Remark 1.

Although most cryptosystems based on pairings assume for simplicity that bilinear groups have prime order. In our case, it is important that the pairing is defined over a group G containing |G| = n elements, where n = pq has a (ostensibly hidden) factorization in two large primes, p ≠ q. Moreover, G_p and G_q denote the cyclic subgroups of G with respective order p and q.

1. The Computational Diffie-Hellman (CDH) assumption in bilinear groups. This assumption states that, given a triple for random exponents a, b ∈ Z_p, there is no PPT algorithm that can compute g^ab ∈ G_p with non-negligible probability. Because of the bilinear pairing, CDH in G_p implies a “Gap Diffie Hellman” assumption.
2. The subgroup decision assumption. Consider an “instance generator” algorithm 𝓖𝓖 that, on input a security parameter 1^λ, outputs a tuple (p, q, G, G_T, e), in which p and q are independent uniform random λ-bit primes, G and G_T are cyclic groups of order n = pq with efficiently computable group operations (over their respective elements, which must have a polynomial size representation in λ), and e: G × G → G_T is a bilinear map. The subgroup decision assumption is that on input a tuple (n = pq, G, G_T, e) derived from a random execution of 𝓖𝓖(1^λ), and an element w selected at random either from G or from G_q, there is no (PPT) algorithm can decide whether w ∈ G_q with non-negligible advantage.
3. The Hidden Strong Diffie-Hellman assumption. We first define the l-HSDH problem as follows: On input three generators g, h and g^ω of G_p, and l-1 distinct triples where c_i ∈ Z_p, output another such triple distinct of all the others. The Hidden Strong Diffie-Hellman assumption states that, in a family of prime order bilinear groups generated by the instance generator 𝓖𝓖, there is no PPT algorithm can solve the HSDH problem in the bilinear group with non-negligible probability for sufficiently large λ ∈ ℕ.
4. The Decisional Linear (DLIN) assumption. We first define the Decision Linear Problem in G as follows: Given u, v, h, u^a, v^b, h^c ∈ G as input, output yes if a+b = c and no otherwise. The DLIN assumption states that, there is no (PPT) algorithm can solve the Decision Linear Problem with non-negligible advantage.

Remark 2.

The DLIN problem is originally defined in a prime-order group in [46]. In our case, we use the DLIN assumption over composite-order group, similar assumptions could be found in literatures such as [47] and [48].

3.1.1. Setup.

The Setup algorithm takes a security parameter in unary as input. The algorithm outputs pub (a tuple consists of system parameters and public values), the master enrollment key MK, and the group manager’s tracing key TK. Suppose that up to 2^k signers are supported in the group, and the message space is {0,1}^m, where k = O(λ) and m = O(λ). Let Gen[group] denote the set of generators of the “group”. The usage of the algorithm is illustrated in Fig 1.

The algorithm proceeds as follows.

Algorithm Setup(1^λ,1^k,1^m)

Begin

 ,p and q are prime numbers s.t. log₂p = Θ(λ)>k∧log₂q=Θ(λ)>k

 n←p·q

 builss a cyclic bilinear group G of order n

 Let G_p be the cyclic subgroups of G of order p

 Let G_q be the cyclic subgroups of G of order q

 Ω←g^ω ∈ G

 u,v',v₁,…,v_m ∈ Gen[G]

 PP←(g,h,u,v’,v₁,…,v_m,Ω,A) ∈ G × G_q × G^m+3 × G_T

 MK←(g^a,ω) ∈ G × Z_n

 TK→q ∈ ℕ

 output (pub,MK,TK)

End

3.1.2. Enroll.

The algorithm Enroll serves for creating a signing key for a user whose identity is ID, where 0≤ID< 2^k <p. The enroll algorithm takes pub (a tuple consists of system parameters and public values), the master key MK, and the user’s identity ID as input. It outputs a unique identifier s_ID ∈ Z_n and a corresponding private signing key K_ID. The secret unique value s_ID can be later used for tracing purposes. This value must be chosen so that ω+s_ID lies in . The usage of the algorithm is illustrated in Fig 2.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 2. The usage of the Enroll algorithm.

https://doi.org/10.1371/journal.pone.0131550.g002

The algorithm proceeds as follows.

