Group signature with time-bound keys and unforgeability of expiry time for smart cities

Internet of Things (IoT) lays the foundation for the various applications in smart cities, yet resource-constrained IoT devices are prone to suffer from devastating cyberattacks and privacy leak threats, thus are inevitability supposed as the weakest link of the systems in smart cities. Mitigating the security risks of data and the computing limitation of edge devices, especially identity authentication and key validity management of group devices are essential for IoT system security. In order to tackle the issues of anonymity, traceability, unforgeability of expiry time as well as efficient membership revocation for life-cycle management of devices in IoT setting, we presented a dynamic time-bound group signature with unforgeability of expiry time. Unforgeability of expiry time disables a revoked signer to create a valid signature by means of associating the signing key with an expiry time. The anonymity and traceability of the proposed scheme contribute to the identity privacy of the entities and supervision for authority agency. Moreover, our proposal is feasible in the resource-constrained setting for efficient computational cost of signing and verification algorithms.

Internet of Things (IoT), which is capable of sensing the physical world by ubiquitous smart devices and building a transparent information world, is considered to be one of the most fundamental and indispensable technologies for smart cities [1]. To provide citizens convenient public resource utilization and public administrations services, advanced application-oriented intelligent IoT ecosystems have mushroomed in various industries, such as vehicles, logistics, meteorology, architecture, geology, hydrology, and sharing economy. As a result, the growth spurts on city populations, smart terminals, and data abound to follow in the foreseeable future and will conversely impose great challenges on the city infrastructures and IoT devices. Hence, various solutions including data reduction dimensionality [2], transmission power optimization [3], multi-hop path optimization [4], secure key management [5, 6], and edge computing [7] are proposed to optimize the energy, the real-time, and distributed performance of applications in smart cities.

As described in Fig. 1, IoT devices are usually grouped according to their functionality or locations to perform the tasks on data collection, transmission, and commands execution. Traditional resource-limited IoT devices are typically not secured-by-design and located at the edge of the smart cities ecosystems, thus they are vulnerable to security and privacy threats that are prone to trigger devastating losses [8]. Generally, data confidentiality, integrity, and device authentication in groups must be guaranteed [5]. In addition, anonymity is indispensable because of identity privacy leakage, and traceability is expected when supervision or audit organizations need to find out malicious devices. The optimum solution to the questions mentioned above is the scheme employing group signature [9]. In a group signature, any group member is allowed to generate signatures anonymously representing the entire group, and a signature can be opened to reveal the misbehaved members in case of a dispute. Consequently, group signature has been proved to be an appropriate way to ensure authentication, anonymity, and traceability in numerous privacy-preserving intricate schemes [10,11,12].

Overview of the IoT architecture

Full size image

In general, the following security and privacy problems are essential for practical and need to be considered. Firstly, efficient flexible registration and revocation functionality is indispensable for practical purposes due to constantly mobile devices and incompletely reliable signals. Dynamic group signature is more complex but is more efficient and available than static group signature in mobile IoT settings because without frequent initializations. Revocations usually cause the degradation of efficiency. Spontaneously, it is important to speed up revocation checks especially in resource-constrained settings. Moreover, it is necessary to maintain security after group members are revoked. Besides, it is worth especially noting that valid time of data and devices is crucial for lifecycle management and even counting economic value. However, the forgery attack to the expiration time of occupancy will cause exploiting inappropriately data, device or service, and consequently injurious to the interest of stakeholders. In addition, the encryption procedure employed in group signature is heavy for IoT devices and thus is necessary to be removed or reduced using a novel signature scheme. Naturally, how to realize efficient revocable dynamical group signature with unforgeability of expiry time in the IoT setting is a tough but critical question.

1.1 Related work

Group signatures introduced by Chaum and van Heys [9] were strictly formalized as static BMW mode [13] and further extended to the circumstance of the dynamic BSZ model [14]. In the static BMW model setting, the group manager is responsible for opening signatures and generating keys honestly for predefined group members at the setup stage. Yet in the dynamically BSZ model, any new member is allowed to join the group at all moments after finishing the initial setup, while the monolithic group manager in the static model is separated into issuer and opener. These ingenious works have introduced general constructions, which have become the implicit framework for most of the following group signatures. Subsequently, Sakai et al. [15] explored a slightly modified scheme by defining the notion of weak opening soundness, which requires no malicious user can fabricate an opening proof and allege ownership of a signature issued by an honest one. Weak opening soundness is reasonable in the practical setting because it achieves an acceptable tradeoff between computational cost and anticipated security guarantees.

The widely used construction paradigm for group signatures is the modular Sign-Encrypt-Prove (SEP) paradigm, which typically consists of three steps. Firstly, the issuer and group members play an interactive protocol to generate the signing key, namely a certificate associated with the identity of a member. Then group member generates a digital signature on the message and the encryption of her identity. Finally, a Non-Interactive Zero-Knowledge proof (NIZK) is provided to prove that the user takes possession of knowledge of a legitimate certificate. Unfortunately, the main drawback of the SEP paradigm is inefficiency due to the complexity of NIZK proof and encryption. To solve this issue, Bichsel et al. [16] explored an efficient alternative called Sign-Randomize-Proof (SRP) paradigm and creatively removed explicit encryption by employing re-randomizable signatures during the group signature generation phase, guarantying that multiple randomized counterparts originated from the identical signature are not linkable. In particular, they improved efficiency by proving a Signature of Knowledge (SoK) on the message instead of NIZK proof. Following this novel paradigm, Derler and Slamanig [17] contributed a highly-efficient dynamic group signature construction that employed structure-preserving signatures on equivalence classes (SPS-EQ) [18, 19]. SPS-EQ defines a relation \({\mathcal{R}}\) to establish partitions of the message space, which indicates that the signer virtually signs the whole partition as long as signing one representative of a partition. Especially, the SPS-EQ signature can be transformed to any different representative of the partition, without knowing any information of the secret key. It is also noteworthy that the scheme of Derler and Slamanig is especially fit for resource-constrained devices because the signature size of their CPA-fully anonymous instantiation is shorter than the classical BBS scheme [20].

It is indispensable for practical purpose to provide revocation functionality, however, which usually cause the degradation of efficiency. Spontaneously, it is significant to speed up revocation checks, especially in the resource-constrained setting. More precisely, the revocation check (RC) is classified into implicit and explicit revocation. The implicit revocation indicates that a revoked signer cannot compute signatures that passing the verification check, and she needs to prove both that she is unrevoked and enrolled in the group. Hence, in the implicit revocation [21,22,23,24], the signing algorithm is computationally expensive, whereas the verification expense is relatively low. Inversely, in the explicit case, all signers can create signatures passing the verification check, but a verifier needs to further run the RC procedure to check if the signer has been revoked or not. Thus, in the explicit revocation [25,26,27,28], a signer only proves her membership. Accordingly, the signing algorithm is at a relatively low computational cost, while the cost of the verification part is computationally expensive because of the supplementary RC procedure. Therefore, explicit RC has lower power consumption than the implicit case, for the IoT devices as the data producers.

Typically, the computational cost of RC increases linearly with the scale of the revocation list. Therefore, there is a high demand for a flexible revocation approach to downsizing the revocation list. Libert et al. [22] put forward the classical paradigm for revocable group signature (RGS) solution in the standard model based on a complete subtree algorithm. Unfortunately, the solution fails to achieve sufficient efficiency in the practical setting, due to adopting the complex standard model and Groth–Sahai proofs. We additionally remark that the construction in the asymmetric pairing setting and the random oracle model (ROM) is highly desirable in view of efficiency and suitability for practical resource-constrained context, although that in the standard model or based on lattices are quite attractive. Ohara et al. [24] showed an RGS scheme called parallel BBS group signature and the costs of which are asymptotically identical with that of the LPY scheme [22]. Nonetheless, the cost of computing the signing process in [22] is relatively high due to implicit revocation. Emura and Hayashi [23] proposed an RGS scheme under the simple assumption by employing the methodology in [24]. They modify their proposal to support weak opening soundness since the LPY model is incapable of ownership proof. Ishida et al. [27] came up with a fully anonymous group signature, where revocation component is achieved using additional key pairs of a key-private public key encryption scheme. Their design is not fully dynamic due to following BMW construction and also fail to provide instantiation and efficiency evaluation. Very recently, Yue et al. [29] offered a distributed RGS scheme with backward security by introducing a trusted authority.

