ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering.

Slides:



Advertisements
Similar presentations
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
Advertisements

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
This document and the information therein are the property of Morpho, They must not be copied or communicated to a third party without the prior written.
A Survey of Key Management for Secure Group Communications Celia Li.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (4) Information Security.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 5 Group Key Management.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
IAW 2006 Cascaded Authorization with Anonymous- Signer Aggregate Signatures Danfeng Yao Department of Computer Science Brown University Joint work with.
Optimal Structure-Preserving Signatures in Asymmetric Bilinear Groups Masayuki Abe, NTT Jens Groth, University College London Kristiyan Haralambiev, NYU.
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
1 An Efficient Strong Key-Insulated Signature Scheme and Its Application 5 th European PKI Workshop June 16-17, 2008 NTNU, Trondheim, Norway Go Ohtake.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Buyer-Seller Watermarking (BSW) Protocols Geong Sen Poh 31 Oct 2006.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Anonymity and Security in Public Internet Forums Ho-fung LEUNG Senior Member, IEEE Dept. of Computer Science & Engineering The Chinese University of Hong.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
Strongly Secure Certificateless Encryption Alexander W. Dent Information Security Group
Unlinkable Secret Handshakes and Key-Private Group Key Management Schemes Author: Stanislaw Jarecki and Xiaomin Liu University of California, Irvine From:
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
1 Hidden Exponent RSA and Efficient Key Distribution author: He Ge Cryptology ePrint Archive 2005/325 PDFPDF 報告人:陳昱升.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
1. Outline 1. Background 1. Attacks on distance-bounding 2. Symmetric vs asymmetric protocol 3. Motivation: DBPK-Log 2. VSSDB 1. Building blocks 2. Protocol.
Building Better Signcryption Schemes with Tag-KEMs Tor E. Bjørstad and Alexander W. Dent University of Bergen, Norway Royal Holloway, University of London,
Foundations of Cryptography Lecture 8 Lecturer: Moni Naor.
Computer Science Public Key Management Lecture 5.
WISA An Efficient On-line Electronic Cash with Unlinkable Exact Payments Toru Nakanishi, Mitsuaki Shiota and Yuji Sugiyama Dept. of Communication.
8. Data Integrity Techniques
Lecture 8 Digital Signatures. This lecture considers techniques designed to provide the digital counterpart to a handwritten signature. A digital signature.
Bob can sign a message using a digital signature generation algorithm
Identity Based Encryption Debdeep Mukhopadhyay Associate Professor Dept of Computer Sc and Engg, IIT Kharagpur.
Oblivious Signature-Based Envelope Ninghui Li, Stanford University Wenliang (Kevin) Du, Syracuse University Dan Boneh, Stanford University.
September 20 th, 2006 U-Prove crypto overview Copyright © 2006, Quebec Inc. Proprietary and Confidential.
An Ad Hoc Group Signature Scheme for Accountable and Anonymous Access to Outsourced Data Chuang Wang a,b and Wensheng Zhang a a Department of Computer.
Anonymous Identification in Ad Hoc Groups New York, NY, USAApril 6 th, 2004 Yevgeniy Dodis, Antonio Nicolosi, Victor Shoup
02/22/2005 Joint Seminer Satoshi Koga Information Technology & Security Lab. Kyushu Univ. A Distributed Online Certificate Status Protocol with Low Communication.
Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Collusion-Resistant Group Key Management Using Attribute-
Signcryption Parshuram Budhathoki Department of Mathematical Sciences Florida Atlantic University April 18, 2013
Secure Authentication Scheme with Anonymity for Wireless Communications Speaker : Hong-Ji Wei Date :
Linkability of Some Blind Signature Schemes Swee-Huay Heng 1, Wun-She Yap 1 Khoongming Khoo 2 1 Multimedia University, 2 DSO National Laboratories.
WISTP’08 ©LAM /05/2008 A Self-Certified and Sybil-Free Framework for Secure Digital Identity Domain Buildup Christer Andersson Markulf Kohlweiss.
Multicast Security: A Taxonomy and Some Efficient Constructions By Cannetti et al, appeared in INFOCOMM 99. Presenter: Ankur Gupta.
Merkle trees Introduced by Ralph Merkle, 1979 An authentication scheme
Signatures, etc. Network Security Gene Itkis Signature scheme: Formal definition GenKey Generation: Gen(1 k )   PK, SK  SignSigning: Sign(SK, M) 
A new provably secure certificateless short signature scheme Authors: K.Y. Choi, J.H. Park, D.H. Lee Source: Comput. Math. Appl. (IF:1.472) Vol. 61, 2011,
10/25/04 Security of Ad Hoc and Sensor Networks (SASN) 1/22 An Attack on the Proactive RSA Signature Scheme in the URSA Ad Hoc Network Access Control Protocol.
A Simple Traceable Pseudonym Certificate System for RSA-based PKI SCGroup Jinhae Kim.
Anonymous Statistical Survey of Attributes Toru Nakanishi and Yuji Sugiyama Okayama Univ., Japan.
Interleaving and Collusion Attacks on a Dynamic Group Key Agreement Scheme for Low-Power Mobile Devices * Junghyun Nam 1, Juryon Paik 2, Jeeyeon Kim 2,
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
1/28 Chosen-Ciphertext Security from Identity- Based Encryption Jonathan Katz U. Maryland Ran Canetti, Shai Halevi IBM.
1 Compact Group Signatures Without Random Oracles Xavier Boyen and Brent Waters.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
COM 5336 Lecture 8 Digital Signatures
Online/Offline Attribute-Based Encryption Brent WatersSusan Hohenberger Presented by Shai Halevi.
Security. Security Needs Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to.
29/Jul/2009 Young Hoon Park.  M.Bellare, D.Micciancio, B.Warinschi, Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and.
1 Secret Handshakes or Privacy-Preserving Interactive Authentication Gene Tsudik University of California, Irvine joint work with: Claude Castelluccia,
Key Substitution Attacks on Some Provably Secure Signature Schemes
Author : Guilin Wang Source : Information Processing Letters
Foundations of Fully Dynamic Group Signatures
CSC 774 Advanced Network Security
Presentation transcript:

