International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 101

A New and Efficient Signature on Commitment

Values

Fangguo Zhang1,3, Xiaofeng Chen2,3, Yi Mu4, and Willy Susilo4

(Corresponding author: Fangguo Zhang)

Department of Electronics and Communication Engineering, Sun Yat-Sen University1

Guangzhou 510275, P. R. China (Email: isszhfg@mail.sysu.edu.cn)

Department of Computer Science, Sun Yat-Sen University, Guangzhou 510275, P. R. China2

Guangdong Key Laboratory of Information Security Technology Guangzhou 510275, P. R. China3

School of IT and Computer Science University of Wollongong, Wollongong, NSW 2522, Australia4

(Received July 15, 2006; revised and accepted Nov. 8, 2006)

Abstract

We present a new short signature scheme based on a vari-ant of the Boneh-Boyen’s short signatures schemes. Ourshort signature scheme is secure without requiring therandom oracle model. We show how to prove a commit-ted value embedded in our short signature. Using thisprimitive, we construct an efficient anonymous credentialsystem.

Keywords: Anonymity, anonymous credentials, commit-ment, signature

1 Introduction

Signature schemes are a central cryptographic primitive.Besides being an important stand-alone application, theyalso constitute a building block in many cryptographicprotocols. One of important applications of signatures isanonymous credential.

The notion of anonymous credential was introduce byChaum [11]. A credential system allows a user to obtaincredentials, and to prove that he has a given set of cre-dentials. An anonymous credential system enables a userto work with his credentials without revealing any infor-mation not explicitly requested. A user should be able toobtain a credential without revealing his identity, and toprove that he has a set of credentials without revealingany information beyond that fact. To be useful for thisapplication, a signature scheme must have efficient pro-tocols for obtaining a signature on a hidden (committed)value, and for proving in zero-knowledge the knowledgeof a signature.

An anonymous credential system should meet some es-sential properties: It should be secure against attacksfrom a coalition of users. It should be able to be usedfor multiple times, i.e., so-called “multi-show”. It isalso essential that one a credential has been issued to a

user, it cannot be transferred to any one else, i.e. “non-transferability”. It is desirable that the overheads of com-munication and computation imposed by a credential sys-tem to users and services must not heavily affect theirperformance.

The studies of anonymous credential have gone throughseveral stages. After its introduction by Chaum, Brandspresented a public key based construction of anonymouscredential in which a user can provide in zero knowledgethat the credentials encoded by its certificate satisfy agiven linear Boolean formula [6]. This scheme allows onlyone show, namely, two transactions from the same usercan be found performed by the same user. Camenisch andLysyanskaya proposed an anonymous credential schemebased on the strong RSA assumption [7]. In this scheme,it is possible to unlinkably prove possession of a creden-tial supporting multi-show property. There are severalother schemes that are based on different security assump-tions. Verheul recently proposed an efficient solution formulti-show credentials based on the security assumptionsof Decisional Diffie-Hellman problem and ComputationalDiffie-Hellman problem [15]. Camenisch and Lysyanskayarecently also proposed generalized anonymous credentialsystems and showed how to construct them from knownsignature and encryption schemes [1].

As claimed by Camenisch and Lysyanskaya [8], in or-der to construct an anonymous credential system, it issufficient to exhibit a commitment scheme, a signaturescheme, and efficient protocols for (1) proving equality oftwo committed values; (2) getting a signature on a com-mitted value (without revealing this value to the signer);and (3) proving knowledge of a signature on a committedvalue.

In this paper, we propose a variant of Boneh-Boyenshort signature scheme without random oracle such thatit can be used as a building block for cryptographic pro-tocols. We provide a protocol to prove knowledge of a sig-

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 102

nature on a committed message and to obtain a signatureon a committed message. Our scheme can be naturallyconverted into an anonymous credential scheme.

The organization of the rest of this paper is as follows.In the next section, we define the definitions and require-ments for signature on commitment values. The Section 3contains some preliminaries required throughout the pa-per. In Section 4, we present a variant of Boneh-Boyenshort signature scheme without random oracle and giveits security analysis. In Section 5 we propose a signa-ture on a committed message. In Section 6, we presenta basic anonymous credential system based the proposedsignature scheme. Section 7 concludes this paper.

