www.ietdl.

org

Published in IET Information Security

Received on 30th September 2007
Revised on 19th December 2008
doi: 10.1049/iet-ifs.2007.0151

ISSN 1751-8709

Hidden identity-based signatures

A. Kiayias H.-S. Zhou
Department of Computer Science and Engineering, University of Connecticut, Storrs, CT 06269, USA
E-mail: hszhou@cse.uconn.edu

Abstract: This study introduces hidden identity-based signatures (Hidden-IBS), a type of digital signatures that
provide mediated signer-anonymity on top of Shamir’s identity-based signatures. The motivation of the new
signature primitive is to resolve an important issue with the kind of anonymity offered by ‘group signatures’
where it is required that either the group membership list be public for opening signatures or that the
opening authority be dependent on the group manager for its operation. Contrary to this, Hidden-IBS does
not require the maintenance of a group membership list for opening signatures and they enable an opening
authority that is totally independent of the group manager. As the authors argue this makes Hidden-IBS much
more attractive than group signatures for a number of applications. In this study, the authors provide a formal
model of Hidden-IBS as well as two efficient constructions that realise the new primitive. To demonstrate the
power of the new primitive, the authors apply it to solve a problem of current onion-routing systems focusing
on the Tor system in particular.

1 Introduction increase of malicious activity trafficking through

anonymous communication networks (e.g. for distribution
Anonymity and privacy is an issue of increasing concern in of child pornography) will force such networks to become
the internet and the offering of services such as anonymous even more restricted in scope something that in turn will
channels is an important aspect of the future internet nullify the purpose they were built originally (to protect free
infrastructure if we want to retain fundamental rights such speech and enable anonymous communication for legal uses).
as free speech. Still, anonymous systems are plagued by the
potential of misuse and any system that permits strong Misusing anonymity is by no means a new idea: for
anonymity seems to be doomed to be of limited use in one example the work of [2] shows how anonymous e-cash can
sense or another. To see this point consider the recent be used to commit a perfect crime. For this reason
example of Tor (http://tor.eff.org/), an onion-routing primitives such as fair off-line cash [3, 4] were proposed
system, and how Tor traffic is currently handled by where it is possible for an authority to manage anonymity
Wikipedia (http://wikipedia.org/). While Wikipedia allows and reveal the identities of the entities behind a certain
HTTP ‘GET requests’ from Tor, it does not allow editing transaction given that certain conditions are satisfied. It
(i.e. HTTP ‘POST requests’) since allowing such requests should be stressed that the existence of such ‘anonymity
opens the possibility that malicious users vandalise the mediation’ systems is not restricting anonymity but rather
content of the web site (indeed, Wikipedia suggests to enhance it since they make it possible to employ
disable privacy in Tor in order to publish to the web site anonymous systems in cases where no such system may be
through the onion-router, see [1]). For similar reasons, allowed to exist (because of regulation and potential of
Tor’s ‘exit policy’ drops all SMTP packets (i.e. packets misuse).
directed to port 25) to make sure that spammers do not
take advantage of the anonymity offered by Tor.
Group signatures, introduced in [5], and further studied in
a number of works [6– 27] constitute a tool that can be used
The above two examples illustrate the fact that anonymous to offer such mediated anonymity. Indeed, in a group
communication systems such as Tor are limited in their scope signature it is possible for users to join the group and
because of the potential of misuse. It is conceivable that an obtain a credential from the group manager (GM);

IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 119
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org

