A Provably Secure Group Signature Scheme from Code-Based Assumptions

  • Martianus Frederic Ezerman
  • Hyung Tae Lee
  • San Ling
  • Khoa Nguyen
  • Huaxiong Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9452)


We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands (\({\approx }2^{24}\) users). The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.


Random Oracle Random Oracle Model Interactive Protocol Argument System Group Signature Scheme 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors would like to thank Jean-Pierre Tillich, Philippe Gaborit, Ayoub Otmani, Nicolas Sendrier, Nico Döttling, and anonymous reviewers of ASIACRYPT 2015 for helpful comments and discussions. The research was supported by Research Grant TL-9014101684-01 and the Singapore Ministry of Education under Research Grant MOE2013-T2-1-041.


  1. [ABCG15]
    Alamélou, Q. Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Presented at WCC, April 2015Google Scholar
  2. [ACJT00]
    Ateniese, G., Camenisch, J.L., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. [ACM11]
    El Yousfi Alaoui, S.M., Cayrel, P.-L., Mohammed, M.: Improved identity-based identification and signature schemes using quasi-dyadic Goppa codes. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 146–155. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  4. [BBS04]
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. [BJMM12]
    Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2\(^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. [BMvT78]
    Berlekamp, E., McEliece, R.J., van Tilborg, H.C.A.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theor. 24(3), 384–386 (1978)MathSciNetCrossRefzbMATHGoogle Scholar
  7. [BMW03]
    Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. [BS08]
    Biswas, B., Sendrier, N.: McEliece cryptosystem implementation: theory and practice. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 47–62. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  9. [BS13]
    Bettaieb, S., Schrek, J.: Improved lattice-based threshold ring signature scheme. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 34–51. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  10. [BW06]
    Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. [CFS01]
    Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  12. [CGG07]
    Cayrel, P. L., Gaborit, P., Girault, M.: Identity-based identification and signature schemes using correcting codes. In: WCC, pp. 69–78 (2007)Google Scholar
  13. [CHKP10]
    Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  14. [CM10]
    Cayrel, P.-L., Meziani, M.: Post-quantum cryptography: code-based signatures. In: Kim, T., Adeli, H. (eds.) AST/UCMA/ISA/ACN 2010. LNCS, vol. 6059, pp. 82–99. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  15. [CNR12]
    Camenisch, J., Neven, G., Rückert, M.: Fully anonymous attribute tokens from lattices. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 57–75. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  16. [CS97]
    Camenisch, J., Stadler, M.A.: Efficient group signature schemes for large groups. In: Kaliski Jr, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  17. [CS03]
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. [CVA10]
    Cayrel, P.-L., Véron, P., El Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the \(q\)-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  19. [CvH91]
    Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)CrossRefGoogle Scholar
  20. [Dal08]
    Dallot, L.: Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 65–77. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. [DDMN12]
    Döttling, N., Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theor. 58(10), 6672–6680 (2012)MathSciNetCrossRefGoogle Scholar
  22. [Döt14]
    Döttling, N.: Cryptography based on the hardness of decoding. Ph.D. thesis, Karlsruhe Institute of Technology (2014).
  23. [ELL+15]
    Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. In: IACR Cryptography ePrint Archive, Report 2015/479 (2015)Google Scholar
  24. [FGUO+13]
    Faugere, J.-C., Gauthier-Umana, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high-rate McEliece cryptosystems. IEEE Trans. Inf. Theor. 59(10), 6830–6844 (2013)MathSciNetCrossRefGoogle Scholar
  25. [Fin10]
    Finiasz, M.: Parallel-CFS. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  26. [FS86]
    Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)CrossRefGoogle Scholar
  27. [FS96]
    Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 245–255. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  28. [FS09]
    Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  29. [GF2]
  30. [GKPV10]
