Constant-Size Group Signatures from Lattices

Ling, San; Nguyen, Khoa; Wang, Huaxiong; Xu, Yanhong

doi:10.1007/978-3-319-76581-5_3

San Ling¹⁵,
Khoa Nguyen¹⁵,
Huaxiong Wang¹⁵ &
…
Yanhong Xu¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10770))

Included in the following conference series:

IACR International Workshop on Public Key Cryptography

2663 Accesses
41 Citations

Abstract

Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), ten other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, in all known constructions, one has to fix the number N of group users in the setup stage, and as a consequence, the signature sizes are dependent on N.

In this work, we introduce the first constant-size group signature from lattices, which means that the size of signatures produced by the scheme is independent of N and only depends on the security parameter $\lambda $. More precisely, in our scheme, the sizes of signatures, public key and users’ secret keys are all of order $\widetilde{\mathcal {O}}(\lambda )$. The scheme supports dynamic enrollment of users and is proven secure in the random oracle model under the Ring Short Integer Solution (RSIS) and Ring Learning With Errors (RLWE) assumptions. At the heart of our design is a zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature scheme (Crypto 2014), that may be of independent interest.

You have full access to this open access chapter, Download conference paper PDF

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based

Lattice-Based Group Signatures with Logarithmic Signature Size

Simpler Efficient Group Signatures from Lattices

Keywords

1 Introduction

Group signature, introduced by Chaum and van Heyst [18], is a fundamental anonymity primitive which allows members of a group to sign messages on behalf of the whole group. Yet, users are kept accountable for the signatures they issue since a tracing authority can identify them should the need arise. These two appealing features allow group signatures to find applications in various real-life scenarios, such as digital right management, anonymous online communications, e-commerce systems, and much more. On the theoretical front, designing secure and efficient group signature schemes is interesting and challenging, since those advanced constructions usually require a sophisticated combination of carefully chosen cryptographic ingredients: digital signatures, encryption schemes, and zero-knowledge protocols. Numerous group signature schemes have been proposed in the last quarter-century, some of which produce very short signatures [2, 8]. In the setting of bilinear groups, many schemes [1, 12, 28, 40] achieved constant-size signatures, which means that the group signatures only contain $\mathcal {O}(1)$ number of group ts. In other words, the signature sizes in those schemes only depend on the security parameter and are independent of the number N of group users. In the lattice setting, however, none of the existing constructions achieved this feature.

Lattice-based group signatures. Lattice-based cryptography has been an exciting research area since the seminal works of Regev [55] and Gentry et al. [24]. Lattices not only allow to build powerful primitives (e.g., [23, 25]) that have no feasible instantiations in conventional number-theoretic cryptography, but they also provide several advantages over the latter, such as conjectured resistance against quantum adversaries and faster arithmetic operations. Along with other primitives, lattice-based group signature has received noticeable attention in recent years. The first scheme was introduced by Gordon et al. [26] whose solution produced signature size linear in the number of group users N. Camenisch et al. [16] then extended [26] to achieve anonymity in the strongest sense. Later, Laguillaumie et al. [32] put forward the first scheme with the signature size logarithmic in N, at the cost of relatively large parameters. Simpler and more efficient solutions with $\mathcal {O}(\log N)$ signature size were subsequently given by Nguyen et al. [52] and Ling et al. [42]. Libert et al. [37] obtained substantial efficiency improvements via a construction based on Merkle trees which eliminates the need for GPV trapdoors [24]. More recently, a scheme supporting message-dependent opening (MDO) feature [56] was proposed in [39]. All the schemes mentioned above are designed for static groups, and all have signature sizes dependent on N.

Three lattice-based group signatures that have certain dynamic features were proposed by Langlois et al. [33], Libert et al. [35], and Ling et al. [43]. The first one is a scheme with verifier-local revocation (VLR) [9], which means that only the verifiers need to download the up-to-date group information. The second one addresses the orthogonal problem of dynamic user enrollments, which was formalized by Kiayias and Yung [31] and by Bellare et al. [5]. The third one is a fully dynamic scheme that supports both features, following Bootle et al.’s model [10]. Again, all these three schemes have signature size $\mathcal {O}(\log N)$.

In all existing works on lattice-based group signatures, for various reasons, one has to fix the number $N = \mathsf {poly}(\lambda )$, where $\lambda $ is the security parameter, in the setup stage. For the schemes from [16, 26, 32, 33, 35, 39, 42, 52] - which are based on full-fledged lattice-based ordinary signatures [11, 17, 24], this is due to the fact that their security reductions have to guess a target user with probability 1/N, and cannot go through unless N is known in advance. For the schemes from [37, 43] - which associate group users with leaves in lattice-based Merkle hash trees - this is because the size N of the trees has to be determined so that the setup algorithm succeeds. As a consequence, the parameters of those schemes, including the signature sizes, are unavoidably dependent on N. This state-of-affairs is somewhat unsatisfactory, considering that the constant-size feature has been achieved in the pairing setting. This inspires us to investigate the problem of designing constant-size lattice-based group signatures.

Our Results and Techniques. We introduce the first constant-size group signature scheme from lattices. Here, by “constant-size”, we mean that the signature size is independent of the number of group users N, as in the context of pairing-based group signatures [12, 28]. The crucial difference between our scheme and previous works on lattice-based group signatures is that we do not have to fix N in the setup phase. As a result, the execution of the scheme is totally independent of N. The sizes of the public key, users’ signing keys and signatures are of order $\widetilde{\mathcal {O}}(\lambda )$. A comparison between our schemes and previous works, in terms of asymptotic efficiency and functionality, is given in Table 1.

The scheme operates in Bellare et al.’s model for partially dynamic groups [5], and is proven secure under the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. As for all known lattice-based group signatures, our security analysis is in the random oracle model.

Table 1. Comparison of known lattice-based group signatures, in terms of asymptotic efficiency and functionality. The comparison is done based on two governing parameters: security parameter $\lambda $ and the maximum expected number of group users $N= 2^\ell $. Among the listed schemes, the LNW-II [42] scheme and ours are the only ideal-lattice-based constructions, while other schemes rely on various SIS and LWE assumptions in the general-lattice setting.

Full size table

Our scheme relies on the RSIS-based signature scheme by Ducas and Micciancio [20], which exploits the “confined guessing” technique [7] in the ring setting to achieve short public key. We employ the stateful and adaptively secure version of the scheme, described in [21], which suffices for building group signatures and which allows to work with even shorter key.

The scheme follows the usual sign-then-encrypt-then-prove approach for constructing group signatures. Each user generates a secret-public key pair $(\mathbf {x}, p)$ and becomes a certified group member once receiving a Ducas-Micciancio signature on his public key p. When generating group signatures, the user first encrypts his public key p to ciphertext $\mathbf {c}$ via a CCA-secure encryption scheme obtained by applying the Naor-Yung transformation [51] to a variant of the RLWE-based scheme by Lyubashevsky et al. [47]. Then he proves in zero-knowledge that: (i) he has a valid secret key $\mathbf {x}$ corresponding to p; (ii) he possesses a Ducas-Micciancio signature on p; and (iii) $\mathbf {c}$ is a correct ciphertext of p. The protocol is then transformed into a signature via the Fiat-Shamir heuristic [22].

To instantiate the above approach, we design a zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature, which is based on Stern’s framework [57]. We observe that a similar protocol for the Boyen signature [11] was proposed by Ling et al. [42], but their method is sub-optimal in terms of efficiency. We thus propose a refined technique that allows to achieve better communication cost, and hence, shorter signature size. We believe that our protocol is of independent interest. Indeed, apart from group signatures, zero-knowledge protocols for valid message-signature pairs are essential ingredients for designing various privacy-enhancing constructions, such as anonymous credentials [15], compact e-cash [14, 38], policy-based signatures [3, 19], and much more.

On the practical front, as all known lattice-based group signatures, our scheme is not truly practical. Even though the scheme produces signatures of constant size $\widetilde{\mathcal {O}}(\lambda )$, due to a large poly-logarithmic factor contained in the $\widetilde{\mathcal {O}}$ notation, the signature size is too big to be really useful in practice. We, however, hope that our result will inspire more efficient constructions in the near future.

2 Background

Notations. The set $\{1, \ldots , n\}$ is denoted by [n]. If S is a finite set, then $x \xleftarrow {\$} S$ means that x is chosen uniformly at random from S. When concatenating column vectors $\mathbf {x}\in \mathbb {R}^m$ and $\mathbf {y}\in \mathbb {R}^k$, for simplicity, we use the notation $(\mathbf {x}\Vert \mathbf {y})\in \mathbb {R}^{m+k}$ instead of $(\mathbf {x}^\top \Vert \mathbf {y}^\top )^\top $.

2.1 Rings, RSIS and RLWE

Let $q \ge 3$ be a positive integer and let $\mathbb {Z}_q = [-\frac{q-1}{2}, \frac{q-1}{2}]$. Consider rings of the form $R = \mathbb {Z}[X]/(\varPhi _{2n}(X))$ and $R_q = (R/qR)$, where n is a power of 2 and $\varPhi _{2n}(X) = X^n + 1$ is the cyclotomic polynomial of degree n.

We will use the coefficient embedding $\tau : R_q \rightarrow \mathbb {Z}_q^n$ that maps ring element $v = v_0 + v_1 \cdot X + \ldots + v_{n-1}\cdot X^{N-1} \in R_q$ to vector $\tau (v) = (v_0, v_1, \ldots , v_{n-1})^\top \in \mathbb {Z}_q^n$. We will also use the ring homomorphism $\mathsf {rot}: R_q \rightarrow \mathbb {Z}_q^{n \times n}$ that maps $a \in R_q$ to matrix $\mathsf {rot}(a) = \big [\tau (a) \mid \tau (a\cdot X) \mid \ldots \mid \tau (a \cdot X^{n-1})\big ] \in \mathbb {Z}_q^{n \times n}$ (see, e.g., [49, 58]). These functions allow us to interpret the product $y = a\cdot v$ over $R_q$ as the matrix-vector product $\tau (y) = \mathsf {rot}(a) \cdot \tau (v) \bmod q$.

When working with vectors over $R_q$, we often abuse the notations $\mathsf {rot}$ and $\tau $. If $\mathbf {A} = [a_1 \mid \ldots \mid a_m] \in R_q^{1 \times m}$, then we denote by $\mathsf {rot}(A)$ the matrix

$$ \mathsf {rot}(\mathbf {A}) = \big [\mathsf {rot}(a_1) \mid \ldots \mid \mathsf {rot}(a_m)\big ] \in \mathbb {Z}_q^{n \times mn}. $$

If $\mathbf {v} = (v_1, \ldots , v_m)^\top \in R_q^m$, then we let $\tau (\mathbf {v}) = (\tau (v_1) \Vert \ldots \Vert \tau (v_m)) \in \mathbb {Z}_q^{mn}$. Note that, if $y = \mathbf {A} \cdot \mathbf {v}$ over $R_q$, then we have $\tau (y) = \mathsf {rot}(\mathbf {A}) \cdot \tau (\mathbf {v}) \bmod q$.

For $a = a_0 + a_1 \cdot X + \ldots + a_{n-1}\cdot X^{N-1} \in R$, we define $\Vert a\Vert _\infty = \max _i(|a_i|)$. Similarly, for vector $\mathbf {b} = (b_1, \ldots , b_{\mathfrak {m}})^\top \in R^{\mathfrak {m}}$, we define $\Vert \mathbf {b}\Vert _\infty = \max _j(\Vert b_j\Vert _\infty )$.

We now recall the average-case problems $\mathsf {RSIS}$ and $\mathsf {RLWE}$ associated with the rings $R, R_q$, as well as their hardness results.

Definition 1

[44, 45, 54]. The $\textsf {RSIS}_{n,m,q,\beta }$ problem is as follows. Given a uniformly random $\mathbf {A} = [a_1 \mid \ldots \mid a_m] \in R_q^{1 \times m}$, find a non-zero vector $\mathbf {x} = (x_1, \ldots , x_m)^\top \in {R}^m$ such that $\Vert \mathbf {x}\Vert _\infty \le \beta $ and $\mathbf {A} \cdot \mathbf {x} = a_1 \cdot x_1 + \ldots + a_m \cdot x_m = 0.$

For $m > \frac{\log q}{\log (2\beta )}$, $\gamma = 16\beta mn \log ^2 n$, and $q \ge \frac{\gamma \sqrt{n}}{4\log n}$, the $\mathsf {RSIS}_{n,m,q,\beta }$ problem is at least as hard as $\mathsf {SVP}_\gamma ^\infty $ in any ideal in the ring R (see, e.g., [44]).

Definition 2

[46]. Let $n,m \ge 1$, $q \ge 2$, and let $\chi $ be a probability distribution on R. For $s \in {R}_q$, let $A_{s, \chi }$ be the distribution obtained by sampling $a \xleftarrow {\$} {R}_q$ and $e \hookleftarrow \chi $, and outputting the pair $(a, a\cdot s + e) \in {R}_q \times {R}_q$. The $\mathsf {RLWE}_{n,m,q,\chi }$ problem (the Hermite-Normal-Form version) asks to distinguish m samples chosen according to $\mathcal {A}_{s,\chi }$ (for $s \hookleftarrow \chi $) and m samples chosen according to the uniform distribution over ${R}_q \times {R}_q$.

Let $q = \mathsf {poly}(n)$ be a prime power. Let $B = \widetilde{\mathcal {O}}(n^{5/4})$ be an integer and $\chi $ be a B-bounded distribution on R, i.e., it outputs samples $e \in R$ such that $\Vert e\Vert _\infty \le B$ with overwhelming probability in n. Then, for $\gamma = n^2(q/B)(nm/\log (nm))^{1/4}$, the $\mathsf {RLWE}_{n,m,q,\chi }$ problem is at least as hard as $\mathsf {SVP}_\gamma ^\infty $ in any ideal in the ring R, via a polynomial-time quantum reduction (see, e.g., [34, 46, 48, 53]).

2.2 Decompositions

We next recall the integer decomposition technique from [41]. For any $B \in \mathbb {Z}_+$, define $\delta _B:=\lfloor \log _2 B\rfloor +1 = \lceil \log _2(B+1)\rceil $ and the sequence $B_1, \ldots , B_{\delta _B}$, where $B_j = \lfloor \frac{B + 2^{j-1}}{2^j} \rfloor $, for each $ j \in [1,\delta _B]$. As observed in [41], it satisfies $\sum _{j=1}^{\delta _B} B_j = B$ and any integer $v \in [0, B]$ can be decomposed to $\mathsf {idec}_B(v) = (v^{(1)}, \ldots , v^{(\delta _B)})^\top \in \{0,1\}^{\delta _B}$ such that $\sum _{j=1}^{\delta _B}B_j \cdot v^{(j)} = v$. This decomposition procedure is described in a deterministic manner as follows:

1.
$v': = v$
2.
For $j=1$ to $\delta _B$ do:
1. (i)
  If $v' \ge B_j$ then $v^{(j)}: = 1$, else $v^{(j)}: = 0$;
2. (ii)
  $v': = v' - B_j\cdot v^{(j)}$.
3.
Output $\mathsf {idec}_B(v) = (v^{(1)}, \ldots , v^{(\delta _B)})^\top $.

