Group signature schemes allow a member of group to sign a message on behalf of the group anonymously and in unlinkable passion. However, a designated group manager can easily identify the signer. The signer of a valid group signature is needed to be a member of the group. These features are important in some specialized applications. This scheme is to be used in electronic business transaction. The scheme needed to satisfy six properties to be secured. These are unforgeability, anonymity, unlinkability, no framing, traceability and coalition-resistant.
Mathematicians and computer scientist continues their studies to improve their proposed schemes. It is to satisfy the six properties with no doubt. Key words: group signature, unforgeability, unlinkability, no framing, traceability, coalition-resistant Group Signature Introduction The process, in which certain anonymity is needed to perform a task in spite of a collection of people or groups, is the based the concept of group signatures is born. Chaum and van Heyst first introduced this. The concept of group signature provides a member of group to sign certain messages anonymously and unlinkably on behalf of the whole group.
On the other hand, a designated group manager has power to unveil the identity of the signer in cases of dispute. A group signature is verified through a series of algorithm to ensure that the signer is a member of that certain group. However, the group’s structure is still concealed and the signer can only be identified if the necessity occurs. With this features, the group signature scheme have potential application. Such applications are needed in electronic transaction that needed to be signed. The anonymity of the signer is essential to prevent others to see organizational structure of the signatory group.
A group signature is needed to be secured to preserve the unlinkability and anonymity. A group signature scheme must satisfy the six properties. One is unforgeability. This is the property which ensures that only members of the group can sign on behalf of the group. This feature is necessary to make sure that invalid members or revoked members cannot sign on behalf of the group. This provides a way on which if there is dispute in a valid group signature, the group manager can easily find out who the signer is or it can be concluded that it is a member of the group when the message is signed. Number two is anonymity.
This feature assures the members of the group that the identification of the signer will be hard except to the group manger. This is one of the main features of group signature. It conceals the identity of the signer. Consequently, it conceals the organizational structure of the group. The third one is unlinkability. This is feature which tells that determining whether two valid signatures were generated by a common member will be hard. This feature is necessary to go with anonymity of the signer. Since if you can identify two valid signatures coming from single member then it will easy to identify the signer.
Number four is no framing. This is ensures that no member or the group manager can sign on behalf of other members. This is necessary to protect any member from a wrong identification when a dispute occurs. The fifth one is traceability. The traceability means that a group manager will be able to open a valid signature and determine the identity of member who signed it. It means that in a dispute, the group manager can easily identify the signer. Additionally, this property does not the possibility of not identifying the signer. The last one is coalition-resistant.
This means a subset of members of the group or even the whole group cannot generate a valid signature on which the group manger cannot link on one of the members of the subset group. This ensures that a certain valid group signature can always be associated with a single member of the group not with subset of the group. There are many studies which ensure that the six properties are satisfied. There are many proposals of which contains algorithm that is claimed to satisfy the six properties. There are some summaries of articles of proposals and advancement in group signature.
The reader would find these summaries of articles to contain dispute of other schemes. Security Remarks on a Group Signature Scheme with Member Deletion The Kim-Lim-Lee group signature scheme is scheme which claims to have a member deletion function, security and unlinkability. These claims are put into consideration because it is found to be unsecured and linkable. This will present some remarks which will prove the unsecurity and linkability of the Kim-Lim-Lee group signature scheme (Wang et al. , n. d. ). This scheme consists of different stages. These are system set up, join, delete, sign verify and open phases (Wang et al.
, n. d. ). The system set-up is done by the membership manager in which he sets parameters and compute for secret and public keys. At the same time, the revocation manager selects his secret key and then computes and publishes his own public key (Wang et al. , n. d. ). At the join stage, the user who wants to join the group need undergo an interactive protocol on which he is assigned to a generated membership key and given the public key. Additionally, current members of the group update their membership key (Wang et al. , n. d. ). The deletion stage happens when a member is voluntary or involuntary leaving the group.
The membership manger performs a series of algorithm and updates the group’s public key. He then computes fro the renewal public key. Here, the membership manager publishes the two new public keys. Then, every valid members of the group updates his secret property key (Wang et al. , n. d. ). In the sign stage, a member needed to sign some message. The member submits his membership key and his secret to generate the group signature (Wang et al. , n. d. ). The group signature generated in the sign stage is then subjected to verification. The verifier then uses a series of computation to verify the signature.
