Group signatures with reduced bandwidth

S. Zhou and D. Lin

Abstract: Group signatures are generalised credential/member authentication schemes with
wide applications. Membership revocation problem is a major issue of group signatures, and
is often resolved through an additional protocol which would encumber the whole group
signature both in computation and storage, as Camenisch et al. did to ACJTs group
signature scheme (the rst ever practical group signature based on RSA problem put forward
by Ateniese et al. at Crypto00) by dynamic accumulator. Boneh et al. applied Camenisch
et al.s dynamic accumulator based revocation reversely, resulted in short group signature.
We formally dene the method used by Boneh et al., named reversed dynamic accumulator in
this paper, and apply it on some previous group signatures to obtain improved ones with
revocation capability, reduced bandwidth (signature size) and less signature generation
computations. We also address the problems unsolved in Boneh et al.s work, e.g. how to
open a group signature since the current certicate may no longer be the one stored when it is
rstly generated.
1 Introduction
Group signature [1] is motivated by enabling members
of a group to sign on behalf of the group, without leak-
ing their own identities; but the signers identity can be
opened by the group manager when a dispute occurs, so
that the signing member can take the responsibility for
his/her behaviour. Various applications of group signa-
tures include anonymous authentication, internet voting,
bidding. But inefciency has prevented group signatures
from being widely applied in real world.
In brief, a group signature at least includes the fol-
lowing ve algorithms: SETUP, JOIN, SIGN, VERIFY
and OPEN. SETUP is executed by a group manager
(GM); JOIN is an interactive protocol between group
members and GM; SIGN is an algorithm run by group
members; any one can execute VERIFY to check the
validity of a given group signature; OPENis used by GM,
or a separate opener when available, to open a given
signature for the identity of its signer. The security req-
uirements for a group signature have been described and
formalised in [24] etc.
1.1 Membership revocation
Membership revocation is pointed out as a major
problem preventing proposed group signatures from
widely applied in real world in [5].
The resolutions to the problem can be classed into
two categories. One is based on certicate revocation list
(CRL) as [6,7]. In this category, generally GM issues
a revocation list of identities (i.e. public membership
keys). Any group member proves in a zero-knowledge
way that his identity encrypted in the signature is not
equal to any one in the revocation list. The drawback is
that signature size is linearly dependent on the size of
revocation list [6].
[7] improved the CRL based revocation resolution
so that signature size and computation were constant,
while complexity of VERIFY was linearly dependent on
the size of revocation list. GM publishes a CRL which
includes V
i
= f(pcert
i
), evaluations of one way function f
on partial certicate information pcert
i
unique to each
group member. In signing a message, j-th member
includes R,T = f
/
(V
j
, R) (f
/
is another one way function)
in the signature. Veriers check if T = f
/
(V
i
,R) by trying
every V
i
in the current CRL.
Another category is based on witness, specically
dynamic accumulator [8, 9]. GM publishes a single acc-
umulated value a, every group member proves in a zero-
knowledge way that he knows corresponding witness
w to a. It should be hard for users outside of the group
to forge such witnesses. Revocations in this category are
more efcient than CRL based resolutions, but they
have a common drawback that previously signed sig-
natures might not being able to pass VERIFY algorithm
under the current verication keys (i.e. public keys).
This inconvenience can be overcome by keeping tracks
of the public keys changes, running VERIFY with cor-
responding proper public key. Even in CRL based
group signatures with membership revocation, verifying
with proper CRL is also important.
The following literature review and our improvements
are in witness-based category.
As far as we know, [2] plus [8] and [10] plus [9] are the
only group signature schemes that have efcient revo-
cation algorithms, constant signature size, and constant
verication complexity.
[8] initiated the idea of dynamic accumulator and an
efcient revocation scheme for ACJT scheme. Whenever
membership change occurs, GM publishes an accu-
mulated value u = u
0
Q
jS
e
j
(S is the set of all current
members) along with the identities (e
i
) of changed
members. [9] is in the same line of [8], that a new
dynamic accumulator from bilinear maps is proposed.
The Institution of Engineering and Technology 2006
IEE Proceedings online no. 20055141
doi:10.1049/ip-ifs:20055141
Paper first received 1st December 2005 and in revised form 16th August
2006
The authors are with SKLOIS Lab, Institute of Software, Chinese
Academy of Sciences, 100080, Beijing, Peoples Republic of China
E-mail: zhousujing@is.iscas.ac.cn
146 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006

