Efficient and Generalized Group Signatures
Jan Camenisch1997, Lecture Notes in Computer Science
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
. The concept of group signatures was introduced by Chaumet al. at Eurocrypt "91. It allows a member of a group to sign messagesanonymously on behalf of the group. In case of a later dispute adesignated group manager can revoke the anonymity and identify theoriginator of a signature. In this paper we propose a new efficient groupsignature scheme. Furthermore we
Related papers
Group Signatures in Practice
Advances in Intelligent Systems and Computing, 2015
Group signature schemes allow a user to sign a message in an anonymous way on behalf of a group. In general, these schemes need the collaboration of a Key Generation Center or a Trusted Third Party, which can disclose the identity of the actual signer if necessary (for example, in order to settle a dispute). This paper presents the results obtained after implementing a group signature scheme using the Integer Factorization Problem and the Subgroup Discrete Logarithm Problem, which has allowed us to check the feasibility of the scheme when using big numbers.
A New Group Signature Scheme with Efficient Membership Revocation
International Journal of Science and Engineering Applications, 2014
In group signature schemes, the members of the group are allowed to sign messages anonymously on the behalf of the group. In this case, other group members and the outsiders from the group cannot see which member signed the messages. The organizational structure which should support the safety of privacy may need to provide a degree of anonymity to the individuals conducting the transactions. Moreover, the current methods of revocation property of the group signature scheme do not revoke to allow valid signature under an old secret key of the group manager. And it is remaining as a challenge to be independent on the size of the group public key when the group size is increasing. For this above facts, this paper will be proposed to achieve anonymous revocation based on the concept of group signature more effectively.
Security Analysis of Several Group Signature Schemes
Lecture Notes in Computer Science, 2003
At Eurocrypt'91, Chaum and van Heyst introduced the concept of group signature. In such a scheme, each group member is allowed to sign messages on behalf of a group anonymously. However, in case of later disputes, a designated group manager can open a group signature and identify the signer. In recent years, researchers have proposed a number of new group signature schemes and improvements with different levels of security. In this paper, we present a security analysis of five group signature schemes proposed in [25, 27, 18, 30, 10]. By using the same method, we successfully identify several universally forging attacks on these schemes. In our attacks, anyone (not necessarily a group member) can forge valid group signatures on any messages such that the forged signatures cannot be opened by the group manager. We also discuss the linkability of these schemes, and further explain why and how we find the attacks.
Security Remarks on a Group Signature Scheme with Member Deletion
Information and Communications Security, 2003
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable fashion. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on the Camenisch-Michels group signature scheme [7, 8], Kim, Lim and Lee proposed the first group signature scheme with a member deletion procedure at ICISC 2000 [15]. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper, we first identify an effective way that allows any verifier to determine whether two valid group signatures are signed by the same group member. Secondly, we find that in their scheme a deleted group member can still update his signing key and then generate valid group signatures after he was deleted from the group. In other words, the Kim-Lim-Lee group signature scheme [15] is linkable and does not support secure group member deletion.
On the Security of a Group Signature Scheme with Forward Security
Lecture Notes in Computer Science, 2004
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable way. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on Song's forward-secure group signature schemes, Zhang, Wu, and Wang proposed a new group signature scheme with forward security at ICICS 2003. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper we present a security analysis to show that their scheme is linkable, untraceable, and forgeable.
Accumulating Composites and Improved Group Signing
Lecture Notes in Computer Science, 2003
Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. . In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations which is appreciably less than the state-of-the-art.
One-Way Signature Chaining: a new paradigm for group cryptosystems
International Journal of Information and Computer Security, 2008
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures (CS). We give precise definitions of chain signatures and discuss some applications in trust transfer. We then present a practical construction of a CS scheme that is secure (in the random oracle model) under the Computational Diffie-Hellman (CDH) assumption in bilinear maps.
