Dynamic group fuzzy extractor

The group fuzzy extractor allows group users to extract and reproduce group cryptographic keys from their individual non-uniform random sources. It can be easily used in group-oriented cryptographic applications. However, current group fuzzy extractors are not dynamic, i.e. they spend a large cost when dealing with user revocation. In this work, we propose the formal definition and construction of dynamic group fuzzy extractor (DGFE) to address this issue. For the revocation, DGFE allows unrevoked group users to reproduce updated group keys from the existing group help data. Meanwhile, it prevents any revoked group user from generating new group keys using the previously authorized individual help data. We propose a DGFE construction based on the revocable group signature. Furthermore, we give formal proofs of reusability, anonymity and traceability of our construction.


Introduction
The fuzzy extractor, initially introduced by Dodis et al. (2008), is a primitive that serves to derive almost random strings from sources with high entropy, like iris (Daugman 2009), face (Parkhi et al. 2015), fingerprint (Marasco and Ross 2014), physically unclonable functions (Suh and Devadas 2007), etc.These sources inherently contain noise, causing two samples from the same source to be close in a certain distance metric but not identical.The fuzzy extractor is proposed to address this noise and consistently generate stable random strings.It comprises two core algorithms: the generation (Gen) and the reproduction (Rep).The Gen algorithm is responsible for extracting an almost random string from the source sample, while the Rep algorithm reproduces this string when given another similar sample.
Fuzzy extractors offer a secure method for extracting stable cryptographic keys without the requirement for private key storage.They present a promising solution for personal key management, enabling users to generate and reproduce the same cryptographic key from their biometric sources.Nevertheless, this solution is not well-suited for the growing popularity of group-oriented applications, including multipoint multimedia online conferences, multiplayer games, cloud file editors, etc.In group-oriented scenarios, users should also have the capability to manage a series of group keys in addition to their personal keys.
Recently, Ma et al. introduced the concept of group fuzzy extractors (GFE) (Ma et al. 2023), aiming at extending the functionality of fuzzy extractors to the group settings.In GFE, any user within the group has the capability to independently and anonymously derive a random string, denoted as R, from his biometric sample.This string R serves as a group key, which can be reproduced by any user within the group.A group manager (GM) is responsible for managing user enrollments and distributing users' individual help data IPs.By hiding the sensitive information in IPs and group help data P, GFE eliminates the necessity of secure key storage for all group users.Furthermore, GM can trace the user who generates R from the corresponding P.However, the GFE scheme (Ma et al. 2023) encounters the challenge of not supporting user revocation.This presents a substantial security concern for the GFE scheme.A revoked user can still generate and reproduce group keys by utilizing his previously authorized individual help data.While straightforward methods, such as system re-initialization and re-registration of all legal users by GFE scheme (Ma et al. 2023), can deal with this problem, this method introduces substantial computation and communication overheads and renders the existing help data and group keys invalid.In summary, the primary challenge that needs to be addressed is: How can we define and construct a dynamic group fuzzy extractor that supports user revocation at a lower cost?
Our contributions Addressing the above-mentioned problem of user revocation in the group fuzzy extractor, we propose the concept of Dynamic Group Fuzzy Extractor (DGFE).The general idea of DGFE is simply outlined as following: we use the increment of time epoch to mark the event of user revocation.When a user intends to leave the group, the time epoch will increase by one and a revocation list will be computed at the beginning of the new time epoch.To prevent the revoked user from reproducing new group keys using their previous individual help data, DGFE will implicitly refresh all group keys by a modification of the group secret when the time epoch increases.As a result, unrevoked users can still reproduce the correct group keys, whereas revoked users can only reproduce outdated keys that are no longer valid. 1  Concretely, the contributions are outlined as follows.
• We propose the formal definition of dynamic group fuzzy extractor (DGFE), extending the functionalities of the group fuzzy extractor (GFE) (Ma et al. 2023) with dynamic group user revocation.Compared to GFE (Ma et al. 2023), DGFE introduces a new primitive: User Revocation, which allows the unrevoked users in the group to reproduce updated group keys from the existing group help data.Meanwhile, it prevents the revoked users from generating new group keys by utilizing their outdated individual help data.
The main functionality of user revocation is depicted in Fig. 4. Importantly, the anonymity of users is guaranteed in DGFE, except when the group manager employs the Trace algorithm to revoke the anonymity.Furthermore, we improve security definitions of reusability, traceability, and anonymity for the GFE scheme to accommodate user revocation events.• We propose a construction of dynamic group fuzzy extractor incorporating a revocable group signature (RGS) scheme and the concept of time epochs dur-ing which users' joining and revocation events occur, to facilitate the management of the group dynamics.After evaluating various RGS schemes with their pros and cons from complexity and security perspective (as outlined in Sect.2.3), we find LPY12-RGS scheme (Libert et al. 2012) is most suitable for DGFE construction.Besides, we provide a complexity analysis of various DGFE constructions in Sect.5.4.Furthermore, to protect the privacy of users' sensitive biometric information and sensitive group secrets and achieve the reusability, we incorporate public key encryption with private-key-shift security into our DGFE construction.Finally, we give a formal proof of reusability, traceability, and anonymity for our DGFE scheme.• We introduce sensitive group file sharing as the typical application scenario for DGFE construction.
Besides, we show how to construct group file sharing system with DGFE schemes.

Outline
This paper is organized as follows.In Sect.2, we summarize the related work of fuzzy extractors, group fuzzy extractors and group signatures.In Sect.3, we give preliminaries of this work.In Sect.4, we present formal definition and security properties of DGFE.In Sect.5, we give the construction of DGFE, and present formal security proofs and a complexity analysis for DGFE construction.In Sect.6, we use DGFE to construct a group file sharing system to illustrate the potential application of DGFE schemes.In Sect.7, we conclude the paper and discuss the future work.

Fuzzy extractor
A fuzzy extractor serves to derive an almost random string from the noisy source.It consists of the generation procedure Gen and the reproduction procedure Rep.
Gen takes a sample w, and extracted a string R with a public help data P. Rep takes another sample w ′ and the help data P as inputs, reproduces R if w and w ′ are suffi- ciently similar.The idea of fuzzy extractors was first proposed by Dodis et al. (2008) in the information-theoretic security.It indicates that the statistical distance between the distribution of extracted strings and a uniform distribution is negligible.Then Boyen (2004) extended the security definition to reusable fuzzy extractors, which means the adversary can additionally get information of help data generated by adversary-chosen shifted source samples.Fuller et al. (2013) proposed a computational fuzzy extractor with a much longer output random string length, although their security definition was relaxed to 1 DGFE scheme does support users' joining, just as GFE (Ma et al. 2023) does.A newly joined group user can reproduce all existing group keys with his individual help data and generate (R, P) pairs.computational indistinguishability. Later, many works studied reusability and robustness (Canetti et al. 2016;Wen et al. 2018Wen et al. , 2019) ) in the computational setting.
Reusable fuzzy extractor indicates that even if the adversary gets a series of (R, P) pairs generated from samples of the same source, he cannot distinguish the specific R * from a uniform distribution.Robust fuzzy extractor considers active adversaries and indicates that Rep is able to detect any modification of the public help data P and output a rejection symbol ⊥.

