International Association
for Cryptologic Research

In many applications of group signatures, not only a signer\'s

identity but also which group the signer belongs to is sensitive

information regarding signer privacy. In this paper, we study these

applications and combine a group signature with a ring signature to

create a ring group signature, which specifies a set of possible

groups without revealing which member of which group produced the

signature. The main contributions of this paper are a formal

definition of a ring group signature scheme and its security model,

a generic construction and a concrete example of such a scheme. Both

the construction and concrete scheme are provably secure if the

underlying group signature and ring signature schemes are

secure.