Group Signature

GS (Group Signature) is a mechanism allowing a single user to sign messages or transactions on behalf of a group. It was initially proposed by David Chaum and Eugene Van Heyst in April 1991¹ with the following key attributes:

1. Only members of a group can sign messages/transactions
2. A receiver can verify the signature's validity
3. The receiver cannot discover which group member signed it
4. If required, for example, in case of a dispute, an administrator or the group participants can disclose the actual signer using verification keys.

The described above attributes ensure the following security criteria:

1. Anonymity: A message signer's identity is not revealed unless there is a dispute
2. Unlinkability: It is impossible to know whether a specific user made one or several signatures.
3. Anonymous Traceability: Even if it has been revealed that a user signed some specific transaction, it does not automatically reveal that this particular user makes any future signature.

General Application

Before signing a transaction on behalf of the group, a group member selects one of the Secret Keys for the list. The receiver checks the signature against the list of corresponding public keys. If the signature matches at least one of the keys, the signature is acknowledged as valid.

Cons of the GS

1. The group administrator can sign on behalf of the group members
2. Adding a new group member is technically complicated
3. The array of the key pairs for each group member must be large enough to securely complicate the direct association of the group members with the key pairs.

Current situation

One of the most famous GS was proposed by Dan Boneh, Xavier Boyen & Hovav Shaham². They constructed a short group signature scheme based on the Strong Diffie-Hellman (SDH) and Linear assumptions. It uses a bilinear map $e: G1 × G2 → GT$. When any of the curves are used, the group $G1$ has a short representation and consequently leads to a group signature whose length is under 200 bytes — less than twice the length of an ordinary RSA signature (128 bytes) with comparable security. Their signature turned out to be quite efficient since its signature generation requires no bilinear pairing computations, and verification requires a single pairing; both also require a few exponentiations with short exponents.

Many implementations of the GS take advantage of the Pros and eliminate most of the Cons. We will talk about them in the next pages of the present documentation.

---

1. EUROCRYPT'91: Proceedings of the 10th annual international conference on Theory and application of cryptographic techniquesApril 1991 Pages 257–265↩
2. http://crypto.stanford.edu/~dabo/papers/groupsigs.pdf↩