On the same direction, [11] put forward a new group
signature with membership revocation based on q-
Strong DifeHellman assumption [12], with a change
that the revoked members instead of remained legit-
imate members are accumulated, and the accumulated
value is part of GMs public key, thus no additional
values have to be published in contrast to [8]. And
whenever new member addition occurs, the system and
other members do not have to update except that secret
keys of new members are to be generated according to
the current partly updated public keys.
But they did not deal with OPEN algorithm if such
dynamic revocation is adopted, because the latest
certicate of members, such as A
i
, may no longer be
the same one stored in the registration table after group
members joining and leaving. So if previous OPEN
algorithms are still used, they will fail to rediscover the
identity of the signer.
In this paper, we formally dene the revocation
method proposed in [11] and apply it on [2] and [10],
resulting in shorter signature than [8] and [9]. We
present new OPEN algorithms in these cases and
analyse the correctness of them.
1.2 Related work
The idea of [13], another membership revocation
method for ACJTs scheme, is to prevent members
from frequent updating secret keys. This idea has
already been used in an earlier literature, where a signer
is supposed to prove that his certicate does not equal to
any one in the revocation list. The disadvantage is that
the computation complexity and signature size are
directly proportional to revoked members number. In
fact, it is still the case in [13], where a signer is to prove
the knowledge of one value e
i
co-prime to E (a published
value of products of all e
j
in revocation list). In the proof
of knowledge, a, b satisfying e
i
aEb = 1 are calculated;
the resulting signature includes a value s whose size is
proportional to E, i.e. the number of revoked members.
1.3 Our contribution
We present improved schemes for [2, 8] and [9, 10],
respectively. As shown in Table 1, the signature length,
i.e. bandwidth, and computation of signature generation
and verication are nearly halved, at the cost of more
computation in opening algorithm, which is far less
frequently executed than other algorithms. A similar
result can be concluded about our improved scheme 6
and the scheme of [9, 10].
The idea behind our proposals is reversing the secure
dynamic accumulator adopted in previous group signa-
ture schemes to support membership revocation.
1.4 Organisation
We introduce the idea of reversed dynamic accumulator
in Section 2; then describe ACJTs group signature
and CLs membership revocation scheme in Section 3;
our proposed improvement appears in Section 4. The
original scheme of [9, 10] is reviewed in Section 5,
following with our proposed improvement in Section 6.
1.5 Notations
The following notations and denitions will appear in
the paper.
v PK{(a, b, . . . ) : R(a, b, . . . )} denotes a proof of
knowledge the values of (a, b, . . . ) satisfying the relation
R(a, b, . . . ).
v SK{(a, b, . . . ) : R(a, b, . . . )}{m} denotes a signature of
knowledge, a non-interactive version of the above proof
of knowledge. Because of the ease of transformation
between PK and SK, they might be mentioned
interchangeably.
2 Dynamic accumulators
A one-way accumulator is a function mapping multiple
items into a single value, and the value has nothing to do
with the order of the items being evaluated. It is often
used in member authentication as follows: every
member is given (w
i
, c
i
), the system runs a proper one-
way accumulator f on every c
i
to get a single value C,
where (w
i
, c
i
, C) satises f (w
i
, c
i
) = C, every member
authenticates himself by providing a zero-knowledge
proof of knowledge of the witness w
i
. When a new
member applies for joining in the system, the system
assigns a new (w
j
, c
j
) to him then update C as in C
f(C, c
j
), the other members witnesses can be updated by
themselves as in w
i
f (w
i
, c
j
).
Let f(u
0
; c
i
) = u
0
c
i
mod n, it is easy to see that it is a
one way accumulator with the features described above.
But it has a disadvantage that if any member is to leave
the system, the system has to be reestablished from
scratch. [8] proposed the idea of dynamic accumulators
that supports dynamic members changes. It is achieved
by restricting c
i
to different primes in a certain range,
thus when a member is to join in the system, the system
manager (the other members) can run D
a
(W
a
) to update
C (w
i
) exactly as before; when a member holding c
j
is to
be excluded from the system, the system manager can
run D
d
to update C as C C
1=c
j
mod n since he knows
the trapdoor of f, i.e. the factorisation of n, all members
except the excluded member can update their witnesses
w
i
by running Extended GCD algorithm without help
from the system manager.
We present a general denition of a secure dynamic
accumulator provided in [8, 9]. We extends the domain
and range of an accumulator from a single value to a
vector of values, the witness w from a single value
satisfying f (w,x) = v, to a vector of values satisfying R
(w,x,v) = 1.
Denition 1. Let A
k

kN
be a sequence of sets of values,
T
k

kN
a sequence of sets of functions from |
f
A
k
to
set |
f
, and {R
k
}
kN
a sequence of sets of relations. As in
[8], |
f
is an efciently samplable input domain for the
function T
k
, and A
k
is the intended input domain whose
elements are to be accumulated. For v |
f
, and x A
k
,
a vector of values w U
R
is called a witness for x in v
with R R
k
if it satises the relationship R, i.e. R(w,x,v)
= 1. A
k

kN
; T
k

kN
; 1
k

kN
is called a secure
dynamic accumulator if they have the following
properties:
v Efcient generation: There exists an efcient prob-
abilistic algorithm G(1
k
) to output a random function
f T
k
: |
f
A
k
|
f
, and a corresponding relation
R(U
R
; A
k
; |
f
), possibly along with some auxiliary
information aux
f
(trapdoor). Note that here |
f
can be
a set of vectors.
v Efcient evaluation: f T
k
is a polynomial-size
circuit that on input (u; x) |
f
A
k
, output v.
v Quasi-commutativity: For all k, for all f T
k
,
for all u |
f
, for all x
1
; x
2
A
k
; f(f(u; x
1
); x
2
) =
f ( f(u; x
2
); x
1
). That is, for X = x
1
; x
2
; :::; x
m
_ A
k
,
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 147

the value vector f ( f ( . . . (u,x
1
), . . . ), x
m
) is independent
of the order of x
i
, therefore can be denoted by f (u,X)
without confusion.
v Coalition resistance: For all probabilistic polynomial-
time adversary /, the following probability is negligible:
Pr[(f, R) G(1
k
), u U
f
, (x; w; X) A(f, R, U
f
, u) :
X A
k
, x = X; w U
R
, R(w, x, f(u, X)) = 1[
v Efcient addition: There exist polynomial algorithms
T
a
;
a
that if v = f(u,X), x X, x
/
= X, and R(w,x,v) = 1,
then (1) T
a
(v; x
/
) = v
/
such that f(u,X{x
/
}) =v
/
; and (2)

