Post-Quantum EPID Group Signatures from Symmetric Primitives


Dan Boneh (Stanford University), Saba Eskandarian (Stanford University), Ben Fisch (Stanford University)

Abstract

Group signatures are used extensively for privacy in anonymous credentials schemes and in real-world systems for hardware enclave attestation. As such, there is a strong interest in making these schemes post-quantum secure. In this paper we initiate the study of group signature schemes built only from symmetric primitives, such as hash functions and PRFs, widely regarded as the safest primitives for post-quantum security. We present two constructions in the random oracle model. The first is a group signature scheme satisfying the EPID group signature syntax and security definitions needed for private hardware attestation used in Intel's SGX. The second achieves significantly shorter signatures for many applications, including the use case of remote hardware attestation. While our group signatures for attestation are longer than standard (non-group) post-quantum signatures, they are short enough for applications where the data being signed is large, such as analytics on large private data sets, or streaming media to a trusted display. We evaluate several instantiations of our schemes so that the costs and benefits of these constructions are clear. Along the way we also give improvements to the zero-knowledge Merkle inclusion proofs of Derler et al. (2017).

1 Introduction

Group signatures [24] allow members of a group to anonymously sign messages on behalf of the group, with the added property that a group manager can revoke the credential or possibly strip the anonymity of corrupt members. In recent years group signatures have become an important privacy mechanism in real-world systems, most prominently in trusted hardware attestation such as Intel's SGX. Group signatures are the essential ingredient in Enhanced Privacy ID, or EPID, used for private attestation [18, 40]. Attestation is a process by which a hardware enclave running on a client device proves the authenticity of its execution environment to a remote party. EPID lets the client device attest without revealing its identity to the remote party. EPID is based on a group signature scheme [18] that is not post-quantum secure. An adversary who has access to a quantum computer could subvert the attestation process and break a hardware enclave's security in the worst possible way.

In light of the above, there is a strong interest in developing group signatures that are post-quantum secure. The safest way to ensure post-quantum security is to construct a group signature scheme using only symmetric primitives. This is analogous to constructing a standard (non-group) signature scheme from hash functions [10, 19, 23, 46, 47] to obtain a signature scheme whose post-quantum security is virtually assured.

Can we build efficient and secure group signatures from symmetric primitives? Bellare et al. [7] give a generic construction from a standard signature scheme, public-key encryption, and a non-interactive zero-knowledge (NIZK) proof. In this generic construction, the group manager adds a member to the group by signing that member's public key. The member can then sign messages anonymously by first using the private key to sign the message, and then computing a NIZK proof of knowledge of both this signature and the group manager's signature on the corresponding public key. This NIZK proof is the member's group signature. With some work, their framework can be adapted to support the EPID group signature definition of Brickell and Li [18] and to only use symmetric primitives. The NIZK can be built from the MPC-in-the-Head technique of Ishai et al. [4, 33, 39] using random oracles, and the standard signature scheme can also be built from one-way functions and collision-resistant hashing [10, 23, 34, 46]. Camenisch and Groth [20] give such a scheme from one-way functions and NIZKs. However, without careful optimization, this generic approach leads to very inefficient group signatures due to the need for NIZK proofs on complex circuits (the proof size and prover time of these NIZKs is proportional to the number of multiplication gates in the arithmetic circuit representing the statement).

1.1 Our Contributions

We construct a group signature scheme from symmetric primitives, and take a significant step towards reducing the signature size. Towards this goal, we build two group signature schemes.

Our first construction greatly reduces the size of the NIZK statement in the group signature by using PRFs instead of signatures wherever possible. In particular, we are able to replace the inner group member's signature in the generic approach with a PRF evaluation. Our construction does not treat the given primitives as a black box. Indeed, this is likely necessary by a separation result of Abdalla and Warinschi [1] which rules out black-box constructions for group signatures from one-way functions (under the Bellare et al. definition of group signatures [7]). Consequently, our scheme performs best when instantiated with NIZK-friendly PRFs and CRHFs. In particular, we evaluate the scheme using the LowMC cipher [3].

Next, we show how to significantly improve our group signature by adapting it to the specific real-world use case where signature verification requires an interaction with the group manager to ensure that the signer has not been revoked. We take advantage of this structure to dramatically reduce the signature size by moving many heavy verification steps outside of the NIZK, without compromising anonymity or affecting security. This significantly shrinks the signature size over the first construction. Along the way, we develop a technique for proving membership in a Merkle tree, without revealing the leaf location, using a third-preimage-resistant hash function (Section 5.4). This also provides an improvement to the recent post-quantum accumulators of Derler et al. [27].

Performance and use cases. In Section 5 we discuss options for instantiating our schemes, and measure the sizes of the resulting signatures under different security assumptions. For the circuit sizes needed inside NIZKs in our construction, ZKB++ [23] provides the most efficient proofs. We report sizes for both the Random Oracle and Quantum Random Oracle models [14], and find that our second group signature, designed for attestation, can support groups of over a million members with 3.45 MB signatures at 128-bit post-quantum security. While these signatures are not short, it is important to keep in mind that several megabytes of traffic for attestation is quite acceptable for many applications of trusted hardware, especially where the data transfer needs of the higher-level application dwarf the size of the attestation. One example is the case of analytics over large private data sets, an area of heavy investment, both in terms of research and financial resources [32, 52]. In this setting, nodes in a distributed network (or the server in a client-server setting) provide a single remote attestation and then exchange a great deal of data. As the quantity of data transferred exceeds millions of database records, the size of the initial attestation ceases to present a major bottleneck. The case of digital rights management (DRM), for which hardware enclaves such as Intel SGX seem particularly well-suited [25], is another setting where the size of our signatures is acceptable. Consider the common situation where a content provider wishes to stream a movie (easily a few gigabytes in size) to a subscriber while preventing redistribution or unauthorized viewing of copyrighted content [51, 53]. The few additional megabytes of an attestation do not matter next to a film or television series totaling several hundred times their size.

1.2 Additional Related Work

Group Signatures. Group signatures [24] allow members of a group to anonymously produce signatures on behalf of the group, with the added restriction that a group manager has the power to police the behavior of members, e.g. by revoking their group credentials or stripping their anonymity. The most frequently used definitions of group signatures are described by Bellare et al. [7, 8]. Subsequent work on group signatures has led to various schemes, for example, those of Lysyanskaya and Camenisch [21, 22], Boneh et al. [13, 15], and a scheme of Groth [38]. These constructions are not post-quantum secure.

Post-Quantum Signatures and Proofs. Lattice-based cryptography is a popular candidate for post-quantum security. Lattice group signatures were introduced by Gordon et al. [37] and extended in several subsequent works [42-45]. The resulting group signatures are shorter than the ones developed here, but rely on qualitatively stronger post-quantum assumptions. Another set of post-quantum tools come from the MPC-in-the-Head technique [39] for constructing zero-knowledge proofs. This idea has been extended by ZKBoo [33], ZKB++ [23], and Ligero [4]. In particular, Chase et al. use ZKB++ to construct two post-quantum signature schemes, Fish and Picnic [23]. The recent development of zk-STARKs [9] opens another avenue to post-quantum zero-knowledge proofs. In concurrent work, El Bansarkhani and Misoczki [5] describe a stateful group signature scheme based on hash functions. Their work features small signature sizes but large keys and focuses on a different definition of group signatures than that considered here.

Trusted Hardware and Attestation. Hardware enclaves, particularly Intel's SGX [25], have recently been used for a variety of security applications [31, 48]. One of the primary cryptographic components of SGX is its use of direct anonymous attestation, a primitive introduced by Brickell et al. [17] and which relies on group signatures. The EPID attestation mechanism currently in use by SGX is due to Brickell et al. [18, 40].

2 Preliminaries

Notation. Let $x \leftarrow F(y)$ denote the assignment of the output of $F(y)$ to $x$, and let $x \leftarrow_R S$ denote assignment to $x$ of a uniformly random element sampled from set $S$. We use $\lambda$ to refer to a security parameter and sometimes omit it if its presence is implicit. The notation $[k]$ represents the set of integers $1, 2, \ldots, k$, and $\emptyset$ denotes the empty set. We use $A^H$ to denote that $A$ has oracle access to some function $H$. A function $\mathrm{negl}(x)$ is negligible if for all $c > 0$, there is an $x_0$ such that for any $x > x_0$, $\mathrm{negl}(x) < 1/x^c$. We omit $x$ if the parameter is implicit. We use $f(x) \approx g(x)$ to mean that for two functions $f, g$, $|f(x) - g(x)| < \mathrm{negl}(x)$. PPT stands for probabilistic polynomial time. We use the notation $\mathrm{Func}_{A,B}\langle a, b \rangle$ to refer to a protocol Func between parties $A$ and $B$ with inputs $a$ and $b$, respectively. Finally, we allow algorithms to output $\bot$ to indicate failure.

Standard Primitives. In Appendix A we review the syntax for the standard cryptographic primitives used throughout the paper along with their security properties. In particular, we define pseudorandom functions, secure signatures, commitments, and collision resistant hashing.

Proof Systems. We briefly review the definitions of proof systems that we will need in later sections. The main notion we will use is that of a non-interactive zero knowledge proof of knowledge in the random oracle model. We use the definitions of [29], which modify prior common reference string-based definitions of non-interactive zero-knowledge for use in the Random Oracle Model.

Definition 1 (Non-interactive Proof System). A non-interactive proof system $\Pi$ for a relation $R$ consists of a prover algorithm that on input $x, w$ outputs a proof $\pi$ and a verifier algorithm that on input $x, \pi$ outputs a bit $b$. We say that $(P, V)$ is correct and sound if it satisfies the following properties:

$(x, w) \in R \implies V(x, P(x, w)) = 1$

$(x, w) \notin R \implies \Pr[V(x, P(x, w)) = 1] < \mathrm{negl}$ for any (potentially cheating) prover $P$.

For convenience and clarity of notation, we use $P(\mathrm{public}(\cdot), \mathrm{private}(\cdot), R)$ to indicate that the public parts of the input to a prover $P$ for relation $R$ correspond to the statement $x$ and that the private parts correspond to the witness $w$.

The zero-knowledge property [36] informally requires that a proof reveals nothing about $(x, w)$ except that $(x, w) \in R$. Formally, we model this property by describing a simulator that can provide a legitimate proof given only $x$ and not $w$. The simulator $S$ keeps a state $st$ and operates in two modes: one where it generates responses to random oracle queries and another where it generates the actual simulated proof. $S$ takes three inputs: the number 1 or 2 to indicate the mode, the state $st$, and either a random oracle query $q$ or a string $x$.

Definition 2 (Non-interactive Zero Knowledge [12]). Denote with $(S_1, S_2)$ the oracles such that $S_1(q)$ returns the first output of $(h, st) \leftarrow S(1, st, q)$ and $S_2(x, w)$ returns the first output of $(\pi, st) \leftarrow S(2, st, x)$ if $(x, w) \in R$. We say a protocol $(P^H, V^H)$, where $H$ is a hash function modeled as a random oracle, is a non-interactive zero knowledge (NIZK) proof for $R$ in the random oracle model if there exists a PPT simulator $S$ such that for all PPT distinguishers $D$ we have

$\Pr[D^{H(\cdot), P^H(\cdot, \cdot)}(1^\lambda) = 1] \approx \Pr[D^{S_1(\cdot), S_2(\cdot, \cdot)}(1^\lambda) = 1]$

where both the $P$ and $S_2$ oracles output $\bot$ if $(x, w) \notin R$.

Extractability, informally, is a strengthening of the soundness property that requires any acceptable proof to have an extractor algorithm that can efficiently recover $w$ with high probability given the ability to interact with the prover. We refer to Bellare and Goldreich [6] for a full definition. Simulation-sound extractability further strengthens the extractability requirement of proofs of knowledge to enable extracting a witness even after seeing many simulated proofs. The following notion is defined as weak simulation extractability by Faust et al. [29] because it allows the extractor to rewind the adversary and see the responses to simulator queries, but it suffices for our purposes.

Definition 3 (Simulation-sound Extractability [29]). Consider a NIZK proof system $(P^H, V^H)$ for $R$ with zero-knowledge simulator $S$. Denote with $(S_1, S_2)$ the oracles such that $S_1(q)$ returns the first output of $(h, st) \leftarrow S(1, st, q)$ and $S_2(x, w)$ returns the first output of $(\pi, st) \leftarrow S(2, st, x)$ if $(x, w) \in R$. We say $(P^H, V^H)$ is simulation-sound extractable with extraction error $\nu$ and with respect to $S$ in the random oracle model, if for all PPT adversaries $A$ there exists an efficient algorithm $E_A$ with access to the answers $T_H, T$ of $(S_1, S_2)$ respectively such that the following holds. Let

$\mathrm{acc} = \Pr[(x^*, \pi^*) \leftarrow A^{S_1(\cdot), S_2(\cdot)}(1^\lambda) : (x^*, \pi^*) \notin T,\ V^{S_1}(x^*, \pi^*) = 1],$

$\mathrm{ext} = \Pr[(x^*, \pi^*) \leftarrow A^{S_1(\cdot), S_2(\cdot)}(1^\lambda),\ w^* \leftarrow E_A(x^*, \pi^*, T_H, T) : (x^*, \pi^*) \notin T,\ (x^*, w^*) \in R],$

where the probability in both cases is taken over the random choices of $S$ and the adversary's random tape. Then, there exists a constant $d > 0$ and a polynomial $p$ such that whenever $\mathrm{acc} \geq \nu$, we have that $\mathrm{ext} \geq \frac{1}{p}(\mathrm{acc} - \nu)^d$.

Definition 4 (Simulation-Sound Extractable Non-interactive Zero Knowledge Proof of Knowledge). We say a non-interactive proof system is a simulation-sound extractable non-interactive zero knowledge proof of knowledge in the random oracle model if it has the correctness, zero-knowledge, and simulation-sound extractability properties defined above.

3 Post-Quantum EPID Group Signatures

In this section we describe and prove the security of our first post-quantum group signature scheme.

3.1 EPID Group Signatures: Definitions

We construct our group signature to match the syntax and security requirements as defined by Brickell and Li [18]. First, anonymity must ensure that the group manager colluding with any number of group members cannot uncover the identity of the signer. In particular, we do not want the group manager to have a tracing key that lets it compromise a group member's identity from a group signature. Nevertheless, we will later briefly explain how to extend our scheme to achieve traceability, if desired.

Second, we want a revocation property where a group manager can revoke a user's ability to sign by either: adding a revoked user's leaked signing key to a revocation list KEY-RL, or adding a revoked user's group signature to a revocation list SIG-RL. A user is revoked if its key is included in the list KEY-RL, or if any of its signatures are included in the list SIG-RL. With this setup, we define the syntax and security properties for a group signature scheme as follows.

Definition 5 (Group Signature). A group signature scheme $G$ involving a group manager $M$ and $n$ group members, parties $P_1$ to $P_n$, consists of algorithms Init, Join, GPSign, GPVerify, RevokeKey and RevokeSig:

- $(gsk, gpk) \leftarrow \mathrm{Init}(1^\lambda)$: This algorithm takes as input a security parameter $1^\lambda$ and outputs a key pair $(gsk, gpk)$.
- $\langle cert, (sk, cert) \rangle \leftarrow \mathrm{Join}_{M,P}\langle (gsk, gpk), gpk \rangle$: This is a protocol between the group manager and a group member $P$ where each party has its keys as input, and both parties get party $P$'s certificate as output. $P$ also gets its secret key $sk$ as an output.
- $\bot / sg \leftarrow \mathrm{GPSign}(gpk, sk, cert, m, \text{SIG-RL})$: This algorithm takes as input the public key, a signature revocation list SIG-RL, and party $P$'s secret key and certificate. The output is a group signature $sg$.
- $1/0 \leftarrow \mathrm{GPVerify}(gpk, m, \text{KEY-RL}, \text{SIG-RL}, sg)$: This algorithm verifies a group signature $sg$ on a message $m$ given the group public key and key/signature revocation lists KEY-RL, SIG-RL. It outputs 1 to accept the signature and 0 to reject it.
- $\text{KEY-RL}' \leftarrow \mathrm{RevokeKey}(gpk, \text{KEY-RL}, sk')$: This algorithm adds a secret key $sk'$ to a key revocation list, so signatures created with this key will no longer be accepted.
- $\text{SIG-RL}' \leftarrow \mathrm{RevokeSig}(gpk, \text{KEY-RL}, \text{SIG-RL}, m, sg)$: This algorithm adds a signature $sg$ to a signature revocation list, so signatures created with the same key as $sg$ will no longer be accepted.

The algorithms must satisfy Correctness (Definition 6), Anonymity (Definition 9), and Unforgeability (Definition 12), which differ only on minor points from those of EPID [18]. We only need one direction of the correctness definition of [18] because unforgeability implies the other direction. That is, we require that if a group member has successfully completed the Join procedure and neither its key nor any of its signatures have been revoked, then that group member's signatures should successfully verify.

Definition 6 (Correctness). Let $\Sigma$ be the set of signatures issued by group member $P$ who has successfully run the Join procedure in group signature scheme $G$ with security parameter $\lambda$. $G$ is correct if and only if

$sk \notin \text{KEY-RL} \wedge \Sigma \cap \text{SIG-RL} = \emptyset \implies \Pr[\mathrm{GPVerify}(gpk, m, \text{KEY-RL}, \text{SIG-RL}, \mathrm{GPSign}(gpk, sk, cert, m, \text{SIG-RL})) \neq 1] < \mathrm{negl}(\lambda)$

Next, we define anonymity via the Anonymity game. Informally, the property of being Anonymous requires that signatures in $G$ hide the identity of the signer against any coalition of group members (including the group manager) except the signer herself. The definition of anonymity also implies notions of unlinkability between a signer and her signatures. The strongest possible definition of anonymity, the full-anonymity of Bellare et al. [7] which provides anonymity even against the signer herself, cannot be attained in our setting because we wish to support revocation. Revocation is incompatible with full-anonymity because the compromise of a user $P$ in the full-anonymity game would reveal $sk$, the information needed to revoke $P$'s credentials, to the adversary. If revocation were possible, the adversary could then, on its own, build a revocation list that includes only $P$ and use it to determine whether $P$ signed a particular message or not by checking whether the signature verifies.

Admissible adversaries. The security games for both anonymity (Definition 7) and existential unforgeability (Definition 10) follow the standard practice of defining admissible adversaries whose behavior we restrict merely in order to simplify the presentation of the main game. We stress that defining an admissible adversary is not the same as a semi-honest adversary. In each of our games it is easy to see that any deviation from each admissibility criterion could be trivially detected by the challenger (in either experiment) and rejected so that the adversary does not gain any distinguishing advantage. Therefore, restricting to these admissible adversaries is without loss of generality, i.e. does not weaken the adversary.

Definition 7 (Anonymity Experiment). The anonymity experiment denoted by $\mathrm{ANON}[A, \lambda, b]$ with security parameter $\lambda$ is played between adversary $A$ and challenger $C$ who is given input $b$.

1. Setup. Adversary $A$ chooses $(gpk, gsk)$ [1] and sends $gpk$ to challenger $C$.
2. Unrestricted Queries. $A$ is allowed to make as many of the following queries to $C$ as it wants:
   - Join. $A$ requests creation of a new group member $P_i$. $C$ runs $\mathrm{Join}_{A,P_i}\langle (gsk, gpk), gpk \rangle$ with $C$ playing the role of $P_i$, so that $A$ gets $cert_i$ and $C$ gets $(sk_i, cert_i)$.
   - Sign. $A$ requests a signature on a message $m$ from party $P_i$ relative to a signature revocation list SIG-RL of its choosing, constructed from any subset of signatures it has received thus far in the game. $C$ computes $sg \leftarrow \mathrm{GPSign}(gpk, sk_i, cert_i, m, \text{SIG-RL})$ and sends it to $A$.
   - Corrupt. $A$ requests the private key of $P_i$. $C$ sends $sk_i$.
3. Challenge. $A$ sends $C$ a message $m^*$, a signature list $\text{SIG-RL}^*$ and two group member numbers $i_0$ and $i_1$. $C$ computes $sg^* = \mathrm{GPSign}(gpk, sk_{i_b}, cert_{i_b}, m^*, \text{SIG-RL}^*)$, and sends $sg^*$ to $A$.
4. Restricted Queries. $A$ can make additional queries to $C$ as above.
5. Output. $A$ outputs $b'$. $\mathrm{ANON}[A, \lambda, b]$ outputs the value $b'$ returned by $A$ at the end of the game.

Definition 8 (Admissible Anonymity Adversary). An adversary $A$ is admissible for $\mathrm{ANON}[A, \lambda, b]$ if it satisfies the following criteria:

- only makes Sign or Corrupt queries on parties that have already participated in a Join and does not make Join queries on parties that have already participated in a Join.
- only sends legitimate certificates $cert_i$ in the join phase (well-formed according to the protocol, e.g. signatures verify, over the correct values).
- chooses parties $P_{i_0}$ and $P_{i_1}$ that have already participated in a Join.
- chooses parties $P_{i_0}$ and $P_{i_1}$ that have not been corrupted and whose signatures have never appeared in a revocation list.
- makes no Corrupt queries on $P_{i_0}$ or $P_{i_1}$ in the Restricted Queries stage.
- never includes $sg^*$ in SIG-RL during the Restricted Queries stage.

[1] Note that the adversary may choose these keys arbitrarily and may even cause the join protocol to fail as a result. However, it is easy to see that in our construction this will affect the adversary's view in both experiments equally (implicit in our security proof

Definition 9 (Anonymous). Group signature scheme $G$ is Anonymous if no admissible PPT adversary can win the Anonymity game with greater than negligible advantage. That is, if the quantity

$|\Pr[\mathrm{ANON}[A, \lambda, 0] = 1] - \Pr[\mathrm{ANON}[A, \lambda, 1] = 1]| \leq \mathrm{negl}(\lambda)$

for any admissible PPT $A$.

Finally, we define unforgeability. Our unforgeability game consists of an adversary who can add arbitrary parties to a group and corrupt arbitrarily many members of a group. Security holds if this adversary cannot forge the signature of an uncorrupted party on a message of its own choosing.

Definition 10 (Unforgeability Experiment). The unforgeability experiment $\mathrm{FORGE}[A, \lambda]$ with security parameter $\lambda$ is played between adversary $A$ and challenger $C$.

1. Setup. $C$ computes $(gpk, gsk) \leftarrow \mathrm{Init}(1^\lambda)$ and sends $gpk$ to $A$. $C$ creates a set $U$ of corrupted parties and initializes it as $U = \emptyset$.
2. Queries. $A$ is allowed to make as many of the following queries to $C$ as it wants.
   - Join. $A$ requests creation of a new group member $P_i$. One of two cases follows:
     i. $C$ runs Join internally, adding a new party $P_i$ to the group and keeping $sk_i, cert_i$. $C$ also sends $cert_i$ to $A$.
     ii. $C$ and $A$ run $\mathrm{Join}_{C,P_i}\langle (gsk, gpk), gpk \rangle$ with $A$ playing the role of $P_i$, so that $C$ gets $cert_i$ and $A$ gets $(sk_i, cert_i)$. $A$ then sends $sk_i$ to $C$ who then appends $i$ to $U$.
   - Sign. $A$ requests a signature on a message $m$ from party $P_i$ relative to a signature revocation list SIG-RL of its choosing, constructed from any subset of signatures it has received thus far in the game. $C$ computes $sg \leftarrow \mathrm{GPSign}(gpk, sk_i, cert_i, m, \text{SIG-RL})$ and sends it to $A$.
   - Corrupt. $A$ requests the secret key of party $P_i$. $C$ appends $i$ to $U$ and sends $sk_i$ to $A$.
3. Forgery. $A$ outputs a message $m^*$, revocation lists $\text{KEY-RL}^*$ and $\text{SIG-RL}^*$, and a signature $sg^*$. $\mathrm{FORGE}[A, \lambda]$ outputs 1 ($A$ wins the unforgeability game) if $\mathrm{GPVerify}(gpk, m^*, \text{KEY-RL}^*, \text{SIG-RL}^*, sg^*) = 1$ and for every $i \in U$, either $sk_i \in \text{KEY-RL}^*$ or a signature $sg_i$ of $P_i$ signs a message in $\text{SIG-RL}^*$. Otherwise, it outputs 0.

Definition 11 (Admissible Unforgeability Adversary). An adversary $A$ is admissible for $\mathrm{FORGE}[A, \lambda]$ if it satisfies the following criteria:

- only makes Sign or Corrupt queries on parties that have already participated in a Join.
- does not make Join queries on parties that have already participated in a Join.
- only sends legitimate values for $sk_i$ in the join phase. That is, $sk_i$ should correspond to the certificate that $C$ issues for it.
- does not obtain $sg^*$ by making a Sign query on $m^*$.

Definition 12 (Unforgeable). Group signature scheme $G$ is Unforgeable if no admissible PPT adversary can win the Unforgeability game with greater than negligible probability. That is, if the quantity $\Pr[\mathrm{FORGE}[A, \lambda] = 1] \leq \mathrm{negl}(\lambda)$ for any admissible PPT $A$.

3.2 Group Signature Construction I

Our construction uses a standard (non-group) signature scheme where each group member has its own key pair and a certificate from the group manager. Instead of signature keys, however, we construct our scheme so that each group member has a unique PRF secret key that will be used to issue group signatures. As we will see, this leads to significant savings over the general framework of Bellare et al. [7]. We still need a signature scheme for the group manager to produce certificates, but the NIZK proof is done over a circuit that verifies a single signature (the group manager's) along with a few evaluations of the PRF. The signature scheme can be instantiated using a stateful hash-based signature.

Collision Resistant PRF. We state and prove security of our scheme using a function $f : K \times X \to Y$ that is both a secure PRF and a collision resistant function. In fact, it suffices that $f$ be collision-resistant on the keyspace, meaning that for a target input $x \in X$ chosen by the adversary, it should be hard to find $k_0 \neq k_1 \in K$ such that $f(k_0, x) = f(k_1, x)$. We explain how to construct an MPC-friendly function with this property in Section 5.

Construction 13 (Group Signature). Our group signature scheme $G = (\mathrm{Init}, \mathrm{Join}, \mathrm{GPSign}, \mathrm{GPVerify}, \mathrm{RevokeKey}, \mathrm{RevokeSig})$ with security parameter $\lambda$ uses a signature scheme $S = (\mathrm{Keygen}, \mathrm{Sign}, \mathrm{Verify})$, a proof system $\Pi = (P, V)$, and a PRF $f$ that also serves as a collision-resistant hash function.

$\mathrm{Init}(1^\lambda)$: Group manager $M$ runs $\mathrm{Keygen}(1^\lambda)$ to get $(gpk, gsk)$ and outputs this tuple ($gpk$ is published and $gsk$ kept secret).

$\mathrm{Join}_{M,P}\langle (gsk, gpk), gpk \rangle$:
- Group manager $M$ sends challenge $c$ to member $P$.
- $P$ chooses $sk \leftarrow_R \{0, 1\}^\lambda$ and sends $t_{join} = f(sk, c)$ back to $M$.
- $M$ produces signature $\sigma = \mathrm{Sign}(gsk, (t_{join}, c))$, constructs $cert = (t_{join}, c, \sigma)$, and sends a copy to $P$. If the signature scheme is stateful, then algorithm Join must maintain a counter that is incremented for every user who joins the group.
- The group member's private key is $sk$ and both parties get copies of $cert$.

$\mathrm{GPSign}(gpk, sk, cert, m, \text{SIG-RL})$: Compute the following and output $sg$:
- $r \leftarrow_R \{0, 1\}^\lambda \setminus \{c\}$
- $t \leftarrow (f(sk, r), r)$
- $\pi \leftarrow P(\mathrm{public}(\lambda, m, gpk, t, \text{SIG-RL}, \text{KEY-RL}), \mathrm{private}(sk, cert), R_1)$
- $sg \leftarrow (t, \pi)$.

We define the relation $R_1$ in the proof of knowledge $\pi$ for $(sk, cert)$ to be true when the following statements hold:
- $t = (f(sk, r), r)$
- $r \neq c$
- $\mathrm{Verify}(gpk, (t_{join}, c), \sigma) = 1$
- $t_{join} = f(sk, c)$
- for each $sg_j \in \text{SIG-RL}$, $t_{sg_j} \neq (f(sk, r_{sg_j}), r_{sg_j})$

$\mathrm{GPVerify}(gpk, m, \text{KEY-RL}, \text{SIG-RL}, sg)$:
- Verify proof $\pi$: check $V((\lambda, m, gpk, t, \text{SIG-RL}, \text{KEY-RL}), \pi) = 1$.
- For each $sk_j \in \text{KEY-RL}$, check that $t \neq (f(sk_j, r), r)$.
- Check that $sg \notin \text{SIG-RL}$.
- Output 1 if all of the above checks pass; otherwise, output 0.

$\mathrm{RevokeKey}(gpk, \text{KEY-RL}, sk')$: Return $\text{KEY-RL} \cup \{sk'\}$.

$\mathrm{RevokeSig}(gpk, \text{KEY-RL}, \text{SIG-RL}, m, sg)$: Return $\text{SIG-RL} \cup \{sg\}$ if $\mathrm{GPVerify}(gpk, m, \text{KEY-RL}, \text{SIG-RL}, sg) = 1$. Otherwise, return SIG-RL.

Performance. We discuss concrete instantiations of this scheme, and their performance, in Section 5.

Revocation. Although the difference between the two forms of revocation does not affect our scheme's security, the effect of revocation differs in practice depending on whether a group member is revoked by key or by signature. A revocation by key renders all signatures, past or future, invalid for that user, whereas a revocation by signature only applies to future signatures because past signatures need to be verified with respect to the SIG-RL in place at the time of signing. This does not matter for the purposes of the security game because the attempted forgery is always the last signature produced in the game. For the same reason, the decision to include the check that $sg \notin \text{SIG-RL}$ during GPVerify does not affect security for the purpose of the proof and can be omitted. We include it only to better capture behavior that may be expected of revocation in practice.

Traceable Signatures. Our approach can also be used to achieve traceable signatures. Traceability requires that the group manager have the power to learn the identity of a signer. We presented our scheme without a tracing property in order to guarantee a stronger anonymity property against the group manager, but a similar approach could be used to achieve traceability.
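To make Construction 13 and the two revocation modes concrete, here is an added Python model that is not the paper's code: HMAC-SHA256 stands in for the PRF f, a Lamport one-time signature with a join counter stands in for the manager's stateful hash-based signature scheme S, and, because a NIZK is out of scope for a short example, the proof π is modelled by handing the witness (sk, cert) to a verifier that evaluates R_1 directly, so the model shows the correctness and revocation checks but not zero knowledge. All names, classes and sample values below are constructed for this example.

```python
import hashlib
import hmac
import os
LAMBDA = 32  # security parameter in bytes (256-bit)

def H(data):
    return hashlib.sha256(data).digest()

def f(key, x):
    # PRF f(k, x): HMAC-SHA256 stands in for the paper's NIZK-friendly PRF (assumption)
    return hmac.new(key, x, hashlib.sha256).digest()

# Lamport one-time signatures play the group manager's stateful hash-based scheme S
def lamport_keygen():
    sk = [(os.urandom(LAMBDA), os.urandom(LAMBDA)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def lamport_sign(sk, msg):
    h = H(msg)
    return [sk[i][(h[i // 8] >> (7 - i % 8)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    h = H(msg)
    return all(H(sig[i]) == pk[i][(h[i // 8] >> (7 - i % 8)) & 1] for i in range(256))

class GroupManager:
    def __init__(self, max_members):
        # Init: one one-time key per slot; gpk = public halves, gsk = secret halves + counter
        keys = [lamport_keygen() for _ in range(max_members)]
        self.gsk = [sk for sk, _ in keys]
        self.gpk = [pk for _, pk in keys]
        self.counter = 0  # state of the hash-based signature: next unused slot

    def join(self, member):
        c = os.urandom(LAMBDA)                 # challenge sent to the member
        t_join = member.respond(c)             # member answers t_join = f(sk, c)
        idx, self.counter = self.counter, self.counter + 1
        sigma = lamport_sign(self.gsk[idx], t_join + c)
        member.cert = (t_join, c, idx, sigma)  # cert = (t_join, c, sigma); idx names the slot
        return member.cert

class Member:
    def __init__(self):
        self.sk = os.urandom(LAMBDA)
        self.cert = None

    def respond(self, c):
        return f(self.sk, c)

    def gp_sign(self, m, sig_rl):
        r = os.urandom(LAMBDA)
        t = (f(self.sk, r), r)
        # MODEL ONLY: the NIZK proof for R_1 is replaced by the witness itself so the
        # verifier can evaluate R_1 directly; a real proof reveals nothing about (sk, cert)
        return (t, (self.sk, self.cert))

def relation_R1(gpk, t, sig_rl, sk, cert):
    # The statement behind pi: t is a PRF tag under a certified key that is not on SIG-RL
    t_join, c, idx, sigma = cert
    y, r = t
    return (y == f(sk, r) and r != c
            and lamport_verify(gpk[idx], t_join + c, sigma)
            and t_join == f(sk, c)
            and all(t_j != (f(sk, t_j[1]), t_j[1]) for t_j, _ in sig_rl))

def gp_verify(gpk, m, key_rl, sig_rl, sg):  # m is bound only by the real NIZK statement
    t, (sk, cert) = sg
    if not relation_R1(gpk, t, sig_rl, sk, cert):     # stands in for V(statement, pi) = 1
        return False
    r = t[1]
    if any(t == (f(sk_j, r), r) for sk_j in key_rl):  # key revocation check
        return False
    return sg not in sig_rl                            # signature revocation check

def revoke_key(key_rl, sk):
    return key_rl + [sk]

def revoke_sig(gpk, key_rl, sig_rl, m, sg):
    return sig_rl + [sg] if gp_verify(gpk, m, key_rl, sig_rl, sg) else sig_rl

def demo():
    gm, alice, bob = GroupManager(4), Member(), Member()
    for member in (alice, bob):
        gm.join(member)
    m = b"enclave attestation report (constructed sample)"
    key_rl, sig_rl = [], []
    s1 = alice.gp_sign(m, sig_rl)
    out = {"fresh_sig_ok": gp_verify(gm.gpk, m, key_rl, sig_rl, s1)}
    sig_rl = revoke_sig(gm.gpk, key_rl, sig_rl, m, s1)  # revoke Alice by signature
    out["revoked_signer_fails"] = gp_verify(gm.gpk, m, key_rl, sig_rl, alice.gp_sign(m, sig_rl))
    out["other_member_ok"] = gp_verify(gm.gpk, m, key_rl, sig_rl, bob.gp_sign(m, sig_rl))
    # s1 still verifies against the SIG-RL that was in place when it was produced
    out["old_sig_ok_vs_old_list"] = gp_verify(gm.gpk, m, key_rl, [], s1)
    key_rl = revoke_key(key_rl, alice.sk)               # revoke by key: past signatures die too
    out["old_sig_fails_after_key_revoke"] = gp_verify(gm.gpk, m, key_rl, [], s1)
    mallory = Member()                                  # outsider reusing Alice's certificate
    mallory.cert = alice.cert
    out["forged_cert_fails"] = gp_verify(gm.gpk, m, [], [], mallory.gp_sign(m, []))
    return out
```

Running demo() walks through join, signing, signature revocation (the revoked member's later signatures fail while its earlier signature still verifies against the old SIG-RL) and key revocation (the earlier signature is now rejected too).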
The group manager could gve each group member a sgned secret token sk, and every sgnature would nclude the token t = (f(sk, r ), r ), for a newly pcked random r, along wth a proof of knowledge of a sgnature on sk. Now the group manager can trace a sgnature by tryng to reconstruct t wth the value of sk for each sgner, but anonymty wll stll hold aganst any other group member. Despte beng able to provde both traceablty and anonymty, such a constructon does not mply publc-key encrypton va the result of [1] because our anonymty defnton does not provde prvacy aganst the sgner herself, a requrement of full-anonymty as defned by Bellare et al [7]. Camensch and Groth [20] also gve a traceable group sgnature scheme from one-way functons and NIZKs. Although ther scheme can be nstantated under the same assumptons as ours, they (loosely speakng) nclude a commtment to a credental for each group member n ther publc key 10

11 and gve a proof of knowledge that a sgnature corresponds to one of those credentals. By avodng ths cost, our scheme shrnks both the publc key sze and sgnature sze by a factor O(N). Our publc key can also be publshed at group ntalzaton tme before any members have joned the group. 3.3 Securty proof We now prove the securty of our group sgnature scheme. Correctness follows almost mmedately from the constructon wth the caveat that we must ensure that the revocaton checks do not accdentally cause a sgnature from a legtmate key to be rejected. Theorem 14. Assumng the correctness of sgnature scheme S and proof system Π and the pseudorandomness of f, G s a correct group sgnature scheme. Proof. Correctness follows from the constructon. A group member that s not affected by revocatons of ether form has all the necessary nformaton to produce a sgnature that wll verfy, gven that the sgnature and the proof system also have correctness. Then t only remans to show that an unrevoked sgnature or key sk wll not accdentally satsfy the relaton (f(sk, r), r) = (f(sk j, r ), r ) for some revoked key sk j or sgnature wth key/randomness par (sk j, r). We call these events BAD-KEY and BAD-SIG respectvely and argue, usng the fact that f s a PRF, that they occur wth neglgble probablty over the choces of sk, sk j, r, and r. We wll only show the proof for the case of BAD-KEY because the proof for BAD-SIG proceeds analogously. Consder the transcrpt T = (t 0,..., t k ) of k (polynomal n λ) responses to queres on f made up of f(sk j, r) for all sk j KEY-RL as well as f(sk, r). The event BAD-KEY occurs exactly when there exsts some j such that f(sk j, r) = f(sk, r). We can show that T s ndstngushable from a lst of random strngs by a seres of hybrds, where each successve hybrd replaces the next PRF output wth a random strng. Each hybrd wll be ndstngushable from the next by the securty of f. 
Ths s the case because an adversary who can dstngush between the lst wth PRF output t and the same lst where t s replaced by random strng t can be gven a lst wth the output of a purported PRF n poston and determne whether that strng s the output of a PRF or a truly random functon. Call the fnal hybrd T = (t 0,..., t k ). The probablty of BAD-KEY n ths hybrd s equal to the probablty that the random strng t k = t j for some j [k 1]. Ths s neglgble n the securty parameter λ, completng the proof. Next, we show that our group sgnature scheme provdes anonymty. Ths property follows from the zero-knowledge and pseudorandomness propertes of the prmtves used n our constructon. A full proof follows. Theorem 15. Assumng that Π s a zero-knowledge proof system and that f s a PRF, G s an anonymous group sgnature scheme. Proof. We proceed by a seres of hybrds and begn by descrbng our hybrds. In the followng, let x 0 and x 1 be dstnct elements of [N], where N s an upper bound on the number of group members. N s necessarly polynomal n λ because the adversary A s effcent. H 0 [x 0, x 1 ]: The real anonymty experment, ANON[A, λ, 0] (Defnton 7) run wth an admssble adversary A, except that we abort f A does not choose 0 = x 0 and 1 = x 1 n the Challenge phase of the anonymty game. 11

H_1[x_0, x_1]: Same as the previous hybrid, but with the proof of knowledge π always replaced with the output of its simulator. This is indistinguishable from the previous hybrid by the zero-knowledge property of the proof.

H_2[x_0, x_1]: Same as the previous hybrid, but for group member P_{x_0} the output of f(sk_{x_0}, ·) is replaced by a random string. This is indistinguishable from the previous hybrid by the PRF security of f.

H_3[x_0, x_1]: Same as the previous hybrid, but for group member P_{x_1} the output of f(sk_{x_1}, ·) is also replaced by a random string. This is indistinguishable from the previous hybrid by the PRF security of f.

Indistinguishability between hybrids H_0[x_0, x_1] and H_1[x_0, x_1] follows immediately from the zero-knowledge property of the proof π, so we omit this proof. Next, we prove indistinguishability between the remaining hybrids.

Lemma 1. Assuming that f is a PRF, the outputs of H_1[x_0, x_1] and H_2[x_0, x_1] are indistinguishable.

Proof. We use an adversary A that distinguishes between the outputs of H_1[x_0, x_1] and H_2[x_0, x_1] to construct an adversary B that wins the PRF security game. B acts as the challenger in the anonymity game of H_1[x_0, x_1] and simultaneously plays the PRF security game with a PRF security game challenger. It reproduces the anonymity game for H_1[x_0, x_1] exactly, except that it replaces any queries to f(sk_{x_0}, ·) by queries to the PRF security game challenger (with a 0 prepended to the input). B then passes on the output of A as its own output.

Notice that in the anonymity game of H_1[x_0, x_1] the key sk_{x_0} is only used by the challenger to respond to queries for f(sk_{x_0}, ·) (because the proof π has already been replaced by a simulated string). In particular, sk_{x_0} is never given to the adversary A. Therefore, in the case that the PRF challenger is using a PRF on a randomly sampled key, B provides a perfect simulation of H_1[x_0, x_1] for A. In the case that the PRF challenger is using a random function, B provides a perfect simulation of H_2[x_0, x_1]. If the output of A distinguishes these two cases w.h.p., then B is able to win the PRF security game, contradicting the PRF security assumption.

Lemma 2. Assuming that f is a PRF, the outputs of H_2[x_0, x_1] and H_3[x_0, x_1] are indistinguishable.

Proof. We use an adversary A that distinguishes between the outputs of H_2[x_0, x_1] and H_3[x_0, x_1] to construct an adversary B that wins the PRF security game. B acts as the challenger in the anonymity game of H_2[x_0, x_1] and reproduces it exactly, except that any queries to f(sk_{x_1}, ·) are replaced by queries to the PRF security game challenger (with a 1 prepended to the input). B then passes on the output of A as its own output. Note that B provides a perfect simulation of either H_2[x_0, x_1] or H_3[x_0, x_1], depending on whether the PRF challenger uses a PRF or a random function. As such, the output of B determines whether it was interacting with a PRF or a random function, and B wins the PRF security game.

By Lemmas 1 and 2, we have shown that H_0[x_0, x_1] is indistinguishable from H_3[x_0, x_1]. We can define corresponding hybrids H'_0 through H'_2[x_0, x_1], with accompanying indistinguishability proofs, starting from ANON[A, λ, 1]. Note that this implies that hybrids H_0[x_0, x_1] and H'_0[x_0, x_1] are indistinguishable.

That is, for all admissible PPT adversaries A,

$$\left|\Pr[\mathrm{ANON}[A,\lambda,0]=1 \mid i_0 = x_0,\ i_1 = x_1] - \Pr[\mathrm{ANON}[A,\lambda,1]=1 \mid i_0 = x_0,\ i_1 = x_1]\right| < \mathrm{negl}(\lambda).$$

Now it only remains to show that the probability that i_0 = x_0, i_1 = x_1 is polynomial in λ to complete the proof of anonymity. If we choose x_0, x_1 ←R [N], we will have that Pr[x_0 = i_0] = 1/N and Pr[x_1 = i_1] = 1/N because x_0, x_1 are chosen independently of A. So the probability that i_0 = x_0, i_1 = x_1 is 1/N^2, which is polynomial in λ because N, an upper bound on the group size, is polynomial in λ. Thus we have that

$$\frac{1}{N^2}\left|\Pr[\mathrm{ANON}[A,\lambda,0]=1] - \Pr[\mathrm{ANON}[A,\lambda,1]=1]\right| < \mathrm{negl}(\lambda)$$

$$\left|\Pr[\mathrm{ANON}[A,\lambda,0]=1] - \Pr[\mathrm{ANON}[A,\lambda,1]=1]\right| < N^2 \cdot \mathrm{negl}(\lambda).$$

Since N^2 · negl(λ) is still negligible in λ, this completes the proof.

Finally, we show that our group signature scheme is unforgeable. Intuitively, unforgeability comes from the fact that in order to produce a valid signature without the endorsement of the group manager, an attacker must guess a group member's unrevoked secret key.

Theorem 16. Assuming that Π is a zero-knowledge proof of knowledge proof system with simulation-sound extractability, S is an unforgeable signature scheme, f is a PRF, and f is additionally a collision-resistant hash function, G is an unforgeable group signature scheme.

Proof. We proceed by a series of hybrids and begin by describing them:

H_0: The real unforgeability game FORGE[A, λ], run with an admissible adversary A.

H_1: Same as the previous hybrid, but we also run the extractor on each hidden value in the proof of knowledge π from the forgery and output 0 (i.e. the adversary loses) if the extractor fails. This is indistinguishable from the previous world by the extractability property of the proof of knowledge.

H_2: Same as the previous hybrid, but we output 0 (i.e. the adversary loses) if the values (t_join, c_i) extracted from the forgery are not from a certificate issued by the group manager. This is indistinguishable from the previous world by the unforgeability of signature scheme S.

H_3: Same as the previous hybrid, but we abort if there exists a j ∈ U, that is, a party P_j in the set of corrupted group members, such that for the cert extracted from the forgery, t_join = f(sk_j, c_i). This is indistinguishable from the previous world by the collision-resistance of f.

Indistinguishability between hybrids H_0 and H_1 follows immediately from the extractability of π. We therefore omit this proof. Next, we prove indistinguishability between the remaining hybrids.

Lemma 3. Assuming that S is an unforgeable signature scheme, the outputs of H_1 and H_2 are indistinguishable.

Proof. Note that so long as the cert extracted from adversary A's forgery contains values (t_join, c_i) from a certificate issued by the group manager, the outputs of H_1 and H_2 are identical, so the only case in which the two distributions differ is when Verify(gpk, (t_join, c_i), σ_i) = 1 and (t_join, c_i) were not issued by the group manager (and the adversary wins). Call this event F. We will show that F occurs with at most negligible probability.

We build an adversary B for S's unforgeability game that wins with non-negligible probability if Pr[F] > negl(λ). B acts as the challenger in the group signature unforgeability game H_2 and reproduces it exactly, except that any signing queries to Sign(gsk, ·) are sent to the unforgeability game for S. As its forgery, B outputs the value t_join extracted from adversary A's group signature forgery. B wins S's unforgeability game exactly when event F occurs. Thus, if F occurs with more than negligible probability, B breaks the unforgeability of signature scheme S. Since S is an unforgeable signature scheme, F must occur with at most negligible probability, so the outputs of H_1 and H_2 differ with at most negligible probability.

Lemma 4. Assuming that f is a collision-resistant hash function, the outputs of H_2 and H_3 are indistinguishable.

Proof. Note that so long as there is no j ∈ U such that, for the cert extracted from the forgery, t_join = f(sk_j, c_i), the outputs of H_2 and H_3 are identical, so the only case in which the two distributions differ is when there does exist such a j and the adversary A successfully outputs a forgery. Call this event F. We will show that F occurs with at most negligible probability.

Since it is possible for j ∈ U to be revoked by key or by signature, we show only the case where the group member P_j is revoked by key. The case for revocation by signature is analogous. Let t* be the value of t extracted from A's forgery. In order for event F to occur, the adversary must produce a value sk* such that (f(sk*, r), r) = t* ≠ (f(sk_j, r), r) and f(sk*, c_i) = t_join = f(sk_j, c_i).

We build an adversary B that breaks the collision-resistance of f when event F occurs with greater than negligible probability. B acts as the challenger in the group signature unforgeability game H_2. At the conclusion of the game, if there exists a group member P_j as defined in H_3, B outputs the values (sk*, c_j) and (sk_j, c_j), where sk* is extracted from A's forgery and sk_j is found by a linear search over the compromised group member keys, as its candidate collision for f. Otherwise, it fails to output a collision. B outputs a successful collision on f whenever event F occurs. Thus, if F occurs with greater than negligible probability, B breaks the collision-resistance of f on t_join for member P_j. Since f is collision-resistant, F must occur with at most negligible probability, so the outputs of H_2 and H_3 differ with only negligible probability.

By Lemmas 3 and 4, we have shown that FORGE[A, λ] is indistinguishable from H_3. Now we show how to use an adversary A who successfully outputs a forgery in H_3 with non-negligible probability to construct an adversary B that breaks the PRF security of f, completing the proof.

Adversary B begins by picking a value n ←R [N], where N is an upper bound on the number of members in the group. Then B acts as the challenger in the unforgeability game of H_3 and reproduces it exactly, except that any queries to f(sk_n, ·) are replaced by queries to the PRF security game challenger, and any proofs using sk_n are replaced with simulations (indistinguishable from the real proofs by

the simulation-sound extractability of the proof system). Let F_PRF be the function computed by the PRF challenger. If the certificate cert* extracted from A's forgery is not equal to cert_n, B aborts. Otherwise, for the value r used in A's forgery, B queries the PRF challenger on r to get the response F_PRF(r). If F_PRF(r) = f(sk*, r), where sk* is the key extracted from the forgery, B outputs 1 (interacting with a PRF). Otherwise, it outputs 0.

Now we argue that B successfully distinguishes between a PRF and a random function. First, suppose that for the certificate cert* extracted from the forgery, cert* = cert_n, so F_PRF(c_n) = f(sk*, c_n). If B is interacting with a random function, B outputs 0 with high probability, because a random function only collides with f(sk*, ·) on r with negligible probability. On the other hand, if B is interacting with a PRF with key sk_n, there are two cases:

sk* = sk_n: In this case, B always outputs 1.

sk* ≠ sk_n: Then f(sk*, c_n) = f(sk_n, c_n) is a collision that violates the collision-resistance of f. Note that this is where we need the check that r ≠ c: if this check were omitted, an adversary could set r = c_n and render the query F_PRF(r) useless for B, since B already knows this value. Since all the algorithms involved in finding this collision are efficient, this case must only occur with negligible probability.

All that remains is to show that cert* = cert_n with non-negligible probability. Since cert* corresponds to a certificate issued by the group manager with all but negligible probability (in the other case the game would have aborted early), we are assured that i ∈ [N]. Since n is chosen independently of A's choice of i, there is a 1/N chance that n = i, which is certainly non-negligible in λ because A can only create polynomially many group members.

4 Practical Post-Quantum Group Signatures for Attestation

Attestation schemes (such as that used in Intel SGX [25, 40]) involve an attestation service in the loop every time an attestation needs to be verified, despite the fact that this is not necessary for the underlying group signature scheme. Put in terms of the group signature setting, every time a group signature is verified there is a step that involves contacting the group manager to get an updated revocation list. This requirement means that frequent contact between the group manager and group members should be possible. In this section, we leverage the continuing availability of the group manager in the attestation setting to build significantly smaller post-quantum group signatures.

The number of gates required to verify the signature on a group member's certificate by far outweighs that of the other components in the proof of knowledge included in each signature of the scheme from Section 3. Moving this verification outside of the proof would dramatically shrink signature sizes, and this is exactly what we do. In our modified scheme, each group member's certificate is a leaf in a Merkle tree. The group manager signs the root of the tree and provides each group member with a membership proof as part of the Join process. Now the group manager's signature can be verified outside the proof of knowledge, because the group manager's signature on the publicly known root of the tree leaks nothing about the identity of a particular signer. Instead of verifying a signature inside a proof, the signer now only needs to verify a Merkle inclusion proof, an operation that requires a much smaller circuit than verifying a hash-based stateful signature.

The above modification, while greatly improving efficiency, introduces a critical security flaw in the model where each group member registers with the group manager once and then begins creating signatures: a new Merkle tree root will need to be published by the group manager each time a group member joins! As an immediate consequence, group members joining earlier suffer from smaller anonymity sets. Even worse, a curious group manager could issue a sequence of Merkle roots where each tree only includes a valid credential for one group member, uniquely identifying that member's signatures.

Fortunately, the continuing contact between group members and the group manager enforced by attestation in practice enables effective mitigations for the concerns listed above. Group members can periodically re-join the group to update the Merkle root relative to which they provide membership proofs, thereby increasing the size of their anonymity sets. In practice, we can ensure that subsequent Merkle roots issued by the group manager only ever add new credentials to the group and never omit previous ones by using a Merkle consistency proof such as the one proposed by the Certificate Transparency standard [41] and proven secure by Dowling et al. [28]. We model the Merkle trees used in our proofs as accumulators with zero-knowledge membership proofs and discuss how we instantiate this primitive with an improved construction in a later section.

4.1 Definitions

In this section we define accumulators and group signatures for attestation. We begin with a special case of the formalization of accumulators by [26].

Definition 17 (Accumulator). A static accumulator is a tuple of efficient algorithms (AGen, AEval, AWitCreate, AVerify, AProveCon, ACheckCon) which are defined as follows:

AGen(1^λ): This algorithm takes a security parameter λ and returns a public key pk.

AEval(pk, X): This deterministic algorithm takes a key pk and a set X to be accumulated and returns an accumulator Λ_X.

AWitCreate(pk, Λ_X, X, x): This algorithm takes a key pk, an accumulator Λ_X, the set X, and a value x. It returns ⊥ if x ∉ X and a witness wt_x for x otherwise.

AVerify(pk, Λ_X, wt_x, x): This algorithm takes a public key pk, an accumulator Λ_X, a witness wt_x, and a value x. It returns 1 if wt_x is a witness for x ∈ X and 0 otherwise.

We require accumulators to be correct, meaning that AVerify accepts an honestly generated witness for x ∈ X. We also require a soundness property dubbed collision-freeness, formally defined below.

Definition 18 (Collision Freeness). An accumulator is collision free if for all PPT adversaries A, we have that

$$\Pr\left[\mathrm{AVerify}(pk, \Lambda, wt_x, x) = 1 \wedge x \notin X \;:\; pk \leftarrow \mathrm{AGen}(1^\lambda),\ (wt_x, x, X) \leftarrow A(pk),\ \Lambda \leftarrow \mathrm{AEval}(pk, X)\right] \le \mathrm{negl}(\lambda).$$

The setting of group signatures for attestation largely leaves the security definitions of Section 3 unaffected up to changes in syntax, so we present the updated syntax for clarity of presentation and omit statements of the security properties. The only notable change is that in both security

games, the adversary can now choose to have a group member run the new GARejoin at any time it chooses.

Definition 19 (Group Signature for Attestation). A group signature scheme GA for attestation involving a group manager M and n group member parties P_1 to P_n consists of algorithms GAInit, GAJoin, GARejoin, GASign, GAVerify, RevokeKey and RevokeSig. In the following, X represents a set, Λ represents a static accumulator representing X, and σ_Λ is a signature on Λ.

(gsk, gpk) ← GAInit(1^λ): This algorithm takes as input a security parameter 1^λ and outputs a key pair (gsk, gpk).

⟨(cert, Λ, σ), (sk, cert, Λ, σ)⟩ ← GAJoin_{M,P}⟨(gsk, gpk, X), gpk⟩: This is a protocol between the group manager and a group member P where each party has its keys as input, and the group manager also has the set X of group member credentials. Both parties get party P's certificate, an accumulator value Λ, and a signature σ on Λ from the group manager as output. P also gets its secret key sk as an output.

⟨(cert, Λ, σ), (cert, Λ, σ)⟩ ← GARejoin_{M,P}⟨(gsk, gpk, X, Λ, σ), (gpk, cert)⟩: This is a protocol between the group manager and a group member P where the group manager has the group key pair, a set of user credentials X, an accumulator Λ for X, and a signature σ on Λ as inputs, and group member P has the group public key and its certificate as inputs. Both parties get an updated certificate for P as well as the accumulator value Λ and signature σ as outputs.

⊥/sig ← GASign(gpk, sk, cert, m, SIG-RL, Λ, σ): This algorithm takes as input the public key, party P's secret key and certificate, a message m, a signature revocation list SIG-RL, an accumulator Λ, and a signature σ on Λ from the group manager. The output is a group signature sig.

1/0 ← GAVerify(gpk, m, KEY-RL, SIG-RL, sig): This algorithm verifies a group signature sig on a message m given the group public key and the key/signature revocation lists KEY-RL, SIG-RL. It outputs 1 to accept the signature and 0 to reject it.

KEY-RL ← GARevokeKey(gpk, KEY-RL, sk): This algorithm adds a secret key sk to a key revocation list, so signatures created with this key will no longer be accepted.

SIG-RL ← GARevokeSig(gpk, KEY-RL, SIG-RL, m, sig): This algorithm adds a signature sig to a signature revocation list, so signatures created with the same key as sig will no longer be accepted.

In order to capture the security guarantees of our new setting, namely the fact that anonymity only applies relative to the anonymity set of users with the same Merkle root, we add the following admissibility criterion for anonymity adversaries.

Definition 20 (Admissible Anonymity Adversary for Attestation). An adversary A is admissible for ANON[A, λ, b] if it satisfies the following criteria:
- It is an admissible anonymity adversary as in Definition 8.
- It chooses parties P_{i_0} and P_{i_1} that produce signatures relative to the same accumulator Λ.

4.2 Group Signature Construction II

The full construction of the modified group signature scheme appears below. Structurally similar to the construction in Section 3, the main changes involve the introduction of a post-quantum accumulator and the resulting restructuring of what needs to be proven inside/outside the proof of knowledge π.

Construction 21 (Group Signature for Attestation). Our group signature scheme for attestation GA = (GAInit, GAJoin, GARejoin, GASign, GAVerify, GARevokeKey, GARevokeSig) with security parameter λ uses a signature scheme S = (Keygen, Sign, Verify), a proof system Π = (P, V), a PRF f that also serves as a collision-resistant hash function, and an accumulator Ac = (AGen, AEval, AWitCreate, AVerify).

GAInit(1^λ): Group manager M runs Keygen(1^λ) to get (pk_gp, sk_gp) and runs AGen(1^λ) to get pk. It outputs public key gpk = (pk_gp, pk) and secret key gsk = sk_gp.

GAJoin_{M,P}⟨(gsk, gpk, X), gpk⟩:
- Group manager M sends challenge c to member P.
- P picks sk ←R {0, 1}^λ and sends t_join = f(sk, c) back to M.
- M defines x = (t_join, c), sets X = X ∪ {x}, sets Λ = AEval(pk, X), and produces signature σ = Sign(gsk, Λ). Next, M creates wt_x = AWitCreate(pk, Λ, X, x) and constructs cert = (x, wt_x), sending a copy to P along with Λ and σ.
- The group member's private key is sk, and both parties get copies of cert, Λ, and σ.

GARejoin_{M,P}⟨(gsk, gpk, X, Λ, σ), (gpk, cert)⟩:
- P sends cert to M.
- First, M verifies the signature in cert and aborts if verification fails. Then it creates a new wt_x = AWitCreate(pk, Λ, X, x) and constructs the updated cert = (x, wt_x), sending a copy to P along with Λ and σ.
- P updates its values of cert, Λ, and σ.

GASign(gpk, sk, cert, m, SIG-RL, Λ, σ): Compute the following and output sig:
- Verify(pk_gp, σ, Λ) (abort if it outputs 0)
- r ←R {0, 1}^λ \ {c}
- t = (f(sk, r), r)
- π = P(public(λ, m, gpk, t, SIG-RL, KEY-RL, Λ), private(sk, cert), R_2)
- sig = (t, π, Λ, σ).

We define R_2 as a relation in the proof of knowledge of (sk, cert) such that the following statements hold:
- t = (f(sk, r), r)
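As an added example (not code from the paper or any project), the following Python implements a Merkle-tree accumulator with the (AGen, AEval, AWitCreate, AVerify) interface of Definition 17 and drives it through the GAJoin / GARejoin flow of Construction 21, so that the stale-root problem and its rejoin mitigation from the start of Section 4 can be observed. It assumes HMAC-SHA256 as a stand-in for the PRF f and an HMAC under the manager's key as a stand-in for the signature scheme S; the proof of knowledge π is outside its scope.

```python
"""Added example, not code from the paper or any project: a Merkle-tree
static accumulator in the (AGen, AEval, AWitCreate, AVerify) syntax of
Definition 17, driven through the GAJoin / GARejoin flow of Construction 21.
Assumptions: HMAC-SHA256 stands in for the PRF f, and the manager's
signature scheme S is simulated by an HMAC under a manager-held key."""
import hashlib, hmac, os

def f(key, data):  # stand-in for the PRF f (assumption: HMAC-SHA256)
    return hmac.new(key, data, hashlib.sha256).digest()

def _leaf(x):  # leaves and internal nodes are domain-separated
    return hashlib.sha256(b"\x00" + x).digest()
def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def _levels(X):
    """All tree levels, leaves first; an unpaired node is hashed with itself."""
    if not X:
        raise ValueError("cannot accumulate an empty set")
    levels = [[_leaf(x) for x in X]]
    while len(levels[-1]) > 1:
        cur = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def a_gen():  # AGen: a Merkle accumulator has no trapdoor; pk names the hash
    return b"merkle-sha256"

def a_eval(pk, X):  # AEval: deterministic accumulator value = Merkle root
    return _levels(X)[-1][0]

def a_wit_create(pk, acc, X, x):
    """AWitCreate: None (bottom) if x not in X, else x's co-path to the root."""
    if x not in X:
        return None
    levels, i, wt = _levels(X), X.index(x), []
    for lvl in levels[:-1]:
        sib = i ^ 1  # sibling index; an unpaired node's sibling is itself
        wt.append((i & 1, lvl[sib] if sib < len(lvl) else lvl[i]))
        i >>= 1
    return wt

def a_verify(pk, acc, wt, x):
    """AVerify: True iff recomputing the root from x and wt reproduces acc."""
    if wt is None:
        return False
    h = _leaf(x)
    for is_right, sibling in wt:
        h = _node(sibling, h) if is_right else _node(h, sibling)
    return hmac.compare_digest(h, acc)

def sign_root(gsk, acc):  # stand-in for S.Sign(gsk, Lambda); pk_gp := gsk here
    return hmac.new(gsk, b"root|" + acc, hashlib.sha256).digest()

class Member:
    def __init__(self):
        self.sk = os.urandom(32)  # sk <-R {0,1}^lambda, lambda = 256
        self.cert = self.acc = self.sigma = None

    def respond(self, c):
        return f(self.sk, c)  # t_join = f(sk, c)

    def can_sign(self, pk_gp, pk):
        """The checks GASign makes outside pi: sigma on Lambda, cert in Lambda."""
        x, wt = self.cert
        ok_sig = hmac.compare_digest(sign_root(pk_gp, self.acc), self.sigma)
        return ok_sig and a_verify(pk, self.acc, wt, x)

class GroupManager:
    def __init__(self):
        self.gsk, self.pk = os.urandom(32), a_gen()
        self.X, self.acc, self.sigma = [], None, None

    def _issue(self, member, x):
        wt = a_wit_create(self.pk, self.acc, self.X, x)
        member.cert, member.acc, member.sigma = (x, wt), self.acc, self.sigma

    def join(self, member):
        """GAJoin: challenge c, accumulate x = (t_join, c), sign the new root."""
        c = os.urandom(32)
        x = member.respond(c) + c  # (t_join, c) encoded as 64 bytes
        self.X.append(x)
        self.acc = a_eval(self.pk, self.X)
        self.sigma = sign_root(self.gsk, self.acc)
        self._issue(member, x)

    def rejoin(self, member):  # GARejoin: fresh witness under the current root
        if member.cert[0] not in self.X:
            raise ValueError("unknown certificate")
        self._issue(member, member.cert[0])

def stale_root_demo():
    """Returns (stale, fresh): after P2 joins, P1 can still sign, but only
    relative to the old one-leaf root; GARejoin moves it to the current root."""
    gm, p1, p2 = GroupManager(), Member(), Member()
    gm.join(p1)
    gm.join(p2)
    stale = p1.acc != gm.acc and p1.can_sign(gm.gsk, gm.pk)
    gm.rejoin(p1)
    fresh = p1.acc == gm.acc and p1.can_sign(gm.gsk, gm.pk)
    return stale, fresh
```

The `stale` result is exactly the anonymity-set problem the text describes: a member holding an old root still produces verifiable signatures, but relative to a tree that may contain only its own leaf.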


More information

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X

3.1 Expectation of Functions of Several Random Variables. )' be a k-dimensional discrete or continuous random vector, with joint PMF p (, E X E X1 E X Statstcs 1: Probablty Theory II 37 3 EPECTATION OF SEVERAL RANDOM VARIABLES As n Probablty Theory I, the nterest n most stuatons les not on the actual dstrbuton of a random vector, but rather on a number

More information

Lecture 5 Decoding Binary BCH Codes

Lecture 5 Decoding Binary BCH Codes Lecture 5 Decodng Bnary BCH Codes In ths class, we wll ntroduce dfferent methods for decodng BCH codes 51 Decodng the [15, 7, 5] 2 -BCH Code Consder the [15, 7, 5] 2 -code C we ntroduced n the last lecture

More information

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens

THE CHINESE REMAINDER THEOREM. We should thank the Chinese for their wonderful remainder theorem. Glenn Stevens THE CHINESE REMAINDER THEOREM KEITH CONRAD We should thank the Chnese for ther wonderful remander theorem. Glenn Stevens 1. Introducton The Chnese remander theorem says we can unquely solve any par of

More information

The Minimum Universal Cost Flow in an Infeasible Flow Network

The Minimum Universal Cost Flow in an Infeasible Flow Network Journal of Scences, Islamc Republc of Iran 17(2): 175-180 (2006) Unversty of Tehran, ISSN 1016-1104 http://jscencesutacr The Mnmum Unversal Cost Flow n an Infeasble Flow Network H Saleh Fathabad * M Bagheran

More information

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS

8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS SECTION 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS 493 8.4 COMPLEX VECTOR SPACES AND INNER PRODUCTS All the vector spaces you have studed thus far n the text are real vector spaces because the scalars

More information

On a CCA2-secure variant of McEliece in the standard model

On a CCA2-secure variant of McEliece in the standard model On a CCA2-secure varant of McElece n the standard model Edoardo Perschett Department of Mathematcs, Unversty of Auckland, New Zealand. e.perschett@math.auckland.ac.nz Abstract. We consder publc-key encrypton

More information

NUMERICAL DIFFERENTIATION

NUMERICAL DIFFERENTIATION NUMERICAL DIFFERENTIATION 1 Introducton Dfferentaton s a method to compute the rate at whch a dependent output y changes wth respect to the change n the ndependent nput x. Ths rate of change s called the

More information

Lecture 4: Universal Hash Functions/Streaming Cont d

Lecture 4: Universal Hash Functions/Streaming Cont d CSE 5: Desgn and Analyss of Algorthms I Sprng 06 Lecture 4: Unversal Hash Functons/Streamng Cont d Lecturer: Shayan Oves Gharan Aprl 6th Scrbe: Jacob Schreber Dsclamer: These notes have not been subjected

More information

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013

ISSN: ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 3, Issue 1, July 2013 ISSN: 2277-375 Constructon of Trend Free Run Orders for Orthogonal rrays Usng Codes bstract: Sometmes when the expermental runs are carred out n a tme order sequence, the response can depend on the run

More information

Lecture 4: November 17, Part 1 Single Buffer Management

Lecture 4: November 17, Part 1 Single Buffer Management Lecturer: Ad Rosén Algorthms for the anagement of Networs Fall 2003-2004 Lecture 4: November 7, 2003 Scrbe: Guy Grebla Part Sngle Buffer anagement In the prevous lecture we taled about the Combned Input

More information

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers

Psychology 282 Lecture #24 Outline Regression Diagnostics: Outliers Psychology 282 Lecture #24 Outlne Regresson Dagnostcs: Outlers In an earler lecture we studed the statstcal assumptons underlyng the regresson model, ncludng the followng ponts: Formal statement of assumptons.

More information

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003

Tornado and Luby Transform Codes. Ashish Khisti Presentation October 22, 2003 Tornado and Luby Transform Codes Ashsh Khst 6.454 Presentaton October 22, 2003 Background: Erasure Channel Elas[956] studed the Erasure Channel β x x β β x 2 m x 2 k? Capacty of Noseless Erasure Channel

More information

Section 8.3 Polar Form of Complex Numbers

Section 8.3 Polar Form of Complex Numbers 80 Chapter 8 Secton 8 Polar Form of Complex Numbers From prevous classes, you may have encountered magnary numbers the square roots of negatve numbers and, more generally, complex numbers whch are the

More information

Password Based Key Exchange With Mutual Authentication

Password Based Key Exchange With Mutual Authentication Password Based Key Exchange Wth Mutual Authentcaton Shaoquan Jang and Guang Gong Department of Electrcal and Computer Engneerng Unversty of Waterloo Waterloo, Ontaro N2L 3G1, CANADA Emal:{angshq,ggong}@callope.uwaterloo.ca

More information

arxiv:quant-ph/ Jul 2002

arxiv:quant-ph/ Jul 2002 Lnear optcs mplementaton of general two-photon proectve measurement Andrze Grudka* and Anton Wóck** Faculty of Physcs, Adam Mckewcz Unversty, arxv:quant-ph/ 9 Jul PXOWRZVNDR]QDRODQG Abstract We wll present

More information

Short Pairing-based Non-interactive Zero-Knowledge Arguments

Short Pairing-based Non-interactive Zero-Knowledge Arguments Short Parng-based Non-nteractve Zero-Knowledge Arguments Jens Groth Unversty College London j.groth@ucl.ac.uk October 26, 2010 Abstract. We construct non-nteractve zero-knowledge arguments for crcut satsfablty

More information

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness.

20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The first idea is connectedness. 20. Mon, Oct. 13 What we have done so far corresponds roughly to Chapters 2 & 3 of Lee. Now we turn to Chapter 4. The frst dea s connectedness. Essentally, we want to say that a space cannot be decomposed

More information

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing

Anonymous Identity-Based Broadcast Encryption with Revocation for File Sharing Anonymous Identty-Based Broadcast Encrypton wth Revocaton for Fle Sharng Janchang La, Y Mu, Fuchun Guo, Wlly Suslo, and Rongmao Chen Centre for Computer and Informaton Securty Research, School of Computng

More information

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage

Leakage-Resilient Identification Schemes from Zero-Knowledge Proofs of Storage Leakage-Reslent Identfcaton Schemes from Zero-Knowledge Proofs of Storage Guseppe Atenese Sapenza, Unversty of Rome atenese@d.unroma1.t Antono Faono Aarhus Unversty antfa@cs.au.dk Seny Kamara Mcrosoft

More information

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for P Charts. Dr. Wayne A. Taylor

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for P Charts. Dr. Wayne A. Taylor Taylor Enterprses, Inc. Control Lmts for P Charts Copyrght 2017 by Taylor Enterprses, Inc., All Rghts Reserved. Control Lmts for P Charts Dr. Wayne A. Taylor Abstract: P charts are used for count data

More information

Introduction to Algorithms

Introduction to Algorithms Introducton to Algorthms 6.046J/18.401J Lecture 7 Prof. Potr Indyk Data Structures Role of data structures: Encapsulate data Support certan operatons (e.g., INSERT, DELETE, SEARCH) What data structures

More information

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography

Algebraic partitioning: Fully compact and (almost) tightly secure cryptography Algebrac parttonng: Fully compact and (almost) tghtly secure cryptography Denns Hofhenz October 12, 2015 Abstract We descrbe a new technque for conductng parttonng arguments. Parttonng arguments are a

More information

On the Multicriteria Integer Network Flow Problem

On the Multicriteria Integer Network Flow Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 5, No 2 Sofa 2005 On the Multcrtera Integer Network Flow Problem Vassl Vasslev, Marana Nkolova, Maryana Vassleva Insttute of

More information

Generalized Linear Methods

Generalized Linear Methods Generalzed Lnear Methods 1 Introducton In the Ensemble Methods the general dea s that usng a combnaton of several weak learner one could make a better learner. More formally, assume that we have a set

More information

Witness Encryption from Instance Independent Assumptions

Witness Encryption from Instance Independent Assumptions Wtness Encrypton from Instance Independent Assumptons Crag Gentry IBM Research, T.J. Watson cbgentry@us.bm.com Brent Waters Unversty of Texas at Austn bwaters@cs.utexas.edu Allson Bshop Lewko Columba Unversty

More information

Perfect Competition and the Nash Bargaining Solution

Perfect Competition and the Nash Bargaining Solution Perfect Competton and the Nash Barganng Soluton Renhard John Department of Economcs Unversty of Bonn Adenauerallee 24-42 53113 Bonn, Germany emal: rohn@un-bonn.de May 2005 Abstract For a lnear exchange

More information

Comment on An arbitrated quantum signature scheme. with fast signing and verifying

Comment on An arbitrated quantum signature scheme. with fast signing and verifying Comment on n arbtrated quantum sgnature scheme wth fast sgnng and verfyng Y-Png Luo and Tzonelh Hwang * Department of Computer cence and Informaton Engneerng, Natonal Cheng ung Unversty, No, Unversty Rd,

More information

Aggregate Message Authentication Codes

Aggregate Message Authentication Codes Aggregate Message Authentcaton Codes Jonathan Katz Dept. of Computer Scence Unversty of Maryland, USA. jkatz@cs.umd.edu Yehuda Lndell Dept. of Computer Scence Bar-Ilan Unversty, Israel. lndell@cs.bu.ac.l.

More information

Affine transformations and convexity

Affine transformations and convexity Affne transformatons and convexty The purpose of ths document s to prove some basc propertes of affne transformatons nvolvng convex sets. Here are a few onlne references for background nformaton: http://math.ucr.edu/

More information

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications

MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.265/15.070J Fall 2013 Lecture 12 10/21/2013. Martingale Concentration Inequalities and Applications MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.65/15.070J Fall 013 Lecture 1 10/1/013 Martngale Concentraton Inequaltes and Applcatons Content. 1. Exponental concentraton for martngales wth bounded ncrements.

More information

On the Instantiability of Hash-and-Sign RSA Signatures

On the Instantiability of Hash-and-Sign RSA Signatures On the Instantablty of Hash-and-Sgn RSA Sgnatures Yevgeny Dods Iftach Hatner Ars Tentes December 29, 2011 Abstract The hash-and-sgn RSA sgnature s one of the most elegant and well known sgnatures schemes,

More information

A 2D Bounded Linear Program (H,c) 2D Linear Programming

A 2D Bounded Linear Program (H,c) 2D Linear Programming A 2D Bounded Lnear Program (H,c) h 3 v h 8 h 5 c h 4 h h 6 h 7 h 2 2D Lnear Programmng C s a polygonal regon, the ntersecton of n halfplanes. (H, c) s nfeasble, as C s empty. Feasble regon C s unbounded

More information

Expected Value and Variance

Expected Value and Variance MATH 38 Expected Value and Varance Dr. Neal, WKU We now shall dscuss how to fnd the average and standard devaton of a random varable X. Expected Value Defnton. The expected value (or average value, or

More information

Appendix B: Resampling Algorithms

Appendix B: Resampling Algorithms 407 Appendx B: Resamplng Algorthms A common problem of all partcle flters s the degeneracy of weghts, whch conssts of the unbounded ncrease of the varance of the mportance weghts ω [ ] of the partcles

More information

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares Publshed n Theoretcal Computer Scence, 645: 24, 206 Born and rased dstrbutvely: Fully dstrbuted non-nteractve adaptvely-secure threshold sgnatures wth short shares Benoît Lbert Ecole Normale Supéreure

More information

Edge Isoperimetric Inequalities

Edge Isoperimetric Inequalities November 7, 2005 Ross M. Rchardson Edge Isopermetrc Inequaltes 1 Four Questons Recall that n the last lecture we looked at the problem of sopermetrc nequaltes n the hypercube, Q n. Our noton of boundary

More information

x = , so that calculated

x = , so that calculated Stat 4, secton Sngle Factor ANOVA notes by Tm Plachowsk n chapter 8 we conducted hypothess tests n whch we compared a sngle sample s mean or proporton to some hypotheszed value Chapter 9 expanded ths to

More information

2.3 Nilpotent endomorphisms

2.3 Nilpotent endomorphisms s a block dagonal matrx, wth A Mat dm U (C) In fact, we can assume that B = B 1 B k, wth B an ordered bass of U, and that A = [f U ] B, where f U : U U s the restrcton of f to U 40 23 Nlpotent endomorphsms

More information

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013

COS 511: Theoretical Machine Learning. Lecturer: Rob Schapire Lecture # 15 Scribe: Jieming Mao April 1, 2013 COS 511: heoretcal Machne Learnng Lecturer: Rob Schapre Lecture # 15 Scrbe: Jemng Mao Aprl 1, 013 1 Bref revew 1.1 Learnng wth expert advce Last tme, we started to talk about learnng wth expert advce.

More information

Practical Attribute-Based Encryption: Traitor Tracing, Revocation, and Large Universe

Practical Attribute-Based Encryption: Traitor Tracing, Revocation, and Large Universe Practcal Attrbute-Based Encrypton: Trator Tracng, Revocaton, and Large Unverse Zhen Lu 1 and Duncan S Wong 2 1 Cty Unversty of Hong Kong, Hong Kong SAR, Chna zhenlu7-c@myctyueduhk 2 Securty and Data Scences,

More information

Kernel Methods and SVMs Extension

Kernel Methods and SVMs Extension Kernel Methods and SVMs Extenson The purpose of ths document s to revew materal covered n Machne Learnng 1 Supervsed Learnng regardng support vector machnes (SVMs). Ths document also provdes a general

More information

Improving the Round Complexity of VSS in Point-to-Point Networks

Improving the Round Complexity of VSS in Point-to-Point Networks Improvng the Round Complexty of VSS n Pont-to-Pont Networks Jonathan Katz Chu-Yuen Koo Rant Kumaresan Abstract We revst the followng queston: what s the optmal round complexty of verfable secret sharng

More information

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for U Charts. Dr. Wayne A. Taylor

Copyright 2017 by Taylor Enterprises, Inc., All Rights Reserved. Adjusted Control Limits for U Charts. Dr. Wayne A. Taylor Taylor Enterprses, Inc. Adjusted Control Lmts for U Charts Copyrght 207 by Taylor Enterprses, Inc., All Rghts Reserved. Adjusted Control Lmts for U Charts Dr. Wayne A. Taylor Abstract: U charts are used

More information

Circular chosen-ciphertext security with compact ciphertexts

Circular chosen-ciphertext security with compact ciphertexts Crcular chosen-cphertext securty wth compact cphertexts Denns Hofhenz January 19, 2013 Abstract A key-dependent message (KDM secure encrypton scheme s secure even f an adversary obtans encryptons of messages

More information

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS Avalable onlne at http://sck.org J. Math. Comput. Sc. 3 (3), No., 6-3 ISSN: 97-537 COMPARISON OF SOME RELIABILITY CHARACTERISTICS BETWEEN REDUNDANT SYSTEMS REQUIRING SUPPORTING UNITS FOR THEIR OPERATIONS

More information

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix

Lectures - Week 4 Matrix norms, Conditioning, Vector Spaces, Linear Independence, Spanning sets and Basis, Null space and Range of a Matrix Lectures - Week 4 Matrx norms, Condtonng, Vector Spaces, Lnear Independence, Spannng sets and Bass, Null space and Range of a Matrx Matrx Norms Now we turn to assocatng a number to each matrx. We could

More information

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption

Practical Functional Encryption for Quadratic Functions with Applications to Predicate Encryption Practcal Functonal Encrypton for Quadratc Functons wth Applcatons to Predcate Encrypton Carmen Elsabetta Zara Baltco 1, Daro Catalano 1, Daro Fore 2, and Roman Gay 3 1 Dpartmento d Matematca e Informatca,

More information

Cryptographic Protocols

Cryptographic Protocols Cryptographc Protocols Entty Authentcaton Key Agreement Fat-Shamr Identfcaton Schemes Zero-Knowledge Proof Systems Shnorr s Identfcaton/Sgnature Scheme Commtment Schemes Secret Sharng Electronc Electon

More information

More metrics on cartesian products

More metrics on cartesian products More metrcs on cartesan products If (X, d ) are metrc spaces for 1 n, then n Secton II4 of the lecture notes we defned three metrcs on X whose underlyng topologes are the product topology The purpose of

More information

ECE559VV Project Report

ECE559VV Project Report ECE559VV Project Report (Supplementary Notes Loc Xuan Bu I. MAX SUM-RATE SCHEDULING: THE UPLINK CASE We have seen (n the presentaton that, for downlnk (broadcast channels, the strategy maxmzng the sum-rate

More information

General theory of fuzzy connectedness segmentations: reconciliation of two tracks of FC theory

General theory of fuzzy connectedness segmentations: reconciliation of two tracks of FC theory General theory of fuzzy connectedness segmentatons: reconclaton of two tracks of FC theory Krzysztof Chrs Ceselsk Department of Mathematcs, West Vrgna Unversty and MIPG, Department of Radology, Unversty

More information

1 The Mistake Bound Model

1 The Mistake Bound Model 5-850: Advanced Algorthms CMU, Sprng 07 Lecture #: Onlne Learnng and Multplcatve Weghts February 7, 07 Lecturer: Anupam Gupta Scrbe: Bryan Lee,Albert Gu, Eugene Cho he Mstake Bound Model Suppose there

More information

Constructing Non-Malleable Commitments: A Black-Box Approach

Constructing Non-Malleable Commitments: A Black-Box Approach Constructng Non-Malleable Commtments: A Black-Box Approach Vpul Goyal Mcrosoft Research INDIA vpul@mcrosoft.com Chen-Kue Lee UCLA USA jcklee@ucla.edu Ivan Vscont Unversty of Salerno ITALY vscont@da.unsa.t

More information

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction

The Multiple Classical Linear Regression Model (CLRM): Specification and Assumptions. 1. Introduction ECONOMICS 5* -- NOTE (Summary) ECON 5* -- NOTE The Multple Classcal Lnear Regresson Model (CLRM): Specfcaton and Assumptons. Introducton CLRM stands for the Classcal Lnear Regresson Model. The CLRM s also

More information

6.842 Randomness and Computation February 18, Lecture 4

6.842 Randomness and Computation February 18, Lecture 4 6.842 Randomness and Computaton February 18, 2014 Lecture 4 Lecturer: Rontt Rubnfeld Scrbe: Amartya Shankha Bswas Topcs 2-Pont Samplng Interactve Proofs Publc cons vs Prvate cons 1 Two Pont Samplng 1.1

More information

Optimal Extension Protocols for Byzantine Broadcast and Agreement

Optimal Extension Protocols for Byzantine Broadcast and Agreement Optmal Extenson Protocols for Byzantne Broadcast and Agreement Chaya Ganesh 1 and Arpta Patra 2 1 Department of Computer Scence, New York Unversty ganesh@cs.nyu.edu 2 Department of Computer Scence & Automaton,

More information

arxiv: v1 [quant-ph] 6 Sep 2007

arxiv: v1 [quant-ph] 6 Sep 2007 An Explct Constructon of Quantum Expanders Avraham Ben-Aroya Oded Schwartz Amnon Ta-Shma arxv:0709.0911v1 [quant-ph] 6 Sep 2007 Abstract Quantum expanders are a natural generalzaton of classcal expanders.

More information

HMMT February 2016 February 20, 2016

HMMT February 2016 February 20, 2016 HMMT February 016 February 0, 016 Combnatorcs 1. For postve ntegers n, let S n be the set of ntegers x such that n dstnct lnes, no three concurrent, can dvde a plane nto x regons (for example, S = {3,

More information

CHAPTER III Neural Networks as Associative Memory

CHAPTER III Neural Networks as Associative Memory CHAPTER III Neural Networs as Assocatve Memory Introducton One of the prmary functons of the bran s assocatve memory. We assocate the faces wth names, letters wth sounds, or we can recognze the people

More information