Dynamic Membership Management in Anonymous and Deniable Distance Bounding

For secure location proof in many applications, distance bounding protocols are considered as one of the useful tools that can be used in practice. In distance bounding protocols, a prover and a verifier can measure the distance between them by performing an interactive protocol. In general, the verifier is regarded as an honest service provider, and thus, an adversarial verifier is not considered for security analysis. However, we cannot ignore the possibility of the corruption of the verifier, which can spoil the prover’s privacy. To handle the security problem, a prover-anonymous and deniable distance bounding protocol is proposed, which can guarantee the privacy of the prover even though the verifier is corrupted. In this paper, we review the prover-anonymous and deniable distance bounding protocol in terms of the membership management, and we show that the communication overhead in the protocol for each membership change is O(n) where n is the number of users. Then, we propose an improved membership management technique, which can efficiently support membership change in terms of the communication overhead. The improved technique requires O(1) for each membership change instead of O(n), as in the existing protocol.


Introduction
In the beginning, distance bounding (DistB) protocols were devised to counter relay attacks in authentication protocols by allowing a verifier to check whether a prover is really within his/her neighborhood [1]. By proving the closeness of two parties, a verifier can believe that it is not possible to relay any information between them since the distance between the two parties is too short to intrude in their communication. Although the primary goal of DistB protocols was to counter relay attacks, currently, they are considered as a practical solution for secure localization in location-based services [2][3][4] since we can use them to measure the location-related information of a client. Authenticating the exact location-related information of a client makes it possible to provide IT services linked to a specific location or social community. These services are difficult to provide using a general user authentication protocol that is free of physical constraints. In addition, analyzing the possible security and privacy threats of protocols and providing enhancement techniques to cope with them are fundamental requirements ensuring the sustainability of the IT services based on these protocols and the social environment in which these services are used. Thus, until now, a number of distance bounding protocols have been proposed with additional functions and security features [5][6][7].
To prove the distance between a verifier and a prover in a reliable way, they perform a number of interactive protocols as follows. First, the prover and the verifier exchange some information to share common secret values in a secure and authenticated way. Using the shared secret values, the verifier and the prover perform a number of interactive challenge-response protocols to measure the round trip time between them. In each iteration, the verifier measures the current time and sends a challenge to the prover. Then, the prover responds to the challenge as soon as possible. If the verifier receives the response from the prover, he/she immediately measures the current time to evaluate the round trip time between the two parties. After performing the above-described challenge-response protocols, the verifier obtains a number of samples for the round trip time. The verifier computes the average round trip time from all measured round trip times. We can compute the distance between two parties using the average round trip time and the speed of the signals.
For the reliability of distance bounding protocols, we expect that no one except the prover can correctly respond to challenges sent by the verifier. To achieve the security goal, we use cryptographic techniques to generate the challenges. Generally, the prover is a low-power device, and thus, we cannot use any complicated questions as a challenge since the time to solve the question should not influence the round trip time. Hence, most of the distance bounding protocols employ symmetric cryptography instead of costly public-key cryptography.
Since verifiers are generally service providers in distance bounding protocols, the privacy of the prover is an important security condition for DistB protocols [10][11][12]. For this reason, at first, researchers focused on the privacy of provers under the assumption that verifiers are relatively reliable. However, it is not easy to guarantee the security requirement without public-key cryptography [13].
Some protocols can protect the privacy of provers by using public-key cryptography [14][15][16] when the assumption that the verifiers are honest entities holds. Until now, most of the techniques that have been proposed for the privacy issues guarantee the privacy of provers only when verifiers are reliable.
Unfortunately, most of the existing techniques have shown that they cannot preserve the privacy of the provers when verifiers are not reliable. Since we cannot ignore the possibility of the corruption of the verifier or the data leakage from the verifier, it is meaningful to design a secure and efficient DistB protocol that also can preserve the privacy of the prover against malicious or corrupted verifiers. The first solution was proposed by Gambs, Onete, and Robert [9]. In the literature, the prover-anonymous and deniable distance bounding (PA-DistB) protocol proposed in [9] was the first and only DistB protocol that can preserve the privacy of the prover even though the verifier is corrupted or any information is revealed by the verifier.
As a separate research flow, designing efficient DistB protocols by providing a new mechanism with a low false acceptance rate is one of the main research directions in this field [8][17][18][19]. Some researchers have designed distance bounding protocols that are secure against stronger adversarial provers who perform mafia-fraud attacks or terrorist-fraud attacks [5,6,20]. Guaranteeing stronger security or supporting improved performance is an important research issue in this field, but the main concern of this paper is the privacy of provers against malicious verifiers. Hence, from this viewpoint, we are interested in the technique introduced in [9] as an existing relevant technique since the technique is the only known solution for the same problem.

Contribution
In this paper, we review the PA-DistB protocol and analyze its performance, especially its membership revocation mechanism. Then, we propose a new membership management technique that requires remarkably less communication overhead than the existing technique in [9]. In the existing technique, for each membership change, the back-end server updates public information and posts it on the public bulletin board. Then, to perform the PA-DistB protocol, each user should download the updated public information (posted on the public bulletin board), the size of which is O(n) where n is the number of clients. Hence, the communication overhead for downloading updated information is O(n) in the existing technique. For some applications where the number of clients is not small or the changes of membership occur frequently, the inefficiency of membership changes could be a burden on the system. Therefore, it is very important to provide an efficient membership management technique, the cost of which is not influenced by the number of clients. Our technique gives a way to solve the problem since it requires O(1) communication overhead instead of O(n), as in the existing PA-DistB protocol. The main contribution of our technique can be summarized as follows:
• Support anonymous and deniable distance bounding.
• Guarantee the privacy of legitimate provers against malicious verifiers.
• Main contribution: support efficient membership update for dynamic membership change.
We want to emphasize that reducing the complexity from O(n) to O(1) is very hard to accomplish. Therefore, the proposed technique is very meaningful work from this viewpoint. As we know from the literature, our work is the first and only prover-anonymous distance bounding protocol supporting dynamic membership management with complexity O(1).

Review of the PA-DistB Protocol
In this section, we briefly review the description of the PA-DistB protocol [9]. Before describing the PA-DistB protocol, we want to emphasize that our goal is to give a new membership management technique that can improve the PA-DistB protocol rather than to design a new protocol. Since we did not modify the core algorithms of the PA-DistB protocol, some component algorithms will be described without a detailed explanation if it is possible to explain our idea without them.
We use the following notations throughout the paper (see Table 1).

| Notation | Description |
|---|---|
| Srv | the server that maintains public information |
| $Pv_i$ | the $i$-th prover |
| $q$ | security parameter that determines the size of other variables ¹ |
| $E$ | an elliptic curve defined over a finite field $\mathbb{F}_q$ |
| $P$ | a point of $E$, the order of which is prime $q$ |
| $G = \langle P \rangle$ | $P$ is a generator of the group $G$ |
| $x_i$ | secret key of the $i$-th prover $Pv_i$ |
| $P_i$ | auxiliary public key for the $i$-th prover $Pv_i$ (used only for the protocol of [9]) |
| $Q_{v,i}$ | auxiliary public key for the $i$-th prover $Pv_i$ in the $v$-th step (used only for our protocol) |
| HEnc(pk, M) | encryption of message M under public key pk using additive homomorphic encryption |
| Sign(z, M) | signature of message M under signing key z |
| Prove(c) | zero-knowledge proof about ciphertext c |
| $X(P)$ | the most significant bits of the x-coordinate of $P$, where $P$ is a point of an elliptic curve $E$ |

¹ For example, a 256 bit positive integer is chosen to guarantee the security similar to a 2048 bit RSA cryptosystem.

Setting
In the PA-DistB protocol, three schemes are used as building blocks. Since the PA-DistB protocol can use any scheme as a building block if the scheme satisfies the pre-defined conditions described in [9], we describe the PA-DistB protocol without giving concrete schemes. Here, we simply remind the reader about some functions of the schemes to help understand the procedure of the PA-DistB protocol.
In the PA-DistB protocol, an additive homomorphic encryption scheme is used as a building block. Let HEnc(pk, M) be the encryption of a message M under the public key pk. Due to the additive homomorphic property, anyone can compute HEnc(pk, aM) from HEnc(pk, M) and an integer a. Note that this is equal to a · HEnc(pk, M), which denotes the addition of the encryption a times by itself. Note that, in the PA-DistB protocol, the ElGamal encryption scheme defined over an elliptic curve (EC-ElGamal encryption) is considered for the scheme. Refer to Appendix A for the additive homomorphic property of the EC-ElGamal encryption.
For a server Srv that maintains a public bulletin board B, we need a signature scheme to guarantee the information posted on the public bulletin board. Let Sign(z, M) be the signature of a message M under the server's signing key z.
For a prover, we need a non-interactive zero-knowledge system. Let Prove(c) be the zero-knowledge proof that proves that the ciphertext c is well formed. The meaning of "well formed" is that the ciphertext is the encryption of one of the publicly known values. Refer to Section 2.1.4 for more explanation.

Prover and Verifier Setup
Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$ and $P$ be a point of $E$, the order of which is prime $q$. Let $G = \langle P \rangle$, which implies that $P$ is a generator of the group $G$. Let $X(P)$ be the function that maps a point $P \in G$ to the most significant bits of the x-coordinate of $P$.
For each prover $Pv_i$, a random value $x_i \in \mathbb{Z}_q$ is chosen as a secret key. Then, the server Srv evaluates an auxiliary public key $P_i$ for $Pv_i$. Note that the secret key $x_i \in \mathbb{Z}_q$ and the auxiliary public key $P_i$ are stored by both $Pv_i$ and Srv. The auxiliary public key $P_i$ is computed as: The server evaluates one more public key as: Note that these values are updated dynamically as provers are created and revoked. Let (z, Z) be a signature key pair for the server where z is the signing key and Z is the corresponding verification key. The server generates a signature σ = Sign(z, m), and then, he/she publishes the message m and the signature σ on the public bulletin board B.
The verifier has a private/public key pair (y, Y) where $y \in \mathbb{Z}_q$ and $Y = yP$.

Prover Revocation
When a prover $Pv_i$ is revoked, the server removes the revoked prover's secret key $x_i$ from his/her database and updates all the values in the internal database and on the public board B. For the update, the server removes the corresponding auxiliary public key $P_i$, regenerates the other provers' auxiliary public keys $P_j$ ($j \neq i$) and the public key $Q$, and generates a new signature for the updated information. Note that the updated auxiliary public keys, the public key, and the signature are generated as described in Section 2.1.2. In other words, we have to perform the prover setup procedure again whenever any user is revoked.

Protocol Execution
The PA-DistB protocol is composed of the following four phases.

Freshness Test
Before starting the protocol's execution, a prover $Pv_i$ should test the freshness of the information stored in his/her storage by comparing it with the public information published on the public board B. The prover can perform the protocol's execution without changing stored information if it is not updated. However, when the public information has been changed, the prover needs his/her updated auxiliary public key since all auxiliary public keys are updated for each prover revocation. The prover can obtain his/her auxiliary public key by downloading it from the public board. Unfortunately, to obtain his/her updated key, the prover should download all updated information from the public board instead of downloading only his/her updated auxiliary public key. See Section 2.2 for a detailed explanation.

Preparation Phase
The prover chooses three random values $r_1, r_2, sk_e \in \mathbb{Z}_q$ and generates $R_1$, $R_2$, $pk_e$ as follows: and $pk_e = sk_e P$.
Then, the prover generates a ciphertext $c = \mathrm{HEnc}(pk_e, P_i)$ and a zero-knowledge proof π = Prove(c). Note that we use the zero-knowledge system to prove that the ciphertext $c$ is the encryption of one of $\{P_j \mid j = 1, \ldots, k\}$. The verifier checks the given values and stops the protocol's execution if any value is invalid. Otherwise, the verifier chooses $r, r_3 \in \mathbb{Z}_q$, computes: and gives $R_3$, $c'$ to the prover. Then, the prover tests if $R_3 \neq O$ and accepts it if the condition holds. Let $n$ be the number of iterations in the fast bit exchange phase. To prepare the fast bit exchange phase, the prover and the verifier generate: respectively.

Fast Bit Exchange Phase
For the fast bit exchange phase, the verifier randomly chooses challenge bits c 1 , . . . , c . Let c = c || · · · ||c 1 . The prover and the verifier perform the following steps times. For the j-th iteration, two parties perform the following:
1. V starts the timer and sends the j-th challenge $c_j$ to P;
2. P replies by sending $r_j = (1 - c_j)\,p^0_j + c_j\,p^1_j$ to V;
3. V stops the timer and measures the round trip time $\Delta T_j$.

Verification Phase
The verifier sends all challenge bits to the prover. Then, the prover compares this with the challenge received while performing the fast bit exchange phase. If the equality test is passed, the prover computes D = r 2 Y and generates a signature S as follows: The verifier then evaluatesQ = (S − yR 2 ) − eR 1 − R 2 and tests ifQ = rQ. The verifier checks the correctness of all responses returned by the prover. If all conditions hold, the verifier measures the average round trip time as:

Membership Management in the PA-DistB Protocol
For seamless service, we expect that the PA-DistB protocol provides dynamic membership management in the sense that any modification (caused by some membership changes) can be immediately applied to the system. The necessity of the dynamic membership management was already considered and designed in [9]. The technique in [9] uses a public board to announce the most recently updated public key $Q$, the auxiliary public keys $\{P_i \mid i = 1, \ldots, k\}$ for all users, and the signature σ for the information. For each membership change, all values published on the public board are updated by reflecting the membership change, and any user can dynamically follow the change by referring to the posted information.
The membership management technique in [9] works dynamically as claimed in [9], but we need an improved membership management technique since there are some weak points in the existing technique. Recall that each user needs his/her updated auxiliary public key to perform the PA-DistB protocol, and he/she can obtain the updated public key by downloading it from the public board. If the user downloads only his/her auxiliary public key, his/her anonymity cannot be guaranteed since anyone can identify the user by seeing the index of the downloaded key. Therefore, the user should download all updated information posted on the public board instead of downloading only his/her key. If there are many clients or the membership changes occur frequently, the cost of downloading updated data could be a burden on the execution of the PA-DistB protocol. Moreover, we cannot use the membership management technique in [9] for some applications where the device used for the protocol cannot access the public board. To use the PA-DistB protocol, devices (used by provers) should be able to access the public board, but some devices such as radio-frequency identification (RFID) tags cannot directly access the public board via the Internet. The verifier can help the devices by downloading the updated information on behalf of the provers. However, in this case, we need additional safeguards to prove the correctness and the freshness of the information given by the verifier.
Here, we do not want to disparage the value of the PA-DistB protocol since it is still useful in the current form. We merely want to emphasize that it is worth providing an efficient membership management technique that can support the PA-DistB protocol to overcome the above described weak points.

PA-DistB Protocol with Dynamic Membership Management
Before introducing the PA-DistB protocol with dynamic membership management, we want to emphasize that the main goal of this work is not to design an entirely new distance bounding protocol compared with the previous work in [9], but to give an improved membership management technique for the PA-DistB protocol without spoiling the security of the underlying protocol [9]. To achieve this goal, we will design a novel technique that does not require the public bulletin board since the use of the public board causes the above-described demerits.

Basic Idea
In this section, we briefly explain the basic idea of our protocol. Recall that the main goal of this work is to give an efficient way to deal with dynamic membership changes. In the existing protocol [9], the existence of a public board causes many problems in achieving the goal since a number of public keys are maintained in the board and the values should be downloaded for each membership change. In the following, we will explain the way to remove the public bulletin board from the protocol and the reason why it is not easy to remove the board in the existing technique. Finally, we will explain a brief strategy of this work in removing the bulletin board.
To remove the use of the public bulletin board, we have to support each prover to follow up all membership changes without access to the public board. To support each prover, we can use the verifier, who is sufficiently stronger than the provers. Since RFID readers, which have sufficient computing and electric power, are verifiers, it is reasonable to assume that the verifier can access the public bulletin board.
Based on the above-described observation, we can give a simple countermeasure as follows. First, the verifier gives the updated information to each prover before performing the protocol execution. In this case, the verifier cannot ask the prover to open the prover's user index to choose one auxiliary public key among many public keys since the user index can be used to break the anonymity of the prover. Then, in the existing technique [9], the only way is to give all updated keys to the prover. In the above-described simple countermeasure, the communication overhead for the update increases along with the number of members for the existing technique [9].
Recall that our goal is to present a way to fix the above discussed problem without sending all public keys. We achieve the goal by introducing the concept of versioned public keys. Instead of downloading all new public keys, in our approach, only the most recent public key of a prover will be computed by the server, and it will be transmitted to the prover. In our protocol, we assume that the verifier is stronger than the prover, and thus, the prover communicates with the server with the help of a verifier. To protect the privacy of the prover, the current public key will be transmitted to the server via the verifier in an encrypted form. To compute the most recent public key in an encrypted form without revealing the identity of the prover, the current public key will be encrypted using a homomorphic encryption scheme. Due to the property of homomorphic encryption schemes, a new public key can be computed from the current public key without revealing the owner of the public key.

Our Protocol
Now, we describe our technique. To clarify the difference between our construction and the existing construction in [9], we will give a short comment for each algorithm regarding the differences, if any. Recall that our protocol is modified from the work in [9]. Hence, unless otherwise stated, we refer to the protocol in [9] when discussing the previous technique.

Setting
In our protocol, the same setting is used as in the PA-DistB protocol, and thus, we omit the detailed explanation of the system setting procedure.

Prover Setup
In our scheme, some parameters are updated along with the change of membership. Therefore, we use a variable $v$ to indicate the number of updates. Now, we call the state the $v$-th step if there are $v$ changes of membership. In the initialization step, the state number is set to zero and gradually increased by one if a new member is joining or an existing member is revoked. When the latest version index is $v$, each prover holds a version index $v'$ ($\le v$), and the server maintains the list $L_{\mathrm{update}}$ of all the history of the membership changes.
Now, we describe the prover setup procedure. First, we set up each user's key pair as follows. Let $k$ be the number of provers in the initialization step and $I$ be the set of all indexes of valid provers. Then, $I = \{1, \ldots, k\}$ in the setup phase. Each prover $Pv_i$ chooses a secret key $x_i \in \mathbb{Z}_q$ and securely sends it to the server Srv. Then, the server evaluates the auxiliary public key $Q_{0,i}$ and gives it to the prover $Pv_i$. Here, the prover's auxiliary public key $Q_{0,i}$ is defined as: Note that the key pair $\{x_i, Q_{0,i}\}$ is shared by $Pv_i$ and Srv. Then, the initial public key $Q_0$ is defined as: The prover $Pv_i$'s auxiliary public key $Q_{0,i}$ and the public key $Q_0$ will be updated for each membership change. Let $Q_{v,i}$ and $Q_v$ be the updated auxiliary public key (for the prover $Pv_i$) and the updated public key for the $v$-th step, respectively. Let $\mathcal{Q}_v$ be the set of all provers' auxiliary public keys in the $v$-th step. Initially, $\mathcal{Q}_0 = \{Q_{0,i} \mid i = 0, \ldots, k\}$. The server generates a signature σ = Sign(z, $m_0$) where z is the signing key of the server and $m_0 = \{Q_0, \mathcal{Q}_0\}$. Then, the server distributes it to all provers. Using the signature, each prover can verify his/her own information given by the server.
Note that the main difference from the existing technique is the version index. In [9], each prover did not maintain its version index since all updated public keys were posted on the public bulletin board. In our construction, each prover maintains his/her version number, and this is the main difference of this step. However, the computation of the initial keys is identical to the existing protocol.

Prover Joining or Revocation
Before describing the joining and revocation method, we want to emphasize that all equations described in this section are fully new ones that were not considered in the existing technique. Recall that the joining and revocation of provers are solved by publishing updated public keys using a public bulletin board.
Let $v$ be the latest version index and $n$ be the largest user index in the $v$-th step. The server maintains a list $L_{\mathrm{update}}$ where all update details are summarized. For the $v$-th update, the server adds $\{v, i_v, x_v, \mathrm{flag}_v\}$ to the list where $i_v$ is the user index of the joining/revoked user, $x_v$ is the private key of the user $Pv_{i_v}$, and $\mathrm{flag}_v$ is an indicator. We set $\mathrm{flag}_v = 1$ when the update is caused by the joining of a new member and $\mathrm{flag}_v = -1$ if the update is caused by the revocation of an existing member. In other words, the flag indicates the validity of the user since $\mathrm{flag}_v = 1$ if $Pv_{i_v}$ is a valid user and $\mathrm{flag}_v = -1$ if $Pv_{i_v}$ is an invalid user. Note that $x_v$ is the private key of the user $Pv_{i_v}$ who is joining or revoked in the $v$-th step, and thus, we have Recall that $n$ is the largest user index, and thus, the user index for a new joining prover is $n + 1$. When a new prover $Pv_{n+1}$ joins the system, the server does the following:
• privately shares a secret key $x_{n+1}$ with the new prover;
• stores $Q_{v+1}$, $\mathcal{Q}_{v+1}$, and $\sigma_{v+1}$ instead of $Q_v$, $\mathcal{Q}_v$, and $\sigma_v$ where:
• adds $\{v + 1, n + 1, x_{n+1}, 1\}$ and $n + 1$ to the list $L_{\mathrm{update}}$ and $I$, respectively;
• updates the version index and the largest user index as $v^* = v + 1$ and $n^* = n + 1$, respectively.
Suppose that an existing prover $Pv_i$ maintains the information of which version number is $v'$, i.e., his/her private key is $x_i$, and the corresponding public key is $Q_{v',i}$. To revoke the prover $Pv_i$, the server does the following:
• stores $Q_{v+1}$, $\mathcal{Q}_{v+1}$, and $\sigma_{v+1}$ instead of $Q_v$, $\mathcal{Q}_v$, and $\sigma_v$ where:
• adds $\{v + 1, i, x_i, -1\}$ to $L_{\mathrm{update}}$ and removes $i$ from $I$;
• updates the version index as $v^* = v + 1$.

Protocol Execution
Note that most of the procedures of the improved protocol are identical to the PA-DistB protocol except the freshness test step. The only difference is the freshness test step and the key update procedure. In the two steps, the prover checks the version of its current public key and updates his/her public key with the help of the verifier if the version of the current public key is old. Except for the two steps, the protocol's execution is almost identical to the existing technique. The improved protocol works as follows.

Freshness Test
We assume that the verifier maintains the latest version index. When the prover and the verifier have the same index, they go to the preparation phase. Otherwise, the prover performs the key update procedure (as described in Section 3.2.5) to obtain the updated information and then goes to the preparation phase.

Preparation Phase
Here, we assume that the prover and the verifier have the information of the latest version. Let v be the version index and n be the largest user index.
As in the PA-DistB protocol, the prover chooses three random values $r_1, r_2, sk_e \in \mathbb{Z}_q$, computes $R_1 = r_1 P$, $R_2 = r_2 P$, $pk_e = sk_e P$, and generates $c = \mathrm{HEnc}(pk_e, Q_{v,i})$ and π = NIZK(c well formed). Then, the prover sends $R_1$, $R_2$, $c$, and π to the verifier. Then, the verifier chooses $r, r_3 \in \mathbb{Z}_q$, computes: $R_3 = r_3 P$ and $c' = r \cdot c = \mathrm{HEnc}(pk_e, rQ_{v,i})$, and gives them to the prover. Then, the prover tests if $R_3 \neq O$ and accepts it if the condition holds. To prepare the fast bit exchange phase, the prover and the verifier generate: and: respectively.

Fast Bit Exchange Phase
For the fast bit exchange phase, the verifier randomly chooses challenge bits c 1 , . . . , c . Let $p^b_j$ be the j-th bit of $p^b$. The prover and the verifier perform the following steps times. For the j-th iteration, the two parties perform the following:
S1. V starts the timer and sends the j-th challenge $c_j$ to P;
S2. P replies by sending $r_j = (1 - c_j)\,p^0_j + c_j\,p^1_j$ to V;
S3. V stops the timer and measures the round trip time $\Delta T_j$.

Verification Phase
The verifier sends all challenge bits to the prover. Then, the prover compares this with the challenge received while performing the fast bit exchange phase. If the equality test is passed, the prover computes D = r 2 Y and generates a signature S as follows: The verifier then evaluatesQ = (S − yR 2 ) − eR 1 − R 2 and tests ifQ = rQ. The verifier checks the correctness of all responses returned by the prover. If all conditions hold, the verifier measures the average round trip time as:

Key Update
Note that the key update method is a fully new technique compared with the existing protocol. In [9], the key update was performed by the server, and provers obtained their new public keys by downloading them from the public bulletin board. In our approach, each prover receives his/her updated public key from the server with the help of the verifier.
Let $v$ be the index for the latest version of the membership state, $v'$ be the version number maintained by the prover, and $n$ be the largest user index in the $v$-th step. Recall that the key update procedure is performed only if $v' < v$. The prover $Pv_i$ maintains the information of which version number is $v'$, i.e., his/her private key is $x_i$, and the corresponding public key is $Q_{v',i}$.
Note that the prover cannot communicate with the server without the help of the verifier. The key update procedure can be performed with the help of the verifier, i.e., the verifier forwards all communicating messages from the prover to the server and vice versa. With the help of the verifier, the prover can obtain the updated key by performing the following procedure with the server:
• The prover $Pv_i$ chooses a value $sk_u \in \mathbb{Z}_q$, computes $pk_u = sk_u P$, generates $c_u = \mathrm{HEnc}(pk_u, Q_{v',i})$, and gives $c_u$ with the version number $v'$ to the server in a secure and authenticated way. (There are several cryptographic tools that can be used for establishing a secure and authenticated communication channel without revealing the privacy of the initiator. For example, we can use the signcryption scheme in [21] for the goal since the scheme permits a sender to share a common session key with the receiver without opening his/her identity to others except for the receiver.)
• To update the prover's key $Q_{v',i}$ in an encrypted form, the server Srv computes: and gives it with the newest version index $v$ to the prover in a secure and authenticated way.
• The prover obtains the updated public key $Q_{v,i}$ by decrypting the ciphertext received from the server and stores it with the corresponding version index $v$ in his/her secure storage.
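The key update exchange above, as an added Python example (not code from the paper or from [9]). The update equations are not reproduced in this text, so the example assumes that a prover's auxiliary key is the product of all other valid provers' secret keys times P, and that the server's update scalar is the product of the logged keys raised to their flags; the curve (secp256k1) and the names `Server`, `henc`, `hscale`, `key_update` are likewise assumptions.

```python
import secrets

# Assumed curve: secp256k1 (the text only asks for a prime-order EC group).
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity O


def add(A, B):
    """Group law on y^2 = x^3 + 7 over F_p."""
    if A is INF:
        return B
    if B is INF:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % FP == 0:
        return INF
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1 % FP, -1, FP) % FP
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP) % FP
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)


def neg(A):
    return INF if A is INF else (A[0], -A[1] % FP)


def mul(k, A):
    """Double-and-add scalar multiplication k*A (not constant time)."""
    k %= N
    R = INF
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def henc(pk, M):
    """EC-ElGamal on a point M: HEnc(pk, M) = (rP, M + r*pk)."""
    r = rand_scalar()
    return (mul(r, G), add(M, mul(r, pk)))


def hdec(sk, c):
    return add(c[1], neg(mul(sk, c[0])))


def hscale(a, c):
    """a . HEnc(pk, M) = HEnc(pk, aM): scale both ciphertext components."""
    return (mul(a, c[0]), mul(a, c[1]))


class Server:
    def __init__(self, keys):
        self.valid = dict(keys)  # index -> x_i of currently valid provers
        self.l_update = []       # history entries (v, i_v, x_v, flag_v)

    def version(self):
        return len(self.l_update)

    def aux_key(self, i):
        """Reference Q_{v,i}; ASSUMED form (prod_{j != i} x_j) * P."""
        s = 1
        for j, x in self.valid.items():
            if j != i:
                s = s * x % N
        return mul(s, G)

    def join(self, i, x):
        self.valid[i] = x
        self.l_update.append((self.version() + 1, i, x, +1))

    def revoke(self, i):
        x = self.valid.pop(i)
        self.l_update.append((self.version() + 1, i, x, -1))

    def key_update(self, c_u, v_old):
        """Lift an encrypted key from version v_old to the latest version.
        ASSUMED rule: multiply by x for each join, x^-1 for each revocation."""
        a = 1
        for _, _, x, flag in self.l_update[v_old:]:
            a = a * pow(x, flag, N) % N
        return hscale(a, c_u), self.version()


def demo():
    """Constructed scenario: prover 3 is three versions behind."""
    srv = Server({i: rand_scalar() for i in range(1, 6)})
    v_old, q_old = srv.version(), srv.aux_key(3)
    srv.revoke(1)
    srv.join(6, rand_scalar())
    srv.revoke(5)
    sk_u = rand_scalar()                      # one-time update key pair
    c_u = henc(mul(sk_u, G), q_old)           # server sees only this ciphertext
    c_new, v_new = srv.key_update(c_u, v_old)
    return hdec(sk_u, c_new) == srv.aux_key(3), v_new, len(c_new)
```

The reply is a single ciphertext (two curve points) whatever the number of provers, and the server never sees which auxiliary key it is updating.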

Analysis of the Proposed Technique
In this section, we examine the correctness and security of the prover-anonymous and deniable distance bounding protocol described in Section 3.2. We also compare the proposed technique with existing anonymous and deniable distance bounding techniques.

Correctness
First, we examine the correctness of the protocol as follows.
Theorem 1. The proposed prover-anonymous and deniable distance bounding protocol correctly works.

Proof.
Recall that the only difference between the proposed protocol and the underlying PA-DistB protocol is the key update technique. Though there are some insignificant differences, they have no influence on the correctness of the proposed protocol. Hence, it suffices to prove the correctness of the proposed key update technique. Let $v$ be the index for the latest version of the membership state and $v'$ ($< v$) be the version number maintained by the prover $Pv_i$. To prove the correctness of the key update procedure, we have to show that: Recall that $Q_{v',i}$ and $Q_{v,i}$ can be rewritten as follows: where $I_{v'}$ and $I_v$ are the set of indexes of all valid provers in the $v'$-th step and the $v$-th step, respectively. When the set of indexes of all valid provers is changed from $I_{v'}$ to $I_v$ along with the change of membership, some members join and others are revoked. Let $I_J$ and $I_R$ be the set of indexes of the joining members and the revoked members from the $v'$-th step to the $v$-th step, respectively. Then, we have $I_{v'} \cup I_J \setminus I_R = I_v$. Note that existing users are not performing the joining procedure again, and only existing users can be revoked; thus, we have $I_{v'} \cap I_J = \emptyset$ and $I_R \subset I_{v'} \cup I_J$. There are $v - v'$ updates between the $v'$-th step and the $v$-th step, and the records for the updates are as follows: It is easy to see that $I_J \cup I_R = \{v' + 1, v' + 2, \ldots, v\}$. Then, we can obtain the following: Hence, the proposed update technique correctly works.

Security
It remains to examine the security of the proposed protocol. It is easy to prove the security of the proposed protocol due to the similarity between the proposed protocol and the PA-DistB protocol. Note that the proposed protocol is constructed by giving a new key update mechanism instead of using a public board, and this is the only difference between the two protocols. Therefore, the security of the proposed protocol is identical to that of the underlying protocol if the proposed key update technique can securely support the key update functionality without using the public board. Recall that the goal of the key update mechanism is to deliver the latest public information in an authenticated way. In the proposed protocol, the server maintains the history of updates and helps each prover update his/her key information. As we prove in Theorem 1, the technique given in Section 3.2.5 correctly updates the key information, and all messages for the update are transmitted in a secure and authenticated way as discussed in Section 3.2.5. Therefore, the update procedure provides the same security functionalities as the PA-DistB protocol.

Comparison
In this section, we compare the proposed technique with the technique introduced in [9], which is known as the only anonymous and deniable distance bounding protocol in the literature. In Figure 1, we compare the main difference of the two protocols, the protocol in [9] and the proposed technique. For performance comparison, we focus on the cost of dynamic membership changes since the two techniques provide the same performance for the other operations. To compare their performance, we measure the number of operations and the size of the messages, and we summarize the result in Table 2.
Table 2. Efficiency comparison (for membership management).

| | Computational cost: Prover | Computational cost: Verifier | Computational cost: Server | Communication overhead: Prover | Communication overhead: Verifier | Communication overhead: Server |
|---|---|---|---|---|---|---|
| [9] | $c_v$ | | $n^2 c_{sm} + c_s$ | $(n - 1)p + s$ | - | $(n - 1)p + s$ |
| Ours | $c_{sm} + c_e + c_d + c_v$ | | $c_{sme} + c_{sm} + c_s$ | $2c$ | $4c$ | $2c$ |

* $n$: number of users, $p$: length of a public key, $s$: length of a signature, $c$: length of a ciphertext
* $c_s$: cost of signing, $c_v$: cost of signature verification, $c_{sm}$: cost of ECC scalar multiplication, $c_{sme}$: cost of scalar multiplication of an encryption
* ester, C cert : cost of

Note that, in the existing technique [9], the server updates all public keys and publishes them on a public bulletin board. In our approach, the server records the update history as described in Section and helps the prover update his/her public key in the key update step as described in Section 3.2.5.
As summarized in Table 2, the existing technique requires about $O(n^2)$ computations from the server's viewpoint and $O(n)$ communication overhead. Though the prover needs more computations to get an updated public key from the server, the server's computational cost is dramatically reduced from $n^2 c_{sm} + c_s$ to $c_{sme} + c_{sm} + c_s$. Though the server performs the operations for each prover's update requests, our approach is more stable than the technique in [9] since the existing technique requires heavy operations, whereas our construction has a light computational cost. Moreover, in our scheme, the prover can update his/her public key with low communication overhead. Though the costs of sending and receiving a message are not the same, we count all messages in Table 2. As seen in Table 2, we need only a few messages to update the key values.
In Table 3, we summarize and compare the main features of the two techniques, the technique in [9] and our technique. The two schemes support privacy protection for provers. The two schemes can also support dynamic membership management, but the scheme in [9] has a heavy computational cost and communication overhead for this feature. In our technique, we can support key update without assuming the existence of an additional server, but a bulletin board should be assumed in [9]. As a result, in our technique, a prover can update his/her key even though it cannot access the server via the Internet. Therefore, our scheme can support some devices with limited capability in terms of communication.

Conclusions
In this paper, we review the efficiency of the prover-anonymous and deniable distance bounding protocol. In particular, we examine its performance in terms of the membership management and show that we need a somewhat improved membership management technique due to the communication overhead in the existing technique. Then, we propose an improved membership management technique that can improve the performance of the prover-anonymous and deniable distance bounding protocol by efficiently supporting membership change in terms of the communication overhead. The main features guaranteed by the proposed technique can be summarized as follows:
• Security (same as the technique in [9]).
- Support anonymous and deniable distance bounding.
- Guarantee the privacy of legitimate provers against malicious verifiers.
- Membership update without an additional bulletin board system to publish valid keys.  (1)).
- Support dynamic update for offline provers.
As we summarized above, the proposed technique supports efficient membership management, unlike the existing technique, the complexity of which is O(n) where n is the number of users. We want to emphasize that our work is the first and only prover-anonymous distance bounding protocol supporting dynamic membership management with complexity O(1).

Funding: This work was supported by the Electronics and Telecommunications Research Institute (ETRI) grant funded by the Korean government (20ZR1300, Development of core technologies for trust data connectome to realize a safe data society).

Conflicts of Interest:
The authors declare no conflicts of interest.

Appendix A. Additive Homomorphic Property of the EC-ElGamal Encryption Scheme
The original ElGamal encryption scheme is multiplicative homomorphic, but the ElGamal encryption defined over an elliptic curve (EC-ElGamal encryption) provides the additive homomorphic property with respect to the points of the underlying elliptic curve.
KeyGen: Let $G = \langle P \rangle$ be a subgroup of prime order $q$ defined by the points on the elliptic curve $E$ over a finite field $\mathbb{F}_q$. The point $P$ is a generator of the group $G$. Then, a user chooses random $x \in \mathbb{Z}_q$ as his/her private key and computes $Q = xP$ as the corresponding public key.
Enc: To encrypt a message $M \in E$, for randomly chosen $r$, we compute the following: $C = M + rQ$ and $D = rP$. Then, $Ctx = (C, D)$ is the ciphertext for $M$.
Dec: From the ciphertext $Ctx$, we can recover the message $M$ as follows:
Add: For $i \in \{1, 2\}$, let $Ctx_i = (C_i, D_i)$ be the ciphertext of $M_i$ where $C_i = M_i + r_i Q$ and $D_i = r_i P$. From $Ctx_1$ and $Ctx_2$, we can compute: $C = C_1 + C_2 = M_1 + M_2 + (r_1 + r_2)Q$ and: $D = D_1 + D_2 = (r_1 + r_2)P$.
Due to the additive homomorphic property of EC-ElGamal encryption, we can compute the encryption of a message $aM \in E$ from the encryption of the same message $M \in E$ and any integer $a$.
Let $Ctx = (C, D)$ be the ciphertext for $M$ where $C = M + rQ$ and $D = rP$ for some $r$. Then, it is easy to check the correctness of the property as follows:
$$a \bullet Ctx = \underbrace{Ctx + \cdots + Ctx}_{a \text{ times}} = (aC, aD) = (aM + r'Q, r'P),$$
where $r' = ar$. Recall that, as defined in Section 2.1, $a \bullet Ctx$ denotes the addition of the ciphertext $a$ times itself.
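
The Add and scalar-multiplication properties above can be checked end to end with the following added example, which is not code from the paper. The toy curve ($y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$, $P = (5, 1)$, order 19), the function names, and the use of the standard EC-ElGamal decryption $M = C - xD$ are assumptions introduced here.

```python
# Added example: EC-ElGamal on a toy curve. Parameters are an assumption chosen for
# readability and are NOT secure: y^2 = x^3 + 2x + 2 over F_17, P = (5, 1), order q = 19.
import secrets

p, a, q = 17, 2, 19
P, O = (5, 1), None                       # generator and point at infinity

def add(A, B):                            # group law, affine coordinates
    if A is O: return B
    if B is O: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                          # A + (-A), also covers doubling with y = 0
    if A == B:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def neg(A):
    return O if A is O else (A[0], -A[1] % p)

def mul(k, A):                            # double-and-add: kA
    R, k = O, k % q
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def keygen():
    x = 1 + secrets.randbelow(q - 1)      # private key x in [1, q-1]
    return x, mul(x, P)                   # public key Q = xP

def enc(Q, M):
    r = 1 + secrets.randbelow(q - 1)
    return (add(M, mul(r, Q)), mul(r, P)) # Ctx = (C, D) = (M + rQ, rP)

def dec(x, ctx):
    return add(ctx[0], neg(mul(x, ctx[1])))   # M = C - xD, because xD = rQ

def ctx_add(c1, c2):                      # Add: componentwise point addition
    return (add(c1[0], c2[0]), add(c1[1], c2[1]))

def ctx_scale(k, c):                      # a . Ctx = (aC, aD)
    return (mul(k, c[0]), mul(k, c[1]))

if __name__ == "__main__":
    x, Q = keygen(); M1, M2 = mul(4, P), mul(9, P)   # constructed messages
    print(dec(x, ctx_scale(5, ctx_add(enc(Q, M1), enc(Q, M2)))) == mul(5, add(M1, M2)))
```

Neither `ctx_add` nor `ctx_scale` uses the private key, which is what lets a party holding only ciphertexts transform an encrypted value on the key owner's behalf.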