a
(f; R; v; v
/
; x; x
/
; w) = w
/
such that R(w
/
, x, v
/
) = 1.
v Efcient deletion: There exist polynomial algorithms
T
d
; W
d
that if v = f (u,X), x, x
/
X, x ,= x
/
, and R(w,x,v)
= 1, then (1) T
d
(aux
f
; v; x
/
) = v
/
such that
f(u; X x
/
) = v
/
; and (2)
d
(f; R; v; v
/
; x; x
/
; w) = w
/
such that R(w
/
,x,v
/
) = 1.
Note that D
d
is executable in polynomial time only
when the trapdoor is available.
2.1 Secure reversed dynamic accumulators
If T
k
in the above denition is a family of bijective
functions, we get a new accumulator by reversing all the
functions in T
k
. The new accumulator with T
1
k
, or
discharger, has the following properties if the original
accumulator is secure dynamic:
v Efcient generation: The efcient generation for T
k
is
still available for T
1
k
:
v Efcient evaluation: v = f
1
(u, x) is polynomial
computable by running T
d
(aux
f
; u; x).
v Quasi-commutativity: For all k, for all f T
k
, for all
u |
f
, for all x
1
; x
2
A
k
, if a = f
1
( f
1
(u, x
1
), x
2
), b =
f
1
( f
1
(u, x
2
), x
1
), then a = b. The equality is obtained
by checking u = f ( f(a, x
2
), x
1
) = f ( f(b, x
1
), x
2
) and
bijective f. That is, for X = x
1
; x
2
; :::; x
m
_ A
k
, the
value vector f
1
(f
1
( . . . (u, x
1
), . . . ), x
m
) is independent
of the order of x
i
, therefore can be denoted by f
1
(u, X)
without confusion.
v Efcient witness: There exist a polynomial algorithm
1(aux
f
; x; u; ) to calculate w that R(w,x,u) = 1.
v Security: For all probabilistic polynomial-time adver-
sary /, the following probability is negligible:
Pr[(f; R) G(1
k
); u |
f
; (x
i
; w
i
) Oracle(1; u);
i [1; t[; j
R
[1; t[; u
/
Oracle(f
1
(u; x
j
));
w /(f; R; |
f
; u; u
/
) :
w U
R
; R(w; x
j
; u
/
) = 1[
Otherwise the coalition resistance of the original
accumulator will not hold.
v Efcient discharge: There exist polynomial algorithms
1T
d
; 1
d
that if v = f
1
(u, X), y, x
/
= X, y ,= x
/
, and
R(w, y, v) = 1, then (1) 1T
d
(aux
f
; v; x
/
) = v
/
such that
f
1
(u, X {x
/
}) = v
/
; and (2) 1
d
(f; R; v; v
/
; y;
x
/
; w) = w
/
such that R(w
/
, y, v
/
) = 1. Precisely, 1T
d
can be computed by running T
d
(aux
f
; v; x
/
), 1
d
by
invoking
d
(f; R; v; v
/
; y; x
/
; w).
v Efcient recharge: There exist polynomial algorithms
1T
r
; 1
r
that if v = f
1
(u, X), y = X, x
/
X, and
R(w, y, v) = 1, then (1) 1T
r
(v; x
/
) = v
/
such that
f
1
(u; X x
/
) = v
/
; and (2) 1
r
(f; R; v; v
/
; y; x
/
; w) =
w
/
such that R(w
/
,y,v
/
) = 1. Actually, 1T
r
can be
computed by running T
a
(v; x
/
); 1
r
by invoking

a
( f; R; v; v
/
; y; x
/
; w).
The witness of x in v = f (u, X) dened in secure
dynamic accumulator becomes witness of x not in u =
f
1
(v,X) dened in the reversed accumulator.
Theorem 1. If f is a secure dynamic accumulator, then
f
1
is a secure reversed dynamic accumulator.
The proof is provided in Section 10.1.
2.2 Comparisons
For an ordinary dynamic accumulator, the evaluation is
efcient and available to every one, while for an reversed
dynamic accumulator, the evaluation is only efciently
available to some authority who knows the trapdoor in
executing D
d
dened in its ordinary version, but the
correctness of D
d
is veriable by every one checking the
relation R.
Discharge and recharge algorithms of a reversed
dynamic accumulator are similar to deletion and
addition algorithms of the dynamic accumulator respec-
tively, except that the order of them being invoked is
reversed.
An extra algorithm calculating witnesses 1 is
added in denition of reversed dynamic accumulator,
while it is not explicitly dened in ordinary dynamic
accumulator for the current accumulator u is the witness
of the next x to be accumulated.
2.3 Examples of secure reversed
dynamic accumulators
We reverse the secure dynamic accumulator construc-
tion dened in [8], see Section 10.2 for the security
proof.
Scheme 1. Let f T
k
be f(u; e) = u
e
mod n;
u QR(n); e A, where n is a product of two safe
primes with length k/2. A = e : e Z
+
n
Primes.
Then f
1
(u; e) = u
1=e
mod n is a secure reversed
dynamic accumulator. Witness of e not in u is knowl-
edge of x that x
e
= u mod n. The trapdoor of factorisa-
tion of n, i.e. aux
f
, is known only to the operator of
reversed accumulator.
3 Review of ACJTs group signature
and CLs membership revocation
The ACJT scheme [2] begins by choosing security
parameters " > 1; k; l
p
, as well as a collision resistent
Hash function H : 0; 1
+
0; 1
k
, let D = [2
l
1
2
l
2
;
2
l
1
2
l
2
[; G=[2
g
1
2
g
2
; 2
g
1
2
g
2
[, where l
1
> " (l
2
k)
2; l
2
>4l
p
; g
1
> (g
2
k) 2; g
2
>l
1
2.
3.1 SETUP
GM randomly chooses two safe primes p, q, i.e. p
/
=
(p 1)/2 and q
/
= (q 1)=2 are large primes too and
a;a
0
;g;h
R
QR
n
;x
R
Z
p
/
q
/ , calculates n=pq;y=g
x
modn.
Group public keys are Y=n;a;a
0
;y;g;h. GMs secret
keys are S=p
/
;q
/
;x.
3.2 JOIN
When user U wants to join the group, he runs an
interactive protocol with GM, and in the end, U obtains
his secret keys x
u
D, his certicate (A
u
, e
u
), where
e
u

