Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors

An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership. In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zero-knowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern’s protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) the first lattice-based ring signatures with logarithmic size in the cardinality of the ring and (ii) the first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.

In a nutshell, an accumulator is a sort of algebraic hash function that maps a large set R of inputs into a short, constant-size accumulator value u such that an efficiently computable short witness w provides evidence that a given input was indeed incorporated into the hashed set.In order to be useful, the size of the witness should be much smaller than the cardinality of the input set.An extension, suggested by Camenisch and Lysyanskaya [21], allows the accumulator value to be updated over time, by adding or deleting elements of the hashed set while preserving the ability to efficiently update witnesses.For most applications, the usual security requirement mandates the infeasibility of computing an accumulator value u and a valid witness w for an element x outside the set of hashed inputs.This is made possible by public-key techniques like the existence of a trapdoor (e.g., the factorization of an RSA modulus or the discrete logarithm of some public group element) hidden behind public parameters.
So far, number theoretic realizations have been divided into two main families.The first one relies on groups of hidden order [10,7,48,15] and includes proposals based on the Strong RSA assumption [7,44].The second main family [58,20] was first explored by Nguyen [58] and appeals to bilinear maps (a.k.a.pairings) and assumptions of variabe size like the Strong Diffie-Hellman assumption [14].Strong-RSA-based candidates enjoy the advantage of short public parameters and they easily extend into universal accumulators [44] (where non-membership witnesses can show that a given input was not accumulated).While pairingbased schemes [58,20] usually require linear-size public parameters in the number of elements to be hashed, they are useful in applications [6,23] where we want to limit the number of elements to be hashed.A third family (e.g., [60]) of constructions relies on Merkle trees [51] rather than number theoretic assumptions.Its main disadvantage is that the use of hash trees makes it hardly compatible with efficient zero-knowledge proofs, which are inevitable ingredients of privacy-preserving protocols [21,69,20,1].In fact, currently known methods [15,9] for reconciling Merkle trees and zero-knowledge proofs require non-standard assumptions in groups of hidden order [15] or the machinery of SNARKs, which inherently rely on non-falsifiable [56] knowledge assumptions [36].
Despite its wide range of applications, the accumulator primitive still has a relatively small number of efficient realizations.For the time being, most known solutions require non-standard ad hoc assumptions like Strong RSA or Strong Diffie-Hellman.To our knowledge, the only exception is a generic construction from vector commitments [25], which leaves open the problem of candidates based on the standard Computational Diffie-Hellman assumption (in groups without a bilinear map) or zero-knowledge-friendly lattice-based schemes.In this paper, we describe a new construction based on standard lattice assumptions which interacts nicely with zero-knowledge proofs despite the use of Merkle trees.We show that this new construction enables new, unexpected applications to the design of lattice-based ring signatures and group signatures.
Our Contributions.We describe a lattice-based accumulator 3 that enables short zero-knowledge arguments of membership.Our construction relies on a Merkle hash tree which is computed in a special way that makes it compatible with efficient protocols for proving possession of a secret value (i.e., a leaf of the tree) that is properly accumulated in the root of the tree.More specifically, our system allows demonstrating the knowledge of a hash chain from the considered secret leaf to the root in a zero-knowledge manner.This building block enables many interesting applications.In particular, we use it to design latticebased ring and group signatures with dramatic improvements over the existing constructions.In the random oracle model, we obtain: -The first lattice-based ring signature with logarithmic signature size in the cardinality of the ring.So far, all suggested proposals have linear size in the number of ring members.-A lattice-based group signature with much shorter public key, signature length, and weaker hardness assumptions than all earlier realizations.
Our ring signature does not require any other setup assumption than having all users agree on a modulus q, a lattice dimension n and a random matrix A ∈ Z n×m q (which can be derived from a random oracle).It provably satisfies the strong security definitions put forth by Bender, Katz and Morselli [11].
Our group signature is analyzed in the setting of static groups using the definitions of Bellare, Micciancio and Warinschi [8].Its salient feature (which it shares with our ring signature) is that, unlike all earlier candidates [34,42,43,47,59], it does not require the use of a trapdoor (as defined by Gentry, Peikert and Vaikuntanathan [32]) consisting of a short basis of some lattice.It thus eliminates one of the frequently cited reasons [50] for which lattice-based signatures tend to be impractical.In fact, our group signature departs from previously used design principles -which are all inspired in some way by the general construction of [8] -in that, surprisingly, it does not even require an ordinary digital signature to begin with.All we need is a lattice-based accumulator with a compatible zero-knowledge argument system for arguing knowledge of a hash chain.
Our Techniques.Our accumulator proceeds by computing a Merkle tree using a hash function based on the Small Integer Solution (SIS) problem, which is a variant of the hash functions considered in [4,33,54] previously considered by Papamanthou et al. [60].Instead of hashing a vector x ∈ {0, 1} m by computing its syndrome A • x ∈ Z n q via a random matrix A ∈ Z n×m q , it outputs the coordinate-wise binary decomposition bin(A • x mod q) ∈ {0, 1} m/2 of the syndrome to obtain the two-fold compression factor that is needed for iteratively applying the function in a Merkle tree.However, Papamanthou et al. [60] did not consider the problem of proving knowledge of a hash chain in a zero-knowledge fashion.The main technical novelty that we introduce is thus a method for demonstrating knowledge of a Merkle-tree hash chain using the framework of Stern's protocol [68].
Using this method, we build ring and group signatures with logarithmic size in the number of ring or group members involved.Our constructions are conceptually simple.Each user's private key is a random m-bit vector x ∈ {0, 1} m and the matching public key is the binary expansion d = bin(A•x mod q) ∈ {0, 1} m/2 of the corresponding syndrome.In order to sign a message, the user considers an accumulation u ∈ {0, 1} m/2 of all users' public keys R = (d 0 , . . ., d N −1 )which is obtained by dynamically forming the ring R in the ring signature and simply consists of the group public key in the group signature -and generates a Stern-type argument that: (i) His public key d j belongs to the hashed set R; (ii) He knows the underlying secret d j = bin(A • x j mod q); (iii -for the group signature) He has honestly encrypted the binary representation of the integer j determining his position in the tree to a ciphertext attached in the signature.In order to acquire anonymity in the strongest sense (i.e., where the adversary is granted access to a signature opening oracle), we apply the Naor-Yung paradigm [57] to Regev's cryptosystem [65], as was previously considered in [12].As pointed out earlier, the advantage of not relying on an ordinary digital signature4 lies in that it does not require any party (i.e., neither the group manager nor the group members in the case of group signatures) to have a GPV trapdoor [32] consisting of a short lattice basis.As emphasized by Lyubashevsky [50], explicitly avoiding the use of such trapdoors allows for drastically more efficient choices of parameters.As by-products, our scheme features much smaller group public key and users' secret keys, produces shorter signatures, and relies on weaker hardness assumptions than all of the existing lattice-based group signature schemes [34,22,42,47,59] in the BMW model [8].
In the following, we give an estimated efficiency comparison among our group signature and the previous 2 most efficient schemes with CCA-anonymity, by Ling et al. [47] and Nguyen et al. [59].The estimations are done with parameter n = 2 8 , group size N = 1024, and soundness error 2 −80 for the NIZKs.
-Ling et al.'s scheme requires q = O(log N • n 2 ), m ≥ 2n log q, so we set q = 2 18 and m = 2 9 • 18.The infinity norm bound for discrete Gaussian samples is 2 6 .The scheme produces group public key size 65.8 MB; user's secret key size 13.5 KB (a Boyen signature [17]); and signature size 1.20 GB. -Nguyen et al.'s scheme requires q > m 8.5 , m ≥ 2n log q, so we set q = 2 142 and m = 2 9 • 142.The scheme produces group public key size 2.15 GB; user's secret key size 90 GB (a trapdoor in Z 3m×3m with (log m)-bit entries); and signature size 500 MB.-Our scheme works with q = 2 8 , m = 2 9 • 8, and parameters p = 32719, m E = 7980 for the encryption layer.The scheme features public key size 4.9 MB; user's secret key size 3.25 KB; and it produces signatures of size 61.5 MB.

