Signature Size. The signature size in terms of the number of group elements and the bit sizes for 80-bit security. We adopt the estimates of the bit sizes of group elements used in [9] (the sizes of the elements of , , and are 176 bits, 170 bits, and 1056 bits, respectively.) is the number of group members. We assume that the Wee one-time signature scheme [48] is used for the instantiation of the one-time signature scheme.
MDO. The security level of the message-dependent functionality, where “-bounded” denotes that one needs, at the setup, to fix the number of tokens that will be issued, and “unbounded” denotes that one needs not fix the upper bound.
Assumptions. The hardness assumption on which the scheme is based. D3DH stands for the decision 3-party Diffie-Hellman assumption [11]. The -U assumption is defined in [32].
Without RO. Whether or not the scheme requires the random oracle model.