Elsevier

Information Sciences

Volume 222, 10 February 2013, Pages 761-778

Group signatures with controllable linkability for dynamic membership

https://doi.org/10.1016/j.ins.2012.07.065

Abstract

In this paper we present a novel group signature scheme for dynamic membership which enables fine-grained control over the release of user information. This scheme could be widely used for various anonymity-based applications such as privacy-preserving data mining and customized anonymous authentication owing to a useful property called controllable linkability. A valid signer is able to create signatures that hide his or her identity as normal group signatures do, but which can be anonymously linked regardless of changes to the membership status of the signer and without exposure of the history of joining and revocation. From the signatures, only linkage information can be disclosed, and only with a special linking key. Using this controllable linkability together with the controllable anonymity of a group signature, anonymity may be flexibly and precisely controlled according to the desired level. To begin the construction of our scheme, we first introduce the Decision Linear Combination (DLC) assumption in a so-called gap Diffie–Hellman group, where the DDH problem is tractable but the CDH problem is hard, and we prove that this assumption holds in generic bilinear groups. To identify security requirements more precisely, we formally present definitions of anonymity, traceability, non-frameability, and linkability. We then prove that our scheme achieves all these security properties in the random oracle model. Our scheme supporting controllable linkability yields a short signature that is only 33.3% longer than the best-known normal group signature. Furthermore, we show that our scheme is comparable to that scheme in terms of the amount of computation for basic operations such as signing, verification, and the key update caused by revocation. Finally, using the linkability for dynamic membership, the computation overhead of opening a signer's identity can be significantly reduced or minimized.

Introduction

As various information and communication technologies have been developed and deployed in real applications, it has become easier to collect and distribute large amounts of user information. Obviously, there are potential dangers associated with the high-volume collection and distribution of user information, such as sensitive user information being unexpectedly collected and intentionally abused. To avoid such hazards in the face of the proliferation of user information, proper cryptographic mechanisms for protecting user privacy should be constructed.

Among cryptographic primitives for privacy, a group signature (GS) scheme has recently attracted increasing attention as a promising tool [6], [30]. In contrast to conventional digital signature schemes where a signer can be publicly identified, a GS scheme allows a member to anonymously sign a message on behalf of a group without revealing his identity. A GS scheme provides a kind of controllable anonymity such that a signer can be disclosed from his signature under a master opening key that is secretly managed by a trusted authority. On the one hand, this feature imposes responsibility on the signer and thus prevents malicious behaviors, and on the other hand, it provides the appropriate confirmation for a signer when benefits are acquired, or as otherwise necessary.

However, in the model of a normal group signature, anonymity has been treated coarsely: identities are either hidden or revealed. This treatment seems excessively simplified and may not suit diverse privacy applications. For example, consider anonymity applied to real-world applications such as data mining, mileage services, and personalized services. A verifier or service provider needs per-individual statistics on transactions, such as a consumer's buying pattern, which rest on the "linkability" of the transactions, while anonymity is preserved. Meanwhile, a signer may want to give a specific verifier or service provider the capability to link, while his signatures remain unlinkable to other verifiers. Just as anonymity is controllable, linkability must also be controllable. In conventional group signature schemes, verifiers can obtain this linkability only by submitting two signatures to an Opener who responds only to privileged verifiers, which imposes a severe burden on the Opener.

Although linkability can easily be realized by using a pseudonym instead of a real identity in a public key certificate and by establishing an Opener to manage the association between a pseudonym and a real identity [29], this simple approach has several drawbacks. First of all, in a pseudonym system with a single pseudonym and a single secret key, a user cannot avoid being linked by anyone who obtains his signatures; the disclosure of linkage information cannot be controlled by either the user or an authority, although a user or an authority might sometimes want to designate which verifiers have the right to link signatures. In a pseudonym system with one-time pseudonyms, where a fresh pseudonym is used whenever a signer makes a signature, the problem of being linked by anyone is resolved, but checking linkability places too much burden on the pseudonym issuer, and a signer must be issued a fresh pseudonym whenever he is about to generate a signature. Even if a signature is encrypted under a specific verifier's public key, that verifier can forward the decrypted signatures to others, who can then see the linkability of the signatures trivially. Another drawback is that the Opener must be trusted, since there is no way to validate whether the identity revealed by the Opener is really the owner of the pseudonym. In addition, when linkability is required even after repeated joining and revocation, a verifier can reconstruct the history of a user's membership status by keeping a list of the revoked public key certificates of a pseudonym. This situation is undesirable for user privacy.

In order to resolve these problems, we consider a new useful property called controllable linkability (CL). Under this notion, a signer can generate signatures that look random and so hide his or her identity properly as normal group signatures while the signatures can be anonymously linked under a linking key secretly managed by a Linker. Since only linkage information can be revealed from the signatures with the linking key, we can establish a fine-grained control on anonymity by adding this CL to the controllable anonymity of a GS. A group signature supporting the CL is referred to here as a CL–GS. From a signature, the corresponding signer’s identity can be revealed to an Opener who can access an “opening key.” Our scheme provides an algorithm Judge for public validation of opening results. Thus, a validating entity of the opened identity does not need to trust the Opener.

In this paper, we construct a CL–GS scheme for dynamic membership which achieves "efficient" CL. Our scheme achieves CL regardless of changes to the membership status of the signer and without exposure of the history of joining and revocation. By giving linking keys to designated Linkers, the Opener's linking tasks can be distributed among the Linkers.

Owing to our trapdoor-based approach to both anonymity and linkability, we can overcome all the drawbacks of the pseudonym system mentioned above. In our scheme the linkage information for signatures cannot be transferred to others unless the Linker reveals the linking key, which the Linker is most unlikely to do. The exposure problem of membership status history is also solved in our scheme, because the user secret key that is revoked and published is independent of the signer's linkage information.

To a Linker, our scheme provides the same level of anonymity as pseudonym-based schemes, because the Linker can see the linkage information. Thus, we must assume that the Linker, acting as a verifier, cannot obtain any signature whose signer is already known to it. In practice this assumption is plausible: a user registers with a service provider anonymously from the beginning, and uses a different link index (a kind of pseudonym) with other service providers. The same assumption is required in pseudonym-based anonymous schemes. We stress, however, that to everyone other than the Linkers, our scheme provides a stronger notion of anonymity than pseudonym-based schemes. Thus, our scheme can be regarded as a group signature scheme that efficiently and effectively implements an encrypted pseudonym for the Linker, while not losing the properties of a normal group signature scheme with respect to everyone else.

To capture the notion of CL more precisely, we present a formal definition of this security notion. Essentially, it must be guaranteed that a linking key cannot be used to open identities. This requirement is necessary to distinguish the Opener and Linker roles. In addition, an adversary must be unable to generate two signatures such that the identities recovered from them are the same but the signatures are proven "unlinked," or such that the identities recovered from them differ but the signatures are proven "linked." This requirement is critical to preventing an adversarial signer, or colluding (conspiring) signers, from generating false linkage information. To reflect the linking capability that is available through link queries, we slightly modify the security model of [9] to measure anonymity, traceability, non-frameability, and CL.

As a main building block for our construction, we introduce the Linear Combination Encryption (LCE) scheme that extends the well-known Linear Encryption scheme [6]. To show that the LCE scheme is semantically secure, we introduce a new computational problem in bilinear groups, called the Decision Linear Combination (DLC), and show that the difficulty of the problem can be guaranteed in generic bilinear groups. We also introduce a modified q Strong Diffie–Hellman (q-SDH+) problem which is not easier than the original q Strong Diffie–Hellman problem [4], [6]. In principle, our CL–GS scheme is based on a zero-knowledge proof of knowledge of a valid q-SDH+ instance and the equality of two discrete logarithms. We prove that our scheme achieves all the security properties, i.e., anonymity, traceability, non-frameability, and CL, under the above assumptions.
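The Linear Encryption scheme of [6] that the LCE scheme extends is the mechanism by which a BBS-style group signature hides the signer's certificate element and by which the Opener recovers it. The page gives no details of LCE itself, so the following is an added example (not code from the paper) of the base scheme only: it implements Linear Encryption over the prime-order subgroup of quadratic residues modulo a safe prime as a pairing-free stand-in for $G_1$, shows that the opening key is simply the decryption key $(\xi_1, \xi_2)$, and shows the "open both signatures and compare" style of linking that the introduction says burdens an Opener. The names `LinearEncryption`, `link_by_opening` and `demo` are this example's own; the safe-prime size is chosen only so the example runs quickly and is far below a real security level.

```python
"""Linear Encryption (Boneh, Boyen, Shacham, "Short group signatures") over the
quadratic residues modulo a safe prime.  Added illustration of the building
block that the page's LCE scheme extends; it is not the paper's scheme, uses no
pairing, and the group is a stand-in for G_1 (assumption of this example).
"""
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases (after trial division)."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """Return (p, q) with p = 2q + 1 and both prime.  The quadratic residues
    mod p then form a group of prime order q, used here in place of G_1."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q


class LinearEncryption:
    """Public key (u, v, h) with u^xi1 = v^xi2 = h; private key (xi1, xi2).
    In a group signature the private key is the Opener's master opening key."""

    def __init__(self, bits=80, seed=None):
        self.rng = random.Random(seed)          # toy parameters (example assumption)
        self.p, self.q = safe_prime(bits, self.rng)
        self.h = self.random_element()           # random residue != 1, so order q
        self.xi1 = self.rng.randrange(1, self.q)
        self.xi2 = self.rng.randrange(1, self.q)
        # u = h^(1/xi1) and v = h^(1/xi2); exponents are taken mod the order q.
        self.u = pow(self.h, pow(self.xi1, -1, self.q), self.p)
        self.v = pow(self.h, pow(self.xi2, -1, self.q), self.p)

    def random_element(self):
        """Uniform non-identity quadratic residue: r^2 with r not in {1, p-1}."""
        return pow(self.rng.randrange(2, self.p - 1), 2, self.p)

    def encrypt(self, m):
        """Ciphertext (T1, T2, T3) = (u^a, v^b, m * h^(a+b)) with fresh a, b."""
        a = self.rng.randrange(0, self.q)
        b = self.rng.randrange(0, self.q)
        t1 = pow(self.u, a, self.p)
        t2 = pow(self.v, b, self.p)
        t3 = m * pow(self.h, a + b, self.p) % self.p
        return (t1, t2, t3)

    def decrypt(self, ct):
        """Open: m = T3 / (T1^xi1 * T2^xi2), because T1^xi1 = h^a and T2^xi2 = h^b."""
        t1, t2, t3 = ct
        mask = pow(t1, self.xi1, self.p) * pow(t2, self.xi2, self.p) % self.p
        return t3 * pow(mask, -1, self.p) % self.p

    def link_by_opening(self, ct1, ct2):
        """Opener-side linking as described in the introduction: both
        ciphertexts are fully opened, which also reveals the identities."""
        return self.decrypt(ct1) == self.decrypt(ct2)


def demo(seed=1):
    """Encrypt one signer's element twice and another signer's once, then open and link."""
    le = LinearEncryption(bits=80, seed=seed)
    a_i = le.random_element()   # stands in for signer i's certificate element
    a_j = le.random_element()   # stands in for signer j's certificate element
    c1, c2, c3 = le.encrypt(a_i), le.encrypt(a_i), le.encrypt(a_j)
    return {
        "opens_correctly": le.decrypt(c1) == a_i and le.decrypt(c3) == a_j,
        "rerandomised_differ": c1 != c2,      # same plaintext, unrelated-looking ciphertexts
        "linked_same_signer": le.link_by_opening(c1, c2),
        "linked_other_signer": le.link_by_opening(c1, c3),
    }


if __name__ == "__main__":
    print(demo())
```

The two ciphertexts `c1` and `c2` of the same element differ in every component, which is the unlinkability a plain verifier faces; the only way to link them here is to hold $(\xi_1, \xi_2)$ and open both, which is exactly the coupling of linking to opening that the paper's separate linking key removes.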

Our CL–GS scheme works with any pairing map, regardless of its type. Our scheme supporting CL yields a short signature which is only 33.3% longer than the best-known GS of [6] in the literature. More concretely, if a pairing map based on an MNT curve is used, where the order of the bilinear group is a 170-bit prime and the size of the base field is 171 bits, then our signature length is about 2044 bits, or 256 bytes. Signing requires no pairing computation when the parameters are pre-computed, and verification requires a single pairing computation, as is also the case for the BBS scheme. Interestingly, due to the linkability for dynamic membership, the computation overhead of opening can be significantly reduced or minimized, because the Opener can directly find the static signer index that is set up for linkability. As the comparison results provided later show, our scheme is comparable to [6] in terms of the amount of computation for basic operations such as signing, verification, and key updates caused by revocation.

A CL–GS can be used for various kinds of anonymity applications, including not only known systems such as Vehicle Safety Communications (VSCs), Trusted Platform Modules (TPMs), and anonymous packet authentication for future internet systems, but also new kinds of services such as anonymously customized authentication (with a premium mileage service) and privacy-preserving data mining. Also, if we apply our scheme so that a signer holds a linking key, then a group signature scheme with a new functionality is obtained, in which a signer is able to determine later whether a signature belongs to him or her. More specific applications of this functionality will be studied in future work.

The concept of a GS was introduced in [18]. Since that pioneering work, group signatures have attracted attention due to their applicability in various areas of privacy protection, and a number of GS schemes have been proposed [37], [2], [16], [14], [13], [17], [6], [31], [8], [9], [19], [11], [7].

The GS scheme of [2] is the first practical and coalition-resistant solution. To treat a dynamic group, some research has addressed efficient revocation problems [3], [16]. The scheme in [10] provides a verifier-local revocation method where a verifier can check if a given signature has been generated by a revoked user. Formal definitions of security properties were well presented in [8] for static groups and in [31], [9] for dynamic groups. Ref. [31] considered concurrent joining, which enables users to register simultaneously.

In [6], Boneh et al. proposed an efficient GS scheme that yields a short signature with bilinear pairings. The scheme was proven secure under the strong Diffie–Hellman and Decisional Linear assumptions. They also informally presented methods to achieve strong exculpability (or non-frameability) and revoke users by updating keys, realizing the revocation idea of [17]. Handling dynamic groups, [19] extended the BBS scheme to support concurrent joining and proved that the proposed scheme achieves stronger anonymity against chosen ciphertext attacks under the XDH assumption, which seems too strong in bilinear groups.

Recently, construction methods for a GS scheme without random oracles have been suggested [1], [11], [24], [12], [25]. As the GS schemes in [11], [12] employ a symmetric bilinear map on groups of composite order, the signature size is large. The scheme of [1] does not achieve forward anonymity. The signature size in [24] is large for a practical deployment. In [25], a GS scheme is proposed to address some drawbacks of [24]. However, the above GS schemes are not sufficient to handle dynamic groups, particularly with revocation.

There have been other research efforts to design a more general framework of group signatures [15] and to utilize group signatures for wireless environments such as vehicular ad hoc networks [26], [38].

The remainder of this paper is organized as follows. We present a security model for a CL–GS scheme in Section 2. We present cryptographic assumptions for the security of our scheme in Section 3 and an honest-verifier ZKPK protocol in Section 4. Using this protocol we propose a dynamic CL–GS scheme and formally prove that it is secure in Section 5, and we present efficient join and revocation methods in Section 6. We analyze the performance of our scheme in Section 7. Finally, we conclude in Section 8.

Section snippets

Model

We present a security model for a CL–GS scheme. In this model we consider three main authorities, the Issuer, the Opener, and the Linker, each of whom has independent privileges and a certain level of trust. The Issuer is the authority who manages and updates the group public key gpk when revocation occurs, and who is also responsible for issuing a secret signing key usk[i] to a joining user using the master issuing key mik. The Opener is the authority who can use the master opening key mok to

Preliminaries

We now review bilinear maps and the computational assumptions on which our scheme relies. Let $\mathbb{Z}_p = \{1, \ldots, p-1\}$ for a prime number $p$. Denote by $s \leftarrow_R S$ the operation that picks an element $s$ of a set $S$ uniformly at random.

ZKPK protocol for SDH+

Before describing our CL–GS scheme in detail, we first introduce an honest-verifier zero-knowledge proof of knowledge (ZKPK) protocol for proving possession of an SDH+ tuple. The public parameters for this protocol are $(e, G_1, G_2, G_T, p, g, g_1, g_2, g_3, h_1, h_\theta, w_1, w_2, d_1, d_2, u, v)$, where $e : G_1 \times G_2 \to G_T$ is a bilinear pairing, $w_1, w_2, d_1, d_2, u, v, g, g_1, g_2, g_3 \leftarrow_R G_1$, $h_1 \leftarrow_R G_2$, and $h_\theta = h_1^{\theta}$ for random $\theta \in \mathbb{Z}_p$. The protocol has two players, a prover $P$ and a verifier $V$. Let $Z = g_2^{y}$ and $\hat{Z} = g^{y}$ for some $y \in \mathbb{Z}_p$. Assume that the prover

Our construction

We construct a CL–GS scheme for dynamic membership. For convenience we call this scheme GS-L.

SetUp. It takes as input a security parameter $1^\lambda$ and generates a group public key gpk and its corresponding master private keys mik, mok, and mlk as follows. Let $(G_1, G_2, G_T)$ be a tuple of groups of prime order $p$ that defines a bilinear map $e : G_1 \times G_2 \to G_T$. It picks random $h_1 \leftarrow_R G_2$, $g_1, g_2, g_3, g, u, v \leftarrow_R G_1 \setminus \{1_{G_1}\}$, and $\eta_1, \eta_2, \xi_1, \xi_2, \theta \leftarrow_R \mathbb{Z}_p$, and computes $w_1 = u^{\eta_1}$, $w_2 = v^{\eta_2}$, $d_1 = u^{\xi_1}$, $d_2 = v^{\xi_2}$, $U = h_1^{\xi_1}$, $V = h_1^{\xi_2}$, and $h_\theta = h_1^{\theta}$. Let H:{0

Join and revocation

We present our join and revocation algorithms. Let the initial group public key be $\mathrm{gpk}_0 = (\chi, g_1, g_2, g_3)$, where $\chi = (e, G_1, G_2, g, h_1, h_\theta, u, v, w_1, w_2, d_1, d_2, H)$. $\chi$ does not change under revocation.

Performance analysis

We analyze the performance of our scheme in terms of signature size and computation overhead, and provide simulation results. This analysis includes a comparison between the best-known GS scheme [6], referred to as BBS, and our own.

Signature length. Let $\ell_p$ and $\ell_{G_1}$ be the bit-lengths of the order of $G_1$ and of an element of $G_1$, respectively. Our signature consists of four elements of $G_1$ and eight elements of $\mathbb{Z}_p$, and so its bit-length is $4\ell_{G_1} + 8\ell_p$. The BBS signature consists of three elements of $G_1$ and
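Carrying the comparison through with the MNT parameters quoted in the introduction ($\ell_p = 170$, $\ell_{G_1} = 171$), as an added worked computation that is not part of the original page. It assumes, as is standard for the scheme of [6], that a BBS signature $(T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$ consists of three elements of $G_1$ and six elements of $\mathbb{Z}_p$:

$$
\begin{aligned}
|\sigma_{\mathrm{BBS}}| &= 3\ell_{G_1} + 6\ell_p = 3 \cdot 171 + 6 \cdot 170 = 1533 \text{ bits},\\
|\sigma_{\mathrm{GS\text{-}L}}| &= 4\ell_{G_1} + 8\ell_p = 4 \cdot 171 + 8 \cdot 170 = 2044 \text{ bits} \approx 256 \text{ bytes},\\
\frac{|\sigma_{\mathrm{GS\text{-}L}}|}{|\sigma_{\mathrm{BBS}}|} &= \frac{4(\ell_{G_1} + 2\ell_p)}{3(\ell_{G_1} + 2\ell_p)} = \frac{4}{3} .
\end{aligned}
$$

The ratio is exactly $4/3$ for any choice of $\ell_{G_1}$ and $\ell_p$, since both signatures are built from the same unit $\ell_{G_1} + 2\ell_p$; this is where the 33.3% figure in the abstract comes from, independently of the curve.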

Conclusion

We have introduced a novel and useful notion, controllable linkability for a GS scheme with dynamic membership. Through controllable linkability, a linker can always link signatures from a signer even when the signer is revoked and re-joins. The feature is very versatile and useful in many privacy preserving data mining applications. We concretely constructed a GS scheme with the linkability and proved that the proposed scheme achieves not only the basic security properties, anonymity,

Acknowledgements

This work was supported by Next-Generation Information Computing Development Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology in Korea (Grant No. 2012-0006493).

References (38)

  • Y. Tseng et al., A novel ID-based group signature, Information Sciences (1999)
  • G. Ateniese, J. Camenisch, S. Hohenberger, B. de Medeiros, Practical group signatures without random oracles, ePrint...
  • G. Ateniese et al., A practical and provably secure coalition-resistant group signature scheme
  • G. Ateniese et al., Quasi-efficient revocation in group signatures
  • D. Boneh et al., Short signatures without random oracles and the SDH assumption in bilinear groups, Journal of Cryptology (2008)
  • P. Bichsel et al., Get Shorty via Group Signatures without Encryption
  • D. Boneh et al., Short group signatures
  • X. Boyen et al., Expressive subgroup signatures
  • M. Bellare et al., Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions
  • M. Bellare et al., Foundations of group signatures: the case of dynamic groups
  • D. Boneh et al., Group signatures with verifier-local revocation
  • X. Boyen et al., Compact group signatures without random oracles
  • X. Boyen et al., Full-domain subgroup hiding and constant-size group signatures
  • J. Camenisch, Efficient and generalized group signatures
  • J. Camenisch et al., Group signatures: better efficiency and new theoretical aspects
  • J. Camenisch et al., Efficient attributes for anonymous credentials
  • J. Camenisch et al., Dynamic accumulators and application to efficient revocation of anonymous credentials
  • J. Camenisch et al., Signature schemes and anonymous credentials from bilinear maps
  • D. Chaum et al., Group signatures
