Group Signatures are Suitable for Constrained Devices
S. Canard, I. Coisel, G. De Meulenaer, and O. Pereira.

In a group signature scheme, group members are able to sign messages on behalf of the group. Moreover, resulting signatures are anonymous and unlinkable for every verifier except for a given authority. In this paper, we mainly focus on one of the most secure and efficient group signature scheme, namely XSGS proposed by Delerablé and Pointcheval at Vietcrypt 2006. We show that it can efficiently be implemented in a sensor node or an RFID tag, even if it requires 13 elliptic curve point multiplications, 2 modular exponentiations and one pairing evaluation to produce a group signature. This is done by securely outsourcing part of the computation to an untrusted powerful intermediary. The result is that XSGS can be executed in the MICAz (8-bit 7.37MHz ATmega128 microprocessor) and the TelosB (16-bit 4MHz MSP430 processor) sensor nodes in less than 200 ms.