Group signatures and more from isogenies and lattices: generic, simple, and efficient

We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size O(logN)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O(\log N)$$\end{document}, where N is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt’20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable. Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the O(·)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$O(\cdot )$$\end{document}-notation hides a very small constant factor, it remains small even for very large group sizes, say 220\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$2^{20}$$\end{document}.


Introduction
Group signature schemes, introduced by Chaum and van Heyst [31], allow authorized members of a group to individually sign on behalf of the group while the specific identity of the signer remains anonymous. However, should the need arise, a special entity called the group manager (or sometimes the tracing authority) can trace the signature to the signer, thus holding the group members accountable for their signatures. Group signatures have been an active area of academic research for the past three decades, and have also been gathering practical attention due to the recent real-world deployment of variants of group signatures such as directed anonymous attestation (DAA) [23] and enhanced privacy ID (EPID) [24].
Currently, there are versatile constructions of efficient group signatures from classical assumptions, e.g., [6,16,17,34,39,40,55,58,71,72]. In this work, when we argue the efficiency of a group signature, we focus on one of the quintessential metrics: the signature size. We require it to be smaller than c · log N bits, where N is the group size and c is some explicit small polynomial in the security parameter. In their seminal work, Bellare, Micciancio, and Warinschi [8] provided a generic construction of a group signature with signature size O(1) from any signature scheme, public-key encryption scheme, and general non-interactive zero-knowledge (NIZK) proof system. Unfortunately, this only provides an asymptotic feasibility result, and thus one of the main focuses of subsequent works, including ours, has been to construct a concretely efficient group signature.
In contrast to the classical setting, constructing efficient group signatures from any postquantum assumptions has been elusive. Since the first lattice-based construction by Gordon, Katz, and Vaikuntanathan [57], there has been a rich line of subsequent works on latticebased (and one code-based) group signatures, including but not limited to [49,59,65,70,74]. However, these results remained purely asymptotic. It was not until recently that efficient lattice-based group signatures appeared [22,38,47,48]. In [47], Esgin et al. report a signature size of 12KB and 19KB for a group size of N = 2 6 and 2 10 , respectivelyseveral orders of magnitude better than prior constructions. 1 These rapid improvements in efficiency for lattices originate in the recent progress of lattice-based NIZK proof systems for useful languages [5,21,45,46,75,76,85], most of which rely heavily on the properties of special structured lattices. Thus, it seems impossible to import similar techniques to other post-quantum assumptions or to standard non-structured lattices. For instance, constructing efficient group signatures from isogenies-one of the promising alternative post-quantum tools to lattices-still seems out of reach using current techniques. This brings us to the main question of this work: Can we construct an efficient group signature secure from isogenies? Moreover, can we have a generic construction that can be instantiated from versatile assumptions, including those based on less structured lattices?
In addition, as we discuss in more detail later, we notice that all works regarding efficient post-quantum group signatures [22,38,47,48,60] do not satisfy the ideal security properties (which are by now considered standard) formalized by Bootle et al. [20]. Thus, we are also interested in the following question: Can we construct efficient post-quantum group signatures satisfying the ideal security properties formalized by Bootle et al. [20]?
To address these questions, in this work we focus on accountable ring signatures [84]. An accountable ring signature offers the flexibility of choosing the group of users when creating a signature (like a ring signature [82]), while also enforcing accountability by including one of the openers in the group (like a group signature). Although research on accountable ring signatures is still limited [19,48,62,68,84], we advocate that they are as relevant and interesting as group and ring signatures. As shown by Bootle et al. [19], accountable ring signatures imply group and ring signatures by naturally limiting or downgrading their functionality. Thus, an efficient post-quantum solution to an accountable ring signature implies solutions for both secure (dynamic) group signatures [9] and ring signatures, making it an attractive target to focus on.
Finally, as an independent interest, we are also concerned with tightly-secure constructions. To the best of our knowledge, all prior efficient post-quantum secure group and ring signatures are in the random oracle model and have a very loose reduction loss. In typical security proofs, given an adversary with advantage that breaks some security property of the group signature, we can only construct an adversary with advantage at most (N 2 Q) −1 · 2 against the underlying hard problem, where Q is the number of random oracle queries and N is the number of users in the system. If we aim for 128-bit security (i.e., = 2 −128 ), and set for example (N , Q) = (2 10 , 2 50 ), then we need at least 326-bits of security for the hard problem. When aiming for a provably-secure construction, the parameters must be set much larger to compensate for this significant reduction loss, which then leads to a less efficient scheme. This is especially unattractive in the isogeny setting since only the smallest among the CSIDH parameters [28] enjoys properties suitable to achieve concrete efficiency [15].

Our contribution
In this work, we construct an efficient accountable ring signature based on isogenies and lattices. This in particular implies the first efficient isogeny-based group signature. Our generic construction departs from known general feasibility results such as [8] and builds on primitives that can be efficiently instantiated. Unlike previous efficient post-quantum group signatures, our scheme satisfies all the desired properties provided by Bootle et al. [20] including dynamicity and fully (CCA) anonymity: the former states that the group members can be added and revoked dynamically and are not fixed on setup; the later states that anonymity holds even in the presence of an adversary that sees the signing keys of all honest users, who is additionally granted access to an opening oracle. We also satisfy the ideal variant of non-frameability and traceability [20], where the former is captured by unforgeability in the context of accountable ring signature. Roughly, this ensures that arbitrary collusion among members, even with the help of a corrupted group manager, cannot falsely open a signature to an honest user.
Our accountable ring signature schemes are realized in three steps. We first provide a generic construction of an accountable ring signature from simple cryptographic primitives such as a public-key encryption (PKE) scheme and an accompanying NIZK for a specific language. We then show an efficient instantiation of these primitives based on a group action that satisfies certain cryptographic properties. Finally, we instantiate the group action by either the CSIDH group action or the MLWE-based group action. Our generic construction builds on the recent efficient OR-proofs for isogeny and lattice-based hard languages by Beullens, Katsumata, and Pintore [14], which were used to construct ring signatures. The most technical part of this work is to efficiently add a proof of valid ciphertext to their ORproof and proving full anonymity, which done naively would incur an exponential security loss. At the core of our construction is an efficient online-extractable OR-proof that allows to also prove validity of a ciphertext.
Moreover, thanks to the online extractability, our construction achieves a much tighter reduction loss compared to prior accountable ring signatures (and also group and ring signatures). It suffices to assume that the underlying post-quantum hard problem cannot be solved with advantage more than N −1 · rather than (N 2 Q) −1 · 2 as in prior works whose proofs rely on the forking lemma [50,81]. Working with the above example, we only lose 10-bits rather than 198-bits of security. We further show how to remove N −1 using the Katz-Wang technique [61] along with some techniques unique to our NIZK. As a side product, we obtain a tightly-secure and efficient isogeny and lattice-based ring signatures, improving upon those by Beullens et al. [14] which have a loose security reduction. Comparison to prior work. To the best of our knowledge, Esgin et al. [47,48] are the only other work that (implicitly) provide an efficient post-quantum accountable ring signature. 2 Since the efficiency of an accountable ring signature is equivalent to those of the group signature obtained through limiting the functionality of the accountable ring signature, we chose to compare the efficiency of our scheme with other state-of-the-art post-quantum group signatures. Table 1 includes a comparison of the signature size and the different notions of security it satisfies. The first two schemes satisfy all the desired security properties of a  [80]. Manager accountability states whether the (possibly malicious) group manager is accountable when opening a signature to some user. Namely, it is "Yes" when even a malicious group manager cannot falsely accuse an honest user of signing a signature that it hasn't signed dynamic group signature formalized by Bootle et al. [20]. Our scheme is the only one to achieve full CCA anonymity. Esgin et al. [47] achieves full CPA anonymity, where anonymity is broken once an adversary is given access to an opening oracle; in practice, this means that if a specific signature is once opened to some user, then any signature ever signed by that particular user will lose anonymity. Here, "full" means that the signing key of all the users may be exposed to the adversary. In contrast, Katz, Kolesnikov, and Wang [60] satisfies selfless CCA anonymity. While their scheme supports opening oracles, anonymity no longer holds if the signing key used to sign the signature is exposed to the adversary. Moreover, our scheme is the only one that also achieves the ideal variant of non-frameability and traceability [9,20] (illustrated in the "Manager Accountability" column). The two schemes [47,60] assume the group manager honestly executes the opening algorithm and that everyone trusts the output. Put differently, a malicious group manager can frame any honest members in the group by simply replacing the output of the opening algorithm. In contrast, our scheme remains secure even against malicious group managers since the validity of the output of the opening algorithm is verifiable. That is, even the group manager is held accountable in our group signature.
Not only our group signatures satisfy more ideal security properties compared to previous constructions, Table 1 shows that our signature size remains competitive. Our isogeny-based group signature based on CSIDH provides the smallest signature size among all post-quantum group signatures, which is 0.6 log 2 (N ) + 3 KB. In contrast, our lattice signature is larger; the scheme in the second (resp. third) row has signature size 0.5 log 2 (N ) + 123.5 KB (resp. 0.5 log 2 (N ) + 85.9 KB). It is smaller compared to [60], while larger compared to [47]. Compared to the two constructions, our signature size grows much slower with the group size N (see also Footnote 1) and also satisfies stronger security. We thus leave it as an interesting open problem to lower the constants in our construction.

