Mukti writes:

> I've studied a paper titled "Efficient Group Signature Scheme for Large
> Group" (Crypto 97) by Jan L. Camenisch and Markus Stadler. Their solution is
> nice and really efficient.
> However, I think, in the paper, the group manager can impersonate the
> member, after the group manager opens a group signature. The reason is
> because the signer's 'private signing key is compromised' by the group
> manager. Is this true? 

No, this is not true.  Neither of the schemes in that paper has this
property.

For the first scheme, the secret key of a group member is x.  She computes
y = a^x and then z = g^y.  Her identity is associated with y and z.
If the revocation manager opens a signature, he learns y (actually he
does an exhaustive search over all y values for all group members to see
which one satisfies a relationship with the signature).  However learning
y does not reveal x.  One must know x to issue a signature, specifically
you must prove that g^y = g^a^x for some x.

For the second scheme in the paper, the secret key is x, and the group
member computes y = x^e1 and z = g^y where e1 and g are system parameters.
Her identity is associated with z (but not y).  Signature opening is
allowed by provably ElGamal encrypting the z value under the revocation
manager's public key.  So the revocation manager learns only z, but not
y or x.  Without those values he cannot sign.

You might also want to take a look at the group signature scheme by
Camenisch and Michels which appeared at Asiacrypt 98.  It has better
proven security and is more efficient in most operations.  Like the
other methods, the revocation manager does not learn the private key of
group members.  See http://www.brics.dk/RS/98/27/index.html.
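
The proof mentioned above for the first scheme (knowing x such that z = g^(a^x)), as an added sketch that is not part of the original post or the paper's own code: a cut-and-choose proof of a double discrete logarithm, made non-interactive with a hash. The parameters, function names and use of SHA-256 are assumptions, and the group is toy-sized, so this shows only the structure: y alone checks against z, while producing a valid proof uses x.

```python
import hashlib, secrets

# Constructed toy parameters (far too small to be secure): n = 11*23,
# p = 4n+1 is prime, g generates the order-n subgroup of Z_p^*, a is in Z_n^*.
N, P, A, ROUNDS, XBITS = 253, 1013, 2, 32, 6
G = next(h for h in (pow(b, (P - 1) // N, P) for b in range(2, P))
         if pow(h, 11, P) != 1 and pow(h, 23, P) != 1)

def gexp(base, e):
    """base^(a^e) in G; the inner power is taken mod n, the order of G."""
    return pow(base, pow(A, e, N), P)

def challenge(msg, z, commits):
    """Fiat-Shamir challenge bits (SHA-256 is an assumption of this sketch)."""
    data = repr((msg, z, G, A, commits)).encode()
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(h >> i) & 1 for i in range(ROUNDS)]

def keygen():
    x = secrets.randbelow(2 ** XBITS)   # member's secret key
    y = pow(A, x, N)                    # value the opening reveals
    return x, y, pow(G, y, P)           # z = g^y

def prove(msg, x, z):
    # r_i >= 2^XBITS > x keeps every response r_i - x non-negative
    rs = [2 ** XBITS + secrets.randbelow(2 ** (XBITS + 8))
          for _ in range(ROUNDS)]
    bits = challenge(msg, z, [gexp(G, r) for r in rs])
    return bits, [r - x if b else r for r, b in zip(rs, bits)]

def verify(msg, z, proof):
    bits, ss = proof
    # bit 0: g^(a^s) with s = r; bit 1: z^(a^s) = g^(a^x * a^(r-x)) = g^(a^r)
    commits = [gexp(z if b else G, s) for s, b in zip(ss, bits)]
    return all(s >= 0 for s in ss) and challenge(msg, z, commits) == bits

def opens_to(y, z):
    """Manager's check: y alone is enough to recognise the member's z."""
    return pow(G, y, P) == z
```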
