Skip to main content

Dynamic group fuzzy extractor

Abstract

The group fuzzy extractor allows group users to extract and reproduce group cryptographic keys from their individual non-uniform random sources. It can be easily used in group-oriented cryptographic applications. However, current group fuzzy extractors are not dynamic, i.e. they spend a large cost when dealing with user revocation. In this work, we propose the formal definition and construction of dynamic group fuzzy extractor (DGFE) to address this issue. For the revocation, DGFE allows unrevoked group users to reproduce updated group keys from the existing group help data. Meanwhile, it prevents any revoked group user from generating new group keys using the previously authorized individual help data. We propose a DGFE construction based on the revocable group signature. Furthermore, we give formal proofs of reusability, anonymity and traceability of our construction.

Introduction

The fuzzy extractor, initially introduced by Dodis et al. (2008), is a primitive that serves to derive almost random strings from sources with high entropy, like iris (Daugman 2009), face (Parkhi et al. 2015), fingerprint (Marasco and Ross 2014), physically unclonable functions (Suh and Devadas 2007), etc. These sources inherently contain noise, causing two samples from the same source to be close in a certain distance metric but not identical. The fuzzy extractor is proposed to address this noise and consistently generate stable random strings. It comprises two core algorithms: the generation (Gen) and the reproduction (Rep). The Gen algorithm is responsible for extracting an almost random string from the source sample, while the Rep algorithm reproduces this string when given another similar sample.

Fuzzy extractors offer a secure method for extracting stable cryptographic keys without the requirement for private key storage. They present a promising solution for personal key management, enabling users to generate and reproduce the same cryptographic key from their biometric sources. Nevertheless, this solution is not well-suited for the growing popularity of group-oriented applications, including multipoint multimedia online conferences, multiplayer games, cloud file editors, etc. In group-oriented scenarios, users should also have the capability to manage a series of group keys in addition to their personal keys.

Recently, Ma et al. introduced the concept of group fuzzy extractors (GFE) (Ma et al. 2023), aiming at extending the functionality of fuzzy extractors to the group settings. In GFE, any user within the group has the capability to independently and anonymously derive a random string, denoted as R, from his biometric sample. This string R serves as a group key, which can be reproduced by any user within the group. A group manager (GM) is responsible for managing user enrollments and distributing users’ individual help data IPs. By hiding the sensitive information in IPs and group help data P, GFE eliminates the necessity of secure key storage for all group users. Furthermore, GM can trace the user who generates R from the corresponding P. However, the GFE scheme (Ma et al. 2023) encounters the challenge of not supporting user revocation. This presents a substantial security concern for the GFE scheme. A revoked user can still generate and reproduce group keys by utilizing his previously authorized individual help data. While straightforward methods, such as system re-initialization and re-registration of all legal users by GFE scheme (Ma et al. 2023), can deal with this problem, this method introduces substantial computation and communication overheads and renders the existing help data and group keys invalid. In summary, the primary challenge that needs to be addressed is: How can we define and construct a dynamic group fuzzy extractor that supports user revocation at a lower cost?

Our contributions Addressing the above-mentioned problem of user revocation in the group fuzzy extractor, we propose the concept of Dynamic Group Fuzzy Extractor (DGFE). The general idea of DGFE is simply outlined as following: we use the increment of time epoch to mark the event of user revocation. When a user intends to leave the group, the time epoch will increase by one and a revocation list will be computed at the beginning of the new time epoch. To prevent the revoked user from reproducing new group keys using their previous individual help data, DGFE will implicitly refresh all group keys by a modification of the group secret when the time epoch increases. As a result, unrevoked users can still reproduce the correct group keys, whereas revoked users can only reproduce outdated keys that are no longer valid.Footnote 1 Concretely, the contributions are outlined as follows.

  • We propose the formal definition of dynamic group fuzzy extractor (DGFE), extending the functionalities of the group fuzzy extractor (GFE) (Ma et al. 2023) with dynamic group user revocation. Compared to GFE (Ma et al. 2023), DGFE introduces a new primitive: User Revocation, which allows the unrevoked users in the group to reproduce updated group keys from the existing group help data. Meanwhile, it prevents the revoked users from generating new group keys by utilizing their outdated individual help data. The main functionality of user revocation is depicted in Fig. 4. Importantly, the anonymity of users is guaranteed in DGFE, except when the group manager employs the Trace algorithm to revoke the anonymity. Furthermore, we improve security definitions of reusability, traceability, and anonymity for the GFE scheme to accommodate user revocation events.

  • We propose a construction of dynamic group fuzzy extractor incorporating a revocable group signature (RGS) scheme and the concept of time epochs during which users’ joining and revocation events occur, to facilitate the management of the group dynamics. After evaluating various RGS schemes with their pros and cons from complexity and security perspective (as outlined in Sect. 2.3), we find LPY12-RGS scheme (Libert et al. 2012) is most suitable for DGFE construction. Besides, we provide a complexity analysis of various DGFE constructions in Sect. 5.4. Furthermore, to protect the privacy of users’ sensitive biometric information and sensitive group secrets and achieve the reusability, we incorporate public key encryption with private-key-shift security into our DGFE construction. Finally, we give a formal proof of reusability, traceability, and anonymity for our DGFE scheme.

  • We introduce sensitive group file sharing as the typical application scenario for DGFE construction. Besides, we show how to construct group file sharing system with DGFE schemes.

Outline

This paper is organized as follows. In Sect. 2, we summarize the related work of fuzzy extractors, group fuzzy extractors and group signatures. In Sect. 3, we give preliminaries of this work. In Sect. 4, we present formal definition and security properties of DGFE. In Sect. 5, we give the construction of DGFE, and present formal security proofs and a complexity analysis for DGFE construction. In Sect. 6, we use DGFE to construct a group file sharing system to illustrate the potential application of DGFE schemes. In Sect. 7, we conclude the paper and discuss the future work.

Related works

Fuzzy extractor

A fuzzy extractor serves to derive an almost random string from the noisy source. It consists of the generation procedure Gen and the reproduction procedure Rep. Gen takes a sample w, and extracted a string R with a public help data P. Rep takes another sample \(w'\) and the help data P as inputs, reproduces R if w and \(w'\) are sufficiently similar. The idea of fuzzy extractors was first proposed by Dodis et al. (2008) in the information-theoretic security. It indicates that the statistical distance between the distribution of extracted strings and a uniform distribution is negligible. Then Boyen (2004) extended the security definition to reusable fuzzy extractors, which means the adversary can additionally get information of help data generated by adversary-chosen shifted source samples. Fuller et al. (2013) proposed a computational fuzzy extractor with a much longer output random string length, although their security definition was relaxed to computational indistinguishability. Later, many works studied reusability and robustness (Canetti et al. 2016; Wen et al. 2018, 2019) in the computational setting. Reusable fuzzy extractor indicates that even if the adversary gets a series of (RP) pairs generated from samples of the same source, he cannot distinguish the specific \(R^*\) from a uniform distribution. Robust fuzzy extractor considers active adversaries and indicates that Rep is able to detect any modification of the public help data P and output a rejection symbol \(\perp\).

Group fuzzy extractor

With the ever-changing group-oriented application scenarios, Ma et al. (2023) proposed group fuzzy extractor (GFE). Shown as Fig. 1, every group user can extract group keys from the individual noisy source and reproduce group keys from group help data which are generated by arbitrary group users. GFE relies on a role of group manager (GM) to take responsibility for user joining and group secret distribution. A GFE scheme consists of five algorithms: (1) Setup is for system initialization and GM registration. (2) Join is for users joining under the control of GM. (3) Gen is for users generating the group key R and group help data P. (4) Rep is for users or GM reproducing the group key R. (5) Trace is for GM tracing the generator’s identity of a group help data P.

Besides, authors (Ma et al. 2023) designed a group-shared Bitcoin wallet based on GFE. In the Bitcoin wallet scenario, group keys are regarded as private keys for computing wallet addresses to receive coins. By using GFE, users do not need to manage the private keys and store them in private storage. The anonymity of the transfer records is guaranteed, while GM can revoke the anonymity and trace the coin receiver or consumer. Differing from their application of a group-shared Bitcoin wallet (Ma et al. 2023), we introduce a new scenario of group file sharing to exemplify the application of DGFE. In this setting, files are encrypted by extracted group keys. In case of user revocation, group keys are updated and new files are encrypted by new keys which revoked users cannot derive anymore. In Sec. 6, we will present a group file sharing system based on our DGFE scheme.

Fig. 1
figure 1

Functionalities of the group fuzzy extractor in the generation and reproduction algorithms

Group signtures

The group signature (GS) is a crucial primitive being used to construct for GFE (Ma et al. 2023). It provides the anonymity for users in GFE.Gen phase and group identity verification for users in GFE.Rep phase. Furthermore, GM can trace the generator of a group help data P by opening the group signature in P. In this subsection, we present a brief review of group signatures.

Chaum and Van Heyst (1991) proposed the concept of group signatures with following properties: (1) only group members can sign the messages; (2) the receiver can verify the signature but cannot discover the signer; (3) the signature can be opened to reveal the signer in some cases. They proposed four concrete group signature schemes that satisfied above properties. Early works of group signature (Ateniese and Tsudik 1999; Chen and Pedersen 1994; Ateniese et al. 2000) proposed various requirements of unforgeability, anonymity, unlinkability, exculpability, traceability, etc. However, these definitions are informal and partially overlapped in their precise meanings. Bellare et al. (2003) summarized all existing requirements and proposed two core properties of group signatures: full-anonymity and full-traceability. They also discussed the implication between the above requirements and their newly defined properties. However, the group membership is assumed to be static in Bellare et al. (2003), which is not suitable for the practice group applications with membership modification. Bellare et al. (2005) presented a GS scheme with dynamic joining function. How to efficiently fulfill user revocation is a challenge for GS when considering dynamic groups and attracts researchers’ interest.

Bresson and Stern (2001) proposed the first revocable group signature scheme using a group signature scheme of Camenisch and Stadler (1997). Bresson and Stern (2001) and Camenisch and Stadler (1997) relied on the notion of signature of knowledge (SoK) that the signer proves he/she knows a secret value related to the group membership without leaking the sensitive information when signing the signature. Since the proof is efficient both in the signing and verification phases, the non-revocable group signature in Camenisch and Stadler (1997) is efficient. However, Bresson and Stern (2001) realized revocation by collecting the public part of revoked users in a revocation list (RL) and the signer additionally proves that his/her membership is not in the RL. The computation cost of the signing and verification is linear in the size of the RL. Nakanishi et al. (2009) proposed a revocable group signature scheme with constant computation cost but the public key size will be \(O(\sqrt{N})\), where N is the number of group users. Most of SoK based group signatures (Bresson and Stern 2001; Camenisch and Stadler 1997; Nakanishi et al. 2009; Boneh and Shacham 2004) are designed in the random oracle model. Libert et al. (2012) proposed a revocable group signature that offers high efficiency in the computation cost of signing, verifying, and revocation and low storage cost of parameters in the standard model. Due to the outstanding performance of their work, it is used as a primitive in our DGFE.

In above GS schemes, the RL is used both in signing and verification phases. Besides that, researchers have discussed verifier-local revocation GS (VLR-GS) schemes that the RL is only sent to the verifier (Boneh and Shacham 2004; Libert and Vergnaud 2009; Nakanishi and Funabiki 2005). In the VLR-GS, an additional revocation check is executed in the verification. The verifier has to traverse the entire revocation list to confirm that the signer is not revoked. This leads to an extra computation cost. Recent works (Kumar et al. 2015; Rahaman et al. 2017) focused on reducing the computational complexity of VLR-GS. However, an additional limitation of the VLR-GS technique relates to the security aspect of selfless-anonymity. Most VLR-GS satisfy a weakened anonymity security that the adversary is not allowed to query the signing keys of the challenged group users when she queries the corruption oracle.

Another technical approach of RGS is based on accumulators (Helleseth 1994). When users revoke, each unrevoked user updates their secret signing keys with an accumulation of all the revocation information for revoked users. The computation cost of key updating is O(V) both for the unrevoked users and GM in Boneh et al. (2004); Camenisch and Groth (2004); Camenisch et al. (2009), where V denotes the maximum number of revoked users. Fan et al. (2011) reduced the computation cost of key updating for users by pre-calculated public membership information which is calculated by GM and broadcast to users when user revocation occurs.

As mentioned before, LPY-RGS (Libert et al. 2012) is efficient in computation costs of signing and verification, and the storage cost of signatures and user signing keys are constant. It fits the requirements of DGFE. What’s more, their scheme satisfies the security of fully-anonymity and is secure in the standard model. Although LPY-RGS is efficient in the signing and verification phases, the revocation list is storage-consuming. Considering that an updated revocation list needs to be broadcasted at the beginning of each new time epoch, the size of RL will influence the communication cost. To fix this problem, many works (Attrapadung et al. 2014; Nakanishi and Funabiki 2013; Attrapadung et al. 2015; Sadiah and Nakanishi 2017) improve LPY-RGS construction to reduce the size of RL with sacrifices in other efficiency parameters. Besides, Emura and Hayashi (2018); Ohara et al. (2019); Emura and Hayashi (2019) achieved better efficiency in practical rather than in asymptotic sense by using the random oracle. Since the above schemes are all based on the frame of LPY-RGS, we refer to the construction of the original LPY-RGS (Libert et al. 2012) in our DGFE. Since RGS is the most consuming part of DGFE, the efficiency of DGFE can be reduced with the improvement of RGS. We compare some widely discussed RGS schemes in Table 1 to make a summary of this subsection.

Table 1 Comparison of RGS Schemes

Preliminaries

Throughout this work, uppercase letters denote random variables and distributions, and lowercase letters denote samples. \(x\leftarrow X\) denotes sampling x according to X and \(x\leftarrow _{\$} X\) denotes sampling x from X uniformly at random. Calligraphy letters denote sets. Especially, \(U_\mathcal {X}\) denotes a uniform distribution over the set \(\mathcal {X}\). For any non-negative integer \(n>0\), [n] denotes the set \(\{1,2,\cdots , n\}\). PPT is the abbreviation of probabilistic polynomial time. All logarithms are base 2. In addition, we list the notation and their meaning in the following Table 2.

Table 2 Summary of notations

We also refer to the following notions and complexity assumptions.

Metric space A metric space is a finite set \(\mathcal {M}\) with a non-negative distance function dist: \(\mathcal {M}\times \mathcal {M}\rightarrow [0, \infty )\).

