Beruflich Dokumente
Kultur Dokumente
kN
be a sequence of sets of values,
T
k
kN
a sequence of sets of functions from |
f
A
k
to
set |
f
, and {R
k
}
kN
a sequence of sets of relations. As in
[8], |
f
is an efciently samplable input domain for the
function T
k
, and A
k
is the intended input domain whose
elements are to be accumulated. For v |
f
, and x A
k
,
a vector of values w U
R
is called a witness for x in v
with R R
k
if it satises the relationship R, i.e. R(w,x,v)
= 1. A
k
kN
; T
k
kN
; 1
k
kN
is called a secure
dynamic accumulator if they have the following
properties:
v Efcient generation: There exists an efcient prob-
abilistic algorithm G(1
k
) to output a random function
f T
k
: |
f
A
k
|
f
, and a corresponding relation
R(U
R
; A
k
; |
f
), possibly along with some auxiliary
information aux
f
(trapdoor). Note that here |
f
can be
a set of vectors.
v Efcient evaluation: f T
k
is a polynomial-size
circuit that on input (u; x) |
f
A
k
, output v.
v Quasi-commutativity: For all k, for all f T
k
,
for all u |
f
, for all x
1
; x
2
A
k
; f(f(u; x
1
); x
2
) =
f ( f(u; x
2
); x
1
). That is, for X = x
1
; x
2
; :::; x
m
_ A
k
,
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 147
the value vector f ( f ( . . . (u,x
1
), . . . ), x
m
) is independent
of the order of x
i
, therefore can be denoted by f (u,X)
without confusion.
v Coalition resistance: For all probabilistic polynomial-
time adversary /, the following probability is negligible:
Pr[(f, R) G(1
k
), u U
f
, (x; w; X) A(f, R, U
f
, u) :
X A
k
, x = X; w U
R
, R(w, x, f(u, X)) = 1[
v Efcient addition: There exist polynomial algorithms
T
a
;
a
that if v = f(u,X), x X, x
/
= X, and R(w,x,v) = 1,
then (1) T
a
(v; x
/
) = v
/
such that f(u,X{x
/
}) =v
/
; and (2)
a
(f; R; v; v
/
; x; x
/
; w) = w
/
such that R(w
/
, x, v
/
) = 1.
v Efcient deletion: There exist polynomial algorithms
T
d
; W
d
that if v = f (u,X), x, x
/
X, x ,= x
/
, and R(w,x,v)
= 1, then (1) T
d
(aux
f
; v; x
/
) = v
/
such that
f(u; X x
/
) = v
/
; and (2)
d
(f; R; v; v
/
; x; x
/
; w) = w
/
such that R(w
/
,x,v
/
) = 1.
Note that D
d
is executable in polynomial time only
when the trapdoor is available.
2.1 Secure reversed dynamic accumulators
If T
k
in the above denition is a family of bijective
functions, we get a new accumulator by reversing all the
functions in T
k
. The new accumulator with T
1
k
, or
discharger, has the following properties if the original
accumulator is secure dynamic:
v Efcient generation: The efcient generation for T
k
is
still available for T
1
k
:
v Efcient evaluation: v = f
1
(u, x) is polynomial
computable by running T
d
(aux
f
; u; x).
v Quasi-commutativity: For all k, for all f T
k
, for all
u |
f
, for all x
1
; x
2
A
k
, if a = f
1
( f
1
(u, x
1
), x
2
), b =
f
1
( f
1
(u, x
2
), x
1
), then a = b. The equality is obtained
by checking u = f ( f(a, x
2
), x
1
) = f ( f(b, x
1
), x
2
) and
bijective f. That is, for X = x
1
; x
2
; :::; x
m
_ A
k
, the
value vector f
1
(f
1
( . . . (u, x
1
), . . . ), x
m
) is independent
of the order of x
i
, therefore can be denoted by f
1
(u, X)
without confusion.
v Efcient witness: There exist a polynomial algorithm
1(aux
f
; x; u; ) to calculate w that R(w,x,u) = 1.
v Security: For all probabilistic polynomial-time adver-
sary /, the following probability is negligible:
Pr[(f; R) G(1
k
); u |
f
; (x
i
; w
i
) Oracle(1; u);
i [1; t[; j
R
[1; t[; u
/
Oracle(f
1
(u; x
j
));
w /(f; R; |
f
; u; u
/
) :
w U
R
; R(w; x
j
; u
/
) = 1[
Otherwise the coalition resistance of the original
accumulator will not hold.
