Group Signature with Deniability: How to Disavow a Signature

Ai ISHIDA, Keita EMURA, Goichiro HANAOKA, Yusuke SAKAI, Keisuke TANAKA
2017 IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences  
Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, in some situations it is only required to know whether a specific user is the signer of a given signature. In this case, the use of a standard group signature may be problematic since the specified user might not
more » ... e the signer of the given signature, and hence, the identity of the actual signer will be exposed. Inspired by this problem, we propose the notion of a deniable group signature, where, with respect to a signature and a user, the authority can issue a proof showing that the specified user is NOT the signer of the signature, without revealing the actual signer. We also describe a fairly practical construction by extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme. . The fourth author is supported by a JSPS Fellowship for Young Scientists. yusuke.sakai@aist.go.jp ¶ Tokyo Institute of Technology, Japan. keisuke@is.titech.ac.jp valid group signature), or 0. Open: The opening algorithm takes as input gpk , ok , m, Σ, and reg, and returns (i, τ O ), where i is a user identity, and τ O is a proof that user i computed Σ. Judge: The judgement algorithm takes as inputs gpk , i, upk i , m, Σ, and τ O , and returns 1 if Σ is produced by user i, and 0 otherwise. DOpen: The denial opening algorithm takes as input gpk , j, ok , m, Σ, and reg, and returns τ D(j) , where j is a user identity, and τ D(j) is a proof that user j did not compute Σ. DJudge: The denial judgement algorithm takes as inputs gpk , j, upk j , m, Σ, and τ D(j) , and returns 1 if Σ is not produced by user j, and 0 otherwise. The model in [5] introduces four requirements for a group signature, namely, correctness, anonymity, nonframeability, and traceability. Furthermore, opening soundness is introduced by [41]. Here, we provide the definitions of correctness, anonymity, non-frameability, traceability, and opening soundness for a deniable group signature. The security model is extended from the dynamic group signature defined by Sakai et al. [41] and therefore, is almost the same except for the anonymity. We first define several oracles used in security games. We newly introduce the DOpen oracle (which is underlined in the following definition) in addition to Sakai et al.'s definition. AddU: This add user oracle runs UKg and Join/Iss protocol to add an honest user to the group. The oracle returns upk i and adds i to HU. CrptU: This corrupt user oracle allows A to add corrupt users. On input an identity i and upk , this oracle sets upk i ← upk and adds i to CU. SndToU: This send to user oracle takes as input a user identity i, at first sets up a user public and private key pair (upk i , usk i ) ← UKg(1 k , gpk ) and adds i to HU. Then the oracle interacts with A who corrupts the issuer by running Join(gpk , upk i , usk i ) and the respond of the user is returned to A. SndToI: This send to issuer oracle takes as input a user identity i, and interacts with A who corrupts the user i by running Iss(gpk , upk i , ik ). The user i needs to be in the set CU. Ch: This challenge oracle takes as input a bit b, two identities i 0 , i 1 , and m, and returns Σ * ← GSig(gpk , gsk i b , m) if both i 0 ∈ HU and i 1 ∈ HU. If not, the oracle returns ⊥. The oracle stores (m, Σ * ) in GSet, and stores i 0 and i 1 in ISet. Open: This opening oracle takes as input m and Σ, and returns (i, τ O ) ← Open(gpk , ok , m, Σ, reg) if (m, Σ) ∈ GSet and ⊥ otherwise. DOpen: This deniable opening oracle takes as input a user identity j, m and Σ, and returns τ D(j) ← DOpen(gpk , j, ok , m, Σ, reg) if (m, Σ) ∈ GSet ∨ j ∈ ISet and ⊥ otherwise. USK: This user secret keys oracle takes as input i ∈ HU, and returns the secret keys usk i and gsk i . GSig: This signing oracle takes as input i and a message m, and returns Σ ← GSig(gpk , gsk i , m) if i ∈ HU. Otherwise, the oracle returns ⊥. RReg: This read registration table oracle takes as input i, and returns reg[i]. WReg: This write registration table oracle takes as input i and a value ρ, and modifies the contents of reg by setting reg[i] ← ρ.
doi:10.1587/transfun.e100.a.1825 fatcat:n6rg267c2bf25aidwmnqjlw3g4