Group Signature

The Internet of Things (IoT) employs smart devices as its building blocks for developing a ubiquitous communication
framework. It thus supports a wide variety of application domains, including public safety, healthcare, education, and public transportation. While offering a novel communication paradigm, IoT finds its requirements closely connected to the security issues. The role of security following the fact that a new type of devices known as wearables constitute an emerging area. This paper delivers an applicability study of the state-of-the-art cryptographic primitives for wearable IoT devices, including the pairingbased cryptography. Pairing-based schemes are well-recognized as fundamental enablers for many advanced cryptographic applications, such as privacy protection and identity-based encryption. To deliver a comprehensive view on the computational power of modern wearable devices (smart phones, watches, and embedded devices), we perform an evaluation of a variety of them utilizing bilinear pairing for real-time communication. In order to deliver a complete picture, the obtained bilinear pairing results are complemented with performance figures for classical cryptography (such as block ciphers, digital signatures, and hash functions). Our findings show that wearable devices of today have
the needed potential to efficiently operate with cryptographic
primitives in real time. Therefore, we believe that the data
provided during this research would shed light on what devices
are more suitable for certain cryptographic operations.

Over the decade, the usage of data had increased exponentially, which led to the demand for its effective storage and retrieval. The cloud environment has developed to handle that demand with its huge storage space and easy accessibility. However, the open nature of the cloud resulted in the data integrity issues and multiuser cloud enriched it. The other issues like group signature and user revocation took the central part to ensure integrity of data in the cloud. The present study summarizes various techniques that were developed in recent times to address the security issues on data integrity, user revocation, and group signature. To reflect on the novelty of each approach, along with its performance in providing integrity for the cloud data stands as the primary objective of the study. From the extensive study, it was found that the overhead on the computational and communication overhead increase proportionally with an increase in the number of the user during the group signature generation and recurrent user revocation. There was a need for an effective cryptic mechanism with effective cloud storage and recovery of data. Finally, it was suggested to develop a robust framework that can provide enhanced security with reduced overhead and ensure data integrity.

This article is a position paper on the current security issues in Vehicular Ad hoc Networks (VANETs). VANETs face many interesting research challenges in multiple areas, from privacy and anonymity to the detection and eviction of misbehaving nodes and many others in between. Multiple solutions have been proposed to address those issues. This paper surveys the most relevant while discussing its benefits and drawbacks. The paper explores the newest trends in privacy, anonymity, misbehaving nodes, the dissemination of false information and secure data aggregation, giving a perspective on how we foresee the future of this research area.First, the paper discusses the use of Public Key Infrastructure (PKI) (and certificates revocation), location privacy, anonymity and group signatures for VANETs. Then, it compares several proposals to identify and evict misbehaving and faulty nodes. Finally, the paper explores the differences between syntactic and semantic aggregation techniques, cluster and non-cluster based with fixed and dynamic based areas, while presenting secure as well as probabilistic aggregation schemes.

The existing authentication protocols to secure vehicular ad hoc networks (VANETs) raise challenges such as certificate distribution and revocation, avoidance of computation and communication bottlenecks, and reduction of the strong reliance on tamper-proof devices. This paper efficiently cope with these challenges with a decentralized group authentication protocol in the sense that the group is maintained by each RSU rather than by a centralized authority as in most existing protocols employing group signatures. In our proposal, we employ each roadside unit (RSU) to maintain and manage an on-the-fly group within its communication range. Vehicles entering the group can anonymously broadcast vehicle-to-vehicle (V2V) messages, which can be instantly verified by the vehicles in the same group (and neighbor groups). Later, if the message is found to be false, a third party can be invoked to disclose the identity of the message originator. Our protocol efficiently exploits the specific features of vehicular mobility, physical road limitations and properly distributed RSUs. Our design leads to a robust VANET since, if some RSUs occasionally collapse, only the vehicles driving in those collapsed areas will be affected. Due to the numerous RSUs sharing the load to maintain the system, performance does not significantly degrade when more vehicles join the VANET; hence, the system is scalable.

