Group Signature with Verifier-Local Revocation Based on Coding Theory

Group signature with verifier-local revocation (VLR-GS) is a special variant of revocable group signature that not only allows a user to anonymously signmessages but also only requires the verifiers to possess some up-to-date revocation information. To date, a number of VLR-GS schemes have been proposed under bilinear groups and lattices, while they have not yet been instantiated based on coding theory. In this paper, we present a code-based VLR-GS scheme in the random oracle model, which is the first construction to the best of our knowledge. Concretely, our VLR-GS scheme does not rely on the traditional paradigm which utilizes an encryption scheme as a building block and achieves logarithmic-size group signature. To obtain the scheme, we first introduce a new code-based Stern-like interactive zero-knowledge protocol with member revocation mechanism based on syndrome decoding problem. Moreover, we employ the binary Goppa code embedded for our scheme with efficiency and security analysis.


Group Signature.
Group signature scheme is a fundamental cryptographic primitive that enables signer anonymity and has been extensively researched since introduced by Chaum and Van Heyst [1]. e anonymity indicates that any group member is allowed to issue signature for documents on behalf of the group, while the identity of the signer is anonymously hidden from a verifier. Concretely, it allows the group members to issue signatures on behalf of the whole group without compromising their identity information. When receiving an issued signing key from the group manager, a signer can generate a group signature on a certain message. Moreover, a verifier can verify the signature by only a group public key and cannot identify who is the actual signer even when the validity of the signature is verified.
At the same time, there is a serious problem that should be considered in the real-world applications. If a group member issues signatures for documents where he is not allowed to sign, this member should be revoked from the group. e membership of a revoked user should be canceled.
at is to say, how to remove the signing capability of misbehaving users without affecting remaining members is a significant problem.
is problem can be encountered in many application scenarios, such as in politics and business. For example, if illegal information sent by a malicious group member is reported, the group administrator will kick the malicious member out of the group after verification to ensure the safety of other legitimate members in the group. A naive method is to rebuild the group signature system for distributing system parameter to the unrevoked members; however, this certainly limits the practicality. Hence, support of membership revocation in group signature is highly desirable, which makes the notion of revocable group signature (RGS) to be proposed [2] and widely researched.

Revocable Group
Signature. When considering member revocation, how to efficiently and securely revoke the signing ability of misbehaving members in a unrevoked user-unaware way is a major problem in group signature.
Traditionally, the revocation information should be sent to both signer and verifier in the revocable group signature schemes [3][4][5]. Later, the most employed method is the verifier-local revocation technique [6], which only requires the verifier to possess some up-to-date revocation information, that is, the revocation messages are only sent to signature verifier, not the signer. Hence, the VLR-GS is more widely deployed in real-world application due to its high efficiency and flexible operations.
Currently, a number of VLG-GS schemes have been proposed based on various security assumptions in the pairing-free, pairing, and lattice setting [7][8][9][10], while they have not been studied yet based on coding theory. So, in this paper, we give a generic construction of the code-based VLG-GS scheme, which can resist quantum computer attacks.

Our Contributions.
Our main contribution is to give a generic construction for the code-based group signature scheme with support of verifier-local revocation function. For this purpose, we first design a code-based Stern-like interactive zero-knowledge (ZK) identification protocol with member revocation mechanism; this protocol allows the prover to convince the given ciphertext is well formed, and the hidden plaintext satisfies other additional conditions. en, we utilize the new ZK protocol to construct the code-based revocable group signature scheme. Our structure departs from the traditional "sign-and-encrypt-and-prove" group signature paradigm and deviates from code-based encryptions. So, how to construct an interactive ZK protocol with member revocation mechanism under a code-based security assumption is the main problem we have solved. Finally, we give a formal security proof for its correctness, selfless anonymity (this is a slightly weaker notion than the CPA anonymity and CCA anonymity for group signature, where this work focuses on providing membership revocation functionality for group signature), and traceability and reduce its security to the hardness of the syndrome decoding (SD) problem. By instantiating the scheme with [n, k] 2 Goppa codes with parameter analysis, the public key size and the signature size in the scheme achieve log(N) · O(n 2 ) and log(N) · O(n) over F 2 , respectively, where N is the number of group users.

