 Research
 Open Access
 Published:
Group signature with timebound keys and unforgeability of expiry time for smart cities
EURASIP Journal on Wireless Communications and Networking volume 2021, Article number: 113 (2021)
Abstract
Internet of Things (IoT) lays the foundation for the various applications in smart cities, yet resourceconstrained IoT devices are prone to suffer from devastating cyberattacks and privacy leak threats, thus are inevitability supposed as the weakest link of the systems in smart cities. Mitigating the security risks of data and the computing limitation of edge devices, especially identity authentication and key validity management of group devices are essential for IoT system security. In order to tackle the issues of anonymity, traceability, unforgeability of expiry time as well as efficient membership revocation for lifecycle management of devices in IoT setting, we presented a dynamic timebound group signature with unforgeability of expiry time. Unforgeability of expiry time disables a revoked signer to create a valid signature by means of associating the signing key with an expiry time. The anonymity and traceability of the proposed scheme contribute to the identity privacy of the entities and supervision for authority agency. Moreover, our proposal is feasible in the resourceconstrained setting for efficient computational cost of signing and verification algorithms.
Introduction
Internet of Things (IoT), which is capable of sensing the physical world by ubiquitous smart devices and building a transparent information world, is considered to be one of the most fundamental and indispensable technologies for smart cities [1]. To provide citizens convenient public resource utilization and public administrations services, advanced applicationoriented intelligent IoT ecosystems have mushroomed in various industries, such as vehicles, logistics, meteorology, architecture, geology, hydrology, and sharing economy. As a result, the growth spurts on city populations, smart terminals, and data abound to follow in the foreseeable future and will conversely impose great challenges on the city infrastructures and IoT devices. Hence, various solutions including data reduction dimensionality [2], transmission power optimization [3], multihop path optimization [4], secure key management [5, 6], and edge computing [7] are proposed to optimize the energy, the realtime, and distributed performance of applications in smart cities.
As described in Fig. 1, IoT devices are usually grouped according to their functionality or locations to perform the tasks on data collection, transmission, and commands execution. Traditional resourcelimited IoT devices are typically not securedbydesign and located at the edge of the smart cities ecosystems, thus they are vulnerable to security and privacy threats that are prone to trigger devastating losses [8]. Generally, data confidentiality, integrity, and device authentication in groups must be guaranteed [5]. In addition, anonymity is indispensable because of identity privacy leakage, and traceability is expected when supervision or audit organizations need to find out malicious devices. The optimum solution to the questions mentioned above is the scheme employing group signature [9]. In a group signature, any group member is allowed to generate signatures anonymously representing the entire group, and a signature can be opened to reveal the misbehaved members in case of a dispute. Consequently, group signature has been proved to be an appropriate way to ensure authentication, anonymity, and traceability in numerous privacypreserving intricate schemes [10,11,12].
In general, the following security and privacy problems are essential for practical and need to be considered. Firstly, efficient flexible registration and revocation functionality is indispensable for practical purposes due to constantly mobile devices and incompletely reliable signals. Dynamic group signature is more complex but is more efficient and available than static group signature in mobile IoT settings because without frequent initializations. Revocations usually cause the degradation of efficiency. Spontaneously, it is important to speed up revocation checks especially in resourceconstrained settings. Moreover, it is necessary to maintain security after group members are revoked. Besides, it is worth especially noting that valid time of data and devices is crucial for lifecycle management and even counting economic value. However, the forgery attack to the expiration time of occupancy will cause exploiting inappropriately data, device or service, and consequently injurious to the interest of stakeholders. In addition, the encryption procedure employed in group signature is heavy for IoT devices and thus is necessary to be removed or reduced using a novel signature scheme. Naturally, how to realize efficient revocable dynamical group signature with unforgeability of expiry time in the IoT setting is a tough but critical question.
Related work
Group signatures introduced by Chaum and van Heys [9] were strictly formalized as static BMW mode [13] and further extended to the circumstance of the dynamic BSZ model [14]. In the static BMW model setting, the group manager is responsible for opening signatures and generating keys honestly for predefined group members at the setup stage. Yet in the dynamically BSZ model, any new member is allowed to join the group at all moments after finishing the initial setup, while the monolithic group manager in the static model is separated into issuer and opener. These ingenious works have introduced general constructions, which have become the implicit framework for most of the following group signatures. Subsequently, Sakai et al. [15] explored a slightly modified scheme by defining the notion of weak opening soundness, which requires no malicious user can fabricate an opening proof and allege ownership of a signature issued by an honest one. Weak opening soundness is reasonable in the practical setting because it achieves an acceptable tradeoff between computational cost and anticipated security guarantees.
The widely used construction paradigm for group signatures is the modular SignEncryptProve (SEP) paradigm, which typically consists of three steps. Firstly, the issuer and group members play an interactive protocol to generate the signing key, namely a certificate associated with the identity of a member. Then group member generates a digital signature on the message and the encryption of her identity. Finally, a NonInteractive ZeroKnowledge proof (NIZK) is provided to prove that the user takes possession of knowledge of a legitimate certificate. Unfortunately, the main drawback of the SEP paradigm is inefficiency due to the complexity of NIZK proof and encryption. To solve this issue, Bichsel et al. [16] explored an efficient alternative called SignRandomizeProof (SRP) paradigm and creatively removed explicit encryption by employing rerandomizable signatures during the group signature generation phase, guarantying that multiple randomized counterparts originated from the identical signature are not linkable. In particular, they improved efficiency by proving a Signature of Knowledge (SoK) on the message instead of NIZK proof. Following this novel paradigm, Derler and Slamanig [17] contributed a highlyefficient dynamic group signature construction that employed structurepreserving signatures on equivalence classes (SPSEQ) [18, 19]. SPSEQ defines a relation \({\mathcal{R}}\) to establish partitions of the message space, which indicates that the signer virtually signs the whole partition as long as signing one representative of a partition. Especially, the SPSEQ signature can be transformed to any different representative of the partition, without knowing any information of the secret key. It is also noteworthy that the scheme of Derler and Slamanig is especially fit for resourceconstrained devices because the signature size of their CPAfully anonymous instantiation is shorter than the classical BBS scheme [20].
It is indispensable for practical purpose to provide revocation functionality, however, which usually cause the degradation of efficiency. Spontaneously, it is significant to speed up revocation checks, especially in the resourceconstrained setting. More precisely, the revocation check (RC) is classified into implicit and explicit revocation. The implicit revocation indicates that a revoked signer cannot compute signatures that passing the verification check, and she needs to prove both that she is unrevoked and enrolled in the group. Hence, in the implicit revocation [21,22,23,24], the signing algorithm is computationally expensive, whereas the verification expense is relatively low. Inversely, in the explicit case, all signers can create signatures passing the verification check, but a verifier needs to further run the RC procedure to check if the signer has been revoked or not. Thus, in the explicit revocation [25,26,27,28], a signer only proves her membership. Accordingly, the signing algorithm is at a relatively low computational cost, while the cost of the verification part is computationally expensive because of the supplementary RC procedure. Therefore, explicit RC has lower power consumption than the implicit case, for the IoT devices as the data producers.
Typically, the computational cost of RC increases linearly with the scale of the revocation list. Therefore, there is a high demand for a flexible revocation approach to downsizing the revocation list. Libert et al. [22] put forward the classical paradigm for revocable group signature (RGS) solution in the standard model based on a complete subtree algorithm. Unfortunately, the solution fails to achieve sufficient efficiency in the practical setting, due to adopting the complex standard model and Groth–Sahai proofs. We additionally remark that the construction in the asymmetric pairing setting and the random oracle model (ROM) is highly desirable in view of efficiency and suitability for practical resourceconstrained context, although that in the standard model or based on lattices are quite attractive. Ohara et al. [24] showed an RGS scheme called parallel BBS group signature and the costs of which are asymptotically identical with that of the LPY scheme [22]. Nonetheless, the cost of computing the signing process in [22] is relatively high due to implicit revocation. Emura and Hayashi [23] proposed an RGS scheme under the simple assumption by employing the methodology in [24]. They modify their proposal to support weak opening soundness since the LPY model is incapable of ownership proof. Ishida et al. [27] came up with a fully anonymous group signature, where revocation component is achieved using additional key pairs of a keyprivate public key encryption scheme. Their design is not fully dynamic due to following BMW construction and also fail to provide instantiation and efficiency evaluation. Very recently, Yue et al. [29] offered a distributed RGS scheme with backward security by introducing a trusted authority.
Besides, timebound keys (TBK) management techniques [30], which means that secret key is embedded with a timestamp, are usually combined with group key management, broadcast encryption, group signature, attributebased encryption for efficient revocation, access control, and anonymous authentication on the time dimension [5, 31,32,33,34]. It is crucial to highlight that, for the sake of downsizing the expense of RC in practical settings, Chu et al. [31] detailed a feasible method called group signature with timebound keys (GSTBK). In GSTBK, the signing key of each member is closely related to expiry time, and the verifiers check whether the signers produced group signatures based on expired keys. The proposal could be regarded as a solution possessing the simultaneous properties of both “natural” and “premature” revocation types. The “natural” revocation means that only signers having nonexpired keys can create signatures that pass the verification check whereas the “premature” revocation indicates that it is able to revoke signers in advance even expiry times have not passed and thus verifiers need to run the RC procedure. The number of prematurely revoked signers is merely a small proportion of all revoked members, thus, the size of the revocation list and the cost of RC is significantly cut down [10, 34]. Subsequently, Emura et al. [34] revisited the definition the traceability in GSTBK by offering the unforgeability of expiry time for signing keys [24]. The forgeability attack refers to an adversary may forge a valid signature after expiry time \(\tau\). Specifically, [34] defined a complete subtree algorithm for timebound keys (CSTBK) similar to the CS method and proposed a novel group signature in the proposed model. Assuming that \({\text{T}}\) represents the maxlength of time and the number of the leaf node belong to the binary tree \({\text{BT}}\), the subtree covering all nodes that are nonrevoked could be found. The underlying primitives of the proposal are BBS + signature [20]. Regarding security properties, the scheme provides backward unlinkabilityanonymity, traceability, and nonframeablity. Constant signing cost was provided, unlike the earlier solution where the efficiency of signing depends entirely on the length of bits representing the time. Similarly, Malina et al. [33] and Perera et al. [28] provided group signatures with timebound membership but not consider premature revocation and fail to resist forgeability signing time and expiry time.
Motivation and our contribution
To sum up, it is necessary to propose an efficient fully dynamic group signature that provides minimize the revocation verification cost following the SRP paradigm. Our construction is based on a tailored combination of dynamic group signatures scheme following the SRP model in [17] and GSTBK scheme in [34]. The main contributions are summarized below.

