Lucky writes:
At 9:32 AM 11/15/1996, Adam Shostack wrote: I've been toying with schemes that multiply the Ns from everybody's public key to create a new semi-anonymous public key. The only problem is that in each case either identity is revealed or the person seeking semi-anonymously reveals their secret key. So, I am not quite there. ;-)
I think that Chaum wrote some papers on group signatures. I'll try to dig them out. But it probably won't be before Sunday.
There are several types of "group signature" schemes out there. The one which Chaum wrote about was signatures which require a group to perform verification of the signature in relation to his undeniable signature system (Lidong Chen advanced this a bit further to make the scheme more general.) There are also systems in which group or subset of a group is necessary to sign the message, the original work was by Yves Desmet in his paper "Social Cryptography" in Crypto 88 or 89 I think. There have been various advancements on these systems, with different threshold schemes applied, the ability to have "super-votes" among the shares or veto schemes, mechanisms using distributed computation to securely perform the signing or encryption, as well other bells and whistles. At one point I was thinking about such systems in the context of the DNSSEC work as a means for creating a pseudonymous top-level domain with the same mechanisms for adjudication and dispute resolution as the current system through group signatures but had to set it aside to work on something a bit more practical. If anyone is really interested I could probably put together a fairly comprehensive listing of the literature in this particular area... jim