Formalizing Group Blind Signatures and Practical Constructions without Random Oracles [chapter]

Essam Ghadafi
2013 Lecture Notes in Computer Science  
In this paper, we first provide foundations for dynamic group blind signatures where we provide formal security definitions and present a security model to capture all the security properties. In doing so, we identify and address some issues which were not considered by previous constructions and (informal) security definitions. We then present a practical construction which has a round-optimal signing phase and yields signatures of a constant size. Our construction allows for members of the group to join dynamically and concurrently and yet its security does not rely on any idealized assumptions. We provide different instantiations of the construction, all of which are proven secure in the standard model. In addition, the building blocks we present are of interest in their own right and could be used either on their own or as building blocks for other cryptographic constructions.

one it got from interacting with the challenge oracle as we discuss later in the definition of the anonymity property. In addition, existing constructions, e.g. [34, 37], require either many rounds of interaction in the signing phase (deploying interactive divertible proofs of knowledge [8]) and hence requiring that the signing authority remains online throughout the signing process or requiring proofs in the random oracle model [6]. The schemes we propose have a round-optimal signing phase and their security does not require any idealized assumptions. Therefore, they are more suitable for practical applications.

Related Work. The concept of group blind signatures was first introduced by [34], where it was mainly used to design a distributed e-cash system in which digital coins could be issued by different banks. While there exist a number of group signature schemes, e.g. [14, 5, 11, 3, 12, 28], only a few group blind signature schemes exist in the literature, e.g. [34, 37]. The subtlety one faces when designing group blind signatures lies in the need to use the same zero-knowledge proof to prove two different statements by two different parties which could be regarded in some sense as a malleable proof. On the one hand, the signer needs to hide his identity and parts of the signature that could identify him (i.e. anonymity of the signer requirement). On the other hand, the user wants to hide the message and parts of the signature which could lead to a linkage between a signature and its sign request (i.e. the blindness requirement).
The schemes presented in [34] were based on different variants of the Camenisch-Stadler group signature [14] and their security required the use of random oracles. Other schemes, e.g. [37], used divertible zero-knowledge proofs [8, 38] to realize those conflicting anonymity requirements. A divertible proof allows a mediator to use a proof it got from a party to prove a statement to a third party. Constructions that rely on such proofs either require many rounds of interaction in the signing protocol or the Fiat-Shamir transformation [19] to eliminate the interaction required for the proofs, which results in the security proof for such schemes lying in the random oracle model, e.g. [34].

Our Contribution. We first formalize the security model for dynamic group blind signatures and then present efficient dynamic group blind signature constructions which have a round-optimal signing phase and whose security does not rely on random oracles. Our schemes are practical, have a concurrent join protocol and yield signatures of a constant size. We start by showing how to construct CPA-anonymous schemes and then outline how such schemes can be extended to provide full anonymity. We also provide a proof of security for our schemes.

Paper Organization. The rest of the paper is organized as follows: In Section 2, we give some preliminary definitions. In Section 3, we define dynamic group blind signatures. We present the security model for dynamic group blind signatures in Section 4. We present the building blocks we use in Section 5 and describe the techniques underlying our constructions in Section 6. In Sections 7 and 8, we present and explain our constructions as well as provide a security proof for them. In Section 9, we outline how we can achieve full anonymity as well as other instantiations. Finally, we conclude the paper in Section 10.
doi:10.1007/978-3-642-39059-3_23 fatcat:r6tiqxouxngival265ohibgdta