Efﬁcient Distributed Tag-Based Encryption and its Application to Group Signatures with Efﬁcient Distributed Traceability

. In this work, we ﬁrst formalize the notion of dynamic group signatures with distributed traceability, where the capability to trace signatures is distributed among n managers without requiring any interaction. This ensures that only the participation of all tracing managers permits tracing a signature, which reduces the trust placed in a single tracing manager. The threshold variant follows easily from our deﬁnitions and constructions. Our model offers strong security requirements. Our second contribution is a generic construction for the notion which has a concurrent join protocol, meets strong security requirements, and offers efﬁcient traceability, i.e. without requiring tracing managers to produce expensive zero-knowledge proofs for tracing correctness. To dispense with the expensive zero-knowledge proofs required in the tracing, we deploy a distributed tag-based encryption with public veriﬁability. Finally, we provide some concrete instantiations, which, to the best of our knowledge, are the ﬁrst efﬁcient provably secure realizations in the standard model simultaneously offering all the aforementioned properties. To realize our constructions efﬁciently, we construct an efﬁcient distributed (and threshold) tag-based encryption scheme that works in the efﬁcient Type-III asymmetric bilinear groups. Our distributed tag-based encryption scheme yields short ciphertexts (only 1280 bits at 128-bit security), and is secure under an existing variant of the standard decisional linear assumption. Our tag-based encryption scheme is of independent interest and is useful for many applications beyond the scope of this paper. As a special case of our distributed tag-based encryption scheme, we get an efﬁcient tag-based encryption scheme in Type-III asymmetric bilinear groups that is secure in the standard model.


Introduction
Group signatures, introduced by Chaum and van Heyst [25], are a fundamental cryptographic primitive allowing a member of a group (administered by a designated manager) to anonymously sign messages on behalf of the group.In the case of a dispute, a designated tracing manager can revoke anonymity by revealing the signer.The downside of granting a single entity the capability to trace signatures is the high trust placed in such an entity.As a result, anonymity in group signatures relying on a single tracing authority only holds if the tracing authority is fully honest.More precisely, a misbehaving tracing authority could abuse the power granted to it and open signatures need not be opened.Therefore, reducing the trust placed in the tracing manager by distributing the tracing capability among different parties is desirable.While some of the existing schemes can be translated into the distributed traceability setting by utilizing standard secret-sharing techniques, e.g.[10,50], unfortunately, most of those secure in the strong Bellare et al. model [13], would become impractical due to the expensive zero-knowledge proofs required in the tracing.Related Work.After their introduction, a long line of research on group signatures has emerged.Bellare, Micciancio and Warinschi [11] formalized the security definitions for group signatures supporting static groups.In such a notion, the group population is fixed at the setup phase.Moreover, the group manager (which also provides the traceability feature) needs to be fully trusted.Later, Bellare, Shi and Zhang [13] provided formal security definitions for the more practical dynamic case where members can enroll at any time.Also, [13] separated the tracing role from the group management.
Besides correctness, the model of [13] defines three other requirements: anonymity, traceability and non-frameability.Informally, anonymity requires that signatures do not reveal the identity of the signer; traceability requires that the tracing manager is always able to identify the signer and prove such a claim; non-frameability ensures that even if the group and tracing managers collude with the rest of the group, they cannot frame an honest member.More recently, Sakai et al. [49] strengthened the security definitions of group signatures by adding the opening soundness requirement.The stronger variant of opening soundness ensures that even if all entities are corrupt, it is infeasible to produce a signature that traces to two different members.
Constructions of group signatures in the random oracle model [12] include [24,23,8,18,22,21,46,29,41,26,15].Constructions not relying on random oracles include [7,35,19,36,20,5,43,44].Other measures in which the above mentioned constructions differ are: the security they offer, the size of the signatures they yield and the round complexity of the join protocol.For instance, some constructions, e.g.[18][19][20]5], only offer a weaker variant of the anonymity requirement (i.e.CPA-Anonymity [18]) where the adversary is not granted access to a tracing oracle.On the other hand, other constructions, e.g.[36,26], offer full anonymity where in the game the adversary is allowed to ask for any signature except the challenge signature to be traced.
Different approaches have been proposed to minimize the trust placed in the tracing manager.Sakai et al. [48] recently proposed the notion of group signatures with message-dependent opening.In such a notion, an admitter specifies what messages signatures upon which can be traced.This prevents the tracing manager from opening signatures on messages not admitted by the admitter.In [38], the authors informally highlighted how to extend their linkable group signature scheme (secure in the random oracle model) to provide distributed traceability.In [30], the authors presented a scheme where the roles of the managers can be distributed.Their scheme is only non-frameable against honest tracing managers, and requires both random oracles and the generic group model.
Benjumea et al. [14] introduced the notion of fair traceable multi-group signatures which combines the features of group signatures and traceable signatures [40] and in which traceability requires the cooperation of a judge with designated parties known as fairness authorities.The authors also provided a construction of their primitive in the random oracle model.
Zheng et al. [51] extended Manulis's notion of democratic group signatures [45] to add threshold traceability where group members must collude to trace signatures.Democratic group signatures differ from group signatures in many aspects.In the former, the roles of the group and tracing managers are eliminated and the group is managed by the members themselves.In addition, signatures are only anonymous to non-members.Our Contribution.We offer the following contributions: 1.A formal security model for group signatures with distributed traceability without requiring any interaction.Only the participation of all n tracing managers makes it possible to trace a signature.The more general k out of n threshold case follows easily from our definitions.Our model offers strong security including the notion of tracing soundness [49].2. A generic framework for constructing group signatures with efficient (i.e.without requiring expensive zero-knowledge proofs in the tracing) distributed traceability that supports dynamic groups with a concurrent join protocol and which is provably secure w.r.t.our strong security model.3. Instantiations of the generic framework in the standard model.To the best of our knowledge, they are the first provably secure realizations not relying on idealized assumptions offering all the aforementioned properties.4.An efficient distributed/threshold selective-tag weakly IND-CCA tag-based encryption scheme that is based on an existing variant of the standard decisional linear assumption.Our scheme is noninteractive (i.e.requires no interaction between the decryption servers) and is robust, i.e. the validity of the decryption shares as well as the ciphertext is publicly verifiable.The scheme works in the efficient Type-III bilinear groups setting and yields short ciphertexts which are much shorther than those of the original Kiltz's tag-based encryption scheme [42] and its threshold variant of [6].By combining our scheme with a strongly unforgeable one-time signature scheme as per the transformation in [42], we obtain an efficient fully secure IND-CCA distributed/threshold encryption scheme, which is useful for many applications beyond the scope of this paper.
Paper Organization.In Section 2, we give some preliminary definitions.We present our model for group signatures with distributed traceability in Section 3. We present the building blocks we use in Section 4. In Section 5, we present our generic construction and provide a proof of its security.In Section 6, we present instantiations in the standard model.Notation.A function ν(.) : N → R + is negligible in c if for every polynomial p(.) and all sufficiently large values of c, it holds that ν(c) <1 p(c) .Given a probability distribution Y , we denote by x ← Y the operation of selecting an element according to Y .If M is a probabilistic machine, we denote by M (x 1 , . . ., x n ) the output distribution of M on inputs (x 1 , . . ., x n ).By [n] we denote the set {1, . . ., n}.By PPT we mean running in probabilistic polynomial time in the relevant security parameter.

