Recently, various information is digitalized and exchanged in the developed network. Thus, Information security technologies that guarantee a communication partner and legitimacy of data has been.
The digital signature is one of information security technologies, which confirms the validity of electronic data is sent the valid sender. A signer makes the private key and the corresponding public key, and uses the private key in signing messages. Verifiers can verify signatures using the public key. In addition, digital signatures can be used to identification for the user's identity information. However, sometimes privacy protection is required even in identification. For example, let us consider entrance identification of resident an apartment. Verifiers let only admitted people enter, but signer wants to keep privacy such us going out time and return time. Furthermore, we have to trace signers when problems happen. The group signature is introduced to solve these problems. Group signatures allow a group member to anonymously sign a message on behalf of a group, where a group manager controls the membership of members. Furthermore, only group manager can trace signers when problems happen. In addition, only group manager can register and revoke group members. Group signatures are desired where to privacy protection is required in signing or identification such as the above-mentioned apartment, etc.

Group signatures satisfy the following features:

  • Correctness: A group signature generated by an honest group member is accepted.
  • Unforgeability: Only group members can generate group signatures.
  • Anonymity: everyone cannot identify signers except group managers.
  • Unlinkability: It is hard that decide whether the same group member signed two different valid signatures.
  • Traceability: Group managers can identify signers of group signatures in the case of dispute.

Group signature schemes based on an RSA signature are proposed. However, group signature schemes based on an RSA signature have complexity proof of knowledge, so signature length become longer. Recently, group signature schemes from bilinear map are proposed. This group signature schemes have easily proof of knowledge, so signature length become shorter.

For group signature, when group managers revoke group members from group, there are key update types and certification revocation list publishing types to revoke mainly. For key update types, we update public parameters of a group and member's private key corresponding to it. We have to update keys of members whenever group managers revoke group member in this method. For certification revocation list publishing types, group managers make a revocation member list as public parameter, and verifier verify whether singers' information is not shown revocation member list. Group manager update revocation member list when group managers revoke group member, and verifiers need to verify whether signers are not revoked. Key update types are load for group managers and signers. Certification revocation list publishing types are load for verifiers. These types have relation of the trade-off.

There is one of key update types that group managers publish the public parameter called accumulator. When group manager add or revoke group members, group managers update the accumulator and publish the updated public parameter and certification revocation list. After, group members update own private certification using public parameter and certification revocation list. On the other hand, there is one of certification revocation list publishing types, verifier-local revocation group signature schemes. Only authorized verifier and signer have member revocation list. Group manager do not have to notify group members to revoke members, and group managers update only revocation list when group managers revoke group members. However, because revocation lists identify revocation members, anonymity of revocation members don't keep when group managers revoke group members. Because certifications contain revoked members' secret key, It is desirable to keep anonymity without publishing revoked members' certifications where we reuse secret keys.

In this thesis, we propose an efficient group signature scheme with key update revocation. We use bilinear map and don't published revocation member list. Proposed scheme has load group managers, but don't has load signers and verifiers. Furthermore, proposed scheme is not published certification revocation list and revoked members' anonymity keep. So, if is effective when group members are revoked for certain period of time without updating private keys.