Professional Documents
Culture Documents
Hidden - Identity Based - Signatures Zhou Kiayias
Hidden - Identity Based - Signatures Zhou Kiayias
org
ISSN 1751-8709
Abstract: This study introduces hidden identity-based signatures (Hidden-IBS), a type of digital signatures that
provide mediated signer-anonymity on top of Shamir’s identity-based signatures. The motivation of the new
signature primitive is to resolve an important issue with the kind of anonymity offered by ‘group signatures’
where it is required that either the group membership list be public for opening signatures or that the
opening authority be dependent on the group manager for its operation. Contrary to this, Hidden-IBS does
not require the maintenance of a group membership list for opening signatures and they enable an opening
authority that is totally independent of the group manager. As the authors argue this makes Hidden-IBS much
more attractive than group signatures for a number of applications. In this study, the authors provide a formal
model of Hidden-IBS as well as two efficient constructions that realise the new primitive. To demonstrate the
power of the new primitive, the authors apply it to solve a problem of current onion-routing systems focusing
on the Tor system in particular.
IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 119
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
subsequently, users can issue signatures that a verifier can of users that take advantage of an anonymous service in
identify as signatures originating from a group member but most cases would be the most serious privacy violation
she cannot tell which member is issuing the signature. At possible! Indeed, publishing the list of users that use an
the same time an opening authority (OA) is capable, given anonymous service maybe enough to incriminate them if
an ‘offending’ signature, to recover a piece of information someone wishes their persecution. On the other hand, if (iv-
that leads to the identity of the signer. 2) is true, objective (iii) is violated since the OA cannot
open an offending signature without the help of the GM.
However, as we notice in this work, if one tries to employ This means that the GM can effectively produce a denial of
group signatures to mediate anonymity in an anonymous service to any entity that requires the assistance of the OA
credential system, a fundamental problem arises: and thus the OA cannot really guarantee to a service
provider that it can open an offending signature. This in
turn leads to the OA being less credible and may lead to
1.1 Anonymity catch-22 of group service providers restricting the use of the anonymous system
signatures something that in turn hurts anonymity. Thus no matter
In Heller’s novel [28] Catch-22 refers to a no-win situation; a how one deploys group signatures, privacy is being reduced.
certain setting where no matter what you do you lose. Here
we argue that a similar ‘Catch-22’ scenario occurs when 1.2 Our contribution: hidden identity-
one applies group signatures to mediate anonymity in an
anonymous credential system.
based signatures (Hidden-IBS)
In this work we propose a new digital signature scheme that
To see the problem consider the following sequence of offers anonymity that can be mediated and is based on the
objectives: our primary goal is to (i) maximise anonymity concept of identity-based signatures [30]. In a Hidden-IBS
and its scope; now given that perfect anonymity would be scheme, a signer obtains her signing key by communicating
of limited scope, this implies that we need to: (ii) employ to an identity manager (IM) and negotiating her identity
an opening authority (OA); now, once the OA is allowed, with IM. Given the secret-key the signer can produce
one would want this entity to be managed properly and signatures on a given message so that her identity is not
thus this brings forth: (iii) the OA should be separated revealed to the verifier. Still, the verifier is ensured of the
from the GM (the registration service) and preferably be a fact that the identity negotiation has taken place between
‘threshold entity’ where many share holders should be the signer and the IM and moreover that the signature
allowed to participate equally in the decision-making contains the name of the signer in enciphered form and
process of opening an offending signature. such name can be recovered by an OA.
Now recall the following: in all group signature schemes the Hidden-IBS resolve the anonymity Catch-22 of group
OA is incapable of recovering the identity of the signer signatures since they allow the OA to recover the identity
without comparing the information recovered from the of the signer (i) without having to consult with the IM
signature to a name directory (essentially a group (which substitutes the GM in the Hidden-IBS setting) and
membership database that acts as PKI) that is maintained by (ii) without requiring the IM to publish a listing of users
the GM (this is even true in the recently proposed ‘identity- for opening the anonymous signatures. See Fig. 1.