Preliminaries
In this section we provide some preliminary definitions.Bilinear Groups.A bilinear group is a tuple P := (G, G, T, p, G, G, e) where G, G and T are groups of a prime order p, and G and G generate G and G, respectively.The function e is a non-degenerate bilinear map e : G × G −→ T. We use multiplicative notation for all the groups.We let G × := G \ {1 G } and G× := G \ {1 G}.In this paper, we focus on the efficient Type-III setting [32], where G = G and there is no isomorphism between the groups in either direction.We assume there is an algorithm BGrpSetup taking as input a security parameter λ and outputting a description of bilinear groups.Complexity Assumptions.We use the following existing assumptions: Symmetric External Decisional Diffie-Hellman (SXDH).The Decisional Diffie-Hellman (DDH) assumption holds in both groups G and G. Decisional Linear in G (DLIN G ) Assumption [33,1].Given P and a tuple for unknown h, r, s, t, u, v ∈ Z p , it is hard to determine whether or not t = r + s. q-Strong Diffie-Hellman (q-SDH) Assumption in G [17].Given the tuple (G, G x , . . ., G x q ) ∈ G q+1 for x ← Z p , it is hard to output a pair (c, G [3].Given a random tuple (G, G, W , X, Ỹ ) ∈ G × G4 , and q uniformly random tuples it is hard to output a new tuple (A * , B * , R * , D * ) satisfying the above equations.
Group Signatures.Here we briefly review the model of Bellare et al. [13] for dynamic group signatures with a single tracing authority.A dynamic group signature scheme consists of the following algorithms: • GKg(1 λ ) outputs a group public key gpk, a group manager's secret key msk and a tracing key tsk.• Verify(gpk, m, Σ) verifies whether or not Σ is a valid group signature on m outputting a bit.
• Trace(gpk, tsk, m, Σ, reg) is the tracing algorithm in which the tracing manager uses its tracing key tsk to identify the group member uid who produced the signature Σ plus a proof π Trace for such a claim.• TraceVerify(gpk, uid, π Trace , upk[uid], m, Σ) verifies the tracing proof π Trace outputting a bit accordingly.
Besides correctness, the security requirements defined by [13] are: • Anonymity: A group signature does not reveal the identity of the member who produced it even when the keys of the group manager and all group members are all revealed.This requirement relies on the tracing manager being fully honest.
i=1 , m, Σ, reg) on input the group public key gpk, κ tracing shares and their proofs, a message m, a signature Σ, and the users' registeration table, it outputs an identity uid > 0 of the user who produced Σ plus a proof θ Trace attesting to this claim.If the algorithm is unable to trace the signature to a user, it returns (0, θ Trace ).This algorithm does not require any secret information and hence could be run by any party.
• TraceVerify(gpk, uid, θ Trace , upk[uid], m, Σ) on input the group public key gpk, a user identity uid, a tracing proof θ Trace , the user's public key upk[uid], a message m, and a signature Σ, outputs 1 if θ Trace is a valid proof that uid has produced Σ or 0 otherwise.