Technique Overview.
e main building block of our VLR group signature scheme is an interactive ZK protocol. e protocol allows a prover to convince the verifier that he is a certified group member (i.e., he possesses a valid secret signing key) and that he has not been revoked (i.e., his "revocation token" is not in the verifier's blacklist). We can repeat the protocol many times to make the soundness error negligibly small.
We consider a group of size N � 2 l , and each user is identified by a string d � (d [1], . . . , d[l]) ∈ 0, 1 { } l denoting the binary representation of his index in the group. To get an extension of d, inspired by the Bonsai tree signature originally proposed by Cash et al. in [11], which was first introduced into the code theory by Ezerman et al. [12], here we adapt and develop their method to manage the Bonsai tree of a difficult code-based problem, and hence a group user with identity d is issued a Bonsai signature under its identity. at is, we have a small vector z ∈ F (l+1)n 2 with z's Hamming weight w(z) � r and l ] is a subtree defined by d. e anonymity implies that the signer's identity d is hidden from the verifier; therefore, the matrix A d should not be explicitly given. We utilize the extension method in [7]: we add n suitable zero blocks to vector z to obtain an ex- , where the added zero blocks are l , We then have w(x) � r, and A · x ⊺ � u. Namely x is a solution to the syndrome decoding instance given by the whole Bonsai tree. To prove in zero-knowledge the possession of such a vector x, we adapt the "Stern extension" proof system, and the user identity d is hidden by a "one-time pad" technique. As a result, the user can anonymously prove his group membership.
To enable membership revocation, the secret key x of each group member should make the first block x 0 related with A 0 ; then, the revocation token could be formulated as With well-chosen parameters and sample x 0 from a proper distribution, the token can therefore be statistically close to uniform over F n− k 2 . In fact, when a user is asked to sample a uniformly random vector r 0 ∈ F n 2 and to compute a commitment c 0 using a (code-based) collisionresistant hash function COM, for which the value A 0 · r ⊺ 0 is part of the committed string. Depending on the verifier's challenge, the user will either reveal r 0 or r 0 + x 0 .

Related
Work. Group signature schemes have been well studied based on bilinear pairing [6,[13][14][15][16][17]. In 2018, Ishida et al. and Perera and Koshiba [18,19] gave two group signature frameworks, respectively, which accorded to the traditional "sign-and-encrypt" paradigm and could achieve a high level of anonymity: (almost) full anonymity. However, because the secure code-based signature scheme cannot be realized for a while, the code-based instantiation scheme cannot be presented. Later, a number of lattice-based and code-based group signature schemes have been proposed, which can resist quantum computer attacks. Gordon et al. [20] designed the first lattice-based group signature scheme whose public key size and signature size are linear in the number of group members N. Recently, there are several efficient lattice-based constructions [7,21,22] that have been proposed, whose group public key size and signature size are proportional to log(N). e first code-based group signature scheme was proposed by Alamélou et al. in [23], which allows to dynamically add new members during the lifetime of the group. In 2015, Ezerman et al. [12] proposed the first provably secure group signature scheme from code-based assumptions which satisfies CPA anonymity and traceability requirements in the random oracle model, whose security is reduced to the hardness of the syndrome decoding problem.
Moreover, the first rank code-based group signature was proposed by Alamélou et al. [24], which achieves dynamic in a relaxed pattern based on the BSZ model of Bellare et al. [13]. Nevertheless, there is no instantiation code-based group signature scheme with support of revocation functionality. e concept of VLR-GS was first considered by Brickell [25] and Kiayias et al. [26] and then formalized by Boneh and Shacham [6]. e state-of-the-art VLR-GS constructions are usually given in the bilinear map. e first latticebased VLR-GS scheme was given by Langlois et al. [7]. In 2020, Yin et al. [27] proposed a lattice-based VLR-GS scheme and realized full anonymity. However, this property cannot be implemented in code-based group signature scheme temporarily, for the research about code cryptography is not mature as lattice's.
1.6. Organization. Section 2 recalls some preliminary knowledge for our work, including code-based cryptography and group signature. In Section 3, we introduce a code-based "Stern-like" interactive protocol, which supports member revocation. We construct a code-based VLR group signature scheme and give its security analysis in Section 4. In the end, we conclude our work in Section 5.