Statistical distance The statistical distance between two probability distributions A and B over a set \(\mathcal {M}\) is \(\textsf{SD}(A,B):=\frac{1}{2}\sum _{w\in \mathcal {M}}|\Pr [A=w]-\Pr [B=w]|\).

Min-entropy For any random variable A, the min-entropy is defined as \(\mathsf{{H}}_\infty (A):=-\log (\max _a\Pr [A=a])\).

Average min-entropy For any random variable A given B, the average min-entropy is defined as \(\tilde{\mathsf{H}}_\infty (A|B):=-\log [\mathbb {E}_{b\leftarrow B}(\max _a\Pr [A=a|B=b])]\).

Definition 1

(Average-case Strong Extractor) Let Ext: \(\mathcal {M} \times \mathcal {K} \rightarrow \mathcal {Y}\) be a PPT function. We call Ext an average-case \((\mathcal {M},m,\mathcal {Y}, \epsilon )\)-strong extractor, if for any \(W\in \mathcal {M}\) and \(I\in \mathcal {I}\) satisfying \(\mathsf{\tilde{H}}_\infty (W|I)\ge m\), \(\textsf{SD}((\textsf{Ext}(W, K),K,I), (U_{\mathcal {Y}},K,I))\le \epsilon\), where K and U are uniformly distributions over \(\mathcal {K}\) and \(\mathcal {Y}\), I is an auxiliary variable over its space. Moreover, an extractor Ext is homomorphic if \(\textsf{Ext}(w+\delta )=\textsf{Ext}(w,k)+\textsf{Ext}(\delta ,k)\).

Definition 2

(Secure Sketch (Dodis et al. 2008)) An \((\mathcal {M}, m, \tilde{m}, \tau )\)-secure sketch is a pair of PPT algorithms SS.Gen and SS.Rec such that: SS.Gen takes sample \(w\in \mathcal {M}\) and outputs a sketch s; SS.Rec takes sample \(w'\in \mathcal {M}\) and a sketch s, then outputs \(\tilde{w}\).

It satisfies Correctness to guarantee that if \(\textsf{dist}(w, w')\le \tau\), \(\textsf{Rec}(\mathsf{SS.Gen}(w),w') = w\) and Security to guarantee that for any distribution W over \(\mathcal {M}\) with \(\mathsf{{H}}_\infty (W)\!\ge \! m\), \(\tilde{\mathsf{H}}_{\infty } (W | \mathsf{SS.Gen}(W)) \!\ge \! \tilde{m}\).

Definition 3

(DDH Assumption) For a cyclic group \(\mathbb {G}\) generated by \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\) with order p and generator g, the DDH assumption holds if for any PPT adversary \(\mathcal {A}\), \(\textsf{Adv}_{\mathcal {A}}^\textsf{DDH}:=|\mathcal {A}(\mathbb {G},p,g,g^x,g^y,g^{xy})\Rightarrow 1|-|\mathcal {A}(\mathbb {G},p,g,g^x,g^y,g^{z})\Rightarrow 1|\le \textsf{negl}(1^\lambda )\), where \(x,y,z\leftarrow _{\$}\mathbb {Z}_p\).

Definition 4

(\(\ell\)-FlexDHE Assumption) For a group \(\hat{\mathbb {G}}\) of prime order \(\hat{p}\), given \((\hat{g},\hat{g}_1,\cdots ,\hat{g}_\ell , \hat{g}_{\ell +2},\cdots ,\hat{g}_{2\ell })\in \hat{\mathbb {G}}^{2\ell }\) such that \(\hat{g}_i=\hat{g}^{(\alpha ^i)}\) and \(\alpha \leftarrow _{\$}\mathbb {Z}_{\hat{p}}^*\), the \(\ell\)-FlexDHE problem is to find a non-trivial triple \((\hat{g}^\mu ,\hat{g}_{\ell +1}^\mu ,\hat{g}_{2\ell }^\mu )\in (\hat{\mathbb {G}} \backslash \{1_{\hat{\mathbb {G}}}\})^3\), for some \(\mu \in \mathbb {Z}_{\hat{p}}^*\) and where \(\hat{g}_{\ell +1}=\hat{g}^{(\alpha ^{\ell +1})}\). The \(\ell\)-FlexDHE Assumption holds if for any PPT adversary, the advantage to solve the \(\ell\)-FlexDHE problem is negligible.

Private-key-shift secure public key encryption

The research by Ma et al. (2023) introduced a notion of key-shift secure secret key encryption and demonstrated the key-shift security of ElGamal-type SKE. This security indicates any PPT adversary is unable to retrieve the challenged message m, even when observing a series of ciphertexts of m, which is encrypted by shifted keys \(sk+\delta _i\) with the adversary-chosen shift \(\delta _i\). They also mentioned that ElGamal encryption is a private-key-shift secure PKE. We review their definition with a detailed security proof.

Definition 5

(Private-key-shift Security Ma et al. 2023) A \(\mathsf{PKE}\) scheme with algorithms \(\mathsf{(PKE.Init,PKE.PKGen,PKE.Enc,PKE.Dec)}\) is private-key-shift secure if for all PPT \(\mathcal {A}\), it holds that \(\textsf{Adv}_{\textsf{PKE},\mathcal {A}}^\textsf{ks}(1^\lambda )\!:=\!|\Pr [\textsf{Exp}^\textsf{ks}_{\textsf{PKE},\mathcal {A}}(1^\lambda )\!\Rightarrow 1]-\frac{1}{2} |\le \textsf{negl}(1^\lambda )\) where the \(\textsf{Exp}^\textsf{ks}_{\textsf{PKE},\mathcal {A}}(1^\lambda )\) is in Fig. 2.

Fig. 2
figure 2

Private-key-shift security experiment \(\textsf{Adv}_\textsf{PKE}^\textsf{ks}(1^\lambda )\)

Construction of ElGamal encryption is listed in Fig. 3.

Fig. 3
figure 3

Construction of ElGamal encryption

Lemma 1

If DDH assumption holds, the ElGamal encryption is private-key-shift secure that for any PPT adversary \(\mathcal {A}\), \(\textsf{Adv}_{\textsf{PKE},\mathcal{A}}^\textsf{ks}(1^\lambda )\le \textsf{Adv}^\textsf{DDH}(1^\lambda )\).

Proof

We prove the lemma by demonstrating that if a PPT adversary \(\mathcal {A}\) can compromise the private-key-shift security of ElGamal encryption, then a PPT algorithm \(\mathcal {B}\) can be constructed to solve the DDH problem. \((\mathbb {G},p,g,g^x,g^y,g^z)\) is the DDH challenge tuple, with \(x,y\leftarrow _{\$} \mathbb {Z}_p\). \(\mathcal {B}\) proceeds: (i) \(\mathcal {B}\) sends \(\textsf{pp} = (\mathbb {G},p,g)\) and \(pk= g^x\) to \(\mathcal {A}\), which means \(\mathcal {B}\) implicitly sets x as the private key. (ii) After receiving m from \(\mathcal {A}\), \(\mathcal {B}\) calculates \(c_1 = g^y\), \(c_2=m\cdot g^z\) and returns \(ct=(c_1,c_2)\). (iii) On receiving a query of shift \(\delta _i\), \(\mathcal {B}\) chooses \(r_i\leftarrow _{\$} \mathbb {Z}_p\), \(c_{1, \delta _i}\!=\!g^y\!\cdot \! g^{r_i}\!\), \(c_{2, \delta _i}\!=\!m\!\cdot \! g^z \!\cdot \! g^{xr_i}\!\cdot \! g^{y\delta _i}\!\cdot \! g^{\delta _i r_i}\!\) and returns \(pk_{\delta _i} =g^x\cdot g^{\delta _i}\) with \((c_{1, \delta _i},c_{2, \delta _i})\). (iv) \(\mathcal {B}\) outputs what it gets from \(\mathcal {A}\).

If \(z=xy\), \(\mathcal {B}\) simulates \(\textsf{Exp}^\textsf{ks}_{\textsf{PKE},\mathcal {A}}(1^\lambda )\) when \(\beta = 1\). If \(z\ne xy\), \(\mathcal {B}\) simulates \(\textsf{Exp}^\textsf{ks}_{\textsf{PKE},\mathcal {A}}(1^\lambda )\) when \(\beta = 0\). In this case, \(z\leftarrow _{\$} \mathbb {Z}_p\), \(pk=g^x,\ c_1 = g^y\), \(c_2=m\cdot g^{z}\); \(pk_{\delta _i} \!=\!g^{x+\delta _i}\), \(c_{1, \delta _i}\!=\! g^{y+ r_i}\), \(c_{2, \delta _i}=m\!\cdot \! g^z \!\cdot \! g^{xr_i}\!\cdot \! g^{y\delta _i}\!\cdot \!g^{\delta _i r_i}\) are uniformly distributed. Then, we have \(\textsf{Adv}_\textsf{PKE}^\textsf{ks}(1^\lambda )\le 1/2\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )\le \textsf{negl}(1^\lambda )\). \(\square\)

For the multiple messages version of PKE with \({\textbf {m}}=(m_0,m_1,\cdots ,m_t)\leftarrow \mathcal {A}(\textsf{pp},pk)\), we use \(\textsf{Adv}_{\textsf{PKE}}^{\textsf{ks},t}(1^\lambda )\) denoting the advantage of adversary. On querying \(\delta\), it returns whether \((pk_\delta , {\textbf {ct}}=(\textsf{Enc}(\textsf{pp},pk_\delta , m_0),\cdots ,\textsf{Enc}(\textsf{pp},pk_\delta , m_t)))\) or random ciphertexts from the space, depending on \(\beta\). Using hybrid technique, it is easy to prove that \(\textsf{Adv}_\textsf{PKE}^{\textsf{ks},t}(1^\lambda )\le t\cdot \textsf{Adv}_\textsf{PKE}^\textsf{ks}(1^\lambda )\le \textsf{negl}(1^\lambda )\).

Revocable group signature

Group signatures allow any group user to sign messages anonymously with a group identity, while the group manager (GM) retains the ability to revoke signature anonymity when necessary. Revocable group signatures (RGS) primarily deal with user leaving affairs. There are lots of RGS schemes based on different technical approaches as signature of knowledge (SoK) (Bresson and Stern 2001; Camenisch and Stadler 1997; Nakanishi et al. 2009; Boneh and Shacham 2004), verifier-local revocation (VLR) (Boneh and Shacham 2004; Libert and Vergnaud 2009; Nakanishi and Funabiki 2005; Kumar et al. 2015; Rahaman et al. 2017), accumulator-based (Boneh et al. 2004; Camenisch and Groth 2004; Camenisch et al. 2009; Fan et al. 2011) and LPY-based RGS schemes (Attrapadung et al. 2014; Nakanishi and Funabiki 2013; Attrapadung et al. 2015; Sadiah and Nakanishi 2017; Emura and Hayashi 2018, 2019; Ohara et al. 2019). We make a comparison of these RGS schemes and find that scheme of Libert et al. (2012) proposed a revocable group signature that is efficient in the computation and storage cost, meeting the requirement of DGFE. Due to the outstanding performance of their work, it is used as a primitive in our DGFE. In Sect. 5.1, we will explain in more detail the reason for choosing RGS scheme in Libert et al. (2012).

The lifetime of the RGS system is divided into revocation epochs indexed by t. GM maintains a group state st and a revocation list \(RL_t\) storing information about revoked users. RGS consists:

  • RGS.Setup\((1^\lambda , N)\). It is run by GM. It takes security parameter \(1^\lambda\) and the maximal number of the group user \(N\in \mathbb {N}\) as input. It outputs group public key \(\mathsf{gpk}\), master private key \(\mathsf{msk}\), opening private key \(\mathsf{osk}\), and initializes a public state \(st=\emptyset\) which comprises \({st}_{users}=\emptyset\) and \({st}_{trans}=\emptyset\).

  • RGS.Join\((1^\lambda ,\textsf{gpk},\textsf{msk}, i,st)\). It contains an interactive protocol executed between GM and \(\mathcal {P}_i\) denoted as \(\mathsf{RGS.J}_{\mathcal {P}_i}(1^\lambda ,\mathsf{gpk}) \rightleftharpoons \mathsf{RGS.J}_\mathsf{GM}(1^\lambda ,st, \mathsf{gpk}, \mathsf{msk} )\). After joining, \(\mathcal {P}_i\) gets signing secrets \((\textsf{cert}_i,\textsf{sec}_i)\) and GM updates the group state st.

  • RGS.Revoke\((\textsf{gpk},\textsf{msk},t,\mathcal {V}_t)\). On input \(\textsf{gpk}\), \(\textsf{msk}\), the next epoch t, a set of users to revoke in the next time epoch \(\mathcal {V}_t \in st_{users}\), it outputs \(RL_{t}\) at time t.

  • RGS.Sig\((\textsf{gpk},t,RL_t,\textsf{cert}_i,\textsf{sec}_i, m)\). Group user \(\mathcal {P}_i\) is allowed to use \((\textsf{cert}_i,\textsf{sec}_i)\) to sign message m at epoch t with \(\textsf{gpk}\) and \(RL_t\), it outputs \(\perp\) if \(\mathcal {P}_i \in \mathcal {V}_t\) (\(\mathcal {V}_t\) is an element in \(RL_t\)), otherwise a signature \(\sigma\).

  • RGS.Very\((\textsf{gpk}, m,t,RL_t, \sigma )\). It takes \(\textsf{gpk}\), m, \(\sigma\), the epoch t and the corresponding \(RL_t\) as inputs. It outputs 1 if \(\sigma\) is a signature on m signed by an unrevoked group user at epoch t. Otherwise, it outputs 0.

  • RGS.Open\((\textsf{gpk},\textsf{osk}, m,t,RL_t, \sigma ,st)\). It is run by GM. It takes \(\textsf{gpk}\), \(\textsf{osk}\), m, \(\sigma\), the corresponding t, \(RL_t\) and group state st as inputs. It returns the signer’s identity of \(\sigma\). If opening fails, it returns \(\perp\).

The property of RGS includes security against misidentification attacks, security against framing attacks and fully-anonymity. A detailed explanation of these properties can be found in Libert et al. (2012).

Dynamic group fuzzy extractor

We propose dynamic group fuzzy extractor (DGFE) to achieve effective user revocation. Besides, we give DGFE’s definitions of functionalities and security properties, such as reusability, traceability, and anonymity.

