Research Article | Open Access
Keita Emura, Atsuko Miyaji, Kazumasa Omote, "An -Hiding Revocable Group Signature Scheme: Group Signatures with the Property of Hiding the Number of Revoked Users", Journal of Applied Mathematics, vol. 2014, Article ID 983040, 14 pages, 2014. https://doi.org/10.1155/2014/983040
An -Hiding Revocable Group Signature Scheme: Group Signatures with the Property of Hiding the Number of Revoked Users
If there are many displaced workers in a company, then a person who goes for job hunting might not select this company. That is, the number of members who quit is quite negative information. Similarly, in revocable group signature schemes, if one knows (or guesses) the number of revoked users (say ), then one may guess the reason behind such circumstances, and it may lead to harmful rumors. However, no previous revocation procedure can achieve hiding . In this paper, we propose the first revocable group signature scheme, where is kept hidden, which we call -hiding revocable group signature. To handle this property, we newly define the security notion called anonymity with respect to the revocation which guarantees the unlinkability of revoked users.
Imagine that there are many users who have stopped using a service. If this fact is published, then how would the newcomers feel about this? One may guess the reason behind such circumstances and may judge that those users did not find the service attractive or the service fee is expensive. The same thing may occur in other cases; for example, if there are many displaced workers in a company, then a person who goes for job hunting might not select this company. For example, the person might imagine there are many problematic employees in this company or might imagine the labor environment may not be good. That is, the number of members who quit is quite negative information.
Group Signature. Many cryptographic attempts for the revocation of rights of users have been considered so far. In this paper, we mainly focus on group signature. The concept of group signature was investigated by Chaum and van Heyst . A typical usage of group signature is described as follows. The group manager (GM) issues a membership certificate to a signer. A signer makes a group signature by using their own membership certificate and sends it (with a signed message) to a verifier. The verifier anonymously verifies whether a signer is a member of a group or not. That is, the verifier checks the possession of a membership certificate without revealing themself. In order to handle some special cases (e.g., an anonymous signer behaves maliciously), GM can identify the actual signer through the open procedure. Since verifiers do not have to identify individual signers, group signature is a useful and powerful tool for protecting signers’ privacy.
As additional functionality of group signature, anonymity revocation has been introduced [2–11], where no revoked users can make a valid group signature or revoked users can be publicly detected even if they try to make a group signature. (Since a long RSA modulus might lead to certain inefficiency aspects (e.g., long signatures, heavy complexity costs, and so on), we exclude RSA-based revocable group signatures (e.g., [12, 13]) in this paper.) However, the number of revoked users (say ) is revealed in all previous revocable group signature schemes. As mentioned previously, the number of revoked users is quite negative information. Next, we introduce applications of revocable group signature for outsourcing businesses  and biometric authentication  as concrete examples, where revealing may lead to harmful rumors.
Concrete Example 1 (identity management). In this application, presented in , there are four entities: a user, outsourcee, opening manager (OM), and revocation manager (RM). Let outsourcee be in charge of providing the service to legitimate users. When a user requests the service, the user makes a group signature and sends it to outsourcee. Due to anonymity of the underlying group signature scheme, outsourcee does not have to identify individual users (protect users’ privacy). One important thing is that outsourcee does not have to manage a list of identities of users. That is, the risk of leaking user information (i.e., the user list) can be minimized, and this is the merit of using group signature in identity management. After a certain interval, for charging a service fee, OM detects a user by using the opening procedure of group signature. If a user does not pay a fee (or when a user wants to leave the service), then OM announces the identity of this user to RM, and RM revokes this user from the system. In this system, if is revealed, then one may think that there might be many dropout users who have stopped using the service; that is, this service may not be interesting, or he/she have not paid the service fee; namely, the service fee may be expensive and so on. That is, “revealing ” may lead to harmful rumors.
