2016 International Seminar on Intelligent Technology and Its Application

An Anonymous Authentication System in Wireless Networks Using Verifier-Local Revocation Group Signature Scheme
Amang Sudarsono and M. Udin Harun Al Rasyid
Politeknik Elektronika Negeri Surabaya (PENS),
Electronics Engineering Polytechnic Institute of Surabaya (EEPIS),
Surabaya, Indonesia.
{amang, udinharun}@pens.ac.id
Abstract: With the advancement of the Internet of Things and data-centric technologies for collecting and distributing sensory data, security becomes much more important and desirable. This is because sensory data are commonly transmitted toward the data center over wireless networks, which are naturally easy to observe for the purpose of network traffic analysis. Furthermore, the data collected in the data center can also be easily accessed by users if the system does not provide a security mechanism. In this paper, we propose an anonymous authentication system using a pairing-based verifier-local revocation group signature scheme to authenticate wireless nodes (i.e., sensor nodes) of a particular privilege group to the gateway node when transmitting data. In addition, anonymous authentication for accessing data in the data center is also achieved.

Keywords: privacy-preserving authentication; group signature; verifier-local revocation; wireless networks

I. INTRODUCTION

Recently, numerous ubiquitous services such as the Internet of Things (IoT) and data-centric technologies have been growing rapidly along with the advancement of personal computers, laptops, smart phones, embedded systems and other devices. Usually, such services require authentication or identification for access control and authorization in collecting and distributing data. For instance, wireless nodes such as sensor nodes in a Wireless Sensor Network (WSN) provide sensory data which are transmitted over the wireless network toward a data center through a gateway node. Given the nature of the wireless network environment, the communication between sensor nodes and the gateway node is more easily observed by adversaries for the purpose of network traffic analysis. As a result, data transmitted by sensor nodes can be intercepted, linked, tracked, and even modified. The consequences include sensory data being tracked from node to node, impersonated nodes joining the network, false data transmission, etc.

On the other hand, the data collected in the data center can also be easily accessed by everyone, including adversaries. These problems can be solved by applying a security mechanism such as node or user authentication together with encryption and data integrity. However, a common authentication system which involves node identity, username, and password can be linked and tracked, hence the access history and preferences of the node or user are easily inspected. An implementation of secure data exchange in an environmental health monitoring system through WSN [13] has been introduced which considered and addressed the problem. However, since cryptographic primitives are used to achieve and realize the security features, the anonymity has not yet been reached. One of the cryptographic solutions for privacy-preserving authentication systems is the use of group signature schemes [1]-[8], since they offer practical implementation and provide not only anonymity, but also unlinkability and untraceability features.
A group signature is a special digital signature based on a public key (i.e., one given to a privilege group, not to a user or node). The group signature was first introduced by Chaum and Heyst [8]. The signer in a group signature scheme signs a message on behalf of the group, and the verifier verifies the signature anonymously. There is a special authority called the Group Manager (GM) who registers the users in a particular privilege group. Currently, many researchers are actively taking up group signatures and their implementations as a research topic. In a group signature scheme, the GM first issues a membership certificate to the user. Then, the user creates a signature by signing a message using the membership certificate. Further, any verifier is able to verify the validity of the signature using the group public key without identifying who the user is. However, in case of key loss, misuse or other reasons, the GM can trace the signer. Several implementations of group signatures have also been introduced, such as in a web service [10], an identity management system [9], a wireless authentication system [3], and a cloud computing environment [11].

In addition, group signatures also have a feature called user revocation. In an authentication system, user revocations frequently happen due to key loss, illegal usage or voluntary departure from the system. However, user revocation is not easy due to the anonymity. Some group signature schemes which deal with user revocation, such as [9], achieve good performance, but the signer needs to fetch a revocation list which includes R revoked users before signing, where R denotes the number of revoked users. In an authentication system where user revocations happen often, R will be large. This situation becomes worse if the network connections are not stable, such as in wireless networks. One solution for such a situation is Verifier-Local Revocation (VLR) group signature schemes [2]-[6], because the signer does not need to fetch the revocation list before signing. Instead, the revocation check is done at the verifier.

978-1-5090-1709-6/16/$31.00 2016 IEEE


Among those VLR group signature schemes, [5] and [6] provide a shorter signature size. However, these schemes do not consider a tracing algorithm, which is the group signature feature used to trace the actual signer of a given signature. This mechanism is important in an anonymous authentication system for detecting illegal usage: the GM can revoke the user and trace who the actual user is, based on a given signature of the misusing user. In this paper, we propose a VLR group signature scheme for easily and efficiently applying an anonymous authentication system in wireless networks, sensor networks, and other ubiquitous device communication protocols. Our proposed VLR group signature scheme is based on [3], with a reduced signature size.
II. BILINEAR GROUPS AND COMPLEXITY ASSUMPTION

The bilinear map notation can be defined as follows:

1) G1 and G2 are two multiplicative cyclic groups of prime order p.
2) g1 is a generator of G1 and g2 is a generator of G2.
3) is a computable isomorphism from G2 to G1 by the isomorphism function (g2 ) = g1 ; and
4) e is a computable map, $e : G_1 \times G_2 \to G_T$, with the following properties:
   a) Bilinearity: for all $u \in G_1$, $v \in G_2$ and $a, b \in \mathbb{Z}$, $e(u^a, v^b) = e(u, v)^{ab}$.
   b) Non-degeneracy: $e(g_1, g_2) \neq 1$.

Secondly, we adopt the following assumptions for the security requirements.
Strong Diffie-Hellman Assumption.
Let G1 and G2 be cyclic groups of prime order p, whereas
there is possibility that G1 = G2 . Let g1 be a generator of G1
and g2 is a generator of G2 . q-Strong Diffie-Hellman Problem
(q-SDH) is the q-SDH problem in (G1 , G2 ) which is defined
as follows:
q
2
Given a (q + 2)-tuple (g1 , g2 , g2 , g2 , ..., g2 ) as input, and
1/(+x)
the output is a pair (g1
, x), where x Zp . An algorithm A has advantage in solving q-SDH in (G1 , G2 ) if
q
1/(+x)
Pr [A(g1 , g2 , g2 , ..., g2 ) = (g1
, x)] .
Decision Linear Diffie-Hellman Assumption.
By using g1 in G1 as above, along with arbitrary generators
u, v, and h of G1 , consider the following:
Decision Linear Problem in G1: given $u, v, u^a, v^b, h^c \in G_1$ as input, output yes if a + b = c and no otherwise.
More precisely, the definition of the advantage algorithm A in
deciding the Decision Linear problem in G1 is as:
Adv LinearA = |Pr [A(u, v, h, ua , v b , ha+b ) = yes : u, v, h
G1 , a, b Zp ] Pr [A(u, v, h, ua , v b , ) = yes : u, v,
G1 , a, b Zp ]|.
III. PROPOSED VLR GROUP SIGNATURE SCHEME FOR WIRELESS NETWORKS

In this section, we review the security requirements of the communication protocol and the VLR group signature that we adopt in the proposed anonymous authentication system. We then describe in detail our proposed system, which consists of four phases: Key Generation (KeyGen) phase, Registration phase, Authentication phase, and Tracing phase. The first phase generates the public and secret parameters. The second phase is the registration of sensor nodes or users to the GM through the Key Issuer Manager authority, in which they obtain the secret information used for the authentication process. The third phase is the authentication between sensor nodes and the gateway node when transmitting sensor data, or between users and the data center when accessing sensor data. In this case, sensor nodes and users act as the signer, while the gateway node and data center act as the verifier. The signer generates a signature and the verifier verifies the signature to prove that the signer is a legitimate user without revealing any private information of the signer, or else that the signature is invalid or the user is revoked. Here, the GM manages user revocation tokens, called the revocation list RL, through the User Revocation Manager authority. Based on the RL obtained from the GM, the verifier checks whether the signature is revoked or not. The fourth phase is for the GM, through the Tracing Manager authority, to trace the user's history records or the sensor node identity.
A. Security Requirements
Some security requirements of a secure and anonymous authentication system are commonly as follows.

• User anonymity: No one can identify the sensor nodes or users.
• Unlinkability: Given two or more signatures, no one can distinguish whether these signatures are related or not.
• Untraceability: No one can trace users' or sensor nodes' records. The goal is protecting the identity and related secret information of the sensor nodes or users.
• Unforgeability: No one except sensor nodes or users of the group is able to generate a valid signature.
• Confidentiality: Only the GM can obtain sensor nodes' or users' communication history through the Tracing mechanism.
• Integrity: No one can modify the message content (i.e., sensor data).
• Authentication: The sensor node or user can request services from the gateway node or data center for confirming the legitimacy of the sensor node or user.

B. VLR Group Signature

Boneh et al. [2] proposed a VLR group signature scheme which formally comprises three algorithms: KeyGen, Sign, and Verify.
KeyGen(n). This is a randomized algorithm. Given a parameter n, the number of members of the group, it outputs a group public key gpk, user secret keys gsk[i], user revocation tokens grt, and a secret tracing key tsk.
Sign(gpk, gsk[i], M). This is a randomized signing algorithm. Given gpk, gsk[i], and a message $M \in \{0, 1\}^*$, it outputs a signature.
Verify(gpk, RL, , M ). This is the verification algorithm. Given gpk, a set of revocation tokens RL (called the user revocation list, which is a subset of grt), and a signature on a message M, it returns either valid or invalid. The latter response means that the signature is either an invalid signature or the user has been revoked.
In addition, there also exists an Open(, tsk) algorithm. Given a signature, the GM can trace the signature using the secret tracing key tsk.

In the VLR group signature scheme, there are 3 players involved in the system (see Fig. 1).

• Group Manager: it has the authority to issue the keys (group public key gpk and group secret key gmsk, and also the users' private key pairs through a Setup algorithm) and to open a signer's identity through an Open algorithm.
• User or signer: the entity who joins the group. He signs a message to prove himself as a legitimate user anonymously, using his private key gsk[i] issued by the GM, through the Sign algorithm.
• Verifier: the entity who verifies a user's signature to check anonymously whether the user is a valid user or a revoked user, through the Verify algorithm and the User Revocation Check.

Fig. 1. Involved players and procedures in VLR group signature.

C. Proposed Protocol
In this section, we describe our VLR group signature scheme used in the anonymous authentication system for wireless networks as shown in Fig. 2. Our motivation for the proposed VLR group signature is to reduce the size of the signature and omit some procedures in the Registration phase and Authentication phase of the previous VLR group signature scheme [3].
The detailed procedure of the scheme is as follows:
Setup: the GM selects secret key gmsk = (), tracing key tsk = (s) and group public key gpk = ($g_1, h, h_{11}, \dots, h_{1t}, S, g_2, w, h_{21}, \dots, h_{2t}$) for $j \in [1, t]$, where t is user revocation token, $h_{1j} = g_1^{r_j}$, $h_{2j} = g_2^{r_j}$ and w = g2 . Here g1 and g2 are generators of the bilinear groups G1 and G2. In addition, $S = h^s$, where h is another generator of G1.
Join: the user selects his secret key $x_i \in_R Z_p$ randomly. Then, the GM, acting as Key Issuer Manager, computes $A_i = g_1^{1/(+x_i)}$ and sends $A_i$ to the user. Here, the user has his secret key $gsk[i] = (A_i, x_i)$. The GM computes $Q_i = h^{x_i}$ and stores Group List $GL = (x_i, Q_i)$.
Revoke: the GM, acting as User Revocation Manager, adds $B_{ij} = h_{1j}^{x_i}$ to revocation list $RL[j] = (B_{ij})$.

Fig. 2. Proposed communication protocol.

Sign: user generates a group signature = (T1 , T2 , T3 , f1 ,


f2 , U, V, c, s , s , sx , s , sr , su ) on the message M by using his secret key. Then, user-i selects r R Zp and
computes f1 = g1r , f2 = g2r , and = xi . Then, he
computes T1 = Ai h , T2 = f1+xi , T3 = h1j . Here, T1 ,
T2 , and T3 are linear encryption results for blinding Ai ,
xi , and . In addition, the user computes U = hxi +u ,
V = S u , whereas u R Zp . Then, he computes R1 =
r
r +r
e(T1 , g2 )rx e(h, w)r e(h, g2 )r , R2 = f1 x , R3 = h1j ,
R4 = g1rr , R5 = g2rr , R6 = hrx +ru , R7 = S ru with random
blinding values r , r , rx , r , rr , ru . Also he computes a
challenge c = Hash(M, T1 , T2 , T3 , f1 , f2 , U, V, R1 , ..., R7 ),
using random numbers s , s , sx , s , sr , su , which are the
values for zero-knowledge proof of (Ai , xi ).
Verify: the verifier verifies the users signature on given
message M and signature = (T1 , T2 , T3 , f1 , f2 , U, V, c, s ,
1 , ..., R
7 such that,
s , sx , s , sr , su ), the verifier computes R
)c
(
e(g
,g
1 2)
2 =
1 = e(T1 , g2 )sx e(h, w)s e(h, g2 )s
, R
R
e(T1 ,w)
s
s +sx
sr
c
c
5 = g sr /f c ,
/T2 , R3 = h1j /T3 , R4 = g1 /f1c , R
f1
2
2
sx +su
c
su
c

R6 = h
/U , R7 = S /V . Then, the verifier checks if c
1 , ..., R
7)
is equal to c = Hash(M, T1 , T2 , T3 , f1 , f2 , U, V, R

or not. The verification is successful if c = c and the following


revocation check says left hand and right hand are not equal.
Then he checks the revocation: $e(T_2, h_{2j}) \stackrel{?}{=} e(B_{ij} T_3, f_2)$; if it holds, then user i is a revoked user.

Open: given message M, signature = (T1 , T2 , T3 , f1 , f2 , U, V, c, s , s , sx , s , sr , su ), and tsk = (s), the GM, acting as Tracing Manager, checks the validity of the signature and, if the signature is valid, opens the signer's secret $Q_i$ as $Q_i = U / V^{(1/s)}$; $Q_i$ is then a part of the signer that serves as the signer identity.
The proposed protocol is based on [3] and the hash function technology. The detailed procedure is described in Fig. 2. We separated the authority of the GM into three entities: Key Issuer Manager, User Revocation Manager, and Tracing Manager. The Key Issuer Manager has the authority to issue the group public key (gpk), group secret key (gmsk), tracing key (tsk), the users' secret keys gsk[i] and the users' group list GL[i] for successfully joined users. On reported key loss, stolen keys, and misuse by users, the User Revocation Manager adds the revoked user's signature into the revocation list RL[i]. The Tracing Manager has the authority to trace and open the user's identity information from the user's signature obtained from the verifier or the Issuer Revocation Manager who requested opening the user's identity, in case of misuse, the contract expiration date of services, or other reasons. We define our protocol procedures in 4 phases, which are described in detail as follows:
Phase 1: KeyGen Algorithm.
This is the randomized algorithm with the input parameter n, the number of users of a privilege group. Then, the GM, acting as Key Issuer Manager, proceeds with the following steps:

1) Select a generator $g_2 \in_R G_2$ and $g_1 \in_R G_1$ uniformly at random. Select $h \in_R G_1$, and set $j \in [1, t]$ where t is used for user revocation token, such that $h_{1j} = g_1^{r_j}$, $h_{2j} = g_2^{r_j}$, whereas $r_j \in_R Z_p$.
2) Select R Zp and set w = g2 .
3) Select $s \in_R Z_p$. Then, compute $S = h^s$.
4) Output the group public key gpk = ($g_1, h, h_{11}, \dots, h_{1t}, S, g_2, w, h_{21}, \dots, h_{2t}$), group secret key gmsk = (), and the tracing secret key tsk = (s).
5) Distribute gpk and tsk to the Tracing Manager.

Phase 2: Registration Protocol.
This is a communication protocol between the Key Issuer Manager and a joining user. The i-th user joins the group through the following steps:

1) User i requests a user secret key and the group public key from the Key Issuer Manager. Then, the Key Issuer Manager selects $x_i \in_R Z_p$ and computes $Q_i = h^{x_i}$, where the user's ID is embedded into his secret key $x_i$.
2) The Key Issuer Manager computes $A_i = g_1^{1/(+x_i)}$. Then the Key Issuer Manager sends $(A_i, x_i)$ to user i. The Key Issuer Manager adds $(i, x_i, Q_i)$ to his Group List (GL), which is the database of users in the group.
3) Upon receiving $(A_i, x_i)$, user i stores $gsk[i] = (A_i, x_i)$ as his secret key.

Phase 3: Authentication Protocol.
This is an authentication protocol between the signer and the verifier. This protocol comprises two algorithms, the Sign algorithm and the Verify algorithm, which are described as follows:
Signature Generation: Sign Algorithm.
This algorithm is performed by the sensor nodes and users as the signer to authenticate themselves to the gateway node or data center as the verifier, where the inputs of the signing algorithm are the group public key gpk, the signer secret key gsk[i], and the message to be signed, $M \in \{0, 1\}^*$. The algorithm is performed as follows:
Select , R Zp and set = xi . Then, select
r R Zp , compute f1 = g1r and f2 = g2r .

1)


2)
3)
4)

5)
6)

7)
8)
9)

Then, compute T1 = Ai h , T2 = f1+xi , and T3 =


h1j .
Select u R Zp . Compute U = hxi +u and V = S u .
The SP KX is computed as follows:
X = SP K{(xi , , , , r, u) :
e(g1 ,g2 )

xi
e(h, g2 ) ,
e(T1 ,w) = e(T1 , g2 ) e(h, w)
+xi

T2 = f1
, T3 = h1j , f1 = g1r , f2 = g2r , U =
xi +u
h
, V = S u }(M ).
Pick blinding factors: r , r , rx , r , rr , ru R Zp .
Compute:
R1 = e(T1 , g2 )rx e(h, w)r e(h, g2 )r , R2 =
r
r +r
f1 x , R3 = h1j , R4 = g1rr , R5 = g2rr , R6 =
hrx +ru , R7 = S ru .
Compute a challenge c R Zp as: c = Hash(M, T1 ,
T2 , T3 , f1 , f2 , U, V, R1 , ..., R7 ).
Compute responses:
sx = rx + cxi , s = r + c, s = r + c, s =
r + c, sr = rr + cr, su = ru + cu Zp .
Output the group signature:
= (T1 , T2 , T3 , f1 , f2 , U, V, c, s , s , sx , s , sr , su ).

Signature Verification: Verify Algorithm.
This algorithm is performed by the verifier with the inputs gpk, a target signature, and the message $M \in \{0, 1\}^*$. The signature is verified as follows:
Signature check: check whether the signature is valid or not by using SPK X as follows:
1)

1, R
2, R
3, R
4, R
5, R
6, R
7 as:
Re-derive R
)c
(
1 = e(T1 , g2 )sx e(h, w)s e(h, g2 )s e(g1 ,g2 )
,
R
e(T1 ,w)

2)

3)

3 = hs /T c , R
4 = g sr /f c ,
2 = f s +sx /T c , R
R
1
2
3
1
1
1j
6 = hsx +su /U c , R
7 = S su /V c .
5 = g sr /f c , R
R
2
2
Re-derive the challenge c R Zp as:
1 , ..., R
7 ). If
c = Hash(M, T1 , T2 , T3 , f1 , f2 , U, V, R

c = c , the signature is valid, otherwise signature is


invalid.
Revocation check: The verification is successful if
c = c and the following revocation check says left
hand and right hand are not equal. Then check the
revocation: $e(T_2, h_{2j}) \stackrel{?}{=} e(B_{ij} T_3, f_2)$; if it holds,
then user i is a revoked user.

Phase 4: Tracing.
The inputs of this algorithm are gpk, the traced signature, message M, and the tracing secret key tsk. The Tracing Manager traces and identifies the signer as follows:

1) Verify the traced signature by using the above Verify algorithm.
2) If the signature is valid, compute $Q_i = U / V^{(1/s)}$, using the tracing key tsk = (s).
3) Output i.
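The tracing path of the scheme (U and V from Sign, the R6 and R7 rows re-derived in Verify, and the Open computation of Phase 4) can be exercised without a pairing library. The following Python code is an added example, not the authors' implementation: it assumes a prime-order subgroup of Z_P^* as a stand-in for G1, SHA-256 as Hash, and hypothetical function names, and it models only those rows, so the membership certificate A_i and the revocation check are outside it.

```python
"""Toy model of the tracing part of the signature: U, V, R6, R7 and Open.

Assumption: G1 is replaced by the order-q subgroup of Z_P^* with P = 2q + 1
(found at import time); the paper works in a Barreto-Naehrig pairing group.
Only the SPK rows that involve U and V are modelled.
"""
import hashlib
import secrets

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def _is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 2^64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_group(bits=62):
    """Smallest prime q >= 2^(bits-1) such that P = 2q + 1 is also prime."""
    q = (1 << (bits - 1)) + 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return q, 2 * q + 1

ORDER, MOD = _find_group()      # stand-ins for the group order p and for G1

def rand_exp():
    """Uniform non-zero exponent."""
    return secrets.randbelow(ORDER - 1) + 1

def keygen():
    """Tracing-related part of KeyGen: generator h, tsk = s, S = h^s."""
    h = pow(secrets.randbelow(MOD - 3) + 2, 2, MOD)   # a square != 1 has order q
    s = rand_exp()
    return {"h": h, "S": pow(h, s, MOD)}, s

def register(gpk, GL, ident):
    """Registration: pick x_i and store Q_i = h^{x_i} in the Group List."""
    x = rand_exp()
    GL[pow(gpk["h"], x, MOD)] = ident
    return x

def _challenge(M, *elems):
    data = M + b"|" + b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % ORDER

def sign_trace(gpk, x, M):
    """U = h^{x+u}, V = S^u, commitments R6, R7, responses sx, su."""
    h, S = gpk["h"], gpk["S"]
    u, rx, ru = rand_exp(), rand_exp(), rand_exp()
    U, V = pow(h, x + u, MOD), pow(S, u, MOD)
    c = _challenge(M, U, V, pow(h, rx + ru, MOD), pow(S, ru, MOD))
    return {"U": U, "V": V, "c": c,
            "sx": (rx + c * x) % ORDER, "su": (ru + c * u) % ORDER}

def verify_trace(gpk, sig, M):
    """Re-derive R6 = h^{sx+su}/U^c and R7 = S^{su}/V^c, then compare c."""
    h, S, U, V, c = gpk["h"], gpk["S"], sig["U"], sig["V"], sig["c"]
    if not all(0 < e < MOD and pow(e, ORDER, MOD) == 1 for e in (U, V)):
        return False                                  # element outside the group
    R6 = pow(h, sig["sx"] + sig["su"], MOD) * pow(U, -c, MOD) % MOD
    R7 = pow(S, sig["su"], MOD) * pow(V, -c, MOD) % MOD
    return c == _challenge(M, U, V, R6, R7)

def open_signature(gpk, tsk, GL, sig, M):
    """Tracing: verify, compute Q_i = U / V^{1/s}, look Q_i up in GL."""
    if not verify_trace(gpk, sig, M):
        return None
    inv_s = pow(tsk, -1, ORDER)
    Q = sig["U"] * pow(sig["V"], -inv_s, MOD) % MOD
    return GL.get(Q)
```

On its own this component does not prove group membership: in the full signature the same response sx also appears in the R1 and R2 rows, which is what ties U to the x_i of the membership certificate.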
IV. IMPLEMENTATION AND PERFORMANCE MEASUREMENT

In this section, we describe the implementation of our anonymous authentication system and the experiment. The topology of our system is shown in Fig. 3. We measured the performance of our proposed scheme on a desktop PC acting as data center and Group Manager, a laptop PC as the user, and embedded system devices as the sensor node and gateway node of our initial implementation. The specification of the devices used in the experiment is shown in Table I.

TABLE I. EQUIPMENTS SPECIFICATION USED IN THE EXPERIMENT.

| Specification of | Sensor Node / Gateway Node | Data Center | User |
|---|---|---|---|
| Software | gcc-4.6.4-5, openssl-1.0.1k | gcc-4.3.5, openssl-0.9.8o | gcc-4.4.5, openssl-0.9.8o |
| O/S | Linux Raspberrypi 4.1.17-v7+ | Debian Linux kernel-2.6.32 | Debian Linux kernel-2.6.32 |
| CPU | Raspberry pi 2 model B embedded system ARM Cortex rev 5 v71 Processor 900MHz | Intel Core i7 2.60GHz | Intel Core i7 1.80GHz |
| RAM | 1 GB | 4 GB | 2 GB |
| NIC | TP-Link TL-WN722N 150Mbps IEEE802.11b/g/n | Broadcom BCM43xx 1.0 (5.106.98.100.17) | Intel Dual Band Wireless-N 7260 IEEE802.11a/b/g/n |

Fig. 3. System implementation and experiment.

In the system scenario, sensor nodes (e.g., Node 1, Node 2, ..., Node N) generate a group signature on sensor data M using the Sign algorithm to authenticate themselves as legitimate nodes in the privilege group. Along with the sensor data M, the signature is transmitted to the gateway node through the wireless network (i.e., WSN or WiFi). Upon receiving the tuple (M, ), the gateway node verifies the signature on message M using the Verify algorithm. If and only if the signature is valid, the gateway node subsequently checks whether the signature is revoked or not by testing $e(T_2, h_{2j}) \stackrel{?}{=} e(B_{ij} T_3, f_2)$ of the Revocation check mechanism; if it holds, the signature is revoked. Otherwise, the gateway node accepts and stores the sensor data temporarily and forwards it to the data center for permanent storage. On the other hand, only a user (e.g., User 1, User 2, ..., or User N) who is successfully authenticated by the data center is able to access the sensor data provided by the data center. Here, the user has to generate a group signature on the sensor data access request message M. This request message M is transmitted through a TCP/IP connection (i.e., Internet or LAN) along with the signature generated by the user. The data center allows the user to access sensor data if the signature is successfully verified and not in the revocation list (i.e., $e(T_2, h_{2j}) \neq e(B_{ij} T_3, f_2)$).

This scenario may be used in IoT technology, such as for the deployment of sensor data to the Internet, which can be accessed by the user at any time and anywhere (e.g., an environmental health monitoring system through WSN [13]). To do so, the system first assigns a particular privilege group. Only sensor nodes in the group that carry sensory information are able to generate signatures that are successfully verified by the gateway node. Then, the gateway node forwards the sensor data to the data center. On the other hand, only users in the group are able to generate a signature on a sensor data request to the data center through the Internet. At any time, in case of illegal usage, voluntary departure, exit from the network for a particular time, etc., the data center and gateway node add such users or sensor nodes to the revocation list, and if necessary they are traced based on their signatures using the Tracing algorithm to identify the users or sensor nodes. As an initial implementation, we measured the performance of our proposed scheme on the sensor node or gateway node, user, and data center. Our implementation of the VLR group signature is based on pairing-based cryptography with the underlying Elliptic Curve Cryptography (ECC) computations using a Barreto-Naehrig curve [12] with 158-bit group order, which may also be increased to 254 bits for a higher security level.

TABLE II. COMPARISON OF COMPUTATION COSTS OF Sign AND Verify.

Scheme | Computation costs of Sign | Computation costs of Verify
Scheme [3]
Proposed Scheme
7E(G1) + 2E(G2) + 3E(GT)
6E(G1) + 4E(G2) + 2E(GT) + P + T(G2)
6E(G1) + E(G2) + 2E(GT)
5E(G1) + E(G2) + 3E(GT)
A. Efficiency Consideration
As with the previous scheme [3], we compared the efficiency of the Sign and Verify algorithms, excluding the Join-related and Open-related parts, because these computations are performed only once, when the nodes or users join the system for the first time and when tracing based on a signature occurs. However, in the Join protocol, our proposed scheme is simpler, as the signer's secret key consists of $x_i$ and $A_i = g_1^{1/(+x_i)}$. Meanwhile, in the previous scheme [3], there are xi , yi , zi , and Ai = (g1 g1xi g1zi )1/(+yi ) . We also exclude the user revocation check, because the approach is similar in the previous scheme [3] and the proposed scheme. The comparison of the costs of the Sign and Verify algorithms between the previous scheme [3] and the proposed scheme is shown in Table II. Note that E(G1), E(G2), and E(GT) denote exponentiation in G1, G2, and GT, P denotes a pairing computation, and T(G2) denotes a membership test on G2.
B. Performance Measurement
Table III and Table IV show the time comparison of the signing, verification and opening algorithms between the previous scheme [3] and our proposed scheme on the desktop PC and embedded system device, respectively. Key generation in the embedded system (i.e., gateway node) takes about 85 ms, while in the data center it needs only about 11 ms, whereas the previous scheme [3] consumes about 126 ms and 17 ms in the gateway node and data center, respectively. Meanwhile, signing time, verification time, and tracing time in the gateway node are about 155 ms, 214 ms, and 6 ms, respectively. These are about 39 ms, 43 ms, and 2 ms in the data center, whilst signing time, verification time, and tracing time of the previous scheme [3] are about 173 ms, 243 ms, and 6 ms in the gateway node, and about 44 ms, 49 ms, and 2 ms in the data center, respectively. On the other hand, signing time, verification time, and tracing time in the user are about 52 ms, 55 ms, and 2 ms, and for the previous scheme [3] they are about 58 ms, 63 ms, and 2 ms, respectively. However, since the user is the signer, which usually only generates signatures in the authentication system, the signing time is the most important for the user. In addition, tracing time is similar between the proposed scheme and the previous scheme [3], because they use the same approach. Moreover, the size of the signature in the proposed scheme is 488 Bytes. This is shorter than the size of the signature in the previous scheme [3], 572 Bytes.

TABLE III. COMPARISON OF COMPUTATION TIME OF KEYGEN, SIGN, VERIFY AND OPEN ALGORITHMS IN THE GATEWAY NODE AND DATA CENTER.

| Time of | Gateway Node (ms): Scheme [3] | Gateway Node (ms): Proposed Scheme | Data Center (ms): Scheme [3] | Data Center (ms): Proposed Scheme |
|---|---|---|---|---|
| KeyGen | 126.471 | 85.139 | 16.825 | 11.295 |
| Sign | 172.923 | 155.378 | 44.129 | 38.719 |
| Verify | 242.736 | 214.531 | 49.084 | 42.792 |
| Open | 6.517 | 6.420 | 1.522 | 1.505 |

TABLE IV. COMPARISON OF COMPUTATION TIME OF SIGN, VERIFY AND OPEN ALGORITHM IN THE USER.

| Time of | Scheme [3] (ms) | Proposed Scheme (ms) |
|---|---|---|
| Sign | 58.382 | 51.998 |
| Verify | 62.838 | 54.701 |
| Open | 1.565 | 1.525 |

Fig. 4 shows the verifier-local revocation check time in the gateway node and data center. We vary the number of revoked users R from 1 to 100, because user revocations may often happen in the system. For R = 100, the gateway node consumes about 3.2 seconds to perform the user revocation check, whilst the data center needs only about 700 ms, which is less than a second.

Fig. 4. Comparison of user revocation check time between gateway node and data center w.r.t. the number of revoked users.

V. CONCLUSION

We have presented a pairing-based VLR group signature scheme for the implementation of anonymous authentication in wireless networks, which is suitable for mobile devices, wireless sensor network devices, or other embedded system devices. Our experimental results showed the practicality of our system, with signing time and verification time of only about 155 ms and 214 ms on the ARM Cortex processor and about 39 ms and 43 ms on the Intel i7 processor.

Future Works. Our future work includes the implementation of the proposed scheme in wireless networks, involving communication and transfer of sensor data from sensor nodes toward the data center and access to sensor data by users at the data center, and the further improvement of the VLR group signature scheme.

ACKNOWLEDGMENT

This research was made possible through the help and support in part by the Ministry of Research, Technology, and Higher Education of Indonesia, Insentif Riset SINAS Scheme 2016.
REFERENCES
[1] D. Boneh, X. Boyen, and H. Shacham, "Short group signatures," In CRYPTO 04, Vol. 3152 of LNCS, pp. 45-55, 2004.
[2] D. Boneh and H. Shacham, "Group signatures with verifier-local revocation," In Proceeding of the 11th ACM Conference on Computer and Communications Security (CCS), pp. 168-177, 2004.
[3] A. Sudarsono, T. Nakanishi, Y. Nogami, and N. Funabiki, "Anonymous IEEE802.1X authentication system using group signatures," Journal of Information Processing, Vol. 18, pp. 63-76, March, 2010.
[4] T. Nakanishi and N. Funabiki, "A short verifier-local revocation group signature scheme with backward unlinkability," In 1st International Workshop on Security (IWSEC 2006), LNCS 4266, Springer Verlag, pp. 17-32, October 2006.
[5] L. Wei and J. Liu, "Shorter Verifier-Local Revocation Group Signature with Backward Unlinkability," Pairing-Based Cryptography - Pairing 2010, Vol. 6487 of LNCS, pp. 136-146, 2010.
[6] J. Zhang, "Shorter verifier-local revocation group signature based on DTDH assumption," Journal of Theoretical and Applied Information Technology, Vol. 50 No. 1, pp. 252-259, April, 2013.
[7] V. Kumar, K. Li, J.M. Park, K. Bian, and Y. Yang, "Group Signatures with Probabilistic Revocation: A Computationally-Scalable Approach for Providing Privacy-Preserving Authentication," Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS15), pp. 1334-1345, 2015.
[8] D. Chaum and E.V. Heyst, "Group signatures," In D.W. Davies, editor, Proceeding of Eurocrypt 1991, Vol. 547 of LNCS, pp. 257-265, April 1991.
[9] T. Isshiki, K. Mori, K. Sako, I. Teranishi, and S. Yonezawa, "Using group signatures for identity management and its implementation," Proceeding of ACM-DIM 2006, pp. 73-78, 2006.
[10] T. Nakanishi, H. Obayashi, and N. Funabiki, "An implementation of anonymous authentication system for Web services using proxies," In The 13th IEEE International Symposium on Consumer Electronics (ISCE2009), pp. 179-181, 2009.
[11] S. Morioka, J. Furukawa, Y. Nakamura, and K. Sako, "Architecture optimization of group signature circuits for cloud computing environment," In The 17th Workshop on Synthesis And System Integration of Mixed Information Technologies, pp. 497-502, 2012.
[12] P.S.L.M. Barreto and M. Naehrig, "Pairing-Friendly Elliptic Curves of Prime Order," Lecture Notes in Computer Science, Vol. 3897, pp. 319-331, 2006.
[13] A. Sudarsono, S. Huda, N. Fahmi, M.U.H. Al Rasyid, and P. Kristalina, "Secure Data Exchange in Environmental Health Monitoring System through Wireless Sensor Network," International Journal of Engineering and Technology Innovation (IJETI), Vol. 6, No. 2, pp. 103-122, 2016.