Related Work.
While originally suggested as a 3-move code-based identification scheme, Stern's protocol was adapted to the lattice setting by Kawachi et al. [41] and extended by Ling et al. [46] into an argument system for the Inhomogeneous Small Integer Solution (ISIS) problem.In particular, Ling et al. gave a method, called decomposition-extension framework, which allows arguing knowledge of an integer vector without leaving any gap between the vector computed by the knowledge extractor and the actual witness x.As shown in [47], the technique of Ling et al. [46] can be used to prove more involved statements such as the possession of a Boyen signature [17] on a message encrypted by a dual Regev ciphertext [32].Here, we take one step further and develop a zero-knowledge argument of knowledge (ZKAoK) that a specific element of some universe belongs to a hashed set.Ring signatures were introduced by Rivest, Shamir and Tauman-Kalai [66] with the motivation of hiding the identity of a source (e.g., a whistleblower in a political scandal) while providing guarantees of trustworthiness.Bender, Katz and Morselli [11] gave stringent security definitions while constructions with sub-linear signature size were given by Chandran, Groth and Sahai [26].The celebrated results of Gentry, Peikert and Vaikuntanathan [32] inspired a number of lattice-based ring signatures.The state-of-the-art construction probably stems from the framework of Brakerski and Tauman-Kalai [18], which results in linear-size in the number of ring members.The same holds for all known Fiat-Shamir-like lattice-based ring signatures (e.g., [41,2]), although some of them do not require a trapdoor.Thus far, the only logarithmic-size ring signatures [37,16] arise from the results of Groth and Kohlweiss [37] and it is not clear how to extend them to the lattice setting.
The notion of group signatures dates back to Chaum and Van Heyst [27].While viable constructions were given in the seminal paper by Ateniese, Camenisch, Joye and Tsudik [5], their security notions remained poorly understood until the work of Bellare, Micciancio and Warinschi [8].The first lattice-based proposal came out with the results of Gordon, Katz and Vaikuntanathan [34], which inspired a number of follow-up works describing new systems with a better asymptotic efficiency [42,59,47] or additional properties [22,43].For the time being, the most efficient candidates are the recent concurrent proposals of Nguyen et al. and Ling et al. [59,47].As it turns out, except for one scheme [12] that mixes lattice-based and discrete-logarithm-related assumptions, all currently available candidates [42,59,47,22,43] utilize a GPV trapdoor, either to perform the setup of the system or to trace signatures (or both).Our results thus provide the first system that completely eliminates GPV trapdoors.
At a high level, our ZKAoK system is partially inspired by the way Langlois et al. [43] made use of the Bonsai tree technique [24] since it proves knowledge of a solution to a SIS problem determined by the user's position in a tree.However, there are fundamental differences since our tree is built in a bottom-up (rather than top-down) manner and we do not perform any trapdoor delegation.