Preliminaries
In this section, we present some notations and technical tools used in this work. Let B(n, r) be the set of all vectors x ∈ F n 2 such that w(x) � r, where w(x) is the Hamming weight of vector x. In addition, we use bold lowercase and capital letters to denote vectors and matrices, respectively.

General Definitions
Definition 1 (linear codes). A[n, k](n > k) linear errorcorrecting code C over a finite field F 2 is a k-dimensional subspace of n-dimensional linear space F n 2 , and co-dimension is n − k. Let matrix G ∈ F k×n 2 be a generator matrix of code C, and the row vectors of G form a base of C, i.e., C � m · G ∈ F n 2 |m ∈ F k 2 . Note that G is not unique. In addition, the code C can also be defined by a parity-check matrix H ∈ F (n− k)×n 2 such that C � c ∈ F n 2 |H · c ⊺ � 0 n− k , and hence the check matrix of code C is not unique as well. Besides, any row vector of H is orthogonal to any row vector of the generating matrix G of C, i.e., H · G ⊺ � 0. For any vector x ∈ F n 2 , define the syndrome of x as s � H · x ⊺ ∈ F n− k 2 , where x is a codeword of C if and only if H · c ⊺ � 0 n− k .
Besides, we say that G (respectively, H) is in systematic form if it is of the form (I k |A) (respectively, (I n− k |B)).
Definition 2 (syndrome decoding problem, SDP). Let H be a parity check matrix for a random [n, k] linear code over F 2 and let a vector s be chosen uniformly at random in F n− k 2 and an integer r < n. Find a vector x ∈ B(n, r) such that When n � n(λ), k � k(λ), r � r(λ), we say that the SD problem (H, s, r) is hard, if the success probability of any PPT algorithm in solving the problem is at most negl(λ).
In our security reduction, the following variant of the leftover hash lemma for matrix multiplication over F 2 is used.
Lemma 1 (left-over hash lemma [12]). Let D be a distribution over F n 2 with min-entropy e. For ε > 0 and In particular, if r < n is an integer such that and D is the uniform distribution over B(n, r) (i.e., D has min-entropy log n r ), then the statistical distance between the distribution of (H, H · x ⊺ ) and the uniform distribution over

Stern's Protocol.
e identification protocols are very important for enhancing the security of network services and smart cards, where the zero-knowledge (ZK) protocol is a convincing primitive to suggest that a protocol can be reused without any security loss.
An efficient code-based ZK protocol was first proposed by Stern [28] as shown in Figure 1 (we give a modification with employing hamming metric), which is a 3-pass prover-verifier protocol. e prover P makes a zero-knowledge proof to the verifier V solving a SD instance (H, s, r) on a low density weight secret z. Let S be the set of all permutations that keep the propositions in Section 3.1. Hence, the protocol suffers a distinguishable issue since a verifier with the knowledge of z is able to check whether a given witness z was actually involved during the protocol or not. Function h is modelled as a random oracle: h: F * 2 ⟶ F n 2 . Note that the prover and the verifier in the protocol with a cheating probability 2/3 are assumed to be honest, in such a way that, the completeness, soundness, and zero knowledge can be thus achieved [29].
Given the public information (H, s, r) ∈ F (n− k)×n 2 × F n− k 2 × N, the prover P needs to prove the knowledge of z ∈ B(n, r) such that H · z ⊺ � s.