R
G, and A
u
:= (a
x
u
a
0
)
1=e
u
mod n:(A
u
; e
u
; x
u
) is the
signing key of U. (A
u
, e
u
) and transcripts generated as
well as the identity of U are stored in a registration
database.
148 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006

3.3 SIGN and VERIFY
U signs on m by generating an honest verier zero-
knowledge proof of (A
u
; e
u
G; x
u
D), which is for-
mulated specically as follows
SK(a; b; g; d) : a
0
= T
a
1
=a
b
y
g
modn; T
2
= g
d
mod n;
1 = T
a
2
=g
g
mod n; T
3
= g
a
h
d
mod n; a G; b Dm;
The verication of the group signature is the verication
of the above proof.
3.4 OPEN
GM calculates A := T
1
=T
x
2
mod n, compares it with the
registration database, the signature signer is then traced;
then GM generates a proof of knowledge PK x : y =
g
x
mod n; T
1
=A
u
= T
x
2
mod n to support his judgement.
3.5 Revocation [8]
An accumulated value u = u
0
P
jS
e
j
is published, where S
is the set of all current group members. Each legitimate
member has to prove his knowledge of w
i
Z
+
n
such that
w
e
i
i
= u mod n, (called witness of U) additionally.
v Members addition: When members in E
add
are to be
added into the group, GM updates u: u u
Pe
j
; e
j

E
add
. An old member e
i
updates his witness w
i
: w
i

w
Pe
j
i
; e
j
E
add
.
v Members deletion: When members in E
del
are to be
revoked from the group, GM updates U: u u
1=Pe
j
;
e
j
E
del
. An old member e
i
= E
del
updates his witness
w
i
: w
i
w
t
i
u
s
, where se
i
te
j
= 1; e
j
E
del
.
To combine all the proofs of knowledge together
efciently, [8] introduced 3 more values: C
e
= g
e
i
h
t
1
;
C
u
= w
i
h
t
2
; C
r
= g
t
2
h
t
3
, where t
1
; t
2
; t
3

R
Z
n=4|
. And the
complete group signature becomes
SK(a; b; g; d; g
1
; g
2
; g
3
;
1
;
2
) : a
0
=T
a
1
=a
b
y
g
modn;
T
2
=g
d
modn; 1 =T
a
2
=g
g
modn; T
3
=g
a
h
d
modn;
C
r
=g
g
2
h
g
3
modn; C
e
=g
a
h
g
1
modn; u =C
u
a
=h

1
modn;
1 =C
r
a
=(g

1
h

2
) modn; a G; b D:
The complication of the proof of knowledge above
lies in the difculty of proving knowledge of an exponent
and a root [i.e. (A
i
,e
i
) and (w
i
,e
i
)] at the same time.
4 Reducing bandwidth of ACJT-CLs group
signature
The idea behind our proposal is to view f
1
2
(a; a
0
; e) =
(a
1=e
; a
1=e
0
) as a reversed extended dynamic accumulator,
where witness of e in (a,a
0
) is (A,x) so that A
e
=
a
x
a
0
mod n.
In fact, [7] had proposed a simple revocation similar
to our proposal. They let a, a
0
change sequentially every
time membership revocation took place. But their
scheme was so inefcient (the reason lay in the way
a, a
0
were changed) that it was abandoned by the authors.
Our scheme could be seen as an efcient version of [7].
Scheme 2. The chosen security parameters and algo-
rithms of SETUP, JOIN, SIGN, VERIFY are exactly
the same as the original ACJT group signature revie-
wed in Section 3, except that a, a
0
can be different
when a membership revocation occurs, so we omit
them here.
1. UPDATE. The UPDATE algorithm comprises
two parts, each executed by GM and concerned
group members, respectively. See Section 10.3 for its
correctness.
v UPDATE-GM
When member revocation occurs, take U
j
0
with
certicate (A
j
0
; e
j
0
) as an example, GM is able to update
a,a
0
as follows because he knows the factorisation of
n: a a
1=e
j
0
modn; a
0
a
0
1=e
j
0
mod n
When member addition occurs, a, a
0
are unchan-
ged. GM just runs normal JOIN protocols with new
members under current values of a, a
0
, the other
members are not affected at all.
v UPDATE-MEMBER
When member revocation occurs, take U
j
0
with
certicate (A
j
0
; e
j
0
) as an example, now part of the public
key a,a
0
have been updated to a
/
; a
/
0
, the i-th member
(i ,= j
0
) can update his certicate as follows: he rst
calculates s,t, so that se
i
te
j
0
= 1, then computes
A
/
i
= A
t
i
(a
/
x
i
a
/
0
)
s
mod n. The computation does not
require group secret key, i.e. factorisation of n, so any
unrevoked group member is able to run UPDATE-
MEMBER.
When member addition occurs, the other members
do nothing.
2. OPEN. GM or Opener calculates A := T
1
=T
x
2
mod n,
compares it with items in the registration database T, if
a match is found, GM generates a proof of knowledge
PKx : y = g
x
mod n; T
1
=A = T
x
2
modn to support his
judgement.
Else if no match is found, GM sets B A, computes
B B
e
j
mod n and searches in T for a match, for each
e
j
E
del
in the reverse order (i.e. if e
1
is revoked before
e
2
, then compute B
e
2
rst) until a match is found.
In other words, if E
del
= e
j
1
; ::::; e
j
D
where
e
j
k
; k [1; D[ is in the order of revocation time, GM
computes A
e
j
D1
e
j
D
:::e
j
k
mod n, from k = D+1 to k = 1 (set
e
j
D1
= 1), and searches in T for a match after each
computation; if a match is found, then stops, outputs
the A
i
and the sequence of e
j
, generates a proof of
knowledge PKx : y = g
x
mod n; T
1
=A = T
x
2
mod n. If
no match is found at last, then output failure.
4.1 The OPEN algorithm
A disadvantage of our proposed scheme is that running
OPEN algorithm on a group signature with encrypted
certicate, e.g. A
i
, might result in a different value from
the stored certicates by GM, because the members
might have updated their certicates when members
deletion occurs. This problem is xed in the above
OPEN algorithm.
It might be doubtful that multiple matches exist in
OPEN. Suppose a user with (x, A, e) joined in the group
when public key is a, a
0
, and A is stored in T; after some
updates, the public key has been updated to a
//
; a
//
0
, the
user generates a group signature using current certicate
A
//
where A
//
e
= a
//
x
a
//
0
mod n. After A
//
is decrypted,
if OPEN is executed on A
//
, the correct A and identity
of user should be recovered when rolling back to a, a
0
,
but what if in an intermediate status, e.g. a match
is found when rolling back to a
/
; a
/
0
between (a, a
0
)
and (a
//
; a
//
0
)
Suppose (a
/
; a
/
0
) = (a
1=E
; a
1=E
0
), and (a
//
; a
//
0
) =
(a
/
1=F
; a
/
0
1=F
), where E and F are co-prime products
of primes in G. If a match is found ahead of correct time,
i.e. there exists a A
/
= A
//
F
in T, then there must be
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 149