Fair traceable multi-group signatures
2008
This paper presents fair traceable multi-group signatures (FTMGS), which have enhanced capabilities, compared to group and traceable signatures, that are important in real world scenarios combining accountability and anonymity. The main goal of the primitive is to allow multiple groups that are managed separately (managers are not even aware of the other ones), yet allowing users (in the spirit of the Identity 2.0 initiative) to manage what they reveal about their identity with respect to these groups by themselves. This new primitive incorporates the following additional features.
Short Group Signatures with Ecient Flexible Join
2006
We present a short group signature scheme with an ecient (concurrent) join protocol. Signatures in our scheme are almost as short as Boneh, Boyen and Shacham's Short Group Signatures (BBS04) that has no join protocol, and the computational costs of our scheme are also almost as ecient as BBS04. The security of our group signature is based on the Decision Linear Die-Hellman assumption and the 2 Variable Strong Die-Hellman (2SDH) assumption, which is a slightly strong variant of the Strong Die-Hellman (SDH) assumption. We prove the security of our system, in the random oracle model, using a security definition for group signatures recently given by Bellare, Shi, and Zhang. tures (with or without random oracles) with (ecient concurrent) join protocols are much less ecient/longer than the BBS04 signatures. We propose a provably secure group signature scheme that is ecient and whose signature length is almost as short as BBS04. Moreover, it is secure even if users con- currently join...
Decentralized and Collaborative Tracing for Group Signatures
Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
We propose a decentralized but collaborative attribute-based tracing mechanism (a signer-identifying mechanism) for group signatures. Instead of a central tracing party in our scheme, a set of tracers satisfying the attribute set used for generating the group signature can identify the signer. Thus our proposal limits the parties who can identify the signer. On the other hand, it decentralized the tracing authority. CCS CONCEPTS • Security and privacy → Public key encryption; Digital signatures.
Related papers
Group-oriented fair exchange of signatures
Information Sciences, 2011
In an Optimistic Fair Exchange (OFE) for digital signatures, two parties exchange their signatures fairly without requiring any online trusted third party. The third party is only involved when a dispute occurs. In all the previous work, OFE has been considered only in a setting where both of the communicating parties are individuals. There is little work discussing about the fair exchange between two groups of users, though we can see that this is actually a common scenario in actual OFE applications. In this paper, we introduce a new variant of OFE, called Group-Oriented Optimistic Fair Exchange (GOFE). A GOFE allows two users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. Although GOFE may be considered as a fair exchange for group signatures, it might be inefficient if it is constructed generically from a group signature scheme. Instead, we show that GOFE is backward compatible to the Ambiguous OFE (AOFE). Also, we propose an efficient and concrete construction of GOFE, and prove its security under the security models we propose in this model. The security of the scheme relies on the decision linear assumption and strong Diffie-Hellman assumption under the random oracle model.
Efficient Group Signatures in the Standard Model
Lecture Notes in Computer Science, 2013
In a group signature scheme, group members are able to sign on behalf of the group. Since the introduction of this cryptographic authentication mechanism, several schemes have been proposed but only few of them enjoy a security in the standard model. Moreover, those provided in the standard model suffer the recourse to non standard-assumptions, or the expensive cost and bandwidth of the resulting signature. We provide three practical group signature schemes that are provably secure in the standard model under standard assumptions. The three schemes permit dynamic enrollment of new members while keeping a constant size for both keys and group signatures, and they improve the state-of-the art by several orders of magnitude.
Get Shorty via Group Signatures without Encryption
Lecture Notes in Computer Science, 2010
Group signatures allow group members to anonymously sign messages in the name of a group such that only a dedicated opening authority can reveal the exact signer behind a signature. In many of the target applications, for example in sensor networks or in vehicular communication networks, bandwidth and computation time are scarce resources and many of the existent constructions simply cannot be used. Moreover, some of the most efficient schemes only guarantee anonymity as long as no signatures are opened, rendering the opening functionality virtually useless. In this paper, we propose a group signature scheme with the shortest known signature size and favorably comparing computation time, whilst still offering a strong and practically relevant security level that guarantees secure opening of signatures, protection against a cheating authority, and support for dynamic groups. Our construction departs from the popular sign-and-encrypt-and-prove paradigm, which we identify as one source of inefficiency. In particular, our proposal does not use standard encryption and relies on re-randomizable signature schemes that hide the signed message so as to preserve the anonymity of signers. Security is proved in the random oracle model assuming the XDDH, LRSW and SDLP assumptions and the security of an underlying digital signature scheme. Finally, we demonstrate how our scheme yields a group signature scheme with verifier-local revocation.