Security of Dynamic Group Signatures with Distributed Traceability
Our model extends Bellare's et al. model [13] to provide distributed traceability and additionally captures tracing soundness as recently defined by [49] in the context of group signatures with a single tracing manager, which is vital for many applications as we explain later.Moreover, our non-frameability definition is slightly stronger than that of [13].
The security requirements of a dynamic group signature with distributed traceability are: correctness, anonymity, non-frameability, traceability and tracing soundness.To define those requirements, we use a set of games in which the adversary has access to a set of oracles.The following global lists are maintained: HUL is a list of honest users; CUL is a list of corrupt users whose personal secret keys have been chosen by the adversary; BUL is a list of bad users whose personal and group signing keys have been revealed to the adversary; SL is a list of signatures obtained from the Sign oracle; CL is a list of challenge signatures obtained from the challenge oracle.
The details of the following oracles are given in Fig. 1.
AddU(uid) adds an honest user uid to the group.CrptU(uid, pk) adds a new corrupt user whose public key upk[uid] is chosen by the adversary.This is called in preparation for calling the SndM oracle.SndM(uid, M in ) used to engage in the Join-Issue protocol with the honest, Issue-executing group manager.SndU(uid, M in ) used to engage in the Join-Issue protocol with an honest, Join-executing user uid on behalf of the corrupt group manager.RReg(uid) returns the registration information reg[uid] of user uid.WReg(uid, val) modifies the entry reg[uid] by setting reg[uid] := val.RevealU(uid) returns the personal secret key usk[uid] and the group signing key gsk[uid] of group member uid.Sign(uid, m) returns a signature on the message m by the group member uid.CH b (uid 0 , uid 1 , m) is a left-right oracle for defining anonymity.The adversary sends a couple of identities (uid 0 , uid 1 ) and a message m and receives a group signature by member uid b for b ← {0, 1}.TraceShare(tid, m, Σ) returns the tracing share of signature Σ of tracing manager TM tid .Trace(m, Σ) returns the identity of the signer of the signature Σ, i.e. first obtains the different tracing shares and then combines them.
The following security requirements are defined by the games in Fig. 2.
Correctness.This guarantees that: signatures produced by honest users are accepted by the Verify algorithm, the tracing shares are accepted by the ShareVerify algorithm, and the final tracing outcome of TraceCombine is accepted by the TraceVerify algorithm and points out to the user who produced the signature.Formally, a DGSDT scheme is correct if for all λ, κ ∈ N, the advantage Adv Corr DGSDT ,A,κ (λ) := Pr[Exp Corr DGSDT ,A,κ (λ) = 1] is negligible for all PPT adversaries A. (Full) Anonymity.This requires that signatures do not reveal the identity of the group member who produced them.In the game, the adversary can corrupt any user and fully corrupt the group manager.It can also learn the secret tracing keys of up to κ − 1 tracing managers of its choice.The only restriction is that the adversary is not allowed to query the TraceShare and Trace oracles on the challenge signature.

If st uid
Join is undefined

If st uid
Issue is undefined If Return Σ.

Fig. 1. Details of the oracles used in the security games
Since the adversary can learn the personal secret and group signing keys of any user, including the challenge users, our definition captures full key exposure attacks.Also, since the adversary can corrupt up to κ − 1 tracing managers, it can obtain up to κ − 1 tracing shares of the challenge signature.
In the game, the adversary chooses a message and two group members and gets a signature by either member and wins if it correctly guesses the member.WLOG we allow the adversary a single call to the challenge oracle.A hybrid argument (similar to that used in [13]) can be used to prove that this is sufficient.
Formally, a DGSDT scheme is (fully) anonymous if for all λ, κ ∈ N, the advantage Adv Anon DGSDT ,A,κ (λ) is negligible for all PPT adversaries A, where Non-Frameability.This ensures that even if the rest of the group as well as the group and all tracing managers are fully corrupt, they cannot produce a signature that traces to an honest group member who did not produce such a signature.Our definition is stronger than that used in other group signature models, e.g.[13], in the sense that the adversary in our game wins even if it produces a new signature on a message that was queried to the signing oracle, i.e. analogous to strong unforgeability in traditional signatures.The definition can in a straightforward manner be adapted to the weaker variant by requiring that the adversary's signature is on a new message that the framed user did not sign. Experiment: • Σ ← Sign(gpk, gsk[uid], m).
´. Formally, a DGSDT scheme is non-frameable if for all λ, κ ∈ N, the advantage Adv Non-Frame DGSDT ,A,κ (λ) := Pr[Exp Non-Frame DGSDT ,A,κ (λ) = 1] is negligible for all PPT adversaries A. Traceability.This ensures that the adversary cannot produce a signature that cannot be traced to a member in the group.In the game, the adversary can corrupt any user and learn the tracing keys of all tracing managers.The only restriction is that the adversary is not given the group manager's secret key as this would allow it to create dummy users which are thus untraceable.
Tracing Soundness.Tracing soundness, as recently defined by [49] in the context of group signatures with a single tracing manager, requires that even if the group and all tracing managers as well as all members of the group collude, they cannot produce a valid signature that traces to two different members.As shown (in the single tracing authority setting) in [49], such a property is important for many applications.For example, applications where signers might get rewarded or where abusers might be prosecuted.In such applications, it is important that signatures can only trace to one user.Refer to [49] for more details.Formally, a DGSDT scheme has tracing soundness if for all λ, κ ∈ N, Adv Trace-Sound DGSDT ,A,κ (λ) := Pr[Exp Trace-Sound DGSDT ,A,κ (λ) = 1] is negligible for all PPT adversaries A.

Building Blocks
In this section we present the building blocks that we use in our constructions.

