Group signature system and method providing controllable linkability

摘要

A group signature system includes: a key issuer server for generating a first parameter of a group public key, generating a corresponding master issuing key, and issuing a signature key to a user when a user device joins; an opener server for generating a second parameter of the group public key, and a corresponding master opening key and master linking key; and a linker server for checking whether two valid signatures have been linked by using the master linking key when the two signatures corresponding to a group public key are given. The group signature system further includes: a signature verifying unit for confirming a validity of the given signatures and a signer information confirming unit for confirming a validity of singer confirming information generated by the opener server.

主权项

1. A group signature system comprising:
a key issuer server; an opener server; a linker server; a signature verifying unit; and a user device, wherein the key issuer server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: generating a first parameter of a group public key, generating a corresponding master issuing key, generating a group public key using the first parameter of a group public key and a second parameter of a group public key received from the opener server, verifying a validity of a subscription request message received from the user device requesting a membership in the group signature system, and storing a secret signature key corresponding to the user device membership in the group signature system, wherein the opener server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: generating the second parameter of a group public key, transmitting the second parameter of a group public key to the key issuer server, defining a master opening key, and defining a master linking key, wherein the master linking key is a secret key, wherein the user device includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving a message, receiving the group public key, receiving a secret signature key corresponding to the group public key, generating for the message a group signature corresponding to the group public key, selecting a random number Ziεzp*, calculating upk[1]=Zi=g3Zi, generating TU (CU=Ext-Commit(Zi), NIZKEqDL (CU,Zi,g3)), wherein Ext-Commit is an extractable commitment scheme providing perfect binding and computational hiding, and NIZKEqDL( ) is a non-interactive zero-knowledge proof scheme, and transmitting the subscription request message (Join, Idi, (upk[i]=Zi, TU)), wherein the subscription request message includes upk[i]=Zi, TU as a proof of possession of a personal key, wherein the signature verifying unit is configured to includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving the message and the group signature corresponding to the group public key, and checking whether the group signature received from the user device is valid, and wherein the linker server includes a processor; and a non-transitory computer readable medium with computer executable instructions stored thereon which, when executed by the processor, perform a method comprising: receiving the master linking key from the opener server, receiving from the user device at least two pairs of a message and a group signature as input values, and determining whether said pairs are linked using the master linking key when each of the group signatures correspond to the group public key.