Short Dynamic Group Signature Scheme Supporting Controllable Linkability

The controllable linkability of group signatures, introduced by Hwang et al., enables an entity that holds a linking key to determine whether two group signatures were generated by the same signer, while preserving anonymity. This functionality is very useful in many applications that require linkability but still need anonymity, such as Sybil attack detection in a vehicular ad hoc network and privacy-preserving data mining. In this paper, we present a new group signature scheme supporting controllable linkability. The major advantage of this scheme is that the signature length is very short, even shorter than that of the best-known group signature scheme that does not support linkability. We have implemented our scheme on both a Linux machine with an Intel Core2 Quad and an iPhone 4. We compare the results with a number of existing group signature schemes. We also prove the security properties of our scheme, such as anonymity, traceability, nonframeability, and linkability, in the random oracle model.