Group fuzzy extractor
With the ever-changing group-oriented application scenarios, Ma et al. (2023) proposed group fuzzy extractor (GFE).Shown as Fig. 1, every group user can extract group keys from the individual noisy source and reproduce group keys from group help data which are generated by arbitrary group users.GFE relies on a role of group manager (GM) to take responsibility for user joining and group secret distribution.A GFE scheme consists of five algorithms: (1) Setup is for system initialization and GM registration.
(2) Join is for users joining under the control of GM.
(3) Gen is for users generating the group key R and group help data P. (4) Rep is for users or GM reproducing the group key R. (5) Trace is for GM tracing the generator's identity of a group help data P. Besides, authors (Ma et al. 2023) designed a groupshared Bitcoin wallet based on GFE.In the Bitcoin wallet scenario, group keys are regarded as private keys for computing wallet addresses to receive coins.By using GFE, users do not need to manage the private keys and store them in private storage.The anonymity of the transfer records is guaranteed, while GM can revoke the anonymity and trace the coin receiver or consumer.Differing from their application of a group-shared Bitcoin wallet (Ma et al. 2023), we introduce a new scenario of group file sharing to exemplify the application of DGFE.In this setting, files are encrypted by extracted group keys.In case of user revocation, group keys are updated and new files are encrypted by new keys which revoked users cannot derive anymore.In Sec. 6, we will present a group file sharing system based on our DGFE scheme.

Group signtures
The group signature (GS) is a crucial primitive being used to construct for GFE (Ma et al. 2023).It provides the anonymity for users in GFE.Gen phase and group identity verification for users in GFE.Rep phase.Furthermore, GM can trace the generator of a group help data P by opening the group signature in P. In this subsection, we present a brief review of group signatures.Chaum and Van Heyst (1991) proposed the concept of group signatures with following properties: (1) only group members can sign the messages; (2) the receiver can verify the signature but cannot discover the signer; (3) the signature can be opened to reveal the signer in some cases.They proposed four concrete group signature schemes that satisfied above properties.Early works of group signature (Ateniese and Tsudik 1999;Chen and Pedersen 1994;Ateniese et al. 2000) proposed various requirements of unforgeability, anonymity, unlinkability, exculpability, traceability, etc.However, these definitions are informal and partially overlapped in their precise meanings.Bellare et al. (2003) summarized all existing requirements and proposed two core properties of group signatures: full-anonymity and full-traceability.They also discussed the implication between the above requirements and their newly defined properties.However, the group membership is assumed to be static in Bellare et al. (2003), which is not suitable for the practice group applications with membership modification.Bellare et al. (2005) presented a GS scheme with dynamic joining function.How to efficiently fulfill user revocation is a challenge for GS when considering dynamic groups and attracts researchers' interest.Bresson and Stern (2001) proposed the first revocable group signature scheme using a group signature scheme of Camenisch and Stadler (1997).Bresson and Stern (2001) and Camenisch and Stadler (1997) relied on the notion of signature of knowledge (SoK) that the signer proves he/she knows a secret value related to the group membership without leaking the sensitive information when signing the signature.Since the proof is efficient both in the signing and verification phases, the non-revocable group signature in Camenisch and Stadler (1997) is efficient.However, Bresson and Stern (2001) realized revocation by collecting the public part of revoked users in a revocation list (RL) and the signer additionally proves that his/her membership is not in the RL.The computation cost of the signing and verification is linear in the size of the RL.Nakanishi et al. (2009) proposed a revocable group signature scheme with constant computation cost but the public key size will be O( √ N ) , where N is the number of group users.Most of SoK based group signatures (Bresson and Stern 2001;Camenisch and Stadler 1997;Nakanishi et al. 2009;Boneh and Shacham 2004) are designed in the random oracle model.Libert et al. (2012) proposed a revocable group signature that offers high efficiency in the computation cost of signing, verifying, and revocation and low storage cost of parameters in the standard model.Due to the outstanding performance of their work, it is used as a primitive in our DGFE.
In above GS schemes, the RL is used both in signing and verification phases.Besides that, researchers have discussed verifier-local revocation GS (VLR-GS) schemes that the RL is only sent to the verifier (Boneh and Shacham 2004;Libert and Vergnaud 2009;Nakanishi and Funabiki 2005).In the VLR-GS, an additional revocation check is executed in the verification.The verifier has to traverse the entire revocation list to confirm that the signer is not revoked.This leads to an extra computation cost.Recent works (Kumar et al. 2015;Rahaman et al. 2017) focused on reducing the computational complexity of VLR-GS.However, an additional limitation of the VLR-GS technique relates to the security aspect of selfless-anonymity.Most VLR-GS satisfy a weakened anonymity security that the adversary is not allowed to query the signing keys of the challenged group users when she queries the corruption oracle.
Another technical approach of RGS is based on accumulators (Helleseth 1994).When users revoke, each unrevoked user updates their secret signing keys with an accumulation of all the revocation information for revoked users.The computation cost of key updating is O(V) both for the unrevoked users and GM in Boneh et al. (2004); Camenisch and Groth (2004); Camenisch et al. (2009), where V denotes the maximum number of revoked users.Fan et al. (2011) reduced the computation cost of key updating for users by pre-calculated public membership information which is calculated by GM and broadcast to users when user revocation occurs.
As mentioned before, LPY-RGS (Libert et al. 2012) is efficient in computation costs of signing and verification, and the storage cost of signatures and user signing keys are constant.It fits the requirements of DGFE.What's more, their scheme satisfies the security of fully-anonymity and is secure in the standard model.Although LPY-RGS is efficient in the signing and verification phases, the revocation list is storage-consuming.Considering that an updated revocation list needs to be broadcasted at the beginning of each new time epoch, the size of RL will influence the communication cost.To fix this problem, many works (Attrapadung et al. 2014;Nakanishi and Funabiki 2013;Attrapadung et al. 2015;Sadiah and Nakanishi 2017) improve LPY-RGS construction to reduce the size of RL with sacrifices in other efficiency parameters.
Besides, Emura and Hayashi (2018); Ohara et al. (2019); Emura and Hayashi (2019) achieved better efficiency in practical rather than in asymptotic sense by using the random oracle.Since the above schemes are all based on the frame of LPY-RGS, we refer to the construction of the original LPY-RGS (Libert et al. 2012) in our DGFE.Since RGS is the most consuming part of DGFE, the efficiency of DGFE can be reduced with the improvement of RGS.We compare some widely discussed RGS schemes in Table 1 to make a summary of this subsection.

