Group–Proxy Signature Scheme: A Novel Solution to Electronic Cash

2.1 Notations

For a set A, a ∈_RA means that a is chosen randomly and uniformly from A, and A / {a} means that A – {a} = {x ∈ A|x ≠ a}. For a group G = 〈g〉, ord(g) means order of g in G. The bit length of a is denoted by |a|. Let c[j] be the j^th bit of a string c. We use ‖ to denote the concatenation of two (binary) strings or of binary representations of integers and group elements.

2.2 Signature Based on Proof of Knowledge

In a signature based on proof of knowledge (SPK), the signer ties his knowledge of a secret to the message to be signed. Thus, a signature of knowledge is used to sign a message and to prove the knowledge of the secret. Without the secret, no one can generate the valid signature. Signatures of knowledge were used by Camenisch and Stadler [6]. Their construction is based on the Schnorr signature scheme [23] to prove knowledge. All the signature of knowledge proposed by Camenisch and Stadler [6] can be proved secure in the random oracle model and their interactive versions are zero-knowledge.

We use several existing protocols of signature of knowledge [6] such as proving the knowledge of double discrete logarithm on a message and proving the knowledge of representations of some elements to the other bases on a message as building blocks in our proposed scheme. Due to space limitation, we omit the details of these protocols here. For more discussions, please refer to Ref. [6].

2.3 The Group–Proxy Signature Model

Our group–proxy signature model extends the group signature over only known-order group [20]. Generally speaking, our proposed group–proxy signature model comes from the basic group signatures [20] and integrates the properties of proxy signatures. Our model allows the member of a group to sign messages anonymously on behalf of some original entity such that the following properties hold for the resulting signature.

• Strong unforgeability: Only delegated group members can issue valid signatures on behalf of the original signer.

• Signer anonymity and signatures unlinkability: Given a signature, no one except the group manager can determine which group member issued the signature. It is infeasible to determine whether two message–signature pairs were issued by the same group member.

• Undeniable signer identity: The identity of the group member who issued the valid signature can always be traced by the entity called group manager.

• Secure against framing attacks: Neither the original signer nor the coalition of the original signer and some subset of the delegated group members can generate valid signatures on behalf of other group members.

2.4 Participants and Procedures

Our group–proxy signature scheme consists of a trusted party for the initial setup, the original signer O, two group managers (the issuer and the opener), and group users P_i with unique identities i ∈ N (the set of positive integers). All P_i’s form a group G. Each P_i can join G by its interaction with the issuer. Then, P_i can sign messages anonymously on behalf of O. In case of dispute, the identity of each group–proxy signature can be traced by the opener. Our scheme is specified as a tuple GPS = (Setup, Delegate, Join, Sign, Verify, Open) of polynomial–time algorithms described as follows.

• Setup: A probabilistic algorithm that generates the public keys Y_o, Y_ik, Y_ok and the corresponding private keys x_o, x_ik, x_ok for the original signer O, the issuer, and the opener.

• Delegate: An algorithm that inputs the original signer’s secret key and outputs the proxy signer P_i’s delegation key s_o.

• Join: An interactive protocol between the issuer and the new group member Alice that produces Alice’s secret key x, her membership certificate v, and her public key z.

• Sign: An algorithm on input message m, some user’s delegation key s_o, secret key x, and his membership certificate v produces a signature s on m that satisfies the properties above.

• Verify: An algorithm on input (m, s, Y_o, Y_ik, Y_ok), determines if s is a valid signature for the message m with respect to the corresponding public information.

• Open: An algorithm on input (s, x_ok) returns the identity of the real identity who issued the signature s.

3.1 System Setup

Suppose k is a security parameter. To set up the group–proxy signature scheme, similar to Miyaji and Umeda [20], the following procedures are performed:

1. Suppose H : {0, 1}* → {0, 1}^k be the secure, collision resistant, one-way hash function.

2. Choose a random k-bit prime q and a random prime p, such that q | (p – 1) and set P = pq.

3. Choose a random prime P/̃ such that P | (P̃ - 1).

4. Denote cyclic subgroup with order q and with order P.

5. Choose random elements g, h, g₁, g₂, g₃ and g₄ ∈_RG_P / {1} such that the discrete logarithms based on each other elements are unknown.

6. Choose a random element

7. Compute and where x_o, x_ik, x_ok ∈_RZ_q are kept secret by the original signer O, the issuer and the opener, respectively.

