A group signature scheme in the generic group model
Rémi Clarisse (joint work with Olivier Sanders)
CARAMBA seminar – January 13th, 2020
IRMAR – Univ. de Rennes
Orange Labs – Cesson-Sévigné
Table of contents
1. Building blocks
2. Introduction to group signatures
3. PS signatures
4. FHS signatures
5. Our construction
6. Comparison
Building blocks
Public Key Encryption
Public key encryption scheme
• $\Gamma.\mathsf{Keygen}(1^\lambda) \to [sk, pk]$
• $\Gamma.\mathsf{Encrypt}(pk, m) \to c$
• $\Gamma.\mathsf{Decrypt}(sk, c) \to \{m, \bot\}$
IND-CCA2 security
indistinguishability under adaptive chosen ciphertext attacks
IND-CCA2
Challenger: [sk, pk]
Adversary: pk
1. Challenger → Adversary: pk
2. Adversary → Challenger: $\{c\}$; Challenger → Adversary: $\{m = \mathsf{Decrypt}(c)\}$; the adversary now holds $(\{m\}, \{c\})$
3. Adversary → Challenger: $m_0, m_1$; Challenger draws $b \leftarrow \{0, 1\}$ and returns $c^* = \mathsf{Encrypt}(m_b)$
4. Adversary → Challenger: $\{c' \neq c^*\}$; Challenger → Adversary: $\{m' = \mathsf{Decrypt}(c')\}$; the adversary now holds $(\{m'\}, \{c'\})$
5. Adversary → Challenger: $b^*$; is $b^* = b$?
Digital Signature
Digital signature scheme
• $\Sigma.\mathsf{Setup}(1^\lambda) \to pp$
• $\Sigma.\mathsf{Keygen}(pp) \to [sk, pk]$
• $\Sigma.\mathsf{Sign}(sk, m) \to \sigma$
• $\Sigma.\mathsf{Verify}(pk, m, \sigma) \to \{0, 1\}$
EUF-CMA security [GMR88]
existential unforgeability under chosen message attacks
EUF-CMA [GMR88]
Challenger: [sk, pk]
Adversary: pk
1. Challenger → Adversary: pk
2. Adversary → Challenger: $\{m\}$; Challenger → Adversary: $\{\sigma = \mathsf{Sign}(m)\}$; the adversary now holds $(\{m\}, \{\sigma\})$
3. Adversary → Challenger: $m^* \neq m$, $\sigma^*$; is $\mathsf{Verify}(m^*, \sigma^*) = 1$?
Zero-knowledge proof of knowledge
ZK proof of knowledge
Completeness: if the statement is true, an honest verifier will be
convinced by an honest prover
Soundness: if the statement is false, no cheating prover can
convince an honest verifier
Zero-knowledge: if the statement is true, no verifier learns
anything other than the fact that the statement is
true
Schnorr identification protocol (HVZK) [Sch90]
Prover: secret $x$
Verifier: public $y = g^x$
1. Prover picks random $r$ and sends the commitment $z = g^r$
2. Verifier picks random $c$ and sends the challenge $c$
3. Prover sends the answer $t = r + cx$
4. Verifier checks whether $g^t = z y^c$
Fiat-Shamir transform of Schnorr protocol (NIZK) [FS87]
Prover: secret $x$
Verifier: public $y = g^x$
1. Prover computes the commit $z = g^r$, the challenge $c = H(g, y, z)$ and the answer $t = r + cx$
2. Prover sends $z, t$
3. Verifier computes $c$ and checks whether $g^t = z y^c$
Signature of knowledge (SoK)
Prover: message $m$, secret $x$
Verifier: message $m$, public $y = g^x$
1. Prover computes the commit $z = g^r$, the challenge $c = H(g, y, z, m)$ and the answer $t = r + cx$
2. Prover sends $z, t$
3. Verifier computes $c$ and checks whether $g^t = z y^c$
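The signature of knowledge above, with the Fiat-Shamir NIZK as its empty-message case, as an added Python example (not code from the talk). The demo group of order 2^127 - 1, SHA-256 as H and all function names are assumptions; `extract_witness` is the knowledge extractor behind soundness and shows why the nonce r must never be reused.

```python
import hashlib
import secrets

def _is_probable_prime(n):
    """Miller-Rabin with fixed small-prime bases (enough for demo parameters)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Demo group (assumption, not from the slides): subgroup of prime order
# Q = 2^127 - 1 inside Z_P^*, with P = K*Q + 1 the first such prime.
Q = 2**127 - 1
K = next(k for k in range(2, 10**6, 2) if _is_probable_prime(k * Q + 1))
P = K * Q + 1
G = next(g for g in (pow(h, K, P) for h in range(2, 100)) if g != 1)

def challenge(y, z, m):
    """c = H(g, y, z, m) in Z_Q; m = b"" gives the plain Fiat-Shamir NIZK."""
    n = (P.bit_length() + 7) // 8            # fixed-width encoding of g, y, z
    data = b"".join(v.to_bytes(n, "big") for v in (G, y, z)) + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1         # secret x in [1, Q-1]
    return x, pow(G, x, P)                   # public y = g^x

def sok_sign(x, m, r=None):
    """Commit z = g^r, derive c, answer t = r + c*x. r is only a parameter so
    the nonce-reuse failure can be reproduced; normally it is drawn fresh."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    z = pow(G, r, P)
    c = challenge(pow(G, x, P), z, m)
    return z, (r + c * x) % Q

def sok_verify(y, m, sig):
    z, t = sig
    # Reject values outside the order-Q subgroup before using them.
    if not (0 < z < P and 0 <= t < Q and pow(z, Q, P) == 1):
        return False
    return pow(G, t, P) == z * pow(y, challenge(y, z, m), P) % P

def extract_witness(y, m1, sig1, m2, sig2):
    """Knowledge extractor from the soundness argument: two accepting
    transcripts with one commitment z and different challenges give x."""
    (z1, t1), (z2, t2) = sig1, sig2
    c1, c2 = challenge(y, z1, m1), challenge(y, z2, m2)
    if z1 != z2 or c1 == c2:
        return None
    return (t1 - t2) * pow((c1 - c2) % Q, -1, Q) % Q
```
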
Bilinear pairing [GPS08]
$G_1 = \langle g \rangle$, $G_2 = \langle g \rangle$ and $G_T$ groups of order $\ell$
map $e : G_1 \times G_2 \to G_T$
Bilinear: $e(g^a, g^b) = e(g, g)^{ab}$
Non-degenerate: $e(g, g) \neq 1_{G_T}$
Computable: computable by a polynomial time algorithm
type-3: no easily computable isomorphism between $G_1$ and $G_2$ in either direction
Introduction to group signatures
Idea: sketch [BSZ05]
Group Members: [sk, pk, usk]
Non-member
Group Manager: [gsk, gpk]
Opening Authority: [osk, opk]
Idea: security model [BMW03]
Correctness: each group member can produce a valid signature
Anonymity: a valid signature cannot be tied to its issuer
Traceability: a valid signature must have been produced by a group member and its anonymity can be lifted
Non-frameability: no group member can be falsely accused of having produced a signature
Joining the group
Group Member: [sk, pk]
Group Manager: [gsk, gpk]
Interactive protocol
Group Member: get certificate $\tau$/usk on id
Group Manager: register user
SEP framework [BMW03]
Sign: $\sigma \leftarrow \Sigma.\mathsf{Sign}_{sk}(m)$
Encrypt: $c \leftarrow \Gamma.\mathsf{Encrypt}_{opk}(\sigma, \tau, pk)$
Prove: NIZK proof $\pi$ that everything is well formed
Signature on $m$ is $(c, \pi)$
Bichsel et al. [BCN+10]
Remove encryption
• Randomize certificate $\tau'$
• SoK $\pi$ on $m$ that $\tau'$ certifies user
Signature on $m$ is $(\tau', \pi)$
PS signatures
Randomizable signature
PS signature [PS16]
• $\Sigma.\mathsf{Setup}(1^\lambda) \to pp$
$pp = (G_1 = \langle g \rangle, G_2 = \langle g \rangle, G_T, e, X = g^x, X = g^x)$
• $\Sigma.\mathsf{Keygen}(pp) \to [sk = g^y, pk = g^y]$
• $\Sigma.\mathsf{Sign}(sk, m) \to (\sigma_1 = g^r, \sigma_2 = X^r (sk)^{rm})$
• $\Sigma.\mathsf{Verify}(pk, m, \sigma) \to$ is $e(\sigma_1, X (pk)^m) = e(\sigma_2, g)$?
Same verification equation holds for $(\sigma_1^s, \sigma_2^s)$
A variant of PS signatures
Remember $sk = g^y$
$\Sigma.\mathsf{Sign}(g^y, m) \to (\sigma_1 = g^r, \sigma_2 = X^{r/m} g^{yr})$
“Remove” $X^{r/m}$, then $(\sigma_1, \sigma_2) = (g^r, g^{yr})$ in same “projective equivalence-class” as $(g, g^y)$
FHS signatures
FHS signature on equivalence-class
Equivalence relation on $G_1 \times G_1$
$(m_1, m_2) \sim (n_1, n_2) \iff \exists r$ scalar, $(m_1, m_2) = (n_1^r, n_2^r)$
FHS signature scheme [FHS19]
• $\Sigma.\mathsf{Setup}(1^\lambda) \to (G_1 = \langle g \rangle, G_2 = \langle g \rangle, G_T, e)$
• $\Sigma.\mathsf{Keygen}(pp) \to [sk, pk]$
$sk = (\alpha_1, \alpha_2)$ scalars, $pk = (A_1, A_2) = (g^{\alpha_1}, g^{\alpha_2})$
• $\Sigma.\mathsf{Sign}(sk, (m_1, m_2)) \to (\tau_1, \tau_2, \tau)$
$\tau_1 = (m_1^{\alpha_1} m_2^{\alpha_2})^t$, $\tau_2 = g^{1/t}$, $\tau = g^{1/t}$
• $\Sigma.\mathsf{Verify}(pk, (m_1, m_2), (\tau_1, \tau_2, \tau)) \to$ are
$e(\tau_1, \tau) = e(m_1, A_1) e(m_2, A_2)$ and $e(\tau_2, g) = e(g, \tau)$?
Randomizing FHS signatures
Reminder:
• $\Sigma.\mathsf{Sign}(sk, (m_1, m_2)) \to (\tau_1, \tau_2, \tau)$
$\tau_1 = (m_1^{\alpha_1} m_2^{\alpha_2})^t$, $\tau_2 = g^{1/t}$, $\tau = g^{1/t}$
• $\Sigma.\mathsf{Verify}(pk, (m_1, m_2), (\tau_1, \tau_2, \tau)) \to$ are
$e(\tau_1, \tau) = e(m_1, A_1) e(m_2, A_2)$ and $e(\tau_2, g) = e(g, \tau)$?
Pick $(m_1^r, m_2^r) \sim (m_1, m_2)$ and a random scalar $t'$:
$(\tau_1, \tau_2, \tau)$ signs $(m_1, m_2) \Rightarrow (\tau_1^{rt'}, \tau_2^{1/t'}, \tau^{1/t'})$ signs $(m_1^r, m_2^r)$
Our construction
Intuition: combining PS and FHS signatures
$\Sigma_{vPS}.\mathsf{Sign}(g^y, m) \to (\sigma_1, \sigma_2) = (g^r, X^{r/m} g^{yr})$
• remove $X^{r/m}$: multiply $\sigma_2$ by $X^{-r/m}$
• so $(\sigma_1, X^{-r/m} \sigma_2) \sim (g, g^y)$
• choose certificate to be a FHS signature on $(g, g^y)$
$\Sigma_{FHS}.\mathsf{Sign}(gsk, (g, g^y)) \to (\tau_1, \tau_2, \tau)$
Equations $\Sigma_{FHS}.\mathsf{Verify}(gpk, (g^r, g^{yr}), (\tau_1^r, \tau_2, \tau))$ are
$e(\tau_1, \tau) = e(g^r, A_1) e(g^{yr}, A_2)$ and $e(\tau_2, g) = e(g, \tau)$
on the public key $(A_1, A_2) = (g^{\alpha_1}, g^{\alpha_2})$
Intuition: combining PS and FHS signatures
How to really remove $X^{r/m}$ from $(\sigma_1, \sigma_2) = (g^r, X^{r/m} g^{yr})$?
$e(\tau_1, \tau) = e(g^r, A_1) e(g^{yr}, A_2)$
$= e(\sigma_1, A_1) e(\sigma_2 X^{-r/m}, A_2)$
$= e(\sigma_1, A_1) e(\sigma_2, A_2) e(g^{-rx/m}, A_2)$
$= e(\sigma_1, A_1) e(\sigma_2, A_2) e(\sigma_1, B^{-1/m})$
Add $B = X^{\alpha_2}$ to FHS public key from the PS one
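Our group signature scheme [CS18]
• $\mathsf{Setup}(1^\lambda) \to pp$ (type-3 pairing and $X$, $X$)
• $\mathsf{GKeygen}(pp) \to [gsk, gpk]$
$gsk = (\alpha_1, \alpha_2)$ scalars, $gpk = (A_1, A_2, B) = (g^{\alpha_1}, g^{\alpha_2}, X^{\alpha_2})$
• upon joining, user gets $(\tau_1, \tau_2, \tau)$ certifying $(g, g^y)$: set their group signing key to $usk = (\tau_1, \tau_2, \tau, g^y)$
• Group Manager keeps $\mathsf{Encrypt}_{opk}(g^y)$
• $\mathsf{Sign}(usk, m) \to (\tau_1', \tau_2', \tau', \sigma_1, \sigma_2)$
$(\tau_1', \tau_2', \tau') = (\tau_1^{rs}, \tau_2^{1/s}, \tau^{1/s})$ and $(\sigma_1, \sigma_2) = (g^r, X^{r/m} g^{yr})$
• $\mathsf{Verify}(gpk, m, (\tau_1', \tau_2', \tau', \sigma_1, \sigma_2))$ checks whether
$e(\tau_1', \tau') = e(\sigma_1, A_1 B^{-1/m}) e(\sigma_2, A_2)$ and $e(\tau_2', g) = e(g, \tau')$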
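An added check of the scheme above, not code from the talk or from [CS18]: every group element is stored as its discrete logarithm, so the pairing becomes a product of exponents. This confirms the two verification equations and the randomization algebra and is not a secure implementation. The class `El`, the function names, the name `gt` for the generator of G2 and the order 2^127 - 1 are assumptions; which group each element lives in is read off from its argument position in the pairing equations.

```python
import secrets
from dataclasses import dataclass

ELL = 2**127 - 1          # prime group order (assumption: demo value)

@dataclass(frozen=True)
class El:
    """Group element stored as its discrete log; NOT secure, algebra only."""
    grp: str               # "G1", "G2" or "GT"
    log: int
    def __mul__(self, other):
        assert self.grp == other.grp, "cannot multiply across groups"
        return El(self.grp, (self.log + other.log) % ELL)
    def __pow__(self, k):
        return El(self.grp, self.log * k % ELL)

def e(a, b):
    """Type-3 pairing G1 x G2 -> GT: e(g^a, gt^b) = e(g, gt)^(ab)."""
    assert (a.grp, b.grp) == ("G1", "G2"), "pairing takes (G1, G2)"
    return El("GT", a.log * b.log % ELL)

g, gt = El("G1", 1), El("G2", 1)      # generators of G1 and G2

def rnd():
    return secrets.randbelow(ELL - 1) + 1     # random non-zero scalar

def inv(k):
    return pow(k % ELL, -1, ELL)              # 1/k mod ELL

def setup():
    x = rnd()
    return g ** x, gt ** x                    # pp: X in G1 and X in G2

def gkeygen(pp):
    a1, a2 = rnd(), rnd()
    return (a1, a2), (gt ** a1, gt ** a2, pp[1] ** a2)   # gsk, gpk=(A1,A2,B)

def join(gsk, gy):
    """Manager certifies (g, g^y) with an FHS signature (tau1, tau2, tau)."""
    a1, a2 = gsk
    t = rnd()
    tau1 = (g ** a1 * gy ** a2) ** t
    return tau1, g ** inv(t), gt ** inv(t), gy           # usk

def sign(pp, usk, m):
    """m is a non-zero scalar; certificate and PS part share the same r."""
    tau1, tau2, tau, gy = usk
    r, s = rnd(), rnd()
    cert = (tau1 ** (r * s), tau2 ** inv(s), tau ** inv(s))
    sigma = (g ** r, pp[0] ** (r * inv(m)) * gy ** r)
    return cert + sigma

def verify(gpk, m, sig):
    A1, A2, B = gpk
    t1, t2, t, s1, s2 = sig
    return (e(t1, t) == e(s1, A1 * B ** (-inv(m))) * e(s2, A2)
            and e(t2, gt) == e(g, t))
```
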
Comparison
Comparison with other schemes

| Scheme | Size | Cost | GS model | Anonymity |
|---|---|---|---|---|
| [BCN+10] | 1664 | $3\,e_1 + 1\,e_T$ | BMW | selfless |
| [PS16] | 1280 | $2\,e_1 + 1\,e_T$ | BMW | selfless |
| [DS18] | 2816 | $5\,e_1 + 1\,e_2$ | BSZ | CPA |
| [DS18]* | 4608 | $5\,e_1 + 6\,e_2$ | BSZ | full |
| [BHK+18] | 4992 | $9\,e_1 + 2\,e_2$ | BMW | full |
| Ours | 2304 | $5\,e_1 + 1\,e_2$ | BSZ | CPA & selfless |
| Ours* | 2304 | $5\,e_1 + 1\,e_2$ | BMW | full |

Table 1: Efficiency and security comparisons (see [CS18])
Thank you for your attention!
References
[BCN+10] Patrik Bichsel, Jan Camenisch, Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. “Get Shorty via Group Signatures without Encryption”. In: SCN 10. Ed. by Juan A. Garay and Roberto De Prisco. Vol. 6280. LNCS. Springer, Heidelberg, Sept. 2010, pp. 381–398. doi: 10.1007/978-3-642-15317-4_24.
[BHK+18] Michael Backes, Lucjan Hanzlik, Kamil Kluczniak, and Jonas Schneider. “Signatures with Flexible Public Key: Introducing Equivalence Classes for Public Keys”. In: ASIACRYPT 2018, Part II. Ed. by Thomas Peyrin and Steven Galbraith. Vol. 11273. LNCS. Springer, Heidelberg, Dec. 2018, pp. 405–434. doi: 10.1007/978-3-030-03329-3_14.
[BMW03] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. “Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions”. In: EUROCRYPT 2003. Ed. by Eli Biham. Vol. 2656. LNCS. Springer, Heidelberg, May 2003, pp. 614–629. doi: 10.1007/3-540-39200-9_38.
[BSZ05] Mihir Bellare, Haixia Shi, and Chong Zhang. “Foundations of Group Signatures: The Case of Dynamic Groups”. In: CT-RSA 2005. Ed. by Alfred Menezes. Vol. 3376. LNCS. Springer, Heidelberg, Feb. 2005, pp. 136–153. doi: 10.1007/978-3-540-30574-3_11.
[CS18] Rémi Clarisse and Olivier Sanders. Short Group Signature without Random Oracles. Cryptology ePrint Archive, Report 2018/1115. https://eprint.iacr.org/2018/1115. 2018.
[DS18] David Derler and Daniel Slamanig. “Highly-Efficient Fully-Anonymous Dynamic Group Signatures”. In: ASIACCS 18. Ed. by Jong Kim, Gail-Joon Ahn, Seungjoo Kim, Yongdae Kim, Javier Lopez, and Taesoo Kim. ACM Press, Apr. 2018, pp. 551–565.
[FHS19] Georg Fuchsbauer, Christian Hanser, and Daniel Slamanig. “Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials”. In: Journal of Cryptology 32.2 (Apr. 2019), pp. 498–546. doi: 10.1007/s00145-018-9281-4.
Freepik. All avatars icons made by Freepik from www.flaticon.com. https://www.flaticon.com/authors/freepik.
[FS87] Amos Fiat and Adi Shamir. “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”. In: CRYPTO’86. Ed. by Andrew M. Odlyzko. Vol. 263. LNCS. Springer, Heidelberg, Aug. 1987, pp. 186–194. doi: 10.1007/3-540-47721-7_12.
[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. “A Digital Signature Scheme Secure Against Adaptive Chosen-message Attacks”. In: SIAM Journal on Computing 17.2 (Apr. 1988), pp. 281–308.
[GPS08] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. “Pairings for cryptographers”. In: Discrete Applied Mathematics 156.16 (2008), pp. 3113–3121. doi: 10.1016/j.dam.2007.12.010. url: https://doi.org/10.1016/j.dam.2007.12.010.
[PS16] David Pointcheval and Olivier Sanders. “Short Randomizable Signatures”. In: CT-RSA 2016. Ed. by Kazue Sako. Vol. 9610. LNCS. Springer, Heidelberg, Feb. 2016, pp. 111–126. doi: 10.1007/978-3-319-29485-8_7.
[Sch90] Claus-Peter Schnorr. “Efficient Identification and Signatures for Smart Cards”. In: CRYPTO’89. Ed. by Gilles Brassard. Vol. 435. LNCS. Springer, Heidelberg, Aug. 1990, pp. 239–252. doi: 10.1007/0-387-34805-0_22.