1 Introduction

With the development of the Internet, fair exchange has been applied to online transactions. In fair exchange, two involved parties exchange goods with each other fairly. However, most existing protocols cannot protect the privacy of the exchanging parties. Suppose one person wants to exchange a file with company B on behalf of company A, but does not want to expose his identity. This is a major challenge for fair exchange protocols, since most of them use verifiably encrypted signatures (VES), which expose the identities of the two parties in the transaction.

A VES is an encrypted signature whose validity can be checked without decryption. As stated in [17, 20], a VES scheme consists of a signature scheme and an encryption scheme. Boneh et al. first proposed a VES scheme [6], constructed from aggregate signatures. Lu et al. [17] and Nishimaki and Xagawa [18] independently proposed VES schemes that are both secure in the standard model; however, their private key size is rather large. Besides, the scheme of Nishimaki and Xagawa is based on Waters’ dual signature scheme, leading to large signatures. Rückert and Schröder [20] proposed a VES scheme based on a short signature scheme [4], which is efficient due to its short verification key. However, most existing VES schemes are based on Public Key Infrastructure (PKI), leading to a high cost for the authentication and management of public keys. This problem can be solved by using identity-based cryptosystems. Gu et al. [16] proposed an identity-based VES scheme with random oracles; however, their scheme was proved to be insecure [21]. Zhang et al. [22] then proposed an identity-based VES scheme in the standard model, but their scheme is only a weak version of identity-based VES [15]. Besides, none of the above schemes can protect the anonymity of the signer, so we have to use another technique, called group signature.

Group signatures were first introduced by Chaum and van Heyst [11]. A group signature allows an authorized user to generate a signature on behalf of a group while hiding his identity from others. In their paper, they gave the basic ideas behind group signatures and presented four group signature schemes, but they did not give precise security definitions. Several related works followed [2, 3, 5, 13]; however, all of them are either too inefficient or only provably secure with random oracles. Bellare et al. [9] were the first to formalize the security definitions of group signatures and presented a group signature scheme that is secure in the standard model. Ateniese et al. [1] also proposed a group signature scheme that is secure without random oracles. However, all of the above schemes use zero-knowledge (ZK) proof techniques, which are inefficient. Later, Boyen and Waters [10] constructed a group signature scheme without ZK proofs, and their scheme is provably secure in the standard model.

Motivated by the above works, we formalize a new concept called verifiably encrypted group signature (VEGS), derived from verifiably encrypted signature (VES) and group signature. Consequently, a VEGS has properties of both a VES and a group signature: it can be checked without decryption and it protects the signer’s anonymity. Besides, if a dispute arises, a trusted party can trace the identity of the signer. Thus VEGSs can be used to construct fair exchange protocols that hide the identities of the parties in the transaction.

For example, if Alice wishes to exchange signatures on a file with company B on behalf of company A and does not want to expose her identity, she can use a VEGS instead of an ordinary signature to complete the exchange. Alice first sends a VEGS to company B. Then a staff member of company B (Bob) checks whether the VEGS is valid. If it is valid, Bob generates a group signature and sends it to company A. Alice then checks whether Bob’s group signature is valid and, if so, sends her own group signature to company B. If Alice does not send her group signature to B, B sends the VEGS together with Bob’s group signature to the adjudicator. If both are valid, the adjudicator recovers Alice’s original group signature and returns it to company B. The exchange reveals nothing about the identities of Alice and Bob, due to the anonymity of the group signature and the VEGS. If someone denies having generated the VEGS or the group signature, the group manager can trace the identity of the signer. VEGS also has other useful applications, such as online data exchange and online contract signing, and these properties make it appealing to explore the potential of VEGS.

1.1 Our Contributions

We formalize a new concept, verifiably encrypted group signature (VEGS), which combines verifiably encrypted signature (VES) and group signature. VEGSs are encrypted group signatures that protect the anonymity of the signers, and their validity can be checked without decryption. In a VEGS scheme, the group master key and the group tracing key are generated by the group master, and the group manager keeps the group tracing key. A user generates a group signature with his private key, then encrypts it with the adjudicator’s public key and obtains a VEGS. A verifier checks whether the VEGS is valid. The group manager can open the VEGS and trace the identity of the signer if necessary. The adjudicator can extract the original group signature from the VEGS with his private key.

We define the security properties required of VEGS schemes, namely full-anonymity, full-traceability, unforgeability, opacity and extractability. Full-anonymity means that no one except the group manager can reveal the identity of the signer. Full-traceability means that the group manager can trace any valid VEGS to a valid identity. Unforgeability guarantees that no one can forge a VEGS without a signing key. Opacity means that no one can extract a valid group signature from a VEGS without the adjudicator’s private key. Extractability guarantees that if a VEGS is valid, then the adjudicator can extract the original group signature from it.

We propose the first concrete VEGS scheme by combining the Boyen-Waters group signature scheme [10] with the ElGamal encryption scheme [14]. We then prove that our VEGS scheme is secure in the standard model. Finally, we discuss extensions of our VEGS scheme.

1.2 Outline

The rest of the paper is organized as follows. In Sect. 2 we give the relevant notions. In Sect. 3 we present the definition of a VEGS scheme and its security definitions. In Sect. 4 we propose our concrete VEGS scheme and prove that it is secure in the standard model. In Sect. 5 we discuss extensions of our VEGS scheme. Finally, we conclude in Sect. 6.

2 Preliminaries

In this section, we briefly review bilinear maps and the complexity assumptions that are essential to our construction.

2.1 Bilinear Maps

In this paper, we use composite order bilinear groups as described in [7]. Let \(\mathbb {G}\) and \(\mathbb {G}_{T}\) be finite cyclic groups of order n, where \(n=pq\) is the product of two large primes p and q, and let g be a generator of \(\mathbb {G}\). A map \(e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) is called an efficient bilinear map if it satisfies the following properties:

  • Bilinearity: For all \(a,b\in \mathbb {Z}_{n}\), we have \(e(g^{a},g^{b})=e(g,g)^{ab}\). Clearly, bilinearity implies that for all \(g_{1},g_{2},g_{3}\in \mathbb {G}\), we have \(e(g_{1},g_{3})e(g_{2},g_{3})=e(g_{1}g_{2},g_{3})\).

  • Non-degeneracy: \(e(g,g)\ne 1\). In other words, the element \(e(g,g)\) is a generator of \(\mathbb {G}_{T}\).

  • Efficiency: e is efficiently computable.

2.2 Complexity Assumptions

The security of our VEGS scheme is based on the subgroup decision assumption, the CDH assumption and the aggregate extraction assumption. The subgroup decision assumption is based on the hardness of factoring [7], and the aggregate extraction assumption is a variant of the CDH assumption, so all assumptions employed in our scheme are basic ones. We briefly review them below.

Subgroup Decision problem: Let \(\mathbb {G}\) and \(\mathbb {G}_{T}\) be finite cyclic groups of order \(n=pq\), let \(\mathbb {G}_{p}\) and \(\mathbb {G}_{q}\) be the subgroups of \(\mathbb {G}\) of order p and q respectively, and let \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) be a bilinear map. Given \(w\in \mathbb {G}\) chosen at random, decide whether \(w\in \mathbb {G}_{q}\).

The subgroup decision assumption is as follows.

Definition 1

The \((t,\epsilon )\)-subgroup decision assumption holds if no adversary running in time at most t has advantage at least \(\epsilon \) in solving the subgroup decision problem.

CDH problem: Given g, \(g^{a}\), \(g^{b}\), compute \(g^{ab}\).

If the probability that adversary \(\mathcal {B}\) solves the CDH problem is at least \(\epsilon \), then we have

$$Pr[\mathcal {B}(g,g^{a},g^{b})=g^{ab}]\ge \epsilon .$$

The CDH assumption is as follows.

Definition 2

The \((t,\epsilon )\)-CDH assumption holds if no adversary running in time at most t has advantage at least \(\epsilon \) in solving the CDH problem on \(\mathbb {G}\).

The aggregate extraction problem: Given \(\mathbb {G}\), \(\mathbb {G}_{p}\), \(\mathbb {G}_{q}\), \(n=pq\), p, q, g, \(g^{a}\), \(g^{b}\), \(g^{\delta }\), \(g^{\zeta }\) and \(g^{ab+\delta \zeta }\), compute \(g^{ab}\).

If the probability that adversary \(\mathcal {B}\) solves the aggregate extraction problem is at least \(\epsilon \), then we have

$$Pr[\mathcal {B}(g,g^{a},g^{b},g^{\delta },g^{\zeta },g^{ab+\delta \zeta })=g^{ab}]\ge \epsilon .$$

The aggregate extraction assumption is as follows.

Definition 3

The \((t,\epsilon )\)-aggregate extraction assumption holds if no adversary running in time at most t has advantage at least \(\epsilon \) in solving the aggregate extraction problem on \(\mathbb {G}\).

3 Modelling VEGS

3.1 Definition of VEGS Scheme

A VEGS scheme works as follows. A group master sets up the system and distributes the keys of users. A group manager keeps the group tracing key, which can be used to reveal a user’s identity from a VEGS. Group members first register in the system with their identities and obtain their signing keys. They then generate group signatures with their signing keys, encrypt them with the adjudicator’s public key and finally obtain VEGSs. A verifier can check whether a VEGS is valid without decrypting it. The adjudicator can recover the original group signature from the VEGS with his private key.

A VEGS scheme consists of the following algorithms: \(\textsf {Setup}\), \(\textsf {AKG}\), \(\textsf {Enroll}\), \(\textsf {Sign}\), \(\textsf {Verify}\), \(\textsf {VESign}\), \(\textsf {VEVerify}\), \(\textsf {Open}\), \(\textsf {Adj}\).

\(\textsf {Setup}\): \(\textsf {Setup}\) takes as input security parameter \(1^{\lambda }\), and outputs public parameters \(\texttt {param}\) for verification, a master key \(\textsf {MK}\) for enrollment of users, and a tracing key \(\textsf {TK}\) for revealing the identity from the VEGS.

\(\textsf {AKG}\): \(\textsf {AKG}\) takes as input security parameter \(1^{\lambda }\), and outputs a pair of keys \((SK_{T},PK_{T})\) for the adjudicator.

\(\textsf {Enroll}\): \(\textsf {Enroll}\) takes as input a user’s identity \(\mathfrak {u}\) and the master key \(\textsf {MK}\), and outputs a signing key \(sk_{\mathfrak {u}}\) for the group member.

\(\textsf {Sign}\): \(\textsf {Sign}\) takes as input a message \(\mathfrak {m}\) and the signing key \(sk_{\mathfrak {u}}\), and outputs a group signature \(\sigma \).

\(\textsf {Verify}\): \(\textsf {Verify}\) takes as input a message \(\mathfrak {m}\), a group signature \(\sigma \) and the public parameters \(\texttt {param}\), and outputs a bit \(b\in \{0,1\}\). If \(b=0\), the group signature is invalid; otherwise, it is valid.

\(\textsf {VESign}\): \(\textsf {VESign}\) takes as input a message \(\mathfrak {m}\), a signing key \(sk_{\mathfrak {u}}\) and the adjudicator’s public key \(PK_{T}\), and outputs a VEGS \(\omega \).

\(\textsf {VEVerify}\): \(\textsf {VEVerify}\) takes as input a message \(\mathfrak {m}\), a VEGS \(\omega \) and the public parameters \(\texttt {param}\), and outputs a bit \(b\in \{0,1\}\). If \(b=0\), the VEGS is invalid; otherwise, it is valid.

\(\textsf {Open}\): \(\textsf {Open}\) takes as input the tracing key \(\textsf {TK}\) and a VEGS \(\omega \), and outputs the identity \(\mathfrak {u}\) of the signer.

\(\textsf {Adj}\): \(\textsf {Adj}\) takes as input a VEGS \(\omega \) and the adjudicator’s private key \(SK_{T}\), and outputs the original group signature \(\sigma \).

A VEGS scheme \(\textsf {VEGS}=(\textsf {Setup},\textsf {AKG},\textsf {Enroll},\textsf {Sign},\textsf {Verify},\textsf {VESign}, \textsf {VEVerify},\textsf {Open},\textsf {Adj})\) is correct if for all \((\texttt {param},\textsf {MK},\textsf {TK})\leftarrow \textsf {Setup}(1^{\lambda })\), \((SK_{T},PK_{T})\leftarrow \textsf {AKG}(1^{\lambda })\), \(\mathfrak {u}\), \(sk_{\mathfrak {u}}\leftarrow \textsf {Enroll}(\textsf {MK},\mathfrak {u})\), \(\mathfrak {m}\), and \(\omega \leftarrow \textsf {VESign}(\mathfrak {m},sk_{\mathfrak {u}},PK_{T})\), it always holds that \(\textsf {VEVerify}(\mathfrak {m},\textsf {VESign}(\mathfrak {m},sk_{\mathfrak {u}},PK_{T}),PK_{T},\texttt {param})=1\) and \(\textsf {Verify}(\mathfrak {m},\textsf {Adj}(\textsf {VESign}(\mathfrak {m},sk_{\mathfrak {u}},PK_{T}),SK_{T}), \texttt {param},\mathfrak {u})=1\).

3.2 Security Definitions

Security is essential for VEGS schemes. Informally, a VEGS scheme is secure if it satisfies the following properties: anonymity, traceability, unforgeability, opacity and extractability. Briefly, anonymity means that given a valid VEGS, no one can extract the identity of the signer except the group manager, who keeps the group tracing key. Traceability means that the group manager can open any valid VEGS and reveal the identity of the signer. In this paper, we give stronger notions of anonymity and traceability, called full-anonymity and full-traceability [9]. We define these properties under a stronger attack, in which the adversary has access to the private key oracle, the group signing oracle and the VESign oracle. For full-traceability, the adversary is even given the tracing key. Unforgeability means that no one can forge a VEGS without a signing key. Opacity means that no one can extract a valid group signature from a VEGS without the adjudicator’s private key. Finally, extractability is also a necessary property: it guarantees that a valid group signature can be extracted from any valid VEGS. Formally, we define these properties by the following games.

Definition 4

Full-anonymity is defined by the game \(\textsf {Game}_{Anoy}(\lambda )\). The involved parties in the game are a challenger and an adversary \(\mathcal {A}\).

  • Setup. The challenger sets up the system, generates the system parameters and sends the public parameters to \(\mathcal {A}\).

  • Query. \(\mathcal {A}\) may make the following queries. When \(\mathcal {A}\) submits an identity \(\mathfrak {u}\) and asks for a private key, the challenger runs \(\textsf {Enroll}\) and returns the signing key \(sk_{\mathfrak {u}}\) to \(\mathcal {A}\); \(\mathcal {A}\) can make at most \(q_{1}\) signing key queries. When \(\mathcal {A}\) submits an identity \(\mathfrak {u}\) and a message \(\mathfrak {m}\) and asks for a group signature or a VEGS, the challenger runs \(\textsf {Sign}\) or \(\textsf {VESign}\) and returns a group signature \(\sigma \) or a VEGS \(\omega \); \(\mathcal {A}\) can make at most \(q_{2}\) group signature queries and \(q_{3}\) VEGS queries. When \(\mathcal {A}\) submits a message \(\mathfrak {m}\) and a VEGS \(\omega \) and asks for adjudication, the challenger first checks whether \(\omega \) is valid; if it is not, the challenger returns \(\bot \), otherwise it runs \(\textsf {Adj}\) and returns a group signature \(\sigma \). \(\mathcal {A}\) can make at most \(q_{4}\) adjudication queries.

  • Challenge. \(\mathcal {A}\) randomly chooses two identities \(\mathfrak {u}_{1}\), \(\mathfrak {u}_{2}\) of the same length and a message \(\mathfrak {m}^{*}\), and sends them to the challenger. The challenger randomly picks a bit \(b\in \{0,1\}\), generates a private key for \(\mathfrak {u}_{b}\), and returns a VEGS \(\omega _{b}\leftarrow \textsf {VESign}(\mathfrak {m}^{*},sk_{\mathfrak {u}_{b}},PK_{T})\) to \(\mathcal {A}\).

  • Guess. Finally, \(\mathcal {A}\) outputs a bit \(b^{\prime }\in \{0,1\}\) as a guess of b.

Define the advantage of \(\mathcal {A}\) in the above game as

$$\begin{aligned} Adv_{\mathcal {A}}^{Anon}&=|Pr[b^{\prime }=b]-\frac{1}{2}|. \end{aligned}$$

A VEGS scheme is fully-anonymous if for every probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in the above game is negligible. Since we use the “selective-identity, adaptive-message” attack [10] in the above game, we call this the CPA-ID (chosen-plaintext attack, selective identity) model.

Definition 5

Full-traceability is defined by the game \(\textsf {Game}_{Trac}(\lambda )\) which is played by a challenger and an adversary \(\mathcal {A}\).

  • Setup. The challenger sets up the system, generates the system parameters and sends the public parameters to \(\mathcal {A}\). In this step, \(\mathcal {A}\) can also get the group tracing key.

  • Query. In this step, \(\mathcal {A}\) does the same thing as he does in \(\textsf {Game}_{Anoy}(\lambda )\).

  • Forge. Finally, \(\mathcal {A}\) outputs a pair \((\mathfrak {m}^{*},\omega ^{*})\). The challenger first checks whether the VEGS is valid; if it is invalid, the challenger returns \(\bot \). Otherwise, the challenger runs \(\textsf {Open}\) and obtains an identity \(\mathfrak {u}^{*}\). Let \(\mathcal {U}\) be the set of all queried identities. If \(\mathfrak {u}^{*}\in \mathcal {U}\), the challenger returns \(\bot \). If \(\mathfrak {u}^{*}\notin \mathcal {U}\) and \(\mathcal {A}\) has queried neither the private key of identity \(\mathfrak {u}^{*}\) nor a group signature or VEGS on \((\mathfrak {u}^{*},\mathfrak {m}^{*})\), then \(\mathcal {A}\) wins the game.

A VEGS scheme is said to be fully-traceable if for every PPT adversary \(\mathcal {A}\), the probability that \(\mathcal {A}\) wins in the above game is negligible.

Note that our definition of full-traceability directly implies unforgeability, so we do not give further details about unforgeability: a fully-traceable VEGS scheme is necessarily unforgeable.

Definition 6

Opacity is defined by the game \(\textsf {Game}_{Opac}(\lambda )\) which is played by a challenger and an adversary \(\mathcal {A}\).

  • Setup. The challenger sets up the system, generates the system parameters and sends the public parameters to \(\mathcal {A}\).

  • Query. In this step, \(\mathcal {A}\) does the same thing as he does in \(\textsf {Game}_{Anoy}(\lambda )\).

  • Forge. Finally, \(\mathcal {A}\) outputs a pair \((\mathfrak {m}^{*},\sigma ^{*})\). The challenger first checks whether the group signature \(\sigma ^{*}\) is valid; if it is invalid, the challenger returns \(\bot \). If \(\sigma ^{*}\) is valid and \(\mathcal {A}\) has queried neither the private key of identity \(\mathfrak {u}^{*}\) nor a group signature on \((\mathfrak {u}^{*},\mathfrak {m}^{*})\), then \(\mathcal {A}\) wins the game.

A VEGS scheme is said to be opaque if for every PPT adversary \(\mathcal {A}\), the probability that \(\mathcal {A}\) wins in the above game is negligible.

Definition 7

Extractability is defined by the game \(\textsf {Game}_{Extr}(\lambda )\) which is played by a challenger and an adversary \(\mathcal {A}\).

  • Setup. The challenger sets up the system, generates the system parameters and sends the public parameters to \(\mathcal {A}\).

  • Query. In this step, \(\mathcal {A}\) does the same thing as he does in \(\textsf {Game}_{Anoy}(\lambda )\).

  • Forge. Finally, \(\mathcal {A}\) submits a tuple \((\mathfrak {m}^{*},\omega ^{*},\texttt {param}^{*})\) to the challenger.

  • Extract. The challenger runs \(\textsf {Adj}\) and gets a group signature \(\sigma ^{*}\). If \(\textsf {VEVerify}(\mathfrak {m}^{*},\omega ^{*},PK_{T},\texttt {param}^{*})=1\) and \(\textsf {Verify}(\mathfrak {m}^{*},\sigma ^{*},\texttt {param}^{*})=0\), then \(\mathcal {A}\) wins in the game.

A VEGS scheme is extractable if for every PPT adversary \(\mathcal {A}\), the probability that \(\mathcal {A}\) wins in the above game is negligible.

4 VEGS Scheme

In this section, we present our VEGS scheme, which is based on the Boyen-Waters group signature scheme [10] and the ElGamal encryption scheme [14]. The VEGS scheme consists of the following algorithms: \(\textsf {Setup}\), \(\textsf {AKG}\), \(\textsf {Enroll}\), \(\textsf {Sign}\), \(\textsf {Verify}\), \(\textsf {VESign}\), \(\textsf {VEVerify}\), \(\textsf {Open}\), \(\textsf {Adj}\).

4.1 Construction of VEGS Scheme

\(\textsf {Setup}\): Take as input a security parameter \(1^{\lambda }\) and set up the system as follows. Let \(\mathbb {G}\) and \(\mathbb {G}_{T}\) be finite cyclic groups of order \(n=pq\), let \(\mathbb {G}_{p}\) and \(\mathbb {G}_{q}\) be the subgroups of \(\mathbb {G}\) of order p and q respectively, and let \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\) be a bilinear map. Choose generators \(g\in \mathbb {G}\) and \(h\in \mathbb {G}_{q}\), and a secret value \(\alpha _{1}\in \mathbb {Z}_{n}\) at random. Besides, choose random \(g_{2},u^{\prime },u_{1},...,u_{n_{u}},m^{\prime },m_{1},...,m_{n_{m}}\in \mathbb {G}\), and set \(g_{1}=g^{\alpha _{1}}\), the master key \(\textsf {MK}=g_{2}^{\alpha _{1}}\) and the group tracing key \(\textsf {TK}=q\). The public parameters are \(\texttt {param}=(g,h,g_{1},g_{2},u^{\prime },u_{1},...,u_{n_{u}},m^{\prime },m_{1},...,m_{n_{m}})\).

\(\textsf {AKG}\): Choose a secret value \(\alpha _{T}\in \mathbb {Z}_{n}\), and set the adjudicator’s keys as \((SK_{T},PK_{T})=(\alpha _{T},g^{\alpha _{T}})\).

\(\textsf {Enroll}\): Let \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) (\(k_{i}^{u}\in \{0,1\}\)) be the identity of a group member. His signing key is generated as follows: choose \(r_{u}\in \mathbb {Z}_{n}\) at random and compute

$$\begin{aligned} sk_{\mathfrak {u}}=d_{\mathfrak {u}}=(d_{1},d_{2},d_{3})=\left( g_{2}^{\alpha _{1}}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}}, g^{r_{u}},h^{r_{u}}\right) \!. \end{aligned}$$

\(\textsf {Sign}\): Suppose a user with identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) wishes to generate a group signature on message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\). He proceeds as follows. First, choose \(r_{u}^{\prime },r_{m},t_{1},...,t_{n_{u}}\in \mathbb {Z}_{n}\) at random and set \(t=\sum _{i=1}^{n_{u}}t_{i}\). Then compute

$$\begin{aligned} \sigma _{1}&= g_{2}^{\alpha _{1}}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \sigma _{2}&= g^{r_{u}+r_{u}^{\prime }},\\ \sigma _{3}&= g^{r_{m}},\\ \sigma _{4}&= h^{t},\\ \sigma _{5}&= \sigma _{2}^{t} = g^{(r_{u}+r_{u}^{\prime })t},\\ c_{i}&=u_{i}^{k_{i}^{u}}\cdot h^{t_{i}},\\ \pi _{i}&=(u_{i}^{2k_{i}^{u}-1}\cdot h^{t_{i}})^{t_{i}},\\ \sigma&=(\sigma _{1},\sigma _{2},\sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

For simplicity, let \(c=u^{\prime }\prod _{i=1}^{n_{u}}c_{i}\) and \(M=m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\), then we have \(\sigma _{1}=g_{2}^{\alpha _{1}}c^{r_{u}+r_{u}^{\prime }}M^{r_{m}}\).

\(\textsf {Verify}\): If a verifier wishes to check whether a group signature \(\sigma \) is valid, he first computes \(c=u^{\prime }\prod _{i=1}^{n_{u}}c_{i}\) and \(M=m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\), then checks whether the following equations hold:

$$\forall i=1,...,n_{u} : e(c_{i},u_{i}^{-1}c_{i})\overset{?}{=}e(h,\pi _{i}).$$

If all of them hold, he then checks whether the following two equations hold:

$$\begin{aligned} e(\sigma _{1},g)\overset{?}{=}e(g_{2},g_{1})e(c,\sigma _{2}) e(M,\sigma _{3}). \end{aligned}$$
$$\begin{aligned} e(\sigma _{2},\sigma _{4})\overset{?}{=}e(\sigma _{5},h). \end{aligned}$$

If both equations hold, then the group signature \(\sigma =(\sigma _{1},\sigma _{2},\sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}})\) is valid.

\(\textsf {VESign}\): To create a VEGS of identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) on message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\), the signer first generates a group signature \(\sigma \) as above, then chooses a random \(s\in \mathbb {Z}_{n}\) and computes

$$\begin{aligned} \omega _{1}&= (PK_{T})^{s}\cdot \sigma _{1} = (PK_{T})^{s} g_{2}^{\alpha _{1}}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \omega _{2}&= g^{s}, \\ \omega _{3}&= \sigma _{2} =g^{r_{u}+r_{u}^{\prime }},\\ \omega _{4}&= \sigma _{3} = g^{r_{m}},\\ \omega _{5}&= \sigma _{4} = h^{t},\\ \omega _{6}&= \sigma _{5} = g^{(r_{u}+r_{u}^{\prime })t},\\ \omega&=(\omega _{1},\omega _{2},\omega _{3},\omega _{4},\omega _{5},\omega _{6},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

In fact, only \(\sigma _{1}\) is encrypted, because the other parts of the group signature are independent of the message \(\mathfrak {m}\) and the identity \(\mathfrak {u}\).

\(\textsf {VEVerify}\): To verify whether a VEGS is valid, a verifier checks whether the following equations hold:

$$\forall i=1,...,n_{u} : e(c_{i},u_{i}^{-1}c_{i})\overset{?}{=}e(h,\pi _{i}),$$
$$\begin{aligned} e(\omega _{1},g)\overset{?}{=}e(PK_{T},\omega _{2})e(g_{2},g_{1})e(c,\omega _{3}) e(M,\omega _{4}), \end{aligned}$$
$$\begin{aligned} e(\omega _{3},\omega _{5})\overset{?}{=}e(\omega _{6},h). \end{aligned}$$

where \(c=u^{\prime }\prod _{i=1}^{n_{u}}c_{i}\) and \(M=m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\). If all equations hold, the VEGS is valid; otherwise, it is invalid.

\(\textsf {Open}\): When necessary, the group manager recovers the signer’s identity from the VEGS as follows. For each \(i=1,...,n_{u}\), if \((c_{i})^{q}=g^{0}\) (the identity element, i.e., \(c_{i}\in \mathbb {G}_{q}\)), the group manager sets \(k_{i}^{u}=0\); otherwise, he sets \(k_{i}^{u}=1\). Finally, the group manager outputs the signer’s identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\).

\(\textsf {Adj}\): Take as input a VEGS \(\omega \) and the adjudicator’s private key \(SK_{T}\), and output the original group signature as follows.

$$\begin{aligned} \sigma _{1}&= \frac{\omega _{1}}{\omega _{2}^{\alpha _{T}}} = g_{2}^{\alpha _{1}}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \sigma _{2}&= \omega _{3} = g^{r_{u}+r_{u}^{\prime }},\\ \sigma _{3}&= \omega _{4} = g^{r_{m}},\\ \sigma _{4}&= \omega _{5} = h^{t},\\ \sigma _{5}&= \omega _{6} = g^{(r_{u}+r_{u}^{\prime })t},\\ \sigma&=(\sigma _{1},\sigma _{2},\sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

The correctness of our scheme follows directly from the construction, so we omit the proof.

4.2 Security

Our VEGS scheme is secure in the standard model, i.e., it satisfies all properties described in Subsect. 3.2. We now prove this.

Theorem 1

Our VEGS scheme is fully-anonymous (under CPA-ID attack) if the subgroup decision assumption holds.

We omit the proof, since a similar proof is given in [10].

Theorem 2

Our VEGS scheme is fully-traceable if the underlying signature scheme is unforgeable.

Proof

Suppose an adversary \(\mathcal {A}\) breaks the full-traceability of our VEGS scheme with advantage at least \(\epsilon \). Then there exists an adversary \(\mathcal {B}\) that breaks the unforgeability of the underlying identity-based signature scheme [10] (also called a two-level signature scheme) with the same advantage. \(\mathcal {B}\) plays the game \(\textsf {Game}_{Trac}(\lambda )\) with \(\mathcal {A}\), acting as the simulator. At the same time, \(\mathcal {B}\) plays the unforgeability game of the underlying signature scheme against his own challenger and tries to break that scheme. To complete the simulation, we assume that \(\mathcal {B}\) plays the unforgeability game in \(\mathbb {G}_{p}\), while he plays \(\textsf {Game}_{Trac}(\lambda )\) in \(\mathbb {G}\). We show how to construct \(\mathcal {B}\).

  • Setup. \(\mathcal {B}\) gets the parameters of the signature scheme from his challenger, \(\texttt {param}_{\mathbb {G}_{p}}=(\tilde{g},\tilde{g}_{1}=\tilde{g}^{\alpha },\tilde{g}_{2},\tilde{u}^{\prime }, \tilde{u}_{1},...,\tilde{u}_{n_{u}},\tilde{m}^{\prime }, \tilde{m}_{1},...,\tilde{m}_{n_{m}})\in \mathbb {G}_{p}^{n_{u}+n_{m}+3}\). Then \(\mathcal {B}\) chooses \((\hat{g},\hat{g}_{1}=\hat{g}^{\beta },\hat{g}_{2},h,\hat{u}^{\prime },\hat{u}_{1},...,\hat{u}_{n_{u}},\hat{m}^{\prime }, \hat{m}_{1},...,\hat{m}_{n_{m}})\in \mathbb {G}_{q}^{n_{u}+n_{m}+4}\) randomly, and sets the public parameters as,

    $$\begin{aligned} \texttt {param}_{\mathbb {G}}=(g=\tilde{g}\hat{g},g_{1}=\tilde{g}_{1}\hat{g}_{1},&~g_{2}=\tilde{g}_{2}\hat{g}_{2},h, u^{\prime }=\tilde{u}^{\prime }\hat{u}^{\prime },u_{1}=\tilde{u}_{1}\hat{u}_{1}, ...,u_{n_{u}}=\tilde{u}_{n_{u}}\hat{u}_{n_{u}},\\&m^{\prime }=\tilde{m}^{\prime }\hat{m}^{\prime }, m_{1}=\tilde{m}_{1}\hat{m}_{1},...,m_{n_{m}}=\tilde{m}_{n_{m}}\hat{m}_{n_{m}}). \end{aligned}$$

    Besides, \(\mathcal {B}\) chooses a random value \(\alpha _{T}\in \mathbb {Z}_{n}\) and sets the adjudicator’s key pair as \((SK_{T},PK_{T})=(\alpha _{T},g^{\alpha _{T}})\). Then \(\mathcal {B}\) sends \(\texttt {param}_{\mathbb {G}}\), \(PK_{T}\) and the tracing key \(\textsf {TK}=q\) to \(\mathcal {A}\). The parameters are distributed identically to what \(\mathcal {A}\) expects.

  • Query. In this step, \(\mathcal {A}\) can make queries for private keys, group signatures and VEGSs. When \(\mathcal {A}\) asks for the signing key of identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\), \(\mathcal {B}\) asks his challenger for the signing key of the same identity \(\mathfrak {u}\) and receives the signing key of the underlying signature scheme, \(\tilde{sk}_{\mathfrak {u}}=\tilde{d}_{\mathfrak {u}}=(\tilde{d}_{1},\tilde{d}_{2}) =(\tilde{g}_{2}^{\alpha }(\tilde{u}^{\prime }\prod _{i=1}^{n_{u}}\tilde{u}_{i}^{k_{i}^{u}})^{\tilde{r}_{u}}, \tilde{g}^{\tilde{r}_{u}})\). Then \(\mathcal {B}\) chooses \(\hat{r}_{u}\in \mathbb {Z}_{q}\) and computes

    $$\begin{aligned} sk_{\mathfrak {u}}=d_{\mathfrak {u}}=(d_{1},d_{2},d_{3})=\left( \tilde{d}_{1}\hat{g_{2}}^{\beta } \left( \hat{u}^{\prime }\prod _{i=1}^{n_{u}}\hat{u}_{i}^{k_{i}^{u}}\right) ^{\hat{r}_{u}}, \tilde{d}_{2}\hat{g}^{\hat{r}_{u}},h^{\hat{r}_{u}}\right) . \end{aligned}$$

    It is obvious that the private keys generated by \(\mathcal {B}\) have the same distribution as the real ones. If \(\mathcal {A}\) asks for a group signature of identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) on message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\), \(\mathcal {B}\) submits the same identity \(\mathfrak {u}\) and the same message \(\mathfrak {m}\) to his challenger and asks for an identity-based signature. \(\mathcal {B}\) then obtains a signature

    $$\begin{aligned} \tilde{\sigma }=(\tilde{\sigma }_{1},\tilde{\sigma }_{2},\tilde{\sigma }_{3})=\left( \tilde{g}_{2}^{\alpha } \left( \tilde{u}^{\prime }\prod _{i=1}^{n_{u}}\tilde{u}_{i}^{k_{i}^{u}}\right) ^{\tilde{r}_{u}+\tilde{r}_{u}^{\prime }} \left( \tilde{m}^{\prime }\prod _{j=1}^{n_{m}}\tilde{m}_{j}^{k_{j}^{m}}\right) ^{\tilde{r}_{m}}, \tilde{g}^{\tilde{r}_{u}+\tilde{r}_{u}^{\prime }},\tilde{g}^{\tilde{r}_{m}}\right) . \end{aligned}$$

    Next \(\mathcal {B}\) chooses \(t_{1},...,t_{n_{u}}\in \mathbb {Z}_{n}\), \(r_{u},r_{m}\in \mathbb {Z}_{q}\) at random and computes,

    $$\begin{aligned} t&= \sum _{i=1}^{n_{u}}t_{i}, c_{i} = u_{i}^{k_{i}^{u}}h^{t_{i}}, \pi _{i}=(u_{i}^{2k_{i}^{u}-1}h^{t_{i}})^{t_{i}},\\ \sigma _{1}&= \tilde{\sigma }_{1} \hat{g_{2}}^{\beta }\left( \hat{u}^{\prime }\prod _{i=1}^{n_{u}}\hat{u}_{i}^{k_{i}^{u}}\right) ^{r_{u}} \left( \hat{m}^{\prime }\prod _{j=1}^{n_{m}}\hat{m}_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{r_{u}t},\\ \sigma _{2}&= \tilde{\sigma }_{2}\hat{g}^{r_{u}}, \sigma _{3} =\tilde{\sigma }_{3}\hat{g}^{r_{m}}, \sigma _{4} = h^{t}, \sigma _{5} = (\tilde{\sigma }_{2}\hat{g}^{r_{u}})^{t}\\ \sigma&= (\sigma _{1},\sigma _{2},\sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

    The distribution of the group signature is the same as the real one. If \(\mathcal {A}\) submits an identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) and a message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\) and asks for a VEGS, \(\mathcal {B}\) first generates a group signature as above. Then \(\mathcal {B}\) chooses \(s\in \mathbb {Z}_{n}\) and computes,

    $$\begin{aligned} \omega&=(\omega _{1},\omega _{2},\omega _{3},\omega _{4},\omega _{5},\omega _{6},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}})\\&=\left( (PK_{T})^{s}\sigma _{1},g^{s},\sigma _{2}, \sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}\right) . \end{aligned}$$

    The distribution of the VEGS is the same as the real one. Besides, \(\mathcal {A}\) can also submit a VEGS \(\omega \) and a message \(\mathfrak {m}\) to \(\mathcal {B}\) for adjudication. \(\mathcal {B}\) first checks whether the VEGS is valid. If it is invalid, \(\mathcal {B}\) responds with the empty symbol \(\bot \). Otherwise, \(\mathcal {B}\) runs \(\textsf {Adj}\) and returns the valid group signature \(\sigma \) to \(\mathcal {A}\).

  • Forge. Finally, \(\mathcal {A}\) outputs a pair \((\mathfrak {m}^{*},\omega ^{*})\). \(\mathcal {B}\) first checks whether the VEGS is valid. If it is invalid, \(\mathcal {B}\) returns 0. Otherwise, \(\mathcal {B}\) runs \(\textsf {Open}\) and obtains an identity \(\mathfrak {u}^{*}\). If \(\mathcal {A}\) has queried neither a private key for identity \(\mathfrak {u}^{*}\) nor a group signature or VEGS on \((\mathfrak {u}^{*},\mathfrak {m}^{*})\), then \(\mathcal {A}\) has successfully forged a valid VEGS.

Then \(\mathcal {B}\) can also forge a valid identity-based signature: \(\mathcal {B}\) first decrypts the VEGS and obtains a valid group signature,

$$\begin{aligned} \sigma _{1}^{*}&= \frac{\omega _{1}^{*}}{\omega _{2}^{*\alpha _{T}}} = g_{2}^{\alpha _{1}}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \sigma _{2}^{*}&= \omega _{3}^{*} = g^{r_{u}+r_{u}^{\prime }},\\ \sigma _{3}^{*}&= \omega _{4}^{*} = g^{r_{m}},\\ \sigma _{4}^{*}&= \omega _{5}^{*} = h^{t},\\ \sigma _{5}^{*}&= \omega _{6}^{*} = g^{(r_{u}+r_{u}^{\prime })t},\\ \sigma ^{*}&=(\sigma _{1}^{*},\sigma _{2}^{*},\sigma _{3}^{*},\sigma _{4}^{*},\sigma _{5}^{*}, c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

Let \(\gamma \in \mathbb {Z}_{n}\) be an integer with \(\gamma \equiv 0\) (mod q) and \(\gamma \equiv 1\) (mod p). Raising to \(\gamma \) removes every \(\mathbb {G}_{q}\) component, so we have

$$\begin{aligned} e(\sigma _{1}^{*\gamma },\tilde{g})=e(\tilde{g}_{2},\tilde{g}_{1}) e\left( \tilde{u}^{\prime }\prod _{i=1}^{n_{u}}\tilde{u}_{i}^{k_{i}^{u}},\sigma _{2}^{*\gamma }\right) e\left( \tilde{m}^{\prime }\prod _{j=1}^{n_{m}}\tilde{m}_{j}^{k_{j}^{m}},\sigma _{3}^{*\gamma }\right) . \end{aligned}$$

Thus \(\mathcal {B}\) submits the tuple \((\mathfrak {u}^{*},\mathfrak {m}^{*}, (\sigma _{1}^{*\gamma },\sigma _{2}^{*\gamma },\sigma _{3}^{*\gamma }))\) to his challenger. Since this signature has never been queried, \(\mathcal {B}\) has forged a valid identity-based signature \(\sigma =(\sigma _{1}^{*\gamma },\sigma _{2}^{*\gamma },\sigma _{3}^{*\gamma })\). Therefore, if \(\mathcal {A}\) breaks the full-traceability of our VEGS scheme, then \(\mathcal {B}\) breaks the underlying identity-based signature scheme with the same advantage. Since the underlying identity-based signature scheme is unforgeable [10], our VEGS scheme satisfies full-traceability.
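The projection step above (exponentiation by \(\gamma \) with \(\gamma \equiv 0\) (mod q) and \(\gamma \equiv 1\) (mod p)) can be checked concretely. The following Python snippet is an added example and not code from the paper: it builds a toy composite-order group (the order-\(n\) subgroup of \(\mathbb {Z}_{P}^{*}\) for a prime \(P\) with \(n\mid P-1\); the primes 101 and 103 and all function names are this example's own constructions, far too small for any security) and verifies that raising to \(\gamma \) removes a \(\mathbb {G}_{q}\) blinding factor \(h^{t}\) while leaving the \(\mathbb {G}_{p}\) component untouched. It also makes visible why the tracing key is \(\textsf {TK}=q\): \(\gamma \) is computed by the Chinese remainder theorem from the factorization of \(n\).

```python
"""Added example: the G_p / G_q projection used in the full-traceability proof.

Toy composite-order group: the subgroup of order n = p*q inside Z_P^* for a
prime P with n | P-1.  Sizes are tiny and the group is NOT secure; the point is
the algebra: gamma = 0 (mod q), gamma = 1 (mod p) kills every G_q component.
All names here are this example's own."""


def is_prime(m):
    """Trial division; fine for the toy sizes used here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def make_group(p, q):
    """Return (P, n, g, h): P prime with n | P-1, g of exact order n = p*q in
    Z_P^*, and h = g^p, a generator of the order-q subgroup G_q."""
    n = p * q
    k = 2
    while not is_prime(k * n + 1):
        k += 1
    P = k * n + 1
    for x in range(2, P):
        g = pow(x, (P - 1) // n, P)           # order divides n
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:
            break                              # order is exactly n
    return P, n, g, pow(g, p, P)


def projector(p, q):
    """gamma in Z_n with gamma = 0 (mod q) and gamma = 1 (mod p), via CRT.
    Needs the factorisation of n, which is why q can serve as the tracing key."""
    n = p * q
    gamma = q * pow(q, -1, p) % n
    assert gamma % q == 0 and gamma % p == 1
    return gamma


def strip_gq(elem, P, gamma):
    """Project a group element onto G_p: (x * h^t)^gamma == x for x in G_p."""
    return pow(elem, gamma, P)


def demo(p=101, q=103):
    """Blind an element of G_p with a G_q factor and project it back."""
    P, n, g, h = make_group(p, q)
    gamma = projector(p, q)
    g_p = pow(g, q, P)                         # generator of G_p
    x = pow(g_p, 17, P)                        # the "real" G_p component
    blinded = x * pow(h, 29, P) % P            # x * h^t with t = 29
    return dict(h_killed=pow(h, gamma, P) == 1,
                blinded_differs=blinded != x,
                recovered=strip_gq(blinded, P, gamma) == x)
```

In the proof, \(\sigma _{1}^{*}\), \(\sigma _{2}^{*}\) and \(\sigma _{3}^{*}\) are each treated like `blinded` above: the \(h^{(\cdot )}\) factors live in \(\mathbb {G}_{q}\), so after the projection only the \(\mathbb {G}_{p}\) parts remain and the verification equation of the underlying identity-based scheme holds.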

Theorem 3

Our VEGS scheme is opaque if the aggregate extraction assumption holds on \(\mathbb {G}\).

Proof

Suppose an adversary \(\mathcal {A}\) breaks the opacity of our VEGS scheme with advantage at least \(\epsilon \). Then there exists an adversary \(\mathcal {B}\) that solves the aggregate extraction problem with non-negligible probability. \(\mathcal {B}\) and \(\mathcal {A}\) play the game \(\textsf {Game}_{Opac}(\lambda )\): \(\mathcal {B}\) simulates a challenger for \(\mathcal {A}\) and tries to solve the given aggregate extraction problem on \(\mathbb {G}\) (given \(\mathbb {G},\mathbb {G}_{p},\mathbb {G}_{q},n=pq,p,q,g,g^{a},g^{b},g^{\delta },g^{\zeta },g^{ab+\delta \zeta }\), compute \(g^{ab}\)). We show how to construct \(\mathcal {B}\).

  • Setup. Let \(\mathbb {G}\) and \(\mathbb {G}_{T}\) be finite cyclic groups of order \(n=pq\), \(\mathbb {G}_{p}\) and \(\mathbb {G}_{q}\) be subgroups of \(\mathbb {G}\) of order p and q, g be a generator of \(\mathbb {G}\), and e be a bilinear map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_{T}\). \(\mathcal {B}\) generates the system parameters as follows. \(\mathcal {B}\) sets \(g_{1}=g^{a}\), \(g_{2}=g^{b}\), \(PK_{T}=g^{\delta }\), and generates \(u^{\prime },u_{1},...,u_{n_{u}},m^{\prime },m_{1},...,m_{n_{m}}\in \mathbb {G}\) as described below. Besides, \(\mathcal {B}\) chooses a generator \(h\in \mathbb {G}_{q}\); we assume \(h=g^{\eta }\) with \(\eta \) known to \(\mathcal {B}\). Then \(\mathcal {B}\) sends the public parameters \(\texttt {param}=(g,h,g_{1},g_{2},u^{\prime },u_{1},...u_{n_{u}},m^{\prime },m_{1},...,m_{n_{m}})\) and the adjudicator’s public key \(PK_{T}=g^{\delta }\) to \(\mathcal {A}\). The distribution of the parameters is the same as the real one. Although \(\mathcal {B}\) knows neither \(\textsf {MK}=g_{2}^{a}\) nor \(SK_{T}=\delta \), the simulation can still be completed as follows. \(\mathcal {B}\) first sets \(l_{u}=2(q_{1}+q_{2}+q_{3})\) and \(l_{m}=2(q_{2}+q_{3})\) (\(\mathcal {A}\) can query at most \(q_{1}\) times for private keys, \(q_{2}\) times for group signatures and \(q_{3}\) times for VEGSs), and chooses \(x^{\prime }\), \(z^{\prime }\), an \(n_{u}\)-length vector \(X=(x_{i})\) and an \(n_{m}\)-length vector \(Z=(z_{j})\) at random, where \(x^{\prime }\) and the \(x_{i}\) are random values in \(\{0,...,l_{u}\}\), and \(z^{\prime }\) and the \(z_{j}\) are random values in \(\{0,...,l_{m}\}\). Besides, \(\mathcal {B}\) picks \(y^{\prime }\), \(w^{\prime }\), an \(n_{u}\)-length vector \(Y=(y_{i})\) and an \(n_{m}\)-length vector \(W=(w_{j})\), where \(y^{\prime }\), \(y_{i}\), \(w^{\prime }\) and \(w_{j}\) are random elements of \(\mathbb {Z}_{n}\), together with integers \(k_{1}\) and \(k_{2}\) with \(0\le k_{1}\le n_{u}\) and \(0\le k_{2}\le n_{m}\).
Next \(\mathcal {B}\) sets \(u^{\prime }=g_{2}^{-l_{u}k_{1}+x^{\prime }}g^{y^{\prime }}\), \(u_{i}=g_{2}^{x_{i}}g^{y_{i}}\), \(m^{\prime }=g_{2}^{-l_{m}k_{2}+z^{\prime }}g^{w^{\prime }}\), \(m_{j}=g_{2}^{z_{j}}g^{w_{j}}\), and defines the following functions,

    $$\begin{aligned} F_{1}(\mathfrak {u})&=-l_{u}k_{1}+x^{\prime }+\sum _{i=1}^{n_{u}}x_{i}k_{i}^{u}, \qquad K_{1}(\mathfrak {u})=y^{\prime }+\sum _{i=1}^{n_{u}}y_{i}k_{i}^{u}, \\ F_{2}(\mathfrak {m})&=-l_{m}k_{2}+z^{\prime }+\sum _{j=1}^{n_{m}}z_{j}k_{j}^{m}, \qquad K_{2}(\mathfrak {m})=w^{\prime }+\sum _{j=1}^{n_{m}}w_{j}k_{j}^{m}. \end{aligned}$$

    And we have

    $$\begin{aligned} u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}&= g_{2}^{F_{1}(\mathfrak {u})}g^{K_{1}(\mathfrak {u})} \\ m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}&= g_{2}^{F_{2}(\mathfrak {m})}g^{K_{2}(\mathfrak {m})} \end{aligned}$$

  • Query. Private key queries: If \(\mathcal {A}\) submits an identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) to \(\mathcal {B}\) and asks for a signing key, \(\mathcal {B}\) randomly chooses \(r_{u}\in \mathbb {Z}_{n}\), and computes,

    $$\begin{aligned} d_{\mathfrak {u}}=(d_{1},d_{2},d_{3})=\left( g_{1}^{\frac{-K_{1}(\mathfrak {u})}{F_{1}(\mathfrak {u})}} \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}}, g_{1}^{\frac{-1}{F_{1}(\mathfrak {u})}}g^{r_{u}}, g_{1}^{\frac{-\eta }{F_{1}(\mathfrak {u})}}h^{r_{u}}\right) . \end{aligned}$$

    Writing \(\bar{r}_{u}=r_{u}-\frac{a}{F_{1}(\mathfrak {u})}\), we have

    $$\begin{aligned} d_{1}&= g_{1}^{\frac{-K_{1}(\mathfrak {u})}{F_{1}(\mathfrak {u})}} \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}} \\&= g_{1}^{\frac{-K_{1}(\mathfrak {u})}{F_{1}(\mathfrak {u})}} \left( g_{2}^{F_{1}(\mathfrak {u})}g^{K_{1}(\mathfrak {u})}\right) ^{r_{u}}\\&= g_{2}^{a}(g_{2}^{F_{1}(\mathfrak {u})}g^{K_{1}(\mathfrak {u})}) ^{-\frac{a}{F_{1}(\mathfrak {u})}}(g_{2}^{F_{1}(\mathfrak {u})}g^{K_{1}(\mathfrak {u})})^{r_{u}}\\&= g_{2}^{a}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}- \frac{a}{F_{1}(\mathfrak {u})}} \\&= g_{2}^{a}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{\bar{r}_{u}}, \\ d_{2}&= g_{1}^{-\frac{1}{F_{1}(\mathfrak {u})}}g^{r_{u}}=g^{r_{u}-\frac{a}{F_{1}(\mathfrak {u})}} \\&=g^{\bar{r}_{u}}, \\ d_{3}&= g_{1}^{-\frac{\eta }{F_{1}(\mathfrak {u})}}h^{r_{u}}\\&= h^{\bar{r}_{u}}. \end{aligned}$$

    Therefore the private keys generated by \(\mathcal {B}\) are indistinguishable from the real ones. Then \(\mathcal {B}\) sends \(d_{\mathfrak {u}}=(d_{1},d_{2},d_{3})\) to \(\mathcal {A}\).

    Group signature queries: If \(\mathcal {A}\) submits an identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\), a message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\) to \(\mathcal {B}\) and requests a group signature, \(\mathcal {B}\) answers as follows. \(\mathcal {B}\) chooses \(r_{u},r_{u}^{\prime },r_{m},t_{1},...,t_{n_{u}}\in \mathbb {Z}_{n}\) at random, sets \(t=\sum _{i=1}^{n_{u}}t_{i}\), \(c_{i}=u_{i}^{k_{i}^{u}}h^{t_{i}}\), \(\pi _{i}=(u_{i}^{2k_{i}^{u}-1}h^{t_{i}})^{t_{i}}\), and computes,

    $$\begin{aligned} \sigma _{1}&= g_{1}^{\frac{-K_{2}(\mathfrak {m})}{F_{2}(\mathfrak {m})}} \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}} \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t} \\&= g_{2}^{a}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{\bar{r}_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \sigma _{2}&= g^{r_{u}}g^{r_{u}^{\prime }}=g^{r_{u}+r_{u}^{\prime }}, \\ \sigma _{3}&= g_{1}^{\frac{-1}{F_{2}(\mathfrak {m})}}g^{r_{m}}=g^{\bar{r}_{m}}, \\ \sigma _{4}&= h^{t}, \\ \sigma _{5}&= g^{(r_{u}+r_{u}^{\prime })t}, \\ \sigma&= (\sigma _{1},\sigma _{2},\sigma _{3},\sigma _{4},\sigma _{5},c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}}), \end{aligned}$$

    where \(\bar{r}_{m}=r_{m}-\frac{a}{F_{2}(\mathfrak {m})}\). The distribution of the group signature is the same as the real one.

    VEGS queries: When \(\mathcal {A}\) submits an identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\) and a message \(\mathfrak {m}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\) to \(\mathcal {B}\) and requests a VEGS, \(\mathcal {B}\) answers with the help of a list QueryList. \(\mathcal {B}\) initializes the list \(QueryList:=\emptyset \) and chooses a random index \(\ell ^{*}\in \{1,...,q_{3}\}\) as a guess of which VEGS \(\mathcal {A}\) will select and extract from; by the rules of the game, \(\mathcal {A}\) must not query a signing key for \(\mathfrak {u}_{\ell ^{*}}\) or a group signature on \((\mathfrak {u}_{\ell ^{*}},\mathfrak {m}_{\ell ^{*}})\). For the \(\ell \)-th query with \(\ell \ne \ell ^{*}\), \(\mathcal {B}\) first generates a group signature \(\sigma _{\ell }=(\sigma _{1,\ell },\sigma _{2,\ell },\sigma _{3,\ell },\sigma _{4,\ell },\sigma _{5,\ell }, c_{1},...c_{n_{u}},\pi _{1},...,\pi _{n_{u}})\) as in the group signature queries. Next \(\mathcal {B}\) chooses \(s\in \mathbb {Z}_{n}\) at random and computes,

    $$\begin{aligned} \omega _{1,\ell }&= (PK_{T})^{s}\sigma _{1,\ell }=(PK_{T})^{s} g_{2}^{a}\left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{\bar{r}_{m}}h^{(r_{u}+r_{u}^{\prime })t}, \\ \omega _{2,\ell }&=g^{s}, \omega _{3,\ell } = \sigma _{2,\ell } = g^{r_{u}+r_{u}^{\prime }}, \omega _{4,\ell }=\sigma _{3,\ell }= g^{\bar{r}_{m}}, \\ \omega _{5,\ell }&=\sigma _{4,\ell }= h^{t}, \omega _{6,\ell }=\sigma _{5,\ell }= g^{(r_{u}+r_{u}^{\prime })t}, \\ \omega _{\ell }&= (\omega _{1,\ell },\omega _{2,\ell },\omega _{3,\ell },\omega _{4,\ell },\omega _{5,\ell },\omega _{6,\ell },c_{1},...,c_{n_{u}}, \pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

    \(\mathcal {B}\) sends \(\omega _{\ell }\) to \(\mathcal {A}\) and stores the tuple \((\mathfrak {u}_{\ell },\mathfrak {m}_{\ell },\sigma _{\ell },\omega _{\ell })\) in QueryList. If \(\ell =\ell ^{*}\), then \(\mathcal {B}\) will embed the instance. \(\mathcal {B}\) randomly chooses \(r_{u},r_{u}^{\prime },r_{m},t_{1},...,t_{n_{u}}\in \mathbb {Z}_{n}\) and sets,

    $$\begin{aligned} \omega _{1,\ell ^{*}}&= g^{ab+\delta \zeta } \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t} \\&=(g^{\delta })^{\zeta }g_{2}^{a} \left( u^{\prime }\prod _{i=1}^{n_{u}}u_{i}^{k_{i}^{u}}\right) ^{r_{u}+r_{u}^{\prime }} \left( m^{\prime }\prod _{j=1}^{n_{m}}m_{j}^{k_{j}^{m}}\right) ^{r_{m}}h^{(r_{u}+r_{u}^{\prime })t} \\ \omega _{2,\ell ^{*}}&= g^{\zeta }, \omega _{3,\ell ^{*}}=g^{r_{u}+r_{u}^{\prime }}, \omega _{4,\ell ^{*}}=g^{r_{m}}, \omega _{5,\ell ^{*}} = h^{t}, \omega _{6,\ell ^{*}}= g^{(r_{u}+r_{u}^{\prime })t} \\ c_{i}&=u_{i}^{k_{i}^{u}}h^{t_{i}}, \pi _{i}=(u_{i}^{2k_{i}^{u}-1}h^{t_{i}})^{t_{i}} \\ \omega _{\ell ^{*}}&= (\omega _{1,\ell ^{*}},\omega _{2,\ell ^{*}},\omega _{3,\ell ^{*}},\omega _{4,\ell ^{*}},\omega _{5,\ell ^{*}}, \omega _{6,\ell ^{*}},c_{1},...c_{n_{u}}, \pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

    \(\mathcal {B}\) sends \(\omega _{\ell ^{*}}\) to \(\mathcal {A}\) and stores the tuple \((\mathfrak {u}_{\ell ^{*}},\mathfrak {m}_{\ell ^{*}},\sigma _{\ell ^{*}},\omega _{\ell ^{*}})\) in QueryList. If one of \(F_{1}(\mathfrak {u}_{\ell })=0\), \(F_{2}(\mathfrak {m}_{\ell })=0\), \(F_{1}(\mathfrak {u}_{\ell ^{*}})\ne 0\), \(F_{2}(\mathfrak {m}_{\ell ^{*}})\ne 0\) holds, \(\mathcal {B}\) aborts the game, since in that case it cannot solve its problem. We denote by \(S_{1}\) the event that \(\mathcal {B}\) does not abort. Conditioned on \(S_{1}\), the distribution of the VEGSs is the same as the real one.

    Adjudication queries: In this phase, \(\mathcal {A}\) is not allowed to query \((\mathfrak {m}_{\ell ^{*}},\omega _{\ell ^{*}})\). When \(\mathcal {A}\) submits a message \(\mathfrak {m}_{\ell ^{\prime }}=(k_{1}^{m}\cdot \cdot \cdot k_{n_{m}}^{m})\) and a VEGS \(\omega _{\ell ^{\prime }}\) to \(\mathcal {B}\) and requests the underlying group signature, \(\mathcal {B}\) proceeds as follows. \(\mathcal {B}\) first checks whether the VEGS is valid; if it is invalid, \(\mathcal {B}\) returns \(\bot \). Otherwise, \(\mathcal {B}\) checks whether the pair \((\mathfrak {m}_{\ell ^{\prime }},\omega _{\ell ^{\prime }})\) is in QueryList; if it is not, \(\mathcal {B}\) returns \(\bot \) (a valid VEGS that was never issued by \(\mathcal {B}\) would be a forgery by \(\mathcal {A}\), contradicting the unforgeability of our VEGS scheme).

    If the tuple is in QueryList with \(\ell ^{\prime }=\ell \), then \(\mathcal {B}\) looks up the tuple \((\mathfrak {u}_{\ell },\mathfrak {m}_{\ell },\sigma _{\ell },\omega _{\ell })\) and returns \(\sigma _{\ell }\) to \(\mathcal {A}\). The above simulation is perfect as long as \(\mathcal {B}\) has not aborted.

  • Forge. Finally, \(\mathcal {A}\) outputs a valid signature \(\sigma _{\ell ^{*}}=(\sigma _{1,\ell ^{*}},\sigma _{2,\ell ^{*}},\sigma _{3,\ell ^{*}}, \sigma _{4,\ell ^{*}},\sigma _{5,\ell ^{*}}, c_{1},...,c_{n_{u}},\pi _{1},...,\pi _{n_{u}})\) (on message \(\mathfrak {m}_{\ell ^{*}}\)) of identity \(\mathfrak {u}_{\ell ^{*}}\) with a non-negligible probability \(\epsilon \). That means \(\mathcal {B}\) correctly guesses from which VEGS \(\mathcal {A}\) extracts the group signature, and we denote this event by \(S_{2}\).

Then \(\mathcal {B}\) solves his problem by computing,

$$\begin{aligned} g^{ab}=\frac{\sigma _{1,\ell ^{*}}}{(\sigma _{2,\ell ^{*}})^{K_{1}(\mathfrak {u}_{\ell ^{*}})} (\sigma _{3,\ell ^{*}})^{K_{2}(\mathfrak {m}_{\ell ^{*}})}\sigma _{5,\ell ^{*}}^{\eta }} \end{aligned}$$

The probability that \(\mathcal {B}\) wins in the above game is as follows.

$$\begin{aligned} Pr[S_{1}\wedge S_{2}]=Pr[S_{1}]Pr[S_{2}]. \end{aligned}$$

The probability that \(\mathcal {B}\) correctly guesses the index \(\ell ^{*}\) is \(1/q_{3}\). Since we use the proof techniques in [19], we deduce that \(Pr[S_{1}]\ge 1/(16(q_{1}+q_{2}+q_{3})(q_{2}+q_{3})(n_{u}+1)(n_{m}+1))\). Thus we have

$$\begin{aligned} Pr[S_{1}\wedge S_{2}]&\ge \frac{1}{16(q_{1}+q_{2}+q_{3})(q_{2}+q_{3})(n_{u}+1)(n_{m}+1)} \cdot \frac{1}{q_{3}}\\&=\frac{1}{16q_{3}(q_{1}+q_{2}+q_{3})(q_{2}+q_{3})(n_{u}+1)(n_{m}+1)} \end{aligned}$$

and the probability that \(\mathcal {B}\) solves the aggregate extraction problem is at least \(\epsilon /(16q_{3}(q_{1}+q_{2}+q_{3})(q_{2}+q_{3})(n_{u}+1)(n_{m}+1))\), which is non-negligible.
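To see the partitioning argument at work, namely the private-key simulation of the Query phase (the key \(d_{\mathfrak {u}}\) built from \(g_{1}^{-K_{1}(\mathfrak {u})/F_{1}(\mathfrak {u})}\)) and the final extraction of \(g^{ab}\) from a forgery with \(F_{1}(\mathfrak {u}^{*})=F_{2}(\mathfrak {m}^{*})=0\), here is an added Python example; it is not code from the paper. It uses a toy prime-order group (the order-1019 subgroup of \(\mathbb {Z}_{2039}^{*}\)) instead of a composite-order bilinear group, since neither step needs a pairing. The simulator object receives only \(g_{1}=g^{a}\) and \(g_{2}=g^{b}\); the honest-key and honest-signature helpers, which do use \(a\), exist only so the simulated values can be compared with the real ones. The class name, the tiny partitioning parameters and all exponents are this example's own constructions.

```python
"""Added example: the partitioning simulation of the opacity proof.

The simulator B knows only g1 = g^a and g2 = g^b.  It answers private-key
queries for identities with F1(u) != 0 by folding the unknown a into the
randomness, and turns a forged signature on (u*, m*) with F1(u*) = F2(m*) = 0
into g^(ab).  Toy prime-order group (order 1019 inside Z_2039^*), no pairing:
these two steps only need group arithmetic.  All names are this example's own."""

P, R = 2039, 1019        # constructed: P = 2R + 1 and R are both prime
G = 4                    # 2^2, a quadratic residue, generates the order-R subgroup


def gexp(x, e):
    """x^e in the toy group; exponents are taken in Z_R."""
    return pow(x, e % R, P)


def gmul(*xs):
    out = 1
    for x in xs:
        out = out * x % P
    return out


def inv_exp(e):
    """1/e in Z_R; raises ValueError when e == 0 (the abort case of the proof)."""
    return pow(e % R, -1, R)


class Simulator:
    """Holds g1 = g^a and g2 = g^b (never a or b) plus the partitioning parameters."""

    def __init__(self, g1, g2, eta, lu, k1, xp, X, yp, Y, lm, k2, zp, Z, wp, W):
        self.g1, self.g2, self.eta, self.h = g1, g2, eta, gexp(G, eta)  # h = g^eta
        self.lu, self.k1, self.xp, self.X, self.yp, self.Y = lu, k1, xp, X, yp, Y
        self.lm, self.k2, self.zp, self.Z, self.wp, self.W = lm, k2, zp, Z, wp, W
        # u', u_i, m', m_j hide g2 in exponents the simulator knows
        self.up = gmul(gexp(g2, -lu * k1 + xp), gexp(G, yp))
        self.U = [gmul(gexp(g2, x), gexp(G, y)) for x, y in zip(X, Y)]
        self.mp = gmul(gexp(g2, -lm * k2 + zp), gexp(G, wp))
        self.M = [gmul(gexp(g2, z), gexp(G, w)) for z, w in zip(Z, W)]

    # F/K functions of the setup; identity and message are bit vectors
    def F1(self, u):
        return (-self.lu * self.k1 + self.xp + sum(x * b for x, b in zip(self.X, u))) % R

    def K1(self, u):
        return (self.yp + sum(y * b for y, b in zip(self.Y, u))) % R

    def F2(self, m):
        return (-self.lm * self.k2 + self.zp + sum(z * b for z, b in zip(self.Z, m))) % R

    def K2(self, m):
        return (self.wp + sum(w * b for w, b in zip(self.W, m))) % R

    def hash_u(self, u):             # u' prod u_i^{k_i} = g2^{F1(u)} g^{K1(u)}
        return gmul(self.up, *[gexp(ui, b) for ui, b in zip(self.U, u)])

    def hash_m(self, m):             # m' prod m_j^{k_j} = g2^{F2(m)} g^{K2(m)}
        return gmul(self.mp, *[gexp(mj, b) for mj, b in zip(self.M, m)])

    def simulate_key(self, u, r_u):
        """Private-key query without a; returns None (abort) when F1(u) == 0."""
        f = self.F1(u)
        if f == 0:
            return None
        k, finv = self.K1(u), inv_exp(f)
        d1 = gmul(gexp(self.g1, -k * finv), gexp(self.hash_u(u), r_u))
        d2 = gmul(gexp(self.g1, -finv), gexp(G, r_u))
        d3 = gmul(gexp(self.g1, -self.eta * finv), gexp(self.h, r_u))
        return d1, d2, d3

    def extract_gab(self, sigma, u, m):
        """Final step: with F1(u) = F2(m) = 0, sigma_1 / (sigma_2^K1 sigma_3^K2 sigma_5^eta) = g^(ab)."""
        s1, s2, s3, _s4, s5 = sigma
        denom = gmul(gexp(s2, self.K1(u)), gexp(s3, self.K2(m)), gexp(s5, self.eta))
        return s1 * pow(denom, -1, P) % P


def real_key(sim, u, a, r):
    """Honest key (needs the master exponent a); only used to check the simulation."""
    return (gmul(gexp(sim.g2, a), gexp(sim.hash_u(u), r)), gexp(G, r), gexp(sim.h, r))


def real_signature(sim, u, m, a, r, r_m, t):
    """Honest sigma_1..sigma_5 on (u, m); stands in for the adversary's forgery."""
    s1 = gmul(gexp(sim.g2, a), gexp(sim.hash_u(u), r), gexp(sim.hash_m(m), r_m), gexp(sim.h, r * t))
    return s1, gexp(G, r), gexp(G, r_m), gexp(sim.h, t), gexp(G, r * t)
```

The two equalities worth checking by hand are exactly the ones the proof relies on: `simulate_key(u, r_u)` coincides with the honest key under the shifted randomness \(\bar{r}_{u}=r_{u}-a/F_{1}(\mathfrak {u})\), and the division by \(F_{1}(\mathfrak {u})\) is precisely what fails (abort) when \(F_{1}(\mathfrak {u})=0\), the case reserved for the challenge identity.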

Theorem 4

Our VEGS scheme is extractable.

Proof

The challenger plays the game \(\textsf {Game}_{Extr}(\lambda )\) with an adversary \(\mathcal {A}\) as follows.

  • Setup. The challenger runs \(\textsf {Setup}\) and \(\textsf {AKG}\) to generate the system parameters of the VEGS scheme, and sends the public parameters \((\texttt {param},PK_{T})\) to \(\mathcal {A}\).

  • Query. In this phase, the challenger runs the algorithms \(\textsf {Enroll}\), \(\textsf {Sign}\), \(\textsf {VESign}\) and \(\textsf {Adj}\) to respond to \(\mathcal {A}\)’s queries.

  • Forge. Finally, \(\mathcal {A}\) submits a tuple \((\mathfrak {m}^{*},\omega ^{*},\texttt {param}^{*})\) to the challenger.

  • Extract. If the given VEGS \(\omega ^{*}= (\omega _{1}^{*},\omega _{2}^{*},\omega _{3}^{*},\omega _{4}^{*},\omega _{5}^{*},\omega _{6}^{*}, c_{1},...c_{n_{u}},\pi _{1},...,\pi _{n_{u}})\) passes the check, then we can obtain a valid identity \(\mathfrak {u}=(k_{1}^{u}\cdot \cdot \cdot k_{n_{u}}^{u})\). Besides, we have

    $$\begin{aligned} e(\omega _{1}^{*},g)= e(PK_{T},\omega _{2}^{*})e(g_{2},g_{1}) e\left( c,\omega _{3}^{*}\right) e\left( M,\omega _{4}^{*}\right) , \end{aligned}$$
    $$\begin{aligned} e(\omega _{3}^{*},\omega _{5}^{*})=e(\omega _{6}^{*},h). \end{aligned}$$

    Then a group signature can be extracted by computing,

    $$\begin{aligned} \sigma _{1}^{*}=\frac{\omega _{1}^{*}}{\omega _{2}^{*\alpha _{T}}},\sigma _{2}^{*}=\omega _{3}^{*}, \sigma _{3}^{*}=\omega _{4}^{*},\sigma _{4}^{*}=\omega _{5}^{*},\sigma _{5}^{*}=\omega _{6}^{*} \end{aligned}$$
    $$\begin{aligned} \sigma ^{*}=(\sigma _{1}^{*},\sigma _{2}^{*},\sigma _{3}^{*},\sigma _{4}^{*},\sigma _{5}^{*}, c_{1},...c_{n_{u}},\pi _{1},...,\pi _{n_{u}}). \end{aligned}$$

    and we have

    $$\begin{aligned} e(\sigma _{1}^{*},g)&=e\left( \frac{\omega _{1}^{*}}{\omega _{2}^{*\alpha _{T}}},g\right) \\&=e(\omega _{1}^{*},g)e(\omega _{2}^{*\alpha _{T}},g)^{-1} \\&=e(PK_{T},\omega _{2}^{*})e(g_{2},g_{1}) e\left( c,\omega _{3}^{*}\right) e\left( M,\omega _{4}^{*}\right) e(\omega _{2}^{*},g^{\alpha _{T}})^{-1} \\&=e(g_{2},g_{1})e\left( c,\sigma _{2}^{*}\right) e\left( M,\sigma _{3}^{*}\right) ,\\ e(\omega _{3}^{*},\omega _{5}^{*})&=e(\sigma _{2}^{*},\sigma _{4}^{*}) =e(\sigma _{5}^{*},h)=e(\omega _{6}^{*},h). \end{aligned}$$

    It implies that if \(\textsf {VEVerify}(\mathfrak {m}^{*},\omega ^{*},PK_{T},\texttt {param}^{*})=1\) holds, then \(\textsf {Verify}(\mathfrak {m}^{*},\sigma ^{*},\texttt {param}^{*})=1\) always holds as well. Thus our VEGS scheme is extractable.

5 Extensions

In this section, we discuss some extensions of our scheme.

5.1 Other Properties

In the preceding sections, we discussed the main properties of VEGS according to the security requirements of VES and group signatures. In fact, there are other crucial properties for VEGS; we give more details in this subsection.

Exculpability, first proposed by Chaum and Heyst [11], is also significant for group signature schemes, and we extend it to VEGS schemes. A VEGS scheme satisfies exculpability if no one can create VEGSs on behalf of other honest group members. Consider a malicious user who wishes to forge a VEGS on behalf of another user. If he is not the group master, he cannot generate a valid VEGS provided the VEGS scheme satisfies unforgeability. Then consider the case where the malicious user is the group master. Ateniese et al. [1] pointed out that the Boyen-Waters group signature scheme does not satisfy (strong) exculpability because the group master generates and distributes the users’ secret keys; however, their scheme achieves exculpability by changing the role of the group master. In their scheme, the group master is an ephemeral entity and the master key is destroyed once the group is set up. To achieve exculpability for our VEGS scheme, we can set up the group master in the same way. Then no one can create a valid VEGS on behalf of other users.

Coalition resistance means that if a group of signers collude to generate a valid VEGS, then it must still be traceable; the notion explicitly covers attacks mounted by a coalition of group members. Coalition resistance is nevertheless implied by full-traceability [9]. Therefore, fully-traceable VEGS schemes are also coalition resistant.

Unlinkability requires that no one except the group manager can determine whether two different VEGSs were generated by the same group member. Given two different VEGSs, anyone (except the group manager) who wishes to check whether they were created by the same user has to recover the identity of the signer, and if he succeeds with non-negligible probability he breaks the anonymity of the VEGS. Hence any attack on unlinkability is an attack on anonymity, and fully-anonymous VEGS schemes also satisfy unlinkability.

5.2 Batch Verification

To improve the efficiency of our VEGS scheme, several measures can be taken. One is fast batch verification [10, 12]. The generic definition of batch verification was given by Bellare et al. [8]; Camenisch et al. [12] then instantiated it for signatures from many signers and for aggregate signatures. Their method can also simplify the verification of our VEGS scheme. Suppose a verifier wishes to check whether a VEGS is valid; the only change is that he chooses \(\theta _{1},...,\theta _{n_{u}}\in \mathbb {Z}_{n}\) and tests,

$$\begin{aligned} \prod _{i=1}^{n_{u}} e(c_{i}^{\theta _{i}},u_{i}^{-1}c_{i})e(h^{-\theta _{i}},\pi _{i})\overset{?}{=}1. \end{aligned}$$

Since we batch the pairings into one multi-pairing, which is analogous to a multi-exponentiation, the cost of the pairing computations is reduced. As stated in [10], better efficiency also requires some pre-computation and ext
ra storage.

5.3 Dynamic Groups

The above VEGS scheme is a static VEGS scheme, since we do not consider users joining or leaving after the group is set up. To support dynamic groups, where users can both join and leave, the VEGS scheme needs some modifications. When a user is allowed to join the group, the group master derives the user’s private key from the group master key. The leave operation is considerably more involved: the group master publishes the revoked signing keys, then generates a new group master key and distributes fresh private keys to the remaining users. Note that the revocation information is published over a public channel, whereas the signing keys are transferred over a secret channel. The same method handles the case where multiple users are revoked at once.

Besides, one may note that the group master in the dynamic VEGS is no longer an ephemeral entity: it is involved in the scheme whenever users join or leave the group. Therefore a weakness of our VEGS scheme is that it cannot achieve dynamic groups and exculpability simultaneously. We believe this can be solved in future work.

6 Conclusion

In this paper, we formalized the concept of VEGS, which is derived from VES and group signatures. Then we presented the first VEGS scheme, based on the Boyen-Waters group signature scheme and the ElGamal encryption scheme. We defined the security properties necessary for VEGS schemes, i.e., anonymity, traceability, unforgeability, opacity and extractability, and proved our VEGS scheme secure in the standard model according to these definitions. Additionally, we discussed extensions of our VEGS scheme. The results show that our VEGS scheme has many applications. However, there still exist a few open problems (e.g., achieving dynamic groups and exculpability simultaneously, using prime order groups), which will motivate more work on VEGS.