A group signature scheme allows us to anonymously sign a message on behalf of a group. One of important issues in the group signatures is user revocation, and thus lots of revocable group signature (RGS) schemes have been proposed so far. One of the applications suitable to the group signature is privacy-enhancing crowdsensing, where the group signature allows mobile sensing users to be anonymously authenticated to hide the location. In the mobile environment, verifier-local revocation (VLR) type of RGS schemes are suitable, since revocation list (RL) is not needed in the user side. However, in the conventional VLR-RGS schemes, the revocation check in the verifier needs O(R) cryptographic operations for the number R of revoked users. On this background, VLR-RGS schemes with efficient revocation check have been recently proposed, where the revocation check is just (bit-string) matching. However, in the existing schemes, signatures are linkable in the same interval or in the same application-independent task with a public index. The linkability is useful in some scenarios, but users want the unlinkability for the stronger anonymity. In this paper, by introducing a property that at most K unlinkable signatures can be issued by a signer during each interval for a fixed integer K, we propose a VLR-RGS scheme with the revocation token matching. In our scheme, even the signatures during the same interval are unlinkable. Furthermore, since used indexes are hidden, the strong anonymity remains. The overheads are the computational costs of the revocation algorithm and the RL size. We show that the overheads are practical in use cases of crowdsensing.

Collecting and analyzing personal data is important in modern information applications. Though the privacy of data providers should be protected, the need to track certain data providers often arises, such as tracing specific patients or adversarial users. Thus, tracking only specific persons without revealing normal users' identities is quite important for operating information systems using personal data. It is difficult to know in advance the rules for specifying the necessity of tracking since the rules are derived by the analysis of collected data. Thus, it would be useful to provide a general way that can employ any data analysis method regardless of the type of data and the nature of the rules. In this paper, we propose a privacy-preserving data analysis construction that allows an authority to detect specific users while other honest users are kept anonymous. By using the cryptographic techniques of group signatures with message-dependent opening (GS-MDO) and public key encryption with non-interactive opening (PKENO), we provide a correspondence table that links a user and data in a secure way, and we can employ any anonymization technique and data analysis method. It is particularly worth noting that no “big brother” exists, meaning that no single entity can identify users who do not provide anomaly data, while bad behaviors are always traceable. We show the result of implementing our construction. Briefly, the overhead of our construction is on the order of 10 ms for a single thread. We also confirm the efficiency of our construction by using a real-world dataset.

Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers N, and other costs regarding signers are at most logarithmic in N, is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient compared to previous all scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all scalable schemes are secure under q-type assumptions. We implemented our scheme by employing a Barreto-Lynn-Scott curve of embedding degree 12 over a 455-bit prime field (BLS-12-455), and a Barreto-Naehrig curve of embedding degree 12 over a 382-bit prime field (BN-12-382), respectively, by using the RELIC library. We showed that the online running times of our signing algorithm were approximately 14msec (BLS-12-455) and 11msec (BN-12-382), and those of our verification algorithm were approximately 20msec (BLS-12-455) and 16msec (BN-12-382), respectively. Finally, we showed that our scheme (with a slight extension) is applied to an identity management system proposed by Isshiki et al.

In ID-based user authentications, a privacy problem can occur, since the service provider (SP) can accumulate the user's access history from the user ID. As a solution to that problem, group signatures have been researched. One of important issues in the group signatures is the user revocation. Previously, an efficient revocable scheme with signing/verification of constant complexity was proposed by Libert et al. In this scheme, users are managed by a binary tree, and a list of data for revoked users, called a revocation list (RL), is used for revocation. However, the scheme suffers from the large RL. Recently, an extended scheme has been proposed by Sadiah and Nakanishi, where the RL size is reduced by compressing RL. On the other hand, there is a problem that some overhead occurs in the authentication as a price for reducing the size of RL. In this paper, we propose an extended scheme where the authentication is speeded up by reducing the number of Groth-Sahai (GS) proofs. Furthermore, we implemented it on a PC to show the effectiveness. The verification time is about 30% shorter than that of the previous scheme by Sadiah and Nakanishi.