Preliminaries
Notations.We assume that all vectors are column vectors.The concatenation of matrices A ∈ Z k×i , B ∈ Z k×j is denoted by [A|B] ∈ Z k× (i+j) .For b ∈ {0, 1}, we denote the bit 1 − b ∈ {0, 1} by b.For a positive integer i, we let [i] be the set {1, . . ., i}.If S is a finite set, x $ ← − S means that x is chosen uniformly at random from S. All logarithms are of base 2. The addition in Z 2 is denoted by ⊕.
In this section, we first recall the average-case lattice problems SIS and LWE, together with their hardness results; and the notion of statistical zero-knowledge arguments of knowledge.The definitions and security requirements of cryptographic accumulators, ring signatures, and group signatures are deferred to their respective Sections 3, 4, and 5.

Average-case Lattice Problems
Definition 1 ( [3,32]).The SIS ∞ n,m,q,β problem is as follows: Given uniformly random matrix A ∈ Z n×m q , find a non-zero vector x ∈ Z m such that x ∞ ≤ β and A • x = 0 mod q.
In the last decade, numerous SIS-based cryptographic primitives have been proposed.In this work, we will extensively employ 2 such constructions: -Our Merkle tree accumulator is built upon a specific family of collision-resistant hash functions, which is a syntactic modification (i.e., it takes two inputs, instead of one) of the one presented in [3,54].A similar scheme that works with larger SIS norm bound β was proposed in [60].-Our zero-knowledge argument systems use the statistically hiding and computationally binding string commitment scheme from [41].
For appropriate setting of parameters, the security of the above two constructions can be based on the worst-case hardness of SIVP O(n) .

Zero-Knowledge Arguments of Knowledge
We will work with statistical zero-knowledge argument systems, namely, interactive protocols where the zero-knowledge property holds against any cheating verifier, while the soundness property only holds against computationally bounded cheating provers.More formally, let the set of statements-witnesses R = {(y, w)} ∈ {0, 1} * × {0, 1} * be an NP relation.A two-party game P, V is called an interactive argument system for the relation R with soundness error e if the following two conditions hold: -Completeness.If (y, w) ∈ R then Pr P(y, w), V(y) = 1 = 1.
An argument system is called statistical zero-knowledge if for any V(y), there exists a PPT simulator S(y) producing a simulated transcript that is statistically close to the one of the real interaction between P(y, w) and V(y).A related notion is argument of knowledge, which requires the witness-extended emulation property.For protocols consisting of 3 moves (i.e., commitment-challenge-response), witness-extended emulation is implied by special soundness [35], where the latter assumes that there exists a PPT extractor which takes as input a set of valid transcripts with respect to all possible values of the 'challenge' to the same 'commitment', and outputs w such that (y, w ) ∈ R.
The statistical zero-knowledge arguments of knowledge (sZKAoK) presented in this work are Stern-type [68].In particular, they are Σ-protocols in the generalized sense defined in [38,12] (where 3 valid transcripts are needed for extraction, instead of just 2).Several recent works rely on Stern-type protocols to design lattice-based [46,43,47] and code-based [38,30] constructions.

A Lattice-Based Accumulator with Supporting
Zero-Knowledge Argument of Knowledge Throughout the paper, we will work with positive integers n, q, k, m, where: n is the security parameter; q = O(n); k = log q ; and m = 2nk.We identify Z q by the set {0, . . ., q − 1}.We define the "powers-of-2" matrix Note that for every v ∈ Z n q , we have v = G • bin(v), where bin(v) ∈ {0, 1} nk denotes the binary representation of v.

Cryptographic Accumulators
An accumulator scheme is a tuple of algorithms (TSetup, TAcc, TWitness, TVerify) defined as follows: TSetup(n) On input security parameter n, output the public parameter pp.TAcc pp On input a set R = {d 0 , . . ., d N −1 } of N data values, output an accumulator value u.TWitness pp On input a data set R and a value d, output ⊥ if d ∈ R; otherwise output a witness w for the fact that d is accumulated in TAcc(R).(Typically, the size of w should be short (e.g., constant or logarithmic in N ) to be useful.)TVerify pp On input accumulator value u and a value-witness pair (d, w), output 1 (which indicates that (d, w) is valid for the accumulator u) or 0.
An accumulator scheme is called correct if for all pp ← TSetup(n), we have TVerify pp TAcc pp (R), d, TWitness pp (R, d) = 1 for all d ∈ R.
The security of an accumulator scheme, as defined in [7,21], says that it is infeasible to prove that a value d * was accumulated in a value u if it was not.This property is formalized as follows.

A Family of Lattice-Based Collision-Resistant Hash Functions
We now describe the specific family of lattice-based collision-resistant hash functions, upon which our Merkle hash tree will be built.

Proof. Given
In other words, z is a valid solution to the SIS ∞ n,m,q,1 problem associated with matrix A. The lemma then follows from the worst-case to average-case reduction from SIVP O(n) .

