ANONYMOUS MESSAGE AUTHENTICATION
Universally Composable Definition and Construction
Kazuki Yoneyama
The University of Electro-Communications, 1-5-1, Chofugaoka, Chofu-shi, Tokyo 182-8585, Japan
Keywords:
Anonymity, anonymous message authentication, universal composability, ring signature, group-certification authority.
Abstract:
Recently, various casual communication tools which are run by a certain group (e.g., social network services, blogs and wikis) have become popular. In such services, a member may want to share information with other group members without exposing his identity. For this purpose, message authentication schemes which guarantee anonymity of senders seem to be suitable. In this paper, we introduce a new anonymous message authentication scheme using ring signature with a special certification authority, called a group-certification authority. By the property of ring signature, our scheme does not need any group manager to preserve the anonymity of the group members. Therefore, our scheme is suitable for casual services where strict operation by a system manager is not required. Furthermore, we evaluate the security of our scheme in the universal composability framework.
1 INTRODUCTION
Motivation. Open blog services are widely used in daily life. Blog is short for weblog, a chronological publication of comments and thoughts on the web. Usually, a blog is operated by a certain group, and members freely insert comments or contents. Here, we consider the anonymity problem of group members. That is, when a member of the group edits the blog with a message which contains the target part of the edit and the contents, the blog server can verify whether the editor belongs to the group, but it should not be able to distinguish that member from other members. This property is reasonable for such services because a member may want to share information with group members without exposing his identity.
For this purpose, authentication schemes which guarantee anonymity of senders seem to be suitable. Several previous papers (Schechter et al., 1999; Boneh and Franklin, 1999; Nguyen and Safavi-Naini, 2005; Nguyen, 2006) study anonymous authentication schemes. These schemes aim to authenticate the membership of users in some group. However, for casual services like open blogs, it is enough to authenticate the message of the sender. So, we focus on message authentication schemes which guarantee anonymity of the sender.
Contribution. We introduce a special type of message authentication scheme which guarantees anonymity: a sender belonging to a group sends an authenticated message to a recipient. Then, the recipient verifies that this message was sent by one of the group members, but the recipient cannot distinguish the sender from other group members. We call this an anonymous message authentication scheme; it is obtained from ring signature schemes. Ring signature-based anonymous message authentication schemes have no property of revoking members. However, in the case of a small blog system within a very limited group (e.g., a laboratory) where the joining and revoking of members are very rare, ring signature is preferable to group signature, because, in contrast to group signatures, ring signature does not need any group manager to preserve the anonymity of the group members. In an unauthenticated communication model, it is impossible to construct the anonymous message authentication scheme by using ring signature alone, because we cannot confirm whether the verification keys which have been made public are the true keys of members. Thus, we need to bind messages and signatures to “physical entities” directly. We make the minimal set-up assumption that parties have access to a “certification authority (CA)” who registers party identities together with verification keys. Since a verifier in ring signature schemes verifies signatures by using the list of verification keys for the group from the CA, our scheme assumes that parties have access to a “group CA (gCA)” who records the list of verification keys for the group.
Yoneyama K. (2008).
ANONYMOUS MESSAGE AUTHENTICATION - Universally Composable Definition and Construction.
In Proceedings of the International Conference on Security and Cryptography, pages 351-354
DOI: 10.5220/0001916503510354
Copyright © SciTePress
Furthermore, we evaluate the security of our scheme in the universal composability (UC) framework, which was introduced in (Canetti, 2001). The advantage over traditional frameworks is that UC provides strong secure composability (i.e., the security of a primitive which has UC security in a stand-alone manner will always be preserved even when it is executed concurrently with an unbounded number of other UC secure primitives in an adversarially controlled manner).
To formulate our scheme and these settings in the UC framework, we first formulate a new ideal anonymous message authentication functionality $F_{\mathrm{aAUTH}}$ as an extension of the ideal message authentication functionality $F_{\mathrm{AUTH}}$ in (Canetti, 2004), and assume a ring signature scheme and a group-certification authority which are represented by an ideal ring signature functionality $F_{\mathrm{rSIG}}$ in (Yoneyama and Ohta, 2007) and a new ideal group-certification authority functionality $F_{\mathrm{gCA}}$. Next, we show that our anonymous message authentication scheme realizes $F_{\mathrm{aAUTH}}$ given ideal access to $F_{\mathrm{rSIG}}$ and $F_{\mathrm{gCA}}$ (i.e., ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model).
2 PRELIMINARIES
In this section, we present the intuitive framework of ring signature schemes, the group-certification authority and our anonymous message authentication scheme. For the formal UC definition, readers should refer to (Canetti, 2001).
Ring Signature. Ring signature schemes permit any party to generate a signing key and a verification key. A signer chooses group members from the parties who have generated keys and makes their verification keys public, without any group manager. Let $M_{\mathrm{all}}$ be the set of parties who generate their keys, and $L_{\mathrm{all}}$ be the list of their verification keys. Furthermore, let M be a subset of $M_{\mathrm{all}}$ with n elements, and L be the list of verification keys of the group members in M. A signature of a message is generated by a signer of the group M. Though any party can verify the signature using L as a verifier, he cannot identify the signer in M.
Group-Certification Authority. In general, a rudimentary certification authority guarantees the binding between a single party’s identity and a previously registered value. However, our scheme requires a guaranteed binding between a group’s identity and the list of the group’s verification keys. Therefore, we suppose that there is a group-certification authority gCA which guarantees the connection between a group M and the list of the group’s verification keys L.
Anonymous Message Authentication. Our anonymous message authentication scheme is based on ring signature schemes with gCA. Ring signature is used for binding a sender’s message m to the group M to which the sender belongs. Furthermore, by using gCA, the recipient can obtain the list of verification keys L which are generated by the group members. Therefore, our scheme guarantees the following three properties:
Group Authenticity: the recipient is able to verify that the message m was certainly sent by a member of the group M, because by the property of ring signature a party who does not belong to M cannot generate a valid signature.
Anonymity of Sender: the recipient cannot distinguish the sender from other members of the group M, because signature verification in ring signature only needs a message, a signature and a list of verification keys as inputs.
No Trusted Third Party: our scheme does not need a group manager who manages the group (e.g., joining and revoking members), because ring signature also does not need a group manager.
3 FORMULATING NEW FUNCTIONALITIES
In this section, we define a new ideal functionality $F_{\mathrm{aAUTH}}$ which represents anonymous message authentication schemes and a new group-certification authority functionality $F_{\mathrm{gCA}}$, based on the ideal message authentication functionality $F_{\mathrm{AUTH}}$ and the ideal certification authority functionality $F_{\mathrm{CA}}$ in (Canetti, 2004), respectively.
3.1 Anonymous Message Authentication Functionality $F_{\mathrm{aAUTH}}$
The essential difference between $F_{\mathrm{aAUTH}}$ and $F_{\mathrm{AUTH}}$ is the output to a recipient in the Receiving Message phase. When each party behaves correctly, $F_{\mathrm{aAUTH}}$ provides the recipient with the name of the group to which the sender belongs instead of the name of an entity. Like $F_{\mathrm{AUTH}}$, $F_{\mathrm{aAUTH}}$ does not ensure the revocation property of recorded data because this can be considered an optional property. Figure 1 shows the functionality $F_{\mathrm{aAUTH}}$.
SECRYPT 2008 - International Conference on Security and Cryptography
Functionality $F_{\mathrm{aAUTH}}$
Sending Message: On input (“Send”, sid, $P_j$, m, M) from party $P_i$, verify that $P_i$ M. If not, ignore the input. Else, send (“Sent”, sid, M, $P_j$, m) to the adversary.
Receiving Message: On input (“Send”, sid, $P_j$, m ) from the adversary, verify that $P_i$ is uncorrupted. If not, send (“Sent”, sid, M, m ) to party $P_j$. Else, send (“Sent”, sid, M, m) to party $P_j$.
Figure 1: Anonymous message authentication functionality $F_{\mathrm{aAUTH}}$.
Functionality $F_{\mathrm{gCA}}$
Register Key: On first input (“Register”, sid, $v_i$) from party $P_i$, forward (“Registered”, sid, $v_i$) to the adversary. On input “OK” from the adversary, verify that this is the first request from $P_i$. If not, ignore the input. Else, record $M_{\mathrm{all}}$ $M_{\mathrm{all}}$ {$P_i$} and $L_{\mathrm{all}}$ $L_{\mathrm{all}}$ {$v_i$}.
Retrieve Key: On input (“Retrieve”, sid, M) from party $P_j$, forward (“Retrieve”, sid, $P_j$, M) to the adversary. On input “OK” from the adversary, verify that M $M_{\mathrm{all}}$. If not, output (“Retrieve”, sid, ). Else, output (“Retrieve”, sid, L).
Figure 2: Group-certification authority functionality $F_{\mathrm{gCA}}$.
Here, we show several notable points of the formulation of $F_{\mathrm{aAUTH}}$.
Guaranteeing Anonymity of Sender. When a sender $P_i$ is uncorrupted and belongs to the group M, $F_{\mathrm{aAUTH}}$ sends (“Sent”, sid, M, m) to party $P_j$. Then, though $P_j$ recognizes that $P_i$ belongs to the group M, $P_j$ cannot distinguish $P_i$ from other members of M. Therefore, $F_{\mathrm{aAUTH}}$ guarantees anonymity of the sender.
Group Authenticity. When a sender $P_i$ is uncorrupted and does not belong to the group M, $F_{\mathrm{aAUTH}}$ ignores the input of $P_i$. This formulation means that an invalid sender, i.e., a non-member of the group M, cannot succeed in being authenticated. Therefore, $F_{\mathrm{aAUTH}}$ guarantees the property of rejecting such an invalid sender.
3.2 Group-Certification Authority Functionality $F_{\mathrm{gCA}}$
Next, we define the group-certification authority functionality $F_{\mathrm{gCA}}$. $F_{\mathrm{gCA}}$ is obtained as an extension of $F_{\mathrm{CA}}$ in (Canetti, 2004). To adapt to the setting of the anonymous message authentication scheme, $F_{\mathrm{gCA}}$ outputs a list of verification keys instead of a single verification key. $F_{\mathrm{gCA}}$ accepts only first registered values, and does not allow for modification or “revocation”. Such more advanced features are of course useful, but are not necessary for our basic use. We stress that $F_{\mathrm{gCA}}$ does not perform any checks on the registered value; it simply acts as a public bulletin board. (In particular, no “proof of possession of signing key” is required.) Figure 2 shows the functionality $F_{\mathrm{gCA}}$.
4 REALIZING $F_{\mathrm{aAUTH}}$ GIVEN RING SIGNATURE WITH GCA
In this section, we present our anonymous message authentication scheme, called RAMA, given a UC secure ring signature scheme. Also, we assume that parties can access gCA in our scheme. This assumption is considered as ideal access to $F_{\mathrm{rSIG}}$ (Yoneyama and Ohta, 2007) and $F_{\mathrm{gCA}}$ in the UC framework. Then, we claim that RAMA securely realizes $F_{\mathrm{aAUTH}}$ in the ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model.
4.1 Ring Signature-based Anonymous Message Authentication Protocol RAMA
Here, we show our scheme, called RAMA. RAMA stands for “Ring signature-based anonymous message authentication”. Therefore, in the basic definition, this protocol is based on ring signature schemes with gCA, and, in the UC definition, it realizes $F_{\mathrm{aAUTH}}$ in the ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model. Figure 3 shows the protocol RAMA.
Protocol RAMA
For all P M, in the first activation, P sends (“KeyGen”, $\mathit{sid}_{\mathrm{rSIG}}$) to $F_{\mathrm{rSIG}}$, and obtains (“Verification Algorithms”, $\mathit{sid}_{\mathrm{rSIG}}$, RV ) from $F_{\mathrm{rSIG}}$. P sets v = RV and sends (“Register”, $\mathit{sid}_{\mathrm{gCA}}$, v ) to $F_{\mathrm{gCA}}$.
Sending Message. When party $P_i$ is activated with input (“Send”, sid, $P_j$, m, M), party $P_i$ does:
1. $P_i$ checks $P_i$ M. If not, then $P_i$ halts. Else, sets m = (m, $P_j$).
2. $P_i$ sends (“Retrieve”, $\mathit{sid}_{\mathrm{gCA}}$, M) to $F_{\mathrm{gCA}}$, and obtains (“Retrieve”, $\mathit{sid}_{\mathrm{gCA}}$, L). Also, $P_i$ sends (“Sign”, $\mathit{sid}_{\mathrm{rSIG}}$, m , L) to $F_{\mathrm{rSIG}}$, and obtains (“Signature”, $\mathit{sid}_{\mathrm{rSIG}}$, m , L, σ) from $F_{\mathrm{rSIG}}$. Finally, $P_i$ sends (sid, M, m, σ) to party $P_j$.
Receiving Message. When party $P_j$ is activated with input (sid, M, m, σ), party $P_j$ does:
1. $P_j$ sets m = (m, $P_j$).
2. $P_j$ verifies that a pair (M, L) is recorded. If not, $P_j$ sends (“Retrieve”, $\mathit{sid}_{\mathrm{gCA}}$, M) to $F_{\mathrm{gCA}}$, and obtains (“Retrieve”, $\mathit{sid}_{\mathrm{gCA}}$, L). Then, if L = , $P_j$ derives (“Verified”, $\mathit{sid}_{\mathrm{rSIG}}$, m , 0), i.e., rejects the signature, outputs nothing. Else, $P_j$ records a pair (M, L).
3. $P_j$ sends (“Verify”, $\mathit{sid}_{\mathrm{rSIG}}$, m , σ, L) to $F_{\mathrm{rSIG}}$, and obtains (“Verified”, $\mathit{sid}_{\mathrm{rSIG}}$, m , f) from $F_{\mathrm{rSIG}}$. If f = 1, $P_j$ outputs (“Sent”, sid, M, m) and halts. Else, $P_j$ outputs nothing.
Figure 3: Ring signature-based anonymous message authentication protocol RAMA.
The unforgeability property of the ring signature guarantees the group authenticity property of RAMA because an invalid sender which is not a member of the group cannot forge a signature which is accepted by recipients. Also, the anonymity property of the ring signature guarantees the anonymity of sender property of RAMA because a recipient cannot distinguish the sender from other members of the group while the recipient is able to authenticate that the message was certainly sent by a member of the group.
Theorem 4.1 Protocol RAMA securely realizes $F_{\mathrm{aAUTH}}$ in the ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model.
[Proof Idea.] Let A be an adversary in the ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model. The proof outline is that for any A we can construct a simulator S such that no environment Z can successfully distinguish the interaction with A and parties running RAMA in the ($F_{\mathrm{rSIG}}$, $F_{\mathrm{gCA}}$)-hybrid model from the interaction with S and parties for $F_{\mathrm{aAUTH}}$ in the ideal model. Simulator S runs a simulated copy of A and the interface for A. Then, S forwards all instructions from Z to A and back. The detail of the proof will be shown in the full paper.
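
The message flow of Figure 3, as an added example that is not code from the paper: $F_{\mathrm{gCA}}$ is modelled as a first-registration-wins bulletin board, and $F_{\mathrm{rSIG}}$ by an assumed lookup table of signed (message, ring) pairs, which is a simplification and not the definition in (Yoneyama and Ohta, 2007). Party names and messages are constructed, class and function names are hypothetical, and the recipient's caching of the pair (M, L) is omitted.

```python
import secrets

class GCA:  # F_gCA as a bulletin board: first registration wins, no checks on v
    def __init__(self):
        self.keys = {}                      # party -> verification key
    def register(self, party, v):
        self.keys.setdefault(party, v)      # later registrations are ignored
    def retrieve(self, group):              # list L, or None if a member is unregistered
        ok = set(group) <= set(self.keys)
        return tuple(self.keys[p] for p in sorted(group)) if ok else None

class RSIG:  # assumed stand-in for F_rSIG: a table of signed (message, ring) pairs
    def __init__(self):
        self.owner, self.signed = {}, set()
    def keygen(self, party):
        v = secrets.token_hex(8)
        self.owner[v] = party
        return v
    def sign(self, party, msg, ring):
        if not any(self.owner.get(v) == party for v in ring):
            return None                     # signer holds no key in the ring
        sigma = secrets.token_hex(16)       # random tag: reveals nothing about the signer
        self.signed.add((msg, ring, sigma))
        return sigma
    def verify(self, msg, sigma, ring):
        return 1 if (msg, ring, sigma) in self.signed else 0

def send(gca, rsig, sender, recipient, m, group):
    ring = gca.retrieve(group) if sender in group else None   # step 1, then Retrieve
    if ring is None:
        return None
    sigma = rsig.sign(sender, (m, recipient), ring)   # sign the pair (m, P_j)
    return (group, m, sigma)                # the sender's name is never transmitted

def receive(gca, rsig, recipient, packet):
    group, m, sigma = packet
    ring = gca.retrieve(group)
    if ring is None or rsig.verify((m, recipient), sigma, ring) != 1:
        return None                         # reject: output nothing
    return ("Sent", group, m)               # recipient learns the group only

def demo():                                 # constructed parties and message
    gca, rsig = GCA(), RSIG()
    for p in ("alice", "bob", "carol", "eve"):
        gca.register(p, rsig.keygen(p))
    lab = frozenset({"alice", "bob", "carol"})
    pkt = send(gca, rsig, "alice", "server", "edit page 3", lab)
    return (receive(gca, rsig, "server", pkt), receive(gca, rsig, "mirror", pkt),
            send(gca, rsig, "eve", "server", "spam", lab))
```

demo() returns the accepted output for the intended recipient, then None for the same packet delivered to a different recipient (the signature covers the pair (m, P_j)), then None for a sender outside the group.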
5 PRACTICAL APPLICATION
Here, we consider casual applications, more specifically, open blog services, wikis and social network services. In particular, we pick a blog that is run by a small group (e.g., a laboratory) and allows members to freely insert comments or contents. In this setting, operating without a group manager is more convenient for such a small system than operating with one, because permissions change infrequently. Therefore, our scheme is quite suitable for such services. Because UC security guarantees strongly composable security under concurrent execution with any other protocols, the security of our scheme eliminates the load of proving the security of these applications.
REFERENCES
Boneh, D. and Franklin, M. K. (1999). Anonymous Authentication with Subset Queries. In ACM Conference on Computer and Communications Security 1999, pages 113–119.
Canetti, R. (2001). Universally Composable Security: A New Paradigm for Cryptographic Protocols. In FOCS 2001, pages 136–145.
Canetti, R. (2004). Universally Composable Signatures, Certification and Authentication. In CSFW 2004, pages 219–233.
Nguyen, L. (2006). Efficient Dynamic k-Times Anonymous Authentication. In VIETCRYPT 2006, pages 81–98.
Nguyen, L. and Safavi-Naini, R. (2005). Dynamic k-Times Anonymous Authentication. In ACNS 2005, pages 318–333.
Schechter, S., Parnell, T., and Hartemink, A. (1999). Anonymous Authentication of Membership in Dynamic Groups. In Financial Cryptography 1999, pages 184–195.
Yoneyama, K. and Ohta, K. (2007). Ring Signatures: Universally Composable Definitions and Constructions. In ASIACCS 2007, pages 374–376.