Group Signature with Verifier-Local Revocation (VLR-GS).
Generally, a VLR-GS scheme consists of the following three algorithms [6]: (2) Selfless Anonymity. e goal of an adversary A in the selfless anonymity game (i.e., Figure 2) is to determine that a signature is generated by which secret key from two adaptively chosen keys. e challenger randomly chooses a bit b ∈ 0, 1 e adversary A may query an oracle with a group public key gpk at any point during its execution, with the exception that it is not allowed to make any corruption or revocation query for user d 0 or d 1 in the second query stage. e adversary A wins the game when b ′ � b, and thus the probability of this event is defined as Pr[Exp self− anon− b A,GS (λ)]. Now, we define the advantage of A in the experiment as (3) Traceability. e goal of an adversary in the traceability game is to forge a signature that cannot be traced to which group user using the implicit tracing algorithm. Finally, the adversary A outputs a message M * , a set of revocation tokens RL * , and a signature Σ * .
In the experiment, the sets HU and CU consist of the honest users and corrupted users, respectively, and the set U consists of corrupt users which is initially empty. Hence, the adversary A wins the game if (i) Verify(gpk, RL * , Σ * , M * ) � valid; (ii) the (implicit) tracing algorithm fails or traces to a user outside of the coalition U\RL * ; (iii) the signature Σ * is nontrivial, i.e., A did not obtain Σ * by making a signing query on M * . e traceability game is formally defined in Figure 3.
e probability that A wins the game is defined as Pr[Exp tr A,GS (λ, N)]. We define the advantage of A as Adv tr Figure 2: e selfless anonymity notion.
as follows: and sends c 1 , c 2 , c 3 to ν.

The Underlying Zero-Knowledge Interactive System
3.1. Some Specific Sets. Before describing the protocol, we introduce several supporting sets of vectors and permutations that will be extensively used throughout this work, which is inspired by Langlois et al. [7]. Let l be a positive integer and N � 2 l , and we have , we define the following two permutations of x: (a) e set S of all permutations that keep the following propositions: if π ∈ S, then π(x) � (π 0 (x 0 ) � � � �π 0 where each permutation π b i can transform any word x b i for all b ∈ 0, 1 { } and i ∈ [l] with same weight that leak any information about their support (in fact, the operation in [29] meets the above proposition: for any x, π(x) ∈ F n 2 , such that w(x) � w(π(x)), it is possible to find a n × n invertible matrix P ∈ F n×n 2 such that π(x) � xP). (b) e set T as T � T e |e ∈ 0, 1 { } l , where for e � e [1], . . . , e[l], T e ∈ T is a permutation: When given d, e ∈ 0, 1 { } l , π ∈ S, and x ∈ F (2l+1)n 2 , it can be checked that erefore, in the following ZK protocol, to prove that x ∈ Secret(d) for some d ∈ 0, 1 { } l and A · x ⊺ � u, one can instead prove that for ∀π ∈ S, e ∈ 0, 1 { } l , it satisfies T e ∘ π(x) ∈ Secret(d⊕e),

e Interactive Protocol.
e interactive protocol generally follows Stern's protocol whose security is reduced to the SD problem and makes a zero-knowledge proof to a verifier V on a small weight secret z with solving a SD instance (A, u, r). e protocol needs to be repeated t � r(log n) times to reduce the soundness error negligibly small. e protocol is summarized as follows: (i) e public parameters consist of a matrix , and a vector u ∈ F n− k 2 and r ∈ N.
(ii) e witness of a prover includes a vector whose cardinality is at most N − 1.
(iii) e goal of the prover is to let the verifier convince the following issues with zero knowledge that (1) { } λ be a collision-resistant hash function to be modelled as a random oracle. e prover's witness is , for which we employ an additional commitment c 0 to enable the revocation mechanism. e prover and the verifier interact as follows.

Analysis of the Protocol.
We use the following theorem to summarize some properties of the interactive protocol.