Our Merkle-Tree Accumulator
We now give the construction of a Merkle tree with N = 2 leaves, where is a positive integer, based on the family of lattice-based hash function H defined above.
TVerify A u, d, w .Let the given witness w be of the form: The algorithm recursively computes the path Then it returns 1 if v 0 = u.Otherwise, it returns 0.
In Figure 1, we give an illustrative example of a tree with 2 3 = 8 leaves.One can check that the above Merkle-tree accumulator scheme is correct.Furthermore, its security is based on the collision-resistance of the hash function family H, which in turn is based on the hardness of SIVP O(n) .
Theorem 1.The given accumulator scheme is secure in the sense of Definition 3, assuming the hardness of the SIVP O(n) problem.
Proof.Assuming that there exists a PPT adversary B who has non-negligible success probability in the security experiment of Definition 3. It receives a uniformly random matrix A ∈ Z n×m q generated by TSetup(n), and returns (R = (d 0 , . . ., Parse w * = ((j * 1 , . . ., j * ), (w * , . . ., w * 1 )).Let j * ∈ [0, N−1] be the integer having binary representation (j * 1 , . . ., j * ) and let u * be the path from the leave d j * to the root of the tree generated by TAcc A (R).On the other hand, let We then obtain a collision for h A at the parent node of u j * 1 ,...,j * k .The theorem then follows from Lemma 1.

Zero-Knowledge AoK of an Accumulated Value
Our goal in this section is to construct a zero-knowledge argument system that allows prover P to convince verifier V that P knows a secret value that is properly accumulated into the root of the lattice-based Merkle tree described above.More formally, in our protocol, P convinces V on input (A, u) that P possesses a valuewitness pair (d, w) such that TVerify A u, d, w = 1.The associated relation R acc is defined as follows.
Before going into the details, we first introduce several supporting notations and techniques.
-We denote by B nk m the set of all vectors in {0, 1} m that have Hamming weight nk; and by S m the set of all permutations of m elements.
-For b ∈ {0, 1}, for π ∈ S m , we define the permutation F b,π that transforms Namely, F b,π first rearranges the blocks of z according to b (it keeps the arrangement of blocks if b = 0, or swaps them if b = 1), then it permutes each block according to π.
Our strategy to achieve zero-knowledgeness will crucially rely on the following observation: For all c, b ∈ {0, 1}, all π, φ ∈ S m , and all v, w ∈ {0, 1} m , we have the equivalences Warm-up step.Now, let (d, w) be such that (A, u), d, w ∈ R acc , where w is of the form w = (j 1 , . . ., j ), (w , . . ., w 1 ) , and let v = d, v −1 , . . ., v 1 , v 0 be the path computed by TVerify A u, d, w .Note that v 0 = u and: We observe that relation (2) can be equivalently rewritten in a more compact form: ∀i ∈ { − 1, . . ., 1, 0}, Equation ( 3) then can be interpreted as: Therefore, to achieve our goal, it is necessary and sufficient to construct an argument system in which P convinces V in ZK that P knows j 1 , . . ., j ∈ {0, 1} and v 1 , . . ., v , w 1 , . . ., w ∈ {0, 1} nk satisfying To this end, we develop a Stern-type protocol [68], in which we adapt the extension technique from [46].Specifically, we perform the following extensions: , respectively.This is done by appending a length-nk vector of suitable Hamming weight to each of these vectors.
Note that now the conditions in (4) can be equivalently rewritten as: (5) The Interactive Protocol.Having performed the above preparation and transformation steps, we now give a summary and sketch the main ideas of our interactive protocol, before formally describing it.The public parameters are n, q, k, m, , the "powers-of-2" matrix G and its extension G * .
Common inputs: (A, u).Both parties extend A to A * .
To achieve its goal, P employs the following strategies: the equivalences observed in (1) are exploited.Specifically, for each Seeing ( 6), V should be convinced of the facts P wants to prove, while learning no additional information, thanks to the randomness of π i , φ i and b i .2. To prove in ZK that the equations in (5) hold, P samples uniformly random masking vectors r ← − Z 2m q , and then it shows V that Let COM : {0, 1} * ×{0, 1} m → Z n q be the string commitment scheme from [41], which is statistically hiding and computationally binding if the SIVP O(n) problem is hard.The interaction between prover P and verifier V is described in Figure 2.