Besides, time-bound keys (TBK) management techniques [30], which means that secret key is embedded with a timestamp, are usually combined with group key management, broadcast encryption, group signature, attribute-based encryption for efficient revocation, access control, and anonymous authentication on the time dimension [5, 31,32,33,34]. It is crucial to highlight that, for the sake of downsizing the expense of RC in practical settings, Chu et al. [31] detailed a feasible method called group signature with time-bound keys (GS-TBK). In GS-TBK, the signing key of each member is closely related to expiry time, and the verifiers check whether the signers produced group signatures based on expired keys. The proposal could be regarded as a solution possessing the simultaneous properties of both “natural” and “premature” revocation types. The “natural” revocation means that only signers having non-expired keys can create signatures that pass the verification check whereas the “premature” revocation indicates that it is able to revoke signers in advance even expiry times have not passed and thus verifiers need to run the RC procedure. The number of prematurely revoked signers is merely a small proportion of all revoked members, thus, the size of the revocation list and the cost of RC is significantly cut down [10, 34]. Subsequently, Emura et al. [34] revisited the definition the traceability in GS-TBK by offering the unforgeability of expiry time for signing keys [24]. The forgeability attack refers to an adversary may forge a valid signature after expiry time \(\tau\). Specifically, [34] defined a complete subtree algorithm for time-bound keys (CS-TBK) similar to the CS method and proposed a novel group signature in the proposed model. Assuming that \({\text{T}}\) represents the maxlength of time and the number of the leaf node belong to the binary tree \({\text{BT}}\), the subtree covering all nodes that are non-revoked could be found. The underlying primitives of the proposal are BBS + signature [20]. Regarding security properties, the scheme provides backward unlinkability-anonymity, traceability, and non-frameablity. Constant signing cost was provided, unlike the earlier solution where the efficiency of signing depends entirely on the length of bits representing the time. Similarly, Malina et al. [33] and Perera et al. [28] provided group signatures with time-bound membership but not consider premature revocation and fail to resist forgeability signing time and expiry time.

1.2 Motivation and our contribution

To sum up, it is necessary to propose an efficient fully dynamic group signature that provides minimize the revocation verification cost following the SRP paradigm. Our construction is based on a tailored combination of dynamic group signatures scheme following the SRP model in [17] and GS-TBK scheme in [34]. The main contributions are summarized below.

• Efficient flexible registration and revocation functionality is realized by combining with novel dynamic group signatures scheme and GS-TBK scheme.

• The design realizes security against forgery of expiry time and the backward attack, which prohibits revoked signers from generating group signatures associating future periods.

• Relatively low and constant computational cost at the signing stage is provided by employing re-randomizable structure-preserving signatures on equivalence classes (SPS-EQ).

• The cost of verification algorithms, which is linearly correlated with the number of signers prematurely revoked rather than that of total revoked signers, is significantly cut down.

• BU-anonymity, traceability, non-frameability, and weak opening soundness are fully guaranteed.

The remainder of this article is structured as follows. Some related definitions are recalled in Sect. 2. Then Sect. 3 focuses on the formal description of the proposed scheme and security model. Section 4 describes the details of the construction and analysis of security. In Sect. 5, the comparison with the related solutions will be discussed. Finally, Sect. 6 concludes the article.

Next, some cryptographic preliminaries used in this article are recalled. The detailed definitions about the digital signature, public key encryption (PKE), NIZK proof systems, and SoK could refer to [17].

Notation

\(z\mathop \leftarrow \limits^{{\text{R}}} Z\) means that \({\text{z}}\) is chosen randomly from a finite set \(Z\) uniformly. Let \(z \leftarrow \psi (x)\) denote that is the randomized function \(\psi\) with input \(x\) and output \(z\).

All algorithms are assumed that be run in polynomial time and output \(\bot\) if any error happens. \({{\rm Pr}} [\Omega :E]\) means that the probability of an event E over the probability space \(\Omega\). A negligible function \(\epsilon :{\mathbb{N}} \to {\mathbb{R}}^{ + }\) states that there exists a contain constant \(k_{0} \in {\mathbb{N}}\) satisfying \(\epsilon (k) < 1/k^{c}\) for any \(\, k > k_{0}\) and any positive number \(c\).

Assume \({\text{BGGen}} (1^{\kappa } )\) generates a bilinear group \({\text{BG}} = (p,{\mathbb{G}}_{{1}} ,{\mathbb{G}}_{{2}} ,{\mathbb{G}}_{T} ,e,P,\hat{P})\) in the Type-3 setting where \({\mathbb{G}}_{{1}} \ne {\mathbb{G}}_{{2}}\) and no computable isomorphism \(\varphi :{\mathbb{G}}_{{2}} \to {\mathbb{G}}_{{1}}\).

2.1 Assumptions

Definition 1

The Decisional Diffie–Hellman (DDH) assumption states that any adversary \({\mathcal{A}}\) is infeasible to break DDH assumption with a negligible function \(\epsilon (\kappa )\).That is

where \({\text{log}}_{{2}} {\text{P = }}\kappa\) and \(P\) is the prime-order of group \({\mathbb{G}}\).

Definition 2

The Symmetric External Diffie–Hellman (SXDH) assumption states that the DDH assumption holds in \({\mathbb{G}}_{{1}}\) and \({\mathbb{G}}_{{2}}\).

Definition 3

The Computational co-Diffie–Hellman Inversion (co-CDHI) assumption means that any adversary \({\mathcal{A}}\) is infeasible to break co-CDHI assumption with non-negligible probability during polynomial-time. That is

2.2 SPS-EQ

Definition 4

An SPS-EQ on \({\mathbb{G}}_{i}^{*}\) (\(i \in \{ 1,2\}\)) is defined based on the below algorithms:

• \({\text{BGGen}} (1^{\kappa } )\): input a security parameter \(\kappa\), and outputs a bilinear group \({\text{BG}}\).

• \({\text{KGen}}_{{\mathcal{R}}} (BG,\ell )\): input BG as well as a vector length \(\ell\), and outputs a key pair \({(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} )\).

• \(Sign_{{\mathcal{R}}} (M,sk_{{\mathcal{R}}} )\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\) of equivalence classes \(\left[ E \right]_{{\mathcal{R}}}\) and a secret key \(sk_{{\mathcal{R}}}\), and outputs an SPS-EQ signature.

• \({\text{ChgRep}}_{{\mathcal{R}}} (E,\sigma ,\mu ,pk_{{\mathcal{R}}} )\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\) of class \(\left[ E \right]_{{\mathcal{R}}}\), a signature \(\sigma\) for \(E\), a scalar \(\mu\), and a public key \(pk_{{\mathcal{R}}}\), finally outputs a fresh message-signature pair \((E^{\prime},\sigma^{\prime})\), where \(E^{\prime}{ = }\mu \cdot E\) is the new representative and \(\sigma^{\prime}\) is the corresponding updated signature.

• \({\text{Vrf}}_{{\mathcal{R}}} (E,\sigma ,pk_{{\mathcal{R}}} ) \,\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\), a signature \(\sigma\), and a public key \(pk_{{\mathcal{R}}}\), finally outputs \(0\) or \(1\).

