follows. (i)*Setup*: receives a public parameter . Then sets up , , following the description of Game 1 with an exception that for the public parameter in uses sent from its challenger. Then sends to .(ii)*Token Query (Phase I)*: When issues a token query , issues an extraction query to its challenger and receives a decryption key . Then returns to .(iii)*Challenge*: When requests a challenge for , , and , chooses a random bit . Then requests a challenge to its challenger under the identity . Using these and as and , generates a challenge signature as in ame 1. Notice that due to the change in ame 1, in order to generate a proof , no longer needs to know the randomness behind . Then returns a challenge signature to .(iv)*Token Query (Phase II)*: In this phase, token queries from are responded as in Phase I.(v)*Guess*: When outputs a guess , outputs if , and outputs otherwise.Observe that if receives a session key (encapsulated in ), perfectly simulates Game 1. Furthermore, if receives a session key (independently sampled), perfectly simulates Game 2. This is because is independent of any other values, hence is distributed randomly and independently. Furthermore, issues at most token queries and does not issue as a token query. Therefore, we have that , which is negligible.

Lemma B.3. *.*

*Proof (of Lemma B.3). *Consider the process of generating the challenge signature in ame 2. In this process, the only variable that directly depends on the challenge bit is *←* Sign(