El desarrollo turístico de las regiones europeas del litoral

The KY group signature scheme is dynamic and works in the RSA setting. Let , µ, k, ε denote integers satisfying the following conditions:

• S(2Y_{, 2}µ_{) = {2}Y_{− 2}µ_{+ 1, . . . , 2}Y_{+ 2}µ_{− 1} ⊆ {1, . . . , p} '_q '_{} where p} '_{, q} ' _{are the same as used} in the RSAGen algorithm, defined in Section 3.2.1.

• ε > 1.

• S(2Y_{, 2}ε(µ+k)+2_{) ⊆ {5, . . . , min{p} '_{, q} '_{} − 1}.}

In the following we specify the core algorithms and protocols of the KY scheme. Our description follows the specification from [119, 121].

Key generation. The key generation algorithm GKg on input 1κ _{performs the following steps:} 1. Use RSAGen to generate a tuple (N, p, q, p ', q ') where (N, p, q) is the output of the RSAGen

algorithm and p ', q ' are the two primes used during the RSAGen algorithm. 2. Chose an element g as quadratic residue modulo N, that is generator of QR(N).

l₎−1 l₎−1

(q (p

3. Compute a generator a = ρ(g₁ , g₂ ) of QR(N) using the Chinese remaindering mapping ρ from _Z∗_p × _Z∗ _to

Z∗ and g1, g2 as non-trivial quadratic residues modulo p

q N

and modulo q, respectively. That is g1, g2 ∈ {0, 1}. Note that ρ preserves the quadratic residuosity, i.e., ∀x ∈ QR(p) ∀y ∈ QR(q) ∃z ∈ QR(N) ρ(x, y) = z.

4. Select x, xˆ∈RZp∗l lq and a0, a, h ∈RQR(N). 5. Compute y = gx_{, ˆy = g}xˆ_.

6. Output (gpk, gmsk, reg) such that:

• group public key gpk = (N, a0, a, g, h, y, yˆ)

• group manager’s secret key gmsk = (gpk, p, q, x, xˆ) • registration list reg is initially empty.

Join protocol. The join protocol Join is executed between the group manager with input

gmsk = (gpk, p, q, x, xˆ), a prospective member i with input gpk = (N, a0, a, g, h, y, yˆ) and a trusted third party T with input gpk = (N, a0, a, g, h, y, yˆ). It proceeds as follows:

1. Member i asks T to start the joining process.

xi

2. T selects a random xi ∈RlN/4J and computes Ci = a mod N. 3. T sends Ci to the group manager and xi to the member.

4. The group manager selects a random prime ei ∈RS(2Y, 2µ)−{p ', q '} = {2Y−2µ+1, . . . , 2Y+ 2µ_{− 1} − {p} '_{, q} '_{} and computes A}

i = (a0Ci)1/ei mod N.

5. The group manager stores (Ai, ei, Ci, transi) to reg[i] where transi is the communication transcript and sends (Ai, ei) back to member i.

6. Member i sets gsk[i] = (gpk, Ai, ei, xi)

Note that the join protocol of the KY scheme is executed with the assistance of some third trusted party T . Furthermore, Kiayias and Yung [119, 121] distinguish between the member’s certificate and the member’s secret. The member’s secret x is the private key of an ElGamal key pair. The group manager generates the certificate (Ai, ei) over the public value a0, a that attests member’s i membership in the group. The communication transcripts transi that the issuer stores in reg are assumed to be authenticated by member i in a way that any publication

of transi uniquely identifies i as participant of that join protocol.

Signature generation. The signing algorithm GSign takes as input the secret signing key gsk[i] = (gpk, Ai, ei, xi) of member i, with gpk = (N, a0, a, g, h, y, yˆ) and a message m ∈ {0, 1}∗ and proceeds as follows:

1. Pick random r, rˆ∈RlN/4J and compute

r r rˆ rˆ ei_hr

T1 = Aiy mod N, T2 = g mod N, T3 = Aiyˆ mod N, T4 = g mod N, T5 = g mod N 2. Compute S as a signature of knowledge of α, β, γ, δ, c, ζ

⎤ ⎡

SoK⎢⎢ ⎣

α, β, γ, δ, c, ζ :

T1/T3 = yα/yˆβ mod N and T2 = gα mod N T3 = gβ mod N and T5 = gγhα mod N

T γ Y _T γ

2 = g mod N and 1 = a0aδ Yy mod N ⎥ ⎥ ⎦

m . T5 = g(g2)ζhα mod N

3. Output group signature σ = (S, T1, T2, T3, T4, T5).

The pairs (T1, T2) and (T3, T4) form ElGamal ciphertexts of Ai in the QR(N) group. The SoK signature S ensures that those pairs do, actually, encrypt the same value Ai. Furthermore, S proves that the signer is a member of the group by proving knowledge of a valid certificate (Ai, ei) issued by the group manager.

Signature verification. The signature verification algorithm GVrfy takes as input the group public key gpk = (N, a0, a, g, h, y, yˆ), a message m and a candidate group signature σ, and proceeds as follows:

1. Parse σ as (S, T1, T2, T3, T4, T5).

2. If S is a valid SoK signature on message m then output 1; otherwise output 0.

Opening procedure. The opening algorithm Open takes as input the group manager’s secret key gmsk = (gpk, p, q, x, xˆ), a message m and a group signature σ, and proceeds as follows:

1. If GVrfy(gpk, m, σ) = 0 then output 0. 2. Parse σ as (S, T1, T2, T3, T4, T5). 3. Get Ai = (T1T2

−x

)2 _{mod N using ElGamal.}

4. Find i such that reg[i] = (Ai, ei) if no such entry exists output 0. 5. Compute J as

T 2 _{= T} 2ω ω

NIZKPoK ω : _{1 2} Ai mod N and y = g mod N . 6. Output (i, τ) with τ = ((Ai, ei, Ci, transi), J).

To prevent the group manager from outputting arbitrary identities i the opening procedure, ad­ ditionally, proves that the ciphertext (T1, T2) was decrypted correctly through the corresponding NIZPoK proof τ.

Judgement procedure. The judgement algorithm Judgetakes as input the group public key

gpk = (N, a0, a, g, h, y, yˆ), a message m, a signature σ, an identity i, and a proof τ, and proceeds as follows:

1. If GVrfy(gpk, m, σ) = 0 then output 0. 2. Parse τ as ((Ai, ei, Ci, transi), J).

3. If all of the following holds then output 1; otherwise output 0: • J is a valid NIZKPoK proof.

• Ai is included in transi.

• transi is authenticated by i

• (Ai, ei) satisfies Aiei = a0Ci mod N.

The validity of the NIZKPoK proof J ensures, that the opener correctly decrypted the claimed value Ai from the ElGamal ciphertext (T1, T2). The proof that Ai identifies i stems from the authenticity of the transcript transi in combination with the validity check of the disclosed certificate (Ai, ei).