Efficient flexible registration and revocation functionality is realized by combining with novel dynamic group signatures scheme and GSTBK scheme.

The design realizes security against forgery of expiry time and the backward attack, which prohibits revoked signers from generating group signatures associating future periods.

Relatively low and constant computational cost at the signing stage is provided by employing rerandomizable structurepreserving signatures on equivalence classes (SPSEQ).

The cost of verification algorithms, which is linearly correlated with the number of signers prematurely revoked rather than that of total revoked signers, is significantly cut down.

BUanonymity, traceability, nonframeability, and weak opening soundness are fully guaranteed.
The remainder of this article is structured as follows. Some related definitions are recalled in Sect. 2. Then Sect. 3 focuses on the formal description of the proposed scheme and security model. Section 4 describes the details of the construction and analysis of security. In Sect. 5, the comparison with the related solutions will be discussed. Finally, Sect. 6 concludes the article.
Preliminaries
Next, some cryptographic preliminaries used in this article are recalled. The detailed definitions about the digital signature, public key encryption (PKE), NIZK proof systems, and SoK could refer to [17].
Notation
\(z\mathop \leftarrow \limits^{{\text{R}}} Z\) means that \({\text{z}}\) is chosen randomly from a finite set \(Z\) uniformly. Let \(z \leftarrow \psi (x)\) denote that is the randomized function \(\psi\) with input \(x\) and output \(z\).
All algorithms are assumed that be run in polynomial time and output \(\bot\) if any error happens. \({{\rm Pr}} [\Omega :E]\) means that the probability of an event E over the probability space \(\Omega\). A negligible function \(\epsilon :{\mathbb{N}} \to {\mathbb{R}}^{ + }\) states that there exists a contain constant \(k_{0} \in {\mathbb{N}}\) satisfying \(\epsilon (k) < 1/k^{c}\) for any \(\, k > k_{0}\) and any positive number \(c\).
Assume \({\text{BGGen}} (1^{\kappa } )\) generates a bilinear group \({\text{BG}} = (p,{\mathbb{G}}_{{1}} ,{\mathbb{G}}_{{2}} ,{\mathbb{G}}_{T} ,e,P,\hat{P})\) in the Type3 setting where \({\mathbb{G}}_{{1}} \ne {\mathbb{G}}_{{2}}\) and no computable isomorphism \(\varphi :{\mathbb{G}}_{{2}} \to {\mathbb{G}}_{{1}}\).
Assumptions
Definition 1
The Decisional Diffie–Hellman (DDH) assumption states that any adversary \({\mathcal{A}}\) is infeasible to break DDH assumption with a negligible function \(\epsilon (\kappa )\).That is
where \({\text{log}}_{{2}} {\text{P = }}\kappa\) and \(P\) is the primeorder of group \({\mathbb{G}}\).
Definition 2
The Symmetric External Diffie–Hellman (SXDH) assumption states that the DDH assumption holds in \({\mathbb{G}}_{{1}}\) and \({\mathbb{G}}_{{2}}\).
Definition 3
The Computational coDiffie–Hellman Inversion (coCDHI) assumption means that any adversary \({\mathcal{A}}\) is infeasible to break coCDHI assumption with nonnegligible probability during polynomialtime. That is
SPSEQ
Definition 4
An SPSEQ on \({\mathbb{G}}_{i}^{*}\) (\(i \in \{ 1,2\}\)) is defined based on the below algorithms:

\({\text{BGGen}} (1^{\kappa } )\): input a security parameter \(\kappa\), and outputs a bilinear group \({\text{BG}}\).

\({\text{KGen}}_{{\mathcal{R}}} (BG,\ell )\): input BG as well as a vector length \(\ell\), and outputs a key pair \({(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} )\).

\(Sign_{{\mathcal{R}}} (M,sk_{{\mathcal{R}}} )\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\) of equivalence classes \(\left[ E \right]_{{\mathcal{R}}}\) and a secret key \(sk_{{\mathcal{R}}}\), and outputs an SPSEQ signature.

\({\text{ChgRep}}_{{\mathcal{R}}} (E,\sigma ,\mu ,pk_{{\mathcal{R}}} )\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\) of class \(\left[ E \right]_{{\mathcal{R}}}\), a signature \(\sigma\) for \(E\), a scalar \(\mu\), and a public key \(pk_{{\mathcal{R}}}\), finally outputs a fresh messagesignature pair \((E^{\prime},\sigma^{\prime})\), where \(E^{\prime}{ = }\mu \cdot E\) is the new representative and \(\sigma^{\prime}\) is the corresponding updated signature.

\({\text{Vrf}}_{{\mathcal{R}}} (E,\sigma ,pk_{{\mathcal{R}}} ) \,\): input a representative \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\), a signature \(\sigma\), and a public key \(pk_{{\mathcal{R}}}\), finally outputs \(0\) or \(1\).

\(Vkey_{{\mathcal{R}}} {(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} )\): input a secret key \(sk_{{\mathcal{R}}}\) and a public key \(pk_{{\mathcal{R}}}\), finally outputs \(0\) or \(1\).
Definition 5
Correctness is achieved for an SPSEQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\), if
where \(\kappa \in {\mathbb{N}}\), \(\ell > 1\), \({\text{BG}} \leftarrow {\text{BGGen}}_{R} (1^{\kappa } )\), \({(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ) \leftarrow {\text{KGen}}_{{\mathcal{R}}} (BG,\ell )\), \(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell }\), and \(\mu \in {\mathbb{Z}}_{p}^{*}\).
Definition 6
Existential unforgeablity under adaptive chosenmessage attacks (EUFCMA) is achieved for an SPSEQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\), if a negligible function \(\epsilon ( \cdot )\) exits for any PPT adversary able to access to a signing oracle \({\mathcal{O}}^{{{\text{Sign}}_{{\mathcal{R}}} }}\) such that:
where \(Q^{{{\text{Sign}}_{{\mathcal{R}}} }}\) is the set of queries that adversary has sent to the signing oracle \({\mathcal{O}}^{{{\text{Sign}}_{{\mathcal{R}}} }}\).
Definition 7
Perfect adaption is achieved for an SPSEQ scheme on \(({\mathbb{G}}_{i}^{*} {)}^{\ell }\) if \((\rho E,{\text{Sign}}_{{\mathcal{R}}} (\rho E,sk_{{\mathcal{R}}} ))\) and \({\text{ChgRep}}_{{\mathcal{R}}} (E,\sigma ,\mu ,pk_{{\mathcal{R}}} )\) are identically distribute for any tuple \((sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ,E,\sigma ,\mu )\) as long as
\(E \in ({\mathbb{G}}_{i}^{*} {)}^{\ell } \wedge \mu \in {\mathbb{Z}}_{p}^{*} \wedge Vkey_{{\mathcal{R}}} {(}sk_{{\mathcal{R}}} ,pk_{{\mathcal{R}}} ) = 1 \wedge {\text{Vrf}}_{{\mathcal{R}}} (E,\sigma ,pk_{{\mathcal{R}}} ) = 1\).
CSTBK
The CSTBK algorithm detailed in [34] is used for finds subtrees containing all nonrevoked nodes. Let \(T\) denotes the maximum size of expiry time \(\tau\), and thus the number of leaf nodes in the binary tree \(BT\) is \(T\). Both current time \(t\) and expiry time \(\tau\) are mapped to the corresponding leaf nodes.
If \(\tau\) is allocated to a leaf node \(\eta\), the issuer produces a signature for each node of \(Path(\eta )\) via the CSTBK algorithm and then publishes these signatures to signers with \(\tau\). Although a bunch of signers with the same expiry times share a common leaf node \(\eta\), the signatures of those signers are dissimilar for randomness. All leaves located left side of the leaf node related to a certain time \(t\) are revoked for their expiry times ahead of \(t\). Expiration information \(info_{t}\) at time \(t\) is essentially signatures of nonrevoked nodes generated according to the CSTBK algorithm.
For example, let \(T = 8\) and \(\tau\) corresponds to node 11, signers with \(\tau\) obtain signatures of nodes 1, 2, 5, and 11. As shown in Fig. 2a, nodes 8, 9 are revoked when \(t < \tau\), namely current time \(t\) is before expiry time \(\tau\), whereas nodes 3 and 5 are chosen as root nodes of subtrees of all nonrevoked nodes, that is node 10–15. Thus, \(info_{t}\) contains signatures of nonrevoked subtrees of root node 3 and node5. Later, the signers can prove in a zeroknowledge manner that they own a signature of node 5, which is also contained in corresponding \(info_{t}\). As shown in Fig. 2b when \(t > \tau\), nodes 8,9,10, and11 are revoked. Thus, \(info_{t}\) contains signatures of subtrees of root node 3 but no 5.
Scheme and security model
Scheme
In this part, we provide the established model for the revocable group signatures with timebound keys and unforgeability of expiry time (RGSTBKUET). There are several entities involved in our scheme: a trusted party responsible for initial key generation and distribution, two authorities called the issuer and the opener, a bunch of users trying to join the group. The proposed proposal consists of the following algorithms.

