Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Libert, Benoît; Ling, San; Nguyen, Khoa; Wang, Huaxiong

doi:10.1007/s00145-023-09470-6

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Research Article
Open access
Published: 25 May 2023

Volume 36, article number 23, (2023)
Cite this article

Download PDF

You have full access to this open access article

Journal of Cryptology Aims and scope Submit manuscript

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Download PDF

Benoît Libert^1,2,
San Ling³,
Khoa Nguyen^3,4 &
…
Huaxiong Wang³

2466 Accesses
3 Citations
Explore all metrics

Abstract

An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership. In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zero-knowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern’s protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) the first lattice-based ring signatures with logarithmic size in the cardinality of the ring and (ii) the first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

BLOOM: Bimodal Lattice One-out-of-Many Proofs and Applications

Short Lattice-Based One-out-of-Many Proofs and Applications to Ring Signatures

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

1 Introduction

Cryptographic accumulators were introduced by Benaloh and de Mare [9] as alternatives to digital signatures in the design of distributed protocols. While initially used in time-stamping and membership testing mechanisms [9], they found numerous applications in the context of fail-stop signatures [6], anonymous credentials [1, 20, 21], group signatures [80], anonymous ad hoc authentication [32], digital cash [5, 23, 65], set membership proofs [75, 81] or authenticated data structures [71, 72] (see [30] for further examples).

In a nutshell, an accumulator is a sort of algebraic hash function that maps a large set R of inputs into a short, constant-size accumulator value u such that an efficiently computable short witness w provides evidence that a given input was indeed incorporated into the hashed set. In order to be useful, the size of the witness should be much smaller than the cardinality of the input set. An extension, suggested by Camenisch and Lysyanskaya [21], allows the accumulator value to be updated over time, by adding or deleting elements of the hashed set while preserving the ability to efficiently update witnesses. For most applications, the usual security requirement mandates the infeasibility of computing an accumulator value u and a valid witness w for an element x outside the set of hashed inputs. This is made possible by public-key techniques like the existence of a trapdoor (e.g., the factorization of an RSA modulus or the discrete logarithm of some public group element) hidden behind public parameters.

So far, number-theoretic realizations have been divided into two main families. The first one relies on groups of hidden order [6, 9, 14, 58] and includes proposals based on the Strong RSA assumption [6, 49]. The second main family [20, 69] was first explored by Nguyen [69] and appeals to bilinear maps (a.k.a. pairings) and assumptions of variable size like the Strong Diffie–Hellman assumption [13]. Strong-RSA-based candidates enjoy the advantage of short public parameters and they easily extend into universal accumulators [49] (where non-membership witnesses can show that a given input was not accumulated). While pairing-based schemes [20, 69] usually require linear-size public parameters in the number of elements to be hashed, they are useful in applications [5, 23] where we want to limit the number of elements to be hashed. A third family (e.g., [71]) of constructions relies on Merkle trees [61] rather than number-theoretic assumptions. Its main disadvantage is that the use of hash trees makes it hardly compatible with efficient zero-knowledge proofs, which are inevitable ingredients of privacy-preserving protocols [1, 20, 21, 80]. In fact, currently known methods [8, 14] for reconciling Merkle trees and zero-knowledge proofs do require non-standard assumptions in groups of hidden order [14] or the machinery of SNARKs, which inherently rely on non-falsifiable [66] knowledge assumptions [39].

Despite its wide range of applications, the accumulator primitive still has a relatively small number of efficient realizations. For the time being, most known solutions require non-standard ad hoc assumptions like Strong RSA or Strong Diffie–Hellman. To our knowledge, the only exception is a generic construction from vector commitments [25], which leaves open the problem of developing candidates based on the standard Computational Diffie–Hellman assumption (in groups without a bilinear map) or zero-knowledge-friendly lattice-based schemes. In this paper, we describe a new construction based on standard lattice assumptions, which interacts nicely with zero-knowledge proofs despite the use of Merkle trees. We show that this new construction enables new, unexpected applications to the design of lattice-based ring signatures and group signatures.

Our Contributions. We describe a lattice-based accumulator^{Footnote 1} that enables short zero-knowledge arguments of membership. Our construction relies on a Merkle hash tree which is computed in a special way that makes it compatible with efficient protocols for proving possession of a secret value (i.e., a leaf of the tree) that is properly accumulated in the root of the tree. More specifically, our system allows demonstrating the knowledge of a hash chain from the considered secret leaf to the root in a zero-knowledge manner. This building block enables many interesting applications. In particular, we use it to design lattice-based ring and group signatures with dramatic improvements over the existing constructions. In the random oracle model, we obtain:

The first lattice-based ring signature with logarithmic signature size in the cardinality of the ring. So far, all suggested proposals have linear size in the number of ring members.
A lattice-based group signature with much shorter public key, signature length, and weaker hardness assumptions than all earlier realizations. The scheme is built upon relatively basic lattice-based cryptographic primitives and can work with parameters much smaller than those required by previous works.

Our ring signature does not require any other setup assumption than having all users agree on a modulus q, a lattice dimension n and a random matrix $\textbf{A} \in \mathbb {Z}_q^{n \times m}$ (which can be derived from a random oracle). It provably satisfies the strong security definitions put forth by Bender, Katz and Morselli [10].

Our group signature is analyzed in the setting of static groups using the definitions of Bellare, Micciancio and Warinschi [7]. Its salient feature (which it shares with our ring signature) is that, unlike all earlier candidates [22, 37, 48, 56, 70], it does not require the use of a trapdoor (as defined by Gentry, Peikert and Vaikuntanathan [35]) consisting of a short basis of some lattice. It thus eliminates one of the frequently cited reasons [60] for which lattice-based signatures tend to be impractical. In fact, our group signature departs from previously used design principles—which are all inspired in some way by the general construction of [7]—in that, surprisingly, it does not even require an ordinary digital signature to begin with. All we need is a lattice-based accumulator with a compatible zero-knowledge argument system for arguing knowledge of a hash chain.

Our Techniques. Our accumulator proceeds by computing a Merkle tree using a hash function based on the Small Integer Solution ($\textsf{SIS}$) problem, which is a variant of the hash functions considered in [3, 36, 64]. Instead of hashing a vector $\textbf{x} \in \{0,1\}^m$ by computing its syndrome $\textbf{A} \cdot \textbf{x} \in \mathbb {Z}_q^n$ via a random matrix $\textbf{A} \in \mathbb {Z}_q^{n \times m}$, it outputs the coordinate-wise binary decomposition $\textsf{bin}(\textbf{A} \cdot \textbf{x} \bmod q) \in \{0,1\}^{m/2}$ of the syndrome to obtain the two-fold compression factor that is needed for iteratively applying the function in a Merkle tree. However, Papamanthou et al. [71] did not consider the problem of proving knowledge of a hash chain in a zero-knowledge fashion. The main technical novelty that we introduce is thus a method for demonstrating knowledge of a Merkle-tree hash chain using the framework of Stern’s protocol [79].

Using this method, we build ring and group signatures with logarithmic size in the number of ring or group members involved. Our constructions are conceptually simple. Each user’s private key is a random m-bit vector $\textbf{x} \in \{0,1\}^m$ and the matching public key is the binary expansion $\textbf{d}=\textsf{bin}(\textbf{A} \cdot \textbf{x} \bmod q) \in \{0,1\}^{m/2}$ of the corresponding syndrome. In order to sign a message, the user considers an accumulation $\textbf{u} \in \{0,1\}^{m/2}$ of all users’ public keys $R=(\textbf{d}_0,\ldots ,\textbf{d}_{N-1})$—which is obtained by dynamically forming the ring R in the ring signature and simply consists of the group public key in the group signature—and generates a Stern-type argument that: (i) His public key $\textbf{d}_j$ belongs to the hashed set R; (ii) He knows the underlying secret $\textbf{d}_j=\textsf{bin}(\textbf{A} \cdot \textbf{x}_j \bmod q)$; (iii—for the group signature) He has honestly encrypted the binary representation of the integer j determining his position in the tree to a ciphertext attached in the signature. In order to acquire anonymity in the strongest sense (i.e., where the adversary is granted access to a signature opening oracle), we apply the Naor-Yung paradigm [67] to the multi-bit version [45, 74] of Regev’s encryption scheme [76], as was previously considered in [11]. As pointed out earlier, the advantage of not relying on an ordinary digital signature^{Footnote 2} lies in that it does not require any party (i.e., neither the group manager nor the group members in the case of group signatures) to have a GPV trapdoor [35] consisting of a short lattice basis. As emphasized by Lyubashevsky [60], explicitly avoiding the use of such trapdoors allows for drastically more efficient choices of parameters. As by-products, our scheme features much smaller group public key and users’ secret keys, produces shorter signatures, and relies on weaker hardness assumptions than all of the existing lattice-based group signature schemes [22, 37, 47, 56, 70] in the BMW model [7].

In the following, we give an estimated efficiency comparison among our group signature and the previous 2 most efficient schemes with CCA-anonymity, by Ling et al. [56] and Nguyen et al. [70]. The estimations are done with parameter $n=2^8$, group size $N=1024$, and soundness error $2^{-80}$ for the NIZKs.

Ling et al.’s scheme requires $q={\mathcal {O}}(\log N\cdot n^2)$, $m \ge 2n \log q$, so we set $q=2^{18}$ and $m=2^9\cdot 18$. The infinity norm bound for discrete Gaussian samples is $2^6$. The scheme produces group public key size 65.8 MB; user’s secret key size 13.5 KB (a Boyen signature [17]); and signature size 1.20 GB.
Nguyen et al.’s scheme requires $q>m^{8.5}$, $m \ge 2n \log q$, so we set $q = 2^{142}$ and $m = 2^9\cdot 142$. The scheme produces group public key size 2.15 GB; user’s secret key size 90 GB (a trapdoor in ${\mathbb {Z}}^{3m \times 3m}$ with $(\log m)$-bit entries); and signature size 500 MB.
Our scheme works with $q=2^8$, $m= 2^9\cdot 8$, and parameters $p = 32719$, $m_E = 7980$ for the encryption layer. The scheme features public key size 4.9 MB; user’s secret key size 3.25 KB; and it produces signatures of size 61.5 MB.

Related Work. While originally suggested as a 3-move code-based identification scheme, Stern’s protocol was adapted to the lattice setting by Kawachi et al. [46] and extended by Ling et al. [55] into an argument system for the Inhomogeneous Small Integer Solution (ISIS) problem. In particular, Ling et al. gave a method, called decomposition-extension framework, which allows arguing knowledge of an integer vector $\textbf{x} \in \mathbb {Z}^m$ of norm $\Vert \textbf{x} \Vert _\infty \le \beta $ such that $\textbf{A} \cdot \textbf{x} = \textbf{u} \in \mathbb {Z}_q^{n}$ without leaving any gap between the vector computed by the knowledge extractor and the actual witness $\textbf{x}$. As shown in [56], the technique of Ling et al. [55] can be used to prove more involved statements such as the possession of a Boyen signature [17] on a message encrypted by a dual Regev ciphertext [35]. Here, we take one step further and develop a zero-knowledge argument of knowledge (ZKAoK) that a specific element of some universe belongs to a hashed set.

Ring signatures were introduced by Rivest, Shamir and Tauman-Kalai [77] with the motivation of hiding the identity of a source (e.g., a whistleblower in a political scandal) while providing guarantees of trustworthiness. Bender, Katz and Morselli [10] gave stringent security definitions while constructions with sub-linear signature size were given by Chandran, Groth and Sahai [26]. The celebrated results of Gentry, Peikert and Vaikuntanathan [35] inspired a number of lattice-based ring signatures. The state-of-the-art construction probably stems from the framework of Brakerski and Tauman-Kalai [18], which results in linear size in the number of ring members. The same holds for all known Fiat–Shamir-like lattice-based ring signatures (e.g., [2, 46]), although some of them do not require a trapdoor. Thus far, the only logarithmic-size ring signatures [16, 40] arise from the results of Groth and Kohlweiss [40] and it is not clear how to extend them to the lattice setting.

The notion of group signatures dates back to Chaum and Van Heyst [27]. While viable constructions were given in the seminal paper by Ateniese, Camenisch, Joye and Tsudik [4], their security notions remained poorly understood until the work of Bellare, Micciancio and Warinschi [7]. The first lattice-based proposal came out with the results of Gordon, Katz and Vaikuntanathan [37], which inspired a number of follow-up works describing new systems with a better asymptotic efficiency [47, 56, 70] or additional properties [22, 48]. For the time being, the most efficient candidates are the recent concurrent proposals of Nguyen et al. and Ling et al. [56, 70]. As it turns out, except for one scheme [11] that mixes lattice-based and discrete-logarithm-related assumptions, all currently available candidates [22, 47, 48, 56, 70] utilize a GPV trapdoor, either to perform the setup of the system or to trace signatures (or both). Our results thus provide the first system that completely eliminates GPV trapdoors.

At a high level, our $\textsf{ZKAoK}$ system is partially inspired by the way Langlois et al. [48] made use of the Bonsai tree technique [24] since it proves knowledge of a solution to a $\textsf{SIS}$ problem determined by the user’s position in a tree. However, there are fundamental differences since our tree is built in a bottom-up (rather than top-down) manner and we do not perform any trapdoor delegation.

Subsequent Work. After the publication of [52], our lattice-based accumulator and its supporting zero-knowledge argument system were applied to design various lattice-based privacy-preserving constructions, such as fully dynamic group signatures [57], anonymous reputation systems [43], adaptive oblivious transfers with access control [51] and non-membership arguments [54]. The idea of using Merkle-tree accumulators supported by zero-knowledge proofs to build Fiat–Shamir anonymous signatures has also been used in several subsequent works—including those of Derler et al. [31], Boneh et al. [15] and Katz et al. [44]—which consider the design of practically efficient post-quantum ring and group signatures from symmetric-key primitives. Furthermore, since the publication of [52], the cryptography research community has been paying considerable attention to the design of trapdoor-free and practical lattice-based group signatures, leading to the recent introduction of an appealing scheme by del Pino et al. [29].

2 Preliminaries

Notations. We assume that all vectors are column vectors. The concatenation of matrices ${\textbf{A}} \in \mathbb {Z}^{k \times i}$, ${\textbf{B}} \in {\mathbb {Z}}^{k \times j}$ is denoted by $[{\textbf{A}} | {\textbf{B}}] \in {\mathbb {Z}}^{k \times (i + j)}$. For $b\in \{0,1\}$, we denote the bit $1-b \in \{0,1\}$ by ${\bar{b}}$. For a positive integer i, we let [i] be the set $\{1, \ldots , i\}$. If S is a finite set, $x \xleftarrow {\$} S$ means that x is chosen uniformly at random from S. All logarithms are of base 2. The addition in ${\mathbb {Z}}_2$ is denoted by $\oplus $.

In this section, we first recall the average-case lattice problems SIS and LWE, together with their hardness results; and the notion of statistical zero-knowledge arguments of knowledge. The definitions and security requirements of cryptographic accumulators, ring signatures, and group signatures are deferred to their respective Sects. 3, 4, and 5.

2.1 Average-Case Lattice Problems

Definition 1

([3, 35]) The $\textsf{SIS}^{\infty }_{n,m,q,\beta }$ problem is as follows: Given uniformly random matrix ${\textbf{A}} \in {\mathbb {Z}}_q^{n \times m}$, find a nonzero vector ${\textbf{x}} \in {\mathbb {Z}}^m$ such that $\Vert {\textbf{x}}\Vert _\infty \le \beta $ and $\mathbf {A\cdot x=0} \bmod q.$

If $m, \beta = \textsf{poly}(n)$, and $q > \beta \cdot \widetilde{{\mathcal {O}}}(\sqrt{n})$, then the $\textsf{SIS}^{\infty }_{n,m,q,\beta }$ problem is at least as hard as the worst-case lattice problem $\textsf{SIVP}_\gamma $ for some $\gamma = \beta \cdot \widetilde{{\mathcal {O}}}(\sqrt{nm})$ (see [35, 63]). Specifically, when $\beta =1$, $q = \widetilde{{\mathcal {O}}}(n)$, $m = 2n \lceil \log q \rceil $, the $\textsf{SIS}^{\infty }_{n,m,q,1}$ problem is at least as hard as $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$.

In the last decade, numerous SIS-based cryptographic primitives have been proposed. In this work, we will extensively employ 2 such constructions:

The Merkle tree accumulator we consider is built upon a specific family of collision-resistant hash functions, which is a syntactic modification (i.e., it takes two inputs, instead of one) of the one presented in [3, 64]. A similar scheme that works with larger SIS norm bound $\beta $ was proposed in [71].
Our zero-knowledge argument systems use the statistically hiding and computationally binding string commitment scheme from [46].

For appropriate settings of parameters, the security of the above two constructions can be based on the worst-case hardness of $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$.

In the group signature in Sect. 5, we will employ the multi-bit version of Regev’s encryption scheme [76], presented in [45, 74]. The scheme is based on the hardness of the LWE problem.

Definition 2

([76]) Let $n,m_E \ge 1$, $p \ge 2$, and let $\chi $ be a probability distribution on ${\mathbb {Z}}$. For ${\textbf{s}} \in {\mathbb {Z}}_p^n$, let $A_{{\textbf{s}}, \chi }$ be the distribution obtained by sampling ${\textbf{a}} \xleftarrow {\$} {\mathbb {Z}}_q^n$ and $e \hookleftarrow \chi $, and outputting $({\textbf{a}}, {\textbf{s}}^\top \cdot {\textbf{a}} + e) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p$. The $\textsf {LWE}_{n,p,\chi }$ problem asks to distinguish $m_E$ samples chosen according to ${\mathcal {A}}_{{\textbf{s}},\chi }$ (for ${\textbf{s}} \xleftarrow {\$} {\mathbb {Z}}_p^n$) and $m_E$ samples chosen according to the uniform distribution over ${\mathbb {Z}}_p^n \times {\mathbb {Z}}_p$.

If p is a prime power, $\chi $ is the discrete Gaussian distribution $D_{{\mathbb {Z}}, \alpha p}$, where $\alpha p \ge 2\sqrt{n}$, then $\textsf{LWE}_{n,p,\chi }$ is as least as hard as $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n/\alpha )}$ (see [62, 63, 73, 76]).

2.2 Zero-Knowledge Arguments of Knowledge

We will work with statistical zero-knowledge argument systems, namely, interactive protocols where the zero-knowledge property holds against any cheating verifier, while the soundness property only holds against computationally bounded cheating provers. More formally, let the set of statements-witnesses $\textrm{R} = \{(y,w)\} \in \{0,1\}^* \times \{0,1\}^*$ be an NP relation. A two-party game $\langle {\mathcal {P}},{\mathcal {V}} \rangle $ is called an interactive argument system for the relation $\textrm{R}$ with soundness error e if the following two conditions hold:

Completeness. If $(y,w) \in \textrm{R}$ then $\textrm{Pr}\big [\langle {\mathcal {P}}(y,w),{\mathcal {V}}(y) \rangle =1\big ]=1.$
Soundness. If $(y,w) \not \in \textrm{R}$, then $\forall $ PPT $\widehat{{\mathcal {P}}}$: $\textrm{Pr}[\langle \widehat{{\mathcal {P}}}(y,w),{\mathcal {V}}(y) \rangle =1] \le e.$

An argument system is called statistical zero-knowledge if for any $\widehat{{\mathcal {V}}}(y)$, there exists a PPT simulator ${\mathcal {S}}(y)$ producing a simulated transcript that is statistically close to the one of the real interaction between ${\mathcal {P}}(y,w)$ and $\widehat{{\mathcal {V}}}(y)$. A related notion is argument of knowledge, which requires the witness-extended emulation property. For protocols consisting of 3 moves (i.e., commitment-challenge-response), witness-extended emulation is implied by special soundness [38], where the latter assumes that there exists a PPT extractor which takes as input a set of valid transcripts with respect to different values of the ‘challenge’ to the same ‘commitment’, and outputs $w'$ such that $(y,w') \in \textrm{R}$.

The statistical zero-knowledge arguments of knowledge (sZKAoK) presented in this work are Stern-type [79]. In particular, they are $\Sigma $-protocols in the generalized sense defined in [11, 41] (where 3 valid transcripts are needed for extraction, instead of just 2). The main idea of Stern-type protocols is to use a random permutation over coordinates of a secret vector to prove that the latter satisfies a given constraint (e.g., having fixed Hamming weight). Several works rely on Stern-type protocols to design lattice-based [28, 50, 55, 56] and code-based [33, 41, 68] cryptographic constructions.

2.2.1 An Abstraction of Stern’s Protocol

Here, we recall an abstract Stern-type protocol, proposed in [53]. The protocol handles modular equations with respect to $\nu \ge 1$ moduli $q_1, \ldots , q_\nu $, where secret witnesses may simultaneously appear across multiple equations.

Let $n_i$ and $d_i \ge n_i$ be positive integers, and let $K = n_1 + \cdots + n_\nu $ and $D = d_1+ \cdots + d_\nu $. Suppose that $\textsf{VALID}$ is a subset of $\{0,1\}^D$ and ${\mathcal {S}}$ is a finite set such that every $\phi \in {\mathcal {S}}$ can be associated with a permutation $\Gamma _\phi $ of D elements satisfying the conditions

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{w}} \in \textsf{VALID} \Longleftrightarrow \Gamma _\phi ({\textbf{w}}) \in \textsf{VALID}; \\ \text {If } {\textbf{w}} \in \textsf{VALID} \text { and } \phi \text { is uniform in } {\mathcal {S}}, \text { then } \Gamma _\phi ({\textbf{w}}) \text { is uniform in } \textsf{VALID}. \end{array}\right. } \end{aligned}$$

(1)

In the abstract protocol, for public matrices $\{{\textbf{M}}_i \in {\mathbb {Z}}_{q_i}^{n_i \times d_i}\}_{i \in [\nu ]}$ and vectors $\{{\textbf{u}}_i \in {\mathbb {Z}}_{q_i}^{n_i}\}_{i \in [\nu ]}$, the prover argues in zero-knowledge the possession of integer vectors $\{{\textbf{w}}_i \in \{0,1\}^{d_i}\}_{i\in [\nu ]}$ such that:

$$\begin{aligned} ~&~{\textbf{w}} = \big ({\textbf{w}}_1^\top \mid \cdots \mid {\textbf{w}}_\nu ^\top \big )^\top \in \textsf{VALID}, \end{aligned}$$

(2)

$$\begin{aligned} ~&~\forall i \in [\nu ]: {\textbf{M}}_i \cdot {\textbf{w}}_i = {\textbf{u}}_i \bmod q_i. \end{aligned}$$

(3)

Formally, the goal is to construct a statistical ZKAoK for the following relation:

$$\begin{aligned} \mathrm {R_{abstract}} = \big \{\{({\textbf{M}}_i, {\textbf{u}}_i) \in {\mathbb {Z}}_{q_i}^{n_i \times d_i} \times {\mathbb {Z}}_{q_i}^{n_i}\}_{i \in [\nu ]},{} & {} {\textbf{w}} = \big ({\textbf{w}}_1^\top \mid \cdots \mid {\textbf{w}}_\nu ^\top \big )^\top \in \textsf{VALID}:\\{} & {} {\textbf{M}}_i \cdot {\textbf{w}}_i = {\textbf{u}}_i \bmod q_i, \forall i \in [\nu ]\big \}. \end{aligned}$$

Looking ahead, all the statements considered in Sects. 3, 4 and 5 will be reduced to the above setting. Specifically, the protocols in Sects. 3, 4 work with a single modulus q, and the underlying relations will be reduced to instances of

$$\begin{aligned} \mathrm {R_{abstract}} = \big \{\big (({\textbf{M}}, {\textbf{u}}), {\textbf{w}}\big ) \in ({\mathbb {Z}}_q^{K \times D} \times {\mathbb {Z}}_q^K) \times \textsf{VALID}: {\textbf{M}} \cdot {\textbf{w}} = {\textbf{u}} \bmod q\big \}. \end{aligned}$$

Meanwhile, the protocol considered in Sect. 5 deals with two moduli q and p and will be reduced to an instance of $\mathrm {R_{abstract}}$ with $\nu =2$.