a (e x; e e) satisfying A
/
~ e
= a
/
~ x
a
/
0
, so
A
//
eF
= a
/
x
a
/
0
mod n
A
//
F~ e
= a
/
~ x
a
/
0
mod n
When x ,= e x (the probability of x = e x is negligible, so
only inequality is considered here), A
//
Fe~ xF~ ex
=
a
/
0
~ xx
mod n is obtained, if a
/
0
= b
1=C
from some random
b, and C is product of some primes G, which is available
from published revocation list, then the RSA problem of
b is resolvable by the user A and A
/
since the left
exponent is larger than the right one, a contradiction to
RSA assumption. The argument shows the correctness
of above OPEN algorithm.
4.2 Security
Theorem 2. The underlying reversed dynamic accumu-
lator is secure (the proof is in Section 10.5).
Theorem 3. In the proposed scheme, revoked member is
not able to forge valid certicates in polynomial time
(the proof is in Section 10.6).
4.3 Efciency comparisons
Table 1 is a comparison of our scheme and [7, 8] with
respect to signature bandwidth and required computa-
tions (in terms of number of modulus exponent and
root extraction, denoted as e and r, respectively) in
UPDATE, SIGN, VERIFY and OPEN algorithms,
under the parameters of l
p
= 512; k = 160; " = 1:1;
l
2
= 2048; l
1
= 2430; g
2
= 2432; g
1
= 2854. Computa-
tions in UPDATE, i.e., Add and Delete, are summed for
GM and group member (M) separately. Note: BW,
short for bandwidth, i.e. signature size; gpk denotes
group public key; R is the number of revoked members.
5 Review of Nguyen-Nainis group signature
and Nguyens membership revocation
Nguyen-Nainis group signature [10] is essentially the
same as the one with non-frameablity in [11] (Section 7),
except with different description.
It begins by choosing security parameters l, as well as
a collision resistent Hash function H : 0; 1
+
Z
p
, and
a bilinear map e : G
1
G
1
G
M
; ord(G
M
) =p; G
1
=<P>.
SETUP. GM randomly chooses x; x
/
Z
+
p
; P
0
; G;
H
R
G
1
, computes P
pub
= xP; Y = e(G; G)
x/
. Group
public keys are P; P
0
; P
pub
; H; G; Y, GMs secret keys
are x; x
/
.
JOIN. When a user denoted as i want to join the
group, he runs an interactive protocol with GM, and in
the end, user i holds secret key x
i
, and (a
i
,S
i
) called
a certicate from GM, D
i
as his identity, where
e(a
i
P P
pub
; S
i
) = e(P; x
i
P P
0
), and D
i
= e(P; S
i
).
SIGN. A signature of user i on m is to show his
knowledge of (a
i
; S
i
; x
i
) such that e(a
i
P P
pub
; S
i
) =
e(P; x
i
P P
0
), and he has correctly encrypted his
identity D
i
in (E = tG; L = D
i
Y
t
), without revealing
any information about his identity, except for the
opener, who can decrypt (E, L) to get D
i
.
VERIFY. Verier accept a signature by checking the
correctness of the signature of proof.
OPEN & JUDGE. Omitted here.
Revocation [9]. Publish an accumulated value V,
which is initialised to V
0
= uQ, where u
R
Z
+
p
. Add
Q
pub
= sQ to the public key.
Suppose the current group accumulator value is V
j
,
when user i with (x
i
; a
i
; S
i
) has joined the group, GM
updates the value V
j
to V
j 1
: V
j1
= (a
i
s)V
j
.
User i sets his current membership witness W
i;j1
to be
V
j
. While the other members update their membership
witnesses as follows (take user i
/
with (a
i
/ ; S
i
/ ; x
i
/ ) as an
example): W
i
/
, j1
= V
j
(a
i
a
i
/ )W
i
/
;j
.
Suppose the current group accumulator value is V
j
,
when user i with (x
i
; a
i
; S
i
) has been revoked from the
group, the GM or issuer updates the value V
j
to V
j 1
:
V
j1
=
1
a
i
s
V
j
User i
/
,= i with (a
i
/ ; S
i
/ ; x
i
/ ) updates his membership
witness as follows:
W
i
/
;j1
=
1
a
i
a
i
/
(W
i
/
;j
V
j
)
The group signature includes an additional proof of
knowledge of (a
i
,W
i
) that e(a
i
QQ
pub
; W
i
) = e(Q; V),
so the complexity is nearly twice that of the revocation-
free scheme.
6 Reducing bandwidth of Nguyen-Nainis
group signature with revocation
Scheme 3. The chosen security parameters and algo-
rithms of SETUP, JOIN, SIGN, VERIFY are exactly
the same as the original Nguyen-Nainis group signature
scheme [10] reviewed in Section 5 except that P; P
0
; P
pub
can be different when a membership revocation occurs,
so we omit them here.
1. UPDATE. The UPDATE algorithm comprises two
parts, each executed by GM and concerned group
members respectively. See Section 10.4 for its correctness.
v UPDATE-GM
When member revocation occurs, suppose user j
0
with certicate (S
j
0
; a
j
0
) is to be deleted, GM is able to
update P; P
0
; P
pub
since it knows group secret key x:
P
1
a
j
0
x
P; P
0

