Decentralized and Collaborative Tracing for Group Signatures
Nisansala Perera
Chen-Mou ChengProceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
Sign up for access to the world's latest research
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Abstract
We propose a decentralized but collaborative attribute-based tracing mechanism (a signer-identifying mechanism) for group signatures. Instead of a central tracing party in our scheme, a set of tracers satisfying the attribute set used for generating the group signature can identify the signer. Thus our proposal limits the parties who can identify the signer. On the other hand, it decentralized the tracing authority. CCS CONCEPTS • Security and privacy → Public key encryption; Digital signatures.
Related papers
Decentralized Traceable Attribute-Based Signatures
Attribute-based signatures allow a signer owning a set of attributes to anonymously sign a message w.r.t. some signing policy. A recipient of the signature is convinced that a signer with a set of attributes satisfying the signing policy has indeed produced the signature without learning the identity of the signer or which set of attributes was used in the signing. Traceable attribute-based signatures add anonymity revocation mechanisms to attribute-based signatures whereby a special tracing authority equipped with a secret key is capable of revealing the identity of the signer. Such a feature is important in settings where accountability and abuse prevention are required. In this work, we first provide a formal security model for traceable attribute-based signatures. Our focus is on the more practical case where attribute management is distributed among different authorities rather than relying on a single central authority. By specializing our model to the single attribute authority setting, we overcome some of the shortcomings of the existing model for the same setting. Our second contribution is a generic construction for the primitive which achieves a strong notion of security. Namely, it achieves CCA anonymity and its security is w.r.t. adaptive adversaries. Moreover, our framework permits expressive signing polices. Finally, we provide some instantiations of the primitive whose security reduces to falsifiable intractability assumptions and without relying on idealized assumptions.
Fair traceable multi-group signatures
2008
This paper presents fair traceable multi-group signatures (FTMGS), which have enhanced capabilities, compared to group and traceable signatures, that are important in real world scenarios combining accountability and anonymity. The main goal of the primitive is to allow multiple groups that are managed separately (managers are not even aware of the other ones), yet allowing users (in the spirit of the Identity 2.0 initiative) to manage what they reveal about their identity with respect to these groups by themselves. This new primitive incorporates the following additional features.
Decentralized Attribute-Based Signatures
Public-Key Cryptography – PKC 2013, 2013
We present the first decentralized multi-authority attributebased signature (DMA-ABS) scheme, in which no central authority and no trusted setup are required. The proposed DMA-ABS scheme for a large class of (non-monotone) predicates is fully secure (adaptive-predicate unforgeable and perfectly private) under a standard assumption, the decisional linear (DLIN) assumption, in the random oracle model. Our DMA-ABS scheme is comparably as efficient as the most efficient ABS scheme. As a by-product, this paper also presents an adaptively secure DMA functional encryption (DMA-FE) scheme under the DLIN assumption.
Who Let the $$\mathcal {DOGS}$$ Out: Anonymous but Auditable Communications Using Group Signature Schemes with Distributed Opening
Lecture Notes in Computer Science, 2020
Over the past two decades, group signature schemes have been developed and used to enable authenticated and anonymous peerto-peer communications. Initial protocols rely on two main authorities, Issuer and Opener, which are given substantial capabilities compared to (regular) participants, such as the ability to arbitrarily identify users. AQ1 Building efficient, fast, and short group signature schemes has been the focus of a large number of research contributions. However, only a few dealt with the major privacy-preservation challenge of group signatures; this consists in providing user anonymity and action traceability while not necessarily relying on a central and fully trusted authority. In this paper, we present DOGS, a privacy-preserving Blockchain-supported group signature scheme with a distributed Opening functionality. In DOGS, participants no longer depend on the Opener entity to identify the signer of a potentially fraudulent message; they instead collaborate and perform this auditing process themselves. We provide a high-level description of the DOGS scheme and show that it provides both user anonymity and action traceability. Additionally, we prove how DOGS is secure against message forgery and anonymity attacks.