ICICS2002, Singapore 1 A Group Signature Scheme Committing the Group Toru Nakanishi, Masayuki Tao, and Yuji Sugiyama Dept. of Communication Network Engineering Okayama University, Japan

ICICS2002, Singapore 2 What’s group signature ? A group signature Traceable only by TTP He/she is a group member! But, who? applied to anonymous e-cash, auction...

ICICS2002, Singapore 3 Committing the membership group Our contribution A group signature scheme with new characteristic Universal group He/she is a member in some group But, which group? … Group 1 Group T divided to multiple groups signature Group ID is traceable only by TTP

ICICS2002, Singapore 4 Outline of this presentation  Definition of group signature scheme committing the group  Based conventional group signature scheme  Proposed scheme  Security  Application

ICICS2002, Singapore 5 Definition of group signature scheme committing the group Participants except signer and verifier  Membership Manager(MM)…has authority to decide whether an entity may join a group  Revocation Manager(RM)…has authority to trace identity and group ID from the signature Important requirements  Unforgeability of signature  Anonymity, and secrecy of group ID  Traceability of identity and group ID by RM

ICICS2002, Singapore 6 Based group signature scheme Ateniese et al.’s scheme in Crypto2000 (ACJT scheme)  Most efficient Efficient in signing/verification and even registration  Provably secure Coalition resistance against an adaptive adversary (Strong adversary reflecting the reality) Why is our scheme based on this?

