In 1991, D. Chaum and E. van Heijst [8] introduced the
concept of group signature schemes. A group signature scheme
allows members to sign a document on behalf of the group in such a
way that signatures remain anonymous and unlinkable for everybody
but a group manager (GM), who can recover the identity of the
signer whenever needed (the latter procedure is called ``signature
opening''). Numerous group signature schemes have been published
and some of them are quite efficient ([1], [6],
[7] and [15]). In more recent ones, signatures and
public keys are constant-size and security is well established,
allowing them to be used in various applications such as
electronic cash ([15]), voting or bidding systems
([12]). However some problems still remain among which the
high computation cost of the signature, the coalition-resistance
and member revocation.
In this paper, we investigate a completely different approach for
carrying out group signature schemes, namely the usage of a
tamper-resistant device - typically a smart card. This allows a
very low cost during the signature phase. In fact, the signer only
has to compute two or three modular exponentiations (in contrast
with roughly a dozen in the scheme from [1] for
example). Moreover, the coalition-resistance problem is very easy
to solve when using smart cards and more simple procedures can be
used for member revocation.
The use of a smart card allows to prevent an (untrusted) member
from cheating, by letting his (trusted) device both secretly store
the signature keys and control their legitimate usage. Using smart
cards allows to provide solutions for member revocation that are
generic (i.e. work with any group signature scheme) and efficient,
in that the signatures are short and constant-size, and the number
of computations (for the signer and the verifier) is constant.
Moreover the work during the revocation protocol is constant.
Since smart cards are more and more used in real-life
applications, our solutions can be implemented at a negligible
extra-cost.
This paper is organized as follows. The following section provides
background on group signature schemes and points remaining
problems out. Section 3 presents our group signature scheme and
shows that it is coalition-resistant. Section 4 presents various
solutions for providing member revocation. Finally, we conclude in
section 5.