subsequently, users can issue signatures that a verifier can of users that take advantage of an anonymous service in
identify as signatures originating from a group member but most cases would be the most serious privacy violation
she cannot tell which member is issuing the signature. At possible! Indeed, publishing the list of users that use an
the same time an opening authority (OA) is capable, given anonymous service maybe enough to incriminate them if
an ‘offending’ signature, to recover a piece of information someone wishes their persecution. On the other hand, if (iv-
that leads to the identity of the signer. 2) is true, objective (iii) is violated since the OA cannot
open an offending signature without the help of the GM.
However, as we notice in this work, if one tries to employ This means that the GM can effectively produce a denial of
group signatures to mediate anonymity in an anonymous service to any entity that requires the assistance of the OA
credential system, a fundamental problem arises: and thus the OA cannot really guarantee to a service
provider that it can open an offending signature. This in
turn leads to the OA being less credible and may lead to
1.1 Anonymity catch-22 of group service providers restricting the use of the anonymous system
signatures something that in turn hurts anonymity. Thus no matter
In Heller’s novel [28] Catch-22 refers to a no-win situation; a how one deploys group signatures, privacy is being reduced.
certain setting where no matter what you do you lose. Here
we argue that a similar ‘Catch-22’ scenario occurs when 1.2 Our contribution: hidden identity-
one applies group signatures to mediate anonymity in an
anonymous credential system.
based signatures (Hidden-IBS)
In this work we propose a new digital signature scheme that
To see the problem consider the following sequence of offers anonymity that can be mediated and is based on the
objectives: our primary goal is to (i) maximise anonymity concept of identity-based signatures [30]. In a Hidden-IBS
and its scope; now given that perfect anonymity would be scheme, a signer obtains her signing key by communicating
of limited scope, this implies that we need to: (ii) employ to an identity manager (IM) and negotiating her identity
an opening authority (OA); now, once the OA is allowed, with IM. Given the secret-key the signer can produce
one would want this entity to be managed properly and signatures on a given message so that her identity is not
thus this brings forth: (iii) the OA should be separated revealed to the verifier. Still, the verifier is ensured of the
from the GM (the registration service) and preferably be a fact that the identity negotiation has taken place between
‘threshold entity’ where many share holders should be the signer and the IM and moreover that the signature
allowed to participate equally in the decision-making contains the name of the signer in enciphered form and
process of opening an offending signature. such name can be recovered by an OA.

Now recall the following: in all group signature schemes the Hidden-IBS resolve the anonymity Catch-22 of group
OA is incapable of recovering the identity of the signer signatures since they allow the OA to recover the identity
without comparing the information recovered from the of the signer (i) without having to consult with the IM
signature to a name directory (essentially a group (which substitutes the GM in the Hidden-IBS setting) and
membership database that acts as PKI) that is maintained by (ii) without requiring the IM to publish a listing of users
the GM (this is even true in the recently proposed ‘identity- for opening the anonymous signatures. See Fig. 1.
based’ group signature [29]). With respect to the
membership directory thus, it should be that either (iv-1) We note that in a Hidden-IBS the identity of the signer
the group member directory is public knowledge, or (iv-2) may be equal to any piece of information that is considered
the group member directory is kept secret by the GM. But if acceptable under the policy of the IM, for example, it can
(iv-1) is true, our objective (i) is violated: publishing the list be the signer’s e-mail address, the signer’s IP address and

Figure 1 Comparison of the opening functionality between group signatures and Hidden-IBS
a Group signature with public group membership list for opening signatures
b Group signature with secret group-membership list for opening signatures
c Hidden-IBS, where the member list is not for opening signatures