Distributed Tag-Based Encryption with Public Verification
A Distributed Tag-Based Encryption scheme DTBE is a special case of threshold tag-based encryption [6] where n out of n decryption servers must compute their decryption shares honestly for the decryption to succeed.Public verification requires that checking the well-formedness of the ciphertext only require public information.We say the scheme is non-interactive if decrypting a ciphertext requires no interaction among the decryption servers.Also, the scheme is robust if invalid decryption shares can be identified by the combiner.Formally, a DTBE scheme for a message space M DT BE and a tag space T DT BE is a tuple of polynomial-time algorithms (Setup, Enc, IsValid, ShareDec, ShareVerify, Combine), where Setup(1 λ , n) outputs a public key pk and vectors svk = (svk 1 , . . ., svk n ) and sk = (sk 1 , . . ., sk n ) of verification/secret keys for the decryption servers; Enc(pk, t, m) outputs a ciphertext C dtbe on the message m under the tag t; IsValid(pk, t, C dtbe ) outputs 1 if the ciphertext is valid under the tag t w.r.t. the pubic key pk or 0 otherwise; ShareDec(pk, sk i , t, C dtbe ) takes as input the public key pk, the i-th server secret key sk i , a tag t, and the ciphertext C dtbe , and outputs the i-th server decryption share ν i of C dtbe or the reject symbol ⊥; ShareVerify(pk, svk i , t, C dtbe , ν i ) takes as input the public key pk, the i-th server verification key svk i , a tag t, the ciphertext C dtbe , and the i-th server decryption share ν i and outputs 1 if the decryption share ν i is valid or 0 otherwise.Combine(pk, {svk i } n i=1 , {ν i } n i=1 , C dtbe , t) outputs either the message m or the reject symbol ⊥.
We say the scheme is correct if for every message m ∈ M DT BE , every tag t ∈ T DT BE and every (pk, {svk} n i=1 , {sk} n i=1 ) output by Setup, if C dtbe ← Enc(pk, t, m) then we have that: Besides correctness, we require two security properties: Selective-Tag weak Indistinguishability against Adaptive Chosen Ciphertext Attacks (ST-wIND-CCA) [42] and Decryption Consistency (DEC-CON).Informally, the former requires that an adversary who gets a decryption oracle for any ciphertext under a tag different from the target tag (which is chosen beforehand), cannot distinguish which challenge message was encrypted.The latter requires that an adversary cannot output two different sets of decryption shares of a ciphertext which open differently.The formal definitions of those can be found in Appendix A. Our Distributed Tag-Based Encryption Scheme.We provide in Fig. 3 a new efficient construction of a distributed tag-based encryption schme with public verification that works in the efficient Type-III bilinear group setting.Our scheme which is secure in the standard model under a variant of the DLIN assumption, namely, the XDLIN G assumption is based on Kiltz's tag-based encryption scheme [42] and ) and svk i as ( Ũi , Ṽi ).
• Parse C dtbe as (C i ) 5 i=1 and sk i as . DT BE.ShareVerify(pk, svk i , t, C dtbe , ν i ) • Parse svk i as ( Ũi , Ṽi ) and ν i as Fig. 3. Our distributed tag-based encryption scheme its Type-I threshold variant in [6].Our scheme is efficient and yields ciphertexts of size G 5 .Note that in Type-III bilinear groups, elements of G are much smaller than their Type-I counterparts, especially now that small-characteristic symmetric bilinear groups are rendered insecure [9,34].To give a sense of comparison, we outline that at 128-bit security, the size of elements of G is 256 bits whereas that of their large-characteristic symmetric groups counterparts is 1536 bits.Therefore, our construction yields much shorter ciphertexts than the variants of Kiltz's scheme in symmetric bilinear groups.Our scheme is of independent interest and has other applications beyond the scope of this paper.For instance, combining it with a strongly unforgeable one-time signature scheme (e.g. the full Boneh-Boyen scheme) as per the transformation in [42], we get an efficient distributed (or threshold) IND-CCA secure encryption scheme [27,28] in Type-III groups which is secure in the standard model under the XDLIN G and q-SDH assumptions.In addition, when n = 1, we obtain a tag-based encryption scheme in the efficient Type-III setting with 29% shorter ciphertexts than the Type-III variant of Kiltz's scheme in [39] (which yields ciphertexts of size G 3 × G2 ).Unlike the scheme in [39], which only works for a polynomial (in the security parameter) message space, our scheme has no restriction on the message space.
For simplicity we consider the n-out-of-n case.However, our scheme can, in a straightforward manner, be adapted to the k-out-of-n case by deploying any k-out-of-n secret sharing scheme to compute the servers' secret keys.
We prove the following Theorem in Appendix B Theorem 1.The construction in Fig. 3 is a secure distributed tag-based encryption scheme if the XDLIN G assumption holds.

Digital Signatures
A digital signature for a message space M DS is a tuple of polynomial-time algorithms DS := (KeyGen, Sign, Verify) where KeyGen outputs a pair of secret/public keys (sk, pk); Sign(sk, m) outputs a signature σ on the message m; Verify(pk, m, σ) outputs 1 if σ is a valid signature on m.
Besides correctness, we require existential unforgeability under adaptive chosen-message attack which demands that all PPT adversaries getting the public key and access to a sign oracle, have a negligible advantage in outputting a valid signature on a message that was not queried to the sign oracle.A weaker variant of existential unforgeability (i.e.existential unforgeability under a weak chosen-message attack) requires that the adversary sends all its queries before seeing the public key.

DS.KeyGen(P)
• Choose x ← Zp and set X := G x .
SPDSS.Verify(pk, M, σ)  In this paper, we use two digital signatures by Boneh and Boyen [17] which we refer to as the Full Boneh-Boyen signature (Fig. 4 (Left)) and the Weak Boneh-Boyen signature (Fig. 4 (Right)), respectively.Both schemes are secure under the q-SDH assumption.The weaker scheme is secure under a weak chosen-message attack.
Structure-Preserving Signatures.Structure-preserving signatures [2] are signature schemes where the message, the public key and the signature are all group elements, and signatures are verified by evaluating pairing product equations.
In this paper, we use two structure-preserving signatures from the literature.The first scheme is by Abe et al. [4] which offers controlled re-randomizability where a signature can only be re-randomized if the user has a special randomization token.The scheme in the asymmetric setting is illustrated in Fig. 5 (Left).The unforgeability of the scheme relies on an interactive assumption.Refer to [4] for details.The second scheme we use is that of Abe et al. [3].The scheme in the asymmetric setting is given in Fig. 5 (Right).The strong unforgeability of the scheme relies on the non-interactive q-AGHO assumption.

