Abstract
We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands (\({\approx }2^{24}\) users). The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.
1 Introduction
1.1 Background and Motivation
Group signature [CvH91] is a fundamental cryptographic primitive with two intriguing features: On the one hand, it allows users of a group to anonymously sign documents on behalf of the whole group (anonymity); On the other hand, there is a tracing authority that can tie a given signature to the signer’s identity should the need arise (traceability). These two properties make group signatures highly useful in various real-life scenarios such as controlled anonymous printing services, digital rights management systems, e-bidding and e-voting schemes. Theoretically, designing secure and efficient group signature schemes is of deep interest since doing so typically requires a sophisticated combination of carefully chosen cryptographic ingredients. Numerous constructions of group signatures have been proposed, most of which are based on classical number-theoretic assumptions (e.g., [CS97, ACJT00, BBS04, BW06, LPY12]).
While number-theoretic-based group signatures could be very efficient (e.g., [ACJT00, BBS04]), such schemes would become insecure once the era of scalable quantum computing arrives [Sho97]. The search for post-quantum group signatures, as a preparation for the future, has been quite active recently, with 6 published schemes [GKV10, CNR12, LLLS13, LLNW14, LNW15, NZZ15], all of which are based on computational assumptions from lattices. Despite their theoretical interest, those schemes involve significantly large key and signature sizes, and no implementation result has been given. Our evaluation shows that the lattice-based schemes listed above are indeed very far from being practical (see Sect. 1.2). This somewhat unsatisfactory situation highlights two interesting challenges: First, making post-quantum group signatures one step closer to practice; Second, bringing in more diversity with a scheme from another candidate for post-quantum cryptography (e.g., code-based, hash-based, multivariate-based). For instance, an easy-to-implement and competitively efficient code-based group signature scheme would be highly desirable.
A code-based group signature, in the strongest security model for static groups [BMW03], would typically require the following 3 cryptographic layers:

1. The first layer requires a secure (standard) signature scheme to sign messages (Footnote 1). We observe that the existing code-based signatures fall into two categories. The “hash-and-sign” category consists of the CFS signature [CFS01] and its modified versions [Dal08, Fin10, MVR12]. The known security proofs for schemes in this category, however, should be viewed with skepticism: the assumption used in [Dal08] was invalidated by distinguishing attacks [FGUO+13], while the new assumption proposed in [MVR12] lies on a rather fragile ground. The “Fiat-Shamir” category consists of schemes derived from Stern’s identification protocol [Ste96] and its variants [Vér96, CVA10, MGS11] via the Fiat-Shamir transformation [FS86]. Although these schemes produce relatively large signatures (as the underlying protocol has to be repeated many times to make the soundness error negligibly small), their provable security (in the random oracle model) is well understood.

2. The second layer demands a semantically secure encryption scheme to enable the tracing feature: the signer is constrained to encrypt its identifying information and to send the ciphertext as part of the group signature, so that the tracing authority can decrypt if and when necessary. This ingredient is also available in code-based cryptography, thanks to various CPA-secure and CCA-secure variants of the McEliece [McE78] and the Niederreiter [Nie86] cryptosystems (e.g., [NIKM08, DDMN12, Per12, MVVR12]).

3. The third layer, which is essentially the bottleneck in realizing secure code-based group signatures, requires a zero-knowledge (ZK) protocol that connects the first two layers. Specifically, the protocol should demonstrate that a given signature is generated by a certain certified group user who honestly encrypts its identifying information. Constructing such a protocol is quite challenging. There have been ZK protocols involving the CFS and Stern’s signatures, which yield identity-based identification schemes [CGG07, ACM11, YTM+14] and threshold ring signatures [MCG08, MCGL11]. There also have been ZK proofs of plaintext knowledge for the McEliece and the Niederreiter cryptosystems [HMT13]. Yet we are not aware of any efficient ZK protocol that simultaneously deals with both code-based signature and encryption schemes in the above sense.
Designing a provably secure group signature scheme, thus, is a long-standing open question in code-based cryptography (see, e.g., [CM10]).
1.2 Our Contributions
In this work, we construct a group signature scheme which is provably secure under code-based assumptions. Specifically, the scheme achieves the anonymity and traceability requirements ([BMW03, BBS04]) in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem.
Contributions to Code-Based Cryptography. By introducing the first provably secure code-based group signature scheme, we solve the open problem discussed earlier. Along the way, we introduce two new techniques for code-based cryptography, which might be of independent interest:

1. We design a ZK protocol for the randomized McEliece encryption scheme that allows the prover to convince the verifier that a given ciphertext is well-formed, and that the hidden plaintext satisfies an additional condition. Such protocols, called verifiable encryption protocols, are useful not only in constructing group signatures, but also in much broader contexts [CS03]. It is worth noting that, prior to our work, verifiable encryption protocols for code-based cryptosystems only exist in the very basic form [HMT13] (where the plaintext is publicly given), which seems to have restricted applications.

2. In our security proof of the traceability property, to obtain a reduction from the hardness of the Syndrome Decoding (SD) problem, we come up with an approach that, as far as we know, has not been considered in the literature before. Recall that the (average-case) SD problem with parameters \(m, r, \omega \) is as follows: given a uniformly random matrix \(\widetilde{\mathbf {H}} \in \mathbb {F}_2^{r \times m}\) and a uniformly random syndrome \(\tilde{\mathbf {y}} \in \mathbb {F}_2^r\), the problem asks to find a vector \(\mathbf {s} \in \mathbb {F}_2^m\) that has Hamming weight \(\omega \) (denoted by \(\mathbf {s} \in \mathsf {B}(m, \omega )\)) such that \(\widetilde{\mathbf {H}}\cdot \mathbf {s}^\top = \tilde{\mathbf {y}}^\top \). In our scheme, the key generation algorithm produces a public key containing a matrix \(\mathbf {H}\in \mathbb {F}_2^{r \times m}\) and syndromes \(\mathbf {y}_j \in \mathbb {F}_2^r\), while users are given secret keys of the form \(\mathbf {s}_j \in \mathsf {B}(m, \omega )\) such that \(\mathbf {H}\cdot \mathbf {s}_j^\top = \mathbf {y}_j^\top \). In the security proof, since we would like to embed an SD challenge instance \((\widetilde{\mathbf {H}}, \tilde{\mathbf {y}})\) into the public key without being noticed with non-negligible probability by the adversary, we have to require that \(\mathbf {H}\) and the \(\mathbf {y}_j\)’s produced by the key generation are indistinguishable from uniform. One method to generate these keys is to employ the “hash-and-sign” technique from the CFS signature [CFS01]. Unfortunately, while the syndromes \(\mathbf {y}_j\)’s could be made uniformly random (as the outputs of the random oracle), the assumption that the CFS matrix \(\mathbf {H}\) is computationally close to uniform (for practical parameters) is invalidated by distinguishing attacks [FGUO+13]. Another method, pioneered by Stern [Ste96], is to pick \(\mathbf {H}\) and the \(\mathbf {s}_j\)’s uniformly at random. The corresponding syndromes \(\mathbf {y}_j\)’s could be made computationally close to uniform if the parameters are set such that \(\omega \) is slightly smaller than the value \(\omega _0\) given by the Gilbert-Varshamov bound (Footnote 2), i.e., \(\omega _0\) such that \(\left( {\begin{array}{c}m\\ \omega _0\end{array}}\right) \approx 2^r\). However, for these parameters, it is not guaranteed with high probability that a uniformly random SD instance \((\widetilde{\mathbf {H}}, \tilde{\mathbf {y}})\) has solutions, which would affect the success probability of the reduction algorithm. In this work, we consider the case when \(\omega \) is moderately larger than \(\omega _0\), so that two conditions hold: First, the uniform distribution over the set \(\mathsf {B}(m,\omega )\) has sufficient min-entropy to apply the leftover hash lemma [GKPV10]; Second, the SD problem with parameters \((m, r, \omega )\) admits solutions with high probability, yet remains intractable (Footnote 3) against the best known attacks [FS09, BJMM12]. This gives us a new method to generate uniformly random vectors \(\mathbf {s}_j \in \mathsf {B}(m,\omega )\) and matrix \(\mathbf {H} \in \mathbb {F}_2^{r \times m}\) so that the syndromes \(\mathbf {y}_j\)’s corresponding to the \(\mathbf {s}_j\)’s are statistically close to uniform. This approach, which somewhat resembles the technique used in [GPV08] for the Inhomogeneous Small Integer Solution problem, is helpful in our security proof (and generally, in designing formal security reductions from the SD problem).
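As an added illustration (not code from the paper), the following Python sketches the key-generation approach just described: \(\mathbf {H}\) and the \(\mathbf {s}_j\) are drawn uniformly, the syndromes \(\mathbf {y}_j\) are published, and two small helpers relate the weight \(\omega \) to the Gilbert-Varshamov value \(\omega _0\) and to the min-entropy condition of the leftover hash lemma. Two conventions are this example's assumptions: `gv_weight` takes \(\omega _0\) to be the largest weight with \(\binom{m}{\omega _0} \le 2^r\), and `lhl_min_weight` treats the \(\mathcal {O}(1)\) term of the lemma as a caller-supplied slack. The statistical-distance routine enumerates all of \(\mathsf {B}(m,\omega )\) for toy sizes and measures the syndrome distribution for one fixed \(\mathbf {H}\), whereas the lemma itself bounds the distance of the joint distribution \((\mathbf {H}, \mathbf {H}\cdot \mathbf {s}^\top )\) from uniform.

```python
# Added example (not from the paper): Stern-style key generation for the
# signature layer and parameter checks for the weight omega, using toy sizes.
import math
import random
from itertools import combinations


def gv_weight(m, r):
    """omega_0: largest weight <= m/2 with C(m, omega_0) <= 2^r (assumed convention)."""
    w = 0
    while w + 1 <= m // 2 and math.comb(m, w + 1) <= 2 ** r:
        w += 1
    return w


def lhl_min_weight(m, r, lam, slack=0):
    """Smallest omega <= m/2 with log2 C(m, omega) >= r + 2*lam + slack, i.e. the
    uniform distribution on B(m, omega) has the min-entropy Lemma 1 needs for
    epsilon = 2^-lam (slack stands in for the O(1) term). None if no weight qualifies."""
    for w in range(m // 2 + 1):
        if math.log2(math.comb(m, w)) >= r + 2 * lam + slack:
            return w
    return None


def sample_fixed_weight(m, omega, rng):
    """Uniform element of B(m, omega): choose omega distinct positions to set to 1."""
    s = [0] * m
    for i in rng.sample(range(m), omega):
        s[i] = 1
    return s


def syndrome(H, s):
    """H . s^T over F_2, returned as a list of r bits."""
    return [sum(h * x for h, x in zip(row, s)) % 2 for row in H]


def keygen(m, r, omega, N, rng=None):
    """Public: uniform H and syndromes y_j = H s_j^T; secret: uniform s_j in B(m, omega)."""
    rng = rng or random.Random()
    H = [[rng.randrange(2) for _ in range(m)] for _ in range(r)]
    secret = [sample_fixed_weight(m, omega, rng) for _ in range(N)]
    public = [syndrome(H, s) for s in secret]
    return H, public, secret


def verify_keys(H, public, secret, omega):
    """Check every user key: correct weight and matching published syndrome."""
    return all(sum(s) == omega and syndrome(H, s) == y
               for s, y in zip(secret, public))


def syndrome_statistical_distance(H, omega):
    """Exact statistical distance between H s^T (s uniform in B(m, omega)) and the
    uniform distribution on F_2^r, for this one fixed H. Only feasible for toy m."""
    r, m = len(H), len(H[0])
    counts = {}
    total = math.comb(m, omega)
    for ones in combinations(range(m), omega):
        s = [1 if i in ones else 0 for i in range(m)]
        key = tuple(syndrome(H, s))
        counts[key] = counts.get(key, 0) + 1
    uniform = 1.0 / 2 ** r
    dist = 0.0
    for bits in range(2 ** r):
        key = tuple((bits >> (r - 1 - i)) & 1 for i in range(r))
        dist += abs(counts.get(key, 0) / total - uniform)
    return dist / 2


if __name__ == "__main__":
    rng = random.Random(2015)
    m, r, N = 24, 8, 4
    w0 = gv_weight(m, r)
    w = lhl_min_weight(m, r, lam=2)  # moderately above omega_0, as in the text
    H, public, secret = keygen(m, r, w, N, rng)
    print("omega_0 =", w0, " chosen omega =", w)
    print("keys consistent:", verify_keys(H, public, secret, w))
    print("statistical distance for this H:", syndrome_statistical_distance(H, w))
```

For the toy sizes in the `__main__` block the distance is computed exactly; for the paper's real parameters the set \(\mathsf {B}(m,\omega )\) is far too large to enumerate, which is exactly why the leftover hash lemma is needed in the proof.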
Contributions to Post-Quantum Group Signatures. Our construction provides the first non-lattice-based alternative to provably secure post-quantum group signatures. The scheme features public key and signature sizes linear in the number of group users N, which is asymptotically not as efficient as the recently published lattice-based counterparts ([LLLS13, LLNW14, LNW15, NZZ15]). However, when instantiating with practical parameters, our scheme behaves much more efficiently than the scheme proposed in [NZZ15] (which is arguably the current most efficient lattice-based group signature in the asymptotic sense). Indeed, our estimation shows that our scheme gives public key and signature sizes that are 2300 times and 540 times smaller, respectively, for an average-size group of \(N=2^8\) users. As N grows, the advantage lessens, but our scheme remains more efficient even for a huge group of \(N=2^{24}\) users (which is comparable to the whole population of the Netherlands). The details of our estimation are given in Table 1.
Furthermore, we give implementation results, the first ones for post-quantum group signatures, to support the feasibility of our scheme (see Sect. 5). Our results, while not yielding a truly practical scheme, would certainly help to bring post-quantum group signatures one step closer to practice.
1.3 Overview of Our Techniques
Let \(m, r, \omega , n, k, t\) and \(\ell \) be positive integers. We consider a group of size \(N = 2^\ell \), where each user is indexed by an integer \(j \in [0, N-1]\). The secret signing key of user j is a vector \(\mathbf {s}_j\) chosen uniformly at random from the set \(\mathsf {B}(m,\omega )\). A uniformly random matrix \(\mathbf {H} \in \mathbb {F}_2^{r \times m}\) and N syndromes \(\mathbf {y}_0, \ldots , \mathbf {y}_{N-1} \in \mathbb {F}_2^r\), such that \(\mathbf {H}\cdot \mathbf {s}_j^\top = \mathbf {y}_j^\top \), for all j, are made public. Let us now explain the development of the 3 ingredients used in our scheme.
The Signature Layer. User j can run Stern’s ZK protocol [Ste96] to prove the possession of a vector \(\mathbf {s} \in \mathsf {B}(m,\omega )\) such that \(\mathbf {H}\cdot \mathbf {s}^\top = \mathbf {y}_j^\top \), where the constraint \(\mathbf {s} \in \mathsf {B}(m,\omega )\) is proved in ZK by randomly permuting the entries of \(\mathbf {s}\) and showing that the permuted vector belongs to \(\mathsf {B}(m,\omega )\). The protocol is then transformed into a Fiat-Shamir signature [FS86]. However, such a signature is publicly verifiable only if the index j is given to the verifier.
The user can further hide its index j to achieve unconditional anonymity among all N users (which yields a ring signature [RST01] on the way, a la [BS13]), as follows. Let \(\mathbf {A} = \big [\mathbf {y}_0^\top \mid \cdots \mid \mathbf {y}_j^\top \mid \cdots \mid \mathbf {y}_{N-1}^\top \big ] \in \mathbb {F}_2^{r \times N}\) and let \(\mathbf {x} = \delta _j^N\), the N-dimensional unit vector with entry 1 at the j-th position. Observe that \(\mathbf {A}\cdot \mathbf {x}^\top = \mathbf {y}_j^\top \), and thus, the equation \(\mathbf {H}\cdot \mathbf {s}^\top = \mathbf {y}_j^\top \) can be written as
where \(\oplus \) denotes addition modulo 2. Stern’s framework allows the user to prove in ZK the possession of \((\mathbf {s}, \mathbf {x})\) satisfying this equation, where the condition \(\mathbf {x} = \delta _j^N\) can be justified using a random permutation.
The Encryption Layer. To enable the tracing capability of the scheme, we let user j encrypt the binary representation of j via the randomized McEliece encryption scheme [NIKM08]. Specifically, we represent j as vector \(\mathsf{I2B}(j) = (j_0, \ldots , j_{\ell -1}) \in \{0,1\}^\ell \), where \(\sum _{i=0}^{\ell -1}j_i 2^{\ell -1-i} = j\). Given a public encrypting key \(\mathbf {G} \in \mathbb {F}_2^{k \times n}\), a ciphertext of \(\mathsf{I2B}(j)\) is of the form:
where \((\mathbf {u}, \mathbf {e})\) is the encryption randomness, with \(\mathbf {u} \in \mathbb {F}_2^{k - \ell }\), and \(\mathbf {e} \in \mathsf {B}(n, t)\) (i.e., \(\mathbf {e}\) is a vector in \(\mathbb {F}_2^n\) that has weight t).
Connecting the Signature and Encryption Layers. User j must demonstrate that it does not cheat (e.g., by encrypting some string that does not point to j) without revealing j. Thus, we need a ZK protocol that allows the user to prove that the vector \(\mathbf {x} = \delta _j^N\) used in (1) and the plaintext hidden in (2) both correspond to the same secret \(j \in [0,N-1]\). The crucial challenge is to establish a connection (which is verifiable in ZK) between the “index representation” \(\delta _j^N\) and the binary representation \(\mathsf{I2B}(j)\). This challenge is well handled by the following technique.
Instead of working with \(\mathsf{I2B}(j) = (j_0, \ldots , j_{\ell -1})\), we consider an extension of \(\mathsf{I2B}(j)\), defined as \(\mathsf{Encode}(j) = (1-j_0, j_0, \ldots , 1-j_i, j_i, \ldots , 1 - j_{\ell -1}, j_{\ell -1}) \in \mathbb {F}_2^{2\ell }\). We then suitably insert \(\ell \) zero rows into matrix \(\mathbf {G}\) to obtain matrix \(\widehat{\mathbf {G}} \in \mathbb {F}_2^{(k + \ell ) \times n}\) such that \(\big (\mathbf {u}\Vert \mathsf{Encode}(j)\big )\cdot \widehat{\mathbf{G}}= \big (\mathbf {u}\Vert \mathsf{I2B}(j)\big )\cdot \mathbf{G}\). Let \(\mathbf {f} = \mathsf{Encode}(j)\), then equation (2) can be rewritten as:
Now, let \(\mathsf{B2I}: \{0,1\}^\ell \rightarrow [0,N-1]\) be the inverse function of \(\mathsf{I2B}(\cdot )\). For every \(\mathbf {b} \in \{0,1\}^\ell \), we carefully design two classes of permutations \(T_{\mathbf {b}}: \mathbb {F}_2^N \rightarrow \mathbb {F}_2^N\) and \(T'_{\mathbf {b}}: \mathbb {F}_2^{2\ell } \rightarrow \mathbb {F}_2^{2\ell }\), such that for any \(j \in [0,N-1]\), the following hold:
Given these equivalences, in the protocol, the user samples a uniformly random vector \(\mathbf {b} \in \{0,1\}^\ell \), and sends \(\mathbf {b}_1 = \mathsf{I2B}(j)\oplus \mathbf {b}\). The verifier, seeing that \(T_{\mathbf {b}}(\mathbf {x}) = \delta ^N_{\mathsf{B2I}(\mathbf {b}_1)}\) and \(T'_{\mathbf {b}}(\mathbf {f})=\mathsf{Encode}(\mathsf{B2I}(\mathbf {b}_1))\), should be convinced that \(\mathbf {x}\) and \(\mathbf {f}\) correspond to the same \(j \in [0,N-1]\), yet the value of j is completely hidden from its view, because vector \(\mathbf {b}\) essentially acts as a “one-time pad”.
The technique extending \(\mathsf{I2B}(j)\) into \(\mathsf{Encode}(j)\) and then permuting \(\mathsf{Encode}(j)\) in a “one-time pad” fashion is inspired by a method originally proposed by Langlois et al. [LLNW14] in a seemingly unrelated context, where the goal is to prove that the message being signed under the Bonsai tree signature [CHKP10] is of the form \(\mathsf{I2B}(j)\), for some \(j \in [0,N-1]\). Here, we adapt and develop their method to simultaneously prove two facts: the plaintext being encrypted under the randomized McEliece encryption is of the form \(\mathsf{I2B}(j)\), and the unit vector \(\mathbf {x} = \delta _j^N\) is used in the signature layer.
By embedding the above technique into Stern’s framework, we obtain an interactive ZK argument system, in which, given the public input \((\mathbf {H}, \mathbf {A}, \mathbf {G})\), the user is able to prove the possession of a secret tuple \((j, \mathbf {s}, \mathbf {x}, \mathbf {u}, \mathbf {f}, {\mathbf {e}})\) satisfying (1) and (3). The protocol is repeated many times to achieve negligible soundness error, and then made non-interactive, resulting in a non-interactive ZK argument of knowledge \(\varPi \). The final group signature is of the form \((\mathbf {c}, \varPi )\), where \(\mathbf {c}\) is the ciphertext. In the random oracle model, the anonymity of the scheme relies on the zero-knowledge property of \(\varPi \) and the CPA-security of the randomized McEliece encryption scheme, while its traceability is based on the hardness of the variant of the SD problem discussed earlier.
1.4 Related Works and Open Questions
A group signature scheme based on the security of the ElGamal signature scheme and the hardness of decoding linear codes was given in [MCK01]. In a concurrent and independent work, Alamélou et al. [ABCG15] also propose a code-based group signature scheme. These two works have yet to provide a provably secure group signature scheme based solely on code-based assumptions, which we achieve in the present paper.
Our work constitutes a foundational step in code-based group signatures. In the next steps, we will work towards improving the current construction in terms of efficiency (e.g., making the signature size less dependent on the number of group users), as well as functionality (e.g., achieving dynamic enrollment and efficient revocation of users). Another interesting open question is to construct a scheme achieving CCA-anonymity.
2 Preliminaries
Notations. We let \(\lambda \) denote the security parameter and \(\mathsf {negl}(\lambda )\) denote a negligible function in \(\lambda \). We denote by \(a\mathop {\leftarrow }\limits ^{\$}A\) if a is chosen uniformly at random from the finite set A. The symmetric group of all permutations of k elements is denoted by \(\mathsf {S}_k\). We use bold capital letters (e.g., \(\mathbf {A}\)) to denote matrices, and bold lowercase letters (e.g., \(\mathbf {x}\)) to denote row vectors. We use \({\mathbf {x}}^{\top }\) to denote the transpose of \(\mathbf {x}\) and \(wt(\mathbf {x})\) to denote the (Hamming) weight of \(\mathbf {x}\). We denote by \(\mathsf {B}(m,\omega )\) the set of all vectors \(\mathbf {x} \in \mathbb {F}_2^m\) such that \(wt(\mathbf {x}) = \omega \). Throughout the paper, we define a function \(\mathsf{I2B}\) which takes a non-negative integer a as an input, and outputs the binary representation \((a_{0}, \cdots , a_{\ell -1})\in \{0,1\}^{\ell }\) of a such that \(a=\sum _{i=0}^{\ell -1}a_i2^{\ell -1-i}\), and a function \(\mathsf{B2I}\) which takes as an input the binary representation \((a_{0}, \cdots , a_{\ell -1})\in \{0,1\}^{\ell }\) of a, and outputs a. All logarithms are of base 2.
2.1 Background on CodeBased Cryptography
We first recall the Syndrome Decoding problem, which is well known to be NP-complete [BMvT78], and is widely believed to be intractable in the average case for appropriate choices of parameters [Ste96, Meu13].
Definition 1 (The Syndrome Decoding problem). The \(\mathsf {SD}(m, r, \omega )\) problem is as follows: given a uniformly random matrix \(\mathbf {H} \in \mathbb {F}_2^{r \times m}\) and a uniformly random syndrome \(\mathbf {y}\in \mathbb {F}_2^r\), find a vector \(\mathbf {s} \in \mathsf {B}(m, \omega )\) such that \(\mathbf {H}\cdot \mathbf {s}^\top = \mathbf {y}^\top \).
When \(m = m(\lambda ), r= r(\lambda ), \omega = \omega (\lambda )\), we say that the \(\mathsf {SD}(m, r, \omega )\) problem is hard, if the success probability of any \(\mathrm {PPT}\) algorithm in solving the problem is at most \(\mathsf {negl}(\lambda )\).
In our security reduction, the following variant of the leftover hash lemma for matrix multiplication over \(\mathbb {F}_2\) is used.
Lemma 1 (Leftover hash lemma, adapted from [GKPV10]). Let D be a distribution over \(\mathbb {F}_2^m\) with min-entropy e. For \(\epsilon > 0\) and \(r \le e - 2\log (1/\epsilon ) - \mathcal {O}(1)\), the statistical distance between the distribution of \((\mathbf {H}, \mathbf {H}\cdot \mathbf {s}^\top )\), where \(\mathbf {H} \xleftarrow {\$} \mathbb {F}_2^{r \times m}\) and \(\mathbf {s} \in \mathbb {F}_2^m\) is drawn from distribution D, and the uniform distribution over \(\mathbb {F}_2^{r \times m} \times \mathbb {F}_2^r\) is at most \(\epsilon \).
In particular, if \(\omega <m\) is an integer such that \(r \le \log \left( {\begin{array}{c}m\\ \omega \end{array}}\right) - 2\lambda - \mathcal {O}(1)\) and D is the uniform distribution over \(\mathsf {B}(m,\omega )\) (i.e., D has min-entropy \(\log \left( {\begin{array}{c}m\\ \omega \end{array}}\right) \)), then the statistical distance between the distribution of \((\mathbf {H}, \mathbf {H}\cdot \mathbf {s}^\top )\) and the uniform distribution over \(\mathbb {F}_2^{r \times m} \times \mathbb {F}_2^r\) is at most \(2^{-\lambda }\).
The Randomized McEliece Encryption Scheme. We employ a randomized variant of the McEliece [McE78] encryption scheme, suggested in [NIKM08], where a uniformly random vector is concatenated to the plaintext. The scheme is described as follows:

\(\mathsf {ME.Setup}(1^\lambda ){:}\) Select parameters \(n= n(\lambda ), k= k(\lambda ), t= t(\lambda )\) for a binary \([n, k, 2t+1]\) Goppa code. Choose integers \(k_1\), \(k_2\) such that \(k=k_1+k_2\). Set the plaintext space as \(\mathbb {F}_{2}^{k_2}\).

\(\mathsf {ME.KeyGen}(n, k, t){:}\) Perform the following steps:

1. Produce a generator matrix \(\mathbf{G}' \in \mathbb {F}_2^{k\times n}\) of a randomly selected \([n, k, 2t+1]\) Goppa code. Choose a random invertible matrix \(\mathbf{S}\in \mathbb {F}_2^{k\times k}\) and a random permutation matrix \(\mathbf{P}\in \mathbb {F}_2^{n\times n}\). Let \(\mathbf{G}=\mathbf{S}\mathbf{G}'\mathbf{P}\in \mathbb {F}_2^{k\times n}\).

2. Output encrypting key \(\mathsf {pk_{ME}}=\mathbf{G}\) and decrypting key \(\mathsf {sk_{ME}}=(\mathbf{S}, \mathbf{G}', \mathbf{P})\).

\(\mathsf {ME.Enc}(\mathsf {pk_{ME}}, \mathbf {m}){:}\) To encrypt a message \(\mathbf {m}\in \mathbb {F}_2^{k_2}\), sample \(\mathbf {u} \xleftarrow {\$}\mathbb {F}_2^{k_1}\) and \(\mathbf {e} \mathop {\leftarrow }\limits ^{\$}\mathsf {B}(n, t)\), then output the ciphertext \(\mathbf {c}=(\mathbf {u}\Vert \mathbf {m})\cdot \mathbf{G}\oplus \mathbf {e} \in \mathbb {F}_2^{n}\).

\(\mathsf {ME.Dec}(\mathsf {sk_{ME}}, \mathbf {c}){:}\) Perform the following steps:

1. Compute \(\mathbf {c}\cdot \mathbf{P}^{-1}=((\mathbf {u}\Vert \mathbf {m})\cdot \mathbf{G}\oplus \mathbf {e})\cdot \mathbf{P}^{-1}\) and then \(\mathbf {m}'\cdot \mathbf{S}= { Decode}_{\mathbf{G}'}(\mathbf {c}\cdot \mathbf{P}^{-1})\), where \({ Decode}\) is an error-correcting algorithm with respect to \(\mathbf{G}'\). If \({ Decode}\) fails, then return \(\bot \).

2. Compute \(\mathbf {m}'=(\mathbf {m}'\mathbf{S})\cdot \mathbf{S}^{-1}\), parse \(\mathbf {m}'=(\mathbf {u}\Vert \mathbf {m})\), where \(\mathbf {u}\in \mathbb {F}_2^{k_1}\) and \(\mathbf {m}\in \mathbb {F}_2^{k_2}\), and return \(\mathbf {m}\).
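To make the four algorithms above concrete, here is an added Python walkthrough; it is not the paper's code, and it replaces the binary Goppa code with the Hamming \([7,4,3]\) code (so \(n=7\), \(k=4\), \(t=1\), with \(k_1 = k_2 = 2\)) purely to keep the decoder short. Such a tiny code offers no security at all; the point is the structure \(\mathbf{G}=\mathbf{S}\mathbf{G}'\mathbf{P}\), the random pad \(\mathbf {u}\), the weight-t error, and the decryption steps \(\mathbf {c}\cdot \mathbf{P}^{-1}\), \({ Decode}_{\mathbf{G}'}\), and multiplication by \(\mathbf{S}^{-1}\).

```python
# Added example (not the paper's code): the randomized McEliece scheme of
# [NIKM08] with the Hamming [7,4,3] code standing in for the Goppa code.
import random

# Systematic generator matrix G' and parity-check matrix of the [7,4,3] Hamming code (t = 1).
G_PRIME = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
H_CODE = [
    [1, 1, 0, 1, 1, 0, 0],
    [1, 0, 1, 1, 0, 1, 0],
    [0, 1, 1, 1, 0, 0, 1],
]
N_CODE, K_CODE = 7, 4
K1, K2 = 2, 2  # k = k1 + k2: length of the random pad u and of the plaintext m

def mat_mul(A, B):
    """Matrix product over F_2 (matrices as lists of 0/1 rows)."""
    out = []
    for row in A:
        acc = [0] * len(B[0])
        for a, brow in zip(row, B):
            if a:
                acc = [x ^ y for x, y in zip(acc, brow)]
        out.append(acc)
    return out

def vec_mul(v, M):
    """Row vector times matrix over F_2."""
    return mat_mul([v], M)[0]

def transpose(M):
    return [list(col) for col in zip(*M)]

def inverse_gf2(M):
    """Gauss-Jordan inverse over F_2; None if M is singular."""
    k = len(M)
    aug = [list(M[i]) + [int(i == j) for j in range(k)] for i in range(k)]
    for col in range(k):
        piv = next((r for r in range(col, k) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(k):
            if r != col and aug[r][col]:
                aug[r] = [x ^ y for x, y in zip(aug[r], aug[col])]
    return [row[k:] for row in aug]

def decode(word):
    """Decode_{G'}: correct at most one error and return the 4 systematic bits,
    or None if the corrected word is still not a codeword."""
    word = list(word)
    columns = transpose(H_CODE)
    syn = vec_mul(word, columns)  # (H . c^T)^T
    if any(syn):
        word[columns.index(syn)] ^= 1  # every nonzero syndrome is a column of H
    if any(vec_mul(word, columns)):
        return None
    return word[:K_CODE]

def me_keygen(rng):
    """ME.KeyGen: G = S G' P with S invertible and P a permutation matrix."""
    while True:
        S = [[rng.randrange(2) for _ in range(K_CODE)] for _ in range(K_CODE)]
        S_inv = inverse_gf2(S)
        if S_inv is not None:
            break
    perm = list(range(N_CODE))
    rng.shuffle(perm)
    P = [[int(perm[i] == j) for j in range(N_CODE)] for i in range(N_CODE)]
    G = mat_mul(mat_mul(S, G_PRIME), P)
    return G, (S_inv, P)

def me_enc(G, m, rng):
    """ME.Enc: c = (u || m) G + e with u uniform in F_2^{k1} and e uniform in B(n, 1)."""
    assert len(m) == K2
    u = [rng.randrange(2) for _ in range(K1)]
    e = [0] * N_CODE
    e[rng.randrange(N_CODE)] = 1
    return [a ^ b for a, b in zip(vec_mul(u + m, G), e)]

def me_dec(sk, c):
    """ME.Dec: undo P, decode to (u || m) S, undo S, drop the pad u."""
    S_inv, P = sk
    word = vec_mul(c, transpose(P))  # P^{-1} = P^T for a permutation matrix
    mS = decode(word)
    if mS is None:
        return None
    return vec_mul(mS, S_inv)[K1:]

def roundtrip(seed=1, trials=50):
    """Encrypt random 2-bit messages under a fresh key and check they decrypt correctly."""
    rng = random.Random(seed)
    G, sk = me_keygen(rng)
    for _ in range(trials):
        m = [rng.randrange(2) for _ in range(K2)]
        if me_dec(sk, me_enc(G, m, rng)) != m:
            return False
    return True

if __name__ == "__main__":
    print("all ciphertexts decrypt correctly:", roundtrip())
```

Because \(\mathbf{P}\) only permutes coordinates, \(\mathbf {e}\cdot \mathbf{P}^{-1}\) still has weight t, which is what lets the decoder for \(\mathbf{G}'\) recover the codeword \((\mathbf {u}\Vert \mathbf {m})\cdot \mathbf{S}\mathbf{G}'\); the random pad \(\mathbf {u}\) is discarded after decryption, exactly as in step 2 of \(\mathsf {ME.Dec}\).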
The scheme described above is CPA-secure in the standard model assuming the hardness of the \(\mathsf {DMcE}(n, k, t)\) problem and the \(\mathsf {DLPN}(k_1, n, \mathsf {B}(n, t))\) problem [NIKM08, Döt14]. We now recall these two problems.
Definition 2 (The Decisional McEliece problem). The \(\mathsf {DMcE}(n, k, t)\) problem is as follows: given a matrix \(\mathbf {G} \in \mathbb {F}_2^{k\times n}\), distinguish whether \(\mathbf {G}\) is a uniformly random matrix over \(\mathbb {F}_2^{k\times n}\) or it is generated by algorithm \(\mathsf {ME.KeyGen}(n, k, t)\) described above.
When \(n= n(\lambda ), k= k(\lambda ), t= t(\lambda )\), we say that the \(\mathsf {DMcE}(n, k, t)\) problem is hard, if the success probability of any \(\mathrm {PPT}\) distinguisher is at most \(1/2 + \mathsf {negl}(\lambda )\).
Definition 3 (The Decisional Learning Parity with (fixed-weight) Noise problem). The \(\mathsf {DLPN}(k, n, \mathsf {B}(n, t))\) problem is as follows: given a pair \((\mathbf {A}, \mathbf {v}) \in \mathbb {F}_2^{k \times n} \times \mathbb {F}_2^n\), distinguish whether \((\mathbf {A}, \mathbf {v})\) is a uniformly random pair over \(\mathbb {F}_2^{k \times n} \times \mathbb {F}_2^n\) or it is obtained by choosing \(\mathbf {A} \mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^{k \times n}\), \(\mathbf {u} \mathop {\leftarrow }\limits ^{\$}\mathbb {F}_2^k\), \(\mathbf {e} \mathop {\leftarrow }\limits ^{\$}\mathsf {B}(n, t)\) and outputting \((\mathbf {A}, \mathbf {u}\cdot \mathbf {A} \oplus \mathbf {e})\).
When \(k= k(\lambda ), n=n(\lambda ), t=t(\lambda )\), we say that the \(\mathsf {DLPN}(k, n, \mathsf {B}(n, t))\) problem is hard, if the success probability of any \(\mathrm {PPT}\) distinguisher is at most \(1/2 + \mathsf {negl}(\lambda )\).
2.2 Group Signatures
We follow the definition of group signatures provided in [BMW03] for the case of static groups.
Definition 4. A group signature \(\mathcal {GS}= \mathsf {(KeyGen, Sign, Verify, Open)}\) is a tuple of four polynomial-time algorithms:

\(\mathsf {KeyGen}\): This randomized algorithm takes as input \((1^\lambda , 1^{N})\), where \(N \in \mathbb {N}\) is the number of group users, and outputs \(\mathsf {(gpk, gmsk, gsk)}\), where \(\mathsf {gpk}\) is the group public key, \(\mathsf {gmsk}\) is the group manager’s secret key, and \(\mathsf {gsk}= \{\mathsf {gsk}[j]\}_{j \in [0,N-1]}\) with \(\mathsf {gsk}[j]\) being the secret key for the group user of index j.

\(\mathsf {Sign}\): This randomized algorithm takes as input a secret signing key \(\mathsf {gsk}[j]\) for some \(j \in [0, N-1]\) and a message M and returns a group signature \(\varSigma \) on M.

\(\mathsf {Verify}\): This deterministic algorithm takes as input the group public key \(\mathsf {gpk}\), a message M, a signature \(\varSigma \) on M, and returns either 1 \(\mathsf {(Accept)}\) or 0 \(\mathsf {(Reject)}\).

\(\mathsf {Open}\): This deterministic algorithm takes as input the group manager’s secret key \(\mathsf {gmsk}\), a message M, a signature \(\varSigma \) on M, and returns an index \(j \in [0,N-1]\) associated with a particular user, or \(\bot \), indicating failure.
Correctness. The correctness of a group signature scheme requires that for all \(\lambda , N \in \mathbb {N}\), all \(\mathsf {(gpk, gmsk, gsk)}\) produced by \(\textsf {KeyGen}(1^\lambda , 1^N)\), all \(j \in [0,N1]\), and all messages \(M \in \{0,1\}^*\),
Security Notions. A secure group signature scheme must satisfy two security notions:

Traceability requires that all signatures, even those produced by a coalition of group users and the group manager, can be traced back to a member of the coalition.

Anonymity requires that signatures generated by two distinct group users are computationally indistinguishable to an adversary who knows all the user secret keys. In Bellare et al.’s model [BMW03], the anonymity adversary is granted access to an opening oracle (CCA-anonymity). Boneh et al. [BBS04] later proposed a relaxed notion, where the adversary cannot query the opening oracle (CPA-anonymity).

Formal definitions of CPA-anonymity and traceability are as follows.
Definition 5. We say that a group signature \(\mathcal {GS}= \mathsf {(KeyGen, Sign, Verify, Open)}\) is \(\mathsf {CPA}\)-anonymous if for all polynomial \(N(\cdot )\) and any PPT adversaries \(\mathcal {A}\), the advantage of \(\mathcal {A}\) in the following experiment is negligible in \(\lambda \):

1. Run \((\mathsf {gpk}, \mathsf {gmsk}, \mathsf {gsk})\leftarrow \mathsf {KeyGen}(1^{\lambda }, 1^{N})\) and send \((\mathsf {gpk}, \mathsf {gsk})\) to \(\mathcal {A}\).

2. \(\mathcal {A}\) outputs two identities \(j_0,j_1\in [0, N-1]\) with a message M. Choose a random bit b and give \(\mathsf {Sign}(\mathsf {gsk}[j_b], M)\) to \(\mathcal {A}\). Then, \(\mathcal {A}\) outputs a bit \(b'\).

\(\mathcal {A}\) succeeds if \(b'=b\), and the advantage of \(\mathcal {A}\) is defined as \(\left| \Pr [\mathcal {A}~\,succeeds]-\dfrac{1}{2}\right| \).
Definition 6. We say that a group signature \(\mathcal {GS}= \mathsf {(KeyGen, Sign, Verify, Open)}\) is traceable if for all polynomial \(N(\cdot )\) and any PPT adversaries \(\mathcal {A}\), the success probability of \(\mathcal {A}\) in the following experiment is negligible in \(\lambda \):

1. Run \((\mathsf {gpk}, \mathsf {gmsk}, \mathsf {gsk})\leftarrow \mathsf {KeyGen}(1^{\lambda }, 1^{N})\) and send \((\mathsf {gpk}, \mathsf {gmsk})\) to \(\mathcal {A}\).

2. \(\mathcal {A}\) may query the following oracles adaptively and in any order:

(a) A \(\mathcal {O}^\mathsf {Corrupt}\) oracle that on input \(j\in [0, N-1]\), outputs \(\mathsf {gsk}[j]\).

(b) A \(\mathcal {O}^\mathsf {Sign}\) oracle that on input j, a message M, returns \(\mathsf {Sign}(\mathsf {gsk}[j], M)\).

Let CU be the set of identities queried to \(\mathcal {O}^\mathsf {Corrupt}\).

3. Finally, \(\mathcal {A}\) outputs a message \(M^*\) and a signature \(\varSigma ^{*}\).

\(\mathcal {A}\) succeeds if (1) \(\mathsf {Verify}(\mathsf {gpk}, M^*, \varSigma ^*)=1\) and (2) \(\mathsf {Sign}(\mathsf {gsk}[j], M^*)\) was never queried for \(j\notin CU\), yet (3) \(\mathsf {Open}(\mathsf {gmsk}, M^*, \varSigma ^*)\notin CU\).
3 The Underlying Zero-Knowledge Argument System
Recall that a statistical zero-knowledge argument system is an interactive protocol where the soundness property holds for computationally bounded cheating provers, while the zero-knowledge property holds against any cheating verifier. In this section we present a statistical zero-knowledge argument system which will serve as a building block in our group signature scheme in Sect. 4.
Before describing the protocol, we first introduce several supporting notations and techniques. Let \(\ell \) be a positive integer, and let \(N=2^\ell \).

1. For \(\mathbf {x} = (x_0, x_1, \ldots , x_{N-1}) \in \mathbb {F}_2^N\) and for \(j \in [0, N-1]\), we write \(\mathbf {x} = \delta _j^N\) if \(x_j=1\) and \(x_i = 0\) for all \(i \ne j\).

2. We define an encoding function \(\mathsf{Encode}:[0,N-1]\rightarrow \mathbb {F}_2^{2\ell }\) that encodes an integer \(j \in [0, N-1]\), whose binary representation is \(\mathsf{I2B}(j) = (j_{0}, \ldots , j_{\ell -1})\), as the vector:
$$\begin{aligned} \mathsf{Encode}(j) = (1-j_0, j_0, \ldots , 1-j_i, j_i, \ldots , 1- j_{\ell -1}, j_{\ell -1}). \end{aligned}$$

3. Given a vector \(\mathbf {b} = (b_0, \ldots , b_{\ell -1}) \in \{0,1\}^\ell \), we define the following two permutations:

(a) \(T_{\mathbf {b}}: \mathbb {F}_2^N \rightarrow \mathbb {F}_2^N\) that transforms \(\mathbf {x} = (x_0, \ldots , x_{N-1})\) to \((x'_0, \ldots , x'_{N-1})\), where for each \(i \in [0,N-1]\), we have \(x_i = x'_{i^*}\), where \(i^* = \mathsf{B2I}\big (\mathsf{I2B}(i)\oplus \mathbf {b}\big )\).

(b) \(T'_{\mathbf{b}}: \mathbb {F}_2^{2\ell } \rightarrow \mathbb {F}_2^{2\ell }\) that transforms \(\mathbf {f} = (f_0, f_1, \ldots , f_{2i}, f_{2i+1}, \ldots , f_{2(\ell -1)}, f_{2(\ell -1)+1} )\) to \((f_{b_0}, f_{1-b_0}, \ldots , f_{2i+b_i}, f_{2i+ (1-b_i)}, \ldots , f_{2(\ell -1)+ b_{\ell -1}}, f_{2(\ell -1)+ (1- b_{\ell -1})})\).

Observe that, for any \(j \in [0,N-1]\) and any \(\mathbf {b} \in \{0,1\}^\ell \), we have:
Example: Let \(N=2^4\). Let \(j = 6\), then \(\mathsf{I2B}(j) = (0,1,1,0)\) and \(\mathsf{Encode}(j)= (1, 0, 0, 1, 0, 1, 1, 0)\). If \(\mathbf {b} = (1, 0, 1, 0)\), then \(\mathsf{B2I}(\mathsf{I2B}(j)\oplus \mathbf {b})= \mathsf{B2I}(1,1,0,0) = 12\), and we have:
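The notation above, as an added example that is not part of the original paper: a Python implementation of \(\mathsf{I2B}\), \(\mathsf{B2I}\), \(\mathsf{Encode}\), \(\delta_j^N\), \(T_{\mathbf{b}}\) and \(T'_{\mathbf{b}}\), run on the paper's example (\(N=16\), \(j=6\), \(\mathbf{b}=(1,0,1,0)\)) and then checked exhaustively for every \(j\) and \(\mathbf{b}\). It demonstrates the property the protocol of Sect. 3.1 relies on: with \(j^* = \mathsf{B2I}(\mathsf{I2B}(j)\oplus\mathbf{b})\), \(T_{\mathbf{b}}\) sends \(\delta_j^N\) to \(\delta_{j^*}^N\) and \(T'_{\mathbf{b}}\) sends \(\mathsf{Encode}(j)\) to \(\mathsf{Encode}(j^*)\); both maps are involutions, so the converse directions hold as well; and for fixed \(j\) the map \(\mathbf{b}\mapsto j^*\) is a bijection, which is why a uniform \(\mathbf{b}\) hides \(j\). The bit ordering of \(\mathsf{I2B}\) (most significant bit first) is an assumption chosen to match the example's values; the last function illustrates why a witness that is not a unit vector or not a valid encoding can never pass the verifier's check.

```python
from itertools import product

def i2b(j, ell):
    """I2B: j in [0, 2^ell - 1] -> its ell-bit binary representation, most significant
    bit first (an assumption; it matches the paper's example I2B(6) = (0,1,1,0))."""
    return tuple((j >> (ell - 1 - i)) & 1 for i in range(ell))

def b2i(bits):
    """B2I: inverse of I2B."""
    v = 0
    for bit in bits:
        v = (v << 1) | bit
    return v

def encode(j, ell):
    """Encode(j) = (1-j_0, j_0, ..., 1-j_{ell-1}, j_{ell-1}) in F_2^{2 ell}."""
    return tuple(bit for jb in i2b(j, ell) for bit in (1 - jb, jb))

def delta(j, N):
    """delta_j^N: the length-N unit vector with its single 1 at index j."""
    return tuple(1 if i == j else 0 for i in range(N))

def j_star(j, b):
    """The index the prover reveals in Sect. 3.1: B2I(I2B(j) xor b)."""
    return b2i(tuple(u ^ v for u, v in zip(i2b(j, len(b)), b)))

def t_perm(b, x):
    """T_b on F_2^N: coordinate i of x is moved to position B2I(I2B(i) xor b)."""
    out = [0] * len(x)
    for i, xi in enumerate(x):
        out[j_star(i, b)] = xi
    return tuple(out)

def t_prime_perm(b, f):
    """T'_b on F_2^{2 ell}: the i-th pair (f_{2i}, f_{2i+1}) is swapped iff b_i = 1."""
    return tuple(f[2 * i + bit] for i, bi in enumerate(b) for bit in (bi, 1 - bi))

def worked_example():
    """The paper's example: N = 16, j = 6, b = (1,0,1,0)."""
    ell, j, b = 4, 6, (1, 0, 1, 0)
    N, js = 1 << ell, j_star(j, b)
    return {
        "I2B(j)": i2b(j, ell),
        "Encode(j)": encode(j, ell),
        "j_star": js,
        "T_b(delta_j)": t_perm(b, delta(j, N)),
        "T'_b(Encode(j))": t_prime_perm(b, encode(j, ell)),
        "Encode(j_star)": encode(js, ell),
    }

def check_equivalences(ell):
    """For every j and b: T_b(delta_j) = delta_{j*} and T'_b(Encode(j)) = Encode(j*);
    both maps are involutions (so the converse directions hold too); and for fixed j the
    map b -> j* is a bijection, i.e. a uniform b makes the revealed index independent of j."""
    N = 1 << ell
    for j in range(N):
        x, f, revealed = delta(j, N), encode(j, ell), set()
        for b in product((0, 1), repeat=ell):
            js = j_star(j, b)
            revealed.add(js)
            if t_perm(b, x) != delta(js, N) or t_prime_perm(b, f) != encode(js, ell):
                return False
            if t_perm(b, t_perm(b, x)) != x or t_prime_perm(b, t_prime_perm(b, f)) != f:
                return False
        if revealed != set(range(N)):
            return False
    return True

def cheating_witness_rejected(ell):
    """Soundness intuition: T_b and T'_b are permutations of coordinates, so they preserve
    Hamming weight. A vector that is not a unit vector (here delta_0 + delta_1) or not a
    valid encoding (here a pair (1,1)) is never mapped to one, whatever b is."""
    N = 1 << ell
    bad_x = tuple(1 if i in (0, 1) else 0 for i in range(N))
    bad_f = (1, 1) + encode(0, ell)[2:]
    units = {delta(j, N) for j in range(N)}
    encodings = {encode(j, ell) for j in range(N)}
    return all(t_perm(b, bad_x) not in units and t_prime_perm(b, bad_f) not in encodings
               for b in product((0, 1), repeat=ell))
```

Running `worked_example()` reproduces the values in the example: \(j^* = 12\), \(T_{\mathbf{b}}(\delta_6^{16}) = \delta_{12}^{16}\) and \(T'_{\mathbf{b}}(\mathsf{Encode}(6)) = (0,1,0,1,1,0,1,0) = \mathsf{Encode}(12)\).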
3.1 The Interactive Protocol
We now present our interactive zero-knowledge argument of knowledge (ZKAoK). Let \(n, k, t, m, r, \omega , \ell \) be positive integers, and \(N = 2^\ell \). The public input consists of matrices \(\mathbf{G}\in \mathbb {F}_2^{k\times n}\), \(\mathbf {H} \in \mathbb {F}_2^{r \times m}\); N syndromes \(\mathbf {y}_0, \ldots , \mathbf {y}_{N-1}\in \mathbb {F}_2^r\); and a vector \(\mathbf {c} \in \mathbb {F}_2^{n}\). The protocol allows prover \(\mathcal {P}\) to simultaneously convince verifier \(\mathcal {V}\) in zero-knowledge that \(\mathcal {P}\) possesses a vector \(\mathbf {s}\in \mathsf {B}(m, \omega )\) corresponding to a certain syndrome \(\mathbf {y}_j \in \{\mathbf {y}_0, \ldots , \mathbf {y}_{N-1}\}\) with hidden index j, and that \(\mathbf {c}\) is a correct encryption of \(\mathsf{I2B}(j)\) via the randomized McEliece encryption. Specifically, the secret witness of \(\mathcal {P}\) is a tuple \((j,\mathbf {s},\mathbf {u},\mathbf {e}) \in [0, N-1] \times \mathbb {F}_2^{m} \times \mathbb {F}_2^{k - \ell } \times \mathbb {F}_2^{n}\) satisfying:
Let \(\mathbf {A} = \big [\mathbf {y}_0^\top \mid \cdots \mid \mathbf {y}_j^\top \mid \cdots \mid \mathbf {y}_{N-1}^\top \big ] \in \mathbb {F}_2^{r \times N}\) and \(\mathbf {x} = \delta _j^N\). We have \(\mathbf {A}\cdot \mathbf {x}^\top = \mathbf {y}_j^\top \), and thus, the equation \(\mathbf {H}\cdot \mathbf {s}^\top = \mathbf {y}_j^\top \) can be written as \(\mathbf {H}\cdot \mathbf {s}^\top \oplus \mathbf {A}\cdot \mathbf {x}^\top = \mathbf {0}\).
Let \(\widehat{\mathbf {G}} \in \mathbb {F}_2^{(k + \ell ) \times n}\) be the matrix obtained from \(\mathbf {G} \in \mathbb {F}_2^{k \times n}\) by replacing its last \(\ell \) rows \(\mathbf {g}_{k-\ell +1}, \mathbf {g}_{k - \ell + 2}, \ldots , \mathbf {g}_{k}\) by the \(2\ell \) rows \(\mathbf {0}^n, \mathbf {g}_{k-\ell +1}, \mathbf {0}^n, \mathbf {g}_{k - \ell + 2}, \ldots , \mathbf {0}^n, \mathbf {g}_k\). We then observe that \(\big (\mathbf {u} \Vert \mathsf{I2B}(j)\big )\cdot \mathbf{G}= \big (\mathbf {u} \Vert \mathsf{Encode}(j)\big )\cdot \widehat{\mathbf{G}}\).
Let \(\mathbf {f} = \mathsf{Encode}(j)\), then (6) can be equivalently rewritten as:
To obtain a ZKAoK for relation (7) in Stern’s framework [Ste96], \(\mathcal {P}\) proceeds as follows:

– To prove that \(\mathbf {x} = \delta _j^N\) and \(\mathbf {f} = \mathsf{Encode}(j)\) while keeping j secret, prover \(\mathcal {P}\) samples a uniformly random vector \(\mathbf {b} \in \{0,1\}^\ell \), sends \(\mathbf {b}_1 = \mathsf{I2B}(j)\oplus \mathbf {b}\), and shows that:
$$\begin{aligned} T_{\mathbf {b}}(\mathbf {x}) = \delta ^N_{\mathsf{B2I}(\mathbf {b}_1)} \wedge T'_{\mathbf {b}}(\mathbf {f})= \mathsf{Encode}(\mathsf{B2I}(\mathbf {b}_1)). \end{aligned}$$By the equivalences observed in (4) and (5), the verifier will be convinced about the facts to prove. Furthermore, since \(\mathbf {b}\) essentially acts as a “one-time pad”, the secret j is perfectly hidden.

– To prove in zero-knowledge that \(\mathbf {s} \in \mathsf {B}(m, \omega )\), \(\mathcal {P}\) samples a uniformly random permutation \(\pi \in \mathsf {S}_m\), and shows that \(\pi (\mathbf {s}) \in \mathsf {B}(m, \omega )\). Similarly, to prove in zero-knowledge that \(\mathbf {e} \in \mathsf {B}(n, t)\), a uniformly random permutation \(\sigma \in \mathsf {S}_{n}\) is employed.

– Finally, to prove the linear equations in zero-knowledge, \(\mathcal {P}\) samples uniformly random “masking” vectors \((\mathbf {r}_{\mathbf {s}}, \mathbf {r}_{\mathbf {x}}, \mathbf {r}_{\mathbf {u}}, \mathbf {r}_{\mathbf {f}}, \mathbf {r}_{{\mathbf {e}}})\), and shows that:
$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {H}\cdot (\mathbf {s} \oplus \mathbf {r}_{\mathbf {s}})^\top \oplus \mathbf {A}\cdot (\mathbf {x} \oplus \mathbf {r}_{\mathbf {x}})^\top = \mathbf {H}\cdot \mathbf {r}_{\mathbf {s}}^\top \oplus \mathbf {A}\cdot \mathbf {r}_{\mathbf {x}}^\top ; \\ \big (\mathbf {u}\oplus \mathbf {r}_{\mathbf {u}} \Vert \mathbf {f}\oplus \mathbf {r}_{\mathbf {f}}\big )\cdot \widehat{\mathbf{G}} \oplus ({\mathbf {e}}\oplus \mathbf {r}_{{\mathbf {e}}}) \oplus \mathbf {c} = \big (\mathbf {r}_{\mathbf {u}} \Vert \mathbf {r}_{\mathbf {f}}\big )\cdot \widehat{\mathbf{G}} \oplus \mathbf {r}_{{\mathbf {e}}}. \end{array}\right. } \end{aligned}$$(8)
Now let \(\mathrm {COM}: \{0,1\}^* \rightarrow \{0,1\}^\lambda \) be a collision-resistant hash function, to be modelled as a random oracle. Prover \(\mathcal {P}\) and verifier \(\mathcal {V}\) first perform the preparation steps described above, and then interact as described in Fig. 1.
3.2 Analysis of the Protocol
The properties of our protocol are summarized in the following theorem.
Theorem 1
The interactive protocol described in Sect. 3.1 has perfect completeness, and has communication cost bounded by \(\beta = (N + 3\log N) + m(\log m +1) + n(\log n +1) + k + 5\lambda \) bits. If \(\mathrm {COM}\) is modelled as a random oracle, then the protocol is statistical zero-knowledge. If \(\mathrm {COM}\) is a collision-resistant hash function, then the protocol is an argument of knowledge.
Completeness. It can be seen that the given interactive protocol is perfectly complete, i.e., if \(\mathcal {P}\) possesses a valid witness \((j , \mathbf {s}, \mathbf {u}, \mathbf {e})\) and follows the protocol, then \(\mathcal {V}\) always outputs 1. Indeed, given \((j , \mathbf {s}, \mathbf {u}, \mathbf {e})\) satisfying (6), \(\mathcal {P}\) can always obtain \((j, \mathbf {s}, \mathbf {x}, \mathbf {u}, \mathbf {f}, {\mathbf {e}})\) satisfying (7). Then, as discussed above, the following are true:
As a result, \(\mathcal {P}\) always passes \(\mathcal {V}\)’s checks in the case \(\text {Ch}=1\). In the case \(\text {Ch}=2\), since the linear equations in (8) hold true, \(\mathcal {P}\) also passes the verification. Finally, in the case \(\text {Ch}=3\), it suffices to note that \(\mathcal {V}\) simply checks for honest computations of \(c_1\) and \(c_2\).
Communication Cost. The commitment CMT has bit-size \(3\lambda \). If \(\mathrm {Ch}=1\), then the response RSP has bit-size \(3\ell + N + 2(m +n + \lambda )\). In each of the cases \(\mathrm {Ch}=2\) and \(\mathrm {Ch}=3\), RSP has bit-size \(2\ell + N + m(\log m + 1) + n(\log n + 1) + k + 2\lambda \). Therefore, the total communication cost (in bits) of the protocol is less than the bound \(\beta \) specified in Theorem 1.
Zero-Knowledge Property. The following lemma says that our interactive protocol is statistically zero-knowledge if COM is modelled as a random oracle.
Lemma 2
In the random oracle model, there exists an efficient simulator \(\mathcal {S}\) interacting with a (possibly cheating) verifier \(\widehat{\mathcal {V}}\), such that, given only the public input of the protocol, \(\mathcal {S}\) outputs with probability negligibly close to 2/3 a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
Argument of Knowledge Property. The next lemma states that our protocol satisfies the special soundness property of \(\varSigma \)-protocols, which implies that it is an argument of knowledge [Gro04].
Lemma 3
Let \(\mathrm {COM}\) be a collision-resistant hash function. Given the public input of the protocol, a commitment \(\mathsf {CMT}\) and 3 valid responses \(\mathsf {RSP}_1, \mathsf {RSP}_2, \mathsf {RSP}_3\) to all 3 possible values of the challenge \(\mathrm {Ch}\), one can efficiently construct a knowledge extractor \(\mathcal {E}\) that outputs a tuple \((j', \mathbf {s}', \mathbf {u}', \mathbf {e}')\in [0, N-1] \times \mathbb {F}_2^{m} \times \mathbb {F}_2^{k - \ell } \times \mathbb {F}_2^{n}\) such that:
The proofs of Lemmas 2 and 3 employ the standard simulation and extraction techniques for Stern-type protocols (e.g., [Ste96, KTX08, LNSW13]). These proofs are omitted here due to space constraints. They can be found in the full version of this paper [ELL+15].
4 Our Code-Based Group Signature Scheme
4.1 Description of the Scheme
Our group signature scheme is described as follows:

KeyGen \((1^\lambda , 1^N)\): On input a security parameter \(\lambda \) and an expected number of group users \(N=2^{\ell } \in \mathsf {poly}(\lambda )\), for some positive integer \(\ell \), this algorithm first selects the following:
– Parameters \(n= n(\lambda ), k= k(\lambda ), t= t(\lambda )\) for a binary \([n, k, 2t+1]\) Goppa code.
– Parameters \(m = m(\lambda ), r= r(\lambda ), \omega = \omega (\lambda )\) for the Syndrome Decoding problem, such that
$$\begin{aligned} r \le \log \left( {\begin{array}{c}m\\ \omega \end{array}}\right) - 2\lambda - \mathcal {O}(1). \end{aligned}$$(9)
– Two collision-resistant hash functions, to be modelled as random oracles:
1. \(\mathrm {COM}: \{0,1\}^* \rightarrow \{0,1\}^\lambda \), to be used for generating zero-knowledge arguments.
2. \(\mathcal {H}:\{0,1\}^{*}\rightarrow \{1,2,3\}^\kappa \) (where \(\kappa = \omega (\log {\lambda })\)), to be used in the Fiat-Shamir transformation.
The algorithm then performs the following steps:
1. Run \(\mathsf {ME.KeyGen}(n, k, t)\) to obtain a key pair \(\big (\mathsf {pk_{ME}}=\mathbf{G}\in \mathbb {F}_{2}^{k\times n}; \mathsf {sk_{ME}}\big )\) for the randomized McEliece encryption scheme with respect to a binary \([n, k, 2t+1]\) Goppa code. The plaintext space is \(\mathbb {F}_{2}^{\ell }\).
2. Choose a matrix \(\mathbf{H}\xleftarrow {\$} \mathbb {F}_2^{r \times m}\).
3. For each \(j \in [0, N-1]\), pick \(\mathbf {s}_j \xleftarrow {\$} \mathsf {B}(m, \omega )\), and let \(\mathbf {y}_j \in \mathbb {F}_2^{r}\) be its syndrome, i.e., \(\mathbf {y}_j^\top =\mathbf{H}\cdot \mathbf {s}_j^{\top }\).
Remark 1. We note that, for parameters \(m, r, \omega \) satisfying condition (9), the distribution of the syndrome \(\mathbf {y}_j\), for every \(j \in [0, N-1]\), is statistically close to the uniform distribution over \(\mathbb {F}_2^r\) (by Lemma 1).
4. Output
$$\begin{aligned} \big (\mathsf {gpk} = (\mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}), \mathsf {gmsk} = \mathsf {sk_{ME}}, \mathsf {gsk}= (\mathbf {s}_0, \ldots , \mathbf {s}_{N-1})\big ). \end{aligned}$$(10)

Sign \((\mathsf {gsk}[j], M)\): To sign a message \(M \in \{0,1\}^*\) under \(\mathsf {gpk}\), the group user of index j, who possesses secret key \(\mathbf {s} = \mathsf {gsk}[j]\), performs the following steps:
1. Encrypt the binary representation of j, i.e., the vector \(\mathsf{I2B}(j) \in \mathbb {F}_2^\ell \), under the randomized McEliece encrypting key \(\mathbf {G}\). This is done by sampling \((\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }, \mathbf {e} \xleftarrow {\$} \mathsf {B}(n, t))\) and outputting the ciphertext:
$$\begin{aligned} \mathbf {c} = \big (\mathbf {u}\Vert \mathsf{I2B}(j)\big )\cdot \mathbf{G}\oplus \mathbf {e} \in \mathbb {F}_2^{n}. \end{aligned}$$
2. Generate a NIZKAoK \(\varPi \) to simultaneously prove in zero-knowledge the possession of a vector \(\mathbf {s}\in \mathsf {B}(m, \omega )\) corresponding to a certain syndrome \(\mathbf {y}_j \in \{\mathbf {y}_0, \ldots , \mathbf {y}_{N-1}\}\) with hidden index j, and that \(\mathbf {c}\) is a correct McEliece encryption of \(\mathsf{I2B}(j)\). This is done by employing the interactive argument system in Sect. 3 with public input \((\mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}, \mathbf {c})\), and prover’s witness \((j,\mathbf {s},\mathbf {u},\mathbf {e})\) that satisfies:
$$\begin{aligned} {\left\{ \begin{array}{ll} \mathbf {H}\cdot \mathbf {s}^\top = \mathbf {y}_j^\top \wedge \mathbf {s} \in \mathsf {B}(m, \omega );\\ \big (\mathbf {u} \Vert \mathsf{I2B}(j)\big )\cdot \mathbf{G}\oplus \mathbf {e} = \mathbf {c} \wedge \mathbf {e} \in \mathsf {B}(n, t). \end{array}\right. } \end{aligned}$$(11)The protocol is repeated \(\kappa =\omega (\log {\lambda })\) times to achieve negligible soundness error, and then made non-interactive using the Fiat-Shamir heuristic. Namely, we have
$$\begin{aligned} \varPi = \big (\mathsf{CMT}^{(1)}, \ldots , \mathsf{CMT}^{(\kappa )}; (\mathsf{Ch}^{(1)}, \ldots , \mathsf{Ch}^{(\kappa )});\mathsf{RSP}^{(1)}, \ldots , \mathsf{RSP}^{(\kappa )} \big ), \end{aligned}$$(12)where \((\mathsf{Ch}^{(1)}, \ldots , \mathsf{Ch}^{(\kappa )}) = \mathcal {H}\big (M; \mathsf{CMT}^{(1)}, \ldots , \mathsf{CMT}^{(\kappa )}; \mathsf {gpk}, \mathbf {c}\big ) \in \{1,2,3\}^\kappa .\)
3. Output the group signature \(\varSigma =(\mathbf {c}, \varPi )\).

Verify \((\mathsf {gpk}, M, \varSigma )\): Parse \(\varSigma \) as \((\mathbf {c}, \varPi )\) and parse \(\varPi \) as in (12). Then proceed as follows:
1. If \((\mathsf{Ch}^{(1)}, \ldots , \mathsf{Ch}^{(\kappa )}) \ne \mathcal {H}\big (M; \mathsf{CMT}^{(1)}, \ldots , \mathsf{CMT}^{(\kappa )}; \mathsf {gpk}, \mathbf {c}\big )\), then return 0.
2. For \(i=1\) to \(\kappa \), run the verification step of the interactive protocol in Sect. 3 with public input \((\mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}, \mathbf {c})\) to check the validity of \(\mathsf{RSP}^{(i)}\) with respect to \(\mathsf{CMT}^{(i)}\) and \(\mathsf{Ch}^{(i)}\). If any of the verification conditions does not hold, then return 0.
3. Return 1.

Open \((\mathsf {gmsk}, M, \varSigma )\): Parse \(\varSigma \) as \((\mathbf {c}, \varPi )\) and run \(\mathsf {ME.Dec}(\mathsf {gmsk},\mathbf {c})\) to decrypt \(\mathbf {c}\). If decryption fails, then return \(\bot \). If decryption outputs \(\mathbf {g} \in \mathbb {F}_2^\ell \), then return \(j = \mathsf{B2I}(\mathbf {g}) \in [0,N-1]\).
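The challenge hash \(\mathcal{H}:\{0,1\}^*\rightarrow\{1,2,3\}^\kappa\) used in (12) and recomputed in step 1 of Verify, as an added example that is not from the paper or its implementation: Sect. 5 only states that SHA-3 was used for the hash functions, so the SHAKE256 instantiation, the domain-separation tag and the length-prefixed serialization of \((M; \mathsf{CMT}^{(1)},\ldots,\mathsf{CMT}^{(\kappa)}; \mathsf{gpk}, \mathbf{c})\) are assumptions of this example. It shows the two details an implementation of the Fiat-Shamir step must get right: the hash input must parse unambiguously (otherwise two different (message, commitment, ciphertext) triples could share a challenge vector), and the mapping from hash output to \(\{1,2,3\}\) must be exactly uniform, which reducing a byte modulo 3 is not; the example uses rejection sampling on 2-bit chunks instead. The sample message, commitments, key and ciphertext are constructed placeholders.

```python
import hashlib

DOMAIN_TAG = b"code-based-GS/FS-challenge/v1"   # assumption: any fixed, unique tag

def _field(b: bytes) -> bytes:
    """Length-prefix a field so that the concatenation parses unambiguously."""
    return len(b).to_bytes(4, "big") + b

def challenge_input(message: bytes, cmts, gpk: bytes, c: bytes) -> bytes:
    """Serialization of the random-oracle input (M; CMT^(1), ..., CMT^(kappa); gpk, c)."""
    out = DOMAIN_TAG + _field(message) + len(cmts).to_bytes(4, "big")
    for cmt in cmts:
        out += _field(cmt)
    return out + _field(gpk) + _field(c)

def derive_challenges(message: bytes, cmts, gpk: bytes, c: bytes, kappa: int):
    """H(M; CMT; gpk, c) in {1,2,3}^kappa. SHAKE256 plays the random oracle; every 2-bit
    chunk of its output is uniform on {0,1,2,3}; chunks equal to 3 are discarded, so the
    surviving chunks are exactly uniform on {0,1,2} and map to the challenges 1, 2, 3."""
    if kappa <= 0:
        return []
    xof = hashlib.shake_256(challenge_input(message, cmts, gpk, c))
    nbytes = kappa                      # 4 chunks per byte, about 3 kept: enough on average
    while True:
        challenges = []
        for byte in xof.digest(nbytes):  # digest(n) is always a prefix of digest(2n)
            for shift in (6, 4, 2, 0):
                chunk = (byte >> shift) & 3
                if chunk != 3:
                    challenges.append(chunk + 1)
                    if len(challenges) == kappa:
                        return challenges
        nbytes *= 2                     # too many rejections: extend the XOF output

def verify_challenges(sig_challenges, message: bytes, cmts, gpk: bytes, c: bytes) -> bool:
    """Step 1 of Verify: recompute H and compare with the challenges carried in Pi."""
    expected = derive_challenges(message, cmts, gpk, c, len(sig_challenges))
    return list(sig_challenges) == expected

def modulo_bias_counts():
    """Why not 'byte % 3 + 1'? Over the 256 byte values the outcomes 1, 2, 3 occur
    86, 85 and 85 times, so the challenge distribution would be biased towards 1."""
    counts = [0, 0, 0]
    for byte in range(256):
        counts[byte % 3] += 1
    return counts

def demo(kappa: int = 40):
    """Sign-side derivation, verifier-side recomputation, and a tampered ciphertext."""
    # constructed sample inputs, not real signature material
    message = b"approve purchase order 4711"
    cmts = [hashlib.sha3_256(b"CMT" + i.to_bytes(2, "big")).digest() for i in range(kappa)]
    gpk, c = b"\x01" * 64, b"\x02" * 32
    ch = derive_challenges(message, cmts, gpk, c, kappa)
    c_tampered = bytes([c[0] ^ 1]) + c[1:]
    return {
        "challenges": ch,
        "verifies": verify_challenges(ch, message, cmts, gpk, c),
        "verifies_after_tampering": verify_challenges(ch, message, cmts, gpk, c_tampered),
    }
```

Binding \(\mathsf{gpk}\) and \(\mathbf{c}\) into the hash, as (12) prescribes, is what makes the challenge vector in a signature useless against a different ciphertext: in `demo()` flipping one bit of \(\mathbf{c}\) changes the expected challenges and step 1 of Verify rejects.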
The efficiency, correctness, and security aspects of the above group signature scheme are summarized in the following theorem.
Theorem 2
The given group signature scheme is correct. The public key has bit-size \(nk + (m+N)r\), and signatures have bit-size bounded by \(\big ((N + 3\log N) + m(\log m +1) + n(\log n +1) + k + 5\lambda \big )\kappa +n\). Furthermore, in the random oracle model:

– If the Decisional McEliece problem \(\mathsf {DMcE}(n, k, t)\) and the Decisional Learning Parity with fixed-weight Noise problem \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) are hard, then the scheme is \(\mathsf {CPA}\)-anonymous.

– If the Syndrome Decoding problem \(\mathsf {SD}(m, r, \omega )\) is hard, then the scheme is traceable.
4.2 Efficiency and Correctness
Efficiency. It is clear from (10) that \(\mathsf {gpk}\) has bit-size \(nk + (m+N)r\). The length of the NIZKAoK \(\varPi \) is \(\kappa \) times the communication cost of the underlying interactive protocol. Thus, by Theorem 1, \(\varSigma =(\mathbf {c}, \varPi )\) has bit-size bounded by \(\big ((N + 3\log N) + m(\log m +1) + n(\log n +1) + k + 5\lambda \big )\kappa +n\).
Correctness. To see that the given group signature scheme is correct, first observe that the honest user with index j, for any \(j \in [0, N1]\), can always obtain a tuple \((j,\mathbf {s},\mathbf {u},\mathbf {e})\) satisfying (11). Then, since the underlying interactive protocol is perfectly complete, \(\varPi \) is a valid NIZKAoK and algorithm \(\mathsf {Verify}(\mathsf {gpk}, M, \varSigma )\) always outputs 1, for any message \(M \in \{0,1\}^*\).
Regarding the correctness of algorithm Open, it suffices to note that, if the ciphertext \(\mathbf {c}\) is of the form \(\mathbf {c} = \big (\mathbf {u}\Vert \mathsf{I2B}(j)\big )\cdot \mathbf{G}\oplus \mathbf {e}\), where \(\mathbf {e} \in \mathsf {B}(n, t)\), then, by the correctness of the randomized McEliece encryption scheme, algorithm \(\mathsf {ME.Dec}(\mathsf {gmsk},\mathbf {c})\) will output \(\mathsf{I2B}(j)\).
4.3 Anonymity
Let \(\mathcal {A}\) be any PPT adversary attacking the CPA-anonymity of the scheme with advantage \(\epsilon \). We will prove that \(\epsilon =\mathsf {negl}(\lambda )\) based on the ZK property of the underlying argument system, and the assumed hardness of the \(\mathsf {DMcE}(n, k, t)\) and the \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) problems. Specifically, we consider the following sequence of hybrid experiments \(G_0^{(b)}, G_1^{(b)}, G_2^{(b)}, G_3^{(b)}\) and \(G_4\).
Experiment \({G_0^{(b)}}\). This is the real CPAanonymity game. The challenger runs \(\mathsf {KeyGen}(1^\lambda , 1^N)\) to obtain
and then gives \(\mathsf {gpk}\) and \(\{\mathsf {gsk}[j]\}_{j \in [0, N-1]}\) to \(\mathcal {A}\). In the challenge phase, \(\mathcal {A}\) outputs a message \(M^*\) together with two indices \(j_0, j_1 \in [0, N-1]\). The challenger sends back a challenge signature \(\varSigma ^* = (\mathbf {c}^*, \varPi ^*) \leftarrow \mathsf {Sign}(\mathsf {gsk}[j_b], M^*)\), where \(\mathbf {c}^* = \big (\mathbf {u}\Vert \mathsf{I2B}(j_b)\big )\cdot \mathbf{G}\oplus \mathbf {e}\), with \(\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }\) and \(\mathbf {e} \xleftarrow {\$} \mathsf {B}(n, t)\). The adversary then outputs a bit \(b'\) with \(b' = b\) with probability \(1/2 + \epsilon \).
Experiment \({G_1^{(b)}}\). In this experiment, we introduce the following modification in the challenge phase: instead of faithfully generating the NIZKAoK \(\varPi ^*\), the challenger simulates it as follows:

1.
Compute \(\mathbf {c}^* \in \mathbb {F}_2^{n}\) as in experiment \(G_0^{(b)}\).

2.
Run the simulator of the underlying interactive protocol in Sect. 3 \(\kappa = \omega (\log \lambda )\) times on input \((\mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}, \mathbf {c}^*)\), and then program the random oracle \(\mathcal {H}\) accordingly.

3.
Output the simulated NIZKAoK \(\varPi ^*\).
Since the underlying argument system is statistically zeroknowledge, \(\varPi ^*\) is statistically close to the real NIZKAoK. As a result, the simulated signature \(\varSigma ^* = \big (\mathbf {c}^*, \varPi ^*\big )\) is statistically close to the one in experiment \(G_0^{(b)}\). It then follows that \(G_0^{(b)}\) and \(G_1^{(b)}\) are indistinguishable from \(\mathcal {A}\)’s view.
Experiment \({G_2^{(b)}}\). In this experiment, we make the following change with respect to \(G_1^{(b)}\): the encrypting key \(\mathbf{G}\) obtained from \(\mathsf {ME.KeyGen}(n, k, t)\) is replaced by a uniformly random matrix \(\mathbf{G}\xleftarrow {\$} \mathbb {F}_2^{k\times n}\). We will demonstrate in Lemma 4 that experiments \(G_1^{(b)}\) and \(G_2^{(b)}\) are computationally indistinguishable based on the assumed hardness of the \(\mathsf {DMcE}(n, k, t)\) problem.
Lemma 4
If \(\mathcal {A}\) can distinguish experiments \(G_1^{(b)}\) and \(G_2^{(b)}\) with probability non-negligibly larger than 1/2, then there exists an efficient distinguisher \(\mathcal {D}_1\) solving the \(\mathsf {DMcE}(n, k, t)\) problem with the same probability.
Proof
An instance of the \(\mathsf {DMcE}(n, k, t)\) problem is a matrix \(\mathbf{G}^* \in \mathbb {F}_2^{k\times n}\) which can either be uniformly random, or be generated by \(\mathsf {ME.KeyGen}(n, k, t)\). Distinguisher \(\mathcal {D}_1\) receives a challenge instance \(\mathbf{G}^*\) and uses \(\mathcal {A}\) to distinguish between the two. It interacts with \(\mathcal {A}\) as follows.

Setup. Generate \((\mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1})\) and \((\mathsf {gsk}[0], \ldots , \mathsf {gsk}[N-1])\) as in the real scheme. Then, send the following to \(\mathcal {A}\):
$$\begin{aligned} \big (\mathsf {gpk}^* = (\mathbf{G}^*, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}), \mathsf {gsk}= (\mathsf {gsk}[0], \ldots , \mathsf {gsk}[N-1])\big ). \end{aligned}$$
Challenge. Receiving the challenge \((M^*, j_0, j_1)\), \(\mathcal {D}_1\) proceeds as follows:
1. Pick \(b \xleftarrow {\$} \{0,1\}\), and compute \(\mathbf {c}^* = \big (\mathbf {u}\Vert \mathsf{I2B}(j_b)\big )\cdot \mathbf{G}^* \oplus \mathbf {e}\), where \(\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }\) and \(\mathbf {e} \xleftarrow {\$} \mathsf {B}(n, t)\).
2. Simulate the NIZKAoK \(\varPi ^*\) on input \((\mathbf{G}^*, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}, \mathbf {c}^*)\), and output \(\varSigma ^* = \big (\mathbf {c}^*, \varPi ^*\big )\).

We observe that if \(\mathbf{G}^*\) is generated by \(\mathsf {ME.KeyGen}(n, k, t)\) then the view of \(\mathcal {A}\) in the interaction with \(\mathcal {D}_1\) is statistically close to its view in experiment \(G_1^{(b)}\) with the challenger. On the other hand, if \(\mathbf{G}^*\) is uniformly random, then \(\mathcal {A}\)’s view is statistically close to its view in experiment \(G_2^{(b)}\). Therefore, if \(\mathcal {A}\) can guess whether it is interacting with the challenger in \(G_1^{(b)}\) or \(G_2^{(b)}\) with probability non-negligibly larger than 1/2, then \(\mathcal {D}_1\) can use \(\mathcal {A}\)’s guess to solve the challenge instance \(\mathbf{G}^*\) of the \(\mathsf {DMcE}(n, k, t)\) problem, with the same probability. \(\square \)
Experiment \({G_3^{(b)}}\). Recall that in experiment \(G_2^{(b)}\), we have
where \(\mathbf{G}_1 \in \mathbb {F}_2^{(k - \ell ) \times n}\), \(\mathbf{G}_2 \in \mathbb {F}_2^{\ell \times n}\) such that \(\Big [\frac{\mathbf {G}_1}{\mathbf {G}_2}\Big ]= \mathbf{G}\); and \(\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }\), \(\mathbf {e} \xleftarrow {\$} \mathsf {B}(n, t)\).
In experiment \(G_3^{(b)}\), the generation of \(\mathbf {c}^*\) is modified as follows: we instead let \(\mathbf {c}^* = \mathbf {v} \oplus \mathsf{I2B}(j_b)\cdot \mathbf{G}_2\), where \(\mathbf {v} \xleftarrow {\$} \mathbb {F}_2^{n}\). Experiments \(G_2^{(b)}\) and \(G_3^{(b)}\) are computationally indistinguishable based on the assumed hardness of the \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) problem, as shown in Lemma 5.
Lemma 5
If \(\mathcal {A}\) can distinguish experiments \(G_2^{(b)}\) and \(G_3^{(b)}\) with probability non-negligibly larger than 1/2, then there exists an efficient distinguisher \(\mathcal {D}_2\) solving the \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) problem with the same probability.
Proof
An instance of the \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) problem is a pair \((\mathbf {B}, \mathbf {v}) \in \mathbb {F}_2^{(k - \ell ) \times n} \times \mathbb {F}_2^{n}\), where \(\mathbf {B}\) is uniformly random, and \(\mathbf {v}\) is either uniformly random or of the form \(\mathbf {v} = \mathbf {u} \cdot \mathbf {B} \oplus \mathbf {e}\), for \((\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }; \mathbf {e} \xleftarrow {\$} \mathsf {B}(n, t))\). Distinguisher \(\mathcal {D}_2\) receives a challenge instance \((\mathbf {B}, \mathbf {v})\) and uses \(\mathcal {A}\) to distinguish between the two. It interacts with \(\mathcal {A}\) as follows.

Setup. Pick \(\mathbf{G}_2 \xleftarrow {\$} \mathbb {F}_2^{\ell \times n}\) and let \(\mathbf{G}^* = \big [\frac{\mathbf {B}}{\mathbf{G}_2}\big ]\). Generate \((\mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1})\) and \((\mathsf {gsk}[0], \ldots , \mathsf {gsk}[N-1])\) as in the real scheme, and send the following to \(\mathcal {A}\):
$$\begin{aligned} \big (\mathsf {gpk}^* = (\mathbf{G}^*, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}), \mathsf {gsk}= (\mathsf {gsk}[0], \ldots , \mathsf {gsk}[N-1])\big ). \end{aligned}$$
Challenge. Receiving the challenge \((M^*, j_0, j_1)\), \(\mathcal {D}_2\) proceeds as follows:
1. Pick \(b \xleftarrow {\$} \{0,1\}\), and let \(\mathbf {c}^* = \mathbf {v} \oplus \mathsf{I2B}(j_b)\cdot \mathbf{G}_2\), where \(\mathbf {v}\) comes from the challenge DLPN instance.
2. Simulate the NIZKAoK \(\varPi ^*\) on input \((\mathbf{G}^*, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}, \mathbf {c}^*)\), and output \(\varSigma ^* = \big (\mathbf {c}^*, \varPi ^*\big )\).

We observe that if \(\mathcal {D}_2\)’s input pair \((\mathbf {B}, \mathbf {v})\) is of the form \((\mathbf {B}, \mathbf {v}= \mathbf {u} \cdot \mathbf {B} \oplus \mathbf {e})\), where \(\mathbf {u} \xleftarrow {\$} \mathbb {F}_2^{k - \ell }\) and \(\mathbf {e} \mathop {\leftarrow }\limits ^{\$}\mathsf {B}(n, t)\), then the view of \(\mathcal {A}\) in the interaction with \(\mathcal {D}_2\) is statistically close to its view in experiment \(G_2^{(b)}\) with the challenger. On the other hand, if the pair \((\mathbf {B}, \mathbf {v})\) is uniformly random, then \(\mathcal {A}\)’s view is statistically close to its view in experiment \(G_3^{(b)}\). Therefore, if \(\mathcal {A}\) can guess whether it is interacting with the challenger in \(G_2^{(b)}\) or \(G_3^{(b)}\) with probability non-negligibly larger than 1/2, then \(\mathcal {D}_2\) can use \(\mathcal {A}\)’s guess to solve the challenge instance of the \(\mathsf {DLPN}(k-\ell , n, \mathsf {B}(n, t))\) problem with the same probability. \(\square \)
Experiment \({G_4}\). In this experiment, we employ the following modification with respect to \(G_3^{(b)}\): the ciphertext \(\mathbf {c}^*\) is now set as \(\mathbf {c}^* = \mathbf {r} \xleftarrow {\$} \mathbb {F}_2^{n}\). Clearly, the distributions of \(\mathbf {c}^*\) in experiments \(G_3^{(b)}\) and \(G_4\) are identical. As a result, \(G_4\) and \(G_3^{(b)}\) are statistically indistinguishable. We note that \(G_4\) no longer depends on the challenger’s bit b, and thus, \(\mathcal {A}\)’s advantage in this experiment is 0.
The above discussion shows that experiments \(G_0^{(b)}, G_1^{(b)}, G_2^{(b)}, G_3^{(b)}, G_4\) are indistinguishable, and that \(\mathbf {Adv}_{\mathcal {A}}(G_4)= 0\). It then follows that the advantage of \(\mathcal {A}\) in attacking the CPA-anonymity of the scheme, i.e., in experiment \(G_0^{(b)}\), is negligible. This concludes the proof of the CPA-anonymity property.
4.4 Traceability
Let \(\mathcal {A}\) be a PPT traceability adversary against our group signature scheme, that has success probability \(\epsilon \). We construct a PPT algorithm \(\mathcal {F}\) that solves the \(\mathsf {SD}(m, r, \omega )\) problem with success probability polynomially related to \(\epsilon \).
Algorithm \(\mathcal {F}\) receives a challenge \(\mathsf {SD}(m, r, \omega )\) instance, that is, a uniformly random matrix-syndrome pair \((\widetilde{\mathbf {H}}, \tilde{\mathbf {y}}) \in \mathbb {F}_2^{r\times m} \times \mathbb {F}_2^{r}\). The goal of \(\mathcal {F}\) is to find a vector \(\mathbf {s} \in \mathsf {B}(m, \omega )\) such that \(\widetilde{\mathbf {H}}\cdot \mathbf {s}^\top = \tilde{\mathbf {y}}^\top \). It then proceeds as follows:

1. Pick a guess \(j^* \xleftarrow {\$} [0,N-1]\) and set \(\mathbf {y}_{j^*} = \tilde{\mathbf {y}}\).
2. Set \(\mathbf {H} = \widetilde{\mathbf {H}}\). For each \(j \in [0, N-1]\) such that \(j \ne j^*\), sample \(\mathbf {s}_j \mathop {\leftarrow }\limits ^{\$}\mathsf {B}(m,\omega )\) and let \(\mathbf {y}_j\in \mathbb {F}_2^r\) be its syndrome, i.e., \(\mathbf {y}_j^\top = \mathbf {H}\cdot \mathbf {s}_j^\top \).
3. Run \(\mathsf {ME.KeyGen}(n, k, t)\) to obtain a key pair \(\big (\mathsf {pk_{ME}}=\mathbf{G}\in \mathbb {F}_{2}^{k\times n}; \mathsf {sk_{ME}}\big )\).
4. Send \(\mathsf {gpk} = \big ( \mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N-1}\big )\) and \(\mathsf {gmsk} = \mathsf {sk_{ME}}\) to \(\mathcal {A}\).

We note that, since the parameters \(m, r, \omega \) were chosen such that \(r \le \log \left( {\begin{array}{c}m\\ \omega \end{array}}\right) - 2\lambda - \mathcal {O}(1)\), by Lemma 1, the distribution of the syndrome \(\mathbf {y}_j\), for all \(j \ne j^*\), is statistically close to the uniform distribution over \(\mathbb {F}_2^r\). In addition, the syndrome \(\mathbf {y}_{j^*} = \tilde{\mathbf {y}}\) is truly uniform over \(\mathbb {F}_2^r\). It then follows that the distribution of \((\mathbf {y}_0, \ldots , \mathbf {y}_{N-1})\) is statistically close to that in the real scheme (see Remark 1). As a result, the distribution of \((\mathsf {gpk}, \mathsf {gmsk})\) is statistically close to the distribution expected by \(\mathcal {A}\).
Algorithm \(\mathcal {F}\) then initializes a set \(CU = \emptyset \) and handles the queries from \(\mathcal {A}\) as follows:

Queries to the random oracle \(\mathcal {H}\) are handled by consistently returning uniformly random values in \(\{1,2,3\}^\kappa \). Suppose that \(\mathcal {A}\) makes \(Q_{\mathcal {H}}\) queries, then for each \(\eta \le Q_{\mathcal {H}}\), we let \(r_\eta \) denote the answer to the \(\eta \)th query.

\(\mathcal {O}^\mathsf {Corrupt}(j)\), for any \(j \in [0,N1]\): If \(j \ne j^*\), then \(\mathcal {F}\) sets \(CU: = CU \cup \{j\}\) and gives \(\mathbf {s}_j\) to \(\mathcal {A}\); If \(j = j^*\), then \(\mathcal {F}\) aborts.

\(\mathcal {O}^\mathsf {Sign}(j, M)\), for any \(j \in [0,N1]\) and any message M:

If \(j \ne j^*\), then \(\mathcal {F}\) honestly computes a signature, since it has the secret key \(\mathbf {s}_j\).

If \(j = j^*\), then \(\mathcal {F}\) returns a simulated signature \(\varSigma ^*\) computed as in Sect. 4.3 (see Experiment \(G_1^{(b)}\) in the proof of anonymity).

At some point, \(\mathcal {A}\) outputs a forged group signature \(\varSigma ^*\) on some message \(M^*\), where
By the requirements of the traceability experiment, one has \(\mathsf {Verify}(\mathsf {gpk}, M^*, \varSigma ^*)=1\), and for all \(j \notin CU\), signatures of user j on \(M^*\) were never queried. Now \(\mathcal {F}\) uses \(\mathsf {sk_{ME}}\) to open \(\varSigma ^*\), and aborts if the opening algorithm does not output \(j^*\). It can be checked that \(\mathcal {F}\) aborts with probability at most \({(N-1)}/{N} + (2/3)^\kappa \), because the choice of \(j^* \in [0, N-1]\) is completely hidden from \(\mathcal {A}\)’s view, and \(\mathcal {A}\) can violate the soundness of the argument system with probability at most \((2/3)^\kappa \). Thus, with probability at least \(1/N - (2/3)^\kappa \), it holds that
Suppose that (13) holds. Algorithm \(\mathcal {F}\) then exploits the forgery as follows. Denote by \(\varDelta \) the tuple \(\big (M^*; \mathsf{CMT}^{(1)}, \ldots , \mathsf{CMT}^{(\kappa )}; \mathbf{G}, \mathbf {H}, \mathbf {y}_0, \ldots , \mathbf {y}_{N1}, \mathbf {c}^*\big )\). Observe that if \(\mathcal {A}\) has never queried the random oracle \(\mathcal {H}\) on input \(\varDelta \), then
Therefore, with probability at least \(\epsilon - 3^{-\kappa }\), there exists a certain \(\eta ^* \le Q_{\mathcal {H}}\) such that \(\varDelta \) was the input of the \(\eta ^*\)-th query. Next, \(\mathcal {F}\) picks \(\eta ^*\) as the target forking point and replays \(\mathcal {A}\) many times with the same random tape and input as in the original run. In each rerun, for the first \(\eta ^* - 1\) queries, \(\mathcal {A}\) is given the same answers \(r_1, \ldots , r_{\eta ^*-1}\) as in the initial run, but from the \(\eta ^*\)-th query onwards, \(\mathcal {F}\) replies with fresh random values \(r^{'}_{\eta ^*}, \ldots , r^{'}_{Q_{\mathcal {H}}} \xleftarrow {\$} \{1,2,3\}^\kappa \). The Improved Forking Lemma of Pointcheval and Vaudenay [PV97, Lemma 7] implies that, with probability larger than 1/2 and within less than \(32\cdot Q_{\mathcal {H}}/(\epsilon - 3^{-\kappa })\) executions of \(\mathcal {A}\), algorithm \(\mathcal {F}\) can obtain a 3-fork involving the tuple \(\varDelta \). Now, let the answers of \(\mathcal {F}\) with respect to the 3-fork branches be
Then, by a simple calculation, one has:
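The calculation behind the term \((7/9)^\kappa \) that appears in the final bound is short enough to spell out. The following derivation is added here by the editor and is not part of the original proof text; it uses only the paper's own quantities and treats the three answers at the forking point as independent and uniform over \(\{1,2,3\}^\kappa \), as the forking argument does.

Let \(r^{(1)}, r^{(2)}, r^{(3)} \in \{1,2,3\}^\kappa \) be the answers of \(\mathcal {F}\) at the forking point on the three branches, and write \(r^{(b)}_i\) for their \(i\)-th coordinates. For a fixed position \(i\), the three challenges are pairwise distinct exactly when \((r^{(1)}_i, r^{(2)}_i, r^{(3)}_i)\) is one of the \(3!\) orderings of \(\{1,2,3\}\):
\[
\Pr\big[\, r^{(1)}_i, r^{(2)}_i, r^{(3)}_i \text{ pairwise distinct} \,\big] \;=\; \frac{3!}{3^3} \;=\; \frac{6}{27} \;=\; \frac{2}{9}.
\]
Coordinates are independent, so the probability that no position supplies three different challenges is \((1 - 2/9)^\kappa \), and hence
\[
\Pr\big[\, \exists\, i \in [1,\kappa ] :\ r^{(1)}_i, r^{(2)}_i, r^{(3)}_i \text{ pairwise distinct} \,\big] \;=\; 1 - \Big(\frac{7}{9}\Big)^{\kappa }.
\]
For the implementation choice \(\kappa = 140\) of Sect. 5 this failure term is \((7/9)^{140} \approx 2^{-50.8}\), so in the final success bound the dominant loss is the factor \(1/N\) from guessing \(j^*\), not the fork step.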
Conditioned on the existence of such an index i, one parses the three forgeries corresponding to the fork branches to obtain \(\big (\mathsf {RSP}^{(i)}_1, \mathsf {RSP}^{(i)}_2, \mathsf {RSP}^{(i)}_3\big )\). These are three valid responses with respect to three different challenges for the same commitment \(\mathsf {CMT}^{(i)}\). Then, using the knowledge extractor of the underlying interactive argument system (see Lemma 3), one can efficiently extract a tuple \((j', \mathbf {s}', \mathbf {u}', \mathbf {e}')\in [0, N-1] \times \mathbb {F}_2^{m} \times \mathbb {F}_2^{k - \ell } \times \mathbb {F}_2^{n}\) such that:
Since the given group signature scheme is correct, the equation \(\big (\mathbf {u}' \Vert \mathsf{I2B}(j')\big )\cdot \mathbf{G}\oplus \mathbf {e}' = \mathbf {c}^*\) implies that \(\mathsf {Open}(\mathsf {sk_{ME}}, M^*, \varSigma ^*) = j'\). On the other hand, we have \(\mathsf {Open}(\mathsf {sk_{ME}}, M^*, \varSigma ^*) = j^*\), which leads to \(j' = j^*\). Therefore, it holds that \(\widetilde{\mathbf {H}}\cdot \mathbf {s}'^{\top }= \mathbf {H}\cdot \mathbf {s}'^{\top } = \mathbf {y}_{j^*}^\top = \tilde{\mathbf {y}}^\top \), and that \(\mathbf {s}' \in \mathsf {B}(m, \omega )\). In other words, \(\mathbf {s}'\) is a valid solution to the challenge \(\mathsf {SD}(m, r, \omega )\) instance \((\widetilde{\mathbf {H}}, \tilde{\mathbf {y}})\).
Finally, the above analysis shows that, if \(\mathcal {A}\) has success probability \(\epsilon \) and running time T in attacking the traceability of our group signature scheme, then \(\mathcal {F}\) has success probability at least \({1}/{2}\big (1/N - (2/3)^\kappa \big )\big (1 - (7/9)^\kappa \big )\) and running time at most \(32\cdot T\cdot Q_{\mathcal {H}}/(\epsilon - 3^{-\kappa }) + \mathsf {poly}(\lambda , N)\). This concludes the proof of the traceability property.
5 Implementation Results
This section presents basic implementation results for the proposed code-based group signature scheme to demonstrate its feasibility. The testing platform was a modern PC with a 3.5 GHz CPU and 16 GB of RAM. We employed the NTL library [NTL] and the \(\mathsf {gf2x}\) library [GF2] for efficient polynomial arithmetic over fields of characteristic 2. To decode binary Goppa codes, our implementation of the McEliece encryption used Patterson's algorithm [Pat75]. We used SHA-3 with various output lengths to instantiate the hash functions. To achieve 80-bit security, the parameters were chosen as follows:

The McEliece parameters were set to \((n, k, t) = (2^{11}, 1696, 32)\), as in [BS08].

The Syndrome Decoding parameters were set to \((m, r, \omega ) = (2756, 550, 121)\), so that the distribution of \(\mathbf {y}_0, \ldots , \mathbf {y}_{N-1}\) is \(2^{-80}\)-close to the uniform distribution over \(\mathbb {F}_2^r\) (by Lemma 1), and the \(\mathsf {SD}(m,r, \omega )\) problem is intractable with respect to the best known attacks. In particular, these parameters ensure that:

The number of protocol repetitions \(\kappa \) was set to 140, which gives soundness error \((2/3)^{140} < 2^{-80}\), i.e., soundness \(1 - 2^{-80}\).
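The three parameter choices above can be cross-checked with a few lines of arithmetic. The script below is an added example written for this page, not the authors' implementation. It assumes the standard leftover-hash-lemma form of Lemma 1, namely that \((\mathbf {H}, \mathbf {H}\cdot \mathbf {s}^\top )\) for uniform \(\mathbf {s} \in \mathsf {B}(m, \omega )\) is within statistical distance \(\tfrac {1}{2}\sqrt {2^r / |\mathsf {B}(m,\omega )|}\) of uniform; the dimension formula \(k = n - t \log _2 n\) for a binary Goppa code of length \(n = 2^{\mu }\) correcting \(t\) errors; and per-round soundness error 2/3, as used in the traceability proof. The public-key size estimate counts only \(\mathbf {G}\), \(\mathbf {H}\) and the \(N\) syndromes, i.e. the public components listed in the tuple \(\varDelta \), which is an assumption about what \(\mathsf {gpk}\) contains.

```python
"""Consistency checks for the 80-bit parameter set of Sect. 5.

Added example, not the authors' code. Assumptions (also in the lead-in):
Lemma 1 is read as the leftover hash lemma bound 1/2 * sqrt(2^r / |B(m, w)|);
the McEliece code is a binary Goppa code with k = n - t*log2(n);
one round of the argument system has soundness error 2/3.
"""
from fractions import Fraction
from math import comb, log2


def weight_ball_bits(m: int, w: int) -> float:
    """log2 |B(m, w)|: number of length-m binary vectors of Hamming weight w."""
    return log2(comb(m, w))  # exact big-int binomial, then log2


def lhl_distance_log2(m: int, r: int, w: int) -> float:
    """log2 of the leftover-hash-lemma bound on the statistical distance between
    (H, H*s^T) and uniform, for s uniform in B(m, w) and H uniform in F_2^{r x m}."""
    # 1/2 * sqrt(2^r / |B|)  ->  log2 = -1 + (r - log2|B|) / 2
    return -1 + (r - weight_ball_bits(m, w)) / 2


def goppa_dimension(n: int, t: int) -> int:
    """k = n - mu*t for a binary Goppa code of length n = 2^mu correcting t errors."""
    mu = n.bit_length() - 1
    if 1 << mu != n:
        raise ValueError("binary Goppa code length must be a power of two")
    return n - mu * t


def soundness_error_log2(kappa: int) -> float:
    """log2 of (2/3)^kappa: cheating probability after kappa repetitions."""
    return kappa * log2(2 / 3)


def min_repetitions(security_bits: int) -> int:
    """Smallest kappa with (2/3)^kappa <= 2^-security_bits, computed exactly."""
    target = Fraction(1, 2 ** security_bits)
    kappa, err = 0, Fraction(1)
    while err > target:
        err *= Fraction(2, 3)
        kappa += 1
    return kappa


def gpk_bits(n: int, k: int, m: int, r: int, users: int) -> int:
    """Lower-bound size of gpk in bits: G (k x n), H (r x m) and N syndromes of r bits.
    Assumes gpk consists of exactly these components (as listed in the tuple Delta)."""
    return k * n + r * m + users * r


def check_parameters(n=2 ** 11, k=1696, t=32, m=2756, r=550, w=121,
                     kappa=140, bits=80) -> dict:
    """Derived quantities for the paper's 80-bit parameter set (defaults)."""
    return {
        "goppa_k_matches": goppa_dimension(n, t) == k,
        "log2_ball": weight_ball_bits(m, w),
        "log2_lhl_distance": lhl_distance_log2(m, r, w),
        "lhl_ok": lhl_distance_log2(m, r, w) <= -bits,
        "log2_soundness_error": soundness_error_log2(kappa),
        "soundness_ok": soundness_error_log2(kappa) <= -bits,
        "min_kappa": min_repetitions(bits),
        "gpk_kib_fixed_part": gpk_bits(n, k, m, r, 0) / 8 / 1024,
        "gpk_kib_4096_users": gpk_bits(n, k, m, r, 4096) / 8 / 1024,
    }


if __name__ == "__main__":
    for key, val in check_parameters().items():
        print(f"{key:>22}: {val}")
```

Running it shows that \(k = 2048 - 11\cdot 32 = 1696\) matches the Goppa dimension, that \(\log _2 |\mathsf {B}(2756, 121)| \approx 711.6\) so the leftover-hash bound is about \(2^{-81.8}\), and that 137 is the smallest \(\kappa \) reaching \(2^{-80}\) soundness error, so \(\kappa = 140\) leaves a small margin.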
Table 2 shows our implementation results, together with the public key and signature sizes for various numbers of group users and message sizes. To reduce the signature size, in the underlying zero-knowledge protocol we send a random seed instead of the permutations when \(\text {Ch}=2\), and similarly a random seed instead of the whole response \(\mathsf {RSP}\) when \(\text {Ch}=3\). With this technique, the average signature sizes are about 159 KB for 4,096 users and 876 KB for 65,536 users. Both the public key and the signature grow linearly in the number of group users N, but for N below \(2^{12}\) this linear term is dominated by the fixed cost of the matrices \(\mathbf{G}\) and \(\mathbf {H}\).
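The seed trick in the paragraph above works because a permutation can be expanded deterministically from a short seed by both prover and verifier, so a response that would otherwise carry a permutation of \([m]\) only needs to carry the seed. The following is an added illustration written for this page; it is not the authors' implementation, and it does not reproduce the protocol of the earlier sections (which is not on this page). It expands a 32-byte seed into a permutation with SHAKE256 used as an extendable-output function and a Fisher-Yates shuffle, checks that the verifier recomputes the same permutation from the seed, and compares the bit cost with sending the permutation explicitly. The XOF, the domain-separation label and the 32-byte seed length are choices made here.

```python
"""Seed-expanded permutations: reveal a seed instead of the permutation.

Added example, not the authors' implementation. Illustrates the size-saving
idea of Sect. 5: the prover derives its permutation of [m] from a short seed
and, when the challenge asks for the permutation, sends the seed instead.
The XOF (SHAKE256), label and 32-byte seed length are choices for this example.
"""
import hashlib
import secrets
from math import ceil, log2


class Xof:
    """Byte stream from SHAKE256. digest(n) outputs are prefix-consistent, so
    requesting a longer digest never changes bytes already consumed."""

    def __init__(self, label: bytes, seed: bytes) -> None:
        # Length-prefix the seed so (label, seed) pairs cannot collide.
        self._shake = hashlib.shake_256(label + len(seed).to_bytes(2, "big") + seed)
        self._buf = b""
        self._pos = 0

    def next_u32(self) -> int:
        if self._pos + 4 > len(self._buf):
            self._buf = self._shake.digest(max(64, 2 * len(self._buf)))
        val = int.from_bytes(self._buf[self._pos:self._pos + 4], "big")
        self._pos += 4
        return val


def _uniform_below(xof: Xof, bound: int) -> int:
    """Rejection-sample a uniform integer in [0, bound) from 32-bit draws (no modulo bias)."""
    limit = (1 << 32) - ((1 << 32) % bound)
    while True:
        v = xof.next_u32()
        if v < limit:
            return v % bound


def expand_permutation(seed: bytes, m: int) -> list[int]:
    """Deterministically derive a permutation of range(m) from seed (Fisher-Yates)."""
    xof = Xof(b"code-gs-perm", seed)
    perm = list(range(m))
    for i in range(m - 1, 0, -1):
        j = _uniform_below(xof, i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def is_permutation(perm: list[int]) -> bool:
    return sorted(perm) == list(range(len(perm)))


def prover_commit(m: int, seed_len: int = 32) -> tuple[bytes, list[int]]:
    """Prover side: draw a fresh seed, expand it, keep both for the commitment."""
    seed = secrets.token_bytes(seed_len)
    return seed, expand_permutation(seed, m)


def verifier_accepts_seed(seed: bytes, m: int, perm_used: list[int]) -> bool:
    """Verifier side for the permutation-revealing challenge: re-expand the seed
    and compare with the permutation the commitment was computed with."""
    return expand_permutation(seed, m) == perm_used


def permutation_bits(m: int) -> int:
    """Bits needed to send a permutation of [m] naively: m indices of ceil(log2 m) bits."""
    return m * ceil(log2(m))


def savings_factor(m: int, seed_len: int = 32) -> float:
    """How many times smaller the seed is than the explicit permutation."""
    return permutation_bits(m) / (8 * seed_len)


if __name__ == "__main__":
    m = 2756  # the paper's Syndrome Decoding length
    seed, perm = prover_commit(m)
    assert verifier_accepts_seed(seed, m, perm)
    print(f"explicit permutation of [{m}]: {permutation_bits(m)} bits; "
          f"seed: {8 * 32} bits; factor {savings_factor(m):.0f}x")
```

For \(m = 2756\) an explicit permutation costs \(2756 \cdot 12 = 33{,}072\) bits, against 256 bits for the seed, a factor of roughly 129. The same expansion idea applies to any response that is a deterministic function of prover randomness, which is what the \(\text {Ch}=3\) case above exploits.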
For a group of 65,536 users, signing and verifying take about 0.27 and 0.20 seconds, respectively, for a 1 B message, and about 5.70 and 5.60 seconds for a 1 GB message. In our experiments, hashing a 1 GB message alone takes about 5.40 seconds, which accounts for the difference between the 1 B and 1 GB timings.
As far as we know, the implementation results presented here are the first for post-quantum group signatures. While the scheme is not yet truly practical, these results bring post-quantum group signatures one step closer to practice.
Notes
 1.
In most schemes in the [BMW03] model, a standard signature is also employed to issue users’ secret keys. However, this is not necessarily the case: the scheme constructed in this paper is an illustrative example.
 2.
In this case, the function \(f_{\mathbf {H}}(\mathbf {s}_j) = \mathbf {H}\cdot \mathbf {s}_j^\top \) acts as a pseudorandom generator [FS96].
 3.
References
Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Presented at WCC, April 2015
Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000)
El Yousfi Alaoui, S.M., Cayrel, P.-L., Mohammed, M.: Improved identity-based identification and signature schemes using quasi-dyadic Goppa codes. In: Kim, T., Adeli, H., Robles, R.J., Balitanas, M. (eds.) ISA 2011. CCIS, vol. 200, pp. 146–155. Springer, Heidelberg (2011)
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): how 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012)
Berlekamp, E., McEliece, R.J., van Tilborg, H.C.A.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theor. 24(3), 384–386 (1978)
Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003)
Biswas, B., Sendrier, N.: McEliece cryptosystem implementation: theory and practice. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 47–62. Springer, Heidelberg (2008)
Bettaieb, S., Schrek, J.: Improved lattice-based threshold ring signature scheme. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 34–51. Springer, Heidelberg (2013)
Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 427–444. Springer, Heidelberg (2006)
Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001)
Cayrel, P.-L., Gaborit, P., Girault, M.: Identity-based identification and signature schemes using correcting codes. In: WCC 2007, pp. 69–78 (2007)
Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 523–552. Springer, Heidelberg (2010)
Cayrel, P.-L., Meziani, M.: Post-quantum cryptography: code-based signatures. In: Kim, T., Adeli, H. (eds.) AST/UCMA/ISA/ACN 2010. LNCS, vol. 6059, pp. 82–99. Springer, Heidelberg (2010)
Camenisch, J., Neven, G., Rückert, M.: Fully anonymous attribute tokens from lattices. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 57–75. Springer, Heidelberg (2012)
Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)
Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)
Cayrel, P.-L., Véron, P., El Yousfi Alaoui, S.M.: A zero-knowledge identification scheme based on the \(q\)-ary syndrome decoding problem. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 171–186. Springer, Heidelberg (2011)
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)
Dallot, L.: Towards a concrete security proof of Courtois, Finiasz and Sendrier signature scheme. In: Lucks, S., Sadeghi, A.-R., Wolf, C. (eds.) WEWoRC 2007. LNCS, vol. 4945, pp. 65–77. Springer, Heidelberg (2008)
Döttling, N., Dowsley, R., Müller-Quade, J., Nascimento, A.C.A.: A CCA2 secure variant of the McEliece cryptosystem. IEEE Trans. Inf. Theor. 58(10), 6672–6680 (2012)
Döttling, N.: Cryptography based on the hardness of decoding. Ph.D. thesis, Karlsruhe Institute of Technology (2014). https://crypto.iti.kit.edu/fileadmin/User/Doettling/thesis.pdf
Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. IACR Cryptology ePrint Archive, Report 2015/479 (2015)
Faugère, J.-C., Gauthier-Umaña, V., Otmani, A., Perret, L., Tillich, J.-P.: A distinguisher for high-rate McEliece cryptosystems. IEEE Trans. Inf. Theor. 59(10), 6830–6844 (2013)
Finiasz, M.: Parallel-CFS. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
Fischer, J.-B., Stern, J.: An efficient pseudo-random generator provably as secure as syndrome decoding. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 245–255. Springer, Heidelberg (1996)
Finiasz, M., Sendrier, N.: Security bounds for the design of code-based cryptosystems. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 88–105. Springer, Heidelberg (2009)
gf2x library, ver. 1.1. https://gforge.inria.fr/projects/gf2x/
Goldwasser, S., Kalai, Y., Peikert, C., Vaikuntanathan, V.: Robustness of the learning with errors assumption. In: ICS 2010, pp. 230–240. Tsinghua University Press (2010)
Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Groth, J.: Evaluating security of voting schemes in the universal composability framework. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 46–60. Springer, Heidelberg (2004)
Hu, R., Morozov, K., Takagi, T.: Proof of plaintext knowledge for code-based public-key encryption revisited. In: ASIA CCS 2013, pp. 535–540. ACM (2013)
Kawachi, A., Tanaka, K., Xagawa, K.: Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 372–389. Springer, Heidelberg (2008)
Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013)
Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014)
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013)
Ling, S., Nguyen, K., Wang, H.: Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 427–449. Springer, Heidelberg (2015)
Libert, B., Peters, T., Yung, M.: Scalable group signatures with revocation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 609–627. Springer, Heidelberg (2012)
McEliece, R.J.: A public-key cryptosystem based on algebraic coding theory. Deep Space Network Progress Report, vol. 44, pp. 114–116 (1978)
Melchor, C.A., Cayrel, P.-L., Gaborit, P.: A new efficient threshold ring signature scheme based on coding theory. In: Buchmann, J., Ding, J. (eds.) PQCrypto 2008. LNCS, vol. 5299, pp. 1–16. Springer, Heidelberg (2008)
Melchor, C.A., Cayrel, P.-L., Gaborit, P., Laguillaumie, F.: A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theor. 57(7), 4833–4842 (2011)
Ma, J.F., Chiam, T.C., Kot, A.C.: A new efficient group signature scheme based on linear codes. In: Networks 2001, pp. 124–129. IEEE (2001)
Meurer, A.: A coding-theoretic approach to cryptanalysis. Ph.D. thesis, Ruhr University Bochum (2013). http://www.cits.rub.de/imperia/md/content/diss.pdf
Melchor, C.A., Gaborit, P., Schrek, J.: A new zero-knowledge code-based identification scheme with reduced communication. CoRR, abs/1111.1644 (2011)
Mathew, K.P., Vasant, S., Rangan, C.P.: On provably secure code-based signature and signcryption scheme. IACR Cryptology ePrint Archive, Report 2012/585 (2012)
Mathew, K.P., Vasant, S., Venkatesan, S., Pandu Rangan, C.: An efficient IND-CCA2 secure variant of the Niederreiter encryption scheme in the standard model. In: Susilo, W., Mu, Y., Seberry, J. (eds.) ACISP 2012. LNCS, vol. 7372, pp. 166–179. Springer, Heidelberg (2012)
Niederreiter, H.: Knapsack-type cryptosystems and algebraic coding theory. Probl. Control Inf. Theor. 15(2), 159–166 (1986)
Nojima, R., Imai, H., Kobara, K., Morozov, K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008)
NTL: a library for doing number theory, version 9.0.2. http://www.shoup.net/ntl/
Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015)
Patterson, N.J.: The algebraic decoding of Goppa codes. IEEE Trans. Inf. Theor. 21(2), 203–207 (1975)
Persichetti, E.: On a CCA2-secure variant of McEliece in the standard model. IACR Cryptology ePrint Archive, Report 2012/268 (2012)
Pointcheval, D., Vaudenay, S.: On provable security for digital signature algorithms. Technical report LIENS-96-17, Laboratoire d'Informatique de l'École Normale Supérieure (1997)
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)
Sendrier, N.: QC-MDPC McEliece: a public-key code-based encryption scheme based on quasi-cyclic moderate density parity check codes. In: Workshop "Post-Quantum Cryptography: Recent Results and Trends", Fukuoka, Japan, November 2014
Shor, P.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997)
Stern, J.: A new paradigm for public key identification. IEEE Trans. Inf. Theor. 42(6), 1757–1768 (1996)
Véron, P.: Improved identification schemes based on error-correcting codes. Appl. Algebra Eng. Commun. Comput. 8(1), 57–69 (1996)
Yang, G., Tan, C.H., Mu, Y., Susilo, W., Wong, D.S.: Identity based identification from algebraic coding theory. Theor. Comput. Sci. 520, 51–61 (2014)
Acknowledgements
The authors would like to thank Jean-Pierre Tillich, Philippe Gaborit, Ayoub Otmani, Nicolas Sendrier, Nico Döttling, and the anonymous reviewers of ASIACRYPT 2015 for helpful comments and discussions. The research was supported by Research Grant TL-9014101684-01 and by the Singapore Ministry of Education under Research Grant MOE2013-T2-1-041.
Copyright information
© 2015 International Association for Cryptologic Research
Cite this paper
Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H. (2015). A Provably Secure Group Signature Scheme from Code-Based Assumptions. In: Iwata, T., Cheon, J. (eds) Advances in Cryptology – ASIACRYPT 2015. Lecture Notes in Computer Science, vol 9452. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48797-6_12
DOI: https://doi.org/10.1007/978-3-662-48797-6_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-48796-9
Online ISBN: 978-3-662-48797-6