Abstract: We identify a potential weakness in the standard security model
for dynamic group signatures which appears to have been overlooked
previously. More specifically, we highlight that even if a scheme
provably meets the security requirements of the model, a malicious
group member can potentially claim ownership of a group signature
produced by an honest group member by forging a proof of ownership.
This property leads to a number of vulnerabilities in scenarios in
which dynamic group signatures are likely to be used. We furthermore
show that the dynamic group signature scheme by Groth (ASIACRYPT 2007)
does not provide protection against this type of malicious behavior.
To address this, we introduce the notion of \emph{opening soundness}
for group signatures which essentially requires that it is infeasible
to produce a proof of ownership of a valid group signature for any
user except the original signer. We then show a relatively simple
modification of the scheme by Groth which allows us to prove opening
soundness for the modified scheme without introducing any additional
assumptions.
We believe that opening soundness is an important and natural
security requirement for group signatures, and hope that future
schemes will adopt this type of security.
|