Technical overview
An accountable ring signature is like a standard ring signature where the ring R also includes an arbitrary opener public key opk of the signer's choice when creating a signature σ . The signature σ remains anonymous for anybody who does not know the corresponding opener secret key osk, while the designated opener can use osk to trace the user who created σ . A ring signature can be thought of as an accountable ring signature where opk = ⊥, while a group signature can be thought as an accountable ring signature where there is only a single opener. General approach. Our generic construction of an accountable ring signature follows the well-known template of the encrypt-then-prove approach to construct a group signature [27]. The high-level idea is simple. The signer encrypts its verification key vk (or another unique identifier) using the opener's public key opk for a PKE scheme and provides a NIZK proof for the following three facts: the ciphertext ct encrypts vk via opk; vk is included in the ring R; and that it knows a secret key sk corresponding to vk. To trace the signer, the opener simply decrypts ct to recover vk. Notice that the NIZK proof implicitly defines a verifiable encryption scheme [25,26] since it is proving that ct is a valid encryption for some message vk in R. Below, although our construction can be based on any cryptographically-hard group action, we mainly focus on isogenies for simplicity.
One of the difficulties in instantiating this template using isogeny-based cryptography is that we do not have an efficient verifiable encryption scheme for an appropriate PKE scheme. To achieve full anonymity, most of the efficient group signatures, e.g., [38,39,55,58,71,72], use an IND-CCA secure PKE as a building block and construct an efficient NIZK that proves validity of the ciphertext. Full anonymity stipulates that an adversary cannot de-anonymize a signature even if it is provided with an opening oracle, which traces the signatures submitted by the adversary. Roughly, by using an IND-CCA secure PKE as a building block, the reduction can simulate the opening oracle by using the decapsulation oracle provided by the IND-CCA game, rather than the opener's secret key. In the classical setting, constructing such an efficient IND-CCA secure verifiable encryption scheme is possible using the Cramer-Shoup PKE [35] that offers a rich algebraic structure. Unfortunately, in the isogeny setting, although we know how to construct an IND-CCA secure PKE based on the Fujisaki-Okamoto transform [53], it seems quite difficult to provide an accompanying verifiable encryption scheme as the construction internally uses a hash function modeled as a random oracle. Another approach is to rely on the weaker IND-CPA secure PKE but to use a stronger NIZK satisfying onlineextractability [52]. At a high level, the reduction can use the online-extractor to extract the witness in the ciphertext ct instead of relying on the decapsulation oracle. 3 However, it turns out that even this approach is still non-trivial since we do not have any efficient verifiable encryption scheme for existing isogeny-based PKEs, let alone an accompanying online-extractable NIZK. For instance, most isogeny-based IND-CPA secure PKEs are based on the hashed version of ElGamal, and to the best of our knowledge, there are no efficient verifiable encryption schemes for hashed ElGamal. Verifiable encryption scheme for a limited class of PKE. In this work, we observe that in the context of accountable ring signatures and group signatures, we do not require the full decryption capability of a standard PKE. Observe that decryption is only used by the opener and that it knows the ciphertext ct must be an encryption of one of the verification keys included in the ring (or group) R. Therefore, given a ciphertext ct, we only require a mechanism to check if ct encrypts a particular message M, rather than being able to decrypt an arbitrary unknown message. Specifically, the opener can simply run through all the verification keys vk ∈ R to figure out which vk was encrypted in ct. This allows us to use a simple IND-CPA secure PKE with limited decryption capability based on the CSIDH group action: Let E 0 ∈ E p (O, π) be a fixed and public elliptic curve. The public key is pk = (E 0 , E := s E 0 ), where sk = s is sampled uniformly at random from the class group C (O). To encrypt a message M ∈ C (O), we sample r ← C (O) and set ct = (ct 0 := r E 0 , ct 1 := M (r E)).
To check if ct decrypts to M , we check whether ct 1 is equal to M (sk ct 0 ). Note that in general we cannot decrypt when M is unknown since we cannot cancel out sk ct 0 from ct 1 . Now, observe that proving ct encrypts M ∈ C (O) is easy since there is a simple sigma protocol for the Diffie-Hellman-like statement (ct 0 , (−M) ct 1 ) = (r E 0 , r E), where r is the witness, e.g., [43]. Although this comes closer to what we want, this simple sigma protocol is not yet sufficient since the prover must reveal the message M to run it. Specifically, it proves that ct is an encryption of M, while what we want to prove is that ct is an encryption of some M ∈ R. In the context of accountable ring signature and group signature, this amounts to the signer being able to hide its verification key vk ∈ R. Constructing NIZK for accountable ring signature Let us move forward to the intermediate goal of constructing a (non-online-extractable) NIZK proof system for the following three facts: the ciphertext ct encrypts vk via pk; vk is included in the ring R; and that the prover knows a secret key sk corresponding to vk. Recently, Beullens, Katsumata, and Pintore [14] proposed an efficient sigma protocol (and a non-online-extractable NIZK via the Fiat-Shamir transform) for proving the last two facts, which in particular constitutes an efficient OR-proof. We show how to glue the above "weak" verifiable encryption scheme with their OR-proof.
We first review a variant of the OR-sigma protocol in [14] with proof size O(N ), where N is the size of the ring. Assume each user i ∈ [N ] in the ring holds vk To prove vk I ∈ R and that it knows sk I , the prover first sample s ← C (O) and sets R i = s E i for i ∈ [N ]. It also samples randomness rand i and creates commitments (C i = Com(R i , rand i )) i∈ [N ] , where this commitment is simply instantiated by a random oracle. It finally samples a random permutation φ over [N ] and sends a permuted tuple (C φ(i) = Com(R i , rand i )) i∈ [N ] . The verifier samples a random bit b ∈ {0, 1}. If b = 0, the prover returns all the randomness (s , (rand i ) i∈ [N ] , φ) used to create the first message. The verifier then checks if the first message sent by the prover is consistent with this randomness. Otherwise, if b = 1, the prover returns (I , rand , s ) := (φ(I ), rand I , s + s I ). The verifier then checks if C I = Com(s E 0 , rand ) holds. Notice that if the prover is honest, then s E 0 = s E I as desired. It is easy to check it is honestverifier zero-knowledge. The transcript when b = 0 is independent of the witness, while the transcript when b = 1 can be simulated if the commitment scheme is hiding. Moreover, special soundness can be checked by noticing that given s and s , we can extract some (i * , s * ) such that (E 0 , E i * = s * E 0 ) ∈ R. A full-fledged OR-sigma protocol with proof size O(N ) is then obtained by running this protocol λ-times in parallel, where λ denotes the security parameter. [14] showed several simple optimization techniques to compress the proof size from O(N ) to O(log N ), but we first explain our main idea below.
We add our "weakly decryptable" PKE to this OR-sigma protocol. Since our PKE only handles messages in C (O), the prover with vk I ∈ R encrypts the index I ∈ [N ] rather than vk I , where we assume the verification keys in the ring R are ordered lexicographically. 4 The statement now consists of the ring R and the ciphertext ct = (ct 0 := r E 0 , ct 1 = I (r E)), where (E 0 , E) is the opener's public key opk. Recall the opener can decrypt ct with knowledge of the ring R by brute-force searching for an i ∈ [N ] such that ct 1 = i (osk ct 0 ). Now, to prove vk I is an entry in R and that it knows sk I , the prover samples s ← C (O) and sets R i = s E i for i ∈ [N ] as before. It then further samples r ← C (O) and prepares ct i = (r ct 0 , (−i) (r ct 1 )) for all i ∈ [N ]. Observe that ct i is an encryption of the message (I − i) using randomness (r + r ). Specifically, ct I is of the form ((r +r ) E 0 , (r +r ) E), which admits a natural sigma protocol as explained above. Finally, the prover samples randomness rand i and a random permutation φ over [N ], and sends the randomly permuted commitments (C φ(i) = Com(R i ct i , rand i )) i∈ [N ] . The verifier samples a random bit b ∈ {0, 1}. If b = 0, then similarly to the above OR-sigma protocol, the prover simply returns all the randomness and the verifier checks the consistency of the first message. Otherwise, if b = 1, the prover returns (I , rand , s , r ) := (φ(I ), rand I , s + s I , r + r ). The verifier checks if C I = Com(s E 0 (r E 0 , r E), rand ) holds. Correctness and honest-verifier zero-knowledge holds essentially for the same reason as the above OR-sigma protocol. More importantly, special soundness holds as well. Intuitively, since the opening to b = 0 forces the cheating prover to commit to the proper (vk i , i)-pair, a cheating prover cannot encrypt an index I and prove that it has sk I corresponding to vk I for a different I = I .
To compile our sigma protocol into an NIZK, we apply the Fiat-Shamir transform. Moreover, we apply similar optimization techniques used in [14] to compress the proof size from O(N ) to O(log N ). Roughly, the prover additionally uses a pseudorandom generator to generate the randomness (i.e., s , r , φ, (rand i ) i∈ [N ] ). Then, in case b = 0, the prover needs to reply only with the seed of size O (1). The prover also uses a Merkle tree to accumulate (C φ(i) ) i∈ [N ] and sends the root value in the first message. It then only opens to the path necessary for verification when b = 1. This has a positive side-effect that we no longer require a permutation φ since the path hides the index if we use a slightly tweaked variant of the standard Merkle tree. Finally, we take advantage of the asymmetry in the prover's response size for b = 0 and b = 1, which are O(1) and O(log N ), respectively. Namely, we imbalance the challenge space so that the prover opens to more 0 than 1, while still maintaining negligible soundness error. Adding online-extractability. To build an accountable ring signature or group signature, we require the above NIZK to be (multi-proof) online-extractable. This is a strengthening of standard proof of knowledge (PoK) that roughly states that the knowledge extractor, who can see what the adversary queries to the random oracle, is able to directly extract witnesses from the proofs output by the adversary. The OR-proof by [14], which our NIZK builds on, was only shown to satisfy the standard PoK, which bases on a rewinding extractor.
One simple way to add online-extractability to our NIZK is to apply the Unruh transform [83]. Namely, we can modify the prover to add two more commitments h 0 = Com(s r , rand 0 ) and h 1 = Com(s r , rand 1 ) in the first message, where Com is instantiated by the random oracle. Then, if b = 0 (resp. b = 1), the prover further opens to h 0 (resp. h 1 ). Recall that if the reduction obtains both (s , r ) and (s , r ), then it can invoke the extractor provided by the underlying sigma protocol to extract some (i * , s * ) such that Therefore, for the cheating adversary to fool the reduction, it must guess the bit b and create h b correctly while creating h 1−b arbitrary. Intuitively, if we have λ-repetition of the sigma protocol, then the cheating prover cannot possibly guess all the challenge bits correctly. Therefore, there must be some challenge where it created h 0 and h 1 honestly. For that challenge bit, the reduction algorithm can then retrieve the corresponding inputs (s r , rand 0 ) and (s r , rand 1 ) from simply observing the random oracle, and then, run the extractor to obtain the witness.
This idea works but it comes with an extra two hashes per one execution of the binarychallenge sigma protocol. Although it may sound insignificant in an asymptotic sense, these hashes add up when we execute the sigma protocol many times, and it makes it difficult to apply some of the optimization tricks. Concretely, when we apply this change to the isogeny-based ring signature by Beullen et al. [14], the signature grows by roughly a factor of 2 to 3.
In this work, we show that we can in fact prove online-extractability without making any modification to the aforementioned NIZK. Our main observations are the following: if the prover uses a seed to generate the randomness used in the first message via a random oracle, then the online extractor can observe (s , r , φ, (rand i ) i∈ [N ] ); and the prover must respond to some execution of the binary-challenge sigma protocol where the challenge bit is 1. The first implies that the seed implicitly acts as a type of commitment to (s , r ). The second implies the prover returns a response that includes (s , r ). Specifically, our online extractor only looks at all the responses for the rounds where the challenge bit was 1, and checks the random oracle for any seed that leads to the commitment provided in the first message of the sigma protocol. If such seed is found, then it succeeds in extracting a witness. The intuition is simple but it turns out that the formal proof is technically more complicated due to the several optimizations performed on the basic sigma protocol to achieve proof size O(log N ). Generalizing with group actions. Although we have been explaining our generic construction using the CSIDH group action, it is not unique to them. It works equally well for any group action that naturally induces a PKE. Specifically, we instantiate the above idea also by the MLWE group action defined roughly as : R n+m q × R m q : (s, e) t → A s + e + t, where R q = Z q [X ]/(X d + 1). Since CSIDH and MLWE induce a PKE with slightly different algebraic structures, we introduce a group-action-based PKE defined by two group actions to formally capture both instances. This abstraction may be of an independent interest since at first glance, isogeny-based and lattice-based PKEs seem to rely on different algebraic structures. Finally, one interesting feature unique to our generic construction is that since our sigma protocol is rather combinatorial in nature, we can for instance use CSIDH for the user's public key vk and mix it with an MLWE-based PKE for the opener' public key opk. The practical impact of such mixture is that we can achieve stronger bit-security for anonymity (due to MLWE) while keeping the user's public key and signature small (due to CSIDH). Achieving tight reduction. Since the proofs do not rely on the forking lemma [50,81] to extract witnesses from the forged proofs, our construction achieves a tighter reduction compared to prior works on efficient group signatures. However, we still lose a factor 1/N in the proof of unforgeability, which may vary from 1/2 to 1/2 20 . 5 Recall N is the size of the group in group signatures but it is the size of all the users enrolled in the system for accountable ring signatures, which may be far larger than the size of the ring. The main reason for this loss was because the reduction needs to guess one user's verification key used by the adversary to create its forgery and to embed the hard problem into it.
A well known technique to obtain a tight proof is to rely on the Katz-Wang technique [61] along with the generic OR-composition of sigma protocols, and rely on a multi-instance version of the hard problem (which are believed to be as difficult as the single-instance version for specific hard problems). Namely, we modify the scheme to assign two verification keys (vk (1) , vk (2) ) to each user. The users will only hold one signing key sk (b) for b ∈ {1, 2} corresponding to the verification key vk (b) . The user can honestly run the aforementioned sigma protocol where the statement includes vk (b) , and a simulated sigma protocol using the ZK-simulator where the statement includes vk (3−b) . We can then use the sequential OR-proof technique as presented in [1,51] to bridge these two sigma protocols so that it hides the b. 6 While this generic transform works, it unfortunately doubles the signature size, which may outweigh the motivation for having a tight reduction. In this work, we present a novel Table 2 Comparison of this work with concurrent works [33,66] in terms of signature size, anonymity and manager accountability. The integer N represents the size of the group

Schemes
Signature size Anonymity Manager Accountable [66] O(N log(N )) CPA No [33] O(N 2 ) CPA Partial This Work O(log(N )) CCA Yes and far cheaper technique tailored to our sigma protocol. The signature size overhead is a mere 512B for our concrete lattice-based instantiation. The key observation is that we can view the set of all users' verification key (vk (1) , vk (2) ) as a ring of size 2N , rather than a ring of size N where each ring element consists of two verification keys. This observation itself is not yet sufficient since recall that we typically must encrypt some information bound to the signer for traceability, e.g., encrypt the position/index of vk in R, and it is no longer clear what to encrypt when we have two verification keys in the ring. Luckily, it turns out that our sigma protocol can be easily modified with no loss in efficiency to overcome this apparent issue. Details are provided in Sect. 6.3. Concurrent works. There are two concurrent and independent works published on the Cryptology ePrint Archive [33,66]. Both of these works obtain isogeny-based group signatures from variants of ring signatures. Lai et al. [66] base their group signature on revocable ring signatures, while Chung et al. [33] base theirs on accountable ring signatures. Chug et al. follow the security properties formalized in [84], in contrast with our accountable ring signature which follows those formalized in [20]. Since the security properties defined in [20] are stronger, our group signature satisfies more desirable security properties. Concretely, even though the opening algorithm of Chung et al. can output an opening proof, it does not enjoy the security guarantees defined in [20]. In fact, their construction does not have tracing soundness. In other words, their signature can be opened to two distinct parties with distinct valid opening proofs. Table 2 compares this work with [33,66] in terms of signature size, anonymity and manager accountability, where the integer N represents the size of the group. The construction in [33] is marked with partial manager accountability for the aforementioned reason. Ours is the only scheme that achieves an O(log N ) signature size and CCA anonymity. Additionally, our schem provides a much tighter security since both [33,66] rely on the forking lemma in their security proofs. Structure of this paper. We begin in Sect. 3 with some preliminary background on sigma protocols, accountable ring signatures, and other mathematical content which this paper relies on. We then introduce our new, generic constructions of accountable ring signature and dynamic group signature schemes in Sect. 4. These generic constructions are built from various components put forward in the proceeding sections: Sect. 5 defines group-actionbased hard instance generators and public-key encryption schemes; Sect. 6 introduces our new "traceable" sigma protocol and proves its security; and Sect. 7 then constructs a NIZK proof system from said sigma protocol through the Fiat-Shamir transform. Finally, Sect. 8 details the instantiation of our schemes from isogenies and lattices.

Preliminaries
Notation. We begin by introducing some notation that will be used throughout the paper. For N ∈ N, we denote by [N ] the set {1, . . . , N }. We use to represent concatenation of two strings. We also use {X i } i∈S to denote the set of elements X i iterating over all values i ∈ S. For any randomized algorithm A taking as input x, we will write A(x; r ) to denote the execution of A on x using the randomness r . With an overload in notation, we write A(x) to denote the set of all possible outputs of A on input x, and y ∈ A(x) to indicate that there exists a randomness r such that y = A(x; r ). Finally, we let negl(λ) be a negligible function, i.e. one dominated by O(λ −n ) for all n > 0. A note on random oracles. Throughout the paper, we instantiate several standard cryptographic primitives, such as pseudorandom number generators (i.e., Expand) and commitment schemes, by hash functions modeled as a random oracle O. We always assume the input domain of the random oracle is appropriately separated when instantiating several cryptographic primitives by one random oracle. With abuse of notation, we may occasionally write for example O(Expand ·) instead of Expand(·) to make the usage of the random oracle explicit. Here, we identify Expand with a unique string when inputting it to O. Finally, we denote by A O an algorithm A that has black-box access to O, and we may occasionally omit the superscript O for simplicity when the meaning is clear from context.

Sigma protocols
A sigma protocol for a NP relation R ⊆ {0, 1} * × {0, 1} * is a public-coin three-move interactive protocol between a prover and a verifier that satisfies a specific flavor of soundness and zero-knowledge. The language L R is defined as {X | (X, W) ∈ R}. As standard with many sigma protocols for a language defined over post-quantum algebraic structures, we relax the soundness notion to only hold for a slightly wider relationR (i.e., R ⊆R), e.g., [4,10,14,36,44,54]. That is, a cheating prover may not be using a witness in R but is guaranteed to be using some witness in the wider relationR. Below, we consider a sigma protocol in the random oracle model, where the prover and verifier have access to a random oracle similarly to [14]. 7 Definition 3.1 (Sigma Protocol) A sigma protocol for the relations R andR such that R ⊆R (which are implicitly parameterized by the security parameter λ) consists of oraclecalling PPT algorithms (P = (P 1 , P 2 ), V = (V 1 , V 2 )), where V 2 is deterministic and we assume P 1 and P 2 share states. Let ChSet denote the challenge space. Then, has the following three-move flow: • The prover, on input (X, W) ∈ R, runs com ← P O 1 (X, W) and sends a commitment com to the verifier.
• The verifier runs chall ← V O 1 (1 λ ) to obtain a random challenge chall from ChSet, and sends it to the prover.
• The prover, given chall, runs resp ← P O 2 (X, W, chall) and returns a response resp to the verifier. Here, we allow P 2 to abort with some probability. In such cases we assign resp with a special symbol ⊥ denoting abort.
• The verifier runs V O 2 (X, com, chall, resp) and outputs (accept) or ⊥ (reject). Here, O is modeled as a random oracle and we often drop O from the superscript for simplicity when the meaning is clear from context. We assume X is always given as input to P 2 and V 2 , and omit it in the following. The protocol transcript (com, chall, resp) is said to be valid in case V 2 (com, chall, resp) outputs .
We require a sigma protocol in the random oracle model to satisfy the following standard properties: correctness, high min-entropy, special zero-knowledge and (relaxed) special soundness.
We require the sigma protocol to be correct conditioned on the prover not aborting the protocol. Below, if δ = 0, then it corresponds to the case when the prover never aborts.
if for all λ ∈ N and (X, W) ∈ R, the probability of the prover outputting ⊥ is at most δ, and we have where the probability is taken over the randomness used by (P, V ) and by the random oracle.