Traceable signatures schemes were introduced by Kiayias, Tsiounis and Yung in order to solve traceability issues in group signature schemes. They wanted to enable authorities to delegate some of their detection capabilities to tracing sub-authorities. Instead of opening every single signatures and then threatening privacy, tracing sub-authorities are able to know if a signature was emitted by specific users only. In 2008, Libert and Yung proposed the first traceable signature schemes proven secure in the standard model. We design another scheme in the standard model, with two instantiations based either on the SXDH or the DLin assumptions. Our construction is far more efficient, both in term of group elements for the signature, and pairing computation for the verification. Besides the "step-in" (confirmation) feature that allows a user to prove he was indeed the signer, our construction provides the "step-out" (disavowal) procedure that allows a user to prove he was not the signer. Since list signature schemes are closely related to this primitive, we consider them, and answer an open problem: list signature schemes are possible without random oracles.

In an Optimistic Fair Exchange (OFE) for digital signatures, two parties exchange their signatures fairly without requiring any online trusted third party. The third party is only involved when a dispute occurs. In all the previous work, OFE has been considered only in a setting where both of the communicating parties are individuals. There is little work discussing about the fair exchange between two groups of users, though we can see that this is actually a common scenario in actual OFE applications. In this paper, we introduce a new variant of OFE, called Group-Oriented Optimistic Fair Exchange (GOFE). A GOFE allows two users from two different groups to exchange signatures on behalf of their groups in a fair and anonymous manner. Although GOFE may be considered as a fair exchange for group signatures, it might be inefficient if it is constructed generically from a group signature scheme. Instead, we show that GOFE is backward compatible to the Ambiguous OFE (AOFE). Also, we propose an efficient and concrete construction of GOFE, and prove its security under the security models we propose in this model. The security of the scheme relies on the decision linear assumption and strong Diffie-Hellman assumption under the random oracle model.

Group signatures allow a group member to sign anonymously on behalf of a group. In the dynamic case, a group manager can add and revoke group members. An opening manager can revoke the anonymity of a signature and trace it back to the original group member. We introduce limited-linkable group signatures: two signatures on identical messages by the same group member can be efficiently linked. Furthermore, we show how to distribute the opening manager, so that no trusted third party is required to guarantee anonymity. Our system generates short and efficient signatures, and is provably secure in the random oracle model.

A great deal of variation is known to underlie the vocalizations of animals. Calls can for example vary between individuals or between social and behavioural contexts. Calls also have the potential to vary between groups. Many group-living animals are known to produce stereotyped group-specific calls and such group signatures are thought to play a role in territory defence or indeed mate choice. Group signatures are generally found in long-distance call variants that work to maintain contact between group members, sometimes referred to as ‘contact calls’. Cooperatively breeding, territorial meerkats, Suricata suricatta, also use contact calls, potentially to maintain social organization during foraging. However, these contact calls are generally quieter than long-distance calls in other species, and better described as ‘close calls’. We investigated whether these similar call types also possess group-specific signatures and whether any such variation is used by receivers. We recorded close calls from 71 individuals belonging to 10 meerkat groups. We found that such close calls indeed possessed group signatures, but that this underlying variation did not appear to be used by receivers, possibly because meerkats use other sensory systems to identify nongroup members. We stress the importance of conducting playback experiments when investigating group-specific vocal signatures and use our results as a basis for predicting which animals may rely on group information encoded within close calls.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

Group signatures are a useful cryptographic construct for privacy-preserving non-repudiable authentication, and there have been many group signature schemes. In this paper, we introduce a variant of group signatures that offers two new security properties called leak-freedom and immediate-revocation.

Vocal learning is well known among passerine and psittacine birds, but most data on mammals are equivocal. Speci¢c bene¢ts of vocal learning are poorly understood for most species. One case where vocal learning should be favoured by selection is where calls indicate group membership and group mates are unrelated. Female greater spear-nosed bats, Phyllostomus hastatus, live in stable groups of unrelated bats and use loud, broadband calls to coordinate foraging movements of social group mates. Bats bene¢t from group foraging. Calls di¡er between female social groups and cave colonies, and playback experiments demonstrate that bats perceive these acoustic di¡erences. Here I show that the group distinctive structure of calls arises through vocal learning. Females change call structure when group composition changes, resulting in increased similarity among new social group mates. Comparisons of transfers with agematched half-sibs indicate that call changes are not simply due to maturation, the physical environment or heredity. These results suggest that studies testing vocal learning in mammals could pro¢t by focusing on vocalizations that signify group membership.

Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'Threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's [1] and Pedersen's [2] schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity.

Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'Threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's [1] and Pedersen's [2] schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity.

Group Inside Signature (GIS) is a signature scheme that allows the signer to designate his signature to be verified by a group of people, so that members other than the designated group cannot verify the signature generated by him. In Broadcast Group Oriented Signature (BGOS), an user from one group can designate his signature to be verified by members of other group. The GIS and BGOS schemes [5], [6] and [7] which we consider are certificateless schemes. An Adaptable Designated Group Signature (ADGS), is one in which an user can designate his signature to be verified by a selected set of members who are from different groups. The ADGS scheme [8] which we consider here is an identity based scheme. In this paper, we present the cryptanalysis of four schemes that appeared in [5], [6], [7] and [8]. We show that, both GIS schemes [5], [6] and BGOS scheme [7] suffers from Type-I and Type-II vulnerabilities and ADGS [8] is universally forgeable.

Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely "ad-hoc" and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and give separation results proving that our new notions are strictly stronger than previous ones. Second, we show the first constructions of ring signature schemes in the standard model. One scheme is based on generic assumptions and satisfies our strongest definitions of security. Two additional schemes are more efficient, but achieve weaker security guarantees and more limited functionality.

McEliece is one of the oldest known public key cryptosys- tems. Though it was less widely studied than RSA, it is remarkable that all known attacks are still exponential. It is widely believed that code-based cryptosystems like McEliece do not allow practical digital signatures. In the present paper we disprove this belief and show a way to build a practical

We propose a short traceable signature scheme based on bilinear pairings. Traceable signatures, introduced by Kiayias, Tsiounis and Yung (KTY), support an extended set of fairness mechanisms (mechanisms for anonymity management and revocation) when compared with the traditional group signatures. Designing short signatures based on the power of pairing has been a current activity of cryptographic research, and is especially needed for long constructions like that of traceable signatures. The size of a signature in our scheme is less than one third of the size in the KTY scheme and about 40% of the size of the pairing based traceable signature (which has been the shortest till today). The security of our scheme is based on the Strong Diffie-Hellman assumption and the Decision Linear Diffie-Hellman assumption. We prove the security of our system in random oracle model using the security model given by KTY.

Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'Threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's [1] and Pedersen's [2] schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

Background: Discriminating threatening individuals from non-threatening ones allow territory owners to modulate their territorial responses according to the threat posed by each intruder. This ability reduces costs associated with territorial defence. Reduced aggression towards familiar adjacent neighbours, termed the dear-enemy effect, has been shown in numerous species. An important question that has never been investigated is whether territory owners perceive distant neighbours established in the same group as strangers because of their unfamiliarity, or as dear-enemies because of their group membership.

David Chaum introduced Visual Voting scheme in which a voter obtains a paper receipt from a voting machine. This receipt can be used to verify that his vote was counted in the final tally, but cannot be used for vote selling. The Chaum's system requires sophisticated printers and application of randomized partial checking (RPC) method. We propose a complete design of a voting system that preserves advantages of the Chaum's scheme, but eliminates the use of special printers and RPC.

Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'Threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's [1] and Pedersen's [2] schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity.

Group signatures are an interesting and appealing cryptographic construct with many promising potential applications. This paper is motivated by attractive features of group signatures, particularly, the potential to serve as foundation for anonymous credential systems. We re-examine the whole notion of group signatures from a systems perspective and propose two new requirements: leak-freedom and immediate-revocation, which are crucial for a large class of enterprise-centric applications. We then present a new group signature scheme that achieves all identified properties. Our scheme is based on the so-called systems architecture approach. It is appreciably more efficient than the stateof-the-art, easy to implement and reflects the well-known separation-of-duty principle. Another benefit of our scheme is the obviated reliance on underlying anonymous communication channels, which has been a requirement in all previous group signature schemes.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