In this work, we will employ the above decomposition procedure when working with polynomials in the ring $R_q$. Specifically, for $B \in [1, \frac{q-1}{2}]$, we define the injective function $\mathsf {rdec}_B$ that maps $a \in R_q$ such that $\Vert a\Vert _\infty \le B$ to $\mathbf {a} \in R^{\delta _B}$ such that $\Vert \mathbf {a}\Vert _\infty \le 1$, which works as follows.

1.
Let $\tau (a) = (a_0, \ldots , a_{n-1})^\top $. For each i, let $\sigma (a_i) = 0$ if $a_i =0$; $\sigma (a_i) = -1$ if $a_i <0$; and $\sigma (a_i) = 1$ if $a_i >0$.
2.
$\forall i$, compute $\mathbf {w}_i = \sigma (a_i)\cdot \mathsf {idec}_B(|a_i|) = (w_{i,1}, \ldots , w_{i,\delta _B})^\top \in \{-1,0,1\}^{\delta _B}$.
3.
Form the vector $\mathbf {w} = (\mathbf {w}_0 \Vert \ldots \Vert \mathbf {w}_{n-1}) \in \{-1,0,1\}^{n\delta _B}$, and let $\mathbf {a} \in R^{\delta _B}$ be such that $\tau (\mathbf {a}) = \mathbf {w}$.
4.
Output $\mathsf {rdec}_B(a) = \mathbf {a}$.

When working with vectors of ring elements, e.g., $\mathbf {v} = (v_1, \ldots , v_m)^\top $ such that $\Vert \mathbf {v}\Vert _\infty \le B$, then we let $\mathsf {rdec}_B(\mathbf {v}) = \big (\mathsf {rdec}_B(v_1) \Vert \ldots \Vert \mathsf {rdec}_B(v_m)\big ) \in R^{m\delta _B}$.

Now, $\forall \,m, B \in \mathbb {Z}_+$, we define matrices $\mathbf {H}_{B} \in \mathbb {Z}^{n \times n\delta _B}$ and $\mathbf {H}_{m, B} \in \mathbb {Z}^{nm \times nm\delta _B}$ as

Then we have

$$ \tau (a) = \mathbf {H}_{B} \cdot \tau (\mathsf {rdec}_B(a)) \bmod q \,\, \text { and } \,\, \tau (\mathbf {v}) = \mathbf {H}_{m,B}\cdot \tau (\mathsf {rdec}_B(\mathbf {v})). $$

For simplicity of presentation, when $B = \frac{q-1}{2}$, we will use the notation $\mathsf {rdec}$ instead of $\mathsf {rdec}_{\frac{q-1}{2}}$, and $\mathbf {H}$ instead of $\mathbf {H}_{\frac{q-1}{2}}$.

2.3 A Variant of the Ducas-Micciancio Signature Scheme

We recall a variant of the Ducas-Micciancio signature scheme [20, 21], which is to used to design a (partially) dynamic group signature scheme as in the model of Bellare et al. [5]. Specifically, we use it to enroll new users.

In their papers, Ducas and Micciancio proposed two versions of signature schemes from ideal lattices: non-stateful and stateful. Note that in a group signature scheme, there are at most polynomial number of users. Therefore, it is reasonable to assume there are at most polynomial number of signature queries to the Ducas-Micciancio signature scheme. Under this assumption, the stateful version not only reduces the security loss of the proof, but also allows better parameters ([21, Sect. 4.1]), compared with the non-stateful version. We also note that in a group signature scheme, the signature scheme used to enroll users should be adaptively secure. To achieve adaptive security, we thus embed the chameleon hash function [21, Appendix B.3] into the above non-adaptively secure version.

Now we summarize the stateful and adaptively secure version of Ducas-Micciancio signature scheme below. Following [20, 21], throughout this work, let $c>1$ be some real constant and $\alpha _0\ge 1/(c-1)$. Let $d\ge \log _c(\omega (\log n))$ be an integer and $\{c_0,c_1\cdots ,c_d\}$ be a strictly increasing integer sequence with $c_0=0$ and $c_i=\lfloor \alpha _0 c^{i}\rfloor $ for $i\in [d]$. Define $\mathcal {T}_i=\{0,1\}^{c_i}$ for $i\in [d]$. For a tag $t=(t_0,t_1\ldots , t_{c_d-1})^\top \in \mathcal {T}_d$, let $t_{[i]}=(t_{c_{i-1}},\ldots ,t_{c_{i}-1})^\top $. Then we can check that $t=(t_{[1]}\Vert t_{[2]}\Vert \ldots \Vert t_{[d]})$. Identify each tag $t\in \mathcal {T}_d$ as $t(X)=\sum _{j=0}^{c_d-1} t_{j}X^j\in R$ and $t_{[i]}$ as $t_{[i]}(X)=\sum _{j=c_{i-1}}^{c_i-1}t_jX^j\in R$.

This variant works with the following parameters. Given the security parameter $\lambda $, the key generation algorithm works as follows.

Choose parameter $n=\mathcal {O}(\lambda )$ being a power of 2, and modulus $q=3^k$ for some positive integer k. Let $R=\mathbb {Z}[X]/(X^n+1)$ and $R_q=R/qR$.
Also, let $\ell =\lfloor \log \frac{q-1}{2}\rfloor +1$, $m\ge 2\lceil \log q\rceil +2$, and $\overline{m} = m + k$.
Let integer d and sequence $c_0,\ldots ,c_d$ as described above. Let $\beta =\widetilde{\mathcal {O}}(n)$ be a integer.
Let $S\in \mathbb {Z}$ be a state initialized to 0.

The verification key consists of the following:

$$ \mathbf {A}, \mathbf {F}_0 \in R_q^{1 \times \overline{m}}; \mathbf {A}_{[0]}, \ldots , \mathbf {A}_{[d]} \in R_q^{1 \times k}; \mathbf {F}, \mathbf {F}_1 \in R_q^{1 \times \ell }; u \in R_q $$

while the signing key is a Micciancio-Peikert [50] trapdoor matrix $\mathbf {R}\in R_q^{m\times k}$.

To sign a message $p\in R_q$, let $\mathbf {p}=\mathsf {rdec}(p)\in R^{\ell }$ whose coefficients are in the set $\{-1,0,1\}$. The signer then proceeds as follows.

Set the tag $t=(t_0,t_1\ldots , t_{c_d-1})^\top \in \mathcal {T}_d$, where $S=\sum _{j=0}^{c_d-1} 2^j\cdot t_j$, and compute $\mathbf {A}_{t} = [\mathbf {A}|\mathbf {A}_{[0]}+\sum _{i=1}^{d}t_{[i]}\mathbf {A}_{[i]}] \in R_q^{1\times (\overline{m} + k)}$. Update S to $S+1$.
Sample $\mathbf {r}\in R^{\overline{m}}$ such that $\Vert \mathbf {r}\Vert _{\infty }\le \beta $.
Let $y=\mathbf {F}_0 \cdot \mathbf {r}+\mathbf {F}_1\cdot \mathbf {p}\in R_q$ and ${u}_{p}=\mathbf {F}\cdot \mathsf {rdec}(y)+u \in R_q$.
Using the trapdoor matrix $\mathbf {R}$, generate a ring vector $\mathbf {v}\in R^{\overline{m} + k}$ such that $\mathbf {A}_t\cdot \mathbf {v}=u_p$ and $\Vert \mathbf {v}\Vert _{\infty }\le \beta $.
Output the tuple $(t,\mathbf {r},\mathbf {v})$ as a signature for $p\in R_q$.

To verify a signature tuple $(t,\mathbf {r},\mathbf {v})$ on message $p\in R_q$, the verifier computes the matrix $\mathbf {A}_t$ as above and checks the following conditions hold or not. If yes, he outputs 1. Otherwise, he outputs 0.

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {A}_t\cdot \mathbf {v}=\mathbf {F}\cdot \mathsf {rdec}(\mathbf {F}_0\cdot \mathbf {r}+\mathbf {F}_1\cdot \mathsf {rdec}(p))+u,\\ \Vert \mathbf {r}\Vert _{\infty }\le \beta ,~\Vert \mathbf {v}\Vert _{\infty }\le \beta . \end{array}\right. } \end{aligned}$$

Remark 1

We remark that $\mathbf {p}=\mathsf {rdec}(p)\in R^{\ell }$ and $\mathsf {rdec}(y)\in R^{\ell }$ are ring vectors with coefficients in the set $\{-1,0,1\}$ while Ducas-Micciancio signature scheme handles ring vectors with binary coefficients. However, this does not affect the security of the Ducas-Micciancio signature scheme.

Lemma 1

[20, 21]. If we assume there are at most polynomial number of signature queries and the $\mathsf {RSIS}_{n,\overline{m},q,\widetilde{\mathcal {O}}(n^2)}$ problem is hard, then the above variant of Ducas-Micciancio signature scheme is existentially unforgeable against adaptive chosen message attacks.

2.4 Zero-Knowledge Argument Systems and Stern-Like Protocols

We will work with statistical zero-knowledge argument systems, namely, interactive protocols where the zero-knowledge property holds against any cheating verifier, while the soundness property only holds against computationally bounded cheating provers. More formally, let the set of statements-witnesses $\mathrm {R} = \{(y,w)\} \in \{0,1\}^* \times \{0,1\}^*$ be an NP relation. A two-party game $\langle \mathcal {P},\mathcal {V} \rangle $ is called an interactive argument system for the relation $\mathrm {R}$ with soundness error e if the following conditions hold:

Completeness. If $(y,w) \in \mathrm {R}$ then $\mathrm {Pr}\big [\langle \mathcal {P}(y,w),\mathcal {V}(y) \rangle =1\big ]=1.$
Soundness. If $(y,w) \not \in \mathrm {R}$, then $\forall $ PPT $\widehat{\mathcal {P}}$: $\mathrm {Pr}[\langle \widehat{\mathcal {P}}(y,w),\mathcal {V}(y) \rangle =1] \le e.$

An argument system is called statistical zero-knowledge if there exists a PPT simulator $\mathcal {S}(y)$ having oracle access to any $\widehat{\mathcal {V}}(y)$ and producing a simulated transcript that is statistically close to the one of the real interaction between $\mathcal {P}(y,w)$ and $\widehat{\mathcal {V}}(y)$. A related notion is argument of knowledge, which requires the witness-extended emulation property. For protocols consisting of 3 moves (i.e., commitment-challenge-response), witness-extended emulation is implied by special soundness [27], where the latter assumes that there exists a PPT extractor which takes as input a set of valid transcripts with respect to all possible values of the “challenge” to the same “commitment”, and outputs $w'$ such that $(y,w') \in \mathrm {R}$.

Stern-like protocols. The statistical zero-knowledge arguments of knowledge presented in this work are Stern-like [57] protocols. In particular, they are $\varSigma $-protocols in the generalized sense defined in [6, 29] (where 3 valid transcripts are needed for extraction, instead of just 2). The basic protocol consists of 3 moves: commitment, challenge, response. If a statistically hiding and computationally binding string commitment scheme, such as the KTX scheme [30], is employed in the first move, then one obtains a statistical zero-knowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error 2/3. In many applications, the protocol is repeated $\kappa = \omega (\log \lambda )$ times to make the soundness error negligibly small in $\lambda $.

An abstraction of Stern’s protocol. We recall an abstraction of Stern’s protocol, proposed in [35]. Let K, L, q be positive integers, where $L\ge K$ and $q \ge 2$, and let $\mathsf {VALID}$ be a subset of $\{-1,0,1\}^L$. Suppose that $\mathcal {S}$ is a finite set such that one can associate every $\phi \in \mathcal {S}$ with a permutation $\varGamma _\phi $ of L elements, satisfying the following conditions:

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {w} \in \mathsf {VALID} \Longleftrightarrow \varGamma _\phi (\mathbf {w}) \in \mathsf {VALID}, \\ \text {If } \mathbf {w} \in \mathsf {VALID} \text { and } \phi \text { is uniform in } \mathcal {S}, \text { then } \varGamma _\phi (\mathbf {w}) \text { is uniform in } \mathsf {VALID}. \end{array}\right. } \end{aligned}$$

(1)

We aim to construct a statistical ZKAoK for the following abstract relation:

$$\begin{aligned} \mathrm {R_{abstract}} = \big \{(\mathbf {M}, \mathbf {u}), \mathbf {w} \in \mathbb {Z}_q^{K \times L} \times \mathbb {Z}_q^K \times \mathsf {VALID}: \mathbf {M}\cdot \mathbf {w} = \mathbf {u} \bmod q.\big \} \end{aligned}$$

The conditions in (1) play a crucial role in proving in ZK that $\mathbf {w} \in \mathsf {VALID}$: To do so, the prover samples $\phi \xleftarrow {\$}\mathcal {S}$ and let the verifier check that $\varGamma _\phi (\mathbf {w}) \in \mathsf {VALID}$, while the latter cannot learn any additional information about $\mathbf {w}$ thanks to the randomness of $\phi $. Furthermore, to prove in ZK that the linear equation holds, the prover samples a masking vector $\mathbf {r}_w \xleftarrow {\$} \mathbb {Z}_q^L$, and convinces the verifier instead that $\mathbf {M}\cdot (\mathbf {w} + \mathbf {r}_w) = \mathbf {M}\cdot \mathbf {r}_w + \mathbf {u} \bmod q.$

The interaction between prover $\mathcal {P}$ and verifier $\mathcal {V}$ is described in Fig. 1. The protocol employs a statistically hiding and computationally binding string commitment scheme COM (e.g., the RSIS-based scheme from [30]).

Theorem 1

[35]. Assume that $\mathsf {COM}$ is a statistically hiding and computationally binding string commitment scheme. Then, the protocol in Fig. 1 is a statistical ZKAoK with perfect completeness, soundness error 2/3, and communication cost $\mathcal {O}(L\log q)$. In particular:

There exists a polynomial-time simulator that, on input $(\mathbf {M}, \mathbf {u})$, outputs an accepted transcript statistically close to that produced by the real prover.
There exists a polynomial-time knowledge extractor that, on input a commitment $\mathrm {CMT}$ and 3 valid responses $(\mathrm {RSP}_1,\mathrm {RSP}_2,\mathrm {RSP}_3)$ to all 3 possible values of the challenge Ch, outputs $\mathbf {w}' \in \mathsf {VALID}$ such that $\mathbf {M}\cdot \mathbf {w}' = \mathbf {u} \bmod q.$

The proof of the Theorem 1, appeared in [35], employs standard simulation and extraction techniques for Stern-like protocols (e.g., [30, 36, 41]). The details are available in the full version.

Looking ahead, all the relations we consider in this work (Sects. 3.2 and 4.2), will be reduced to instances of the above abstract protocol.