Definition 3.3 (High Min-Entropy)
We say a sigma protocol has α(λ) min-entropy if for any λ ∈ N, (X, W) ∈ R, and a possibly computationally-unbounded adversary A, we have where the probability is taken over the randomness used by P 1 and by the random oracle. We say has high min-entropy if 2 −α is negligible in λ.

Definition 3.4 (Non-Abort Special Zero-Knowledge)
We say is (non-abort) special zeroknowledge if there exists a PPT simulator Sim O with access to a random oracle O such that for any λ ∈ N, statement-witness pair (X, W) ∈ R, chall ∈ ChSet and any computationallyunbounded adversary A that makes at most a polynomial number of queries to O, we have where P is a non-aborting prover P = (P 1 , P 2 ) run on (X, W) with a challenge fixed to chall and the probability is taken over the randomness used by (P, V ) and by the random oracle.
Below, for the special soundness property, the extraction algorithm is only required to recover a "weaker" witness inR rather than in R used in the real protocol. In many applications, the capability of extracting from this wider relation suffices.

Definition 3.5 (Special Soundness)
We say a sigma protocol has (relaxed) special soundness if there exists a PT extraction algorithm Extract such that, given a statement X and any two valid transcripts (com, chall, resp) and (com, chall , resp ) relative to X and such that chall = chall , outputs a witness W satisfying (X, W) ∈R.

Non-interactive Zero-knowledge proofs of knowledge in the ROM
We consider non-interactive zero-knowledge proof of knowledge protocols (or simply NIZK (proof system)) in the ROM. Below, we define a variant where the proof is generated with respect to a label. Although syntactically different, such NIZK is analogous to the notion of signature of knowledge [30] Definition 3.6 (NIZK Proof System) Let L denote a label space, where checking membership can be done efficiently. A non-interactive zero-knowledge (NIZK) proof system NIZK for the relations R andR such that R ⊆R (which are implicitly parameterized by λ) consists of oracle-calling PPT algorithms (Prove, Verify) defined as follows: Prove O (lbl, X, W) → π/⊥ : On input a label lbl ∈ L, a statement and witness pair (X, W) ∈ R, it outputs a proof π or a special symbol ⊥ denoting abort. Verify O (lbl, X, π) → /⊥ : On input a label lbl ∈ L, a statement X, and a proof π, it outputs either (accept) or ⊥ (reject).
We require a NIZK proof system in the random oracle model to satisfy the following standard properties: correctness, zero-knowledge, (relaxed) statistical soundness, and online extractability. We assume for simplicity that Verify always outputs ⊥ in case lbl / ∈ L.
outputting ⊥ is at most δ, and we have where the probability is taken over the randomness used by (Prove, Verify) and by the random oracle.
Definition 3.8 (Zero-Knowledge) Let O be a random oracle, NIZK a NIZK proof system, and Sim = (Sim 0 , Sim 1 ) a zero-knowledge simulator for NIZK , consisting of two algorithms Sim 0 and Sim 1 with a shared state. We say the advantage of an adversary A against Sim is where Prove and S are prover oracles that on input (lbl, X, W) return ⊥ if lbl / ∈ L∨(X, W) / ∈ R and otherwise return Prove O (lbl, X, W) or Sim 1 (lbl, X), respectively. Moreover, the probability is taken also over the randomness of sampling O.
We say NIZK for R andR is zero-knowledge if there exists a PPT simulator Sim such that for all (possibly computationally-unbounded) adversary A making at most polynomially many queries to the random oracle and the prover oracle, we have Adv ZK NIZK (A) ≤ negl(λ). Statistical soundness guarantees that any adversary cannot generate a proof for an invalid statement except with a negligible probability. Definition 3.9 (Statistical Soundness) Let O be a random oracle and NIZK a NIZK proof system. We say the advantage of an adversary A against soundness is where the probability is taken also over the randomness of sampling O. We say the NIZK proof system NIZK for R andR has (relaxed) statistical soundness if for all (possibly computationally-unbounded) adversary A making at most polynomially many queries to the random oracle, we have Adv soundness Online extractability requires the existence of an extraction algorithm which, on input a valid proof π and the list or random-oracle queries made by an adversary, always extract a (relaxed) witness except with a negligible probability. Definition 3.10 (Multi-Proof Online Extractability) A NIZK proof system NIZK is (multiproof) online extractable if there exists a PPT extractor OnlineExtract such that for any (possibly computationally-unbounded) adversary A making at most polynomially-many queries has at most a negligible advantage in the following game played against a challenger (with access to a random oracle O).
(i) The challenger prepares empty lists L O and L P , and sets flag to 0. (ii) A can make random-oracle, prove, and extract queries an arbitrary polynomial number of times: We assume below that A runs the verification algorithm after receiving a proof from the prover oracle and before submitting a proof to the extract oracle. 8 ∈R, and returns ⊥ if yes and sets flag = 1. Otherwise, if all checks pass, it returns W.

(iii) At some point A outputs 1 to indicate that it is finished with the game. We say
where the probability is also taken over the randomness used by the random oracle.
Note, importantly, that OnlineExtract is not given access to the queries Prove O makes directly to O. Thus, OnlineExtract is not guaranteed to return a valid witness W when called with any output of the Prove oracle. The requirement that (lbl, X, π) / ∈ L P ensures that this does not allow the adversary to trivially win the game, and in particular by extension ensures that modifying the label lbl should invalidate any proof obtained from the Prove oracle.

Remark 3.11
If a NIZK proof system NIZK is (multi-proof) online extractable, it is statistically sound-that is, online extractability implies statistical soundness. This is clear, because if an adversary is able to generate an accepting tuple (lbl, X, π) for which W : (X, W) ∈R in the soundness game, then clearly (extract, lbl, X, π) will allow the adversary to win the online extractability game.

Remark 3.12 (NIZKs with Labels)
If the label space of the NIZK is L = {⊥}, we say the NIZK is without labels (or a plain/unlabelled NIZK). In this case, we omit the lbl argument from the Prove and Verify functions for clarity.

Public-key encryption
We recall the standard multi-challenge IND-CPA security of a public-key encryption (PKE) scheme. • Setup(1 λ ) → pp : On input the security parameter 1 λ , it outputs a public parameter pp.
• KeyGen(pp) → (pk, sk) : On input a public parameter pp, it outputs a pair of public key and secret key (pk, sk). • Enc(pk, M) → ct: On input a public key pk i and a message M ∈ M, it outputs a ciphertext ct. • Dec(sk, ct) → M or ⊥ : On input a secret key sk and a ciphertext ct, it outputs either M ∈ M or a special symbol ⊥ / ∈ M.
We will denote by R the set containing the randomness used by the encryption algorithm Enc.
We omit the standard definition of correctness as we provide a more generalized version in Sect. 4.1,Def. 4.1. Below, we define the standard IND-CPA security extended to the multichallenge setting. Using a textbook hybrid argument, it is clear that the multi-challenge definition is polynomially related to the standard single-challenge definition. The motivation for introducing the multi-challenge variant is because in some cases, we can show that the two definitions are equally difficult without incurring any reduction loss.
any PPT adversary A has at most a negligible advantage in the following game played against a challenger.
(i) The challenger runs pp ← Setup(1 λ ), (pk, sk) ← KeyGen(pp) and samples a bit b ∈ {0, 1}. The challenger provides (pp, pk) to A. (ii) A can adaptively query the challenge oracle at most Q times. In each query, A sends a pair of messages (M 0 , M 1 ) ∈ M 2 , and the challenger returns
An accountable ring signature is required to satisfy the following properties: correctness, anonymity, traceability, unforgeability, and tracing soundness.
First, we require correctness to hold even if the ring contains maliciously-generated user keys or the signature has been produced for a maliciously-generated opener key. Note that the correctness guarantee for the open and judge algorithms are defined implicitly in the subsequent security definitions. Definition 3.16 (Correctness) An accountable ring signature ARS is correct if, for all λ ∈ N, any PPT adversary A has at most a negligible advantage in λ in the following game played against a challenger.
The advantage of A is defined as Adv Correct ARS (A) = Pr[A wins]. Anonymity requires that a signature does not leak any information on who signed it. We consider the standard type of anonymity notion where the adversary gets to choose the signing key used to generate the signature. Moreover, we allow the adversary to make (nontrivial) opening queries that reveal who signed the messages. This notion is often called full (CCA) anonymity [8,20] to differentiate between weaker notions of anonymity such as selfless anonymity that restricts the adversary from exposing the signing key used to sign the signature or CPA anonymity where the adversary is restricted from querying the open oracle. (iii) A can make signing and opening queries an arbitrary polynomial number of times: The advantage of A is defined as Adv Anon ARS (A) = |Pr[A wins] − 1/2|. Unforgeability considers two types of forgeries. The first captures the natural notion of unforgeability where an adversary cannot forge a signature for a ring of honest users, i.e., a ring of users for which it does not know any of the corresponding secret keys. The second captures the fact that an adversary cannot accuse an honest user of producing a signature even if the ring contains malicious users and the opener is malicious. Definition 3.18 (Unforgeability) An accountable ring signature scheme ARS is unforgeable (with respect to insider corruption) if, for all λ ∈ N, any PPT adversary A has at most negligible advantage in the following game played against a challenger.
(i) The challenger runs pp ← Setup(1 λ ) and initializes an empty keyed dictionary D UKey [·] and three empty sets Q UKey , Q sign and Q cor . It provides pp to A. (ii) A can make user key generation, signing, and corruption queries an arbitrary polynomial number of times: • (iv) A outputs (opk, vk, R, M, σ, π). We say A wins if The advantage of A is defined as Adv Unf ARS (A) = Pr[A wins]. Traceability requires that any opener key pair (opk, osk) in the range of the opener keygeneration algorithm can open a valid signature σ to some user vk along with a proof valid π. This ensures that any opener can trace the user and produce a proof for its decision. Below, rather than assuming an efficient algorithm that checks set membership (opk, osk) ∈ OKGen(pp), we simply ask the adversary to output the randomness used to generate (opk, osk). Note that this definition contains the prior definitions where opk was assumed to be uniquely defined and efficiently computable from osk [19]. Definition 3.19 (Traceability) An accountable ring signature scheme ARS is traceable if, for all λ ∈ N, any PPT adversary A has at most negligible advantage in the following game played against a challenger.
The advantage of A is defined as Adv Tra ARS (A) = Pr[A wins]. Finally, tracing soundness requires that a signature cannot trace to two different users in the ring. This must hold even if all the users in the ring and the opener are corrupt. Definition 3.20 (Tracing Soundness) An accountable ring signature scheme ARS is traceable sound if, for all λ ∈ N, any PPT adversary A has at most negligible advantage in the following game played against a challenger.
(i) The challenger runs pp ← Setup(1 λ ) and provides pp to A. (ii) A returns an opener's public key, a ring, a message, a signature, and two verification keys and proofs (opk, The advantage of A is defined as Adv TraS ARS (A) = Pr[A wins].

Isogenies and ideal class group actions
Let F p be a prime field, with p ≥ 5. In the following E and E denote elliptic curves defined over F p . An isogeny ϕ : E → E is a non-constant morphism mapping 0 E to 0 E . Each coordinate of ϕ(x, y) is then the fraction of two polynomials in F p [x, y], where F p denotes the algebraic closure of F p . If the coefficients of the polynomials lie in F p , then ϕ is said to be defined over F p . We restrict our attention to separable isogenies (which induce separable extensions of function fields) between supersingular elliptic curves defined over F p , i.e., curves whose set of rational points E(F p ) has cardinality p + 1.
The set End p (E) of all endomorphisms of E that are defined over F p , together with the zero map, form a commutative ring under pointwise addition and composition. End p (E) is isomorphic to an order O of the quadratic field K = Q( √ − p) [28]. We recall that an order is a subring of K, which is also a finitely-generated Z-module containing a basis of K as a Q-vector space. A fractional ideal a of O is a finitely generated O-submodule of K. We say that a is invertible if there exists another fractional ideal b of O such that ab = O, and that it is principal if a = αO for some α ∈ K. The invertible fractional ideals of O form an Abelian group whose quotient by the subgroup of principal fractional ideals is finite. This quotient group is called the ideal class group of O, and denoted by C (O).
The ideal class group C (O) acts freely and transitively on the set E p(O, π), which contains all supersingular elliptic curves E over F p -modulo isomorphisms defined over F p -such that there exists an isomorphism between O and End p (E) mapping the Frobenius endomorphism (x, y) → (x p , y p ). We denote this action by * . Recently, it has been used to design several cryptographic primitives [15,28,37,67], whose security proofs rely on (variations of) the Group Action Inverse Problem (GAIP), defined as follows.
The best known classical algorithm to solve the GAIP problem has time complexity The best known quantum algorithm, on the other hand, is Kuperberg's algorithm for the hidden shift problem [63,64]. It has a subexponential complexity, for which the concrete security estimates are still an active area of research [12,18,32,80].
For the security of the isogeny-based instantiations, we will also rely on a multi-instance variant the GAIP problem which is trivially equivalent to the GAIP problem.
To see the equivalence (informally), given an instance of the GAIP problem ( We also need the following assumption, the decisional CSIDH Problem. Looking ahead, the distinguishing problems will ensure (multi-instance) IND-CPA for our PKE in Sect. 8.1 and therefore anonymity for our ring/group signature schemes. Note that we will require the class group to be of odd order to avoid the attack presented in [29]. Equivalently, we require p = 3 mod 4.
where p is an odd prime. The decisional CSIDH problem is that given a tuple

Lattices
Let R and R q denote the rings Z[X ]/(X n + 1) and Z[X ]/(q, X n + 1) for integers n and q, respectively. Norms over R are defined through the coefficient vectors of the polynomials, which lie over Z n . Norms over R q are defined in the conventional way by uniquely representing coefficients of elements over R q by elements in the range (−q/2, q/2] when q is even and [−(q − 1)/2, (q − 1)/2] when q is odd (see for example [42] for more details).
The hard problems we will rely on are the module short integer solution (MSIS) problem and module learning with errors (MLWE) problem, first introduced in [69]. Definition 3.24 (Module Short Integer Solution) Let n, q, k, , γ be integers. The advantage for the (Hermite normal form) module short integer solution problem MSIS n,q,k, ,γ for an algorithm A is defined as Definition 3.25 (Module Learning with Errors) Let n, q, k, be integers and D a probability distribution over R q . For any A ∈ R k× q , define two oracles as follows: The advantage for the decision module learning with errors problem sMLWE n,q,k, ,D for an algorithm A is defined as where the probability is taken also over the random choice of A ← R k× q . The advantage for the search learning with errors problem sMLWE n,q,k, ,D is defined as where v is one of the vectors returned by O A .
In this work, we consider the MLWE problem where an adversary is given oracle access to a MLWE sample generator. For any PPT adversary A, this is polynomially related to the conventional single-instance MLWE problem via a standard hybrid argument. There is also a simple tight reduction from the single-instance to the multi-instance MLWE problem à la "noise-flooding," where (roughly) the support of the distribution D considered by the multiinstance problem is required to be super-polynomially larger than those considered by the single-instance problem. However, practically speaking, to the best of our knowledge, we are not aware of any attacks that exploit the multiplicity of the MLWE sample. Therefore, throughout this work, we assume the multi-instance MLWE problem to be as difficult as the single-instance MLWE problem.
The assumption on the hardness of (multi-instance) MLWE is believed to hold even when D is the uniform distribution over ring elements with infinity norm at most a fixed value B, say B ≈ 5, for appropriate choices of n, q, k, [2]. We write MLWE n,q,k, ,B when we consider such distribution D. For example, the round-2 NIST candidate signature scheme Dilithium [42] uses such parameters for the (single-instance) MLWE problem, and in particular, our scheme borrows the same parameter sets.