Dynamic Privacy Protecting Short Group Signature Scheme
International Journal on Cybernetics & Informatics, 2016
Group Signature, extension of digital signature, allows members of a group to sign messages on behalf of the group, such that the resulting signature does not reveal the identity of the signer. The controllable linkability of group signatures enables an entity who has a linking key to find whether or not two group signatures were generated by the same signer, while preserving the anonymity. This functionality is very useful in many applications that require the linkability but still need the anonymity, such as sybil attack detection in a vehicular ad hoc network and privacy preserving data mining. This paper presents a new signature scheme supporting controllable linkability.The major advantage of this scheme is that the signature length is very short, even shorter than this in the best-known group signature scheme without supporting the linkability. A valid signer is able to create signatures that hide his or her identity as normal group signatures but can be anonymously linked regardless of changes to the membership status of the signer and without exposure of the history of the joining and revocation. From signatures, only linkage information can be disclosed, with a special linking key. Using this controllable linkability and the controllable anonymity of a group signature, anonymity may be flexibly or elaborately controlled according to a desired level.
Securing an Authenticated Privacy Preserving Protocol in a Group Signature Scheme Based on a Group Ring
Mathematics
Group signatures are a leading competing signature technique with a substantial amount of research. With group settings, group signatures provide user anonymity. Any group member with access to the group can generate a signature while remaining anonymous. The group manager, however, has the authority to expose and identify the signer if required. Since the privacy of the sender should be preserved, this is a conflict between privacy and accountability. Concerning high performance on security, we propose a novel, well-balanced security and privacy group signature scheme based on a general linear group over group ring. To the best of our knowledge, our work represents the first comprehensive framework for a group signature scheme that utilizes generic linear groups over group rings. We demonstrate that the competing security goals of message trustworthiness, privacy, and accountability are effectively resolved by our protocol. The results of the performance evaluation and simulation d...
Practical group signatures without random oracles
2005
We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions require new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model.
Implementing group signature schemes with smart cards
Proceedings of the 5th conference on Smart Card …, 2002
Group signature schemes allow a group member to sign messages on behalf of the group. Such signatures must be anonymous and unlinkable but, whenever needed, a designated group manager can reveal the identity of the signer. During the last decade group signatures have been playing an important role in cryptographic research; many solutions have been proposed and some of them are quite efficient, with constant size of signatures and keys ([1], [6], [7] and [15]). However, some problems still remain among which the large number of computations during the signature protocol and the difficulty to achieve coalition-resistance and to deal with member revocation. In this paper we investigate the use of a tamper-resistant device (typically a smart card) to efficiently solve those problems.
Signature Scheme to Secure Multisignature Generation for Group Communication
International journal of engineering research and technology, 2020
Multisignature threshold schemes combine the properties of threshold group-oriented signature schemes and Multisignature schemes to yield a signature scheme that allows more group members to collaboratively sign an
Cryptanalysis of two group signature schemes
1999
Group signature schemes allow a group member to anonymously sign on group's behalf. Moreover, in case of anonymity misuse, a group authority can recover the issuer of a signature. This paper analyzes the security of two group signature schemes recently proposed by Tseng and Jan. We show that both schemes are universally forgeable, that is, anyone (not necessarily a group member) is able to produce a valid group signature on an arbitrary message, which cannot be traced by the group authority.
One-Way Signature Chaining - A New Paradigm For Group Cryptosystems And E-Commerce
2005
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by dierent users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.