Introduction

The concept of a group signature scheme was proposed by Chaum and van Heyst (1991). It allows members of a group, and only them, to sign messages anonymously on behalf of the whole group, and the generated signature reveals nothing about the identity of the signer. In other words, the verifier can only confirm that the signature was generated by one of the group members, without learning which one. However, the trace manager can use its secret key to open the signature and trace the identity of the signer, which avoids unnecessary disputes. These two properties, anonymity (Chen and Pedersen 1994) and traceability, make group signatures one of the cryptographic primitives used to realize anonymous authentication.

In the early stages, most constructions of group signature schemes were static (Boneh et al. 2004; Camenisch and Lysyanskaya 2004; Nguyen and Naini 2004; Furukawa and Yonezawa 2004), namely the members of a group and its size are all fixed in the setup phase, and none of these parameters changes during the subsequent operation of the scheme. Furthermore, they also assume that the group manager is always honest and trustworthy. Later, many other properties were considered in the construction of group signature schemes:

(1) Fortunately, the size of the public key and of the generated signatures can be made independent of the size of the group (Camenisch and Stadler 1997; Camenisch and Michels 1998). This property is very important for the construction and application of group signature schemes: it avoids the expansion of public keys and signatures as the number of valid group members increases, and it makes schemes with this property well suited for large groups. The former is beneficial to the implementation efficiency of the scheme, while the latter makes the communication complexity and cost of the scheme independent of the group size.

(2) The power of the group manager was weakened (Bellare et al. 2005) by separating a trace manager GM trace from the group manager GM update and lowering the trust placed in each authority, which enhances the protection of honest participants; for example, their key pairs are generated by a trusted third party, which improves the security of the algorithms and brings them closer to practical application. GM trace is responsible for tracing a signature when necessary, and GM update is responsible for the registration and revocation of users and the update of the group information. The tracing soundness of a group signature scheme (Stern 1996) no longer assumes that the group managers are all reliable: before the verifier outputs its final verification result, the identity of the signer traced by the trace manager and the corresponding proof must also be checked. This improvement gives the constructed group signature schemes stronger security.

(3) Semi-dynamic model (Kiayias and Yung 2006), which involves either dynamic registration, allowing users to apply to join the group when needed, in the random oracle model (Camenisch and Stadler 1997; Camenisch and Michels 1998; Ateniese et al. 2000; Furukawa and Imai 2005; Kawachi et al. 2008; Delerablée and Pointcheval 2006; Bichsel et al. 2010) and in the standard model (Practical Group Signatures Without Random Oracles; Boyen and Waters 2006; Groth 2006; 2007; Boyen and Waters 2007; Signing on Elements in Bilinear Groups for Modular Protocol Design), or dynamic revocation, allowing the group manager to remove certain members from the group. There are different ways to realize the latter:

  (a) The group manager updates the group public key and distributes it to the users that are not revoked (Sakai et al. 2012; Camenisch and Lysyanskaya 2002).

  (b) Using an accumulator (Dodis et al. 2004; Nguyen 2005), which allows efficient proofs of group membership and efficient updates of the group information.

  (c) The signer is required to include a proof of eligible membership when signing a message (Bresson and Stern 2001), or to update its secret key (Boneh et al. 2004) according to the changes of the group.

  (d) VLR (verifier-local revocation) (An Efficient Protocol for Anonymously Providing Assurance of the Container of a Private Key; Boneh and Shacham 2004; Nakanishi and Funabiki 2005; Libert and Vergnaud 2009), where the list of revoked group members is distributed only to the verifier.

(4) Full dynamic model (Naor et al. 2001; Peikert and Rosen 2007; Camenisch and Groth 2004; Nakanishi et al. 2009; Libert et al. 2012a, b), which allows both dynamic registration of users and dynamic revocation of group members, giving the scheme stronger security and higher practicability.

The security of the schemes mentioned above is mostly based on algebraic hardness assumptions, and the development of quantum computing exposes such schemes to serious security problems. Fortunately, research on post-quantum cryptography has brought new hope to cryptology. As one important branch of it, lattice-based cryptography is widely considered to have the potential to resist quantum attacks, because no efficient algorithm has been found that breaks the lattice-based hardness assumptions. However, the computational complexity and space complexity of lattice-based cryptographic schemes have not yet been solved satisfactorily.

The first lattice-based group signature scheme was given in (Gordon et al. 2010) in 2010 and was improved to obtain stronger anonymity in (Camenisch et al. 2012); for a group of size N, the signatures generated by the schemes in (Gordon et al. 2010; Camenisch et al. 2012) have size polynomial in N. Subsequently, the signature size was lowered to O(log N) in (Laguillaumie et al. 2013; Nguyen et al. 2015; Ling et al. 2015) by different means. Then an efficient lattice-based static group signature scheme was presented in (Libert et al. 2016b) without using the GPV trapdoor (Gentry et al. 2008), where a Merkle tree is used as an accumulator to keep a record of the registered users and the group information. To further allow users to register and to be revoked dynamically, the schemes in (Langlois et al. 2014; Libert et al. 2016a) depend heavily on lattice trapdoors and contain some complex modules. By combining the static scheme in (Libert et al. 2016b) with the security model in (Bootle et al. 2016), it is possible to realize dynamic registration and revocation of users efficiently (Ling et al. 2017); that scheme includes an update algorithm for the accumulator, and both its security and its signature size were improved.

In this paper, the first full dynamic group signature scheme over a ring is presented, inspired by (Ling et al. 2017). It realizes fully dynamic registration and revocation of users, the dynamic construction of the Merkle hash tree that records the legitimate users with their witnesses and the group information, the reuse of leaves in this tree, and the honest generation of the keys of GM=(GM update, GM trace) by a trusted third party, which leads to a reduction in the security of the generated algorithm. In theory, the trusted third party needs to be completely trusted and hard to compromise; in practice, however, this is impossible. We can only use relatively trusted entities, such as a certificate authority (CA), to partially implement the functions of a trusted third party and avoid situations where the group manager and the trace manager generate their respective keys maliciously. Concretely, the scheme in this paper improves the efficiency of that in (Ling et al. 2017) in the following three aspects:

(1) To reduce the size of keys and signatures, the scheme is implemented over a ring, which also helps to reduce the space complexity and computational complexity of the scheme.

(2) The dynamic construction and update of the Merkle hash tree lets its size grow gradually with the size of the group, which reduces both the computational complexity of updating the group information and the space complexity of the scheme.

(3) The reuse of leaves in the Merkle hash tree is realized in this scheme, which indirectly reduces the space complexity of the scheme to a certain extent.

Although we have tried a lot, there is still much room for improvement in the use of the zero-knowledge protocol to prove legitimate membership. The problem of delayed verification of a signature is also not solved: the direct idea is for the group manager to store the signature and the verification information, or just the verification result of the signature, at each time τ, and for the verifier to request the corresponding information from it as needed. Unfortunately, this would increase the space complexity without bound as time goes on.

In the remainder of this paper, we start by reviewing some definitions and theorems used in the scheme, and the dynamic algorithm to construct the Merkle hash tree, in the “Preliminaries” section. Then the detailed full dynamic group signature scheme is presented in “The efficient full dynamic group signature scheme” section. To analyse the security properties of the scheme, we present the underlying zero-knowledge protocol and its security analysis in “The underlying protocol” section. Finally, we discuss the properties of the scheme in “The analysis of the group signature scheme” section, and conclude in the “Conclusion” section.

Preliminaries

The background of lattice

In this section, we review some notations, definitions and theorems used for analysing our main results. Throughout this paper, fix the security parameter λ, an integer n=O(λ), a prime modulus \(q=\tilde {O}\left (n^{1.5}\right)\), \(k=\lceil \log q\rceil\), \(m=2k\), and \(\mathbf{R}=\mathbf{Z}[x]/f(x)\) with \(f(x)=x^{n}+1\), \(\mathbf{R}_{q}=\mathbf{R}/q\mathbf{R}\). Given vectors \(\mathbf{x}=(x_{1},\cdots,x_{m})\), \(\mathbf{z}=(z_{1},\cdots,z_{m})\) and an integer t, \(\|\mathbf {x}\|_{t}=\left (\sum \nolimits _{i=1}^{m} \|x_{i}\|^{t}\right)^{\frac {1}{t}}\) denotes the t-norm of x, and (x|z) is the concatenation of the two vectors.

Definition 1

(The ring-SVP and ring-SIVP) (Lyubashevsky et al. 2013) Given the ring R and γ≥1, the ring-SVPγ problem is: given an ideal lattice \(\mathcal {I}\) over R, find a non-zero short vector \(\mathbf {x}\in \mathcal {I}\) such that \(\|\mathbf {x}\|_{\infty }\leq \gamma \cdot \lambda _{1}(\mathcal {I})\). The ring-SIVPγ problem is defined similarly: find n linearly independent elements \((\mathbf{x}_{1},\cdots,\mathbf{x}_{n})\) in \(\mathcal {I}\) such that \(\|(\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\|_{\infty }\leq \gamma \cdot \lambda _{n}(\mathcal {I})\).

Definition 2

(The ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) problem) (Ling et al. 2015; Peikert 2016) Choose m elements \(a_{j}\overset {\$}{\leftarrow }\mathbf {R}_{q}\) uniformly and let \(\mathbf {A}=(a_{1},\cdots,a_{m})\in \mathbf {R}_{q}^{m}\); given a positive real number β=poly(n), find a non-zero short vector \(\mathbf {z}=(z_{1},\cdots,z_{m})\in \mathbf {R}^{m}_{q}\) with \(\|\mathbf {z}\|_{\infty }\leq \beta \) such that

$$ f_{\mathbf{A}}(\mathbf{z})=\langle \mathbf{A},\mathbf{z}\rangle=\mathbf{A}^{\top}\cdot \mathbf{z}=\sum\limits_{j} a_{j}\cdot z_{j}=0\in\mathbf{R}_{q} $$

Numerous studies (Lyubashevsky and Micciancio 2006; Lyubashevsky 2008; 2012; Peikert and Rosen 2006; 2007) have shown that if f(x) is an irreducible polynomial with integer coefficients and \(m>\frac {\log q}{\log (2\beta)}\), \(\gamma =16mn\log ^{2} n\), \(q\geq \frac {\gamma \sqrt {n}}{4\log n}\), then the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) is at least as hard as the problem ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).

Definition 3

(The ring-LWE distribution) (Peikert 2016) For a secret element \(s\in \mathbf {R}_{q}\) and a noise distribution \(\mathcal {X}\) over Rq with bound β, choose \(a\overset {\$}{\leftarrow }\mathbf {R}_{q}\) uniformly and \(e\overset {\$}{\leftarrow }\mathcal {X}\); then \(A_{s,\mathcal {X}}=(a,b=s\cdot a+e\mod q)\) is called the ring-LWE distribution over Rq×Rq.

Definition 4

(The decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem) (Lyubashevsky et al. 2010; Peikert 2016) Let n,m≥1 and q≥2. Given m samples (aj,bj)∈Rq×Rq drawn from one of two distributions, \(A_{s,\mathcal {X}}\) or the uniform distribution over Rq×Rq, the decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is to distinguish which of the two the samples come from.

Theorem 1

(Lyubashevsky et al. 2010) Let \(q=1\mod 2n\), \(\beta \geq \omega \left (\sqrt {n\log n}\right)\), \(\gamma =n^{2}\left (\frac {q}{\beta }\right)\left (\frac {nm}{\log (nm)}\right)^{1/4}\). Then there is an error distribution \(\mathcal {X}\) with bound β such that the problem ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is at least as hard as the problem ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).

The Merkle hash tree and its dynamic construction

The construction of the Merkle tree used in the group signature scheme is based on collision-resistant hash functions. For an arbitrary positive integer t, let \(\mathbf{G}=(1,2,4,\cdots,2^{k-1})\) and let bin(t) be the binary representation of t, so that \(t=\mathbf{G}\cdot \mathbf{bin}(t)\). Let \(\mathcal {H}=\left \{h_{\mathbf {A}}|\mathbf {A}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{m}\right \}\), \(h_{\mathbf {A}}:\{0,1\}^{k}\times \{0,1\}^{k}\rightarrow \{0,1\}^{k}\), be a family of collision-resistant hash functions based on the ring-\(\mathbf{SIS}_{n,m,q,\beta}\) problem, where \(\mathbf {A}=[\mathbf {A}_{0}|\mathbf {A}_{1}]\in \mathbf {R}_{q}^{m}\), \(\mathbf {A}_{0},\mathbf {A}_{1}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{k}\); for arbitrary \((\mathbf{u}_{0},\mathbf{u}_{1})\in\{0,1\}^{k}\times\{0,1\}^{k}\) we have

$$ h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{bin}(\mathbf{A}_{0}\cdot\mathbf{u}_{0}+\mathbf{A}_{1}\cdot\mathbf{u}_{1}\mod q)\in\{0,1\}^{k} $$

so the following equivalence holds:

$$ h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{u} \Leftrightarrow \mathbf{A}_{0}\cdot \mathbf{u}_{0}+\mathbf{A}_{1}\cdot \mathbf{u}_{1}=\mathbf{G}\cdot \mathbf{u} \mod q $$

Let \(\mathcal {H}=\{h_{\mathbf {A}}|\mathbf {A}\in \mathbf {R}_{q}^{m}\}\). We now give a specific description of the dynamic algorithm TDA(t,d) that constructs and updates the Merkle tree used in this paper to record the registered users and part of the group information:

TSetup: Initialize the Merkle tree as an empty tree of depth 1 with root u. Let t denote the number of legal members in the group.

TJoin: Search all leaves for the first non-zero leaf and let its index be \(i_{t}\). If there is no such leaf, attach an empty tree of depth \(j=\lceil \log t\rceil\) to the original one: take its root \(\mathbf{u}_{t,1}\) and the root \(\mathbf{u}_{t,0}\) of the original tree as the two inputs of the hash function and compute the new root \(\mathbf{u}=h_{\mathbf{A}}(\mathbf{u}_{t,0},\mathbf{u}_{t,1})\) of the new Merkle tree. In other words, the original tree and the empty tree are the two children of the new Merkle tree, which has depth j+1, and for any \(i\in[2^{j+1}]\) we have \(|\mathbf{bin}(i)|=j+1\).

TUpdate: Let \(\mathbf{u}_{j+1}=\mathbf{d}\) denote the value of the leaf corresponding to the i-th user, \(\mathbf{bin}(i)=(i_{1},\cdots,i_{j+1})\) the binary representation of the integer i, and \(\mathbf{w}=(\mathbf{bin}(i),(\mathbf{w}_{j+1},\cdots,\mathbf{w}_{1}))\) its witness. Update the values of the nodes \(\mathbf{u}_{j},\cdots,\mathbf{u}_{0}\) recursively along the path from the leaf \(\mathbf{u}_{j+1}\) to the root u, then output the witness w and the new root \(\mathbf{u}_{new}\), where \(\mathbf{w}_{j+1},\cdots,\mathbf{w}_{1}\) and \(\mathbf{u}_{j},\cdots,\mathbf{u}_{0}\) satisfy the following relation

$$ \forall l\in\{j,\cdots,1,0\},\quad \mathbf{u}_{l}=\left\{ \begin{array}{ll} h_{\mathbf{A}}(\mathbf{u}_{l+1},\mathbf{w}_{l+1}), & \text{if } i_{l+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{l+1},\mathbf{u}_{l+1}), & \text{if } i_{l+1}=1 \end{array}\right. $$

Let unew=u0 be the new root of the Merkle tree.

Given t, the computational complexity of the algorithm TUpdate(t,d) is O(log t), and it satisfies the following property.

Theorem 2

Suppose that ring-\(\mathbf {SIS}^{\infty }_{m,q,\beta }\) is hard and let \(R=\{\mathbf{d}_{0},\cdots,\mathbf{d}_{t}\}\) be the set of leaves belonging to users who have been registered. Then the algorithm TDA(t,d) is secure: for a negligible function negl(λ) and any PPT adversary \(\mathcal {A}\), the following inequality holds

$$ \Pr[(\mathbf{d}^{*},\mathbf{w}^{*})\leftarrow \mathcal{A}(R,t):\mathbf{d}^{*}\notin R,\mathbf{u}=\mathbf{u}_{0}]\leq negl(\lambda) $$
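The following Python model is an added illustration of TSetup, TJoin and TUpdate of TDA(t,d) together with the path check of the witness; it is not code from the paper. It instantiates \(h_{\mathbf{A}}\) with n=1, so \(\mathbf{A}_{0},\mathbf{A}_{1}\) are vectors of k integers mod q, \(\mathbf{A}_{0}\cdot\mathbf{u}_{0}+\mathbf{A}_{1}\cdot\mathbf{u}_{1}\) is a scalar and bin(·) is its k-bit representation with \(\mathbf{G}=(1,2,\cdots,2^{k-1})\); q=97 and the user keys are constructed sample values, so nothing here carries the ring-SIS security of the real hash. Following the Revoke description of the scheme, a free leaf is one holding \(0^{k}\), and a revoked slot is reused by the next join.

```python
import random

# Constructed toy parameters (not the paper's): n = 1, so A0 and A1 are vectors of k
# integers mod q and A0·u0 + A1·u1 is a scalar in Z_q. bin(.) is its k-bit
# little-endian representation, so G·bin(x) = x for G = (1, 2, 4, ..., 2^(k-1)).
Q = 97
K = Q.bit_length()          # k = ceil(log q) = 7
ZERO_LEAF = (0,) * K        # 0^k marks a free slot (never registered, or revoked)


def bin_k(x, k=K):
    """bin(x) as a tuple of k bits, least significant first."""
    return tuple((x >> i) & 1 for i in range(k))


def keygen_hash(rng):
    """A = [A0 | A1], both sampled uniformly from Z_q^k (toy stand-in for R_q^m)."""
    return ([rng.randrange(Q) for _ in range(K)], [rng.randrange(Q) for _ in range(K)])


def h_A(A, u0, u1):
    """h_A(u0, u1) = bin(A0·u0 + A1·u1 mod q)."""
    A0, A1 = A
    return bin_k((sum(a * b for a, b in zip(A0, u0)) + sum(a * b for a, b in zip(A1, u1))) % Q)


class DynamicMerkleTree:
    """TDA(t, d) in toy form: TSetup, TJoin (grow only when full) and TUpdate."""

    def __init__(self, A):
        self.A = A
        self.depth = 1                          # TSetup: empty tree of depth 1 (two leaves)
        self.leaves = [ZERO_LEAF, ZERO_LEAF]

    def _levels(self):
        """levels[0] = leaves, levels[-1] = [root]; each node is h_A of its two children."""
        levels = [list(self.leaves)]
        while len(levels[-1]) > 1:
            prev = levels[-1]
            levels.append([h_A(self.A, prev[2 * i], prev[2 * i + 1]) for i in range(len(prev) // 2)])
        return levels

    def root(self):
        return self._levels()[-1][0]

    def update(self, i, d):
        """TUpdate: set leaf i to d, recompute the path to the root and return
        (witness, new root), where witness = (bin(i) root-to-leaf, siblings leaf-to-root)."""
        self.leaves[i] = d
        levels = self._levels()
        siblings, idx = [], i
        for level in levels[:-1]:
            siblings.append(level[idx ^ 1])     # sibling of the current node on the path
            idx >>= 1
        bits = [(i >> (self.depth - 1 - l)) & 1 for l in range(self.depth)]
        return (bits, siblings), levels[-1][0]

    def witness(self, i):
        """Current witness of leaf i (re-derived: other updates change the siblings)."""
        return self.update(i, self.leaves[i])[0]

    def join(self, d):
        """TJoin: take the first free leaf; if the tree is full, glue an empty tree of the
        same depth to its right (new root = h_A(old root, empty root)) and retry."""
        if ZERO_LEAF not in self.leaves:
            self.leaves = self.leaves + [ZERO_LEAF] * len(self.leaves)
            self.depth += 1
        i = self.leaves.index(ZERO_LEAF)
        return i, self.update(i, d)

    def revoke(self, i):
        """Revoke: overwrite leaf i with 0^k; the slot is reused by a later TJoin."""
        return self.update(i, ZERO_LEAF)


def verify_witness(A, root, d, witness):
    """Path relation: u_l = h_A(u_{l+1}, w_{l+1}) if i_{l+1} = 0, else h_A(w_{l+1}, u_{l+1})."""
    bits, siblings = witness
    node = d
    for bit, w in zip(reversed(bits), siblings):    # leaf level first: i_{j+1} pairs with w_{j+1}
        node = h_A(A, node, w) if bit == 0 else h_A(A, w, node)
    return node == root


def run_example(seed=7):
    rng = random.Random(seed)
    A = keygen_hash(rng)
    tree = DynamicMerkleTree(A)
    upks = [bin_k(rng.randrange(1, Q)) for _ in range(4)]   # constructed non-zero user keys
    joined = [tree.join(u)[0] for u in upks[:3]]            # third join forces growth: depth 1 -> 2
    root = tree.root()
    all_valid = all(verify_witness(A, root, tree.leaves[i], tree.witness(i)) for i in joined)
    tree.revoke(joined[1])
    reused, (w_new, root_new) = tree.join(upks[3])           # the revoked slot is reused
    new_valid = verify_witness(A, root_new, upks[3], w_new)
    tree.revoke(joined[2])
    # A path check alone says nothing about membership: the 0^k leaf of a revoked user
    # still verifies, which is why Sign must additionally prove upk_i != 0^k.
    zero_leaf_verifies = verify_witness(A, tree.root(), ZERO_LEAF, tree.witness(joined[2]))
    return {"indices": joined, "depth": tree.depth, "leaves": len(tree.leaves),
            "all_valid": all_valid, "reused": reused, "new_valid": new_valid,
            "zero_leaf_verifies": zero_leaf_verifies}
```

The tree starts with two leaves, grows to four on the third join, and hands the slot freed by a revocation to the next registrant; the last check shows why the witness relation must be combined with the non-zero-leaf condition of the signing proof.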

The full dynamic group signature scheme and its security

Generally, there are four participants in a group signature scheme. The trusted third party (TTP) generates the public parameters and the public-private keys of the group manager and the trace manager. The group manager GM update is responsible for updating the group information and for the registration and revocation of users. The trace manager GM trace is responsible for tracing the identity of the signer of a given signature when there is a dispute. The users usually appear as signers, who sign messages, or as verifiers, who verify signatures. Here we make some changes to the full dynamic group signature scheme in (Ling et al. 2017), and the revised definition is as follows:

GKeyGen(λ)→(pp,(mpk,msk),(opk,osk)): On input the security parameter λ, this algorithm outputs the public parameter pp and the group public key gpk=(pp,mpk,opk), and distributes the group secret key msk to GM update and the tracing secret key osk to GM trace. It initializes the registration list reg and the group information info, which we assume can only be edited by a party knowing msk.

UKeyGen(pp)→(upk,usk): Given the public parameter pp, this algorithm outputs a user’s key pair (upk,usk).

〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: This algorithm is an interactive protocol between a user and the group manager GM update. Assume that the newly registered user is the t-th member of the group. If the protocol succeeds, the user becomes a legitimate member of the group, and the Join algorithm sets its signing secret key \(gsk=(\mathbf{bin}(t),\mathbf{upk}_{t},\mathbf{usk}_{t})\). In the Issue algorithm, GM update runs \(TDA(t,\mathbf{upk}_{t})\) to update the Merkle hash tree, the group information \(\mathbf{info}_{\tau}\), and the registered user list reg.

\(\mathbf {Revoke}({gpk},S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, for any \(i\in S\) the group manager GM update runs \(TUpdate(\mathbf{bin}(i),0^{k})\) to update the Merkle hash tree, the registered user list reg and the group information \(\mathbf {info}_{\tau _{new}}\).

\(\mathbf{Sign}(gpk,gsk_{i},\mathbf{info}_{\tau},M)\rightarrow\Sigma\): On input the group public key gpk and the group information \(\mathbf{info}_{\tau}\), this algorithm outputs a signature Σ on a message M by the user corresponding to the i-th leaf at time τ, or the error symbol ⊥ if the user is illicit at τ, i.e. has not been registered or has been revoked at τ.

\(\mathbf{Verify}(gpk,\Pi_{sign},\mathbf{info}_{\tau},M)\rightarrow 0/1\): Verify the signature Σ and output 1 if it is valid, otherwise output 0.

\(\mathbf{Trace}(gpk,osk,M,\Sigma,\mathbf{reg},\mathbf{info}_{\tau})\rightarrow(\mathbf{b},\Pi_{trace})\): This algorithm is run by the trace manager GM trace. If the signature Σ is valid, it outputs the public key b of the signer who signed the message M at τ together with a proof of this fact; otherwise it outputs ⊥.

\(\mathbf{Judge}(gpk,\mathbf{b},M,\Pi_{trace},\Sigma,\mathbf{info}_{\tau})\rightarrow 0/1\): Verify the proof \(\Pi_{trace}\) generated by the trace manager GM trace, and output 1 if it is valid, otherwise output 0.

To verify whether the signer is legitimate, i.e. whether the signer has registered and has not been revoked when signing a message M at τ, the group manager checks whether the value of the leaf corresponding to this signer is non-zero. To avoid leaking any information about the signer’s identity, we use the extension-permutation technique to hide it. Suppose that the binary representation of the value of the leaf corresponding to the signer is \(\mathbf{bin}(\mathbf{d}_{i})=(d_{i1},d_{i2},\cdots,d_{ik})\), \(i\in[t]\); choose a vector \(\mathbf {a}\overset {\$}{\leftarrow }\{0,1\}^{k-1}\) uniformly such that the Hamming weight of \(\mathbf {d}^{\prime }_{i}=(\mathbf {bin}(\mathbf {d}_{i})|\mathbf {a})\in \{0,1\}^{2k-1}\) is k. Let \(\mathcal {S}_{2k-1}=\{\pi _{2k-1}\mid \pi _{2k-1}\ \text{is a random permutation of the elements of}\ \{0,1\}^{2k-1}\}\) and \(\pi _{2k-1}\in \mathcal {S}_{2k-1}\); then we have

$$ \text{the Hamming weight of } \pi_{2k-1}\left(\mathbf{d}^{\prime}_{i}\right) \text{ is } k \Leftrightarrow \mathbf{d}_{i}\not=0 $$
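The extension-permutation step above, as an added worked example rather than code from the paper: the prover pads \(\mathbf{bin}(\mathbf{d}_{i})\) with k−1 bits so the result has weight exactly k, and the verifier only ever sees a random permutation of that padded vector. The bit width k=7 and the leaf values are constructed for illustration. The example also handles the failure case the equivalence relies on: a zero leaf cannot be padded to weight k, because that would need k ones from only k−1 padding positions.

```python
import random

K = 7   # k = ceil(log q) bits per leaf value; constructed for illustration


def bin_k(x, k=K):
    """bin(x) as a tuple of k bits, least significant first."""
    return tuple((x >> i) & 1 for i in range(k))


def extend(d_bits, rng):
    """Choose a in {0,1}^(k-1) so that d' = (bin(d) | a) has Hamming weight exactly k.
    bin(d) contributes w ones, so a must supply k - w ones from k - 1 positions:
    possible iff w >= 1, i.e. d != 0. Returns None when d = 0^k."""
    k = len(d_bits)
    need = k - sum(d_bits)
    if need > k - 1:
        return None
    ones = set(rng.sample(range(k - 1), need))
    a = tuple(1 if p in ones else 0 for p in range(k - 1))
    return tuple(d_bits) + a


def permute(vec, rng):
    """Apply a uniformly random permutation in S_{2k-1}: the weight is invariant, positions are not."""
    perm = list(range(len(vec)))
    rng.shuffle(perm)
    return tuple(vec[p] for p in perm)


def leaf_is_nonzero(permuted, k=K):
    """Verifier side: weight(pi(d')) == k  <=>  d != 0, without seeing bin(d) itself."""
    return sum(permuted) == k


def run_example(seed=3):
    rng = random.Random(seed)
    results = {}
    for d in (0, 1, 42, 96):                 # constructed leaf values; 0 is the revoked/empty case
        ext = extend(bin_k(d), rng)
        results[d] = None if ext is None else leaf_is_nonzero(permute(ext, rng))
    # Padding never hides a zero leaf: an all-zero d' has weight 0 under every permutation.
    zero_weight = sum(permute(bin_k(0) + (0,) * (K - 1), rng))
    return results, zero_weight
```

For the three non-zero leaves the permuted vector has weight k and the check passes; for d=0 `extend` returns `None`, which is exactly the direction of the equivalence that lets the verifier reject a revoked or unregistered signer.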

Moreover, the full dynamic group signature scheme needs to satisfy the following properties: correctness, anonymity, non-frameability, traceability, and tracing soundness.

Correctness: If the signer signs a message honestly, the algorithm Verify always outputs 1, the trace manager GM trace can trace the identity of the signer with the algorithm Trace, and it generates a proof \(\Pi_{trace}\) that is accepted by the algorithm Judge.

Anonymity: For any PPT adversary \(\mathcal {A}\), it is impossible to distinguish signatures generated by two legitimate users with non-negligible probability, even though the adversary \(\mathcal {A}\) may learn the secret key msk of GM update, corrupt some of the users, and is given access to the oracle Trace.

Non-frameability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to a legitimate user is negligible, even though the adversary \(\mathcal {A}\) may learn the secret keys of GM update and GM trace and corrupt some of the users.

Traceability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to an illicit user is negligible, even though the adversary \(\mathcal {A}\) may learn the secret key of GM trace and corrupt some of the users.

Tracing soundness: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to two different users is negligible, even though the adversary \(\mathcal {A}\) may learn the secret keys of GM update and GM trace and corrupt some of the users.

The efficient full dynamic group signature scheme

By using the dynamic algorithm that constructs the Merkle hash tree and the formal definition of the full dynamic group signature scheme, the concrete construction of the scheme in this paper is as follows:

GKeyGen(λ): Given the security parameter λ, this algorithm is run by a trusted third party. Let t>0 denote the number of registered users, \(l=\lceil \log t\rceil\), n=O(λ), the prime modulus \(q=\tilde {O}(n^{1.5})\), \(k=\lceil \log q\rceil\), m=2k, a real number β>0, \(\mathcal {X}\) the noise distribution bounded by β in R, and \(k'=\omega(\log \lambda)\). \(H:\{0,1\}^{*}\rightarrow \{0,1\}^{k'}\) is a hash function for the FS transformation, and \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbf {Z}_{q}^{n}\) is a string commitment scheme that is statistically hiding and computationally binding (Kawachi et al. 2008). Choose \(\mathbf {A}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{m}\) uniformly; for each j∈{1,2}, the TTP chooses \(\mathbf {S}_{j}\overset {\$}{\leftarrow }\mathcal {X}^{k}\), \(E_{j}\overset {\$}{\leftarrow }\mathcal {X}\), \(\mathbf {B}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{k}\), \(\mathbf {msk}\overset {\$}{\leftarrow }\mathbf {R}^{m}\) uniformly, and computes the public keys \(P_{j}=\mathbf {S}_{j}^{\top }\mathbf {B}+E_{j}\in \mathbf {R}_{q}\) and \(\mathbf {mpk}=\mathbf {A}\times \mathbf {msk}\). Output the public parameter \(pp=(\lambda,n,q,k,m,\beta,\mathcal {X},k',H,Com,\mathbf {A})\), the tracing public key \(opk=(\mathbf{B},P_{1},P_{2})\) and the group public key gpk=(pp,mpk,opk), and distribute the tracing secret key \(osk=(\mathbf{S}_{1},E_{1})\) to GM trace and the group secret key msk to GM update. Initialize the registration list reg and the group information info, which we assume can only be edited by a party knowing msk.

UKeyGen(pp): The user chooses \(\mathbf {usk}\overset {\$}{\leftarrow }\mathbf {R}^{m}\) uniformly as its secret key and computes the corresponding public key \(\mathbf{upk}=\mathbf{bin}(\mathbf{A}\cdot\mathbf{usk}\bmod q)\in\{0,1\}^{k}\).

〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: Assume that the newly registered user is the t-th member of the group. The user runs Join and sends its public key upk to the group manager GM update; if the manager approves the user’s application, the Issue algorithm searches for the first non-zero leaf and denotes its index by \(t'\). Let \(\mathbf {upk}_{t^{\prime }}=\mathbf {upk}\) and \(\mathbf {reg}_{t^{\prime }}=\mathbf {reg}_{t^{\prime }}[\mathbf {upk}_{t^{\prime }}][\tau ]\), where τ is the time at which the user registered; Issue includes \(\mathbf {reg}_{t'}\) in the registration list \(\mathbf {reg}:=(\mathbf {reg}_{1}[\mathbf {upk}_{1}][\tau ],\cdots,\mathbf {reg}_{t^{\prime }}[\mathbf {upk}_{t^{\prime }}][\tau ],\cdots, \mathbf {reg}_{t}[\mathbf {upk}_{t}][\tau ])\). Then GM update runs \(TDA(\mathbf {bin}(t^{\prime }),\mathbf {upk}_{t^{\prime }})\) to update the Merkle tree, outputs the group information \(\mathbf {info}_{\tau }=(\mathbf {u},\{\mathbf {w}_{j}\}_{i_{j}})\), where u is the root and \(\{\mathbf {w}_{j}\}_{i_{j}}\) are the witnesses of all legal users, and updates the counter of registered users t=t+1. Let \(\mathbf {usk}_{t'}=\mathbf {usk}\); the user sets \({gsk}_{t'}=(\mathbf {bin}(t'),\mathbf {upk}_{t'},\mathbf {usk}_{t'})\) as its signing secret key.

\(\mathbf{Revoke}(gpk,S,\mathbf{msk},\mathbf{reg},\mathbf{info}_{\tau})\): Given the revocation list S, the set of public keys of the group members to be revoked, if \(S=\left \{\mathbf {upk}_{i_{1}},\cdots,\mathbf {upk}_{i_{r}}\right \}\) is not empty, with \(i_{j}\in[t]\), \(j\in[r]\), then for every \(j\in [r]\) with \(\mathbf {upk}_{i_{j}}\in S\), GM update runs the algorithm TUpdate of \(TDA(\mathbf{bin}(i_{j}),0^{k})\) to update the Merkle hash tree, then updates the registration list reg: it changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}}\left [0^{k}\right ][\tau _{new}]\) if \(\mathbf {upk}_{i_{j}}\in S\), and otherwise changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}} [\mathbf {upk}_{i_{j}}][\tau _{new}]\). It outputs the new group information \(\mathbf {info}_{\tau _{new}}=(\mathbf {u}_{new},\{\mathbf {w}_{j}\}_{i_{j}})\), consisting of the new root \(\mathbf{u}_{new}\) and the witnesses \(\{\mathbf {w}_{j}\}_{i_{j}}\) of \(\mathbf {upk}_{i_{j}}\), and updates the counter of legitimate users t=t−r. Thus the leaves with value \(0^{k}\) in the Merkle tree correspond to potential users who have not been registered or who have been revoked.

\(\mathbf{Sign}(gpk,gsk_{i},\mathbf{info}_{\tau},M)\): To sign a message M at τ using the group information \(\mathbf{info}_{\tau}\), the user corresponding to the i-th leaf first checks whether \(\mathbf{info}_{\tau}\) contains a witness for bin(i); if not, it returns ⊥. Otherwise, the user obtains \((\mathbf{bin}(i),(\mathbf{w}_{l},\cdots,\mathbf{w}_{1}))\) from \(\mathbf{info}_{\tau}\) and proceeds as follows. For each j∈{1,2}, with a random string \(\mathbf {r}_{j}\overset {\$}{\leftarrow }\{0,1\}^{k}\), the user encrypts the vector \(\mathbf{upk}_{i}\) using the double-encryption paradigm (Naor and Yung 1990) and the RLWE-based encryption scheme (Regev 2009; Lyubashevsky et al. 2013) to obtain the ciphertext

$$ \mathbf{c}_{j}=(c_{j,1},\mathbf{c}_{j,2})=\left(\mathbf{B}\cdot \mathbf{r}_{j}\bmod q,\; P_{j}\cdot \mathbf{r}_{j}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i}\bmod q\right)\in\mathbf{R}_{q}\times\mathbf{R}_{q}^{k} $$

Then the user generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) \(\Pi_{sign}\) for the following:

(1) It holds a legitimate witness \(\zeta=(\mathbf{usk}_{i},\mathbf{upk}_{i},\mathbf{bin}(i),\mathbf{w}_{l},\cdots,\mathbf{w}_{1},\mathbf{r}_{1},\mathbf{r}_{2})\) showing that the signer is a legitimate member of the group, i.e. \(\mathbf{upk}_{i}\not=0^{k}\), and that the values of the nodes on the path from the leaf corresponding to the user to the root are all correct.

(2) \((\mathbf{usk}_{i},\mathbf{upk}_{i})\) is a valid public-private key pair.

(3) \((\mathbf{c}_{1},\mathbf{c}_{2})\) are two legitimate ciphertexts of \(\mathbf{upk}_{i}\).

Finally, the signer outputs the signature \(\Sigma=((\mathbf{c}_{1},\mathbf{c}_{2}),\Pi_{sign})\). The NIZK argument of knowledge above is obtained from Stern’s three-round interactive protocol (Song 2001) by the FS transformation, i.e. the Stern protocol is run \(k'\) times sequentially to obtain a negligible soundness error, and the transcript is \(\Pi _{sign}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), where

$$ {}CH\,=\,H\left(M,\{CMT_{j}\}_{j=1}^{k^{\prime}},\mathbf{A},\mathbf{u}_{\tau},\mathbf{B},P_{1},P_{2},\mathbf{c}_{1}, \mathbf{c}_{2}\right)\!\in\{1,2,3\}^{k^{\prime}} $$

\(\mathbf{Verify}(gpk,\Pi_{sign},\mathbf{info}_{\tau},M)\): The verifier obtains the root \(\mathbf{u}_{\tau}\) of the Merkle hash tree at τ from the group information \(\mathbf{info}_{\tau}\) and checks whether the recomputed challenge CH matches; it outputs 0 if not, and otherwise verifies the response \(RSP_{j}\) corresponding to \(CMT_{j}\) and \(CH_{j}\) for each \(j\in[k']\), outputting 1 if everything is correct and 0 otherwise.

\(\mathbf{Trace}(gpk,osk,M,\Sigma,\mathbf{reg},\mathbf{info}_{\tau})\): The trace manager GM trace uses its tracing secret key osk to decrypt the ciphertext \(\mathbf{c}_{1}=(c_{1,1},\mathbf{c}_{1,2})\) and computes \(\mathbf {b}^{\prime }=\left \lfloor \frac {(\mathbf {c}_{1,2}-S_{1}^{\top }\cdot c_{1,1})}{q/2}\right \rceil \in \{0,1\}^{k}\). If there is no witness for \(\mathbf{b}'\) in \(\mathbf{info}_{\tau}\), or \(\mathbf{b}'=0^{k}\), it outputs ⊥. Otherwise GM trace generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) \(\Pi_{trace}\) for the fact that the user corresponding to \(\mathbf{b}'\) really generated the signature Σ on the message M at τ. In other words, the trace manager GM trace proves that it holds \(\mathbf {S}_{1}\in \mathbf {R}_{q}^{k}, E_{1}\in \mathbf {R}_{q}, \mathbf {y}\in \mathbf {R}_{q}^{k}\) such that

$$\begin{aligned} \|\mathbf{S}_{1}\|_{\infty}\leq\beta,|E_{1}|\leq\beta,\|\mathbf{y}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1}^{\top}\cdot \mathbf{B}+E_{1}=P_{1}\mod q \\ \mathbf{c}_{1,2}-\mathbf{S}_{1}^{\top}\cdot c_{1,1}=\mathbf{y}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{b}^{\prime}\mod q \end{aligned} $$
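The encryption performed in Sign and the decryption-by-rounding performed in Trace, as an added worked example that is not the paper's code. It collapses the paper's vector shapes (\(\mathbf{B}\in\mathbf{R}_{q}^{k}\), \(\mathbf{r}\in\{0,1\}^{k}\)) to single ring elements: B, P, S, E and r are polynomials in \(\mathbf{Z}_{q}[x]/(x^{n}+1)\) with r binary, the k bits of upk sit in the low-degree coefficients, and the noise distribution \(\mathcal{X}\) is modelled as uniform on [−β,β]. The parameters n=16, q=12289, β=3, k=14 are constructed for readability and carry no security claim. The decryption noise \(\mathbf{y}=E\cdot\mathbf{r}\) is returned so that it can be compared with the bound \(\lceil q/5\rceil\) that the Trace relation imposes on y.

```python
import random

# Constructed toy parameters (not the paper's): R_q = Z_q[x]/(x^n + 1) with small n so the
# arithmetic stays readable. Decryption is correct whenever the noise satisfies n*beta < q/4.
N = 16          # ring degree n
Q = 12289       # odd prime modulus q
BETA = 3        # bound beta of the noise distribution X (uniform on [-beta, beta] here)
K = 14          # k = ceil(log q): upk is a k-bit string, stored in the low-degree coefficients


def poly_mul(a, b):
    """Negacyclic product a*b in Z_q[x]/(x^n + 1): x^n wraps to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]


def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def trace_keygen(rng):
    """One tracing key pair as in GKeyGen: B uniform, S and E small, P = S*B + E."""
    B = [rng.randrange(Q) for _ in range(N)]
    S = [rng.randint(-BETA, BETA) for _ in range(N)]
    E = [rng.randint(-BETA, BETA) for _ in range(N)]
    return (B, poly_add(poly_mul(S, B), E)), (S, E)


def encrypt(pk, upk_bits, rng):
    """Sign side: c = (c1, c2) = (B*r mod q, P*r + floor(q/2)*upk mod q) with r in {0,1}^n."""
    B, P = pk
    r = [rng.randrange(2) for _ in range(N)]
    msg = [(Q // 2) * bit for bit in upk_bits] + [0] * (N - len(upk_bits))
    return (poly_mul(B, r), poly_add(poly_mul(P, r), msg))


def decrypt(sk, ct):
    """Trace side: c2 - S*c1 = E*r + floor(q/2)*upk, so rounding each coefficient to the nearest
    multiple of q/2 recovers upk. Also returns y = E*r, the noise the Trace proof bounds."""
    S, _ = sk
    c1, c2 = ct
    diff = poly_sub(c2, poly_mul(S, c1))
    bits, noise = [], []
    for coeff in diff[:K]:
        bit = 1 if abs(centered(coeff)) > Q // 4 else 0     # nearer to q/2 than to 0
        bits.append(bit)
        noise.append(centered(coeff - bit * (Q // 2)))
    return bits, noise


def run_example(seed=2024):
    rng = random.Random(seed)
    pk1, sk1 = trace_keygen(rng)
    pk2, sk2 = trace_keygen(rng)                   # second key pair of the double-encryption paradigm
    upk = [rng.randrange(2) for _ in range(K)]     # constructed user public key bits
    c1 = encrypt(pk1, upk, rng)
    c2 = encrypt(pk2, upk, rng)                     # same upk under P2; Trace itself only needs (S1, E1)
    recovered, noise = decrypt(sk1, c1)
    recovered_2, _ = decrypt(sk2, c2)
    return {
        "upk": upk, "recovered": recovered, "recovered_2": recovered_2,
        "max_noise": max(abs(y) for y in noise),
        "noise_bound": N * BETA,                    # |coeff of E*r| <= n*beta because r is binary
        "proof_bound": -(-Q // 5),                  # ceil(q/5), the bound on ||y|| in the Trace relation
    }
```

Because r is binary and every coefficient of E lies in [−β,β], each coefficient of E·r is bounded by nβ, which is far below q/4, so the rounding in `decrypt` recovers every bit; the same bound places y comfortably inside the \(\lceil q/5\rceil\) range the tracer has to prove.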

Similarly, the NIZKAoK above is obtained from Stern’s three-round interactive protocol (Song 2001) by the FS transformation, i.e. GM trace runs the Stern protocol \(k'\) times sequentially to obtain a negligible soundness error, and the transcript is \(\Pi _{trace}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH, \{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), where

$$ CH=H(M,\{CMT_{j}\}_{j=1}^{k^{\prime}},gpk,\Sigma,\mathbf{info}_{\tau},\mathbf{b}^{\prime})\in\{1,2,3\}^{k^{\prime}} $$

Finally, this algorithm outputs \((\mathbf{b}',\Pi_{trace})\).

\(\mathbf{Judge}(gpk,\mathbf{b}',M,\Pi_{trace},\Sigma,\mathbf{info}_{\tau})\): Verify the proof \(\Pi_{trace}\) and output 1 if it is valid, otherwise output 0.

In this scheme, the public parameters and the public-private key pairs are all generated by a trusted third party, which avoids the problem that illegitimate group managers generate their keys maliciously, but not the malpractices of legitimate group managers. One possible attack on this type of scenario that we can think of is that group members are added or removed according to a group manager’s personal preference or interests. To address this problem, we can consider assigning the group manager a trust value TV, a confidence threshold CT and a reduction coefficient RC, where TV is initialized to tv=1, 0<CT, and RC<1. The value of TV is reduced to \(TV_{s}=tv_{s}\cdot RC\) if the group manager has committed s malpractices, and the manager is revoked if \(TV_{s}<CT\).

Furthermore, it is not necessary to reserve a large storage space for a large empty tree before any signature is generated: we only need to extend or update the Merkle hash tree when a user registers or is revoked. Compared with the scheme in (Ling et al. 2017), our work realizes a truly dynamic group signature scheme, which saves considerable storage space, and there is no limit on the size of the group as long as the storage space allows. In addition, the fact that the scheme is implemented over a ring helps to reduce its computational complexity and space complexity.

Finally, a timestamp τ is attached to each member of the group: the group manager GM update updates the group information infoτ whenever a new user registers or a legitimate member is revoked, which means that a user cannot sign a message M before registration or after revocation. Given a group information infoτ, we can determine the timestamp τ uniquely, and vice versa. For any two timestamps τ1<τ2, the group information \(\mathbf {info}_{\tau _{1}}\) is published earlier than \(\mathbf {info}_{\tau _{2}}\).

The underlying protocol

The definition of the underlying protocol

Suppose that the number of legitimate members in the group is t≥1 at time τ. For any b∈{1,2}, i∈[t] and all j∈[l−1], the underlying zero-knowledge protocol is used to prove the following relation by utilizing Stern’s protocol (Song 2001):

$$ \left\{ \begin{array}{lcr} \mathbf{upk}_{i}\not=0 \\ \mathbf{u}_{j}=\left\{ \begin{array}{lcr} h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1}), & if\ i_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1}), & if\ i_{j+1}=1 \end{array} \ (\star) \right. \\ \mathbf{upk}_{i}=\mathbf{bin}(\mathbf{A}\cdot \mathbf{usk}_{i}) \\ \mathbf{c}_{b}=(c_{b,1},\mathbf{c}_{b,2})=\left(\mathbf{B}\cdot \mathbf{r}_{b},P_{b}\cdot \mathbf{r}_{b}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i}\right) \end{array} \right. $$
(1)

Given a bit b, a vector a, let \(\mathbf {ext}(b,\mathbf {a})=(\bar {b}\cdot \mathbf {a},b\cdot \mathbf {a})^{\top }, \mathbf {ext}_{2}(b)=(\bar {b},b)^{\top }\), then we have the following equivalence relationship:

$${\begin{aligned} (\star) & \Leftrightarrow \bar{i}_{j+1}\cdot h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1})+i_{j+1}\cdot h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1})=\mathbf{u}_{j} \\ & \Leftrightarrow \bar{i}_{j+1}(\mathbf{A}_{0}\mathbf{u}_{j+1}+\mathbf{A}_{1}\mathbf{w}_{j+1})+i_{j+1} (\mathbf{A}_{0}\mathbf{w}_{j+1}+\mathbf{A}_{1}\mathbf{u}_{j+1})=\mathbf{G}\cdot \mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \left(\begin{array}{cc}\bar{i}_{j+1}\cdot \mathbf{u}_{j+1} \\i_{j+1}\cdot \mathbf{u}_{j+1} \end{array}\right)+\mathbf{A}\cdot \left(\begin{array}{cc}i_{j+1}\cdot \mathbf{w}_{j+1} \\\bar{i}_{j+1}\cdot \mathbf{w}_{j+1} \end{array}\right)=\mathbf{G}\cdot \mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \mathbf{ext}(i_{j+1},\mathbf{u}_{j+1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{j+1},\mathbf{w}_{j+1})=\mathbf{G}\cdot \mathbf{u}_{j} \mod q \end{aligned}} $$

Then for any b∈{1,2}, i∈[t] with bin(i)=(i1,⋯,il), Eq. 1 is equivalent to the following system:

$$ {}\left\{ \begin{array}{lcr} \mathbf{A}\cdot \mathbf{ext}(i_{1},\mathbf{u}_{1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{1},\mathbf{w}_{1})-\mathbf{G}\cdot \mathbf{u}=0 \mod q \\ \mathbf{A}\cdot \mathbf{ext}(i_{2},\mathbf{u}_{2})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{2},\mathbf{w}_{2})-\mathbf{G}\cdot \mathbf{u}_{1}=0 \mod q \\ \hspace{2cm} \cdots \\ \mathbf{A}\cdot \mathbf{ext}(i_{l},\mathbf{upk}_{i})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{l},\mathbf{w}_{l})-\mathbf{G}\cdot \mathbf{u}_{l-1}=0 \mod q \\ \mathbf{A}\cdot \mathbf{usk}_{i}-\mathbf{G}\cdot \mathbf{upk}_{i}=0\mod q \\ c_{b,1}=\mathbf{B}\cdot \mathbf{r}_{b}\mod q \\ \mathbf{c}_{b,2}=P_{b}\cdot \mathbf{r}_{b}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i}\mod q \end{array} \right. $$

Let \(\mathbf {B}_{n}^{2n}\) be the set of binary strings of length 2n with Hamming weight n. To prove that the user’s public key satisfies upki≠0k, we pad upki with a string of length k−1 to obtain a new string \(\mathbf {upk}_{i}^{*}\) such that \(\mathbf {upk}_{i}^{*}\in \mathbf {B}_{k}^{2k-1}\); then for any permutation \(\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2k-1}\), we have

$$ \mathbf{upk}_{i}\not=0^{k}\Leftrightarrow \mathbf{upk}_{i}^{*}\in\mathbf{B}_{k}^{2k-1} \Leftrightarrow \pi_{\mathbf{upk}_{i}}\left(\mathbf{upk}_{i}^{*}\right)\in\mathbf{B}_{k}^{2k-1} $$

We apply the same treatment to each uski to obtain \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m}\); for any \(\pi _{\mathbf {usk}_{i}}\in \mathcal {S}_{2m}\), we have \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m} \Leftrightarrow \pi _{\mathbf {usk}_{i}}(\mathbf {usk}_{i}^{*})\in \mathbf {B}_{m}^{2m}\). Similarly, extend the vectors u1,⋯,ul−1,w1,⋯,wl,r1,r2 to obtain \(\mathbf {u}_{1}^{*},\cdots,\mathbf {u}_{l-1}^{*}, \mathbf {w}_{1}^{*},\cdots,\mathbf {w}_{l}^{*}\in \mathbf {B}_{k}^{2k}\) and \(\mathbf {r}_{1}^{*},\mathbf {r}_{2}^{*}\in \mathbf {B}_{k}^{2k}\). Then let \(\hat {\mathbf {u}}_{1}=\mathbf {ext}(i_{1},\mathbf {u}_{1}^{*}),\cdots,\hat {\mathbf {u}}_{l-1}=\mathbf {ext}\left (i_{l-1},\mathbf {u}_{l-1}^{*}\right)\in \{0,1\}^{4k}, \hat {\mathbf {upk}_{i}}=\mathbf {ext}\left (i_{l},\mathbf {upk}_{i}^{*}\right)\in \{0,1\}^{4k-2}, \hat {\mathbf {w}}_{1}=\mathbf {ext}\left (\bar {i_{1}},\mathbf {w}_{1}^{*}\right),\cdots,\hat {\mathbf {w}}_{l}=\mathbf {ext}\left (\bar {i_{l}}, \mathbf {w}_{l}^{*}\right)\in \{0,1\}^{4k}\).

Given upki=(upki1,⋯,upkik), for any j∈[k] let \(\mathbf {upk}^{\prime }_{ij}=\mathbf {ext}_{2}({upk}_{ij})\). For any b∈{0,1} and t=(t0,t1)∈Z2, let \(T_{b}(\mathbf {t})=\left (t_{b},t_{\bar {b}}\right)\). Then for any bj∈{0,1}, we have \(\mathbf {upk}'_{ij}=\mathbf {ext}_{2}({upk}_{ij})\Leftrightarrow T_{b_{j}}\left (\mathbf {upk^{\prime }}_{ij}\right)=\mathbf {ext}_{2}({upk}_{ij}\oplus b_{j})\). Because bj is chosen uniformly at random, the operation above amounts to one-time padding the user’s upkij with bj, which hides it perfectly.

Let \(r\in \{2k-1,2k\}, b\in \{0,1\}, \pi \in \mathcal {S}_{r}, \mathbf {t}=(t_{0},t_{1})^{T}\in \mathbf {Z}^{2r}\); we define the permutation \(F_{b,\pi }(\mathbf {t})=(\pi (t_{b}),\pi (t_{\bar {b}}))\). Then for all \(b_{1},\cdots,b_{l}\in \{0,1\}, \phi _{u,1},\cdots,\phi _{u,l-1},\phi _{w,1},\cdots,\phi _{w,l}\in \mathcal {S}_{2k}, \pi _{upk_{i}}\in \mathcal {S}_{2k-1}\), the following relations hold:

$$ {\begin{aligned} \left\{\begin{array}{lcr} \forall j\in[l-1], \hat{\mathbf{u}}_{j}=\mathbf{ext}\left(i_{j},\mathbf{u}_{j}^{*}\right)\Leftrightarrow F_{b_{j},\phi_{u,j}}(\hat{\mathbf{u}}_{j})=\mathbf{ext}\left(i_{j}\oplus b_{j},\phi_{u,j}\left(\mathbf{u}_{j}^{*}\right)\right) \\ \forall j\in[l], \hat{\mathbf{w}}_{j}=\mathbf{ext}\left(\bar{i}_{j},\mathbf{w}_{j}^{*}\right)\Leftrightarrow F_{b_{j},\phi_{w,j}}(\hat{\mathbf{w}}_{j})=\mathbf{ext}\left(\bar{i}_{j}\oplus b_{j},\phi_{w,j}\left(\mathbf{w}_{j}^{*}\right)\right) \\ \hat{\mathbf{upk}_{i}}=\mathbf{ext}\left(i_{l},\mathbf{upk}_{i}^{*}\right)\Leftrightarrow F_{b_{l},\pi_{upk_{i}}}\left(\hat{\mathbf{upk}_{i}}\right)=\mathbf{ext}\left(i_{l}\oplus b_{l},\pi_{upk_{i}}\left(\mathbf{upk}_{i}^{*}\right)\right) \end{array} \right. \end{aligned}} $$
(2)
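The identities used above, namely the Merkle step (⋆) in its unified form A·ext(i_{j+1},u_{j+1})+A·ext(ī_{j+1},w_{j+1})=G·u_j, the relation T_b(ext_2(x))=ext_2(x⊕b), and the permutation relations of Eq. 2, can be checked mechanically. The following Python script is an added illustration and is not code from the paper: it takes h_A(u,w)=bin(A_0·u+A_1·w mod q) with A=[A_0|A_1], a gadget matrix G with G·bin(v)=v, and small random integer matrices of our own choosing (an assumption: a plain matrix instance, not a ring-SIS instance), and verifies each identity on sample vectors.

```python
"""Added example, not code from the paper: the node hash h_A, the map ext(),
and the permutation identities behind Eq. 2, checked on a toy instance.
Everything below (n, q, A_0, A_1, the sample vectors) is constructed here;
A_0, A_1 are small random integer matrices, not a ring-SIS instance, so the
example illustrates the algebra of the relations only."""
import random

rng = random.Random(2024)   # fixed seed: sample data only
n, q = 3, 17                # toy dimensions (assumption)
ELL = q.bit_length()        # bits per Z_q entry, q < 2^ELL
k = n * ELL                 # length of bin(v) for v in Z_q^n

# A = [A_0 | A_1] in Z_q^{n x 2k}
A0 = [[rng.randrange(q) for _ in range(k)] for _ in range(n)]
A1 = [[rng.randrange(q) for _ in range(k)] for _ in range(n)]
A = [A0[i] + A1[i] for i in range(n)]


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def bin_decomp(v):
    """bin(v): bit decomposition of v in Z_q^n, so that G.bin(v) = v mod q."""
    return [(x >> b) & 1 for x in v for b in range(ELL)]


def G_mul(u):
    """G.u for the gadget matrix G = I_n (x) (1, 2, ..., 2^(ELL-1))."""
    return [sum(u[i * ELL + b] << b for b in range(ELL)) % q for i in range(n)]


def h_A(u, w):
    """h_A(u, w) = bin(A_0.u + A_1.w mod q): the Merkle node hash of the paper."""
    s = [(a + b) % q for a, b in zip(matvec(A0, u), matvec(A1, w))]
    return bin_decomp(s)


def ext(b, a):
    """ext(b, a) = (b̄.a, b.a)^T, written as one concatenated list."""
    return [(1 - b) * x for x in a] + [b * x for x in a]


def ext2(b):
    """ext_2(b) = (b̄, b)^T."""
    return [1 - b, b]


def T(b, t):
    """T_b(t_0, t_1) = (t_b, t_{b̄})."""
    return [t[b], t[1 - b]]


def apply_perm(pi, v):
    """pi(v)[j] = v[pi[j]] for a permutation pi given as an index list."""
    return [v[pi[j]] for j in range(len(v))]


def F(b, pi, t):
    """F_{b,pi}(t_0, t_1) = (pi(t_b), pi(t_{b̄})) on t = (t_0 | t_1)."""
    r = len(t) // 2
    halves = [t[:r], t[r:]]
    return apply_perm(pi, halves[b]) + apply_perm(pi, halves[1 - b])


def path_step_holds(i_bit, u_child, w_sibling, u_parent):
    """The (*) equivalence: A.ext(i, u) + A.ext(ī, w) == G.u_parent mod q."""
    lhs = [(a + b) % q for a, b in zip(matvec(A, ext(i_bit, u_child)),
                                        matvec(A, ext(1 - i_bit, w_sibling)))]
    return lhs == G_mul(u_parent)


def check_merkle_step(i_bit):
    """Hash a child/sibling pair in the order fixed by i_bit, then verify (*)."""
    u = [rng.randrange(2) for _ in range(k)]
    w = [rng.randrange(2) for _ in range(k)]
    parent = h_A(u, w) if i_bit == 0 else h_A(w, u)
    return path_step_holds(i_bit, u, w, parent)


def check_F_identity(i_bit, b):
    """F_{b,pi}(ext(i, u)) == ext(i xor b, pi(u)), the identity used in Eq. 2."""
    u = [rng.randrange(2) for _ in range(k)]
    pi = list(range(k))
    rng.shuffle(pi)
    return F(b, pi, ext(i_bit, u)) == ext(i_bit ^ b, apply_perm(pi, u))


def check_T_identity(x, b):
    """T_b(ext_2(x)) == ext_2(x xor b): the one-time pad of a public-key bit."""
    return T(b, ext2(x)) == ext2(x ^ b)
```

Because each identity holds for every input, the checks return True for any seed; the gadget decomposition is exact since every entry of Z_q fits in ELL bits, which is what makes G·bin(v)=v hold without reduction.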

Let

$$ {\begin{aligned} \mathbf{z}=&\left(\mathbf{u}_{1}^{*}|\hat{\mathbf{u}}_{1}|\hat{\mathbf{w}}_{1}|\cdots|\mathbf{u}_{l-1}^{*}| \hat{\mathbf{u}}_{l-1}|\hat{\mathbf{w}}_{l-1}|\mathbf{upk}_{i}^{*}|\hat{\mathbf{upk}_{i}}|\hat{\mathbf{w}}_{l}|\right.\\ &\left.{\vphantom{\left(\mathbf{u}_{1}^{*}|\hat{\mathbf{u}}_{1}|\hat{\mathbf{w}}_{1}|\cdots|\mathbf{u}_{l-1}^{*}| \hat{\mathbf{u}}_{l-1}|\hat{\mathbf{w}}_{l-1}|\mathbf{upk}_{i}^{*}|\hat{\mathbf{upk}_{i}}|\hat{\mathbf{w}}_{l}|\right.}}\mathbf{usk}_{i}^{*}|\mathbf{r}_{1}^{*}|\mathbf{r}_{2}^{*}|\mathbf{upk}^{\prime}_{i1}|\cdots|\mathbf{upk}^{\prime}_{ik}\right) \end{aligned}} $$

then z∈{0,1}10kl+2m+6k−3, and Eq. 2 can be unified into the single equation A·z=U mod q, where A and U are obtained from the public parameters. Let VALID be the set of vectors in {0,1}10kl+2m+6k−3 that satisfy the relations above, and let

$$ \bar{\mathcal{S}}=\mathcal{S}_{2k}^{2l-1}\times\mathcal{S}_{2k-1}\times\mathcal{S}_{2m}\times\mathcal{S}_{2k}^{2}\times\{0,1\}^{l} $$

for any

$$ {\begin{aligned} \eta=&\left((\phi_{u,1},\cdots,\phi_{u,l-1},\phi_{w,1},\cdots,\phi_{w,l}),\pi_{upk_{i}},\pi_{usk_{i}},\right.\\&\left.(\pi_{r,1}, \pi_{r,2}),(b_{1},\cdots,b_{l})\right)\in\bar{\mathcal{S}} \end{aligned}} $$

let Γη be the permutation on strings in {0,1}10kl+2m+6k−3 determined by η; then we have

$$ \mathbf{z}\in \mathbf{VALID} \Leftrightarrow \Gamma_{\eta}(\mathbf{z})\in \mathbf{VALID} $$

After that, we can use Stern’s protocol and the equivalence above to prove that z∈VALID and A·z=U mod q. Let D=10kl+2m+6k−3; the underlying zero-knowledge argument of knowledge is as follows.

The security analysis of the underlying protocol

Theorem 3

Suppose that the problem ring-\(\mathbf {SVP}_{\tilde {O}(n)}\) is hard; then the protocol in the previous section satisfies perfect completeness, statistical zero-knowledge and argument of knowledge, with soundness error \(\frac {2}{3}\) and communication complexity \(\tilde {O}(D\log q)\).

Proof

As for perfect completeness: if the participants run each step of the protocol honestly, then V accepts the proof generated by P with probability 1. Since \(\mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \mathbf {z}\in \{0,1\}^{D}\) and \(\|\mathbf {r}_{z}\|=\|\mathbf {z}\|=D\), it is easy to verify that the communication complexity is \(\tilde {O}(D\log q)\). Next, we give a detailed description of the zero-knowledge property.

We first construct a PPT simulator Sim that simulates the real interaction between an honest prover P and a malicious verifier V, such that the distribution of the transcript output by Sim is statistically close to that of the real interaction. Sim chooses \(\bar {CH}\in \{1,2,3\}\) uniformly at random as a prediction of the challenge that the verifier V will not choose.

If \(\bar {CH}=1\), Sim computes a vector \(\mathbf {z}^{\prime }\in \mathbf {Z}_{q}^{D}\) by linear algebra such that A′·z′=u mod q. It then chooses \(\mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\) and strings ρ1,ρ2,ρ3∈{0,1}m uniformly at random, computes the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot \mathbf {r}_{z};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}^{\prime }+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=\left (C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3}\right)\) to V. Depending on the challenge CH received from V, the simulator responds as follows:

1. If CH=1, output ⊥ and abort.

2. If CH=2, let RSP=(η,z′+rz,ρ1,ρ3) and send it to V.

3. If CH=3, let RSP=(η,rz,ρ1,ρ2) and send it to V.

If \(\bar {CH}=2\), Sim chooses \(\mathbf {z}^{\prime }\in \mathbf {VALID}, \mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\) and strings ρ1,ρ2,ρ3∈{0,1}m uniformly at random, computes the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot \mathbf {r}_{z};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}'+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=(C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3})\) to the verifier V. Depending on the challenge CH received from V, the simulator responds as follows:

1. If CH=1, let RSP=(Γη(z′),Γη(rz),ρ2,ρ3) and send it to V.

2. If CH=2, output ⊥ and abort.

3. If CH=3, let RSP=(η,rz,ρ1,ρ2) and send it to V.

If \(\bar {CH}=3\), Sim chooses \(\mathbf {z}^{\prime }\in \mathbf {VALID}, \mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\) and strings ρ1,ρ2,ρ3∈{0,1}m uniformly at random, computes the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot (\mathbf {z}^{\prime }+\mathbf {r}_{z})-\mathbf {u};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}^{\prime }+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=\left (C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3}\right)\) to the verifier V. Depending on the challenge CH received from V, the simulator responds as follows:

1. If CH=1, compute RSP as in the case \((\bar {CH}=2,CH=1)\) and send it to V.

2. If CH=2, compute RSP as in the case \((\bar {CH}=1,CH=2)\) and send it to V.

3. If CH=3, output ⊥ and abort.

Since the commitment scheme is statistically hiding, the output distribution of Sim and that of the real interaction are statistically indistinguishable, i.e. there is a negligible function negl(n) such that \(\Pr [\bot \leftarrow Sim]=\frac {1}{3}\pm negl(n)\). So the simulator outputs an accepting transcript whenever it does not output the error symbol ⊥; in other words, Sim outputs a transcript that is indistinguishable from that of a real interaction with probability close to \(\frac {2}{3}\).

Finally, we give a concrete explanation of the argument-of-knowledge property. Suppose that there are three valid responses RSP1=(tz,tr,ρ2,ρ3), RSP2=(η2,z2,ρ1,ρ3), RSP3=(η3,z3,ρ1,ρ2) corresponding to the three different challenges for one commitment CMT; then the validity of the responses implies the following relations:

$$\begin{array}{@{}rcl@{}} {\left\{\begin{aligned} &\mathbf{t}_{z}\in \mathbf{VALID};C_{1}=Com(\eta_{2},\mathbf{A}^{\prime}\cdot \mathbf{z}_{2}-\mathbf{u};\rho_{1})=Com(\eta_{3},\mathbf{A}'\cdot \mathbf{z}_{3};\rho_{1}); \\ &C_{2}=Com(\mathbf{t}_{r};\rho_{2})=Com(\Gamma_{\eta_{3}}(\mathbf{z}_{3});\rho_{2}); \\ &C_{3}=Com(\mathbf{t}_{z}+\mathbf{t}_{r};\rho_{3})=Com(\Gamma_{\eta_{2}}(\mathbf{z}_{2});\rho_{3}) \end{aligned} \right.} \end{array} $$

Because of the computational binding of the commitment scheme Com, we have

$$ {\left\{\begin{array}{lcr} \mathbf{t}_{z}\in \mathbf{VALID};\eta_{2}=\eta_{3};\mathbf{t}_{r}=\Gamma_{\eta_{3}}(\mathbf{z}_{3});\mathbf{t}_{z}+\mathbf{t}_{r}=\Gamma_{\eta_{2}}(\mathbf{z}_{2})\mod q; \\ \mathbf{A}^{\prime}\cdot \mathbf{z}_{2}-\mathbf{u}=\mathbf{A}^{\prime}\cdot \mathbf{z}_{3}\mod q \end{array} \right.} $$

Since tz∈VALID, let \(\mathbf {z}^{\prime }=\Gamma _{\eta _{2}}^{-1}(\mathbf {t}_{z})\); then \(\mathbf {z}'\in \mathbf {VALID}\) and \(\Gamma _{\eta _{2}}(\mathbf {z}^{\prime })+\Gamma _{\eta _{2}}(\mathbf {z}_{3})=\Gamma _{\eta _{2}}(\mathbf {z}_{2})\mod q\), from which we learn that z′+z3=z2 and A′·z′+A′·z3=A′·z2 mod q. Finally, we obtain a solution z′ to an instance of the problem ring-SIS, which satisfies A′·z′=u mod q. □
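The three-move structure whose completeness, zero-knowledge and knowledge extraction are argued above can be exercised on a reduced instance. The Python script below is an added example, not the paper’s protocol implementation: it keeps the commitments C_1=Com(η,A′·r_z;ρ_1), C_2=Com(Γ_η(r_z);ρ_2), C_3=Com(Γ_η(z+r_z);ρ_3), the three responses and the extractor z′=Γ_{η_2}^{-1}(t_z) as in the proof, but takes VALID to be the binary vectors of length D with Hamming weight D/2 and Γ_η to be a plain coordinate permutation (an assumption that simplifies the paper’s structured Γ_η), and uses a SHA-256 hash as a stand-in for Com. The matrix A′ and all sample data are constructed in the script.

```python
"""Added example, not the paper's code: a toy Stern-type argument for
A'.z = u mod q with z in VALID.  Simplifications (assumptions): VALID is the
set of binary vectors of length D with Hamming weight D//2, Gamma_eta is a
coordinate permutation, and Com is a SHA-256 hash over (value || randomness).
All parameters and sample data are constructed here."""
import hashlib
import random

rng = random.Random(7)
n, D, q = 4, 12, 97        # toy sizes (assumption)
WEIGHT = D // 2

A = [[rng.randrange(q) for _ in range(D)] for _ in range(n)]   # plays A'


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def vadd(x, y):
    return [(a + b) % q for a, b in zip(x, y)]


def vsub(x, y):
    return [(a - b) % q for a, b in zip(x, y)]


def perm(pi, v):
    """Gamma_eta(v)[j] = v[pi[j]]."""
    return [v[pi[j]] for j in range(len(v))]


def perm_inv(pi, v):
    """Gamma_eta^{-1}(v)."""
    out = [0] * len(v)
    for j in range(len(v)):
        out[pi[j]] = v[j]
    return out


def in_valid(v):
    """Membership in VALID is invariant under Gamma_eta, as the proof needs."""
    return all(x in (0, 1) for x in v) and sum(v) == WEIGHT


def com(*parts, rho):
    """Com(parts; rho): hash commitment standing in for the paper's Com."""
    h = hashlib.sha256()
    for p in parts:
        h.update(repr(p).encode())
    h.update(rho)
    return h.hexdigest()


def commit(z):
    """Prover's first move: CMT = (C1, C2, C3) plus the state needed to respond."""
    r = [rng.randrange(q) for _ in range(D)]
    eta = list(range(D))
    rng.shuffle(eta)
    rho = [rng.randbytes(16) for _ in range(3)]
    c1 = com(eta, matvec(A, r), rho=rho[0])          # Com(eta, A'.r_z; rho1)
    c2 = com(perm(eta, r), rho=rho[1])               # Com(Gamma(r_z); rho2)
    c3 = com(perm(eta, vadd(z, r)), rho=rho[2])      # Com(Gamma(z + r_z); rho3)
    return (c1, c2, c3), dict(z=z, r=r, eta=eta, rho=rho)


def respond(state, ch):
    z, r, eta, rho = state["z"], state["r"], state["eta"], state["rho"]
    if ch == 1:
        return (perm(eta, z), perm(eta, r), rho[1], rho[2])   # (t_z, t_r, rho2, rho3)
    if ch == 2:
        return (eta, vadd(z, r), rho[0], rho[2])              # (eta, z + r_z, rho1, rho3)
    return (eta, r, rho[0], rho[1])                           # (eta, r_z, rho1, rho2)


def verify(cmt, ch, rsp, u):
    c1, c2, c3 = cmt
    if ch == 1:   # t_z in VALID and C2, C3 open to t_r, t_z + t_r
        tz, tr, rho2, rho3 = rsp
        return in_valid(tz) and c2 == com(tr, rho=rho2) and c3 == com(vadd(tz, tr), rho=rho3)
    if ch == 2:   # C1 opens to (eta, A'.z2 - u), C3 to Gamma_eta(z2)
        eta, z2, rho1, rho3 = rsp
        return c1 == com(eta, vsub(matvec(A, z2), u), rho=rho1) and c3 == com(perm(eta, z2), rho=rho3)
    eta, z3, rho1, rho2 = rsp   # C1 opens to (eta, A'.z3), C2 to Gamma_eta(z3)
    return c1 == com(eta, matvec(A, z3), rho=rho1) and c2 == com(perm(eta, z3), rho=rho2)


def extract(rsp1, rsp2):
    """Extractor of Theorem 3: z' = Gamma_{eta2}^{-1}(t_z) from RSP1 and RSP2."""
    tz = rsp1[0]
    eta2 = rsp2[0]
    return perm_inv(eta2, tz)


def run_demo():
    """Honest run: all three challenges verify, and the extractor recovers z."""
    z = [1] * WEIGHT + [0] * (D - WEIGHT)
    rng.shuffle(z)
    u = matvec(A, z)
    cmt, st = commit(z)
    ok = all(verify(cmt, ch, respond(st, ch), u) for ch in (1, 2, 3))
    z_ext = extract(respond(st, 1), respond(st, 2))
    return ok, z_ext == z and in_valid(z_ext) and matvec(A, z_ext) == u


def cheating_fails():
    """A z outside VALID (weight off by one) answers challenges 2 and 3 but is
    caught by challenge 1: this is the 2/3 soundness error of a single run."""
    z = [1] * (WEIGHT + 1) + [0] * (D - WEIGHT - 1)
    u = matvec(A, z)
    cmt, st = commit(z)
    return (not verify(cmt, 1, respond(st, 1), u)
            and verify(cmt, 2, respond(st, 2), u)
            and verify(cmt, 3, respond(st, 3), u))
```

A single run has soundness error 2/3 exactly as Theorem 3 states: a prover whose z lies outside VALID still answers challenges 2 and 3 correctly and is caught only by challenge 1, which is why the scheme repeats the protocol k′ times before applying the FS transformation.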

The analysis of the group signature scheme

Notation

The security of the fully dynamic group signature scheme presented in this paper satisfies the strong security definition given in (Bootle et al. 2016): correctness, anonymity, non-frameability, traceability, and tracing soundness. Before the detailed description, we first give a brief description of the oracles and special symbols used in the proofs.

HUL is the set of honest users whose secret keys are generated honestly. BUL is the set of users whose signing secret keys have been sent to the adversary. CUL is the set of users whose public keys were chosen by the adversary. SL is the set of signatures generated by the oracle Sign. CL is the set of signatures generated by the oracle Chalb. The oracles used in the proofs are as follows:

AddU(i): Add an honest user i to the set HUL at time τ.

CreU(i,upki): Create a new user i whose public key upki is chosen by the adversary; it is invoked within the oracle SenToM.

SenToM(i,Min): Run the algorithm Join on behalf of a corrupt user, together with the honest group manager GM update.

SenToU(i,Min): Run the algorithm Join on behalf of the corrupt group manager GM update, together with a legitimate user i.

RReg(i): Return the registration information regi of user i.

MReg(i,ρ): Change the registration information regi of user i to ρ.

RevealU(i): Return the signing secret key gski of user i to the adversary, and add i to the set BUL.

Sign(i,M,τ): Return a signature on a message M signed by user i at time τ, and add this signature to the set SL.

Chalb(infoτ,i0,i1,M): For b∈{0,1}, return a signature on a message M signed by user ib at time τ, and add this signature to the set CL. This requires that the users i0,i1 are both legitimate at time τ, and this oracle may be invoked only once.

Trace(infoτ,Σ,M): Return the signer of a signature Σ signed at time τ together with a proof of this fact, which requires that Σ∉CL.

UpdateG(S,τ): Allow the adversary to update some information about the group at time τ, which requires that each element of S is a legitimate user’s public key at time τ.

IsActive(infoτ,reg,i): Return 1 if and only if user i is a legitimate member of the group at time τ, otherwise return 0.

The security analysis

Complexity: Given a security parameter λ and the number t of legitimate users, let \(l=\lceil \log t\rceil, n=O(\lambda), q=\tilde {O}\left (n^{1.5}\right)=\tilde {O}\left (c\lambda ^{1.5}\right)\) with a constant c, and k=O(log(λ1.5)) (Table 1). Then the size of the group public key gpk=(pp,mpk,opk) is \(|gpk|=\tilde {O}\left (\lambda ^{1.5}\right)+l\cdot O(\log \lambda)\), the size of the signing secret key gski=(bin(i),upki,uski) is |gski|=l+3k=l+O(logλ), and the size of the signature Σ=(Πsign,c1,c2) is

$${}{\begin{aligned} |\Sigma|= & |\Pi_{sign}|+|\mathbf{c}_{1}|+|\mathbf{c}_{2}| \\ = & k^{\prime}\cdot|CMT|+k^{\prime}+k^{\prime}\cdot|RSP|+2(k+1)\log q \\ = & k^{\prime}\cdot(20kl+6m+12k+3n\log q-5)\\&+2(k+1)\log q \\ = & k^{\prime}\cdot(20kl+6m+12k+(3n+2k+2)\log q-5) \\ = & \tilde{O}(\lambda)+l\cdot O\left(\log\lambda^{1.5}\right) \end{aligned}} $$
Table 1 Comparison of main parameters in (Ling et al. 2017) and our work

Suppose that the upper bounds on the group size in (Ling et al. 2017) and in our work are the same and denoted by N, and let l= logN. Then the expected computational complexity of realizing dynamic registration and revocation in the counterpart of the scheme of (Ling et al. 2017) over a ring is O(l), and that of our work is

$$\begin{aligned} & O\left(\frac{1}{2}\cdot l+\frac{1}{2^{2}}\cdot(l-1)+\cdots+\frac{1}{2^{l-1}}\cdot 2+\frac{1}{2^{l}}\right)\\ = & O\left(l\cdot\left(\left(\sum\limits_{i=1}^{l-1}\frac{1}{2^{i}}\right)+\frac{1}{2^{l-1}}\right)-\sum\limits_{i=2}^{l-1}\frac{i}{2^{i+1}}\right) \\ = & O\left(l-\left(1-\frac{l}{2^{l-1}}\right)\right) \\ = & O(l-1) \end{aligned} $$

Correspondingly, the expected space complexity of the Merkle tree used in (Ling et al. 2017) is O(2N−1) (Table 2), and that of our work is

$$\begin{aligned} & O\left(\frac{1}{2}\cdot (2N-1)+\frac{1}{2^{2}}\cdot(N-1)+\cdots\right.\\&+\left.\frac{1}{2^{l-1}}\cdot \left(\frac{N}{2^{l-3}}-1\right)+\frac{1}{2^{l}}\cdot\left(\frac{N}{2^{l-3}}-1\right)\right)\\ &= O\left(\sum\limits_{i=l}^{3-l}2^{i}-\sum\limits_{i=1}^{l}\frac{1}{2^{i}}\right) \\ &= O\left(\frac{1}{3}\cdot\left(2^{l+2}+\frac{1}{2^{l-3}}\right)-\left(1-\frac{1}{2^{l}}\right)\right) \\ &= O\left(\frac{4}{3}\cdot N-1+\frac{11}{3N}\right) \\ &= O\left(\frac{4}{3}\cdot N-1\right) \end{aligned} $$


Table 2 Comparison of the expected complexity of Merkle trees used in (Ling et al. 2017) and our work

Theorem 4

The full dynamic group signature scheme based on ring in this paper is correct.

Proof

We now give a concrete description of the correctness of our scheme, based on the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature Σ=(Πsign,c1,c2) is generated by a legitimate user, then the perfect completeness of the underlying protocol ensures that Σ passes the verification of the algorithm Verify, and the algorithm Trace outputs the user public key upki with probability close to 1, together with a proof Πtrace accepted by Judge. When decrypting a ciphertext we compute \(\mathbf {e}=\mathbf {c}_{1,2}-\mathbf {S}_{1}^{\top }c_{1,1}=E_{1}\cdot \mathbf {r}_{1}+\left \lfloor \frac {q}{2}\right \rfloor \cdot \mathbf {upk}_{i}\mod q\), and let \(\mathbf {b}^{\prime }=\left (b^{\prime }_{1},\cdots,b^{\prime }_{l}\right), \mathbf {e}=(e_{1},\cdots,e_{l})\); then for any j∈[l],

$$ b'_{j}=\left\{ \begin{array}{lcr} 0,\ if \ |e_{j}-0|<|e_{j}-\frac{q}{2}| \\ 1,\ if \ |e_{j}-0|\geq|e_{j}-\frac{q}{2}| \end{array} \right. $$

Note that \(\|E_{1}\cdot \mathbf {r}_{1}\|_{\infty }<\frac {q}{5}\), so b′=upki with overwhelming probability. Furthermore, because the user corresponding to upki is legitimate, the witness w=(bin(i),wl,⋯,w1) is included in the group information infoτ, and the value of the corresponding leaf is not 0k. So the algorithm Trace can always obtain a tuple (S1,E1,y) that satisfies the requirement. Finally, since the protocol that generates Πtrace is perfectly complete, the algorithm Judge outputs 1 with probability 1. □
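To see the decoding rule and the role of the noise bound concretely, the following Python script is an added example and not code from the paper: it builds a toy matrix version of the encryption c=(B·r, P·r+⌊q/2⌋·upk) with P=S^T·B+E over Z_q (an assumption standing in for the ring scheme), recovers e=E·r+⌊q/2⌋·upk exactly as in the proof, and applies the rounding rule above with both distances measured modulo q, so that small negative noise still decodes to 0. The parameters and key material are constructed in the script, and a second function feeds hand-chosen noise into the rule to show that decoding breaks once the noise reaches q/4.

```python
"""Added example, not code from the paper: the decryption step of Theorem 4,
e = c_{1,2} - S_1^T c_{1,1} = E_1.r_1 + floor(q/2).upk_i mod q, followed by the
rounding rule b'_j = 0 iff e_j is closer to 0 than to q/2 (distances mod q).
Key material is small random integers over Z_q (constructed here; a matrix
analogue of the ring scheme, not a ring-LWE instance).  The noise bound
BETA*k < q/5 mirrors the paper's ||E_1.r_1||_inf < q/5 condition."""
import random

rng = random.Random(11)
n, k, q = 4, 8, 257      # toy parameters (assumption); q odd
BETA = 2                 # |E entries| <= BETA, so ||E.r||_inf <= BETA*k = 16 < q/5


def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) % q for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def matmul(X, Y):
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def keygen():
    """B in Z_q^{n x k}, secret S in Z_q^{n x k}, small E in Z^{k x k}, P = S^T.B + E."""
    B = [[rng.randrange(q) for _ in range(k)] for _ in range(n)]
    S = [[rng.randrange(q) for _ in range(k)] for _ in range(n)]
    E = [[rng.randint(-BETA, BETA) for _ in range(k)] for _ in range(k)]
    P = [[(x + e) % q for x, e in zip(row, erow)]
         for row, erow in zip(matmul(transpose(S), B), E)]
    return B, S, P


def encrypt(B, P, upk, r):
    """c = (B.r, P.r + floor(q/2).upk) for a binary randomness vector r."""
    c1 = matvec(B, r)
    c2 = [(x + (q // 2) * b) % q for x, b in zip(matvec(P, r), upk)]
    return c1, c2


def decode_bit(e):
    """b'_j = 0 if e_j is closer to 0 than to q/2, else 1.  The distance to 0 is
    taken modulo q so that small negative noise (e_j near q) decodes to 0."""
    dist_zero = min(e, q - e)
    dist_half = abs(e - q / 2)
    return 0 if dist_zero < dist_half else 1


def decrypt(S, c1, c2):
    """e = c2 - S^T.c1 = E.r + floor(q/2).upk mod q, then round each entry."""
    e = [(x - y) % q for x, y in zip(c2, matvec(transpose(S), c1))]
    return [decode_bit(x) for x in e]


def roundtrip(upk):
    """Encrypt then decrypt upk under fresh keys; equals upk while noise < q/4."""
    B, S, P = keygen()
    r = [rng.randrange(2) for _ in range(k)]
    return decrypt(S, *encrypt(B, P, upk, r))


def decode_with_noise(upk, noise):
    """Round e_j = noise_j + floor(q/2).upk_j directly, to show the failure mode:
    once |noise_j| >= q/4 the rounding rule returns the wrong bit."""
    return [decode_bit((nz + (q // 2) * b) % q) for nz, b in zip(noise, upk)]
```

With BETA·k=16 the noise never reaches the q/4≈64 decision boundary, so roundtrip returns the public key bit for bit; the constructed noise of 70 in decode_with_noise crosses it and flips both bits, which is the failure the bound ‖E_1·r_1‖_∞<q/5 rules out.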

Theorem 5

Suppose that the problem ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is difficult, then the scheme in this paper is anonymous in RO model.

Proof

Assume that the number of legitimate users is t, and that the adversary \(\mathcal {A}\) and the challenger \(\mathcal {C}\) are PPT algorithms. For two different users i0≠i1∈[t] given by \(\mathcal {A}\), we give the following game before the concrete proof:

We say that the scheme is anonymous if there is a negligible function negl(λ) such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{anon-b}(\lambda)=1\right ]\leq negl(\lambda)\). Given a negligible function negl(λ), we complete the proof by a sequence of hybrid games. Let OPl denote the output of Gamel, l∈[0,9].

Game0: Given two different legitimate users i0≠i1∈[t] chosen by \(\mathcal {A}\), let b=0; the challenger \(\mathcal {C}\) runs the experiment above honestly using i0.

Game1: Identical to Game0 except that (S2,E2) is included in osk, i.e. osk=((S1,E1),(S2,E2)). This change makes no difference to the view of the adversary \(\mathcal {A}\), so Pr[OP1=1]= Pr[OP0=1].

Game2: Identical to Game1 except that a simulator Simtrace simulates the real interactions of the protocol that generates Πtrace, i.e. the real transcript Πtrace is replaced by a simulated transcript of Simtrace. The two transcripts are statistically indistinguishable by the statistical zero-knowledge of the protocol generating Πtrace, so Pr[OP2=1]− Pr[OP1=1]≤negl(λ).

Game3: Identical to Game2 except that (S1,E1) is replaced by (S2,E2) when Simtrace simulates the oracle Trace. Let F1 be the event that \(\mathcal {A}\) queries the oracle Trace on a legitimate signature (M,Πsign,c1,c2) in which c1 and c2 are encryptions of different strings; the view of \(\mathcal {A}\) may change if F1 occurs, but F1 violates the soundness of the protocol that generates Πsign. Hence the change in this game is indistinguishable to \(\mathcal {A}\) except for the event F1, i.e. Pr[OP3=1]− Pr[OP2=1]≤ Pr[F1]≤negl(λ).

Game4: Identical to Game3 except that a simulator Simsign simulates the real interactions of the protocol that generates Πsign, i.e. the real transcript Πsign is replaced by a simulated transcript of Simsign. The two transcripts are statistically indistinguishable by the statistical zero-knowledge of the protocol generating Πsign, so Pr[OP4=1]− Pr[OP3=1]≤negl(λ).

Game5: Identical to Game4 except that the ciphertext c1 is changed into an encryption of \(\mathbf {upk}_{i_{1}}\) when answering the query to the oracle Chalb. The difference in the view of \(\mathcal {A}\) caused by this change is negligible by the semantic security of the encryption scheme. The challenger answers queries to the oracle Trace with (S2,E2), so substituting the ciphertext c1 makes no difference there; hence Pr[OP5=1]− Pr[OP4=1]=negl(λ).

Game6: Identical to Game5 except that (S2,E2) is replaced by (S1,E1) when Simtrace simulates the oracle Trace. Let F2 be the event that \(\mathcal {A}\) queries the oracle Trace on a legitimate signature (M,Πsign,c1,c2) in which c1 and c2 are encryptions of different strings, which violates the soundness of the protocol that generates Πsign. The change in this game is indistinguishable to \(\mathcal {A}\) except for the event F2, so Pr[OP6=1]− Pr[OP5=1]≤ Pr[F2]≤negl(λ).

Game7: Identical to Game6 except that the ciphertext c2 is changed into an encryption of \(\mathbf {upk}_{i_{1}}\). The difference in the view of \(\mathcal {A}\) caused by this change is negligible by the semantic security of the encryption scheme. The challenger answers queries to the oracle Trace with (S1,E1), so this makes no difference to the view of the adversary; Pr[OP7=1]− Pr[OP6=1]=negl(λ).

Game8: Identical to Game7 except that the simulator Simsign is replaced by the real protocol that generates Πsign, i.e. the simulated transcript of Simsign is replaced by a real transcript Πsign. The two transcripts are statistically indistinguishable by the statistical zero-knowledge of the protocol generating Πsign, so Pr[OP8=1]− Pr[OP7=1]≤negl(λ).

Game9: Identical to Game8 except that the simulator Simtrace is replaced by the real protocol that generates Πtrace, i.e. the simulated transcript of Simtrace is replaced by a real transcript Πtrace. The two transcripts are statistically indistinguishable by the statistical zero-knowledge of the protocol generating Πtrace, so Pr[OP9=1]− Pr[OP8=1]≤negl(λ).

Finally, we could learn from the games above that the probability:

$$\begin{aligned} & \Pr[{OP}_{9}=1]-\Pr[{OP}_{0}=1] \\ = & \Pr\left[\mathbf{Exp}_{FDGS,\mathcal{A}}^{anon-1}(\lambda)\right]-\Pr\left[\mathbf{Exp}_{FDGS,\mathcal{A}}^{anon-0}(\lambda)\right] \\ \leq & c\cdot negl(\lambda) \end{aligned} $$

where c is constant. So, the scheme in this paper satisfies the property of anonymity. □

Theorem 6

Suppose that the ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is difficult, then the scheme in this paper is unforgeable in the RO model.

Proof

Suppose that there is a PPT adversary \(\mathcal {A}\) that can forge a valid signature with non-negligible probability ε; then there is a PPT algorithm \(\mathcal {B}\) that can break the security of the Merkle hash tree or solve the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with non-negligible probability by invoking \(\mathcal {A}\) as a black box. To complete the proof, we give the following game:

If there is a negligible function negl(λ) such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{unforge}(\lambda)=1\right ]\leq negl(\lambda)\), then we say that the scheme is unforgeable. Given a random matrix A, the challenger computes the public parameter pp honestly, then invokes \(\mathcal {A}\) and runs the operations of the game above; during this process \(\mathcal {B}\) answers the queries of \(\mathcal {A}\) honestly. If the adversary \(\mathcal {A}\) wins the game and finally outputs \(\left (M^{*},\Sigma ^{*},i^{*},\Pi _{trace}^{*},\mathbf {info}_{\tau }\right)\), then there is a non-negligible function ε such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{unforge}(\lambda)=1\right ]\geq \epsilon \), and the algorithm \(\mathcal {B}\) proceeds as follows. Decompose the signature Σ* into \(\left (\Pi _{sign}^{*},\mathbf {c}_{1}^{*},\mathbf {c}_{2}^{*}\right)\), where \(\Pi _{sign}^{*}=\left (\left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},CH^{*},\left \{RSP_{i}^{*}\right \}_{i=1}^{k^{\prime }}\right)\); because the adversary \(\mathcal {A}\) wins the game above, \(\left \{RSP_{i}^{*}\right \}_{i=1}^{k^{\prime }}\) are valid responses to \(\left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},CH^{*}\). Let \(\xi ^{*}=\left (M^{*}, \left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},\mathbf {A},\mathbf {u}_{\tau },\mathbf {B},P_{1},P_{2}, \mathbf {c}_{1}^{*},\mathbf {c}_{2}^{*}\right)\). Since the probability of guessing the value H(ξ*) is \(3^{-k^{\prime }}\), the adversary queries the oracle H on ξ* with overwhelming probability, and ξ* is a preimage of H with probability \(\epsilon ^{\prime }=\epsilon -3^{-k^{\prime }}\). Let t∈{1,2,⋯,QH} be the index of this query, where QH is the number of queries that the adversary \(\mathcal {A}\) made to the oracle H. The inputs of the hash queries from the 1st to the t-th are all ξ*, and \(\mathcal {B}\) runs \(\mathcal {A}\) t times.
The inputs of the other hash queries, from the (t+1)-th to the QH-th, are different, and \(\mathcal {B}\) answers them with independent values. By the Forking lemma (Brickell et al. 2000; Pointcheval and Stern 2000), the probability that \(\mathcal {B}\) obtains three different hash values \({CH}_{t^{*}}^{1},{CH}_{t^{*}}^{2},{CH}_{t^{*}}^{3}\in \{1,2,3\}^{k^{\prime }}\) for the same input ξ* is \(\geq \frac {1}{2}\), and then for some j∈{1,2,⋯,k′} we have \(\Pr \left [\left ({CH}_{t^{*},j}^{1},{CH}_{t^{*},j}^{2},{CH}_{t^{*},j}^{3}\right)=(1,2,3)\right ]=1-\left (\frac {7}{9}\right)^{k^{\prime }}\). Given three valid responses \(\left ({RSP}_{t^{*},j}^{1},{RSP}_{t^{*},j}^{2},{RSP}_{t^{*},j}^{3}\right)\), the argument-of-knowledge property of the protocol that generates Πsign lets us extract a witness \(\zeta ^{\prime }=\left (\mathbf {usk}_{i^{\prime }},\mathbf {upk}_{i^{\prime }},w^{\prime }_{\tau },\mathbf {r}^{\prime }_{1},\mathbf {r}^{\prime }_{2}\right)\), where \(w^{\prime }_{\tau }=(\mathbf {bin}(i^{\prime }),\mathbf {w}^{\prime }_{l,\tau },\cdots,\mathbf {w}^{\prime }_{1,\tau })\in \{0,1\}^{l}\times \left (\{0,1\}^{k}\right)^{l}\), such that for all b∈{1,2} and all j∈[0,l−1], we have

$$ \left\{ \begin{array}{lcr} \mathbf{u}_{j,\tau}=\left\{ \begin{array}{lcr} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if\hspace{1mm} i^{\prime}_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if\hspace{1mm} i^{\prime}_{j+1}=1 \end{array} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i^{\prime}}=\mathbf{G}\cdot \mathbf{upk}_{i^{\prime}} \\ \mathbf{c}^{*}_{b}=\left(c^{*}_{b,1},\mathbf{c}^{*}_{b,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}^{\prime}_{b},P_{b}\cdot \mathbf{r}^{\prime}_{b}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i^{\prime}}\right) \end{array} \right. $$

From the correctness of the encryption scheme, \(\mathbf {c}_{1}^{*}\) is an encryption of \(\mathbf {upk}_{i^{\prime }}\). The algorithm Judge outputs 1 because \(\mathcal {A}\) wins the game, and the soundness of the protocol that generates Πtrace implies that \(\mathbf {c}_{1}^{*}\) is an encryption of \(\mathbf {upk}_{i^{*}}\); hence \(\mathbf {upk}_{i^{\prime }}=\mathbf {upk}_{i^{*}}\) with overwhelming probability. By the correctness of the Merkle hash tree, the user i* is legitimate. i*∈HUL∖BUL indicates that the adversary \(\mathcal {A}\) does not know \({gsk}_{i^{*}}=(\mathbf {bin}(i^{*}),\mathbf {upk}_{i^{\prime }},\mathbf {usk}_{i^{*}})\). \(\mathbf {usk}_{i^{*}}\) was chosen by \(\mathcal {B}\) and \(\mathbf {A}\cdot \mathbf {usk}_{i^{*}}=\mathbf {G}\cdot \mathbf {upk}_{i^{\prime }}\), so we have \(\Pr [\mathbf {usk}_{i^{*}}\not =\mathbf {usk}_{i^{\prime }}]\geq \frac {1}{2}\). Let \(\mathbf {z}=\mathbf {usk}_{i^{*}}-\mathbf {usk}_{i^{\prime }}\); then z≠0 and A·z=0 mod q, so the algorithm \(\mathcal {B}\) solves the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with non-negligible probability. □

Theorem 7

Suppose that the ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is difficult, then the scheme in this paper is traceable in RO model.

Proof

To finish the proof, we give the following game firstly:

If there is a negligible function negl(λ) such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{trace}(\lambda)=1\right ]\leq negl(\lambda)\), then we say that the scheme is traceable. In other words, if the adversary \(\mathcal {A}\) wins the game above, the signature generated by \(\mathcal {A}\) is legitimate but is traced either to a revoked user or to a legitimate user without a valid proof Πtrace for it; next, we show that the probability that the adversary \(\mathcal {A}\) wins the game above is negligible.

Let (infoτ,M,Σ) be the forgery output by the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGS,\mathcal {A}}^{trace}(\lambda)\); then the challenger can extract the identity (bin(i),Πtrace) by running the algorithm Trace. Decompose the signature Σ into \((\Pi _{sign},\mathbf {c}^{\prime }_{1},\mathbf {c}^{\prime }_{2})\), where \(\Pi _{sign}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\). Since (infoτ,M,Σ) is a legitimate signature, \(\{RSP_{j}\}_{j=1}^{k^{\prime }}\) are valid responses to \(\{CMT_{j}\}_{j=1}^{k^{\prime }},CH\). Then, as in the proof of unforgeability, we can extract a witness \(\zeta ^{\prime }=\left (\mathbf {usk}_{i^{\prime }},\mathbf {upk}_{i^{\prime }},w^{\prime }_{\tau },\mathbf {r}^{\prime }_{1},\mathbf {r}^{\prime }_{2}\right)\), where \(w^{\prime }_{\tau }=\left (\mathbf {bin}(i^{\prime }),\mathbf {w}^{\prime }_{l,\tau },\cdots,\mathbf {w}^{\prime }_{1,\tau }\right)\in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for all b∈{1,2} and all j∈{0,…,l−1} we have

$$ \left\{ \begin{array}{lcr} \mathbf{upk}_{i^{\prime}}\not=0 \\ \mathbf{u}_{j,\tau}=\left\{ \begin{array}{lcr} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if \hspace{1mm} i^{\prime}_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if \hspace{1mm} i^{\prime}_{j+1}=1 \end{array} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i^{\prime}}=\mathbf{G}\cdot \mathbf{upk}_{i^{\prime}} \\ \mathbf{c}^{\prime}_{b}=\left(c^{\prime}_{b,1},\mathbf{c}^{\prime}_{b,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}^{\prime}_{b},P_{b}\cdot \mathbf{r}^{\prime}_{b}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i^{\prime}}\right) \end{array} \right. $$

From the correctness of the encryption scheme, the ciphertext \(\mathbf {c}^{\prime }_{1}\) decrypts to \(\mathbf {upk}_{i^{\prime }}\), and from the correctness of the algorithm Trace, \(\mathbf {upk}_{i}\) is the plaintext obtained from the ciphertext \(\mathbf {c}^{\prime }_{1}\); so \(\mathbf {upk}_{i}=\mathbf {upk}_{i^{\prime }}\) with overwhelming probability, and the probability that a valid signature is traced to a revoked user is negligible. In fact, the security of the Merkle hash tree implies that the probability that the valid signature above is traced to a revoked user with a valid proof Πtrace is negligible. Since the challenger has the legitimate witness to generate a valid proof Πtrace, the perfect completeness of the protocol that generates Πtrace guarantees that the algorithm Judge accepts Πtrace with probability 1. In conclusion, the scheme in this paper is traceable. □
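The Merkle-tree part of the witness above (each \(\mathbf{u}_{j,\tau}\) recomputed from its sibling \(\mathbf{w}_{j+1,\tau}\) with the argument order fixed by the bit \(i^{\prime}_{j+1}\), plus the constraint \(\mathbf{upk}_{i^{\prime}}\not=0\)) can be exercised with ordinary hashing. The following Python is an added example and not code from the paper: SHA-256 stands in for the lattice hash \(h_{\mathbf{A}}\), the leaves are constructed sample public keys, the tree size is assumed to be a power of two, and revocation is modelled, as the \(\mathbf{upk}\not=0\) constraint suggests, by resetting the revoked user's leaf to zero and rebuilding the tree.

```python
import hashlib

# Constructed stand-in for a revoked leaf.  Assumption: a revoked user's leaf is reset
# to zero, so the relation's upk != 0 constraint rules it out as a signing witness.
ZERO_LEAF = bytes(32)


def h(left: bytes, right: bytes) -> bytes:
    """Two-input hash.  Assumption: SHA-256 replaces the paper's lattice hash h_A."""
    return hashlib.sha256(left + right).digest()


def sample_leaves(count):
    """Constructed sample public keys (real upk values are lattice vectors)."""
    return [hashlib.sha256(b"sample-upk-%d" % i).digest() for i in range(count)]


def build_tree(leaves):
    """Return the tree as a list of levels: levels[0] holds the leaves (the u_l values),
    levels[-1] holds the root u_0.  Assumes len(leaves) is a power of two."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(prev[t], prev[t + 1]) for t in range(0, len(prev), 2)])
    return levels


def auth_path(levels, i):
    """Sibling nodes w_l, ..., w_1 of leaf i, listed from the leaf level upwards."""
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])  # the sibling of the current node on this level
        i >>= 1
    return path


def verify_path(root, leaf, i, path):
    """Recompute u_j = h_A(u_{j+1}, w_{j+1}) when bit i_{j+1} = 0 and
    u_j = h_A(w_{j+1}, u_{j+1}) when it is 1, starting from u_l = leaf, and compare
    with the root u_0.  Bits of i are consumed from the least significant one,
    which is the bit that decides the order at leaf level."""
    u = leaf
    for w in path:
        u = h(u, w) if (i & 1) == 0 else h(w, u)
        i >>= 1
    return u == root


def witness_valid(root, leaf, i, path):
    """The two tree-related constraints of the witness: upk != 0 and a correct path."""
    return leaf != ZERO_LEAF and verify_path(root, leaf, i, path)


def revoke(leaves, i):
    """Zero the user's leaf and rebuild the tree; the root that would be published in
    info_tau changes, so paths against the old root stop verifying."""
    updated = list(leaves)
    updated[i] = ZERO_LEAF
    return build_tree(updated)


def demo():
    """Honest paths verify; after revoking user 3, neither the old witness nor the
    zeroed leaf passes the witness check against the new root."""
    leaves = sample_leaves(8)
    levels = build_tree(leaves)
    root = levels[-1][0]
    all_ok = all(witness_valid(root, leaves[i], i, auth_path(levels, i)) for i in range(8))
    new_levels = revoke(leaves, 3)
    new_root = new_levels[-1][0]
    old_witness_rejected = not witness_valid(new_root, leaves[3], 3, auth_path(levels, 3))
    zero_leaf_rejected = not witness_valid(new_root, ZERO_LEAF, 3, auth_path(new_levels, 3))
    return all_ok, old_witness_rejected, zero_leaf_rejected


if __name__ == "__main__":
    print(demo())
```

Swapping the two hash inputs for a single level already changes the recomputed root, which is why the bit \(i^{\prime}_{j+1}\) must be part of the witness and not just the sibling values; the zeroed leaf still has a valid path under the new root, and it is only the \(\mathbf{upk}\not=0\) constraint that excludes it.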

Theorem 8

The scheme in this paper satisfies the property of tracing soundness in RO model.

Proof

To finish the proof, we first give the following game:

Suppose that \((M,\Sigma,i_{0},\Pi _{trace,i_{0}},i_{1}, \Pi _{trace,i_{1}},\mathbf {info}_{\tau })\) is the output of the adversary \(\mathcal {A}\) in this game. If the game \(\mathbf {Exp}_{FDGS,\mathcal {A}}^{trace-sound}(\lambda)\) finally outputs 1, i.e. \(\mathbf {Judge}(gpk,\mathbf {upk}_{i_{b}},\mathbf {info}_{\tau }, \Pi _{trace},M,\Sigma)=1\), \(i_{0}\not =i_{1}\not =\perp\) and \(\mathbf {Verify}(gpk,\mathbf {info}_{\tau },M,\Sigma)=1\), then we say that \(\mathcal {A}\) wins. Given a transcript \(\Pi _{trace}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), the fact that the algorithm Judge outputs 1 indicates that \(\{RSP_{j}\}_{j=1}^{k^{\prime }}\) are legitimate responses to \(\{CMT_{j}\}_{j=1}^{k^{\prime }},CH\). For any b∈{0,1}, similarly to the proof of unforgeability, we can extract \(\mathbf {S}_{1,b},E_{1,b},\mathbf {y}_{b}\) such that

$$\begin{aligned} \|\mathbf{S}_{1,b}\|_{\infty}\leq\beta,|E_{1,b}|\leq\beta,\|\mathbf{y}_{b}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1,b}^{\top}\cdot \mathbf{B}+E_{1,b}=P_{1,b}\mod q \\ \mathbf{c}_{1,2}-\mathbf{S}_{1,b}^{\top}\cdot c_{1,1}=\mathbf{y}_{b}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{upk}_{i_{b}}\mod q \end{aligned} $$

then we have

$$ {\begin{aligned}\left(\mathbf{S}_{1,0}^{\top}-\mathbf{S}_{1,1}^{\top}\right)\cdot c_{1,1}=(\mathbf{y}_{1}-\mathbf{y}_{0})+\left\lfloor\frac{q}{2}\right\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\mod q \end{aligned}} $$

Suppose that \(\mathbf {upk}_{i_{1}}\not =\mathbf {upk}_{i_{0}}\). Then \(\|\left \lfloor \frac {q}{2}\right \rfloor \cdot (\mathbf {upk}_{i_{1}}-\mathbf {upk}_{i_{0}})\|_{\infty }=\left \lfloor \frac {q}{2}\right \rfloor\) and \(\|\mathbf {y}_{1}-\mathbf {y}_{0}\|_{\infty }\leq 2\cdot \left \lceil \frac {q}{5}\right \rceil \), so

$$ \|(\mathbf{y}_{1}-\mathbf{y}_{0})+\left\lfloor\frac{q}{2}\right\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\|_{\infty}>0 $$

and hence \(\mathbf {S}_{1,0}^{\top }\not =\mathbf {S}_{1,1}^{\top }\). We have thus obtained two different solutions of the equation \(\mathbf {S}_{1}^{\top }\cdot \mathbf {B}+E_{1}=P_{1}\mod q\), which contradicts the fact that there is at most one solution to the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) sample (B,P1). So \(\mathbf {upk}_{i_{1}}=\mathbf {upk}_{i_{0}}\) with overwhelming probability. In other words, the probability that \(\mathcal {A}\) wins is negligible, so the scheme in this paper satisfies the property of tracing soundness. □
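The three relations the extractor yields above, and the step that turns two openings to different identities into a violation of the noise bound, can be followed on a toy integer version of the encryption. The following Python is an added example and not the paper's code: it replaces ring elements with plain vectors over \(\mathbb{Z}_q\), uses constructed toy parameters (q = 257, n = 8, m = 16, k = 4, β = 2) that give no security, scales the message by \(\lfloor q/2\rfloor\) as in the relations above, and checks the Judge bound \(\|\mathbf{y}\|_{\infty}\leq\lceil q/5\rceil\).

```python
import random


def centered(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inf_norm(v, q):
    """Infinity norm of a vector over Z_q using centered representatives."""
    return max(abs(centered(x, q)) for x in v)


def transpose(M):
    return [list(col) for col in zip(*M)]


def mat_vec(M, v, q):
    """M (rows x cols) times v (length cols), reduced mod q."""
    return [sum(row[c] * v[c] for c in range(len(v))) % q for row in M]


def mat_mul(A, Bm, q):
    cols = transpose(Bm)
    return [[sum(a * b for a, b in zip(row, col)) % q for col in cols] for row in A]


def keygen(n, m, k, q, beta, rng):
    """Public B (n x m); secret S (n x k) and E (k x m) with entries in [-beta, beta];
    P = S^T B + E, i.e. the relation S_1^T B + E_1 = P_1 mod q from the proof."""
    B = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    S = [[rng.randint(-beta, beta) for _ in range(k)] for _ in range(n)]
    E = [[rng.randint(-beta, beta) for _ in range(m)] for _ in range(k)]
    StB = mat_mul(transpose(S), B, q)
    P = [[(StB[i][j] + E[i][j]) % q for j in range(m)] for i in range(k)]
    return B, P, S, E


def encrypt(B, P, upk, q, rng):
    """c = (B r, P r + floor(q/2) upk) with binary randomness r, mirroring c_b."""
    r = [rng.randint(0, 1) for _ in range(len(B[0]))]
    c1 = mat_vec(B, r, q)
    Pr = mat_vec(P, r, q)
    c2 = [(Pr[i] + (q // 2) * upk[i]) % q for i in range(len(upk))]
    return c1, c2


def open_ciphertext(c1, c2, S, q):
    """Trace-manager side: v = c2 - S^T c1 = y + floor(q/2) upk.  Decode upk by
    rounding each coordinate and return (upk, y) so the noise bound can be checked."""
    StC1 = mat_vec(transpose(S), c1, q)
    v = [(c2[i] - StC1[i]) % q for i in range(len(c2))]
    upk = [1 if abs(centered(x, q)) > q / 4 else 0 for x in v]
    y = [(v[i] - (q // 2) * upk[i]) % q for i in range(len(v))]
    return upk, y


def judge_accepts(B, P, S, E, c1, c2, upk, q, beta):
    """The extracted relations: small S and E, S^T B + E = P, and
    c2 - S^T c1 = y + floor(q/2) upk with ||y||_inf <= ceil(q/5)."""
    k, m = len(P), len(P[0])
    small_S = all(abs(x) <= beta for row in S for x in row)
    small_E = all(abs(x) <= beta for row in E for x in row)
    StB = mat_mul(transpose(S), B, q)
    key_ok = all((StB[i][j] + E[i][j]) % q == P[i][j] for i in range(k) for j in range(m))
    decoded, y = open_ciphertext(c1, c2, S, q)
    noise_ok = inf_norm(y, q) <= -(-q // 5)  # ceil(q/5)
    return small_S and small_E and key_ok and noise_ok and decoded == upk


def bound_gap(q):
    """floor(q/2) - 2*ceil(q/5).  When positive, two noise vectors that both satisfy
    the Judge bound cannot differ by floor(q/2) in any coordinate, so two accepted
    openings of one ciphertext must decode to the same upk (the step of the proof)."""
    return q // 2 - 2 * (-(-q // 5))


def toy_instance(seed=7, q=257, n=8, m=16, k=4, beta=2):
    """Constructed toy instance: keys, a sample identity upk and its ciphertext."""
    rng = random.Random(seed)
    B, P, S, E = keygen(n, m, k, q, beta, rng)
    upk = [1, 0, 1, 1]  # constructed k-bit identity vector
    c1, c2 = encrypt(B, P, upk, q, rng)
    return dict(B=B, P=P, S=S, E=E, upk=upk, c1=c1, c2=c2, q=q, beta=beta)


if __name__ == "__main__":
    inst = toy_instance()
    print(open_ciphertext(inst["c1"], inst["c2"], inst["S"], inst["q"]))
    print(bound_gap(inst["q"]))
```

With binary r, the decryption noise is y = E·r, so \(\|\mathbf{y}\|_\infty\leq\beta m=32\leq\lceil 257/5\rceil=52\) and honest openings always pass the bound. The function bound_gap makes the inequality behind the proof explicit: \(\lfloor q/2\rfloor-2\lceil q/5\rceil\) is 24 for q = 257, is 0 for q = 21, and is at least 1 for every q ≥ 22 (since \(2\lceil q/5\rceil\leq 0.4q+1.6<0.5q-0.5\leq\lfloor q/2\rfloor\) once q > 21), which is the condition under which \((\mathbf{y}_1-\mathbf{y}_0)+\lfloor q/2\rfloor(\mathbf{upk}_{i_1}-\mathbf{upk}_{i_0})\) cannot vanish.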

Conclusion

In this paper, we give the first ring-based fully dynamic group signature scheme and improve its efficiency mainly in three aspects: the size of the public/secret keys, the dynamic construction of the Merkle hash tree, and the reuse of its leaves. These changes reduce the computational and space complexity substantially. In addition, we avoid the adverse situation in which the group managers generate their keys maliciously. Although we have made considerable effort, there is still much room for improvement in the use of zero-knowledge proofs, and the problem of the delayed verification of a signature is also not solved. Next, we would like to focus on these two problems and carry out related work.