Cryptology ePrint Archive: Report 2016/368

Foundations of Fully Dynamic Group Signatures

Jonathan Bootle and Andrea Cerulli and Pyrros Chaidos and Essam Ghadafi and Jens Groth

Abstract: Group signatures are a central cryptographic primitive that has received a considerable amount of attention from the cryptographic community. They allow members of a group to anonymously sign on behalf of the group. Membership is overseen by a designated group manager. There is also a tracing authority that can revoke anonymity by revealing the identity of the signer if and when needed, to enforce accountability and deter abuse. For the primitive to be applicable in practice, it needs to support fully dynamic groups, i.e. users can join and leave at any time. In this work we take a close look at existing security definitions for fully dynamic group signatures. We identify a number of shortcomings in existing security definitions and fill the gap by providing a formal rigorous security model for the primitive. Our model is general and is not tailored towards a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. In the process, we identify a subtle issue inherent to one design paradigm, where new members might try to implicate older ones by means of back-dated signatures. This is not captured by existing models. We propose some inexpensive fixes for some existing constructions to avoid the issue.

Category / Keywords: foundations / Group Signatures, Security definitions

Original Publication (with minor differences): International Conference on Applied Cryptography and Network Security 2016 (ACNS 2016)

Date: received 11 Apr 2016

Contact author: jonathan bootle 14 at ucl ac uk; andrea cerulli 13@ucl ac uk; pyrros chaidos 10@ucl ac uk; e ghadafi@ucl ac uk; j groth@ucl ac uk

Available format(s): PDF | BibTeX Citation

Version: 20160412:211549 (All versions of this report)

Short URL: ia.cr/2016/368

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]