Concrete Example 2 (biometric authentication). In this application presented in , there are four entities: a human user, a sensor client, a card issuer, and a service provider. A human user authenticates himself/herself to the service provider by using his/her biometric data preserved on a plastic card. A card issuer (with a group master secret key) issues a card to a human user which contains a signing key and his/her biometric data. Moreover, the card issuer can revoke users if malicious behavior occurs or a user loses his/her card. A sensor client extracts human user’s biometric trait (e.g., iris is used in ) and communicates with the service provider, so that the user will be authenticated by the service provider. The service provider verifies a group signature and provides a service (e.g., open a door) if the signature is valid. Due to anonymity, the service provider does not identify who the user is; even sensitive biometric information is treated. In this system, if someone knows in this application, they may think that there might be many malicious behaviors, or there might be many lost cards; that is, good management may deteriorate, and so on. That is, “revealing ” may lead to harmful rumors.
Our Target. So, our main target is to propose a revocable group signature scheme with the property of hiding the number of revoked users , which we call -hiding revocable group signature. Then, we need to investigate the methodology for achieving the following.(1)The size of any value does not depend on .(2)The costs of any algorithm do not depend on , except the revocation algorithm executed by GM.(3)Revoked users are unlinkable. In particular, if revoked users are linkable, then anyone can guess (i.e., not exactly obtain) by linking and counting revoked users. Although we assume that an adversary can obtain the polynomial (of the security parameter) number of group signatures, this assumption is not unreasonable (actually, the adversary can be allowed to access the signing oracle in polynomial times). In addition, is also a polynomial-size value. That is, this guessing attack works given that revoked users are linkable.
However, no previous revocable signature scheme satisfying all requirements above has been proposed. For example, in revocable group signatures [2, 4, 11] (which are based on updating the group public values, e.g., using accumulators), either the size of public value or the costs of updating membership certificate depend on . Nakanishi et al.  proposed a novel technique of group signature, where no costs of the GSign algorithm (or the Verify algorithm also) depend on . However, their methodology requires that signatures are published to make a group signature, and therefore is revealed. Recently, Libert-Peters-Yung proposed two scalable group signature schemes [7, 8] by applying the Naor-Naor-Lotspeich (NNL) broadcast encryption framework . However, at least one cost depends on (e.g., -size revocation list is required for signing in [7, 8] (of subset difference variant) and -size revocation list is required for signing in  (of complete subtree variant) and (the number of users) are publicly available). Therefore, is revealed. In [3, 5, 10, 17, 18] (which are verifier-local revocation (VLR) type group signature schemes), revoked users are linkable. In this case, anyone can guess by executing the verification procedure. For the sake of clarity, we introduce the Nakanishi-Funabiki methodology  as follows: let be the revocation list, where is the secret value of revoked user . Note that, by adding dummy values, we can easily expand the size of revocation list . So, we can assume that is not revealed from the size of RL, but is revealed (or rather, guessed) as follows. Each group signature (made by ) contains and for some random and some group elements and . If has been revoked, then there exists such that holds. By counting such , one can easily guess even if RL is expanded by dummy values. Since each value in RL is linked to a user (i.e., is linked to ), even if values in RL are randomized (e.g., for some random ), this connection between a user and a value in RL is still effective. So, one can easily guess even if RL is randomized.
From the above considerations, no previous revocation procedure can be applied for hiding . One solution has been proposed in , where only the designated verifier can verify the signature. By preventing the verification of signature from the third party, is not revealed from the viewpoint of the third party. However, this scheme (called anonymous designated verifier signature) is not publicly verifiable and is not group signature any longer. Next, as another methodology, we may consider multigroup signatures [20, 21] with two groups (valid user group and revoked user group). However, this attempt does not work, since each user is given his/her membership certificate (corresponding to the group he/she belongs to) in the initial setup phase, and the revocation procedure is executed after the setup phase.
