An approach of membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Thus, since signers have no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, this scheme does not satisfy the backward unlikability. The backward unlikability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with the backward unlinkability from bilinear maps. 2 Model and Security Definitions We show a model of VLR group signature scheme with backward unlinkability, which is extended from a model of VLR group signature scheme proposed in [7]. Definition 1. A VLR group signature scheme with backward unlinkability consists of the following algorithms: KeyGen(n, T): It is a probabilistic algorithm on inputs n, which is the number of members, and T , which is the number of time intervals. It outputs a Then, the security requirements, Correctness, Traceability, and BU-anonymity, are defined as follows, which are also extended from [7]. Definition 2 (Correctness). Correctness requires that for all (gpk, gsk, grt) = KeyGen(n, T), all j ∈ [1, T ], all RL j , all i ∈ [1, n], and all M ∈ {0, 1} * , Verify(gpk, j, RL j , Sign(gpk, j, gsk[i], M), M) = valid ⇐⇒ grt[i][j] / ∈ RL j .