Algorithm Enroll (pub,MK, ID)

Begin

 (g, h, u, v', v₁,…,v_m, Ω, A) ← PP

 (g^α,ω) ← MK

End

3.1.3. Sign.

The signing algorithm takes pub(a tuple consists of system parameters and public values), a group member’s private signing key K_ID, and the message M = (μ₁,…, μ_m) ∈ {0,1}^m as input. The algorithm outputs a signature (σ₁, σ₂, σ₃, σ₄, π₁, π₂) using the following procedure.

Algorithm Sign(pub, K_ID, M)

Begin

 (g, h, u, v', v₁,..., v_m , Ω, A) ← PP

 (μ₁,...,μ_m) ← M

 output (σ₁, σ₂, σ₃, σ₄, π₁, π₂)

End

3.1.4. Verify.

The group signature verification algorithm Verify takes pub(a tuple consists of system parameters and public values), a signature σ from an unknown group member, and a message M as input. If the signature σ is valid, it outputs 1, otherwise, outputs 0. Note that the verification algorithm outputs 1 only implies that the signature is generated by a member of the given group, but does not reveal the identity of the original signer.

Algorithm Verify(pub, σ, M)

Begin

 (σ₁, σ₂, σ₃, σ₄, π₁, π₂) ← σ

 (g, h, u, v', v₁, …, v_m, Ω, A) ← PP

 (μ₁, …, μ_m) ← M

  output 1

 Else

  output 0

End

3.1.5. Open.

As it is illustrated in Fig 3, to recover the identity of the signer, the group manager using the algorithm Open to test whether the signature is generated by a specific member of the group. If it is true, the algorithm outputs the identity of the member, otherwise, the output is ⊥.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 3. The usage of the Open algorithm.

https://doi.org/10.1371/journal.pone.0131550.g003

The algorithm proceeds as follows.

Algorithm Open(pub, σ, TK)

Begin

 (σ₁, σ_2, σ_3, σ₄, π_1, π₂) ← σ

 (g, h, u, v', v_1, ..., v_m , Ω, A) ← PP

 For Each ID

  output 1; exit;

 output ⊥

End

3.1.6. EKGen.

The encryption key generation algorithm EKGen takes the public parameters pub as input, and generates a key pair (PK_e, SK_e) as follows. Note that for each user, the TA should provide a certification for the public encryption key PK_e.

Algorithm EKGen(pub)

Begin

 (g,h,u,v′,v₁,…,v_m,Ω,A)←PP

 PK_e←(g^a,g^b),SK_e←(a,b)

 output(PK_e,SK_e)

End

3.1.7. Enc and Dec.

The encryption algorithm Enc takes the public parameters pub, the encryption key PK_e, and a (encoded) plaintext M ∈ G as input. The algorithm encrypts the plaintext and then outputs the ciphertext as follows.

Remark 3.

For simplicity, we use to denote the encryption algorithm while the encryption key is PK_e. Similarly, we use to denote the decryption algorithm while the decryption key is SK_e.

Algorithm

Begin

 (g, h, u, v', v₁,…, v_m, Ω, A) ← PP

 (PK_e,0, PK_e,1) ← PK_e

 C←(PK_e,0^x, PK_e,1^y, g^x+y ⋅ M)

 Output C

End

The decryption algorithm Dec works as follows.

Algorithm Dec_SKe(C)

Begin

 (C₁, C₂, C₃) ← C

 (a, b) ← SK_e

 output M

End

Remark 4.

The algorithm Setup also needs some operations that have not been listed in Table 2, such as generation of groups and large prime numbers, and random selection of group generators.

Remark 5.

The algorithm Open can be done in constant time. Because the value can be calculated once and for all for each user, we can construct a lookup table of for all users in the group. With the help of the lookup table, the algorithm “Open” only needs to compute (σ₂)^q.

In the next section, we introduce an obfuscator for the proposed EGS functionality, and prove the correctness and security of the obfuscator.

Definition 1. Preserving Functionality.

A PPT machine Obf is a circuit obfuscator for a class of probabilistic circuits ℂ = {ℂ_λ}_λ∈ℕ if, for every probabilistic circuit C ∈ ℂ_λ, (2) holds: (2) where the statistical difference StaDiff between C(x) and C′(x) is given by (1).

Theorem 1. (Preserving Functionality). Consider any circuit and let circuit . On every possible input, the output distributions of and are identical.

