Jump to ContentJump to Main Navigation
Show Summary Details
More options …

Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access
See all formats and pricing
More options …

Accountable Metadata-Hiding Escrow: A Group Signature Case Study

Markulf Kohlweiss / Ian Miers
Published Online: 2015-06-22 | DOI: https://doi.org/10.1515/popets-2015-0012


A common approach to demands for lawful access to encrypted data is to allow a trusted third party (TTP) to gain access to private data. However, there is no way to verify that this trust is well placed as the TTP may open all messages indiscriminately. Moreover, existing approaches do not scale well when, in addition to the content of the conversation, one wishes to hide one’s identity. Given the importance of metadata this is a major problem. We propose a new approach in which users can retroactively verify cryptographically whether they were wiretapped. As a case study, we propose a new signature scheme that can act as an accountable replacement for group signatures, accountable forward and backward tracing signatures.

Keywords: Accountability; traceable signatures; group signatures


  • [1] Masayuki Abe, Melissa Chase, Bernardo David, Markulf Kohlweiss, Ryo Nishimaki, and Miyako Ohkubo. Constant-size structure-preserving signatures: Generic constructions and simple assumptions. In Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2-6, 2012. Proceedings, pages 4–24, 2012.Google Scholar

  • [2] Masayuki Abe, Bernardo David, Markulf Kohlweiss, Ryo Nishimaki, and Miyako Ohkubo. Tagged one-time signatures: Tight security and optimal tag size. In Public-Key Cryptography - PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, February 26 - March 1, 2013. Proceedings, pages 312–331, 2013.Google Scholar

  • [3] Masayuki Abe, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. Optimal structure-preserving signatures in asymmetric bilinear groups. In Advances in Cryptology - CRYPTO 2011 - 31st Annual Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2011. Proceedings, pages 649–666, 2011.Google Scholar

  • [4] Masayuki Abe, Kristiyan Haralambiev, and Miyako Ohkubo. Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133, 2010.Google Scholar

  • [5] Mihir Bellare, Alexandra Boldyreva, Anand Desai, and David Pointcheval. Key-privacy in public-key encryption. In Advances in Cryptology—ASIACRYPT 2001, pages 566–582. Springer, 2001.Google Scholar

  • [6] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Advances in Cryptology—Eurocrypt 2003, pages 614–629. Springer, 2003.Google Scholar

  • [7] Jan Camenisch, Nishanth Chandran, and Victor Shoup. A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In Advances in Cryptology - EUROCRYPT 2009, volume 5479, pages 351–368, 2009.Google Scholar

  • [8] David Chaum and Eugène van Heyst. Group signatures. In EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages 257–265, 1991.Google Scholar

  • [9] Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. Transferable constant-size fair e-cash. In Juan A. Garay, Atsuko Miyaji, and Akira Otsuka, editors, CANS, volume 5888 of Lecture Notes in Computer Science, pages 226–247. Springer, 2009.Google Scholar

  • [10] Georg Fuchsbauer and Damien Vergnaud. Fair blind signatures without random oracles. In AFRICACRYPT, volume 6055 of Lecture Notes in Computer Science, pages 16–33, 2010.Google Scholar

  • [11] Philippe Golle, Markus Jakobsson, Ari Juels, and Paul F. Syverson. Universal re-encryption for mixnets. In CT-RSA, volume 2964 of Lecture Notes in Computer Science, pages 163–178, 2004.Google Scholar

  • [12] Matthew Green. Secure blind decryption. In Dario Catalano, Nelly Fazio, Rosario Gennaro, and Antonio Nicolosi, editors, Public Key Cryptography, volume 6571 of Lecture Notes in Computer Science, pages 265–282. Springer, 2011.Google Scholar

  • [13] Dennis Hofheinz and Tibor Jager. Tightly secure signatures and public-key encryption. In CRYPTO. Springer, 2012.Google Scholar

  • [14] Aggelos Kiayias, Yiannis Tsiounis, and Moti Yung. Traceable signatures. In Advances in Cryptology-EUROCRYPT 2004, pages 571–589. Springer, 2004.Google Scholar

  • [15] Dennis Kügler and Holger Vogt. Auditable tracing with unconditional anonymity. 2001.Google Scholar

  • [16] Dennis Kügler and Holger Vogt. Offline payments with auditable tracing. In Financial Cryptography, pages 269–281. Springer, 2003.Google Scholar

  • [17] Kaoru Kurosawa. Multi-recipient public-key encryption with shortened ciphertext. In Public Key Cryptography, pages 48–63. Springer, 2002.Google Scholar

  • [18] Jia Liu, Mark D Ryan, and Liqun Chen. Balancing societal security and individual privacy: Accountable escrow system. In 27th IEEE Computer Security Foundations Symposium (CSF), 2014.Google Scholar

  • [19] Bryan Parno, Jon Howell, Craig Gentry, and Mariana Raykova. Pinocchio: Nearly practical verifiable computation. In IEEE Symposium on Security and Privacy, pages 238–252. IEEE Computer Society, 2013.Google Scholar

About the article

Received: 2015-02-15

Revised: 2015-05-18

Accepted: 2015-05-18

Published Online: 2015-06-22

Published in Print: 2015-06-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2015, Issue 2, Pages 206–221, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0012.

Export Citation

© Markulf Kohlweiss et al.. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. BY-NC-ND 3.0

Comments (0)

Please log in or register to comment.
Log in