Strongly Unforgeable One-Time Signatures
A one-time signature scheme is a signature scheme that is unforgeable against an adversary who is only allowed a single signing query.Strong Unforgeability requires that the adversary cannot even forge a new signature on a message that she queried the sign oracle on.In this paper, we will instantiate the one-time signature using the Full Boneh-Boyen signature scheme from Fig. 4.
• Pairing Product Equation (PPE): x i y j = t• Fig. 6.Types of equations one can use Groth-Sahai proofs for

Non-Interactive Zero-Knowledge Proofs
Let R be an efficiently computable relation.For pairs (x, w) ∈ R, we call x the statement and w the witness.We define the language L as all the statements x in R. A Non-Interactive Zero-Knowledge (NIZK) proof system [16] for R is defined by a tuple of algorithms N IZK := (Setup, Prove, Verify, Extract, SimSetup, SimProve).
Setup(1 λ ) outputs a common reference string crs and an extraction key xk which allows for witness extraction.Prove(crs, x, w) outputs a proof π that (x, w) ∈ R. Verify(crs, x, π) outputs 1 if the proof is valid, or 0 otherwise.Extract(crs, xk, x, π) outputs a witness.SimSetup(1 λ ) outputs a simulated reference string crs Sim and a trapdoor key tr that allows for proof simulation.SimProve(crs Sim , tr, x) outputs a simulated proof π Sim without a witness.
We require: completeness, soundness and zero-knowledge.Completeness requires that honestly generated proofs are accepted; Soundness requires that it is infeasible (but for a small probability) to produce a valid proof for a false statement; Zero-knowledge requires that a proof reveals no information about the witness used.For formal definitions refer to [16].
GROTH-SAHAI PROOFS.Groth-Sahai (GS) proofs [37] are efficient non-interactive proofs in the Common Reference String (CRS) model.The language for the system has the form where E i (statement, •) is one of the types of equation summarized in Fig. 6, where X 1 , . . ., X m ∈ G, Ỹ1 , . . ., Ỹn ∈ G, x 1 , . . ., x m , y 1 , . . ., y n ∈ Z p are secret variables (hence underlined), whereas The proof system has perfect completeness, (perfect) soundness, composable witness-indistinguishability/zero-knowledge.We use the SXDH-based instantiation of the proofs.Refer to [37] for details.

Our Generic Construction
In this section, we present our generic construction for dynamic group signatures with distributed traceability.
Overview of the construction.The idea behind our generic construction has some in common with Groth's scheme [36] in that we combine a standard NIZK proof system with a weakly secure tag-based encryption scheme and a strong one-time signature scheme to eliminate the need for the more expensive simulation-sound NIZK systems [47] and IND-CCA public-key encryption schemes which were required by the construction of Bellare et al. [13].However, unlike [36], our framework provides distributed traceability, has a concurrent join protocol and achieves tracing soundness.
Our generic construction requires three digital signatures DS 1 , DS 2 and WDS where the first two have to be unforgeable against a standard adaptive chosen-message attack, whereas it suffices for the third scheme to be unforgeable against a weak chosen-message attack.We also require a strongly unforgeable one-time signature scheme OT S that is secure against an adaptive chosen-message attack.Additionally, we require a NIZK proof of knowledge system N IZK and a ST-wIND-CCA distributed tag-based encryption scheme DT BE.In order to have efficient tracing, we ask that DT BE is non-interactive and robust.As was noted by [31], such a propety simplifies tracing even in traditional group signatures with a single tracing manager.Finally, we require a collision-resistant hash function H : {0, 1} * → T DT BE .For simplicity and WLOG we assume that T DT BE = M WDS .Otherwise, one could use a second hash function.Note that one can use the same signature scheme for both DS 1 and DS 2 but using different key pairs.
The GKg algorithm runs N IZK.Setup to generate a common reference string crs for N IZK.It also runs DT BE.Setup to generate (pk DT BE , {svk i } κ i=1 , {sk i } κ i=1 ), and DS 1 .KeyGen to generate (pk GM , sk GM ).The group public key is gpk := (1 λ , crs, pk GM , pk DT BE , {svk i } κ i=1 , H).The group managers' secret key is msk := sk GM , whereas the tracing key of tracing manager TM i is tsk i := sk i .
A new user creates her personal key pair by running DS 2 .KeyGen to generate (upk[uid], usk[uid]).When the user wishes to join the group, she generates a key pair (pk uid , sk uid ) for the signature scheme WDS and then signs pk uid using DS 2 and her personal secret key usk[uid] to obtain a signature sig uid .We use sig uid as a proof when proving that the user has produced a group signature.
To join the group, the user sends pk uid and sig uid to the group manager.If sig uid is valid, the group manager issues a membership certificate cert uid (which is a DS 1 signature on pk uid that verifies w.r.t.pk GM ).
To sign a message m, the member chooses a fresh key pair (otsvk, otssk) for the one-time signature OT S and encrypts her public key pk uid with DT BE using H(otsvk) as tag (and possibly some randomness τ ) to obtain a ciphertext C dtbe .She then signs H(otsvk) using the digital signature scheme WDS and her secret key sk uid to obtain a signature σ.She then uses N IZK to produce a proof π proving that: she did the encryption correctly, she has a signature σ on H(otsvk) that verifies w.r.t.her public key pk uid and she has a certificate cert uid on pk uid from the group manager.Finally, she signs (m, C dtbe , otsvk, π) using the one-time signature OT S to obtain σ ots .The group signature is Σ := (σ ots , π, C dtbe , otsvk).To verify the signature, one verifies the proof π and the one-time signature σ ots , and ensures that the ciphertext C dtbe is well-formed.
We remark here if DS 1 and/or WDS schemes are re-randomizable, one can reveal the signature components which are independent of their respective messages after re-randomization.This simplifies the proof π and subsequently improves the efficiency.The revealed parts of those signatures can then be included as the part of the message to be signed by OT S to ensure that one achieves the stronger notion of non-frameability.
To trace a signature, the decryption shares ν i of the ciphertext C dtbe are obtained from the respective tracing managers and then combined together in order to recover the plaintext pk uid .Then one just needs to search in the registration table reg to see if any entry reg[j].pkmatches pk uid .If this is the case, (j, ({ν} κ i=1 , pk uid , reg[j].sig)) is returned.Otherwise, (0, ({ν} κ i=1 , pk uid , ⊥)) is returned.Note that combining the different tracing shares does not require the knowledge of any secret key and hence this could be performed by any party.To verify the correctness of the tracing, one just needs to ensure that • (crs, xk) ← N IZK.Setup(1 λ ); Choose a collision-resistant hash function H : {0, 1} * → T DT BE .
Fig. 8.Our generic construction all decryption shares verify correctly and in the case that j > 0, one needs to verify that the signature sig verifies w.r.t.upk[j].
The construction is detailed in Fig. 8, whereas the Join/Issue protocol is given in Fig. 7.The language associated with the NIZK proof is as follows, where for clarity we underline the elements of the witness: L : (C dtbe , H(otsvk), pk GM , pk DT BE ), (pk uid , τ, σ, cert uid ) : The construction in Fig. 7 and Fig. 8 is a secure dynamic group signature with distributed traceability providing that the building blocks are secure w.r.t.their security requirements.
The full proof of this Theorem can be found in Appendix D.
Next, we present two example instantiations of the generic construction in the standard model.