• \(Vkey_{{\mathcal{R}}} {(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} )\): input a secret key \(sk_{{\mathcal{R}}}\) and a public key \(pk_{{\mathcal{R}}}\), finally outputs \(0\) or \(1\).

Definition 5

Correctness is achieved for an SPS-EQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\), if

where \(\kappa \in {\mathbb{N}}\), \(\ell > 1\), \({\text{BG}} \leftarrow {\text{BGGen}}_{R} (1^{\kappa } )\), \({(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ) \leftarrow {\text{KGen}}_{{\mathcal{R}}} (BG,\ell )\), \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\), and \(\mu \in {\mathbb{Z}}_{p}^{*}\).

Definition 6

Existential unforgeablity under adaptive chosen-message attacks (EUF-CMA) is achieved for an SPS-EQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\), if a negligible function \(\epsilon ( \cdot )\) exits for any PPT adversary able to access to a signing oracle \({\mathcal{O}}^{{{\text{Sign}}_{{\mathcal{R}}} }}\) such that:

where \(Q^{{{\text{Sign}}_{{\mathcal{R}}} }}\) is the set of queries that adversary has sent to the signing oracle \({\mathcal{O}}^{{{\text{Sign}}_{{\mathcal{R}}} }}\).

Definition 7

Perfect adaption is achieved for an SPS-EQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\) if \((\rho E,{\text{Sign}}_{{\mathcal{R}}} (\rho E,sk_{{\mathcal{R}}} ))\) and \({\text{ChgRep}}_{{\mathcal{R}}} (E,\sigma ,\mu ,pk_{{\mathcal{R}}} )\) are identically distribute for any tuple \((sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ,E,\sigma ,\mu )\) as long as

\(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell } \wedge \mu \in {\mathbb{Z}}_{p}^{*} \wedge Vkey_{{\mathcal{R}}} {(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ) = 1 \wedge {\text{Vrf}}_{{\mathcal{R}}} (E,\sigma ,pk_{{\mathcal{R}}} ) = 1\).

2.3 CS-TBK

The CS-TBK algorithm detailed in [34] is used for finds subtrees containing all non-revoked nodes. Let \(T\) denotes the maximum size of expiry time \(\tau\), and thus the number of leaf nodes in the binary tree \(BT\) is \(T\). Both current time \(t\) and expiry time \(\tau\) are mapped to the corresponding leaf nodes.

If \(\tau\) is allocated to a leaf node \(\eta\), the issuer produces a signature for each node of \(Path(\eta )\) via the CS-TBK algorithm and then publishes these signatures to signers with \(\tau\). Although a bunch of signers with the same expiry times share a common leaf node \(\eta\), the signatures of those signers are dissimilar for randomness. All leaves located left side of the leaf node related to a certain time \(t\) are revoked for their expiry times ahead of \(t\). Expiration information \(info_{t}\) at time \(t\) is essentially signatures of non-revoked nodes generated according to the CS-TBK algorithm.

For example, let \(T = 8\) and \(\tau\) corresponds to node 11, signers with \(\tau\) obtain signatures of nodes 1, 2, 5, and 11. As shown in Fig. 2a, nodes 8, 9 are revoked when \(t < \tau\), namely current time \(t\) is before expiry time \(\tau\), whereas nodes 3 and 5 are chosen as root nodes of subtrees of all non-revoked nodes, that is node 10–15. Thus, \(info_{t}\) contains signatures of non-revoked subtrees of root node 3 and node5. Later, the signers can prove in a zero-knowledge manner that they own a signature of node 5, which is also contained in corresponding \(info_{t}\). As shown in Fig. 2b when \(t > \tau\), nodes 8,9,10, and11 are revoked. Thus, \(info_{t}\) contains signatures of subtrees of root node 3 but no 5.

The example of the CS-TBK

Full size image

3.1 Scheme

In this part, we provide the established model for the revocable group signatures with time-bound keys and unforgeability of expiry time (RGS-TBK-UET). There are several entities involved in our scheme: a trusted party responsible for initial key generation and distribution, two authorities called the issuer and the opener, a bunch of users trying to join the group. The proposed proposal consists of the following algorithms.

• \({\text{GS}}{.}GKGen(1^{\kappa } ) \to (gpk,ik,ok)\): The algorithm takes in the security parameter \(1^{\kappa }\), and finally outputs the group public key \(gpk\), the issuing key \(ik\), and the opening key \(ok\). The algorithm also initializes the user registration table reg.

• \({\text{GS}} .UKGen(1^{\kappa } ) \to (usk_{i} {,}upk_{i} )\): The algorithm takes in the public parameters and outputs secret/public key pair \((usk_{i} {,}upk_{i} )\) for user \(i\).

• \(\langle {\text{GS}}.{\text{Join}}(gpk,usk_{i} ,upk_{i} ),{\text{GS}}.{\text{Issue}}(gpk,ik,i,upk_{i} ,{\mathbf{reg}},\tau_{i} )\rangle\): In order to add user to the group, the issuer and a user executes the interactive protocol, which is usually assumed to communicate over secure channels. The joining algorithm is implemented by a user with \((usk_{i} {,}upk_{i} )\), whereas the issuing algorithm is run by the issuer with inputs \(gpk\), \(ik\), \(upk_{i}\),\({\mathbf{reg}}\) and \(\tau_{i}\). On success, the joining algorithm outputs \({(}gsk_{i} ,\tau_{i} )\) and the issuing algorithm outputs registration table \({\mathbf{reg}}\) which user \(i\) is added an entry.

• \({\text{GS}}{.}{\text{Revoke}}(i,ik,t,{\mathcal{R}}_{t} ,{\mathbf{reg}}) \to (RL_{t} ,info_{t} )\): The issuer runs the algorithm to generate expiration information and revocation list \(RL_{t}\) for revoked signers at time \(t\). Upon input \(i\), \(ik\), \(t\), \({\mathcal{R}}_{t}\) and \({\mathbf{reg}}\), the algorithm outputs \((RL_{t} ,info_{t} )\). The algorithm computes revocation token \(grt_{i,t}\) for each \(i\) provided \(t < \tau_{i}\) and stores \(grt_{i,t}\) to \(RL_{t}\). Besides, expiration information \(info_{t}\) is computed.

• \(GS.{\text{Sign}} (gpk,gsk_{i} ,m,t,info_{t} ) \to \sigma\): The algorithm takes in the group public key \(gpk\), group signing key \(\, gsk_{i}\), a message \(m\), current time \(t\), and group information \(info_{t}\), and outputs a group signature \(\sigma\).

• \(GS.{\text{Verify}} (gpk,m,\sigma ,t,RL_{t} ) \to {0/1}\): The deterministic algorithm is able to be run by anyone holding group public key \(gpk\) to check given \(\sigma\) is a valid group signature on \(m\).

• \(GS.{\text{Open}}(gpk,ok,{\mathbf{reg}},m,\sigma ) \to (i,\pi )\): Provided that the group public key \(gpk\), the opening key \(ok\), a registration table \({\mathbf{reg}}\), a message \(m\), and a signature \(\sigma\) are input, the opener may extract the identity of the signer and the proof of signature, and finally return a pair \((i,\pi )\), where integer \(i\) is nonnegative. The algorithm output a pair \((0,\pi )\) to indicate that the opener fails to attribute the signature to a certain group member. If \(i > 0\), the opener could allege that the group member with identity \(i\) who produced the signature because the group member produced a proof \(\pi\) as corresponding evidence to demonstrate the above-mentioned fact.

• \(GS.{\text{Judge}} (gpk,m,\sigma ,i,upk_{i} ,\pi ) \to {0/1}\): Anyone in possession \(gpk\) can deterministically judge the validity of \(\pi\) given the group public key \(gpk\), a message \(m\), a signature \(\sigma\), a user \(i\), its public key \(upk_{i}\), and a proof \(\pi\). If \(\pi\) is a valid proof demonstrating that group member with identity \(i\) produced signature \(\sigma\), the deterministic algorithm outputs 1 and outputs 0 otherwise.

