ISS/Join


**GSig**(*gpk*, *i*, *gski*, *M*)


**TKGen**(*gpk*, *i*, *gski*, *M*)


#### **GVf**(*gpk*, *M*, *σ*)


**Open**(*gpk*, *ok*, *M*, *σ*, *TKM*)


*<sup>e</sup>*(*T*4/(*T*1*<sup>ξ</sup>* <sup>1</sup>*T*2*<sup>ξ</sup>* <sup>2</sup>*T*3*<sup>ξ</sup>* 3), *g*)·(*T*7/e(*T*5,*TKM*)) = *<sup>e</sup>*(*Ai*, *g*).


Determining correctness in an anonymous signature scheme is not that difficult in the proposed scheme when compared to proving the level of full anonymity. Nevertheless, it can be proven with a random oracle model when an assumption is made that the decisional bilinear Diffie–Hellman problem is not easy to solve. The unforgeability of a signature can be proven with the same model as above when it is assumed that the q-strong Diffie–Hellman problem is not easy to prove. The problem of the unforgeability of a token can be solved in a similar way, but the assumption should be made that the computational Diffie–Hellman problem is not easy to solve. The details of proof were omitted as they deviate from the research purpose.

This chapter provides a solution to signers' concerns about the exposure of their identities in the anonymous signature schemes. The issues pertaining to the excessive authority of the openers were covered by another study in which an admitter was added to the scheme to limit the power of the openers. However, as the possibility of successfully tracing the signer's identity still remained, this study proposed a method by which the signer issues a token him/herself without the intervention of the admitter. It is expected that, if the proposed method is applied to the existing anonymous signature schemes, their level of security will be improved significantly, thus alleviating the users' concerns.

#### **5. Efficiency Comparison**

A comparison of theoretical computational costs involved in the algorithms for the generation and verification of the group signatures is shown in Table 1. The group signature scheme in Reference [24] is a sort of a pairing-based group signature scheme which does not offer linkability, and is used for the comparison as a reference scheme. On the other hand, the group signature scheme in Reference [6] offers linkability by allowing the pre-defined linker to check the linkability of all the relevant signatures. Reference [25] introduced a scheme where the signer can control the linkability. When generating the random elements, the respective coefficients (integers) of variables G1, G2, and Zp indicate the individual number of generated random elements (i.e., 2 G1 + 1 G2 + 2 Zp indicates that two random elements were generated for G1, one random element for G2, and two random for Zp). Also, in the calculation formula, P represents the pairing operation; MG1 (or MG2) is the scalar multiplication operation for the group G1 (or G2); EGT is the exponentiation operation in the group GT. As such, the expression 6 P + 9 MG1 + 1 MG2 + 6 EGT implies that six pairings and nine scalar multiplications for G1, one scalar multiplication for G2, and six exponentiations for GT were performed by the algorithm which mainly focuses on the pairing tasks (Table 2), where the pairing operations were performed approximately six times more than the scalar multiplications.


**Table 1.** The computational costs of the group signatures calculated with the algorithms used by the major group signature schemes.


**Table 2.** Performance comparison.

The operation of each group signature scheme (Table 2) was simulated with the computer (Intel Sandy Bridge i3 2330M 2.2-GHz processor, 4 GB random-access memory (RAM), Ubuntu 12.04), whereas the operations (pairing) were performed using the Python Pairing-Based Cryptography (PYPBC) Library, adopting the d224 curve, specifically. The resulting values are the averages of 100 simulations conducted for the individual schemes. The time required for the proposed scheme to generate and verify the signature was similar to that of References [6,24,25] and the same level of similarity was found in the computational costs. This means that the function "signer-controlled opening capability" being added to the computation process did not actually affect the computational costs much. Meanwhile, the proposed algorithm in this study was developed in a way that it can be adopted in previous research [26–32] pertaining to smart grids.
