Abstract
This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.
Highlights
Group signatures [1] are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group
They proposed a partially structure-preserving identitybased encryption (IBE) scheme and used it as a building block of group signature scheme with message-dependent opening (GS-messagedependent opening (MDO)). The signature of their scheme consists of 53 log N + 35 group elements, where N is the number of group members, whereas our GS-MDO schemes achieve constant-size signatures, though our standard model scheme does not achieve the unbounded MDO property
This primitive is an extension of ordinary group signatures, which relaxes the strong assumption that the opener, who is able to trace the identity of the signer of a signature, does not misuse his strong capability of breaking anonymity
Summary
Group signatures [1] are anonymous signatures that allow members of a group to anonymously sign messages on behalf of the group. As follow-up works to our results [45, 46], Libert and Joye [7] proposed an unbounded GS-MDO scheme in the standard model with logarithmic signature size They proposed a partially structure-preserving IBE scheme and used it as a building block of GS-MDO. The signature of their scheme consists of 53 log N + 35 group elements, where N is the number of group members, whereas our GS-MDO schemes achieve constant-size signatures, though our standard model scheme does not achieve the unbounded MDO property.
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
