
Performance evaluation of Group Signature schemes in Vehicular Communication: A feasibility study for Vehicular Communication


Academic year: 2021


Performance evaluation of Group Signature schemes

A feasibility study for Vehicular Communication

VIVEK AGRAWAL

Master’s Degree Project

Stockholm, Sweden December 27, 2012

Abstract

The aim of this work is to show the effectiveness of techniques that allow a user to maintain privacy and anonymity while participating in real-world scenarios. Users need to communicate with each other in many situations in order to share information. This creates the danger of the user’s privacy being breached, and it can discourage users from taking an active part in any information-sharing task. There are many real scenarios or applications where users want to remain anonymous while having their communication secured. This is so in vehicular communication systems.

Group signatures are versatile cryptographic tools that are suitable when we need security and privacy protection. A group signature scheme allows members of a group to sign messages on behalf of the group. Any receiver can verify the message validity but cannot discover the identity of the sender from the signed message or link two or more messages from the same signer. However, the identity of the signer can be discovered by an authority using a signed message. For this reason, Group Signature schemes were proposed in the context of vehicular communication systems. In this context, communication and computation overheads are critical. Thus, the focus of this thesis is to implement and compare different group signature schemes in terms of the overhead introduced by processing cost, and to analytically evaluate their suitability for vehicular communication scenarios.

Keywords: Anonymity, computation overheads, Group Signature, Privacy, Processing cost, Vehicular communication.

Acknowledgements

First, I would like to express my gratitude to my supervisor Prof. Panos Papadimitratos for his research enthusiasm and inspiration, as well as the considerate encouragement and support. He helped me to set up the master’s research topic and offered tremendous assistance on how to write papers.

I would especially like to acknowledge Mr. Subhajit Karmakar for his continuous support and motivation. He provided me with advice and help in almost every matter of my life, and it helped me to deal with all sorts of academic issues.

I also would like to thank my friends Chaitanya Pinnaka, Jibin Jacob, Akshay Rasiwasia and Abdullah al Ahad for helping me in my thesis research. We had many valuable and constructive discussions on the thesis topic and other related areas. I also would like to thank all the other friends who helped me in all aspects of my study during the two years of my master’s program and made my academic life fruitful.

I would like to express my heart-felt gratitude to my family. None of this would have been possible without the love and patience of my family. My family has been a constant source of love, concern, support and strength all these years.

Contents

Acronyms
1 Introduction
1.1 Related work
1.2 Thesis Outline and Contribution
2 Group Signature
2.1 Entities in Group Signature
2.2 Applications
2.3 Phases
2.4 Properties
2.5 Background
3 Group Signature Schemes
3.1 ACJT SCHEME
3.1.1 Notations
3.1.2 Security parameters
3.1.3 Phases
3.2 CG SCHEME
3.2.1 Notations
3.2.2 Security parameters
3.2.3 Phases
3.3 BBS SCHEME
3.3.1 Notations
3.3.2 Security parameters
3.3.3 Phases
3.4 BS SCHEME
3.4.1 Notations
3.4.2 Security parameters
3.4.3 Phases
4 Performance Evaluation
4.1 Group Signature phases
4.1.1 SETUP
4.1.2 JOIN
4.1.3 SIGN
4.1.4 VERIFY
4.1.5 OPEN
4.1.6 REVOKE
5 Group Signature in Vehicular communication
5.1 Overview of Vehicular communication
5.2 Secure Communication
5.3 Computational overhead
5.4 Processing Overhead
5.5 Revocation
6 Discussion and Future Work
Bibliography

List of Figures

1.1 Schematic Representation of a Vehicular Network
2.1 Entities in Group Signature scheme
4.1 Variation of execution time (ms) with the number of members in Boneh, Boyen, Shacham (BBS) in SETUP at 80 bits of security level; mean of 150 measurements with 95% confidence interval
4.2 Variation of execution time (ms) with the number of members in Boneh, Shacham (BS) in SETUP at 80 bits of security level; mean of 150 measurements with 95% confidence interval
4.3 Length of group public key in bits for different schemes at 80 bits of security level; mean of 150 measurements
4.4 Length of group public key in bits for different schemes at 128 bits of security level; mean of 150 measurements
4.5 Variation of group public key size with the number of members in BBS in SETUP; mean of 150 measurements with 95% confidence interval
4.6 Variation of group public key size with the number of members in BS in SETUP; mean of 150 measurements with 95% confidence interval
4.7 Time taken by Group Manager to complete JOIN phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.8 Time taken by Group Member to complete JOIN phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.9 Time taken by Group Manager to complete JOIN phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.10 Time taken by Group Member to complete JOIN phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.11 Execution time (ms) of JOIN phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.12 Execution time (ms) of JOIN phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.13 Execution time (ms) of SIGN phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.14 Size of Group signature in bytes for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.15 Execution time (ms) of SIGN phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.16 Size of Group signature in bytes for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.17 Execution time (ms) of Verify phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.18 Execution time (ms) of Verify phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.19 Execution time (ms) of OPEN phase for security level of t=80 bits; mean of 15000 measurements with 95% confidence interval
4.20 Execution time (ms) of OPEN phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
4.21 Execution time (ms) of REVOKE phase for security level of t=80 bits; mean of 150 measurements with 95% confidence interval
4.22 Execution time (ms) of REVOKE phase for security level of t=128 bits; mean of 150 measurements with 95% confidence interval
5.1 Communication scenario of VC using Group signature scheme
5.2 Traffic arrival rate as a function of N at α = 10, β = 0, τ = 60 for SHORT messages in Hybrid Pseudonym (HP) scheme
5.3 Message verification delay for SHORT messages for security level of t=80 bits as a function of N at values α = 10, β = 0, τ = 60

List of Tables

3.1 Notation and its meaning in Ateniese, Camenisch, Joye, Tsudik (ACJT) scheme
3.2 Notation and values of Security parameters [19, 30]
3.3 Inter dependency of Security parameters
3.4 Internal Ranges in ACJT
3.5 Notation and its meaning (Camenisch, Groth (CG))
3.6 Notation and values of Security parameters [19]
3.7 Constraints on Security parameters
3.8 Notation and its meaning in BBS scheme
3.9 Notation and values of Security parameters
3.10 Notation and its meaning in BS scheme
3.11 Notation and values of Security parameters
4.1 Details of system configuration
4.2 Details of library used in different schemes [8, 44]
4.3 This table shows the components/phases that are already implemented by other authors and those that are implemented in this thesis work
4.4 Processing cost of SETUP phase of ACJT and CG schemes as measured in milliseconds. Given values are the mean value generated from 150 measurements
4.5 Analytical calculation of length of Group public key of ACJT, CG, BBS and BS scheme
4.6 Error percentage in the size of gpk
4.7 Analytical Calculation of the length of a Group signature for the ACJT, CG, BBS and BS schemes
4.8 Error percentage in size of Group Signature
5.1 System parameters and values assigned for the evaluation [9]
5.2 Computation cost of SHORT packets using Elliptic Curve Digital Signature Algorithm (EC-DSA) at 96 bits and 128 bits security level
5.3 Processing delay in (ms) for different packet types
5.4 Notation and meaning of variables in average waiting time
5.5 Maximum number of verifiable packets per γ⁻¹ s for γ = 10 and γ = 3.33
5.6 Notation and meaning of variables in arrival time
5.7 Maximum number of packets a node can verify using different schemes and size of neighborhood for the corresponding message threshold values
5.8 Notation and their values
5.9 Indicative values for revocation cost, Revocation List (RL) size and memory requirement as a function of R
5.10 Maximum number of messages that can be verified per second by a node and maximum size of neighborhood which is allowed in different processing acceleration scenarios

Acronyms

ACJT: Ateniese, Camenisch, Joye, Tsudik
BBS: Boneh, Boyen, Shacham
BP: Baseline Pseudonym
BS: Boneh, Shacham
CG: Camenisch, Groth
DDH: Decisional Diffie-Hellman
DSRC: Dedicated Short Range Communications
EC-DSA: Elliptic Curve Digital Signature Algorithm
GM: Group Manager
gmsk: Group Manager’s Secret Key
gpk: Group Public Key
GS: Group Signature
gsk: Group Member Private Key
HP: Hybrid Pseudonym
ITS: Intelligent Transportation System
OBU: On Board Unit
RA: Revocation Authority
RL: Revocation List
RSA: Rivest, Shamir, Adleman
SEVECOM: Secure Vehicular Communication
V2I: Vehicle to Infrastructure
V2V: Vehicle to Vehicle
VC: Vehicular Communication
VSC: Vehicle Safety Communications
VANET: Vehicular ad-hoc network

1 Introduction

The history of transportation is as old as the history of mankind. People used animals in order to draw goods and travel. With the growth in trade and commerce, people started using water as a common medium of transportation, and finally it took the sophisticated shape of train, bus, and car. In the last two centuries, almost every part of the world has experienced a population outburst and an increase in motorization and urbanization. Industrial growth caused a large share of the population to move from rural areas to urban areas, and this caused an uneven distribution of population. This gave rise to traffic congestion, air pollution and a rise in road accidents. According to the ’World report on road Traffic injury prevention’, an estimated 1.2 million people are killed in road crashes each year and as many as 50 million are injured [45]. The report suggested that proper implementation of engineering measures can prevent these road accidents by a remarkable figure. For example, fatalities can be reduced by 25% by lowering the average speed of a vehicle by 5 km/hour in the Western Europe region [22].

The above-mentioned problems and the strict requirement of safety paved the way to integrate modern technologies in transportation [38]. If vehicles can communicate directly with each other and with infrastructure (beaconing their status in the form of position, speed, and direction), then this can be an entirely new paradigm for modern transportation systems [24]. This was the foundation of Vehicular Communication (VC), or the Intelligent Transportation System (ITS). The main motivation for vehicular communication systems is safety and eliminating the excessive cost of traffic collisions. Such a system comprises network nodes, i.e. vehicles and road side infrastructure units (RSU), equipped with on-board sensory, processing and wireless communication modules. Vehicular networks can support both Vehicle to Vehicle (V2V) and Vehicle to Infrastructure (V2I) communications. They can enable a wide range of applications to improve on-the-road safety, transport efficiency and infotainment (information/entertainment) [21]. Safety applications can send warnings, for instance about road accidents or about road conditions in case of heavy snowfall (see Figure 1.1). Efficiency-related applications can collect traffic status data from different areas and help in improving traffic flow, reducing travel times, and regulating pollution emission from vehicles. Non-safety applications can provide useful tourist information [37]. Each unit of the vehicular network generates several messages and transmits them to other entities. These messages can provide information about the location of a car, details of any traffic congestion and road blockage nearby, etc.

The features and operation of VC can be exploited by an adversary to create potential damage in the system [33]. This damage can pose a serious threat to the safety and efficiency of vehicles. An adversary can be either active or passive, based on the nature of the attack it mounts. An adversary can become a part of the network itself and mount more sophisticated attacks, as it may possess some extra authorization from being a part of the network. In that case, an adversary can tamper with the in-transit messages it relays. It is possible for it to learn the vehicular communication protocol (from message history) and forge a message in such a way that it is compliant with the protocol but contains false information. It can also jam communication by disabling other devices in the network. It can capture in-transit messages and analyze them to get significant information in order to inject an attack into the system. An adversary can modify the content of a message and transmit wrong information in the network. It can also collect vehicles’ messages to track the location of moving cars and infer sensitive user data. The primary task is to safeguard sensitive private information of the user, and we are interested in anonymity for different phenomena (messages and transactions) of the vehicles [34]. On the other hand, in case of any dispute such as a car accident or a crime, the authorities must have the capability to trace the concerned car and reveal its identity. This feature is also known as conditional anonymity [36].

Group signatures (ACJT, BBS, CG, BS) [2, 6, 7, 12] address the issue of privacy by ensuring anonymity for all valid group members in a specific group. A group consists of a Group Manager and Group Members, where group members can produce a Group Signature on a message M using the group public key and the individual’s secret key. A verifier can verify the signature and extract useful information from the message (related to traffic conditions, safety, etc.) without finding the actual identity of the signer. In case of any accident, fraud, or dispute, a signature can be opened by the Manager using its secret key to trace the actual signer. In the context of vehicular communication systems, Group signatures provide another significant feature, i.e. scalability. Any vehicle can join or leave the group at any point in time by interacting with the Manager. Vehicles do not need to maintain the public keys of all the vehicles/users on the road to interact with each other and instead maintain the group public key. This feature of group signatures helps to reduce the number of keys that have to be generated and maintained in the system. One very important issue related to the implementation of Group signature schemes in vehicular communication is performance [10, 32]. Vehicles cannot be equipped with sophisticated computational processors, given the cost constraints of manufacturing any vehicle. Group signature schemes involve many cryptographic phases, and this can create substantial computational overhead in the network. The factors that affect performance are the computational security overhead of member registration, generation of signatures, verification of received signatures and exclusion of any member from the group. In some cases of dispute, it includes the computation overhead of tracing the identity of a signer using a signature [46].

Figure 1.1: Schematic Representation of a Vehicular Network

This study measures the performance (processing cost) of different phases of four different Group signature schemes. The initial phase of this work started with a study of the different properties of group signature schemes. There are some standard properties and requirements of a Group Signature (GS), and they must be followed by all schemes in any circumstances. The later phase consists of the selection of four different GS schemes in order to measure their performance. The performance is measured in terms of processing cost, and it provides the details of the overhead of each process of the scheme. The final phase includes the selection of an analytical model to calculate the average number of packets that can arrive at each node for verification. The arrival rate of packets depends upon the neighborhood size and a few other traffic-related parameters. The outcome of the final phase helps to analyze the application of group signature schemes in a real-world scenario of secure vehicular communication where there is a large number of dynamic nodes.

1.1 Related work

The IEEE 802.11p task group amended the IEEE 802.11 standard to enable the 802.11 protocols to support wireless data communication between vehicles and road side units. The newly approved standard 802.11p specifies physical and medium access control protocols designed with highly dynamic and practical scenarios in mind [1, 38].

The study in [33] discussed general security issues such as the adversary model, security requirements, and the communication model. This paper describes all the general and specific issues which provide a solid basis for the development of future vehicular security schemes. There are some mechanisms discussed in [20, 23, 42] to address security-related issues in vehicular communication. Authors in [27] added some other significant aspects to the threat model and security requirements of vehicular communication. They proposed the Group Signature Based protocol. Using this protocol, each vehicle stores its private key and a group public key. A vehicle can sign messages on behalf of the group using the group signature scheme without revealing any identity information to the public. However, the time for safety message verification grows linearly with the number of revoked vehicles in the revocation list in the entire network. Hence, each vehicle has to spend additional time on safety message verification. Furthermore, when the number of revoked vehicles in the revocation list is larger than some threshold value, the protocol requires every remaining vehicle to calculate a new private key and group public key based on the exhaustive list of revoked vehicles whenever a vehicle is revoked. They do not explore solutions to effectively update the system parameters in a timely, reliable and scalable fashion. This issue is not explored and represents an important obstacle to the success of this scheme [47].

Studies in [4, 10, 41, 46] discussed the importance of anonymity and security in the field of vehicular communication. Authors have also suggested ways to improve anonymity by different means, e.g. Group Signatures and pseudonyms. Authors in [42] suggested a solution to ensure the privacy and anonymity of vehicle owners. They introduced anonymous public keys that do not contain any publicly known relationship with the true identity of the key holders. The main problem of this technique is that an attacker can trace the identity of a user by logging the messages (containing the given key) for a certain period of time. It is therefore required to change the public key frequently so that an attacker cannot relate a particular public key to a user for a longer period. Authors suggested that a vehicle must change its anonymous public key within an interval of one minute to avoid being tracked. If a vehicle travels 3 hours per day, then the number of keys required to be generated and exchanged in the network is 65700, which is equal to 32 Megabytes. The storage and maintenance of a large set of keys and certificates in a system is a critical issue.

Authors in [20] introduced a scheme to detect and correct errors which have been introduced by malicious nodes (cars) in the network. A malicious node can impersonate other nodes, or it can introduce many other fraudulent nodes to disseminate wrong information in the network and affect the performance of the network. This scheme correlates data coming from different nodes and validates it using a predefined model. In case of any inconsistency, an explanation of the errors is searched for using an adversarial model, and the best explanation is provided to maintain stability in the network. This scheme assumes that an event is observed by many different nodes and that most of the nodes are not fraudulent. This assumption is often not true, and it gives undesired results [4].

There are several related European projects. The SEcure VEhicular COMmunication project is an EU-funded project which was started in 2006. The prime goal of Secure Vehicular Communication (SEVECOM) is to enhance the immunity of future road safety applications against various security threats [25]. This project specifies different kinds of possible threats, fundamental security requirements and operational properties. It has been pointed out in this project that all safety-related messages or any kind of action must be anonymous in order to guarantee the privacy of the user [35].

PrimeLife is a European FP7 research project that identifies the major problem of privacy and trust in anyone’s life. It identifies that an individual always leaves a lifelong trail of personal data while contributing and distributing any information [39]. It pointed out the importance of privacy and trust in any information sharing system and how identity management can be made reliable and robust. The PrimeLife group worked on the idea of anonymous credentials, which was introduced by Chaum [15]. It would be possible to build applications which can work with anonymous authentication. But Chaum’s scheme had a serious problem of linkability, i.e. it is possible to link subsequent messages with the same credential. Hence, the project group adopted the scheme proposed by Camenisch and Lysyanskaya to maintain identities or attributes [40].

The Vehicle Safety Communications (VSC) project group worked on the feasibility of the ’Dedicated Short Range Communications’ (DSRC) standard for vehicle safety applications. This project group also proposed to use short-lived anonymous certificates. The rationale behind the use of short-lived certificates is the short expiry time: a certificate expires and is discarded after being used, to maintain the privacy of the driver. Authors in [43] stated that the proposed scheme is better than the scheme of [42] in terms of security. The main disadvantage noted against the scheme is the communication cost. The presence of an anonymous certificate in the message (mainly when a new vehicle joins the group) increases the network overhead.

1.2 Thesis Outline and Contribution

The outline of the thesis is as follows. Chapter 2 presents a detailed view of GS schemes; it serves as an introduction to the following chapter by stating entities, general properties, applications and a theoretical comparison of different GS schemes. Chapter 3 describes in detail the algorithms of the different phases and the values of security parameters at different security levels for the GS schemes implemented and evaluated in this thesis. Chapter 4 contains the experimental results and data that are the outcome of the different experiments conducted throughout the thesis work. Chapter 5 shows the integration of Group signature schemes in vehicular communication with the help of an analytical model. Finally, Chapter 6 concludes the thesis. A summary of each chapter is given below.

Chapter 2- This chapter aims to describe the fundamental properties of Group Signature schemes. It includes the applications, entities and phases as well. A thorough literature study has been performed on various schemes to understand the fundamental requirements of a Group Signature scheme and its properties. The background section includes the history and current state of knowledge regarding group signatures. It focuses on the strengths and weaknesses of various schemes and highlights the main characteristics of each scheme. This chapter is based upon:

• David Chaum and Eugène Van Heyst. “Group signatures”. In: Proceedings of the 10th annual international conference on Theory and application of cryptographic techniques. EUROCRYPT’91. Brighton, UK: Springer-Verlag, 1991, pp. 257–265.

Chapter 3- This chapter presents detailed information of four different Group signature schemes. It describes the presence of different security parameters in each scheme, their length, values at different security levels and dependency on each other. It also includes the step by step description of algorithm of different phases of a scheme. The phases, which are mentioned in this chapter, are implemented to evaluate their performance. This chapter is based upon following research papers:

• Giuseppe Ateniese et al. "A Practical and Provably Secure Coalition-Resistant Group Signature Scheme". In: Proceedings of the 20th Annual International Cryptology Conference on Advances in Cryptology. CRYPTO ’00. London, UK: Springer-Verlag, 2000, pp. 255–270.

• Jan Camenisch and Jens Groth. "Group signatures: better efficiency and new theoretical aspects". In: Proceedings of the 4th international conference on Security in Communication Networks. SCN’04. Amalfi, Italy: Springer-Verlag, 2005, pp. 120–133.

• Dan Boneh, Xavier Boyen, and Hovav Shacham. "Short group signatures". In: Proceedings of CRYPTO’04, LNCS series. Springer-Verlag, 2004, pp. 41–55.

• Dan Boneh and Hovav Shacham. "Group signatures with verifier-local revocation". In: Proceedings of the 11th ACM conference on Computer and communications security. CCS ’04. Washington DC, USA: ACM, 2004, pp. 168–177.

Chapter 4- The aim of this chapter is to discuss results generated from different phases of the four aforementioned schemes discussed in detail in Chapter 3. There are several performance related issues covered in this chapter and few of those issues are:

• Calculation of processing cost of executing different phases of Group Signature schemes for different security levels.

• Comparison of group signature lengths of different schemes for different security parameters.

• Size of group signature, notably as it compares to the signed message size.

• Comparison of gpk length.

• Length of gpk as a function of number of members in the group.

• Revocation processing cost as a function of unrevoked members.

Chapter 5- This chapter shows a feasibility study of Group signature schemes in vehicular communication scenarios. It starts with an overview of vehicular communications using group signatures to secure communication, with related optimizations to reduce overhead, i.e. the use of SHORT and LONG packets. Computational overhead is calculated for SHORT and LONG packets using the values discussed in Chapter 4. It later covers important issues of processing overhead, using an analytical model to calculate the arrival rate of packets that need to be verified and the verification delay introduced by adding security. There is a discussion of the processing cost and memory requirement to revoke a member from a group, and of how different group signature schemes perform in this context. This chapter is based upon the framework and data presented and used in the paper:

• G. Calandriello et al. “On the Performance of Secure Vehicular Communication Systems”. IEEE Transactions on Dependable and Secure Computing, Vol. 8, No. 6, pp. 898-912, November 2011.

2 Group Signature

A group signature scheme is an advanced form of digital signature (σ) and it provides enhanced features of privacy and anonymity. A group can be formed of Group Members and a Group Manager (GM). Group signature schemes allow a group member to sign a message (M) anonymously on behalf of the group using its Group Member Private Key (gsk). Signatures can be verified with respect to a single Group Public Key (gpk), but that does not reveal the identity of the signer of the message. A receiving party can only figure out the identity of the group from the given message but it is computationally hard to discover the identity of the individual who signed the message [16]. It is also computationally hard to link two signatures which have been issued by the same group member. It is also not possible for anyone including the group manager to misattribute a valid group signature. In case of any dispute, a message can be opened by the GM using the Group Manager’s Secret Key (gmsk) to trace identity of the signer.

2.1 Entities in Group Signature

Here are the different entities which take an active part in any Group Signature scheme; see Figure 2.1 [16].

Group Manager: It is responsible for setting up the group, the public key of the group and its secret key. It allows any non-member to join the group and can revoke any valid user from the group. It can trace a signed message and reveal the identity of the signer.

Group Member: This is the user in the group and it can sign any message on the behalf of the group without revealing its identity.

Verifier: This is an entity which is not a member of the group but which checks whether a signed message is correct or not.

Non-Member: This is a user which is not the part of the group yet but it may or may not join the group in future.

2.2 Applications

A typical Information Technology company has many computers, printers, scanners, etc., connected to a network. An employee can use a printer to print necessary/official documents. S/he needs credentials to access the printer, to convince the printer that s/he is a legitimate user of the printer (a valid employee of that company). At the same time, the company demands privacy, and that is why the name (username) must not be revealed to anyone. If the printer is misused by an employee to print excessive amounts of his/her personal documents that are not related to official work in any way, then it must be possible for the administrator (Group Manager) to discover the identity of the employee [16].

An employee of a big company can also use a group signature scheme to sign any document on behalf of the company. The verifier is just interested in whether the document came from the legitimate group (company) and some representative of the company has signed it. He is not interested in the actual identity of the employee who signed the file. In case of any dispute, the verifier can notify the group manager (administrator) of the company, and he can discover the identity of the employee who signed the document.

Group signatures can also be applicable in a scenario where companies are required to submit a tender. All companies submitting a tender can form a group, and these participating companies can become group members in that group. All the bidders (owners) can sign the tender using the group public key, and their identities will remain anonymous. There will be a trusted third party which can act as the group manager for that group. Once the preferred tender is selected, the group manager can trace the owner of the tender offer while the other bidders remain anonymous [2].

2.3 Phases

A group signature scheme comprises the following phases [2, 5, 14]:

SETUP: This is the initial phase, in which the GM sets the group public key gpk and his secret key gmsk.

JOIN: A protocol between the GM and a non-member that results in the user becoming a part of the group as a valid group member. The output of this process is a membership certificate and a membership secret.

SIGN: An algorithm that allows a member to generate a valid group signature σ of a message M.

VERIFY: An algorithm to verify the validity of an alleged group signature. It is done by feeding the message M, the signature σ, and the group public key gpk into the algorithm and checking whether the signature is correct.

OPEN: An algorithm which outputs the identity (ID) of the signer given a valid group signature.

REVOKE: A procedure that results in the removal of a member from the group. This process is executed by the GM to update gpk and publish some information publicly. All unrevoked group members use this public information to update their membership certificates and generate the modified group public key $gpk_{new}$ on their own.

2.4 Properties

A group signature has the following general properties [2, 5]:

Anonymity: Group signatures are anonymous. It must be computationally infeasible for everyone except the group manager to discover the identity of the member who signed the message.

Unforgeability: Only members of the group can sign a message on behalf of the group. It is not possible for a non-member to generate a valid group signature and claim that it belongs to the group.

Unlinkability: Group signatures must be unlinkable. It must be computationally hard to decide whether two valid signatures have been generated by the same group member.

Correctness: VERIFY must accept group signatures which are produced by a valid group member using SIGN.

Exculpability: It must not be possible for a group manager or a group member to sign a message on behalf of other group members.

Traceability: The group manager is always able to open a valid signature and identify the actual signer in case of any dispute or fraud. This property is also violated if a subset of group members, pooling together their secrets, can generate a valid signature that cannot be opened by the GM.

Coalition-resistance: This property is a modification of the Traceability property. It states that a colluding subset of group members (even if comprised of the entire group) cannot generate a valid signature that the GM cannot link to one of the colluding group members.

Revocability: It must be possible to revoke a group member in some situations. A signature generated by a revoked member using the SIGN phase must be rejected by a verifier using the VERIFY phase. All the signatures produced by a valid member must be accepted by a verifier.

2.5 Background

The idea of group signature was first introduced by Chaum and Eugène van Heyst in 1991 [16]. They introduced four different schemes in order to implement group signatures. Pedersen and Chen in [17] pointed out some major problems in the schemes of [16]. They mentioned that only one scheme of [16] protects the anonymity of the Group Member unconditionally, while the other three schemes depend on computational assumptions. They also stated that any group signature scheme must allow adding new members to the group after the execution of the setup phase; this was not supported by two schemes in [16]. The authors of [17] also stated that the Group Authority/Manager must be able to identify the signer with the help of the signature, the group public key and some other auxiliary information, but three out of four schemes of Chaum failed to meet this requirement, as the Group Manager needs to contact each and every group member until the signer is found. Pedersen and Chen proposed two different schemes based on the above-mentioned requirements. These schemes allow adding new members to the group even after the setup phase and allow the functionality of the group manager to be distributed. These schemes were the state of the art until Camenisch in [11] disclosed a serious problem in the schemes of [17]. Camenisch showed that the Group Manager in [17] could falsely accuse any member of having signed a message. The weaknesses of these schemes were solved by suggesting a new group signature scheme. However, all the above-mentioned schemes have two drawbacks:

• They are not suitable for large groups as the size of the group public key is dependent on the number of members in the group.

• It is mandatory to update the group public key in order to add new members in the group.

Camenisch and Stadler proposed a new scheme [14] that turned out to be a major breakthrough as the length of public key and signature are independent of the number of group members. It also enhanced the computational effort for signing, verifying phase. There is also no need to change the group public key in case of addition or deletion of any member from the group.

Ateniese, Camenisch, Joye, Tsudik [2] indicated some serious issues in all existing group signature schemes. Those schemes are prone to the coalition attack (see section 2.4) and not suitable for real-world implementation. The authors suggested a scheme in [2] which was provably coalition-resistant under the strong Rivest, Shamir, Adleman (RSA) assumption¹. This scheme is commonly known as the ACJT scheme. The other security properties hold under the decisional Diffie-Hellman² or the discrete logarithm assumption³ [29].

The ACJT scheme introduced an efficient and reliable member registration protocol (JOIN) for new members. This protocol is based on a zero-knowledge proof with respect to the group member's secret. On the other hand, the member registration protocol of [13] is prone to attack. The ACJT scheme is coalition-resistant against an adaptive adversary, but the scheme in [13] is provably secure only for a static adversary. In this way, the ACJT scheme supports growing group membership efficiently. However, it is still unable to solve the problem of shrinking group membership without incurring massive computational costs. It is unacceptable to simply publish revoked member identities somewhere in order to stop that user from producing valid signatures. This would breach the strict requirement of anonymity, as past signatures can be disclosed. The authors of [5] criticized the ACJT scheme as it does not define any attack model or state any definition of adversarial success.

The limitation of the ACJT scheme (revocation) revealed a strong need for membership revocation in the field of group signatures and drew the attention of various researchers. They understood that it is not possible to follow the strict requirement of [5], i.e., to revoke the membership of a group member, it is necessary to change the security/signing parameters of all the members of the group. That is why a new concept of 'Verifier Local Revocation' was invented. According to this technique, it is not required to change the parameters of all the participating members; rather, a VERIFIER can modify its local parameters to find out the malicious/revoked member of the group. Camenisch and Groth [12] suggested a scheme (also known as the CG scheme) which was based on the same technique, and it was the first scheme that adopted this technique. The CG scheme is provably secure under the strong RSA assumption and a Decisional Diffie-Hellman (DDH) assumption. It has a more efficient JOIN protocol compared to the ACJT scheme, as it takes only two rounds to establish membership compared to the five rounds of ACJT. The CG scheme has a larger signature size compared to other well-known group signature schemes, but it is faster to sign a message using this scheme [12]. The authors of [12] also pointed out that the VERIFY phase of the CG scheme is faster than that of any group signature scheme based on bilinear pairings. The authors of [12] carried out many analytical comparisons of performance among different group signature schemes. This thesis carried out some experiments to measure and compare the performance of group signature schemes in chapter 4.

¹ Detailed information in Section 3.3 of [29]
² Detailed information in Section 3.7 of [29]
³ Detailed information in Section 3.6 of [29]

Some researchers paid special attention to the computational cost of the group signature scheme, while others focused on the overhead incurred by the length of the signature. The authors of [6] showed the necessity of short group signatures in some real-world scenarios. It is not efficient to use long group signatures in vehicular communication, as a number of cars transmit messages concurrently and very frequently. There is a strict requirement that the length of the signature must be less than 250 bytes. The security of this scheme (the BBS scheme) is based on the strong Diffie-Hellman assumption and the linear assumption¹ in bilinear maps. This scheme constructs short group signatures of length even less than 200 bytes that can offer approximately the same level of security as an RSA signature² of the same length [6]. The BBS scheme does not have any JOIN protocol and exculpability and only showed how to implement it [48]. Researchers in [48] also indicated that the security level of the BBS signature scheme does not fit in the security models of [5] and that anonymity is no longer formally guaranteed as soon as one signature is opened.

After the successful construction of short group signatures, researchers started to incorporate verifier-local functionality in the same scheme, and Boneh and Shacham formed a short group signature with verifier-local revocation (the BS scheme) [7]. The signature of this scheme is as short as an RSA signature and it is provably secure under the strong Diffie-Hellman assumption and the Decisional Linear assumption in bilinear groups. The nature and working principle of the BS scheme is very similar to that of the BBS scheme. In addition, the Group Manager maintains an RL and updates it periodically to send it to verifiers, so that they can check that a signature was not generated by a revoked member. Libert and Vergnaud [26] mentioned that the BS scheme has a major drawback in its security principles, as the signatures of a revoked member can become linkable, which poses a direct threat to the privacy of members who intentionally leave the group. An additional useful feature of the BS scheme is the derivation of the user's revocation token from the user's private key. The RL contains the revocation token present in the left half of the private key (see section 3.3.3). Hence, it is computationally easy to add a revocation token to the RL and revoke a user if the private key of the user is disclosed publicly.

¹ Detailed information is given in Section 3.2 of [6]
² Detailed information is given in Section 11.3 of [29]

3 GROUP SIGNATURE SCHEMES

This section describes all schemes in detail. It covers all the information that is required during the implementation phase. It includes notations, security parameters, the lengths of the security parameters, and a detailed description of all the steps of the different phases. The ACJT and CG schemes are implemented using the framework of [19], whereas the BBS and BS schemes are implemented using the framework of [28].

3.1 ACJT scheme

The ACJT scheme is known by the names of its inventors, i.e. Ateniese, Camenisch, Joye, and Tsudik. This section defines the security parameters, their dependencies on each other, and a detailed description of the various functions carried out in the different phases of the scheme. This section is based on [2].

3.1.1 Notations

| Symbols | Meaning |
|---|---|
| GM | Group Manager |
| Y | Group public key |
| S | Group secret key |
| x | Member secret key |
| $m$, $m \in \{0,1\}^*$ | Message |
| P | Set of group members/users |
| $P_i$ | Group member |
| Sign | Group signature |
| L | Security parameters |
| xcert | Membership certificate |

3.1.2 Security parameters

| Name | Description | Values |
|---|---|---|
| $l_p$ | RSA modulus / 2 | Security level (80 bits): 1024; security level (128 bits): 1536 |
| | It controls the tightness of the statistical zero-knowledge proof | 1.1 |
| $\lambda_1, \lambda_2, \lambda_3, \lambda_4$ | Interval ranges | 838, 600, 1102, 800 |
| $k$ | Digest length | 160 bits |

Table 3.2: Notation and values of Security parameters [19, 30]

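The security parameters are identified as: $\lambda_1$, $\lambda_2$, $\gamma_1$, $\gamma_2$, $k$, , $l_p$. These parameters have some constraints among them, which are as follows:

$\lambda_1 > (\lambda_2 + k) + 2$

$\lambda_2 > 4 l_p$

$\gamma_1 > (\gamma_2 + k) + 2$

$\gamma_2 > \lambda_1 + 2$

Table 3.3: Inter dependency of Security parameters

The integral ranges are defined as:

$\Lambda = [2^{\lambda_1} - 2^{\lambda_2},\ 2^{\lambda_1} + 2^{\lambda_2}]$

$\Gamma = [2^{\gamma_1} - 2^{\gamma_2},\ 2^{\gamma_1} + 2^{\gamma_2}]$

Table 3.4: Internal Ranges in ACJT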

3.1.3 Phases

The different phases of the ACJT scheme are defined as follows:

SETUP This is the initial phase of the scheme. It involves only the Group Manager. The output of this phase is the generation of Y and S.

1. Select random secret $l_p$-bit primes $p'$ and $q'$ so that $p = 2p' + 1$ and $q = 2q' + 1$ are prime.
2. Set the modulus $n = p \cdot q$.
3. Choose random elements $a, a_0, g, h \in_R QR(n)$, where $QR(n)$ is the cyclic subgroup of quadratic residues modulo $n$, i.e. the cyclic subgroup $QR(n)$ generated by an element of order $p'q'$.
4. Choose a random secret element $x \in_R Z^*_{p'q'}$.
5. Set $y = g^x \bmod n$.
6. The group public key is: $Y = (n, a_k, a_{0,k}, y, g, h)$
7. The group secret key is: $S = (p', q', x)$

The group public key Y can be made publicly available by embedding it in some form of public key certificate signed by a trusted authority. The components of Y must be verifiable to prevent framing attacks. The group manager needs the proof that n is the product of two safe primes.

JOIN This phase is an interactive communication between the group manager and a non-group member. It provides the functionality which can be used by any non-member to become a legitimate member of the group.

1. User $P_i$ generates a secret exponent $\tilde{x}_i \in_R\ ]0, 2^{\lambda_2}[$.
2. User generates a random integer $\tilde{r} \in_R\ ]0, n^2[$.
3. User sends $C_1 = g^{\tilde{x}_i} h^{\tilde{r}} \bmod n$ to the GM and proves to him knowledge of the representation of $C_1$ with respect to bases $g$ and $h$.
4. GM checks that $C_1 \in QR(n)$. GM will reject the joining of the new member if this check fails.
5. If the above-mentioned check passes, GM selects $\alpha_i$ and $\beta_i \in_R\ ]0, n^2[$ and sends them to user $P_i$.
6. User $P_i$ computes $x_i = 2^{\lambda_1} + (\alpha_i \tilde{x}_i + \beta_i \bmod 2^{\lambda_2})$ and sends GM the value $C_2 = a^{x_i} \bmod n$. The user also proves to GM:
   (a) That the discrete log of $C_2$ with respect to base $a$ lies in $\Lambda$,
   (b) Knowledge of integers $u$, $v$, and $w$ such that
      i. $u$ lies in $[-2^{\lambda_2}, 2^{\lambda_2}]$,
      ii. $u$ equals the discrete log of $C_2 / a^{2^{\lambda_1}}$ with respect to base $a$, and
      iii. $C_1^{\alpha_i} g^{\beta_i}$ equals $g^u (g^{\lambda_2})^v$
7. GM checks that $C_2 \in QR(n)$. If this check fails, then GM will reject the joining request of the user.
8. If all the above-mentioned steps passed, then GM selects a random prime $e_i \in_R \Gamma$ and computes $A_i = (C_2 a_0)^{1/e_i} \bmod n$.
9. GM sends the user the new membership certificate $[A_i, e_i]$.
10. The user can verify the certificate by checking $a^{x_i} a_0 \equiv A_i^{e_i} \pmod n$.
11. GM creates a new entry in the membership table and stores {$[A_i, e_i]$, Join transcript} in it.

SIGN This is the phase where a user generates a group signature on a message. This signature is anonymous and unlinkable, i.e. if a user signs a message twice, then it will be computationally infeasible to link those two messages.

1. A group member generates a random value $\omega \in_R \{0, 1\}^{2 l_p}$
2. It computes
   (a) $T_1 = A_i y^{\omega} \bmod n$
   (b) $T_2 = g^{\omega} \bmod n$
   (c) $T_3 = g^{e_i} h^{\omega} \bmod n$
3. It chooses
   (a) $r_1 \in_R \pm\{0, 1\}^{(\gamma_2 + \kappa)}$
   (b) $r_2 \in_R \pm\{0, 1\}^{(\lambda_2 + \kappa)}$
   (c) $r_3 \in_R \pm\{0, 1\}^{(\gamma_1 + 2 l_p + \kappa + 1)}$
   (d) $r_4 \in_R \pm\{0, 1\}^{(2 l_p + \kappa)}$
4. It computes
   (a) $d_1 = T_1^{r_1} / (a^{r_2} y^{r_3}) \bmod n$
   (b) $d_2 = T_2^{r_1} / g^{r_3} \bmod n$
   (c) $d_3 = g^{r_4} \bmod n$
   (d) $d_4 = g^{r_1} h^{r_4} \bmod n$
5. It computes $c = H(g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4 \,\|\, m)$
6. It computes
   (a) $s_1 = r_1 - c(e_i - 2^{\gamma_1})$
   (b) $s_2 = r_2 - c(x_i - 2^{\lambda_1})$
   (c) $s_3 = r_3 - c e_i \omega$
   (d) $s_4 = r_4 - c \omega$
7. The output of this phase is the signature $sign = (c, s_1, s_2, s_3, s_4, T_1, T_2, T_3)$.

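VERIFY A verifier can check the validity of a signature (output of the SIGN phase) of the message m as follows:

1. It computes

   $c' = H(g \,\|\, h \,\|\, y \,\|\, a_0 \,\|\, a \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, a_0^{c} T_1^{s_1 - c 2^{\gamma_1}} / (a^{s_2 - c 2^{\lambda_1}} y^{s_3}) \bmod n \,\|\, T_2^{s_1 - c 2^{\gamma_1}} / g^{s_3} \bmod n \,\|\, T_2^{c} g^{s_4} \bmod n \,\|\, T_3^{c} g^{s_1 - c 2^{\gamma_1}} h^{s_4} \bmod n \,\|\, m)$

2. It accepts the signature if and only if $c' = c$ and
   (a) $s_1 \in \pm\{0, 1\}^{(\gamma_2 + \kappa) + 1}$
   (b) $s_2 \in \pm\{0, 1\}^{(\lambda_2 + \kappa) + 1}$
   (c) $s_3 \in \pm\{0, 1\}^{(\lambda_1 + 2 l_p + \kappa + 1) + 1}$
   (d) $s_4 \in \pm\{0, 1\}^{(2 l_p + \kappa) + 1}$
3. If all the conditions of step 2 are satisfied, then the signature is valid; otherwise it is not.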

OPEN In case of any dispute, GM executes the OPEN process to discover the identity of the entity involved.

1. It checks the signature’s validity via the VERIFY process.
2. Recover $A_i$ and the identity of $P_i$ as $A_i = T_1 / T_2^{x} \bmod n$
3. Prove that $\log_g y = \log_{T_2} (T_1 / A_i \bmod n)$
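The SIGN, VERIFY and OPEN steps above can be exercised end to end with toy parameters. The following Python sketch is an added example, not the thesis's Java code or the code of [19]; the bit lengths, the helper names (`pick`, `pm`, `issue`, `open_sig`), the SHA-256-based H and the non-interactive `issue` that stands in for the JOIN protocol are assumptions made for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy bit lengths, constructed for this example; far too small for real use.
LP, K = 16, 32            # l_p (bits of p', q') and digest length k
LAM2 = 4 * LP + 1         # lambda_2 > 4 l_p
LAM1 = LAM2 + K + 3       # lambda_1 > (lambda_2 + k) + 2
GAM2 = LAM1 + 3           # gamma_2 > lambda_1 + 2
GAM1 = GAM2 + K + 3       # gamma_1 > (gamma_2 + k) + 2

def is_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        # Composite witness: x never reaches n-1 under repeated squaring.
        if x not in (1, n - 1) and all((x := x * x % n) != n - 1 for _ in range(s - 1)):
            return False
    return True

def H(*parts):
    """k-bit challenge: SHA-256 over the joined values, truncated to K bits."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - K)

def pm(bits):
    """Uniform integer in +/-{0,1}^bits, i.e. in (-2^bits, 2^bits)."""
    return secrets.randbelow(2 ** (bits + 1) - 1) - (2 ** bits - 1)

def pick(draw, ok):
    """Draw candidates until one satisfies ok()."""
    while True:
        c = draw()
        if ok(c):
            return c

def setup():
    """SETUP: returns the group public key Y and the group secret key S."""
    half = lambda: pick(lambda: secrets.randbits(LP) | (1 << (LP - 1)) | 1,
                        lambda c: is_prime(c) and is_prime(2 * c + 1))
    p1 = half()
    q1 = pick(half, lambda c: c != p1)
    n = (2 * p1 + 1) * (2 * q1 + 1)
    qr = lambda: pick(lambda: secrets.randbelow(n - 2) + 2, lambda r: gcd(r, n) == 1) ** 2 % n
    a, a0, g, h = qr(), qr(), qr(), qr()
    x = pick(lambda: secrets.randbelow(p1 * q1 - 1) + 1, lambda c: gcd(c, p1 * q1) == 1)
    Y = dict(n=n, a=a, a0=a0, y=pow(g, x, n), g=g, h=h)
    return Y, dict(p1=p1, q1=q1, x=x)

def issue(Y, S):
    """Stand-in for JOIN (assumption): returns (A_i, e_i, x_i) without the proofs."""
    n = Y["n"]
    xi = 2 ** LAM1 + secrets.randbits(LAM2)                    # x_i in Lambda
    ei = pick(lambda: (2 ** GAM1 - 2 ** GAM2 + secrets.randbelow(2 ** (GAM2 + 1))) | 1,
              is_prime)                                        # prime e_i in Gamma
    d = pow(ei, -1, S["p1"] * S["q1"])                         # 1/e_i modulo p'q'
    return pow(pow(Y["a"], xi, n) * Y["a0"] % n, d, n), ei, xi

def sign(Y, cert, m):
    """SIGN, following steps 1-7 of the SIGN phase."""
    n, a, a0, y, g, h = (Y[f] for f in ("n", "a", "a0", "y", "g", "h"))
    Ai, ei, xi = cert
    w = secrets.randbits(2 * LP)
    T1, T2, T3 = Ai * pow(y, w, n) % n, pow(g, w, n), pow(g, ei, n) * pow(h, w, n) % n
    r1, r2, r3, r4 = pm(GAM2 + K), pm(LAM2 + K), pm(GAM1 + 2 * LP + K + 1), pm(2 * LP + K)
    d = (pow(T1, r1, n) * pow(a, -r2, n) * pow(y, -r3, n) % n,
         pow(T2, r1, n) * pow(g, -r3, n) % n,
         pow(g, r4, n), pow(g, r1, n) * pow(h, r4, n) % n)
    c = H(g, h, y, a0, a, T1, T2, T3, *d, m)
    return (c, r1 - c * (ei - 2 ** GAM1), r2 - c * (xi - 2 ** LAM1),
            r3 - c * ei * w, r4 - c * w, T1, T2, T3)

def verify(Y, sig, m):
    """VERIFY: range-check s1..s4, rebuild d1..d4 and compare the challenge."""
    n, a, a0, y, g, h = (Y[f] for f in ("n", "a", "a0", "y", "g", "h"))
    c, s1, s2, s3, s4, T1, T2, T3 = sig
    # Each s_j may be one bit wider than the range r_j was drawn from in SIGN.
    widths = (GAM2 + K + 1, LAM2 + K + 1, GAM1 + 2 * LP + K + 2, 2 * LP + K + 1)
    if any(abs(s) >= 2 ** b for s, b in zip((s1, s2, s3, s4), widths)):
        return False
    t = s1 - c * 2 ** GAM1
    try:
        d = (pow(a0, c, n) * pow(T1, t, n) * pow(a, c * 2 ** LAM1 - s2, n) * pow(y, -s3, n) % n,
             pow(T2, t, n) * pow(g, -s3, n) % n,
             pow(T2, c, n) * pow(g, s4, n) % n,
             pow(T3, c, n) * pow(g, t, n) * pow(h, s4, n) % n)
    except ValueError:                  # a T_j without an inverse modulo n
        return False
    return c == H(g, h, y, a0, a, T1, T2, T3, *d, m)

def open_sig(Y, S, sig, m):
    """OPEN: the GM recovers A_i = T1 / T2^x mod n from a valid signature."""
    if not verify(Y, sig, m):
        return None
    return sig[5] * pow(sig[6], -S["x"], Y["n"]) % Y["n"]
```

A verifier holding only Y accepts the signature without learning which certificate produced it, while the holder of x maps the same signature back to the signer's $A_i$.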

REVOKE This is a procedure to revoke a member from the group. It also results in the generation of a new group public key and new membership certificates. The ACJT scheme doesn’t provide a revocation feature, but an extension of ACJT to revocation is proposed in [3]. It proceeds as follows:

2. GM selects a random number $r \in_R Z^*_{p'q'}$
3. It computes $a_k = a_{k-1}^{r} \bmod n$ and $a_{0,k} = a_{0,k-1}^{r} \bmod n$
4. GM issues a new certificate of the form $A_{k,i} = (a_k^{x_i} a_{0,k})^{1/e_i} \bmod n,\ e_i$, where $k$ is the number of shrinking membership changes.
5. A revoked member cannot obtain the newly issued group certificate, as the value of $r$ is unknown to her.
6. The new group public key becomes $Y = (n, a_k, a_{0,k}, y, g, h)$

3.2 CG scheme

This section describes the various phases of the CG scheme with an in-depth description of the operations done in each phase. It also shows the security parameters of this scheme, their estimated sizes and their constraints. The authors of this scheme are Camenisch and Groth, and this section is based on their paper [12].

3.2.1 Notations

| Symbols | Meaning |
|---|---|
| GM | Group Manager |
| vk | Group public key |
| gmsk | Group secret key |
| sk | Member secret key |
| $m$, $m \in \{0,1\}^*$ | Message |
| P | Set of group members/users |
| $P_i$ | Group member |
| σ | Group signature |
| L | Security parameters |
| xcert | Membership certificate |

Table 3.5: Notation and its meaning (CG)

3.2.2 Security parameters

| Name | Description | Values |
|---|---|---|
| $l_n$ | RSA modulus | Security level (80 bits): 2048; security level (128 bits): 3072 bits |
| $l_P$ | Order of the group $Z^*_P$ | Security level (80 bits): 2048; security level (128 bits): 3072 bits |
| $l_Q$ | Order of the group in $Z^*_P$ | 282 bits |
| $l_c$ | Length of the output of the hash function | 160 bits |
| $l_e$ | A number large enough that we can assign all members different numbers | 60 bits |
| $l_s$ | Bit-length such that for any integer $a$, when we pick $r$ as a $\lvert a \rvert + l_s$-bit random number, then $a + r$ and $r$ are statistically indistinguishable | 60 bits |
| $l_E$ | To calculate prime number | 504 bits |

Table 3.6: Notation and values of Security parameters [19]

These parameters have some constraints among them, which are as follows:

$l_c + l_e + l_s + 1 < l_Q$

$l_Q + l_c + l_s + 1 < l_E$

$l_E < l_n / 2$

Table 3.7: Constraints on Security parameters

3.2.3 Phases

SETUP

1. Select two safe primes $p'$ and $q'$ and calculate $p = 2p' + 1$ and $q = 2q' + 1$
2. Calculate the modulus $n = pq$, where $n$ is $l_n$ bits.
3. Choose random elements $a, g, h \in_R QR(n)$, where $QR(n)$ is the cyclic subgroup of quadratic residues modulo $n$, i.e. the cyclic subgroup $QR(n)$ generated by an element of order $p'q'$.
5. Let $F$ be an element of order $Q$ in $Z^*_P$.
6. Choose at random $X_G, X_H \in_R Z^*_Q$.
7. Set $G = F^{X_G} \bmod P$, $H = F^{X_H} \bmod P$
8. Choose a random element $w \in_R QR(n)$
9. Public key: $vk = (n, a, g, h, Q, P, F, G, H, w)$
10. Private key: $gmsk = (p, q, X_G)$

JOIN

1. The member selects at random $x_i \in_R Z_Q$.
2. It computes $y_i = G^{x_i} \bmod P$.
3. The member forms a commitment to $x_i$, $g^{x_i} h^{r'_i} \bmod n$, where $r_i \in_R Z_n$.
4. The member selects $r_i \in_R Z_n$.
5. The member sends $y_i$, $g^{x_i} h^{r'_i} \bmod n$ to GM.
6. The group manager selects $e_i \in \{0, 1\}^{l_e}$ such that $E_i = 2^{l_E} + e_i$ is prime.
7. GM computes $w_i = w^{E_i^{-1}} \bmod n$.
8. GM selects at random $r''_i \in_R Z_e$.
9. GM sets $y_i = (a g^{x_i} h^{r'_i + r''_i})^{E_i^{-1}} \bmod n$.
10. GM sends $w_i, y_i, E_i, r''_i$ to the user.
11. The secret key of the member is $sk_i = (vk, w_i, x_i, r_i = r'_i + r''_i, y_i, e_i)$

SIGN A valid member can sign on behalf of the group using this algorithm.

1. Selects a random integer $\in \{0, 1\}^{l_n/2}$ and $R \in_R Z_Q$.
2. Set $u = h^{r} y_i w_i \bmod n$.
3. It computes the following values:
   (a) $U_1 = F^{R} \bmod P$.
   (b) $U_2 = G^{R + x_i} \bmod P$.
4. It chooses the following values:
   (a) $r_x \in \{0, 1\}^{l_Q + l_c + l_s}$
   (b) $r_r \in \{0, 1\}^{l_n/2 + l_c + l_s}$
   (c) $r_e \in \{0, 1\}^{l_e + l_c + l_s}$
   (d) $R_R \in Z_Q$
5. It computes the following values:
   (a) $v = u^{r_e} g^{-r_x} h^{r_r} \bmod n$
   (b) $V_1 = F^{R_R} \bmod P$
   (c) $V_2 = G^{R_R + r_x} \bmod P$
   (d) $V_3 = H^{R_R + r_e} \bmod P$
6. Computes the hash value $c$,
   $c = H(vk \,\|\, u \,\|\, v \,\|\, U_1 \,\|\, U_2 \,\|\, U_3 \,\|\, V_1 \,\|\, V_2 \,\|\, V_3 \,\|\, m)$
7. It again computes the following values:
   (a) $z_x = r_x + c x_i$
   (b) $z_r = r_r + c(-r_i - r E_i)$
   (c) $z_e = r_e + c e_i$
   (d) $Z_R = R_R + cR \bmod Q$
8. It generates the signature $\sigma = (c, u, U_1, U_2, U_3, z_x, z_r, z_e, Z_R)$

VERIFY

1. The verifier checks that
   (a) $z_e \in \{0, 1\}^{l_e + l_c + l_s}$
   (b) $z_x \in \{0, 1\}^{l_Q + l_c + l_s}$
2. Computes
   (a) $v = (aw)^{-c} g^{-z_x} h^{z_r} u^{c 2^{l_E} + z_e} \bmod n$
   (b) $V_1 = U_1^{-c} F^{Z_R} \bmod P$
   (c) $V_2 = U_2^{-c} G^{Z_R + z_x} \bmod P$
   (d) $V_3 = U_3^{-c} H^{Z_R + z_e} \bmod P$
3. Verify that

OPEN The Group Manager can discover the identity of any member using this algorithm.

1. Check the validity of the group signature as mentioned in the VERIFY process.
2. Compute $id = U_1 U_2^{-X_G} \bmod p$
3. Look for $id$ in the member list and fetch the identity corresponding to $id$.

REVOKE

1. GM publishes $e_i$ of the corresponding revoked member. The value $e_i$ comes from step 6 of the JOIN phase.
2. GM chooses a random element $w_i \in_R QR(n)$
3. All valid members of the group update their secret key as follows:
   (a) Member selects $\alpha, \beta$ randomly
   (b) Member computes the new element $w_j = w_i^{\beta} w_j^{\alpha} \bmod n$
   (c) The secret key of the member becomes $sk_i = (vk, w_j, x_i, r_i = r'_i + r''_i, y_i, e_i)$
4. The new group public key is $vk = (n, a, g, h, Q, P, F, G, H, w_i)$

3.3 BBS scheme

The authors of this scheme are Boneh, Boyen, and Shacham, and this section is based on their paper [6]. This section contains a description of the different phases of the BBS scheme.

3.3.1 Notations

| Symbols | Meaning |
|---|---|
| GM | Group Manager |
| gpk | Group public key |
| gmsk | Group secret key |
| gsk | Member secret key |
| $m$, $m \in \{0,1\}^*$ | Message |
| P | Set of group members/users |
| $P_i$ | Group member |
| σ | Group signature |

Table 3.8: Notation and its meaning in BBS scheme

3.3.2 Security parameters

The security parameters are identified as:

| Name | Description | Values |
|---|---|---|
| $l_{g1}$ | Length of order of cyclic group $G_1$ | Security level (80 bits): 1024 bits; security level (128 bits): 3072 bits |
| $l_{g2}$ | Length of order of cyclic group $G_2$ | Security level (80 bits): 1024 bits; security level (128 bits): 3072 bits |
| $l_p$ | Length of prime subgroup | Security level (80 bits): 160 bits; security level (128 bits): 256 bits |
| $l_q$ | Length of big field | Security level (80 bits): 512 bits; security level (128 bits): 1536 bits |
| $k$ | Embedding degree | 2 |

Table 3.9: Notation and values of Security parameters

3.3.3 Phases

SETUP This phase takes the number of members in the group as an argument and proceeds as follows:

1. Select a generator $g_2$ in $G_2$ uniformly at random.
2. Set $g_1 = \psi(g_2)$
3. Select a random $h \in_R G_1 \setminus \{1_{G_1}\}$ and $\xi_1, \xi_2 \in_R Z^*_p$.
4. Set $u, v \in G_1$ such that $u^{\xi_1} = v^{\xi_2} = h$
5. Select $\gamma \in_R Z^*_p$ and set $w = g_2^{\gamma}$
6. Using $\gamma$, generate for each user $i$, $1 \le i \le n$, a tuple $(A_i, x_i)$ where $x_i \in_R Z^*_p$, and set $A_i = g_1^{1/(\gamma + x_i)} \in G_1$
7. The group public key is $gpk = (g_1, g_2, h, u, v, w)$
8. The group private key is $gmsk = (\xi_1, \xi_2)$
9. The secret key of each user is her tuple $gsk[i] = (A_i, x_i)$

SIGN gpk and gsk[i] have been calculated in the SETUP phase. M is the message to be signed by the user.

1. Select a message $M \in \{0, 1\}^*$
2. Compute
   (a) $T_1 = u^{\alpha}$
   (b) $T_2 = v^{\beta}$
   (c) $T_3 = A h^{\alpha + \beta}$

The user selects $r_\alpha, r_\beta, r_x, r_{\delta_1}, r_{\delta_2} \in_R Z_p$ and computes a few other values:

1. $R_1 = u^{r_\alpha}$
2. $R_2 = v^{r_\beta}$
3. $R_3 = e(T_3, g_2)^{r_x} \cdot e(h, w)^{-r_\alpha - r_\beta} \cdot e(h, g_2)^{-r_{\delta_1} - r_{\delta_2}}$
4. $R_4 = T_1^{r_x} \cdot u^{-r_{\delta_1}}$
5. $R_5 = T_2^{r_x} \cdot v^{-r_{\delta_2}}$
6. Compute a challenge $c$ using the hash function as:
   $c = H(M, T_1, T_2, T_3, R_1, R_2, R_3, R_4, R_5) \in Z_p$
7. Using the value $c$, construct the following values:
   (a) $s_\alpha = r_\alpha + c\alpha$
   (b) $s_\beta = r_\beta + c\beta$
   (d) $s_{\delta_1} = r_{\delta_1} + c\delta_1$
   (e) $s_{\delta_2} = r_{\delta_2} + c\delta_2$
8. The signature on the message is computed as:
   $\sigma = (T_1, T_2, T_3, c, s_\alpha, s_\beta, s_x, s_{\delta_1}, s_{\delta_2})$

VERIFY

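1. The verifier will compute the following values in order to verify the signature.
2. $\tilde{R}_1 = u^{s_\alpha} \cdot T_1^{-c}$
3. $\tilde{R}_2 = v^{s_\beta} \cdot T_2^{-c}$
4. $\tilde{R}_3 = e(T_3, g_2)^{s_x} \cdot e(h, w)^{-s_\alpha - s_\beta} \cdot e(h, g_2)^{-s_{\delta_1} - s_{\delta_2}} \cdot \left( e(T_3, w) / e(g_1, g_2) \right)^{c}$
5. $\tilde{R}_4 = T_1^{s_x} \cdot u^{-s_{\delta_1}}$
6. $\tilde{R}_5 = T_2^{s_x} \cdot v^{-s_{\delta_2}}$
7. Compute a challenge $c' = H(M, T_1, T_2, T_3, \tilde{R}_1, \tilde{R}_2, \tilde{R}_3, \tilde{R}_4, \tilde{R}_5)$
8. Accept the signature if and only if $c$ is equal to $c'$.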

OPEN

1. GM will first verify that the signature is valid on message M. This can be done by simply sending the parameters to the VERIFY phase.
2. If the signature is valid, then the user’s identity can be traced by calculating $A = T_3 / (T_1^{\xi_1} \cdot T_2^{\xi_2})$
3. GM can check the list of users and find the user corresponding to the calculated $A$.

REVOKE Let us suppose there is a set $\{1, \ldots, r\}$ of users which will be revoked from the group.

1. The Revocation Authority (RA) publishes a Revocation List (RL) which contains the private keys of all revoked users.
2. The RL is given to all signers and verifiers in the system to get the updated group public key.
3. They will compute $y = \prod_{i=1}^{r} (\gamma + x_i) \in Z^*_p$ to calculate
4. $g_1 = g_1^{1/y}$
5. $g_2 = g_2^{1/y}$
6. $w = (g_2)^{\gamma}$
7. The new public key becomes $gpk = (g_1, g_2, h, u, v, w)$
8. An unrevoked member with old private key $gsk = (A, x)$ can calculate the updated private key $(A, x)$ where $A = (g_1)^{1/(\gamma + x)}$

3.4 BS scheme

This scheme was proposed by Boneh and Shacham. This section is based on the paper [7].

3.4.1 Notations

| Symbols | Meaning |
|---|---|
| GM | Group Manager |
| gpk | Group public key |
| gmsk | Group secret key |
| gsk | Member secret key |
| $m$, $m \in \{0,1\}^*$ | Message |
| P | Set of group members/users |
| $P_i$ | Group member |
| σ | Group signature |

Table 3.10: Notation and its meaning in BS scheme

3.4.2 Security parameters

| Name | Description | Values |
|---|---|---|
| $l_{g1}$ | Length of order of cyclic group $G_1$ | Security level (80 bits): 1024 bits; security level (128 bits): 3072 bits |
| $l_{g2}$ | Length of order of cyclic group $G_2$ | Security level (80 bits): 1024 bits; security level (128 bits): 3072 bits |
| $l_p$ | Length of prime subgroup | Security level (80 bits): 160 bits; security level (128 bits): 256 bits |
| $l_q$ | Length of big field | Security level (80 bits): 512 bits; security level (128 bits): 1536 bits |
| $k$ | Embedding degree | 2 |

Table 3.11: Notation and values of Security parameters

3.4.3 Phases

SETUP This phase takes the number of members in the group as an argument and proceeds as follows:

1. Select a generator $g_2$ in $G_2$ uniformly at random.
2. Set $g_1 = \psi(g_2)$
3. Select $\gamma \in_R Z^*_p$ and set $w = g_2^{\gamma}$
4. Using $\gamma$, generate for each user $i$, $1 \le i \le n$, a tuple $(A_i, x_i)$ where $x_i \in_R Z^*_p$ such that $\gamma + x_i \ne 0$, and set $A_i = g_1^{1/(\gamma + x_i)} \in G_1$
5. The group public key is $gpk = (g_1, g_2, w)$
6. The secret key of each user is her tuple $gsk[i] = (A_i, x_i)$
7. The revocation token corresponding to the user’s key $(A_i, x_i)$ is $grt[i] = A_i$
8. The output of this phase is $gpk$, $gsk$, $grt$

SIGN gpk and gsk[i] have been calculated in the SETUP phase. M is the message to be signed by the user.

1. Select a message $M \in \{0, 1\}^*$
2. Pick a random nonce $r \in_R Z_p$. Obtain generators $(\hat{u}, \hat{v})$ in $G_2$ from $H_0$ as $(\hat{u}, \hat{v}) = H_0(gpk, M, r) \in G_2^2$ and compute their images in $G_1$:

1. Select an exponent $\alpha \in_R Z_p$
   (a) $T_1 = u^{\alpha}$
   (b) $T_2 = A_i v^{\alpha}$

The user sets $\delta = x_i \alpha \in_R Z_p$ and computes a few other values:

1. $R_1 = u^{r_\alpha}$
2. $R_2 = e(T_2, g_2)^{r_x} \cdot e(v, w)^{-r_\alpha} \cdot e(v, g_2)^{-r_\delta}$
3. $R_3 = T_1^{r_x} \cdot u^{-r_\delta}$
4. Compute a challenge $c$ using the hash function as: $c = H(gpk, M, r, T_1, T_2, R_1, R_2, R_3) \in Z_p$
5. Using the value $c$, construct the following values:
   (a) $s_\alpha = r_\alpha + c\alpha$
   (b) $s_x = r_x + c x_i$
   (c) $s_\delta = r_\delta + c\delta$
6. The signature on the message is computed as: $\sigma = (r, T_1, T_2, c, s_\alpha, s_x, s_\delta)$

VERIFY

1. Signature Check
   (a) The verifier checks that σ is a valid signature by computing $\hat{u}$ and $\hat{v}$ and their images as defined in step 2 of 3.4.3
   (b) The verifier will compute the following values in order to verify the signature.
      i. $\tilde{R}_1 = u^{s_\alpha} \cdot T_1^{-c}$
      ii. $\tilde{R}_2 = e(T_2, g_2)^{s_x} \cdot e(v, w)^{-s_\alpha} \cdot e(v, g_2)^{-s_\delta} \cdot \left( e(T_2, w) / e(g_1, g_2) \right)^{c}$
      iii. $\tilde{R}_3 = T_1^{s_x} \cdot u^{-s_\delta}$
   (c) Compute a challenge $c' = H(gpk, M, r, T_1, T_2, \tilde{R}_1, \tilde{R}_2, \tilde{R}_3)$
2. Revocation Check
3. For each element $A \in RL$, check whether $A$ is encoded in $(T_1, T_2)$ by checking if $e(T_2 / A, \hat{u})$ is equal to $e(T_1, \hat{v})$.

If no element of RL is encoded in $(T_1, T_2)$, the signer of σ has not been

4 PERFORMANCE EVALUATION

This section is based on the performance evaluation of various aspects of Group Signature schemes. Performance is defined and measured in terms of computational delay (processing cost) introduced by a phase or process. Other aspects like size of group public key and its dependency on the group size are also taken into consideration.

The computational cost is calculated on the following configuration:

Operating system: Windows 7 Home Premium 64 Bit (6.1 Build 7601)
Processor: Intel® Core™ i3 CPU M330 @ 2.13 GHz (4 CPUs)
Memory: 4096 MB
System Manufacturer: Hewlett-Packard
IDE: NetBeans IDE 7.0.1
Testing Framework: JUnit 4.8.2
Sun’s Java Development Kit: JDK 1.7

Table 4.1: Details of system configuration

The computation cost is calculated using following libraries:

| Schemes | Library |
|---|---|
| ACJT, CG | bcprov (Bouncy Castle) |
| BBS, BS | jpbc (Java Pairing Based Cryptography) using Type A curve generator, embedding degree k=2 |

Table 4.2: Details of library used in different schemes [8, 44]

The processing cost of GS schemes is calculated using the code provided in [19, 28]. Phases like SETUP, SIGN, VERIFY are already implemented by these authors in their respective works. In this thesis work, the remaining phases are implemented to complete all the phases of the group signature schemes in order to assess their processing cost. Table 4.3 shows the phases of a GS scheme already implemented and those phases that are implemented in this thesis. For example, the SETUP, SIGN, VERIFY phases of the ACJT scheme are implemented by author Diego, F in [19] using the BouncyCastle library, and the JOIN, OPEN, REVOKE phases are implemented in this work.

| Schemes | Library | Already Implemented Phases | Newly Implemented Phases |
|---|---|---|---|
| ACJT | Bouncy Castle | SETUP, SIGN, VERIFY (Author: Diego, F [19]) | JOIN, OPEN, REVOKE |
| CG | Bouncy Castle | SETUP, SIGN, VERIFY (Author: Diego, F [19]) | JOIN, OPEN, REVOKE |
| BBS | Jpbc | SETUP, SIGN, VERIFY (Author: Manolopoulos, V [28]) | OPEN, REVOKE |
| BS | Jpbc | SETUP, SIGN, VERIFY (Author: Manolopoulos, V [28]) | OPEN, REVOKE |
| ECDSA | Bouncy Castle | SIGN, VERIFY | |

Table 4.3: This table shows the components/phases that are already implemented by other authors and those that are implemented in this thesis work

4.1 Group signature phases

4.1.1 SETUP

SETUP is the first phase of a group signature scheme. It is initiated by the group manager to initialize the group public key and the group secret key. This algorithm mainly uses various security parameters to generate the group public key and the group secret key. All the schemes have a common characteristic in the SETUP phase, which is identified by the size of the RSA modulus used. This modulus is responsible for the security level of the keys being generated in this phase. Table 4.4 shows the computational cost of the SETUP phase of ACJT and CG under 2048 bits and 3072 bits modulus size. These values are the mean values generated from 150 measurements. Due to the high computational cost of the SETUP phase, it is recommended to execute this phase offline and on a high-performance computing system.


| | ACJT | CG |
|---|---|---|
| Security level of 80 bits, i.e. 2048 bits modulus | 30785 | 73789 |
| Security level of 128 bits, i.e. 3072 bits modulus | 1039036 | 3086642 |

Table 4.4: Processing cost of SETUP phase of ACJT and CG schemes as measured in milliseconds. Given values are the mean value generated from 150 measurements.

The BBS and BS schemes do not have separate SETUP and JOIN phases; the two are combined in a single phase. The SETUP phase takes the number of members in the group as input. The absence of an explicit JOIN phase makes these two schemes poor in terms of scalability, and ACJT and CG gain a significant advantage over BBS and BS. Figure 4.1 shows the delay as a function of the number of members in the SETUP phase of the BBS scheme at the t = 80 bits security level, that is, the time the SETUP phase takes to complete when the number of members in the system is N ∈ {0, 1000}. Similarly, Figure 4.2 shows the computational delay of the SETUP phase as a function of the number of members in the BS scheme.

Figure 4.1: Variation of execution time (ms) with the number of members in BBS in SETUP at 80 bits of security level; mean of 150 measurements with 95% confidence interval

Figure 4.2: Variation of execution time (ms) with the number of members in BS in SETUP at 80 bits of security level; mean of 150 measurements with 95% confidence interval

The output of the SETUP phase is the group public key and the group secret key. The length of the group public key is also a major factor in efficiency and must be considered when implementing any scheme. The group public key has to be broadcast to all members of the group after the SETUP phase completes. A large group public key can incur a large overhead on the network and also requires a large amount of storage. The size of gpk is calculated for each scheme experimentally (see Figure 4.3 and Figure 4.4) and analytically in Table 4.5. The size of gpk varies slightly between measurements because of the random numbers assigned to the parameters that form gpk. Table 4.6 shows the error percentage between the experimental and analytical size of gpk.

Figure 4.3: Length of group public key in bits for different schemes at 80 bits of security level; mean of 150 measurements

Figure 4.4: Length of group public key in bits for different schemes at 128 bits of security level; mean of 150 measurements

The length of the group public key of each scheme for security levels of t = 80 bits and 128 bits is shown in Table 4.5.
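The following added example (not code from this thesis or from [19, 28]) shows why a measured gpk length falls slightly below the analytical one: it builds keys shaped like the ACJT group public key (n, a, a0, y, g, h), measures their length over 150 runs, and reports the mean, a 95% confidence interval and the error percentage. The gpk layout is taken from the ACJT construction; ordinary primes instead of safe primes, the small modulus sizes and all function names are assumptions made for illustration.

```python
import math
import random
import statistics

def is_probable_prime(n, rng, rounds=20):  # Miller-Rabin test
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, rng):
    while True:
        # Top two bits set so that p*q has exactly 2*bits bits; low bit set (odd).
        c = rng.getrandbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(c, rng):
            return c

def gpk_bits(modulus_bits, rng):
    """Size in bits of one ACJT-shaped gpk (n, a, a0, y, g, h)."""
    n = random_prime(modulus_bits // 2, rng) * random_prime(modulus_bits // 2, rng)
    qr = lambda: pow(rng.randrange(2, n - 1), 2, n)  # random quadratic residue
    a, a0, g, h = qr(), qr(), qr(), qr()
    y = pow(g, rng.randrange(2, n), n)  # y = g^x mod n for a random secret x
    return sum(v.bit_length() for v in (n, a, a0, y, g, h))

def measure_gpk(modulus_bits, runs=150, seed=1):
    """Return (mean size, 95% CI half-width, analytical size, error %)."""
    rng = random.Random(seed)  # fixed seed: reproducible constructed data
    sizes = [gpk_bits(modulus_bits, rng) for _ in range(runs)]
    mean = statistics.mean(sizes)
    ci95 = 1.96 * statistics.stdev(sizes) / math.sqrt(runs)  # normal approx.
    analytical = 6 * modulus_bits  # six elements, each at most |n| bits
    return mean, ci95, analytical, 100 * (analytical - mean) / analytical

if __name__ == "__main__":
    print(measure_gpk(512))
```

Random elements modulo n occasionally have leading zero bits, so the measured mean sits a few bits under 6·|n| and the error percentage shrinks as the modulus grows.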
