ICICS2002, Singapore A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering Okayama University, Japan
ICICS2002, Singapore A group signature Traceable only by TTP What’s group signature？ He/she is a group member! But, who? applied to anonymous e-cash, auction ...
ICICS2002, Singapore signature Group ID is traceable only by TTP Our contribution • A group signature scheme with new characteristic Universal group He/she is a member in some group But, which group? Group 1 … Group T divided to multiple groups Committing the membership group
ICICS2002, Singapore Outline of this presentation • Definition of group signature scheme committing the group • Based conventional group signature scheme • Proposed scheme • Security • Application
ICICS2002, Singapore Definition of group signature scheme committing the group • Participants except signer and verifier • Membership Manager(MM)…has authority to decide whether an entity may join a group • Revocation Manager(RM)…has authority to trace identity and group ID from the signature • Important requirements • Unforgeability of signature • Anonymity, and secrecy of group ID • Traceability of identity and group ID by RM
ICICS2002, Singapore Based group signature scheme • Ateniese et al.’s scheme in Crypto2000 (ACJT scheme) • Most efficient Efficient in signing/verification and even registration • Provably secure Coalition resistance against an adaptive adversary (Strong adversary reflecting the reality) Why is our scheme based on this?
ICICS2002, Singapore Unforgeable Traceable by RM ACJT scheme: Overview • In advance, MM & RM set up keys and parameters • Registration (joining a group) • Signature PK ID, MM SK Membership certificate (Sig. for PK) EncRM( ) Proof( ) (Zero-knowledge) Anonymous
ICICS2002, Singapore ACJT scheme: Setup • MM and RM set up the following: • n=pq: RSA modulus (only MM knows p and q) • a, b, g, h: public elements in QRn (Set of quadratic residues in Zn*) • y=gx: public key (only RM knows x)
ICICS2002, Singapore ACJT scheme: Registration PK: ax ID, MM SK: x Membership certificate: (A, e) s.t. A = (axb)1/e (mod n) This is an RSA signature that MM only generates
ICICS2002, Singapore ACJT scheme: Signature • Signature for messege m consists of • T = EncRM(A): ElGamal ciphertext w.r.t. y • S = SPK[(x, A, e) s.t. T= EncRM(A) ∧ A = (axb)1/e](m) SPK: Signature converted from zero-knowledge proof of knowledge (Only one with knowledge can make SPK without revealing information on knowledge) EncRM( ) Proof( )
ICICS2002, Singapore Our scheme: Basic idea • Registration (joining a group) • Signature PK ID, MM SK Membership certificate (Sig. for PK and Group ID) EncRM(Group ID) EncRM( ) Proof( ) (Zero-knowledge)
ICICS2002, Singapore Our scheme: Setup and Registration • Setup • Another c∈QRn • Group IDs E1,…ET • Registration for group ID Et PK: ax ID, MM SK: x Membership certificate: (A, e) s.t. A = (axbcEt)1/e (mod n) (This form is also provably unforgeable…explained later)
ICICS2002, Singapore Our scheme: Signature and revocation • Signature for messege m consists of • T = EncRM(A) • T’= EncRM(hEｔ) • S = SPK[(x, A, e, Eｔ) s.t. T= EncRM(A) ∧ T’=EncRM(hEt) ∧ A = (axbcEt)1/e](m) • Group ID can be identified by RM’s decrypting T’ For using Et in exponent, we can construct efficient SPK using known SPKs for secret exponent
ICICS2002, Singapore Security : Coalition resisitance • Certificate (A,e) is unforgeable even if valid members collude. • Formally, this means the unforgeability against adaptive adversary After obtaining valid certificates from MM a constant times, this adversary forges a new certificate This paper provides the security proof under strong RSA assumption For RSA modulus n and z∈QRn, it is infeasible to compute (u,e>1) s.t. ue = z
ICICS2002, Singapore Security: Others • Unforgeability of group signature ← Unforgeability of cert. and SPK proving cert. • Anonymity, and secrecy of group ID ←zero-knowledge-ness of SPK and encryption
ICICS2002, Singapore Application: Anonymous survey • Anonymous survey to generate statistics on users’ attributes • Background Commercial service provider User(Customer) Man or Woman ? Anonymously Young or Old? Marketing This system generates statistics on attributes secretly
ICICS2002, Singapore Male Female 10% 90% Group Signature Group Signature Group Signature Group Signature Problem on previous survey system • Previous survey system [Nakanishi&Sugiyama, ACISP01] User(Customer) Commercial service provider Statistics TTP Vast computation depending on number of all registering users So, inefficient Secure comp.
ICICS2002, Singapore Efficient system using proposed scheme(1/2) • Setup • Group ID E1,..,ET are assigned to attribute values (e.g., E1: Female, E2:Male) • Registration (e.g., E1:Female) PK ID, MM SK Membership certificate (Sig. for PK and E1)
ICICS2002, Singapore Male Female 10% 90% Group Signature Efficient system using proposed scheme(2/2) User(Customer) Commercial service provider EncRM(E1) EncRM(E2) … including EncRM(E1) EncRM(E2) E2, E2…E1 （shuffled) TTP The cost is independent from number of registering users So, more efficient Known efficient shuffle protocol
ICICS2002, Singapore Conclusion • Group signature scheme committing the group is proposed • Efficient and provably secure • Useful for applications (e.g., Anonymous survey) • Further works • Application to e-cash • Improving anonymous survey