Theorem 1 (see [7]). If COM is a collision-resistant hash function, modelled as a random oracle, then the interactive protocol described in Section 3.2.1 is a ZK protocol of knowledge with perfect completeness, soundness error 2/3, and communication cost l · O(n).
In particular, there exists an efficient knowledge extractor that, on inputting a commitment CMT and 3 valid responses (RSP (1) , RSP (2) , RSP satisfying A · y ⊺ � u, where y ∈ Secret(d) for some d ∈ 0, 1 { } l , and A 0 · y ⊺ 0 ∉ RL. It can be seen that the given interactive protocol is perfectly complete, i.e., if the prover possesses a valid witness z, the verifier always outputs Valid according to this protocol. Indeed, given z satisfying z ∈ Secret(d) and A · z ⊺ � u, as discussed above, prover can always obtain z satisfying A · z ⊺ � u and T e ∘ π(x) ∈ Secret(d⊕e). As a result, prover should always pass verifier's verification in the case ch � 1 and ch � 2, and in the case ch � 3, it suffices to note that verifier simply checks for honest computations of c 1 and c 2 .
Besides, the interactive protocol is statistically zero knowledge if COM is modelled as a random oracle [12].

A Code-Based VLR-GS
In this section, we will describe and analyze our code-based VLR-GS scheme. First, we need to introduce an important tool for our scheme: trapdoor matrix, which permits to find a small weight preimage of the previous random syndrome to which a fixed syndrome is added.
Definition 3 (trapdoor matrix [23]). A trapdoor matrix family is a couple of polynomial algorithms (TrapGen, SampleS) such that (i) TrapGen(λ): outputs a pair (A, trk) ∈ F (n− k)×n 2 × TRK according to the security parameter λ, where the TRK is the value range of trk. (ii) SampleS(A, trk, u, r): outputs with a non-negligible probability, some x ∈ B(n, r) such as A · x ⊺ � u assuming (A, trk)←TrapGen(λ), u ∈ F n− k 2 and r ∈ N. Notice that x appears randomly from B(n, r), and it returns ⊥ if no solution is found. (iii) (Correctness): for all (A, trk)←TrapGen(λ) and all vectors u ∈ F n− k 2 , we have A(SampleS (A, trk, u, r)) � u ⊺ . (iv) (One-wayness): for all PPT adversary A, we have a negligible probability: Hence, we say that A is a trapdoor matrix and trk is a trapdoor key if (A, trk) was generated by TrapGen.

Key Generation.
On input the security parameter λ, an expected number of group users N � 2 l ∈ poly(λ) and a positive integer l.
. . . , d[l]) ∈ 0, 1 { } l , and do the following: : l be zero vectors 0 n , and define (1) Generate a proof that the user is a certified group member and has not been revoked; this is done by repeating the ZK protocol with t times to achieve a negligible soundness error. With the public parameter (A, u) and prover's witness x, we make it noninteractive with the Fiat-Shamir heuristic as a triple: where CH ∈ 1, 2, 3 (1) Parse the group signature Σ as (M, Π) as in formula (14). Remark 2. According to the above key generation algorithm, we can get some observations as follows: (1) According to Lemma 1, the distribution of A 0 is statistically close to uniform over F (n− k)×n 2 . Hence, the distribution of gpk is statistically close to uniform over F (n− k)×(2l+1)n 2 × F n− k 2 .
(2) e secret key x (d) of a group user indexed by d satisfies A · x (d)⊺ � u and x (d) ∈ Secret(d).
(3) e distribution of revocation token grt[d] is statistically close to uniform over F (n− k) 2 , and the tokens of two different group users should be different. In each rare event of conflict, the algorithm simply resamples the key and token for the user indexed by d 2 .

Security.
e correctness, selfless anonymity, and traceability of our VLR-GS are stated in eorems 2-4, respectively.

