## Cryptology ePrint Archive: Report 2014/607

Daniel Slamanig and Raphael Spreitzer and Thomas Unterluggauer

Abstract: Group signatures, which allow users of a group to anonymously produce signatures on behalf of the group, are an important cryptographic primitive for privacy-enhancing applications. Over the years, various approaches to enhanced anonymity management mechanisms, which extend the standard feature of opening of group signatures, have been proposed.

In this paper we show how pairing-based group signature schemes (PB-GSSs) following the sign-and-encrypt-and-prove (SEP) paradigm that are secure in the BSZ model can be generically transformed in order to support one particular enhanced anonymity management mechanism, i.e., we propose a transformation that turns every such PB-GSS into a PB-GSS with controllable linkability. Basically, this transformation replaces the public key encryption scheme used for identity escrow within a group signature scheme with a modified all-or-nothing public key encryption with equality tests scheme (denoted AoN-PKEET$^*$) instantiated from the respective public key encryption scheme. Thereby, the respective trapdoor is given to the linking authority as a linking key. The appealing benefit of this approach in contrast to other anonymity management mechanisms (such as those provided by traceable signatures) is that controllable linkability can be added to PB-GSSs based on the SEP paradigm for free, i.e., it neither influences the signature size nor the computational costs for signers and verifiers in comparison to the scheme without this feature.

Category / Keywords: cryptographic protocols / Controllable linkability, generic transformation, pairing-based group signature schemes

Original Publication (with major differences): ISC 2014

Date: received 7 Aug 2014, last revised 17 Nov 2016

Contact author: raphael spreitzer at iaik tugraz at

Available format(s): PDF | BibTeX Citation

Note: An extended abstract of this paper appears in the proceedings of ISC 2014, this is the full version.

Short URL: ia.cr/2014/607

[ Cryptology ePrint archive ]