8. Output the group public key PK =(q, P, P̃, g, h, g₁, g₂, g₃, g₄, g̃, y_o, y_ik, y_ok) and the secret key SK = (x_o, x_ik, x_ok ∈_RZ_q).

3.2 Generation of the Delegation Key

The original signer O performs the following steps to generate the proxy signing key and delegate his sign ability to the proxy signers:

1. Generate the warrant m_ω, which consists of the type of the delegated information, the original and the proxy signers’ identities, the delegation period, etc.

2. Select k_o ∈_RZ_q and compute

   

   s_o = x_oH(m_ω ‖ r_o) + k_o mod q,

   

   

   r_o, S_o, T_o are published by the original signer.

3. Send (r_o, s_o, m_ω) to the proxy signer P_i ∈ G via secure channel.

After receiving (r_o, s_o, m_ω), the proxy signer P_i verifies the validity of the original signer O’s signature by checking

Finally, s_o is kept secret by the proxy signer P_i, and it will be used to generate the proxy signer’s private signing key in the later sections.

3.3 Registration

In this protocol, after receiving the delegation secret s_o, user P_i and the issuer jointly perform the following procedures. In the end, P_i obtains a random value x_i ∈ Z_q satisfying where x_i is only known by P_i, and A_i, b_i are generated by the issuer manager. The concrete procedures are as follows.

• where t, r ∈_RZ_q.

• P_i ← issuer : u, v ∈_RZ_q.

• P_i computes

• P_i → issuer : y_i and a signature on the warrant m_ω based on the proof of knowledge of (α, β, τ) such that T_o = H(m_ω ‖r_o)^β mod P, and Precisely, P_i executes as follows.

  • Choose random integers r₁, r₂, r₃ ∈_RZ_q.

  • Compute and t_o = H(m_ω‖r_o) mod P and

  • Compute c = H(g₂‖g‖h‖t_o‖y_i‖ T‖ T_o‖ T₁‖T₂‖ T₃‖r_o‖m_ω).

  • Compute in Z_p: s₁ = r₁ – cx_i, s₂ = r₂ – cur, s₃ = r₃ – cs_o.

  • Send (c, s₁, s₂, s₃) to the issuer.

    After receiving (c, s₁, s₂, s₃), the issuer computes

    

    

    and checks whether c′ = c holds. If not, the protocol aborts.

• and b_i = w_i – A_ix_ik mod q, where w_i ∈_RZ_q.

• U_i verifies that

Finally, P_i obtains a membership key (x_i, s_o) and a membership certificate (A_i, b_i) ∈ Z_P×Z_q, and the issuer inserts (ID_i, A_i, b_i) into the member list ML.

3.4 Signature Generation

To sign a message m, any legitimate P_i executes the following procedures.

1. Choose a random integer w ∈_RZ_q.

2. Compute and and

3. Choose random integers w_1j, w_2j, w_3j ∈_RZ_q, for 1≤j≤k.

4. Compute 2 and mod P, for 1≤j≤k.

5. Compute c₁ = H(g₂‖g₃‖g₄‖‖g̃‖T₁‖T₂‖T₃‖T₆‖t₁₁‖…‖t_1k‖t₂₁‖…‖t_2k‖t₃₁‖…‖t_3k‖t₄₁‖…‖t_4k‖m_ω‖m), s_1j = w_1j – c₁[j]b_i mod q, s_2j = w_2j – c₁[j]w mod q, and s_3j = w_3j – c₁[j]x_i mod q, for 1≤j≤k.

Remark 1. The above protocol is actually the signature of knowledge of

and the set of (c₁, s₁₁, . . . , s_1k, s₂₁, . . . , s_2k, s₃₁, . . . , s_3k) ∈ {0, 1}^k× is the corresponding signature.

Subsequently, P_i executes the following procedures.

1. Choose random integers w₄ ∈_RZ_P, w₅, w₆, w₇, w₈ ∈_RZ_P.

2. Compute t_o = H(m_ω‖r_o) mod P.

3. Compute and

4. Compute c₂ = H( g₁‖ g₂ ‖ g₃ ‖ g₄ ‖ g ‖ ‖ y_ik ‖ y_ok ‖ T₁‖T₃ ‖ T₄ ‖ T₅ ‖ T_o ‖ t₅ ‖ t₆ ‖ t₇ ‖ t₈ ‖ t₉ ‖ m_ω‖m), s₄ = w₄ – c₂A_i mod P, s₅ = w₅ – c₂b_i mod q, s₆ = w₆ – c₂x_i mod q, s₇ = w₇ – c₂w mod q, and s₈ = w₈ – c₂s_o mod q.