Preliminaries
Throughout this work, uppercase letters denote random variables and distributions, and lowercase letters denote samples.x ← X denotes sampling x according to X and x ← $ X denotes sampling x from X uniformly at random.Calligraphy letters denote sets.Especially, U X denotes a uniform distribution over the set X .For any non-nega- tive integer n > 0 , [n] denotes the set {1, 2, • • • , n} .PPT is the abbreviation of probabilistic polynomial time.All logarithms are base 2. In addition, we list the notation and their meaning in the following Table 2.
We also refer to the following notions and complexity assumptions.
Metric space A metric space is a finite set M with a non-negative distance function dist: Statistical distance The statistical distance between two probability distributions A and B over a set M is Min-entropy For any random variable A, the minentropy is defined as H ∞ (A) := − log(max a Pr[A = a]).
Average min-entropy For any random variable A given B, the average min-entropy is defined as Definition 1 (Average-case Strong Extractor) Let Ext: M × K → Y be a PPT function.We call Ext an average-case (M, m, Y, ǫ)-strong extractor, if for any W ∈ M and I ∈ I satisfying H∞ (W |I) ≥ m , SD((Ext(W , K ), K , I), (U Y , K , I)) ≤ ǫ , where K and U are uniformly distributions over K and Y , I is an auxil- iary variable over its space.Moreover, an extractor Ext is Definition 2 (Secure Sketch (Dodis et al. 2008)) An (M, m, m, τ )-secure sketch is a pair of PPT algorithms SS.Gen and SS.Rec such that: SS.Gen takes sample w ∈ M and outputs a sketch s; SS.Rec takes sample w ′ ∈ M and a sketch s, then outputs w.O( 1)

Private-key-shift secure public key encryption
The research by Ma et al. (2023) introduced a notion of key-shift secure secret key encryption and demonstrated the key-shift security of ElGamal-type SKE.This security indicates any PPT adversary is unable to retrieve the challenged message m, even when observing a series of ciphertexts of m, which is encrypted by shifted keys sk + δ i with the adversary-chosen shift δ i .They also men- tioned that ElGamal encryption is a private-key-shift secure PKE.We review their definition with a detailed security proof.
Construction of ElGamal encryption is listed in Fig. 3.
Lemma 1 If DDH assumption holds, the ElGamal encryption is private-key-shift secure that for any PPT adversary A , Adv ks PKE,A (1 ) ≤ Adv DDH (1 ).
Proof We prove the lemma by demonstrating that if a PPT adversary A can compromise the private-key- shift security of ElGamal encryption, then a PPT algorithm B can be constructed to solve the DDH prob- lem.(G, p, g, g x , g y , g z ) is the DDH challenge tuple, with x, y ← $ Z p .B proceeds: (i) B sends pp = (G, p, g) and pk = g x to A , which means B implicitly sets x as the private key.(ii) After receiving

For the multiple messages version of PKE with
PKE (1 ) denoting the advantage of adversary.On querying δ , it returns whether or random ciphertexts from the space, depending on β .Using hybrid technique, it is easy to prove that Adv ks,t PKE (1 ) ≤ t • Adv ks PKE (1 ) ≤ negl(1 ).

Revocable group signature
Group signatures allow any group user to sign messages anonymously with a group identity, while the group manager (GM) retains the ability to revoke signature anonymity when necessary.Revocable group signatures (RGS) primarily deal with user leaving affairs.There are lots of RGS schemes based on different technical approaches as signature of knowledge (SoK) (Bresson and Stern 2001;  Camenisch and Stadler 1997;Nakanishi et al. 2009;Boneh and Shacham 2004), verifier-local revocation (VLR) (Boneh and Shacham 2004;Libert and Vergnaud 2009;Nakanishi and Funabiki 2005;Kumar et al. 2015;Rahaman et al. 2017), accumulator-based (Boneh et al. 2004;Camenisch and Groth 2004;Camenisch et al. 2009;Fan et al. 2011) and LPY-based RGS schemes (Attrapadung et al. 2014;Nakanishi and Funabiki 2013;Attrapadung et al. 2015;Sadiah and Nakanishi 2017;Emura andHayashi 2018, 2019;Ohara et al. 2019).We make a comparison of these RGS schemes and find that scheme of Libert et al. (2012) proposed a revocable group signature that is efficient in the computation and storage cost, meeting the requirement of DGFE.Due to the outstanding performance of their work, it is used as a primitive in our DGFE.In Sect.5.1, we will explain in more detail the reason for choosing RGS scheme in Libert et al. (2012).
The lifetime of the RGS system is divided into revocation epochs indexed by t.GM maintains a group state st and a revocation list RL t storing information about revoked users.RGS consists: The property of RGS includes security against misidentification attacks, security against framing attacks and fullyanonymity.A detailed explanation of these properties can be found in Libert et al. (2012).

Dynamic group fuzzy extractor
We propose dynamic group fuzzy extractor (DGFE) to achieve effective user revocation.Besides, we give DGFE's definitions of functionalities and security properties, such as reusability, traceability, and anonymity.DGFE is a system whose users are PPT Turing machines and could be divided into four types of roles.Group manager (GM) is trusted and takes charge of user joining and leaving.It also maintains the group state.External users are those who have never joined the group.Revoked users are those ready to leave the group or who have left the group at an earlier time epoch.The sensitive information a revoked user holds is outdated.Unrevoked users are those who remain in the group at the current time epoch.
Adversary A is a PPT Turing machine, that can neither join the group nor corrupt group members.But A tries to break the security of reusability, traceability, and anonymity.A tries to obtain sensitive information of users, (R, P) pairs and change the system state by querying some oracles.For any user P i , A is allowed to submit- ted shifts δ and get P, IP i generated with shifted samples w i + δ .Additionally, A can also get sensitive information in IP i in traceability and anonymity security experiments.
The lifetime of DGFE system is divided into time epochs.Users can join the group at any epoch.When some users try to leave the group, the time epoch increases by one and GM publishes a revocation list at the beginning of the new time epoch.
is the metric space where the samples of users and GM come from.User P i samples w 0 i , w i from a distribution W i over M i .For the security of DGFE, we require that W 1 , • • • , W N , W g are independ- ent and H ∞ (W i ) ≥ m .The threshold between two sam- ples is denoted by τ , which means if the distance between two samples is within τ , they are regarded as homologous samples.L is the set of RL t .

Definition of DGFE
Definition 6 (Dynamic Group Fuzzy Extractor) An (M, m, U, τ )-DGFE for a group P = {P i : i ∈ [N ]} and a GM over metric space M consists of six PPT algorithms, and satisfies the following properties of correctness, anonymity, traceability and reusability.
• (pp, IP g , L, CU, st) ← Setup(1 , w 0 g , N ) .Run by GM, on input a security parameter 1 , a sample w 0 g ∈ M g and the permitted number of users N, it outputs the group public parameters pp , a (public) individual help data IP g for GM, the revocation list set L = ∅ for revoked users, the initial group state st = (∅, ∅) , and the initial set of the current group user CU = ∅.
• (IP i , st, C U)/ ⊥← Join(pp, (IP g , w g ), w 0 i , i, st, CU) .It is an interactive protocol run between GM and P i .On input IP g , w g ∈ M g , w 0 i ∈ M i , pp , st and CU , if dist(w 0 g , w g ) ≤ τ , it outputs a (public) individual help data IP i for P i and GM outputs the updated st and C U ; otherwise, it outputs ⊥.
• (R, P)/ ⊥← Gen(pp, (IP i , w i ), L) .Run by a user P i , on input IP i , w i ∈ M i , a revocation list set L and pp , if dist(w 0 i , w i ) ≤ τ and P i is unrevoked, it outputs a pair (R, P), where R is an extracted nearly random string whose distribution is indistinguishable with the uniform distribution and P is a public group help data; otherwise, it outputs ⊥.
• R/ ⊥← Rep(pp, (IP j , w j ), P, L) .Run by a user P j , on input IP j , w j ∈ M j , a group help data P, the revoca- tion list set L and pp , if dist(w 0 j , w j ) ≤ τ and P is pro- duced by an unrevoked user, it reproduces the string R; otherwise, it outputs ⊥.
• i/ ⊥← Trace(pp, (IP g , w g ), P, L, st) .Run by GM, on input IP g , w g ∈ M g , a group help data P, the group state st, the revocation list set L and pp , it returns the identity i of user P i who generates P if dist(w 0 g , w g ) ≤ τ and P is valid; otherwise, it outputs ⊥.
. It contains interactive protocols run between GM and unrevoked users.on input IP g , w g ∈ M g , revocation list set L , revoked user set V ⊆ [N ] , samples and IP s of the unrevoked users {(IP i , w i )} i∈CU\V , the group state st and pp , after the interaction, it returns the updated individual help data ĨP i for each i ∈ CU\V , updated L , C U and Ĩ P g .It outputs ⊥ if V contains external users. Figure