Analysis of the Interactive Protocol
The properties of the given protocol are summarized in the following theorem.
Theorem 2. The given interactive protocol has perfect completeness and communication cost O( • n).If COM is a statistically hiding and computationally binding string commitment scheme, then it is a statistical zero-knowledge argument of knowledge for the relation R acc .
Verification.Receiving RSP, V proceeds as follows.
-Case Ch = 1: Parse RSP as in (7).Check that s w ).Then check that: -Case Ch = 2: Parse RSP as in (8) and check that: -Case Ch = 3: Parse RSP as in (9) and check that: In each case, V outputs 1 if all the conditions hold.Otherwise, it outputs 0.
Fig. 2: A zero-knowledge argument of knowledge for the relation R acc .
outputs 1.It can also be seen that the communication cost of the protocol is In order to prove that the protocol is a ZKAoK for the relation R acc , we will employ the standard simulation and extraction techniques for Stern-type protocols (see, e.g., [41,46,47]).
Lemma 2 (Zero-Knowledge Property).If COM is statistically hiding, then the interactive protocol in Figure 2 is a statistical zero-knowledge argument.
Proof.We construct a PPT simulator S interacting with a (possibly dishonest) verifier V, such that, given only the public input, S outputs with probability negligibly close to 2/3 a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.The simulator S begins by selecting a random Ch ∈ {1, 2, 3}.This is a prediction of the challenge value that V will not choose.Case Ch = 1: Using linear algebra, S computes z 1 , . . ., z , y 1 , . . ., y ∈ Z 2m Then it samples randomness ρ 1 , ρ 2 , ρ 3 for COM and v , . . ., r z , . . ., r y , . . ., r It then sends V commitment CMT = (C 1 , C 2 , C 3 ), where Receiving a challenge Ch from V, the simulator responds as follows: -If Ch = 1: Output ⊥ and abort. - z , . . ., r y , . . ., r It then computes and sends the commitment CMT computed in the same manner as in (13).
Receiving a challenge Ch from V, it responds as follows: - -If Ch = 3: Send RSP computed as in the case (Ch = 1, Ch = 3).
Case Ch = 3: The simulator proceeds with the preparation as in the case Ch = 2 above.Then it sends the commitment CMT := (C 1 , C 2 , C 3 ), where C 2 , C 3 are computed as in (13), while Receiving a challenge Ch from V, it responds as follows: -If Ch = 1: Send RSP computed as in the case (Ch = 2, Ch = 1).
We observe that, in every case we have considered above, since COM is statistically hiding, the distribution of the commitment CMT and the distribution of the challenge Ch from V are statistically close to those in the real interaction.
Hence, the probability that the simulator outputs ⊥ is negligibly close to 1/3.Moreover, one can check that whenever the simulator does not halt, it will provide an accepted transcript, the distribution of which is statistically close to that of the prover in the real interaction.In other words, we have constructed a simulator that can successfully impersonate the honest prover with probability negligibly close to 2/3.
To prove that our protocol is an argument of knowledge for the relation R acc , it suffices to demonstrate that the protocol has the special soundness property [35].
In other words, (d , w ) satisfies (A, u); d , w ∈ R acc .This concludes the proof.
In this section, we construct a ring signature scheme [66] with signature size O(log N • n), where N is the size of the ring, based on the hardness of lattice problem SIVP O(n) .We use the ZKAoK given in Section 3 as the building block.

Definitions
We recall the standard definitions and security requirements for ring signatures [11,37].A ring signature scheme consists of a tuple of efficient algorithms (RSetup, RKgen, RSign, RVerify) for generating a public parameter, generating keys for users, signing messages, and verifying ring signatures, respectively.

RSetup(n):
Generates public parameters pp which are made available to all users.RKgen(pp): Generates a public key pk and the corresponding secret key sk.
RSign pp (sk, M, R): Outputs a signature Σ on the message M ∈ {0, 1} * with respect to the ring R = (pk 0 , . . ., pk N −1 ).It is required that (pk, sk) be a valid key pair produced by RKgen(pp) and that pk ∈ R. RVerify pp (M, R, Σ): Given a candidate signature Σ on a message M with respect to the ring of public keys R, this algorithm outputs 1 if Σ is deemed valid or 0 otherwise.
We next describe the following requirements for ring signatures: correctness, unforgeability with respect to insider corruption, and statistical anonymity.
The correctness requirement says that a user can always sign any message on behalf of a ring he belongs to.This is formalized as follows.
A ring signature is unforgeable with respect to insider corruption if it is infeasible to forge a ring signature without controlling one of the ring members.Definition 7 (Unforgeability w.r.t.insider corruption).A ring signature scheme (RSetup, RKgen, RSign, RVerify) is unforgeable w.r.t.insider corruption if for all PPT adversaries A, where: -PKGen on the j-th query runs (pk j , sk j ) ← RKgen(pp) and returns pk j .
-Sign(j, M, R) returns the output of RSign pp (sk j , M, R) provided: (i) (pk j , sk j ) has been generated by PKGen; (ii) pk j ∈ R. Otherwise, it returns ⊥. -Corrupt(j) returns sk j , provided that (pk j , sk j ) has been generated by PKGen.
-A outputs (M , R , Σ ) such that Sign(•, M , R ) has not been queried.Moreover, R is non-empty and only contains public keys pk j generated by PKGen for which j has not been corrupted.Definition 8.A ring signature scheme (RSetup, RKgen, RSign, RVerify) provides statistical anonymity if, for any (possibly unbounded) adversary A, where pk j0 , pk j1 ∈ R .
Remark: Anonymity under full key exposure [11] requires that the randomness used by KeyGen be revealed to the adversary.In our construction, it does not make a difference since we assume computationally unbounded adversaries.A c-user ring signature scheme is a variant of ring signatures, that only supports rings of fixed size c.Here, we do not assume any upper bound on the size of a ring.Similarly to [37], we only assume that all users agree on pre-existing public parameters pp.In our scheme, these public parameters consist of a modulus q and a random matrix A ∈ Z n×2nk q which can be derived from a random oracle.In this case, we only need all users to agree on the parameters q and n.

The Underlying Zero-Knowledge Protocol
The ring signature scheme that we will present next relies on a simple extension of the ZKAoK in Section 3. Specifically, one more layer is added: apart from proving that it has a secret value d that was properly accumulated to the root of the tree, P has to convince V that it knows a vector x ∈ {0, 1} m such that bin(A•x mod q) = d, or equivalently, A•x = G•d mod q.The associated relation R ring is defined as follows.
Definition 9. Define the relation A ZKAoK for R ring can be obtained from the one in Section 3, where the new layer is handled by the same "extend-then-permute" technique.As before, the protocol relies on the string commitment scheme from [41], which is statistically hiding and computationally binding if the SIVP O(n) problem is hard.-There exists an efficient simulator that, on input (A, u), outputs an accepted transcript which is statistically close to that produced by the real prover.-There exists an efficient knowledge extractor that, on input 3 valid responses (RSP 1 , RSP 2 , RSP 3 ) to the same commitment CMT, outputs (d , w , x ) such that (A, u), d , w , x ∈ R ring .
The full description and analysis of the argument system are given in Appendix A.

