Efficient Identity-Committable Signature and Group-Oriented Ring Signature Schemes


Academic year: 2021


CHENG-KANG CHU AND WEN-GUEY TZENG

Department of Computer Science National Chiao Tung University

Hsinchu, 300 Taiwan

E-mail: {ckchu; wgtzeng}@cs.nctu.edu.tw

The identity of “Deep Throat”, a pseudonym of the information source in the Watergate scandal, remained mysterious for more than three decades. In 2005, an ex-FBI official claimed that he was the anonymous source. Nevertheless, some are still unconvinced. In this paper, we introduce a new notion of identity-committable signatures (ICS) to ensure the anonymity of “Deep Throat” inside a group. A member of an organization can sign a message on behalf of himself (regular signature) or the organization (identity-committed signature). In the latter case, the signer’s identity is hidden from everyone, and can be opened only by the signer himself. We describe the requirements of ICS and give its formal definition. Then we extend the notion of ICS to group-oriented ring signatures (GRS), which further allow the signer to hide his identity behind multiple groups. Since the signer can include all members of a group at once, our GRS scheme is more efficient and practical than general ring signature schemes. Finally, we provide concrete constructions of ICS and GRS with information-theoretic anonymity, that is, the identity of the signer is fully protected.

Keywords: group signatures, ring signatures, anonymous signatures, identity-based signatures, pairing-based cryptography

1. INTRODUCTION

In the early 1970s, Woodward and Bernstein, two reporters of the Washington Post, broke many stories that eventually led to the resignation of President Richard M. Nixon. This is the famous Watergate scandal in the history of the United States. The information source, who assumed the pseudonym “Deep Throat”, remained confidential for more than three decades. Woodward and Bernstein guaranteed that they would not reveal Deep Throat’s identity unless he was willing or he died. It was not until 2005 that Felt, the ex-FBI No. 2, claimed that he was the anonymous source for the Watergate affair.

From this story, we learn some characteristics of being a “Deep Throat”:

• Full-Anonymity. Keeping his identity anonymous is the most important thing for Deep Throat. Even the president cannot trace the information source. Felt was fortunate that the reporters were dependable. If they had been threatened or bribed, the identity of Deep Throat might have been exposed much earlier.

• Group Authenticity. Although we cannot learn the identity of Deep Throat, we should be able to verify that the information comes from a specific organization for these inside stories. The two reporters described above knew that the information from Felt was trustworthy because Felt was working in the FBI at that time.

• Self-Identifiability. After the event, in order to benefit from the identity or to act as a witness in court, Deep Throat should be able to prove that he is the information source. In fact, although the Washington Post confirmed that Felt was Deep Throat, some people still question that.

Received November 21, 2007; revised April 22, 2008; accepted April 24, 2008. Communicated by Chin-Laung Lei.

Based on these characteristics, we try to construct a signature scheme for the following scenario.

David, an employee of a government organization, owns a personal signing key issued by the organization. He uses this key to sign official documents. One day, he discovers a startling scandal inside the organization. He decides to be a “Deep Throat”, i.e. to expose it to the public anonymously. So he uses his signing key to generate a signature on a report of the scandal on behalf of the organization rather than under his personal identity, and sends it to a journalist. The journalist first verifies that the information indeed comes from someone inside the organization, and then publishes it. No one, including the chief of the organization who owns the master secret key, can determine the identity of Deep Throat. After that, David continues his work in that organization as usual. Someday, if David wishes to, he can exhibit a witness identifying himself as Deep Throat.

Consider the existing signature schemes which may achieve this objective. A group signature scheme allows a member of a group to sign anonymously on behalf of the group. However, there is a designated group manager who can revoke the user’s anonymity in case of disputes. Consequently, David will be afraid to expose the scandal. A ring signature scheme enables a user to sign a message on behalf of a ring of possible signers (of which the user is a member), without revealing exactly which member of that ring actually generated the signature. However, David needs to collect all public keys (or identities) of the staff in the organization to form the ring. The computation and communication costs are too large to be practical. Besides, in some secret agencies, the identities of the staff are classified. David may not be able to get the public keys of other secret agents.

In this paper, we propose a new notion of identity-committable signatures (ICS) which fits the above scenario. A member of an organization can sign a message on behalf of himself (regular signature) or the organization (identity-committed signature). In the latter case, the signer’s identity is hidden from everyone, and can be opened only by the signer himself. We describe the requirements of ICS and give its formal definition. Then we extend the notion of ICS to group-oriented ring signatures (GRS), which further allow the signer to hide his identity behind multiple groups. That is, a signer can sign messages on behalf of numerous related groups instead of one group only. A Deep Throat who works in the FBI can sign secrets on behalf of the FBI, CIA, NSA, etc. The identity of Deep Throat can be obfuscated more easily. The size of the signature is only linear in the number of included organizations. Since the signer can include all members of a group at once, our GRS scheme is more efficient and practical than general ring signature schemes.

Related Works In fact, ICS are intermediate between the group signatures and ring signatures described above. We consider some concrete constructions of these two signature schemes:

• Group signatures: The notion of group signatures was introduced by Chaum and Van Heyst [2]. Since then, many other schemes were proposed [3-12]. Group signatures make use of a group manager to identify the signer’s identity if needed. Some works also mentioned separability [13, 14], where the identifying ability can be separated from the group manager. If the identifying ability is designated to the signer himself, it is possible to use such a separable group signature to construct ICS. However, we try to find more direct and more efficient solutions. Some group signature schemes with traceability [15, 16] give the signer self-identifiability directly, but there is still a group manager identifying the signer.

• Ring signatures: Rivest, Shamir, and Tauman [17, 18] first introduced the notion of ring signatures. Subsequently, many constructions were proposed under various settings of signing keys [19-23]. Some works also mentioned self-identifiability [17, 24, 25]. But in their constructions, this property either needs to store witnesses with size linear in the number of non-signers in the ring, or only guarantees computational anonymity. Linkable ring signatures [26-28] stress the ability of checking whether two ring signatures are signed by the same signer. But the signer still cannot prove that he is the original signer of some signature. There are some ID-based constructions [19, 29-32] and constant-size constructions [22, 31, 32]. All these schemes need a private key generator (PKG) with a master secret. In fact, we can regard signers under the same PKG as the members of a group. So signing on behalf of the whole group is a better idea than signing on behalf of a list of group members. Even for constant-size schemes, the computation costs of the signing and verifying procedures are linear in the number of ring members.

2. DEFINITION OF ICS

In this section we give the formal definition of identity-committable signatures.

2.1 Components

An identity-committable signature scheme consists of the following algorithms.

• Setup($1^\lambda$): For the security parameter in unary, $1^\lambda$, the algorithm chooses a master secret key K and outputs the corresponding public parameter μ.

• Extract(μ, ID, K): Output the private key SK for the identity ID.

• Sign(μ, m, SK): Output the regular signature σ on message m.

• Verify(μ, ID, m, σ): If σ is signed by ID’s private key on m, output ‘accept’; otherwise, output ‘reject’.

• IC-Sign(μ, m, SK): Output an identity-committed signature σIC on message m and a witness ω for identifying.

• IC-Verify(μ, m, σIC): If σIC is signed by a private key of the organization on m, output ‘accept’; otherwise output ‘reject’.

• Identify(μ, ID, ω, σIC): If σIC is a valid identity-committed signature and ω opens σIC to ID, output ‘valid’; otherwise output ‘invalid’.

Let PKG be the private key generator of an organization. PKG first runs Setup, and publishes the public parameters. Then it issues the private key for each organization member by performing Extract. Each member uses the Sign and Verify algorithms for regular signing and verification. When a member wants to sign a message anonymously, he performs IC-Sign to get the identity-committed signature and a witness. He outputs the signature to the verifier so that the verifier can verify it via the IC-Verify algorithm. The signer keeps the witness secret so that he can reveal his identity later if he wants. Someday, he can execute Identify with the witness to prove that he is the original signer.

2.2 Security Definition

Bellare et al. [33] characterize the fundamental properties of group signatures in terms of two crucial security requirements. But the two requirements are not sufficient for ICS. Informally speaking, an identity-committable signature scheme should satisfy the following properties.

1. Completeness: With the private key issued by the PKG of an organization, one can sign messages on behalf of himself or the organization. In the latter case, he can prove that he is the original signer.

2. Unforgeability: The scheme should be secure against existential forgery of regular signature under adaptively chosen message and identity attack.

3. ICS-Unforgeability: For someone outside the organization, the scheme should be secure against existential forgery of identity-committed signature under adaptively chosen message attack.

4. ICS-Anonymity: No one but the signer himself can identify the signer of an identity-committed signature.

5. ICS-Binding: The identity-committed signature can only be opened to the original signer.

Formally, we have the following definition for an identity-committable signature scheme.

Definition 1 Identity-Committable Signatures: Define the following oracles which can be queried adaptively by any probabilistic polynomial-time algorithm (PPTA) A against the challenger C.

• ExtractA(ID): C returns the private key for identity ID.

• SignA(ID, m): C returns a regular signature of identity ID on message m.

• IC-SignA(ID, m): C returns an identity-committed signature on m along with a witness which identifies ID as the signer.

An identity-committable signature scheme is secure if it meets the following requirements.

• Completeness. For any m and ID, it holds that

Pr[Verify(μ, ID, m, σ) = accept : σ ← Sign(μ, m, SK); SK ← Extract(μ, ID, K); (μ, K) ← Setup($1^\lambda$)] = 1

and

Pr[IC-Verify(μ, m, σIC) = accept, Identify(μ, ID, ω, σIC) = valid : (σIC, ω) ← IC-Sign(μ, m, SK); SK ← Extract(μ, ID, K); (μ, K) ← Setup($1^\lambda$)] = 1.

• Unforgeability. Given the public parameters and access to all oracles, no PPTA A can output a valid regular signature (ID, m, σ) with non-negligible probability if ExtractA(ID) and SignA(ID, m) are never queried.

• ICS-Unforgeability. Given the public parameters and access to the Sign and IC-Sign oracles, no PPTA A can output a valid identity-committed signature (m, σIC) with non-negligible probability if SignA(ID*, m) and IC-SignA(ID*, m) are never queried for any ID*.

• ICS-Anonymity. Given the public parameters and access to all oracles, no PPTA A has a non-negligible advantage against a challenger C in the following game:

1. A chooses two identities ID0, ID1 and a message m, and sends them to C.

2. C chooses b ∈R {0, 1}, and computes an identity-committed signature σIC on m using IDb’s private key. Then C sends σIC to A.

3. A outputs the guess b′. If b′ = b, A wins the game.

• ICS-Binding. Given the public parameters and access to all oracles, no PPTA A can output a valid identity-committed signature (m, σIC) and two witnesses (ID, ω) and (ID′, ω′) with non-negligible probability.

3. DEFINITION OF GRS

In this section we give the formal definition of group-oriented ring signatures.

3.1 Components

A group-oriented ring signature scheme consists of the following algorithms.

• Setup($1^\lambda$): For the security parameter $1^\lambda$, the algorithm chooses a master secret key K and outputs the corresponding public parameter μ.

• Extract(μ, ID, K): Output the private key SK for the identity ID.

• GR-Sign(L, m, SK): For the list L of public parameters of all groups, output a group-oriented ring signature σGR on message m.

• GR-Verify(L, m, σGR): If σGR is signed by a private key of a group whose public parameter is in L, output ‘accept’; otherwise output ‘reject’.

The PKG of each group first performs Setup, and publishes the public parameter. It also issues the private key for each group member by performing Extract. When a signer wants to sign messages on behalf of some groups, he takes the public parameters of these groups to form the list L. Then the signer executes GR-Sign to generate the group-oriented ring signature. The verifier also takes the list L, and executes GR-Verify to confirm that σGR is signed by a member of one group whose public parameter is in L.

3.2 Security Definition

We have the following definition for a group-oriented ring signature scheme.

Definition 2 Group-Oriented Ring Signatures: Define the following oracles which can be queried adaptively by any PPTA A against the challenger C with a list L of public parameters.

• ExtractA(i, ID): C returns the private key for identity ID of the group which corresponds to the ith public parameter in L.

• GR-SignA(i, L′, ID, m): C returns a group-oriented ring signature, signed by identity ID of the group which corresponds to the ith public parameter in L, on m for the list L′. Note that L′ must contain the ith parameter of L, but the other parameters of L′ need not be in the list L.

A group-oriented ring signature scheme is secure if it meets the following requirements.

• Completeness. For any m, ID and L, it holds that

Pr[GR-Verify(L, m, σGR) = accept : σGR ← GR-Sign(L, m, SK); SK ← Extract(μ, ID, K); (μ, K) ← Setup($1^\lambda$); μ ∈ L] = 1.

• Unforgeability. Given a list of public parameters L = (μ1, …, μl) and access to all oracles, let C be the set of μi ∈ L where ExtractA(i, ID*) is queried for any ID*. No PPTA A can output a valid group-oriented ring signature (L*, m, σGR) with non-negligible probability if L* ⊆ L\C and GR-SignA(i*, L*, ID*, m) is never queried for any i* and ID*.

• Anonymity. Given a list of public parameters L = (μ1, …, μl) and access to all oracles, no PPTA A has a non-negligible advantage against a challenger C in the following game:

1. A chooses two identities (i0, ID0), (i1, ID1), a list L* and a message m, where $\mu_{i_0}, \mu_{i_1} \in L^*$, and sends them to C.

2. C chooses b ∈R {0, 1}, and computes a group-oriented ring signature σGR on m for L* using the private key of IDb of the group which corresponds to the ib-th public parameter in L. Then C sends σGR to A.

3. A outputs the guess b′. If b′ = b, A wins the game.

4. CONCRETE CONSTRUCTIONS

In this section we first consider a generic construction of ICS and then propose specific constructions of ICS and GRS.

4.1 Generic ICS Construction

We first provide a generic ICS scheme from an ID-based signature scheme and a commitment scheme. The signature scheme Σ = (SetupΣ, ExtractΣ, SignΣ, VerifyΣ) is defined as the regular signature part of the ICS components (section 2.1). The commitment scheme Γ = (CommitΓ, RevealΓ) is defined as follows.

• CommitΓ(σ): For a secret σ, output a committed value γ and a witness ω.

• RevealΓ(γ, ω): If γ is the commitment of σ, and ω is the corresponding witness, output the secret σ.

There are two requirements for a secure commitment scheme:

1. Hiding: Before reveal step, the receiver does not learn anything about the committed value.

2. Binding: The sender cannot change the committed value after the commit step.

The organization first designates a special IDG as the group identity, and issues the corresponding private key SKG along with personal private keys to all members. When a member wants to generate an identity-committed signature, he uses the key SKG to sign the message and commits his regular signature on that message. In the Identify process, the signer reveals the regular signature from the commitment. The details are as follows.

• Setup($1^\lambda$): Perform SetupΣ($1^\lambda$) to get the public parameters μ and master secret key K. Define a group identity IDG which differs from the identities of all members. Output (μ, IDG, K).

• Extract(μ, ID, K): Perform ExtractΣ(μ, IDG, K) and ExtractΣ(μ, ID, K) to get SKG and SKID, respectively. Output (SKG, SKID) as the private key for identity ID.

• Sign(μ, m, SKID): Output the regular signature σ = SignΣ(μ, m, SKID).

• Verify(μ, ID, m, σ): Output the result of VerifyΣ(μ, ID, m, σ).

• IC-Sign(μ, m, SKG, SKID): Perform CommitΓ(σ) to get a committed value γ and a witness ω, where σ = SignΣ(μ, m, SKID). Then compute σG = SignΣ(μ, m || γ, SKG). Output the identity-committed signature σIC = (σG, γ) and the witness ω.

• IC-Verify(μ, m, σIC): Parse the identity-committed signature σIC as (σG, γ). Output the result of VerifyΣ(μ, IDG, m || γ, σG).

• Identify(μ, ID, ω, σIC): If σIC = (σG, γ) is a valid identity-committed signature on m, then output the result of VerifyΣ(μ, ID, m, σ), where σ = RevealΓ(γ, ω).

The security of this generic scheme can be directly obtained from the security of Σ and Γ. However, it is weak in some scenarios because all group members use the same private key to generate identity-committed signatures. For example, if Alice signs a personal message in a private communication with Bob, Bob may use Alice’s signature to generate an identity-committed signature, and then frame Alice as Deep Throat. Moreover, the generic scheme loses some additional properties such as chosen-linkability and

4.2 The ICS Scheme Based on Pairings

Let G and G1 be two cyclic groups of prime order p. We write G additively and G1 multiplicatively. Let e: G × G → G1 be a map with the following properties:

• Bilinear: for all P, Q ∈ G and a, b ∈ Z, $e(aP, bQ) = e(P, Q)^{ab}$.

• Non-degenerate: for some P ∈ G, e(P, P) ≠ 1.

We say that G is a bilinear group [34] if the group operations in G and G1, and the bilinear map are efficiently computable.

Our scheme needs the following three complexity assumptions. The first two are the discrete logarithm problem and the computational Diffie-Hellman problem in the bilinear group G. The third one is the Diffie-Hellman problem with chosen bases.

Discrete Logarithm Problem (DLP) The discrete logarithm problem in an (additive) cyclic group G is, given P, aP ∈ G, to output a ∈ Zp. We say that a PPTA A has advantage ε in solving DLP in G if

Pr[A(P, aP) = a: P, aP ∈R G] ≥ ε.

The DL assumption in G holds if no PPTA A has non-negligible advantage ε in solving DLP in G.

Computational Diffie-Hellman Problem (CDHP) The computational Diffie-Hellman problem in an (additive) cyclic group G is, given P, aP, bP ∈ G, to output abP ∈ G. We say that a PPTA A has advantage ε in solving CDHP in G if

Pr[A(P, aP, bP) = abP: P, aP, bP ∈R G] ≥ ε.

The CDH assumption in G holds if no PPTA A has non-negligible advantage ε in solving CDHP in G.

Chosen-Base CDH Problem (CB-CDHP) The chosen-base CDH problem in an (additive) cyclic group G is, given P, aP, bP ∈ G, to output Q, abQ ∈ G\{eG}, where eG is the identity of G. We say that a PPTA A has advantage ε in solving CB-CDHP in G if

Pr[A(P, aP, bP) = (Q, abQ), Q ∈ G\{eG}: P, aP, bP ∈R G] ≥ ε.

The CB-CDH assumption in G holds if no PPTA A has non-negligible advantage ε in solving CB-CDHP in G.

The Scheme The algorithms of our construction are described as follows. The construction is based on the ID-based signature scheme proposed by Cha and Cheon [35], which can be proved secure in the random oracle model.

• Setup($1^\lambda$

bilinear map $e$ and a generator $P$ defined above. Choose two random values $x, y \in \mathbb{Z}_p$, compute

$$P_X = xP \quad\text{and}\quad P_Y = yP.$$

Choose three cryptographically secure hash functions $H_1: \{0, 1\}^* \to G$, $H_2: \{0, 1\}^* \times G \to \mathbb{Z}_p$ and $H_2': \{0, 1\}^* \times G \times G \to \mathbb{Z}_p$. Output $(x, y)$ as the master secret key and $\mu = (G, G_1, e, P, P_X, P_Y, H_1, H_2, H_2')$ as the public parameters.

• Extract($\mu$, $ID$, $x$, $y$): Let $Q_{ID} = H_1(ID)$, compute

$$Q'_{ID} = xQ_{ID} \quad\text{and}\quad S_{ID} = xyQ_{ID}.$$

Output $Q'_{ID}$ and $S_{ID}$ as the public and private keys for identity $ID$, respectively.

• Sign($\mu$, $m$, $Q_{ID}$, $Q'_{ID}$, $S_{ID}$): Compute

$$U = rQ'_{ID} \quad\text{and}\quad V = (r + h)S_{ID},$$

where $r \in_R \mathbb{Z}_p$ and $h = H_2(m, U)$. Output the regular signature $\sigma = (Q'_{ID}, U, V)$.

• Verify($\mu$, $ID$, $m$, $\sigma$): Parse the regular signature $\sigma$ as $(Q'_{ID}, U, V)$. Compute $Q_{ID} = H_1(ID)$ and $h = H_2(m, U)$. Check that

$$e(Q_{ID}, P_X) \stackrel{?}{=} e(Q'_{ID}, P) \quad\text{and}\quad e(U, P_Y) \stackrel{?}{=} e(V, P)\, e(Q'_{ID}, -P_Y)^h.$$

If both equations hold, output ‘accept’; otherwise output ‘reject’.

• IC-Sign($\mu$, $m$, $Q'_{ID}$, $S_{ID}$): Randomly choose a value $w \in \mathbb{Z}_p^* \setminus \{1\}$, compute

$$Q = wQ_{ID}, \quad Q' = wQ'_{ID}, \quad U = rQ' \quad\text{and}\quad V = (r + h)S,$$

where $S = wS_{ID}$, $r \in_R \mathbb{Z}_p$ and $h = H_2'(m, Q, U)$. Output the identity-committed signature $\sigma_{IC} = (Q, Q', U, V)$ and the witness $w$.

• IC-Verify($\mu$, $m$, $\sigma_{IC}$): Parse the identity-committed signature $\sigma_{IC}$ as $(Q, Q', U, V)$. Compute $h = H_2'(m, Q, U)$. Check that

$$e(Q, P_X) \stackrel{?}{=} e(Q', P) \quad\text{and}\quad e(U, P_Y) \stackrel{?}{=} e(V, P)\, e(Q', -P_Y)^h.$$

If both equations hold, output ‘accept’; otherwise output ‘reject’.

• Identify($\mu$, $ID$, $w$, $\sigma_{IC}$): Compute $Q_{ID} = H_1(ID)$. If $\sigma_{IC} = (Q, Q', U, V)$ is a valid identity-committed signature and $Q_{ID} = w^{-1}Q$, output ‘valid’; otherwise output ‘invalid’.

Note that we cannot verify whether w = 1 in the IC-Verify algorithm. One may directly use a standard signature for some ID as an identity-committed signature. However, this is reasonable because ICS is designed for exposing messages. If someone already signed a message m, then the identity-committed signature for the same m is meaningless.

The security argument of this construction can be found in Appendix 1.

Additional Properties In addition to the properties of ICS we defined, our

• Chosen-Linkability. The signer can decide the linkability of his identity-committed signatures. If a signer wants to show that some identity-committed signatures are signed by him, he can use the same witness w to mask his identity. The verifier knows that the signatures with the same Q come from the same signer.

• Private-Communicability. One can privately communicate with the signer of an identity-committed signature without revealing the signer’s identity. For an identity-committed signature (Q, Q′, U, V), one can treat Q as the public key of the signer, and encrypt messages using Boneh and Franklin’s IBE scheme [36] (let Q be the hashed value of H1). The ciphertext can be posted onto some bulletin board, and only the original signer can decrypt the message.

4.3 Group-Oriented Ring Signatures

Abe et al. [20] proposed a ring signature scheme that allows mixed use of different flavors of keys at the same time. All participants can choose their keys with different parameter domains. By applying their construction to our ICS scheme, we get an efficient GRS scheme. A signer can sign messages on behalf of the organization which he belongs to, and then take the public parameters of other organizations to form a ring signature. These groups have their own public parameters, respectively.

First, we slightly modify IC-Sign and IC-Verify of our ICS scheme to be a three-move type signature scheme.

• IC-Sign′($\mu$, $m$, $Q'_{ID}$, $S_{ID}$): Randomly choose a value $w \in \mathbb{Z}_p^* \setminus \{1\}$, compute

$$Q = wQ_{ID}, \quad Q' = wQ'_{ID}, \quad U = rQ' \quad\text{and}\quad V = (r + h)S,$$

where $S = wS_{ID}$, $r \in_R \mathbb{Z}_p$ and $h = H_2'(m, Q, e(U, P_Y))$. Output the identity-committed signature $\sigma_{IC} = (Q, Q', h, V)$ and the witness $w$.

• IC-Verify′($\mu$, $m$, $\sigma_{IC}$): Parse the identity-committed signature $\sigma_{IC}$ as $(Q, Q', h, V)$. Compute $U' = e(V, P)\, e(Q', -P_Y)^h$. Check that

$$e(Q, P_X) \stackrel{?}{=} e(Q', P) \quad\text{and}\quad h \stackrel{?}{=} H_2'(m, Q, U').$$

If both equations hold, output ‘accept’; otherwise output ‘reject’.

It is easy to see that the modification does not affect the security proof of the original scheme.

Let $L = \{\mu^{(i)} = (G^{(i)}, G_1^{(i)}, e^{(i)}, P^{(i)}, P_X^{(i)}, P_Y^{(i)}, H_1^{(i)}, H_2^{(i)}, H_2'^{(i)}) \mid 1 \le i \le n\}$ be the list of public parameters of the $n$ groups that the signer wants to form the ring. Assume that the signer belongs to the $s$th group. The GRS scheme is as follows.

• Setup and Extract: The same as the algorithms of the ICS scheme.

• GR-Sign($L$, $m$, $Q'_{ID}$, $S_{ID}$):

− For $i = s$: Randomly choose a value $w \in \mathbb{Z}_p^* \setminus \{1\}$, compute

$$Q^{(s)} = wQ_{ID}, \quad Q'^{(s)} = wQ'_{ID} \quad\text{and}\quad U'^{(s)} = e(rQ'^{(s)}, P_Y^{(s)}),$$

where $r \in_R \mathbb{Z}_p$.

− For $i = s + 1, \ldots, n, 1, \ldots, s - 1$: Randomly choose $z^{(i)} \in \mathbb{Z}$ and $V^{(i)} \in G^{(i)}$. Compute

$$Q^{(i)} = z^{(i)}P^{(i)}, \quad Q'^{(i)} = z^{(i)}P_X^{(i)} \quad\text{and}\quad h^{(i)} = H_2'^{(i)}(L, m, Q^{(i)}, U'^{(i-1)})$$

and set

$$U'^{(i)} = e^{(i)}(V^{(i)}, P^{(i)})\, e^{(i)}(Q'^{(i)}, -P_Y^{(i)})^{h^{(i)}}.$$

Finally, compute $h^{(s)} = H_2'^{(s)}(L, m, Q^{(s)}, U'^{(s-1)})$ and $V^{(s)} = (r + h^{(s)})S_{ID}$. Output $\sigma_{GR} = (h^{(1)}, (Q^{(1)}, Q'^{(1)}, V^{(1)}), \ldots, (Q^{(n)}, Q'^{(n)}, V^{(n)}))$.

• GR-Verify($L$, $m$, $\sigma_{GR}$): For $i = 1, \ldots, n$, compute

$$U'^{(i)} = e^{(i)}(V^{(i)}, P^{(i)})\, e^{(i)}(Q'^{(i)}, -P_Y^{(i)})^{h^{(i)}},$$

where $h^{(i)} = H_2'^{(i)}(L, m, Q^{(i)}, U'^{(i-1)})$ if $i \ne 1$. Check that

$$e^{(i)}(Q^{(i)}, P_X^{(i)}) \stackrel{?}{=} e^{(i)}(Q'^{(i)}, P^{(i)}) \quad\text{and}\quad h^{(1)} \stackrel{?}{=} H_2'^{(1)}(L, m, Q^{(1)}, U'^{(n)}).$$

If both equations hold, output ‘accept’; otherwise output ‘reject’.

Certainly, the signer can also add some single persons to the list of the ring. By the generic construction of [20], these individual public keys can be “three-move type” or “trapdoor-one-way type”. Therefore, this extension improves the efficiency of ring signatures without loss of generality.

We provide security proofs in Appendix 2.
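The pairing-based ICS scheme of section 4.2 and the GRS ring of section 4.3 can be checked end to end in a toy model; the following is an added example, not the authors' code. Each group element is stored as its discrete logarithm, so the model has no security and only exercises the verification equations, Identify and the ring closure. The order p, the SHA-256 stand-ins for the hash functions, the shared H1 and all function names are assumptions, and the signer's ring response uses the masked key w·S_ID as in IC-Sign′.

```python
# Added toy model, not the authors' code. An element aP of G is stored as the
# scalar a mod p, and e(P, P)^t in G1 as the scalar t. Discrete logs are in the
# clear, so this has NO security; it only checks the scheme's algebra.
import hashlib
import secrets

p = 2**127 - 1   # prime group order, shared by all toy groups (constructed)
P = 1            # generator of G in exponent form

def pair(A, B):            # e(aP, bP) = e(P, P)^(ab)
    return A * B % p

def hash_zp(tag, *parts):  # stands in for H1, H2, H2' via the domain tag
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def H1(identity):          # assumption: every group uses the same H1
    return hash_zp("H1", identity) or 1

def rand_zp_star():
    return 1 + secrets.randbelow(p - 1)

def setup():
    x, y = rand_zp_star(), rand_zp_star()
    return (x * P % p, y * P % p), (x, y)   # mu = (PX, PY), master key (x, y)

def extract(identity, msk):
    x, y = msk
    q = H1(identity)
    return x * q % p, x * y * q % p         # (Q'_ID, S_ID)

def response(mu, V, Qm, h):                 # e(V, P) * e(Q', -PY)^h
    return (pair(V, P) + h * pair(Qm, -mu[1] % p)) % p

def key_ok(mu, Q, Qm):                      # e(Q, PX) == e(Q', P)
    return pair(Q, mu[0]) == pair(Qm, P)

def sign(mu, m, Qp, S):
    r = rand_zp_star()
    U = r * Qp % p
    return Qp, U, (r + hash_zp("H2", m, U)) * S % p

def verify(mu, identity, m, sig):
    Qp, U, V = sig
    h = hash_zp("H2", m, U)
    return key_ok(mu, H1(identity), Qp) and pair(U, mu[1]) == response(mu, V, Qp, h)

def ic_sign(mu, m, identity, Qp, S, w=None):
    w = w or 2 + secrets.randbelow(p - 2)   # witness w in Zp* \ {1}
    r = rand_zp_star()
    Q, Qm = w * H1(identity) % p, w * Qp % p
    U = r * Qm % p
    h = hash_zp("H2'", m, Q, U)
    return (Q, Qm, U, (r + h) * w * S % p), w

def ic_verify(mu, m, sig):
    Q, Qm, U, V = sig
    h = hash_zp("H2'", m, Q, U)
    return key_ok(mu, Q, Qm) and pair(U, mu[1]) == response(mu, V, Qm, h)

def identify(mu, identity, w, m, sig):
    # The page's Identify takes no m; it is passed here to re-run IC-Verify.
    return ic_verify(mu, m, sig) and H1(identity) == pow(w, -1, p) * sig[0] % p

def gr_sign(L, m, s, identity, Qp, S):
    """Ring over the groups in L (0-based); the signer is in group s."""
    n = len(L)
    w, r = 2 + secrets.randbelow(p - 2), rand_zp_star()
    Q, Qm, V, h = [0] * n, [0] * n, [0] * n, [0] * n
    Q[s], Qm[s] = w * H1(identity) % p, w * Qp % p
    U = pair(r * Qm[s] % p, L[s][1])                 # U'(s)
    for k in range(1, n):                            # i = s+1, ..., s-1 (cyclic)
        i = (s + k) % n
        z, V[i] = rand_zp_star(), rand_zp_star()
        Q[i], Qm[i] = z * P % p, z * L[i][0] % p     # passes key_ok with no key
        h[i] = hash_zp("H2'", i, L, m, Q[i], U)
        U = response(L[i], V[i], Qm[i], h[i])
    h[s] = hash_zp("H2'", s, L, m, Q[s], U)
    V[s] = (r + h[s]) * w * S % p    # masked key w*S_ID, as in IC-Sign'
    return h[0], list(zip(Q, Qm, V))

def gr_verify(L, m, sig):
    h1, triples = sig
    if not L or len(triples) != len(L):
        return False
    h, U, ok = h1, None, True
    for i, (Q, Qm, V) in enumerate(triples):
        if i > 0:
            h = hash_zp("H2'", i, L, m, Q, U)        # h(i) from U'(i-1)
        ok = ok and key_ok(L[i], Q, Qm)
        U = response(L[i], V, Qm, h)
    return ok and h1 == hash_zp("H2'", 0, L, m, triples[0][0], U)
```

Passing the same witness `w` to `ic_sign` twice yields two signatures with the same Q, which is the chosen-linkability property described in section 4.2.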

5. CONCLUSIONS

In this paper we introduce the new notion of identity-committable signatures that allow the signer to “commit” his identity on the signature generated on behalf of the signer’s group. Later, the signer can open the identity and prove that he is the original signer. Furthermore, we also introduce the extension of ICS, group-oriented ring signatures, which can be regarded as a very efficient and practical ring signature scheme. We give the definitions of ICS and GRS schemes. Finally, we provide the implementations providing unconditional anonymity, chosen-linkability and private-communicability.

ACKNOWLEDGEMENT

We first thank the anonymous reviewers for giving us many useful suggestions. Also, we are grateful to Sherman S.M. Chow for pointing out some security flaws in our manuscript.

APPENDIX 1. SECURITY PROOFS OF THE ICS SCHEME

In addition to the three oracles ExtractA, SignA and IC-SignA defined in section 2.2, we provide three hash oracles H1A, H2A, H′2A for adversary A. Without loss of generality, we assume that all adversary algorithms query oracles with the same input at most once, and query H1(ID) before ID is used as an input of queries to H2, Extract, Sign and IC-Sign. The proof techniques are similar to those of the underlying signature scheme [35]. Since the completeness requirement can be checked straightforwardly, we provide the other security arguments as follows.

Lemma 1 [35, Lemma 1] If there is an algorithm A that forges a regular signature of our scheme under adaptively chosen message and identity attack with advantage ε in time t, then there is an algorithm A1 which can forge a signature under chosen message and given identity attack with advantage ε1 ≥ ε ⋅ (1 − 1/p) ⋅ 1/qH1 in time t1 ≤ t, where qH1 is the maximum number of queries to H1 made by A.

Proof: On input ID and system parameters, A1 performs the following steps:

1. Randomly choose j ∈ {1, 2, …, qH1}. Let IDi be the ith query to H1A where i ∈ {1, 2, …, qH1}. Define ID′i = IDi if i ≠ j and ID′j = ID.

2. Execute A on the given system parameters. When A queries H1A(IDi), ExtractA(IDi), SignA(IDi, m) and IC-SignA(IDi, m), return H1A1(ID′i), ExtractA1(ID′i), SignA1(ID′i, m) and IC-SignA1(ID′i, m), respectively. Besides, define H2A = H2A1 and H′2A = H′2A1.

3. Finally, A outputs a forgery (ID0, m, σ). If ID0 = ID and (ID0, m, σ) is a valid signature, then output (ID, m, σ); otherwise output fail.

Since H1 is modeled as a random oracle, the output distributions of all oracles queried by A are indistinguishable from the distributions of the oracles queried by A1. By the assumption on A, we have

Pr[(ID0, m, σ) is valid] ≥ ε.

For the same reason, the probability that A outputs a valid signature (ID0, m, σ) without querying H1(ID0) is negligible. That is,

Pr[ID0 = IDi, i ∈ {1, 2, …, qH1} | (ID0, m, σ) is valid] ≥ 1 − 1/p.

Moreover, since j is randomly chosen, we have

Pr[ID0 = ID | ID0 = IDi, i ∈ {1, 2, …, qH1}] ≥ 1/qH1.

By combining these equations, we have

Pr[A outputs a valid signature (ID, m, σ)] ≥ ε ⋅ (1 − 1/p) ⋅ 1/qH1. □

Lemma 2 If there is an algorithm A1 that forges a regular signature of our scheme under adaptively chosen message and given identity attack with advantage ε1 ≥ 10(qS + 1)(qS + qH2)/p in time t1, then there is an algorithm B which can solve CDHP with advantage ε′ ≥ 1/9 in time t′ ≤ 23qH2t1/ε1, where qH2 and qS are the maximum number of queries to H2 and Sign, respectively.

Proof: Given a CDHP instance (P, aP, bP), B computes abP by performing the following steps:

1. Choose an identity ID for A1. Let PX = xP and PY = aP, where x is randomly chosen from Zp. Let qH1 be the maximum number of queries to H1. Define the oracles queried by A1 as follows, where i, ij, ik, il denote the ith H1 query, the jth Extract query, the kth Sign query and the lth IC-Sign query, respectively.

H1A1(IDi) = bP if IDi = ID; otherwise ziP, zi ∈R Zp, for 1 ≤ i ≤ qH1,

ExtractA1(IDij) = (Q′j, Sj) = (xzijP, xzij(aP)),

SignA1(IDik, mk) = (Q′k, Uk, Vk) = (xH1A1(IDik), vkP − hkxH1A1(IDik), vk(aP)), where vk, hk ∈R Zp, 1 ≤ k ≤ qS,

IC-SignA1(IDil, ml) = (wl, Ql, Q′l, Ul, Vl) = (wl, wlH1A1(IDil), xwlH1A1(IDil), vlP − hlxwlH1A1(IDil), vl(aP)), where wl, vl, hl ∈R Zp.

Note that hk and hl will be stored as the result of the queries to H2A1(mk, Uk) and H2A1(ml, Ul), respectively. If a query of SignA1 or IC-SignA1 produces a result which is inconsistent with other results of queries to SignA1 or IC-SignA1 or H2A1, output fail and exit.

2. Run A1 with the given parameters and oracles. If A1 outputs a valid signature (m, ID, Q′, U, h, V), replay it with the same random tape, but a different choice of H2 queries such that A1 outputs another signature (m, ID, Q′, U, h′, V′), where h ≠ h′.

3. Compute and output $x^{-1}(h - h')^{-1}(V - V')$ if both outputs are the expected ones. Otherwise, output fail.

We can see that the oracles $\mathrm{Extract}^{A_1}$ and $\mathrm{Sign}^{A_1}$ output correct keys and signatures as desired, respectively. Moreover, in the random oracle model, the outputs of $H_1^{A_1}$, $H_2^{A_1}$, $\mathrm{Extract}^{A_1}$ and $\mathrm{Sign}^{A_1}$ are randomly distributed and are indistinguishable from the results of the original scheme. By the result of Pointcheval and Stern [38, Lemma 4], $B$ will obtain two valid signatures $(m, ID, Q', U, h, V)$ and $(m, ID, Q', U, h', V')$ such that $h \ne h'$ within time $23 q_{H_2} t_1/\varepsilon_1$ and with probability at least 1/9.

Since the two signatures $(m, ID, Q', U, h, V)$ and $(m, ID, Q', U, h', V')$ are valid, we have

$$\begin{aligned} x^{-1}(h - h')^{-1}(V - V') &= x^{-1}(h - h')^{-1}\big((r + h)S_{ID} - (r + h')S_{ID}\big) \\ &= x^{-1}(h - h')^{-1}\big((r + h)xabP - (r + h')xabP\big) \\ &= x^{-1}(h - h')^{-1}(h - h')xabP = abP. \qquad \square \end{aligned}$$

By the above two lemmas, the following theorem holds.


Theorem 1 Unforgeability: If there is an algorithm $A$ that forges a regular signature of our scheme under adaptively chosen message and identity attack with advantage $\varepsilon \ge 10(q_S + 1)(q_S + q_{H_2})q_{H_1}/(p - 1)$ in time $t$, then there is an algorithm $B$ which can solve CDHP with advantage $\varepsilon' \ge 1/9$ in time $t' \le 23 q_{H_1} q_{H_2} t/\varepsilon(1 - 1/p)$, where $q_{H_1}$, $q_{H_2}$ and $q_S$ are the maximum number of queries to $H_1$, $H_2$ and Sign, respectively.
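The algebra of the reduction in the proof of Lemma 2 above (simulated Sign oracle, then extraction from two forked signatures) can be checked mechanically; the Python sketch below is an added example, not code from the paper. It uses a transparent toy group in which the element kP is stored as k mod p and the pairing is multiplication of exponents, so it checks the equations only and offers no security. The verification equation e(V, P) = e(U + hQ′, P_Y) and the form U = rQ′ of a real signature are assumptions inferred from the proof's algebra, and all function names are hypothetical.

```python
import secrets

p = 2**61 - 1   # prime group order (toy size, constructed for this example)
P = 1           # generator; the element kP is stored as k mod p

def smul(k, X): return (k * X) % p      # scalar multiplication kX
def add(X, Y): return (X + Y) % p
def sub(X, Y): return (X - Y) % p
def pair(X, Y): return (X * Y) % p      # exponent of e(X, Y) to the base e(P, P)
def rand(): return secrets.randbelow(p - 1) + 1   # uniform in [1, p-1]

def verify(Qp, U, h, V, PY):
    # Assumed verification equation: e(V, P) = e(U + hQ', P_Y)
    return pair(V, P) == pair(add(U, smul(h, Qp)), PY)

class Reduction:
    """Algorithm B of Lemma 2: given (P, aP, bP) it picks x; it never uses a or b."""
    def __init__(self, aP, bP):
        self.x = rand()
        self.PX, self.PY = smul(self.x, P), aP   # P_X = xP, P_Y = aP
        self.Qp = smul(self.x, bP)               # Q' = x * H1(ID), with H1(ID) = bP
        self.H2 = {}                             # programmed random-oracle table

    def sign(self, m):
        # Simulated Sign oracle: U = vP - h*x*H1(ID), V = v(aP); h becomes H2(m, U)
        v, h = rand(), rand()
        U = sub(smul(v, P), smul(h, self.Qp))
        if (m, U) in self.H2:
            raise RuntimeError("fail: inconsistent H2 programming")
        self.H2[(m, U)] = h
        return self.Qp, U, h, smul(v, self.PY)

    def extract(self, sig, sig2):
        # Step 3: x^{-1} (h - h')^{-1} (V - V')
        (_, U, h, V), (_, U2, h2, V2) = sig, sig2
        if U != U2 or h == h2:
            raise ValueError("fail: not a fork on the same commitment U")
        k = pow(self.x * (h - h2) % p, -1, p)
        return smul(k, sub(V, V2))

def forked_forger(a, Qp):
    # Stand-in for A1 replayed on one random tape: same r (same U), two H2 answers.
    # It uses S_ID = a*Q', which only this test harness can compute.
    S_ID = smul(a, Qp)
    r, h, h2 = rand(), rand(), rand()
    while h2 == h:
        h2 = rand()
    U = smul(r, Qp)                              # assumption: U = rQ'
    return (Qp, U, h, smul(r + h, S_ID)), (Qp, U, h2, smul(r + h2, S_ID))

def demo():
    a, b = rand(), rand()                        # CDHP secrets, known to the harness only
    B = Reduction(smul(a, P), smul(b, P))
    sim = B.sign("constructed message")
    s1, s2 = forked_forger(a, B.Qp)
    all_valid = all(verify(*s, B.PY) for s in (sim, s1, s2))
    return all_valid, B.extract(s1, s2) == smul(a * b, P)

if __name__ == "__main__": print(demo())
```

The simulated signature verifies although the simulator never touches a, which is the property the proof relies on when it claims the oracle outputs are indistinguishable from the real scheme.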

Theorem 2 ICS-Unforgeability: If there is an algorithm $A$ that forges an identity-committed signature of our scheme under adaptively chosen message attack with advantage $\varepsilon \ge 10(q_{S_{IC}} + 1)(q_{S_{IC}} + q_{H_2'})/p$ in time $t$, then there is an algorithm $B$ which can solve CB-CDHP with advantage $\varepsilon' \ge 1/9$ in time $t' \le 23 q_{H_2'} t/\varepsilon$, where $q_{H_2'}$ and $q_{S_{IC}}$ are the maximum number of queries to $H_2'$ and IC-Sign, respectively.

Proof: Given a CB-CDHP instance $(P, aP, bP)$, $B$ computes $abQ$ for some $Q$ by performing the following steps:

1. Let $P_X = aP$ and $P_Y = bP$. Let $q_{H_1}$ be the maximum number of queries to $H_1$. Define the oracles queried by $A$ as follows, where $i$, $i_k$, $i_l$ denote the $i$th $H_1$ query, the $k$th Sign query and the $l$th IC-Sign query, respectively.

$$H_1^{A}(ID_i) = z_i P, \quad z_i \in_R \mathbb{Z}_p,\ 1 \le i \le q_{H_1},$$

$$\mathrm{Sign}^{A}(ID_{i_k}, m_k) = (Q'_k, U_k, V_k) = \big(z_{i_k}(aP),\ v_k P - h_k z_{i_k}(aP),\ v_k(bP)\big),$$

where $v_k, h_k \in_R \mathbb{Z}_p$.

$$\text{IC-Sign}^{A}(ID_{i_l}, m_l) = (w_l, Q_l, Q'_l, U_l, V_l) = \big(w_l,\ w_l z_{i_l} P,\ w_l z_{i_l}(aP),\ v_l P - h_l w_l z_{i_l}(aP),\ v_l(bP)\big),$$

where $w_l, v_l, h_l \in_R \mathbb{Z}_p$, $1 \le l \le q_{S_{IC}}$.

Note that $h_k$ and $h_l$ will be stored as the result of the query $H_2'^{A}(m_k, U_k)$ and $H_2'^{A}(m_l, U_l)$, respectively. If a query of $\mathrm{Sign}^{A}$ or $\text{IC-Sign}^{A}$ produces a result which is inconsistent with other results of queries to $\mathrm{Sign}^{A}$ or $\text{IC-Sign}^{A}$ or $H_2'^{A}$, output fail and exit.

2. Run $A$ with the given parameters and oracles. When $A$ outputs a valid signature $(m, Q, Q', U, h, V)$, replay it with the same random tape, but different choice of $H_2'$ queries such that $A$ outputs another signature $(m, Q, Q', U, h', V')$, where $h \ne h'$.

3. Compute and output $(h - h')^{-1}(V - V')$ if both outputs are expected ones. Otherwise, output fail.

We can see that the oracles $\mathrm{Sign}^{A}$ and $\text{IC-Sign}^{A}$ output correct signatures as desired. Moreover, in the random oracle model, the outputs of $H_1^{A}$, $H_2'^{A}$, $\mathrm{Sign}^{A}$ and $\text{IC-Sign}^{A}$ are randomly distributed and are indistinguishable from the results of the original scheme. By the result of Pointcheval and Stern [38, Lemma 4], $B$ will obtain two valid signatures $(m, Q, Q', U, h, V)$ and $(m, Q, Q', U, h', V')$ such that $h \ne h'$ within time $23 q_{H_2'} t/\varepsilon$ and with probability at least 1/9.

Since the two signatures $(m, Q, Q', U, h, V)$ and $(m, Q, Q', U, h', V')$ are valid, we have

$$(h - h')^{-1}(V - V') = (h - h')^{-1}\big((r + h)S_{ID} - (r + h')S_{ID}\big) = (h - h')^{-1}\big((r + h)abQ - (r + h')abQ\big)$$


Theorem 3 ICS-Anonymity: Our scheme has the information-theoretic ICS-Anonymity property.

Proof: For a valid identity-committed signature $\sigma_{IC} = (Q, Q', U, V)$, it can be opened to any identity $ID^*$ because there is a $w^*$ such that

$$Q = w^* Q_{ID^*},$$

where $Q_{ID^*} = H_1(ID^*)$. Therefore, the signature has information-theoretic ICS-Anonymity. □

Theorem 4 ICS-Binding: If there is an algorithm $A$ that breaks ICS-Binding property with advantage $\varepsilon$ in time $t$, then there is an algorithm $B$ which can solve DLP with advantage $\varepsilon' \ge \varepsilon(1 - 1/p^2)(1/q_{H_1}^2)$ in time $t' = O(t)$, where $q_{H_1}$ is the maximum number of queries to $H_1$.

Proof: On input $(P, aP)$, $B$ computes $a$ as follows.

1. Run Setup and execute $A$ on the output system parameters.

2. Answer the oracle queries as the real scheme except that when $A$ queries $H_1^{A}(ID_j)$ and $H_1^{A}(ID_{j'})$ for two randomly chosen $j, j' \in \{1, 2, \ldots, q_{H_1}\}$, return $P$ and $aP$ respectively.

3. $A$ outputs an identity-committed signature $(Q, Q', U, V)$ on $m$, and two witnesses $(w, ID)$ and $(w', ID')$. If $ID \ne ID_j$ or $ID' \ne ID_{j'}$, output fail and abort. Otherwise, output $a = w/w'$.

We can see that since $Q = wQ_{ID} = wP$ and $Q = w'Q_{ID'} = w'aP$, the value $a$ is properly computed. Moreover, since $H_1$ is modeled as a random oracle, the output distributions of all oracles queried by $A$ are indistinguishable from the distribution of the real scheme. By the assumption of $A$, we have

$$\Pr[w \text{ and } w' \text{ are witnesses for } ID \text{ and } ID'] \ge \varepsilon.$$

For the same reason, the probability that $A$ outputs valid witnesses $(w, ID)$ and $(w', ID')$ without queries to $H_1(ID)$ and $H_1(ID')$ is negligible. That is,

$$\Pr[ID = ID_i,\ ID' = ID_{i'},\ i, i' \in \{1, 2, \ldots, q_{H_1}\} \mid w \text{ and } w' \text{ are witnesses for } ID \text{ and } ID'] \ge 1 - 1/p^2.$$

Moreover, since $j$ and $j'$ are randomly chosen, we have

$$\Pr[ID = ID_j = P,\ ID' = ID_{j'} = aP \mid ID = ID_i,\ ID' = ID_{i'},\ i, i' \in \{1, 2, \ldots, q_{H_1}\}] \ge 1/q_{H_1}^2.$$

By combining these equations, we have

$$\Pr[B \text{ outputs the correct answer } a \text{ for DLP}] \ge \varepsilon \cdot (1 - 1/p^2) \cdot 1/q_{H_1}^2$$


APPENDIX 2. SECURITY PROOFS OF THE GRS SCHEME

Theorem 5 Unforgeability: For a public parameter list $L$ of size $n$, if there is an algorithm $A$ that forges a group-oriented ring signature of our scheme under adaptively chosen message attack with advantage $\varepsilon \ge 10(q_{S_{GR}} + 1)(q_{S_{GR}} + q_{H_2'})/p$ in time $t$, then there is an algorithm $B$ which can solve CB-CDHP with advantage $\varepsilon' \ge 1/9$ in time $t' \le 23 q_{H_2'} t n/\varepsilon$, where $q_{H_2'}$ and $q_{S_{GR}}$ are the maximum number of queries to $H_2'$ and GR-Sign, respectively.

Proof: Given a CB-CDHP instance $(P, aP, bP)$, $B$ computes $abQ$ for some $Q$ by performing the following steps:

1. Randomly choose an index $\hat{i} \in \{1, 2, \ldots, n\}$. Perform Setup as usual to generate public parameters $\mu^{(i)}$ for all $i \in \{1, \ldots, n\} \setminus \{\hat{i}\}$. Let $P^{(\hat{i})} = P$, $P_X^{(\hat{i})} = aP$ and $P_Y^{(\hat{i})} = bP$. Let $q_{H_1}$ be the maximum number of queries to $H_1^{(\hat{i})}$. Define the oracles queried by $A$ as follows, where $j$, $j_k$ denote the $j$th $H_1^{(\hat{i})}$ query and the $k$th GR-Sign query, respectively.

• For the queries to group $i \in \{1, \ldots, n\} \setminus \{\hat{i}\}$, since the master secret keys are known, compute the answer as the real scheme.

• $\mathrm{Extract}^{A}(\hat{i}, ID)$: output fail and exit for any $ID$.

• $H_1^{(\hat{i})A}(ID_j) = z_j P$, $z_j \in_R \mathbb{Z}_p$, $1 \le j \le q_{H_1}$.

• $\text{GR-Sign}^{A}(\hat{i}, L', ID_{j_k}, m_k) = \big(h_k^{(1)}, (Q_k^{(1)}, Q_k'^{(1)}, V_k^{(1)}), \ldots, (Q_k^{(n')}, Q_k'^{(n')}, V_k^{(n')})\big)$, where

− $(Q_k^{(\hat{i})}, Q_k'^{(\hat{i})}, V_k^{(\hat{i})}) = (z_{j_k} P,\ z_{j_k}(aP),\ v_k(bP))$; $v_k \in_R \mathbb{Z}_p$, $1 \le k \le q_{S_{GR}}$,

− $U_k'^{(\hat{i})} = e(v_k P - h_k^{(\hat{i})} z_{j_k}(aP),\ bP)$ is computed implicitly; $h_k^{(\hat{i})} \in_R \mathbb{Z}_p$, $1 \le k \le q_{S_{GR}}$,

− $(Q_k^{(i)}, Q_k'^{(i)}, V_k^{(i)})$, $i \in \{1, \ldots, n\} \setminus \{\hat{i}\}$ are computed as the real scheme (in the case $i \ne s$).

Note that $h_k^{(\hat{i})}$ will be randomly chosen first, and stored as the result of the query $H_2'^{A}(L, m_k, Q_k^{(\hat{i})}, U_k^{(\hat{i}-1)})$.

2. Run $A$ with the given parameters and oracles until it outputs a valid signature $(L^*, h^{(1)}, (Q^{(1)}, Q'^{(1)}, V^{(1)}), \ldots, (Q^{(n^*)}, Q'^{(n^*)}, V^{(n^*)}))$, where $L^* = (\mu^{*(1)}, \ldots, \mu^{*(n^*)})$. If $\mu^{(\hat{i})} \notin L^*$, output fail and abort. Otherwise, replay it with the same random tape, but different choices of $H_2'^{A}$ queries such that $A$ outputs another valid signature $(L^*, h'^{(1)}, (Q^{(1)}, Q'^{(1)}, V'^{(1)}), \ldots, (Q^{(n^*)}, Q'^{(n^*)}, V'^{(n^*)}))$, where $h^{(1)} \ne h'^{(1)}$ and $V^{(i)} \ne V'^{(i)}$ for all $i \in \{1, \ldots, n^*\}$.

3. Suppose that $\mu^{*(i^*)} = \mu^{(\hat{i})}$. Compute and output $(h^{(i^*)} - h'^{(i^*)})^{-1}(V^{(i^*)} - V'^{(i^*)})$ if both outputs are expected ones. Otherwise, output fail.

We can see that the oracles output correct keys and signatures as desired. Moreover, in the random oracle model, the outputs of $H_1^{A}$, $H_2'^{A}$, $\mathrm{Extract}^{A}$ and $\text{GR-Sign}^{A}$ are randomly distributed and are indistinguishable from the results of the original scheme. By the result of Pointcheval and Stern [38, Lemma 4], $B$ will obtain two valid signatures within time $23 q_{H_2'} t n/\varepsilon$ and with probability at least 1/9. Since the two signatures are valid, we can compute $abQ^{(i^*)}$ as in Theorem 2. □

Theorem 6 Anonymity: Our GRS scheme has the information-theoretic Anonymity


Proof: Consider a valid signature $(L^*, h^{(1)}, (Q^{(1)}, Q'^{(1)}, V^{(1)}), \ldots, (Q^{(n^*)}, Q'^{(n^*)}, V^{(n^*)}))$. Since all $(Q^{(i)}, Q'^{(i)}, V^{(i)})$ are equally distributed for $1 \le i \le n$, the adversary cannot identify the group that the signer belongs to. The remaining value $h^{(1)}$ is uniquely determined from $(L^*, m)$ and the $(Q^{(i)}, V^{(i)})$'s. Moreover, by Theorem 3, we know that the signature of a single group is also information-theoretically anonymous. □

REFERENCES

1. C. K. Chu and W. G. Tzeng, “Identity-committable signatures and their extension to group-oriented ring signatures,” in Proceedings of the 12th Australasian Conference on Information Security and Privacy, LNCS 4586, 2007, pp. 323-337.

2. D. Chaum and E. van Heyst, “Group signatures,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 547, 1991, pp. 257-265.

3. L. Chen and T. P. Pedersen, “New group signature schemes,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 950, 1994, pp. 171-181.

4. J. Camenisch and M. Stadler, “Proof systems for general statements about discrete logarithms,” Technical Report 260, Institute for Theoretical Computer Science, ETH Zurich, 1997.

5. J. Camenisch, “Efficient and generalized group signatures,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 1233, 1997, pp. 465-479.

6. J. Camenisch and M. Michels, “A group signature scheme with improved efficiency,” in Proceedings of Advances in Cryptology − ASIACRYPT, LNCS 1514, 1998, pp. 160-174.

7. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practical and provably secure coalition-resistant group signature scheme,” in Proceedings of Advances in Cryptology − CRYPTO, LNCS 1880, 2000, pp. 255-270.

8. O. Baudron and J. Stern, “Non-interactive private auctions,” in Proceedings of Financial Cryptography, LNCS 2339, 2001, pp. 364-378.

9. G. Ateniese and B. de Medeiros, “Efficient group signatures without trapdoors,” in Proceedings of Advances on Cryptology − ASIACRYPT, LNCS 2894, 2003, pp. 246-268.

10. D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” in Proceedings of Advances in Cryptology − CRYPTO, LNCS 3152, 2004, pp. 41-55.

11. A. Kiayias and M. Yung, “Group signatures with efficient concurrent join,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 3494, 2005, pp. 198-214.

12. X. Boyen and B. Waters, “Compact group signatures without random oracles,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 4004, 2006, pp. 427-444.

13. J. Kilian and E. Petrank, “Identity escrow,” in Proceedings of Advances in Cryptology − CRYPTO, LNCS 1462, 1998, pp. 169-185.

14. J. Camenisch and M. Michels, “Separability and efficiency for generic group signature schemes,” in Proceedings of Advances in Cryptology − CRYPTO, LNCS 1666, 1999, pp. 413-430.


Advances in Cryptology − EUROCRYPT, LNCS 3027, 2004, pp. 571-589.

16. L. Nguyen and R. Safavi-Naini, “Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 3027, 2004, pp. 372-386.

17. R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” in Proceedings of Advances in Cryptology − ASIACRYPT, LNCS 2248, 2001, pp. 552-565.

18. R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret: Theory and applications of ring signatures,” in Essays in Memory of Shimon Even, LNCS 3895, 2006, pp. 164-186.

19. F. Zhang and K. Kim, “Id-based blind signature and ring signature from pairings,” in Proceedings of Advances in Cryptology − ASIACRYPT, LNCS 2501, 2002, pp. 533-547.

20. M. Abe, M. Ohkubo, and K. Suzuki, “1-out-of-n signatures from a variety of keys,” in Proceedings of Advances in Cryptology − ASIACRYPT, LNCS 2501, 2002, pp. 415-432.

21. J. Herranz and G. Saez, “Forking lemmas for ring signature schemes,” in Proceedings of Progress in Cryptology − INDOCRYPT, LNCS 2904, 2003, pp. 266-279.

22. Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup, “Anonymous identification in ad hoc groups,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 3027, 2004, pp. 609-626.

23. A. Bender, J. Katz, and R. Morselli, “Ring signatures: Stronger definitions, and constructions without random oracles,” in Proceedings of the 3rd Theory of Cryptography Conference, LNCS 3876, 2006, pp. 60-79.

24. J. Lv and X. Wang, “Verifiable ring signature,” in Proceedings of the 3rd International Workshop on Cryptology and Network Security, 2003, pp. 663-667.

25. K. C. Lee, H. A. Wen, and T. Hwang, “Convertible ring signature,” IEE Proceedings of Communications, Vol. 152, 2005, pp. 411-414.

26. P. P. Tsang, V. K. Wei, T. K. Chan, M. H. Au, J. K. Liu, and D. S. Wong, “Separable linkable threshold ring signatures,” in Proceedings of Progress in Cryptology − INDOCRYPT, LNCS 3348, 2004, pp. 384-398.

27. J. K. Liu, V. K. Wei, and D. S. Wong, “Linkable spontaneous anonymous group signature for ad hoc groups,” in Proceedings of the 9th Australasian Conference on Information Security and Privacy, LNCS 3108, 2004, pp. 325-335.

28. J. K. Liu and D. S. Wong, “Linkable ring signatures: Security models and new schemes,” in Proceedings of International Conference on Computational Science and its Applications − Part 2, LNCS 3481, 2005, pp. 614-623.

29. J. Herranz and G. Saez, “New identity-based ring signature schemes,” in Proceedings of International Conference on Information and Communication Security, LNCS 3269, 2004, pp. 27-39.

30. S. S. M. Chow, S. M. Yiu, and L. C. K. Hui, “Efficient identity based ring signature,” in Proceedings of Applied Cryptography and Network Security, LNCS 3531, 2005, pp. 499-512.

31. L. Nguyen, “Accumulators from bilinear pairings and applications,” in Proceedings of Topics in Cryptology: The Cryptographer’s Track at RSA Conference, LNCS 3376, 2005, pp. 275-292.


secure in the standard model,” Cryptology ePrint Archive, Report 2006/205, 2006.

33. M. Bellare, D. Micciancio, and B. Warinschi, “Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions,” in Proceedings of Advances in Cryptology − EUROCRYPT, LNCS 2656, 2003, pp. 614-629.

34. A. Joux, “A one round protocol for tripartite diffie-hellman,” Journal of Cryptology, Vol. 17, 2004, pp. 263-276.

35. J. C. Cha and J. H. Cheon, “An identity-based signature from gap diffie-hellman groups,” in Proceedings of the Public-Key Cryptography, LNCS 2567, 2003, pp. 18-30.

36. D. Boneh and M. K. Franklin, “Identity-based encryption from the weil pairing,” in Proceedings of Advances in Cryptology − CRYPTO, LNCS 2139, 2001, pp. 213-229.

37. S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in Proceedings of Advances on Cryptology − ASIACRYPT, LNCS 2894, 2003, pp. 452-473.

38. D. Pointcheval and J. Stern, “Security arguments for digital signatures and blind signatures,” Journal of Cryptology, Vol. 13, 2000, pp. 361-396.

Cheng-Kang Chu (朱成康) received his B.S. degree in Computer Science and Engineering from Yuan Ze University, 1999; and M.S. and Ph.D. degrees in Computer Science from National Chiao Tung University in 2001 and 2008, respectively. He joined School of Information Systems, Singapore Management University, Singapore, as a research staff in 2008 and works there till now. His current research interests include applied cryptography and information security.

Wen-Guey Tzeng (曾文貴) received his B.S. degree in Computer Science and Information Engineering from National Taiwan University, Taiwan, 1985; and M.S. and Ph.D. degrees in Computer Science from the State University of New York at Stony Brook, U.S.A., in 1987 and 1991, respectively. He joined the Department of Computer and Information Science (now, Department of Computer Science), National Chiao Tung University, Taiwan, in 1991 and works there till now. Dr. Tzeng’s current research interests include Cryptology, Information Security and Network Security.
