A New and Efficient Signature on Commitment Values

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 101

A New and Eﬃcient Signature on Commitment Values

Fangguo Zhang1,3, Xiaofeng Chen2,3, Yi Mu4, and Willy Susilo4 (Corresponding author: Fangguo Zhang)

Department of Electronics and Communication Engineering, Sun Yat-Sen University1 Guangzhou 510275, P. R. China (Email: [email protected]) Department of Computer Science, Sun Yat-Sen University, Guangzhou 510275, P. R. China2 Guangdong Key Laboratory of Information Security Technology Guangzhou 510275, P. R. China3 School of IT and Computer Science University of Wollongong, Wollongong, NSW 2522, Australia4 (Received July 15, 2006; revised and accepted Nov. 8, 2006)

Abstract user, it cannot be transferred to any one else, i.e. “non- transferability”. It is desirable that the overheads of com- We present a new short signature scheme based on a vari- munication and computation imposed by a credential sys- ant of the Boneh-Boyen’s short signatures schemes. Our tem to users and services must not heavily affect their short signature scheme is secure without requiring the performance. random oracle model. We show how to prove a commit- The studies of anonymous credential have gone through ted value embedded in our short signature. Using this several stages. After its introduction by Chaum, Brands primitive, we construct an efficient anonymous credential presented a public key based construction of anonymous system. credential in which a user can provide in zero knowledge Keywords: Anonymity, anonymous credentials, commit- that the credentials encoded by its certificate satisfy a ment, signature given linear Boolean formula [6]. This scheme allows only one show, namely, two transactions from the same user can be found performed by the same user. Camenisch and 1 Introduction Lysyanskaya proposed an anonymous credential scheme Signature schemes are a central cryptographic primitive. based on the strong RSA assumption [7]. In this scheme, Besides being an important stand-alone application, they it is possible to unlinkably prove possession of a creden- also constitute a building block in many cryptographic tial supporting multi-show property. There are several protocols. One of important applications of signatures is other schemes that are based on different security assump- anonymous credential. tions. Verheul recently proposed an efficient solution for The notion of anonymous credential was introduce by multi-show credentials based on the security assumptions Chaum [11]. A credential system allows a user to obtain of Decisional Diffie-Hellman problem and Computational credentials, and to prove that he has a given set of cre- Diffie-Hellman problem [15]. Camenisch and Lysyanskaya dentials. An anonymous credential system enables a user recently also proposed generalized anonymous credential to work with his credentials without revealing any infor- systems and showed how to construct them from known mation not explicitly requested. A user should be able to signature and encryption schemes [1]. obtain a credential without revealing his identity, and to As claimed by Camenisch and Lysyanskaya [8], in or- prove that he has a set of credentials without revealing der to construct an anonymous credential system, it is any information beyond that fact. To be useful for this sufficient to exhibit a commitment scheme, a signature application, a signature scheme must have efficient pro- scheme, and efficient protocols for (1) proving equality of tocols for obtaining a signature on a hidden (committed) two committed values; (2) getting a signature on a com- value, and for proving in zero-knowledge the knowledge mitted value (without revealing this value to the signer); of a signature. and (3) proving knowledge of a signature on a committed An anonymous credential system should meet some es- value. sential properties: It should be secure against attacks In this paper, we propose a variant of Boneh-Boyen from a coalition of users. It should be able to be used short signature scheme without random oracle such that for multiple times, i.e., so-called “multi-show”. It is it can be used as a building block for cryptographic pro- also essential that one a credential has been issued to a tocols. We provide a protocol to prove knowledge of a sig- International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 102 nature on a committed message and to obtain a signature • KeyGen(1`). on a committed message. Our scheme can be naturally converted into an anonymous credential scheme. • CIssue: The user uses Commit and the signer uses The organization of the rest of this paper is as follows. Sign. In the end of the process, the user obtains (c,s). In the next section, we define the definitions and require- • CVerify. The user checks the validity of (c,s) using ments for signature on commitment values. The Section 3 Verify. contains some preliminaries required throughout the paper. In Section 4, we present a variant of Boneh-Boyen • CProve. Using Prove, the user proves to the service short signature scheme without random oracle and give provider about his knowledge on (m,a) and s on c its security analysis. In Section 5 we propose a signa- and outputs (PK, Proof). ture on a committed message. In Section 6, we present a basic anonymous credential system based the proposed • CVerify. The service provider checks the correctness signature scheme. Section 7 concludes this paper. of (PK, proof) using PVerify. We define the security notion for our basic signature 2 Definitions and Requirements scheme only. It is easy to extend it to the anonymous multi-show credential scheme. Our signature scheme consists of a committer, a signer, Completeness property for the signature on commit- and a verifier. The committer commits to a value and ment values is defined as follows. the signer then signs the committed value. Any one can (SK, VK, param0) ← KeyGen(1`) ∧ verify the correctness of the signature. The committer  (c,s) ← Sign(c, SK) ∧  can prove to the verifier that he knows the committed Pr true ← Verify(c,s) ∧ =1. value embedded in the signature.    (PK, Proof) ← Prove(c,s) ∧    Definition 1. Our signature scheme is a 6-tuple  true ← PVerify(PK, Proof)    of polynomial-time algorithms (KeyGen, Commit, Sign, Verify, Prove, PVerify), where We require our schemes to meet the requirement of existentially unforgeable against the chosen message at- ` • KeyGen(1 ) is a probabilistic algorithm that takes as tacks. We split it into to properties: Security of signa- input the security parameter ` and outputs a pair of ture of commitment and security of proving knowledge of keys (SK, VK) and param0. SK is the user’s signing committed message in a signature. Assume there exists a key, which is kept secret, and VK the user’s verifica- TTP adversary A who launches a chosen message attack tion key, which is made public. against our signature scheme and at most asks n queries • Commit, a probabilistic algorithm, takes as input a to the signing oracle. message m from the associated message space M and a number a and outputs a commitment c. true ← Verify(c0,s0) ∧ (c0,s0) Pr = . • Sign, a probabilistic algorithm, takes as input the ← A(ci, VK, param0,i =1, · · · ,n) signer’s secret key SK, param0, and the commitment Here, is negligible. c and outputs a signature s ← Sign (c). SK,VK For security of proving knowledge of committed mes- • Verify is a deterministic algorithm that takes as input sage in a signature, we also require statistical zero knowl- the signed commitment c and the signer’s public key edge; that is, it is negligible for an adversary A to obtain VK and outputs true or ⊥. any information on m.