DGFE is a system whose users are PPT Turing machines and could be divided into four types of roles. Group manager (GM) is trusted and takes charge of user joining and leaving. It also maintains the group state. External users are those who have never joined the group. Revoked users are those ready to leave the group or who have left the group at an earlier time epoch. The sensitive information a revoked user holds is outdated. Unrevoked users are those who remain in the group at the current time epoch.

Adversary \(\mathcal {A}\) is a PPT Turing machine, that can neither join the group nor corrupt group members. But \(\mathcal {A}\) tries to break the security of reusability, traceability, and anonymity. \(\mathcal {A}\) tries to obtain sensitive information of users, (RP) pairs and change the system state by querying some oracles. For any user \(\mathcal {P}_i\), \(\mathcal {A}\) is allowed to submitted shifts \(\delta\) and get P, \(\textsf{IP}_i\) generated with shifted samples \(w_i+\delta\). Additionally, \(\mathcal {A}\) can also get sensitive information in \(\textsf{IP}_i\) in traceability and anonymity security experiments.

The lifetime of DGFE system is divided into time epochs. Users can join the group at any epoch. When some users try to leave the group, the time epoch increases by one and GM publishes a revocation list at the beginning of the new time epoch. \(\mathcal {M} =\mathcal {M}_1\times \cdots \mathcal {M}_N \times \mathcal {M}_{g}\) is the metric space where the samples of users and GM come from. User \(\mathcal {P}_i\) samples \(w_i^0\), \(w_i\) from a distribution \(W_i\) over \(\mathcal {M}_i\). For the security of DGFE, we require that \(W_1,\cdots ,W_N,W_{g}\) are independent and \(\textsf{H}_\infty (W_i)\ge m\). The threshold between two samples is denoted by \(\tau\), which means if the distance between two samples is within \(\tau\), they are regarded as homologous samples. \(\mathcal {L}\) is the set of \(RL_t\).

Definition of DGFE

Definition 6

(Dynamic Group Fuzzy Extractor) An \((\mathcal {M}, m, \mathcal {U}, \tau )\)-DGFE for a group \(\mathcal {P} =\{\mathcal {P}_i: i\in [N]\}\) and a GM over metric space \(\mathcal {M}\) consists of six PPT algorithms, and satisfies the following properties of correctness, anonymity, traceability and reusability.

  • \((\textsf{pp}, \textsf{IP}_g, \mathcal {L},\mathcal {C}\mathcal {U},st)\leftarrow \textsf{Setup}(1^\lambda , w_g^0, N)\). Run by GM, on input a security parameter \(1^\lambda\), a sample \(w_g^0 \in \mathcal {M}_g\) and the permitted number of users N, it outputs the group public parameters \(\mathsf{pp}\), a (public) individual help data \(\textsf{IP}_g\) for GM, the revocation list set \(\mathcal {L}=\emptyset\) for revoked users, the initial group state \(st=(\emptyset ,\emptyset )\), and the initial set of the current group user \(\mathcal {C}\mathcal {U} =\emptyset\).

  • \((\textsf{IP}_i, \tilde{st},\tilde{\mathcal {C}\mathcal {U}})/\perp \leftarrow \textsf{Join}(\textsf{pp},(\textsf{IP}_g, w_g ), w_i^0, i,st,\mathcal {C}\mathcal {U})\). It is an interactive protocol run between GM and \(\mathcal {P}_i\). On input \(\textsf{IP}_g\), \(w_g \in \mathcal {M}_g\), \(w_i^0 \in \mathcal {M}_i\), \(\textsf{pp}\), st and \(\mathcal{C}\mathcal{U}\), if \(\textsf{dist}(w_g^0, w_g )\le \tau\), it outputs a (public) individual help data \(\textsf{IP}_i\) for \(\mathcal {P}_i\) and GM outputs the updated \(\tilde{st}\) and \(\tilde{\mathcal {C}\mathcal {U}}\); otherwise, it outputs \(\perp\).

  • \((R,P)/\perp \leftarrow \textsf{Gen}(\textsf{pp}, {(}\textsf{IP}_i, w_i{)},\mathcal {L})\). Run by a user \(\mathcal {P}_i\), on input \(\textsf{IP}_i\), \(w_i \in \mathcal {M}_i\), a revocation list set \(\mathcal {L}\) and \(\mathsf{pp}\), if \(\textsf{dist}(w_i^0, w_i )\le \tau\) and \(\mathcal {P}_i\) is unrevoked, it outputs a pair (RP), where R is an extracted nearly random string whose distribution is indistinguishable with the uniform distribution and P is a public group help data; otherwise, it outputs \(\perp\).

  • \(R/\perp \leftarrow \textsf{Rep}(\textsf{pp},(\textsf{IP}_j, w_j ), P,\mathcal {L})\). Run by a user \(\mathcal {P}_j\), on input \(\textsf{IP}_j\), \(w_j \in \mathcal {M}_j\), a group help data P, the revocation list set \(\mathcal {L}\) and \(\textsf{pp}\), if \(\textsf{dist}(w_j^0, w_j ) \le \tau\) and P is produced by an unrevoked user, it reproduces the string R; otherwise, it outputs \(\perp\).

  • \(i/\perp \leftarrow \textsf{Trace}(\textsf{pp},(\textsf{IP}_g, w_g ), P,\mathcal {L},st)\). Run by GM, on input \(\textsf{IP}_g\), \(w_g\in \mathcal {M}_g\), a group help data P, the group state st, the revocation list set \(\mathcal {L}\) and \(\textsf{pp}\), it returns the identity i of user \(\mathcal {P}_i\) who generates P if \(\textsf{dist}(w_g^0, w_g )\le \tau\) and P is valid; otherwise, it outputs \(\perp\).

  • (\(\tilde{\textsf{IP}}_g,\)\(\{ \tilde{\textsf{IP}_i} \} _{i\in \mathcal {C}\mathcal {U}\backslash \mathcal {V}}, \tilde{\mathcal {L}},\tilde{\mathcal {C}\mathcal {U}})/\perp \leftarrow \textsf{Revoke}(\textsf{pp},(\textsf{IP}_g, w_g), \mathcal {L},\mathcal {V},st, \mathcal {C}\mathcal {U},\{(\textsf{IP}_i, w_i)\}_{i\in \mathcal {C}\mathcal {U}\backslash \mathcal {V}})\). It contains interactive protocols run between GM and unrevoked users. on input \(\textsf{IP}_g\), \(w_g\in \mathcal {M}_g\), revocation list set \(\mathcal {L}\), revoked user set \(\mathcal {V} \subseteq [N]\), samples and \(\textsf{IP}\)s of the unrevoked users \(\{(\textsf{IP}_i, w_i)\}_{i\in \mathcal {C}\mathcal {U}\backslash \mathcal {V}}\), the group state st and \(\mathsf{pp}\), after the interaction, it returns the updated individual help data \(\tilde{\textsf{IP}_i}\) for each \(i\in \mathcal {C}\mathcal {U} \backslash \mathcal {V}\), updated \(\tilde{\mathcal {L}}\), \(\tilde{\mathcal {C}\mathcal {U}}\) and \(\tilde{\textsf{IP}}_g\). It outputs \(\perp\) if \(\mathcal {V}\) contains external users.

Figure 4 shows how DGFE works with user revocation when \(\mathsf{Gen}\) and \(\mathsf{Rep}\) are running in different time epochs. Group help data P is generated in t. In epoch \(t'>t\), all unrevoked users will reproduce the same group key \(R'\) which is updated. The revoked user \(\mathcal {P}_k\) will reproduce group key \(R''\) which is different from \(R'\). If \(\mathsf{Gen}\) and \(\mathsf{Rep}\) run in the same time epoch, DGFE works like traditional GFE.

Fig. 4
figure 4

Main functionality of DGFE

Definition 7

(Correctness for DGFE) A DGFE is correct if it fulfills the following conditions: (1) After a user joins the group, the user can correctly generate group keys and reproduce group keys from previously generated group help data. (2) After user revoking, unrevoked users can correctly reproduce updated group keys even if they are generated by revoked users. (3) After user revoking, the revoked user cannot generate valid group keys. The group keys reproduced by any revoked user are outdated. (4) Any valid group help data can be traced to the correct generator by GM.

Security properties

DGFE satisfies reusability, traceability, and anonymity defined in the following. We formalize security properties through attack experiments involving an adversary \(\mathcal {A}\) and a challenger who assumes the roles of GM and users. During the experiments, \(\mathcal {A}\) will have access to the following oracles.

  • \(\underline{\mathcal {O}_\textsf{SftJoin}(i,\delta )}\). The oracle takes the identity i of a user and a shift \(\delta\) on the sample as inputs. If \(\delta > \tau\), it returns \(\perp\). Otherwise, it returns \(\textsf{IP}_i^\delta\) which is outputed by \(\textsf{Join}(\textsf{pp},(\textsf{IP}_g,w_g),w_i^0+\delta ,i,st,\mathcal {C}\mathcal {U})\). Note that if \(0<\delta \le \tau\), \(\mathcal {O}_\textsf{SftJoin}\) oracle just returns \(\textsf{IP}_i^\delta\) and transcripts in the joining operation. It will not affect the system state. \(\mathcal {P}_i\) is still an external user. If \(\delta = 0\), \(\mathcal {P}_i\) joins the group with no shift on the sample, and the group state will be modified. \(\mathcal {O}_\textsf{SftJoin}\) enables an adversary to observe \(\textsf{IP}_i^\delta\) generated from source readings within the tolerant distance.

  • \(\underline{\mathcal {O}_\textsf{SftGen}(i,\delta )}\). The oracle takes the identity i of an unrevoked user and the shift \(\delta\) as inputs. If \(\textsf{dist}(\delta ,0)\le \tau\), it returns \((R,P)\leftarrow \textsf{Gen}(\textsf{pp},{(} \textsf{IP}_i, w_i^0+\delta {)},\mathcal {L})\); otherwise, it returns \(\perp\). The oracle maintains a query set GSet initialized with \(GSet=\emptyset\). \(\mathcal {O}_\textsf{SftGen}\) enables an adversary to observe the generation results of \(w_i^0+\delta\) without knowing sample \(w_i^0\).

  • \(\underline{\mathcal {O}_\textsf{Trace}(P)}\). The oracle takes group help data P as input and returns the user identity i who generates P. The oracle returns \(\perp\) if P cannot be traced to an identity. \(\mathcal {O}_\textsf{Trace}^{\urcorner (P)}(\cdot )\) means the oracle cannot take P as input.

  • \(\underline{\mathcal {O}_\textsf{Revoke}(\mathcal {V})}\). On input a revoked user set \(\mathcal {V}\), the oracle makes the system revoke \(\mathcal {V}\) and update unrevoked users’ individual help data to \(\{\tilde{\textsf{IP}}_\ell \}_{\ell \in \mathcal {C}\mathcal {U}\backslash \mathcal {V} }\), and returns the transcript. \(\mathcal {O}_\textsf{Revoke}^{\urcorner (i,t_i)}(\cdot )\) means the oracle cannot revoke user \(\mathcal {P}_i\) before time \(t_i\). \(\mathcal {O}_\textsf{Revoke}(\cdot )\) returns \(\perp\) if any user in \(\mathcal {V}\) is an external user.

  • \(\underline{\mathcal {O}_\textsf{Reveal}(i)}\). On input i, the oracle returns sensitive information \(m_i\) protected in \(\textsf{IP}_i\). This oracle manages a corrupt user set CSet, initialized with \(CSet = \emptyset\). The oracle returns \(\perp\) if \(\mathcal {P}_i\) is an external user; otherwise, it adds i to CSet. \(\mathcal {O}_\textsf{Reveal}\) enables an adversary to observe sensitive information related to group key generation of users who have joined the group.

  • \(\underline{\mathcal {O}_\textsf{Time}(\cdot )}\). It returns the current time epoch.

In the experiment, we restrict the number of querying \(\mathcal {O}_\textsf{SftJoin}\), \(\mathcal {O}_\textsf{SftGen}\) and \(\mathcal {O}_\textsf{Revoke}\) with \(Q_\textsf{SftJoin},Q_\textsf{SftGen},Q_\textsf{Revoke}\) respectively.

Definition 8

(Reusability) A DGFE scheme achieves reusability if, for distributions \((W_1,\cdots ,W_N,W_g)\) over \(\mathcal {M}\) that \(\textsf{H}_\infty (W_i)\ge m\), and for any PPT adversary \(\mathcal {A}\), it holds that \(\textsf{Adv}^\textsf{reu}_{\mathcal {A}}(1^\lambda ):=| \Pr [\textsf{Exp}^\textsf{reu}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]- \frac{1}{2} ]| \le \textsf{negl}(1^\lambda )\) where \(\textsf{Exp}^\textsf{reu}_{\mathcal {A}}(1^\lambda )\) is given in Fig. 5.

Fig. 5
figure 5

Experiment for reusability

Reusability indicates that any PPT adversary cannot distinguish an extracted group key \(R^*\) from a random string, even if the adversary can adaptively query \(\mathcal {O}_\textsf{SftGen}\) to get (RP) pairs with slight shifts on the input samples and query \(\mathcal {O}_\textsf{SftJoin},\mathcal {O}_\textsf{Revoke},\mathcal {O}_\textsf{Trace},\mathcal {O}_\textsf{Time}\). It allows group users to extract group keys multiple times.

Definition 9

(Traceability) A DGFE scheme achieves traceability if, for distributions \((W_1,\cdots ,W_N,W_g)\) over \(\mathcal {M}\) that \(\textsf{H}_\infty (W_i)\ge m\), and for any PPT adversary \(\mathcal {A}\), it holds that \(\textsf{Adv}^\textsf{trace}_{\mathcal {A}}(1^\lambda ):=\Pr [\textsf{Exp}^\textsf{trace}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]\le \textsf{negl}(1^\lambda )\) where \(\textsf{Exp}^\textsf{trace}_{\mathcal {A}}(1^\lambda )\) is given in Fig. 6.

Fig. 6
figure 6

Experiment for traceability

Traceability indicates that any PPT adversary cannot forge a group help data \(P^*\) which is not generated by \(\mathcal {O}_\textsf{SftGen}\) and can be traced to an adversary uncontrolled user or a revoked user, even if the adversary can query \(\mathcal {O}_\textsf{Reveal}\) to get users’ sensitive information \((fek,\textsf{cert}_i,\textsf{sec}_i)\). It indicates that external users and revoked users cannot generate valid (RP) pairs.

