Information Technology Reference
In-Depth Information
2.2 Group Signature Generation
Let
M
be the message to be signed by a member of
G
. We can assume that after
computing its hash value (by using, for example, a public hash function from
the SHA-2 family), we have
(
M
)=
m
. For signing
M
on behalf of the group
G
, a random and anonymous member of
G
is chosen, for example,
U
i
.Next,
U
i
does the following.
h
1.
U
i
generates a secret integer
λ
i
∈
Z
r
at random. This value must be gener-
ated each time a message is signed.
2.
U
i
determines his signature, (
F
i
,G
i
,H
i
), for
M
, computing the following
values:
⎫
⎬
C
i
α
λ
i
F
i
=
A
i
·
·
(mod
n
)
G
i
=
β
b
i
(
α
d
i
)
m
·
α
−λ
i
·
(mod
n
)
(6)
⎭
(
α
λ
i
)
H
i
=
h
3. Finally,
publishes the group signature for the message
M
:(
F, G, H
)=
(
F
i
,G
i
,H
i
).
T
Remark.
Nobody can impersonate the user
U
i
because he is the only one know-
ing the values
b
i
,d
i
,and
λ
i
.
2.3 Group Signature Verification
Let (
F, G, H
) be a group signature of
G
for the message
M
. In order to verify
this signature, any verifier knowing the public key of the group
G
,(
P, Q
), can
check that
Q
m
≡
P
·
F
·
G
(mod
n
)
.
(7)
The equation (7) can be immediately justified from expressions (4)-(6) as
follows:
C
i
α
λ
i
β
b
i
α
m·d
i
α
−λ
i
F
·
G
(mod
n
)
≡
A
i
·
·
·
·
·
(mod
n
)
β
b
i
C
i
α
m·d
i
=
A
i
·
·
·
Q
m
.
=
P
·
3 Properties of the New Scheme
The proposed scheme has the following properties:
1. All the operations involved in the different phases described in the previous
paragraphs can be eciently computed in polynomial time.
2. Despite
knows part of
U
i
's private key, it cannot forge the signature de-
termined by
U
i
as the signer has generated at random the value:
λ
i
. Never-
theless, it can generate a valid group signature.
3. The verifier is only able to test whether the signature was generated by a
member of the signer group and it is not able to ascertain the identity of the
actual signer.
T
Search WWH ::
Custom Search