A group signature scheme allows us to anonymously sign a message on behalf of a group. One of important issues in the group signatures is user revocation, and thus lots of revocable group signature (RGS) schemes have been proposed so far. One of the applications suitable to the group signature is privacy-enhancing crowdsensing, where the group signature allows mobile sensing users to be anonymously authenticated to hide the location. In the mobile environment, verifier-local revocation (VLR) type of RGS schemes are suitable, since revocation list (RL) is not needed in the user side. However, in the conventional VLR-RGS schemes, the revocation check in the verifier needs O(R) cryptographic operations for the number R of revoked users. On this background, VLR-RGS schemes with efficient revocation check have been recently proposed, where the revocation check is just (bit-string) matching. However, in the existing schemes, signatures are linkable in the same interval or in the same application-independent task with a public index. The linkability is useful in some scenarios, but users want the unlinkability for the stronger anonymity. In this paper, by introducing a property that at most K unlinkable signatures can be issued by a signer during each interval for a fixed integer K, we propose a VLR-RGS scheme with the revocation token matching. In our scheme, even the signatures during the same interval are unlinkable. Furthermore, since used indexes are hidden, the strong anonymity remains. The overheads are the computational costs of the revocation algorithm and the RL size. We show that the overheads are practical in use cases of crowdsensing.

Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers N, and other costs regarding signers are at most logarithmic in N, is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient compared to previous all scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all scalable schemes are secure under q-type assumptions. We implemented our scheme by employing a Barreto-Lynn-Scott curve of embedding degree 12 over a 455-bit prime field (BLS-12-455), and a Barreto-Naehrig curve of embedding degree 12 over a 382-bit prime field (BN-12-382), respectively, by using the RELIC library. We showed that the online running times of our signing algorithm were approximately 14msec (BLS-12-455) and 11msec (BN-12-382), and those of our verification algorithm were approximately 20msec (BLS-12-455) and 16msec (BN-12-382), respectively. Finally, we showed that our scheme (with a slight extension) is applied to an identity management system proposed by Isshiki et al.

In ID-based user authentications, a privacy problem can occur, since the service provider (SP) can accumulate the user's access history from the user ID. As a solution to that problem, group signatures have been researched. One of important issues in the group signatures is the user revocation. Previously, an efficient revocable scheme with signing/verification of constant complexity was proposed by Libert et al. In this scheme, users are managed by a binary tree, and a list of data for revoked users, called a revocation list (RL), is used for revocation. However, the scheme suffers from the large RL. Recently, an extended scheme has been proposed by Sadiah and Nakanishi, where the RL size is reduced by compressing RL. On the other hand, there is a problem that some overhead occurs in the authentication as a price for reducing the size of RL. In this paper, we propose an extended scheme where the authentication is speeded up by reducing the number of Groth-Sahai (GS) proofs. Furthermore, we implemented it on a PC to show the effectiveness. The verification time is about 30% shorter than that of the previous scheme by Sadiah and Nakanishi.

At EUROCRYPT 2012, Libert, Peters and Yung (LPY) proposed the first scalable revocable group signature (R-GS) scheme in the standard model which achieves constant signing/verification costs and other costs regarding signers are at most logarithmic in N, where N is the maximum number of group members. However, although the LPY R-GS scheme is asymptotically quite efficient, this scheme is not sufficiently efficient in practice. For example, the signature size of the LPY scheme is roughly 10 times larger than that of an RSA signature (for 160-bit security). In this paper, we propose a compact R-GS scheme secure in the random oracle model that is efficient not only in the asymptotic sense but also in practical parameter settings. We achieve the same efficiency as the LPY scheme in an asymptotic sense, and the signature size is nearly equal to that of an RSA signature (for 160-bit security). It is particularly worth noting that our R-GS scheme has the smallest signature size compared to those of previous R-GS schemes which enable constant signing/verification costs. Our technique, which we call parallel Boneh-Boyen-Shacham group signature technique, helps to construct an R-GS scheme without following the technique used in LPY, i.e., we directly apply the Naor-Naor-Lotspiech framework without using any identity-based encryption.