Proof. Suppose that PK_e = (g^a, g^b). On an arbitrary message M≠NULL, the output of is (c_i = Enc(σ_i, PK_e)_{i = 1,2,3,4}, c_i+4 = Enc(π_i, PK_e)_{i = 1,2}) where (σ₁, σ₂, σ₃, σ₄, π₁, π₂) = Sign(M, sk_ID). Let sk_ID = (K₁, K₂, K₃) and M = (μ₁…μ_m) ∈ {0,1}^m. We have (3) (4) (5) (6) (7) (8) where s, t₁, t₂, t₃, t₄, r₁,…, r₆, s₁,…, s₆ are uniformly random elements of Z_n.

Because , we have: (9) where (10) In (10), x₁, y₁, x₂, y₂, x₃, y₃ are uniformly random elements of Z_n.

For the same input M, suppose that the output of is (11) Consequently, we have: (12) (13) (14) (15) (16) (17) In the above six equations, are uniformly random elements of Z_n.

Let , the two tuples of ciphertexts are listed in Table 4.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 4. Comparison of ciphertexts.

https://doi.org/10.1371/journal.pone.0131550.t004

Clearly, the two tuples of ciphertexts are identically distributed.

If the input is a null message M = NULL, both the output of and the output of are (pub, PK_e).

This ends the proof.

4.3.1. Security notions for the EGS functionality and the obfuscator.

Average-Case Secure Virtual Black-box Property (ACVBP) was proposed in [35], and it was extended to ACVBP w.r.t. Dependent Oracles in [34]. The generalization allows distinguishers to have sampling access not only to <<C>> but also to a set of oracles dependent on C.

Definition 2.

A circuit obfuscator Obf for ℂ satisfies the ACVBP w.r.t. dependent oracle set T if the following condition holds: There exists a PPT oracle machine S (simulator) such that, for every PPT oracle machine 𝓓 (distinguisher), every polynomial f, all sufficiently large λ ∈ ℕ, and every z ∈ {0,1}^poly(λ), (18) where 𝓓^{<<C, T(C)>>} means that 𝓓 has sampling access to all oracles contained in T(C) in addition to C.

To the best of our knowledge, in obfuscating sig-then-encrypt functionalities, T(C) is always assigned to the signature function, such as in [34,36,38,41,49,50]. However, we have to investigate the effects of collision attacks from some members of the same group against the proposed obfuscator. In this scenario, the adversary against the obfuscator can get the signing key of a corrupted group member, that is, the adversary can query the Enroll oracle on the identity of a corrupted member. Because there are some restrictions on these kinds of queries, we define a set of restricted oracles dependent on C as 𝓡(C). Each element of 𝓡(C) is an oracle-restrictions pair. For example, in this paper 𝓡(C) = {(Enroll, id≠ID)}. Conventionally, when 𝓡(C) consists of only one element, we omit the braces. Moreover, we suggest that the restrictions could be written as superscripts of the oracle, e.g., Enroll^[id≠ID].

Based on the above intuition, we extended ACVBP w.r.t. Dependent Oracles (Definition 2) to ACVBP w.r.t. Dependent Oracles and Restricted Dependent Oracles as follows.

Definition 3.

A circuit obfuscator Obf for ℂ satisfies the ACVBP w.r.t. dependent oracle set T and restricted dependent oracle set 𝓡 if the following condition holds: There exists a PPT oracle machine S (simulator) such that, for every PPT oracle machine 𝓓 (distinguisher), every polynomial f, all sufficiently large λ ∈ ℕ, and every z ∈ {0,1}^poly(λ), (19) where 𝓓^{<<C, T(C), 𝓡(C)>>} means that 𝓓 has sampling access to all oracles contained in T(C) and 𝓡(C) in addition to C.

Besides the security notion for the obfuscator in WBAC, we should also provide security notions for the EGS functionality. There is a number of existing security notions of group signature schemes. Fortunately, as shown in Fig 6, there are two cores that imply other security notions as it was discussed in [2]. Hence, we focus on the full traceability (FT) and full anonymity (FA). Note that we use the CPA-full-anonymity[46] instead of the CCA2-full-anonymity[2].

