Keywords

1 Introduction

Group signature, introduced by Chaum and van Heyst [14], is a fundamental anonymity primitive which allows members of a group to sign messages on behalf of the whole group. Yet, users are kept accountable for the signatures they issue since a tracing authority can identify them should the need arise. There have been numerous works on group signatures in the last quarter-century.

Ateniese et al. [2] proposed the first scalable instantiation meeting the security properties that can be intuitively expected from the primitive, although clean security notions were not available yet at that time. Bellare et al. [4] filled this gap by providing strong security notions for static groups, in which the group population is fixed at the setup phase. Subsequently, Kiayias and Yung [23] and Bellare et al. [5] established the models capturing the partially dynamic setting, where users are able to join the group at any time, but once they have done so, they cannot leave the group. Sakai et al. [44] strengthened these models by suggesting the notion of opening soundness, guaranteeing that a valid signature only traces to one user. Efficient schemes satisfying these models have been proposed in the random oracle model [16, 40] and in the standard model [20, 32].

One essential functionality of group signatures is the support for membership revocation. Enabling this feature in an efficient manner is quite challenging, since one has to ensure that revoked users are no longer able to sign messages and the workloads of other parties (managers, non-revoked users, verifiers) do not significantly increase in the meantime. Several different approaches have been suggested [6, 10, 11, 39, 46] to address this problem, and notable pairing-based constructions supporting both dynamic joining and efficient revocation were given in [30, 31, 37]. Very recently, Bootle et al. [7] pointed out a few shortcomings of previous models, and put forward stringent security notions for fully dynamic group signatures. They also demonstrated a construction satisfying these notions based on the decisional Diffie-Hellman (DDH) assumption, following a generic transformation from a secure accountable ring signature scheme [8].

For the time being, existing schemes offering full dynamicity all rely on number-theoretic assumptions which are vulnerable to quantum attacks. To avoid putting all eggs in one basket, it is thus encouraging to consider instantiations based on alternative, post-quantum foundations, e.g., lattice assumptions. In view of this, let us now look at the topic of lattice-based group signatures.

Lattice-based group signatures. Lattice-based cryptography has been an exciting research area since the seminal works of Regev [42] and Gentry et al. [18]. Along with other primitives, lattice-based group signature has received noticeable attention in recent years. The first scheme was introduced by Gordon et al. [19] whose solution produced signature size linear in the number of group users N. Camenisch et al. [12] then extended [19] to achieve anonymity in the strongest sense. Later, Laguillaumie et al. [24] put forward the first scheme with the signature size logarithmic in N, at the cost of relatively large parameters. Simpler and more efficient solutions with \(\mathcal {O}(\log N)\) signature size were subsequently given by Nguyen et al. [41] and Ling et al. [34]. Libert et al. [28] obtained substantial efficiency improvements via a construction based on Merkle trees which eliminates the need for GPV trapdoors [18]. More recently, a scheme supporting message-dependent opening (MDO) feature [43] was proposed in [29]. All the schemes mentioned above are designed for static groups.

The only two known lattice-based group signatures that have certain dynamic features were proposed by Langlois et al. [25] and Libert et al. [26]. The former is a scheme with verifier-local revocation (VLR) [6], which means that only the verifiers need to download the up-to-date group information. The latter addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked). To achieve those partially dynamic functionalities, both of the proposals have to incorporate relatively complicated mechanismsFootnote 1 and both heavily rely on lattice trapdoors.

The discussed above situation is somewhat unsatisfactory, given that the full dynamicity feature is highly desirable in most applications of group signatures (e.g., protecting the privacy of commuters in public transportation), and it has been achieved based on number-theoretic assumptions. This motivates us to work on fully dynamic group signatures from lattices. Furthermore, considering that the journey to partial dynamicity in previous works [25, 26] was shown not easy, we ask ourselves an inspiring question: Can we achieve full dynamicity with ease? At the end of the day, it is good to solve an open research question, but it would be even better and more exciting to do this in a simple way. To make it possible, we will likely need some new and insightful ideas.

