This application claims priority to and the benefit of Korean Patent Application No. 10-2011-0103670 filed in the Korean Intellectual Property Office on Oct. 11, 2011, the entire contents of which are incorporated herein by reference.
The present invention relates to a lightweight group signature system and method with short signatures, and more particularly, to a lightweight group signature system and method with short signatures, which can be effectively operated on a lightweight smart terminal.
A group signature mechanism, which is one of the very important cryptographic authentication mechanisms for protecting user's privacy, has been widely researched and has been considerably developed since the concept thereof is first proposed by Chaum and Heyst in 1991. Various security requirements, formal models, and detailed mechanisms have been proposed. Recently, a group signature mechanism providing controllable linkability by extending typical group signature mechanisms has been researched.
Typical authentication mechanisms, such as an ID/password authentication mechanism, a real-name based PKI authentication mechanism, and an i-Pin mechanism, and the like, have many disadvantages, such as personal information exposure due to a registration and identification process of personal information, leakage due to excessive personal information collection and management carelessness of a service provider, a wide range of activity trace, and the like. As a result, a group signature mechanism providing controllable linkability as an effective anonymous authentication mechanism that can replace the above-mentioned mechanisms has been actively researched recently.
The group signature mechanism providing controllable linkability additionally has controllable linkability capable of identifying that group signatures are linked with each other (that is, the group signatures are generated by one signer or a signer key) when a special linking key is provided, by extending the typical group signature mechanisms simply handling anonymity using a dichotomical structure that conceals/recovers identity information or ID of a signer. Therefore, the anonymity can be controlled to various levels according to the desired policy.
Using the characteristics, a service provider can obtain user related effective information from various anonymity based services, for example, web based personalized anonymous authentication service or in the case of data mining, anonymous authentication data, while maintaining anonymity of identity information.
Existing group signature mechanisms providing various security characteristics such as the known controllable linkability, and the like, cannot be widely adopted in various application environments due to structural complexity. Currently, user storage costs and operation costs are very cheap. Therefore, costs of resources for designing the system greatly depends on communication costs and therefore, the group signature mechanism providing controllable linkability with short signatures is urgently required in low resource application environments such as a radio Internet based service market.
Recently, application mechanisms for enhancing privacy protection by performing anonymous authentication between the smart terminals by using short range communication environment, and the like, have been researched and developed.
As an example, a method for transmitting information using multi-dimensional codes such as a QR code has been greatly interested as one method of short range communications. A device with a built-in camera capable of recognizing the multi-dimensional code can obtain information through the multi-dimensional codes any time and therefore, the user can process information using the corresponding devices without separate communication networks (thus, without charging communication costs). The method for recognizing multi-dimensional codes through a camera is performed by a contactless type and therefore, does not require devices such as a separate connection cable, and the like.
In order to solve the above problems, the present inventors have developed the lightweight group signature mechanism, and the like, that is excellent in terms of performance, in particular, outputs short signatures and has the excellent security characteristics while providing excellent operation efficiency at the time of signature generation and signature verification on the smart terminals.
The present invention has been made in an effort to provide a lightweight group signature system and method with short signatures capable of providing excellent operation efficiency at the time of signature generation, signature verification, and revocation on smart terminals while providing security characteristics similar to group signature mechanisms providing the existing known controllable linkability but outputting the short signatures.
An exemplary embodiment of the present invention provides a lightweight group signature system with short signatures, may include: a signature control unit configured to generate a group public key, issue a signature key to a user device, store the signature key in a signature key management list, and update related information including the signature key management list when validity of a join request generated from the user device is verified, identify whether two signatures are linked and manage a revocation list to perform revocation and generate a signer identification proof when a valid signature is; a user device configured to generate a signature using a signature key issued from the signature control unit; a signature verifying unit configured to verify a signature generated from the user device; signer identification proof evaluating unit configured to evaluate the validity of the signer identification proof generated from the signature control unit.
The signature control unit may include: a key issuing unit configured to generate a group public key, a master issuing key, a master opening key, and a master linking key based thereon, issue the signature key to the user device when a join of the user device is requested, and manage a revocation list so as to be used to update the signature key when the revocation of the issued signature key is performed; a signer identifying unit configured to identify the validity of a signature key generating a signature and generate the signer identification proof by using the master opening key when the valid signature is given; and a signature linking unit configured to identify whether two signatures are linked with each other by using the master linking key when two valid signatures are present.
The key issuing unit may provide the generated group public key to all the participants including the user device.
The key issuing unit may define the master issuing key by using (algebraic) bilinear groups and a bilinear map associated with the bilinear groups.