The main ideas underlying the protocol are as follows. To prove (2), the prover samples $\phi \xleftarrow {\$} {\mathcal {S}}$ and provides evidence that $\Gamma _\phi ({\textbf{w}}) \in \textsf{VALID}$. The verifier should be convinced while learning nothing else, owing to the aforementioned properties of the sets $\textsf{VALID}$ and ${\mathcal {S}}$. Meanwhile, to prove that equations (3) hold, the prover uses masking vectors $\{{\textbf{r}}_i \xleftarrow {\$} {\mathbb {Z}}_{q_i}^{d_i}\}_{i\in [\nu ]}$ and demonstrates instead that ${\textbf{M}}_i\cdot ({\textbf{w}}_i + {\textbf{r}}_i) = {\textbf{u}}_i + {\textbf{M}}_i\cdot {\textbf{r}}_i \bmod q_i$.

The interaction between prover ${\mathcal {P}}$ and verifier ${\mathcal {V}}$ is described in Fig. 1. The common input consists of $\{{\textbf{M}}_i \in {\mathbb {Z}}_{q_i}^{n_i \times d_i}\}_{i \in [\nu ]}$ and $\{{\textbf{u}}_i \in {\mathbb {Z}}_{q_i}^{n_i}\}_{i \in [\nu ]}$, while ${\mathcal {P}}$’s secret input is ${\textbf{w}} = \big ({\textbf{w}}_1^\top \mid \cdots \mid {\textbf{w}}_\nu ^\top \big )^\top $. The protocol makes use of a statistically hiding and computationally binding string commitment scheme COM such as the SIS-based commitment of [46].

For simplicity of presentation, for vectors ${\textbf{w}} = \big ({\textbf{w}}_1^\top \mid \cdots \mid {\textbf{w}}_\nu ^\top \big )^\top \in {\mathbb {Z}}^D$ and ${\textbf{r}} = \big ({\textbf{r}}_1^\top \mid \cdots \mid {\textbf{r}}_\nu ^\top \big )^\top \in {\mathbb {Z}}^D$, we denote by ${\textbf{w}} \boxplus {\textbf{r}}$ the operation that computes ${\textbf{z}}_i = {\textbf{w}}_i + {\textbf{r}}_i \bmod q_i$ for all $i \in [\nu ]$, and outputs D-dimensional integer vector ${\textbf{z}} = \big ({\textbf{z}}_1 \Vert \ldots \Vert {\textbf{z}}_\nu \big )$. We note that, for all $\phi \in {\mathcal {S}}$, if ${\textbf{t}} = \Gamma _{\phi }({\textbf{w}})$ and ${\textbf{s}} = \Gamma _{\phi }({\textbf{r}})$, then we have $\Gamma _\phi ({\textbf{w}} \boxplus {\textbf{r}}) = {\textbf{t}} \boxplus {\textbf{s}}$.

The properties of the protocol are summarized in Theorem 1.

Theorem 1

([53]) Suppose that $\textsf{COM}$ is a statistically hiding and computationally binding string commitment. Then, the protocol of Fig. 1 is a statistical ZKAoK for $\textrm{R}_{\textrm{abstract}}$, with perfect completeness, soundness error 2/3, and communication cost ${{\mathcal {O}}}\big (\sum _{i=1}^\nu d_i \cdot \log q_i\big )$. In particular:

There exists an efficient simulator that, on input $\{{\textbf{M}}_i, {\textbf{u}}_i\}_{i \in [\nu ]}$, outputs an accepted transcript statistically close to that produced by the real prover.
There exists an efficient knowledge extractor that, on input a commitment $\textrm{CMT}$ as well as valid responses $(\textrm{RSP}_1, \textrm{RSP}_2, \textrm{RSP}_3)$ to all three possible values of the challenge Ch, outputs a witness ${\textbf{w}}' = ({\textbf{w}}_1' \Vert \ldots \Vert {\textbf{w}}_\nu ') \in \textsf{VALID}$ such that ${\textbf{M}}_i \cdot {\textbf{w}}'_i = {\textbf{u}}_i \bmod q_i$, for all $i \in [\nu ]$.

The proof of Theorem 1, which appeared in [53], employs standard simulation and extraction techniques for Stern-type protocols [46, 55]. The proof is provided in “Appendix A” for the sake of completeness.

3 A Lattice-Based Accumulator with Supporting Zero-Knowledge Argument of Knowledge

Throughout the paper, we will work with positive integers n, q, k, m, where: n is the security parameter; $q = \widetilde{{\mathcal {O}}}(n)$; $k = \lceil \log q \rceil $; and $m = 2nk$. We identify ${\mathbb {Z}}_q$ by the set $\{0,\ldots , q-1\}$. We define the “powers-of-2” matrix

$$\begin{aligned} {\textbf{G}} = \left[ \begin{array}{cccc} 1~2~4~\ldots ~2^{k-1} &{} &{} &{} \\ &{} 1~2~4~\ldots ~2^{k-1} &{} &{} \\ &{} &{} \ldots &{} \\ &{} &{} &{} 1~2~4~\ldots ~2^{k-1} \end{array}\right] \in {\mathbb {Z}}_q^{n \times nk}. \end{aligned}$$

Note that for every ${\textbf{v}} \in {\mathbb {Z}}_q^n$, we have ${\textbf{v}} = {\textbf{G}}\cdot \textsf{bin}({\textbf{v}})$, where $\textsf{bin}({\textbf{v}}) \in \{0,1\}^{nk}$ denotes the binary representation of ${\textbf{v}}$.

3.1 Cryptographic Accumulators

An accumulator scheme is a tuple of algorithms $(\textsf{TSetup}, \textsf{TAcc}, \textsf{TWitness}, \textsf{TVerify})$ defined as follows:

$\textsf{TSetup}(n)$:: On input security parameter n, output the public parameter pp.
$\textsf{TAcc}_{pp}$:: On input a set $R = \{{\textbf{d}}_0, \ldots , {\textbf{d}}_{N-1}\}$ of N data values, output an accumulator value ${\textbf{u}}$.
$\textsf{TWitness}_{pp}$:: On input a data set R and a value ${\textbf{d}}$, output $\bot $ if ${\textbf{d}} \not \in R$; otherwise output a witness w for the fact that ${\textbf{d}}$ is accumulated in $\textsf{TAcc}_{pp}(R)$. (Typically, the size of w should be short (e.g., constant or logarithmic in N) to be useful.)
$\textsf{TVerify}_{pp}$:: On input accumulator value ${\textbf{u}}$ and a value-witness pair $({\textbf{d}}, w)$, output 1 (which indicates that $({\textbf{d}}, w)$ is valid for the accumulator ${\textbf{u}}$) or 0.

Note that, in this work, we only consider accumulator schemes with deterministic accumulation algorithm $\textsf{TAcc}_{pp}(R)$.

An accumulator scheme is called correct if for all $pp \leftarrow \textsf{TSetup}(n)$, we have $\textsf{TVerify}_{pp}\big (\textsf{TAcc}_{pp}(R), {\textbf{d}}, \textsf{TWitness}_{pp}(R, {\textbf{d}})\big ) = 1$ for all ${\textbf{d}} \in R$.

The security of an accumulator scheme, as defined in [6, 21], says that it is infeasible to prove that a value ${\textbf{d}}^*$ was accumulated in a value ${\textbf{u}}$ if it was not. This property is formalized as follows.

Definition 3

An accumulator scheme $(\textsf{TSetup}, \textsf{TAcc}, \textsf{TWitness}, \textsf{TVerify})$ is called secure if for all PPT adversaries ${\mathcal {A}}$:

$$\begin{aligned} \textrm{Pr}\big [pp \leftarrow \textsf{TSetup}(n); (R, {\textbf{d}}^*, w^*) \leftarrow {\mathcal {A}}(pp):~~~~~~~~~~~~~~~~~~~~~ \\ {\textbf{d}}^* \not \in R \wedge \textsf{TVerify}_{pp}(\textsf{TAcc}_{pp}(R), {\textbf{d}}^*, w^*)=1\big ] = \textsf{negl}(n). \end{aligned}$$

3.2 A Family of Lattice-Based Collision-Resistant Hash Functions

We now describe the specific family of lattice-based collision-resistant hash functions, upon which we will build Merkle trees.

Definition 4

The function family ${\mathcal {H}}$ mapping $\{0,1\}^{nk} \times \{0,1\}^{nk}$ to $\{0,1\}^{nk}$ is defined as ${\mathcal {H}} = \{h_{{\textbf{A}}} | {\textbf{A}} \in {\mathbb {Z}}_q^{n \times m}\}$, where for ${\textbf{A}} = [{\textbf{A}}_0 | {\textbf{A}}_1]$ with ${\textbf{A}}_0, {\textbf{A}}_1 \in {\mathbb {Z}}_q^{n \times nk}$, and for any $({\textbf{u}}_0, {\textbf{u}}_1) \in \{0,1\}^{nk} \times \{0,1\}^{nk}$, we have:

$$\begin{aligned} h_{{\textbf{A}}}({\textbf{u}}_0, {\textbf{u}}_1)= \textsf{bin}\big ({\textbf{A}}_0 \cdot {\textbf{u}}_0 + {\textbf{A}}_1\cdot {\textbf{u}}_1 \bmod q\big ) \in \{0,1\}^{nk}. \end{aligned}$$

Note that $h_{{\textbf{A}}}({\textbf{u}}_0, {\textbf{u}}_1) = {\textbf{u}} \Leftrightarrow {\textbf{A}}_0\cdot {\textbf{u}}_0 + {\textbf{A}}_1 \cdot {\textbf{u}}_1 = {\textbf{G}}\cdot {\textbf{u}} \bmod q$.

Lemma 1

The function family ${\mathcal {H}}$, shown in Definition 4, is collision-resistant, assuming the hardness of the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem.

Proof

Given ${\textbf{A}} = [{\textbf{A}}_0 | {\textbf{A}}_1] \xleftarrow {\$} {\mathbb {Z}}_q^{n \times m}$, if one can find two distinct pairs $({\textbf{u}}_0, {\textbf{u}}_1) \in \big (\{0,1\}^{nk}\big )^2$ and $({\textbf{v}}_0, {\textbf{v}}_1)\in \big (\{0,1\}^{nk}\big )^2$ such that $h_{{\textbf{A}}}({\textbf{u}}_0, {\textbf{u}}_1) = h_{{\textbf{A}}}({\textbf{v}}_0, {\textbf{v}}_1) \bmod q$, then one can obtain a nonzero vector ${\textbf{z}} = \left( \begin{array}{c} {\textbf{u}}_0 - {\textbf{v}}_0 \\ {\textbf{u}}_1 - {\textbf{v}}_1 \\ \end{array} \right) \in \{-1,0,1\}^m$ such that

$$\begin{aligned} {\textbf{A}}\cdot {\textbf{z}} = {\textbf{A}}_0\cdot ({\textbf{u}}_0 - {\textbf{v}}_0) + {\textbf{A}}_1\cdot ({\textbf{u}}_1 - {\textbf{v}}_1) = {\textbf{G}}\cdot h_{{\textbf{A}}}({\textbf{u}}_0, {\textbf{u}}_1) - {\textbf{G}}\cdot h_{{\textbf{A}}}({\textbf{v}}_0, {\textbf{v}}_1) = {\textbf{0}} \bmod q. \end{aligned}$$

In other words, ${\textbf{z}}$ is a valid solution to the $\textsf{SIS}_{n, m, q, 1}^\infty $ problem associated with matrix ${\textbf{A}}$. The lemma then follows from the worst-case to average-case reduction from $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$.

$\square $

3.3 A Lattice-Based Merkle-Tree Accumulator

We now give the construction of a Merkle tree with $N=2^\ell $ leaves, where $\ell $ is a positive integer, based on the family of lattice-based hash function ${\mathcal {H}}$ defined above.

$\textsf{TSetup}(n).$:: Sample ${\textbf{A}} \xleftarrow {\$} {\mathbb {Z}}_q^{n \times m}$, and output $pp= {\textbf{A}}$.

$\textsf{TAcc}_{{\textbf{A}}}(R = \{{\textbf{d}}_0 \in \{0,1\}^{nk}, \ldots , {\textbf{d}}_{N-1} \in \{0,1\}^{nk}\}).$ For every $j \in [0,N-1]$, let $(j_1, \ldots , j_\ell ) \in \{0,1\}^\ell $ be the binary representation of j, and let ${\textbf{d}}_j={\textbf{u}}_{j_1, \ldots , j_\ell }$. Form the tree of depth $\ell = \log N$ based on the N leaves ${\textbf{u}}_{0,0,\ldots , 0}, \ldots , {\textbf{u}}_{1, 1,\ldots , 1}$ as follows:

1.
At depth $i\in [\ell ]$, the node ${\textbf{u}}_{b_1,\ldots , b_i} \in \{0,1\}^{nk}$, for all $(b_1,\ldots , b_i) \in \{0,1\}^i$, is defined as $h_{{\textbf{A}}}({\textbf{u}}_{b_1,\ldots , b_i,0}, {\textbf{u}}_{b_1,\ldots , b_i, 1})$.
2.
At depth 0: The root ${\textbf{u}} \in \{0,1\}^{nk}$ is defined as $h_{{\textbf{A}}}({\textbf{u}}_0, {\textbf{u}}_1)$.

The algorithm outputs the accumulator value ${\textbf{u}}$.

$\textsf{TWitness}_{{\textbf{A}}}(R, {\textbf{d}}).$ If ${\textbf{d}} \not \in R$, return $\bot $. Otherwise, ${\textbf{d}} = {\textbf{d}}_j$ for some $j \in [0, N-1]$ with binary representation $(j_1,\ldots , j_\ell )$. Output the witness w defined as:

$$\begin{aligned} w = \big ((j_1,\ldots , j_\ell ), ({\textbf{u}}_{j_1,\ldots , j_{\ell -1},\bar{j_\ell }}, \ldots , {\textbf{u}}_{j_1,\bar{j_2}}, {\textbf{u}}_{\bar{j_1}}) \big ) \in \{0,1\}^\ell \times \big (\{0,1\}^{nk}\big )^\ell , \end{aligned}$$

for ${\textbf{u}}_{j_1,\ldots , j_{\ell -1},\bar{j_\ell }}, \ldots , {\textbf{u}}_{j_1,\bar{j_2}}, {\textbf{u}}_{\bar{j_1}}$ computed by algorithm $\textsf{TAcc}_{{\textbf{A}}}(R)$. $\textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ).$ Let the given witness w be of the form:

$$\begin{aligned} w = \big ((j_1,\ldots , j_\ell ),({\textbf{w}}_\ell , \ldots , {\textbf{w}}_1)\big ) \in \{0,1\}^\ell \times \big (\{0,1\}^{nk}\big )^\ell . \end{aligned}$$

The algorithm recursively computes the path ${\textbf{v}}_\ell , {\textbf{v}}_{\ell -1}, \ldots , {\textbf{v}}_1, {\textbf{v}}_0 \in \{0,1\}^{nk}$ as follows: ${\textbf{v}}_\ell = {\textbf{d}}$ and $-$0.25 cm

$$\begin{aligned} \forall i \in \{\ell -1, \ldots , 1, 0\}: {\textbf{v}}_i = {\left\{ \begin{array}{ll} h_{{\textbf{A}}}({\textbf{v}}_{i+1}, {\textbf{w}}_{i+1}), \text { if } j_{i+1}=0; \\ h_{{\textbf{A}}}({\textbf{w}}_{i+1}, {\textbf{v}}_{i+1}), \text { if } j_{i+1}=1. \end{array}\right. } \end{aligned}$$

Then, it returns 1 if ${\textbf{v}}_0 = {\textbf{u}}$. Otherwise, it returns 0. In Fig. 2, we give an illustrative example of a tree with $2^3=8$ leaves.

One can check that the above Merkle-tree accumulator scheme is correct. Furthermore, its security is based on the collision-resistance of the hash function family ${\mathcal {H}}$, which in turn is based on the hardness of $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$.

Theorem 2

The given accumulator scheme is secure in the sense of Definition 3, assuming the hardness of the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem.

Proof

Assuming that there exists a PPT adversary ${\mathcal {B}}$ who has non-negligible success probability in the security experiment of Definition 3. It receives a uniformly random matrix ${\textbf{A}} \in {\mathbb {Z}}_q^{n \times m}$ generated by $\textsf{TSetup}(n)$, and returns $(R=({\textbf{d}}_0, \ldots , {\textbf{d}}_{N-1}), {\textbf{d}}^*, w^*)$ such that ${\textbf{d}}^* \not \in R$ and $\textsf{TVerify}_{{\textbf{A}}}({\textbf{u}}^*, {\textbf{d}}^*, w^*)=1$, where ${\textbf{u}}^* = \textsf{TAcc}_{{\textbf{A}}}(R)$.

Parse $w^* = ((j_1^*, \ldots , j_\ell ^*), ({\textbf{w}}_\ell ^*, \ldots , {\textbf{w}}_1^*))$. Let $j^* \in [0,N-1]$ be the integer having binary representation $(j_1^*, \ldots , j_\ell ^*)$ and let ${\textbf{u}}_{j_1^*, \ldots , j_\ell ^*} = {\textbf{d}}_{j^*}, {\textbf{u}}_{j_1^*, \ldots , j_{\ell -1}^*}, \ldots , {\textbf{u}}_{j_1^*}, {\textbf{u}}^*$ be the path from the leave ${\textbf{d}}_{j^*}$ to the root of the tree generated by $\textsf{TAcc}_{{\textbf{A}}}(R)$. On the other hand, let ${\textbf{v}}_\ell ^* = {\textbf{d}}^*, {\textbf{v}}_{\ell -1}^*, \ldots , {\textbf{v}}_1^*, {\textbf{v}}_0^* = {\textbf{u}}^*$ be the path computed by algorithm $\textsf{TVerify}_{{\textbf{A}}}({\textbf{u}}^*, {\textbf{d}}^*, w^*)$. Note that ${\textbf{d}}^* \ne {\textbf{d}}_{j^*}$ since ${\textbf{d}}^* \not \in R$. Thus, comparing the two paths, we can find the smallest integer $k \in [\ell ]$, such that ${\textbf{v}}_k^* \ne {\textbf{u}}_{j_1^*, \ldots , j_k^*}$. We then obtain a collision for $h_{{\textbf{A}}}$ at the parent node of ${\textbf{u}}_{j_1^*, \ldots , j_k^*}$. The theorem then follows from Lemma 1.

$\square $

3.4 Zero-Knowledge AoK of an Accumulated Value

Our goal in this section is to construct a zero-knowledge argument system that allows prover ${\mathcal {P}}$ to convince verifier ${\mathcal {V}}$ that ${\mathcal {P}}$ knows a secret value that is properly accumulated into the root of the lattice-based Merkle tree described above. More formally, in our protocol, ${\mathcal {P}}$ convinces ${\mathcal {V}}$ on input $({\textbf{A}}, {\textbf{u}})$ that ${\mathcal {P}}$ possesses a value-witness pair $({\textbf{d}}, w)$ such that $\textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1$. The associated relation $\mathrm {R_{acc}}$ is defined as follows.

Definition 5

$$\begin{aligned} \mathrm {R_{acc}}= \Big \{ \big (({\textbf{A}}, {\textbf{u}}) \in {\mathbb {Z}}_q^{n \times m} \times \{0,1\}^{nk}; {\textbf{d}} \in \{0,1\}^{nk}, w\in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell \big ):\\ \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \Big \}. \end{aligned}$$

Before going into the details, we first introduce several supporting notations and techniques.

We denote by ${\textsf{B}}_m^{nk}$ the set of all vectors in $\{0,1\}^{m}$ that have Hamming weight nk; and by ${\mathcal {S}}_m$ the set of all permutations of m elements.
For $i \in \{nk, m\}$, for $b \in \{0,1\}$ and for ${\textbf{v}} \in \{0,1\}^{i}$, we let $\textsf{ext}(b, {\textbf{v}})$ denote the vector ${\textbf{z}} \in \{0,1\}^{2i}$ of the form ${\textbf{z}} = \left( \begin{array}{c} {\bar{b}}\cdot {\textbf{v}} \\ b\cdot {\textbf{v}} \\ \end{array} \right) $.
For $b \in \{0,1\}$, for $\pi \in {\mathcal {S}}_m$, we define the permutation $F_{b, \pi }$ that transforms ${\textbf{z}} = \left( \begin{array}{c} {\textbf{z}}_0 \\ {\textbf{z}}_1 \\ \end{array} \right) \in {\mathbb {Z}}_q^{2\,m}$ consisting of 2 blocks of size m into $F_{b, \pi }({\textbf{z}}) = \left( \begin{array}{c} \pi ({\textbf{z}}_b) \\ \pi ({\textbf{z}}_{{\bar{b}}}) \\ \end{array} \right) $. Namely, $F_{b,\pi }$ first rearranges the blocks of ${\textbf{z}}$ according to b (it keeps the arrangement of blocks if $b=0$, or swaps them if $b=1$), then it permutes each block according to $\pi $.

Our strategy to achieve the zero-knowledge property will crucially rely on the following observation: For all $c,b \in \{0,1\}$, all $\pi , \phi \in {\mathcal {S}}_{m}$, and all ${\textbf{v}},{\textbf{w}} \in \{0,1\}^{m}$, we have the equivalences

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{z}} = \textsf{ext}(c, {\textbf{v}}) \wedge {\textbf{v}} \in {\textsf{B}}_{m}^{nk} \Longleftrightarrow F_{b, \pi }({\textbf{z}}) = \textsf{ext}(c \oplus b, \pi ({\textbf{v}})) \wedge \pi ({\textbf{v}}) \in {\textsf{B}}_{m}^{nk}; \\ {\textbf{y}} = \textsf{ext}({\bar{c}}, {\textbf{w}}) \wedge {\textbf{w}} \in {\textsf{B}}_{m}^{nk} \Longleftrightarrow F_{{\bar{b}}, \phi }({\textbf{y}}) = \textsf{ext}(c \oplus b, \phi ({\textbf{w}})) \wedge \phi ({\textbf{w}}) \in {\textsf{B}}_{m}^{nk}. \end{array}\right. } \end{aligned}$$

(4)

3.4.1 Warm-Up Step

Now, let $({\textbf{d}}, w)$ be such that $\big (({\textbf{A}}, {\textbf{u}}), {\textbf{d}}, w\big ) \in \textrm{R}_{\textrm{acc}}$, where w is of the form $w = \big ((j_1, \ldots , j_\ell ), ({\textbf{w}}_\ell , \ldots , {\textbf{w}}_1)\big )$, and let ${\textbf{v}}_\ell = {\textbf{d}}, {\textbf{v}}_{\ell -1}, \ldots , {\textbf{v}}_1, {\textbf{v}}_0$ be the path computed by $\textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big )$. Note that ${\textbf{v}}_0 = {\textbf{u}}$ and:

$$\begin{aligned} \forall i \in \{\ell -1, \ldots , 1, 0\}: {\textbf{v}}_i = {\left\{ \begin{array}{ll} h_{{\textbf{A}}}({\textbf{v}}_{i+1}, {\textbf{w}}_{i+1}), \text { if } j_{i+1}=0; \\ h_{{\textbf{A}}}({\textbf{w}}_{i+1}, {\textbf{v}}_{i+1}), \text { if } j_{i+1}=1. \end{array}\right. } \end{aligned}$$

(5)

We observe that relation (5) can be equivalently rewritten in a more compact form: $\forall i \in \{\ell -1, \ldots , 1, 0\},$

$$\begin{aligned} {\textbf{v}}_i = {\bar{j}}_{i+1}\cdot h_{{\textbf{A}}}({\textbf{v}}_{i+1}, {\textbf{w}}_{i+1}) + j_{i+1} \cdot h_{{\textbf{A}}}({\textbf{w}}_{i+1}, {\textbf{v}}_{i+1}). \end{aligned}$$

(6)

Equation (6) then can be interpreted as:

Therefore, to achieve our goal, it is necessary and sufficient to construct an argument system in which ${\mathcal {P}}$ convinces ${\mathcal {V}}$ in ZK that ${\mathcal {P}}$ knows $j_1,\ldots , j_\ell \in \{0,1\}^\ell $ and ${\textbf{v}}_1, \ldots , {\textbf{v}}_\ell , {\textbf{w}}_1, \ldots , {\textbf{w}}_\ell \in \{0,1\}^{nk}$ satisfying

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}}\cdot \textsf{ext}(j_{1}, {\textbf{v}}_{1}) + {\textbf{A}}\cdot \textsf{ext}({\bar{j}}_{1}, {\textbf{w}}_{1}) = {\textbf{G}}\cdot {\textbf{u}}\bmod q; \\ \forall i\in [\ell -1]: {\textbf{A}}\cdot \textsf{ext}(j_{i+1}, {\textbf{v}}_{i+1}) + {\textbf{A}} \cdot \textsf{ext}({\bar{j}}_{i+1}, {\textbf{w}}_{i+1}) = {\textbf{G}}\cdot {\textbf{v}}_{i} \bmod q . \end{array}\right. } \end{aligned}$$

(7)

To this end, we will employ several dedicated techniques to reduce the considered relation to an instance of the abstract relation $\textrm{R}_{\textrm{abstract}}$ from Sect. 2.2, with respect to the case where there is a single modulus q, i.e., $\nu =1$. The reduction consists of two steps.