120 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
 www.ietdl.org

so forth. Note that the IM and the signer may execute a id and we write it as certid Reg(pk IM ; sk IM , id); the
multi-round protocol to establish the validity of the signer’s certificate is then returned to the user; the user checks
identity (e.g. the IM may send a verification e-mail to the the validity of the certificate for her identity with respect
signer’s e-mail account). to the IM’s public key and we denote it as
b RegCheck(pk IM ; id, certid ) where b [ {0, 1} and if
In this work we present a formal model of Hidden-IBS verified then b ¼ 1 otherwise b ¼ 0.
that captures two intuitive properties, misidentification
forgery and anonymity. We then present a construction over † Sign: A probabilistic algorithm that given an IM’s public
elliptic curve groups that is based on the strong Diffie- key, an open authority’s public key, a user’s identity, a
Hellman assumption and the decisional linear Diffie- membership certificate on the user’s identity and a message
Hellman assumption in the random oracle model, which is m, outputs a signature for the message m. We write
merely 4605 bits long. We demonstrate how Hidden-IBS Sign(pk IM , pk OA , id; certid , m) to denote the application
can be applied to onion routing [31] and in particular to of the signing algorithm.
the Tor system [32] to allow mediation of anonymity and
thus increase rather than limit the scope of such anonymous † Verify: An algorithm for establishing the validity of an
communication systems. In the full version [33] we also alleged Hidden-IBS signature of a message with respect to
consider how the property of exculpability can also be an IM’s verification key and an OA’s public key. If s is a
achieved, and based on the strong-RSA assumption and signature on a message m, then we have
decisional composite residuosity assumption in the random Verify(pk IM , pk OA ; m, s) [ {0, 1}.
oracle model, we present a construction that achieves
security against a malicious IM. More discussions and all † Open: An algorithm that given a message, a valid Hidden-
proofs are included in the full version. We note that in an IBS signature on it, an IM’s verification key, an OA’s public
independent work [34], a group signature where opening key, and an OA secret key, determines the id directly. In
algorithm does not depend on the membership list is particular id Open(pk IM , pk OA ; sk OA , m, s).
considered, and a concrete construction with exculpability is
also proposed. We note that to achieve their exculpability, Definition 2: (Correctness): The correctness of the Hidden-
each user needs to have a key pair, while in our construction IBS include the registration correctness, the signing
this is not required. Further, our registration protocol is correctness, and the opening correctness. Let (pk IM , sk IM )
much more efficient than theirs. SetupIM(1l ) and (pk OA , sk OA ) SetupOA(1l ).

† Registration correctness: Any membership certificate

2 Hidden-IBS: modelling issued by IM can be verified, that is for any certid
In this section, we give the definition of Hidden-IBS. The Reg(pk IM ; sk IM , id), it holds that RegCheck(pk IM ; id,
participating parties are: IM, OA, users U and verifiers V. certid ) ¼ 1.

Definition 1: A Hidden-IBS scheme is a digital signature † Signing correctness: For any verified (certid , id), and for
scheme that consists of six polynomial-time algorithms any m, if s Sign(pk IM , pk OA , id; certid , m), then
kSetup, Reg, Sign, RegCheck, Verify, Openl. The first Verify(pk IM , pk OA ; m, s) ¼ 1.
three algorithms are probabilistic but the last three are not
necessarily. † Opening correctness: For any verified (certid , id), and
for any m, if s Sign(pk IM , pk OA , id; certid , m), then
† Setup: The Setup algorithm includes SetupIM and Open(pk IM , pk OA ; sk OA , m, s) ¼ id.
SetupOA. On input a security parameter, first the global
system parameter is generated. Then on input a security Definition 3: (Misidentification forgery): We say a Hidden-
parameter and the system parameter, the probabilistic IBS scheme is against misidentification-forgery attacks if for
algorithm SetupIM outputs the group verification key pk IM any PPT adversary A, Adv misid A (l) is negligible in l, where
and the signing key sk IM for the IM, the probabilistic Adv misid
A ( l ) ¼ Pr[Expmisid
A ( l) ¼ 1], where the experiment
algorithm SetupOA outputs the public key pk OA and the defined as in Fig. 2.
secret key sk OA for the OA. The Setup algorithm may
include SetupUser; on the input a security parameter Definition 4: (CCA2-anonymity): We say a Hidden-IBS
and the system parameter, outputs id for both the IM and scheme is against anonymity attacks if for any PPT
cca2anon
the user. adversary A ¼ (A1 , A2 ), Adv A (l) is negligible in
cca2anon cca2anon,1
l, where Adv A (l) ¼ Pr[ExpA (l) ¼ 1]
cca2anon,0
† Reg, RegCheck: A user can obtain her membership Pr[ExpA (l) ¼ 1], where the experiment defined as
certificate from the IM based on a registration protocol. For in Fig. 3.
simplicity, here we only consider the following case: a user
sends her identity id to the IM; the IM uses his signing key Definition 5: (CPA-anonymity): We say a Hidden-IBS
to generate a membership certificate certid for the identity scheme is against CPA-anonymity attacks if for any PPT

IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 121
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org

