## Short group signatures (2004)

Venue: In proceedings of CRYPTO ’04, LNCS series

Citations: 292 - 21 self

### BibTeX

    @INPROCEEDINGS{Boneh04shortgroup,
        author = {Dan Boneh and Xavier Boyen and Hovav Shacham},
        title = {Short group signatures},
        booktitle = {In proceedings of CRYPTO ’04, LNCS series},
        year = {2004},
        pages = {41--55},
        publisher = {Springer-Verlag}
    }

### Abstract

We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.

### Citations

884 | How to prove yourself: Practical solutions to identification and signature problems
- Fiat, Shamir

Citation Context ...rong-RSA counterparts. Our system is based on a new Zero-Knowledge Proof of Knowledge (ZKPK) of the solution to an SDH problem. We convert this ZKPK to a group signature via the Fiat-Shamir heuristic [16] and prove security in the random oracle model. Our security proofs use a variant of the security model for group signatures proposed by Bellare, Micciancio, and Warinschi [6]. Recently, Camenisch and...

622 | Efficient signature generation for smart cards
- Schnorr
- 1991

Citation Context ...ch that A x+# = g 1 . Such a pair satisfies e(A, w g_2^x) = e(g_1, g_2). We use a standard generalization of Schnorr's protocol for proving knowledge of discrete logarithm in a group of prime order [27]. Protocol 1. Alice, the prover, selects exponents #, # R # Z p , and computes a Linear encryption of A: T 1 # u # T 2 # v # T 3 # Ah #+# . (1) She also computes two helper values # 1 # x# and # 2 # x...

597 | Short signature from the Weil pairing
- Boneh, Lynn, et al.
- 2001

Citation Context ...of Camenisch and Lysyanskaya [12]. In Section 7 we briefly sketch how to add strong exculpability. 2 Bilinear Groups We first review a few concepts related to bilinear maps. We follow the notation of [9]: 1. G_1 and G_2 are two (multiplicative) cyclic groups of prime order p; 2. g_1 is a generator of G_1 and g_2 is a generator of G_2; 3. # is a computable isomorphism from G_2 to G_1, with #(g_2) =...

528 | Group signatures
- Chaum, van Heyst

Citation Context ... oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi. 1 Introduction Group signatures, introduced by Chaum and van Heyst [14], provide anonymity for signers. Any member of the group can sign messages, but the resulting signature keeps the identity of the signer secret. In some systems there is a third party that can trace t...

349 | Terra: A Virtual Machine-Based Platform for Trusted Computing
- Garfinkel, Pfaff, et al.
- 2003

300 | Security arguments for digital signatures and blind signatures
- Pointcheval, Stern
- 2000

Citation Context ...e challenge group signature # in constant time. If A runs in time t, B runs in time t + q H O(1). The following theorem proves full traceability of our system. The proof is based on the Forking Lemma [25]. Theorem 5.3. If SDH is (q, t # , # # )-hard on (G 1 , G 2 ), then the SDH group signature scheme is (t, q H , q S , n, #)-fully-traceable, where n = q - 1, # = 4n # 2# # q H + n/p, and t = #(1) t # ...

295 | Short signatures without random oracles
- Boneh, Boyen
- 2004

Citation Context ...th is under 200 bytes that offer approximately the same level of security as a regular RSA signature of the same length. The security of our scheme is based on the Strong Diffie-Hellman (SDH) assumption [8] in groups with a bilinear map. We also introduce a new assumption in bilinear groups, called the Linear assumption, described in Section 3.2. The SDH assumption was recently used by Boneh and Boyen t...

255 | A practical and provably secure coalition-resistant group signature scheme
- Ateniese, Camenisch, et al.

Citation Context ...Some systems support revocation [12, 4, 30, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumption introduced by Baric and Pfitzman [5]. In the last two years a number of projects have emerged that require the properties of group signatures. The first is the ...

233 | Lower bounds for discrete logarithms and related problems
- Shoup

Citation Context ...ecently used by Boneh and Boyen [8] to construct a short signature scheme without random oracles. To gain confidence in the assumption they prove that it holds in generic groups in the sense of Shoup [28]. The q-SDH assumption has similar properties to the Strong-RSA assumption [5]. We use these properties to construct our short group signature scheme. Mitsunari et al. [23] use a related assumption wh...

