Practical "Signatures with Efficient Protocols" from Simple Assumptions

Libert, Benôıt; Mouhartem, Fabrice; Peters, Thomas; Yung, Moti

doi:10.1145/2897845.2897898

Cited by 18 publications

(19 citation statements)

References 60 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In 1991, Chaum and van Heyst [1] introduced group signatures. Over the past three decades, numerous group signature schemes have been presented to reduce the barriers for use in real life: based on random oracles [9,[11][12][13][14][15][16][17][18], without random oracles [19,20], improving security [8,9,[21][22][23][24][25][26][27], and efficiency [9,12,13,24,[28][29][30].…”

Section: Current Workmentioning

confidence: 99%

A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity

et al. 2022

View full text Add to dashboard Cite

This survey reviews the two most prominent group-oriented anonymous signature schemes and analyzes the existing approaches for their problem: balancing anonymity against traceability. Group signatures and ring signatures are the two leading competitive signature schemes with a rich body of research. Both group and ring signatures enable user anonymity with group settings. Any group user can produce a signature while hiding his identity in a group. Although group signatures have predefined group settings, ring signatures allow users to form ad-hoc groups. Preserving user identities provided an advantage for group and ring signatures. Thus, presently many applications utilize them. However, standard group signatures enable an authority to freely revoke signers’ anonymity. Thus, the authority might weaken the anonymity of innocent users. On the other hand, traditional ring signatures maintain permanent user anonymity, allowing space for malicious user activities; thus achieving the requirements of privacy-preserved traceability in group signatures and controlled anonymity in ring signatures has become desirable. This paper reviews group and ring signatures and explores the existing approaches that address the identification of malicious user activities. We selected many papers that discuss balancing user tracing and anonymity in group and ring signatures. Since this paper scrutinizes both signatures from their basic idea to obstacles including tracing users, it provides readers a broad synthesis of information about two signature schemes with the knowledge of current approaches to balance excessive traceability in group signatures and extreme anonymity in ring signatures. This paper will also shape the future research directions of two critical signature schemes that require more awareness.

show abstract

Section: Current Workmentioning

confidence: 99%

A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity

et al. 2022

View full text Add to dashboard Cite

show abstract

“…If so, α = log g f 1 = log u w holds for some unknown α, because of the simulation soundness of or traceability security analyses. All their non-frameability proofs are justified under the hardness of some computational problems such as the (S)DL [11,25,41,45] or the co-Diffie-Hellmam Inversion [26], and like the security analysis of the Schnorr signature, the witness used as the user secret key must be extracted as the solution of their underlying computational hardness problem. Furthermore, regarding the traceability proofs, BCN+10, LMP+16, and PS16 require sequential O(q) rewinding extractions for dealing with O(q) joining queries that are issued by an adversary.…”

Section: Traceabilitymentioning

confidence: 99%

“…In this regard, it is no surprise that group signature is still a very active cryptographic topic 30 years after its introduction, with countless contributions (see, e.g. [11,14,23,25,26,36,[40][41][42]45]). Although all these constructions have their own features, they share a common idea.…”

Section: Introduction 1related Workmentioning

confidence: 99%

See 1 more Smart Citation

Practical dynamic group signatures without knowledge extractors

Kim

Sanders

Abdalla

et al. 2022

Des. Codes Cryptogr.

View full text Add to dashboard Cite

Dynamic group signature (DGS) allows a user to generate a signature on behalf of a group, while preserving anonymity. Although many existing DGS schemes have been proposed in the random oracle model for achieving efficiency, their security proofs require knowledge extractors that cause loose security reductions. In this paper, we first propose a new practical DGS scheme whose security can be proven without knowledge extractors in the random oracle model. Moreover, our scheme can also be proven in the strong security model where an adversary is allowed to generate group managers' keys maliciously. The efficiency of our scheme is comparable to existing secure DGS schemes in the random oracle model using knowledge extractors. The security of our scheme is based on a new complexity assumption that is obtained by generalizing the Pointcheval-Sanders (PS) assumption. Although our generalized PS (GPS) assumption is interactive, we prove that, under the symmetric discrete logarithm (SDL) assumption, the new GPS assumption holds in the algebraic group model.

show abstract

“…Since group signatures were first proposed by Chaum and van Heyst [1], many efficient constructions have been proposed, most of which depend on a random oracle [10,[16][17][18][19][20][21][22][23]. Many earlier schemes were based on the strong RSA assumption [24,25].…”

Section: Related Workmentioning

confidence: 99%

Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

Emura

Hanaoka

Kawai

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.

show abstract

Practical "Signatures with Efficient Protocols" from Simple Assumptions

Cited by 18 publications

References 60 publications

A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity

A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity

Practical dynamic group signatures without knowledge extractors

Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

Contact Info

Product

Resources

About