Improved VLR Group Signature Based on DTDH Assumption

In VLR (verifier-local revocation) group signatures, revocation messages are sent only to signature verifiers (as opposed to both signers and verifiers). Consequently, there is no need to contact individual signers when a user is revoked. Since signers bear no extra load, VLR group signature schemes are suitable for mobile environments. To meet the speed requirements of mobile communication, reducing computation costs and shortening signature length are two goals of current research on VLR group signatures. Based on this idea, an improved version of Zhou’s VLR group signature is given. Compared with the original scheme, the improved scheme achieves the same security level while having a shorter signature size and lower computation costs.


Introduction
Group signatures, introduced by Chaum and van Heyst [1], provide anonymity for signers. A group member can sign on behalf of the group; no one can identify the signing member except the group manager (GM).
A group signature scheme generally includes the following steps: Setup, Join, Sign, Verify, and Open. Later, a new step, Revocation, was added [2]. The GM can revoke a dishonest group member with the revocation algorithm. The revoked member cannot sign again on behalf of the group, but its former signatures remain valid.
There are two main revocation methods in group signatures: one is based on witnesses, the other on a revocation list (RL). In witness-based membership revocation [3], the GM publishes a single accumulated value a, and every group member proves in zero knowledge that he/she knows a corresponding witness w to a. It should be hard for users outside the group to forge such witnesses. Revocation schemes in this category are more efficient than RL-based ones, but they share a common drawback: previously issued signatures might not pass the verification algorithm under the current verification keys. In RL-based membership revocation schemes [4], the GM issues a revocation list of identities (public membership keys). Any group member proves in zero knowledge that his/her identity embedded in the signature is not equal to any identity in the RL. The corresponding revocation messages are sent only to verifiers, while the signers are not involved. Since the signer's costs are lower, this approach is suitable for mobile environments where mobile hosts communicate anonymously with servers. This type of group signature is called a Verifier-Local Revocation (VLR) group signature.
The VLR group signature was formalized in [5], which presented a short group signature with VLR based on [6]. Nakanishi et al. [7] pointed out that this scheme did not satisfy backward unlinkability, and proposed another VLR scheme with that property, i.e., group signatures generated by the same group member are unlinkable by anyone except the member and the GM, even after this member has been revoked (his/her revocation token is published). In 2006, Zhou and Lin [8] proposed another VLR group signature scheme (the ZL06 scheme) based on the q-SDH (Strong Diffie-Hellman) assumption and the DTDH (Decisional Tripartite Diffie-Hellman) assumption. The scheme in [8] has a shorter signature size and lower computation costs than those in [7].
In this paper, we improve the ZL06 [8] VLR group signature scheme. Compared with the original scheme, the proposed scheme not only has the same security, i.e., backward unlinkability (BU-anonymity) and traceability, but also has lower computation costs and a shorter signature length.

Definition 1 Bilinear maps:
G are multiplicative cyclic groups of prime order p. ψ is an efficiently computed isomorphism from $G_2$ to $G_1$, with Then e is an efficiently computed bilinear map: 1 2 ' In this paper, we choose 1 2

Definition 2 (q-SDH assumption [5,6]) For all PPT algorithms A, the probability

Definition 3 (DTDH assumption [8]) For all PPT algorithms A, the probability

The model and the security definitions of a VLR group signature scheme with backward unlinkability can be found in [7]; we omit them here. We also need signature proofs of knowledge (SPK), which are described in the literature, such as [5]-[8]; we omit them here as well.

Brief Introduction to ZL06 Scheme
ZL06 VLR group signature scheme [8] is briefly introduced as follows. Suppose n is the number of group members, T is the number of time intervals.
The group public key is 1 ( , , , , , ) [ ] gsk i , M): Group member i does the following:
1 Select random * , ,
2 Generate a signature proof of knowledge V :
The group signature on M signed by group member i at time interval j is

The following lemma implies the above theorem. . The task of B is to decide whether the Z it is given is $g^{abc}$ or $g^{d}$ by communicating with A, as follows.
Setup: B simulates KEYGEN(n, T) as follows: As in the analysis of Lemma 2 in [7], the advantage with which B guesses ω, i.e., the advantage with which B breaks the DTDH assumption, is at least $\left(\frac{1}{nT} - \frac{q_S q_H}{p}\right)\varepsilon$.

Theorem 2. The proposed VLR group signature scheme satisfies traceability in the random oracle model under the q-SDH assumption.
The following lemma implies the above theorem. e g g can be pre-computed. So, the verification requires 3 multi-exponentiations (denoted by ME) and $(2+|RL_j|)$ bilinear maps (denoted by BM). From Table 1, we can see that the signature size of our scheme is about 31% smaller than that of the ZL06 scheme; our scheme also has lower computation costs.

Conclusion
In this paper, we propose a new VLR group signature scheme with backward unlinkability based on the q-SDH assumption and the DTDH assumption. The proposed scheme has lower computation costs and a shorter signature length than the ZL06 scheme, and is applicable to mobile environments such as IEEE 802.1x [9].