based’ group signature [29]). With respect to the
membership directory thus, it should be that either (iv-1) We note that in a Hidden-IBS the identity of the signer
the group member directory is public knowledge, or (iv-2) may be equal to any piece of information that is considered
the group member directory is kept secret by the GM. But if acceptable under the policy of the IM, for example, it can
(iv-1) is true, our objective (i) is violated: publishing the list be the signer’s e-mail address, the signer’s IP address and
Figure 1 Comparison of the opening functionality between group signatures and Hidden-IBS
a Group signature with public group membership list for opening signatures
b Group signature with secret group-membership list for opening signatures
c Hidden-IBS, where the member list is not for opening signatures
120 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
so forth. Note that the IM and the signer may execute a id and we write it as certid Reg(pk IM ; sk IM , id); the
multi-round protocol to establish the validity of the signer’s certificate is then returned to the user; the user checks
identity (e.g. the IM may send a verification e-mail to the the validity of the certificate for her identity with respect
signer’s e-mail account). to the IM’s public key and we denote it as
b RegCheck(pk IM ; id, certid ) where b [ {0, 1} and if
In this work we present a formal model of Hidden-IBS verified then b ¼ 1 otherwise b ¼ 0.
that captures two intuitive properties, misidentification
forgery and anonymity. We then present a construction over † Sign: A probabilistic algorithm that given an IM’s public
elliptic curve groups that is based on the strong Diffie- key, an open authority’s public key, a user’s identity, a
Hellman assumption and the decisional linear Diffie- membership certificate on the user’s identity and a message
Hellman assumption in the random oracle model, which is m, outputs a signature for the message m. We write
merely 4605 bits long. We demonstrate how Hidden-IBS Sign(pk IM , pk OA , id; certid , m) to denote the application
can be applied to onion routing [31] and in particular to of the signing algorithm.
the Tor system [32] to allow mediation of anonymity and
thus increase rather than limit the scope of such anonymous † Verify: An algorithm for establishing the validity of an
communication systems. In the full version [33] we also alleged Hidden-IBS signature of a message with respect to
consider how the property of exculpability can also be an IM’s verification key and an OA’s public key. If s is a
achieved, and based on the strong-RSA assumption and signature on a message m, then we have
decisional composite residuosity assumption in the random Verify(pk IM , pk OA ; m, s) [ {0, 1}.
oracle model, we present a construction that achieves
security against a malicious IM. More discussions and all † Open: An algorithm that given a message, a valid Hidden-
proofs are included in the full version. We note that in an IBS signature on it, an IM’s verification key, an OA’s public
independent work [34], a group signature where opening key, and an OA secret key, determines the id directly. In
algorithm does not depend on the membership list is particular id Open(pk IM , pk OA ; sk OA , m, s).
considered, and a concrete construction with exculpability is
also proposed. We note that to achieve their exculpability, Definition 2: (Correctness): The correctness of the Hidden-
each user needs to have a key pair, while in our construction IBS include the registration correctness, the signing
this is not required. Further, our registration protocol is correctness, and the opening correctness. Let (pk IM , sk IM )
much more efficient than theirs. SetupIM(1l ) and (pk OA , sk OA ) SetupOA(1l ).
Definition 1: A Hidden-IBS scheme is a digital signature † Signing correctness: For any verified (certid , id), and for
scheme that consists of six polynomial-time algorithms any m, if s Sign(pk IM , pk OA , id; certid , m), then
kSetup, Reg, Sign, RegCheck, Verify, Openl. The first Verify(pk IM , pk OA ; m, s) ¼ 1.
three algorithms are probabilistic but the last three are not
necessarily. † Opening correctness: For any verified (certid , id), and
for any m, if s Sign(pk IM , pk OA , id; certid , m), then
† Setup: The Setup algorithm includes SetupIM and Open(pk IM , pk OA ; sk OA , m, s) ¼ id.
SetupOA. On input a security parameter, first the global
system parameter is generated. Then on input a security Definition 3: (Misidentification forgery): We say a Hidden-
parameter and the system parameter, the probabilistic IBS scheme is against misidentification-forgery attacks if for
algorithm SetupIM outputs the group verification key pk IM any PPT adversary A, Adv misid A (l) is negligible in l, where
and the signing key sk IM for the IM, the probabilistic Adv misid
A ( l ) ¼ Pr[Expmisid
A ( l) ¼ 1], where the experiment
algorithm SetupOA outputs the public key pk OA and the defined as in Fig. 2.