v Efcient discharge: There exist polynomial algorithms
1T
d
; 1
d
that if v = f
1
(u, X), y, x
/
= X, y ,= x
/
, and
R(w, y, v) = 1, then (1) 1T
d
(aux
f
; v; x
/
) = v
/
such that
f
1
(u, X {x
/
}) = v
/
; and (2) 1
d
(f; R; v; v
/
; y;
x
/
; w) = w
/
such that R(w
/
, y, v
/
) = 1. Precisely, 1T
d
can be computed by running T
d
(aux
f
; v; x
/
), 1
d
by
invoking
d
(f; R; v; v
/
; y; x
/
; w).
v Efcient recharge: There exist polynomial algorithms
1T
r
; 1
r
that if v = f
1
(u, X), y = X, x
/
X, and
R(w, y, v) = 1, then (1) 1T
r
(v; x
/
) = v
/
such that
f
1
(u; X x
/
) = v
/
; and (2) 1
r
(f; R; v; v
/
; y; x
/
; w) =
w
/
such that R(w
/
,y,v
/
) = 1. Actually, 1T
r
can be
computed by running T
a
(v; x
/
); 1
r
by invoking
a
( f; R; v; v
/
; y; x
/
; w).
The witness of x in v = f (u, X) dened in secure
dynamic accumulator becomes witness of x not in u =
f
1
(v,X) dened in the reversed accumulator.
Theorem 1. If f is a secure dynamic accumulator, then
f
1
is a secure reversed dynamic accumulator.
The proof is provided in Section 10.1.
2.2 Comparisons
For an ordinary dynamic accumulator, the evaluation is
efcient and available to every one, while for an reversed
dynamic accumulator, the evaluation is only efciently
available to some authority who knows the trapdoor in
executing D
d
dened in its ordinary version, but the
correctness of D
d
is veriable by every one checking the
relation R.
Discharge and recharge algorithms of a reversed
dynamic accumulator are similar to deletion and
addition algorithms of the dynamic accumulator respec-
tively, except that the order of them being invoked is
reversed.
An extra algorithm calculating witnesses 1 is
added in denition of reversed dynamic accumulator,
while it is not explicitly dened in ordinary dynamic
accumulator for the current accumulator u is the witness
of the next x to be accumulated.
2.3 Examples of secure reversed
dynamic accumulators
We reverse the secure dynamic accumulator construc-
tion dened in [8], see Section 10.2 for the security
proof.
Scheme 1. Let f T
k
be f(u; e) = u
e
mod n;
u QR(n); e A, where n is a product of two safe
primes with length k/2. A = e : e Z
+
n
Primes.
Then f
1
(u; e) = u
1=e
mod n is a secure reversed
dynamic accumulator. Witness of e not in u is knowl-
edge of x that x
e
= u mod n. The trapdoor of factorisa-
tion of n, i.e. aux
f
, is known only to the operator of
reversed accumulator.
3 Review of ACJTs group signature
and CLs membership revocation
The ACJT scheme [2] begins by choosing security
parameters " > 1; k; l
p
, as well as a collision resistent
Hash function H : 0; 1
+
0; 1
k
, let D = [2
l
1
2
l
2
;
2
l
1
2
l
2
[; G=[2
g
1
2
g
2
; 2
g
1
2
g
2
[, where l
1
> " (l
2
k)
2; l
2
>4l
p
; g
1
> (g
2
k) 2; g
2
>l
1
2.
3.1 SETUP
GM randomly chooses two safe primes p, q, i.e. p
/
=
(p 1)/2 and q
/
= (q 1)=2 are large primes too and
a;a
0
;g;h
R
QR
n
;x
R
Z
p
/
q
/ , calculates n=pq;y=g
x
modn.
Group public keys are Y=n;a;a
0
;y;g;h. GMs secret
keys are S=p
/
;q
/
;x.
3.2 JOIN
When user U wants to join the group, he runs an
interactive protocol with GM, and in the end, U obtains
his secret keys x
u
D, his certicate (A
u
, e
u
), where
e
u
R
G, and A
u
:= (a
x
u
a
0
)
1=e
u
mod n:(A
u
; e
u
; x
u
) is the
signing key of U. (A
u
, e
u
) and transcripts generated as
well as the identity of U are stored in a registration
database.
148 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006
3.3 SIGN and VERIFY
U signs on m by generating an honest verier zero-
knowledge proof of (A
u
; e
u
G; x
u
D), which is for-
mulated specically as follows
SK(a; b; g; d) : a
0
= T
a
1
=a
b
y
g
modn; T
2
= g
d
mod n;
1 = T
a
2
=g
g
mod n; T
3
= g
a
h
d
mod n; a G; b Dm;
The verication of the group signature is the verication
of the above proof.
