Revocable group signatures with compact revocation list using accumulators

Abstract

Group signatures allow a group member to anonymously sign a message on behalf of the group. One of the important issues is the revocation, and lots of revocable schemes have been proposed so far. The scheme recently proposed by Libert et al. achieves that O(1) or O(logN) efficiency except for the revocation list size (also the revocation cost), for the total number of members N and the number of revoked members R. However, since a signature is required for each subset in the used subset difference method, the size is about 900RBytes in the 128-bit security. In the case of R = 100,000, it amounts to about 80 MB. In this paper, we extend the scheme to reduce the revocation list (also the revocation cost). In the proposed scheme, an extended accumulator accumulates T subsets, which is signed for the revocation list. The revocation list size is reduced by 1/T , although the public key size, membership certificate size and the cost of a witness computation needed for signing increase related to T.