3 ZKAoK for the Ducas-Micciancio Signature Scheme

This section presents our statistical zero-knowledge argument of knowledge for a valid message-signature pair for the Ducas-Micciancio signature scheme [20, 21]. In the process, we will need to prove knowledge of a witness vector of the “mixing” form

$$\begin{aligned} \big (\mathbf {z} \,\, \Vert \,\, t_0 \cdot \mathbf {z} \,\, \Vert \,\, \ldots \,\, \Vert \,\, t_{c_d-1} \cdot \mathbf {z}\big ), \end{aligned}$$

(2)

where $\mathbf {z} \in \{-1,0,1\}^{\mathfrak {m}}$ and $\mathbf {t} = (t_0, \ldots , t_{c_d-1})^\top \in \{0,1\}^{c_d}$ for some positive integers $\mathfrak {m}$ and $c_d$.

We note that, in their ZK protocol for the Boyen signature [11], Ling et al. [42] also derived a vector of similar form. To handle such a vector in the Stern’s framework [57], Ling et al. used a permutation in the symmetric group $\mathcal {S}_{3\mathfrak {m}}$ to hide the value of $\mathbf {z}$ and a permutation in the symmetric group $\mathcal {S}_{2c_d}$ to hide the value of $\mathbf {t}$. As a consequence, the cost of communicating the permutations from the prover to the verifier is $3 \mathfrak {m} \log \mathfrak {m} + 2 c_d \log c_d$ bits. This is sub-optimal, because the cost is much larger than the number of secret bits.

In Sect. 3.1, we put forward a refined permuting technique in which the total cost for the permutations is exactly the total bit-size of $\mathbf {z}$ and $\mathbf {t}$. We then employ this technique as a building block for our ZK protocol in Sect. 3.2.

3.1 A Refined Permuting Technique

We first observe that the coefficients of the vector described in (2) are highly correlated: most of them are products of $t_i$ and $z_j$, where both $t_i$ and $z_j$ do appear at other positions. Thus, to prove the well-formedness of such a vector, we have to solve two sub-problems: (i) proving that a secret integer z is an element of the set $\{-1,0,1\}$; (ii) proving that a secret integer y is the product of secret integers $t \in \{0,1\}$ and $z \in \{-1,0,1\}$. Furthermore, these sub-protocols must be compatible and extendable, so that we can additionally prove that the same t and z satisfy other relations.

Technique for proving that $z \in \{-1,0,1\}$ . For any integer a, let us denote by $[a]_3$ the integer $a' \in \{-1,0,1\}$ such that $a' = a \bmod 3$. For integer $z \in \{-1,0,1\}$, we define the 3-dimensional vector $\mathsf {enc}_3(z)$ as follows:

$$ \mathsf {enc}_3(z) = \big ([z+1]_3, [z]_3, [z-1]_3\big )^\top \in \{-1,0,1\}^3. $$

Namely, $\mathsf {enc}_3(-1) = (0, -1,1)^\top $, $\mathsf {enc}_3(0) = (1, 0,-1)^\top $ and $\mathsf {enc}_3(1) = (-1, 1,0)^\top $.

Now, for any integer $e \in \{-1,0,1\}$, define the permutation $\pi _e$ that transforms vector $\mathbf {v} = (v^{(-1)}, v^{(0)}, v^{(1)})^\top \in \mathbb {Z}^3$ into vector

$$ \pi _e(\mathbf {v}) = (v^{([-e-1]_3)}, v^{([-e]_3)}, v^{([-e+1]_3)})^\top . $$

We then observe that, for any $z, b \in \{-1,0,1\}$, the following equivalence holds.

$$\begin{aligned} \mathbf {v} = \mathsf {enc}_3(z) \,\, \Longleftrightarrow \,\, \pi _e(\mathbf {v}) = \mathsf {enc}_3([z+e]_3). \end{aligned}$$

(3)

In the framework of Stern’s protocol, the above technique in fact allows us to prove knowledge of $z\in \{-1,0,1\}$, where z may satisfy other relations. To do this, we first extend z to $\mathbf {v} = \mathsf {enc}_3(z)$. Then, to show that $\mathbf {v}$ is a well-formed extension, we pick a uniformly random $e \xleftarrow {\$} \{-1,0,1\}$, and send $\pi _e(\mathbf {v})$ to the verifier. Thanks to the equivalence observed in (3), when seeing that $\pi _e(\mathbf {v}) = \mathsf {enc}_3([z+e]_3)$, the verifier should be convinced that $\mathbf {v} = \mathsf {enc}_3(z)$, which implies that $z\in \{-1,0,1\}$. Meanwhile, since e acts as a “one-time pad”, the value of z is completely hidden from the verifier. Furthermore, to prove that z satisfies other relations, we can use the same “one-time pad” e at other appearances of z. An example of that is to prove that z is involved in a product $t \cdot z$, which we now present.

Technique for proving that $y = t \cdot z$ . For any $b \in \{0,1\}$, we denote by $\overline{b}$ the bit $1-b$. The addition operation modulo 2 is denoted by $\oplus $.

For any $t \in \{0,1\}$ and $z \in \{-1,0,1\}$, we construct the 6-dimensional integer vector $\mathsf {ext}(t,z) \in \{-1,0,1\}^6$ as follows:

$$\begin{aligned} \mathsf {ext}(t,z) = \big (\,\, \overline{t}\cdot [z + 1]_3, \,\, t \cdot [z + 1]_3, \,\, \overline{t} \cdot [z]_3, \,\, t \cdot [z]_3, \,\, \overline{t} \cdot [z - 1]_3, \,\, t \cdot [z - 1]_3\big )^\top . \end{aligned}$$

Now, for any $b \in \{0,1\}$ and $e \in \{-1,0,1\}$, we define the permutation $\psi _{b,e}(\cdot )$ that transforms vector

$$\begin{aligned} \mathbf {v} = \big (v^{(0, -1)}, v^{(1,-1)}, v^{(0,0)}, v^{(1,0)}, v^{(0,1)}, v^{(1,1)}\big )^\top \in \mathbb {Z}^6 \end{aligned}$$

into vector

$$ \psi _{b,e}(\mathbf {v}) = \big ( v^{(b, [-e-1]_3)}, v^{(\overline{b}, [-e-1]_3)}, v^{(b, [-e]_3)}, v^{(\overline{b}, [-e]_3)}, v^{(b, [-e+1]_3)}, v^{(\overline{b}, [-e+1]_3)} \big )^\top . $$

We then observe that the following equivalence holds for any $t, b \in \{0,1\}$ and any $z,e \in \{-1,0,1\}$.

$$\begin{aligned} \mathbf {v} = \mathsf {ext}(t,z) \Longleftrightarrow \psi _{b,e}(\mathbf {v}) = \mathsf {ext}(t \oplus b, [z + e]_3). \end{aligned}$$

(4)

Example 1

Let $t =1$ and $z=-1$. Then we have

$$\mathbf {v} = \mathsf {ext}(t,z) = (0,0,0,-1,0,1)^\top = (v^{(0, -1)}, v^{(1,-1)}, v^{(0,0)}, v^{(1,0)}, v^{(0,1)}, v^{(1,1)})^\top .$$

Suppose that $b=0$ and $e=1$, then

$$ \psi _{b,e}(\mathbf {v}) = (v^{(0,1)}, v^{(1,1)}, v^{(0,-1)}, v^{(1,-1)}, v^{(0,0)}, v^{(1,0)})^\top = (0, 1, 0, 0 , 0, -1)^\top , $$

which is equal to $\mathsf {ext}(1,0) = \mathsf {ext}(1 \oplus 0, [-1+1]_3)$.

In the framework of Stern’s protocol, the above technique will be used to prove that $y = t\cdot z$, as follows. We first extend y to $\mathbf {v} = \mathsf {ext}(t,z)$. Then, to prove that $\mathbf {v}$ is well-formed, we sample $b \xleftarrow {\$} \{0,1\}$, $e \xleftarrow {\$} \{-1,0,1\}$, and demonstrate to the verifier that $\psi _{b,e}(\mathbf {v}) = \mathsf {ext}(t \oplus b, [z + e]_3)$. Thanks to the equivalence observed in (4), the verifier should be convinced that $\mathbf {v}$ is well-formed, implying that the original integer y does have the form $t\cdot z$. Meanwhile, the random integers b, e essentially act as “one-time pads” that perfectly hide the values of t and z, respectively. Moreover, if we want to prove that the same t, z appear elsewhere, we can use the same b, e at those places.

Next, we will describe the somewhat straightforward generalizations of the above two core techniques, which enable us to prove knowledge of vector $\mathbf {z} \in \{-1,0,1\}^{\mathfrak {m}}$ as well as vector of the form (2). Based on the above discussions, one can see that the target is to obtain equivalences similar to (3) and (4), which are useful in Stern’s framework.

Proving that $\mathbf {z} \in \{-1,0,1\}^{\mathfrak {m}}$ . For any vector $\mathbf {a} \in \mathbb {Z}^{\mathfrak {m}}$, we will also use the notation $[\mathbf {a}]_3$ to denote the vector $\mathbf {a}' \in \{-1,0,1\}^{\mathfrak {m}}$ such that $\mathbf {a}' = \mathbf {a} \bmod 3$.

For $\mathbf {z} = ({z}_1, \ldots , z_{\mathfrak {m}})^\top \in \{-1,0,1\}^{\mathfrak {m}}$, we define the following extension:

$$ \mathsf {enc}(\mathbf {z}) = \big ( \mathsf {enc}_3(z_1) \Vert \ldots \Vert \mathsf {enc}_3(z_{\mathfrak {m}}) \big ) \in \{-1,0,1\}^{3\mathfrak {m}}. $$

For any vector $\mathbf {e} = ({e}_1, \ldots , e_{\mathfrak {m}})^\top \in \{-1,0,1\}^{\mathfrak {m}}$, we define the permutation $\varPi _{\mathbf {e}}$ that acts as follows. When applied to vector $\mathbf {v} = (\mathbf {v}_1 \Vert \ldots \Vert \mathbf {v}_{\mathfrak {m}}) \in \mathbb {Z}^{3\mathfrak {m}}$ consisting of $\mathfrak {m}$ blocks of size 3, it transforms $\mathbf {v}$ into vector:

$$ \varPi _{\mathbf {e}}(\mathbf {v}) = \big ( \pi _{e_1}(\mathbf {v}_1) \Vert \ldots \Vert \pi _{e_{\mathfrak {m}}}(\mathbf {v}_{\mathfrak {m}}) \big ). $$

It then follows from (3) that the following holds for any $\mathbf {z}, \mathbf {e} \in \{-1,0,1\}^{\mathfrak {m}}$.

$$\begin{aligned} \mathbf {v} = \mathsf {enc}(\mathbf {z}) \Longleftrightarrow \varPi _{\mathbf {e}}(\mathbf {v}) = \mathsf {enc}([\mathbf {z} + \mathbf {e}]_3). \end{aligned}$$

(5)

Handling a “mixing” vector. We now tackle the “mixing” vector discussed earlier, i.e.,

$$\begin{aligned} \mathbf {y} = \big ( \mathbf {z} \, \Vert t_0 \cdot \mathbf {z} \Vert \ldots \Vert t_{c_d-1} \cdot \mathbf {z} \big ). \end{aligned}$$

For any $\mathbf {z} = ({z}_1, \ldots , z_{\mathfrak {m}})^\top \in \{-1,0,1\}^{\mathfrak {m}}$ and $\mathbf {t} = (t_0, \ldots , t_{c_d-1})^\top \in \{0,1\}^{c_d}$, we define vector $ \mathsf {mix}(\mathbf {t}, \mathbf {z}) \in \{-1,0,1\}^{3\mathfrak {m} + 6\mathfrak {m}c_d} $ of the form:

$$ \big (\mathsf {enc}(\mathbf {z}) \Vert \mathsf {ext}(t_0, z_1) \Vert \ldots \Vert \mathsf {ext}(t_0, z_{\mathfrak {m}}) \Vert \ldots \Vert \mathsf {ext}(t_{c_d-1}, z_1) \Vert \ldots \Vert \mathsf {ext}(t_{c_d-1}, z_{\mathfrak {m}}) \big ), $$

which is an extension of vector $\mathbf {y}$. Next, for $\mathbf {b}= (b_0, \cdots , b_{c_d-1})^\top \in \{0,1\}^{c_d}$ and $\mathbf {e} = (\mathbf {e}_1, \ldots , e_{\mathfrak {m}}) \in \{-1,0,1\}^{\mathfrak {m}}$, we define the permutation $\varPsi _{\mathbf {b}, \mathbf {e}}$ that acts as follows. When applied to vector

$$ \mathbf {v} = \big (\mathbf {v}_{-1} \Vert \mathbf {v}_{0,1} \Vert \ldots \Vert \mathbf {v}_{0, \mathfrak {m}} \Vert \ldots \Vert \mathbf {v}_{c_d-1, 1} \Vert \ldots \Vert \mathbf {v}_{c_d-1, \mathfrak {m}} \big ) \in \mathbb {Z}^{3\mathfrak {m} + 6\mathfrak {m}c_d}, $$

where block $\mathbf {v}_{-1}$ has length $3\mathfrak {m}$ and each block $\mathbf {v}_{i,j}$ has length 6, it transforms $\mathbf {v}$ into vector

$$\begin{aligned} \varPsi _{\mathbf {b}, \mathbf {e}}(\mathbf {v}) = \big ( \varPi _{\mathbf {e}}(\mathbf {v}_{-1}) \Vert&\psi _{b_0, e_1}(\mathbf {v}_{0,1}) \Vert \ldots \Vert \psi _{b_0, e_{\mathfrak {m}}}(\mathbf {v}_{0, \mathfrak {m}}) \Vert \ldots \Vert \\&\psi _{b_{c_d-1}, e_1}(\mathbf {v}_{c_d-1, 1}) \Vert \ldots \Vert \psi _{b_{c_d-1}, e_{\mathfrak {m}}}(\mathbf {v}_{c_d-1, \mathfrak {m}}) \big ). \end{aligned}$$

Then, observe that the following desirable equivalence holds for all $\mathbf {t}, \mathbf {b} \in \{0,1\}^{c_d}$ and $\mathbf {z}, \mathbf {e} \in \{-1,0,1\}^{\mathfrak {m}}$.

$$\begin{aligned} \mathbf {v} = \mathsf {mix}(\mathbf {t},\mathbf {z}) \Longleftrightarrow \varPsi _{\mathbf {b},\mathbf {e}}(\mathbf {v}) = \mathsf {mix}(\mathbf {t} \oplus \mathbf {b}, [\mathbf {z} + \mathbf {e}]_3). \end{aligned}$$

(6)

3.2 Zero-Knowledge Protocol for the Ducas-Micciancio Signature

We now present our statistical ZKAoK of a valid message-signature pair for the Ducas-Micciancio signature scheme. Let $n,q, m, k, \overline{m}, \ell , \beta , d, c_0, \ldots , c_d$ as specified in Sect. 2.3. The protocol can be summarized as follows.

