ISO/IEC 20008-2:2013/Amd 2:2023
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes — Partie 2: Mécanismes utilisant une clé publique de groupe — Amendement 2
INTERNATIONAL STANDARD ISO/IEC 20008-2
First edition 2013-11-15
AMENDMENT 2 2023-04
Reference number: ISO/IEC 20008-2:2013/Amd. 2:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Clause 4
Add the following symbol:
F(p) the finite field containing exactly p elements.
6.1
Replace the first sentence with the following:
This clause specifies five digital signature mechanisms with linking capability.
Replace the text of NOTE 1 with the following:
In the literature, the mechanism of 6.2 is called a list signature scheme, the mechanism of 6.6 is
called a pre-DAA scheme and the mechanisms of 6.3, 6.4 and 6.5 are called DAA schemes. The
mechanisms given in 6.2, 6.4, 6.5 and 6.6 are based on schemes originally specified in References [9],
[6], [11] and [22] respectively, in which security proofs can also be found. The mechanism in 6.3 is
based on a scheme in Reference [3] which is a minor modification of the scheme in Reference [4];
the associated security analysis is given in the full version of Reference [4].
6.6
Add new subclause 6.6 as follows:
6.6 Mechanism 8
6.6.1 Symbols
The following symbols apply in the specification of this mechanism.
— $\tau$: a security parameter.
— $P_1$, $Q_1$, $X_1$, $Y_1$, $X_1'$, $\bar{X}_1$, $C_1$, $D$, $D'$, $T_1$, $T_2$, $K_1$, $K_2$, $K$, $K_1'$, $K_2'$, $K'$, $J$, $T_1'$, $T_2'$, $R$, $R'$, $T$, $T'$, $R''$, $T''$: elements of $G_1$.
— $P_2$, $X_2$, $Y_2$, $X_2'$, $\bar{X}_2$: elements of $G_2$.
— $x$, $y$, $z$, $x'$, $z'$, $c_k$, $s_x$, $s_z$, $c_k'$, $s_1$, $u$, $v$, $w$, $v'$, $r$, $s_2$, $k_r$, $k_x$, $k_z$, $c$, $z_r$, $z_x$, $z_z$, $c'$, $s$, $l$, $k_s$, $c_m$, $\rho$, $c_m'$: integers in $\mathbb{Z}_p$.
— $n_I$: an integer of size $\tau$-bit.
— $H_1$: a hash function that outputs elements in $G_1$.
— $H_2$, $H_3$: hash functions that output elements in $\mathbb{Z}_p$.
6.6.2 Key generation process
The key generation process has two parts: setup process and group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose τ as a security parameter.
b) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e: G_1 \times G_2 \to G_T$.
c) Choose two random independent generators $P_1$ and $Q_1$ of $G_1$ and provide additional information, denoted by $\pi_{Gen}$, that serve to demonstrate that these two generators were indeed chosen independently, that is without a potentially exploitable relationship between them (such as $Q_1 = [s]P_1$ for an integer $s$ chosen by the group membership issuer). An example of how to verifiably select independent generators and to verify, using $\pi_{Gen}$, the correct generation of these generators, is given in Annex G.
d) Choose a random generator $P_2$ of $G_2$.
e) Choose three hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to \mathbb{Z}_p$ and $H_3: \{0,1\}^* \to \mathbb{Z}_p$. An example of how to construct such hash functions is provided in Annex B.
f) Choose three random integers $x$, $y$ and $z$ in $\mathbb{Z}_p$.
g) Compute $X_1 = [z]P_1 + [x]Q_1$, $Y_1 = [y]P_1$, $X_2 = [x]P_2$ and $Y_2 = [y]P_2$.
h) Choose two random integers $x'$ and $z'$ in $\mathbb{Z}_p$.
i) Compute $X_1' = [z']P_1 + [x']Q_1$ and $X_2' = [x']P_2$.
j) Compute $c_k = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| X_1' \| X_2')$.
k) Compute $s_x = (x' + c_k \times x) \bmod p$ and $s_z = (z' + c_k \times z) \bmod p$.
l) Set $\pi_{Val} = (c_k, s_x, s_z)$ as a proof that the second component of the representation of $X_1$ in the base $P_1$ and $Q_1$ is equal to the discrete logarithm of $X_2$ in the base $P_2$.
m) Output the following:
— group public parameter = $(G_1, G_2, G_T, e, P_1, Q_1, P_2, p, H_1, H_2, H_3)$,
— group public key = $(X_1, Y_1, X_2, Y_2, \pi_{Gen}, \pi_{Val})$,
— group membership issuing key = $(x, y, z)$.
NOTE 1 Examples of recommended parameters are provided in C.2.
Each entity involved in this anonymous signature mechanism should verify the validity of the group
public key before using it. The group public key validity verification process includes the following
steps:
a) Verify that $P_1$ and $Q_1$ were generated independently using $\pi_{Gen}$.
b) Verify the validity of the proof $\pi_{Val}$:
1) Compute $\bar{X}_1 = [s_z]P_1 + [s_x]Q_1 - [c_k]X_1$ and $\bar{X}_2 = [s_x]P_2 - [c_k]X_2$.
2) Compute $c_k' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| \bar{X}_1 \| \bar{X}_2)$.
3) Verify that $c_k = c_k'$.
c) Verify that $e(Y_1, P_2) = e(P_1, Y_2)$.
d) If any of the above verifications fails, output 0 (invalid), otherwise output 1 (valid).
The group membership issuing process requires a secure and authentic channel between the group
member and the group membership issuer. How to establish such a channel is out of scope of this
mechanism. The group membership issuing process includes the following steps:
a) The group membership issuer chooses a nonce $n_I \in \{0,1\}^{\tau}$.
b) The group membership issuer sends $n_I$ to the member.
c) The member chooses a random integer $s_1$ from $\mathbb{Z}_p$.
d) The member computes $C_1 = [s_1]Y_1$.
e) The member chooses a random integer $u$ from $\mathbb{Z}_p$.
f) The member computes $D = [u]Y_1$.
g) The member computes $v = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D \| n_I)$.
h) The member computes $w = (u + v \times s_1) \bmod p$.
i) The member sends $(C_1, v, w)$ to the group membership issuer.
j) The group membership issuer computes $D' = [w]Y_1 - [v]C_1$.
k) The group membership issuer computes $v' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D' \| n_I)$.
l) The group membership issuer verifies $v = v'$. If the verification fails, abort the group membership issuing process.
m) The group membership issuer selects five random integers $r$, $s_2$, $k_r$, $k_x$ and $k_z$ from $\mathbb{Z}_p$.
n) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [x]T_1 + [r]C_1 + [r \times s_2]Y_1$.
o) The group membership issuer computes $K_1 = [k_r]P_1$, $K_2 = [k_x]T_1 + [k_r](C_1 + [s_2]Y_1)$ and $K = [k_z]P_1 + [k_x]Q_1$.
p) The group membership issuer computes $c = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K_1 \| K_2 \| K)$.
q) The group membership issuer computes $z_r = (k_r + c \times r) \bmod p$, $z_x = (k_x + c \times x) \bmod p$ and $z_z = (k_z + c \times z) \bmod p$.
r) The group membership issuer sets $(T_1, T_2)$ as the member’s group membership credential and sends $(T_1, T_2, s_2, c, z_r, z_x, z_z)$ to the member.
s) The member computes $K_1' = [z_r]P_1 - [c]T_1$, $K_2' = [z_x]T_1 + [z_r](C_1 + [s_2]Y_1) - [c]T_2$ and $K' = [z_z]P_1 + [z_x]Q_1 - [c]X_1$.
t) The member computes $c' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K_1' \| K_2' \| K')$.
u) The member verifies $c = c'$. If the verification fails, the member aborts.
v) The member computes $s = (s_1 + s_2) \bmod p$.
w) The group member signature key for the member is $(s, T_1, T_2)$.
NOTE 2 The group membership issuer can use the same value $s_2$ (for example $s_2 = 0 \bmod p$) for several executions of the group membership issuing process. In this case, the security of Mechanism 8 relies on the Pointcheval-Sanders (PS) assumption [24], instead of the q-MSDH assumption [25] if the group membership issuer uses a fresh random value $s_2$ for each new session of the group membership issuing process.
6.6.3 Signature process
On input of a group member signature key $(s, T_1, T_2)$, a linking base bsn and a message $m \in \{0,1\}^*$ to be signed, the signature process takes the following steps. The linking base, denoted by bsn, is either a special symbol ⊥ or an arbitrary string used for the linking capability.
a) If bsn = ⊥, the signer chooses a random $J$ from $G_1$, otherwise, computes $J = H_1(bsn)$.
b) The signer selects two random integers $l$ and $k_s$ in $\mathbb{Z}_p$.
c) The signer computes $T_1' = [l]T_1$ and $T_2' = [l]T_2$.
d) The signer computes $R = [s]T_1'$ and $R' = [k_s]T_1'$.
e) The signer computes $T = [s]J$ and $T' = [k_s]J$.
f) The signer computes $c_m = H_3(T_1' \| T_2' \| J \| T \| R \| T' \| R' \| m)$.
g) The signer computes $\rho = (k_s + c_m \times s) \bmod p$.
h) The signer outputs the anonymous signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$.
6.6.4 Verification process
On input of a message $m$, a linking base bsn, a signature $(T_1', T_2', J, R, T, c_m, \rho)$ and a group public key $(X_1, Y_1, X_2, Y_2)$, the verification process takes the following steps:
a) If bsn ≠ ⊥, verify that $J = H_1(bsn)$.
b) Verify that $T_1' \neq O_E$.
c) If any of the above verifications fails, output 0 (invalid).
d) Compute $R'' = [\rho]T_1' - [c_m]R$.
e) Compute $T'' = [\rho]J - [c_m]T$.
f) Compute $c_m' = H_3(T_1' \| T_2' \| J \| T \| R \| T'' \| R'' \| m)$.
g) Verify that $c_m' = c_m$.
h) Verify that $e(T_1', X_2) \times e(R, Y_2) = e(T_2', P_2)$.
i) Optionally, call the revocation checking process.
j) If any of the above verifications (steps g and h) fails, output 0 (invalid). Otherwise, output 1 (valid).
6.6.5 Linking process
Given two valid signatures $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ and $\hat{\sigma} = (\hat{T}_1', \hat{T}_2', \hat{J}, \hat{R}, \hat{T}, \hat{c}_m, \hat{\rho})$, the linking process takes the following steps:
a) If $J = \hat{J}$ and $T = \hat{T}$, output 1 (linked), otherwise, output 0 (not linked).
NOTE If the linking process outputs 0 because of $J \neq \hat{J}$, it means that the linking process cannot determine whether two signatures were created by the same group member.
6.6.6 Revocation process
Details of the revocation process in this mechanism are surveyed in Reference [10]. There are two types
of revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either global revocation or local revocation. Verifier blacklist revocation
is a local revocation.
Private key revocation:
— If a group member signature key $(s, T_1, T_2)$ is compromised, the group membership issuer puts $s$ into a revocation list RL of this type.
— Given a valid signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: for each $s' \in$ RL, verify $T \neq [s']J$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members. This revocation process allows to identify
every group signature generated using this private key. If this key can be associated with a group member (e.g.
by using contextual information), then no anonymity can be retained for this group member as their signatures
can therefore be traced. This is a property inherent to DAA schemes. Thus, a careful assessment of the need for
revocation and the consequences for the corresponding group member will be carried out before deployment.
Verifier blacklist revocation:
— If signatures were computed using a linking base bsn, a verifier can build its own revocation list RL corresponding to bsn. If the verifier wants to blacklist the signer of a valid signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$, they put $T$ into a revocation list RL of this type.
— Given a signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking base bsn and a revocation list RL of this type, a verifier can check revocation of this signature as follows: for each $\hat{T} \in$ RL, verify $T \neq \hat{T}$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
In order to use verifier blacklist revocation in this mechanism, a signer must use a specific linking base
for each verifier. The value of the linking base can, for example, be chosen by the verifier or agreed in
advance by the signer and verifier.
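Added example, not part of the standard: a Python run of the Mechanism 8 signature, verification, linking and revocation equations. Group elements are represented by their discrete logarithms, so the code has no security and only exercises the algebra; the modulus `p`, the SHA-256 stand-in `H` and all function names are assumptions made for this illustration, and the two proofs of the issuing process are omitted.

```python
# Added illustration, not part of ISO/IEC 20008-2. NOT SECURE: every group element
# is stored as its discrete logarithm, so [k]A is k*A mod p, the pairing e(A, B)
# is A*B mod p and multiplication in G_T becomes addition mod p.
import hashlib
import secrets

p = 2**127 - 1   # constructed prime standing in for the group order
P1 = P2 = 1      # generators P_1 and P_2 in the toy representation

def rand():
    """Random non-zero integer in Z_p."""
    return secrets.randbelow(p - 1) + 1

def H(tag, *parts):
    """Stand-in for H_1 / H_3 (assumed SHA-256 construction, not the one of Annex B)."""
    data = "|".join([tag] + [str(x) for x in parts]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p or 1

def setup():
    """Issuer secrets x, y and the public key parts used by sign and verify."""
    x, y = rand(), rand()
    return (x, y), {"Y1": y * P1 % p, "X2": x * P2 % p, "Y2": y * P2 % p}

def issue(isk, gpk):
    """Issuing steps c), d), m), n), v), w); both proofs of knowledge are omitted."""
    x, _ = isk
    s1, s2, r = rand(), rand(), rand()
    C1 = s1 * gpk["Y1"] % p
    T1 = r * P1 % p
    T2 = (x * T1 + r * C1 + r * s2 * gpk["Y1"]) % p
    return ((s1 + s2) % p, T1, T2)

def sign(key, bsn, m):
    """6.6.3; bsn=None plays the role of the special symbol for 'no linking base'."""
    s, T1, T2 = key
    J = rand() if bsn is None else H("H1", bsn)
    l, ks = rand(), rand()
    T1p, T2p = l * T1 % p, l * T2 % p
    R, Rp = s * T1p % p, ks * T1p % p
    T, Tp = s * J % p, ks * J % p
    cm = H("H3", T1p, T2p, J, T, R, Tp, Rp, m)
    return (T1p, T2p, J, R, T, cm, (ks + cm * s) % p)

def verify(gpk, bsn, m, sig, key_rl=(), blacklist=()):
    """6.6.4 followed by both revocation checks of 6.6.6; returns 1 or 0."""
    T1p, T2p, J, R, T, cm, rho = sig
    if bsn is not None and J != H("H1", bsn):
        return 0
    if T1p == 0:                                   # T_1' must differ from O_E
        return 0
    Rpp = (rho * T1p - cm * R) % p                 # R'' = [rho]T_1' - [c_m]R
    Tpp = (rho * J - cm * T) % p                   # T'' = [rho]J - [c_m]T
    if cm != H("H3", T1p, T2p, J, T, R, Tpp, Rpp, m):
        return 0
    if (T1p * gpk["X2"] + R * gpk["Y2"]) % p != T2p * P2 % p:
        return 0                                   # pairing equation of step h)
    if any(T == sr * J % p for sr in key_rl):      # private key revocation
        return 0
    if T in blacklist:                             # verifier blacklist revocation
        return 0
    return 1

def link(sig_a, sig_b):
    """6.6.5: linked only when both J and T coincide."""
    return 1 if (sig_a[2], sig_a[4]) == (sig_b[2], sig_b[4]) else 0
```

A blacklist entry `T` only matches signatures made under the same linking base, which is why 6.6.6 requires a specific linking base per verifier.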
7.1
Replace the first sentence with the following:
This clause specifies three digital signature mechanisms with opening capability.
Replace the text of NOTE with the following:
The mechanisms and associated security proofs in 7.2, 7.3 and 7.4 are based on References [17],
[14] and [23] (an extended version of Reference [24]), respectively.
7.4
Add new subclause 7.4 as follows:
7.4 Mechanism 9
7.4.1 Symbols
The following symbols apply in the specification of this mechanism.
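— $P_1$, $S_i$, $T_1$, $T_2$, $K$, $K'$, $T_1'$, $T_2'$: elements of $G_1$.
— $P_2$, $X$, $Y$, $A$, $B$, $Y_i$, $C_1$, $C_2$, $C_3$, $C_4$, $K_1$, $K_2$, $K_3$, $K_4$, $K_1'$, $K_2'$, $K_3'$, $K_4'$: elements of $G_2$.
— $W$, $W'$, $R$, $R_i$: elements of $G_T$.
— $x$, $y$, $a$, $b$, $s_i$, $u$, $v$, $k_s$, $k_u$, $k_v$, $c$, $z_s$, $z_u$, $z_v$, $c'$, $r$, $t$, $w$, $c_m$, $z$, $c_m'$: elements of $\mathbb{Z}_p$.
— $H$: a hash function that outputs elements in $\mathbb{Z}_p$.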
7.4.2 Key generation process
The group membership issuer key generation process takes the following steps:
a) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e: G_1 \times G_2 \to G_T$.
b) Choose a random generator $P_1$ of $G_1$ and a random generator $P_2$ of $G_2$.
c) Choose two random integers $x$ and $y$ in $\mathbb{Z}_p$.
d) Compute $X = [x]P_2$ and $Y = [y]P_2$.
e) Choose a hash function $H: \{0,1\}^* \to \mathbb{Z}_p$. Such a hash function shall be constructed as described in Annex B.
f) Output the following:
— group public parameters: $(G_1, G_2, G_T, e, p, H, P_1, P_2)$,
— group public key: $(X, Y)$,
— group membership issuing key: $(x, y)$.
The group membership opener key generation process takes the following steps:
a) Choose two random integers $a$ and $b$ in $\mathbb{Z}_p$.
b) Compute $A = [a]P_2$ and $B = [b]P_2$.
c) Output the following:
— group membership opener public key $(A, B)$,
— group membership opening key $(a, b)$.
The group membership issuer manages a member-list LIST = (LIST[1], …, LIST[n]) where n is the
number of group members who are registered so far. Each entry of the list contains information
associated with each registered user. This member-list LIST can be published but it will only be useful
to the group membership opener.
The group membership issuing process is an interactive protocol running between the group membership issuer and a user $U_i$ to create a group member signature key for the user. It consists of the following steps:
a) $U_i$ selects six random integers $s_i$, $u$, $v$, $k_s$, $k_u$ and $k_v$ in $\mathbb{Z}_p$.
b) $U_i$ computes $S_i = [s_i]P_1$ and $Y_i = [s_i]Y$.
c) $U_i$ computes $C_1 = [u]P_2$, $C_2 = Y_i + [u]A$, $C_3 = [v]P_2$, $C_4 = Y_i + [v]B$.
d) $U_i$ computes $K = [k_s]P_1$, $K_1 = [k_u]P_2$, $K_2 = [k_s]Y + [k_u]A$, $K_3 = [k_v]P_2$, $K_4 = [k_s]Y + [k_v]B$.
e) $U_i$ computes $c = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K \| K_1 \| K_2 \| K_3 \| K_4)$.
f) $U_i$ computes $z_s = (k_s + c \times s_i) \bmod p$, $z_u = (k_u + c \times u) \bmod p$ and $z_v = (k_v + c \times v) \bmod p$.
g) $U_i$ sends $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$ and $z_v$.
h) The group membership issuer computes $K' = [z_s]P_1 - [c]S_i$, $K_1' = [z_u]P_2 - [c]C_1$, $K_2' = [z_s]Y + [z_u]A - [c]C_2$, $K_3' = [z_v]P_2 - [c]C_3$ and $K_4' = [z_s]Y + [z_v]B - [c]C_4$.
i) The group membership issuer computes $c' = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K' \| K_1' \| K_2' \| K_3' \| K_4')$.
j) The group membership issuer checks if $c = c'$ and aborts if these two values are different.
k) The group membership issuer stores $(i, S_i, C_1, C_2, C_3, C_4, c, z_s, z_u, z_v)$ in LIST[i].
l) The group membership issuer selects a random integer $r$ in $\mathbb{Z}_p$.
m) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [r \times x]P_1 + [r \times y]S_i$.
n) The group membership issuer sends $T_1$ and $T_2$ to the user $U_i$.
o) The signature key of the group member $U_i$ is then $(s_i, T_1, T_2)$.
7.4.3 Signature process
On input of a group public key $(X, Y)$, a group member signature key $(s_i, T_1, T_2)$ owned by the signer and a message $m \in \{0,1\}^*$ to be signed, the signature process takes the following steps.
a) The signer selects two random integers $t$ and $w$ in $\mathbb{Z}_p$.
b) The signer computes $T_1' = [t]T_1$ and $T_2' = [t]T_2$.
c) The signer computes $W = e([w]T_1', Y)$.
d) The signer computes $c_m = H(T_1' \| T_2' \| W \| m)$.
e) The signer computes $z = (w + c_m \times s_i) \bmod p$.
f) The signer outputs the group signature $\sigma = (T_1', T_2', c_m, z)$.
7.4.4 Verification process
On input of a message $m \in \{0,1\}^*$, a group signature $\sigma = (T_1', T_2', c_m, z)$ and a group public key $(X, Y)$, the verification process takes the following steps:
a) Verify that $T_1' \neq O_E$. If this verification fails, output 0 (invalid).
b) Compute $W' = e([z]T_1', Y) \times e([-c_m]T_2', P_2) \times e([c_m]T_1', X)$.
c) Compute $c_m' = H(T_1' \| T_2' \| W' \| m)$.
d) Verify that $c_m' = c_m$ holds.
e) If the above verification fails, output 0 (invalid), otherwise, output 1 (valid).
7.4.5 Opening process
Given a group signature $\sigma = (T_1', T_2', c_m, z)$, the member-list LIST = (LIST[1], …, LIST[n]) and a group opening key $(a, b)$, the opening process takes the following steps:
a) Compute $R = e(T_2', P_2) \times e([-1]T_1', X)$.
b) For each $i \in [1, n]$,
1) Recover $(i, S_i, C_1, C_2, C_3, C_4, c, z_s, z_u, z_v)$ from LIST[i].
2) Compute $Y_i = C_2 + [-a]C_1$.
3) Verify if $e(T_1', Y_i) = R$.
4) If the above equation holds, output $i$.
7.4.6 Revocation process
The revocation process is a membership credential revocation. The group membership opener revokes a user $U_i$ by adding some element $R_i$ (defined below) specific to this user in a revocation list RL.
Revocation can thus be global but also local as any verifier is able to manage its own revocation list by deciding whether or not to include $R_i$. In all cases, the revocation process has no impact whatsoever on the signature process.
— To revoke a user $U_i$, the group membership opener, taking as input the group opening key and LIST = (LIST[1], …, LIST[n]), proceeds as follows:
a) Recovers $(i, S_i, C_1, C_2, C_3, C_4, c, z_s, z_u, z_v)$ from LIST[i].
b) Computes $R_i = C_2 + [-a]C_1$.
c) Adds $R_i$ in RL.
— Given a group signature $\sigma = (T_1', T_2', c_m, z)$ and a revocation list RL, test for each element $R_i$ in RL if $e(T_1', R_i) = e(T_2', P_2) \times e([-1]T_1', X)$. If this equality is satisfied by some element $R_i$ in RL, then output 0 (revoked). Otherwise, output 1 (valid).
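Added example, not part of the standard: a Python run of the Mechanism 9 signature, verification, opening and revocation equations, showing that the opener's value $C_2 + [-a]C_1$ identifies every signature of one member. Group elements are represented by their discrete logarithms, so the code has no security and only exercises the algebra; the modulus `p`, the SHA-256 stand-in `H` and all function names are assumptions made for this illustration, and the proof of issuing steps d) to j) is omitted.

```python
# Added illustration, not part of ISO/IEC 20008-2. NOT SECURE: group elements are
# stored as discrete logarithms, so [k]A is k*A mod p, the pairing e(A, B) is
# A*B mod p and multiplication in G_T becomes addition mod p.
import hashlib
import secrets

p = 2**127 - 1   # constructed prime standing in for the group order
P1 = P2 = 1      # generators P_1 and P_2 in the toy representation

def rand():
    return secrets.randbelow(p - 1) + 1

def H(*parts):
    """Stand-in for H (assumed SHA-256 construction, not the one of Annex B)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def setup():
    """Issuer key (x, y), opener key (a, b) and the public values X, Y, A, B."""
    x, y, a, b = rand(), rand(), rand(), rand()
    pub = {"X": x * P2 % p, "Y": y * P2 % p, "A": a * P2 % p, "B": b * P2 % p}
    return (x, y), (a, b), pub

def join(isk, pub, LIST):
    """Issuing steps a) to c) and k) to o); the proof of steps d) to j) is omitted."""
    x, y = isk
    s, u, v, r = rand(), rand(), rand(), rand()
    S, Yi = s * P1 % p, s * pub["Y"] % p
    C = (u * P2 % p, (Yi + u * pub["A"]) % p, v * P2 % p, (Yi + v * pub["B"]) % p)
    LIST.append((S, C))                       # entry LIST[i] without c, z_s, z_u, z_v
    T1 = r * P1 % p
    return (s, T1, (r * x * P1 + r * y * S) % p)

def sign(pub, key, m):
    """7.4.3."""
    s, T1, T2 = key
    t, w = rand(), rand()
    T1p, T2p = t * T1 % p, t * T2 % p
    W = w * T1p * pub["Y"] % p                # W = e([w]T_1', Y)
    cm = H(T1p, T2p, W, m)
    return (T1p, T2p, cm, (w + cm * s) % p)

def verify(pub, m, sig):
    """7.4.4; returns 1 (valid) or 0 (invalid)."""
    T1p, T2p, cm, z = sig
    if T1p == 0:                              # T_1' must differ from O_E
        return 0
    Wp = (z * T1p * pub["Y"] - cm * T2p * P2 + cm * T1p * pub["X"]) % p
    return 1 if cm == H(T1p, T2p, Wp, m) else 0

def target(pub, sig):
    """R = e(T_2', P_2) x e([-1]T_1', X), used by opening and by the revocation test."""
    return (sig[1] * P2 - sig[0] * pub["X"]) % p

def open_sig(osk, pub, LIST, sig):
    """7.4.5: returns the 1-based index of the signer in LIST, or None."""
    a, _ = osk
    for i, (_, C) in enumerate(LIST, start=1):
        Yi = (C[1] - a * C[0]) % p            # Y_i = C_2 + [-a]C_1
        if sig[0] * Yi % p == target(pub, sig):
            return i
    return None

def revocation_token(osk, LIST, i):
    """7.4.6 b): R_i = C_2 + [-a]C_1 for the entry LIST[i]."""
    _, C = LIST[i - 1]
    return (C[1] - osk[0] * C[0]) % p

def revocation_check(pub, sig, RL):
    """7.4.6 test: returns 0 (revoked) or 1 (valid)."""
    return 0 if any(sig[0] * Ri % p == target(pub, sig) for Ri in RL) else 1
```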
Annex A
Insert the following lines after id-as-gpk-m-7 OID ::= { id-as-gpk mechanism7(7) }:
id-as-gpk-m-8 OID ::= { id-as-gpk mechanism8(8) }
id-as-gpk-m-9 OID ::= { id-as-gpk mechanism9(9) }
Replace the line of as-gpk-m-7 with the following:
as-gpk-m-7 |
as-gpk-m-8 |
as-gpk-m-9
Insert the following lines after OID id-as-gpk-m-7 PARMS HashFunctions }:
as-gpk-m-8 ALGORITHM ::= { OID id-as-gpk-m-8 PARMS HashFunctions }
as-gpk-m-9 ALGORITHM ::= { OID id-as-gpk-m-9 PARMS HashFunctions }
C.1.1, first paragraph
Replace the paragraph with the following:
The following computational hardness assumptions underlie the security of the mechanisms specified in this document; namely, the strong RSA assumption [13], the decisional Diffie-Hellman (DDH) assumption [2], the strong Diffie-Hellman (SDH) assumption [12], the Lysyanskaya-Rivest-Sahai-Wolf (LRSW) assumption [18], the static Diffie-Hellman (Static DH) assumption [8], the q-MSDH assumption [25] and the Pointcheval-Sanders (PS) assumption [24]. Table C.1 below summarizes which of these assumptions underlie the security of each of the mechanisms specified in this document.
Table C.1
Replace Table C.1 with the following table:
Table C.1 — Mathematical assumptions used in the mechanisms
Strong RSA DDH SDH LRSW Static DH q-MSDH PS
Mechanism 1 √ √
Mechanism 2 √ √ √
Mechanism 3 √ √
Mechanism 4 √ √ √
Mechanism 5 √ √
Mechanism 6 √ √
Mechanism 7 √ √
Mechanism 8 √ √
Mechanism 9 √ √
C.1.7
Add new subclause C.1.7 as follows:
C.1.7 The q-MSDH assumption
Let ($G_1$, $G_2$) be a bilinear group pair of type 3 of large prime order $p$ and an associated pairing function $e: G_1 \times G_2 \to G_T$. Let $P_1 \neq O_E$ (respectively $P_2 \neq O_E$) be given in $G_1$ (respectively in $G_2$). Given $q$ pairs $([x^i]P_1, [x^i]P_2)$, for $i$ from 1 to $q$, and a triplet $([a]P_1, [a]P_2, [a \times x]P_2)$ for some integers $a$ and $x$ in $\mathbb{Z}_p$, the q-MSDH assumption states that it is computationally infeasible to generate a tuple $(w, R, [1/(x+w)]Q, [a/R(x)]Q)$, where $Q$ is an element of $G_1$ different from the neutral element of this group, $R$ is a polynomial of degree at most $q$ and $w$ is a scalar such that $(X + w)$ and $R(X)$ are relatively prime.
C.1.8
Add new subclause C.1.8 as follows:
C.1.8 The Pointcheval-Sanders (PS) assumption
Let ($G_1$, $G_2$) be a bilinear group pair of large prime order $p$ and an associated pairing function $e: G_1 \times G_2 \to G_T$. Let $(P_1, [y]P_1)$ be given in $G_1$ and $(P_2, [x]P_2, [y]P_2)$ be given in $G_2$ for some integers $x$ and $y$ in $\mathbb{Z}_p$. Assume that an oracle can be called that answers queries $s$ in $\mathbb{Z}_p$ by a pair $(Q, [x + y \times s]Q)$, where $Q$ is a random group element of $G_1$. Let this oracle be called with the following queries $s_1$, $s_2$, …, $s_m$. The PS assumption states that it is computationally infeasible to generate a triplet $(t, R, [x + y \times t]R)$, where $t \notin \{s_1, s_2, …, s_m\}$ and $R$ is an element of $G_1$ different from the neutral element of this group.
C.2, first paragraph
Replace the paragraph with the following:
Mechanisms 3, 4, 6, 7, 8, 9 all make use of a pairing function. Methods of generating pairing-friendly
elliptic curves are given in ISO/IEC 15946-5. For current standard security levels (128-bit, 192-bit
and 256-bit), the curves parameters proposed in section 7 of Reference [21] are recommended.
C.2, third paragraph
Replace the paragraph with the following:
The following security parameters are recommended:
— Mechanism 1: For 112-bit security strength, the following parameters are recommended: $l_p$ (1 024-bit), $k$ (160-bit), $l_x$ (160-bit), $l_e$ (170-bit), $l_E$ (420-bit), $l_X$ (410-bit), $\varepsilon = 5/4$.
— Mechanism 2:
— For 104-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (104-bit), $l_e$ (368-bit), $l'_e$ (120-bit), $l_v$ (2 536-bit), $l_\varnothing$ (80-bit), $l_H$ (160-bit), $l_r$ (80-bit), $l_s$ (1 024-bit), $l_\Gamma$ (1 632-bit), $l_\rho$ (208-bit).
— For 112-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (112-bit), $l_e$ (544-bit), $l'_e$ (128-bit), $l_v$ (2 720-bit), $l_\varnothing$ (128-bit), $l_H$ (256-bit), $l_r$ (128-bit), $l_s$ (1 024-bit), $l_\Gamma$ (2 048-bit), $l_\rho$ (224-bit).
— Mechanism 5:
— For 80-bit security strength, the following parameters are recommended: K (1 024-bit),
n
K (160-bit), K (160-bit), K (60-bit), K (504-bit), K (60-bit).
′
c s e e
— For 112-bit security strength, the following parameters are recommended: K (2 048-bit),
n
K (224-bit), K (224-bit), K (112-bit), K (736-bit), K (60-bit).
c s e e′
— For 128-bit security strength, the following parameters are recommended: K (3 076-bit),
n
K (256-bit), K (256-bit), K (128-bit), K (832-bit), K (60-bit).
′
c s e e
Annex D, eleventh paragraph
Replace the paragraph with the following:
There are five revocation mechanisms specified in this document. Credential update is a type of
membership credential revocation, where each signer updates its credential so the proof that the
membership credential of the signer is not in the list is inherited in signature generation.
Table D.1 summarizes which mechanisms are global revocation and which are local.
Table D.1
Replace Table D.1 with the following table:
Table D.1 — Categorization of revocation mechanisms
Columns: Private key revocation; Verifier blacklist revocation; Signature revocation; Membership credential revocation; Credential update
Global revocation √ √ √ √
Local revocation √ √ √ √
Table D.2
Replace Table D.2 with the following table:
Table D.2 — Revocation options used in the anonymous signature mechanisms
Columns: Private key revocation; Verifier blacklist revocation; Signature revocation; Membership credential revocation; Credential update
Mechanism 1 √ √
Mechanism 2 √ √
Mechanism 3 √ √ √
Mechanism 4 √ √ √ √
Mechanism 5 √
Mechanism 6 √
Mechanism 7 √
Mechanism 8 √ √
Mechanism 9 √
Annex D, NOTE 2
Replace the first three sentences of NOTE 2 with the following:
In mechanisms 1-4 and 8, it can be possible for the holder of a revoked private key to be “framed”
for signatures they did not create. If a mali
...
INTERNATIONAL ISO/IEC
STANDARD 20008-2
First edition
2013-11-15
AMENDMENT 2
Information technology — Security
techniques — Anonymous digital
signatures —
Part 2:
Mechanisms using a group public key
AMENDMENT 2
Technologies de l'information — Techniques de sécurité — Signatures
numériques anonymes —
Partie 2: Mécanismes utilisant une clé publique de groupe
AMENDEMENT 2
PROOF/ÉPREUVE
Reference number
ISO/IEC 20008-2/Amd. 2:2023(E)
© ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC 20008-2/Amd. 2:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
PROOF/ÉPREUVE © ISO/IEC 2023 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 20008-2/Amd. 2:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 20008 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Information technology — Security techniques —
Anonymous digital signatures —
Part 2:
Mechanisms using a group public key
AMENDMENT 2
Clause 4
Add the following symbol:
$F(p)$ the finite field containing exactly $p$ elements.
6.1
Replace the first sentence with the following:
This clause specifies five digital signature mechanisms with linking capability.
Replace the text of NOTE 1 with the following:
In the literature, the mechanism of 6.2 is called a list signature scheme, the mechanism of 6.6 is
called a pre-DAA scheme and the mechanisms of 6.3, 6.4 and 6.5 are called DAA schemes. The
mechanisms given in 6.2, 6.4, 6.5 and 6.6 are based on schemes originally specified in References [9],
[6], [11] and [22] respectively, in which security proofs can also be found. The mechanism in 6.3 is
based on a scheme in Reference [3] which is a minor modification of the scheme in Reference [4];
the associated security analysis is given in the full version of Reference [4].
6.6
Add new subclause 6.6 as follows:
6.6 Mechanism 8
6.6.1 Symbols
The following symbols apply in the specification of this mechanism.
— τ : a security parameter.
' '' ''
— P , QX,, YX,,,X CD,,DT′, , TK,,KK,,KK,,KJ′′,,TT,,RR,,TT,,′′RT′′, ′: elements of
1 11 21 21 21 2
111 11
G .
1
'
— P , X , Y , X , X : elements of G .
2 2 2 22 2
— $x, y, z, x', z', c_k, s_x, s_z, c'_k, s_1, u, v, w, v', r, s_2, k_r, k_x, k_z, c, z_r, z_x, z_z, c', s, l, k_s, c_m, \rho, c'_m$: integers in $Z_p$.
— $n_I$: an integer of size $\tau$-bit.
— $H_1$: a hash function that outputs elements in $G_1$.
— $H_2$, $H_3$: hash functions that output elements in $Z_p$.
6.6.2 Key generation process
The key generation process has two parts: setup process and group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose τ as a security parameter.
b) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e: G_1 \times G_2 \to G_T$.
c) Choose two random independent generators $P_1$ and $Q_1$ of $G_1$ and provide additional information, denoted by $\pi_{Gen}$, that serves to demonstrate that these two generators were indeed chosen independently, that is without a potentially exploitable relationship between them (such as $Q_1 = [s]P_1$ for an integer $s$ chosen by the group membership issuer). An example of how to verifiably select independent generators and to verify, using $\pi_{Gen}$, the correct generation of these generators, is given in Annex G.
d) Choose a random generator $P_2$ of $G_2$.
e) Choose three hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: \{0,1\}^* \to Z_p$ and $H_3: \{0,1\}^* \to Z_p$. An example of how to construct such hash functions is provided in Annex B.
f) Choose three random integers $x$, $y$ and $z$ in $Z_p$.
g) Compute $X_1 = [z]P_1 + [x]Q_1$, $Y_1 = [y]P_1$, $X_2 = [x]P_2$ and $Y_2 = [y]P_2$.
h) Choose two random integers $x'$ and $z'$ in $Z_p$.
i) Compute $X'_1 = [z']P_1 + [x']Q_1$ and $X'_2 = [x']P_2$.
j) Compute $c_k = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| X'_1 \| X'_2)$.
k) Compute $s_x = (x' + c_k \times x) \bmod p$ and $s_z = (z' + c_k \times z) \bmod p$.
l) Set $\pi_{Val} = (c_k, s_x, s_z)$ as a proof that the second component of the representation of $X_1$ in the base $P_1$ and $Q_1$ is equal to the discrete logarithm of $X_2$ in the base $P_2$.
m) Output the following:
— group public parameter = ($G_1$, $G_2$, $G_T$, $e$, $P_1$, $Q_1$, $P_2$, $p$, $H_1$, $H_2$, $H_3$),
— group public key = ($X_1$, $Y_1$, $X_2$, $Y_2$, $\pi_{Gen}$, $\pi_{Val}$),
— group membership issuing key = ($x$, $y$, $z$).
NOTE 1 Examples of recommended parameters are provided in C.2.
Each entity involved in this anonymous signature mechanism should verify the validity of the group
public key before using it. The group public key validity verification process includes the following
steps:
a) Verify that $P_1$ and $Q_1$ were generated independently using $\pi_{Gen}$.
b) Verify the validity of the proof $\pi_{Val}$:
1) Compute X = sP + sQ − cX and X = sP − cX .
[] [] [] [] []
z 1 x 1 k 1 x 2 k 2
1 2
'
2) Compute cH= PQ PX YX Y XX .
()
k 21 12 11 22 12
3) Verify that $c'_k = c_k$.
c) Verify that $e(Y_1, P_2) = e(P_1, Y_2)$.
d) If any of the above verifications fails, output 0 (invalid), otherwise output 1 (valid).
The group membership issuing process requires a secure and authentic channel between the group
member and the group membership issuer. How to establish such a channel is out of scope of this
mechanism. The group membership issuing process includes the following steps:
a) The group membership issuer chooses a nonce $n_I \in \{0,1\}^{\tau}$.
b) The group membership issuer sends $n_I$ to the member.
c) The member chooses a random integer $s_1$ from $Z_p$.
d) The member computes $C_1 = [s_1]Y_1$.
e) The member chooses a random integer $u$ from $Z_p$.
f) The member computes $D = [u]Y_1$.
g) The member computes $v = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D \| n_I)$.
h) The member computes $w = (u + v \times s_1) \bmod p$.
i) The member sends ($C_1$, $v$, $w$) to the group membership issuer.
j) The group membership issuer computes $D' = [w]Y_1 - [v]C_1$.
k) The group membership issuer computes $v' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| D' \| n_I)$.
l) The group membership issuer verifies $v = v'$. If the verification fails, abort the group membership issuing process.
m) The group membership issuer selects five random integers $r$, $s_2$, $k_r$, $k_x$ and $k_z$ from $Z_p$.
n) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [x]T_1 + [r]C_1 + [r \times s_2]Y_1$.
o) The group membership issuer computes $K_1 = [k_r]P_1$, $K_2 = [k_x]T_1 + [k_r](C_1 + [s_2]Y_1)$ and $K = [k_z]P_1 + [k_x]Q_1$.
p) The group membership issuer computes $c = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K_1 \| K_2 \| K)$.
q) The group membership issuer computes $z_r = (k_r + c \times r) \bmod p$, $z_x = (k_x + c \times x) \bmod p$ and $z_z = (k_z + c \times z) \bmod p$.
r) The group membership issuer sets ($T_1$, $T_2$) as the member's group membership credential and sends ($T_1$, $T_2$, $s_2$, $c$, $z_r$, $z_x$, $z_z$) to the member.
s) The member computes $K'_1 = [z_r]P_1 - [c]T_1$, $K'_2 = [z_x]T_1 + [z_r](C_1 + [s_2]Y_1) - [c]T_2$ and $K' = [z_z]P_1 + [z_x]Q_1 - [c]X_1$.
t) The member computes $c' = H_2(P_1 \| Q_1 \| P_2 \| X_1 \| Y_1 \| X_2 \| Y_2 \| C_1 \| s_2 \| K'_1 \| K'_2 \| K')$.
u) The member verifies $c = c'$. If the verification fails, the member aborts.
v) The member computes $s = (s_1 + s_2) \bmod p$.
w) The group member signature key for the member is ($s$, $T_1$, $T_2$).
NOTE 2 The group membership issuer can use the same value $s_2$ (for example $s_2 = 0 \bmod p$) for several
executions of the group membership issuing process. In this case, the security of Mechanism 8 relies on the
Pointcheval-Sanders (PS) assumption [24], instead of the q-MSDH assumption [25], which applies if the group
membership issuer uses a fresh random value $s_2$ for each new session of the group membership issuing process.
6.6.3 Signature process
On input of a group member signature key ($s$, $T_1$, $T_2$), a linking base $bsn$ and a message $m \in \{0,1\}^*$ to
be signed, the signature process takes the following steps. The linking base, denoted by $bsn$, is either a
special symbol ⊥ or an arbitrary string used for the linking capability.
a) If $bsn$ = ⊥, the signer chooses a random $J$ from $G_1$, otherwise, computes $J = H_1(bsn)$.
b) The signer selects two random integers $l$ and $k_s$ in $Z_p$.
c) The signer computes $T'_1 = [l]T_1$ and $T'_2 = [l]T_2$.
d) The signer computes $R = [s]T'_1$ and $R' = [k_s]T'_1$.
e) The signer computes $T = [s]J$ and $T' = [k_s]J$.
f) The signer computes $c_m = H_3(T'_1 \| T'_2 \| J \| T \| R \| T' \| R' \| m)$.
g) The signer computes $\rho = (k_s + c_m \times s) \bmod p$.
h) The signer outputs the anonymous signature $\sigma = (T'_1, T'_2, J, R, T, c_m, \rho)$.
6.6.4 Verification process
On input of a message $m$, a linking base $bsn$, a signature ($T'_1$, $T'_2$, $J$, $R$, $T$, $c_m$, $\rho$) and a group public key
($X_1$, $Y_1$, $X_2$, $Y_2$), the verification process takes the following steps:
a) If $bsn$ ≠ ⊥, verify that $J = H_1(bsn)$.
b) Verify that $T'_1 \neq O_E$.
c) If any of the above verifications fails, output 0 (invalid).
d) Compute $R'' = [\rho]T'_1 - [c_m]R$.
e) Compute $T'' = [\rho]J - [c_m]T$.
f) Compute $c'_m = H_3(T'_1 \| T'_2 \| J \| T \| R \| T'' \| R'' \| m)$.
g) Verify that $c'_m = c_m$.
h) Verify that $e(T'_1, X_2) \times e(R, Y_2) = e(T'_2, P_2)$.
i) Optionally, call the revocation checking process.
j) If any of the above verifications (steps g and h) fails, output 0 (invalid). Otherwise, output 1 (valid).
6.6.5 Linking process
Given two valid signatures $\sigma = (T'_1, T'_2, J, R, T, c_m, \rho)$ and $\hat{\sigma} = (\hat{T}'_1, \hat{T}'_2, \hat{J}, \hat{R}, \hat{T}, \hat{c}_m, \hat{\rho})$, the linking
process takes the following steps:
a) If $J = \hat{J}$ and $T = \hat{T}$, output 1 (linked), otherwise, output 0 (not linked).
NOTE If the linking process outputs 0 because of $J \neq \hat{J}$, it means that the linking process cannot determine
whether two signatures were created by the same group member.
6.6.6 Revocation process
Details of the revocation process in this mechanism are surveyed in Reference [10]. There are two types
of revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either global revocation or local revocation. Verifier blacklist revocation
is a local revocation.
Private key revocation:
— If a group member signature key ($s$, $T_1$, $T_2$) is compromised, the group membership issuer puts $s$
into a revocation list RL of this type.
— Given a valid signature $\sigma = (T'_1, T'_2, J, R, T, c_m, \rho)$ computed using a linking base $bsn$ and a
revocation list RL of this type, a verifier can check revocation of this signature as follows: for each
$s' \in$ RL, verify $T \neq [s']J$. If any of these verifications fails, output 0 (revoked), otherwise, output 1
(valid).
NOTE The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members. This revocation process makes it possible to identify
every group signature generated using this private key. If this key can be associated with a group member (e.g.
by using contextual information), then no anonymity can be retained for this group member, as their signatures
can then be traced. This is a property inherent to DAA schemes. Thus, a careful assessment of the need for
revocation and the consequences for the corresponding group member will be carried out before deployment.
Verifier blacklist revocation:
— If signatures were computed using a linking base $bsn$, a verifier can build its own revocation list RL
corresponding to $bsn$. If the verifier wants to blacklist the signer of a valid signature $\sigma = (T'_1, T'_2, J, R, T, c_m, \rho)$,
they put $T$ into a revocation list RL of this type.
— Given a signature $\sigma = (T'_1, T'_2, J, R, T, c_m, \rho)$ computed using a linking base $bsn$ and a revocation
list RL of this type, a verifier can check revocation of this signature as follows: for each $\hat{T} \in$ RL,
verify $T \neq \hat{T}$. If any of these verifications fails, output 0 (revoked), otherwise, output 1 (valid).
In order to use verifier blacklist revocation in this mechanism, a signer must use a specific linking base
for each verifier. The value of the linking base can, for example, be chosen by the verifier or agreed in
advance by the signer and verifier.
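The linking and revocation checks of 6.6.3 to 6.6.6 rest only on the Schnorr-style proof tying T = [s]J to the signing key, so they can be exercised without a pairing. The following Python sketch is an added example, not text or code from ISO/IEC 20008-2: it assumes secp256k1 as a stand-in for G_1, uses None for ⊥, builds a constructed credential with a hypothetical toy_credential helper, uses illustrative hash constructions instead of those of Annex B, and leaves out the pairing check of 6.6.4 step h; all function names are hypothetical.

```python
import hashlib
import secrets

# Stand-in for G_1 (assumption): secp256k1, y^2 = x^3 + 7 over F(FP), prime order N.
# It has no pairing, so step h of 6.6.4 (the credential check) is NOT performed here.
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def add(P, Q):
    """Point addition; None represents the neutral element O_E."""
    if P is None:
        return Q
    if Q is None:
        return P
    if P[0] == Q[0] and (P[1] + Q[1]) % FP == 0:
        return None
    if P == Q:
        lam = 3 * P[0] * P[0] * pow(2 * P[1], -1, FP) % FP
    else:
        lam = (Q[1] - P[1]) * pow((Q[0] - P[0]) % FP, -1, FP) % FP
    x = (lam * lam - P[0] - Q[0]) % FP
    return (x, (lam * (P[0] - x) - P[1]) % FP)

def mul(k, P):
    """Scalar multiplication [k]P by double-and-add."""
    R, k = None, k % N
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def neg(P):
    return None if P is None else (P[0], -P[1] % FP)

def H1(data):
    """Hash bytes to a curve point by try-and-increment (illustrative, not Annex B)."""
    ctr = 0
    while True:
        d = hashlib.sha256(b"H1" + ctr.to_bytes(4, "big") + data).digest()
        x = int.from_bytes(d, "big") % FP
        y2 = (pow(x, 3, FP) + 7) % FP
        y = pow(y2, (FP + 1) // 4, FP)   # square root, valid because FP = 3 mod 4
        if y * y % FP == y2:
            return (x, y)
        ctr += 1

def H3(*parts):
    """Hash points and byte strings to Z_p (illustrative, not Annex B)."""
    h = hashlib.sha256(b"H3")
    for part in parts:
        if not isinstance(part, bytes):   # a point, or None for O_E
            part = b"\x00" if part is None else b"".join(v.to_bytes(32, "big") for v in part)
        h.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(h.digest(), "big") % N

P1 = H1(b"constructed generator P_1")

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def toy_credential(s, x, y):
    """Constructed credential (s, T_1, T_2) with T_2 = [x + y*s]T_1; the issuing
    protocol of 6.6.2, in which the issuer never sees s, is not reproduced."""
    T1 = mul(rand_scalar(), P1)
    return (s, T1, mul((x + y * s) % N, T1))

def sign(key, bsn, m):
    """6.6.3 steps a-h; bsn=None plays the role of the special symbol."""
    s, T1, T2 = key
    J = mul(rand_scalar(), P1) if bsn is None else H1(bsn)
    l, ks = rand_scalar(), rand_scalar()
    T1p, T2p = mul(l, T1), mul(l, T2)
    R, Rp = mul(s, T1p), mul(ks, T1p)
    T, Tp = mul(s, J), mul(ks, J)
    c = H3(T1p, T2p, J, T, R, Tp, Rp, m)
    return (T1p, T2p, J, R, T, c, (ks + c * s) % N)

def verify_proof(sig, bsn, m):
    """6.6.4 steps a-g only (no pairing check)."""
    T1p, T2p, J, R, T, c, rho = sig
    if (bsn is not None and J != H1(bsn)) or T1p is None:
        return False
    Rpp = add(mul(rho, T1p), neg(mul(c, R)))
    Tpp = add(mul(rho, J), neg(mul(c, T)))
    return H3(T1p, T2p, J, T, R, Tpp, Rpp, m) == c

def link(sig_a, sig_b):
    """6.6.5: linked iff both J and T coincide."""
    return sig_a[2] == sig_b[2] and sig_a[4] == sig_b[4]

def key_revoked(sig, rl_keys):
    """6.6.6 private key revocation: revoked if T = [s']J for some s' in RL."""
    return any(mul(s_rev, sig[2]) == sig[4] for s_rev in rl_keys)

def blacklisted(sig, rl_tags):
    """6.6.6 verifier blacklist revocation: revoked if T is already in RL."""
    return sig[4] in rl_tags
```

key_revoked also matches a signature produced with bsn = ⊥, because J travels inside the signature; the verifier blacklist only matches signatures made under the same linking base.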
7.1
Replace the first sentence with the following:
This clause specifies three digital signature mechanisms with opening capability.
Replace the text of NOTE with the following:
The mechanisms and associated security proofs in 7.2, 7.3 and 7.4 are based on References [17],
[14] and [23] (an extended version of Reference [24]), respectively.
7.4
Add new subclause 7.4 as follows:
7.4 Mechanism 9
7.4.1 Symbols
The following symbols apply in the specification of this mechanism.
— $P_1$, $S_i$, $T_1$, $T_2$, $K$, $K'$, $T'_1$, $T'_2$: elements of $G_1$.
— $P_2$, $X$, $Y$, $A$, $B$, $Y_i$, $C_1$, $C_2$, $C_3$, $C_4$, $K_1$, $K_2$, $K_3$, $K_4$, $K'_1$, $K'_2$, $K'_3$, $K'_4$: elements of $G_2$.
— $W$, $W'$, $R$, $R_i$: elements of $G_T$.
— $x, y, a, b, s_i, u, v, k_s, k_u, k_v, c, z_s, z_u, z_v, c', r, t, w, c_m, z, c'_m$: elements of $Z_p$.
— $H$: a hash function that outputs elements in $Z_p$.
7.4.2 Key generation process
The group membership issuer key generation process takes the following steps:
a) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an associated pairing function $e: G_1 \times G_2 \to G_T$.
b) Choose a random generator $P_1$ of $G_1$ and a random generator $P_2$ of $G_2$.
c) Choose two random integers $x$ and $y$ in $Z_p$.
d) Compute $X = [x]P_2$ and $Y = [y]P_2$.
e) Choose a hash function $H: \{0,1\}^* \to Z_p$. Such a hash function shall be constructed as described in Annex B.
f) Output the following:
— group public parameters: ($G_1$, $G_2$, $G_T$, $e$, $p$, $H$, $P_1$, $P_2$),
— group public key: ($X$, $Y$),
— group membership issuing key: ($x$, $y$).
The group membership opener key generation process takes the following steps:
a) Choose two random integers $a$ and $b$ in $Z_p$.
b) Compute $A = [a]P_2$ and $B = [b]P_2$.
c) Output the following:
— group membership opener public key ($A$, $B$),
— group membership opening key ($a$, $b$).
The group membership issuer manages a member-list LIST = (LIST[1], ..., LIST[$n$]) where $n$ is the
number of group members who are registered so far. Each entry of the list contains information
associated with each registered user. This member-list LIST can be published but it will only be useful
to the group membership opener.
The group membership issuing process is an interactive protocol running between the group
membership issuer and a user $U_i$ to create a group member signature key for the user. It consists of the
following steps:
a) $U_i$ selects six random integers $s_i$, $u$, $v$, $k_s$, $k_u$ and $k_v$ in $Z_p$.
b) $U_i$ computes $S_i = [s_i]P_1$ and $Y_i = [s_i]Y$.
c) $U_i$ computes $C_1 = [u]P_2$, $C_2 = Y_i + [u]A$, $C_3 = [v]P_2$, $C_4 = Y_i + [v]B$.
d) $U_i$ computes $K = [k_s]P_1$, $K_1 = [k_u]P_2$, $K_2 = [k_s]Y + [k_u]A$, $K_3 = [k_v]P_2$, $K_4 = [k_s]Y + [k_v]B$.
e) $U_i$ computes $c = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K \| K_1 \| K_2 \| K_3 \| K_4)$.
f) $U_i$ computes $z_s = (k_s + c \times s_i) \bmod p$, $z_u = (k_u + c \times u) \bmod p$ and $z_v = (k_v + c \times v) \bmod p$.
g) $U_i$ sends $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$ and $z_v$.
h) The group membership issuer computes $K' = [z_s]P_1 - [c]S_i$, $K'_1 = [z_u]P_2 - [c]C_1$, $K'_2 = [z_s]Y + [z_u]A - [c]C_2$, $K'_3 = [z_v]P_2 - [c]C_3$ and $K'_4 = [z_s]Y + [z_v]B - [c]C_4$.
i) The group membership issuer computes $c' = H(P_1 \| P_2 \| X \| Y \| A \| B \| S_i \| Y_i \| C_1 \| C_2 \| C_3 \| C_4 \| K' \| K'_1 \| K'_2 \| K'_3 \| K'_4)$.
j) The group membership issuer checks if $c = c'$ and aborts if these two values are different.
k) The group membership issuer stores ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) in LIST[$i$].
l) The group membership issuer selects a random integer $r$ in $Z_p$.
m) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [r \times x]P_1 + [r \times y]S_i$.
n) The group membership issuer sends $T_1$ and $T_2$ to the user $U_i$.
o) The signature key of the group member $U_i$ is then ($s_i$, $T_1$, $T_2$).
7.4.3 Signature process
On input of a group public key ($X$, $Y$), a group member signature key ($s_i$, $T_1$, $T_2$) owned by the signer
and a message $m \in \{0,1\}^*$ to be signed, the signature process takes the following steps.
a) The signer selects two random integers $t$ and $w$ in $Z_p$.
b) The signer computes $T'_1 = [t]T_1$ and $T'_2 = [t]T_2$.
c) The signer computes $W = e([w]T'_1, Y)$.
d) The signer computes $c_m = H(T'_1 \| T'_2 \| W \| m)$.
e) The signer computes $z = (w + c_m \times s_i) \bmod p$.
f) The signer outputs the group signature $\sigma = (T'_1, T'_2, c_m, z)$.
7.4.4 Verification process
On input of a message $m \in \{0,1\}^*$, a group signature $\sigma = (T'_1, T'_2, c_m, z)$ and a group public key ($X$, $Y$),
the verification process takes the following steps:
a) Verify that $T'_1 \neq O_E$. If this verification fails, output 0 (invalid).
b) Compute $W' = e([z]T'_1, Y) \times e([-c_m]T'_2, P_2) \times e([c_m]T'_1, X)$.
c) Compute $c'_m = H(T'_1 \| T'_2 \| W' \| m)$.
d) Verify that $c'_m = c_m$ holds.
e) If the above verification fails, output 0 (invalid), otherwise, output 1 (valid).
7.4.5 Opening process
Given a group signature $\sigma = (T'_1, T'_2, c_m, z)$, the member-list LIST = (LIST[1], ..., LIST[$n$]) and a group
opening key ($a$, $b$), the opening process takes the following steps:
a) Compute $R = e(T'_2, P_2) \times e([-1]T'_1, X)$.
b) For each $i \in [1, n]$,
1) Recover ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) from LIST[$i$].
2) Compute $Y_i = C_2 + [-a]C_1$.
3) Verify if $e(T'_1, Y_i) = R$.
4) If the above equation holds, output $i$.
7.4.6 Revocation process
The revocation process is a membership credential revocation. The group membership opener revokes
a user $U_i$ by adding some element $R_i$ (defined below) specific to this user in a revocation list RL.
Revocation can thus be global but also local as any verifier is able to manage its own revocation list by
deciding whether or not to include $R_i$. In all cases, the revocation process has no impact whatsoever on
the signature process.
— To revoke a user $U_i$, the group membership opener, taking as input the group opening key and
LIST = (LIST[1], ..., LIST[$n$]), proceeds as follows:
a) Recovers ($i$, $S_i$, $C_1$, $C_2$, $C_3$, $C_4$, $c$, $z_s$, $z_u$, $z_v$) from LIST[$i$].
b) Computes $R_i = C_2 + [-a]C_1$.
c) Adds $R_i$ in RL.
— Given a group signature $\sigma = (T'_1, T'_2, c_m, z)$ and a revocation list RL, test for each element $R_i$ in RL
if $e(T'_1, R_i) = e(T'_2, P_2) \times e([-1]T'_1, X)$. If this equality is satisfied by some element $R_i$ in RL, then
output 0 (revoked). Otherwise, output 1 (valid).
Annex A
Insert the following lines after id-as-gpk-m-7 OID ::= { id-as-gpk mechanism7(7) }:
id-as-gpk-m-8 OID ::= { id-as-gpk mechanism8(8) }
id-as-gpk-m-9 OID ::= { id-as-gpk mechanism9(9) }
Replace the line of as-gpk-m-7 with the following:
as-gpk-m-7 |
as-gpk-m-8 |
as-gpk-m-9
Insert the following lines after OID id-as-gpk-m-7 PARMS HashFunctions }:
as-gpk-m-8 ALGORITHM ::= { OID id-as-gpk-m-8 PARMS HashFunctions }
as-gpk-m-9 ALGORITHM ::= { OID id-as-gpk-m-9 PARMS HashFunctions }
C.1.1, first paragraph
Replace the paragraph with the following:
The following computational hardness assumptions underlie the security of the mechanisms
specified in this document; namely, the strong RSA assumption [13], the decisional Diffie-Hellman
(DDH) assumption [2], the strong Diffie-Hellman (SDH) assumption [12], the Lysyanskaya-Rivest-
Sahai-Wolf (LRSW) assumption [18], the static Diffie-Hellman (Static DH) assumption [8], the q-MSDH
assumption [25] and the Pointcheval-Sanders (PS) assumption [24]. Table C.1 below summarizes
which of these assumptions underlie the security of each of the mechanisms specified in this
document.
Table C.1
Replace Table C.1 with the following table:
Table C.1 — Mathematical assumptions used in the mechanisms
Strong RSA DDH SDH LRSW Static DH q-MSDH PS
Mechanism 1 √ √
Mechanism 2 √ √ √
Mechanism 3 √ √
Mechanism 4 √ √ √
Mechanism 5 √ √
Mechanism 6 √ √
Mechanism 7 √ √
Mechanism 8 √ √
Mechanism 9 √ √
C.1.7
Add new subclause C.1.7 as follows:
C.1.7 The q-MSDH assumption
Let ($G_1$, $G_2$) be a bilinear group pair of type 3 of large prime order $p$ and an associated pairing
function $e: G_1 \times G_2 \to G_T$. Let $P_1 \neq O_E$ (respectively $P_2 \neq O_E$) be given in $G_1$ (respectively in $G_2$).
Given $q$ pairs $([x^i]P_1, [x^i]P_2)$, for $i$ from 1 to $q$, and a triplet $([a]P_1, [a]P_2, [a \times x]P_2)$ for some
integers $a$ and $x$ in $Z_p$, the q-MSDH assumption states that it is computationally infeasible to
generate a tuple $(w, R, [1/(x+w)]Q, [a/R(x)]Q)$, where $Q$ is an element of $G_1$ different from the
neutral element of this group, $R$ is a polynomial of degree at most $q$ and $w$ is a scalar such that $(X + w)$
and $R(X)$ are relatively prime.
C.1.8
Add new subclause C.1.8 as follows:
C.1.8 The Pointcheval-Sanders (PS) assumption
Let ($G_1$, $G_2$) be a bilinear group pair of large prime order $p$ and an associated pairing function
$e: G_1 \times G_2 \to G_T$. Let $(P_1, [y]P_1)$ be given in $G_1$ and $(P_2, [x]P_2, [y]P_2)$ be given in $G_2$ for some integers
$x$ and $y$ in $Z_p$. Assume that an oracle can be called that answers queries $s$ in $Z_p$ by a pair
$(Q, [x + y \times s]Q)$, where $Q$ is a random group element of $G_1$. Let this oracle be called with the following
queries $s_1$, $s_2$, …, $s_m$. The PS assumption states that it is computationally infeasible to generate a
triplet $(t, R, [x + y \times t]R)$, where $t \notin \{s_1, s_2, …, s_m\}$ and $R$ is an element of $G_1$ different from the
neutral element of this group.
C.2, first paragraph
Replace the paragraph with the following:
Mechanisms 3, 4, 6, 7, 8, 9 all make use of a pairing function. Methods of generating pairing-friendly
elliptic curves are given in ISO/IEC 15946-5. For current standard security levels (128-bit, 192-bit
and 256-bit), the curve parameters proposed in section 7 of Reference [21] are recommended.
C.2, third paragraph
Replace the paragraph with the following:
The following security parameters are recommended:
— Mechanism 1: For 112-bit security strength, the following parameters are recommended: $l_p$ (1 024-bit), $k$ (160-bit), $l_x$ (160-bit), $l_e$ (170-bit), $l_E$ (420-bit), $l_X$ (410-bit), $\varepsilon = 5/4$.
— Mechanism 2:
— For 104-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (104-bit), $l_e$ (368-bit), $l'_e$ (120-bit), $l_v$ (2 536-bit), $l_{\emptyset}$ (80-bit), $l_H$ (160-bit), $l_r$ (80-bit), $l_s$ (1 024-bit), $l_{\Gamma}$ (1 632-bit), $l_{\rho}$ (208-bit).
— For 112-bit security strength, the following parameters are recommended: $l_n$ (2 048-bit), $l_f$ (112-bit), $l_e$ (544-bit), $l'_e$ (128-bit), $l_v$ (2 720-bit), $l_{\emptyset}$ (128-bit), $l_H$ (256-bit), $l_r$ (128-bit), $l_s$ (1 024-bit), $l_{\Gamma}$ (2 048-bit), $l_{\rho}$ (224-bit).
— Mechanism 5:
— For 80-bit security strength, the following parameters are recommended: K (1 024-bit),
n
K (160-bit), K (160-bit), K (60-bit), K (504-bit), K (60-bit).
′
c s e e
— For 112-bit security strength, the following parameters are recommended: K (2 048-bit),
n
K (224-bit), K (224-bit), K (112-bit), K (736-bit), K (60-bit).
c s e e′
— For 128-bit security strength, the following parameters are recommended: K (3 076-bit),
n
K (256-bit), K (256-bit), K (128-bit), K (832-bit), K (60-bit).
′
c s e e
Annex D, eleventh paragraph
Replace the paragraph with the following:
There are five revocation mechanisms specified in this document. Credential update is a type of
membership credential revocation, where each signer updates its credential so the proof that the
membership credential of the signer is not in the list is inherited in signature generation.
Table D.1 summarizes which mechanisms are global revocation and which are local.
Table D.1
Replace Table D.1 with the following table:
Table D.1 — Categorization of revocation mechanisms
Private key revocation | Verifier blacklist revocation | Signature revocation | Membership credential revocation | Credential update
Global revocation √ √ √ √
Local revocation √ √ √ √
Table D.2
Replace Table D.2 with the following table:
Table D.2 — Revocation options used in the anonymous signature mechanisms
Private key revocation | Verifier blacklist revocation | Signature revocation | Membership credential revocation | Credential update
Mechanism 1 √ √
Mechanism 2 √ √
Mechanism 3 √ √ √
Mechanism 4 √ √ √ √
Mechanism 5 √
Mechanism 6 √
Mechanism 7 √
Mechanism 8 √ √
Mechanism 9 √
...
2022-12-22
Date: 2023-02-07
Final text for ISO/IEC 20008-2:2013/Amd. 2:2023(E)
ISO/IEC JTC1/SC 27/WG 2
Secretariat: DIN
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2
Technologies de l'information — Techniques de sécurité — Signatures numériques anonymes — Partie 2 : Mécanismes utilisant une clé publique de groupe — Amendement 2
---------------------- Page: 1 ----------------------
Final text for ISO/IEC 20008-2:2013/Amd. 2:20222023(E)
© ISO 20222023 Formatted
Formatted: Default Paragraph Font
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no
Formatted: Indent: Left: 0 pt, Right: 0 pt, Space
part of this publication may be reproduced or utilized otherwise in any form or by any means,
Before: 0 pt, No page break before, Adjust space
electronic or mechanical, including photocopying, or posting on the internet or an intranet, without
between Latin and Asian text, Adjust space between
prior written permission. Permission can be requested from either ISO at the address below or
Asian text and numbers
ISO’sISO's member body in the country of the requester.
ISO copyright officeCopyright Office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Formatted: Indent: Left: 0 pt, First line: 0 pt, Right: 0
pt, Adjust space between Latin and Asian text, Adjust
Phone: + 41 22 749 01 11 space between Asian text and numbers
Email: copyright@iso.org
Email: copyright@iso.org
Website: www.iso.orgwww.iso.org
Formatted: English (United Kingdom)
Formatted: Indent: Left: 0 pt, First line: 0 pt, Right: 0
Published in Switzerland.
pt, Adjust space between Latin and Asian text, Adjust
space between Asian text and numbers
Formatted: English (United Kingdom)
Formatted: English (United Kingdom)
Formatted: Font: 11 pt
Formatted: Space After: 0 pt, Line spacing: single
2 © ISO/IEC 2022 – All rights reserved
ii © ISO/IEC 2023 – All rights reserved
Orange Restricted
---------------------- Page: 2 ----------------------
Final text for ISO/IEC 20008-2:2013/Amd. 2:20222023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted. This document was drafted in accordance with the editorial
rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directiveswww.iso.org/directives or
www.iec.ch/members_experts/refdocswww.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details
of any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patentswww.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.chhttps://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see
www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 20008 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html
and www.iec.ch/national-committees.
Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2
Clause 4
Add the following symbol:
$F(p)$ the finite field containing exactly $p$ elements.
6.1
Replace the first sentence with the following:
This clause specifies five digital signature mechanisms with linking capability.
Replace the text of NOTE 1 with the following:
In the literature, the mechanism of 6.2 is called a list signature scheme, the mechanism of 6.6 is called
a pre-DAA scheme and the mechanisms of 6.3, 6.4 and 6.5 are called DAA schemes. The mechanisms
given in 6.2, 6.4, 6.5 and 6.6 are based on schemes originally specified in References [9], [6], [11] and
[22] respectively, in which security proofs can also be found. The mechanism in 6.3 is based on a
scheme in Reference [3] which is a minor modification of the scheme in Reference [4]; the associated
security analysis is given in the full version of Reference [4].
6.6
Add new subclause 6.6 as follows:
6.6 Mechanism 8
6.6.1 Symbols
The following symbols apply in the specification of this mechanism.
— $\tau$: a security parameter.
— $P_1, Q_1, X_1, Y_1, X_1', C_1, D, D', T_1, T_2, K_1, K_2, K_1', K_2', K, K', J, T_1', T_2', R, R', T, T', R'', T''$: elements of $G_1$.
— $P_2, X_2, Y_2, X_2'$: elements of $G_2$.
— $x, y, z, x', z', c_k, s_x, s_z, c_k', s_1, u, v, w, v', r, s_2, k_r, k_x, k_z, c, z_r, z_x, z_z, c', s, l, k_s, c_m, \rho, c_m'$: integers in $Z_p$.
— $n_I$: an integer of size $\tau$-bit.
— $H_1$: a hash function that outputs elements in $G_1$.
— $H_2$, $H_3$: hash functions that output elements in $Z_p$.
6.6.2 Key generation process
The key generation process has two parts: setup process and group membership issuing process. The
setup process is executed by the group membership issuer to create the group public parameter, group
public key, and group membership issuing key. The group membership issuing process is an interactive
protocol running between the group membership issuer and a group member to create a unique group
member signature key for the group member.
The setup process takes the following steps by the group membership issuer:
a) Choose $\tau$ as a security parameter.
b) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently
computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an
associated pairing function $e: G_1 \times G_2 \to G_T$.
c) Choose two random independent generators $P_1$ and $Q_1$ of $G_1$ and provide additional
information, denoted by $\pi_{Gen}$, that serve to demonstrate that these two generators were
indeed chosen independently, that is without a potentially exploitable relationship between them
(such as $Q_1 = [s]P_1$ for an integer $s$ chosen by the group membership issuer). An
example of how to verifiably select independent generators and to verify, using $\pi_{Gen}$, the
correct generation of these generators, is given in Annex G.
d) Choose a random generator $P_2$ of $G_2$.
e) Choose three hash functions $H_1: \{0, 1\}^* \to G_1$, $H_2: \{0, 1\}^* \to Z_p$ and
$H_3: \{0, 1\}^* \to Z_p$. An example of how to construct such hash functions is provided in
Annex B.
f) Choose three random integers $x$, $y$ and $z$ in $Z_p$.
g) Compute $X_1 = [z]P_1 + [x]Q_1$, $Y_1 = [y]P_1$, $X_2 = [x]P_2$ and $Y_2 = [y]P_2$.
h) Choose two random integers $x'$ and $z'$ in $Z_p$.
i) Compute $X_1' = [z']P_1 + [x']Q_1$ and $X_2' = [x']P_2$.
j) Compute $c_k = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || X_1' || X_2')$.
k) Compute $s_x = (x' + c_k \times x) \bmod p$ and $s_z = (z' + c_k \times z) \bmod p$.
l) Set $\pi_{Val} = (c_k, s_x, s_z)$ as a proof that the second component of the representation
of $X_1$ in the base $P_1$ and $Q_1$ is equal to the discrete logarithm of $X_2$ in the base $P_2$.
m) Output the following:
— group public parameter = ($G_1$, $G_2$, $G_T$, $e$, $P_1$, $Q_1$, $P_2$, $p$, $H_1$, $H_2$, $H_3$),
— group public key = ($X_1$, $Y_1$, $X_2$, $Y_2$, $\pi_{Gen}$, $\pi_{Val}$),
— group membership issuing key = ($x$, $y$, $z$).
NOTE 1 Examples of recommended parameters are provided in C.2.
Each entity involved in this anonymous signature mechanism should verify the validity of the group
public key before using it. The group public key validity verification process includes the following steps:
a) Verify that $P_1$ and $Q_1$ were generated independently using $\pi_{Gen}$.
b) Verify the validity of the proof $\pi_{Val}$:
1) Compute $X_1' = [s_z]P_1 + [s_x]Q_1 - [c_k]X_1$ and $X_2' = [s_x]P_2 - [c_k]X_2$.
2) Compute $c_k' = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || X_1' || X_2')$.
3) Verify that $c_k = c_k'$.
c) Verify that $e(Y_1, P_2) = e(P_1, Y_2)$.
d) If any of the above verifications fails, output 0 (invalid), otherwise output 1 (valid).
The group membership issuing process requires a secure and authentic channel between the group
member and the group membership issuer. How to establish such a channel is out of scope of this
mechanism. The group membership issuing process includes the following steps:
a) The group membership issuer chooses a nonce $n_I \in \{0, 1\}^\tau$.
b) The group membership issuer sends $n_I$ to the member.
c) The member chooses a random integer $s_1$ from $Z_p$.
d) The member computes $C_1 = [s_1]Y_1$.
e) The member chooses a random integer $u$ from $Z_p$.
f) The member computes $D = [u]Y_1$.
g) The member computes $v = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || C_1 || D || n_I)$.
h) The member computes $w = (u + v \times s_1) \bmod p$.
i) The member sends ($C_1$, $v$, $w$) to the group membership issuer.
j) The group membership issuer computes $D' = [w]Y_1 - [v]C_1$.
k) The group membership issuer computes $v' = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || C_1 || D' || n_I)$.
l) The group membership issuer verifies $v = v'$. If the verification fails, abort the group
membership issuing process.
m) The group membership issuer selects five random integers $r$, $s_2$, $k_r$, $k_x$ and $k_z$ from
$Z_p$.
n) The group membership issuer computes $T_1 = [r]P_1$ and $T_2 = [x]T_1 + [r]C_1 + [r \times s_2]Y_1$.
o) The group membership issuer computes $K_1 = [k_r]P_1$, $K_2 = [k_x]T_1 + [k_r](C_1 + [s_2]Y_1)$
and $K = [k_z]P_1 + [k_x]Q_1$.
p) The group membership issuer computes $c = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || C_1 || s_2 || K_1 || K_2 || K)$.
q) The group membership issuer computes $z_r = (k_r + c \times r) \bmod p$, $z_x = (k_x + c \times x) \bmod p$
and $z_z = (k_z + c \times z) \bmod p$.
r) The group membership issuer sets ($T_1$, $T_2$) as the member’s group membership credential and
sends ($T_1$, $T_2$, $s_2$, $c$, $z_r$, $z_x$, $z_z$) to the member.
s) The member computes $K_1' = [z_r]P_1 - [c]T_1$, $K_2' = [z_x]T_1 + [z_r](C_1 + [s_2]Y_1) - [c]T_2$
and $K' = [z_z]P_1 + [z_x]Q_1 - [c]X_1$.
t) The member computes $c' = H_2(P_1 || Q_1 || P_2 || X_1 || Y_1 || X_2 || Y_2 || C_1 || s_2 || K_1' || K_2' || K')$.
u) The member verifies $c = c'$. If the verification fails, the member aborts.
v) The member computes $s = (s_1 + s_2) \bmod p$.
w) The group member signature key for the member is ($s$, $T_1$, $T_2$).
NOTE 2 The group membership issuer can use the same value $s_2$ (for example $s_2 = 0 \bmod p$) for
several executions of the group membership issuing process. In this case, the security of Mechanism 8 relies on the
Pointcheval-Sanders (PS) assumption [24], instead of the q-MSDH assumption [25] if the group membership issuer uses
a fresh random value $s_2$ for each new session of the group membership issuing process.
6.6.3 Signature process
On input of a group member signature key ($s$, $T_1$, $T_2$), a linking base $bsn$ and a message
$m \in \{0, 1\}^*$ to be signed, the signature process takes the following steps. The linking base,
denoted by $bsn$, is either a special symbol $\bot$ or an arbitrary string used for the linking capability.
a) If $bsn = \bot$, the signer chooses a random $J$ from $G_1$, otherwise, computes $J = H_1(bsn)$.
b) The signer selects two random integers $l$ and $k_s$ in $Z_p$.
c) The signer computes $T_1' = [l]T_1$ and $T_2' = [l]T_2$.
d) The signer computes $R = [s]T_1'$ and $R' = [k_s]T_1'$.
e) The signer computes $T = [s]J$ and $T' = [k_s]J$.
f) The signer computes $c_m = H_3(T_1' || T_2' || J || T || R || T' || R' || m)$.
g) The signer computes $\rho = (k_s + c_m \times s) \bmod p$.
h) The signer outputs the anonymous signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$.
6.6.4 Verification process
On input of a message $m$, a linking base $bsn$, a signature ($T_1'$, $T_2'$, $J$, $R$, $T$, $c_m$, $\rho$)
and a group public key ($X_1$, $Y_1$, $X_2$, $Y_2$), the verification process takes the
following steps:
a) If $bsn \neq \bot$, verify that $J = H_1(bsn)$.
b) Verify that $T_1' \neq O_E$.
c) If any of the above verifications fails, output 0 (invalid).
d) Compute $R'' = [\rho]T_1' - [c_m]R$.
e) Compute $T'' = [\rho]J - [c_m]T$.
f) Compute $c_m' = H_3(T_1' || T_2' || J || T || R || T'' || R'' || m)$.
g) Verify that $c_m = c_m'$.
h) Verify that $e(T_1', X_2) \times e(R, Y_2) = e(T_2', P_2)$.
i) Optionally, call the revocation checking process.
j) If any of the above verifications (steps g and h) fails, output 0 (invalid). Otherwise, output
1 (valid).
6.6.5 Linking process
Given two valid signatures $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ and
$\hat{\sigma} = (\hat{T}_1', \hat{T}_2', \hat{J}, \hat{R}, \hat{T}, \hat{c}_m, \hat{\rho})$, the linking process takes the following steps:
a) If $J = \hat{J}$ and $T = \hat{T}$, output 1 (linked), otherwise, output 0 (not linked).
NOTE If the linking process outputs 0 because of $J \neq \hat{J}$, it means that the linking process cannot
determine whether two signatures were created by the same group member.
6.6.6 Revocation process
Details of the revocation process in this mechanism are surveyed in Reference [10]. There are two types
of revocation (private key revocation and verifier blacklist revocation) supported in this mechanism.
Private key revocation can be either global revocation or local revocation. Verifier blacklist revocation is
a local revocation.
Private key revocation:
— If a group member signature key ($s$, $T_1$, $T_2$) is compromised, the group membership issuer
puts $s$ into a revocation list RL of this type.
— Given a valid signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking
base $bsn$ and a revocation list RL of this type, a verifier can check revocation of this signature as
follows: for each $s' \in$ RL, verify $T \neq [s']J$. If any of these verifications
fails, output 0 (revoked), otherwise, output 1 (valid).
NOTE 1 The private key revocation works only if the group membership issuer or the verifier has learned the
group member signature keys of the compromised group members. This revocation process allows to identify every
group signature generated using this private key. If this key can be associated with a group member (e.g. by using
contextual information), then no anonymity can be retained for this group member as their signatures can therefore
be traced. This is a property inherent to DAA schemes. Thus, a careful assessment of the need for revocation and
the consequences for the corresponding group member will
be carried out before deployment.
Verifier blacklist revocation:
— If signatures were computed using a linking base $bsn$, a verifier can build its own revocation list
RL corresponding to $bsn$. If the verifier wants to blacklist the signer of a valid signature
$\sigma = (T_1', T_2', J, R, T, c_m, \rho)$, they put $T$ into a revocation list RL of this type.
— Given a signature $\sigma = (T_1', T_2', J, R, T, c_m, \rho)$ computed using a linking base
$bsn$ and a revocation list RL of this type, a verifier can check revocation of this signature as
follows: for each $\hat{T} \in$ RL, verify $T \neq \hat{T}$. If any of these verifications fails,
output 0 (revoked), otherwise, output 1 (valid).
NOTE 2 In order to use verifier blacklist revocation in this mechanism, a signer must use a specific linking
base for each verifier. The value of the linking base can, for example, be chosen by the verifier or agreed
in advance by the signer and verifier.
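The linking tag (J, T) produced in 6.6.3 is what the linking process of 6.6.5 and both revocation checks of 6.6.6 operate on. The following Python example is added here for illustration and is not part of the standard; it exercises only that part of Mechanism 8. Assumptions: G_1 is replaced by a toy prime-order subgroup of Z_Q^* written multiplicatively ([s]J becomes J^s mod Q), the credential elements T_1', T_2', R and the pairing check of verification step h) are left out, and all function names are illustrative.

```python
import hashlib
import secrets

def _is_prime(n):
    """Deterministic Miller-Rabin; these bases are sufficient for n < 3e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# ASSUMPTION: toy stand-in for G_1, the order-P subgroup of Z_Q^*.
# It has no pairing and is far too small for real use.
P = 2**61 - 1                                   # prime group order p
COF = next(k for k in range(2, 10**4, 2) if _is_prime(k * P + 1))
Q = COF * P + 1                                 # prime modulus, Q - 1 = COF * P

def _digest(tag, *parts):
    """Length-prefixed SHA-256 over the parts, returned as an integer."""
    h = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")

def H1(bsn):
    """Hash a linking base to a non-identity element of the subgroup."""
    ctr = 0
    while True:
        J = pow(_digest(b"H1", bsn, ctr) % (Q - 1) + 1, COF, Q)
        if J != 1:
            return J
        ctr += 1

def H3(*parts):
    return _digest(b"H3", *parts) % P

def sign_tag(s, bsn, m):
    """Signature steps a), e), f), g), restricted to (J, T, c_m, rho)."""
    # bsn=None plays the role of the special symbol for "no linking base".
    J = H1(secrets.token_bytes(32)) if bsn is None else H1(bsn)
    k_s = secrets.randbelow(P)
    T, T_prime = pow(J, s, Q), pow(J, k_s, Q)   # T = [s]J, T' = [k_s]J
    c_m = H3(J, T, T_prime, m)
    return (J, T, c_m, (k_s + c_m * s) % P)

def verify_tag(bsn, m, sig):
    """Verification steps a), e), f), g); the pairing check h) is omitted."""
    J, T, c_m, rho = sig
    if not (0 < J < Q and 0 < T < Q):
        return False
    if bsn is not None and J != H1(bsn):
        return False
    T_dprime = pow(J, rho, Q) * pow(T, -c_m, Q) % Q   # T'' = [rho]J - [c_m]T
    return H3(J, T, T_dprime, m) == c_m

def link(sig_a, sig_b):
    """6.6.5: linked only if both J and T coincide."""
    return sig_a[0] == sig_b[0] and sig_a[1] == sig_b[1]

def revoked_by_key(sig, rl_keys):
    """6.6.6 private key revocation: True if T = [s']J for some s' in RL."""
    J, T = sig[0], sig[1]
    return any(T == pow(J, s_rev, Q) for s_rev in rl_keys)

def revoked_by_blacklist(sig, rl_tags):
    """6.6.6 verifier blacklist revocation: True if T is already in RL."""
    return sig[1] in rl_tags
```

`revoked_by_key` also matches signatures produced without a linking base, which is the loss of anonymity that NOTE 1 of 6.6.6 describes; `revoked_by_blacklist` only works when the signer reuses one linking base per verifier, as NOTE 2 requires.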
7.1
Replace the first sentence with the following:
This clause specifies three digital signature mechanisms with opening capability.
Replace the text of NOTE with the following:
The mechanisms and associated security proofs in 7.2, 7.3 and 7.4 are based on References [17], [14]
and [23] (an extended version of Reference [24]), respectively.
7.4
Add new subclause 7.4 as follows:
7.4 Mechanism 9
7.4.1 Symbols
The following symbols apply in the specification of this mechanism.
— $P_1, S_i, T_1, T_2, K, K', T_1', T_2'$: elements of $G_1$.
— $P_2, X, Y, A, B, Y_i, C_1, C_2, C_3, C_4, K_1, K_2, K_3, K_4, K_1', K_2', K_3', K_4'$: elements of $G_2$.
— $W_i, W', R, R'$: elements of $G_T$.
— $x, y, a, b, s_i, u, v, k_s, k_u, k_v, c, z_s, z_u, z_v, c', r, t, w, c_m, z, c_m'$: elements of $Z_p$.
— $H$: a hash function that outputs elements in $Z_p$.
7.4.2 Key generation process
The group membership issuer key generation process takes the following steps:
a) Choose a bilinear group pair ($G_1$, $G_2$) of large prime order $p$, such that no efficiently
computable homomorphism is known between $G_1$ and $G_2$, in either direction, and an
associated pairing function $e: G_1 \times G_2 \to G_T$.
b) Choose a random generator $P_1$ of $G_1$ and a random generator $P_2$ of $G_2$.
c) Choose two random integers $x$ and $y$ in $Z_p$.
d) Compute $X = [x]P_2$ and $Y = [y]P_2$.
e) Choose a hash function $H: \{0, 1\}^* \to Z_p$. Such a
hash function shall be constructed as described in Annex B.
f) Output the following:
— group public parameters: ($G_1$, $G_2$, $G_T$, $e$, $p$, $H$, $P_1$, $P_2$),
— group public key: ($X$, $Y$),
— group membership issuing key: ($x$, $y$).
The group membership opener key generation process takes the following steps:
a) Choose two random integers $a$ and $b$ in $Z_p$.
b) Compute $A = [a]P_2$ and $B = [b]P_2$.
c) Output the following:
— group membership opener public key ($A$, $B$),
— group membership opening key ($a$, $b$).
The group membership issuer manages a member-list LIST = (LIST[1], ..., LIST[$n$]) where $n$ is the
number of group members who are registered so far. Each entry of the list contains information
associated with each registered user. This member-list LIST can be published but it will only be useful to
the group membership opener.
The group membership issuing process is an interactive protocol running between the group
...