Figure 2 Experiment of misidentification forgery

Figure 3 Experiment of CCA2-anonymity

In the experiment above, OpenOracle:s ðÞ operates as the OpenOracleðÞ with the restriction that it will return ? if the adversary submit s
as the signature to be opened

cpaanon
adversary A ¼ (A1 , A2 ), Adv A (l) is negligible in 3 Hidden-IBS: construction
cpaanon cpaanon,1
l, where Adv A (l) ¼ Pr[ExpA (l) ¼ 1]
cpaanon,0 In this section we describe our first Hidden-IBS
Pr[ExpA (l) ¼ 1], where the experiment defined as
in Fig. 4. construction. It is geared towards producing short

122 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
 www.ietdl.org

Figure 4 Experiment of CPA-anonymity

In the experiment above, the CorruptIMOracle() used is same as that in the CCA2 version, and the OpenOracle() is not allowed

signatures and is suitable for relatively short identity strings between the IM and the users. Then the IM generates a
r
(e.g. IP addresses of 32 bits). We let the IM use the BB signature ks, rl for id, where s g 1=xþidþyr , r  Zp ,
Boneh-Boyen [35] signature to issue a certificate to each and sends ks, rl to the user by a secure communication
user identity. Once a user obtains the certificate from the channel. Upon receiving the signature ks, rl from the IM,
r
IM, she can generate a Hidden-IBS signature for a bb
the user verifies e(s, X g id b
Y ) ¼ e(g, b
g). The user sets her
message: the user uses linear encryption [16] to ‘embed’ her membership certificate to certid ¼ ks, rl.
identity which can be opened by the OA; the user forms
the signature based on a proof of knowledge that ensures Sign: With a membership certificate certid ¼ ks, rl in
her identity, her certificate, and the relations between them hand, a user can compute a Hidden-IBS signature s for
are properly formed. We present the details below: message m. We first develop a proof of knowledge in
Fig. 5, where the user proves her knowledge of id and
Setup: This procedure first generates the system certid , and proves that certid is a BB signature of id
parameters including the bilinear group parameter from the IM. Then we transform the proof of knowledge
kp, g, b
g, G, G,b c, G , el. Here G ¼ kgl and G b ¼ kb gl are into a signing algorithm by using the Fiat–Shamir
T
cyclic groups of prime order p; and c : G ! G is anb heuristic [36].
isomorphism with c(b g) ¼ g; and e : G  G b ! G is a
T
bilinear map, that is for all (u, b b
u) [ G  G and a, b [ Z, it Verify: The verifier can verify a message-signature
holds that e(ua , b ub ) ¼ e(u, b
u)ab and e is non-trivial, that is pair by checking the equation c ¼? H(mkSkb RkU
c (j þj ) j c j jr
e(g, bg) = 1. The procedure also generates random element b c jk
kV k W kU u k V v kW b c jl b w k l
b
g id b
kR b g r2b
h 1
r
b b
h  Gn{1} and h ¼ c(b h), and a hash function jr  j j j
b
Y kU jr1 ujd1 kV jr1 vjd2 kb R 1b
r
g jd3bh 4b
d d
Y 5 ke(g, X bWbb R)jr1
H : {0, 1} ! Zp which will be treated as a random oracle
e(S, b w)(jd1 þjd2 ) e(S, b
w)(jk þjl ) e(g, b g)jr2 e(g, b g)jd3 e(S, b
h)jr1 e(g,
in the security proof. Then the algorithm SetupIM
r
generates key pair (pk IM , sk IM ): selects x, y  Zp and b j
h) d4 (e(g, b
g)=e(S, X bWbb c
R)) ).
computes X b ¼b g and b
x
Y ¼b y
g ; sets pk IM ¼ kX b, bY l,
and sk IM ¼ kx, yl. The algorithm SetupOA generates key Open: Given a message-signature pair as described above, the
r r
pair (pk OA , sk OA ): selects b b
w  Gn{1}, selects z, h  Zp OA first verifies the message-signature pair. Next the OA
and sets b u, b
v[G b such that b z
u ¼b h
v ¼bw; sets w ¼ c(b w), uses her secret key sk OA ¼ kz, hl to open ciphertext
kU , V , W l into g id where W ¼ c(Wb ); considering that the
u ¼ c(b u), v ¼ c(b v); note that uz ¼ vh ¼ w holds; sets
pk OA ¼ ku, v, w, b u, bv, b
wl and sk OA ¼ kz, hl. Finally the identity space is small, the OA recovers id from g id .
algorithm sets the public parameters for the Hidden-IBS
as pub ¼ kp, g, b g, h, b b c, G , e; X
h, G, G, b, bY ; u, v, w, bu, b
v, Theorem 6: The Hidden-IBS scheme is correct and secure
T
b
w; Hl. We still need to prescribe the form of the user satisfying misidentification-forgery and CPA-anonymity in
identities: each identity is a short string with length ‘. For the random oracle model under the SDH and the DLDH
example, it can be an IP address with ‘ ¼ 32 or a userid in assumptions.
a reputation system (e.g. using ‘ ¼ 50 we can allow ten
character long userids with 5 bits per character).
4 Reducing abuse in anonymous
Reg, RegCheck: In the registration protocol, the user
routing systems
sends her identity id to the IM. The IM verifies that id is As mentioned in the introduction some internet services
acceptable (e.g. not being used before or not blacklisted). block certain types of traffic coming through anonymous
We note that the id can also be a product of a negotiation routing systems in order to maintain the quality of their

IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 123
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org

Figure 5 Hidden identity-based identification protocol

124 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
 www.ietdl.org

service (e.g. in the case of Wikipedia, POST requests coming open the signature and recover the identity of the abusive
from Tor are blocked to prevent vandalism). This practice user. Subsequently the IM can be notified of the abusive
stems from the fact that anonymous routing systems such user’s identity and the user can be punished by being black-
as Tor have no built-in mechanisms to handle abusive listed (or receiving a negative point in a reputation system).
users. In this section, the authors show how using our Below we describe in more details how we propose to
Hidden-IBS we can strengthen the Tor network with the deploy our Hidden-IBS enhanced Tor system for handling
capability to defend itself against such abusive users. HTTP POST requests to Wikipedia. Note that all other
traffic through Tor would be unaffected (i.e. it would not
Our approach, outlined in Fig. 6, adds three entities to the require a signature).
Tor network deployment: the IM of a Hidden-IBS, a
Disputes&Grievances database and the OA of the Hidden- When the user first installs a Tor OP she can obtain a
IBS. Our basic idea is to show how a service web site that certificate certid for her identity id from the IM. The id
receives Tor traffic can complain about malicious requests that the user deposits to the IM can be the user’s IP address
(e.g. vandalism in the case of Wikipedia) and recover some or a long-lived userid in a reputation system. Subsequently
information about the offending users. In this way the whenever the user wants to send an HTTP POST the OP
anonymous routing system offers a mechanism to prevent builds a route to a Tor exit point (in the figure, this route is
abusive users from taking advantage of anonymity and thus OR1,OR7,OR5 and OR5 is the Tor exit point). When the
its services can be granted higher functionality by service user generates a POST request for a Wikipedia web site
providers. Our enhancement to Tor will be totally the following things happen: (i) the user’s browser passes the
transparent to service web sites that receive Tor traffic. POST request, say post1 to the OP; (ii) the OP sanitises
post1 into post2 so that the header of post2 does not
More specifically now, the Hidden-IBS enhanced Tor contain any unnecessary identity-related information; (iii) the
works like this: certain packets generated by a Tor user are OP generates a random nonce and stored in a Nonce field
permitted through the Tor exit point only if they carry a into the header of post2, resulting to packet post3; and (iv)
Hidden-IBS. The Tor user’s onion proxy (OP) catches this the OP hashes post3 and signs the hash with the Hidden-
and assists the user to obtain the Hidden-IBS signing IBS signing algorithm; (v) the OP creates a new field called
capability. Then any packet that needs to be signed is Signature in the header of post3 and fills it with the
hashed and then signed. Tor exit points verify the Hidden- generated signature; we call the modified post3 as post4; and
IBS signature on the hashed reconstructed packet and (vi) the OP forwards the post4 along the established circuit.
forwards the packet (with the signature removed) to the
web site that the packet was directed while they write the When a Tor exit point assembles a POST request such as
hashed packet together with the signature to a post4 above, it parses the field Signature and obtains the
Disputes&Grievances database. If any vandalism is caught Hidden-IBS signature; then it transforms post4 into post3
by a service provider, the service provider using the packet by throwing away the Signature field in the header and
that was sent through Tor by the abusive user can retrieve computes the hash value of post3 to verify the signature
the corresponding Hidden-IBS from the database and (using the public-key of the IM). Finally, if the signature
forward it to the OA along with a complaint report. Based verifies, the exit point forwards post3 to the Wikipedia
on the properties of the Hidden-IBS scheme, the OA can web site; at the same time it submits the hash value and

