\(e(U_1+U_2,V_1) =e(U_1,V_1) \times e(U_2,V_1)\)
\(e(U_1,V_1+V_2) =e(U_1,V_1) \times e(U_1,V_2)\)
BBS Signatures
[Pairing Home][Home]
With pairing-based cryptography we have two cyclic groups (\(G_1\) and \(G_2\)), and which are of an order of a prime number (\(n\)). A pairing on \((G_1,G_2,G_T)\) defines the function \(e:G_1 \times G_2 \rightarrow G_T\), and where \(g_1\) is a generator for \(G_1\) and \(g_2\) is a generator for \(G_2\). If we have the points of \(U_1\) and \(U_2\) on \(G_1\) and \(V_1\) and \(V_2\) on \(G_2\), we get the bilinear mapping of:
\(e(U_1+U_2,V_1) =e(U_1,V_1) \times e(U_2,V_1)\) \(e(U_1,V_1+V_2) =e(U_1,V_1) \times e(U_1,V_2)\) |
Can we produce a digital signature for a group of members, and then for it not to be possible to know who has signed within the group? This problem was solved in 2004 with BBS signatures and where Boneh, Boyen and Shacham defined this in [1]. With a group signature we create a membership of a group with defined private keys. These are defined as members, and the signature of any member cannot be seen from the signature, in terms of the public key of the signature.
With group signatures use a group manager and which responsible for signing things on behalf of the members. The key features of group signatures are:
With group signatures, we create a group private key, and which differs from each of the private keys of members. Then the group private key can produce private keys, and can also be used to reveal the signer of a message. With this we must also revoke the private key of a member, and this is done with a public announcement of the revocation. This can then also create a new group private address, and which revokes the private key of a member.
In this case we will take a SHA-256 hash of a message, and then sign this with the group private key. The outline coding using the library from the BBSSig library [here] is:
package main import ( "github.com/agl/pond/bbssig" "crypto/rand" "crypto/sha256" "fmt" "os" ) func main(){ m:="Hello" argCount := len(os.Args[1:]) if (argCount>0) {m= os.Args[1]} priv, _ := bbssig.GenerateGroup(rand.Reader) group := priv.Group member,_ := priv.NewMember(rand.Reader) msg := []byte(m) h := sha256.New() h.Write(msg) hashmsg := h.Sum(nil) fmt.Printf("Message: %s\n", msg) sig, err := member.Sign(rand.Reader, hashmsg, h) if err == nil { fmt.Printf("Message signed okay: %x\n", sig) } if group.Verify(hashmsg, h, sig) { fmt.Printf("Signature verified okay\n") } hashmsg[1] ^= 0x01 if !group.Verify(hashmsg, h, sig) { fmt.Printf("Signature failed okay\n") } hashmsg[1] ^= 0x01 tag, ok := priv.Open(sig) if ok { fmt.Printf("Signature opened okay.\n\nTag: %x\n",tag) } }
In this case we will flip the least significant bit of the hash of the message, and check the signature (and which should fail). Next, we flip it back and check again (and which should be successful).
A sample run is:
Message: Hello Message signed okay: 17caba412ca379549bfaa777cbd8e6c7cc2782ce3b5e2df98839a57874d588b05544591e80e1aac58b05b4091f42d43a397d8ec31dec6b06bc8926d374ea6b7d5ef3e97d30d46c4c514d01319a724d4556ebf252222722fc0ff5303bf82b860a595b67f65e46808ec7fa085a4a3a4d8564df7c6c22253feed92d8ada0a4192f832451acc1827807f60e90c9ab5719ddc123e017f1544ae2bbdbae12ad2ace31370822b5a0a6d6f5b37b4da6ddb87b4b2e0db69936e8b91107eabfad49005429e07ffd56971d953d38f86cc7902c2087892b9f9da9731dd1006299cdde1605b590b4cb6f8b77f48001b025dd6d10a83a78bcc6e5fbe6a5cda24c94a1b4b8444f44436e10728ec17fa1085322b071fdd28cb3e6d109af9cec3a3423eb3f978fa3067ccabbcd0b41d9074f9f4da07516932cd8c5564d16dd39ea52a35799a1d8844136238035d60f5b22096404782ad1e0e7ad067ecd53046cd17525501adca0ca169320a84cf9e4f174a19ff20fcaacc4aab8ba2efd1b0e925c2bfc12bf44318fc Signature verified okay Signature failed okay Signature opened okay. Tag: 4421373d72e5e8f10a89a3512f67334a8bd6bab4fac3ab1efbdbf87282195de1639d9d690bd47f7eb0d86d5aac62845c91003bcdf6f429e3479a2278e94b4b4c
[1] Boneh, D., Boyen, X., & Shacham, H. (2004, August). Short group signatures. In Annual International Cryptology Conference (pp. 41-55). Springer, Berlin, Heidelberg.