Our Results and Techniques. We introduce the first fully dynamic group signature from lattices. The scheme satisfies the strong security requirements put forward by Bootle et al. [7], under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. As in all previous lattice-based group signatures, our scheme is analyzed in the random oracle model.

For a security parameter \(\lambda \) and maximum expected number of group users N, our scheme features signature size \(\widetilde{\mathcal {O}}(\lambda \cdot \log N)\) and group public key size \(\widetilde{\mathcal {O}}(\lambda ^2 + \lambda \cdot \log N)\). The user’s secret key has bit-size \(\widetilde{\mathcal {O}}(\lambda ) + \log N\). At each epoch when the group information is updated, the verifiers only need to download an extra \(\widetilde{\mathcal {O}}(\lambda )\) bits in order to perform verification of signaturesFootnote 2, while each active signer only has to download \(\widetilde{\mathcal {O}}(\lambda \cdot \log N)\) bits. In Table 1, we give a detailed comparison of our scheme with known lattice-based group signatures, in terms of efficiency and functionality. The full dynamicity feature is achieved with a very reasonable cost and without having to rely on lattice trapdoors. Somewhat surprisingly, our scheme even produces shorter signatures than the scheme from [28] - which is arguably the most efficient lattice-based group signature known to date. Furthermore, these results are obtained in a relatively simple manner, thanks to three main ideas/techniques discussed below.

Table 1. Comparison of known lattice-based group signatures, in terms of efficiency and functionality. The comparison is done based on two governing parameters: security parameter \(\lambda \) and the maximum expected number of group users \(N= 2^\ell \). As for the scheme from [25], R denotes the number of revoked users at the epoch in question.
Full size table

Our starting point is the scheme [28], which works in the static setting. Instead of relying on trapdoor-based ordinary signatures as in prior works, the LLNW scheme employs on a SIS-based Merkle tree accumulator. For a group of \(N= 2^\ell \) users, the manager chooses uniformly random vectors \(\mathbf {x}_0, \ldots , \mathbf {x}_{N-1}\); hashes them to \(\mathbf {p}_0, \ldots , \mathbf {p}_{N-1}\), respectively; builds a tree on top of these hash values; and publishes the tree root \(\mathbf {u}\). The signing key of user i consists of \(\mathbf {x}_i\) and the witness for the fact that \(\mathbf {p}_i\) was accumulated in \(\mathbf {u}\). When issuing signatures, the user proves knowledge of a valid pair \((\mathbf {x}_i, \mathbf {p}_i)\) and of the tree path from \(\mathbf {p}_i\) to \(\mathbf {u}\). The user also has to encrypt the binary representation \(\mathsf {bin}(i)\) of his identity i, and prove that the ciphertext is well-formed. The encryption layer is also lattice-trapdoor-free, since it utilizes the Naor-Yung double-encryption paradigm [38] with Regev’s LWE-based encryption scheme. To upgrade the LLNW scheme directly into a fully dynamic group signature, we now let the user compute the pair \((\mathbf {x}_i, \mathbf {p}_i)\) on his own (for enabling non-frameability), and we employ the following three ideas/techniques.

First, we add a dynamic ingredient into the static Merkle tree accumulator from [28]. To this end, we equip it with an efficient updating algorithm with complexity \(\mathcal {O}(\log N)\): to change an accumulated value, we simply update the values at the corresponding leaf and along its path to the root.

Second, we create a simple rule to handle user enrollment and revocation efficiently (i.e., without resetting the whole tree). Specifically, we use the updating algorithm to set up the system so that: (i) If a user has not joined the group or has been revoked, the value at the leaf associated with him is set as \(\mathbf {0}\); (ii) When a user joins the group, that value is set as his public key \(\mathbf {p}_i\). Our setup guarantees that only active users (i.e., who has joined and has not been revoked at the given epoch) have their non-zero public keys accumulated into the updated root. This rule effectively separates active users who can sign from those who cannot: when signing messages, the user proceeds as in the LLNW scheme, and is asked to additionally prove in zero-knowledge that \(\mathbf {p}_i \ne \mathbf {0}\). In other words, the seemingly big gap between being fully static and being fully dynamic has been reduced to a small difference!