3.4 OPEN
GM calculates A := T
1
=T
x
2
mod n, compares it with the
registration database, the signature signer is then traced;
then GM generates a proof of knowledge PK x : y =
g
x
mod n; T
1
=A
u
= T
x
2
mod n to support his judgement.
3.5 Revocation [8]
An accumulated value u = u
0
P
jS
e
j
is published, where S
is the set of all current group members. Each legitimate
member has to prove his knowledge of w
i
Z
+
n
such that
w
e
i
i
= u mod n, (called witness of U) additionally.
v Members addition: When members in E
add
are to be
added into the group, GM updates u: u u
Pe
j
; e
j
E
add
. An old member e
i
updates his witness w
i
: w
i
w
Pe
j
i
; e
j
E
add
.
v Members deletion: When members in E
del
are to be
revoked from the group, GM updates U: u u
1=Pe
j
;
e
j
E
del
. An old member e
i
= E
del
updates his witness
w
i
: w
i
w
t
i
u
s
, where se
i
te
j
= 1; e
j
E
del
.
To combine all the proofs of knowledge together
efciently, [8] introduced 3 more values: C
e
= g
e
i
h
t
1
;
C
u
= w
i
h
t
2
; C
r
= g
t
2
h
t
3
, where t
1
; t
2
; t
3
R
Z
n=4|
. And the
complete group signature becomes
SK(a; b; g; d; g
1
; g
2
; g
3
;
1
;
2
) : a
0
=T
a
1
=a
b
y
g
modn;
T
2
=g
d
modn; 1 =T
a
2
=g
g
modn; T
3
=g
a
h
d
modn;
C
r
=g
g
2
h
g
3
modn; C
e
=g
a
h
g
1
modn; u =C
u
a
=h
1
modn;
1 =C
r
a
=(g
1
h
2
) modn; a G; b D:
The complication of the proof of knowledge above
lies in the difculty of proving knowledge of an exponent
and a root [i.e. (A
i
,e
i
) and (w
i
,e
i
)] at the same time.
4 Reducing bandwidth of ACJT-CLs group
signature
The idea behind our proposal is to view f
1
2
(a; a
0
; e) =
(a
1=e
; a
1=e
0
) as a reversed extended dynamic accumulator,
where witness of e in (a,a
0
) is (A,x) so that A
e
=
a
x
a
0
mod n.
In fact, [7] had proposed a simple revocation similar
to our proposal. They let a, a
0
change sequentially every
time membership revocation took place. But their
scheme was so inefcient (the reason lay in the way
a, a
0
were changed) that it was abandoned by the authors.
Our scheme could be seen as an efcient version of [7].
Scheme 2. The chosen security parameters and algo-
rithms of SETUP, JOIN, SIGN, VERIFY are exactly
the same as the original ACJT group signature revie-
wed in Section 3, except that a, a
0
can be different
when a membership revocation occurs, so we omit
them here.
1. UPDATE. The UPDATE algorithm comprises
two parts, each executed by GM and concerned
group members, respectively. See Section 10.3 for its
correctness.
v UPDATE-GM
When member revocation occurs, take U
j
0
with
certicate (A
j
0
; e
j
0
) as an example, GM is able to update
a,a
0
as follows because he knows the factorisation of
n: a a
1=e
j
0
modn; a
0
a
0
1=e
j
0
mod n
When member addition occurs, a, a
0
are unchan-
ged. GM just runs normal JOIN protocols with new
members under current values of a, a
0
, the other
members are not affected at all.
v UPDATE-MEMBER
When member revocation occurs, take U
j
0
with
certicate (A
j
0
; e
j
0
) as an example, now part of the public
key a,a
0
have been updated to a
/
; a
/
0
, the i-th member
(i ,= j
0
) can update his certicate as follows: he rst
calculates s,t, so that se
i
te
j
0
= 1, then computes
A
/
i
= A
t
i
(a
/
x
i
a
/
0
)
s
mod n. The computation does not
require group secret key, i.e. factorisation of n, so any
unrevoked group member is able to run UPDATE-
MEMBER.
When member addition occurs, the other members
do nothing.
2. OPEN. GM or Opener calculates A := T
1
=T
x
2
mod n,
compares it with items in the registration database T, if
a match is found, GM generates a proof of knowledge
PKx : y = g
x
mod n; T
1
=A = T
x
2
modn to support his
judgement.
