Foundations of Fully Dynamic Group Signatures

  • PDF / 1,747,268 Bytes
  • 49 Pages / 439.37 x 666.142 pts Page_size
  • 3 Downloads / 255 Views

DOWNLOAD

REPORT


Foundations of Fully Dynamic Group Signatures∗ Jonathan Bootle University of California, Berkeley, Berkeley, CA, USA [email protected]

Andrea Cerulli DFINITY, Zurich, Switzerland [email protected]

Pyrros Chaidos National and Kapodistrian University of Athens, Athens, Greece [email protected]

Essam Ghadafi University of the West of England, Bristol, UK [email protected]

Jens Groth University College London, London, UK DFINITY, Zurich, Switzerland [email protected] Communicated by Masayuki Abe Received 23 October 2018 / Revised 13 February 2020

Abstract. Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our ∗ An extended abstract of this paper appeared in the Proceedings of Applied Cryptography and Network Security—ACNS 2016. The research leading to these results has received funding from the European Research Council under the European Union’s Seventh Framework Programme (FP/2007–2013)/ERC Grant Agreement No. 307937 and EPSRC Grant EP/J009520/1. P. Chaidos: Was supported by an EPSRC scholarship (EP/G037264/1—Security Science DTC). J. Bootle, A. Cerulli, P. Chaidos, E. Ghadafi: Most of the work was done while at University College London.

© The Author(s) 2020

J. Bootle et al. definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows to capture such relaxation of traceability. Keywords. Group signatures, Security definitions.

1. Introduction Group signatures, put forward by Chaum and van Heyst [27], are a fundamental cryptographic primitive allowing a member of a group to anonymously sign messages on behalf of the group. Group membership is admi