IACR News item: 26 September 2025
Stephan Krenn, Kai Samelin, Daniel Slamanig
ePrint Report
Group signatures enable users to sign on behalf of a group while preserving anonymity, with accountability provided by a designated opener. The first rigorous model for dynamic groups (Bellare, Shi, Zhang, CT--RSA '05) captured anonymity, non-frameability, and traceability, later extended with trace-soundness (Sakai et al., PKC '12) and non-claimability (introduced as ``opening-soundness'' by Bootle et al., ACNS '16 & JoC '20).
In practice, issuer and opener are often distinct entities, often implemented by different organizations and/or hardware modules. We therefore formalize and prove the consequences of a model that enforces their complete separation, allows key reuse across groups, treats issuer and opener as stateless, and makes both joining and opening non-interactive.
This separation makes it necessary to reformulate traceability against a corrupt issuer and to introduce three additional unforgeability notions-key-unforgeability, certificate-unforgeability, and opening-unforgeability-for the case of a corrupt opener. Following this line of reasoning, we also develop strengthened formulations of trace-soundness and non-claimability.
We prove that in this model the eight resulting properties are fully distinct: even the conjunction of any seven does not imply the eighth. This yields the first comprehensive map of group signature security in a stateless, reusable-key, and non-interactive framework, and formally demonstrates the impact of complete issuer--opener separation.
In practice, issuer and opener are often distinct entities, often implemented by different organizations and/or hardware modules. We therefore formalize and prove the consequences of a model that enforces their complete separation, allows key reuse across groups, treats issuer and opener as stateless, and makes both joining and opening non-interactive.
This separation makes it necessary to reformulate traceability against a corrupt issuer and to introduce three additional unforgeability notions-key-unforgeability, certificate-unforgeability, and opening-unforgeability-for the case of a corrupt opener. Following this line of reasoning, we also develop strengthened formulations of trace-soundness and non-claimability.
We prove that in this model the eight resulting properties are fully distinct: even the conjunction of any seven does not imply the eighth. This yields the first comprehensive map of group signature security in a stateless, reusable-key, and non-interactive framework, and formally demonstrates the impact of complete issuer--opener separation.
Additional news items may be found on the IACR news page.