At EUROCRYPT 2012, Libert, Peters and Yung (LPY) proposed the first scalable revocable group signature (R-GS) scheme in the standard model which achieves constant signing/verification costs and other costs regarding signers are at most logarithmic in N, where N is the maximum number of group members. However, although the LPY R-GS scheme is asymptotically quite efficient, this scheme is not sufficiently efficient in practice. For example, the signature size of the LPY scheme is roughly 10 times larger than that of an RSA signature (for 160-bit security). In this paper, we propose a compact R-GS scheme secure in the random oracle model that is efficient not only in the asymptotic sense but also in practical parameter settings. We achieve the same efficiency as the LPY scheme in an asymptotic sense, and the signature size is nearly equal to that of an RSA signature (for 160-bit security). It is particularly worth noting that our R-GS scheme has the smallest signature size compared to those of previous R-GS schemes which enable constant signing/verification costs. Our technique, which we call parallel Boneh-Boyen-Shacham group signature technique, helps to construct an R-GS scheme without following the technique used in LPY, i.e., we directly apply the Naor-Naor-Lotspiech framework without using any identity-based encryption.

Group signature (GS) schemes guarantee anonymity of the actual signer among group members. Previous GS schemes assume that randomness in signing is never exposed. However, in the real world, full randomness exposure can be caused by implementation problems (e.g., using a bad random number generator). In this paper, we study (im)possibility of achieving anonymity against full randomness exposure. First, we formulate a new security model for GS schemes capturing full randomness exposure. Next, we clarify that it is impossible to achieve full-anonymity against full randomness exposure without any secure component (e.g., a tamper-proof module or a trusted outside storage). Finally, we show a possibility result that selfless-anonymity can be achieved against full randomness exposure. While selfless-anonymity is weaker than full-anonymity, it is strong enough in practice. Our transformation is quite simple; and thus, previous GS schemes used in real-world systems can be easily replaced by a slight modification to strengthen the security.

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, it is not always the case that we need to know the specific identity of a signature. In this paper, we propose the notion of deniable group signatures, where the authority can issue a proof showing that the specified user is NOT the signer of a signature, without revealing the actual signer. We point out that existing efficient non-interactive zero-knowledge proof systems cannot be straightforwardly applied to prove such a statement. We circumvent this problem by giving a fairly practical construction through extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

A group signature allows any group member to anonymously sign a message. One of the important issues is an efficient membership revocation. The scheme proposed by Libert et al. has achieved O(1) signature and membership certificate size, O(1) signing and verification times, and O(log N) public key size, where N is the total number of members. However the Revocation List (RL) data is large, due to O(R) signatures in RL, where R is the number of revoked members. The scheme proposed by Nakanishi et al. achieved a compact RL of O(R/T) signatures for any integer T. However, this scheme increases membership certificate size by O(T). In this paper, we extend the scheme proposed by Libert et al., by reducing the RL size to O(R/T) using a vector commitment to compress the revocation entries, while O(1) membership certificate size remains.

A group signature scheme allows a group member to anonymously sign a message on behalf of the group. One of the important issues is the member revocation, and lots of revocable schemes have been proposed so far. A scheme recently proposed by Libert et al. achieves that O(1) or O(log N) efficiency of communication and computation except for the revocation list size (also the revocation cost), for the total number of members N and the number of revoked members R. However, since a signature is required for each subset separated from the set of non-revoked members, the size is about 900R Bytes in the 128-bit security. In the case of R=100,000, it amounts to about 80MB. In this paper, we extend the scheme to reduce the revocation list (also the revocation cost), by accumulating T subsets, which is signed for the revocation list. The revocation list size is reduced by 1/T. Unfortunately, the public key size, membership certificate size and the cost of a witness computation needed for signing increase related to T.

For the sake of privacy preservation, services that are offered with reference to individual user preferences should do so with a sufficient degree of anonymity. We surveyed various tools that meet requirements of such services and decided that group signature schemes with weakened anonymity (without unlinkability) are adequate. Then, we investigated a theoretical gap between unlinkability of group signature schemes and their other requirements. We show that this gap is significantly large. Specifically, we clarify that if unlinkability can be achieved from any other property of group signature schemes, it becomes possible to construct a chosen-ciphertext secure cryptosystem from any one-way function. This result implies that the efficiency of group signature schemes can be drastically improved if unlinkability is not taken into account. We also demonstrate a way to construct a scheme without unlinkability that is significantly more efficient than the best known full-fledged scheme.

To reduce the damage of key exposures, forward-secure group signature schemes have been first proposed by Song. In the forward-secure schemes, a secret key of a group member is updated by a one-way function every interval and the previous secret key is erased. Thus, even if a secret key is exposed, the signatures produced by the secret keys of previous intervals remain secure. Since the previous forward-secure group signature schemes are based on the strong RSA assumption, the signatures are longer than pairing-based group signatures. In addition, the complexity of the key update or signing/verification is O(T), where T is the total number of intervals. In this paper, a forward-secure group signature scheme from pairings is proposed. The complexity of our key update and signing/verification is O(log T).