Else if no match is found, GM sets B A, computes
B B
e
j
mod n and searches in T for a match, for each
e
j
E
del
in the reverse order (i.e. if e
1
is revoked before
e
2
, then compute B
e
2
rst) until a match is found.
In other words, if E
del
= e
j
1
; ::::; e
j
D
where
e
j
k
; k [1; D[ is in the order of revocation time, GM
computes A
e
j
D1
e
j
D
:::e
j
k
mod n, from k = D+1 to k = 1 (set
e
j
D1
= 1), and searches in T for a match after each
computation; if a match is found, then stops, outputs
the A
i
and the sequence of e
j
, generates a proof of
knowledge PKx : y = g
x
mod n; T
1
=A = T
x
2
mod n. If
no match is found at last, then output failure.
4.1 The OPEN algorithm
A disadvantage of our proposed scheme is that running
OPEN algorithm on a group signature with encrypted
certicate, e.g. A
i
, might result in a different value from
the stored certicates by GM, because the members
might have updated their certicates when members
deletion occurs. This problem is xed in the above
OPEN algorithm.
It might be doubtful that multiple matches exist in
OPEN. Suppose a user with (x, A, e) joined in the group
when public key is a, a
0
, and A is stored in T; after some
updates, the public key has been updated to a
//
; a
//
0
, the
user generates a group signature using current certicate
A
//
where A
//
e
= a
//
x
a
//
0
mod n. After A
//
is decrypted,
if OPEN is executed on A
//
, the correct A and identity
of user should be recovered when rolling back to a, a
0
,
but what if in an intermediate status, e.g. a match
is found when rolling back to a
/
; a
/
0
between (a, a
0
)
and (a
//
; a
//
0
)
Suppose (a
/
; a
/
0
) = (a
1=E
; a
1=E
0
), and (a
//
; a
//
0
) =
(a
/
1=F
; a
/
0
1=F
), where E and F are co-prime products
of primes in G. If a match is found ahead of correct time,
i.e. there exists a A
/
= A
//
F
in T, then there must be
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 149
a (e x; e e) satisfying A
/
~ e
= a
/
~ x
a
/
0
, so
A
//
eF
= a
/
x
a
/
0
mod n
A
//
F~ e
= a
/
~ x
a
/
0
mod n
When x ,= e x (the probability of x = e x is negligible, so
only inequality is considered here), A
//
Fe~ xF~ ex
=
a
/
0
~ xx
mod n is obtained, if a
/
0
= b
1=C
from some random
b, and C is product of some primes G, which is available
from published revocation list, then the RSA problem of
b is resolvable by the user A and A
/
since the left
exponent is larger than the right one, a contradiction to
RSA assumption. The argument shows the correctness
of above OPEN algorithm.
4.2 Security
Theorem 2. The underlying reversed dynamic accumu-
lator is secure (the proof is in Section 10.5).
Theorem 3. In the proposed scheme, revoked member is
not able to forge valid certicates in polynomial time
(the proof is in Section 10.6).
4.3 Efciency comparisons
Table 1 is a comparison of our scheme and [7, 8] with
respect to signature bandwidth and required computa-
tions (in terms of number of modulus exponent and
root extraction, denoted as e and r, respectively) in
UPDATE, SIGN, VERIFY and OPEN algorithms,
under the parameters of l
p
= 512; k = 160; " = 1:1;
l
2
= 2048; l
1
= 2430; g
2
= 2432; g
1
= 2854. Computa-
tions in UPDATE, i.e., Add and Delete, are summed for
GM and group member (M) separately. Note: BW,
short for bandwidth, i.e. signature size; gpk denotes
group public key; R is the number of revoked members.
5 Review of Nguyen-Nainis group signature
and Nguyens membership revocation
Nguyen-Nainis group signature [10] is essentially the
same as the one with non-frameablity in [11] (Section 7),
except with different description.
It begins by choosing security parameters l, as well as
a collision resistent Hash function H : 0; 1
+
Z
p
, and
a bilinear map e : G
1
G
1
G
M
; ord(G
M
) =p; G
1
=<P>.
SETUP. GM randomly chooses x; x
/
Z
+
p
; P
0
; G;
H
R
G
1
, computes P
pub
= xP; Y = e(G; G)
x/
. Group
public keys are P; P
0
; P
pub
; H; G; Y, GMs secret keys
are x; x
/
.
