Group signature, introduced by Chaum and van Heyst [10], enables anonymous,
yet accountable, authentication to a service. In such a system, a so-called group
manager has the responsibility of a group of users who can issue anonymous
signatures on behalf of the group. More specifically, anyone can check that the
resulting signatures were issued by a group member but it is impossible, except
for the group manager, to identify the actual signer. This means for example
that a service provider can check that the user has the right to access the service whereas the user has the assurance that this authentication leaks as little
information as possible.
This ability to reconcile the interests of all parties makes it an ideal solution in many scenarios, which explains the countless papers on this topic. We
in particular note that some simple variants such as DAA or EPID are today
massively deployed [1,25]. Group signature has also been proposed in the context of public transport (e.g. [12,15]) to implement an anonymous version of a
transport subscription pass such as