Step 1 Transforming the equations in (7) into a unified equation of the form ${\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}_{\textrm{acc}} = {\textbf{v}}_\textrm{acc} \bmod q$, where ${\textbf{w}}_{\textrm{acc}} \in \textsf{VALID}_\textrm{acc}$ - a “specially designed” set.

To do so, we first perform the following extensions:

Extend matrix ${\textbf{A}} = [{\textbf{A}}_0 | {\textbf{A}}_1]$ to matrix ${\textbf{A}}^* = [{\textbf{A}}_0 | {\textbf{0}}^{n \times nk} | {\textbf{A}}_1 | {\textbf{0}}^{n \times nk}] \in {\mathbb {Z}}_q^{n \times 2m}$.
Extend matrix ${\textbf{G}}$ to matrix ${\textbf{G}}^* = [{\textbf{G}} | {\textbf{0}}^{n \times nk}] \in {\mathbb {Z}}_q^{n \times m}$.
Extend ${\textbf{v}}_1, \ldots , {\textbf{v}}_\ell , {\textbf{w}}_1, \ldots , {\textbf{w}}_\ell $ into ${\textbf{v}}_1^*, \ldots , {\textbf{v}}_\ell ^*, {\textbf{w}}_1^*, \ldots , {\textbf{w}}_\ell ^* \in {\textsf{B}}_{m}^{nk}$, respectively. This is done by appending a length-nk vector of suitable Hamming weight to each of these vectors.

Let ${\textbf{z}}_i = \textsf{ext}(j_i, {\textbf{v}}_i^*)$ and ${\textbf{y}}_i = \textsf{ext}({\bar{j}}_i, {\textbf{w}}_i^*)$ for each $i \in [\ell ]$. Note that now the conditions in (7) can be equivalently rewritten as:

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}}^*\cdot {\textbf{z}}_1 + {\textbf{A}}^* \cdot {\textbf{y}}_1 = {\textbf{G}}\cdot {\textbf{u}}\bmod q; \\ \forall i\in [\ell -1]: {\textbf{A}}^*\cdot {\textbf{z}}_{i+1} + {\textbf{A}}^* \cdot {\textbf{y}}_{i+1} = {\textbf{G}}^*\cdot {\textbf{v}}_{i}^* \bmod q . \end{array}\right. } \end{aligned}$$

(8)

Next, let us form vector ${\textbf{w}}_{\textrm{acc}} \in \{0,1\}^{D_\textrm{acc}}$, where $D_{\textrm{acc}} = (5\ell -1)m$ and

$$\begin{aligned} {\textbf{w}}_{\textrm{acc}} = \big ( {\textbf{z}}_1^\top \mid \cdots \mid {\textbf{z}}_\ell ^\top \mid {\textbf{y}}_1^\top \mid \cdots \mid {\textbf{y}}_\ell ^\top \mid {{\textbf{v}}_1^*}^\top \mid \cdots \mid {{\textbf{v}}_{\ell -1}^*}^\top \big )^\top . \end{aligned}$$

Then observe that the $\ell $ equations in (8) can be unified as

$$\begin{aligned} {\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}_{\textrm{acc}} = {\textbf{v}}_\textrm{acc} \bmod q, \end{aligned}$$

where ${\textbf{v}}_{\textrm{acc}} = \big (({\textbf{G}}\cdot {\textbf{u}})^\top \mid {\textbf{0}}^{n} \mid \cdots \mid {\textbf{0}}^{n}\big )^\top \in {\mathbb {Z}}_q^{n\ell }$ and ${\textbf{M}}_{\textrm{acc}} \in {\mathbb {Z}}_q^{n\ell \times D_{\textrm{acc}}}$ is a public matrix built upon ${\textbf{A}}^*, {\textbf{G}}^*$ and zero sub-matrices.

We now let $\textsf{VALID}_{\textrm{acc}}$ be the set of all vectors in $\{0,1\}^{D_{\textrm{acc}}}$ having the form

$$\begin{aligned} \nonumber \big ({} & {} \textsf{ext}(j_1, {\textbf{v}}_1^*)^\top \mid \cdots \mid \textsf{ext}(j_\ell , {\textbf{v}}_\ell ^*)^\top \mid \\{} & {} \textsf{ext}({\bar{j}}_1, {\textbf{w}}_1^*)^\top \mid \cdots \mid \textsf{ext}({\bar{j}}_\ell , {\textbf{w}}_\ell ^*)^\top \mid {{\textbf{v}}_1^*}^\top \mid \cdots \mid {{\textbf{v}}_{\ell -1}^*}^\top \big )^\top , \end{aligned}$$

(9)

for some ${\textbf{v}}_1^*, \ldots , {\textbf{v}}_\ell ^*, {\textbf{w}}_1^*, \ldots , {\textbf{w}}_\ell ^* \in {\textsf{B}}_{m}^{nk}$ and some $j_1, \ldots , j_\ell \in \{0,1\}$. It can be seen that the constructed vector ${\textbf{w}}_{\textrm{acc}}$ belongs to this tailored set $\textsf{VALID}_{\textrm{acc}}$.

Step 2 Specifying the set ${\mathcal {S}}_\textrm{acc}$ and permutations of $D_{\textrm{acc}}$ elements $\{\Gamma ^\textrm{acc}_\phi : \phi \in {\mathcal {S}}_{\textrm{acc}}\}$ for which the conditions in (1) hold.

Define ${\mathcal {S}}_{\textrm{acc}} = ({\mathcal {S}}_m)^\ell \times ({\mathcal {S}}_m)^\ell \times \{0,1\}^\ell $.
For $\phi = (\pi _1, \ldots , \pi _\ell , \psi _1, \ldots , \psi _\ell , b_1, \ldots , b_\ell ) \in {\mathcal {S}}_{\textrm{acc}}$ and for vector ${\textbf{x}} \in {\mathbb {Z}}^{D_{\textrm{acc}}}$ of the form
$$\begin{aligned} \big ( {\textbf{x}}_1^\top \mid \cdots \mid {\textbf{x}}_\ell ^\top \mid {\textbf{s}}_1^\top \mid \cdots \mid {\textbf{s}}_\ell ^\top \mid {{\textbf{t}}_1}^\top \mid \cdots \mid {{\textbf{t}}_{\ell -1}}^\top \big )^\top , \end{aligned}$$
where ${\textbf{x}}_1, \ldots , {\textbf{x}}_\ell , {\textbf{s}}_1, \ldots , {\textbf{s}}_\ell \in {\mathbb {Z}}^{2\,m}$ and ${\textbf{t}}_1, \ldots , {\textbf{t}}_{\ell -1} \in {\mathbb {Z}}^{m}$, define $\Gamma ^\textrm{acc}_\phi ({\textbf{x}})$ as the permutation that transforms ${\textbf{x}}$ as follows:
- ${\textbf{x}}_i \mapsto F_{b_i, \pi _i}({\textbf{x}}_i)$, ${\textbf{s}}_i \mapsto F_{{\bar{b}}_i, \psi _i}({\textbf{s}}_i)$, for all $i \in [\ell ]$;
- ${\textbf{t}}_i \mapsto \pi _i({\textbf{t}}_i)$, for all $i \in [\ell -1]$.

Based on the equivalences observed in (4), we can check that the conditions in (1) hold.

3.4.2 The Interactive Protocol

Having performed the above preparation and transformation steps, we are now ready to describe our interactive protocol.

Common inputs::: The matrix–vector pair $({\textbf{M}}_{\textrm{acc}}, {\textbf{v}}_{\textrm{acc}})$, which is obtained from ${\textbf{A}}, {\textbf{u}}, {\textbf{G}}$ as discussed above.
${\mathcal {P}}$’s inputs::: Vector ${\textbf{w}}_{\textrm{acc}} \in \textsf{VALID}_{\textrm{acc}}$, which is obtained from the original witnesses ${\textbf{d}} \in \{0,1\}^{nk}$ and $w \in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell $, as specified above.
${\mathcal {P}}$’s goal::: Prove in ZK that ${\textbf{w}}_{\textrm{acc}} \in \textsf{VALID}_{\textrm{acc}}$ and ${\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}_{\textrm{acc}} = {\textbf{v}}_{\textrm{acc}} \bmod q$.

The prover and the verifier then run the protocol described in Fig. 1, for $\nu =1$ and with respect to $({\textbf{M}}_{\textrm{acc}}, {\textbf{v}}_{\textrm{acc}}), {\textbf{w}}_{\textrm{acc}}, (\textsf{VALID}_{\textrm{acc}}, {\mathcal {S}}_\textrm{acc}, \Gamma ^{\textrm{acc}}_\phi )$. The properties of the resulting protocol are summarized in the following theorem.

Theorem 3

The described interactive protocol has perfect completeness and communication cost $\widetilde{{\mathcal {O}}}(\ell \cdot n)$. If $\textsf{COM}$ is a statistically hiding and computationally binding string commitment scheme, then it is a statistical zero-knowledge argument of knowledge for the relation $\mathrm {R_{acc}}$.

Proof

The perfect completeness and statistical zero-knowledge property of the protocol directly follow from Theorem 1 (the case $\nu =1$). The communication cost of the protocol is ${\mathcal {O}}(D_{\textrm{acc}} \cdot \log q) = \widetilde{{\mathcal {O}}}(\ell \cdot m \cdot \log q) = \widetilde{{\mathcal {O}}}(\ell \cdot n)$ bits.

Furthermore, by running the knowledge extractor of Theorem 1, one obtains ${\textbf{w}}'_\textrm{acc} \in \textsf{VALID}_{\textrm{acc}}$ such that ${\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}'_{\textrm{acc}} = {\textbf{v}}_{\textrm{acc}} \bmod q$. Then note that ${\textbf{w}}'_{\textrm{acc}}$ has the form

$$\begin{aligned} \big ({} & {} \textsf{ext}(j'_1, {\textbf{v}}_1^*)^\top \mid \cdots \mid \textsf{ext}(j'_\ell , {\textbf{v}}_\ell ^*)^\top \mid \\{} & {} \textsf{ext}({\bar{j}}'_1, {\textbf{w}}_1^*)^\top \mid \cdots \mid \textsf{ext}({\bar{j}}'_\ell , {\textbf{w}}_\ell ^*)^\top \mid {{\textbf{v}}_1^*}^\top \mid \cdots \mid {{\textbf{v}}_{\ell -1}^*}^\top \big )^\top , \end{aligned}$$

for some ${\textbf{v}}_1^*, \ldots , {\textbf{v}}_\ell ^*, {\textbf{w}}_1^*, \ldots , {\textbf{w}}_\ell ^* \in {\textsf{B}}_{m}^{nk}$ and some $j'_1, \ldots , j'_\ell \in \{0,1\}$.

Now, by dropping the last nk coordinates from ${\textbf{v}}_1^*, \ldots , {\textbf{v}}_\ell ^*, {\textbf{w}}_1^*, \ldots , {\textbf{w}}_\ell ^*$, we obtain ${\textbf{v}}'_1, \ldots , {\textbf{v}}'_\ell , {\textbf{w}}'_1, \ldots , {\textbf{w}}'_\ell \in \{0,1\}^{nk}$, respectively. Next, by “backtracking” the transformations performed above, we can deduce that these vectors, together with bits $j'_1, \ldots , j'_\ell $, satisfy:

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}}\cdot \textsf{ext}(j'_{1}, {\textbf{v}}'_{1}) + {\textbf{A}}\cdot \textsf{ext}({\bar{j}}'_{1}, {\textbf{w}}'_{1}) = {\textbf{G}}\cdot {\textbf{u}}\bmod q \\ \forall i\in [1,\ell -1]: {\textbf{A}}\cdot \textsf{ext}(j'_{i+1}, {\textbf{v}}'_{i+1}) + {\textbf{A}} \cdot \textsf{ext}({\bar{j}}'_{i+1}, {\textbf{w}}'_{i+1}) = {\textbf{G}}\cdot {\textbf{v}}'_{i} \bmod q \end{array}\right. } \\ \Leftrightarrow {\left\{ \begin{array}{ll} {\textbf{v}}'_0 = {\textbf{u}} \\ \forall i\in [0,\ell -1]: {\textbf{v}}'_i = {\bar{j}}'_{i+1}\cdot h_{{\textbf{A}}}({\textbf{v}}'_{i+1}, {\textbf{w}}'_{i+1}) + j'_{i+1} \cdot h_{{\textbf{A}}}({\textbf{w}}'_{i+1}, {\textbf{v}}'_{i+1}).~~~~~~~ \end{array}\right. } \end{aligned}$$

Let ${\textbf{d}}' = {\textbf{v}}'_\ell $ and $w' = \big ((j'_1, \ldots , j'_\ell ), ({\textbf{w}}'_\ell , \ldots , {\textbf{w}}'_1)\big )$, then $\textsf{TVerify}_{{\textbf{A}}}({\textbf{u}}, {\textbf{d}}', w')=1$. In other words, $({\textbf{d}}', w')$ satisfies $\big (({\textbf{A}},{\textbf{u}}); {\textbf{d}}', w'\big ) \in \mathrm {R_{acc}}$. This concludes the proof. $\square $ $\square $

4 A Logarithmic-Size Ring Signature from Lattices

In this section, we construct a ring signature scheme [77] with signature size $\widetilde{{\mathcal {O}}}(\log N\cdot n)$, where N is the size of the ring, based on the hardness of lattice problem $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$. We use the ZKAoK given in Sect. 3 as the building block.

4.1 Definitions

We recall the standard definitions and security requirements for ring signatures [10, 40]. A ring signature scheme consists of a tuple of efficient algorithms $(\textsf{RSetup}, \textsf{RKgen}, \textsf{RSign}, \textsf{RVerify})$ for generating a public parameter, generating keys for users, signing messages, and verifying ring signatures, respectively.

$\textsf{RSetup}(n)$::: Generates public parameters pp which are made available to all users.
$\textsf{RKgen}(pp)$::: Generates a public key pk and the corresponding secret key sk.
$\textsf{RSign}_{pp}(sk, M, R)$::: Outputs a signature $\Sigma $ on the message $M \in \{0,1\}^*$ with respect to the ring $R = (pk_0, \ldots , pk_{N-1})$. It is required that (pk, sk) is a valid key pair produced by $\textsf{RKgen}(pp)$ and that $pk \in R$.
$\textsf{RVerify}_{pp}(M, R, \Sigma )$::: Given a candidate signature $\Sigma $ on a message M with respect to the ring of public keys R, this algorithm outputs 1 if $\Sigma $ is deemed valid or 0 otherwise.

We next describe the following requirements for ring signatures: correctness, unforgeability with respect to insider corruption, and statistical anonymity.

The correctness requirement says that a user can always sign any message on behalf of a ring he belongs to. This is formalized as follows.

Definition 6

(Correctness) A ring signature $(\textsf{RSetup}, \textsf{RKgen}, \textsf{RSign}, \textsf{RVerify})$ is correct if for any $pp \leftarrow \textsf{RSetup}(n)$, any $(pk,sk) \leftarrow \textsf{RKgen}(pp)$, any R such that $pk \in R $, any $M \in \{0,1\}^*$, we have $ \textsf{RVerify}_{pp}\big ( M, R, \textsf{RSign}_{pp}(sk, M, R)\big ) = 1.$

A ring signature is unforgeable with respect to insider corruption if it is infeasible to forge a ring signature without controlling one of the ring members.

Definition 7

(Unforgeability w.r.t. insider corruption) A ring signature scheme $(\textsf{RSetup}, \textsf{RKgen}, \textsf{RSign}, \textsf{RVerify})$ is unforgeable w.r.t. insider corruption if for all PPT adversaries ${\mathcal {A}}$,

$$\begin{aligned} \Pr [ pp \leftarrow \textsf{RSetup}(1^n); (M^\star , R^\star , \Sigma ^\star ) \leftarrow {\mathcal {A}}^{\textrm{PKGen}, \textrm{Sign}, \textrm{Corrupt}}(pp): \\ \textsf{RVerify}_{pp}(M^\star , R^\star , \Sigma ^\star ) = 1 ] \in \textsf{negl}(n), \end{aligned}$$

where:

$\textrm{PKGen}$ on the j-th query runs $(pk_j, sk_j) \leftarrow \textsf{RKgen}(pp)$ and returns $pk_j$.
$\textrm{Sign}(j, M, R)$ returns the output of $\textsf{RSign}_{pp}(sk_j,M, R)$ if: (i) $(pk_j, sk_j)$ has been generated by $\textrm{PKGen}$; (ii) $pk_j \in R$. Otherwise, it returns $\perp $.
$\textrm{Corrupt}(j)$ returns $sk_j$, if $(pk_j, sk_j)$ has been generated by $\textrm{PKGen}$.
${\mathcal {A}}$ outputs $(M^\star , R^\star , \Sigma ^\star )$ such that $\textrm{Sign}(\cdot , M^\star , R^\star )$ has not been queried. Furthermore, $R^\star $ is non-empty and only contains public keys $pk_j$ generated by $\textrm{PKGen}$ for which j has not been corrupted.

Definition 8

A ring signature scheme $(\textsf{RSetup}, \textsf{RKgen}, \textsf{RSign}, \textsf{RVerify})$ provides statistical anonymity if, for any (possibly unbounded) adversary ${\mathcal {A}}$,

$$\begin{aligned} \textrm{Pr}{} & {} \left[ \begin{array}{c} pp \leftarrow \textsf{RSetup}(1^n); (M^\star , j_0, j_1, R^\star ) \leftarrow {\mathcal {A}}^{\textsf{RKgen}(pp)}(pp)\\ b \xleftarrow {\$} \{0,1\}; \Sigma ^* \leftarrow \textsf{RSign}_{pp }(sk_{j_b},M^\star , R^\star ) \end{array}: {\mathcal {A}}(\Sigma ^\star )= b \right] \\ {}= & {} 1/2 + \textsf{negl}(n), \end{aligned}$$

where $pk_{j_0},pk_{j_1} \in R^\star $.

In Definition 8, the adversary is given access to all users’ keys. In the challenge phase, it returns a message $M^\star $, two user indices $j_0, j_1$, and a ring $R^\star $ containing the public keys of users $j_0$ and $j_1$. The challenger then picks a uniformly random bit b and generates a challenge ring signature $\Sigma ^\star $ using the secret key of user $j_b$.

Remark

Anonymity under full key exposure [10] requires that the randomness used by KeyGen be revealed to the adversary. In our construction, it does not make a difference since we assume computationally unbounded adversaries. A c-user ring signature scheme is a variant of ring signatures, that only supports rings of fixed size c. Here, we do not assume any upper bound on the size of a ring. Similarly to [40], we only assume that all users agree on pre-existing public parameters pp. In our scheme, these public parameters consist of a modulus q and a random matrix $\textbf{A} \in \mathbb {Z}_q^{n \times 2nk}$ which can be derived from a random oracle. In this case, we only need all users to agree on the parameters q and n.

4.2 The Underlying Zero-Knowledge Protocol

The ring signature scheme that we will present next relies on a simple extension of the ZKAoK in Sect. 3. Specifically, one more layer is added: apart from proving that it has a secret value ${\textbf{d}}$ that was properly accumulated to the root of the tree, ${\mathcal {P}}$ has to convince ${\mathcal {V}}$ that it knows a vector ${\textbf{x}} \in \{0,1\}^m$ such that $\textsf{bin}({\textbf{A}}\cdot {\textbf{x}} \bmod q) = {\textbf{d}}$, or equivalently, ${\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q$. The associated relation $\mathrm {R_{ring}}$ is defined as follows.

Definition 9

Define the relation

$$\begin{aligned} \mathrm {R_{ring}}= \Big \{ \big (({\textbf{A}}, {\textbf{u}}) \in {\mathbb {Z}}_q^{n \times m} \times \{0,1\}^{nk}; {\textbf{d}} \in \{0,1\}^{nk}, w\in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell ,\\ {\textbf{x}} \in \{0,1\}^m \big ): \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \wedge {\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q \Big \}. \end{aligned}$$

A ZKAoK for $\mathrm {R_{ring}}$ can be obtained from the one in Sect. 3, where the new layer is handled by the same “extend-then-permute” technique. As before, the protocol relies on the string commitment scheme from [46], which is statistically hiding and computationally binding if the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard.

Lemma 2

Let us assume that the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard. Then, there exists a statistical $\textsf{ZKAoK}$ for the relation $\mathrm {R_{ring}}$ with perfect completeness and communication cost $\widetilde{{\mathcal {O}}}(\ell \cdot n)$. In particular:

There exists an efficient simulator that, on input $({\textbf{A}}, {\textbf{u}})$, outputs an accepted transcript which is statistically close to that produced by the real prover.
There exists an efficient knowledge extractor that, on input 3 valid responses $(\textrm{RSP}_1, \textrm{RSP}_2, \textrm{RSP}_3)$ to the same commitment $\textrm{CMT}$, outputs $({\textbf{d}}', w', {\textbf{x}}')$ such that
$$\begin{aligned} \big (({\textbf{A}},{\textbf{u}}), {\textbf{d}}', w', {\textbf{x}}'\big ) \in \mathrm {R_{ring}}. \end{aligned}$$

The description and analysis of the argument system are given in “Appendix B”.

4.3 Description of the Ring Signature Scheme

We now will construct a ring signature scheme for rings of $N=2^\ell $ users based on the Merkle-tree accumulator presented in Sect. 3. Our ring signature can be easily adapted for the case when the size of the ring is not a power of 2 (see Remark 1). The scheme uses parameters n, m, q defined as in Sect. 3, parameter $\kappa = \omega (\log n)$ that determines the number of protocol repetitions, and a random oracle ${\mathcal {H}}_{\textsf{FS}}: \{0,1\}^* \rightarrow \{1,2,3\}^\kappa $.

$\textsf{RSetup}(n)$:

: Sample ${\textbf{A}} \xleftarrow {\$} {\mathbb {Z}}_q^{n \times m}$, and output $pp = {\textbf{A}}$.

$\textsf{RKgen}(pp= {\textbf{A}})$:

: Pick ${\textbf{x}} \xleftarrow {\$} \{0,1\}^m$, compute ${\textbf{d}} = \textsf{bin}({\textbf{A}}\cdot {\textbf{x}} \bmod q) \in \{0,1\}^{nk}$, and output $(sk, pk) = ({\textbf{x}}, {\textbf{d}})$.

$\textsf{RSign}_{pp}(sk, M, R)$:

: Given a ring $R = ({\textbf{d}}_0, \ldots , {\textbf{d}}_{N-1})$, where ${\textbf{d}}_i \in \{0,1\}^{nk}$ for every $i \in [0,N-1]$, and $sk = {\textbf{x}} \in \{0,1\}^m$ such that ${\textbf{d}} = \textsf{bin}({\textbf{A}}{\textbf{x}} \bmod q) \in R$, this algorithm generates a ring signature $\Sigma $ on $M \in \{0,1\}^*$ as follows:

1.:

Run algorithm $\textsf{TAcc}_{{\textbf{A}}}( R)$ to build the Merkle tree based on R and the hash function $h_{{\textbf{A}}}$, and obtain the root ${\textbf{u}} \in \{0,1\}^{nk}$.

2.:

Run algorithm $\textsf{TWitness}_{{\textbf{A}}}(R, {\textbf{d}})$ to get a witness

$$\begin{aligned} w = \big ( (j_1, \ldots , j_\ell ) \in \{0,1\}^\ell , ({\textbf{w}}_\ell , \ldots , {\textbf{w}}_1) \in (\{0,1\}^{nk})^\ell \big ) \end{aligned}$$

to the fact that ${\textbf{d}}$ was properly accumulated in ${\textbf{u}}$.