• Prove is a probabilistic algorithm that takes as input Pr A knows m|true ← Verify(PK(m), Proof) = . s and c and outputs (PK, Proof) proving the knowledge of the committed m and c without revealing the committed values. 3 Preliminaries • PVerify is a deterministic algorithm that takes as in- 3.1 Bilinear Pairings put (PK, Proof) and outputs true or ⊥. In recent years, the bilinear pairings have been widely Our anonymous multi-show credential scheme is based applied to cryptography and enable us to construct some the proposed signature scheme and consists of an orga- new cryptographic primitives. We brieﬂy review the nec- nization, a group of users, and a service provider. The essary facts about bilinear pairings using the same nota- organization acts as the signer who issues credentials to tion as [2, 4, 5]: users for some service provided by the service provider. Let G1, G2 be (multiplicative) cyclic groups of prime Deﬁnition 2. The proposed anonymous multi-show cre- order p. Let g1 be a generator of G1 and g2 be a generator dential scheme is a 5-tuple of polynomial-time algorithms of G2. Let ψ is a computable isomorphism from G2 to G1, (KeyGen, CIssue, CVerify, CProve, CPVerify). with ψ(g2)= g1. International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 103

x r Definition 3. A map e : G1 × G2 → GT (here GT is an- and setting the commitment C = g h . This commitment other multiplicative cyclic group such that |G1| = |G2| = scheme is information-theoretically hiding, and is binding |GT | = p) is called a bilinear pairing if this map satisfies under the discrete logarithm assumption. the following properties: G G Z 1) Bilinearity: for all u ∈ 1, v ∈ 2 and a,b ∈ p, 4 A Variant of BB04 Signature a b ab we have e(u , v )= e(u, v) . Scheme 2) Non-degeneracy: e(g1,g2) 6=1. In other words, if g1 be a generator of G1 and g2 be a generator of G2, We describe the new signature scheme as follows. Let G G G then e(g1, g2) generates GT . e : 1 × 2 → T be the bilinear pairing where |G1| = |G2| = |GT | = p for some prime p. We assume 3) Computability: There is an efficient algorithm to that |p| ≥ 160. As for the message space, if the signa- G G compute e(u, v) for all u ∈ 1 and v ∈ 2. ture scheme is intended to be used directly for signing messages, then |m| = 160 is good enough, because, We say that (G , G ) are bilinear groups if there exists 1 2 given a suitable collision resistant hash function, such a group G , a computable isomorphism ψ : G → G , T 2 1 as SHA-1, one can first hash a message to 160 bits, and and a bilinear pairing e : G × G → G as above. 1 2 T then sign the resulting value. So the messages m to be In this paper, we assume that G 6= G . In this 1 2 signed can be regarded as an element in Z . We also case, the co-Decision Diffie-Hellman problem (co-DDH) p need a very efficient and suitable conversion function in (G , G ) is easy, but we can still assume that the De- 1 2 from G to Z∗: [·] : G → Z∗. The system parameter cision Diffie-Hellman problem (DDH) in G is hard. 1 p 1 p 1 is (G , G , G , e, p, g , h, g , [·]), here g ,h ∈ G , The following Strong Diffie-Hellman assumption is sug- 1 2 