Description of the Ring Signature Scheme
We now will construct a ring signature scheme for rings of N = 2 users based on the Merkle-tree accumulator presented in Section 3. Our ring signature can be easily adapted for the case when the size of the ring is not a power of 2 (see Remark 1).The scheme uses parameters n, m, q defined as in Section 3, parameter κ = ω(log n) that determines the number of protocol repetitions, and a random oracle , and output pp = A. 1. Run algorithm TAcc A (R) to build the Merkle tree based on R and the hash function h A , and obtain the root u ∈ {0, 1} nk .2. Run algorithm TWitness A (R, d) to get a witness w = (j 1 , . . ., j ) ∈ {0, 1} , (w , . . ., w 1 ) ∈ ({0, 1} nk ) to the fact that d was properly accumulated in u. 3. Generate a NIZKAoK Π ring to demonstrate the possession of a valid pair (sk, pk) = (x, d) such that d is properly accumulated in u.This is done by running the protocol in Section 4.2 with public input (A, u) and prover's witness (x, d, w).The protocol is repeated κ = ω(log n) times to achieve negligible soundness error and made non-interactive via the Fiat-Shamir heuristic as a triple and a signature Σ, this algorithm proceeds as follows: 1. Run algorithm TAcc A (R) to compute the root u of the tree.

Parse
For each i = 1 to κ, run the verification phase of the protocol from Section 4.2 with public input (A, u) to check the validity of RSP i with respect to CMT i and Ch i .If any of the conditions does not hold, then return 0. Otherwise, return 1.

Analysis of the Ring Signature Scheme
We first summarize the properties of the given ring signature scheme in the following theorem.
Theorem 3. The ring signature scheme described in Section 4.3 is correct, and produces signatures of bit-size O(n • log N ).In the random oracle model, the scheme is unforgeable w.r.t.insider corruption based on the worst-case hardness of the SIVP O(n) problem, and it is statistically anonymous.
Correctness.The correctness of the ring signature scheme directly follows from the correctness of the accumulator scheme in Section 3 and the perfect completeness of the argument system in Section 4.2: A member of a ring can always obtain a tuple (x, d, w) such that (A, u), d, w, x ∈ R ring , and thus, his signature on any message always get accepted by the verification algorithm.
Efficiency.Since the underlying protocol has communication cost O( • n), the signatures produced by the scheme has bit-size Unforgeability with respect to insider corruption.For simplicity, the proof of unforgeability assumes that the cardinality of each ring R is a power of 2. However, this restriction can be easily eliminated, as we will see later on.
The proof of unforgeability relies on the following Lemma from [49].
Lemma 5 ([49],Lemma 8).For any matrix A ∈ Z n×m q and a uniformly random x ∈ {0, 1} m , the probability that there exists another As already mentioned, we can handle arbitrary ring sizes.To this end, one option is to add dummy ring members d fake,1 , . . ., d fake,r0 whose public keys are sampled obliviously of their private keys, by deriving them as d fake,j = bin(G 0 (j)) ∈ {0, 1} nk for each j ∈ {1, . . ., r 0 }, where G 0 : N → Z n q is an additional random oracle.A simpler solution is to duplicate one of the actual ring members until reaching a multi-set whose cardinality is a power of two.

A Lattice-Based Group Signature without Trapdoors
This section shows how to use our accumulator and argument systems to build a lattice-based group signature which is dramatically more efficient than previous proposals as it does not use any trapdoor.Indeed, surprisingly, the scheme does not rely on a standard digital signature to generate group members' private keys.

Definitions
We recall the standard definitions and security requirements for static group signatures [8].A group signature scheme is a tuple of 4 polynomial-time algorithms (GKeygen, GSign, GVerify, GOpen) defined as follows: -GKeygen: This is a probabilistic algorithm that takes as input 1 n , 1 N , where n ∈ N is the security parameter and N ∈ N is the number of group users, and outputs a triple (gpk, gmsk, gsk), where gpk is the group public key; gmsk is the group manager's secret key; and gsk = (gsk[0], . . ., gsk[N − 1]), where for j ∈ {0, . . ., N − 1}, gsk[j] is the secret key for the group user of index j.-GSign: is a randomized algorithm that inputs gpk, a secret key gsk[j] for some j ∈ {0, . . ., N − 1}, and a message M .It returns a group signature Σ on M .-GVerify: This deterministic algorithm takes as input the group public key gpk, a message M , a purported signature Σ on M , and returns either 1 or 0. -GOpen: This deterministic algorithm takes as input the group public key gpk, the group manager's secret key gmsk, a message M , a signature Σ on M , and returns an index j ∈ {0, . . ., N − 1}, or ⊥ (to indicate failure).
In static groups, the security model of Bellare, Micciancio and Warinschi subsumes the desirable security properties of group signatures using two security notions called full anonymity and full traceability.
GS.GOpen(gpk,msk,.,.) 1 ∧ (no signing query involved(j , M )) then Return 1 else Return 0 Fig. 3: Experiments for the definitions of anonymity and full traceability Full anonymity.Full anonymity requires that, without the group manager's secret key, no efficient adversary can infer the identity of a user from its signatures.The adversary should even be unable to distinguish signatures from two distinct users j 0 , j 1 , even knowing their private keys gsk[j 0 ], gsk[j 1 ].Moreover, this should remain true even when the adversary is granted access to an oracle that opens arbitrary message-signature pairs (M, Σ) = (M , Σ ), where (M , Σ ) is the challenge pair generated by the challenger on behalf of user j b , for some b ∈ {0, 1}.Formally, the attacker, modeled as a two-stage adversary A = (A 1 , A 2 ), is run in the first experiment depicted in Figure 3.The adversary's advantage is defined as Definition 10 (Full anonymity, [8]).A group signature is fully anonymous if, for any polynomial N and any PPT adversary A, Adv anon GS,A (n, N ) is a negligible function in the security parameter n.
Full traceability.Full traceability mandates that all signatures, even those created by colluding users and the group manager who pool their secrets together, be traceable to a member of the coalition.The attacker is modeled as a twostage adversary A = (A 1 , A 2 ) which is run in the second experiment of Figure 3, where it is further granted access to an oracle GS.GSign(gpk, gsk[•], •) that returns signatures on behalf of any honest group member.Its success probability against GS is measured as . Definition 11 (Full traceability, [8]).A group signature scheme GS is fully traceable if for any polynomial N and any PPT adversariy A, the probability Succ trace GS,A (n, N ) is negligible in the security parameter n.