198 | Signature schemes and anonymous credentials from bilinear maps
- Camenisch, Lysyanskaya

Citation Context ...curity in the random oracle model. Our security proofs use a variant of the security model for group signatures proposed by Bellare, Micciancio, and Warinschi [6]. Recently, Camenisch and Lysyanskaya [13] proposed a signature scheme with efficient protocols for obtaining and proving knowledge of signatures on committed values. They then derive a group signature scheme using these protocols as building b...

175 | Dynamic accumulators and application to efficient revocation of anonymous credentials
- Camenisch, Lysyanskaya

Citation Context ...ignature keeps the identity of the signer secret. In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation [12, 4, 29, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assum...

172 | Collision-free accumulators and fail-stop signature schemes without trees
- Baric, Pfitzmann

Citation Context ...tively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumption introduced by Baric and Pfitzman [5]. In the last two years a number of projects have emerged that require the properties of group signatures. The first is the Trusted Computing effort [29] that, among other things, enables a desktop PC ...

133 | Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions
- Bellare, Micciancio, et al.
- 2003

Citation Context ...e Fiat-Shamir heuristic [16] and prove security in the random oracle model. Our security proofs use a variant of the security model for group signatures proposed by Bellare, Micciancio, and Warinschi [6]. Recently, Camenisch and Lysyanskaya [13] proposed a signature scheme with efficient protocols for obtaining and proving knowledge of signatures on committed values. They then derive a group signature ...

123 | Pseudonym systems
- Lysyanskaya, Rivest, et al.

Citation Context ...ing and proving knowledge of signatures on committed values. They then derive a group signature scheme using these protocols as building blocks. Their signature scheme is based on the LRSW assumption [22], which, like SDH, is a discrete-logarithm-type assumption. Their methodology can also be applied to the SDH assumption, yielding a different SDH-based group signature. The SDH group signature we const...

105 | New explicit condition of elliptic curve trace for FR-reduction
- Miyaji, Nakabayashi, et al.

Citation Context ...ld set G_1 = G_2. However, we allow for the more general case where G_1 #= G_2 so that our constructions can make use of certain families of nonsupersingular elliptic curves defined by Miyaji et al. [24]. In this paper we only use the fact that G_1 can be of size approximately 2^170, elements in G_1 are 171-bit strings, and that discrete log in G_1 is as hard as discrete log in Z # q where q is 1020...

97 | Foundations of Group Signatures: The Case of Dynamic Groups
- Bellare, Shi, et al.
- 2005

Citation Context ...the entity that issues user keys cannot forge signatures on behalf of users. Formalizations of strong exculpability have recently been proposed by Kiayias and Yung [21] and by Bellare, Shi, and Zhang [7]. To achieve this stronger property the system of Ateniese et al. [2] uses a protocol (called JOIN) to issue a key to a new user. At the end of the protocol, the key issuer does not know the full priv...

90 | Group signatures with verifier-local revocation
- Boneh, Shacham

Citation Context ...s to update their keys. Similar mechanisms were also considered by Ateniese et al. [4] and Kiayias et al. [20]. We refer to this as Verifier-Local Revocation (VLR) group signatures. Boneh and Shacham [10] show how to modify our group signature scheme to support this VLR revocation mechanism. Using this revocation mechanism, only a fragment of the user's private key is placed on the revocation list and...

74 | A new traitor tracing
- Mitsunari, Sakai, et al.

Citation Context ..., described in Section 3.2. The SDH assumption was recently used by Boneh and Boyen to construct short signatures without random oracles [8]. A closely related assumption was used by Mitsunari et al. [23] to construct a traitor-tracing system. The SDH assumption has similar properties to the Strong-RSA assumption. We use these properties to construct our short group signature scheme. Our results sugge...

60 | Quasi-efficient revocation of group signatures
- Ateniese, Song, et al.

Citation Context ...ignature keeps the identity of the signer secret. In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation [12, 4, 30, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumpti...

53 | Traceable signature
- Kiayias, Tsiounis, et al.
- 2004

Citation Context ...n messages are only sent to signature verifiers, so that there is no need for unrevoked signers to update their keys. Similar mechanisms were also considered by Ateniese et al. [4] and Kiayias et al. [20]. We refer to this as Verifier-Local Revocation (VLR) group signatures. Boneh and Shacham [10] show how to modify our group signature scheme to support this VLR revocation mechanism. Using this revoca...