Generic construction of accountable ring signature and dynamic group signature
In this section, we present novel generic frameworks for accountable ring signature, dynamic group signature, and their tightly secure variants. Firstly, we introduce a generic construction of an accountable ring signature in Sect. 4.1. Constructing a dynamic group signature immediately follows by limiting the functionality of accountable ring signature. Our construction achieves a tighter reduction compared to prior works on efficient group signatures as it does not rely on the forking lemma [50,81]. However, since we still lose a factor of 1/N in the reduction, we finally show how to modify our construction to be truly tight using the Katz-Wang technique [61] in Sect. 4.3.

Generic construction of accountable ring signature
In this subsection, we present our generic construction of an accountable ring signature scheme. Before diving in the details we give a brief overview of our generic construction. The setup is as follows. The opening authorities generate a PKE key-pair, denoted as (opk, osk) to indicate that they are the opener's keys, and publish the opening public key opk. The users generate an element (x, w) in a hard relation R, and publish the statement x as verification key, and keep the witness w as secret signing key. A signature for our ARS scheme for a ring R = {x 1 , . . . , x N } consists of a ciphertext ct, and a NIZK proof that: 1) The ciphertext is an encryption of an index I ∈ [N ] under an opener public key opk, and 2) that the signer knows a witness w corresponding to the I -th statement x I in the ring R. The second property ensures that the signature is unforgeable, and the first property ensures that the opener (who has the secret key opk) can decrypt the ciphertext to find out who the real signer is. To convince others that a signature was produced by the I -th member of the ring, the opener uses a second NIZK proof to prove that he knows an opener secret key osk that is consistent with opk, and such that Dec(osk, ct) = I . If the opener could find a second secret key osk , consistent with opk and such that ct decrypts to I = I under osk , then the opener could frame I for signing a signature, which breaks the tracing soundness of the signature scheme. To prevent this we require the PKE to satisfy a strong correctness property, which says that an encryption of I will always decrypt to I , even if the encryption randomness and decryption key are invalid (in some specific, controlled way). More formally we define the following special correctness notion for a PKE scheme. , with R the set containing all possible randomness used by Enc and KR the binary relation that contains all the key pairs (pk, sk) that can be generated by running KeyGen. Let R be a set containing R, and KR a relation containing KR. Then we say that PKE is (R , KR )-correct if, for all λ ∈ N, and for all but a negligible fraction of pp ∈ Setup(1 λ ), we have for all (pk, sk) ∈ KR , for all messages m in the plaintext space M, and all r ∈ R that Dec(sk, Enc(pk, m; r )) = m.

Remark 4.2
Note that pp is also implicitly used in the relations KR, KR . If R = R and KR = KR, then the (R , KR )-correctness is exactly the standard correctness property for PKEs. If R or KR is larger than R or KR, respectively, then the definition becomes a stronger property, because the decryption algorithm is required to decrypt correctly even when the encryption algorithm used some invalid randomness, and/or when the keypair is invalid. (R and KR control how "invalid" randomness and secret key are allowed to be.) Our generic construction of an accountable ring signature scheme ARS = (ARS.Setup, ARS.OKGen, ARS.UKGen, ARS.Sign, ARS.Verify, ARS.Open, ARS.Judge), provide in Fig. 1, is based on the following building blocks: • A hard-instance generator contains a setup algorithm RelSetup that, on input a security parameter λ, outputs a description pp of a pair of binary relations R p p ⊆R p p, and an , pk, ct), (I , w, r ) (x I , w) ∈ R p p ∧ ct = Enc(pk, I ; r ) , pk, ct), (I , w, r ) (x I , w) ∈R p p ∧ ct = Enc(pk, I ; r ) .
To be precise, we need to also include the public parameters output by RelSetup and PKE.Setup in the statement. We omit them for better readability. Similarly to above, we omit the public parameter output by PKE.Setup in the statement. We emphasize that NIZK does not need to be online extractable.
Correctness and security of the proposed accountable ring signature scheme ARS are shown in the following theorems.

Theorem 4.3
The accountable ring signature scheme ARS in Fig. 1 is correct. Proof Due to the correctness of the underlying NIZK proof system, NIZK,lbl , any signature output by ARS.Sign will be accepted by ARS.Verify with probability 1.

Theorem 4.4
The accountable ring signature scheme ARS in Fig. 1 Proof We prove anonymity using a hybrid argument with the following series of games. Let the advantage of the adversary A in Game i be denoted by Adv i (A).
Game 1 : This is the original anonymity game defined in Def. 3.17. The adversary's advantage in this game is Adv 1 (A) = Adv Anon ARS (A) by definition. Game 2 : This is the same as Game 1 , except that it uses the simulator NIZK.Sim = (NIZK.Sim 0 , NIZK.Sim 1 ) for NIZK to answer random-oracle and opening queries from the adversary. When A makes a random oracle query, the challenger forwards the query to NIZK.Sim 0 , records the query and answers, and forwards the answer to A. When A makes an opening query, rather than computing π open using NIZK.Prove and osk, the challenger instead uses the output of NIZK.Sim 1 .
We consider an adversary B 1 against the zero-knowledge property of NIZK which simulates Game 2 for A. Let Prove and S be as in the definition of zero-knowledge for the NIZK proof system. Then, if B 1 s oracle queries are answered by (O, Prove) the game is identical to Game 1 , and if queries are answered by (NIZK.Sim 0 , S), then the game is identical to Game 2 . Therefore, assuming B 1 outputs 1 when A wins, we have Adv 1 (A) ≤ Adv 2 (A) + Adv ZK NIZK (B 1 ). Game 3 : This is the same as Game 2 , except that the way the challenger answers opening queries is further modified. Rather than using the secret key osk to decrypt the ciphertext ct and identify the index I of the real signing key (as ARS.Open does in the honest protocol), the challenger instead runs the online extractor OnlineExtract for NIZK,lbl to extract the witness (I , sk, r ) from (ct, π sign ), and then returns the user R I . We consider an adversary B 2 against the online extractability of NIZK,lbl that simulates Game 3 for A such that • random-oracle queries from A are replied by querying (hash, ·) (see Def. 3.10); • instead of computing π sign when answering a signing query, B 2 makes a query (prove, M, x, w), where (x, w) = ((R, opk, ct), (I , sk, r )), and • instead of running OnlineExtract, B 2 makes a query (extract, M, x, π sign ).
Note that extract for proofs originating from prove queries are answered with ⊥, which is compatible with the fact that the challenger outputs ⊥ for opening queries that correspond to signatures originating from the signing oracle in Game 3 . If B 2 loses the multi-proof online extractability game (i.e., B 2 did not cause the extractor to fail), then it follows from the (R , KR )-correctness of PKE that for each extraction W = (I , sk, r ) we have Dec(osk, ct) = Dec(osk, Enc(opk, I ; r )) = I , so the view of A is not affected by whether I was obtained from OnlineExtract or by decrypting ct with osk. Therefore, we have . Game 4 : This is the same as Game 3 , except that we change how the challenger answers signing queries from the adversary: The challenger generates ct as in Game 3 , but uses the zero-knowledge simulator Sim for NIZK,lbl to create the proof π sign rather than using NIZK.Prove lbl . It then outputs (ct, π sign ) as the signature. Similarly to the transition from Game 1 to Game 2 , we can define an adversary B 3 against the zeroknowledge property of NIZK,lbl such that Adv 3 (A) ≤ Adv 4 (A) + Adv ZK NIZK,lbl (B 3 ). Game 5 : This is the same as Game 4 , except we further change how the challenger answers signing queries: Instead of encrypting the correct index I to obtain ct, the challenger encrypts a random index I . We define a multi-challenge IND-CPA adversary B 4 for PKE that simulates Game 5 for A, but instead of generating (opk, osk), the adversary B 4 receives opk from the multi-challenge IND-CPA challenger, and instead of producing the ciphertexts ct the adversary B 4 makes encryption queries (I , I ), where I is the correct index, and I is a random index. Note that, say on input (sign, R, M, sk 0 , sk 1 ), the I -th key in R is the verification key corresponding to sk 0 . We can make this replacement because in Game 5 , the challenger does not use osk. Finally, observe that in Game 5 the challenger leaks no information about the secret bit b because b is not used. Hence, Adv 5 (A) = 0.

Remark 4.5
In the previous proof we really relied on the online extractability property (without rewinding). This is because, even if we allow for a non-tight reduction, we cannot resort to rewinding (i.e., the forking lemma) since there can be polynomially many open queries and the reduction loss will be exponential if we try to extract from all of them. Here, keep in mind that the online extractor must succeed with (roughly) 1 − negl(λ) rather than any nonnegligible function 1/poly(λ) since there can be polynomially many open queries. Namely, even a success probability of 1/2 will not be good enough. Most, if not all, prior works circumvent this issue by using an IND-CCA PKE as building block rather than a (possibly inefficient) online extractable NIZK to simulate the decryption of ct.

Theorem 4.6
The accountable ring signature scheme ARS in Fig. 1  Proof We prove unforgeability using a hybrid argument with the following series of games. Let the advantage of the adversary A in Game i be denoted by Adv i (A).
Game 1 : This is the original unforgeability game defined in Def. 3.18. The adversary's advantage in this game is Adv 1 (A) = Adv Unf ARS (A) by definition. Game 2 : This is the same as Game 1 , but the winning condition is changed. We let the challenger maintain a list L O of all the random oracle queries that A makes. When A finishes the game by outputting (opk, vk, R, M, σ = (ct, π sign ), π), the challenger runs (I , sk, r ) ← OnlineExtract(M, (R, opk, ct), π sign , L O ). The game results in a loss if ((R, opk, ct), (I , sk, r )) / ∈R sig , otherwise, the winning condition is not changed. We construct an online-extractability adversary B 1 for NIZK,lbl that simulates Game 2 for A. He replies random-oracle queries from A by querying (hash, ·) (see Def. 3.10), signing queries by making an oracle call (prove, M, (R, opk, ct), (I , sk, r )) instead of computing π sign himself, and makes the oracle call (extract, M, (R, opk, ct), π sign ) instead of running OnlineExtract. The view of A during the game simulated by B 1 is identical to its view during Game 1 and Game 2 . Suppose that the output received by A is a win for the winning condition of Game 1 , but a loss for the winning condition of Game 2 . This means that NIZK.Verify O lbl (M, (R, opk, ct), π sign ) = and (ct, π sign ) was not the output of a query (sign, opk, vk , R, M) for any vk , otherwise the winning condition of Game 1 would not be met. Moreover, we would have ((R, opk, ct), (I , sk, r )) / ∈R sig , otherwise the winning condition of Game 2 would be met. This is precisely the situation B 1 needs in order to win the online extractability game. Therefore, we have Adv 1 (A) ≤ Adv 2 (A) + Adv OE NIZK,lbl (B 1 ) Game 3 : This is the same as Game 2 except that we change the way the challenger answers signing queries from A. Specifically, the challenger generates ct as in Game 2 but uses the zero-knowledge simulator Sim = (Sim 0 , Sim 1 ) for NIZK,lbl to create the proof π sign . That is, it forwards the random-oracle queries to Sim 0 , and runs Sim 1 to get π sign . It then outputs (ct, π sign ) as the signature. Let B 2 be an adversary against the zero-knowledge property of NIZK,lbl , which simulates Game 3 for A by forwarding random-oracle queries and proving queries to the oracles Sim 0 and Sim 1 , respectively. If B 2 is given access to oracles O and Prove (see Def. 3.8), then A's view is identical to Game 2 , and if B 2 is run with access to Sim 0 , Sim 1 , then A's view is identical to Game 3 . Therefore, we have Adv 2 (A) ≤ Adv 3 (A) + Adv ZK NIZK,lbl (B 2 ). Game 4 : This is the same as Game 3 except that we change the winning condition again: the challenger guesses a random index I ∈ {1, . . . , Q u } at the outset of the game. If A makes a corruption query to corrupt the verification key returned in the I -th user key generation query, then Game 4 aborts. The game results in a win if the winning condition of Game 3 is met and if I = I . Since I is information-theoretically hidden during the execution of the game, we have I = I with probability 1/Q u . Therefore, we have Adv 3 (A) = Q u Adv 4 (A).
Finally, let B 3 be an adversary against (RelSetup, IGen) which simulates Game 4 for A. At the beginning of the game, B 3 is given an instance (pp 1 , x). The adversary B 3 simulates an execution of Game 4 by using the public parameter pp 1 that is given to him, rather than generating a new pp 1 himself using RelSetup, and by answering the I -th ukeygen query assigning vk I = x instead of running (x, w) ← IGen(pp 1 ). Note that B 3 does not need w because if A makes a query to corrupt vk I then the game aborts. The view of A during B 3 's simulation is the same as its view during a real execution of Game 4 , so OnlineExtract outputs a valid witness ( I , sk, r ) with probability at least Adv 4 (A). If this is the case, then B 3 wins his game against the hardness of (RelSetup, IGen) by outputting sk. Therefore, we have Adv 4 (A) ≤ Adv Hard RelSetup,IGen (B 3 ). Theorem 4.7 The accountable ring signature scheme ARS in Fig. 1 is traceable and , ct, I ), π open ) = . This means that A did not win the traceability game. Therefore, A produces valid proofs for statements not inR sig with probability at least Adv Tra ARS (A). We can use this to construct an adversary B 1 against the statistical soundness of NIZK,lbl that generates pp ← ARS.Setup(1 λ ) for a security parameter λ, runs (rr, R, M, σ ) ← A(pp) where σ = (ct, π sign ), and (osk, opk) ← ARS.OKGen(pp; rr), and outputs (M, x := (R, opk, ct), π sign ), which makes B 1 win. B 1 's advantage is therefore Adv Tra ARS (A) ≤ Adv soundness NIZK,lbl (B 1 ). Tracing soundness Similarly, tracing soundness follows from the statistical soundness of NIZK and NIZK,lbl , and the (R , KR )-correctness of the PKE . In order for A to win the tracing soundness game, it needs to output valid proofs π sign , π 0 , π 1 (the former is part of the produced signature σ = (ct, π sign )) such that there exist witnesses (I , sk, r ), osk 0 and osk 1 where with I 0 = I 1 . However, it follows from the (R , KR )-correctness of PKE that no three such witnesses can exist. Suppose, towards a contradiction, that those witnesses exist. Then we have I 0 = Dec(osk 0 , ct = Enc(opk, I ; r )), so the (R , KR )-correctness implies that I 0 = I , and similarly it follows from I 1 = Dec(osk 1 , ct = Enc(opk, I ; r )) that I 1 = I , which contradicts I 0 = I 1 . Therefore, at least one of π sign , π 0 , π 1 is a valid proof of an invalid statement, i.e. a X for which does not exist W such that (X, W) ∈R sig (or (v) ∈R open ), with probability at least Adv TraS ARS (A). Let B 2 and B 3 be statistical-soundness adversaries for NIZK,lbl and NIZK , respectively, that simulate the tracing soundness game and output π sign or π b , respectively, where b is a random bit. Then we have Adv TraS ARS (A) ≤ Adv soundness NIZK,lbl (B 2 )+ 2Adv soundness NIZK (B 3 ).