T 1 2 1 1 g ∈ G are random generators. gested by [2, 13, 16]. [2] also provides a lower bound on 2 2 the computational complexity in a generic group model. Z∗ Key Generation. Randomly select x, y ∈R p, x y Definition 4. (q-SDH problem) The q-Strong Diffie- and compute u = g2 , v = g2 . The public key is u, v. The Hellman problem in (G1, G2) is defined as follows: given secret key is x, y. γ γq a (q + 2)-tuple (g1,g2,g2 , · · · ,g2 ) as input, outputs a 1/γ+x Z∗ Z∗ pair (g1 , x) where x ∈ p. Signing: Given the secret key x, y ∈R p, and a message m ∈ Zp, compute the signature An algorithm A has advantage in solving q-SDH in 1 G G m x gm yr ( 1, 2) if +[ 1 ]+ G σ = (g1 ) ∈ 1. γ γq 1/γ+x P r[A(g1,g2,g2 , · · · ,g2 ) = (g1 , x)] ≥ , Z∗ Here r is randomly selected from p. The signature is where the probability is over the random choice of gen- (r, σ). G Z∗ erator in g2 ∈ 2, of γ ∈ p, and of the random bits of m [g1 ] r m A. Verification: Verify that e(σ, ug2 v )= e(g1 , g2). We say that the (q,t,)-SDH assumption holds in We now give the security theorems and proofs for the above instantiation. (G1, G2) if no t-time algorithm has advantage at least in solving the q-SDH problem in (G , G ). 1 2 Lemma 1. If there exists a (t, qS,)-forger F using adaptive chosen message attack for the proposed signature 3.2 Proofs of Knowledge of Discrete Log- scheme, then there exists a (t, qS ,)-forger F for BB04 arithms scheme. We will use the notation introduced by Camenisch and Proof. Recall that BB04 signature scheme is described Stadler [10] for various proofs of knowledge of discrete as follows. The system parameter is same as the above logarithms. For instance, scheme. α β 0α 0γ Z∗ PK{(α,β,γ) : y = g h ∧ z = g h ∧ (a ≤ α ≤ b)} Key Generation. Randomly select x, y ∈R p, x y and compute u = g2 , v = g2 . The public key is u, v. The is used for proving the knowledge of integers α, β and γ secret key is x, y. such that y = gαhβ and z = g0αh0γ holds, where a ≤ α ≤ 0 0 b. Here y,g,h,z,g and h are elements of some groups Z∗ Signing: Given the secret key x, y ∈R p, and a G G = = and T = = . message m ∈ Zp, compute the signature

1 x+m+yr G 3.3 Pedersen Commitment Scheme σ = g1 ∈ 1. Recall the Pedersen commitment scheme [14]: given a The signature is (r, σ). group G of prime order p with generators g and h, a com- Z∗ Z∗ m r mitment to x ∈ p is formed by choosing a random r ∈ p Veriﬁcation: Verify that e(σ, ug2 v )= e(g1, g2). International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 104

Suppose that there exists a (t, qS ,)-forger F using proof of knowledge of a signed message for above signa- adaptive chosen message attack for the proposed signature scheme. ture scheme, i.e., after at most qS signatures queries and t processing time, F outputs a valid signature forgery Common input. The system parameter is (G1, (r, σ) on message m with probability at least , here G2, GT , e, p, g1, h, g2, [·]), and the public key (u, v). m [g1 ] r m e(σ, ug2 v )= e(g1 , g2). − 0 m 0 m 1 Prover’s input. The committed message m and Let m = [g1 ], σ = σ , then we have a forgery on BBS04 scheme. This is because of a, and signature (r, σ).

