| ¡¡ | Chinese Journal of Computers Full Text |
| Title | A Short Group Signature with IND-CCA2 Full-Anonymity |
| Authors | ZHANG Yue-Yu CHEN Jie SU Wan-Li WANG Yu-Min |
| Address | (Key Laboratory of Computer Network and Information Security of Ministry of Education, Xidian University, Xi¡¯an 710071) |
| Year | 2007 |
| Issue | No.10(1865¡ª1871) |
| Abstract & Background | Abstract In CRYPTO 2004, a short group signature is proposed by Boneh, Boyen and Shacham, which is based on strong Diffie-Hellman(SDH) assumption and Decision Linear assumption. Thereafter it is denoted BBS. Only chosen plaintext attack(CPA) full-anonymity is achieved in BBS short group signature for CPA secure in linear encryption. In this case, adversary could not query an open oracle. However, when adversaries try to break the notion of chosen ciphertext attack(IND-CCA2) full-anonymity, they have the ability to query an open oracle in the current and strongest security model for group signatures. Hence adversaries can obtain the signer identity of the queried signature. This paper presents a new zero-knowledge protocol for SDH£¬which based on Cramer-Shoup encryption from the linear assumption. Using this protocol as a building block, a new short group signature is constructed in this paper, which is provable secure in the Bellare-Micciancio-Warinshi model. The scheme is of IND-CCA2-full-anonymity, which allows adversary querying open oracle when trying to attack the anonymity notion. And the signature is only 1704 bits in size. keywords group signature; full anonymity; linear Cramer-Shoup encryption; IND-CCA2 secure; decision linear assumption background This research is supported by the National High Technology Research and Development Program (863 Program) of China (2007AA01Z435)£¬the National Natural Science Foundation of China under grant No.60473072, and the Natural Science Basic Research Plain in Shaanxi Province of China (2007F37). This paper focuses on the field of full-anonymity of group signature. The research group has done much research work in the design of group signature scheme and other related work of electronic auction. Group signatures, introduced by Chaum and van Heyst, allow any member of a certain group to sign a message on behalf of the group, but the signer remains anonymous within the group. Since then, there have been several works on this subject. In 2000, based on a novel use of the DDH assumption combined with the Strong-RSA assumption, Ateniese, Camenisch, Joye and Tsudik present a scheme with constant signature size. This scheme has a resistance to attacks by coalitions of users. In CRYPTO 2004, the scheme of Boneh, Boyen and Shacham takes about 1533 bits for achieving an RSA-1024 security level. It is the shortest GS in the random oracle model. But only chosen plaintext attack(CPA) full-anonymity is achieved in this short group signature. Bellare, Micciancio, and Warinschi (BMW) introduced a modern formalism for static groups. Their definition models a primitive of a relaxed group signature as it requires a key-issuing center to generate all keys in the system and distributes them to the group manager and group members. Since they use generic Non-Interactive Zero Knowledge techniques, their scheme is too inefficient to be useful in practice. Bellare, Shi and Zhang strengthened the security model to include dynamic enrollment of members. Recently, two schemes secure in the standard model are proposed by Boyen and Waters, but the anonymity of those schemes relies on the adversary not being able to see any opening of group signatures. The authors present a new zero-knowledge protocol for SDH£¬which based on Cramer-Shoup encryption from the linear assumption. Using this protocol as a building block, a new short group signature is constructed in this paper, which is provable secure in the Bellare-Micciancio-Warinshi model. The scheme is of IND-CCA2-full-anonymity, which allows adversary querying open oracle when trying to attack the anonymity notion. And the signature is only 1704 bits in size. |