Accountable ring signature to dynamic group signature
Accountable ring signatures are known to trivially imply dynamic group signatures [19,20]. A formal treatment is provided by Bootle et al. [20]. We remark that the transformation provided in [20] retains the same level of security provided by the underlying accountable ring signature. That is, all reductions between unforgeability, full-anonymity and traceability are tight. For completeness, we provide more details on group signatures and the transformation in App. B.

Tightly secure variant
Observe the only source of loose reduction in the previous section was in the unforgeability proof (see Theorem 4.6), where we assume each building blocks, i.e., NIZK and PKE, are tightly reduced to concrete hardness assumptions. In this subsection, we apply the Katz-Wang technique [61] to modify our construction in Fig. 1 to obtain a tight reduction.
We firstly give an intuition of the method. Recall that in the proof of Theorem 4.6, the reduction is given a challenge instance x, guesses which user's signature the adversary will forge, and assigns x to the verification key vk of the selected user. If the adversary queries the corruption oracle on the key vk, the reduction fails and aborts since it will not be able to produce the corresponding secret key for vk. If the guess is correct and the adversary successfully forges the signature, then the reduction can recover a witness w such that (x, w ) is in the relation R pp 1 . Therefore, if the adversary makes Q u user key generation queries and its advantage is , then the reduction can extract a witness with probability roughly /Q u . A high-level viewpoint of the Katz-Wang method is that each user is given a pair of statements (x (1) , x (2) ) as the verification key vk, with only one witness w as the secret signing key, such that either (x (1) , w) or (x (2) , w) is in the relation R pp 1 . Also, we assume that now the reduction is given Q u challenge instances {x i } i∈[Q u ] and it is required to solve any one of them. The reduction in this case needs no guessing steps as above. Specifically, the reduction can use IGen to generate pairs ( x i , w i ) for i ∈ [Q u ], randomly permutes x i , x i and assigns the obtained ordered pair to vk i . Therefore, the reduction can always answer any corruption query with w i . As long as the adversary wins the unforgeability game by forging a signature, the reduction can return a witness for one of the {x i } i∈[Q u ] with probability 1/2. Roughly speaking, if the success rate of the adversary is , then the reduction can extract the answer for the challenge ( , X 0 , {x i } i∈[Q u ] ) with probability around /2. Here, it is important that the information on which verification key the user knows the corresponding signing key remains hidden from the adversary. Otherwise, the adversary may always create a forgery with respect to the signing key the reduction already knows.
To turn the above idea into a formal proof, we require two new ingredients: an instance generator that outputs multiple challenges and a NIZK that additionally hides the information on which signing key is used. More formally, we build a tightly secure accountable ring signature scheme • A hard multi-instance generator (RelSetup, IGen) contains a setup algorithm RelSetup that outputs a description pp of a pair of relations R p p ⊆R p p, and an instance generator IGen for these pairs of relations. That is, RelSetup and IGen are PPT algorithms such that Pr Moreover, if we define the advantage of an adversary A against (RelSetup, IGen) as  [2] , pk, ct), [2] , pk, ct), • A second The building blocks listed above are combined similarly to Fig. 1. For the sake of completeness, we detail the resulting protocol in Fig. 2. For the security properties, we only focus on unforgeability. The others are a direct consequence of the proofs given for the non-tight construction in Fig. 1.

Theorem 4.8 The accountable ring signature scheme
Tight ARS in Fig. 2 is unforgeable in the random oracle model. More precisely, for any adversary A that runs in time T and makes Q u queries to the ukeygen oracle, there exist adversaries Proof We prove unforgeability using a hybrid argument with the following series of games. Let the advantage of an adversary A in Game i be denoted by Adv i (A).
• The first game, Game 1 , is the original unforgeability game defined in Def. 3.18. The adversary's advantage in this game is Adv 1 (A) = Adv Unf ARS (A) by definition. • Game 2 is the same as Game 1 , but with a modified winning condition. We let the challenger maintain a list L O of all the random-oracle queries that A makes. When  • The third game, Game 3 , is the same as Game 2 except that we change the way the challenger answers signing queries from A. Specifically, the challenger generates ct as in Game 2 but uses the NIZK,lbl zero-knowledge simulator Sim = (Sim 0 , Sim 1 ) to create the proof π sign . As we have shown in the proof of Theorem 4.6, there exists a zeroknowledge adversary B 2 for NIZK,lbl running in time O(T ) and such that Adv 2 (A) ≤ Adv 3 (A) + Adv ZK NIZK,lbl (B 2 ). • Finally, we consider an adversary B 3 against the hardness of (RelSetup, IGen) which simulates Game 3 for A. At the beginning of the game, the adversary B 3 is given the instances (pp 1 , {x} i∈[Q u ] ). B 3 uses the public parameter pp 1 that is given to him, rather than generating new pp 1 himself using RelSetup. Moreover, when answering the i-th ukeygen query, B 3 uniformly draws b i from {1, 2}, generates ( x i , w i ) ← IGen(pp 1 ), and assigns vk i = (x (1) i , x Note that now B 3 is able to respond to any valid corruption query corrupt. In fact, for any i ∈ [Q u ], if A makes a corruption query to corrupt vk i , then B 3 responds by sk = (b i , w i ). The view of A during B 3 's simulation is the same as its view during a real execution of Game 3 , so OnlineExtract outputs a valid witness ( I , sk = (b , w ), r ) with probability at least Adv 3 (A). Since the sampling of the statements and witnesses follows the same distribution determined by IGen(pp 1 ) in the real execution, there is an 1/2 chance that b = (3 − b I ). That is, (x I , w ) ∈ R pp 1 . Therefore, we have Adv 3 (A)/2 ≤ Adv Multi-Hard RelSetup,IGen,Q u (B 3 ).

Group-action-based hard instance generators and PKEs
In this section, we introduce group-action-based hard instance generators (HIGs) and groupaction-based PKEs. These are classes of HIGs and PKEs, that derive their security from cryptographic group actions, and which have some specific internal structure. We define these concepts because, as we will see in Sects. 6 and 7, if we instantiate our generic accountable ring signature construction with a group-action-based HIG and a group-action-based PKE, then we can construct a very efficient multi-proof online extractable NIZK for the R sig relation. We provide concrete instantiations of group-action-based HIGs and PKEs from lattices and isogenies in Sect. 8.

Group-action-based hard instance generator
We consider a special class of hard instance generators naturally induced by cryptographic hard actions.

Definition 5.1 (Group-Action-based Hard Instance Generator) A group-action-based hard
instance generator, GA-HIG in short, is a pair of efficient algorithms (RelSetup, IGen) with the following properties: • On input a security parameter λ, RelSetup outputs pp = (G, S 1 , S 2 , δ, X 0 , X , ) such that: G is an additive group whose elements can be represented uniquely, S 1 ⊆ S 2 are symmetric subsets of G, such that membership in S 1 and S 2 can be decided efficiently, and such that the group law can be computed efficiently for elements in S 1 ∪ S 2 . Moreover, the intersection S 3 = ∩ g∈S 1 g + S 2 has cardinality δ|S 2 | and membership of S 3 can be decided efficiently. is an action : G × X → X of G on a set X that contains the element X 0 . can be evaluated efficiently on elements of S 1 ∪ S 2 . These parameters describe an NP-relation and a relaxed NP-relatioñ • On input pp, IGen samples an element s from S 1 and outputs (s X 0 , s) ∈ R p p.

Group-action-based PKE
We also consider group actions provided with a corresponding public-key encryption scheme, as specified in the following definition.

Definition 5.2 (Group-action-based PKE) A group-action-based public-key encryption scheme,
GA-PKE in short, is a public-key encryption scheme GA -PKE = (Setup, KeyGen, Enc, Dec) with the following properties: Setup(1 λ ) → pp : On input a security parameter 1 λ , it returns the public parameter pp = (G, G M , X , S 1 , S 2 , δ, D X , M , M) (sometimes implicitly) used by the scheme.
Here, G, G M are additive groups, S 1 , S 2 two symmetric subsets of G, X a finite set, δ a real number in [0, 1], D X a distribution over a set of group actions p k : G × X → X and elements in X , M : G M × X → X a group action, M ⊆ G M a message space. For any polynomially large N ∈ N, we assume that there exists a feasible and invertible embedding τ from the set of index [N ] into the message space M. For simplicity, we will write τ (i) M X , Enc(pk, τ (i)) as i M X , Enc(pk, i) respectively without causing confusion. KeyGen(pp) → (pk, sk) : On input a public parameter pp, it returns a public key pk and a secret key sk. We assume pk = ( p k, X p k) to be drawn from D X , where p k : G × X → X is a group action and X p k ∈ X , and sk ∈ G. We also assume pk includes pp w.l.o.g. Enc(pk, M; r ) → ct : On input a public key pk = ( p k, X p k) and a message M ∈ M, it returns a ciphertext ct. We assume ct is generated as M M (r p kX p k) ∈ X , where the encryption randomness is sampled as r $ ← S 1 . Dec(sk, ct) → M : On input a secret key sk and a ciphertext ct, it (deterministically) returns a message M ∈ M. In addition, we assume the following properties hold for the group actions defined by pp. 1. There exists a positive-valued polynomial T such that for all λ ∈ N, pp ∈ Setup(1 λ ), and (pk, sk) ∈ KeyGen(pp), one can efficiently compute g p kX for all g ∈ S 1 ∪ S 2 and all X ∈ X in time at most T (λ), sample uniformly from S 1 and S 2 , and represent elements of G and X uniquely. It is also efficient to compute the action M for every possible input. 2. The intersection S 3 of the sets S 2 + g, with g varying in S 1 , is such that its cardinality is equal to δ|S 2 |. Furthermore, it is efficient to check whether an element g ∈ G belongs to S 3 .
We further require a group-action-based PKE to satisfy standard correctness and decryption efficiency.

Definition 5.3 (Correctness and Decryption Efficiency) We say a group-action-based PKE
GA -PKE is correct if for all λ ∈ N, and for all but a negligible fraction of pp ∈ Setup(1 λ ), we have Dec(sk, Enc(pk, M)) = M for all (pk, sk) ∈ KeyGen(pp) and M ∈ M.
Moreover, we require Dec to run in poly(λ) for a fixed polynomial function poly and for all possible inputs.
As we show in Sect. 4.1, in order to construct an accountable ring signature, a group-actionbased PKE is also required to be (multi-challenge) IND-CPA secure and (R , KR )-correct for some relaxed randomness set R and some relaxed key relation KR (Def. 4.1).
The concrete choice of (R , KR ) may depend on the instantiation. For instance, while we define (R , KR ) = (R, KR) for our isogeny-based instantiation in Sect. 8.1, we must rely on a strictly wider relation for our lattice-based instantiation to compensate for the relaxed soundness. In slightly more detail, in our lattice-based NIZK, we are only able to argue that an adversary created a ciphertext ct using message M and randomness r ∈ R , and/or that a ct can be decrypted to M using secret key sk such that (pk, sk) ∈ KR . Roughly, (R , KR )correctness guarantees that such an argument suffices to prove that ct can only be decrypted to a unique M.

Sigma protocol for a "Traceable" OR relation
In this section, we present an efficient sigma protocol for the relation R sig introduced in Sect. 4.1, using group-action-based HIG and a group-action-based PKE from the previous section. Recall this relation was used to define the multi-proof online extractable NIZK with labels NIZK , which allowed an OR proof along with a proof of opening to a ciphertext. Looking ahead, in Sect. 7, we show that our sigma protocol can be turned into a multi-proof online extractable NIZK using the Fiat-Shamir transform. This is in contrast to the common application of the Fiat-Shamir transform that only provides a proof of knowledge via the rewinding argument [50,81]. We note that we do not focus on the other NIZK for the relation R open in Sect. 4.1 since they can be obtained easily from prior works.
We call the sigma protocol we present in this section as a traceable OR sigma protocol since it allows to trace the prover. This section is structured as follows. Firstly, we introduce a base traceable OR sigma protocol base for the relation R sig with proof size O(log N ) but with a binary challenge space. Secondly, we amplify the soundness of the sigma protocol by performing parallel repetitions. Here, instead of applying λ-parallel repetitions naively, we optimize it using three approaches developed in [14] to obtain our main traceable OR sigma protocol tOR . Finally, we show a sigma protocol for the "tight" relation R Tight sig introduced in Sect. 4.3.