1
a
j
0
x
P
0
;P
pub
xP
When member addition occurs, P,P
0
are unchan-
ged. GM just runs normal JOIN protocols with new
members under current values of P,P
0
, the other
members are not affected at all.
v UPDATE-MEMBER
When member revocation occurs, suppose user j
0
with certicate (S
j
0
; a
j
0
) has been deleted, now P,P
0
has
been updated to P
/
; P
/
0
, the ith member (i ,= j
0
)
computes:
S
/
i
=
1
a
j
0
a
i
[S
i
(x
i
P
/
P
/
0
)[
Note that the computation does not require group
secret key x, so is available to any unrevoked group
member.
When member addition occurs, the other members
do nothing.
Table 1: Comparison of ACJT scheme with various
membership revocations
Standard BW gpk Add Delete SIGN VERIFY OPEN
[Ast02] O(k) 6288 Not required 14e O(R) 1e
[CL02] 20399 7312 GM:1e/M:1e GM:1r/M:2e 24e 24e 1e
Ours 14261 6288 GM:0/M:0 GM:2r/M:3e 11e 11e Re
150 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006

2. OPEN. The decryption is same as Nguyen-Nainis.
After D is obtained from decryption, GM compares it
with items in the registration database T; if a match is
found, output the identity and a proof of correct
decryption as in [10].
Else if no match is found, GM sets B D, computes
B B
(a
j
x)
2
and searches in T for a match, for each
a
j
E
del
in the reverse order (i.e. if a
1
is revoked before
a
2
, then compute B
a
2
rst) until a match is found.
In other words, if E
del
= a
j
1
; ::::; a
j
D
where
a
j
k
; k [1; D[ is in the order of revocation time,
GM computes D
(a
j
D1
x)
2
(a
j
D
x)
2
:::(a
j
k
x)
2
, from k = D +
1 to k = 1 (set a
j
D1
= 1), and searches in T for a match
after each computation; if a match is found, then stops,
outputs the D
i
, the identity and the sequence of a
j
,
generates a proof of correct decryption. If no match is
found at last, then output failure.
6.1 Correctness of OPEN
The correctness of above OPEN can be veried as
follows. Suppose a group member joined the group at
(P; P
0
; P
pub
), obtained a certicate S
i
and D
i
= e(P; S
i
)
was stored in T. After some time public key (P; P
0
; P
pub
)
has been updated to (P
/
; P
/
0
; P
/
pub
) because of revocation
of a
j
. The group member generates signatures under
current public key, encrypts D = e(P
/
; S
/
i
) in the group
signature.
D
(a
j
x)
2
= e((a
j
x)P
/
; (a
j
a
i
a
i
x)S
/
i
)
= e(P; (a
j
a
i
)S
/
i
x
i
P P
0
)
= e(P; S
i
) = D
i
It might be doubtful that multiple matches exist in
OPEN. Suppose a group member with secret key and
certicate (x
i
; S
i
; a
i
) joined the group when public key is
(P; P
0
; P
pub
), and D
i
= e(P; S
i
) is stored in T; after some
updates, the public key has been updated to
(P
//
; P
//
0
; P
//
pub
), the member generates a group signature
using current certicate S
//
i
where S
//
i
=
1
a
i
x
(x
i
P
//
P
//
0
).
After e(P
//
; S
//
i
) is decrypted, if OPEN is executed, the
correct D
i
and identity of user should be recovered when
rolling back to (P; P
0
; P
pub
), but what if a match is
found in an intermediate status between (P,P
0
,P
pub
) and
(P
//
; P
//
0
; P
//
pub
), say (P
/
; P
/
0
; P
/
pub
):
Suppose (P
/
, P
/
0
; P
/
pub
) = (
1
E
P;
1
E
P
0
;
1
E
P
pub
), and
(P
//
; P
//
0
; P
//
pub
) = (
1
F
P
/
;
1
F
P
/
0
;
1
F
P
/
pub
), where E and F are
products of a
k
x, a
k
s are published in revocation list
and it is said k E if a
k
x is included in E, E F = .
Denote E =
Q
kE
(a
k
x); F =
Q
kF
(a
k
x).
If a match is found ahead of correct time, i.e. there
exists a e(P
/
; S
/
) = e(P
//
; S
//
i
)
F
2
in T, then there must be
a (x
j
; a
j
,= a
i
) satisfying S
/
=
1
a
j
x
(x
j
P
/
P
/
0
), so
1
a
j
x
(x
j
P
/
P
/
0
) = S