2 Definitions and Requirements

Our signature scheme consists of a committer, a signer,and a verifier. The committer commits to a value andthe signer then signs the committed value. Any one canverify the correctness of the signature. The committercan prove to the verifier that he knows the committedvalue embedded in the signature.

Definition 1. Our signature scheme is a 6-tupleof polynomial-time algorithms (KeyGen, Commit, Sign,Verify, Prove, PVerify), where

• KeyGen(1`) is a probabilistic algorithm that takes asinput the security parameter ` and outputs a pair ofkeys (SK,VK) and param0. SK is the user’s signingkey, which is kept secret, and VK the user’s verifica-tion key, which is made public.

• Commit, a probabilistic algorithm, takes as input amessage m from the associated message spaceM anda number a and outputs a commitment c.

• Sign, a probabilistic algorithm, takes as input thesigner’s secret key SK, param0, and the commitmentc and outputs a signature s← SignSK,VK(c).

• Verify is a deterministic algorithm that takes as inputthe signed commitment c and the signer’s public keyVK and outputs true or ⊥.

• Prove is a probabilistic algorithm that takes as inputs and c and outputs (PK, Proof) proving the knowl-edge of the committed m and c without revealing thecommitted values.

• PVerify is a deterministic algorithm that takes as in-put (PK, Proof) and outputs true or ⊥.

Our anonymous multi-show credential scheme is basedthe proposed signature scheme and consists of an orga-nization, a group of users, and a service provider. Theorganization acts as the signer who issues credentials tousers for some service provided by the service provider.

Definition 2. The proposed anonymous multi-show cre-dential scheme is a 5-tuple of polynomial-time algorithms(KeyGen,CIssue,CVerify,CProve,CPVerify).

• KeyGen(1`).

• CIssue: The user uses Commit and the signer usesSign. In the end of the process, the user obtains (c, s).

• CVerify. The user checks the validity of (c, s) usingVerify.

• CProve. Using Prove, the user proves to the serviceprovider about his knowledge on (m, a) and s on c

and outputs (PK, Proof).

• CVerify. The service provider checks the correctnessof (PK, proof) using PVerify.

We define the security notion for our basic signaturescheme only. It is easy to extend it to the anonymousmulti-show credential scheme.

Completeness property for the signature on commit-ment values is defined as follows.

Pr

(SK,VK, param0)← KeyGen(1`) ∧(c, s)← Sign(c, SK) ∧true← Verify(c, s) ∧

(PK,Proof)← Prove(c, s) ∧true← PVerify(PK,Proof)

= 1.

We require our schemes to meet the requirement ofexistentially unforgeable against the chosen message at-tacks. We split it into to properties: Security of signa-ture of commitment and security of proving knowledge ofcommitted message in a signature. Assume there exists aTTP adversary A who launches a chosen message attackagainst our signature scheme and at most asks n queriesto the signing oracle.

Pr

[

true← Verify(c′, s′) ∧ (c′, s′)← A(ci,VK, param0, i = 1, · · · , n)

]

= ε.

Here, ε is negligible.For security of proving knowledge of committed mes-

sage in a signature, we also require statistical zero knowl-edge; that is, it is negligible for an adversary A to obtainany information on m.

Pr[

A knowsm|true← Verify(PK(m),Proof)]

= ε.

3 Preliminaries

3.1 Bilinear Pairings

In recent years, the bilinear pairings have been widelyapplied to cryptography and enable us to construct somenew cryptographic primitives. We briefly review the nec-essary facts about bilinear pairings using the same nota-tion as [2, 4, 5]:

Let G1,G2 be (multiplicative) cyclic groups of primeorder p. Let g1 be a generator of G1 and g2 be a generatorof G2. Let ψ is a computable isomorphism from G2 to G1,with ψ(g2) = g1.

