
Convertible Group Undeniable Signatures

Yuh-Dauh Lyuu1 and Ming-Luen Wu2

1 Dept. of Computer Science & Information Engineering and Dept. of Finance, National Taiwan University, Taiwan

lyuu@csie.ntu.edu.tw

2 Dept. of Computer Science & Information Engineering, National Taiwan University, Taiwan

d5526009@csie.ntu.edu.tw

Abstract. Group undeniable signatures are like ordinary group signatures except that verifying signatures needs the help of the group manager. In this paper, we propose a convertible group undeniable signature scheme in which the group manager can turn all or selected signatures, which are originally group undeniable signatures, into ordinary group signatures without compromising security of the secret key needed to generate signatures. The proposed scheme also allows the group manager to delegate the ability to confirm and deny to a limited set of parties without providing them the capability of generating signatures. For business applications, convertible group undeniable signatures can be widely used to validate price lists, press releases or digital contracts when the signatures are commercially sensitive or valuable to a competitor. Our scheme is unforgeable, signature-simulatable and coalition-resistant. The confirmation and denial protocols are also zero-knowledge. Furthermore, the time, space and communication complexity are independent of the group size.

1 Introduction

In electronic life, digital signatures are used to verify whether a message really comes from the alleged signer or not. Like human signatures, standard digital signatures must be nonrepudiatable and universally verifiable. However, universal verifiability might not suit circumstances under which verifying a signature is itself a valuable action. Chaum and van Antwerpen [5] initiated the undeniable signature scheme, in which anyone must interact with the signer to verify a valid signature, and the signer can disavow an invalid signature through a denial protocol. The important property of non-repudiation still holds because the signer cannot disavow a signature through the denial protocol unless the signature is indeed invalid.

With undeniable signatures, anyone needs the cooperation of the signer to verify the signatures. This is not satisfactory because the signer might pass away or be occupied. Boyar et al. [2] first introduced the concept of convertible undeniable signatures: by releasing appropriate verification keys, the signer can turn undeniable signatures into ordinary digital signatures without compromising security of the secret key needed to generate signatures. The convertible schemes in [2, 7] consider converting valid undeniable signatures to universally verifiable ones. Michels and Stadler [9] present a convertible undeniable signature scheme in which the signer can not only convert valid undeniable signatures into ordinary signatures, but also convert invalid undeniable signatures into universally verifiable statements of that fact.

A group signature scheme allows a group member to sign messages on behalf of the group without revealing his or her identity. Nevertheless, in case of a later dispute, a designated group manager can open the signature, thus tracing the signer. At the same time, no one, not even the group manager, can misattribute a valid signature. The concept of group signature schemes was initiated by Chaum and van Heyst [6], while Camenisch and Stadler [3] present the first scheme in which the size of the public key and of signatures is independent of the group size. Analogous to standard digital signatures, group signatures are both nonrepudiatable and universally verifiable.

A group undeniable signature is like an ordinary group signature except that verifying signatures needs the help of the group manager. In this paper, we propose a convertible group undeniable signature scheme in which the group manager can convert all or selected signatures, which are originally group undeniable signatures, into universally verifiable ones without compromising security of the signing key. The notion of convertible group undeniable signatures combines those of group signatures [6] and convertible undeniable signatures [9]. The proposed scheme also allows the group manager to delegate the ability to confirm and deny to a limited set of parties without providing them the capability of generating signatures. Our scheme is based on signatures of knowledge [3] and undeniable signature schemes [4]. We can show the present scheme is existentially unforgeable against adaptive chosen message attacks and is both signature-simulatable and coalition-resistant under reasonable number-theoretic complexity assumptions and in the random oracle model [1]. The signature confirmation and denial protocols can be made zero-knowledge by applying commitment techniques.

This paper is organized as follows. In Section 2, the convertible group undeniable signature model is introduced. Then, in Section 3, useful facts and assumptions in number theory are presented. Section 4 defines basic signatures of knowledge. Section 5 describes our scheme and discusses its security. Conclusions are given in Section 6.

2 Model

In this section we give the definition of a convertible group undeniable signature scheme, the related security requirements, and the significant efficiency considerations. First, we define group undeniable signature schemes. A group undeniable signature scheme consists of the following six components:

System setup: The group secret and group public keys are generated for the group manager.

Join: To become a group member, a user generates his secret key and membership key, and registers the membership key with the group manager. Then, the group manager sends him the membership certificate.

Sign: A group member can sign messages using his secret key, his membership certificate, and the group public key.

Signature confirmation protocol: To verify a signature requires interacting with the group manager.

Signature denial protocol: The group manager can prove to anyone that an invalid signature is invalid through a signature denial protocol.

Open: The group manager can trace the identity of the member who actually signs a given message.

A convertible group undeniable signature scheme is a group undeniable signature scheme with the following additional components:

Individual receipt generation: Given a message, an alleged signature and the group secret key, the group manager can generate the individual receipt by which anyone can verify whether the alleged signature is valid or not. A group undeniable signature can be converted into an ordinary group signature by releasing its individual receipt.

Individual verification: Given a message, an alleged signature, an individual receipt, and the group public key, one can check whether the receipt is valid or invalid with respect to the alleged signature; in case of the former, the alleged signature can be verified using the receipt.

Universal receipt generation: With the group secret key, the group manager can generate the universal receipt by which anyone can verify whether signatures are valid or not. A group undeniable signature scheme can be totally converted into an ordinary group signature scheme by releasing the universal receipt.

Universal verification: With the group public key, one can check whether the given universal receipt is valid or invalid. Suppose the receipt is valid. Given a message and an alleged signature, anyone can verify the signature using the receipt.

In general, a group undeniable signature scheme has the following security considerations:

Unforgeability: Only a group member can sign on behalf of the group.

Unlinkability: No one except the group manager can recognize whether two different signatures are generated by the same group member.

Anonymity: No one except the group manager can identify the signer.

Non-transferability: No one can prove the validity or invalidity of signatures except the group manager.

Zero knowledge: The confirmation and denial protocols reveal no extra information beyond the validity or invalidity of signatures.

Exculpability: Neither the group manager nor a group member can sign on behalf of another group member.

Traceability: The group manager can identify the signer of a valid signature.

Coalition-resistance: A colluding subset of group members cannot generate valid signatures that cannot be traced by the group manager.

The efficiency of a group undeniable signature scheme involves the following parameters of interest:

– The size of the group signature.

– The size of the group public key.

– The efficiency of System setup, Join and Open.

– The efficiency of Sign and Verify (including the confirmation and denial protocols).

3 Number-theoretic Preliminaries

We present some number-theoretic results and assumptions. See [11, 12] for additional information.

Notations. For an integer $n$, $\mathbb{Z}_n$ denotes the ring of integers modulo $n$, and $\mathbb{Z}_n^*$ denotes the multiplicative group modulo $n$. Let $\varphi(n)$ denote Euler's phi function, which gives the number of positive integers $m \in \{1, 2, \ldots, n-1\}$ such that $\gcd(m, n) = 1$. Let $r \in_R I$ represent that $r$ is chosen randomly from a set $I$. The least positive integer $d$ such that $g^d \equiv 1 \pmod n$ is called the order of $g$ modulo $n$, and is denoted by $\mathrm{ord}_n g$ or $\mathrm{ord}(g)$. A universal exponent of $n$ is a positive integer $u$ such that $g^u \equiv 1 \pmod n$ for all $g$ relatively prime to $n$. The minimal universal exponent of $n$ is denoted by $\lambda(n)$.

Fact 1. If $q$ and $p = 2q + 1$ are both primes and $a$ is a positive integer with $1 < a < p - 1$, then $-a^2$ is a quadratic nonresidue and a primitive root modulo $p$.

Fact 2. Let $M$ be a positive integer with odd prime factorization $M = p_1 p_2 \cdots p_n$. (1) $\lambda(M) = \mathrm{lcm}(\varphi(p_1), \varphi(p_2), \ldots, \varphi(p_n))$. (2) There exists an integer $g$ such that $\mathrm{ord}_M g = \lambda(M)$, the largest possible order of an integer modulo $M$. (3) Let $r_i$ be a primitive root modulo $p_i$. The solution of the simultaneous congruences $x \equiv r_i \pmod{p_i}$, $i = 1, 2, \ldots, n$, produces such an integer $g$.

Fact 3. Let $G = \langle g \rangle$ be a cyclic group generated by $g$. If $\mathrm{ord}(g) = n$ and if $r$ is a positive integer, then

Thus, if we choose a positive integer $a$ such that $\gcd(a, n) = 1$, then $g^a$ has the same order as $g$.
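The construction that Facts 1–3 describe, worked through in code. This is an added example, not code from the paper: it builds a toy modulus $n = p_1 p_2$ from two safe primes (the constructed choice $q_1 = 11$, $q_2 = 23$, assumed distinct), takes $-a^2$ with the constant $a = 2$ as a primitive root modulo each $p_i$ (Fact 1), combines them by the Chinese remainder theorem into $g_0$ of order $\lambda(n) = 2q_1q_2$ (Fact 2), and squares to get $g$ of order $q_1 q_2$ (Fact 3). The order function is an exhaustive search and only makes sense at toy sizes.

```python
import math


def crt(residues, moduli):
    """Solve x = r_i (mod p_i) for pairwise coprime moduli (Fact 2(3))."""
    n = math.prod(moduli)
    x = 0
    for r_i, p_i in zip(residues, moduli):
        n_i = n // p_i
        x += r_i * n_i * pow(n_i, -1, p_i)
    return x % n


def multiplicative_order(g, n):
    """Smallest d >= 1 with g^d = 1 (mod n), by exhaustive search (toy sizes only)."""
    acc, d = g % n, 1
    while acc != 1:
        acc, d = acc * g % n, d + 1
    return d


def setup_group(q1, q2, a=2):
    """Return (n, g0, g): n = p1 p2 with p_i = 2 q_i + 1, ord_n g0 = lambda(n), ord_n g = q1 q2.

    q1 and q2 are assumed to be distinct primes with 2 q_i + 1 prime as well (constructed choice).
    """
    p1, p2 = 2 * q1 + 1, 2 * q2 + 1
    n = p1 * p2
    # Fact 1: for a safe prime p = 2q + 1 and 1 < a < p - 1, -a^2 is a primitive root modulo p.
    r1, r2 = (-a * a) % p1, (-a * a) % p2
    # Fact 2: combining primitive roots by the CRT gives g0 of order lcm(p1 - 1, p2 - 1) = 2 q1 q2.
    g0 = crt([r1, r2], [p1, p2])
    # Fact 3: ord(g0^2) = 2 q1 q2 / gcd(2 q1 q2, 2) = q1 q2, the order the scheme in Section 5 needs.
    g = g0 * g0 % n
    return n, g0, g
```

With $q_1 = 11$ and $q_2 = 23$ this yields $n = 1081$, $g_0$ of order 506 and $g$ of order 253; raising $g$ to an exponent coprime to 253 keeps the order, while an exponent such as 11 drops it to 23, which is the second half of Fact 3.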

Let $G = \langle g \rangle$ be a cyclic group generated by $g$ with order $n$. Next, we present some number-theoretic problems. These problems are assumed to be intractable whether $n$ is known or not.

Discrete Logarithm (DL): Given $y \in_R G$ and the base $g$, find the discrete logarithm $x$ of $y = g^x$ to the base $g$.

Representation (Rep): Given $y \in_R G$ and the bases $g_i$ for $i = 1, \ldots, k$, find the representation $(x_1, x_2, \ldots, x_k)$ of $y = g_1^{x_1} g_2^{x_2} \cdots g_k^{x_k}$ to the bases $g_1, \ldots, g_k$.

Equality of Discrete Logarithm (EDL): Given $x, y \in_R G$ and the bases $f, g$, determine whether $\log_f x = \log_g y$ over $\mathbb{Z}_n$.

Root of Discrete Logarithm (RDL): Given $y \in_R G$, an exponent $e$ and the base $g$, find the $e$-th root $x$ of $y = g^{(x^e)}$ to the base $g$.

The above intractable problems are used for the signatures of knowledge described in the next section. Security of our signature scheme is also based on them.

4 Signatures of Knowledge

Signatures of knowledge allow a prover to prove the knowledge of a secret with respect to some public information noninteractively. This cryptographic tool has been used in many group signature schemes. In this section, we review the important signatures of knowledge, which are employed as building blocks in our signature scheme. Now, we explain the notation used in the following signatures of knowledge. Let $G$ be a cyclic group generated by $g$ with order $M$, where $M$ is an RSA modulus. We denote by Greek letters the elements whose knowledge is proven and by all other letters the elements that are publicly known. Denote by $\|$ the concatenation of two binary strings and by $\wedge$ the conjunction symbol. Assume $H$ is a collision resistant hash function which maps a binary string of arbitrary length to a hash value of fixed length.

Knowledge of a discrete logarithm. A signature of knowledge of the discrete logarithm of $y = g^x \in G$ to the base $g$ on the message $m$ is a pair $(c, s)$, which can be generated as follows. Choose $r \in \mathbb{Z}$. Compute

$c = H(m \,\|\, y \,\|\, g \,\|\, g^r)$,

$s = r - cx$.

Such a signature can be computed by a signer who knows the secret $x$. We denote the signature by

$\mathrm{SKDL}[\alpha : y = g^{\alpha}](m)$.

Knowledge of a representation. Let $y_1 = \prod_{j=1}^{\ell_1} g_{b_{1j}}^{x_{e_{1j}}}, \ldots, y_w = \prod_{j=1}^{\ell_w} g_{b_{wj}}^{x_{e_{wj}}}$, where $e_{ij} \in \{1, \ldots, u\}$ and $b_{ij} \in \{1, \ldots, v\}$. A signature of knowledge of a representation $(x_1, \ldots, x_u)$ of $y_1, \ldots, y_w$ with respect to the bases $g_1, \ldots, g_v$ on the message $m$ is $(c, s_1, s_2, \ldots, s_u)$, which can be generated as follows. Choose $r_i \in \mathbb{Z}$ for $i = 1, \ldots, u$. Compute

$c = H\bigl(m \,\|\, y_1 \,\|\, \ldots \,\|\, y_w \,\|\, g_1 \,\|\, \ldots \,\|\, g_v \,\|\, \{\{e_{ij}, b_{ij}\}_{j=1}^{\ell_i}\}_{i=1}^{w} \,\|\, \prod_{j=1}^{\ell_1} g_{b_{1j}}^{r_{e_{1j}}} \,\|\, \cdots \,\|\, \prod_{j=1}^{\ell_w} g_{b_{wj}}^{r_{e_{wj}}}\bigr)$,

$s_i = r_i - c x_i$, for $i = 1, \ldots, u$.

Such a signature can be computed by a signer who knows a representation $(x_1, \ldots, x_u)$. We denote this signature by

$\mathrm{SKREP}\bigl[(\alpha_1, \ldots, \alpha_u) : (y_1 = \prod_{j=1}^{\ell_1} g_{b_{1j}}^{\alpha_{e_{1j}}}) \wedge \cdots \wedge (y_w = \prod_{j=1}^{\ell_w} g_{b_{wj}}^{\alpha_{e_{wj}}})\bigr](m)$.

Anyone can verify the signature by testing $c \stackrel{?}{=} H\bigl(m \,\|\, y_1 \,\|\, \ldots \,\|\, g_v \,\|\, \{\{e_{ij}, b_{ij}\}_{j=1}^{\ell_i}\}_{i=1}^{w} \,\|\, \prod_{j=1}^{\ell_1} g_{b_{1j}}^{s_{e_{1j}}}\, y_1^{c} \,\|\, \cdots \,\|\, \prod_{j=1}^{\ell_w} g_{b_{wj}}^{s_{e_{wj}}}\, y_w^{c}\bigr)$.
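The SKDL and SKREP constructions above, generated and verified in code. This is an added example, not code from the paper: it works in the toy group $G = \langle 2 \rangle$ of order 253 inside $\mathbb{Z}_{1081}^*$ (the $q_1 = 11$, $q_2 = 23$ parameters of Section 5.1, checked at start-up), encodes the hash input as decimal fields joined by `|` (a constructed encoding; the paper only specifies concatenation), and computes $s_i = r_i - c x_i$ over the integers, as the paper does, so the signer never needs the group order. A negative $s_i$ is handled by Python's modular inverse in `pow`. SKDL is obtained as the one-secret, one-base special case of SKREP.

```python
import hashlib
import secrets

N = 1081   # constructed toy modulus n = 23 * 47; G = <2> has order 253 (the signer never uses it)
G = 2
assert pow(G, 253, N) == 1 and pow(G, 11, N) != 1 and pow(G, 23, N) != 1


def H(*parts):
    """Hash H over m || y_1 || ... (constructed encoding: str() of each field, joined by '|')."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


def combine(bases, pairs, exps):
    """prod_j bases[b_j]^(exps[e_j]) mod N for one y_i; (e, b) indices are 1-based as in the paper."""
    acc = 1
    for e, b in pairs:
        acc = acc * pow(bases[b - 1], exps[e - 1], N) % N   # negative exponents invert mod N
    return acc


def skrep_sign(m, x, bases, structure):
    """SKREP[(a_1..a_u) : y_1 = ... ^ ... ^ y_w = ...](m); structure[i] lists the (e_ij, b_ij) of y_i."""
    y = [combine(bases, pairs, x) for pairs in structure]
    r = [secrets.randbits(512) for _ in x]               # r_i in Z, far wider than c * x_i
    t = [combine(bases, pairs, r) for pairs in structure]
    c = H(m, *y, *bases, structure, *t)
    s = [r_i - c * x_i for r_i, x_i in zip(r, x)]          # over the integers
    return y, (c, s)


def skrep_verify(m, y, bases, structure, sig):
    """Recompute prod g^(s) * y_i^c for every y_i and compare the hash with c."""
    c, s = sig
    t = [combine(bases, pairs, s) * pow(y_i, c, N) % N for pairs, y_i in zip(structure, y)]
    return c == H(m, *y, *bases, structure, *t)


def skdl_sign(m, x, g=G):
    """SKDL[a : y = g^a](m) as the special case u = v = w = 1 of SKREP."""
    y, sig = skrep_sign(m, [x], [g], [[(1, 1)]])
    return y[0], sig


def skdl_verify(m, y, sig, g=G):
    return skrep_verify(m, [y], [g], [[(1, 1)]], sig)
```

The verification works because $\prod_j g_{b_{ij}}^{s_{e_{ij}}} \cdot y_i^{c} = \prod_j g_{b_{ij}}^{r_{e_{ij}} - c x_{e_{ij}}} \cdot \bigl(\prod_j g_{b_{ij}}^{x_{e_{ij}}}\bigr)^{c}$ collapses to the signer's commitment $\prod_j g_{b_{ij}}^{r_{e_{ij}}}$; changing the message or any $s_i$ changes the recomputed hash input and the check fails.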

Knowledge of roots of representations. Such a signature is used to prove that one knows the $e$-th root $x$ of the $g$-part of a representation of $v = f^{w} g^{x^e} \in G$ to the bases $f$ and $g$. A signature of knowledge of the pair $(w, x)$ of $v = f^{w} g^{x^e}$ on the message $m$ consists of two components:

– $(v_1, \ldots, v_{e-1})$, where $v_i = f^{r_i} g^{x^i}$ for $i = 1, \ldots, e-1$ and $r_i \in \mathbb{Z}$,

– $\mathrm{SKREP}[(\gamma_1, \gamma_2, \ldots, \gamma_e, \delta) : v_1 = f^{\gamma_1} g^{\delta} \wedge v_2 = f^{\gamma_2} v_1^{\delta} \wedge \cdots \wedge v_{e-1} = f^{\gamma_{e-1}} v_{e-2}^{\delta} \wedge v = f^{\gamma_e} v_{e-1}^{\delta}](m)$.

To generate the signature efficiently, a small integer $e$ is chosen. A signer who knows $(w, x)$ can generate such a signature. The first component is computed directly. Because $r_i \in_R \mathbb{Z}$, we know $v_i \in_R G$. Furthermore, according to the equations $v_i = f^{r_i} g^{x^i}$ and $v = f^{w} g^{x^e}$, we actually have $\gamma_1 = r_1$, $\gamma_i = r_i - x\gamma_{i-1}$ for $i = 2, \ldots, e-1$, $\gamma_e = w - x\gamma_{e-1}$, and $\delta = x$. Hence, the second component can be obtained. We denote this whole signature by $\mathrm{SKRREP}[(\alpha, \beta) : v = f^{\alpha} g^{\beta^e}](m)$.

Knowledge of roots of discrete logarithms. Let $e$ be a small integer. Assume $f$ is also a generator of $G$ and $\log_g f$ is not known. A signature of knowledge of the $e$-th root $x$ of the discrete logarithm of $y = g^{x^e}$ to the base $g$ on the message $m$ comprises two components:

– $\mathrm{SKRREP}[(\alpha, \beta) : y = f^{\alpha} g^{\beta^e}](m)$,

– $\mathrm{SKDL}[\gamma : y = g^{\gamma}](m)$.

With the secret $x$, the signer knows a representation $(0, x^e)$ of $y = f^{0} g^{x^e}$ to the bases $f$ and $g$. This is the only representation the signer knows; otherwise, he would be able to compute $\log_g f$. Therefore, we have $\alpha = 0$, $\beta = x$, and $\gamma = x^e$; the two underlying signatures can be computed. To verify such a signature, one must check the correctness of the two components. We denote the signature by

$\mathrm{SKRDL}[\alpha : y = g^{\alpha^e}](m)$.

According to the further results in [10, Section 3], in the random oracle model, the signatures SKDL and SKREP are simulatable and they are existentially unforgeable against adaptive chosen message attacks under the related number-theoretic complexity assumptions. Thus, SKRREP and SKRDL clearly have the same properties.

5 The Scheme

Now we present our scheme and discuss its security.

5.1 System Setup

To derive the group secret and group public keys, the group manager computes the following values:

– $n = p_1 p_2$, where both $p_i = 2q_i + 1$ and $q_i$ are primes for $i = 1, 2$,

– an RSA public key $(q_1 q_2, e_R)$ and secret key $d_R$,

– an integer $g \in \mathbb{Z}_n^*$ such that $\mathrm{ord}_n g = q_1 q_2$,

– $f = g^{a}$, $S_f = f^{d}$, $S_g = g^{b}$, $u = g^{h}$, $t = u^{\rho}$, where $a, d, b, h, \rho \in_R \mathbb{Z}_{q_1 q_2}^*$, and all arithmetic is modulo $n$,

– $(e, d)$ for $e, d \in_R \mathbb{Z}_{q_1 q_2}^*$ such that $ed \equiv 1 \pmod{q_1 q_2}$.

It is noteworthy that $n$ must be chosen such that factoring $n$ and solving DL in $\mathbb{Z}_n^*$ are intractable. By Facts 1 and 2, we can obtain $g_0$ with order $\lambda(n) = 2q_1 q_2$, and then have $g = g_0^2$ with order $q_1 q_2$ by Fact 3. Moreover, the order of $f$, $S_f$, $S_g$, $u$ and $t$ is also $q_1 q_2$. The group manager keeps $(b, d, d_R, e, \rho^{-1}, p_1, p_2)$ as the group secret key and opens $(n, e_R, f, g, S_f, S_g, u, t)$ as the group public key.

5.2 Join

When someone, say Alice, wants to join the group, she chooses the secret key $y \in_R \mathbb{Z}_n^*$ and computes her membership key $z = g^{y} \bmod n$. We can assume that $\gcd(y, q_1 q_2) = 1$. Alice sends $z$ to the group manager, and proves to the group manager that she knows the discrete logarithm of $z$ without revealing $y$. Next, the group manager chooses $c \in \mathbb{Z}_{q_1 q_2}^*$ such that $(zg^{c})^{q_1} \not\equiv 1 \pmod n$ and $(zg^{c})^{q_2} \not\equiv 1 \pmod n$ (this can be done by testing at most three consecutive integers). Note that $\gcd(y + c, q_1 q_2) = 1$. Then the group manager computes Alice's membership certificate $(x = g^{c} \bmod n,\; v = (c + b)^{d_R} \bmod q_1 q_2,\; w = (zx)^{d} \bmod n)$, and sends $(x, v, w)$ to Alice. Such a $(y, x, v, w)$ is called a valid signing key. It is important to note that the group manager must choose distinct $c$'s for different registrants and prevent anyone from learning the $c$'s. In addition, by Fact 3, we have $\mathrm{ord}(z) = \mathrm{ord}(x) = \mathrm{ord}(w) = q_1 q_2$.

5.3 Sign

Given a message $m$, Alice can generate the signature $S$ by computing the following nine values:

– $\hat g = g^{r}$ for $r \in_R \mathbb{Z}_n^*$,

– $Z_0 = S_g^{r}$,

– $Z_1 = \hat g^{y}$,

– $Z_2 = x^{r}$,

– $A_1 = g^{y} u^{r}$,

– $A_2 = t^{r}$,

– $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \hat g = g^{\beta} \wedge Z_0 = S_g^{\beta} \wedge Z_1 = \hat g^{\alpha} \wedge A_1 = g^{\alpha} u^{\beta} \wedge A_2 = t^{\beta}](m)$,

– $S_1 = \mathrm{SKRDL}[\gamma : Z_2 Z_0 = \hat g^{\gamma^{e_R}}](m)$,

– $S_2 = w^{r}$.

The above arithmetic is modulo $n$. Alice's group undeniable signature on $m$ is $S = (\hat g, Z_0, Z_1, Z_2, A_1, A_2, S_0, S_1, S_2)$. We call $S$ a valid group undeniable signature if $S$ is generated using a valid signing key. The correctness of $S$ is the conjunction of the correctness of $S_0$, $S_1$ and $S_2$.

Now we explain the roles of the elements in $S$. First, considering $S_0$, it proves that the same random number is used in the computation of $\hat g$, $Z_0$, $A_1$ and $A_2$, and that the same exponent $y'$ is used in $Z_1 = \hat g^{y'}$ and $A_1 = g^{y'} u^{r}$ for some $y' \in_R \mathbb{Z}_n^*$. If $S_0$ is correct, $(A_1, A_2)$ is an ElGamal encryption of $z = g^{y'}$ with respect to the public key $(u, t)$. The element $S_1$ proves that Alice knows an $e_R$-th root of the discrete logarithm of $Z_2 Z_0$ to the base $\hat g$. Finally, considering $S_2$, the verifier must interact with the group manager to check whether $S_2 = (Z_1 Z_2)^{d}$ or not.

5.4 Signature Confirmation Protocol

A signature confirmation protocol is an interactive protocol between the group manager and a verifier, in which the group manager can convince the verifier of the fact that a signature is valid. However, the group manager cannot cheat the verifier into accepting an invalid signature as valid except with a very small probability. In the sequel, we denote by $P$ the group manager and by $V$ the verifier. Let $X \longrightarrow Y : Z$ represent that $X$ sends $Z$ to $Y$. In the confirmation protocol, common inputs to $P$ and $V$ include the message $m$, the group public key and the alleged signature $S$. The secret input to $P$ is the group secret key. Now, we present how $V$ can be convinced that $S$ is valid. First, $V$ checks $S_0$ and $S_1$. If either is incorrect, then $V$ recognizes that $S$ is invalid. Otherwise, $P$ and $V$ do the following steps:

1. $V \longrightarrow P : A$

$V$ chooses $e_1, e_2 \in_R \mathbb{Z}_n^*$, and computes $A = S_2^{e_1} S_f^{e_2} \bmod n$.

2. $P \longrightarrow V : B$

$P$ computes $B = A^{e} \bmod n$.

3. $V$ verifies that $(Z_1 Z_2)^{e_1} f^{e_2} \stackrel{?}{=} B \bmod n$.

If equality holds, then $V$ accepts $S$ as a valid signature for $m$. Otherwise $S$ is undetermined.

Our confirmation protocol is based on Chaum's method [4]. To illustrate the protocol clearly, the above steps omit the zero-knowledge part. We can make the protocol zero-knowledge by modifying Step 2 as follows: $P$ commits $B$ to $V$ using a commitment scheme such that $V$ cannot learn what $B$ is unless $V$ sends the correct $e_1$ and $e_2$ to $P$. Because $B = (Z_1 Z_2)^{e_1} f^{e_2} \bmod n$ can be computed using the correct $e_1$ and $e_2$, $P$ reveals no extra information to $V$. Accordingly, the whole protocol is zero-knowledge.

We prove that the verifier will accept a valid signature.

Theorem 1. If $S$ is a valid group undeniable signature, then the verifier will accept $S$ as a valid signature for $m$.

Proof. Obviously, $S_0$ and $S_1$ must be correct. Furthermore, because $w = (g^{y+c})^{d} \bmod n$, we have

$S_2 \equiv w^{r} \equiv ((g^{y+c})^{d})^{r} \equiv (\hat g^{\,y+c})^{d} \equiv (Z_1 Z_2)^{d} \pmod n$.

So $B \equiv A^{e} \equiv (S_2^{e_1} S_f^{e_2})^{e} \equiv (Z_1 Z_2)^{e_1} f^{e_2} \pmod n$. $\square$

Next, we prove that the group manager cannot cheat a verifier into accepting an invalid signature as valid except with a very small probability.

Theorem 2. If $S$ is not a valid group undeniable signature, then a verifier will accept $S$ as a valid signature for $m$ with probability at most $1/q_1 q_2$.

Proof. If $S_0$ or $S_1$ is incorrect, a verifier recognizes $S$ as invalid. Now suppose $S_0$ and $S_1$ are correct. Because $S$ is generated without a valid signing key, $S_2 \neq (Z_1 Z_2)^{d} \bmod n$. $P$ can make $V$ accept the signature only if $P$ can find $B = (Z_1 Z_2)^{e_1} f^{e_2} \bmod n$ such that $(e_1, e_2)$ satisfies $A \equiv S_2^{e_1} S_f^{e_2} \pmod n$. That is, $(e_1, e_2)$ satisfies the following two equations:

$A = S_2^{e_1} S_f^{e_2} \bmod n$, (1)

$B = (Z_1 Z_2)^{e_1} f^{e_2} \bmod n$, (2)

where $S_2 \neq (Z_1 Z_2)^{d} \bmod n$. Assume $A = f^{i}$, $B = f^{j}$, $S_2 = f^{k}$ and $Z_1 Z_2 = f^{\ell}$, where $i, j, k, \ell \in \mathbb{Z}_{q_1 q_2}$, and all arithmetic is modulo $n$. Recall $S_f = f^{d} \bmod n$. From (1) and (2), we have

$i = k e_1 + d e_2 \bmod q_1 q_2$, (3)

$j = \ell e_1 + e_2 \bmod q_1 q_2$. (4)

Because $f^{k} \neq f^{\ell d} \pmod n$, $k \neq \ell d \pmod{q_1 q_2}$. As a result, there is only one solution for $(e_1, e_2)$ from (3) and (4). On the other hand, (3) alone admits $q_1 q_2$ ordered pairs $(e_1, e_2)$ corresponding to $A$. $P$ cannot identify which of them has been used by $V$ to compute $A$. In addition, every $B$ is the correct response for exactly one of the possible $q_1 q_2$ ordered pairs $(e_1, e_2)$ with $e_1, e_2 < q_1 q_2$. Consequently, the probability that $P$ gives $V$ a response $B$ that verifies is at most $1/q_1 q_2$. The theorem is proven. $\square$

5.5 Signature Denial Protocol

A signature denial protocol is an interactive protocol between $P$ and $V$, which allows $P$ to convince $V$ of the fact that an alleged signature is invalid. However, $P$ cannot make $V$ believe that a valid signature is invalid except with a very small probability. In the denial protocol, common inputs to $P$ and $V$ include two constants $c_1$ and $c_2$, the message $m$, the group public key, and the alleged signature $S$. The secret input to $P$ is the group secret key. Now, we present how $P$ can make $V$ accept an invalid signature $S$ as invalid. First, $V$ checks $S_0$ and $S_1$. If either is incorrect, then $V$ recognizes that $S$ is invalid. Otherwise, $P$ and $V$ repeat the following steps at most $c_2$ times. When $V$ finds $S$ is undetermined, the protocol stops.

1. $V \longrightarrow P : A_1, A_2$

$V$ chooses $e_1 \in_R \mathbb{Z}_{c_1}$, $e_2 \in_R \mathbb{Z}_n$ and computes $A_1 = (Z_1 Z_2)^{e_1} f^{e_2} \bmod n$, $A_2 = S_2^{e_1} S_f^{e_2} \bmod n$.

2. $P \longrightarrow V : B$

$P$ computes $A_1 / A_2^{e} \equiv (Z_1 Z_2 / S_2^{e})^{e_1} \pmod n$. $P$ finds $e_1$, and then sends $B = e_1$ to $V$.

3. $V$ checks whether $B \stackrel{?}{=} e_1$.

If equality holds, then $V$ is convinced that $S$ is invalid one time. Otherwise $S$ is undetermined.

If convinced of $S$'s invalidity $c_2$ times, $V$ will accept $S$ as invalid. It is noteworthy that $P$ can perform at most $c_1 c_2$ operations to find the correct $e_1$'s.

The denial protocol is based on Chaum's method [4]. To illustrate this protocol clearly, we omit the zero-knowledge part. Applying a commitment scheme, we can make the protocol zero-knowledge by modifying Step 2 as follows: $P$ commits $B$ to $V$ such that $V$ cannot learn what $B$ is unless $V$ sends the correct $e_2$ to $P$. The correct $e_2$ means that $e_2$ satisfies $A_1 = (Z_1 Z_2)^{e_1} f^{e_2} \bmod n$ and $A_2 = S_2^{e_1} S_f^{e_2} \bmod n$, where $e_1$ is the value found by $P$. This can be checked by $P$. Because the correct $e_2$ ensures that $P$ and $V$ have the same $e_1$, $P$ reveals no extra information to $V$. Accordingly, the whole protocol is zero-knowledge.

In the following theorem, we prove that $P$ can convince $V$ of the fact that an alleged signature is invalid.

Theorem 3. If $S$ is not a valid group undeniable signature, then a verifier will accept $S$ as an invalid signature for $m$.

Proof. If $S_0$ or $S_1$ is incorrect, a verifier will recognize $S$ as an invalid signature. Suppose $S_0$ and $S_1$ are correct. Because $S$ is generated without a valid signing key, $S_2 \neq (Z_1 Z_2)^{d} \bmod n$. Therefore $S_2^{e} \neq Z_1 Z_2$. We have $A_1 / A_2^{e} \equiv (Z_1 Z_2 / S_2^{e})^{e_1} \pmod n$. Consequently, $P$ can always find $e_1$ and give the correct response. This implies that $V$ will accept $S$ as an invalid signature for $m$. $\square$

Next, we prove that $P$ cannot fool $V$ into accepting a valid signature as invalid except with a small probability.

Theorem 4. If $S$ is a valid group undeniable signature, then a verifier will accept $S$ as an invalid signature for $m$ with probability $1/c_1^{c_2}$.

Proof. Because $S$ is valid, $S_0$ and $S_1$ are correct, and $S_2 = (Z_1 Z_2)^{d} \bmod n$. Therefore $S_2^{e} \equiv Z_1 Z_2 \pmod n$. We have $A_1 / A_2^{e} \equiv (Z_1 Z_2 / S_2^{e})^{e_1} \equiv 1 \pmod n$. In this case $P$ can only randomly choose $e_1$ from $\mathbb{Z}_{c_1}$. Consequently, $V$ will accept $S$ as an invalid signature for $m$ with probability $1/c_1^{c_2}$. $\square$

5.6 Open

Given a valid signature $S$, the group manager can compute $z_P = A_1 A_2^{-\rho^{-1}}$. The signer with the membership key $z = z_P$ can be traced directly. We notice that $z_P$ is an ElGamal decryption of $(A_1, A_2)$ with respect to the secret key $\rho^{-1}$.
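Sections 5.1–5.6 end to end on toy parameters: setup, join, the group elements of a signature, the confirmation and denial protocols (both in the form above, without the commitment step), and opening. This is an added example, not code from the paper. It assumes the constructed parameters $q_1 = 11$, $q_2 = 23$, $n = 1081$ and $g = 2$ (whose order 253 is checked at start-up), and it leaves out the signatures of knowledge $S_0$ and $S_1$; in their place `s1_relation_holds` checks the relation $Z_2 Z_0 = \hat g^{\,v^{e_R}}$ that $S_1$ would prove. The forged signature used at the end multiplies a valid $S_2$ by $f$, which is one way to obtain an $S_2 \neq (Z_1 Z_2)^d$ with $S_0$, $S_1$ untouched.

```python
import math
import secrets

# Constructed toy parameters (Section 5.1): p_i = 2 q_i + 1, n = p_1 p_2, ord_n g = q_1 q_2.
# Real parameters must make factoring n and DL in Z_n^* intractable; these are for illustration only.
Q1, Q2 = 11, 23
N = (2 * Q1 + 1) * (2 * Q2 + 1)   # 23 * 47 = 1081
M = Q1 * Q2                        # 253, the secret group order q_1 q_2
G = 2                              # ord_1081(2) = lcm(ord_23(2), ord_47(2)) = lcm(11, 23) = 253
assert pow(G, M, N) == 1 and pow(G, Q1, N) != 1 and pow(G, Q2, N) != 1


def rand_unit(mod):
    """Random element of Z_mod^* (the paper's 'x in_R Z_mod^*')."""
    while True:
        x = secrets.randbelow(mod)
        if x > 1 and math.gcd(x, mod) == 1:
            return x


def setup():
    """5.1 System setup: returns (group public key, group secret key)."""
    a, d, b, h, rho = (rand_unit(M) for _ in range(5))
    phi_rsa = (Q1 - 1) * (Q2 - 1)                  # RSA key pair over the modulus q_1 q_2
    e_r = rand_unit(phi_rsa)
    f, u = pow(G, a, N), pow(G, h, N)
    pub = dict(e_r=e_r, f=f, S_f=pow(f, d, N), S_g=pow(G, b, N), u=u, t=pow(u, rho, N))
    sec = dict(b=b, d=d, d_r=pow(e_r, -1, phi_rsa), e=pow(d, -1, M), rho_inv=pow(rho, -1, M))
    return pub, sec


def join(pub, sec):
    """5.2 Join: the member picks y and z = g^y; the manager issues the certificate (x, v, w)."""
    y = rand_unit(N)
    z = pow(G, y, N)
    while True:                                    # manager: choose c with gcd(y + c, q_1 q_2) = 1
        c = rand_unit(M)
        zx = z * pow(G, c, N) % N
        if pow(zx, Q1, N) != 1 and pow(zx, Q2, N) != 1:
            break
    v = pow((c + sec["b"]) % M, sec["d_r"], M)     # v = (c + b)^{d_R} mod q_1 q_2
    return dict(y=y, x=pow(G, c, N), v=v, w=pow(zx, sec["d"], N))


def sign(pub, key):
    """5.3 Sign: the group elements of S (S_0 and S_1, the signatures of knowledge, are omitted)."""
    r = rand_unit(N)
    g_hat = pow(G, r, N)
    return dict(g_hat=g_hat, Z0=pow(pub["S_g"], r, N), Z1=pow(g_hat, key["y"], N),
                Z2=pow(key["x"], r, N), A1=pow(G, key["y"], N) * pow(pub["u"], r, N) % N,
                A2=pow(pub["t"], r, N), S2=pow(key["w"], r, N))


def s1_relation_holds(pub, sig, v):
    """The statement S_1 would prove: Z_2 Z_0 = g_hat^{v^{e_R}} (v is the signer's secret)."""
    return sig["Z2"] * sig["Z0"] % N == pow(sig["g_hat"], pow(v, pub["e_r"]), N)


def confirm(pub, sec, sig):
    """5.4 Confirmation (commitment step omitted): V challenges, P answers B = A^e, V checks."""
    e1, e2 = rand_unit(N), rand_unit(N)
    A = pow(sig["S2"], e1, N) * pow(pub["S_f"], e2, N) % N     # V -> P
    B = pow(A, sec["e"], N)                                     # P -> V
    Z = sig["Z1"] * sig["Z2"] % N
    return B == pow(Z, e1, N) * pow(pub["f"], e2, N) % N       # V accepts iff equal


def deny(pub, sec, sig, c1=8, c2=10):
    """5.5 Denial (commitment step omitted): True iff P recovers V's e_1 in all c_2 rounds."""
    Z = sig["Z1"] * sig["Z2"] % N
    base = Z * pow(pow(sig["S2"], sec["e"], N), -1, N) % N     # Z_1 Z_2 / S_2^e; equals 1 iff S valid
    for _ in range(c2):
        e1, e2 = secrets.randbelow(c1), secrets.randbelow(N)
        A1 = pow(Z, e1, N) * pow(pub["f"], e2, N) % N          # V -> P
        A2 = pow(sig["S2"], e1, N) * pow(pub["S_f"], e2, N) % N
        target = A1 * pow(pow(A2, sec["e"], N), -1, N) % N     # P: A_1 / A_2^e = base^{e_1}
        if next(k for k in range(c1) if pow(base, k, N) == target) != e1:
            return False                                        # base = 1 leaves P guessing (1/c_1)
    return True


def open_signature(sec, sig):
    """5.6 Open: z = A_1 * A_2^{-rho^{-1}}, an ElGamal decryption of (A_1, A_2)."""
    return sig["A1"] * pow(pow(sig["A2"], sec["rho_inv"], N), -1, N) % N
```

On a valid signature `confirm` always succeeds and `deny` fails except with probability $1/c_1^{c_2}$ (Theorems 1 and 4); on the forged $S_2$ the roles flip, and the `base` value that $P$ computes in `deny` has order 253, so each round's $e_1 < c_1$ is recovered uniquely (Theorem 3).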

5.7 Convertibility

We describe the four components for convertibility.

Individual receipt generation. Let $S$ be a signature for the message $m$. We show how to generate its individual receipt. The group manager chooses $r \in_R \mathbb{Z}_{q_1 q_2}^*$, and computes the receipt $R = (\tilde f, R_1, R_2, R_3)$ as follows:

$\tilde f = f^{r} \bmod n$,

$R_1 = (Z_1 Z_2)^{r} \bmod n$,

$H = H(m \,\|\, \tilde f \,\|\, R_1)$,

$R_2 = \mathrm{SKREP}[\alpha : R_1 = (Z_1 Z_2)^{\alpha} \wedge \tilde f = f^{\alpha}](m)$,

$R_3 = r - Hd \bmod q_1 q_2$.

Obviously, releasing the individual receipt does not compromise security of the secret key $d$ needed to generate signatures.

Individual verification. To check $R$, one checks the correctness of $R_2$ and tests whether $\tilde f = f^{R_3} S_f^{H} \bmod n$. If both succeed, then the receipt $R$ with respect to $S$ is valid. Otherwise the receipt is invalid. If $R$ is valid, then the alleged signature $S$ can be verified by checking the correctness of $S_0$ and $S_1$, and testing whether $R_1 = (Z_1 Z_2)^{R_3} S_2^{H} \bmod n$. Hence, with the individual receipt $R$, the alleged signature $S$ can be universally verified.

Universal receipt generation. To make all signatures universally verifiable, the group manager releases $e$ as the universal receipt. According to the basic assumption behind regular RSA, this does not compromise security of the secret key $d$ needed to generate signatures.

Universal verification. To check $e$, one can test whether $f = S_f^{e} \bmod n$. If the equality holds, then $e$ is valid. Otherwise $e$ is invalid. If $e$ is valid, then all alleged signatures can be verified by checking the correctness of $S_0$ and $S_1$, and testing whether $Z_1 Z_2 \equiv S_2^{e} \pmod n$. Consequently, the group undeniable signature scheme can be totally converted into an ordinary group signature scheme by releasing the universal receipt $e$. In addition, our scheme allows the group manager to delegate the ability to confirm and deny to a limited set of parties by issuing $e$ only to them.
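The receipt computations of this section, as an added example that is not code from the paper. It isolates just the quantities the receipts depend on: the public pair $(f, S_f)$, the key pair $(e, d)$, and a product $Z_1 Z_2$ with its $S_2 = (Z_1 Z_2)^d$. All of these are constructed here on the toy parameters $n = 1081$, $g = 2$ of Section 5.1 (with the fixed constants $a = 5$, $d = 7$), the hash encoding (decimal fields joined by `|`) is an assumption, and $R_2$, the SKREP tying $R_1$ to $\tilde f$, is left out, so `individual_verify` covers only the arithmetic checks.

```python
import hashlib
import secrets

# Constructed toy instance: n = 23 * 47, g = 2 of order 253, as in Section 5.1 with q_1 = 11, q_2 = 23.
N, M, G = 1081, 253, 2
D = 7                                # part of the group secret key; gcd(7, 253) = 1
E = pow(D, -1, M)                    # the universal receipt: e d = 1 (mod q_1 q_2)
F = pow(G, 5, N)                     # f = g^a with the constant a = 5
S_F = pow(F, D, N)                   # S_f = f^d, part of the group public key
Z = pow(G, 9, N)                     # stands in for Z_1 Z_2 of some signature
S2_VALID = pow(Z, D, N)              # S_2 of a valid signature: (Z_1 Z_2)^d
S2_FORGED = S2_VALID * F % N         # an S_2 that does not equal (Z_1 Z_2)^d


def H(*parts):
    """Hash H over m || f~ || R_1 (constructed encoding: str() of each field, joined by '|')."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big")


def individual_receipt(m, z12):
    """Manager side: R = (f~, R_1, R_3) for the signature with Z_1 Z_2 = z12 (R_2 omitted)."""
    r = secrets.randbelow(M - 1) + 1
    f_t, R1 = pow(F, r, N), pow(z12, r, N)
    R3 = (r - H(m, f_t, R1) * D) % M              # R_3 = r - H d mod q_1 q_2
    return f_t, R1, R3


def individual_verify(m, z12, s2, receipt):
    """Anyone: first check the receipt against (f, S_f), then the signature against the receipt."""
    f_t, R1, R3 = receipt
    h = H(m, f_t, R1)
    if pow(F, R3, N) * pow(S_F, h, N) % N != f_t:  # f~ = f^{R_3} S_f^H ?  (f^{r - Hd} f^{dH} = f^r)
        return False                               # the receipt itself is invalid
    return pow(z12, R3, N) * pow(s2, h, N) % N == R1   # R_1 = (Z_1 Z_2)^{R_3} S_2^H ?


def universal_verify(e, z12, s2):
    """Anyone holding the universal receipt e: check e against (f, S_f), then Z_1 Z_2 = S_2^e."""
    return pow(S_F, e, N) == F and pow(s2, e, N) == z12
```

The receipt check and the signature check are deliberately separate: a tampered $R_3$ fails the first test regardless of the signature, while a wrong $S_2$ passes the first test and fails the second. With the universal receipt, a wrong $e$ is rejected by $f \stackrel{?}{=} S_f^{e}$ before any signature is examined.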

5.8 Security Analysis

The security notions below are considered under reasonable number-theoretic complexity assumptions and the random oracle model.

Exculpability. Because the DL problem is intractable, neither the group manager nor a group member can compute the secret key of another group member. Thus, it is infeasible to frame another member. However, this does not prevent the group manager from generating any valid signatures.

Unforgeability. We prove that our signature is existentially unforgeable against adaptive chosen message attacks. Recall that any valid signature $\bar S$ must contain correct $S_0$, $S_1$ and $S_2$. Considering $S_2$, an attacker must obtain $S_2 = \xi^{d} \bmod n$, where $\xi = \xi_1 \xi_2$ with $\xi_1 = \bar g^{\bar y} \bmod n$ and $\xi_2 \bar Z_0 = \bar g^{\bar v^{e_R}} \bmod n$. Using adaptive chosen message attacks, the attacker can compute many $(\xi, \xi^{d})$'s with random $\xi$'s, but he cannot learn $d$. From a random $\xi$, the two values $\xi_1$ and $\xi_2$ must be computed such that $S_0$ and $S_1$ are correct. Here $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \bar g = g^{\beta} \wedge \bar Z_0 = S_g^{\beta} \wedge \xi_1 = \bar g^{\alpha} \wedge \bar A_1 = g^{\alpha} u^{\beta} \wedge \bar A_2 = t^{\beta}](m)$ and $S_1 = \mathrm{SKRDL}[\gamma : \xi_2 \bar Z_0 = \bar g^{\gamma^{e_R}}](m)$. Next, we show that the attacker cannot simultaneously obtain correct $S_0$, $S_1$ and $S_2$. Suppose $\alpha = \bar y$ and $\gamma = \bar v$. Note that the attacker cannot compute $S_0$ and $S_1$ without knowing $\bar y$ and $\bar v$, respectively. Now, to obtain $S_0$ from a $(\xi, \xi^{d})$, the attacker chooses $\bar y$ and has $\xi_1 = \bar g^{\bar y} \bmod n$. So $\xi_2 = \xi \xi_1^{-1} \bmod n$. Assume $\xi_2 = \bar g^{\bar c} \bmod n$. Because the value $\bar v = (\bar c + b)^{d_R}$ satisfying $\xi_2 \bar Z_0 \equiv \bar g^{\bar v^{e_R}} \pmod n$ cannot be obtained, $S_1$ is existentially unforgeable against adaptive chosen message attacks. Consequently, we have the following theorem:

Theorem 5. Our signature scheme is existentially unforgeable against adaptive chosen message attacks.

Unlinkability, Anonymity, Non-transferability. These properties hold if the signatures are simulatable. Now, we show the signatures can be simulated. Let $S$ be a valid signature. Assume the signer's membership key $z$ equals $u^{r_z} \bmod n$ for some $r_z \in \mathbb{Z}_n^*$. So $A_1 = u^{r_z + r} \bmod n$. To generate an indistinguishable signature $\tilde S$, the simulator randomly chooses $\bar r, \tilde r, \tilde y, \tilde c, \tilde d$, and then computes $\tilde g = g^{\tilde r}$, $\tilde Z_0 = S_g^{\tilde r}$, $\tilde Z_1 = \tilde g^{\tilde y}$, $\tilde Z_2 = \tilde g^{\tilde c}$, $\tilde A_1 = u^{\bar r}$, $\tilde A_2 = t^{\tilde r}$, $\tilde S_2 = (\tilde Z_1 \tilde Z_2)^{\tilde d}$, where all arithmetic is modulo $n$. Obviously, $\tilde g$, $\tilde Z_0$, $\tilde A_1$ and $\tilde A_2$ are indistinguishable from $\hat g$, $Z_0$, $A_1$ and $A_2$, respectively. Because the EDL problem is intractable, $\tilde Z_1$, $\tilde Z_2$ and $\tilde S_2$ are indistinguishable from $Z_1$, $Z_2$ and $S_2$, respectively. Recall that $S_0$ and $S_1$ are simulatable in the random oracle model. Consequently, the whole signature is simulatable. Hence, we have the following theorem:

Theorem 6. Our signature scheme is signature-simulatable. Thus the properties of unlinkability, anonymity, and non-transferability hold.

Zero knowledge. By applying the commitment techniques, the confirmation and denial protocols reveal no extra information except for the validity or invalidity of a signature. As a result, our scheme can be zero-knowledge.

Coalition-resistance. We show that a colluding subset of group members cannot generate a valid signature that cannot be traced by the group manager. A valid signature $\bar S$ must contain correct $S_0$, $S_1$ and $S_2$. Considering $S_2$, colluding members must obtain $S_2 = \xi^{d} \bmod n$, where $\xi = \xi_1 \xi_2$ with $\xi_1 = \bar g^{\bar y} \bmod n$ and $\xi_2 \bar Z_0 = \bar g^{\bar v^{e_R}} \bmod n$. However, even using their signing keys, the colluding members cannot derive $d$; they can obtain $\xi = g^{r} \bmod n$ and $\xi^{d} \bmod n$ for any $r$. In addition, the two values $\xi_1$ and $\xi_2$ must be computed such that $S_0$ and $S_1$ are correct. Here $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \bar g = g^{\beta} \wedge \bar Z_0 = S_g^{\beta} \wedge \xi_1 = \bar g^{\alpha} \wedge \bar A_1 = g^{\alpha} u^{\beta} \wedge \bar A_2 = t^{\beta}](m)$ and $S_1 = \mathrm{SKRDL}[\gamma : \xi_2 \bar Z_0 = \bar g^{\gamma^{e_R}}](m)$. Next, we show that the colluding members cannot simultaneously obtain correct $S_0$, $S_1$ and $S_2$. Suppose $\alpha = \bar y$ and $\gamma = \bar v$. We know that the colluding members cannot compute $S_0$ and $S_1$ without knowing $\bar y$ and $\bar v$, respectively. Now, to obtain the correct $S_0$, $S_1$ and $S_2$, the colluding members must choose $\bar y$ and $\bar c$ such that $\bar y + \bar c$ and $\bar v = (\bar c + b)^{d_R}$ can be computed. Note that $\xi_1 = \bar g^{\bar y} \bmod n$, $\xi_2 = \bar g^{\bar c} \bmod n$, and $\xi \equiv \xi_1 \xi_2 \equiv \bar g^{\bar y + \bar c} \pmod n$. In the following we show that obtaining such a $\bar c$ is infeasible. Suppose a group member $i$ has the signing key $(y_i,\; x_i = g^{c_i} \bmod n,\; v_i = (c_i + b)^{d_R} \bmod q_1 q_2,\; w_i)$. Because the colluding members cannot compute the $c_i$'s, solving for $b$ is infeasible. Therefore $\bar c'$ cannot be derived from $(\bar c' + b)$, where $(\bar c' + b)$ is any value such that $(\bar c' + b)^{d_R}$ can be obtained by the colluding members. As a result, $\bar y + \bar c'$ cannot be computed. This implies that it is infeasible to choose $\bar y$ and $\bar c$ such that $\bar y + \bar c$ and $\bar v = (\bar c + b)^{d_R}$ are derived simultaneously. Now, we have the following theorem:

Theorem 7. Our signature scheme is coalition-resistant.

6 Conclusions

In this paper, we employ signatures of knowledge and RSA-based undeniable signature techniques to construct a convertible group undeniable signature scheme. Our scheme also allows the group manager to delegate the ability to confirm and deny to a limited set of parties without providing them the capability of generating signatures. Under reasonable number-theoretic complexity assumptions and the random oracle model, we can prove the group undeniable signature scheme is unforgeable, unlinkable, anonymous, non-transferable, and exculpable. The signature confirmation and denial protocols are zero-knowledge. Even a colluding subset of group members cannot generate valid signatures that cannot be traced.

References

1. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proc. 1st ACM Conference on Computer and Communications Security, pages 62–73, 1993.

2. J. Boyar, D. Chaum, I. Damgård, and T. Pedersen. Convertible undeniable signatures. In Advances in Cryptology—CRYPTO ’90, pages 189–205, 1990.

3. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups (extended abstract). In Advances in Cryptology—CRYPTO ’97, pages 410–424, 1997.

4. D. Chaum. Zero-knowledge undeniable signatures (extended abstract). In Advances in Cryptology—EUROCRYPT ’90, pages 458–464, 1990.

5. D. Chaum and H. van Antwerpen. Undeniable signatures. In Advances in Cryptology—CRYPTO ’89, pages 212–216, 1989.

6. D. Chaum and E. van Heyst. Group signatures. In Advances in Cryptology—EUROCRYPT ’91, pages 257–265, 1991.

7. I. Damgård and T. Pedersen. New convertible undeniable signature schemes. In Advances in Cryptology—EUROCRYPT ’96, pages 372–386, 1996.

8. S. J. Kim, S. J. Park and D. H. Won. Convertible group signatures. In Advances in Cryptology—ASIACRYPT ’96, pages 311–321, 1996.

9. M. Michels and M. Stadler. Efficient convertible undeniable signature schemes. In Proc. 4th Workshop on Selected Areas in Cryptography (SAC ’97), pages 231–244, 1997.

10. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.

11. K. H. Rosen. Elementary Number Theory and its Applications (Third Edition). Addison Wesley, 1993.