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 6. Security notions of group signature schemes.

https://doi.org/10.1371/journal.pone.0131550.g006

We formally define full-traceability (FT w.r.t. EGS Functionality) using the following experiment.

Begin

 (PK_e, SK_e) ← EKGen(pub)

 st←(pub, TK, PK_e);Θ←∅;L ← ∅;Γ←ε;count←true

While(cont = true) do

  IF(cont = true)

   Θ←Θ∪{id};Γ ← Enroll(pub, MK, id)

 EndWhile

 IF(0 = Verify(pub, σ, M)) return 0;

 IF(⊥ = Open(pub, TK, σ, M)) return 0;

 IF(∃id ∈ [0,…, 2^k – 1], s.t. id = Open(TK, σ, M) ∧ id ∉ Θ ∧ (M, ID) ∉ L)

  return 0

 Else

  return 1

End

Definition 4.

(FT w.r.t. EGS Functionality). Let (Setup, Enroll, Sign, Verify) and (EKGen, Enc, Dec) be a pair of group signature and public key encryption schemes. The group signature scheme is FT w.r.t. the EGS functionality if the following condition holds: For every PPT oracle machine 𝓕 (adversary), every polynomial f, all sufficiently large λ ∈ ℕ, and every st ∈ {0,1}^poly(λ), (20) We formally define full-anonymity (FA w.r.t. EGS Functionality) using the following experiment.

Begin

 (PK_e,SK_e) ← EKGen(pub)

 SK ← ∅;id ← 0

 While(id < 2^k) do

  SK ← SK ∪ Enroll(pub,MK,id);id ← id + 1

 EndWhile

 return d

End

Definition 5.

(FA w.r.t. EGS Functionality). Let (Setup, Enroll, Sign, Verify) and (EKGen, Enc, Dec) be a pair of group signature and public key encryption schemes. The group signature scheme is full anonymous w.r.t. the EGS functionality if the following condition holds: For every PPT oracle machine 𝓕 (adversary), every polynomial f, all sufficiently large λ ∈ ℕ, and every st ∈ {0,1}^poly(λ), (21) Next, we consider a pair of stronger security notions, which require that the group signature scheme is still secure even when the adversary is given an obfuscated circuit. The following experiments are used to describe the strengthened definitions of full-traceability and full-anonymity respectively.

Begin

 (PK_e, SK_e) ← EKGen(pub)

 st ← (pub, TK, PK_e);SK ← ∅;Θ ← ∅;L ← ∅;Γ ← ε;cont ← true

 While(id < 2^k) do

  SK ← SK ∪ Enroll(pub, MK, id);id ← id + 1

 EndWhile

 While(cont = true) do

  IF(cont = true)

   Θ ← Θ ∪ {id};Γ ← Enroll(pub, MK, id)

 EndWhile

 IF(0 = Verify(pub, σ, M)) return 0;

 IF(⊥ = Open(pub, TK, σ, M)) return 0;

 IF(∃id ∈ [0, …, 2^k - 1], s.t. id = Open(TK, σ, M) ∧ id ∉ Θ ∧ (M, ID) ∉ L)

  return 0

 Else

  return 1

End

Algorithm O_EGS(id)

Begin

 Extract sk_id from SK

End

Begin

 (PK_e, SK_e) ← EKGen(pub)

 SK ← ∅;id ← 0

 While(id < 2^k) do

  SK ← SK ∪ Enroll(pub, MK, id);id ← id + 1

 EndWhile

 return d

End

Algorithm O_EGS(id)

Begin

 Extract sk_id from SK

End

Now we give definitions of full-traceability (FT) and full-anonymity (FA) w.r.t. EGS Obfuscator as follows.

Definition 6.

(FT w.r.t. EGS Obfuscator). Let (Setup, Enroll, Sign, Verify) and (EKGen, Enc, Dec) be a pair of group signature and public key encryption schemes. The group signature scheme is FT w.r.t. Obf_EGS if the following condition holds: For every PPT oracle machine 𝓕 (adversary), every polynomial f, all sufficiently large λ ∈ ℕ, and every st ∈ {0,1}^poly(λ), (22)

Definition 7.