Figure 6 Enhancing the Tor network with a mechanism to defend against anonymity abuse using the Hidden-IBS primitive
Note that we use IP addresses as user identities in the figure but other types of identities can be used, for example userids of a reputation
system

IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 125
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org

the Hidden-IBS signature to the Disputes&Grievances [11] ATENIESE G., CAMENISCH J., JOYE M., TSUDIK G.: ‘A
database. practical and provably secure coalition-resistant group
signature scheme’. CRYPTO, 2000, (LNCS, 1880), pp. 255–270
Wikipedia may now keep the POST request coming
through a Tor exit point (or in fact only the hash of the [12] CAMENISCH J., LYSYANSKAYA A.: ‘An identity escrow scheme
request suffices). If a certain posting is found to be with appointed verifiers’. CRYPTO, 2001, (LNCS, 2139),
offensive or abusive the web site may search for the pp. 388– 407
corresponding Hidden-IBS signature into the
Disputes&Grieances database (that will be indexed based [13] BELLARE M., MICCIANCIO D., WARINSCHI B.: ‘Foundations of
on the hash of the post). Then, once the hidden-IBS is group signatures: Formal definitions, simplified
recovered it can be submitted to the OA along with a requirements, and a construction based on general
complaint report. The OA uses his secret key to open the assumptions’. EUROCRYPT, 2003, (LNCS, 2656), pp. 614–629
Hidden-IBS and recover offender’s identity (e.g. her IP
address), and then sends this identity to the IM. The IM [14] ATENIESE G., DE MEDEIROS B: ‘Efficient group signatures
may blacklist this identity, which may result in refusing without trapdoors’. ASIACRYPT, 2003, (LNCS, 2894),
future registration requests originating from the offender’s pp. 246– 268
IP address for example. Other strategies may be followed
here by the IM, for example if the identity is a userid in a [15] KIAYIAS A., TSIOUNIS Y., YUNG M.: ‘Traceable signatures’.
reputation system the user may receive a negative point. EUROCRYPT, 2004, (LNCS, 3027), pp. 571– 589

[16] BONEH D., BOYEN X., SHACHAM H.: ‘Short group signatures’.
CRYPTO, 2004, (LNCS, 3152), pp. 41 – 55
5 References
[17] CAMENISCH J., GROTH J.: ‘Group signatures: better
[1] Wikipedia: ‘Advice to Tor users in China’, http://en. efficiency and new theoretical aspects’. SCN, 2004, (LNCS,
wikipedia.org/wiki/Wikipedia:Tor, accessed May 2006 3352), pp. 120 – 133

[2] VON SOLMS S.H., NACCACHE D.: ‘On blind signatures and [18] FURUKAWA J., YONEZAWA S. : ‘Group signatures with
perfect crimes’, Comput. Secur., 1992, 11, (6), pp. 581– 583 separate and distributed authorities’. SCN, 2004, (LNCS,
3352), pp. 77 – 90
[3] CAMENISCH J., MAURER U.M., STADLER M.: ‘Digital payment
systems with passive anonymity-revoking trustees’. [19] CAMENISCH J., LYSYANSKAYA A.: ‘Signature schemes and
ESORICS, 1996, (LNCS, 1146), pp. 33– 43 anonymous credentials from bilinear maps’. CRYPTO,
2004, (LNCS, 3152), pp. 56– 72
[4] FRANKEL Y., TSIOUNIS Y., YUNG M.: ‘Indirect discourse Proof’:
achieving efficient fair off-line e-cash’. ASIACRYPT, 1996, [20] NGUYEN L. , SAFAVI-NAINI R. : ‘Efficient and provably
(LNCS, 1163), pp. 286– 300 securetrapdoor-free group signature schemes from
bilinear pairings’. ASIACRYPT, 2004, (LNCS, 3329),
[5] CHAUM D., VAN HEYST E.: ‘Group signatures’. EUROCRYPT, pp. 372– 386
1991, pp. 257 – 265
[21] BONEH D., SHACHAM H.: ‘Group signatures with verifier-
[6] CHEN L., PEDERSEN T.P.: ‘New group signature schemes local revocation’. CCS, 2004, pp. 168 – 177
(extended abstract)’. EUROCRYPT, 1994, pp. 171– 181
[22] BELLARE M., SHI H., ZHANG C.: ‘Foundations of group
[7] CAMENISCH J. : ‘Efficient and generalized group signatures: the case of dynamic groups’. CT-RSA, 2005,
signatures’. EUROCRYPT, 1997, pp. 465– 479 (LNCS, 3376), pp. 136– 153