A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity
Cryptography
This survey reviews the two most prominent group-oriented anonymous signature schemes and analyzes the existing approaches for their problem: balancing anonymity against traceability. Group signatures and ring signatures are the two leading competitive signature schemes with a rich body of research. Both group and ring signatures enable user anonymity with group settings. Any group user can produce a signature while hiding his identity in a group. Although group signatures have predefined group settings, ring signatures allow users to form ad-hoc groups. Preserving user identities provided an advantage for group and ring signatures. Thus, presently many applications utilize them. However, standard group signatures enable an authority to freely revoke signers’ anonymity. Thus, the authority might weaken the anonymity of innocent users. On the other hand, traditional ring signatures maintain permanent user anonymity, allowing space for malicious user activities; thus achieving the req...
Group-oriented fair exchange of signatures
Information Sciences, 2011
In an Optimistic Fair Exchange (OFE) for digital signatures, two parties exchange their signatures fairly without requiring any online trusted third party. The third party is only involved when a dispute occurs. In all the previous work, OFE has been considered only in a setting where both of the communicating parties are individuals. There is little work discussing about the fair exchange between two groups of users, though we can see that this is actually a common scenario in actual OFE applications. In this paper, we introduce a new variant of OFE, called Group-Oriented Optimistic Fair Exchange (GOFE). A GOFE allows two users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. Although GOFE may be considered as a fair exchange for group signatures, it might be inefficient if it is constructed generically from a group signature scheme. Instead, we show that GOFE is backward compatible to the Ambiguous OFE (AOFE). Also, we propose an efficient and concrete construction of GOFE, and prove its security under the security models we propose in this model. The security of the scheme relies on the decision linear assumption and strong Diffie-Hellman assumption under the random oracle model.
Dynamic Privacy Protecting Short Group Signature Scheme
International Journal on Cybernetics & Informatics, 2016
Group Signature, extension of digital signature, allows members of a group to sign messages on behalf of the group, such that the resulting signature does not reveal the identity of the signer. The controllable linkability of group signatures enables an entity who has a linking key to find whether or not two group signatures were generated by the same signer, while preserving the anonymity. This functionality is very useful in many applications that require the linkability but still need the anonymity, such as sybil attack detection in a vehicular ad hoc network and privacy preserving data mining. This paper presents a new signature scheme supporting controllable linkability.The major advantage of this scheme is that the signature length is very short, even shorter than this in the best-known group signature scheme without supporting the linkability. A valid signer is able to create signatures that hide his or her identity as normal group signatures but can be anonymously linked regardless of changes to the membership status of the signer and without exposure of the history of the joining and revocation. From signatures, only linkage information can be disclosed, with a special linking key. Using this controllable linkability and the controllable anonymity of a group signature, anonymity may be flexibly or elaborately controlled according to a desired level.
Efficient and Generalized Group Signatures
Lecture Notes in Computer Science, 1997
. The concept of group signatures was introduced by Chaumet al. at Eurocrypt "91. It allows a member of a group to sign messagesanonymously on behalf of the group. In case of a later dispute adesignated group manager can revoke the anonymity and identify theoriginator of a signature. In this paper we propose a new efficient groupsignature scheme. Furthermore we
Real Traceable Signatures
Lecture Notes in Computer Science, 2009
Traceable signature scheme extends a group signature scheme with an enhanced anonymity management mechanism. The group manager can compute a tracing trapdoor which enables anyone to test if a signature is signed by a given misbehaving user, while the only way to do so for group signatures requires revealing the signer of all signatures. Nevertheless, it is not tracing in a strict sense. For all existing schemes, T tracing agents need to recollect all N signatures ever produced and perform RN "checks" for R revoked users. This involves a high volume of transfer and computations. Increasing T increases the degree of parallelism for tracing but also the probability of "missing" some signatures in case some of the agents are dishonest. We propose a new and efficient way of tracing-the tracing trapdoor allows the reconstruction of tags such that each of them can uniquely identify a signature of a misbehaving user. Identifying N signatures out of the total of N signatures (N << N) just requires the agent to construct N small tags and send them to the signatures holder. N here gives a trade-off between the number of unlinkable signatures a member can produce and the efforts for the agents to trace the signatures. We present schemes with simple design borrowed from anonymous credential systems. Our schemes are proven secure respectively in the random oracle model and in the common reference string model (or in the standard model if there exists a trusted party for system parameters initialization).