0 0 −1 m m r m [g1 ] r Protocol. The prover does the following: e(σ , ug2 v )= e(σ , ug2 v )= e(g1, g2). 1) Compute a blinded version of his signature (r, σ): Z∗ Randomly select r1, r2 ∈R p, and compute Theorem 1 ([2]). Suppose the (q,t0,0)-SDH assumption 0 [c] r [c] 0 holds in G. Then BBS04 signature scheme is (t, qS ,)- r r1 r1 1 rr1 r2 c = (ug2 v ) = u g2 v , σ = σ . secure against existential forgery under an adaptive chosen message attack provided that Send (c0, σ0) to the veriﬁer.

0 qS 0 0 2 qS

Here α = mr1r2, β = ar1r2, λ1 = r1, λ2 = r1[c], λ3 = 5 Obtaining a Signature on a rr1. blind the credential by using two randomly generate numbers r1, r2. The completeness of the proposed signa- Committed Value ture scheme on a committed value is obvious. Due to the using of two randomly generate numbers r1, r2, the proto- Following Camenisch and Lysyanskaya, in order to con- col can provide the anonymity. The protocol above uses struct an anonymous credential system, it is suﬃcient to zero-knowledge proof, so, it is a zero-knowledge proof of exhibit a signature on a committed value. We provide a a signature on a value. new signature on a committed value based on the variant of BB04 signature scheme in this section. G G G The system parameter is ( 1, 2, T , e, p, g1, h, g2, 6 A Multi-show Anonymous Cre- G G [·]), here g1, h ∈ 1, g2 ∈ 2 are random generators. dential Scheme Z∗ KeyGen. Randomly select x, y ∈R p, and compute y Based on the proposed signature scheme, we can now con- u = gx, v = g . The public key is u, v. The secret key is 2 2 struct the multi-show anonymous credential scheme. We x, y. will follow the notations given previously in this paper. The system parameter is same as above signature Commit: Compute c = gmha. 1 scheme. Z∗ Sign: Given the secret key x, y ∈R p, and a com- • KeyGen(1`): Generate public (u, v) and private sign- G mitment c ∈ 1, compute the signature as follows: ing key (x, y). Z∗ Randomly select r ∈R p, compute • CIssue: The user commits to (m,a) by computing 1 m a σ = c x+[c]+ry ∈ G1. c = g1 h . and the signer computes the signature on 1 c: (r, σ = c x+[c]+ry ). m a The signature one c = g1 h is (r, σ). [c] r ? • CVerify. The user checks e(σ, ug v ) = e(c, g2). [c] r 2 Verify: Verify that e(σ, ug2 v )= e(c, g2). • CProve. Using Prove, the user proves to the service Prove: The following protocol is a zero-knowledge provider about his knowledge on (m,a) and (r, σ) on International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 105

