A Practical and Provably Secure Coalition-Resistant Group Signature Scheme

  • Giuseppe Ateniese
  • Jan Camenisch
  • Marc Joye
  • Gene Tsudik
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 1880)


A group signature scheme allows a group member to sign messages anonymously on behalf of the group. However, in the case of a dispute, the identity of a signature’s originator can be revealed (only) by a designated entity. The interactive counterparts of group signatures are identity escrow schemes or group identification scheme with revocable anonymity. This work introduces a new provably secure group signature and a companion identity escrow scheme that are significantly more efficient than the state of the art. In its interactive, identity escrow form, our scheme is proven secure and coalition-resistant under the strong RSA and the decisional Diffie-Hellman assumptions. The security of the non-interactive variant, i.e., the group signature scheme, relies additionally on the Fiat-Shamir heuristic (also known as the random oracle model).


Group signature schemes revocable anonymity coalition-resistance strong RSA assumption identity escrow provable security 


  1. BF97.
    N. Barić and B. Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In Advances in Cryptology — EUROCRYPT’ 97, vol. 1233 of LNCS, pp. 480–494, Springer-Verlag, 1997.Google Scholar
  2. BR93.
    M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In 1st ACM Conference on Computer and Communication Security, pp. 62–73, ACM Press, 1993.Google Scholar
  3. Bon98.
    D. Boneh. The decision Diffie-Hellman problem. In Algorithmic Number Theory (ANTS-III), vol. 1423 of LNCS, pp. 48–63, Springer-Verlag, 1998.CrossRefGoogle Scholar
  4. Bra93.
    S. Brands. An efficient off-line electronic cash system based on the representation problem. Technical Report CS-R9323, Centrum voor Wiskunde en Informatica, April 1993.Google Scholar
  5. CM98a.
    J. Camenisch and M. Michels. A group signature scheme with improved efficiency. In Advances in Cryptology — ASIACRYPT’ 98, vol. 1514 of LNCS, pp. 160–174, Springer-Verlag, 1998.CrossRefGoogle Scholar
  6. CM98b.
    -. A group signature scheme based on an RSA-variant. Technical Report RS-98-27, BRICS, University of Aarhus, November 1998. An earlier version appears in [CM98a].Google Scholar
  7. CM99a.
    -. Proving in zero-knowledge that a number is the product of two safe primes. In Advances in Cryptology — EUROCRYPT’ 99, vol. 1592 of LNCS, pp. 107–122, Springer-Verlag, 1999.Google Scholar
  8. CM99b.
    -. Separability and efficiency for generic group signature schemes. In Advances in Cryptology — CRYPTO’ 99, vol. 1666 of LNCS, pp. 413–430, Springer-Verlag, 1999.Google Scholar
  9. CP95.
    L. Chen and T. P. Pedersen. New group signature schemes. In Advances in Cryptology — EUROCRYPT’ 94, vol. 950 of LNCS, pp. 171–181, 1995.CrossRefGoogle Scholar
  10. CS97.
    J. Camenisch and M. Stadler. Efficient group signature schemes for large groups. In Advances in Cryptology — CRYPTO’ 97, vol. 1296 of LNCS, pp. 410–424, Springer-Verlag, 1997.CrossRefGoogle Scholar
  11. Cam98.
    J. Camenisch. Group signature schemes and payment systems based on the discrete logarithm problem. PhD thesis, vol. 2 of ETH Series in Information Security an Cryptography, Hartung-Gorre Verlag, Konstanz, 1998. ISBN 3-89649-286-1.Google Scholar
  12. Cop96.
    D. Coppersmith. Finding a small root of a bivariatre interger equation; factoring with high bits known. In Advances in Cryptology — EUROCRYPT’ 96, volume 1070 of LNCS, pages 178–189. Springer Verlag, 1996.Google Scholar
  13. CvH91.
    D. Chaum and E. van Heyst. Group signatures. In Advances in Cryptology — EUROCRYPT’ 91, vol. 547 of LNCS, pp. 257–265, Springer-Verlag, 1991.Google Scholar
  14. DH76.
    W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6): 644–654, 1976.CrossRefMathSciNetGoogle Scholar
  15. FO97.
    E. Fujisaki and T. Okamoto. Statistical zero knowledge protocols to prove modular polynomial relations. In Advances in Cryptology — CRYPTO’ 97, vol. 1297 of LNCS, pp. 16–30, Springer-Verlag, 1997.CrossRefGoogle Scholar
  16. FO98.
    -. A practical and provably secure scheme for publicly verifiable secret] sharing and its applications. In Advances in Cryptology — EUROCRYPT’ 98, vol. 1403 of LNCS, pp. 32–46, Springer-Verlag, 1998.CrossRefGoogle Scholar
  17. FS87.
    A. Fiat and A. Shamir. How to prove yourself: practical solutions to identification and signature problems. In Advances in Cryptology — CRYPTO’ 86, vol. 263 of LNCS, pp. 186–194, Springer-Verlag, 1987.CrossRefGoogle Scholar
  18. GMR88.
    S. Goldwasser, S. Micali, and R. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, 17(2):281–308, 1988.zbMATHCrossRefMathSciNetGoogle Scholar
  19. KP98.
    J. Kilian and E. Petrank. Identity escrow. In Advances in Cryptology — CRYPTO’ 98, vol. 1642 of LNCS, pp. 169–185, Springer-Verlag, 1998.CrossRefGoogle Scholar
  20. LR98.
    A. Lysyanskaya and Z. Ramzan. Group blind digital signatures: A scalable solution to electronic cash. In Financial Cryptography (FC’ 98), vol. 1465 of LNCS, pp. 184–197, Springer-Verlag, 1998.CrossRefGoogle Scholar
  21. Sch91.
    C. P. Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991.zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2000

Authors and Affiliations

  • Giuseppe Ateniese
    • 1
  • Jan Camenisch
    • 2
  • Marc Joye
    • 3
  • Gene Tsudik
    • 4
  1. 1.Department of Computer ScienceThe Johns Hopkins UniversityBaltimoreUSA
  2. 2.IBM Research, Zurich Research LaboratoryRüschlikonSwitzerland
  3. 3.Card Security GroupGemplus Card InternationalGémenosFrance
  4. 4.Department of Information and Computer ScienceUniversity of CaliforniaIrvine, IrvineUSA

Personalised recommendations