Definition 10

(Anonymity) A DGFE scheme achieves anonymity if, for distributions \((W_1,\cdots ,W_N,W_g)\) over \(\mathcal {M}\) that \(\textsf{H}_\infty (W_i)\ge m\), and for any PPT adversary \(\mathcal {A}\), it holds that \(\textsf{Adv}^\textsf{anony}_{\mathcal {A}}(1^\lambda ):=|\Pr [\textsf{Exp}^\textsf{anony}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]-\frac{1}{2}|\le \textsf{negl}(1^\lambda )\) where \(\textsf{Exp}^\textsf{anony}_{\mathcal {A}}(1^\lambda )\) is given in Fig. 7.

Fig. 7
figure 7

Experiment for anonymity

Anonymity indicates that under no circumstance should an adversary identify the generator of a valid (RP) pair, even if the adversary can query \(\mathcal {O}_\textsf{Reveal}\) to get user’s sensitive information in \(\textsf{IP}_i\) and \(\mathcal {O}_\textsf{Trace}\) to revoke anonymity except \(P^*\). It guarantees the anonymity of the generator in the group.

Construction of DGFE

We present the construction method of DGFE in this section. Firstly, we present an overall intuition of construction methodology and outline the efficiency requirement of DGFE. Then, we give a comparative analysis of various RGS schemes which is an main component of our DGFE construciton, justifying the selection of the RGS scheme (Libert et al. 2012). Subsequently, we present the detailed construction of DGFE, including correctness analysis and security proofs. At the last, we provide a concrete analysis regarding the asymptotic complexity of various DGFE construction approaches.

High-Level intuition

We design construction of DGFE under the framework of Ma et al. (2023), where individual help data \(\textsf{IP}\)s are generated to store sensitive information, eliminating the necessity of secure storage. In the original design (Ma et al. 2023), a group signature was implied to realize the functionalities of GFE. In our construction of DGFE, we replace this component with a revocable group signature for efficient user revocation. Figure 8 illustrates the ingredient of \(\textsf{IP}_i\) in our DGFE construction. For each user \(\mathcal {P}_i\), a key is extracted from their biometric source , which is then used to encrypt user’s sensitive information \(m_i\). The encrypted message \(ct_i\) and a sketch data \(s_i\) are stored together in \(\textsf{IP}_{i}\). The sensitive information \(m_i\) consists of two parts - the group signing key part and the group secret part. The group signing key part contains \((\textsf{cert}_i,\textsf{sec}_i)\) which are used to generate signatures and prove the signer is an unrevoked group member. The group secret part fek is used to generate group keys. Typically, fek is distributed and updated by GM.

Fig. 8
figure 8

Ingredients of \(\textsf{IP}_i\). \(\textsf{IP}_i\) consists of sketch data \(s_i\) (light-blue-colored) and an encrypted part (yellow-colored) of group secret fek, group signature key \((\mathsf{cert}_i, \mathsf{sec}_i)\), and time epoch t. The fek is distributed by GM and updated in every new time epoch. the \((\mathsf{cert}_i,\mathsf{sec}_i)\) are generated by executing RGS.Join protocol with GM. The t is a synchronous time epoch that is managed by GM

The revocable group signature is a crucial component of DGFE to enable the functionality of user revocation. Since different technical approaches of RGS vary in the complexity of storage cost and computation cost, which directly impact the overall consumption of DGFE, it is imperative to choose an appropriate technical approach of RGS that meets the requirement of DGFE. Then we explain why we have chosen RGS proposed by Libert et al. (2012), referred to as LPY-RGS.

In summary, the efficiency requirements of DGFE are as follows. The computation cost of DGFE.Gen and DGFE.Rep should be low enough since these operations occur frequently during the lifetime of a DGFE scheme. DGFE.Gen involves a RGS.Sign operation and DGFE.Rep involves a RGS.Very operation, implying that the computation cost of signing and verification should be minimized. The functionality of DGFE demands that even if a user leaves the group, the group data generated by the user before the revocation should remain reproducible and traceable. Therefore, the introduced RGS construction is preferred to generate unchanged mskosk for GM and unchanged gsk for the users. Without this property, GM would need to retain all the previous group keys and the mapping relationship of \(\textsf{trans}\) and the user identities. Here, the term \(\textsf{trans}\) denotes the registration transcripts of a user and is retained by GM to trace the signer of signatures, often referred to as reg in certain RGS works. Furthermore, if the mapping relationship is sensitive in a specific RGS scheme, the mapping should either be securely stored or encrypted in \(\textsf{IP}_g\), incurring additional computation and storage costs.

Based on above-mentioned selection criteria of DGFE construction, we give a comparative analysis of various RGS-based DGFE constructions with different type of RGS schemes. As mentioned in Subsect. 2.3, we classify RGS into different types: signature of knowledge (SoK) (Bresson and Stern 2001; Camenisch and Stadler 1997; Nakanishi et al. 2009; Boneh and Shacham 2004), verifier local revocation (VLR) (Boneh and Shacham 2004; Libert and Vergnaud 2009; Nakanishi and Funabiki 2005; Kumar et al. 2015; Rahaman et al. 2017), accumulator-based (Boneh et al. 2004; Camenisch and Groth 2004; Camenisch et al. 2009; Fan et al. 2011) and LPY-based RGS scheme (Attrapadung et al. 2014; Nakanishi and Funabiki 2013; Attrapadung et al. 2015; Sadiah and Nakanishi 2017; Emura and Hayashi 2018, 2019; Ohara et al. 2019). In many SoK-based RGS schemes, the computation cost of the signing and verification is linear in the size of the revocation list (RL), which affects the efficiency of Gen and Rep in DGFE. Although Nakanishi et al. (2009) improved the computation cost of the signing and verification, the size of \(\mathsf{gpk}\) remains large. Additionally, most SoK-based RGS schemes are secure in random oracle model. VLR-GRS schemes add revocation tokens of the revoked user to RL. The verifier executes an additional revocation check for all elements in RL to confirm that the signer is not revoked, affecting the efficiency of Rep in DGFE. ACC-based RGS schemes achieve user revocation by modifying keys in the system and incurs a high cost of key updating for unrevoked users and GM. To realize DGFE.Rep and DGFE.Trace, GM needs to maintain all the previous group keys and the mapping relationship, thus increasing computation and storage costs. LPY-based RGS schemes perform efficiently in signing and verification, and the key management is convenient with no key updating. As a result, compared to other approaches, LPY-based RGS schemes can better meet the selection criteria of DGFE construction. In the following subsection, we give a detailed construction of DGFE based on LPY12 (Libert et al. 2012) RGS scheme. Note that compared to LPY12 (Libert et al. 2012) RGS scheme, a newly designed LPY-based RGS scheme (Sadiah and Nakanishi 2017) performs better in the storage of the revocation list, but sacrifices the efficiency of signing and verification. For a detailed analysis regarding the asymptotic complexity of the DGFE construction incorporating various RGS approaches, refer to Table 3.

Detailed construction

We give the detailed construction of DGFE in this subsection. In our construction, we introduce two primitives: ElGamal-type public key encryption and LPY-revocable group signature (LPY-RGS)(Libert et al. 2012). LPY-RGS relies on structure-preserving signature (SPS) (Abe et al. 2010), which has an algorithm ReRand to publicly randomize signatures but preserves the ability of verifying, and Groth-Sahai (GS) proof systems (Groth and Sahai 2008) which proposes a proof framework on cryptographic pairings. LPY-RGS is efficient with an almost-for-free cost in the computation and storage. It has a binary tree structure with depth \(\ell =\lceil \log N\rceil\). Users are located at leaf nodes. So the signature of path \(C_{v_i}\) from a leaf node \(v_i\) to the root node signed by GM indicates the group membership of user \(\mathcal {P}_i\). A signature is \(\sigma =(\textsf{VK}, \Upsilon _1,\Upsilon _2,\Upsilon _3,\Upsilon _4,\Upsilon _5,\Omega ,\textrm{com},\mathrm{\Pi }, \sigma _{ots})\). The signer generates \((\textsf{VK},\textsf{SK})\), which is the one-time signature key pair to sign the message and outputs \(\sigma _{ots}\), then adds \(\textsf{VK}\) and \(\sigma _{ots}\) to the final revocable signature. \(\Upsilon _1\) to \(\Upsilon _5\) are encrypted messages of \(\textsf{sec}_i\) that can be decrypted by GM with osk to trace the signer. \(\Omega\) is a set of structure-preserving signatures produced by GM. \(\textrm{com}\) is a set of commitments. \(\mathrm{\Pi }\) is the GS proof systems result. \(\Omega , \textrm{com}\) and \(\mathrm{\Pi }\) collaborate to verify that the signature is from an unrevoked group user without leaking the signer’s identity.

We provide graphical representations of Gen, Rep, Join, and Revoke processes in Fig. 9, Fig. 10, Fig. 11, and Fig. 12. These figures describe the data flows and the execution order of various DGFE components, including PKE, RGS, SS, and Ext. We display the major parameters in these figures and omit parameters such as PKE.pp, \(\mathcal{C}\mathcal{U}\), etc.

Fig. 9
figure 9

Process of Gen. Components in group help data P is green-colored

Fig. 10
figure 10

Process of Rep. Components in group help data P is green-colored

Fig. 11
figure 11

Process of Join

Fig. 12
figure 12

Process of Revoke

Our construction includes six algorithms: Setup, Join, Revoke, Gen, Rep, Trace.

Setup shown in Fig. 13 is run by GM to initialize the system and get GM registered. In this phase, GM generates the public parameter for PKE and extracts a random string from its biometric sample as the private key for PKE. GM generates \((\textsf{gpk},\mathsf{msk,\textsf{osk})}\) for RGS, the group secret fek and initializes \(st,\mathcal {L},\mathcal {C}\mathcal {U}\). Finally, GM encrypts \(fek, \textsf{msk},\textsf{osk}\) and epoch \(t=0\) with the public key generated from the extracted private key.

Fig. 13
figure 13

Construction of Setup

Join shown in Fig. 14 is run by GM and a user. User \(\mathcal {P}_i\) extracts a random string from his biometric sample as \(sk_i\) for PKE, generates the public key \(pk_i\), and then sends \(pk_i\) to GM. GM reproduces (fekmsk) and the current time epoch t from \(\textsf{IP}_g\). GM and the user run an interactive protocol of RGS.Join for the user to get membership certificate. GM sends an encrypted message of the group secret and the time epoch to the user. Finally, the user \(\mathcal {P}_i\) encrypts group secret and membership certificate in \(\textsf{IP}_i\) and GM updates group state.

Fig. 14
figure 14

Construction of Join

Revoke shown in Fig. 15 is run by GM and users to revoke some users in the group. On receiving a set of user \(\mathcal {V}\) ready to be revoked in the next time epoch, GM runs RGS.Revoke to generate the revocation list \(RL_{t+1}=(t+1,\mathcal {V}_{t+1},\mathcal {I}_{t+1}^\textsf{revokePath})\) in the next time. The revocation list \(RL_{t+1}\) is a structure that contains the epoch \(t+1\), the revoking user set \(\mathcal {V}_{t+1}\) and the path \(\mathcal {I}_{t+1}^\textsf{revokePath}\) indicating the revoking users’ location in the tree. Then GM randomly chooses y to update the group secret fek and sends encrypted y to unrevoked users. When users receive the messages, they update their \(\textsf{IP}\)s with the new fek and the time epoch.

Fig. 15
figure 15

Construction of Revoke

Gen shown in Fig. 16 is run by any user to extract the group key. Note that if \(\mathcal {L}\) is empty which means no user in the group has revoked, the user only needs to prove the membership certificate (\(C_{v_i}\) in LPY-RGS). If \(\mathcal {L}\) is not empty, in RGS.Sig user also needs to prove that the leaf bound with the user is not in the revocation list.

Fig. 16
figure 16

Construction of Gen

Rep shown in Fig. 17 is run by any user or GM to reproduce group keys. If a group help data P is generated by a revoked user, Rep will return \(\perp\) since RGS.Very fails. A revoked user will reproduce outdated group keys if it tries to reproduce group keys from P.

Fig. 17
figure 17

Construction of Rep

Trace shown in Fig. 18 is run by GM to revoke anonymity of DGFE. It returns the identity of user who generates P.

Fig. 18
figure 18

Construction of Trace

Theorem 1

If the DDH assumption holds with the group \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\) and the underlying SS is an \((\mathcal {M}, m, \tilde{m}, \tau )\)-secure sketch, Ext is a homomorphic average-case \((\mathcal {M},\tilde{m},\mathcal {K}_{sk},\epsilon )\)-strong extractor with a negligible \(\epsilon\), PKE is private-key-shift secure with private key space \(\mathcal {K}_{sk}\), LPY-RGS is secure under \(\ell\)-FlexDHE assumptions, then, our construction is an \((\mathcal {M}^{N+1}, m, \mathbb {G}, \tau )\)-dynamic group fuzzy extractor with reusability, traceability, and anonymity, where N is the maximum number of group users, \(\ell =\lceil \log N\rceil\).

Proof

The proof is presented in the subsequent subsection. \(\square\)

Correctness and security

The correctness of DGFE construction follows from the correctness of secure sketch, public key encryption and revocable group signature. If \(\textsf{dist}(w_i^0,w_i)\le \tau\), \(w_i^0\) is correctly recovered and the private key of PKE is extracted. User \(\mathcal {P}_i\) obtains fek, \(\textsf{cert}_i\) and \(\textsf{sec}_i\) from the \(\textsf{IP}_i\). The correctness of RGS allows \(\mathcal {P}_i\) to generate group keys and group help data. Since \(\mathcal {P}_i\) possesses current fek, the user can correctly reproduce group keys. After user revocation, fek for the unrevoked users is updated. The reproduced group keys are updated for the unrevoked users, while that is outdated for the revoked users. The revocable group signature scheme ensures that signatures forged by revoked users fail in the verification phase, thereby invalidating the group keys generated by them. The correctness of the open algorithm within the RGS scheme guarantees that valid help data can be traced back to the correct generator by GM. In summary, our construction of DGFE is correct.

Then, we prove the reusability, traceability, and anonymity.

Lemma 2

(Reusability) If the DDH assumption holds with the group \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\) and the underlying SS is an \((\mathcal {M}, m, \tilde{m}, \tau )\)-secure sketch, Ext is a homomorphic average-case \((\mathcal {M},\tilde{m},\mathcal {K}_{sk},\epsilon )\) -strong extractor with a negligible \(\epsilon\), PKE is private-key-shift secure with private key space \(\mathcal {K}_{sk}\), LPY-RGS is revocable group signature, then the construction of DGFE is reusable.

