Research On Membership Revocation Mechanism In Group Signature

Group signature was presented by Chaum and Heyst at Crypto 1991 conference.The concept is that a member can sign a message on behalf of the group,a verifier can verify the group signature,and be assured that the signature is indeed issued by someone among the group if valid.But the verifier cannot find out who is the real signer.Only the privileged group manager can open a group signature to find out the real signer when necessary.Since group signature combines anonymity and traceability,it can be used in many occasions such as trust computing,network forensics,e-voting,e-auction,e-cash etc.So it soon becomes a central cryptographic primitive and there are many concrete constructions for group signature.The efficiency and security of group signature schemes have been improved a lot over these years.For practical usage of group signature,a very important issue is membership revocation.Because a member's secret key could be lost or stolen in practice,or some member become malicious and abuse his sign right.Today many group signature schemes do not support revocation,or the revocation operation is not very efficient,or the revocation is not flexible enough.These issues hinder practical usage of group signature.A related issue is the revocability of anonymity,i.e.open the signature and find the real signer.The two issues are closely related,since usually a signature which cannot be opened is legitimate.In this paper,the two revocation issues are researched.Also the research is to overcome some problems of existed revocable group signature schemes,such as inflexible revocation operation,ROM-based,and not-so-good trade-offs between anonymity and traceability.The main theme is to provide more revocation options and more flexible revocation operations.To achieve better trade-offs between anonymity and traceability.To make group signature suited for more scenarios.The main results obtained are the following:1.Based on existed forward and backward revocation concept,a new group signature concept with double revocation mechanism is presented,i.e.backward un-linkable and linkable revocation.The former can be applied to normal group members who quit the group,the later to malicious members.A concrete ROM based scheme which combined existed VLR(Verifier Local Revocation),DA(Dynamic Accumulator)revocation and traceable signature is presented.2.Currently there are some standard model group signature schemes which do not support membership revocation.Thus hinder their practical usage.We present a novel and general revocation method for standard model group signature scheme based on length-reducing commitment and Groth-Sahai proof system.Demonstrate its usage by adding revocation capability to the Groth's full secure group signature scheme.3.Based on existed K-times conditional group signature concept,a new digital signature concept,i.e.K+L-times conditional group signature,is introduced.Compared with traditional ring and group signature,this new signature scheme can achieve better tradeoffs between anonymity and traceability.4.Combining ring signature and group signature,a new anonymity-revocable ring signature scheme is constructed in standard model.The anonymity of group signature can be revoked by group manager,though the anonymity of ring signature is unconditional.Besides,the anonymity level of ring signature can be controlled by signer,i.e.he is free to form the ring which contains him when signing.Combining these properties of group and ring signature,we present an efficient ring signature scheme with revocable anonymity.The security assurance is higher,since existed anonymity-revocable ring signature scheme is based on ROM model.RRS(Revocable ring signature)adds signer-controlled traceability to the common ring signature scheme.Previous RRS scheme was constructed based on random oracle model,which only provide heuristic security.A new RRS scheme in standard model is presented based on Groth-Sahai proof system and structure-preserving signature.Moreover the new RRS scheme can guarantee anonymity even when the signer's private key is exposed,resolving an open problem posed by the authors who introduced the RRS concept.