The key issuing unit may verify the validity of a join request message when receiving the join request message from the user device to be registered in the lightweight group signature system and then, issues the signature key to the user device.
The join request message may include personal key ownership verification information and verification information related to key issuance.
A security channel for authentication may be formed between the key issuing unit and the user device.
The key issuing unit may change a session at the time of generating a revocation list of issued signature keys and make public the revocation list to be used to update the group public key and a user secret key.
The signer identifying unit may output a proof identifying who is a signer by using the master opening key when the valid signature is given.
Another exemplary embodiment of the present invention provides a lightweight group signature method, including: generating a group public key and generating a master secret key, a master opening key, and a master linking key based thereon; verifying the validity of user information after receiving user information required to join a signature group from a user device when a join is requested from the user device, issuing a signature key by using the master secret key when the verification is valid, and generating the signature; and searching registration information including a public key of the user device, calculating validity of the signature by using the master opening key, the signature, and related information, and determining whether revocation of the signature is performed according to whether the calculating results are present in the revocation list.
The generating of the signature may further include: verifying the validity of the join request message by receiving a join request message from the user device; receiving a signature for the join request message of which the validity is verified from the user device; generating a secret signature key corresponding to a group public key in the user device by verifying the validity of the signature and registering the user device; and providing the generated group public key to the user device registered in the group signature system.
The determining whether the revocation of the signature is performed may further include identifying whether two signatures are linked with each other by using the master linking key when two valid signatures are given.
The determining whether the revocation of the signature is performed may further include providing the identifying result of the revocation to the user device when the revocation identification for the given signature is requested
The master issuing key may be defined by using bilinear groups, a bilinear map associated with the bilinear groups, and a hash function.
The join request message may include a personal key ownership verification information.
The lightweight group signature system and method with short signatures according to the exemplary embodiments of the present invention can make the revocation method simple and can be widely applied to various anonymity-based application environments such as the multi-dimensional code based authentication, and the like, by providing the excellent operation efficiency at the time of the signature generation and verification and outputting the very short signature length.
The lightweight group signature system and method with short signatures according to the exemplary embodiments of the present invention can provide unforgeability, traceability, non-frameability, controllable anonymity, and controllable linkability to systemically control the degree of anonymity.
The lightweight group signature system and method with short signatures according to the exemplary embodiments of the present invention can be used for applications to which the existing group signature mechanisms, such as anonymous authentication for traffic network, future Internet anonymous packet authentication, and the like, are applied, and various next-generation IT applications such as anonymous based web services, medical information security, cloud computing authentication, and the like, and can be used on the smart terminals.
The foregoing summary is illustrative only and is not intended to be in any way limiting. In addition to the illustrative aspects, embodiments, and features described above, further aspects, embodiments, and features will become apparent by reference to the drawings and the following detailed description.
It should be understood that the appended drawings are not necessarily to scale, presenting a somewhat simplified representation of various features illustrative of the basic principles of the invention. The specific design features of the present invention as disclosed herein, including, for example, specific dimensions, orientations, locations, and shapes will be determined in part by the particular intended application and use environment.
In the figures, reference numbers refer to the same or equivalent parts of the present invention throughout the several figures of the drawing.
Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings. First of all, we should note that in giving reference numerals to elements of each drawing, like reference numerals refer to like elements even though like elements are shown in different drawings. In describing the present invention, well-known functions or constructions will not be described in detail since they may unnecessarily obscure the understanding of the present invention, and terms described in the singular form may include a plural concept. Hereinafter, exemplary embodiments of the present invention will be described, but the spirit of the present invention is not limited thereto and may be changed and modified in various ways by those skilled in the art.
Referring to
The key issuing unit 110 initially generates the group public key as a trusted subject and generates a master issuing key (mik), a master opening key (mok), and a master linking key (mlk) corresponding thereto.
The key issuing unit 110 performs an interactive protocol when receiving a join request from a new user device 140 and then, issues a signature key to the user device.
The signer identifying unit 120 updates related information including a revocation list when a revocation phenomenon occurs. If the signer identifying unit 120 identifies whether revocation is performed, by using the updated revocation list and the master opening key when the revocation identification request is received from the signature verifying unit 150 and then, returns the identified results to the signature verifying unit 150.
The signer identifying unit 120 uses the master opening key to output the verification information for identifying a signer when a valid signature is given. Anyone can publicly identify the output verification information.
The signature linking unit 100 can identify a linking relationship of two signatures by using the master linking key when two valid signatures are given. That is, it can be appreciated whether a single signer generates two signatures.