3.2 Security model

Generally, the attack capabilities of adversaries are formalized via accessing certain subsets of oracles, which are detailed in Fig. 3. The security experiments corresponding to different requirements of the group signature as showed in Fig. 4. The following lists used in oracles are assumed to be global and maintained by the environment.

• \({\mathcal{H}}\): Honest users. \({\mathcal{C}}\): Corrupted users. \({\mathcal{B}}\): Bad users. \({\mathcal{R}}_{t}\): Revoked users at time t.

• \(SL\): List of message-signature tuples. \(CL\): List of challenge signatures obtained.

• \(RL_{t}\): List of revocation information.

Details of the oracles

Full size image

Security experiments

Full size image

Notably, \({\mathcal{A}}\) is capable of choosing personal secret keys of corrupted users, yet obtaining both personal and group signing keys of bad users.

• \({\mathbf{{\rm A}ddU}}\): \({\mathcal{A}}\) adds an honest user with an identity \(i \in {\mathbb{N}}\) and expiry time \(\tau_{i}\) to the group.

• \({\mathbf{RReg}}\): \({\mathcal{A}}\) can read the information from the registration table.

• \({\mathbf{WReg}}\): \({\mathcal{A}}\) is allowed to modify the specified value of the registration table.

• \({\mathbf{USK}}\): \({\mathcal{A}}\) inputs an identity \(i \in {\mathbb{N}}\) and then returns the personal private key \(usk_{i}\) and the private signing key \(gsk_{i}\) to the user.

• \({\mathbf{Sign}}\): \({\mathcal{A}}\) obtains a signature on behalf of an honest user by the signing oracle.

• \({\mathbf{Chal}}_{{\mathbf{b}}}\): \({\mathcal{A}}\) chooses two non-revoked honest members \((i_{0} ,i_{1} )\) as challenging users, and obtains challenge signature by calling the challenge oracle in the anonymity experiment. Additionally, the adversary adds \((m,\sigma ,t{)}\) to the challenge signature set \(CL\). The adversary is restricted to call the challenge oracle only once.

• \({\mathbf{Open}}\): \({\mathcal{A}}\) receives the identity and proof on a signature by running the opening algorithm as long as signature \(\sigma\) is not part of the challenge set \(CL\).

• \({\mathbf{Revoke}}\): \({\mathcal{A}}\) removes users by calling revocation oracle.

• \({\mathbf{CrptU}}\): \({\mathcal{A}}\) parse the certain value \(pk\) as personal public key \(upk_{i}\) of newly corrupted user \(i\) before calling the \({\mathbf{SndToU}}\) oracle.

• \({\mathbf{SndToU}}\): \({\mathcal{A}}\) interacts with an honest user on behalf of the corrupted issuer.

• \({\mathbf{SndToI}}\): \({\mathcal{A}}\) communicate with an honest issuer in the user role.

3.3 Security notions

The definitions of correctness and main security attribute of the scheme are focused in this subsection. Let \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{}} (k) = 1] \le \epsilon (k)\) formally denote that the advantage of adversary \({\mathcal{A}}\) to win the respective experiment during polynomial-time in Fig. 4 is negligible.

Definition 8

The scheme achieves correctness if \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{correctness}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{correctness}}}} (k) = 1] \le \epsilon (k)\).

The correctness states that any honest non-revoked group member should be able to issue valid signatures on any message. Once the message and signature are given, the opening algorithm ought to correctly recover the identity of the original signer. The opening algorithm produces the publicly verifiable proof that should be accepted by the judging algorithm.

Definition 9

The scheme achieves BU-Anonymity if \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Anonymity}}}} (k) = \left| {{{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{0 - Anonymity}}} (k) = 1] - {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{1 - Anonymity}}} (k) = 1]} \right| \le \epsilon (k)\).

The anonymity with backward unlinkability (BU-anonymity) means that \({\mathcal{A}}\) is infeasible to distinguish the identities of signers from signatures even if signatures are created by revoked signers. Specifically, if the real value of the bit \(b\) in the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle is guessed perfectly, \({\mathcal{A}}\) will break the anonymity. Moreover, \({\mathcal{A}}\) is allowed to access \({\mathbf{Open}}\) oracle and obtain signing keys excluding that of the challenge users.

Definition 10

The scheme achieves non-frameability if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{Non - Frame}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{Non - Frame}}} (k) = 1] \le \epsilon (k)\)_.

Non-frameability guarantees that \({\mathcal{A}}\) is incapable of enforcing the honest opener to ascribe a certain valid signature to a specific user via creating a judge-accepted proof if this honest user indeed did not create this signature.

Definition 11

The scheme achieves traceability if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k) = 1] \le \epsilon (k)\).

Traceability essentially defines that \({\mathcal{A}}\) is infeasible to counterfeit a signature result. In other words, the honest opener is either incapable of identifying the signer of the forgery signature or generating a judge-accepted proof of its claim even if the signer of a signature has been identified.

Definition 12

The scheme achieves weak opening soundness if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{WeakOS}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{WeakOS}}}} (k) = 1] \le \epsilon (k)\).

Weak opening soundness actually means that a malicious user is infeasible to allege ownership of signatures generated originally by honest users via a counterfeited opening proof as long as the opener behaves honestly [15].

4.1 Detailed construction

As previously mentioned, the scheme [17] essentially only allow members to enroll at all times but cannot leave freely, which inspired us to added revocation functionality to the construction of [17] using the methodology of [34]. Our construction is detailed in Fig. 5, and system parameters are illustrated in Table 1.

The details of construction

Full size image

The natural revocation is achieved by CS-TBK algorithm and is details as follows. Assumed that a leaf node \(\eta\) is selected to an expiry time \(\tau\), the issuer produces SPS-EQ signature \(\sigma^{\prime}_{{{\text{A}}_{j} }} \leftarrow {\text{Sign}}_{{\mathcal{R}}} (\xi_{j} (U_{i} ,Q),sk_{{\mathcal{R}}} )\) for each node \(\xi_{j} \in {\text{path}} (\eta )\) and sends \({(}\{ \sigma^{\prime}_{{{\text{A}}_{j} }} \}_{j \in [nt]} ,\tau_{i} )\) to the signer \(i\). Then, the signer computers her owning secret signing key by re-randomization property of SPS-EQ \(gsk_{i} : = \{ (\xi_{j} (rP,P),\sigma_{Aj} )\}_{j \in [nt]} \leftarrow \{ {\text{ChgRep}}_{{\mathcal{R}}} (\xi_{j} (U_{i} ,Q),\sigma^{\prime}_{{A_{j} }} ,q^{ - 1} ,pk_{{\mathcal{R}}} )\}_{j \in [nt]}\).For the current time \(t\), the issuer firstly outputs \(Y = :(\vartheta_{1} ,\vartheta_{2} , \ldots ,\vartheta_{{{\text{num}}}} )\) running the \({\text{CS - TBK(}}BT{, }t{)}\) algorithm and chooses a secret vector \({(}T_{i} ,Q{)} \leftarrow (\mu P,P) \in ({\mathbb{G}}_{1}^{*} )^{2}\) (where \(\mu \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\)). Next, the issuer computers SPS-EQ signature \(\sigma_{Bk} \leftarrow {\text{Sign}}_{{\mathcal{R}}} (\vartheta_{k} (T_{i} ,Q),sk_{{\mathcal{R}}} )\), which is contained in expiration information \(info_{t}\). Apparently, the \(gsk_{i}\) is the SPS-EQ signature of the message \(\xi_{j} \in {\text{path}} (\eta ): = (\xi_{1} ,\xi_{2} , \ldots ,\xi_{nt} )\) and the equivalence class of signer secret identity, whereas \(info_{t}\) is the SPS-EQ signature of another message \(\vartheta_{i} \in Y = :(\vartheta_{1} ,\vartheta_{2} , \ldots ,\vartheta_{num} )\) and the equivalence class corresponding to the current time. In the light of the CS method, such a common node both \(\xi \in Path(\eta ) \cap Y\) exists if \(\tau < t\). That is the non-revoked signers can prove in a zero-knowledge manner, that the node \(\xi\) possesses two signatures in their own the private signing key \(gsk\) and expiry information \(info_{t}\) respectively. Note that unless unforgeability of the SPS-EQ signature scheme is broken, that is the signer creates SPS-EQ signature \(\sigma_{Bk}\), it is infeasible to generate a valid group signature for an expired signer. Consequently, the unforgeability of expiry time for signing keys is guaranteed.

