The present invention claims priority of Korean Patent Application No. 10-2010-0096561, filed on Oct. 4, 2010, which is incorporated herein by reference.
The present invention relates to a cryptographic group signature scheme, and more particularly, to a group signature system and method which provide anonymity and linkability controllable at various levels, whereby a signature generated by an authorized user of a group superficially verifies only that some member of the group has generated a signature with respect to a message; when a particular opening key is given, the signer can be identified, and when a particular linking key is given, it can be checked whether signature values are linked (namely, whether they have been generated by the same signing key).
In general, the group signature scheme, which is one of the most important cryptographic authentication schemes for protecting user privacy, has been widely studied. The group signature scheme, the concept of which was first proposed by Chaum and van Heyst in 1991, has since developed greatly, and numerous concrete schemes, as well as formal models of their security requirements, have been proposed.
In addition, an effective anonymous authentication scheme has been actively studied in recent years as a replacement for the ID/password authentication scheme and the real-name-based PKI authentication scheme, which involve many problems such as exposure of personal information, excessive collection of personal information by service providers, and leakage caused by careless management when registering and confirming personal information, and for the i-Pin scheme, which involves the problem of extensive behavior tracking.
However, the traditional group signature scheme handles anonymity only with a dichotomous structure of concealing and recovering a signer's ID and is therefore not sufficient for adoption in an actual application environment. This is because users prefer the merits of perfect anonymity, whereas service providers cannot easily achieve their original purpose in providing the services with anonymity alone.
For example, in a web-based anonymous authentication service, neither personalized services nor good-quality services can be provided. Also, in the case of data mining, it would be difficult to obtain useful information from anonymous authentication data.
Therefore, in order to solve such problems, a development of a group signature scheme or the like, which may be able to control various anonymity levels in a practical point of view and excellent in terms of performance, is urgently required.
In addition, in order to design and develop the effective group signature schemes providing the above-mentioned anonymity characteristics, an existing linear encryption (LE) scheme of a bilinear group is not sufficient, and a novel cryptographic scheme which is structurally flexible and able to efficiently encrypt multiple pairs of messages needs to be also developed together.
Meanwhile, various group signature schemes have been suggested so far to provide anonymous authentication; however, they adopt a simple structure in which a signer's ID is concealed in a generated signature and is recovered when a master opening key is given. Such a method is not sufficient for use in an actual application environment. The problem is that, although users prefer the merits of anonymity, service providers cannot easily achieve a useful purpose in providing the services with anonymity alone.
For example, in a web-based anonymous authentication service, a service provider requires user information (e.g., a user's consumption pattern) in anonymous form, and if this is not supported, personalized services and the good-quality services associated with them cannot be provided. Also, in the case of data mining, it would be difficult to obtain useful information from anonymous authentication data in the way a developer wishes.
Therefore, the present invention provides a novel group-based anonymous signature scheme that diversifies the level of anonymity by overcoming the limited anonymity control of existing group signature schemes. More specifically, the present invention provides a group signature system and method which divide the concept of anonymity into various levels by employing controllable linkability, and a corresponding control method. Namely, only when a particular key is given is the linking information between signer IDs or signature values revealed, and thus anonymity can be controlled.
The present invention further provides a linear combination encryption (LCE) scheme and a hybrid linear combination encryption (HLCE) scheme obtained by extending the LCE scheme. These schemes are essential building blocks in the design of the group signature scheme and may also be used independently to design other cryptographic schemes. They can securely and efficiently encrypt multiple messages in an algebraic group in which the decisional Diffie-Hellman (DH) problem is easy, for example, in a bilinear group defined for bilinear pairings.
In accordance with an aspect of the present invention, there is provided a group signature system including: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins;
an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given.
In accordance with another aspect of the present invention, there is provided a group signature method including: generating, by a key issuer server, a first parameter of a group public key, and generating a corresponding master issuing key; issuing a signature key to a user device when the user device joins; generating, by an opener server, a second parameter of the group public key, and a corresponding master opening key and master linking key; and checking, by a linker server, whether two valid signatures have been linked by using the master linking key when the two signatures are given.
In accordance with still another aspect of the present invention, there is provided a method for generating a group public key including: generating, by a key issuer server, a first parameter of a group public key and defining a corresponding master issuing key; defining, by an opener server, a master opening key and a master linking key, generating a second parameter of the group public key, and providing the generated second parameter to the key issuer server; and combining, by the key issuer server, the first and second parameters to generate the group public key.
In accordance with still another aspect of the present invention, there is provided a method for updating a group public key including: releasing, by a key issuer server, a revocation list for updating keys when a session is changed; generating, by the key issuer server, a new group public key and providing the new group public key to a user device; updating, by the user device, the group public key with the new group public key; and updating, by the user device, a signature key corresponding to the new group public key.
In accordance with still another aspect of the present invention, there is provided a method for generating a signature key including: receiving, at a key issuer server, a subscription request message from a user device; verifying, by the key issuer server, the validity of the subscription request message; receiving a signature on the verified subscription request message from the user device; verifying, by the key issuer server, the validity of the signature to register the user device; and generating, by the user device, a secret signature key corresponding to a group public key.
In accordance with still another aspect of the present invention, there is provided a method for encrypting a message including: defining, by an opener server or a recipient, a public key, and storing the corresponding secret key; outputting, by a message sender or a user device, a ciphertext of its message by using the public key; and computing, by the opener server or the recipient, on the ciphertext with the secret key to recover the original message.
The objects and features of the present invention will become apparent from the following description of embodiments, given in conjunction with the accompanying drawings, in which:
Hereinafter, the embodiments of the present invention will be described with reference to the accompanying drawings which form a part hereof.
Referring to
The key issuer server 100, which is a trusted entity, initially generates the first group public parameters (gpp1) and a corresponding master issuing key (mik). When a new user device joins, the key issuer server 100 runs an interactive protocol with it and issues a signature key to the user device.
When a key revocation occurs, the key issuer server 100 releases a revocation list and, when participants require it, updates the key values.
The opener server 200 initially generates second group public parameters (gpp2) and corresponding master opening key (mok) and master linking key (mlk). The master linking key is provided to the linker server 300. When a valid signature is given, the opener server 200 outputs proof information for confirming a signer by using a master opening key. Anyone can check the output proof information freely.
The linker server 300 initially receives the master linking key (mlk) from the opener server 200. When two valid signatures are given, the linker server 300 may check whether they are linked (namely, whether the two signatures have been generated by a single signer) by using the master linking key.
The user device 400 may join as a member of an authorized group and receive a signature key issued by the key issuer server 100.
In this case, the user device 400 and the key issuer server 100 run the interactive protocol. Thereafter, the user device 400 generates a group signature on a given message by using the issued signature key. When a key revocation takes place, the user device 400 updates its key values by using the revocation information provided by the key issuer server 100. The signature verifying unit 500 is an algorithm that confirms the validity of a given signature. The signer information confirming unit 600 is an algorithm that verifies the validity of the signer confirmation information generated by the opener server 200.
The key issuer server 100 defines a group public key (gpk) by combining the generated first parameter gpp1 and second parameter gpp2, and releases the defined group public key to every participating component within the group signature system. Namely, gpk={gpp1,gpp2}. Afterwards, whenever a key revocation occurs, gpk is updated.
Now, the embodiment of the present invention will be described in detail with reference to
Upon receiving a security parameter k as input at the initial stage, the key issuer server 100 performs the following. First, the key issuer server 100 generates a pair of bilinear groups $(G_1, G_2)$, a bilinear map $e: G_1 \times G_2 \rightarrow G_T$ over them, and a hash function $H: \{0,1\}^* \rightarrow Z_p^*$. The key issuer server 100 selects elements $h_1 \in G_2$ and $g_1, g_2, g_3, g \in G_1$. Also, the key issuer server 100 selects $\theta \in Z_p^*$, calculates $h_\theta = h_1^{\theta}$, and then defines $\theta$ as the master issuing key ($mik = \theta$) in step S200.
Also, the opener server 200 selects $\theta_1, \theta_2, \xi_1, \xi_2 \in Z_p^*$ and calculates u=h1ξ
The key issuer server 100 combines $gpp_2 = (u, v, w_1, w_2, d_1, d_2)$ received from the opener server 200 with its own $gpp_1 = (e, G_1, G_2, g_1, g_2, g_3, g, h_1, h_\theta, H)$ to create an initial group public key $gpk = (e, G_1, G_2, g_1, g_2, g_3, g, h_1, h_\theta, H, u, v, w_1, w_2, d_1, d_2)$ and publishes it for free use in step S204. The group public key is updated whenever a key revocation occurs. For convenience, the initial group public key is denoted $gpk_0$; the parameters of the group public key managed by the key issuer server 100 and the opener server 200 can be verified by a freely chosen authentication method.
Now, the embodiment of the present invention will be described in detail with reference to
First, the user device 400 that wants to newly join a group and the key issuer server 100 interactively perform the following process. It is assumed that an authenticated and secure channel has already been established between the two participants. In the following description, Ext-Commit denotes an extractable commitment scheme that is perfectly binding and computationally hiding; when trapdoor information is given, the committed value can be recovered. NIZKEqDL(a,b,c) denotes a non-interactive zero-knowledge proof scheme verifying that the value committed in 'a' and $\log_c b$ are identical.
In addition, NIZKEqDL(B,D) denotes a non-interactive zero-knowledge proof scheme verifying knowledge of $\log_D B$.
It is assumed that an initial group public key $gpk_0 = (e, g_1, g_2, g_3, T)$ and a current group public key $gpk_k = (e, \tilde g_1, \tilde g_2, \tilde g_3, T)$ are given (where $T = (e, h_1, h_\theta, u, v, w_1, w_2, d_1, d_2, H)$). Hereinafter, the user device 400 uses a general (PKI-based) signature scheme $\Sigma = (\mathrm{KGen}, \mathrm{Sign}, \mathrm{Vrfy})$. In the following description, it is assumed that each user device 400 has generated a public key and secret key pair for the signature scheme $\Sigma$ in advance.
(1) The user device 400 selects a random number $z_i \in Z_p^*$ and calculates upk[i]=Zi=g3z
(2) The key issuer server 100 receives the subscription request message (Join, IDi, (upk[i]=Zi, TU)) and then verifies the validity of (upk[i]=Zi, TU) according to a predetermined method. When (upk[i]=Zi, TU) is valid, the key issuer server 100 checks whether (IDi, H(gy
(3) The user device 400 receives (Ai, TI, VI, Y1,i=g2y
(4) The key issuer server 100 receives the signature σ2,i and then verifies validity of that signature. When the signature is valid, the key issuer server 100 transmits information regarding portion of secret key (xi, yi) to the user device 400 in step S306.
(5) The user device 400 receives $(x_i, y_i)$ and then calculates $\tilde A'' = (g_1''\, g_2''^{-y}\, g_3''^{-z})^{1/(\theta + x)}$ corresponding to the current group public key by using the user key updating algorithm. It then checks whether the following equations hold:
e(Ai,h1x
and
$e(A_i, \tilde h_1) = e(\tilde A_i, h_1)$.
When the equations hold, the user device 400 securely stores $usk[i] = (\tilde A_i, x_i, y_i, z_i, A_i)$ as its secret signature key corresponding to the current group public key in step S308. Finally, when $e(X_{1,i}, h_1) = e(g, X_{2,i})$ and $e(Y_{1,i}, h_1) = e(g_2, Y_{2,i})$ hold, the user device 400 generates a signature σjudge,i←Signsk
(6) The key issuer server 100 receives the signature $\sigma_{judge,i}$ and then verifies its validity. When the signature is valid, the key issuer server 100 adds (IDi, H(gy
In the above description, a structure is provided in which, when the master linking key mlk is given, linkability can be checked regardless of whether the user device 400 is still a member. This structure may be modified so that linkability is provided only while the user device 400 is joined and maintained as an authorized member; in this case, the key issuer server 100 may select a fresh $y_i \in Z_p^*$ whenever a user joins in step (2) above.
First, when a message M is to be signed, the user device 400 takes the current group public key gpk, the corresponding user secret signature key $usk[i] = (\tilde A, x, y, z, A)$, and the message M as inputs in step S400. Next, the user device 400 generates a signature $\sigma$ on these inputs as follows in step S402. Namely, the user device 400 first selects random numbers $\alpha, \beta \leftarrow Z_p$ and calculates:
$D_1 \leftarrow u^{\alpha},\quad D_2 \leftarrow v^{\beta},\quad D_3 \leftarrow \tilde A\, w_1^{\alpha} w_2^{\beta},\quad D_4 \leftarrow g^{y} d_1^{\alpha} d_2^{\beta},$
and
$\gamma \leftarrow x\alpha \bmod p,\quad \delta \leftarrow x\beta \bmod p.$
Further, the user device 400 selects random numbers $r_\alpha, r_\beta, r_\gamma, r_\delta, r_x, r_y, r_z \leftarrow Z_p$ and calculates:
$R_1 \leftarrow u^{r_\alpha},\quad R_2 \leftarrow v^{r_\beta},\quad R_3 \leftarrow e(D_3, h_1)^{r_{\ldots}} \ldots$
In addition, the user device 400 calculates:
$c = H(M, D_1, D_2, D_3, D_4, R_1, R_2, R_3, R_4, R_5, R_6)$
by using a hash function, and also calculates:
$s_\alpha = r_\alpha + c\alpha,\quad s_\beta = r_\beta + c\beta,\quad s_\gamma = r_\gamma + c\gamma,\quad s_\delta = r_\delta + c\delta,\quad s_x = r_x + cx,\quad s_y = r_y + cy,\quad s_z = r_z + cz.$
Finally, the user device 400 outputs $\sigma = (D_1, D_2, D_3, D_4, c, s_\alpha, s_\beta, s_\gamma, s_\delta, s_x, s_y, s_z)$ as the signature in step S404.
In the above description, a linear encryption scheme, instead of the linear combination encryption scheme, may be used for $D_3 \leftarrow \tilde A w_1^{\alpha} w_2^{\beta}$ or $D_4 \leftarrow g^{y} d_1^{\alpha} d_2^{\beta}$; for example, $D_4 \leftarrow g^{y} d^{\alpha+\beta}$ is calculated instead of $D_4 \leftarrow g^{y} d_1^{\alpha} d_2^{\beta}$. In this case, the generation of the group public key, the generation of the signer proof information, the algorithm for confirming the signer proof information, and the method for checking linkability must be adjusted accordingly for consistency. Such adjustments are obvious to those skilled in the art, so a description thereof is omitted.
It is assumed that a signature $\sigma = (D_1, D_2, D_3, D_4, c, s_\alpha, s_\beta, s_\gamma, s_\delta, s_x, s_y, s_z)$ on a message M is given in step S500. Then, the signature verifying unit 500 calculates:
$R_1 \leftarrow u^{s_\alpha} D_1^{-c},\quad R_2 \leftarrow v^{s_\beta} D_2^{-c},\quad R_3 \leftarrow e(D_3, h_1)^{s_{\ldots}} \ldots$
and
$R_6 \leftarrow D_2^{\,s_{\ldots}}\, v^{-s_{\ldots}}$
in step S502.
Then, the signature verifying unit 500 calculates the hash value $c' = H(M, D_1, D_2, D_3, D_4, R_1, R_2, R_3, R_4, R_5, R_6)$ and checks whether c and c' are identical. If so, the signature verifying unit 500 outputs 1, indicating that the given signature is valid; otherwise it outputs 0 in step S504.
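The commitment, challenge and response structure shared by signing step S402 and verification step S502 is shown below as an added Python example; it is not code from the patent. It keeps only the terms that need no pairing ($D_1 = u^\alpha$, $D_2 = v^\beta$, $R_1$, $R_2$ and the responses $s_\alpha$, $s_\beta$), omits $D_3$, $D_4$, $R_3$ to $R_6$ and the signer's key material, uses a constructed toy prime-order subgroup of $Z_p^*$ (p = 2039, q = 1019, generators 4 and 9) that is far too small to be secure, and takes the SHA-256 digest directly as the challenge c instead of hashing into $Z_p^*$ as the page does. The point it demonstrates is the verifier's recomputation $R_1 \leftarrow u^{s_\alpha} D_1^{-c}$: the $c\alpha$ term in $s_\alpha$ cancels against $D_1^{-c}$, so the verifier re-derives exactly the $R_1$ the signer hashed.

```python
import hashlib
import secrets

# Constructed toy group: q = 1019 and p = 2q + 1 = 2039 are prime, so the quadratic
# residues mod p form a cyclic subgroup of prime order q. 4 and 9 are squares, hence
# generators of that subgroup. Illustration only; nowhere near a secure size.
P = 2039
Q = 1019
U = 4
V = 9


def challenge(message: bytes, *elems: int) -> int:
    """c = H(M, D1, D2, R1, R2) over a length-prefixed encoding.
    The full 256-bit digest is used as c; all exponents are reduced mod q."""
    h = hashlib.sha256()
    h.update(len(message).to_bytes(4, "big") + message)
    for e in elems:
        h.update(e.to_bytes(4, "big"))  # group elements fit in 4 bytes for this toy p
    return int.from_bytes(h.digest(), "big")


def sign_skeleton(message: bytes, alpha: int, beta: int) -> tuple:
    """Signer side: commit to alpha and beta, then answer the Fiat-Shamir challenge."""
    d1, d2 = pow(U, alpha, P), pow(V, beta, P)            # D1 <- u^alpha, D2 <- v^beta
    r_alpha, r_beta = secrets.randbelow(Q), secrets.randbelow(Q)
    r1, r2 = pow(U, r_alpha, P), pow(V, r_beta, P)        # R1 <- u^{r_alpha}, R2 <- v^{r_beta}
    c = challenge(message, d1, d2, r1, r2)
    s_alpha = (r_alpha + c * alpha) % Q                   # s_alpha = r_alpha + c*alpha
    s_beta = (r_beta + c * beta) % Q                      # s_beta  = r_beta  + c*beta
    return (d1, d2, c, s_alpha, s_beta)


def verify_skeleton(message: bytes, sig: tuple) -> bool:
    """Verifier side: rebuild R1, R2 from the responses and re-derive the challenge."""
    d1, d2, c, s_alpha, s_beta = sig
    # u^{s_alpha} * D1^{-c} = u^{r_alpha + c*alpha} * u^{-c*alpha} = R1; likewise for R2.
    # D1 lies in the order-q subgroup, so the exponent -c is reduced mod q.
    r1 = pow(U, s_alpha, P) * pow(d1, (-c) % Q, P) % P
    r2 = pow(V, s_beta, P) * pow(d2, (-c) % Q, P) % P
    return challenge(message, d1, d2, r1, r2) == c
```

Nothing identifying the signer enters the verifier: only the group parameters u and v are used, which is what makes the signature anonymous to anyone without the opening or linking key. In the full scheme the same challenge additionally binds $D_3$, $D_4$ and $R_3$ to $R_6$, which is where the pairing-based parts of the proof live.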
It is assumed that a signature $\sigma = (D_1, D_2, D_3, D_4, c, s_\alpha, s_\beta, s_\gamma, s_\delta, s_x, s_y, s_z)$ on a message M is given in step S600. The opener server 200 generates proof information $\tau$ by using the master opening key $mok = (\eta_1, \eta_2, \xi_1, \xi_2)$ as follows. The opener server 200 calculates $H(g^y)$ and $\tilde A$ through gy←D4(D1ξ
Subsequently, the opener server 200 efficiently searches the user registration list REG for a user index i satisfying H(gy)=H(gy
The signer information confirming unit 600 checks whether the following equation holds with respect to the signature σ=(D1, D2, D3, D4, c, sα, sβ, sγ, sδ, sx, sy, sz) for the given message M and the signer proof information (i, τ=(K12, c12, s1, s2), upk[i]=Zi=g3Z
(1) First, the signer information confirming unit 600 calculates:
c′12=H(σ,u,v,K12,us
and checks whether c′12=c12 holds.
(2) The signer information confirming unit 600 checks whether $e(D_3 K_{12}^{-1},\, X_{2,i} h_\theta) = e(g_1 Y_{1,i}^{-1} Z_{1,i}^{-1},\, \tilde h_1)$ holds. Here, $\tilde h_1$ is a value included in the current group public key, and $g_1$ is a value included in the initial group public key $gpk_0$. When all of the above equalities hold, the signer information confirming unit 600 outputs 1, indicating that they are valid; otherwise it outputs 0 in step S608.
When two message/signature pairs $(\sigma, M)$ and $(\sigma', M')$ are received in step S700, the linker server 300 calculates $B_1 = e(D_4, h_1)\,[e(D_1, U)\, e(D_2, V)]^{-1}$ and $B_2 = e(D_4', h_1)\,[e(D_1', U)\, e(D_2', V)]^{-1}$ by using the master linking key $mlk = (U, V)$, and then checks whether $B_1 = B_2$ holds in step S702. When the equation holds, the linker server 300 outputs 1, indicating that the two signatures are linked; otherwise it outputs 0 in step S704.
Alternatively, to reduce the computation, the single equation $e(D_4/D_4', h_1) = e(D_1/D_1', U)\, e(D_2/D_2', V)$ can be checked instead.
It is assumed that the sets of keys are revoked at every session and that sessions are distinguished by an index variable k, which is increased by 1 whenever a session changes. It is also assumed that an initial group public key $gpk_0 = (T, g_1, g_2, g_3)$ and a current group public key $gpk_{k-1} = (T, g_1', g_2', g_3')$ are given (where $T = (e, G_1, G_2, g, h_1, h_\theta, H, u, v, w_1, w_2, d_1, d_2)$).
In order to revoke given key values and update keys, first, the key issuer server 100 releases a revocation list RI={(T1,i=g11/(θ+x
(1) In order to update the group public key from $gpk_{k-1}$ to $gpk_k$, the key issuer server 100 calculates
The updated group public key is $gpk_k = (T, g_1'', g_2'', g_3'')$ in step S802.
(2) In order to update its signature key from $usk_{k-1}[i] = (\tilde A', x, y, z, A)$ to $usk_k[i]$, the user device 400 calculates:
The updated signature key corresponding to the current group public key $gpk_k = (T, g_1'', g_2'', g_3'')$ is $usk_k[i] = (\tilde A'', x, y, z, A)$ in step S804.
A key generation algorithm, an encryption algorithm and a decryption algorithm are defined as follows:
(1) Key generation algorithm: A first user generates an algebraic group $G_1$ of prime order p and two generators u, v of $G_1$. Then x and y are selected from $Z_p^*$, and $w_1 = u^x$ and $w_2 = v^y$ are calculated. Here, $G_1$ is written multiplicatively. The user publishes $(G_1, u, v, w_1, w_2)$ as the public key and securely stores the corresponding secret key (x, y) in step S900;
(2) Encryption algorithm: Given a message $M \in G_1$ and a public key $(G_1, u, v, w_1, w_2)$ (whose corresponding secret key is (x, y)), a and b are selected from $Z_p^*$, $C_1 = u^a$, $C_2 = v^b$ and $D_1 = M w_1^{a} w_2^{b}$ are calculated, and the ciphertext $(C_1, C_2, D_1)$ is output in step S902; and
(3) Decryption algorithm: To decrypt a given ciphertext $(C_1, C_2, D_1)$, $M = D_1 C_1^{-x} C_2^{-y}$ is calculated by using the secret key (x, y), which recovers the message in step S904.
A key generation algorithm, an encryption algorithm, and a decryption algorithm are defined as follows:
(1) Key generation algorithm: A first user generates an algebraic group $G_1$ of prime order p and two generators u, v of $G_1$. Then x and y are selected from $Z_p^*$, and W2i-1=u
(2) Encryption algorithm: Given a tuple of n messages $(M_1, \ldots, M_n)$ with $M_i \in G_1$, a and b are randomly selected from $Z_p^*$, $C_1 = u^a$, $C_2 = v^b$, and $D_1 = M_1 w_1^{a} w_2^{b}, \ldots, D_j = M_j w_{2j-1}^{a} w_{2j}^{b}, \ldots, D_n = M_n w_{2n-1}^{a} w_{2n}^{b}$ are calculated, and the ciphertext $(C_1, C_2, D_1, \ldots, D_n)$ is output in step S952; and
(3) Decryption algorithm: To decrypt a given ciphertext $(C_1, C_2, D_1, \ldots, D_n)$, Mj=DjC1−x
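The LCE scheme of steps S900 to S904 and its HLCE extension (encryption step S952), as an added Python example that is not code from the patent: n = 1 gives plain LCE and n > 1 gives HLCE, where one shared pair (a, b) encrypts all n slots under the 2n key components $w_{2j-1} = u^{x_j}$, $w_{2j} = v^{y_j}$. It uses a constructed toy prime-order subgroup of $Z_p^*$ (p = 2039, q = 1019), which only exercises the arithmetic; the page's security argument concerns bilinear groups where DDH is easy, and these parameters are far too small to be secure. The last function is a caveat for anyone deploying the scheme: the randomness (a, b) must be fresh for every ciphertext, because two ciphertexts sharing (a, b) reveal the quotient of their plaintexts without any key.

```python
import secrets

# Constructed toy group: q = 1019 and p = 2q + 1 = 2039 are prime, so the quadratic
# residues mod p form a cyclic subgroup G1 of prime order q. Illustration only.
P = 2039
Q = 1019


def random_element() -> int:
    """Random element of G1 other than 1; every such element generates G1."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)  # square a unit into the subgroup
        if g != 1:
            return g


def random_exponent() -> int:
    """Uniform element of Z_q^* (nonzero exponent)."""
    return secrets.randbelow(Q - 1) + 1


def inverse(x: int) -> int:
    """x^{q-1} = x^{-1} for x in the order-q subgroup."""
    return pow(x, Q - 1, P)


def keygen(n: int = 1):
    """HLCE key generation with n message slots (n = 1 is plain LCE).
    Public key (u, v, w_1..w_2n) with w_{2j-1} = u^{x_j}, w_{2j} = v^{y_j};
    secret key (x_1..x_n, y_1..y_n)."""
    u, v = random_element(), random_element()
    xs = [random_exponent() for _ in range(n)]
    ys = [random_exponent() for _ in range(n)]
    w = []
    for xj, yj in zip(xs, ys):
        w.append(pow(u, xj, P))  # w_{2j-1}
        w.append(pow(v, yj, P))  # w_{2j}
    return (u, v, w), (xs, ys)


def encrypt_with(pk, messages, a: int, b: int):
    """C1 = u^a, C2 = v^b, D_j = M_j * w_{2j-1}^a * w_{2j}^b with caller-supplied (a, b)."""
    u, v, w = pk
    if len(messages) != len(w) // 2:
        raise ValueError("message count must equal the number of key slots")
    for m in messages:
        if not 1 <= m < P or pow(m, Q, P) != 1:
            raise ValueError("every message must be an element of G1")
    c1, c2 = pow(u, a, P), pow(v, b, P)
    ds = [m * pow(w[2 * j], a, P) * pow(w[2 * j + 1], b, P) % P
          for j, m in enumerate(messages)]
    return (c1, c2, *ds)


def encrypt(pk, messages):
    """Normal use: fresh (a, b) from Z_q^* for every ciphertext."""
    return encrypt_with(pk, messages, random_exponent(), random_exponent())


def decrypt(sk, ct):
    """M_j = D_j * C1^{-x_j} * C2^{-y_j}; exponents are reduced mod the group order q."""
    xs, ys = sk
    c1, c2, *ds = ct
    return [dj * pow(c1, (-xj) % Q, P) * pow(c2, (-yj) % Q, P) % P
            for dj, xj, yj in zip(ds, xs, ys)]


def roundtrip(n: int) -> bool:
    """Encrypt n random group elements under a fresh key and check decryption."""
    pk, sk = keygen(n)
    msgs = [random_element() for _ in range(n)]
    return decrypt(sk, encrypt(pk, msgs)) == msgs


def randomness_reuse_leaks_quotient(pk, m1: int, m2: int, a: int, b: int) -> bool:
    """Caveat: if (a, b) is reused for two separate single-slot ciphertexts,
    D1 / D1' = M1 / M2 is computable from the ciphertexts alone (no key needed).
    Returns True when the leak is confirmed."""
    _, _, d1 = encrypt_with(pk, [m1], a, b)
    _, _, d1_prime = encrypt_with(pk, [m2], a, b)
    return d1 * inverse(d1_prime) % P == m1 * inverse(m2) % P
```

The decryption exponents are reduced modulo the group order rather than computed with Python's negative-exponent `pow`, so the code makes explicit that $C_1^{-x}$ means the inverse within $G_1$. The reuse check is the same observation that makes nonce reuse fatal in stream ciphers: the masking term $w_1^a w_2^b$ is identical across the two ciphertexts and cancels in the quotient.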
As described above, the present invention provides a method which is capable of protecting user privacy by using a group signature scheme that can control anonymity, including a controllable linkability, in various levels.
In accordance with the present invention, anonymity can be combined with various conditions and policies through a provided controllable linkability so as to be segmented.
Basically, the configuration provides all the functions and security characteristics of known group signature schemes. Namely, neither the signer nor any linkability information can be determined from a given signature value alone. However, when particular keys are given, namely, when a particular opening key is given, the signer can be identified, and when a particular linking key is given, the signature values of one signer can be checked to be linked to each other (namely, generated by one signer or one signing key).
In addition, the present invention provides a method for securely encrypting and decrypting a message in an algebraic group in which the decisional Diffie-Hellman (DH) problem is easy. Moreover, the present invention is applicable to various next-generation IT application fields such as anonymity-based web services, medical information protection, and cloud computing authentication, as well as to the fields where existing group signature schemes are used, such as anonymous authentication (VSC) for traffic networks and future Internet anonymous packet authentication.
Although the present invention has been described with respect to particular embodiments, various changes or modifications may be made without departing from the scope of the present invention. That is, although the present invention has been described with respect to a group signature scheme providing controllable linkability, a linear combination encryption scheme and a hybrid linear combination encryption scheme with reference to the illustrated drawings, it will be understood by those skilled in the art that various changes and modifications may be made.
While the invention has been shown and described with respect to the particular embodiments, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the scope of the invention as defined in the following claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2010-0096561 | Oct 2010 | KR | national |