(FA w.r.t. EGS Obfuscator). Let (Setup, Enroll, Sign, Verify) and (EKGen, Enc, Dec) be a pair of group signature and public key encryption schemes. The group signature scheme is FA w.r.t. Obf_EGS if the following condition holds: For every PPT oracle machine 𝓕 (adversary), every polynomial f, all sufficiently large λ ∈ ℕ, and every st ∈ {0,1}^poly(λ), (23)

Definition 8.

A circuit obfuscator Obf for ℂ is rerandomizable (RR) w.r.t. dependent oracle set T and restricted dependent oracle set 𝓡 if the following condition holds: There exists a PPT oracle machine RR such that, for every PPT oracle machine 𝓓 (distinguisher), every polynomial f, all sufficiently large λ ∈ ℕ, and everyz ∈ {0,1}^poly(λ), when C ∈ ℂ_λ and C′←Obf(C), (24) holds. (24) In (24), 𝓓^{<<C, T(C), 𝓡(C)>>} means that 𝓓 has sampling access to all oracles contained in T(C) and 𝓡(C) in addition to C.

Note that if a circuit obfuscator Obf for ℂ is rerandomizable w.r.t. dependent oracle set T and restricted dependent oracle set 𝓡 and Obf also satisfies the ACVBP w.r.t. dependent oracle set T and restricted dependent oracle set 𝓡, we say that Obf is RR&ACVBP w.r.t. dependent oracle set T and restricted dependent oracle set 𝓡.

There are six new security notions that are proposed in this section. Relationships among the proposed security notions and known security notions are shown in Fig 7. In Fig 7, the arrows denote the “imply” relationships. Most of the “imply” relationships are easy to verify so we omit the detail analysis, except the complex one that is investigated in Theorem 3.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 7. Relationships among the proposed security notions and known security notions.

https://doi.org/10.1371/journal.pone.0131550.g007

As illustrated in Fig 7, some new security notions are equal to old ones. Especially, Definition 5 (FA w.r.t. EGS Obfuscator), Definition 7 (FA w.r.t. EGS functionality) and the CAP-full-anonymity (in [46]) are equivalent. Hence, from the practice point of view, it seems that Definition 5 and Definition 7 are somewhat useless because in fact depict the same security of CAP-full-anonymity. However, to provide these security notions and investigate them are necessary, both to acquire the result and to fulfill the completeness of theory.

4.3.2. The main security theorem.

Theorem 2. The proposed obfuscator Obf_EGS for the proposed EGS functionality satisfies ACVBP w.r.t. dependent oracle and restricted dependent oracle .

Proof. We have , and . Then we define a pair of probabilities in (25) and (26). They are the probabilities that 𝓓^{<<C, T(C), 𝓡(C)>>} outputs 1, given the real and simulated distributions, respectively. sk_ID = (K₁, K₂, K₃) is encrypted in the real distribution while (K₁′, K₂′, K₃′) ∈ _$ G³ is encrypted in the simulated distribution. It is the only difference.

Let (25) and (26) We construct a simulator Sim that works as follows

(g^a, g^b) ← PK_e

For contradiction, assume that the probability that a distinguisher can distinguish between C' and C" is not negligible. That is, the difference between the following two probabilities is not negligible. Without loss of generosity, we suppose that Pr_Nick-Pr_Junk = δ > 0.

Then an adversary pair (𝓐, 𝓑) which breaks the indistinguishability of the linear encryption scheme is constructed as follows. 𝓐 produces a plaintext pair 〈sk_ID, sk′〉, and the associated public setting and some global parameters of the asymmetric encryption scheme using 𝓐.Init and plays the following security game with 𝓓 and 𝓑.

We list the usage of the algorithms that are used in Game1, i.e., 𝓐.Init, 𝓐.OC, 𝓐.OS, 𝓐.OE, 𝓐.Guess, and 𝓑.CipherTextGen, in Table 5.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 5. The algorithms in Game1.

https://doi.org/10.1371/journal.pone.0131550.t005

The descriptions of the algorithms are as follows.

Algorithm 𝓐.Init(1^λ)

Begin

 st ← (pub,priv)

 output (st, challenge)

End

Remark 6.

We suppose that 𝓐 generates the system parameters honestly, that is, 𝓐 does not set any “backdoor” in the parameters. Otherwise, the system parameters could be generated by a trusted third party.

Remark 7.

After 𝓐 is initialized, pub,ID and sk_ID are private “member variables” of 𝓐.

