Presentation is loading. Please wait.

Presentation is loading. Please wait.

ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.

Published byDelphia Moore Modified over 8 years ago

Similar presentations

Presentation on theme: "ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering."— Presentation transcript:

1 ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering Okayama University, Japan

2 ICICS2002, Singapore 2 What’s group signature ? A group signature Traceable only by TTP He/she is a group member! But, who? applied to anonymous e-cash, auction...

3 ICICS2002, Singapore 3 Committing the membership group Our contribution A group signature scheme with new characteristic Universal group He/she is a member in some group But, which group? … Group 1 Group T divided to multiple groups signature Group ID is traceable only by TTP

4 ICICS2002, Singapore 4 Outline of this presentation  Definition of group signature scheme committing the group  Based conventional group signature scheme  Proposed scheme  Security  Application

5 ICICS2002, Singapore 5 Definition of group signature scheme committing the group Participants except signer and verifier  Membership Manager(MM)…has authority to decide whether an entity may join a group  Revocation Manager(RM)…has authority to trace identity and group ID from the signature Important requirements  Unforgeability of signature  Anonymity, and secrecy of group ID  Traceability of identity and group ID by RM

6 ICICS2002, Singapore 6 Based group signature scheme Ateniese et al.’s scheme in Crypto2000 (ACJT scheme)  Most efficient Efficient in signing/verification and even registration  Provably secure Coalition resistance against an adaptive adversary (Strong adversary reflecting the reality) Why is our scheme based on this?

7 ICICS2002, Singapore 7 In advance, MM & RM set up keys and parameters Registration (joining a group) ACJT scheme: Overview Signature Membership certificate (Sig. for PK) MM Proof( ) Enc RM ( ) PK SK Unforgeable Traceable by RM ID, Anonymous (Zero-knowledge)

8 ICICS2002, Singapore 8 ACJT scheme: Setup MM and RM set up the following:  n=pq: RSA modulus (only MM knows p and q)  a, b, g, h: public elements in QR n (Set of quadratic residues in Z n *)  y=g x : public key (only RM knows x)

9 ICICS2002, Singapore 9 ACJT scheme: Registration Membership certificate: (A, e) s.t. A = (a x b) 1/e (mod n) MM PK: a x SK: x ID, This is an RSA signature that MM only generates

10 ICICS2002, Singapore 10 ACJT scheme: Signature Signature for messege m consists of  T = Enc RM (A) : ElGamal ciphertext w.r.t. y  S = SPK[(x, A, e) s.t. T= Enc RM (A) ∧ A = (a x b) 1/e ](m) Enc RM ( ) Proof( ) SPK: Signature converted from zero-knowledge proof of knowledge (Only one with knowledge can make SPK without revealing information on knowledge)

11 ICICS2002, Singapore 11 Our scheme: Basic idea Registration (joining a group) Signature Membership certificate (Sig. for PK and Group ID) MM Proof( ) Enc RM ( ) PK SK ID, (Zero-knowledge) Enc RM (Group ID)

12 ICICS2002, Singapore 12 Our scheme: Setup and Registration Setup  Another c ∈ QR n  Group IDs E 1,…E T Registration for group ID E t Membership certificate: (A, e) s.t. A = (a x bc Et ) 1/e (mod n) MM PK: a x SK: x ID, (This form is also provably unforgeable…explained later)

13 ICICS2002, Singapore 13 Our scheme: Signature and revocation Signature for messege m consists of  T = Enc RM (A)  T’= Enc RM (h E t )  S = SPK[(x, A, e, E t ) s.t. T= Enc RM (A) ∧ T’=Enc RM (h Et ) ∧ A = (a x bc Et ) 1/e ](m) Group ID can be identified by RM’s decrypting T’ For using E t in exponent, we can construct efficient SPK using known SPKs for secret exponent

14 ICICS2002, Singapore 14 Security : Coalition resisitance Certificate (A,e) is unforgeable even if valid members collude.  Formally, this means the unforgeability against adaptive adversary After obtaining valid certificates from MM a constant times, this adversary forges a new certificate For RSA modulus n and z ∈ QR n, it is infeasible to compute (u,e>1) s.t. u e = z This paper provides the security proof under strong RSA assumption

15 ICICS2002, Singapore 15 Security: Others Unforgeability of group signature ← Unforgeability of cert. and SPK proving cert. Anonymity, and secrecy of group ID ←zero-knowledge-ness of SPK and encryption

16 ICICS2002, Singapore 16 Application: Anonymous survey Anonymous survey to generate statistics on users’ attributes  Background This system generates statistics on attributes secretly Commercial service provider User(Customer) Man or Woman ? Young or Old? Anonymously Marketing

17 ICICS2002, Singapore 17 Problem on previous survey system Previous survey system [Nakanishi&Sugiyama, ACISP01] Vast computation depending on number of all registering users So, inefficient Commercial service providerUser(Customer) Group Signature TTP Group Signature Group Signature Group Signature Female 90% 10% Male Statistics Secure comp.

18 ICICS2002, Singapore 18 Efficient system using proposed scheme(1/2) Setup  Group ID E 1,..,E T are assigned to attribute values (e.g., E 1 : Female, E 2 :Male) Registration (e.g., E 1 :Female) Membership certificate (Sig. for PK and E 1 ) MM PK SK ID,

19 ICICS2002, Singapore 19 Efficient system using proposed scheme(2/2) Commercial service providerUser(Customer) Group Signature including Enc RM (E 1 ) Enc RM (E 2 ) … TTP E 2, E 2 …E 1 ( shuffled) Female 90% 10% Male Known efficient shuffle protocol The cost is independent from number of registering users So, more efficient

20 ICICS2002, Singapore 20 Conclusion Group signature scheme committing the group is proposed  Efficient and provably secure  Useful for applications (e.g., Anonymous survey) Further works  Application to e-cash  Improving anonymous survey

Download ppt "ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering."

Similar presentations

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.

This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.

IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.

Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.

1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.

Similar presentations

Ads by Google