only members of the group can sign messages;
the receiver can verify that it is a valid group signature, but cannot discover which group member made it;
if necessary, the signature can be “opened”, so that the person who signed the message is revealed.
We present four schemes that satisfy the properties above. Not all these schemes are based on the same cryptographic assumption. In some of the schemes a trusted centre is only needed during the setup; and in other schemes, each person can create the group he belongs to.
- [BCDvdG87]Ernest Brickell, David Chaum, Ivan Damgard and Jeroen van de Graaf, Gradual and verifiable release of a secret, Advances in Cryptology-CRYPTO 87, C. Pomerance ed., Lecture Notes in Computer Science 293, Springer-Verlag, pp. 156–166.Google Scholar
- [Ch87]David Chaum, Blinding for unanticipated signatures, Advances in Cryptology-EUROCRYPT 87, D. Chaum, W. Price eds., Lecture Notes in Computer Science 304, Springer-Verlag, pp. 227–233.Google Scholar
- [Ch90]David Chaum, Zero-knowledge undeniable signatures, Advances in Cryptology-EUROCRYPT 90, I. Damgård ed., Lecture Notes in Computer Science 473, Springer-Verlag, pp. 458–464.Google Scholar
- [CEvdG87]David Chaum, Jan-Hendrik Evertse and Jeroen van de Graaf, An improved protocol for demonstrating possession of discrete logarithms and some generalizations, Advances in Cryptology-EUROCRYPT 87, D. Chaum, W. Price eds., Lecture Notes in Computer Science 304, Springer-Verlag, pp. 127–141.Google Scholar
- [OOK90]Kazuo Ohta, Tatsuaki Okamoto and Kenji Koyama, Membership authentication for hierarchical multigroup using the extended Fiat-Shamir scheme, Advances in Cryptology-EUROCRYPT 90, I. Damgård ed., Lecture Notes in Computer Science 473, Springer-Verlag, pp. 446–457.Google Scholar
- [SS90]Schrift and Shamir, The discrete log is very discreet, Proc. 22 nd STOC 1990, pp. 405–415.Google Scholar