A New Approach to Keep the Privacy Information of the Signer in a Digital Signature Scheme
Information
In modern applications, such as Electronic Voting, e-Health, e-Cash, there is a need that the validity of a signature should be verified by only one responsible person. This is opposite to the traditional digital signature scheme where anybody can verify a signature. There have been several solutions for this problem, the first one is we combine a signature scheme with an encryption scheme; the second one is to use the group signature; and the last one is to use the strong designated verifier signature scheme with the undeniable property. In this paper, we extend the traditional digital signature scheme to propose a new solution for the aforementioned problem. Our extension is in the sense that only a designated verifier (responsible person) can verify a signer’s signature, and if necessary (in case the signer refuses to admit his/her signature) the designated verifier without revealing his/her secret key is able to prove to anybody that the signer has actually generated the signatu...
One-Way Signature Chaining: a new paradigm for group cryptosystems
International Journal of Information and Computer Security, 2008
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by different users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added to the chain. However, it is computationally infeasible to remove any intermediate links without removing all the links. The signatures so created are called chain signatures (CS). We give precise definitions of chain signatures and discuss some applications in trust transfer. We then present a practical construction of a CS scheme that is secure (in the random oracle model) under the Computational Diffie-Hellman (CDH) assumption in bilinear maps.
On the Security of a Group Signature Scheme with Forward Security
Lecture Notes in Computer Science, 2004
A group signature scheme allows a group member of a given group to sign messages on behalf of the group in an anonymous and unlinkable way. In case of a dispute, however, a designated group manager can reveal the signer of a valid group signature. Based on Song's forward-secure group signature schemes, Zhang, Wu, and Wang proposed a new group signature scheme with forward security at ICICS 2003. Their scheme is very efficient in both communication and computation aspects. Unfortunately, their scheme is insecure. In this paper we present a security analysis to show that their scheme is linkable, untraceable, and forgeable.
Attribute-Based Signatures for Supporting Anonymous Certification
Computer Security – ESORICS 2016, 2016
This paper presents an anonymous certification (AC) scheme, built over an attribute based signature (ABS). After identifying properties and core building blocks of anonymous certification schemes, we identify ABS limitations to fulfill AC properties, and we propose a new system model along with a concrete mathematical construction based on standard assumptions and the random oracle model. Our solution has several advantages. First, it provides a data minimization cryptographic scheme, permitting the user to reveal only required information to any service provider. Second, it ensures unlinkability between the different authentication sessions, while preserving the anonymity of the user. Third, the derivation of certified attributes by the issuing authority relies on a non interactive protocol which provides an interesting communication overhead.
Anonymous attribute certificates based on traceable signatures
Internet Research, 2006
Purpose -To provide a cryptographic protocol for anonymously accessing services offered on the web. Such anonymous accesses can be disclosed or traced under certain conditions. Design/methodology/approach -The "traceable signature" scheme was used in conjunction with the "privilege management infrastructure". Findings -The cryptographic primitive provides a suitable tool for anonymous and unlinkable access to web resources based on the privileges that users hold. Moreover, the scheme allows for anonymity revocation and tracing of unlinkable accesses.