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 103

Definition 3. A map e : G1×G2 → GT (here GT is an-other multiplicative cyclic group such that |G1| = |G2| =|GT | = p) is called a bilinear pairing if this map satisfiesthe following properties:

1) Bilinearity: for all u ∈ G1, v ∈ G2 and a, b ∈ Zp,we have e(ua, vb) = e(u, v)ab.

2) Non-degeneracy: e(g1, g2) 6= 1. In other words, ifg1 be a generator of G1 and g2 be a generator of G2,then e(g1, g2) generates GT .

3) Computability: There is an efficient algorithm tocompute e(u, v) for all u ∈ G1 and v ∈ G2.

We say that (G1,G2) are bilinear groups if there existsa group GT , a computable isomorphism ψ : G2 → G1,and a bilinear pairing e : G1 ×G2 → GT as above.

In this paper, we assume that G1 6= G2. In thiscase, the co-Decision Diffie-Hellman problem (co-DDH)in (G1,G2) is easy, but we can still assume that the De-cision Diffie-Hellman problem (DDH) in G1 is hard.

The following Strong Diffie-Hellman assumption is sug-gested by [2, 13, 16]. [2] also provides a lower bound onthe computational complexity in a generic group model.

Definition 4. (q-SDH problem) The q-Strong Diffie-Hellman problem in (G1,G2) is defined as follows: givena (q + 2)-tuple (g1, g2, g2

γ , · · · , g2γq

) as input, outputs apair (g1

1/γ+x, x) where x ∈ Z∗

p.

An algorithm A has advantage ε in solving q-SDH in(G1,G2) if

Pr[A(g1, g2, g2γ , · · · , g2

γq

) = (g11/γ+x, x)] ≥ ε,

where the probability is over the random choice of gen-erator in g2 ∈ G2, of γ ∈ Z∗

p, and of the random bits ofA.

We say that the (q, t, ε)-SDH assumption holds in(G1,G2) if no t-time algorithm has advantage at leastε in solving the q-SDH problem in (G1,G2).

3.2 Proofs of Knowledge of Discrete Log-

arithms

We will use the notation introduced by Camenisch andStadler [10] for various proofs of knowledge of discretelogarithms. For instance,

PK{(α, β, γ) : y = gαhβ ∧ z = g′αh′γ ∧ (a ≤ α ≤ b)}

is used for proving the knowledge of integers α, β and γ

such that y = gαhβ and z = g′αh′γ holds, where a ≤ α ≤b. Here y, g, h, z, g′ and h′ are elements of some groupsG =< g >=< h > and GT =< g′ >=< h′ >.

3.3 Pedersen Commitment Scheme

Recall the Pedersen commitment scheme [14]: given agroup G of prime order p with generators g and h, a com-mitment to x ∈ Z

∗

p is formed by choosing a random r ∈ Z∗

p

and setting the commitment C = gxhr. This commitmentscheme is information-theoretically hiding, and is bindingunder the discrete logarithm assumption.

4 A Variant of BB04 Signature

Scheme

We describe the new signature scheme as follows. Lete : G1 × G2 → GT be the bilinear pairing where|G1| = |G2| = |GT | = p for some prime p. We assumethat |p| ≥ 160. As for the message space, if the signa-ture scheme is intended to be used directly for signingmessages, then |m| = 160 is good enough, because,given a suitable collision resistant hash function, suchas SHA-1, one can first hash a message to 160 bits, andthen sign the resulting value. So the messages m to besigned can be regarded as an element in Zp. We alsoneed a very efficient and suitable conversion functionfrom G1 to Z

∗

p: [·] : G1 → Z∗

p. The system parameteris (G1, G2,GT , e, p, g1, h, g2, [·]), here g1, h ∈ G1,g2 ∈ G2 are random generators.

Key Generation. Randomly select x, y ∈R Z∗

p,and compute u = gx

2 , v = gy2 . The public key is u, v. The

secret key is x, y.

Signing: Given the secret key x, y ∈R Z∗

p, and amessage m ∈ Zp, compute the signature

σ = (gm1 )

1x+[gm

1 ]+yr ∈ G1.