The way of premature revocation is described as below: At the stage of \({\text{GS}}{.}{\text{Issue}}\), the issuer stores a revocation token \(grt_{i} : = U_{i}\). At the time \(t\), the issuer picks randomly \(y_{t} \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\) and lets \(h_{t} { = }y_{t} P,\hat{h}_{t} { = }y_{t} \hat{P}\), then \(e(h_{t} ,\hat{P}) = e(P,\hat{h}_{t} )\) hold. A group signature is composed of \(\beta y_{t} P\),\(\alpha (rq{ + }\beta )P\) and \(\alpha \hat{P}\), where \(\alpha ,\beta\) are picked randomly by the signer. If \(i \in {\mathcal{R}}_{t}\), namely a signer \(i\) is revoked in the premature manner then the issuer computes \(grt_{i,t} : = y_{t} grt_{i}\) and stores \(grt_{i,t}\) to \(RL_{t}\). By checking whether the equation \(e(grt_{i,t} + \beta y_{t} P,\alpha \hat{P}) = e(\alpha (rq + \beta )P,y_{t} \hat{P})\) holds for each \(grt_{i,t}\) successively, the verifier is able to verify whether \(i\) is a premature revoked signer.

4.2 Security analysis

Theorem 1

The proposal achieves correctness if SPS-EQ and SoK achieve correctness.

Proof

(Sketch) Correctness is straightly originated from the correctness of the proposal [17, 34].

Theorem 2

The proposal achieves BU-anonymity if П achieves adaptive zero-knowledge, SoK achieves simulatability (simulatability and straight-line f-extractability), \(\Omega\) achieves IND-CPA (IND-CCA2) security and the DDH assumption holds.

Proof

(Sketch) Usually, BU-anonymity indicates that signers of two group signatures cannot be distinguished without an opening secret key. Thus, the attack on anonymity is essentially equivalent to that on encryption, which producing membership certificates and proofs. Finally, the anonymity is reduced to the security of the PKE scheme and NIZK Proof. Naturally, a signer maintains anonymity because two randomized user secret keys are difficult to distinguish under DDH assumption in \({\mathbb{G}}_{{1}}\). Therefore, the output distributions of the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle and the input bit \(b\) are mutually independent.

Proof

Let \({\text{N}}_{ch} ,{\text{N}}_{o} ,{\text{N}}_{{{\text{AddU}}}} \le {\text{poly}}(\kappa )\) denote the number of queries to \({\mathbf{Chal}}_{{\mathbf{b}}}\), \({\mathbf{Open}}\), and \({\mathbf{{\rm A}ddU}}\) respectively.

• G₀: original anonymity experiment.

• G₁: As G₀, except that executing \((crs_{J} ,td_{J} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{J} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{J}\) is stored. Next, each call to \(\Pi .{\text{Proof}}\) that executed at the stage of \({\text{GS.Join}}\) algorithm is simulated via the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zero-knowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G₀ and G₁ is negligible, i.e. \(\left| {\Pr [{\mathcal{G}}_{1} ] - \Pr [{\mathcal{G}}_{0} ]} \right| \le \epsilon_{{zk_{J} }} (k)\).

• G₂: As G₁, except that executing \((crs_{O} ,td_{O} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{O} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{O}\) is stored. Next, all zero-knowledge proofs \(\Pi .{\text{Proof}}\) at the stage of \({\text{GS.Open}}\) algorithm is simulated via the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zero-knowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G₁ and G₂ is negligible, i.e. \(\left| {\Pr [{\mathcal{G}}_{2} ] - \Pr [{\mathcal{G}}_{1} ]} \right| \le \epsilon_{{zk_{o} }} (k)\).

• G₃: As G₂, except that executing \((crs_{s} ,td_{s} ) \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) rather than \(crs_{s} \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{s}\) is stored. Next, each call to \({\text{Sok.Sign}}\) is simulated via the simulator (without a witness). According to simulatability of \({\text{Sok}}\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G₃ and G₂ is negligible, i.e., \(\left| {\Pr [{\mathcal{G}}_{3} ] - \Pr [{\mathcal{G}}_{2} ]} \right| \le \epsilon_{{{\text{SIM}}}} (k)\).

• G₄: As G₃, except that \(pk_{o}\) is obtained from an IND-CPA or IND-CCA2 challenger rather than \({(}sk_{o} ,pk_{o} ) \leftarrow \Omega .{\text{KGen}}(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and \(sk_{o} = \bot\) is set. In the CCA2 case, it next uses the \({\mathbf{Open}}\) oracle to decrypt the ciphertext \(\hat{C}_{{J_{i} }}\) stored in \({\mathbf{reg}}\) for all users and obtain simulates the proof via the straight-line f-extractor. In case of CCA2, a witness \(\, \rho\) can be extracted in each call to the \({\mathbf{Open}}\) oracle with overwhelm \(1 - \epsilon_{{{\text{EXT}}}} (k)\) extraction probability according to the straight-line f-extractability of the SoK. Therefore, both games proceed same unless there is a extraction fail, i.e., \(\left| {{\text{Pr}}[{\mathcal{G}}_{4} ] - {\text{Pr}}[{\mathcal{G}}_{3} ]} \right| \le N_{o} \cdot \epsilon_{{{\text{EXT}}}} (k)\). In case of CPA, the \({\mathbf{Open}}\) oracle do not have to be simulated and the opening key is only obtained from the IND-CPA challenger. Therefore, G₄ is conceptually identical to G₃, i.e., \({\text{Pr}}[{\mathcal{G}}_{4} ] = {\text{Pr}}[{\mathcal{G}}_{3} ]\).

• G₅: As G₄, except that the ciphertext \(\hat{C}_{{J_{i} }}\) is computed in the \({\text{GS.Join}}\) algorithm (actually executed via the \({\mathbf{{\rm A}ddU}}\) oracle) as \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,\hat{P})\) rather than \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,r\hat{P},\omega )\), namely the random parameters associated with identity is removed in message. According to the IND-CCA2 security of \(\Omega\), the probability of winning the game for \({\mathcal{A}}\), i.e., \(\left| {{\text{Pr}}[{\mathcal{G}}_{5} ] - {\text{Pr}}[{\mathcal{G}}_{4} ]} \right| \le N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k)\).

• G₆: As G₅, except that \(sk_{o}\) is re-added, namely, \({(}sk_{o} ,pk_{o} ) \leftarrow \Omega .{\text{KGen}}(1^{\kappa } )\) is obtained again. We decrypt ourselves with in the \({\text{WReg}}\) simulation rather than via the decryption oracle in the CCA2 case. Therefore, G₆ is conceptually identical to G₅, i.e., \({\text{Pr}}[{\mathcal{G}}_{6} ] = {\text{Pr}}[{\mathcal{G}}_{5} ] \,\).