Our Contribution. In this paper, we propose the first -hiding revocable group signature scheme in the random oracle model by applying attribute-based group signature (ABGS) [22–25]. By considering two attributes: valid group user and the user’s identity, we can realize the property of hiding . To handle this property, we newly define the security notion called anonymity with respect to the revocation. As the main difference among our anonymity definition and previous ones, to guarantee the unlinkability of revoked users, can issue the revocation queries against the challenge users. Our scheme is secure under the computational Diffie-Hellman (CDH) assumption, the decision Diffie-Hellman (DDH) assumption over a bilinear group (i.e., the external Diffie-Hellman (XDH) assumption), the decision linear (DLIN) assumption, the hidden strong Diffie-Hellman (HSDH) assumption, and the -strong Diffie-Hellman (SDH) assumption, in the random oracle model. We apply the Boldyreva multisignature scheme  to revoke each user.
Related Work. There were several security definitions of group signatures until the Bellare-Micciancio-Warinschi work , which we call the BMW model. They showed that full-anonymity and full-traceability are enough to capture all security requirements that appeared before their work. Bellare et al.  extended the BMW model, which we call the BSZ model, to handle the dynamic group setting, where a user can join the system even after the system setup phase. Later, Sakai et al.  further extended the BSZ model for preventing signature hijacking. Independently, Kiayias and Yung also give a formal definition with dynamic join [30, 31], and Libert et al. [7, 8] extended to the KY model for revocable group signature.
Efficient group signature schemes in the random oracle model have been proposed in [2, 4, 32] and in the standard model [5, 33, 34]. Technically, (honest verifier) zero knowledge proofs of knowledge and the Fiat-Shamir heuristic  are mainly applied for constructing group signatures in the random oracle model, and Groth-Sahai proofs  and structure-preserving signatures  are mainly applied for constructing group signatures in the standard model. Though the above schemes are constructed over bilinear groups, lattice-based group signature schemes also have been proposed [38–40]. Usually, encryption schemes are applied for implementing the open algorithm; however, encryption-free group signatures schemes have been proposed in [41, 42].
As group signatures with an additional functionality, a new open functionality, which we call message-dependent opening, has been proposed in [43–45], where a signed message-dependent token is generated by an authority called admitter and an opener who has the opening key can open the group signatures using the corresponding token. Forward secure group signature schemes have been proposed [46–49], where users can update their secret signing key periodically, and group signatures made by the secret keys of previous periods remain secure even if a secret key is exposed. Revocable group signature schemes with backward unlinkability have been proposed [5, 9, 10, 18], where even after a user is revoked, group signatures made by this user before the revocation remain anonymous. Identity-based analogue of group signature also has been proposed in [50, 51].
As feasibility results, a group signature secure in the BMW model implies CCA-secure public key encryption (PKE) [52, 53], and a group signature secure in the Sakai et al. model implies PKENO , where PKENO stands for public key encryption with noninteractive opening . Moreover, a group signature with message-dependent opening implies identity-based encryption .
In this section, we give definitions of bilinear groups and complexity assumptions and introduce cryptographic tools which are applied in our construction. Let PPT mean probabilistic polynomial time, and means that an element is chosen at uniform random from a set .
2.1. Bilinear Groups and Complexity Assumptions
Definition 1 (bilinear groups). Let , , and be cyclic groups with prime order , and and . Let be an (efficient computable) bilinear map with the following properties: bilinearity: for all and , and hold, and nondegeneracy: , where is the unit element over .
Definition 2 (the computational Diffie-Hellman (CDH) assumption). We say that the CDH assumption holds if, for all PPT adversary , is negligible, where and .
Definition 3 (the decision Diffie-Hellman (DDH) assumption). We say that the DDH assumption holds if, for all PPT adversary , is negligible, where and with .
Definition 4 (the decision linear (DLIN) assumption ). We say that the DLIN assumption holds if, for all PPT adversary , is negligible, where and .
Definition 5 (the hidden strong Diffie-Hellman (HSDH) assumption ). We say that -HSDH assumption holds if, for all PPT adversary , is negligible, where , and .
Definition 6 (the strong Diffie-Hellman (SDH) assumption ). We say that -SDH assumption holds if, for all PPT adversary , is negligible, where , , and .
Definition 7 (the external Diffie-Hellman (XDH) assumption ). Let be a bilinear group. We say that the XDH assumption holds if for all PPT adversary , the DDH assumption over holds.