Algorithm 𝓐.OS(M)

Begin

End

Algorithm 𝓐.OS(id)

Begin

 IF(ID = id) output ⊥

 Else output Enroll(pub,M,id)

End

Algorithm 𝓑.CipherTextGen(challenge)

Begin

 IF(d = 0)

  (K₁,K₂,K₃)←sk

 Else

  (K₁,K₂,K₃)←sk′

 output ct,PK_e

End

Algorithm 𝓐.Guess(ct,st)

Begin

  d' ← 0

 Else

 output d'

End

Note that if d = 1, is the same as which is generated by Sim, otherwise, is really a valid output of Obf_EGS.

Algorithm 𝓐.OC(M)

Begin

End

We compute Pr[d′ = 0∧d = 0] and Pr[d′ = 1∧d = 1] in the security game as follows.

(27)

(28)

Finally, the advantage of 𝓐 (as an adversary in a chosen-plaintext attack against the linear encryption scheme LE) can be calculated as follows.

(29)

Recall that δ = Pr_Nick-Pr_Junk, if δ is non-negligible, so is . This contradicts the security property (i.e., semantically secure against chosen-plaintext attacks) of the linear encryption scheme based on the decisional linear assumption. This ends the proof.

Remark 8.

By a natural extension on the proof of the security of the ElGamal encryption scheme, the linear encryption scheme is semantically secure against chosen-plaintext attacks, assuming the decisional linear assumption holds [46].

Remark 9.

Definition 3 (ACVBP w.r.t. Dependent Oracles and Restricted Dependent Oracles) fits for many application scenarios. Examples are shown in Table 6. Moreover, the proof of Theorem 3 does not work under the ACVBP or ACVBP w.r.t. Dependent Oracles.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 6. Some of the scenarios that Definition 3 should be used.

https://doi.org/10.1371/journal.pone.0131550.t006

4.3.3. FT and FA w.r.t. the proposed EGS Obfuscator.

We prove the relationship between Definition 3, 4, 6 and 8 which is already shown in Fig 7 as follows.

Theorem 3. If an obfuscator Obf_EGS for a EGS functionality satisfies RR&ACVBP w.r.t. dependent oracle and restricted dependent oracle , then the FT w.r.t. EGS Functionality implies the FT w.r.t. EGS Obfuscator.

Proof. Suppose that a group signature scheme is FT w.r.t. the EGS functionality but not FT w.r.t. Obf_EGS. There exists a PPT oracle machine 𝓕 (forgery) and Q_Obf ∈ ℕ such that is not a negligible value where the superscript Q_Obf implies that 𝓕 queries the oracle O_EGS(·) at most Q_Obf times.

We denote the maximum advantage of the forgery 𝓕 which can query the oracle O_EGS(·) at most q_Obf(1≤q_Obf≤Q_Obf) times in the experiment as . Clearly, we have (30) Therefore, ∃q′_Obf(1≤q′_Obf≤Q_Obf), s.t. (31) We design the experiment as follows. In the experiment, the simulator Sim works the same as in the proof of Theorem 2.

Begin

 C* = C^(coin)

End

Furthermore, we design a security game as follows.

We list the usage of the algorithms of 𝓓 that are used in Game2, i.e., 𝓓.Init(), 𝓓.Sig(id, M), 𝓓.Answer_O_EGS(id) and 𝓓.RR, in Table 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Table 7. The algorithms of 𝓓 in the Game2.

https://doi.org/10.1371/journal.pone.0131550.t007

The existence of 𝓓.RR is guaranteed by the hypothesis. The other three algorithms work as follows.

Algorithm 𝓓.Init( )

Begin

 While(id<2^k) do

  IF (id ≠ ID)

  id ← id + 1

 EndWhile

End

Algorithm 𝓓.Sig(id, M)

Begin

 IF (id = ID)

   //Get the output via oracle query

 Else

  output Sign_sk[id] (M) //Compute the output directly

End

Algorithm 𝓓.Answer_O_EGS(id)

Begin

 IF (id = ID)

  𝓓.RR(C*)

 Else

End

Let be the probability of 𝓕 (and 𝓓) outputs 1 when coin = 0 and 𝓕 queries at most q′_Obf times. Clearly, we have (32) Let be the probability of 𝓕 (and 𝓓) outputs 1 when coin = 1 and 𝓕 queries at most q′_Obf times. equals to .

