Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability

Blazy, Olivier; Derler, David; Slamanig, Daniel; Spreitzer, Raphael

doi:10.1007/978-3-319-29485-8_8

Cited by 17 publications

(7 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the former, signatures by the same group member are publicly linkable, whereas in the latter the role of the tracing authority is reduced to the ability of deciding whether two signatures stem from the same (anonymous) member. This approach has been augmented by requiring a proof from the linking authority [11], by specifying a linking authority that obliviously processes linkability queries across sets of signatures [36] with the results being non-transitive (i.e., signatures are not linkable across queries), or [40] by adding the ability for the opening authority to link as well as open signatures and to also produce proofs of non-authorship. In the latter, users are able to claim or disclaim individual signatures and also link their own signatures.…”

Section: Background and Related Workmentioning

confidence: 99%

Foundations of Fully Dynamic Group Signatures

Bootle

Cerulli²,

Chaidos

et al. 2020

J Cryptol

View full text Add to dashboard Cite

Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows to capture such relaxation of traceability.

show abstract

Section: Background and Related Workmentioning

confidence: 99%

Foundations of Fully Dynamic Group Signatures

Bootle

Cerulli²,

Chaidos

et al. 2020

J Cryptol

View full text Add to dashboard Cite

show abstract

“…Because a signer is always linkable after the corresponding token is broadcasted, we cannot use traceable signatures instead of GS-TDL. As a special case of traceable signatures, group signatures with controllable linkability have been proposed [14,36,35], where a link key is defined for the linking procedure. However, pairing computations are required for linking, which lead to inefficiency.…”

Section: Related Workmentioning

confidence: 99%

“…The second one is a ring signature scheme with escrowed linkability where a linking authority can link two signatures by using a secret key. As in group signatures with controllable linkability [14,36,35], pairing computations are required for linking.…”

Section: Related Workmentioning

confidence: 99%

Road-to-Vehicle Communications With Time-Dependent Anonymity: A Lightweight Construction and Its Experimental Results

Emura

Hayashi

2018

IEEE Trans. Veh. Technol.

View full text Add to dashboard Cite

This paper describes techniques that enable vehicles to collect local information (such as road conditions and traffic information) and report it via road-to-vehicle communications. To exclude malicious data, the collected information is signed by each vehicle. In this communications system, the location privacy of vehicles must be maintained. However, simultaneously linkable information (such as travel routes) is also important. That is, no such linkable information can be collected when full anonymity is guaranteed using cryptographic tools such as group signatures. Similarly, continuous linkability (via pseudonyms, for example) may also cause problem from the viewpoint of privacy. In this paper, we propose a road-to-vehicle communication system with relaxed anonymity via group signatures with time-token dependent linking (GS-TDL). Briefly, a vehicle is unlinkable unless it generates multiple signatures in the same time period. We provide our experimental results (using the RELIC library on a cheap and constrained computational power device, Raspberry Pi), and simulate our system by using a traffic simulator (PTV), a radio wave propagation analysis tool (RapLab), and a network simulator (QualNet). Though a similar functionality of time-token dependent linking was proposed by Wu, Domingo-Ferrer and González-Nicolás (IEEE T. Vehicular Technology 2010), we can show an attack against the scheme where anyone can forge a valid group signature without using a secret key. In contrast, our GS-TDL scheme is provably secure. In addition to the time-dependent linking property, our GS-TDL scheme supports verifier-local revocation (VLR), where a signer (vehicle) is not involved in the revocation procedure. It is particularly worth noting that no secret key or certificate of a signer (vehicle) must be updated whereas the security credential management system (SCMS) must update certificates frequently for vehicle privacy. Moreover, our technique maintains constant signing and verification costs by using the linkable part of signatures. This might be of independent interest. * An extended abstract appears in the 4th International Workshop on Lightweight Cryptography for Security and Privacy (LightSec 2015) [27]. This is the full version. In the conference version, we provided the GS-TDL part, and used the TEPLA library [4] for estimating the efficiency of our GD-TDL scheme. In this full version, we use the RELIC library and reconsider the pairing equations in our algorithm. Moreover, we simulate our system using PTV, RapLab, and QualNet.

show abstract

“…The commit-and-prove methodology itself is of interest. For instance, as noted in [11], the commit-andprove technique is standard when one wants to prove that the witnesses to two distinct statements are the same [10], [12]- [15].…”

Section: Introduction a Non-interactive Zero-knowledge Proof Systemmentioning

confidence: 99%

On the Impossibility of NIZKs for Disjunctive Languages From Commit-and-Prove NIZKs

2021

View full text Add to dashboard Cite

This paper considers the problem of expanding a language class that can be proven by a noninteractive zero-knowledge proof system (NIZK) in a black-box manner in the common reference string model. Namely, given NIZKs for two languages, L 0 and L 1 , can we construct an NIZK for L 0 ∨ L 1 in a black-box manner? NIZKs for disjunctive languages have a large number of applications, such as electronic voting. Therefore, such a black-box construction may enable the efficient constructions of such applications. However, Abe et al. (PKC 2020) showed that this is impossible if the two given NIZKs are simulation-sound. In this paper, we prove that it is also impossible if the two given NIZKs are constructed by the commit-andprove methodology that is typically used in many cryptographic protocols, including NIZKs. This result suggests that if we want to augment the capability of NIZKs in terms of the languages they can prove, we should rely on certain properties or structures of the underlying NIZKs, such as algebraic structures.

show abstract

Non-Interactive Plaintext (In-)Equality Proofs and Group Signatures with Verifiable Controllable Linkability

Cited by 17 publications

References 38 publications

Foundations of Fully Dynamic Group Signatures

Foundations of Fully Dynamic Group Signatures

Road-to-Vehicle Communications With Time-Dependent Anonymity: A Lightweight Construction and Its Experimental Results

On the Impossibility of NIZKs for Disjunctive Languages From Commit-and-Prove NIZKs

Contact Info

Product

Resources

About