Up to now, how to construct an efficient secure group signature scheme, which needs not to reset the system when some group members' signing keys are exposed, is still a difficult problem. A construction concerning revocation of group members is an ideal one if it satisfies forward security which makes it more attractive for not sacrificing the security of past signatures of deleted members. This paper analyses the problem and gives a construction in which the group manager can be un-trustworthy. The scheme is efficient even when the number of revoked members is large.
Let Z/(p^e) be the integer residue ring modulo p^e with p an odd prime and integer e ≥ 3. For a sequence a over Z/(p^e), there is a unique p-adic decomposition a- = a-0 +a-1 .p +… + a-e-l .p^e-1 where each a-i can be regarded as a sequence over Z/(p), 0 ≤ i ≤ e - 1. Let f(x) be a primitive polynomial over Z/(p^e) and G'(f(x),p^e) the set of all primitive sequences generated by f(x) over Z/(p^e). For μ(x) ∈ Z/(p)[x] with deg(μ(x)) ≥ 2 and gad(1 + deg(μ(x)),p- 1) = 1, setφe-1 (x0, x1,… , xe-1) = xe-1. [μ(xe-2) + ηe-3(x0, X1,…, xe-3)] + ηe-2(x0, X1,…, xe-2) which is a function of e variables over Z/(p). Then the compressing mapφe-1 : G'(f(x),p^e) → (Z/(p))^∞ ,a-→φe-1(a-0,a-1, … ,a-e-1) is injective. That is, for a-,b-∈ G'(f(x),p^e), a- = b- if and only if φe-1 (a-0,a-1, … ,a-e-1) = φe-1(b-0, b-1,… ,b-e-1). As for the case of e = 2, similar result is also given. Furthermore, if functions φe-1 and ψe-1 over Z/(p) are both of the above form and satisfy φe-1(a-0,a-1,…,a-e-1)=ψe-1(b-0, b-1,… ,b-e-1) for a-,b-∈G'(f(x),p^e), the relations between a- and b-, φe-1 and ψe-1 are discussed