Security properties
DGFE satisfies reusability, traceability, and anonymity defined in the following.We formalize security properties through attack experiments involving an adversary A and a challenger who assumes the roles of GM and users.
During the experiments, A will have access to the follow- ing oracles.
• O SftJoin (i, δ) .The oracle takes the identity i of a user and a shift δ on the sample as inputs.If δ > τ , it returns ⊥ .Otherwise, it returns IP δ i which is outputed by Join(pp, (IP g , w g ), w 0 i + δ, i, st, CU) .Note that if 0 < δ ≤ τ , O SftJoin oracle just returns IP δ i and transcripts in the joining operation.It will not affect the system state.P i is still an external user.If δ = 0 , P i joins the group with no shift on the sample, and the group state will be modified.O SftJoin enables an adversary to observe IP δ i generated from source readings within the tolerant distance.
• O SftGen (i, δ) .The oracle takes the iden- tity i of an unrevoked user and the shift δ as inputs.If dist(δ, 0) ≤ τ , it returns (R, P) ← Gen(pp, (IP i , w 0 i + δ), L) ; otherwise, it returns ⊥ .The oracle maintains a query set GSet • O Revoke (V) .On input a revoked user set V , the oracle makes the system revoke V and update unre- voked users' individual help data to { Ĩ P ℓ } ℓ∈CU\V , and returns the transcript.O (i,t i ) Revoke (•) means the oracle cannot revoke user P i before time

Construction of DGFE
We present the construction method of DGFE in this section.Firstly, we present an overall intuition of construction methodology and outline the efficiency requirement of DGFE.Then, we give a comparative analysis of various RGS schemes which is an main component of our DGFE construciton, justifying the selection of the RGS scheme (Libert et al. 2012).Subsequently, we present the detailed construction of DGFE, including correctness analysis and security proofs.At the last, we provide a concrete analysis regarding the asymptotic complexity of various DGFE construction approaches.

High-Level intuition
We design construction of DGFE under the framework of Ma et al. (2023), where individual help data IP s are generated to store sensitive information, eliminating the necessity of secure storage.In the original design (Ma et al. 2023), a group signature was implied to realize the functionalities of GFE.In our construction of DGFE, we replace this component with a revocable group signature for efficient user revocation.Figure 8 illustrates the ingredient of IP i in our DGFE construction.For each user P i , a key is extracted from their biometric source , which is then used to encrypt user's sensitive information m i .The encrypted message ct i and a sketch data s i are stored together in IP i .The sensitive information m i con- sists of two parts -the group signing key part and the group secret part.The group signing key part contains (cert i , sec i ) which are used to generate signatures and prove the signer is an unrevoked group member.The group secret part fek is used to generate group keys.Typically, fek is distributed and updated by GM.
The revocable group signature is a crucial component of DGFE to enable the functionality of user revocation.Since different technical approaches of RGS vary in the complexity of storage cost and computation cost, which directly impact the overall consumption of DGFE, it is imperative to choose an appropriate technical approach of RGS that meets the requirement of DGFE.Then we explain why we have chosen RGS proposed by Libert et al. (2012), referred to as LPY-RGS.
In summary, the efficiency requirements of DGFE are as follows.The computation cost of DGFE.Gen and DGFE.Rep should be low enough since these operations occur frequently during the lifetime of a DGFE scheme.DGFE.Gen involves a RGS.Sign operation and DGFE.Rep involves a RGS.Very operation, implying that the computation cost of signing and verification should be minimized.The functionality of DGFE demands that even if a user leaves the group, the group data generated by the user before the revocation should remain reproducible and traceable.Therefore, the introduced RGS construction is preferred to generate unchanged msk, osk for GM and unchanged gsk for the users.Without this property, GM would need to retain all the previous group keys and the mapping relationship of trans and the user identities.Here, the term trans denotes the registration transcripts of a user and is retained by GM to trace the signer of signatures, often referred to as reg in certain RGS works.Furthermore, if the mapping relationship is sensitive in a specific RGS scheme, the mapping should either be securely stored or encrypted in IP g , incurring additional computation and storage costs.
Based on above-mentioned selection criteria of DGFE construction, we give a comparative analysis of various RGS-based DGFE constructions with different type of RGS schemes.As mentioned in Subsect.2.3, we classify RGS into different types: signature of knowledge (SoK) (Bresson and Stern 2001;Camenisch and Stadler 1997;Nakanishi et al. 2009;Boneh and Shacham 2004), verifier local revocation (VLR) (Boneh and Shacham 2004;Libert and Vergnaud 2009;Nakanishi and Funabiki 2005;Kumar et al. 2015;Rahaman et al. 2017), accumulator-based (Boneh et al. 2004;Camenisch and Groth 2004;Camenisch et al. 2009;Fan et al. 2011) and LPY-based RGS scheme (Attrapadung et al. 2014;Nakanishi and Funabiki 2013;Attrapadung et al. 2015;Sadiah and Nakanishi 2017;Emura andHayashi 2018, 2019;Ohara et al. 2019).In many SoK-based RGS schemes, the computation cost of the signing and verification is linear in the size of the revocation list (RL), which affects the efficiency of Gen and Rep in DGFE.Although Nakanishi et al. (2009) improved the computation cost of the signing and verification, the size of gpk remains large.Additionally, most SoK-based RGS schemes are secure in random oracle model.VLR-GRS schemes add revocation tokens of the revoked user to RL.The verifier executes an additional revocation check for all elements in RL to confirm that the signer is not revoked, affecting the efficiency of Rep in DGFE.ACC-based RGS schemes achieve user revocation by modifying keys in the system and incurs a high cost of key updating for unrevoked users and GM.To realize DGFE.Rep and DGFE.Trace, GM needs to maintain all the previous group keys and the mapping relationship, thus increasing computation and storage costs.LPY-based RGS schemes perform efficiently in signing and verification, and the key management is convenient with no key updating.As a result, compared to other approaches, LPY-based RGS schemes can better meet the selection criteria of DGFE construction.In the following subsection, we give a detailed construction of DGFE based on LPY12 (Libert et al. 2012) RGS scheme.Note that compared to LPY12 (Libert et al. 2012) RGS scheme, a newly designed LPY-based RGS scheme (Sadiah and Nakanishi 2017) performs better in the storage of the revocation list, but sacrifices the efficiency of signing and verification.For a detailed analysis regarding the asymptotic complexity of the DGFE construction incorporating various RGS approaches, refer to Table 3.

