Linking-Based Revocation for Group Signatures: A Pragmatic Approach for Efficient Revocation Checks

  • Daniel Slamanig
  • Raphael Spreitzer
  • Thomas Unterluggauer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10311)


Group signature schemes (GSS) represent an important privacy-enhancing technology. However, their practical applicability is restricted due to inefficiencies of existing membership revocation mechanisms, which often place too large a computational burden and communication overhead on the involved parties. Moreover, it seems that the general belief (or unwritten law) of avoiding online authorities by all means artificially and unnecessarily restricts the efficiency and practicality of revocation mechanisms in GSSs. While a mindset of preventing online authorities might have been appropriate more than 10 years ago, today the availability of highly reliable cloud computing infrastructures could be used to solve open challenges. More specifically, in order to overcome the inefficiencies of existing revocation mechanisms, we propose an alternative approach denoted as linking-based revocation (LBR), which is based on the concept of controllable linkability. The novelty of LBR is its transparency for signers and verifiers, which spares additional computations as well as updates. We therefore introduce dedicated revocation authorities (RAs) that can be contacted for efficient (constant time) revocation checks. In order to protect these RAs and to reduce the trust in involved online authorities, we additionally introduce distributed controllable linkability. Using the latter, RAs cooperate with multiple authorities to compute the required linking information, thus reducing the required trust. Besides efficiency, an appealing benefit of LBR is its generic applicability to pairing-based GSSs secure in the BSZ model as well as GSSs with controllable linkability. This includes the XSGS scheme and the GSSs proposed by Hwang et al., one of which has been standardized in the recent ISO 20008-2 standard.



The authors would like to thank the anonymous reviewers for their valuable comments and suggestions. Daniel Slamanig has been supported by the H2020 project Prismacloud, grant agreement number 644962. Raphael Spreitzer and Thomas Unterluggauer have been supported by the European Commission through the FP7 program under project number 610436 (project MATTHEW).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Daniel Slamanig (1)
  • Raphael Spreitzer (1)
  • Thomas Unterluggauer (1)
  1. IAIK, Graz University of Technology, Graz, Austria