From a group-action-based HIG and PKE to base traceable OR sigma protocol
In this section, we present a base OR sigma protocol for the relation R sig with a binary challenge space from which the main OR sigma protocol will be deduced.
Recall that by definition of GA-PKE (Def. 5.2), the ciphertext ct is restricted to the simple form I M (r p kY p k) ∈ Y, where r ∈ S 1 ⊆ G. Sigma Protocol for R sig . We now sketch the base traceable OR sigma protocol base .
A prover with witness (I , s, r ) and builds a Merkle tree with (C 1 , . . . , C N ) as its leaves, obtaining root. Here, notice r pk (−i M ct) = r pk (−i + I ) M (r pk Y pk ) is simply (r + r ) p kY p k when i = I . Then, the prover sends com = root to the verifier as the commitment of the sigma protocol. The verifier, in turn, responds with a uniform challenge chall ∈ {0, 1}.
If the challenge bit chall is 0, then the prover sends (s , r ) and the commitment randomness {bits i } i∈ [N ] . That is, all the randomness it generated in the first round. The verifier then can reconstruct the Merkle tree and verify that the root of the obtained tree is equal to root.
If the challenge bit chall is equal to 1, then the prover computes s = s + s, r = r + r . The prover aborts the protocol if s / ∈ S 3 or r / ∈ S 3 . The first event will occur with probability (1 − δ x ) and, similarly, the second event will occur with probability (1 − δ y ). Otherwise, the prover sends (r , s ) together with the path connecting C I to root in the Merkle tree, and the corresponding commitment randomness bits I to the verifier. The verifier computes C I = O(Com s X 0 r p kY p k bits I ) and uses the received path to reconstruct root of the Merkle tree. The verifier checks whether root = root.
To reduce the communication cost, a pseudorandom number generator (PRG) Expand can be run over a uniform seed seed ∈ {0, 1} λ to produce the group elements s , r and all commitment randomness values bits 1 , . . . , bits N (part of the response for chall = 0). As a consequence, if the challenge bit is 0, the prover responds with seed so that the verifier can generate (s , r , bits 1 , · · · , bits N ) with the PRG Expand. The response corresponding to the challenge bit chall = 1 remains unchanged. We instantiate the PRG by a random oracle O(Expand ·). Looking ahead, using a PRG not only provides efficiency, but it proves to be essential when proving multi-proof online extractability when compiled into a NIZK. Roughly, the seed binds the cheating prover from using arbitrary (s , r , bits 1 , · · · , bits N ) and the random oracle allows for efficient extraction. Finally, we instantiate the collision-resistant hash function H Coll (·) used in our Merkle tree by a random oracle O(Coll ·).
A formal description of base is provided in Fig. 3 Security of Sigma Protocol base . The following Theorems 6.1 and 6.2 summarize the security of our sigma protocol. We point out that in Theorem 6.1, we show our sigma protocol satisfies special soundness for the relations R sig andR sig such that R sig ⊂R sig , rather than for the relations R sig andR sig such that R sig ⊆R sig , whereR sig is the relaxed relation introduced in Sect. 4.1. The subtle difference is thatR sig captures the scenario where the extractor may extract a witness that forms a collision in the random oracle. This has no concrete impact as we are able to turn such a sigma protocol into a multi-proof online extractable NIZK for the relations R sig andR sig .

Theorem 6.1
The sigma protocol base has correctness with abort rate (1 − δ x δ y )/2 and relaxed special soundness for the relations R sig andR sig , wherẽ Here,R sig is identical to the one defined in Sect. 4

.1 if we ignore the hash collision
Proof Correctness. Say the prover honestly runs base on an input (I , s, r ) satisfying X I = s X 0 and ct = Enc(pk, I ; r ), and does not abort. If chall = 0, then the verifier repeats the computation in the commitment phase (see Round 1 in Fig. 3) and therefore obtains the same output. If chall = 1, then the verifier computes T = s X 0 and ct = r p kY p k where s = s + s and r = r + r . Besides, since T is equal to T I = s X I , ct is equal to ct I = r p k(−I M ct) and C = O(Com T ct bits) is equal to the leaf C = C I ∈ {C 1 , · · · , C N }, the verifier reconstructs the root root which is equal to root. Hence, the protocol has (non-abort) correctness. Abort rate. The prover will not abort in the case chall = 0. When chall = 1 (which occurs with probability 1/2) the prover aborts if s = s + s / ∈ S 3 or r = r + r / ∈ S 3 . We note that s is in S 1 and s is drawn uniformly at random from S 2 (in the random oracle model). We can therefore say s is drawn uniformly at random from S 2 + s, which contains S 3 as a subset. So the probability that s = s + s ∈ S 3 is |S 3 |/|S 2 | = δ x . The same reasoning applies to r , so the probability of both s , r lying in S 3 , S 3 respectively is δ x δ y and the total abort rate is (1 − δ x δ y )/2 Relaxed special soundness. Given two valid transcripts for the same statement and on the same commitment, (com, 0, seed) and (com, 1, (s , r , path, bits)) where com = root, an extraction algorithm Extract for a witness for the relation R p k proceeds as follows. Extract firstly generates (s , r , bits 1 , · · · , bits N ) ← O(Expand seed) and constructs C 1 , · · · , C N such that the Merkle Tree with leaves (C 1 , · · · , C N ) has root equal to root. Extract outputs W = (Coll x 1 , Coll x 2 ) as the witness if it there exists (Coll x 2 ). Otherwise, by Lem. A.1, we can assume C = O(Com s X 0 r p kY p k bits) is equal to C I ∈ {C 1 , · · · , C N } for some I ∈ [N ]. Then, Extract outputs W = (Com x 1 , Com x 2 ) as the witness if it there exists x 1 = x 2 such that O(Com x 1 ) = O(Com x 2 ). Otherwise, from C = C I , we can assume s X I = s X 0 , r p k( I M ct) = r p kY p k, and bits = bits I . Let s = −s + s ∈ S 2 + S 3 and r = −r + r ∈ S 2 + S 3 . Finally, Extract outputs W = ( I , s, r ). Here, the equalities s X 0 = X I and I M ( r p kY p k) = ct follow directly from the relations s X I = s X 0 and r p k( I M ct) = r p kY p k, respectively. Therefore, W = ( I , s, r ) is a witness for the "relaxed" relation R pk . Hence, the protocol base has relaxed special soundness.
where P is a non-aborting prover P = (P 1 , P 2 ) run on (X, W) with a challenge fixed to chall.
Proof Assume the adversary makes Q Expand and Q Com queries to the random oracles of the form O(Expand ·) and O(Com ·), respectively. We have Q Expand + Q Com ≤ Q. The PPT simulator Sim O , on input (X, chall), proceeds as follows.
In the first case, the whole transcript is generated exactly as in the protocol. Hence transcripts generated by P O and Sim O are indistinguishable to the adversary A. Therefore, we have To conclude the proof, it suffices to show that the difference between the probabilities that the adversary A outputs 1 for the other case, chall = 1, is also bounded by Q 2 λ . We use a hybrid argument by introducing a series of simulators Sim 0 = P, . . . , Sim 4 = Sim, gradually changing from the honest prover P to Sim, to show that they are indistinguishable with overwhelming probability. We fix an adversary A, (X, W) ∈ R sig , and for each i ∈ {0, 1, . . . , 4}, we denote by E i the event that A O (1 λ , Sim O i (X, chall = 1)) = 1. • Sim 1 is identical to Sim 0 except that instead of using Expand to generate s , r , {bits i } i∈ [N ] , the simulator generates these by sampling uniformly at random from the corresponding domains. This does not change the view of A, unless the adversary queries O on input (Expand seed). Since seed has λ bits of min-entropy and because it is informationtheoretically hidden from A, the probability that A queries O on this input is bounded by • Sim 2 is identical to Sim 2 except that all the commitments C i for i ∈ [N ] \ {I } are generated uniformly at random. This does not change the view of A, unless the adversary queries O on input (Com T i ct i bits i ) for any i ∈ [N ]\{I }, where T i = s X i and ct i = r p k(−i M ct). Since for any i ∈ [N ] \ {I } the string bits i has λ bits of min-entropy and because it is information-theoretically hidden from A, the probability • Sim 3 is identical to Sim 3 except that instead of computing s , r as s + s, r + r (conditioned on them respectively lying in S 3 , S 3 , due to non-aborting transcripts), the simulator generates these two values by sampling uniformly at random from S 3 , S 3 , respectively. Both the distributions are uniform over S 3 and S 3 . Therefore, we have Collecting the bounds, we obtain the bound in the statement.

From base to main traceable OR sigma protocol
In this section, compile base to make the soundness error negligibly small. This is straightforward if we run the OR sigma protocol in parallel λ-times. However, we show how to do much better by incorporating the three optimizations developed in [14] explained in the technical overview. Our main traceable OR sigma protocol, denote by tOR , is detailed in Fig. 4. Unbalanced Challenge Space Given the construction base , one can observe that the response produced by the prover by running P 2 when the challenge is 1 is larger than the response produced when the challenge is 0, which is a single seed of λ bits. Concretely, the response for the challenge chall = 1 consists of a Merkle tree path, two elements in S 3 , S 3 respectively, and a λ bit string. We leverage this fact by preparing an unbalanced challenge space C M,K , where each element in C M,K is a string containing K 1's and M − K 0's. We chose K M to chose more 0's, while satisfying M K ≥ 2 λ for negligible soundness error. Seed Trees The seed tree described in Sect. A.2 allows the prover to generate all seeds seed by using a single seed seed root , and reveal parts of the tree according to the challenge. A smaller signature size follows directly from this approach. Adding Salt We prefix a salt and the session identifier, i.e. (salt i), to the random oracle when used within the i-th parallel execution of base . In particular, throughout such execution, O i (·) = O(salt i ·) is used. The salt is used as a prefix also within the construction of Merkle trees and seed trees. Adding salt benefits the protocol in having a tighter reduction and resisting multi-target attacks, such as those in [41]. The approach appears to make no difference in a sigma protocol but it is quite beneficial for a group (ring) signature scheme after we apply the Fiat-Shamir transform. Roughly, in the anonymity game (Def. 3.17) each oracle O query made by the adversary will only give useful information to at most one challenge signature due to distinct prefix salts. In contrast, without salts an oracle query of O can give useful information to each challenge signature. Fig. 4 Main traceable OR sigma protocol tOR = (P = (P 1 , P 2 ), V = (V 1 , V 2 )) for the relation R sig built on the the base traceable OR sigma protocol base = (P = (P 1 , P 2 ), V = (V 1 , V 2 )) in Fig. 3. The challenge space is defined as C M,K := {c ∈ {0, 1} M | c 1 = K }. Both the seed tree and base have access to salted random oracles derived from O Theorem 6.3 The sigma protocol tOR has correctness with abort rate (1−δ K x δ K y ), high minentropy, and relaxed special soundness for the relations R sig andR sig , where the relations are identical to those used in Theorem 6.1.
Proof As a starting remark, we note that in the following lines we will use the notation of Fig. 4. Correctness and abort rate. If the execution of tOR does not abort, then the verifier will accept with probability 1 due to the correctness of base and SeedTree. We recall that in the case of challenge equal to 1 the execution of base will abort with probability (1 − δ x δ y ). Since the challenge c, sampled from C M,K , is of Hamming weight K , the abort rate of tOR is (1 − δ K x δ K y ). High min-entropy. Since a random salt of length 2λ is included in the commitment com, it has at least 2λ bits of min-entropy. Relaxed special Soundness. The proof is similar to the one for the relaxed special soundness of base . Let (com, chall = c, resp) (com, chall = c , resp ) be two accepting transcripts for the same statement. Without loss of generality, say c j = 0, c j = 1, i.e. the j th components of c and c are different. By computing , the extraction algorithm gets resp j . In this way, two valid transcripts (com j , 0, resp j ) and (com j , 1, resp j ) for base have been obtained, and the extractor of base in Theorem 6.1 can be invoked to extract the witness for the relationR sig . To be concrete, in case a witness W = (x 1 , x 2 ) is extracted by the extractor of Theorem 6.1 such that it forms a collision in the random oracle O j = O(salt j ·), then the extractor appends x 1 and x 2 by either salt j Coll or salt j Com to produce a collision in O.

Theorem 6.4
The sigma protocol tOR has non-abort special zero-knowledge. Precisely, there exists a PPT simulator Sim O with access to a random oracle O such that, for any statement-witness pair (X, W) ∈ R sig , chall ∈ C M,K and any computationally-unbounded adversary A that makes at most Q queries of the form (salt ·) to the random oracle O, where salt is the salt value included in the transcript returned by P or Sim, we have where P is a non-aborting prover P = (P 1 , P 2 ) run on (X, W) with a challenge fixed to chall.
Proof The PPT simulator Sim O (X, chall) for the main sigma protocol tOR proceeds as in Fig. 5, where the simulator used for the base sigma protocol base in Theorem 6.2, denoted by Sim is a subroutine. Say the adversary makes Q i queries to the random oracle of the form We use a hybrid argument by introducing a sequence of simulators Sim 0 , · · · , Sim 2 that gradually change from Sim 0 = P to Sim 2 = Sim. We fix an adversary A, (X, W) ∈ R sig , and for each i ∈ {0, 1, 2}, we denote by E i the event A O (1 λ , Sim O i (X, chall)) = 1. • Sim 1 is identical to Sim 0 , except that, rather than using a SeedTree with root seed root to generate seeds internal and {seed i } i s.t. c i =0 , the simulator instead runs Collecting the bounds, we obtain the bound in the statement.

Tight sig
In this section, we show how to slightly tweak our base sigma protocol for the relation R sig to obtain a sigma protocol for the "tight" relation R Tight sig (see Sect. 4.3). This can then be used to construct the desired NIZK for R Tight sig required for our tightly secure accountable ring signature construction (see the full version of this paper).
As explained in the technical overview, we can use the sigma protocol for R sig along with the sequential OR-proof [51] to construct a sigma protocol for the "tight" relation R Tight sig . Unfortunately, this approach requires to double the proof size. Instead, we present a small tweak to our sigma protocol for R sig to directly support statements in R Tight sig . Concretely, we use the same Merkle tree to commit to the 2N instances {X [2] and for each X (1) i and X (2) i , we encrypt the same index i. The main observation is that when the prover opens to the challenge bit 1 (which is the only case that depends on the witness), the path does no leak which X (1) i and X (2) i it opened to, and hence hides b ∈ [2]. Notice the only increase in the size of the response is due to the path. Since the accumulated commitment only grows from N to 2N , the overhead in the size of the path is merely 2λ bits. By using the unbalanced challenge space C M,K for the optimized parallel repetition, which consists of M-bit strings of Hamming weight K , the additional cost is only 2K λ where we typically set K to be a small constant (e.g., K ≤ 20 for our concrete instantiation). This is much more efficient than the generic approach that doubles the proof size.
Formally, the sigma protocol for the "tight" relation R Tight sig , denoted as baseTi , is provided in Fig. 6. We can turn it into a full-fledged sigma protocol with negligible soundness error by applying exactly the same argument in Sect. 6.1. We omit the proof of correctness and security for baseTi as they are almost identical to those of our sigma protocol base for R sig . 7 Multi-proof online extractable NIZK from sigma protocol 5 tOR

6
In this section, we show that applying the Fiat-Shamir transform to our traceable OR sigma protocol tOR from the previous section results in a multi-proof online extractable NIZK with labels NIZK,lbl . The construction of our NIZK,lbl for the relation R sig is provide in Fig. 7. 9 We assume the output of O(FS ·) is an M-bit string of Hamming weight K , i.e., the image is the challenge set C M,K .
Correctness of NIZK,lbl for the relation R sig follows directly from the correctness of the underlying traceable OR sigma protocol tOR . We show in Theorems. 7.1 and 7.4 that NIZK,lbl is multi-proof online extractable and zero-knowledge. We highlight that while we show special soundness for tOR with respect to the relaxed relationR sig (see Theorem 6.1), NIZK,lbl is multi-proof online extractable with respect to the relaxed relationR sig originally considered in Sect. 4.1 for the generic construction of accountable ring signature. At a high level, we upper bound the probability that a cheating prover finds a collision in the random oracle, which was the only difference betweenR sig andR sig . This subtle difference makes the resulting NIZK more handy to use as a building block, since we can ignore the edge case where the extractor accidentally extracts a collision in the random oracle. Below, we provide the proof of the multi-proof online extractability.