• G₇: As G₆, except that \(i^{*}\) is revoked by computing \(grt_{{i^{*} ,t}} : = y_{t} r_{{i^{*} }} qP\) while \(t \ne t^{*}\). Remark that \({\mathcal{A}}\) is not need to compute \(grt_{{i^{*} ,t^{*} }}\) because at the challenge time \(t^{*}\), \(i^{*}\) is unrevoked, which induced backward unlinkability. Therefore, G₇ is conceptually identical to G₆. i.e., \({\text{Pr}}[{\mathcal{G}}_{7} ] = {\text{Pr}}[{\mathcal{G}}_{6} ] \,\).

• G₈: As G₇, except that the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle is modified as follows. Instead of \({\text{ChgRep}}_{{\mathcal{R}}} (M,\rho ,pk_{{\mathcal{R}}} )\), \((\Phi ,\Psi )\mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{1}\) is chosen, and \({\text{ChgRep}}_{{\mathcal{R}}} ((\Phi ,\Psi ),\rho ,pk_{{\mathcal{R}}} )\) is computed to answers to the \({\mathbf{Chal}}_{{\mathbf{b}}}\) query. According to DDH assumption, the winning probability of \({\mathcal{A}}\) is negligible, i.e.\(\left| {{\text{Pr}}[{\mathcal{G}}_{8} ] - {\text{Pr}}[{\mathcal{G}}_{7} ]} \right| \le N_{{{\text{Chal}}_{b} }} \cdot \epsilon_{{{\text{DDH}}}} (k)\). In G₈, the advantage of \({\mathcal{A}}\) can then only be 0 and the simulation is irrelevant the bit \(b\), i.e., \({\text{Pr}}[{\mathcal{G}}_{8} ] = \, {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern-\nulldelimiterspace} 2}\).

• G₉: As G₉, except that \(\psi_{3}^{*} \mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{2}\) is randomly choose.

• G₁₀: As G₉, except that randomly choose \(\psi_{2}^{*} \mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{1}\) is randomly choose.

The bound of success probability in G₀ is \({{\rm Pr}}[{\mathcal{G}}_{0} ] \le {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern-\nulldelimiterspace} 2} + N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k) \, + N_{Chalb} \cdot \epsilon_{{{\text{DDH}}}} (k) \, + \epsilon_{{{\text{zk}}_{J} }} (k) \, + \epsilon_{{{\text{zk}}_{o} }} (k) \, + \epsilon_{{{\text{SIM}}}} (k)\) (in the CPA case) or \({{\rm Pr}}[{\mathcal{G}}_{0} ] \le {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern-\nulldelimiterspace} 2} + N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k) \, + N_{{{\text{Chanl}}}} \cdot \epsilon_{{{\text{DDH}}}} (k) \, + \epsilon_{{{\text{zk}}_{J} }} (k) + \epsilon_{{{\text{zk}}_{o} }} (k) + \epsilon_{{{\text{SIM}}}} (k) + N_{o} \cdot \epsilon_{{{\text{EXT}}}} (k)\) (in the CCA2 case), which proves Theorem 2.

Theorem 3

The proposal achieves non-frameablity if П achieves soundness and adaptive zero-knowledge, SoK achieves simulatability and extractability, \(\sum\) achieves EUF-CMA security, Ω achieves perfect correctness, and the co-CDHI assumption holds.

Proof

(Sketch) Equivalence class related to each group member is chosen as the secret vector of the membership certificate, and this secret information is only known by the signer. The encryption of \(\hat{R} \in {\mathbb{G}}_{{2}}\) and digital signature are used an identity proof for providing means to open signatures. The signer issues a group signature, which consists of the randomized group signing key and the signature of knowledge. The unforgeability of \(\sum\) and perfect correctness of \(\Omega\) ensure that all valid signatures can be correctly opened. Moreover, the impossibility to unblind a user secret key under co-CDHI, ensures the impossibility to counterfeit a signature owned by an honest group member. Additionally, the SoK guarantees that unblinded user secret keys can be extracted even if \({\mathcal{A}}\) has succeeded.

Proof

Let \(n \le {\text{poly}} (\kappa )\) denote the number of users.

• G₀: The original non-frameability experiment.

• G₁: As G₀, except that we guess \({\mathcal{A}}\) will attack the user \(i^{*}\) and if \({\mathcal{A}}\) attacks another user, we abort. The winning probability in G₁ is in common with that in G₀ unless an abortion happens, i.e., \({\text{Pr}}[{\mathcal{G}}_{1} ] = {\text{Pr}}[{\mathcal{G}}_{0} ] \cdot {1 \mathord{\left/ {\vphantom {1 n}} \right. \kern-\nulldelimiterspace} n}\).

• G₂: As G₁, except that executing \((crs_{J} ,td_{J} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{J} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm and the trapdoor information \(td_{J}\) is stored. Next, each call to \(\Pi .{\text{Proof}}\) at the stage of \({\text{GS.Join}}\) algorithm is simulated by the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zero-knowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G₁ and G₂ is negligible, i.e., \(\left| {{\text{Pr}}[{\mathcal{G}}_{2} ] - {\text{Pr}}[{\mathcal{G}}_{1} ]} \right| \le \epsilon_{{{\text{zk}}_{J} }} (k)\)

• G₃: As G₂, except that \(crs_{o}\) is obtained from a soundness challenger at the stage of \({\text{GS}}{.}GKGen\) algorithm. Therefore, G₃ is conceptually identical to G₂, i.e., \({\text{Pr}}[{\mathcal{G}}_{3} ] = {\text{Pr}}[{\mathcal{G}}_{2} ]\).

• G₄: As G₃, except that we setup the SoK via \((crs_{s} ,td_{s} ) \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) rather than \(crs_{s} \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{s}\) is stored. Next, each call to \({\text{Sok.Sign}}\) is simulated by the simulator. According to simulatability of \({\text{Sok}}\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G₄ and G₃ is negligible, i.e.,\(\left| {{\text{Pr}}[{\mathcal{G}}_{4} ] - {\text{Pr}}[{\mathcal{G}}_{3} ]} \right| \le \epsilon_{{{\text{SIM}}}} (k)\).

• G₅: As G₄, except that we pick \(q,r\mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\) while queried for user \(i^{*}\) and let \({(}U_{{i^{*} }} ,Q_{{i^{*} }} {)}\) denote at the stage of \({\text{GS.Join}}\) algorithm (actually executed via the \({\mathbf{SndToU}}\)) \((r \cdot qP,qP) \,\). Next, on each Join for any user \(i \ne i^{*}\), it need to check that if the same class have been chosen for user \(i^{*}\) incidentally. The check process is performed via checking whether \(U_{{i^{*} }} = r_{i} \cdot Q_{{i^{*} }}\) using \(r_{i}\) that is the value for \(r\) selected for the user \(i\) when Joining. The check above does not need to acquire \(r\) for user \(i^{*}\) or the discrete logarithms \(q\).Both G₄ and G₅ proceed identically unless an abortion happens, the probability of which is \(\epsilon_{guess} (k) = n/(p - 1)\), i.e., \(\left| {{\text{Pr}}[{\mathcal{G}}_{5} ] - {\text{Pr}}[{\mathcal{G}}_{4} ]} \right| \le \epsilon_{guess} (k)\).

• G₆: As G₅ except that a co-CDHI instance \((aP,{1 \mathord{\left/ {\vphantom {1 a}} \right. \kern-\nulldelimiterspace} a}\hat{P})\) in relation to \(BG\) is obtained and pick \(\hbar \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\). Next, we adjust the \({\text{GS.Join}}\) algorithm (actually executed via the \({\text{SndToU}}\)) while queried for \(i^{*}\) as below. Let \({(}U_{{i^{*} }} ,Q_{{i^{*} }} {)} = (\hbar P,aP)\), compute \(\hat{C}_{{J_{{i^{*} }} }} \leftarrow \Omega .{\text{Enc}}(pk_{o} ,\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern-\nulldelimiterspace} a}\hat{P})\) and store \(\hbar\). Once execution is successful, let group signing key \(gsk_{i} : = \{ (U_{{i^{*} }} ,Q_{{i^{*} }} ,\sigma _{{Aj}} )\} _{{j \in [nt]}}\) and revocation token \(grt_{{i^{*} }} = U_{{i^{*} }}\) Because \(\hbar\) is uniformly random. Therefore, G₆ is conceptually identical to G₅, i.e.,\({\text{Pr}}[{\mathcal{G}}_{6} ] = {\text{Pr}}[{\mathcal{G}}_{5} ]\).

