## Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings (2004)

Venue: In ASIACRYPT 2004, volume 3329 of LNCS

Citations: 21 - 1 self

### BibTeX

@INPROCEEDINGS{Nguyen04efficientand,
    author = {Lan Nguyen and Rei Safavi-Naini},
    title = {Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings},
    booktitle = {In ASIACRYPT 2004, volume 3329 of LNCS},
    year = {2004},
    pages = {372--386},
    publisher = {Springer-Verlag}
}

### Abstract

We propose a group signature scheme with constant-size public key and signature length that does not require trapdoor. So system parameters can be shared by multiple groups belonging to different organizations. The scheme is provably secure in the formal model recently proposed by Bellare, Shi and Zhang (BSZ04), using random oracle model, Decisional Bilinear Diffie-Hellman and Strong Diffie-Hellman assumptions. We give a more efficient variant scheme and prove its security in a formal model which is a modification of BSZ04 model and has a weaker anonymity requirement. Both schemes are very efficient and the sizes of signatures are approximately one half and one third, respectively, of the sizes of the well-known ACJT00 scheme. We also use the schemes to construct a traceable signature scheme.

### Citations

831 | How to prove yourself: Practical solutions to identification and signature problems - Fiat, Shamir - 1986 |

559 | Short signatures from the Weil pairing - Lynn, Shacham - 2001 |

Citation Context ...e group or a Jacobian of a hyperelliptic curve over a finite field of order $p$. $G_M$ is a subgroup of a finite field of size approximately $2^{1024}$. A possible choice for these parameters can be found in [8], where $G_1$ is derived from the curve $E/GF(3^{\iota})$ defined by $y^2 = x^3 - x + 1$. We assume that system parameters in ACJT00 scheme are $\epsilon = 1.1$, $l_p = 512$, $k = 160$, $\lambda_1 = 838$, $\lambda_2 = 600$, $\gamma_1 = 1102$ and $\gamma_2 =$ ...

280 | Security arguments for digital signatures and blind signatures - Pointcheval, Stern |

266 | Short signatures without random oracles - Boneh, Boyen |

Citation Context ...ial-bound. The q-SDH assumption originates from a weaker assumption introduced by Mitsunari et al. [24] to construct traitor tracing schemes [28] and later used by Zhang et al. [30] and Boneh et al. [5] to construct short signatures. It intuitively means that there is no PPT algorithm that can compute a pair $(c, \frac{1}{x+c}P)$, where $c \in \mathbb{Z}_p$, from a tuple $(P, xP, \ldots, x^q P)$, where $x \in_R \mathbb{Z}_p^*$. q-Strong D...

264 | Efficient group signature schemes for large groups - Camenisch, Stadler |

Citation Context ...e size of the group and so the schemes were impractical for large groups. Schemes with fixed size group public key and signatures length have been first proposed in [13] and later extended in [12, 1, 2]. In Crypto 2000, Ateniese et al. (ACJT00) [1] proposed an efficient group signature scheme with very short length and low computation cost. This scheme is also the on...

238 | A practical and provably secure coalition-resistant group signature scheme - Ateniese, Camenisch, et al. |

Citation Context ... signatures are among the most important cryptographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for ...

186 | Signature schemes and anonymous credentials from bilinear maps - Camenisch, Lysyanskaya - 2004 |

Citation Context ...ired, in comparison with the BSZ04 model. They also showed how to construct an extension, which provides Non-frameability (exculpability). Based on the LRSW assumption [22], Camenisch and Lysyanskaya [11] proposed a group signature scheme (CL04) derived from a signature scheme which allows an efficient zero-knowledge proof of the knowledge of a signature on a committed message, and used it to construc...

168 | Dynamic accumulators and application to efficient revocation of anonymous credentials - Camenisch, Lysyanskaya |

141 | Efficient selective-id secure identity-based encryption without random oracles - Boneh, Boyen - 2004 |

Citation Context ...n $\mathrm{Adv}^{q\text{-SDH}}_{A}(l)$ is negligible. $\mathrm{Adv}^{q\text{-SDH}}_{A}(l) = \Pr[(A(t, P, xP, \ldots, x^q P) = (c, \frac{1}{x+c}P)) \wedge (c \in \mathbb{Z}_p)]$ where $t = (p, G_1, G_M, e, P) \leftarrow G(1^l)$ and $x \leftarrow \mathbb{Z}_p^*$. Intuitively, the DBDH assumption [6] states that there is no PPT algorithm that can distinguish between a tuple $(aP, bP, cP, e(P, P)^{abc})$ and a tuple $(aP, bP, cP, \Gamma)$, where $\Gamma \in_R G_M^*$ (i.e., chosen uniformly random from $G_M^*$) and . It...