Song geographic variation and Neighbour-Stranger (N-S) discrimination have been intensively but separately studied in bird species, especially in those with small-to medium-sized repertoires. Here, we establish a link between the two phenomena by showing that dialect features are used for N-S recognition in a territorial species with a large repertoire, the skylark Alauda arvensis. In this species, during the breeding season, many pairs settle in stable and adjoining territories gathered in locations spaced by a few kilometres. In a first step, songs produced by males established in different locations were recorded, analyzed and compared to identify possible microgeographic variation at the syntax level. Particular common sequences of syllables (phrases) were found in the songs of all males established in the same location (neighbours), whereas males of different locations (strangers) shared only few syllables and no sequences. In a second step, playback experiments were conducted and provided evidence for N-S discrimination consistent with the dear-enemy effect, i.e. reduced aggression from territorial birds towards neighbours than towards strangers. In addition, a similar response was observed when a ʻchimericʼ signal (shared phrases of the location artificially inserted in the song of a stranger) and a neighbour song were broadcast, indicating that shared sequences were recognized and identified as markers of the group identity. We thus show experimentally that the shared phrases found in the songs of neighbouring birds constitute a group signature used by birds for N-S discrimination, and serve as a basis for the dear-enemy effect.

The complexity of voting procedures make it challenging to design a secure electronic voting system. In many proposals, the security of the system relies mainly on a black box voting machine. Meanwhile, the most advanced proposals base their security arguments on (complicated) cryptographic protocols, e.g. blind signatures or homomorphic schemes. Canard and Traoré proposed cryptographic primitives dedicated to provide anonymous services using smart cards. Among these primitives, list signatures are specially suitable for e-voting, as they provide specific properties such as multiple vote detection. Moreover, unlike blind signatures, they do not involve a signing authority during the ballot creation process. The purpose of this paper is to present an e-voting system, whose security relies on a tamper-resistant smart card embedding several cryptographic primitives, including list signatures.

Group signatures (GSs) is an elegant approach for providing privacy-preserving authentication. Unfortunately, modern GS schemes have limited practical value for use in large networks due to the high computational complexity of their revocation check procedures. We propose a novel GS scheme called the Group Signatures with Probabilistic Revocation (GSPR), which significantly improves scalability with regard to revocation. GSPR employs the novel notion of probabilis-tic revocation, which enables the verifier to check the revocation status of the private key of a given signature very efficiently. However, GSPR's revocation check procedure produces probabilistic results, which may include false positive results but no false negative results. GSPR includes a procedure that can be used to iteratively decrease the probability of false positives. GSPR makes an advantageous trade-off between computational complexity and communication overhead, resulting in a GS scheme that offers a number of practical advantages over the prior art. We provide a proof of security for GSPR in the random oracle model using the decisional linear assumption and the bilinear strong Diffie-Hellman assumption.

Constructing practical and provably secure group signature schemes has been a very active research topic in recent years. A group signature can be viewed as a digital signature with certain extra properties. Notably, anyone can verify that a signature is generated by a legitimate group member, while the actual signer can only be identified (and linked) by a designated entity called a group manager. Currently, the most efficient group signature scheme available is due to Camenisch and Lysyanskaya [CL02]. It is obtained by integrating a novel dynamic accumulator with the scheme by Ateniese, et al. . In this paper, we construct a dynamic accumulator that accumulates composites, as opposed to previous accumulators that accumulated primes. We also present an efficient method for proving knowledge of factorization of a committed value. Based on these (and other) techniques we design a novel provably secure group signature scheme. It operates in the common auxiliary string model and offers two important benefits: 1) the Join process is very efficient: a new member computes only a single exponentiation, and 2) the (unoptimized) cost of generating a group signature is 17 exponentiations which is appreciably less than the state-of-the-art.

We introduce a new way for generating strong keys from biometric data. Contrary to popular belief, this leads us to biometric keys which are easy to obtain and renew. Our solution is based on two-factor authentication: a low-cost card and a biometric trait are involved. Following the Boneh and Shacham group signature construction, we introduce a new biometric-based remote authentication scheme. Surprisingly, for ordinary uses no interactions with a biometric database are needed in this scheme. As a side effect of our proposal, privacy of users is easily obtained while it can possibly be removed, for instance under legal warrant.