c and outputs (PK, Proof). Here, the (Proof) is the [4] D. Boneh and M. Franklin, “Identity-based encryp- zero-knowledge proof: tion from the Weil pairing,” in Advances in Cryptol- ogy (Crypto’01), LNCS 2139, pp. 213-229, Springer- ZKP {(α, β, λ1, λ2, λ3)|A Verlag, 2001. α β 0 λ1 λ2 λ3 = B C ∧ c = u g2 v ∧ λ1 6=0}. [5] D. Boneh, B. Lynn, and H. Shacham, “Short signatures from the Weil pairing,” in Advances in • CVerify. The service provider checks the correctness Cryptology (Asiacrypt’01), LNCS 2248, pp. 514-532, of (PK, Proof) using PVerify. Springer-Verlag, 2001. [6] S. Brands, Rethinking Public Key Infrastructures and Our credential scheme is of multi-show, i.e., the user Digital Certificates; Bulding in Privacy, MIT Press, can blind the credential by using two randomly gener- 2000. ate numbers r1, r2. The credential itself is never sent to [7] J. Camenisch and A. Lysyanskaya, “Efficient non- the service provider in clear. Clearly, our scheme also transferable anonymous multishow credential system supports non-transferability. To show a credential to the with optional anonymity revocation,” in Advances in service provider, the user has to know his secret (m,a). Cryptology (Eurocrypt’01), LNCS 2045, pp. 93-118, Of course, we have to assume that his secret should not Springer-Verlag, 2001. be given to others. However, it is also not hard for us [8] J. Camenisch and A. Lysyanskaya, “A signature to modify the scheme such that there exists a revocation scheme with efficient protocols,”in Security in Com- manager who can revoke the identity of the user if needed. munication Networks (SCN’02), LNCS 2576, pp. 268-289, Springer-Verlag, 2003. 7 Conclusion [9] J. Camenisch and A. Lysyanskaya, “Signature schemes and anonymous credentials from bilin- In this paper, we propose a variant of Boneh-Boyen short ear maps,” in Advances in Cryptology (Crypto’04), signature scheme without random oracle such that it can LNCS 3152, pp. 56-72, Springer-Verlag, 2004. be used as a building block for cryptographic protocols. [10] J. Camenisch and M. Michels, “Efficient group sig- We provide a protocol to prove knowledge of a signature nature schemes for large group,” in Advances in on a committed message and to obtain a signature on Cryptology (Crypto’97), LNCS 1296, pp. 410-424, a committed message such that it can be converted into Springer-Verlag, 1997. an efficient multi-show credential scheme. The proposed [11] D. Chaum, “Security without identification: signature scheme on a committed value in this paper has transacation systems to make big brother obsolete,” many good properties, and for the further work, we expect Communications of ACM, vol. 28, no. 10, pp. to design a group signature scheme based on this signature 1030-1044, Oct. 1985. [12] A. Joux, “A one round protocol for tripartite Diffie- scheme. Hellman,” in 4th International Symposium on Algo- rithmic Number Theory (ANTS IV), LNCS 1838, pp. Acknowledgements 385-394, Springer-Verlag, 2000. [13] S. Mitsunari, R. Sakai, and M. Kasahara, “A new This work is supported by the National Natural Science traitor tracing,” IEICE Transactions on Fundamen- Foundation of China (No. 60403007, No. 60503006 and tals, vol. E85-A, no. 2, pp. 481-484, 2002. No. 60633030), Natural Science Foundation of Guang- [14] T. P. Pedersen, “Non-interactive and information- dong Province, China (No. 04205407), 973 Program theoretic secure verifiable secret sharing,” in Ad- (2006CB303104) and ARC Discovery Grant DP055749. vances in Cryptology (Crypto’91), LNCS 576, pp. 129-140. Springer-Verlag, 1992. [15] E. Verheul, “Self-blindable credential certificates References from the Weil pairing,” in Advances in Cryptology (Asiacrypt’01), LNCS 2248, pp. 533-551, Springer- [1] E. Bangerter, J. Camenisch, and A. Lysyanskaya, “A Verlag, 2001. cryptographc framework for the controlled release [16] F. Zhang, R. S. Naini, and W. Susilo, “An efficient of certified data,” in Twelfth International Work- signature scheme from bilinear pairings and its ap- shop on Security Protocols, LNCS 3957, pp. 20-42, plications,” in Public Key Cryptography (PKC’04), Springer-Verlag, 2006. LNCS 2947, pp. 277-290, Springer-Verlag, Singapore, [2] D. Boneh, and X. Boyen, “Short signatures without 2004. random Oracles,” in Advances in Cryptology (Euro- crypt’04), LNCS 3027, pp. 56-73, Springer-Verlag, 2004. [3] D. Boneh, X. Boyen, and H. Shacham, “Short group signatures using strong diffie hellman,” in Advances in Cryptology (Crypto’04), LNCS 3152, pp. 41-55, Springer-Verlag, 2004. International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 106

Fangguo Zhang is a Professor in the Yi Mu received his PhD from Department of Electronics and Com- the Australian National University in munication Engineering at Sun Yan- 1994. He was a lecturer in the School sen University in Guangzhou, China. of Computing and IT at the University He obtained his Ph.D. degree in Cryp- of Western Sydney and a senior lec- tography from School of Communi- turer in the Department of Computing cation Engineering, Xidian University at Macquarie University. He currently in 2001. His main research interests is an associate professor in the Infor- include elliptic curve cryptography, pairing-based cryp- mation Technology and Computer Science, University of tosystem and its applications. Wollongong. His current research interests include network security, computer security, and cryptography. Yi Xiaofeng Chen is an Associate Pro- Mu has published more than 140 research papers in inter- fessor in the Department of Computer national conferences and journals. He has served in tech- Science at Sun Yan-sen University, nical program committees of a number of international Guangzhou, China. He obtained his conferences and the editorial boards of six international Ph.D. degree in Cryptography from journals. He is a senior member of the IEEE, and a mem- School of Communication Engineer- ber of the IACR. ing, Xidian University in 2003. His main research interests include public Willy Susilo received a Ph.D. in key cryptography and E-commerce security. Computer Science from University of Wollongong, Australia. He is currently an Associate Professor at the School of Information Technology and Computer Science of the University of Wollongong. He is the coordinator of Network Security Research Labora- tory at the University of Wollongong. His research interests include cryptography, information security, computer security and network security. His main contribution is in the area of digital signature schemes, in particular fail- stop signature schemes and short signature schemes. He has served as a program committee member in a number of international conferences. He has published numerous publications in the area of digital signature schemes and encryption schemes.