Realization of the Proposed Scheme

We now describe the details of the proposed scheme in the following.

System Setup

The group manager computes the following values to obtain the group secret key and the group public key.

• n = p₁p₂, where both p_i = 2q_i+ 1 and q_i are primes for i = 1, 2.

• An RSA public key (q1q2, eR) and secret key dR.

• Integer g ∈ Z^∗_n with ord_ng = q₁q₂.

• f = g^r1, u = g^r2, t = u^a, S_b = g^b, where r₁, r₂, a, b ∈_R Z^∗_q1q2, and all arithmetics are modulo n.

• e, d ∈ Z^∗_q1q2 such that ed ≡ 1 (mod q₁q₂).

• S_d= f^d mod n.

It is important that n be chosen such that factoring n and solving the DL problem in Z^∗_n are intractable. By Fact 2.2.24, we can obtain g with order q₁q₂. By Fact 2.2.10(1), the orders of f, u, t, Sb, and Sd are all q1q2. The group manager keeps (a, b, d, e, dR, p1, p2) as the group secret key and publishes (g, f, u, t, eR, Sd, Sb, n) as the group public key.

Join

When user i wants to join the group, he chooses a secret key y_i ∈_RZ_n and computes his membership key z_i = g^yi mod n. We assume that gcd(y_i, q₁q₂) = 1. User i sends z_i to the group manager and proves to the group manager that she knows the discrete logarithm of zi without revealing yi (see [43, 98] for the protocol). Next the group manager picks ci ∈ Z^∗_q1q2 such that (zig^ci)^q1 6≡ 1 (mod n) and (zig^ci)^q2 6≡ 1 (mod n).

Lemma 5.2.2 shows that gcd(y_i+c_i, q₁q₂) = 1, and by Lemma 5.2.3 c_i can be obtained by testing at most three consecutive integers. Then the group manager computes user i’s membership certificate as (x_i, v_i, w_i), where

x_i = g^ci mod n,

v_i = (c_i+ b)^dR mod q₁q₂, wi = (zixi)^dmod n,

and sends (x_i, v_i, w_i) to user i. Note that

wi = (zixi)^dmod n = (g^yi+ci)^dmod n. (5.1) The 4-tuple (y_i, x_i, v_i, w_i) is called a valid signing key. It is important to note that the group manager must choose distinct c_i’s for different joining users and must not reveal c_i to anybody. Fact 2.2.10(1) implies ord(z_i) = ord(x_i) = ord(w_i) = q₁q₂.

Sign

Given a message m, user i can generate signature S by computing the following values:

• ˆg = g^r mod n for r ∈_RZ_n (assume gcd(r, q₁q₂) = 1).

• Z₀ = S_b^r mod n.

• Z1 = ˆg^yi mod n.

• Z₂ = x^r_i mod n.

• A₁ = g^yiu^r mod n.

• A₂ = t^r mod n.

• S₀ = SKREP [ (α, β) : ˆg = g^β mod n ∧ Z₀ = S_b^β mod n ∧ Z₁ = ˆg^α mod n ∧ A₁ = g^αu^β mod n ∧ A₂ = t^β mod n ](m).

• S1 = SKRDL[ γ : Z2Z0 ≡ ˆg^γeR (mod n) ](m).

• S₂ = w_i^r mod n.

User i’s group undeniable signature for m is

S = (ˆg, Z₀, Z₁, Z₂, A₁, A₂, S₀, S₁, S₂).

Note that Z₂Z₀ ≡ ˆg^ciˆg^b ≡ ˆg^ci+b (mod n), Z₁Z₂ ≡ ˆg^yi+ci (mod n) and

S2 ≡ w_i^r≡ ((g^yi+ci)^d)^r ≡ ((ˆg)^yi+ci)^d≡ (Z1Z2)^d (mod n). (5.2) Because gcd(y_i+ c_i, q₁q₂) = 1 and gcd(d, q₁q₂) = 1, the orders of Z₁Z₂ and S₂ are q₁q₂ by Fact 2.2.10(1). In addition, the orders of ˆg, Z₀, Z₁, Z₂, A₂ are also q₁q₂. We call

S a valid group undeniable signature if S₀ and S₁ are correct and S₂ = (Z₁Z₂)^d mod n. Obviously, if S is generated using a valid signing key, then S is a valid group undeniable signature.

