Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key

ISO/IEC 20008-2:2013 specifies anonymous digital signature mechanisms, in which a verifier makes use of a group public key to verify a digital signature. It provides a general description of an anonymous digital signature mechanism using a group public key, and a variety of mechanisms that provide such anonymous digital signatures. For each mechanism, ISO/IEC 20008-2:2013 specifies the process for generating group member signature keys and a group public key; the process for producing signatures; the process for verifying signatures; the process for opening signatures (if the mechanism supports opening); the process for linking signatures (if the mechanism supports linking); and the process for revoking group members.

Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes — Partie 2: Mécanismes utilisant une clé publique de groupe

General Information

Status: Published
Publication Date: 12-Nov-2013
Current Stage: 9093 - International Standard confirmed
Start Date: 28-Oct-2024
Completion Date: 30-Oct-2025
Standard
ISO/IEC 20008-2:2013 - Information technology -- Security techniques -- Anonymous digital signatures
English language
85 pages
Standard
ISO/IEC 20008-2:2013 - Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key Released:12/4/2017
English language
86 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 20008-2
First edition
2013-11-15
Information technology — Security techniques — Anonymous digital signatures —
Part 2: Mechanisms using a group public key
Technologies de l’information — Techniques de sécurité — Signatures numériques anonymes —
Partie 2: Mécanismes utilisant une clé publique de groupe
© ISO/IEC 2013
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 General model and requirements
6 Mechanisms with linking capability
6.1 General
6.2 Mechanism 1
6.3 Mechanism 2
6.4 Mechanism 3
6.5 Mechanism 4
7 Mechanisms with opening capability
7.1 General
7.2 Mechanism 5
7.3 Mechanism 6
8 Mechanisms with both opening and linking capabilities
8.1 General
8.2 Mechanism 7
Annex A (normative) Object identifiers
Annex B (normative) Special hash-functions
Annex C (informative) Security guidelines for the anonymous signature mechanisms
Annex D (informative) Comparison of revocation mechanisms
Annex E (informative) Numerical examples
Annex F (informative) Proof of correct generation in Mechanism 5
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
ISO/IEC 20008-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 20008 consists of the following parts, under the general title Information technology — Security
techniques — Anonymous digital signatures:
— Part 1: General
— Part 2: Mechanisms using a group public key
Further parts may follow.

Introduction
Anonymous digital signature mechanisms are a special type of digital signature mechanism in which,
given a digital signature, an unauthorized entity cannot discover the signer’s identifier yet can verify
that a legitimate signer has generated a valid signature.
ISO/IEC 20008 specifies anonymous digital signature mechanisms. ISO/IEC 20008-1 specifies
principles and requirements for two categories of anonymous digital signature mechanisms: signature
mechanisms using a group public key, and signature mechanisms using multiple public keys. This part
of ISO/IEC 20008 specifies a number of anonymous signature mechanisms of the first category.
Anonymous signature mechanisms of the first category can have capabilities for providing more
information about the signer. Some have a linking capability, where two signatures signed by the same
signer are linkable. Some have an opening capability, where the signature can be opened by a special
entity to reveal the identity of the signer. Some have both linking and opening capabilities.
For each mechanism, the processes of opening, linking, and/or revocation are specified.
The mechanisms specified in this part of ISO/IEC 20008 use a collision-resistant hash-function. A hash-
function specified in ISO/IEC 10118 is to be used.
The International Organization for Standardization (ISO) and International Electrotechnical Commission
(IEC) draw attention to the fact that it is claimed that compliance with this document may involve the
use of patents.
ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences
either free of charge or under reasonable and non-discriminatory terms and conditions with applicants
throughout the world. In this respect, the statements of the holders of these patent rights are registered
with ISO and IEC. Information may be obtained from:
— Electronics and Telecommunications Research Institute (ETRI)
161, Gajeong-dong, Yuseong-gu, Daejeon, Korea
— NEC Corporation
7-1, Shiba 5-chome, Minato-Ku, Tokyo 108-8001, Japan
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights other than those identified above. ISO and/or IEC shall not be held responsible for
identifying any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents relevant
to their standards. Users are encouraged to consult the databases for the most up to date information
concerning patents.

INTERNATIONAL STANDARD ISO/IEC 20008-2:2013(E)
Information technology — Security techniques —
Anonymous digital signatures —
Part 2:
Mechanisms using a group public key
1 Scope
This part of ISO/IEC 20008 specifies anonymous digital signature mechanisms, in which a verifier
makes use of a group public key to verify a digital signature.
It provides
— a general description of an anonymous digital signature mechanism using a group public key, and
— a variety of mechanisms that provide such anonymous digital signatures.
For each mechanism, this part of ISO/IEC 20008 specifies
— the process for generating group member signature keys and a group public key,
— the process for producing signatures,
— the process for verifying signatures,
— the process for opening signatures (if the mechanism supports opening),
— the process for linking signatures (if the mechanism supports linking), and
— the process for revoking group members.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 15946-5, Information technology — Security techniques — Cryptographic techniques based on
elliptic curves — Part 5: Elliptic curve generation
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
ISO/IEC 18032, Information technology — Security techniques — Prime number generation
ISO/IEC 20008-1, Information technology — Security techniques — Anonymous digital signatures —
Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20008-1 and the
following apply.

3.1
assistant signer
entity that can help a principal signer to create anonymous signatures, but that cannot generate
anonymous signatures unaided
3.2
member-list
list that includes the identities of group members together with their corresponding group
membership credentials
3.3
principal signer
entity which is in possession of a group member signature key and which can create anonymous
signatures using this key
3.4
secret seed value
secret data known to a group member and used for deriving group member private keys
3.5
security parameters
variables that determine the security strength of a mechanism
4 Symbols (and abbreviated terms)
For the purposes of this part of ISO/IEC 20008, the following symbols and abbreviations apply.
bsn  Linking base, either a special symbol ⊥ or an arbitrary string.
e  A bilinear map function $e: G_1 \times G_2 \to G_T$ such that for all $P \in G_1$, $Q \in G_2$, and all positive integers a, b, the equation $e([a]P, [b]Q) = e(P, Q)^{ab}$ holds. This function is also called a pairing function.
gcd(a, b)  The greatest common divisor of the integers a and b.
$G_1$  An additive cyclic group of order p over an elliptic curve.
$G_2$  An additive cyclic group of order p over an elliptic curve.
$G_T$  A multiplicative cyclic group of order p.
H  A cryptographic hash-function.
m  Message to be signed.
n  An RSA modulus where n = pq.
$O_E$  The elliptic curve point at infinity.
p  A prime number.
$P_1$  Generator of $G_1$.
$P_2$  Generator of $G_2$.
q  A prime number.
$Q_1 + Q_2$  The elliptic curve sum of points $Q_1$ and $Q_2$.
QR(n)  The group of quadratic residues modulo n.
$Z_n^*$  The multiplicative group of invertible elements in $Z_n$.
$Z_p$  The set of integers in [0, p-1].
$Z_p^*$  The set of integers in [1, p-1].
(a|p)  The Legendre symbol of a and p where a is an integer and p is an odd prime number.
[n]P  Multiplication operation that takes a positive integer n and a point P on the elliptic curve E as input and produces as output another point Q on the curve E, where Q = [n]P = P + P + … + P, i.e., the sum of n copies of P. The operation satisfies $[0]P = O_E$ and [–n]P = [n](–P).
[x, y]  The set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.
||  X || Y is used to mean the result of the concatenation of data items X and Y in the order specified. In cases where the result of concatenating two or more data items is signed as part of one of the mechanisms specified in this part of ISO/IEC 20008, this result shall be composed so that it can be uniquely resolved into its constituent data strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter property could be achieved in a variety of different ways, depending on the application. For example, it could be guaranteed by (a) fixing the length of each of the substrings throughout the domain of use of the mechanism, or (b) encoding the sequence of concatenated strings using a method that guarantees unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1 [1].
5 General model and requirements
This clause specifies the general model and requirements for the anonymous digital signature
mechanisms specified in this part of ISO/IEC 20008. Some of the contents of this clause are taken from
Part 1 of this international standard. In addition, specific requirements applying to mechanisms using a
group public key are addressed.
An anonymous digital signature mechanism using a group public key involves a group and a set of group
members. Each group shall possess a group membership issuer. There may also be a group membership
opener and/or a group signature linker, depending on the mechanism. Multiple entities may function
in the role of a group membership opener or a group signature linker. The level of anonymity of the
mechanism depends on the anonymity strength (i.e., the size of the group), whether there is an opening
capability, whether there is a linking capability, how revocation is done, whether the issuer knows the
private keys, and the likelihood of compromise of a private key.
Such an anonymous digital signature mechanism is defined by the specification of the following processes:
— key generation process,
— signature process,
— verification process,
— opening process (if the mechanism supports opening),
— linking process (if the mechanism supports linking), and
— revocation process.
The anonymous digital signature mechanisms using a group public key specified in this part of
ISO/IEC 20008 involve a range of types of entity. Some of these entities exist in every mechanism
whereas others exist only in some mechanisms. These entities are as follows:
— Signer: a signer is an entity that generates a digital signature. In some mechanisms, a signer role
is split between two entities. For example, in direct anonymous attestation mechanisms, the signer
role is split between a principal signer with limited computational and storage capability, e.g. a
trusted platform module (TPM), and an assistant signer with more computational power but less
security tolerance, e.g. an ordinary computer platform (namely the Host with an embedded TPM).
— Verifier: a verifier is an entity that verifies a digital signature.
— Group membership issuer: a group membership issuer is an entity that issues a group membership
credential to a signer. This entity exists in all the mechanisms.
— Group membership opener: a group membership opener is an entity who can identify the signer
from a signature. This entity exists in some of the mechanisms.
— Group signature linker: a group signature linker is an entity that checks whether two signatures
have been generated by the same signer with a linking key or a linking base. This entity exists in
some of the mechanisms.
In order to use any of the mechanisms specified in this part of ISO/IEC 20008, the following requirements
shall be met:
— Each entity involved in an anonymous digital signature mechanism is aware of a common set of
group public parameters, which are used to compute a variety of functions in the mechanism.
— Each verifier has access to an authentic copy of the group public key.
— An authentic channel is required between a signer and a group membership issuer during the
process of issuing group member signature key. This ensures that the group membership issuer is
able to provide the group member signature key only to a legitimate group member.
— A collision-resistant hash function such as one of those specified in ISO/IEC 10118 shall be used.
— A robust random bit generator such as one of those specified in ISO/IEC 18031 shall be used.
— A robust prime number generator such as one of those specified in ISO/IEC 18032 shall be used.
— A robust elliptic curve generator such as one of those specified in ISO/IEC 15946-5 shall be used in
some mechanisms.
6 Mechanisms with linking capability
6.1 General
This clause specifies four digital signature mechanisms with linking capability.
NOTE 1 In the literature the mechanism of 6.2 is called a list signature scheme, and the mechanisms of 6.3, 6.4 and 6.5 are called DAA schemes. The mechanisms given in 6.2, 6.4 and 6.5 are based on schemes originally specified in [9], [6], and [11], respectively, in which security proofs can also be found. The mechanism in 6.3 is based on a scheme in [3] which is a minor modification of the scheme in [4]; the associated security analysis is given in the full version of [4].
NOTE 2 For certain applications such as attestation, a message to be signed may be hashed and/or concatenated
with additional information before being input to the signature process of one of the anonymous digital signature
mechanisms specified in this clause.
6.2 Mechanism 1
6.2.1 Symbols
The following symbols apply in the specification of this mechanism.
— $l_p$, k, $l_x$, $l_e$, $l_E$, $l_X$, ε: security parameters.
— p’, q’, e: prime numbers.
— a, $a_0$, g, h, b, $C_1$, D, $C_2$, d’, $d_1$, $d_2$, t’, $t_1$, $t_2$, A, f, $T_1$, $T_2$, $T_3$, $T_4$, $d_3$, $d_4$, $d_5$, $t_3$, $t_4$, $t_5$: integers in QR(n).
— x’, α, β: integers in $[0, 2^{l_x} - 1]$.
— $w_1$, $w_2$, $w_3$: integers in $[0, 2^{2l_p} - 1]$.
— ĉ, ċ, c’, c, c’’, c’’’: k-bit integers.
— ř: $(2l_p + 1)$-bit integer.
— $t_1$, $ŝ_1$, r’, $r_1$, $r_2$: $(\varepsilon \cdot (l_x + k))$-bit integers.
— $t_2$, $ŝ_2$: $(\varepsilon \cdot (2l_p + k + 1))$-bit integers.
— x: $(l_x + 1)$-bit integer.
— $r_3$: $(\varepsilon \cdot (l_x + 2l_p + k + 1))$-bit integer.
— $s_0$, $s_1$, $s_2$, s’: integers in $[-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$.
— $s_3$: integer in $[-2^{l_x + 2l_p + k + 1}, 2^{\varepsilon(l_x + 2l_p + k + 1)} - 1]$.
— $r_4$, $r_5$: $(\varepsilon \cdot (2l_p + k))$-bit integers.
— $r_9$, $r_{10}$: $(\varepsilon \cdot (2l_p + l_e + k))$-bit integers.
— $s_4$, $s_5$: integers in $[-2^{2l_p + k}, 2^{\varepsilon(2l_p + k)} - 1]$.
— $s_9$, $s_{10}$: integers in $[-2^{2l_p + l_e + k}, 2^{\varepsilon(2l_p + l_e + k)} - 1]$.
— H: a hash function that outputs k-bit message digest.
— $H_\Gamma$: a hash function that outputs $(2l_p)$-bit message digest.
6.2.2 Key generation process
The key generation process has two parts: a setup process and a group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose the following parameters: $l_p$, k, $l_x$, $l_e$, $l_E$, $l_X$, ε.
b) Choose an RSA modulus n = pq with p = 2p’ + 1, q = 2q’ + 1 such that p, q, p’, q’ are all primes and p’ as well as q’ have $l_p$ bits.
c) Choose a random generator a of the group of quadratic residues modulo n by performing the following steps:
1) Choose a random integer g in $Z_n^*$ such that gcd(g + 1, n) = 1 and gcd(g – 1, n) = 1.
2) Compute a = g (mod n).
d) Choose a random generator $a_0$ of QR(n) different from a.
e) Choose a random generator g of QR(n) different from a and $a_0$.
f) Choose a random generator h of QR(n) different from a, $a_0$ and g.
g) Choose a random generator b of QR(n) different from a, $a_0$, g and h.
h) The group membership issuer chooses two hash functions $H: \{0, 1\}^* \to \{0, 1\}^k$ and $H_\Gamma: \{0, 1\}^* \to \{0, 1\}^{2l_p}$. An example of how to construct $H_\Gamma$ is provided in Annex B.
i) Output the following:
— group public parameter = ($l_p$, k, $l_x$, $l_e$, $l_E$, $l_X$, ε),
— group public key = (n, a, $a_0$, g, h, b),
— group membership issuing key = (p’, q’).
NOTE An example of recommended parameters is provided in Annex C.2.
The group membership issuing process may require a secure and authentic channel between the member
and the group membership issuer to prevent the group membership credential from being observed by
an eavesdropper. How to establish such a channel is out of scope of this mechanism. The group membership
issuing process is as follows:
a) The group member chooses a random integer $x' \in [0, 2^{l_x} - 1]$.
b) The member chooses a random integer ř ∈ [0, 2n -1].
c) The member computes $C_1 = g^{x'} h^{ř} \pmod n$.
d) The member generates a proof of knowledge U of the representation (x’, ř) of $C_1$ in the bases g and h by performing the following steps:
1) The member chooses a random integer $t_1 \in [0, 2^{\varepsilon(l_x + k)} - 1]$.
2) The member chooses a random integer $t_2 \in [0, 2^{\varepsilon(2l_p + k + 1)} - 1]$.
3) The member computes $D = g^{t_1} h^{t_2} \pmod n$.
4) The member computes $ĉ = H(g \,\|\, h \,\|\, C_1 \,\|\, D)$.
5) The member computes $ŝ_1 = t_1 - ĉ\,x'$.
6) The member computes $ŝ_2 = t_2 - ĉ\,ř$.
7) $U = (ĉ, ŝ_1, ŝ_2)$.
e) The member sends $C_1$ and U to the group membership issuer.
f) The group membership issuer receives $C_1$ and U from the member.
g) The group membership issuer verifies that $C_1$ belongs to QR(n) by performing the following step:
1) The group membership issuer checks that $(C_1|p) = 1$ and that $(C_1|q) = 1$. If either of these verifications fails, the group membership issuer outputs Reject and stops.
h) The group membership issuer verifies the proof of knowledge U by performing the following steps:
1) The group membership issuer computes $D' = g^{ŝ_1} h^{ŝ_2} C_1^{ĉ} \pmod n$.
2) The group membership issuer computes $ċ = H(g \,\|\, h \,\|\, C_1 \,\|\, D')$.
3) The group membership issuer checks that ċ = ĉ, $ŝ_1$ belongs to $[-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$ and $ŝ_2$ belongs to $[-2^{2l_p + k + 1}, 2^{\varepsilon(2l_p + k + 1)} - 1]$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
i) The group membership issuer chooses a random odd integer $\alpha \in [0, 2^{l_x} - 1]$.
j) The group membership issuer chooses a random integer $\beta \in [0, 2^{l_x} - 1]$.
k) The group membership issuer sends α and β to the member.
l) The member receives α and β from the group membership issuer.
m) The member computes $x = 2^{l_X} + (\alpha x' + \beta \pmod{2^{l_x}})$.
n) The member computes $C_2 = a^{x} \pmod n$.
o) The member computes $\upsilon = (\alpha x' + \beta) \mid 2^{l_x}$.
p) The member generates a proof of knowledge V of the discrete logarithm x of $C_2$ in base a by performing the following steps:
1) The member chooses a random integer $r' \in [0, 2^{\varepsilon(l_x + k)} - 1]$.
2) The member computes $d' = a^{r'} \pmod n$.
3) The member computes $c' = H(a \,\|\, g \,\|\, C_2 \,\|\, d')$.
4) The member computes $s' = r' - c'(x - 2^{l_X})$.
5) The member sets V = (c’, s’).
q) The member generates a proof of knowledge W by performing the following steps:
1) The member chooses a random integer $r_1 \in [0, 2^{\varepsilon(l_x + k)} - 1]$.
2) The member chooses a random integer $r_2 \in [0, 2^{\varepsilon(l_x + k)} - 1]$.
3) The member chooses a random integer $r_3 \in [0, 2^{\varepsilon(l_x + 2l_p + k + 1)} - 1]$.
4) The member computes $d_1 = a^{r_1} \pmod n$.
5) The member computes $d_2 = g^{r_1} (g^{l})^{r_2} h^{r_3} \pmod n$ where $l = 2^{l_x}$.
6) The member computes $c = H(a \,\|\, g \,\|\, h \,\|\, C_1 \,\|\, C_2 \,\|\, d_1 \,\|\, d_2)$.
7) The member computes $s_1 = r_1 - c(x - 2^{l_X})$.
8) The member computes $s_2 = r_2 - c\upsilon$.
9) The member computes $s_3 = r_3 - c\alpha ř$.
10) The member sets $W = (c, s_1, s_2, s_3)$.
r) The member sends $C_2$, V and W to the group membership issuer.
s) The group membership issuer receives $C_2$, V and W from the member.
t) The group membership issuer checks that $C_2$ belongs to QR(n) by performing the following step:
1) The group membership issuer checks that $(C_2|p) = 1$ and that $(C_2|q) = 1$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
u) The group membership issuer verifies the proof of knowledge V by performing the following steps:
1) The group membership issuer computes $s_0 = s' - c'\,2^{l_X}$.
2) The group membership issuer computes $t' = C_2^{c'} a^{s_0} \pmod n$.
3) The group membership issuer computes $c'' = H(a \,\|\, g \,\|\, C_2 \,\|\, t')$.
4) The group membership issuer checks that c’’ = c’ and that $s' \in [-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
v) The group membership issuer verifies the proof of knowledge W by performing the following steps:
1) The group membership issuer computes $t_1 = (C_2 / a^{L})^{c}\, a^{s_1} \pmod n$ where $L = 2^{l_X}$.
2) The group membership issuer computes $t_2 = (C_1^{\alpha} g^{\beta})^{c}\, g^{s_1} (g^{l})^{s_2} h^{s_3} \pmod n$ where $l = 2^{l_x}$.
3) The group membership issuer computes $c''' = H(a \,\|\, g \,\|\, h \,\|\, C_1 \,\|\, C_2 \,\|\, t_1 \,\|\, t_2)$.
4) The group membership issuer checks that: c’’’ = c, $s_1$ belongs to $[-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$, $s_2$ belongs to $[-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$ and that $s_3$ belongs to $[-2^{l_x + 2l_p + k + 1}, 2^{\varepsilon(l_x + 2l_p + k + 1)} - 1]$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
w) The group membership issuer chooses a random prime $e \in [2^{l_E} - 2^{l_e} + 1, 2^{l_E} + 2^{l_e} - 1]$.
x) The group membership issuer computes đ = 1/e (mod p’q’).
y) The group membership issuer computes $A = (a_0 C_2)^{đ_1} \pmod n$.
z) The group membership issuer stores (A, e, Member) in member-list LIST.
aa) The group membership issuer sends A and e to the member.
bb) The member receives A and e from the group membership issuer.
cc) The member checks that $A^{e} = a_0 a^{x} \pmod n$.
dd) The group member signature key of the signer is (A, e, x), in which x is the group member private key
and (A, e) is the group membership credential.
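Steps a) to h) of the issuing process above, as an added example that is not part of ISO/IEC 20008-2: the member commits to (x’, ř), proves knowledge of the representation, and the issuer runs the quadratic-residue, challenge and range checks. The toy modulus and parameter values, SHA-256 truncated to k bits as H, and the length-prefixed encoding for || are assumptions; ř is drawn as a $(2l_p + 1)$-bit integer as listed in 6.2.1.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P_PRIME, Q_PRIME = 593, 641                  # p', q' (both 10-bit primes)
P, Q = 2 * P_PRIME + 1, 2 * Q_PRIME + 1      # safe primes 1187 and 1283
N = P * Q
L_P, L_X, K, EPS = 10, 8, 32, 2              # l_p, l_x, k, epsilon (assumed values)
G, H_BASE = pow(2, 2, N), pow(3, 2, N)       # squares, so both lie in QR(n)


def encode(*items):
    """X || Y with a 4-byte length prefix per item, so the result
    resolves uniquely into its parts (assumed encoding)."""
    out = b""
    for v in items:
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        out += len(raw).to_bytes(4, "big") + raw
    return out


def hash_k(*items):
    """H with k-bit output: SHA-256 truncated to K bits (assumed instantiation)."""
    digest = hashlib.sha256(encode(*items)).digest()
    return int.from_bytes(digest, "big") >> (256 - K)


def member_commit():
    """Steps a) to c): C1 = g^x' * h^r (mod n)."""
    x_prime = secrets.randbelow(2 ** L_X)
    r_hat = secrets.randbelow(2 ** (2 * L_P + 1))
    c1 = pow(G, x_prime, N) * pow(H_BASE, r_hat, N) % N
    return x_prime, r_hat, c1


def member_prove(x_prime, r_hat, c1):
    """Step d): U = (c_hat, s1, s2); responses are integers, not reduced."""
    t1 = secrets.randbelow(2 ** (EPS * (L_X + K)))
    t2 = secrets.randbelow(2 ** (EPS * (2 * L_P + K + 1)))
    d = pow(G, t1, N) * pow(H_BASE, t2, N) % N
    c_hat = hash_k(G, H_BASE, c1, d)
    return c_hat, t1 - c_hat * x_prime, t2 - c_hat * r_hat


def in_range(s, low_bits, high_bits):
    return -(2 ** low_bits) <= s <= 2 ** high_bits - 1


def issuer_check(c1, proof):
    """Steps g) and h): returns "accept" or the reason for Reject."""
    c_hat, s1, s2 = proof
    # Step g): Legendre symbols (C1|p) and (C1|q) via Euler's criterion.
    if pow(c1, (P - 1) // 2, P) != 1 or pow(c1, (Q - 1) // 2, Q) != 1:
        return "reject: C1 not in QR(n)"
    # Steps h.1 and h.2: recompute D' and the challenge.
    # Negative responses are handled by pow() as modular inverses.
    d_prime = pow(G, s1, N) * pow(H_BASE, s2, N) * pow(c1, c_hat, N) % N
    if hash_k(G, H_BASE, c1, d_prime) != c_hat:
        return "reject: challenge mismatch"
    # Step h.3: interval checks on the responses.
    if not (in_range(s1, L_X + K, EPS * (L_X + K))
            and in_range(s2, 2 * L_P + K + 1, EPS * (2 * L_P + K + 1))):
        return "reject: response out of range"
    return "accept"


if __name__ == "__main__":
    x_prime, r_hat, c1 = member_commit()
    proof = member_prove(x_prime, r_hat, c1)
    print("honest proof:", issuer_check(c1, proof))
    c_hat, s1, s2 = proof
    # Adding a multiple of the order of QR(n) leaves D' unchanged, so only
    # the interval check in step h.3 catches the oversized response.
    shifted = (c_hat, s1 + ((P_PRIME * Q_PRIME) << 70), s2)
    print("shifted response:", issuer_check(c1, shifted))
```
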
6.2.3 Signature process
On input of a group public key (n, a, $a_0$, g, h, b), a group member signature key (A, e, x), a linking base bsn, and a message $m \in \{0, 1\}^*$ to be signed, the signature process takes the following steps. The linking base is used for the linking capability. It is chosen by the group membership issuer or any other trusted authority.
a) The member computes $f = (H_\Gamma(bsn))^{2} \pmod n$.
b) The member chooses a random integer $w_1 \in [0, 2^{2l_p} - 1]$.
c) The member chooses a random integer $w_2 \in [0, 2^{2l_p} - 1]$.
d) The member chooses a random integer $w_3 \in [0, 2^{2l_p} - 1]$.
e) The member computes $T_1 = A\,b^{w_1} \pmod n$.
f) The member computes $T_2 = g^{w_1} h^{w_2} \pmod n$.
g) The member computes $T_3 = g^{e} h^{w_3} \pmod n$.
h) The member computes $T_4 = f^{x} \pmod n$.
i) The member chooses a random integer $r_1 \in [0, 2^{\varepsilon(l_e + k)} - 1]$.
j) The member chooses a random integer $r_2 \in [0, 2^{\varepsilon(l_x + k)} - 1]$.
k) The member chooses a random integer $r_3 \in [0, 2^{\varepsilon(2l_p + k)} - 1]$.
l) The member chooses a random integer $r_4 \in [0, 2^{\varepsilon(2l_p + k)} - 1]$.
m) The member chooses a random integer $r_5 \in [0, 2^{\varepsilon(2l_p + k)} - 1]$.
n) The member chooses a random integer $r_9 \in [0, 2^{\varepsilon(2l_p + l_e + k)} - 1]$.
o) The member chooses a random integer $r_{10} \in [0, 2^{\varepsilon(2l_p + l_e + k)} - 1]$.
p) The member computes $d_1 = T_1^{r_1} / (a^{r_2} b^{r_9}) \pmod n$.
q) The member computes $d_2 = T_2^{r_1} / (g^{r_9} h^{r_{10}}) \pmod n$.
r) The member computes $d_3 = g^{r_3} h^{r_4} \pmod n$.
s) The member computes $d_4 = g^{r_1} h^{r_5} \pmod n$.
t) The member computes $d_5 = f^{r_2} \pmod n$.
u) The member computes $c = H(a \,\|\, a_0 \,\|\, g \,\|\, h \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4 \,\|\, d_5 \,\|\, m)$.
v) The member computes $s_1 = r_1 - c(e - 2^{l_E})$.
w) The member computes $s_2 = r_2 - c(x - 2^{l_X})$.
x) The member computes $s_3 = r_3 - c\,w_1$.
y) The member computes $s_4 = r_4 - c\,w_2$.
z) The member computes $s_5 = r_5 - c\,w_3$.
aa) The member computes $s_9 = r_9 - c\,e\,w_1$.
bb) The member computes $s_{10} = r_{10} - c\,e\,w_2$.
cc) The member sets the signature as $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$.
6.2.4 Verification process
On input of a message m, a linking base bsn, a signature $(c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$, a group public key (n, a, $a_0$, g, h, b), the verification process takes the following steps:
a) The verifier computes $f = (H_\Gamma(bsn))^{2} \pmod n$.
b) The verifier computes $t_1 = a_0^{c}\, T_1^{s_1 - c l'} / (a^{s_2 - cL}\, b^{s_9}) \pmod n$ where $l' = 2^{l_E}$ and $L = 2^{l_X}$.
c) The verifier computes $t_2 = T_2^{s_1 - c l'} / (g^{s_9} h^{s_{10}}) \pmod n$ where $l' = 2^{l_E}$.
d) The verifier computes $t_3 = T_2^{c}\, g^{s_3} h^{s_4} \pmod n$.
e) The verifier computes $t_4 = T_3^{c}\, g^{s_1 - c l'} h^{s_5} \pmod n$ where $l' = 2^{l_E}$.
f) The verifier computes $t_5 = T_4^{c}\, f^{s_2 - cL} \pmod n$ where $L = 2^{l_X}$.
g) The verifier computes $c' = H(a \,\|\, a_0 \,\|\, g \,\|\, h \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4 \,\|\, t_1 \,\|\, t_2 \,\|\, t_3 \,\|\, t_4 \,\|\, t_5 \,\|\, m)$.
h) If c’ = c, $s_1$ belongs to $[-2^{l_e + k}, 2^{\varepsilon(l_e + k)} - 1]$, $s_2$ belongs to $[-2^{l_x + k}, 2^{\varepsilon(l_x + k)} - 1]$, $s_3$ belongs to $[-2^{2l_p + k}, 2^{\varepsilon(2l_p + k)} - 1]$, $s_4$ belongs to $[-2^{2l_p + k}, 2^{\varepsilon(2l_p + k)} - 1]$, $s_5$ belongs to $[-2^{2l_p + k}, 2^{\varepsilon(2l_p + k)} - 1]$, $s_9$ belongs to $[-2^{2l_p + l_e + k}, 2^{\varepsilon(2l_p + l_e + k)} - 1]$, $s_{10}$ belongs to $[-2^{2l_p + l_e + k}, 2^{\varepsilon(2l_p + l_e + k)} - 1]$, then return 1 (valid).
i) Else return 0 (invalid).
6.2.5 Linking process
Given two valid signatures $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ and $\sigma' = (c', s_1', s_2', s_3', s_4', s_5', s_9', s_{10}', T_1', T_2', T_3', T_4')$ computed using a linking base bsn, the linking process takes the following step:
a) If $T_4 = T_4'$, output 1 (linked), otherwise, output 0 (not linked).

6.2.6 Revocation process
Details of the revocation process in this mechanism are surveyed in [10]. There are two types of revocation (private key revocation and verifier blacklist revocation) supported in this mechanism. Private key revocation can be either a global revocation or a local revocation. Verifier blacklist revocation is a local revocation.
Private key revocation:
— If a group member signature key (A, e, x) is compromised, the group membership issuer or a verifier puts x into a revocation list RL of this type.
— Given a valid signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: For each x’ ∈ RL, verify $T_4 \neq (H_\Gamma(bsn))^{2x'} \pmod n$. If any of the verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the group member signature keys of the compromised group members.
Verifier blacklist revocation:
— If signatures were computed using a linking base bsn, a verifier can build its own revocation list RL corresponding to bsn. If the verifier wants to blacklist the signer of a signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$, she puts $T_4$ into a revocation list RL of this type.
— Given a valid signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: For each $T_4'$ ∈ RL, verify $T_4 \neq T_4'$. If any of the verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE In order to use verifier blacklist revocation in this mechanism, a signer is required to use a specific
linking base for each verifier. The value of the linking base could, for example, be chosen by the verifier or agreed
in advance by the signer and verifier.
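The linking tag and both revocation checks of 6.2.5 and 6.2.6, as an added example that is not part of ISO/IEC 20008-2. Only the $T_4$ component of a signature is modelled (the proof components are assumed already verified); the toy modulus, the member keys and the `h_gamma` stand-in for $H_\Gamma$ are assumptions, since Annex B is not reproduced on this page.

```python
import hashlib
from math import gcd

# Constructed toy modulus n = pq with p = 2p'+1, q = 2q'+1 (not a secure size).
P, Q = 1187, 1283
N = P * Q
L_P = 10  # l_p, so H_Gamma outputs 2*l_p = 20 bits


def h_gamma(bsn: bytes) -> int:
    """Stand-in for H_Gamma (assumed construction): hash bsn with a counter
    to 2*l_p bits until the value v is a unit with gcd(v +/- 1, n) = 1,
    which makes v^2 a generator of QR(n)."""
    counter = 0
    while True:
        digest = hashlib.sha256(counter.to_bytes(4, "big") + bsn).digest()
        v = int.from_bytes(digest, "big") >> (256 - 2 * L_P)
        if v > 1 and gcd(v, N) == 1 and gcd(v - 1, N) == 1 and gcd(v + 1, N) == 1:
            return v
        counter += 1


def link_tag(bsn: bytes, x: int) -> int:
    """T4 = f^x (mod n) with f = H_Gamma(bsn)^2 (mod n)."""
    f = pow(h_gamma(bsn), 2, N)
    return pow(f, x, N)


def linked(t4_a: int, t4_b: int) -> int:
    """Linking process: 1 (linked) if the T4 values match, else 0."""
    return 1 if t4_a == t4_b else 0


def check_private_key_revocation(t4: int, bsn: bytes, revoked_keys) -> int:
    """For each x' in RL verify T4 != H_Gamma(bsn)^(2x'); 0 = revoked, 1 = valid.
    Costs one modular exponentiation per revoked key."""
    base = h_gamma(bsn)
    for x_rev in revoked_keys:
        if t4 == pow(base, 2 * x_rev, N):
            return 0
    return 1


def check_blacklist(t4: int, blacklist) -> int:
    """Verifier blacklist: RL holds T4 values seen under this verifier's bsn."""
    return 0 if t4 in blacklist else 1


if __name__ == "__main__":
    x_alice, x_bob = 300, 301  # constructed group member private keys
    bsn_a, bsn_b = b"verifier-A", b"verifier-B"
    print("same signer, same bsn:", linked(link_tag(bsn_a, x_alice), link_tag(bsn_a, x_alice)))
    print("same signer, other bsn:", linked(link_tag(bsn_a, x_alice), link_tag(bsn_b, x_alice)))
    print("revoked key check:", check_private_key_revocation(link_tag(bsn_a, x_bob), bsn_a, [x_bob]))
    # A blacklist built under bsn_a does not match the same signer under bsn_b,
    # which is why each verifier needs its own linking base.
    rl_a = {link_tag(bsn_a, x_alice)}
    print("blacklist, other bsn:", check_blacklist(link_tag(bsn_b, x_alice), rl_a))
```
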
6.3 Mechanism 2
6.3.1 Symbols
The following symbols apply in the specification of this mechanism.
— $l_n$, $l_f$, $l_e$, $l'_e$, $l_v$, $l_\varnothing$, $l_H$, $l_r$, $l_s$, $l_\Gamma$, $l_\rho$: security parameters.
— p’, q’, ρ, Γ, e: prime numbers.
— g’, g, h, S, Z, $R_0$, $R_1$, U, U’, A, A’, T, $T_t'$: integers in QR(n).
— $x_0$, $x_1$, $x_z$, $x_s$, $x_h$, $x_g$, $s_e$, $r_e$: integers in [1, p’⋅q’].
— γ, $J_I$, $K_I$, $K_I'$, J, K, J’, K’: integers whose multiplicative order modulo Γ is ρ.
— f, f’: integers in [0, ρ–1].
— $f_0$, $f_1$: $l_f$-bit integers.
— $c_h$, c, c’, $n_I$, $n_V$: $l_H$-bit integers.
— $n_T$, $n_H$: $l_\varnothing$-bit integers.
— t, $t_2$, $r_f$: $(2l_f + l_\varnothing + l_H + 1)$-bit integers.
— $t_1$: $(l_e + l_H)$-bit integer.
— $r_0$, $r_1$: $(l_f + l_\varnothing + l_H)$-bit integers.
— $r_v$: $(l_v + l_\varnothing + l_H)$-bit integer.
— $r_{v^*}$: $(l_e + l_n + 2l_\varnothing + l_H + 1)$-bit integer.
— $r_{v'}$: $(l_n + 2l_\varnothing + l_H)$-bit integer.
— $s_{v'}$: $(l_n + 2l_\varnothing + l_H + 1)$-bit integer.
— $s_0$, $s_1$: $(l_f + l_\varnothing + l_H + 1)$-bit integers.
— v’, w: $(l_n + l_\varnothing)$-bit integers.
— $v^*$: $(l_v - 1)$-bit integer.
— v”: $l_v$-bit integer.
— v: $(l_n + l_\varnothing + l_v + 1)$-bit integer.
— $bsn_I$: a linking base of the group membership issuer.
— $H_\Gamma$: a hash function that outputs $(l_\Gamma + l_\varnothing)$-bit message digest.
6.3.2 Key generation process
The key generation process has two parts: a setup process and a group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member. Revocation check during the group membership issuing
process is required to prevent an attacker from re-enrolling a revoked group member private key.
The setup process takes the following steps by the group membership issuer:
a) Choose the following parameters: l_n, l_f, l_e, l’_e, l_v, l_∅, l_H, l_r, l_s, l_Г, l_ρ.
b) Choose two hash functions H: {0, 1}^* → {0, 1}^{l_H} and H_Г: {0, 1}^* → {0, 1}^{l_Г + l_∅}. An example of how to
construct H_Г is provided in Annex B.
c) Choose an RSA modulus n = pq with p = 2p’ + 1, q = 2q’ + 1 such that p, q, p’, q’ are all primes and
n has l_n bits.
d) Choose a random integer g’ in QR(n).
e) Choose random integers x_0, x_1, x_z, x_s, x_h, x_g in [1, p’⋅q’].
f) Compute g = (g’)^{x_g} mod n, h = (g’)^{x_h} mod n, S = h^{x_s} mod n.
g) Compute Z = h^{x_z} mod n, R_0 = S^{x_0} mod n, R_1 = S^{x_1} mod n.
h) Choose a random prime ρ of l_ρ bits.
i) Choose a random prime Г of l_Г bits such that Г – 1 is a multiple of ρ and (Г–1)/ρ is not a multiple of ρ.
j) Choose a random γ, a number whose multiplicative order modulo Г is ρ.
k) Output the following:
— group public parameter = (l_n, l_f, l_e, l’_e, l_v, l_∅, l_H, l_r, l_s, l_Г, l_ρ, H, H_Г),
— group public key = (n, g’, g, h, S, Z, R_0, R_1, γ, Г, ρ),
— group membership issuing key = (p’, q’).
NOTE An example of recommended parameters is provided in Annex C.2.
The group membership issuing process requires a secure and authentic channel between the principal
signer and the group membership issuer. How to establish such a channel is out of scope of this mechanism.
The group membership issuing process includes the following steps:
a) The principal signer and the group membership issuer agree on a linking base bsn_I.
b) The assistant signer computes J_I = (H_Г(1 || bsn_I))^{(Г–1)/ρ} mod Г and sends J_I to the principal signer.
NOTE As discussed in [19], holding the signer anonymity requires that the value bsn_I is never used as
bsn in any DAA signatures. In an application where this requirement is not guaranteed, changing
J_I = (H_Г(1 || bsn_I))^{(Г–1)/ρ} mod Г to J_I = (H_Г(0 || bsn_I))^{(Г–1)/ρ} mod Г can avoid this potential problem.
c) The principal signer checks that (J_I)^ρ ≡ 1 (mod Г).
d) The principal signer chooses a random f ∈ [0, ρ–1] or derives f from its secret seed value.
e) The principal signer computes f_1 = ⌊f / 2^{l_f}⌋.
f) The principal signer computes f_0 = f – 2^{l_f} ⋅ f_1. The (f_0, f_1) pair is part of the group member private key.
g) The principal signer randomly picks an integer v’ of (l_n + l_∅)-bit.
h) The principal signer computes U = (R_0^{f_0} ⋅ R_1^{f_1} ⋅ S^{v’}) mod n.
i) The principal signer computes K_I = (J_I)^f mod Г.
j) The principal signer sends U and K_I to the assistant signer who forwards them to the group
membership issuer.
NOTE After the above step, the group membership issuer can compute f = f_0 + f_1 ⋅ 2^{l_f} for each (f_0, f_1)
on the revocation list and verify K_I ≠ J_I^f mod Г. If the signer has been revoked, the group membership issuer
aborts the group membership issuing process.
k) The principal signer randomly picks two integers r_0, r_1 of (l_f + l_∅ + l_H)-bit.
l) The principal signer randomly picks an integer r_{v’} of (l_n + 2l_∅ + l_H)-bit.
m) The principal signer computes U’ = (R_0^{r_0} ⋅ R_1^{r_1} ⋅ S^{r_{v’}}) mod n.
n) The principal signer computes r_f = r_0 + r_1 ⋅ 2^{l_f}.
o) The principal signer computes K_I’ = (J_I)^{r_f} mod Г.
p) The signer sends U’ and K_I’ to the assistant signer.
q) The group membership issuer chooses a random n_I ∈ {0, 1}^{l_H} and sends n_I to the assistant signer.
r) The assistant signer computes c_h = H(n || R_0 || R_1 || S || U || K_I || U’ || K_I’ || n_I).
s) The assistant signer sends c_h to the principal signer.
t) The principal signer chooses a random nonce n_T ∈ {0, 1}^{l_∅}.
u) The principal signer computes c = H(c_h || n_T).
v) The principal signer computes s_{v’} = r_{v’} + c ⋅ v’, s_0 = r_0 + c ⋅ f_0, s_1 = r_1 + c ⋅ f_1.
w) The principal signer sends (c, n_T, s_0, s_1, s_{v’}) to the assistant signer.
x) The assistant signer forwards (c, n_T, s_0, s_1, s_{v’}) to the group membership issuer.
y) The group membership issuer verifies that s_0 and s_1 are at most (l_f + l_∅ + l_H + 1)-bit integers.
z) The group membership issuer verifies that s_{v’} is an at most (l_n + 2l_∅ + l_H + 1)-bit integer.
aa) The group membership issuer computes U’ = (U^{-c} ⋅ R_0^{s_0} ⋅ R_1^{s_1} ⋅ S^{s_{v’}}) mod n.
bb) The group membership issuer computes t = s_0 + s_1 ⋅ 2^{l_f}.
cc) The group membership issuer computes K_I’ = (K_I^{-c} ⋅ J_I^t) mod Г.
dd) The group membership issuer verifies that c = H(H(n || R_0 || R_1 || S || U || K_I || U’ || K_I’ || n_I) || n_T).
ee) The group membership issuer randomly chooses v^* of (l_v – 1)-bit.
ff) The group membership issuer randomly chooses a prime e from [2^{l_e–1}, 2^{l_e–1} + 2^{l’_e–1}].
gg) The group membership issuer computes v” = v^* + 2^{l_v–1}.
hh) The group membership issuer computes A = (Z ⋅ U^{-1} ⋅ S^{-v”})^{1/e} mod n.
ii) The assistant signer chooses a random integer n_H ∈ {0, 1}^{l_∅} and sends it to the group membership issuer.
jj) The group membership issuer randomly chooses r_e from [0, p’⋅q’].
kk) The group membership issuer computes A’ = (Z ⋅ U^{-1} ⋅ S^{-v”})^{r_e} mod n.
ll) The group membership issuer computes c’ = H(n || Z || S || U || v” || A || A’ || n_H).
mm) The group membership issuer computes s_e = (r_e – c’/e) mod p’⋅q’.
nn) The group membership issuer sends c’, s_e, and (A, e, v”) to the assistant signer.
oo) The assistant signer verifies that e is a prime in [2^{l_e–1}, 2^{l_e–1} + 2^{l’_e–1}].
pp) The assistant signer computes A’ = (A^{c’} ⋅ (Z ⋅ U^{-1} ⋅ S^{-v”})^{s_e}) mod n.
qq) The assistant signer verifies that c’ = H(n || Z || S || U || v” || A || A’ || n_H).
rr) The assistant signer forwards v” to the principal signer.
ss) The principal signer sets v = v’ + v” and stores (f_0, f_1, v) while the assistant signer stores (A, e).
tt) The group member signature key of the signer is (f_0, f_1, A, e, v), in which (f_0, f_1, v) is the group
member private key and (A, e) is the group membership credential.
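Steps b) to dd) of the issuing process, together with the revocation check from the NOTE after step j), as an added Python example that is not part of the standard. The toy parameters, the SHA-256 stand-ins for H and H_Г, the length-prefixed encoding of "||" and all function names are assumptions of this example, and the principal and assistant signer are collapsed into one party.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use (assumptions of this example).
N = 2039 * 2063                             # n = p*q with p = 2*1019 + 1, q = 2*1031 + 1
RHO, GAMMA = 509, 1019                      # primes ρ and Г with Г - 1 = 2ρ
S = 4                                       # an element of QR(n)
R0, R1 = pow(S, 1234, N), pow(S, 5678, N)   # R_0 = S^x0, R_1 = S^x1
L_F, L_N, L_PHI, L_H = 5, 23, 80, 256       # l_f, l_n, l_∅, l_H


def H(*items) -> int:
    """SHA-256 over length-prefixed items, so the concatenation decodes uniquely."""
    h = hashlib.sha256()
    for it in items:
        b = it if isinstance(it, bytes) else it.to_bytes((it.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big")


def base_from_bsn(bsn_i: bytes) -> int:
    """Step b): J_I = H_Г(1 || bsn_I)^((Г-1)/ρ) mod Г, with a stand-in for H_Г."""
    h = 2 + H(b"\x01", bsn_i) % (GAMMA - 3)     # stand-in H_Г output in [2, Г-2]
    return pow(h, (GAMMA - 1) // RHO, GAMMA)


def signer_commit(f: int, j_i: int):
    """Steps c)-j): check J_I, split f, commit to (f_0, f_1, v') in U, derive K_I."""
    if pow(j_i, RHO, GAMMA) != 1:
        raise ValueError("J_I does not satisfy J_I^ρ ≡ 1 (mod Г)")
    f1 = f >> L_F                               # f_1 = floor(f / 2^{l_f})
    f0 = f - (f1 << L_F)                        # f_0 = f - 2^{l_f} * f_1
    v1 = secrets.randbits(L_N + L_PHI)          # v'
    U = pow(R0, f0, N) * pow(R1, f1, N) * pow(S, v1, N) % N
    K = pow(j_i, f, GAMMA)
    return (f0, f1, v1), U, K


def signer_prove(secret, U, K, j_i, n_i: int):
    """Steps k)-w): proof of knowledge of (f_0, f_1, v') bound to the issuer nonce n_I."""
    f0, f1, v1 = secret
    r0, r1 = (secrets.randbits(L_F + L_PHI + L_H) for _ in range(2))
    rv = secrets.randbits(L_N + 2 * L_PHI + L_H)
    U_c = pow(R0, r0, N) * pow(R1, r1, N) * pow(S, rv, N) % N    # U'
    K_c = pow(j_i, r0 + (r1 << L_F), GAMMA)                      # K_I' = J_I^{r_f}
    n_t = secrets.randbits(L_PHI)
    c = H(H(N, R0, R1, S, U, K, U_c, K_c, n_i), n_t)             # c = H(c_h || n_T)
    return c, n_t, r0 + c * f0, r1 + c * f1, rv + c * v1


def issuer_verify(U, K, j_i, n_i, proof, rogue=()):
    """NOTE after step j) and steps y)-dd). True means enrolment may continue."""
    c, n_t, s0, s1, sv = proof
    # Revocation check: recompute the tag for every revoked (f_0, f_1), compare with K_I.
    if any(K == pow(j_i, f0 + (f1 << L_F), GAMMA) for f0, f1 in rogue):
        return False
    # Steps y), z): length limits on the responses.
    if min(s0, s1, sv) < 0 or max(s0, s1).bit_length() > L_F + L_PHI + L_H + 1:
        return False
    if sv.bit_length() > L_N + 2 * L_PHI + L_H + 1:
        return False
    # Steps aa)-cc): recompute U' and K_I' from the responses (needs Python 3.8+).
    U_c = pow(U, -c, N) * pow(R0, s0, N) * pow(R1, s1, N) * pow(S, sv, N) % N
    K_c = pow(K, -c, GAMMA) * pow(j_i, s0 + (s1 << L_F), GAMMA) % GAMMA
    # Step dd): the challenge must match the recomputed transcript.
    return c == H(H(N, R0, R1, S, U, K, U_c, K_c, n_i), n_t)


if __name__ == "__main__":
    j_i = base_from_bsn(b"issuer-bsn")          # constructed linking base bsn_I
    secret, U, K = signer_commit(300, j_i)      # constructed f = 300
    n_i = secrets.randbits(L_H)
    proof = signer_prove(secret, U, K, j_i, n_i)
    print(issuer_verify(U, K, j_i, n_i, proof))                    # True
    print(issuer_verify(U, K, j_i, n_i, proof, rogue=[(12, 9)]))   # False: f = 12 + 9*32
```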
6.3.3 Signature process
On input of a group public key (n, g’, g, h, S, Z, R_0, R_1, γ, Г, ρ), a group member signature key (f_0, f_1, A, e, v),
a linking base bsn, a nonce n_V ∈ {0, 1}^{l_H}, and a message m ∈ {0, 1}^* to be signed, the signature process
takes the following steps. The linking base is either a special symbol ⊥ or an arbitrary string used
for the linking capability. It is chosen either by the signer or the verifier, or pre-negotiated by both of them.
NOTE 1 The nonce n_V is usually chosen by the verifier.
NOTE 2 An alternative way to handle n_V is to include n_V as part of the message m.
a) The principal signer has the group member private key (f_0, f_1, v) while the assistant signer has (A, e).
b) If bsn = ⊥, the assistant signer chooses a random integer t from [0, ρ–1] and computes J = (γ)^t mod Г.
c) If bsn ≠ ⊥, the assistant signer computes J = (H_Г(1 || bsn))^{(Г–1)/ρ} mod Г.
d) The assistant signer sends J to the principal signer.
e) The principal signer verifies that (J)^ρ ≡ 1 mod Г.
...


INTERNATIONAL STANDARD ISO/IEC 20008-2
First edition 2013-11-15
Corrected version 2017-11
Information technology — Security techniques — Anonymous digital signatures —
Part 2: Mechanisms using a group public key
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes —
Partie 2: Mécanismes utilisant une clé publique de groupe
© ISO/IEC 2013, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 General model and requirements
6 Mechanisms with linking capability
6.1 General
6.2 Mechanism 1
6.2.1 Symbols
6.2.2 Key generation process
6.2.3 Signature process
6.2.4 Verification process
6.2.5 Linking process
6.2.6 Revocation process
6.3 Mechanism 2
6.3.1 Symbols
6.3.2 Key generation process
6.3.3 Signature process
6.3.4 Verification process
6.3.5 Linking process
6.3.6 Revocation process
6.4 Mechanism 3
6.4.1 Symbols
6.4.2 Key generation process
6.4.3 Signature process
6.4.4 Verification process
6.4.5 Linking process
6.4.6 Revocation process
6.5 Mechanism 4
6.5.1 Symbols
6.5.2 Key generation process
6.5.3 Signature process
6.5.4 Verification process
6.5.5 Linking process
6.5.6 Revocation process
7 Mechanisms with opening capability
7.1 General
7.2 Mechanism 5
7.2.1 Symbols
7.2.2 Key generation process
7.2.3 Signature process
7.2.4 Verification process
7.2.5 Opening process
7.2.6 Revocation process
7.3 Mechanism 6
7.3.1 Symbols
7.3.2 Key generation process
7.3.3 Signature process
7.3.4 Verification process
7.3.5 Opening process
7.3.6 Revocation process
8 Mechanisms with both opening and linking capabilities
8.1 General
8.2 Mechanism 7
8.2.1 Symbols
8.2.2 Key generation process
8.2.3 Signature process
8.2.4 Verification process
8.2.5 Opening process
8.2.6 Evidence evaluation process
8.2.7 Linking process
8.2.8 Revocation process
Annex A (normative) Object identifiers
Annex B (normative) Special hash-functions
Annex C (informative) Security guidelines for the anonymous signature mechanisms
Annex D (informative) Comparison of revocation mechanisms
Annex E (informative) Numerical examples
Annex F (informative) Proof of correct generation in Mechanism 5
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
ISO/IEC 20008-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 20008 consists of the following parts, under the general title Information technology — Security
techniques — Anonymous digital signatures:
— Part 1: General
— Part 2: Mechanisms using a group public key
Further parts may follow.
This corrected version of ISO/IEC 20008-2:2013 incorporates the following correction:
— in 6.5.4, step g) has been corrected and step h) has been added consequently.
Introduction
Anonymous digital signature mechanisms are a special type of digital signature mechanism in which,
given a digital signature, an unauthorized entity cannot discover the signer's identifier yet can verify
that a legitimate signer has generated a valid signature.
ISO/IEC 20008 specifies anonymous digital signature mechanisms. ISO/IEC 20008-1 specifies
principles and requirements for two categories of anonymous digital signature mechanisms: signature
mechanisms using a group public key, and signature mechanisms using multiple public keys. This part
of ISO/IEC 20008 specifies a number of anonymous signature mechanisms of the first category.
Anonymous signature mechanisms of the first category can have capabilities for providing more
information about the signer. Some have a linking capability, where two signatures signed by the same
signer are linkable. Some have an opening capability, where the signature can be opened by a special
entity to reveal the identity of the signer. Some have both linking and opening capabilities.
For each mechanism, the processes of opening, linking, and/or revocation are specified.
The mechanisms specified in this part of ISO/IEC 20008 use a collision-resistant hash-function. A hash-
function specified in ISO/IEC 10118 is to be used.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may
involve the use of patents.
ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.
The holders of these patent rights have assured ISO and IEC that they are willing to negotiate licences
either free of charge or under reasonable and non-discriminatory terms and conditions with applicants
throughout the world. In this respect, the statements of the holders of these patent rights are registered
with ISO and IEC. Information may be obtained from:
— Electronics and Telecommunications Research Institute (ETRI)
161, Gajeong-dong, Yuseong-gu, Daejeon, Korea
— NEC Corporation
7-1, Shiba 5-chome, Minato-Ku, Tokyo 108-8001, Japan
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights other than those identified above. ISO and/or IEC shall not be held responsible for
identifying any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.
INTERNATIONAL STANDARD ISO/IEC 20008-2:2013(E)
Information technology — Security techniques —
Anonymous digital signatures —
Part 2:
Mechanisms using a group public key
1 Scope
This part of ISO/IEC 20008 specifies anonymous digital signature mechanisms, in which a verifier
makes use of a group public key to verify a digital signature.
It provides
— a general description of an anonymous digital signature mechanism using a group public key, and
— a variety of mechanisms that provide such anonymous digital signatures.
For each mechanism, this part of ISO/IEC 20008 specifies
— the process for generating group member signature keys and a group public key,
— the process for producing signatures,
— the process for verifying signatures,
— the process for opening signatures (if the mechanism supports opening),
— the process for linking signatures (if the mechanism supports linking), and
— the process for revoking group members.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 15946-5, Information technology — Security techniques — Cryptographic techniques based on
elliptic curves — Part 5: Elliptic curve generation
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
ISO/IEC 18032, Information technology — Security techniques — Prime number generation
ISO/IEC 20008-1, Information technology — Security techniques — Anonymous digital signatures —
Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20008-1 and the
following apply.
3.1
assistant signer
entity that can help a principal signer to create anonymous signatures, but that cannot generate
anonymous signatures unaided
3.2
member-list
list that includes the identities of group members together with their corresponding group membership
credentials
3.3
principal signer
entity which is in possession of a group member signature key and which can create anonymous
signatures using this key
3.4
secret seed value
secret data known to a group member and used for deriving group member private keys
3.5
security parameters
variables that determine the security strength of a mechanism
4 Symbols (and abbreviated terms)
For the purposes of this part of ISO/IEC 20008, the following symbols and abbreviations apply.
bsn: Linking base, either a special symbol ⊥ or an arbitrary string.
e: A bilinear map function e: G_1 × G_2 → G_T such that for all P ∈ G_1, Q ∈ G_2, and all positive
integers a, b, the equation e([a]P, [b]Q) = e(P, Q)^{ab} holds. This function is also called a pairing
function.
gcd(a, b): The greatest common divisor of the integers a and b.
G_1: An additive cyclic group of order p over an elliptic curve.
G_2: An additive cyclic group of order p over an elliptic curve.
G_T: A multiplicative cyclic group of order p.
H: A cryptographic hash-function.
m: Message to be signed.
n: An RSA modulus where n = pq.
O_E: The elliptic curve point at infinity.
p: A prime number.
P_1: Generator of G_1.
P_2: Generator of G_2.
q: A prime number.
Q_1 + Q_2: The elliptic curve sum of points Q_1 and Q_2.
QR(n): The group of quadratic residues modulo n.
Z_n^*: The multiplicative group of invertible elements in Z_n.
Z_p: The set of integers in [0, p-1].
Z_p^*: The set of integers in [1, p-1].
(a|p): The Legendre symbol of a and p where a is an integer and p is an odd prime number.
[n]P: Multiplication operation that takes a positive integer n and a point P on the elliptic curve
E as input and produces as output another point Q on the curve E, where Q = [n]P = P + P
+ … + P, i.e. the sum of n copies of P. The operation satisfies [0]P = O_E and [–n]P = [n](–P).
[x, y]: The set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.
||: X || Y is used to mean the result of the concatenation of data items X and Y in the order
specified. In cases where the result of concatenating two or more data items is signed as
part of one of the mechanisms specified in this part of ISO/IEC 20008, this result shall be
composed so that it can be uniquely resolved into its constituent data strings, i.e. so that
there is no possibility of ambiguity in interpretation. This latter property could be achieved
in a variety of different ways, depending on the application. For example, it could be guaranteed
by (a) fixing the length of each of the substrings throughout the domain of use of
the mechanism, or (b) encoding the sequence of concatenated strings using a method that
guarantees unique decoding, e.g. using the distinguished encoding rules defined in
ISO/IEC 8825-1 [1].
5 General model and requirements
This clause specifies the general model and requirements for the anonymous digital signature
mechanisms specified in this part of ISO/IEC 20008. Some of the contents of this clause are taken from
Part 1 of this international standard. In addition, specific requirements applying to mechanisms using a
group public key are addressed.
An anonymous digital signature mechanism using a group public key involves a group and a set of group
members. Each group shall possess a group membership issuer. There may also be a group membership
opener and/or a group signature linker, depending on the mechanism. Multiple entities may function
in the role of a group membership opener or a group signature linker. The level of anonymity of the
mechanism depends on the anonymity strength (i.e., the size of the group), whether there is an opening
capability, whether there is a linking capability, how revocation is done, whether the issuer knows the
private keys, and the likelihood of compromise of a private key.
Such an anonymous digital signature mechanism is defined by the specification of the following
processes:
— key generation process,
— signature process,
— verification process,
— opening process (if the mechanism supports opening),
— linking process (if the mechanism supports linking), and
— revocation process.
The anonymous digital signature mechanisms using a group public key specified in this part of
ISO/IEC 20008 involve a range of types of entity. Some of these entities exist in every mechanism
whereas others exist only in some mechanisms. These entities are as follows:
— Signer: a signer is an entity that generates a digital signature. In some mechanisms, a signer role is
split between two entities. For example, in direct anonymous attestation mechanisms, the signer
role is split between a principal signer with limited computational and storage capability, e.g. a
trusted platform module (TPM), and an assistant signer with more computational power but less
security tolerance, e.g. an ordinary computer platform (namely the Host with an embedded TPM).
— Verifier: a verifier is an entity that verifies a digital signature.
— Group membership issuer: a group membership issuer is an entity that issues a group membership
credential to a signer. This entity exists in all the mechanisms.
— Group membership opener: a group membership opener is an entity who can identify the signer
from a signature. This entity exists in some of the mechanisms.
— Group signature linker: a group signature linker is an entity that checks whether two signatures
have been generated by the same signer with a linking key or a linking base. This entity exists in
some of the mechanisms.
In order to use any of the mechanisms specified in this part of ISO/IEC 20008, the following requirements
shall be met:
— Each entity involved in an anonymous digital signature mechanism is aware of a common set of
group public parameters, which are used to compute a variety of functions in the mechanism.
— Each verifier has access to an authentic copy of the group public key.
— An authentic channel is required between a signer and a group membership issuer during the
process of issuing group member signature key. This ensures that the group membership issuer is
able to provide the group member signature key only to a legitimate group member.
— A collision-resistant hash function such as one of those specified in ISO/IEC 10118 shall be used.
— A robust random bit generator such as one of those specified in ISO/IEC 18031 shall be used.
— A robust prime number generator such as one of those specified in ISO/IEC 18032 shall be used.
— A robust elliptic curve generator such as one of those specified in ISO/IEC 15946-5 shall be used in
some mechanisms.
6 Mechanisms with linking capability
6.1 General
This clause specifies four digital signature mechanisms with linking capability.
NOTE 1 In the literature the mechanism of 6.2 is called a list signature scheme, and the mechanisms of 6.3,
6.4 and 6.5 are called DAA schemes. The mechanisms given in 6.2, 6.4 and 6.5 are based on schemes originally
specified in [9], [6], and [11], respectively, in which security proofs can also be found. The mechanism in 6.3 is
based on a scheme in [3] which is a minor modification of the scheme in [4]; the associated security analysis is
given in the full version of [4].
NOTE 2 For certain applications such as attestation, a message to be signed may be hashed and/or
concatenated with additional information before being input to the signature process of one of the anonymous
digital signature mechanisms specified in this clause.
6.2 Mechanism 1
6.2.1 Symbols
The following symbols apply in the specification of this mechanism.
— l_p, k, l_x, l_e, l_E, l_X, ε: security parameters.
— p’, q’, e: prime numbers.
— a, a_0, g, h, b, C_1, D, C_2, d’, d_1, d_2, t’, t_1, t_2, A, f, T_1, T_2, T_3, T_4, d_3, d_4, d_5, t_3, t_4, t_5: integers in QR(n).
— x’, α, β: integers in [0, 2^{l_x} − 1].
— w_1, w_2, w_3: integers in [0, 2^{2l_p} − 1].
— ĉ, ċ, c’, c, c”, c”’: k-bit integers.
— ř: (2l_p + 1)-bit integer.
— t_1, ŝ_1, r’, r_1, r_2: (ε ∙ (l_x + k))-bit integers.
— t_2, ŝ_2: (ε ∙ (2l_p + k + 1))-bit integers.
— x: (l_x + 1)-bit integer.
— r_3: (ε ∙ (l_x + 2l_p + k + 1))-bit integer.
— s_0, s_1, s_2, s’: integers in [-2^{l_x+k}, 2^{ε(l_x+k)} - 1].
— s_3: integer in [-2^{l_x+2l_p+k+1}, 2^{ε(l_x+2l_p+k+1)} - 1].
— r_4, r_5: (ε ∙ (2l_p + k))-bit integers.
— r_9, r_10: (ε ∙ (2l_p + l_e + k))-bit integers.
— s_4, s_5: integers in [-2^{2l_p+k}, 2^{ε(2l_p+k)} - 1].
— s_9, s_10: integers in [-2^{2l_p+l_e+k}, 2^{ε(2l_p+l_e+k)} - 1].
— H: a hash function that outputs k-bit message digest.
— H_Г: a hash function that outputs (2l_p)-bit message digest.
6.2.2 Key generation process
The key generation process has two parts: a setup process and a group membership issuing process.
The setup process is executed by the group membership issuer to create the group public parameter,
group public key, and group membership issuing key. The group membership issuing process is an
interactive protocol running between the group membership issuer and a group member to create a
unique group member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose the following parameters: l_p, k, l_x, l_e, l_E, l_X, ε.
b) Choose an RSA modulus n = pq with p = 2p’ + 1, q = 2q’ + 1 such that p, q, p’, q’ are all primes and p’ as
well as q’ have l_p bits.
c) Choose a random generator a of the group of quadratic residues modulo n by performing the
following steps:
1) Choose a random integer g in Z_n^* such that gcd(g+1, n) = 1 and gcd(g–1, n) = 1.
2) Compute a = g (mod n).
d) Choose a random generator a_0 of QR(n) different from a.
e) Choose a random generator g of QR(n) different from a and a_0.
f) Choose a random generator h of QR(n) different from a, a_0 and g.
g) Choose a random generator b of QR(n) different from a, a_0, g and h.
h) The group membership issuer chooses two hash functions H: {0, 1}* → {0, 1}^k and H_Г: {0, 1}* → {0, 1}^{2l_p}.
An example of how to construct H_Г is provided in Annex B.
i) Output the following:
— group public parameter = (l_p, k, l_x, l_e, l_E, l_X, ε),
— group public key = (n, a, a_0, g, h, b),
— group membership issuing key = (p’, q’).
NOTE An example of recommended parameters is provided in Annex C.2.
The group membership issuing process may require a secure and authentic channel between the
member and the group membership issuer to prevent the group membership credential from being
observed by an eavesdropper. How to establish such a channel is out of scope of this mechanism. The
group membership issuing process is as follows:
a) The group member chooses a random integer x’ ∈ [0, 2^{l_x} − 1].
b) The member chooses a random integer ř ∈ [0, 2n −1].
c) The member computes C_1 = g^{x’} h^{ř} (mod n).
d) The member generates a proof of knowledge U of the representation (x’, ř) of C_1 in the bases g and
h by performing the following steps:
1) The member chooses a random integer t_1 ∈ [0, 2^{ε(l_x+k)} - 1].
2) The member chooses a random integer t_2 ∈ [0, 2^{ε(2l_p+k+1)} - 1].
3) The member computes D = g^{t_1} h^{t_2} (mod n).
4) The member computes ĉ = H(g || h || C_1 || D).
5) The member computes ŝ_1 = t_1 - ĉ x’.
6) The member computes ŝ_2 = t_2 - ĉ ř.
7) U = (ĉ, ŝ_1, ŝ_2).
e) The member sends C_1 and U to the group membership issuer.
f) The group membership issuer receives C_1 and U from the member.
g) The group membership issuer verifies that C_1 belongs to QR(n) by performing the following step:
1) The group membership issuer checks that (C_1|p) = 1 and that (C_1|q) = 1. If either of these
verifications fails, the group membership issuer outputs Reject and stops.
h) The group membership issuer verifies the proof of knowledge U by performing the following steps:
1) The group membership issuer computes D’ = g^{ŝ_1} h^{ŝ_2} C_1^{ĉ} (mod n).
2) The group membership issuer computes ċ = H(g || h || C_1 || D’).
lx+k ε(lx+k)
3) The group membership issuer checks that ċ = ĉ, ŝ belongs to [-2 , 2 -1] and ŝ belongs to
1 2
2lp+k+1 ε(2lp+k+1)
[-2 , 2 -1]. If any of these verifications fails, the group membership issuer outputs
Reject and stops.
lx
i) The group membership issuer chooses a random odd integer α ∈ [0, 2 −1].
lx
j) The group membership issuer chooses a random integer β ∈ [0, 2 −1].
k) The group membership issuer sends α and β to the member.
l) The member receives α and β from the group membership issuer.
lX lx
m) The member computes x = 2 + (αx’+ β (mod 2 )).
x
n) The member computes C = a (mod n).
lx
o) The member computes υ = (αx’+ β) | 2 .
p) The member generates a proof of knowledge V of the discrete logarithm x of C in base a by
performing the following steps:
ε(lx+k)
1) The member chooses a random integer r’ ∈ [0, 2 -1].
r’
2) The member computes d’ = a (mod n).
3) The member computes c’ = H(a || g || C || d’).
lX
4) The member computes s’ = r’ – c’(x - 2 ).
5) The member set V = (c’, s’).
q) The member generates a proof of knowledge W by performing the following steps:
1) The member chooses a random integer r_1 ∈ [0, 2^{ε(l_x+k)} - 1].
2) The member chooses a random integer r_2 ∈ [0, 2^{ε(l_x+k)} - 1].
3) The member chooses a random integer r_3 ∈ [0, 2^{ε(l_x+2l_p+k+1)} - 1].
4) The member computes d_1 = a^{r_1} (mod n).
5) The member computes d_2 = g^{r_1} (g^l)^{r_2} h^{r_3} (mod n) where l = 2^{l_x}.
6) The member computes c = H(a || g || h || C_1 || C_2 || d_1 || d_2).
7) The member computes s_1 = r_1 – c(x - 2^{l_X}).
8) The member computes s_2 = r_2 – cυ.
9) The member computes s_3 = r_3 – cαř.
10) The member sets W = (c, s_1, s_2, s_3).
r) The member sends C_2, V and W to the group membership issuer.
s) The group membership issuer receives C_2, V and W from the member.
t) The group membership issuer checks that C_2 belongs to QR(n) by performing the following step:
1) The group membership issuer checks that (C_2|p) = 1 and that (C_2|q) = 1. If any of these verifications fails, the group membership issuer outputs Reject and stops.
u) The group membership issuer verifies the proof of knowledge V by performing the following steps:
1) The group membership issuer computes s_0 = s’ – c’ 2^{l_X}.
2) The group membership issuer computes t’ = C_2^{c’} a^{s_0} (mod n).
3) The group membership issuer computes c” = H(a || g || C_2 || t’).
4) The group membership issuer checks that c” = c’ and that s’ ∈ [-2^{l_x+k}, 2^{ε(l_x+k)} - 1]. If any of these verifications fails, the group membership issuer outputs Reject and stops.
v) The group membership issuer verifies the proof of knowledge W by performing the following steps:
1) The group membership issuer computes t_1 = (C_2 / a^L)^c a^{s_1} (mod n) where L = 2^{l_X}.
2) The group membership issuer computes t_2 = (C_1^α g^β)^c g^{s_1} (g^l)^{s_2} h^{s_3} (mod n) where l = 2^{l_x}.
3) The group membership issuer computes c”’ = H(a || g || h || C_1 || C_2 || t_1 || t_2).
4) The group membership issuer checks that: c”’ = c, s_1 belongs to [-2^{l_x+k}, 2^{ε(l_x+k)} - 1], s_2 belongs to [-2^{l_x+k}, 2^{ε(l_x+k)} - 1] and that s_3 belongs to [-2^{l_x+2l_p+k+1}, 2^{ε(l_x+2l_p+k+1)} - 1]. If any of these verifications fails, the group membership issuer outputs Reject and stops.
w) The group membership issuer chooses a random prime e ∈ [2^{l_E} - 2^{l_e} + 1, 2^{l_E} + 2^{l_e} - 1].
x) The group membership issuer computes đ_1 = 1/e (mod p’q’).
y) The group membership issuer computes A = (a_0 C_2)^{đ_1} (mod n).
z) The group membership issuer stores (A, e, Member) in member-list LIST.
aa) The group membership issuer sends A and e to the member.
bb) The member receives A and e from the group membership issuer.
cc) The member checks that A^e = a_0 a^x (mod n).
dd) The group member signature key of the signer is (A, e, x), in which x is the group member private
key and (A, e) is the group membership credential.
6.2.3 Signature process
On input of a group public key (n, a, a_0, g, h, b), a group member signature key (A, e, x), a linking base
bsn, and a message m ∈ {0, 1}* to be signed, the signature process takes the following steps. The
linking base is used for the linking capability. It is chosen by the group membership issuer or any other
trusted authority.
a) The member computes f = (H_Г(bsn))^2 (mod n).
b) The member chooses a random integer w_1 ∈ [0, 2^{2l_p} - 1].
c) The member chooses a random integer w_2 ∈ [0, 2^{2l_p} - 1].
d) The member chooses a random integer w_3 ∈ [0, 2^{2l_p} - 1].
e) The member computes T_1 = A b^{w_1} (mod n).
f) The member computes T_2 = g^{w_1} h^{w_2} (mod n).
g) The member computes T_3 = g^e h^{w_3} (mod n).
h) The member computes T_4 = f^x (mod n).
i) The member chooses a random integer r_1 ∈ [0, 2^{ε(l_e+k)} - 1].
j) The member chooses a random integer r_2 ∈ [0, 2^{ε(l_x+k)} - 1].
k) The member chooses a random integer r_3 ∈ [0, 2^{ε(2l_p+k)} - 1].
l) The member chooses a random integer r_4 ∈ [0, 2^{ε(2l_p+k)} - 1].
m) The member chooses a random integer r_5 ∈ [0, 2^{ε(2l_p+k)} - 1].
n) The member chooses a random integer r_9 ∈ [0, 2^{ε(2l_p+l_e+k)} - 1].
o) The member chooses a random integer r_{10} ∈ [0, 2^{ε(2l_p+l_e+k)} - 1].
p) The member computes d_1 = T_1^{r_1} / (a^{r_2} b^{r_9}) (mod n).
q) The member computes d_2 = T_2^{r_1} / (g^{r_9} h^{r_{10}}) (mod n).
r) The member computes d_3 = g^{r_3} h^{r_4} (mod n).
s) The member computes d_4 = g^{r_1} h^{r_5} (mod n).
t) The member computes d_5 = f^{r_2} (mod n).
u) The member computes c = H(a || a_0 || g || h || T_1 || T_2 || T_3 || T_4 || d_1 || d_2 || d_3 || d_4 || d_5 || m).
v) The member computes s_1 = r_1 – c(e - 2^{l_E}).
w) The member computes s_2 = r_2 – c(x - 2^{l_X}).
x) The member computes s_3 = r_3 – cw_1.
y) The member computes s_4 = r_4 – cw_2.
z) The member computes s_5 = r_5 – cw_3.
aa) The member computes s_9 = r_9 – cew_1.
bb) The member computes s_{10} = r_{10} – cew_2.
cc) The member sets the signature as σ = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4).
6.2.4 Verification process
On input of a message m, a linking base bsn, a signature (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4), a group
public key (n, a, a_0, g, h, b), the verification process takes the following steps:
a) The verifier computes f = (H_Г(bsn))^2 (mod n).
b) The verifier computes t_1 = a_0^c T_1^{s_1 - cl’} / (a^{s_2 - cL} b^{s_9}) (mod n) where l’ = 2^{l_E} and L = 2^{l_X}.
c) The verifier computes t_2 = T_2^{s_1 - cl’} / (g^{s_9} h^{s_{10}}) (mod n) where l’ = 2^{l_E}.
d) The verifier computes t_3 = T_2^c g^{s_3} h^{s_4} (mod n).
e) The verifier computes t_4 = T_3^c g^{s_1 - cl’} h^{s_5} (mod n) where l’ = 2^{l_E}.
f) The verifier computes t_5 = T_4^c f^{s_2 - cL} (mod n) where L = 2^{l_X}.
g) The verifier computes c' = H(a || a_0 || g || h || T_1 || T_2 || T_3 || T_4 || t_1 || t_2 || t_3 || t_4 || t_5 || m).
h) If c' = c, s_1 belongs to [-2^{l_e+k}, 2^{ε(l_e+k)} - 1], s_2 belongs to [-2^{l_x+k}, 2^{ε(l_x+k)} - 1], s_3 belongs to [-2^{2l_p+k}, 2^{ε(2l_p+k)} - 1], s_4 belongs to [-2^{2l_p+k}, 2^{ε(2l_p+k)} - 1], s_5 belongs to [-2^{2l_p+k}, 2^{ε(2l_p+k)} - 1], s_9 belongs to [-2^{2l_p+l_e+k}, 2^{ε(2l_p+l_e+k)} - 1], s_{10} belongs to [-2^{2l_p+l_e+k}, 2^{ε(2l_p+l_e+k)} - 1], then return 1 (valid).
i) Else return 0 (invalid).
6.2.5 Linking process
Given two valid signatures σ = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4) and σ’ = (c’, s_1’, s_2’, s_3’, s_4’, s_5’, s_9’, s_{10}’,
T_1’, T_2’, T_3’, T_4’) computed using a linking base bsn, the linking process takes the following step:
a) If T_4 = T_4’, output 1 (linked), otherwise, output 0 (not linked).
6.2.6 Revocation process
Details of the revocation process in this mechanism are surveyed in [10]. There are two types of
revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either a global revocation or a local revocation. Verifier blacklist
revocation is a local revocation.
Private key revocation:
— If a group member signature key (A, e, x) is compromised, the group membership issuer or a verifier
puts x into a revocation list RL of this type.
— Given a valid signature σ = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4) computed using a linking base
bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows:
For each x’ ∈ RL, verify T_4 ≠ (H_Г(bsn))^{2x’} (mod n). If any of the verifications fails, output 0 (revoked),
otherwise, output 1 (valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members.
Verifier blacklist revocation:
— If signatures were computed using a linking base bsn, a verifier can build its own revocation list
RL corresponding to bsn. If the verifier wants to blacklist the signer of a signature σ = (c, s_1, s_2, s_3, s_4,
s_5, s_9, s_{10}, T_1, T_2, T_3, T_4), she puts T_4 into a revocation list RL of this type.
— Given a valid signature σ = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4) computed using a linking base bsn
and a revocation list RL of this type, a verifier can check revocation of this signature as follows: For
each T_4’ ∈ RL, verify T_4 ≠ T_4’. If any of the verifications fails, output 0 (revoked), otherwise, output 1
(valid).
NOTE In order to use verifier blacklist revocation in this mechanism, a signer is required to use a specific
linking base for each verifier. The value of the linking base could, for example, be chosen by the verifier or agreed
in advance by the signer and verifier.
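The signature, verification, linking and private key revocation steps of 6.2.3 to 6.2.6, as an added Python example with toy parameters; it is not part of ISO/IEC 20008-2. Assumptions, all constructed here: SHA-256 stands in for H and H_Г (not the Annex B construction), f is taken as (H_Г(bsn))^2 (mod n) to match the 2x’ exponent in the revocation check, the bases are fixed small squares, and issue() replaces the interactive issuing protocol with an issuer-side shortcut that uses p’q’.

```python
import hashlib
import secrets
from math import isqrt

# Constructed toy parameters (l_p, k, l_x, l_e, l_E, l_X, eps); far too small for real use.
LP, K, LX, LE, L_E, L_X, EPS = 24, 32, 32, 8, 12, 40, 2

def is_prime(m):
    return m > 2 and m % 2 == 1 and all(m % d for d in range(3, isqrt(m) + 1, 2))

def half_of_safe_prime(start):
    """Smallest odd p' >= start with p' and 2p' + 1 both prime."""
    pp = start | 1
    while not (is_prime(pp) and is_prime(2 * pp + 1)):
        pp += 2
    return pp

def H(*items, bits=K):
    """Hash a length-prefixed (unambiguous) encoding of the items to `bits` bits."""
    h = hashlib.sha256()
    for it in items:
        data = it if isinstance(it, bytes) else str(it).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") >> (256 - bits)

def base_f(n, bsn):
    """f = H_Gamma(bsn)^2 mod n; this H_Gamma is a stand-in, not the Annex B construction."""
    return pow(H(b"H_Gamma", bsn, bits=2 * LP), 2, n)

def setup():
    pp = half_of_safe_prime(1 << (LP - 1))
    qq = half_of_safe_prime(pp + 2)
    n = (2 * pp + 1) * (2 * qq + 1)
    # Fixed small squares as toy bases; a real issuer draws random generators of QR(n).
    a, a0, g, h, b = (pow(u, 2, n) for u in (2, 3, 5, 7, 11))
    return (n, a, a0, g, h, b), (pp, qq)

def issue(gpk, isk):
    """Issuer-side shortcut for steps w) to y): the interactive proofs U, V, W are skipped."""
    n, a, a0 = gpk[:3]
    x = (1 << L_X) + secrets.randbelow(1 << LX)
    lo, hi = (1 << L_E) - (1 << LE) + 1, (1 << L_E) + (1 << LE) - 1
    e = 0
    while not is_prime(e):
        e = lo + secrets.randbelow(hi - lo + 1)
    A = pow(a0 * pow(a, x, n) % n, pow(e, -1, isk[0] * isk[1]), n)
    return A, e, x

def sign(gpk, key, bsn, m):
    n, a, a0, g, h, b = gpk
    A, e, x = key
    f = base_f(n, bsn)
    w1, w2, w3 = (secrets.randbelow(1 << 2 * LP) for _ in range(3))
    T1 = A * pow(b, w1, n) % n
    T2 = pow(g, w1, n) * pow(h, w2, n) % n
    T3 = pow(g, e, n) * pow(h, w3, n) % n
    T4 = pow(f, x, n)
    rnd = lambda bits: secrets.randbelow(1 << EPS * bits)
    r1, r2 = rnd(LE + K), rnd(LX + K)
    r3, r4, r5 = rnd(2 * LP + K), rnd(2 * LP + K), rnd(2 * LP + K)
    r9, r10 = rnd(2 * LP + LE + K), rnd(2 * LP + LE + K)
    d1 = pow(T1, r1, n) * pow(a, -r2, n) * pow(b, -r9, n) % n
    d2 = pow(T2, r1, n) * pow(g, -r9, n) * pow(h, -r10, n) % n
    d3 = pow(g, r3, n) * pow(h, r4, n) % n
    d4 = pow(g, r1, n) * pow(h, r5, n) % n
    d5 = pow(f, r2, n)
    c = H(a, a0, g, h, T1, T2, T3, T4, d1, d2, d3, d4, d5, m)
    return (c, r1 - c * (e - (1 << L_E)), r2 - c * (x - (1 << L_X)), r3 - c * w1,
            r4 - c * w2, r5 - c * w3, r9 - c * e * w1, r10 - c * e * w2, T1, T2, T3, T4)

def verify(gpk, bsn, m, sig):
    n, a, a0, g, h, b = gpk
    c, s1, s2, s3, s4, s5, s9, s10, T1, T2, T3, T4 = sig
    f, lE, L = base_f(n, bsn), 1 << L_E, 1 << L_X
    try:  # pow() raises ValueError if a negative power of a non-invertible value is needed
        t1 = pow(a0, c, n) * pow(T1, s1 - c * lE, n) * pow(a, c * L - s2, n) * pow(b, -s9, n) % n
        t2 = pow(T2, s1 - c * lE, n) * pow(g, -s9, n) * pow(h, -s10, n) % n
        t3 = pow(T2, c, n) * pow(g, s3, n) * pow(h, s4, n) % n
        t4 = pow(T3, c, n) * pow(g, s1 - c * lE, n) * pow(h, s5, n) % n
        t5 = pow(T4, c, n) * pow(f, s2 - c * L, n) % n
    except ValueError:
        return False
    ok = lambda s, bits: -(1 << bits) <= s <= (1 << EPS * bits) - 1
    return (c == H(a, a0, g, h, T1, T2, T3, T4, t1, t2, t3, t4, t5, m)
            and ok(s1, LE + K) and ok(s2, LX + K)
            and all(ok(s, 2 * LP + K) for s in (s3, s4, s5))
            and all(ok(s, 2 * LP + LE + K) for s in (s9, s10)))

def linked(sig1, sig2):
    return sig1[11] == sig2[11]  # compare T_4

def key_revoked(gpk, bsn, sig, rl):
    """Private key revocation: T_4 equals H_Gamma(bsn)^(2x') for some x' in RL."""
    f = base_f(gpk[0], bsn)
    return any(sig[11] == pow(f, x_rev, gpk[0]) for x_rev in rl)
```

Signatures made by one member under the same linking base share T_4, which is what both the linking check and the two revocation checks rely on; a different linking base yields a different f and so an unlinkable T_4.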
6.3 Mechanism 2
6.3.1 Symbols
The following symbols apply in the specification of this mechanism.
— l_n, l_f, l_e, l’_e, l_v, l_∅, l_H, l_r, l_s, l_Г, l_ρ: security parameters.
— p’, q’, ρ, Г, e: prime numbers.
— g’, g, h, S, Z, R_0, R_1, U, U’, A, A’, T, T_t’: integers in QR(n).
— x_0, x_1, x_z, x_s, x_h, x_g, s_e, r_e: integers in [1, p’⋅q’].
— γ, J_I, K_I, K_I’, J, K, J’, K’: integers whose multiplicative order modulo Г is ρ.
— f, f’: integers in [0, ρ–1].
— f_0, f_1: l_f-bit integers.
— c_h, c, c’, n_I, n_V: l_H-bit integers.
— n_T, n_H: l_∅-bit integers.
— t, t_2, r_f: (2l_f + l_∅ + l_H + 1)-bit integers.
— t_1: (l_e + l_H)-bit integer.
— r_0, r_1: (l_f + l_∅ + l_H)-bit integers.
— r_v: (l_v + l_∅ + l_H)-bit integer.
— r : (l + l + 2l + l + 1)-bit integer.
v* e n
...


INTERNATIONAL STANDARD ISO/IEC 20008-2
First edition 2013-11-15
Corrected version 2017-11
Information technology — Security techniques — Anonymous digital signatures —
Part 2: Mechanisms using a group public key
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes —
Partie 2: Mécanismes utilisant une clé publique de groupe
© ISO/IEC 2013, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols (and abbreviated terms)
5 General model and requirements
6 Mechanisms with linking capability
6.1 General
6.2 Mechanism 1
6.2.1 Symbols
6.2.2 Key generation process
6.2.3 Signature process
6.2.4 Verification process
6.2.5 Linking process
6.2.6 Revocation process
6.3 Mechanism 2
6.3.1 Symbols
6.3.2 Key generation process
6.3.3 Signature process
6.3.4 Verification process
6.3.5 Linking process
6.3.6 Revocation process
6.4 Mechanism 3
6.4.1 Symbols
6.4.2 Key generation process
6.4.3 Signature process
6.4.4 Verification process
6.4.5 Linking process
6.4.6 Revocation process
6.5 Mechanism 4
6.5.1 Symbols
6.5.2 Key generation process
6.5.3 Signature process
6.5.4 Verification process
6.5.5 Linking process
6.5.6 Revocation process
7 Mechanisms with opening capability
7.1 General
7.2 Mechanism 5
7.2.1 Symbols
7.2.2 Key generation process
7.2.3 Signature process
7.2.4 Verification process
7.2.5 Opening process
7.2.6 Revocation process
7.3 Mechanism 6
7.3.1 Symbols
7.3.2 Key generation process
7.3.3 Signature process
7.3.4 Verification process
7.3.5 Opening process
7.3.6 Revocation process
8 Mechanisms with both opening and linking capabilities
8.1 General
8.2 Mechanism 7
8.2.1 Symbols
8.2.2 Key generation process
8.2.3 Signature process
8.2.4 Verification process
8.2.5 Opening process
8.2.6 Evidence evaluation process
8.2.7 Linking process
8.2.8 Revocation process
Annex A (normative) Object identifiers
Annex B (normative) Special hash-functions
Annex C (informative) Security guidelines for the anonymous signature mechanisms
Annex D (informative) Comparison of revocation mechanisms
Annex E (informative) Numerical examples
Annex F (informative) Proof of correct generation in Mechanism 5
Bibliography

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the national bodies
casting a vote.
ISO/IEC 20008-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
ISO/IEC 20008 consists of the following parts, under the general title Information technology — Security
techniques — Anonymous digital signatures:
— Part 1: General
— Part 2: Mechanisms using a group public key
Further parts may follow.
This corrected version of ISO/IEC 20008-2:2013 incorporates the following correction:
— in 6.5.4, step g) has been corrected and step h) has been added consequently.

Introduction
Anonymous digital signature mechanisms are a special type of digital signature mechanism in which,
given a digital signature, an unauthorized entity cannot discover the signer's identifier yet can verify
that a legitimate signer has generated a valid signature.
ISO/IEC 20008 specifies anonymous digital signature mechanisms. ISO/IEC 20008-1 specifies
principles and requirements for two categories of anonymous digital signatures mechanisms: signature
mechanisms using a group public key, and signature mechanisms using multiple public keys. This part
of ISO/IEC 20008 specifies a number of anonymous signature mechanisms of the first category.
Anonymous signature mechanisms of the first category can have capabilities for providing more
information about the signer. Some have a linking capability, where two signatures signed by the same
signer are linkable. Some have an opening capability, where the signature can be opened by a special
entity to reveal the identity of the signer. Some have both linking and opening capabilities.
For each mechanism, the processes of opening, linking, and/or revocation are specified.
The mechanisms specified in this part of ISO/IEC 20008 use a collision-resistant hash-function. A hash-
function specified in ISO/IEC 10118 is to be used.
The International Organization for Standardization (ISO) and International Electrotechnical
Commission (IEC) draw attention to the fact that it is claimed that compliance with this document may
involve the use of patents.
ISO and IEC take no position concerning the evidence, validity, and scope of these patent rights.
The holders of these patent rights have assured the ISO and IEC that they are willing to negotiate licences
either free of charge or under reasonable and non-discriminatory terms and conditions with applicants
throughout the world. In this respect, the statements of the holders of these patent rights are registered
with ISO and IEC. Information may be obtained from:
— Electronics and Telecommunications Research Institute (ETRI)
161, Gajeong-dong, Yuseong-gu, Daejeon, Korea
— NEC Corporation
7-1, Shiba 5-chome, Minato-Ku, Tokyo 108-8001, Japan
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights other than those identified above. ISO and/or IEC shall not be held responsible for
identifying any or all such patent rights.
ISO (www.iso.org/patents) and IEC (http://patents.iec.ch) maintain on-line databases of patents
relevant to their standards. Users are encouraged to consult the databases for the most up to date
information concerning patents.

INTERNATIONAL STANDARD ISO/IEC 20008-2:2013(E)
Information technology — Security techniques —
Anonymous digital signatures —
Part 2:
Mechanisms using a group public key
1 Scope
This part of ISO/IEC 20008 specifies anonymous digital signature mechanisms, in which a verifier
makes use of a group public key to verify a digital signature.
It provides
— a general description of an anonymous digital signature mechanism using a group public key, and
— a variety of mechanisms that provide such anonymous digital signatures.
For each mechanism, this part of ISO/IEC 20008 specifies
— the process for generating group member signature keys and a group public key,
— the process for producing signatures,
— the process for verifying signatures,
— the process for opening signatures (if the mechanism supports opening),
— the process for linking signatures (if the mechanism supports linking), and
— the process for revoking group members.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 10118 (all parts), Information technology — Security techniques — Hash-functions
ISO/IEC 15946-5, Information technology — Security techniques — Cryptographic techniques based on
elliptic curves — Part 5: Elliptic curve generation
ISO/IEC 18031, Information technology — Security techniques — Random bit generation
ISO/IEC 18032, Information technology — Security techniques — Prime number generation
ISO/IEC 20008-1, Information technology — Security techniques — Anonymous digital signatures —
Part 1: General
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 20008-1 and the
following apply.
3.1
assistant signer
entity that can help a principal signer to create anonymous signatures, but that cannot generate
anonymous signatures unaided
3.2
member-list
list that includes the identities of group members together with their corresponding group membership
credentials
3.3
principal signer
entity which is in possession of a group member signature key and which can create anonymous
signatures using this key
3.4
secret seed value
secret data known to a group member and used for deriving group member private keys
3.5
security parameters
variables that determine the security strength of a mechanism
4 Symbols (and abbreviated terms)
For the purposes of this part of ISO/IEC 20008, the following symbols and abbreviations apply.
bsn Linking base, either a special symbol ⊥ or an arbitrary string.
e A bilinear map function e: G_1 × G_2 → G_T such that for all P ∈ G_1, Q ∈ G_2, and all positive integers a, b, the equation e([a]P, [b]Q) = e(P, Q)^{ab} holds. This function is also called a pairing function.
gcd(a, b) The greatest common divisor of the integers a and b.
G_1 An additive cyclic group of order p over an elliptic curve.
G_2 An additive cyclic group of order p over an elliptic curve.
G_T A multiplicative cyclic group of order p.
H A cryptographic hash-function.
m Message to be signed.
n An RSA modulus where n = pq.
O_E The elliptic curve point at infinity.
p A prime number.
P_1 Generator of G_1.
P_2 Generator of G_2.
q A prime number.
Q_1 + Q_2 The elliptic curve sum of points Q_1 and Q_2.
QR(n) The group of quadratic residues modulo n.
Z_n^* The multiplicative group of invertible elements in Z_n.
Z_p The set of integers in [0, p-1].
Z_p^* The set of integers in [1, p-1].
(a|p) The Legendre symbol of a and p where a is an integer and p is an odd prime number.
[n]P Multiplication operation that takes a positive integer n and a point P on the elliptic curve E as input and produces as output another point Q on the curve E, where Q = [n]P = P + P + … + P, i.e. the sum of n copies of P. The operation satisfies [0]P = O_E and [–n]P = [n](–P).
[x, y] The set of integers from x to y inclusive, if x, y are integers satisfying x ≤ y.
|| X || Y is used to mean the result of the concatenation of data items X and Y in the order specified. In cases where the result of concatenating two or more data items is signed as part of one of the mechanisms specified in this part of ISO/IEC 20008, this result shall be composed so that it can be uniquely resolved into its constituent data strings, i.e. so that there is no possibility of ambiguity in interpretation. This latter property could be achieved in a variety of different ways, depending on the application. For example, it could be guaranteed by (a) fixing the length of each of the substrings throughout the domain of use of the mechanism, or (b) encoding the sequence of concatenated strings using a method that guarantees unique decoding, e.g. using the distinguished encoding rules defined in ISO/IEC 8825-1 [1].
5 General model and requirements
This clause specifies the general model and requirements for the anonymous digital signature
mechanisms specified in this part of ISO/IEC 20008. Some of the contents of this clause are taken from
Part 1 of this international standard. In addition, specific requirements applying to mechanisms using a
group public key are addressed.
An anonymous digital signature mechanism using a group public key involves a group and a set of group
members. Each group shall possess a group membership issuer. There may also be a group membership
opener and/or a group signature linker, depending on the mechanism. Multiple entities may function
in the role of a group membership opener or a group signature linker. The level of anonymity of the
mechanism depends on the anonymity strength (i.e., the size of the group), whether there is an opening
capability, whether there is a linking capability, how revocation is done, whether the issuer knows the
private keys, and the likelihood of compromise of a private key.
Such an anonymous digital signature mechanism is defined by the specification of the following
processes:
— key generation process,
— signature process,
— verification process,
— opening process (if the mechanism supports opening),
— linking process (if the mechanism supports linking), and
— revocation process.
The anonymous digital signature mechanisms using a group public key specified in this part of
ISO/IEC 20008 involve a range of types of entity. Some of these entities exist in every mechanism
whereas others exist only in some mechanisms. These entities are as follows:
— Signer: a signer is an entity that generates a digital signature. In some mechanisms, a signer role is
split between two entities. For example, in direct anonymous attestation mechanisms, the signer
role is split between a principal signer with limited computational and storage capability, e.g. a
trusted platform module (TPM), and an assistant signer with more computational power but less
security tolerance, e.g. an ordinary computer platform (namely the Host with an embedded TPM).
— Verifier: a verifier is an entity that verifies a digital signature.
— Group membership issuer: a group membership issuer is an entity that issues a group membership
credential to a signer. This entity exists in all the mechanisms.
— Group membership opener: a group membership opener is an entity who can identify the signer
from a signature. This entity exists in some of the mechanisms.
— Group signature linker: a group signature linker is an entity that checks whether two signatures
have been generated by the same signer with a linking key or a linking base. This entity exists in
some of the mechanisms.
In order to use any of the mechanisms specified in this part of ISO/IEC 20008, the following requirements
shall be met:
— Each entity involved in an anonymous digital signature mechanism is aware of a common set of
group public parameters, which are used to compute a variety of functions in the mechanism.
— Each verifier has access to an authentic copy of the group public key.
— An authentic channel is required between a signer and a group membership issuer during the
process of issuing group member signature key. This ensures that the group membership issuer is
able to provide the group member signature key only to a legitimate group member.
— A collision-resistant hash function such as one of those specified in ISO/IEC 10118 shall be used.
— A robust random bit generator such as one of those specified in ISO/IEC 18031 shall be used.
— A robust prime number generator such as one of those specified in ISO/IEC 18032 shall be used.
— A robust elliptic curve generator such as one of those specified in ISO/IEC 15946-5 shall be used in
some mechanisms.
6 Mechanisms with linking capability
6.1 General
This clause specifies four digital signature mechanisms with linking capability.
NOTE 1 In the literature the mechanism of 6.2 is called a list signature scheme, and the mechanisms of 6.3,
6.4 and 6.5 are called DAA schemes. The mechanisms given in 6.2, 6.4 and 6.5 are based on schemes originally
specified in [9], [6], and [11], respectively, in which security proofs can also be found. The mechanism in 6.3 is
based on a scheme in [3] which is a minor modification of the scheme in [4]; the associated security analysis is
given in the full version of [4].
NOTE 2 For certain applications such as attestation, a message to be signed may be hashed and/or
concatenated with additional information before being input to the signature process of one of the anonymous
digital signature mechanisms specified in this clause.
6.2 Mechanism 1
6.2.1 Symbols
The following symbols apply in the specification of this mechanism.
— l_p, k, l_x, l_e, l_E, l_X, ε: security parameters.
— p’, q’, e: prime numbers.
— a, a_0, g, h, b, C_1, D, C_2, d’, d_1, d_2, t’, t_1, t_2, A, f, T_1, T_2, T_3, T_4, d_3, d_4, d_5, t_3, t_4, t_5: integers in QR(n).
— x’, α, β: integers in [0, 2^{l_x} − 1].
— w_1, w_2, w_3: integers in [0, 2^{2l_p} − 1].
— ĉ, ċ, c’, c, c”, c”’: k-bit integers.
— ř: (2l_p + 1)-bit integer.
— t_1, ŝ_1, r’, r_1, r_2: (ε ∙ (l_x + k))-bit integers.
— t_2, ŝ_2: (ε ∙ (2l_p + k + 1))-bit integers.
— x: (l_x + 1)-bit integer.
— r_3: (ε ∙ (l_x + 2l_p + k + 1))-bit integer.
— s_0, s_1, s_2, s’: integers in [-2^{l_x+k}, 2^{ε(l_x+k)} - 1].
— s_3: integer in [-2^{l_x+2l_p+k+1}, 2^{ε(l_x+2l_p+k+1)} - 1].
— r_4, r_5: (ε ∙ (2l_p + k))-bit integers.
— r_9, r_{10}: (ε ∙ (2l_p + l_e + k))-bit integers.
— s_4, s_5: integers in [-2^{2l_p+k}, 2^{ε(2l_p+k)} - 1].
— s_9, s_{10}: integers in [-2^{2l_p+l_e+k}, 2^{ε(2l_p+l_e+k)} - 1].
— H: a hash function that outputs k-bit message digest.
— H_Г: a hash function that outputs (2l_p)-bit message digest.
6.2.2 Key generation process
The key generation process has two parts: a setup process and a group membership issuing process.
The setup process is executed by the group membership issuer to create the group public parameter,
group public key, and group membership issuing key. The group membership issuing process is an
interactive protocol running between the group membership issuer and a group member to create a
unique group member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose the following parameters: l_p, k, l_x, l_e, l_E, l_X, ε.
b) Choose an RSA modulus n = pq with p = 2p’ + 1, q = 2q’ + 1 such that p, q, p’, q’ are all primes and p’ as well as q’ have l_p bits.
c) Choose a random generator a of the group of quadratic residues modulo n by performing the following steps:
1) Choose a random integer g in Z_n^* such that gcd(g+1, n) = 1 and gcd(g –1, n) = 1.
2) Compute a = g (mod n).
d) Choose a random generator a_0 of QR(n) different from a.
e) Choose a random generator g of QR(n) different from a and a_0.
f) Choose a random generator h of QR(n) different from a, a_0 and g.
g) Choose a random generator b of QR(n) different from a, a_0, g and h.
h) The group membership issuer chooses two hash functions H: {0, 1}* → {0, 1}^k and H_Г: {0, 1}* → {0, 1}^{2l_p}. An example of how to construct H_Г is provided in Annex B.
i) Output the following:
— group public parameter = (l_p, k, l_x, l_e, l_E, l_X, ε),
— group public key = (n, a, a_0, g, h, b),
— group membership issuing key = (p’, q’).
NOTE An example of recommended parameters is provided in Annex C.2.
The group membership issuing process may require a secure and authentic channel between the
member and the group membership issuer to prevent the group membership credential from being
observed by an eavesdropper. How to establish such a channel is out of scope of this mechanism. The
group membership issuing process is as follows:
a) The group member chooses a random integer x’ ∈ [0, 2^{l_x} − 1].
b) The member chooses a random integer ř ∈ [0, 2n −1].
c) The member computes C_1 = g^{x’} h^{ř} (mod n).
d) The member generates a proof of knowledge U of the representation (x’, ř) of C_1 in the bases g and h by performing the following steps:
1) The member chooses a random integer t_1 ∈ [0, 2^{ε(l_x+k)} - 1].
2) The member chooses a random integer t_2 ∈ [0, 2^{ε(2l_p+k+1)} - 1].
3) The member computes D = g^{t_1} h^{t_2} (mod n).
4) The member computes ĉ = H(g || h || C_1 || D).
5) The member computes ŝ_1 = t_1 - ĉ x’.
6) The member computes ŝ_2 = t_2 - ĉ ř.
7) U = (ĉ, ŝ_1, ŝ_2).
e) The member sends C_1 and U to the group membership issuer.
f) The group membership issuer receives C_1 and U from the member.
g) The group membership issuer verifies that C_1 belongs to QR(n) by performing the following step:
1) The group membership issuer checks that (C_1|p) = 1 and that (C_1|q) = 1. If either of these verifications fails, the group membership issuer outputs Reject and stops.
h) The group membership issuer verifies the proof of knowledge U by performing the following steps:
1) The group membership issuer computes D’ = g^{ŝ_1} h^{ŝ_2} C_1^{ĉ} (mod n).
2) The group membership issuer computes ċ = H(g || h || C_1 || D’).
3) The group membership issuer checks that ċ = ĉ, ŝ_1 belongs to [-2^{l_x+k}, 2^{ε(l_x+k)} - 1] and ŝ_2 belongs to [-2^{2l_p+k+1}, 2^{ε(2l_p+k+1)} - 1]. If any of these verifications fails, the group membership issuer outputs Reject and stops.
i) The group membership issuer chooses a random odd integer α ∈ [0, 2^{l_x} − 1].
j) The group membership issuer chooses a random integer β ∈ [0, 2^{l_x} − 1].
k) The group membership issuer sends α and β to the member.
l) The member receives α and β from the group membership issuer.
m) The member computes x = 2^{l_X} + (αx’ + β (mod 2^{l_x})).
n) The member computes C_2 = a^x (mod n).
o) The member computes υ = (αx’ + β) | 2^{l_x}.
p) The member generates a proof of knowledge V of the discrete logarithm x of C_2 in base a by performing the following steps:
1) The member chooses a random integer r’ ∈ [0, 2^{ε(l_x+k)} - 1].
2) The member computes d’ = a^{r’} (mod n).
3) The member computes c’ = H(a || g || C_2 || d’).
4) The member computes s’ = r’ – c’(x - 2^{l_X}).
5) The member sets V = (c’, s’).
q) The member generates a proof of knowledge W by performing the following steps:
1) The member chooses a random integer $r_1 \in [0,\ 2^{\varepsilon(l_x+k)} - 1]$.
2) The member chooses a random integer $r_2 \in [0,\ 2^{\varepsilon(l_x+k)} - 1]$.
3) The member chooses a random integer $r_3 \in [0,\ 2^{\varepsilon(l_x+2l_p+k+1)} - 1]$.
4) The member computes $d_1 = a^{r_1} \pmod{n}$.
5) The member computes $d_2 = g^{r_1} (g^{l})^{r_2} h^{r_3} \pmod{n}$ where $l = 2^{l_x}$.
6) The member computes $c = H(a \,\|\, g \,\|\, h \,\|\, C_1 \,\|\, C_2 \,\|\, d_1 \,\|\, d_2)$.
7) The member computes $s_1 = r_1 - c(x - 2^{l_X})$.
8) The member computes $s_2 = r_2 - c\upsilon$.
9) The member computes $s_3 = r_3 - c\alpha\check{r}$.
10) The member sets $W = (c, s_1, s_2, s_3)$.
r) The member sends $C_2$, V and W to the group membership issuer.
s) The group membership issuer receives $C_2$, V and W from the member.
t) The group membership issuer checks that $C_2$ belongs to QR(n) by performing the following step:
1) The group membership issuer checks that $(C_2 \mid p) = 1$ and that $(C_2 \mid q) = 1$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
u) The group membership issuer verifies the proof of knowledge V by performing the following steps:
1) The group membership issuer computes $s_0 = s' - c'\, 2^{l_X}$.
2) The group membership issuer computes $t' = C_2^{c'} a^{s_0} \pmod{n}$.
3) The group membership issuer computes $c'' = H(a \,\|\, g \,\|\, C_2 \,\|\, t')$.
4) The group membership issuer checks that $c'' = c'$ and that $s' \in [-2^{l_x+k},\ 2^{\varepsilon(l_x+k)} - 1]$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
v) The group membership issuer verifies the proof of knowledge W by performing the following steps:
1) The group membership issuer computes $t_1 = (C_2 / a^{L})^{c}\, a^{s_1} \pmod{n}$ where $L = 2^{l_X}$.
2) The group membership issuer computes $t_2 = (C_1^{\alpha} g^{\beta})^{c}\, g^{s_1} (g^{l})^{s_2} h^{s_3} \pmod{n}$ where $l = 2^{l_x}$.
3) The group membership issuer computes $c''' = H(a \,\|\, g \,\|\, h \,\|\, C_1 \,\|\, C_2 \,\|\, t_1 \,\|\, t_2)$.
4) The group membership issuer checks that: $c''' = c$, $s_1$ belongs to $[-2^{l_x+k},\ 2^{\varepsilon(l_x+k)} - 1]$, $s_2$ belongs to $[-2^{l_x+k},\ 2^{\varepsilon(l_x+k)} - 1]$ and that $s_3$ belongs to $[-2^{l_x+2l_p+k+1},\ 2^{\varepsilon(l_x+2l_p+k+1)} - 1]$. If any of these verifications fails, the group membership issuer outputs Reject and stops.
w) The group membership issuer chooses a random prime $e \in [2^{l_E} - 2^{l_e} + 1,\ 2^{l_E} + 2^{l_e} - 1]$.
x) The group membership issuer computes $đ_1 = 1/e \pmod{p'q'}$.
y) The group membership issuer computes $A = (a_0 C_2)^{đ_1} \pmod{n}$.
z) The group membership issuer stores (A, e, Member) in member-list LIST.
aa) The group membership issuer sends A and e to the member.
bb) The member receives A and e from the group membership issuer.
cc) The member checks that $A^{e} = a_0\, a^{x} \pmod{n}$.
dd) The group member signature key of the signer is (A, e, x), in which x is the group member private
key and (A, e) is the group membership credential.
6.2.3 Signature process
On input of a group public key $(n, a, a_0, g, h, b)$, a group member signature key $(A, e, x)$, a linking base bsn, and a message $m \in \{0, 1\}^*$ to be signed, the signature process takes the following steps. The linking base is used for the linking capability. It is chosen by the group membership issuer or any other trusted authority.
a) The member computes $f = (H_\Gamma(\mathrm{bsn}))^{2} \pmod{n}$.
b) The member chooses a random integer $w_1 \in [0,\ 2^{2l_p} - 1]$.
c) The member chooses a random integer $w_2 \in [0,\ 2^{2l_p} - 1]$.
d) The member chooses a random integer $w_3 \in [0,\ 2^{2l_p} - 1]$.
e) The member computes $T_1 = A\, b^{w_1} \pmod{n}$.
f) The member computes $T_2 = g^{w_1} h^{w_2} \pmod{n}$.
g) The member computes $T_3 = g^{e} h^{w_3} \pmod{n}$.
h) The member computes $T_4 = f^{x} \pmod{n}$.
i) The member chooses a random integer $r_1 \in [0,\ 2^{\varepsilon(l_e+k)} - 1]$.
j) The member chooses a random integer $r_2 \in [0,\ 2^{\varepsilon(l_x+k)} - 1]$.
k) The member chooses a random integer $r_3 \in [0,\ 2^{\varepsilon(2l_p+k)} - 1]$.
l) The member chooses a random integer $r_4 \in [0,\ 2^{\varepsilon(2l_p+k)} - 1]$.
m) The member chooses a random integer $r_5 \in [0,\ 2^{\varepsilon(2l_p+k)} - 1]$.
n) The member chooses a random integer $r_9 \in [0,\ 2^{\varepsilon(2l_p+l_e+k)} - 1]$.
o) The member chooses a random integer $r_{10} \in [0,\ 2^{\varepsilon(2l_p+l_e+k)} - 1]$.
p) The member computes $d_1 = T_1^{r_1} / (a^{r_2} b^{r_9}) \pmod{n}$.
q) The member computes $d_2 = T_2^{r_1} / (g^{r_9} h^{r_{10}}) \pmod{n}$.
r) The member computes $d_3 = g^{r_3} h^{r_4} \pmod{n}$.
s) The member computes $d_4 = g^{r_1} h^{r_5} \pmod{n}$.
t) The member computes $d_5 = f^{r_2} \pmod{n}$.
u) The member computes $c = H(a \,\|\, a_0 \,\|\, g \,\|\, h \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4 \,\|\, d_1 \,\|\, d_2 \,\|\, d_3 \,\|\, d_4 \,\|\, d_5 \,\|\, m)$.
v) The member computes $s_1 = r_1 - c(e - 2^{l_E})$.
w) The member computes $s_2 = r_2 - c(x - 2^{l_X})$.
x) The member computes $s_3 = r_3 - c w_1$.
y) The member computes $s_4 = r_4 - c w_2$.
z) The member computes $s_5 = r_5 - c w_3$.
aa) The member computes $s_9 = r_9 - c e w_1$.
bb) The member computes $s_{10} = r_{10} - c e w_2$.
cc) The member sets the signature as $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$.
6.2.4 Verification process
On input of a message m, a linking base bsn, a signature $(c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$, a group public key $(n, a, a_0, g, h, b)$, the verification process takes the following steps:
a) The verifier computes $f = (H_\Gamma(\mathrm{bsn}))^{2} \pmod{n}$.
b) The verifier computes $t_1 = a_0^{c}\, T_1^{s_1 - c l'} / (a^{s_2 - cL}\, b^{s_9}) \pmod{n}$ where $l' = 2^{l_E}$ and $L = 2^{l_X}$.
c) The verifier computes $t_2 = T_2^{s_1 - c l'} / (g^{s_9} h^{s_{10}}) \pmod{n}$ where $l' = 2^{l_E}$.
d) The verifier computes $t_3 = T_2^{c}\, g^{s_3} h^{s_4} \pmod{n}$.
e) The verifier computes $t_4 = T_3^{c}\, g^{s_1 - c l'} h^{s_5} \pmod{n}$ where $l' = 2^{l_E}$.
f) The verifier computes $t_5 = T_4^{c}\, f^{s_2 - cL} \pmod{n}$ where $L = 2^{l_X}$.
g) The verifier computes $c' = H(a \,\|\, a_0 \,\|\, g \,\|\, h \,\|\, T_1 \,\|\, T_2 \,\|\, T_3 \,\|\, T_4 \,\|\, t_1 \,\|\, t_2 \,\|\, t_3 \,\|\, t_4 \,\|\, t_5 \,\|\, m)$.
h) If $c' = c$, $s_1$ belongs to $[-2^{l_e+k},\ 2^{\varepsilon(l_e+k)} - 1]$, $s_2$ belongs to $[-2^{l_x+k},\ 2^{\varepsilon(l_x+k)} - 1]$, $s_3$ belongs to $[-2^{2l_p+k},\ 2^{\varepsilon(2l_p+k)} - 1]$, $s_4$ belongs to $[-2^{2l_p+k},\ 2^{\varepsilon(2l_p+k)} - 1]$, $s_5$ belongs to $[-2^{2l_p+k},\ 2^{\varepsilon(2l_p+k)} - 1]$, $s_9$ belongs to $[-2^{2l_p+l_e+k},\ 2^{\varepsilon(2l_p+l_e+k)} - 1]$, $s_{10}$ belongs to $[-2^{2l_p+l_e+k},\ 2^{\varepsilon(2l_p+l_e+k)} - 1]$, then return 1 (valid).
i) Else return 0 (invalid).
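The signature process of 6.2.3 and the verification process of 6.2.4, as added example code that is not part of the standard. The toy modulus and bases, the parameter sizes, the encoding used for H, the stand-in for H_Г, and the `issue`, `rnd`, `base_f` and `KEY` names are assumptions made here; `issue` replaces the interactive key generation with the issuer's final computation so that a key satisfying A^e = a_0 a^x is available.

```python
import hashlib, secrets

# Constructed toy parameters (far too small for real use; not the standard's sizes).
P1, Q1 = 509, 1019                          # p', q'; p = 2p'+1 and q = 2q'+1 are prime
n = (2 * P1 + 1) * (2 * Q1 + 1)
a, a0, g, h, b = (pow(v, 2, n) for v in (2, 3, 5, 7, 11))  # squares, hence in QR(n)
lp, k, lx, le, lE, lX, eps = 10, 256, 8, 8, 16, 16, 2

def H(*parts):                              # assumed encoding of "||" (not the standard's)
    data = "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def base_f(bsn):                            # f = (H_Gamma(bsn))^2 mod n; H_Gamma assumed
    return pow(H("bsn", bsn) % n, 2, n)

def issue(x, e):                            # issuer steps x)-y): A^e = a0 * a^x (mod n)
    return pow(a0 * pow(a, x, n), pow(e, -1, P1 * Q1), n)

def rnd(bits, count=1):
    return [secrets.randbelow(2 ** bits) for _ in range(count)]

X, E = 2**lX + 77, 2**lE + 1                # constructed member key; E = 65537 is prime
KEY = (issue(X, E), E, X)                   # (A, e, x)

def sign(key, bsn, m):
    (A, e, x), f = key, base_f(bsn)
    w1, w2, w3 = rnd(2 * lp, 3)
    T1, T2 = A * pow(b, w1, n) % n, pow(g, w1, n) * pow(h, w2, n) % n
    T3, T4 = pow(g, e, n) * pow(h, w3, n) % n, pow(f, x, n)
    (r1,), (r2,) = rnd(eps * (le + k)), rnd(eps * (lx + k))
    (r3, r4, r5), (r9, r10) = rnd(eps * (2*lp + k), 3), rnd(eps * (2*lp + le + k), 2)
    d1 = pow(T1, r1, n) * pow(pow(a, r2, n) * pow(b, r9, n), -1, n) % n
    d2 = pow(T2, r1, n) * pow(pow(g, r9, n) * pow(h, r10, n), -1, n) % n
    d3, d4 = pow(g, r3, n) * pow(h, r4, n) % n, pow(g, r1, n) * pow(h, r5, n) % n
    c = H(a, a0, g, h, T1, T2, T3, T4, d1, d2, d3, d4, pow(f, r2, n), m)
    return (c, r1 - c * (e - 2**lE), r2 - c * (x - 2**lX), r3 - c * w1, r4 - c * w2,
            r5 - c * w3, r9 - c * e * w1, r10 - c * e * w2, T1, T2, T3, T4)

def verify(sig, bsn, m):
    c, s1, s2, s3, s4, s5, s9, s10, T1, T2, T3, T4 = sig
    f, u1, u2 = base_f(bsn), s1 - c * 2**lE, s2 - c * 2**lX   # s1 - c*l', s2 - c*L
    t1 = pow(a0, c, n) * pow(T1, u1, n) * pow(pow(a, u2, n) * pow(b, s9, n), -1, n) % n
    t2 = pow(T2, u1, n) * pow(pow(g, s9, n) * pow(h, s10, n), -1, n) % n
    t3 = pow(T2, c, n) * pow(g, s3, n) * pow(h, s4, n) % n
    t4 = pow(T3, c, n) * pow(g, u1, n) * pow(h, s5, n) % n
    t5 = pow(T4, c, n) * pow(f, u2, n) % n
    bits = [le + k, lx + k] + [2*lp + k] * 3 + [2*lp + le + k] * 2
    in_range = all(-2**l <= s < 2**(eps * l) for s, l in zip(sig[1:8], bits))
    return int(in_range and c == H(a, a0, g, h, T1, T2, T3, T4, t1, t2, t3, t4, t5, m))
```

Each t_i recomputed by the verifier equals the signer's d_i only when A^e = a_0 a^x holds for the hidden (A, e, x), which is why a changed message or a modified s value changes the hash and yields 0.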
6.2.5 Linking process
Given two valid signatures $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ and $\sigma' = (c', s_1', s_2', s_3', s_4', s_5', s_9', s_{10}', T_1', T_2', T_3', T_4')$ computed using a linking base bsn, the linking process takes the following step:
a) If $T_4 = T_4'$, output 1 (linked), otherwise, output 0 (not linked).
6.2.6 Revocation process
Details of the revocation process in this mechanism are surveyed in [10]. There are two types of
revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either a global revocation or a local revocation. Verifier blacklist
revocation is a local revocation.
Private key revocation:
— If a group member signature key (A, e, x) is compromised, the group membership issuer or a verifier
puts x into a revocation list RL of this type.
— Given a valid signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: For each $x' \in RL$, verify $T_4 \neq (H_\Gamma(\mathrm{bsn}))^{2x'} \pmod{n}$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members.
Verifier blacklist revocation:
— If signatures were computed using a linking base bsn, a verifier can build its own revocation list RL corresponding to bsn. If the verifier wants to blacklist the signer of a signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$, she puts $T_4$ into a revocation list RL of this type.
— Given a valid signature $\sigma = (c, s_1, s_2, s_3, s_4, s_5, s_9, s_{10}, T_1, T_2, T_3, T_4)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: For each $T_4' \in RL$, verify $T_4 \neq T_4'$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE In order to use verifier blacklist revocation in this mechanism, a signer is required to use a specific
linking base for each verifier. The value of the linking base could, for example, be chosen by the verifier or agreed
in advance by the signer and verifier.
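The linking process of 6.2.5 and the two revocation checks of 6.2.6, as added example code that is not part of the standard. The toy modulus, the stand-in for H_Г, and the names `h_gamma`, `t4`, `sample_sig` and `VerifierBlacklist` are assumptions made here; the sample signatures are constructed with only T_4 populated, since these processes take signatures that have already been verified and read nothing else.

```python
import hashlib

n = 1019 * 2039        # constructed toy modulus; a real n comes from the group public key

def h_gamma(bsn):      # assumed stand-in for H_Gamma: SHA-256 reduced mod n
    digest = hashlib.sha256(("bsn|" + bsn).encode()).digest()
    return int.from_bytes(digest, "big") % n

def t4(x, bsn):        # T_4 = f^x with f = (H_Gamma(bsn))^2, as in signature step h)
    return pow(h_gamma(bsn), 2 * x, n)

def sample_sig(x, bsn):
    """Constructed signature tuple: only T_4 is real, the proof part is zeroed."""
    return (0,) * 11 + (t4(x, bsn),)

def link(sig, sig2):   # 6.2.5: both signatures valid and computed under the same bsn
    return int(sig[-1] == sig2[-1])

def check_private_key_rl(sig, bsn, rl):
    """Private key revocation: 0 (revoked) if T_4 matches a leaked x' in rl, else 1."""
    base = h_gamma(bsn)
    return int(all(sig[-1] != pow(base, 2 * x, n) for x in rl))

class VerifierBlacklist:
    """Verifier blacklist revocation: one list of T_4 values per linking base."""
    def __init__(self):
        self.lists = {}

    def ban(self, sig, bsn):
        self.lists.setdefault(bsn, set()).add(sig[-1])

    def check(self, sig, bsn):      # 0 (revoked) or 1 (valid)
        return int(sig[-1] not in self.lists.get(bsn, set()))
```

A signer banned under one linking base is not recognised under another, which is why the NOTE above requires a specific linking base for each verifier.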
6.3 Mechanism 2
6.3.1 Symbols
The following symbols apply in the specification of this mechanism.
— $l_n, l_f, l_e, l'_e, l_v, l_\emptyset, l_H, l_r, l_s, l_\Gamma, l_\rho$: security parameters.
— $p', q', \rho, \Gamma, e$: prime numbers.
— $g', g, h, S, Z, R_0, R_1, U, U', A, A', T, T_t'$: integers in QR(n).
— $x_0, x_1, x_z, x_s, x_h, x_g, s_e, r_e$: integers in $[1, p' \cdot q']$.
— $\gamma, J_I, K_I, K_I', J, K, J', K'$: integers whose multiplicative order modulo $\Gamma$ is $\rho$.
— $f, f'$: integers in $[0, \rho - 1]$.
— $f_0, f_1$: $l_f$-bit integers.
— $c_h, c, c', n_I, n_V$: $l_H$-bit integers.
— $n_T, n_H$: $l_\emptyset$-bit integers.
— $t, t_2, r_f$: $(2l_f + l_\emptyset + l_H + 1)$-bit integers.
— $t_1$: $(l_e + l_H)$-bit integer.
— $r_0, r_1$: $(l_f + l_\emptyset + l_H)$-bit integers.
— $r_v$: $(l_v + l_\emptyset + l_H)$-bit integer.
— r : (l + l + 2l + l + 1)-bit integer.
v* e n
...
