Professional Documents
Culture Documents
log
log
. The problem is
called Computational Die-Hellman Problem (CDHP).
Denition 2. Given a multiplicative group (G, ), an element G, having order n
and three elements , , , determine whether log
log
log
G
1
Z
q
and H
2
: 0, 1
G
1
G
1
are secure one-way hash functions.
1. Setup
KGC chooses a generator P of G
1
, picks a random s Z
q
, and sets P
pub
= sP. The
group public key is (P, P
pub
, e, q, G
1
, G
2
, H
1
, H
2
). KGC keeps s secret as the master key.
2. Extract
The user Alice with identity information ID picks a random number r Z
q
as her
private key, then computes rP, and sends rP together with ID to KGC. KGC computes
D
ID
= sH
2
(ID[[rP) and sends it to the user as the users private key associated to ID via
a secure channel. Thus the user has a private key pair (r , S
ID
). We call S
ID
and rP
pseudo-secret, since KGC is no longer trustful and it may expose them to other members.
In addition, the user has an associated public key Q
ID
= H
2
(ID[[rP).
3. Join
A user Alice in the ID-based system performs the following protocol and becomes a
member of the group.
A Novel Identity-based Group Signature Scheme from Bilinear Maps 253
Alice chooses a random x Z
q
, then sends rxP, rP, ID, xP to KGC and proves to
KGC that she knows S
ID
. If KGC is convinced that the user knows S
ID
and e(rxP, P) =
e(xP, rP), KGC sends secretly S = sH
2
(ID[[rxP). Thus, Alice has her secret keys x and
rx, her member key xP, and the member certicates (rxP, S). The member key and the
member certicates are pseudo-secret.
4. Sign
To sign a message m, Alice chooses a random k Z
q
, and uses her two secret keys and
certicates to compute the following values:
-U = k
1
rxP, k
1
R
Z
q
;
-W = (q k
1
)xP;
-R = k
2
H
2
(ID[[U +W +R), k
2
R
Z
q
k
1
;
-h = H
1
(m[[U +W);
-V = hk
2
S +k
1
rxH
2
(m[[U +W +R).
The resulting signature on the message m is (U, W, R, V ).
5. Verify
To verify a group signature (U, W, R, V ) of the message m, the receiver of the signature
rst computes h = H
1
(m[[U +W) and checks whether
e(V, P) = e(R, P
pub
)
h
e(H
2
(m[[U +W +R), U). (1)
6. Open
Given a valid group signature, KGC can easily identify the user. The signer cannot deny
her signature after KGC presents a zero knowledge proof:
e(U, P) e(W, rP) = e(rxP, P), (2)
e(S, P) = e(H
2
(ID[[rxP), P
pub
), (3)
e(S
ID
, P) = e(H
2
(ID[[rP), P
pub
). (4)
4. Cryptanalysis
In this section, we prove the security of our group signature scheme on the assumption
that G
1
is a Gap DH group.
Theorem 1 If there is an adversary / (without colluding with KGC) who can forge a
valid tuple (ID, rP, rxP, S
ID
, S) with non-negligible probability , then we can solve CDHP
in G
1
with non-negligible probability .
Proof: The adversary / forges a valid pseudo secret key and certicate with non-
negligible probability through the following process. First, he queries the random oracle
H
2
() several times, then he outputs a tuple (ID,rP, rxP, S
ID
, S) in which ID,rP, rxP were
not queried.
If the tuple is valid, it must satisfy the Open functions (3) and (4):
e(S, P) = e(H
2
(ID[[rxP), P
pub
), e(S
ID
, P) = e(H
2
(ID[[rP), P
pub
).
Let H
2
(ID[[rP)=aP or H
2
(ID[[rxP)=aP, P
pub
= bP. Then by running the adversary,
we can solve CDHP in G
1
for S
ID
(or S)=abP with non-negligible probability . 2
Theorem 2 A group member cannot impersonate other group members to sign the
message m with non-negligible probability.
Proof: The impersonation problem can be categorized into two aspects:
254 Zuo-Wen Tan, Zhuo-Jun Liu
Case 1. Impersonation without colluding with the group manager.
A user with identity information ID
i
wants to impersonate another user with identity
information ID
j
to sign the message m. He chooses R, W and computes h. In order to
make it easy to compute e(V, P), the user chooses U = P
pub
. Because he does not know
the certicate S
j
of the member with ID
j
, he has to determine V through the verication
equation (1): e(V, P) = e(R, P
pub
)
h
e(H
2
(m[[U+W+R), U). The equation holds if and only
if V = s(hR + H
2
(m[[U + W + R)). If the group managers private key s is not comprised,
the user(adversary) can forge a valid group signature with probability at most
1
q
.
Case 2. Impersonation with colluding with KGC.
By colluding with the group manager, a member with identity information ID
j
obtains
another members pseudo secrets r
i
P, x
i
P, r
i
x
i
P. He chooses a random k
1
, k
2
Z
q
and
computes
U = k
1
r
i
x
i
P, W = (q k
1
)x
i
P, (5)
R = k
2
H
2
(ID
j
[[r
j
x
j
P) or R = k
2
H
2
(ID
i
[[r
i
x
i
P), (6)
V = hk
2
S
j
+k
1
r
j
x
j
H
2
(m[[U +W +R). (7)
It is easy to obtain the left side of the equation (1):
e(V, P) = e(hk
2
S
j
+k
1
r
j
x
j
H
2
(m[[U +W +R), P)
= e(k
2
S
j
, P)
h
e(k
1
r
j
x
j
H
2
(m[[U +W +R), P)
= e(k
2
S
j
, P)
h
e(H
2
(m[[U +W +R), k
1
r
j
x
j
P).