Here r is randomly selected from Z∗

p. The signature is(r, σ).

Verification: Verify that e(σ, ug[gm

1 ]2 vr) = e(gm

1 , g2).We now give the security theorems and proofs for the

above instantiation.

Lemma 1. If there exists a (t, qS , ε)-forger F using adap-tive chosen message attack for the proposed signaturescheme, then there exists a (t, qS , ε)-forger F for BB04scheme.

Proof. Recall that BB04 signature scheme is describedas follows. The system parameter is same as the abovescheme.

Key Generation. Randomly select x, y ∈R Z∗

p,and compute u = gx

2 , v = gy2 . The public key is u, v. The

secret key is x, y.

Signing: Given the secret key x, y ∈R Z∗

p, and amessage m ∈ Zp, compute the signature

σ = g1

x+m+yr

1 ∈ G1.

The signature is (r, σ).

Verification: Verify that e(σ, ugm2 v

r) = e(g1, g2).

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 104

Suppose that there exists a (t, qS , ε)-forger F usingadaptive chosen message attack for the proposed signa-ture scheme, i.e., after at most qS signatures queries andt processing time, F outputs a valid signature forgery(r, σ) on message m with probability at least ε, here

e(σ, ug[gm

1 ]2 vr) = e(gm

1 , g2).

Let m′ = [gm1 ], σ′ = σm−1

, then we have a forgery onBBS04 scheme. This is because of

e(σ′, ugm′

2 vr) = e(σm−1

, ug[gm

1 ]2 vr) = e(g1, g2).

Theorem 1 ([2]). Suppose the (q, t′, ε′)-SDH assumptionholds in G. Then BBS04 signature scheme is (t, qS , ε)-secure against existential forgery under an adaptive cho-sen message attack provided that

qS < q, ε ≥ 2(ε′ +qS

p) ≈ 2ε′, t ≤ t′ −Θ(q2T ),

where T is the maximum time for an exponentiation in(G1,G2).

So, we have the following theorem:

Theorem 2. The proposed signature scheme is secureagainst existential forgery under an adaptive chosen mes-sage attack if the (q, t′, ε′)-SDH assumption holds in(G1,G2).

5 Obtaining a Signature on a

Committed Value

Following Camenisch and Lysyanskaya, in order to con-struct an anonymous credential system, it is sufficient toexhibit a signature on a committed value. We provide anew signature on a committed value based on the variantof BB04 signature scheme in this section.

The system parameter is (G1, G2, GT , e, p, g1, h, g2,[·]), here g1, h ∈ G1, g2 ∈ G2 are random generators.

KeyGen. Randomly select x, y ∈R Z∗

p, and computeu = gx

2 , v = gy2 . The public key is u, v. The secret key is

x, y.

Commit: Compute c = gm1 h

a.

Sign: Given the secret key x, y ∈R Z∗

p, and a com-mitment c ∈ G1, compute the signature as follows:Randomly select r ∈R Z∗

p, compute

σ = c1

x+[c]+ry ∈ G1.

The signature one c = gm1 h

a is (r, σ).

Verify: Verify that e(σ, ug[c]2 v

r) = e(c, g2).

Prove: The following protocol is a zero-knowledge

proof of knowledge of a signed message for above signa-ture scheme.

Common input. The system parameter is (G1,G2, GT , e, p, g1, h, g2, [·]), and the public key (u, v).

Prover’s input. The committed message m anda, and signature (r, σ).

Protocol. The prover does the following:

1) Compute a blinded version of his signature (r, σ):Randomly select r1, r2 ∈R Z∗

p, and compute

c′ = (ug[c]2 vr)r1 = ur1g

r1[c]2 vrr1 , σ′ = σr2 .

Send (c′, σ′) to the verifier.

2) PVerify. The prover and verifier compute the follow-ing values:

A = e(σ′, c′), B = e(g1, g2), C = e(h, g2)

and then carry out the following zero-knowledgeproof protocols:

ZKP{(α, β, λ1, λ2, λ3)|A

= BαCβ ∧ c′ = uλ1gλ22 vλ3 ∧ λ1 6= 0}.