Detailed construction
We give the detailed construction of DGFE in this subsection.In our construction, we introduce two primitives: ElGamal-type public key encryption and LPY-revocable group signature (LPY-RGS) (Libert et al. 2012).LPY-RGS relies on structure-preserving signature (SPS) (Abe et al. 2010), which has an algorithm ReRand to publicly randomize signatures but preserves the ability of verifying, and Groth-Sahai (GS) proof systems (Groth and Sahai 2008) which proposes a proof framework on cryptographic pairings.LPY-RGS is efficient with an almost-for-free cost in the computation and storage.It has a binary tree structure with depth ℓ = ⌈log N ⌉ .Users are located at leaf nodes.So the signature of path C v i from a leaf node v i to the root node signed by GM indi- cates the group membership of user P i .A signature is σ = (VK, ϒ 1 , ϒ 2 , ϒ 3 , ϒ 4 , ϒ 5 , �, com, �, σ ots ) .The signer generates (VK, SK) , which is the one-time signature key pair to sign the message and outputs σ ots , then adds VK and σ ots to the final revocable signature.ϒ 1 to ϒ 5 are encrypted messages of sec i that can be decrypted by GM with osk to trace the signer.is a set of structure-preserving signatures produced by GM. com is a set of com- mitments.is the GS proof systems result., com and collaborate to verify that the signature is from an unrevoked group user without leaking the signer's identity.
We provide graphical representations of Gen, Rep, Join, and Revoke processes in Fig. 9, Fig. 10, Fig. 11, and Fig. 12.These figures describe the data flows and the execution order of various DGFE components, including PKE, RGS, SS, and Ext.We display the major parameters in these figures and omit parameters such as PKE.pp, CU , etc.
Setup shown in Fig. 13 is run by GM to initialize the system and get GM registered.In this phase, GM generates the public parameter for PKE and extracts a random string from its biometric sample as the private key for PKE.GM generates (gpk, msk, osk) for RGS, the group secret fek and initializes st, L, CU .Finally, GM encrypts fek, msk, osk and epoch t = 0 with the public key gener- ated from the extracted private key.
Join shown in Fig. 14 is run by GM and a user.User P i extracts a random string from his biometric sample as sk i for PKE, generates the public key pk i , and then sends pk i to GM.GM reproduces (fek, msk) and the current time epoch t from IP g .GM and the user run an interactive protocol of RGS.Join for the user to get membership certificate.GM sends an encrypted message of the group secret and the time epoch to the user.Finally, the user P i encrypts group secret and membership certificate in IP i and GM updates group state.
Revoke shown in Fig. 15 is run by GM and users to revoke some users in the group.On receiving a set of user V ready to be revoked in the next time epoch, GM runs RGS.Revoke to generate the revocation list RL t+1 = (t + 1, V t+1 , I revokePath t+1 ) in the next time.The revocation list RL t+1 is a structure that contains the epoch t + 1 , the revoking user set V t+1 and the path I revokePath t+1 indicating the revoking users' location in the tree.Then GM randomly chooses y to update the group secret fek and sends encrypted y to unrevoked users.When users receive the messages, they update their IP s with the new fek and the time epoch.
Gen shown in Fig. 16 is run by any user to extract the group key.Note that if L is empty which means no user in the group has revoked, the user only needs to prove the membership certificate ( C v i in LPY-RGS).If L is not empty, in RGS.Sig user also needs to prove that the leaf bound with the user is not in the revocation list.
Rep shown in Fig. 17 is run by any user or GM to reproduce group keys.If a group help data P is generated by a revoked user, Rep will return ⊥ since RGS.Very fails.A revoked user will reproduce outdated group keys if it tries to reproduce group keys from P.
Trace shown in Fig. 18 is run by GM to revoke anonymity of DGFE.It returns the identity of user who generates P.
Theorem 1 If the DDH assumption holds with the group (G, p, g) ← IG(1 ) and the underlying SS is an (M, m, m, τ )-secure sketch, Ext is a homomorphic Proof The proof is presented in the subsequent subsection.

Correctness and security
The correctness of DGFE construction follows from the correctness of secure sketch, public key encryption and revocable group signature.If dist(w 0 i , w i ) ≤ τ , w 0 i is correctly recovered and the private key of PKE is extracted.User P i obtains fek, cert i and sec i from the IP i .The correctness of RGS allows P i to generate group keys and group help data.Since P i possesses current fek, the user can correctly reproduce group keys.After user revocation, fek for the unrevoked users is updated.The reproduced group keys are updated for the unrevoked users, while that is outdated for the revoked users.The revocable group signature scheme ensures that signatures forged by revoked users fail in the verification phase, thereby invalidating the group keys generated by them.The correctness of the open algorithm within the RGS scheme guarantees that valid help data can be traced back to the correct generator by GM.In summary, our construction of DGFE is correct.Then, we prove the reusability, traceability, and anonymity.
Lemma 2 (Reusability) If the DDH assumption holds with the group (G, p, g) ← IG(1 ) and the underlying SS is an (M, m, m, τ )-secure sketch, Ext is a homomorphic average-case (M, m, K sk , ǫ) -strong extractor with a neg- ligible ǫ , PKE is private-key-shift secure with private key space K sk , LPY-RGS is revocable group signature, then the construction of DGFE is reusable.
Proof We prove the reusability through a sequence of games played between a PPT adversary A and a challenger C .In all games, C acts as GM and users P i , pro- viding algorithm results, oracle results and challenge for A .We use denotes the probability that game G j outputs 1.In the following proofs, we omit public parameter PKE.pp in PKE.PKGen, PKE.Enc, and PKE.Rec.We omit public parameter pp and revocation list set L in Gen. Game G 0 G 0 is the original reusability experiment.It runs as following: and calculates s g = SS.Gen(w 0 g ) , sk g = Ext(w 0 g , k) , pk g ← PKE.PKGen(sk g ).
15. C simulates oracle O Trace (P) as: The challenger simulates sources for GM and users P i as W g and {w 0 i ← $ W i } i∈[N ] respectively and runs RGS.Setup to get gpk, msk, osk .Since C generates all the private information by itself, it can perfectly answer queries from A.
GameG 1 In G 1 , the modification is about C 's action on answering O SftGen , O SftJoin and O Trace .For O SftGen , instead of using w 0 i + δ to recover w 0 i , extracting sk i and then decrypt ct i in IP i for P i , challenger directly use m i = (fek, cert i , sec i , t) generated in O SftJoin .(f ) or the perspective m ′ i updated in O Revoke .(e).For O SftJoin and O Trace , instead of using m g decrypted from ct g in IP g , C uses m g = (fek, msk, osk, t) generated in 4 or m ′ g Fig. 18 Construction of Trace updated in O Revoke .(f).If the shift on input δ is within the threshold τ , secure sketch correctly recover w 0 i and w 0 g , and Game G 2 In G 2 , the modification is about C 's action on answering the O SftJoin .In O SftJoin .(b), the computation of sk δ i will be sk Game G 3 In G 3 , the modification is about C 's action on experiment setup phase and answering the O SftJoin .It modifies 7 as Proof We refer a series of games G 4,j where j ∈ . The proof is to construct a PPT algorithm B that breaks the private-key-shift security of private-key-shift secure PKE by invoking a PPT algorithm A which is supposed to distinguish G 4,j−1 and G 4,j .B proceeds: (i) B acts the role of challenger in G 3 .By receiving the public parameter from private-keyshift secure PKE challenger, B samples w and calculates all information used in the experiment by itself except the sk j for user P j in 7 and the results of O SftJoin (j, δ) for P j .(ii) For simulation of P j , B gets pk j from PKE, sends (fek, t) and m j as the multi- ple messages.For O SftJoin (j, δ) , B queries O Enc (δ) of pri- vate-key-shift secure PKE to get c t δ j and ct δ j .(iii) Finally, B returns what A outputs.
If all queries from private-key-shift secure PKE challenger is the real ciphertexts ( β in Exp ks PKE (1 ) is 1), B simulates G 4,j−1 perfectly.If all queries from private-key- shift secure PKE challenger is randomly chosen in the ciphertexts space ( β in Exp ks PKE (1 ) is 0), B simulates G 4,j perfectly.