Proof

We prove the reusability through a sequence of games played between a PPT adversary \(\mathcal {A}\) and a challenger \(\mathcal {C}\). In all games, \(\mathcal {C}\) acts as GM and users \(\mathcal {P}_i\), providing algorithm results, oracle results and challenge for \(\mathcal {A}\). We use \(Q_\textsf{SftJoin},Q_\textsf{SftGen},Q_\textsf{Revoke}\) to denote the numbers of querying \(\mathcal {O}_\textsf{SftJoin}\), \(\mathcal {O}_\textsf{SftGen}\), \(\mathcal {O}_\textsf{Revoke}\). \(\Pr [\textbf{G}_j\Rightarrow 1 ]\) denotes the probability that game \(\textbf{G}_j\) outputs 1. In the following proofs, we omit public parameter \(\mathsf{PKE.pp}\) in PKE.PKGen, PKE.Enc, and PKE.Rec. We omit public parameter \(\textsf{pp}\) and revocation list set \(\mathcal{L}\) in \(\textsf{Gen}\).

\(\boxed {\hbox { Game } \textbf{G}_0}\) \(\textbf{G}_0\) is the original reusability experiment. It runs as following:

  1. 1.

    \(\mathcal {C}\) samples \(w_g^0\leftarrow _{\$} W_g\),\(\{w_i^0\leftarrow _{\$} W_i\}_{i\in N}\), \(\beta \leftarrow _{\$} \{0,1\}\) privately.

  2. 2.

    \(\mathcal {C}\) sets \(t=0\), \(\mathcal {C}\mathcal {U}=\emptyset ,\mathcal {L}=\emptyset\), runs \((\textsf{gpk},\textsf{msk},\textsf{osk},st)\leftarrow \mathsf{RGS.Setup}(1^\lambda ,N)\), \(\mathsf{PKE.pp} \leftarrow \mathsf{PKE.Init}(1^\lambda )\).

  3. 3.

    \(\mathcal {C}\) samples \(k \leftarrow _{\$} \mathcal {K}_\textsf{EXT}\), and calculates \(s_g=\mathsf{SS.Gen}(w_g^0)\), \(sk_g=\textsf{Ext}(w_g^0,k)\), \(\ pk_g\leftarrow \mathsf{{PKE.}PKGen}(sk_g)\).

  4. 4.

    \(\mathcal {C}\) samples \(fek \leftarrow _{\$} \mathbb {Z}_p\), and sets \(m_g=(fek, \textsf{msk},\textsf{osk},t)\).

  5. 5.

    \(\mathcal {C}\) calculates \(ct_g\leftarrow \mathsf{PKE.Enc}(pk_g,m_g)\).

  6. 6.

    \(\mathcal {C}\) sets \(\textsf{pp}=(\textsf{gpk},\mathsf{PKE.pp},k)\), \(\textsf{IP}_g=(ct_g,s_g)\).

  7. 7.

    For each \(i\in [N]\): \(\mathcal {C}\) calculates \(sk_i = \textsf{Ext}(w_i^0,k)\).

  8. 8.

    \(i^* \leftarrow\) \(\mathcal {A}^{\mathcal {O}_\textsf{SftJoin},\mathcal {O}_\textsf{Revoke},\mathcal {O}_\textsf{SftGen},\mathcal {O}_\textsf{Trace},\mathcal {O}_\textsf{Time}}(\textsf{pp})\). If \(i^*\notin \mathcal {C}\mathcal {U}\), \(\mathcal {A}\) reruns this step. Else, sends i to \(\mathcal {C}\).

  9. 9.

    \(\mathcal {C}\) calculates \((R^*,P^*)\leftarrow \textsf{Gen}(\tilde{\textsf{IP}}_{i^*},w_{i^*})\).

  10. 10.

    if \(\beta =1\), return \(ch=(R^*,P^*)\); else, return \(ch=(U,P^*)\) where \(U\leftarrow _{\$} \mathcal {R}\).

  11. 11.

    \(\beta '\leftarrow \mathcal {A}^{\mathcal {O}_\textsf{SftJoin},\mathcal {O}_\textsf{Revoke},\mathcal {O}_\textsf{SftGen},\mathcal {O}_\textsf{Trace},\mathcal {O}_\textsf{Time}}(\textsf{pp},ch)\).

  12. 12.

    If \(\beta =\beta '\), output 1; else, output 0.

  13. 13.

    \(\mathcal {C}\) simulates oracle \(\mathcal {O}_\textsf{SftJoin}(i,\delta )\) as:

    1. (a)

      If \(\delta > \tau\), \(\mathcal {C}\) returns \(\perp\).

    2. (b)

      \(s_i^\delta \!=\!\mathsf{SS.Gen}(w_i^0\!+\!\delta )\),\(sk_i^\delta \!=\!\textsf{Ext}(w_i^0\!+\!\delta ,k)\),\(pk_i^\delta \!\leftarrow \!\mathsf{PKE.{P}KGen}(sk_i^\delta )\), publish \(pk_i^\delta\).

    3. (c)

      \(\textsf{IP}_g=(ct_g,s_g)\), \(w_g^0=\mathsf{SS.Rec}(s_g,w_g)\), \(sk_g=\textsf{Ext}(w_g^0,k)\), \(m_g\leftarrow\) \(\textsf{PKE.Dec}\) \((sk_g,ct_g)\), parse \(\ m_g=(fek,\textsf{msk},\textsf{osk},t)\).

    4. (d)

      \(\mathsf{RGS.J_{user}}(1^\lambda ,\textsf{gpk}) \rightleftharpoons\) \(\mathsf{RGS.J_{GM}}(1^\lambda ,st, \textsf{gpk}, \textsf{msk} )\).

    5. (e)

      \(\bar{ct_i^\delta }\leftarrow\) \(\textsf{PKE.Enc}\) \((pk_i^\delta ,(fek,t))\), publish \(\bar{ct_i^\delta }\).

    6. (f)

      \(m_i=(fek,\textsf{cert}_i,\textsf{sec}_i,t)\), \(ct_i^\delta \leftarrow\) \(\textsf{PKE.Enc}\) \((pk_i^\delta ,m_i)\).

    7. (g)

      If \(\delta =0\), \(st_{users} = st_{users}\cup (pk_i,i)\), \({st}_{trans}={st}_{trans}||<i,\textsf{transcript}_i>\).

    8. (h)

      Return \(\textsf{IP}_i^\delta =(ct_i^\delta ,s_i^\delta )\).

  14. 14.

    \(\mathcal {C}\) simulates oracle \(\mathcal {O}_\textsf{SftGen}(i,\delta )\) as:

    1. (a)

      If \(\delta > \tau\) or \(i\notin \mathcal {C}\mathcal {U}\), return \(\perp\).

    2. (b)

      \(\textsf{IP}_i=(ct_i,s_i)\), \(w_i^0=\mathsf{SS.Rec}(s_i,w_i^0+\delta )\), \(sk_i=\textsf{Ext}(w_i^0,k)\), \(m_i\leftarrow\) \(\textsf{PKE.Dec}\) \((sk_i,ct_i)\), parse \(m_i=(fek,\textsf{cert}_i,\textsf{sec}_i,t)\).

    3. (c)

      \(x\leftarrow _{\$} \mathbb {Z}_p,\ X=g^x,\ R=X^{fek}\).

    4. (d)

      \(\sigma \leftarrow\) \(\textsf{RGS.Sig}\) \((\textsf{gpk},t,RL_t,\textsf{cert}_i,\textsf{sec}_i,X)\).

    5. (e)

      \(P:=(X,t,\sigma )\), Return \((R,\,P)\).

  15. 15.

    \(\mathcal {C}\) simulates oracle \(\mathcal {O}_\textsf{Trace}(P)\) as:

    1. (a)

      Parse \(\textsf{IP}_g=(ct_g,s_g),\ P=(X,t,\sigma )\), \(w_g^0={\textsf{SS.Rec}}\) \((s_g,w_g),\ sk_g={\textsf{Ext}}\) \((w_g^0,k),\) \(m_g\leftarrow\) \(\textsf{PKE.Dec}\) \((sk_g,ct_g)\), parses \(m_g=(fek,\textsf{msk},\textsf{osk},t)\).

    2. (b)

      Return \(\textsf{RGS.Open}\) \((\textsf{gpk},\textsf{osk},X,t,RL_t,\sigma ,st)\).

  16. 16.

    \(\mathcal {C}\) simulates oracle \(\mathcal {O}_\textsf{Revoke}(\mathcal {V})\) as:

    1. (a)

      If \(\mathcal {V}\backslash st_{users}\ne \emptyset\), return \(\perp\).

    2. (b)

      \(\textsf{IP}_g=(ct_g,s_g)\), \(w_g^0=\mathsf{SS.Rec}(s_g,w_g)\), \(sk_g=\textsf{Ext}(w_g^0,k)\), \(m_g\leftarrow \mathsf{PKE.Dec}(sk_g,ct_g)\), parse \(m_g=(fek,\textsf{msk},\textsf{osk},t)\). \(RL_{t}=(t,\mathcal {V}_{t},\mathcal {I}_{t}^\textsf{revokePath})\),\(\mathcal {V}_{t+1}=\mathcal {V}\cup \mathcal {V}_{t}\).

    3. (c)

      \(RL_{t+1}\leftarrow \mathsf{RGS.{R}evoke}(\textsf{gpk},\textsf{msk},t,\mathcal {V}_{t+1})\).

    4. (d)

      \(\mathcal {L}=\mathcal {L}\cup RL_{t+1}\), \(\mathcal {C}\mathcal {U}=\mathcal {C}\mathcal {U}\backslash \mathcal {V}\), \(y\leftarrow _{\$} \mathbb {Z}_p,\ t'=t+1\).

    5. (e)

      For \(i \in \mathcal {C}\mathcal {U}\): \(\textsf{IP}_i=(ct_i,s_i)\), \(w_i^0=\mathsf{SS.Rec}(s_i,w_i)\), \(sk_i=\textsf{Ext}(w_i^0,k)\), \(m_i\leftarrow \mathsf{PKE.Dec}(sk_i,ct_i)\), parses \(m_i=(fek,\textsf{cert}_i,\textsf{sec}_i,t)\). Calculate \(m_i'=(fek\cdot y,\textsf{cert}_i,\textsf{sec}_i,t')\), \(ct_i'\leftarrow \mathsf{PKE.Enc}(pk_i,m_i')\). Update \(\tilde{\textsf{IP}}_i=(ct_i',s_i)\).

    6. (f)

      \(m_g'\!=\!(fek\cdot y,\textsf{msk},\textsf{osk},t')\), \(ct_g'\!\leftarrow \! \mathsf{PKE.Enc}(pk_g,m_g')\). Update \(\tilde{\textsf{IP}}_g=(ct_g',s_g)\).

The challenger simulates sources for GM and users \(\mathcal {P}_i\) as \(W_g\) and \(\{w_i^0\leftarrow _{\$} W_i\}_{i\in [N]}\) respectively and runs RGS.Setup to get \(\mathsf{gpk,msk,osk}\). Since \(\mathcal {C}\) generates all the private information by itself, it can perfectly answer queries from \(\mathcal {A}\).

\(\boxed {\hbox {Game} \textbf{G}_1}\) In \(\textbf{G}_1\), the modification is about \(\mathcal {C}\)’s action on answering \(\mathcal {O}_\textsf{SftGen}\), \(\mathcal {O}_\textsf{SftJoin}\) and \(\mathcal {O}_\textsf{Trace}\). For \(\mathcal {O}_\textsf{SftGen}\), instead of using \(w_i^0+\delta\) to recover \(w_i^0\), extracting \(sk_i\) and then decrypt \(ct_i\) in \(\textsf{IP}_i\) for \(\mathcal {P}_i\), challenger directly use \(m_i=(fek,\textsf{cert}_i,\textsf{sec}_i,t)\) generated in \(\mathcal {O}_\textsf{SftJoin}\).(f) or the perspective \(m_i'\) updated in \(\mathcal {O}_\textsf{Revoke}\).(e). For \(\mathcal {O}_\textsf{SftJoin}\) and \(\mathcal {O}_\textsf{Trace}\), instead of using \(m_g\) decrypted from \(ct_g\) in \(\textsf{IP}_g\), \(\mathcal {C}\) uses \(m_g=(fek,\textsf{msk},\textsf{osk},t)\) generated in 4 or \(m_g'\) updated in \(\mathcal {O}_\textsf{Revoke}\).(f). If the shift on input \(\delta\) is within the threshold \(\tau\), secure sketch correctly recover \(w_i^0\) and \(w_g^0\), and \(\Pr [\textbf{G}_0\Rightarrow 1]=\Pr [\textbf{G}_1\Rightarrow 1]\).

\(\boxed {\hbox { Game } \textbf{G}_2}\) In \(\textbf{G}_2\), the modification is about \(\mathcal {C}\)’s action on answering the \(\mathcal {O}_\textsf{SftJoin}\). In \(\mathcal {O}_\textsf{SftJoin}\).(b), the computation of \(sk_i^\delta\) will be \(\underline{sk_i^\delta =sk_i+\textsf{Ext}(\delta ,k)}\). Since randomness extractor is homomorphic, \(\Pr [\textbf{G}_1\Rightarrow 1]=\Pr [\textbf{G}_2\Rightarrow 1]\).

\(\boxed {\hbox { Game } \textbf{G}_3}\) In \(\textbf{G}_3\), the modification is about \(\mathcal {C}\)’s action on experiment setup phase and answering the \(\mathcal {O}_\textsf{SftJoin}\). It modifies 7 as \(\underline{\bar{sk}_i\leftarrow _{\$} \mathcal {S}\mathcal {K}_\textsf{PKE}}\) and \(\mathcal {O}_\textsf{SftJoin}\).(b) as \(\underline{sk_i^\delta =\bar{sk}_i+\textsf{Ext}(\delta ,k)}\). Since Ext is average-case \((\mathcal {M},\tilde{m},\mathcal {S}\mathcal {K},\epsilon )\)-strong extractor and \(\mathcal {A}\) can query \(\mathcal {O}_\textsf{SftJoin}\) at most \(Q_\textsf{ShtJoin}\) times, we have\(|\Pr [\textbf{G}_2\Rightarrow 1] - \Pr [\textbf{G}_3\Rightarrow 1] | \le Q_\textsf{SftJoin}\cdot \epsilon\).