Instantiations in the Standard Model
Here we provide two example instantiations of the generic framework in the standard model.

Instantiation I
Here we instantiate the signature schemes DS 1 and DS 2 using the recent structure-preserving signature scheme by Abe et al. [4] (shown in Fig. 5 (Left)), and instantiate WDS and OT S with the weak and full Boneh-Boyen signature schemes, respectively.We also instantiate N IZK using the Groth-Sahai proof system.For the distributed tag-based encryption scheme, we use our new scheme from Fig 3 .The size of the signature of this instantiation is G 24 × G21 × Z 5 p .The details are in Appendix C. The proof for the following Theorem follows from that of Theorem 2. Theorem 3. Instantiation I is secure if the Abe et al. signature scheme [4] is unforgeable and the SXDH, XDLIN G and q-SDH assumptions hold.

Instantiation II
To eliminate the need for interactive intractability assumptions, we instead use the strongly unforgeable signature scheme by Abe et al. [3] (Fig. 5 (Right)) to instantiate DS 1 and DS 2 signature schemes.The rest of the tools remain the same as in Instantiation I.The size of the group signature of this instantiation is G 28 × G24 × Z 3 p .The details are in Appendix C. The proof for the following Theorem follows from that of Theorem 2. Theorem 4. Instantiation II is secure if the SXDH, q-AGHO, XDLIN G and q-SDH assumptions hold.

Efficiency Comparison
Since there are no existing constructions which simultaneously offer all the properties as our constructions, we compare the size of the signature of our instantiations with that of Groth's scheme [35] for the single tracing manager setting which is considered the-state-of-the-art. Groth's scheme yields signatures of size G 46 ×Z p in symmetric groups.Besides the extra distributed traceability feature, our instantiations involve fewer rounds in the join protocol than [35] and, in addition, satisfy tracing soundness.
Experiment: Exp DEC-CON DT BE,A,n (λ): • If IsValid(pk, t, C dtbe ) = 0 Then Return 0.  Proof.We show if there exists an adversary A winning the ST-wIND-CCA game, we can construct an adversary B that breaks the XDLIN G assumption such that Adversary B gets P and the tuple (H, U, V, H r , V s , U t , H, Ũ , Ṽ , Hr , Ṽ s ) ∈ G 6 × G5 from its game and its aim is to decide whether or not t = r+s.It starts A to get the set S and the target tag t * .Adversary B then selects an index j from the set [n] \ S. For all servers i ∈ [n] \ {j}, B chooses α i , β i ← Z p that will be used as the secret key for server i.The corresponding server verification key is computed as ( Ũi , Ṽi ) := ( Hα i , Ṽ β i ).For the remaining server j, B computes its verification key as ( Ũj , Ṽj ) := ( It then sets pk := (P, H, H, U, Ũ , V, Ṽ , W, W , Z, Z) and sends pk, {svk} n i=1 and {sk i } i∈S to A. When answering ShareDec t * queries by server i = j on any tag t = t * , B first checks that the ciphertext is valid and if so, it returns (C i,1 := C α i 1 , C i,2 := C β i 2 ).For the j-th server, after verifying that the ciphertext is valid, it returns C j,1 := ) ) . This is a valid decryption share satisfying e(C j,1 , H) = e(C 1 , Ũj ) and e(C j,2 , Ṽ ) = e(C 2 , Ṽj ).
In the challenge phase, B receives two messages M 0 and M 1 .It randomly chooses b ← {0, 1} and responds with a challenge ciphertext (C 1 , C 2 , C 3 , C 4 , C 5 ) := (H r , V s , H rd1 , V sd2 , M b U t ).Note this is a valid ciphertext satisfying e(C 1 , Ũ t W ) = e(C 4 , H) and e(C 2 , Ũ t Z) = e(C 5 , Ṽ ).Any further decryption queries made by A are answered by B as above.
Eventually, when A outputs its guess b * , B proceeds as follows: if b * = b, B guesses that t = r + s; otherwise, B guesses that t is random.
Lemma 2. The construction satisfies decryption consistency.
Proof.Suppose that an adversary A outputs two valid sets {(C i,1 , C i,2 )} n i=1 and {(C i,1 , C i,2 )} n i=1 of decryption shares of a ciphertext C dtbe .For it to win, both sets must contain valid shares, i.e. all 2n shares must be accepted by the ShareVerify algorithm.Thus, we must have e(C i,1 , H) = e(C 1 , Ũi ) and e(C i,2 , Ṽ ) = e(C 2 , Ṽi ) for i = 1, . . ., n.This means we must have n Similarly, we must have e(C i,1 , H) = e(C 1 , Ũi ) and e(C i,2 , Ṽ ) = e(C 2 , Ṽi ) for i = 1, . . ., n.This means that we must have n i=1 C i,1 = C u 1 and n i=1 C i,2 = C v 2 .Thus, we must have C i,1 = C i,1 and C i,2 = C i,2 for i = 1, . . ., n which contradicts the winning condition.This concludes the proof.
• To prove DS 1 .Verify(pk GM , pk uid , cert uid ) = 1, the user re-randomizes cert uid using the token Ω 4 to obtain a new membership certificate cert uid = ( Ω 1 , Ω 2 , Ω 3 ) and then proves the following linear equations Note that all the proven equations are simulatable and hence the corresponding proofs are zeroknowledge.The total size of the signature is G 24 + G21 + Z 5 p .
To prove DS 1 .Verify(pk GM , pk uid , cert uid ) = 1, the user proves the following equations The rest of the proofs are the same as in Instantiation I. Again, all the proven equations are simulatable and hence the corresponding proofs are zero-knowledge.The size of the signature is G 28 × G24 × Z 3 p .