The verification will yield a result which indicates if a valid member of the group signed it or not (Wang et al. , n. d. ). In the case of dispute, the open protocol is done. The open protocol is done to trace the identity of the signer. Only the group manager can do this (Wang et al. , n. d. ). The process of which the Kim-Lim-Lee group signature scheme under is found to be unsecured. This is due to proven accounts its security parameters is lacking in some cases. It is proven the two parameters used in the scheme are not sufficient to ensure absolute security (Wang et al. , n. d. ).
The unlinkability claim of this scheme is also taken to account. The unlikability claim was proven wrong. The group signature scheme of Kim, Lim and Lee is prove to be linkable. It is proven that it easy to associate a given group signature to member of a group. This is due to invariance in the group signatures within time and even in all time periods. It means two signatures can be traced back to signer simple computational analysis (Wang et al. , n. d. ). A member deletion stage is then scrutinized by disproving the claim of which a deleted member cannot generate a valid group signature.
The problem with this is identified in the process of the updating the members secret key. It is said a deleted member can simply update his secret along with other valid members since he can compute for a member secret in a given time. At the same time, a new member can get a version of his secret membership in the past time when is not yet a member (Wang et al. , n. d. ). Thus, the security of the Kim-Lim-Lee group signature scheme is proven to unreliable and unsecured. It is needed to revised and improved to satisfy the needs for a good group signature scheme (Wang et al. , n. d. ).
An Efficient ID-Based Group Signature Scheme The ID-based signature scheme is proposed to be more efficient than other predecessors. The scheme is based on the process of the ID-based electronic signature. The identity-based signature uses publicly known identifier such as IP address, e-mail address and other identifiers. It is use to compute for public key component of the pair use for digital signatures, encryptions, and key agreement. The private key is computed by a trusted authority. This scheme is aimed to have better efficiency and to cope with large number of members in a group (Popescu, 2000, 29-35).
The identity based signature scheme is done in several phases. The set-up process is done by the trusted authority which leads to the extract phase in which the user provide the ID. The ID becomes the public key and the trusted authority returns a private key which is needed to make for the signing protocol (Popescu, 2000, 29-35). The verification of an identity based signature is done by inputting the message with the signature, the parameters and a public key ID. The verify stage outputs the validity of the signature (Popescu, 2000, 29-35). There is another type of ID-based signature which is from the pairings on elliptical curves.
This scheme is done to improve the efficiency of the ID-based signature processes. It is basically similar with the conventional one. However, the computations are different and more appropriate for large number of users (Popescu, 2000, 29-35). The scheme use in ID-based signature is put into the context of group signatures. The set-up procedures are similar with the ID-base signature but the group public key and the secret key is computed differently. Compared to other group signature schemes the set-up stage is done more efficiently (Popescu, 2000, 29-35).
In the join stage, the user sends the ID to the group manager and the group manager computes for the membership certificate and secretly sends it to the new member in a secure private channel. This process is more efficient since the stages were reduced. However, the security is still intact because of the process in the set-up stage that lessens the work at other stages (Popescu, 2000, 29-35). The signing stage makes use of the public and private key pair which was generated by the user himself. The pair key is use to compute and generate the group signature.
It is combined with a random number for it to be anonymous and unlinkable (Popescu, 2000, 29-35). The verify stage is split in the two parts. The first part is that it verifies if the signer is definitely a member of the group. If the signature generated by the group is valid and it is signed by a member of the group, the second stage commences. It is to verify that a member signed the group signature and not the group manager (Popescu, 2000, 29-35). The open stage is done when there is time that the signer needed to be identified. Like other schemes, the group manager can only do this.
This process is very easy for the group manager since the manager knows the identity of the user who is associated with the group signature. This is because in the join stage the bind between the user and the manager was forged (Popescu, 2000, 29-35). The ID-based group signature scheme keeps the security properties of a good group signature in tact. The identity based signature guarantees some the properties and the added processes in the group signature scheme made other necessary security measures (Popescu, 2000, 29-35). The ID-based group signature from elliptic curves was derived from the identity based signature scheme.
This scheme can handle a large number of members in a group without compromising the security and the efficiency of the process involved. However, the disadvantage is that the efficiency of the group signature is based on the efficiency of the identity based signature scheme it uses (Popescu, 2000, 29-35). Practical and Provably Secure Coalition-Resistant Group Signature Scheme Group signature concept is dual to the identity escrow which this scheme uses to create a coalition-resistant group signature scheme. The identity escrow can replace the membership certificate which other group signature uses.
