Group signatures were introduced by Chaum and Van Heyst, and
many security requirements for group signatures have been proposed. 
Bellare, Micciancio, and Warinschi showed that satisfying
full-anonymity and full-traceability is sufficient, in the sence that
all the above-mentioned requirements are implied by them. 
Wilson and Menezes introduced a considerable attack against 
standard signatures, key substitution attack. 
In this paper, we propose security conditions of group signatures
against this attack and show
that the security requirements are not sufficient regarding the attack. 
We also propose a group signature scheme 
that is secure against the key substitution attack, fully-anonymous, and fully-traceable.