We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

Group Inside Signature (GIS) is a signature scheme that allows the signer to designate his signature to be verified by a group of people. Members other than the designated group cannot verify the signature generated by the signer. In Broadcast Group Oriented Signature (BGOS), a user from one group can designate his signature to be verified by members of another group. An Adaptable Designated Group Signature (ADGS), is one in which an user can designate his signature to be verified by a selected set of members who are from different groups. The two GIS schemes [5], [6] and the BGOS scheme [7], we consider are certificateless schemes and the ADGS scheme [8] which we consider here is an identity based scheme. In this paper, we present the cryptanalysis of all the four schemes that appeared in [5], [6], [7] and [8]. We also present a new identity based ADGS (N-ADGS) scheme and prove its security in the random oracle model. The existing model described in [8] for ADGS did not consider unlinkability which is one of the key properties required for ADGS.We provide the security model for unlinkability and also prove our scheme is unlinkable.

A Zero-knowledge protocol provides provably secure entity authentication based on a hard computational problem. Among many schemes proposed since 1984, the most practical rely on factoring and discrete log, but still they are practical schemes based on NP-hard problems. Among them, the problem SD of decoding linear codes is in spite of some 30 years of research effort, still exponential. We study a more general problem called MinRank that generalizes SD and contains also other well known hard problems. MinRank is also used in cryptanalysis of several public key cryptosystems such as birational schemes (Crypto'93), HFE (Crypto'99), GPT cryptosystem (Eurocrypt'91), TTM (Asiacrypt'2000) and Chen's authentication scheme (1996). We propose a new Zero-knowledge scheme based on MinRank. We prove it to be Zero-knowledge by black-box simulation. An adversary able to fraud for a given MinRank instance is either able to solve it, or is able to compute a collision on a given hash function. MinRank is one of the most efficient schemes based on NP-complete problems. It can be used to prove in Zero-knowledge a solution to any problem described by multivariate equations. We also present a version with a public key shared by a few users, that allows anonymous group signatures (a.k.a. ring signatures).

Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely "ad-hoc" and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and give separation results proving that our new notions are strictly stronger than previous ones. Second, we show the first constructions of ring signature schemes in the standard model. One scheme is based on generic assumptions and satisfies our strongest definitions of security. Two additional schemes are more efficient, but achieve weaker security guarantees and more limited functionality.

We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.

We propose a dynamic accumulator scheme from bilinear pairings, whose security is based on the Strong Diffie-Hellman assumption. We show applications of this accumulator in constructing an identitybased (ID-based) ring signature scheme with constant-size signatures and its interactive counterpart, and providing membership revocation to group signature, traceable signature and identity escrow schemes and anonymous credential systems. The ID-based ring signature scheme and the group signature scheme have extremely short signature sizes. The size of our group signatures with membership revocation is only half the size of the well-known ACJT00 scheme, which does not provide membership revocation. The schemes do not require trapdoor, so system parameters can be shared by multiple groups belonging to different organizations. All schemes proposed are provably secure in formal models. We generalize the definition of accumulators to model a wider range of practical accumulators. We provide formal models for ID-based ad-hoc anonymous identification schemes and identity escrow schemes with membership revocation, based on existing ones.

We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.

A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal functionality is appealing because a mechanism that is indistinguishable from an ideal functionality is therefore guaranteed secure in any larger system that uses it. We relate ideal functionalities to games by defining the set of ideal functionalities associated with a game condition and show that under this definition, which reflects accepted use and known examples, bit commitment, a form of group signatures, and some other cryptographic concepts do not have any realizable ideal functionality.

Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's (1987) and Pedersen's (1992) schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity

In many applications, it is desirable to work with signatures that are both short, and yet where many messages from different signers be verified very quickly. RSA signatures satisfy the latter condition, but are generally thousands of bits in length. Recent developments in pairingbased cryptography produced a number of "short" signatures which provide equivalent security in a fraction of the space. Unfortunately, verifying these signatures is computationally intensive due to the expensive pairing operation. In an attempt to simultaneously achieve "short and fast" signatures, Camenisch, Hohenberger and Pedersen (Eurocrypt 2007) showed how to batch verify two pairing-based schemes so that the total number of pairings was independent of the number of signatures to verify.