Separable Linkable Threshold Ring Signatures


Patrick P. Tsang¹, Victor K. Wei¹, Tony K. Chan¹, Man Ho Au¹, Joseph K. Liu¹, and Duncan S. Wong²

¹ Department of Information Engineering, The Chinese University of Hong Kong, Shatin, Hong Kong
{pktsang3,kwwei,klchan3,mhau3,ksliu9}@ie.cuhk.edu.hk
² Department of Computer Science, The City University of Hong Kong, Hong Kong
duncan@cityu.edu.hk

Abstract. A ring signature scheme is a group signature scheme with no group manager to set up a group or revoke a signer. A linkable ring signature, introduced by Liu et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (i.e., they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Our scheme supports event-oriented linking. Applications of such a linking criterion are discussed.

1 Introduction

Ring Signatures. A ring signature scheme [22] is a group signature scheme [10, 2] with no group manager to set up a group or revoke a signer's identity. Formation of a group is spontaneous in a way that diversion group members can be totally unaware of being conscripted to the group. It allows members to anonymously sign messages on behalf of their group. Applications include leaking secrets [22] and anonymous identification/authentication for ad hoc groups [6, 13].

Threshold Ring Signatures. Threshold cryptography [12] allows $n$ parties to share the ability to perform a cryptographic operation (e.g., creating a digital signature). Any $d$ parties can perform the operation jointly, whereas it is infeasible for at most $d - 1$ to do so. In a $(d, n)$-threshold ring signature scheme, the generation of a ring signature for a group of $n$ members requires the involvement of at least $d$ members/signers, and yet the signature reveals nothing about the identities of the signers. Schemes in the literature include [6, 19, 24].

An extended abstract was in Indocrypt 04. This version updates the security model and results concerning anonymity and non-slanderability.

Linkable Ring Signatures. The notion of linkable ring signatures was introduced by Liu et al. [20]. They are ring signatures, but with added linkability: such signatures allow anyone to determine if two signatures are signed by the same group member (in which case the two signatures are said to be linked). If a user signs only once on behalf of a group, the user still enjoys anonymity similar to that in conventional ring signature schemes. If the user signs multiple times, anyone can tell that these signatures have been generated by the same group member. Applications include leaking sequences of secrets and e-voting [20].

Linkable Threshold Ring Signatures. In [20], a $(d, n)$-threshold extension to its original linkable ring signature scheme is constructed by concatenating $d$ linkable ring signatures. We note that the construction, though simple and trivial, is not efficient. In particular, the space and time complexities are both $O(dn)$. We give in this paper a construction with time and space complexities both being $O(n)$.

Separability. In [8], Camenisch et al. diversified the concept of separability of cryptographic protocols into perfect separability, strong separability and weak separability when describing the users' ability to choose their own cryptographic primitive and system parameters. Separability is of particular importance for ring signature schemes as there is no group manager to coordinate the choice of signature primitive and system parameters for each user. For instance, a ring signature scheme that is only weakly separable is not practical at all, as it is unlikely to have all group members using the same primitive, system parameters and security parameters. The RSA implementations of [22, 1, 19, 24, 20] are strongly separable while the DL implementations of [1, 19, 20] are only weakly separable.

Event-Oriented Linkability. In [20], one can tell if two ring signatures are linked or not if and only if they are signed on behalf of the same group of members. We call this group-oriented linkability. We present a new linking criterion that we call event-oriented linkability, in which one can tell if two signatures are linked if and only if they are signed for the same event, despite the fact that they may be signed on behalf of different groups. Event-oriented linkable ring signatures are comparatively more flexible in application. E.g., group settings keep changing frequently in ad hoc groups and most of the ring signatures are signed on behalf of different groups, which renders group-oriented linkability virtually useless. Consider another scenario: the CEOs of a company vote for business decisions. Using linkable ring signatures, they can vote anonymously by ring-signing their votes. However, as the group is fixed throughout the polls, votes among polls can be linked by anybody and information can be derived, which means anonymity is in jeopardy. This can be prevented when an event-oriented scheme is used.

1.1 Contributions

Our main contributions include:
- We give the first separable linkable ring signature. It is also the first linkable ring signature of the CDS-type ([11]).
- We present a security model for linkable threshold ring signatures, and reduce the security of our scheme to well-known hard problem assumptions.

- Our scheme supports bandwidth-efficient threshold signing. The signature size in [20] is $O(dn)$ while ours is $O(n)$, where $n$ is the number of users and $d$ is the threshold. However, our scheme is interactive: insiders interact collaboratively to generate the signature.
- We introduce new security notions to linkable ring signatures: (1) Non-accusatory linkability only detects the presence of two linked signatures, while accusatory linkability additionally outputs the identity of the suspected double-signer. (2) Strong non-slanderability means no coalition can generate signatures accusatorily linked to a targeted victim.
- We present a new linking criterion that is event-oriented. Under such linkability, one can tell if two signatures are linked if and only if they are signed for the same event, despite the fact that they may be signed on behalf of different groups.

1.2 Organization

The paper is organized as follows: In Sec. 2, we give some preliminaries. In Sec. 3, we describe the building blocks used in our construction. Then we define our separable linkable threshold signatures in Sec. 4. A construction and its security analysis are presented in Sec. 5. We conclude in Sec. 6.

2 Preliminaries

2.1 Notations and Mathematical Assumptions

Definition 1. A function $f(\lambda)$ is negligible if for all polynomials $p(\lambda)$, $f(\lambda) < 1/p(\lambda)$ holds for all sufficiently large $\lambda$. A function is non-negligible if it is not negligible.

Definition 2 (Strong RSA Assumption [7, 15, 16]). Given a safe prime product $N$ and $z \in QR(N)$, it is infeasible to find $u \in \mathbb{Z}_N^*$ and $e > 1$ such that $u^e = z \pmod{N}$, in time polynomial in the size of $N$.

Definition 3 (Decisional Diffie-Hellman (DDH) over QR(N) Assumption). Given a generator $g$ of a cyclic group $QR(N)$, where $N$ is a composite of two primes, the distribution ensembles $(g^x, g^y, g^z)$ and $(g^x, g^y, g^{xy})$, where $x, y, z \in_R [1, \mathrm{ord}(g)]$, are computationally indistinguishable by all PPT algorithms in time polynomial in the size of $N$.

2.2 Honest-Verifier Zero-Knowledge (HVZK) Proof of Knowledge Protocols (PoKs)

Every HVZK proof can be turned into a signature scheme by setting the challenge to the hash value of the commitment together with the message to be signed [14]. Such a scheme is proven secure by [21] against existential forgery under adaptively chosen message attack [17] in the random oracle model [4]. Following [9], we call these signature schemes "signatures based on proofs of knowledge", SPK for short. Note that there always exists a corresponding HVZK PoK protocol for every SPK.

3 Basic Building Blocks

In this section, we describe some three-move interactive HVZK PoK protocols that we will use as basic building blocks for our event-oriented linkable threshold ring signature scheme. These protocols all work in finite cyclic groups of quadratic residues modulo safe prime products.

For each $i = 1, \ldots, n$, let $N_i$ be a safe-prime product and define the group $G_i \doteq QR(N_i)$ such that its order is of length $\ell_i - 2$ for some $\ell_i \in \mathbb{N}$. Also let $g_i, h_i$ be generators of $G_i$ such that their relative discrete logarithms are not known. Let $1 < \epsilon \in \mathbb{R}$ be a parameter and let $H : \{0,1\}^* \to \mathbb{Z}_q$ be a strong collision-resistant hash function, where $q$ is a $\kappa$-bit prime for some security parameter $\kappa \in \mathbb{N}$. Define $\mathcal{N} \doteq \{1, \ldots, n\}$ and $\Gamma_i \doteq \{-2^{\ell_i} q, \ldots, (2^{\ell_i} q)^{\epsilon}\}$.

3.1 Proving the Knowledge of Several Discrete Logarithms

This protocol is a straightforward generalization of the protocol for proving the knowledge of a discrete logarithm over groups of unknown order in [7]. It allows a prover to prove to a verifier the knowledge of $n$ discrete logarithms $x_1, \ldots, x_n \in \mathbb{Z}$ of elements $y_1, \ldots, y_n$ to the bases $g_1, \ldots, g_n$ respectively. Using the notation in [9], the protocol is denoted by:

$$PK\Big\{(\alpha_1, \ldots, \alpha_n) : \bigwedge_{i=1}^{n} y_i = g_i^{\alpha_i}\Big\}.$$

A prover $P$ knowing $x_1, \ldots, x_n \in \mathbb{Z}$ such that $y_i = g_i^{x_i}$ for all $i = 1, \ldots, n$ can prove to a verifier $V$ his/her knowledge as follows.

(Commit.) $P$ chooses $r_i \in_R \mathbb{Z}_{(2^{\ell_i} q)^{\epsilon}}$ and computes $t_i \leftarrow g_i^{r_i}$ for all $i = 1, \ldots, n$. $P$ sends $(t_1, \ldots, t_n)$ to $V$.
(Challenge.) $V$ chooses $c \in_R \mathbb{Z}_q$ and sends it to $P$.
(Response.) $P$ computes, for all $i = 1, \ldots, n$, $s_i \leftarrow r_i - c x_i$ (in $\mathbb{Z}$). $P$ sends $(s_1, \ldots, s_n)$ to $V$.

$V$ verifies by checking, for all $i = 1, \ldots, n$, if $t_i \stackrel{?}{=} g_i^{s_i} y_i^{c}$.

Theorem 1. If the Strong RSA assumption holds, the protocol is an HVZK PoK protocol.

Proof. We omit the proof as it is a straightforward extension of the proof of Lemma 1 in [7].

As noted before, the protocol can be turned into a signature scheme by replacing the challenge by the hash of the commitment together with the message $M$ to be signed:

$$c \leftarrow H((g_1, y_1) \| \cdots \| (g_n, y_n) \| t_1 \| \cdots \| t_n \| M).$$

In this case, the signature is $(c, s_1, \ldots, s_n)$ and the verification becomes:

$$c \stackrel{?}{=} H((g_1, y_1) \| \cdots \| (g_n, y_n) \| g_1^{s_1} y_1^{c} \| \cdots \| g_n^{s_n} y_n^{c} \| M).$$

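Following [9], we denote this signature scheme by:

$$SPK\Big\{(\alpha_1, \ldots, \alpha_n) : \bigwedge_{i=1}^{n} y_i = g_i^{\alpha_i}\Big\}(M).$$

3.2 Proving the Knowledge of d Out of n Equalities of Discrete Logarithms

This protocol is constructed using the techniques described in [11], by combining the PoK for discrete logarithm in [7] and the secret sharing scheme due to Shamir [23]. It allows a prover to prove to a verifier his/her knowledge of some $d$ out of $n$ integers $x_1, \ldots, x_n$, where $x_i = \log_{g_i} y_i = \log_{h_i} v_i$ for all $i = 1, \ldots, n$. The protocol is denoted by:

$$PK\Big\{(\alpha_1, \ldots, \alpha_n) : \bigvee_{\mathcal{J} \subseteq \mathcal{N},\, |\mathcal{J}| = d} \; \bigwedge_{i \in \mathcal{J}} \big(y_i = g_i^{\alpha_i} \wedge v_i = h_i^{\alpha_i}\big)\Big\}.$$

A prover $P$ knowing, for all $i \in \mathcal{I}$, $x_i \in \mathbb{Z}$ such that $y_i = g_i^{x_i}$ and $v_i = h_i^{x_i}$, where $\mathcal{I}$ is some subset of $\mathcal{N}$ such that $|\mathcal{I}| = d$, can prove his/her knowledge to a verifier $V$ as follows.

(Commit.) $P$ does the following: For $i \in \mathcal{N} \setminus \mathcal{I}$, select $c_i \in_R \mathbb{Z}_q$. For all $i \in \mathcal{N}$, select $r_i \in_R \mathbb{Z}_{(2^{\ell_i} q)^{\epsilon}}$. Compute

$$t_i \leftarrow \begin{cases} g_i^{r_i}, & i \in \mathcal{I}; \\ g_i^{r_i} y_i^{c_i}, & i \in \mathcal{N} \setminus \mathcal{I}, \end{cases} \qquad T_i \leftarrow \begin{cases} h_i^{r_i}, & i \in \mathcal{I}; \\ h_i^{r_i} v_i^{c_i}, & i \in \mathcal{N} \setminus \mathcal{I}. \end{cases}$$

$P$ sends $(t_1, \ldots, t_n, T_1, \ldots, T_n)$ to $V$.
(Challenge.) $V$ chooses $c \in_R \mathbb{Z}_q$ and sends it to $P$.
(Response.) $P$ does the following: Compute a polynomial $f$ of degree $n - d$ over $\mathbb{Z}_q$ such that $f(0) = c$ and $f(i) = c_i$ for all $i \in \mathcal{N} \setminus \mathcal{I}$. Compute $c_i \leftarrow f(i)$ for all $i \in \mathcal{I}$. Set

$$s_i \leftarrow \begin{cases} r_i - c_i x_i, & i \in \mathcal{I}; \\ r_i, & i \in \mathcal{N} \setminus \mathcal{I}. \end{cases}$$

$P$ sends $(f, s_1, \ldots, s_n)$ to $V$.

$V$ verifies by checking if (1) $f$ is a polynomial of degree $n - d$ over $\mathbb{Z}_q$, (2) $f(0) \stackrel{?}{=} c$, and (3) $t_i \stackrel{?}{=} g_i^{s_i} y_i^{f(i)}$ and $T_i \stackrel{?}{=} h_i^{s_i} v_i^{f(i)}$, for all $i = 1, \ldots, n$.

Theorem 2. If the Strong RSA assumption holds, the protocol is an HVZK PoK protocol.

(Proof Sketch) To prove the theorem, it suffices to show that the protocol is correct, sound and statistical HVZK.

(Correctness.) Straightforward.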

(Soundness.) It suffices to show how a witness can be extracted if given two valid protocol conversations with the same commitment but different challenges. Denoting the two conversation transcripts by

$$\langle (t_1, \ldots, t_n, T_1, \ldots, T_n), (c), (f, s_1, \ldots, s_n) \rangle \quad \text{and} \quad \langle (t_1, \ldots, t_n, T_1, \ldots, T_n), (c'), (f', s'_1, \ldots, s'_n) \rangle,$$

we have $c \neq c'$ and thus $f(0) \neq f'(0)$. As the degrees of $f$ and $f'$ are at most $n - d$, there are at least $d$ distinct values $\pi_1, \ldots, \pi_d \in \{1, \ldots, n\}$ such that $f(\pi_i) \neq f'(\pi_i)$ for all $i = 1, \ldots, d$. Using arguments in [7], $f(\pi_i) - f'(\pi_i)$ divides $s_{\pi_i} - s'_{\pi_i}$ and therefore an integer $\hat{x}_{\pi_i}$ such that $y_{\pi_i} = g_{\pi_i}^{\hat{x}_{\pi_i}}$ and $v_{\pi_i} = h_{\pi_i}^{\hat{x}_{\pi_i}}$ can be computed as:

$$\hat{x}_{\pi_i} \leftarrow (s_{\pi_i} - s'_{\pi_i}) / (f'(\pi_i) - f(\pi_i)).$$

Hence a witness $(\hat{x}_{\pi_1}, \ldots, \hat{x}_{\pi_d})$ can be computed from two such transcripts.

(Statistical HVZK.) To simulate a transcript, a simulator $S$ first chooses uniformly at random a polynomial $f'$ of degree $n - d$ over $\mathbb{Z}_q$. For all $i = 1, \ldots, n$, $S$ picks uniformly at random $s'_i \in_R \mathbb{Z}_{(2^{\ell_i} q)^{\epsilon}}$ and computes $t'_i \leftarrow g_i^{s'_i} y_i^{f'(i)}$. The simulated transcript is:

$$\langle (t'_1, \ldots, t'_n, T'_1, \ldots, T'_n), (f'(0)), (f', s'_1, \ldots, s'_n) \rangle.$$

To prove that the simulation is statistically indistinguishable from real protocol conversations, one should consider, for each $i = 1, \ldots, n$, the probability distribution $P_S(s_i)$ of the responses of the prover and the probability distribution $P_S(s'_i)$ according to which $S$ chooses $s'_i$. The statistical distance between the two distributions can be computed to be at most:

$$2(2^{\ell_i})(q - 1) / (2^{\ell_i} q)^{\epsilon} \leq 2 / (2^{\ell_i} q)^{\epsilon - 1}.$$

The result follows.

The protocol can be turned into a signature scheme by replacing the challenge by the hash of the commitment together with the message $M$ to be signed:

$$c \leftarrow H((g_1, y_1, h_1, v_1) \| \cdots \| (g_n, y_n, h_n, v_n) \| t_1 \| \cdots \| t_n \| T_1 \| \cdots \| T_n \| M).$$

In this case, the signature is $(f, s_1, \ldots, s_n)$ and step (3) of the verification becomes, with $c = f(0)$ and $c_i = f(i)$:

$$c \stackrel{?}{=} H((g_1, y_1, h_1, v_1) \| \cdots \| (g_n, y_n, h_n, v_n) \| y_1^{c_1} g_1^{s_1} \| \cdots \| y_n^{c_n} g_n^{s_n} \| v_1^{c_1} h_1^{s_1} \| \cdots \| v_n^{c_n} h_n^{s_n} \| M).$$

We denote this signature scheme by:

$$SPK\Big\{(\alpha_1, \ldots, \alpha_n) : \bigvee_{\mathcal{J} \subseteq \mathcal{N},\, |\mathcal{J}| = d} \; \bigwedge_{i \in \mathcal{J}} \big(y_i = g_i^{\alpha_i} \wedge v_i = h_i^{\alpha_i}\big)\Big\}(M).$$

4 Security Model

We give our security model and define relevant security notions.

4.1 Syntax

A linkable threshold ring signature (LTRS) scheme is a tuple of five algorithms (Key-Gen, Init, Sign, Verify and Link).

- $(sk_i, pk_i) \leftarrow$ Key-Gen$(1^{\lambda_i})$ is a PPT algorithm which, on input a security parameter $\lambda_i \in \mathbb{N}$, outputs a private/public key pair $(sk_i, pk_i)$. We denote by $\mathcal{SK}$ and $\mathcal{PK}$ the domains of possible secret keys and public keys, resp. When we say that a public key corresponds to a secret key or vice versa, we mean that the secret/public key pair is an output of Key-Gen.
- param $\leftarrow$ Init$(\lambda)$ is a PPT algorithm which, on input a security parameter $\lambda$, outputs the set of security parameters param which includes $\lambda$.
- $\sigma' = (e, n, d, \mathcal{Y}, \sigma) \leftarrow$ Sign$(e, n, d, \mathcal{Y}, \mathcal{X}, M)$ which, on input event-id $e$, group size $n$, threshold $d \in \{1, \ldots, n\}$, a set $\mathcal{Y}$ of $n$ public keys in $\mathcal{PK}$, a set $\mathcal{X}$ of $d$ private keys whose corresponding public keys are all contained in $\mathcal{Y}$, and a message $M$, produces a signature $\sigma'$.
- $1/0 \leftarrow$ Verify$(M, \sigma')$ is an algorithm which, on input a message-signature pair $(M, \sigma')$, returns 1 or 0 for accept or reject, resp. If accept, the message-signature pair is valid.
- $1/0 \leftarrow$ Link$(\sigma'_1, \sigma'_2)$ is an algorithm which, upon input two valid signature pairs, outputs 0 or 1 for linked or unlinked. In case of linked, it additionally outputs the public key $pk$ of the suspected double-signer.

Remark: Our linkability is accusatory, meaning it outputs the public key of the suspected double-signer. The linkability in [20] is not accusatory: it only outputs linked or unlinked, without the suspect's identity.

Correctness. LTRS schemes must satisfy:
- (Verification Correctness.) Signatures signed according to specification are accepted during verification.
- (Linking Correctness.) If two signatures are signed for the same event according to specification, then they are linked if and only if the two signatures share a common signer. In the case of linked, the suspect output by Link is exactly the common signer.

4.2 Notions of Security

Security of LTRS schemes has three aspects: unforgeability, anonymity and linkability. Before giving their definitions, we consider the following oracles which together model the ability of the adversaries in breaking the security of the schemes.

- $pk_i \leftarrow \mathcal{JO}(\bot)$. The Joining Oracle, on request, adds a new user to the system. It returns the public key $pk_i \in \mathcal{PK}$ of the new user.
- $sk_i \leftarrow \mathcal{CO}(pk_i)$. The Corruption Oracle, on input a public key $pk_i \in \mathcal{PK}$ that is a query output of $\mathcal{JO}$, returns the corresponding secret key $sk_i \in \mathcal{SK}$.
- $\sigma' \leftarrow \mathcal{SO}(e, n, d, \mathcal{Y}, \mathcal{V}, \mathcal{X}, M)$. The Signing Oracle, on input an event-id $e$, a group size $n$, a threshold $d \in \{1, \ldots, n\}$, a set $\mathcal{Y}$ of $n$ public keys, a subset $\mathcal{V}$ of $\mathcal{Y}$ with $|\mathcal{V}| = d$, a set of secret keys $\mathcal{X}$ whose corresponding public keys are all contained in $\mathcal{V}$, and a message $M$, returns a valid signature $\sigma'$.

Remark: An alternative approach to specifying $\mathcal{SO}$ is to exclude the signer set $\mathcal{V}$ from the input and have $\mathcal{SO}$ select it according to a suitable random distribution. We do not pursue that alternative further.

Unforgeability. Unforgeability for LTRS schemes is defined in the following game between the Simulator $S$ and the Adversary $A$ in which $A$ is given access to oracles $\mathcal{JO}$, $\mathcal{CO}$ and $\mathcal{SO}$:

1. $S$ generates and gives $A$ the system parameters param.
2. $A$ may query the oracles according to any adaptive strategy.
3. $A$ gives $S$ an event-id $e \in \mathcal{EID}$, a group size $n \in \mathbb{N}$, a threshold $d \in \{1, \ldots, n\}$, a set $\mathcal{Y}$ of $n$ public keys in $\mathcal{PK}$, a message $M \in \mathcal{M}$ and a signature $\sigma \in \Sigma$.

$A$ wins the game if: (1) Verify$(M, \sigma') = 1$, (2) all of the public keys in $\mathcal{Y}$ are query outputs of $\mathcal{JO}$, (3) at most $(d - 1)$ of the public keys in $\mathcal{Y}$ have been input to $\mathcal{CO}$, and (4) $\sigma$ is not a query output of $\mathcal{SO}$ on any input containing $M$. We denote by $\mathrm{Adv}^{unf}_A(\lambda)$ the probability of $A$ winning the game.

Definition 4 (Unforgeability). An LTRS scheme is unforgeable if for all PPT adversaries $A$, $\mathrm{Adv}^{unf}_A(\lambda)$ is negligible.

Linkable Anonymity. Anonymity for LTRS schemes is defined in the following game:

Game LA

1. (Initialization Phase) $S$ generates and gives $A$ the system parameters param.
2. (Probe-1 Phase) $A$ may query the oracles according to any adaptive strategy.
3. (Gauntlet Phase) $A$ gives $S$ event-id $e_g$, group size $n_g$, threshold $d_g \in \{1, \ldots, n_g\}$, message $M_g$, a set $\mathcal{Y}_g$ of $n$ public keys all of which are query outputs of $\mathcal{JO}$, a subset $\mathcal{V}_g$ of $\mathcal{Y}_g$ with $|\mathcal{V}_g| = d_g$, a set of secret keys $\mathcal{X}_g$ with $|\mathcal{X}_g| = d_g - 1$ and whose corresponding secret keys are all contained in $\mathcal{V}_g$. The lone public key $y_g \in \mathcal{V}_g$ whose corresponding secret key is not contained in $\mathcal{X}_g$ has never been queried to $\mathcal{CO}$ and has been included in the insider set $\mathcal{V}$ in any query to the Signing Oracle $\mathcal{SO}$. Then $S$ flips a fair coin to select $b \in \{\text{real}, \text{ideal}\}$.
   Case $b$ = real: $S$ queries $\mathcal{CO}$ with $y_g$ to obtain its corresponding secret key $x_g$, and computes $\sigma'_g = $ Sign$(e_g, n_g, d_g, \mathcal{Y}_g, \mathcal{X}_g \cup \{x_g\}, M_g)$.
   Case $b$ = ideal: $S$ computes $\sigma'_g = \mathcal{SO}(e_g, n_g, d_g, \mathcal{Y}_g, \mathcal{V}_g, \mathcal{X}_g, M_g)$.
   $S$ sends $\sigma'_g$ to $A$.
4. (Probe-2 Phase) $A$ queries the oracles adaptively, except that $y_g$ cannot be queried to $\mathcal{CO}$ or included in the insider set $\mathcal{V}$ of any query to $\mathcal{SO}$.
5. (End Game) $A$ delivers an estimate $\hat{b} \in \{\text{real}, \text{ideal}\}$ of $b$.

$A$ wins the game if $\hat{b} = b$. Define the advantage of $A$ as $\mathrm{Adv}^{Anon}_A(\lambda) = \Pr[A \text{ wins}] - 1/2$.

Definition 5 (Linkable-anonymity). An LTRS scheme is linkably-anonymous if for any PPT adversary $A$, $\mathrm{Adv}^{Anon}_A(\lambda)$ is negligible.

Remark: Linkable anonymity is a form of computational zero-knowledge: the attacker cannot computationally distinguish the real world from the ideal world. Note that the anonymity notions in [3, 5, 18] appear to be also computational zero-knowledge. Our attacker model is not a fully active attacker: queries relevant to the gauntlet public key, $y_g$, are ruled out. The anonymity in [20] is also with respect to the above model. We note that [3], p.623, argued that anonymity and linkability cannot coexist in their security model.

Linkability. Linkability for LTRS schemes is defined in the following game between the Simulator $S$ and the Adversary $A$ in which $A$ is given access to oracles $\mathcal{JO}$, $\mathcal{CO}$ and $\mathcal{SO}$:

1. $S$ generates and gives $A$ the system parameters param.
2. $A$ may query the oracles according to any adaptive strategy.
3. $A$ gives $S$ an event-id $e \in \mathcal{EID}$, group sizes $n_1, n_2 \in \mathbb{N}$, thresholds $d_1 \in \{1, \ldots, n_1\}$, $d_2 \in \{1, \ldots, n_2\}$, sets $\mathcal{Y}_1$ and $\mathcal{Y}_2$ of public keys in $\mathcal{PK}$ of sizes $n_1$ and $n_2$ resp., messages $M_1, M_2 \in \mathcal{M}$ and signatures $\sigma_1, \sigma_2 \in \Sigma$.

$A$ wins the game if (1) all public keys in $\mathcal{Y}_1 \cup \mathcal{Y}_2$ are query outputs of $\mathcal{JO}$, (2) Verify$(M_i, \sigma'_i) = 1$ for $i = 1, 2$, (3) $\mathcal{CO}$ has been queried at most $(d_1 + d_2 - 1)$ times, and (4) Link$(\sigma'_1, \sigma'_2) = 0$. We denote by $\mathrm{Adv}^{Link}_A$ the probability of $A$ winning the game.

Definition 6 (Linkability). An LTRS scheme is linkable if for all PPT adversaries $A$, $\mathrm{Adv}^{Link}_A$ is negligible.

Non-Slanderability. Non-slanderability for LTRS schemes is defined in the following game between the Simulator $S$ and the Adversary $A$ in which $A$ is given access to oracles $\mathcal{JO}$, $\mathcal{CO}$ and $\mathcal{SO}$:

Game NS

1. (Initialization Phase) $S$ generates and gives $A$ the system parameters param.
2. (Probe-1 Phase) $A$ may query the oracles according to any adaptive strategy.
3. (Gauntlet Phase) $A$ gives $S$ an event $e$, group size $n$, threshold $d$, a set of $n$ public keys $\mathcal{Y}_g$, a set of $d$ insiders $\mathcal{V}_g \subseteq \mathcal{Y}_g$, and a message $M$. No member of $\mathcal{V}_g$ has been queried to $\mathcal{CO}$ or has been included in the insider set of any query to $\mathcal{SO}$. $S$ queries all members of $\mathcal{V}_g$ to $\mathcal{CO}$ to obtain the corresponding secret keys $\mathcal{X}_g$, and invokes Sign to produce a signature $\sigma' = (e, n, d, \mathcal{Y}_g, \sigma)$.
4. (Probe-2 Phase) $A$ queries the oracles with arbitrary interleaving, except that no member of $\mathcal{V}_g$ can be queried to $\mathcal{CO}$ or included in the insider set of any query to $\mathcal{SO}$. In particular, $A$ is allowed to query any public key which is not in $\mathcal{V}_g$ to $\mathcal{CO}$.

5. (End Game.) $A$ delivers to $S$ a valid signature $\hat{\sigma}$ which is not an $\mathcal{SO}$ query output.

$A$ wins Game NS if Link$(\hat{\sigma}, \sigma') = 1$. The Adversary $A$'s advantage is his probability of winning.

Definition 7 (Non-Slanderability). An LTRS scheme is non-slanderable if no PPT adversary $A$ has a non-negligible advantage in Game NS.

Security. Summarizing, we have:

Definition 8 (Security of LTRS Schemes). An LTRS scheme is secure if it is unforgeable, linkably-anonymous, linkable and non-slanderable.

5 Our Construction

5.1 A Linkable Threshold Ring Signature Scheme

In this section, we give a concrete construction of an LTRS scheme. We then show that such a construction is secure under the security model defined in the previous section.

Key-Gen. On input a security parameter $\ell_i$, the algorithm randomly picks two distinct primes $p_i, q_i$ of the form $p_i = 2p'_i + 1$ and $q_i = 2q'_i + 1$, where $p'_i, q'_i$ are both $((\ell_i - 2)/2)$-bit primes, and sets $N_i \leftarrow p_i q_i$. It then picks a random generator $g_i$ of $QR(N_i)$ and a random $x_i \in_R \mathbb{Z}_{p'_i q'_i}$ and computes $y_i \leftarrow g_i^{x_i}$. It picks a strong collision-resistant hash function $H_i : \{0,1\}^* \to \{h \mid \langle h \rangle = QR(N_i)\}$. It sets the public key to $pk_i \leftarrow (\ell_i, N_i, g_i, y_i, H_i)$, and the secret key to $sk_i \leftarrow (p_i, q_i, x_i)$. Finally it outputs $(sk_i, pk_i)$.

Init. On input security parameters $\ell \in \mathbb{N}$, $1 < \epsilon \in \mathbb{R}$ and $\kappa \in \mathbb{N}$, the algorithm randomly picks a $\kappa$-bit prime $q$ and a strong collision-resistant hash function $H : \{0,1\}^* \to \mathbb{Z}_q$. It outputs the system parameters param $= (\ell, \epsilon, \kappa, q, H)$.

Sign. On input the system parameters param $= (\ell, \epsilon, \kappa, q, H)$, an event-id $e \in \{0,1\}^*$, a group size $n \in \mathbb{N}$, a threshold $d \in \{1, \ldots, n\}$, a public key set $\mathcal{Y} = \{pk_1, \ldots, pk_n\}$, where each $pk_i = (\ell_i, N_i, g_i, y_i, H_i)$ is s.t. $\ell_i \geq \ell$, a private key set $\mathcal{X} = \{sk_{\pi_1}, \ldots, sk_{\pi_d}\}$, where each $sk_{\pi_i} = (p_{\pi_i}, q_{\pi_i}, x_{\pi_i})$ corresponds to $pk_{\pi_i} \in \mathcal{Y}$, and a message $M \in \{0,1\}^*$, define $\mathcal{N} = \{1, \ldots, n\}$ and $\mathcal{I} = \{\pi_1, \ldots, \pi_d\} \subseteq \mathcal{N}$. The algorithm does the following:

1. For all $i \in \mathcal{N}$, compute $h_{i,e} \leftarrow H_i(\text{param}, pk_i, e)$ and the tags

$$\tilde{y}_{i,e} \leftarrow \begin{cases} h_{i,e}^{x_i}, & i \in \mathcal{I}; \\ h_{i,e}^{a_i}, & i \in \mathcal{N} \setminus \mathcal{I}, \; a_i \in_R \mathbb{Z}_{\lfloor N_i/4 \rfloor}. \end{cases}$$

2. Compute a signature $(f, s_1, \ldots, s_n)$ for

$$SPK\Big\{(\alpha_1, \ldots, \alpha_n) : \bigvee_{\mathcal{J} \subseteq \mathcal{N},\, |\mathcal{J}| = d} \; \bigwedge_{i \in \mathcal{J}} \big(y_i = g_i^{\alpha_i} \wedge \tilde{y}_{i,e} = h_{i,e}^{\alpha_i}\big)\Big\}(M).$$

   In particular, this requires the knowledge of $x_{\pi_1}, \ldots, x_{\pi_d}$. We will refer to this signature scheme as $SPK_1$.
3. Compute a signature $(c', s'_1, \ldots, s'_n)$ for

$$SPK\Big\{(\beta_1, \ldots, \beta_n) : \bigwedge_{i=1}^{n} \tilde{y}_{i,e} = h_{i,e}^{\beta_i}\Big\}(M).$$

   In particular, this requires the knowledge of $x_i$ for all $i \in \mathcal{I}$ and $a_i$ for all $i \in \mathcal{N} \setminus \mathcal{I}$. We will refer to this signature scheme as $SPK_2$.
4. The signature is $\sigma \leftarrow ((\tilde{y}_{1,e}, \ldots, \tilde{y}_{n,e}), (f, s_1, \ldots, s_n), (c', s'_1, \ldots, s'_n))$.

Note that a signature is composed of three parts: the tags, a signature for $SPK_1$ and a signature for $SPK_2$.

Verify. On input a tuple (param, $e$, $n$, $d$, $\mathcal{Y}$, $M$, $\sigma$), the algorithm parses param into $(\ell, \epsilon, \kappa, q, H)$, $\mathcal{Y}$ into $\{pk_1, \ldots, pk_n\}$, where $pk_i = (\ell_i, N_i, g_i, y_i, H_i)$, and $\sigma$ into $((\tilde{y}_1, \ldots, \tilde{y}_n), (f, s_1, \ldots, s_n), (c', s'_1, \ldots, s'_n))$. If any $\ell_i < \ell$, the algorithm returns 0. Otherwise it does the following:

1. For $i \in \mathcal{N}$, compute $h_{i,e} \leftarrow H_i(\text{param}, pk_i, e)$.
2. Verify if $(f, s_1, \ldots, s_n)$ is a correct signature for $SPK_1$.
3. Verify if $(c', s'_1, \ldots, s'_n)$ is a correct signature for $SPK_2$.

Link. On input a tuple (param, $e$, $(n_1, d_1, \mathcal{Y}_1, M_1, \sigma_1)$, $(n_2, d_2, \mathcal{Y}_2, M_2, \sigma_2)$) s.t., for $j = 1, 2$, Verify$(M_j, \sigma'_j) = 1$, the algorithm first parses, for $j = 1, 2$, $\mathcal{Y}_j$ into $\{pk^{(j)}_1, \ldots, pk^{(j)}_{n_j}\}$ and $\sigma_j$ into $((\tilde{y}^{(j)}_{1,e}, \ldots, \tilde{y}^{(j)}_{n_j,e}), (f^{(j)}, s^{(j)}_1, \ldots, s^{(j)}_{n_j}), (c'^{(j)}, s'^{(j)}_1, \ldots, s'^{(j)}_{n_j}))$. If there exist $\pi_1 \in \{1, \ldots, n_1\}$ and $\pi_2 \in \{1, \ldots, n_2\}$ s.t. $pk^{(1)}_{\pi_1} = pk^{(2)}_{\pi_2}$ and $\tilde{y}^{(1)}_{\pi_1,e} = \tilde{y}^{(2)}_{\pi_2,e}$, it returns 1 and additionally $pk^{(1)}_{\pi_1}$. Otherwise it returns 0.

Correctness. Straightforward.

5.2 Security

We state the security theorems here and provide proof sketches.

Theorem 3 (Unforgeability). Our construction is unforgeable under the Strong RSA assumption in the random oracle model.
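A toy run of the Sign, Verify and Link algorithms above, including the d-out-of-n SPK of Sec. 3.2, added here as an illustration and not the authors' code. The small safe primes, the fixed base g = 4, SHA-256 standing in for H and H_i, and all function names are assumptions of the example; one party holds all d secrets, so signing is not interactive here.

```python
import hashlib
import secrets
from math import gcd

Q = 2**61 - 1        # toy prime challenge modulus q (a kappa-bit prime in the paper)
R_BOUND = 1 << 128   # toy stand-in for the commitment range (2^l q)^eps

def H(*parts):
    """Random-oracle stand-in: hash a tuple of values to an integer."""
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def keygen(p, q, g=4):
    """Toy Key-Gen: N = p*q for safe primes p, q; returns (x, (N, g, y = g^x))."""
    N = p * q
    x = secrets.randbelow((p - 1) // 2 * ((q - 1) // 2) - 1) + 1
    return x, (N, g, pow(g, x, N))

def event_base(pk, e):
    """h_{i,e}: hash (pk_i, e) into QR(N_i) by squaring a hashed residue."""
    N, ctr = pk[0], 0
    while True:
        a = H("base", pk, e, ctr) % N
        if gcd(a, N) == 1 and a * a % N != 1:
            return a * a % N
        ctr += 1

def interpolate(points):
    """Coefficients (low to high, mod Q) of the polynomial through `points`."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1
        for m, (xm, _) in enumerate(points):
            if m != j:  # multiply the Lagrange basis polynomial by (X - xm)
                basis = [(a - xm * b) % Q for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xj - xm) % Q
        scale = yj * pow(denom, -1, Q) % Q
        coeffs = [(c + scale * b) % Q for c, b in zip(coeffs, basis)]
    return coeffs

def evalpoly(f, x):
    acc = 0
    for coef in reversed(f):   # Horner's rule, mod Q
        acc = (acc * x + coef) % Q
    return acc

def sign(e, Y, signers, M):
    """signers maps 1-based ring position -> secret x_i; threshold d = len(signers)."""
    n = len(Y)
    hs = [event_base(pk, e) for pk in Y]
    # Step 1: tag h^x for each signer, h^a with random a for everyone else.
    w = [signers.get(i + 1) or secrets.randbelow(Y[i][0] // 4) + 1 for i in range(n)]
    tags = [pow(hs[i], w[i], Y[i][0]) for i in range(n)]
    # Step 2 (SPK1): d-out-of-n proof that log_g y_i = log_h tag_i.
    r = [secrets.randbelow(R_BOUND) for _ in range(n)]
    c = [None if i + 1 in signers else secrets.randbelow(Q) for i in range(n)]
    t, T = [], []
    for i, (N, g, y) in enumerate(Y):
        ci = c[i] or 0                     # signers have no challenge yet
        t.append(pow(g, r[i], N) * pow(y, ci, N) % N)
        T.append(pow(hs[i], r[i], N) * pow(tags[i], ci, N) % N)
    c0 = H("spk1", e, Y, tags, t, T, M) % Q
    f = interpolate([(0, c0)] + [(i + 1, c[i]) for i in range(n) if c[i] is not None])
    s = [r[i] - evalpoly(f, i + 1) * signers.get(i + 1, 0) for i in range(n)]
    # Step 3 (SPK2): knowledge of every tag's discrete log to base h_{i,e}.
    r2 = [secrets.randbelow(R_BOUND) for _ in range(n)]
    c2 = H("spk2", e, Y, tags, [pow(hs[i], r2[i], Y[i][0]) for i in range(n)], M) % Q
    s2 = [r2[i] - c2 * w[i] for i in range(n)]
    return tags, (f, s), (c2, s2)

def verify(e, Y, d, M, sig):
    tags, (f, s), (c2, s2) = sig
    n = len(Y)
    if not 1 <= len(f) <= n - d + 1:       # f must have degree <= n - d
        return False
    hs = [event_base(pk, e) for pk in Y]
    t, T, t2 = [], [], []
    for i, (N, g, y) in enumerate(Y):
        ci = evalpoly(f, i + 1)            # member i's challenge is f(i)
        t.append(pow(g, s[i], N) * pow(y, ci, N) % N)
        T.append(pow(hs[i], s[i], N) * pow(tags[i], ci, N) % N)
        t2.append(pow(hs[i], s2[i], N) * pow(tags[i], c2, N) % N)
    return (f[0] == H("spk1", e, Y, tags, t, T, M) % Q
            and c2 == H("spk2", e, Y, tags, t2, M) % Q)

def link(Y1, sig1, Y2, sig2):
    """Same-event signatures: return (1, pk) if a member's tag repeats, else (0, None)."""
    seen = set(zip(Y1, sig1[0]))
    for pk, tag in zip(Y2, sig2[0]):
        if (pk, tag) in seen:
            return 1, pk
    return 0, None

if __name__ == "__main__":
    (x1, pk1), (x2, pk2), (x3, pk3) = (keygen(1019, 1907), keygen(1823, 2039),
                                       keygen(2027, 2063))   # constructed toy keys
    ring = [pk1, pk2, pk3]
    a = sign("poll-1", ring, {1: x1, 2: x2}, "yes")          # 2-out-of-3
    b = sign("poll-1", [pk3, pk1], {2: x1}, "no")            # user 1, different ring
    print(verify("poll-1", ring, 2, "yes", a), link(ring, a, [pk3, pk1], b)[0])
```

Because each tag depends only on the member's key and the event-id, the second signature links to the first even though it is over a different ring, and Link names the common signer's public key. Each user here has a different modulus, which is the separability the scheme is built for.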

(Proof Sketch) Roughly speaking, similarly constructed ring signatures [19] already have unforgeability, and that implies unforgeability with linkable ring signatures.

Theorem 4 (Linkable-anonymity). Our construction is anonymous under the Strong RSA assumption and the DDH over QR(N) assumption in the random oracle model.

(Proof Sketch) Simulating the Signing Oracle, $\mathcal{SO}$: Upon input $(e, n, d, \mathcal{Y}, \mathcal{V}, \mathcal{X}, M)$, generate a valid signature as follows: For each $i \in \mathcal{Y} \setminus \mathcal{V}$, randomly generate $a_i$ and compute $\tilde{y}_{i,e} = h_{i,e}^{a_i}$. For each $i \in \mathcal{V}$, randomly generate $a_i$, backpatch the random oracle to $h_{i,e} = H_i(\text{param}, pk_i, e) = g_i^{a_i}$ and compute $\tilde{y}_{i,e} = y_i^{a_i}$. Ensure consistency with other oracles from the beginning. Generate $c_0, \ldots, c_n$ such that they interpolate a polynomial $f$ with degree $n - d$ and $f(i) = c_i$ for $0 \leq i \leq n$. For each $i$, simulate the corresponding 3-move conversation in Step (2) of Sign with randomly generated responses $s_1, \ldots, s_n$ to produce the commitments. Backpatch the random oracle so that the commitments are hashed to $c_0$. This completes up to Step (2) in Sign. The rest is easy: randomly generate challenge $c'$, and simulate the SPK in Step (3) of Sign with randomly generated responses $s'_1, \ldots, s'_n$.

Setting up the gauntlet for solving DDH: Similar to the proof of anonymity in [20]. Let $Q_J$ be the number of $\mathcal{JO}$ queries. Denote the Gauntlet DDH Problem as $(\hat{N}, \hat{g}, \hat{g}^{\alpha}, \hat{g}^{\beta}, \hat{g}^{\gamma})$ where $\gamma = \alpha\beta$ with probability 1/2. In the Gauntlet Phase, Simulator $S$ sets up the witness extraction mechanism as follows: Randomly select $i \in \{1, \ldots, Q_J\}$. Return $pk_i = (\hat{\ell}, \hat{N}, \hat{g}, \hat{g}^{\alpha}, \hat{H})$ in the $i$-th $\mathcal{JO}$ query, and backpatch the Random Oracle $\mathcal{HO}$ to $h_{i,e} = \hat{g}^{\beta}$. There is a non-negligible probability that $pk_i = y_g$, the gauntlet public key. Generate the Gauntlet signature $\sigma_g$ with $\tilde{y}_{i,e} = \hat{g}^{\gamma}$ and simulate the SPKs. With 1/2 probability, $\alpha\beta = \gamma$ and it can be shown that the gauntlet signature is indistinguishable from one generated using Sign. Otherwise, with 1/2 probability, $\alpha\beta \neq \gamma$ and it can be shown that $\sigma_g$ is indistinguishable from one generated using $\mathcal{SO}$. If $A$ returns $\hat{b} = 1$, $S$ answers Yes to the DDH question. Otherwise, $S$ answers No. $S$'s advantage in DDH equals $A$'s advantage in winning Game LA.

Theorem 5 (Linkability). Our construction is linkable under the Strong RSA assumption in the random oracle model.

(Proof Sketch) Similar to the proof of linkability in [20]. If the Adversary can produce two unlinked signatures, then he is rewound twice to produce two sets of witnesses of set-size $d_1$ and $d_2$ respectively. If the two sets overlap, then the threshold signatures should have already been linked. If the two sets do not overlap, then we would have obtained a total of $d_1 + d_2$ witnesses while the Adversary only corrupted at most $d_1 + d_2 - 1$ witnesses.

Theorem 6 (Non-Slanderability). Our construction is non-slanderable under the Strong RSA assumption in the random oracle model.

(Proof Sketch) Non-slanderability is protected by Step (3) of the signature. Given a signature from $\mathcal{SO}$, the Adversary does not know the discrete logarithm of any $\tilde{y}_i$, and therefore cannot produce a signature containing some $\tilde{y}_j$ and prove knowledge of the logarithm of $\tilde{y}_j$ as in Sign's Step (3).

Summarizing, we have:

Theorem 7 (Security). Our construction is a secure LTRS scheme.

Note the linkable ring signature in [20] is also secure in our security model.

5.3 Discussions

Separable Linkable Ring Signatures. We achieved separable linkable ring signatures where individual users choose their own safe RSA modulus $N_i$. In our construction, each individual user's key pair is constrained to reside in Discrete Logarithm (DL) over a composite modulus. In fact, our method can be easily modified to allow user key pairs from DL over a prime modulus, i.e. $(sk, pk) = (x, y = g^x \pmod{P})$. Therefore, our signatures can be easily modified to support a mixture of composite DL and prime DL.

RST-type ring signature. Although our construction utilizes the CDS-type structure, meaning the structure from Cramer et al. [11], the technique can be easily adapted to construct the first separable linkable ring signature of the RST-type, meaning the structure from Rivest et al. [22]. Simply follow [20] but use a different $\tilde{y}_i$ for different users instead of using a single $\tilde{y}$: $\tilde{y}_i = h_i^{a_i}$ with randomly generated $a_i$, except $\tilde{y}_s = h_s^{x_s}$ with signer $s$. Then simulate the Proof-of-Knowledge $\{(x_i) : y_i = g_i^{x_i} \wedge \tilde{y}_i = h_i^{x_i}\}$ along the ring, computing Hash(commitments$_i$) = challenge$_{i+1}$ and simulating, except for the actual signer. The resulting linkable ring signature is separable, supporting a mixture of composite DL and prime DL key pairs.

Bandwidth Efficiency. The length of our signature is $O(n)$ ($n$ being the group size). This improves upon [20] whose length is $O(nd)$. However, our scheme is not non-interactive while [20] is.

Event-IDs. Event-ids should be chosen carefully according to specific applications. We give two examples here. (1) When an event-oriented linkable (threshold) ring signature scheme is used to leak sequences of secrets, the whistle-blower should choose a unique event-id when leaking the first secret and stick to using the same in the sequel. This makes sure that the sequence of secrets cannot be linked to other sequences. (2) When used in electronic voting, it is usually the voting organizer (e.g. the government) who decides on an event-id. Each eligible voter should therefore, before they cast a vote, make sure that the event-id has not been used in any previous voting event, so as to secure the intended privacy.

Linkability in Threshold Ring Signatures. Linkability in threshold ring signatures requires a more precise definition. In particular, there are two possible flavors: two signatures are linked if and only if (1) they are signed by exactly the same set of signers, or (2) they involve a common signer. We call signatures of the former type coalition-linkable while those of the latter type individual-linkable.

In a coalition-linkable scheme, users are able to sign multiple times without their signatures being linked, as long as they are not collaborating with exactly the same set of signers again. However, in an individual-linkable scheme, a user signing more than once will have the signatures linked, no matter who the other collaborating signers are. The scheme we present in this paper falls into the latter category.

6 Conclusion

We have given in this paper the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We have also presented the security model and reduced the security of our scheme to well-known hardness assumptions. In particular, we have introduced the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Applications to event-oriented ring-signing have been discussed.

References

1. M. Abe, M. Ohkubo, and K. Suzuki. 1-out-of-n signatures from a variety of keys. In ASIACRYPT 2002. Springer-Verlag.
2. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In CRYPTO 2000. Springer-Verlag.
3. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: formal definitions, simplified requirements and a construction based on general assumptions. In EUROCRYPT 03, volume 2656 of LNCS. Springer-Verlag.
4. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM Press.
5. M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: the case of dynamic groups. Cryptology ePrint Archive, Report 2004/077.
6. E. Bresson, J. Stern, and M. Szydlo. Threshold ring signatures and applications to ad-hoc groups. In Crypto 02, volume 2442 of LNCS. Springer-Verlag.
7. J. Camenisch and M. Michels. A group signature scheme based on an RSA-variant. RS-98-27, BRICS.
8. J. Camenisch and M. Michels. Separability and efficiency for generic group signature schemes. In Crypto 99. Springer-Verlag.
9. J. Camenisch and M. Stadler. Efficient group signature schemes for large groups (extended abstract). In CRYPTO 97. Springer-Verlag.
10. D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT 91, volume 547 of LNCS. Springer-Verlag.
11. R. Cramer, I. Damgard, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols. In CRYPTO 94. Springer-Verlag, 1994.

15 Separable Lnkable Threshold Rng Sgnatures Y. Desmedt and Y. Frankel. Threshold cryptosystems. In CRYPTO 89, volume 435 of LNCS, pages Sprnger-Verlag, Y. Dods, A. Kayas, A. Ncolos, and V. Shoup. Anonymous dentfcaton n ad hoc groups. In EUROCRYPT 2004, volume 3027 of LNCS, pages Sprnger-Verlag, A. Fat and A. Shamr. How to prove yourself: Practcal soluton to dentfcaton and sgnature problems. In CRYPTO 86, volume 263 of LNCS, pages Sprnger-Verlag, E. Fujsak and T. Okamoto. Statstcal zero knowledge protocols to prove modular polynomal relatons. In CRYPTO 97, pages Sprnger-Verlag, E. Fujsak and T. Okamoto. A practcal and provably secure scheme for publcly verfable secret sharng and ts applcatons. In Eurocrypt 98, volume 1403 of LNCS, pages Sprnger-Verlag, S. Goldwasser, S. Mcal, and R. L. Rvest. A dgtal sgnature scheme secure aganst adaptve chosen-message attacks. SIAM J. Comput., 17(2): , A. Kayas and M. Yung. Group sgnatures: provable securty, effcent constructons, and anonymty from trapdoor-holders. Cryptology eprnt Archve, Report 2004/076, J. K. Lu, V. K. We, and D. S. Wong. A separable threshold rng sgnature scheme. In ICISC 2003, volume 2971 of LNCS, pages Sprnger-Verlag, J. K. Lu, V. K. We, and D. S. Wong. Lnkable spontaneous anonymous group sgnature for ad hoc groups (extended abstract). In ACISP 04, volume 3108 of LNCS, pages Sprnger-Verlag, D. Pontcheval and J. Stern. Securty proofs for sgnature schemes. In EURO- CRYPT 96, volume 1070 of LNCS, pages Sprnger-Verlag, R. L. Rvest, A. Shamr, and Y. Tauman. How to leak a secret. In ASIACRYPT 2001, pages Sprnger-Verlag, A. Shamr. How to share a secret. Commun. ACM, 22(11): , D. S. Wong, K. Fung, J. K. Lu, and V. K. We. On the RS-code constructon of rng sgnature schemes and a threshold settng of RST. In ICISC 2003, volume 2971 of LNCS, pages Sprnger-Verlag, 2003.
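The coalition-linkable and individual-linkable criteria defined earlier, together with the two event-id remarks, can be exercised with the following added Python sketch, which is not code from the paper. It models only the linkability tags, assumed here to take the form H(event-id)^x in a constructed toy group, and omits the ring-signature proof itself; all function names, keys and event-ids are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from itertools import combinations

# Constructed toy group: integers modulo the Mersenne prime 2**127 - 1.
# Chosen only so the example runs offline; not a secure parameter choice.
P = 2**127 - 1


def event_base(event_id: str) -> int:
    """Hash an event-id to a group element in [2, P-2] (assumed tag base)."""
    digest = hashlib.sha256(b"event-id:" + event_id.encode()).digest()
    return int.from_bytes(digest, "big") % (P - 3) + 2


def link_tag(event_id: str, secret_key: int) -> int:
    """Per-signer, per-event tag H(event-id)^x mod P (assumed construction)."""
    return pow(event_base(event_id), secret_key, P)


@dataclass(frozen=True)
class ToySignature:
    """Only the parts of a threshold ring signature that matter for linking."""
    event_id: str
    message: str
    tags: frozenset  # one tag per actual signer; the ring proof is omitted


def toy_sign(event_id, message, signer_keys):
    """Stand-in for signing: each of the d signers contributes an event tag."""
    tags = frozenset(link_tag(event_id, x) for x in signer_keys)
    return ToySignature(event_id, message, tags)


# Tags under different event-ids use different bases, so comparing tags
# alone already scopes both criteria to a single event.
def individual_linked(a, b):
    """Flavor (2): linked iff the two signatures involve a common signer."""
    return not a.tags.isdisjoint(b.tags)


def coalition_linked(a, b):
    """Flavor (1): linked iff signed by exactly the same set of signers."""
    return a.tags == b.tags


def linked_pairs(signatures, linked=individual_linked):
    """Index pairs of all signatures that the chosen criterion links."""
    indexed = enumerate(signatures)
    return [(i, j) for (i, a), (j, b) in combinations(indexed, 2)
            if linked(a, b)]


def event_id_is_fresh(event_id, previously_used):
    """Voter-side check from remark (2): refuse a recycled event-id."""
    return event_id not in previously_used


def ballots_linked_across_votes(first_event_id, second_event_id, voter_key):
    """Remark (2): does a voter's later ballot link back to the earlier one?"""
    b1 = toy_sign(first_event_id, "ballot: yes", [voter_key])
    b2 = toy_sign(second_event_id, "ballot: no", [voter_key])
    return individual_linked(b1, b2)


# Constructed secret keys for three ring members.
ALICE, BOB, CAROL = 0x1A2B3C4D5E6F, 0x2B3C4D5E6F7A, 0x3C4D5E6F7A8B


def demo():
    """Four (2, n)-threshold signatures; returns the links under each flavor."""
    sigs = [
        toy_sign("leak-series-A", "memo 1", [ALICE, BOB]),
        toy_sign("leak-series-A", "memo 2", [ALICE, CAROL]),  # new partner
        toy_sign("leak-series-A", "memo 3", [ALICE, BOB]),    # same coalition
        toy_sign("leak-series-B", "memo 4", [ALICE, BOB]),    # new event-id
    ]
    return {
        "individual": linked_pairs(sigs, individual_linked),
        "coalition": linked_pairs(sigs, coalition_linked),
    }


if __name__ == "__main__":
    print(demo())
    print(ballots_linked_across_votes("vote-2023", "vote-2023", ALICE))
```

Under the individual criterion every signature Alice joins within one event is linked, while the coalition criterion links only the two signed by the identical pair; the last function shows why a recycled event-id costs a voter the intended privacy.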


More information

Hiding data in images by simple LSB substitution

Hiding data in images by simple LSB substitution Pattern Recognton 37 (004) 469 474 www.elsever.com/locate/patcog Hdng data n mages by smple LSB substtuton Ch-Kwong Chan, L.M. Cheng Department of Computer Engneerng and Informaton Technology, Cty Unversty

More information

Tagged One-Time Signatures: Tight Security and Optimal Tag Size

Tagged One-Time Signatures: Tight Security and Optimal Tag Size Tagged One-Tme Sgnatures: Tght Securty and Optmal Tag Sze Masayuk Abe 1, Bernardo Davd 2, Markulf Kohlwess 3, Ryo Nshmak 1, and Myako Ohkubo 4 1) NTT Secure Platform Laboratores {abe.masayuk,nshmak.ryo}@lab.ntt.co.jp

More information

Markov Chain Monte Carlo Lecture 6

Markov Chain Monte Carlo Lecture 6 where (x 1,..., x N ) X N, N s called the populaton sze, f(x) f (x) for at least one {1, 2,..., N}, and those dfferent from f(x) are called the tral dstrbutons n terms of mportance samplng. Dfferent ways

More information

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper

Games of Threats. Elon Kohlberg Abraham Neyman. Working Paper Games of Threats Elon Kohlberg Abraham Neyman Workng Paper 18-023 Games of Threats Elon Kohlberg Harvard Busness School Abraham Neyman The Hebrew Unversty of Jerusalem Workng Paper 18-023 Copyrght 2017

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Lecture Space-Bounded Derandomization

Lecture Space-Bounded Derandomization Notes on Complexty Theory Last updated: October, 2008 Jonathan Katz Lecture Space-Bounded Derandomzaton 1 Space-Bounded Derandomzaton We now dscuss derandomzaton of space-bounded algorthms. Here non-trval

More information

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0

n α j x j = 0 j=1 has a nontrivial solution. Here A is the n k matrix whose jth column is the vector for all t j=0 MODULE 2 Topcs: Lnear ndependence, bass and dmenson We have seen that f n a set of vectors one vector s a lnear combnaton of the remanng vectors n the set then the span of the set s unchanged f that vector

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

A Commitment-Consistent Proof of a Shuffle

A Commitment-Consistent Proof of a Shuffle A Commtment-Consstent Proof of a Shuffle Douglas Wkström CSC KTH Stockholm, Sweden dog@csc.kth.se Aprl 2, 2011 Abstract We ntroduce a pre-computaton technque that drastcally reduces the onlne computatonal

More information