2.2. Other Cryptographic Tools
In this section, we introduce cryptographic tools applied for our construction.
BBS+ Signature [2, 6, 32, 57]. Let be the number of signed messages and let be a bilinear group. Select , , and , and compute . The signing key is and the verification key is . For a set of signed messages , choose , and compute . For a signature , the verification algorithm output 1 if holds. The BBS+ signature scheme satisfies existential unforgeability against chosen message attack (EUF-CMA) under the -SDH assumption. (First an adversary is given vk from the challenger . Then sends messages to and obtains the corresponding signatures. Finally, outputs a message/signature pair . We say that wins if is valid and has not sent as a signing query. The EUF-CMA security guarantees that the probability is negligible.)
Linear Encryption . A public key is such that for . The corresponding secret key is . For a plaintext , choose and compute a ciphertext , where , , and . can be decrypted as . The linear encryption is IND-CPA secure under the DLIN assumption. (First an adversary is given pkfrom the challenger . Then sends the challenge message to , and chooses and computes the challenge ciphertext which is a ciphertext of . is given and outputs a bit . The IND-CPA security guarantees that is negligible.)
Signature Based on Proof of Knowledge. In our group signature, we apply the conversion of the underlying interactive zero knowledge (ZK) proof into noninteractive ZK (NIZK) proof by applying the Fiat-Shamir heuristic . We describe such converted signature based on proof of knowledge (SPK) as , where is the knowledge to be proved, is a relation (e.g., in the case of the knowledge of the discrete logarithm), and is a signed message. The SPK has an extractor of the proved knowledge from two accepting protocol views whose commitments are the same but challenges are different.
3. Definitions of Group Signature with the Property of Hiding the Number of Revoked Users
Here, we define the syntax of revocable group signature and security requirements (anonymity with respect to the revocation and traceability) by adapting . Note that our definition follows the static group settings as in the BMW model , but we can easily handle the dynamic group settings as in the BSZ model  (and nonframeability) by adding an interactive join algorithm.
Definition 8 (syntax of -hiding revocable group signature).
Setup. This probabilistic setup algorithm takes as input the security parameter and returns public parameters params.
KeyGen. This probabilistic key generation algorithm (for GM) takes as input the maximum number of users and params and returns the group public key gpk, GM’s secret key msk, all user’s secret key , and the initial revocation-dependent value .
GSign. This probabilistic signing algorithm (for a user ) takes as input , , a signed message , and a revocation-dependent value (in the period ) and returns a group signature .
Verify. This deterministic verification algorithm takes as input gpk,, , and and returns 1 if is a valid group signature and 0 otherwise.
Revoke. This (potentially) probabilistic revocation algorithm takes as input gpk, msk, a set of revoked users , and and returns .
Open. This deterministic algorithm takes as input msk and a valid pair and returns the identity of the signer of ID. If ID is not a group member, then the algorithm returns 0.
In the Revoke algorithm, we set and assume that the nonrevoked users in are . Under this setting, boomerang users (who rejoin the group) are available (i.e., such that and ). In addition, if an invalid pair is input to the Open algorithm, then the Open algorithm easily detects this fact by using the Verify algorithm. So, we exclude this case from the definition of the Open algorithm.
Next, we define anonymity with respect to the revocation and traceability. As the main difference among our anonymity definition and previous ones, can issue the revocation queries against the challenge users in order to guarantee the unlinkability of revoked users. Note that we do not consider the CCA-anonymity, where an adversary can issue the open queries. So, we just handle the CPA-anonymity  only in this paper. However, as mentioned by Boneh et al. , the CCA-anonymity can be handled by applying a CCA secure public key encryption for implementing the open algorithm.
Definition 9 (anonymity with respect to the revocation).
Setup. The challenger runs the Setup algorithm and the KeyGen algorithm and obtains params, gpk, msk, and all . gives params and gpkto and sets , , and , where denotes the (initial) set of IDs of revoked users and CU denotes the set of IDs of corrupted users.
