Cryptography Reference
In-Depth Information
the secret key $gmsk \in_R \mathbb{Z}_q$ of the group manager GM and the associated public key $GMpk = gmsk \cdot G_2$;
the parameters of Paillier's encryption scheme [32] for ExtCommit;

The public parameters of the system are $PP = \{\lambda, q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, e, \psi, G_1, G_2, G, G, GMpk, Rpk_1, Rpk_2\}$.
- UserKeyGen($1^\lambda$): before a user, denoted $U_i$, can join a group, he has to be registered in a PKI. This procedure ensures the unlinkability and the non-repudiation of the system. At the end of this procedure, the user obtains a key pair $(usk_i, Upk_i)$. The value $Upk_i$ is added to a table UPK, which is assumed to be public.
- Join[$U_i(usk_i, Upk_i) \leftrightarrow GM(UPK, gmsk)$]: this interactive protocol between a user $U_i$ and the group manager results in the new user joining the group. Consequently, the user obtains a group certificate $cert_i = (A_i, x_i)$ and his group secret key $gsk_i$. The group manager adds an entry $(Upk_i, A_i, x_i, S)$ to Tab, where $S$ is a signature of $A_i$ made by the user $U_i$ with his secret key $usk_i$. This interactive protocol is presented in Figure 2, where ExtCommit is an extractable commitment built with Paillier's encryption scheme [32].

$U_i$: $gsk_i \in_R \mathbb{Z}_q$; $C = gsk_i \cdot Rpk_1$; $c = \mathrm{ExtCommit}(gsk_i)$; $U = \mathrm{SoK}(gsk_i : C = gsk_i \cdot Rpk_1 \wedge c = \mathrm{ExtCommit}(gsk_i))$

$U_i \rightarrow GM$: $c, C, U$

GM: checks $U$ and $C \in \mathbb{G}_1$; $x_i \in_R \mathbb{Z}_q$; $A_i := \frac{1}{gmsk + x_i} \cdot (G_1 + C)$; $B := e(G_1 + C, G_2) / e(A_i, GMpk)$; $D := e(A_i, G_2)$; $V = \mathrm{SoK}(\alpha : B = \alpha \cdot D)$

$GM \rightarrow U_i$: $A_i, V$

$U_i$: $B := e(G_1 + C, G_2) / e(A_i, GMpk)$; $D := e(A_i, G_2)$; checks $V$ and $A_i \in \mathbb{G}_1$; $S = \mathrm{PkiSign}(usk_i, A_i)$

$U_i \rightarrow GM$: $S$

GM: $\mathrm{Verif}(S, Upk_i, A_i)$; adds $(Upk_i, A_i, x_i, S)$ in Tab

$GM \rightarrow U_i$: $x_i$

$U_i$: checks if $(x_i + gmsk) \cdot A_i = G_1 + gsk_i \cdot Rpk_1$ with:

$$e(A_i, G_2)^{x_i} \, e(A_i, GMpk) \, e(Rpk_1, G_2)^{-gsk_i} = e(G_1, G_2)$$

Fig. 2. XSGS Join protocol

- Sign($m, gsk_i, cert_i$): the signature of $m$ is composed of two steps:
  - a double linear encryption, namely, the user randomly chooses $(\alpha_1, \beta_1, \alpha_2, \beta_2) \in_R \mathbb{Z}_q$ and computes the four values
    $T_1 = \alpha_1 \cdot G$; $T_2 = \beta_1 \cdot G$; $T_3 = A + (\alpha_1 + \beta_1) Rpk_1$;
    $T_4 = \alpha_2 \cdot G$; $T_5 = \beta_2 \cdot G$; $T_6 = A + (\alpha_2 + \beta_2) Rpk_2$;
  - a signature of knowledge $U$, where $z = (\alpha_1 + \beta_1) \cdot x + gsk_i$:

$$U = \mathrm{SoK}\Big(\alpha_1, \beta_1, \alpha_2, \beta_2, x, z : T_1 = \alpha_1 \cdot G \wedge T_2 = \beta_1 \cdot G \wedge T_4 = \alpha_2 \cdot G \wedge T_5 = \beta_2 \cdot G \wedge T_3 - T_6 = (\alpha_1 + \beta_1) Rpk_1 - (\alpha_2 + \beta_2) Rpk_2 \wedge e(T_3, G_2)^{x} \, e(Rpk_1, GMpk)^{-(\alpha_1 + \beta_1)} \, e(Rpk_1, G_2)^{-z} = \frac{e(G_1, G_2)}{e(T_3, GMpk)}\Big)(m).$$
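
The following is an added example, not code from the original text: an algebra check of the user's final Join verification and of the pairing relation inside the Sign signature of knowledge. It uses a toy model in which every group element is replaced by its discrete logarithm mod a prime, so it provides no security. The function names, the modulus and the additive encoding of $\mathbb{G}_T$ are assumptions of this sketch.

```python
# Toy algebraic model (added example, NOT secure): every group element is
# represented by its discrete log mod a prime q, so scalar multiplication and
# point addition become arithmetic mod q, and e(a*P1, b*P2) is tracked as a*b,
# the exponent of the G_T generator (products in G_T become sums).
import secrets

q = 2**127 - 1                      # prime modulus, constructed for the demo

def rnd():                          # nonzero scalar drawn from Z_q
    return secrets.randbelow(q - 1) + 1

def e(a, b):                        # pairing, evaluated in the exponent
    return a * b % q

def setup():
    gmsk = rnd()
    pp = {"G1": rnd(), "G2": rnd(), "Rpk1": rnd(), "Rpk2": rnd()}
    pp["GMpk"] = gmsk * pp["G2"] % q           # GMpk = gmsk.G2
    return gmsk, pp

def join(gmsk, pp):
    gsk = rnd()
    C = gsk * pp["Rpk1"] % q                   # user: C = gsk_i.Rpk1
    x = rnd()
    while (gmsk + x) % q == 0:                 # 1/(gmsk + x_i) must exist
        x = rnd()
    A = pow(gmsk + x, -1, q) * (pp["G1"] + C) % q
    return gsk, (A, x)

def join_check(pp, gsk, cert):                 # user's final check in Fig. 2
    A, x = cert
    lhs = x * e(A, pp["G2"]) + e(A, pp["GMpk"]) - gsk * e(pp["Rpk1"], pp["G2"])
    return lhs % q == e(pp["G1"], pp["G2"])

def sign_relation(pp, gsk, cert):              # relations proven by U in Sign
    A, x = cert
    a1, b1, a2, b2 = rnd(), rnd(), rnd(), rnd()
    T3 = (A + (a1 + b1) * pp["Rpk1"]) % q
    T6 = (A + (a2 + b2) * pp["Rpk2"]) % q
    z = ((a1 + b1) * x + gsk) % q
    lhs = (x * e(T3, pp["G2"]) - (a1 + b1) * e(pp["Rpk1"], pp["GMpk"])
           - z * e(pp["Rpk1"], pp["G2"])) % q
    rhs = (e(pp["G1"], pp["G2"]) - e(T3, pp["GMpk"])) % q
    diff_ok = (T3 - T6) % q == ((a1 + b1) * pp["Rpk1"] - (a2 + b2) * pp["Rpk2"]) % q
    return lhs == rhs and diff_ok
```

The relation holds only when the exponents of $e(Rpk_1, GMpk)$ and $e(Rpk_1, G_2)$ are negative; a certificate with a modified $x_i$ or a mismatched $gsk_i$ fails both checks.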