Third, the arising question now is how to additionally prove the inequality \(\mathbf {p}_i \ne \mathbf {0}\) in the framework of the Stern-like [45] protocol from [28]. One would naturally expect that this extra job could be done without losing too much in terms of efficiency. Here, the surprising and somewhat unexpected fact is that we can actually do it while gaining efficiency, thanks to the following simple idea. Recall that, in [28], to prove knowledge of \(\mathbf {p}_i \in \{0,1\}^{nk}\), an extension technique from [33] is employed, in which \(\mathbf {p}_i\) is extended into a vector of dimension 2nk. We note that, the authors of [33] also suggested a slightly modified version of their technique, that allows to simultaneously prove that \(\mathbf {p}_i \in \{0,1\}^{nk}\) and \(\mathbf {p}_i\) is non-zero while working only with dimension \(2nk-1\). This intriguing tweak enables us to obtain a zero-knowledge protocol with slightly lower communication cost, and hence, group signatures with slightly smaller size than in [28].

To summarize, we solve a prominent open question in the field of lattice-based group signatures. Moreover, our solution is simple and comparatively efficient. Our results, while not yielding a truly practical scheme, would certainly help to bring the field one step closer to practice.

Organization. In Sect. 2, we recall some background on fully dynamic group signatures and lattice-based cryptography. Section 3 develops an updatable Merkle tree accumulator. Our main scheme is constructed and analyzed in Sect. 4.

2 Preliminaries

2.1 Fully Dynamic Group Signatures

We recall the definition and security notions of fully dynamic group signatures (\(\mathsf {FDGS}\)) presented by Bootle et al. [7]. A \(\mathsf {FDGS}\) scheme involves the following entities: a group manager \(\mathsf {GM}\) that determines who can join the group, a tracing manager \(\mathsf {TM}\) who can open signatures, and a set of users who are potential group members. Users can join/leave the group at the discretion of \(\mathsf {GM}\). We assume \(\mathsf {GM}\) will publish some information \(\mathsf {info}_{\tau }\) regularly associated with a distinct index \(\tau \) (referred as epoch hereafter). Without loss of generality, assume there is one-to-one correspondence between information and the associated epoch. The information describes changes of the group, e.g., current group members or members that are excluded from the group. We assume the published group information is authentic. By comparing current group information with previous one, it allows any party to identify revoked users at current epoch. For simplicity assume \(\tau _1< \tau _2\) if \(\mathsf {info}_{\tau _1}\) is published before \(\mathsf {info}_{\tau _2}\), i.e., the epoch preserves the order in which the corresponding group information was published. In existing models, the keys of authorities are supposed to be generated honestly; while in [7], Bootle et al. consider a stronger model where the keys of authorities can be maliciously generated by the adversary.

Syntax of Fully Dynamic Group Signatures. A \(\mathsf {FDGS}\) scheme is a tuple of following polynomial-time algorithms.

  • \(\mathsf {GSetup}(\lambda )\rightarrow \mathsf {pp}\). On input security parameter \(\lambda \), this algorithm generates public parameters \(\mathsf {pp}\).

  • \(\langle \mathsf {GKgen}_{\mathsf {GM}}(\mathsf {pp}),\mathsf {GKgen}_{\mathsf {TM}}(\mathsf {pp})\rangle \). This is an interactive protocol between the group manager \(\mathsf {GM}\) and the tracing manager \(\mathsf {TM}\). If it completes successfully, algorithm \(\mathsf {GKgen}_{\mathsf {GM}}\) outputs a manager key pair \((\mathsf {mpk},\mathsf {msk})\). Meanwhile, \(\mathsf {GM}\) initializes the group information \(\mathsf {info}\) and the registration table \(\mathbf {reg}\). The algorithm \(\mathsf {GKgen}_{\mathsf {TM}}\) outputs a tracing key pair \((\mathsf {tpk},\mathsf {tsk})\). Set group public key \(\mathsf {gpk}=(\mathsf {pp},\mathsf {mpk},\mathsf {tpk})\).

  • \(\mathsf {UKgen}(\mathsf {pp})\rightarrow (\mathsf {upk},\mathsf {usk})\). Given public parameters \(\mathsf {pp}\), this algorithm generates a user key pair \((\mathsf {upk},\mathsf {usk})\).