Queries. can issue the following queries. Revocation. can request the revocation of users for some constant . runs Revoke and adds to . Signing. can request a group signature on a message for a user where . runs GSign, where is the current revocation-dependent value and gives to . Corruption. can request the secret key of a user . adds to CU and gives to .
Challenge. sends a message and two users and , where . chooses a bit and runs , where is the current revocation-dependent value and gives to .
Queries. It is the same as the previous one (note that no corruption query for the challenge users is allowed).
Output. outputs a guessing bit .
We say that anonymity holds if, for all PPT adversaries , the advantage is negligible.
There are two types of revocable group signature such that any users can make a valid group signature, but anyone can check whether a signer has been revoked or not [3, 5, 10, 17], or no revoked user can make a valid group signature without breaking traceability [2, 4, 6, 11]. We implicitly require the second type of revocable group signature, since clearly anonymity is broken if one of the challenge users is revoked in a first type scheme. We also require that the challenger (that has msk) can break traceability to compute the challenge group signature for the case that a challenger user is revoked. Note that since msk is used for generating user’s secret keys, obviously any entity with msk makes an “untraceable” group signature, and this fact does not detract the security of our group signature.
One may think that the above anonymity definition can be extended that can issue the corruption query against the challenge users as in the full-anonymity . It might be desired that is not revealed even if revoked users reveal their secret signing keys, since their signing keys are already meaningless (i.e., the rights of signing have expired). For example, if users are not intentionally revoked (e.g., a user has not paid in the outsourcing businesses example ), then users might reveal their secret signing keys to compromise the systems. Or, even if users are intentionally revoked (e.g., they feel that this service is not interesting in the outsourcing businesses example), they might reveal their secret signing keys as a crime for pleasure. However, even if is kept hidden when revoked users reveal their secret signing keys, one can easily guess by counting the number of revealed secret keys. So, in our opinion such secret key leakage resilient property is too strong, and therefore, our proposed group signature does not follow this leakage property.
Next, we define traceability.
Definition 10 (traceability).
Setup. The challenger runs the Setup algorithm and the KeyGen algorithm and obtains params, gpk, msk, and all . gives params and gpk to and sets , , and , where denotes the (initial) set of IDs of revoked users and CU denotes the set of IDs of corrupted users.
Queries. can issue the following queries.
Revocation. can request the revocation of users for some constant . runs and adds to . GSigning. can request a group signature on a message for a user where . runs GSign, where is the current revocation-dependent value and gives to . Corruption. can request the secret key of a user . adds to CU and gives to . Opening. can request to a group signature on a message . returns the result of Open to .
Output. outputs a past interval for the current interval , and .
We say that wins if holds, where(1)Verify,(2) did not obtain by making a signing query at ,(3)for Open, ,(4)for Open, .
We say that traceability holds if, for all PPT adversaries , the advantage is negligible.
4. Proposed Group Signature Scheme with Hiding of the Number of Revoked Users
In this section, we propose an -hiding revocable group signature scheme by applying ABGS. Before explaining our scheme, we introduce ABGS as follows.
Attribute-Based Group Signature (ABGS). ABGS [22–25, 58] is a kind of group signature, where a user with a set of attributes can prove anonymously whether he/she has these attributes or not. Anonymity means a verifier cannot identify who the actual signer is among group members. As a difference from attribute-based signature (ABS) [59–68], there is an opening manager (as in group signatures) who can identify the actual signer (anonymity revocation), and a verifier can “explicitly” verify whether a user has these attributes or not [22, 24, 25]. By applying this explicit attribute verification, anonymous survey for the collection of attribute statistics is proposed . As one exception, the Fujii et al. ABGS scheme  achieves signer-attribute privacy (as in ABS), where a group signature does not leak which attributes were used to generate it, except that assigned attributes satisfy a predicate. As another property (applied in our construction), the dynamic property has been proposed in , where the attribute predicate can be updated without reissuing the user’s secret keys.
