An 𝑟 -Hiding Revocable Group Signature Scheme: Group Signatures with the Property of Hiding the Number of Revoked Users

If there are many displaced workers in a company, then a person who goes for job hunting might not select this company. That is, the number of members who quit is quite negative information. Similarly, in revocable group signature schemes, if one knows (or guesses) the number of revoked users (say 𝑟 ), then one may guess the reason behind such circumstances, and it may lead to harmful rumors. However, no previous revocation procedure can achieve hiding 𝑟 . In this paper, we propose the first revocable group signature scheme, where 𝑟 is kept hidden, which we call 𝑟 -hiding revocable group signature. To handle this property, we newly define the security notion called anonymity with respect to the revocation which guarantees the unlinkability of revoked users.


Introduction
Imagine that there are many users who have stopped using a service. If this fact is published, then how would the newcomers feel about this? One may guess the reason behind such circumstances and may judge that those users did not find the service attractive or that the service fee is expensive. The same thing may occur in other cases; for example, if there are many displaced workers in a company, then a person who goes for job hunting might not select this company. For example, the person might imagine there are many problematic employees in this company or might imagine the labor environment may not be good. That is, the number of members who quit is quite negative information.
Group Signature. Many cryptographic attempts for the revocation of rights of users have been considered so far. In this paper, we mainly focus on group signature. The concept of group signature was investigated by Chaum and van Heyst [1]. A typical usage of group signature is described as follows. The group manager (GM) issues a membership certificate to a signer. A signer makes a group signature by using their own membership certificate and sends it (with a signed message) to a verifier. The verifier anonymously verifies whether a signer is a member of a group or not. That is, the verifier checks the possession of a membership certificate without the signer revealing their identity. In order to handle some special cases (e.g., an anonymous signer behaves maliciously), GM can identify the actual signer through the open procedure. Since verifiers do not have to identify individual signers, group signature is a useful and powerful tool for protecting signers' privacy.
As additional functionality of group signature, anonymity revocation has been introduced [2][3][4][5][6][7][8][9][10][11], where no revoked users can make a valid group signature or revoked users can be publicly detected even if they try to make a group signature. (Since a long RSA modulus might lead to certain inefficiency aspects (e.g., long signatures, heavy complexity costs, and so on), we exclude RSA-based revocable group signatures (e.g., [12,13]) in this paper.) However, the number of revoked users (say ) is revealed in all previous revocable group signature schemes. As mentioned previously, the number of revoked users  is quite negative information. Next, we introduce applications of revocable group signature for outsourcing businesses [14] and biometric authentication [15] as concrete examples, where revealing  may lead to harmful rumors.

Concrete Example 1 (identity management).
In this application, presented in [14], there are four entities: a user, outsourcee, opening manager (OM), and revocation manager (RM). Let outsourcee be in charge of providing the service to legitimate users. When a user requests the service, the user makes a group signature and sends it to outsourcee. Due to anonymity of the underlying group signature scheme, outsourcee does not have to identify individual users (protecting users' privacy). One important thing is that outsourcee does not have to manage a list of identities of users. That is, the risk of leaking user information (i.e., the user list) can be minimized, and this is the merit of using group signature in identity management. After a certain interval, for charging a service fee, OM detects a user by using the opening procedure of group signature. If a user does not pay a fee (or when a user wants to leave the service), then OM announces the identity of this user to RM, and RM revokes this user from the system. In this system, if  is revealed, then one may think that there might be many dropout users who have stopped using the service; that is, this service may not be interesting, or they have not paid the service fee, namely, the service fee may be expensive, and so on. That is, "revealing " may lead to harmful rumors.

Concrete Example 2 (biometric authentication).
In this application, presented in [15], there are four entities: a human user, a sensor client, a card issuer, and a service provider. A human user authenticates himself/herself to the service provider by using his/her biometric data preserved on a plastic card. A card issuer (with a group master secret key) issues a card to a human user which contains a signing key and his/her biometric data. Moreover, the card issuer can revoke users if malicious behavior occurs or a user loses his/her card. A sensor client extracts the human user's biometric trait (e.g., iris is used in [15]) and communicates with the service provider, so that the user will be authenticated by the service provider. The service provider verifies a group signature and provides a service (e.g., opens a door) if the signature is valid. Due to anonymity, the service provider does not identify who the user is, even though sensitive biometric information is handled. In this system, if someone knows  in this application, they may think that there might be many malicious behaviors, or there might be many lost cards; that is, good management may deteriorate, and so on. That is, "revealing " may lead to harmful rumors.
Our Target. So, our main target is to propose a revocable group signature scheme with the property of hiding the number of revoked users , which we call -hiding revocable group signature. Then, we need to investigate the methodology for achieving the following.
(1) The size of any value does not depend on .
(2) The costs of any algorithm do not depend on , except the revocation algorithm executed by GM.
In particular, if revoked users are linkable, then anyone can guess (i.e., not exactly obtain)  by linking and counting revoked users. Although we assume that an adversary can obtain a polynomial (in the security parameter) number of group signatures, this assumption is not unreasonable (actually, the adversary is allowed to access the signing oracle polynomially many times). In addition,  is also a polynomial-size value. That is, this guessing attack works given that revoked users are linkable. However, no previous revocable group signature scheme satisfying all requirements above has been proposed. For example, in revocable group signatures [2,4,11] (which are based on updating the group public values, e.g., using accumulators), either the size of the public value or the costs of updating the membership certificate depend on . Nakanishi et al. [6] proposed a novel technique of group signature, where no costs of the GSign algorithm (or the Verify algorithm also) depend on . However, their methodology requires that  signatures are published to make a group signature, and therefore  is revealed. Recently, Libert-Peters-Yung proposed two scalable group signature schemes [7,8] by applying the Naor-Naor-Lotspeich (NNL) broadcast encryption framework [16]. However, at least one cost depends on  (e.g., a ()-size revocation list is required for signing in [7,8] (of subset difference variant) and a ( log(/))-size revocation list is required for signing in [8] (of complete subtree variant), and  (the number of users) are publicly available). Therefore,  is revealed. In [3,5,10,17,18] (which are verifier-local revocation (VLR) type group signature schemes), revoked users are linkable. In this case, anyone can guess  by executing the verification procedure. For the sake of clarity, we introduce the Nakanishi-Funabiki methodology [10] as follows: let RL = {ℎ  1 , ℎ  2 , . . ., ℎ   } be the revocation list, where   is the secret value of revoked user   . Note that, by adding dummy values, we can easily expand the size of the revocation list |RL|. So, we can assume that  is not revealed from the size of RL, but  is revealed (or rather, guessed) as follows. Each group signature  (made by   ) contains    + and ℎ  for some random  and some group elements  and ℎ. If   has been revoked, then there exists ℎ   such that (   + , ℎ) = (ℎ   ℎ  , ) holds. By counting such , one can easily guess  even if RL is expanded by dummy values. Since each value in RL is linked to a user (i.e., ℎ   is linked to   ), even if the values in RL are randomized (e.g., (ℎ   )   for some random   ), this connection between a user and a value in RL is still effective. So, one can easily guess  even if RL is randomized.
From the above considerations, no previous revocation procedure can be applied for hiding . One solution has been proposed in [19], where only the designated verifier can verify the signature. By preventing third parties from verifying the signature,  is not revealed from the viewpoint of a third party. However, this scheme (called anonymous designated verifier signature) is not publicly verifiable and is not a group signature any longer. Next, as another methodology, we may consider multigroup signatures [20,21] with two groups (valid user group and revoked user group). However, this attempt does not work, since each user is given his/her membership certificate (corresponding to the group he/she belongs to) in the initial setup phase, and the revocation procedure is executed after the setup phase.
Our Contribution. In this paper, we propose the first hiding revocable group signature scheme in the random oracle model by applying attribute-based group signature (ABGS) [22][23][24][25]. By considering two attributes, (1) valid group user and (2) the user's identity, we can realize the property of hiding . To handle this property, we newly define the security notion called anonymity with respect to the revocation. As the main difference between our anonymity definition and previous ones, to guarantee the unlinkability of revoked users, A can issue the revocation queries against the challenge users. Our scheme is secure under the computational Diffie-Hellman (CDH) assumption, the decision Diffie-Hellman (DDH) assumption over a bilinear group (i.e., the external Diffie-Hellman (XDH) assumption), the decision linear (DLIN) assumption, the hidden strong Diffie-Hellman (HSDH) assumption, and the -strong Diffie-Hellman (SDH) assumption, in the random oracle model. We apply the Boldyreva multisignature scheme [26] to revoke each user.
Related Work. There were several security definitions of group signatures until the Bellare-Micciancio-Warinschi work [27], which we call the BMW model. They showed that full-anonymity and full-traceability are enough to capture all security requirements that appeared before their work. Bellare et al. [28] extended the BMW model, which we call the BSZ model, to handle the dynamic group setting, where a user can join the system even after the system setup phase. Later, Sakai et al. [29] further extended the BSZ model for preventing signature hijacking. Independently, Kiayias and Yung also gave a formal definition with dynamic join [30,31], and Libert et al. [7,8] extended the KY model to revocable group signature.
Efficient group signature schemes have been proposed in the random oracle model [2,4,32] and in the standard model [5,33,34]. Technically, (honest verifier) zero knowledge proofs of knowledge and the Fiat-Shamir heuristic [35] are mainly applied for constructing group signatures in the random oracle model, and Groth-Sahai proofs [36] and structure-preserving signatures [37] are mainly applied for constructing group signatures in the standard model. Though the above schemes are constructed over bilinear groups, lattice-based group signature schemes have also been proposed [38][39][40]. Usually, encryption schemes are applied for implementing the open algorithm; however, encryption-free group signature schemes have been proposed in [41,42].
As group signatures with an additional functionality, a new open functionality, which we call message-dependent opening, has been proposed in [43][44][45], where a signed-message-dependent token is generated by an authority called the admitter, and an opener who has the opening key can open the group signatures using the corresponding token. Forward secure group signature schemes have been proposed [46][47][48][49], where users can update their secret signing key periodically, and group signatures made by the secret keys of previous periods remain secure even if a secret key is exposed. Revocable group signature schemes with backward unlinkability have been proposed [5,9,10,18], where even after a user is revoked, group signatures made by this user before the revocation remain anonymous. An identity-based analogue of group signature has also been proposed in [50,51].
As feasibility results, a group signature secure in the BMW model implies CCA-secure public key encryption (PKE) [52,53], and a group signature secure in the Sakai et al. model implies PKENO [54], where PKENO stands for public key encryption with noninteractive opening [55]. Moreover, a group signature with message-dependent opening implies identity-based encryption [44].

Preliminaries
In this section, we give definitions of bilinear groups and complexity assumptions and introduce cryptographic tools which are applied in our construction. Let PPT mean probabilistic polynomial time, and let  $ ←  mean that an element  is chosen uniformly at random from a set .

Other Cryptographic Tools.
In this section, we introduce the cryptographic tools applied in our construction.
BBS+ Signature [2,6,32,57]. Let  be the number of signed messages and let (G 1 , G 2 , G  ) be a bilinear group. Select  ) . For a signature (, , ), the verification algorithm outputs 1 if (, Ωℎ  ) = ( The BBS+ signature scheme satisfies existential unforgeability against chosen message attack (EUF-CMA) under the -SDH assumption. (First, an adversary A is given vk from the challenger C. Then A sends messages to C and obtains the corresponding signatures. Finally, A outputs a message/signature pair ( * ,  * ). We say that A wins if ( * ,  * ) is valid and A has not sent  * as a signing query. The EUF-CMA security guarantees that the probability Pr[A wins] is negligible.)

Linear Encryption [2].

Signature Based on Proof of Knowledge. In our group signature, we apply the conversion of the underlying interactive zero knowledge (ZK) proof into a noninteractive ZK (NIZK) proof by applying the Fiat-Shamir heuristic [35]. We describe such a converted signature based on proof of knowledge (SPK) as SPK{ : (, ) ∈ }(), where  is the knowledge to be proved,  is a relation (e.g.,  =   in the case of the knowledge of a discrete logarithm), and  is a signed message. The SPK has an extractor of the proved knowledge from two accepting protocol views whose commitments are the same but challenges are different.
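The SPK described above, as an added example that is not from the paper: a Schnorr-style SPK for the discrete-logarithm relation y = g^α over a prime-order subgroup, made noninteractive with the Fiat-Shamir heuristic, together with the extractor that recovers α from two accepting views sharing a commitment but having different challenges. The group parameters (a toy safe-prime subgroup searched at import time), the hash-to-challenge encoding and all function names are assumptions of this example.

```python
"""Added example: SPK{alpha : y = g^alpha}(m) via Fiat-Shamir, plus the extractor."""
import hashlib
import secrets


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (probabilistic)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128):
    """Toy parameters constructed for this example (too small for real use):
    p = 2q + 1 with p, q prime; g = 4 generates the order-q subgroup of Z_p^*."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def challenge(y, t, m):
    """Fiat-Shamir: the verifier's random challenge is replaced by a hash of the
    statement y, the commitment t and the signed message m, reduced mod q."""
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, t)) + b"|" + m
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def response(x, r, c):
    """Prover's answer to challenge c when the commitment was t = g^r."""
    return (r + c * x) % Q


def transcript_accepts(y, t, c, s):
    """Interactive verifier's check of a view (t, c, s): g^s == t * y^c."""
    return pow(G, s, P) == t * pow(y, c, P) % P


def spk_sign(x, m):
    """Produce SPK{alpha : y = g^alpha}(m) for witness x; returns (t, s)."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    return t, response(x, r, challenge(y, t, m))


def spk_verify(y, m, sig):
    """Recompute the challenge from (y, t, m) and run the interactive check."""
    t, s = sig
    return transcript_accepts(y, t, challenge(y, t, m), s)


def extract(t, c1, s1, c2, s2):
    """Knowledge extractor: two accepting views with the same commitment t but
    different challenges give s1 - s2 = (c1 - c2) * x mod q, so x is recovered."""
    assert c1 != c2
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q
```

The extractor is exactly the rewinding step used in security proofs: a forger that answers two different challenges for one commitment leaks the witness, which is why a fresh r per signature is mandatory.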

Definitions of Group Signature with the Property of Hiding the Number of Revoked Users
Here, we define the syntax of revocable group signature and security requirements (anonymity with respect to the revocation and traceability) by adapting [6]. Note that our definition follows the static group setting as in the BMW model [27], but we can easily handle the dynamic group setting as in the BSZ model [28] (and nonframeability) by adding an interactive join algorithm.
Setup. This probabilistic setup algorithm takes as input the security parameter 1  and returns public parameters params.
In the Revoke algorithm, we set RL 0 = 0 and assume that the nonrevoked users in  are { 1 , . . .,   } \ RL  . Under this setting, boomerang users (who rejoin the group) are supported (i.e.,   such that   ∈ RL −1 and   ∉ RL  ). In addition, if an invalid pair (, ) is input to the Open algorithm, then the Open algorithm easily detects this fact by using the Verify algorithm. So, we exclude this case from the definition of the Open algorithm.
Next, we define anonymity with respect to the revocation and traceability. As the main difference between our anonymity definition and previous ones, A can issue the revocation queries against the challenge users in order to guarantee the unlinkability of revoked users. Note that we do not consider CCA-anonymity, where an adversary A can issue open queries. So, we handle only CPA-anonymity [2] in this paper. However, as mentioned by Boneh et al. [2], CCA-anonymity can be handled by applying a CCA-secure public key encryption scheme for implementing the open algorithm.

Definition 9 (anonymity with respect to the revocation).
Setup. The challenger C runs the Setup algorithm and the KeyGen algorithm and obtains params, gpk, msk, and all {usk  }  =1 . C gives params and gpk to A and sets  = 0, RU 0 = 0, and CU = 0, where RU 0 denotes the (initial) set of IDs of revoked users and CU denotes the set of IDs of corrupted users.
Queries. A can issue the following queries.
Queries. These are the same as the previous ones (note that no corruption query for the challenge users is allowed).
We say that anonymity holds if, for all PPT adversaries A, the advantage is negligible.
There are two types of revocable group signature: (1) any user can make a valid group signature, but anyone can check whether a signer has been revoked or not [3,5,10,17], or (2) no revoked user can make a valid group signature without breaking traceability [2,4,6,11]. We implicitly require the second type of revocable group signature, since clearly anonymity is broken if one of the challenge users is revoked in a first-type scheme. We also require that the challenger C (that has msk) can break traceability to compute the challenge group signature  * for the case that a challenge user is revoked. Note that since msk is used for generating users' secret keys, obviously any entity with msk can make an "untraceable" group signature, and this fact does not detract from the security of our group signature.
One may think that the above anonymity definition can be extended so that A can issue the corruption query against the challenge users as in full-anonymity [27]. It might be desired that  is not revealed even if revoked users reveal their secret signing keys, since their signing keys are already meaningless (i.e., the rights of signing have expired). For example, if users are revoked against their intention (e.g., a user has not paid in the outsourcing businesses example [14]), then users might reveal their secret signing keys to compromise the system. Or, even if users are revoked by their own intention (e.g., they feel that this service is not interesting in the outsourcing businesses example), they might reveal their secret signing keys as a crime for pleasure. However, even if  is kept hidden when revoked users reveal their secret signing keys, one can easily guess  by counting the number of revealed secret keys. So, in our opinion, such a secret-key-leakage-resilience property is too strong, and therefore our proposed group signature does not follow this leakage property.
Next, we define traceability.
Setup. The challenger C runs the Setup algorithm and the KeyGen algorithm and obtains params, gpk, msk, and all {usk  }  =1 . C gives params and gpk to A and sets  = 0, RU 0 = 0, and CU = 0, where RU 0 denotes the (initial) set of IDs of revoked users and CU denotes the set of IDs of corrupted users.
Queries. A can issue the following queries.

We say that traceability holds if, for all PPT adversaries A, the advantage is negligible.

Proposed Group Signature Scheme with Hiding of the Number of Revoked Users
In this section, we propose an -hiding revocable group signature scheme by applying ABGS. Before explaining our scheme, we introduce ABGS as follows.
Attribute-Based Group Signature (ABGS). ABGS [22][23][24][25][58] is a kind of group signature, where a user with a set of attributes can prove anonymously whether he/she has these attributes or not. Anonymity means a verifier cannot identify who the actual signer is among group members. As a difference from attribute-based signature (ABS) [59][60][61][62][63][64][65][66][67][68], there is an opening manager (as in group signatures) who can identify the actual signer (anonymity revocation), and a verifier can "explicitly" verify whether a user has these attributes or not [22,24,25]. By applying this explicit attribute verification, an anonymous survey for the collection of attribute statistics has been proposed [22]. As one exception, the Fujii et al. ABGS scheme [23] achieves signer-attribute privacy (as in ABS), where a group signature does not leak which attributes were used to generate it, except that the assigned attributes satisfy a predicate. As another property (applied in our construction), the dynamic property has been proposed in [22], where the attribute predicate can be updated without reissuing the users' secret keys.
Our Methodology. We consider two attributes, (1) valid group user and (2) the user's identity (say   ), and apply the dynamic property of ABGS [22] and the signer-attribute privacy of ABGS [23]. Here we explain our methodology. Let the initial access tree be represented as in Figure 1.
Due to the signer-attribute privacy, a user   can anonymously prove that he/she has the attributes "valid group user" and "  ." Namely, anyone can verify whether the signer's attributes satisfy the access tree, without learning the actual attribute (i.e., the user's identity).
When a user (say  1 ) is revoked, the tree structure is changed as in Figure 2.
Due to the dynamic property of ABGS, this modification can be done without reissuing the users' secret keys. By removing the attribute "valid group user" from the subtree of  1 , we can express the revocation of  1 , since  1 cannot prove that his/her attributes satisfy the current access tree.
In addition, we propose randomization and dummy attribute techniques to implement the revocation procedure (Figure 3). We apply the Boldyreva multisignature scheme [26], since it is applied for the computation of the membership certificate in the Fujii et al. ABGS. Let  be the time interval and let V denote the attribute "valid group user." For a nonrevoked user   , GM publishes the dummy value and   's secret key   =      1 . Let   be revoked in the time interval  + 1. Then, GM publishes a randomized dummy value ), and therefore,   cannot compute  ( V,+1, +  )  due to the CDH assumption.

Note that (𝑔 ) and ( ) are indistinguishable under the XDH assumption, where the DDH , ). This is our main idea for preventing the number of revoked users  from being revealed.
Next, we give our group signature scheme.
GSign(,   , , T  ). Let   be a nonrevoked user in the current time interval .
Next, we explain the relations proved in SPK  which proves the following three things.
(i) ( ,1 ,  ,2 ) can be verified by using the public value Ω 1 such that
(ii) Since  ,1 (resp.,  ,2 ) is hidden such that  1 =  ,1 g 1 (resp.,  2 =  ,2 h 2 ), this relation is represented as
(iii) We need to guarantee the relation  = − 1  2 in the relation above. To prove this, introduce an intermediate value  =  2  6 +  7 and prove that
(2) A signer has not been revoked. 1 )   from   and  ,, , where  ,, is a signed message of  , . These satisfy the following relations:
(3) A value for the Open algorithm is included in .
In our scheme, no public values have size dependent on , and no costs of the GSign algorithm (or the Verify algorithm) depend on  or . In addition, our scheme satisfies anonymity with respect to the revocation, which guarantees the unlinkability of revoked users. So, in our scheme, no  is revealed.

Security Analysis
Theorem 11. The proposed group signature scheme satisfies anonymity with respect to the revocation under the DLIN assumption and the XDH assumption in the random oracle model.
Proof. This proof contains three games, Games 0, 1, and 2. Game 0 is the same as the anonymity game. In Game 1, all  ,, where  ∈ [1, ] is randomly chosen. Let A 1 be the adversary who breaks anonymity with respect to the revocation of our

2 𝑋 2 3.
1 , and  3 = V  2 . can be decrypted as  =  1 /  1  The linear encryption is IND-CPA secure under the DLIN assumption. (First, an adversary A is given pk from the challenger C. Then A sends the challenge message ( * 0 ,  * 1 ) to C, and C chooses  $ ← {0, 1} and computes the challenge ciphertext  * which is a ciphertext of  *  . A is given  * and outputs a bit   . The IND-CPA security guarantees that |Pr[ =   ] − 1/2| is negligible.)

Figure 3: Our randomization and dummy attribute technique.
Signing. A can request a group signature on a message  for a user   where ID  ∉ CU. C runs  ← GSign(gpk, usk  , , T  ), where T  is the current revocation-dependent value, and gives  to A.
Corruption. A can request the secret key of a user   . C adds ID  to CU and gives usk  to A.
Challenge. A sends a message  * and two users   0 and   1 , where ID  0 , ID  1 ∉ CU. C chooses a bit  ← {0,1} and runs  * ← GSign(gpk, usk   ,  * , T  * ), where T  * is the current revocation-dependent value, and gives  * to A.
GSigning. A can request a group signature on a message  for a user   where ID  ∉ CU. C runs  ← GSign(gpk, usk  , , T  ), where T  is the current revocation-dependent value, and gives  to A.
Corruption. A can request the secret key of a user   . C adds ID  to CU and gives usk  to A.
Opening. A can request the opening of a group signature  on a message . C returns the result of Open(msk, , ) to A.
Output. A outputs a past interval  * ≤  for the current interval , and ( * ,  * ). * ,  * , T  * ) = 1, (2) A did not obtain  * by making a signing query at  * , (3) for ID  * ← Open(msk,  * ,  * ), ID  * ∉ CU, (4) for ID  * ← Open(msk,  * ,  * ), ID  * ∈ RU  * .
holds in G 1 . So, no one can decide whether   is a revoked user or not by observing either ( assumption