3.:

Generate a NIZKAoK $\Pi _{\textsf{ring}}$ to demonstrate the possession of a valid pair $(sk, pk)= ({\textbf{x}}, {\textbf{d}})$ such that ${\textbf{d}}$ is properly accumulated in ${\textbf{u}}$. This is done by running the protocol in Sect. 4.2 with public input $({\textbf{A}}, {\textbf{u}})$ and prover’s witness $({\textbf{x}}, {\textbf{d}}, w)$. The protocol is repeated $\kappa = \omega (\log n)$ times to achieve negligible soundness error and made non-interactive via the Fiat–Shamir heuristic as a triple $\Pi _{\textsf{ring}}= (\{\textrm{CMT}_i\}_{i=1}^\kappa , \textrm{CH}, \{\textrm{RSP}_i\}_{i=1}^\kappa )$, where

$$\begin{aligned} \textrm{CH} = {\mathcal {H}}_{\textsf{FS}}\big (M, (\{\textrm{CMT}_i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, R\big ) \in \{1,2,3\}^\kappa . \end{aligned}$$

4.:

Let $\Sigma = \Pi _{\textsf{ring}}$.

$\textsf{RVerify}_{pp}(M, R, \Sigma )$:

: Given $pp = {\textbf{A}}$, a message M, a ring $R = ({\textbf{d}}_0, \ldots , {\textbf{d}}_{N-1})$, and a signature $\Sigma $, this algorithm proceeds as follows:

1.:: Run algorithm $\textsf{TAcc}_{{\textbf{A}}}(R)$ to compute the root ${\textbf{u}}$ of the tree.
2.:: Parse $\Sigma $ as $\Sigma = (\{\textrm{CMT}_i\}_{i=1}^\kappa , (Ch_1, \ldots , Ch_\kappa ), \{\textrm{RSP}_i\}_{i=1}^\kappa )$. Return 0 if $(Ch_1, \ldots , Ch_\kappa ) \ne {\mathcal {H}}_{\textsf{FS}}\big (M, (\{\textrm{CMT}_i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, R\big )$.
3.:: For each $i = 1$ to $\kappa $, run the verification phase of the protocol from Sect. 4.2 with public input $({\textbf{A}}, {\textbf{u}})$ to check the validity of $\textrm{RSP}_i$ with respect to $\textrm{CMT}_i$ and $Ch_i$. If any of the conditions does not hold, then return 0. Otherwise, return 1.

4.4 Analysis of the Ring Signature Scheme

We first summarize the properties of the given ring signature scheme in the following theorem.

Theorem 4

The ring signature scheme described in Sect. 4.3 is correct and produces signatures of bit-size $\widetilde{{\mathcal {O}}}(n \cdot \log N)$. In the random oracle model, the scheme is unforgeable w.r.t. insider corruption based on the worst-case hardness of the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem, and it is statistically anonymous.

Correctness The correctness of the ring signature scheme directly follows from the correctness of the accumulator scheme in Sect. 3 and the perfect completeness of the argument system in Sect. 4.2: A member of a ring can always obtain a tuple $({\textbf{x}}, {\textbf{d}}, w)$ such that $\big (({\textbf{A}},{\textbf{u}}), {\textbf{d}}, w, {\textbf{x}}\big ) \in \mathrm {R_{ring}}$, and thus, his signature on any message always get accepted by the verification algorithm.

Efficiency Since the underlying protocol has communication cost $\widetilde{{\mathcal {O}}}(\ell \cdot n)$, the signatures produced by the scheme has bit-size $\widetilde{{\mathcal {O}}}(\kappa \cdot \ell \cdot n) = \widetilde{{\mathcal {O}}}(\log N \cdot n)$.

Unforgeability with Respect to Insider Corruption For simplicity, the proof of unforgeability assumes that the cardinality of each ring $R^\star $ is a power of 2. However, this restriction can be easily eliminated, as we will see later on.

The proof of unforgeability relies on the following lemma from [59].

Lemma 3

([59], Lemma 8) For any matrix $\textbf{A} \in \mathbb {Z}_q^{n \times m}$ and a uniformly random $\textbf{x} \in \{0,1\}^m$, the probability that there exists another $\textbf{x}' \in \{0,1\}^m {\setminus } \{\textbf{x}\}$ such that $\textbf{A} \cdot \textbf{x} = \textbf{A} \cdot \textbf{x}' \bmod q$ is at least $1-2^{n \cdot \log q - m}$.

With $m=2nk$ and ${\textbf{x}} \xleftarrow {\$} \{0,1\}^m$, there exists $\textbf{x}' \in \{0,1\}^m\setminus \{{\textbf{x}}\}$ such that $\textbf{A} \cdot \textbf{x} = \textbf{A} \cdot \textbf{x}' \bmod q$ with overwhelming probability $1-2^{-nk}$.

Theorem 5

The scheme provides unforgeability w.r.t. insider corruption in the random oracle model if the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard.

Proof

In the random oracle model, assuming that an adversary $\mathcal {A}$ has non-negligible advantage $\epsilon $ in the game of Definition 7, we construct an algorithm $\mathcal {B}$ that either breaks the security of the accumulator in Sect. 3, breaks the computational soundness of the protocol of Lemma 2, or directly solves an $\textsf{SIS}^\infty _{n,m,q,1}$ instance ${\textbf{A}}$ with non-negligible probability.

To this end, $\mathcal {B}$ defines the public parameters by setting $pp=\textbf{A}$. During the game, it faithfully answers all queries to the $\textrm{PKGen}$ oracle and thus provides $\mathcal {A}$ with public keys $pk=\textsf{bin}(\textbf{A} \cdot \textbf{x} \bmod q)$ that are distributed exactly as in the real scheme. At each $\textsf{PKGen}$-query, $\mathcal {B}$ retains the underlying chosen secret key $sk=\textbf{x} \in \{0,1\}^m$ for later use. Knowing all users’ secret keys, the reduction $\mathcal {B}$ is able to perfectly answer all corruption queries as well as queries to the signing oracle $\textrm{Sign}(.,.,.)$. Queries to the random oracle ${\mathcal {H}}_{\textsf{FS}}(.)$ are answered in the standard way, by outputting uniformly random elements of the range $\{1,2,3\}^{\kappa }$. Of course, the adversary obtains the same answer in case the same hash query ${\mathcal {H}}_{\textsf{FS}}(.)$ occurs more than once.

When $\mathcal {A}$ halts, it outputs a triple $(M^\star ,R^\star ,\Sigma ^\star )$ that properly verifies although no member of $R^\star $ was corrupted and no $\textrm{Sign}(.,M^\star ,R^\star )$ was made. Let us re-write $R^\star =(pk_{i_1},\ldots ,pi_{i_{|R^\star |}})$ as a set of binary vectors $(\textbf{d}_{0},\ldots ,\textbf{d}_{|R^\star |-1})$. If we parse $\Sigma ^\star $ as an argument of knowledge $\Pi _{\textsf{ring}}^\star = (\{\textrm{CMT}_i^\star \}_{i=1}^\kappa , \textrm{CH}^\star , \{\textrm{RSP}^\star \}_{i=1}^\kappa )$, with all but negligible probability, $\mathcal {A}$ must have invoked the random oracle ${\mathcal {H}}_{\textsf{FS}}$ on the input $\big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}^\star , R^\star \big )$, where ${\textbf{u}}^\star =\textsf{TAcc}_{{\textbf{A}}}(R^\star )$. Otherwise, the probability that $\textrm{CH}^\star = {\mathcal {H}}_{\textsf{FS}} \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}^\star , R^\star \big )$ would be smaller than $3^{-\kappa }$, making $\mathcal {A}$’s success probability negligible. With probability at least $ \epsilon ':= \epsilon - 3^{-\kappa } $, the tuple $ \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}^\star , R^\star \big )$ has been the input of a random oracle query and we call $t^\star \in \{1,\ldots ,Q_H\}$ the index of this hash query.

Then, algorithm $\mathcal {B}$ runs up to $32 \cdot Q_H / (\epsilon - 3^{-\kappa })$ extra executions of the adversary $\mathcal {A}$ with the same random tape and input as in the first execution. In each new run, all queries receive exactly the same answers as in the first run until the $t^\star $-th random oracle query where a forking occurs. Namely, the first $t^\star -1$ ${\mathcal {H}}_{\textsf{FS}}$-queries—which must coincide with those of the first run given that $\mathcal {A}$ is provided with the same random tape—obtain the same responses $\textrm{CH}_1,\ldots , \textrm{CH}_{t^\star -1}$ as in the first run. This implies that the $t^\star $-th query necessarily involves the same input $ \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}^\star , R^\star \big ) $ as in the initial run. The forking occurs at the moment of the $t^\star $-th query from which $\mathcal {A}$’s ${\mathcal {H}}_{\textsf{FS}}$-queries receive fresh random responses $\textrm{CH}_{t^\star }',\ldots ,\textrm{CH}_{Q_H}'$ at each new run. The Forking Lemma of Brickell et al. [19] tells us that, with probability at least 1/2, $\mathcal {B}$ can obtain a 3-fork involving the same tuple $ \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}^\star , R^\star \big )$ with pairwise distinct responses $\textrm{CH}_{t^\star }^{(1)}, \textrm{CH}_{t^\star }^{(2)}, \textrm{CH}_{t^\star }^{(3)} \in \{1,2,3\}^\kappa $. With probability $1-(7/9)^\kappa $, the results of [19] imply that there exists $j \in \{1,\ldots ,\kappa \}$ for which the j-th bits of $\textrm{CH}_{t^\star }^{(1)}, \textrm{CH}_{t^\star }^{(2)}, \textrm{CH}_{t^\star }^{(3)}$ are $ ({Ch}_{t^\star ,j}^{(1)}, {Ch}_{t^\star ,j}^{(2)}, {Ch}_{t^\star ,j}^{(3)} )=(1,2,3)$. The soundness of the argument system for relation $\textrm{R}_{\textrm{ring}}$ implies that, from the responses $({ \textrm{RSP}^\star }^{(1)},{ \textrm{RSP}^\star }^{(2)},{ \textrm{RSP}^\star }^{(3)})$, algorithm $\mathcal {B}$ can extract witnesses $(\textbf{x}^\star ,\textbf{d}^\star ,w^\star )$, where $w^\star = \big ( (j_1^\star ,\ldots , j_\ell ^\star ), (\textbf{w}_{\ell }^\star , \ldots , \textbf{w}_{1}^\star ) \big )$ such that $(j_1^\star ,\ldots , j_\ell ^\star ) \in \{0,1\}^\ell $ is the binary expansion of some index $j^\star \in \{0,\ldots ,|R^\star |-1\}$ and

$$\begin{aligned} \textbf{A} \cdot \textbf{x}^\star = \textbf{G} \cdot \textbf{d}^\star \bmod q, \quad \text { and } \quad \textsf{TVerify}_{\textbf{A}}\big ( \textbf{u}^\star ,\textbf{d}^\star ,w^\star \big )=1. \quad \end{aligned}$$

(10)

At this point, we distinguish two cases:

$\textbf{d}^\star \not \in R^\star =(\textbf{d}_0,\ldots ,\textbf{d}_{|R^\star |-1})$. Then, the second condition of (10) implies that $\mathcal {B}$ can use $(\textbf{d}^\star ,R^\star ,\textbf{u}^\star )$ to break the security of the accumulator.
$\textbf{d}^\star \in R^\star =(\textbf{d}_0,\ldots ,\textbf{d}_{|R^\star |-1})$, so that $\textbf{d}^\star =\textbf{d}_{j^\star }=pk_{j^\star }$. The soundness of the argument system implies that the extracted witnesses $(\textbf{d}_{j^\star },\textbf{x}^\star )$ satisfy the first condition of (10). Recall that $sk_{j^\star } $ consists of a vector $\textbf{x}_{j^\star } \in \{0,1\}^m$ chosen by $\mathcal {B}$ at some $\textrm{PKGen}$ query which satisfies
$$\begin{aligned} \textbf{G} \cdot \textbf{d}_{j^\star } = \textbf{A} \cdot \textbf{x}_{j^\star } \bmod q. \end{aligned}$$
Since $\mathcal {A}$ did not corrupt user $j^\star $, we claim that $\textbf{x}_{j^\star } \ne \textbf{x}^\star $ with probability at least 1/2. The first condition of (10) then implies that $\textbf{A} \cdot (\textbf{x}_{j^\star } - \textbf{x}^\star ) = 0 \bmod q$, which yields a valid $\textsf{SIS}$ solution $\textbf{w}=\textbf{x}_{j^\star } - \textbf{x}^\star \in \{-1,0,1\}^m$. To argue that $\textbf{x}_{j^\star } \ne \textbf{x}^\star $ with probability at least 1/2, we have to recap what $\mathcal {A}$ can learn about $\textbf{x}_{j^\star }$ during the game. We note that, in the extreme case, $|R^\star |=1$, so that can $\mathcal {A}$ learn $\textbf{u}^\star =\textbf{d}_{j^\star }$. However, by Lemma 3, there exists at least another vector $\textbf{x}^\star \ne \textbf{x}_{j^\star } $ for which $\textbf{d}_{j^\star }=\textsf{bin}(\textbf{A} \cdot \textbf{x}^\star \bmod q)$. Given that the argument system of Lemma 2 is statistically ZK, signing queries of the form $(j^\star ,.,.)$ only leak a negligible amount of information regarding the witness $\textbf{x}_{j^\star }$ used to answer signing queries. With probability at least 1/2, the knowledge extractor thus obtains $\textbf{x}^\star \ne \textbf{x}_{j^\star }$, as claimed.

It follows that a ring forger $\mathcal {A}$ implies an algorithm $\mathcal {B}$ that either directly solves an instance of the $\textsf{SIS}^\infty _{n,m,q,1}$ problem, breaks the security of the accumulator of Sect. 3, or breaks the soundness of the zero-knowledge argument of Lemma 2. Thus, assuming that $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ is hard, the scheme provides unforgeability in the random oracle model. $\square $

Statistical Anonymity The proof of the following theorem relies on the statistical zero-knowledge property of the argument system of Lemma 2.

Theorem 6

The scheme provides statistical anonymity in the random oracle model.

Proof

The proof uses the transcript simulator of the underlying zero-knowledge argument system (Lemma 2) to simulate the challenge signature in the anonymity game. Specifically, we consider two games.

Game 0 This is the original anonymity game of Definition 8. The challenger runs $\textsf{RSetup}$ and then sends $\textsf{pp} = {\textbf{A}}$ to the adversary. The latter, who is given access to all users’ keys, returns with a message $M^\star $, two user indices $j_0, j_1$, and a ring $R^\star $ containing the public keys of users $j_0$ and $j_1$. The challenger picks a uniformly random bit b, uses the secret key of user $j_b$ to generate a challenge ring signature $\Sigma ^\star $. The adversary then tries to guess b based on $\Sigma ^*$.

Note that, in this game, $\Sigma ^\star = \Pi _\textsf{ring} = (\{\textrm{CMT}_i\}_{i=1}^\kappa , \textrm{CH}, \{\textrm{RSP}_i\}_{i=1}^\kappa )$, where

$$\begin{aligned} \textrm{CH} = (Ch_1, \ldots , Ch_\kappa ) = {\mathcal {H}}_{\textsf{FS}}\big (M^\star , (\{\textrm{CMT}_i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, R^\star \big ) \in \{1,2,3\}^\kappa , \end{aligned}$$

and for each $i \in [\kappa ]$, $\textrm{CMT}_i$ and $\textrm{RSP}_i$ are computed honestly using a valid witness to relation $\textrm{R}_{\textrm{ring}}$, which can be obtained from the secret key of user $j_b$.

Game 1 In this game, we simulate the argument $\Pi _\textsf{ring}$ without using a valid witness. This is done as follows.

1.
For each $i \in [\kappa ]$, run the simulator of Lemma 2 to produce a simulated transcript $(\textrm{CMT}^\star _i, Ch^\star _i, \textrm{RSP}^\star _i)$.
2.
Program the random oracle so that
$$\begin{aligned} {\mathcal {H}}_{\textsf{FS}}\big (M^\star , (\{\textrm{CMT}^\star _i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, R^\star \big ): = (Ch^\star _1, \ldots , Ch^\star _\kappa ). \end{aligned}$$
3.
Output $\Pi ^\star _\textsf{ring} = (\{\textrm{CMT}^\star _i\}_{i=1}^\kappa , (Ch^\star _1, \ldots , Ch^\star _\kappa ), \{\textrm{RSP}^\star _i\}_{i=1}^\kappa )$.

Since the distribution of $(\textrm{CMT}^\star _i, Ch^\star _i, \textrm{RSP}^\star _i)$, for each $i \in [\kappa ]$, is statistically close to that of a real transcript, the simulated argument $\Pi ^\star _\textsf{ring}$ is statistically indistinguishable from an honestly generated argument.

As a result, Game 1 is statistically indistinguishable from Game 0. Furthermore, since Game 1 is independent of the challenger’s choice b, the advantage of the adversary in this simulated game is 0. We therefore deduce that its advantage in Game 0 is negligible. This concludes the theorem. $\square $

Remark 1

As already mentioned, we can handle arbitrary ring sizes. To this end, one option is to add dummy ring members $\textbf{d}_{\textsf{fake},1},\ldots ,\textbf{d}_{\textsf{fake},r_0}$ whose public keys are sampled obliviously of their private keys, by deriving them as $\textbf{d}_{\textsf{fake},j}=\textsf{bin}({\mathcal {G}}_0(j)) \in \{0,1\}^{nk} $ for each $j \in \{1,\ldots ,r_0\}$, where ${\mathcal {G}}_0: {\mathbb {N}} \rightarrow \mathbb {Z}_q^{n}$ is an additional random oracle. A simpler solution is to duplicate one of the actual ring members until reaching a multi-set whose cardinality is a power of two.

5 A Lattice-Based Group Signature Without Trapdoors

This section shows how to use our accumulator and argument systems to build a lattice-based group signature which is dramatically more efficient than previous proposals as it does not use any trapdoor. Indeed, surprisingly, the scheme does not rely on a standard digital signature to generate group members’ private keys.

5.1 Definitions

We recall the standard definitions and security requirements for static group signatures [7]. A group signature scheme is a tuple of 4 polynomial-time algorithms $(\textsf{GKeygen}, \textsf{GSign}, \textsf{GVerify}, \textsf{GOpen})$ defined as follows:

GKeygen: This is a probabilistic algorithm that takes as input $1^n, 1^N$, where $n \in {\mathbb {N}}$ is the security parameter and $N \in {\mathbb {N}}$ is the number of group users, and outputs a triple $\mathsf {(gpk, gmsk, \textbf{gsk})}$, where $\textsf{gpk}$ is the group public key; $\textsf{gmsk}$ is the group manager’s secret key; and $\textbf{gsk}= ( \textsf{gsk}[0],\ldots ,\textsf{gsk}[N-1] )$, where for $j \in \{0,\ldots , N-1\}$, $\textsf{gsk}[j]$ is the secret key for the group user of index j.
GSign: is a randomized algorithm that inputs $\textsf{gpk}$, a secret key $\textsf{gsk}[j]$ for some $j \in \{0,\ldots , N-1\}$, and a message M. It returns a group signature $\Sigma $ on M.
GVerify: This deterministic algorithm takes as input the group public key $\textsf{gpk}$, a message M, a purported signature $\Sigma $ on M, and returns either 1 or 0.
GOpen: This deterministic algorithm takes as input the group public key $\textsf{gpk}$, the group manager’s secret key $\textsf{gmsk}$, a message M, a signature $\Sigma $ on M, and returns an index $j \in \{0,\ldots , N-1\}$, or $\bot $ (to indicate failure).

Correctness The correctness requirement is stated as follows. For all $n, N \in {\mathbb {N}}$, all $\mathsf {(gpk, gmsk, \textbf{gsk})}$ produced by $\textsf {GKeygen}(1^n, 1^N)$, all $j \in \{0,\ldots , N-1\}$, and any message $M \in \{0,1\}^*$, we have $\textsf {GVerify}\big (\textsf{gpk}, M, \textsf {GSign}(\textsf{gpk},\textsf{gsk}[j], M)\big )=1$ and $ \textsf {GOpen}\big (\textsf{gpk},\textsf{gmsk}, M, \textsf {GSign}(\textsf{gsk}[j], M)\big )=j.$

In static groups, the security model of Bellare, Micciancio and Warinschi subsumes the desirable security properties of group signatures using two security notions called full anonymity and full traceability.

Full anonymity Full anonymity requires that, without the group manager’s secret key, no efficient adversary can infer the identity of a user from its signatures. The adversary should even be unable to distinguish signatures from two distinct users $j_0,j_1$, even knowing their private keys $\textsf{gsk}[j_0],\textsf{gsk}[j_1]$. Moreover, this should remain true even when the adversary is granted access to an oracle that opens arbitrary message-signature pairs $(M,\Sigma ) \ne (M^\star ,\Sigma ^\star )$, where $(M^\star ,\Sigma ^\star )$ is the challenge pair generated by the challenger on behalf of user $j_b$, for some $b \in \{0,1\}$. Formally, the attacker, modeled as a two-stage adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)$, is run in the first experiment depicted in Fig. 3. The adversary’s advantage is defined as

$$\begin{aligned} {\textbf {Adv}}^\textsf {anon}_{\mathcal{G}\mathcal{S},\mathcal {A}}(n,N) = \left| \Pr [{\textbf {Exp}}^\textsf {anon-1}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N) = 1] - \Pr [{\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N) = 1] \right| . \end{aligned}$$

Definition 10

[Full anonymity, [7]] A group signature is fully anonymous if, for any polynomial N and any PPT adversary ${\mathcal {A}}$, ${\textbf {Adv}}^\textsf {anon}_{\mathcal{G}\mathcal{S},\mathcal {A}}(n,N)$ is a negligible function in the security parameter n.

Full traceability Full traceability mandates that all signatures, even those created by colluding users and the group manager who pool their secrets together, be traceable to a member of the coalition. The attacker is modeled as a two-stage adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)$ which is run in the second experiment of Fig. 3, where it is further granted access to an oracle $\mathcal{G}\mathcal{S}.\textsf{GSign}(\textsf{gpk},\textsf{gsk}[\cdot ],\cdot )$ that returns signatures on behalf of any honest group member. Its success probability against $\mathcal{G}\mathcal{S}$ is measured as

$$\begin{aligned} {\textbf {Succ}}^\textsf {trace}_{\mathcal{G}\mathcal{S},\mathcal {A}}(n,N) = \Pr [{\textbf {Exp}}^\textsf {trace}_{\mathcal{G}\mathcal{S},\mathcal {A}}(n,N)= 1]. \end{aligned}$$

Definition 11

(Full traceability, [7]) A group signature scheme $\mathcal{G}\mathcal{S}$ is fully traceable if for any polynomial N and any PPT adversary ${\mathcal {A}}$, the probability ${\textbf {Succ}}^\textsf {trace}_{\mathcal{G}\mathcal{S},\mathcal {A}}(n,N)$ is negligible in the security parameter n.

5.2 The Underlying Zero-Knowledge Protocol

The group signature scheme that we will present in Sect. 5.3 relies on an extension of the ZKAoK in Sect. 4.2. An encryption layer with operations modulo p is added, and the prover additionally has to prove that the given 2 Regev ciphertexts both encrypt the same $(j_1, \ldots , j_\ell )^\top $ that was included in w. The associated relation is defined as follows.

Definition 12

Define $\mathrm {R_{group}} = \Big \{({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_1, {\textbf{c}}_2), {\textbf{d}}, w, {\textbf{x}}, {\textbf{r}}_1, {\textbf{r}}_2 \Big \} $ as a relation where

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}} \in {\mathbb {Z}}_q^{n \times m}; {\textbf{u}} \in \{0,1\}^{nk}; {\textbf{B}} \in {\mathbb {Z}}_p^{n \times m_E}; \\ \forall i\in \{1,2\}: {\textbf{P}}_i \in {\mathbb {Z}}_p^{\ell \times m_E}; {\textbf{c}}_i = ({\textbf{c}}_{i,1}, {\textbf{c}}_{i,2}) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^\ell ; \\ {\textbf{d}} \in \{0,1\}^{nk}; w= \big ((j_1, \ldots , j_\ell ), ({\textbf{w}}_\ell , \ldots , {\textbf{w}}_1)\big )\in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell ; \\ {\textbf{x}} \in \{0,1\}^m; {\textbf{r}}_1, {\textbf{r}}_2 \in \{0,1\}^{m_E} \end{array}\right. } \end{aligned}$$

satisfy

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \wedge {\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q \\ \forall i\in \{1,2\}: {\textbf{c}}_{i,1} = {\textbf{B}}\cdot {\textbf{r}}_i \bmod p \wedge {\textbf{c}}_{i,2}= {\textbf{P}}_i \cdot {\textbf{r}}_i + \big \lfloor \frac{p}{2}\big \rceil \cdot (j_1, \ldots , j_\ell )^\top \bmod p. \end{array}\right. } \end{aligned}$$

To prove in ZK that the vector $(j_1, \ldots , j_\ell )^T$ involved in the new layer is the same $(j_1, \ldots , j_\ell )^T$ that was included in w, we introduce the following technique.