secret key sk OA for the OA. The Setup algorithm may
include SetupUser; on the input a security parameter Definition 4: (CCA2-anonymity): We say a Hidden-IBS
and the system parameter, outputs id for both the IM and scheme is against anonymity attacks if for any PPT
cca2anon
the user. adversary A ¼ (A1 , A2 ), Adv A (l) is negligible in
cca2anon cca2anon,1
l, where Adv A (l) ¼ Pr[ExpA (l) ¼ 1]
cca2anon,0
† Reg, RegCheck: A user can obtain her membership Pr[ExpA (l) ¼ 1], where the experiment defined as
certificate from the IM based on a registration protocol. For in Fig. 3.
simplicity, here we only consider the following case: a user
sends her identity id to the IM; the IM uses his signing key Definition 5: (CPA-anonymity): We say a Hidden-IBS
to generate a membership certificate certid for the identity scheme is against CPA-anonymity attacks if for any PPT
IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 121
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
cpaanon
adversary A ¼ (A1 , A2 ), Adv A (l) is negligible in 3 Hidden-IBS: construction
cpaanon cpaanon,1
l, where Adv A (l) ¼ Pr[ExpA (l) ¼ 1]
cpaanon,0 In this section we describe our first Hidden-IBS
Pr[ExpA (l) ¼ 1], where the experiment defined as
in Fig. 4. construction. It is geared towards producing short
122 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
signatures and is suitable for relatively short identity strings between the IM and the users. Then the IM generates a
r
(e.g. IP addresses of 32 bits). We let the IM use the BB signature ks, rl for id, where s g 1=xþidþyr , r Zp ,
Boneh-Boyen [35] signature to issue a certificate to each and sends ks, rl to the user by a secure communication
user identity. Once a user obtains the certificate from the channel. Upon receiving the signature ks, rl from the IM,
r
IM, she can generate a Hidden-IBS signature for a bb
the user verifies e(s, X g id b
Y ) ¼ e(g, b
g). The user sets her
message: the user uses linear encryption [16] to ‘embed’ her membership certificate to certid ¼ ks, rl.
identity which can be opened by the OA; the user forms
the signature based on a proof of knowledge that ensures Sign: With a membership certificate certid ¼ ks, rl in
her identity, her certificate, and the relations between them hand, a user can compute a Hidden-IBS signature s for
are properly formed. We present the details below: message m. We first develop a proof of knowledge in
Fig. 5, where the user proves her knowledge of id and
Setup: This procedure first generates the system certid , and proves that certid is a BB signature of id
parameters including the bilinear group parameter from the IM. Then we transform the proof of knowledge
kp, g, b
g, G, G,b c, G , el. Here G ¼ kgl and G b ¼ kb gl are into a signing algorithm by using the Fiat–Shamir
T
cyclic groups of prime order p; and c : G ! G is anb heuristic [36].
isomorphism with c(b g) ¼ g; and e : G G b ! G is a
T
bilinear map, that is for all (u, b b
u) [ G G and a, b [ Z, it Verify: The verifier can verify a message-signature
holds that e(ua , b ub ) ¼ e(u, b
u)ab and e is non-trivial, that is pair by checking the equation c ¼? H(mkSkb RkU
c (j þj ) j c j jr
e(g, bg) = 1. The procedure also generates random element b c jk
kV k W kU u k V v kW b c jl b w k l
b
g id b
kR b g r2b
h 1
r
b b
h Gn{1} and h ¼ c(b h), and a hash function jr j j j
b
Y kU jr1 ujd1 kV jr1 vjd2 kb R 1b
r
g jd3bh 4b
d d
Y 5 ke(g, X bWbb R)jr1
H : {0, 1} ! Zp which will be treated as a random oracle
e(S, b w)(jd1 þjd2 ) e(S, b
w)(jk þjl ) e(g, b g)jr2 e(g, b g)jd3 e(S, b
h)jr1 e(g,
in the security proof. Then the algorithm SetupIM
r
generates key pair (pk IM , sk IM ): selects x, y Zp and b j
h) d4 (e(g, b
g)=e(S, X bWbb c
R)) ).
computes X b ¼b g and b
x
Y ¼b y
g ; sets pk IM ¼ kX b, bY l,
and sk IM ¼ kx, yl. The algorithm SetupOA generates key Open: Given a message-signature pair as described above, the
r r
pair (pk OA , sk OA ): selects b b
w Gn{1}, selects z, h Zp OA first verifies the message-signature pair. Next the OA
and sets b u, b
v[G b such that b z
u ¼b h
v ¼bw; sets w ¼ c(b w), uses her secret key sk OA ¼ kz, hl to open ciphertext
kU , V , W l into g id where W ¼ c(Wb ); considering that the
u ¼ c(b u), v ¼ c(b v); note that uz ¼ vh ¼ w holds; sets
pk OA ¼ ku, v, w, b u, bv, b
wl and sk OA ¼ kz, hl. Finally the identity space is small, the OA recovers id from g id .
