Group Signatures with Message-Dependent Opening in the Standard Model

摘要

Group signatures allow members of a group to anonymously sign messages in the name of this group. They typically involve an opening authority that can identify the origin of any signature if the need arises. In some applications, such a tracing capability can be excessively strong and it seems desirable to restrict the power of the authority. Sakai et al. recently suggested the notion of group signatures with message-dependent opening (GS-MDO), where the opening operation is made contingent on the knowledge of a trapdoor information - generated by a second authority - associated with the message. Sakai et al. showed that their primitive implies identity-based encryption (IBE). In the standard model, efficiently constructing such a system thus requires a structure-preserving IBE scheme, where the plaintext space is the source group G (rather than the target group G_T) of a bilinear map e:G×G→ G_T. Sakai et al. used a structure-preserving IBE which only provides bounded collusion-resistance. As a result, their GS-MDO construction only provides a weak form of anonymity where the maximal number of trapdoor queries is determined by the length of the group public key. In this paper, we construct the first fully collusion-resistant IBE scheme that encrypts messages in G. Using this construction, we obtain a GS-MDO system with logarithmic signature size (in the number N of group members) and prove its security in the standard model under simple assumptions.