129 | Foundations of group signatures: formal definitions, simplified requirements and a construction based on general assumptions - Bellare, Micciancio, et al. - 2003 |

117 | Pseudonym systems - Lysyanskaya, Rivest, et al. - 1999 |

Citation Context ...rameability property is not required, in comparison with the BSZ04 model. They also showed how to construct an extension, which provides Non-frameability (exculpability). Based on the LRSW assumption [22], Camenisch and Lysyanskaya [11] proposed a group signature scheme (CL04) derived from a signature scheme which allows an efficient zero-knowledge proof of the knowledge of a signature on a committed ...

113 | Foundations of Cryptography: Basic Applications - Goldreich - 2004 |

86 | Foundations of group signatures: The case of dynamic groups - Bellare, Shi, et al. - 2005 |

Citation Context ...ments, and is given in the generic model [3]. Security of a group signature scheme has been traditionally proved by showing that it satisfies a list of informally defined requirements. Bellare et al. [4] gave a formal security model (BSZ04) for (partially) dynamic groups with four security requirements (Correctness, Anonymity, Traceability and Non-frameability). The model uses various oracles includi...

84 | A group signature scheme with improved efficiency - Camenisch, Michels - 1998 |

Citation Context ...the schemes were impractical for large groups. Schemes with fixed size group public key and signatures length have been first proposed in [13] and later extended in [12, 1, 2]. In Crypto 2000, Ateniese et al. (ACJT00) [1] proposed an efficient group signature scheme with very short length and low computation cost. This scheme is also the only scheme that has been proved to...

72 | Identity escrow - Kilian, Petrank - 1998 |

70 | Efficient and generalized group signatures - Camenisch - 1997 |

Citation Context ...duced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for protecting user privacy. In early group signature schemes [9, 14, 15] the size of the public key and the signature grew with the size of the group and so the schemes were impractical for large groups. Schemes with fixed size group public key and signatures...

69 | A new traitor tracing - Mitsunari, Sakai, et al. - 2002 |

Citation Context ...r $\alpha_0$ such that for every positive integer $l$, it holds that $f(l) < l^{\alpha_0}$, then $f$ is said to be polynomial-bound. The q-SDH assumption originates from a weaker assumption introduced by Mitsunari et al. [24] to construct traitor tracing schemes [28] and later used by Zhang et al. [30] and Boneh et al. [5] to construct short signatures. It intuitively means that there is no PPT algorithm that can compute ...

61 | New group signature schemes - Chen, Pedersen - 1994 |

Citation Context ...duced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for protecting user privacy. In early group signature schemes [9, 14, 15] the size of the public key and the signature grew with the size of the group and so the schemes were impractical for large groups. Schemes with fixed size group public key and signatures...

56 | An efficient signature scheme from bilinear pairings and its applications - Zhang, Safavi-Naini, et al. - 2004 |

Citation Context ... is said to be polynomial-bound. The q-SDH assumption originates from a weaker assumption introduced by Mitsunari et al. [24] to construct traitor tracing schemes [28] and later used by Zhang et al. [30] and Boneh et al. [5] to construct short signatures. It intuitively means that there is no PPT algorithm that can compute a pair $(c, \frac{1}{x+c}P)$, where $c \in \mathbb{Z}_p$, from a tuple $(P, xP, \ldots, x^q P)$, where ...

50 | Traceable signatures - Kiayias, Tsiounis, et al. |

Citation Context ...ographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for protecting user privacy. In early group signatu...

49 | Accumulators from bilinear pairings and applications - Nguyen - 2005 |

Citation Context ... in ACJT00 scheme. For higher security levels this ratio will be smaller. Our schemes can be converted into identity escrow systems or extended to support efficient membership revocation, as shown in [26]. The schemes are trapdoor-free. The only other trap-door free scheme is the AdM03 scheme, which uses a trapdoor in the initialisation of the system and assumes that the initialising party “safely for...