\(\boxed {\hbox { Game } \textbf{G}_4}\) In \(\textbf{G}_4\), the modification is about \(\mathcal {C}\)’s action on answering the \(\mathcal {O}_\textsf{SftJoin}\). It modifies \(\mathcal {O}_\textsf{SftJoin}\).(e,f) with \(\underline{\bar{ct_i^\delta }\leftarrow _{\$} \mathcal {C}\mathcal {T}_\textsf{PKE}}\), \(\underline{ct_i^\delta \leftarrow _{\$} \mathcal {C}\mathcal {T}_\textsf{PKE}}\).

Proposition 2

\(|\Pr [\textbf{G}_3\Rightarrow 1] - \Pr [\textbf{G}_4\Rightarrow 1] | \le 2N\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\)

Proof

We refer a series of games \(\textbf{G}_{4,j}\) where \(j \in [N]\) to prove this proposition. \(\textbf{G}_{4,j}\) is identical to \(\textbf{G}_{3}\) except the operation of \(\mathcal {C}\) in \(\mathcal {O}_\textsf{SftJoin}\). For each \(j\in [N]\), in \(\mathcal {O}_\textsf{SftJoin}\).(e,f), if \(i>j\), \(\bar{ct_i^\delta }\leftarrow \mathsf{PKE.Enc}(pk_i^\delta ,(fek,t))\), \(ct_i^\delta \leftarrow\) PKE.Enc\((pk_i,m_i)\); if \(i \le j\), \(\bar{ct_i^\delta }\leftarrow \mathcal {C}\mathcal {T}_\textsf{PKE}\), \(ct_i^\delta \leftarrow \mathcal {C}\mathcal {T}_\textsf{PKE}\). For \(j=0\), \(\textbf{G}_{4,0}\) is identical the \(\textbf{G}_{3}\); for \(j=N\), \(\textbf{G}_{4,N}\) is identical the \(\textbf{G}_{4}\). We have \(\textbf{G}_{4,j-1}\) and \(\textbf{G}_{4,j}\) is indistinguishable, that is \(|\Pr [\textbf{G}_{4,j-1}\Rightarrow 1] - \Pr [\textbf{G}_{4,j}\Rightarrow 1] | \le 2\textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\). The proof is to construct a PPT algorithm \(\mathcal {B}\) that breaks the private-key-shift security of private-key-shift secure PKE by invoking a PPT algorithm \(\mathcal {A}\) which is supposed to distinguish \(\textbf{G}_{4,j-1}\) and \(\textbf{G}_{4,j}\).

\(\mathcal {B}\) proceeds: (i) \(\mathcal {B}\) acts the role of challenger in \(\textbf{G}_{3}\). By receiving the public parameter from private-key-shift secure PKE challenger, \(\mathcal {B}\) samples \(w_g^0\leftarrow _{\$} W_g\),\(\{w_i^0\leftarrow _{\$} W_i\}_{i\in [N]}\) and calculates all information used in the experiment by itself except the \(sk_j\) for user \(\mathcal {P}_j\) in 7 and the results of \(\mathcal {O}_\textsf{SftJoin}(j,\delta )\) for \(\mathcal {P}_j\). (ii) For simulation of \(\mathcal {P}_j\), \(\mathcal {B}\) gets \(pk_j\) from PKE, sends (fekt) and \(m_j\) as the multiple messages. For \(\mathcal {O}_\textsf{SftJoin}(j,\delta )\), \(\mathcal {B}\) queries \(O_\textsf{Enc}(\delta )\) of private-key-shift secure PKE to get \(\bar{ct_j^\delta }\) and \(ct_j^\delta\). (iii) Finally, \(\mathcal {B}\) returns what \(\mathcal {A}\) outputs.

If all queries from private-key-shift secure PKE challenger is the real ciphertexts (\(\beta\) in \(\textsf{Exp}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\) is 1), \(\mathcal {B}\) simulates \(\textbf{G}_{4,j-1}\) perfectly. If all queries from private-key-shift secure PKE challenger is randomly chosen in the ciphertexts space (\(\beta\) in \(\textsf{Exp}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\) is 0), \(\mathcal {B}\) simulates \(\textbf{G}_{4,j}\) perfectly.

So, we have \(|\Pr [\textbf{G}_{4,j-1}\Rightarrow 1] - \Pr [\textbf{G}_{4,j}\Rightarrow 1] | \le 2\textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\). By hybrid games, Proposition. 2 follows. \(\square\)

\(\boxed {\hbox { Game } \textbf{G}_5}\) In \(\textbf{G}_5\), the modification is about ciphertexts. In 5, it modifies the ciphertext as \(\underline{ct_g\leftarrow _{\$} \mathcal {C}\mathcal {T}_\textsf{PKE}}\), and in \(\mathcal {O}_\textsf{Revoke}\).(e,f) as \(\underline{ct_i'\leftarrow _{\$} \mathcal {C}\mathcal {T}_\textsf{PKE}}\), \(\underline{ct_g'\leftarrow _{\$} \mathcal {C}\mathcal {T}_\textsf{PKE}}\). We separate \(\textbf{G}_5\) into \(\textbf{G}_{5,0}\) and \(\textbf{G}_{5,1}\) to modify ciphertexts of GM and unrevoked users respectively. Suppose adversary can query \(\mathcal {O}_\textsf{Revoke}\) at most \(Q_\textsf{Revoke}\) times. By Lemma. 1, \(|\Pr [\textbf{G}_{4}\Rightarrow 1] - \Pr [\textbf{G}_{5,0}\Rightarrow 1] | \le N\cdot Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\), \(|\Pr [\textbf{G}_{5,0}\Rightarrow 1] - \Pr [\textbf{G}_{5,1}\Rightarrow 1] | \le Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\), \(|\Pr [\textbf{G}_{4}\Rightarrow 1] - \Pr [\textbf{G}_{5}\Rightarrow 1] | \le (N+1)\cdot Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\).

\(\boxed {\hbox { Game } \textbf{G}_6}\) In \(\textbf{G}_6\), the modification is about \(\mathcal {C}\)’s action on answering the \(\mathcal {O}_\textsf{SftGen}\). It modifies \(\mathcal {O}_\textsf{SftGen}\).(c) as \(x\leftarrow _{\$} \mathbb {Z}_p,\ X=g^x\), \(\underline{R\leftarrow _{\$}\mathbb {Z}_p}\). If DDH assumption holds, suppose adversary can query \(\mathcal {O}_\textsf{SftGen}\) at most \(Q_\textsf{SftGen}\) times, so that \(|\Pr [\textbf{G}_{5}\Rightarrow 1] - \Pr [\textbf{G}_{6}\Rightarrow 1] | \le Q_\textsf{SftGen}\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )\).

Observe that in \(\textbf{G}_6\), all messages returned to adversary in queries are chosen random uniformly. If a PPT adversary \(\mathcal {A}\) can win \(\textbf{G}_{6}\), then there exists a PPT \(\mathcal {B}\) that breaks the DDH assumption.

Given the challenge tuple \((\mathbb {G},p,g,g^x,g^y,g^z)\) from DDH challenger, \(\mathcal {B}\) proceeds as follows. (i) \(\mathcal {B}\) acts the role of challenger in \(\textbf{G}_{6}\), replaces \(\mathsf{PKE.pp}\) with the received \((\mathbb {G},p,g)\). (ii) On receiving the challenged user i from \(\mathcal {A}\), \(\mathcal {B}\) implicitly set \(fek = y\) and \(\bar{X}=g^x\), \(\bar{R}=g^z\), then generates signing key of \(\mathcal {P}_i\) and signs \(\sigma \leftarrow \mathsf{RGS.Sig}(\textsf{gpk},t,RL_t,\textsf{cert}_i,\textsf{sec}_i,\bar{X})\). \(\mathcal {B}\) makes \(\bar{P}=(\bar{X},t,\sigma )\) and returns \(ch =(\bar{P},\bar{R})\) (iii) On receiving any query from \(\mathcal {A}\), \(\mathcal {B}\) returns as queries in \(\textbf{G}_{5}\). (iv) \(\mathcal {B}\) outputs what it gets from \(\mathcal {A}\).

If \(z=xy\), \(\mathcal {B}\) perfectly simulates \(\textbf{G}_{6}\) when \(\beta = 1\). If \(z=d\), where \(d\leftarrow _{\$}\mathbb {Z}_p\), \(\mathcal {B}\) perfectly simulates \(\textbf{G}_{6}\) when \(\beta = 0\). \(\textsf{Adv}^\textsf{DDH}_{\mathcal {B}}(1^\lambda )= |\Pr [\mathcal {B} (\mathbb {G},p,g,g^x,g^y,g^d)\Rightarrow 1 ]-\Pr [\mathcal {B} (\mathbb {G},p,g,g^x,g^y,g^{xy})\Rightarrow 1 ]| = |\Pr [\textbf{G}_{6}\Rightarrow 1| \beta = 0]-\Pr [\textbf{G}_{6}\Rightarrow 1| \beta = 1]|\).

When \(\beta = 0\), all the public messages are randomly chosen, so we have \(| \Pr [\textbf{G}_{6}\Rightarrow 1| \beta = 1]-\Pr [\textbf{G}_{6}\Rightarrow 1| \beta = 0]|=| \Pr [\textbf{G}_{6}\Rightarrow 1| \beta = 1]-\frac{1}{2}|=\textsf{Adv}^\textsf{DDH}_{\mathcal {B}}(1^\lambda )\le \textsf{negl}(1^\lambda )\). The advantage of \(\mathcal {A}\) winning in \(\mathbb {G}_6\) is \(|\Pr [\textbf{G}_{6}\Rightarrow 1]-\frac{1}{2}| = |\Pr [\textbf{G}_{6}\Rightarrow 1 | \beta = 0]\Pr [\beta = 0]+\Pr [\textbf{G}_{6}\Rightarrow 1 | \beta = 1]\Pr [\beta = 1]-\frac{1}{2}| = \frac{1}{2}(\Pr [\textbf{G}_{6}\Rightarrow 1 | \beta = 1]-\frac{1}{2})\le \frac{1}{2}\textsf{Adv}^\textsf{DDH}(1^\lambda ).\)

Finally, we have \(\textsf{Adv}^\textsf{reu}_{\mathcal {A}}:= |\Pr [\textsf{Exp}^\textsf{reu}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]- \frac{1}{2}| = |\Pr [\textbf{G}_0 \Rightarrow 1]- \frac{1}{2}| \le Q_\textsf{SftJoin}\cdot \epsilon + 2N\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda ) + (N+1)\cdot Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )+ Q_\textsf{SftGen}\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )+\frac{1}{2} \textsf{Adv}^\textsf{DDH}(1^\lambda )\le \textsf{negl}(1^\lambda )\). \(\square\)

Lemma 3

(Traceability) If the DDH assumption holds with the group \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\) and the underlying SS is an \((\mathcal {M}, m, \tilde{m}, \tau )\)-secure sketch, Ext is a homomorphic average-case \((\mathcal {M},\tilde{m},\mathcal {K}_{sk},\epsilon )\) -strong extractor with a negligible \(\epsilon\), PKE is private-key-shift secure with private key space \(\mathcal {K}_{sk}\), LPY-RGS is secure under \(\ell\)-FlexDHE assumption, then the construction of DGFE is traceable, where N is the maximum number of group users, \(\ell =\lceil \log N\rceil\).

Proof

We prove the traceability through games. \(Q_\textsf{SftJoin}\), \(Q_\textsf{SftGen}\) and \(Q_\textsf{Revoke}\) denote numbers of querying \(\mathcal {O}_\textsf{SftJoin}\), \(\mathcal {O}_\textsf{SftGen}\), \(\mathcal {O}_\textsf{Revoke}\) oracles.

\(\boxed {\hbox { Game } \textbf{G}_0}\) \(\textbf{G}_0\) is the original traceability experiment. Adversary is additionally given the \(\mathcal {O}_\textsf{Reveal}\) to get users’ sensitive information \(m_i\) containing fek and the signing secret \(\textsf{cert}_i\), \(\textsf{sec}_i\) and t, which are protected in \(\textsf{IP}_i\). Challenger will add the compromised users queried by \(\mathcal {O}_\textsf{Reveal}\) to CSet.

\(\boxed {\hbox { Game } \textbf{G}_1-\textbf{G}_5}\) The change in \(\textbf{G}_1\) to \(\textbf{G}_4\) are exactly the same with that in the reusability games. Especially, in \(\textbf{G}_1\), challenger returns up to date \(m_i = (fek, \textsf{cert}_i, \textsf{sec}_i, t)\) rather than decrypting from \(ct_i\) in \(\mathcal {O}_\textsf{Reveal}\). We have \(\Pr [\textbf{G}_0\Rightarrow 1]=\Pr [\textbf{G}_1\Rightarrow 1]=\Pr [\textbf{G}_2\Rightarrow 1]\), \(|\Pr [\textbf{G}_2\Rightarrow 1] - \Pr [\textbf{G}_3\Rightarrow 1] | \le Q_\textsf{SftJoin}\cdot \epsilon\).

\(\textbf{G}_4\) uses a ciphertext randomly chosen from the ciphertext space to replace a ciphertext encrypted by user’s \(pk_i\) in \(\mathcal {O}_\textsf{SftJoin}\). Since the adversary can get plaintext \(m_i\) by querying \(\mathcal {O}_\textsf{Reveal}\), the proof for the hybrid game between \(\textbf{G}_3\), \(\textbf{G}_4\), slightly differs from Proposition. 2. When \(\mathcal {B}\) receives a reveal query \(\mathcal {O}_\textsf{Reveal}(i)\) from \(\mathcal {A}\) for user i, it checks whether i has joined the group and returns \(m_i\) to \(\mathcal {B}\) if i has joined the group. Since \(m_i\) is generated by \(\mathcal {B}\), \(\mathcal {B}\) perfectly answers \(\mathcal {O}_\textsf{Reveal}\). So we also have \(|\Pr [\textbf{G}_3\Rightarrow 1] - \Pr [\textbf{G}_4\Rightarrow 1] | \le 2N\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE},\mathcal {A}}(1^\lambda )\).

