Short Group Signatures

Brisaac Johnson, Long Li

Overview

1. Motivation & Application
2. A zero-knowledge protocol for SDH
3. Short Group Signature
4. Code result

1. Motivation & Application

A group signature scheme could be used by an employee of a large company where it is sufficient for a verifier to know that a message was signed by an employee, but not which particular employee signed it. The group manager is able to reveal the original signer in the event of a dispute.

The authors construct short group signatures whose length is 192 bytes but which provide the same level of security as a regular RSA signature of 128 bytes.

2. A zero-knowledge protocol for SDH

What is a zero-knowledge proof?

- Alice randomly picks a path.
- Bob selects a path.
- Alice exits from that path.

Linear encryption: $u, v, h \in G_1$ and $x, y \in \mathbb{Z}_p$ such that $u^x = v^y = h$. To encrypt a message $M \in G_1$, choose random values $a, b \in \mathbb{Z}_p$ and output

$$(T_1, T_2, T_3) = (u^a,\; v^b,\; M \cdot h^{a+b}).$$

Linear decryption: to recover the message $M$, compute

$$\frac{T_3}{T_1^{x} \cdot T_2^{y}} = \frac{M \cdot h^{a+b}}{u^{ax} \cdot v^{by}} = \frac{M \cdot h^{a+b}}{h^{a+b}} = M.$$

Public values: $g_1$ and $g_2$ are random generators of $G_1$ and $G_2$, with $g_1 = \psi(g_2)$. $u, v, h$ are random in $G_1$, and $w \in G_2$ with $w = g_2^{\gamma}$ for a secret value $\gamma \in \mathbb{Z}_p$.

Private values: $A \in G_1$ and $x \in \mathbb{Z}_p$ such that $A^{x+\gamma} = g_1$ and $e(A, w g_2^{x}) = e(g_1, g_2)$.

Alice randomly selects exponents $\alpha, \beta$ from $\mathbb{Z}_p$ and computes a Linear encryption of $A$:

$$T_1 \leftarrow u^{\alpha}, \qquad T_2 \leftarrow v^{\beta}, \qquad T_3 \leftarrow A h^{\alpha+\beta},$$

and two helper values

$$\delta_1 \leftarrow x\alpha, \qquad \delta_2 \leftarrow x\beta.$$

Alice wants to prove she has knowledge of values $(\alpha, \beta, x, \delta_1, \delta_2)$ satisfying the following five relations:

To prove that she has knowledge of the values $(\alpha, \beta, x, \delta_1, \delta_2)$, she randomly picks blinding values $r_\alpha, r_\beta, r_x, r_{\delta_1}, r_{\delta_2}$ from $\mathbb{Z}_p$, then computes $R_1$ to $R_5$:

$$R_1 \leftarrow u^{r_\alpha}$$
$$R_2 \leftarrow v^{r_\beta}$$
$$R_3 \leftarrow e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha - r_\beta} \cdot e(h, g_2)^{-r_{\delta_1} - r_{\delta_2}}$$
$$R_4 \leftarrow T_1^{r_x} \cdot u^{-r_{\delta_1}}$$
$$R_5 \leftarrow T_2^{r_x} \cdot v^{-r_{\delta_2}}$$

Alice sends $(T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5)$ to Bob, and Bob sends a challenge value $c$ chosen at random from $\mathbb{Z}_p$. Alice then computes and sends back the values:

$$s_\alpha \leftarrow r_\alpha + c\alpha, \quad s_\beta \leftarrow r_\beta + c\beta, \quad s_x \leftarrow r_x + cx, \quad s_{\delta_1} \leftarrow r_{\delta_1} + c\delta_1, \quad s_{\delta_2} \leftarrow r_{\delta_2} + c\delta_2$$

Finally, Bob verifies the following equations and accepts if all five hold:

$$u^{s_\alpha} = T_1^{c} \cdot R_1$$
$$v^{s_\beta} = T_2^{c} \cdot R_2$$
$$e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha - s_\beta} \cdot e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} = \left( e(g_1, g_2) / e(T_3, w) \right)^{c} \cdot R_3$$
$$T_1^{s_x} \cdot u^{-s_{\delta_1}} = R_4$$
$$T_2^{s_x} \cdot v^{-s_{\delta_2}} = R_5$$

3. Short Group Signature

The short group signature scheme includes 4 algorithms:

1. KeyGen(n)
2. Sign(gpk, gsk[i], M)
3. Verify(gpk, M, $\sigma$)
4. Open(gpk, gmsk, M, $\sigma$)

KeyGen(n)

$g_1$ and $g_2$ are random generators of $G_1$ and $G_2$, with $g_1 = \psi(g_2)$. Randomly select $h$ from $G_1$ and $\xi_1, \xi_2$ and $\gamma$ from $\mathbb{Z}_p$, and set $w = g_2^{\gamma}$. Set $u, v \in G_1$ such that $u^{\xi_1} = v^{\xi_2} = h$.

Using $\gamma$, generate the private key $(A_i, x_i)$ for user $i$: randomly select $x_i$ from $\mathbb{Z}_p$ and set $A_i = g_1^{1/(\gamma + x_i)}$.

Input: $n$. Output: gpk $= (g_1, g_2, h, u, v, w)$, gmsk $= (\xi_1, \xi_2)$, gsk[i] $= (A_i, x_i)$. Key generator: $\gamma$.

Sign(gpk, gsk[i], M)

Compute $T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5$ as introduced in the previous protocol. Compute the challenge value $c$ using a hash function:

$$c \leftarrow H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5) \in \mathbb{Z}_p$$

Using $c$, construct $s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2}$. Output the signature $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$.

Input: gpk $= (g_1, g_2, h, u, v, w)$, gsk[i] $= (A_i, x_i)$, $M$. Output: $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$.

Verify(gpk, M, $\sigma$)

Re-derive $R_1, R_2, R_3, R_4, R_5$ as follows:

$$R_1 = u^{s_\alpha} \cdot T_1^{-c}$$
$$R_2 = T_2^{-c} \cdot v^{s_\beta}$$
$$R_3 = e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha - s_\beta} \cdot e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} \cdot \left( e(T_3, w) / e(g_1, g_2) \right)^{c}$$
$$R_4 = T_1^{s_x} \cdot u^{-s_{\delta_1}}$$
$$R_5 = T_2^{s_x} \cdot v^{-s_{\delta_2}}$$

Check the following equation; accept if it holds, otherwise reject:

$$c \stackrel{?}{=} H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5)$$

Input: gpk $= (g_1, g_2, h, u, v, w)$, $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$, $M$. Output: Accept/Reject.

Open(gpk, gmsk, M, $\sigma$)

Verify that $\sigma$ is a valid signature on $M$. Recover $A_i$ from the Linear encryption $(T_1, T_2, T_3)$:

$$A_i \leftarrow \frac{T_3}{T_1^{\xi_1} \cdot T_2^{\xi_2}}$$

Look up the signer id from the index book of $A_i$.

Input: gpk $= (g_1, g_2, h, u, v, w)$, gmsk $= (\xi_1, \xi_2)$, $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$, $M$. Output: signer id.

4. Code result

Thanks & Questions?
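The Linear encryption, the pairing-free relations of Sign/Verify ($R_1, R_2, R_4, R_5$) and Open from the slides above, as an added Python example that is not the presenters' code. Assumptions: a constructed toy group (squares mod 2039, order 1019) stands in for $G_1$, so the pairing relation $R_3$ is omitted and the result does not prove group membership; all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy stand-in for G1: the order-Q subgroup of squares mod P = 2Q + 1.
# It has no pairing, so R3 (the only pairing relation) is not modelled here.
P, Q, G1 = 2039, 1019, 4

def rand(): return secrets.randbelow(Q - 1) + 1      # uniform in [1, Q-1]
def inv(a): return pow(a, -1, P)                     # inverse of a group element

def keygen():
    """Pick h in G1 and gmsk = (xi1, xi2), then u, v with u^xi1 = v^xi2 = h."""
    h, xi1, xi2 = pow(G1, rand(), P), rand(), rand()
    return (pow(h, pow(xi1, -1, Q), P), pow(h, pow(xi2, -1, Q), P), h), (xi1, xi2)

def issue(gamma, x):
    """A_i = g1^(1/(gamma + x_i)); assumes gamma + x_i != 0 mod Q."""
    return pow(G1, pow(gamma + x, -1, Q), P)

def challenge(msg, *elems):
    # Q is tiny, so c stays the full digest; exponents reduce it mod Q implicitly.
    data = msg + b"|" + b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign_partial(gpk, A, x, msg):
    u, v, h = gpk
    al, be = rand(), rand()
    T1, T2, T3 = pow(u, al, P), pow(v, be, P), A * pow(h, al + be, P) % P
    wit = (al, be, x, x * al % Q, x * be % Q)        # alpha, beta, x, delta1, delta2
    r = [rand() for _ in wit]                        # one blinding value per witness
    R1, R2 = pow(u, r[0], P), pow(v, r[1], P)
    R4 = pow(T1, r[2], P) * inv(pow(u, r[3], P)) % P
    R5 = pow(T2, r[2], P) * inv(pow(v, r[4], P)) % P
    c = challenge(msg, T1, T2, T3, R1, R2, R4, R5)
    return (T1, T2, T3, c, *[(ri + c * wi) % Q for ri, wi in zip(r, wit)])

def verify_partial(gpk, msg, sig):
    u, v, h = gpk
    T1, T2, T3, c, s_al, s_be, s_x, s_d1, s_d2 = sig
    R1 = pow(u, s_al, P) * inv(pow(T1, c, P)) % P    # u^s_alpha * T1^-c
    R2 = pow(v, s_be, P) * inv(pow(T2, c, P)) % P    # v^s_beta * T2^-c
    R4 = pow(T1, s_x, P) * inv(pow(u, s_d1, P)) % P  # T1^s_x * u^-s_delta1
    R5 = pow(T2, s_x, P) * inv(pow(v, s_d2, P)) % P  # T2^s_x * v^-s_delta2
    return c == challenge(msg, T1, T2, T3, R1, R2, R4, R5)

def open_sig(gmsk, sig):
    """Linear decryption with gmsk: A_i = T3 / (T1^xi1 * T2^xi2)."""
    T1, T2, T3 = sig[:3]
    return T3 * inv(pow(T1, gmsk[0], P) * pow(T2, gmsk[1], P)) % P
```

Two signatures by the same member carry different $(T_1, T_2, T_3)$ because $\alpha, \beta$ are fresh each time, yet `open_sig` recovers the same $A_i$ from both; that is what lets the group manager, and nobody else, link a signature to a signer.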