Our solution consists in using a smart card and a group-shared
private key. First of all, we must choose an ordinary signature
scheme (keys and ) and a semantically secure
cryptosystem (keys and ), which is a
cryptosystem where the ciphertext does not leak any partial
information whatsoever about the plaintext that can be computed in
expected polynomial time (and consequently, it is a probabilistic
cryptosystem). Then, the group manager computes keys in such a way
that he can keep the private ones secret () or distribute
them () to members without knowing them (for example,
several group managers can share a discrete logarithm as the
private key). He publishes public keys ( and
).
If Alice wants to become a new group member, she must first
hold a smart card. Then, she has to obtain from the group manager
an identifier (which is unique and identifies her) and
the shared private key (which is common to all group
members). Alice's smart card also has access to all parameters so
as to use the cryptosystem (among which ) and the
signature scheme defined above. The group manager has to keep
track of the link between the identifier (i.e. ) and the identity
of the group member (i.e. Alice).
When Alice wants to sign a message as a group member (see
Figure 1), she has to use her smart card. First, the
identifier is encrypted (algorithm ) with the group
manager's public key (so that the group manager is the
only one who can decrypt). Then the message is concatenated
with this encrypted value and the whole is signed with the
help of (algorithm and) the shared private key . As a
consequence, only group members can sign a message and everybody
is able to verify the signature with the associated public key
.
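The signing flow described above, as an added example that is not from the original text: it assumes ElGamal as the semantically secure cryptosystem and Schnorr as the ordinary signature scheme (the text fixes neither), and all function names and parameters are hypothetical. The group parameters are toy values chosen so the code runs with the standard library only.

```python
import hashlib, secrets

# Toy parameters (assumption): Mersenne prime 2^127-1 and base 3. Far too small
# for real use; they only make the data flow runnable with the standard library.
P, G, N = 2**127 - 1, 3, 2**127 - 2   # N = P-1, a multiple of the order of G

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, pow(G, x, P)             # (private, public)

def encrypt(pub, m):
    """ElGamal: fresh randomness r makes two encryptions of the same m differ."""
    r = secrets.randbelow(N - 1) + 1
    return pow(G, r, P), (m * pow(pub, r, P)) % P

def decrypt(priv, c):
    c1, c2 = c
    return (c2 * pow(c1, -priv, P)) % P

def _h(commit, data):
    return int.from_bytes(hashlib.sha256(commit.to_bytes(16, "big") + data).digest(), "big")

def sign(priv, data):
    """Schnorr signature (e, s) over data."""
    k = secrets.randbelow(N - 1) + 1
    e = _h(pow(G, k, P), data)
    return e, (k + priv * e) % N

def verify(pub, data, sig):
    e, s = sig
    return _h((pow(G, s, P) * pow(pub, -e, P)) % P, data) == e

def _payload(message, c):
    # message || encrypted identifier, ciphertext in fixed-width encoding
    return message + c[0].to_bytes(16, "big") + c[1].to_bytes(16, "big")

def group_sign(identifier, shared_priv, manager_pub, message):
    # Runs inside the smart card: encrypt the identifier, then sign the whole.
    c = encrypt(manager_pub, identifier)
    return c, sign(shared_priv, _payload(message, c))

def group_verify(shared_pub, message, gsig):
    # Anyone can check group membership; the signer's identifier stays hidden.
    c, sig = gsig
    return verify(shared_pub, _payload(message, c), sig)

def open_signature(manager_priv, gsig):
    # Only the group manager can decrypt the identifier and look up the member.
    return decrypt(manager_priv, gsig[0])
```

Two signatures by the same member on the same message carry different ciphertexts, which is why the cryptosystem must be probabilistic: a deterministic one would make a member's signatures linkable.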