D Proof of Theorem 2
Proof.Correctness of the construction follows from that of the underlying building blocks.
Lemma 3. If N IZK is zero-knowledge, the tag-based encryption scheme DT BE is selective-tag weakly IND-CCA secure, the one-time signature OT S is strongly existentially unforgeable, and the hash function H is collision-resistant then the construction satisfies strong full anonymity against full-key exposure.
Proof.We show that if there exists an adversary B which breaks the anonymity of the construction, we can build adversaries A 1 against the collision-resistance of the hash function H, A 2 against the strong unforgeability of the one-time signature OT S, A 3 against the NIZK property of the proof system N IZK, and A 4 against the selective-tag weakly IND-CCA security of the tag-based encryption scheme DT BE.
The collision-resistance of H ensures that B has a negligible probability in finding otsvk s.t.H(otsvk ) collides with the tag H(otsvk * ) we use for the challenge signature.If this is not the case, we can use B to build an adversary A 1 that breaks the collision-resistance of H.
The strong existential unforgeability of OT S ensures that B has a negligible probability in forging a one-time signature under otsvk * we use in the challenge signature.If this is not the case, we can build an adversary A 2 that wins the strong unforgeability game of OT S.
We start N IZK in the simulation setting which means that the proof π is now zero-knowledge and hence does not reveal any information about the witness.
We now proceed to show how to use B to build an adversary A 4 against the selective-tag weakly IND-CCA security of DT BE.Adversary A 4 starts B to get the list BTL of the tracing managers it would like to corrupt.Adversary A 4 runs the GKg algorithm where it starts by randomly choosing a key pair (otsvk * , otssk * ) for OT S that it will use in answering B's challenge signature.This needed to be chosen beforehand because the tag-based encryption scheme is only selective-tag secure.A 4 sends (H(otsvk * ), BTL) to its own game and gets back pk DT BE , {svk i } i∈[κ] and {sk i } i∈BTL .In its game, A 4 has access to a share decryption oracle ShareDec H(otsvk * ) which it can query on any ciphertext under any tag different from the target tag H(otsvk * ).A 4 now chooses a simulated string crs for N IZK and runs the rest of the setup normally.It sends gpk := (1 λ , crs, pk GM , pk DT BE , {svk i } κ i=1 , H), msk := sk GM and {sk i } i∈BTL to B. All B's queries are answered normally as in Fig. 1 except the following oracles.
• CH b : To answer the challenge query CH b (uid 0 , uid 1 , m), A 4 sends (pk uid 0 , pk uid 1 ) as its challenge in its ST-wIND-CCA game and gets a ciphertext under the tag H(otsvk * ) of either the plaintext pk uid 0 or pk uid 1 which it needs to distinguish.A 4 then constructs the rest of the challenge signature by simulating the proof π and signing the whole thing with otssk * to obtain σ ots .• TraceShare: A 4 just uses its ShareDec H(otsvk * ) oracle to get the decryption share of C dtbe contained within the signature.Note that since we have chosen otsvk * uniformly at random and since we already eliminated any case where any signature sent to TraceShare uses the same tag as that we used in the challenge signature, such a query will be accepted by A 4 's ShareDec H(otsvk * ) oracle because the tag is different from the target tag used in the challenge signature.• Trace: To answer this, A 4 just uses its ShareDec H(otsvk * ) oracle to get all the decryption shares {ν i } κ i=1 of C dtbe contained within the signature.Finally, when B outputs its guess, A 4 's output is that of B Lemma 4. The construction is non-frameable if N IZK is sound, the hash function H is collisionresistant, and the digital signatures DS 2 and WDS as well as the one-time signature OT S are existentially unforgeable.
Proof.We show that if there exists an adversary B that wins the non-frameability game then we can build adversaries A 1 against the unforgeability of signature scheme DS 2 , adversary A 2 against the unforgeability of the weak digital signature WDS, adversary A 3 against the strong unforgeability of the one-time signature scheme OT S, A 4 against the collision-resistance of the hash function H and A 5 against the soundness of N IZK respectively, such that Adv Non-Frame DGSDT ,B,κ (λ) ≤γ(λ) • Adv Unfor DS 2 ,A 1 (λ) + Adv Unfor WDS,A 2 (λ) + δ(λ) • Adv Unfor OT S,A 3 (λ) + Adv Coll H,A 4 (λ) + Adv Sound N IZK,A 5 (λ), where γ(λ) and δ(λ) are polynomials in λ representing an upper bound on the number of honest users and signing queries, respectively, B is allowed to make in the game.We start by instantiating the proof system N IZK in the soundness setting and hence the adversary cannot frame users by faking proofs for a false statement.Also, we have by the collision-resistance of Adversary A 3 randomly chooses j ← {1, . . ., δ(λ)} and guesses that B's forgery will involve forging a one-time signature that verifies under otsvk * used in answering the j-th signing query.All B's queries are answered normally as in Fig. 1 except the following oracles.
• Sign: When asked for the i-th Sign query (uid, m), if j = i, A 3 chooses a fresh key pair (otsvk, otssk) for the one-time signature scheme and answers the query by itself.If j = i, A 3 encrypts pk uid using H(otsvk * ) as a tag to obtain C dtbe and generates the proof π.It then forwards (m, π, C dtbe , otsvk * ) as the message to its one-time signing oracle to get a one-time signature σ ots .A 3 then sends the signature Σ := (σ ots , π, C dtbe , otsvk * ) to B.
Eventually, when B outputs its forgery, A 2 aborts if the B's forgery did not involve forging a onetime signature that verifies w.r.t otsvk * it got from its game.The probability that B forges a one-time signature that verifies w.r.t the same otsvk * is 1 δ(λ) .By the strong existential unforgeability of the one-time signature OT S, this only happens with a negligible probability.This concludes the proof.Lemma 5.The construction is traceable if the N IZK proof system is sound, and the digital signature scheme DS 1 is existentially unforgeable.
Proof.We show that if there exists an adversary B that wins the traceability game then we can build adversaries A 1 against the unforgeability of signature scheme DS 1 and adversary A 2 against the soundness of N IZK, respectively, such that Adv Trace DGSDT ,B,κ (λ) ≤Adv Unfor DS 1 ,A 1 (λ) + Adv Sound N IZK,A 2 (λ)• We start by instantiating the proof system N IZK in the soundness setting and hence the adversary cannot break traceability by faking proofs for a false statement.
• Adversay A 1 : Adversary A 1 gets the signature scheme's verification key pk * from its game and has access to a Sign oracle that it can query on messages its choice.Adversary A 1 starts by running (crs, xk) ← N IZK.Setup(1 λ ), (pk DT BE , {svk i } κ i=1 , {sk i } κ i=1 ) ← T PKE.Setup(1 λ , κ) and setting pk GM := pk * and hence it does not know the corresponding secret key sk GM .A 1 forwards gpk := (1 λ , crs, pk GM , pk DT BE , {svk i } κ i=1 , H) and {tsk i } κ i=1 := {sk i } κ i=1 to B. All B's queries are answered normally as in Fig. 1 except the following oracles.
• SndM and AddU: Since A 1 does not know the group manager's secret key sk GM , in order to generate the membership certificate cert uid , A 1 forwards pk uid to its sign oracle and sends back the signature cert uid to B as the membership certificate.Eventually, when B outputs its forgery, A 1 uses N IZK's extraction key xk to extract pk * uid and cert * uid and returns (pk * uid , cert * uid ) as its forgery in its game.By the existential unforgeability of DS 1 , this only happens with a negligible probability.This concludes the proof.Lemma 6.The construction satisfies tracing soundness if the DT BE scheme satisfies decryption consistency.
Proof.We show that if there exists an adversary B that wins the tracing soundness game then we can build an adversary A that breaks the decryption consistency requirement of the distributed tag-based encryption scheme DT BE such that Adv Trace-Sound DGSDT ,B,κ (λ) ≤ Adv DEC-CON DT BE,A,κ (λ)•

