## Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions (2003)

### Cached

### Download Links

- [www.cs.ucsd.edu]
- [www-cse.ucsd.edu]
- [www.cs.ucsd.edu]
- [www.cs.ucsd.edu]
- [www.cs.ucsd.edu]
- [www-cse.ucsd.edu]
- [cseweb.ucsd.edu]
- [charlotte.ucsd.edu]
- [cseweb.ucsd.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 129 - 6 self |

### BibTeX

@MISC{Bellare03foundationsof,

author = {Mihir Bellare and Daniele Micciancio and Bogdan Warinschi},

title = {Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions},

year = {2003}

}

### Years of Citing Articles

### OpenURL

### Abstract

This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereby unifying and simplifying the requirements for this primitive. Finally we prove the existence of a construct meeting our definitions based only on the assumption that trapdoor permutations exist.

### Citations

1174 |
Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ... work is acknowledged and manifest. A classical example is public-key encryption. Although it might seem like an intuitive goal, much work has been required to formally define and provably achieve it =-=[20, 22, 19, 23, 26, 17]-=-, and these advances now serve as the basis for new schemes and applications. This paper provides such foundations for the group signatures primitive. 1.1 Background In the group signature setting int... |

832 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
(Show Context)
Citation Context ...quirements are enough, in the sense that all the other requirements are implied by them. Our formalisms build on definitional ideas used for encryption [20, 22, 19, 23, 26, 17] and digital signatures =-=[21]-=-. Full-anonymity. We adopt an indistinguishability based formalization under which the adversary produces a message and a pair of group-member identities, is returned a target signature of the given m... |

492 |
Undeniable Signatures
- Chaum, Antwerpen
- 1989
(Show Context)
Citation Context ...as the basis for new schemes and applications. This paper provides such foundations for the group signatures primitive. 1.1 Background In the group signature setting introduced by Chaum and Van Heyst =-=[14]-=- there is a group having numerous members and a single manager. Associated to the group is a single signature-verification key gpk called the group public key. Each group member i has its own secret s... |

448 | Nonmalleable cryptography
- Dolev, Dwork, et al.
- 2006
(Show Context)
Citation Context ... work is acknowledged and manifest. A classical example is public-key encryption. Although it might seem like an intuitive goal, much work has been required to formally define and provably achieve it =-=[20, 22, 19, 23, 26, 17]-=-, and these advances now serve as the basis for new schemes and applications. This paper provides such foundations for the group signatures primitive. 1.1 Background In the group signature setting int... |

339 |
Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack
- Rackoff, Simon
- 1992
(Show Context)
Citation Context ... work is acknowledged and manifest. A classical example is public-key encryption. Although it might seem like an intuitive goal, much work has been required to formally define and provably achieve it =-=[20, 22, 19, 23, 26, 17]-=-, and these advances now serve as the basis for new schemes and applications. This paper provides such foundations for the group signatures primitive. 1.1 Background In the group signature setting int... |

264 | Efficient group signature schemes for large groups
- Camenisch, Stadler
(Show Context)
Citation Context ...1.5 Related work As indicated above, the notion of group signature was introduced by Chaum and Heyst in [14]. They also gave the first schemes. Since then, many other schemes were proposed, including =-=[15, 11, 25, 13, 4]-=-. These schemes improve on the performance of the original group signature scheme of [14], but leave open some important security issues, most notably security against coalitions of group members. The... |

249 | Public-key cryptosystems provably secure against chosen ciphertext attacks
- Naor, Yung
- 1990
(Show Context)
Citation Context |

238 | A practical and provably secure coalition-resistant group signature scheme
- Ateniese, Camenisch, et al.
(Show Context)
Citation Context ...zed, overlapping requirements whose precise meaning, and relation to each other, is neither always clear nor even always agreed upon in the existing literature. The state of the art is represented by =-=[5, 2]-=- that identify weaknesses in previous works and present new schemes. The schemes in [2] are claimed to be proven-secure (in the random oracle model). However, while the work in question establishes ce... |