By the equation (1), we have
e(H
2
(m[[U +W +R), k
1
r
j
x
j
P) = e(H
2
(m[[U +W +R), U). (8)
Through the equation (5), the equation (8) holds if and only if r
i
x
i
P = r
j
x
j
P. The
probability that r
i
x
i
r
j
x
j
mod q for r
i
, x
i
, r
j
, x
j
Z
q
is
1
q1
. If he wants to choose r
j
, x
j
in Z
q
through the equation r
i
x
i
P = r
j
x
j
P, he will have to face a DLP in G
1
. 2
As for the forgery of the KGC, we have already obtained the following the theorem.
Theorem 3 Under the assumption of hardness of DLP in G
1
, KGC cannot impersonate
a group member to sign the message m with non-negligible probability.
From the three theorems above, it is easy to deduce that our scheme satises the security
properties of group signatures: unforgeability,anonymity,unlink-ability,traceability, exculpa-
bility and coalition-resistance.
Our group signature scheme overcomes the drawback that a user(signer) should have a
new key pair for each message if he wants to sign many message. To some extent, we solve
the open problem of designing an ID-based group signature scheme from bilinear pairings
with one key pair.
5. Summary and Future Work
We proposed a novel identity-based group signature scheme from a Gap Die-Hellman
group. The group signature is based on the CDHP assumption. Furthermore, if dishonest
KGC impersonates an honest user to sign the message, the member can nd the imperson-
ation only through performing the Open procedure. In addition, the size of the group public
key and the length of the signature are independent on the number of the group members.
A Novel Identity-based Group Signature Scheme from Bilinear Maps 255
Once a user joins the group, it can sign many messages using the same key pair. However,
the standard identity-based cryptosystem has a weakness in that the entities keys are com-
pletely controlled by KGC. In respect of the problem, can one nd a better method than
the one adopted in this paper? Although we give some security analyses about the proposed
scheme, how to design a theoretically-secure identity-based group signature scheme from
bilinear maps remains an open problem.
References
[1] D. Chaum and E. van Heyst. Group signatures. Advances in Cryptology-EUROCRYPTO91,
Springer-Verlag, 1991, pp.196-198.
[2] A. Lysyanskaya and Z. Ramzan. Group Blind Digital Signatures: A scalable solution to electronic
cash. Financial Cryptology 1998, LNCS 1465, Springer-Verlag, 1998, pp.184-197.
[3] L. Chen, T. Pedersen. On the eciency of group signatures providing information-theoretic
anonymity. In Advances in Cryptology-CRYPTO91, Springer-Verlag, 1991, pp.196-198.
[4] L. Chen, T. Pedersen. New group signature schemes. Proceedings of EUROCRYPTO94 , LNCS
950, Springer-Verlag, 1994, pp.171-181.
[5] J. Camenisch. Ecient and generalized group signatures. Advances in Cryptology-
EUROCRYPTO97, LNCS 1233, Springer-Verlag, 1997, pp.465-479.
[6] D. Chaum and T. Pedersen. Wallet datebases with observes. Advances in Cryptology-
CRYPTO92, LNCS 205, Springer-Verlag, 1992.
[7] J. Camenisch and M. Stadler. Ecient group signature schemes for large groups. Advances in
Cryptology-CRYPTO97, LNCS 1294, Springer-Verlag, 1997, pp.410-424.
[8] G. Atenriwse, J. Camenisch, M. Joye, G. Tsudik. A practical and provably secure coalition-
resistant group signature scheme. Advances in Cryptology-CRYPTO 2000, LNCS 1880, Springer-
Verlag, 2000, pp.255-270.
[9] M. Bellare, D. Micciancio, B. Warinschi. Foundations of group signatures: formal deni-
tions, simplied requirements, and a construction based on general assumptions. Advances in
Cryptology-Eurocrypt 2003, LNCS 2656, Springer-Verlag, 2003, pp.614-629.
[10] A Shamir. Identity-based cryptosystems and signature schemes. Proceedings of CRYPTO84,
LNCS 196, Springer-Verlag, 1985, pp.47-53.
[11] S. Park, S. Kim and D. Won. ID-based group signature. Electronics Letters, 33(19), 1997, pp.1613-
1617.
[12] Y. Tseng and J. Jan. A novel ID-based group signature. International computer symposium,
workshop on cryptology and information security, 1998, pp.159-164.
[13] X. Chen, F. Zhang and K. Kim. A new ID-based group signature scheme from bilinear pairings.
http://eprint.iacr.org/2003/116. 2003.
[14] Douglasr, Stinson. Theory and Practice. CRC Press, 2002.
[15] M. Joye, S. Kim and N. Lee. Cryptanalysis of two group signature schemes. Information Security
1999,LNCS 1729, Spinger-Verlag, 1999, pp.271-275.
[16] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairings. Advances in
Cryptology-CRYPTO 2001, LNCS 2139, Springer-Verlag, 2001, pp.213-229.