Anonymity-enhanced Pseudonym System


JAIST Reposi
Title: Anonymity-enhanced Pseudonym System
Author(s): Tamura, Yuko; Miyaji, Atsuko
Citation: Lecture Notes in Computer Science, 2 47
Issue Date: 2003
Type: Journal Article
Text version: author
Rights: This is the author-created version o Yuko Tamura, Atsuko Miyaji, Lecture Computer Science, 2846/2003, 2003, 3 original publication is available at q
Description: Applied cryptography and network sec International Conference, ACNS 2003, China, October 16-19, 2003 : proceed Jianying Zhou, Moti Yung, Yongfei Ha
Japan Advanced Institute of Science and

Yuko Tamura and Atsuko Miyaji
1-1, Asahidai, Tatsunokuchi, Ishikawa, , Japan
{yuko,

Abstract. Pseudonym systems allow users to interact with multiple organizations anonymously by using pseudonyms. Such schemes are of significant practical relevance because they are the best means of providing privacy for users. In previous works, users transact with an organization by demonstrating possession of a credential issued by the organization or a relationship with another credential. However, the information that a user has a credential from a specific organization compromises the privacy of the user. In the present paper, we give a formal definition of a practical pseudonym system in which the level of privacy provided can be chosen according to security policies.

1 Introduction

As information gets increasingly accessible, it has become important that individuals control their information to protect their privacy. Pseudonym systems (also called anonymous credential systems) [1-6] allow users to work effectively and anonymously with multiple organizations by using different pseudonyms. Such systems are called anonymous when transactions carried out by the same user cannot be correlated. In these systems, an organization knows users only by pseudonyms, and each pseudonym cannot be linked to the others. An organization issues a credential on a pseudonym, and the corresponding user demonstrates the possession of this credential to another organization without revealing anything but the possession. Lysyanskaya, Rivest, Sahai and Wolf [5] proposed a general pseudonym system based on one-way functions and general zero-knowledge proofs. In their scheme, however, credentials for a user need to be reissued by the organization so that the user can prove the possession of a credential several times. Camenisch and Lysyanskaya [6] solved this problem by applying strong-RSA-based signature schemes [14] and group signature schemes [9] to their pseudonym system.
In their scheme, users can demonstrate the possession of credentials any number of times, and these demonstrations cannot be linked to the same pseudonym. Unfortunately, in the previous schemes [1-6], proving the possession of a credential cannot but give a verifier the information about which organization a user transacts with.

The pseudonym system by Camenisch and Lysyanskaya [6] is the most efficient and practical of the previous works. In their system, a user establishes a pseudonym and its validating tag, then the user is issued a credential as a signature on the tag by the organization. Their system requires the public-key of an issuing organization to prove the possession of a credential, and thus necessarily gives the information of the organization to a verifier. As a result, this compromises the privacy of users, although the verifier does not necessarily need the information. The best pseudonym system should be able to choose the level of privacy according to its security policies.

In this paper, we propose an anonymity-enhanced pseudonym system by showing a credential issued by a group. Our system allows a user to choose the level of privacy according to their security policies. In our system, an organization is a member of a group, and a credential on a pseudonym with an organization is issued by the group manager. Such a credential is a signature on the validating tag and the public-key of the organization by the group manager. Consequently, the user can prove the possession of a credential from some organization in the group without disclosing the organization. Moreover, our system provides a feature: flexibility in choosing the method to prove the possession of a credential according to security policies. Namely, a user is given four methods to prove: (1) showing a credential with the identity of an organization, if a user needs to inform a verifier of the possession of a credential from the organization, (2) showing a credential without the identity of an organization, if a user wants to give a verifier only the information that the credential is issued from a group, (3) transferring a credential with the identity of an organization and (4) transferring a credential without the identity of an organization, if a user wants to prove the possession of a credential to another organization with whom the user has established a pseudonym. Furthermore, our system satisfies all the desirable properties that the previous schemes [1-6] have.

The rest of this paper is organized as follows. The next section presents the formal definitions and the requirements of an anonymity-enhanced pseudonym system. In section 3, we propose a practical pseudonym system, after an overview.
The security is discussed in section 4.

2 Formal Definitions and Requirements

2.1 The model of pseudonym system

Our pseudonym system is constituted by the following players:
Certification authority (CA): the only entity that knows the user's identity.
Group ($\mathcal{G}_I$): set of organizations.
Group manager ($G_I$): the only entity that has a secret-key of $\mathcal{G}_I$ and grants a credential to a user. (We use CA and $G_0 \in \mathcal{G}_0$ as interchangeable names.)
Organization ($O_i$): entity which belongs to groups.
User ($U$): entity who registers with a group and transacts with an organization in the group by the pseudonym.
Verifier ($V$): entity that verifies credentials of users.

Pseudonym systems should satisfy the following properties:

Anonymity of users: Verifiers (verifying organizations) cannot find out anything about a user, except the fact of the user's ownership of a credential, even if they cooperate with others.
Unlinkability of pseudonyms: Different pseudonyms of the same user are not linked, even if a group manager or an organization cooperates with others.
Unforgeability of credentials: It is impossible to forge a credential issued by a group manager, even if users, other group managers and organizations team up.

2.2 Ideal credential system

We define an ideal pseudonym system [6] that relies on a trusted party T as an intermediator that is responsible for the necessary properties of the system. All transactions are made via T. T also ensures anonymity of the users towards the group managers, organizations, and verifiers. For an ideal pseudonym system (IPS) and a cryptographic pseudonym system without T (CPS), we give a security definition, the same as in [6].

Definition 1 Let $V = poly(k)$ be the number of players in the system with security parameter $k$. For an ideal pseudonym system IPS, and its cryptographic implementation CPS, we denote a credential system with security parameter $k$ and event schedule $E$ for the events that take place in this system by $IPS(1^k, E)$ (resp., $CPS(1^k, E)$). If $\{A_1(1^k), \ldots, A_V(1^k)\}$ is a list of the players' outputs, then we denote these players' outputs by $\{A_1(1^k), \ldots, A_V(1^k)\}^{PS(1^k,E)}$ when all of them, together, exist within a pseudonym system PS. CPS is secure if there exists a simulator S (ideal-world adversary) such that the following holds, for all interactive probabilistic polynomial-time machines A (real-world adversary), for all sufficiently large $k$:
(1) In the IPS, S controls the players in the ideal world corresponding to those real-world players controlled by A.
(2) For all event schedules $E_A$, $\{\{Z_i(1^k)\}_{i=1}^{V}, A(1^k)\}^{CPS(1^k,E)} \stackrel{c}{\approx} \{\{Z_i(1^k)\}_{i=1}^{V}, S^A(1^k)\}^{IPS(1^k,E)}$, where S is given black-box access to A. ($D_1(1^k) \stackrel{c}{\approx} D_2(1^k)$ denotes computational indistinguishability of the distributions $D_1$ and $D_2$.)

2.3 Functional definitions

This section provides functional definitions in our pseudonym system. Let $k$ be the security parameter and let $neg(k)$ denote any function that vanishes faster than any inverse polynomial.

Definition 2 A pseudonym system consists of the following procedures:

Key generation
$GK_G$, $GK_{(O,G)}$ and $GK_U$ for $\mathcal{G}$, $O \in \mathcal{G}$ and $U$ output a secret and public-key pair $(X_G, Y_G)$ for a group $\mathcal{G}$, $(X_{(O,G)}, Y_{(O,G)})$ for an organization $O \in \mathcal{G}$, and $(X_U, Y_U)$ for a user $U$, respectively. $GK_G$ and $GK_U$ take as input $1^k$, and $GK_{(U,O)}$ takes $1^k$ and a group public-key $Y_G$.

Pseudonym generation
GP U, X between U and an entity $X \in \mathcal{G}$ takes as U's private input the secret-key $X_U$, and as their common input a group public-key $Y_G$. The private output for U is some secret information $S_{(U,X)}$, and the common output is U's pseudonym $P_{(U,X)}$.

Credential issue
IC U, G between U and $G \in \mathcal{G}$ outputs a credential $C_{(U,G)}$ on $P_{(U,G)}$ GP U, G. U's private input is $X_U$ and $S_{(U,G)}$, G's private input is a group secret-key $X_G$, and their common input is $Y_G$ and $P_{(U,G)}$. (GP P means that GP outputs P.)

Pseudonym's validity generation
GV U, $O_i$ between U and $O_i \in \mathcal{G}$ outputs a signature on $P_{(U,O_i)}$ GP U, $O_i$. $O_i$'s private input is a secret-key $X_{(O_i,G)}$, and their common input is $Y_G$, $Y_{(O_i,G)}$ and $P_{(U,O_i)}$ with $O_i$. U's private output is a signature $\sigma_{(U,O_i)}$.

Credential blind issue
BIC U, G, blind issue of a credential on a pseudonym, between U and $G \in \mathcal{G}$, outputs a credential $C_{(U,O_i)}$ on $P_{(U,O_i)}$ GP U, $O_i$ where $O_i \in \mathcal{G}$. U's private input is $X_U$, $S_{(U,G)}$, $S_{(U,O_i)}$ and $P_{(U,O_i)}$, G's private input is $X_G$, and their common input is $Y_G$, $Y_{(O_i,G)}$, $P_{(U,G)}$ and $\sigma_{(U,O_i)}$.

Credential showing
SC U, V, showing a credential on a pseudonym with a group, between U and V, takes as U's private input $X_U$, $S_{(U,G)}$, $P_{(U,G)}$ and $C_{(U,G)}$, and as their common input $Y_G$. It outputs 1 or 0 according to whether $C_{(U,G)}$ IC U, G ($P_{(U,G)}$), where $P_{(U,G)}$ GP U, G, holds or not, with probability $1 - neg(k)$, respectively. (IC(P) C means that IC outputs C by an input P.)

$SC^+$ U, V, showing a credential with identity of an organization, between U and V, takes as U's private input $X_U$, $S_{(U,O_i)}$, $P_{(U,O_i)}$ and $C_{(U,O_i)}$, and as their common input $Y_G$ and $Y_{(O_i,G)}$. It outputs 1 or 0 according to whether $C_{(U,O_i)}$ BIC U($P_{(U,O_i)}$), G, where $P_{(U,O_i)}$ GP U, $O_i$, holds or not, with probability $1 - neg(k)$, respectively.
(BIC U(P), G C means that BIC outputs C by U's private input P.)

SC U, V, showing a credential without identity of an organization, between U and V, takes as U's private input $X_U$, $S_{(U,O_i)}$, $P_{(U,O_i)}$, $C_{(U,O_i)}$ and $Y_{(O_i,G)}$, and as their common input $Y_G$. It outputs 1 or 0 according to whether $C_{(U,O_i)}$ BIC U($P_{(U,O_i)}$), G, where $P_{(U,O_i)}$ GP U, $O_i$, holds or not, with probability $1 - neg(k)$, respectively.

Credential transfer
TC U, $X_j$, transferring a credential on a pseudonym with a group, between a user U and an entity $X_j \in \mathcal{G}_J$, takes as U's private input $X_U$, $S_{(U,G_I)}$, $S_{(U,X_j)}$, $P_{(U,G_I)}$ and $C_{(U,G_I)}$, and as their common input $Y_{G_I}$, $Y_{G_J}$ and $P_{(U,X_j)}$. It outputs 1 or 0 according to whether $C_{(U,G_I)}$ IC U, $G_I$ ($P_{(U,G_I)}$), $P_{(U,G_I)}$ GP U($X_U$), $G_I$ and $P_{(U,X_j)}$ GP U($X_U$), $X_j$ hold or not, with probability $1 - neg(k)$, respectively.

$TC^+$ U, $X_j$, transferring a credential with identity of an organization, between U and $X_j \in \mathcal{G}_J$, takes as U's private input $X_U$, $S_{(U,O_i)}$, $S_{(U,X_j)}$, $P_{(U,O_i)}$ and $C_{(U,O_i)}$, and as their common input $Y_{G_I}$, $Y_{G_J}$, $Y_{(O_i,G_I)}$ and $P_{(U,X_j)}$. It outputs 1 or 0 according to whether $C_{(U,O_i)}$ BIC U($P_{(U,O_i)}$), $G_I$, $P_{(U,O_i)}$ GP U($X_U$), $O_i$, and $P_{(U,X_j)}$ GP U($X_U$), $X_j$ hold or not, with probability $1 - neg(k)$, respectively.

TC U, $X_j$, transferring a credential without identity of an organization, between U and an entity $X_j \in \mathcal{G}_J$, takes as U's private input $X_U$, $S_{(U,O_i)}$, $S_{(U,X_j)}$, $P_{(U,O_i)}$, $C_{(U,O_i)}$ and $Y_{(O_i,G_I)}$, and as their common input $Y_{G_I}$, $Y_{G_J}$ and $P_{(U,X_j)}$. It outputs 1 or 0 according to whether $C_{(U,O_i)}$ BIC U($P_{(U,O_i)}$), $G_I$, $P_{(U,O_i)}$ GP U($X_U$), $O_i$, and $P_{(U,X_j)}$ GP U($X_U$), $X_j$ hold or not, with probability $1 - neg(k)$, respectively.

2.4 Notations

We use the same notation as in [6, 9] for the various proofs of knowledge of discrete logarithms and proofs of the validity of statements about discrete logarithms.

(I) Proof of knowledge or equality in different groups: We use proofs that the discrete logarithms of two group elements $y_1 \in G_1$, $y_2 \in G_2$ to the bases $g_1 \in G_1$ and $g_2 \in G_2$ in different groups $G_1$ and $G_2$, which have orders $q_1$ and $q_2$, respectively, are equal. This proof can be realized only if both discrete logarithms lie in the interval $[0, \min\{q_1, q_2\}]$. $PK\{(\alpha) : y_1 = g_1^{\alpha} \wedge y_2 = g_2^{\alpha} \wedge \alpha \in [0, \min\{q_1, q_2\}]\}$ denotes a zero-knowledge proof of knowledge of an integer $\alpha$ such that $y_1 = g_1^{\alpha}$ and $y_2 = g_2^{\alpha}$ hold, where $\alpha \in [0, \min\{q_1, q_2\}]$. This protocol generalizes to several different groups, to representations, and to arbitrary modular relations.

(II) Proof of knowledge of the discrete logarithm modulo a composite: In [6,?], they apply such PKs to the group of quadratic residues modulo a composite $n$, $G = QR_n$. Thus the prover needs to convince the verifier that the elements he presents are indeed quadratic residues. It is sufficient to execute $PK\{(\alpha) : y^2 = (g^2)^{\alpha}\}$ instead of $PK\{(\alpha) : y = g^{\alpha}\}$ [6]. The quantity $\alpha$ is defined as $\log_{g^2} y^2$, which is the same as $\log_g y$ in case $y$ is a quadratic residue. We simply use the notation $PK^2\{(\alpha) : y = g^{\alpha}\}$ in the group of quadratic residues modulo a composite.

3 Construction of Pseudonym System

3.1 Procedures

We give an overview of our pseudonym system in this section.
The basic system comprises the following procedures: (1) System setup, (2) Registration of an organization (entry into the system of an organization), (3) Registration of a user ((3-1) Registration with CA (entry into the system of a user), (3-2) Registration with a group, (3-3) Registration with an organization), (4) Proof of the possession of a credential by a user ((4-1) Showing a credential with/without identity of an organization, (4-2) Transferring a credential with/without identity of an organization). Throughout our paper, we assume that users, organizations and group managers are connected by perfect anonymous channels, and that each protocol is executed through a secure channel.

1. System setup: All group managers $G_I$ generate their group secret and public-key pairs $(X_{G_I}, Y_{G_I})$ by running $GK_{G_I}$.
2. Registration with group G of organization $O_i$: $O_i$ runs $GK_{(O_i,G)}$, generates a secret and public-key pair $(X_{(O_i,G)}, Y_{(O_i,G)})$ by using G's public-key $Y_G$, and registers $Y_{(O_i,G)}$. A group manager G publishes a list of public-keys of organizations.
3-1. Registration with CA of user U: After identification by U, CA checks that U is eligible to join the system. U generates a master secret-key $X_U$ by running $GK_U$, and both U and CA run GP U($X_U$), CA to establish U's pseudonym $P_{(U,CA)}$, which is based on $X_U$. Then U can receive a credential $C_{(U,CA)}$ by running IC U, CA ($P_{(U,CA)}$).
3-2. Registration with group G of user U: Both U and G run GP U($X_U$), G to establish U's pseudonym $P_{(U,G)}$, and run TC U, G to demonstrate whether or not U is a valid participant in the system. In TC, U can prove the possession of $C_{(U,CA)}$ on $P_{(U,CA)}$ based on $X_U$ where $P_{(U,G)}$ GP U($X_U$), G. If it is valid, G issues a credential $C_{(U,G)}$ on $P_{(U,G)}$ to U by running IC U, G.
3-3. Registration with organization $O_i \in \mathcal{G}$ of user U: Both U and $O_i$ run GP U($X_U$), $O_i$ to get $P_{(U,O_i)}$, and run TC U, $O_i$ to prove the possession of $C_{(U,G)}$ on $P_{(U,G)}$ based on $X_U$. If it is valid, then they run GV U, $O_i$ to generate a proof of validity of $P_{(U,O_i)}$, whose output $\sigma_{(U,O_i)}$ guarantees that U has registered a pseudonym with $O_i$. Note that $\sigma_{(U,O_i)}$ is U's private output. After G checks the validity of $\sigma_{(U,O_i)}$, G blindly issues a credential $C_{(U,O_i)}$ on $P_{(U,O_i)}$ by running BIC U($P_{(U,O_i)}$), G.
4-1. Showing of a credential on a pseudonym with organization $O_i$: U chooses a way to show a credential.
If U wants to let V know an organization $O_i \in \mathcal{G}$ with which U transacts, then both U and V run $SC^+$ U, V ($Y_{(O_i,G)}$), which assures that U has $C_{(U,O_i)}$ on $P_{(U,O_i)}$ established with $O_i$. If U does not want to let V know the corresponding organization, both U and V run SC U($Y_{(O_i,G)}$), V, which proves only the possession of a credential $C_{(U,O_i)}$ on $P_{(U,O_i)}$ without revealing $Y_{(O_i,G)}$, $C_{(U,O_i)}$ and $P_{(U,O_i)}$.
4-2. Transferring a credential on a pseudonym with organization $O_i$: Let U register $P_{(U,O_i)}$ and $P_{(U,X_j)}$ with an organization $O_i \in \mathcal{G}_I$ and $X_j \in \mathcal{G}_J$ respectively. Both U and $X_j$ execute $TC^+$ U, $X_j$ ($Y_{(O_i,G_I)}$), which assures that U has $C_{(U,O_i)}$ on $P_{(U,O_i)}$ based on $X_U$ where $P_{(U,X_j)}$ GP U($X_U$), $X_j$, without revealing $C_{(U,O_i)}$ and $P_{(U,O_i)}$. If U does not want to let $X_j$ know the organization $O_i$, then both U and $X_j$ run TC U($Y_{(O_i,G_I)}$), $X_j$.

3.2 Constructions of pseudonym systems

This section provides constructions of our pseudonym system.

Common system parameter

Security-related system parameters are as follows: the length $l_n$ of the RSA modulus, the integer intervals $\Gamma = ]-2^{l_\Gamma}, 2^{l_\Gamma}[$, $= ]-2^{l}, 2^{l}[$, $\Lambda = ]2^{l_\Lambda}, 2^{l_\Lambda + l_\Sigma}[$, such that $l = \epsilon l_\Gamma$ and $l_\Gamma = 2 l_n$, where $\epsilon > 1$ is a security parameter, and $2^{l_\Lambda} > 2(2^{2 l_\Gamma} + 2^{l_\Gamma} + 2^{l})$, and $2(2^{l_\Sigma}(2^{2 l_\Gamma} + 2^{l}) + 2^{l}) < 2^{l_\Lambda}$.

Generation of keys
1. A group manager $G \in \mathcal{G}$ chooses random $l_n/2$-bit primes $p_G, q_G$ such that $p_G := 2 p_G + 1$ and $q_G := 2 q_G + 1$ are prime, and sets the modulus $n_G := p_G q_G$. It also chooses elements $d_G, e_G, f_G, g_G, h_G \in_R QR_{n_G}$. It stores $X_G := (p_G, q_G)$ as its secret-keys, and publishes $Y_G := (n_G, d_G, e_G, f_G, g_G, h_G)$ as its public-key together with a proof that $n_G$ is the product of two safe primes and that the elements $d_G, e_G, f_G, g_G$ and $h_G$ indeed lie in $QR_{n_G}$.
2. An organization $O_i$ chooses a secret-key $x_{(O_i,G)} \in_R \Gamma$ and sets a corresponding public-key $y_{(O_i,G)} := g_G^{x_{(O_i,G)}} \pmod{n_G}$ to register with group G. $O_i$ stores $x_{(O_i,G)}$ as a secret-key $X_{(O_i,G)}$ and publishes $y_{(O_i,G)}$ and its identity $id_{(O_i,G)}$ as $O_i$'s public-keys $Y_{(O_i,G)}$.
3. A user U chooses a random secret element $x_U \in \Gamma$, and stores it as U's master secret-key $X_U$ in the system.

Generation of a pseudonym
GP U, X assures that $\mathcal{P}_{(U,X)} = (N_{(U,X)}, P_{(U,X)})$ is of the right form, i.e., $P_{(U,X)} = g_G^{x_U} h_G^{s_{(U,X)}}$, with $x_U \in \Gamma$ and $s_{(U,X)}$. $N_{(U,X)}$ and $P_{(U,X)}$ are called a nym and its validating tag, respectively. To establish a pseudonym with an entity X, both U and X carry out the following protocol:
1. U chooses $N_1 \in \{0,1\}^k$, $r_1 \in_R$ and $r_2, r_3 \in_R \{0,1\}^{2 l_n}$, and sets $c_1 := d_G^{r_1} e_G^{r_2}$ and $c_2 := d_G^{x_U} e_G^{r_3}$. U sends $N_1$, $c_1$ and $c_2$ to X, and serves as the prover to verifier X in $PK^2\{(\alpha, \beta, \gamma, \delta) : c_1 = d_G^{\alpha} e_G^{\beta} \wedge c_2 = d_G^{\gamma} e_G^{\delta}\}$, to prove that $c_1$ and $c_2$ are generated correctly.
2. X chooses $r \in_R$ , and sends $r$ and $N_2$ to U.
3. U sets the nym $N_{(U,X)} := N_1 N_2$, and computes $s_{(U,X)}$ := ( $r_1$ + $r$ (mod 2 l )) 2 l + 1, and s = ( $r_1$ + $r$ )/(2 l +1 1). U sets $P_{(U,X)} := g_G^{x_U} h_G^{s_{(U,X)}}$ as a validating tag of $N_{(U,X)}$.
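U sends $P_{(U,X)}$ to X, and shows that it was formed correctly: U sets $c_3 := d_G^{s} e_G^{r_4}$ for $r_4 \in_R \{0,1\}^{l_n}$, and sends it to X. Then they engage in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \vartheta, \xi) : c_1 = d_G^{\alpha} e_G^{\beta} \wedge c_2 = d_G^{\gamma} e_G^{\delta} \wedge c_3 = d_G^{\varepsilon} e_G^{\zeta} \wedge P_{(U,X)} = g_G^{\gamma} h_G^{\vartheta} \wedge$ (c 1 (d G ) 2l +1 )/(c 3 2 l ) $= d_G^{\vartheta} e_G^{\xi} \wedge \gamma \in \Gamma \wedge \vartheta\ \}$.
5. X stores $\mathcal{P}_{(U,X)} = (N_{(U,X)}, P_{(U,X)})$ in its database.
6. U stores $(S_{(U,X)}, \mathcal{P}_{(U,X)}) = (s_{(U,X)}, \{N_{(U,X)}, P_{(U,X)}\})$ in its record with X.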

Issue of a credential on a pseudonym with a group
IC U, G guarantees that a credential on a previously established $P_{(U,G)}$ is $\mathcal{C}_{(U,G)} = (E_{(U,G)}, C_{(U,G)})$ such that $C_{(U,G)} \equiv (P_{(U,G)} f_G)^{1/E_{(U,G)}} \pmod{n_G}$. To be granted a credential, U runs the following protocol with G:
1. U identifies itself as its owner by $PK^2\{(\alpha, \beta) : P_{(U,G)} = g_G^{\alpha} h_G^{\beta}\}$ for $P_{(U,G)}$ in G's database.
2. G chooses a random prime $E_{(U,G)} \in_R \Lambda$, computes $C_{(U,G)} := (P_{(U,G)} f_G)^{1/E_{(U,G)}} \pmod{n_G}$, and sends $E_{(U,G)}$ and $C_{(U,G)}$ to U. Then G stores $\mathcal{C}_{(U,G)} = (E_{(U,G)}, C_{(U,G)})$ as a credential on $P_{(U,G)}$.
3. U checks if $C_{(U,G)}^{E_{(U,G)}} \equiv P_{(U,G)} f_G \pmod{n_G}$ and $E_{(U,G)} \in \Lambda$, and stores $\mathcal{C}_{(U,G)} = (E_{(U,G)}, C_{(U,G)})$ in its record with group G.

Showing a credential on a pseudonym with a group
U proves the possession of $C_{(U,G)}$ IC U, G by running SC. Both U and V engage in the following protocol:
1. U sets $c_1 := C_{(U,G)} e_G^{r_1}$ and $c_2 := e_G^{r_1} d_G^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to V.
2. U engages with V in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi) : f_G = c_1^{\alpha}/g_G^{\beta} h_G^{\gamma} e_G^{\delta} \wedge c_2 = e_G^{\varepsilon} d_G^{\zeta} \wedge 1 = c_2^{\alpha}/e_G^{\delta} d_G^{\xi} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$.

Transferring a credential on a pseudonym with a group
TC assures that U owns $C_{(U,G_I)}$ on $P_{(U,G_I)}$ based on $X_U$ where $P_{(U,X_j)}$ GP U($X_U$), $X_j$. U proves it by running TC with $X_j \in \mathcal{G}_J$ with whom U has established $P_{(U,X_j)}$:
1. U sets $c_1 := C_{(U,G_I)} e_G^{r_1}$ and $c_2 := e_{G_I}^{r_1} d_{G_I}^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to $X_j$.
2. U engages with $X_i$ in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : f_{G_I} = c_1^{\alpha}/g_{G_I}^{\beta} h_{G_I}^{\gamma} e_{G_I}^{\delta} \wedge c_2 = e_{G_I}^{\varepsilon} d_{G_I}^{\zeta} \wedge 1 = c_2^{\alpha}/e_{G_I}^{\delta} d_{G_I}^{\xi} \wedge P_{(U,X_j)} = g_{G_J}^{\beta} h_{G_J}^{\eta} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$, for $P_{(U,X_j)}$ in $X_j$'s database.

Generation of a proof of pseudonym's validity
GV guarantees that U's output $\sigma_{(U,O_i)}$ is independent of $O_i$'s view of the conversation. In order to generate a signature on $P_{(U,O_i)}$, both U and $O_i$ run GV:
1. U identifies itself as its owner by $PK^2\{(\alpha, \beta) : P_{(U,O_i)} = g_G^{\alpha} h_G^{\beta}\}$, for $P_{(U,O_i)}$ in $O_i$'s database.
2. $O_i$ generates $Q_{(U,O_i)} := P_{(U,O_i)}^{x_{(O_i,G)}}$, $t_1 := g_G^{r}$ and $t_2 := P_{(U,O_i)}^{r}$ for $r \in_R \{0,1\}^{2 l_n}$, and sends $Q_{(U,O_i)}$, $t_1$ and $t_2$ to U.
3. U chooses $r_1$, $r_2$ and $r_3 \in_R \{0,1\}^{2 l_n}$ and computes $t_1 := t_1 g_G^{r_1} y_{(O_i,G)}^{r_2}$, $t_2 := (t_2 P_{(U,O_i)}^{r_1} Q_{(U,O_i)}^{r_2})^{r_3}$, $P_{(U,O_i)} := P_{(U,O_i)}^{r_3}$ and $Q_{(U,O_i)} := Q_{(U,O_i)}^{r_3}$. Then U sets $e := H(g_G, y_{(O_i,G)}, P_{(U,O_i)}, Q_{(U,O_i)}, t_1, t_2)$, and sends $e := e - r_2$ to $O_i$.
4. $O_i$ computes $s := r - e\,x_{(O_i,G)}$ and sends it to U.
5. U checks if $t_1 = g_G^{s} y_{(O_i,G)}^{e}$ and $t_2 = P_{(U,O_i)}^{s} Q_{(U,O_i)}^{e}$, and sets $s := s + r_1$. Then U stores $\sigma_{(U,O_i)} := (e, s, P_{(U,O_i)}, Q_{(U,O_i)})$ as a proof of validity of $P_{(U,O_i)}$, and keeps $r_3$ secret until U gets a credential on $P_{(U,O_i)}$.

Issue of a credential on a pseudonym with an organization
BIC U, G guarantees that a credential on $P_{(U,O_i)}$ is $\mathcal{C}_{(U,O_i)} = (E_{(U,O_i)}, C_{(U,O_i)})$ such that $C_{(U,O_i)} \equiv (P_{(U,O_i)} d_G^{id_{(O_i,G)}} f_G)^{1/E_{(U,O_i)}}$. BIC establishes $C_{(U,O_i)}$ without revealing to G anything more than the fact that U has registered with $O_i$. Such a credential can be granted by using the blind RSA-signature [1] in the following protocol:
1. U chooses a prime $E_{(U,O_i)} \in_R \Lambda$ and $r \in_R Z_{n_G}$, and generates $c := r^{E_{(U,O_i)}} P_{(U,O_i)} d_G^{id_{(O_i,G)}} f_G$. Then U sends $c$, $E_{(U,O_i)}$ and $\sigma_{(U,O_i)}$. Furthermore, U must show that $\sigma_{(U,O_i)}$ was generated for U and that $c$ was generated correctly: U computes $c_1 := e_G^{r_1}$ for $r_1 \in_R \{0,1\}^{2 l_n}$, and engages with G in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : P_{(U,G)} = g_G^{\alpha} h_G^{\beta} \wedge 1 = P_{(U,G)}^{\gamma}/g_G^{\delta} h_G^{\varepsilon} \wedge P_{(U,O_i)} = g_G^{\delta} h_G^{\zeta} \wedge P_{(U,O_i)} = c^{\gamma} (e_G^{E_{(U,O_i)}})^{\xi}/(c_1^{E_{(U,O_i)}} d_G^{id_{(U,O_i)}} f_G)^{\gamma} \wedge \alpha \in \Gamma, \beta\ \}$, for $P_{(U,G)}$ in G's database.
2. $O_i$ checks if $\sigma$ is valid: if $e = H(g_G, y_{(O_i,G)}, P_{(U,O_i)}, Q_{(U,O_i)}, t_1, t_2)$ where $t_1 = g_G^{s} y_{(O_i,G)}^{e}$, $t_2 = P_{(U,O_i)}^{s} Q_{(U,O_i)}^{e}$, and $y_{(O_i,G)}$ is in G's public-key list. Then $O_i$ computes $c := c^{1/E_{(U,O_i)}}$ and sends it to U.
3. U sets $C_{(U,O_i)} := c/r$. Then U checks if $C_{(U,O_i)}^{E_{(U,O_i)}} \equiv P_{(U,O_i)} d_G^{id_{(O_i,G)}} f_G \pmod{n_G}$, and stores $(E_{(U,O_i)}, C_{(U,O_i)})$ in its record with organization $O_i$.
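The two issuing protocols above (credential issue on a group pseudonym, and the blind issue that binds a credential to an organization identity), run end to end on toy numbers. This is an added example, not code from the paper: the safe primes, seeds, exponent, secrets and identity values are constructed, the check of σ and the proofs of knowledge are left out, and the root is taken modulo φ(n_G) so that it also inverts the blinding factor.

```python
"""Toy run of credential issue (IC) and blind issue (BIC) over QR_n.
All numbers are constructed for illustration and far too small for real use."""
import secrets
from math import gcd

# Constructed safe primes p = 2p'+1 and q = 2q'+1 (the paper uses l_n/2-bit primes).
P_SAFE, Q_SAFE = 2 * 509 + 1, 2 * 593 + 1     # 1019 and 1187
N = P_SAFE * Q_SAFE                            # public group modulus n_G
PHI = (P_SAFE - 1) * (Q_SAFE - 1)              # derived from X_G, group manager only

# Public elements d_G, f_G, g_G, h_G in QR_n, built as squares of constructed seeds.
D, F, G, H = (pow(seed, 2, N) for seed in (2, 5, 7, 11))


def validating_tag(x_u, s):
    """Validating tag P = g_G^x_U * h_G^s mod n_G of a pseudonym."""
    return pow(G, x_u, N) * pow(H, s, N) % N


def eth_root(value, e):
    """Group manager only: E-th root mod n_G, using the secret factorisation."""
    return pow(value, pow(e, -1, PHI), N)


def issue_group_credential(tag, e):
    """IC step 2: C = (P * f_G)^(1/E) mod n_G."""
    return eth_root(tag * F % N, e)


def check_group_credential(tag, e, cred):
    """IC step 3: accept iff C^E = P * f_G (mod n_G)."""
    return pow(cred, e, N) == tag * F % N


def org_message(tag, org_id):
    """Value signed in BIC: P * d_G^id * f_G mod n_G."""
    return tag * pow(D, org_id, N) * F % N


def blind(tag, org_id, e):
    """BIC step 1: c = r^E * P * d_G^id * f_G for a random unit r; returns (c, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return pow(r, e, N) * org_message(tag, org_id) % N, r


def unblind(c_root, r):
    """BIC step 3: C = c^(1/E) / r mod n_G."""
    return c_root * pow(r, -1, N) % N


def check_org_credential(tag, org_id, e, cred):
    """BIC step 3: accept iff C^E = P * d_G^id * f_G (mod n_G)."""
    return pow(cred, e, N) == org_message(tag, org_id)


def demo():
    x_u, e = 123456, 65537          # constructed master secret and prime exponent E
    tag_g = validating_tag(x_u, 7777)   # pseudonym with the group
    tag_o = validating_tag(x_u, 4242)   # pseudonym with organization id 17
    cred_g = issue_group_credential(tag_g, e)
    blinded, r = blind(tag_o, org_id=17, e=e)
    cred_o = unblind(eth_root(blinded, e), r)   # the issuer only ever sees `blinded`
    return {
        "group_ok": check_group_credential(tag_g, e, cred_g),
        "org_ok": check_org_credential(tag_o, 17, e, cred_o),
        "wrong_org_rejected": not check_org_credential(tag_o, 18, e, cred_o),
        "issuer_saw_signed_value": blinded == org_message(tag_o, 17),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of the result stays false because r^E equals 1 only for r = 1, which the blinding step never picks.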

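Showing a credential with identity of an organization
To prove the possession of $C_{(U,O_i)}$ BIC U, G, both U and V run $SC^+$. They engage in the following protocol:
1. U sets $c_1 := C_{(U,O_i)} e_G^{r_1}$ and $c_2 := e_G^{r_1} d_G^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to V.
2. U engages with V in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi) : f_G d_G^{id_{(O_i,G)}} = c_1^{\alpha}/g_G^{\beta} h_G^{\gamma} e_G^{\delta} \wedge c_2 = e_G^{\varepsilon} d_G^{\zeta} \wedge 1 = c_2^{\alpha}/e_G^{\delta} d_G^{\xi} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$.

Showing a credential without identity of an organization
In order to prove the possession of a credential generated by running BIC U, G, both U and V run SC. They engage in the following protocol:
1. U sets $c_1 := C_{(U,O_i)} e_G^{r_1}$ and $c_2 := e_G^{r_1} d_G^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to V.
2. U engages with V in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : f_G = c_1^{\alpha}/g_G^{\beta} h_G^{\gamma} d_G^{\delta} e_G^{\varepsilon} \wedge c_2 = e_G^{\zeta} d_G^{\xi} \wedge 1 = c_2^{\alpha}/e_G^{\varepsilon} d_G^{\eta} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$.

Transferring a credential with identity of an organization
In $TC^+$, U proves the possession of $C_{(U,O_i)}$ on $P_{(U,O_i)}$ based on $X_U$, where $P_{(U,X_j)}$ GP U($X_U$), $X_j$, to $X_j \in \mathcal{G}_J$:
1. U sets $c_1 := C_{(U,O_i)} e_{G_I}^{r_1}$ and $c_2 := e_{G_I}^{r_1} d_{G_I}^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to $X_j$.
2. U engages with $X_j$ in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : f_{G_I} d_{G_I}^{id_{(O_i,G_I)}} = c_1^{\alpha}/g_{G_I}^{\beta} h_{G_I}^{\gamma} e_{G_I}^{\delta} \wedge c_2 = e_{G_I}^{\varepsilon} d_{G_I}^{\zeta} \wedge 1 = c_2^{\alpha}/e_{G_I}^{\delta} d_{G_I}^{\xi} \wedge P_{(U,X_j)} = g_{G_J}^{\beta} h_{G_J}^{\eta} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$, for $P_{(U,X_j)}$ in $X_j$'s database.

Transferring a credential without identity of an organization
U proves the possession of a credential generated by running BIC U, $G_I$ on a pseudonym based on $X_U$ where $P_{(U,X_j)}$ GP U($X_U$), $X_j$: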

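1. U sets $c_1 := C_{(U,O_i)} e_{G_I}^{r_1}$ and $c_2 := e_{G_I}^{r_1} d_{G_I}^{r_2}$ for $r_1, r_2 \in_R \{0,1\}^{2 l_n}$, and sends $c_1$ and $c_2$ to $X_j$.
2. U engages with $X_j$ in $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta, \varphi) : f_{G_I} = c_1^{\alpha}/g_{G_I}^{\beta} h_{G_I}^{\gamma} d_{G_I}^{\delta} e_{G_I}^{\varepsilon} \wedge c_2 = e_{G_I}^{\zeta} d_{G_I}^{\xi} \wedge 1 = c_2^{\alpha}/e_{G_I}^{\varepsilon} d_{G_I}^{\eta} \wedge P_{(U,X_j)} = g_{G_J}^{\beta} h_{G_J}^{\varphi} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$, for $P_{(U,X_j)}$ in $X_j$'s database.

4 Proof of Security for Our Scheme

In this section, we assess the security of our pseudonym system. Under the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product, the following technical lemmas about the protocols described are stated here:

Lemma 3 The $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \vartheta, \xi) : c_1 = d_G^{\alpha} e_G^{\beta} \wedge c_2 = d_G^{\gamma} e_G^{\delta} \wedge c_3 = d_G^{\varepsilon} e_G^{\zeta} \wedge P_{(U,X)} = g_G^{\gamma} h_G^{\vartheta} \wedge$ (c 1 (d G ) 2l +1 2 )/(c l ) $= d_G^{\vartheta} e_G^{\xi} \wedge \gamma \in \Gamma \wedge \vartheta\ \}$ in GP is a statistical zero-knowledge proof of knowledge of the correctly formed values $x_U$, $s_{(U,X)}$ that correspond to a pseudonym validating tag $P_{(U,X)}$.

Lemma 4 The $PK^2$ protocols in SC, TC, $SC^+$, SC, $TC^+$ and TC are statistical zero-knowledge proofs of knowledge of the prover's master secret-key, corresponding secret information(s) and credential in the right form.

The proofs of these lemmas are closely related to Lemmas 1, 2 and 3 of [6]; we only prove the security of the $PK^2$ protocol in TC here. The other proofs can easily be inferred from the following.

Lemma 5 The $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta, \varphi) : f_{G_I} = c_1^{\alpha}/g_{G_I}^{\beta} h_{G_I}^{\gamma} d_{G_I}^{\delta} e_{G_I}^{\varepsilon} \wedge c_2 = e_{G_I}^{\zeta} d_{G_I}^{\xi} \wedge 1 = c_2^{\alpha}/e_{G_I}^{\varepsilon} d_{G_I}^{\eta} \wedge P_{(U,X_j)} = g_{G_J}^{\beta} h_{G_J}^{\varphi} \wedge \alpha \in \Lambda \wedge \beta \in \Gamma \wedge \gamma\ \}$ in TC is a statistical zero-knowledge proof of knowledge of the values $x \in \Gamma$, $s_1, s_2$, $E \in \Lambda$, $C$, and $y$ such that $P_{(U,X_j)} = g_{G_J}^{x} h_{G_J}^{s_1} \pmod{n_{G_J}}$, and $C^{E} = g_{G_I}^{x} h_{G_I}^{s_2} d_{G_I}^{y} f_{G_I} \pmod{n_{G_I}}$.

Proof. By the properties of the $PK^2$ and the RSA assumption, the knowledge extractor can produce values $\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta, \varphi$ such that the statement after the colon holds.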
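As $c_2 = e_{G_I}^{\zeta} d_{G_I}^{\xi}$ and $1 = c_2^{\alpha}/e_{G_I}^{\varepsilon} d_{G_I}^{\eta}$, from which we conclude that $\zeta\alpha = \varepsilon \pmod{ord(e_{G_I})}$, we have $c_1^{\alpha}/e_{G_I}^{\varepsilon} = g_{G_I}^{\beta} h_{G_I}^{\gamma} d_{G_I}^{\delta} f_G = (c_1/e_{G_I}^{\zeta})^{\alpha}$, where $\alpha \in \Lambda$, $\beta \in \Gamma$ and $\gamma$. It follows that U must know a valid credential $c_1/e_{G_I}^{\zeta}$ on a pseudonym. Furthermore, $P_{(U,X_j)} = g_{G_J}^{\beta} h_{G_J}^{\eta}$ guarantees that both the pseudonym $P_{(U,X_j)}$ and the pseudonym registered with $O_i$ are based on the same master secret key.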

Lemma 6 The $PK^2\{(\alpha, \beta, \gamma, \delta, \varepsilon, \zeta, \xi, \eta) : P_{(U,G)} = g_G^{\alpha} h_G^{\beta} \wedge 1 = P_{(U,G)}^{\gamma}/g_G^{\delta} h_G^{\varepsilon} \wedge P_{(U,O_i)} = g_G^{\delta} h_G^{\zeta} \wedge P_{(U,O_i)} = c^{\gamma} (e_G^{E_{(U,O_i)}})^{\xi}/(c_1^{E_{(U,O_i)}} d_G^{id_{(U,O_i)}} f_G)^{\gamma} \wedge \alpha \in \Gamma, \beta\ \}$ in BIC is a statistical zero-knowledge proof of knowledge of the values $x \in \Gamma$, $s$, $r$, and $r_3$ such that $P_{(U,G)} = g_G^{x} h_G^{s}$, $c = r^{E_{(U,O_i)}} P_{(U,O_i)} d_G^{id_{(O_i,G)}} f_G$ and $P_{(U,O_i)} = P_{(U,O_i)}^{r_3}$.

Proof. In the statement after the colon, $P_{(U,G)} = g_G^{\alpha} h_G^{\beta}$ and $1 = P_{(U,G)}^{\gamma}/g_G^{\delta} h_G^{\varepsilon}$, from which we conclude $\alpha\gamma \equiv \delta \pmod{ord(g_G)}$. From $P_{(U,O_i)} = c^{\gamma} (e_G^{E_{(U,O_i)}})^{\xi}/(c_1^{E_{(U,O_i)}} d_G^{id_{(U,O_i)}} f_G)^{\gamma}$, we have $c^{\gamma} = g_G^{\delta} h_G^{\zeta} (c_1^{E_{(U,O_i)}} d_G^{id_{(O_i,G)}} f_G)^{\gamma}/(e_G^{E_{(U,O_i)}})^{\xi} = \{(c_1/e_G^{\xi/\gamma})^{E_{(U,O_i)}} g_G^{\alpha} h_G^{\zeta/\gamma} d_G^{id_{(O_i,G)}} f_G\}^{\gamma}$. As $\alpha \in \Gamma$ and $\beta$, $c$ is formed correctly, by using the same key underlying $P_{(U,G)}$.

4.1 Description of the simulator

We have to describe a simulator S for our scheme and then show that it satisfies Definition 1. The parties the adversary A controls are subsumed into a single party. We only describe the simulator for the adversary.

Setup. For the group manager $G \in \mathcal{G}$ and the organization $O \in \mathcal{G}$ not controlled by A, S sets up their secret and public-keys $(X_G, Y_G)$ and $(X_{(O_i,G)}, Y_{(O_i,G)})$ as dictated by the protocol. Furthermore, S creates an $archive_G$ or $archive_O$ where it will record the credentials of users controlled by A with the group manager or the organization. It also initializes a list of users controlled by A, $list_A$.

Generation of a pseudonym with a group. A user establishes a pseudonym with a group manager G:
(I) If a user is controlled by A, (i) S uses the knowledge extractor of Lemma 3 to discover the user's master secret key $x$ and the secret value $s$. (i-1) If $x \notin list_A$, S creates a new user U with login name $L_U$, and obtains a pseudonym $N_{(U,G)}$ and a key $K_U$ corresponding to $L_U$ by interaction with T.
Denote $(x, s)$ by $(x_U, s_{(U,G)})$; S stores $(U, L_U, x_U, K_U, N_{(U,G)}, s_{(U,G)})$ in $list_A$. (ii-2) If $x \in list_A$, S obtains $N_{(U,G)}$ for this user U corresponding to $x$ by interaction with T, and adds $N_{(U,G)}$, $s_{(U,G)} := s$ to U's record.
(II) If a group manager G is controlled by A, S will use the zero-knowledge simulator from Lemma 3 to furnish A's view of the protocol.

Issue of a credential on a pseudonym with a group. A user requests a group manager G to issue a credential:
(I) If a user is controlled by A, (i) upon receiving a message from T, S runs the knowledge extractor for the proof of knowledge of step 1 of IC, to determine the values $x$ and $s$. For $N$ corresponding to $(x, s)$, (i-1) if $N \notin list_A$, then S refuses to grant a credential. (i-2) If $N \in list_A$, then S issues the correct $E$ and $C$ by interaction with T. S stores the values $(x_U, s_{(U,G)}, E_{(U,G)}, C_{(U,G)}) := (x, s, E, C)$ in $archive_G$.
(II) If a group manager G is controlled by A, S will run the zero-knowledge simulator for step 1 of IC, and continue the protocol as U would. If the user accepts, then S informs T that the credential was granted.

Generation of a pseudonym with an organization. A user establishes a pseudonym with an organization $O \in \mathcal{G}$: This part of the simulator can easily be inferred from the part for Generation of a pseudonym with a group above.

Generation of a proof of pseudonym's validity. A user requests an organization O to grant a proof of pseudonym's validity:
(I) If a user is controlled by A, (i) S uses the knowledge extractor for the PK of step 1 of GV to discover the user's key $x$ and the value $s$. For $N$ corresponding to $(x, s)$, (i-1) if $N \notin list_A$, S refuses to grant a proof of pseudonym's validity. (i-2) If $N \in list_A$, S grants $\sigma$ by interaction with T.
(II) If an organization O is controlled by A, S will run the zero-knowledge simulator for step 1 of GV, and continue the protocol as U would.

Issue of a credential on a pseudonym with an organization. A user requests a group manager $G \in \mathcal{G}$ to issue a credential with an organization $O \in \mathcal{G}$:
(I) If a user is controlled by A, (i) upon receiving a message from T, S runs the knowledge extractor for the proof of knowledge of step 1 of BIC to extract the values $x$, $s_{(U,G)}$, $s_{(U,O)}$ and $r$. (i-1) If $(x, s_{(U,G)}) \notin archive_G$, then S refuses to grant a credential. (i-2) If $(x, s_{(U,G)}) \in archive_G$, then S issues the correct $c$ corresponding to $E$ by executing the rest of G's side of the protocol. S determines $C$ by $c/r$. It stores the values $(x, s_{(U,O)}, C, E)$ in $archive_O$.
(II) If a user is controlled by A and an organization $O \in \mathcal{G}$ is dishonest, (i) upon receiving a message from T, S runs the knowledge extractor for the proof of knowledge of step 1 of BIC, to extract the values $x$, $s_{(U,G)}$, $s$ and $r$. S looks at $archive_O$: (i-1) If $(x, s) \in archive_O$, S denotes this user by U. (i-2) If $(x, s) \notin archive_O$, let U be the user with $x$. S obtains $N_{(U,O)}$ by interaction with T. (ii) S looks at $archive_G$: (ii-1) If $(x, s_{(U,G)}) \notin archive_G$, then S refuses to grant a credential. (ii-2) If $(x, s_{(U,G)}) \in archive_G$, then S issues the correct $c$ corresponding to $E$ by executing the rest of G's side of the protocol. S determines $C$ by $c/r$. It stores the values $(x, s_{(U,O)}, C, E)$ in $archive_O$.
(III) If an issuing group manager $G \in \mathcal{G}$ is controlled by A, S will run the zero-knowledge simulator for step 1 of BIC, and execute the rest of the user's side of the protocol. If the user accepts, then S informs T that the credential was granted.

Showing a credential with identity of an organization
Showing a credential without identity of an organization
Transferring a credential with identity of an organization
These parts of the simulator can easily be inferred from the part for Transferring a credential without identity of an organization that follows.

Transferring a credential without identity of an organization. A user wants to show ownership of a credential on a pseudonym with some organization in a group $\mathcal{G}_I$ to an organization $O_j \in \mathcal{G}_J$:
(I) If a user is controlled by A, (i) S runs $O_j$'s part of TC, and extracts the values $x$, $s_{(U,O_i)}$, $s_{(U,O_j)}$, $E$, $C$ and $y_{(O_i,G_I)}$ with the knowledge extractor of Lemma 5. (i-1) If $(x, s_{(U,O_i)}, E, C) \notin archive_{O_i}$, S rejects. (i-2) If $(x, s_{(U,O_i)}, E, C) \in archive_{O_i}$, S communicates with T for transferring a credential by U.
(II) If a user is controlled by A and an issuing group manager $G_I$ is dishonest, (i) S runs $O_j$'s side of TC with the knowledge extractor of Lemma 5 to obtain the values $x$, $s$, $s_{(U,O_j)}$, $E$, $C$ and $y$; let $O_i$ be an organization whose public-key is $y$. (i-1) If $O_j$'s side of the protocol rejects, it does nothing. (i-2) Otherwise: (2-A-a) If $x \in archive_{O_i}$, denote this user by U. (2-A-b) If $x \notin archive_{O_i}$, let U be the user with $x$, and S obtains $N_{(U,O_i)}$ by interaction with T. (2-B) If $(E, C) \notin archive_{O_i}$, then S runs BIC and adds the output to U's record. (2-C) S communicates with T for transferring a credential by U.
(III) If a verifying organization $O_j$ is controlled by A, S runs the zero-knowledge simulator of Lemma 5 to do that.

4.2 Proof of Successful Simulation

We show that our simulator fails with negligible probability only. We show in the following lemmas that a tuple $(x, s, E, C)$, the knowledge of which is essential for proving possession of a credential, is unforgeable even under an adaptive attack. As these proofs can be found in [6], we leave out the proofs.

Lemma 7 Under the strong RSA assumption and the discrete logarithm assumption modulo a safe prime product, if a polynomially bounded adversary succeeds in proving ownership of a valid credential record $(P, E, C)$ with a group $\mathcal{G}$, then this credential record was created by running GP, IC and TC with a group manager $G \in \mathcal{G}$.

Lemma 8 Under the strong RSA assumption, the discrete logarithm assumption modulo a safe prime product and, if a polynomially bounded adversary succeeds in proving ownership of a valid credential record $(P, E, C)$ with an organization $O \in \mathcal{G}$, then this credential record was created by running GP and TC with an organization $O \in \mathcal{G}$, and BIC with a group manager $G \in \mathcal{G}$.

The statistical zero-knowledge property of the underlying protocols gives us Lemma 9, which in turn implies Theorem 10.

Lemma 9 The view of the adversary in the real protocol is statistically close to his view in the simulation.
Theorem 10 Under the strong RSA assumption, the decisional Diffie-Hellman assumption modulo a safe prime product, and the assumption that factoring is hard, our pseudonym system described above is secure.

5 Conclusion

This paper presents an anonymity-enhanced pseudonym system; a user can select a way to prove the possession of a credential on a pseudonym with an organization. We can add a mechanism: global anonymity revocation for discovering the identity of a user whose transactions are illegal, or local anonymity revocation for revealing a pseudonym of a user who misuses the credential, in the same way as [6].

References

1. D. Chaum, Security without identification: Transaction systems to make big brother obsolete, Communications of the ACM, vol. 28.
2. D. Chaum and J.-H. Evertse, A secure and privacy-protecting protocol for transmitting personal information between organizations, Proceedings of CRYPTO '86, vol. 263, Springer Verlag.
3. L. Chen, Access with pseudonyms, Cryptography: Policy and Algorithms, vol. 1029, Springer Verlag.
4. I. B. Damgard, Payment systems and credential mechanism with provable security against abuse by individuals, Proceedings of CRYPTO '88, vol. 403, Springer Verlag.
5. A. Lysyanskaya and R. Rivest and A. Sahai and S. Wolf, Pseudonym Systems, Selected Areas in Cryptography, vol. 1758, Springer Verlag.
6. J. Camenisch and A. Lysyanskaya, Efficient non-transferable anonymous multishow credential system with optional anonymity revocation, Proceedings of EUROCRYPT 2001, vol. 2045, Springer Verlag.
7. J. Camenisch and A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, Proceedings of CRYPTO 2002, vol. 2442, 61-76, Springer Verlag.
8. J. Camenisch and E. V. Herreweghen, Design and implementation of the idemix anonymous credential system, ACM CCS '02.
9. G. Ateniese and J. Camenisch and M. Joye and G. Tsudik, A practical and provably secure coalition-resistant group signature scheme, Proceedings of CRYPTO 2000, vol. 1880, Springer Verlag.
10. C. P. Schnorr, Efficient signature generation for smart cards, Journal of Cryptology, vol. 4.
11. A. Fiat and A. Shamir, How to prove yourself: Practical solution to identification and signature problems, Proceedings of CRYPTO '86, vol. 263, Springer Verlag.
12. E. Fujisaki and T. Okamoto, Statistical zero knowledge protocols to prove modular polynomial relations, Proceedings of CRYPTO '97, vol. 1294, 16-30, Springer Verlag.
13. J. Camenisch and M. Stadler, Efficient group signature schemes for large groups, Proceedings of CRYPTO '97, vol. 1294, Springer Verlag.
14. R. Cramer and V. Shoup, Signature schemes based on the strong RSA assumption, Proceedings of 6th ACM Conference on Computer and Communications Security, 46-52, ACM press.
15. M. Bellare and C. Namprempre and D. Pointcheval and M. Semanko, The Power of RSA Inversion Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme, Proceedings of Financial Cryptography 2001, vol. 2339, Springer Verlag, 2001.


Duality between Statical and Kinematical Engineering Systems

Duality between Statical and Kinematical Engineering Systems Pape 00, Civil-Comp Ltd., Stiling, Scotland Poceedings of the Sixth Intenational Confeence on Computational Stuctues Technology, B.H.V. Topping and Z. Bittna (Editos), Civil-Comp Pess, Stiling, Scotland.

More information

Hidden Identity-Based Signatures

Hidden Identity-Based Signatures Hidden Identity-Based Signatues ggelos Kiayias Hong-Sheng Zhou bstact This pape intoduces Hidden Identity-based Signatues (Hidden-IBS), a type of digital signatues that povide mediated signe-anonymity

More information

Hua Xu 3 and Hiroaki Mukaidani 33. The University of Tsukuba, Otsuka. Hiroshima City University, 3-4-1, Ozuka-Higashi

Hua Xu 3 and Hiroaki Mukaidani 33. The University of Tsukuba, Otsuka. Hiroshima City University, 3-4-1, Ozuka-Higashi he inea Quadatic Dynamic Game fo Discete-ime Descipto Systems Hua Xu 3 and Hioai Muaidani 33 3 Gaduate School of Systems Management he Univesity of suuba, 3-9- Otsua Bunyo-u, oyo -0, Japan xuhua@gssm.otsua.tsuuba.ac.jp

More information

( ) [ ] [ ] [ ] δf φ = F φ+δφ F. xdx.

( ) [ ] [ ] [ ] δf φ = F φ+δφ F. xdx. 9. LAGRANGIAN OF THE ELECTROMAGNETIC FIELD In the pevious section the Lagangian and Hamiltonian of an ensemble of point paticles was developed. This appoach is based on a qt. This discete fomulation can

More information

Solving Some Definite Integrals Using Parseval s Theorem

Solving Some Definite Integrals Using Parseval s Theorem Ameican Jounal of Numeical Analysis 4 Vol. No. 6-64 Available online at http://pubs.sciepub.com/ajna///5 Science and Education Publishing DOI:.69/ajna---5 Solving Some Definite Integals Using Paseval s

More information

Enumerating permutation polynomials

Enumerating permutation polynomials Enumeating pemutation polynomials Theodoulos Gaefalakis a,1, Giogos Kapetanakis a,, a Depatment of Mathematics and Applied Mathematics, Univesity of Cete, 70013 Heaklion, Geece Abstact We conside thoblem

More information

On the integration of the equations of hydrodynamics

On the integration of the equations of hydrodynamics Uebe die Integation de hydodynamischen Gleichungen J f eine u angew Math 56 (859) -0 On the integation of the equations of hydodynamics (By A Clebsch at Calsuhe) Tanslated by D H Delphenich In a pevious

More information

Quasi-Randomness and the Distribution of Copies of a Fixed Graph

Quasi-Randomness and the Distribution of Copies of a Fixed Graph Quasi-Randomness and the Distibution of Copies of a Fixed Gaph Asaf Shapia Abstact We show that if a gaph G has the popety that all subsets of vetices of size n/4 contain the coect numbe of tiangles one

More information

Multiple Experts with Binary Features

Multiple Experts with Binary Features Multiple Expets with Binay Featues Ye Jin & Lingen Zhang Decembe 9, 2010 1 Intoduction Ou intuition fo the poect comes fom the pape Supevised Leaning fom Multiple Expets: Whom to tust when eveyone lies

More information

Journal of Inequalities in Pure and Applied Mathematics

Journal of Inequalities in Pure and Applied Mathematics Jounal of Inequalities in Pue and Applied Mathematics COEFFICIENT INEQUALITY FOR A FUNCTION WHOSE DERIVATIVE HAS A POSITIVE REAL PART S. ABRAMOVICH, M. KLARIČIĆ BAKULA AND S. BANIĆ Depatment of Mathematics

More information

Anonymous return route information for onion based mix-nets

Anonymous return route information for onion based mix-nets Anonymous etun oute infomation fo onion based mix-nets ABSTRACT Yoshifumi Manabe NTT Communication Science Laboatoies NTT Copoation Atsugi Kanagawa 239-0198 Japan manabeyoshifumi@labnttcojp This pape poposes

More information

On decompositions of complete multipartite graphs into the union of two even cycles

On decompositions of complete multipartite graphs into the union of two even cycles On decompositions of complete multipatite gaphs into the union of two even cycles A. Su, J. Buchanan, R. C. Bunge, S. I. El-Zanati, E. Pelttai, G. Rasmuson, E. Spaks, S. Tagais Depatment of Mathematics

More information

Markscheme May 2017 Calculus Higher level Paper 3

Markscheme May 2017 Calculus Higher level Paper 3 M7/5/MATHL/HP3/ENG/TZ0/SE/M Makscheme May 07 Calculus Highe level Pape 3 pages M7/5/MATHL/HP3/ENG/TZ0/SE/M This makscheme is the popety of the Intenational Baccalaueate and must not be epoduced o distibuted

More information

Channel matrix, measurement matrix and collapsed matrix. in teleportation

Channel matrix, measurement matrix and collapsed matrix. in teleportation Channel matix, measuement matix and collapsed matix in telepotation XIN-WEI ZHA, JIAN-XIA QI and HAI-YANG SONG School of Science, Xi an Univesity of Posts and Telecommunications, Xi an, 71011, P R China

More information

A Multivariate Normal Law for Turing s Formulae

A Multivariate Normal Law for Turing s Formulae A Multivaiate Nomal Law fo Tuing s Fomulae Zhiyi Zhang Depatment of Mathematics and Statistics Univesity of Noth Caolina at Chalotte Chalotte, NC 28223 Abstact This pape establishes a sufficient condition

More information

Conservative Averaging Method and its Application for One Heat Conduction Problem

Conservative Averaging Method and its Application for One Heat Conduction Problem Poceedings of the 4th WSEAS Int. Conf. on HEAT TRANSFER THERMAL ENGINEERING and ENVIRONMENT Elounda Geece August - 6 (pp6-) Consevative Aveaging Method and its Application fo One Heat Conduction Poblem

More information

Deterministic vs Non-deterministic Graph Property Testing

Deterministic vs Non-deterministic Graph Property Testing Deteministic vs Non-deteministic Gaph Popety Testing Lio Gishboline Asaf Shapia Abstact A gaph popety P is said to be testable if one can check whethe a gaph is close o fa fom satisfying P using few andom

More information

To Feel a Force Chapter 7 Static equilibrium - torque and friction

To Feel a Force Chapter 7 Static equilibrium - torque and friction To eel a oce Chapte 7 Chapte 7: Static fiction, toque and static equilibium A. Review of foce vectos Between the eath and a small mass, gavitational foces of equal magnitude and opposite diection act on

More information