Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions

  • Mihir Bellare
  • Daniele Micciancio
  • Bogdan Warinschi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2656)


This paper provides theoretical foundations for the group signature primitive. We introduce strong, formal definitions for the core requirements of anonymity and traceability. We then show that these imply the large set of sometimes ambiguous existing informal requirements in the literature, thereby unifying and simplifying the requirements for this primitive. Finally, we prove the existence of a construction meeting our definitions based only on the assumption that trapdoor permutations exist.



Copyright information

© International Association for Cryptologic Research 2003

Authors and Affiliations

  • Mihir Bellare (1)
  • Daniele Micciancio (1)
  • Bogdan Warinschi (1)
  1. Dept. of Computer Science & Engineering, University of California at San Diego, La Jolla, USA