So, we have
. By hybrid games, Proposition. 2 follows.
Game G 5 In G 5 , the modification is about cipher- texts.In 5, it modifies the ciphertext as ct g ← $ CT PKE , and in O Revoke .(e,f ) as ct ′ i ← $ CT PKE , ct ′ g ← $ CT PKE .We separate G 5 into G 5,0 and G 5,1 to modify ciphertexts of GM and unrevoked users respectively.Suppose adversary can query O Revoke at most Q Revoke times.By Lemma. 1, Game G 6 In G 6 , the modification is about C 's action on answering the Observe that in G 6 , all messages returned to adversary in queries are chosen random uniformly.If a PPT adversary A can win G 6 , then there exists a PPT B that breaks the DDH assumption.
Given the challenge tuple (G, p, g, g x , g y , g z ) from DDH challenger, B proceeds as follows.(i) B acts the role of challenger in G 6 , replaces PKE.pp with the received (G, p, g) .(ii) On receiving the challenged user i from A , B implicitly set fek = y and X = g x , R = g z , then generates signing key of P i and signs σ ← RGS.Sig(gpk, t, RL t , cert i , sec i , X) .
B makes P = ( X, t, σ ) and returns ch = ( P, R) (iii) On receiving any query from A , B returns as queries in G 5 .(iv) B out- puts what it gets from A.
If z = xy , B perfectly simulates When β = 0 , all the public messages are randomly chosen, so we have Game G 1 − G 5 The change in G 1 to G 4 are exactly the same with that in the reusability games.Especially, in G 1 , challenger returns up to date m i = (fek, cert i , sec i , t) rather than decrypting from ct i in O Reveal .We have

Finally, we have Adv reu
G 4 uses a ciphertext randomly chosen from the cipher- text space to replace a ciphertext encrypted by user's pk i in O SftJoin .Since the adversary can get plaintext m i by querying O Reveal , the proof for the hybrid game between G 3 , G 4 , slightly differs from Proposition.2. When B receives a reveal query O Reveal (i) from A for user i, it checks whether i has joined the group and returns m i to B if i has joined the group.Since m i is gen- erated by B , B perfectly answers O Reveal .So we also have | Game G 6 In G 6 , all messages returned to adversary in queries are chosen random uniformly except the signature part in O SftGen .Adversary wins the game if it forges a signature that open to a unrevealed user or a revoked user at time t * .Review the construction of LPY-RGS.σ = (VK, ϒ 1 , ϒ 2 , ϒ 3 , ϒ 4 , ϒ 5 , �, com, �, σ ots ) .com and makes a proof of membership certificate.is structurepreserving signature (SPS) of RL * t and user path C v i which is signed by GM.
If t * = 0 , there is no user revoked in the group and RL 0 = ∅ .Adversary wins if it forges open- ing to a non-adversary controlled user i * that i * / ∈ CSet .We use Adv Forge,t * =0 A to indicate the advantage when t * = 0 .In this case, adversary needs to forge a fresh structure-preserving signature σ * v of membership certificate (X RGS , C v i ) ( X RGS is the parameter related to sec i , C v i is the committed path from the user leaf to the root), or A successfully generate a faithful proof with a invalid signature.Since the GS proof systems used in the construction is perfect soundness, we have

SPS
. Otherwise, there exists B that refers to A and breaks the EUF-CMA of SPS.B simulates a challenger in G 6 by following the specification of the Setup algorithm except that B gets public keys and signs the messages from SPS's challenger.Since B knows osk and gets SPS signature from SPS's challenger, it faithfully answers all queries from A.
If t * � = 0 , there are two types of forges in the G 6 .(1) type1-forge: adversary either forges structure-preserving signature on RL * t or user's membership (X RGS , C v i ) .Adversary will break the EUF-CMA of SPS.So, we have (2) type2-forge: revocation list RL * t , membership certification (X RGS , C v * i ) and the corre- sponding signatures are signed correctly, but C v * i encodes a path from root to a revoked user i * at time t * .Since C v i is based on ℓ-FlexDHE assumption, we make the reduction as following.Given the ℓ-FlexDHE instance, B simulates an environment for A .B acts the role of challenger in G 6 , calculates all information used in the experiment with the difference that, it replaces part of gpk by the instance getting from ℓ-FlexDHE challenger.Since B knows group secret (msk, osk, fek)  ) that breaks ℓ-FlexDHE problem.The detailed reduc- tion refers to Lemma. 1 Libert et al. (2012).We have

Complexity analysis
We will now provide a concrete analysis regarding the asymptotic complexity of the DGFE construction.We use variables N, T, V and T ′ , which denote the maxi- mum number of users, the maximum number of revocation epochs, the maximum number of revoked users, the parameter of the vector commitment value in Sadiah and Nakanishi (2017), respectively.We strict the length of the sample to be O( ) and choose syndrome construc- tion (Dodis et al. 2008) as the secure sketch.Besides, our DGFE construction relies on ElGamal-type PKE and LPY-revocable group signature (LPY-RGS) (Libert et al. 2012).ElGamal encryption works in group G with (G, p, g) ← IG(1 ) .LPY-RGS works in the group Ĝ of prime order p > 2 with a symmetric pairing function e.
We list the storage complexity, computation complexity, communication complexity of different DGFE constructions in Table 3.The first three columns list complexities of DGFE constructions which are based on SoKtype RGS (Nakanishi et al. 2009), VLR-type RGS (Libert and Vergnaud 2009), ACC-type RGS (Fan et al. 2011).The 5th column lists complexity of DGFE construction based on an improved LPY-RGS scheme (Sadiah and Nakanishi 2017).The 6th column denotes complexity of GFE construction with extra re-initialization phase to realize group dynamics.The last column denotes complexity of original GFE (Ma et al. 2023) with PKE.The complexity of our proposed DGFE construction in Sect. 4 is shown in 4th Column with a mark "*".Note that storage costs are measured by bits related to but we omit to keep the table concise.The computation cost is performed over group G and Ĝ respectively.In Setup phase, pp and IP g are calculated by GM.In Join and Revoke phases, interactive protocols are executed, and the consumption of GM and users are calculated respectively.All RGS schemes mentioned above are efficient in signing and verification operation.We also assume that RGS schemes work in symmetric pairings and the costs for GS schemes are counted in Ĝ.
Based on comparison result shown in Table .3, we can find that our DGFE with LPY-RGS has the same asymptotic complexity as GFE (Ma et al. 2023), while original GFE scheme does not support user revocation.The only additional cost is increased storage cost of pp.We compare our DGFE construction with the straightforward method of system re-initialization.This method handle user revocation by re-initializing the system and re-registering all unrevoked users.The functionality of DGFE demands that even if a user quits the group, the group data generated by this user before quitting the group should remain reproducible and traceable.As a result, GM need to store osks securely of all previous GS instances, leading to an additional computation and storage cost.Users and GM need to store all previous gpks.When compared with SoK-based RGS scheme (Nakanishi et al. 2009)

