This paper introduces group signatures, a new type of digital signature scheme that allows members of a group to sign messages while maintaining the privacy of the signer. The scheme has three main properties: (i) only group members can sign messages; (ii) the receiver can verify the signature but cannot determine the signer; and (iii) the signature can be "opened" to reveal the signer's identity if needed. Group signatures generalize credential authentication schemes, where a person proves they belong to a group without revealing their identity.
Four group signature schemes are presented, each based on different cryptographic assumptions. The first scheme uses any public key system, while the others rely on assumptions related to the difficulty of computing discrete logarithms and RSA roots. In some schemes, a trusted authority is needed during setup, while others allow group members to create their own group without a trusted center.
The first scheme involves a trusted authority (Z) that distributes secret keys and public keys to group members. Each member can sign messages using their secret key, and the recipient can verify the signature using the corresponding public key. Z can identify the signer if needed. To protect privacy, public keys are blinded, ensuring Z cannot forge signatures.
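The first scheme as summarized above, sketched in Python as an added example (not code from the paper). Lamport one-time signatures stand in for "any public key system", the names `Authority`, `group_sign` and `group_verify` are hypothetical, and the blinding of public keys is omitted, so this Z generates the secret keys itself.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def msg_bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def keygen():
    # Lamport one-time key pair (assumed choice of public key system).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = tuple((H(a), H(b)) for a, b in sk)
    return sk, pk

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for i, (b, s) in enumerate(zip(msg_bits(msg), sig)))

class Authority:
    """Z: issues a key list per member, publishes a shuffled directory, can open."""
    def __init__(self, members, keys_each=2):
        self._owner = {}                      # pk -> member, known only to Z
        self.issued = {m: [] for m in members}
        for m in members:
            for _ in range(keys_each):
                sk, pk = keygen()
                self.issued[m].append((sk, pk))
                self._owner[pk] = m
        self.directory = list(self._owner)    # public keys only, no names
        secrets.SystemRandom().shuffle(self.directory)

    def open(self, msg, group_sig):
        pk, sig = group_sig
        return self._owner.get(pk) if verify(pk, msg, sig) else None

def group_sign(key, msg):
    sk, pk = key
    return pk, sign(sk, msg)

def group_verify(directory, msg, group_sig):
    # Accept if the signature verifies under any key in the group directory.
    pk, sig = group_sig
    return pk in directory and verify(pk, msg, sig)
```

Each issued key should sign only one message: two signatures under the same public key are linkable to each other, and a Lamport key reveals secret material when reused.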
The second scheme uses a trusted authority to generate large primes and a one-way function. Group members sign messages using their secret keys, and the recipient verifies the signature. A confirmation protocol is used to prove the validity of the signature without revealing the signer's identity.
The third scheme relies on RSA and requires the factorization of each member's RSA modulus. The signature includes the set of signers and a cryptographic proof that the exponent used is valid.
The fourth scheme is based on discrete logarithms and uses public generators and secret keys. The signature includes the set of signers and a cryptographic proof that the secret exponent is used in a public key.
The paper also discusses open problems, including the possibility of creating group signatures that can be opened by a majority of members and the application of existing cryptographic results to ensure anonymity in group signatures.