Hence, 𝓓 is a distinguisher of a simulator and a real obfuscator because: (33) In the above analysis, we show that, if the FT w.r.t. EGS Functionality is satisfied, but the FT w.r.t. EGS Obfuscator is NOT satisfied, then it contradicts the RR&ACVBP w.r.t. dependent oracle and restricted dependent oracle . This ends the proof.

The following propositions are easy to verify, hence we omit the proofs.

Proposition 1.

The proposed obfuscator Obf_EGS is rerandomizable w.r.t. the dependent oracle and the restricted dependent oracle .

Proposition 2.

The group signature scheme in [45] satisfies the following security properties with regard to the proposed EGS functionality or the proposed obfuscator Obf_EGS:

1. FT w.r.t. the proposed EGS functionality.
2. FA w.r.t. the proposed EGS functionality.
3. FT w.r.t. the proposed obfuscator Obf_EGS.
4. FA w.r.t. the proposed obfuscator Obf_EGS.

6.1.1. An Application in cloud computing.

Group signature technique is perfectly suited for privacy-preserving security schemes in cloud computing. The proposed application is inspired by [18]. The application scenario for encrypted group signature schemes is a single company hosting a private cloud for its employees, e.g. providing access to file sharing or printing services. Usually, there is no need to identify the employee who has uploaded a certain file, and in some cases this may even be a confidential information (e.g. for labor unions within the company). However, in the event of uploading a file illegally, the company’s management may have a severe interest in finding the responsible employee, regardless of potential reasons for preserving anonymity. The application is illustrated in Fig 8.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 8. An application in cloud computing.

https://doi.org/10.1371/journal.pone.0131550.g008

6.1.2. An Application in mobile healthcare social networks.

The second application is a privacy-preserving emergency call scheme for mobile healthcare social networks. It is adapted from [4].

As illustrated in Fig 9, a privacy-preserving emergency call system enables patients in life-threatening emergencies to accurately and fast transmit emergency data to the nearby helpers via mobile healthcare social networks. Once an emergency happens, the personal digital assistant (PDA) of the patient runs the emergency call procedure to collect the emergency data including patient health record, patient physiological condition, as well as the current emergency location. The emergency call procedure then generates an emergency call with the emergency data inside and epidemically disseminates it to every user in the patient’s neighborhood. If a physician happens to be nearby, the PEC ensures the time used to notify the physician of the emergency to be the shortest.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 9. A decentralized emergency response scheme.

https://doi.org/10.1371/journal.pone.0131550.g009

In an emergency situation, a patient must reveal his/her information to the nearby users in order to ask for their instant help. However, with privacy concerns, the patients would preserve the identity privacy and prevent their transactions being linked to their unique identities. On the other hand, a TA must be able to trace the emergency call and identify the corresponding patient. In this way, any malicious attacker who has generated a bogus emergency call would be detected and punished. Details of the application are listed as follows and illustrated in Fig 10.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Fig 10. An application in a privacy-preserving emergency call system based on mobile social network.

https://doi.org/10.1371/journal.pone.0131550.g010

(1) Initialization Phase:

At the beginning, the Trusted Authority (TA) uses the algorithm Setup to generate system parameters, public values, the master enrollment key MK, and the group manager’s tracing key TK.

(2) Registration Phase:

When a patient who needs medical services for possible emergency situations joins the system, TA uses the algorithm Enroll to issue a secret signing key sk and delivers the key to the patient through a secure channel.

(3) Obfuscation phase:

The patient uses the obfuscator Obf_EGS to generate an obfuscated implementation of encrypted group signature functionality in his/her personal computer. Then the patient transfers the obfuscated implementation to his/her PDA.

(4) Emergency call generation phase:

The emergency call generation is started by a detection of the abnormal physiological condition from body sensors. This condition can be pre-implanted into the patient’s PDA with the instructions of the medical professionals.

Let patient n_i denote a user who has an emergency situation. The patient n_i’s PDA generates an emergency call according to the following steps.

(4.1) General information collection phase: The PDA intelligently collects the following general information:

• Location (LOC): It contains the emergency location information which can be measured by a global positioning system (GPS) of the patient PDA.
• Incident (INC): It contains a general description of the environment where the emergency occurs.
• Time (TIME): It contains the exact time when the emergency occurs.