JOIN. When a user denoted as i want to join the
group, he runs an interactive protocol with GM, and in
the end, user i holds secret key x
i
, and (a
i
,S
i
) called
a certicate from GM, D
i
as his identity, where
e(a
i
P P
pub
; S
i
) = e(P; x
i
P P
0
), and D
i
= e(P; S
i
).
SIGN. A signature of user i on m is to show his
knowledge of (a
i
; S
i
; x
i
) such that e(a
i
P P
pub
; S
i
) =
e(P; x
i
P P
0
), and he has correctly encrypted his
identity D
i
in (E = tG; L = D
i
Y
t
), without revealing
any information about his identity, except for the
opener, who can decrypt (E, L) to get D
i
.
VERIFY. Verier accept a signature by checking the
correctness of the signature of proof.
OPEN & JUDGE. Omitted here.
Revocation [9]. Publish an accumulated value V,
which is initialised to V
0
= uQ, where u
R
Z
+
p
. Add
Q
pub
= sQ to the public key.
Suppose the current group accumulator value is V
j
,
when user i with (x
i
; a
i
; S
i
) has joined the group, GM
updates the value V
j
to V
j 1
: V
j1
= (a
i
s)V
j
.
User i sets his current membership witness W
i;j1
to be
V
j
. While the other members update their membership
witnesses as follows (take user i
/
with (a
i
/ ; S
i
/ ; x
i
/ ) as an
example): W
i
/
, j1
= V
j
(a
i
a
i
/ )W
i
/
;j
.
Suppose the current group accumulator value is V
j
,
when user i with (x
i
; a
i
; S
i
) has been revoked from the
group, the GM or issuer updates the value V
j
to V
j 1
:
V
j1
=
1
a
i
s
V
j
User i
/
,= i with (a
i
/ ; S
i
/ ; x
i
/ ) updates his membership
witness as follows:
W
i
/
;j1
=
1
a
i
a
i
/
(W
i
/
;j
V
j
)
The group signature includes an additional proof of
knowledge of (a
i
,W
i
) that e(a
i
QQ
pub
; W
i
) = e(Q; V),
so the complexity is nearly twice that of the revocation-
free scheme.
6 Reducing bandwidth of Nguyen-Nainis
group signature with revocation
Scheme 3. The chosen security parameters and algo-
rithms of SETUP, JOIN, SIGN, VERIFY are exactly
the same as the original Nguyen-Nainis group signature
scheme [10] reviewed in Section 5 except that P; P
0
; P
pub
can be different when a membership revocation occurs,
so we omit them here.
1. UPDATE. The UPDATE algorithm comprises two
parts, each executed by GM and concerned group
members respectively. See Section 10.4 for its correctness.
v UPDATE-GM
When member revocation occurs, suppose user j
0
with certicate (S
j
0
; a
j
0
) is to be deleted, GM is able to
update P; P
0
; P
pub
since it knows group secret key x:
P
1
a
j
0
x
P; P
0
1
a
j
0
x
P
0
;P
pub
xP
When member addition occurs, P,P
0
are unchan-
ged. GM just runs normal JOIN protocols with new
members under current values of P,P
0
, the other
members are not affected at all.
v UPDATE-MEMBER
When member revocation occurs, suppose user j
0
with certicate (S
j
0
; a
j
0
) has been deleted, now P,P
0
has
been updated to P
/
; P
/
0
, the ith member (i ,= j
0
)
computes:
S
/
i
=
1
a
j
0
a
i
[S
i
(x
i
P
/
P
/
0
)[
Note that the computation does not require group
secret key x, so is available to any unrevoked group
member.
When member addition occurs, the other members
do nothing.
Table 1: Comparison of ACJT scheme with various
membership revocations
Standard BW gpk Add Delete SIGN VERIFY OPEN
[Ast02] O(k) 6288 Not required 14e O(R) 1e
[CL02] 20399 7312 GM:1e/M:1e GM:1r/M:2e 24e 24e 1e
Ours 14261 6288 GM:0/M:0 GM:2r/M:3e 11e 11e Re
150 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006
2. OPEN. The decryption is same as Nguyen-Nainis.
After D is obtained from decryption, GM compares it
with items in the registration database T; if a match is
found, output the identity and a proof of correct
decryption as in [10].
Else if no match is found, GM sets B D, computes
B B
(a
j
x)
2
and searches in T for a match, for each
a
j
E
del
in the reverse order (i.e. if a
1
is revoked before
a
2
, then compute B
a
2
rst) until a match is found.