We briefly explain what roles some of the elements in S play. First, S₀ proves that the same random number r is used in the computation of ˆg, Z₀, A₁, and A₂, and that the same exponent y ∈ Z is used in Z₁ = ˆg^y mod n and A₁ = g^yu^r mod n. S₁ proves that user i knows the knowledge of an e_R-th root of the discrete logarithm of Z2Z0 to base ˆg. Finally, the verifier must interact with the group manager to verify whether S2 = (Z1Z2)^dmod n via the signature confirmation and denial protocols.

Signature Confirmation Protocol

A signature confirmation protocol is an interactive protocol between the group man-ager and the verifier whereby the group manman-ager can convince the verifier that the signature is valid. However, the group manager cannot deceive the verifier into ac-cepting an invalid signature as valid except with a very small probability. In the following, we denote by P the group manager and by V the verifier. In the signature confirmation protocol, common inputs to P and V include the message m, the group public key, and the alleged signature S. The secret input to P is the group secret key.

To be convinced that S is valid, V first verifies S₀ and S₁. If either is incorrect, then V recognizes that S is invalid. Otherwise, P and V perform the following steps:

Step 1: V chooses e₁, e₂ ∈_R Z_n and computes A = S₂^e1S_d^e2 mod n. Then V sends A to P.

Step 2: P computes B = A^emod n and sends B to V.

Step 3: V verifies whether B = (Z₁Z₂)^e1f^e2 mod n. If the equality holds, then V accepts S as a valid signature for m.

In the following, we first show that V accepts valid signatures. We then show that P cannot make V accept invalid signatures as valid except with a very small probability.

Theorem 5.3.1. If S is a valid group undeniable signature, then the verifier will accept S as a valid signature.

Proof. S₀ and S₁ must be correct. Because S₂ = (Z₁Z₂)^d mod n, we have B ≡ A^e≡ ((S₂)^e1(S_d)^e2)^e ≡ (Z₁Z₂)^e1f^e2 (mod n).

Theorem 5.3.2. If S is not a valid group undeniable signature, then the verifier will accept S as a valid signature with probability ≤ 1/(q₁q₂).

Proof. If either S0 or S1 is incorrect, the verifier recognizes S as invalid. Now suppose S₀ and S₁ are correct. Because S is invalid, S₂ 6= (Z₁Z₂)^d mod n. P can make V accept the signature S only if P can find a B such that

B = (Z₁Z₂)^e1f^e2 mod n (5.3)

A = S₂^e1S_d^e2 mod n. (5.4)

As the order of f is q₁q₂, we let A = fⁱ, B = f^j, S₂ = f^k, and Z₁Z₂ = f<sup>`</sup>, where 0 ≤ i, j, k, ` < q₁q₂ and all arithmetics are modulo n. Recall S_d = f^dmod n. From Eqs. (5.3) and (5.4), we have

j ≡ `e₁+ e₂ (mod q₁q₂), i ≡ ke₁+ de₂ (mod q₁q₂).

As f^k 6≡ f<sup>`d</sup> (mod n), we have k 6≡ `d (mod q₁q₂) and the linear equations have a unique solution for (e1, e2) for 0 ≤ e1, e2 < q1q2.

Because the orders of S₂ and S_d are q₁q₂, there are q₁q₂ pairs (e₁, e₂) for 0 ≤ e_,e₂ < q₁q₂ satisfying Eq. (5.4). P cannot identify which among them was used to compute A by V. In addition, because the orders of Z₁Z₂ and f are q₁q₂, each of these possible q₁q₂ pairs (e₁, e₂) corresponds to a different j and hence B. Consequently, the probability that P will give V the correct B is 1/(q₁q₂).