\({\text{GS}}{.}GKGen(1^{\kappa } ) \to (gpk,ik,ok)\): The algorithm takes in the security parameter \(1^{\kappa }\), and finally outputs the group public key \(gpk\), the issuing key \(ik\), and the opening key \(ok\). The algorithm also initializes the user registration table reg.

\({\text{GS}} .UKGen(1^{\kappa } ) \to (usk_{i} {,}upk_{i} )\): The algorithm takes in the public parameters and outputs secret/public key pair \((usk_{i} {,}upk_{i} )\) for user \(i\).

\(\langle {\text{GS}}.{\text{Join}}(gpk,usk_{i} ,upk_{i} ),{\text{GS}}.{\text{Issue}}(gpk,ik,i,upk_{i} ,{\mathbf{reg}},\tau_{i} )\rangle\): In order to add user to the group, the issuer and a user executes the interactive protocol, which is usually assumed to communicate over secure channels. The joining algorithm is implemented by a user with \((usk_{i} {,}upk_{i} )\), whereas the issuing algorithm is run by the issuer with inputs \(gpk\), \(ik\), \(upk_{i}\),\({\mathbf{reg}}\) and \(\tau_{i}\). On success, the joining algorithm outputs \({(}gsk_{i} ,\tau_{i} )\) and the issuing algorithm outputs registration table \({\mathbf{reg}}\) which user \(i\) is added an entry.

\({\text{GS}}{.}{\text{Revoke}}(i,ik,t,{\mathcal{R}}_{t} ,{\mathbf{reg}}) \to (RL_{t} ,info_{t} )\): The issuer runs the algorithm to generate expiration information and revocation list \(RL_{t}\) for revoked signers at time \(t\). Upon input \(i\), \(ik\), \(t\), \({\mathcal{R}}_{t}\) and \({\mathbf{reg}}\), the algorithm outputs \((RL_{t} ,info_{t} )\). The algorithm computes revocation token \(grt_{i,t}\) for each \(i\) provided \(t < \tau_{i}\) and stores \(grt_{i,t}\) to \(RL_{t}\). Besides, expiration information \(info_{t}\) is computed.

\(GS.{\text{Sign}} (gpk,gsk_{i} ,m,t,info_{t} ) \to \sigma\): The algorithm takes in the group public key \(gpk\), group signing key \(\, gsk_{i}\), a message \(m\), current time \(t\), and group information \(info_{t}\), and outputs a group signature \(\sigma\).

\(GS.{\text{Verify}} (gpk,m,\sigma ,t,RL_{t} ) \to {0/1}\): The deterministic algorithm is able to be run by anyone holding group public key \(gpk\) to check given \(\sigma\) is a valid group signature on \(m\).

\(GS.{\text{Open}}(gpk,ok,{\mathbf{reg}},m,\sigma ) \to (i,\pi )\): Provided that the group public key \(gpk\), the opening key \(ok\), a registration table \({\mathbf{reg}}\), a message \(m\), and a signature \(\sigma\) are input, the opener may extract the identity of the signer and the proof of signature, and finally return a pair \((i,\pi )\), where integer \(i\) is nonnegative. The algorithm output a pair \((0,\pi )\) to indicate that the opener fails to attribute the signature to a certain group member. If \(i > 0\), the opener could allege that the group member with identity \(i\) who produced the signature because the group member produced a proof \(\pi\) as corresponding evidence to demonstrate the abovementioned fact.

\(GS.{\text{Judge}} (gpk,m,\sigma ,i,upk_{i} ,\pi ) \to {0/1}\): Anyone in possession \(gpk\) can deterministically judge the validity of \(\pi\) given the group public key \(gpk\), a message \(m\), a signature \(\sigma\), a user \(i\), its public key \(upk_{i}\), and a proof \(\pi\). If \(\pi\) is a valid proof demonstrating that group member with identity \(i\) produced signature \(\sigma\), the deterministic algorithm outputs 1 and outputs 0 otherwise.
Security model
Generally, the attack capabilities of adversaries are formalized via accessing certain subsets of oracles, which are detailed in Fig. 3. The security experiments corresponding to different requirements of the group signature as showed in Fig. 4. The following lists used in oracles are assumed to be global and maintained by the environment.

\({\mathcal{H}}\): Honest users. \({\mathcal{C}}\): Corrupted users. \({\mathcal{B}}\): Bad users. \({\mathcal{R}}_{t}\): Revoked users at time t.

\(SL\): List of messagesignature tuples. \(CL\): List of challenge signatures obtained.

\(RL_{t}\): List of revocation information.
Notably, \({\mathcal{A}}\) is capable of choosing personal secret keys of corrupted users, yet obtaining both personal and group signing keys of bad users.

\({\mathbf{{\rm A}ddU}}\): \({\mathcal{A}}\) adds an honest user with an identity \(i \in {\mathbb{N}}\) and expiry time \(\tau_{i}\) to the group.

\({\mathbf{RReg}}\): \({\mathcal{A}}\) can read the information from the registration table.

\({\mathbf{WReg}}\): \({\mathcal{A}}\) is allowed to modify the specified value of the registration table.

\({\mathbf{USK}}\): \({\mathcal{A}}\) inputs an identity \(i \in {\mathbb{N}}\) and then returns the personal private key \(usk_{i}\) and the private signing key \(gsk_{i}\) to the user.

\({\mathbf{Sign}}\): \({\mathcal{A}}\) obtains a signature on behalf of an honest user by the signing oracle.

\({\mathbf{Chal}}_{{\mathbf{b}}}\): \({\mathcal{A}}\) chooses two nonrevoked honest members \((i_{0} ,i_{1} )\) as challenging users, and obtains challenge signature by calling the challenge oracle in the anonymity experiment. Additionally, the adversary adds \((m,\sigma ,t{)}\) to the challenge signature set \(CL\). The adversary is restricted to call the challenge oracle only once.

\({\mathbf{Open}}\): \({\mathcal{A}}\) receives the identity and proof on a signature by running the opening algorithm as long as signature \(\sigma\) is not part of the challenge set \(CL\).

\({\mathbf{Revoke}}\): \({\mathcal{A}}\) removes users by calling revocation oracle.

\({\mathbf{CrptU}}\): \({\mathcal{A}}\) parse the certain value \(pk\) as personal public key \(upk_{i}\) of newly corrupted user \(i\) before calling the \({\mathbf{SndToU}}\) oracle.

\({\mathbf{SndToU}}\): \({\mathcal{A}}\) interacts with an honest user on behalf of the corrupted issuer.

\({\mathbf{SndToI}}\): \({\mathcal{A}}\) communicate with an honest issuer in the user role.
Security notions
The definitions of correctness and main security attribute of the scheme are focused in this subsection. Let \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{}} (k) = 1] \le \epsilon (k)\) formally denote that the advantage of adversary \({\mathcal{A}}\) to win the respective experiment during polynomialtime in Fig. 4 is negligible.
Definition 8
The scheme achieves correctness if \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{correctness}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{correctness}}}} (k) = 1] \le \epsilon (k)\).
The correctness states that any honest nonrevoked group member should be able to issue valid signatures on any message. Once the message and signature are given, the opening algorithm ought to correctly recover the identity of the original signer. The opening algorithm produces the publicly verifiable proof that should be accepted by the judging algorithm.
Definition 9
The scheme achieves BUAnonymity if \({\text{ Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Anonymity}}}} (k) = \left {{{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{0  Anonymity}}} (k) = 1]  {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{1  Anonymity}}} (k) = 1]} \right \le \epsilon (k)\).
The anonymity with backward unlinkability (BUanonymity) means that \({\mathcal{A}}\) is infeasible to distinguish the identities of signers from signatures even if signatures are created by revoked signers. Specifically, if the real value of the bit \(b\) in the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle is guessed perfectly, \({\mathcal{A}}\) will break the anonymity. Moreover, \({\mathcal{A}}\) is allowed to access \({\mathbf{Open}}\) oracle and obtain signing keys excluding that of the challenge users.
Definition 10
The scheme achieves nonframeability if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{Non  Frame}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{\text{Non  Frame}}} (k) = 1] \le \epsilon (k)\)_{.}
Nonframeability guarantees that \({\mathcal{A}}\) is incapable of enforcing the honest opener to ascribe a certain valid signature to a specific user via creating a judgeaccepted proof if this honest user indeed did not create this signature.
Definition 11
The scheme achieves traceability if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k) = 1] \le \epsilon (k)\).
Traceability essentially defines that \({\mathcal{A}}\) is infeasible to counterfeit a signature result. In other words, the honest opener is either incapable of identifying the signer of the forgery signature or generating a judgeaccepted proof of its claim even if the signer of a signature has been identified.
Definition 12
The scheme achieves weak opening soundness if \({\text{Adv}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{WeakOS}}}} (k) = {{\rm Pr}}[{\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{WeakOS}}}} (k) = 1] \le \epsilon (k)\).
Weak opening soundness actually means that a malicious user is infeasible to allege ownership of signatures generated originally by honest users via a counterfeited opening proof as long as the opener behaves honestly [15].
Construction and security analysis
Detailed construction
As previously mentioned, the scheme [17] essentially only allow members to enroll at all times but cannot leave freely, which inspired us to added revocation functionality to the construction of [17] using the methodology of [34]. Our construction is detailed in Fig. 5, and system parameters are illustrated in Table 1.
The natural revocation is achieved by CSTBK algorithm and is details as follows. Assumed that a leaf node \(\eta\) is selected to an expiry time \(\tau\), the issuer produces SPSEQ signature \(\sigma^{\prime}_{{{\text{A}}_{j} }} \leftarrow {\text{Sign}}_{{\mathcal{R}}} (\xi_{j} (U_{i} ,Q),sk_{{\mathcal{R}}} )\) for each node \(\xi_{j} \in {\text{path}} (\eta )\) and sends \({(}\{ \sigma^{\prime}_{{{\text{A}}_{j} }} \}_{j \in [nt]} ,\tau_{i} )\) to the signer \(i\). Then, the signer computers her owning secret signing key by rerandomization property of SPSEQ \(gsk_{i} : = \{ (\xi_{j} (rP,P),\sigma_{Aj} )\}_{j \in [nt]} \leftarrow \{ {\text{ChgRep}}_{{\mathcal{R}}} (\xi_{j} (U_{i} ,Q),\sigma^{\prime}_{{A_{j} }} ,q^{  1} ,pk_{{\mathcal{R}}} )\}_{j \in [nt]}\).For the current time \(t\), the issuer firstly outputs \(Y = :(\vartheta_{1} ,\vartheta_{2} , \ldots ,\vartheta_{{{\text{num}}}} )\) running the \({\text{CS  TBK(}}BT{, }t{)}\) algorithm and chooses a secret vector \({(}T_{i} ,Q{)} \leftarrow (\mu P,P) \in ({\mathbb{G}}_{1}^{*} )^{2}\) (where \(\mu \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\)). Next, the issuer computers SPSEQ signature \(\sigma_{Bk} \leftarrow {\text{Sign}}_{{\mathcal{R}}} (\vartheta_{k} (T_{i} ,Q),sk_{{\mathcal{R}}} )\), which is contained in expiration information \(info_{t}\). Apparently, the \(gsk_{i}\) is the SPSEQ signature of the message \(\xi_{j} \in {\text{path}} (\eta ): = (\xi_{1} ,\xi_{2} , \ldots ,\xi_{nt} )\) and the equivalence class of signer secret identity, whereas \(info_{t}\) is the SPSEQ signature of another message \(\vartheta_{i} \in Y = :(\vartheta_{1} ,\vartheta_{2} , \ldots ,\vartheta_{num} )\) and the equivalence class corresponding to the current time. In the light of the CS method, such a common node both \(\xi \in Path(\eta ) \cap Y\) exists if \(\tau < t\). That is the nonrevoked signers can prove in a zeroknowledge manner, that the node \(\xi\) possesses two signatures in their own the private signing key \(gsk\) and expiry information \(info_{t}\) respectively. Note that unless unforgeability of the SPSEQ signature scheme is broken, that is the signer creates SPSEQ signature \(\sigma_{Bk}\), it is infeasible to generate a valid group signature for an expired signer. Consequently, the unforgeability of expiry time for signing keys is guaranteed.
The way of premature revocation is described as below: At the stage of \({\text{GS}}{.}{\text{Issue}}\), the issuer stores a revocation token \(grt_{i} : = U_{i}\). At the time \(t\), the issuer picks randomly \(y_{t} \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\) and lets \(h_{t} { = }y_{t} P,\hat{h}_{t} { = }y_{t} \hat{P}\), then \(e(h_{t} ,\hat{P}) = e(P,\hat{h}_{t} )\) hold. A group signature is composed of \(\beta y_{t} P\),\(\alpha (rq{ + }\beta )P\) and \(\alpha \hat{P}\), where \(\alpha ,\beta\) are picked randomly by the signer. If \(i \in {\mathcal{R}}_{t}\), namely a signer \(i\) is revoked in the premature manner then the issuer computes \(grt_{i,t} : = y_{t} grt_{i}\) and stores \(grt_{i,t}\) to \(RL_{t}\). By checking whether the equation \(e(grt_{i,t} + \beta y_{t} P,\alpha \hat{P}) = e(\alpha (rq + \beta )P,y_{t} \hat{P})\) holds for each \(grt_{i,t}\) successively, the verifier is able to verify whether \(i\) is a premature revoked signer.
Security analysis
Theorem 1
The proposal achieves correctness if SPSEQ and SoK achieve correctness.
Proof
(Sketch) Correctness is straightly originated from the correctness of the proposal [17, 34].
Theorem 2
The proposal achieves BUanonymity if П achieves adaptive zeroknowledge, SoK achieves simulatability (simulatability and straightline fextractability), \(\Omega\) achieves INDCPA (INDCCA2) security and the DDH assumption holds.
Proof
(Sketch) Usually, BUanonymity indicates that signers of two group signatures cannot be distinguished without an opening secret key. Thus, the attack on anonymity is essentially equivalent to that on encryption, which producing membership certificates and proofs. Finally, the anonymity is reduced to the security of the PKE scheme and NIZK Proof. Naturally, a signer maintains anonymity because two randomized user secret keys are difficult to distinguish under DDH assumption in \({\mathbb{G}}_{{1}}\). Therefore, the output distributions of the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle and the input bit \(b\) are mutually independent.
Proof
Let \({\text{N}}_{ch} ,{\text{N}}_{o} ,{\text{N}}_{{{\text{AddU}}}} \le {\text{poly}}(\kappa )\) denote the number of queries to \({\mathbf{Chal}}_{{\mathbf{b}}}\), \({\mathbf{Open}}\), and \({\mathbf{{\rm A}ddU}}\) respectively.

G_{0}: original anonymity experiment.

G_{1}: As G_{0}, except that executing \((crs_{J} ,td_{J} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{J} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{J}\) is stored. Next, each call to \(\Pi .{\text{Proof}}\) that executed at the stage of \({\text{GS.Join}}\) algorithm is simulated via the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zeroknowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G_{0} and G_{1} is negligible, i.e. \(\left {\Pr [{\mathcal{G}}_{1} ]  \Pr [{\mathcal{G}}_{0} ]} \right \le \epsilon_{{zk_{J} }} (k)\).

G_{2}: As G_{1}, except that executing \((crs_{O} ,td_{O} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{O} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{O}\) is stored. Next, all zeroknowledge proofs \(\Pi .{\text{Proof}}\) at the stage of \({\text{GS.Open}}\) algorithm is simulated via the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zeroknowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G_{1} and G_{2} is negligible, i.e. \(\left {\Pr [{\mathcal{G}}_{2} ]  \Pr [{\mathcal{G}}_{1} ]} \right \le \epsilon_{{zk_{o} }} (k)\).

G_{3}: As G_{2}, except that executing \((crs_{s} ,td_{s} ) \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) rather than \(crs_{s} \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{s}\) is stored. Next, each call to \({\text{Sok.Sign}}\) is simulated via the simulator (without a witness). According to simulatability of \({\text{Sok}}\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G_{3} and G_{2} is negligible, i.e., \(\left {\Pr [{\mathcal{G}}_{3} ]  \Pr [{\mathcal{G}}_{2} ]} \right \le \epsilon_{{{\text{SIM}}}} (k)\).

G_{4}: As G_{3}, except that \(pk_{o}\) is obtained from an INDCPA or INDCCA2 challenger rather than \({(}sk_{o} ,pk_{o} ) \leftarrow \Omega .{\text{KGen}}(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and \(sk_{o} = \bot\) is set. In the CCA2 case, it next uses the \({\mathbf{Open}}\) oracle to decrypt the ciphertext \(\hat{C}_{{J_{i} }}\) stored in \({\mathbf{reg}}\) for all users and obtain simulates the proof via the straightline fextractor. In case of CCA2, a witness \(\, \rho\) can be extracted in each call to the \({\mathbf{Open}}\) oracle with overwhelm \(1  \epsilon_{{{\text{EXT}}}} (k)\) extraction probability according to the straightline fextractability of the SoK. Therefore, both games proceed same unless there is a extraction fail, i.e., \(\left {{\text{Pr}}[{\mathcal{G}}_{4} ]  {\text{Pr}}[{\mathcal{G}}_{3} ]} \right \le N_{o} \cdot \epsilon_{{{\text{EXT}}}} (k)\). In case of CPA, the \({\mathbf{Open}}\) oracle do not have to be simulated and the opening key is only obtained from the INDCPA challenger. Therefore, G_{4} is conceptually identical to G_{3}, i.e., \({\text{Pr}}[{\mathcal{G}}_{4} ] = {\text{Pr}}[{\mathcal{G}}_{3} ]\).

G_{5}: As G_{4}, except that the ciphertext \(\hat{C}_{{J_{i} }}\) is computed in the \({\text{GS.Join}}\) algorithm (actually executed via the \({\mathbf{{\rm A}ddU}}\) oracle) as \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,\hat{P})\) rather than \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,r\hat{P},\omega )\), namely the random parameters associated with identity is removed in message. According to the INDCCA2 security of \(\Omega\), the probability of winning the game for \({\mathcal{A}}\), i.e., \(\left {{\text{Pr}}[{\mathcal{G}}_{5} ]  {\text{Pr}}[{\mathcal{G}}_{4} ]} \right \le N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k)\).

G_{6}: As G_{5}, except that \(sk_{o}\) is readded, namely, \({(}sk_{o} ,pk_{o} ) \leftarrow \Omega .{\text{KGen}}(1^{\kappa } )\) is obtained again. We decrypt ourselves with in the \({\text{WReg}}\) simulation rather than via the decryption oracle in the CCA2 case. Therefore, G_{6} is conceptually identical to G_{5}, i.e., \({\text{Pr}}[{\mathcal{G}}_{6} ] = {\text{Pr}}[{\mathcal{G}}_{5} ] \,\).

G_{7}: As G_{6}, except that \(i^{*}\) is revoked by computing \(grt_{{i^{*} ,t}} : = y_{t} r_{{i^{*} }} qP\) while \(t \ne t^{*}\). Remark that \({\mathcal{A}}\) is not need to compute \(grt_{{i^{*} ,t^{*} }}\) because at the challenge time \(t^{*}\), \(i^{*}\) is unrevoked, which induced backward unlinkability. Therefore, G_{7} is conceptually identical to G_{6}. i.e., \({\text{Pr}}[{\mathcal{G}}_{7} ] = {\text{Pr}}[{\mathcal{G}}_{6} ] \,\).

G_{8}: As G_{7}, except that the \({\mathbf{Chal}}_{{\mathbf{b}}}\) oracle is modified as follows. Instead of \({\text{ChgRep}}_{{\mathcal{R}}} (M,\rho ,pk_{{\mathcal{R}}} )\), \((\Phi ,\Psi )\mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{1}\) is chosen, and \({\text{ChgRep}}_{{\mathcal{R}}} ((\Phi ,\Psi ),\rho ,pk_{{\mathcal{R}}} )\) is computed to answers to the \({\mathbf{Chal}}_{{\mathbf{b}}}\) query. According to DDH assumption, the winning probability of \({\mathcal{A}}\) is negligible, i.e.\(\left {{\text{Pr}}[{\mathcal{G}}_{8} ]  {\text{Pr}}[{\mathcal{G}}_{7} ]} \right \le N_{{{\text{Chal}}_{b} }} \cdot \epsilon_{{{\text{DDH}}}} (k)\). In G_{8}, the advantage of \({\mathcal{A}}\) can then only be 0 and the simulation is irrelevant the bit \(b\), i.e., \({\text{Pr}}[{\mathcal{G}}_{8} ] = \, {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern\nulldelimiterspace} 2}\).

G_{9}: As G_{9}, except that \(\psi_{3}^{*} \mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{2}\) is randomly choose.

G_{10}: As G_{9}, except that randomly choose \(\psi_{2}^{*} \mathop \leftarrow \limits^{\$ } {\mathbb{G}}_{1}\) is randomly choose.
The bound of success probability in G_{0} is \({{\rm Pr}}[{\mathcal{G}}_{0} ] \le {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern\nulldelimiterspace} 2} + N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k) \, + N_{Chalb} \cdot \epsilon_{{{\text{DDH}}}} (k) \, + \epsilon_{{{\text{zk}}_{J} }} (k) \, + \epsilon_{{{\text{zk}}_{o} }} (k) \, + \epsilon_{{{\text{SIM}}}} (k)\) (in the CPA case) or \({{\rm Pr}}[{\mathcal{G}}_{0} ] \le {1 \mathord{\left/ {\vphantom {1 2}} \right. \kern\nulldelimiterspace} 2} + N_{{{\text{AddU}}}} \cdot \epsilon_{CCA2} (k) \, + N_{{{\text{Chanl}}}} \cdot \epsilon_{{{\text{DDH}}}} (k) \, + \epsilon_{{{\text{zk}}_{J} }} (k) + \epsilon_{{{\text{zk}}_{o} }} (k) + \epsilon_{{{\text{SIM}}}} (k) + N_{o} \cdot \epsilon_{{{\text{EXT}}}} (k)\) (in the CCA2 case), which proves Theorem 2.
Theorem 3
The proposal achieves nonframeablity if П achieves soundness and adaptive zeroknowledge, SoK achieves simulatability and extractability, \(\sum\) achieves EUFCMA security, Ω achieves perfect correctness, and the coCDHI assumption holds.
Proof
(Sketch) Equivalence class related to each group member is chosen as the secret vector of the membership certificate, and this secret information is only known by the signer. The encryption of \(\hat{R} \in {\mathbb{G}}_{{2}}\) and digital signature are used an identity proof for providing means to open signatures. The signer issues a group signature, which consists of the randomized group signing key and the signature of knowledge. The unforgeability of \(\sum\) and perfect correctness of \(\Omega\) ensure that all valid signatures can be correctly opened. Moreover, the impossibility to unblind a user secret key under coCDHI, ensures the impossibility to counterfeit a signature owned by an honest group member. Additionally, the SoK guarantees that unblinded user secret keys can be extracted even if \({\mathcal{A}}\) has succeeded.
Proof
Let \(n \le {\text{poly}} (\kappa )\) denote the number of users.

G_{0}: The original nonframeability experiment.

G_{1}: As G_{0}, except that we guess \({\mathcal{A}}\) will attack the user \(i^{*}\) and if \({\mathcal{A}}\) attacks another user, we abort. The winning probability in G_{1} is in common with that in G_{0} unless an abortion happens, i.e., \({\text{Pr}}[{\mathcal{G}}_{1} ] = {\text{Pr}}[{\mathcal{G}}_{0} ] \cdot {1 \mathord{\left/ {\vphantom {1 n}} \right. \kern\nulldelimiterspace} n}\).

G_{2}: As G_{1}, except that executing \((crs_{J} ,td_{J} ) \leftarrow \Pi .{\mathcal{S}}_{1} (1^{\kappa } )\) rather than \(crs_{J} \leftarrow \Pi .Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm and the trapdoor information \(td_{J}\) is stored. Next, each call to \(\Pi .{\text{Proof}}\) at the stage of \({\text{GS.Join}}\) algorithm is simulated by the simulator \(\Pi .{\mathcal{S}}_{1}\). According to adaptive zeroknowledge of \(\Pi\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G_{1} and G_{2} is negligible, i.e., \(\left {{\text{Pr}}[{\mathcal{G}}_{2} ]  {\text{Pr}}[{\mathcal{G}}_{1} ]} \right \le \epsilon_{{{\text{zk}}_{J} }} (k)\)

G_{3}: As G_{2}, except that \(crs_{o}\) is obtained from a soundness challenger at the stage of \({\text{GS}}{.}GKGen\) algorithm. Therefore, G_{3} is conceptually identical to G_{2}, i.e., \({\text{Pr}}[{\mathcal{G}}_{3} ] = {\text{Pr}}[{\mathcal{G}}_{2} ]\).

G_{4}: As G_{3}, except that we setup the SoK via \((crs_{s} ,td_{s} ) \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) rather than \(crs_{s} \leftarrow {\text{Sok}}{.}Setup(1^{\kappa } )\) at the stage of \({\text{GS}}{.}GKGen\) algorithm, and the information \(td_{s}\) is stored. Next, each call to \({\text{Sok.Sign}}\) is simulated by the simulator. According to simulatability of \({\text{Sok}}\), the probability of winning the game that \({\mathcal{A}}\) successfully distinguishes G_{4} and G_{3} is negligible, i.e.,\(\left {{\text{Pr}}[{\mathcal{G}}_{4} ]  {\text{Pr}}[{\mathcal{G}}_{3} ]} \right \le \epsilon_{{{\text{SIM}}}} (k)\).

G_{5}: As G_{4}, except that we pick \(q,r\mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\) while queried for user \(i^{*}\) and let \({(}U_{{i^{*} }} ,Q_{{i^{*} }} {)}\) denote at the stage of \({\text{GS.Join}}\) algorithm (actually executed via the \({\mathbf{SndToU}}\)) \((r \cdot qP,qP) \,\). Next, on each Join for any user \(i \ne i^{*}\), it need to check that if the same class have been chosen for user \(i^{*}\) incidentally. The check process is performed via checking whether \(U_{{i^{*} }} = r_{i} \cdot Q_{{i^{*} }}\) using \(r_{i}\) that is the value for \(r\) selected for the user \(i\) when Joining. The check above does not need to acquire \(r\) for user \(i^{*}\) or the discrete logarithms \(q\).Both G_{4} and G_{5} proceed identically unless an abortion happens, the probability of which is \(\epsilon_{guess} (k) = n/(p  1)\), i.e., \(\left {{\text{Pr}}[{\mathcal{G}}_{5} ]  {\text{Pr}}[{\mathcal{G}}_{4} ]} \right \le \epsilon_{guess} (k)\).

G_{6}: As G_{5} except that a coCDHI instance \((aP,{1 \mathord{\left/ {\vphantom {1 a}} \right. \kern\nulldelimiterspace} a}\hat{P})\) in relation to \(BG\) is obtained and pick \(\hbar \mathop \leftarrow \limits^{\$ } {\mathbb{Z}}_{p}^{*}\). Next, we adjust the \({\text{GS.Join}}\) algorithm (actually executed via the \({\text{SndToU}}\)) while queried for \(i^{*}\) as below. Let \({(}U_{{i^{*} }} ,Q_{{i^{*} }} {)} = (\hbar P,aP)\), compute \(\hat{C}_{{J_{{i^{*} }} }} \leftarrow \Omega .{\text{Enc}}(pk_{o} ,\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern\nulldelimiterspace} a}\hat{P})\) and store \(\hbar\). Once execution is successful, let group signing key \(gsk_{i} : = \{ (U_{{i^{*} }} ,Q_{{i^{*} }} ,\sigma _{{Aj}} )\} _{{j \in [nt]}}\) and revocation token \(grt_{{i^{*} }} = U_{{i^{*} }}\) Because \(\hbar\) is uniformly random. Therefore, G_{6} is conceptually identical to G_{5}, i.e.,\({\text{Pr}}[{\mathcal{G}}_{6} ] = {\text{Pr}}[{\mathcal{G}}_{5} ]\).

G_{7}: As G_{6}, except that for each forgery output by the \({\mathcal{A}}\), \(\rho = {\text{Sok}}.{\text{Extract}}(crs_{s} ,td_{s} ,((P,\sigma_{1A} [1][2]),\sigma_{1A} m,\sigma_{2A} )))\)\([2]\)\(),\sigma_{1A} m,\sigma_{2A} )))\) is extracted and abort if the extraction fails. According to the extractability of the SoK, the unsuccessful probability of extracting a witness \(\rho\) is negligible. Therefore, both G_{7} and G_{6} proceed identically unless an extracting failure happens, i.e.,\(\left {{\text{Pr}}[{\mathcal{G}}_{7} ]  {\text{Pr}}[{\mathcal{G}}_{6} ]} \right \le \epsilon_{{{\text{EXT}}}} (k)\).

G_{8}: As G_{7}, except that we further adjust the \({\text{GS.Join}}\) algorithm while queried for user \(i^{*}\) (actually executed via the \({\mathbf{SndToU}}\) oracle) as below. Rather than obtaining \({(}usk_{{i^{*} }} ,upk_{{i^{*} }} )\) from \({\text{GS.UK}}Gen(1^{\kappa } )\), we set \(usk_{{i^{*} }} \leftarrow \emptyset\) and obtain \(upk_{{i^{*} }}\) by interacting with an EUFCMA challenger. Moreover, we obtain all required signatures via the oracle offered by the EUFCMA challenger. Therefore, G_{8} is conceptually identical to G_{7}, so \({\text{Pr}}[{\mathcal{G}}_{8} ] = {\text{Pr}}[{\mathcal{G}}_{7} ]\).
Now there are three possibilities when \({\mathcal{A}}\) creates a valid forgery.

1.
In the case that a signature for \(\hat{C}_{{J_{{i^{*} }} }}\) was never requested, thus an EUFCMA forger for \(\sum\) is \({\mathcal{A}}\) and the forgery is \((\hat{C}_{{J_{{i^{*} }} }} ,\sigma_{{J_{{i^{*} }} }} )\). The upper bound of the probability of this event is \(\epsilon_{f} (k)\).

2.
Otherwise, according to the perfect correctness of \(\Omega\), \(\hat{C}_{{J_{{i^{*} }} }}\) is deemed to honestly computed by the environment thus contains \({\hbar \mathord{\left/ {\vphantom {\hbar a}} \right. \kern\nulldelimiterspace} a}\hat{P}\). Furthermore, there are two following possibilities:

If \(e(\sigma_{{{\text{1A}}}} [1][1],\hat{P}) = e(\sigma_{{{\text{1A}}}} [1][2],{\hbar \mathord{\left/ {\vphantom {\hbar a}} \right. \kern\nulldelimiterspace} a}\hat{P})\), \({\mathcal{A}}\) is an adversary breaking coCDHI, because we can obtain \(((\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern\nulldelimiterspace} a}P,P),\sigma^{\prime}_{{{\text{A}}_{j} }} ) \leftarrow {\text{ChgRep}}_{{\mathcal{R}}} (\sigma_{1A} ,\rho^{  1} ,pk_{{\mathcal{R}}} )\) and use \(\hbar\) to output \(\hbar^{  1} \cdot (\hbar {{ \cdot 1} \mathord{\left/ {\vphantom {{ \cdot 1} a}} \right. \kern\nulldelimiterspace} a}P) = {1 \mathord{\left/ {\vphantom {1 a}} \right. \kern\nulldelimiterspace} a}P\). The upper bound of the probability of this event is \(\epsilon_{co  CDHI} (k)\).

(Otherwise,\({\mathcal{A}}\) has created an opening proof of a statement that does not belong to \(L_{RO}\). The upper bound of the probability of this event is \(\epsilon_{S} (k)\).

The result of merging the above upper bound is \(\epsilon_{nf8} (k) \le \epsilon_{f} (k) \, + \epsilon_{co  CDHI} (k) + \epsilon_{S} (k) \,\). Therefore, the upper probabilistic bound of the success of \({\mathcal{A}}\) in G_{1} is negligible, i.e.,\(\Pr [{\mathcal{G}}_{0} ] \le n \cdot (\epsilon_{nf8} (k) + \epsilon_{{{\text{zk}}_{J} }} (k) + \epsilon_{{{\text{SIM}}}} (k) + \epsilon_{{{\text{guess}}}} (k) + \epsilon_{{{\text{EXT}}}} (k))\).
Theorem 4
The proposal achieves traceability if SPSEQ achieves EUFCMA security and П achieves soundness.
Proof
(Sketch) The adversary is essentially concerned with two forgeries in \({\text{Exp}}_{{{\mathcal{G}\mathcal{S}} \cdot {\mathcal{A}}}}^{{{\text{Traceability}}}} (k)\): the forgery of the current group membership certificate and that of nonrevoked users’ tokens. The first type of forgery can be `reduced to the EUFCMA security of SPSEQ and the soundness of NIZK proof because group membership certificates are created based on SPSEQ and NIZK proof system. The second type of forgery, if an adversary can forge a valid signature after expiry time, then there exist a valid SPSEQ signatures which is not contained in the revocation list \({\text{RL}}_{{t^{*} }}\). Thus, the second forgery attack is also reduced to EUFCMA security of the SPSEQ. Therefore, traceability is guaranteed both by the EUFCMA security of the SPSEQ scheme and the soundness of the NIZK proof system.
Proof
Use \(q \le {\text{poly}} (\kappa )\) to denote the number of queries to the \({\mathbf{SndToI}}\) oracle.

G_{0}: The original traceability experiment.

G_{1}: As G_{0}, except that \(crs_{J}\) is obtained from a soundness challenger of \(\Pi\). Therefore, G_{1} is conceptually identical to G_{0}, i.e., \({\text{Pr}}[{\mathcal{G}}_{1} ] = {\text{Pr}}[{\mathcal{G}}_{0} ]\).

G_{2}: As G_{1} except that \(BG\) and \(pk_{{\mathcal{R}}}\) is obtained from an EUFCMA challenger of the SPSEQ. G_{2} is conceptually identical to G_{1}, i.e.\({\text{Pr}}[{\mathcal{G}}_{2} ] = {\text{Pr}}[{\mathcal{G}}_{1} ]\)

G_{3}: According to the winning condition \(i \notin {\mathcal{C}}\backslash {\mathcal{R}}_{t}\), \({\mathcal{A}}\) needs to inquiry the signing oracle of the SPSEQ to generate a counterfeit \(\sigma_{Aj}\) (namely type I forger) which is not published via the \({\mathbf{SndToI}}\) oracle. The Type II forger can be considered as in real game. As G_{0} except that upon successful execution of \({\mathbf{SndToI}}\), we obtain \(\hat{R} = \Omega .Dec(sk_{o} ,\hat{C}_{{J_{i} }} )\) and abort when \(e(U_{i} ,\hat{P}) \ne e(Q,\hat{R})\). If abortion happens, we obtain a valid proof \(\pi_{{J_{i} }}\) attesting that \({(}U_{i} ,Q,\hat{C}_{{J_{i} }} ,pk_{o} {)} \in L_{{R_{J} }}\), but by the perfect correctness of \(\Omega\) there exists no \(\omega\) so that \(\hat{C}_{{J_{i} }} = \Omega .{\text{Enc}}(pk_{o} ,r \cdot \hat{P};\omega ) \wedge U_{i} = r \cdot Q\), i.e., \({(}U_{i} ,Q,\hat{C}_{{J_{i} }} ,pk_{o} {)}\) is actually not in \(L_{{R_{J} }}\). Therefore, both G_{3} and G_{2} proceed identically as long as \({\mathcal{A}}\) does not break the soundness of NIZK in one oracle query, i.e., \(\left {{\text{Pr}}[{\mathcal{G}}_{3} ] = {\text{Pr}}[{\mathcal{G}}_{2} ]} \right \le q \cdot \epsilon_{s} (k) \,\).

G_{4}: According to the winning condition \(i \notin {\mathcal{C}}{{\backslash }}{\mathcal{R}}_{t}\), \({\mathcal{A}}\) needs to inquiry the signing oracle of the SPSEQ signature to create a forged nonrevoked certificate \(\sigma_{Bk}\) while the \({\mathbf{Revoke}}\) oracle is called. The Type I forger can be considered as in real game. As G_{3}, but obtain \(\sigma_{Bk}\) from an EUFCMA challenger of the SPSEQ. Therefore, G_{4} is conceptually identical to G_{3}, i.e., \({\text{Pr}}[{\mathcal{G}}_{4} ] = {\text{Pr}}[{\mathcal{G}}_{3} ]\)

G_{5}: According to the winning condition \(i \in {\mathcal{C}}\backslash {\mathcal{R}}_{t} \wedge t \ge \tau_{i}\), obviously, if \({\mathcal{A}}\) is able to create a valid signature when \(\tau_{i} < t^{*}\), there definitely exists a valid \(\sigma_{Bk}\) not contained in \(RL_{{t^{*} }}\).The unforgeability of expiry time is finally reduced to unforgeability of the SPSEQ scheme. Therefore, G_{5} is conceptually identical to G_{4}, i.e.,\({\text{Pr}}[{\mathcal{G}}_{5} ] = {\text{Pr}}[{\mathcal{G}}_{4} ]\).
If \({\mathcal{A}}\) finally produces a valid forgery signatures \(\sigma\), which contains an SPSEQ signature \(\sigma_{{{\text{1A}}}}\) for some \((rP,P)\) so that the registration table exits no entry \(i\) for corresponding \(r\hat{P}\) s.t. \(e(\sigma_{{{\text{1A}}}} [1][1],\hat{P}) = e(\sigma_{{{\text{1A}}}} [1][2],r\hat{P})\) holds. Consequently, \(\sigma_{{{\text{1A}}}}\) is a valid SPSEQ signature for an unqueried equivalence class and we can conclude that \({{\rm Pr}}[{\mathcal{G}}_{3} ] \le \epsilon_{F} (k)\) and then \({{\rm Pr}} [{\mathcal{G}}_{0} ] \le \epsilon_{F} (k) + q \cdot \epsilon_{S} (k)\) which proves the theorem.
Theorem 5
The proposal achieves weak opening soundness if Ω achieves perfect correctness and \(\sum\) achieves EUFCMA security.
Proof
(Sketch) \({\mathcal{A}}\) breaks weak opening soundness when he can forge an opening proof to eliminate the uniqueness of group members, which indicates that he can resist against the soundness of \(\Pi\) in the phase of \(GS.{\text{Judge}}\). The EUFCMA security of digital signatures and the perfect correctness of the PKE scheme guarantee that user \(i\) signed \(\sigma\) uniquely. Once \({\text{GS.Join}}\) is honestly executed for users \(i\) and \(j\), the probability that \(r\) (resp.\(\hat{R}\)) values of users \(i\) and \(j\) are identical is negligible.
Results and discussion
In Table 2, we summarize the characteristics of our scheme and other revocable group signatures schemes [23, 24, 27,28,29, 34] that are security in ROM and asymmetric pairingbased. Our proposal can resist the attack of the forgeability of expiry time for signing keys for following the way of GSTBK in [34], but the counterparts are not taken into account that attack. Moreover, we employed rerandomizable SPSEQ instead of traditional ones based on BBS + signature. The benefit of this method is gaining efficiency following the SRP paradigm, and thus avoiding the assumption of qSDH assumption and the knowledge of secret key (KOSK) that employed in [24, 29, 34]. The substantial drawback of the KOSK assumption is difficult to realize by existing infrastructure [35], and the qtype assumption leads to the Cheon attack [36].
Weak opening soundness is reasonable in many scenarios, where it needs to reward signers or prevent the abusers from transferring blame to someone else. The schemes of [23, 24, 29] and our proposal capture weak opening soundness, but others fail to possess the property. As mentioned before, introducing revocation functionality inevitably leads to the scheme fail to satisfy the anonymity because the revocation token could be derived from the signing key. In other words, it fails to prevent the leakages of group signing keys. Although our proposal can only achieve BU and selfless anonymity, it seems to be a reasonable price considering the benefits. The scheme of [27] shows the construction of the VLRGS with a fully anonymous, which is desirable but rather strict for reasonable application areas of group signature schemes. As a result, a slightly weaker notion of anonymity was suitable for more general use cases.
Table 3 shows an evaluation of the signature size, computational costs for the signing, and verification of revocable group signature schemes. The schemes [27, 28] have not provided instantiations. The scheme [24] achieves scalability in ROM, but the costs are asymptotically equal to that of the scheme [22]. As shown in Table 3, our proposal has the lowest cost in the signatures generation and verification processes due to avoiding complex \({\mathbb{G}}_{T}\) operation. Regarding signature size, our group signature contains respectively 10, 3, and 4 group elements in \({\mathbb{G}}_{{1}}\) \({\mathbb{G}}_{{2}}\) and \({\mathbb{Z}}_{p}\), which benefits from the SEP paradigm. Besides, the complexity of the CS method is acceptable. Consequently, our proposal is efficient on the computation cost and is suited for resourceconstrained systems.
Conclusion
In this article, we presented a revocable group signature that realizes the unforgeability of expiry time for signing keys, BUanonymity, nonframeability, traceability, weak opening soundness, and backward security. Moreover, the results showed that it is feasible in resourceconstrained settings for constant and efficient computational cost of signing algorithm. Our scheme essentially follows the BSZ model, which places reliance heavily on the monopolistic issuer and opener. In other words, there are no strategies against either corrupt opener disclosing privacy illegally or corrupt issuer counterfeiting credentials in the BSZ model. Those imperfections are bound to be barriers in the future. Thus, it is attractive to adopt group signatures with multiple issuers and openers for distributed applications in the future.
Availability of data and materials
Data sharing is not applicable to this article as no datasets are generated or analyzed during the current study.
Abbreviations
 IoT:

Internet of things
 SEP:

Signencryptprove
 SRP:

Signrandomizeproof
 ROM:

Random oracle model
 BU:

Backward unlinkability
 SPSEQ:

Structure preserving signatures on equivalence classes
 SoK:

Signature of knowledge
 NIZK:

Noninteractive zeroknowledge proof
 PKE:

Public key encryption
 RGS:

Revocable group signature
 RC:

Revocation check
 KOSK:

The knowledge of secret key
 TBK:

Timebound key
 GSTBK:

