Verifiable Encryption, Group Encryption, and Their Applications to Separable Group Signatures and Signature Sharing Schemes

Extended Abstract
  • Jan Camenisch
  • Ivan Damgård
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1976)


We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.


Keywords: Encryption Scheme, Signature Scheme, Access Structure, Random Oracle, Secret Sharing Scheme


  1. G. Ateniese. Efficient Verifiable Encryption (and Fair Exchange) of Digital Signatures. In 6th ACM CCS, pp. 138–146, 1999.
  2. N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. In EUROCRYPT ’98, vol. 1403 of LNCS, pp. 591–606, 1998.
  3. N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE Journal on Selected Areas in Communications, 18(4):591–610, Apr. 2000.
  4. F. Bao. An Efficient Verifiable Encryption Scheme for the Encryption of Discrete Logarithms. In CARDIS ’98, vol. 1820 of LNCS, 2000.
  5. J. Camenisch and I. Damgård. Verifiable encryption and applications to group signatures and signature sharing. Technical Report RS-98-32, BRICS, Department of Computer Science, University of Aarhus, Dec. 1998.
  6. J. Camenisch. Efficient and generalized group signatures. In EUROCRYPT ’97, vol. 1233 of LNCS, pp. 465–479, 1997.
  7. J. Camenisch, U. Maurer, and M. Stadler. Digital payment systems with passive anonymity-revoking trustees. In Computer Security-ESORICS 96, vol. 1146 of LNCS, pp. 33–43. Springer Verlag, 1996.
  8. J. Camenisch and M. Michels. Separability and Efficiency for Generic Group Signature Schemes. In M. Wiener, CRYPTO ’99, vol. 1666 of LNCS, 1998.
  9. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In CRYPTO ’97, vol. 1296 of LNCS, pp. 410–424, 1997.
  10. D. Catalano and R. Gennaro. New efficient and secure protocols for verifiable signature sharing and other applications. In CRYPTO ’98, vol. 1642 of LNCS, pp. 105–120, Berlin, 1998. Springer Verlag.
  11. D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT ’91, vol. 547 of LNCS, pp. 257–265. Springer-Verlag, 1991.
  12. L. Chen and T. P. Pedersen. New group signature schemes. In EUROCRYPT ’94, vol. 950 of LNCS, pp. 171–181, 1995.
  13. R. Cramer. Modular Design of Secure yet Practical Cryptographic Protocol. PhD thesis, University of Amsterdam, 1997.
  14. R. Cramer and I. Damgård. Zero-knowledge proofs for finite field arithmetic, or: Can zero-knowledge be for free? In CRYPTO ’98, vol. 1642 of LNCS, 1998.
  15. R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO ’94, vol. 839 of LNCS, pp. 174–187. Springer Verlag, 1994.
  16. I. B. Damgård. On the existence of bit commitment schemes and zero-knowledge proofs. In CRYPTO ’89, vol. 435 of LNCS, pp. 17–27, 1990.
  17. Y. Desmedt and Y. Frankel. Threshold cryptography. In CRYPTO ’89, vol. 435 of LNCS, pp. 307–315. Springer-Verlag, 1990.
  18. C. Dwork, M. Naor, and A. Sahai. Concurrent zero knowledge. In Proc. 30th Annual ACM Symposium on Theory of Computing (STOC), 1998.
  19. U. Feige, A. Fiat, and A. Shamir. Zero-knowledge proofs of identity. Journal of Cryptology, 1:77–94, 1988.
  20. A. Fiat and A. Shamir. How to prove yourself: Practical solution to identification and signature problems. In CRYPTO ’86, vol. 263 of LNCS, pp. 186–194, 1987.
  21. Y. Frankel, Y. Tsiounis, and M. Yung. “Indirect discourse proofs:” Achieving efficient fair off-line e-cash. In ASIACRYPT ’96, vol. 1163 of LNCS, 1996.
  22. M. Franklin and M. Reiter. Verifiable signature sharing. In EUROCRYPT ’95, vol. 921 of LNCS, pp. 50–63. Springer Verlag, 1995.
  23. O. Goldreich and A. Kahan. How to construct constant-round zero-knowledge proof systems for NP. Journal of Cryptology, 9(3):167–190, 1996.
  24. S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28(2):270–299, Apr. 1984.
  25. L. C. Guillou and J.-J. Quisquater. A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory. In EUROCRYPT ’88, vol. 330 of LNCS, pp. 123–128, 1988.
  26. J. Kilian and E. Petrank. Identity escrow. In CRYPTO ’98, vol. 1642 of LNCS, pp. 169–185, Berlin, 1998. Springer Verlag.
  27. S. Micali. Efficient certificate revocation and certified e-mail with transparent post offices. Presentation at the 1997 RSA Security Conference.
  28. S. Micali, C. Rackoff, and B. Sloan. The notion of security for probabilistic cryptosystems. SIAM Journal on Computing, 17(2):412–426, April 1988.
  29. H. Petersen. How to convert any digital signature scheme into a group signature scheme. In Security Protocols Workshop, Paris, 1997.
  30. G. Poupard and J. Stern. Fair Encryption of RSA Keys. In EUROCRYPT 2000, LNCS, pp. 173–190. Springer Verlag, 2000.
  31. C. P. Schnorr. Efficient signature generation for smart cards. Journal of Cryptology, 4(3):239–252, 1991.
  32. M. Stadler. Publicly verifiable secret sharing. In EUROCRYPT ’96, vol. 1070 of LNCS, pp. 191–199. Springer Verlag, 1996.
  33. M. Stadler, J.-M. Piveteau, and J. Camenisch. Fair blind signatures. In EUROCRYPT ’95, vol. 921 of LNCS, pp. 209–219, 1995.
  34. A. Young and M. Yung. Auto-Recoverable Auto-Certifiable Cryptosystems. In EUROCRYPT ’98, vol. 1403 of LNCS, pp. 17–31, 1998.

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Jan Camenisch (1)
  • Ivan Damgård (2)
  1. IBM Research, Zurich Research Laboratory, Rüschlikon
  2. Department of Computer Science, BRICS, University of Aarhus, Aarhus C, Denmark