ICICS2002, Singapore 7 In advance, MM & RM set up keys and parameters Registration (joining a group) ACJT scheme: Overview Signature Membership certificate (Sig. for PK) MM Proof( ) Enc RM ( ) PK SK Unforgeable Traceable by RM ID, Anonymous (Zero-knowledge)

ICICS2002, Singapore 8 ACJT scheme: Setup MM and RM set up the following:  n=pq: RSA modulus (only MM knows p and q)  a, b, g, h: public elements in QR n (Set of quadratic residues in Z n *)  y=g x : public key (only RM knows x)

ICICS2002, Singapore 9 ACJT scheme: Registration Membership certificate: (A, e) s.t. A = (a x b) 1/e (mod n) MM PK: a x SK: x ID, This is an RSA signature that MM only generates

ICICS2002, Singapore 10 ACJT scheme: Signature Signature for messege m consists of  T = Enc RM (A) : ElGamal ciphertext w.r.t. y  S = SPK[(x, A, e) s.t. T= Enc RM (A) ∧ A = (a x b) 1/e ](m) Enc RM ( ) Proof( ) SPK: Signature converted from zero-knowledge proof of knowledge (Only one with knowledge can make SPK without revealing information on knowledge)

ICICS2002, Singapore 11 Our scheme: Basic idea Registration (joining a group) Signature Membership certificate (Sig. for PK and Group ID) MM Proof( ) Enc RM ( ) PK SK ID, (Zero-knowledge) Enc RM (Group ID)

ICICS2002, Singapore 12 Our scheme: Setup and Registration Setup  Another c ∈ QR n  Group IDs E 1,…E T Registration for group ID E t Membership certificate: (A, e) s.t. A = (a x bc Et ) 1/e (mod n) MM PK: a x SK: x ID, (This form is also provably unforgeable…explained later)

ICICS2002, Singapore 13 Our scheme: Signature and revocation Signature for messege m consists of  T = Enc RM (A)  T’= Enc RM (h E t )  S = SPK[(x, A, e, E t ) s.t. T= Enc RM (A) ∧ T’=Enc RM (h Et ) ∧ A = (a x bc Et ) 1/e ](m) Group ID can be identified by RM’s decrypting T’ For using E t in exponent, we can construct efficient SPK using known SPKs for secret exponent

ICICS2002, Singapore 14 Security : Coalition resisitance Certificate (A,e) is unforgeable even if valid members collude.  Formally, this means the unforgeability against adaptive adversary After obtaining valid certificates from MM a constant times, this adversary forges a new certificate For RSA modulus n and z ∈ QR n, it is infeasible to compute (u,e>1) s.t. u e = z This paper provides the security proof under strong RSA assumption

ICICS2002, Singapore 15 Security: Others Unforgeability of group signature ← Unforgeability of cert. and SPK proving cert. Anonymity, and secrecy of group ID ←zero-knowledge-ness of SPK and encryption

ICICS2002, Singapore 16 Application: Anonymous survey Anonymous survey to generate statistics on users’ attributes  Background This system generates statistics on attributes secretly Commercial service provider User(Customer) Man or Woman ? Young or Old? Anonymously Marketing

ICICS2002, Singapore 17 Problem on previous survey system Previous survey system [Nakanishi&Sugiyama, ACISP01] Vast computation depending on number of all registering users So, inefficient Commercial service providerUser(Customer) Group Signature TTP Group Signature Group Signature Group Signature Female 90% 10% Male Statistics Secure comp.

ICICS2002, Singapore 18 Efficient system using proposed scheme(1/2) Setup  Group ID E 1,..,E T are assigned to attribute values (e.g., E 1 : Female, E 2 :Male) Registration (e.g., E 1 :Female) Membership certificate (Sig. for PK and E 1 ) MM PK SK ID,

ICICS2002, Singapore 19 Efficient system using proposed scheme(2/2) Commercial service providerUser(Customer) Group Signature including Enc RM (E 1 ) Enc RM (E 2 ) … TTP E 2, E 2 …E 1 ( shuffled) Female 90% 10% Male Known efficient shuffle protocol The cost is independent from number of registering users So, more efficient

ICICS2002, Singapore 20 Conclusion Group signature scheme committing the group is proposed  Efficient and provably secure  Useful for applications (e.g., Anonymous survey) Further works  Application to e-cash  Improving anonymous survey

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.