Lots of revocable group signature schemes have been proposed so far. In one type of revocable schemes, signing and/or verifying algorithms have O(N) or O(R) complexity, where N is the group size and R is the number of revoked members. On the other hand, in Camenisch-Lysyanskaya scheme and the followers, signing and verifying algorithms have O(1) complexity. However, before signing, the updates of the secret key are required. The complexity is O(R) in the worst case. In this paper, we propose a revocable scheme with signing and verifying of O(1) complexity, where any update of secret key is not required. The compensation is the long public key of O(N). In addition, we extend it to the scheme with O()-size public key, where signing and verifying have constant extra costs.

A group signature scheme introduced by Chaum and Van Heyst allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signer of a group signature can be revealed only by a privileged entity, called a group manager. The group signature scheme has mainly been studied from the viewpoint of computational security setting so far. The main contribution of this paper is to study group signature schemes in unconditional security. More specifically, we newly introduce strong security notions of unconditionally secure group signatures (USGS for short) based on the idea of those of computationally secure group signatures proposed by Bellare, Micciancio and Warinschi. We also provide a generic method to construct USGS that is provably secure in our security definition. More precisely, we construct USGS by combining an encryption scheme with a signature, and show that the constructed scheme is unconditionally secure if the encryption and the signature used in the construction are unconditionally secure. Finally, we provide an instantiation of the one-time secure group signature scheme based on the generic construction.

We propose an authentication scheme in which users can be authenticated anonymously so long as times that they are authenticated is within an allowable number. The proposed scheme has two features: 1) no one, not even an authority, can identify users who have been authenticated within the allowable number, 2) anyone can trace, without help from the authority, dishonest users who have been authenticated beyond the allowable number by using the records of these authentications. Our scheme can be applied to e-voting, e-cash, electronic coupons, and trial browsing of content. In these applications, our scheme, unlike the previous one, conceals users' participation from protocols and guarantees that they will remain anonymous to everyone.

In this letter, we improve NF'07 (Nakanishi and Funabiki) VLR group signature scheme such that it satisfies exculpability and has lower computation costs. In the proposed scheme, a group member generates his own private key together with the group manager in order to realize exculpability while the signature size is not made longer. Also, a new revocation check method is proposed at the step of verifying, and the computation costs of verifying are independent of the number of the revoked members, while they are linear with the number of the revoked members in the original scheme. Thus, the proposed scheme is more efficient than the original scheme and can be applicable to mobile environments such as IEEE 802.1x.

In the current broadcasting system or Internet content distribution system, content providers distribute decoders (STB) that contain secret keys for content decryption, prior to content distribution. A content provider sends encrypted content to each user, who then decodes it with his or her STB. While users can get the services at their houses if they have an STB, it is hard for them to get the services outside their houses. A system that allowed users to carry around their secret keys would improve usability, but it would require countermeasures against secret key exposure. In this paper, we propose such an extended broadcasting system using tokens and group signature. The content providers can control the number of keys that users can use outside their houses. The system enables the broadcasters to minimize the damage caused by group signature key exposures and the user to get services outside his or her home.

Previously Verifier-Local Revocation (VLR) group signature schemes from bilinear maps were proposed. In VLR schemes, only verifiers are involved in the revocation of a member, while signers are not. Thus, the VLR schemes are suitable for mobile environments. Furthermore, the previously proposed schemes satisfy the important backward unlinkability. This means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. This property is needed in case of a voluntary leave of a member or in case of a key loss. However, in the previous schemes, signatures become long, due to the adopted assumption, which should be improved in order to apply the schemes to the mobile environments. In this paper an improved VLR scheme is proposed with the shorter group signatures. This is achieved by using a different assumption, DLDH assumption, and improving zero-knowledge proofs in the group signatures. The length of the proposed group signatures is reduced to about 53% of that of the previous ones.

Ring signature scheme enables a signer to sign a message anonymously. In the ring signature scheme, the signer who wants to sign a document anonymously first chooses some public keys of entities (signers) and then generates a signature which ensures that one of the signer or entities signs the document. In some situations, however, the ring signature scheme allows the signer to shift the blame to victims because of the anonymity. The group signature scheme may be a solution for the problem; however, it needs an electronic big brother, called a group manager, who can violate the signer anonymity by himself, and a complicated key setting. This paper introduces a new notion of a signature scheme with signer anonymity, a deniable ring signature scheme (DRS), in which no group manager exists, and the signer should be involved in opening the signer anonymity. We also propose a concrete scheme proven to be secure under the assumption of the DDH (decision Diffie Hellman) problem in the random oracle model.

An approach of membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Thus, since signers have no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, this scheme does not satisfy the backward unlikability. The backward unlinkability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with the backward unlinkability from bilinear maps.

We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].