Here α = mr1r2, β = ar1r2, λ1 = r1, λ2 = r1[c], λ3 =rr1. blind the credential by using two randomly generatenumbers r1, r2. The completeness of the proposed signa-ture scheme on a committed value is obvious. Due to theusing of two randomly generate numbers r1, r2, the proto-col can provide the anonymity. The protocol above useszero-knowledge proof, so, it is a zero-knowledge proof ofa signature on a value.

6 A Multi-show Anonymous Cre-

dential Scheme

Based on the proposed signature scheme, we can now con-struct the multi-show anonymous credential scheme. Wewill follow the notations given previously in this paper.

The system parameter is same as above signaturescheme.

• KeyGen(1`): Generate public (u, v) and private sign-ing key (x, y).

• CIssue: The user commits to (m, a) by computingc = gm

1 ha. and the signer computes the signature on

c: (r, σ = c1

x+[c]+ry ).

• CVerify. The user checks e(σ, ug[c]2 vr)

?= e(c, g2).

• CProve. Using Prove, the user proves to the serviceprovider about his knowledge on (m, a) and (r, σ) on

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 105

c and outputs (PK,Proof). Here, the (Proof) is thezero-knowledge proof:

ZKP{(α, β, λ1, λ2, λ3)|A

= BαCβ ∧ c′ = uλ1gλ22 vλ3 ∧ λ1 6= 0}.

• CVerify. The service provider checks the correctnessof (PK, Proof) using PVerify.

Our credential scheme is of multi-show, i.e., the usercan blind the credential by using two randomly gener-ate numbers r1, r2. The credential itself is never sent tothe service provider in clear. Clearly, our scheme alsosupports non-transferability. To show a credential to theservice provider, the user has to know his secret (m, a).Of course, we have to assume that his secret should notbe given to others. However, it is also not hard for usto modify the scheme such that there exists a revocationmanager who can revoke the identity of the user if needed.

7 Conclusion

In this paper, we propose a variant of Boneh-Boyen shortsignature scheme without random oracle such that it canbe used as a building block for cryptographic protocols.We provide a protocol to prove knowledge of a signatureon a committed message and to obtain a signature ona committed message such that it can be converted intoan efficient multi-show credential scheme. The proposedsignature scheme on a committed value in this paper hasmany good properties, and for the further work, we expectto design a group signature scheme based on this signaturescheme.

Acknowledgements

This work is supported by the National Natural ScienceFoundation of China (No. 60403007, No. 60503006 andNo. 60633030), Natural Science Foundation of Guang-dong Province, China (No. 04205407), 973 Program(2006CB303104) and ARC Discovery Grant DP055749.

References

[1] E. Bangerter, J. Camenisch, and A. Lysyanskaya, “Acryptographc framework for the controlled releaseof certified data,” in Twelfth International Work-shop on Security Protocols, LNCS 3957, pp. 20-42,Springer-Verlag, 2006.

[2] D. Boneh, and X. Boyen, “Short signatures withoutrandom Oracles,” in Advances in Cryptology (Euro-crypt’04), LNCS 3027, pp. 56-73, Springer-Verlag,2004.

[3] D. Boneh, X. Boyen, and H. Shacham, “Short groupsignatures using strong diffie hellman,” in Advancesin Cryptology (Crypto’04), LNCS 3152, pp. 41-55,Springer-Verlag, 2004.

[4] D. Boneh and M. Franklin, “Identity-based encryp-tion from the Weil pairing,” in Advances in Cryptol-ogy (Crypto’01), LNCS 2139, pp. 213-229, Springer-Verlag, 2001.

[5] D. Boneh, B. Lynn, and H. Shacham, “Short sig-natures from the Weil pairing,” in Advances inCryptology (Asiacrypt’01), LNCS 2248, pp. 514-532,Springer-Verlag, 2001.

[6] S. Brands, Rethinking Public Key Infrastructures andDigital Certificates; Bulding in Privacy, MIT Press,2000.