For each $c \in \{0,1\}$, let $\textsf{extbit}(c) = \left( \begin{array}{c} {\bar{c}} \\ c \\ \end{array} \right) \in \{0,1\}^2. $
For each $b \in \{0,1\}$, we define the permutation $T_b$ that transforms vector ${\textbf{z}} = \left( \begin{array}{c} z_0 \\ z_1 \\ \end{array} \right) \in {\mathbb {Z}}_p^2$ into vector $T_b({\textbf{z}}) = \left( \begin{array}{c} z_b \\ z_{{\bar{b}}} \\ \end{array} \right) $.

Observe that the following equivalence holds: For all $b \in \{0,1\}$ and all ${\textbf{z}} \in {\mathbb {Z}}_p^2$,

$$\begin{aligned} {\textbf{z}} = \textsf{extbit}(j_i) \Leftrightarrow T_b({\textbf{z}}) = \textsf{extbit}(j_i \oplus b). \end{aligned}$$

(11)

In Stern’s framework, this equivalence allows us to prove in ZK the possession of the bit $j_i$, for every $i \in [\ell ]$, by extending $j_i$ to $\textsf{extbit}(j_i)$ and then, by permuting it with a one-time pad $b_i$. Furthermore, to prove that the same $j_i$ is involved in both layers, we will use the same one-time pad in both layers of the protocol.

Embedding this new technique into the protocol in Sect. 4.2, we obtain an argument system for the relation $\mathrm {R_{group}}$. As for the previous two protocols, they also rely on the string commitment scheme from [46], which is statistically hiding and computationally binding if the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard.

Lemma 4

Assume that the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard. Then, there exists a statistical $\textsf{ZKAoK}$ for the relation $\mathrm {R_{group}}$ with perfect completeness and communication cost $\widetilde{{\mathcal {O}}}(\ell \cdot n) + {\mathcal {O}}((m_E + \ell )\cdot \log p)$. In particular:

There exists an efficient simulator that, on input $({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_1, {\textbf{c}}_2)$, outputs an accepted transcript which is statistically close to that produced by the real prover.
There exists an efficient knowledge extractor that, on input of 3 valid responses $(\textrm{RSP}_1, \textrm{RSP}_2, \textrm{RSP}_3)$ to the same commitment $\textrm{CMT}$, outputs $({\textbf{d}}', w', {\textbf{x}}', {\textbf{r}}'_1, {\textbf{r}}'_2)$ such that
$$\begin{aligned} \big (({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_1, {\textbf{c}}_2), {\textbf{d}}', w', {\textbf{x}}', {\textbf{r}}'_1, {\textbf{r}}'_2\big ) \in \mathrm {R_{group}}. \end{aligned}$$

The description and analysis of the argument system are given in “Appendix C”.

5.3 Our Construction

Let n be the security parameter, and $N = 2^\ell = \textsf{poly}(n)$ be the maximum expected number of group users. Parameters $m,q,k, \kappa $ and the random oracle ${\mathcal {H}}_{\textsf{FS}}$ are defined as in the ring signature scheme in Sect. 4.3. To employ the $\ell $-bit version of Regev’s encryption scheme, we will also need prime modulus $p = \widetilde{{\mathcal {O}}}(n^{1.5})$, parameter $m_E = 2(n+\ell )\lceil \log p\rceil $, and an LWE error distribution $\chi = D_{{\mathbb {Z}}, 2\sqrt{n}}$.

GKeygen$(1^n,1^N)$:

: This algorithm begins by sampling a uniformly random matrix ${\textbf{A}} \xleftarrow {\$} {\mathbb {Z}}_q^{n \times m}$. Then, it performs the following steps:

1.:

For each $j \in [0,N-1]$, sample a random binary vector ${\textbf{x}}_j \xleftarrow {\$} \{0,1\}^m$ and compute ${\textbf{d}}_j = \textsf{bin}({\textbf{A}}\cdot {\textbf{x}}_j \bmod q) \in \{0,1\}^{nk}$. In the unlikely event that $\{\textbf{d}_j\}_{j=0}^{N-1}$ are not pairwise distinct, restart the process. Otherwise, define the set $R = ({\textbf{d}}_0, \ldots , {\textbf{d}}_{N-1})$.

2.:

Run algorithm $\textsf{TAcc}_{{\textbf{A}}}(R)$ to build the Merkle tree based on R and the hash function $h_{{\textbf{A}}}$, and obtain the root ${\textbf{u}} \in \{0,1\}^{nk}$.

3.:

For each $j \in [0, N-1]$, run algorithm $\textsf{TWitness}_{{\textbf{A}}}(R, {\textbf{d}}_j)$ to output a witness

$$\begin{aligned} w^{(j)} = \big ( (j_1, \ldots , j_\ell ) \in \{0,1\}^\ell , ({\textbf{w}}_\ell ^{(j)}, \ldots , {\textbf{w}}_1^{(j)}) \in (\{0,1\}^{nk})^\ell \big ) \end{aligned}$$

to the fact that ${\textbf{d}}_j$ was accumulated in ${\textbf{u}}$. (Note that $(j_1, \ldots , j_\ell )$ is the binary representation of j.) Then define $\textsf{gsk}[j] = ({\textbf{x}}_j, {\textbf{d}}_j, w^{(j)})$.^{Footnote 3}

4.:

Sample ${\textbf{B}} \xleftarrow {\$} {\mathbb {Z}}_p^{n \times m_E}$. For $i \in \{ 1,2\}$, sample ${\textbf{S}}_i\xleftarrow {\$} {\mathbb {Z}}_p^{n \times \ell }$, ${\textbf{E}}_i \hookleftarrow \chi ^{\ell \times m_E}$, and compute ${\textbf{P}}_i = {\textbf{S}}_i^\top \cdot {\textbf{B}} + {\textbf{E}}_i \in {\mathbb {Z}}_p^{\ell \times m_E}$.

5.:

Output

$$\begin{aligned} \textsf{gpk}:= \left\{ {\textbf{A}}, {\textbf{u}}, {\textbf{B}},{\textbf{P}}_1,{\textbf{P}}_2 \right\} ; \textsf{gmsk}:= {\textbf{S}}_1; \textbf{gsk}:= ( \textsf{gsk}[0],\ldots ,\textsf{gsk}[N-1] ). \end{aligned}$$

GSign:

$(\textsf{gpk},\textsf{gsk}[j], M)$: To sign $M \in \{0,1\}^*$ using $\textsf{gsk}[j] = ({\textbf{x}}_j, {\textbf{d}}_j, w^{(j)})$, where $ w^{(j)} = \big ( (j_1, \ldots , j_\ell ), ({\textbf{w}}_\ell ^{(j)}, \ldots , {\textbf{w}}_1^{(j)}) \big )$, the user conducts the following steps:

1.:

Encrypt $(j_1, \ldots , j_\ell ) \in \{0,1\}^\ell $ twice using Regev’s encryption scheme. Namely, for each $i \in \{1,2\}$, sample ${\textbf{r}}_i \xleftarrow {\$} \{0,1\}^{m_E}$ and compute

$$\begin{aligned} {\textbf{c}}_i= & {} ({\textbf{c}}_{i,1}, {\textbf{c}}_{i,2}) \\ {}= & {} \Bigl ( {\textbf{B}}\cdot {\textbf{r}}_i \bmod p, ~ {\textbf{P}}_i\cdot {\textbf{r}}_i + \big \lceil \frac{p}{2} \big \rfloor \cdot (j_1, \ldots , j_\ell )^\top \bmod p \Bigr ) \in {\mathbb {Z}}_p^{n} \times {\mathbb {Z}}_p^\ell . \end{aligned}$$

2.:

Generate a NIZKAoK $\Pi _{\textsf{group}}$ in order to demonstrate the possession of a valid tuple $\tau = \big ({\textbf{x}}_j, {\textbf{d}}_j, w^{(j)}, {\textbf{r}}_1, {\textbf{r}}_2 \big )$, where $w^{(j)} = \big ( (j_1, \ldots , j_\ell ), ({\textbf{w}}_\ell ^{(j)}, \ldots , {\textbf{w}}_1^{(j)}) \big )$, such that:

(a):: ${\textbf{A}}\cdot {\textbf{x}}_j = {\textbf{G}}\cdot {\textbf{d}}_j \bmod q$ and $\textsf{TVerify}_{{\textbf{A}}}\big ( {\textbf{u}}, {\textbf{d}}_j, w^{(j)} \big ) =1$.
(b):: ${\textbf{c}}_1$ and ${\textbf{c}}_2$ are both correct encryptions of $(j_1, \ldots , j_\ell )$ with randomness ${\textbf{r}}_1$ and ${\textbf{r}}_2$, respectively.

This is done by running the protocol in Sect. 5.2 with public input $({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}, {\textbf{c}}_{2})$ and prover’s witness $\tau $ defined above. The protocol is repeated $\kappa = \omega (\log n)$ times to achieve negligible soundness error and made non-interactive via the Fiat–Shamir heuristic as a triple $\Pi _{\textsf{group}}= (\{\textrm{CMT}_i\}_{i=1}^\kappa , \textrm{CH}, \{\textrm{RSP}_i\}_{i=1}^\kappa )$, where

$$\begin{aligned} \textrm{CH} = {\mathcal {H}}_{\textsf{FS}}\big (M, (\{\textrm{CMT}_i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}, {\textbf{c}}_{2}\big ) \in \{1,2,3\}^\kappa . \end{aligned}$$

3.:

Output the group signature $\Sigma = (\Pi _{\textsf{group}}, {\textbf{c}}_1, {\textbf{c}}_2)$.

GVerify$(\textsf{gpk}, M, \Sigma )$:

: This algorithm proceeds as follows:

1.:: Parse $\Sigma $ as $\Sigma = \big (\{\textrm{CMT}_i\}_{i=1}^\kappa , (Ch_1, \ldots , Ch_\kappa ), \{\textrm{RSP}_i\}_{i=1}^\kappa , {\textbf{c}}_1, {\textbf{c}}_2\big )$. If $(Ch_1, \ldots , Ch_\kappa ) \ne {\mathcal {H}}_{\textsf{FS}}\big (M, (\{\textrm{CMT}_i\}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}, {\textbf{c}}_{2}\big )$, then return 0.
2.:: For each $i = 1$ to $\kappa $, run the verification phase of the protocol in Sect. 5.2 with public input $({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}, {\textbf{c}}_{2})$ to check the validity of $\textrm{RSP}_i$ w.r.t. $\textrm{CMT}_i$ and $Ch_i$. If any of the conditions does not hold, then return 0.
3.:: Return 1.

GOpen$(\textsf{gpk},\textsf{gmsk}, \Sigma , M)$::

On input $\textsf{gmsk}= {\textbf{S}}_1$ and a group signature $\Sigma = (\Pi _{\textsf{group}}, {\textbf{c}}_1, {\textbf{c}}_2)$ on message M, this algorithm decrypts ${\textbf{c}}_1 = ({\textbf{c}}_{1,1}, {\textbf{c}}_{1,2})$ and returns an index $j \in [0,N-1]$, as follows:

1.:: Compute $(j'_1, \ldots , j'_\ell )= {\textbf{c}}_{1,2} - {\textbf{S}}_1^\top \cdot {\textbf{c}}_{1,1} \in {\mathbb {Z}}_p^\ell $.
2.:: For each $i \in [\ell ]$, if $j'_i$ is closer to 0 than to $\lceil \frac{p}{2} \rfloor $ modulo p, then let $j_i = 0$; otherwise, let $j_i = 1$.
3.:: Output index $j \in [0,N-1]$ that has binary representation $(j_1, \ldots , j_\ell )$.

Efficiency The public key consists of a constant number of matrices over ${\mathbb {Z}}_q$ and ${\mathbb {Z}}_p$, where q and p are small moduli. The group signature has bit-size $\kappa \cdot \big (\widetilde{{\mathcal {O}}}(\ell \cdot n) + {\mathcal {O}}((m_E + \ell )\cdot \log p)\big )= \widetilde{{\mathcal {O}}}(\log N\cdot n)$. The scheme is dramatically more efficient than previous lattice-based realizations of group signatures. Indeed, its most important advantage is that it does not require any party to hold a GPV trapdoor. As observed by Lyubashevsky [60], lattice-based signatures without trapdoor can be made significantly more efficient.

Correctness The correctness of algorithm $\textsf{GVerify}$ follows directly from the correctness of the accumulator scheme in Sect. 3, and the completeness of the argument system in Sect. 5.2. As for the correctness of algorithm $\textsf{GOpen}$, it suffices to note that

$$\begin{aligned} {\textbf{c}}_{1,2} - {\textbf{S}}_1^\top \cdot {\textbf{c}}_{1,1}= & {} ({\textbf{S}}_1^\top \cdot {\textbf{B}} + {\textbf{E}}_1)\cdot {\textbf{r}}_1 + \big \lceil \frac{p}{2} \big \rfloor \cdot (j_1, \ldots , j_\ell )^\top - {\textbf{S}}_1^\top \cdot {\textbf{B}}\cdot {\textbf{r}}_1 \\= & {} {\textbf{E}}_1\cdot {\textbf{r}}_1 + \big \lceil \frac{p}{2} \big \rfloor \cdot (j_1, \ldots , j_\ell )^\top \bmod p, \end{aligned}$$

and $\Vert {\textbf{E}}_1 \cdot {\textbf{r}}_1\Vert _\infty < p/4$ with overwhelming probability, for the given setting of parameters, and the decryption algorithm should return $(j_1, \ldots , j_\ell )^\top $.

Security The full traceability property of our scheme is stated in Theorem 7. In the proof, we prove that any adversary with noticeable probability of evading traceability implies an algorithm for either breaking the security of the underlying accumulator of Sect. 3, breaking the computational soundness of the argument system in Sect. 5.2, or solving an instance of the $\textsf{SIS}^\infty _{n,m,q,1}$ problem.

Theorem 7

The scheme provides full traceability in the random oracle model if the $\textsf{SIVP}_{\widetilde{{\mathcal {O}}}(n)}$ problem is hard.

Proof

For the sake of contradiction, let us assume that an adversary $\mathcal {A}$ can win the full traceability experiment with noticeable advantage $\epsilon $. We build an algorithm $\mathcal {B}$ that solves a $\textsf{SIS}^\infty _{n,m,q,1}$ instance $\textbf{A}$ with non-negligible probability.

To this end, the reduction $\mathcal {B}$ faithfully runs the $\textsf{GKeygen}$ algorithm and thus provides the adversary with a public key $\textsf{gpk}$ that has exactly the prescribed distribution. This also allows the reduction $\mathcal {B}$ to have at disposal all users’ private keys $ \textsf{gsk}[j] = ({\textbf{x}}_j, {\textbf{d}}_j, w^{(j)})$, where ${\textbf{u}}=\textsf{TAcc}_{\textbf{A}}(\textbf{d}_0,\ldots ,\textbf{d}_1)$ and $\textbf{d}_{j}=\textsf{bin}(\textbf{A} \cdot \textbf{x}_{j}) \in \{0,1\}^{nk}$ for each $j \in \{0,\ldots ,N-1\}$. For this reason, $\mathcal {B}$ can consistently answer all user corruption queries and, at each signing query (j, M), return a valid signature on behalf of user j by following the exact specification of the signing algorithm.

When the adversary $\mathcal {A}$ halts, it outputs a pair $(M^\star ,\Sigma ^\star )$ that presumably opens to some honest user $j^\star \in \{0,\ldots ,N-1\} \setminus {\mathcal {C}}$, where ${\mathcal {C}}$ denotes the set of corrupted users at the end of the game. If we parse $\Sigma ^\star $ as $(\Pi _{\textsf{group}}^\star , {\textbf{c}}_1^\star , {\textbf{c}}_2^\star )$ and the proof of knowledge $\Pi _{\textsf{group}}^\star $ as $ (\{\textrm{CMT}_i^\star \}_{i=1}^\kappa , \textrm{CH}^\star , \{\textrm{RSP}^\star \}_{i=1}^\kappa )$, with overwhelming probability, the adversary must have queried the random oracle ${\mathcal {H}}_{\textsf{FS}}$ on the input $\big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}^\star , {\textbf{c}}_{2}^\star \big )$. Otherwise, the probability that $\textrm{CH}^\star = {\mathcal {H}}_{\textsf{FS}} \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}^\star , {\textbf{c}}_{2}^\star \big )$ would be at most $3^{-\kappa }$, which is negligible. With probability at least $ \epsilon ':= \epsilon - 3^{-\kappa } $, the tuple $ \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}^\star , {\textbf{c}}_{2}^\star \big )$ must have been the input of a random oracle query and we denote by $t^\star \in \{1,\ldots ,Q_H\}$ the index of that specific query.

Then, the reduction $\mathcal {B}$ triggers up to $32 \cdot Q_H / (\epsilon - 3^{-\kappa })$ additional executions of the adversary $\mathcal {A}$ with the same random tape and input as in the original run. As usual in proofs based on the Forking Lemma, all queries receive exactly the same answers as in the initial run until the $t^\dagger $-th random oracle query. Namely, the first $t^\star -1$ ${\mathcal {H}}_{\textsf{FS}}$-queries—which necessarily coincide with those of the initial run since $\mathcal {A}$ is fed with the same random tape—receive the same answers $\textrm{CH}_1,\ldots , \textrm{CH}_{t^\star -1}$ as in the first execution. For this reason, the $t^\star $-th query is guaranteed to involve exactly the same input $ \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}^\star , {\textbf{c}}_{2}^\star \big )$ as in the first run. From the $t^\star $-th query forward, $\mathcal {A}$’s random oracle queries receive fresh and independent responses $\textrm{CH}_{t^\star }',\ldots ,\textrm{CH}_{Q_H}'$ at each new execution. The Forking Lemma of Brickell et al. [19] ensures that, with probability $\ge 1/2$, the reduction $\mathcal {B}$ manages to obtain a 3-fork involving the same tuple

$$\begin{aligned} \big (M^\star , \{\textrm{CMT}_i^\star \}_{i=1}^\kappa , {\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_{1}^\star , {\textbf{c}}_{2}^\star \big ) \end{aligned}$$

with pairwise distinct answers $\textrm{CH}_{t^\star }^{(1)}, \textrm{CH}_{t^\star }^{(2)}, \textrm{CH}_{t^\star }^{(3)} \in \{1,2,3\}^\kappa $. With probability $1-(7/9)^\kappa $, the results of [19] imply that there exists $j \in \{1,\ldots ,\kappa \}$ for which the j-th bits of the challenges $\textrm{CH}_{t^\star }^{(1)}, \textrm{CH}_{t^\star }^{(2)}, \textrm{CH}_{t^\star }^{(3)}$ are

$$\begin{aligned} ({Ch}_{t^\star ,j}^{(1)}, {Ch}_{t^\star ,j}^{(2)}, {Ch}_{t^\star ,j}^{(3)} )=(1,2,3). \end{aligned}$$

Theorem 3 ensures that, from the responses $({ \textrm{RSP}^\star }^{(1)},{ \textrm{RSP}^\star }^{(2)},{ \textrm{RSP}^\star }^{(3)})$, the reduction $\mathcal {B}$ is able to extract witnesses

$$\begin{aligned} (\textbf{x}^\star ,\textbf{d}^\star ,w^\star ,\textbf{r}_1^\star ,\textbf{r}_2^\star ), \end{aligned}$$

where $w^\star = \big ( (j_1^\star ,\ldots , j_\ell ^\star ), (\textbf{w}_{\ell }^\star , \ldots , \textbf{w}_{1}^\star ) \big )$ such that $(j_1^\star ,\ldots , j_\ell ^\star ) \in \{0,1\}^\ell $ is the binary expansion of some integer $j^\star \in \{0,\ldots ,N-1\}$ and

$$\begin{aligned} \textbf{A} \cdot \textbf{x}^\star = \textbf{G} \cdot \textbf{d}^\star \bmod q, \quad \text { and } \quad \textsf{TVerify}_{\textbf{A}}\big ( \textbf{u},\textbf{d}^\star ,w^\star \big )=1. \quad \end{aligned}$$

(12)

At this point, we distinguish two cases:

$\textbf{d}^\star \not \in R=(\textbf{d}_0,\ldots ,\textbf{d}_{N-1})$. In this case, the second condition of (12) immediately implies a breach in the security of the accumulator.
$\textbf{d}^\star \in R=(\textbf{d}_0,\ldots ,\textbf{d}_{N-1})$, so that $\textbf{d}^\star =\textbf{d}_{j^\star }$. Note that $\{\textbf{d}_j \}_{j=0}^{N-1}$ are pairwise distinct, as ensured by the $\textsf{GKeyen}$ algorithm.

The soundness of the argument system implies that $\textbf{c}_1^\star $ decrypts to $(j_1^\star ,\ldots , j_\ell ^\star ) \in \{0,1\}^\ell $ which, in turn, implies that $\mathcal {A}$ did not obtain the private key $\textsf{gsk}[j^\star ] $ of user $j^\star \in \{0,\ldots ,N-1\} \backslash {\mathcal {C}}$. Recall that $\textsf{gsk}[j^\star ] $ contains a vector $\textbf{x}_{j^\star } \in \{0,1\}^m$, which was initially chosen by $\mathcal {B}$ and satisfies
$$\begin{aligned} \textbf{G} \cdot \textbf{d}_{j^\star } = \textbf{A} \cdot \textbf{x}_{j^\star } \bmod q. \end{aligned}$$
Since $\mathcal {A}$ did not obtain $\textsf{gsk}[j^\star ] $, we claim that $\textbf{x}_{j^\star } \ne \textbf{x}^\star $ with probability at least 1/2. In this case, we clearly have a $\textsf{SIS}$ solution since the first condition of (12) implies that $\textbf{A} \cdot (\textbf{x}_{j^\star } - \textbf{x}^\star ) = 0 \bmod q$. We are left with the task of arguing that $\textbf{x}_{j^\star } \ne \textbf{x}^\star $ with noticeable probability. To this end, we remark that $\mathcal {A}$ may learn $\textbf{d}_{j^\star }=\textsf{bin}(\textbf{A} \cdot \textbf{x}_{j^\star } \bmod q)$, which it can possibly obtain by corrupting $\textsf{gsk}[j^\star +1]$ or $\textsf{gsk}[j^\star -1]$. However, Lemma 3 implies that there exists at least another vector $\textbf{x}^\star \ne \textbf{x}_{j^\star } $ such that $\textbf{d}_{j^\star }=\textsf{bin}(\textbf{A} \cdot \textbf{x}^\star \bmod q)$. Moreover, since the argument system of Definition 4 is statistically WI,^{Footnote 4} signing queries of the form $(j^\star ,.)$ only reveal a negligible amount of information as to which witness among $\textbf{x}^\star $ and $\textbf{x}_{j^\star } $ is used to answer signing queries. With probability at least 1/2, the extracted vector $\textbf{x}^\star $ is thus different from $ \textbf{x}_{j^\star } $, as claimed.

We conclude that a successful forger $\mathcal {A}$ implies an algorithm that either directly solves a $\textsf{SIS}$ instance, defeats the security of the $\textsf{SIS}$-based accumulator of Sect. 3, or breaks the soundness of the zero-knowledge argument system for the relation $\mathrm {R_{group}}$. Since the latter also relies on the $\textsf{SIS}$ assumption if the underlying commitment is the state-of-the-art $\textsf{SIS}$-based statistically hiding commitment [46], we conclude that the scheme provides full traceability in the random oracle model under the $\textsf{SIS}$ assumption. $\square $

The proof of full anonymity relies on the fact that applying the Naor-Yung paradigm [67] to Regev’s cryptosystem yields an IND-CCA2 secure cryptosystem. (A similar argument was used by Benhamouda et al. [11] for an NTRU-like encryption scheme.) Indeed, the argument system of Definition 12 implies that $\textbf{c}_1$ and $\textbf{c}_2$ encrypt the same message. In the random oracle model, it was already observed by Fouque and Pointcheval [34] (see [12] for a more general treatment) that applying the Fiat–Shamir heuristic to $\Sigma $-protocols can give simulation-sound proofs [78]. Similarly to [12, 34], the proof of Theorem 8 relies on the fact that applying Fiat–Shamir to the argument system of Definition 12 yields a simulation-sound NIZK argument in the random oracle model if the underlying commitment is computationally binding. This holds even though this argument system does not have the standard special soundness property (i.e., three accepting conversations for distinct challenges are necessary to extract a witness). Simulation-soundness is actually implied by Lemma 4: suppose that $\textbf{c}_1$ and $\textbf{c}_2$ encrypt distinct $\ell $-bit strings. This means that there exists no binary vector $(\textbf{r}_1^T \mid \textbf{r}_2^T)^T$ such that

$$\begin{aligned} \left[ \begin{array}{c|c} \textbf{B} ~&{}~-\textbf{B} \\ \hline \textbf{P}_1 ~&{}~ -\textbf{P}_2 \end{array}\right] \cdot \begin{bmatrix} \textbf{r}_1 \\ \hline \textbf{r}_2 \end{bmatrix} = \begin{bmatrix} \textbf{c}_{1,1} - \textbf{c}_{2,1} \\ \textbf{c}_{2,1} - \textbf{c}_{2,2} \end{bmatrix}. \end{aligned}$$

Now, recall that the computational soundness of all Stern-type protocols is proved by showing that the knowledge extractor obtains either a set of valid witnesses or breaks the binding property of the underlying commitment scheme. Given that the witnesses do not exist if the statement is false, by rewinding a simulation-soundness adversary sufficiently many times, the knowledge extractor necessarily extracts two openings of a given commitment.