The public input consists of
$$ \mathbf {A}, \mathbf {F}_0 \in R_q^{1 \times \overline{m}}; \,\, \mathbf {A}_{[0]}, \ldots , \mathbf {A}_{[d]} \in R_q^{1 \times k}; \,\, \mathbf {F}, \mathbf {F}_1 \in R_q^{1 \times \ell }; \,\, u \in R_q. $$
The prover’s secret input consists of message $p \in R_q$ and signature $(t, \mathbf {r}, \mathbf {v})$, where
$$\begin{aligned} {\left\{ \begin{array}{ll} t = (t_0, \ldots , t_{c_1 -1}, \ldots , t_{c_{d-1}}, \ldots , t_{c_d -1})^\top \in \{0,1\}^{c_d}; \\ \mathbf {r} \in R^{\overline{m}}; \,\, \mathbf {v} = (\mathbf {s} \Vert \mathbf {z})\in R^{\overline{m} + k}; \,\, \mathbf {s} \in R^{\overline{m}}; \,\, \mathbf {z} \in R^k; \end{array}\right. } \end{aligned}$$
The prover’s goal is to prove in zero-knowledge that $\Vert \mathbf {r}\Vert _\infty \le \beta $, $\Vert \mathbf {v}\Vert _\infty \le \beta $, and that the equation
$$\begin{aligned} \mathbf {A} \cdot \mathbf {s} + \mathbf {A}_{[0]} \cdot \mathbf {z} + \sum _{i=1}^d \mathbf {A}_{[i]} \cdot t_{[i]} \cdot \mathbf {z} = \mathbf {F}\cdot \mathbf {y} + u \end{aligned}$$
(7)
holds for $\big \{t_{[i]} = \sum _{j = c_{i-1}}^{{c_i -1}} t_j \cdot X^j\big \}_{i=1}^d$ and
$$\begin{aligned} \mathbf {y} = \mathsf {rdec}\left( \mathbf {F}_0 \cdot \mathbf {r} + \mathbf {F}_1 \cdot \mathsf {rdec}(p)\right) \in R^\ell . \end{aligned}$$
(8)

Our strategy is to reduce the considered statement to an instance of the abstract protocol from Sect. 2.4. The reduction consists of 2 steps.

Decomposing-Unifying. In the first step, we will employ the decomposition techniques from Sect. 2.2 together with the notations $\mathsf {rot}$ and $\tau $ from Sect. 2.1 to transform Eqs. (7) and (8) into one equation of the form $\mathbf {M}_0\cdot \mathbf {w}_0 = \mathbf {u} \bmod q$, where $\mathbf {M}_0, \mathbf {u}$ are public, and the coefficients of vector $\mathbf {w}_0$ are in the set $\{-1,0,1\}$.

Let $\mathbf {s}^\star = \tau (\mathsf {rdec}_\beta (\mathbf {s})) \in \{-1,0,1\}^{n \overline{m}\delta _\beta }$, $\mathbf {z}^\star = \tau (\mathsf {rdec}_\beta (\mathbf {z})) \in \{-1,0,1\}^{nk\delta _\beta }$ and $\mathbf {r}^\star = \tau (\mathsf {rdec}_\beta (\mathbf {r})) \in \{-1,0,1\}^{n\overline{m}\delta _\beta }$. Then, we observe that, Eq. (7) is equivalent to,

$$\begin{aligned} \nonumber&[\mathsf {rot}(\mathbf {A}_{[0]})\cdot \mathbf {H}_{{k}, \beta }]\cdot \mathbf {z}^\star + \sum _{i=1}^d \sum _{j=c_{i-1}}^{c_i -1} [\mathsf {rot}(\mathbf {A}_{[i]}\cdot X^{j}) \cdot \mathbf {H}_{k, \beta }]\cdot t_j \cdot \mathbf {z}^* + \\&[\mathsf {rot}(\mathbf {A})\cdot \mathbf {H}_{\overline{m}, \beta }]\cdot \mathbf {s}^\star - [\mathsf {rot}(\mathbf {F})]\cdot \tau (\mathbf {y}) = \tau (u) \bmod q, \end{aligned}$$

and Eq. (8) is equivalent to

$$\begin{aligned}{}[\mathsf {rot}(\mathbf {F}_{0})\cdot \mathbf {H}_{\overline{m}, \beta }] \cdot \mathbf {r}^\star + [\mathsf {rot}(\mathbf {F}_1)]\cdot \tau (\mathsf {rdec}(p)) - [\mathbf {H}]\cdot \tau (\mathbf {y}) = \mathbf {0} \bmod q. \end{aligned}$$

Now, using basic algebra, we can manipulate the two derived equations: rearranging the secret vectors and combining them, as well as concatenating the public matrices (namely, those written inside $[\cdot ]$) accordingly. As a result, we obtain an unifying equation of the form:

$$ \mathbf {M}_0 \cdot \mathbf {w}_0 = \mathbf {u} \bmod q, $$

where $\mathbf {u} = (\tau (u) \Vert \mathbf {0}) \in \mathbb {Z}_q^{2n}$ and $\mathbf {M}_0$ are public, and $\mathbf {w}_0 = (\mathbf {w}_1 \Vert \mathbf {w}_2)$, with

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {w}_1 = (\mathbf {z}^\star \Vert t_0 \cdot \mathbf {z}^\star \Vert \ldots \Vert t_{c_d-1}\cdot \mathbf {z}^\star ) \in \{-1,0,1\}^{(k\delta _\beta + c_d k\delta _\beta )n}; \\ \mathbf {w}_2 = (\mathbf {s}^\star \Vert \mathbf {r}^\star \Vert \tau (\mathbf {y}) \Vert \tau (\mathsf {rdec}(p))) \in \{-1,0,1\}^{(\overline{m}\delta _\beta + \ell )2n}. \end{array}\right. } \end{aligned}$$

Extending-Permuting. In this second step, we will transform the equation $\mathbf {M}_0 \cdot \mathbf {w}_0 = \mathbf {u} \bmod q$ obtained in the first step into an equation of the form $\mathbf {M} \cdot \mathbf {w} = \mathbf {u} \bmod q$, where the secret vector $\mathbf {w}$ satisfies the conditions required by the abstract protocol. In the process, we will employ the techniques introduced in Sect. 3.1.

Specifically, we extend the blocks of vector $\mathbf {w}_0 = (\mathbf {w}_1 \Vert \mathbf {w}_2)$ as follows.

$$\begin{aligned} \mathbf {w}_1\mapsto & {} \mathbf {w}'_1 = \mathsf {mix}\big (t, \mathbf {z}^\star \big ) \in \{-1,0,1\}^{L_1}; \\ \nonumber \mathbf {w}_2\mapsto & {} \mathbf {w}'_2 = \mathsf {enc}(\mathbf {w}_2) \in \{-1,0,1\}^{L_2}. \end{aligned}$$

(9)

Then we form vector $\mathbf {w} = (\mathbf {w}'_1 \Vert \mathbf {w}'_2) \in \{-1,0,1\}^{L}$, where

$$ L = L_1 + L_2; \,\, L_1 = (k\delta _\beta + 2c_d k \delta _\beta )3n; \,\, L_2 = (\overline{m}\delta _\beta + \ell )6n.$$

At the same time, we insert suitable zero-columns to matrix $\mathbf {M}_0$ to obtain matrix $\mathbf {M} \in \mathbb {Z}_q^{2n \times L}$ such that $\mathbf {M} \cdot \mathbf {w} = \mathbf {M}_0 \cdot \mathbf {w}_0$.

Up to this point, we have transformed the considered relations into one equation of the desired form $\mathbf {M} \cdot \mathbf {w} = \mathbf {u} \bmod q$. We now specify the set $\mathsf {VALID}$ that contains the obtained vector $\mathbf {w}$, the set $\mathcal {S}$ and permutations $\{\varGamma _\phi : \phi \in \mathcal {S}\}$, such that the conditions in (1) hold.

Define $\mathsf {VALID}$ as the set of all vectors $\mathbf {v}' = (\mathbf {v}'_1 \Vert \mathbf {v}'_2) \in \{-1,0,1\}^{L}$, satisfying the following:

There exist $t \in \{0,1\}^{c_d}$ and $\mathbf {z}^\star \in \{-1,0,1\}^{nk\delta _\beta }$ such that $\mathbf {v}'_1 = \mathsf {mix}(t, \mathbf {z}^\star )$.
There exists $\mathbf {w}_2 \in \{-1,0,1\}^{(\overline{m}\delta _\beta + \ell )2n}$ such that $\mathbf {v}'_2 = \mathsf {enc}(\mathbf {w}_2)$.

Clearly, our vector $\mathbf {w}$ belongs to this tailored set $\mathsf {VALID}$.

Now, let $\mathcal {S} = \{0,1\}^{c_d} \times \{-1,0,1\}^{nk\delta _\beta } \times \{-1,0,1\}^{(\overline{m}\delta _\beta + \ell )2n}$, and associate every element $\phi = (\mathbf {b}, \mathbf {e}, \mathbf {f}) \in \mathcal {S}$ with permutation $\varGamma _\phi $ that acts as follows. When applied to vector $\mathbf {v}^\star = (\mathbf {v}_1^\star \Vert \mathbf {v}_2^\star ) \in \mathbb {Z}^L$, where $\mathbf {v}_1^\star \in \mathbb {Z}^{L_1}$ and $\mathbf {v}_2^\star \in \mathbb {Z}^{L_2}$, it transforms $\mathbf {v}^\star $ into vector

$$ \varGamma _\phi (\mathbf {v}^\star ) = \big (\varPsi _{\mathbf {b}, \mathbf {e}}(\mathbf {v}_1^\star ) \,\, \Vert \,\, \varPi _{\mathbf {f}}(\mathbf {v}_2^\star )\big ). $$

Based on the equivalences observed in (5) and (6), it can be checked that $\mathsf {VALID}$, $\mathcal {S}$ and $\varGamma _\phi $ satisfy the conditions specified in (1). In other words, we have reduced the considered statement to an instance of the abstract protocol from Sect. 2.4.

The interactive protocol. Given the above preparations, our interactive protocol works as follows.

The public input consists of matrix $\mathbf {M}$ and vector $\mathbf {u}$, which are built from $\mathbf {A}$, ($\mathbf {A}_{[0]}, \ldots , \mathbf {A}_{[d]}$, $\mathbf {F}, \mathbf {F}_0, \mathbf {F}_1$, u), as discussed above.
The prover’s witness is vector $\mathbf {w} \in \mathsf {VALID}$, which is obtained from the original witnesses $(p, t,\mathbf {r}, \mathbf {v})$, as described above.

Both parties then run the protocol of Fig. 1. The protocol uses the KTX string commitment scheme $\mathsf {COM}$, which is statistically hiding and computationally binding under the $\mathsf {(R)SIS}$ assumption. We therefore obtain the following result, as a corollary of Theorem 1.

Theorem 2

Assume that $\mathsf {COM}$ is a statistically hiding and computationally binding string commitment scheme. Then the protocol described above is a statistical $\mathsf {ZKAoK}$ of a valid message-signature pair for the Ducas-Micciancio signature scheme, with perfect completeness, soundness error 2/3 and communication cost $\widetilde{\mathcal {O}}(\lambda )$.

Proof

For simulation, we simply run the simulator of Theorem 1. As for extraction, we invoke the knowledge extractor of Theorem 1 to obtain a vector $\mathbf {w}' \in \mathsf {VALID}$ such that $\mathbf {M}\cdot \mathbf {w}' = \mathbf {u} \bmod q$. Then, by “backtracking” the transformations being done, we can extract from $\mathbf {w}'$ a satisfying witness $(p', t',\mathbf {r}', \mathbf {v}')$ for the considered statement.

The perfect completeness, soundness error and communication cost of the protocol directly follow from those of the abstract protocol in Sect. 2.4. In particular, the communication cost is:

$$ \mathcal {O}(L \cdot \log q) = \mathcal {O}\big ((k\delta _\beta + 2c_d k \delta _\beta )3n\cdot \log q + (\overline{m}\delta _\beta + \ell )6n\cdot \log q\big ) = {\mathcal {O}}(n \cdot \log ^4 n) \!=\! \widetilde{\mathcal {O}}(\lambda ), $$

for the setting of parameters for the Ducas-Micciancio signature in Sect. 2.3. $\square $

4 Constant-Size Group Signatures from Lattices

In Sect. 4.1, we recall the syntax, correctness and security requirements of the (partially) dynamic group signatures, as in the model of Bellare et al. [5]. In Sect. 4.2, we describe our main zero-knowledge argument, which will be used as a building block in our group signature scheme constructed in Sect. 4.3.

4.1 Dynamic Group Signatures

In this section, we recall the syntax, correctness and security definitions of the (partially) dynamic group signatures, as put forward by Bellare et al. [5]. A dynamic group signature scheme involves a trusted party who generates the initial keys, an authority named issuer, an authority named opener and a set of users who are potential group members. The scheme consists of the following polynomial-time algorithms.

$\mathsf {GKg}(\lambda )$::: Given the security parameter $\lambda $, the trusted party runs this algorithm to generate a triple $(\mathsf {gpk},\mathsf {ik},\mathsf {ok})$. The issue key $\mathsf {ik}$ is given to the issuer, the opening key $\mathsf {ok}$ is given to the opener and the group public key $\mathsf {gpk}$ is made public.
$\mathsf {UKg}(\lambda )$::: A user who intends to be a group member runs this algorithm to obtain a personal key pair $(\mathsf {upk},\mathsf {usk})$. It is assumed that $\mathsf {upk}$ is public.
$\langle \mathsf {Join},\mathsf {Iss}\rangle $::: This is an interactive protocol run by the issuer and a user. If it completes successfully, the issuer registers this user to the group and this user becomes a group member. The final state of the $\mathsf {Join}$ is the secret signing key $\mathsf {gsk}_i$ while the final state of the $\mathsf {Iss}$ is the registration information $\mathbf {reg}[i]$ stored in the registration table $\mathbf {reg}$.
$\mathsf {Sign}(\mathsf {gpk},\mathsf {gsk}_i,M)$::: A group member, using his group signing key $\mathsf {gsk}_i$, runs this algorithm to obtain a signature $\varSigma $ on message M.
$\mathsf {Verify}(\mathsf {gpk},M,\varSigma )$::: This algorithm outputs 1/0 indicating whether or not $\varSigma $ is a valid signature on message M, with respect to the group public key $\mathsf {gpk}$.
$\mathsf {Open}(\mathsf {gpk},\mathsf {ok},\mathbf {reg},M,\varSigma )$::: Given $\mathsf {gpk}$, a message-signature pair $(M,\varSigma )$ and $\mathsf {ok}$, the opener, who has read-access to the registration table $\mathbf {reg}$, runs this algorithm to obtain a pair $(i,\varPi _{\mathsf {open}})$, where $i\in \mathbb {N}\cup \{\bot \}$. In case $i=\bot $, $\varPi _{\mathsf {open}}=\bot $.
$\mathsf {Judge}(\mathsf {gpk}, M, \varSigma , i,\mathsf {upk}_i,\varPi _{\mathsf {open}})$::: This algorithm outputs 1/0 to check whether or not $\varPi _{\mathsf {open}}$ is a proof that i produced $\varSigma $, with respect to the group public key $\mathsf {gpk}$ and message M.

Now we recall the correctness and security definitions of dynamic group signatures below.

Correctness requires that for any signature generated by honest group members, the following should hold: the signature should be valid; the opening algorithm, given the message and signature, should correctly identify the signer; the proof returned by the opening algorithm should be accepted by the judge.