Fig. 2 .
Fig. 2. Security games for dynamic group signatures with distributed traceability

Fig. 7 .
Fig. 7.The Join/Issue protocol for our construction

Fig. 10 .
Fig. 10.The decryption consistency game for distributed tag-based encryption • Non-Frameability: Even if the group and tracing managers collude with the rest of the group, they cannot frame an honest group member.•Traceability: Even if the tracing manager and all group members are corrupt, they cannot produce a signature that does not trace to a member of the group.3 Syntax and Security of Dynamic Group Signatures with Distributed Traceability The parties involved in a Dynamic Group Signature with Distributed Traceability (DGSDT ) are: a group manager GM who authorizes who can join the group; κ tracing managers TM 1 , . . ., TM κ which only the participation of all of which makes it possible to identify who produced a signature; a set of users who can join group at any time by contacting the group manager.A DGSDT scheme consists of the following polynomial-time algorithms: Sign(gpk, gsk[uid], m) on input the group public key gpk, a user's group signing key gsk[uid] and a message m, outputs a group signature Σ on m by the group member uid.• Verify(gpk, m, Σ) is a deterministic algorithm which checks whether or not Σ is a valid group signature on m outputting a bit.• TraceShare(gpk, tsk i , m, Σ) on input the group public key gpk, a tracing key tsk i belonging to tracing manager TM i , a message m and a signature Σ, it outputs (ν, π Trace ) where ν is the tracing share of TM i of Σ and π Trace is a proof for the correctness of the tracing share.If TM i is unable to compute her share, she outputs (⊥, ⊥).If the validity of the shares are publicly verifiable, we just omit π Trace .• ShareVerify(gpk, tid, ν, π Trace , m, Σ) verifies whether the share ν is a valid tracing share of Σ by tracing manager TM tid outputting a bit accordingly.