Note that under this compromise scenario, the attacker can perform all
operations which are available to a legitimate client even without access to the
actual value of the signature key.
Without access to the group secrets, the adversary will not have the ability to
generate messages which look valid to other members of the group and to the
infrastructure as they need to have access to group secrets to compute the
encryption keys or the membership tag.
Is this really a realistic scenario? In the most common case, if the attacker can
sign as the victim they also have the group secrets. I would suggest we remove
this last graf.