In general, the group signature scheme, one of the very important cryptographic authentication schemes for protecting users' privacy, has been widely studied. The concept of the group signature scheme was first proposed by Chaum and Heyst in 1991; since then it has developed greatly, and numerous substantial schemes, as well as formal models of the security requirements, have also been proposed.
In addition, effective anonymity authentication schemes have been actively studied in recent years as replacements for the ID/password authentication scheme and the real-name-based PKI authentication scheme, which involve many problems such as exposure of personal information, a service provider's excessive collection of personal information, and leakage caused by careless management in the process of registering and confirming personal information, and for the i-Pin scheme, which involves the problem of extensive behavior tracking.
However, the traditional group signature scheme handles anonymity simply, with a dichotomous structure of concealing and recovering a signer's ID, and thus is not sufficient to be adopted in an actual application environment. The reason is that the side that uses services prefers the merits of perfect anonymity, but the side that provides services cannot easily achieve its original purpose in providing the services with anonymity alone.
For example, in a web-based anonymity authentication service, various personalized services as well as good quality services cannot be provided. Also, in the case of data mining, it would be difficult to obtain useful information from anonymity authentication data.
Therefore, in order to solve such problems, the development of a group signature scheme or the like that is able to control various anonymity levels from a practical point of view and is excellent in terms of performance is urgently required.
In addition, in order to design and develop effective group signature schemes providing the above-mentioned anonymity characteristics, the existing linear encryption (LE) scheme of a bilinear group is not sufficient, and a novel cryptographic scheme that is structurally flexible and able to efficiently encrypt multiple pairs of messages also needs to be developed.
Meanwhile, various group signature schemes have been suggested so far to provide anonymity authentication; however, they adopt a simple structure in which anonymity is processed such that a signer's ID is concealed in a generated signature and, when a master opening key is given, the signer's ID is recovered. Such a method is not sufficient to be utilized in an actual application environment. A problem arises in that, although the side that uses services prefers the merits of anonymity, the side that provides services cannot easily achieve a useful purpose in providing the services with anonymity alone.
For example, when a web-based anonymity authentication service is considered, a service provider requires user information (e.g., a user's consumption pattern) in an anonymous form, and if this is not supported, various personalized services and the good quality services associated with them cannot be provided. Also, in the case of data mining, it would be difficult to obtain useful information from anonymity authentication data according to a developer-desired method.