The user device 140 may be joined in a member of a valid group to receive a signature key from the key issuing unit 110. In this case, the user device 140 and the key issuing unit 110 perform an interactive protocol.
Thereafter, the user device 140 generates a group signature for a given message by using an issued signature key. The signature verifying unit 150 identifies validity of a signature for the given signature. The signer identification proof evaluating unit 160 evaluates the validity of the signer identification proof generated from the signer identifying unit 120.
The key issuing unit 110 defines a group public key (gpk) and makes public the defined group public key to components of the lightweight group signature system and all the systems linked with the lightweight group signature system.
Hereinafter, referring to
Initially, the key issuing unit 110 receives a security parameter k as an input to generate bilinear groups G1 and G2, a bilinear map e:G1×G2→GT coupled therewith, and a hash function H:{0,1}→Zp′. Here, the number of groups is set to be a decimal p. The key issuing unit 110 performs the followings so as to generate parameters for generating the keys according to each group signature mechanism.
Elements h1ε G2 and g, g1, g2, u ε G1 and θεZp* and η, ξεZp* are selected uniformly at random. After hθ=h1θ, w=uη, d=uξ is calculated, mik=θ is defined as the master issuing key, mok=(η, ξ) is defined as the master opening key, and mlk=L=h1ξ is defined as the master linking key, respectively (S200).
The key issuing unit 110 transfers the master opening key mok=(η, ξ) to an identifier server and transfers the master linking key mlk=L=h1ξ to a linker unit 130 (S202).
The key issuing unit 110 generates an initial group public key gpk=(e, G1, G2, GT, g, g1, g2, h1, he, H, u, w, d) and make the generated key public (S204).
Hereinafter, the process of generating the signature key of the key issuing unit 110 according to the exemplary embodiment of the present invention will be described in detail with reference to
The user device 140 and the key issuing unit 110 interactively perform the following operations according to the group signature mechanism to be used. Authentication and security channels are formed between the user device 140 and the key issuing unit 110 that are two participants.
The user device 140 selects secret value ziεZp* and generates its own public key Ci=wZ
The key issuing unit 110 verifies that the user IDi knows zi=logwCi by using POP(w, Ci) and also verifies loguYi=logwCi by using zero-knowledge verification of knowledge ZK-Eq(u, Zi=uZ
The user device 140 verifies the validity of (Ai, xi, yi) and stores a secret key usk[i]=(Ai, xi, yi, zi) of a group member (S304).
The key issuing unit 110 additionally registers registration information REGi=[gy
The methods may support a simultaneous join when using a non-interactive zero-knowledge verification of knowledge.
Hereinafter, a process of generating the group signature by the valid user device according to the exemplary embodiment of the present invention will be described in detail with reference to
The user device 140 receives the given group public key (gpk), a user secret signature key usk[i]=(A, x, z, y) corresponding to the group public key, and a message M (S400). Then, the user device 140 generates a signature a for the input as follows.
The user device 140 selects any random number α←Zp and calculates γ=αx-z (modp), D1←uα, D2←Awα, and D3←gydα. The user device 140 selects a plurality of any random numbers rα, rx, rγ, ry←Zp and calculates R1←ur
The user device 140 calculates c=H(M, D1, D2, D3, R1, R2, R3) by using the hash function H and calculates sα=rα+cα(modp), sx=rx+cx(modp), sγ=rγ+cγ(modp), and sy=ry+cy(modp) (S402). Then, the user device 140 outputs σ=(D1, D2, D3, c, sα, sx, sγ, sy) as a signature (S404).
Hereinafter, a process of verifying the signature verifying unit 150 according to the exemplary embodiment of the present invention will be described in detail with reference to
It is assumed that the signature for the message M is previously generated (S500). The signature verifying unit 150 for the given signature calculates R1←us
Hereinafter, a process of verifying the validity of the verification information by the signer identification proof evaluating unit 160 according to the exemplary embodiment of the present invention will be described in detail with reference to
It is assumed that a valid signature σ=(D1, D2, D3, c, sα, sx, sγ, sy) for the message M is previously given (S600). The signer identifying unit 120 generates the verification information τ by using the master opening key mok=(η, ξ) as follows.
The signer identifying unit 120 calculates LI=D3D1−ξ=gyuξα·(uα)−ξ=g
Then, the signer identifying unit 120 searches a user index i and information REGi=[gy
The signer identification proof evaluating unit 160 evaluates if the valid signature σ=(D1, D2, D3, c, sα, sx, sγ, sy) for the given message M, the signer identification proof upk[i]=Ci=wz
(1) The signer identification proof evaluating unit 160 calculates W1=us
If both of the Equations (1) and (2) are established, the signer identification proof evaluating unit 160 outputs 1 representing the validity. If not, 0 is output (S608).