The change in \(\textbf{G}_5\), \(\textbf{G}_6\) are the same with that in the reusability games. \(|\Pr [\textbf{G}_{4}\Rightarrow 1] - \Pr [\textbf{G}_{5}\Rightarrow 1] | \le (N+1)\cdot Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\), \(|\Pr [\textbf{G}_{5}\Rightarrow 1] - \Pr [\textbf{G}_{6}\Rightarrow 1] | \le Q_\textsf{SftGen}\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )\)

\(\boxed {\hbox { Game } \textbf{G}_6}\) In \(\textbf{G}_6\), all messages returned to adversary in queries are chosen random uniformly except the signature part in \(\mathcal {O}_\textsf{SftGen}\). Adversary wins the game if it forges a signature that open to a unrevealed user or a revoked user at time \(t^*\). Review the construction of LPY-RGS. \(\sigma =(\textsf{VK}, \Upsilon _1,\Upsilon _2,\Upsilon _3,\Upsilon _4,\Upsilon _5,\Omega ,\textrm{com},\mathrm{\Pi }, \sigma _{ots})\). \(\textrm{com}\) and \(\mathrm \Pi\) makes a proof of membership certificate. \(\Omega\) is structure-preserving signature (SPS) of \(RL_t^*\) and user path \(C_{v_i}\) which is signed by GM.

If \(t^*=0\), there is no user revoked in the group and \(RL_0=\emptyset\). Adversary wins if it forges a signature opening to a non-adversary controlled user \(i^*\) that \(i^*\notin CSet\). We use \(\textsf{Adv}_{\mathcal {A}}^{\textsf{Forge},t^*=0}\) to indicate the advantage when \(t^*=0\). In this case, adversary needs to forge a fresh structure-preserving signature \(\sigma _{v}^*\) of membership certificate \((X_{\textsf{RGS}},C_{v_i})\) (\(X_{\textsf{RGS}}\) is the parameter related to \(sec_i\), \(C_{v_i}\) is the committed path from the user leaf to the root), or \(\mathcal {A}\) successfully generate a faithful proof with a invalid signature. Since the GS proof systems used in the construction is perfect soundness, we have \(\Pr [\textbf{G}_{6}\Rightarrow 1 |t^*=0] = \textsf{Adv}_{\mathcal {A}}^{\textsf{Forge},t^*=0}\le \textsf{Adv}_\textsf{SPS}^\mathsf{EUF\text{- }CMA}\). Otherwise, there exists \(\mathcal {B}\) that refers to \(\mathcal {A}\) and breaks the \(\mathsf{EUF\text{- }CMA}\) of SPS. \(\mathcal {B}\) simulates a challenger in \(\textbf{G}_{6}\) by following the specification of the \(\mathsf {Setup}\) algorithm except that \(\mathcal {B}\) gets public keys and signs the messages from SPS’s challenger. Since \(\mathcal {B}\) knows \(\mathsf{osk}\) and gets SPS signature from SPS’s challenger, it faithfully answers all queries from \(\mathcal {A}\).

If \(t^*\ne 0\), there are two types of forges in the \(\textbf{G}_6\). (1) type1-forge: adversary either forges structure-preserving signature on \(RL_t^*\) or user’s membership \((X_\textsf{RGS}, C_{v_i})\). Adversary will break the \(\mathsf{EUF\text{- }CMA}\) of SPS. So, we have \(\Pr [\textbf{G}_{6}\Rightarrow 1, \mathsf{type1\text{- }forge}|t^*\ne 0]= \textsf{Adv}_{\mathcal {A}}^{\mathsf{Type1\text{- }Forge},t^*\ne 0}\le \textsf{Adv}_\textsf{SPS}^\mathsf{EUF\text{- }CMA}\); (2) type2-forge: revocation list \(RL_t^*\), membership certification \((X_\textsf{RGS},C_{v_i^*})\) and the corresponding signatures are signed correctly, but \(C_{v_i^*}\) encodes a path from root to a revoked user \(i^*\) at time \(t^*\). Since \(C_{v_i}\) is based on \(\ell\)-FlexDHE assumption, we make the reduction as following. Given the \(\ell\)-FlexDHE instance, \(\mathcal {B}\) simulates an environment for \(\mathcal {A}\). \(\mathcal {B}\) acts the role of challenger in \(\textbf{G}_{6}\), calculates all information used in the experiment with the difference that, it replaces part of \(\mathsf gpk\) by the instance getting from \(\ell\)-FlexDHE challenger. Since \(\mathcal {B}\) knows group secret \((\textsf{msk},\textsf{osk},fek)\), it can faithfully answer \(\mathcal {O}_\textsf{SftJoin},\mathcal {O}_\textsf{Revoke},\mathcal {O}_\textsf{SftGen},\mathcal {O}_\textsf{Trace},\mathcal {O}_\textsf{Reveal}\). Once it gets type2-forge signature \(\sigma ^*\) from \(P^*\), it can generate an non-trivial triple \((\hat{g}^\mu ,\hat{g}_{\ell +1}^\mu , \hat{g}_{2\ell }^\mu )\) that breaks \(\ell\)-FlexDHE problem. The detailed reduction refers to Lemma. 1 Libert et al. (2012). We have \(\Pr [\textbf{G}_{6}\Rightarrow 1, \mathsf{type2\text{- }forge}|t^*\ne 0]= \textsf{Adv}_{\mathcal {A}}^{\mathsf{Type2\text{- }Forge},t^*\ne 0}\!\le \!\textsf{Adv}^{\ell - \textsf{FlexDHE}}\). Finally, we have \(\Pr [\textbf{G}_6\!\Rightarrow \! 1 ] \!= \!\Pr [\textbf{G}_{6}\!\Rightarrow \! 1, \mathsf{type1\text{- }forge}|t^*= 0]\cdot \Pr [t^*=0] + \Pr [\textbf{G}_{6}\Rightarrow 1, \mathsf{type1\text{- }forge}|t^*\ne 0]\cdot \Pr [t^*\ne 0] + \Pr [\textbf{G}_{6}\Rightarrow 1, \mathsf{type2\text{- }forge}|t^*\ne 0]\cdot \Pr [t^*\ne 0] < \textsf{Adv}_\textsf{AHO}^\mathsf{EUF\text{- }CMA}(1^\lambda )+ \textsf{Adv}^{\ell \text{- } \textsf{FlexDHE}}(1^\lambda )\).

In all, \(\textsf{Adv}^\textsf{trace}_{\mathcal {A}}:= |\Pr [\textsf{Exp}^\textsf{trace}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]| < Q_\textsf{SftJoin}\cdot \epsilon + 2N\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda ) + (N+1)\cdot Q_\textsf{Revoke}\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )+ Q_\textsf{SftGen}\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )+\textsf{Adv}_\textsf{AHO}^\mathsf{EUF\text{- }CMA}(1^\lambda )+ \textsf{Adv}^{\ell \text{- } \textsf{FlexDHE}}(1^\lambda ) \le \textsf{negl}(1^\lambda )\). \(\square\)

Lemma 4

(Anonymity) If the DDH assumption holds with the group \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\) and the underlying SS is an \((\mathcal {M}, m, \tilde{m}, \tau )\)-secure sketch, Ext is a homomorphic average-case \((\mathcal {M},\tilde{m},\mathcal {K}_{sk},\epsilon )\) -strong extractor with a negligible \(\epsilon\), PKE is private-key-shift secure with private key space \(\mathcal {K}_{sk}\), LPY-RGS is secure under \(\ell\)-FlexDHE assumptions, then construction of DGFE is anonymous, where N is the maximum number of group users, \(\ell =\lceil \log N\rceil\).

Proof

We also prove the anonymity through games. \(\textbf{G}_0\) is the original anonymity experiment. The modifications from \(\textbf{G}_0\) to \(\textbf{G}_6\) are identical to that in traceability experiment. In \(\textbf{G}_6\), all messages returned to the adversary in queries are chosen random uniformly except the signature part in \(\mathcal {O}_\textsf{SftGen}\) and challenge phase. Now we analysis the \(\mathcal {A}\)’s advantage of winning in game \(\textbf{G}_6\). We reduce the security of fully-anonymity of the RGS signature to the anonymity in our construction.

If \(\mathcal {A}\) can win \(\textbf{G}_{6}\), then an algorithm \(\mathcal {B}\) can be constructed to break fully-anonymity of the RGS. \(\mathcal {B}\) proceeds. (i) \(\mathcal {B}\) acts the role of challenger in \(\textbf{G}_{6}\). \(\mathcal {B}\) samples \(w_g^0\leftarrow _{\$} W_g\),\(\{w_i^0\leftarrow _{\$} W_i\}_{i\in [N]}\), and follows exactly the Setup phase in anonymity experiment except RGS.Setup phase. After RGS.Setup, \(\mathcal {B}\) gets \(\mathsf{gpk,msk}\) of RGS by querying the \(\mathcal {O}_\textsf{keyGM}\), \(\mathcal {O}_\textsf{pub}\) oracles provided by challenger of the signature and samples osk randomly. \(\mathcal {B}\) generates parameters of PKE and samples sk for users. (ii) \(\mathcal {B}\) can simulates \(\mathcal {O}_\textsf{SftJoin}\). Since \(\mathcal {B}\) knows \(w_i\) and \(sk_i\), it can calculate \(sk_{i}^{\delta }\) and \(s_{i}^{\delta }\). In the first time of querying \(\mathcal {O}_\textsf{SftJoin}\) for user \(\mathcal {P}_i\). \(\mathcal {B}\) generates user group signature key \((\textsf{cert}_i, \textsf{sec}_i)\) by a simulated joining protocol between user \(\mathcal {P}_i\) and GM and modifies group state using \(\mathcal {O}_\textsf{write}\) oracle of the RGS scheme. (iii) Since \(\mathcal {B}\) knows all secrets except osk of the RGS, it can simulates \(\mathcal {O}_\textsf{Revoke},\mathcal {O}_\textsf{SftGen},\mathcal {O}_\textsf{Reveal}\) perfectly. (iv) \(\mathcal {B}\) can simulate \(\mathcal {O}_\textsf{Trace}\). \(\mathcal {B}\) parses \(P=(X,t,\sigma )\), queries \(\mathcal {O}_\textsf{open}\) oracle of the RGS with X and \(\sigma\), returns what \(\mathcal {O}_\textsf{open}\) outputs to \(\mathcal {A}\). (v) In the challenge phase, \(\mathcal {B}\) receives \((i_0,i_1,t^*)\) from \(\mathcal {A}\). It transmits \((i_0,i_1,t^*)\) to RGS fully-anonymity challenger and gets a signature \(\sigma ^*\) of \(i_\beta\). \(\mathcal {B}\) randomly samples \(x\leftarrow _{\$}\mathbb {Z}_p\) computes \(X^*=g^x\) and sets \(P^*=(X^*,t^*,\sigma ^*)\). Then in time epoch \(t^*\), \(\mathcal {B}\) gets a modified \(\tilde{fek}\) and compute \(R^*=X^{\tilde{fek} }\), returns \((R^*,P^*)\) to \(\mathcal {A}\). (vi) Finally, \(\mathcal {B}\) returns what algorithm \(\mathcal {A}\) outputs to the RGS fully-anonymity challenger. So, we have \(|\Pr [\textbf{G}_6\Rightarrow 1 ]-\frac{1}{2}| \le \textsf{Adv}_\textsf{RGS}^\mathsf{fully\text{- }anonymity}(1^\lambda )\). In all, \(\textsf{Adv}^\textsf{anony}_{\mathcal {A}} \!:=\! |\Pr [\textsf{Exp}^\textsf{anony}_{\mathcal {A}}(1^\lambda )\Rightarrow 1]-\frac{1}{2}| \le Q_\textsf{SftJoin}\cdot \epsilon + 2N\cdot \textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda ) + (N+1)\cdot Q_\textsf{Revoke}\textsf{Adv}^\textsf{ks}_{\textsf{PKE}}(1^\lambda )\!+\! Q_\textsf{SftGen}\cdot \textsf{Adv}^\textsf{DDH}(1^\lambda )+\textsf{Adv}_\textsf{RGS}^\mathsf{fully\text{- }anonymity}(1^\lambda ) \le \textsf{negl}(1^\lambda )\). \(\square\)

Complexity analysis

We will now provide a concrete analysis regarding the asymptotic complexity of the DGFE construction. We use variables NTV and \(T'\), which denote the maximum number of users, the maximum number of revocation epochs, the maximum number of revoked users, the parameter of the vector commitment value in Sadiah and Nakanishi (2017), respectively. We strict the length of the sample to be \({O}(\lambda )\) and choose syndrome construction (Dodis et al. 2008) as the secure sketch. Besides, our DGFE construction relies on ElGamal-type PKE and LPY-revocable group signature (LPY-RGS) (Libert et al. 2012). ElGamal encryption works in group \(\mathbb {G}\) with \((\mathbb {G},p,g)\leftarrow \mathcal{I}\mathcal{G}(1^\lambda )\). LPY-RGS works in the group \(\hat{\mathbb {G}}\) of prime order \(\hat{p}>2^\lambda\) with a symmetric pairing function e.

We list the storage complexity, computation complexity, communication complexity of different DGFE constructions in Table 3. The first three columns list complexities of DGFE constructions which are based on SoK-type RGS (Nakanishi et al. 2009), VLR-type RGS (Libert and Vergnaud 2009), ACC-type RGS (Fan et al. 2011). The 5th column lists complexity of DGFE construction based on an improved LPY-RGS scheme (Sadiah and Nakanishi 2017). The 6th column denotes complexity of GFE construction with extra re-initialization phase to realize group dynamics. The last column denotes complexity of original GFE (Ma et al. 2023) with PKE. The complexity of our proposed DGFE construction in Sect. 4 is shown in 4th Column with a mark “*”. Note that storage costs are measured by bits related to \(\lambda\) but we omit \(\lambda\) to keep the table concise. The computation cost is performed over group \(\mathbb {G}\) and \(\hat{\mathbb {G}}\) respectively. In Setup phase, \(\mathsf{pp}\) and \(\textsf{IP}_g\) are calculated by GM. In Join and Revoke phases, interactive protocols are executed, and the consumption of GM and users are calculated respectively. All RGS schemes mentioned above are efficient in signing and verification operation. We also assume that RGS schemes work in symmetric pairings and the costs for GS schemes are counted in \(\hat{\mathbb {G}}\).