33 | Threshold cryptosystems secure against chosen-ciphertext attacks - Fouque, Pointcheval - 2001 |

Citation Context ...A) in the random oracle model. Due to space limitation, we only provide description of El GamalBP 2 . This is the bilinear pairing version of the scheme presented and proved by Fouque and Pointcheval [17]. Description of El GamalBP 1 can be found in the full version of this paper [25]. Key generation: Let $p$, $G_1$, $G_M$, $e$ be bilinear pairing parameters, as defined above, and $G$ be a generator of $G_1$. Suppos...

28 | Efficient group signatures without trapdoors - Ateniese, Medeiros |

Citation Context ...and the opener can frame a group member. Group signatures are among the most important cryptographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with adde...

28 | A practical group signature - PARK, LEE, et al. - 1995 |

Citation Context ...ame a group member. Group signatures are among the most important cryptographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with added properties allowing ...

19 | On the Security of El Gamal based Encryption - Tsiounis, Yung - 1998 |

Citation Context ...roof of knowledge of the plaintext can provide IND-CCA. This combination has been proved to provide IND-CCA in the random oracle model, but the proof has required either another very strong assumption [29] or is in generic model [27]. In ACJT00 and GS2 signatures, the identity-bound information is encrypted by variations of El Gamal encryption and the other part of the signatures proves knowledge of the...

17 | Group Signatures: Provable Secure, Efficient Constructions and Anonymity from Trapdoor Holders. http://eprint.iacr.org/2004/076.ps - Kiayias |

Citation Context ... ACJT00 scheme although satisfies the conventional list of requirements but cannot be proved secure in the formal model mainly because of the inclusion of the Open oracle in the model. Kiayias et al. [19] proposed an extension (KY04 scheme) of ACJT00 scheme that is proved secure in their formal model. A new direction in constructing group signature schemes is to use bilinear pairings to shorten the le...

13 | Extracting group signatures from traitor tracing schemes - Kiayias, Yung - 2003 |

11 | New Traitor Tracing Schemes Using Bilinear Map - T, Safavi-Naini, et al. |

Citation Context ...l, it holds that $f(l) < l^{\alpha_0}$, then $f$ is said to be polynomial-bound. The q-SDH assumption originates from a weaker assumption introduced by Mitsunari et al. [24] to construct traitor tracing schemes [28] and later used by Zhang et al. [30] and Boneh et al. [5] to construct short signatures. It intuitively means that there is no PPT algorithm that can compute a pair $(c, \frac{1}{x+c}P)$, where $c \in \mathbb{Z}_p$, from a...

5 | A provably secure Nyberg-Rueppel signature variant with applications. Cryptology ePrint Archive, Report 2004/93 - Ateniese, Medeiros - 2004 |

Citation Context ... one satisfying the equation. This is a computationally expensive process. The security proof (corrected version) is for the informal list of security requirements, and is given in the generic model [3]. Security of a group signature scheme has been traditionally proved by showing that it satisfies a list of informally defined requirements. Bellare et al. [4] gave a formal security model (BSZ04) for...

5 | Comments on some group signature schemes - Michels - 1996 |

Citation Context ... most important cryptographic primitives for providing privacy and have been used for applications such as anonymous credentials [2], identity escrow [21], voting and bidding [1], and electronic cash [23]. Kiayias et al. [18] also introduced the traceable signature primitive, which is basically the group signature system with added properties allowing a variety of levels for protecting user privacy. I...

5 | Security of signed El Gamal encryption - Schnorr, Jakobsson - 1976 |

Citation Context ...intext can provide IND-CCA. This combination has been proved to provide IND-CCA in the random oracle model, but the proof has required either another very strong assumption [29] or is in generic model [27]. In ACJT00 and GS2 signatures, the identity-bound information is encrypted by variations of El Gamal encryption and the other part of the signatures proves knowledge of the information. The Open oracl...

1 | Short Group Signatures. CRYPTO 2004 - Boneh, Boyen, et al. |

1 | 2002. and Provably Secure Trapdoor-free Group Signature Schemes - E85-A, 481-484 - 1990 |