    Goldwasser, S., Kalai, Y., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: ICS, pp. 230–240. Tsinghua University Press (2010)Google Scholar
  31. [GKV10]
    Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  32. [GPV08]
    Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206. ACM (2008)Google Scholar
  33. [Gro04]
    Groth, J.: Evaluating security of voting schemes in the universal composability framework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 46–60. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  34. [HMT13]
    Hu, R., Morozov, K., Takagi, T.: Proof of plaintext knowledge for code-based public-key encryption revisited. In: ASIA CCS, pp. 535–540. ACM (2013)Google Scholar
  35. [KTX08]
    Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  36. [LLLS13]
    Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  37. [LLNW14]
    Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014)CrossRefGoogle Scholar
  38. [LNSW13]
    Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  39. [LNW15]
    Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015)Google Scholar
  40. [LPY12]
    Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  41. [McE78]
    McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report, vol. 44, pp. 114–116 (1978)Google Scholar
  42. [MCG08]
    Melchor, C.A., Cayrel, P.-L., Gaborit, P.: A new efficient threshold ring signature scheme based on coding theory. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 1–16. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  43. [MCGL11]
    Melchor, C.A., Cayrel, P.-L., Gaborit, P., Laguillaumie, F.: A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theor. 57(7), 4833–4842 (2011)MathSciNetCrossRefGoogle Scholar
  44. [MCK01]
    Ma, J.F., Chiam, T.C., Kot, A.C: A new efficient group signature scheme based on linear codes. In: Networks, pp. 124–129. IEEE (2001)Google Scholar
  45. [Meu13]
    Meurer, A.: A coding-theoretic approach to cryptanalysis. Ph.D. thesis, Ruhr University Bochum (2013).
  46. [MGS11]
    Melchor, C.A., Gaborit, P., Schrek, J.: A new zero-knowledge code based identification scheme with reduced communication. CoRR, abs/1111.1644 (2011)Google Scholar
  47. [MVR12]
    Mathew, K.P., Vasant, S., Rangan, C.P.: On provably secure code-based signature and signcryption scheme. In: IACR Cryptography ePrint Archive, Report 2012/585 (2012)Google Scholar
  48. [MVVR12]
    Mathew, K.P., Vasant, S., Venkatesan, S., Pandu Rangan, C.: An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 166–179. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  49. [Nie86]
    Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theor. 15(2), 159–166 (1986)MathSciNetzbMATHGoogle Scholar
  50. [NIKM08]
    Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  51. [NTL]
    NTL: a library for doing number theory version 9.0.2.
  52. [NZZ15]
    Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015)Google Scholar
  53. [Pat75]
    Patterson, N.J.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (1975)MathSciNetCrossRefzbMATHGoogle Scholar
  54. [Per12]
    Persichetti, E.: On a CCA2-secure variant of McEliece in the standard model. In: IACR Cryptography ePrint Archive, Report 2012/268 (2012)Google Scholar
  55. [PV97]
    Pointcheval, D., Vaudenay, S.: On provable security for digital signature algorithms. Technical report LIENS-96-17, Laboratoire d’Informatique de Ecole Normale Superieure (1997)Google Scholar
  56. [RST01]
    Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  57. [Sen14]
    Sendrier, N.: QC-MDPC-McEliece: a public-key code-based encryption scheme based on quasi-cyclic moderate density parity check codes. In: Workshop “Post-Quantum Cryptography: Recent Results and Trends”, Fukuoka, Japan, November 2014Google Scholar
  58. [Sho97]
    Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)MathSciNetCrossRefzbMATHGoogle Scholar
  59. [Ste96]
    Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theor. 42(6), 1757–1768 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  60. [Vér96]
    Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
  61. [YTM+14]
    Yang, G., Tan, C.H., Mu, Y., Susilo, W., Wong, D.S.: Identity based identification from algebraic coding theory. Theor. Comput. Sci. 520, 51–61 (2014)MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© International Association for Cryptologc Research 2015

Authors and Affiliations

  • Martianus Frederic Ezerman
    • 1
  • Hyung Tae Lee
    • 1
  • San Ling
    • 1
  • Khoa Nguyen
    • 1
  • Huaxiong Wang
    • 1
  1. 1.Division of Mathematical Sciences, School of Physical and Mathematical SciencesNanyang Technological UniversitySingaporeSingapore

Personalised recommendations