/
= FS
//
i
=
1
a
i
x
(x
i
P
/
P
/
0
)
If P
/
0
= gP
/
, g is unknown to GM, then from above
equation it follows that
g =
a
j
x
i
a
i
x
j
(x
i
x
j
)x
a
i
a
j
It means if multiple matches for one decrypted D
occurs with non-negligible probability, then it can be
used to resolve the discrete logarithm problem in a
certain group, which is a contradiction to our
assumption since q-SDH assumption implies discrete
logarithm assumption.
6.2 Security
The security of our scheme can be reduced to the
original scheme of [10] and adopted secure reversed
dynamic accumulator, which we omit here for its
similarity with ACJTs scheme.
6.3 Efciency comparisons
Obviously SIGN here is more efcient than the original
scheme with membership revocation, since an additional
proof of knowledge of his witness W
i;j1
is missing.
UPDATE algorithm is also efcient especially when
member addition occurs, since no updates are needed
at all.
7 Conclusions
We formally dened reversed dynamic accumulator,
which has been used in some short group signatures
to provide revocation efcient [11]; we then applied it to
[2, 8] and [9, 10] to obtain short group signature schemes
with revocation.
We deal with some problems occurring when reversed
dynamic accumulators are adopted, which has not been
considered and solved in [11], such as opening a group
signature correctly.
Opening a signature is inefcient compared with
regular dynamic accumulator based schemes, but it is
acceptable under the condition that OPEN is far less
executed than SIGN and VERIFY, and it is very useful
in some applications where short signature size and
efcient revocation are all important.
8 Acknowledgments
The work reported here was supported by 973 Project of
China (No.2004CB318004), 863 Project of China (No.
2003AA144030) and NSFC90204016.
9 References
1 Chaun, and van Heyst, E.: Group signatures. EUROCRYPT91.
1991, (LNCS, 547), pp. 257265
2 Ateniese, G., Camenisch, J., Joye, M., and Tsudik, G.: A practical
and provably secure coalition-resistant group signature scheme.
CRYPTO00, 2000, (LNCS, 1880), pp. 255270
3 Bellare, M., Shi, H., and Zhang, C.: Foundations of group
signatures: The case of dynamic groups. CT-RSA05. 2005,
(LNCS, 3376), pp. 136153. Full Paper at http://www-cse.ucsd.
edu/~mihir/papers/dgs.html.
4 Kiayias, A., and Yung, M.: Group signatures: Provable security,
efcient constructions and anonymity from trapdoor-holders.
Cryptology ePrint Archive, Report 2004/076, 2004
5 Ateniese, G., and Tsudik, G.: Some open issues and new directions
in group signature schemes. Financial Cryptography99, 1999,
(LNCS, 1648)
6 Bresson, E., and Stern, J.: Efcient revocation in group signatures.
PRC01, 2001, (LNCS, 1992)
7 Ateniese, G., Song, D., and Tsudik, G.: Quasi-efcient revocation
in group signatures. Financial Cryptography02, 2002, (LNCS,
2357)
8 Camenisch, J., and Lysyanskaya, A.: Dynamic accumulators
and application to efcient revocation of anonymous credentials.
CRYPTO02, pp. 6176, (LNCS, 2442)
9 Nguyen, L.: Accumulators from bilinear pairings and applications.
CT-RSA05, 2005, (LNCS, 3376), pp. 275292. A modied version
is available at Cryptology ePrint Archive: Report 2005/123
10 Nguyen, L., and Safavi-Naini, R.: Efcient and provably secure
trapdoor-free group signature schemes from bilinear pairings.
ASIACRYPT04, 2004, (LNCS, 3329), pp. 372386
11 Boneh, D., Boyen, X., and Shacham, H.: Short group signatures.
CRYPTO04, 2004, (LNCS, 3152), pp. 4555
12 Boneh, D., and Boyen, X.: Short signatures without random
oracles. EUROCRYPT04, 2004, (LNCS, 3027), pp. 5673
IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006 151