Our Methodology. We consider two attributes: (1) valid group user and (2) the user’s identity (say ), and apply the dynamic property of ABGS  and the signer-attribute privacy of ABGS . Here we explain our methodology. Let the initial access tree be represented as in Figure 1.
Due to the signer-attribute privacy, a user can anonymously prove that he/she has attributes “valid group user” and “.” Namely, anyone can verify whether the signer’s attributes satisfy the access tree, without detecting the actual attribute (i.e., the user’s identity).
When a user (say ) is revoked, the tree structure is changed as in Figure 2.
Due to the dynamic property of ABGS, this modification can be done without reissuing the user’s secret keys. By removing the attribute “valid group user” from the subtree of , we can express the revocation of , since cannot prove that his/her attributes satisfy the current access tree.
In addition, we propose randomization and dummy attribute techniques to implement the revocation procedure (Figure 3). We apply the Boldyreva multisignature scheme , since it is applied for the computation of the membership certificate in the Fujii et al. ABGS. Let be the time interval and let denote the attribute “valid group user.”
For a nonrevoked user , GM publishes the dummy value . Then can compute from and ’s secret key . Let be revoked in the time interval . Then, GM publishes a randomized dummy value (instead of ), and therefore, cannot compute due to the CDH assumption. Note that and are indistinguishable under the XDH assumption, where the DDH assumption holds in . So, no one can decide whether is a revoked user or not by observing either or . This is our main idea for preventing revealing the number of revoked users .
Next, we give our group signature scheme.
Construction 1 (proposed -hiding revocable group signature scheme).
Setup(). Select a bilinear group with prime order and a bilinear map , , . Output , where is a hash function modeled as a random oracle.
KeyGen. Let be all users. Set . Select . Compute(i) with the condition (note that is a public key of the linear encryption and is the corresponding secret key),(ii), , and for all ,(iii) and .For all , choose . If , then choose again until holds. Set and compute(i),(ii) (which is a BBS+ signature for signed messages ,(iii).Set . Output(i), where is a hash function which is modeled as a random oracle,(ii),(iii) for all , and ,(iv).
GSign. Let be a nonrevoked user in the current time interval . That is, for , and hold for some unknown exponent . chooses , sets , , , , , and , and computes Next, we explain the relations proved in SPK which proves the following three things.(1)A signer has a valid generated by the KeyGen algorithm.(i) can be verified by using the public value such that (ii)Since (resp., ) is hidden such that , (resp., ), this relation is represented as (iii)We need to guarantee the relation in the relation above. To prove this, introduce an intermediate value and prove that Note that yields and .(2)A signer has not been revoked.(i)A nonrevoked signer can compute from and , where is a signed message of . These satisfy the following relations: (ii)Since , , and are hidden such that , , and , these relations are represented as (iii)We need to guarantee the relations and in the relations above. To prove these, introduce intermediate values and and prove that (iv)As in and explained before, relations , , , and are obtained from the relations above.(v)Note that is a BBS+ signature for signed messages , and therefore depends on the current time interval .(3)A value for the Open algorithm is included in .(i) is a ciphertext (of the linear encryption scheme) of the plaintext , which can be computed by decrypting using msk.According to the above explanations, compute the SPK proving the following relations (we give the detailed SPK in the Appendix): Output .
Verify. Return 1 if is a valid group signature and 0 otherwise. We give the procedure of the verification algorithm in the Appendix.
Revoke. Let be a set of revoked users. Set . For all , choose . For all , choose (until holds), set , and compute and compute such that and set . Output .
Open. Compute and search such that and . If there is no such , output . Otherwise, output .
In our scheme, no public values have size dependent on and no costs of the GSign algorithm (or the Verify algorithm) depend on or . In addition, our scheme satisfies anonymity with respect to the revocation which guarantees the unlinkability of revoked users. So, in our scheme, no is revealed.
5. Security Analysis
Theorem 11. The proposed group signature scheme satisfies anonymity with respect to the revocation under the DLIN assumption and the XDH assumption in the random oracle model.
