VLR Group Signatures
How to Achieve Both Backward Unlinkability and Efficient Revocation Checks
Julien Bringer¹ and Alain Patey¹,²
¹ Morpho, Safran Group, Paris, France
² Télécom ParisTech, Paris, France
Identity and Security Alliance (The Morpho and Télécom ParisTech Research Center)
Keywords:
Group Signatures, Verifier-Local Revocation, Backward Unlinkability, Efficiency, Revocation Check.
Abstract:
Verifier-Local Revocation (VLR) group signatures are a particular case of dynamic group signature schemes
where the revocation process does not influence the activity of the signers. The verifiers use a Revocation List
and in all known schemes, checking a signature requires a computational time linear in the number of revoked
members. Usually, it requires one pairing per revoked user. Recently, Chen and Li proposed a scheme where
Revocation Check uses exponentiations instead of pairings. In this paper, we first propose a correction of their
scheme to enable a full proof of the traceability property and we succeed with a constant additional cost only
to extend this tweaked scheme to ensure Backward Unlinkability (BU). This important property prevents the
loss of anonymity of past signatures when a user is revoked. We thus obtain the scheme with the most efficient
Revocation Check among VLR schemes enabling BU.
1 INTRODUCTION
Group signatures, introduced by (Chaum and van
Heyst, 1991), enable a registered member to sign
anonymously on behalf of a group. The identity of
a signer can only be revealed by a Group Manager
who knows all the secret parameters of the group. Ac-
tual group signature schemes are dynamic: members
can join and leave (voluntarily or not) the group at
any time. To enable this, a revocation process is es-
tablished. We focus in this paper on schemes with
Verifier-Local Revocation (VLR), a particular way to
deal with revocation where we do not want additional
interactions with the signers. A Revocation List (RL)
is built by the group manager and sent only to the ver-
ifiers. The signers do not take it into account when
they sign. Verifying a signature is divided into two
parts: a Signature Check to verify if the signer is a
registered member and a Revocation Check to ver-
ify, using RL, whether the signer is revoked. This
type of group signature schemes is useful for appli-
cations where signers are often offline or are compu-
tationally weak devices (TPMs, smartcards...). Sev-
eral proposals for VLR group signatures have been
made, cf. for instance (Boneh and Shacham, 2004;
Nakanishi and Funabiki, 2006; Nakanishi et al., 2009;
Chen and Li, 2010; Libert and Vergnaud, 2009). A
similar concept is introduced in (Kiayias et al., 2004)
for traceable signatures with an implicit tracing mech-
anism. Applications of VLR schemes are, for in-
stance, Direct Anonymous Attestation (DAA) in the
context of Trusted Computing (Brickell et al., 2004;
Brickell and Li, 2010), Vehicular Ad-hoc NETworks
(VANETs) (Studer et al., 2008) or anonymous
authentication (Bringer et al., 2008).
One downside of VLR schemes is the lack of ef-
ficiency of the Revocation Check during the verifica-
tion of a signature. Indeed, in the original (Boneh
and Shacham, 2004) scheme and many other propo-
sitions, this part requires at least one pairing opera-
tion per each revoked user. (Nakanishi et al., 2009)
proposed a slight variant where products of pairings
are used instead of separate pairings. In (Chen and
Li, 2010), a VLR scheme using exponentiations in
the Revocation Check is proposed. As exponentia-
tions require less computation time, this is a substan-
tial improvement concerning efficiency. However, in
the (Chen and Li, 2010) scheme, proofs of security
are not detailed and it is unclear how to obtain an ex-
tractor for the proof of knowledge included in the sig-
nature. Having an extractor is necessary for the proof
of traceability, one of the essential security proper-
ties required from a group signature scheme. This is
why we propose a patch to the original (Chen and Li,
2010) scheme and explain explicitly how to build an
extractor for the thus modified algorithm. This part
of our work is a basis for our full scheme and can be
seen as a useful tool for our proofs of security.
Bringer J. and Patey A.
VLR Group Signatures - How to Achieve Both Backward Unlinkability and Efficient Revocation Checks.
DOI: 10.5220/0004017502150220
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 215-220
ISBN: 978-989-8565-24-2
Copyright © 2012 SCITEPRESS (Science and Technology Publications, Lda.)
Another issue in most VLR schemes is the follow-
ing: once a user has been revoked, all his previous sig-
natures lose their anonymity. The property that pre-
vents this loss is called Backward Unlinkability (BU).
It also allows a user to come back into the group after
having been revoked and use the same keys as before
while remaining anonymous. This property was first
introduced in (Song, 2001). There have been several
proposals to enable BU in schemes using pairings in
the Revocation Check, e.g. (Nakanishi and Funabiki,
2006; Libert and Vergnaud, 2009). This does not
change the type of operations to use in the Revoca-
tion Check. The other parts of the signing and verify-
ing algorithms are slightly modified but the difference
is constant and small. The same techniques cannot be
applied to schemes based on exponentiations. A first
proposal for such schemes has been suggested with-
out specific proofs in (Ateniese et al., 2002) in the
context of quadratic residues. We present in this pa-
per an improvement, inspired by the technique from
(Ateniese et al., 2002) that we adapt to the context of
bilinear groups, to the efficient (Chen and Li, 2010)
scheme in order to add the BU property. Moreover
we obtain full proofs of our security results includ-
ing the BU functionality and we also patch the (Chen
and Li, 2010) scheme in order to ensure traceabil-
ity. To achieve BU, we use zero-knowledge proofs of
knowledge involving double discrete logarithms. This
technique requires a number of computations that is
a function of a security parameter, but that is inde-
pendent of the total number of users and of the num-
ber of revoked members. Moreover, this technique is
generic and can be applied to other exponentiation-
based VLR schemes.
Our scheme satisfies Backward Unlinkability, Tra-
ceability and Exculpability in the random oracle mo-
del. Security is based on the strong Diffie-Hellman
(SDH) assumption, a slight adaptation of the De-
cisional Diffie-Hellman (adapted DDH) assumption
and the Discrete Logarithm (DL). Contrary to the var-
ious previous constructions of VLR group signature
schemes with BU, our contribution succeeds in elim-
inating pairings in the revocation checks, and thus
greatly increases the efficiency when verifying a sig-
nature. We increase, by a constant overhead, the size
of our signatures and the time required for signing
but: 1/the overhead can be pre-computed offline such
that the message-depending part of the signature is
as efficient as in other VLR schemes; 2/the saving in
computation time for the online verification (includ-
ing revocation check) is very important as soon as
the number of revoked members is large (from a few
dozens of members).
An extended version of this work, containing in
particular full security definitions and proofs, is avail-
able in (Bringer and Patey, 2012).
2 VLR GROUP SIGNATURES
MODEL
We here extend the VLR group signature model from
(Chen and Li, 2010) by including BU following
the model of (Nakanishi and Funabiki, 2006). The
security properties for generic dynamic group sig-
natures are from (Bellare et al., 2005; Boneh and
Shacham, 2004) for Verifier-Local Revocation and
from (Nakanishi and Funabiki, 2006) to enable BU.
There are three types of entities in our model:
a Group Manager GM, a set of members and a set
of verifiers. A VLR Group Signature Scheme with
BU and Exculpability consists of the following algo-
rithms:
KeyGen(k, T). On input a security parameter k and a
number T of periods, this algorithm, run by GM, outputs
the group public parameters gpk and the issuing key ik.
It also sets an empty Revocation List $RL_j$ for each
period j. These lists will be filled later with the
revocation tokens of the revoked users.
Join(gpk, ik; gpk). This algorithm is an interactive
protocol between GM and a member $M_i$. GM takes as
input the public parameters gpk and the issuing key ik,
$M_i$ takes only gpk. In the end, $M_i$ outputs an
identity $id_i$, a secret key $sk_i$, a credential $cre_i$
and a tracing key $tk_i$ (included in $cre_i$). GM gets
$id_i$ and $tk_i$ and outputs also a list of revocation
tokens for $M_i$: $rt_i = \{rt_{ij} \mid j \in \{1,\ldots,T\}\}$.
Revoke(gpk, $rt_{ij}$, j, $RL_j$). GM runs this algorithm
to prevent a member $M_i$ from making valid signatures at
period j. It outputs an updated revocation list $RL_j$ for
period j, where $rt_{ij}$ has been added.
Sign(gpk, j, $sk_i$, $cre_i$, m). This algorithm, run by a
member $M_i$, takes as input $M_i$'s keys $sk_i$ and $cre_i$
and a message m to sign at period j. It outputs a
signature σ.
Verify(gpk, j, $RL_j$, m, σ). This algorithm, run by a
verifier, takes as input a message m, its signature σ,
a period j, the corresponding Revocation List $RL_j$
and the public parameters gpk. It checks if the message
has been signed by an unrevoked group member,
without revealing the signer's identity. The possible
outputs are valid and invalid.
The scheme is correct if every signature created
SECRYPT2012-InternationalConferenceonSecurityandCryptography
216
by an unrevoked member is verified as valid. The
model of Backward Unlinkability enables a user that
has been revoked at a given time period to remain
anonymous in any other time periods. The aim of the
Exculpability property is to offer protection against
the Group Manager. In the Exculpability game, roles
are inverted: the adversary is the GM and, consequently,
knows the group's secret key and all the players'
credentials. The goal of the adversary is to forge
a valid signature that will be attributed to an honest
(i.e. not corrupted) member. This signature must be
such that it cannot be denied by the signer.
3 PRELIMINARIES
3.1 Bilinear Groups, Pairings and
Complexity Assumptions
Let $G_1$ be a cyclic group of prime order $p$, $G_2$ be a
group of order a power of $p$, $G_T$ be a cyclic group
of prime order $p$, $\psi$ be an homomorphism from $G_2$ to
$G_1$, $g_2$ be an order-$p$ element of $G_2$, $g_1$ a generator
of $G_1$ such that $\psi(g_2) = g_1$ and $e : G_1 \times G_2 \to G_T$ a
pairing.
Discrete Logarithm (DL) Problem. Given $G$ a multiplicative
finite cyclic group, with generator $g$, and $g^n$
(with $n \in_R \mathbb{Z}$), the problem is to find $n$.
q-Strong Diffie-Hellman (q-SDH) Problem (Boneh
and Boyen, 2004). Given bilinear groups $G_1$, $G_2$,
$G_T$, $g_1$, $g_2$ and a pairing $e$, as in Section 3.1, and a
q-tuple $(g_2^{\gamma}, \ldots, g_2^{(\gamma^q)})$ ($\gamma \in_R \mathbb{Z}_p$). The problem is to
compute a pair $(g_1^{1/(\gamma+x)}, x)$, with $x \in \mathbb{Z}_p$.
Adapted DDH Problem. Given $G$ a multiplicative
finite cyclic group of order a safe prime $p$, with
generator $g$, $g^a$, $g^b$ ($a, b \in_R \mathbb{Z}_p$), $u$ a generator of a
subgroup of $\mathbb{Z}_q$ ($q$ prime) of order $(p-1)/2$ and $u^a$. The
problem is to distinguish $g^{ab}$ from a random element
$z \in G$.
3.2 Proofs of Knowledge for Double
Discrete Logarithms
Let $G$ be a cyclic group of safe prime order $p$, $g \in G$,
$h$ a generator of a subgroup of order $(p-1)/2$ of $\mathbb{Z}_q$,
where $q$ is prime, and $x \in \mathbb{Z}_p$. Let $K = g^x$ and $L = g^{h^x}$.
We want to build a Non-Interactive Zero-Knowledge
Proof of Knowledge of $x$.
We must use binary challenges instead of a modular
integer in the classical NIZK PK à la (Schnorr,
1989). This technique is due to (Stadler, 1996;
Camenisch and Stadler, 1997) and has been suggested
for group signatures by (Ateniese et al., 2002). We
describe in Table 1 how such a proof works for a
security parameter $\lambda$ (we keep the same notations for
$g$, $h$, $x$, $K$ and $L$). In (Stadler, 1996), the authors state
that an attacker can cheat successfully only with
probability $2^{-\lambda}$.
Table 1: Signature-proof of knowledge of the equality of a
logarithm and a double logarithm.
Proof Generation:
1. For $l = 1 \ldots \lambda$, pick $r_l \in_R \mathbb{Z}_p$ and compute $V_l = g^{r_l}$, $W_l = g^{h^{r_l}}$.
2. Compute $c = H(m \| K \| L \| (V_l, W_l)_{l=1,\ldots,\lambda})$.
3. For $l = 1 \ldots \lambda$, let $b_l$ denote the $l$-th bit of $c$. Set $s_l = r_l - b_l x$.
4. Return $g$, $K$, $L$, $c$, $s_1, \ldots, s_\lambda$.
Proof Verification:
1. For $l = 1 \ldots \lambda$, let $b_l$ denote the $l$-th bit of $c$. Compute $V_l = g^{s_l} K^{b_l}$ and $W_l = (g^{1-b_l} L^{b_l})^{h^{s_l}}$.
2. Compute $c' = H(m \| K \| L \| (V_l, W_l)_{l=1,\ldots,\lambda})$.
3. If $c = c'$, accept the proof, else reject it.
4 PROPOSED SCHEME
In this section we describe our extension of (Chen and
Li, 2010) to prove traceability and to achieve Back-
ward Unlinkability.
The KeyGen algorithm is described in Algorithm 1:
we use bilinear groups and the notations of
Section 3.1 ($G_1$, $G_2$, $G_T$, $e$, $g_1$, $g_2$). The issuing key is
$\gamma \in_R \mathbb{Z}_p$, its public counterpart is $w = g_2^{\gamma}$. Notice that
$p$ must be a safe prime so that adapted DDH holds in
the group containing the revocation tokens.
Algorithm 1: KeyGen(k, T).
1: Choose bilinear groups $G_1, G_2, G_T$ of order a k-bit prime number $p$ that
is safe (i.e. $(p-1)/2$ prime number), a prime number $q$ and a pairing
$e : G_1 \times G_2 \to G_T$. Let $g_1, g_2$ be generators of $G_1$ and $G_2$.
2: Choose a hash function $H : \{0,1\}^* \to \mathbb{Z}_p$ and a security parameter $\lambda$ for
the proofs of knowledge involving double logarithms.
3: Choose $\tilde{g}_1, \hat{g}_1 \in_R G_1$, $\gamma \in_R \mathbb{Z}_p$, $h_1, \ldots, h_T \in_R \mathbb{Z}_q$, ($\gamma$ and the $h_j$'s of order
$(p-1)/2$) and compute $w = g_2^{\gamma}$.
4: Compute $T_1 = e(g_1, g_2)$, $T_2 = e(\tilde{g}_1, g_2)$, $T_3 = e(\hat{g}_1, g_2)$ and $T_4 = e(\hat{g}_1, w)$.
5: Output: gpk = ($G_1$, $G_2$, $G_T$, $e$, $p$, $g_1$, $g_2$, $\tilde{g}_1$, $\hat{g}_1$, $w$, $H$, $T_1$, $T_2$, $T_3$, $T_4$, $\lambda$,
$h_1, \ldots, h_T$) and ik = $\gamma$.
The Join algorithm is explained in Algorithm 2.
Each member $M_i$ chooses a secret key $sk_i = f_i \in_R \mathbb{Z}_p$,
not known by GM. $M_i$ gives to GM an identity
$id_i = \tilde{g}_1^{f_i}$ and proves the knowledge of $f_i$. GM sends him,
over a secure channel, a credential $cre_i = (A_i, x_i)$. To
enable BU, we divide the time into T periods. For
each period j, there is a public token $h_j$. The
revocation token for a member $M_i$ at period j is $rt_{ij} = h_j^{x_i}$
and $tk_i = x_i$ is the tracing key. Revocation lists are
different at each period, they are denoted $RL_j$.
Algorithm 2: Join(gpk, ik ; gpk).
1: GM sends a nonce $n_i \in \{0,1\}^k$ to $M_i$.
2: $M_i$ chooses $f_i \in_R \mathbb{Z}_p$ and computes $F_i = \tilde{g}_1^{f_i}$. He sets $sk_i = f_i$ and $id_i = F_i$.
He chooses $r_f \in_R \mathbb{Z}_p$ and computes $R = \tilde{g}_1^{r_f}$. He computes
$c = H(gpk \| F_i \| R \| n_i)$ then $s_f = r_f + c f_i$.
3: $M_i$ sends comm = $(F_i, c, s_f)$ to GM.
4: GM computes $R' = \tilde{g}_1^{s_f} F_i^{-c}$ and checks that $s_f \in \mathbb{Z}_p$ and
$c = H(gpk \| F \| R' \| n_i)$. He chooses $x_i \in_R \mathbb{Z}_p$ and computes
$A_i = (g_1 F_i)^{1/(x_i+\gamma)}$. He sets $cre_i = (A_i, x_i)$, $tk_i = x_i$ and $id_i = F_i$.
5: GM sends $cre_i$ to $M_i$, using a secure channel.
6: $M_i$ checks that $e(A_i, w g_2^{x_i}) = e(g_1 \tilde{g}_1^{f_i}, g_2)$ and outputs $(id_i, sk_i, cre_i)$.
7: The revocation token for $M_i$ at period j is $rt_{ij} = h_j^{x_i}$.
The Sign algorithm is described in Algorithm 3.
When a member $M_i$ creates a signature, he first
chooses a random $B \in_R G_1$ and computes $J = B^{f_i}$,
$K = B^{x_i}$ and $L = B^{h_j^{x_i}}$. He picks a random $a \in_R \mathbb{Z}_p$,
computes $b = a x_i$ and $T = A_i \hat{g}_1^{a}$. He then does a
NIZK PK of $(f_i, A_i, x_i)$ satisfying $J = B^{f_i}$, $K = B^{x_i}$
and $e(A_i, w g_2^{x_i}) = e(g_1 \tilde{g}_1^{f_i}, g_2)$. He also provides
evidence that $b = a x_i$ as in (Boneh and Shacham, 2004)
to ensure traceability based on an extractor. He finally
computes a Proof of Knowledge $(c, (V_l, W_l)_{l=1 \ldots \lambda})$, as
described in Section 3.2, of the equality:
$\log_B K = \log_{h_j}(\log_B L)$ $(= x_i)$.
Algorithm 3: Sign(gpk, $sk_i$, $cre_i$, m, j).
1: Choose $B \in_R G_1$ and compute $J = B^{f_i}$, $K = B^{x_i}$ and $L = B^{h_j^{x_i}}$.
2: Choose $a \in_R \mathbb{Z}_p$, compute $b = a x_i$ and $T = A_i \hat{g}_1^{a}$.
3: Choose $r_f, r_x, r_a, r_b, r_1, \ldots, r_\lambda \in_R \mathbb{Z}_p$.
4: Compute $R_1 = B^{r_f}$, $R_2 = B^{r_x}$, $R_4 = K^{r_a} B^{-r_b}$,
$R_3 = e(T, g_2)^{-r_x} T_2^{r_f} T_3^{r_b} T_4^{r_a}$, $V_l = B^{r_l}$ and $W_l = B^{h_j^{r_l}}$, $l = 1 \ldots \lambda$.
5: Compute $c = H(gpk \| B \| J \| K \| L \| T \| R_1 \| R_2 \| R_3 \| R_4 \| j \| m)$.
6: Compute $d = H(c \| (V_l, W_l)_{l=1 \ldots \lambda})$.
7: Compute $s_f = r_f + c f_i$, $s_x = r_x + c x_i$, $s_a = r_a + c a$ and $s_b = r_b + c b$.
8: For $l = 1 \ldots \lambda$, let $b_l$ be the $l$-th bit of $d$. Set $s_l = r_l - b_l x$.
9: Output: $\sigma = (B, J, K, L, T, c, d, s_f, s_x, s_a, s_b, s_1, \ldots, s_\lambda)$.
Remark 1. Note that the steps 1 to 4 in Algorithm 3
can be fully pre-computed in advance. Particularly, it
includes the costly proof of knowledge of the equal-
ity of a logarithm and a double logarithm that we in-
troduce here to enable BU. This leads to a message-
depending part of signature generation almost as ef-
ficient as in the other VLR schemes.
The Verify algorithm is described in Algorithm 4.
Algorithm 4: Verify(gpk, m, σ, $RL_j$, j).
1: Signature Check:
2: Check that $B, J, K, L, T \in G_1$ and $s_f, s_x, s_a, s_b, s_1, \ldots, s_\lambda \in \mathbb{Z}_p$.
3: Compute $R_1 = B^{s_f} J^{-c}$, $R_2 = B^{s_x} K^{-c}$,
$R_3 = e(T, g_2)^{-s_x} T_2^{s_f} T_3^{s_b} T_4^{s_a} T_1^{c} e(T, w)^{-c}$ and $R_4 = K^{s_a} B^{-s_b}$.
4: Check that $c = H(gpk \| B \| J \| K \| L \| T \| R_1 \| R_2 \| R_3 \| R_4 \| j \| m)$.
5: For $l = 1 \ldots \lambda$, let $b_l$ be the $l$-th bit of $d$. Compute $V_l = B^{s_l} K^{b_l}$ and
$W_l = (B^{1-b_l} L^{b_l})^{h_j^{s_l}}$.
6: Check that $d = H(c \| (V_l, W_l)_{l=1 \ldots \lambda})$.
7: Revocation Check:
8: Check that $\forall\, rt_{ij} \in RL_j$, $L \neq B^{rt_{ij}}$.
9: Output valid if all checks succeed. Otherwise output invalid.
5 SECURITY
In (Chen and Li, 2010), the Sign algorithm was slightly
different. Of course, there was no proof of knowledge
of a double logarithm. What is important to notice
is that there moreover was no $R_4$ value. We think
there is something missing in the proof of traceability
in (Chen and Li, 2010), that does not explicitly give
an extractor. This is why we add the $R_4$ part in our
algorithms. Notice that adding $R_4$ does not change the
signature size but only adds one multi-exponentiation
in both Sign and Verify algorithms. In (Bringer and
Patey, 2012) we prove that one can actually obtain an
extractor when using the Sign procedure from
Algorithm 3. Note that as a group signature is essentially a
proof of knowledge (POK) of a member key, the
notion of extractor is here the same as in the context of
POKs.
Theorem 1. There exists an extractor for the group
signature scheme as defined in Section 4, that extracts
a valid key (x, f,A) from a convincing signer.
The correctness of our scheme is straightforward.
We also prove (cf. (Bringer and Patey, 2012)) that
it achieves the other expected security properties as
stated below.
Theorem 2. Under the ROM and the hardness of
the adapted DDH problem in $G_1$, the scheme
described in Section 4 achieves BU. Under the ROM
and the SDH assumption in $(G_1, G_2, G_T)$, the scheme
achieves Traceability. Under the ROM and the DL
assumption, the scheme achieves Exculpability.
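An added toy example (not code from the paper or its authors) of the (B, K, L) part of Algorithms 3 and 4: the binary-challenge proof that $\log_B K = \log_{h_j}(\log_B L)$, followed by the per-period Revocation Check, showing that a period-1 token flags the revoked member's period-1 signature but not the same member's period-2 signature. Assumptions of the example: the squares modulo 2039 stand in for $G_1$, the pairing-based credential proof (J, T, $R_1$ to $R_4$) is omitted, q = p so that the $h_j$ are taken modulo p, the responses $s_l$ are reduced modulo $p(p-1)/2$ rather than p, and all function names and the keys 123 and 456 are constructed.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use.
P = 2039                 # prime modulus; G1 stand-in = squares mod P
p = 1019                 # safe prime, order of the G1 stand-in
N = p * ((p - 1) // 2)   # lcm of ord(B) = p and ord(h_j) = (p - 1)/2
LAMBDA = 32              # number of binary challenges (security parameter)
H = {1: 4, 2: 9, 3: 25}  # public h_j per period: order (p - 1)/2 mod p (q = p here)


def token(x, j):
    """Revocation token rt_ij = h_j^(x_i) for tracing key x and period j."""
    return pow(H[j], x, p)


def in_g1(e):
    """Membership test for the order-p subgroup standing in for G1."""
    return 0 < e < P and pow(e, p, P) == 1


def challenge(j, m, B, K, L, commits):
    """Hash the statement and the commitments (V_l, W_l) to LAMBDA challenge bits."""
    digest = hashlib.sha256(repr((j, m, B, K, L, commits)).encode()).digest()
    return int.from_bytes(digest[:LAMBDA // 8], "big")


def sign_part(x, j, m):
    """Produce B, K = B^x, L = B^(h_j^x) and the proof that both hide the same x."""
    B = pow(2 + secrets.randbelow(P - 3), 2, P)   # random square, never 1
    K, L = pow(B, x, P), pow(B, token(x, j), P)
    r = [secrets.randbelow(N) for _ in range(LAMBDA)]
    commits = [(pow(B, rl, P), pow(B, pow(H[j], rl, p), P)) for rl in r]
    d = challenge(j, m, B, K, L, commits)
    # Example's choice: reduce mod N so s_l is valid under both B and h_j.
    s = [(rl - ((d >> l) & 1) * x) % N for l, rl in enumerate(r)]
    return {"B": B, "K": K, "L": L, "d": d, "s": s}


def check_proof(sig, j, m):
    """Recompute (V_l, W_l) from the responses and compare the challenge."""
    B, K, L, d, s = (sig[k] for k in ("B", "K", "L", "d", "s"))
    if B == 1 or not all(in_g1(e) for e in (B, K, L)):
        return False
    if len(s) != LAMBDA or not all(0 <= sl < N for sl in s):
        return False
    commits = []
    for l, sl in enumerate(s):
        b = (d >> l) & 1
        V = pow(B, sl, P) * pow(K, b, P) % P           # B^s_l * K^b_l
        W = pow(L if b else B, pow(H[j], sl, p), P)    # (B^(1-b_l) L^b_l)^(h_j^s_l)
        commits.append((V, W))
    return challenge(j, m, B, K, L, commits) == d


def revocation_check(sig, rl_j):
    """True if no token in RL_j matches: one exponentiation per revoked member."""
    return all(pow(sig["B"], rt, P) != sig["L"] for rt in rl_j)


def verify(sig, j, m, rl_j):
    return check_proof(sig, j, m) and revocation_check(sig, rl_j)


def demo():
    x_alice, x_bob = 123, 456            # constructed tracing keys
    rl_1 = [token(x_alice, 1)]           # Alice is revoked for period 1 only
    alice_p1 = sign_part(x_alice, 1, "msg")
    alice_p2 = sign_part(x_alice, 2, "msg")
    bob_p1 = sign_part(x_bob, 1, "msg")
    # A signature whose L was built from a different x than K fails the proof.
    swapped = dict(alice_p1, L=pow(alice_p1["B"], token(x_bob, 1), P))
    return {
        "alice_period1_valid": verify(alice_p1, 1, "msg", rl_1),
        "bob_period1_valid": verify(bob_p1, 1, "msg", rl_1),
        "alice_period2_linked_by_old_token": not revocation_check(alice_p2, rl_1),
        "swapped_L_valid": verify(swapped, 1, "msg", rl_1),
    }


if __name__ == "__main__":
    print(demo())
```

The proof is what makes the Revocation Check meaningful: K is bound to the credential by the rest of the signature, and the proof forces L to be built from the same $x_i$ that the token $h_j^{x_i}$ contains.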
6 EFFICIENCY
6.1 Analysis of the Proposed Scheme
We compare here our proposal with the patched (Chen
and Li, 2010) scheme. Notice that we add in the
signature $\lambda$ elements $s_1, \ldots, s_\lambda$ of $\mathbb{Z}_p$ and one element $L$
of $G_1$. Chen and Li proposed to use 256-bit
Barreto-Naehrig curves (Barreto and Naehrig, 2005). In this
context, each element of $G_1$ can be represented using
257 bits. A (Chen and Li, 2010) signature using
these parameters is 2308-bit long. A signature
from our scheme using a security parameter $\lambda = 80$
is 23301-bit long, i.e. about ten times bigger.
Concerning computation times, our modification requires
$2\lambda + 1$ additional exponentiations in $G_1$ and $\lambda$
exponentiations over $\mathbb{Z}_q$ for the signing part. Nevertheless,
all these additional exponentiations are independent
of the message and can be pre-computed offline by
the signer.
It also requires $2\lambda$ additional exponentiations in
$G_1$ and $\lambda$ exponentiations over $\mathbb{Z}_q$ for the verifying
part. Note that, despite this overhead, one important
property of our solution is that revocation check
remains as fast as in the original scheme. Consequently
the cost of this overhead will be amortized with large
revocation lists (cf. next section).
This is summed up in Table 2. (me stands for
multi-exponentiations in $G_1$, me [Z_q] stands for
multi-exponentiations in $\mathbb{Z}_q$, ME for multi-exponentiations
in $G_T$ and P for pairings. The “patched CL” scheme
is the (Chen and Li, 2010) scheme modified to
obtain an extractor, i.e. our scheme without the proof of
knowledge of a double logarithm. And we denote by
CL-BU$_\lambda$ our scheme with a security parameter $\lambda$.)
Table 2: Computational costs for (Chen and Li, 2010) and
our scheme.
Scheme | Cost of Sign (offline) | Cost of Sign (online) | Cost of Verify
patched CL | 6 me + 1 ME | negligible (1 hash) | (4 + |RL|) me + 1 ME + 1 P
our scheme (CL-BU_λ) | (7 + 2λ) me + λ me [Z_q] + 1 ME | negligible (2 hash) | (4 + |RL_j| + 2λ) me + λ me [Z_q] + 1 ME + 1 P
6.2 Comparison with Existing Works
We now compare the additional cost for BU for the
(Chen and Li, 2010) scheme and for a pairing-based
scheme. We use as an example the (Boneh and
Shacham, 2004) and the (Nakanishi and Funabiki,
2006) schemes (denoted respectively by BS and NF
in the subsequent tables), the latter being a
modification of the BS scheme enabling BU. We
implemented all these algorithms on a PC with a 2.93 GHz
Intel® Core™ 2 Duo processor. The implementation
uses the C++ programming language and the NTL
library (Shoup, ). The order p of the groups used in the
implementation is a 160-bit integer, q is a 1248-bit
integer. We compute pairings using an optimization
technique from (Stogbauer, 2004).
Remark 2. The size of q is chosen so that the DL
problem is hard over the subgroups of $\mathbb{Z}_q$ of order
$(p-1)/2$. Note that the impact on the performances
is very limited as only some of the additional
exponentiations for the proof of knowledge of the double
logarithm / logarithm equality are made on $\mathbb{Z}_q$ and,
in particular, the exponentiations made during
revocation check remain in $G_1$ (whose order is the smaller
prime p).
One can find in Table 3 our results for the schemes
(Boneh and Shacham, 2004) (BS) and our correc-
tion of (Chen and Li, 2010) without Backward Un-
linkability. We give the computation times for the
Sign algorithm, for the constant part of the Verify al-
gorithm and, finally, the time needed for each addi-
tional revoked user. Our results imply that computing
a pairing is about four times longer than computing
an exponentiation, which confirms the improvement
brought by exponentiations in terms of efficiency.
In Table 4, we describe the additional time needed
to add Backward Unlinkability to these schemes. The
operations in the Revocation Check part have the
same cost, that is why they are not mentioned here.
We can see that, for pairing based schemes ((Boneh
and Shacham, 2004; Nakanishi and Funabiki, 2006)),
BU is essentially for free. In our scheme, it requires
about 100 more milliseconds per security level (that
can be handled offline for the signing part), which is
coherent with the theoretical costs of Table 2. We also
show why, despite the additional cost due to the secu-
rity parameter of the proof of knowledge, our scheme
becomes quickly more efficient than a pairing-based
scheme with BU. In Table 5, we show the time needed
by the Verify algorithm for the NF scheme (Nakan-
ishi and Funabiki, 2006) and for our scheme, using
different security parameters. We can see that there
is a threshold value for the number of revoked mem-
bers from which our scheme is more efficient. Our
scheme is the most adapted for large groups (from a
few dozens of users).
For instance, we remark that the overall time for
signing and verifying when there are 1000 revoked
members is divided by 3 for our scheme CL-BU$_{80}$
compared to the (Nakanishi and Funabiki, 2006)
scheme.
Table 3: Computation times for the schemes without BU.
Scheme | BS | patched CL
Signature | 1000 ms | 450 ms
Verification | 1170 ms | 400 ms
Rev. Check (/rev.) | 180 ms | 45 ms
Table 4: Additional time for Backward Unlinkability.
Scheme with/without BU | NF/BS | CL-BU_80/CL | CL-BU_128/CL
Signature | 80 ms | 8 s (offline) | 13 s (offline)
Verification | 40 ms | 8 s | 13 s
Table 5: Overall computational time for the Verify algorithm,
depending on the number of revoked members.
Revoked members | NF | CL-BU_80 | CL-BU_128
10 | 3 s | 9 s | 14 s
100 | 19 s | 13 s | 18 s
1000 | 3 min | 53 s | 58 s
7 CONCLUSIONS
We present the first VLR Group Signature scheme
that enables BU where the revocation check (which
is the costliest part) requires |RL| (number of revoked
users) exponentiations instead of |RL| pairings. Our
technique can be applied for adding BU to other VLR
schemes that rely on exponentiations in the Revoca-
tion Check. By applying our technique to (Chen and
Li, 2010), that we moreover modified to give a full se-
curity proof for traceability, we obtain the most effi-
cient VLR scheme enabling Backward Unlinkability.
ACKNOWLEDGEMENTS
This work is partially funded under the European FP7
FIDELITY project (SEC-2011-284862).
REFERENCES
Ateniese, G., Song, D. X., and Tsudik, G. (2002). Quasi-
efficient revocation in group signatures. In Blaze,
M., editor, Financial Cryptography, volume 2357 of
LNCS, pages 183–197. Springer.
Barreto, P. S. L. M. and Naehrig, M. (2005). Pairing-
friendly elliptic curves of prime order. In Preneel, B.
and Tavares, S. E., editors, Selected Areas in Cryp-
tography, volume 3897 of LNCS, pages 319–331.
Springer.
Bellare, M., Shi, H., and Zhang, C. (2005). Foundations
of group signatures: The case of dynamic groups. In
CT-RSA, pages 136–153.
Boneh, D. and Boyen, X. (2004). Short signatures with-
out random oracles. In Cachin, C. and Camenisch, J.,
editors, EUROCRYPT, volume 3027 of LNCS, pages
56–73. Springer.
Boneh, D. and Shacham, H. (2004). Group signatures with
verifier-local revocation. In Atluri, V., Pfitzmann, B.,
and McDaniel, P. D., editors, ACM Conference on
Computer and Communications Security, pages 168–
177. ACM.
Brickell, E. and Li, J. (2010). A pairing-based daa scheme
further reducing tpm resources. In Acquisti, A.,
Smith, S. W., and Sadeghi, A.-R., editors, TRUST,
volume 6101 of LNCS, pages 181–195. Springer.
Brickell, E. F., Camenisch, J., and Chen, L. (2004). Di-
rect anonymous attestation. In Atluri, V., Pfitzmann,
B., and McDaniel, P. D., editors, ACM Conference on
Computer and Communications Security, pages 132–145.
ACM.
Bringer, J., Chabanne, H., Pointcheval, D., and Zimmer, S.
(2008). An application of the Boneh and Shacham
group signature scheme to biometric authentication.
In Matsuura, K. and Fujisaki, E., editors, IWSEC, vol-
ume 5312 of LNCS, pages 219–230. Springer.
Bringer, J. and Patey, A. (2012). Backward unlinkability for
a VLR group signature scheme with efficient revoca-
tion check. IACR Cryptology ePrint Archive, Report
2011/376. http://eprint.iacr.org/.
Camenisch, J. and Stadler, M. (1997). Efficient group signa-
ture schemes for large groups (extended abstract). In
Jr., B. S. K., editor, CRYPTO, volume 1294 of LNCS,
pages 410–424. Springer.
Chaum, D. and van Heyst, E. (1991). Group signatures. In
EUROCRYPT, pages 257–265.
Chen, L. and Li, J. (2010). VLR group signatures with in-
disputable exculpability and efficient revocation. In
PASSAT.
Kiayias, A., Tsiounis, Y., and Yung, M. (2004). Traceable
signatures. In Cachin, C. and Camenisch, J., editors,
EUROCRYPT, volume 3027 of LNCS, pages 571–589.
Springer.
Libert, B. and Vergnaud, D. (2009). Group signatures with
verifier-local revocation and backward unlinkability in
the standard model. In Garay, J. A., Miyaji, A., and
Otsuka, A., editors, CANS, volume 5888 of LNCS,
pages 498–517. Springer.
Nakanishi, T. and Funabiki, N. (2006). A short verifier-
local revocation group signature scheme with back-
ward unlinkability. In Yoshiura, H., Sakurai, K., Ran-
nenberg, K., Murayama, Y., and ichi Kawamura, S.,
editors, IWSEC, volume 4266 of LNCS, pages 17–32.
Springer.
Nakanishi, T., Sudarsono, A., Sakemi, Y., Nogami, Y., and
Funabiki, N. (2009). A group signature scheme with
efficient verifier-local revocation check. In SCIS.
Schnorr, C.-P. (1989). Efficient identification and signatures
for smart cards. In Brassard, G., editor, CRYPTO, vol-
ume 435 of Lecture Notes in Computer Science, pages
239–252. Springer.
Shoup, V. Number theory library. http://www.shoup.net/ntl.
Song, D. X. (2001). Practical forward secure group signa-
ture schemes. In ACM Conference on Computer and
Communications Security, pages 225–234.
Stadler, M. (1996). Publicly verifiable secret sharing. In
EUROCRYPT, pages 190–199.
Stogbauer, M. (2004). Efficient algorithms for pairing-
based cryptosystems. Master’s thesis, Darmstadt Uni-
versity of Technology.
Studer, A., Shi, E., Bai, F., and Perrig, A. (2008). Tack-
ing together efficient authentication, revocation, and
privacy in vanets. Technical report, Carnegie Mellon
CyLab.
SECRYPT2012-InternationalConferenceonSecurityandCryptography
220