In order to state the protocol clearly, the above steps omit the zero-knowledge part.

However, there are well-known techniques [27, 106, 108] to add the zero-knowledge property to the above protocol as follows. Instead of P sending B in Step 2, he sends

a commitment of B to V using a commitment scheme [27, 168], after which V reveals to P the values of e1 and e2. After checking that B ≡ (Z1Z2)^e1f^e2 (mod n), P sends B to V. V checks that B corresponds to the value committed by P and then performs the test of Step 3. In this way, if V knows e₁ and e₂, he can compute B. Hence, the zero-knowledge property is achieved through the following two characteristics of the commitment scheme: (1) It is infeasible for V to derive B from the commitment of B, and (2) P cannot find B⁰ such that B⁰ and B have the same commitment.

Signature Denial Protocol

A signature denial protocol allows P to convince V of the fact that an invalid signature is indeed invalid. However, P cannot make V believe that a valid signature is invalid except with a very small probability. In the denial protocol, the common inputs to P and V include two system global constants C₁ and C₂, the message m, the group public key, and the alleged signature S. The secret input to P is the group secret key.

We now present how P can make V accept an invalid signature S as invalid. V starts by checking S0and S1. If either is incorrect, then V recognizes that S is invalid.

Otherwise, P and V repeat the following steps C2 times.

Step 1: V chooses e₁ ∈_R Z_C1, e₂ ∈_R Z_n and computes D₁ = (Z₁Z₂)^e1f^e2 mod n and D₂ = S₂^e1S_d^e2 mod n. Then V sends D₁ and D₂ to P.

Step 2: P finds B such that D1/D^e₂ ≡ (Z1Z2/S₂^e)^B (mod n) by trying B = 0, 1, . . . , C1− 1 and sends B to V.

Step 3: V checks whether B = e₁. If the equality holds, then V is convinced that S is invalid.

If V is convinced of S’s invalidity C2 times, V will accept S as invalid. It is noteworthy that P performs O(C₁C₂) operations.

The protocol satisfies the following two properties. First, P can convince V of the fact that an invalid signature is indeed invalid. Second, P cannot fool V into accepting a valid signature as invalid except with a small probability.

Theorem 5.3.3. If S is not a valid group undeniable signature, then the verifier will accept S as an invalid signature.

Proof. If S0 or S1 is incorrect, the verifier will recognize S as an invalid signature.

Suppose S₀ and S₁ are both correct. Because S is invalid, S₂ 6= (Z₁Z₂)^d mod n and therefore S₂^e 6≡ Z₁Z₂ (mod n). As D₁/D₂^e ≡ ((Z₁Z₂)^e1f^e2)/(S₂^e1S_d^e2)^e ≡ (Z₁Z₂/S₂^e)^e1 (mod n), P can always find the required e₁ as B. So V will accept S as an invalid signature.

Theorem 5.3.4. If S is a valid group undeniable signature, then the verifier will accept S as an invalid signature with probability 1/C₁^C2.

Proof. Because S is valid, S0 and S1 are correct and S2 = (Z1Z2)^dmod n. There-fore S₂^e ≡ Z₁Z₂ (mod n). As D₁/D₂^e ≡ ((Z₁Z₂)^e1f^e2)/(S₂^e1S_d^e2)^e ≡ (Z₁Z₂/S₂^e)^e1 ≡ (Z₁Z₂/(Z₁Z₂)^de)^e1 ≡ 1 (mod n), P will guess e₁ correctly with probability 1/C₁ in each round. So V will accept S as an invalid signature with probability 1/C₁^C2.

For simplicity the above protocol omits the zero-knowledge part. We can add the zero-knowledge property to the above protocol as follows: Instead of P sending B in Step 2, he sends a commitment of B to V using a commitment scheme [27, 168], after which V reveals to P the value of e₁. After checking that B = e₁, P sends B to V. V checks that B corresponds to the value committed by P and then performs the test of Step 3. Consequently, the zero-knowledge property is achieved as explained in the signature confirmation protocol.