197 | One-way functions are necessary and sufficient for secure signatures - Rompel - 1990 |

175 | A forward-secure digital signature scheme
- Bellare, Miner
- 1999
(Show Context)
Citation Context ...s of the group, to support membership revocation, and independent generation of group member keys. Still another extension is that of [29], that combines group signature schemes with forward security =-=[1, 7]-=-. The definitions and results of this paper are for the setting in which the group is static, meaning the number and identities of members is decided at the time the group is set up and new members ca... |

165 |
Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999
(Show Context)
Citation Context ...on-sound Non-interactive zero knowledge proof systems. The last building block we need are simulation-sound NIZK proofs of membership in NP languages. The following presentation is along the lines of =-=[18, 28]-=-. An NP-relation over domain Dom ⊆{0,1} ∗ is a subset ρ of {0, 1} ∗ ×{0,1} ∗ such that membership of (x, w) ∈ ρ is decidable in time polynomial in the length of the first argument for all x in domain ... |

154 | Non-Malleable Non-Interactive Zero Knowledge and Adaptive ChosenCiphertext Security. FOCS ’99. Definitions for Non-Malleable NIZK For completeness, we include relevant definitions from [6]. Definition 4
- Sahai
(Show Context)
Citation Context ...c encryption scheme, known to exist given trapdoor permutations via [17]; simulation-sound adaptive non-interactive zero-knowledge (NIZK) proofs for NP, known to exist given trapdoor permutations via =-=[18, 28]-=-; and a digital signature scheme secure against chosen-message attack, known to exist given trapdoor permutations via [6]. As often the case with constructs based on general assumptions, our scheme is... |

86 | Foundations of group signatures: The case of dynamic groups
- Bellare, Shi, et al.
- 2005
(Show Context)
Citation Context ...ssues. Section 5 discusses dynamic groups and other extensions. Providing formal definitions of security and provably-secure constructions for dynamic group signatures is the subject of on-going work =-=[8]-=-. 2 Definitions of the security of group signature schemes Notation and terminology. If x is a string, then |x| denotes its length, while if S is a set then |S| denotes its size. The empty string is d... |

84 |
A group signature scheme with improved efficiency
- Camenisch, Michels
- 1998
(Show Context)
Citation Context ...lition attack on the scheme of [13] is also described. A subsequent work trying to address the issue of securing group signature schemes against coalition attacks is [2]. On a separate research line, =-=[10, 3, 12]-=- investigate issues related to the dynamics of the group, to support membership revocation, and independent generation of group member keys. Still another extension is that of [29], that combines grou... |

82 |
The Notion of Security for Probabilistic Cryptosystems
- Micali, Rackoff, et al.
- 1988
(Show Context)
Citation Context |

73 | A Uniform Complexity Treatment of Encryption and Zero-Knowledge - Goldreich - 1993 |

70 | Efficient and generalized group signatures
- Camenisch
- 1997
(Show Context)
Citation Context ...1.5 Related work As indicated above, the notion of group signature was introduced by Chaum and Heyst in [14]. They also gave the first schemes. Since then, many other schemes were proposed, including =-=[15, 11, 25, 13, 4]-=-. These schemes improve on the performance of the original group signature scheme of [14], but leave open some important security issues, most notably security against coalitions of group members. The... |

61 |
New group signature schemes
- Chen, Pedersen
- 1994
(Show Context)
Citation Context ...ity). Since [14], more requirements, that refine or augment the core ones, have been introduced (eg. unlinkability, unforgeability, collusion resistance [5], exculpability [5], and framing resistance =-=[15]-=-) so that now we have a large set of unformalized, overlapping requirements whose precise meaning, and relation to each other, is neither always clear nor even always agreed upon in the existing liter... |

