
For FullText PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.

Shortening the LibertPetersYung Revocable Group Signature Scheme by Using the Random Oracle Methodology
Kazuma OHARA Keita EMURA Goichiro HANAOKA Ai ISHIDA Kazuo OHTA Yusuke SAKAI
Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences
Vol.E102A
No.9
pp.11011117 Publication Date: 2019/09/01
Online ISSN: 17451337
DOI: 10.1587/transfun.E102.A.1101
Type of Manuscript: Special Section PAPER (Special Section on Discrete Mathematics and Its Applications) Category: Cryptography and Information Security Keyword: group signature, revocation, scalability,
Full Text: PDF(1.8MB)>>
Summary:
At EUROCRYPT 2012, Libert, Peters and Yung (LPY) proposed the first scalable revocable group signature (RGS) scheme in the standard model which achieves constant signing/verification costs and other costs regarding signers are at most logarithmic in N, where N is the maximum number of group members. However, although the LPY RGS scheme is asymptotically quite efficient, this scheme is not sufficiently efficient in practice. For example, the signature size of the LPY scheme is roughly 10 times larger than that of an RSA signature (for 160bit security). In this paper, we propose a compact RGS scheme secure in the random oracle model that is efficient not only in the asymptotic sense but also in practical parameter settings. We achieve the same efficiency as the LPY scheme in an asymptotic sense, and the signature size is nearly equal to that of an RSA signature (for 160bit security). It is particularly worth noting that our RGS scheme has the smallest signature size compared to those of previous RGS schemes which enable constant signing/verification costs. Our technique, which we call parallel BonehBoyenShacham group signature technique, helps to construct an RGS scheme without following the technique used in LPY, i.e., we directly apply the NaorNaorLotspiech framework without using any identitybased encryption.