The Underlying Zero-Knowledge Protocol
The group signature scheme that we will present in Section 5.3 relies on an extension of the ZKAoK in Section 4.2.An encryption layer is added, and the prover additionally has to prove that the given 2 Regev ciphertexts both encrypt the same (j 1 , . . ., j ) that was included in w.The associated relation is defined as follows.
Definition 12. Define R group = (A, u, B, P 1 , P 2 , c 1 , c 2 ), d, w, x, r 1 , r 2 as a relation where To prove in ZK that the vector (j 1 , . . ., j ) T involved in the new layer is the same (j 1 , . . ., j ) T that was included in w, we introduce the following technique. - -For each b ∈ {0, 1}, we define the permutation T b that transforms vector Observe that the following equivalence holds: For all b ∈ {0, 1} and all In Stern's framework, this equivalence allows us to prove in ZK the possession of the bit j i , for every i ∈ [ ], by extending j i to extbit(j i ) and then, by permuting it with a one-time pad b i .Furthermore, to prove that the same j i is involved in both layers, we will use the same one-time pad in both layers of the protocol.
Embedding this new technique into the protocol in Section 4.2, we obtain an argument system for the relation R group .As for the previous two protocols, they also rely on the string commitment scheme from [41], which is statistically hiding and computationally binding if the SIVP O(n) problem is hard.Lemma 6. Assume that the SIVP O(n) problem is hard.Then, there exists a statistical ZKAoK for the relation R group with perfect completeness and communication cost O( • n) + O((m E + ) • log p).In particular: -There exists an efficient simulator that, on input (A, u, B, P 1 , P 2 , c 1 , c 2 ), outputs an accepted transcript which is statistically close to that produced by the real prover.-There exists an efficient knowledge extractor that, on input of 3 valid responses (RSP 1 , RSP 2 , RSP 3 ) to the same commitment CMT, outputs (d , w , x , r 1 , r 2 ) such that The full description and analysis of the argument system are given in Appendix B.
Efficiency.The public key consists of a constant number of matrices over Z q and Z p , where q and p are small moduli.The group signature has bit-size The scheme is dramatically more efficient than previous lattice-based realizations of group signatures.Indeed, its most important advantage is that it does not require any party to hold a GPV trapdoor.As observed by Lyubashevsky [50], lattice-based signatures without trapdoor can be made significantly more efficient.
Correctness.The correctness of algorithm GVerify follows directly from the correctness of the accumulator scheme in Section 3, and the completeness of the argument system in Section 5.2.As for the correctness of algorithm GOpen, it suffices to note that and E 1 • r 1 ∞ < p/4 with overwhelming probability, for the given setting of parameters, and the decryption algorithm should return (j 1 , . . ., j ) .
Security.The full traceability property of our scheme is stated in Theorem 6.
In the proof, which is given in Appendix D, we prove that any adversary with noticeable probability of evading traceability implies an algorithm for either breaking the security of the underlying accumulator of Section 3, breaking the computational soundness of the argument system in Section 5.2, or solving an instance of the SIS ∞ n,m,q,1 problem.Theorem 6.The scheme provides full traceability in the random oracle model if the SIVP O(n) problem is hard.
The proof of full anonymity relies on the fact that applying the Naor-Yung paradigm [57] to Regev's cryptosystem yields an IND-CCA2 secure cryptosystem.(A similar argument was used by Benhamouda et al. [12] for an NTRU-like encryption scheme.)Indeed, the argument system of Definition 12 implies that c 1 and c 2 encrypt the same message.In the random oracle model, it was already observed by Fouque and Pointcheval [31] (see [13] for a more general treatment) that applying the Fiat-Shamir heuristic to Σ-protocols can give simulationsound proofs [67].Similarly to [31,13], the proof of Theorem 7 relies on the fact that applying Fiat-Shamir to the argument system of Definition 12 yields a simulation-sound NIZK argument in the random oracle model if the underlying commitment is computationally binding.This holds even though this argument system does not have the standard special soundness property (i.e., three accepting conversations for distinct challenges are necessary to extract a witness).Simulation-soundness is actually implied by Lemma 6: suppose that c 1 and c 2 encrypt distinct -bit strings.This means that there exists no binary vector Now, recall that the computational soundness of all Stern-type protocols is proved by showing that the knowledge extractor obtains either a set of valid witnesses or breaks the binding property of the underlying commitment scheme.Given that the witnesses do not exist if the statement is false, by rewinding a simulation-soundness adversary sufficiently many times, the knowledge extractor necessarily extracts two openings of a given commitment.
The proof of Theorem 7 is similar to [67] and given in Appendix E.
Theorem 7. The scheme provides full anonymity if the LWE n,p,χ problem is hard, and if the argument system is simulation-sound.
A Full Description and Analysis of the Zero-Knowledge Protocol Underlying the Ring Signature Scheme In this section, we provide the full description and analysis of the ZKAoK for the relation We first restate Lemma 4.
Lemma 7. Assume that the SIVP O(n) problem is hard.Then there exists a statistical ZKAoK for the relation R ring with perfect completeness and communication cost O( • n).In particular: -There exists an efficient simulator that, on input (A, u), outputs an accepting transcript which is statistically close to that produced by the real prover.-There exists an efficient knowledge extractor that, on input 3 valid responses (RSP 1 , RSP 2 , RSP 3 ) to the same commitment CMT, outputs (d , w , x ) such that (A, u), d , w , x ∈ R ring .