Proof. This proof contains three games, Games 0, 1, and 2. Game 0 is the same as anonymity game. In Game 1, all where is randomly chosen. Let be the adversary who breaks anonymity with respect to the revocation of our scheme and let be the simulator. First, chooses all values and sets up the scheme as in Game 0, except all , where are randomly chosen. Note that still can answer all queries issued from since knows all secret values and can compute for all . Under the XDH assumption, Game 0 and Game 1 are identical.
Game 2 is the same as Game 1, except that the challenge group signature contains the challenge ciphertext of the linear encryption. In Game 2, let be the challenger of the linear encryption and let be the adversary who breaks anonymity with respect to the revocation of our scheme. We construct algorithm that breaks the IND-CPA security of the linear encryption. First, gives the public key of the linear encryption . chooses all values, except for , and therefore can answer all queries issued from . In the challenge phase, sends . Let and be (a part of) secret key of and , respectively. sets and and sends to as the challenge messages of the linear encryption. sends the challenge ciphertext . sets and computes the challenge group signature . Note that does not know the random number and such that , since are chosen by . So, uses the backpatch of the random oracle for computing and includes in . Then, all values (except for ) are independent of . Note that even if is revoked in the challenge interval, can compute , since knows msk. Finally, outputs the guessing bit . outputs as the guessing bit of the IND-CPA game of the linear encryption.
Theorem 12. The proposed group signature scheme satisfies traceability under the -HSDH assumption, the CDH assumption, and the -SDH assumption, where is the final time interval that outputs .
Proof. From the winning conditions of traceability, that is, either or , an adversary is divided into the following three types: , , and , as follows: let be an adversary who outputs , where for Open, and hold. Let be an adversary who outputs , where for Open, and hold. In addition, let be an adversary who outputs , where for Open, holds (note that since , holds).
We construct an algorithm (resp., and ) that breaks the -HSDH assumption (resp., -SDH assumption, where is the number of signing queries, and the CDH assumption) by using (resp., and ).
First, we describe . Let be an -HSDH instance. selects , and choose all values, except for , , and . answers queries issued by as follows.
Revocation. requests the revocation of users for some constant . Since knows , adds to and simply returns the result of the Revoke algorithm.
GSigning. requests a group signature on a message for a user where . Since does not know , computes by using the backpatch of the random oracle and gives to .
Corruption. requests the secret key of a user . If , then aborts. Otherwise, sets , chooses , sets , and computes . adds to CU and gives to .
Opening. Since has , simply returns the result of the Open algorithm.
Finally, outputs a past interval for the current interval and a pair . By using the extractor of SPK, gets , where , , , , and hold. From , obtains by using the Open algorithm. If , then aborts. Otherwise, outputs as a solution of the -HSDH problem.
Next, we describe that outputs a forged BBS+ signature. Let be the challenger of the BBS+ signature. is given from . chooses all values, except for . For each revocation query, issues signing queries to for obtaining . So, needs to issue the signing query in times. For other queries, can answer since knows all other secret values. Finally, outputs a past interval for the current interval and a pair . By using the extractor of SPK, gets , where . Note that since , does not obtain from . So, outputs a forged BBS+ signature .
Finally, we describe that breaks the CDH assumption. Let be an CDH instance. selects , sets and , and chooses all values, except for and . answers queries issued by as follows.
Revocation. requests the revocation of users for some constant . Since knows , adds to and simply returns the result of the Revoke algorithm.
GSigning. requests a group signature on a message for a user where . computes by using the backpatch of the random oracle and gives to .
Corruption. requests the secret key of a user . If , then aborts. Otherwise, adds to CU and gives to .
Opening. Since has , simply returns the result of the Open algorithm.
Finally, outputs a past interval for the current interval and a pair . By using the extractor of SPK, gets , where , , , , and hold. From , obtains by using the Open algorithm. If , then aborts. Otherwise, solves the CDH problem as follows. Since , has computed and . That is, holds. So, outputs as the solution of the CDH problem.
