Fail-Stop Group Signature Scheme

In this paper, we propose a Fail-Stop Group Signature Scheme (FSGSS). FSGSS combines the features of the Group Signature and the Fail-Stop Signature to enhance the security level of the original Group Signature. Assuming that the FSGSS encounters an attack by a hacker armed with a supercomputer, this scheme can prove that the digital signature is indeed forged. Based on the above objectives, this paper proposes three lemmas and proves that they are indeed feasible. First, how does a recipient of a digitally signed document verify the authenticity of the signature? Second, when a digitally signed document is under dispute, how can the group's manager find out the identity of the original group member who signed the document, if necessary for an investigation? Third, how can we prove that the signature is indeed forged following an external attack from a supercomputer? Soon, in a future paper, we will extend this work to make the scheme even more effective. Following an attack, the signature could be proved to be forged without the need to expose the key.


Introduction
More and more people and organizations are starting to use electronic documents to conduct official government and private business instead of using paper documents.
Among other things, this benefits the environment by reducing the use of paper. It also increases the importance of using digital signatures to guarantee the validity, authenticity and integrity of electronic documents and reducing the risk of those documents being forged.
In order to cope with the wide range of potential uses for digital signature technology, the concept of group signing was born. Let's take a real-life example to explain the process of using a Group Signature Scheme: The chief of Taiwan's Environmental Protection Administration, along with 19 other staff members of the agency, are eligible to digitally sign documents, including those accusing a subordinate unit of breaking the law. In order to safeguard the agency members' neutrality and protect them from interference, each staffer would activate a digital signature key when they release a statement or document representing the administration. The recipient of the document would be able to verify the authenticity of the digital signature, but in the event someone impeached the integrity or validity of a digitally signed document, the identity of the individual who originally signed the document would remain secret.

Companies or other entities cited for violations by the Environmental Protection
Administration could file a complaint with the agency to deny that they had violated the law. As part of the review process, it might be necessary to find out the identity of the official who signed the original document making the accusation. Only the manager in the group would have the ability to find out who signed the document.
The manager, however, would not have the ability to pretend to be any other group member in order to forge a digital signature.
Chaum et al. [1] concluded that there are three properties of group signatures: (i) Only members of the group can sign messages. (ii) The recipient can verify that it is a valid group signature, but cannot discover which group member made the signature.
(iii) If necessary, the signature can be "opened," so that the person who signed the message is revealed.
There are also some favorable features of a group signature scheme that can applied in a range of fields. A digital signature can ensure the validity and authenticity of electronic documents. If the possibility of a document being forged could be reduced, or even if it were proved that the digital signature was indeed forged, the security level of the digital signature could then be enhanced. As for the application of digital signatures, there is another type of fail-stop signature scheme, or "FSS," which can satisfy the above needs.
Research by Nobuaki et al. [2] showed that a FSS scheme has to have at least two security properties: (i) A scheme based on information-theoretic security is secure even against a computationally-unbounded adversary. (ii) If the computational assumption is broken; an honest signer can prove a forgery by virtue of the information-theoretic security.
In this work, a FSGSS is proposed. FSGSS combines all of the functions and features of two schemes: Group Signature (GS) and a Fail-Stop Signature scheme (FSS).
The layout of this paper is as follows: Section 2 is related work. Section 3 is our scheme. Section 4 provides analysis and discussion. And finally, Section 5 concludes the paper and provides a direction for future research.