Theorem 7.1
The NIZK with labels NIZK,lbl in Fig. 7 is multi-proof online extractable for the family of relations R sig andR sig considered in Sect. 4.1, where R sig was formally redefined using notations related to group actions in Sect. 6.1 andR sig is formally redefined as follows: More precisely, for any (possibly computationally-unbounded) adversary A making at most Q queries to the random oracle and T queries to the extract oracle, we have Proof We begin the proof by providing the description of the online extractor OnlineExtract. Below, it is given as input (lbl, X, π, L O ), where π is guaranteed to be valid by definition.
We analyze the probability of A winning the multi-proof online extractability game with the above online extractor OnlineExtract. Below, P and V are the prover and verifier of the base traceable OR sigma protocol base in Fig. 3.
• We say a tuple input base = (X, salt, j, com, chall, resp) is valid if the following properties hold: (com, chall, resp) outputs accept (i.e., it is a valid transcript for base with challenge 1); -there exists (seed, s , r , bits 1 , · · · , bits N ) such that (salt j Expand seed), (s , r , bits 1 , · · · , bits N ) ∈ L O , and if we execute P O(salt j ·) 1 with randomness seed, it produces com. Here, we use the fact that P can be executed without the witness. By correctness of base , this implies that (com, 0, seed) is a valid transcript.
Observe that if input base is valid, then the online extractor can recover a valid transcript (com, 0, seed) from input base . Then, it can (informally) extract a witness by combining it with (com, 1, resp) and using the extractor from base constructed in Theorem 6.1. In contrast, if input base is invalid, then intuitively, no adversary would be able to prepare a valid response resp = seed for the challenge chall = 0 since L O (i.e., the random oracle query the adversary makes) does not contain a valid response. However, to make this claim formal, we need to also take into account the fact that the adversary may learn non-trivial information about resp = seed via the proof output by the prove query. That is, when the challenger runs P O , the adversary may learn non-trivial input/output pairs without directly querying the random oracle itself. In this case, even though no useful information is stored in L O , the adversary may still be able to forge a proof.
We formally show in Lem. 7.2 below that if an adversary A submits an extract query on a valid input (lbl, X, π), then a valid input base must be included in π (i.e., it cannot consist of input base that are all invalid). This allows us to argue that the online extractor will be able to recover two valid transcripts with overwhelming probability, which then further allows the online extractor to extract the witness by running the extractor for the special soundness of the base traceable OR sigma protocol base .

Lemma 7.2 Assume an adversary A submits a total of T extract queries of the form
, where every π k is a valid proof including the same salt and satisfies (lbl k , X k , π k ) / ∈ L P . Let {(com k, j , chall k, j , resp k, j )} j∈ [M] be the transcript of the base traceable OR sigma protocol base that the verification algorithm reconstructs when verifying π k (see Line 7 of Verification V O 2 in Fig. 4). Then, with probability at least 1 Proof For any k ∈ [T ], let us redefine π k = (com, chall, resp), (com, chall) = ((salt, com 1 , · · · , com M ), c = (c 1 , · · · , c M )) where c = O(FS lbl X com), resp = (seeds internal , {resp j } j s.t. c j =1 ). Namely, we omit the subscript k for better readability. We consider two cases: (1) there exists (lbl, X, π ) ∈ L P such that π = (com, chall, resp ) and resp = resp and (2) no such entry in L P exists.
We consider the first case (1). This corresponds to the case where A reuses the proof π obtained through the prove query by simply modifying the response. We claim that this cannot happen with overwhelming probability. Let resp = (seed internal , {resp j } j s.t. c j =1 ). It is clear if seed internal is different from seeds internal , then A finds a collision in the random oracle. Since we use a seed tree to generate the randomness used in each base sigma protocol, we can very loosely upper bound the probability of A outputting such transcript for any k ∈ [T ] by Q salt /2 2λ . Similarly, consider resp j = resp j for some j such that c j = 1. Then, it either finds a collision in O(Coll ·) (used by the Merkle tree) or O(Com ·). We can again very loosely upper bound the probability of A outputting such transcript for any k ∈ [T ] by Q salt /2 2λ . Thus, case (1) occurs with probability at most Q salt /2 2λ−1 .
We next consider the second case (2). If com included in π is the same as π , then chall is the same challenge included in π since the challenge is generated as O(FS lbl X com). However, this results in a tuple that falls in the first case (1). Therefore, there exists no π in L P that contains the same com as π. This, in particular, implies that the output chall ← O(FS lbl X com) is distributed uniform random from the view of A before it makes the hash query. Now, for the sake of contradiction, we assume input base, j = (X, salt, j, com j , c j , resp j ) is invalid for all j ∈ [M] such that c j = 1. Let L O P be a list that contains all the inputs/outputs of the random oracle queries Prove O makes when the challenger answers the prove query made by A. We prove the following corollary.

Corollary 7.3 For any j * ∈ [M]
, if input base, j * is invalid, then either of the following holds: • there exists no tuple (s , r , bits 1 , · · · , bits N , seed) and j ∈ [M] such that (salt j Expand seed), (s , r , bits 1 , · · · , bits N ) ∈ L O P , but if we execute P O(salt j ·) 1 with randomness seed, it produces com j * ; • there exists such a tuple but seed retains λ-bits of min-entropy from the view of A except with probability at most (M Q salt )/2 λ .
Proof Assume such an entry is found in L O P . This corresponds to the case A is reusing com j * that was included in a proof π obtained through the prove query. Let {(com j , c j , resp j )} j∈ [M] be the transcript of the base traceable OR sigma protocol base that the verification algorithm reconstructs from such π (see Line 7 of Verification V O 2 in Fig. 4), where com j = com j * . Our current goal is to prove that c j = 1 (i.e., seed was not used as a response). Since com j and com j * are roots of a Merkle tree and the indices j and j * are used as prefix to the hash when constructing the roots, respectively, the probability of A outputting com j * such that j = j * is upper bounded by ((M − 1)Q salt )/2 λ . Below, we assume j = j * . Recall by definition of the online extractability game (see Def. 3.10), A runs the verification algorithm to check if π is valid. Therefore, if input base, j * is invalid, then we have c j = 1. Otherwise, there must exist an entry (salt j * Expand seed), (s , r , bits 1 , · · · , bits N ) ∈ L O , which contradicts that input base, j * is invalid. This further implies that resp j does not include seed. Then, by Lem. A.3 regarding the seed tree, seed that was used to construct com j = com j * is statistically hidden to the adversary with all but probability Q salt /2 λ . The proof is completed by collecting all the bounds.
By Lem. 7.3, if input base, j is invalid, then A cannot prepare a valid response for the challenge c j = 0 with all but probability at most (M Q salt )/2 λ . This is because such response is either not recorded in both L O and L O P , or it is recorded in L O P but the seed retains λ-bits of min-entropy from the view of A except with probability (M Q salt )/2 λ . Moreover, since chall is statistically hidden to A before it queries the random oracle, the probability that chall coincides with challenges for which A can open to is at most 1 − 1/|C M,K |, where recall C M,K is the challenge space (or equivalently the output space of O(FS ·)).
Taking the union bound and collecting all the bounds together, at least one of the input base must be valid with the probability stated in the statement. This completes the proof of the lemma.
We are now prepared to analyze the probability that A wins the multi-proof online extractability game with the aforementioned online extractor OnlineExtract. By Lem. 7.2, if A makes at most T extract queries, then by a simple union bound and using the inequality   Intermediate simulator Sim int , where P = (P 1 , P 2 ) is the prover of the traceable OR sigma protocol tOR in Fig. 4 and any computationally-unbounded adversary A that makes at most Q 1 queries to O or Sim 0 , and Q 2 queries to Prove or S, we have Proof To prove the zero-knowledge property of NIZK,lbl = (Prove O , Verify O ), we define a zero-knowledge simulator Sim = (Sim 0 , Sim 1 ) in Fig. 8, where Sim 0 and Sim 1 share states, including a list L which is initially empty. At a high level, Sim 0 simulates the random oracle O in an on-the-fly manner but replaces certain queries for consistency with Sim 1 . On the other hand, Sim 1 simulates the prover oracle using the simulator from the underlying sigma protocol, which we denote here by Sim (see Theorem 6.4), as a subroutine. Specifically, Sim 1 is given a valid statement X = ({X i } i∈ [N ] , pk, ct), and samples a random challenge chall from the challenge space C M,K , which is also the output space of O(FS ·). It then runs Sim on challenge chall by providing it oracle access to Sim 0 , and updates the list L accordingly. In Fig. 8, we denote by D x the distribution of O(x), where the probability is taken over the random choice of the random oracle O. Without loss of generality, we assume D x to be efficiently sampleable.
To show the indistinguishability of (O, Prove) and (Sim 0 , S), we use a hybrid argument by introducing an intermediate pair of simulators (Sim 0 , Sim int ), where Sim int is defined in Fig. 9. Let S int , analog to Prove and S, be an oracle that on input (lbl, X, W) returns ⊥ if lbl / ∈ L ∨ (X, W) / ∈ R sig and otherwise returns Sim int (lbl, X, W). Suppose A makes Q 1 queries to the oracles O or Sim 0 , and Q 2 queries to the oracles Prove, S int , or S. For each i ∈ {1, 2, 3}, we denote by E i the event that A returns 1 respectively. We analyze the differences by defining three games as follows: Game 1 : This is the real zero-knowledge game where A is given access to O and Prove. Game 2 : The game is modified to provide A access to Sim 0 and S int instead. The view of A is identical to the previous game unless Sim int outputs ⊥ in Line 4. Roughly, this occurs when the reprogramming of the random oracle fails due to the input being already defined. By Theorem 6.3, com has 2λ bits of min-entropy. Since at most Q 1 + Q 2 queries of the form (FS lbl X com) are made in this game, we have |Pr[ . Game 3 : The game is modified to provide A access to Sim 0 and S instead. The only difference is that rather than computing honestly via (P 1 , P 2 ) from the traceable OR sigma protocol tOR , the simulator Sim 1 simulates these using the simulator Sim provided by tOR . Let salt i represent the salt that Sim int or Sim 1 samples on its i-th invocation.
For i ∈ [Q 2 ], let Q i be the number of queries the adversary makes to oracle Sim 0 of the form (salt i ·). By Theorem 6.4, the advantage of the adversary in distinguishing Sim int or Sim 1 is bounded by Collecting the bounds, we obtain the bound in the statement.

Instantiations
We instantiate the building blocks required for our generic construction of an accountable ring signature scheme presented in Sect. 4 via isogenies based on CSIDH group action and lattices.

Instantiation from isogenies
We instantiate a group-action-based HIG and PKE, and the corresponding NIZKs for the relations R sig and R open based on the CSIDH paradigm. In particular we assume that the structure of the ideal class group C (O) is known, and cyclic of odd order n, so that it is isomorphic to Z n . Given a generator g of C (O), Z n acts freely and transitively on E p(O, π) via the group action : (a, E) → g a * E, which we can compute efficiently. Note that in case the class group structure is not known (e.g., at higher security levels where computing the class group is currently not feasible.) we can still instantiate all the building blocks using rejection sampling à la SeaSign. Group-Action-Based HIG. We instantiate the group-action-based HIG defined by the algorithms (RelSetup, IGen) as follows. The output of RelSetup describes a setup for a CSIDH group action : π), and X 0 = E 0 , where E 0 is the elliptic curve E 0 : y 2 = x 3 + x over F p . The output of IGen is then (E 0 , a E 0 ), where a is uniformly sampled from C (O). Then the properties of Def. 5.1 are easily verified. In particular, the security of the hard instance generator is equivalent to the hardness of GAIP for CSIDH. Moreover, it is not difficult to see that the group-action-based HIG is also a hard multi-instance generator based on the same assumption. Concretely, given one instance (E 0 , E), the reduction can rerandomize this arbitrarily many times to obtain fresh statements (E 0 , b E), where b is uniformly sampled from C (O). If an adversary succeeds in breaking any of these instances, then the reduction can subtract b from it to solve its original instance. Group-Action-Based PKE. We can define an ElGamal-like public-key encryption scheme GA -PKE = (Setup, KeyGen, Enc, Dec) based on the CSIDH group action, as follows. Note that the decryption algorithm works by enumerating the message space, so the PKE is only efficient when the message space M (which is a subset of C (O)) is polynomially large. This relaxed notion of decryption suffices for our ARS generic construction.
Setup(1 λ ) → pp: On input a security parameter 1 λ , it returns the setup for a CSIDH group action as (a, (E 1 , E 2 )) → (E 1 , a E 2 ) (i.e., M acts on the second component only). KeyGen(pp) → (pk, sk): On input a public parameter pp, it returns a secret key sk sampled uniformly from C (O), and a public key pk = ( p k, Y p k), where , a E 2 ) (i.e., p k acts on both components), and Y p k = (E 0 , sk E 0 ). Enc(pk, M; r ) → ct: On input a public key pk = ( p k, Y p k) and a message M ∈ M, it returns the ciphertext ct = (M M (r p kY p k)) ∈ Y, where r ← G. Dec(sk, ct) → M: On input a secret key sk and a ciphertext ct = (ct 1 , ct 2 ), the decryption algorithm tries all messages M ∈ M until it finds a message M such that M ct 1 = −sk ct 2 . If such a message exists, it is unique, and the algorithm outputs it; otherwise, ⊥ is output.
It is not difficult to verify that the above-defined GA -PKE is correct (with probability 1). The decryption scheme of GA -PKE differs from that of ElGamal since it is not possible to divide out sk ct 1 from ct 2 . Therefore, retrieving M from ct 1 , ct 2 , sk requires the resolution of an instance of GAIP with input (sk ct 1 , ct 2 ). Dec solves this problem by a brute force over the message space M. In case M is polynomially large, then we have efficient decryption as desired.
Multi-challengeIND-CPA Security. The scheme is multi-challenge IND-CPA secure based on the dCSIDH assumption. Since GA -PKE is an ElGamal-like encryption scheme in the CSIDH setting -where each exponentiation is replaced by a group action -for the security proof it is sufficient to adapt the usual proof for the group-based ElGamal encryption scheme. Note that the the reduction loses a factor 1/Q c t, where Q c t is the number of challenge ciphertext the adversary observes. This is the only reason why we do not achieve tight security for our accountable ring signature and group signature.
We point out that by ignoring the PKE, we obtain a ring signature identical to Beullens et al. [14]. Thus we obtain the first tightly secure and efficient isogeny-based ring signature in this work. (R , KR )-correctness. In the isogeny setting, it is not needed to relax the key relation (contrary to our lattice instantiation where some relaxation is necessary in order to get an efficient opening proof). We can simply set KR Similarly, since S 2 = S 1 , there is no relaxation in the encryption randomness. Therefore (R , KR )-correctness is equivalent to the standard correctness property (with probability 1), which is satisfied by our PKE. Multi-Proof Online Extractable NIZK with Labels NIZK,lbl . Using the group-action-based HIG and PKE, we can instantiate NIZK,lbl for the signing relation R sig (see Sect. 4.1) as explained in Sects. 6 and 7. Statistically Sound NIZK without Labels NIZK . The last ingredient for our ARS is a NIZK for the opening relation R open , which in our instantiation is A sigma protocol for this relation was introduced in [43, Sect. 3.2]. We can then turn this sigma protocol into an NIZK by applying the Fiat-Shamir transform. (Note that we do not need this NIZK to be online-extractable.) Concrete Instantiation for Tab. 1. For our isogeny-based instantiation, we chose an HIG and a PKE based on the CSIDH-512 group action. The structure of this class group has been computed [15], which allows for more efficient proofs. We chose the challenge space as string of length M = 855 with Hamming weight K = 19. Most of the signature is independent of N , and contains a fixed number of curves and class group elements as well as some overhead from the generic construction such as a hash value, the internal nodes in the seed tree, and commitment randomness to open the commitments. The only reason the signature size increases with N is that the signature contains a fixed amount of paths in a Merkle tree of depth log 2 N . This makes for a very mild dependence on N .