13 Chen, Z., Wang, J., Wang, Y., Huang, J., and Huang, D.: An
efcient revocation algorithm in group signatures. ICISC03, 2003,
(LNCS, 2971), pp. 339351
10 Appendixes
10.1 Proof of Theorem 1
Proof. Suppose f
1
is not secure, given a randomly
chosen u, polynomial number of (x
i
; w
i
) that
R(x
i
; w
i
; u) = 1, there exist an adversary / to calculate
w
+
that R(x
j
; w
+
; u
/
) = 1, where x
j
is chosen by / from
the queries, and u
/
is a reply from Oracle(f
1
(x
j
; u)).
Then an adversary B of f can be constructed as
follows: run
d
(f; R; u; u
/
; x
i
; x
j
; w
i
) = w
/
i
for all x
i
; i ,= j,
such that R(w
/
i
; x
i
; u
/
) = 1. Let X = x
i
; i ,= j, there exist
u
0
that f(u
0
; X) = u, then (x
j
; w
+
; X) is the output of B,
R(x
j
; w
+
; f(u
0
; X)) = 1 while x
j
= X, a violation of secure
dynamic accumulator f. &
10.2 Security proof of reversed dynamic
accumulator scheme 1
Scheme 4. Let f
1
T
k
be f
1
(u; e) = u
e
mod n; u QR(n);
e A, where n is a product of two safe primes
with length k/2. A = e : e Z
+
n
Primes. Then
f
1
1
(u; e) = u
1=e
mod n is a secure reversed dynamic
accumulator. Witness of e not in u is knowledge of x
that x
e
= u mod n. The trapdoor of factorisation of n,
i.e. aux
f
1
, is known only to the operator of reversed
accumulator.
v Efcient evaluation when trapdoor is known:
f
1
1
(u; X) = u
1
e
1
e
2
:::e
l
; X = e
i
; e
i
A is efcient if p,q are
known.
v Efcient witness: Given u, e and p, q, it is efcient
to calculate w such that w
e
= u mod n by w =
u
e
1
mod (p1)(q1)
modn.
v Discharge: to discharge e
1
from v, computes v
/
=
f
1
1
(v; e
1
) = v
1=e
1
mod n efciently by knowledge of fac-
torisation of n. For a member holding (e
2
; w
2
) where
e
2
,= e
1
and w
2
e
2
= v mod n, new witness w
/
2
is comput-
able by the extended GCD algorithm as described in [8].
v Security: For the discharged or revoked member
holding e
1
; w
1
; w
1
e
1
= v, it is not polynomially comput-
able to get the new witness w
/
1
that w
/
1
e
1
=
v
/
= v
1=e
1
mod n, otherwise strong RSA assumption is
broken.
Proof. Suppose a challenge of strong RSA problem is
y
R
Z
+
n
, simulator of Oracle(1) and Oracle(f
1
1
) is
run as follows: let u = y
P
i
e
i
mod n; i [1; Q[ (Q is the
query number to Oracle(1)), then responds to queries
are (e
i
; w
i
= y
P
k,=i
e
k
) mod n. Adversary may select any
one out of e
i
randomly, suppose it is e
j
, queries
Oracle(f
1
) about e
j
and u, and get the return u
/
=
y
P
i,=j
e
i
mod n. The adversary wins if it can come out w
*
so
that w
+e
j
= u
/
mod n. That is w
+e
j
= y
P
i,=j
e
i
mod n, since
e
i
are different primes, we can compute y =
(y
s
w
+t
)
e
j
mod n, where se
j
tP
i,=j
e
i
= 1. &
10.3 Correctness of UPDATE in Section 4
A
/
i
e
i
= (A
t
i
(a
/
x
i
a
/
0
)
s
)
e
i
= A
i
te
i
(a
/
x
i
a
/
0
)
1te
j
0
= a
/
x
i
a
/
0
[
A
i
e
i
(a
/
x
i
a
/
0
)
e
j
0
[
t
= a
/
x
i
a
/
0
[
A
i
e
i
(a
x
i
a
0
)
[
t
= a
/
x
i
a
/
0
mod n:
10.4 Correctness of UPDATE in Section 6
(a
i
x)S
/
i
=
a
i
x
a
j
0
a
i
[S
i
(x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
1
a
i
x
(x
i
PP
0
) (x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
1
a
i
x
(x
i
(a
j
0
x)P
/
(a
j
0
x)P
/
0
)
(x
i
P
/
P
/
0
)[
=
a
i
x
a
j
0
a
i
[
x
i
(a
j
0
x)
a
i
x
x
i
[P
/

a
i
x
a
j
0
a
i
[
a
j
0
x
a
i
x
1[P
/
0
=x
i
P
/
P
/
0
:
10.5 Proof of Theorem 2
Proof. The security of f
1
2
as a reversed accumulator is
based on the secure reversed accumulator dened as f
1
1
in Scheme 1. Suppose f
1
2
is not secure, we can construct
an adversary /
1
of f
1
1
from adversary /
2
of f
1
2
. Let
a
0
= u, a = a
P
i
e
i
0
mod n; i [1; Q[(Q is the query number
to Oracle
f
2
(1)). Oracle
f
2
(1) responds each query
with (x
i
; A
i
; e
i
). (A
i
=a
x
i
P
j,=i
e
j
0
; e
i
) are returned to the
adversary /
1
as responds of Oracle
f
1
(RW). Suppose f
1
2
is not secure, adversary /
2
successfully computed
(A
+
; x
+
) where A
+e
j
= a
/
x
+
a
/
0
mod n; j
R
[1; Q[, and
(a
/
; a
/
0
) = Oracle(f
1
2
(e
j
; a; a
0
)). Then A
1
wins by output-
ting w
+
= A
+
a
/
0
x
+
P
k,=j
e
k
mod n because w
+e
j
= a
/
0
mod n,
where a
/
0
= a
1=e
j
0
mod n. &
10.6 Proof of Theorem 3
Proof. If a member with certicate and secret key
(A
i
; e
i
; x
i
) is revoked, suppose he can forge a valid
certicate (A
/
; e
/
; x
/
) compatible to the current public
key (a
/
; a
/
0
) where a
/
= a
1=e
i
modn, a
/
0
= a
0
1=e
i
mod n.
Case e
/
,= e
i
: In this case,
A
i
= a
/
x
i
a
/
0
mod n
A
/
e
/
= a
/
x
/
a
/
0
mod n:
It is a contradiction to the unforgeability and coalition
resistance of the original ACJT scheme with public keys
a
/
; a
/
0
[2].
Case e
/
= e
i
: In this case, a forgery is a contradiction to
the based secure reversed dynamic accumulator. &
152 IEE Proc.-Inf. Secur., Vol. 153, No. 4, December 2006