Open

Given a valid signature S, the group manager can compute A₁A^−(a₂ ^{−1mod q1q2)}mod n, which equals

(g^yiu^r)((u^a)^r)^{−(a−1mod q1q2)} mod n = g^yi mod n.

The signer with the membership key z_i = g^yi mod n can be traced.

Conversion

In the phase, the group manager converts all or select group undeniable signatures into group signatures. Details of operations are described below.

1. Individual receipt generation.

Let S be a signature for message m. The group manager chooses r ∈R Z^∗_q1q2 and computes S’s individual receipt as R = ( ˜f , R1, R2, R3), where

f = fˆ ^rmod n, R₁ = (Z₁Z₂)^r mod n,

H = H(m k ˆf k R₁) (assume gcd(H, q₁q₂) = 1),

R₂ = SKREP [ α : R₁ = (Z₁Z₂)^α mod n ∧ ˆf = f^α mod n, ](m), R₃ = (r − Hd) mod q₁q₂.

Obviously it is infeasible to derive the secret key d from the individual receipt.

2. Individual verification.

Note that f^R3S_d^H ≡ f^R3f^Hd (mod n). Hence, f^R3S_d^H ≡ f^r (mod n) if and only if R₃ ≡ (r − Hd) (mod q₁q₂). To validate R, the verifier checks the correctness of R₂ and tests whether f^R3S_d^H ≡ ˆf (mod n). If both succeed, then the receipt R is valid; otherwise, the receipt is invalid. If R is valid, then the alleged signature S can be verified by checking the correctness of S₀ and S₁ and testing whether (Z1Z2)^R3S₂^H ≡ R1 (mod n) (see Lemma 5.3.1 below). Hence, with a valid individual receipt, the alleged signature can be verified.

Lemma 5.3.1. Assume R is valid. Then, (Z₁Z₂)^R3S₂^H ≡ R₁ (mod n) if and only if S₂ = (Z₁Z₂)^dmod n.

Proof. Because R is valid, we have R₃ ≡ (r − Hd) (mod q₁q₂) and thus (Z₁Z₂)^R3S₂^H ≡ (Z₁Z₂)^(r−Hd)S₂^H (mod n). Suppose (Z₁Z₂)^R3S₂^H ≡ R₁ (mod n).

Then (Z1Z2)^(r−Hd)S₂^H ≡ (Z1Z2)^r (mod n). So S₂^H ≡ (Z1Z2)^Hd (mod n). Thus S2 = (Z1Z2)^dmod n. For the opposite direction, if S2 = (Z1Z2)^dmod n, then (Z₁Z₂)^R3S₂^H ≡ (Z₁Z₂)^(r−Hd)((Z₁Z₂)^d)^H ≡ (Z₁Z₂)^r (mod n).

3. Universal receipt generation.

To make all signatures universally verifiable, the group manager releases secret e as the universal receipt. According to the basic assumption behind RSA, this does not compromise the security of the secret key d.

4. Universal verification.

To validate e, the verifier tests whether f = S_d^e mod n. If the equality holds, then e is valid; otherwise, e is invalid. If e is valid, then all alleged signatures can be verified by checking the correctness of S₀ and S₁ and testing whether S₂^e ≡ Z1Z2 (mod n). This works because S2 = (Z1Z2)^d mod n if and only if S₂^e ≡ Z₁Z₂ (mod n) because ed ≡ 1 (mod q₁q₂). Consequently, the group undeniable signature scheme can be converted into a group signature scheme by releasing the universal receipt e. In addition, our scheme allows the group manager to delegate the ability to confirm and deny signatures to trusted parties by issuing e to them only.

5.4 Security Analysis

Under the random oracle model, the security of our scheme is based on the standard cryptographic assumptions described in Section 5.2. In the following we show that the proposed scheme satisfies the security properties of group undeniable signatures.