Attribute-based encryption (ABE), a cryptographic primitive, realizes fine-grained access control. Because of its attractive functionality, many systems based on ABE have been constructed to date. In such cryptographic systems, revocation functionality is indispensable to handle withdrawal of users, secret key exposure, and others. Although many ABE schemes with various functionalities have been proposed, only a few of these are revocable ABE (RABE). In this paper, we propose two generic constructions of RABE from ABE. Our first construction employs the pair encoding framework (Attrapadung, EUROCRYPT 2014), and combines identity-based revocation and ABE via the generic conjunctive conversion of Attrapadung and Yamada (CT-RSA 2015). Our second construction converts ABE to RABE directly when ABE supports Boolean formulae. Because our constructions preserve functionalities of the underlying ABE, we can instantiate various fully secure RABE schemes for the first time, e.g., supporting regular languages, with unbounded attribute size and policy structure, and with constant-size ciphertext and secret key.

Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is suitable for data access control on cloud storage systems. In ABE, to revoke users' attributes, it is necessary to make them unable to decrypt ciphertexts. Some CP-ABE schemes for efficient attribute revocation have been proposed. However, they have not been given a formal security proof against a revoked user, that is, whether they satisfy forward secrecy has not been shown or they just do not achieve fine-grained access control of shared data. We propose an attribute revocable attribute-based encryption with the forward secrecy for fine-grained access control of shared data. The proposed scheme can use both “AND” and “OR” policy and is IND-CPA secure under the Decisional Parallel Bilinear Diffie-Hellman Exponent assumption in the standard model.

Internet of Things (IoT) has been widely applied in various fields. IoT data can also be put to cloud, but there are still concerns regarding security and privacy. Ciphertext-Policy Attribute-Based Encryption (CP-ABE) is attracted attention in cloud storage as a suitable encryption scheme for confidential data share and transmission. In CP-ABE, the secret key of a user is associated with a set of attributes; when attributes satisfy the access structure, the ciphertext is able to be decrypted. It is necessary that multiple authorities issue and manage secret keys independently. Authorities that generate the secret key can be regarded as managing the attributes of a user in CP-ABE. CP-ABE schemes that have multiple authorities have been proposed. The other hand, it should consider that a user's operation at the terminals is not necessary when a user drop an attribute and key is updated and the design of the communication system is a simple. In this paper, we propose CP-ABE scheme that have multiple key authorities and can revoke attribute immediately with no updating user's secret key for attribute revocation. In addition, the length of ciphertext is fixed. The proposed scheme is IND-CPA secure in DBDH assumption under the standard model. We compare the proposed scheme and the other CP-ABE schemes and show that the proposed scheme is more suitable for cloud storage.

The application of Intelligent Transport Systems (ITS) transmits data with road-to-vehicle communication (RVC) and inter-vehicle communication (IVC). Digital signature is essential to provide security for RVC and IVC. The public key certificate is used to verify that a public key belongs to an individual prover such as user or terminal. A certificate revocation list (CRL) is used for verifying validity of the public key certificate. A certificate authority (CA) publishes a CRL and distributes it to vehicles. CRL distribution traffic disturbs ITS application traffic because of sharing wireless channel between them. To distribute it on low bit rate will help to ease the disturbance. Although multiplex transmitting is effective in reliable communication, a duplication of received packets is waste of bandwidth as a consequence. This paper proposes a CRL distribution scheme based on random network coding which can reduce duplicate packets. The simulation results show that the number of duplicate packets of the proposed scheme is less than that of a simple error correction (EC)-based scheme and the proposed one can distribute CRL to more vehicles than EC-based ones.

A group signature allows any group member to anonymously sign a message. One of the important issues is an efficient membership revocation. The scheme proposed by Libert et al. has achieved O(1) signature and membership certificate size, O(1) signing and verification times, and O(log N) public key size, where N is the total number of members. However the Revocation List (RL) data is large, due to O(R) signatures in RL, where R is the number of revoked members. The scheme proposed by Nakanishi et al. achieved a compact RL of O(R/T) signatures for any integer T. However, this scheme increases membership certificate size by O(T). In this paper, we extend the scheme proposed by Libert et al., by reducing the RL size to O(R/T) using a vector commitment to compress the revocation entries, while O(1) membership certificate size remains.

