Abstract:
In the newest and strongest security models for group signatures (7,10,41), attackers are given the capability to query an Open Oracle, OO, in order to obtain the signer identity of the queried signature. This oracle mirrors the Decryption Oracle in security experiments involving encryption schemes, and the security notion of CCA2-full-anonymity for group signatures mirrors the security notion of IND-CCA2-security for encryption schemes. Most group signatures escrow the signer identity to a TTP called the Open Authority (OA) by encrypting the signer identity to OA. Methods to efficiently instantiate O(1)-sized CCA2-fully-anonymous group signatures using IND-CCA2-secure encryptions, such as the Cramer-Shoup scheme or the twin encryption scheme, exist (7,10,41,49). However, it has long been suspected that IND-CCA2-secure encryption to OA is an overkill, and that CCA2-fully-anonymous group signature can be constructed using only IND-CPA-secure encryptions. Here, we settle this issue in the positive by constructing CCA2-fully-anonymous group signatures from IND-CPA-secure encryptions for the OA, without ever using IND-CCA2-secure encryptions. Our technique uses a single ElGamal or similar encryption plus Dodis and Yampolskiy (35)'s VRF (Verifiable Random Function). The VRF provides a sound signature with zero-knowledge in both the signer secret and the signer identity, while it simultaneously defends against active OO-query attacks. The benefit of our theoretical advance is improved efficiency. Instantiations in pairings result in the shortest CCA2-fully-anonymous group signature at 11 rational points or 1870 bits for 170-bit curves. It is 27% shorter (and slightly faster) than the previous fastest (12,41) at 15 rational points. Instantiations in the strong RSA framework result in the fastest CCA2-fully-anonymous group signature at 4 multi-base exponentiations for 1024-bit RSA. It is 25% faster than the previous fastest at 5 multi-base exponentiations (3,20,41).
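This paper settles a long-standing question by constructing a CCA2-fully-anonymous group signature scheme from IND-CPA-secure encryption to the Open Authority (OA), without using IND-CCA2-secure encryption. The method uses ElGamal encryption and the Dodis-Yampolskiy VRF, providing a zero-knowledge signature that defends against active Open Oracle attacks. The new scheme is shorter and faster: in pairings, for example, it reaches the shortest size of 11 rational points, only 1870 bits on 170-bit curves, a 27% saving over the previous fastest scheme. In the strong RSA framework it is 25% faster, needing only 4 multi-base exponentiations.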




