An Efficient Group Signature Based on the Discrete Logarithm Problem

Fuw-Yi Yang and Jinn-Ke Jan*

Department of Applied Mathematics, National Chung Hsing University, Taichung 402, Taiwan, R.O.C., Email: [email protected]
* Department of Computer Science, National Chung Hsing University, Taichung 402, Taiwan, R.O.C., Email: [email protected]
Abstract

Group signature schemes permit a group member to sign messages anonymously and unlinkably on behalf of a group. The anonymity can be revoked when a dispute arises. This paper proposes an efficient group signature scheme based on the discrete logarithm problem, which means that no trapdoor functions are used in the setting of the cryptographic parameters. Both the group public key and the signature have fixed length. The signing procedure requires only 9 modular multi-exponentiations to generate a signature, and the verifying procedure only 5 to verify one. It is more efficient than previous schemes based on the same cryptographic assumption.
1. Introduction

Group signature schemes grant a group member the authority to sign messages on behalf of the group. Only the group's public key is required to verify the validity of a signature. Thus the signer conceals his identity from the verifiers: the group member signs a message anonymously. All signatures generated by the group members are indistinguishable; no one can link a particular signature to a certain group member.

1.1. Related work

Since D. Chaum and E. van Heyst [10] proposed the group signature scheme in 1991, much research has been published in this field [1-2, 5-8, 11]. The schemes in [5, 10-11] have the undesired property that either the size of the signature or the size of the group's public key depends on the number of group members. As a consequence, these schemes are not suitable for large or growing groups. This undesired property is removed in the schemes in [8], which have fixed-size private and public keys. Based on the strong RSA assumption [15], the schemes in [1, 6-7] also remedy it and have a more efficient implementation than [8]: the computational cost is about 13,000 multiplications modulo a 1,200-bit modulus to generate a signature, and the signature size is about 1 K bytes. Scheme [2] is the first group signature scheme that uses no trapdoor functions. The scheme operates in several groups, some of them of unknown order, which complicates the implementation [2, 4]. Its signature size (about 3.4 K bytes for a 1024-bit modulus), signing cost (about 50 modular exponentiations) and verification cost (about 39 modular exponentiations) are quite inefficient compared with the schemes in [1, 6-8]. Its inefficiency aside, schemes that use no trapdoor functions have features that schemes with trapdoor functions lack. Since there are no trapdoors, several organizations can share the same public parameters without worrying about their privacy. Designing the interfaces for message exchange and system interaction between organizations becomes simple, and the cost of system development may be lower than for systems that use trapdoor functions.

1.2. Our contributions

In this paper we propose a practical group signature scheme based on the discrete logarithm problem. The proposed scheme is more efficient than the schemes in [1-2, 5-8]. The length of the group public key and the size of a signature are 7,680 bits and 6,816 bits respectively, independent of the number of group members. Group members can sign messages anonymously, and the signatures they construct are unlinkable. In case of mistrust, a group manager can reveal the identity of the signer and show that the signer produced the signature. The signing algorithm requires 9 modular multi-exponentiations and the verifying procedure 5 modular multi-exponentiations; both are more efficient than the scheme in [2].

1.3. Organization

Section 2 describes the building blocks used in the paper. The proposed scheme is described in Section 3. Section 4 discusses its security properties. Finally, Section 5 concludes the paper.
2. Building blocks

The following cryptographic primitives are used in our scheme: the ElGamal public-key cryptosystem [12], the message-recovery signature scheme of [16], and the signature of knowledge of a discrete logarithm [9, 13-14, 18-20]. For convenience, we briefly describe them below. Assume that $p$ is a large prime such that $(p - 1)$ is divisible by another large prime $q$, and that $g \in Z_p^*$ is an element of order $q$. $m \in Z_p$ is the message to be encrypted or signed. A user $U$ has a private key $x \in Z_q^*$ and the corresponding public key $y = g^x \bmod p$. $H()$ is a collision-free hash function that maps an arbitrary bit string to a bit string of fixed length $k$, e.g., $k = 160$.

2.1 ElGamal public-key cryptosystem

If somebody wants to send a message $m$ to user $U$, he sends the ciphertext $(C_1, C_2)$ to $U$, where

$C_1 = g^a \bmod p$, $a \in_R Z_q^*$, $C_2 = m y^a \bmod p$.

($a \in_R G$ denotes that $a$ is selected randomly from the set $G$.) User $U$ recovers the message $m$ by computing $m = C_2 / (C_1)^x \bmod p$.

2.2 Signature with message recovery

The signature scheme in [16] gives receivers the ability to recover the message from any received signature. It is essentially an extension of the ElGamal digital signature scheme [12]. The signed message is embedded in the resulting signature $(r, s)$, so a verifier can get the message back. There are many variants of message-recovery signature in [16]; we describe only the scheme of type 3 and refer the reader to the original paper for the other types.

$r = m g^{-k} \bmod p$, $k \in_R Z_q^*$
$s = k - r x \bmod q$

A verifier recovers the message by the following verification equation:

$m = r g^s y^r \bmod p$.
2.3 Signature of knowledge of a discrete logarithm

A signature scheme can be transformed from an honest-verifier zero-knowledge identification protocol in which the prover shows that he knows the secret key used to identify himself, i.e., all the square roots of a set of quadratic residues (mod $n$) [13-14], the factors of a composite number $n$ [18], or the discrete logarithm of the public key $y$ [8-9, 19-20]. In the following we show the signature schemes used in [8], which are based on the Schnorr signature scheme [19]. Let $SK_m$ denote the signature of user $U$ on the message $m$. (The symbol $||$ denotes string concatenation.)

$SK_m = [(x) : y = g^x](m) = (c, s)$
$c = H(m \,||\, g \,||\, y \,||\, g^r)$, $r \in_R Z_q^*$
$s = r - c x \bmod q$

The validity of the signature $SK_m$ is verified by the equation

$c = H(m \,||\, g \,||\, y \,||\, g^s y^c)$.

The scheme can be extended to show that the signer knows two discrete logarithms simultaneously [9]. Let $h \in Z_p$ be an element of order $q$, $z = h^v \bmod p$, $v \in Z_q^*$.

$SK_m = [(x, v) : y = g^x \wedge z = h^v](m) = (c, s_x, s_v)$
$c = H(m \,||\, g \,||\, h \,||\, y \,||\, z \,||\, g^{r_x} \,||\, h^{r_v})$, $r_x, r_v \in_R Z_q^*$
$s_x = r_x - c x \bmod q$, $s_v = r_v - c v \bmod q$

The validity of the signature $SK_m$ is verified by the equation

$c = H(m \,||\, g \,||\, h \,||\, y \,||\, z \,||\, g^{s_x} y^c \,||\, h^{s_v} z^c)$.
3. Proposed scheme

The group membership manager, the revocation manager and the group members are the participants in a group signature scheme. The group membership manager sets up the system and issues membership certificates. The group revocation manager is responsible for opening signatures (removing anonymity). Group members sign messages on behalf of the group by means of their membership certificates. The proposed scheme consists of five procedures: system setup, joining the group, signing messages, verifying signatures, and opening signatures. These procedures are described below.

3.1 System setup

To set up the system, the group membership manager generates large primes $\hat{p}$, $p$ and $q$ such that $\hat{p} = 2p + 1$ and $p = 2q + 1$. Let $\hat{h} \in Z_{\hat{p}}^*$ be an element of order $p$, and let $h_R, h_G, g \in Z_p^*$ be elements of order $q$. The discrete logarithms of $h_R$ to the bases $h_G$ and $g$, of $h_G$ to the bases $h_R$ and $g$, and of $g$ to the bases $h_R$ and $h_G$ are unknown. $H$ is a collision-resistant hash function, $H : \{0, 1\}^* \to \{0, 1\}^k$. After generating these cryptographic parameters, the group membership manager selects his secret key $x_G$ randomly from $Z_q^*$ and computes his public key $y_G = h_G^{x_G} \bmod p$. In the same way, the revocation manager has his secret key $x_R$ and public key $y_R$. The group membership manager can now publish $\{\hat{p}, p, q, \hat{h}, g, h_G, h_R, y_G, y_R\}$ as the system-wide parameters. These parameters are 7,680 bits long in total (assuming that the bit length of $q$ is 512 bits and that the parameters $p$ and $\hat{p}$ are derived from $q$).

3.2 Joining the group

Assume that a legitimate user $U$ wants to join the group (i.e., $U$ applies for a membership certificate). In order to prove his identity to the group membership manager, he must first obtain a certificate $CERT_{TA,U}$ from some trusted certification authority. Then user $U$ randomly selects $x_U$ from $Z_q^*$ as his secret key and computes his public key $y_U = g^{x_U} \bmod p$. User $U$ also constructs a proof $SK_U$, which proves to the group membership manager that $U$ knows the discrete logarithm of $y_U$ without revealing the secret $x_U$. $CERT_{TA,U}$ and $SK_U$ are as follows:

$CERT_{TA,U} = \{ID_U, PK_U, Sig_{TA}(ID_U, PK_U)\}$
$SK_U = SK[x_U : y_U = g^{x_U}](y_U, ID_U, PK_U) = (c, s)$

$ID_U$ denotes the identity of $U$, and $PK_U$ is user $U$'s public key issued by the trusted certification authority. User $U$ sends $CERT_{TA,U}$, $SK_U$ and $SIG_U$ (user $U$'s signature on $CERT_{TA,U}$ and $SK_U$) to the group membership manager. After verifying the validity of $CERT_{TA,U}$, $SK_U$ and $SIG_U$, the group membership manager issues a membership certificate $(r, s)$ to user $U$. The group membership manager also records $CERT_{TA,U}$, $SK_U$, $(r, s)$ and $SIG_U$ in the membership database; in case of a dispute, querying the database reveals the signer's identity. To construct the membership certificate $(r, s)$ for $ID_U$, the group membership manager signs $y_U$. We use the type-3 message-recovery signature scheme (other types are also applicable to our scheme), since no inverse operations are required in either the signing or the verifying algorithm. The membership manager computes $r$ and $s$ as follows:

$r = y_U h_G^k \bmod p$, $k \in_R Z_q^*$
$s = -k - r \cdot x_G \bmod q$

To verify the validity of the membership certificate $(r, s)$, user $U$ checks whether the following equation holds:

$y_U = r \cdot h_G^s h_G^{x_G r} = r \cdot h_G^s y_G^r \bmod p$.
This signature scheme is vulnerable to the following attack: if $(r, s)$ is a signature on $y_U$, then for any chosen $e \in Z_q$, $(r, s + e)$ is a valid signature on the message $y_U \cdot h_G^e$. Since the discrete logarithm of $h_G$ to the base $g$ and that of $g$ to the base $h_G$ are unknown, a forger is not able to compute the discrete logarithm of $y_U \cdot h_G^e$. The scheme benefits from the predefined format of $y_U$: an adversary cannot counterfeit the signature. To increase the resistance to forgery, the group membership manager may demand that the member's public key be of the form $y_U = g^{x_{U1}} + g_1^{x_{U2}}$, where the discrete logarithm of $g_1$ to the base $g$ is unknown. This protects the signature scheme against the homomorphism attack.

3.3 Signing messages

Equipped with the membership certificate $(r, s)$ and $x_U$ (the discrete logarithm of the public key $y_U$), user $U$ can sign messages on behalf of the group anonymously and unlinkably. To sign anonymously, the public key $y_U$ must be in encrypted form. To enable the revocation manager to remove the anonymity of a signature, $y_U$ is encrypted under the revocation manager's public key $y_R$. To achieve unlinkability, we also need to blind $h_G^s$. We show below how to encrypt $y_U$, how to decrypt the ciphertext to $y_U$, and how to blind $h_G^s$.

Encryption: $C_1 = h_R^a \bmod p$, $C_2 = y_U y_R^a \bmod p$, $a \in_R Z_q^*$
Decryption: $y_U = C_2 / C_1^{x_R} \bmod p$
Blinding $h_G^s$: $C_3 = g^{-a} h_G^s \bmod p$

User $U$ must prove to the verifiers that $(C_1, C_2)$ decrypts to $y_U$, that $s$ is committed to in the commitment $C_3$, and that he is an eligible member of the group. This is shown by proving that the message recovered from the membership certificate $(r, s)$ is identical to the message decrypted from $(C_1, C_2)$. Hence we have the following equations:

$C_2 = g^{x_U} y_R^a = r h_G^s y_G^r y_R^a = r C_3 g^a y_G^r y_R^a = r C_3 W \bmod p$   (1)
$W = g^a y_G^r y_R^a \bmod p$   (2)

Thus user $U$'s signature on the message $m$ is $SK_m$, the proof of knowledge of equations (1) and (2):

$SK_m = SK[(a, r, s, x_U) : C_1 = h_R^a \wedge C_2 = y_U y_R^a \wedge C_3 = g^{-a} h_G^s \wedge W = g^a y_G^r y_R^a \wedge C_2 = r C_3 W](m)$
$\quad = SK[(a, r, s, x_U) : C_1 = h_R^a \wedge C_2 = g^{x_U} y_R^a \wedge C_3 = g^{-a} h_G^s \wedge W = g^a y_G^r y_R^a \wedge \hat{h}^{C_2 / C_3 W} = \hat{h}^r](m)$
$\quad = (c, s_a, s_r, s_s, s_x)$   (3)

where $c = H(M \,||\, h_R^{r_a} \,||\, g^{r_x} y_R^{r_a} \,||\, g^{-r_a} h_G^{r_s} \,||\, g^{r_a} y_G^{r_r} y_R^{r_a} \,||\, \hat{h}^{r_r})$,
$M = m \,||\, g \,||\, h_G \,||\, h_R \,||\, \hat{h} \,||\, y_G \,||\, y_R \,||\, C_1 \,||\, C_2 \,||\, C_3 \,||\, W$, $r_a, r_s, r_x \in_R Z_q^*$, $r_r \in_R Z_p^*$,
$s_a = r_a - c a \bmod q$, $s_r = r_r - c r \bmod p$, $s_s = r_s - c s \bmod q$, $s_x = r_x - c x_U \bmod q$.
The signing procedure requires 9 modular multi-exponentiations (around 13,163 multiplications modulo a 1024-bit modulus). The group signature consists of the tuple $(C_1, C_2, C_3, W, c, s_a, s_r, s_s, s_x)$ and is 6,816 bits long. Compared with the schemes in [1-2, 6-8], our scheme is the most efficient implementation. In equation (3), $C_1 = h_R^a$ and $C_2 = g^{x_U} y_R^a$ confirm that user $U$ encrypts $y_U$ under the public key $y_R$ and that he knows the discrete logarithm of $y_U$. The term $C_3 = g^{-a} h_G^s$ verifies that $s$ is committed to in $C_3$, and the term $C_2 = r C_3 W$ shows that the encrypted message is exactly the message recovered from the membership certificate. Therefore $SK_m$ proves to the verifiers that the signer is a legitimate member, i.e., the revocation manager can disclose the signer who constructed the signature $SK_m$, the signer knows the discrete logarithm of the public key $y_U$, and the signer has a membership certificate for $y_U$.

3.4 Verifying signatures

To check that a given group signature $(C_1, C_2, C_3, W, c, s_a, s_r, s_s, s_x)$ is valid, a verifier checks whether the following equation holds:

$c = H(M \,||\, h_R^{s_a} C_1^c \,||\, g^{s_x} y_R^{s_a} C_2^c \,||\, g^{-s_a} h_G^{s_s} C_3^c \,||\, g^{s_a} y_G^{s_r} y_R^{s_a} W^c \,||\, \hat{h}^{s_r} \hat{h}^{c C_2 / C_3 W})$   (4)

The verifying procedure requires 5 modular multi-exponentiations.

3.5 Opening signatures

Given a group signature $S = (C_1, C_2, C_3, W, c, s_a, s_r, s_s, s_x)$, the revocation manager can reveal the signer's public key $y_U$ (when a dispute arises and the group membership manager asks for it) by computing $y_U = C_2 / C_1^{x_R} \bmod p$. The revocation manager also generates the signature $SK_R$, which proves the correctness of the opening of the signature $S$:

$SK_R = [(x_R) : y_R = h_R^{x_R} \wedge C_2 / y_U = C_1^{x_R}](m)$

Having $y_U$, the group membership manager can find the signer's identity by searching the membership database. $SK_R$ and $SK_m$ prove that user $U$ constructed the signature $S$.
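As an added worked example (not code from the paper), the following Python instantiates Sections 3.2 to 3.5 with constructed toy parameters ($q = 11$, $p = 23$, $\hat{p} = 47$): certificate issue and verification, the $(r, s + e)$ remark of Section 3.2, signing, verification by equation (4), and opening. SHA-256 stands in for $H$, and because the response $s_r$ must verify against both $y_G$ (order $q$) and $\hat{h}$ (order $p$), this example draws $r_r$ and reduces $s_r$ modulo $p \cdot q$ (the paper writes mod $p$); that choice is this example's own.

```python
import hashlib
from secrets import randbelow

# Toy parameters, constructed for illustration only: p = 2q+1, p_hat = 2p+1.
# Real deployments need q of at least 512 bits (the paper's own sizing).
q, p, p_hat = 11, 23, 47
g, hG, hR = 2, 3, 13        # order-q elements of Z_p^* (quadratic residues mod 23)
h_hat = 2                   # order-p element of Z_{p_hat}^*
xG, xR = 5, 7               # membership manager / revocation manager secret keys
yG, yR = pow(hG, xG, p), pow(hR, xR, p)

def H(*parts):
    """The paper's H(a || b || ...), instantiated here with SHA-256 (assumption)."""
    data = "||".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(yU):
    """3.2: the manager signs yU with the type-3 message-recovery scheme of 2.2."""
    k = 1 + randbelow(q - 1)
    r = yU * pow(hG, k, p) % p
    return r, (-k - r * xG) % q

def verify_certificate(yU, r, s):
    """Recover yU = r * hG^s * yG^r mod p and compare with the claimed key."""
    return yU == r * pow(hG, s, p) * pow(yG, r, p) % p

def shifted_certificate(r, s, e):
    """3.2 remark: (r, s+e) verifies for yU * hG^e, which is why yU needs a fixed format."""
    return r, (s + e) % q

def sign(m, xU, r, s):
    """3.3: group signature (C1, C2, C3, W, c, sa, sr, ss, sx) on message m."""
    a = 1 + randbelow(q - 1)
    C1, C2 = pow(hR, a, p), pow(g, xU, p) * pow(yR, a, p) % p   # ElGamal of yU under yR
    C3 = pow(g, -a, p) * pow(hG, s, p) % p                        # blinded hG^s
    W = pow(g, a, p) * pow(yG, r, p) * pow(yR, a, p) % p          # makes C2 = r * C3 * W
    ra, rs, rx = (1 + randbelow(q - 1) for _ in range(3))
    rr = 1 + randbelow(p * q - 1)     # assumption: drawn modulo p*q, see lead-in
    M = (m, g, hG, hR, h_hat, yG, yR, C1, C2, C3, W)
    c = H(*M, pow(hR, ra, p), pow(g, rx, p) * pow(yR, ra, p) % p,
          pow(g, -ra, p) * pow(hG, rs, p) % p,
          pow(g, ra, p) * pow(yG, rr, p) * pow(yR, ra, p) % p, pow(h_hat, rr, p_hat))
    sa, ss, sx = (ra - c * a) % q, (rs - c * s) % q, (rx - c * xU) % q
    sr = (rr - c * r) % (p * q)       # assumption: reduced modulo p*q, see lead-in
    return C1, C2, C3, W, c, sa, sr, ss, sx

def verify(m, sig):
    """3.4: rebuild the five commitments from the responses and check the hash (eq. 4)."""
    C1, C2, C3, W, c, sa, sr, ss, sx = sig
    M = (m, g, hG, hR, h_hat, yG, yR, C1, C2, C3, W)
    r_rec = C2 * pow(C3 * W, -1, p) % p       # C2 / (C3 W) mod p, equals r if honest
    return c == H(*M, pow(hR, sa, p) * pow(C1, c, p) % p,
                  pow(g, sx, p) * pow(yR, sa, p) * pow(C2, c, p) % p,
                  pow(g, -sa, p) * pow(hG, ss, p) * pow(C3, c, p) % p,
                  pow(g, sa, p) * pow(yG, sr, p) * pow(yR, sa, p) * pow(W, c, p) % p,
                  pow(h_hat, sr, p_hat) * pow(h_hat, c * r_rec, p_hat) % p_hat)

def open_signature(sig):
    """3.5: the revocation manager recovers yU = C2 / C1^xR mod p."""
    C1, C2 = sig[0], sig[1]
    return C2 * pow(C1, -xR, p) % p
```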
4. Security analysis

A secure group signature scheme should satisfy several security properties; we examine the security of our scheme according to the requirements stated in [6].

Unforgeability: In the random oracle model of [3], signature schemes transformed from an honest-verifier zero-knowledge identification protocol have been proved resistant to adaptively chosen message attacks [17]. The proposed scheme thus satisfies unforgeability.

Anonymity: For a given group signature $S = (C_1, C_2, C_3, W, c, s_a, s_r, s_s, s_x)$, $C_3$ and $W$ are blinded by a random number and thus distributed uniformly in $Z_p$. The tuple $(c, s_a, s_r, s_s, s_x)$ is a probabilistic signature with uniform probability distribution [13]; all of the signer-dependent parameters $(y_U, r, s)$ are treated as secret and are not revealed to the verifier. Revealing the signer's identity $y_U$ from $(C_1, C_2)$ amounts to breaking the ElGamal cryptosystem. Therefore a signer can sign messages anonymously.

Unlinkability: Given a group signature $S = (C_1, C_2, C_3, W, c, s_a, s_r, s_s, s_x)$, all of its items are distributed uniformly in their respective groups. Therefore all group signatures are indistinguishable, and as a consequence the signatures produced by the group members are unlinkable.

No framing: A group signature proves to the verifiers that the signer knows the discrete logarithm of the signer's public key $y_U$ and the corresponding group membership certificate. The signer keeps both of them secret. Even the group membership manager who issued the group membership certificate to the signer has no knowledge of the discrete logarithm of $y_U$ unless he can solve the discrete logarithm problem. Thus no one can sign on the signer's behalf.

Traceability: The group revocation manager is able to open any valid group signature and construct a proof of the correctness of the opening, as shown in Section 3.5. Having obtained the signer's public key $y_U$ from the revocation manager, the group membership manager can reveal the owner of $y_U$ by searching the membership database.
5. Conclusions

We have proposed an efficient “group signature scheme without trapdoor functions”. The proposed scheme satisfies all the requirements of unforgeability, anonymity, unlinkability, no framing and traceability. The scheme in [1] has recently suggested another security property for group signature schemes, coalition resistance, which means that a subset of the group members cannot collude to generate a valid group signature such that the group membership manager cannot identify one of them. Among the schemes in [1-2, 5-8, 10-11], only the scheme in [1] provides this property. Our further study will be a secure coalition-resistant group signature scheme without trapdoor functions.
References

[1] Ateniese, G., Camenisch, J., Joye, M., and Tsudik, G., “A practical and provably secure coalition-resistant group signature scheme”, Advances in Cryptology - CRYPTO 2000, LNCS Vol. ?, pp. 255-270, Springer-Verlag, 2000.
[2] Ateniese, G. and Medeiros, B., “Efficient group signatures without trapdoors”, Advances in Cryptology - ASIACRYPT 2003, LNCS Vol. 2894, pp. 246-268, Springer-Verlag, 2003.
[3] Bellare, M. and Rogaway, P., “Random oracles are practical: a paradigm for designing efficient protocols”, Proc. of the 1st ACM Conference on Computer and Communications Security CCS'93, ACM Press, pp. 62-73, 1993.
[4] Boudot, F., “Efficient proofs that a committed number lies in an interval”, Advances in Cryptology - EUROCRYPT 2000, LNCS Vol. 1807, pp. 431-444, Springer-Verlag, 2000.
[5] Camenisch, J., “Efficient and generalized group signatures”, Advances in Cryptology - EUROCRYPT'97, LNCS Vol. 1233, pp. 465-479, Springer-Verlag, 1997.
[6] Camenisch, J. and Michels, M., “A group signature scheme with improved efficiency”, Advances in Cryptology - ASIACRYPT'98, LNCS Vol. 1514, pp. 160-174, Springer-Verlag, 1998.
[7] Camenisch, J. and Michels, M., “A group signature scheme based on an RSA-variant”, Technical Report RS-98-27, BRICS, University of Aarhus, November 1998.
[8] Camenisch, J. and Stadler, M., “Efficient group signature schemes for large groups”, Advances in Cryptology - CRYPTO'97, LNCS Vol. 1296, pp. 410-424, Springer-Verlag, 1997.
[9] Chaum, D., Evertse, J. H., and van de Graaf, J., “An improved protocol for demonstrating possession of discrete logarithms and some generalizations”, Advances in Cryptology - EUROCRYPT'87, LNCS Vol. 304, pp. 127-141, Springer-Verlag, 1988.
[10] Chaum, D. and van Heyst, E., “Group signatures”, Advances in Cryptology - EUROCRYPT'91, LNCS Vol. 547, pp. 257-265, Springer-Verlag, 1991.
[11] Chen, L. and Pedersen, T. P., “New group signature schemes”, Advances in Cryptology - EUROCRYPT'94, LNCS Vol. 950, pp. 171-181, Springer-Verlag, 1995.
[12] ElGamal, T., “A public key cryptosystem and a signature scheme based on discrete logarithms”, IEEE Trans. Inform. Theory, Vol. IT-31, No. 4, pp. 469-472, 1985.
[13] Fiat, A. and Shamir, A., “How to prove yourself: Practical solutions to identification and signature problems”, Advances in Cryptology - CRYPTO'86, LNCS Vol. 263, pp. 186-194, Springer-Verlag, 1987.
[14] Feige, U., Fiat, A., and Shamir, A., “Zero-knowledge proofs of identity”, Journal of Cryptology, Vol. 1, pp. 77-94, 1988.
[15] Fujisaki, E. and Okamoto, T., “Statistical zero knowledge protocols to prove modular polynomial relations”, Advances in Cryptology - CRYPTO'97, LNCS Vol. 1294, pp. 16-30, Springer-Verlag, 1997.
[16] Nyberg, K. and Rueppel, R. A., “Message recovery for signature schemes based on the discrete logarithm problem”, Designs, Codes and Cryptography, Vol. 7, pp. 61-81, 1996.
[17] Pointcheval, D. and Stern, J., “Security proofs for signature schemes”, Advances in Cryptology - EUROCRYPT'96, LNCS Vol. 1070, pp. 387-398, Springer-Verlag, 1996.
[18] Poupard, G. and Stern, J., “On the fly signatures based on factoring”, Proc. of the 6th ACM Conference on Computer and Communications Security CCS'99, ACM Press, pp. 37-45, 1999.
[19] Schnorr, C. P., “Efficient signature generation by smart cards”, Journal of Cryptology, Vol. 4, pp. 161-174, 1991.
[20] Stadler, M., “Publicly verifiable secret sharing”, Advances in Cryptology - EUROCRYPT'96, LNCS Vol. 1070, pp. 190-199, Springer-Verlag, 1996.