The use of identity escrow in group signatures can be regarded as group-identification scheme with revocable anonymity. This is scheme is just the second coalition-resistant group signature scheme which is an improve version of the first (Ateniese et al. , 2000, 255-270). This group signature scheme differs to other scheme in the efficiency of the join process. The user needs not to send his secret to the group manager not like other conventional schemes. The feature of which the user sends secrets to the group manager is found to be susceptible to attacks.
This scheme eliminates such possibility and is proven to be coalition resistant even against adaptive adversaries (Ateniese et al. , 2000, 255-270). The model use by this scheme is somewhat similar to conventional group signature schemes. The group signature scheme undergoes several phases. These phases are the setup, join, sign, verify and in some cases open. Like the other group signature schemes every phase has algorithm need to be follow to ensure the properties to be intact (Ateniese et al. , 2000, 255-270). They only differ in the sign process as this scheme provides an interactive process between the signer and the verifier.
The process is derived by replacing the call of the user to the hash function to the call to the verifier. The interactive protocol between the user and the verifier gives way to a more secure group signature (Ateniese et al. , 2000, 255-270). This scheme was proposed to have two major advantages over other conventional group signature schemes. One is the join process is more efficient than other scheme. This is since the new member just needed to provide proofs of knowledge of discrete logarithms in contrast with other schemes which requires new members to prove that a number is a product of two primes.
The other advantage is that join process is more secure since it does not require the new member to send his membership secrets which is required in other schemes. Additionally, the property of being coalition resistant against adaptive is in fact an extra advantage (Ateniese et al. , 2000, 255-270). Generally, this scheme surpasses all other schemes created before it in terms of performance and security and it is proven to be coalition-resistant. It is because of the feature like spliting the group manager in two, a membership manager and a revocation manager (Ateniese et al.
, 2000, 255-270). Group Signature Scheme with Revocation A number of group signature schemes had been proposed. However, these schemes don’t consider a growing membership or shrinking membership as well. In the real world, a member of a group can join, voluntary or be expelled from the group in any time. This done by other proposed schemes by not issuing changes to public keys and re-issuing group memberships. Thus, Popescu, Noje, Bede and Mang from the University of Oradea proposed a group signature scheme with revocation (Popescu et al. , 2003).
There are other several group signature schemes that were proposed. However, these other proposed schemes lacked in efficiency and other others in security. There is a scheme which was proved to be efficient and secured but it requires time periods which any and all verifiers must know, thus requires more time in the verification stage (Popescu et al. , 2003). They proposed a group signature scheme in which every step or phase is different from other group signature schemes. It consists of different computational procedures (Popescu et al. , 2003).
In the setup procedure, the group manager needs to undergo several steps which will yield the public key P, the secret key S and a group membership certificate consisting of two integers X and ? satisfying a certain equation which relates the two integers (Popescu et al. , 2003). In the join stage, a user wants to join a group. The scheme requires a secure and private communication between the group manager and the user to protect the anonymity of the user. The user chooses an element from a set formed by the parameters set by the group manager.
From the chosen element the user will compute and send an ID which he needs to prove before he chooses a random number from a designated set. The group and the user computes and send computation results to each other until the user received his membership certificate. After this process, only the user knows his membership certificate and that the group manager only registers the ID of the user in the data base which was obtained in the first computation (Popescu et al. , 2003). The user is then allowed to sign to represent the whole group. At the signing process, the user can create a group signature inside a message by computation.
The computation starts with the computation with his membership certificate. The user is the only one who knows his membership certificate so he remains anonymous to others. The group signature is then sent to the verifier for verification (Popescu et al. , 2003). In the verification phase, the resulting signature inside a message is verified through a series of computations in which the check the proof of equality between the double discrete logarithm of F (a part of the signature) and the discrete logarithm of D’s representation base on the element of the set that the group manager defined in the setup process.
If it is equal the verifier concludes that the user who signed the group signature is a member of the group (Popescu et al. , 2003). When the time comes when it is needed to know who signs the message containing the group signature. He can do this by checking the correctness of the group signature. If it is incorrect, the group managers abort the process. Other wise, the group manager recovers a certain ID in the database and prove that the ID is relative to the D (a part of the group signature) (Popescu et al. , 2003).