Revocation is one of the major problems for access control systems. Especially, the revocation cost for the data outsourced in the third party environment such as cloud storage systems. The revocation in the cloud-based access control typically deals with the cryptographic operations that introduce costly overheads for key re-generation, file re-encryption, and key re-distribution. Also, the communication for retrieving files for re-encryption and loading them back to the cloud is another non-trivial cost for data owners. In this paper, we propose a Very Lightweight Proxy Re-Encryption (VL-PRE) scheme to efficiently support attribute-based revocation and policy update in the collaborative data sharing in cloud computing environment. To this end, we propose three-phase VL-PRE protocol including re-encryption key generation, re-encryption key update, and re-encryption key renewal for supporting the optimized attribute revocation and policy update. Finally, we conduct the experiments to evaluate the performance of our VL-PRE and show that it exhibits less computation cost with higher scalability in comparison with existing PRE schemes.

Radio Frequency Identification (RFID) plays a crucial role in IoT development. With the extensive use of RFID, the fact that a single RFID tag integrates multiple applications has become a mainstream. To facilitate users to use the multi-application RFID tag and revoke some applications in the tag securely and efficiently, a secure RFID application revocation scheme is proposed in this paper. In the scheme, each response for the challenge between tag and reader is different, and a group has the feature of many tags. Even if the group index number and corresponding group are revealed, a specific tag does not be precisely found and tracked. Users are anonymous completely. The scheme also allows users to set the validity period for an application or some applications. If the application contains the validity period and expires, the server will remove the validity period and revoke the application automatically in the tag when the RFID tag accesses server again. The proposed scheme cannot only be used in multi-application RFID tag but also be used in one-application RFID tag. Furthermore, compared with other existing schemes, the scheme provides a higher level of security and has an advantage of performance. Our scheme has the ability of mutual authentication and Anti-replay by adding a random number r2, and it is easy to against synchronization attack. Security proof is given in our paper and performance advantage are mainly reflected in the following points such as forward security, synchronization, storage complexity, computational complexity, etc. Finally, the proposed scheme can be used in multi-application RFID tag to promote the development of the IoT.

Designing secure revocable storage systems for a large number of users in a cloud-based environment is important. Cloud storage systems should allow its users to dynamically join and leave the storage service. Further, the rights of the users to access the data should be changed accordingly. Recently, Liang et al. proposed a cloud-based revocable identity-based proxy re-encryption (CR-IB-PRE) scheme that supports user revocation and delegation of decryption rights. Moreover, to reduce the size of the key update token, they employed a public key broadcast encryption system as a building block. In this paper, we show that the CR-IB-PRE scheme with the reduced key update token size is not secure against collusion attacks.

To overcome the privacy limitations of conventional PKI (Public Key Infrastructure) systems, combinatorial certificate schemes assign each certificate to multiple users so that users can perform anonymous authentication. From a certificate pool of N certificates, each user is given n certificates. If a misbehaving user revokes a certificate, all the other users who share the revoked certificate will also not be able to use it. When an honest user shares a certificate with a misbehaving user and the certificate is revoked by the misbehaving user, the certificate of the honest user is said to be covered. To date, only the analysis for the worst scenario has been conducted; the probability that all n certificates of an honest user are covered when m misbehaving users revoke their certificates is known. The subject of this article is the following question: how many certificates (among n certificates) of an honest user are covered on average when m misbehaving users revoke their certificates? We present the first average-case analysis of the cover probability in combinatorial certificate schemes.