algorithm sets the public parameters for the Hidden-IBS
as pub ¼ kp, g, b g, h, b b c, G , e; X
h, G, G, b, bY ; u, v, w, bu, b
v, Theorem 6: The Hidden-IBS scheme is correct and secure
T
b
w; Hl. We still need to prescribe the form of the user satisfying misidentification-forgery and CPA-anonymity in
identities: each identity is a short string with length ‘. For the random oracle model under the SDH and the DLDH
example, it can be an IP address with ‘ ¼ 32 or a userid in assumptions.
a reputation system (e.g. using ‘ ¼ 50 we can allow ten
character long userids with 5 bits per character).
4 Reducing abuse in anonymous
Reg, RegCheck: In the registration protocol, the user
routing systems
sends her identity id to the IM. The IM verifies that id is As mentioned in the introduction some internet services
acceptable (e.g. not being used before or not blacklisted). block certain types of traffic coming through anonymous
We note that the id can also be a product of a negotiation routing systems in order to maintain the quality of their
IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 123
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
124 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
service (e.g. in the case of Wikipedia, POST requests coming open the signature and recover the identity of the abusive
from Tor are blocked to prevent vandalism). This practice user. Subsequently the IM can be notified of the abusive
stems from the fact that anonymous routing systems such user’s identity and the user can be punished by being black-
as Tor have no built-in mechanisms to handle abusive listed (or receiving a negative point in a reputation system).
users. In this section, the authors show how using our Below we describe in more details how we propose to
Hidden-IBS we can strengthen the Tor network with the deploy our Hidden-IBS enhanced Tor system for handling
capability to defend itself against such abusive users. HTTP POST requests to Wikipedia. Note that all other
traffic through Tor would be unaffected (i.e. it would not
Our approach, outlined in Fig. 6, adds three entities to the require a signature).
Tor network deployment: the IM of a Hidden-IBS, a
Disputes&Grievances database and the OA of the Hidden- When the user first installs a Tor OP she can obtain a
IBS. Our basic idea is to show how a service web site that certificate certid for her identity id from the IM. The id
receives Tor traffic can complain about malicious requests that the user deposits to the IM can be the user’s IP address
(e.g. vandalism in the case of Wikipedia) and recover some or a long-lived userid in a reputation system. Subsequently
information about the offending users. In this way the whenever the user wants to send an HTTP POST the OP
anonymous routing system offers a mechanism to prevent builds a route to a Tor exit point (in the figure, this route is
abusive users from taking advantage of anonymity and thus OR1,OR7,OR5 and OR5 is the Tor exit point). When the
its services can be granted higher functionality by service user generates a POST request for a Wikipedia web site
providers. Our enhancement to Tor will be totally the following things happen: (i) the user’s browser passes the
transparent to service web sites that receive Tor traffic. POST request, say post1 to the OP; (ii) the OP sanitises
post1 into post2 so that the header of post2 does not
More specifically now, the Hidden-IBS enhanced Tor contain any unnecessary identity-related information; (iii) the
works like this: certain packets generated by a Tor user are OP generates a random nonce and stored in a Nonce field
permitted through the Tor exit point only if they carry a into the header of post2, resulting to packet post3; and (iv)
Hidden-IBS. The Tor user’s onion proxy (OP) catches this the OP hashes post3 and signs the hash with the Hidden-
and assists the user to obtain the Hidden-IBS signing IBS signing algorithm; (v) the OP creates a new field called
capability. Then any packet that needs to be signed is Signature in the header of post3 and fills it with the
hashed and then signed. Tor exit points verify the Hidden- generated signature; we call the modified post3 as post4; and
IBS signature on the hashed reconstructed packet and (vi) the OP forwards the post4 along the established circuit.