In other words, if E
del
= a
j
1
; ::::; a
j
D
where
a
j
k
; k [1; D[ is in the order of revocation time,
GM computes D
(a
j
D1
x)
2
(a
j
D
x)
2
:::(a
j
k
x)
2
, from k = D +
1 to k = 1 (set a
j
D1
= 1), and searches in T for a match
after each computation; if a match is found, then stops,
outputs the D
i
, the identity and the sequence of a
j
,
generates a proof of correct decryption. If no match is
found at last, then output failure.
6.1 Correctness of OPEN
The correctness of above OPEN can be veried as
follows. Suppose a group member joined the group at
(P; P
0
; P
pub
), obtained a certicate S
i
and D
i
= e(P; S
i
)
was stored in T. After some time public key (P; P
0
; P
pub
)
has been updated to (P
/
; P
/
0
; P
/
pub
) because of revocation
of a
j
. The group member generates signatures under
current public key, encrypts D = e(P
/
; S
/
i
) in the group
signature.
D
(a
j
x)
2
= e((a
j
x)P
/
; (a
j
a
i
a
i
x)S
/
i
)
= e(P; (a
j
a
i
)S
/
i
x
i
P P
0
)
= e(P; S
i
) = D
i
It might be doubtful that multiple matches exist in
OPEN. Suppose a group member with secret key and
certicate (x
i
; S
i
; a
i
) joined the group when public key is
(P; P
0
; P
pub
), and D
i
= e(P; S
i
) is stored in T; after some
updates, the public key has been updated to
(P
//
; P
//
0
; P
//
pub
), the member generates a group signature
using current certicate S
//
i
where S
//
i
=
1
a
i
x
(x
i
P
//
P
//
0
).
After e(P
//
; S
//
i
) is decrypted, if OPEN is executed, the
correct D
i
and identity of user should be recovered when
rolling back to (P; P
0
; P
pub
), but what if a match is
found in an intermediate status between (P,P
0
,P
pub
) and
(P
//
; P
//
0
; P
//
pub
), say (P
/
; P
/
0
; P
/
pub
):
Suppose (P
/
, P
/
0
; P
/
pub
) = (
1
E
P;
1
E
P
0
;
1
E
P
pub
), and
(P
//
; P
//
0
; P
//
pub
) = (
1
F
P
/
;
1
F
P
/
0
;
1
F
P
/
pub
), where E and F are
products of a
k
x, a
k
s are published in revocation list
and it is said k E if a
k
x is included in E, E F = .
Denote E =
Q
kE
(a
k
x); F =
Q
kF
(a
k
x).
If a match is found ahead of correct time, i.e. there
exists a e(P
/
; S
/
) = e(P
//
; S
//
i
)
F
2
in T, then there must be
a (x
j
; a
j
,= a
i
) satisfying S
/
=
1
a
j
x
(x
j
P
/
P
/
0
), so
1
a
j
x
(x
j
P
/
P
/
0
) = S
/
= FS
//
i
=
1
a
i
x
(x
i
P
/
P
/
0
)
If P
/
0
= gP
/
, g is unknown to GM, then from above
equation it follows that
g =
a
j
x
i
a
i
x
j
(x
i
x
j
)x
a
i
a
j
It means if multiple matches for one decrypted D
occurs with non-negligible probability, then it can be
used to resolve the discrete logarithm problem in a
certain group, which is a contradiction to our
assumption since q-SDH assumption implies discrete
logarithm assumption.
6.2 Security
The security of our scheme can be reduced to the
original scheme of [10] and adopted secure reversed
dynamic accumulator, which we omit here for its
similarity with ACJTs scheme.
6.3 Efciency comparisons
Obviously SIGN here is more efcient than the original
scheme with membership revocation, since an additional
proof of knowledge of his witness W
i;j1
is missing.
UPDATE algorithm is also efcient especially when
member addition occurs, since no updates are needed
at all.
7 Conclusions
We formally dened reversed dynamic accumulator,
which has been used in some short group signatures
to provide revocation efcient [11]; we then applied it to
[2, 8] and [9, 10] to obtain short group signature schemes
with revocation.
We deal with some problems occurring when reversed
dynamic accumulators are adopted, which has not been
considered and solved in [11], such as opening a group
signature correctly.
Opening a signature is inefcient compared with
regular dynamic accumulator based schemes, but it is
acceptable under the condition that OPEN is far less
executed than SIGN and VERIFY, and it is very useful
in some applications where short signature size and
efcient revocation are all important.