Related work
Desmedt proposed the Group-Oriented Cryptosystem concept in 1987. In his research [3], he pointed out that in addition to entities that exist as individuals, there are entities consisting of groups of many individuals, such as hospitals, schools, public institutions and private companies. When these entities issue signed electronic documents, such as certificates, the concept of a digital signature becomes a mechanism to replace signatures on paper documents. The digital signatures could be placed on electronic diplomas, electronic medical records and other official documents released by governmental agencies. The types of documents that carry digital signatures must have the following features: certainty of identity, nonrepudiation and unforgeability.
So the design of the way keys are exchanged and the parameters of the exchanges become particularly important. Although each member in a group has a secret key, the group password must be reused. In other words, individuals in the group cannot exchange their keys during an operation. Instead, they exchange secondary keys derived from their main keys. This ensures the security of the main keys. In addition, members cannot export the group's master key in order to ensure that this key is kept secure. Jonathan et al. [4] developed a new and faster anonymous digital signature system by linking the LUC function with the complexities of discrete logarithm and factorization.
On other hand, a lot of research has focused on the security of ordinary digital signature schemes that rely on a computational assumption. Fail-Stop Signature schemes provide security for a sender against a forger with unlimited computational power by enabling the sender to provide a proof of forgery if it occurs. FSS schemes have been proposed [2][5][6] [7]. Kai et al. [8] proposed that a fail-stop scheme could assert a victim's innocence without exposing the n = p × q secret and would guard against malicious behavior. And more recently, Takashi N. et al. [9] proposed a framework for FSS operating in a multisigner setting and called for a primitive fail-stop multisignature scheme (FSMS). In other words, they combine threshold [10] [11] and fail-stop signatures. After the first aggregate signature scheme was proposed, many researchers have tried to propose an efficient aggregate signature scheme.
FSS provides the security for a signer against a computationally unbounded adversary by enabling the signer to provide a proof of forgery. A conventional GS scheme has none of these properties. In this work, we propose a new scheme for integrating FSS and GS in the next section.

3-2 Group and its members
Without loss of generality, we assume that a group and its members , 0 ≤ ≤ 0 chooses a number , and satisfying the following equation.

3-4
Signing a message Multiply on the 2 sides of the equation (11) and hence, Multiply on the 2 sides of the equation (9) and hence, By equation (13) and (14), we have,  and We assume that the recipient of the message is , sends messages to .
We note that, calculate the equations as follows.

Analysis and discussion
In this section, first we introduce Lemma 1 to check whether a digital signature is valid or not. Lemma 2 verifies whether a digital signature is activated by the group member. Lemma 3 shows the attack method that is mentioned by Willy Susilo et al. [7] will not succeed. There are a lot of parameters after these procedures above. We make a list of members holding parameters as Table 1. In this scheme, members share the partial parameters and keep a few parameter(s). For example, manager 0 only holds the parameter , and a member only holds the parameter . In case someone makes a digital signature of 0 and it is verified but she/he has no idea about , that means someone is a forger.

Lemma 1
Assumes that 0 , are honest, if both equations (25) and (26) are valid, then the digital signature is correct.

Proof:
By the equation (22), we have There are 2 parts in last term of the equations above, consider that the first part, by equation (4) that we have Combine these equations (28) and (29), we obtain When we want to check if the message has been sent by or not. It needs some parameters. And hence we obtain the following Lemma.

Lemma 2 Assumes that 0 ,
are honest, only 0 can prove the message was sent from by the equation (8).
Consider that the equation ( Consider that the equation (15), , 0 , 3 , and is known. It is not easy to get by other people, except the manager of group 0 . Actually, it is a Discrete Logarithm Problem (DLP), when someone just knows 1 , 3 by the equation (8).
We conclude that 0 can get , because he has known already a part of parameters from and he has his own parameter . Therefore, after check the equations (25) and (26), we can to say, the message is send by exactly.

Lemma 3
An attacker intercepts the message passed by the digital signature adapting the method of Willy Susilo. It will not succeed.

Proof:
Note that, Assume that an attacker A intercepts the message as the equation (24) shows.  , ). We note that the probability of being equal to * is 1/ 0 . Therefore, it is proved that the * is not sent by the member of group.

Conclusion and future work
In this paper, we propose a novel FSGS scheme. This scheme integrates the features of two types of digital signatures, which strengthens its security level under the group-signature system. It ensures that group members can prove that a digital signature is indeed a forgery after supercomputer forgery attacks. In addition to the technology of integrating two digital signatures, this work also contributes three proposed lemmas and proves that they are indeed feasible. Lemma 1 is a method to verify a FSGSS digital signature. Lemma 2 is used by the group manager, when needed, to determine the identity of the group member originally creating a digital signature. Finally, this paper proposes Lemma 3. When the digital signature is found to be forged, members of the group can prove this fact.
In addition, the ultimate goal of the FSGSS is to stop using the same key immediately after the discovery of a forgery attack to avoid the same attack happening again. That is, the "key" used in this paper is the parameter used by . If we need to change the parameters each time after an attack, the process of replacing the parameters is equivalent to re-executing the exchange parameter program. Therefore, in future work, if we cannot directly expose the key , we could still prove that a certain number of signatures are forged, which would enhance the efficiency of the GFSS scheme.