Key exposure problem turns out to be very serious in security services. For example, in electronic cash, the problem is very severe since money is directly involved. In other applications of cryptography, it is also a devastating attack. Forward security is the first security notion addressing the this issue. Roughly speaking, forward secrecy is aimed to protect validity of the all usage before key exposure. In this paper, we investigate the key exposure problem in blind signature (with application to electronic cash in mind). We then propose a blind signature scheme which guarantees forward security. Our scheme is constructed from the provably secure Okamoto-Guillou-Quisquater (OGQ for short) blind signature scheme. Using forking lemma proposed by Pointcheval and Stern [4], we can show the equivalence between existence of a forger with feasibility of solving the strong RSA problem. In addition, our scheme introduces no significant communication overhead comparing with OGQ scheme.

Group signatures are a useful cryptographic construct for privacy-preserving non-repudiable authentication, and there have been many group signature schemes. In this paper, we introduce a variant of group signatures that offers two new security properties called leak-freedom and immediate-revocation. Intuitively, the former ensures that an insider (i.e., an authorized but malicious signer) be unable to convince an outsider (e.g., signature receiver) that she indeed signed a certain message; whereas the latter ensures that the authorization for a user to issue group signatures can be immediately revoked ∗ An earlier version appeared in the Proceedings of IEEE ICDCS’04 [32]. 1 whenever the need arises (temporarily or permanently). These properties are not offered in existing group signature schemes, nor captured by their security definitions. However, these properties might be crucial to a large class of enterprise-centric applications because they are desirable from the perspective of the enterprises who adopt group signatures or are the group signatures liability-holders (i.e., will be hold accountable for the consequences of group signatures). In addition to introducing these new security