Democratic group signatures with collective traceability

Recently, democratic group signatures (DGSs) particularly catch our attention due to their great functionalities, i.e., no group manager, anonymity, and individual traceability. In existing DGS schemes, individual traceability says that any member in the group can reveal the actual signer’s identity from a given signature. In this paper, we strengthen the security notions of DGS by taking insider attack against anonymity into account, and present a concrete DGS construction with collective traceability. The idea behind collective traceability is that a sender can first choose (ad-hoc) a set of n members (including himself), and then sign a message by using the public keys of all the members, in such a way that his identity would be recovered, in case of disputes, if and only if all n members collectively cooperate. The security properties of our scheme are formally proved under reasonable assumptions.