

5.2 Preliminaries

5.2.2 Building Blocks

Our group undeniable signature scheme employs signatures of knowledge as building blocks. Based on the DL and representation problem assumptions, all the signatures of knowledge used can be shown to be simulatable and existentially unforgeable against adaptively chosen message attacks in the random oracle model [38, 184]. Simulatability means that the distribution of the strings that can be efficiently generated without knowledge of the secret signing key is indistinguishable from the distribution of the actual signatures. Existential unforgeability against adaptively chosen message attacks means that an adversary cannot produce a new message-signature pair even if he can obtain signatures on messages of his choice.

We now introduce some notation used in this chapter. Assume G = ⟨g⟩ is a cyclic group of order M, where M is the product of two large primes. The parameters M, G, and g are chosen such that computing discrete logarithms in G to the base g is infeasible. In addition, computing roots in Z_M is also infeasible without knowing the factorization of M. We denote by Greek letters the elements whose knowledge is to be proved and by all other letters the elements that are publicly known. Denote by ‖ the concatenation of two strings and by ∧ the logical conjunction.

Let H : {0, 1}* → {0, 1}^ℓ (ℓ ≈ 160) be a collision-resistant hash function throughout the chapter. A signature of knowledge is said to be correct if it passes the associated verification procedure. In the following we describe the signatures of knowledge used in our scheme.

Signatures of Knowledge of Discrete Logarithms and Representations. Note that the algebraic setting in the current chapter is slightly different from that in Section 3.4.4. In particular, the order M of G is the product of two large primes, and the signer does not know the value M. We present how the two signatures of knowledge SKDL and SKREP described in Section 3.4.4 must be adapted so that they remain secure in the random oracle model, i.e., so that the corresponding interactive protocols remain honest-verifier zero-knowledge proofs of knowledge.

First consider the case M = q_1 q_2, where q_1 and q_2 are two large primes. Because the order M is not prime, the challenge c must be smaller than both prime factors of M, i.e., an upper bound 2^ℓ on the challenge c is needed. This prevents the difference of two random challenges from being congruent to 0 modulo one of the prime factors of M; otherwise the knowledge extractor would fail to find a witness. An example of an upper bound is ℓ = 0.4 log₂(M), assuming that q_1 and q_2 each have ≈ 0.5 log₂(M) bits.

On the other hand, c must not be too small, i.e., |c| must be polynomial in the input length; otherwise the success probability of the knowledge extractor would be too small.

The other case to consider is that the order M is unknown. If the challenge c

Anyone can verify the signature by checking

c = H(m ‖ g_1 ‖ … ‖ g_k ‖ y_1 ‖ … ‖ y_w ‖ J_1 ‖ … ‖ J_w ‖ {e_ij}_{i=1,…,k; j∈J_i}

Signatures of Knowledge of a Root of a Discrete Logarithm

Such signatures prove knowledge of an e-th root of the discrete logarithm of a public key. An e-th root of the discrete logarithm of y ∈ G to the base g is an integer x satisfying

g^{x^e} = y,

if such an x exists. When the order M of G is known, the signature described in the following definition works for all exponents e but is not very efficient. For small exponents e, even if M is unknown, one can construct more efficient signatures, which are presented later. Let c[i] denote the i-th bit of a string, counting from the right-hand end.

Definition 5.2.1. Let k ≤ ℓ be a security parameter. A (k + 1)-tuple (c, s_1, …, s_k) ∈ {0, 1}^ℓ × (Z_M)^k satisfying

c = H(m ‖ y ‖ g ‖ e ‖ t_1 ‖ … ‖ t_k), where

t_i = g^{s_i^e} if c[i] = 0, and t_i = y^{s_i^e} if c[i] = 1,

is a signature of the message m ∈ {0, 1}* based on a proof of knowledge of an e-th root of the discrete logarithm of y to the base g, and is denoted by

SKRDLM[α : y = g^{α^e}](m).

Such a signature can be computed if values M and α satisfying y = g^{α^e} are known. One first chooses r_i ∈_R Z_M and then computes

c = H(m ‖ y ‖ g ‖ e ‖ g^{r_1^e} ‖ ⋯ ‖ g^{r_k^e}),

s_i = r_i if c[i] = 0, and s_i = r_i / α mod M otherwise.

One can verify the signature by checking whether

c = H(m ‖ y ‖ g ‖ e ‖ t_1 ‖ ⋯ ‖ t_k)

with t_i = g^{s_i^e} if c[i] = 0, and t_i = y^{s_i^e} if c[i] = 1.

Lemma 5.2.7. The identification protocol corresponding to SKRDLM is honest-verifier zero-knowledge and a proof of knowledge of an e-th root of the discrete logarithm of y with respect to the base g.

Proof. (sketch) Proof of knowledge: The proof is analogous to that of Schnorr's identification protocol. We only show how an α with y = g^{α^e} can be computed from two different views having the same commitments. Without loss of generality we assume that the j-th bits of c and c̃ differ and that c[j] = 0. Then we have

t_j = g^{s_j^e} = y^{s̃_j^e} = g^{α^e s̃_j^e}, and thus

α = s_j / s̃_j mod M,

because all s_j's and s̃_j's are relatively prime to M.

Honest-verifier zero-knowledge: The simulator can be constructed in the obvious way.
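As an added worked example (not code from the thesis), the following Python script instantiates SKRDLM from Definition 5.2.1 in a toy group: it constructs a prime p with M = q_1 q_2 dividing p − 1 and an element g of order M, signs and verifies with SHA-256 (truncated to k bits) standing in for H, and runs the knowledge extractor from the proof of Lemma 5.2.7 on two views with the same commitments. The parameter sizes (17-bit primes), the byte encoding fed to the hash, and all function names are this example's own assumptions, so it shows the mechanics only.

```python
import hashlib
import math
import secrets

# Toy instantiation of SKRDLM (Definition 5.2.1). Constructed parameters, orders of
# magnitude too small for real use: the chapter's "large primes" are 17-bit here.

def is_prime(n):
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

Q1 = next_prime(1 << 16)   # q_1
Q2 = next_prime(Q1 + 1)    # q_2, distinct from q_1
M = Q1 * Q2                # group order M = q_1 q_2
K = 16                     # challenge bits: 2^K < min(q_1, q_2), the bound from Section 5.2.2
E = 3                      # exponent e

def find_group():
    """Return (p, g) with p prime, M | p-1, and g of order exactly M in Z_p^*."""
    p = 1
    while True:
        p += M
        if is_prime(p):
            break
    for h in range(2, p):
        g = pow(h, (p - 1) // M, p)
        if g != 1 and pow(g, Q1, p) != 1 and pow(g, Q2, p) != 1:
            return p, g

P, G = find_group()

def bit(c, i):
    """c[i]: the i-th bit of c counting from the right-hand end, i = 1..K."""
    return (c >> (i - 1)) & 1

def challenge(m, y, e, ts):
    """c = H(m || y || g || e || t_1 || ... || t_k); SHA-256 truncated to K bits stands in
    for H, and the decimal-string encoding is this example's assumption."""
    data = "||".join(str(x) for x in (m, y, G, e, *ts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << K)

def random_unit():
    """Uniform element of Z_M coprime to M (the lemma assumes the s_j are units mod M)."""
    while True:
        r = secrets.randbelow(M)
        if math.gcd(r, M) == 1:
            return r

def keygen():
    """Secret alpha and public y = g^(alpha^e)."""
    alpha = random_unit()
    return alpha, pow(G, pow(alpha, E, M), P)

def commit():
    """Fresh r_i and the commitments t_i = g^(r_i^e)."""
    rs = [random_unit() for _ in range(K)]
    return rs, [pow(G, pow(r, E, M), P) for r in rs]

def respond(alpha, rs, c):
    """s_i = r_i if c[i] = 0, else r_i / alpha mod M."""
    inv = pow(alpha, -1, M)
    return [r if bit(c, i) == 0 else r * inv % M for i, r in enumerate(rs, 1)]

def sign(m, alpha, y, e=E):
    rs, ts = commit()
    c = challenge(m, y, e, ts)
    return c, respond(alpha, rs, c)

def verify(m, y, sig, e=E):
    """Recompute t_i = g^(s_i^e) or y^(s_i^e) according to c[i] and re-derive the challenge."""
    c, ss = sig
    if len(ss) != K:
        return False
    ts = [pow(G if bit(c, i) == 0 else y, pow(s, e, M), P) for i, s in enumerate(ss, 1)]
    return c == challenge(m, y, e, ts)

def extract(sig1, sig2):
    """Knowledge extractor of Lemma 5.2.7: from two accepting responses to different challenges
    on the same commitments, alpha = s_j / s~_j mod M at a position j where c[j] = 0, c~[j] = 1."""
    (c1, s1), (c2, s2) = sig1, sig2
    for j in range(1, K + 1):
        if bit(c1, j) == 0 and bit(c2, j) == 1:
            return s1[j - 1] * pow(s2[j - 1], -1, M) % M
        if bit(c1, j) == 1 and bit(c2, j) == 0:
            return s2[j - 1] * pow(s1[j - 1], -1, M) % M
    return None  # identical challenges: nothing to extract

def randomness_reuse_demo(alpha, y):
    """The extractor's two 'views' made concrete: answering two different challenges with the
    same commitments r_i reveals alpha to anyone holding both signatures."""
    rs, ts = commit()
    c1 = challenge("message one", y, E, ts)
    sig1 = (c1, respond(alpha, rs, c1))
    n = 0
    while True:
        c2 = challenge(f"message two #{n}", y, E, ts)
        if c2 != c1:
            break
        n += 1
    sig2 = (c2, respond(alpha, rs, c2))
    return extract(sig1, sig2)
```

`randomness_reuse_demo` is the reason the r_i are drawn fresh for every signature: the same argument that proves the protocol is a proof of knowledge turns a signer who reuses commitments into a key leak. The example also keeps 2^k below both q_1 and q_2 (k = 16 against 17-bit primes), the bound discussed above, so that the division s_j / s̃_j in the extractor is always defined.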

For small exponents e, one can construct a more efficient signature of knowledge of an e-th root of a discrete logarithm even though the order M of G is unknown.

Assume that h ∈ G is another generator of G whose discrete logarithm to the base g is unknown. We first introduce the following signature.

Definition 5.2.2. An (e − 1)-tuple (v_1, …, v_{e−1}) ∈ G^{e−1} and a signature

SKREP[(γ_1, γ_2, …, γ_e, δ) : v_1 = h^{γ_1} g^δ ∧ v_2 = h^{γ_2} v_1^δ ∧ ⋯ ∧ v_{e−1} = h^{γ_{e−1}} v_{e−2}^δ ∧ v = h^{γ_e} v_{e−1}^δ](m)

is a signature of the message m ∈ {0, 1}* based on a proof of knowledge of an e-th root of the g-part of a representation of v to the bases h and g. It is denoted by

SKRREP[(α, β) : v = h^α g^{β^e}](m).

Such a signature can be computed efficiently if values α, β satisfying v = h^α g^{β^e} are known. Let b = 2^{|M|} − 1 be public. One first computes the values v_i = h^{r_i} g^{β^i} for i = 1, …, e − 1 with randomly chosen r_i ∈_R {0, …, b}. As r_i ∈_R {0, …, 2^{|M|} − 1}, the values v_i are random elements of G. Furthermore, because of the equations v_i = h^{r_i} g^{β^i} and v = h^α g^{β^e}, we can set γ_1 = r_1, γ_i = r_i − β r_{i−1} for i = 2, …, e − 1, γ_e = α − β r_{e−1}, and δ = β. Thus SKREP can be derived.
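To make the witness derivation concrete, here is an added Python example (not the thesis's code) that, given α, β and a small e, computes the auxiliary values v_1, …, v_{e−1} as above, derives (γ_1, …, γ_e, δ), and checks every conjunct of the SKREP statement in Definition 5.2.2 as a group equation. It uses the multiplicative group modulo the Fermat prime 65537 with the fixed elements g = 3 and h = 5 purely for the arithmetic; that group has known order, so the script exercises the algebra of the derivation, not the unknown-order setting. All names are this example's assumptions.

```python
import secrets

# Constructed toy group for the algebra of Definition 5.2.2: Z_p^* with p = 65537 (a Fermat
# prime). In the scheme h must have an unknown discrete logarithm to the base g; here g and h
# are just two fixed elements, since only the group identities are being checked.
P = 65537
G, H = 3, 5
BITS = 16   # plays the role of |M|, so b = 2^|M| - 1 = 65535

def public_value(alpha, beta, e):
    """v = h^alpha g^(beta^e)."""
    return pow(H, alpha, P) * pow(G, beta ** e, P) % P

def skrrep_witness(alpha, beta, e):
    """From alpha, beta with v = h^alpha g^(beta^e), build v_1..v_{e-1} and the SKREP
    witness (gamma_1, ..., gamma_e, delta) exactly as derived in Section 5.2.2."""
    if e < 2:
        raise ValueError("e must be at least 2")
    b = (1 << BITS) - 1
    rs = [secrets.randbelow(b + 1) for _ in range(e - 1)]   # r_i in {0, ..., b}
    # v_i = h^{r_i} g^{beta^i} for i = 1..e-1
    vs = [pow(H, r, P) * pow(G, beta ** (i + 1), P) % P for i, r in enumerate(rs)]
    gammas = [rs[0]]                                              # gamma_1 = r_1
    gammas += [rs[i] - beta * rs[i - 1] for i in range(1, e - 1)]  # gamma_i = r_i - beta r_{i-1}
    gammas.append(alpha - beta * rs[e - 2])                       # gamma_e = alpha - beta r_{e-1}
    return vs, gammas, beta                                       # delta = beta

def check_chain(v, vs, gammas, delta, e):
    """Check v_1 = h^{gamma_1} g^delta, v_i = h^{gamma_i} v_{i-1}^delta (i = 2..e-1) and
    v = h^{gamma_e} v_{e-1}^delta. A negative gamma is legal: pow(H, -n, P) is the inverse of H^n."""
    if len(vs) != e - 1 or len(gammas) != e:
        return False
    prev = G
    for i in range(e - 1):
        if vs[i] != pow(H, gammas[i], P) * pow(prev, delta, P) % P:
            return False
        prev = vs[i]
    return v == pow(H, gammas[e - 1], P) * pow(prev, delta, P) % P
```

The γ_i can be negative when β r_{i−1} exceeds r_i; the verifier's equations still hold because a negative exponent simply denotes the inverse element, which is what three-argument `pow` computes. Once `check_chain` passes, the prover holds a valid witness for the SKREP statement and the actual signature of knowledge can be produced with the SKREP construction of Section 3.4.4.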

Using SKRREP, we now construct a more efficient signature of knowledge of an e-th root of a discrete logarithm for small exponents e.

Definition 5.2.3. A signature

SKRREP[(α, β) : y = h^α g^{β^e}](m)

and a signature

SKDL[γ : y = g^γ](m)

together form a signature of the message m ∈ {0, 1}* based on a proof of knowledge of the e-th root of the discrete logarithm of y to the base g. It is denoted by

SKRDL[α : y = g^{α^e}](m).

With the secret x, the signer knows a representation (0, x^e) of y = h^0 g^{x^e} to the bases h and g. This implies α = 0, β = x, and γ = x^e, and the two underlying signatures can be calculated. To verify SKRDL, one checks the correctness of the two components.

5.3 Proposed Scheme