  • \(\langle \mathsf {Join}(\mathsf {info}_{\tau _\mathrm{{current}}},\mathsf {gpk},\mathsf {upk},\mathsf {usk});\mathsf {Issue}(\mathsf {info}_{\tau _\mathrm{{current}}},\mathsf {msk},\mathsf {upk})\rangle \). This is an interactive algorithm run by a user and \(\mathsf {GM}\). If it completes successfully, this user becomes a group member with an identifier \(\mathsf {uid}\) and the \(\mathsf {Join}\) algorithm stores secret group signing key \(\mathsf {gsk}[\mathsf {uid}]\) while \(\mathsf {Issue}\) algorithm stores registration information in the table \(\mathbf {reg}\) with index \(\mathsf {uid}\).

  • \(\mathsf {GUpdate}(\mathsf {gpk},\mathsf {msk},\mathsf {info}_{\tau _\mathrm{{current}}},\mathcal {S},\mathbf {reg})\rightarrow \mathsf {info}_{\tau _\mathrm{{new}}}\). This is an algorithm run by \(\mathsf {GM}\) to update group information while advancing the epoch. Given \(\mathsf {gpk}\),\(\mathsf {msk}\), \(\mathsf {info}_{\tau _\mathrm{{current}}}\), registration table \(\mathbf {reg}\), a set \(\mathcal {S}\) of active users to be removed from the group, \(\mathsf {GM}\) computes new group information \(\mathsf {info}_{\tau _\mathrm{{new}}}\) and may update the table \(\mathbf {reg}\). If there is no change to the group, \(\mathsf {GM}\) outputs \(\bot \).

  • \(\mathsf {Sign}(\mathsf {gpk},\mathsf {gsk}[\mathsf {uid}],\mathsf {info}_{\tau },M)\rightarrow \varSigma \). This algorithm outputs a group signature \(\varSigma \) on message M by user \(\mathsf {uid}\). It outputs \(\bot \) if this user is inactive at epoch \(\tau \).

  • \(\mathsf {Verify}(\mathsf {gpk},\mathsf {info}_{\tau },M,\varSigma )\rightarrow 0/1\). This algorithm checks the validity of the signature \(\varSigma \) on message M at epoch \(\tau \).

  • \(\mathsf {Trace}(\mathsf {gpk},\mathsf {tsk},\mathsf {info}_{\tau },\mathbf {reg},M,\varSigma )\rightarrow (\mathsf {uid},\varPi _{\mathsf {trace}})\). This is an algorithm run by \(\mathsf {TM}\). Given the inputs, \(\mathsf {TM}\) returns an identity \(\mathsf {uid}\) of a group member who signed the message and a proof indicating this tracing result or \(\bot \) if it fails to trace to a group member.

  • \(\mathsf {Judge}(\mathsf {gpk},\mathsf {uid},\mathsf {info}_{\tau },\varPi _{\mathsf {trace}},M,\varSigma )\rightarrow 0/1\). This algorithm checks the validity of \(\varPi _{\mathsf {trace}}\) outputted by the \(\mathsf {Trace}\) algorithm.

Correctness and Security of Fully Dynamic Group Signatures. As put forward by Bootle et al. [7], a \(\mathsf {FDGS}\) scheme must satisfy correctness, anonymity, non-frameability, traceability and tracing soundness.

Correctness demands that a signature generated by an honest and active user is always accepted by algorithm \(\mathsf {Verify}\), and that algorithm \(\mathsf {Trace}\) can always identify that user, as well as produces a proof accepted by algorithm \(\mathsf {Judge}\).

Anonymity requires that it is infeasible for any PPT adversary to distinguish signatures generated by two active users of its choice at the chosen epoch, even if it can corrupt any user, can choose the key of \(\mathsf {GM}\), and is given access to the \(\mathsf {Trace}\) oracle.

Non-Frameability makes sure that the adversary cannot generate a valid signature that traces to an honest user even if it can corrupt all other users, and can choose keys of both managers.

Traceability ensures that the adversary cannot produce a valid signature that cannot be traced to an active user at the chosen epoch, even if it can corrupt any user and can choose the key of \(\mathsf {TM}\).