Full Anonymity requires that it is infeasible to recover the identity of a signer from a signature, even if the adversary is given access to the opening oracle. As pointed out by [4, 5], it is sufficient that the adversary is unable to distinguish which of two signers of its choice signed a targeted message of its choice.

Traceability requires that every valid signature should be traced to some group member and the opener is able to generate a proof accepted by the judge.

Non-frameability requires that the adversary is unable to generate a proof, which is accepted by the judge, that an honest user generated a valid signature unless this user really did generate this signature.

Formal definitions of correctness and security requirements are available in the full version.

4.2 The Underlying Zero-Knowledge Argument System

Before describing our group signature scheme in Sect. 4.3, let us first present the statistical ZKAoK that will be invoked by the signer when generating group signatures. The protocol is an extension of the one for the Ducas-Micciancio signature from Sect. 3.2, for which the prover additionally convinces the verifier of the following two facts.

1.
He knows a secret key $\mathbf {x} \in R^m$ corresponding to the public key $p \in R_q$, which satisfies $\Vert \mathbf {x}\Vert _\infty \le 1$ and $\mathbf {B}\cdot \mathbf {x} = p$. Here, $\mathbf {B} \in R_q^{1 \times m}$ is a public matrix.
2.
He has correctly encrypted the vector $\mathsf {rdec}(p) \in R^\ell $ to a given ciphertext $(\mathbf {c}_{1,1}, \,\, \mathbf {c}_{1,2}, \,\, \mathbf {c}_{2,1}, \,\, \mathbf {c}_{2,2})\in (R_q^{\ell })^4$, under public key $(\mathbf {a}, \mathbf {b}_1, \mathbf {b}_2) \in (R_q^\ell )^3$. To this end, he proves that equations
$$\begin{aligned} \mathbf {c}_{i,1}=\mathbf {a}\cdot g_i+\mathbf {e}_{i,1}, \,\,\,\, \mathbf {c}_{i,2}=\mathbf {b}_{i}\cdot g_i+\mathbf {e}_{i,2}+\lfloor q/4\rfloor \cdot \mathsf {rdec}(p), \end{aligned}$$
(10)
hold for B-bounded randomness $g_1, g_2\in R$, and $\mathbf {e}_{1,1},\mathbf {e}_{2,1},\mathbf {e}_{1,2},\mathbf {e}_{2,2} \in R^{\ell }$.

As the transformations for the “Ducas-Micciancio layer” have been established in Sect. 3.2, in the following, we only specify the transformations with respect to the newly appeared relations.

We will first apply the decomposition techniques in Sect. 2.2 to the secret objects.

Let $\mathbf {x}^\star =\tau (\mathbf {x})\in \{-1,0,1\}^{nm}$.
For $i\in \{1,2\}$, compute $\mathbf {g}_i^\star =\tau (\mathsf {rdec}_B(g_i))\in \{-1,0,1\}^{n\delta _B}$.
For $i\in \{1,2\}$, compute $\mathbf {e}_{i,1}^\star =\tau (\mathsf {rdec}_B(\mathbf {e}_{i,1}))$ and $\mathbf {e}_{i,2}^\star =\tau (\mathsf {rdec}_B(\mathbf {e}_{i,2}))$. Note that they are vectors in $\{-1,0,1\}^{n\ell \delta _B}$.

Then the equation $\mathbf {B} \cdot \mathbf {x} = p$ can be translated as

$$\begin{aligned}{}[\mathsf {rot}(\mathbf {B})]\cdot \mathbf {x}^\star -[\mathbf {H}]\cdot \tau (\mathsf {rdec}(p))=\mathbf {0}^{n} \bmod q. \end{aligned}$$

(11)

Meanwhile, let $\mathbf {a} = (a_1, \ldots , a_\ell )^\top $, $\{\mathbf {b}_i = (b_{i,1}, \ldots , b_{i, \ell })^\top \}_{i=1,2}$, then Eq. (10) can be rewritten as, for $i =1, 2$,

$$\begin{aligned} \left[ \begin{array}{c} \mathsf {rot}(a_1)\cdot \mathbf {H}_B \\ \vdots \\ \mathsf {rot}(a_\ell ) \cdot \mathbf {H}_B \\ \end{array} \right] \cdot \mathbf {g}_i^\star + [\mathbf {H}_{\ell ,B}]\cdot \mathbf {e}_{i,1}^\star =\tau (\mathbf {c}_{i,1})\bmod q; \end{aligned}$$

(12)

$$\begin{aligned} \left[ \begin{array}{c} \mathsf {rot}(b_{i,1})\cdot \mathbf {H}_B \\ \vdots \\ \mathsf {rot}(b_{i,\ell }) \cdot \mathbf {H}_B \\ \end{array} \right] \cdot \mathbf {g}_i^\star + [\mathbf {H}_{\ell ,B}]\cdot \mathbf {e}_{i,2}^\star + \lfloor q/4\rfloor \cdot \tau (\mathsf {rdec}(p))=\tau (\mathbf {c}_{i,2})\bmod q. \end{aligned}$$

(13)

Before proceeding further, let us recall that, in the protocol for the Ducas-Micciancio signature from Sect. 3.2, at the end of the Decomposing-Unifying step, we did combine the secret objects into vectors $\mathbf {w}_1, \mathbf {w}_2$ of the form:

$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {w}_1 = (\mathbf {z}^\star \Vert \,\, t_0 \cdot \mathbf {z}^\star \,\, \Vert \,\, \ldots \,\, \Vert \,\, t_{c_d-1}\cdot \mathbf {z}^\star ) \in \{-1,0,1\}^{(k\delta _\beta + c_d k\delta _\beta )n}; \\ \mathbf {w}_2 = (\mathbf {s}^\star \,\, \Vert \,\, \mathbf {r}^\star \,\, \Vert \,\, \tau (\mathbf {y}) \,\, \Vert \,\, \tau (\mathsf {rdec}(p))) \in \{-1,0,1\}^{(\overline{m}\delta _\beta + \ell )2n}. \end{array}\right. } \end{aligned}$$

Since vector $\tau (\mathsf {rdec}(p))$ has been counted as a block of vector $\mathbf {w}_2$, we now combine the newly appeared secret vectors in Eqs. (11), (12) and (13) into vector

$$\begin{aligned} \mathbf {w}_3 = \big ( \,\, \mathbf {x}^\star \,\, \Vert \,\, \mathbf {g}_1^\star \,\, \Vert \,\, \mathbf {g}_2^\star \,\, \Vert \,\, \mathbf {e}_{1,1}^\star \,\, \Vert \,\, \mathbf {e}_{1,2}^\star \,\, \Vert \,\, \mathbf {e}_{2,1}^\star \,\, \Vert \,\, \mathbf {e}_{2,2}^\star \,\, \big ) \in \{-1,0,1\}^{nm + 2n\delta _B+ 4n\ell \delta _B}, \end{aligned}$$

and let $\mathbf {w}_4 = (\mathbf {w}_2 \Vert \mathbf {w}_3) \in \{-1,0,1\}^{L_4'}$, for $L_4' = (\overline{m}\delta _\beta + \ell )2n + nm + 2n\delta _B + 4n\ell \delta _B$.

Next, we extend $\mathbf {w}_4$ to vector $\mathbf {w}'_4= \mathsf {enc}(\mathbf {w}_4) \in \{-1, 0,1\}^{L_4}$, where $L_4 = 3 L_4'$, and form the vector

$$ \widetilde{\mathbf {w}} = \big (\mathbf {w}'_1 \Vert \mathbf {w}'_4 \big ) \in \{-1,0,1\}^{\widetilde{L}}, $$

where $\mathbf {w}'_1 = \mathsf {mix}\big (t, \mathbf {z}^\star \big ) \in \{-1,0,1\}^{L_1}$ is the “mixing vector” obtained in (9), and $\widetilde{L} = L_1 + L_4$.

We remark that, by suitably concatenating/extending the matrices and vectors derived from the public input, we can obtain public matrix $\widetilde{\mathbf {M}}$ and public vector $\widetilde{\mathbf {u}}$ such that $\widetilde{\mathbf {M}}\cdot \widetilde{\mathbf {w}} = \widetilde{\mathbf {u}} \bmod q.$ Having obtained this desired equation, we now proceed as in Sect. 3.2.

Define $\widetilde{\mathsf {VALID}}$ as the set of all vectors $\mathbf {v}' = (\mathbf {v}'_1 \Vert \mathbf {v}'_4) \in \{-1,0,1\}^{\widetilde{L}}$, satisfying the following:

There exist $t \in \{0,1\}^{c_d}$ and $\mathbf {z}^\star \in \{-1,0,1\}^{nk\delta _\beta }$ such that $\mathbf {v}'_1 = \mathsf {mix}(t, \mathbf {z}^\star )$.
There exists $\mathbf {w}_4 \in \{-1,0,1\}^{L'_4}$ such that $\mathbf {v}'_4 = \mathsf {enc}(\mathbf {w}_4)$.

It can be seen that vector $\widetilde{\mathbf {w}}$ belongs to $\widetilde{\mathsf {VALID}}$.

Now, let $\widetilde{\mathcal {S}} = \{0,1\}^{c_d} \times \{-1,0,1\}^{nk\delta _\beta } \times \{-1,0,1\}^{L'_4}$, and associate every element $\phi = (\mathbf {b}, \mathbf {e}, \mathbf {f}) \in \mathcal {S}$ with permutation $\widetilde{\varGamma }_\phi $ that acts as follows. When applied to vector $\mathbf {v}^\star = (\mathbf {v}_1^\star \Vert \mathbf {v}_4^\star ) \in \mathbb {Z}^{\widetilde{L}}$, where $\mathbf {v}_1^\star \in \mathbb {Z}^{L_1}$ and $\mathbf {v}_2^\star \in \mathbb {Z}^{L_4}$, it transforms $\mathbf {v}^\star $ into vector

$$ \widetilde{\varGamma }_\phi (\mathbf {v}^\star ) = \big (\varPsi _{\mathbf {b}, \mathbf {e}}(\mathbf {v}_1^\star ) \Vert \varPi _{\mathbf {f}}(\mathbf {v}_4^\star )\big ). $$

Based on the equivalences observed in (5) and (6), it can be checked that $\widetilde{\mathsf {VALID}}$, $\widetilde{\mathcal {S}}$ and $\widetilde{\varGamma }_\phi $ satisfy the conditions specified in (1). In other words, we have reduced the considered statement to an instance of the abstract protocol from Sect. 2.4.

The interactive protocol. Given the above preparations, our interactive protocol works as follows.

The public input consists of matrix $\widetilde{\mathbf {M}}$ and vector $\widetilde{\mathbf {u}}$, which are built from $\mathbf {A}$, ($\mathbf {A}_{[0]}, \ldots , \mathbf {A}_{[d]}$, $\mathbf {F}, \mathbf {F}_0, \mathbf {F}_1$, u), and $\mathbf {B}$, $\mathbf {c}_{1,1},\mathbf {c}_{1,2},\mathbf {c}_{2,1},\mathbf {c}_{2,2}$, $\mathbf {a}, \mathbf {b}_1, \mathbf {b}_2$, as discussed in Sect. 3.2 and above.
The prover’s witness is vector $\widetilde{\mathbf {w}} \in \widetilde{\mathsf {VALID}}$, which is obtained from the original witnesses $(p, t,\mathbf {r}, \mathbf {v}, \mathbf {x}, g_1, g_2,\mathbf {e}_{1,1},\mathbf {e}_{2,1},\mathbf {e}_{1,2},\mathbf {e}_{2,2})$, as described in Sect. 3.2 and above.

Both parties then run the protocol of Fig. 1. The protocol uses the KTX string commitment scheme $\mathsf {COM}$, which is statistically hiding and computationally binding under the $\mathsf {(R)SIS}$ assumption. We therefore obtain the following result, as a corollary of Theorem 1.

Theorem 3

Assume that $\mathsf {COM}$ is a statistically hiding and computationally binding string commitment scheme. Then the protocol described above is a statistical $\mathsf {ZKAoK}$ for the considered statement, with perfect completeness, soundness error $2$ $/$ $3$ and communication cost $\widetilde{\mathcal {O}}(\lambda )$.

Proof

For simulation, we simply run the simulator of Theorem 1. As for extraction, we invoke the knowledge extractor of Theorem 1 to obtain a vector $\widetilde{\mathbf {w}}' \in \widetilde{\mathsf {VALID}}$ such that $\widetilde{\mathbf {M}}\cdot \widetilde{\mathbf {w}}' = \widetilde{\mathbf {u}} \bmod q$. Then, by “backtracking” all the transformations being done, we can extract from vector $\widetilde{\mathbf {w}}'$ a satisfying witness $(p', t',\mathbf {r}', \mathbf {v}', \mathbf {x}', g'_1, g'_2,\mathbf {e}'_{1,1},\mathbf {e}'_{2,1},\mathbf {e}'_{1,2},\mathbf {e}'_{2,2})$ for the considered statement.

The perfect completeness, soundness error and communication cost of the protocol directly follow from those of the abstract protocol in Sect. 2.4. In particular, the communication cost is:

$$ \mathcal {O}(\widetilde{L} \cdot \log q) = \mathcal {O}\big ((k\delta _\beta + c_d k \delta _\beta )n\cdot \log q + ((\overline{m}\delta _\beta + \ell )n + nm +n\delta _B+ n\ell \delta _B)\cdot \log q\big ), $$

which is of order ${\mathcal {O}}(n \cdot \log ^4 n) = \widetilde{\mathcal {O}}(\lambda )$, for the setting of parameters we use in the group signature scheme of Sect. 4.3. $\square $

4.3 Description of Our Scheme

In the description below, the Ducas-Micciancio signature scheme [20, 21] as described in Sect. 2.3 is used to design a group signature scheme for (partially) dynamic groups. Group public key consists of three parts: (i) a verification key from the Ducas-Micciancio signature scheme, (ii) two public keys of an extended version of LPR encryption scheme [47] and (iii) a public matrix $\mathbf {B}$ for users to generate their short secret vectors together with public syndromes as user key pairs. The issue key is the corresponding signing key of the verification key while the opening key is any one of the corresponding secret keys of the two public keys.

When a user joins the group, it first generates a short vector together with a public syndrome using matrix $\mathbf {B}$. It then interacts with the issuer. The issuer signs the public syndrome of this user using the issue key. If the interaction completes successfully, the user obtains a signature on his syndrome from the issuer while the issuer registers this user to the group.

Once registered as a group member, the user can sign messages on behalf of the group. When signing a message, it first encrypts the public syndrome twice using the two public keys. The user then generates a $\mathsf {ZKAoK}$ of his syndrome, of the signature on the syndrome obtained from the issuer, of the short vector corresponding to his syndrome and of randomness used in the encryptions of the syndrome. This $\mathsf {ZKAoK}$ protocol is repeated $\kappa =\omega (\log \lambda )$ times to achieve negligible soundness error and made non-interactive via Fiat-Shamir transform [22]. The signature then consists of the $\mathsf {NIZKAoK}$ $\varPi _{\mathsf {gs}}$ and the two ciphertexts of the syndrome. Note that the $\mathsf {ZK}$ argument together with double encryption enables CCA-security of the underlying encryption scheme, which is known as the Naor-Yung transformation [51]. This enables full anonymity of our group signature scheme.