Theorem 8

The scheme provides full anonymity if the $\textsf{LWE}_{n,p,\chi }$ problem is hard, and if the argument system is simulation-sound.

The proof of Theorem 8 is similar to [78].

Proof

We prove the result using a sequence of games. In the first game, the challenger runs experiment ${\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)$ whereas, in the last game, it runs experiment ${\textbf {Exp}}^\textsf {anon-1}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)$. For each i, we denote by $W_i$ the event that the adversary outputs 1 in Game i.

Game 0::: This is the real experiment ${\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)$, where the adversary obtains a challenge signature $\Sigma ^\star \leftarrow \textsf{GSign}(\textsf{gpk},\textsf{gsk}[j_0],M^\star )$ in the challenge phase. The only difference is that, when $\textsf{gpk}$ is generated, the challenger $\mathcal {B}$ retains the second Regev decryption key $\textbf{S}_2 \in \mathbb {Z}_p^{n \times \ell }$ instead of erasing it. Still, $\mathcal {A}$’s view is exactly the same as in ${\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)$. If we define $W_0$ to be the event that the adversary outputs $b'=1$ in the end of the game, we thus have $\Pr [W_0]= \Pr [{\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)=1]$.
Game 1::: This game is like Game 0 with one modification in the signature opening oracle $\mathcal{G}\mathcal{S}.\textsf{GOpen}(\textsf{gpk},\textsf{gmsk},.,.)$. Namely, instead of opening signatures using the real $\textsf{gmsk}=\textbf{S}_1 \in \mathbb {Z}_p^{n \times \ell }$, the opening oracle opens them using the auxiliary Regev decryption key $\textbf{S}_2 \in \mathbb {Z}_p^{n \times \ell }$. It is easy to see that $\mathcal {A}$’s view will be the same as in Game 0 until that event $F_1$ that $\mathcal {A}$ queries the opening of a signature $\Sigma = (\Pi _{\textsf{group}}, {\textbf{c}}_1, {\textbf{c}}_2)$ for which $\textbf{c}_1$ and $\textbf{c}_2$ encrypt distinct $\ell $-bit strings. Since event $F_1$ could clearly break the soundness of the argument system for relation $\mathrm {R_{group}}$, we have $|\Pr [W_1]-\Pr [W_0]|\le \Pr [F_1] \le \textbf{Adv}^{\textsf{sound}}_\mathcal {B}(n) $. If the proof system uses a commitment scheme based on the $\textsf{SIS}$ assumption, the $\textsf{LWE}$ assumption thus implies that $|\Pr [W_1]-\Pr [W_0]|\in \textsf{negl}(n)$.
Game 2::: This game is identical to Game 1 with one modification. Instead of computing $\Pi _{\textsf{group}}$ as a real proof using the witnesses $\textbf{r}_1,\textbf{r}_2$, the challenger $\mathcal {B}$ appeals to the simulator of Theorem 3 to generate a simulated proof by programming the random oracle ${\mathcal {H}}_{\textsf{FS}}$. Note that, since $\textbf{c}_1$ and $\textbf{c}_2$ still encrypt the same $\ell $-bit string, $\Pi _{\textsf{group}}$ is a simulated proof for a true statement. Its distributions is thus statistically close to that of Game 1. We have $\Pr [W_2] \approx \Pr [W_1]$.
Game 3::: In this game, we modify the distribution of the challenge signature $\Sigma ^\star = (\Pi _{\textsf{group}}^\star , {\textbf{c}}_1^\star , {\textbf{c}}_2^\star )$. Here, we compute $\textbf{c}_1^\star $ by encrypting the $\ell $-bit binary representation of $j_1$ (instead of $j_0$). The semantic security of Regev’s encryption scheme for the public key $(\textbf{B},\textbf{P}_1)$ (which is implied by the $\textsf{LWE}$ assumption and can be relied on since $\mathcal {B}$ does not use $\textbf{S}_1$ for now) ensures that $|\Pr [W_3]-\Pr [W_2]| \in \textsf{negl}(n)$.
Game 4::: This game is identical to Game 3 except that we modify again the signature opening oracle $\mathcal{G}\mathcal{S}.\textsf{GOpen}(\textsf{gpk},\textsf{gmsk},.,.)$. Instead of opening signatures using $\textbf{S}_2 \in \mathbb {Z}_p^{n \times \ell }$ at step 1 of the $\textsf{GOpen}$ algorithm, we switch back to using the real opening key $\textsf{gmsk}=\textbf{S}_1 \in \mathbb {Z}_p^{n \times \ell }$. It is easy to see that $\mathcal {A}$’s view will remain unchanged until the event $F_4$ that $\mathcal {A}$ invokes the oracle $\mathcal{G}\mathcal{S}.\textsf{GOpen}(\textsf{gpk},\textsf{gmsk},.,.)$ on a signature $\Sigma = (\Pi _{\textsf{group}}, {\textbf{c}}_1, {\textbf{c}}_2)$ where $\textbf{c}_1$ and $\textbf{c}_2$ encrypt distinct strings. A standard argument shows that event $F_4$ would contradict the simulation-soundness of the proof system for relation $\mathrm {R_{group}}$: we have $|\Pr [W_4]-\Pr [W_3]|\le \Pr [F_4] \le \textbf{Adv}^{\textsf{ss}\text {-}\textsf{sound}}_\mathcal {B}(1^n) $. Lemma 4 implies that $\textbf{Adv}^{\textsf{ss}\text {-}\textsf{sound}}_\mathcal {B}(n) \in \textsf{negl}(n) $ under the $\textsf{SIS}$ assumption.
Game 5::: We modify again the distribution of the challenge signature $\Sigma ^\star = (\Pi _{\textsf{group}}^\star , {\textbf{c}}_1^\star , {\textbf{c}}_2^\star )$. Now, $\textbf{c}_2^\star $ is also computed by encrypting the binary representation of $j_1$ (instead of $j_0$). The semantic security of Regev’s encryption scheme with respect to $(\textbf{B},\textbf{P}_2)$ (which is implied by the $\textsf{LWE}$ assumption) implies that $|\Pr [W_5]-\Pr [W_4]| \in \textsf{negl}(n)$. Note that $\textbf{c}_1^\star $ and $\textbf{c}_2^\star $ both encrypt the binary expansion of $j_1$ in Game 6, so that $\Pi _{\textsf{group}}^\star $ is a simulated proof for a true statement.
Game 6::: In this game, we modify again the generation of the challenge signature $\Sigma ^\star = (\Pi _{\textsf{group}}^\star , {\textbf{c}}_1^\star , {\textbf{c}}_2^\star )$, for which $\Pi _{\textsf{group}}^\star $ is generated as a real proof using the witnesses $\textbf{r}_1,\textbf{r}_2 \in \{0,1\}^{m_E}$. Since $\Pi _{\textsf{group}}^\star $ was a simulated NIZK argument for a true statement in Game 5, the distribution of $\Pi _{\textsf{group}}^\star $ is statistically close to its distribution in Game 5. Hence, $\Pr [W_6] \approx \Pr [W_5]$. In Game 6, it is easy to see that the adversary’s view is exactly the same as its view in ${\textbf {Exp}}^\textsf {anon-1}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)=1$, so that $\Pr [W_6]= \Pr [{\textbf {Exp}}^\textsf {anon-1}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)=1]$.

When tracing through the whole sequence of games, we find that

$$\begin{aligned} |\Pr [{\textbf {Exp}}^\textsf {anon-1}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)=1]- \Pr [{\textbf {Exp}}^\textsf {anon-0}_{\mathcal{G}\mathcal{S},{\mathcal {A}}}(n,N)=1] | \in \textsf{negl}(n) \end{aligned}$$

assuming that the $\textsf{LWE}$ assumption holds and that the argument system of Lemma 4 is simulation-sound. $\square $

Notes

A lattice-based accumulator was previously claimed in [42]. However, the generation of witnesses can only be performed using the secret key of the system. Moreover, their scheme is seemingly not compact due to the required choice of parameters.
Recall that all ${\mathcal {O}}(\log N)$-size group signatures employ a signature scheme in the standard model (for which all known constructions use trapdoors) in order to smoothly interact with zero-knowledge proofs.
Note that ${\textbf{d}}_j$ can be computed based on ${\textbf{x}}_j$ and public information. Here, we include it in $\textsf{gsk}[j]$ for ease of presentation of Sect. 5 as an extension of Sect. 4.
This is because the basic version (where the challenge space is $\{1,2,3\}$) is statistically ZK, which implies statistical WI when at least two witnesses exist. Moreover, witness indistinguishability is preserved by parallel repetitions.

References

T. Acar, L. Nguyen, Revocation for delegatable anonymous credentials, in PKC 2011. LNCS, vol. 6571 (Springer, 2011), pp. 423–440
C. Aguilar-Melchor, S. Bettaieb, X. Boyen, L. Fousse, P. Gaborit, Adapting Lyubashevsky’s signature schemes to the ring signature setting, in AFRICACRYPT 2013. LNCS, vol. 7918 (Springer, 2013), pp. 1–25
M. Ajtai, Generating hard instances of lattice problems (extended abstract), in STOC 1996 (ACM, 1996), pp. 99–108
G. Ateniese, J. Camenisch, M. Joye, G. Tsudik, A practical and provably secure coalition-resistant group signature scheme, in CRYPTO 2000. LNCS, vol. 1880 (Springer, 2000), pp. 255–270
M. H. Au, Q. Wu, W. Susilo, Y. Mu, Compact E-cash from bounded accumulator, in CT-RSA 2007. LNCS, vol. 4377 (Springer, 2007), pp. 178–195
N. Baric, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in EUROCRYPT 1997. LNCS, vol. 1233 (Springer, 1997), pp. 480–494
M. Bellare, D. Micciancio, B. Warinschi, Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions, in EUROCRYPT 2003. LNCS, vol. 2656 (Springer, 2003), pp. 614–629
E. Ben-Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, M. Virza, Zerocash: decentralized anonymous payments from bitcoin, in IEEE S &P 2014 (IEEE, 2014), pp. 459–474
J. Benaloh, M. de Mare, One-way accumulators: a decentralized alternative to digital signatures, in EUROCRYPT 1993. LNCS, vol. 765 (Springer, 1993), pp. 274–285
A. Bender, J. Katz, R. Morselli. Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. 22(1), 114–138 (2009)
Article MathSciNet MATH Google Scholar
F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, G. Neven, Better zero-knowledge proofs for lattice encryption and their application to group signatures, in ASIACRYPT 2014. LNCS, vol. 8873 (Springer, 2014), pp. 551–572
D. Bernhard, M. Fischlin, B. Warinschi, Adaptive proofs of knowledge in the random oracle model, in PKC 2015. LNCS, vol. 9020 (Springer, 2015), pp. 629–649
D. Boneh, X. Boyen, Short signatures without random oracles, in EUROCRYPT 2004. LNCS, vol. 3027 (Springer, 2004), pp. 223–238
D. Boneh, H. Corrigan-Gibbs, Bivariate polynomials modulo composites and their applications, in ASIACRYPT 2014, Part I. LNCS, vol. 8873 (Springer, 2014), pp. 42–62
D. Boneh, S. Eskandarian, B. Fisch, Post-quantum EPID signatures from symmetric primitives. IACR Cryptology ePrint Archive, 2018:261, 2018. To appear at CT-RSA 2019
J. Bootle, A. Cerulli, P. Chaidos, E. Ghadafi, J. Groth, C. Petit, Short accountable ring signatures based on DDH, in ESORICS 2015. LNCS, vol. 9326 (Springer, 2015)
X. Boyen, Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more, in PKC 2010. LNCS, vol. 6056 (Springer, 2010), pp. 499–517
Z. Brakerski, Y. T. Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model, in IACR Cryptology ePrint Archive, 2010:86, 2010
E. Brickell, D. Pointcheval, S. Vaudenay, M. Yung, Design validations for discrete logarithm based signature schemes, in PKC 2000. LNCS, vol. 1751 (Springer, 2000), pp. 276–292
J. Camenisch, M. Kohlweiss, C. Soriente, An accumulator based on bilinear maps and efficient revocation for anonymous credentials, in PKC 2009. LNCS, vol. 5443 (Springer, 2009), pp. 481–500
J. Camenisch, A. Lysyanskaya, Dynamic accumulators and application to efficient revocation of anonymous credentials, in CRYPTO 2002. LNCS, vol. 2442 (Springer, 2002), pp. 61–76
J. Camenisch, G. Neven, M. Rückert, Fully anonymous attribute tokens from lattices, in SCN 2012. LNCS, vol. 7485 (Springer, 2012), pp. 57–75
S. Canard, A. Gouget, Multiple denominations in E-cash with compact transaction data, in FC 2010. LNCS, vol. 6052 (Springer, 2010), pp. 82–97
D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, Bonsai trees, or how to delegate a lattice basis, in EUROCRYPT 2010. LNCS, vol. 6110 (Springer, 2010), pp. 523–552
D. Catalano, D. Fiore, Vector commitments and their applications, in PKC 2013. LNCS, vol. 7778 (Springer, 2013), pp. 55–72
N. Chandran, J. Groth, A. Sahai, Ring signatures of sub-linear size without random oracles, in ICALP 2007. LNCS, vol. 4596 (Springer, 2007), pp. 423–434
D. Chaum, E. van Heyst. Group signatures, in EUROCRYPT 1991. LNCS, vol. 547 (Springer, 1991), pp. 257–265
S. Cheng, K. Nguyen, H. Wang, Policy-based signature scheme from lattices. Des. Codes Cryptogr. 81(1), 43–74 (2016)
Article MathSciNet MATH Google Scholar
R. del Pino, V. Lyubashevsky, G. Seiler, Lattice-based group signatures and zero-knowledge proofs of automorphism stability, in CCS 2018 (ACM, 2018), pp. 574–591
D. Derler, C. Hanser, D. Slamanig, Revisiting cryptographic accumulators, additional properties and relations to other primitives, in CT-RSA 2015. LNCS, vol. 9048 (Springer, 2015), pp. 127–144
D. Derler, S. Ramacher, D. Slamanig, Post-quantum zero-knowledge proofs for accumulators with applications to ring signatures from symmetric-key primitives, in PQCrypto 2018. LNCS, vol. 10786 (Springer, 2018), pp. 419–440
Y. Dodis, A. Kiayias, A. Nicolosi, V. Shoup, Anonymous identification in ad hoc groups, in EUROCRYPT 2004. LNCS, vol. 3027 (Springer, 2004), pp. 609–626
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, H. Wang, A provably secure group signature scheme from code-based assumptions, in ASIACRYPT 2015, Part I. LNCS, vol. 9452 (Springer, 2015), pp. 260–285
P.-A. Fouque, D. Pointcheval, Threshold cryptosystems secure against chosen-ciphertext attacks, in ASIACRYPT 2001. LNCS, vol. 2248 (Springer, 2001), pp. 351–368
C. Gentry, C. Peikert, V. Vaikuntanathan, Trapdoors for hard lattices and new cryptographic constructions, in STOC 2008 (ACM, 2008), pp. 197–206
O. Goldreich, S. Goldwasser, S. Halevi, Collision-free hashing from lattice problems, in Studies in Complexity and Cryptography. LNCS, vol. 6650 (Springer, 2011), pp. 30–39
S. D. Gordon, J. Katz, V. Vaikuntanathan, A group signature scheme from lattice assumptions, in ASIACRYPT 2010. LNCS, vol. 6477 (Springer, 2010), pp. 395–412
J. Groth, Evaluating security of voting schemes in the universal composability framework, in ACNS 2004. LNCS, vol. 3089 (Springer, 2004), pp. 46–60
J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in ASIACRYPT 2010. LNCS, vol. 6477 (Springer, 2010), pp. 321–340
J. Groth, M. Kohlweiss, One-out-of-many proofs: or how to leak a secret and spend a coin, in EUROCRYPT 2015. LNCS, vol. 9057 (Springer, 2015), pp. 253–280
A. Jain, S. Krenn, K. Pietrzak, A. Tentes, Commitments and efficient zero-knowledge proofs from learning parity with noise, in ASIACRYPT 2012. LNCS, vol. 7658 (Springer, 2012), pp. 663–680
M. P. Jhanwar, R. Safavi-Naini, Compact accumulator using lattices. IACR Cryptology ePrint Archive: Report 2014/1015, February (2015)
A. E. Kaafarani, S. Katsumata, R. Solomon, Anonymous reputation systems achieving full dynamicity from lattices, in Financial Cryptography and Data Security 2018 (2018)
J. Katz, V. Kolesnikov, X. Wang, Improved non-interactive zero knowledge with applications to post-quantum signatures, in CCS 2018 (ACM, 2018), pp. 525–537
A. Kawachi, K. Tanaka, K. Xagawa, Multi-bit cryptosystems based on lattice problems, in PKC 2007. LNCS, vol. 4450 (Springer, 2007), pp. 315–329
A. Kawachi, K. Tanaka, K. Xagawa, Concurrently secure identification schemes based on the worst-case hardness of lattice problems, in ASIACRYPT 2008. LNCS, vol. 5350 (Springer, 2008), pp. 372–389
F. Laguillaumie, A. Langlois, B. Libert, D. Stehlé, Lattice-based group signatures with logarithmic signature size, in ASIACRYPT 2013. LNCS, vol. 8270 (Springer, 2013), pp. 41–61
A. Langlois, S. Ling, K. Nguyen, H. Wang, Lattice-based group signature scheme with verifier-local revocation, in PKC 2014. LNCS, vol. 8383 (Springer, 2014), pp. 345–361
J. Li, N. Li, R. Xue, Universal accumulators with efficient nonmembership proofs, in ACNS 2007. LNCS, vol. 4521 (Springer, 2007), pp. 253–269
B. Libert, S. Ling, F. Mouhartem, K. Nguyen, H. Wang, Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions, in ASIACRYPT 2016. LNCS, vol. 10032 (Springer, 2016), pp. 373–403
B. Libert, S. Ling, F. Mouhartem, K. Nguyen, H. Wang, Adaptive oblivious transfer with access control from lattice assumptions, in ASIACRYPT 2017. LNCS, vol. 10624 (Springer, 2017), pp. 533–563
B. Libert, S. Ling, K. Nguyen, H. Wang. Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors, in EUROCRYPT 2016. LNCS, vol. 9666 (Springer, 2016), pp. 1–31
B. Libert, S. Ling, K. Nguyen, H. Wang. Zero-knowledge arguments for lattice-based prfs and applications to e-cash, in ASIACRYPT 2017. LNCS, vol. 10626 (Springer, 2017), pp. 304–335
B. Libert, S. Ling, K. Nguyen, H. Wang, Lattice-based zero-knowledge arguments for integer relations, in CRYPTO 2018. LNCS, vol. 10992 (Springer, 2018), pp. 700–732
S. Ling, K. Nguyen, D. Stehlé, H. Wang, Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications, in PKC 2013. LNCS, vol. 7778 (Springer, 2013), pp. 107–124
S. Ling, K. Nguyen, H. Wang, Group signatures from lattices: simpler, tighter, shorter, ring-based, in PKC 2015. LNCS, vol. 9020 (Springer, 2015), pp. 427–449
S. Ling, K. Nguyen, H. Wang, Y. Xu, Lattice-based group signatures: achieving full dynamicity (and deniability) with ease. Theor. Comput. Sci. 783, 71–94 (2019)
Article MathSciNet MATH Google Scholar
H. Lipmaa, Secure accumulators from Euclidean rings without trusted setup, in ACNS 2012. LNCS, vol. 7341 (Springer, 2012), pp. 224–240
V. Lyubashevsky, Lattice-based identification schemes secure under active attacks, in PKC 2008. LNCS, vol. 4939 (Springer, 2008), pp. 162–179
V. Lyubashevsky, Lattice signatures without trapdoors, in EUROCRYPT 2012. LNCS, vol. 7237 (Springer, 2012), pp. 738–755
R.C. Merkle, A certified digital signature, in CRYPTO 1989. LNCS, vol. 435 (Springer, 1989), pp. 218–238
D. Micciancio, P. Mol, Pseudorandom knapsacks and the sample complexity of LWE search-to-decision reductions, in CRYPTO 2011. LNCS, vol. 6841 (Springer, 2011), pp. 465–484
D. Micciancio, C. Peikert, Hardness of SIS and LWE with small parameters, in CRYPTO 2013, Part I. LNCS, vol. 8042 (Springer, 2013), pp. 21–39
D. Micciancio, O. Regev, Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007)
Article MathSciNet MATH Google Scholar
I. Miers, C. Garman, M. Green, A. D. Rubin, Zerocoin: anonymous distributed E-cash from bitcoin, in IEEE S &P 2013 (IEEE, 2013), pp. 397–411
M. Naor, On cryptographic assumptions and challenges, in CRYPTO 2003. LNCS, vol. 2729 (Springer, 2003), pp. 96–109
M. Naor, M. Yung, Public-key cryptosystems provably secure against chosen ciphertext attacks, in STOC 1990 (ACM, 1990), pp. 427–437
K. Nguyen, H. Tang, H. Wang, N. Zeng, New code-based privacy-preserving cryptographic constructions, in ASIACRYPT 2019. LNCS, vol. 11922 (Springer, 2019), pp. 25–55
L. Nguyen, Accumulators from bilinear pairings and applications, in CT-RSA 2005. LNCS, vol. 3376 (Springer, 2005), pp. 275–292
P. Q. Nguyen, J. Zhang, Z. Zhang, Simpler efficient group signatures from lattices, in PKC 2015. LNCS, vol. 9020 (Springer, 2015), pp. 401–426
C. Papamanthou, E. Shi, R. Tamassia, K. Yi, Streaming authenticated data structures, in EUROCRYPT 2013. LNCS, vol. 7881 (Springer, 2013), pp. 353–370
C. Papamanthou, R. Tamassia, N. Triandopoulos, Authenticated hash tables, in ACM-CCS 2008 (ACM, 2008), pp. 437–448
C. Peikert, Public-key cryptosystems from the worst-case shortest vector problem: extended abstract, in STOC 2009 (ACM, 2009), pp. 333–342
C. Peikert, V. Vaikuntanathan, B. Waters, A framework for efficient and composable oblivious transfer, in CRYPTO 2008. LNCS, vol. 5157 (Springer, 2008), pp. 554–571
M. Prabhakaran, R. Xue, Statistically hiding sets, in CT-RSA 2009. LNCS, vol. 5473 (Springer, 2009), pp. 100–116
O. Regev, On lattices, learning with errors, random linear codes, and cryptography, in STOC 2005 (ACM, 2005), pp. 84–93
R. L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in ASIACRYPT 2001. LNCS, vol. 2248 (Springer, 2001), pp. 552–565
A. Sahai, Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security, in FOCS 1999 (1999), pp. 543–553
J. Stern, A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
Article MathSciNet MATH Google Scholar
G. Tsudik, S. Xu, Accumulating composites and improved group signing, in ASIACRYPT 2003. LNCS, vol. 2894 (Springer, 2003), pp. 269–286
R. Xue, N. Li, J. Li, Algebraic construction for zero-knowledge sets. J. Comput. Sci. Technol. 23(2), 166–175 (2008)
Article MathSciNet Google Scholar

Download references

Acknowledgements

We would like to thank the anonymous reviewers for helpful comments and suggestions. Benoît Libert was supported by the “Programme Avenir Lyon Saint-Etienne de l’Université de Lyon” in the framework of the programme “Investissements d’Avenir” (ANR-11-IDEX-0007), by the French ANR ALAMBIC Project (ANR-16-CE39-0006) and by the European Union PROMETHEUS Project (Horizon 2020 Research and Innovation Program, Grant 780701). San Ling, Khoa Nguyen and Huaxiong Wang were supported by the Singapore Ministry of Education under Research Grant MOE2019-T2-2-083. Khoa Nguyen was also partially supported by Vietnam National University HoChiMinh City (VNU-HCM) under Grant Number NCM2019-18-01.