Tracing Soundness requires that it is infeasible to produce a valid signature that traces to two different users, even if all group users and both managers are fully controlled by the adversary.

Formal definitions of correctness and security requirements are available in the full version.

2.2 Background on Lattices

We recall the average-case lattice problems SIS and LWE, together with their hardness results.

Definition 1

[1, 18]. The \(\mathsf {SIS}^{\infty }_{n,m,q,\beta }\) problem is as follows: Given uniformly random matrix \(\mathbf {A} \in \mathbb {Z}_q^{n \times m}\), find a non-zero vector \(\mathbf {x} \in \mathbb {Z}^m\) such that \(\Vert \mathbf {x}\Vert _\infty \le \beta \) and \(\mathbf {A\cdot x=0} \bmod q.\)

If \(m, \beta = \mathsf {poly}(n)\), and \(q > \beta \cdot \widetilde{\mathcal {O}}(\sqrt{n})\), then the \(\mathsf {SIS}^{\infty }_{n,m,q,\beta }\) problem is at least as hard as worst-case lattice problem \(\mathsf {SIVP}_\gamma \) for some \(\gamma = \beta \cdot \widetilde{\mathcal {O}}(\sqrt{nm})\) (see, e.g., [18, 36]). Specifically, when \(\beta =1\), \(q = \widetilde{\mathcal {O}}(n)\), \(m = 2n \lceil \log q \rceil \), the \(\mathsf {SIS}^{\infty }_{n,m,q,1}\) problem is at least as hard as \(\mathsf {SIVP}_{\gamma }\) with \(\gamma =\widetilde{\mathcal {O}}(n)\).

In the last decade, numerous SIS-based cryptographic primitives have been proposed. In this work, we will extensively employ 2 such constructions:

  • Our group signature scheme is based on the Merkle tree accumulator from [28], which is built upon a specific family of collision-resistant hash functions.

  • Our zero-knowledge argument systems use the statistically hiding and computationally binding string commitment scheme from [22].

For appropriate setting of parameters, the security of the above two constructions can be based on the worst-case hardness of \(\mathsf {SIVP}_{\widetilde{\mathcal {O}}(n)}\).

In the group signature in Sect. 4, we will employ the multi-bit version of Regev’s encryption scheme [42], presented in [21]. The scheme is based on the hardness of the LWE problem.

Definition 2

[42]. Let \(n,m \ge 1\), \(q \ge 2\), and let \(\chi \) be a probability distribution on \(\mathbb {Z}\). For \(\mathbf {s} \in \mathbb {Z}_q^n\), let \(\mathcal {A}_{\mathbf {s}, \chi }\) be the distribution obtained by sampling \(\mathbf {a} \xleftarrow {\$} \mathbb {Z}_q^n\) and \(e \hookleftarrow \chi \), and outputting \((\mathbf {a}, \mathbf {s}^\top \cdot \mathbf {a} + e) \in \mathbb {Z}_q^n \times \mathbb {Z}_q\). The \(\textsf {LWE}_{n,q,\chi }\) problem asks to distinguish m samples chosen according to \(\mathcal {A}_{\mathbf {s},\chi }\) (for \(\mathbf {s} \xleftarrow {\$} \mathbb {Z}_q^n\)) and m samples chosen according to the uniform distribution over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\).

If q is a prime power, \(\chi \) is the discrete Gaussian distribution \(D_{\mathbb {Z}, \alpha q}\), where \(\alpha q \ge 2\sqrt{n}\), then \(\mathsf {LWE}_{n,q,\chi }\) is as least as hard as \(\mathsf {SIVP}_{\widetilde{\mathcal {O}}(n/\alpha )}\) (see [35, 36, 42]).

2.3 Stern-Like Protocols for Lattice-Based Relations

The zero-knowledge (ZK) argument systems appearing in this paper operate in the framework of Stern’s protocol [45]. Let us now recall some background. This protocol was originally proposed in the context of code-based cryptography, and was later adapted into the lattice setting by Kawachi et al. [22]. Subsequently, it was empowered by Ling et al. [33] to handle the matrix-vector relations associated with the SIS and LWE problems, and further developed to design several lattice-based schemes: group signatures [25, 26, 28, 29, 34], policy-based signatures [15] and group encryption [27].