Remark 2. The above protocol is actually the signature of knowledge of

and the set of (c₂, s₄, s₅, s₆, s₇, s₈) ∈ {0, 1}^k×Z_p× is the corresponding signature.

3.5 Signature Verification

Any verifier can perform the following procedures to check the validity of the signature.

1. Compute

   

   

   

   

   and

   

2. Compute mod P, mod P, and

3. Check whether and hold. If it does, the signature is valid. Otherwise, it will be rejected.

3.6 Open

To trace the real identity of a signature on message m, the opener executes as follows.

1. Check the validity of the signature on message m.

2. Compute

3. Identify a signer P_i from A_i using the member list ML.

4. Output the signer’s identity ID_i.

4.1 Security Proof of the Delegation Phase

As presented in Section 3.2, the proxy signer P_i ∈ G obtains (r_o, s_o, m_ω) from the original signer O. Actually, (r_o, s_o) is the original signer O’s signature on the warrant m_ω. The correctness of the signature is obvious. In fact, we use Schnorr-type signature [21], which has been proved secure in the random oracle model, to generate such signature. In general, the warrant m_ω contains the type of the delegated information, the original and the proxy signers’ identities, the delegation period, etc. Thus, from the angle of the proxy signature, neither can the delegated proxy signer P_i ∈ G abuse the rights delegated by the original signer nor can anyone forge a valid delegation tuple. In the later sections, we will show that any verifier can be convinced that the valid group–proxy signature implies that the proxy signer P_i owns the original signer O’s authorization.

4.2 Security Proof of the Membership Certificate

Similar to Miyaji and Umeda [20], the security of our revised membership certification-generation algorithm is based on the difficulty of the strong multiple discrete logarithm problem (MDLP).

For the security parameter k, let p and q be primes with | q | = k and q | p – 1. Set P = pq, and let g₁, g₂, g₃, g₄ ∈ be elements with order q. Define a set where the discrete logarithms of g₁, g₂, g₃, and g₄ based on each other element are not known.

Problem (strong MDLP). Given Z_P, g₁, g₂, g₃ and such that the discrete logarithm based on each other element is not known and any subset X ⊂ χ(Z_P, g₁, g₂, g₃, g₄) with the polynomial order |X|, find a pair (x₁, x₂, x₃, x₄) ∈ Z_P× such that and (x₁, x₂, x₃, x₄) ∉ X.

Assumption (strong MDLP assumption). There is no probabilistic polynomial–time algorithm P that can solve the problem above.

Similar to Miyaji and Umeda [20], we have the following theorem to guarantee the security of the certificate-generation algorithm.

Theorem 1.Let A be a polynomial–time adversary who can successfully forge a new certificate, then there exists an adversary B who can attack against the strong MDLP with at least the same advantage.

4.3 Security Proof on the Group Signature

The following theorem shows the security of the group signature generation.

Theorem 2.The interactive version of the group signature generation is an honest-verifier zero-knowledge proof of knowledge of a delegation key authorized by the original signer O and a pair of membership certificate and corresponding membership key obtained by interaction with the issuer. Furthermore, (T₄, T₅) is the ElGamal ciphertext for A with respect to the public key y_ok.

Proof sketch. It is easy to prove the completeness and the zero-knowledgeness. The rest is to extract the knowledge. Owing to the knowledge extractor of each SPK, we can extract the values α₁, α₂, α₃, α₄, α₅, α₆, α₇ and α₈ satisfying

Here, α₁ = α₅, α₂ = α₇ and α₃ = α₆ hold from Eq. (4). Thus, Eqs. (1) and (2) represent

and

From Eqs. (5) and (10), Eq. (7) can be rewritten as

Then

holds.

It is obvious that the tuple {α₆, α₈, α₄, α₅} implies a valid delegation key, a membership certificate, and the corresponding membership key.

From Eqs. (8) and (12), the original signer O’s delegation key α₈, i.e., s_o, is extracted. That is to say, our signature proves the knowledge of the delegation key authorized by the original signer O.

From Eq. (12), Eq. (5) represents

Thus, (T₄, T₅) is a pair of ElGamal ciphertext, and the ciphertext can be considered as the encryption of α₄, i.e., A, with respect to the opener’s public key y_ok.

Besides, similar to Ref. [20], our proposed scheme satisfies the basic security requirements of the group signature scheme. We omit the proof procedures here.     □