A Group Signature Scheme with Improved Efficiency (Extended Abstract)

Camenisch, Jan; Michels, Markus

doi:10.1007/3-540-49649-1_14

Cited by 118 publications

(94 citation statements)

References 42 publications

(56 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Extending the scheme to a blind group-signature scheme or to split the group manager into a membership manager and a revocation manager is straight-forward (cf. [CM98a,LR98]). …”

Section: Discussionmentioning

confidence: 99%

“…Moreover, our registration protocol is statistically zero-knowledge with respect to the group member's secrets. In contrast, in [CM98a] the group member is required to send the group manager the product of her secret, a prime of special form, and a random prime; such products are in principle susceptible to an attack due to Coppersmith [Cop96]. Moreover, our scheme is provably coalition-resistance against an adaptive adversary, whereas for the scheme by Camenisch and Michels [CM98a] this holds only for a static adversary.…”

Section: Introductionmentioning

confidence: 95%

“…Our new (group signature) scheme improves on the state-of-the-art exemplified by the scheme of Camenisch and Michels [CM98a] which is the only known scheme whose coalition-resistance is provable under a standard cryptographic assumption. In particular, our scheme's registration protocol (JOIN) for new members is an order of magnitude more efficient.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

Ateniese

Camenisch

Joye³

et al. 2000

Lecture Notes in Computer Science

Self Cite

576

484

View full text Add to dashboard Cite

Abstract.A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature's originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalition-resistant under the strong RSA and the decisional Diffie-Hellman assumptions. The security of the noninteractive variant, i.e., the group signature scheme, relies additionally on the Fiat-Shamir heuristic (also known as the random oracle model).

show abstract

“…Extending the scheme to a blind group-signature scheme or to split the group manager into a membership manager and a revocation manager is straight-forward (cf. [CM98a,LR98]). …”

Section: Discussionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 95%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

Ateniese

Camenisch

Joye³

et al. 2000

Lecture Notes in Computer Science

Self Cite

576

484

View full text Add to dashboard Cite

show abstract

“…For a user with secret key x, a group membership certificate for an appointed verifier V , will be a quin-tuple (s, Z, c, u, e) such that each of these values lies in the correct integer interval, u 2e = (a 0 a s 1 a x 2 Za c 4 ) 2 holds, and c is the encryption of the value log a3 Z mod n under V 's public key. We show that such a certificate is hard to forge under the strong RSA assumption [3,11,23,27,28] and the assumption that computing discrete logarithms modulo a modulus of this form is hard. On the other hand, if c is not an encryption of log a3 Z mod n, then this certificate is easy to forge (Lemma 3).…”

Section: The Modelmentioning

confidence: 99%

An Identity Escrow Scheme with Appointed Verifiers

Camenisch

Lysyanskaya²

2001

Advances in Cryptology — CRYPTO 2001

Self Cite

View full text Add to dashboard Cite

Abstract. An identity escrow scheme allows a member of a group to prove membership in this group without revealing any extra information. At the same time, in case of abuse, his identity can still be discovered. Such a scheme allows anonymous access control. In this paper, we put forward the notion of an identity escrow scheme with appointed verifiers. Such a scheme allows the user to only convince an appointed verifier (or several appointed verifiers) of his membership; but no unauthorized verifier can verify a user's group membership even if the user fully cooperates, unless the user is completely under his control. We provide a formal definition of this new notion and give an efficient construction of an identity escrow scheme with appointed verifiers provably secure under common number-theoretic assumptions in the public-key model.

show abstract

“…To address this, Bellare, Shi, and Zhang [3] extended the model of [2] to capture dynamic group signature schemes in which a user can dynamically join the group by engaging in a join protocol with the issuer. Furthermore, to reduce trust in the opener, the model adopts the approach by Camenisch and Michels [11], and requires that the opener produces a non-interactive and publicly verifiable proof that a given signature was produced by a given signer. The model introduces three formal security notions: anonymity, traceability, and non-frameability.…”

Section: Introductionmentioning

confidence: 99%

On the Security of Dynamic Group Signatures: Preventing Signature Hijacking

Sakai

Schuldt

Emura

et al. 2012

Public Key Cryptography – PKC 2012

View full text Add to dashboard Cite

We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the dynamic group signature scheme by Groth (ASIACRYPT 2007) does not provide protection against this type of malicious behavior.To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions.We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.

show abstract

A Group Signature Scheme with Improved Efficiency (Extended Abstract)

Cited by 118 publications

References 42 publications

A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

An Identity Escrow Scheme with Appointed Verifiers

On the Security of Dynamic Group Signatures: Preventing Signature Hijacking

Contact Info

Product

Resources

About