Table 3 Consumption of DGFE
N is the maximum number of group users.T is the maximum number of revocation epochs.V is the maximum number of revoked users.T ′ is the parameter of the vector commitment value in Sadiah and Nakanishi (2017) "*" indicates the scheme we incorporated for DGFE."-" indicates the cost in this cell is not considered.The principal (GM or user P i ) to store or calculate the parameter of each phase are specified in the brackets.The computation cost considers the numbers of exponentiations over group G and Ĝ respectively." 1 " indicates the cost can be reduced to O(1)." 2 " indicates the cost is only required at the first Gen for each user at each epoch "⋄ " is different from table 1 because they are stored distributedly in each user."(pmi)" is public membership information for verification 1 trans i is the message recorded by GM in the user joining interaction and used to identify a user in the Trace phase.In some GS schemes, it is marked as reg i 2 A set of trans i for all users joining in the group within the lifetime of DGFE 3 This row is the computation cost of GM to generate gsk i .The computation cost for the user to generate gsk i in an interactive joining protocol is included in the statistic of computation cost for IP i 4 This row is the computation cost of GM to generate trans i ."-" means that this part of computation cost is omitted because the part is included in the component in the bracket or the part is sent by the role in the bracket 5 rc indicates the additional computations on the revocation check.The verifier traverses the entire revocation list to confirm that the signer is not revoked O( 1) O( 1) O( 1) O( 1) O( 1) O(T) O( 1) 1) O( 1) O( 1) O( 1) O( 1) O( 1) O( 1) 1) O( 1) O( 1) O( 1) O( 1) O( 1) 1) O( 1) O( 1) O( 1) O( 1) O( 1) O( 1) 1) O( 1) O( 1) O( 1) O( 1) O( 1)   (2004); Camenisch and Groth (2004).Though one can When DGFE is constructed with a newly designed LPY-RGS scheme (Sadiah and Nakanishi 2017).The storage cost of RL is improved with a sacrifice in the efficiency of Gen. Through the comparisons above, we conclude that there is a tradeoff between the cost in storage and computation and LPY-RGS is a most suitable RGS construction to meet the performance requirements of DGFE so far.

An application scenario: group file sharing
In this section, we present a group file sharing system based on our DGFE scheme.In this application scenario, a group of users need to share sensitive files.To ensure the confidentiality of file contents, group users must encrypt the files before uploading them to the file server.These encrypted files can only be downloaded and decrypted by other group members.In this setting, we use DGFE as a key management solution for group file encryption.We present three main processes in the group file sharing system in Fig. 19. 1. File encryption and uploading.Any group member executes this process to upload encrypted files to the database server.By providing his biometric sample (for example, the fingerprint), individual help data, and plain files, a group user executes DGFE.Gen to extract group key R with a group help data P from the sample and the individual help data IP .Using key R, the user encrypts the files, typically with highly efficient symmetric encryption.The user merges the encrypted files with the group help data and uploads them to the database server.
2. File download and decryption.Any group member executes this process to retrieve and decrypt the shared files.The user downloads the target files together with the group help data.Then, by providing the group help data P, user's biometric sample, and the individual help data, the group key R corresponding to P is reproduced.The user can decrypt the files correctly.As a result, the files are securely shared with all group members.
3. User revocation and file re-encryption.Regarding user revocation, this process is launched to ensure that revoked users cannot decrypt shared files anymore.All existing files will be re-encrypted by the updated group keys.The group manager is responsible for user revocation and file re-encryption process.On the one hand, GM executes DGFE.Revoke with the unrevoked users by sending them an encrypted modification data y for the individual help data modification.On the other hand, GM decrypts files using old group keys and encrypts them with updated group keys.Since GM has the ability to reproduce group keys from group help data, the file re-encryption process can be executed successfully.This process is efficient because it uses symmetric encryption and the DGFE.Rep is also efficient.

Conclusion
We propose the definition and construction of dynamic group fuzzy extractor (DGFE) to handle events of user revocation without system re-initiation.It allows the unrevoked users in the group to reproduce updated group keys from existing group help data and prevents the revoked user from reproducing group keys with the outdated individual help data.We introduce revocable group signature (Libert et al. 2012) into our construction, which has a constant generation and verification cost.Finally, we give a formal proof on the reusability, traceability, and anonymity of our construction.When considering applications, our group fuzzy extractor faces the challenge of relying on a privileged group manager, who distributes the group secrets to all the users.In the future, we will strip the task of group key generation from the group manager and improve the robustness of the group fuzzy extractor.

Fig. 1
Fig. 1 Functionalities of the group fuzzy extractor in the generation and reproduction algorithms

Fig. 4
Fig. 4 Main functionality of DGFE and for any PPT adversary A , it holds thatAdv reu A (1 ) := | Pr[Exp reu A (1 ) ⇒ 1] − 1 2 ]| ≤ negl(1 ) where Exp reu A (1 ) is given in Fig. 5. Reusability indicates that any PPT adversary cannot distinguish an extracted group key R * from a random string, even if the adversary can adaptively query O SftGen to get (R, P) pairs with slight shifts on the input samples and query O SftJoin , O Revoke , O Trace , O Time .It allows group users to extract group keys multiple times.Definition 9 (Traceability) A DGFE scheme achieves traceability if, for distributions and for any PPT adversary A , it holds that Adv trace A (1 ) := Pr[Exp trace A (1 ) ⇒ 1] ≤ negl(1 ) where Exp trace A (1 ) is given in Fig. 6.

Fig. 9
Fig. 9 Process of Gen. Components in group help data P is green-colored

Fig. 11
Fig. 11 Process of Join

Fig. 13
Fig. 13 Construction of Setup 2 * , B gets a modified fek and compute R * = X fek , returns (R * , P * ) to A .(vi) Finally, B returns what algorithm A outputs to the RGS fully-anonymity challenger.So, we have | Pr[G 6 ⇒ 1] − 1 2 | ≤ Adv fully-anonymity RGS (1 ) .In all, Adv anony A := | Pr[Exp anony and verifying is O(1), our construction is still better in the size of pp and the security of backward linkability.Here, backward linkability indicates that the signatures signed by a revoked user are linkable.Note that the consumptions on signing and verifying for many SoK-type RGS schemes are linear in the size of the RL.When compared with VLR-RGS based DGFE, the most significant advantage of LPY-RGS based DGFE is the computation cost in Rep.The Rep phase of a VLR-RGS based DGFE needs to execute an additional revocation check for the entire RL to confirm the signer is not revoked and the revocation check is a time-consuming pairing operation in many schemes.Besides, revocation tokens contain identity information, directly making them public to the verifiers may raise concerns about the anonymity.Although there exists VLR-RGS scheme(Libert and Vergnaud 2009) which can alleviate the anonymity concern.Our DGFE construction, which is based on LPY-RGS, does not have this problem.Finally, we compare our DGFE scheme with ACC-RGS based DGFE.As mentioned in SubSect.2.3, in user revocation phase, each unrevoked user updates their secret signing keys with an accumulation of all the revocation information of revoked users.The computation cost of key updating is O(V) both for the unrevoked users and GM inBoneh et al.