Hereinafter, a process of identifying on the linking of group signatures of two group signatures according to the exemplary embodiment of the present invention will be described in detail with reference to
The signature linking unit 130 receives the given massage-signature pair (σ, M) and (σ′, M′) (S700) and calculates two linking indexes LI and LI′ as follows by using the master linking key mlk=L=h1ξ (S702). Here, it is assumed that σ=(D1, D2, D3, . . . ) and σ′=(D1′, D2′, D3′, . . . ) and LI=e(D3, h1)e(D1, L)=e(gy, h1) and LI′=e(D3′, h1)e(D1′, L)=c(gy′, h1). The signature linking unit 130 outputs 1 when LI=LI′ and if not, outputs 0 (S704).
Hereinafter, the process of outputting processed results at the time of receiving the revocation identification request by the signer identifying unit 120 will be described in detail with reference to
The valid signature σ=(D1, D2, D3, c, sα, sx, sγ, sy) for the message M is previously given as an input (S800). The signer identifying unit 120 identifies whether the revocation of the key generating the signature given as follows is performed by using the master opening key mok=(η, ξ).
The signer identifying unit 120 calculates LI=D3D1−ξ=gyuξα·(uα)−ξ=g
As described above, the exemplary embodiments have been described and illustrated in the drawings and the specification. The exemplary embodiments were chosen and described in order to explain certain principles of the invention and their practical application, to thereby enable others skilled in the art to make and utilize various exemplary embodiments of the present invention, as well as various alternatives and modifications thereof. As is evident from the foregoing description, certain aspects of the present invention are not limited by the particular details of the examples illustrated herein, and it is therefore contemplated that other modifications and applications, or equivalents thereof, will occur to those skilled in the art. Many changes, modifications, variations and other uses and applications of the present construction will, however, become apparent to those skilled in the art after considering the specification and the accompanying drawings. All such changes, modifications, variations and other uses and applications which do not depart from the spirit and scope of the invention are deemed to be covered by the invention which is limited only by the claims which follow.
Number | Date | Country | Kind |
---|---|---|---|
10-2011-0103670 | Oct 2011 | KR | national |
Number | Name | Date | Kind |
---|---|---|---|
6295359 | Cordery et al. | Sep 2001 | B1 |
7844614 | Brickell et al. | Nov 2010 | B2 |
7945044 | Sorniotti et al. | May 2011 | B2 |
7995762 | Teranishi et al. | Aug 2011 | B2 |
8078876 | Brickell et al. | Dec 2011 | B2 |
8094810 | Hohenberger et al. | Jan 2012 | B2 |
8127140 | Teranishi | Feb 2012 | B2 |
8213609 | Kusakawa et al. | Jul 2012 | B2 |
8225098 | Chen | Jul 2012 | B2 |
8245047 | Zaccone et al. | Aug 2012 | B2 |
8356181 | Brickell et al. | Jan 2013 | B2 |
8499149 | Chen | Jul 2013 | B2 |
8499158 | Lee et al. | Jul 2013 | B2 |
8572385 | Papamanthou et al. | Oct 2013 | B2 |
8645690 | Lee et al. | Feb 2014 | B2 |
8762729 | Hwang et al. | Jun 2014 | B2 |
20040111607 | Yellepeddy | Jun 2004 | A1 |
20050097336 | Canard et al. | May 2005 | A1 |
20050169461 | Canard et al. | Aug 2005 | A1 |
20080152130 | Teranishi | Jun 2008 | A1 |
20080244276 | Prouff et al. | Oct 2008 | A1 |
20090089575 | Yonezawa et al. | Apr 2009 | A1 |
20090210705 | Chen | Aug 2009 | A1 |
20090222668 | Zaccone et al. | Sep 2009 | A1 |
20100174911 | Isshiki | Jul 2010 | A1 |
20100250951 | Ueno et al. | Sep 2010 | A1 |
20110154045 | Lee et al. | Jun 2011 | A1 |
20120084567 | Hwang et al. | Apr 2012 | A1 |
20120159166 | Lee et al. | Jun 2012 | A1 |
Entry |
---|
Dan Boneh et al., “Short Group Signatures”, CRYPTO 2004, 2004, pp. 1-20. |
Number | Date | Country | |
---|---|---|---|
20130091360 A1 | Apr 2013 | US |