Aggregate and eriably Encrypted Signatures from Bilinear Maps Dan Boneh dabo@cs.stanford.edu Craig Gen try cgentry@docomolabs-usa.com Ben Lynn blynn@cs.stanford.edu Ho Shac ham hovav@cs.stanford.edu Abstract An aggregate signature sc heme is digital signature that supp orts aggregation: Giv en signatures on distinct messages from distinct users, it is ossible to aggregate all these signatures in to single short signature. This single signature (and the original messages) will con vince the erier that the users did indeed sign the original messages (i.e., user

signed message for ). In this pap er in tro duce the concept of an aggregate signature, presen securit mo dels for suc signatures, and giv sev eral applications for aggregate signatures. construct an ecien aggregate signature from recen short signature sc heme based on bilinear maps due to Boneh, Lynn, and Shac ham. Aggregate signatures are useful for reducing the size of certicate hains (b aggregating all signatures in the hain) and for reducing message size in secure routing proto cols suc as SBGP also sho that aggregate signatures giv rise to eriably encrypted

signatures. Suc signatures enable the erier to test that giv en ciphertext is the encryption of signature on giv en message eriably encrypted signatures are used in con tract-signing proto cols. Finally sho that similar ideas can used to extend the short signature sc heme to giv simple ring signatures. In tro duction Man real-w orld applications in olv signatures on man dieren messages generated man dieren users. or example, in Public Key Infrastructure (PKI) of depth eac user is giv en hain of certicates. The hain con tains signatures Certicate

Authorities (CAs) on distinct certicates. Similarly in the Secure BGP proto col (SBGP) [18 eac router receiv es list of signatures attesting to certain path of length in the net ork. router signs its wn segmen in the path and forw ards the resulting list of signatures to the next router. As result, the um er of signatures in routing messages is linear in the length of the path. Both applications ould enet from metho for compressing the list of signatures on distinct messages issued distinct parties. Sp ecically X.509 certicate hains could shortened compressing

the signatures in the hain in to single signature. An aggregate signature sc heme enables us to ac hiev precisely this yp of compression. Supp ose eac of users has public-priv ate ey pair PK SK ). User signs message to obtain signature Then there is public aggregation algorithm that tak es as input all of and outputs short compressed signature An one can aggregate the signatures. Moreo er, the aggregation can erformed incremen tally That is, signatures can aggregated in to 12 whic can then further aggregated with to obtain 123 When aggregating signatures in certicate hain, eac CA can

incremen tally aggregate its wn signature in to the hain. There is also an aggregate erication algorithm that tak es and and decides
whether the aggregate signature is valid. Intuitively, the security requirement is that the aggregate signature is declared valid only if the aggregator who created it was given all of the individual signatures. Precise security definitions are given in Sect. 3.2. Thus, an aggregate signature provides non-repudiation at once on many different messages by many users.

We construct an aggregate signature scheme based on a recent short signature due to Boneh, Lynn, and Shacham (BLS) [6]. This signature scheme works in any group where the Decision Diffie-Hellman problem (DDH) is easy but the Computational Diffie-Hellman problem (CDH) is hard. We refer to such groups as gap groups [6, 26]. Recently there have been a number of constructions using such gap groups [6, 19, 8, 4]. Surprisingly, general gap groups are insufficient for constructing efficient aggregate signatures. Instead, our construction uses a pair of groups and a bilinear map between them, where CDH is hard in the first group. Joux and Nguyen [17] showed that the map can be used to solve DDH there, and so the pair is a gap group. It is the extra structure provided by the bilinear map that enables us to construct an efficient aggregate signature scheme. We do not know how to build efficient aggregate signatures from general gap groups. Thus, our construction is an example where the bilinear map provides extra functionality beyond a simple algorithm for solving DDH. Bilinear maps were previously used for three-way Diffie-Hellman [16], Identity-Based Encryption (IBE) [5], and Hierarchical IBE [15, 13].

Aggregate signatures are related to multisignatures [20, 25, 24, 4]. In multisignatures, a set of users all sign the same message and the result is a single signature. Recently, Micali et al. [20] defined a security model for multisignatures and gave some constructions and applications. Multisignatures are insufficient for the applications we have in mind, such as certificate chains and SBGP. For these applications we must be able to aggregate signatures on distinct messages. We note that recently Boldyreva [4] showed that general gap groups are sufficient for constructing multisignatures from BLS signatures. As noted above, to obtain aggregate signatures, one needs the extra structure provided by bilinear maps.

Our application of aggregate signatures to compressing certificate chains is related to an open problem posed by Micali and Rivest [21]: given a certificate chain and some special additional signatures, can intermediate links in the chain be cut out? Aggregate signatures allow the compression of certificate chains without any additional signatures, but a verifier must still be aware of all intermediate links in the chain. We note that batch RSA [9] also provides some signature compression, but only for signatures produced by a single signer.

As a further application for aggregate signatures, we show in Sect. 4 that certain aggregate signature schemes give rise to simple verifiably encrypted signatures. These signatures enable user Alice to give Bob a signature on a message encrypted using a third party's public key, and Bob to verify that the encrypted signature is valid. Verifiably encrypted signatures are used in optimistic contract signing protocols [1, 2] to enable fair exchange. Previous constructions [1, 27] require zero-knowledge proofs to verify an encrypted signature. The verifiably encrypted signatures in Sect. 4 are short and can be validated efficiently. We note that the resulting contract signing protocol is not abuse-free in the sense of [10].

As a third application of these ideas, we construct in a later section a simple ring signature [28] using bilinear maps. As above, the construction using a bilinear map is simpler and more efficient than constructions that only make use of gap groups.

2 Signature Schemes Based on Co-Gap Diffie-Hellman

We first review a few concepts related to bilinear maps and Gap Diffie-Hellman signatures [6]. Throughout the paper we use the following notation:
1. the two base groups are (multiplicative) cyclic groups of the same prime order;
2. each base group has a fixed generator;
3. there is a computable isomorphism from the second group to the first that maps the second group's generator to the first group's generator; and
4. there is a computable bilinear map as described below.

The isomorphism is mostly needed for the proofs of security. To keep the discussion general, we simply assume that it exists and is efficiently computable. When the two groups are subgroups of the group of points of an elliptic curve, the trace map on the curve can be used as this isomorphism (we assume the first group lies over the base field and the second over an extension of it). Throughout the paper, we consider bilinear maps where all groups are multiplicative and of prime order. One could set the two base groups equal. However, we allow for the more general case where they differ, so that our constructions can make use of certain families of non-supersingular elliptic curves defined by Miyaji et al. [22]. These curves give rise to very short signatures [6]. This will lead in turn to short aggregate signatures, ring signatures, etc. To handle the case where the groups differ, we define the co-CDH and co-DDH problems [6]. When the groups coincide, these problems reduce to the standard CDH and DDH problems. Hence, for the remainder of the paper, although we handle arbitrary pairs of groups, for simplicity the reader may assume the two groups are equal and the isomorphism is the identity map. With this setup we obtain natural generalizations of the CDH and DDH problems:

Computational Co-Diffie-Hellman. Given the second generator raised to an unknown exponent, and an element of the first group, compute that element raised to the same exponent.

Decision Co-Diffie-Hellman. Given the second generator and an element of the second group, together with an element of the first group and a second element of the first group, output yes if the second elements of each pair are the first elements raised to the same exponent, and no otherwise. When the answer is yes we say that the four elements form a co-Diffie-Hellman tuple.

When the two groups coincide, these problems reduce to the standard CDH and DDH. Next we define co-GDH gap groups to be group pairs on which co-DDH is easy but co-CDH is hard.

Definition 2.1. Two groups are a decision group pair for co-Diffie-Hellman if the group action on each of them and the isomorphism between them can be computed in one time unit, and Decision co-Diffie-Hellman on them can be solved in one time unit.

Definition 2.2. The advantage of an algorithm in solving the Computational co-Diffie-Hellman problem on a pair of groups, written Adv co-CDH, is the probability that it outputs the correct answer. The probability is taken over the choice of the instance and the algorithm's coin tosses. An algorithm (t, ε)-breaks Computational co-Diffie-Hellman on the groups if it runs in time at most t and its Adv co-CDH is at least ε. Two groups are a (t, ε)-co-GDH group pair if they are a decision group pair for co-Diffie-Hellman and no algorithm (t, ε)-breaks Computational co-Diffie-Hellman on them.

2.1 Bilinear Maps

Let the two base groups be as above, with an additional target group of the same prime order, such that a bilinear map e takes a pair (an element of the first group, an element of the second) into the target group with the following properties:

1. Bilinear: for all u in the first group, v in the second group, and all integers a, b: e(u^a, v^b) = e(u, v)^(ab).
2. Non-degenerate: the map of the two generators is not the identity of the target group.

These properties imply more: the map is multiplicative in its first argument, so pairing a product of two first-group elements with a second-group element gives the product of the two pairings; and for any two elements of the second group, applying the isomorphism to either one and pairing it with the other gives the same value.

Definition 2.3. Two groups are a bilinear group pair if the group action on either can be computed in one time unit, the isomorphism between them can be computed in one time unit, a bilinear map exists, and it is computable in one time unit.

Definition 2.4. Two groups are a (t, ε)-bilinear group pair for co-Diffie-Hellman if they are a bilinear group pair and no algorithm (t, ε)-breaks Computational co-Diffie-Hellman on them.

Joux and Nguyen [17]
showed that an efficiently-computable bilinear map provides an algorithm for solving the decision co-Diffie-Hellman problem: for a candidate tuple, the two exponents agree modulo the group order exactly when pairing the first-group base element with the second-group candidate equals pairing the first-group candidate with the second generator. Consequently, if two groups are a (t, ε)-bilinear group pair for co-Diffie-Hellman, then they are also a (t/2, ε)-co-GDH group pair. The converse is probably not true.

2.2 The Co-GDH Signature Scheme

We review the signature scheme of [6], which can be based on any gap group. It comprises three algorithms, KeyGen, Sign and Verify, and uses a full-domain hash function from messages into the first group, viewed as a random oracle [3].

Key Generation. Pick a random exponent and compute the second generator raised to it. The public key is that group element; the secret key is the exponent.

Signing. Given a secret key and a message, hash the message into the first group and raise the hash to the secret exponent. The signature is the result.

Verification. Given a public key, a message and a signature, hash the message and verify that (the second generator, the public key, the hash, the signature) is a valid co-Diffie-Hellman tuple.

A co-GDH signature is a single element of the first group. On certain elliptic curves these signatures are very short: they are half the size of DSA signatures with similar security. The security theorem of [6] proves the existential unforgeability of the scheme under a chosen message attack [14] in the random oracle model, assuming the groups are a co-gap group pair for Diffie-Hellman.

3 Aggregate Signatures

We define aggregate signatures and describe an aggregate signature scheme based on co-GDH signatures. Unlike the co-GDH scheme, aggregate signatures require the existence of a bilinear map. We define security models and provide proofs of security for aggregate signatures.

Consider a set of users. Each user has a signing keypair (PK, SK). We wish to aggregate the signatures of some subset of the users. Each user in the subset produces a signature on a message of her choice. These signatures are then combined into a single aggregate by an aggregating party. The aggregating party, who can be different from and untrusted by the users in the subset, has access to the users' public keys, to the messages, and to the signatures on them, but not
to any private keys. The result of this aggregation is an aggregate signature whose length is the same as that of any of the individual signatures. This aggregate has the property that a verifier, given the aggregate along with the identities of the parties involved and their respective messages, is convinced that each user signed her respective message.

3.1 Bilinear Aggregate Signatures

We describe a bilinear aggregate signature scheme based on the co-GDH scheme presented above. Individual signatures in the aggregate signature scheme are created and verified precisely as are signatures in the co-GDH scheme (Sect. 2.2). Aggregate verification makes use of a bilinear map on the two base groups. The aggregate signature scheme allows the creation of signatures on arbitrary distinct messages. An individual signature is an element of the first group. The base groups and their respective generators, the computable isomorphism between them, and the bilinear map with its target group are system parameters. The scheme comprises five algorithms: KeyGen, Sign, Verify, Aggregate and AggregateVerify. The first three are as in ordinary signature schemes; the last two provide the aggregation capability. The scheme employs a full-domain hash function into the first group, viewed as a random oracle.

Key Generation. For a particular user, pick a random exponent and compute the second generator raised to it. The user's public key is that element; the user's secret key is the exponent.

Signing. For a particular user, given the secret key and a message, hash the message into the first group and raise the hash to the secret exponent. The signature is the result.

Verification. Given a user's public key, a message and a signature, hash the message and accept if (the second generator, the public key, the hash, the signature) is a co-Diffie-Hellman tuple.

Aggregation. For the aggregating subset of users, assign to each user an index. Each user provides a signature on a message of his choice. The messages must all be distinct. Compute the product of all the individual signatures. The aggregate signature is this product.

Aggregate Verification. We are given an aggregate signature for an aggregating subset of users indexed as before, and are given the original messages and public keys for all users. To verify the aggregate signature: 1. ensure that the messages are all distinct, and reject otherwise; and 2. compute the hash of each message, and accept if the pairing of the aggregate with the second generator equals the product, over all users, of the pairing of that user's message hash with that user's public key.

A bilinear aggregate signature, like a co-GDH signature, is a single element of the first group. Note that aggregation can be done incrementally.

The intuition behind bilinear aggregate signatures is as follows. Each user has a secret exponent and a public key equal to the second generator raised to it. A user's signature, if correctly formed, is the hash of the user's chosen message raised to that user's secret exponent. The aggregate signature is thus the product of these. Using the properties of the bilinear map, the left-hand side of the verification equation, the pairing of the aggregate with the second generator, expands into the product of the pairings of each individual signature with the generator; by bilinearity each factor equals the pairing of that user's hash with that user's public key, so the product is the right-hand side, as required. It remains to prove the security of the scheme.
3.2 Aggregate Signature Security

Informally, the security of aggregate signature schemes is equivalent to the nonexistence of an adversary capable, within the confines of a certain game, of existentially forging an aggregate signature. Existential forgery here means that the adversary attempts to forge an aggregate signature, on messages of his choice, by some set of users.

We formalize this intuition as the aggregate chosen-key security model. In this model, the adversary is given a single public key. His goal is the existential forgery of an aggregate signature. We give the adversary power to choose all public keys except the challenge public key. The adversary is also given access to a signing oracle on the challenge key. His advantage, Adv AggSig, is defined to be his probability of success in the following game.

Setup. The aggregate forger is provided with a public key PK generated at random.

Queries. Proceeding adaptively, the forger requests signatures with PK on messages of his choice.

Response. Finally, the forger outputs additional public keys; their number is bounded by a game parameter. These keys, along with the initial key PK, will be included in the forger's forged aggregate. The forger also outputs one message per key and, finally, an aggregate signature by those users, each on his corresponding message.

The forger wins if the aggregate signature is a valid aggregate on the output messages under the output keys together with PK, and is nontrivial, i.e., the forger did not request a signature on the message assigned to PK. The probability is over the coin tosses of the key-generation algorithm and of the forger.

Definition 3.1. An aggregate forger breaks an aggregate signature scheme in the aggregate chosen-key model, with respect to bounds on running time, hash queries, signing queries, number of users and advantage, if: it runs in time at most the time bound; makes at most the allowed number of queries to the hash function and at most the allowed number of queries to the signing oracle; its Adv AggSig is at least the advantage bound; and the forged aggregate signature is by at most the allowed number of users. An aggregate signature scheme is secure against existential forgery in the aggregate chosen-key model, with respect to those bounds, if no forger breaks it within them.

Potential attack on aggregate signatures. The adversary's ability in the chosen-key model to generate keys suggests the following attack, previously considered in the context of multisignatures [20, 4]. Alice publishes her public key. Bob generates a private key and the corresponding public key, but publishes as his public key that key divided by Alice's public key, a value whose discrete log he does not know. Then the signature Bob computes with his private key on a message verifies as an aggregate signature by both Alice and Bob on that message. Note that in this forgery Alice and Bob both sign the same message. One countermeasure is to require the adversary to prove knowledge of the discrete logarithms (to the fixed base) of his published public keys. For example, Boldyreva, in her multisignature scheme [4], requires, in effect, that the adversary disclose the corresponding private keys. Micali et al. [20] discuss a series of more sophisticated approaches based on zero-knowledge proofs, again with the effect that the adversary is constrained in his key selection. These defenses apply equally well to our aggregate signature scheme. For aggregate signatures, though, there is a simpler defense.

A simple defense for aggregate signatures. In the context of aggregate signatures we can defend against the attack above by simply requiring that an aggregate signature is valid only if it is an aggregation of signatures on distinct messages. This restriction, codified in Step 1 of AggregateVerify, suffices to prove the security of the bilinear aggregate signature scheme in the chosen-key model. There is no need for zero-knowledge proofs or the disclosure of private keys.
The requirement that all messages in an aggregate be distinct is naturally satisfied for the applications to certificate chains and SBGP we have in mind. Even in more general environments it is easy to ensure that all messages are distinct: the signer simply prepends her public key to every message she signs prior to the application of the hash function. The implicit prefix need not be transmitted with the signature, so signature and message length is unaffected. The next theorem shows that this simple constraint is sufficient for proving security in the chosen-key model.

Theorem 3.2. Let the two base groups be a bilinear group pair for co-Diffie-Hellman, with each group of the same prime order, with respective generators, with an isomorphism computable from the second group to the first, and with a bilinear map. Then the bilinear aggregate signature scheme on these groups is secure against existential forgery in the aggregate chosen-key model for all running-time and advantage bounds satisfying the relations established in the proof below, where e is the base of natural logarithms, and exponentiation and inversion in the first group take unit time.

Proof. Suppose a forger algorithm breaks the signature scheme within the given bounds. We show how to construct an algorithm, running within the corresponding time bound, that solves co-CDH in the groups with probability at least the forger's advantage divided by e(q_S + N), where q_S bounds the forger's signing queries and N bounds the users in its forgery. This will contradict the fact that the groups are a co-GDH group pair.

Let the second generator be given. The simulator is given the second generator raised to an unknown exponent, together with an element h of the first group. Its goal is to output h raised to that exponent. The simulator simulates the challenger and interacts with the forger as follows.

Setup. The simulator starts by giving the forger the second generator and a challenge public key, which it derives from its co-CDH input together with an exponent chosen at random.

Hash Queries. At any time the forger can query the random oracle. To respond to these queries, the simulator maintains a list of tuples as explained below. We refer to this list as the H-list. The list is initially empty. When the forger queries the oracle at a message, the simulator responds as follows:

1. If the query already appears on the H-list in some tuple, then the simulator responds with the hash value stored in that tuple.
2. Otherwise, the simulator generates a random coin b so that Pr[b = 0] = 1/(q_S + N).
3. The simulator picks a random exponent. If b = 0 holds, it computes the hash value as h times the first generator raised to that exponent. If b = 1 holds, it computes the hash value as the first generator raised to that exponent.
4. The simulator adds the tuple (message, hash value, b, exponent) to the H-list and responds to the forger with the hash value. Note that, either way, the hash value is uniform in the first group and is independent of the forger's current view, as required.

Signature queries. The forger requests a signature on some message under the challenge key. The simulator responds to this query as follows:

1. The simulator runs the above algorithm for responding to H-queries on the message, obtaining the corresponding tuple on the H-list. If b = 0 holds then the simulator reports failure and terminates.
2. We know that b = 1 holds and hence the hash value is the first generator raised to the stored exponent. Let the signature be the isomorphism of the challenge public key raised to that exponent. Observe that this equals the hash value raised to the challenge key's secret exponent, and therefore is a valid signature on the message under the challenge public key. The simulator gives this signature to the forger.
Output. Finally, the forger halts. It either concedes failure, in which case so does the simulator, or it returns a number of signers (at least one and at most N), one fewer additional public key than that number, that number of messages, and a forged aggregate signature. The messages must all be distinct, and the forger must not have requested a signature on the message assigned to the challenge key.

The simulator runs its hash algorithm at each message, obtaining the corresponding tuples on the H-list. The simulator now proceeds only if the coin for the challenge key's message is 0 and, for every other message, the coin is 1; otherwise it declares failure and halts. Since the challenge coin is 0, the challenge hash is h times the first generator raised to its stored exponent; for every other message, since its coin is 1, its hash is the first generator raised to its stored exponent. The aggregate signature must satisfy the aggregate verification equation: the pairing of the aggregate with the second generator equals the product of the pairings of each hash with its public key. For each additional key, the simulator sets a signature component equal to the isomorphism of that key raised to the stored exponent of that key's message; then the pairing of this component with the generator equals the pairing of that message's hash with that key, so the component is a valid signature on that message (whose hash is the generator raised to the stored exponent) by the key whose public component is that key. Now the simulator constructs the quotient of the forged aggregate by all these components. The pairing of this quotient with the generator then equals the pairing of the challenge hash with the challenge key, so the quotient is a valid co-GDH signature by the challenge key on the message whose hash is h times the generator raised to the stored exponent. The simulator then calculates and outputs the required co-CDH answer by stripping the contributions of the known exponents from this signature. This completes the description of the simulator.

It remains to show that the simulator solves the given instance of the co-CDH problem with probability at least the claimed bound. To do so, we analyze the three events needed for the simulator to succeed:

E1: the simulator does not abort as a result of any of the forger's signature queries.
E2: the forger generates a valid and nontrivial aggregate signature forgery.
E3: event E2 occurs, and, in addition, the coin for the challenge key's message is 0 and, for every other message in the forgery, the coin is 1, where each coin is the b-component of the tuple containing that message on the H-list.

The simulator succeeds if all of these events happen. The probability Pr[E1 and E3] decomposes as

Pr[E1 and E3] = Pr[E1] * Pr[E2 | E1] * Pr[E3 | E1 and E2]. (1)

The following claims give a lower bound for each of these terms.

Claim 3.3. The probability that the simulator does not abort as a result of the forger's signature queries is at least (1 - 1/(q_S + N))^q_S. Hence, Pr[E1] >= (1 - 1/(q_S + N))^q_S.

Proof. Without loss of generality we assume that the forger does not ask for the signature of the same message twice. We prove by induction that after the forger makes i signature queries the probability that the simulator does not abort is at least (1 - 1/(q_S + N))^i. The claim is trivially true for i = 0. Consider the forger's i-th signature query and the corresponding tuple on the H-list. Then, prior to the forger's issuing the query, the coin in that tuple is independent of the forger's view: the only value that could be given to the forger that depends on the coin is the hash value, but the distribution of the hash value is the same whether the coin is 0 or 1. Therefore, the probability that this query causes the simulator to abort is at most 1/(q_S + N). Using the inductive hypothesis and the independence of the coin, the probability that the simulator does not abort after this query is at least (1 - 1/(q_S + N))^i. This proves the inductive claim. Since the forger makes at most q_S signature queries, the probability that the simulator does not abort as a result of all signature queries is at least (1 - 1/(q_S + N))^q_S.
Claim 3.4. If the simulator does not abort as a result of the forger's queries then the forger's view is identical to its view in the real attack. Hence, Pr[E2 | E1] is at least the forger's advantage.

Proof. The public key given to the forger is from the same distribution as public keys produced by algorithm KeyGen. Responses to hash queries are as in the real attack, since each response is uniformly and independently distributed in the first group. Since the simulator did not abort as a result of the forger's signature queries, all its responses to those queries are valid. Therefore the forger will produce a valid and nontrivial aggregate signature forgery with probability at least its advantage. Hence Pr[E2 | E1] is at least the forger's advantage.

Claim 3.5. The probability that the simulator does not abort after the forger outputs a valid and nontrivial forgery is at least (1/(q_S + N)) * (1 - 1/(q_S + N))^(N-1). Hence, Pr[E3 | E1 and E2] >= (1/(q_S + N)) * (1 - 1/(q_S + N))^(N-1).

Proof. Events E1 and E2 have occurred, and the forger has generated some valid and nontrivial forgery. For each message in the forgery, consider the tuple corresponding to it on the H-list. The simulator will abort unless the forger generates a forgery such that the coin for the challenge key's message is 0 and, for every other message, the coin is 1. Since all the messages are distinct, the coins are all independent of each other; as before, each coin is independent of the forger's view. Since its forgery is nontrivial, the forger cannot have asked for a signature on the challenge key's message under that key. It can thus have no information about the value of that coin; in the forged aggregate, that coin is 0 with probability 1/(q_S + N). For each of the other messages, either the forger asked for a signature under the challenge key on it, in which case its coin is 1 with probability 1, or it didn't, and its coin is 1 with probability 1 - 1/(q_S + N). Regardless, the probability that the coin is 1 for all of the other messages is at least (1 - 1/(q_S + N))^(N-1). Therefore Pr[E3 | E1 and E2] >= (1/(q_S + N)) * (1 - 1/(q_S + N))^(N-1), as required.

To complete the proof of Theorem 3.2, we use the bounds from the claims above in equation (1). The simulator produces the correct answer with probability at least the forger's advantage divided by e(q_S + N), as required. The simulator's running time is the same as the forger's running time plus the time it takes to respond to the hash queries and signature queries, and the time to transform the forger's final forgery into the co-CDH solution. Each query requires an exponentiation in the first group. The output phase requires at most N additional hash computations, inversions, exponentiations, and multiplications. We assume that exponentiation and inversion in the first group take unit time. Hence, the total running time is at most the stated bound, as required. This completes the proof of Theorem 3.2.

Aggregate verification time. Consider an aggregate of some number of signatures. The time to verify the aggregate signature is linear in that number. In the special case when all the signatures are issued by the same public key, aggregate verification is faster. One need only verify that the pairing of the aggregate with the second generator equals the pairing of the product of the hashes of the signed messages with the shared public key.
eriably Encrypted Signatures Next, sho an application of aggregate signatures to eriably encrypted signatures. eriably

encrypted signatures are used in applications suc as online con tract signing [1, 2]. Supp ose Alice an ts to sho Bob that she has signed message, but do es not an Bob to ossess her signature of that message. (Alice will giv her signature to Bob only when certain ev en has ccurred, e.g., Bob has giv en Alice his signature on the same message.) Alice can ac hiev this encrypting her signature using the public ey of trusted third part and sending this to Bob along with pro of that she has giv en him alid encryption of her signature. Bob can erify that Alice has signed the message, but cannot

deduce an information ab out her signature. Later in the proto col, if Alice is unable or un willing to rev eal her signature, Bob can ask the third part to rev eal Aliceís signature. note that the resulting con tract signing proto col is not abuse-free in the sense of [10]. sho that arian of the bilinear aggregate signature sc heme allo ws the creation of ery ecien eriably encrypted signatures. 4.1 eriably Encrypted Signature Securit eriably encrypted signature sc heme comprises sev en algorithms. Three, KeyGen Sign and erify are analogous to those in ordinary

signature sc hemes. The others, djKeyGen VESigCr ate VESigV erify and djudic ate pro vide the eriably encrypted signature capabilit The algorithms are describ ed elo w. refer to the trusted third part as the adjudicator. Key Generation, Signing, erication. As in standard signature sc hemes. Adjudicator Key Generate public-priv ate ey pair APK ASK for the adjudicator. VESig Creation. Giv en secret ey SK message and an adjudicatorís public ey APK compute (probabilistically) eriably encrypted signature on VESig erication. Giv en public ey PK message an

adjudicatorís public ey APK and eriably encrypted signature erify that is alid eriably encrypted signature on under ey PK Adjudication. Giv en an adjudicatorís eypair APK ASK ), certied public ey PK and eriably encrypted signature on some message extract and output an ordinary signature on under PK Besides the ordinary notions of signature securit in the signature comp onen t, require three securit prop erties of eriably encrypted signatures: alidit unforgeabilit and opacit describ these prop erties in the single user setting. alidit requires that

eriably encrypted signatures erify and that adjudicated eriably encrypted signatures erify as ordinary signatures, i.e., that VESigV erify VESigCr ate )) and erify djudic ate VESigCr ate )) hold for all and for all prop erly-generated eypairs and adjudicator eypairs. (The eys pro vided to the algorithms are here omitted for brevit .) Unforgeabilit requires that it dicult to forge alid eriably encrypted signature. The adv an tage in existen tially forging eriably encrypted signature of an algorithm giv en access to eriably-encrypted-signature

creation oracle and an adjudication oracle along with 10
Page 11
hash oracle, is Adv VSigF, defined as the probability that VESigVerify, on input PK, APK and the message and verifiably encrypted signature output by the forger A, returns valid, where (PK, SK) is generated by KeyGen, (APK, ASK) by AdjKeyGen, and the output by A on input PK and APK with access to its oracles. The probability is taken over the coin tosses of the key-generation algorithms, of the oracles, and of the forger. The forger is additionally constrained in that its forgery on the message must be nontrivial: it must not previously have queried either oracle at that message. Note that an ordinary signing oracle is not provided; it can be simulated by a call to the creation oracle followed by a call to the adjudication oracle.

Definition 4.1. A verifiably encrypted signature forger breaks a verifiably encrypted signature scheme, with respect to bounds on running time, hash queries, creation-oracle queries, adjudication-oracle queries and advantage, if: it runs in time at most the time bound; makes at most the allowed number of queries to the hash function, at most the allowed number of queries to the verifiably-encrypted-signature creation oracle, and at most the allowed number of queries to the adjudication oracle; and its Adv VSigF is at least the advantage bound. A verifiably encrypted signature scheme is secure against existential forgery, with respect to those bounds, if no forger breaks it within them.

Opacity requires that it be difficult, given a verifiably encrypted signature, to extract an ordinary signature on the same message. The advantage in extracting a verifiably encrypted signature of an algorithm given access to a verifiably-encrypted-signature creation oracle and an adjudication oracle, along with a hash oracle, is Adv VSigE, defined as the probability that Verify, on input PK and the message and signature output by the extractor A, returns valid, where (PK, SK) is generated by KeyGen, (APK, ASK) by AdjKeyGen, and the output by A on input PK and APK with access to its oracles. The probability is taken over the coin tosses of the key-generation algorithms, of the oracles, and of the extractor. The extraction must be nontrivial: the adversary must not have queried the adjudication oracle at the message. (It is allowed, however, to query the creation oracle at it.) Verifiably encrypted signature extraction is thus no more difficult than forgery in the underlying signature scheme.

Definition 4.2. An algorithm extracts a verifiably encrypted signature, with respect to bounds on running time, hash queries, creation-oracle queries, adjudication-oracle queries and advantage, if it runs in time at most the time bound, makes at most the allowed number of queries to the hash function, to the verifiably-encrypted-signature creation oracle and to the adjudication oracle, and its Adv VSigE is at least the advantage bound. A verifiably encrypted signature scheme is secure against extraction, with respect to those bounds, if no algorithm extracts it within them.

4.2 Aggregate Extraction

Our verifiably encrypted signature scheme depends on the assumption that, given an aggregate signature of k signatures, it is difficult to extract the individual signatures. Consider the bilinear aggregate signature scheme on a bilinear group pair. We posit that it is difficult to recover the individual signatures given their aggregate, the public keys, and the message hashes. In fact, we posit that it is difficult to recover an aggregate of any proper subset of the signatures. We term this the k-element aggregate extraction problem.
We formalize this assumption as follows. Let ( , ) be a bilinear group pair for co-Diffie-Hellman, each of order , with respective generators and , a computable isomorphism such that , and a computable bilinear map . Consider a -user aggregate in this setting. Each user has a private key and a public key . Each user selects a distinct message whose hash is , and creates a signature . Finally, the signatures are aggregated, yielding . Let be the set . Each public key can be expressed as , each hash as , each signature as , and the aggregate signature as , where . The advantage of an algorithm in extracting a subaggregate from a -element aggregate is

Adv -Extr def= Pr[ ]

The probability is taken over the choices of all and , and the coin tosses of .

Definition 4.3. An algorithm (t; )-extracts a subaggregate from an -element bilinear aggregate signature if runs in time at most and Adv -Extr is at least . An instantiation of the bilinear aggregate signature scheme is (t; )-secure against aggregate extraction if no algorithm (t; )-extracts it.

We will be particularly concerned with the case = 2. In this case, the aggregate extraction problem reduces to this one: given and g^(au+bv), calculate g^(au). (If the extractor outputs g^(bv) instead, we may recover g^(au) as g^(au+bv) / g^(bv).)

4.3 Verifiably Encrypted Signatures via Aggregation

We motivate our construction for verifiably encrypted signatures by considering aggregate signatures as a launching point. An aggregate signature scheme can give rise to a verifiably encrypted signature scheme if it is difficult to extract individual signatures from an aggregate, but easy to forge existentially under the adjudicator's key. Consider the following:

1. Alice wishes to create a verifiably encrypted signature, which Bob will verify; Carol is the adjudicator. Alice's and Carol's keys are both generated under the underlying signature scheme's key-generation algorithm.

2. Alice creates a signature on under her public key . She forges a signature on some random message under Carol's public key. She then combines and , obtaining an aggregate . The verifiably encrypted signature is the pair ( , ).

3. Bob validates Alice's verifiably encrypted signature ( , ) on by checking that is a valid aggregate signature by Alice on and by Carol on .

4. Carol adjudicates, given a verifiably encrypted signature ( , ) on by Alice, by computing a signature on under her key and removing from the aggregate; what remains is Alice's ordinary signature .

In the bilinear aggregate signature scheme, it is difficult to extract individual signatures, under the aggregate extraction assumption. Moreover, existential forgery is easy when the random oracle hash function is set aside: given a public key and , is a valid signature on a message whose hash is .

Below, we formalize and prove the security of the verifiably encrypted signature scheme created in this
4.4 The Bilinear Verifiably-Encrypted Signature Scheme

The bilinear verifiably encrypted signature scheme is built on the bilinear aggregate signature scheme of the previous section. It shares the key-generation algorithm with the underlying aggregate scheme. Moreover, the adjudicator's public and private information is simply an aggregate-signature keypair. The scheme comprises the seven algorithms described below:

Key Generation. KeyGen and AdjKeyGen are the same as KeyGen in the co-GDH signature scheme.

Signing, Verification. Sign and Verify are the same as in the co-GDH signature scheme.

VESig Creation. Given a secret key , a message , and an adjudicator's public key , compute , where and . Select at random from and set and . Aggregate and as . The verifiably encrypted signature is the pair ( , ). (This can also be viewed as an ElGamal encryption of under the adjudicator's key .)

VESig Verification. Given a public key , a message , an adjudicator's public key , and a verifiably encrypted signature ( , ), set ; accept if holds.

Adjudication. Given an adjudicator's public key and the corresponding private key , a certified public key , and a verifiably encrypted signature ( , ) on some message , ensure that the verifiably encrypted signature is valid; then output = .

If the adjudicator does not first validate a purported verifiably encrypted signature, a malicious user can trick him into signing arbitrary messages under his adjudication key. Similarly, the adjudicator should only adjudicate for certified public keys; we assume that the CA, in issuing a certificate on , verifies that the user knows the private key for .

It is easy to see that validity holds. A verifiably encrypted signature correctly validates under VESigVerify, which is simply the aggregate signature verification algorithm. Moreover, for a valid verifiably encrypted signature, = e(h, ), so the output of Adjudicate is a valid signature on message under the key .

The next theorems prove the unforgeability and opacity of the scheme.

Theorem 4.4. Let and be cyclic groups of prime order , with respective generators and , and with a computable bilinear map . Suppose that the co-GDH signature scheme is ( )-secure against existential forgery on ( , ). Then the bilinear verifiably encrypted signature scheme is (t; )-secure against existential forgery on ( , ), for all and all satisfying 1), where exponentiation and inversion on take time .

Proof. Given a verifiably-encrypted-signature forger algorithm , we construct a forger algorithm for the underlying co-GDH signature scheme. We assume that is well-behaved in the sense that it always requests the hash of a message before it requests a verifiably encrypted signature or an adjudication involving , and that it never requests adjudication on a message on which it had not previously asked for a verifiably encrypted signature. It is trivial to modify any forger algorithm to have the first property. The second property is reasonable, since the input to the adjudication oracle in this case would be a nontrivial verifiably encrypted signature forgery; can be modified simply to output it and halt.
The co-GDH forger is given a public key and has access to a signing oracle for and a hash oracle. It simulates the challenger and interacts with as follows.

Setup. Algorithm generates a key ( , ) ← KeyGen, which serves as the adjudicator's key. Now runs , providing as input the public keys and .

Hash Queries. Algorithm requests a hash on some string . Algorithm makes a query on to its own hash oracle, receiving some value , with which it responds to 's query.

VerSig Creation Queries. Algorithm requests a signature on some string . (It will have already queried the hash oracle at .) queries its signing oracle (for ) at , obtaining . It then selects at random from and returns to the pair ( , ).

Adjudication Queries. Algorithm requests adjudication for ( , ), a verifiably encrypted signature on message under key and adjudicator key . Algorithm checks that the verifiably encrypted signature is valid, then returns = .

Output. Finally, halts, either declaring failure, in which case , too, declares failure and halts, or providing a valid and nontrivial verifiably encrypted signature ( , ) on message . sets = , which, by the validity property, is a valid co-GDH signature on under key . That the forgery is nontrivial means that did not query the verifiably encrypted signature oracle at , from which it follows that did not query its signing oracle at . Thus is a nontrivial co-GDH forgery; algorithm outputs it and halts.

It remains only to analyze the success probability and running time of . Algorithm succeeds whenever does, that is, with probability at least . Algorithm 's running time is the same as 's running time plus the time it takes to respond to hash queries, verifiably-encrypted signature queries, and adjudication queries, and the time to transform 's final verifiably-encrypted signature forgery into a co-GDH signature forgery. Hash queries impose no overhead. Each verifiably-encrypted signature query requires to perform exponentiations in . Each adjudication query requires to perform an exponentiation and an inversion in . The output phase also requires an exponentiation and an inversion. We assume that exponentiation and inversion in take time . Hence, the total running time is at most 1). queries its hash oracle whenever queries its hash oracle, and its signing oracle whenever queries its verifiably encrypted signature oracle.

Combining all this, we see that if (t; )-forges a bilinear verifiably encrypted signature on ( , ), then ( 1) )-breaks the co-GDH signature scheme on ( , ). Conversely, if the co-GDH signature scheme is ( )-secure, then the bilinear verifiably encrypted signature scheme is ( 1) )-secure against existential forgery.

Theorem 4.5. Let and be cyclic groups of prime order , with respective generators and , with a computable isomorphism such that , and a computable bilinear map . Suppose that the bilinear aggregate signature scheme on ( , ) is ( )-secure against aggregate extraction. Then the bilinear verifiably encrypted signature scheme is (t; )-secure against extraction on ( , ), for all and satisfying 1) and 3)
where is the base of natural logarithms, and exponentiation and inversion on take time .

Proof. Given a verifiably-encrypted-signature extractor algorithm , we construct an aggregate extractor algorithm . The co-GDH forger is given values and in and in . It runs , answering its oracle calls, and uses 's verifiably encrypted signature extraction to calculate the answer to its own extraction challenge.

Let be a generator of and of , such that . Algorithm is given , , , and . Its goal is to output . Algorithm simulates the challenger and interacts with verifiably-encrypted-signature extractor as follows.

Setup. Algorithm sets the signer's public key and the adjudicator's public key . It gives and to .

Hash Queries. At any time algorithm can query the random oracle . To respond to these queries, maintains a list of tuples as explained below. We refer to this list as the -list. The list is initially empty. When queries the oracle at a point , algorithm responds as follows:

1. If the query already appears on the -list in some tuple ( , b, ), then algorithm responds with .

2. Otherwise, generates a random coin so that Pr[ = 0] = 1/( + 1).

3. Algorithm picks a random . If holds, computes . If holds, computes .

4. Algorithm adds the tuple ( , b, ) to the -list and responds to as .

VerSig Creation Queries. requests a verifiably-encrypted signature on some string under the challenge key and adjudicator key . Algorithm responds to this query as follows:

1. Algorithm runs the above algorithm for responding to -queries on , obtaining the corresponding tuple ( , b, ) on the -list.

2. selects at random from . If equals 0, computes and returns ( , ). If equals 1, computes and returns ( , ).

It is easy to verify that ( , ) is in either case a correct verifiably encrypted signature on the message with hash .

Adjudication Queries. Algorithm requests adjudication for ( , ), a verifiably encrypted signature on message under key and adjudicator key . Algorithm responds to this query as follows:

1. Algorithm runs the above algorithm for responding to -queries on , obtaining the corresponding tuple ( , b, ) on the -list.

2. Algorithm checks that the verifiably encrypted signature is valid. If it is not, returns a placeholder value.

3. If equals 0, declares failure and halts. Otherwise, it computes and returns .

It is easy to verify that is the correct co-GDH signature under key on the message with hash .
Output. Finally, halts. It either concedes failure, in which case so does , or returns a nontrivial extracted signature on some message . For the extraction to be nontrivial, must not have asked for adjudication on a verifiably encrypted signature of . Algorithm runs its hash algorithm at , obtaining the corresponding tuple ( , b, ) on the -list. now proceeds only if = 0; otherwise it declares failure and halts. Since = 0, it follows that . The extracted signature must satisfy the co-GDH verification equation, . sets = . Then , where in the last equality we substitute . Thus is a valid co-Diffie-Hellman tuple, so equals the answer to the aggregate extraction problem; algorithm outputs it and halts. This completes the description of algorithm .

It remains to show that solves the given instance of the aggregate extraction problem on ( , ) with probability at least . To do so, we analyze the three events needed for to succeed:

: does not abort as a result of any of 's adjudication queries.

: generates a valid and nontrivial verifiably-encrypted signature extraction ( , ).

: Event occurs, and = 0 holds, where is the -component of the tuple containing on the -list.

succeeds if all of these events happen. The probability Pr[ ] decomposes as

Pr[ ] = Pr[ ] · Pr[ ] · Pr[ ]   (2)

The following claims give a lower bound for each of these terms.

Claim 4.6. The probability that algorithm does not abort as a result of 's adjudication queries is at least 1/e. Hence, Pr[ ] ≥ 1/e.

Proof. Without loss of generality, we assume that does not ask for adjudication of the same message twice. We prove by induction that after makes signature queries the probability that does not abort is at least (1 − 1/( + 1)) . The claim is trivially true for = 0. Let be 's th adjudication query, for a verifiably encrypted signature ( , ) on message under the challenge key , and let ( , b, ) be the corresponding tuple on the -list. Then prior to issuing the query, the bit is independent of 's view: the only values that could be given to that depend on are and verifiably-encrypted signatures on , but the distributions on these values are the same whether = 0 or 1. Therefore, the probability that this query causes to abort is at most 1/( + 1). Using the inductive hypothesis and the independence of , the probability that does not abort after this query is at least (1 − 1/( + 1)) . This proves the inductive claim. Since makes at most adjudication queries, the probability that does not abort as a result of all signature queries is at least (1 − 1/( + 1)) ≥ 1/e.

Claim 4.7. If algorithm does not abort as a result of 's adjudication queries, then 's view is identical to its view in the real attack. Hence, Pr[ ] ≥ .
Proof. The challenge public key given to is from the same distribution as public keys produced by KeyGen; the adjudicator's public key given to is from the same distribution as the adjudicator keys produced by AdjKeyGen. Responses to hash queries are as in the real attack, since each response is uniformly and independently distributed in . Responses to verifiably-encrypted signature queries are also as in the real attack: they are valid, and their components are uniformly and independently distributed in . Since did not abort as a result of 's adjudication queries, all its responses to those queries are valid. Therefore will produce a valid and nontrivial verifiably-encrypted signature extraction with probability at least . Hence Pr[ ] ≥ .

Claim 4.8. The probability that algorithm does not abort after outputs a valid and nontrivial verifiably-encrypted signature extraction is at least 1/( + 1). Hence, Pr[ ] ≥ 1/( + 1).

Proof. Given that events and happened, algorithm will abort only if generates a forgery for which the tuple on the -list has = 1. Since its extraction is nontrivial, could not have requested adjudication on any verifiably encrypted signature on , and must be independent of 's current view. Therefore Pr[ = 0] ≥ 1/( + 1), as required.

Using the bounds from the claims above in equation (2) shows that produces the correct answer with probability at least · 1/e · 1/( + 1) ≥ , as required.

Algorithm 's running time is the same as 's running time plus the time it takes to respond to 's oracle queries and to transform 's verifiably-encrypted signature extraction into an aggregate extraction. Each verifiably-encrypted signature query, each adjudication query, and the output phase requires to run its -algorithm. It must therefore run this algorithm ( + 1) times. Each run requires an exponentiation in . Algorithm must run its verifiably-encrypted signing algorithm times, and each run requires at most three exponentiations in . Finally, 's output phase requires at most one exponentiation and one inversion in . We assume that exponentiation and inversion in take time . Hence, the total running time is at most ( + 3) , as required.

4.5 Observations on Verifiably Encrypted Signatures

We note some extensions of the verifiably encrypted signature scheme discussed above. Some of these rely for security on the -element aggregate extraction assumption with > 2.

Anyone can convert an ordinary unencrypted signature to a verifiably encrypted signature. The same applies to unencrypted aggregate signatures.

An adjudicator's private key can be shared amongst parties using -of- threshold cryptography [12, 11], so that parties are needed to adjudicate a verifiably encrypted signature.

A message-signature pair in the co-GDH signature scheme is of the same form as an identity-private-key pair in the Boneh-Franklin Identity-Based Encryption Scheme [5]. Thus the verifiably encrypted signature scheme can potentially be modified to yield a verifiably encrypted encryption scheme for IBE private keys. Verifiably encrypted private keys have many applications [27].
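As an added Python illustration (not code from the paper), the VES scheme of Section 4.4 together with the Section 4.5 observation that anyone can convert an ordinary signature into a verifiably encrypted one, in a toy "exponent-space" model: group elements are represented by their discrete logarithms, so the pairing becomes multiplication modulo a constructed prime P, and SHA-256 stands in for the full-domain hash. The model reproduces the scheme's equations exactly but has no security, since every secret is visible by construction.

```python
"""Toy walk-through of the bilinear VES scheme of Section 4.4.

Added illustration, not the paper's code.  Group elements are represented by
their discrete logarithms to a fixed generator: a product of group elements is
a sum of exponents mod P, a power is a product, and the pairing
e(g1^a, g2^b) = e(g1, g2)^(a*b) is just a*b mod P.  The scheme's equations
check exactly as written in the paper, but the model has no security at all;
it only exercises the algebra and the adjudicator's validity check.
"""
import hashlib
import secrets

P = 2**127 - 1  # constructed prime group order (a Mersenne prime)


def hash_to_group(msg):
    """Full-domain hash H: {0,1}* -> G1, modelled by an exponent mod P."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % P


def pair(a, b):
    """Bilinear map in exponent space: e(g1^a, g2^b) -> a*b."""
    return (a * b) % P


def keygen():
    """co-GDH KeyGen (and AdjKeyGen): secret x, public v = g2^x.
    Returns (x, v); in exponent space v is the exponent x itself."""
    x = secrets.randbelow(P - 1) + 1
    return x, x


def sign(x, msg):
    """co-GDH Sign: sigma = H(M)^x."""
    return (hash_to_group(msg) * x) % P


def verify(v, msg, sigma):
    """co-GDH Verify: e(sigma, g2) == e(H(M), v)."""
    return pair(sigma, 1) == pair(hash_to_group(msg), v)


def ves_create(x, msg, v_adj, r=None):
    """VESig Creation: sigma = h^x, mu = psi(g2)^r, sigma' = psi(v')^r,
    omega = sigma * sigma'.  Returns the pair (omega, mu)."""
    return encrypt_signature(sign(x, msg), v_adj, r)


def encrypt_signature(sigma, v_adj, r=None):
    """Section 4.5: anyone holding an ordinary signature can turn it into a
    VES for adjudicator v' without the signer's key (the ElGamal view)."""
    if r is None:
        r = secrets.randbelow(P)
    mu = r                           # psi(g2)^r
    sigma_prime = (v_adj * r) % P    # psi(v')^r
    omega = (sigma + sigma_prime) % P
    return omega, mu


def ves_verify(v, msg, v_adj, omega, mu):
    """VESig Verification: e(omega, g2) == e(h, v) * e(mu, v')."""
    h = hash_to_group(msg)
    return pair(omega, 1) == (pair(h, v) + pair(mu, v_adj)) % P


def adjudicate(x_adj, v_adj, v, msg, omega, mu):
    """Adjudication: validate first, then output sigma = omega / mu^x'.
    Without the check the adjudicator would apply x' to whatever (omega, mu)
    it is handed, which is why Section 4.4 requires validation."""
    if not ves_verify(v, msg, v_adj, omega, mu):
        raise ValueError("invalid verifiably encrypted signature")
    return (omega - x_adj * mu) % P


def demo():
    """Alice signs, Bob verifies the VES, Carol adjudicates (Section 4.3).
    Returns True iff Carol's output is Alice's ordinary signature."""
    x_alice, v_alice = keygen()
    x_carol, v_carol = keygen()
    msg = b"constructed sample message"
    omega, mu = ves_create(x_alice, msg, v_carol)
    if not ves_verify(v_alice, msg, v_carol, omega, mu):  # Bob's check
        return False
    sigma = adjudicate(x_carol, v_carol, v_alice, msg, omega, mu)  # Carol
    return sigma == sign(x_alice, msg) and verify(v_alice, msg, sigma)
```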
5 Ring Signatures

Rivest, Shamir and Tauman define ring signature schemes and construct some using RSA and Rabin cryptosystems [28]. Naor defines the closely-related notion of deniable ring authentication and proposes such a scheme that relies only on the existence of a strong encryption function [23]. We shall see that co-GDH signatures give rise to natural ring signatures.

5.1 Ring Signatures

Consider a set of users. Each user has a signing keypair (PK , SK ). A ring signature on is a signature that is constructed using all the public keys of the users in and a single private key of any user in . A ring signature has the property that a verifier is convinced that the signature was produced using one of the private keys of , but is not able to determine which one. This property is called signer-ambiguity [28]. Applications for ring signatures include authenticated (yet repudiable) communication and leaking secrets [28].

Zhang and Kim [29] devised a bilinear ring signature in an identity-based setting. Our scheme differs from theirs, as our goal is to extend co-GDH signatures to obtain efficient ring signatures; the system parameters and key generation algorithm in our system are identical to those of the co-GDH scheme.

5.2 Bilinear Ring Signatures

The ring signature scheme comprises three algorithms: KeyGen, RingSign and RingVerify. Recall that and are generators of groups and respectively, is a bilinear map, and a computable isomorphism exists, with . Again we use a full-domain hash function . The security analysis views as a random oracle.

Key Generation. For a particular user, pick random and compute . The user's public key is . The user's secret key is .

Ring Signing. Given public keys , a message , and a private key corresponding to one of the public keys for some , choose random for all . Compute and set = (h / )^(1/x ). For all , let = . Output the ring signature .

Ring Verification. Given public keys , a message , and a ring signature , compute and verify that e(h, ) = ∏_{i=1} e( , ) holds.

Using the bilinearity and nondegeneracy of the pairing, it is easy to show that a signature produced by the RingSign algorithm will verify under the RingVerify algorithm.

5.3 Security

There are aspects of the security analysis for ring signatures that we must consider. Firstly, signer ambiguity must be ensured. We show that the identity of the signer is unconditionally protected.
Theorem 5.1. For any algorithm , any set of users, and a random , the probability Pr[ ] is at most 1/ , where is any ring signature on generated with private key SK .

Proof. The theorem follows from a simple probability argument: for any and any , the distribution for chosen such that is identical to the distribution , since the value of any one of the 's is uniquely determined by the values of the other 's.

Secondly, we need to examine the scheme's resistance to forgery. We adopt the security model of Rivest, Shamir and Tauman [28]. Consider the following game played between an adversary and a challenger. The adversary is given the public keys of a set of users and is given oracle access to and a ring-signing oracle. The adversary may work adaptively. The goal of the adversary is to output a valid ring signature on of a message , subject to the condition that has never been presented to the ring-signing oracle. An adversary 's advantage Adv RingSig in existentially forging a bilinear ring signature is the probability, taken over the coin tosses of the key-generation algorithm and of the forger, that succeeds in creating a valid ring signature in the above game.

Theorem 5.2. Suppose is a ( )-algorithm that can produce a forgery of a ring signature on a set of users of size . Then there exists a (t; )-algorithm that can solve the co-CDH problem, where = + (2n + nq + ) and = ((1/e)(1 − 1/ )) , where issues at most ring-signature queries and at most hash queries, and exponentiation and inversion on take time .

Proof. The co-CDH problem can be solved by first solving random instances of the following problem: Given ab (and ), compute . We shall construct an algorithm that solves this problem. This is easy if = 0. In what follows, we assume ≠ 0. Initially picks at random from and sets = 1. It sets . Algorithm is given the public keys . Without loss of generality, we may assume submits distinct queries (as previous replies can be cached); that for every ring-signing query on message , has previously issued a hash query for ; and that issues a hash query on the message on which it attempts to forge a signature some time before giving its final output.

On a hash query , flips a coin that shows with probability and otherwise ( shall be determined later). Then picks a random and, if the coin shows 0, returns ab ; otherwise it returns .

Suppose issues a ring-sign query for message . By assumption, has previously issued a hash query for . If the coin flipped for this -query showed 0, then fails and exits. Otherwise had returned for some . In this case chooses random , computes , and returns the signature .

Eventually outputs a forgery for message . Again by assumption, has previously issued an -query for . If the coin flipped for this query did not show 0, then fails. Otherwise abr for some chosen , and outputs the th root of .

Algorithm cannot distinguish between 's simulation and real life. Also, will not fail with probability (1 − ) , which is maximized when = 1/( + 1), giving a bound of (1/e)(1 − 1/ ). If it does not fail and successfully forges a ring signature, then is successful and outputs .

Algorithm requires exponentiations on in setup, one exponentiation for each of 's hash queries, exponentiations for each of 's signature queries, and exponentiations in the output phase, so its running time is 's running time plus (2n + nq + ) .
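The ring signature scheme of Section 5.2, the signer-ambiguity argument of Theorem 5.1, and the ring-widening observation of Section 5.4, as an added Python illustration (not the paper's code) in the same toy exponent-space model as the VES example above (discrete logarithms stand for group elements, SHA-256 for the hash, P is a constructed prime). The widening formula is our own derivation that satisfies RingVerify, assumed rather than taken from the text.

```python
"""Toy walk-through of the bilinear ring signature scheme (Section 5.2).

Added illustration, not the paper's code.  Group elements are their discrete
logarithms mod P, so a product of group elements is a sum of exponents, a
power is a product, and the pairing e(g1^a, g2^b) is a*b mod P.  Nothing here
is secure; it only exercises the verification equations.
"""
import hashlib
import secrets

P = 2**127 - 1  # constructed prime group order


def hash_to_group(msg):
    """Full-domain hash H, modelled by an exponent mod P."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % P


def pair(a, b):
    """Bilinear map in exponent space: e(g1^a, g2^b) -> a*b."""
    return (a * b) % P


def keygen():
    """co-GDH KeyGen: secret x, public v = g2^x (the exponent x here)."""
    x = secrets.randbelow(P - 1) + 1
    return x, x


def ring_sign(pks, msg, s, x_s, coins=None):
    """RingSign with private key x_s of user s.  For i != s,
    sigma_i = psi(g2)^a_i; sigma_s = (h / prod_{i != s} psi(v_i)^a_i)^(1/x_s)."""
    n = len(pks)
    h = hash_to_group(msg)
    coins = coins or [secrets.randbelow(P) for _ in range(n)]
    sig = [0] * n
    acc = 0                                   # prod_{i != s} psi(v_i)^a_i
    for i in range(n):
        if i != s:
            sig[i] = coins[i]                 # psi(g2)^a_i
            acc = (acc + coins[i] * pks[i]) % P
    sig[s] = ((h - acc) * pow(x_s, -1, P)) % P
    return sig


def ring_verify(pks, msg, sig):
    """RingVerify: e(h, g2) == prod_i e(sigma_i, v_i)."""
    if len(sig) != len(pks):
        return False
    rhs = sum(pair(si, vi) for si, vi in zip(sig, pks)) % P
    return pair(hash_to_group(msg), 1) == rhs


def consistent_signers(pks, msg, sig):
    """Theorem 5.1 in miniature: in a valid ring signature every index s could
    be the signer, because sigma_s is fixed by h and the other sigma_i.
    Returns the indices s whose sigma_s is implied by the remaining ones."""
    h = hash_to_group(msg)
    out = []
    for s in range(len(pks)):
        rest = sum(pair(si, vi)
                   for i, (si, vi) in enumerate(zip(sig, pks)) if i != s) % P
        if ((h - rest) * pow(pks[s], -1, P)) % P == sig[s]:
            out.append(s)
    return out


def modified_sign(x, msg):
    """Section 5.4, the n = 1 case: sigma = h^(1/x), checked by
    e(sigma, v) == e(h, g2) instead of e(sigma, g2) == e(h, v)."""
    return (hash_to_group(msg) * pow(x, -1, P)) % P


def widen_ring(sigma, pks, coins):
    """Section 5.4: anyone can turn a modified co-GDH signature for pks[0]
    into a ring signature over pks without any private key.  The formula is
    an assumption of this example: for i >= 1 multiply sigma_0 by
    psi(v_i)^a_i and set sigma_i = psi(v_0)^(-a_i); the extra pairing terms
    cancel in the product RingVerify computes."""
    sig = [sigma] + [0] * (len(pks) - 1)
    for i in range(1, len(pks)):
        sig[0] = (sig[0] + coins[i] * pks[i]) % P
        sig[i] = (-coins[i] * pks[0]) % P
    return sig
```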
5.4 Observations on Ring Signatures

Any ring signature scheme restricts to an ordinary signature scheme when = 1. Our scheme restricts to a short signature scheme similar to the co-GDH scheme [6]. In this modified co-GDH scheme, equals ^(1/x) rather than , and one verifies that e( , ) = e(h, ) rather than that e( , ) = e(h, ).

Bresson et al. [7] extend Rivest-Shamir-Tauman ring signatures to obtain threshold and ad-hoc ring signatures.

However, bilinear ring signatures have interesting properties that do not appear to be shared by ring signatures in general. For any set of users with , anyone can convert a modified co-GDH signature into a ring signature. Specifically, to convert a modified co-GDH signature on for public key into a ring signature on for public keys , choose for = 2, ..., and set = and = for . More generally, anyone can further anonymize a ring signature by adding users to .

Conclusions

We introduced the concept of aggregate signatures and constructed an efficient aggregate signature scheme based on bilinear maps. Key generation, aggregation, and verification require no interaction. We proved security of the system in a model that gives the adversary his choice of public keys and messages to forge. For security we introduced the additional constraint that an aggregate signature is valid only if it is an aggregation of signatures on distinct messages. This constraint is satisfied naturally for the applications we have in mind. More generally, the constraint can be satisfied by prepending the public key to the message prior to signing.

We gave several applications for aggregate signatures. For example, they can be used to reduce the size of certificate chains and reduce communication bandwidth in protocols such as SBGP. We also showed that our specific aggregate signature scheme gives verifiably encrypted signatures.

Previous signature constructions using bilinear maps [6, 19, 8, 4] only required a gap Diffie-Hellman group (i.e., DDH easy but CDH hard). The signature constructions in this paper require the extra structure provided by the bilinear map. These constructions are an example where a bilinear map provides more power than a generic gap Diffie-Hellman group.

Acknowledgments

The authors thank Leonid Reyzin, Liqun Chen, Alice Silverberg, and Cynthia Dwork for helpful discussions about this work. The first author is supported by DARPA, the Packard Foundation, and an NSF CAREER award. The third and fourth authors are supported by DARPA and NSF.

References

[1] N. Asokan, V. Shoup, and M. Waidner. Optimistic fair exchange of digital signatures. IEEE J. Selected Areas in Comm., 18(4):593–610, April 2000.

[2] F. Bao, R. Deng, and W. Mao. Efficient and practical fair exchange protocols with off-line TTP. In Proceedings of IEEE Symposium on Security and Privacy, pages 77–85, 1998.
[3] M. Bellare and P. Rogaway. The exact security of digital signatures: How to sign with RSA and Rabin. In Proceedings of Eurocrypt '96, volume 1070 of LNCS, pages 399–416. Springer-Verlag, 1996.

[4] A. Boldyreva. Efficient threshold signature, multisignature and blind signature schemes based on the gap-Diffie-Hellman-group signature scheme. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 31–46. Springer-Verlag, 2003.

[5] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Computing, 32(3):586–615, 2003. Extended abstract in Proceedings of Crypto 2001.

[6] D. Boneh, B. Lynn, and H. Shacham. Short signatures from the Weil pairing. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 514–32. Springer-Verlag, 2001. Full paper: http://crypto.stanford.edu/~dabo/pubs.html.

[7] E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications to ad-hoc groups. In M. Yung, editor, Proceedings of Crypto 2002, volume 2442 of LNCS, pages 465–80. Springer-Verlag, 2002.

[8] Y. Dodis. Efficient construction of (distributed) verifiable random functions. In Proceedings of PKC 2003, volume 2567 of LNCS, pages 1–17. Springer-Verlag, 2003.

[9] A. Fiat. Batch RSA. In Proceedings of Crypto '89, pages 175–185, 1989.

[10] J. Garay, M. Jakobsson, and P. MacKenzie. Abuse-free optimistic contract signing. In Proceedings of Crypto '99, volume 1666 of LNCS, pages 449–466. Springer-Verlag, 1999.

[11] P. Gemmel. An introduction to threshold cryptography. RSA CryptoBytes, 2(3):7–12, 1997.

[12] R. Gennaro, T. Rabin, S. Jarecki, and H. Krawczyk. Robust and efficient sharing of RSA functions. J. Cryptology, 13(2):273–300, 2000.

[13] C. Gentry and A. Silverberg. Hierarchical ID-based cryptography. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 548–66. Springer-Verlag, 2002.

[14] S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281–308, 1988.

[15] J. Horwitz and B. Lynn. Toward hierarchical identity-based encryption. In Proceedings of Eurocrypt 2002, volume 2332 of LNCS, pages 466–81. Springer-Verlag, 2002.

[16] A. Joux. A one round protocol for tripartite Diffie-Hellman. In Proceedings of ANTS IV, volume 1838 of LNCS, pages 385–94. Springer-Verlag, 2000.

[17] A. Joux and K. Nguyen. Separating Decision Diffie-Hellman from Diffie-Hellman in cryptographic groups. Cryptology ePrint Archive, Report 2001/003, 2001. http://eprint.iacr.org/.

[18] S. Kent, C. Lynn, and K. Seo. Secure border gateway protocol (Secure-BGP). IEEE J. Selected Areas in Comm., 18(4):582–92, April 2000.

[19] A. Lysyanskaya. Unique signatures and verifiable random functions from the DH-DDH separation. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 597–612. Springer-Verlag, 2002.

[20] S. Micali, K. Ohta, and L. Reyzin. Accountable-subgroup multisignatures (extended abstract). In Proceedings of CCS 2001, pages 245–54. ACM Press, 2001.

[21] S. Micali and R. Rivest. Transitive signature schemes. In Proceedings of RSA 2002, volume 2271 of LNCS, pages 236–43. Springer-Verlag, 2002.

[22] A. Miyaji, M. Nakabayashi, and S. Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Trans. Fundamentals, E84-A(5):1234–43, May 2001.

[23] M. Naor. Deniable ring authentication. In Proceedings of Crypto 2002, volume 2442 of LNCS, pages 481–98. Springer-Verlag, 2002.

[24] K. Ohta and T. Okamoto. Multisignature schemes secure against active insider attacks. IEICE Trans. Fundamentals, E82-A(1):21–31, 1999.

[25] T. Okamoto. A digital multisignature scheme using bijective public-key cryptosystems. ACM Trans. Computer Systems, 6(4):432–441, 1998.

[26] T. Okamoto and D. Pointcheval. The gap problems: a new class of problems for the security of cryptographic primitives. In Proceedings of PKC 2001, volume 1992 of LNCS, pages 104–118. Springer-Verlag, 2001.

[27] G. Poupard and J. Stern. Fair encryption of RSA keys. In Proceedings of Eurocrypt 2000, volume 1807 of LNCS, pages 172–89. Springer-Verlag, 2000.

[28] R. Rivest, A. Shamir, and Y. Tauman. How to leak a secret. In Proceedings of Asiacrypt 2001, volume 2248 of LNCS, pages 552–65. Springer-Verlag, 2001.

[29] F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings. In Proceedings of Asiacrypt 2002, volume 2501 of LNCS, pages 533–47. Springer-Verlag, 2002.