[8] CAMENISCH J. , STADLER M.: ‘Efficient group signature [23] KIAYIAS A., YUNG M.: ‘Efficient secure group signatures
schemes for large groups (extended abstract)’. CRYPTO, with dynamic joins and keeping anonymity against group
1997, (LNCS, 1294), pp. 410– 424 managers’. Mycrypt, 2005, (LNCS, 3715), pp. 151 – 170,
Full version at http://eprint.iacr.org/2004/076/
[9] CAMENISCH J., MICHELS M.: ‘A group signature scheme with
improved efficiency’. ASIACRYPT, 1998, (LNCS, 1514), [24] KIAYIAS A., YUNG M.: ‘Group signatures with efficient
pp. 160– 174 concurrent join’. EUROCRYPT, 2005, (LNCS, 3494),
pp. 198–214, Full version at http://eprint.iacr.org/2005/345/
[10] CAMENISCH J., MICHELS M.: ‘Separability and efficiency for
generic group signature schemes’. CRYPTO, 1999, (LNCS, [25] FURUKAWA J., IMAI H.: ‘An efficient group signature scheme
1666), pp. 413 – 430 from bilinear maps’. ACISP, 2005, (LNCS, 3574), pp. 455–467

126 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
 www.ietdl.org

[26] BOYEN X., WATERS B.: ‘Compact group signatures without [32] DINGLEDINE R. , MATHEWSON N., SYVERSON P.F.: ‘Tor: the
random oracles’. EUROCRYPT, 2006, (LNCS, 4004), pp. 427–444 second-generation onion router’. USENIX Security Symp.,
2004, pp. 303 – 320
[27] ATENIESE G., CAMENISCH J., HOHENBERGER S., DE MEDEIROS B.:
‘Practical group signatures without random oracles. [33] KIAYIAS A., ZHOU H.-S.: ‘Hidden identity-based signatures’.
Cryptology ePrint Archive’. Report 2005/385, 2005, Cryptology ePrint Archive. Report 2007/140, 2007,
Available at http://eprint.iacr.org/2005/385/ Available at http://eprint.iacr.org/2007/140/

[28] HELLER J.L.: ‘Catch-22’ (Simon & Schuster, 1961) [34] ZHOU S. , LIN D. : ‘An interesting member
ID-based group signature’. Cryptology ePrint Archive.
[29] WEI V.K., YUEN T.H., ZHANG F.: ‘Group signature where group Report 2007/126, 2007, Available at http://eprint.iacr.org/
manager, members and open authority are identity-based’. 2007/126/
ACISP, 2005, (LNCS, 3574), pp. 468 – 480
[35] BONEH D., BOYEN X.: ‘Short signatures without random
[30] SHAMIR A.: ‘Identity-based cryptosystems and signature oracles and the sdh assumption in bilinear groups’,
schemes’. CRYPTO, 1984, pp. 47– 53 J. Crypt., 2008, 21, (2), pp. 149 – 177

[31] GOLDSCHLAG D.M., REED M.G., SYVERSON P.F.: ‘Hiding routing [36] FIAT A., SHAMIR A.: ‘How to prove yourself: practical
information’. Information Hiding, 1996, (LNCS, 1174), solutions to identification and signature problems’.
pp. 137– 150 CRYPTO, 1986, (LNCS, 263), pp. 186 – 194

IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 127
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009

Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.