A Revocable Group Signature Scheme with Scalability from Simple Assumptions

Keita EMURA  Takuya HAYASHI  

Publication
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences   Vol.E103-A   No.1   pp.125-140
Publication Date: 2020/01/01
Online ISSN: 1745-1337
DOI: 10.1587/transfun.2019CIP0004
Type of Manuscript: Special Section PAPER (Special Section on Cryptography and Information Security)
Category: 
Keyword: 
group signatures,  anonymity,  revocation,  scalability,  identity management system,  

Full Text: PDF(935KB)>>
Buy this Article




Summary: 
Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers N, and other costs regarding signers are at most logarithmic in N, is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient compared to previous all scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all scalable schemes are secure under q-type assumptions. We implemented our scheme by employing a Barreto-Lynn-Scott curve of embedding degree 12 over a 455-bit prime field (BLS-12-455), and a Barreto-Naehrig curve of embedding degree 12 over a 382-bit prime field (BN-12-382), respectively, by using the RELIC library. We showed that the online running times of our signing algorithm were approximately 14msec (BLS-12-455) and 11msec (BN-12-382), and those of our verification algorithm were approximately 20msec (BLS-12-455) and 16msec (BN-12-382), respectively. Finally, we showed that our scheme (with a slight extension) is applied to an identity management system proposed by Isshiki et al.