Based on comparison result shown in Table. 3, we can find that our DGFE with LPY-RGS has the same asymptotic complexity as GFE (Ma et al. 2023), while original GFE scheme does not support user revocation. The only additional cost is increased storage cost of pp. We compare our DGFE construction with the straightforward method of system re-initialization. This method handle user revocation by re-initializing the system and re-registering all unrevoked users. The functionality of DGFE demands that even if a user quits the group, the group data generated by this user before quitting the group should remain reproducible and traceable. As a result, GM need to store osks securely of all previous GS instances, leading to an additional computation and storage cost. Users and GM need to store all previous gpks. When compared with SoK-based RGS scheme (Nakanishi et al. 2009) whose computation cost of signing and verifying is O(1), our construction is still better in the size of pp and the security of backward linkability. Here, backward linkability indicates that the signatures signed by a revoked user are linkable. Note that the consumptions on signing and verifying for many SoK-type RGS schemes are linear in the size of the RL. When compared with VLR-RGS based DGFE, the most significant advantage of LPY-RGS based DGFE is the computation cost in Rep. The Rep phase of a VLR-RGS based DGFE needs to execute an additional revocation check for the entire RL to confirm the signer is not revoked and the revocation check is a time-consuming pairing operation in many schemes. Besides, revocation tokens contain identity information, directly making them public to the verifiers may raise concerns about the anonymity. Although there exists VLR-RGS scheme (Libert and Vergnaud 2009) which can alleviate the anonymity concern. Our DGFE construction, which is based on LPY-RGS, does not have this problem. Finally, we compare our DGFE scheme with ACC-RGS based DGFE. As mentioned in SubSect. 2.3, in user revocation phase, each unrevoked user updates their secret signing keys with an accumulation of all the revocation information of revoked users. The computation cost of key updating is O(V) both for the unrevoked users and GM in Boneh et al. (2004); Camenisch and Groth (2004). Though one can use (Fan et al. 2011) to reduce the computation cost of key updating by pre-calculated public membership information (pmi) which is calculated by GM and broadcast to users when user revocation occurs, the revocation is still costly since membership tokens (mt) corresponding to pmi are specific for every unrevoked users and related all the revoke users. So the computation cost of mt is O(VN). Besides, all the existing pmi should be preserved for the verification in Rep phase. When DGFE is constructed with a newly designed LPY-RGS scheme (Sadiah and Nakanishi 2017). The storage cost of RL is improved with a sacrifice in the efficiency of Gen. Through the comparisons above, we conclude that there is a tradeoff between the cost in storage and computation and LPY-RGS is a most suitable RGS construction to meet the performance requirements of DGFE so far.

Table 3 Consumption of DGFE

An application scenario: group file sharing

In this section, we present a group file sharing system based on our DGFE scheme. In this application scenario, a group of users need to share sensitive files. To ensure the confidentiality of file contents, group users must encrypt the files before uploading them to the file server. These encrypted files can only be downloaded and decrypted by other group members. In this setting, we use DGFE as a key management solution for group file encryption. We present three main processes in the group file sharing system in Fig. 19.

1. File encryption and uploading. Any group member executes this process to upload encrypted files to the database server. By providing his biometric sample (for example, the fingerprint), individual help data, and plain files, a group user executes DGFE.Gen to extract group key R with a group help data P from the sample and the individual help data \(\textsf{IP}\). Using key R, the user encrypts the files, typically with highly efficient symmetric encryption. The user merges the encrypted files with the group help data and uploads them to the database server.

2. File download and decryption. Any group member executes this process to retrieve and decrypt the shared files. The user downloads the target files together with the group help data. Then, by providing the group help data P, user’s biometric sample, and the individual help data, the group key R corresponding to P is reproduced. The user can decrypt the files correctly. As a result, the files are securely shared with all group members.

3. User revocation and file re-encryption. Regarding user revocation, this process is launched to ensure that revoked users cannot decrypt shared files anymore. All existing files will be re-encrypted by the updated group keys. The group manager is responsible for user revocation and file re-encryption process. On the one hand, GM executes DGFE.Revoke with the unrevoked users by sending them an encrypted modification data y for the individual help data modification. On the other hand, GM decrypts files using old group keys and encrypts them with updated group keys. Since GM has the ability to reproduce group keys from group help data, the file re-encryption process can be executed successfully. This process is efficient because it uses symmetric encryption and the DGFE.Rep is also efficient.

Fig. 19
figure 19

Group file sharing system based on DGFE

Conclusion

We propose the definition and construction of dynamic group fuzzy extractor (DGFE) to handle events of user revocation without system re-initiation. It allows the unrevoked users in the group to reproduce updated group keys from existing group help data and prevents the revoked user from reproducing group keys with the outdated individual help data. We introduce revocable group signature (Libert et al. 2012) into our construction, which has a constant generation and verification cost. Finally, we give a formal proof on the reusability, traceability, and anonymity of our construction. When considering applications, our group fuzzy extractor faces the challenge of relying on a privileged group manager, who distributes the group secrets to all the users. In the future, we will strip the task of group key generation from the group manager and improve the robustness of the group fuzzy extractor.

Availability of data and materials

Not applicable.

Notes

  1. DGFE scheme does support users’ joining, just as GFE (Ma et al. 2023) does. A newly joined group user can reproduce all existing group keys with his individual help data and generate (RP) pairs.

References

  • Abe M, Fuchsbauer G, Groth J, Haralambiev K, Ohkubo M (2010) Structure-preserving signatures and commitments to group elements. In: Advances in cryptology–CRYPTO 2010: 30th annual cryptology conference, Santa Barbara, CA, USA, August 15–19, 2010. Proceedings 30. Springer, pp 209–236

  • Ateniese G, Tsudik G (1999) Some open issues and new directions in group signatures. vol 1648, pp 196–211

  • Ateniese G, Camenisch J, Joye M, Tsudik G (2000) A practical and provably secure coalition-resistant group signature scheme. In: Advances in cryptology-CRYPTO 2000: 20th annual international cryptology conference Santa Barbara, California, USA, August 20–24, 2000 Proceedings 20. Springer, pp 255–270

  • Attrapadung N, Emura K, Hanaoka G, Sakai Y (2014) A revocable group signature scheme from identity-based revocation techniques: achieving constant-size revocation list. In: Applied cryptography and network security: 12th international conference, ACNS 2014, Lausanne, Switzerland, June 10–13, 2014. Proceedings 12. Springer, pp 419–437

  • Attrapadung N, Emura K, Hanaoka G, Sakai Y (2015) Revocable group signature with constant-size revocation list. Comput. J. 58(10):2698–2715

    Article  Google Scholar 

  • Bellare M, Micciancio D, Warinschi B (2003) Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Advances in cryptology-EUROCRYPT 2003: international conference on the theory and applications of cryptographic techniques, Warsaw, Poland, May 4–8, 2003 Proceedings 22. Springer, pp 614–629

  • Bellare M, Shi H, Zhang C (2005) Foundations of group signatures: the case of dynamic groups. In: Cryptographers’ track at the RSA conference. Springer, pp 136–153

  • Boyen X (2004) Reusable cryptographic fuzzy extractors. In: Proceedings of the 11th ACM Conference on computer and communications security, pp 82–91

  • Boneh D, Shacham H (2004) Group signatures with verifier-local revocation. In: Proceedings of the 11th ACM conference on computer and communications security, pp 168–177

  • Boneh D, Boyen X, Shacham H (2004) Short group signatures. In: Annual international cryptology conference. Springer, pp 41–55

  • Bresson E, Stern J (2001) Efficient revocation in group signatures. In: Public key cryptography: 4th international workshop on practice and theory in public key cryptosystems, PKC 2001 Cheju Island, Korea, February 13–15, 2001 Proceedings 4. Springer, pp 190–206

  • Camenisch J, Stadler M (1997) Efficient group signature schemes for large groups. In: Annual international cryptology conference. Springer, pp 410–424

  • Camenisch J, Groth J (2004) Group signatures: Better efficiency and new theoretical aspects. In: International conference on security in communication networks. Springer, pp 120–133

  • Camenisch J, Kohlweiss M, Soriente C (2009) An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Public key cryptography–PKC 2009: 12th international conference on practice and theory in public key cryptography, Irvine, CA, USA, March 18–20, 2009. Proceedings 12. Springer, pp 481–500

  • Canetti R, Fuller B, Paneth O, Reyzin L, Smith A (2016) Reusable fuzzy extractors for low-entropy distributions. In: Advances in cryptology-EUROCRYPT 2016: 35th annual international conference on the theory and applications of cryptographic techniques, Vienna, Austria, May 8–12, 2016, proceedings, part I 35. Springer, pp 117–146

  • Chaum D, Van Heyst E (1991) Group signatures. In: Advances in cryptology-EUROCRYPT’91: workshop on the theory and application of cryptographic techniques Brighton, UK, April 8–11, 1991 Proceedings 10. Springer, pp 257–265

  • Chen L, Pedersen TP (1994) New group signature schemes. In: Workshop on the theory and application of of cryptographic techniques. Springer, pp 171–181

  • Daugman J (2009) How iris recognition works, pp 715–739

  • Dodis Y, Ostrovsky R, Reyzin L, Smith A (2008) Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 38(1):97–139. https://doi.org/10.1137/060651380

    Article  MathSciNet  Google Scholar 

  • Emura K, Hayashi T (2018) A revocable group signature scheme with scalability from simple assumptions and its implementation. In: Information security: 21st international conference, ISC 2018, Guildford, UK, September 9–12, 2018, Proceedings 21. Springer, pp 442–460

  • Emura K, Hayashi T (2019) A revocable group signature scheme with scalability from simple assumptions and its application to identity management. Cryptology ePrint Archive

  • Fan C-I, Hsu R-H, Manulis M (2011) Group signature with constant revocation costs for signers and verifiers. In: Cryptology and network security: 10th international conference, CANS 2011, Sanya, China, December 10–12, 2011. Proceedings 10. Springer, pp 214–233

  • Fuller B, Meng X, Reyzin L (2013) Computational fuzzy extractors. In: Advances in cryptology-ASIACRYPT 2013: 19th international conference on the theory and application of cryptology and information security, Bengaluru, India, December 1–5, 2013, proceedings, part I 19. Springer, pp 174–193

  • Groth J, Sahai A (2008) Efficient non-interactive proof systems for bilinear groups. In: Advances in cryptology–EUROCRYPT 2008: 27th annual international conference on the theory and applications of cryptographic techniques, Istanbul, Turkey, April 13–17, 2008. Proceedings 27. Springer, pp 415–432

  • Helleseth BJdMM (1994) One-way accumulators: a decentralized alternative to digital signatures. In: Advances in cryptology-EUROCRYPT, vol 93

  • Kumar V, Li H, Park J-M, Bian K, Yang Y (2015) Group signatures with probabilistic revocation: A computationally-scalable approach for providing privacy-preserving authentication. In: Proceedings of the 22nd ACM SIGSAC conference on computer and communications security, pp 1334–1345

  • Libert B, Peters T, Yung M (2012) Group signatures with almost-for-free revocation. In: Annual cryptology conference. Springer, pp 571–589

  • Libert B, Vergnaud D (2009) Group signatures with verifier-local revocation and backward unlinkability in the standard model. In: Cryptology and network security: 8th international conference, CANS 2009, Kanazawa, Japan, December 12–14, 2009. Proceedings 8. Springer, pp 498–517

  • Ma J, Qi B, Lv K (2023) Reusable group fuzzy extractor and group-shared bitcoin wallet. Comput J 66(3):643–661

    Article  MathSciNet  Google Scholar 

  • Marasco E, Ross A (2014) A survey on antispoofing schemes for fingerprint recognition systems. ACM Comput Surv (CSUR) 47(2):1–36

    Article  Google Scholar 

  • Nakanishi T, Funabiki N (2005) Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In: International conference on the theory and application of cryptology and information security. Springer, pp 533–548

  • Nakanishi T, Funabiki N (2013) Revocable group signatures with compact revocation list using accumulators. In: International conference on information security and cryptology, pp 435–451

  • Nakanishi T, Fujii H, Hira Y, Funabiki N (2009) Revocable group signature schemes with constant costs for signing and verifying. In: Public key cryptography-PKC 2009, 12th international conference on practice and theory in public key cryptography, Irvine, CA, USA, March 18–20, 2009. Proceedings. Lecture Notes in Computer Science, vol 5443. Springer, pp 463–480

  • Ohara K, Emura K, Hanaoka G, Ishida A, Ohta K, Sakai Y (2019) Shortening the Libert–Peters–Yung revocable group signature scheme by using the random oracle methodology. IEICE Trans Fundam Electron Commun Comput Sci 102(9):1101–1117

    Article  ADS  Google Scholar 

  • Parkhi O, Vedaldi A, Zisserman A (2015) Deep face recognition. In: BMVC 2015-proceedings of the British machine vision conference 2015 . British Machine Vision Association

  • Rahaman S, Cheng L, Yao DD, Li H, Park JJ (2017) Provably secure anonymous-yet-accountable crowdsensing with scalable sublinear revocation. Proc. Priv. Enhanc. Technol. 2017(4):384–403

    Google Scholar 

  • Sadiah S, Nakanishi T (2017) Revocable group signatures with compact revocation list using vector commitments. IEICE Trans Fundam Electron Commun Comput Sci 100(8):1672–1682

    Article  ADS  Google Scholar 

  • Suh GE, Devadas S (2007) Physical unclonable functions for device authentication and secret key generation. In: Proceedings of the 44th annual design automation conference, pp 9–14

  • Tsudik G, Xu S (2003) Accumulating composites and improved group signing. In: Advances in cryptology-ASIACRYPT 2003: 9th international conference on the theory and application of cryptology and information security, Taipei, Taiwan, November 30–December 4, 2003. Proceedings 9. Springer, pp 269–286

  • Wen Y, Liu S, Han S (2018) Reusable fuzzy extractor from the decisional Diffie–Hellman assumption. Des. Codes Cryptogr. 86(11):2495–2512. https://doi.org/10.1007/s10623-018-0459-4

    Article  MathSciNet  Google Scholar 

  • Wen Y, Liu S, Gu D (2019) Generic constructions of robustly reusable fuzzy extractor. In: Public-key cryptography-PKC 2019: 22nd IACR international conference on practice and theory of public-key cryptography, Beijing, China, April 14–17, 2019, proceedings, part II 22. Springer, pp 349–378

Download references

Acknowledgements

Not applicable.

Funding

Not applicable.

Author information

Authors and Affiliations

Authors

Contributions

All authors have contributed to the manuscript and approve of this submission. KC constructed the scheme with security proofs and drafted the manuscript. PS and KL revised the manuscript critically and checked the security proofs. XT and CC joined the discussion of the work, made constructive suggestions, and revising the article. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Peisong Shen.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Chen, K., Shen, P., Lv, K. et al. Dynamic group fuzzy extractor. Cybersecurity 7, 25 (2024). https://doi.org/10.1186/s42400-024-00210-2

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s42400-024-00210-2

Keywords