Anonymous and Traceable Group Data Sharing in Cloud Computing
IEEE Transactions on Information Forensics and Security
Group data sharing in cloud environments has become a hot topic in recent decades. With the popularity of cloud computing, how to achieve secure and efficient data sharing in cloud environments is an urgent problem to be solved. In addition, how to achieve both anonymity and traceability is also a challenge in the cloud for data sharing. This paper focuses on enabling data sharing and storage for the same group in the cloud with high security and efficiency in an anonymous manner. By leveraging the key agreement and the group signature, a novel traceable group data sharing scheme is proposed to support anonymous multiple users in public clouds. On the one hand, group members can communicate anonymously with respect to the group signature, and the real identities of members can be traced if necessary. On the other hand, a common conference key is derived based on the key agreement to enable group members to share and store their data securely. Note that a symmetric balanced incomplete block design is utilized for key generation, which substantially reduces the burden on members to derive a common conference key. Both theoretical and experimental analyses demonstrate that the proposed scheme is secure and efficient for group data sharing in cloud computing.
One-Way Signature Chaining - A New Paradigm For Group Cryptosystems And E-Commerce
2005
In this paper, we describe a new cryptographic primitive called (One-Way) Signature Chaining. Signature chaining is essentially a method of generating a chain of signatures on the same message by dierent users. Each signature acts as a "link" of the chain. The one-way-ness implies that the chaining process is one-way in the sense that more links can be easily added
Group Signatures in Practice
Advances in Intelligent Systems and Computing, 2015
Group signature schemes allow a user to sign a message in an anonymous way on behalf of a group. In general, these schemes need the collaboration of a Key Generation Center or a Trusted Third Party, which can disclose the identity of the actual signer if necessary (for example, in order to settle a dispute). This paper presents the results obtained after implementing a group signature scheme using the Integer Factorization Problem and the Subgroup Discrete Logarithm Problem, which has allowed us to check the feasibility of the scheme when using big numbers.
Practical group signatures without random oracles
2005
We provide a construction for a group signature scheme that is provably secure in a universally composable framework, within the standard model with trusted parameters. Our proposed scheme is fairly simple and its efficiency falls within small factors of the most efficient group signature schemes with provable security in any model (including random oracles). Security of our constructions require new cryptographic assumptions, namely the Strong LRSW, EDH, and Strong SXDH assumptions. Evidence for any assumption we introduce is provided by proving hardness in the generic group model.
Securing an Authenticated Privacy Preserving Protocol in a Group Signature Scheme Based on a Group Ring
Mathematics
Group signatures are a leading competing signature technique with a substantial amount of research. With group settings, group signatures provide user anonymity. Any group member with access to the group can generate a signature while remaining anonymous. The group manager, however, has the authority to expose and identify the signer if required. Since the privacy of the sender should be preserved, this is a conflict between privacy and accountability. Concerning high performance on security, we propose a novel, well-balanced security and privacy group signature scheme based on a general linear group over group ring. To the best of our knowledge, our work represents the first comprehensive framework for a group signature scheme that utilizes generic linear groups over group rings. We demonstrate that the competing security goals of message trustworthiness, privacy, and accountability are effectively resolved by our protocol. The results of the performance evaluation and simulation d...
Hidden identity-based signatures
IET Information Security, 2009
This paper introduces Hidden Identity-based Signatures (Hidden-IBS), a type of digital signatures that provide mediated signer-anonymity on top of Shamir's Identity-based signatures. The motivation of our new signature primitive is to resolve an important issue with the kind of anonymity offered by "group signatures" where it is required that either the group membership list is public or that the opening authority is dependent on the group manager for its operation. Contrary to this, Hidden-IBS do not require the maintenance of a group membership list and they enable an opening authority that is totally independent of the group manager. As we argue this makes Hidden-IBS much more attractive than group signatures for a number of applications. In this paper, we provide a formal model of Hidden-IBS as well as two efficient constructions that realize the new primitive. Our elliptic curve construction that is based on the SDH/DLDH assumptions produces signatures that are merely half a Kbyte long and can be implemented very efficiently.
Related topics
Loading Preview
Sorry, preview is currently unavailable. You can download the paper by clicking the button above.