8 Acknowledgments
The work reported here was supported by 973 Project of
China (No.2004CB318004), 863 Project of China (No.
2003AA144030) and NSFC90204016.
9 References
1 Chaun, and van Heyst, E.: Group signatures. EUROCRYPT91.
1991, (LNCS, 547), pp. 257265
2 Ateniese, G., Camenisch, J., Joye, M., and Tsudik, G.: A practical
and provably secure coalition-resistant group signature scheme.
CRYPTO00, 2000, (LNCS, 1880), pp. 255270
3 Bellare, M., Shi, H., and Zhang, C.: Foundations of group
signatures: The case of dynamic groups. CT-RSA05. 2005,
(LNCS, 3376), pp. 136153. Full Paper at http://www-cse.ucsd.
edu/~mihir/papers/dgs.html.
4 Kiayias, A., and Yung, M.: Group signatures: Provable security,
efcient constructions and anonymity from trapdoor-holders.
Cryptology ePrint Archive, Report 2004/076, 2004
5 Ateniese, G., and Tsudik, G.: Some open issues and new directions
in group signature schemes. Financial Cryptography99, 1999,
(LNCS, 1648)
6 Bresson, E., and Stern, J.: Efcient revocation in group signatures.
PRC01, 2001, (LNCS, 1992)
7 Ateniese, G., Song, D., and Tsudik, G.: Quasi-efcient revocation
in group signatures. Financial Cryptography02, 2002, (LNCS,
2357)
8 Camenisch, J., and Lysyanskaya, A.: Dynamic accumulators
and application to efcient revocation of anonymous credentials.
CRYPTO02, pp. 6176, (LNCS, 2442)
9 Nguyen, L.: Accumulators from bilinear pairings and applications.
CT-RSA05, 2005, (LNCS, 3376), pp. 275292. A modied version
is available at Cryptology ePrint Archive: Report 2005/123
10 Nguyen, L., and Safavi-Naini, R.: Efcient and provably secure
trapdoor-free group signature schemes from bilinear pairings.
ASIACRYPT04, 2004, (LNCS, 3329), pp. 372386
11 Boneh, D., Boyen, X., and Shacham, H.: Short group signatures.
CRYPTO04, 2004, (LNCS, 3152), pp. 4555
12 Boneh, D., and Boyen, X.: Short signatures without random
oracles. EUROCRYPT04, 2004, (LNCS, 3027), pp. 5673
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 151
13 Chen, Z., Wang, J., Wang, Y., Huang, J., and Huang, D.: An
efcient revocation algorithm in group signatures. ICISC03, 2003,
(LNCS, 2971), pp. 339351
10 Appendixes
10.1 Proof of Theorem 1
Proof. Suppose f
1
is not secure, given a randomly
chosen u, polynomial number of (x
i
; w
i
) that
R(x
i
; w
i
; u) = 1, there exist an adversary / to calculate
w
+
that R(x
j
; w
+
; u
/
) = 1, where x
j
is chosen by / from
the queries, and u
/
is a reply from Oracle(f
1
(x
j
; u)).
Then an adversary B of f can be constructed as
follows: run
d
(f; R; u; u
/
; x
i
; x
j
; w
i
) = w
/
i
for all x
i
; i ,= j,
such that R(w
/
i
; x
i
; u
/
) = 1. Let X = x
i
; i ,= j, there exist
u
0
that f(u
0
; X) = u, then (x
j
; w
+
; X) is the output of B,
R(x
j
; w
+
; f(u
0
; X)) = 1 while x
j
= X, a violation of secure
dynamic accumulator f. &
10.2 Security proof of reversed dynamic
accumulator scheme 1
Scheme 4. Let f
1
T
k
be f
1
(u; e) = u
e
mod n; u QR(n);
e A, where n is a product of two safe primes
with length k/2. A = e : e Z
+
n
Primes. Then
f
1
1
(u; e) = u
1=e
mod n is a secure reversed dynamic
accumulator. Witness of e not in u is knowledge of x
that x
e
= u mod n. The trapdoor of factorisation of n,
i.e. aux
f
1
, is known only to the operator of reversed
accumulator.
v Efcient evaluation when trapdoor is known:
f
1
1
(u; X) = u
1
e
1
e
2
:::e
l
; X = e
i
; e
i
A is efcient if p,q are
known.
v Efcient witness: Given u, e and p, q, it is efcient
to calculate w such that w
e
= u mod n by w =
u
e
1
mod (p1)(q1)
modn.
v Discharge: to discharge e
1
from v, computes v
/
=
f
1
1
(v; e
1
) = v
1=e
1
mod n efciently by knowledge of fac-
torisation of n. For a member holding (e
2
; w
2
) where
e
2
,= e
1
and w
2
e
2
= v mod n, new witness w
/
2
is comput-
able by the extended GCD algorithm as described in [8].
v Security: For the discharged or revoked member
holding e
1
; w
1
; w
1
e
1
= v, it is not polynomially comput-
able to get the new witness w
/
1
that w
/
1
e
1
=
v
/
= v
1=e
1
mod n, otherwise strong RSA assumption is
broken.
