Group Signatures with Linking-Based Revocation: A Pragmatic Approach for Efficient Revocation Checks

Group signatures represent an important mechanism for privacy-preserving applications. However, their practical applicability is restricted due to inefficiencies of existing membership revocation mechanisms that place a computational burden and communication overhead on signers and verifiers. In particular, it seems that the general belief (or unwritten law) of avoiding online authorities by all means artificially and unnecessarily restricts the efficiency and practicality of revocation mechanisms in group signature schemes. While a mindset of preventing online authorities might have been appropriate more than 10 years ago, today the availability of highly reliable cloud computing infrastructures could be used to solve open challenges. More specifically, in order to overcome the inefficiencies of existing revocation mechanisms, we propose an alternative approach denoted as linking-based revocation (LBR). The novelty of LBR is its transparency for signers and verifiers that spares additional computations as well as updates. We introduce dedicated revocation authorities (RAs) that can be contacted for efficient (constant time) revocation checks. In order to protect these RAs and to reduce the trust in these authorities, we also introduce distributed controllable linkability such that RAs need to cooperate with multiple authorities to compute the required linking/revocation tokens. Besides efficiency, an appealing benefit of LBR is its generic applicability to pairing-based GSSs secure in the BSZ model and GSSs with controllable linkability. This includes the XSGS scheme, and the GSSs proposed by Hwang et al., one of which has been standardized in the recent ISO 20008-2 standard. Request for Comments This paper will appear in the post-proceedings of the International Conference on Cryptology & Malicious Security 2016 (Mycrypt 2016), which seeks submissions in the context of paradigm-shifting crypto and unconventional solutions to existing problems. As there is still time to prepare the conference version of this paper, we would appreciate any comments on this somehow unconventional proposal of using an online revocation authority to achieve efficient revocation in group signature schemes.