Theorem 2.
e VLR-GS scheme described in Section 4.1 is correct with an overwhelming probability.
Proof. According to the correctness requirement, it is necessary to prove that for all gpk � (A, u), We can observe that , with overwhelming probability, the honest signer index d ∈ 0, 1 { } l can obtain a valid witness x to be used in the underlying argument system. en, thanks to the perfect completeness of the latter protocol, the Π satisfy formula (5)   Proof. Let A be any PPT adversary that aims to break the selfless anonymity security of the scheme. We define a sequence of hybrid games Game G (b) 0 : the original selfless anonymity game in which the bit chosen by the challenger is b.
1 : a game similar to G (b) 0 , except the game G (b) 1 performs signing algorithm in an honest manner, and generates a legitimate signature.

Security and Communication Networks
Game G (b) 2 : a game similar to G (b) 1 , except the game G (b) 2 replaces the token grt[d b ] with a value selected uniformly random over F n− k 2 . Game G 3 : a game executes a proper SD problem instance.
We continue to prove that each of the two games is indistinguishable based on the zero-knowledge property of the underlying argument and the hardness of the SD problem. In the end, the selfless anonymity of our scheme then follows from the fact that game G 3 is independent of the bit b.
1 . is game makes the following modification with respect to Game G (b) 0 in Step 4, instead of generating a signature as follows: run the preparation steps of the signing algorithm in an honest manner; then simulate the noninteractive ZK protocol Π * .
is is done by invoking the simulator of the argument in eorem 1 for each repetition and programming the random oracle H accordingly. Since the underlying argument is statistically zero knowledge, the distribution of Π * is statistically close to that of the legitimate Π. Output Σ * � (M * , Π * ).
It can be seen that Σ * is statistically close to the signature Σ outputted by Step 4 in Game G (b) 0 . Hence, we can conclude that Game G (b) In this game, we introduce the following modification with respect to game G (b) 1 . In G (b) 1 , the token grt[d b ] is unknown to A, since it is statistically close to uniform over F n− k 2 . Clearly, the advantage of the adversary in this game is 0. Hence, we can conclude that G (b) 2 and G 3 are computationally indistinguishable if the SD problem is hard.
Finally, based on the combined observations on where "s" means statistically indistinguishable and "c" means computationally indistinguishable. e result shows that the advantage of an adversary winning in game G (b) 0 for b ∈ 0, 1 { } is negligible. is concludes the proof. □ Theorem 4. Suppose there is a PPT traceability adversary A against our VLR-GS scheme with a success probability ξ in the random oracle model; then, there is an algorithm F that solves the SD problem with a success probability polynomially related to ξ.
Proof. Suppose there is an adversary A that can break the computational blinding property of COM employed by the underlying argument with a non-negligible probability; then, we can use A to solve the SD problem. erefore, without loss of generality, we assume that COM is a collision-resistant hash function. Now, we construct a PPT algorithm F solving the SD problem with a non-negligible probability, which works as follows.
Challenge: the algorithm F receives a challenge SD instance, that is, a uniformly random matrix C � [C 0 |C 1 |. . . |C l ] ∈ F (n− k)×(l+1)n 2 and a vector u ∈ F (n− k)×(l+1)n 2 , and it wins the challenge if it can produce a nonzero vector x ∈ F (l+1)n 2 such that w(x) � r and C · x ⊺ � u. Setup: F performs the following steps: where each coordinate of z is sampled from F 2 with length n. If w(z) > r, then repeat the sampling; otherwise, compute u � C · z ⊺ .
(4) Define the secret key and revocation token for user d * as follows: where for ∀i ∈ [l]: frameworks with the traditional "sign-and-encrypt" paradigm, which can achieve a high level of anonymity: (almost-) full anonymity. But, the code-based instantiation scheme seems not readily available, as code-based signatures for which there are efficient zero-knowledge proofs of knowledge of message/signature pairs are not known to date. Scheme [27] is a lattice-based VLR-GS scheme; like our scheme, it can resist quantum computer attacks. Scheme [27] achieves full anonymity. However, it cannot be realized in code-based group signature scheme temporarily. e scheme [12] introduced the first provably secure group signature scheme from code-based assumptions in a static group. References [23,31] are the other two code-based group signature schemes, and they allow to dynamically add new members (weakly dynamic) but cannot realize the membership revocation. In summary, our scheme is the first code-based group signature scheme that realizes membership revocation, but unfortunately, it does not serve member registration. Next, we will consider further constructing a fully dynamic group signature system simultaneously supporting dynamic user enrolments and user revocations.