Proof. Suppose a challenge of strong RSA problem is
y
R
Z
+
n
, simulator of Oracle(1) and Oracle(f
1
1
) is
run as follows: let u = y
P
i
e
i
mod n; i [1; Q[ (Q is the
query number to Oracle(1)), then responds to queries
are (e
i
; w
i
= y
P
k,=i
e
k
) mod n. Adversary may select any
one out of e
i
randomly, suppose it is e
j
, queries
Oracle(f
1
) about e
j
and u, and get the return u
/
=
y
P
i,=j
e
i
mod n. The adversary wins if it can come out w
*
so
that w
+e
j
= u
/
mod n. That is w
+e
j
= y
P
i,=j
e
i
mod n, since
e
i
are different primes, we can compute y =
(y
s
w
+t
)
e
j
mod n, where se
j
tP
i,=j
e
i
= 1. &
10.3 Correctness of UPDATE in Section 4
A
/
i
e
i
= (A
t
i
(a
/
x
i
a
/
0
)
s
)
e
i
= A
i
te
i
(a
/
x
i
a
/
0
)
1te
j
0
= a
/
x
i
a
/
0
[
A
i
e
i
(a
/
x
i
a
/
0
)
e
j
0
[
t
= a
/
x
i
a
/
0
[
A
i
e
i
(a
x
i
a
0
)
[
t
= a
/
x
i
a
/
0
mod n:
10.4 Correctness of UPDATE in Section 6
(a
i
x)S
/
i
=
a
i
x
a
j
0
a
i
[S
i
(x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
1
a
i
x
(x
i
PP
0
) (x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
1
a
i
x
(x
i
(a
j
0
x)P
/
(a
j
0
x)P
/
0
)
(x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
x
i
(a
j
0
x)
a
i
x
x
i
[P
/
a
i
x
a
j
0
a
i
[
a
j
0
x
a
i
x
1[P
/
0
=x
i
P
/
P
/
0
:
10.5 Proof of Theorem 2
Proof. The security of f
1
2
as a reversed accumulator is
based on the secure reversed accumulator dened as f
1
1
in Scheme 1. Suppose f
1
2
is not secure, we can construct
an adversary /
1
of f
1
1
from adversary /
2
of f
1
2
. Let
a
0
= u, a = a
P
i
e
i
0
mod n; i [1; Q[(Q is the query number
to Oracle
f
2
(1)). Oracle
f
2
(1) responds each query
with (x
i
; A
i
; e
i
). (A
i
=a
x
i
P
j,=i
e
j
0
; e
i
) are returned to the
adversary /
1
as responds of Oracle
f
1
(RW). Suppose f
1
2
is not secure, adversary /
2
successfully computed
(A
+
; x
+
) where A
+e
j
= a
/
x
+
a
/
0
mod n; j
R
[1; Q[, and
(a
/
; a
/
0
) = Oracle(f
1
2
(e
j
; a; a
0
)). Then A
1
wins by output-
ting w
+
= A
+
a
/
0
x
+
P
k,=j
e
k
mod n because w
+e
j
= a
/
0
mod n,
where a
/
0
= a
1=e
j
0
mod n. &
10.6 Proof of Theorem 3
Proof. If a member with certicate and secret key
(A
i
; e
i
; x
i
) is revoked, suppose he can forge a valid
certicate (A
/
; e
/
; x
/
) compatible to the current public
key (a
/
; a
/
0
) where a
/
= a
1=e
i
modn, a
/
0
= a
0
1=e
i
mod n.
Case e
/
,= e
i
: In this case,
A
i
= a
/
x
i
a
/
0
mod n
A
/
e
/
= a
/
x
/
a
/
0
mod n:
It is a contradiction to the unforgeability and coalition
resistance of the original ACJT scheme with public keys
a
/
; a
/
0
[2].
Case e
/
= e
i
: In this case, a forgery is a contradiction to
the based secure reversed dynamic accumulator. &
152 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006