# Group signatures *Note*: I'm not cryptographer. ## Overview Group signature(gs) introduced by Chaum and Van Heyst. In group signature(sg), we have 2 actors: a group members and a group manager. One group have a group public key(gpk) respective with for this group and each member have secret key(gsk). Member in group can sign the message by their gsk. The signature proving signer belong in a group without revaling any information about signer(**anonymity**). The group manager hold group secret key(gmsk), with gmsk manager can trace who sign the message(**traceability**). ## Advantages and disadvantages Advantages: - Signature sign is small, fast sign algorithm(in some protocol). - Support traceability by default. - Another direction research for semaphore protocol. Disadvantages: - Mamager have a lot of power. This will be bad if somebody steal gsk. - Hard to setup the protocol. How we ensure only one manager key was created? - Static group vs dynamics group. A few protocol is support dynamics group. I not check it yet so I not sure this is enought good. ## I. BBS Signature (Short Group Signatures) [BBS Signature Paper](https://crypto.stanford.edu/~dabo/pubs/papers/groupsigs.pdf). ### 1. Abstraction - Support static group only. - Signature is short(signature size is small). - Verify cost is 6 multi-exponentiations and one pairing computation. - Hard to do transparent setup. - A Zero-Knowledge Protocol for Strong Diffie-Hellman Assumtion. ### 2. Intuition ### 3. Protocol We have 2 group $G_1, G_2$. Group signature schema include 4 algorithms below: - $KeyGen(n)$: Genarate gpk, gsk and $n$ gmsk key. - $Sign(gpk, gsk[i], M )$: Sign message $M$ via group public key $gpk$ and member secret key $gmsk[i]$. - $Verify(gpk, M, \sigma)$: Verify signature $\sigma$ - $Open(gpk, gmsk, M, \sigma)$: Trace who create signature $\sigma$ on message $M$.