I am searching for a scheme supporting group signatures and at the same time permitting the blinding of the message-signature pair. Let me explain.
There is a certification scheme proposed by Verheul: if we have message that is a public key, say $\texttt{pk}(A)$, and a signature $\texttt{sig}(\texttt{pk}(A), s)$ made with the secret key $s$, Verheul scheme respects blinding: $$\texttt{verify}(\left<\texttt{pk}(A), \texttt{sig}(\texttt{pk}(A), s)\right>, \texttt{pk}(s))=\texttt{OK} \ \Longleftrightarrow \ \texttt{verify}(\left<x\cdot\texttt{pk}(A), x\cdot\texttt{sig}(\texttt{pk}(A), s)\right>, \texttt{pk}(s))=\texttt{OK}$$
where $x$ is a blinding factor. I am searching for a similar scheme that also supports group signatures, i.e. $s_i$, $i \in I$ can sign, but the verification is done against the common $\texttt{pk}(\vec{s})$ for the group $I$:
$$\texttt{verify}(\left<\texttt{pk}(A), \texttt{sig}(\texttt{pk}(A), s_i)\right>, \texttt{pk}(s))=\texttt{OK} \ \Longleftrightarrow \ \texttt{verify}(\left<x\cdot\texttt{pk}(A), x\cdot\texttt{sig}(\texttt{pk}(A), s)\right>, \texttt{pk}(\vec{s}))=\texttt{OK}$$
Could you share your thoughts or point me in the direction I should look at? Being able to sign a generic message is also good, but for my purpose, a certificate on the public key is enough.
