Hi... I need help.
I am a student studying crypto protocols (newbies). I have a problem
pertaining group signatures, which has many use in electronic commerce too.
My problem
~~~~~~~~~~~
Actually, right now, I want to create a group signature, which upon group
signature verification by the group manager, the 'private signing key' of
the signer will remain hidden. Of course, the group manager will still know
who sign the signature by recovering proofs/traces of signer's public 'key'
or public 'identity' in the signature.
If this can be accomplished, it means that the signer can use the same
'private signing key' for an unlimited number of times, even if his identity
is revealed upon signature opening by the group manager (but only his public
'identity' / 'key').
Related paper:
~~~~~~~~~~~~~~~
I've studied a paper titled "Efficient Group Signature Scheme for Large
Group" (Crypto 97) by Jan L. Camenisch and Markus Stadler. Their solution is
nice and really efficient.
However, I think, in the paper, the group manager can impersonate the
member, after the group manager opens a group signature. The reason is
because the signer's 'private signing key is compromised' by the group
manager. Is this true?
I do not want this property.
If anyone can give me some directions what should I have to do (to let the
group manager know only the public 'identity' of the signer upon signature
opening), I really appreciate it. Or, if somebody you know has already
published the solution to this problem (at least as efficient as your basic
group signature protocol), please let me know.
Thank you very much.
Sincerely
-mukti
