Short Threshold Dynamic Group Signatures.

Traditional group signatures feature a single issuer who can add users to the group of signers and a single opening authority who can reveal the identity of the group member who computed a signature. Interestingly, despite being designed for privacy-preserving applications, they require strong trust in these central authorities who constitute single points of failure for critical security properties. To reduce the trust placed on authorities, we introduce dynamic group signatures which distribute the role of issuer and opener over several entities, and support \( t _I\)-out-of-\(n_I\) issuance and \( t _O\)-out-of-\(n_O\) opening. We first define threshold dynamic group signatures and formalize their security. We then give an efficient construction relying on the pairing-based Pointcheval–Sanders (PS) signature scheme (CT-RSA 2018), which yields very short group signatures of two first-group elements and three field elements. We also give a simpler variant of our scheme in which issuance requires the participation of all \(n_I\) issuers, but still supports \( t _O\)-out-of-\(n_O\) opening. It is based on a new multi-signature variant of the PS scheme which allows for efficient proofs of knowledge and is a result of independent interest. We prove our schemes secure in the random-oracle model under a non-interactive q-type of assumption.