Funding

Open Access funding enabled and organized by CAUL and its Member Institutions

Author information

Authors and Affiliations

CNRS, Laboratoire LIP, Lyon, France
Benoît Libert
ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), Lyon, France
Benoît Libert
School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
San Ling, Khoa Nguyen & Huaxiong Wang
Institute of Cybersecurity and Cryptology, School of Computing and Information Technology, University of Wollongong, Wollongong, Australia
Khoa Nguyen

Authors

Benoît Libert
View author publications
You can also search for this author in PubMed Google Scholar
San Ling
View author publications
You can also search for this author in PubMed Google Scholar
Khoa Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Huaxiong Wang
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Khoa Nguyen.

Additional information

Communicated by Daniele Micciancio.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article is the full version of [52], which was published in the proceedings of EUROCRYPT 2016.

Appendices

Proof of Theorem 1

Proof

It can be checked that the protocol has perfect completeness: If an honest prover follows the protocol, then it always gets accepted by the verifier. It is also easy to see that the communication cost is bounded by ${{\mathcal {O}}}\big (\sum _{i=1}^\nu d_i \cdot \log q_i\big )$. We now prove that the protocol is a statistical zero-knowledge argument of knowledge.

Zero-Knowledge Property We will construct a PPT simulator $\textsf{SIM}$ interacting with a (possibly dishonest) verifier $\widehat{{\mathcal {V}}}$, such that, given the public input $\{({\textbf{M}}_i, {\textbf{u}}_i)\}_{i \in [\nu ]}$, it outputs with probability negligibly close to 2/3 a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.

The simulator first chooses a random ${\overline{Ch}} \in \{1,2,3\}$ as a prediction of the challenge value that $\widehat{{\mathcal {V}}}$ will not choose.

Case ${\overline{Ch}}=1$: For every $i\in [\nu ]$, the simulator uses basic linear algebra over ${\mathbb {Z}}_{q_i}$ to compute vector ${\textbf{w}}'_i \in {\mathbb {Z}}_{q_i}^{d_i}$ such that ${\textbf{M}}_i\cdot {\textbf{w}}'_i = {\textbf{u}}_i \bmod q_i$. Let ${\textbf{w}}' = ({\textbf{w}}'_1 \Vert \ldots \Vert {\textbf{w}}'_\nu )$.

Next, it samples $\phi \xleftarrow {\$} {\mathcal {S}}$, $\{{\textbf{r}}_i \xleftarrow {\$} {\mathbb {Z}}_{q_i}^{d_i}\}_{i \in [\nu ]}$, and computes ${\textbf{r}} = ({\textbf{r}}_1^\top \Vert \ldots \Vert {\textbf{r}}_\nu ^\top )^\top $, ${\textbf{z}}' = {\textbf{w}}' \boxplus {\textbf{r}}$. Then, it samples randomness $\rho _1, \rho _2, \rho _3$ for $\textsf{COM}$ and sends the commitment $\textrm{CMT}= \big (C'_1, C'_2, C'_3\big )$ to $\widehat{{\mathcal {V}}}$, where

$$\begin{aligned} C'_1= & {} \textsf{COM}(\phi , \{{\textbf{M}}_i\cdot {\textbf{r}}_i \bmod q_i\}_{i\in [\nu ]}; \rho _1), \\ C'_2= & {} \textsf{COM}(\Gamma _{\phi }({\textbf{r}}); \rho _2), C'_3 = \textsf{COM}(\Gamma _{\phi }({\textbf{z}}'); \rho _3). \end{aligned}$$

Receiving a challenge Ch from $\widehat{{\mathcal {V}}}$, the simulator responds as follows:

If $Ch=1$: Output $\bot $ and abort.
If $Ch=2$: Send $\textrm{RSP} = \big (\phi , {\textbf{z}}', \rho _1, \rho _3 \big )$.
If $Ch=3$: Send $\textrm{RSP} = \big (\phi , {\textbf{r}}, \rho _1, \rho _2\big )$.

Case ${\overline{Ch}}=2$: $\textsf{SIM}$ samples ${\textbf{w}}' \xleftarrow {\$} \textsf{VALID}$, together with $\phi \xleftarrow {\$} {\mathcal {S}}$, and vectors $\{{\textbf{r}}_i \xleftarrow {\$} {\mathbb {Z}}_{q_i}^{d_i}\}_{i \in [\nu ]}$. It computes ${\textbf{r}} = ({\textbf{r}}_1^\top \Vert \ldots \Vert {\textbf{r}}_\nu ^\top )^\top $, ${\textbf{z}}' = {\textbf{w}}' \boxplus {\textbf{r}}$. Then, it samples randomness $\rho _1, \rho _2, \rho _3$ for $\textsf{COM}$ and sends the commitment $\textrm{CMT}= \big (C'_1, C'_2, C'_3\big )$ to $\widehat{{\mathcal {V}}}$, where

$$\begin{aligned} C'_1 = \textsf{COM}(\phi , \{{\textbf{M}}_i\cdot {\textbf{r}}_i \bmod q_i\}_{i\in [\nu ]}; \rho _1), \\ C'_2 = \textsf{COM}(\Gamma _{\phi }({\textbf{r}}); \rho _2), C'_3 = \textsf{COM}(\Gamma _{\phi }({\textbf{z}}'); \rho _3). \end{aligned}$$

Receiving a challenge Ch from $\widehat{{\mathcal {V}}}$, the simulator responds as follows:

If $Ch=1$: Send $\textrm{RSP} = \big (\Gamma _{\phi }({\textbf{w}}'), \Gamma _{\phi }({\textbf{r}}), \rho _2, \rho _3\big )$.
If $Ch=2$: Output $\bot $ and abort.
If $Ch=3$: Send $\textrm{RSP} = \big (\phi , {\textbf{r}}, \rho _1, \rho _2\big )$.

Case ${\overline{Ch}}=3$: $\textsf{SIM}$ samples ${\textbf{w}}' \xleftarrow {\$} \textsf{VALID}$ and parse it as ${\textbf{w}}'= ({\textbf{w}}'_1 \Vert \ldots \Vert {\textbf{w}}'_\nu )$, where ${\textbf{w}}'_i \in {\mathbb {Z}}^{d_i}$ for all $i \in [\nu ]$.

Next, it picks $\phi \xleftarrow {\$} {\mathcal {S}}$, and $\{{\textbf{r}}_i \xleftarrow {\$} {\mathbb {Z}}_{q_i}^{d_i}\}_{i \in [\nu ]}$. It computes ${\textbf{r}} = ({\textbf{r}}_1^\top \Vert \ldots \Vert {\textbf{r}}_\nu ^\top )^\top $, ${\textbf{z}}' = {\textbf{w}}' \boxplus {\textbf{r}}$. Then, it samples randomness $\rho _1, \rho _2, \rho _3$ for $\textsf{COM}$ and sends the commitment $\textrm{CMT}= \big (C'_1, C'_2, C'_3\big )$ to $\widehat{{\mathcal {V}}}$, where

$$\begin{aligned} C'_2 = \textsf{COM}(\Gamma _{\phi }({\textbf{r}}); \rho _2), C'_3 = \textsf{COM}(\Gamma _{\phi }({\textbf{z}}'); \rho _3), \end{aligned}$$

as in the previous two cases, while

$$\begin{aligned} C'_1 = \textsf{COM}(\phi , \{{\textbf{M}}_i\cdot ({\textbf{w}}'_i + {\textbf{r}}_i) - {\textbf{u}}_i \bmod q_i\}_{i\in [\nu ]}; \rho _1). \end{aligned}$$

Receiving a challenge Ch from $\widehat{{\mathcal {V}}}$, it responds as follows:

If $Ch=1$: Send $\textrm{RSP}$ computed as in the case $({\overline{Ch}}=2, Ch=1)$.
If $Ch=2$: Send $\textrm{RSP}$ computed as in the case $({\overline{Ch}}=1, Ch=2)$.
If $Ch=3$: Output $\bot $ and abort.

Observe that, in every case considered above, since $\textsf{COM}$ is statistically hiding, the distribution of the commitment $\textrm{CMT}$ and the distribution of the challenge Ch from $\widehat{{\mathcal {V}}}$ are statistically close to those in the real interaction. Hence, the probability that the simulator outputs $\bot $ is negligibly close to 1/3. Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction. In other words, we have constructed a simulator that can successfully impersonate the honest prover with probability negligibly close to 2/3.

Argument of Knowledge Suppose that

$$\begin{aligned} \textrm{RSP}_1 = ({\textbf{t}}, {\textbf{s}}, \rho _2^{(1)}, \rho _3^{(1)}), \textrm{RSP}_2 = (\pi , {\textbf{x}}, \rho _1^{(2)}, \rho _3^{(2)}), \textrm{RSP}_3 = (\psi , {\textbf{y}}, \rho _1^{(3)}, \rho _2^{(3)}) \end{aligned}$$

are 3 valid responses to the same commitment $\textrm{CMT} = (C_1, C_2, C_3)$, with respect to all 3 possible values of the challenge. Let us parse ${\textbf{x}}$ and ${\textbf{y}}$ as ${\textbf{x}} = ({\textbf{x}}_1 \Vert \ldots \Vert {\textbf{x}}_\nu )$, ${\textbf{y}} = ({\textbf{y}}_1 \Vert \ldots \Vert {\textbf{y}}_\nu )$, where ${\textbf{x}}_i, {\textbf{y}}_i \in {\mathbb {Z}}_{q_i}^{d_i}$ for all $i \in [\nu ]$.

The validity of the given responses implies that:

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{t}} \in \textsf{VALID}; \\ C_1 = \textsf{COM}(\pi , \{{\textbf{M}}_i\cdot {\textbf{x}}_i - {\textbf{u}}_i \bmod q_i\}_{i \in [\nu ]}; \rho _1^{(2)}); \\ C_1 = \textsf{COM}(\psi , \{{\textbf{M}}_i\cdot {\textbf{y}}_i \bmod q_i\}_{i\in [\nu ]}; \rho _1^{(3)}); \\ C_2 = \textsf{COM}({\textbf{s}}; \rho _2^{(1)}) = \textsf{COM}(\Gamma _{\psi }({\textbf{y}}); \rho _2^{3}); \\ C_3 = \textsf{COM}({\textbf{t}} \boxplus {\textbf{s}}; \rho _3^{(1)}) = \textsf{COM}(\Gamma _{\pi }({\textbf{x}}); \rho _3^{(2)}). \end{array}\right. } \end{aligned}$$

Since COM is computationally binding, we can deduce that:

$$\begin{aligned} {\textbf{t}} \in \textsf{VALID}; \pi = \psi ; {\textbf{s}} = \Gamma _{\psi }({\textbf{y}}); {\textbf{t}} \boxplus {\textbf{s}} = \Gamma _{\pi }({\textbf{x}}); \\ \forall i\in [\nu ]: {\textbf{M}}_i\cdot {\textbf{x}}_i - {\textbf{u}}_i = {\textbf{M}}_i\cdot {\textbf{y}}_i \bmod q_i. \end{aligned}$$

Let ${\textbf{w}}' = [\Gamma _{\psi }]^{-1}({\textbf{t}})$. Since ${\textbf{t}} \in \textsf{VALID}$, we have ${\textbf{w}}' \in \textsf{VALID}$. Furthermore, note that $\Gamma _\psi ({\textbf{w}}') \boxplus \Gamma _{\psi }({\textbf{y}}) = \Gamma _{\psi }({\textbf{x}})$, which implies that ${\textbf{w}}' \boxplus {\textbf{y}} = {\textbf{x}}$.

Now, parse ${\textbf{w}}'$ as ${\textbf{w}}' = ({\textbf{w}}'_1 \Vert \ldots \Vert {\textbf{w}}'_\nu )$, where ${\textbf{w}}'_i \in {\mathbb {Z}}^{d_i}$, for all $i \in [\nu ]$. Then, for all $i \in [\nu ]$, we have ${\textbf{w}}'_i + {\textbf{y}}_i = {\textbf{x}}_i \bmod q$, and that

$$\begin{aligned} {\textbf{M}}_i \cdot {\textbf{w}}'_i = {\textbf{M}}_i\cdot {\textbf{x}}_i - {\textbf{M}}_i\cdot {\textbf{y}}_i = {\textbf{u}}_i\bmod q_i. \end{aligned}$$

As a result, we have ${\textbf{w}}' \in \textsf{VALID}$ and ${\textbf{M}}_i \cdot {\textbf{w}}'_i = {\textbf{u}}_i$, for all $i \in [\nu ]$. This concludes the proof. $\square $

Description and Analysis of the Zero-Knowledge Protocol Underlying the Ring Signature Scheme

In this section, we provide the full description and analysis of the ZKAoK for the relation

$$\begin{aligned} \mathrm {R_{ring}}= \Big \{ \big (({\textbf{A}}, {\textbf{u}}) \in {\mathbb {Z}}_q^{n \times m} \times \{0,1\}^{nk}; {\textbf{d}} \in \{0,1\}^{nk}, w\in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell ,\\ {\textbf{x}} \in \{0,1\}^m \big ): \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \wedge {\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q \Big \}. \end{aligned}$$

1.1 Description of the Protocol

The public parameters are $n,q,k,m,\ell $, the “powers-of-2” matrix ${\textbf{G}}$ and its extension ${\textbf{G}}^*= [{\textbf{G}} | 0^{n \times nk}] \in {\mathbb {Z}}_q^{n \times m}$. Let $\widehat{{\textbf{A}}} \in {\mathbb {Z}}_q^{n \times 2m}$ be the matrix obtained by appending m zero-columns to matrix ${\textbf{A}}$. (Note that $\widehat{{\textbf{A}}} \ne {\textbf{A}}^*$.) Let ${\textsf{B}}_{2m}^m$ be the set of all vectors in $\{0,1\}^{2m}$ having Hamming weight m, and let ${\mathcal {S}}_{2m}$ be the set of all permutations of 2m elements.

The prover ${\mathcal {P}}$, possessing a valid tuple $({\textbf{d}}, w, {\textbf{x}})$, performs the preparation steps as in the protocol for the relation $\textrm{R}_{\textrm{acc}}$ in Sect. 3 to obtain ${\textbf{v}}_i^*, {\textbf{w}}_i^* \in {\textsf{B}}_m^{nk}$, ${\textbf{z}}_i = \textsf{ext}(j_i, {\textbf{v}}_i^*)$, ${\textbf{y}}_i = \textsf{ext}({\bar{j}}_i, {\textbf{w}}_i^*)$ for all $i \in [\ell ]$ such that

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}}^*\cdot {\textbf{z}}_1 + {\textbf{A}}^* \cdot {\textbf{y}}_1 = {\textbf{G}}\cdot {\textbf{u}}\bmod q; \\ \forall i\in [\ell -1]: {\textbf{A}}^*\cdot {\textbf{z}}_{i+1} + {\textbf{A}}^* \cdot {\textbf{y}}_{i+1} = {\textbf{G}}^*\cdot {\textbf{v}}_{i}^* \bmod q. \end{array}\right. } \end{aligned}$$

(13)

Observe that by construction, one has ${\textbf{G}}^* \cdot {\textbf{v}}^*_\ell = {\textbf{G}}\cdot {\textbf{d}}$. Now, ${\mathcal {P}}$ extends ${\textbf{x}}$ into ${{\textbf{x}}}^* \in {\textsf{B}}_{2m}^m$. Observe that $\widehat{{\textbf{A}}}\cdot {{\textbf{x}}^*} = {\textbf{A}}\cdot {\textbf{x}}$ and that, in Stern’s framework, one can use $\tau \xleftarrow {\$} {\mathcal {S}}_{2\,m}$ and $\mathbf {r_x} \xleftarrow {\$} {\mathbb {Z}}_q^{2\,m}$ to prove the possession of ${\textbf{x}}$ in a zero-knowledge manner by using the equivalence:

$$\begin{aligned} {\textbf{x}}^* \in {\textsf{B}}_{2m}^m \Leftrightarrow \tau ({\textbf{x}}^*) \in {\textsf{B}}_{2m}^m. \end{aligned}$$

(14)

Given the above preparation steps, ${\mathcal {P}}$’s task now is to convince ${\mathcal {V}}$ that ${\mathcal {P}}$ knows ${\textbf{v}}_i^*, {\textbf{w}}_i^* \in {\textsf{B}}_m^{nk}$, ${\textbf{z}}_i = \textsf{ext}(j_i, {\textbf{v}}_i^*)$, ${\textbf{y}}_i = \textsf{ext}({\bar{j}}_i, {\textbf{w}}_i^*)$, for all $i \in [\ell ]$, and ${{\textbf{x}}^*} \in {\textsf{B}}_{2m}^m$ which satisfy (13) and $\widehat{{\textbf{A}}}\cdot {{\textbf{x}}^*} = {\textbf{G}}^*\cdot {\textbf{v}}^*_\ell \bmod q$.

Our strategy to obtain a ZKAoK for the considered relation is the same as in Sect. 3.4: we will reduce it to an instance of the abstract relation $\textrm{R}_{\textrm{abstract}}$ from Sect. 2.2, with respect to the case where there is a single modulus q, i.e., $\nu =1$. The reduction consists of two steps.

Step 1 Transforming the underlying equations into a unified equation of the form ${\textbf{M}}_{\textrm{ring}} \cdot {\textbf{w}}_{\textrm{ring}} = {\textbf{v}}_{\textrm{ring}} \bmod q$, where ${\textbf{w}}_{\textrm{ring}} \in \textsf{VALID}_{\textrm{ring}}$ - a “specially designed” set.

Recall that, based on the results of Sect. 3.4, equations in (13) can be unified as ${\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}_{\textrm{acc}} = {\textbf{v}}_{\textrm{acc}} \bmod q$, where ${\textbf{w}}_{\textrm{acc}} \in \textsf{VALID}_{\textrm{acc}}$. Combining this equation with equation $\widehat{{\textbf{A}}}\cdot {{\textbf{x}}^*} = {\textbf{G}}^*\cdot {\textbf{v}}^*_\ell \bmod q$, we then obtain

$$\begin{aligned} {\textbf{M}}_{\textrm{ring}} \cdot {\textbf{w}}_{\textrm{ring}} = {\textbf{v}}_\textrm{ring} \bmod q, \end{aligned}$$

where ${\textbf{w}}_{\textrm{ring}} = ({\textbf{w}}_{\textrm{acc}}^\top \mid {{\textbf{x}}^*}^\top )^\top \in \{0,1\}^{(5\ell +1)m}$, ${\textbf{v}}_{\textrm{ring}} = ({\textbf{v}}_{\textrm{acc}}^\top \mid {\textbf{0}}^n)^\top \in {\mathbb {Z}}_q^{(\ell +1)n}$ and ${\textbf{M}}_{\textrm{ring}} \in {\mathbb {Z}}_q^{(\ell +1)n \times (5\ell +1)m}$ (built upon ${\textbf{M}}_{\textrm{acc}}$, $\widehat{{\textbf{A}}}$ and ${\textbf{G}}^*$).

Let $D_{\textrm{ring}} = (5\ell +1)m$. We now let $\textsf{VALID}_\textrm{ring}$ be the set of all vectors in $\{0,1\}^{D_{\textrm{ring}}}$ having the form

$$\begin{aligned} \big ({\textbf{s}}_0^\top \mid {\textbf{s}}_1^\top \big )^\top , \end{aligned}$$

for some ${\textbf{s}}_0 \in \textsf{VALID}_{\textrm{acc}}$ and ${\textbf{s}}_1 \in {\textsf{B}}_{2m}^m$. It is then obvious that the constructed vector ${\textbf{w}}_{\textrm{ring}}$ belongs to this tailored set $\textsf{VALID}_{\textrm{ring}}$.

Step 2 Specifying the set ${\mathcal {S}}_\textrm{ring}$ and permutations of $D_{\textrm{ring}}$ elements $\{\Gamma ^\textrm{ring}_\phi : \phi \in {\mathcal {S}}_{\textrm{ring}}\}$ for which the conditions in (1) hold.

Define ${\mathcal {S}}_{\textrm{ring}} = {\mathcal {S}}_{\textrm{acc}} \times {\mathcal {S}}_{2\,m}$, where ${\mathcal {S}}_{\textrm{acc}}$ is as defined in Sect. 3.4.
For $\phi = (\pi , \tau ) \in {\mathcal {S}}_{\textrm{ring}}$ and for vector ${\textbf{s}} = \big ({\textbf{s}}_0^\top \mid {\textbf{s}}_1^\top \big )^\top \in {\mathbb {Z}}^{D_{\textrm{ring}}}$, where ${\textbf{s}}_0 \in {\mathbb {Z}}^{D_{\textrm{acc}}}$ and ${\textbf{s}}_1 \in {\mathbb {Z}}^{2\,m}$, define $\Gamma ^{\textrm{ring}}_\phi ({\textbf{s}})$ as the permutation that transforms ${\textbf{s}}$ as follows:
- ${\textbf{s}}_0 \mapsto \Gamma ^{\textrm{acc}}_\pi ({\textbf{s}}_0)$, where $\Gamma ^{\textrm{acc}}_\pi (\cdot )$ denotes the permutation of $D_{\textrm{acc}}$ elements defined in Sect. 3.4;
- ${\textbf{s}}_1 \mapsto \tau ({\textbf{s}}_1)$.

Based on the equivalences observed in Sect. 3.4 and in (14), we can check that the conditions in (1) hold with respect to $\textsf{VALID}_{\textrm{ring}}, {\mathcal {S}}_{\textrm{ring}}$ and $\Gamma ^{\textrm{ring}}_\phi $.

The Interactive Protocol Having performed the above preparation and transformation steps, we are now ready to describe our interactive protocol.

Common inputs::: The matrix–vector pair $({\textbf{M}}_{\textrm{ring}}, {\textbf{v}}_{\textrm{ring}})$, which is obtained from ${\textbf{A}}, {\textbf{u}}, {\textbf{G}}$ as discussed above.
${\mathcal {P}}$’s inputs::: Vector ${\textbf{w}}_{\textrm{ring}} \in \textsf{VALID}_{\textrm{ring}}$, which is obtained from the original witnesses ${\textbf{d}} \in \{0,1\}^{nk}$, $w \in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell $ and ${\textbf{x}} \in \{0,1\}^m$, as specified above.
${\mathcal {P}}$’s goal::: Prove in ZK that ${\textbf{w}}_{\textrm{ring}} \in \textsf{VALID}_{\textrm{ring}}$ and ${\textbf{M}}_{\textrm{ring}} \cdot {\textbf{w}}_{\textrm{ring}} = {\textbf{v}}_{\textrm{ring}} \bmod q$.

The prover and the verifier then run the protocol described in Fig. 1, for the case $\nu =1$ and with respect to $({\textbf{M}}_{\textrm{ring}}, {\textbf{v}}_{\textrm{ring}}), {\textbf{w}}_{\textrm{ring}}, (\textsf{VALID}_{\textrm{ring}}, {\mathcal {S}}_\textrm{ring}, \Gamma ^{\textrm{ring}}_\phi )$.

1.2 Analysis of the Protocol

The perfect completeness and statistical zero-knowledge property of the protocol directly follow from Theorem 1 (for the case $\nu =1$). The communication cost of the protocol is ${\mathcal {O}}(D_{\textrm{ring}} \cdot \log q) = \widetilde{{\mathcal {O}}}(\ell \cdot m \cdot \log q) = \widetilde{{\mathcal {O}}}(\ell \cdot n)$ bits.

