A group signature scheme with signer-controlled opening capability for signatures with previous time-tokens

Abstract

Group signature is one of the electronic signature techniques that provides anony-mity, and its concept was first introduced by Chaum and Heyst in 1991. In the group signature scheme, a signer is a member of a signer group created by the group manager, and can generate a signature for a message on behalf of that group. The verifier can verify that the message is valid and that one of the members of the group created the signature for the message, but cannot know which of the group members actually signed it.

To prevent abuse of the anonymity, there exists an entity named opener, designated by the system. An opener has a value called an opening key, which is generated by a key generation algorithm, as a secret value that only he or she knows. Using this value, the identity of the actual signer of the corresponding signature can be revealed for a certain group signature. In the case of an accident or dispute in the anonymous authentication system, the problem can be solved by revealing the identity of the signer using the authority of the opener, but from the point of view of group members, there is a concern that their anonymity may be infringed by the opener.

Various studies have been conducted on the group signature technique that limits the opening capability (of the opener). In 2013, Sakai et al. proposed group signature with message dependent opening (GS-MDO). In the GS-MDO, there is an entity called an admitter in addition to the opener. The admitter cannot identify the signer of signatures, but admits the opener to reveal the signer for signatures of the specific messages by issuing tokens. In 2017, Eom et al. proposed group signature with signer-controlled opening capability (GS-SCO). In GS-SCO, the admitter does not exist, and the signer himself/herself creates the token for the message. Therefore, the opener of GS-SCO cannot verify the identity of the signer from the group signature in any case when the signer has not created a token, and can find out who the signer is only for the signature that the signer creates the token.

GS-SCO has improved privacy of the signer in the anonymous authentication system, but on the contrary, the opening capability has been greatly reduced, making it very difficult to respond immediately to problems that may occur in the anonymous authentication system. Therefore, there is a need to find a balance between the signer's privacy and the opener's right to disclose the signer's identity. This paper proposes a group signature scheme with signer-controlled opening capability for signatures with previous time-tokens. The token generation unit specified by the system distributes time-token periodically to all group members, and the signer utilizes that time-token when generating signatures. The opener can reveal the identity of a signer only for signatures with current time-token. For signatures with past time-token, the opener can disclose signer's identity only when he or she creates the message token for signatures.