Cryptography Reference
In-Depth Information
O
CrptU
(
i
): this oracle gives the total control of the user
i
to the adversary. In
other words, the adversary obtains all the information related to this user
(secret keys, random values, ...). The member
i
is moved from
-
HU
to
CU
.
O
Reveal
(
i
): this oracle outputs the secret keys (
usk
[
i
]
,
gsk
[
i
]) of the member
i
.
-
-
O
SignU
(
i, m
): this oracle outputs the signature
σ
on
m
of the member
i
and
adds the tuple (
m, σ, i
)in
Set
(initially empty).
O
Open
(
m, σ
): this oracle outputs the identity of the user which produced
σ
.
-
O
Choose
b
(
m, i
0
,i
1
): if
i
0
or
i
1
have not been given as input to
O
CrptU
-
(i.e.
i
0
,i
1
/
), this oracle outputs the signature
σ
on the message
m
of the
member
i
b
(where
b
is a bit).
σ
cannot be given in input to the
∈HU
O
Open
oracle.
2.3 Some Group Signature Constructions
In this paper we focus on group signatures based on the use of pairings [3,17,14]
since they are relatively ecient (compared to standard model based group signa-
tures [22]) and does not need the manipulation of big integers (contrary to [1,7]).
The BBS scheme [3] only considers static group while others [17,14] are secure
in the dynamic case [2]. We here base our study on a variant of the XSGS pro-
tocol from [14], which one is described in Appendix A. In fact, our study is also
relevant for the scheme in [17] but we have chosen the XSGS one as it includes
a complete security study
1
. To prevent the use of the XDH assumption, which
may be seen as a too strong assumption, we adapt XSGS (as suggested in [14])
by replacing the El Gamal encryption scheme [18] by the Linear encryption [3],
at the cost of a slightly bigger group signature. In a nutshell, a user owns a group
secret key
gsk
and a certificate (
A, x
) such that (
x
+
gmsk
)
.A
=
G
1
+
gsk
.
Rpk
1
,
where
G
1
is a parameter,
Rpk
1
the opening manager public key, and
gmsk
is the
group manager secret key. To sign a message on behalf of the group, a member
produces a double encryption of
A
and a signature of knowledge of
m
which
must prove that the double encryption contains a part of a valid certificate (and
is thus linked to the group master secret key).
The main drawback of XSGS is that it needs one pairing evaluation, many
elliptic curve point multiplications and modular exponentiations (13 and 2 re-
spectively) to produce a group signature. But this is the case for many other
group signature schemes. In fact, this complexity places XSGS as one of the most
ecient group signature scheme which is today available. Our purpose in this
paper is now to propose a secure (see next section) and ecient (see Sections 4
and 5) cooperative version of XSGS.
3 Security of Cooperative Group Signatures
A cooperative group signature [27] allows a group member, with constrained
resources, to be helped by some powerful entity, called an intermediary, in the
1
In order to reach the full anonymity property described in [2], the proposal in [14]
uses the Naor-Yung methodology [30], and thus twice the same encryption scheme
with the same message together with a proof. The scheme in [17] does not totally
uses this method and the resulting security is not discussed in the paper.
Search WWH ::
Custom Search