56 |
Non-interactive zero-knowledge proof systems
- Santis, Micali, et al.
(Show Context)
Citation Context ...r a pair of polynomial time algorithms (P, V ), where P is randomized and V is deterministic. They have access to a common reference string, R. Wesaythat(P, V )formanon-interactive proof system for ρ =-=[18, 9]-=- over domain Dom if there exists a polynomial p such that the following two conditions are satisfied: 1. Completeness: ∀k ∈ N, ∀(x, w) ∈ ρ with |x| ≤kand x ∈ Dom– � Pr R $ ←{0,1} p(k) ;π $ � ←P(k, x, ... |

39 | Practical forward secure group signature schemes
- Song
- 2001
(Show Context)
Citation Context ...f each time period, each user updates his key using an update algorithm gsk j+1[i] =GUpd(gsk j[i]). Although the forward security requirement for group signature schemes was already considered before =-=[29]-=-, that definition has a serious security flaw: [29] only requires that no adversary, given gsk t[i], can efficiently recover gsk j[i] for any j<t. This is not enough. 2 We define forward secure group ... |

33 | How to sign given any trapdoor permutation
- Bellare, Micali
- 1992
(Show Context)
Citation Context ...edge (NIZK) proofs for NP, known to exist given trapdoor permutations via [18, 28]; and a digital signature scheme secure against chosen-message attack, known to exist given trapdoor permutations via =-=[6]-=-. As often the case with constructs based on general assumptions, our scheme is polynomial-time but not practical, and our result should be regarded as a plausibility one only. The basic framework of ... |

32 | How to convert any digital signature scheme into a group signature scheme,” in Security Protocols
- Petersen
- 1998
(Show Context)
Citation Context ...1.5 Related work As indicated above, the notion of group signature was introduced by Chaum and Heyst in [14]. They also gave the first schemes. Since then, many other schemes were proposed, including =-=[15, 11, 25, 13, 4]-=-. These schemes improve on the performance of the original group signature scheme of [14], but leave open some important security issues, most notably security against coalitions of group members. The... |

30 | Efficient revocation in group signatures
- Bresson, Stern
- 1992
(Show Context)
Citation Context ...lition attack on the scheme of [13] is also described. A subsequent work trying to address the issue of securing group signature schemes against coalition attacks is [2]. On a separate research line, =-=[10, 3, 12]-=- investigate issues related to the dynamics of the group, to support membership revocation, and independent generation of group member keys. Still another extension is that of [29], that combines grou... |

18 | Group signature a la carte
- ATENIESE, TSUDIK
- 1999
(Show Context)
Citation Context |

15 |
Some open issues and directions in group signatures
- Ateniese, Tsudik
- 1999
(Show Context)
Citation Context ...ntity of the group member who created σ (anonymity). Since [14], more requirements, that refine or augment the core ones, have been introduced (eg. unlinkability, unforgeability, collusion resistance =-=[5]-=-, exculpability [5], and framing resistance [15]) so that now we have a large set of unformalized, overlapping requirements whose precise meaning, and relation to each other, is neither always clear n... |

6 |
Cryptograpic applications of the non-interactive metaproof and many-prover systems
- Santis, Yung
- 1991
(Show Context)
Citation Context ..., and then produces a simulated proof for the validity of x with respect to R. This two phase behavior is not required explicitly in the definitions of [18, 9] but has been highlighted for example in =-=[16]-=-. The construction of [18] does have this property, and it is noted and used in other places too. Zero-knowledge is defined by means of a distinguisher D which essentially tries to distinguish between... |

2 | Quasi-efficient revocation in group signature schemes. Available at http://eprint.iacr.org/2001/101.pdf - Ateniese, Tsudik |

1 |
of Standards and Technology. Dictionary of algorithms and data structures. http://www.nist.gov/dads
- I
(Show Context)
Citation Context ... this section we discuss various extensions of the basic definition, including schemes where the group is dynamic. i.e., members can join and leave the group over time. Following standard terminology =-=[24]-=- we refer to these groups as partially or fully dynamic. Partially dynamic groups. These are groups supporting either join (incremental) or leave (decremental) operation. Here we concentrate on increm... |