Fully Forward-Secure Group Signatures

  • Benoît Libert
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6805)

Abstract

When embedding cryptographic tools in actual computing systems, it is important to ensure physical-layer protection of cryptographic keys. A simple risk analysis shows that taking advantage of system (i.e., hardware, software, network) vulnerabilities is usually much easier than cryptanalyzing the cryptographic primitives themselves. Forward-secure cryptosystems, in turn, are one of the suggested protective measures, where private keys periodically evolve in such a way that, if a break-in occurs, past uses of those keys in earlier periods remain protected.

Group signatures are primary privacy-preserving credentials that enable both non-repudiation and abuser tracing. In 2001, Song argued why key exposures may cause even greater concerns in the context of group signatures (namely, under the mask of anonymity within a group of other key holders). She then gave two examples of forward-secure group signatures and argued their ad hoc properties based on the state of understanding of group signature security properties at that time (proper security models had not been formalized yet). These implementations are fruitful initial efforts, but still suffer from certain imperfections. In the first scheme, for instance, forward security is only guaranteed to signers as long as the group manager’s private key is safe. Another scheme recently described by Nakanishi et al. for static groups also fails to maintain security when the group manager is compromised.

In this paper, we reconsider the subject and first formalize the notion of “fully forward-secure group signature” (FS-GS) in dynamic groups. We carefully define the correctness and security properties that such a scheme ought to have. We then give a realization of the primitive with quite attractive features: constant-size signatures, constant cost of signing/verifying, and at most polylog complexity of other metrics. The scheme is further proven secure in the standard model (no random oracle idealization is assumed).

Keywords

Key Exposure, Security Modeling, Key Protection, Forward Security, Anonymity, Group Signature

References

  1. Abdalla, M., Reyzin, L.: A new forward-secure digital signature scheme. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 116–129. Springer, Heidelberg (2000)
  2. Abe, M., Fehr, S.: Perfect NIZK with adaptive soundness. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 118–136. Springer, Heidelberg (2007)
  3. Anderson, R.: Two remarks on public key cryptology. In: ACM-CCS 1997 (1997) (invited talk)
  4. Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. Cryptology ePrint Archive: Report 2005/385 (2005)
  5. Ateniese, G., Camenisch, J.L., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)
  6. Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Delegatable anonymous credentials. Cryptology ePrint Archive: Report 2008/428 (2008)
  7. Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)
  8. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)
  9. Bellare, M., Miner, S.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999)
  10. Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM-CCS 1993, pp. 62–73 (1993)
  11. Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: The case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005)
  12. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
  13. Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
  14. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
  15. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
  16. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM-CCS 2004, pp. 168–177 (2004)
  17. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: ACM-CCS 2005, pp. 320–329 (2005)
  18. Boyen, X., Shacham, H., Shen, E., Waters, B.: Forward-secure signatures with untrusted update. In: ACM-CCS 2006, pp. 191–200 (2006)
  19. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)
  20. Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)
  21. Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009)
  22. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)
  23. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
  24. Damgård, I.B.: Towards practical public key systems secure against chosen ciphertext attacks. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 445–456. Springer, Heidelberg (1992)
  25. Dodis, Y., Katz, J., Xu, S., Yung, M.: Key-insulated public key cryptosystems. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 65–82. Springer, Heidelberg (2002)
  26. Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive zaps and new techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)
  27. Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
  28. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)
  29. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
  30. Guillou, L., Quisquater, J.-J.: A paradoxical identity-based signature scheme resulting from zero-knowledge. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 216–231. Springer, Heidelberg (1990)
  31. Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001)
  32. Itkis, G., Reyzin, L.: SiBIR: Signer-base intrusion-resilient signatures. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 499–514. Springer, Heidelberg (2002)
  33. Kiayias, A., Tsiounis, Y., Yung, M.: Traceable signatures. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 571–589. Springer, Heidelberg (2004)
  34. Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. International Journal of Security and Networks (IJSN) 1(1/2), 24–45 (2004); earlier version appeared as Cryptology ePrint Archive: Report 2004/076 (2004)
  35. Kiayias, A., Yung, M.: Group signatures with efficient concurrent join. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 198–214. Springer, Heidelberg (2005)
  36. Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006)
  37. Krawczyk, H.: Simple forward-secure signatures from any signature scheme. In: ACM-CCS 2000, pp. 108–115 (2000)
  38. Libert, B., Quisquater, J.-J., Yung, M.: Forward-secure signatures in untrusted update environments: Efficient and generic constructions. In: ACM-CCS 2007, pp. 266–275. ACM Press, New York (2007)
  39. Libert, B., Quisquater, J.-J., Yung, M.: Key evolution systems in untrusted update environments. ACM Transactions on Information and System Security (ACM-TISSEC), vol. 13(4) (December 2010)
  40. Libert, B., Yung, M.: Efficient traceable signatures in the standard model. Theoretical Computer Science 412(12-14), 1220–1242 (March 2011)
  41. Libert, B., Yung, M.: Dynamic fully forward-secure group signatures. In: Asia CCS 2010, pp. 70–81. ACM Press, New York (2010)
  42. Malkin, T., Micciancio, D., Miner, S.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002)
  43. Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)
  44. Nakanishi, T., Hira, Y., Funabiki, N.: Forward-secure group signatures from pairings. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 171–186. Springer, Heidelberg (2009)
  45. Nguyen, L., Safavi-Naini, R.: Efficient and provably secure trapdoor-free group signature schemes from bilinear pairings. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 372–386. Springer, Heidelberg (2004)
  46. Song, D.: Practical forward secure group signature schemes. In: ACM-CCS 2001, pp. 225–234 (2001)
  47. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
  48. Yao, D., Fazio, N., Dodis, Y., Lysyanskaya, A.: ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption. In: ACM-CCS 2004, pp. 354–363 (2004)
  49. Zhang, R.: Tweaking TBE/IBE to PKE transforms with chameleon hash functions. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 323–339. Springer, Heidelberg (2007)

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Benoît Libert (1)
  • Moti Yung (2)
  1. ICTEAM Institute, Université catholique de Louvain, Belgium
  2. Google Inc. and Columbia University, USA