48 | Supersingular abelian varieties in cryptology
- Rubin, Silverberg

Citation Context ...at discrete log in G_1 is as hard as discrete log in Z # q where q is 1020 bits. We will use these groups to construct short group signatures. We note that the bilinear groups of Rubin and Silverberg [26] can also be used. 2 We say that two groups (G_1, G_2) as above are a bilinear group pair if the group action in G_1 and G_2, the map #, and the bilinear map e are all efficiently computable. The iso...

34 | From identification to signatures via the Fiat-Shamir transform: Minimizing assumptions for security and forward-security
- Abdalla, An, et al.

Citation Context ...1 , T_2, T_3). 5 Short Group Signatures from SDH Armed with Theorem 4.1, we obtain from Protocol 1 a regular signature scheme secure in the random oracle model by applying the Fiat-Shamir heuristic [16, 1]. Signatures obtained from a proof of knowledge via the Fiat-Shamir heuristic are often called signatures of knowledge. The resulting signature scheme is, in fact, also a group signature scheme and we...

22 | Accumulating composites and improved group signing
- Tsudik, Xu
- 2003

Citation Context ...ignature keeps the identity of the signer secret. In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation [12, 4, 30, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumpti...

16 | Some open issues and directions in group signatures
- Ateniese, Tsudik
- 1999

Citation Context ... is placed on the revocation list and hence the limitation discussed in the previous paragraph is not an issue. 7 Exculpability In Bellare et al. [6], exculpability (introduced by Ateniese and Tsudik [3]) is informally defined as follows: No member of the group and not even the group manager --- the entity that is given the tracing key --- can produce signatures on behalf of other users. Thus, no use...

16 | Leak-free group signatures with immediate revocation
- Ding, Tsudik, et al.
- 2004

Citation Context ...ignature keeps the identity of the signer secret. In some systems there is a third party that can trace the signature, or undo its anonymity, using a special trapdoor. Some systems support revocation [12, 4, 30, 15] where group membership can be selectively disabled without affecting the signing ability of unrevoked members. Currently, the most efficient constructions [2, 12, 4] are based on the Strong-RSA assumpti...

12 | Easy Decision-Diffie-Hellman Groups
- Galbraith, Rotger

11 | An efficient protocol for anonymously providing assurance of the container of a private key
- Brickell
- 2003

Citation Context ... that, among other things, enables a desktop PC to prove to a remote party what software it is running via a process called attestation. Group signatures are needed for privacy-preserving attestation [11] [18, Sect. 2.2]. Perhaps an even more relevant project is the Vehicle Safety Communications (VSC) system from the Department of Transportation in the U.S. [19]. The system embeds short-range transmit...

4 | Dynamic accumulators and application to efficient revocation of anonymous credentials
- Camenisch, Lysyanskaya
- 2002

3 | Easy decision-Diffie-Hellman groups. Cryptology ePrint Archive, Report 2004/070
- Galbraith, Rotger
- 2004

Citation Context ...s defined over the ground field of the curve where as G_2 is defined over a low-degree extension). Supersingular curves do not have this property since DDH is known to be easy on all cyclic subgroups [17]. If one is willing to assume that for MNT curves the DDH assumption holds in G_1 then we can construct even shorter group signatures. If DDH holds in G_1 then ElGamal encryption is secure in G_1 and ...

3 | Group signatures: Efficient constructions and anonymity from trapdoor-holders. Cryptology ePrint Archive, Report 2004/076, 2004. http://eprint.iacr.org
- Kiayias, Yung

Citation Context .... [2], where one requires that even the entity that issues user keys cannot forge signatures on behalf of users. Formalizations of strong exculpability have recently been proposed by Kiayias and Yung [20] and by Bellare, Shi, and Zhang [7]. To achieve this stronger property the system of Ateniese et al. [2] uses a protocol (called JOIN) to issue a key to a new user. At the end of the protocol, the key...

1 | Group signatures: Efficient constructions and anonymity from trapdoor-holders. Cryptology ePrint Archive, Report 2004/076
- Kiayias, Yung
- 2004

Citation Context .... [2], where one requires that even the entity that issues user keys cannot forge signatures on behalf of users. Formalizations of strong exculpability have recently been proposed by Kiayias and Yung [21] and by Bellare, Shi, and Zhang [7]. To achieve this stronger property the system of Ateniese et al. [2] uses a protocol (called JOIN) to issue a key to a new user. At the end of the protocol, the key...