1 / 20

A Group Signature Scheme Committing the Group

A Group Signature Scheme Committing the Group. Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering Okayama University, Japan. A group. signature. Traceable only by TTP. What’s group signature ?. He/she is a group member! But, who?.

consuelad
Télécharger la présentation

A Group Signature Scheme Committing the Group

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ICICS2002, Singapore A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering Okayama University, Japan

  2. ICICS2002, Singapore A group signature Traceable only by TTP What’s group signature? He/she is a group member! But, who? applied to anonymous e-cash, auction ...

  3. ICICS2002, Singapore signature Group ID is traceable only by TTP Our contribution • A group signature scheme with new characteristic Universal group He/she is a member in some group But, which group? Group 1 … Group T divided to multiple groups Committing the membership group

  4. ICICS2002, Singapore Outline of this presentation • Definition of group signature scheme committing the group • Based conventional group signature scheme • Proposed scheme • Security • Application

  5. ICICS2002, Singapore Definition of group signature scheme committing the group • Participants except signer and verifier • Membership Manager(MM)…has authority to decide whether an entity may join a group • Revocation Manager(RM)…has authority to trace identity and group ID from the signature • Important requirements • Unforgeability of signature • Anonymity, and secrecy of group ID • Traceability of identity and group ID by RM

  6. ICICS2002, Singapore Based group signature scheme • Ateniese et al.’s scheme in Crypto2000 (ACJT scheme) • Most efficient Efficient in signing/verification and even registration • Provably secure Coalition resistance against an adaptive adversary (Strong adversary reflecting the reality) Why is our scheme based on this?

  7. ICICS2002, Singapore Unforgeable Traceable by RM ACJT scheme: Overview • In advance, MM & RM set up keys and parameters • Registration (joining a group) • Signature PK ID, MM SK Membership certificate (Sig. for PK) EncRM( ) Proof( ) (Zero-knowledge) Anonymous

  8. ICICS2002, Singapore ACJT scheme: Setup • MM and RM set up the following: • n=pq: RSA modulus (only MM knows p and q) • a, b, g, h: public elements in QRn (Set of quadratic residues in Zn*) • y=gx: public key (only RM knows x)

  9. ICICS2002, Singapore ACJT scheme: Registration PK: ax ID, MM SK: x Membership certificate: (A, e) s.t. A = (axb)1/e (mod n) This is an RSA signature that MM only generates

  10. ICICS2002, Singapore ACJT scheme: Signature • Signature for messege m consists of • T = EncRM(A): ElGamal ciphertext w.r.t. y • S = SPK[(x, A, e) s.t. T= EncRM(A) ∧ A = (axb)1/e](m) SPK: Signature converted from zero-knowledge proof of knowledge (Only one with knowledge can make SPK without revealing information on knowledge) EncRM( ) Proof( )

  11. ICICS2002, Singapore Our scheme: Basic idea • Registration (joining a group) • Signature PK ID, MM SK Membership certificate (Sig. for PK and Group ID) EncRM(Group ID) EncRM( ) Proof( ) (Zero-knowledge)

  12. ICICS2002, Singapore Our scheme: Setup and Registration • Setup • Another c∈QRn • Group IDs E1,…ET • Registration for group ID Et PK: ax ID, MM SK: x Membership certificate: (A, e) s.t. A = (axbcEt)1/e (mod n) (This form is also provably unforgeable…explained later)

  13. ICICS2002, Singapore Our scheme: Signature and revocation • Signature for messege m consists of • T = EncRM(A) • T’= EncRM(hEt) • S = SPK[(x, A, e, Et) s.t. T= EncRM(A) ∧ T’=EncRM(hEt) ∧ A = (axbcEt)1/e](m) • Group ID can be identified by RM’s decrypting T’ For using Et in exponent, we can construct efficient SPK using known SPKs for secret exponent

  14. ICICS2002, Singapore Security : Coalition resisitance • Certificate (A,e) is unforgeable even if valid members collude. • Formally, this means the unforgeability against adaptive adversary After obtaining valid certificates from MM a constant times, this adversary forges a new certificate This paper provides the security proof under strong RSA assumption For RSA modulus n and z∈QRn, it is infeasible to compute (u,e>1) s.t. ue = z

  15. ICICS2002, Singapore Security: Others • Unforgeability of group signature ← Unforgeability of cert. and SPK proving cert. • Anonymity, and secrecy of group ID ←zero-knowledge-ness of SPK and encryption

  16. ICICS2002, Singapore Application: Anonymous survey • Anonymous survey to generate statistics on users’ attributes • Background Commercial service provider User(Customer) Man or Woman ? Anonymously Young or Old? Marketing This system generates statistics on attributes secretly

  17. ICICS2002, Singapore Male Female 10% 90% Group Signature Group Signature Group Signature Group Signature Problem on previous survey system • Previous survey system [Nakanishi&Sugiyama, ACISP01] User(Customer) Commercial service provider Statistics TTP Vast computation depending on number of all registering users So, inefficient Secure comp.

  18. ICICS2002, Singapore Efficient system using proposed scheme(1/2) • Setup • Group ID E1,..,ET are assigned to attribute values (e.g., E1: Female, E2:Male) • Registration (e.g., E1:Female) PK ID, MM SK Membership certificate (Sig. for PK and E1)

  19. ICICS2002, Singapore Male Female 10% 90% Group Signature Efficient system using proposed scheme(2/2) User(Customer) Commercial service provider EncRM(E1) EncRM(E2) … including EncRM(E1) EncRM(E2) E2, E2…E1 (shuffled) TTP The cost is independent from number of registering users So, more efficient Known efficient shuffle protocol

  20. ICICS2002, Singapore Conclusion • Group signature scheme committing the group is proposed • Efficient and provably secure • Useful for applications (e.g., Anonymous survey) • Further works • Application to e-cash • Improving anonymous survey

More Related