Instantiation from lattices
We instantiate a group-action-based HIG and PKE, and the corresponding NIZKs for the relations R sig and R open based on lattices under the MSIS and MLWE assumptions. The choices for the integer n, modulus q, and ring R q are provided in Sect. 3.6. Group-Action-Based HIG. By Def. 5.1, it suffices to define the public parameter pp 1 = (G, S 1 , S 2 , δ x , X 0 , X , ) generated by RelSetup and to check that the output of IGen defines a hard relation. The public parameters pp are defined as follows: • The group action : G ×X → X is defined as (s, e) w = (As+z)+w, where A ∈ R k× q is a fixed matrix sampled uniformly by RelSetup.
We define S 3 to be a subset of G with coefficients all bounded by B 2 − B 1 . It can be checked that pp satisfies all the conditions in Def. 5.1, where δ x follows by simply counting the points included in S 2 and S 3 . It remains to check that the relation R p p = {(b, (s, z))|b = As + e ∧ (s, e) ∈ S 2 + S 3 } defines a hard relation as defined in Sect. 4.1, where S 2 + S 3 . Note that if the adversary A is restricted to output a witness (s, e) ∈ S 1 , then this follows directly from the MLWE n,q,B 1 assumption. For our application, we have to further consider the scenario where A may output a witness (s, e) outside of S 1 . We need to consider this case since our online extractor for the NIZK can only extract a witness in the relaxed relation R p p rather than R p p.
The hardness of our group-action-based HIG follows naturally from the MSIS n,q,k, ,2B 2 and sMLWE n,q,k, ,B 1 assumptions. We only focus on an adversary A that outputs a witness (s, e) outside of S 1 , since the other case simply follows from MLWE as we seen above. Let us construct an adversary B against the MSIS n,q,k, ,2B 2 problem by using A as a subroutine. B, given A as input, samples a random (s, e) ← S 1 , sets b = As + e and invokes A on input pp, b, where pp includes A. When A outputs (s , e ), B submits (s + s , e + e ) as its solution. By assumption, s + s ∞ , e + e ∞ ≤ B 1 + B 2 + B 3 = 2B 2 and they are non-zero. Therefore, B breaks the MSIS n,q,k, ,2B 2 problem as desired.
Finally, the same proof shows that our group-action-based HIG is a hard multi-instance generator based on the same assumptions.
Group-Action-Based PKE. We use a PKE scheme based on the Lindner-Peikert framework [73]. We first explain the public parameters pp 2 = (G, G T , Y, S 1 , S 2 , δ y , D Y , M , M) generated by PKE.Setup. 11 positive integers such that B 1 < B 2 < q and 4(nk • D Y is a distribution that samples a uniform random (A, s, z) ∈ R k× × R q × R k q and outputs a group action : G × Y → Y defined as (r, e, e) (w, w) = ((A r + e + w, b r + e + w) and an element Y = (w, w) ∈ Y, where b = As + z, Correctness is a consequence of (R , KR )-correctness, which we show below, and decryption efficiency clearly holds as well. We discuss the remaining properties. Multi-challengeIND-CPA Security. The security follows by a standard proof using dMLWE. For completeness, we provide the proof: We consider a sequence of games and prove that the adversary's advantage only changes negligibly in each adjacent games. The first game is the original security game. In the second game, we modify the group action p k included in the public key to be defined by a random (A, b) ← R k× × R k q . By the dMLWE n,q,k, ,B 1 assumption, this game is indistinguishable from the previous game. In the final game, we sample each ciphertext as ct ← R k × R q . By the dMLWE n,q, +1,k,B 1 assumption, this game is indistinguishable from the previous game. Note that we appropriately parse the matrix A ∈ R ( +1)×k q provided by the challenge as A and b, and query the oracle once for each ciphertext. Since the challenge bit b is statistically hidden from the adversary, no adversary has advantage in winning this game. This concludes the proof.
We note that we can prove multi-challenge IND-CPA security while only relying on the dMLWE assumption with a fixed number of instances (i.e., those that do not rely on the number of challenge ciphertexts), if we can tolerate choosing slightly less efficient parameters. Specifically, we can use the dual-Regev encryption [56], where A is a tall matrix. When A is tall enough, A r and b r is distributed statistically close to random under appropriate choices of parameters owing to the regularity lemma [77]. Hence, we only need the dMLWE assumption to jump from the first to second game above. (R , KR ) − correctness We define R and KR as follows, where the choice of R coincides with those considered in Theorem 6.1: various lattice-based interactive protocols based on the Fiat-Shamir with aborts paradigm [78] that allows to roughly halve the proof size, or signature size when viewing the proof as a signature, with no additional cost. Intuitively, for MLWE, proving knowledge of a short s indirectly proves knowledge of a short e since it is uniquely defined as b − As. Therefore, we can remove the components that are used to explicitly prove that e is short. Since the size of s and e are about the same in our construction, this allows to almost halve the proof size. For further details, see for example [7,14,42].
Concrete Instantiation for Tab. 1. For the concrete instantiation in Tab. 1, we use M = 1749, K = 16. For the HIG, we chose the parameters according to the parameters used in the Security Level II variant of the (round 3) NIST submission of the Dilithium signature scheme. Concretely, we use the ring R q = Z q [X ]/(X n + 1), with n = 256 and q = 2 23 − 2 13 + 1, and we put l = k = 4, B 1 = 2, B 2 = 2 17 . These parameters are chosen by the Dilithium team such that the relevant MLWE and MSIS problems are hard enough to reach NIST SL II.
For the PKE, we use the ring R q with n = 256 and q ≈ 2 49 , and we put k = l = 8, B 1 = 1, B 2 ≈ 2 16.3 . The LWE estimator of Albrecht et al. estimates that this MLWE instance has 141 bits of security [3]. Moreover, the (R , KR )-correctness holds, because we have (2B 2 − B 1 ) + 2nk(2B 2 − B 1 ) 2 ≤ q/4. For the parameter set without manager accountability, we only require (R , KR)-correctness, so we only need (2B 2 − B 1 ) + 2nk(2B 2 − B 1 )B 1 ≤ q/4. Therefore, we can choose our parameters as q ≈ 2 30 , l = k = 5, B 1 = 1, and B 2 = 2 15.9 for better signature sizes. The LWE estimator of Albrecht et al. estimates that this MLWE instance has also 141 bits of security. In either cases, we use an optimization due to Bai and Galbraith to reduce the size of the proofs (and therefore the size of the signature).
Similar to the isogeny instantiation, the signature size depends very mildly on N because N only affects the length of some paths in the signature. Finally, we can use Sect. 6.3 to obtain a tightly secure scheme. Since K = 16, the overhead compared to the non-tight scheme is a mere 512B.  = (a 1 , . . . , a N ). Then we have D I = D J for all I , J ∈ [N ].

A.2 Seed tree
The definition seed tree is taken almost verbatim from [14]. The purpose of a seed tree is to first generate a number of pseudorandom values and later disclose an arbitrary subset of them, without revealing information on the remaining values. The seed tree is a complete binary tree 12 of λ-bit seed values such that the left (resp. right) child of a seed seed h is the left (resp. right) half of Expand(seed h), where Expand is a pseudorandom generator (PRG). The unique identifier h of the parent seed is appended to separate the input domains of the different calls to the PRG. A sender can efficiently reveal the seed values associated with a subset of the set of leaves by revealing the appropriate set of internal seeds in the tree. We provide the full detail of the seed tree below. Let Expand : {0, 1} λ+ log 2 (M−1) → {0, 1} 2λ be a PRG for any λ, M ∈ N, instantiated by a random oracle O. Then, a seed tree consists of the following four oracle-calling algorithms. It then randomly samples a seed from {0, 1} λ for each of these nodes, and finally outputs the set of these seeds as seeds internal .
By construction, the leaves {leaf i } i s.t. c i =1 output by SeedTree(seed root , M) are the same as those output by RecoverLeaves (ReleaseSeeds(seed root , c), c) for any c ∈ {0, 1} M . The last algorithm SimulateSeeds can be used to argue that the seeds associated with all the leaves with index i such that c i = 0 are indistinguishable from uniformly random values for a recipient that is only given seeds internal and c. More formally, we have the following. Here, the distributions take into account the randomness used by the random oracle as well.

B Dynamic group signatures from accountable ring signatures
In this section, we review briefly the definition of group signatures and explain how accountable ring signatures can be naturally viewed as group signatures. A formal treatment can be found in Bootle et al. [20]

B.1 Preliminaries on group signatures
Group signatures can be divided into two primary types: static schemes [8] and dynamic schemes [9]. Roughly, while static group signature require the group to be fixed at setup, dynamic group signatures allow members to join and leave the group at any time. This joining and leaving is administered by the group manager, who has the power to add and revoke membership -as well as the ability to revoke anonymity and reveal the specific signer of a certain signature. For a dynamic group signature scheme, the revocation mechanism can be handled by a separate entity called opening or tracing authority to offer better flexibility in the scheme and this makes only little difference regarding the security notions.
Informally, a dynamic group signature scheme consists of a setup algorithm Setup, key generation algorithms MKGen and UKGen for the group manager and group members (or users) respectively, and Sign, Verify, Open, and Judge algorithms which are counterparts of the ARS scheme functions of the same names. Additionally, an interactive Join protocol run between the group manager and a user allows users to be added to the group, while an UpdateGroup function allows the group manager to revoke a user's membership in the group dynamically (this is done via some publicly-published group info info).
Dynamic group signature schemes should satisfy standard security properties of correctness, anonymity, traceability and non-frameability [9,20]. Correctness ensures that a signature produced by a user running Sign after joining the group via Join is accepted by Verify. The inclusion of the Join function in this definition ensures joining works as intended, beyond just guaranteeing the signing algorithms's correctness. Full CCA-anonymity (often refereed simply as full anonymity) states that even under full key exposure of all group members (other than the group manager, who can trivially revoke anonymity via Open), and with access to an opening oracle, the user who generated a certain signature cannot be identified. More specifically, an adversary should be unable to distinguish between signatures generated by any two members of the adversary's choice-even if the adversary knows all secret keys involved. This notion is almost identical to its namesake in the ARS setting (Sect. 3.4). In contrast, CPA-anonymity is a weaker notion which still allows the adversary to learn all group members' keys, but removes access to the opening oracle. Weaker variants of these two are selfless CCA-anonymity and selfless CPA-anonymity where the adversary cannot obtain any secret keys of targeted members in the anonymity game. Traceability states that an adversary who is able to corrupt any members is not able to produce a signature for which Open fails to return an active member of the group even if the group manager's secret key is leaked. Finally, non-frameability states that even if the group manager and all but one of the group members are corrupted, they cannot forge or falsely attribute a signature to an honest member who did not produce it. These properties also imply what is usually called unforgeability, because if an adversary could produce a signature for a group they knew no secret keys for, the signature must either fail to Open to an active user, or would frame an honest member of the group-violating either traceability or non-frameability. We also remark a difference, usually being neglected, that the group manager can be corrupted in the security model of a dynamic group while a static variant only takes into account the exposure of the opening secret key [8]. We refer the reader to [20] for more thorough definitions.

B.2 Constructing group signatures from ARS
For completeness, we now review the generic construction of a dynamic group signature scheme from an accountable ring signature scheme, by Bootle et al. [19,20]. Let ARS be a secure ARS scheme, then we define a group signature scheme GS as follows: Let the group manager be the opening authority of ARS , and let the group manager's keypair be (gmpk = opk, gmsk = osk). The group public key gpk is then set to (gmpk, pp), where pp is the output of GS.Setup := ARS.Setup. Define GS.UKGen := ARS.UKGen, so that users generate their own keypairs directly. The Join protocol proceeds by a user submitting their public key pk to the group manager, who appends it to the list of keys in info τ := [vk 0 , . . . , vk i ] (the group info at epoch τ ) and publishes info τ +1 . Membership is similarly revoked by the group manager via UpdateGroup by removing the user's public key from info τ and publishing the updated info. Finally, define: and returns ( j, π). • GS.Judge(gpk, info τ , M, σ, ( j, π)) := ARS.Judge(gmpk, info τ , vk j , M, σ, π).
Note that info τ defines the ring of signers at epoch τ and should be publicly accessible, as too should be the index-to-public-key ( j ↔ vk j ) correspondence table, maintained by the group manager. As shown in [20], this generic construction of a group signature from an ARS is tightly secure assuming the ARS is secure. Hence, our ARS construction in Sect. 4.1 implies a secure dynamic group signature scheme. The type of security notions satisfied by the resulting group signature, e.g., full or selfless, CCA or CPA anonymity, is directly inherited from the ARS.
We note that this scheme's group info grows linearly in the number of group members. This is the same as all other proposed efficient post-quantum group signature constructions such as [48]. It remains an interesting open problem to construct a efficient group signature where the group info grows at most logarithmically in the number of group members.