Attribute Based Tracing for Securing Group Signatures Against Centralized Authorities

Abstract

This paper proposes a group signature scheme with a tracing mechanism that limits the tracing ability of tracers based on their attributes and decentralizes the tracing key generation method. Thus, no other party than the attributes satisfying tracer can identify the signer. The proposing scheme answers the single point of failure of the tracing mechanism in the existing group signature schemes. On the other hand, the multiple tracers setting of the proposing scheme reduces the tracing workload that the single tracer had, and provides selection flexibility for users to choose a tracer for their signatures based on tracers’ attributes. This paper discussed the related security definitions against outsiders and honest but curious authorities.

Appendices

A Appendix: The Oracles

Figure 5 depicts the oracles that we use for proving the security of the scheme.

Fig. 5.

Oracles

B Appendix: Security Proof

The security proof of our proposal is similar to the proof given in dynamic group signatures of Bellare et al. [3]. While their anonymity proof is based on IND-CCA security of PKE scheme, our proof is based on IND-CPA security of CP-ABE scheme. We detail the security proof of GS scheme with ABT in extended version of this paper.

1.1 B.1 Anonymity

We fix an NP relation \(\rho \) over domain Dom and consider a pair of PPT algorithms (\(P_1, V_1\)) and (\(P_2, V_2\)) for NIZK proof systems as in Bellare et al. [3] paper.

On the assumption that \(P_1\) is computational zero knowledge for \(\rho _1\) over \(Dom_1\) and \(P_2\) is computational zero knowledge for \(\rho _2\) over \(Dom_2\), two simulations \(S_1\) and \(S_2\) can be fixed as: \(\varPi _1\) = \(P_1, V_1, S_1\);    \(\varPi _2\) = \(P_2, V_2, S_2\). \(\varPi _1\) and \(\varPi _2\) are the simulation sound zero knowledge non-interactive proof systems of them for \(L_{\rho 1}\) and \(L_{\rho 2}\) respectively.

For any polynomial time adversary \(B\), who will challenge the anonymity of our scheme GS and who can construct polynomial time IND-CPA adversaries \(A_0, A_1\) against CP-ABE scheme E, an adversary \(A_s\) against the simulation soundness of \(\varPi \) and distinguishers \(D_1, D_2\) that distinguish real proofs of \(\varPi _1\) and \(\varPi _2\) respectively, for all \(\lambda \in \mathbb {N}\), we say

$$\begin{aligned}&{\textbf {Adv}}_{GS, B}^{anon}(\lambda ) \le {\textbf {Adv}}_{E , A_0}^{\textit{ind-cpa}}(\lambda ) + {\textbf {Adv}}_{E , A_1}^{\textit{ind-cpa}}(\lambda ) + {\textbf {Adv}}_{\varPi , A_s}^{ss}(\lambda )\\&\qquad \qquad \qquad \qquad \qquad \qquad \qquad \,\, + 2 \cdot ({\textbf {Adv}}_{P_1, S_1, D_1}^{zk}(\lambda ) + {\textbf {Adv}}_{P_2, S_2, D_2}^{zk}(\lambda )). \end{aligned}$$

According to the Lemma 5.1 described and proved in Bellare’s scheme [3] we can say, the left side function is negligible since all the functions on the right side are negligible under the assumptions on the security of building blocks described. This proves the anonymity of group signature scheme with attribute-based tracing. The detail proof of security for the adversaries against the encryption scheme and the distinguisher for zero knowledge are provided in Bellare’s scheme [3]. Comparing to the proof given in Bellare’s scheme [3] the difference is our scheme is based on CP-ABE scheme instead PKE scheme.

1.2 B.2 Traceability

If there is a traceability adversary \(B\), who constructs an adversary \(A_1\) against the scheme DS, on the assumption that (\(P_1, V_1\)) is a sound proof system for \(\rho _1\), we say

$$\begin{aligned} {\textbf {Adv}}_{GS, B}^{trace}(\lambda )\qquad \qquad \le \qquad \qquad 2^{-\lambda +1} \qquad \qquad + \qquad \qquad {\textbf {Adv}}_{DS, A_1}^{\textit{unforg-cma}}(\lambda ). \end{aligned}$$

On the assumption that DS is secure against traceability, all the functions on the right side are negligible. Because of this, the advantage of \(B\) is negligible. Thus, it proves that group signature scheme with attribute-based tracing is traceable.

1.3 B.3 Non-Frameability

If there is a non-frameability adversary \(B\), who creates at most \(n(\lambda )\) honest users, where \(n\) is a polynomial and who constructs two adversaries \(A_2, A_3\) against the digital signature scheme, on the assumption that \((P_1, V_1), (P_2, V_2)\) are sound proof systems for \(\rho _1, \rho _2\) respectively, we say

$$\begin{aligned} {\textbf {Adv}}_{GS, B}^{\textit{non-fram}}(\lambda ) \le 2^{-\lambda +1} + n(\lambda ) \cdot ({\textbf {Adv}}_{DS, A_2}^{\textit{unforg-cma}}(\lambda ) + {\textbf {Adv}}_{DS, A_3}^{\textit{unforg-cma}}(\lambda )). \end{aligned}$$

On the assumption that the scheme DS is secure, all the functions on the right side are negligible, so the left side function. Thus, the group signature scheme with attribute-based tracing is non-frameable according to the definition of DS.