
Designs, Codes and Cryptography, Volume 82, Issue 1–2, pp 469–493

A code-based group signature scheme

  • Quentin Alamélou
  • Olivier Blazy
  • Stéphane Cauchie
  • Philippe Gaborit

Abstract

This work is the extended version of Alamélou et al. (in: Tillich et al. (eds.) The 9th International Workshop on Coding and Cryptography 2015 (WCC2015), 2015), which proposed the first code-based group signature. The new group signature scheme presented here has numerous advantages over all existing post-quantum constructions and even competes, in terms of properties, with pairing-based constructions: it allows new members to be added during the lifetime of the group (the group is dynamic). Moreover, the scheme appears to extend to a traceable signature in the sense of Kiayias et al. (in: Cachin and Camenisch (eds.) Advances in Cryptology—EUROCRYPT 2004, 2004) (KTY model) while also handling membership revocation. Security is proved in a relaxation of the model of Bellare et al. (in: Topics in Cryptology—CT-RSA 2005, 2005) (BSZ model), covering the properties of anonymity, traceability and non-frameability. The main idea of the scheme is to build an offset collision between two syndromes associated with two different matrices: a random matrix, which turns a chosen small-weight vector into a random syndrome, and a trapdoor matrix for the syndrome decoding problem, which makes it possible to find a small-weight preimage of that random syndrome once a fixed syndrome has been added to it. These two small-weight vectors constitute the group member's secret signing key, and knowledge of them is proved with a variant of Stern's authentication protocol. For applications, we consider the code-based CFS signature scheme of Courtois, Finiasz and Sendrier (in: Advances in Cryptology—ASIACRYPT 2001, 2001). If N denotes the number of group members, CFS leads to signature and public key sizes in \(N^{1/\sqrt{\log N}}\). Along with this work, we also introduce a new kind of proof of knowledge, Testable weak Zero Knowledge (TwZK), implicitly covered in the short version of this paper (Alamélou et al. in: Tillich et al. (eds.) The 9th International Workshop on Coding and Cryptography 2015 (WCC2015), 2015). TwZK proofs appear particularly well suited to group signature schemes: they allow a verifier to test whether a specific witness was used without learning anything more from the proof. In the random oracle model (ROM), we reduce the security of the scheme to the One More Syndrome Decoding problem, a new code-based problem related to the syndrome decoding problem (Berlekamp et al. in IEEE Trans. Inf. Theory 24(3):384–386, 1978).
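The offset-collision idea in the abstract can be made concrete with a toy key-generation routine. The following is an added illustration written for this page, not code from the authors or from the paper: it keeps the structure described above (a random parity-check matrix H1, a fixed public syndrome s0, a trapdoor matrix H2 whose small-weight preimages can be found, and a member key (e1, e2) satisfying H1·e1 + H2·e2 = s0 over GF(2)) but replaces the CFS trapdoor (a Goppa code with a secret decoder) with a brute-force syndrome table that is only feasible at these tiny, assumed parameters (r = 10, n = 20, weight 3). The function names, the retry loop in `join` and all parameter values are choices made here, not the paper's.

```python
"""Toy model of the 'offset collision' key generation from the abstract.

Added example, not the authors' code.  The real scheme uses a CFS-style
trapdoor (Goppa code + secret decoder); here the trapdoor is a brute-force
syndrome table, feasible only because the parameters are tiny and chosen
for illustration.  Vectors are n-bit ints; a matrix is the list of its n
column bitmasks (each r bits), so H.e is the XOR of the columns selected by e.
"""
from itertools import combinations
import random


def syndrome(H, e):
    """Return H.e over GF(2): XOR of the columns of H where e has a 1 bit."""
    s = 0
    for j, col in enumerate(H):
        if (e >> j) & 1:
            s ^= col
    return s


def weight(v):
    """Hamming weight of an n-bit int."""
    return bin(v).count("1")


def random_vector(n, w, rng):
    """Uniformly random n-bit vector of weight exactly w."""
    e = 0
    for j in rng.sample(range(n), w):
        e |= 1 << j
    return e


def random_matrix(r, n, rng):
    """Random r x n binary matrix, stored as n column bitmasks."""
    return [rng.getrandbits(r) for _ in range(n)]


def brute_force_trapdoor(H2, t):
    """Stand-in for the CFS decoder: map each syndrome reachable with a
    weight <= t error to one such preimage.  Exponential in t and n, which
    is exactly why the real scheme needs an algebraic trapdoor instead."""
    table = {0: 0}
    n = len(H2)
    for w in range(1, t + 1):
        for idxs in combinations(range(n), w):
            e = 0
            for j in idxs:
                e |= 1 << j
            table.setdefault(syndrome(H2, e), e)
    return table


def join(H1, H2, s0, t1, decoder, rng, max_tries=1000):
    """Issue a member key (e1, e2) with H1.e1 + H2.e2 = s0.

    e1 is a chosen small-weight vector; its syndrome under the random matrix
    H1 is offset by the fixed syndrome s0 and the result is decoded under the
    trapdoor matrix H2.  As in CFS, not every syndrome is decodable, so e1 is
    resampled until decoding succeeds (assumed retry budget: max_tries).
    """
    for _ in range(max_tries):
        e1 = random_vector(len(H1), t1, rng)
        e2 = decoder.get(syndrome(H1, e1) ^ s0)
        if e2 is not None:
            return e1, e2
    raise RuntimeError("no decodable offset found; raise t or the retry budget")


def check_member_key(H1, H2, s0, e1, e2, t1, t2):
    """What a verifier can check without any trapdoor: both vectors are
    small-weight and their syndromes collide up to the offset s0.  In the
    scheme this relation is proved in zero knowledge rather than revealed."""
    return (weight(e1) <= t1 and weight(e2) <= t2
            and syndrome(H1, e1) ^ syndrome(H2, e2) == s0)


def demo(seed=7, r=10, n=20, t1=3, t2=3):
    """Run one key issuance at toy parameters and return all the pieces."""
    rng = random.Random(seed)          # seeded only so the run is reproducible
    H1 = random_matrix(r, n, rng)      # public random matrix
    H2 = random_matrix(r, n, rng)      # public matrix; its decoder is the trapdoor
    s0 = rng.getrandbits(r)            # fixed public offset syndrome
    decoder = brute_force_trapdoor(H2, t2)
    e1, e2 = join(H1, H2, s0, t1, decoder, rng)
    return H1, H2, s0, e1, e2


if __name__ == "__main__":
    H1, H2, s0, e1, e2 = demo()
    print("key valid:", check_member_key(H1, H2, s0, e1, e2, 3, 3))
```

Only the issuer, holding the decoder for H2, can complete `join`; the relation checked by `check_member_key` is what a member later proves via the Stern-type protocol, with the two vectors staying secret.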

Keywords

Code-based cryptography · Group signature · Proof of knowledge · Random oracle model

Mathematics Subject Classification

81P94 · 94A60

Acknowledgments

The authors would like to thank the anonymous reviewers for their helpful comments, which notably improved the present work.

References

  1. Chaum D., van Heyst E.: Group signatures. In: Advances in Cryptology—EUROCRYPT ’91, Workshop on the Theory and Application of Cryptographic Techniques, Brighton, 8–11 April 1991, Proceedings, pp. 257–265 (1991).
  2. Bellare M., Micciancio D., Warinschi B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Advances in Cryptology—EUROCRYPT 2003, International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, 4–8 May 2003, Proceedings, pp. 614–629 (2003).
  3. Bellare M., Shi H., Zhang C.: Foundations of group signatures: the case of dynamic groups. In: Topics in Cryptology—CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, San Francisco, 14–18 Feb 2005, Proceedings, pp. 136–153 (2005).
  4. Boneh D., Boyen X., Shacham H.: Short group signatures. In: Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, 15–19 Aug 2004, Proceedings, pp. 41–55 (2004).
  5. Boneh D., Shacham H.: Group signatures with verifier-local revocation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS 2004), Washington, DC, 25–29 Oct 2004, pp. 168–177 (2004).
  6. Camenisch J., Lysyanskaya A.: Signature schemes and anonymous credentials from bilinear maps. In: Advances in Cryptology—CRYPTO 2004, 24th Annual International Cryptology Conference, Santa Barbara, 15–19 Aug 2004, Proceedings, pp. 56–72 (2004).
  7. Delerablée C., Pointcheval D.: Dynamic fully anonymous short group signatures. In: Progress in Cryptology—VIETCRYPT 2006, First International Conference on Cryptology in Vietnam, 25–28 Sept 2006, Revised Selected Papers, pp. 193–210 (2006).
  8. Groth J.: Fully anonymous group signatures without random oracles. In: Advances in Cryptology—ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, 2–6 Dec 2007, Proceedings, pp. 164–180 (2007).
  9. Kiayias A., Tsiounis Y., Yung M.: Traceable signatures. In: Cachin C., Camenisch J.L. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 571–589. Springer, Berlin (2004).
  10. Libert B., Yung M.: Efficient traceable signatures in the standard model. In: Pairing-Based Cryptography—Pairing 2009, Third International Conference, Palo Alto, 12–14 Aug 2009, Proceedings, pp. 187–205 (2009).
  11. Gordon S.D., Katz J., Vaikuntanathan V.: A group signature scheme from lattice assumptions. In: Advances in Cryptology—ASIACRYPT 2010, 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 5–9 Dec 2010, Proceedings, pp. 395–412 (2010).
  12. Laguillaumie F., Langlois A., Libert B., Stehlé D.: Lattice-based group signatures with logarithmic signature size. In: Advances in Cryptology—ASIACRYPT 2013, 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, 1–5 Dec 2013, Proceedings, Part II, pp. 41–61 (2013).
  13. Langlois A., Ling S., Nguyen K., Wang H.: Lattice-based group signature scheme with verifier-local revocation. In: Public-Key Cryptography—PKC 2014, 17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, 26–28 March 2014, Proceedings, pp. 345–361 (2014).
  14. Ling S., Nguyen K., Wang H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Public-Key Cryptography—PKC 2015, 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, 30 March–1 April 2015, Proceedings, pp. 427–449 (2015).
  15. Nguyen P.Q., Zhang J., Zhang Z.: Simpler efficient group signatures from lattices. In: Public-Key Cryptography—PKC 2015, 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, 30 March–1 April 2015, Proceedings, pp. 401–426 (2015).
  16. Ezerman M.F., Lee H.T., Ling S., Nguyen K., Wang H.: A provably secure group signature scheme from code-based assumptions. IACR Cryptology ePrint Archive 2015, 479 (2015).
  17. Libert B., Ling S., Mouhartem F., Nguyen K., Wang H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. IACR Cryptology ePrint Archive 2016, 101 (2016).
  18. Courtois N., Finiasz M., Sendrier N.: How to achieve a McEliece-based digital signature scheme. In: Advances in Cryptology—ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, 9–13 Dec 2001, Proceedings, pp. 157–174 (2001).
  19. Alamélou Q., Blazy O., Cauchie S., Gaborit P.: A code-based group signature scheme. In: Charpin P., Sendrier N., Tillich J.-P. (eds.) Proceedings of the 9th International Workshop on Coding and Cryptography 2015 (WCC2015), France, April 2015.
  20. Goldwasser S., Micali S., Rackoff C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989).
  21. Berlekamp E.R., McEliece R.J., van Tilborg H.C.A.: On the inherent intractability of certain coding problems (corresp.). IEEE Trans. Inf. Theory 24(3), 384–386 (1978).
  22. MacWilliams F.J., Sloane N.J.A.: The Theory of Error-Correcting Codes, 2nd edn. North-Holland, Amsterdam (1978).
  23. Arora S., Babai L., Stern J., Sweedyk Z.: The hardness of approximate optima in lattices, codes, and systems of linear equations. In: 34th Annual Symposium on Foundations of Computer Science, Palo Alto, 3–5 Nov 1993, pp. 724–733 (1993).
  24. Bellare M., Namprempre C., Pointcheval D., Semanko M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003).
  25. Stern J.: A new identification scheme based on syndrome decoding. In: Advances in Cryptology—CRYPTO ’93, 13th Annual International Cryptology Conference, Santa Barbara, 22–26 Aug 1993, Proceedings, pp. 13–21 (1993).
  26. Stern J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996).
  27. Fiat A., Shamir A.: How to prove yourself: practical solutions to identification and signature problems. In: Advances in Cryptology—CRYPTO ’86, Santa Barbara, 1986, Proceedings, pp. 186–194 (1986).
  28. Feige U., Shamir A.: Witness indistinguishable and witness hiding protocols. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, Baltimore, 13–17 May 1990, pp. 416–426 (1990).
  29. Faugère J.-C., Gauthier-Umaña V., Otmani A., Perret L., Tillich J.-P.: A distinguisher for high rate McEliece cryptosystems. In: 2011 IEEE Information Theory Workshop (ITW 2011), Paraty, Brazil, 16–20 Oct 2011, pp. 282–286 (2011).
  30. Mathew K.P., Vasant S., Rangan C.P.: A provably secure signature and signcryption scheme using the hardness assumptions in coding theory. In: Lee H.-S., Han D.-G. (eds.) Information Security and Cryptology—ICISC 2013, 16th International Conference, Seoul, Korea, 27–29 Nov 2013, Revised Selected Papers, pp. 342–362 (2013).
  31. Becker A., Joux A., May A., Meurer A.: Decoding random binary linear codes in \(2^{n/20}\): how \(1 + 1 = 0\) improves information set decoding. In: Advances in Cryptology—EUROCRYPT 2012, 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, 15–19 April 2012, Proceedings, pp. 520–536 (2012).
  32. Finiasz M., Sendrier N.: Security bounds for the design of code-based cryptosystems. In: Advances in Cryptology—ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, 6–10 Dec 2009, Proceedings, pp. 88–105 (2009).

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  • Quentin Alamélou (1, 2)
  • Olivier Blazy (1)
  • Stéphane Cauchie (2)
  • Philippe Gaborit (1)
  1. XLIM-DMI, Université de Limoges, Limoges, France
  2. R&D Department, Worldline, Seclin, France
