Proceedings on Privacy Enhancing Technologies ; 2017 (4):404–423

Sazzadur Rahaman*, Long Cheng, Danfeng (Daphne) Yao, He Li, and Jung-Min (Jerry) Park

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocation

Abstract: Group signature schemes enable anonymous-yet-accountable communications. Such a capability is extremely useful for applications, such as -based crowdsensing and . However, the performance of modern group signature schemes is still inadequate to manage large dynamic groups. In this paper, we design the first provably secure verifier-local revocation (VLR)-based group signature scheme that supports sublinear revocation, named Sublinear Revocation with Backward unlinkability and Exculpability (SRBE). To achieve this performance gain, SRBE introduces time-bound pseudonyms for the signer. By introducing low-cost short-lived pseudonyms with sublinear revocation checking, SRBE drastically improves the efficiency of the group-signature primitive. The backward-unlinkable anonymity of SRBE guarantees that even after the revocation of a signer, her previously generated signatures remain unlinkable across epochs. This behavior favors the dynamic nature of real-world crowdsensing settings. We prove its security and discuss parameters that influence its scalability. Using SRBE, we also implement a prototype named GROUPSENSE for anonymous-yet-accountable crowdsensing, where our experimental findings confirm GROUPSENSE's scalability. We point out the open problems remaining in this space.

Keywords: Group Signature, Verifier Local Revocation, Privacy, Participatory Sensing, Crowdsensing.

DOI 10.1515/popets-2017-0056
Received 2017-02-28; revised 2017-06-01; accepted 2017-06-02.

*Corresponding Author: Sazzadur Rahaman: Department of Computer Science, Virginia Tech, E-mail: [email protected]
Long Cheng: Department of Computer Science, Virginia Tech, E-mail: [email protected]
Danfeng (Daphne) Yao: Department of Computer Science, Virginia Tech, E-mail: [email protected]
He Li: Department of Electrical and Computer Engineering, Virginia Tech, E-mail: [email protected]
Jung-Min (Jerry) Park: Department of Electrical and Computer Engineering, Virginia Tech, E-mail: [email protected]

1 Introduction

The new urban-scale crowdsensing vision promises intriguing applications, such as health monitoring [1], environment monitoring [2], traffic prediction [3], etc. However, an open crowdsensing platform where anyone can submit data is undesirable. It is exposed to malicious and erroneous participation, which may threaten data integrity and reliability [4]. Accountability of participants for their data reports is a key requirement for crowdsensing platforms [5]. To serve this requirement, it is desirable that only the participants with proper authorization should be able to contribute to a crowdsensing platform. We refer to this controlled crowdsensing scenario as groupsensing.

While accountability protects the data collector, the vast number of crowdsensing participants sharing sensitive information such as location, daily routine, and health status need to be protected against privacy threats [6, 7]. The threats may include the semi-honest data-collection service provider, who attempts to track and de-anonymize participants, as well as data breaches on the data-collection servers [8–10]. Therefore, sensing-time anonymity is also an essential requirement, especially for the participants who are involved in long-term sensing applications.

Anonymous-yet-accountable crowdsensing demands "privacy preserving authentication". Privacy preserving authentication is a cryptographic protocol to authenticate users without knowing their identity [11]. These protocols can broadly be categorized into two groups: (1) pseudonym-based systems [12, 13] and (2) group signature-based systems [14–16]. Both of them rely on a trusted group manager to coordinate between the signer (i.e., a crowdsensing participant) and the verifier (semi-honest data-collection server). In pseudonym-based schemes (e.g., [17]), the group manager needs to issue a list of pseudonyms and public-key certificates to certify the public keys of participants (for the accountability purpose). Participants generate signatures using pseudonyms and refresh pseudonyms periodically to preserve anonymity. However, all the signatures under the same pseudonym are linkable. Thus, frequent public-key certification and distribution are necessary to enable short-lived pseudonyms, which appears to be expensive [18].

In comparison to pseudonyms, group signature schemes (e.g., [14–16, 19, 20]) do not require frequent public-key certifications for participants. One public key serves for all signatures of all participants. However, the trade-offs among security properties and computational and communication overheads [11, 21–23] for various applications have been the prime focus in the state-of-the-art group signature literature. In general, the revocation checking operation is known to be the most expensive operation for modern group signature schemes [24]; it is necessary to enforce the blacklisting of misbehaving/deactivated users. As the revocation lists for these schemes are maintained locally at the verifiers' end, these schemes are known as verifier-local revocation (VLR). Typically, revocation lists contain revocation tokens, where a revocation token uniquely represents a revoked user. The computational complexity of deterministic revocation checking for VLR-based group signature schemes is typically O(R), where R is the size of the revocation list.

Therefore, the attractiveness of group signatures (e.g., [16, 22, 25, 26]) in crowdsensing is substantially dampened by the expensive revocation checking operations. For example, SPPEAR [27], a comprehensive crowdsensing system, avoids using group signatures for sensory data submission. SPPEAR only uses group signatures for setting up pseudonyms, but resorts to the public-key certification approach for data submissions. AnonySense [28] is another privacy-preserving crowdsensing framework that uses group signatures for data submissions. However, AnonySense does not support membership revocation. Thus, its accountability guarantee is low. Also, there exist several other proposals to preserve anonymity without accountability support [29–31].

In this paper, we present a new VLR-based group signature scheme named Sublinear Revocation with Backward unlinkability and Exculpability (SRBE). SRBE's security is guaranteed under the random oracle model [16]. The main feature of SRBE is that the computational complexity of revocation check is O(log_2 R), where R is the size of the revocation list, which is explained next. Exculpability refers to the property that a group manager cannot forge a signature of any honest signer (i.e., a signer whose private key is not compromised) that the signer cannot dispute.

In VLR-based group signature schemes, signatures carry zero-knowledge proofs of signers' revocation tokens [15, 16, 22], so that the revocation tokens are not available in the signature for direct comparison. To overcome this issue, SRBE uses time-bound pseudonyms as revocation tokens. This approach enables verifiers to organize revocation tokens in standard data structures (i.e., binary search trees) for fast revocation check. The main technical challenge in using these time-bound short-lived pseudonyms is to embed them in signatures with minimal overheads while preserving the security properties.

SRBE's anonymity is defined in terms of Backward Unlinkable anonymity (BU-anonymity), which means that even after the revocation of a signer, signatures produced by the signer before revocation remain anonymous across epochs. Our work supports unlinkability across different epochs [11]. Signatures generated by a signer in different time periods cannot be linked, as they are signed with unlinkable pseudonyms. Our pseudonyms are unique, as they support i) sublinear revocation and revocation checking, and ii) constant revocation token size per signer.

The requirement of constant revocation token size per signer is important. To revoke a signer, one needs to revoke all the pseudonyms of the signer. It would be inefficient if the size of the revocation token increased with the total number of pseudonyms per signer. We aim to keep the size of revocation tokens constant. Our pseudonyms are generated using a combination of forward and reverse cryptographic hash chains. In Section 3.1, we explain why some straightforward pseudonym attempts do not work.

In our work, signatures signed under the same pseudonym (within the same time period) can be linked by the verifier (i.e., the data-collection server), i.e., they are linkable. A similar limitation exists in other group signature schemes [11, 32]. Supporting unlinkability within an epoch remains an open problem.

Fig. 1. System Overview of GROUPSENSE

Using SRBE group signatures, we develop a groupsensing prototype named GROUPSENSE. As illustrated in Figure 1, in GROUPSENSE a participant submits anonymously signed data reports to the data-collection server; the signature does not reveal her identity but proves her membership. The group manager can locate a participant for revocation purposes. The prototype includes client-side Android apps and server-side programs, and the performance of the prototype is extensively evaluated.

Our technical contributions are summarized as follows.
– We present a new bilinear-map based group signature scheme (referred to as SRBE) with sub-linear revocation check. SRBE also supports backward unlinkability and exculpability. We prove the security in the random oracle model (ROM) using standard security assumptions.

– We implement the SRBE group signature scheme, along with four other leading group signature schemes. We theoretically and experimentally compare their computation and communication costs and the scalability of the revocation check algorithm. We also use SRBE to implement GROUPSENSE, an anonymous-yet-accountable crowdsensing prototype.
– Our experimental results indicate the scalability of GROUPSENSE with SRBE for large crowds. The major experimental findings are as follows. The revocation check procedure of SRBE gives around a 3-order-of-magnitude performance gain over the state of the art. After pre-computing some expensive operations, the average signing cost of SRBE on a Nexus 10 is around 1.69 seconds. GROUPSENSE takes around 150 ms on average to verify a signature with revocation checking against 70,000 revoked users.

Multi-disciplinary crowdsensing and citizen-science projects [33] require secure and privacy-preserving cyberinfrastructures. Secure crowdsensing encourages participation, which in turn boosts the quality of data and discovery. We envision that the efficiency and scalability of SRBE may help increase the real-world adoption of group signatures by developers, scientists and engineers in crowdsensing and other applications requiring privacy.

2 Related Work

2.1 Revocation in Group Signatures

Group Signature (GS) schemes allow signers (managed by some authority) to anonymously produce signatures on behalf of a group. After their introduction [14], different variants of GS schemes were proposed (collision-resistant GS scheme [19], sign-and-encrypt-and-prove based GS [20], traceable signatures [15, 34, 35], GS with verifier local revocation [16], GS from blind signatures [36], traceable signatures in the standard model [37], group signatures in the standard model [38], GS with controllable linkability [39, 40], GS with distributed traceability [41], GS with dynamic accumulators [42]). Kiayias et al. (traceable signatures [15]) first introduced internal tracing algorithms (trapdoors) to efficiently trace and revoke the anonymity of misbehaving members. They also formalized the properties of "Traceability" and "Exculpability" to extend existing security guarantees for better accountability.

Existing GS literature discussing different types of membership revocation procedures can be classified as follows.

Revocation in dynamic accumulators. Dynamic accumulator based schemes [42–45] provide constant time revocation check. However, the major disadvantage of these schemes is that the signer needs to maintain a whitelist of unrevoked users to create a valid signature. This requires updating each signer's secret key on each revocation, which is impractical for large dynamic groups. To address this, Nakanishi et al. [23] proposed a revocable scheme with constant signing and verifying complexity, where no updates of the secret key are required. However, this scheme still requires signers to fetch data of O(R) complexity, where R is the total number of revoked users, and the size of the public key is O(√N), where N is the total number of users.

Revocation in linking-based schemes. Recently, Slamanig et al. proposed a Sign-and-Encrypt-and-Prove based GS scheme with efficient revocation check [21] (similar to SRBE). The scheme adopts a centralized online OCSP service for revocation checking. In most of the Sign-and-Encrypt-and-Prove based GS schemes [21, 39, 40], RAs need to deanonymize a signature to perform revocation. However, as every signature verification needs a consultation with the OCSP server for revocation checking, the communication overhead between the verifier and the OCSP server becomes onerous. Most importantly, it is undesirable to deanonymize the signatures of benign users [27, 46], which might encourage mass surveillance [47]. Conversely, in VLR based GS schemes such as ours, trusted authorities are assumed to deanonymize (open) signatures only when the signer is suspected to be malicious. In [32], Emura et al. proposed a light-weight linking based GS scheme with efficient revocation checking. However, during revocation this scheme requires O(R) group operations by the group manager, which restricts the scheme from being used in dynamic crowdsensing settings where short-lived pseudonyms are critical.

Verifier local revocation. VLR-based GS schemes [16, 22, 26, 48, 49] are known to be more practical than the other GS schemes [24]. Some VLR-based GS schemes [22, 48, 49] support backward unlinkability. In general, these VLR-based GS schemes need O(R) expensive operations to do revocation checking. The authors in [11] presented a new GS scheme with probabilistic revocation (GSPR) that drastically improves the performance of revocation check compared to the prior art. However, probabilistic revocation checking resulting in false positives (i.e., valid signatures mistaken as generated by revoked participants) may not be desirable in crowdsensing. Moreover, our experimental evaluation suggests that the revocation check mechanism of SRBE runs faster than GSPR.

Revocation in standard models. There are several standard model constructions of GS schemes based on the Groth-Sahai proof system [50] that support constant revocation check. Libert, Peters and Yung (LPY) [51] proposed a construction based on broadcast encryption techniques to support constant revocation check. However, the signature size (96 group elements) and membership certificate size (O(log_2 N)) are extremely large in [51]. In [52], LPY reduced the membership certificate size to constant, at the increased cost of public key size (O(log_2 N)) and signature size (144 group elements). Attrapadung et al. [53] proposed another scheme to reduce the size of the revocation list to constant. However, the signature size (98 group elements) of this scheme is still large. Recently, Ohara et al. [54] proposed a new GS scheme to retain the constant revocation check complexity of [51] with a shorter signature size in ROM. Unfortunately, like the original scheme [51], this scheme also has a large membership certificate size (O(log_2 N)). Moreover, the revocation complexity of all of these schemes is at least O(R) [53]. Most importantly, all of these group signature schemes maintain the revocation list at the signers' end. Thus the overall applicability of these schemes in the crowdsensing applications envisioned in this paper, where light-weight solutions are desirable, remains questionable. It is still open to use the techniques of standard model schemes in ROM to achieve a practical GS scheme with constant revocation checking.

Other revocation techniques. Expensive revocation check has been a major performance bottleneck for anonymous credential schemes as well. In [55, 56], the authors proposed an efficient VLR mechanism for anonymous credential systems supporting backward unlinkability. To generate and distribute the revocation list for an epoch, it requires O(R) exponentiation operations on large numbers (expensive) at the revocation authority's end. Like linking-based schemes [21], the revocation scheme proposed in [56] requires an online central OCSP server to check the revocation status of signatures from all the verifiers, which introduces additional problems, such as extra communication overheads and the surveillance capability of the OCSP server. Camenisch et al. [46] present a new revocation scheme for anonymous credentials based on an n-times unlinkable proofs construction, which overcomes the previously mentioned performance overhead. However, it does not support backward unlinkability. As a result, after the revocation of a user device due to legitimate causes (e.g., lost or stolen), all the proofs produced by the device become linkable. The size of the revocation token per user is also linear in the total number of pseudonyms, which makes it challenging to use short epochs. On the other hand, unlike [55, 56], SRBE does not require centralized computations for revocation management and, unlike [46], SRBE supports backward unlinkability and constant-sized revocation tokens.

2.2 Privacy in CrowdSensing

The privacy concerns in crowdsensing were first pointed out in [57], immediately followed by [58]. AnonySense [28], a privacy preserving crowdsensing framework, offers strong privacy protection at the data collection server. AnonySense was one of the earliest solutions that utilize group signatures for crowdsensing. As pointed out in [59], the way AnonySense [28] employs group signatures renders it vulnerable to Sybil attacks [60], because in AnonySense it is impossible to identify signatures from the same participant without opening the signatures of all data reports. As a result, misbehavior detection becomes a lengthy and inefficient process, also requiring the de-anonymization of benign reports.

It is conceivable that the inherent openness of privacy preserving systems exposes them to abuse. Therefore, it is important to efficiently identify abusive users. SPPEAR [27] and SPPEAR with enhanced incentive provisioning [59] are focused on both anonymity and accountability. In SPPEAR [27], BU-anonymity is achieved through a pseudonym-based signature approach. However, because it uses the pseudonym based signature scheme to share data, SPPEAR incorporates extra public-key certificate management overhead (e.g., pseudonym certificate generation, acquisition, distribution, revocation), which affects the scalability and performance of the system. In contrast, GROUPSENSE provides an alternative approach to solve the problem and also spares the requirement of such public-key certificate management overhead.

3 Motivation and Definitions

We give some intuitions for our design in Section 3.1, define the operations of SRBE in Section 3.2 and formally define the security of SRBE in Section 3.3.

3.1 Motivation

To motivate our design, we describe several straightforward schemes that naively extend a secure group signature scheme with short-lived pseudonyms. Using these schemes, we demonstrate the challenges of preserving security requirements while building an efficient scheme with fast O(log_2 R) revocation check (where R is the total number of revoked users) without compromising security.

Failed Scheme I: Consider a naive scheme, where an existing group signature scheme is modified as follows. In addition to the private key parameters, each signer (i.e., crowdsensing participant) is assigned a set of T short-lived pseudonyms p_j by the group manager, where j ∈ [1,T]. When submitting sensory data, the signer concatenates the message m with her pseudonym p_j, and signs (m‖p_j) following the adopted group signature scheme. The data and signature are submitted in an end-to-end secure channel between the participant and the data-collection server (e.g., HTTPS). The verifier can use a binary search tree to maintain revoked pseudonyms. Thus, revocation check can be done efficiently.

However, this scheme is not secure. Any verifier can learn the pseudonym of the signer. If the verifier is also a member of the group, then she can forge signatures using others' pseudonyms, which violates the traceability property (Definition 3.4). Thus, it is necessary to have an easily verifiable correspondence between pseudonyms and the private keys.

Failed Scheme II: Let us assume we repair Scheme I to preserve the traceability property. Now, to revoke a signer, the group manager needs to send all the corresponding pseudonyms to the verifier. Thus, the size of the revocation token to be transmitted from the group manager to the verifier becomes O(T), where T is the total number of pseudonyms. To overcome this problem, one may generate pseudonym p_j for time interval j as follows:

$$p_j = H_z^{\,j}(\mathrm{SEED}) \quad \forall j \in [1, T] \qquad (1)$$

However, using Equation 1, a verifier can link all the pseudonyms corresponding to a signer, even if the signer is not revoked. Hence, anonymity is compromised.

Intuitions about SRBE. By observing the failed schemes, we see that using pseudonyms to achieve sublinear revocation check for a GS scheme is not straightforward. Here, we provide a high-level overview of the intuitions behind the design choices of SRBE.

Fixing Scheme I: In SRBE, pseudonyms are called pseudoIDs (PID_ij represents the pseudoID of signer i at time or epoch j). Our SRBE embeds pseudoIDs into the secret keys of the signers, so that nobody other than the honest signer can "claim" the ownership (see the Join protocol in Section 4.1 for details). Such embedding satisfies the following properties.
1. Signers are restricted to use issued pseudoIDs only.
2. Signer i is restricted to use PID_ij for time period j.
3. Even if one knows PID_ij, she cannot forge signatures. The reconstruction of the signing key is not feasible even with the knowledge of the PID_ij's.

Fixing Scheme II: In SRBE, the pseudoIDs at a given time are generated using a combination of a hash chain and a reverse hash chain (see Step 6 of the Join protocol in Section 4.1), so that the revocation token size becomes constant without compromising security.

The salient features of SRBE are summarized as follows.
1. Embedding of pseudoIDs in private key parameters and tying a pseudoID to an epoch (provable under assumptions similar to the Boneh-Boyen full signature scheme [61]).
2. PseudoID generation uses a combination of a hash chain and a reverse hash chain to maintain BU-anonymity with revocation efficiency.
3. The use of pseudoIDs as revocation tokens enables verifiers to store revocation tokens in standard data structures for efficient look-up.

These new features lead to new capabilities (listed below), which have not previously been realized in the GS literature.
1. VLR based sublinear revocation and revocation checking mechanism.
2. BU-anonymity with constant revocation token size per signer.

Trade-off. The limitation of using the same pseudoID by a signer to produce signatures for a given time period is that it makes the signatures linkable within that time period. However, signatures from different time intervals are unlinkable. It still remains an open problem to design a group signature scheme with sublinear revocation and unlinkability support both within a time interval and across intervals.

The significance of our SRBE scheme is that it has the potential to make large-scale smartphone applications, whose privacy costs were previously formidable, become a reality. It provides a practical fast alternative to existing group signatures, through leveraging the trade-off between unlinkability and interval duration.

3.2 Definitions of SRBE Operations

There are three types of roles: Group Manager (GM), User or Signer, and Verifier. The SRBE scheme consists of the following algorithms:
– KeyGen(1^λ): The GM runs this algorithm, which takes security parameter λ as input, outputs a group public key gpk and a group manager's secret key gms, and initializes a registration list reg.
– Join: This is an interactive protocol between the GM and the user i to add user i as a member of the group. On successful execution, the user i obtains the secret key gsk_i, and the GM updates reg with an entry reg_i and gets the revocation token list grt_i = {grt_ik}, ∀k ∈ [1,T], where grt_ik is the revocation token of user i at time period k. The revocation token is used in Revoke.
– Sign(gpk, j, gsk_i, M): With gpk, time period j and gsk_i as input, a signer generates signature σ on message M.
– Verify(gpk, j, RL_j, σ, M): This algorithm is run by the verifiers. If both of the following sub-algorithms output the value valid, this algorithm outputs the value valid; otherwise, it outputs the value invalid.
  – SignCheck(gpk, j, σ, M): With gpk, this sub-algorithm outputs the value valid if σ is an honest signature on message M; otherwise, it outputs the value invalid.
  – RevCheck(j, RL_j, σ): This sub-algorithm outputs the value valid if the revocation handle embedded in signature σ is not revoked; otherwise, it outputs invalid.
– Revoke(j, grt_i): This protocol is executed between the GM and all the verifiers to revoke the membership of user i at time period j. On successful execution, verifiers obtain grt_ij and then update their current and future revocation lists (RL_k, ∀k ∈ [j,T]) with the corresponding revocation handles generated using grt_ij.
– Open(reg, j, σ, M): Given a valid signature σ on a message M at time period j, created by a signer i, the group manager outputs the signer's identity i.
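To make the mechanics of Sections 3.1 and 3.2 concrete, the following Python model is added here (it is not code from the paper and it is not SRBE's construction): it reproduces the Equation (1) linkage that breaks Failed Scheme II, then uses a forward hash chain whose state never appears in a report, so that one constant-size token grt_ij lets a verifier fill RL_k for every k in [j, T] (Revoke) and run RevCheck by binary search, while the lists for epochs before j stay untouched. Assumed simplifications: SHA-256 stands in for H_z, the group-signature proof (SignCheck), SRBE's reverse chain and its key binding are omitted, and the seeds are constructed sample values.

```python
import bisect
import hashlib
from typing import Dict, List, Tuple


def H(data: bytes) -> bytes:
    """SHA-256 stands in for the paper's collision-resistant hash H_z (assumption)."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, j: int) -> bytes:
    """Forward hash chain: H^j(SEED)."""
    x = seed
    for _ in range(j):
        x = H(x)
    return x


# ---- Failed Scheme II, Equation (1): p_j = H_z^j(SEED) ----------------------
def eq1_pseudonym(seed: bytes, j: int) -> bytes:
    return hash_chain(seed, j)


def eq1_link_future(p_j: bytes, j: int, T: int) -> Dict[int, bytes]:
    """What any verifier can do under Equation (1): from the p_j seen in one
    report, derive p_{j+1}, ..., p_T and so link every later report of a
    signer who was never revoked."""
    return {k: hash_chain(p_j, k - j) for k in range(j + 1, T + 1)}


# ---- Toy fix (not SRBE's Join step 6): pseudoID = one-way image of chain state
def pseudo_id(chain_state: bytes) -> bytes:
    """PID_j = H("pid" || f_j) with f_j = H^j(SEED), which is never placed in a
    report. Chaining forward needs f_j, so PID_j alone does not give PID_{j+1}."""
    return H(b"pid|" + chain_state)


class Signer:
    """Holds SEED; exposes only PID_ij in reports and f_j as revocation token."""

    def __init__(self, seed: bytes, T: int):
        self.seed, self.T = seed, T

    def chain_state(self, j: int) -> bytes:  # f_j, known to signer and GM only
        return hash_chain(self.seed, j)

    def pseudo_id(self, j: int) -> bytes:  # PID_ij used in epoch j
        return pseudo_id(self.chain_state(j))

    def revocation_token(self, j: int) -> bytes:  # grt_ij: 32 bytes whatever T is
        return self.chain_state(j)

    def report(self, j: int, msg: bytes) -> Tuple[int, bytes, bytes]:
        # The group-signature proof (SignCheck) is omitted in this toy; the report
        # only carries the revocation handle that RevCheck needs.
        return (j, self.pseudo_id(j), msg)


class Verifier:
    """Keeps one sorted revocation list RL_k per epoch k (verifier-local)."""

    def __init__(self, T: int):
        self.T = T
        self.RL: Dict[int, List[bytes]] = {k: [] for k in range(1, T + 1)}

    def revoke(self, j: int, grt_j: bytes) -> None:
        """Revoke(j, grt_i): fill RL_k for every k in [j, T] from one token.
        Epochs before j would need f_{k<j}, a preimage of grt_j, so RL_{k<j}
        stay as they are (backward unlinkability of earlier reports)."""
        state = grt_j
        for k in range(j, self.T + 1):
            bisect.insort(self.RL[k], pseudo_id(state))
            state = H(state)

    def rev_check(self, j: int, pid: bytes) -> bool:
        """RevCheck(j, RL_j, sigma): binary search over RL_j, O(log R).
        Returns True when the handle is not revoked."""
        rl = self.RL[j]
        i = bisect.bisect_left(rl, pid)
        return not (i < len(rl) and rl[i] == pid)

    def verify_report(self, rep: Tuple[int, bytes, bytes]) -> bool:
        j, pid, _ = rep
        return self.rev_check(j, pid)


def demo(T: int = 8, revoke_at: int = 5) -> dict:
    """Constructed walk-through: two signers, one revoked at epoch `revoke_at`."""
    alice = Signer(b"constructed-seed-alice", T)  # constructed sample seeds
    bob = Signer(b"constructed-seed-bob", T)
    v = Verifier(T)
    before = all(v.verify_report(alice.report(j, b"reading")) for j in range(1, T + 1))
    v.revoke(revoke_at, alice.revocation_token(revoke_at))
    after = {j: v.verify_report(alice.report(j, b"reading")) for j in range(1, T + 1)}
    bob_ok = all(v.verify_report(bob.report(j, b"reading")) for j in range(1, T + 1))
    # Equation (1) linkage: the p_3 seen by a verifier is enough to derive p_T.
    eq1_linked = (eq1_link_future(eq1_pseudonym(alice.seed, 3), 3, T)[T]
                  == eq1_pseudonym(alice.seed, T))
    return {"before": before, "after": after, "bob_ok": bob_ok,
            "eq1_linked": eq1_linked,
            "token_bytes": len(alice.revocation_token(revoke_at))}


if __name__ == "__main__":
    print(demo())
```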
3.3 Security Definitions

In the security definitions of SRBE, we consider that the total number of signers in the group is N and the total number of time periods is T. The SRBE scheme needs to satisfy the following properties.

Definition 3.1. (Signature Correctness): The scheme is correct if and only if, for all (gpk, reg, gsk_i, grt_i) generated by the KeyGen and Join algorithms, every signature generated by signer i ∈ [1,T] using the Sign algorithm is flagged as valid by the Verify algorithm in time period j ∈ [1,T], except when the signer is revoked using the Revoke algorithm; formally,
Verify(gpk, j, RL_j, Sign(gpk, j, gsk_i, M), M) = valid iff signer i is not revoked at time period j, ∀i ∈ [1,N] and ∀j ∈ [1,T].

Definition 3.2. (Identity Correctness): The scheme is correct if and only if, for all (gpk, reg, gsk_i, grt_i) generated by the KeyGen and Join algorithms and every signature generated by signer i ∈ [1,N] using the Sign algorithm in time period j ∈ [1,T], the Open algorithm outputs i; formally,
Open(reg, j, Sign(gpk, j, gsk_i, M), M) = i, ∀i ∈ [1,N] and ∀j ∈ [1,T].

Definition 3.3. (BU-anonymity): A group signature scheme is said to satisfy the backward unlinkability or BU-anonymity property if the probability of winning the following game is negligibly small for any Probabilistic Polynomial Time (PPT) algorithm A.
Setup: The challenger B runs KeyGen(1^λ) and Join, ∀i ∈ [1,N]. She obtains gpk, the gsk_i's and reg. She sends gpk to A.
Queries: At the beginning of each period j, A announces the beginning of j to B, so that they both increment j simultaneously. At any time period j ∈ [1,T], algorithm A can make queries to the challenger, as follows.
– Signing: Algorithm A requests a signature on an arbitrary message M for an arbitrary member i. The challenger computes σ ← Sign(gpk, j, gsk_i, M) and returns the signature σ to A.
– Corruption: Algorithm A requests the secret key of signer i. The challenger responds with the key gsk_i.
– Revocation: Algorithm A requests the revocation token of the signer i at time interval j. The challenger responds with the revocation token grt_ij.
Challenge: Algorithm A outputs a message M, a time period j* and two signers i_0, i_1, who are neither corrupted nor revoked at time period j*. The challenger chooses a bit b ←R {0,1} uniformly at random, computes a signature on M by signer i_b as σ* ← Sign(gpk, j*, gsk_{i_b}, M) and provides σ* to A.
Restricted Queries: After obtaining the challenge, algorithm A is allowed to make additional queries of the challenger, restricted as follows.
– Signing: As before, but if A issues any signing queries for i_0 or i_1 at time period j*, B reports failure and exits.
– Corruption: As before, but if A issues corruption queries for i_0 or i_1 at any period, B reports failure and exits.
– Revocation: As before, but A can only issue revocation queries for i_0 and i_1 at periods strictly later than j*.
Output: Finally, A outputs a guess b' ∈ {0,1}. The adversary wins if b' = b. We define her advantage in attacking the scheme to be |Pr[b = b'] − 1/2|.

Definition 3.4. (Traceability): We say that the proposed group signature scheme is traceable if the probability of winning the following game is negligibly small for each PPT algorithm A.
Setup: The challenger B runs KeyGen(1^λ) and Join, ∀i ∈ [1,N]. She obtains gpk, gsk, grt and reg. She sends gpk and grt to A and sets U ← ∅.
Queries: At the beginning of each period j, A announces the beginning of j to B, so that they both increment j simultaneously. At any time period j ∈ [1,T], algorithm A can issue queries to the challenger, as follows.
– Signing: Algorithm A requests a signature on an arbitrary message M for an arbitrary member i. The challenger computes σ ← Sign(gpk, j, gsk_i, M) and returns the signature σ to A.
– Corruption: Algorithm A requests the secret key of signer i. The challenger sets U ← U ∪ {i} and responds with the key gsk_i.
Output: Algorithm A outputs a message M* and a signature σ* for time period j*. A wins if:
1. SignCheck(gpk, j*, σ*, M*) returns valid;
2. σ* traces to some signer outside of U or the Open algorithm fails; and
3. A did not obtain σ* by making a signing query on message M*.

Definition 3.5. (Exculpability): A VLR group signature scheme is said to satisfy the exculpability property if no PPT algorithm can forge a signature that can be attributed to an honest (i.e., not corrupted) member such that the member cannot dispute it. Formally, the probability of winning the following game is negligibly small for any PPT algorithm A.
Setup: The challenger runs KeyGen(1^λ). She obtains gpk, gms and reg. She stores gpk and sends gpk, gms and reg to A. The challenger initializes a list of revocation lists {RL_j} as empty, ∀j ∈ [1,T].
Queries: At the beginning of each period j, A announces the beginning of j to B, so that they both increment j simultaneously. At any time period j ∈ [1,T], algorithm A can make queries to the challenger, as follows.
– Join: Algorithm A requests the creation of a new signer i ∈ [1,N] at period j. The challenger performs the Join protocol as the new user with A and gets gsk_i, where A plays the role of the group manager. A gets a revocation token list grt_i for the member and an entry reg_i to be inserted into the registration list reg.
– Signing: Same as in the BU-anonymity game.
– Corruption: Algorithm A requests the secret key of signer i. The challenger responds with the key gsk_i. The challenger updates its current and future revocation lists (RL_k, ∀k ∈ [j,T]) with the corresponding revocation handles generated using grt_ij.
Challenge: Algorithm A outputs a message M*, a time period j*, a signature σ* and a signer i*. We say that A wins the game if all the following statements hold:
1. A did not obtain σ* from a signing query on M*.
2. SignCheck(gpk, j*, σ*, M*) returns valid.
3. Open(reg, j*, σ*, M*) = i*.
4. A did not corrupt signer i*.
5. The challenger cannot dispute the knowledge of signer i*'s secret key gsk_{i*} such that A did not obtain σ* using gsk_{i*}.

Condition 5 was formalized in [62]. Note that, like other standard group signature schemes, this exculpability game assumes honest execution of KeyGen(1^λ). However, an exculpability guarantee without such an assumption is still open.

4 SRBE Construction

Our SRBE group signature scheme is based on bilinear maps, which are one of the most widely used mathematical tools to build numerous cryptographic schemes (e.g., signatures [63], aggregate signatures [64], group signatures [16], role-based signatures [65], identity-based encryption [66–68], etc.). Our security and anonymity guarantees rely on several cryptographic assumptions, including the Decision Linear (DLIN) assumption [69], the Discrete Logarithm (DL) assumption, and the q-Bilinear Strong Diffie-Hellman (BSDH) assumption [25]. They are defined next.

Definition 4.1. Let $\mathbb{G}_1$, $\mathbb{G}_2$ and $\mathbb{G}_T$ be three multiplicative cyclic groups of prime order p. $g_1$ is a generator of $\mathbb{G}_1$ and $g_2$ is a generator of $\mathbb{G}_2$. ψ is an isomorphism between $\mathbb{G}_2$ and $\mathbb{G}_1$ with an efficiently computable homomorphism in both directions. We say e is a bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ with the following properties:
1. Bilinear: for all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$ and $a, b \in \mathbb{Z}_p^*$, $e(u^a, v^b) = e(u, v)^{ab}$.
2. Non-degenerate: $e(g_1, g_2) \neq 1$.

Definition 4.2. The DLIN Problem in $\mathbb{G}$ is defined as follows. Given $u, v, h, u^a, v^b, z \in \mathbb{G}$, where $a, b \in \mathbb{Z}_p^*$, as inputs, one needs to output yes if $z = h^{a+b}$, or to output no if $z \leftarrow_R \mathbb{G}$. We say that the (t, ε)-DLIN assumption holds in $\mathbb{G}$ if no polynomial t-time algorithm has an advantage of at least ε at solving the DLIN problem in $\mathbb{G}$.

Definition 4.3. The q-BSDH Problem in $(\mathbb{G}_1, \mathbb{G}_2)$ is defined as follows. Given a (q+2)-tuple $(g_1, g_2, g_2^{\gamma}, \cdots, g_2^{\gamma^q})$ as inputs, the problem is to output a pair $(e(g_1, g_2)^{1/(\gamma + x)}, x)$, where $x \in \mathbb{Z}_p^*$, $g_2 \leftarrow_R \mathbb{G}_2$, $g_1 = \psi(g_2)$, and $\gamma \leftarrow_R \mathbb{Z}_p^*$. We say that the (q, ε)-BSDH assumption holds in $(\mathbb{G}_1, \mathbb{G}_2)$ if no polynomial t-time algorithm has an advantage of at least ε at solving the BSDH problem in $(\mathbb{G}_1, \mathbb{G}_2)$.

Definition 4.4. The DL Problem in $\mathbb{G}_1$ is defined as follows. Given $g, g^a \in \mathbb{G}_1$, where $a \in \mathbb{Z}_p^*$, as inputs, output a. We say that the (t, ε)-DL assumption holds in $\mathbb{G}_1$ if no polynomial t-time algorithm has an advantage of at least ε at solving the DL problem in $\mathbb{G}_1$.

The SRBE scheme also uses $H_z : \{0,1\}^* \to \mathbb{Z}_p$ and $H_g : \{0,1\}^* \to \mathbb{G}_2^2$ [70] as collision-resistant hash functions treated as random oracles, where $H_z$ and $H_g$ are considered to be public knowledge.

Note that the bilinear map we use here is of Type-I, which is necessary for an efficient instantiation of $H_g$ [71]. If $\mathbb{G}_1 = \mathbb{G}_2$, then ψ is an identity map, which is trivial to calculate. By considering the more general case of a Type-I bilinear map, where $\mathbb{G}_1 \neq \mathbb{G}_2$ but there exists an efficiently computable bilinear map e and isomorphism ψ, we can take advantage of certain fam-

j ilies of non-supersingular elliptic curves (e.g., MNT [72]) to HCj = Hz (SEEDi1) obtain short signatures. As shown in [69], our security assump- T +1−j RHCT +1−j = Hz (SEEDi2) (2) tions hold for generic bilinear maps, including G1 = G2 or PIDij = Hz(HCj ⊕ RHCT +1−j) 1 6= 2 with efficiently computable e and ψ. G G x Here Hz (.) means applying the hash function Hz for x times. 4.1 SRBE Scheme (The mechanism of using multiple cryptographic hash chains In this section, we present our SRBE group signature scheme, was also employed in [73] to protect user privacy in location- which extends the classic VLR-based group signature scheme based systems.) T by Boneh and Shacham [16]. SRBE stands for sublinear revo- 7. GM computes πi = Πj=1(γ1 + γ2τj + PIDij), ∀j ∈ 1 cation with backward unlinkability and exculpability. We de- πi 0 πi [1,T ] . Then computes, Ai = Fi and Bi = g2 . fine, τj = Hz(j), ∀j ∈ [1,T ]. 0 πi/(γ1+γ2τj +PIDij ) λ 8. GM computes, C = g , ∀j ∈ [1,T ]. KeyGen(1 ): For the given security parameter λ ∈ N, ij 2 In the most unlikely case, if πi = 0, restart from step 1. this algorithm chooses a bilinear group pair (G1, G2), with λ- 0 0 bit prime order p and isomorphism ψ. Then it generates the 9. GM defines gski = (SEEDi1, SEEDi2,Ai, Bi, 0 0 group public key gpk and the group manager’s secret gms {Cij}), ∀j ∈ [1,T ] and sends gski to user. 0 0fi 0fi through the following steps. 10. Using gski, user calculates Bi = Bi and Cij = Cij , R 1. Select a generator g2 ←−− G2 and set g1 = ψ(g2) such ∀j ∈ [1,T ] and stores them. that g is a generator of . 0 1 G1 11. Using gski, user also calculates PIDij, ∀j ∈ [1,T ] as R ∗ γ1 γ2 e(A ,B ) = e(g , g ) e(g ,B ) 2. Select γ1, γ2 ←−− Zp and compute w1 = g2 , w2 = g2 . before and verifies i i 1 2 and 1 i τj PIDij = e(ψ(w1)ψ(w2 )g1 ,Cij), ∀j ∈ [1,T ]. The group public key is defined as gpk = (g1, g2, w1, w2) and 12. 
On successful verification, user stores the secret key gski the group manager’s secret key is defined as gms = (γ1, γ2). = (fi, SEEDi1, SEEDi2, Ai, Bi, {Cij}), ∀j ∈ [1,T ], Finally, the algorithm sets the registration list reg to empty otherwise discards them and outputs error. and outputs (gpk, gms). Note that, only group manager has the access to the registration list reg. On successful execution, the user i gets the secret key gski = (fi, SEEDi1, SEEDi2, Ai, Bi, {Cij}), ∀j ∈ [1,T ]. Join: The interactive protocol is performed securely be- The GM updates reg with an entry regi = (Fi,PIDi) tween the group manager (GM) and a new user i. Steps 6, 7 and gets revocation token list grti = {grtij}, where j and 8 are the most important steps of join protocol. Step 6 gen- grtij = (Hz (SEEDi1),SEEDi2), ∀j ∈ [1,T ]. The GM erates pseudoIDs to ensure BU-anonymity and also enables erases the intermediate hash values HCs and RHCs. the scheme to have constant sized revocation token. Steps 7 and 8 embed pseudoIDs in the secret parameters by preserv- Sign(gpk, j, gski,M): The inputs to the signing al- ing identity correctness. gorithm include the group public key gpk, time period j, R ∗ 1. GM sends a nonce ni ←−− Zp to the User. the signer’s secret key gski, and the message to be signed 1 ∗ R M ∈ {0, 1} . This algorithm generates a signature σ on M 2. User selects f ←−− ∗ and sets F = g fi . User chooses i Zp i 1 using the following steps. R r ←−− ∗ and computes R = grf . User also computes f Zp 1 1. Compute PIDij as before. c c = Hz(gpk, Fi, R, ni) and sf = rf + . User reselects fi 2. To generate a signature in the time period j, use c fi, in the most unlikely case when = 1. fi (Ai,Bi,Cij,PIDij) as the credentials for signing. Af- 3. User sends (F , c, s ) to GM. i f ter this time interval, discard the PIDij. When all the 0 sf −c R ∗ 4. GM computes R = g1 Fi and checks that sf ←−− Zp pseudoIDs are exhausted, group manager should run the 0 and c = Hz(gpk, Fi,R , ni). 
Join algorithm again to generate new set of secret keys R ∗ and pseudoIDs (gski) for the user. 5. GM selects two secret seeds SEEDi1,SEEDi2 ←−− Zp. R 3. Select r ←−− ∗ Compute (ˆu, vˆ) = 6. GM generates PIDij, ∀j ∈ [1,T ] using the following Zp equation (Equation 2) and then sets the list of pseudoIDs Hg(gpk, r, M, P IDij). Also calculate their images in , set u = ψ(ˆu), v = ψ(ˆv). PIDi = {PIDij}, ∀j ∈ [1,T ]. G1 R ∗ α 4. Select α, β, δ ←−− Zp, and compute T1 = u ,T2 = α β δ Aiv ,T3 = Bi and T4 = Cij. 5. Compute the signature of knowledge (SPK), V which is expressed as follows. Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocation 412

$$V = SPK\{(\alpha, \beta, \delta, A_i, B_i, C_{ij}) : T_1 = u^{\alpha} \wedge T_2 = A_i v^{\alpha} \wedge T_3 = B_i^{\beta} \wedge T_4 = C_{ij}^{\delta} \wedge e(A_i, B_i) = e(g_1, g_2) \wedge e(g_1, B_i) = e(g_1^{\gamma_1} g_1^{\gamma_2 \tau_j} g_1^{PID_{ij}}, C_{ij})\}(M)$$
$$= SPK\{(\alpha, \beta, \delta, A_i, B_i, C_{ij}) : T_1 = u^{\alpha} \wedge e(T_2, T_3) = e(v, T_3)^{\alpha} e(g_1, g_2)^{\beta} \wedge 1 = e(g_1, T_3)^{\delta} e(\psi(w_1)\psi(w_2^{\tau_j}) g_1^{PID_{ij}}, T_4)^{-\beta}\}(M)$$

This SPK is computed with the following steps.
(a) Select blinding factors $r_\alpha, r_\beta, r_\delta \xleftarrow{R} \mathbb{Z}_p^*$ and compute
$$R_1 = u^{r_\alpha}, \quad R_2 = e(v, T_3)^{r_\alpha} e(g_1, g_2)^{r_\beta}, \quad R_3 = e(g_1, T_3)^{r_\delta} e(\psi(w_1)\psi(w_2^{\tau_j}) g_1^{PID_{ij}}, T_4)^{-r_\beta}.$$
(b) Compute the challenge $c = H_z(gpk, M, j, PID_{ij}, T_1, T_2, T_3, T_4, R_1, R_2, R_3)$.
(c) Compute the responses $s_\alpha = r_\alpha + c\alpha$, $s_\beta = r_\beta + c\beta$ and $s_\delta = r_\delta + c\delta$.

The output of this algorithm is the signature $\sigma = (r, PID_{ij}, T_1, T_2, T_3, T_4, c, s_\alpha, s_\beta, s_\delta)$.

$\mathsf{Verify}(gpk, j, RL_j, \sigma, M)$: The verification algorithm takes the group public key $gpk$, the revocation list $RL_j$ at time period $j$, the signature $\sigma$ and the message $M$ as input. Using the following two sub-algorithms, it verifies (1) whether the signature was honestly generated and (2) the revocation status of the pseudoID $PID_{ij}$ embedded in $\sigma$. If both sub-algorithms output valid, this algorithm outputs valid; otherwise it outputs invalid.

(a) $\mathsf{SignCheck}(gpk, j, \sigma, M)$: With the group public key $gpk$ and a signature $\sigma$ on a message $M$, this sub-algorithm outputs valid if $\sigma$ is a valid signature on $M$, as follows.
1. Compute $(\hat{u}, \hat{v}) = H_g(gpk, r, M, PID_{ij})$ and their images in $\mathbb{G}_1$, $u = \psi(\hat{u})$ and $v = \psi(\hat{v})$.
2. Retrieve
$$\tilde{R}_1 = u^{s_\alpha} T_1^{-c}, \quad \tilde{R}_2 = e(v, T_3)^{s_\alpha} e(g_1, g_2)^{s_\beta} e(T_2, T_3)^{-c}, \quad \tilde{R}_3 = e(g_1, T_3)^{s_\delta} e(\psi(w_1)\psi(w_2^{\tau_j}) g_1^{PID_{ij}}, T_4)^{-s_\beta}.$$
3. Check the correctness of the challenge $c$ as
$$c \stackrel{?}{=} H_z(gpk, M, j, PID_{ij}, T_1, T_2, T_3, T_4, \tilde{R}_1, \tilde{R}_2, \tilde{R}_3).$$
If the equation holds, this sub-algorithm outputs valid; otherwise it outputs invalid.

(b) $\mathsf{RevCheck}(j, RL_j, \sigma)$: The inputs to the revocation check are the $PID_{ij}$ embedded in the signature $\sigma$ and the revocation list $RL_j$. The purpose of this sub-algorithm is to check whether $PID_{ij}$ exists in $RL_j$; since $RL_j$ is kept sorted, the check is a fast binary search in $RL_j$. It outputs invalid if $PID_{ij}$ is found (the signer has been revoked) and valid otherwise.

$\mathsf{Revoke}(j, grt_i)$: If the membership of signer $i$ needs to be revoked, the GM initiates this protocol by broadcasting the revocation token $grt_{ij}$ from signer $i$'s revocation token list $grt_i$ at time period $j$ to the verifiers. Upon receiving it, the verifiers calculate the revoked user's current and future pseudoIDs using Equation 2 and update their revocation lists $RL_k$, $\forall k \in [j,T]$, by inserting the pseudoID $PID_{ik}$ in sorted order. Note that $grt_{ij}$ yields only $HC_k$ for $k \geq j$; the earlier pseudoIDs stay hidden, which is what keeps pre-revocation signatures unlinkable.

$\mathsf{Open}(reg, j, \sigma, M)$: With a valid signature $\sigma$ on message $M$, the actual signer of the signature is identified using the following steps.
1. Search the registration list $reg$ for the signer $i$ who generated the signature $\sigma$ with the pseudoID $PID_{ij}$ at time period $j$.
2. If a match is found, output $i$; otherwise, output 0 to indicate a failure.

4.2 Security Analysis

It can be shown that SRBE satisfies the signature correctness and identity correctness properties by following the frameworks discussed in [16]. Here, we prove the BU-anonymity (Theorem 4.5), traceability (Theorem 4.6) and exculpability (Theorem 4.7) properties of SRBE under the DLIN assumption, the BSDH assumption and the DL assumption, respectively. Proofs are provided in Appendix A.

Theorem 4.5. (BU-Anonymity). In the random oracle model, suppose an algorithm $\mathcal{A}$ breaks the BU-anonymity of the SRBE scheme with an advantage of $\epsilon$ after $q_H$ hash queries and $q_S$ signing queries. Then there exists an algorithm $\mathcal{B}$ that breaks the DLIN assumption with an advantage of $\frac{\epsilon}{2}\left(\frac{1}{N^2} - \frac{q_S q_H}{p}\right)$.

Theorem 4.6. (Traceability). In the random oracle model, suppose an algorithm $\mathcal{A}$ breaks the traceability of SRBE with an advantage of $\epsilon$ after $q_H$ hash queries. Then there exists an algorithm $\mathcal{B}$ that breaks the $q$-BSDH assumption with an advantage of $(\epsilon/N - 1/p)^2 / (16 q_H)$, where $q = (N+1)T$.

Theorem 4.7. (Exculpability). In the random oracle model, suppose an algorithm $\mathcal{A}$ breaks the exculpability of SRBE with an advantage of $\epsilon$. Then there exists an algorithm $\mathcal{B}$ that breaks the DL assumption with non-negligible probability.

Note that, like other GS schemes in the Random Oracle Model (ROM), the reductions to the standard assumptions for all these theorems are non-tight.
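The following Python example is added here by the editor and is not part of the original paper or its prototype. It exercises two pieces of Section 4.1 without a pairing library: the Join proof of knowledge (steps 2–4, a Schnorr proof of $1/f_i$ behind $F_i = g_1^{1/f_i}$, made non-interactive with the GM's nonce) and the pseudoID hash chains of Equation 2 together with $\mathsf{Revoke}$ and $\mathsf{RevCheck}$. The bilinear group $\mathbb{G}_1$ is replaced by a toy order-509 subgroup of $\mathbb{Z}_{1019}^*$ (the parameters P, Q, G are illustrative and far too small for real use), $H_z$ is instantiated with SHA-256, the seeds and the gpk tuple are constructed placeholders, and all function names are the example's own. It shows that a tampered or replayed Join response is rejected, and that a revocation token issued at period $j$ lets a verifier fill $RL_j, \ldots, RL_T$ while the pseudoIDs of periods before $j$ are never derivable from it.

```python
import hashlib
import random
from bisect import bisect_left

# Toy stand-in for G1 (hypothetical parameters, not the paper's):
# safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def hz_int(*parts) -> int:
    """Hz modelled as SHA-256 over a length-delimited encoding of the inputs."""
    h = hashlib.sha256()
    for x in parts:
        b = str(x).encode()
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big")

# --- Join, steps 2-4: Schnorr proof of knowledge of 1/f_i behind F_i = g1^{1/f_i} ---
def user_join_message(gpk, nonce, rng):
    """User side: returns f_i and (F_i, c, s_f) with s_f = r_f + c/f_i."""
    while True:
        f = rng.randrange(1, Q)
        inv_f = pow(f, -1, Q)             # 1/f_i in the exponent group Z_Q
        F = pow(G, inv_f, P)
        r = rng.randrange(1, Q)
        R = pow(G, r, P)
        c = hz_int(gpk, F, R, nonce)
        if c * inv_f % Q == 1:            # the protocol reselects f_i when c/f_i = 1
            continue
        return f, (F, c, (r + c * inv_f) % Q)

def gm_check(gpk, nonce, msg) -> bool:
    """GM side: R' = g1^{s_f} F_i^{-c}; accept iff c = Hz(gpk, F_i, R', n_i)."""
    F, c, s = msg
    if not (1 < F < P and pow(F, Q, P) == 1 and 0 <= s < Q):
        return False                       # F_i must lie in the order-Q subgroup
    R_prime = pow(G, s, P) * pow(F, -c, P) % P
    return hz_int(gpk, F, R_prime, nonce) == c

# --- Join step 6 / Revoke / RevCheck: pseudoID hash chains (Equation 2) ---
def hz_iter(seed: bytes, times: int) -> bytes:
    """Hz^times(seed) with Hz = SHA-256."""
    for _ in range(times):
        seed = hashlib.sha256(seed).digest()
    return seed

def pseudo_id(hc: bytes, rhc: bytes) -> bytes:
    """PID_ij = Hz(HC_j xor RHC_{T+1-j})."""
    return hashlib.sha256(bytes(a ^ b for a, b in zip(hc, rhc))).digest()

def gm_pseudo_ids(seed1, seed2, T):
    """All PID_ij, j in [1, T], as computed by the GM (and the user, who holds both seeds)."""
    return {j: pseudo_id(hz_iter(seed1, j), hz_iter(seed2, T + 1 - j)) for j in range(1, T + 1)}

def revocation_token(seed1, seed2, j):
    """grt_ij = (Hz^j(SEED_i1), SEED_i2): constant size, independent of T."""
    return hz_iter(seed1, j), seed2

def pids_from_token(token, j, T):
    """Verifier side of Revoke: PID_ik for k in [j, T] only. HC_k for k >= j is
    Hz^(k-j)(HC_j); HC_k for k < j would need a preimage of HC_j, so earlier
    pseudoIDs (and the signatures carrying them) stay unlinkable after revocation."""
    hc_j, seed2 = token
    return {k: pseudo_id(hz_iter(hc_j, k - j), hz_iter(seed2, T + 1 - k)) for k in range(j, T + 1)}

class RevocationLists:
    """RL_1..RL_T kept sorted, so RevCheck is a binary search: O(log R)."""
    def __init__(self, T):
        self.rl = {k: [] for k in range(1, T + 1)}
    def revoke(self, token, j, T):
        for k, p in pids_from_token(token, j, T).items():
            pos = bisect_left(self.rl[k], p)
            if pos == len(self.rl[k]) or self.rl[k][pos] != p:
                self.rl[k].insert(pos, p)     # sorted insert, as in Revoke
    def is_revoked(self, k, p) -> bool:
        pos = bisect_left(self.rl[k], p)
        return pos < len(self.rl[k]) and self.rl[k][pos] == p

def demo(T=10, revoke_at=4, seed=7):
    rng = random.Random(seed)
    gpk = ("g1", "g2", "w1", "w2")          # placeholder gpk; only hashed here
    nonce = rng.randrange(1, Q)
    f, msg = user_join_message(gpk, nonce, rng)
    join_ok = gm_check(gpk, nonce, msg)
    F, c, s = msg
    tampered = gm_check(gpk, nonce, (F, c, (s + 1) % Q))   # altered response must fail
    replayed = gm_check(gpk, nonce + 1, msg)               # wrong nonce must fail
    seed1, seed2 = b"\x01" * 32, b"\x02" * 32               # constructed seeds
    pids = gm_pseudo_ids(seed1, seed2, T)
    rls = RevocationLists(T)
    rls.revoke(revocation_token(seed1, seed2, revoke_at), revoke_at, T)
    status = {k: rls.is_revoked(k, pids[k]) for k in range(1, T + 1)}
    return join_ok, tampered, replayed, status
```

demo() returns (join_ok, tampered, replayed, status); with T = 10 and revocation at period 4, status is False for periods 1–3 and True for periods 4–10. Each RevCheck is one bisect over a sorted list, and the sorted insert in revoke() is the per-period work of Revoke, which is why both are logarithmic in the list size.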

4.3 Complexity Analysis

A. Computational Overhead

We implemented four state-of-the-art group signature schemes, CLHZ [48], BS [16], BCNSW [26] and GSPR [11], for performance comparison; the results, shown in Figure 2 in Section 6.2, confirm our fast revocation property. Of these, only CLHZ supports backward unlinkability. In this section, we theoretically compare their computational and communication overhead. Note that all the selected schemes are VLR-based; as explained in Section 2, VLR-based schemes are best suited for crowdsensing applications. GSPR is the only scheme with probabilistic revocation, and all signatures generated by a GSPR signer within an epoch are linkable.

In Table 1, we compare the most frequent operations of these schemes in terms of exponentiations, bilinear operations and overall runtime complexity. In the runtime complexity, $R$ denotes the size of the revocation list; for GSPR, $T$ denotes the number of time periods. We consider only the computationally most expensive operations, i.e., exponentiation in $\mathbb{G}_1$, $\mathbb{G}_2$ or $\mathbb{G}_T$ and bilinear operations. Since in our implementation $\mathbb{G}_1 = \mathbb{G}_2$, the application of the isomorphism is not counted. For both Sign and SignCheck, BCNSW is the most efficient scheme. For SRBE, $w_2^{\tau_j}$ and $e(g_1, g_2)$ can be precomputed for both signature generation and verification. Some other expensive operations of the signing algorithm are also independent of the message, so further precomputation is feasible; we implemented it and report the results in Table 3. Although GSPR supports only probabilistic revocation, the fast runtime of the RevCheck algorithm in both SRBE and GSPR is noticeable. On the other hand, for the Revoke operation, only SRBE and GSPR have non-constant runtime complexity. However, unlike revocation checking, which is frequent, member revocation is rare. The small increase is justified, as it substantially improves revocation checking from $O(R)$ to $O(\log_2 R)$.

Table 1. Comparison of computational overhead.

Scheme        Function    Exp. in G1/G2   Exp. in GT   Bilinear Ops.   Big O
SRBE (Ours)   Sign        5               4            3               O(1)
              SignCheck   3               5            4               O(1)
              RevCheck    0               0            0               O(log2 R)
              Revoke      0               0            0               O(log2 R)
CLHZ [48]     Sign        7               5            5               O(1)
              SignCheck   7               6            7               O(1)
              RevCheck    R               0            0               O(R)
              Revoke      0               0            0               O(1)
BS [16]       Sign        5               3            3               O(1)
              SignCheck   4               4            4               O(1)
              RevCheck    0               0            R + 1           O(R)
              Revoke      0               0            0               O(1)
BCNSW [26]    Sign        3               1            1               O(1)
              SignCheck   0               2            5               O(1)
              RevCheck    0               0            R + 2           O(R)
              Revoke      0               0            0               O(1)
GSPR [11]     Sign        6               4            3               O(1)
              SignCheck   2               5            4               O(1)
              RevCheck    0               0            0               O(1)
              Revoke      0               0            0               O(T)

B. Communication Overhead

Communication costs in terms of the sizes of the various messages are shown in Table 2. Here $T$ is the number of time periods. In dynamic crowdsensing environments, the sizes of signatures and revocation tokens are arguably the most important, because only these two messages are exchanged repeatedly for a user (the user sends signatures to the verifier; the group manager sends revocation tokens to multiple verifiers). The sizes of SRBE's revocation tokens and public keys are much smaller than those of CLHZ and GSPR, and comparable to BS and BCNSW. SRBE's signature is shorter than CLHZ's and comparable to GSPR's, but longer than BCNSW's and BS's. Although private key parameters are exchanged far less often than the other messages, the private key is significantly larger for SRBE and CLHZ than for the other three schemes. In SRBE, the growth of the private key is due to the $PID$ and $C$ values.

Table 2. Comparison of communication overhead.

Scheme        Message      Elem. in Zp*   Elem. in G1/G2   Numbers
SRBE (Ours)   Pub. Key     0              4                0
              Priv. Key    2              T + 2            0
              Sign.        6              4                0
              Rev. Token   2              0                0
CLHZ [48]     Pub. Key     0              6                0
              Priv. Key    T + 1          T                1
              Sign.        5              4                2
              Rev. Token   T              0                0
BS [16]       Pub. Key     0              3                0
              Priv. Key    1              1                0
              Sign.        5              2                0
              Rev. Token   0              1                0
BCNSW [26]    Pub. Key     0              2                0
              Priv. Key    1              3                0
              Sign.        2              3                0
              Rev. Token   0              1                0
GSPR [11]     Pub. Key     0              T + 2            0
              Priv. Key    1              1                0
              Sign.        5              4                0
              Rev. Token   0              0                1

One can reduce the space complexity of the private key in SRBE for low-storage devices as follows. Only one $PID$ and one $C$ are used in a single time period, so the group manager can securely send them to the signing device on demand. On receiving the current values, the device can discard the previous values of $PID$ and $C$, which reduces the linear space complexity of the signing device to constant. Adopting this mechanism also reduces the computational delay of private key verification during the Join protocol.

Overall, SRBE makes an advantageous trade-off between computational and communication overhead. When considering scalability, a significant reduction in computational overhead is far more valuable, even at the cost of a slight increase in communication overhead. In addition, the backward unlinkability property of SRBE is useful in dynamic group settings.

5 SRBE Application in Groupsensing

We define groupsensing as a controlled crowdsensing scenario where data submission is limited to members of a pre-authorized sensing group. Non-members without proper sensing group credentials cannot submit valid data reports. We show how our SRBE group signature can be applied to realize anonymous-yet-accountable groupsensing.

Our prototype GROUPSENSE is composed of three types of entities: the participant's device (PD), the data-collection server (DCS), and a trusted group manager (GM) (i.e., the group manager in SRBE). GROUPSENSE allows participants to anonymously sign sensory data and submit it to a semi-honest data-collection server. The data collector performs signature verification and revocation checking. However, it is unable to track participants even after revocation, as data submitted by the same participant is backward unlinkable. The trusted group manager is responsible for credential and revocation management and possible reward distribution, but even the group manager cannot forge signatures for any participant, because of the exculpability property of our SRBE scheme. Our experiments in the next section show that GROUPSENSE has the potential to support massive crowds in practice, with fast signature verification coupled with speedy revocation checking.

5.1 Security Model in GroupSense

Threat Model. We focus on three categories of threats.
– Data forgery. Malicious participants may purposely contribute fake data reports (e.g., submit fake traffic congestion reports).
– Identity forgery. Unauthorized individuals and devices that are not part of the group may attempt to submit data reports. In addition, anyone, including the group manager, may attempt to forge the identity of a signer to submit malicious or fake data reports.
– Honest-but-curious data collector. The data-collection server follows the protocol, but may attempt to track a participant through her data reports. This type of adversary is also known as semi-honest. For example, the data-collection server may examine the context and location of sensory data and attempt to pinpoint a participant's IP address history and movement trajectory.

The credential distribution between the group manager and the participants is assumed secure. In addition, we assume that the mobile app on the participant's device is trustworthy, e.g., free of spyware, stealth tracking capability and data-leak vulnerabilities. Advanced collusion and correlation attacks for de-anonymization are out of our scope, e.g., the semi-honest data-collection server colludes with a mobile service provider, or correlates sensory data with known locations of a participant. We assume that external adversaries who may launch disruptive attacks such as DDoS and jamming can be detected with existing solutions. Traffic analysis threats from adversaries external to a groupsensing system (e.g., routers, access points and other network intermediaries) are out of our scope. We explain how anonymous routing (such as Tor) is positioned in GROUPSENSE in the next section.

Security and Privacy Goals. Under the above attack model, GROUPSENSE has three security and privacy goals: accountability (traceability), identity unforgeability and sensing-time anonymity.

Accountability. The sensing group membership of a misbehaving participant can be identified and revoked efficiently.

Identity Unforgeability. In groupsensing, this goal is two-fold. (1) The data-collection server can verify that received data reports come from valid group members, so that any data submission from outside the group membership can be automatically discarded. (2) No one, including the group manager, can forge the identity of a valid signer.

Sensing-time Anonymity. The data reports submitted by a participant do not provide any information that enables the data-collection server to link them with other reports of the same participant, even after the signer is revoked.

Collusion and Correlation Attacks. Although advanced collusion and correlation attacks for de-anonymization are outside our threat model, we briefly describe possible mitigations and open problems. An example of such an attack is a semi-honest data collector that colludes with a participant's mobile service provider to correlate data submission activities with cell phone activities. Another data source useful for correlation attacks is surveillance video of public places and locations, and IP addresses.

For the IP addresses from which a participant connects to the Internet, we distinguish two cases: (1) a public-place IP address (e.g., Wi-Fi at hotels and restaurants) that multiple participants may share, and (2) a private-place IP address (e.g., at a private residence), which can be deterministically mapped to individuals. In the latter case, the data collector can easily link multiple data submissions from a participant's home. Therefore, anonymous routing (such as Tor) is required for data submission from private residences. In the former case, correlation attacks (e.g., with surveillance video of the location) may still enable attackers to link signatures. It is unclear how these advanced correlation attacks can be defended against. The mobile performance of Tor onion routing also needs evaluation in this specific context.

5.2 GroupSense Operations

GROUPSENSE is a crowdsensing prototype that supports anonymity and accountability through the SRBE group signature scheme. The key operations in GROUPSENSE are shown in Figure 1 and are built on SRBE operations. We describe them below.

Initialization and Recruitment: The DCS initiates a crowdsensing campaign by sending a group setup request to the group manager (GM) (step 1). The GM divides the entire data collection period into $T$ time epochs. The GM invokes $\mathsf{KeyGen}(1^\lambda)$ to obtain $(gms, gpk)$, stores $gms$ secretly and distributes $gpk$ to the data-collection server (DCS). During this phase, the DCS specifies the desired sensing tasks, including the sensor readings of interest and the time period and geographic area to sense. It may also specify the task budget and incentive scheme [74]. In this phase, the DCS and GM also agree on the data exchange and communication protocols for their future interactions. For a particular crowdsensing campaign, the GM is responsible for advertising the task and recruiting participants. Interested participants start the Join protocol with the GM to join a campaign. After successful completion of the Join protocol, the GM obtains $(grt_i, reg_i)$ and the participant's device (PD) obtains $(gpk, gsk_i)$ along with the information of the DCS. We assume that the communication between PD and GM during the Join protocol is secured using end-to-end encryption.

Data Collection: Participants perform the sensing task and collect sensory data using the PD. The PD signs each data report using $\mathsf{Sign}(gpk, j, gsk_i, M)$ and sends the data along with the signature $\sigma$ to the DCS (step 3). The DCS then verifies the signature by invoking $\mathsf{Verify}(gpk, j, RL_j, \sigma, M)$. The DCS server is responsible for storing and processing the collected data, including data aggregation and false data detection [75]. On each data submission, the DCS responds with a receipt (a signed acknowledgement) to the PD.

Revocation: After detection of a misbehaving participant (e.g., data submitted by the participant deviates from the normal pattern), the DCS sends the corresponding signature $\sigma$ of that participant to the GM. After receiving the signature, the GM opens it to get the identity of the participant by invoking $\mathsf{Open}(reg, j, \sigma, M)$. The GM then executes the $\mathsf{Revoke}(j, grt_i)$ protocol to send the revocation token $grt_{ij}$ back to the DCS (step 4).

Reward Distribution: The metrics for distributing rewards may depend on the application. In general, the GM is in charge of incentive distribution in GROUPSENSE. If reward distribution requires assessing each participant's contribution, the PD can submit the receipts corresponding to its data submissions to the GM.

Security Analysis. It is straightforward to show that the security goals of GROUPSENSE are achieved by our SRBE group signature scheme: accountability, sensing-time anonymity and identity unforgeability are enforced by the traceability, BU-anonymity and exculpability properties of SRBE, respectively.

In addition, SRBE makes typical Sybil attacks [60, 76] harder on GROUPSENSE by restricting participants to one pseudoID in a given time interval. In a Sybil attack [60], a participating node illegitimately claims multiple identities. GROUPSENSE can support shorter time periods to enforce stronger unlinkability. When all the private keys stored in the participant's device (PD) are exhausted, the PD refills its private parameters by initiating the Join protocol with the GM.

6 Evaluation: SRBE & GroupSense

6.1 Implementation

We implemented all five group signature schemes compared in Tables 1 and 2, namely SRBE (ours), CLHZ [48], BS [16], BCNSW [26] and GSPR [11], in C using the PBC library [77]. We used the "Type A" pairing as internally defined in the library, which is constructed with the supersingular elliptic curve $E : y^2 = x^3 + x$ over the field $\mathbb{F}_q$ for some prime $q \equiv 3 \pmod 4$. As both $\mathbb{G}_1$ and $\mathbb{G}_2$ are groups of points of $E(\mathbb{F}_q)$, this pairing is symmetric. In our implementation, an element of $\mathbb{Z}_p^*$ is represented by 160 bits and an element of $\mathbb{G}_1$ or $\mathbb{G}_2$ by 512 bits, which implies that the security strength of all these implementations is comparable to an RSA signature with a 1024-bit modulus (roughly the 80-bit security level, adequate for a like-for-like performance comparison but below what a new deployment should choose). For the SRBE, CLHZ and GSPR schemes, we assume that the duration of each epoch is one day.

Our GROUPSENSE prototype based on the SRBE group signature scheme consists of (1) an Android mobile app for the PD and (2) the server-side programs for the data collection server (DCS) and the group manager (GM). The server-side applications are implemented on the Java EE platform using the scalable Spring Framework. Both the Android application and the server-side programs use the jPBC library [78] (a Java wrapper of the PBC library). The PD application invokes the joinGroup API of the GM application to join the group and the storeData API to send sensor data to the DCS. In the DCS application, we implemented two services and exposed the corresponding RESTful web service APIs: (1) storeData, to receive and store data from the PD after verifying the signature; (2) revoke, to receive revocation tokens from the GM. In the GM application, we implemented four services and exposed the corresponding RESTful web service APIs: (1) setupGroup, to set up and initialize the group; (2) joinGroup, for the participants to join the campaign; (3) requestRevocation, to receive revocation requests from the DCS; (4) storeContributionAssessments, to receive and store contribution assessment reports from the PD for incentive provisioning.

joinGroup supports both GET and POST requests. The PD initiates the protocol and receives the nonce through a GET request, and submits $F_i$ for credential generation in a POST request, as prescribed by the Join protocol.

6.2 Evaluation

For performance evaluation, we deployed the server-side applications in a Tomcat server running on an Intel(R) Xeon(R) CPU E5-1620 v3 @ 3.50GHz machine. For client-side evaluation, we used a Nexus 7 (1.51 GHz quad-core Krait 300 CPU) and a Nexus 10 (1.7 GHz dual-core Cortex-A15 CPU), both running Android 4.4.2. We simulated real-world environments with the load-testing tool Gatling (http://gatling.io/) while evaluating server-side performance, and present the results as boxes showing the interquartile range (i.e., the 25th and 75th percentiles); the line inside the box depicts the average value, and the whiskers show the minimum and maximum values.

Our performance evaluation of SRBE and GROUPSENSE aims to answer the following questions:
– How long does revocation checking take under thousands of revoked users in the 5 group signature schemes? (Section 6.2.1)
– How long does signing take on Android devices, and what code optimization can be done? (Section 6.2.2)
– How long does the Join protocol take overall (both on Android and on the GM server), and what can be done to minimize the overall delay? (Section 6.2.3)
– How does the GROUPSENSE data-collection server perform during data submissions under stress testing? (Section 6.2.4)
– How does the GROUPSENSE GM server perform during device revocation under stress testing? (Section 6.2.5)

6.2.1 Scalability of Revocation Checking

[Figure 2. RevocationCheck runtime with increasing number of revoked users in the five group signature schemes (BCNSW, BS, CLHZ, GSPR, SRBE); x-axis: number of revoked users, $10^0$ to $10^5$ (log scale); y-axis: computational cost in ms, $10^{-4}$ to $10^6$ (log scale).]

Figure 2 shows the runtime of the RevocationCheck algorithm in all five group signature schemes under a large number of revoked users. The measurements were obtained by averaging over 1,000 runs of each scheme. The experimental results show that SRBE's RevocationCheck with the binary search tree is significantly faster than the others, as expected. From Figure 2, we see that GSPR's runtime does not directly depend on the number of revoked users. However, it depends linearly on the number of iterations and the size of its piecewise-orthogonal codes. We used 20-bit piecewise-orthogonal codes and one iteration. With a linear increase in either of these parameters, the false positive rate decays exponentially, but the computational cost also increases linearly. So it is conceivable that, at a constant negligible false positive rate, GSPR's computational cost would be substantially higher; hence it cannot outperform SRBE.

6.2.2 Android Signing Performance

In Table 3, we show the average signing delay over 20 runs on two Android devices (Nexus 7 and Nexus 10) for SRBE, BS [16] and CLHZ [48]. We see that the relative performance of these schemes is consistent with the theoretical comparison in Table 1. We also measured the signing delay when precomputing the message-independent expensive operations for SRBE.

Table 3. Average signing delays on two different Android devices. tervals. Still we observe that, to acquire pseudoIDs for 50 time Nexus 7 Nexus 10 intervals, overall it takes less than 6s in Nexus 7 and around 4s in Nexus 10, which is faster than the state-of-the art privacy SRBE 2.421s 2.385s BS [16] 2.189s 2.120s preserving crowdsensing systems (e.g., SPPEAR [27]). Note CLHZ [48] 3.082s 2.787s that, the effect of the computational delay in Android devices can be minimized, if GM sends private parameters on demand as mentioned in Section 4.3. precomputed version took on average of 1.806s in Nexus 7 and 1.686s in Nexus 10. Doing precomputations in elliptic curve cryptosystems [79] and group signature [80] are very common 6.2.4 Data-collection Server Performance to speed up the signing performance.

20 SRBE Quartiles CLHZ Quartiles 50 Size of Revocation List: 70K Size of Revocation List: 100 15 40 6.2.3 Join Protocol Performance 30 10 20 5 10 Response Throughput Response Throughput 0 0 In join protocol joinGroup service, GM registers the PD 20 30 40 50 2 4 6 8 10 Submission Rate of Signed Data (per second) Submission Rate of Signed Data (per second) and generates the secret parameters for PD. After receiving (a) SRBE scheme (b) CLHZ scheme the parameters, PD verifies and stores them. Fig. 5. Data submission rate vs. Throughput Quartiles of storeData service.

400 SRBE Quartiles 50000 CLHZ Quartiles 350 Submission Rate: 30/sec Submission Rate: 6/sec 300 40000 250 30000 200 150 20000 100 10000 Response Time (ms) 50 Response Time (ms) 0 0 40K 50K 60K 70K 50 75 100 125 150 Number of Revoked Users Number of Revoked Users (a) SRBE scheme (b) CLHZ scheme

Fig. 3. Computational delay of cryptographic operations during Fig. 6. Revocation list size vs. Response time Quartiles of join protocol in android devices. storeData service.

500 We test the scalability of two implementations of the DCS SRBE Quartiles 450 Request Rate: 10/sec (specifically the storeData service), one with our SRBE 400 350 and one with CHLZ [48] (baseline). We choose CHLZ as the 300 250 baseline, because it supports deterministic revocation (i.e., no 200 false alarms), backward unlinkability (signatures are unlink- 150

Response Time (ms) 100 able, across and within epochs), exculpability and has a revo- 50 0 cation complexity like several other schemes. In storeData 10 20 30 40 50 Number of Time Periods service, DCS verifies the signatures of the submitted data re- ports and after successful verification it stores data or dis- Fig. 4. Number of time periods vs. response time Quartiles of cards otherwise. It is worth-mentioning that, the overall scal- POST requests to joinGroup service. ability of DCS server, solely depends on the performance In Figures 3 4, we show the impact of number of time in- of storeData service, where the revocation check is per- tervals on both PD and GM while performing join protocol. In formed and known to be a bottleneck previously. Figure 5a Figure 3, we report the averages of 20 runs. Note that, the per- illustrates that, the average throughput with SRBE increases formance evaluation shows that the computational overhead of linearly with the data submission rate (before reaching its joinGroup service does not depend on the size of the regis- peak) and Figure 6a illustrates that, the average response time tration list or the revocation list. remains constant with the increase of the size of revocation The result depicts the linear increase of both the compu- list. We kept both the revocation list size and data submission tational delay and response time with the number of time in- rate low for CLHZ, as higher values caused server timeout. Here the revocation list size is measured in terms of users. Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocation 418
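The storeData path described above (verify the signature, then consult the revocation list) is where the two schemes part ways, and the following Python model, added here as an illustration and not code from the paper or from GROUPSENSE, shows why the SRBE curve in Figure 6a stays flat while the baseline's grows with the list. It counts the work of a linear, verifier-local check, in which the verifier re-derives a tag for every revocation token on the list, against a per-epoch set of time-bound pseudoIDs, and it also models the split that the GROUPSENSE revoke API makes between the current revocation list (updated at once) and the upcoming ones (applied asynchronously). Everything in it is an assumption of the toy: pseudoIDs as SHA-256 of a seed and an epoch index, dict-based "signatures" in place of pairing-based ones, and the GroupManager and DataCollectionServer classes; none of this is SRBE's actual construction.

```python
# Added illustration, not the paper's or GROUPSENSE's code: "signatures" are
# SHA-256 digests standing in for the pairing-based group signatures, so only
# the cost and shape of the revocation check is modelled.
from __future__ import annotations
import hashlib
from collections import deque

def H(*parts: bytes) -> bytes:
    h = hashlib.sha256()
    for p in parts:                      # length-prefixed to avoid ambiguity
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

# Linear (VLR-style) baseline: the signer embeds a randomised tag derived from
# her revocation token; the verifier re-derives it for every token on the
# revocation list, so one check costs O(|RL|) hash evaluations.
def vlr_sign(token: bytes, msg: bytes, nonce: bytes) -> dict:
    return {"nonce": nonce, "link": H(b"link", token, nonce), "msg": msg}

def vlr_is_revoked(sig: dict, tokens: list[bytes]) -> tuple[bool, int]:
    """Return (revoked?, hash evaluations spent)."""
    work = 0
    for tok in tokens:
        work += 1
        if H(b"link", tok, sig["nonce"]) == sig["link"]:
            return True, work
    return False, work

# Epoch-bound pseudoID model (assumed simplification of SRBE's idea):
# PID_ij = H(seed_i, j).  Epochs give unrelated values, so earlier signatures
# stay unlinkable; within one epoch the PID repeats (within-epoch linkability).
def pseudo_id(seed: bytes, epoch: int) -> bytes:
    return H(b"pid", seed, epoch.to_bytes(4, "big"))

def srbe_sign(seed: bytes, epoch: int, msg: bytes) -> dict:
    return {"epoch": epoch, "pid": pseudo_id(seed, epoch), "msg": msg}

class DataCollectionServer:
    """One revocation set per epoch: a lookup is O(1) whatever the list size."""
    def __init__(self, num_epochs: int):
        self.rl = {j: set() for j in range(num_epochs)}
        self.pending: deque = deque()    # updates for upcoming epochs

    def is_revoked(self, sig: dict) -> bool:
        return sig["pid"] in self.rl[sig["epoch"]]

    def revoke(self, handles: dict[int, bytes], current_epoch: int) -> None:
        # Current list updated at once, later epochs queued; earlier epochs are
        # never touched, which is what keeps past signatures unlinkable.
        self.rl[current_epoch].add(handles[current_epoch])
        self.pending.extend((j, p) for j, p in handles.items() if j > current_epoch)

    def apply_pending(self) -> int:
        n = 0                            # asynchronous part of the update
        while self.pending:
            j, pid = self.pending.popleft()
            self.rl[j].add(pid)
            n += 1
        return n

class GroupManager:
    """Holds every seed, so it can open a report and derive all epoch handles."""
    def __init__(self, num_epochs: int):
        self.num_epochs = num_epochs
        self.seeds: dict[str, bytes] = {}
        self.reg: dict[bytes, str] = {}  # pseudoID -> user (registration list)

    def join(self, uid: str, seed: bytes) -> None:
        self.seeds[uid] = seed
        for j in range(self.num_epochs):
            self.reg[pseudo_id(seed, j)] = uid

    def open(self, sig: dict) -> str:
        return self.reg[sig["pid"]]

    def revocation_handles(self, uid: str) -> dict[int, bytes]:
        return {j: pseudo_id(self.seeds[uid], j) for j in range(self.num_epochs)}

def demo(n_revoked: int = 1000, epochs: int = 8) -> dict:
    """Run both checks on constructed sample data and report what they cost."""
    tokens = [H(b"tok", str(k).encode()) for k in range(n_revoked)]
    _, work_honest = vlr_is_revoked(vlr_sign(H(b"tok", b"ok"), b"t=21C", b"n1"), tokens)
    _, work_culprit = vlr_is_revoked(vlr_sign(tokens[499], b"t=99C", b"n2"), tokens)
    gm, dcs = GroupManager(epochs), DataCollectionServer(epochs)
    for k in range(n_revoked + 1):
        gm.join(f"u{k}", H(b"seed", str(k).encode()))
    bad = srbe_sign(gm.seeds["u7"], 2, b"noise=60dB")  # report that gets u7 revoked
    dcs.revoke(gm.revocation_handles(gm.open(bad)), current_epoch=2)
    earlier = srbe_sign(gm.seeds["u7"], 1, b"noise=58dB")
    later = srbe_sign(gm.seeds["u7"], 5, b"noise=61dB")
    return {
        "vlr_work_honest": work_honest, "vlr_work_culprit": work_culprit,
        "opened_as": gm.open(bad),
        "now_revoked": dcs.is_revoked(bad),
        "earlier_revoked": dcs.is_revoked(earlier),
        "later_revoked_before_apply": dcs.is_revoked(later),
        "pending_applied": dcs.apply_pending(),
        "later_revoked_after_apply": dcs.is_revoked(later),
    }
```

demo() returns the measurements: with 1000 revoked tokens the linear check spends 1000 hash evaluations on an honest report and 500 on the report whose token sits at position 500, whereas each per-epoch lookup is a single set membership test no matter how long the list is. The report from the epoch before the revocation is still accepted, since only the lists for the current and later epochs are updated (the proof in the appendix likewise updates $RL_k$ only for $k \in [j, T]$), and the later-epoch report is rejected only once the queued updates have been applied.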

6.2.5 Revocation Performance

[Figure 7: (a) GM, SRBE quartiles at a request rate of 10/sec, x-axis Total Participants 40K to 70K, y-axis Response Time (ms) 0 to 400; (b) DCS, SRBE quartiles at a submission rate of 10/sec, x-axis Number of Revoked Users 40K to 70K, y-axis Response Time (ms) 300 to 900.]
Fig. 7. Response time quartiles for both the requestRevocation service of GM and the revoke service of DCS.

After receiving a device revocation request at the requestRevocation API, GM opens the signature to identify the participant and to find the revocation token of the participant. Then GM sends the revocation token asynchronously to the DCS servers by invoking the revoke API. After receiving the revocation token, DCS updates the current revocation list instantly and the upcoming revocation lists asynchronously. In Figures 7a and 7b, we observe that the response time to revoke a participant, at both the GM and the DCS end, does not increase with the size of the registration list (for GM) or the revocation list (for DCS). In GM, the average time it takes to revoke a user is around 150ms, and in DCS it takes around 550ms to update a revocation list, which is an order of magnitude faster than the prior art (e.g., SPPEAR [27] reported 2.3s on average for device revocation). As before, the registration list size and the revocation list size are measured in terms of users. To build the registration list, we considered 100 pseudonyms per user.

6.3 Summary

We summarize our overall performance evaluation below.
(1) On average, the revocation check performance of the SRBE scheme is three orders of magnitude better than the state of the art for a fairly large number of revoked users.
(2) The signing performance of GROUPSENSE with the SRBE scheme on Android devices is comparable to other known group signature schemes. Precomputation of expensive operations gives a fairly good performance gain over the non-precomputed version.
(3) The joining protocol is the most expensive task in GROUPSENSE. Still, the overall delay is shorter than the prior art.
(4) The increase in the average response time of the GROUPSENSE data collection procedure is negligible when we increase the revocation list size from 40K to 70K users. This result is promising, indicating the scalability potential of GROUPSENSE in practical crowdsensing applications.
(5) The performance of the data collection server (DCS) during device revocation under stress testing is also an order of magnitude better than the prior art (e.g., SPPEAR [27]).

7 Conclusion

Our work was motivated by the need to support large-scale anonymous smartphone applications, such as crowdsensing. Our main technical contribution is a provably secure group signature scheme called SRBE that realizes sublinear revocation checking. Revocation checking is a frequently executed operation required for each signature verification. SRBE also provides the typical group signature guarantees, including backward unlinkability. Our fast revocation checking is made possible by utilizing and integrating cryptographic, algorithmic, and data-structural building blocks. We gave a formal and comprehensive security analysis of SRBE and discussed limitations and trade-offs. Another substantial technical contribution is the SRBE-based crowdsensing prototype with Android support called GROUPSENSE, including its security analysis. Our extensive experimental evaluation of GROUPSENSE showed that GROUPSENSE with fast revocation checking scales well as the number of revocation tokens increases.

The significance of our work is that it brings provably secure group signatures closer to large-scale deployment in practice. Such effort on privacy is necessary with the ever-increasing number of user-centric applications.

8 Acknowledgement

We thank Keita Emura for helpful technical discussion on the anonymity properties. We would also like to thank our shepherd, Aggelos Kiayias, and the anonymous reviewers for their help and insightful suggestions. This project has been supported in part by NSF grant CBET-1645121.

References

[1] Mu Lin, Nicholas D. Lane, Mashfiqui Mohammod, Xiaochao Yang, Hong Lu, Giuseppe Cardone, Shahid Ali, Afsaneh Doryab, Ethan Berke, Andrew T. Campbell, and Tanzeem Choudhury. Bewell+: multi-dimensional wellbeing monitoring with community-guided user feedback and energy optimization. In Wireless Health '12, pages 1–8, 2012.
[2] Eiman Kanjo. Noisespy: A real-time mobile phone platform for urban noise monitoring and mapping. Mobile Networks and Applications, 15(4):562–574, 2010.

[3] Bei Pan, Yu Zheng, David Wilkie, and Cyrus Shahabi. Crowd sensing of traffic anomalies based on human mobility and social media. In SIGSPATIAL '13, pages 344–353, 2013.
[4] R. K. Ganti, F. Ye, and H. Lei. Mobile crowdsensing: current state and future challenges. IEEE Communications Magazine, 49(11):32–39, 2011.
[5] Raluca Ada Popa, Andrew J. Blumberg, Hari Balakrishnan, and Frank H. Li. Privacy and accountability for location-based aggregate statistics. In ACM CCS '11, pages 653–666, 2011.
[6] Delphine Christin. Privacy in mobile participatory sensing: Current trends and future challenges. Journal of Systems and Software, 116:57–68, 2016.
[7] Leyla Kazemi and Cyrus Shahabi. A privacy-aware framework for participatory sensing. SIGKDD, 13(1):43–51, 2011.
[8] urged to tighten privacy settings after harvest of user data. www.theguardian.com/technology/2015/aug/09/facebook-privacy-settings-users-mobile-phone-number, August 2015. [Online; accessed 16-May-2016].
[9] NSA Prism program taps in to user data of Apple, and others. http://www.theguardian.com/world/2013/jun/06/us-tech-giants-nsa-data, June 2013. [Online; accessed 16-May-2016].
[10] Facebook admits year-long data breach exposed 6 million users. http://www.reuters.com/article/net-us-facebook-security-idUSBRE95K18Y20130621, June 2013. [Online; accessed 16-May-2016].
[11] Vireshwar Kumar, He Li, Jung-Min "Jerry" Park, Kaigui Bian, and Yaling Yang. Group signatures with probabilistic revocation: A computationally-scalable approach for providing privacy-preserving authentication. In ACM CCS '15, pages 1334–1345, 2015.
[12] Anna Lysyanskaya, Ronald L. Rivest, Amit Sahai, and Stefan Wolf. Pseudonym systems. In SAC '99, pages 184–199, 1999.
[13] David Chaum. Security without identification: Transaction systems to make big brother obsolete. Commun. ACM, 28(10):1030–1044, 1985.
[14] David Chaum and Eugène van Heyst. Group signatures. In EUROCRYPT '91, pages 257–265, 1991.
[15] Aggelos Kiayias, Yiannis Tsiounis, and Moti Yung. Traceable signatures. In EUROCRYPT 2004, pages 571–589, 2004.
[16] Dan Boneh and Hovav Shacham. Group signatures with verifier-local revocation. In ACM CCS '04, pages 168–177, 2004.
[17] Maxim Raya and Jean-Pierre Hubaux. Securing vehicular ad hoc networks. Journal of Computer Security, 15(1):39–68, 2007.
[18] Xiaodong Lin, Xiaoting Sun, Pin-Han Ho, and Xuemin Shen. GSIS: A secure and privacy-preserving protocol for vehicular communications. IEEE Trans. Vehicular Technology, 56(6):3442–3456, 2007.
[19] Giuseppe Ateniese, Jan Camenisch, Marc Joye, and Gene Tsudik. A practical and provably secure coalition-resistant group signature scheme. In CRYPTO 2000, pages 255–270, 2000.
[20] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT '03, pages 614–629, 2003.
[21] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Group signatures with linking-based revocation: A pragmatic approach for efficient revocation checks. In MyCrypt 2016, 2016. To appear.
[22] Julien Bringer and Alain Patey. Backward unlinkability for a VLR group signature scheme with efficient revocation check. IACR Cryptology ePrint Archive, 2011:376, 2011.
[23] Toru Nakanishi, Hiroki Fujii, Yuta Hira, and Nobuo Funabiki. Revocable group signature schemes with constant costs for signing and verifying. In PKC 2009, pages 463–480, 2009.
[24] Mark Manulis, Nils Fleischhacker, F Gunther, K Franziskus, and Bertram Poettering. Group signatures: Authentication with privacy. Bundesamt fur Sicherheit in der Informationstechnik. Tech. Rep, 2012.
[25] Dan Boneh and Xavier Boyen. Short signatures without random oracles and the SDH assumption in bilinear groups. J. Cryptology, 21(2):149–177, 2008.
[26] Patrik Bichsel, Jan Camenisch, Gregory Neven, Nigel P. Smart, and Bogdan Warinschi. Get shorty via group signatures without encryption. In Security and Cryptography for Networks SCN '10, pages 381–398, 2010.
[27] Stylianos Gisdakis, Thanassis Giannetsos, and Panos Papadimitratos. SPPEAR: security & privacy-preserving architecture for participatory-sensing applications. In WiSec '14, pages 39–50, 2014.
[28] Cory Cornelius, Apu Kapadia, David Kotz, Dan Peebles, Minho Shin, and Nikos Triandopoulos. Anonysense: Privacy-aware people-centric sensing. In MobiSys '08, pages 211–224, 2008.
[29] Ioannis Boutsis and Vana Kalogeraki. Privacy preservation for participatory sensing data. In IEEE Pervasive Computing and Communications (PerCom) '13, pages 103–113, 2013.
[30] Emiliano De Cristofaro and Claudio Soriente. Extended capabilities for a privacy-enhanced participatory sensing infrastructure (PEPSI). IEEE Trans. Information Forensics and Security, 8(12):2021–2033, 2013.
[31] Leyla Kazemi and Cyrus Shahabi. TAPAS: trustworthy privacy-aware participatory sensing. Knowl. Inf. Syst., 37(1):105–128, 2013.
[32] Keita Emura and Takuya Hayashi. A light-weight group signature scheme with time-token dependent linking. In Lightweight Cryptography for Security and Privacy 2015, pages 37–57, 2015.
[33] Citizen Science Alliance. http://www.citizensciencealliance.org/. [Online; accessed 04-August-2016].
[34] Seung Geol Choi, Kunsoo Park, and Moti Yung. Short traceable signatures based on bilinear pairings. In IWSEC 2006, pages 88–103, 2006.
[35] Vicente Benjumea, Seung Geol Choi, Javier Lopez, and Moti Yung. Fair traceable multi-group signatures. In Financial Cryptography and Data Security, 2008, pages 231–246, 2008.
[36] Jan Camenisch and Anna Lysyanskaya. Signature schemes and anonymous credentials from bilinear maps. In CRYPTO '04, pages 56–72, 2004.
[37] Benoît Libert and Moti Yung. Efficient traceable signatures in the standard model. In Pairing-Based Cryptography - Pairing 2009, pages 187–205, 2009.
[38] Benoît Libert, Thomas Peters, and Moti Yung. Short group signatures via structure-preserving signatures: Standard model security from simple assumptions. In CRYPTO '15, pages 296–316, 2015.
[39] Jung Yeon Hwang, Sokjoon Lee, Byung-Ho Chung, Hyun Sook Cho, and DaeHun Nyang. Group signatures with controllable linkability for dynamic membership. Inf. Sci., 222:761–778, 2013.
[40] Daniel Slamanig, Raphael Spreitzer, and Thomas Unterluggauer. Adding controllable linkability to pairing-based group signatures for free. In Information Security - 17th International Conference, ISC 2014, pages 388–400, 2014.
[41] Essam Ghadafi. Efficient distributed tag-based encryption and its application to group signatures with efficient distributed traceability. In LATINCRYPT 2014, pages 327–347, 2014.
[42] Toru Nakanishi and Nobuo Funabiki. Efficient revocable group signature schemes using primes. JIP, 16:110–121, 2008.
[43] Jan Camenisch and Anna Lysyanskaya. Dynamic accumulators and application to efficient revocation of anonymous credentials. In CRYPTO 2002, pages 61–76, 2002.
[44] Jorn Lapon, Markulf Kohlweiss, Bart De Decker, and Vincent Naessens. Performance analysis of accumulator-based revocation mechanisms. In Security and Privacy - Silver Linings in the Cloud - 25th IFIP TC-11 International Information Security Conference, SEC 2010, Held as Part of WCC 2010, pages 289–301, 2010.
[45] Chun-I Fan, Ruei-Hau Hsu, and Mark Manulis. Group signature with constant revocation costs for signers and verifiers. In Cryptology and Network Security CANS 2011, pages 214–233, 2011.
[46] Jan Camenisch, Manu Drijvers, and Jan Hajny. Scalable revocation scheme for anonymous credentials based on n-times unlinkable proofs. In Proceedings of the 2016 ACM on Workshop on Privacy in the Electronic Society, WPES '16, pages 123–133, New York, NY, USA, 2016. ACM.
[47] Markulf Kohlweiss and Ian Miers. Accountable metadata-hiding escrow: A group signature case study. PoPETs, 2015(2):206–221, 2015.
[48] Cheng-Kang Chu, Joseph K. Liu, Xinyi Huang, and Jianying Zhou. Verifier-local revocation group signatures with time-bound keys. In ACM ASIACCS '12, pages 26–27, 2012.
[49] Toru Nakanishi and Nobuo Funabiki. Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. IEICE Transactions, 90-A(1):65–74, 2007.
[50] Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT 2008, pages 415–432, 2008.
[51] Benoît Libert, Thomas Peters, and Moti Yung. Scalable group signatures with revocation. In EUROCRYPT 2012, pages 609–627, 2012.
[52] Benoît Libert, Thomas Peters, and Moti Yung. Group signatures with almost-for-free revocation. In CRYPTO 2012, pages 571–589, 2012.
[53] Nuttapong Attrapadung, Keita Emura, Goichiro Hanaoka, and Yusuke Sakai. A revocable group signature scheme from identity-based revocation techniques: Achieving constant-size revocation list. In Applied Cryptography and Network Security - 12th International Conference, ACNS 2014, pages 419–437, 2014.
[54] Kazuma Ohara, Keita Emura, Goichiro Hanaoka, Ai Ishida, Kazuo Ohta, and Yusuke Sakai. Shortening the Libert-Peters-Yung revocable group signature scheme by using the random oracle methodology. IACR Cryptology ePrint Archive, 2016:477, 2016.
[55] Wouter Lueks, Gergely Alpár, Jaap-Henk Hoepman, and Pim Vullers. Fast revocation of attribute-based credentials for both users and verifiers. In IFIP '15, pages 463–478, 2015.
[56] Eric R. Verheul. Practical backward unlinkable revocation in FIDO, German e-ID, Idemix and U-Prove. IACR Cryptology ePrint Archive, 2016:217, 2016.
[57] Katie Shilton, Jeffrey A. Burke, Deborah Estrin, Mark Hansen, and Mani Srivastava. Participatory privacy in urban sensing. In International Workshop on Mobile Device and Urban Sensing (MODUS), 2008.
[58] Apu Kapadia, David Kotz, and Nikos Triandopoulos. Opportunistic sensing: Security challenges for the new paradigm. In 2009 First International Communication Systems and Networks and Workshops, pages 1–10. IEEE, 2009.
[59] Stylianos Gisdakis, Thanassis Giannetsos, and Panos Papadimitratos. Security, privacy & incentive provision for mobile crowd sensing systems. IEEE IoT, 2016.
[60] Gang Wang, Bolun Wang, Tianyi Wang, Ana Nika, Haitao Zheng, and Ben Y. Zhao. Defending against sybil devices in crowdsourced mapping services. In MobiSys '16, 2016.
[61] Dan Boneh and Xavier Boyen. Short signatures without random oracles. In Christian Cachin and Jan Camenisch, editors, EUROCRYPT '04, volume 3027 of Lecture Notes in Computer Science, pages 56–73, 2004.
[62] Liqun Chen and Jiangtao Li. VLR group signatures with indisputable exculpability and efficient revocation. IJIPSI, 1(2/3):129–159, 2012.
[63] Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the Weil pairing. J. Cryptology, 17(4):297–319, 2004.
[64] Dan Boneh, Craig Gentry, Ben Lynn, and Hovav Shacham. Aggregate and verifiably encrypted signatures from bilinear maps. In EUROCRYPT 2003, pages 416–432, 2003.
[65] Danfeng Yao and Roberto Tamassia. Compact and anonymous role-based authorization chain. ACM Trans. Inf. Syst. Sec., 12(3):15:1–15:27, 2009.
[66] Dan Boneh and Matthew K. Franklin. Identity-based encryption from the Weil pairing. SIAM J. Comput., 32(3):586–615, 2003.
[67] Saman Zarandioon, Danfeng (Daphne) Yao, and Vinod Ganapathy. K2C: cryptographic cloud storage with lazy revocation and anonymous access. In SecureComm 2011, pages 59–76, 2011.
[68] Danfeng Yao, Nelly Fazio, Yevgeniy Dodis, and Anna Lysyanskaya. ID-based encryption for complex hierarchies with applications to forward security and broadcast encryption. In ACM CCS 2004, pages 354–363, 2004.
[69] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO '04, pages 41–55, 2004.
[70] Hovav Shacham. New paradigms in signature schemes. PhD thesis, Stanford University, 2005.
[71] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008. Applications of Algebra to Cryptography.
[72] Atsuko Miyaji, Masaki Nakabayashi, and Shunzou Takano. New explicit conditions of elliptic curve traces for FR-reduction. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 84(5):1234–1243, 2001.
[73] Xiaoyan Zhu, Haotian Chi, Shunrong Jiang, Xiaosan Lei, and Hui Li. Using dynamic pseudo-IDs to protect privacy in location-based services. In IEEE ICC '14, pages 2307–2312, 2014.
[74] Francesco Restuccia, Sajal K. Das, and Jamie Payton. Incentive mechanisms for participatory sensing: Survey and research challenges. ACM Trans. Sen. Netw., 12(2):13:1–13:40, 2016.
[75] L. Cheng, L. Kong, C. Luo, J. Niu, Y. Gu, W. He, and S. Das. False data detection and correction framework for participatory sensing. In IWQoS '15, pages 213–218, 2015.
[76] John R. Douceur. The sybil attack. In Peter Druschel, M. Frans Kaashoek, and Antony I. T. Rowstron, editors, IPTPS '02, volume 2429 of Lecture Notes in Computer Science, pages 251–260, 2002.
[77] Ben Lynn. PBC (pairing-based cryptography) library. https://crypto.stanford.edu/pbc/, 2016. [Online; accessed 16-May-2016].
[78] Angelo De Caro and Vincenzo Iovino. jPBC: Java pairing based cryptography. In IEEE ISCC '11, pages 850–855. IEEE, 2011.
[79] Kenji Koyama and Yukio Tsuruoka. Speeding up elliptic cryptosystems by using a signed binary window method. In CRYPTO '92, pages 345–357, 1992.
[80] Klaus Potzmader and Johannes Winter et al. Group signatures on mobile devices: Practical experiences. In Trust and Trustworthy Computing, pages 47–64, 2013.
[81] David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. J. Cryptology, 13(3):361–396, 2000.

Appendix A

8.1 BU-anonymity (Theorem 4.5)

In [16], Boneh and Shacham developed a technique to prove anonymity by capitalizing on the randomness of $(\hat u, \hat v)$ and on the ability to backpatch the hash queries $(H_g, H_z)$. Hence, we can employ the core technique that was used in [16] to prove this theorem.

Proof. Suppose algorithm $\mathcal{A}$ breaks the BU-anonymity of the SRBE scheme. We build an algorithm $\mathcal{B}$ that breaks the DLIN assumption in $\mathbb{G}_2$. Algorithm $\mathcal{B}$ is given as input a 6-tuple $(u, v, h, u^a, v^b, z) \in \mathbb{G}_2^6$, where $a, b \xleftarrow{R} \mathbb{Z}_p^*$ and either $z = h^{a+b}$ or $z$ is random in $\mathbb{G}_2$. Now $\mathcal{B}$ interacts with $\mathcal{A}$ according to the BU-Anonymity game (Definition 3.3). In the setup phase, $\mathcal{B}$ picks two random users $i_0, i_1 \xleftarrow{R} \{1, \cdots, N\}$ and generates the private key $gsk_i$ and revocation token $grt_i$ for each user $i \in [1,N] \setminus \{i_0, i_1\}$ according to the Join protocol defined in SRBE. For users $i_0$ and $i_1$, $\mathcal{B}$ first selects $W \xleftarrow{R} \mathbb{G}_2$, then defines $A_{i_0} = zW/h^a$ and $A_{i_1} = W h^b$.

During a signing query for $i_0$ or $i_1$, depending on the user, the challenger $\mathcal{B}$ simulates the values of either $A_{i_0}$ or $A_{i_1}$ while generating $T_1, T_2$ as in [16], and selects $T_3, T_4 \xleftarrow{R} \mathbb{G}_2$ and $T_5 \xleftarrow{R} \mathbb{G}_1$ to simulate the corresponding $B_i, C_{ij}, PID_{ij}$, where $i \in \{i_0, i_1\}$, $j \in [1,T]$. Then it produces the signature $\sigma$ by using these values according to the Sign procedure. $\mathcal{B}$ also backpatches the hash queries $(H_g, H_z)$ to ensure consistency. If $\mathcal{A}$ issued any of these hash queries before the backpatching, then $\mathcal{B}$ reports failure and aborts. According to [16], $\sigma$ is a properly distributed signature under signer $i$'s private key.

During the challenge phase, $\mathcal{A}$ outputs a message $M^*$, a time period $j^*$ and two users $i_0^*$ and $i_1^*$ that are neither corrupted nor revoked at time period $j^*$. If $\{i_0^*, i_1^*\} \neq \{i_0, i_1\}$, then $\mathcal{B}$ reports failure and aborts. Otherwise, $\mathcal{B}$ picks a random $b \xleftarrow{R} \{0,1\}$ and generates a signature $\sigma^*$ on $M^*$ using signer $i_b$'s key, as in the signing queries of Phase 1. Then $\mathcal{B}$ sends $\sigma^*$ as the challenge to $\mathcal{A}$.

During the output phase, $\mathcal{A}$ outputs its guess $b' \in \{0,1\}$ for $b$. If $b = b'$, then $\mathcal{B}$ outputs 0 (indicating that $z$ is random in $\mathbb{G}_2$); otherwise $\mathcal{B}$ outputs 1 (indicating that $z = h^{a+b}$).

If we assume that $\mathcal{B}$ does not abort during the simulation of the above interaction framework, we see that $\mathcal{B}$ can break the DLIN assumption in $\mathbb{G}_2$ with an advantage of $\epsilon/2$. The probability that $\mathcal{A}$ selects $i_0^*$ and $i_1^*$ without causing $\mathcal{B}$ to abort is $1/N^2$. Even if $\mathcal{A}$ correctly selects $i_0^*$ and $i_1^*$, the probability that $\mathcal{B}$ aborts due to signing queries is $q_S q_H / p$. So the probability that $\mathcal{B}$ does not abort is $1/N^2 - q_S q_H / p$, which lets $\mathcal{B}$ break the DLIN assumption in $\mathbb{G}_2$ with an advantage of
$$\frac{\epsilon}{2}\left(\frac{1}{N^2} - \frac{q_S q_H}{p}\right).$$

Signatures from different time intervals are unlinkable, hence BU-anonymity is preserved across time epochs. However, signatures under the same time epoch contain the same pseudoID; therefore, they are linkable. It remains an open problem to design a group signature scheme with sublinear revocation that supports full anonymity. The challenge is that any information that makes revocation tokens pre-computable at the verifier's side needs to be excluded from the SPK, since it can be used to break within-epoch anonymity.

8.2 Traceability (Theorem 4.6)

To prove the traceability theorem, we recall Lemma 1 of the group signature scheme with probabilistic revocation [11] as follows.

Lemma 8.1. Suppose an algorithm $\mathcal{A}$ is given an instance $(\tilde g_1, \tilde g_2, \tilde g_2^{\gamma}, \cdots, \tilde g_2^{\gamma^T})$ and $N$ tuples $(\tilde A_i, x_{i1}, x_{i2}, \cdots, x_{iT})$, $\forall i \in [1,N]$, where $x_{ij} \in \mathbb{Z}_p^*$, $\forall i \in [1,N], j \in [1,T]$, $\tilde g_2 \in \mathbb{G}_2$,

$\tilde g_1 = \psi(\tilde g_2)$, $\tilde A_i = \tilde g_1^{1/[\prod_{j=1}^{T}(\gamma + x_{ij})]}$, and is asked to forge a tuple $(\tilde A^*, \tilde B^*, \tilde C^*, x^*)$ for some $\tilde A^* \in \mathbb{G}_1$, $\tilde B^* \in \mathbb{G}_2$, $\tilde C^* \in \mathbb{G}_2$ and $x^* \neq x_{ij}$, $\forall i \in [1,N], j \in [1,T]$, such that $e(\tilde A^*, \tilde B^*) = e(\tilde g_1, \tilde g_2)$ and $e(\tilde g_1, \tilde B^*) = e(\tilde g_1^{\gamma} \tilde g_1^{x^*}, \tilde C^*)$. Then there exists an algorithm $\mathcal{B}$ solving the $q$-BSDH problem, where $q = (N+1)T$.

Similar to the Boneh-Boyen weak signature scheme [61], Lemma 8.1 establishes the security of $x_{ij}$ in the GSPR scheme against existential forgery under a weak chosen message attack, when the $q$-BSDH assumption holds. Similar to the Boneh-Boyen full signature scheme, we need to show that $PID_{ij}$ of SRBE is secure against existential forgery under a chosen message attack, when the $q$-BSDH assumption holds. Hence, we state the following lemma.

Lemma 8.2. Suppose an algorithm $\mathcal{A}$ is given an instance $(\tilde g_1, \tilde g_2, \tilde g_2^{\gamma_1}, \tilde g_2^{\gamma_2})$ and $N$ tuples $(\tilde A_i, PID_{i1}, PID_{i2}, \cdots, PID_{iT})$, $\forall i \in [1,N]$, where $PID_{ij} \in \mathbb{Z}_p^*$, $\forall i \in [1,N], j \in [1,T]$, $\tilde g_2 \in \mathbb{G}_2$, $\tilde g_1 = \psi(\tilde g_2)$, $\tilde A_i = \tilde g_1^{1/[\prod_{j=1}^{T}(\gamma_1 + \gamma_2 \tau_j + PID_{ij})]}$, and forges a tuple $(\tilde A^*, \tilde B^*, \tilde C^*, PID^*, j^*)$ for some $\tilde A^* \in \mathbb{G}_1$, $\tilde B^* \in \mathbb{G}_2$, $\tilde C^* \in \mathbb{G}_2$, $PID^* \in \mathbb{Z}_p^*$ and $j^* \in [1,T]$, such that $e(\tilde A^*, \tilde B^*) = e(\tilde g_1, \tilde g_2)$ and $e(\tilde g_1, \tilde B^*) = e(\tilde g_1^{\gamma_1} \tilde g_1^{\gamma_2 \tau^*} \tilde g_1^{PID^*}, \tilde C^*)$, where $\tau^* = H_z(j^*)$. Then there exists an algorithm $\mathcal{B}$ that solves the $q$-BSDH problem, where $q = (N+1)T$.

Proof. We see that, to forge a tuple, $\mathcal{A}$ can instantiate two types of forgers, as follows.

Type I Forger. Forges a tuple $(\tilde A^*, \tilde B^*, \tilde C^*, PID^*, j^*)$ for some $\tilde A^* \in \mathbb{G}_1$, $\tilde B^* \in \mathbb{G}_2$, $\tilde C^* \in \mathbb{G}_2$ with $\gamma_2 \tau^* + PID^* \neq \gamma_2 \tau_j + PID_{ij}$, $\forall i \in [1,N], j \in [1,T]$, such that $e(\tilde A^*, \tilde B^*) = e(\tilde g_1, \tilde g_2)$ and $e(\tilde g_1, \tilde B^*) = e(\tilde g_1^{\gamma_1} \tilde g_1^{\gamma_2 \tau^*} \tilde g_1^{PID^*}, \tilde C^*)$.

Type II Forger. Forges a tuple $(\tilde A^*, \tilde B^*, \tilde C^*, PID^*, j^*)$ for some $\tilde A^* \in \mathbb{G}_1$, $\tilde B^* \in \mathbb{G}_2$, $\tilde C^* \in \mathbb{G}_2$ with $\gamma_2 \tau^* + PID^* = \gamma_2 \tau_j + PID_{ij}$ but $\tau^* \neq \tau_j$, $PID^* \neq PID_{ij}$ for some $i \in [1,N], j \in [1,T]$, such that $e(\tilde A^*, \tilde B^*) = e(\tilde g_1, \tilde g_2)$ and $e(\tilde g_1, \tilde B^*) = e(\tilde g_1^{\gamma_1} \tilde g_1^{\gamma_2 \tau^*} \tilde g_1^{PID^*}, \tilde C^*)$.

Using a method similar to the one Boneh and Boyen used to prove the security of their full signature scheme [61], we can show that either forger can be used to forge a tuple as defined in Lemma 8.1. To give some intuition, one can observe that Forger I succeeds in forging only if it finds a $PID^*$ such that $\gamma_1 = -PID^*$. Forger II succeeds if it can find some $\tau^* = H_z(j^*)$ and $PID^*$ such that $\tilde g_1^{\gamma_2 \tau^*} \tilde g_1^{PID^*} = \tilde g_1^{\gamma_2 \tau_j} \tilde g_1^{PID_{ij}}$ but $(\tau^*, PID^*) \neq (\tau_j, PID_{ij})$, which implies that it can extract $\gamma_2$ by computing $\gamma_2 = (PID_{ij} - PID^*)/(\tau^* - \tau_j)$.

Now, if algorithm $\mathcal{B}$ is given a tuple $(\tilde g_1, \tilde g_2, \tilde g_2^{\gamma}, \cdots, \tilde g_2^{\gamma^T})$ and $N$ tuples $(\tilde A_i, x_{i1}, x_{i2}, \cdots, x_{iT})$, $\forall i \in [1,N]$, where $x_{ij} \in \mathbb{Z}_p^*$, $\forall i \in [1,N], j \in [1,T]$, $\tilde g_2 \in \mathbb{G}_2$, $\tilde g_1 = \psi(\tilde g_2)$, $\tilde A_i = \tilde g_1^{1/[\prod_{j=1}^{T}(\gamma + x_{ij})]}$, and is asked to forge a tuple $(\tilde A^*, \tilde B^*, \tilde C^*, x^*)$ for some $\tilde A^* \in \mathbb{G}_1$, $\tilde B^* \in \mathbb{G}_2$, $\tilde C^* \in \mathbb{G}_2$ and $x^* \neq x_{ij}$, $\forall i \in [1,N], j \in [1,T]$, such that $e(\tilde A^*, \tilde B^*) = e(\tilde g_1, \tilde g_2)$ and $e(\tilde g_1, \tilde B^*) = e(\tilde g_1^{\gamma} \tilde g_1^{x^*}, \tilde C^*)$, then, depending on the type of forger instantiated by $\mathcal{A}$, $\mathcal{B}$ can ask $\mathcal{A}$ to forge a tuple by defining either $\gamma_1 = \gamma$, $\gamma_2 \tau_j + PID_{ij} = x_{ij}$ or $\gamma_2 \tau_j = \gamma$, $\gamma_1 + PID_{ij} = x_{ij}$. This contradicts Lemma 8.1. So, we conclude that Lemma 8.2 holds.

8.2.1 Proof of Theorem 4.6

Proof. The following is an interaction between $\mathcal{A}$ and $\mathcal{B}$.
– Setup. Algorithm $\mathcal{B}$ is given two groups $\mathbb{G}_1$ and $\mathbb{G}_2$ with generators $g_1, g_2$ respectively. $\mathcal{B}$ is also given $w_1 = g_2^{\gamma_1}$, $w_2 = g_2^{\gamma_2}$ and a list of tuples $(SEED_{i1}, SEED_{i2}, A_i, B_i, \{C_{ij}\})$, $\forall j \in [1,T]$, $\forall i \in [1,N]$. For each signer $i$, $\mathcal{B}$ either sets $s_i = 0$, meaning that the given tuple is generated with the Join protocol (for simplicity, let us assume $\mathcal{B}$ selects $f_i = 1$ in the join protocol for all users), or else sets $s_i = 1$, indicating that the $(SEED_{i1}, SEED_{i2})$ corresponding to $(A_i, B_i, C_{ij})$, $\forall j \in [1,T]$, is not known. Then $\mathcal{B}$ runs $\mathcal{A}$, giving it the group public key $(g_1, g_2, w_1, w_2)$ and $(SEED_{i1}, SEED_{i2})$. After that, $\mathcal{B}$ answers $\mathcal{A}$'s oracle queries as follows.
– Queries. At the beginning of each period $j$, $\mathcal{A}$ announces the beginning of $j$ to $\mathcal{B}$, so that they both increment $j$ simultaneously. At any time period $j \in [1,T]$, algorithm $\mathcal{A}$ can make the following queries to $\mathcal{B}$.
  – Signing: At time period $j$, algorithm $\mathcal{A}$ requests a signature on an arbitrary message $M$ for an arbitrary signer $i$. If $s_i = 0$, then $\mathcal{B}$ computes the signature $\sigma \leftarrow \mathrm{Sign}(gpk, gsk_i, M)$ and returns $\sigma$ to $\mathcal{A}$. If $s_i = 1$, $\mathcal{B}$ selects $(PID_{ij}, \alpha, \beta, \delta)$, computes $(\hat u, \hat v, T_1, T_2, T_3, T_4, R_1, R_2, R_3, c, s_\alpha, s_\beta, s_\delta)$ and derives a signature $\sigma = (r, PID_{ij}, T_1, T_2, T_3, T_4, c, s_\alpha, s_\beta, s_\delta)$. In addition, $\mathcal{B}$ patches the hash oracle. If the hash function causes a collision, $\mathcal{B}$ declares failure and exits. Otherwise, $\mathcal{B}$ returns $\sigma$ to $\mathcal{A}$. A signature query can trigger a hash query, which we charge against $\mathcal{A}$'s hash query limit.
  – Corruption: Algorithm $\mathcal{A}$ requests the secret key of user $i$ at any time period $j$. If $s_i = 0$, then $\mathcal{B}$ sets $U \leftarrow U \cup \{i\}$ and responds with $(SEED_{i1}, SEED_{i2}, A_i, B_i, C_{ij})$, where $j \in [1,T]$; otherwise $\mathcal{B}$ declares failure and exits.
– Output. Finally, if algorithm $\mathcal{A}$ is successful, it outputs a forged signature $\sigma^*$ on a message $M^*$ using the tuple

$(A_{i^*}, B_{i^*}, C_{i^*j})$ at any time period $j$. For the forgery to be non-trivial, $i^*$ should not be in $U$. If indeed $\mathcal{B}$ fails to find the signer $i^*$ in $U$, it outputs $\sigma^*$. If $s_{i^*} = 1$, $\mathcal{B}$ outputs $\sigma^*$; otherwise it declares failure and exits.

As implied by the output phase of the framework above, there are two types of forger algorithm, similar to [16]. A Type I forger forges a signature $\sigma$ on a message $M$ for a user $i \notin [1,N]$. A Type II forger forges a signature of a user $i \in [1,N]$ whose corruption query is yet to be requested. Hence, similar to [11], against a Type I forger we assign $N$ valid private keys to the $N$ signers, and against a Type II forger we randomly choose a signer $i$ and assign $N-1$ private keys to the rest of the $N-1$ signers. For a Type I forgery, if $\mathcal{A}$ succeeds with an advantage of $\epsilon$, $\mathcal{B}$ also succeeds with an advantage of $\epsilon$. But for a Type II forgery, $\mathcal{B}$ gains against the BSDH instance only if the signature is signed with the private key of signer $i_0$. Hence, the probability that $\mathcal{B}$ succeeds is $\epsilon/N$. For both types of forgery, $\mathcal{B}$ rewinds the interaction framework between $\mathcal{A}$ and $\mathcal{B}$ to obtain two forged signatures on the same message. According to the forking lemma [16], the probability that $\mathcal{B}$ succeeds is at least $(\epsilon' - 1/p)^2 / 16 q_H$, where $\epsilon'$ is the probability of a successful forgery. After gaining the forged signature, $\mathcal{B}$ extracts $(\tilde A^*, \tilde B^*, \tilde C^*, PID^*, j^*)$ (similar to Lemma 5.2 in [16]) and then, using the technique employed in Section 8.2, $\mathcal{B}$ can compute a new BSDH pair. So $\mathcal{B}$ can break the $q$-BSDH assumption by obtaining a new BSDH pair with an advantage of $(\epsilon/N - 1/p)^2 / 16 q_H$.

8.3 Exculpability (Theorem 4.7)

Proof. If an adversary $\mathcal{A}$ breaks the exculpability game (Definition 3.5) with non-negligible probability, we can construct another polynomial-time algorithm $\mathcal{B}$ that solves the DL problem in $\mathbb{G}_2$ with non-negligible probability.

Let us assume that $\mathcal{B}$ is given a DL instance $(\tilde g, \tilde h)$. It then finds $\log_{\tilde g} \tilde h$ by interacting with $\mathcal{A}$.

Setup. $\mathcal{B}$ performs $\mathrm{KeyGen}(1^\lambda)$ as in the scheme, except that she sets $g_2 \leftarrow \tilde g$, $g_1 \leftarrow \psi(g_2)$. $\mathcal{B}$ stores the group public key $gpk$ and sends $gpk$, the group manager's secret $gms$ and the registration list $reg$ to $\mathcal{A}$. It also initializes a list of revocation lists $RL_j$, where $j \in [1,T]$.

Queries. At the beginning of each period $j$, $\mathcal{A}$ announces the beginning of $j$ to $\mathcal{B}$, so that they both increment $j$ simultaneously. At any time period $j \in [1,T]$, algorithm $\mathcal{A}$ issues the following queries to $\mathcal{B}$.
– Join: When $\mathcal{A}$ requests the creation of a new group member, $\mathcal{B}$ performs the Join protocol as the new member with $\mathcal{A}$, except that it sets $F_{i^*} \leftarrow \psi(\tilde h)$ for a random user $i^*$. $\mathcal{B}$ also simulates the proof of knowledge of $\log_{g_1} F_{i^*}$. So the signer's secret during the join protocol is $f_{i^*} = \log_{g_1} F_{i^*} = \log_{\tilde g} \tilde h$, but $\mathcal{A}$ does not know its value.
– Hash queries: At any time, $\mathcal{A}$ can query the hash function $H_z$. Algorithm $\mathcal{B}$ responds with random values while ensuring consistency.
– Signing: If $i \neq i^*$, $\mathcal{B}$ returns the signature signed as in the scheme. Otherwise, $\mathcal{B}$ picks $\alpha, \beta', \delta' \leftarrow \mathbb{Z}_p^*$ and makes the following assignments:
$$T_1 = u^{\alpha},\quad T_2 = A_i v^{\alpha},\quad T_3 = B_i'^{\beta'},\quad T_4 = C_{ij}'^{\delta'}.$$
Let $\beta = \beta'/f_i$, $\delta = \delta'/f_i$. Then we observe that $T_1 = u^{\alpha}$, $T_2 = A_i v^{\alpha}$, $T_3 = B_i^{\beta}$, $T_4 = C_{ij}^{\delta}$. Algorithm $\mathcal{B}$ then selects $r_\alpha, r_\beta, r_\delta \xleftarrow{R} \mathbb{Z}_p^*$ and computes the corresponding $R_1, R_2, R_3$. In the unlikely event that $\mathcal{A}$ has already issued a hash query for $H_z(gpk, M, j, PID_{ij}, T_1, T_2, T_3, T_4, R_1, R_2, R_3)$, $\mathcal{B}$ reports failure and terminates. Otherwise $\mathcal{B}$ defines $H_z(gpk, M, j, PID_{ij}, T_1, T_2, T_3, T_4, R_1, R_2, R_3) = c$. Algorithm $\mathcal{B}$ then computes the signature $\sigma = (r, PID_{ij}, T_1, T_2, T_3, T_4, c, s_\alpha, s_\beta, s_\delta)$ and gives $\sigma$ to $\mathcal{A}$. According to [16], $\sigma$ is a properly distributed signature under signer $i$'s private key.
– Corruption: $\mathcal{B}$ returns the secret key $gsk_i$ to $\mathcal{A}$ and updates the current and future revocation lists ($RL_k$, $\forall k \in [j,T]$) with the corresponding revocation handles at time period $k$.

Forge. Algorithm $\mathcal{A}$ outputs a message $M^*$, a time period $j^*$, a signature $\sigma^*$ and a signer $i^*$.

$\mathcal{B}$ has an advantage against the given DL instance if the $T_5$ corresponding to $\sigma^*$ indeed represents $i^*$. As $i^*$ looks random to $\mathcal{A}$, the probability that $i^*$ is chosen from $[1,N]$ is at least $1/N$.

If we assume that $\mathcal{A}$ wins the exculpability game, we can state that $T_3 = B_i'^{\beta'/f_{i^*}}$. Since this statement is indisputable, by employing the forking lemma [81], after a polynomial number of replays of algorithm $\mathcal{A}$, $\mathcal{B}$ can extract $f_{i^*}$. Consequently, it finds $\log_{\tilde g} \tilde h$, the solution to her DL instance, with non-negligible probability in polynomial time.