#### *3.1. Application*

The proposed anonymous signature scheme prevents the opener from identifying the signer without his/her permission: to identify a signer, the opener has to obtain a token issued specifically for the signature for which the signer wishes to be identified. For example, this scheme can be applied to an anonymous donation system. The identities of the donors are hidden to ensure that the fundraiser cannot know who donated the funds. However, if the donors wish to apply for an income tax deduction, all they have to do is issue a token to the relevant tax administration to prove their donations through signature authentication. Currently, many countries operate an anonymous reporting system against corruption among civil servants, but the problem is that the filed reports and the identity of a whistle-blower or an accuser can be leaked while the report is being processed, thus endangering that person or making the system useless. The proposed anonymous signature scheme can prevent such an incident by offering a more secure protection mechanism that makes it almost impossible for an intruder or a report handler to find the identity of the person filing the report. If the reporting system requires the accuser to be identified, and if he/she agrees to disclose his/her identity for a final confirmation or compensation, all he/she has to do is issue a token allowing the relevant authority to confirm the true identity.

#### *3.2. Formal Model*

The proposed method has the following four algorithms:

**GKg**(1*<sup>λ</sup>*, 1*<sup>n</sup>*): This is the algorithm where the group manager takes the security parameter *λ* and the number of anonymous signers *n* as input to create the signer's signing key *gsk<sub>i</sub>*, the opener's opening key *ok*, and the public parameters *gpk* for the system.

**GSig**(*gpk*, *i*, *gsk<sub>i</sub>*, *M*): This is the algorithm where the anonymous signer uses the group public key *gpk*, the signer's index *i*, the signer's signing key *gsk<sub>i</sub>*, and the message *M* to create the anonymous signature *σ* and the token *TK<sub>M</sub>* that permits disclosure.

**GVf**(*gpk*, *M*, *σ*): This is the algorithm where the verifier takes the group public key *gpk*, the message *M*, and the anonymous signature *σ* as input to verify the signature.

**Open**(*gpk*, *ok*, *M*, *σ*, *TK<sub>M</sub>*): This is the algorithm where the opener takes the group public key *gpk*, the opener's opening key *ok*, the message *M*, the anonymous signature *σ*, and the token *TK<sub>M</sub>* as input to check the signer's identification.

#### *3.3. Security Notion*

The proposed group signature scheme adopts four security concepts based on the general security model for group signature schemes defined by Mihir Bellare et al. [12,13].


#### *3.4. Proposed Scheme*

**GKg**(1*<sup>λ</sup>*, 1*<sup>n</sup>*)


**GSig**(*gpk*, *i*, *gsk<sub>i</sub>*, *M*)


**GVf**(*gpk*, *M*, *σ*)


**Open**(*gpk*, *ok*, *M*, *σ*, *TK<sub>M</sub>*)


$$e(T_4/(T_1^{\sqrt[5]{2}}T_2^{\sqrt[5]{2}}T_3^{\sqrt[5]{3}}), \varrho) \cdot (T_6/e(T_5, TK_M)) = e(A_i, \varrho).$$


Assuming that the proposed scheme is correct and that the decisional bilinear Diffie–Hellman problem and the decisional linear problem are hard, full anonymity can be achieved in the random oracle model. Likewise, the unforgeability of a signature (token) can be shown in the same model by assuming that the q-strong (computational) Diffie–Hellman problem is hard. The details of the proofs are omitted, as they deviate from the research purpose.

The following section proposes an anonymous signature scheme in which a signer, by issuing a token, allows the opener to trace his/her identity through the information or message for which he/she gave permission. The proposed scheme is expected to raise the level of privacy protection for the signer and can be used in a variety of systems, such as anonymous donation or corruption reporting systems.

#### **4. Group Signature with Signer-Controlled Opening Capability: Separate Token Generator**

Group signature schemes are considered a high-security cryptographic signature authentication system for protecting the signer's privacy. The authenticator or the verifier of a signature is provided with a limited amount of information or authority: he/she verifies the signer's affiliation with a certain group without learning the signer's true identity. Nevertheless, it is still possible for the opener to trace the identity when the situation makes it necessary to deal with malicious accesses. As a result, concerns about breaches of the signer's privacy through the exposure of his/her personal information still remain. This chapter deals with that problem by allowing the signer to issue a token with which the opener can access only those messages or items of information, including the signer's identity, whose disclosure is approved.

#### *4.1. Formal Model*

The proposed anonymous signature method is composed of the following four algorithms:

**KGen**(1*<sup>λ</sup>*): This is an algorithm where a trusted third party takes a security parameter *λ* as input to create public parameters for the running system *gpk*, an issuing key for the key issuer *ik*, and an opening key for the opener *ok*.

**ISS/Join**: This is an interactive algorithm between users and issuers in which an issuer issues *gsk<sub>i</sub>* to a user in response to the user's request.

**GSig**(*gpk*, *i*, *gsk<sub>i</sub>*, *M*): This is an algorithm where an anonymous signer creates a signature *σ* using a group public key *gpk*, an index of the signer *i*, a signing key of the signer *i*, *gsk<sub>i</sub>*, and a message *M*.

**TKGen**(*gpk*, *i*, *gsk<sub>i</sub>*, *M*): This is an algorithm where an anonymous signer creates an opening-permission token *TK<sub>M</sub>* using a group public key *gpk*, and an index of a signer *i*.

**GVf**(*gpk*, *M*, *σ*): This is an algorithm where a signature verifier performs a verification of an anonymous signature using a group public key *gpk*, a message *M*, and an anonymous signature *σ*.

**Open**(*gpk*, *ok*, *M*, *σ*, *TK<sub>M</sub>*): This is an algorithm where an opener checks the identity of an anonymous signer from an anonymous signature using an opening key of an opener *ok*, a message *M*, an anonymous signature *σ*, and a token *TK<sub>M</sub>*.

#### *4.2. Security Notion*

Mihir Bellare et al. defined the general security model of a group signature method [12,13]. This paper suggests the following four security notions based on Bellare's definition:

**Correctness**: The proper signature and proper token are always valid when verifying, and the opener with the right signature and the right token can always check the identification from the signature.

**Full anonymity**: The identity on the anonymous signature must remain inaccessible until the anonymous signer issues a token. When a token is issued, the identity must be inaccessible except by the opener with the token.

**Signature unforgeability**: Only the proper signer can create a valid anonymous signature for a specific message.

**Token unforgeability**: Only the proper signer can create a valid token for a specific signature.
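
The opening rule in Section 3.4 removes one factor with the opening key and a second factor with the token, which is what the correctness and full-anonymity notions above rely on. The following added example is not the paper's scheme: it is a toy ElGamal-style identity escrow in Z_p^* with no pairings, no signature proof and no unforgeability, written only to show that opening needs both *ok* and *TK<sub>M</sub>*. All function names, the registry, and the HMAC-derived token are assumptions of the example.

```python
import hashlib, hmac, secrets

# Toy group (constructed): Z_p^* with the Mersenne prime p = 2^127 - 1.
# Not a secure parameter choice; it only makes the algebra runnable.
P = 2**127 - 1
G = 3

def identity(gsk_i):
    """Identity element A_i; derived from gsk_i for brevity (toy assumption)."""
    a = int.from_bytes(hashlib.sha256(b"id" + gsk_i).digest(), "big") % (P - 1)
    return pow(G, a, P)

def keygen(n):
    """Toy GKg: opening key ok, public h = g^ok, one secret per signer."""
    ok = secrets.randbelow(P - 2) + 1
    gsk = [secrets.token_bytes(16) for _ in range(n)]
    registry = {identity(k): i for i, k in enumerate(gsk)}  # A_i -> index i
    return {"h": pow(G, ok, P)}, ok, gsk, registry

def tkgen(gsk_i, msg, t5):
    """Toy TKGen: token bound to this message and this signature's T5."""
    mac = hmac.new(gsk_i, msg + t5.to_bytes(16, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (P - 1)

def escrow(gpk, gsk_i, msg):
    """Escrow part of a toy GSig: A_i masked under ok AND under the token."""
    r, s = (secrets.randbelow(P - 2) + 1 for _ in range(2))
    t1, t5 = pow(G, r, P), pow(G, s, P)
    mask = pow(gpk["h"], r, P) * pow(t5, tkgen(gsk_i, msg, t5), P) % P
    return {"T1": t1, "T5": t5, "T4": identity(gsk_i) * mask % P}

def open_identity(ok, sig, token, registry):
    """Toy Open: strip the ok-mask and the token-mask, then look up A_i."""
    mask = pow(sig["T1"], ok, P) * pow(sig["T5"], token, P) % P
    a_i = sig["T4"] * pow(mask, -1, P) % P
    return registry.get(a_i)  # None means the opening failed

if __name__ == "__main__":
    gpk, ok, gsk, registry = keygen(3)
    msg = b"constructed sample message"
    sig = escrow(gpk, gsk[1], msg)
    token = tkgen(gsk[1], msg, sig["T5"])
    print("with token:   ", open_identity(ok, sig, token, registry))
    print("without token:", open_identity(ok, sig, 0, registry))
```

Because the token is recomputed from *gsk<sub>i</sub>*, the message and the signature, the signer can issue it long after signing without keeping per-signature state, and a token for one signature does not open another.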

#### *4.3. Proposed Scheme*

**GKg**(1*<sup>λ</sup>*, 1*<sup>n</sup>*)