Implementation Results.
Our code-based VLR group signature scheme can be implemented in polynomial time by selecting parameters carefully. For a [n, k] 2 code, a group with N � 2 l group members, asymptotically, the public key mainly consists of (A, u) ∈ F (n− k)×(2l+1)n 2 × F n− k 2 , and the group public key size is l · O(n 2 ) � log(N) · O(n 2 ) over F 2 . For the group signature size, the commitment CMT achieves the bit size with 4λ (the security parameter λ should be greater than 80), and for each of the cases ch � 1, ch � 2, and ch � 3, the size of response RSP is 4nl + 2n + l, and hence the group signature size is tl · O(n) + 4λ � t log(N) · O(n) + 4λ over F 2 , where t is the repetition number of the protocol described in Section 3.2.1. e running time of revocation check (i.e., the check against c (k) 0 when ch (k) � 2) is linear with the number of revoked users.
We present the basic implementation results to demonstrate the feasibility, where the scheme is generic and can be used with any code. e binary Goppa codes are embedded since they constitute well-suited candidates for the instantiating introduced in our scheme. To achieve a 80-bit security level, we set the SD parameters as (n, k, r) � (2 11 , 1696, 121), so that the distribution of u is 2 80 -close to the uniform distribution over F n− k 2 and that the SD problem is intractable with respect to the best known attacks. e protocol is repeated at least 140 times to make the soundness error negligibly small (less than 1 − 2 − 80 .) We employ SHA-3 as an instantiation for the used hash functions, where it leads to the public key of size 8.9 × 10 6 bits for 2 8 � 256 users and 1.7 × 10 7 bits for 2 16 � 65536 users. And the signature size is 6.8 × 10 7 bits for 2 8 users and 1.3 × 10 8 bits for 2 16 users, with the bit size of any message M ∈ 0, 1 { } * .

Conclusion
In this work, we propose the first code-based group signature scheme with membership revocation, whose security is reduced to the hardness of the syndrome decoding problem. e main idea of our work is to build a new Stern-like interactive identification protocol with member revocation mechanism. Our structure departs from the traditional "signand-encrypt-and-prove" group signature paradigm and does not rely on a specific encryption primitive.
To the best of our knowledge, the construction presented here is the first one for code-based group signature scheme that supports member revocation, although it could still be improved for efficiency. In the future work, we will focus on improving the current building in terms of performance (for example, achieving both dynamic registration and efficient revocation of users), efficiency (for example, making the group signature size less dependent or independent of the group size), and CCA anonymity.
Moreover, in terms of practical application, group signature scheme with membership revocation is a useful cryptographic primitive. With the development of the openness of wireless network, the mobile device and application (app) security are increasingly important [32], and authentication and anonymity issues in mobile environments must be concerned. e network communication between mobile users and cloud servers may suffer from various attacks, such as impersonation attack and password guessing attack. So, it is indispensable to establish an authentication and key agreement (AKA) protocol to protect the conversations between the users with mobile devices and remote servers in various application environments. To be practical, a two-factor/multifactor AKA protocol [33,34] must satisfy the following security goals: (1) truly two-factor/ multifactor security, that is, if an attacker gains any part of the authentication factors, the attacker cannot successfully figure out the remaining factors; (2) anonymity and untraceability, including identity protection and user untraceability; (3) local and secure password update. Actually, the unforgeability, anonymity, and other attributes of an AKA protocol just meet the security requirements of a VLR-GS scheme. So, we firmly believe that the application research studies of VLR-GS system in mobile device authentication and two-factor/multifactor authentication schemes are worthy of discussion in the future. Moreover, we can consider using a zero-knowledge proof protocol to ensure the security of user identity, utilizing a key encapsulation mechanism to protect the session-key security in an AKA protocol.

Data Availability
e data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.