The Fiat-Shamir (FS) transform is a popular tool to produce particularly efficient digital signature schemes out of identification protocols. It is known that the resulting signature scheme is secure (in the random oracle model) if and only if the identification protocol is secure against passive impersonators. A similar results holds for constructing ID-based signature schemes out of ID-based identification protocols. The transformation had also been applied to identification protocols with additional privacy properties. So, via the FS transform, ad-hoc group identification schemes yield ring signatures and identity escrow schemes yield group signature schemes. Unfortunately, results akin to those above are not known to hold for these latter settings and the security of the resulting schemes needs to be proved from scratch, or worse, it is often simply assumed. In this paper we provide the missing foundations for the use of the FS transform in these more complex settings. We start with defining a formal security model for identity escrow schemes (a concept proposed earlier but never rigorously formalized). Our main result constists of necessary and sufficient conditions for an identity escrow scheme to yield (via the FS transform) a secure group signature schemes. In addition, using the similarity between group and ring signature schemes we give analogous results for the latter primitive.
|Translated title of the contribution||The Fiat–Shamir Transform for Group and Ring Signature Schemes|
|Title of host publication||Security and Cryptography for Networks - SCN 2010|
|Publisher||Springer Berlin Heidelberg|
|Publication status||Published - 2010|
Bibliographical noteOther page information: 363-380
Conference Proceedings/Title of Journal: Security and Cryptography for Networks - SCN 2010
Other identifier: 2001253