6. Discussion: Toward Efficient and Standard Model Construction
One drawback of our scheme is that the number of public values depends on , since no common attribute can be applied for implementing the revocation procedure of “each” user. So, one may think that there might be a more trivial construction (without applying ABGS) if such a big-size public value is allowed. For example, as one of the most simple group signature constructions, let be users’ public keys, and GM randomizes these values such that and publishes . Each user (say ) proves the knowledge of for the relation using the OR relation such that to hide the identity . If a user (say ) is revoked, then publishes a random value (instead of ). In this case, the number of revoked users is not revealed under the DDH assumption, since is a DDH tuple. However, this trivial approach requires -dependent signing/verification cost, whereas our scheme achieves constant proving costs.
As another candidate, Sudarsono et al.  proposed an attribute-based anonymous credential system by applying an efficient pairing-based accumulator proposed by Camenisch et al. . Since the Sudarsono et al. construction follows AND/OR relations of attributes, a revocable group signature scheme with the property of hiding might be constructed. However, it is not obvious whether 2-DNF (disjunctive normal form) formulae can be implemented or not in the Sudarsono et al. attribute-based proof system. Later, Begum et al.  proposed an attribute-based anonymous credential system for CNF (conjunctive normal form) formulae which can be converted to DNF formulae. However, these constructions require the -dependent-size ( is the number of attributes in this context) public values to update the witness of users as in our group signature scheme. So, we insist that proposing a revocable group signature scheme with both the property of hiding and constant proving costs is not trivial even if such a large-size public key is allowed.
Libert et al.  proposed anonymous broadcast encryption, where information of a set of authorized users (indicated by a user who encrypts a plaintext ) is not revealed from a ciphertext, except for the size of . More precisely, they first considered a scheme, where there are public keys ( is the total number of users in this context) and the user encrypts (resp., 0) by using the corresponding user’s public key if a user belongs to (resp., does not belong to ), using key-private public key encryption . Though the size of ciphertext is , no information of , including its size, is revealed. In order to improve the size of ciphertext of their first scheme, Abdalla et al. applied robust encryption  and constructed an anonymous broadcast encryption scheme whose ciphertext size is . In other words, they can reduce the ciphertext size at the expense of information of the size of . In -hiding group signature, the size of the set of revoked user needs to be hidden. To do so, we essentially use the same methodology of the Libert et al.’s first scheme, that is, adding dummies. Though an anonymous broadcast encryption scheme with sublinear size ciphertext has been proposed , this scheme only achieves outsider anonymity, where the receiver’s identities are hidden from outsiders; this security notion seems not enough for our purpose. Therefore, if an efficient anonymous broadcast encryption scheme which hides the size of can be constructed, then we might construct more efficient -hiding group signature scheme by using the methodology of recent group signature schemes [7, 8], where nonrevocable users prove the decryption ability of a ciphertext of a broadcast encryption scheme.
Another (theoretical) drawback of our construction is using random oracles. Actually, a typical group signature construction methodology for standard model construction has been appearing in several papers after the Groth construction , that is, using Groth-Sahai proofs  and structure-preserving signatures . By applying this methodology, we can expect that an -hiding revocable group signature scheme in the standard model can be constructed. However, big-size public values problem still remains. So, we need to propose a novel methodology for proposing an -hiding revocable group signature scheme with small-size public key, even in the random oracle model.
Under a XDH-hard elliptic curve with 170-bit (as in [4, 10]), the size of signature is bits, where the size of an element of is 171 bits, the size of an element of is 513 bits, and the size of the challenge is 80 bits. Since the size of signature in  (resp., in ) is 1444 (resp., ) bits, there might be space for improvement of the signature size.
In this paper, for the first time we pointed out that the number of revoked users is quite negative information in group signature, and we propose a revocable group signature scheme with the property of hiding , by applying ABGS. As a matter of first priority, proposing such a group signature scheme with small-size public parameter is an interesting future work. Then, we may be able to apply the standard model construction methodology for constructing an efficient scheme in the standard model.
AppendixHere, we describe the detailed SPK as follows.(1)Choose .(2)Compute (3).
So, the final form of a group signature is described as .Next, we give the detailed verification procedure. Let .(1)Compute