To accomplish secure communication in vehicular networks, public key infrastructure (PKI) can be employed. However, traditional PKI systems are not suitable because a unique certificate is assigned to each vehicle and thus no anonymity is guaranteed. In the combinatorial certificate schemes, each vehicle is assigned multiple certificates from a shared certificate pool and each certificate in the pool is assigned to multiple vehicles to achieve a level of anonymity. When a certificate assigned to a misbehaving vehicle is revoked, a certificate replacement procedure is executed to all vehicles sharing the certificate. To replace the revoked certificate, a randomized certificate replacement scheme probabilistically assigns different certificates to different vehicles, which can reduce collateral damage caused by repeatedly misusing a certificate and its replacement certificates. Unfortunately, previous randomized certificate replacement schemes allow unbounded collateral damage; a finite number of certificate replacements cannot detect the misbehaving vehicle with certainty. To address this problem, we propose a new randomized certificate replacement scheme with bounded collateral damage.

To enhance the privacy of vehicle owners, combinatorial certificate management schemes assign each certificate to a large enough group of vehicles so that it will be difficult to link a certificate to any particular vehicle. When an innocent vehicle shares a certificate with a misbehaving vehicle and the certificate on the misbehaving vehicle has been revoked, the certificate on the innocent vehicle also becomes invalid and is said to be covered. When a group of misbehaving vehicles collectively share all the certificates assigned to an innocent vehicle and these certificates are revoked, the innocent vehicle is said to be covered. We point out that the previous analysis of the vehicle cover probability is not correct and then provide a new and exact analysis of the vehicle cover probability.

A group signature scheme allows a group member to anonymously sign a message on behalf of the group. One of the important issues is the member revocation, and lots of revocable schemes have been proposed so far. A scheme recently proposed by Libert et al. achieves that O(1) or O(log N) efficiency of communication and computation except for the revocation list size (also the revocation cost), for the total number of members N and the number of revoked members R. However, since a signature is required for each subset separated from the set of non-revoked members, the size is about 900R Bytes in the 128-bit security. In the case of R=100,000, it amounts to about 80MB. In this paper, we extend the scheme to reduce the revocation list (also the revocation cost), by accumulating T subsets, which is signed for the revocation list. The revocation list size is reduced by 1/T. Unfortunately, the public key size, membership certificate size and the cost of a witness computation needed for signing increase related to T.

Lots of revocable group signature schemes have been proposed so far. In one type of revocable schemes, signing and/or verifying algorithms have O(N) or O(R) complexity, where N is the group size and R is the number of revoked members. On the other hand, in Camenisch-Lysyanskaya scheme and the followers, signing and verifying algorithms have O(1) complexity. However, before signing, the updates of the secret key are required. The complexity is O(R) in the worst case. In this paper, we propose a revocable scheme with signing and verifying of O(1) complexity, where any update of secret key is not required. The compensation is the long public key of O(N). In addition, we extend it to the scheme with O()-size public key, where signing and verifying have constant extra costs.

In this letter, we improve NF'07 (Nakanishi and Funabiki) VLR group signature scheme such that it satisfies exculpability and has lower computation costs. In the proposed scheme, a group member generates his own private key together with the group manager in order to realize exculpability while the signature size is not made longer. Also, a new revocation check method is proposed at the step of verifying, and the computation costs of verifying are independent of the number of the revoked members, while they are linear with the number of the revoked members in the original scheme. Thus, the proposed scheme is more efficient than the original scheme and can be applicable to mobile environments such as IEEE 802.1x.

Previously Verifier-Local Revocation (VLR) group signature schemes from bilinear maps were proposed. In VLR schemes, only verifiers are involved in the revocation of a member, while signers are not. Thus, the VLR schemes are suitable for mobile environments. Furthermore, the previously proposed schemes satisfy the important backward unlinkability. This means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. This property is needed in case of a voluntary leave of a member or in case of a key loss. However, in the previous schemes, signatures become long, due to the adopted assumption, which should be improved in order to apply the schemes to the mobile environments. In this paper an improved VLR scheme is proposed with the shorter group signatures. This is achieved by using a different assumption, DLDH assumption, and improving zero-knowledge proofs in the group signatures. The length of the proposed group signatures is reduced to about 53% of that of the previous ones.

An approach of membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Thus, since signers have no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, this scheme does not satisfy the backward unlikability. The backward unlinkability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with the backward unlinkability from bilinear maps.