Fig. 19
Fig. 19 Group file sharing system based on DGFE

Table 1
Comparison of RGS SchemesThe maximum number of group users, T: The maximum number of revocation epochs, V: The maximum number of revoked users.T N:

Table 2
Summary of notations i Membership certificate of user P i sec i Membership secret of user P i gsk i The set of (cert i , sec i ) st, st Public state of RGS, consist of st users and st trans , st is the updated state transcript i Transcript of interactive protocol between GM and P i t Time epoch for revocation RL t Revocation list for time epoch t V t Revocating user set for time epoch t L , L Set of revocation list, L is the updated revocation list set CU , C U Set of users that currently in the group, C U is the updated user set IP i , ĨP i Individual help data of user P i , ĨP i is the updated individual help data fek, fek Group secret, fek is the updated group secret Gen,Rep Generation and reproduction algorithm of DGFE (R, P) A pair of extracted random string and group help data, R is also called the group key • RGS.Sig(gpk, t, RL t , cert i , sec i , m) .Group user P i is allowed to use (cert i , sec i ) to sign message m at epoch t with gpk and RL t , it outputs⊥ if P i ∈ V t ( V t is an ele- ment in RL t ),otherwise a signature σ. • RGS.Very(gpk, m, t, RL t , σ ) .It takes gpk , m, σ , the epoch t and the corresponding RL t as inputs.It outputs 1 if σ is a signature on m signed by an unrevoked group user at epoch t.Otherwise, it outputs 0. • RGS.Open(gpk, osk, m, t, RL t , σ , st) .It is run by GM.It takes gpk , osk , m, σ , the corresponding t, RL t and group state st as inputs.It returns the signer's identity of σ .If opening fails, it returns ⊥.
is run by GM.It takes security parameter 1 and the maximal number of the group user N ∈ N as input.It outputs group public key gpk , master private key msk , opening private key osk , and initializes a public state st = ∅ which comprises st users = ∅ and st trans = ∅.• RGS.Join(1 , gpk, msk, i, st) .It contains an interac- tive protocol executed between GM and P i denoted as RGS.J P i (1 , gpk) ⇋ RGS.J GM (1 , st, gpk, msk) .After joining, P i gets signing secrets (cert i , sec i ) and GM updates the group state st.• RGS.Revoke(gpk, msk, t, V t ) .On input gpk , msk , the next epoch t, a set of users to revoke in the next time epoch V t ∈ st users , it outputs RL t at time t.
′′which is different from R ′ .If Gen and Rep run in the same time epoch, DGFE works like traditional GFE.
4 shows how DGFE works with user revocation when Gen and Rep are running in different time epochs.Group help data P is generated in t.In epoch t ′ > t , all unrevoked users will reproduce the same group key R ′ which is updated.The revoked user P k will reproduce group key R Definition 7 (Correctness for DGFE) A DGFE is correct if it fulfills the following conditions: (1) After a user joins the group, the user can correctly generate group keys and reproduce group keys from previously generated group help data.(2) After user revoking, unrevoked users can correctly reproduce updated group keys even if they are generated by revoked users.(3) After user revoking, the revoked user cannot generate valid group keys.The group keys reproduced by any revoked user are outdated.(4) Any valid group help data can be traced to the correct generator by GM.
the oracle returns sensi- tive information m i protected in IP i .This oracle manages a corrupt user set CSet, initialized with CSet = ∅ .The oracle returns ⊥ if P i is an external user; otherwise, it adds i to CSet.O Reveal enables an adversary to observe sensitive information related to group key generation of users who have joined the group.• O Time (•) .It returns the current time epoch.In the experiment, we restrict the number of querying O SftJoin , O SftGen and O Revoke with Q SftJoin , Q SftGen , Q Revoke respectively.
If the DDH assumption holds with the group (G, p, g) ← IG(1 ) and the underlying SS is an (M, m, m, τ )-secure sketch, Ext is a homomorphic average-case (M, m, K sk , ǫ) -strong extractor with a neg- ligible ǫ , PKE is private-key-shift secure with private key space K sk , LPY-RGS is secure under ℓ-FlexDHE assump- tion, then the construction of DGFE is traceable, where N is the maximum number of group users, ℓ = ⌈log N ⌉.Proof We prove the traceability through games.Q SftJoin , Q SftGen and Q Revoke denote numbers of querying O SftJoin , O SftGen , O Revoke oracles.Game G 0 G 0 is the original traceability experiment.Adversary is additionally given the O Reveal to get users' sensitive information m i containing fek and the signing secret cert i , sec i and t, which are protected in IP i .Chal- lenger will add the compromised users queried by O Reveal to CSet. .
, it can faith- fully answer O SftJoin , O Revoke , O SftGen , O Trace , O Reveal .Once it gets type2-forge signature σ * from P * , it can generate an non-trivial triple (ĝ µ , ← IG(1 ) and the underlying SS is an (M, m, m, τ )-secure sketch, Ext is a homomorphic average-case (M, m, K sk , ǫ) -strong extractor with a neg- ligible ǫ , PKE is private-key-shift secure with private key space K sk , LPY-RGS is secure under ℓ-FlexDHE assump- tions, then construction of DGFE is anonymous, where N is the maximum number of group users, ℓ = ⌈log N ⌉.Proof We also prove the anonymity through games.G 0 is the original anonymity experiment.The modifications from G 0 to G 6 are identical to that in traceability experi- ment.In G 6 , all messages returned to the adversary in queries are chosen random uniformly except the signature part in O SftGen and challenge phase.Now we analysis the A 's advantage of winning in game G 6 .We reduce the security of fully-anonymity of the RGS signature to the anonymity in our construction.IfA can win G 6 , then an algorithm B can be constructed to break fully-anonymity of the RGS.B proceeds.(i)Bacts the role of challenger in G 6 .B samples w 0g ← $ W g ,{w 0 i ← $ W i } i∈[N ] ,and follows exactly the Setup phase in anonymity experiment except RGS.Setup phase.After RGS.Setup, B gets gpk, msk of RGS by querying the O keyGM , O pub oracles provided by challenger of the signature and samples osk randomly.B generates param- eters of PKE and samples sk for users.(ii) B can simu- lates O SftJoin .Since B knows w i and sk i , it can calculate sk δ i and s δ i .In the first time of querying O SftJoin for user P i .B generates user group signature key (cert i , sec i ) by a simulated joining protocol between user P i and GM and modifies group state using O write oracle of the RGS scheme.(iii) Since B knows all secrets except osk of the RGS, it can simulates O Revoke , O SftGen , O Reveal per- fectly.(iv) B can simulate O Trace .B parses P = (X, t, σ ) , queries O open oracle of the RGS with X , returns what O open outputs to A