A.1 Description of the Protocol
We now describe the protocol.The public parameters are n, q, k, m, , the "powersof-2" matrix G and its extension G * = [G|0 n×nk ] ∈ Z n×m q .
Common inputs: (A, u).Both parties extend A to A * as in Section 3. P's inputs: d, w, x.P's goal: Prove in ZK that Let A ∈ Z n×2m q be the matrix obtained by appending m zero-columns to matrix A. (Note that A = A * .)Let B m 2m be the set of all vectors in {0, 1} 2m having Hamming weight m, and let S 2m be the set of all permutations of 2m elements.
The prover P, possessing a valid tuple (d, w, x), performs the preparation steps as in the protocol for the relation R acc in Section 3 to obtain v Observe that by construction, one has to prove the possession of x in a zero-knowledge manner by using the equivalence: After the above preparation steps, in the protocol, P will convince , for all i ∈ [ ], and x * ∈ B m 2m which satisfy (15) and q be the string commitment scheme from [41], which is statistically hiding and computationally binding if the SIVP O(n) problem is hard.The interaction between prover P and verifier V is described in Figure 4.

A.2 Analysis of the Protocol
Completeness and Communication Cost.The perfect completeness of the protocol can be verified by inspection: if P is honest and follows the protocol, then V always outputs 1.It can also be seen that the communication cost of the protocol is just slightly larger than that of the argument system in Section 3, and is of order The proofs that the protocol is a ZKAoK for the relation R ring follow the same strategy as for the one in Section 3.
Zero-Knowledge Property.We will prove that, if COM is statistically hiding, then the interactive protocol in Figure 4 is a statistical zero-knowledge argument.Specifically, we construct a PPT simulator S interacting with a (possibly dishonest) verifier V such that, given only the public input, S outputs with probability close to 2/3 a simulated transcript that is statistically close to the one produced by the honest prover in the real interaction.
The simulator S begins by selecting a random Ch ∈ {1, 2, 3}.This is a prediction of the challenge value that V will not choose.
Another Permutation Technique.Our ZKAoK for the relation R group is an extension of the one for R ring .In order to prove in ZK that the vector (j 1 , . . ., j ) involved in the new layer is the same (j 1 , . . ., j ) that was included in w, we introduce the following technique.
- ( This equivalence allows proving in ZK the possession of the bit j i , for every i ∈ [ ], using a one-time pad b i .Furthermore, to prove that the same j i is involved in both layers, we will use the same b i in both layers of the protocol.
Preparation Steps.We first observe that the 4 equations: can be equivalently written in a more compact form: We now perform the following extensions: - .
For each i ∈ [ ], prepend a zero-column to h i so as to obtain a two-column matrix , then (26) can be rewritten as: The possession of f * and {g i } i=1 that satisfy the above equation can be proved in ZK using the usual masking-permuting technique (for f * ) and the technique introduced at the beginning of this section.

B.1 Description of the Protocol
The public parameters are n, q, k, m, , p, m E , the "powers-of-2" matrix G and its extension G * = [G|0 n×nk ] ∈ Z n×m q , and matrices H i defined above.
Common Inputs: (A, u, B, P 1 , P 2 , c 1 , c 2 ).Both parties form matrices A * , A as in the previous protocols, and matrix B * and vector c as described above.

P's Goal
Let COM : {0, 1} * ×{0, 1} m → Z n q be the statistically hiding and computationally binding string commitment scheme from [41].The interaction between prover P and verifier V is described in Figure 5.

Fig. 1 :
Fig. 1: A Merkle tree with 2 3 = 8 leaves, which accumulates the data blocks d 0 , . . ., d 7 into the value u at the root.The bit string (101) and the gray nodes form a witness to the fact that d 5 is accumulated in u.

Theorem 4 .Theorem 5 .
The scheme provides unforgeability w.r.t.insider corruption in the random oracle model if the SIVP O(n) problem is hard.(The proof is available in Appendix C.) Statistical anonymity.The proof of the following theorem relies on the statistical witness indistinguishability of the argument system of Lemma 4. The proof is straightforward and omitted.The scheme provides statistical anonymity in the random oracle model.Remark 1.
and that, in Stern's framework, one can use τ $ ← − S 2m and r x $ ← − Z 2m q
Append 2m E zero-columns to the matrix 1} 2m E to vector f * ∈ B 2m E 4m E , where B 2m E 4m E denotes the set of all vectors in {0, 1} 4m E that have Hamming weight 2m E .