Furthermore, by running the knowledge extractor of Theorem 1, one obtains ${\textbf{w}}'_\textrm{ring} \in \textsf{VALID}_{\textrm{ring}}$ such that ${\textbf{M}}_\textrm{ring} \cdot {\textbf{w}}'_{\textrm{ring}} = {\textbf{v}}_{\textrm{ring}} \bmod q$. Then note that ${\textbf{w}}'_{\textrm{ring}}$ has the form ${\textbf{w}}'_{\textrm{ring}} = ({{\textbf{w}}'_{\textrm{acc}}}^\top \mid {\widetilde{{\textbf{x}}}}^\top )^\top $, where

${\textbf{w}}'_{\textrm{acc}} \in \textsf{VALID}_{\textrm{acc}}$ and ${\textbf{M}}_{\textrm{acc}} \cdot {\textbf{w}}'_{\textrm{acc}} = {\textbf{v}}_{\textrm{acc}} \bmod q$. Then, as in Sect. 3.4, we can extract from ${\textbf{w}}'_{\textrm{acc}}$ objects ${\textbf{d}}' = {\textbf{v}}'_\ell $ and $w' = \big ((j'_1, \ldots , j'_\ell ), ({\textbf{w}}'_\ell , \ldots , {\textbf{w}}'_1)\big )$ such that $\textsf{TVerify}_{{\textbf{A}}}({\textbf{u}}, {\textbf{d}}', w')=1$.
$\widetilde{{\textbf{x}}} \in {\textsf{B}}_{2\,m}^m$ and $\widehat{{\textbf{A}}} \cdot \widehat{{\textbf{x}}} = {\textbf{G}} \cdot {\textbf{d}}' \bmod q$, where ${\textbf{d}}'$ is as extracted in the above. Let ${\textbf{x}}' \in \{0,1\}^m$ be the vector obtained by dropping the last m coordinates from $\widehat{{\textbf{x}}}$. Then we have ${\textbf{A}}\cdot {\textbf{x}}' = {\textbf{G}} \cdot {\textbf{d}}' \bmod q$.

In other words, the extracted tuple $({\textbf{d}}', w', {\textbf{x}}')$ satisfies

$$\begin{aligned} \big (({\textbf{A}},{\textbf{u}}), {\textbf{d}}', w', {\textbf{x}}'\big ) \in \mathrm {R_{ring}}. \end{aligned}$$

We thus have proved Lemma 2.

Description and Analysis of the Zero-Knowledge Protocol Underlying the Group Signature Scheme

In this section, we provide the description and analysis of the ZKAoK for the relation $\mathrm {R_{group}} = \Big \{({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_1, {\textbf{c}}_2), {\textbf{d}}, w, {\textbf{x}}, {\textbf{r}}_1, {\textbf{r}}_2 \Big \} $ where

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{A}} \in {\mathbb {Z}}_q^{n \times m}; {\textbf{u}} \in \{0,1\}^{nk}; {\textbf{B}} \in {\mathbb {Z}}_p^{n \times m_E}; \\ \forall i\in \{1,2\}: {\textbf{P}}_i \in {\mathbb {Z}}_p^{\ell \times m_E}; {\textbf{c}}_i = ({\textbf{c}}_{i,1}, {\textbf{c}}_{i,2}) \in {\mathbb {Z}}_p^n \times {\mathbb {Z}}_p^\ell ; \\ {\textbf{d}} \in \{0,1\}^{nk}; w= \big ((j_1, \ldots , j_\ell ), ({\textbf{w}}_\ell , \ldots , {\textbf{w}}_1)\big )\in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell ; \\ {\textbf{x}} \in \{0,1\}^m; {\textbf{r}}_1, {\textbf{r}}_2 \in \{0,1\}^{m_E} \end{array}\right. } \end{aligned}$$

satisfying

$$\begin{aligned} {\left\{ \begin{array}{ll} \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \wedge {\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q \\ \forall i\in \{1,2\}: {\textbf{c}}_{i,1} = {\textbf{B}}\cdot {\textbf{r}}_i \bmod p \wedge {\textbf{c}}_{i,2}= {\textbf{P}}_i \cdot {\textbf{r}}_i + \big \lfloor \frac{p}{2}\big \rceil \cdot (j_1, \ldots , j_\ell )^\top \bmod p. \end{array}\right. } \end{aligned}$$

Another Permutation Technique Our ZKAoK for the relation $\mathrm {R_{group}}$ is an extension of the one for $\mathrm {R_{ring}}$. In order to prove in ZK that the vector $(j_1, \ldots , j_\ell )$ involved in the new layer is the same $(j_1, \ldots , j_\ell )$ that was included in w, we introduce the following technique.

For each $b \in \{0,1\}$, let $\textsf{extbit}(b) = \left( \begin{array}{c} {\bar{b}} \\ b \\ \end{array} \right) \in \{0,1\}^2. $
For each $b \in \{0,1\}$, we define the permutation $T_b$ that transforms vector ${\textbf{z}} = \left( \begin{array}{c} z_0 \\ z_1 \\ \end{array} \right) \in {\mathbb {Z}}_p^2$ into vector $T_b({\textbf{z}}) = \left( \begin{array}{c} z_b \\ z_{{\bar{b}}} \\ \end{array} \right) $.

Observe that we have the following equivalence: For all $c, b \in \{0,1\}$ and ${\textbf{z}} \in {\mathbb {Z}}_p^2$,

$$\begin{aligned} {\textbf{z}} = \textsf{extbit}(c) \Leftrightarrow T_b({\textbf{z}}) = \textsf{extbit}(c \oplus b). \end{aligned}$$

(15)

This equivalence allows proving in ZK the possession of the bit $j_i$, for every $i \in [\ell ]$, using a one-time pad $b_i$. Furthermore, to prove that the same $j_i$ is involved in both layers, we will use the same $b_i$ in both layers of the protocol.

Preparation Steps We first observe that the 4 equations:

$$\begin{aligned} {\left\{ \begin{array}{ll} {\textbf{c}}_{1,1} = {\textbf{B}}\cdot {\textbf{r}}_1 \bmod p \\ {\textbf{c}}_{1,2}= {\textbf{P}}_1 \cdot {\textbf{r}}_1 + \big \lfloor \frac{p}{2}\big \rceil \cdot (j_1, \ldots , j_\ell )^\top \bmod p \\ {\textbf{c}}_{2,1} = {\textbf{B}}\cdot {\textbf{r}}_2 \bmod p \\ {\textbf{c}}_{2,2}= {\textbf{P}}_2 \cdot {\textbf{r}}_2 + \big \lfloor \frac{p}{2}\big \rceil \cdot (j_1, \ldots , j_\ell )^\top \bmod p \end{array}\right. } \end{aligned}$$

(16)

can be equivalently written in a more compact form:

(17)

We now perform the following extensions:

Append $2m_E$ zero-columns to the matrix so as to obtain matrix ${\textbf{B}}^* \in {\mathbb {Z}}_p^{2(n+\ell ) \times 4m_E}$.
Extend $\left( \begin{array}{c} {\textbf{r}}_1 \\ {\textbf{r}}_2 \\ \end{array} \right) \in \{0,1\}^{2m_E} $ to vector ${\textbf{f}}^*\in {\textsf{B}}_{4m_E}^{2m_E}$, where ${\textsf{B}}_{4m_E}^{2m_E}$ denotes the set of all vectors in $\{0,1\}^{4m_E}$ that have Hamming weight $2m_E$.
Let the columns of matrix be ${\textbf{h}}_1, \ldots , {\textbf{h}}_{\ell } \in {\mathbb {Z}}_p^{2(n+ \ell )}$. For each $ i \in [\ell ]$, prepend a zero-column to ${\textbf{h}}_i$ so as to obtain a two-column matrix ${\textbf{H}}_i = [{\textbf{0}}| {\textbf{h}}_i]\in {\mathbb {Z}}_p^{2(n+\ell ) \times 2}$.
For each $i \in [\ell ]$, let ${\textbf{g}}_i = \textsf{extbit}(j_i)$.

Let ${\textbf{c}} = ({\textbf{c}}_{1,1}^\top \mid {\textbf{c}}_{1,2}^\top \mid {\textbf{c}}_{2,1}^\top \mid {\textbf{c}}_{2,2}^\top )^\top \in {\mathbb {Z}}_p^{2(n + \ell )} $, then (17) can be rewritten as:

$$\begin{aligned} {\textbf{B}}^* \cdot {\textbf{f}}^* + \sum _{i=1}^\ell {\textbf{H}}_i \cdot {\textbf{g}}_i = {\textbf{c}} \bmod p. \end{aligned}$$

(18)

The possession of ${\textbf{f}}^*$ and $\{{\textbf{g}}_i\}_{i=1}^\ell $ that satisfy the above equation can be proved in ZK using the usual masking-permuting technique (for ${\textbf{f}}^*$) and the technique introduced at the beginning of this section.

1.1 Description of the Protocol

The public parameters are $n,q,k,m,\ell , p, m_E$, the “powers-of-2” matrix ${\textbf{G}}$ and its extension ${\textbf{G}}^*= [{\textbf{G}} | 0^{n \times nk}] \in {\mathbb {Z}}_q^{n \times m}$, and matrices ${\textbf{H}}_i$ defined above.

Our strategy to obtain a ZKAoK for the considered relation is similar to the one employed in Sect. 3.4 and Sect. B. However, the main difference here is that the protocol involves $\nu =2$ moduli, q and p. Consequently, we will reduce the considered relation to an instance of the abstract relation $\textrm{R}_{\textrm{abstract}}$ from Sect. 2.2, where there are $\nu =2$ moduli. The reduction consists of two steps.

Step 1 Transforming the underlying equations into two equations of the form ${\textbf{M}}_{1, \mathrm group} \cdot {\textbf{w}}_{1, \mathrm group} = {\textbf{v}}_{1, \mathrm group} \bmod q$, ${\textbf{M}}_{2, \mathrm group} \cdot {\textbf{w}}_{2, \mathrm group} = {\textbf{v}}_{2, \mathrm group} \bmod p$, where ${\textbf{w}}_{1,\mathrm group}, {\textbf{w}}_{2,\mathrm group}$ are binary vectors and ${\textbf{w}}_\textrm{group} = ({\textbf{w}}_{1,\mathrm group}^\top \mid {\textbf{w}}_{2,\mathrm group}^\top )^\top \in \textsf{VALID}_{\textrm{group}}$ - a “specially designed” set.

Recall that, based on the results of Sects. 3.4 and B, the conditions

$$\begin{aligned} \textsf{TVerify}_{{\textbf{A}}}\big ({\textbf{u}}, {\textbf{d}}, w\big ) =1 \wedge {\textbf{A}}\cdot {\textbf{x}} = {\textbf{G}}\cdot {\textbf{d}} \bmod q \end{aligned}$$

can be captured by equation ${\textbf{M}}_{\textrm{ring}} \cdot {\textbf{w}}_{\textrm{ring}} = {\textbf{v}}_{\textrm{ring}} \bmod q$, where ${\textbf{w}}_{\textrm{ring}} \in \textsf{VALID}_{\textrm{ring}}$. For ease of notation, let ${\textbf{M}}_{1, \mathrm group} = {\textbf{M}}_{\textrm{ring}}$, ${\textbf{v}}_{1, \mathrm group} = {\textbf{v}}_{\textrm{ring}}$ and ${\textbf{w}}_{1,\mathrm group} = {\textbf{w}}_{\textrm{ring}}$. Then we have

$$\begin{aligned} {\textbf{M}}_{1,\mathrm group} \cdot {\textbf{w}}_{1,\mathrm group} = {\textbf{v}}_{1, \mathrm group} \bmod q. \end{aligned}$$

Now, observe that equation (18), can be rewritten as

$$\begin{aligned} {\textbf{M}}_{2,\mathrm group} \cdot {\textbf{w}}_{2,\mathrm group} = {\textbf{v}}_{2, \mathrm group} \bmod p, \end{aligned}$$

where matrix ${\textbf{M}}_{2,\mathrm group} = [{\textbf{B}}^* \mid {\textbf{H}}_1 \mid \cdots \mid {\textbf{H}}_\ell ] \in {\mathbb {Z}}_p^{2(n + \ell ) \times (4m_E + 2\ell )}$, and vectors ${\textbf{v}}_{2, \mathrm group} = {\textbf{c}} \in {\mathbb {Z}}_p^{2(n + \ell )}$ and ${\textbf{w}}_{2,\mathrm group} = ({{\textbf{f}}^*}^\top \mid {\textbf{g}}_1^\top \mid \cdots \mid {\textbf{g}}_\ell ^\top ) \in \{0,1\}^{4m_E + 2\ell }$.

Now, we let $D_{\textrm{group}} = (5\ell +1)m + 4m_E + 2\ell $ and form vector

$$\begin{aligned} {\textbf{w}}_{\textrm{group}} = ({\textbf{w}}_{1, \mathrm group}^\top \mid {\textbf{w}}_{2, \mathrm group}^\top )^\top \in \{0,1\}^{D_{\textrm{group}}}. \end{aligned}$$

Then, we define $\textsf{VALID}_{\textrm{group}}$ as the set of all vectors in $\{0,1\}^{D_{\textrm{group}}}$ of the form

$$\begin{aligned} \big ({\textbf{t}}_1^\top \mid {\textbf{t}}_2^\top \mid {\textbf{e}}_1^\top \mid \cdots \mid {\textbf{e}}_\ell ^\top \big )^\top , \end{aligned}$$

for some ${\textbf{t}}_1 \in \textsf{VALID}_{\textrm{ring}}$, ${\textbf{t}}_2 \in {\textsf{B}}_{4m_E}^{2m_E}$, and for $\{{\textbf{e}}_i = \textsf{extbit}(j_i)\}_{j=1}^{\ell }$, with $j_1, \ldots , j_\ell $ being the same $\ell $ bits encoded in the blocks of vector ${\textbf{t}}_1$ (in the sense of (9)). We then can check that the constructed vector ${\textbf{w}}_{\textrm{group}}$ belongs to this tailored set $\textsf{VALID}_{\textrm{group}}$.

Step 2 Specifying the set ${\mathcal {S}}_\textrm{group}$ and permutations of $D_{\textrm{group}}$ elements $\{\Gamma ^\textrm{group}_\phi : \phi \in {\mathcal {S}}_{\textrm{group}}\}$ for which the conditions in (1) hold.

Define ${\mathcal {S}}_{\textrm{group}} = {\mathcal {S}}_{\textrm{ring}} \times {\mathcal {S}}_{4m_E}$, where ${\mathcal {S}}_{\textrm{ring}} = {\mathcal {S}}_{\textrm{acc}} \times {\mathcal {S}}_{2\,m}$ (see Sect. B) and ${\mathcal {S}}_{\textrm{acc}} = ({\mathcal {S}}_m)^\ell \times ({\mathcal {S}}_m)^\ell \times \{0,1\}^\ell $ (see Sect. 3.4).
For $\phi = (\theta , \delta ) \in {\mathcal {S}}_{\textrm{group}}$, where $\theta = (\pi _1, \ldots , \pi _\ell , \psi _1, \ldots , \psi _\ell , b_1, \ldots , b_\ell , \tau )$, and for vector ${\textbf{t}}= \big ({\textbf{t}}_0^\top \mid {\textbf{t}}_1^\top \mid {\textbf{e}}_1^\top \mid \cdots \mid {\textbf{e}}_\ell ^\top \big )^\top \in {\mathbb {Z}}^{D_{\textrm{group}}}$, where ${\textbf{t}}_0 \in {\mathbb {Z}}^{D_{\textrm{ring}}}$, ${\textbf{t}}_1 \in {\mathbb {Z}}^{4m_E}$, and ${\textbf{e}}_1, \ldots , {\textbf{e}}_\ell \in {\mathbb {Z}}^2$, define $\Gamma ^{\textrm{group}}_\phi ({\textbf{t}})$ as the permutation that transforms ${\textbf{t}}$ as follows:
- ${\textbf{t}}_0 \mapsto \Gamma ^{\textrm{ring}}_\theta ({\textbf{t}}_0)$, where $\Gamma ^{\textrm{ring}}_\theta (\cdot )$ denotes the permutation of $D_{\textrm{ring}}$ elements defined in Sect. B;
- ${\textbf{t}}_1 \mapsto \delta ({\textbf{t}}_1)$;
- ${\textbf{e}}_i \mapsto T_{b_i}({\textbf{e}}_i)$, for all $i \in [\ell ]$.

Based on the equivalences observed in Sect. 3.4, in (14) and (15), we can verify that the conditions in (1) hold with respect to sets $\textsf{VALID}_{\textrm{group}}, {\mathcal {S}}_{\textrm{group}}$ and permutation $\Gamma ^{\textrm{group}}_\phi $.

The Interactive Protocol Having performed the above preparation and transformation steps, we are now ready to describe our interactive protocol.

Common inputs::: Matrix–vector pairs $({\textbf{M}}_{1, \mathrm group}, {\textbf{v}}_{1, \mathrm group})$, $({\textbf{M}}_{2, \mathrm group}, {\textbf{v}}_{2, \mathrm group})$, which are obtained from ${\textbf{A}}, {\textbf{u}}, {\textbf{G}}$, $\{{\textbf{H}}_i\}_{i \in [\ell ]}$, ${\textbf{B}}$ and $\{{\textbf{c}}_{i, j}\}_{i, j \in [2]}$, as discussed above.
${\mathcal {P}}$’s inputs::: Vector ${\textbf{w}}_{\textrm{group}} = ({\textbf{w}}_{1, \mathrm group}^\top \mid {\textbf{w}}_{2, \mathrm group}^\top )^\top \in \{0,1\}^{D_{\textrm{group}}}$, which is constructed from the original witnesses ${\textbf{d}} \in \{0,1\}^{nk}$, $w \in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell $, ${\textbf{x}} \in \{0,1\}^m$, and ${\textbf{r}}_1, {\textbf{r}}_2 \in \{0,1\}^{m_E}$, as specified above.
${\mathcal {P}}$’s goal::: Prove in zero-knowledge that ${\textbf{w}}_{\textrm{group}} \in \textsf{VALID}_{\textrm{group}}$ and that equations ${\textbf{M}}_{1, \mathrm group} \cdot {\textbf{w}}_{1, \mathrm group} = {\textbf{v}}_{1, \mathrm group} \bmod q$, ${\textbf{M}}_{2, \mathrm group} \cdot {\textbf{w}}_{2, \mathrm group} = {\textbf{v}}_{2, \mathrm group} \bmod p$ simultaneously hold.

The prover and the verifier then run the protocol described in Fig. 1, for the case with $\nu =2$ moduli, q and p. The protocol operates with objects $({\textbf{M}}_{1, \mathrm group}, {\textbf{v}}_{1, \mathrm group})$, $({\textbf{M}}_{2, \mathrm group}, {\textbf{v}}_{2, \mathrm group})$, ${\textbf{w}}_{\textrm{group}}, (\textsf{VALID}_{\textrm{group}}, {\mathcal {S}}_{\textrm{group}}, \Gamma ^{\textrm{group}}_\phi )$, as defined above.

1.2 Analysis of the Protocol

The perfect completeness and statistical zero-knowledge property of the protocol directly follow from Theorem 1 (for the case $\nu =2$). The communication cost of the protocol is $\widetilde{{\mathcal {O}}}(\ell \cdot n) + {\mathcal {O}}((m_E + \ell )\cdot \log p)$ bits.

Furthermore, by running the knowledge extractor of Theorem 1, one obtains ${\textbf{w}}'_\textrm{group} = ({{\textbf{w}}'_{1, \mathrm group}}^\top \mid {{\textbf{w}}'_{2, \mathrm group}}^\top )^\top \in \textsf{VALID}_{\textrm{group}}$ such that ${\textbf{M}}_{1, \mathrm group} \cdot {\textbf{w}}'_{1, \mathrm group} = {\textbf{v}}_{1, \mathrm group} \bmod q$, ${\textbf{M}}_{2, \mathrm group} \cdot {\textbf{w}}'_{2, \mathrm group} = {\textbf{v}}_{2, \mathrm group} \bmod p$. Then note that

As in Sect. B, we can extract from ${\textbf{w}}'_{1, \mathrm group}$ objects ${\textbf{d}}' = {\textbf{v}}'_\ell $ and $w' = \big ((j'_1, \ldots , j'_\ell ), ({\textbf{w}}'_\ell , \ldots , {\textbf{w}}'_1)\big )$ and ${\textbf{x}}' \in \{0,1\}^m$ such that
$$\begin{aligned} \textsf{TVerify}_{{\textbf{A}}}({\textbf{u}}, {\textbf{d}}', w')=1 \text { and } {\textbf{A}}\cdot {\textbf{x}}' = {\textbf{G}}\cdot {\textbf{d}}'. \end{aligned}$$
${\textbf{w}}'_{2, \mathrm group} = ({{\textbf{f}}'}^\top \mid {{\textbf{g}}_1'}^\top \mid \cdots \mid {{\textbf{g}}_\ell '}^\top )^\top $, where ${\textbf{f}}' \in {\textsf{B}}_{4m_E}^{2m_E}$ and, for all $i \in [\ell ]$, ${\textbf{g}}_i' = \textsf{extbit}(j'_i)$. Moreover, we have
$$\begin{aligned} {\textbf{B}}^* \cdot {\textbf{f}}' + \sum _{i=1}^\ell {\textbf{H}}_i \cdot {\textbf{g}}'_i = {\textbf{c}} \bmod p, \end{aligned}$$
from which we can backtrack the transformations being done at the beginning of this section to obtain ${\textbf{r}}'_1, {\textbf{r}}'_2 \in \{0,1\}^{m_E}$ such that
$$\begin{aligned} \forall i\in \{1,2\}: {\textbf{c}}_{i,1} = {\textbf{B}}\cdot {\textbf{r}}'_i \bmod p \wedge {\textbf{c}}_{i,2}= {\textbf{P}}_i \cdot {\textbf{r}}'_i + \big \lfloor \frac{p}{2}\big \rceil \cdot (j'_1, \ldots , j'_\ell )^\top \bmod p. \end{aligned}$$

In other words, we have extract tupled $({\textbf{d}}', w', {\textbf{x}}', {\textbf{r}}'_1, {\textbf{r}}'_2)$ such that

$$\begin{aligned} \big (({\textbf{A}}, {\textbf{u}}, {\textbf{B}}, {\textbf{P}}_1, {\textbf{P}}_2, {\textbf{c}}_1, {\textbf{c}}_2), {\textbf{d}}', w', {\textbf{x}}', {\textbf{r}}'_1, {\textbf{r}}'_2\big ) \in \mathrm {R_{group}}, \end{aligned}$$

and hence, have proved Lemma 4.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Libert, B., Ling, S., Nguyen, K. et al. Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors. J Cryptol 36, 23 (2023). https://doi.org/10.1007/s00145-023-09470-6

Download citation

Received: 14 December 2018
Revised: 08 May 2023
Accepted: 08 May 2023
Published: 25 May 2023
DOI: https://doi.org/10.1007/s00145-023-09470-6

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

Abstract

Similar content being viewed by others

Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

BLOOM: Bimodal Lattice One-out-of-Many Proofs and Applications

Short Lattice-Based One-out-of-Many Proofs and Applications to Ring Signatures

1 Introduction

2 Preliminaries

2.1 Average-Case Lattice Problems

Definition 1

Definition 2

2.2 Zero-Knowledge Arguments of Knowledge

2.2.1 An Abstraction of Stern’s Protocol

Theorem 1

3 A Lattice-Based Accumulator with Supporting Zero-Knowledge Argument of Knowledge

3.1 Cryptographic Accumulators

Definition 3

3.2 A Family of Lattice-Based Collision-Resistant Hash Functions

Definition 4

Lemma 1

Proof

3.3 A Lattice-Based Merkle-Tree Accumulator

Theorem 2

Proof

3.4 Zero-Knowledge AoK of an Accumulated Value

Definition 5

3.4.1 Warm-Up Step

3.4.2 The Interactive Protocol

Theorem 3

Proof

4 A Logarithmic-Size Ring Signature from Lattices

4.1 Definitions

Definition 6

Definition 7

Definition 8

Remark

4.2 The Underlying Zero-Knowledge Protocol

Definition 9

Lemma 2

4.3 Description of the Ring Signature Scheme

4.4 Analysis of the Ring Signature Scheme

Theorem 4

Lemma 3

Theorem 5

Proof

Theorem 6

Proof

Remark 1

5 A Lattice-Based Group Signature Without Trapdoors

5.1 Definitions

Definition 10

Definition 11

5.2 The Underlying Zero-Knowledge Protocol

Definition 12

Lemma 4

5.3 Our Construction

Theorem 7

Proof

Theorem 8

Proof

Notes

References

Acknowledgements

Funding

Author information

Authors and Affiliations

Corresponding author

Additional information

Publisher's Note

Appendices

Proof of Theorem 1

Proof

Description and Analysis of the Zero-Knowledge Protocol Underlying the Ring Signature Scheme

1.1 Description of the Protocol

1.2 Analysis of the Protocol

Description and Analysis of the Zero-Knowledge Protocol Underlying the Group Signature Scheme

1.1 Description of the Protocol

1.2 Analysis of the Protocol

Rights and permissions

About this article