Separability and efficiency for generic group signature schemes

Abstract

A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an efficient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depend on the number of group member. Its efficiency is comparable to the most efficient schemes that do not offer separability and is an order of magnitude more efficient than a previous scheme that provides partial separability. As a side result, we provide efficient proofs of the equality of two discrete logarithms from different groups and, more general, of the validity of polynomial relations in Z among discrete logarithms from different groups.