Short (resp. Fast) CCA2-Fully-Anonymous Group Signatures Using IND-CPA-Encrypted Escrows (2005)
Abstract
In the newest and strongest security models for group signatures [7, 10, 41], attackers are given the capability to query an Open Oracle in order to obtain the signer identity of the queried signature. This oracle mirrors the Decryption Oracle in security experiments involving encryption schemes, and the security notion of CCA2-full-anonymity for group signatures mirrors the security notion of IND-CCA2-security for encryption schemes. Most group signatures escrow the signer identity to a TTP called the Open Authority (OA) by encrypting the signer identity to the OA. Methods to efficiently instantiate O(1)-sized CCA2-fully-anonymous group signatures using IND-CCA2-secure encryptions, such as the Cramer-Shoup scheme or the twin encryption scheme, exist [7, 10, 41, 49]. However, it has long been suspected that IND-CCA2-secure encryption to the OA is overkill, and that CCA2-fully-anonymous group signatures can be constructed using only IND-CPA-secure encryptions. Here, we settle this issue in the positive by constructing CCA2-fully-anonymous group signatures from IND-CPA-secure encryptions for the OA, without ever using IND-CCA2-secure encryptions. Our technique uses a single ElGamal or similar encryption plus the VRF (Verifiable Random Function) of Dodis and Yampolskiy [35].
Publication details