(4.2) Encrypted Signature generation phase: The PDA uses the obfuscated implementation EGS to generate an encrypted group signature on “LOC||INC||TIME”. The encrypted group signature will be put into the “EGS” component.

(4.3) Data encryption phase: The PDA encrypts the patient n_i’s physiological condition (PC) and health record (HR).

(4.4) Information dissemination phase: The PDA disseminates the Emergency Call Message to the neighboring users and APs (Access Points). Note that denotes the ciphertexts of GS and PC||HR where .

(5) Emergency call response phase:

User n_j receives the ECM from patient n_i and executes the following steps, where a PDA represents user n_j ‘s PDA:

(5.1) Cryptographic preprocess: First, the PDA decrypts the encrypted part of the message () and gets the plaintext GS,PC||HR. Second, the PDA verifies the group signature “GS” by using the verification algorithm Verify. If the verification passes, user n_j confirms the information “LOC||INC||TIME.”

(5.2) Local response: As an emergency response, user n_j firstly makes a phone call (e.g., dialing 911) to report the emergency to the hospital/first-aid center. Then, the PDA executes the step (5.3).

(5.3) Information re-dissemination phase: The PDA checks the “TIME” component: If the time period from the emergency occurrence to the user n_j receiving it, is larger than the threshold value, then the emergency call is discarded. Otherwise, the PDA forwards the ECM to the neighboring users.

6.1.3. Extensions to identity-based signatures and key-insulated signatures.

In a traditional (certification-based) public-key cryptosystem, the association between a user’s identity and his/her public key is obtained through a digital certificate issued by a Certifying Authority (CA). The CA checks the credentials of a user before issuing a certificate to the user. If a signer wants to sign a message, first the signer obtains a digital certificate for his/her public key from a CA. The signer then signs the message using the private signing key and sends the signed message along with his/her certificate to the receiver. The receiver (verifier) first verifies the validity of the certificate by checking the certificate revocation list published by the CA, then the receiver verifies the signature using the public key in the certificate. If many CAs are involved between the signer and the verifier, then the entire certificate path has to be verified.

Hence, the process of certificate management requires high computational and storage efforts. To simplify the certificate management process, Shamir [60] introduced the concept of identity-based cryptosystem. In such cryptosystems the public key of a user is derived from his/her identity information and a private key is generated by a Trusted Authority (TA). The advantage of an identity-based cryptosystem is that it simplifies the key management process which is a heavy burden in the traditional certificate based cryptosystems. In these cryptosystems, the verifier can verify the signer’s signature just by using his/her identity information. In general, an identity based cryptosystem has the following properties:

• user’s public key is his/her identity (or derived from the identity).
• no requirement of public key directories
• the verification process of a signature requires only the signers’ identity (along with some public system parameters)

These properties make identity-based cryptosystems advantageous over the traditional certification-based cryptosystems, as key distribution is far simplified. It needs a directory only for authenticated public system parameters of the KGC (Key Generation Center), which is clearly less burdensome than maintaining a public key directory for total users.

As a by-product of the paper, we found that one could easily transform the proposed functionality to an obfuscatable encrypted identity-based signature by applying the following steps.

1. The KGC sets up the group for all users.
2. The KGC broadcasts the tracing key as a public value.
3. When generating a signature, the signer appends his/her identity at the end of the signature.
4. Merge the verification algorithm and the opening algorithm together.
5. The obfuscators, and even the encryption key generation algorithm, the encryption algorithm and the decryption algorithm can be used in the identity-based scenario without modification.

Note that the main security definition (ACVBP w.r.t. DOs and RDOs) can be almost directly obtained from Section 4. Moreover, the security proof can be deducted from this paper easily. So we omit the details in this paper.

Furthermore, as suggested in [61], by identifying time periods with identities, any identity-based signature scheme yields a perfectly (but not necessarily strong) key-insulated signature scheme. Accordingly, by applying this technique to the above identity-based scheme, an obfuscatable key-insulated signature scheme and a corresponding obfuscator is acquired.

Hence, besides the encrypted group signature, this paper adds two more new items in the list of obfuscatable cryptographic functionalities, i.e., the encrypted identity-based signature and the encrypted key-insulated signature.