When one needs to know the validity of a signature, one simply verifies $\varPi _{\mathsf {gs}}$. In case of dispute, the opener can decrypt the syndrome using his opening key. To prevent corrupted opening, the opener is required to generate a $\mathsf {NIZKAoK}$ of correct opening $\varPi _{\mathsf {open}}$. Only when $\varPi _{\mathsf {open}}$ is a valid proof, will the judger accept the opening result. Details of the scheme are described below.

$\mathsf {GKg}(\lambda )$ : Given the security parameter $\lambda $, the trusted party proceeds as follows.
- Choose parameter $n=\mathcal {O}(\lambda )$ being a power of 2, and modulus $q=\widetilde{\mathcal {O}}(n^4)$, where $q=3^k$ for some positive integer k. Let $R=\mathbb {Z}[X]/(X^n+1)$ and $R_q=R/qR$.
  
  Also, let $\ell =\lfloor \log \frac{q-1}{2}\rfloor +1$, $m\ge 2\lceil \log q\rceil +2$, and $\overline{m} = m + k$.
- Choose integer d and sequence $c_0,\ldots ,c_d$ as described in Sect. 2.3.
- Choose integer bounds $\beta =\widetilde{\mathcal {O}}(n)$, $B=\widetilde{\mathcal {O}}(n^{5/4})$, and let $\chi $ be a B-bounded distribution over R.
- Let $\mathcal {H}_{\mathsf {FS}}:\{0,1\}^*\rightarrow \{1,2,3\}^{\kappa }$, where $\kappa =\omega (\log \lambda )$, be a collision-resistant hash function, to be modelled as a random oracle in the Fiat-Shamir transformations [22].
- Let $\mathsf {COM}$ be the statistically hiding and computationally binding commitment scheme from [30], to be used in our zero-knowledge argument systems.
- Draw a uniformly random matrix $\mathbf {B} \in R_q^{1 \times m}$.
- Generate verification key
  $$ \mathbf {A}, \mathbf {F}_0 \in R_q^{1 \times \overline{m}}; \mathbf {A}_{[0]}, \ldots , \mathbf {A}_{[d]} \in R_q^{1 \times k}; \mathbf {F}, \mathbf {F}_1 \in R_q^{1 \times \ell }; \,\, u \in R_q $$
  and signing key $\mathbf {R}\in R_q^{m\times k}$ for the Ducas-Micciancio signature scheme, as described in Sect. 2.3.
- Initialize the Naor-Yung double-encryption mechanism [51] with an extended version of the LPR encryption scheme [47] that allows to encrypt $\{-1,0,1\}$ ring vectors of length $\ell $. Specifically, sample $s_1,s_2 \hookleftarrow \chi $, $\mathbf {e}_1,\mathbf {e}_2 \hookleftarrow \chi ^{\ell }$, $\mathbf {a}\xleftarrow {\$} R_q^{\ell }$, and compute
  $$\begin{aligned} \mathbf {b}_1=\mathbf {a}\cdot s_1+\mathbf {e}_1\in R_q^{\ell }; \,\, \mathbf {b}_2=\mathbf {a}\cdot s_2+\mathbf {e}_2\in R_q^{\ell }. \end{aligned}$$
Set the public parameter $\mathsf {pp}$, the group public key $\mathsf {gpk}$, the issue key $\mathsf {ik}$ and the opening key $\mathsf {ok}$ as follows:
$$\begin{aligned} \mathsf {pp}=\{n,q,k,R,R_q,\ell ,m,\overline{m},\chi , d,c_0,\dots ,c_d, B, \beta , \kappa , \mathcal {H}_{\mathsf {FS}},\mathsf {COM},\mathbf {B}\}, \end{aligned}$$

$$\begin{aligned} \mathsf {gpk}=\{\mathsf {pp},\mathbf {A},\{\mathbf {A}_{[j]}\}_{j=0}^{d}, \mathbf {F},\mathbf {F}_0,\mathbf {F}_1,u, \mathbf {a},\mathbf {b}_1,\mathbf {b}_2\}, \end{aligned}$$

$$\begin{aligned} \mathsf {ik}=\mathbf {R},~\mathsf {ok}=(s_1,\mathbf {e}_1). \end{aligned}$$
The trusted party then makes $\mathsf {gpk}$ public and sends $\mathsf {ik}$ to the issuer and $\mathsf {ok}$ to the opener.

Assume that after receiving $\mathsf {ik}$ from the trusted party, the issuer initializes his internal state $S=0$ and the registration table $\mathbf {reg}$.
$\mathsf {UKg}(\mathsf {gpk})$ : The user samples $\mathbf {x} \in R^m$, whose coefficients are uniformly random in the set $\{-1,0,1\}$. Then he computes $p=\mathbf {B}\cdot \mathbf {x}\in R_q$. Set $\mathsf {upk} = p$ and $\mathsf {usk}=\mathbf {x}$.
$\langle \mathsf {Join},\mathsf {Iss}\rangle $ : When receiving the joining request from a user with public key $\mathsf {upk}=p$, the issuer verifies that $\mathsf {upk}$ was not previously used by a registered user, and aborts if this is not the case. Otherwise, he proceeds as follows.
- Set the tag $t=(t_0,t_1\ldots , t_{c_d-1})^\top \in \mathcal {T}_d$, where $S=\sum _{j=0}^{c_d-1} 2^j\cdot t_j$, and compute $\mathbf {A}_{t} = [\mathbf {A}|\mathbf {A}_{[0]}+\sum _{i=1}^{d}t_{[i]}\mathbf {A}_{[i]}] \in R_q^{1\times (\overline{m} + k)}$.
- Using the signing key $\mathbf {R}$, generate a Ducas-Micciancio signature $(t,\mathbf {r},\mathbf {v})$ on message $\mathsf {rdec}(p) \in R^\ell $ - whose coefficients are in $\{-1,0,1\}$. As described in Sect. 2.3, one has $\mathbf {r} \in R^{\overline{m}}$, $\mathbf {v} \in R^{\overline{m} + k}$ and
  $$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {A}_t\cdot \mathbf {v}=\mathbf {F}\cdot \mathsf {rdec}(\mathbf {F}_0\cdot \mathbf {r}+\mathbf {F}_1\cdot \mathsf {rdec}(p))+u,\\ \Vert \mathbf {r}\Vert _{\infty }\le \beta ,~\Vert \mathbf {v}\Vert _{\infty }\le \beta . \end{array}\right. } \end{aligned}$$
  (14)
The issuer then sends the triple $(t, \mathbf {r},\mathbf {v})$ to the user. The latter sets his group signing key as $\mathsf {gsk}=(t, \mathbf {r},\mathbf {v},\mathbf {x})$ while the former stores $\mathbf {reg}[S]=p$ and updates S to $S+1$.
$\mathsf {Sign}(\mathsf {gpk},\mathsf {gsk}_i,M)$ : To sign a message $M \in \{0,1\}^*$ using $\mathsf {gsk}=(t,\mathbf {r},\mathbf {v},\mathbf {x})$, the group member who has public key $p \in R_q$ proceeds as follows.
- Encrypt the ring vector $\mathsf {rdec}(p)\in R_q^{\ell }$ with coefficients in $\{-1,0,1\}$ twice. Namely, for each $i\in \{1,2\}$, sample $g_i \hookleftarrow \chi $, $\mathbf {e}_{i,1}\hookleftarrow \chi ^{\ell }$, and $\mathbf {e}_{i,2}\hookleftarrow \chi ^{\ell }$ and compute
  $$\begin{aligned} \mathbf {c}_i&=(\mathbf {c}_{i,1},\mathbf {c}_{i,2})\\&=\big (\mathbf {a}\cdot g_i+\mathbf {e}_{i,1}, \mathbf {b}_{i}\cdot g_i+\mathbf {e}_{i,2}+\lfloor q/4\rfloor \cdot \mathsf {rdec}(p)\big )\in R_q^{\ell }\times R_q^{\ell }. \end{aligned}$$
- Generate a $\mathsf {NIZKAoK}$ $\varPi _{\mathsf {gs}}$ to demonstrate the possession of a valid tuple
  $$\begin{aligned} \zeta =(t,\mathbf {r},\mathbf {v},\mathbf {x}, p, g_1,g_2,\mathbf {e}_{1,1},\mathbf {e}_{2,1},\mathbf {e}_{1,2},\mathbf {e}_{2,2}) \end{aligned}$$
  (15)
  such that
  1. (i)
    The conditions from (14) hold.
  2. (ii)
    $\mathbf {c}_1$ and $\mathbf {c}_2$ are both correct encryptions of $\mathsf {rdec}(p)$ with B-bounded randomness $g_1,\mathbf {e}_{1,1},\mathbf {e}_{1,2}$ and $g_2,\mathbf {e}_{2,1},\mathbf {e}_{2,2}$, respectively.
  3. (iii)
    $\Vert \mathbf {x}\Vert _\infty \le 1$ and $\mathbf {B}\cdot \mathbf {x}=p$.
  This is done by running the argument system described in Sect. 4.2. The protocol is an extension of the one for the Ducas-Micciancio signature from Sect. 3.2, in which the prover additionally proves statements (ii) and (iii). The protocol is repeated $\kappa =\omega (\log \lambda )$ times to achieve negligible soundness error and made non-interactive via Fiat-Shamir heuristic [22] as a triple $\varPi _{\mathsf {gs}}=(\{\mathrm {CMT}_i\}_{i=1}^{\kappa },\mathrm {CH},\{\mathrm {RSP}_i\}_{i=1}^{\kappa })$ where $\mathrm {CH}=\mathcal {H}_{\mathsf {FS}}(M,\{\mathrm {CMT}_i\}_{i=1}^{\kappa },\xi )$ with
  $$\begin{aligned} \xi =(\mathbf {A},\mathbf {A}_{[0]},\ldots ,\mathbf {A}_{[d]},\mathbf {F},\mathbf {F}_0,\mathbf {F}_1,u,\mathbf {B},\mathbf {a},\mathbf {b}_1,\mathbf {b}_2,\mathbf {c}_1,\mathbf {c}_2) \end{aligned}$$
  (16)
- Output the group signature $\varPi =(\varPi _{\mathsf {gs}},\mathbf {c}_1,\mathbf {c}_2)$.
$\mathsf {Verify}(\mathsf {gpk},M,\varSigma )$ : Given the inputs, this algorithm proceeds as follows.
1. 1.
  Parse $\varSigma $ as $\varSigma = \big (\{\mathrm {CMT}_i\}_{i=1}^\kappa , (Ch_1, \ldots , Ch_\kappa ), \{\mathrm {RSP}\}_{i=1}^\kappa , \mathbf {c}_1, \mathbf {c}_2\big )$. If $(Ch_1, \ldots , Ch_\kappa ) \ne \mathcal {H}_{\mathsf {FS}}\big (M, \{\mathrm {CMT}_i\}_{i=1}^\kappa , \xi \big )$, then return 0, where $\xi $ is as in (16).
2. 2.
  For each $i \in [\kappa ]$, run the verification phase of the protocol in Sect. 4.2 to check the validity of $\mathrm {RSP}_i$ with respect to $\mathrm {CMT}_i$ and $Ch_i$. If any of the conditions does not hold, then return 0.
3. 3.
  Return 1.
$\mathsf {Open}(\mathsf {gpk},\mathsf {ok},\mathbf {reg},M,\varSigma )$ : Let $\mathsf {ok}=(s_1,\mathbf {e}_1)$ and $\varSigma =(\varPi _{\mathsf {gs}},\mathbf {c}_1,\mathbf {c}_2)$. This algorithm then does the following.
1. 1.
  Use $s_1$ to decrypt $\mathbf {c}_1=(\mathbf {c}_{1,1},\mathbf {c}_{1,2})$ as follows.
  1. (a)
    It computes
    $$\begin{aligned} \mathbf {p''}=\frac{\mathbf {c}_{1,2}-\mathbf {c}_{1,1}\cdot s_1}{\lfloor q/4\rfloor }. \end{aligned}$$
  2. (b)
    For each coefficient of $\mathbf {p''}$,
    - if it is closer to 0 than to $-1$ and 1, then round it to 0;
    - if it is closer to $-1$ than to 0 and 1, then round it to $-1$;
    - if it is closer to 1 than to 0 and $-1$, then round it to 1.
  3. (c)
    Denote the rounded $\mathbf {p''}$ as $\mathbf {p'}\in R_q^{\ell }$ with coefficients in $\{-1,0,1\}$.
  4. (d)
    Let $p'\in R_q$ such that $\tau (p')=\mathbf {H}\cdot \tau (\mathbf {p'})$. Recall that $\mathbf {H}\in \mathbb {Z}_q^{n\times n\ell }$ is the decomposition matrix for elements of $R_q$ (see Sect. 2.2).
2. 2.
  If $\mathbf {reg}$ does not include an entry $p'$, then return $(\bot ,\bot )$.
3. 3.
  Otherwise, generate a $\mathsf {NIZKAoK}$ $\varPi _{\mathsf {open}}$ to demonstrate the possession of a tuple $(s_1,\mathbf {e}_1,\mathbf {y})\in R_q\times R_q^{\ell }\times R_q^{\ell }$
  $$\begin{aligned} {\left\{ \begin{array}{ll} \Vert s_1 \Vert _\infty \le B; \Vert \mathbf {e}_1 \Vert _\infty \le B; \Vert \mathbf {y}\Vert _\infty \le \lceil q/10 \rceil ; \\ \mathbf {a} \cdot s_1 + \mathbf {e}_1 = \mathbf {b}_1; \\ \mathbf {c}_{1,2} - \mathbf {c}_{1,1}\cdot s_1 = \mathbf {y} + \lfloor q/4 \rfloor \cdot \mathsf {rdec}(p'). \end{array}\right. } \end{aligned}$$
  (17)
  We remark that conditions in (17) involve only linear secret objects with bounded norms, and can be handled using the Stern-like techniques from Sects. 3.2 and 4.2. As a result, we can obtain a statistical ZKAoK for the considered statement. The protocol is repeated $\kappa = \omega (\log \lambda )$ times to achieve negligible soundness error and made non-interactive via the Fiat-Shamir heuristic as a triple $\varPi _{\mathsf {Open}}= (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathrm {CH}, \{\mathrm {RSP}\}_{i=1}^\kappa )$, where
  $$\begin{aligned} \mathrm {CH} = \mathcal {H}_{\mathsf {FS}}\big (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathbf {a},\mathbf {b}_1, M, \varSigma , p'\big ) \in \{1,2,3\}^\kappa . \end{aligned}$$
  (18)
4. 4.
  Output $(p', \varPi _{\mathsf {Open}})$.
$\mathsf {Judge}(\mathsf {gpk}, M, \varSigma , p',\varPi _{\mathsf {open}})$ : If $\mathsf {Verify}$ algorithm outputs 0, then this algorithm returns 0. Otherwise, this algorithm then verifies the argument $\varPi _{\mathsf {Open}}$ w.r.t. common input $(\mathbf {a}, \mathbf {b}_1, M, \varSigma , p')$, in a similar manner as in algorithm $\mathsf {Verify}$. If $\varPi _{\mathsf {open}}$ does not verify, then return 0; otherwise, return 1.