Stern-like protocols are quite useful in the context of lattice-based privacy-preserving systems, when one typically works with modular linear equations of the form \(\sum _{i}\mathbf {M}_i\cdot \mathbf {x}_i = \mathbf {v} \bmod q\) - where \(\{\mathbf {M}_i\}_i\), \(\mathbf {v}\) are public, and one wants to prove in ZK that secret vectors \(\{\mathbf {x}_i\}_i\) satisfy certain constraints, e.g., they have small norms and/or have coordinates arranged in a special way. The high-level ideas can be summarized as follows. If the given constraints are invariant under certain type of permutations of coordinates, then one readily uses uniformly random permutations to prove those constraints. Otherwise, one performs some pre-processings with \(\{\mathbf {x}_i\}_i\) to reduce to the former case. Meanwhile, to prove that the modular linear equation holds, one makes use of a standard masking technique.

The basic protocol consists of 3 moves: commitment, challenge, response. If the statistically hiding and computationally binding string commitment scheme from [22] is employed in the first move, then one obtains a statistical zero-knowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error 2 / 3, and communication cost \(\mathcal {O}(|w|\cdot \log q)\), where |w| denotes the total bit-size of the secret vectors. In many applications, the protocol is repeated \(\kappa = \omega (\log \lambda )\) times, for security parameter \(\lambda \), to achieve negligible soundness error, and then made non-interactive via the Fiat-Shamir heuristic [17]. In the random oracle model, this results in a non-interactive zero-knowledge argument of knowledge (NIZKAoK) with bit-size \(\mathcal {O}(|w|\cdot \log q)\cdot \omega (\log \lambda )\).

3 Updatable Lattice-Based Merkle Hash Trees

We first recall the lattice-based Merkle-tree accumulator from [28], and then, we equip it with a simple updating algorithm which allows to change an accumulated value in time logarithmic in the size of the accumulated set. This updatable hash tree will serve as the building block of our construction in Sect. 4.

3.1 Cryptographic Accumulators

An accumulator scheme is a tuple of polynomial-time algorithms defined below.  

\(\mathsf {TSetup}(\lambda ).\) :

On input security parameter \(\lambda \), output the public parameter \(\mathsf {pp}\).

\(\mathsf {TAcc}_{\mathsf {pp}.}\) :

On input a set \(R = \{\mathbf {d}_0, \ldots , \mathbf {d}_{N-1}\}\) of N data values, output an accumulator value \(\mathbf {u}\).

\(\mathsf {TWitness}_{\mathsf {pp}.}\) :

On input a data set R and a value \(\mathbf {d}\), output \(\bot \) if \(\mathbf {d} \notin R\); otherwise output a witness w for the fact that \(\mathbf {d}\) is accumulated in \(\mathsf {TAcc}(R)\). (Typically, the size of w should be short (e.g., constant or logarithmic in N) to be useful.)

\(\mathsf {TVerify}_{\mathsf {pp}.}\) :

On input accumulator value \(\mathbf {u}\) and a value-witness pair \((\mathbf {d}, w)\), output 1 (which indicates that \((\mathbf {d}, w)\) is valid for the accumulator \(\mathbf {u}\)) or 0.

  An accumulator scheme is called correct if for all \(\mathsf {pp}\leftarrow \mathsf {TSetup}(\lambda )\), we have \(\mathsf {TVerify}_{\mathsf {pp}}\big (\mathsf {TAcc}_{\mathsf {pp}}(R), \mathbf {d}, \mathsf {TWitness}_{\mathsf {pp}}(R, \mathbf {d})\big ) = 1\) for all \(\mathbf {d} \in R\).

A natural security requirement for accumulators, as considered in [3, 11, 28], says that it is infeasible to prove that a value \(\mathbf {d}^*\) was accumulated in a value \(\mathbf {u}\) if it was not. This property is formalized as follows.