• G₇: As G₆, except that for each forgery output by the \({\mathcal{A}}\), \(\rho = {\text{Sok}}.{\text{Extract}}(crs_{s} ,td_{s} ,((P,\sigma_{1A} [1][2]),\sigma_{1A} ||m,\sigma_{2A} )))\)\([2]\)\(),\sigma_{1A} ||m,\sigma_{2A} )))\) is extracted and abort if the extraction fails. According to the extractability of the SoK, the unsuccessful probability of extracting a witness \(\rho\) is negligible. Therefore, both G₇ and G₆ proceed identically unless an extracting failure happens, i.e.,\(\left| {{\text{Pr}}[{\mathcal{G}}_{7} ] - {\text{Pr}}[{\mathcal{G}}_{6} ]} \right| \le \epsilon_{{{\text{EXT}}}} (k)\).

• G₈: As G₇, except that we further adjust the \({\text{GS.Join}}\) algorithm while queried for user \(i^{*}\) (actually executed via the \({\mathbf{SndToU}}\) oracle) as below. Rather than obtaining \({(}usk_{{i^{*} }} ,upk_{{i^{*} }} )\) from \({\text{GS.UK}}Gen(1^{\kappa } )\), we set \(usk_{{i^{*} }} \leftarrow \emptyset\) and obtain \(upk_{{i^{*} }}\) by interacting with an EUF-CMA challenger. Moreover, we obtain all required signatures via the oracle offered by the EUF-CMA challenger. Therefore, G₈ is conceptually identical to G₇, so \({\text{Pr}}[{\mathcal{G}}_{8} ] = {\text{Pr}}[{\mathcal{G}}_{7} ]\).

Now there are three possibilities when \({\mathcal{A}}\) creates a valid forgery.

1. 1.

   In the case that a signature for \(\hat{C}_{{J_{{i^{*} }} }}\) was never requested, thus an EUF-CMA forger for \(\sum\) is \({\mathcal{A}}\) and the forgery is \((\hat{C}_{{J_{{i^{*} }} }} ,\sigma_{{J_{{i^{*} }} }} )\). The upper bound of the probability of this event is \(\epsilon_{f} (k)\).

2. 2.

   Otherwise, according to the perfect correctness of \(\Omega\), \(\hat{C}_{{J_{{i^{*} }} }}\) is deemed to honestly computed by the environment thus contains \({\hbar \mathord{\left/ {\vphantom {\hbar a}} \right. \kern-\nulldelimiterspace} a}\hat{P}\). Furthermore, there are two following possibilities:

   • If \(e(\sigma_{{{\text{1A}}}} [1][1],\hat{P}) = e(\sigma_{{{\text{1A}}}} [1][2],{\hbar \mathord{\left/ {\vphantom {\hbar a}} \right. \kern-\nulldelimiterspace} a}\hat{P})\), \({\mathcal{A}}\) is an adversary breaking co-CDHI, because we can obtain \(((\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern-\nulldelimiterspace} a}P,P),\sigma^{\prime}_{{{\text{A}}_{j} }} ) \leftarrow {\text{ChgRep}}_{{\mathcal{R}}} (\sigma_{1A} ,\rho^{ - 1} ,pk_{{\mathcal{R}}} )\) and use \(\hbar\) to output \(\hbar^{ - 1} \cdot (\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern-\nulldelimiterspace} a}P) = {1 \mathord{\left/ {\vphantom {1 a}} \right. \kern-\nulldelimiterspace} a}P\). The upper bound of the probability of this event is \(\epsilon_{co - CDHI} (k)\).

   • (Otherwise,\({\mathcal{A}}\) has created an opening proof of a statement that does not belong to \(L_{RO}\). The upper bound of the probability of this event is \(\epsilon_{S} (k)\).

The result of merging the above upper bound is \(\epsilon_{nf8} (k) \le \epsilon_{f} (k) \, + \epsilon_{co - CDHI} (k) + \epsilon_{S} (k) \,\). Therefore, the upper probabilistic bound of the success of \({\mathcal{A}}\) in G₁ is negligible, i.e.,\(\Pr [{\mathcal{G}}_{0} ] \le n \cdot (\epsilon_{nf8} (k) + \epsilon_{{{\text{zk}}_{J} }} (k) + \epsilon_{{{\text{SIM}}}} (k) + \epsilon_{{{\text{guess}}}} (k) + \epsilon_{{{\text{EXT}}}} (k))\).

Theorem 4

The proposal achieves traceability if SPS-EQ achieves EUF-CMA security and П achieves soundness.

Proof

(Sketch) The adversary is essentially concerned with two forgeries in \({\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k)\): the forgery of the current group membership certificate and that of non-revoked users’ tokens. The first type of forgery can be `reduced to the EUF-CMA security of SPS-EQ and the soundness of NIZK proof because group membership certificates are created based on SPS-EQ and NIZK proof system. The second type of forgery, if an adversary can forge a valid signature after expiry time, then there exist a valid SPS-EQ signatures which is not contained in the revocation list \({\text{RL}}_{{t^{*} }}\). Thus, the second forgery attack is also reduced to EUF-CMA security of the SPS-EQ. Therefore, traceability is guaranteed both by the EUF-CMA security of the SPS-EQ scheme and the soundness of the NIZK proof system.

Proof

Use \(q \le {\text{poly}} (\kappa )\) to denote the number of queries to the \({\mathbf{SndToI}}\) oracle.

• G₀: The original traceability experiment.

• G₁: As G₀, except that \(crs_{J}\) is obtained from a soundness challenger of \(\Pi\). Therefore, G₁ is conceptually identical to G₀, i.e., \({\text{Pr}}[{\mathcal{G}}_{1} ] = {\text{Pr}}[{\mathcal{G}}_{0} ]\).

• G₂: As G₁ except that \(BG\) and \(pk_{{\mathcal{R}}}\) is obtained from an EUF-CMA challenger of the SPS-EQ. G₂ is conceptually identical to G₁, i.e.\({\text{Pr}}[{\mathcal{G}}_{2} ] = {\text{Pr}}[{\mathcal{G}}_{1} ]\)

• G₃: According to the winning condition \(i \notin {\mathcal{C}}\backslash {\mathcal{R}}_{t}\), \({\mathcal{A}}\) needs to inquiry the signing oracle of the SPS-EQ to generate a counterfeit \(\sigma_{Aj}\) (namely type I forger) which is not published via the \({\mathbf{SndToI}}\) oracle. The Type II forger can be considered as in real game. As G₀ except that upon successful execution of \({\mathbf{SndToI}}\), we obtain \(\hat{R} = \Omega .Dec(sk_{o} ,\hat{C}_{{J_{i} }} )\) and abort when \(e(U_{i} ,\hat{P}) \ne e(Q,\hat{R})\). If abortion happens, we obtain a valid proof \(\pi_{{J_{i} }}\) attesting that \({(}U_{i} ,Q,\hat{C}_{{J_{i} }} ,pk_{o} {)} \in L_{{R_{J} }}\), but by the perfect correctness of \(\Omega\) there exists no \(\omega\) so that \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,r \cdot \hat{P};\omega ) \wedge U_{i} = r \cdot Q\), i.e., \({(}U_{i} ,Q,\hat{C}_{{J_{i} }} ,pk_{o} {)}\) is actually not in \(L_{{R_{J} }}\). Therefore, both G₃ and G₂ proceed identically as long as \({\mathcal{A}}\) does not break the soundness of NIZK in one oracle query, i.e., \(\left| {{\text{Pr}}[{\mathcal{G}}_{3} ] = {\text{Pr}}[{\mathcal{G}}_{2} ]} \right| \le q \cdot \epsilon_{s} (k) \,\).

