Key Words: Signature; Group Signature; Information Security

Abstract: On the basis of the BB short signature scheme, this paper derives a new signature scheme, from which we construct a new kind of group signature scheme. The security of the new group signature scheme is based on the q-Strong Diffie-Hellman assumption and the Decisional Diffie-Hellman assumption in the random oracle model. The new group signature is a little longer than the BBS short group signature. However, in the new group signature scheme, issuing certificates and private keys to group members does not require any trusted third party, whereas the BBS short group signature scheme does require one.


Introduction
In 1991, Chaum and van Heyst put forth the concept of a group signature scheme [8]. The participants are the group members and the group manager, and the group manager consists of a membership manager and a revocation manager. A group signature scheme allows a group member to sign messages anonymously on behalf of the group. More precisely, signatures can be verified with respect to a single public key of the group and do not reveal the identity of the signer. The membership manager is responsible for the system setup and for adding group members, while the revocation manager has the ability to revoke the anonymity of signatures.
A group signature scheme could, for instance, be used by an employee of a large company to sign documents on behalf of the company. In this scenario, it is sufficient for a verifier to know that some representative of the company has signed. Moreover, in contrast to the use of an ordinary signature scheme, the verifier does not need to check whether a particular employee is allowed to sign contracts on behalf of the company, i.e., he needs to know only a single public key of the company. A further application of group signature schemes is electronic cash. In this scenario, several banks issue coins, but it is impossible for shops to find out which bank issued a coin that is obtained from a customer. Hence, the central bank plays the role of the membership and the revocation manager, and all other banks issuing coins are group members.
Various group signature schemes have been proposed so far. However, in the schemes presented in [8,9,10] the length of signatures and/or the size of the group's public key depend on the size of the group, and thus these schemes are not suitable for large groups. Camenisch first proposed a group signature scheme suitable for large groups [11]. In that scheme, the length of signatures and the size of the group's public key are independent of the number of group members. After that, researchers concentrated their attention on how to add security properties to group signature schemes [5] and how to standardize the security of group signature schemes [6]. In paper [5], the group signature scheme proposed by Ateniese et al. not only has high efficiency but also adds another security property, coalition-resistance. In paper [6], Bellare et al. standardize the different properties of group signature schemes into two characters, Full-Anonymity and Full-Traceability, which provide the standard mode for proving the security of a group signature scheme. The scheme proposed by CL [12] and the one proposed by BBS [7] have both been proven in this mode. This paper derives a new signature scheme from the short signature proposed by BB [3], and from it constructs a new type of group signature scheme. The newly proposed group signature scheme has been proven in the standard mode of paper [6].

Preliminaries
In this section, we give some cryptographic building blocks, assumptions and definitions for the signature we will build.

Bilinear Groups
Let be an additional group such that $e : G_1 \times G_2 \to G_T$ with the following properties:

Definition 2. We say that $(G_1, G_2)$ are bilinear groups if they satisfy the following properties:
1. There exists a bilinear map : , there exists an efficient algorithm computing .
We know that Gap Diffie-Hellman (GDH) groups can be constructed from bilinear groups [1]. In GDH groups, the DDH problem can be solved; however, the CDH problem is still difficult. It is worth noting that the DDH problem is still hard in group $G_T$.

Signature of Knowledge
So-called zero-knowledge proofs of knowledge allow a prover to demonstrate the knowledge of a secret to a verifier without revealing anything else. The protocol we use in the following is a 3-move protocol and can be proven zero-knowledge in an honest-verifier model. Such a protocol can be performed non-interactively with the help of an ideal hash function $H$. Following paper [2], we refer to the resulting constructs as signatures of knowledge.
In the following, we consider the building block for the signature of knowledge of a discrete logarithm. for the corresponding interactive protocol. As for the signature of knowledge, the Greek letter α denotes the signer's private key, while for the protocol, the Greek letter α denotes the secret whose knowledge is being proved.
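A Schnorr-style signature of knowledge of a discrete logarithm, the textbook instance of the 3-move protocol and its hash-based non-interactive form described above, given here as an added example that is not the paper's own notation or code. The toy group (`P`, `Q`, `G`), the function names and the simulator are assumptions made for this illustration.

```python
import hashlib
import secrets

# Toy group constructed for this example: G = 4 generates the subgroup of
# prime order Q in Z_P^*, where P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def H(m, y, t):
    """Ideal hash, modelled by SHA-256 over message, statement and commitment."""
    data = m + f"|{G}|{y}|{t}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

# --- interactive 3-move protocol: commit, challenge, respond ---
def commit():
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def respond(alpha, r, c):
    return (r - c * alpha) % Q

def check(y, t, c, s):
    return pow(G, s, P) * pow(y, c, P) % P == t

def simulate(y):
    """Honest-verifier simulator: an accepting transcript made without alpha."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    return pow(G, s, P) * pow(y, c, P) % P, c, s

# --- non-interactive form: the challenge is the hash of the commitment ---
def sok_sign(alpha, m):
    y = pow(G, alpha, P)
    r, t = commit()
    c = H(m, y, t)
    return c, respond(alpha, r, c)

def sok_verify(y, m, sig):
    c, s = sig
    t = pow(G, s, P) * pow(y, c, P) % P  # recompute the commitment
    return c == H(m, y, t)
```

The simulator shows why the interactive protocol is zero-knowledge only against an honest verifier: it must pick the challenge before the commitment, which the hash in the non-interactive form prevents.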

CS98 Encryption Scheme [4]
We give a brief description of the CS98 encryption scheme. Assume that we have a group G of prime order . We also assume that cleartext messages are elements of . We also use a collision-resistant hash function . The scheme is as follows: Randomly chooses , and computes . The public key is $pk \leftarrow (g_1, g_2, c, d, h, H)$, and the private key is $sk \leftarrow (x_1, x_2, y_1, y_2, z)$.

Encryption. Given a message $m \in G$, randomly chooses , and , and then verifies whether the equation 1 1 2 2 1 2 x y x y u u
, , , G G g g

q-Strong Diffie-Hellman Problem. The q-SDH problem in bilinear groups is defined as follows: given a tuple as input where ( , , , , , ) q x x x g g g g g Pr[ ( , , , , , ) ( , )]
Definition 4. We say that the $(q, t, \varepsilon)$-SDH assumption holds in bilinear groups if no $t$-time algorithm has advantage at least
Occasionally we drop the $t, \varepsilon$ and refer to the q-SDH assumption rather than the $(q, t, \varepsilon)$-SDH assumption.

The Model for Group Signature Scheme
Definition 5. A group signature scheme is a signature scheme consisting of the following five procedures:
Setup: A probabilistic algorithm that outputs the initial group public key (including all system parameters) and the secret key for the group manager.
Join: A protocol between the group manager and a user that results in the user becoming a new group member. The user's output is a membership certificate and a membership secret.
Sign: A probabilistic algorithm that, on input a group public key, a membership certificate, a membership secret, and a message $m$, outputs a group signature of $m$.
Verify: An algorithm for establishing the validity of an alleged group signature of a message with respect to a group public key.
Open: An algorithm that, given a message, a valid group signature on it, a group public key and a group manager's secret key, determines the identity of the signer.

New Signature Based on BB Short Signature
In this section, we propose a new type of signature scheme derived from the BB short signature [3], which is as secure as the BB short signature. We will use this new signature scheme as a tool to issue certificates in our group signature scheme.
Our new signature scheme is described as follows: All parameters are just the same as those of Section 2.1. We assume that messages to be signed
We now give the security analysis for the above scheme. With some simple computation, we know that our scheme is correct. Since the equation is equal. Next we prove that our scheme is secure against existential forgery under an adaptive chosen message attack.
Theorem 1. The proposed signature scheme is secure against existential forgery under an adaptive chosen message attack if the ( , , )
This theorem is proven by the following Lemmas 1 and 2.
Lemma 1. If there exists a $(t, q_s, \varepsilon)$-$F$ using adaptive chosen message attack against the proposed signature scheme, then there exists a $(t, q_s, \varepsilon)$-$F$ against the BB short signature scheme.

Proof. We first give a brief description of the BB short signature scheme as follows:
Assume that there exists a $(t, q_s, \varepsilon)$-$F$ using adaptive chosen message attack against the proposed signature scheme, that is, after at most $q_s$ signature queries and at most time, , then we have a forgery on the BB short signature. This is because of .

Key
From the above Lemmas 1 and 2, we know that Theorem 1 is correct.

Group Signature Scheme
This section uses the above-mentioned signature scheme and the CS98 encryption scheme to establish our group signature scheme.
The system parameters are . is bilinear group and a bilinear map is . are generators of correspondingly.
; At last, he makes a signature of knowledge on message :

, , , r r u k
The group signature is (( , ), ( , , , ), )
Verify. By means of verifying the correctness of Δ, we know that the group signature is correct.

Gmsk sk =
, group revocation manager can decrypt to get member's identity . )

Security Analysis of Group Signature Scheme
In paper [6], Bellare et al. put forward three properties which a group signature scheme must satisfy:
Correctness: This property ensures that honestly-generated signatures verify and open correctly.
Full-anonymity: This property ensures that signatures do not reveal their signer's identity.
Full-traceability: This property ensures that all signatures, even those created by the collusion of multiple users and the group manager, trace to a member of the forging coalition.
In the following, we prove the security of the proposed group signature scheme according to the above-mentioned properties.
Theorem 2. The proposed group signature scheme is correct.

Proof. Given the group public key
From paper [4], we know that the CS98 encryption scheme is IND-CCA2 secure, so it is IND-CPA secure. In the following, we suppose there is an adversary A capable of attacking the CPA-full-anonymity of the proposed group signature scheme. We also assume the number of members in the group is n. We show how to construct another adversary B to attack the security of the CS98 encryption scheme in the IND-CPA case.
Adversary B has public key Z as its answer, storing the answer in case the same query is asked again. As a result, we get . Thus, we have obtained signature Z , which has only one more element than that of BBS. Besides, the proposed scheme does not need a trusted third party to issue members' secret keys and certificates, while the BBS scheme does.

Signature
Given the secret key $x, y$ and a message , compute the signature When the verifier receives the signature $(\sigma, r)$, he verifies whether the equation holds. If the equation holds, When the verifier receives the signature $(\sigma, r)$, he verifies whether the equation holds. If the equation holds, g g , the verification of a group signature is equal to the verification of the signature of knowledge Σ Δ . According to the computation in Definition 3 of Section 2.2, we easily know that honestly-generated group signatures are valid. Besides, we could easily recover the signer's identity from in the valid group signature . The process of computation can be found in Section 4.
If the CS98 encryption scheme is semantically secure (IND-CPA) on, then the proposed group signature scheme is CPA-fully-anonymous.

Comparison with BBS Short Group Signature
Compared with the BBS short group signature scheme in paper [7], the security of the BBS short group signature scheme is based on and decision linear Diffie-Hellman assumption under the random oracle model, while the security of the proposed one is on the basis of q S d as its answer to hash query from adversary A. If the queries are the same, the answers also must be the same. At last, adversary A outputs a bit b′, and adversary B treats b′ as the answer to his own challenge.
If the signature scheme in Section 3 is unforgeable under adaptively chosen message attack, then the proposed group signature scheme is fully-traceable.
Theorem 4. *p
Queries. Adversary A asks for a signature on message M by a key of member i. By We know that adversary A can use the simulator in the zero-knowledge proof of knowledge to
Output. Finally, adversary A successfully outputs a forged group signature Σ on message M. We use the group revocation manager private key R Gmsk sk = S ,1