Definition 3

[28]. An accumulator scheme \((\mathsf {TSetup}, \mathsf {TAcc}, \mathsf {TWitness}, \mathsf {TVerify})\) is called secure if for all PPT adversaries \(\mathcal {A}\):

3.2 The LLNW Merkle-Tree Accumulator

Notations. Hereunder we will use the notation \(x \xleftarrow {\$} S\) to indicate that x is chosen uniformly at random from finite set S. For bit \(b \in \{0,1\}\), we let \(\bar{b}= 1-b\).

The Merkle-tree accumulator scheme from [28] works with parameters \(n=\mathcal {O}(\lambda )\), \(q=\widetilde{\mathcal {O}}(n^{1.5})\), \(k=\lceil \log _2 q\rceil \), and \(m=2nk\). The set \(\mathbb {Z}_q\) is identified by \(\{0,\ldots , q-1\}\). Define the “powers-of-2” matrix

$$\begin{aligned} \mathbf {G} = \left[ \begin{array}{cccc} 1~2~4~\ldots ~2^{k-1} &{} &{} &{} \\ &{} &{} \ldots &{} \\ &{} &{} &{} 1~2~4~\ldots ~2^{k-1} \end{array}\right] \in \mathbb {Z}_q^{n \times nk}. \end{aligned}$$

Note that for every \(\mathbf {v} \in \mathbb {Z}_q^n\), we have \(\mathbf {v} = \mathbf {G}\cdot \mathsf {bin}(\mathbf {v})\), where \(\mathsf {bin}(\mathbf {v}) \in \{0,1\}^{nk}\) denotes the binary representation of \(\mathbf {v}\). The scheme is built upon the following family of SIS-based collision-resistant hash functions.

Definition 4

The function family \(\mathcal {H}\) mapping \(\{0,1\}^{nk} \times \{0,1\}^{nk}\) to \(\{0,1\}^{nk}\) is defined as \(\mathcal {H} = \{h_{\mathbf {A}} | \mathbf {A} \in \mathbb {Z}_q^{n \times m}\}\), where for \(\mathbf {A} = [\mathbf {A}_0 | \mathbf {A}_1]\) with \(\mathbf {A}_0, \mathbf {A}_1 \in \mathbb {Z}_q^{n \times nk}\), and for any \((\mathbf {u}_0, \mathbf {u}_1) \in \{0,1\}^{nk} \times \{0,1\}^{nk}\), we have:

$$ h_{\mathbf {A}}(\mathbf {u}_0, \mathbf {u}_1)= \mathsf {bin}\big (\mathbf {A}_0 \cdot \mathbf {u}_0 + \mathbf {A}_1\cdot \mathbf {u}_1 \bmod q\big ) \in \{0,1\}^{nk}. $$

Note that \(h_{\mathbf {A}}(\mathbf {u}_0, \mathbf {u}_1) = \mathbf {u} \Leftrightarrow \mathbf {A}_0\cdot \mathbf {u}_0 + \mathbf {A}_1 \cdot \mathbf {u}_1 = \mathbf {G}\cdot \mathbf {u} \bmod q\).

A Merkle tree with \(N=2^\ell \) leaves, where \(\ell \) is a positive integer, then can be constructed based on the function family \(\mathcal {H}\) as follows.

 

\(\mathsf {TSetup}(\lambda ).\) :

Sample \(\mathbf {A} \xleftarrow {\$} \mathbb {Z}_q^{n \times m}\), and output \(\mathsf {pp}= \mathbf {A}\).

\(\mathsf {TAcc}_{\mathbf {A}}(R = \{\mathbf {d}_0 \in \{0,1\}^{nk}, \ldots , \mathbf {d}_{N-1} \in \{0,1\}^{nk}\}).\) :

For every \(j \in [0,N-1]\), let \(\mathsf {bin}(j)= (j_1, \ldots , j_\ell ) \in \{0,1\}^\ell \) be the binary representation of j, and let \(\mathbf {d}_j=\mathbf {u}_{j_1, \ldots , j_\ell }\). Form the tree of depth \(\ell = \log N\) based on the N leaves \(\mathbf {u}_{0,0,\ldots , 0}, \ldots , \mathbf {u}_{1, 1,\ldots , 1}\) as follows:

1.:

At depth \(i\in [\ell ]\), the node \(\mathbf {u}_{b_1,\ldots , b_i} \in \{0,1\}^{nk}\), for all \((b_1,\ldots , b_i) \in \{0,1\}^i\), is defined as \(h_{\mathbf {A}}(\mathbf {u}_{b_1,\ldots , b_i,0}, \mathbf {u}_{b_1,\ldots , b_i, 1})\).

