
Computer Communications 31 (2008) 4199–4205

Contents lists available at ScienceDirect

Computer Communications

journal homepage: www.elsevier.com/locate/comcom

Research on anonymous signatures and group signatures

Fucai Zhou a, Jun Zhang a, Jian Xu b,*

a College of Information Science and Engineering, Northeastern University, Shenyang, Liaoning 110004, China
b Software College, Northeastern University, Shenyang, Liaoning 110004, China

Article info

Article history:
Received 2 April 2008
Received in revised form 25 August 2008
Accepted 4 September 2008
Available online 11 September 2008

Keywords: Group signatures; Conflict of authenticated contents; Anonymous signatures; Anonymous signature service provider; Pivot threshold schemes

0140-3664/$ - see front matter Crown copyright © 2008 Published by Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.09.003

* Corresponding author. Tel./fax: +86 2483686984. E-mail addresses: [email protected] (F. Zhou), [email protected] (J. Xu).

Abstract

In this paper, we analyze the conventional group signature schemes and propose the notion of conflict of authenticated contents, which exposes an unconquerable drawback of the current group signature schemes and threshold signature schemes. We discuss an important problem of group signatures, namely whether a group signature is produced on behalf of the group or on behalf of its members, and argue that group signatures should be produced on behalf of the group. A new kind of signature scheme, called anonymous signatures, is proposed, and we show that the previously proposed group signatures are actually a kind of anonymous signature. In order to realize anonymous signatures, we design two kinds of implementation schemes, whose performance is analyzed and compared. Finally, we introduce the new notion of real group signatures, describe their characteristics, and present one realization based on a pivot threshold scheme which we designed to solve the conflict of authenticated contents problem.

Crown copyright © 2008 Published by Elsevier B.V. All rights reserved.

1. Introduction

Chaum and Heyst proposed the notion of group signatures in 1991 [1], which have the following three properties as they stated:

1. Only members of the group can sign messages;
2. the receiver of the signature can verify whether it is a valid signature of that group, but cannot discover which member of the group made it;
3. in case of dispute later on, the signature can be "opened" (with or without the help of the group members) to reveal the identity of the signer.

In their paper [1], Chaum and Heyst presented four group signature schemes, and after that many requirements and solutions for constructing group signature schemes were proposed [2–6]. The core requirements of group signature schemes were formalized as full-anonymity and full-traceability by Bellare et al. in [7], from which a large set of informal requirements in the literature can be implied. But one important problem remains undiscussed in previous works: are the group signatures produced on behalf of the group or on behalf of its members?

If the group signatures are produced on behalf of the group, then from the point of view of a verifier the group is an entity whose existence has more significance than that of its members. Otherwise the verifier must consider that the group is not an entity, and that the purpose of its existence is to cover the identities of its members when they produce signatures. According to property 2 stated by Chaum and Heyst, the group signatures are produced on behalf of the group, and a series of papers hold the same opinion [2,3,6], but this problem was not mentioned in some other papers [4,5,7,8].

1.1. Conflict of authenticated contents

Suppose that the group signatures are produced on behalf of the group, and consider the following situation. Group member A signs a message which says "The sun looks like a square" and releases it, but group member B does not agree with A's opinion, so he signs another message which says "The sun looks like a triangle" and releases it. As a result, having received two valid group signatures, the verifier does not know what the sun looks like, because the two messages are authenticated by the same group. Puzzled by the situation, the verifier is convinced that the group has been corrupted or its signing key has been compromised. In this paper, this problem is called conflict of authenticated contents.

To avoid the problem mentioned above, the group signatures must be considered to be produced on behalf of some individual group members and not the group. Conflict of authenticated contents emerges not only in group signature schemes but also in the threshold signature schemes proposed by Desmedt and Frankel [9], in which any t out of n group members can cooperatively produce a valid signature but fewer than t can do nothing, when two or more subsets of at least t group members have different opinions about one topic. Perhaps the sole solution of this problem in threshold signature schemes is to increase the value of t (i.e. the threshold value) such that t > n/2, but the policy in some groups may be that it is unnecessary to get permission from so many members to authenticate a message. In Section 4, this problem will be analyzed and solved.

1.2. Discussions about group signatures

Before the discussion of group signatures, we discuss some issues about groups, including the relationship between groups and individuals.

It can easily be deduced that, in the group signature setting, nobody can authenticate messages to outsiders on behalf of an individual group member; but sometimes it is enough for an outsider to get the message authenticated by any member of the group rather than by the group itself. How can we deal with this situation? Consider the case in which everyone in our society has an ID card which proves his identity; meanwhile, if he works for some company, he also has an employee card, with which he can prove to outsiders that he is a member of the company or take part in some activities. We can adopt such mechanisms to build the internal structure of the group. In a group, each member has an internal identity (together with an internal private/public key pair) which is independent of its global identity (if it has one) and which is used in the communications between the group members. The group grants each member a certificate containing its internal identity and the corresponding public key. If a group member wants to authenticate a message to an outsider, it signs the message with its internal secret key and sends the signature together with its certificate to the outsider. On receiving these, the outsider first checks the validity of the certificate using the public key of the group. If the certificate is valid, it verifies the signature using the public key contained in the certificate. If the signature is valid, it is convinced that the message has been authenticated by a member of the designated group (this looks like an "anonymous" signature because the outsider is unable to learn the signer's identity at the global level). Furthermore, if a group member has a global identity, the group can grant it a certificate containing its global identity, by showing which it can prove to outsiders that it is a member of the group. Fig. 1 shows the relationship between groups and individual users.

In Fig. 1, there are three individual users (Alice, David, and Bob) and a group G. Alice has two identities: a global user (A) and a group member (a). Bob has only one identity (b), as a member of G. David (D) knows only of the existence of A and G. A, D and G are in the same position for authenticating messages; a and b are in the same position.
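The internal-identity mechanism described above (group certificate over a member's internal key, member signature plus certificate, two-step check by the outsider), as an added example that is not code from the paper. It uses Ed25519 from the Go standard library; the `Certificate` and `MemberSignature` types, the identity `member-0042` and the message are hypothetical names chosen for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Certificate binds a member's internal identity to its internal public key
// under the group's signature. Field names are hypothetical.
type Certificate struct {
	InternalID string
	MemberPub  ed25519.PublicKey
	GroupSig   []byte
}

// MemberSignature is what a member hands to an outsider: the message, the
// signature under the internal key, and the group-issued certificate.
type MemberSignature struct {
	Msg  []byte
	Sig  []byte
	Cert Certificate
}

// certBody is the exact byte string the group signs; the identity is
// length-prefixed so an (id, key) pair cannot be re-split ambiguously.
func certBody(id string, pub ed25519.PublicKey) []byte {
	b := make([]byte, 4, 4+len(id)+len(pub))
	binary.BigEndian.PutUint32(b, uint32(len(id)))
	b = append(b, id...)
	return append(b, pub...)
}

// IssueCertificate is the group's step: certify one member's internal key.
func IssueCertificate(groupPriv ed25519.PrivateKey, id string, memberPub ed25519.PublicKey) Certificate {
	return Certificate{InternalID: id, MemberPub: memberPub,
		GroupSig: ed25519.Sign(groupPriv, certBody(id, memberPub))}
}

// MemberSign is the member's step: sign with the internal secret key and attach the certificate.
func MemberSign(memberPriv ed25519.PrivateKey, cert Certificate, msg []byte) MemberSignature {
	return MemberSignature{Msg: msg, Sig: ed25519.Sign(memberPriv, msg), Cert: cert}
}

// VerifyAsOutsider is the outsider's step: the certificate is checked under the
// group's public key first, then the message under the certified member key.
// On success the outsider learns only that some certified member signed.
func VerifyAsOutsider(groupPub ed25519.PublicKey, ms MemberSignature) error {
	if !ed25519.Verify(groupPub, certBody(ms.Cert.InternalID, ms.Cert.MemberPub), ms.Cert.GroupSig) {
		return errors.New("certificate was not issued by this group")
	}
	if !ed25519.Verify(ms.Cert.MemberPub, ms.Msg, ms.Sig) {
		return errors.New("message signature does not verify under the certified key")
	}
	return nil
}

// mustKey generates an Ed25519 key pair; a demo may panic if entropy fails.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenario exercises the two checks: a certified member is accepted, a
// certificate whose key has been swapped fails the group-signature check, and a
// certificate issued under some key other than the group's is refused.
func RunScenario() (memberAccepted, swappedKeyRejected, wrongIssuerRejected bool) {
	groupPub, groupPriv := mustKey()
	memberPub, memberPriv := mustKey()
	cert := IssueCertificate(groupPriv, "member-0042", memberPub)
	msg := []byte("constructed sample: quarterly report approved")
	memberAccepted = VerifyAsOutsider(groupPub, MemberSign(memberPriv, cert, msg)) == nil

	strangerPub, strangerPriv := mustKey()
	swapped := cert // copy of the genuine certificate with an uncertified key substituted
	swapped.MemberPub = strangerPub
	swappedKeyRejected = VerifyAsOutsider(groupPub, MemberSign(strangerPriv, swapped, msg)) != nil

	_, otherPriv := mustKey() // a signing key that is not the group's
	selfCert := IssueCertificate(otherPriv, "member-0042", strangerPub)
	wrongIssuerRejected = VerifyAsOutsider(groupPub, MemberSign(strangerPriv, selfCert, msg)) != nil
	return
}

func main() {
	member, swapped, wrongIssuer := RunScenario()
	fmt.Println("member accepted:", member, "swapped key rejected:", swapped, "wrong issuer rejected:", wrongIssuer)
}
```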

Fig. 1. The relationship between groups and individual users.

According to the analysis above, the conclusion can be drawn that in the conventional group signature setting the group cannot produce signatures on behalf of itself, or there might be conflict of authenticated contents. Therefore, the group is not an entity in the authentication setting and has less significance than its members. Its functions are to cover the identities of its members when they authenticate messages and to convince the verifier that the message was authenticated by a valid user. This seems somewhat embarrassing: given a valid signature s for message M, one knows that it was produced by a group because he verifies it using the public key of the group, but he must persuade himself that the signature was actually produced by some individual user and not by the group.

Group signatures are a 'generalization' of credential mechanisms and of membership schemes, in which a group member can convince a verifier that he belongs to a certain group without revealing his identity [1]. This statement also shows the two functions of the group indicated above. From it we can also see that the meaning of the existence of the group is less than that of its members, and that the group is a means rather than a target. But actually, in the group-oriented setting the meaning of the existence of the group should be more than that of its members [10]. Obviously, the group signatures proposed by Chaum and Heyst contradict this requirement, and they are not real "group signatures" anyway, because they are at least not produced by the group. Then what is a real group signature scheme? In Section 4, we will answer these questions.

1.3. Our Contribution

Our contributions can be summarized as follows:

1. We propose the notion of conflict of authenticated contents in current group signature schemes.
2. We give the definition of anonymous signatures, design two schemes, and analyze their performance.
3. We point out that the previously proposed group signature schemes are not real group signatures. Therefore we not only present the notion of real group signatures, but also describe their requirements and two constructing schemes.
4. We provide a pivot threshold scheme to realize a real group signature which solves the problem of conflict of authenticated contents.

1.4. Organization

The rest of the paper is organized as follows. In Section 2, we analyze the conventional signature schemes and reach the conclusion that a valid signature should prove two pieces of information to the verifier: one is legitimacy, and the other is identity. In Section 3, we not only introduce the notion of anonymous signatures, but also describe their requirements. We also design two kinds of anonymous signature schemes, analyze and compare them, and point out under which conditions one scheme has advantages over the other. In Section 4, we propose the definition of real group signatures and present a realization which is based on a pivot threshold scheme. Finally, we conclude the work in Section 5.

2. Preliminaries

The notion of digital signatures first appeared in Diffie and Hellman's historic paper [11], intended as a legal replacement for the handwritten signature in the electronic setting. With the development of cryptography, several different kinds of digital signature schemes have been proposed [12,13].

Given a digital signature s for message M, two things are needed to check its validity:

1. who the signer might be (i.e. the identity of the signer),
2. how its signatures can be verified (i.e. the public key of the signer).

In most cases the identity of the signer is contained in message M or transmitted along with (M, s) for the execution of the verification procedure. Perhaps in rare conditions the identity of the signer is not contained in the message, which guarantees only that the message is from a reliable source; the receiver must, however, know in advance who would send him a message. Anyway, we consider that the identity of the signer can be extracted from message M. Next, how could the verifier get to know the signer's public key, provided that he does not know it in advance? Obviously, transmitting one's public key along with (M, s) is unfeasible, for any adversary can forge a signature on behalf of him by using an arbitrary private/public key pair. Actually, one's public key must be acquired from some authentic party, such as a Certificate Authority (CA), which implies that the public key must be related authentically to its owner. Within this framework, given a key pair (sk, pk), we define a signature for message M produced with sk as a verifiable signature, and as a valid signature if pk can be related authentically to a certain user. It can be deduced that a valid signature must be a verifiable signature, but a verifiable signature is not always a valid signature.

Now leave the problem of identity alone and discuss that of the public key. Namely, given (M, s) which does not contain the identity of the signer, the verifier downloads all public keys of legitimate users from the CA, and then verifies (M, s) with each of them. If there exists a pk_i such that Verify(M, s, pk_i) = TRUE, then the verifier is convinced that there must be a valid user who has signed message M. So we can see that the public key proves the information of legitimacy to the verifier.

Lemma 1. A valid signature proves to the verifier two pieces of information:

1. Legitimacy. A legitimate user has authenticated the message.
2. Identity. The signer extracted from M is exactly that user.

In the conventional signature schemes, as shown in Fig. 2, both of the two pieces of information are transmitted to the verifier.

Having discussed the conventional digital signatures, we now analyze the conventional group signatures and threshold signatures.

Lemma 2. A conventional group signature should satisfy the following three properties:

1. Only members of the group can sign messages;
2. the receiver of the signature can verify whether it is a valid signature of that group, but cannot discover which member of the group made it;
3. in case of dispute later on, the signature can be "opened" (with or without the help of the group members) to reveal the identity of the signer.

Definition 1. Threshold signature [14]: In a (t, n) threshold signature scheme, n shadows of a signing key are shared among n participants in a group, and any t or more participants can sign a message on behalf of the group, where t ≤ n.

3. Anonymous signatures

Fig. 2. Conventional signature schemes.

In the traditional signature schemes, both of the two pieces of information (legitimacy and identity) are transmitted to the verifier. Does a signature scheme exist in which only legitimacy or only identity is transmitted to the verifier? It can be deduced semantically that the second piece of information depends on the first, so signature schemes that do not transmit the first are meaningless. But signature schemes which transmit only the first piece of information can potentially exist; these are anonymous signatures.

Definition 2 (Anonymous signatures). Given a valid signature, one knows only that it was produced by a legitimate user, but is unable to know who that user is. We call such signatures anonymous signatures.

Bellare et al. have formalized the core requirements of "group signatures" as full-anonymity and full-traceability in [9], which can be applied to anonymous signatures after tiny modifications.

3.1. How to design anonymous signature schemes

Now we discuss the following example. Bob wants to send a file to Alice, but he does not want Alice to know his name, while still convincing Alice that the file comes from a friend of hers. Obviously, sending the file directly to Alice will expose his name, while mailing the file to Alice anonymously cannot convince Alice of the source of the file. To solve this problem, the participation of a trusted third party is needed; in this paper we call it the Anonymous Signature Service Provider (ASSP).

Definition 3 (ASSP). To be realistic, the ASSP must be able to trace the real signer. So it has three duties:

1. The ASSP guarantees the receiver that the signature was produced by a legitimate user.
2. The ASSP guarantees the signer that its identity will not be revealed.
3. The ASSP opens the signature to reveal the identity of the signer in a dispute later on.

With the definition of the ASSP, we can describe the requirements of anonymous signatures.

Lemma 3. Anonymous signatures should satisfy two requirements:

1. Full-anonymity. The adversary produces a message and a pair of valid-user identities, and a target signature of the given message is generated using one of the two identities chosen at random. The adversary is required to have only negligible advantage over one-half in determining which of the two identities produced the target signature. Within this framework, the adversary is given the secret keys of all valid users and can see the outcome of opening attempts conducted by the ASSP on arbitrary signatures of its choice (except, of course, the challenge signature).
2. Traceability. A group of colluding legitimate users who pool their secret keys cannot create a valid signature that the ASSP would not catch as belonging to some member of them, and this is true even if the ASSP is one of them.

3.2. Realization schemes of anonymous signature

Depending on the function of the ASSP, the realization schemes of anonymous signatures can be divided into two types: distributed schemes and centralized schemes.

Definition 4. Schemes in which any legitimate user can produce signatures independently are called Distributed Anonymous Signature Schemes.


The ASSP issues a public key and distributes the secret key for producing signatures to the users whom it considers legitimate, in such a way that the identity of the signer can be revealed in a dispute later on, as shown in Fig. 3.

It can be deduced that the schemes proposed by Chaum and Heyst are actually distributed anonymous signature schemes, in which the existence of the group is unnecessary and it can be replaced by the ASSP. All previously proposed "group signature schemes" which satisfy the requirements of full-anonymity and traceability can be used as distributed anonymous signature schemes.

Second, if a user, Bob, wants to produce an anonymous signature for message M, he signs M with his secret key (let s denote the signature), encrypts (M, s) with the public key of the ASSP and sends the encrypted data to it. After decrypting the received data with its secret key, the ASSP checks the validity of the signature. If the signature is valid and it considers Bob a legitimate user, the ASSP signs M with its own secret key (if Bob's identity is contained in M, the ASSP replaces it with its own identity). Let s' denote the new signature. While keeping s secret, the ASSP sends (M, s') to the party Bob designated. To verify an anonymous signature, it is sufficient to know the public key of the ASSP. In case of a dispute later on, the ASSP can find the initial signature s produced by Bob in its database and identify him.

Definition 5. Schemes in which all signatures must go through the ASSP are called Centralized Anonymous Signature Schemes. It can easily be verified that they satisfy the requirements of full-anonymity and traceability (as shown in Fig. 4).

In the figures above, "A" denotes the ASSP, "S" denotes the real signer and "R" denotes the recipient of the signature. "S" is an entity that can produce signatures on behalf of itself in the authentication setting. But "A" is not an entity, which is why it is drawn with a dashed line; the meaning of its existence is to provide services for "S", so it cannot produce signatures on behalf of itself. We can see that the legitimacy of "S" is transmitted to the recipient while its identity is kept secret because of the existence of "A". Once he sees the identity of the ASSP in message M, one knows that the signature for M is an anonymous signature and that the real signer is not the ASSP, though he verifies the signature using its public key, because he knows the properties of the ASSP; this is just like Alice knowing that the real sender of the file is not David though she takes it from the hand of David.
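The centralized scheme just described (Bob signs M, the ASSP verifies s, checks legitimacy, files s, and re-signs M as s'; the recipient needs only the ASSP's public key; the ASSP opens the signature from its database), as an added example that is not code from the paper. Ed25519 from the Go standard library stands in for the conventional signature scheme; the `ASSP` and `Submission` types and the user names are hypothetical, and instead of encrypting (M, s) to the ASSP's public key the example assumes a confidential transport between user and ASSP.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Submission is (M, s) plus the claimed user name. The paper encrypts it to the
// ASSP's public key; this example assumes a confidential transport instead.
type Submission struct {
	User string
	Msg  []byte
	Sig  []byte
}

// ASSP holds its own key pair, the users it regards as legitimate and the filed
// submissions it opens signatures from in a dispute; s never leaves the ASSP.
type ASSP struct {
	priv       ed25519.PrivateKey
	Pub        ed25519.PublicKey
	legitimate map[string]ed25519.PublicKey
	records    map[string][]Submission // keyed by hex(SHA-256(M))
}

// mustKey generates an Ed25519 key pair; a demo may panic if entropy fails.
func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func NewASSP() *ASSP {
	pub, priv := mustKey()
	return &ASSP{priv: priv, Pub: pub, legitimate: map[string]ed25519.PublicKey{},
		records: map[string][]Submission{}}
}

// Admitting or revoking a user is only a table update at the ASSP, the
// add/revoke simplicity the paper credits to centralized schemes.
func (a *ASSP) Register(user string, pub ed25519.PublicKey) { a.legitimate[user] = pub }
func (a *ASSP) Revoke(user string)                         { delete(a.legitimate, user) }

func msgKey(msg []byte) string {
	h := sha256.Sum256(msg)
	return hex.EncodeToString(h[:])
}

// Anonymize is the ASSP's step: verify s under the user's key, refuse users it
// does not consider legitimate, file (M, s) for later opening and return s'
// under its own key. M is assumed not to name the user, so nothing is replaced.
func (a *ASSP) Anonymize(sub Submission) ([]byte, error) {
	pub, ok := a.legitimate[sub.User]
	if !ok {
		return nil, errors.New("submitter is not a legitimate user")
	}
	if !ed25519.Verify(pub, sub.Msg, sub.Sig) {
		return nil, errors.New("original signature does not verify")
	}
	k := msgKey(sub.Msg)
	a.records[k] = append(a.records[k], sub)
	return ed25519.Sign(a.priv, sub.Msg), nil
}

// VerifyAnonymous is the recipient's step: only the ASSP's public key is needed.
func VerifyAnonymous(asspPub ed25519.PublicKey, msg, anonSig []byte) bool {
	return ed25519.Verify(asspPub, msg, anonSig)
}

// Open is the dispute step: the ASSP names the real signer(s) it has on file for M.
func (a *ASSP) Open(msg []byte) []string {
	var users []string
	for _, r := range a.records[msgKey(msg)] {
		users = append(users, r.User)
	}
	return users
}

// RunScenario: a recipient holding only the ASSP key accepts Bob's message, the ASSP
// can still name Bob, an unregistered user is refused despite a well-formed signature
// of its own, and Bob is refused once revoked.
func RunScenario() (opened []string, recipientOK, unknownRejected, revokedRejected bool, err error) {
	assp := NewASSP()
	bobPub, bobPriv := mustKey()
	assp.Register("bob", bobPub)
	msg := []byte("constructed sample: the attached file is genuine")
	anon, err := assp.Anonymize(Submission{User: "bob", Msg: msg, Sig: ed25519.Sign(bobPriv, msg)})
	if err != nil {
		return nil, false, false, false, err
	}
	_, evePriv := mustKey()
	_, eveErr := assp.Anonymize(Submission{User: "eve", Msg: msg, Sig: ed25519.Sign(evePriv, msg)})
	assp.Revoke("bob")
	_, bobErr := assp.Anonymize(Submission{User: "bob", Msg: msg, Sig: ed25519.Sign(bobPriv, msg)})
	return assp.Open(msg), VerifyAnonymous(assp.Pub, msg, anon), eveErr != nil, bobErr != nil, nil
}
```

Because s' is produced under the ASSP's key, the recipient cannot tell Bob from any other registered user, which is exactly the full-anonymity the scheme is meant to give; tracing rests entirely on the ASSP's filed copy of s.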

In real life, almost all service providers do their business in two ways, wholesale and retail.

Fig. 3. Distributed anonymous signature schemes.

Fig. 4. Centralized anonymous signature schemes.

There are many ASSPs which provide anonymous signature services to the users whom they consider legitimate, and the ways for an ASSP to provide anonymous signature services are just like this: the distributed scheme is a kind of wholesale and the centralized scheme is a kind of retail. In both distributed and centralized anonymous signature schemes, the legitimate users have to take the risk that their identities are compromised by the ASSP, and the recipients of anonymous signatures have to take the risk that the ASSP grants the right to produce anonymous signatures to illegitimate users. In the scheme proposed by Chaum and Heyst, meanwhile, "the group members" and the recipients of the signatures have to take the same risks as above. Actually, all cryptosystems depend in the end on trust; thereby we consider that the ASSP deserves the full trust of the legitimate users and the recipients of anonymous signatures.

3.3. Analysis and comparison

In this section, we analyze the two kinds of anonymous signature schemes mentioned above.

1. Security. The centralized scheme can be implemented easily based on any existing individual signature scheme. But it is hard to implement distributed schemes satisfying both of the two requirements, and some of them rely on indefinitely strong problems (e.g. CDHP, DDHP). Furthermore, adding or revoking users is another hard problem in the distributed schemes, but this problem does not exist in the centralized schemes: if the ASSP accepts the signature of a certain user, then it is legitimate; otherwise it is illegitimate.

2. Communication cost. Obviously, the distributed schemes have the advantage over the centralized schemes. To produce an anonymous signature in centralized schemes, one must send the signed message to the ASSP, which then sends it to the recipient, while in distributed schemes the anonymous signature can be sent directly to the recipient. If the communication quality between the users and the ASSP is poor or the ASSP has limited computation power, the centralized schemes perform badly.

3. Computation cost. Two conventional signing operations and one conventional verifying operation plus one public key encryption/decryption operation are needed in the signing process of the centralized scheme, which seems time-consuming. But remember that in distributed schemes much more computation has to be spent to achieve full-anonymity and full-traceability. As far as we know, the signing process of centralized schemes is at least not more time-consuming than that of distributed schemes. Furthermore, the verification process of the former is just a conventional verification process, whereas even in the most efficient distributed schemes to date a large set of complicated computations has to be executed to verify a signature (e.g. in the scheme proposed in [8], six multi-exponentiations and one pairing computation are needed).

4. Length of signature and public key. The centralized scheme has an overwhelming advantage because the anonymous signature is just a conventional signature and it is sufficient for the verifier to know the public key of the ASSP.

According to these comparisons we can draw the following conclusions:

• If anonymous signatures are not produced frequently and the communication between the user and the ASSP is kept fluent, then the centralized schemes are more suitable;
• if the message to be signed is sensitive with respect to the ASSP, then the distributed schemes are more suitable.

4. Real group signatures

Groups play a crucial role in the real world. When a number of people have the same needs or goals to achieve, they can form a group. In most cases, the functional aspect of a group is independent of its members. And if one wants to communicate with the group, it is unnecessary to know the names of the group members; knowing the identity of the group is enough. Such a group was called "a group with anonymous membership" in [13], and we call it a real group. Actually, when the group members are better known than the group, the group should rather be called a union. So when talking about groups in the security communications literature, we consider that the meaning of their existence has more significance than that of their members.

4.1. Requirements of real group signatures

A group signature is a signature produced by the designatedgroup and represents its will, just like an individual signature rep-resents the will of the signer. Obviously, the signature schemesproposed by Chaum and Heyst cannot be used as a real group sig-nature because it represents only the will of some group memberbut not the group. So the real group signature schemes should sat-isfy two requirements:

1. Non-Disclosure. This requirement implies the relationshipsbetween the group and the outsiders. That is, from point of viewof an outsider, given a group signature and the correspondingpublic key together with a set of verification algorithms, neithercan it get any information of the internal structure of the groupnor can it know how the signature was produced. This require-ment guarantees that the group is an entity in semantics.What’s more, this property exists in conventional group signa-ture [1].

2. Conflict-resistance. This requirement implies the relationshipamong the group members when they produce a group signa-ture. Take it into account that group signatures care about agroup of participants who work together more than merelythe computers, so we have to face to the problem of conflictof authenticated contents. This requirement means that, oncea message says ‘‘The sun looks like a square” is signed, the prob-ability of another message saying ‘‘The sun looks like a line” orsomething else which contradicts it in contents signed at thesame time is as little as possible. But banishing the probabilitycompletely is impossible because even in individual signaturesetting one might sign two messages which contradict eachother in contents for the reasons of personal mistake or some-thing else; what we can do is to make the probability as littleas possible.

The two requirements guarantee that the group is an entity which acts similarly to an individual user. Remark that one may receive signatures from both groups and individual users at any time in the authentication setting. To verify all of these signatures correctly, he must be able to distinguish them, that is, to distinguish which one originates from a group and which one originates from an individual user. Only then can he perform the verification procedure with the corresponding algorithm. We can see that the existence of groups makes verifying a signature extremely inconvenient. To solve this problem, the group signatures and the individual signatures must share the same format and verification algorithm. From this requirement it can be deduced that real group signature schemes are extensions of individual signature schemes.

As a result, the two requirements of real group signatures satisfy the completeness of logic. But traceability is also a concern in real group signatures. In our realization scheme of real group signatures, we propose the pivot member, who is the ‘manager’ of the group. No group signature can be produced without the participation of the pivot member, therefore it is easy to realize traceability. More details about the pivot member are given in Section 4.3.

So the requirements of real group signatures can be summarized as follows:

How should the group members share the secret key for producing individual signatures in such a way that the probability of occurrence of conflict of authenticated contents is as small as possible?

Finally, we can give the definition of real group signature.

Definition 6. A group signature is a signature produced by the designated group and represents its will. And it should satisfy the non-disclosure and conflict-resistance properties. We call such a group signature a Real group signature.

4.2. How to produce real group signatures

The schemes to achieve the target of real group signatures depend to a large extent on trust. For example, if all group members have full trust in one member, then all group signatures can be produced by it. As another example, if there are no differing opinions about one topic among the group members, then anyone can produce a group signature, which implies that the schemes proposed by Chaum and Heyst can be used as real group signature schemes. But in practice there may be dishonest group members or different opinions about one topic in the process of producing group signatures, so we consider the general case.

There are two solutions to implement group signatures according to the ways the rights are shared by the group members:

1. All group members own equal rights and take equal responsibility.

2. Some group members own more rights and take more responsibility.

The first solution corresponds to the threshold schemes. Based on the analysis in Section 1.1 we can see that, when used in the group signature setting, the threshold schemes cannot solve the problem of conflict of authenticated contents if the threshold value is less than half of the number of group members.

Do they function well when the threshold value is more than that? Suppose that a group consists of 9 members and the threshold value is 5. 5 of them cooperate to sign a message, but the remaining 4 group members insist that the message should not be signed, so they bribe 1 of the 5 signers to work with them, and then the new 5 members cooperate to sign a new message which contradicts the initially signed message; thus conflict of authenticated contents occurs. Though this case happens rarely, it shows at least that the threshold schemes are unstable. Besides, they are vulnerable to collusion attacks in which any t group members can collude to sign a message on behalf of other t group members, and avoiding this requires heavy computation and communication costs. It can be concluded that it is hard to solve the problem of conflict of authenticated contents in the first solution. So in a stable group, there must be some members who have more rights to produce group signatures while having more responsibility for the potential disputes later on. Furthermore, such a group member had better be unique, or the difference of opinions among several of them may cause conflict of authenticated contents as occurs in the threshold schemes.

4.3. A pivot threshold scheme

Based on the above discussion, we propose a pivot threshold scheme which can realize a real group signature. It has the following properties:


1. There is one and only one pivot member in a group consisting of n members.

2. To produce a group signature at least t (t ≤ n) members are needed.

3. No group signature can be produced without the participation of the pivot member.

We call such a pivot member the ‘manager’, who is different from the managers in some signature schemes whose duties are managing the membership or opening signatures or something else which is independent of the right to produce signatures, and we call a non-manager member a ‘‘group member” for simplicity.

Suppose that a subset with at least t − 1 group members but without the manager wants to produce a group signature which says ‘The sun looks like a square’, but another similar subset insists that the message which says ‘The sun looks like a triangle’ should be signed. Because no group signature can be produced without the participation of the manager, the two subsets have to request the manager to cooperate with them. It is impossible for the manager to adopt both of the two messages which contradict each other in content, because he must take responsibility for every group signature. So on receiving the two messages, the manager can choose the one with which he agrees (or choose none) and then sign it cooperatively with the corresponding subset. It proceeds similarly in the case that more than two subsets of the group members want to sign different messages about one topic.

In our pivot threshold scheme, the pivot member is certain to be a trusted entity. He is the only one in the group who owns a veto, and he can veto only when he finds obvious errors. However, he is unable to decide by himself to create a group signature. Only when t or more members agree can the group signature be created. Therefore, the problem of conflict of authenticated contents is solved in the pivot threshold scheme. Furthermore, the scheme has functions similar to those of the threshold schemes while discarding their drawback of being vulnerable to collusion attacks: it helps nothing to produce a group signature that any subset of the group members acts in collusion without the manager. In a word, by presetting a proper threshold value, the group signatures produced in the pivot threshold scheme can represent the will of the group.

The pivot threshold scheme is given as follows. First it is assumed that all communications among the members are secure.

Let M denote the message of any length which will be signed, and let $h: \mathbb{Z}_p \times \mathbb{Z} \to \mathbb{Z}_q$ be a cryptographic hash function.

Our scheme is based on the Schnorr signature scheme [15], which has been shown to achieve the highest level of security in [16] and has been proven to be secure in the multi-user setting in the random oracle model in [17].

Our scheme shares the same domain parameters as the Schnorr signature scheme. It is supposed that the group consists of n members and a manager. To produce a group signature, at least t (t ≤ n) group members are needed, so the (t, n) threshold scheme proposed by Shamir [18] and based on Lagrange interpolation over a finite field is adopted. To implement it, a polynomial of degree t − 1 is generated at random over $\mathbb{Z}_q$ in such a way that f(0) = b (the secret). Each group member i is given a value $x_i \in \mathbb{Z}_q$ and the corresponding secret share $f(x_i)$. Now any t out of n shareholders can reconstruct the secret b by pooling their shares together and computing (1).

$$f(0) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{-x_j}{x_i - x_j} \pmod q \qquad (1)$$

For simplicity, we assign the group members consecutive integer identities 1, 2, . . . , n, and describe our pivot threshold scheme in the following steps.

4.3.1. Setup

The system chooses two large primes p and q (q | p − 1) and a generator g of order q over GF(p). The triple (q, p, g) is then the domain parameters. A user i in the system chooses $x_i \in \mathbb{Z}_q^*$ as its secret key.

The Share Distribution Center (SDC) generates a polynomial of degree t − 1 at random, of which b is the secret.

$$f(x) = b + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1} \pmod q \qquad (2)$$

Then SDC chooses $x_1, x_2, \ldots, x_n$ at random in such a way that no two of them are equal; after that SDC computes $f(x_1), f(x_2), \ldots, f(x_n)$ and distributes $(x_1, f(x_1)), (x_2, f(x_2)), \ldots, (x_n, f(x_n))$ secretly to each group member in the order of their IDs. Next, SDC computes $y_1, y_2, \ldots, y_n$ and sends the triples $(x_1, y_1, ID_1), (x_2, y_2, ID_2), \ldots, (x_n, y_n, ID_n)$ to the manager.

The manager chooses a at random as its secret key and sends $g^a \pmod p$ to SDC; SDC computes y as the public key of the group.

$$y_1 = g^{f(x_1)} \pmod p,\quad y_2 = g^{f(x_2)} \pmod p,\quad \ldots,\quad y_n = g^{f(x_n)} \pmod p \qquad (3)$$

$$y = g^{ab} \pmod p \qquad (4)$$

4.3.2. Sign

Step 1. If group member i agrees to sign for M, it chooses $k_i \in \mathbb{Z}_q^*$ at random and computes $r_i$, then sends $r_i$ together with its own $x_i$ to the manager.

$$r_i = g^{k_i} \pmod p \qquad (5)$$

Step 2. If the number of $r_i$ it has received is not less than t, the manager chooses t of them. Without loss of generality, we assume the chosen pieces are $r_1, r_2, \ldots, r_t$. The manager chooses $k \in \mathbb{Z}_q^*$ at random, computes $r_m$, and then broadcasts $(r_m, a_m, x_1, x_2, \ldots, x_t)$ to the group members.

$$r_m = \Bigl(\prod_{i=1}^{t} r_i\Bigr)^{k} \pmod p, \qquad a_m = k^{-1} a \pmod q \qquad (6)$$

Step 3. If group member i finds that its own $x_i$ lies in the list the manager has broadcast, it computes r and its partial signature $s_i$ for message M and sends $s_i$ to the manager.

$$r = h(r_m, M), \qquad s_i = k_i - r\, a_m\, f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{-x_j}{x_i - x_j} \pmod q \qquad (7)$$

Step 4. After all $s_i$ are available, the manager computes (r, s) as the group signature for message M, which will be released by the manager.

$$r = h(r_m, M), \qquad s = k \sum_{i=1}^{t} s_i \pmod q \qquad (8)$$

For assurance, the manager executes the verification procedure. If it fails, the manager checks every partial signature it received according to Eq. (9). If it does not hold for some i, the manager confirms that group member i has made a wrong partial signature.

$$g^{s_i}\, y_i^{\,r\, a_m \prod_{j=1,\, j \neq i}^{t} \frac{-x_j}{x_i - x_j} \pmod q} \pmod p = r_i \qquad (9)$$

4.3.3. Verify

One checks whether Eq. (10) holds. If and only if it does, one accepts the signature.

$$h\bigl(g^{s} y^{r} \pmod p,\; M\bigr) = r \qquad (10)$$


4.3.4. Proof

$$g^{s} y^{r} \pmod p = g^{\,k\left(\sum_{i=1}^{t} k_i - r k^{-1} a b\right) \pmod q}\; g^{\,r a b \pmod q} \pmod p = g^{\,k \sum_{i=1}^{t} k_i \pmod q} \pmod p = r_m,$$

so $h(g^{s} y^{r} \pmod p, M) = h(r_m, M) = r$.

The format of the public key and signature and the verification algorithm in our scheme are very similar to those of the Schnorr signature scheme, which satisfies the target of real group signature schemes indicated above. During the signing process, at least t members are needed because fewer cannot recover the secret b, and no group signature can be produced without the manager’s secret key a, but the manager cannot forge the partial signatures. Moreover, the manager’s key and the members’ secret shares remain secret from each other. All these properties satisfy the requirements of pivot threshold schemes. Additionally, to produce a signature no interaction among members is needed in our scheme. If the manager keeps the relationship between $x_i$ and the identity of the corresponding group member secret, then the group members cannot learn who has taken part in the process of producing group signatures.

5. Conclusions

In this paper, we analyze the conventional group signature schemes, and discuss an important problem of group signatures, that is, whether the group signatures are produced on behalf of the group or on behalf of its group members. From the analysis we conclude that the group signatures should be produced on behalf of the group. We point out a problem of the current group signature schemes, and name it conflict of authenticated contents. We introduce the definition of anonymous signatures, and design and analyze two kinds of implementation schemes. From our point of view on group signatures, we consider that the current group signatures are not real group signatures. So we present the requirements of real group signatures, and give a new scheme to realize a real group signature, which is based on the pivot threshold scheme. Our new schemes not only solve the conflict of authenticated contents problem but also have high security.

References

[1] D. Chaum, E. van Heyst, Group signatures, in: Proceedings of Advances in Cryptology – Eurocrypt’91, Lecture Notes in Computer Science, vol. 547, Springer-Verlag, 1991, pp. 257–265.

[2] J. Camenisch, M. Stadler, Efficient group signature schemes for large groups, in: Proceedings of Advances in Cryptology – Crypto’97, Lecture Notes in Computer Science, vol. 1294, Springer-Verlag, 1997, pp. 410–424.

[3] G. Ateniese, G. Tsudik, Some open issues and new directions in group signatures, in: Proceedings of Financial Cryptography – FC’99, Lecture Notes in Computer Science, vol. 1648, Springer-Verlag, 1999, pp. 196–211.

[4] J. Camenisch, A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, in: Proceedings of Advances in Cryptology – Crypto’02, Lecture Notes in Computer Science, vol. 2442, Springer-Verlag, 2002, pp. 61–76.

[5] D. Boneh, X. Boyen, H. Shacham, Short group signatures, in: Proceedings of Advances in Cryptology – Crypto’04, Lecture Notes in Computer Science, vol. 3152, Springer-Verlag, 2004, pp. 41–55.

[6] G. Ateniese, J. Camenisch, M. Joye, G. Tsudik, A practical and provably secure coalition-resistant group signature scheme, in: Proceedings of Advances in Cryptology – Crypto’00, Lecture Notes in Computer Science, vol. 1880, Springer-Verlag, 2000, pp. 255–270.

[7] M. Bellare, D. Micciancio, B. Warinschi, Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions, in: Proceedings of Advances in Cryptology – Eurocrypt’03, Lecture Notes in Computer Science, vol. 2656, Springer-Verlag, 2003, pp. 614–629.

[8] Lin Chen, Xiaoqin Huang, Jinyuan You, Group signature schemes with forward secure properties, Applied Mathematics and Computation 170 (2005) 841–849.

[9] Y. Desmedt, Y. Frankel, Shared generation of authenticators and signatures, in: Proceedings of Advances in Cryptology – Crypto’91, Lecture Notes in Computer Science, vol. 576, Springer-Verlag, 1992, pp. 457–469.

[10] Y. Desmedt, Society and group oriented cryptography: a new concept, in: Proceedings of Advances in Cryptology – Crypto’87, Lecture Notes in Computer Science, vol. 293, Springer-Verlag, 1988, pp. 120–127.

[11] W. Diffie, M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (6) (1976) 644–654.

[12] Ching-Te Wang, Chu-Hsing Lin, Chin-Chen Chang, Threshold signature schemes with traceable signer in group communications, Computer Communications 21 (1998) 771–776.

[13] N.-Y. Lee, T. Hwang, Group-oriented undeniable signature schemes with a trusted center, Computer Communications 22 (1999) 730–734.

[14] Jen-Ho Yang, Chin-Chen Chang, Chih-Hung Wang, A practical solution to the (t, n) threshold untraceable signature with (k, l) verification scheme, in: Proceedings of Ubiquitous Intelligence and Computing 2006, Lecture Notes in Computer Science, vol. 4159, Springer-Verlag, 2006, pp. 998–1007.

[15] C. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (3) (1991) 161–174.

[16] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (3) (2000) 361–396.

[17] A. Menezes, N. Smart, Security of signature schemes in a multi-user setting, Designs, Codes and Cryptography 33 (3) (2004) 261–274.

[18] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613.