4.4 Analysis of the Scheme

Efficiency. We first analyze the efficiency of the scheme described in Sect. 4.3, with respect to security parameter $\lambda $.

The public key $\mathsf {gpk}$ has bit-size $\mathcal {O}(\lambda \cdot \log ^2 \lambda )=\widetilde{\mathcal {O}}(\lambda )$.
The signing key $\mathsf {gsk}_i$ has bit-size $\mathcal {O}(\lambda \cdot \log ^2 \lambda )=\widetilde{\mathcal {O}}(\lambda )$.
The size of a signature $\varSigma $ is dominated by that of the Stern-like NIZKAoK $\varPi _{\mathsf { gs}}$, which is $\mathcal {O}(\widetilde{L}\cdot \log q)\cdot \omega (\log \lambda )$, where $\widetilde{L}$ denotes the bit-size of a vector $\widetilde{\mathbf {w}}\in \widetilde{\mathsf {VALID}}$ as described in Sect. 4.2. Recall $\mathcal {O}(\widetilde{L}\cdot \log q)=\mathcal {O}(\lambda \cdot \log ^4\lambda )$. As a result, $\varSigma $ has bit-size $\mathcal {O}(\lambda \cdot \log ^4 \lambda ) \cdot \omega (\log \lambda )=\widetilde{\mathcal {O}}(\lambda )$.
The Stern-like NIZKAoK $\varPi _{\mathsf {open}}$ has bit-size $\mathcal {O}(\lambda \cdot \log ^3 \lambda )\cdot \omega (\log \lambda )=\widetilde{\mathcal {O}}(\lambda )$.

Correctness. The correctness of the above group signature scheme relies on the following facts: (i) the underlying argument systems to generate $\varPi _{\mathsf {gs}}$ and $\varPi _{\mathsf {open}}$ are perfectly complete; (ii) the underlying encryption scheme, which is an extended version of LPR encryption scheme [47] is correct.

Specifically, for an honest user, when he signs a message on behalf of the group, he is able to demonstrate the possession of a valid tuple $\zeta $ of the form (15). With probability 1, $\varPi _{\mathsf {gs}}$ is accepted by the $\mathsf {Verify}$ algorithm, which is implied by the perfect completeness of the argument system to generate $\varPi _{\mathsf {gs}}$. As for the correctness of the $\mathsf {Open}$ algorithm, note that

$$\begin{aligned} \mathbf {c}_{1,1}-\mathbf {c}_{1,2}\cdot s_1&=\mathbf {b}_{1}\cdot g_1+\mathbf {e}_{1,2}+\lfloor q/4\rfloor \cdot \mathsf {rdec}(p) -(\mathbf {a}\cdot g_1+\mathbf {e}_{1,1})\cdot s_1 \\&=(\mathbf {a}\cdot s_1+\mathbf {e}_1)\cdot g_1+\mathbf {e}_{1,2}+\lfloor q/4\rfloor \cdot \mathsf {rdec}(p) -(\mathbf {a}\cdot g_1+\mathbf {e}_{1,1} )\cdot s_1\\&=\mathbf {e}_1\cdot g_1 + \mathbf {e}_{1,2}- \mathbf {e}_{1,1} \cdot s_1+\lfloor q/4\rfloor \cdot \mathsf {rdec}(p) \end{aligned}$$

where $\Vert \mathbf {e}_1\Vert _{\infty }\le B$, $\Vert s_1\Vert _{\infty }\le B$, $\Vert g_1\Vert _{\infty }\le B$, $\Vert \mathbf {e}_{1,1}\Vert _{\infty }\le B$, $\Vert \mathbf {e}_{1,2}\Vert _{\infty }\le B$. Recall $B=\widetilde{\mathcal {O}}(n^{5/4})$ and $q=\widetilde{\mathcal {O}}(n^4)$. Hence we have:

$$\begin{aligned} \Vert \mathbf {e}_1\cdot g_1 + \mathbf {e}_{1,2}- \mathbf {e}_{1,1} \cdot s_1\Vert _{\infty }\le 2n\cdot B^2+B=\widetilde{\mathcal {O}}(n^{3.5})\le \big \lceil \frac{q}{10}\big \rceil =\widetilde{\mathcal {O}}(n^4). \end{aligned}$$

With probability 1, the rounding procedure described in the $\mathsf {Open}$ algorithm recovers $\mathsf {rdec}(p)$ and hence outputs p, which is the actual signer. Thus the opener is able to identify the signer of a signature and hence correctness of the $\mathsf {Open}$ algorithm holds.

As the opener correctly recovers $\mathsf {rdec}(p)$ and p, it possesses a valid tuple $(s_1,\mathbf {e}_1,\mathbf {y})$ satisfying conditions in (17). It then follows from the perfect completeness of the argument system to generate $\varPi _{\mathsf {open}}$, the judge will accept the opening result outputted by the opener and hence correctness of the $\mathsf {Judge}$ algorithm holds.

Security. In Theorem 4, we prove that our scheme satisfies the security requirements of the Bellare et al. model [5]. For the proof of non-frameability, we will use the following simple lemma.

Lemma 2

Let $\mathbf {B}\in R_q^{1\times m}$, where $m\ge 2 \lceil \log q\rceil +2$. If $\mathbf {x}$ is a uniformly random element of $R^m$ such that $\Vert \mathbf {x}\Vert _{\infty }\le 1$, then with probability at least $1-2^{-n}$, there exists another $\mathbf {x'}\in R^m$ such that $\Vert \mathbf {x'}\Vert _{\infty }\le 1$ and $\mathbf {B}\cdot \mathbf {x}=\mathbf {B}\cdot \mathbf {x'} \in R_q$.

Proof

Note that there are in total $3^{nm}$ elements $\mathbf {x}\in R^m$ such that $\Vert \mathbf {x}\Vert _{\infty }\le 1$. Among them, there exist at most $q^n-1$ elements that do not have $\mathbf {x'}$ such that $\mathbf {B}\cdot \mathbf {x}= \mathbf {B}\cdot \mathbf {x'}$. Hence, the probability that a uniformly random $\mathbf {x}$ has a corresponding $\mathbf {x'}$ for which $\mathbf {B}\cdot \mathbf {x}= \mathbf {B}\cdot \mathbf {x'}$ is at least

$$ \frac{3^{nm}-q^n+1}{3^{nm}} = 1 - \frac{q^n-1}{3^{nm}} > 1 - \frac{q^n}{2^n q^n} = 1 - 2^{-n}. $$

$\square $

Theorem 4

Assume that the Stern-like argument systems used in Sect. 4.3 are simulation-sound. Then, in the random oracle model, the given group signature scheme satisfies full anonymity, traceability and non-frameability under the $\mathsf {RLWE}$ and $\mathsf {RSIS}$ assumptions.

In the random oracle model, the proof of Theorem 4 relies on the following facts:

1.
The Stern-like zero-knowledge argument systems being used are simulation-sound;
2.
The underlying encryption scheme, which is an extended version of the LPR encryption scheme [47], via the Naor-Yung transformation [51], is IND-CCA secure;
3.
The variant of Ducas-Micciancio signature scheme described in Sect. 2.3 with at most polynomial number of signature queries is existentially unforgeable against adaptive chosen message attacks [20, 21];
4.
For a properly generated user key pair $(\mathbf {x},p)$, it is infeasible to find $\mathbf {x}' \in R_q^m$ such that $\Vert \mathbf {x}'\Vert _\infty \le 1$, $\mathbf {x}' \ne \mathbf {x}$ and $\mathbf {B}\cdot \mathbf {x}' = p$.

The proof of Theorem 4 is established by Lemmas 3–5 given below.

Lemma 3

Assume that the $\mathsf {RLWE}_{n, \ell ,q, \chi }$ problem is hard. Then the given group signature scheme is fully anonymous in the random oracle model.

The detailed proof of Lemma 3 is available in the full version.

Lemma 4

Assume that the $\mathsf {RSIS}_{n,\overline{m},q,\widetilde{\mathcal {O}}(n^{2})}^\infty $ problem is hard. Then the given group signature scheme is traceable in the random oracle model.

Proof

We prove traceability by contradiction. Suppose that $\mathcal {A}$ succeeds with non-negligible advantage $\epsilon $. Then we build a $\mathrm {PPT}$ algorithm $\mathcal {B}$ that, with non-negligible probability, breaks the unforgeability of the Ducas-Micciancio signature scheme from Sect. 2.3, which is based on the hardness of the $\mathsf {RSIS}_{n,\overline{m},q,\widetilde{\mathcal {O}}(n^{2})}^\infty $ problem. It then follows that our construction is traceable.

When given the verification key of the Ducas-Micciancio signature scheme, the simulator $\mathcal {B}$ runs the experiment $\mathbf {Exp}_{\mathsf {GS},\mathcal {A}}^{\mathsf {trace}}(\lambda )$ faithfully. $\mathcal {B}$ can answer all oracle queries made by $\mathcal {A}$ except when $\mathcal {A}$ queries the send to issuer $\mathsf {SndToI}$ oracle or add user $\mathsf {AddU}$ oracle. However, $\mathcal {B}$ can resort to his oracle queries of the signature scheme. In these two cases, $\mathcal {B}$ enrolls the corresponding user to the group. When $\mathcal {A}$ halts, it outputs $(M^*,\varPi _{\mathsf {gs}}^*,\mathbf {c}_1^*,\mathbf {c}_2^*)$. With non-negligible probability $\epsilon $, $\mathcal {A}$ wins the experiment. Parse $\varPi _{\mathsf {gs}}^*=(\{\mathrm {CMT}_i^*\}_{i=1}^{\kappa },\mathrm {CH}^*,\{\mathrm {RSP}_i^*\}_{i=1}^{\kappa })$. Let

$$\xi ^*=(\mathbf {A},\mathbf {A}_{[0]},\ldots ,\mathbf {A}_{[d]},\mathbf {F},\mathbf {F}_0,\mathbf {F}_1,u,\mathbf {B},\mathbf {a},\mathbf {b}_1,\mathbf {b}_2,\mathbf {c}_1^*,\mathbf {c}_2^*). $$

Then $\mathrm {CH}^*=\mathcal {H}_{\mathsf {FS}}\big (M^*, \{\mathrm {CMT}_i^*\}_{i=1}^\kappa , \xi ^* \big )$ and $\mathrm {RSP}_i^*$ is a valid response w.r.t. $\mathrm {CMT}_i^*$ and $\mathrm {CH}_i^*$ for $i\in [\kappa ]$ by the fact that $\mathcal {A}$ wins and hence $(\varPi _{\mathsf {gs}}^*,\mathbf {c}_1^*,\mathbf {c}_2^*)$ is a valid signature on message $M^*$.

We claim that $\mathcal {A}$ had queried $\big (M^*, \{\mathrm {CMT}_i^*\}_{i=1}^\kappa , \xi ^* \big )$ to the hash oracle $\mathcal {H}_{\mathsf {FS}}$ with overwhelming probability. Otherwise, the probability of guessing correctly the value of $\mathcal {H}_{\mathsf {FS}}\big (M^*, \{\mathrm {CMT}_i^*\}_{i=1}^\kappa , \xi ^* \big )$ is at most $3^{-\kappa }$, which is negligible. Therefore, with probability $\epsilon '=\epsilon -3^{-\kappa }$, $\mathcal {A}$ had queried the hash oracle $\mathcal {H}_{\mathsf {FS}}$. Denote by $\theta ^*\in \{1,2,\ldots , Q_H\}$ the index of this specific query, where $Q_H$ is the total number of hash queries made by $\mathcal {A}$.

Algorithm $\mathcal {B}$ then runs at most $32 \cdot Q_H/\epsilon '$ executions of $\mathcal {A}$. For each new run, it is exactly the same as the original run until the point of $\theta ^*$-th query to the hash oracle $\mathcal {H}_{\mathsf {FS}}$. From this point on, $\mathcal {B}$ replies $\mathcal {A}$’s hash queries with uniformly random and independent values for each new run. This guarantees that the input of $\theta ^*$-th query $\mathcal {A}$ made to $\mathcal {H}_{\mathsf {FS}}$ is the tuple $\big (M^*, \{\mathrm {CMT}_i^*\}_{i=1}^\kappa , \xi ^* \big )$ for each new run while the output of this hash query is uniformly random and independent for each new run. To this point, by the forking lemma of Brickell et al. [13], with probability $\ge $1/2, $\mathcal {B}$ obtains 3-fork involving the same tuple $\big (M^*, \{\mathrm {CMT}_i^*\}_{i=1}^\kappa , \xi ^* \big )$ with pairwise distinct hash values $\mathrm {CH}_{\theta ^*}^{(1)}, \mathrm {CH}_{\theta ^*}^{(2)}, \mathrm {CH}_{\theta ^*}^{(3)}\in \{1,2,3\}^{\kappa }$ and corresponding valid responses $\mathrm {RSP}_{\theta ^*}^{(1)}$, $\mathrm {RSP}_{\theta ^*}^{(2)}$, $\mathrm {RSP}_{\theta ^*}^{(3)}$. A simple calculation shows that with probability $1-(\frac{7}{9})^{\kappa }$, we have $\{\mathsf {CH}_{\theta ^*,j}^{(1)},\mathsf {CH}_{\theta ^*,j}^{(2)},\mathsf {CH}_{\theta ^*,j}^{(3)}\}=\{1,2,3\}$ for some $j\in \{1,2,\ldots ,\kappa \}$.

Therefore, $\mathrm {RSP}_{\theta ^*,j}^{(1)}$, $\mathrm {RSP}_{\theta ^*,j}^{(2)}$, $\mathrm {RSP}_{\theta ^*,j}^{(3)}$ are 3 valid responses for all the challenges 1, 2, 3 w.r.t. the same commitment $\mathrm {CMT}_{j}^*$. Since $\mathsf {COM}$ is computationally binding, $\mathcal {B}$ is able to extract the witness

$$ t^*\in \mathcal {T}_d; \mathbf {r}^*\in R_q^{\overline{m}}; \mathbf {v}^*\in R_q^{\overline{m}+k}; \mathbf {p}^*\in R_q^{\ell }, $$

such that $\Vert \mathbf {r}^*\Vert _{\infty }\le \beta $, $\Vert \mathbf {v}^*\Vert _{\infty }\le \beta $, $\Vert \mathbf {p}^*\Vert _\infty \le 1$ and

$$\mathbf {A}_{t^*}\cdot \mathbf {v}^*=\mathbf {F}\cdot \mathsf {rdec}(\mathbf {F}_0\cdot \mathbf {r}^*+\mathbf {F}_1\cdot \mathbf {p}^*)+u,$$

and $\mathbf {c}_1^*,\mathbf {c}_2^*$ are correct encryptions of $\mathbf {p}^*$.

Since $\mathcal {A}$ wins the game, either we have (i) the $\mathsf {Open}$ algorithm outputs $(\bot ,\bot )$ or (ii) the $\mathsf {Open}$ algorithm output $({p'},\varPi _{\mathsf {open}}^*)$ with ${p'}\ne \bot $ but the $\mathsf {Judge}$ algorithm rejects the opening result.

