
Group Undeniable Signatures


Academic year: 2021


Group Undeniable Signatures

YUH-DAUH LYUU

Dept. of Computer Science & Information Engineering and Dept. of Finance

National Taiwan University

No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan

lyuu@csie.ntu.edu.tw

MING-LUEN WU

Dept. of Computer Science & Information Engineering

National Taiwan University

No 1, Sec 4, Roosevelt Rd, Taipei, Taiwan

d5526009@csie.ntu.edu.tw

Abstract: A group undeniable signature scheme is proposed in which each group member can sign on behalf of the group without revealing his identity and the verification of a signature can only be done by interaction with the group manager. For business applications, group undeniable signatures can be used when the signatures are commercially valuable to competitors. If a group member is falsely accused of having signed a signature, the group manager has the ability to prove his innocence. In case of later disputes, the group manager can track down which member signed the signature. Our scheme can be proven to be unforgeable, signature-simulatable and coalition-resistant. The confirmation and denial protocols are also zero-knowledge. Furthermore, the time, space and communication complexity are independent of the group size.

Key-Words: Group signature, Undeniable signature, Signature of knowledge, Unforgeability, Coalition resistance

1 Introduction

Digital signatures bind messages to signers such that everyone can verify whether the message really comes from the alleged signer. Generally, a signer uses a secret value to generate the signature and publishes the corresponding public information for universal verification. However, universal verifiability might not suit circumstances in which the ability to verify signatures can be used against the signers' interests. For example, a competitor may inquire about prices and request the merchant to sign the message. If anyone can verify the signature, the merchant's power to give differential quotes to clients of different standing may be compromised. Limiting the ability to verify signatures is hence desirable. Chaum and van Antwerpen [4] introduce the undeniable signature scheme, in which interaction with the signer is needed to verify a signature and the signer can disavow an invalid signature through a denial protocol. Non-repudiation requires that the signer cannot deny his signature unless the signature is indeed invalid.

A group signature scheme allows a group member to sign messages on behalf of the group without revealing his identity. Nevertheless, in case of later disputes, a designated group manager can open the signature, thus tracing the signer. At the same time, no one, not even the group manager, can misattribute a valid signature. The concept of group signature is first introduced by Chaum and van Heyst [5], and Camenisch and Stadler [2] present the first scheme in which the size of the public key and signatures is independent of the group size. Analogous to standard digital signatures, group signatures are non-repudiatable and universally verifiable.

In this paper, we introduce a new concept, group undeniable signature. A group undeniable signature is like an ordinary group signature except that verifying signatures must involve the group manager. The notion of group undeniable signature combines group signatures and undeniable signatures. Applications of group undeniable signatures include validating price lists, press releases, and digital contracts when the signatures for companies are commercially valuable to competitors. Our scheme is based on signatures of knowledge [2] and undeniable signature schemes [3]. The proposed scheme is existentially unforgeable against adaptive chosen message attacks. It is also signature-simulatable and coalition-resistant under reasonable number-theoretic complexity assumptions and in the random oracle model [1]. The signature confirmation and denial protocols can be zero-knowledge by applying the commitment techniques.


2 Model

A group undeniable signature scheme consists of six components.

System setup: The group's secret and public keys are generated for the group manager.

Join: To become a group member, a person first generates his secret key and membership key, and then registers the membership key with the group manager. Afterwards the group manager sends him the membership certificate.

Sign: A group member signs messages using his secret key, his membership certificate, and the group public key.

Signature confirmation protocol: To verify a signature requires interacting with the group manager.

Signature denial protocol: The group manager can prove to anyone that an invalid signature is indeed invalid through a signature denial protocol.

Open: The group manager can trace the identity of the member who signs a given message.

In general, a group undeniable signature scheme should satisfy the following security considerations.

Unforgeability: Only a group member can sign on behalf of the group.

Unlinkability: No one except the group manager can tell whether two different signatures are generated by the same group member.

Anonymity: No one except the group manager can identify the signer.

Non-transferability: Only the group manager can prove the validity or invalidity of signatures.

Zero knowledge: The confirmation and denial protocols reveal no extra information beyond the validity or invalidity of signatures.

Exculpability: Neither the group manager nor a group member can sign on behalf of another group member.

Traceability: The group manager can identify the signer of a valid signature.

Coalition-resistance: A colluding subset of group members cannot generate valid signatures that cannot be traced by the group manager.

The efficiency of a group undeniable signature scheme involves the following parameters of interest.

• The size of the group signature.

• The size of the group public key.

• The efficiency of System setup, Join and Open.

• The efficiency of Sign and Verify (including the confirmation and denial protocols).

3 Number-theoretic Preliminaries

For positive integer $n$, $Z_n$ denotes the ring of integers modulo $n$, and $Z_n^*$ denotes the multiplicative group modulo $n$. Let $\varphi(n)$ denote Euler's phi function, which gives the number of positive integers $m \in \{1, 2, \ldots, n-1\}$ such that $\gcd(m, n) = 1$. The expression "$r \in_R I$" means that $r$ is chosen randomly from the set $I$. The least positive integer $d$ such that $g^d \equiv 1 \pmod{M}$ is called the order of $g$ modulo $M$, and is denoted by $\mathrm{ord}_M\, g$ or simply $\mathrm{ord}(g)$ if $M$ is understood.

Fact 3.1. Let $G = \langle g \rangle$ be a cyclic group generated by $g$. If $\mathrm{ord}(g) = n$ and if $r$ is a positive integer, then $\mathrm{ord}(g^r) = n / \gcd(n, r)$.

Let $G = \langle g \rangle$ be the cyclic group generated by $g$ with order $n$. The following problem is assumed to be intractable whether $n$ is known or not.

Equality of Discrete Logarithms (EDL): Given $x, y \in_R G = \langle f \rangle = \langle g \rangle$, determine whether $\log_f x = \log_g y$ over $Z_n$.

4 Signatures of Knowledge

Signatures of knowledge allow a prover to prove the knowledge of a secret with respect to some public information noninteractively. In this section, we review the important signatures of knowledge to be employed as building blocks of our signature scheme.

Let $G$ be a cyclic group generated by $g$ with order $n$, where $n$ is the product of two large primes. We denote by Greek letters the elements whose knowledge is to be proven and by all other letters the elements that are publicly known. Denote by $\|$ the concatenation of two binary strings and by $\wedge$ the logical conjunction. A hash function $H$ is collision-resistant if it is infeasible to find two different inputs $x$ and $y$ such that $H(x) = H(y)$. Assume $H$ is a collision-resistant hash function throughout the paper.

Knowledge of a representation. Let $y_1 = \prod_{j=1}^{\ell_1} g_{b_{1j}}^{x_{e_{1j}}}, \ldots, y_w = \prod_{j=1}^{\ell_w} g_{b_{wj}}^{x_{e_{wj}}}$, where $e_{ij} \in \{1, \ldots, u\}$ and $b_{ij} \in \{1, \ldots, k\}$. A signature of knowledge of a representation $(x_1, \ldots, x_u)$ of $y_1, \ldots, y_w$ with respect to generators $g_1, \ldots, g_k$ on message $m$ is $(c, s_1, s_2, \ldots, s_u)$. It can be generated as follows. Choose $r_i \in_R Z_n$ for $i = 1, \ldots, u$ and then compute

$$c = H\bigl(m \| y_1 \| \cdots \| y_w \| g_1 \| \cdots \| g_k \| \{\{e_{ij}, b_{ij}\}_{j=1}^{\ell_i}\}_{i=1}^{w} \| \prod_{j=1}^{\ell_1} g_{b_{1j}}^{r_{e_{1j}}} \| \cdots \| \prod_{j=1}^{\ell_w} g_{b_{wj}}^{r_{e_{wj}}}\bigr)$$

and $s_i = r_i - c x_i \bmod n$ for $i = 1, \ldots, u$. Such a signature can be computed by a signer who knows the representation $(x_1, \ldots, x_u)$. We denote this signature by

$$\mathrm{SKREP}\Bigl[(\alpha_1, \ldots, \alpha_u) : \bigl(y_1 = \prod_{j=1}^{\ell_1} g_{b_{1j}}^{\alpha_{e_{1j}}}\bigr) \wedge \cdots \wedge \bigl(y_w = \prod_{j=1}^{\ell_w} g_{b_{wj}}^{\alpha_{e_{wj}}}\bigr)\Bigr](m).$$

Anyone can verify the signature by checking whether

$$c = H\bigl(m \| y_1 \| \cdots \| y_w \| g_1 \| \cdots \| g_k \| \{\{e_{ij}, b_{ij}\}_{j=1}^{\ell_i}\}_{i=1}^{w} \| \prod_{j=1}^{\ell_1} g_{b_{1j}}^{s_{e_{1j}}} y_1^c \| \cdots \| \prod_{j=1}^{\ell_w} g_{b_{wj}}^{s_{e_{wj}}} y_w^c\bigr).$$
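As an added illustration (not code from the paper or its authors), the SKREP construction above in Python over a constructed subgroup of $Z_{859}^*$ of order $143$, instantiated with the five-conjunct statement that $S_0$ in Section 5.3 proves. The hash $H$ is modelled with SHA-256, and the function names, the 0-based term lists and the sample exponents are assumptions.

```python
import hashlib
import random

# Constructed toy group: p = 859 is prime and n = 143 divides p - 1, so Z_p^* has a
# cyclic subgroup G of order n; G below is a generator of it (Fact 3.1).
P, N = 859, 143
G = next(h for h in (pow(x, (P - 1) // N, P) for x in range(2, P))
         if pow(h, 11, P) != 1 and pow(h, 13, P) != 1)

def H(*parts):
    """Collision-resistant hash of the concatenation (SHA-256 over a '|'-joined encoding)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def product(terms, gens, exps):
    """prod_j gens[b_j]^exps[e_j] for one y_i, given its term list [(e_j, b_j), ...]."""
    out = 1
    for e, b in terms:
        out = out * pow(gens[b], exps[e], P) % P
    return out

def skrep_sign(m, ys, gens, structure, xs, rng):
    """SKREP[(alpha_1,..,alpha_u) : y_i = prod_j g_{b_ij}^{alpha_{e_ij}}](m), signer knows xs."""
    rs = [rng.randrange(N) for _ in xs]                       # r_i in_R Z_n
    commits = [product(terms, gens, rs) for terms in structure]
    c = H(m, *ys, *gens, structure, *commits)
    ss = [(r - c * x) % N for r, x in zip(rs, xs)]             # s_i = r_i - c x_i mod n
    return c, ss

def skrep_verify(m, ys, gens, structure, sig):
    """Recompute the commitments as prod_j g_{b_ij}^{s_{e_ij}} * y_i^c and re-hash."""
    c, ss = sig
    commits = [product(terms, gens, ss) * pow(y, c, P) % P for terms, y in zip(structure, ys)]
    return c == H(m, *ys, *gens, structure, *commits)

def demo_s0(seed=7):
    """Sign and verify the S0 statement of the paper's Sign step on assumed toy values."""
    rng = random.Random(seed)
    g, Sg, u = pow(G, 5, P), pow(G, 9, P), pow(G, 12, P)      # stand-ins for g, S_g, u
    t = pow(u, 3, P)                                           # t = u^rho with rho = 3
    y, r = 17, 23                                              # alpha = y, beta = r
    gh = pow(g, r, P)                                          # ghat = g^r
    gens = [g, Sg, gh, u, t]
    ys = [gh, pow(Sg, r, P), pow(gh, y, P), pow(g, y, P) * pow(u, r, P) % P, pow(t, r, P)]
    # term lists (e_ij, b_ij), 0-based: which secret (0 = alpha, 1 = beta) sits on which generator
    structure = [[(1, 0)], [(1, 1)], [(0, 2)], [(0, 0), (1, 3)], [(1, 4)]]
    sig = skrep_sign("price list v1", ys, gens, structure, [y, r], rng)
    return dict(valid=skrep_verify("price list v1", ys, gens, structure, sig),
                other_message=skrep_verify("price list v2", ys, gens, structure, sig))
```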

Knowledge of roots of representations. Such a signature is used to prove that one knows the $e$-th root $x$ of the $g$-part of a representation of $v = f^w g^{x^e} \in G = \langle f \rangle = \langle g \rangle$. A signature of knowledge of the pair $(w, x)$ of $v = f^w g^{x^e}$ on message $m$ consists of two components.

• $(v_1, \ldots, v_{e-1})$, where $v_i = f^{r_i} g^{x^i}$ and $r_i \in_R Z_n$ for $i = 1, \ldots, e-1$.

• $\mathrm{SKREP}[(\gamma_1, \gamma_2, \ldots, \gamma_e, \delta) : v_1 = f^{\gamma_1} g^{\delta} \wedge v_2 = f^{\gamma_2} v_1^{\delta} \wedge \cdots \wedge v_{e-1} = f^{\gamma_{e-1}} v_{e-2}^{\delta} \wedge v = f^{\gamma_e} v_{e-1}^{\delta}](m)$.

We denote the complete signature by $\mathrm{SKRREP}[(\alpha, \beta) : v = f^{\alpha} g^{\beta^e}](m)$. If a small integer $e$ is chosen, the signature can be generated efficiently. A signer who knows $(w, x)$ can generate such a signature. The first component is computed directly. Because $r_i \in_R Z_n$, we know $v_i \in_R G$. Furthermore, because of the equations $v_i = f^{r_i} g^{x^i}$ and $v = f^w g^{x^e}$, we let $\gamma_1 = r_1$, $\gamma_i = r_i - x r_{i-1}$ for $i = 2, \ldots, e-1$, $\gamma_e = w - x r_{e-1}$, and $\delta = x$. Hence, the second component can be obtained.

Knowledge of roots of discrete logarithms. Assume $f$ is another generator of $G = \langle g \rangle$ and $\log_g f$ is not known. A signature of knowledge of the $e$-th root $x$ of the discrete logarithm of $y = g^{x^e}$ on the message $m$ comprises two components.

• $\mathrm{SKRREP}[(\alpha, \beta) : y = f^{\alpha} g^{\beta^e}](m)$.

• $\mathrm{SKREP}[\gamma : y = g^{\gamma}](m)$.

We denote the whole signature by $\mathrm{SKRDL}[\alpha : y = g^{\alpha^e}](m)$. With the secret $x$, the signer knows a representation $(0, x^e)$ of $y = f^0 g^{x^e}$ with respect to the generators $f$ and $g$. This must be the only representation the signer knows; otherwise, he would be able to compute $\log_g f$. This implies $\alpha = 0$, $\beta = x$, and $\gamma = x^e$, and the two underlying signatures can be computed. To verify such a signature, one must check the correctness of the two components.

According to results in [6, Section 3], in the random oracle model, we can derive that the above signatures are simulatable and existentially unforgeable against adaptive chosen message attacks under the related number-theoretic complexity assumptions.

5 The Scheme

5.1 System Setup

To derive the group secret key and the group public key, the group manager computes the following values.

• An RSA public key $(n = p_1 p_2, e_R)$ and secret key $d_R$.

• A cyclic group $G = \langle g \rangle$ of order $n$.

• $f = g^a$, $S_g = g^b$, $u = g^h$, $t = u^{\rho}$, where $a, b, h, \rho \in_R Z_n^*$.

• $(e, d)$ for $e, d \in Z_n^*$ such that $ed \equiv 1 \pmod{n}$.

• $S_f = f^d$.

Note that $n$ must be chosen such that factoring $n$ and solving discrete logarithms in $G$ are intractable. Here is one way to pick $G = \langle g \rangle$. Let $g_0$ be a generator of $Z_p^*$, a cyclic group, where $p$ is a prime. If we let $G = \langle g_0^{(p-1)/n} \rangle$ and $n \mid (p-1)$, then $G$ is a subgroup of $Z_p^*$. By Fact 3.1, $g = g_0^{(p-1)/n}$ has order $n$ and is hence the desired generator of $G$. The orders of $f, S_f, S_g, u$, and $t$ are also $n$. The group manager keeps $(b, d, d_R, e, \rho^{-1}, p_1, p_2)$ as the group secret key and publishes $(n, e_R, f, g, S_f, S_g, u, t)$ as the group public key.

5.2 Join

When Alice wants to join the group, she chooses the secret key $y \in_R Z_n^*$ and computes her membership key $z = g^y$. Then Alice sends $z$ to the group manager and proves to the group manager that she knows the discrete logarithm of $z$ without revealing it. Next, the group manager chooses $c \in_R Z_n^*$ such that $(z g^c)^{p_1} \neq 1$ and $(z g^c)^{p_2} \neq 1$ (this is doable by testing at most three consecutive integers). Note that $\gcd(y + c, n) = 1$. Then the group manager computes Alice's membership certificate $(x, v, w)$ and sends it to Alice, where $x = g^c$, $v = (c + b)^{d_R} \bmod n$, and $w = (zx)^d$. The 4-tuple $(y, x, v, w)$ is called a valid signing key. The group manager must choose distinct $c$'s for


5.3 Sign

Given a message m, Alice computes the following values.

• $\hat{g} = g^r$ for $r \in_R Z_n^*$ (note that $G = \langle \hat{g} \rangle$).

• $Z_0 = S_g^r$, $Z_1 = \hat{g}^y$, $Z_2 = x^r$, $A_1 = g^y u^r$, $A_2 = t^r$.

• $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \hat{g} = g^{\beta} \wedge Z_0 = S_g^{\beta} \wedge Z_1 = \hat{g}^{\alpha} \wedge A_1 = g^{\alpha} u^{\beta} \wedge A_2 = t^{\beta}](m)$.

• $S_1 = \mathrm{SKRDL}[\gamma : Z_2 Z_0 = \hat{g}^{\gamma^{e_R}}](m)$.

• $S_2 = w^r$.

Alice's group undeniable signature on $m$ is $S = (\hat{g}, Z_0, Z_1, Z_2, A_1, A_2, S_0, S_1, S_2)$. We call $S$ a valid group undeniable signature if $S$ is generated using a valid signing key. The correctness of $S$ is based on the correctness of $S_0$, $S_1$, and $S_2$.

5.4 Signature Confirmation Protocol

A signature confirmation protocol is an interactive protocol between the group manager and a verifier whereby the group manager can convince the verifier that the signature is valid. However, the group manager cannot cheat the verifier into accepting an invalid signature as valid except with a very small probability. In the following, we denote by $P$ the group manager and by $V$ the verifier. The notation $X \longrightarrow Y : Z$ means that $X$ sends $Z$ to $Y$. In the confirmation protocol, common inputs to $P$ and $V$ include the message $m$, the group public key and the alleged signature $S$. The secret input to $P$ is the group secret key.

To be convinced that S is valid, first V checks S0 and S1. If either is incorrect, then V recognizes that S is invalid. Otherwise, P and V perform the following steps:

1. $V \longrightarrow P : A$. $V$ chooses $e_1, e_2 \in_R Z_n^*$ and computes $A = S_2^{e_1} S_f^{e_2}$.

2. $P \longrightarrow V : B$. $P$ computes $B = A^e$.

3. $V$ verifies that $(Z_1 Z_2)^{e_1} f^{e_2} = B$.

If the equality holds, then $V$ accepts $S$ as a valid signature for $m$. Otherwise $V$ cannot determine whether $S$ is valid or invalid.

The following theorem says that $V$ accepts valid signatures.

Theorem 5.1. If $S$ is a valid group undeniable signature, then the verifier will accept $S$ as a valid signature for $m$.

Proof. Obviously, $S_0$ and $S_1$ must be correct. Furthermore, because $w = (g^{y+c})^d$, we have $S_2 = w^r = ((g^{y+c})^d)^r = (\hat{g}^{y+c})^d = (Z_1 Z_2)^d$. So $B = A^e = (S_2^{e_1} S_f^{e_2})^e = (Z_1 Z_2)^{e_1} f^{e_2}$.

Next we show that P cannot cheat V into accepting invalid signatures as valid except with a very small probability.

Theorem 5.2. If $S$ is not a valid group undeniable signature, then a verifier will accept $S$ as a valid signature for $m$ with probability $1/n$.

Proof. If $S_0$ or $S_1$ is incorrect, a verifier recognizes $S$ as invalid. Now suppose $S_0$ and $S_1$ are correct. Because $S$ is generated without a valid signing key, $S_2 \neq (Z_1 Z_2)^d$. $P$ can make $V$ accept the signature only if $P$ can find $B = (Z_1 Z_2)^{e_1} f^{e_2}$ such that $(e_1, e_2)$ satisfies $A = S_2^{e_1} S_f^{e_2}$. That is, $(e_1, e_2)$ satisfies the following two equations:

$$A = S_2^{e_1} S_f^{e_2}, \quad (1)$$

$$B = (Z_1 Z_2)^{e_1} f^{e_2}, \quad (2)$$

where $S_2 \neq (Z_1 Z_2)^d$. As the order of $f$ is $n$, we let $A = f^i$, $B = f^j$, $S_2 = f^k$, and $Z_1 Z_2 = f^{\ell}$ for some $i, j, k, \ell \in Z_n$. Recall $S_f = f^d$. From (1) and (2), we have $i = k e_1 + d e_2 \bmod n$ and $j = \ell e_1 + e_2 \bmod n$. As $f^k \neq f^{\ell d}$, $k \not\equiv \ell d \pmod{n}$ and there is a unique solution for $(e_1, e_2)$.

By Fact 3.1, the orders of $S_2$, $S_f$, and $Z_1 Z_2$ are all $n$; hence there are $n$ ordered pairs $(e_1, e_2)$ satisfying $A = S_2^{e_1} S_f^{e_2}$. $P$ cannot identify which among them was used by $V$ to compute $A$. In addition, every $B$ is a correct response for exactly one of the possible ordered pairs. Consequently, the probability that $P$ will give $V$ the correct $B$ is $1/n$.

To illustrate the protocol clearly, the above steps omit the zero-knowledge part. We can make the protocol zero-knowledge by modifying Step 2 as follows: $P$ commits $B$ to $V$ using a commitment scheme such that $V$ cannot learn what $B$ is unless $V$ sends the correct $e_1$ and $e_2$ to $P$. Because $B = (Z_1 Z_2)^{e_1} f^{e_2}$ can be computed using the


5.5 Signature Denial Protocol

A signature denial protocol allows $P$ to convince $V$ of the fact that an invalid signature is indeed invalid. However, $P$ cannot make $V$ believe that a valid signature is invalid except with a very small probability. In the denial protocol, the common inputs to $P$ and $V$ include two constants $c_1$ and $c_2$, the message $m$, the group public key, and the alleged signature $S$. The secret input to $P$ is the group secret key.

We first present how P can make V reject an invalid signature S. V starts by checking S0 and S1. If either is incorrect, then V recognizes that S is invalid. Otherwise, P and V repeat the following steps c2 times.

1. $V \longrightarrow P : A_1, A_2$. $V$ chooses $e_1 \in_R Z_{c_1}$, $e_2 \in_R Z_n$ and computes $A_1 = (Z_1 Z_2)^{e_1} f^{e_2}$, $A_2 = S_2^{e_1} S_f^{e_2}$.

2. $P \longrightarrow V : B$. $P$ finds $e_1$ such that $A_1 / A_2^e = (Z_1 Z_2 / S_2^e)^{e_1}$ and computes $B = e_1$.

3. $V$ checks whether $B = e_1$. If the equality holds, then $V$ is convinced that $S$ is invalid.

If $V$ is convinced of $S$'s invalidity $c_2$ times, $S$ is rejected for invalidity. It is noteworthy that $P$ performs at most $c_1 c_2$ operations to find the correct $e_1$'s.

The following theorem says that $P$ can convince $V$ of the fact that an invalid signature is indeed invalid.

Theorem 5.3. If $S$ is not a valid group undeniable signature, then a verifier will accept $S$ as an invalid signature for $m$.

Proof. If $S_0$ or $S_1$ is incorrect, a verifier will recognize $S$ as an invalid signature. Suppose $S_0$ and $S_1$ are both correct. Because $S$ is generated without a valid signing key, $S_2 \neq (Z_1 Z_2)^d$ and therefore $S_2^e \neq Z_1 Z_2$. As $A_1 / A_2^e = (Z_1 Z_2 / S_2^e)^{e_1}$, $P$ can always find the required $e_1$. This implies that $V$ will reject $S$ for invalidity.

Next we prove that P cannot fool V into accepting a valid signature as an invalid signature except with a small probability.

Theorem 5.4. If $S$ is a valid group undeniable signature, then a verifier will accept $S$ as an invalid signature for $m$ with probability $1/c_1^{c_2}$.

Proof. Because $S$ is valid, $S_0$ and $S_1$ are correct and $S_2 = (Z_1 Z_2)^d$. Therefore $S_2^e = Z_1 Z_2$. We have $A_1 / A_2^e = (Z_1 Z_2 / S_2^e)^{e_1} = 1$. In this case $P$ can only randomly choose $e_1$ from $Z_{c_1}$. Consequently, $V$ will accept $S$ as an invalid signature for $m$ with probability $1/c_1^{c_2}$.

To illustrate this protocol clearly, we omit the zero-knowledge part. Applying a commitment scheme, we can make the protocol zero-knowledge by modifying Step 2 as follows: $P$ commits $B$ to $V$ such that $V$ cannot learn what $B$ is unless $V$ sends the correct $e_2$ to $P$. The correct $e_2$ means that $e_2$ satisfies $A_1 = (Z_1 Z_2)^{e_1} f^{e_2}$ and $A_2 = S_2^{e_1} S_f^{e_2}$, where $e_1$ is the value found by $P$. This can be checked by $P$. Because the correct $e_2$ ensures that $P$ and $V$ have the same $e_1$, $P$ reveals no extra information to $V$. Accordingly, the whole protocol is zero-knowledge.

5.6 Open

Given a valid signature $S$, the group manager can compute $z = A_1 A_2^{-(\rho^{-1} \bmod n)}$. The signer with the membership key $z$ can be traced directly. We notice that $z$ is an ElGamal decryption of $(A_1, A_2)$ with respect to the secret key $\rho^{-1} \bmod n$.

6 Security Analysis

Exculpability. Because the discrete logarithm problem is intractable, neither the group manager nor a group member can compute the secret key $y$ of another group member. Thus, it is infeasible to frame another member.

Unforgeability. Recall that any valid signature $S$ must contain correct $S_0$, $S_1$, and $S_2$. Considering $S_2$, an attacker must obtain $S_2 = \xi^d$, where $\xi = \xi_1 \xi_2$ with $\xi_1 = \hat{g}^y$ and $\xi_2 Z_0 = \hat{g}^{v^{e_R}}$. Using adaptive chosen message attacks, the attacker can compute many $(\xi, \xi^d)$'s with random $\xi$'s, but he cannot learn $d$. From a random $\xi$, the two values $\xi_1$ and $\xi_2$ must be computed such that $S_0$ and $S_1$ are correct. Here $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \hat{g} = g^{\beta} \wedge Z_0 = S_g^{\beta} \wedge \xi_1 = \hat{g}^{\alpha} \wedge A_1 = g^{\alpha} u^{\beta} \wedge A_2 = t^{\beta}](m)$ and $S_1 = \mathrm{SKRDL}[\gamma : \xi_2 Z_0 = \hat{g}^{\gamma^{e_R}}](m)$. Next we show that the attacker cannot simultaneously obtain correct $S_0$, $S_1$ and $S_2$. Note that the attacker cannot compute $S_0$ and $S_1$ without knowing $\alpha$ and $\gamma$, respectively. Now, to obtain $S_0$ from a $(\xi, \xi^d)$, the attacker chooses $y$ and has $\xi_1 = \hat{g}^y$. So $\xi_2 = \xi \xi_1^{-1}$. Assume $\xi_2 = \hat{g}^c$. Because the value $v = (c + b)^{d_R} \bmod n$ satisfying $\xi_2 Z_0 = \hat{g}^{v^{e_R}}$ cannot be obtained, $S_1$ is existentially unforgeable against adaptive chosen message attacks. Consequently, we have the following theorem.

Theorem 6.1. Our signature scheme is existentially unforgeable against adaptive chosen message attacks.


Unlinkability, Anonymity, Non-transferability. These properties hold if the signatures are simulatable. The signatures can be simulated as follows. Let $S = (\hat{g}, Z_0, Z_1, Z_2, A_1, A_2, S_0, S_1, S_2)$ be a valid signature. Assume the signer's membership key $z$ equals $u^{r_z}$ for some $r_z \in Z_n^*$. So $A_1 = u^{r_z + r}$. To generate an indistinguishable signature $\tilde{S}$, the simulator randomly chooses $\bar{r}, \tilde{r}, \tilde{y}, \tilde{c}, \tilde{d}$, and then computes $\tilde{g} = g^{\tilde{r}}$, $\tilde{Z}_0 = S_g^{\tilde{r}}$, $\tilde{Z}_1 = \tilde{g}^{\tilde{y}}$, $\tilde{Z}_2 = \tilde{g}^{\tilde{c}}$, $\tilde{A}_1 = u^{\bar{r}}$, $\tilde{A}_2 = t^{\tilde{r}}$, $\tilde{S}_2 = (\tilde{Z}_1 \tilde{Z}_2)^{\tilde{d}}$. Obviously, $\tilde{g}$, $\tilde{Z}_0$, $\tilde{A}_1$, and $\tilde{A}_2$ are indistinguishable from $\hat{g}$, $Z_0$, $A_1$, and $A_2$, respectively. Because the EDL problem is intractable, $\tilde{Z}_1$, $\tilde{Z}_2$ and $\tilde{S}_2$ are indistinguishable from $Z_1$, $Z_2$, and $S_2$, respectively. In addition, $S_0$ and $S_1$ are simulatable in the random oracle model. Consequently, the whole signature is simulatable. Hence, the following theorem holds.

Theorem 6.2. Our signature scheme is signature-simulatable. Thus the properties of unlinkability, anonymity, and non-transferability hold.

Coalition-resistance. We next show that a colluding subset of group members cannot generate a valid signature that cannot be traced by the group manager. A valid signature $S$ must contain correct $S_0$, $S_1$, and $S_2$. To generate $S_2$, the colluding members must obtain $S_2 = \xi^d$, where $\xi = \xi_1 \xi_2$ with $\xi_1 = \hat{g}^y$ and $\xi_2 Z_0 = \hat{g}^{v^{e_R}}$. Note that the colluding members cannot derive $d$ even using their signing keys. In addition, the two values $\xi_1$ and $\xi_2$ must be computed such that $S_0$ and $S_1$ are correct. Here $S_0 = \mathrm{SKREP}[(\alpha, \beta) : \hat{g} = g^{\beta} \wedge Z_0 = S_g^{\beta} \wedge \xi_1 = \hat{g}^{\alpha} \wedge A_1 = g^{\alpha} u^{\beta} \wedge A_2 = t^{\beta}](m)$ and $S_1 = \mathrm{SKRDL}[\gamma : \xi_2 Z_0 = \hat{g}^{\gamma^{e_R}}](m)$. We now show that the colluding members cannot simultaneously obtain correct $S_0$, $S_1$, and $S_2$. We know that the colluding members cannot compute $S_0$ and $S_1$ without knowing $\alpha$ and $\gamma$, respectively. Now, to generate an untraceable signature with correct $S_0$, $S_1$, and $S_2$, the colluding members must choose $y$ and $c$ such that $(\hat{g}^{y+c})^d$ and $v = (c + b)^{d_R}$ can be computed. Note that $\xi_1 = \hat{g}^y$, $\xi_2 = \hat{g}^c$, and $\xi = \xi_1 \xi_2 = \hat{g}^{y+c}$. However, the colluding members have no ability to obtain such a $c$ by the following argument. Suppose a group member $i$ has the signing key $(y_i, x_i = g^{c_i}, v_i = (c_i + b)^{d_R}, w_i)$. Because the colluding members cannot compute any $c_i$, solving for $b$ is infeasible. Thus $c'$ cannot be derived from $(c' + b)$, where $(c' + b)$ is any value that ensures $(c' + b)^{d_R}$ can be computed by the colluding members. As a result, the colluding members cannot compute $(\hat{g}^{y+c})^d$ and $v = (c + b)^{d_R}$ simultaneously. Hence, the following theorem holds.

Theorem 6.3. Our signature scheme is coalition-resistant.

7 Conclusions

In this paper, we employ signatures of knowledge and well-known undeniable signature techniques to construct a group undeniable signature scheme. Under reasonable number-theoretic complexity assumptions and the random oracle model, the group undeniable signature scheme is proven to be unforgeable, unlinkable, anonymous, non-transferable, and exculpable. The signature confirmation and denial protocols are zero-knowledge. Even a colluding subset of group members cannot generate valid signatures that cannot be traced.

References:

[1] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proc. 1st ACM Conference on Computer and Communications Security, pp. 62–73, 1993.

[2] J. Camenisch and M. Stadler. Efficient group signature schemes for large groups (extended abstract). In Advances in Cryptology—CRYPTO '97, pp. 410–424, 1997.

[3] D. Chaum. Zero-knowledge undeniable signatures (extended abstract). In Advances in Cryptology—EUROCRYPT '90, pp. 458–464, 1990.

[4] D. Chaum and H. van Antwerpen. Undeniable signatures. In Advances in Cryptology—CRYPTO '89, pp. 212–216, 1989.

[5] D. Chaum and E. van Heyst. Group signatures. In Advances in Cryptology—EUROCRYPT '91, pp. 257–265, 1991.

[6] D. Pointcheval and J. Stern. Security arguments for digital signatures and blind signatures. Journal of