• G₄: According to the winning condition \(i \notin {\mathcal{C}}{{\backslash }}{\mathcal{R}}_{t}\), \({\mathcal{A}}\) needs to inquiry the signing oracle of the SPS-EQ signature to create a forged non-revoked certificate \(\sigma_{Bk}\) while the \({\mathbf{Revoke}}\) oracle is called. The Type I forger can be considered as in real game. As G₃, but obtain \(\sigma_{Bk}\) from an EUF-CMA challenger of the SPS-EQ. Therefore, G₄ is conceptually identical to G₃, i.e., \({\text{Pr}}[{\mathcal{G}}_{4} ] = {\text{Pr}}[{\mathcal{G}}_{3} ]\)

• G₅: According to the winning condition \(i \in {\mathcal{C}}\backslash {\mathcal{R}}_{t} \wedge t \ge \tau_{i}\), obviously, if \({\mathcal{A}}\) is able to create a valid signature when \(\tau_{i} < t^{*}\), there definitely exists a valid \(\sigma_{Bk}\) not contained in \(RL_{{t^{*} }}\).The unforgeability of expiry time is finally reduced to unforgeability of the SPS-EQ scheme. Therefore, G₅ is conceptually identical to G₄, i.e.,\({\text{Pr}}[{\mathcal{G}}_{5} ] = {\text{Pr}}[{\mathcal{G}}_{4} ]\).

If \({\mathcal{A}}\) finally produces a valid forgery signatures \(\sigma\), which contains an SPS-EQ signature \(\sigma_{{{\text{1A}}}}\) for some \((rP,P)\) so that the registration table exits no entry \(i\) for corresponding \(r\hat{P}\) s.t. \(e(\sigma_{{{\text{1A}}}} [1][1],\hat{P}) = e(\sigma_{{{\text{1A}}}} [1][2],r\hat{P})\) holds. Consequently, \(\sigma_{{{\text{1A}}}}\) is a valid SPS-EQ signature for an unqueried equivalence class and we can conclude that \({{\rm Pr}}[{\mathcal{G}}_{3} ] \le \epsilon_{F} (k)\) and then \({{\rm Pr}} [{\mathcal{G}}_{0} ] \le \epsilon_{F} (k) + q \cdot \epsilon_{S} (k)\) which proves the theorem.

Theorem 5

The proposal achieves weak opening soundness if Ω achieves perfect correctness and \(\sum\) achieves EUF-CMA security.

Proof

(Sketch) \({\mathcal{A}}\) breaks weak opening soundness when he can forge an opening proof to eliminate the uniqueness of group members, which indicates that he can resist against the soundness of \(\Pi\) in the phase of \(GS.{\text{Judge}}\). The EUF-CMA security of digital signatures and the perfect correctness of the PKE scheme guarantee that user \(i\) signed \(\sigma\) uniquely. Once \({\text{GS.Join}}\) is honestly executed for users \(i\) and \(j\), the probability that \(r\) (resp.\(\hat{R}\)) values of users \(i\) and \(j\) are identical is negligible.

In Table 2, we summarize the characteristics of our scheme and other revocable group signatures schemes [23, 24, 27,28,29, 34] that are security in ROM and asymmetric pairing-based. Our proposal can resist the attack of the forgeability of expiry time for signing keys for following the way of GS-TBK in [34], but the counterparts are not taken into account that attack. Moreover, we employed re-randomizable SPS-EQ instead of traditional ones based on BBS + signature. The benefit of this method is gaining efficiency following the SRP paradigm, and thus avoiding the assumption of q-SDH assumption and the knowledge of secret key (KOSK) that employed in [24, 29, 34]. The substantial drawback of the KOSK assumption is difficult to realize by existing infrastructure [35], and the q-type assumption leads to the Cheon attack [36].

Weak opening soundness is reasonable in many scenarios, where it needs to reward signers or prevent the abusers from transferring blame to someone else. The schemes of [23, 24, 29] and our proposal capture weak opening soundness, but others fail to possess the property. As mentioned before, introducing revocation functionality inevitably leads to the scheme fail to satisfy the anonymity because the revocation token could be derived from the signing key. In other words, it fails to prevent the leakages of group signing keys. Although our proposal can only achieve BU- and selfless anonymity, it seems to be a reasonable price considering the benefits. The scheme of [27] shows the construction of the VLR-GS with a fully anonymous, which is desirable but rather strict for reasonable application areas of group signature schemes. As a result, a slightly weaker notion of anonymity was suitable for more general use cases.

Table 3 shows an evaluation of the signature size, computational costs for the signing, and verification of revocable group signature schemes. The schemes [27, 28] have not provided instantiations. The scheme [24] achieves scalability in ROM, but the costs are asymptotically equal to that of the scheme [22]. As shown in Table 3, our proposal has the lowest cost in the signatures generation and verification processes due to avoiding complex \({\mathbb{G}}_{T}\) operation. Regarding signature size, our group signature contains respectively 10, 3, and 4 group elements in \({\mathbb{G}}_{{1}}\) \({\mathbb{G}}_{{2}}\) and \({\mathbb{Z}}_{p}\), which benefits from the SEP paradigm. Besides, the complexity of the CS method is acceptable. Consequently, our proposal is efficient on the computation cost and is suited for resource-constrained systems.

In this article, we presented a revocable group signature that realizes the unforgeability of expiry time for signing keys, BU-anonymity, non-frameability, traceability, weak opening soundness, and backward security. Moreover, the results showed that it is feasible in resource-constrained settings for constant and efficient computational cost of signing algorithm. Our scheme essentially follows the BSZ model, which places reliance heavily on the monopolistic issuer and opener. In other words, there are no strategies against either corrupt opener disclosing privacy illegally or corrupt issuer counterfeiting credentials in the BSZ model. Those imperfections are bound to be barriers in the future. Thus, it is attractive to adopt group signatures with multiple issuers and openers for distributed applications in the future.

Data sharing is not applicable to this article as no datasets are generated or analyzed during the current study.

IoT:

Internet of things

SEP:

Sign-encrypt-prove

SRP:

Sign-randomize-proof

ROM:

Random oracle model

BU:

Backward unlinkability

SPS-EQ:

Structure preserving signatures on equivalence classes

SoK:

Signature of knowledge

NIZK:

Non-interactive zero-knowledge proof

PKE:

Public key encryption

RGS:

Revocable group signature

RC:

Revocation check

KOSK:

The knowledge of secret key

TBK:

Time-bound key

GS-TBK:

Group signature with time-bound keys

The authors would like to thank the reviewers for their meticulous and constructive suggestions, for improving this article.

This work is supported by the National Natural Science Foundation of China (Grant No. 61762060), Educational Commission of Gansu Province, China (Grant No. 2017C-05), Natural Science Foundation of Gansu Province, China (Grant No. 20JR5RA467), Foundation for the Key Research and Development Program of Gansu Province, China (Grant No. 20YF3GA016).

Authors and Affiliations

1. School of Computer and Communication, Lanzhou University of Technology, Lanzhou, 730050, China

   Junli Fang & Tao Feng

Contributions

JF proposed the scheme and is the main writer of the manuscript. TF is the corresponding author and gave important advices with the respect to the construction, result, and writing. Both authors read and approved the final manuscript.

Corresponding author

Correspondence to Tao Feng.

Competing interests

The authors declared no potential conflicts of interest with respect to this article.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions