Group signature with time-bound keys and unforgeability of expiry time for smart cities

The Internet of Things (IoT) lays the foundation for the various applications in smart cities, yet resource-constrained IoT devices are prone to devastating cyberattacks and privacy leakage, and are therefore inevitably regarded as the weakest link of the systems in smart cities. Mitigating the security risks to data and the computational limitations of edge devices, in particular identity authentication and key validity management for groups of devices, is essential for IoT system security. In order to tackle the issues of anonymity, traceability, unforgeability of expiry time and efficient membership revocation for the life-cycle management of devices in the IoT setting, we present a dynamic time-bound group signature with unforgeability of expiry time. Unforgeability of expiry time prevents a revoked signer from creating a valid signature by associating the signing key with an expiry time. The anonymity and traceability of the proposed scheme contribute to the identity privacy of the entities and to supervision by the authority. Moreover, our proposal is feasible in the resource-constrained setting owing to the efficient computational cost of the signing and verification algorithms.

As described in Fig. 1, IoT devices are usually grouped according to their functionality or location to perform tasks of data collection, transmission and command execution. Traditional resource-limited IoT devices are typically not secure by design and are located at the edge of smart city ecosystems; thus they are vulnerable to security and privacy threats that can trigger devastating losses [8]. Generally, data confidentiality, integrity and device authentication within groups must be guaranteed [5]. In addition, anonymity is indispensable to prevent identity privacy leakage, and traceability is expected when supervision or audit organizations need to identify malicious devices. The optimum solution to the questions mentioned above is a scheme employing group signatures [9]. In a group signature, any group member is allowed to anonymously generate signatures on behalf of the entire group, and a signature can be opened to reveal a misbehaving member in case of a dispute. Consequently, group signatures have proved to be an appropriate way to ensure authentication, anonymity and traceability in numerous privacy-preserving schemes [10][11][12].
In general, the following security and privacy problems are essential in practice and need to be considered. Firstly, efficient and flexible registration and revocation functionality is indispensable for practical purposes, due to constantly moving devices and unreliable signals. A dynamic group signature is more complex than a static one, but it is more efficient and more usable in mobile IoT settings because it does not require frequent re-initialization. Revocation usually degrades efficiency; consequently, it is important to speed up revocation checks, especially in resource-constrained settings. Moreover, it is necessary to maintain security after group members are revoked. Besides, it is worth noting that the validity period of data and devices is crucial for lifecycle management and even for accounting of economic value. However, a forgery attack on the expiry time would allow data, devices or services to be exploited inappropriately, and consequently harm the interests of stakeholders. In addition, the encryption procedure employed in group signatures is heavy for IoT devices and therefore needs to be removed or reduced by means of a novel signature scheme. Naturally, how to realize an efficient revocable dynamic group signature with unforgeability of expiry time in the IoT setting is a tough but critical question.

Related work
Group signatures, introduced by Chaum and van Heyst [9], were strictly formalized as the static BMW model [13] and further extended to the dynamic BSZ model [14]. In the static BMW model, the group manager is responsible for opening signatures and honestly generating keys for predefined group members at the setup stage. In the dynamic BSZ model, however, any new member is allowed to join the group at any time after the initial setup, and the monolithic group manager of the static model is separated into an issuer and an opener. These ingenious works introduced general constructions, which have become the implicit framework for most subsequent group signatures. Subsequently, Sakai et al. [15] explored a slightly modified scheme by defining the notion of weak opening soundness, which requires that no malicious user can fabricate an opening proof and claim ownership of a signature issued by an honest one. Weak opening soundness is reasonable in practical settings because it achieves an acceptable trade-off between computational cost and the anticipated security guarantees.
The widely used construction paradigm for group signatures is the modular Sign-Encrypt-Prove (SEP) paradigm, which typically consists of three steps. Firstly, the issuer and the group member run an interactive protocol to generate the signing key, namely a certificate associated with the identity of the member. Then the group member generates a digital signature on the message together with an encryption of her identity. Finally, a non-interactive zero-knowledge (NIZK) proof is provided to show that the user possesses a legitimate certificate. Unfortunately, the main drawback of the SEP paradigm is inefficiency due to the complexity of the NIZK proof and the encryption. To solve this issue, Bichsel et al. [16] explored an efficient alternative called the Sign-Randomize-Prove (SRP) paradigm and removed explicit encryption by employing re-randomizable signatures during group signature generation, guaranteeing that multiple randomized versions of the same signature are unlinkable. In particular, they improved efficiency by proving a signature of knowledge (SoK) on the message instead of a NIZK proof. Following this paradigm, Derler and Slamanig [17] contributed a highly efficient dynamic group signature construction that employs structure-preserving signatures on equivalence classes (SPS-EQ) [18,19]. SPS-EQ defines a relation $\mathcal{R}$ that partitions the message space, so that signing one representative of a partition effectively signs the whole partition. In particular, an SPS-EQ signature can be transformed to any other representative of the partition without any knowledge of the secret key. It is also noteworthy that the scheme of Derler and Slamanig is especially suited to resource-constrained devices because the signature size of their CPA-fully-anonymous instantiation is shorter than that of the classical BBS scheme [20].
It is indispensable for practical purposes to provide revocation functionality, which, however, usually degrades efficiency. Consequently, it is important to speed up revocation checks, especially in the resource-constrained setting. More precisely, the revocation check (RC) is classified into implicit and explicit revocation. Implicit revocation means that a revoked signer cannot compute signatures that pass the verification check, so she needs to prove both that she is unrevoked and that she is enrolled in the group. Hence, in implicit revocation [21][22][23][24], the signing algorithm is computationally expensive, whereas the verification cost is relatively low. Conversely, in the explicit case, all signers can create signatures that pass the verification check, but a verifier needs to additionally run the RC procedure to check whether the signer has been revoked. Thus, in explicit revocation [25][26][27][28], a signer only proves her membership. Accordingly, the signing algorithm has a relatively low computational cost, while the verification part is computationally expensive because of the supplementary RC procedure. Therefore, explicit RC implies lower power consumption than the implicit case for the IoT devices acting as data producers.

Fig. 1 Overview of the IoT architecture (figure labels: Core network, IoT Devices)
Typically, the computational cost of RC increases linearly with the size of the revocation list. Therefore, there is a high demand for a flexible revocation approach that reduces the size of the revocation list. Libert et al. [22] put forward the classical paradigm for revocable group signatures (RGS) in the standard model, based on the complete subtree algorithm. Unfortunately, the solution fails to achieve sufficient efficiency in practice, due to its use of the standard model and Groth-Sahai proofs. We additionally remark that constructions in the asymmetric pairing setting and the random oracle model (ROM) are highly desirable in view of efficiency and suitability for the resource-constrained context, although those in the standard model or based on lattices are quite attractive. Ohara et al. [24] showed an RGS scheme called parallel BBS group signature, whose costs are asymptotically identical to those of the LPY scheme [22]. Nonetheless, the cost of the signing process in [22] is relatively high due to implicit revocation. Emura and Hayashi [23] proposed an RGS scheme under a simple assumption by employing the methodology of [24]; they modified their proposal to support weak opening soundness, since the LPY model is incapable of ownership proof. Ishida et al. [27] came up with a fully anonymous group signature, where the revocation component is achieved using additional key pairs of a key-private public key encryption scheme. Their design is not fully dynamic because it follows the BMW construction, and it also fails to provide an instantiation and an efficiency evaluation. Very recently, Yue et al. [29] offered a distributed RGS scheme with backward security by introducing a trusted authority.
Besides, time-bound key (TBK) management techniques [30], in which a secret key is embedded with a timestamp, are usually combined with group key management, broadcast encryption, group signatures and attribute-based encryption for efficient revocation, access control and anonymous authentication along the time dimension [5,31,32,33,34]. It is crucial to highlight that, in order to reduce the expense of RC in practical settings, Chu et al. [31] detailed a feasible method called group signature with time-bound keys (GS-TBK). In GS-TBK, the signing key of each member is bound to an expiry time, and verifiers check whether signers produced group signatures with expired keys. The proposal can be regarded as a solution that simultaneously supports both "natural" and "premature" revocation. "Natural" revocation means that only signers holding non-expired keys can create signatures that pass the verification check, whereas "premature" revocation means that signers can be revoked in advance, even though their expiry times have not passed, and thus verifiers need to run the RC procedure. The number of prematurely revoked signers is merely a small proportion of all revoked members; thus, the size of the revocation list and the cost of RC are significantly cut down [10,34]. Subsequently, Emura et al. [34] revisited the definition of traceability in GS-TBK by adding the unforgeability of expiry time for signing keys [24]. The forgery attack refers to an adversary forging a valid signature after the expiry time $\tau$. Specifically, [34] defined a complete subtree algorithm for time-bound keys (CS-TBK), similar to the CS method, and proposed a novel group signature in the proposed model. Assuming that $T$ represents the maximum length of time and equals the number of leaf nodes of the binary tree $\mathsf{BT}$, the subtrees covering all non-revoked nodes can be found.
The underlying primitive of the proposal is the BBS+ signature [20]. Regarding security properties, the scheme provides backward-unlinkable anonymity (BU-anonymity), traceability and non-frameability. A constant signing cost is achieved, unlike the earlier solution where the efficiency of signing depends entirely on the bit length of the time representation. Similarly, Malina et al. [33] and Perera et al. [28] provided group signatures with time-bound membership but do not consider premature revocation and fail to resist forgery of the signing time and the expiry time.

Motivation and our contribution
To sum up, it is necessary to propose an efficient fully dynamic group signature following the SRP paradigm that minimizes the revocation verification cost. Our construction is based on a tailored combination of the dynamic group signature scheme following the SRP model in [17] and the GS-TBK scheme in [34]. The main contributions are summarized below.
• Efficient and flexible registration and revocation functionality is realized by combining a novel dynamic group signature scheme with the GS-TBK scheme.
• The design is secure against forgery of expiry time and against the backward attack, which prevents revoked signers from generating group signatures associated with future periods.
• A relatively low and constant computational cost at the signing stage is achieved by employing re-randomizable structure-preserving signatures on equivalence classes (SPS-EQ).
• The cost of the verification algorithm, which is linear in the number of prematurely revoked signers rather than in the total number of revoked signers, is significantly cut down.
• BU-anonymity, traceability, non-frameability and weak opening soundness are fully guaranteed.
The remainder of this article is structured as follows. Some related definitions are recalled in Sect. 2. Then Sect. 3 focuses on the formal description of the proposed scheme and security model. Section 4 describes the details of the construction and analysis of security. In Sect. 5, the comparison with the related solutions will be discussed. Finally, Sect. 6 concludes the article.

Preliminaries
Next, some cryptographic preliminaries used in this article are recalled. The detailed definitions of digital signatures, public key encryption (PKE), NIZK proof systems and SoK can be found in [17].
The notation $z \xleftarrow{R} Z$ means that $z$ is chosen uniformly at random from a finite set $Z$. Let $z \leftarrow \psi(x)$ denote that the randomized function $\psi$ is run on input $x$ and outputs $z$.
All algorithms are assumed to run in polynomial time and to output $\bot$ if any error happens. $\Pr[\,\cdot : E]$ denotes the probability of an event $E$ over the indicated probability space. A function $\epsilon : \mathbb{N} \to \mathbb{R}^+$ is negligible if there exists a constant $k_0 \in \mathbb{N}$ such that $\epsilon(k) < 1/k^c$ for all $k > k_0$ and any positive number $c$.

Definition 1
The Decisional Diffie-Hellman (DDH) assumption states that no adversary $\mathcal{A}$ can break the DDH problem except with negligible advantage $\epsilon(\kappa)$. That is, the advantage of $\mathcal{A}$ is bounded by $\epsilon(\kappa)$, where $\log_2 P = \kappa$ and $P$ is the prime order of the group $G$.

Definition 2
The Symmetric External Diffie-Hellman (SXDH) assumption states that the DDH assumption holds in both $G_1$ and $G_2$.

Definition 3
The Computational co-Diffie-Hellman Inversion (co-CDHI) assumption states that no polynomial-time adversary $\mathcal{A}$ can break the co-CDHI problem with non-negligible probability. That is

SPS-EQ
An SPS-EQ scheme is defined by the following algorithms:
$\mathsf{BGGen}(1^\kappa)$: takes a security parameter $\kappa$ and outputs a bilinear group $\mathsf{BG}$.
$\mathsf{KGen}_R(\mathsf{BG}, \ell)$: takes $\mathsf{BG}$ and a vector length $\ell$, and outputs a key pair $(\mathsf{sk}_R, \mathsf{pk}_R)$.
$\mathsf{Sign}_R(E, \mathsf{sk}_R)$: takes a representative $E \in (G_i^*)^\ell$ of an equivalence class $[E]_R$ and a secret key $\mathsf{sk}_R$, and outputs an SPS-EQ signature.
$\mathsf{ChgRep}_R(E, \sigma, \mu, \mathsf{pk}_R)$: takes a representative $E$, a signature $\sigma$ for $E$, a scalar $\mu$ and a public key $\mathsf{pk}_R$, and outputs a fresh message-signature pair $(E', \sigma')$, where $E' = \mu \cdot E$ is the new representative and $\sigma'$ is the correspondingly updated signature.
$\mathsf{Vrf}_R(E, \sigma, \mathsf{pk}_R)$: takes a representative $E \in (G_i^*)^\ell$, a signature $\sigma$ and a public key $\mathsf{pk}_R$, and outputs 0 or 1.
$\mathsf{Vkey}_R(\mathsf{sk}_R, \mathsf{pk}_R)$: takes a secret key $\mathsf{sk}_R$ and a public key $\mathsf{pk}_R$, and outputs 0 or 1.

Definition 6
Existential unforgeability under adaptive chosen-message attacks (EUF-CMA) holds for an SPS-EQ scheme on $(G_i^*)^\ell$ if there exists a negligible function $\epsilon(\cdot)$ such that, for any PPT adversary with access to a signing oracle $\mathcal{O}^{\mathsf{Sign}_R}$: where $Q^{\mathsf{Sign}_R}$ is the set of queries that the adversary has sent to the signing oracle $\mathcal{O}^{\mathsf{Sign}_R}$.

Definition 7
Perfect adaption holds for an SPS-EQ scheme on $(G_i^*)^\ell$ if $(\mu E, \mathsf{Sign}_R(\mu E, \mathsf{sk}_R))$ and $\mathsf{ChgRep}_R(E, \sigma, \mu, \mathsf{pk}_R)$ are identically distributed for any tuple $(\mathsf{sk}_R, \mathsf{pk}_R, E, \sigma, \mu)$ as long as

CS-TBK
The CS-TBK algorithm detailed in [34] is used to find the subtrees containing all non-revoked nodes. Let $T$ denote the maximum size of the expiry time $\tau$; the number of leaf nodes in the binary tree $\mathsf{BT}$ is therefore $T$. Both the current time $t$ and the expiry time $\tau$ are mapped to corresponding leaf nodes. If $\tau$ is assigned to a leaf node $\eta$, the issuer produces a signature for each node of $\mathsf{Path}(\eta)$ via the CS-TBK algorithm and then sends these signatures to the signers with expiry time $\tau$. Although several signers with the same expiry time share a common leaf node $\eta$, the signatures of those signers differ because of the randomness. All leaves to the left of the leaf node corresponding to a certain time $t$ are revoked, since their expiry times lie before $t$. The expiration information $\mathsf{info}_t$ at time $t$ consists essentially of signatures on the non-revoked nodes produced according to the CS-TBK algorithm.
For example, let $T = 8$ and let $\tau$ correspond to node 11; signers with expiry time $\tau$ obtain signatures on nodes 1, 2, 5 and 11. As shown in Fig. 2a, nodes 8 and 9 are revoked when $t < \tau$, namely when the current time $t$ is before the expiry time $\tau$, whereas nodes 3 and 5 are chosen as the roots of the subtrees covering all non-revoked nodes, that is, nodes 10-15. Thus, $\mathsf{info}_t$ contains the signatures on the non-revoked subtrees rooted at node 3 and node 5. Later, the signers can prove in a zero-knowledge manner that they own a signature on node 5, which is also contained in the corresponding $\mathsf{info}_t$. As shown in Fig. 2b, when $t > \tau$, nodes 8, 9, 10 and 11 are revoked. Thus, $\mathsf{info}_t$ contains the signature on the subtree rooted at node 3 but none on node 5.

Scheme
In this part, we present the model for revocable group signatures with time-bound keys and unforgeability of expiry time (RGS-TBK-UET). Several entities are involved in our scheme: a trusted party responsible for initial key generation and distribution, two authorities called the issuer and the opener, and a set of users trying to join the group. The proposal consists of the following algorithms.
GS.GKGen$(1^\kappa) \to (\mathsf{gpk}, \mathsf{ik}, \mathsf{ok})$: The algorithm takes the security parameter $1^\kappa$ and outputs the group public key $\mathsf{gpk}$, the issuing key $\mathsf{ik}$ and the opening key $\mathsf{ok}$. The algorithm also initializes the user registration table $\mathsf{reg}$.
User key generation: The algorithm takes the public parameters and outputs a secret/public key pair $(\mathsf{usk}_i, \mathsf{upk}_i)$ for user $i$.
GS.Join$(\mathsf{gpk}, \mathsf{usk}_i, \mathsf{upk}_i)$, GS.Issue$(\mathsf{gpk}, \mathsf{ik}, i, \mathsf{upk}_i, \mathsf{reg}, \tau_i)$: In order to add a user to the group, the issuer and the user execute this interactive protocol, which is usually assumed to run over a secure channel. The joining algorithm is run by the user with $(\mathsf{usk}_i, \mathsf{upk}_i)$, whereas the issuing algorithm is run by the issuer with inputs $\mathsf{gpk}$, $\mathsf{ik}$, $\mathsf{upk}_i$, $\mathsf{reg}$ and $\tau_i$. On success, the joining algorithm outputs $(\mathsf{gsk}_i, \tau_i)$ and the issuing algorithm outputs the registration table $\mathsf{reg}$ with an entry added for user $i$.
GS.Revoke$(i, \mathsf{ik}, t, R_t, \mathsf{reg}) \to (\mathsf{RL}_t, \mathsf{info}_t)$: The issuer runs this algorithm to generate the expiration information and the revocation list $\mathsf{RL}_t$ of revoked signers at time $t$. On input $i$, $\mathsf{ik}$, $t$, $R_t$ and $\mathsf{reg}$, it outputs $(\mathsf{RL}_t, \mathsf{info}_t)$. The algorithm computes a revocation token $\mathsf{grt}_{i,t}$ for each $i$ with $t < \tau_i$ and stores $\mathsf{grt}_{i,t}$ in $\mathsf{RL}_t$. Besides, the expiration information $\mathsf{info}_t$ is computed.
GS.Sign$(\mathsf{gpk}, \mathsf{gsk}_i, m, t, \mathsf{info}_t) \to \sigma$: The algorithm takes the group public key $\mathsf{gpk}$, the group signing key $\mathsf{gsk}_i$, a message $m$, the current time $t$ and the group information $\mathsf{info}_t$, and outputs a group signature $\sigma$.
GS.Verify$(\mathsf{gpk}, m, \sigma, t, \mathsf{RL}_t) \to 0/1$: This deterministic algorithm can be run by anyone holding the group public key $\mathsf{gpk}$ to check whether $\sigma$ is a valid group signature on $m$.
GS.Open$(\mathsf{gpk}, \mathsf{ok}, \mathsf{reg}, m, \sigma) \to (i, \pi)$: Given the group public key $\mathsf{gpk}$, the opening key $\mathsf{ok}$, the registration table $\mathsf{reg}$, a message $m$ and a signature $\sigma$, the opener extracts the identity of the signer and a proof, and returns a pair $(i, \pi)$ with a nonnegative integer $i$. The output $(0, \pi)$ indicates that the opener fails to attribute the signature to any group member. If $i > 0$, the opener claims that the group member with identity $i$ produced the signature, and $\pi$ is the corresponding evidence for this claim.
GS.Judge$(\mathsf{gpk}, m, \sigma, i, \mathsf{upk}_i, \pi) \to 0/1$: Anyone in possession of $\mathsf{gpk}$ can deterministically judge the validity of $\pi$ given the group public key $\mathsf{gpk}$, a message $m$, a signature $\sigma$, a user $i$, its public key $\mathsf{upk}_i$ and a proof $\pi$. If $\pi$ is a valid proof that the group member with identity $i$ produced the signature $\sigma$, the algorithm outputs 1, and otherwise 0.

Security model
Generally, the attack capabilities of adversaries are formalized via access to certain subsets of oracles, which are detailed in Fig. 3. The security experiments corresponding to the different requirements of the group signature are shown in Fig. 4. The following lists used in the oracles are assumed to be global and maintained by the environment. Notably, $\mathcal{A}$ is capable of choosing the personal secret keys of corrupted users, and obtains both the personal and the group signing keys of bad users.
AddU: $\mathcal{A}$ adds an honest user with identity $i \in \mathbb{N}$ and expiry time $\tau_i$ to the group.
RReg: $\mathcal{A}$ can read information from the registration table.
WReg: $\mathcal{A}$ is allowed to modify a specified value of the registration table.
USK: $\mathcal{A}$ inputs an identity $i \in \mathbb{N}$ and is returned the personal private key $\mathsf{usk}_i$ and the private signing key $\mathsf{gsk}_i$ of that user.
Sign: $\mathcal{A}$ obtains a signature on behalf of an honest user from the signing oracle.
$\mathsf{Chal}_b$: $\mathcal{A}$ chooses two non-revoked honest members $(i_0, i_1)$ as challenge users and obtains a challenge signature by calling the challenge oracle in the anonymity experiment. Additionally, $(m, \sigma, t)$ is added to the challenge signature set $\mathsf{CL}$. The adversary may call the challenge oracle only once.
Open: $\mathcal{A}$ receives the identity and the proof for a signature by running the opening algorithm, as long as the signature $\sigma$ is not part of the challenge set $\mathsf{CL}$.
Revoke: $\mathcal{A}$ removes users by calling the revocation oracle.
CrptU: $\mathcal{A}$ registers a chosen value $\mathsf{pk}$ as the personal public key $\mathsf{upk}_i$ of a newly corrupted user $i$ before calling the SndToU oracle.
SndToU: $\mathcal{A}$ interacts with an honest user on behalf of the corrupted issuer.
SndToI: $\mathcal{A}$ communicates with an honest issuer in the user role.

Fig. 2 The example of the CS-TBK

Security notions
The definitions of correctness and of the main security attributes of the scheme are the focus of this subsection. Let $\mathsf{Adv}^{\mathsf{GS}}_{\mathcal{A}}(k) = \Pr[\mathsf{Exp}^{\mathsf{GS}}_{\mathcal{A}}(k) = 1] \le \epsilon(k)$ formally denote that the advantage of a polynomial-time adversary $\mathcal{A}$ in winning the respective experiment of Fig. 4 is negligible.

Definition 8
The scheme achieves correctness if $\mathsf{Adv}^{\mathsf{correctness}}$ is negligible. Correctness states that any honest non-revoked group member should be able to issue valid signatures on any message. Given a message and a signature, the opening algorithm ought to correctly recover the identity of the original signer, and it produces a publicly verifiable proof that should be accepted by the judging algorithm.

Definition 9
Anonymity with backward unlinkability (BU-anonymity) means that $\mathcal{A}$ cannot distinguish the identities of signers from their signatures, even for signatures of signers who are revoked. Specifically, $\mathcal{A}$ breaks anonymity if it guesses the real value of the bit $b$ of the $\mathsf{Chal}_b$ oracle correctly. Moreover, $\mathcal{A}$ is allowed to access the Open oracle and to obtain the signing keys of all users except the challenge users.

Definition 10
The scheme achieves non-frameability if $\mathsf{Adv}^{\mathsf{Non\text{-}Frame}}$ is negligible. Non-frameability guarantees that $\mathcal{A}$ is incapable of forcing the honest opener to attribute a valid signature to a specific honest user, by creating a judge-accepted proof, if that honest user did not create the signature.

Definition 11
Traceability essentially means that $\mathcal{A}$ cannot forge a signature such that the honest opener is either incapable of identifying the signer of the forged signature or incapable of generating a judge-accepted proof of its claim, even when the signer has been identified.

Definition 12
The scheme achieves weak opening soundness if the corresponding advantage is negligible. Weak opening soundness means that a malicious user cannot claim ownership of signatures originally generated by honest users via a forged opening proof, as long as the opener behaves honestly [15].

Detailed construction
As previously mentioned, the scheme of [17] essentially only allows members to enroll at any time but not to leave freely, which inspired us to add revocation functionality to [17] using the methodology of [34]. Our construction is detailed in Fig. 5, and the system parameters are listed in Table 1.
Natural revocation is achieved by the CS-TBK algorithm and is detailed as follows. Assume that a leaf node $\eta$ is assigned to the expiry time $\tau$. The issuer produces the SPS-EQ signature $\sigma'_{A_j} \leftarrow \mathsf{Sign}_R(\xi_j(U_i, Q), \mathsf{sk}_R)$ for each node $\xi_j \in \mathsf{Path}(\eta)$ and sends $(\{\sigma'_{A_j}\}_{j \in [n_t]}, \tau_i)$ to signer $i$. The signer then computes her own secret signing key using the re-randomization property of SPS-EQ. For the current time $t$, the issuer first outputs $Y := (\vartheta_1, \vartheta_2, \ldots, \vartheta_{num})$ by running the $\mathsf{CS\text{-}TBK}(\mathsf{BT}, t)$ algorithm and chooses a secret vector $(T_i, Q) \leftarrow (\mu P, P) \in (G_1^*)^2$ (where $\mu \xleftarrow{\$} \mathbb{Z}_p^*$). Next, the issuer computes the SPS-EQ signature $\sigma_{B_k} \leftarrow \mathsf{Sign}_R(\vartheta_k(T_i, Q), \mathsf{sk}_R)$, which is contained in the expiration information $\mathsf{info}_t$. Hence $\mathsf{gsk}_i$ is the SPS-EQ signature on the message $\xi_j \in \mathsf{Path}(\eta) := (\xi_1, \xi_2, \ldots, \xi_{n_t})$ together with the equivalence class of the signer's secret identity, whereas $\mathsf{info}_t$ is the SPS-EQ signature on another message $\vartheta_k \in Y := (\vartheta_1, \vartheta_2, \ldots, \vartheta_{num})$ together with the equivalence class corresponding to the current time. By the CS method, a common node $\xi \in \mathsf{Path}(\eta) \cap Y$ exists if the key has not expired, i.e. $t \le \tau$. That is, non-revoked signers can prove in a zero-knowledge manner that the node $\xi$ carries two signatures, one in their own private signing key $\mathsf{gsk}$ and one in the expiry information $\mathsf{info}_t$. Note that unless the unforgeability of the SPS-EQ signature scheme is broken, i.e. unless the signer can create the SPS-EQ signature $\sigma_{B_k}$ herself, it is infeasible to generate a valid group signature for an expired signer. Consequently, the unforgeability of expiry time for signing keys is guaranteed.
Premature revocation works as follows. At the GS.Issue stage, the issuer stores a revocation token $\mathsf{grt}_i := U_i$. At time $t$, the issuer picks $y_t \xleftarrow{\$} \mathbb{Z}_p^*$ and sets $h_t = y_t P$ and $\hat{h}_t = y_t \hat{P}$, so that $e(h_t, \hat{P}) = e(P, \hat{h}_t)$ holds. A group signature contains $\beta y_t P$, $\alpha(rq + \beta)P$ and $\alpha \hat{P}$, where $\alpha, \beta$ are picked at random by the signer. If $i \in R_t$, namely signer $i$ is revoked prematurely, the issuer computes $\mathsf{grt}_{i,t} := y_t \mathsf{grt}_i$ and stores $\mathsf{grt}_{i,t}$ in $\mathsf{RL}_t$. By checking whether the equation $e(\mathsf{grt}_{i,t} + \beta y_t P, \alpha \hat{P}) = e(\alpha(rq + \beta)P, y_t \hat{P})$ holds for each $\mathsf{grt}_{i,t}$ in turn, the verifier can determine whether $i$ is a prematurely revoked signer.
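The CS-TBK cover of Fig. 2 and the two revocation checks described above (natural revocation via a node shared by Path(η) and info_t, premature revocation via RL_t), as an added Python model that is not part of the paper or of any implementation of it. The SPS-EQ signatures and pairing equations are replaced by labelled placeholder strings, and the registration table `reg` (signer id to expiry leaf) is constructed for the example.

```python
"""Complete-subtree cover for time-bound keys (CS-TBK), modelled on the
paper's Fig. 2 example (T = 8 leaves, expiry time tau at leaf 11).

Nodes are numbered heap-style: root = 1, the children of n are 2n and 2n+1,
and the T leaves T..2T-1 represent time slots from left (earliest) to right.
The "signatures" below are constructed placeholders standing in for the
SPS-EQ signatures the issuer would really produce; no cryptography is run.
"""
from typing import Dict, List, Optional, Set, Tuple


def path(leaf: int) -> List[int]:
    """Path(eta): the nodes from the root down to `leaf`, root first."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes[::-1]


def leaf_range(node: int, T: int) -> Tuple[int, int]:
    """Leftmost and rightmost leaf index under the subtree rooted at `node`."""
    lo, hi = node, node
    while lo < T:                      # descend until both ends are leaves
        lo, hi = 2 * lo, 2 * hi + 1
    return lo, hi


def cs_tbk(T: int, t_leaf: int, node: int = 1) -> List[int]:
    """CS-TBK(BT, t): roots of the minimal full subtrees whose leaves are exactly
    the non-revoked slots t_leaf..2T-1 (every leaf left of t_leaf has expired)."""
    lo, hi = leaf_range(node, T)
    if lo >= t_leaf:                   # whole subtree still valid: one cover node
        return [node]
    if hi < t_leaf:                    # whole subtree expired: nothing to cover
        return []
    return cs_tbk(T, t_leaf, 2 * node) + cs_tbk(T, t_leaf, 2 * node + 1)


def issue_time_bound_key(tau_leaf: int, signer_id: int) -> Dict[int, str]:
    """Issuer side of GS.Issue (natural-revocation part): one placeholder
    SPS-EQ signature per node on Path(eta), eta being the leaf holding tau."""
    return {n: f"sigA[node={n},signer={signer_id}]" for n in path(tau_leaf)}


def expiration_info(T: int, t_leaf: int) -> Dict[int, str]:
    """info_t: placeholder signatures on each cover node returned by CS-TBK."""
    return {n: f"sigB[node={n},t={t_leaf}]" for n in cs_tbk(T, t_leaf)}


def common_node(gsk: Dict[int, str], info_t: Dict[int, str]) -> Optional[int]:
    """The node for which a non-expired signer holds two signatures (one in gsk,
    one in info_t); None means the key has naturally expired."""
    shared = sorted(set(gsk) & set(info_t))
    return shared[0] if shared else None


def revocation_list(t_leaf: int, reg: Dict[int, int], R_t: Set[int]) -> Set[int]:
    """RL_t for premature revocation: a token is published only for i in R_t
    whose expiry tau_i still lies ahead (t < tau_i); expired keys need none."""
    return {i for i in R_t if t_leaf < reg[i]}


def signer_accepted(T: int, t_leaf: int, signer_id: int,
                    reg: Dict[int, int], R_t: Set[int]) -> bool:
    """Verifier view: natural check (shared node) then premature check (RL_t)."""
    gsk = issue_time_bound_key(reg[signer_id], signer_id)
    if common_node(gsk, expiration_info(T, t_leaf)) is None:
        return False
    return signer_id not in revocation_list(t_leaf, reg, R_t)


if __name__ == "__main__":
    T = 8
    reg = {1: 11, 2: 13}   # constructed: signer 1 expires at leaf 11, signer 2 at 13
    print("Path(11) =", path(11))                   # [1, 2, 5, 11]
    print("cover at t=10:", cs_tbk(T, 10))          # [5, 3]  (Fig. 2a)
    print("cover at t=12:", cs_tbk(T, 12))          # [3]     (Fig. 2b)
    print("signer 1 at t=10:", signer_accepted(T, 10, 1, reg, set()))      # True
    print("signer 1 at t=12:", signer_accepted(T, 12, 1, reg, set()))      # False
    print("signer 2 at t=12, in R_t:", signer_accepted(T, 12, 2, reg, {2}))  # False
```

Running the module prints the Fig. 2 covers and shows that at t = 12 signer 1 is rejected without any RL_t entry, while signer 2 is rejected only because its token is in RL_t.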

Theorem 1 The proposal achieves correctness if SPS-EQ and SoK achieve correctness.
Proof (Sketch) Correctness follows directly from the correctness of the underlying schemes [17,34].

Theorem 2 The proposal achieves BU-anonymity if $\Pi$ achieves adaptive zero-knowledge, the SoK achieves simulatability (simulatability and straight-line f-extractability), the PKE scheme achieves IND-CPA (IND-CCA2) security, and the DDH assumption holds.
Proof (Sketch) BU-anonymity means that the signers of two group signatures cannot be distinguished without the opening secret key. Thus, an attack on anonymity is essentially an attack on the encryption that produces the membership certificates and proofs, and anonymity therefore reduces to the security of the PKE scheme and the NIZK proof. Furthermore, a signer remains anonymous because two randomized user secret keys are indistinguishable under the DDH assumption in $G_1$. Therefore, the output distribution of the $\mathsf{Chal}_b$ oracle is independent of the input bit $b$.
Proof Let $N_{ch}, N_o, N_{AddU} \le \mathsf{poly}(\kappa)$ denote the number of queries to $\mathsf{Chal}_b$, Open and AddU, respectively.
$G_0$: The original anonymity experiment.
$G_1$: As $G_0$, except that $(\mathsf{crs}_J, \mathsf{td}_J) \leftarrow \Pi.\mathsf{S}_1(1^\kappa)$ is executed instead of $\mathsf{crs}_J \leftarrow \Pi.\mathsf{Setup}(1^\kappa)$ in GS.GKGen, and the trapdoor $\mathsf{td}_J$ is stored. Each call to $\Pi.\mathsf{Proof}$ in GS.Join is then simulated via the simulator $\Pi.\mathsf{S}_1$. By the adaptive zero-knowledge of $\Pi$, the probability that $\mathcal{A}$ distinguishes $G_0$ from $G_1$ is negligible, i.e. $|\Pr[G_1] - \Pr[G_0]| \le \epsilon^{J}_{zk}(k)$.
$G_2$: As $G_1$, except that $(\mathsf{crs}_O, \mathsf{td}_O) \leftarrow \Pi.\mathsf{S}_1(1^\kappa)$ is executed instead of $\mathsf{crs}_O \leftarrow \Pi.\mathsf{Setup}(1^\kappa)$ in GS.GKGen, and $\mathsf{td}_O$ is stored. All zero-knowledge proofs $\Pi.\mathsf{Proof}$ in GS.Open are then simulated via $\Pi.\mathsf{S}_1$. By the adaptive zero-knowledge of $\Pi$, the probability that $\mathcal{A}$ distinguishes $G_1$ from $G_2$ is negligible, i.e. $|\Pr[G_2] - \Pr[G_1]| \le \epsilon^{O}_{zk}(k)$.
$G_3$: As $G_2$, except that $(\mathsf{crs}_s, \mathsf{td}_s) \leftarrow \mathsf{SoK}.\mathsf{Setup}(1^\kappa)$ is executed instead of $\mathsf{crs}_s \leftarrow \mathsf{SoK}.\mathsf{Setup}(1^\kappa)$ in GS.GKGen, and $\mathsf{td}_s$ is stored. Each call to $\mathsf{SoK}.\mathsf{Sign}$ is then simulated (without a witness). By the simulatability of the SoK, the probability that $\mathcal{A}$ distinguishes $G_3$ from $G_2$ is negligible, i.e. $|\Pr[G_3] - \Pr[G_2]| \le \epsilon_{SIM}(k)$.
$G_4$: As $G_3$, except that $\mathsf{pk}_o$ is obtained from an IND-CPA or IND-CCA2 challenger instead of running $(\mathsf{sk}_o, \mathsf{pk}_o) \leftarrow \mathsf{KGen}(1^\kappa)$ of the PKE scheme in GS.GKGen, and $\mathsf{sk}_o = \bot$ is set. In the CCA2 case, the Open oracle is answered by using the decryption oracle to decrypt the ciphertext $\hat{C}^J_i$ stored in $\mathsf{reg}$ for every user, and the proof is simulated via the straight-line f-extractor. In the CCA2 case a witness $\rho$ can be extracted in each call to the Open oracle with overwhelming probability $1 - \epsilon_{EXT}(k)$, by the straight-line f-extractability of the SoK. Therefore, both games proceed identically unless an extraction fails, i.e. $|\Pr[G_4] - \Pr[G_3]| \le N_o \cdot \epsilon_{EXT}(k)$. In the CPA case, the Open oracle does not have to be simulated and the opening key is simply obtained from the IND-CPA challenger; hence $G_4$ is conceptually identical to $G_3$, i.e. $\Pr[G_4] = \Pr[G_3]$.
$G_5$: As $G_4$, except that the ciphertext $\hat{C}^J_i$ in GS.Join (actually executed via the AddU oracle) is computed as $\hat{C}^J_i = \mathsf{Enc}(\mathsf{pk}_o, \hat{P})$ instead of $\hat{C}^J_i = \mathsf{Enc}(\mathsf{pk}_o, r\hat{P}, \omega)$, i.e. the random parameter associated with the identity is removed from the message. By the IND-CCA2 security of the PKE scheme, $|\Pr[G_5] - \Pr[G_4]| \le N_{AddU} \cdot \epsilon_{CCA2}(k)$.
$G_6$: As $G_5$, except that $\mathsf{sk}_o$ is re-added, namely $(\mathsf{sk}_o, \mathsf{pk}_o) \leftarrow \mathsf{KGen}(1^\kappa)$ is run again. In the CCA2 case we decrypt ourselves within the WReg simulation rather than via the decryption oracle. Therefore, $G_6$ is conceptually identical to $G_5$, i.e. $\Pr[G_6] = \Pr[G_5]$.
$G_7$: As $G_6$, except that $i^*$ is revoked by computing $\mathsf{grt}_{i^*,t} := y_t r_{i^*} q P$ for $t \ne t^*$. Note that $\mathsf{grt}_{i^*,t^*}$ need not be computed because at the challenge time $t^*$ the user $i^*$ is unrevoked, which yields backward unlinkability. Therefore, $G_7$ is conceptually identical to $G_6$, i.e. $\Pr[G_7] = \Pr[G_6]$.
$G_8$: As $G_7$, except that the $\mathsf{Chal}_b$ oracle is modified as follows. Instead of $\mathsf{ChgRep}_R(M, \rho, \mathsf{pk}_R)$, a uniformly random pair of elements of $G_1$ is chosen and $\mathsf{ChgRep}_R$ is applied to that pair with $\rho$ and $\mathsf{pk}_R$ to answer the $\mathsf{Chal}_b$ query. By the DDH assumption, the distinguishing probability of $\mathcal{A}$ is negligible, i.e. $|\Pr[G_8] - \Pr[G_7]| \le N_{\mathsf{Chal}_b} \cdot \epsilon_{DDH}(k)$. In $G_8$ the advantage of $\mathcal{A}$ is 0 and the simulation is independent of the bit $b$, i.e. $\Pr[G_8] = \frac{1}{2}$.
$G_9$: As $G_8$, except that $\psi^*_3 \xleftarrow{\$} G_2$ is chosen at random.
Proof (Sketch) The equivalence class associated with each group member is chosen as the secret vector of the membership certificate, and this secret is known only to the signer. The encryption of $R \in G_2$ and a digital signature serve as an identity proof that provides the means to open signatures. The signer issues a group signature consisting of the randomized group signing key and the signature of knowledge. The unforgeability of the digital signature scheme and the perfect correctness of $\Omega$ ensure that all valid signatures can be correctly opened. Moreover, the impossibility of unblinding a user secret key under co-CDHI ensures the

Proof Let $n \le \mathrm{poly}(\kappa)$ denote the number of users.
Notation used in the proofs:
$(sk_o, pk_o)$: the key pair of the encryption algorithm
$grt$: the revocation token
$(sk_\epsilon, pk_\epsilon)$: the key pair of the signature algorithm
$\mathrm{info}$: the group information
$(usk, upk)$: the user secret/public key pair
the equivalence-class representative for users (symbol lost)
$\tau$: the expiry time
the equivalence-class representative for time (symbol lost)

$G_0$: The original non-frameability experiment.

$G_1$: As $G_0$, except that we guess that $A$ will attack user $i^*$, and abort if $A$ attacks another user. The winning probability in $G_1$ equals that in $G_0$ unless an abort happens, i.e., $\Pr[G_1] = \Pr[G_0] \cdot \tfrac{1}{n}$.

$G_2$: As $G_1$, except that $(\mathrm{crs}_J, \mathrm{td}_J) \leftarrow \Pi.S_1(1^\kappa)$ is executed instead of $\mathrm{crs}_J \leftarrow \Pi.\mathsf{Setup}(1^\kappa)$ in GS.GKGen, and the trapdoor $\mathrm{td}_J$ is stored. Next, each call to $\Pi.\mathsf{Proof}$ in GS.Join is simulated by the simulator $\Pi.S_1$. By the adaptive zero-knowledge of $\Pi$, $A$ distinguishes $G_1$ from $G_2$ with negligible probability, i.e., $|\Pr[G_2] - \Pr[G_1]| \le \epsilon_{zk_J}(k)$.

$G_3$: As $G_2$, except that $\mathrm{crs}_O$ is obtained from a soundness challenger in GS.GKGen. Therefore, $G_3$ is conceptually identical to $G_2$, i.e., $\Pr[G_3] = \Pr[G_2]$.

$G_4$: As $G_3$, except that we set up the SoK via $(\mathrm{crs}_s, \mathrm{td}_s) \leftarrow \mathsf{SoK.Setup}(1^\kappa)$ instead of $\mathrm{crs}_s \leftarrow \mathsf{SoK.Setup}(1^\kappa)$ in GS.GKGen, and the trapdoor $\mathrm{td}_s$ is stored. Next, each call to $\mathsf{SoK.Sign}$ is simulated by the simulator. By the simulatability of the SoK, $A$ distinguishes $G_3$ from $G_4$ with negligible probability, i.e., $|\Pr[G_4] - \Pr[G_3]| \le \epsilon_{SIM}(k)$.

$G_5$: As $G_4$, except that when user $i^*$ is queried we pick $q, r \xleftarrow{\$} \mathbb{Z}_p^*$ and set $(U_{i^*}, Q_{i^*}) = (r \cdot qP, qP)$ in GS.Join (actually executed via the $\mathsf{SndToU}$ oracle). Next, on each Join for a user $i \ne i^*$, we check whether the same class has incidentally been chosen for user $i^*$. The check is performed by testing whether $U_{i^*} = r_i \cdot Q_{i^*}$, where $r_i$ is the value of $r$ selected for user $i$ when joining. This check requires neither $r$ for user $i^*$ nor the discrete logarithm $q$. $G_4$ and $G_5$ proceed identically unless an abort happens, the probability of which is $\epsilon_{guess}(k) = n/(p-1)$, i.e., $|\Pr[G_5] - \Pr[G_4]| \le \epsilon_{guess}(k)$.

$G_6$: As $G_5$, except that a co-CDHI instance $(aP, \tfrac{1}{a}P)$ with respect to BG is obtained and a uniformly random scalar in $\mathbb{Z}_p^*$ is picked. Next, we adjust GS.Join (actually executed via the $\mathsf{SndToU}$ oracle) when user $i^*$ is queried as follows. Let $(U_{i^*}, Q_{i^*})$ be (the chosen scalar times $P$, $aP$), compute $\hat{C}_{J_{i^*}} \leftarrow \Omega.\mathsf{Enc}(pk_o, \text{the chosen scalar} \cdot \tfrac{1}{a}P)$ and store it. Once the execution succeeds, let the group signing key be $gsk_{i^*} := \{(U_{i^*}, Q_{i^*}, \sigma_{A_j})\}_{j \in [n_t]}$ and the revocation token be $grt_{i^*} = U_{i^*}$. Because the scalar is uniformly random, $G_6$ is conceptually identical to $G_5$, i.e., $\Pr[G_6] = \Pr[G_5]$.

$G_7$: As $G_6$, except that for each forgery output by $A$, a witness $\rho$ is extracted via $\mathsf{SoK.Extract}(\mathrm{crs}_s, \mathrm{td}_s, \ldots)$ and we abort if the extraction fails. By the extractability of the SoK, the probability that extracting a witness $\rho$ fails is negligible. Therefore, $G_7$ and $G_6$ proceed identically unless an extraction failure happens, i.e., $|\Pr[G_7] - \Pr[G_6]| \le \epsilon_{EXT}(k)$.

$G_8$: As $G_7$, except that we further adjust GS.Join when user $i^*$ is queried (actually executed via the $\mathsf{SndToU}$ oracle) as follows. Instead of obtaining $(usk_{i^*}, upk_{i^*})$ from GS.UKGen$(1^\kappa)$, we set $usk_{i^*} \leftarrow \emptyset$ and obtain $upk_{i^*}$ by interacting with an EUF-CMA challenger. Moreover, we obtain all required signatures via the signing oracle offered by the EUF-CMA challenger. Therefore, $G_8$ is conceptually identical to $G_7$.

Now there are three possibilities when $A$ creates a valid forgery.

1. If a signature for $\hat{C}_{J_{i^*}}$ was never requested, then $A$ is an EUF-CMA forger for the signature scheme and the forgery is $(\hat{C}_{J_{i^*}}, \sigma_{J_{i^*}})$. The probability of this event is bounded by $\epsilon_f(k)$.

2. Otherwise, by the perfect correctness of $\Omega$, $\hat{C}_{J_{i^*}}$ was honestly computed by the environment and thus contains $aP$. There are two further possibilities:

• If $e(\sigma_{1A}[1][1], P) = e(\sigma_{1A}[1][2], aP)$, then $A$ is an adversary breaking co-CDHI, because we can obtain $((\text{the chosen scalar} \cdot \tfrac{1}{a}P, P), \sigma'_{A_j}) \leftarrow \mathsf{ChgRep}_R(\sigma_{1A}, \rho^{-1}, pk_R)$ and multiply by the inverse of the chosen scalar to output $\tfrac{1}{a}P$. The probability of this event is bounded by $\epsilon_{co\text{-}CDHI}(k)$.

• Otherwise, $A$ has created an opening proof for a statement that does not belong to $L_{R_O}$. The probability of this event is bounded by $\epsilon_S(k)$.
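Collecting the per-hop bounds of the anonymity proof and of the non-frameability proof above gives the overall advantage bounds. This derivation is added here as a worked summary in the paper's own symbols; it is not part of the original text, and it takes the CCA2 variant of $G_4$ in the anonymity proof.

For anonymity, with $\Pr[G_6] = \Pr[G_5]$, $\Pr[G_7] = \Pr[G_6]$ and $\Pr[G_8] = \tfrac{1}{2}$:

$$
\begin{aligned}
\left|\Pr[G_0] - \tfrac{1}{2}\right|
&\le \sum_{i=1}^{8} \left|\Pr[G_i] - \Pr[G_{i-1}]\right| + \left|\Pr[G_8] - \tfrac{1}{2}\right| \\
&\le \epsilon_{zk_J}(k) + \epsilon_{zk_O}(k) + \epsilon_{SIM}(k) + N_O\,\epsilon_{EXT}(k) + N_{AddU}\,\epsilon_{CCA2}(k) + N_{Chal_b}\,\epsilon_{DDH}(k).
\end{aligned}
$$

In the CPA variant of $G_4$ the term $N_O\,\epsilon_{EXT}(k)$ vanishes. Every summand is negligible and each multiplier is polynomial, so the bound is negligible.

For non-frameability, the guessing step gives $\Pr[G_0] = n \cdot \Pr[G_1]$; the three forgery cases in $G_8$ give $\Pr[G_8] \le \epsilon_f(k) + \epsilon_{co\text{-}CDHI}(k) + \epsilon_S(k)$ by a union bound; and $\Pr[G_3] = \Pr[G_2]$, $\Pr[G_6] = \Pr[G_5]$, $\Pr[G_8] = \Pr[G_7]$. Hence

$$
\begin{aligned}
\Pr[G_0]
&= n \cdot \Pr[G_1]
\le n \left( \sum_{i=2}^{8} \left|\Pr[G_i] - \Pr[G_{i-1}]\right| + \Pr[G_8] \right) \\
&\le n \left( \epsilon_{zk_J}(k) + \epsilon_{SIM}(k) + \frac{n}{p-1} + \epsilon_{EXT}(k) + \epsilon_f(k) + \epsilon_{co\text{-}CDHI}(k) + \epsilon_S(k) \right),
\end{aligned}
$$

where $\epsilon_{guess}(k) = n/(p-1)$ has been substituted. The factor $n \le \mathrm{poly}(\kappa)$ from guessing the attacked user costs only a polynomial loss, so the forging probability stays negligible.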

Theorem 4 The proposal achieves traceability if SPS-EQ achieves EUF-CMA security and $\Pi$ achieves soundness.
Proof (Sketch) The adversary is essentially concerned with two forgeries in $\mathrm{Exp}^{\mathrm{Traceability}}_{GS,A}(k)$: forging the current group membership certificate and forging the tokens of non-revoked users. The first type of forgery can be reduced to the EUF-CMA security of SPS-EQ and the soundness of the NIZK proof system, because group membership certificates are built from SPS-EQ and the NIZK proof system. For the second type, if an adversary can forge a valid signature after the expiry time, then there exists a valid SPS-EQ signature that is not contained in the revocation list $RL_{t^*}$. Thus, the second forgery is also reduced to the EUF-CMA security of SPS-EQ. Therefore, traceability is guaranteed by both the EUF-CMA security of the SPS-EQ scheme and the soundness of the NIZK proof system.

Proof Let $q \le \mathrm{poly}(\kappa)$ denote the number of queries to the $\mathsf{SndToI}$ oracle.
$G_0$: The original traceability experiment.

$G_1$: As $G_0$, except that $\mathrm{crs}_J$ is obtained from a soundness challenger of $\Pi$. Therefore, $G_1$ is conceptually identical to $G_0$, i.e., $\Pr[G_1] = \Pr[G_0]$.

$G_2$: As $G_1$, except that BG and $pk_R$ are obtained from an EUF-CMA challenger of the SPS-EQ. $G_2$ is conceptually identical to $G_1$, i.e., $\Pr[G_2] = \Pr[G_1]$.

$G_3$: By the winning condition $i \notin C \setminus R_t$, $A$ needs to query the signing oracle of the SPS-EQ to generate a counterfeit $\sigma_{A_j}$ (a Type I forger) that was not published via the $\mathsf{SndToI}$ oracle. The Type II forger can be treated as in the real game. As $G_2$, except that upon successful execution of $\mathsf{SndToI}$ we obtain $R = \Omega.\mathsf{Dec}(sk_o, \hat{C}_{J_i})$ and abort when $e(U_i, P) \ne e(Q, R)$. If an abort happens, we have obtained a valid proof $\pi_{J_i}$ attesting that $(U_i, Q, \hat{C}_{J_i}, pk_o) \in L_{R_J}$, but by the perfect correctness of $\Omega$ there exists no $\omega$ such that $\hat{C}_{J_i} = \Omega.\mathsf{Enc}(pk_o, r \cdot P; \omega) \wedge U_i = r \cdot Q$, i.e., $(U_i, Q, \hat{C}_{J_i}, pk_o)$ is actually not in $L_{R_J}$. Therefore, $G_3$ and $G_2$ proceed identically as long as $A$ does not break the soundness of the NIZK in one of the oracle queries, i.e., $|\Pr[G_3] - \Pr[G_2]| \le q \cdot \epsilon_s(k)$.

$G_4$: By the winning condition $i \notin C \setminus R_t$, $A$ needs to query the signing oracle of the SPS-EQ to create a forged non-revoked certificate $\sigma_{B_k}$ when the $\mathsf{Revoke}$ oracle is called. The Type I forger can be treated as in the real game. As $G_3$, but $\sigma_{B_k}$ is obtained from an EUF-CMA challenger of the SPS-EQ. Therefore, $G_4$ is conceptually identical to $G_3$, i.e., $\Pr[G_4] = \Pr[G_3]$.

$G_5$: By the winning condition $i \in C \setminus R_t \wedge t \ge \tau_i$, if $A$ is able to create a valid signature when $\tau_i < t^*$, there must exist a valid $\sigma_{B_k}$ not contained in $RL_{t^*}$. The unforgeability of expiry time is thus finally reduced to the unforgeability of the SPS-EQ scheme. Therefore, $G_5$ is conceptually identical to $G_4$, i.e., $\Pr[G_5] = \Pr[G_4]$.

Theorem 5 The proposal achieves weak opening soundness if $\Omega$ achieves perfect correctness and the digital signature scheme achieves EUF-CMA security.
Proof (Sketch) $A$ breaks weak opening soundness if it can forge an opening proof that eliminates the uniqueness of group members, which means it can break the soundness of the NIZK proof system in GS.Judge. The EUF-CMA security of the digital signature scheme and the perfect correctness of the PKE scheme guarantee that user $i$ signed $\sigma$ uniquely. Once GS.Join has been honestly executed for users $i$ and $j$, the probability that the $r$ (resp. $R$) values of users $i$ and $j$ are identical is negligible.

Results and discussion
In Table 2, we summarize the characteristics of our scheme and of other revocable group signature schemes [23,24,[27][28][29]34] that are secure in the ROM and based on asymmetric pairings. Our proposal resists forgery of the expiry time of signing keys by following the GS-TBK approach of [34], whereas the other schemes do not take that attack into account. Moreover, we employ re-randomizable SPS-EQ instead of the traditional approach based on BBS+ signatures. The benefit is the efficiency gained by following the SRP paradigm, which avoids both the q-SDH assumption and the knowledge of secret key (KOSK) assumption employed in [24,29,34]. The substantial drawback of the KOSK assumption is that it is difficult to realize with existing infrastructure [35], and q-type assumptions are exposed to the Cheon attack [36].
Weak opening soundness is reasonable in many scenarios where signers need to be rewarded or abusers must be prevented from shifting blame to someone else. The schemes of [23,24,29] and our proposal capture weak opening soundness, while the others lack the property. As mentioned before, introducing revocation functionality inevitably prevents the scheme from satisfying full anonymity, because the revocation token can be derived from the signing key. In other words, it cannot protect against leakage of group signing keys. Although our proposal only achieves BU- and selfless anonymity, this seems a reasonable price given the benefits. The scheme of [27] constructs a VLR-GS with full anonymity, which is desirable but rather strict for the reasonable application areas of group signature schemes. Consequently, a slightly weaker notion of anonymity is suitable for more general use cases.
Table 3 shows an evaluation of the signature size and of the computational costs of signing and verification for revocable group signature schemes. The schemes [27,28] do not provide instantiations. The scheme [24] achieves scalability in the ROM, but its costs are asymptotically equal to those of the scheme [22]. As shown in Table 3, our proposal has the lowest cost in signature generation and verification because it avoids expensive $G_T$ operations. Regarding signature size, our group signature contains 10, 3 and 4 elements in $G_1$, $G_2$ and $\mathbb{Z}_p$ respectively, which benefits from the SRP paradigm. Besides, the complexity of the CS method is acceptable. Consequently, our proposal is efficient in computational cost and suited to resource-constrained systems.

Conclusion
In this article, we presented a revocable group signature that realizes the unforgeability of expiry time for signing keys, BU-anonymity, non-frameability, traceability, weak opening soundness, and backward security. Moreover, the results show that it is feasible in resource-constrained settings because of the constant and efficient computational cost of the signing algorithm. Our scheme essentially follows the BSZ model, which relies heavily on a monopolistic issuer and opener. In other words, the BSZ model offers no strategy against either a corrupt opener illegally disclosing private information or a corrupt issuer counterfeiting credentials. These imperfections are bound to become barriers in the future. Thus, adopting group signatures with multiple issuers and openers is an attractive direction for distributed applications.