When a member of the leaves the group the group performs a series of algorithm which will result to the publication of the revocation status of a user in the Certificate Revocation List which was assumed to be available at all times in a well-known public servers. The CRL is also assumed to be signed by the issuer, the group manager or other trusted party (Popescu et al. , 2003). In this scheme, there are strong considerations in the security as provided different calculations that ensure the impossibility of some scenarios that compromises the anonymity of the members of the group.
Furthermore, the cost of the revoke process is linear to the number of revoked members. Additionally, this scheme provides fixed signature size and constant work of the signers which makes it more practical than other group signature schemes. However, the opening process of this scheme can result to hundred of exponentiations per signature due to the proofs involving double discrete logarithms (Popescu et al. , 2003). Quasi-Efficient Revocation of Group Signatures This scheme is specified to address the inefficient and unsecured revocation methods use by other group signature scheme.
The security of a group signature is not met if it uses an inefficient way of revocation. Additionally, the quasi-efficient revocation methods provide a practical public keys and signatures (Ateniese et al, n. d. ). The importance of a good revocation method is seen in groups with shrinking number of members. The security of the group is compromised if the revocation process is not well established since a revoked member can still sign in spite of the group (Ateniese et al, n. d. ).
There are a number of group signature scheme which provides good revocation methods but they need to use synchronized clocks and the signature size is relative to the number of revoked members. The use of loosely synchronized clocks in revocation of membership needs to notify all existing members about the revocation. It modifies the membership certificate of all members and consequently, affects the size of group signature generated (Ateniese et al, n. d. ). This revocation method is made in line with the ACJT signature scheme.
The revocation methods can only be done by revising the backward unlinkability to unconditional unlinkability. However, the easiest way of revocation is reissuing of the membership certificates and regenerating the public key. This costs a lot of work to the group manager and the members since they have to repeat parts of the join process. Additionally, the verifiers need to be informed of the changes. However, there is a way to eliminate this inconvenience by generating public keys and membership certificates automatically.
This is will eliminate the interactive process between the manager and the members. On the other hand, it has impracticality in the process since it requires issuance of new certificates to existing members (Ateniese et al, n. d. ). The efficient way to overcome this problem is to avoid issuing new membership certificates in the event of revocation of a member. This is done in some scheme in which they use a Certificate Revocation List (CRL). However, the scheme’s group signature presented contains an encrypted version of the CRL. It is necessary to prevent the linking of the group signatures.
However, the problem is resolved here by including the latest CRL to the group public key in which the unlinkability is preserved (Ateniese et al, n. d. ). The efficiency of this scheme is measured by the size of the signature, the signer cost, verifier cost, CRL size, and the CRL issuance cause. This scheme had passed all requirements since it minimizes the size of the signature as it fixed, the cost of the signer is constant, the verifier costs is also constant, the CRL size is inevitably rising but it is minimize and the CRL issuance cost is also unavoidable, however it is the least significant (Ateniese et al, n. d. ).
The revocation method with the ACJT group signature scheme had been proven to be efficient and secured. This more practical than other group signature due to its features that fixes the size of the signature and requires constant work by signers. However, the ACJT group signature scheme requires the use of proofs-of-knowledge involving a double discrete logarithm (Ateniese et al, n. d. ). Conclusion These articles had proposed changes to other group signature schemes and some presented their own schemes.
Generally, these articles aim to the advancement of the concept of group signature in relation to efficiency. The articles above had proposed methods of how to satisfy six properties needed fro a secure group signature scheme. These schemes are still subjected to further research to optimize its efficiency without compromising its security. References Ateniese, G. , Camenisch, J. , Joye, M. , and Tsudik, G. (2000). A practical and provably secure coalition-resistant group signature scheme.
Advances in cryptography, CRYPTO, 1880, 255-270. Ateniese, G. , Song, D. , and Tsudik, G. (n. d. ). Quasi-efficient revocation of group signatures. The Johns Hopkins University & University of California. Popescu, C. (2002). An efficient ID-based group signature scheme. StudiaUniv. Babes-Bolyai, Informatica, 47, 29-35. Popescu,C. , Noje,D. , Bede, B. and Mang, Ioan. (2003). A group signature scheme with revocation. University of Oradea. (Popescu et al. , 2003) Wang, G. , Bao, F. , Zhou, J. , and Deng, R. H. (n. d. ). Security remarks on a group signature scheme with member deletion. Infocomm Security Department, Institute for Infocomm Research.