[7] J. Camenisch and A. Lysyanskaya, “Efficient non-transferable anonymous multishow credential systemwith optional anonymity revocation,” in Advances inCryptology (Eurocrypt’01), LNCS 2045, pp. 93-118,Springer-Verlag, 2001.

[8] J. Camenisch and A. Lysyanskaya, “A signaturescheme with efficient protocols,”in Security in Com-munication Networks (SCN’02), LNCS 2576, pp.268-289, Springer-Verlag, 2003.

[9] J. Camenisch and A. Lysyanskaya, “Signatureschemes and anonymous credentials from bilin-ear maps,” in Advances in Cryptology (Crypto’04),LNCS 3152, pp. 56-72, Springer-Verlag, 2004.

[10] J. Camenisch and M. Michels, “Efficient group sig-nature schemes for large group,” in Advances inCryptology (Crypto’97), LNCS 1296, pp. 410-424,Springer-Verlag, 1997.

[11] D. Chaum, “Security without identification:transacation systems to make big brother obsolete,”Communications of ACM, vol. 28, no. 10, pp.1030-1044, Oct. 1985.

[12] A. Joux, “A one round protocol for tripartite Diffie-Hellman,” in 4th International Symposium on Algo-rithmic Number Theory (ANTS IV), LNCS 1838, pp.385-394, Springer-Verlag, 2000.

[13] S. Mitsunari, R. Sakai, and M. Kasahara, “A newtraitor tracing,” IEICE Transactions on Fundamen-tals, vol. E85-A, no. 2, pp. 481-484, 2002.

[14] T. P. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” in Ad-vances in Cryptology (Crypto’91), LNCS 576, pp.129-140. Springer-Verlag, 1992.

[15] E. Verheul, “Self-blindable credential certificatesfrom the Weil pairing,” in Advances in Cryptology(Asiacrypt’01), LNCS 2248, pp. 533-551, Springer-Verlag, 2001.

[16] F. Zhang, R. S. Naini, and W. Susilo, “An efficientsignature scheme from bilinear pairings and its ap-plications,” in Public Key Cryptography (PKC’04),LNCS 2947, pp. 277-290, Springer-Verlag, Singapore,2004.

International Journal of Network Security, Vol.7, No.1, PP.101–106, July 2008 106

Fangguo Zhang is a Professor in theDepartment of Electronics and Com-munication Engineering at Sun Yan-sen University in Guangzhou, China.He obtained his Ph.D. degree in Cryp-tography from School of Communi-cation Engineering, Xidian Universityin 2001. His main research interests

include elliptic curve cryptography, pairing-based cryp-tosystem and its applications.

Xiaofeng Chen is an Associate Pro-fessor in the Department of ComputerScience at Sun Yan-sen University,Guangzhou, China. He obtained hisPh.D. degree in Cryptography fromSchool of Communication Engineer-ing, Xidian University in 2003. Hismain research interests include public

key cryptography and E-commerce security.

Yi Mu received his PhD fromthe Australian National University in1994. He was a lecturer in the Schoolof Computing and IT at the Universityof Western Sydney and a senior lec-turer in the Department of Computingat Macquarie University. He currentlyis an associate professor in the Infor-

mation Technology and Computer Science, University ofWollongong. His current research interests include net-work security, computer security, and cryptography. YiMu has published more than 140 research papers in inter-national conferences and journals. He has served in tech-nical program committees of a number of internationalconferences and the editorial boards of six internationaljournals. He is a senior member of the IEEE, and a mem-ber of the IACR.

Willy Susilo received a Ph.D. inComputer Science from University ofWollongong, Australia. He is cur-rently an Associate Professor at theSchool of Information Technology andComputer Science of the University ofWollongong. He is the coordinatorof Network Security Research Labora-

tory at the University of Wollongong. His research inter-ests include cryptography, information security, computersecurity and network security. His main contribution isin the area of digital signature schemes, in particular fail-stop signature schemes and short signature schemes. Hehas served as a program committee member in a numberof international conferences. He has published numerouspublications in the area of digital signature schemes andencryption schemes.