Case (i) implies that, if $\mathbf {c}_1^*$ is decrypted to $\mathbf {p'}$ and $p'\in R_q$ such that $\tau (p')=\mathbf {H}\cdot \tau (\mathbf {p'})\in \mathbb {Z}_q^n$, then $p'$ is not in the registration table. From the extraction, we know that $\mathbf {c}_1^*$ will be decrypted to $\mathbf {p}^*$ by the correctness of our encryption scheme. Therefore, the intermediate opening result $\mathbf {p'}$ is equal to $\mathbf {p}^*$. On the other hand, the fact that $p'$ is not in the registration table implies that $\mathcal {B}$ did not enroll $p'$ to the group, that is, $\mathcal {B}$ did not query $p'$ to his challenger when $\mathcal {A}$ made the $\mathsf {AddU}$ oracle queries or $\mathsf {SndToI}$ oracle queries. To summarize, $\mathcal {B}$ did not query signature on $p'$ and $\mathcal {B}$ extracts a signature $(t^*,\mathbf {r}^*,\mathbf {v}^*)$ on $\mathbf {p}^*=\mathbf {p'}$ such that $\tau (p')=\mathbf {H}\cdot \tau (\mathbf {p'})$. Therefore $(\mathbf {p}^*, t^*,\mathbf {r}^*,\mathbf {v}^*)$ is a valid forgery of the Ducas-Micciancio signature scheme.

Case (ii) implies that, if $\mathbf {c}_1^*$ is decrypted to $\mathbf {p'}$ and $p'\in R_q$ such that $\tau (p')=\mathbf {H}\cdot \tau (\mathbf {p'})\in \mathbb {Z}_q^n$, then $p'$ is in the registration table and $\varPi _{\mathsf {open}}^*$ generated by $\mathcal {B}$ is not accepted by the $\mathsf {Judge}$ algorithm. From the extraction, we know that $\mathbf {c}_1^*$ will be decrypted to $\mathbf {p}^*$ by the correctness of our encryption scheme. Therefore, the intermediate opening result $\mathbf {p'}$ is equal to $\mathbf {p}^*$. On the other hand, we claim that $\mathsf {rdec}(p')\ne \mathbf {p'}=\mathbf {p}^*$. Otherwise, $\mathsf {rdec}(p')= \mathbf {p'}=\mathbf {p}^*$, then $\mathcal {B}$ possesses valid witness to generate the proof $\varPi _{\mathsf {open}}^*$. By the perfect completeness of the underlying argument system generating $\varPi _{\mathsf {open}}^*$, it will be accepted by the $\mathsf {judge}$ algorithm with probability 1. This is a contradiction and hence we obtain $\mathsf {rdec}(p')\ne \mathbf {p'}=\mathbf {p}^*$. Recall that in the $\langle \mathsf {Join},\mathsf {Iss}\rangle $ algorithm, the issuer only generates signature on $\mathsf {rdec}(p')$. So $\mathcal {B}$ only queries the signature on $\mathsf {rdec}(p')$ and hence $(\mathbf {p}^*, t^*,\mathbf {r}^*,\mathbf {v}^*)$ is a valid forgery of the Ducas-Micciancio signature scheme.

Therefore, with probability at least $\frac{1}{2}\cdot (\epsilon -3^{-\kappa })(1-(\frac{7}{9})^{\kappa })$, which is non-negligible, $\mathcal {B}$ breaks the unforgeability of the Ducas-Micciancio signature scheme. This concludes the proof. $\square $

Lemma 5

Assume that the $\mathsf {RSIS}_{n,m,q,1}^\infty $ problem is hard. Then the given group signature scheme is non-frameable in the random oracle model.

Proof

We prove non-frameability by contradiction. Suppose that $\mathcal {A}$ succeeds with non-negligible advantage $\epsilon $. Then we build a $\mathrm {PPT}$ algorithm $\mathcal {B}$ that solves a $\mathsf {RSIS}_{n,m,q,1}$ instance $\mathbf {B}\in R_q^{1\times m}$ with non-negligible probability.

After $\mathcal {B}$ is given a $\mathsf {RSIS}$ instance matrix $\mathbf {B}$, it runs the experiment $\mathbf {Exp}_{\mathsf {GS},\mathcal {A}}^{\mathsf {nf}}$ faithfully. $\mathcal {B}$ can answer all the oracle queries made by $\mathcal {A}$ since $\mathcal {B}$ knows all the keys. When $\mathcal {A}$ halts, it outputs $(M^*,\varPi _{\mathsf {gs}}^*,\mathbf {c}_1^*,\mathbf {c}_2^*, {p}^*,\varPi _{\mathsf {open}}^*)$. With non-negligible probability $\epsilon $, $\mathcal {A}$ wins the experiment.

The fact that $\mathcal {A}$ wins the game implies $(M^*,\varPi _{\mathsf {gs}}^*,\mathbf {c}_1^*,\mathbf {c}_2^*)$ is a valid message-signature pair that was not queried before. By the same extraction technique as in Lemma 4, we can extract witness $\mathbf {x'}\in R_q^{m}$ and $\mathbf {p'}\in R_q^{\ell }$ such that $\mathbf {x'},\mathbf {p'}$ have coefficients in $\{-1,0,1\}$, $\mathbf {B}\cdot \mathbf {x'}=p'$ with $\tau (p')=\mathbf {H}\cdot \tau (\mathbf {p'})$ and $\mathbf {c}_1^*,\mathbf {c}_2^*$ are correct encryptions of $\mathbf {p'}$. By the correctness of the encryption scheme being used, $\mathbf {c}_1^*$ will be decrypted to $\mathbf {p'}$.

The fact that $\mathcal {A}$ wins the game also implies $(p^*,\varPi _{\mathsf {open}}^*)$ is accepted by the $\mathsf {Judge}$ algorithm. It follows from the soundness of the argument system used to generate $\varPi _{\mathsf {open}}^*$ that $\mathbf {c}_1^*$ will be decrypted to $\mathsf {rdec}(p^*)$. Therefore, we have $\mathbf {p'}=\mathsf {rdec}(p^*)$ and hence $p'=p^*$. Note that $\mathcal {A}$ wins the game also implies that $p^*$ is an honest user with $\mathsf {gsk}\ne \bot $ and $\mathcal {A}$ did not query the user secret key $\mathbf {x}^*$ that corresponds to $p^*$. Thus we obtain: $\mathbf {B}\cdot \mathbf {x'}=p'=p^*=\mathbf {B}\cdot \mathbf {x}^*$, where $\mathbf {x}^*$ has coefficients in $\{-1,0,1\}$. By Lemma 2, $\mathbf {x'}\ne \mathbf {x}^*$ with probability at least 1 / 2. In the case they are not equal, we obtain a non-zero vector $\mathbf {y}=\mathbf {x'}-\mathbf {x}^*$ such that $\mathbf {B}\cdot \mathbf {y}=0$ and $\Vert \mathbf {y}\Vert _{\infty }=1$.

Therefore, with probability at least $\frac{1}{2}\cdot (\epsilon -3^{-\kappa })(1-(\frac{7}{9})^{\kappa })\cdot \frac{1}{2}$, which is non-negligible, $\mathcal {B}$ solves a $\mathsf {RSIS}_{n,m,q,1}$ instance $\mathbf {B}\in R_q^{1\times m}$. This concludes the proof. $\square $

References

Ateniese, G., Camenisch, J., Hohenberger, S., de Medeiros, B.: Practical group signatures without random oracles. IACR Cryptology ePrint Archive 2005/385 (2005)
Google Scholar
Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_16
Chapter Google Scholar
Bellare, M., Fuchsbauer, G.: Policy-based signatures. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 520–537. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_30
Chapter Google Scholar
Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38
Chapter Google Scholar
Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11
Chapter Google Scholar
Benhamouda, F., Camenisch, J., Krenn, S., Lyubashevsky, V., Neven, G.: Better zero-knowledge proofs for lattice encryption and their application to group signatures. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 551–572. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45611-8_29
Google Scholar
Böhl, F., Hofheinz, D., Jager, T., Koch, J., Striecks, C.: Confined guessing: new signatures from standard assumptions. J. Cryptol. 28(1), 176–208 (2015)
Article MathSciNet MATH Google Scholar
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3
Chapter Google Scholar
Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: ACM CCS 2004, pp. 168–177. ACM (2004)
Google Scholar
Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J.: Foundations of fully dynamic group signatures. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 117–136. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_7
Google Scholar
Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_29
Chapter Google Scholar
Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_1
Chapter Google Scholar
Brickell, E., Pointcheval, D., Vaudenay, S., Yung, M.: Design validations for discrete logarithm based signature schemes. In: Imai, H., Zheng, Y. (eds.) PKC 2000. LNCS, vol. 1751, pp. 276–292. Springer, Heidelberg (2000). https://doi.org/10.1007/978-3-540-46588-1_19
Chapter Google Scholar
Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_18
Chapter Google Scholar
Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7
Chapter Google Scholar
Camenisch, J., Neven, G., Rückert, M.: Fully anonymous attribute tokens from lattices. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 57–75. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_4
Chapter Google Scholar
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_27
Chapter Google Scholar
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Google Scholar
Cheng, S., Nguyen, K., Wang, H.: Policy-based signature scheme from lattices. Des. Codes Crypt. 81(1), 43–74 (2016)
Article MathSciNet MATH Google Scholar
Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 335–352. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_19
Chapter Google Scholar
Ducas, L., Micciancio, D.: Improved short lattice signatures in the standard model. IACR Cryptology ePrint Archive 2014/495 (2014)
Google Scholar
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Google Scholar
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC 2009, pp. 169–178. ACM (2009)
Google Scholar
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Predicate encryption for circuits from LWE. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 503–523. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_25
Chapter Google Scholar
Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_23
Chapter Google Scholar
Groth, J.: Evaluating security of voting schemes in the universal composability framework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 46–60. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_4
Chapter Google Scholar
Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-76900-2_10
Chapter Google Scholar
Jain, A., Krenn, S., Pietrzak, K., Tentes, A.: Commitments and efficient zero-knowledge proofs from learning parity with noise. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 663–680. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_40
Chapter Google Scholar
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89255-7_23
Chapter Google Scholar
Kiayias, A., Yung, M.: Secure scalable group signature with dynamic joins and separable authorities. Int. J. Secur. Netw. 1(1), 24–45 (2006)
Article Google Scholar
Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_3
Chapter Google Scholar
Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_20. http://eprint.iacr.org/2014/033
Chapter Google Scholar
Langlois, A., Stehlé, D.: Worst-case to average-case reductions for module lattices. Des. Codes Crypt. 75(3), 565–599 (2015)
Article MathSciNet MATH Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Chapter Google Scholar
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 101–131. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_4
Chapter Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1
Chapter Google Scholar
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based PRFs and applications to E-cash. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_11
Chapter Google Scholar
Libert, B., Mouhartem, F., Nguyen, K.: A lattice-based group signature scheme with message-dependent opening. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 137–155. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_8
Google Scholar
Libert, B., Peters, T., Yung, M.: Short group signatures via structure-preserving signatures: standard model security from simple assumptions. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 296–316. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_15
Chapter Google Scholar
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8
Chapter Google Scholar
Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_19
Google Scholar
Ling, S., Nguyen, K., Wang, H., Xu, Y.: Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 293–312. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_15
Chapter Google Scholar
Lyubashevsky, V., Micciancio, D.: Generalized compact knapsacks are collision resistant. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 144–155. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_13
Chapter Google Scholar
Lyubashevsky, V., Micciancio, D., Peikert, C., Rosen, A.: SWIFFT: a modest proposal for FFT hashing. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 54–72. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71039-4_4
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60(6), 43:1–43:35 (2013)
Article MathSciNet MATH Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Chapter Google Scholar
Micciancio, D.: Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Comput. Complex 16(4), 365–411 (2007)
Article MathSciNet MATH Google Scholar
Micciancio, D., Peikert, C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 700–718. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_41
Chapter Google Scholar
Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: ACM 1990, pp. 427–437. ACM (1990)
Google Scholar
Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_18
Google Scholar
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC 2017, pp. 461–473. ACM (2017)
Google Scholar
Peikert, C., Rosen, A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 145–166. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_8
Chapter Google Scholar
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: ACM 2005, pp. 84–93. ACM (2005)
Google Scholar
Sakai, Y., Emura, K., Hanaoka, G., Kawai, Y., Matsuda, T., Omote, K.: Group signatures with message-dependent opening. In: Abdalla, M., Lange, T. (eds.) Pairing 2012. LNCS, vol. 7708, pp. 270–294. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36334-4_18
Chapter Google Scholar
Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996)
Article MathSciNet MATH Google Scholar
Xagawa, K.: Improved (hierarchical) inner-product encryption from lattices. IACR Cryptology ePrint Archive 2015/249 (2015)
Google Scholar

Download references

Acknowledgements

The authors would like to thank Benoît Libert and the anonymous reviewers of PKC 2018 for helpful comments and discussions. The research is supported by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S).

Author information

Authors and Affiliations

Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, Singapore
San Ling, Khoa Nguyen, Huaxiong Wang & Yanhong Xu

Authors

San Ling
View author publications
You can also search for this author in PubMed Google Scholar
Khoa Nguyen
View author publications
You can also search for this author in PubMed Google Scholar
Huaxiong Wang
View author publications
You can also search for this author in PubMed Google Scholar
Yanhong Xu
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yanhong Xu .

Editor information

Editors and Affiliations

CNRS and École Normale Supérieure, Paris, France
Michel Abdalla
University of Campinas, Campinas, São Paulo, Brazil
Ricardo Dahab

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Ling, S., Nguyen, K., Wang, H., Xu, Y. (2018). Constant-Size Group Signatures from Lattices. In: Abdalla, M., Dahab, R. (eds) Public-Key Cryptography – PKC 2018. PKC 2018. Lecture Notes in Computer Science(), vol 10770. Springer, Cham. https://doi.org/10.1007/978-3-319-76581-5_3

Download citation

DOI: https://doi.org/10.1007/978-3-319-76581-5_3
Published: 01 March 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76580-8
Online ISBN: 978-3-319-76581-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Constant-Size Group Signatures from Lattices

Abstract

Similar content being viewed by others

Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based

Lattice-Based Group Signatures with Logarithmic Signature Size

Simpler Efficient Group Signatures from Lattices

Keywords

1 Introduction

2 Background

2.1 Rings, RSIS and RLWE

Definition 1

Definition 2

2.2 Decompositions

2.3 A Variant of the Ducas-Micciancio Signature Scheme

Remark 1

Lemma 1

2.4 Zero-Knowledge Argument Systems and Stern-Like Protocols

Theorem 1

3 ZKAoK for the Ducas-Micciancio Signature Scheme

3.1 A Refined Permuting Technique

Example 1

3.2 Zero-Knowledge Protocol for the Ducas-Micciancio Signature

Theorem 2

Proof

4 Constant-Size Group Signatures from Lattices

4.1 Dynamic Group Signatures

4.2 The Underlying Zero-Knowledge Argument System

Theorem 3

Proof

4.3 Description of Our Scheme

4.4 Analysis of the Scheme

Lemma 2

Proof

Theorem 4

Lemma 3

Lemma 4

Proof

Lemma 5

Proof

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation