A Shorter Group Signature with Verifier-Location Revocation and Backward Unlinkability
Group signatures are generalized credential/member authentication schemes with wide applications, such as trusted computing. The membership revocation problem is a major issue for group signatures. In applications where group secret keys are stored in tamper-resistant chips, a Verifier-Local Revocation (VLR) resolution is more reasonable than other methods, such as witness-based revocation. Boneh et al. formally defined such VLR group signatures and proposed a VLR resolution for a short group signature. Later, Nakanishi et al. pointed out that it has the disadvantage of backward linkability, and provided a VLR resolution with backward unlinkability at the cost of a longer signature size and more computation. We improve Nakanishi et al.'s scheme by reducing the signature size and the computation required, without compromising VLR or backward unlinkability.
Analyzing Unlinkability of Some Group Signatures
Miyaji et al. proposed a fully functional (i.e., satisfying unforgeability, exculpability, anonymity, traceability, unlinkability, and revocability) group signature over only known-order groups, based only on discrete-logarithm-related assumptions, specifically the multiple DLP they proposed in the same paper [MU04]. In this paper, we point out that their scheme and an improved scheme [ZZW05] do not have unlinkability.
On Anonymity of Group Signatures
A secure group signature is required to be anonymous, that is, given two group signatures generated by two different members on the same message, or two group signatures generated by the same member on two different messages, they are indistinguishable to everyone except the group manager. In this paper we prove the equivalence of a group signature's anonymity and its indistinguishability against chosen-ciphertext attacks if we view a group signature as an encryption of the member's identity. In particular, we prove that ACJT's group signature is IND-CCA2 secure, so ACJT's scheme is anonymous in the strong sense. The result answers an open question in the literature.
Transitive Signatures Based on Non-adaptive Standard Signatures
Transitive signatures, motivated by signing the vertices and edges of a dynamically growing, transitively closed graph, were first proposed by Micali and Rivest. The general design paradigm proposed there involves an underlying standard signature scheme, which is required to be existentially unforgeable against adaptive chosen-message attacks. We show that the requirement on the underlying signature is not necessarily so strong: non-adaptive security is enough to guarantee that the transitive signature scheme is secure in the strongest sense, i.e., transitively unforgeable under adaptive chosen-message attack (as defined by Bellare and Neven). We give a general proof for such transitive signature schemes, and also propose a specific transitive signature scheme based on factoring and strong RSA. Hence the choice of standard signatures that can be employed by transitive signature schemes is enlarged. The efficiency of transitive signature schemes may be improved, since efficiency and security are trade-off parameters for standard signature schemes.
- Dongdai Lin (3)