Group signature with timebound keys
References
 1.
A. Zanella, N. Bui, A. Castellani, L. Vangelista, M. Zorzi, Internet of things for smart cities. IEEE Internet Things J. 1(1), 22–32 (2014). https://doi.org/10.1109/JIOT.2014.2306328
 2.
L. Zhao, X. Dong, An industrial internet of things feature selection method based on potential entropy evaluation criteria. IEEE Access 6, 4608–4617 (2018). https://doi.org/10.1109/ACCESS.2018.2800287
 3.
R. Liu, Y. Wang, M. Shu, H. Zhao, C. Chen, Power control with nearest neighbor nodes distribution for coexisting wireless body area network based on stochastic geometry. KSII Trans. Internet Inf. Syst. 12(11), 5218–5233 (2018). https://doi.org/10.3837/tiis.2018.11.003
 4.
Y. Hu, Y. Zheng, X. Wu, H. Liu, A rendezvous node selection and routing algorithm for mobile wireless sensor network. KSII Trans. Internet Inf. Syst. 12(10), 4738–4753 (2018). https://doi.org/10.3837/tiis.2018.10.007
 5.
A. Anand, M. Conti, P. Kaliyar, C. Lal, TARE: topology adaptive rekeying scheme for secure group communication in IoT networks. Wirel. Netw. 26(4), 2449–2463 (2020). https://doi.org/10.1007/s1127601901975y
 6.
A. Castiglione, P. D’Arco, A.D. Santis, R. Russo, Secure group communication schemes for dynamic heterogeneous distributed computing. Future Gener. Comput. Syst. 74, 313–324 (2017). https://doi.org/10.1016/j.future.2015.11.026
 7.
L.U. Khan, I. Yaqoob, N.H. Tran, S.M.A. Kazmi, T.N. Dang, C.S. Hong, Edgecomputingenabled smart cities: a comprehensive survey. IEEE Internet Things J. 7(10), 10200–10232 (2020). https://doi.org/10.1109/JIOT.2020.2987070
 8.
J. Lin, W. Yu, N. Zhang, X. Yang, H. Zhang, W. Zhao, A survey on internet of things: architecture, enabling technologies, security and privacy, and applications. IEEE Internet Things J. 4(5), 1125–1142 (2017). https://doi.org/10.1109/JIOT.2017.2683200
 9.
D. Chaum, E. van Heyst, in EUROCRYPT'91: Advances in Cryptology—EUROCRYPT’91, ed. by DW Davies. Workshop on the Theory and Application of of Cryptographic Techniques, Brighton, April 1991. Lecture Notes in Computer Science, vol. 547 (Springer, Heidelberg, 1991), p. 257.
 10.
J.K. Liu, C. Chu, S.S.M. Chow, X. Huang, M.H. Au, J. Zhou, Timebound anonymous authentication for roaming networks. IEEE Trans. Inf. Forensics Secur. 10(1), 178–189 (2015). https://doi.org/10.1109/TIFS.2014.2366300
 11.
K. Kluczniak, J. Wang, X. Chen, M. Kutylowski, Multidevice anonymous authentication. Int. J. Inf. Secur. 18, 181–197 (2019). https://doi.org/10.1007/s1020701804064
 12.
T. Feng, X. Chen, C. Liu, X. Feng, Research on privacy enhancement scheme of blockchain transactions. Secur. Privacy 2(6), e89 (2019). https://doi.org/10.1002/spy2.89
 13.
M. Bellare, D. Micciancio, B. Warinschi, in EUROCRYPT'03: Advances in CryptologyEUROCRYPT 2003, ed. by E Biham. 22th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, May 2003. Lecture Notes in Computer Science, vol. 2656 (Springer, Heidelberg, 2003), p. 614.
 14.
M. Bellare, H. Shi, C. Zhang, in CTRSA'05: Topics in Cryptology, ed. by A Menezes. The Cryptographers' Track at the RSA Conference 2005, San Francisco, CA, February 2005. Lecture Notes in Computer Science, vol. 3376 (Springer, Heidelberg, 2005), p. 136.
 15.
Y. Sakai, J.C.N. Schuldt, K. Emura, G. Hanaoka, K. Ohta, in PKC'12: Public Key Cryptography—PKC 2012, ed. by M Fischlin, J Buchmann, M Manulis. 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, May 2012. Lecture Notes in Computer Science, vol. 7293 (Springer, Heidelberg, 2012), p. 715.
 16.
P. Bichsel, J. Camenisch, G. Neven, N.P. Smart, B. Warinschi, in SCN'10: Security and Cryptography for Networks, ed. by JA Garay, R De Prisco. 4th Security and Cryptography for Networks, Amalfi, September 2010. Lecture Notes in Computer Science, vol. 6280 (Springer, Heidelberg, 2010), p. 381.
 17.
D. Derler, D. Slamanig, in AsiaCCS'18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, ed. by J Kim, GJ Ahn, S Kim, Y Kim, J López, T Kim. The 13th ACM Asia Conference on Computer and Communications Security, Incheon, June 2018. Lecture Notes in Computer Science, (ACM, 2018), p. 551.
 18.
C. Hanser, D. Slamanig, in ASIACRYPT'14: Advances in CryptologyASIACRYPT 2014, ed. by P. Sarkar, T Iwata. 20th International Conference on the Theory and Application of Cryptology and Information Security, Taiwan, December 2014. Lecture Notes in Computer Science, vol. 8873 (Springer, Heidelberg, 2014), p. 491.
 19.
G. Fuchsbauer, C. Hanser, D. Slamanig, Structurepreserving signatures on equivalence classes and constantsize anonymous credentials. J. Cryptol. 32, 498–546 (2019). https://doi.org/10.1007/s0014501892814
 20.
D. Boneh, X. Boyen, H. Shacham, in CRYPTO'04: Advances in CryptologyCRYPTO 2004, ed. by M Franklin. 24th Annual International Cryptology Conference, Santa Barbara, August 2004. Lecture Notes in Computer Science, vol. 3152 (Springer, Heidelberg, 2004), p. 41.
 21.
T. Nakanishi, H. Fujii, Y. Hira, N. Funabiki, in PKC'09: Public Key Cryptography—PKC 2009, ed. by S Jarecki, G Tsudik. 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, March 2009. Lecture Notes in Computer Science, vol. 5443 (Springer, Heidelberg, 2009), p. 463.
 22.
B. Libert, T. Peters, M. Yung, in CRYPTO'12: Advances in CryptologyCRYPTO 2012, ed. by R. SafaviNaini, R. Canetti. 32nd Annual Cryptology Conference, Santa Barbara, August 2012. Lecture Notes in Computer Science, vol. 7417, (Springer, Heidelberg, 2012), p. 571.
 23.
T.H. Emura, in ISC'18: Information SecurityISC 2018, ed. by L. Chen, M. Manulis, S. Schneider. 21st International Conference, Guildford, September 2018. Lecture Notes in Computer Science, vol. 11060 (Springer, Cham, 2018), p. 442.
 24.
K. Ohara, K. Emura, G. Hanaoka, A. Ishida, K. Ohta, Y. Sakai, Shortening the Libert–Peters–Yung revocable group signature scheme by using the random oracle methodology. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E102(9), 1101–1117 (2019). https://doi.org/10.1587/transfun.E102.A.1101
 25.
J. Camenisch, A. Lysyanskaya, in CRYPTO'02: Advances in CryptologyCRYPTO 2002, ed. by M Yung. 22nd Annual International Cryptology Conference, Santa Barbara, August 2002. Lecture Notes in Computer Science, vol. 2442 (Springer, Heidelberg, 2002), p. 61.
 26.
T. Nakanishi, N. Funabiki, in IWSEC'06: Advances in Information and Computer Security, ed. by H Yoshiura, K Sakurai, K Rannenberg, Y Murayama, S Kawamura. First International Workshop on Security, Kyoto, October 2006. Lecture Notes in Computer Science, vol. 4266 (Springer, Heidelberg, 2006), p.17.
 27.
A. Ishida, Y. Sakai, K. Emura, G. Hanaoka, K. Tanaka, in SCN'18: Security and Cryptography for NetworksSCN 2018, ed. by D Catalano, R De Prisco. 11th International Conference on Security and Cryptography for Networks, Amalfi, September 2018. Lecture Notes in Computer Science, vol. 11035 (Springer, Cham, 2018), p.23.
 28.
M.N.S. Perera, T. Koshiba, in IDCS'18: Internet and Distributed Computing SystemsIDCS 2018, ed. by Y Xiang, J Sun, G Fortino, A Guerrieri, J Jung. 11th International Conference on Internet and Distributed Computing Systems, Tokyo, October 2018. Lecture Notes in Computer Science, vol. 11226 (Springer, Cham, 2018), p. 134.
 29.
X. Yue, M. Xi, B. Chen, M. Gao, J. Xu, A revocable group signatures scheme to provide privacypreserving authentications. Mob. Netw. Appl. (2020). https://doi.org/10.1007/s11036019014595
 30.
W.T. Zhu, R.H. Deng, J. Zhou, F. Rao, Timebound hierarchical key assignment: an Overview. Ice Trans. Inf. Syst. 93(5), 1044–1052 (2010). https://doi.org/10.1587/transinf.E93.D.1044
 31.
C.K. Chu, J.K. Liu, X. Huang, in ASIACCS'12: Information, Computer and Communications Security, ed. by N Foo, R Goebel. 7th ACM Symposium on Information, Computer and Communications Security, Seoul, May 2012 Lecture Notes in Computer Science, vol. 1114 (ACM, 2012), p. 26.
 32.
R. Zhang, L. Liu, R. Xue, Rolebased and timebound access and management of EHR data. Secur. Commun. Netw. 7(6), 1–22 (2014). https://doi.org/10.1002/sec.817
 33.
L. Malina, J. Hajny, V. Zeman, Lightweight group signatures with timebound membership. Secur. Commun. Netw. 9(7), 599–612 (2016). https://doi.org/10.1002/sec.1383
 34.
K. Emura, T. Hayashi, A. Ishida, Group signatures with timebound keys revisited: a new model, an efficient construction, and its implementation. IEEE Trans. Dependable Secure Comput. 17(2), 292–305 (2020). https://doi.org/10.1109/TDSC.2017.2754247
 35.
T. Ristenpart, S. Yilek, in EUROCRYPT'07: Advances in Cryptology EUROCRYPT 2007, ed. by M Naor. 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, May 2007. Lecture Notes in Computer Science, vol. 4515 (Springer, Heidelberg, 2007), p. 228.
 36.
J.H. Cheon, Discrete logarithm problems with auxiliary inputs. J. Cryptol. 23(3), 457–547 (2010)
Acknowledgements
The authors would like to thank the reviewers for their meticulous and constructive suggestions, for improving this article.
Funding
This work is supported by the National Natural Science Foundation of China (Grant No. 61762060), Educational Commission of Gansu Province, China (Grant No. 2017C05), Natural Science Foundation of Gansu Province, China (Grant No. 20JR5RA467), Foundation for the Key Research and Development Program of Gansu Province, China (Grant No. 20YF3GA016).
Author information
Affiliations
Contributions
JF proposed the scheme and is the main writer of the manuscript. TF is the corresponding author and gave important advices with the respect to the construction, result, and writing. Both authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declared no potential conflicts of interest with respect to this article.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Fang, J., Feng, T. Group signature with timebound keys and unforgeability of expiry time for smart cities. J Wireless Com Network 2021, 113 (2021). https://doi.org/10.1186/s1363802101948w
Received:
Accepted:
Published:
Keywords
 Group signatures
 Unforgeability of expiry time
 Timebound keys
 Internet of things
 Smart cities