forwards the packet (with the signature removed) to the
web site that the packet was directed while they write the When a Tor exit point assembles a POST request such as
hashed packet together with the signature to a post4 above, it parses the field Signature and obtains the
Disputes&Grievances database. If any vandalism is caught Hidden-IBS signature; then it transforms post4 into post3
by a service provider, the service provider using the packet by throwing away the Signature field in the header and
that was sent through Tor by the abusive user can retrieve computes the hash value of post3 to verify the signature
the corresponding Hidden-IBS from the database and (using the public-key of the IM). Finally, if the signature
forward it to the OA along with a complaint report. Based verifies, the exit point forwards post3 to the Wikipedia
on the properties of the Hidden-IBS scheme, the OA can web site; at the same time it submits the hash value and
Figure 6 Enhancing the Tor network with a mechanism to defend against anonymity abuse using the Hidden-IBS primitive
Note that we use IP addresses as user identities in the figure but other types of identities can be used, for example userids of a reputation
system
IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 125
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
the Hidden-IBS signature to the Disputes&Grievances [11] ATENIESE G., CAMENISCH J., JOYE M., TSUDIK G.: ‘A
database. practical and provably secure coalition-resistant group
signature scheme’. CRYPTO, 2000, (LNCS, 1880), pp. 255–270
Wikipedia may now keep the POST request coming
through a Tor exit point (or in fact only the hash of the [12] CAMENISCH J., LYSYANSKAYA A.: ‘An identity escrow scheme
request suffices). If a certain posting is found to be with appointed verifiers’. CRYPTO, 2001, (LNCS, 2139),
offensive or abusive the web site may search for the pp. 388– 407
corresponding Hidden-IBS signature into the
Disputes&Grieances database (that will be indexed based [13] BELLARE M., MICCIANCIO D., WARINSCHI B.: ‘Foundations of
on the hash of the post). Then, once the hidden-IBS is group signatures: Formal definitions, simplified
recovered it can be submitted to the OA along with a requirements, and a construction based on general
complaint report. The OA uses his secret key to open the assumptions’. EUROCRYPT, 2003, (LNCS, 2656), pp. 614–629
Hidden-IBS and recover offender’s identity (e.g. her IP
address), and then sends this identity to the IM. The IM [14] ATENIESE G., DE MEDEIROS B: ‘Efficient group signatures
may blacklist this identity, which may result in refusing without trapdoors’. ASIACRYPT, 2003, (LNCS, 2894),
future registration requests originating from the offender’s pp. 246– 268
IP address for example. Other strategies may be followed
here by the IM, for example if the identity is a userid in a [15] KIAYIAS A., TSIOUNIS Y., YUNG M.: ‘Traceable signatures’.
reputation system the user may receive a negative point. EUROCRYPT, 2004, (LNCS, 3027), pp. 571– 589
[16] BONEH D., BOYEN X., SHACHAM H.: ‘Short group signatures’.
CRYPTO, 2004, (LNCS, 3152), pp. 41 – 55
5 References
[17] CAMENISCH J., GROTH J.: ‘Group signatures: better
[1] Wikipedia: ‘Advice to Tor users in China’, http://en. efficiency and new theoretical aspects’. SCN, 2004, (LNCS,
wikipedia.org/wiki/Wikipedia:Tor, accessed May 2006 3352), pp. 120 – 133
[2] VON SOLMS S.H., NACCACHE D.: ‘On blind signatures and [18] FURUKAWA J., YONEZAWA S. : ‘Group signatures with
perfect crimes’, Comput. Secur., 1992, 11, (6), pp. 581– 583 separate and distributed authorities’. SCN, 2004, (LNCS,
3352), pp. 77 – 90
[3] CAMENISCH J., MAURER U.M., STADLER M.: ‘Digital payment
systems with passive anonymity-revoking trustees’. [19] CAMENISCH J., LYSYANSKAYA A.: ‘Signature schemes and
ESORICS, 1996, (LNCS, 1146), pp. 33– 43 anonymous credentials from bilinear maps’. CRYPTO,
2004, (LNCS, 3152), pp. 56– 72
[4] FRANKEL Y., TSIOUNIS Y., YUNG M.: ‘Indirect discourse Proof’:
achieving efficient fair off-line e-cash’. ASIACRYPT, 1996, [20] NGUYEN L. , SAFAVI-NAINI R. : ‘Efficient and provably
(LNCS, 1163), pp. 286– 300 securetrapdoor-free group signature schemes from
bilinear pairings’. ASIACRYPT, 2004, (LNCS, 3329),
[5] CHAUM D., VAN HEYST E.: ‘Group signatures’. EUROCRYPT, pp. 372– 386
1991, pp. 257 – 265
[21] BONEH D., SHACHAM H.: ‘Group signatures with verifier-
[6] CHEN L., PEDERSEN T.P.: ‘New group signature schemes local revocation’. CCS, 2004, pp. 168 – 177
(extended abstract)’. EUROCRYPT, 1994, pp. 171– 181
[22] BELLARE M., SHI H., ZHANG C.: ‘Foundations of group
[7] CAMENISCH J. : ‘Efficient and generalized group signatures: the case of dynamic groups’. CT-RSA, 2005,
signatures’. EUROCRYPT, 1997, pp. 465– 479 (LNCS, 3376), pp. 136– 153
[8] CAMENISCH J. , STADLER M.: ‘Efficient group signature [23] KIAYIAS A., YUNG M.: ‘Efficient secure group signatures
schemes for large groups (extended abstract)’. CRYPTO, with dynamic joins and keeping anonymity against group
1997, (LNCS, 1294), pp. 410– 424 managers’. Mycrypt, 2005, (LNCS, 3715), pp. 151 – 170,
Full version at http://eprint.iacr.org/2004/076/
[9] CAMENISCH J., MICHELS M.: ‘A group signature scheme with
improved efficiency’. ASIACRYPT, 1998, (LNCS, 1514), [24] KIAYIAS A., YUNG M.: ‘Group signatures with efficient
pp. 160– 174 concurrent join’. EUROCRYPT, 2005, (LNCS, 3494),
pp. 198–214, Full version at http://eprint.iacr.org/2005/345/
[10] CAMENISCH J., MICHELS M.: ‘Separability and efficiency for
generic group signature schemes’. CRYPTO, 1999, (LNCS, [25] FURUKAWA J., IMAI H.: ‘An efficient group signature scheme
1666), pp. 413 – 430 from bilinear maps’. ACISP, 2005, (LNCS, 3574), pp. 455–467
126 IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119– 127
& The Institution of Engineering and Technology 2009 doi: 10.1049/iet-ifs.2007.0151
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.
www.ietdl.org
[26] BOYEN X., WATERS B.: ‘Compact group signatures without [32] DINGLEDINE R. , MATHEWSON N., SYVERSON P.F.: ‘Tor: the
random oracles’. EUROCRYPT, 2006, (LNCS, 4004), pp. 427–444 second-generation onion router’. USENIX Security Symp.,
2004, pp. 303 – 320
[27] ATENIESE G., CAMENISCH J., HOHENBERGER S., DE MEDEIROS B.:
‘Practical group signatures without random oracles. [33] KIAYIAS A., ZHOU H.-S.: ‘Hidden identity-based signatures’.
Cryptology ePrint Archive’. Report 2005/385, 2005, Cryptology ePrint Archive. Report 2007/140, 2007,
Available at http://eprint.iacr.org/2005/385/ Available at http://eprint.iacr.org/2007/140/
[28] HELLER J.L.: ‘Catch-22’ (Simon & Schuster, 1961) [34] ZHOU S. , LIN D. : ‘An interesting member
ID-based group signature’. Cryptology ePrint Archive.
[29] WEI V.K., YUEN T.H., ZHANG F.: ‘Group signature where group Report 2007/126, 2007, Available at http://eprint.iacr.org/
manager, members and open authority are identity-based’. 2007/126/
ACISP, 2005, (LNCS, 3574), pp. 468 – 480
[35] BONEH D., BOYEN X.: ‘Short signatures without random
[30] SHAMIR A.: ‘Identity-based cryptosystems and signature oracles and the sdh assumption in bilinear groups’,
schemes’. CRYPTO, 1984, pp. 47– 53 J. Crypt., 2008, 21, (2), pp. 149 – 177
[31] GOLDSCHLAG D.M., REED M.G., SYVERSON P.F.: ‘Hiding routing [36] FIAT A., SHAMIR A.: ‘How to prove yourself: practical
information’. Information Hiding, 1996, (LNCS, 1174), solutions to identification and signature problems’.
pp. 137– 150 CRYPTO, 1986, (LNCS, 263), pp. 186 – 194
IET Inf. Secur., 2009, Vol. 3, Iss. 3, pp. 119 – 127 127
doi: 10.1049/iet-ifs.2007.0151 & The Institution of Engineering and Technology 2009
Authorized licensd use limted to: KINGS COLEG LOND. Downlade on Novembr 30, 209 at 10:32 from IE Xplore. Restricon aply.