2.:

At depth 0: The root \(\mathbf {u} \in \{0,1\}^{nk}\) is defined as \(h_{\mathbf {A}}(\mathbf {u}_0, \mathbf {u}_1)\).

The algorithm outputs the accumulator value \(\mathbf {u}\).

\(\mathsf {TWitness}_{\mathbf {A}}(R, \mathbf {d}).\) :

If \(\mathbf {d} \not \in R\), return \(\bot \). Otherwise, \(\mathbf {d} = \mathbf {d}_j\) for some \(j \in [0, N-1]\) with binary representation \((j_1,\ldots , j_\ell )\). Output the witness w defined as:

$$\begin{aligned} w = \big ((j_1,\ldots , j_\ell ), (\mathbf {u}_{j_1,\ldots , j_{\ell -1},\bar{j_\ell }}, \ldots , \mathbf {u}_{j_1,\bar{j_2}}, \mathbf {u}_{\bar{j_1}}) \big ) \in \{0,1\}^\ell \times \big (\{0,1\}^{nk}\big )^\ell , \end{aligned}$$

for \(\mathbf {u}_{j_1,\ldots , j_{\ell -1},\bar{j_\ell }}, \ldots , \mathbf {u}_{j_1,\bar{j_2}}, \mathbf {u}_{\bar{j_1}}\) computed by algorithm \(\mathsf {TAcc}_{\mathbf {A}}(R)\).

\(\mathsf {TVerify}_{\mathbf {A}}\big (\mathbf {u}, \mathbf {d}, w\big ).\) :

Let the given witness w be of the form:

$$ w = \big ((j_1,\ldots , j_\ell ),(\mathbf {w}_\ell , \ldots , \mathbf {w}_1)\big ) \in \{0,1\}^\ell \times \big (\{0,1\}^{nk}\big )^\ell . $$

The algorithm recursively computes the path \(\mathbf {v}_\ell , \mathbf {v}_{\ell -1}, \ldots , \mathbf {v}_1, \mathbf {v}_0 \in \{0,1\}^{nk}\) as follows: \(\mathbf {v}_\ell = \mathbf {d}\) and

$$\begin{aligned} \forall i \in \{\ell -1, \ldots , 1, 0\}: \mathbf {v}_i = {\left\{ \begin{array}{ll} h_{\mathbf {A}}(\mathbf {v}_{i+1}, \mathbf {w}_{i+1}), \text { if } j_{i+1}=0; \\ h_{\mathbf {A}}(\mathbf {w}_{i+1}, \mathbf {v}_{i+1}), \text { if } j_{i+1}=1. \end{array}\right. } \end{aligned}$$
(1)

Then it returns 1 if \(\mathbf {v}_0 = \mathbf {u}\). Otherwise, it returns 0.

 

The following lemma states the correctness and security of the above Merkle tree accumulator.

Lemma 1

[28]. The given accumulator scheme is correct and is secure in the sense of Definition 3, assuming the hardness of the \(\mathsf {SIS}_{n,m,q,1}^\infty \) problem.

3.3 An Efficient Updating Algorithm

Unlike the static group signature scheme from [28], our fully dynamic construction of Sect. 4 requires to regularly edit the accumulated values without having to reconstruct the whole tree. To this end, we equip the Merkle tree accumulator from [28] with a simple, yet efficient, updating algorithm: to change the value at a given leaf, we simply modify all values in the path from that leaf to the root. The algorithm, which takes as input a bit string \(\mathsf {bin}(j) = (j_1,j_2,\ldots ,j_\ell )\) and a value \(\mathbf {d}^* \in \{0,1\}^{nk}\), is formally described below.

Given the tree in Sect. 3.2, algorithm \(\mathsf {TUpdate}_{\mathbf {A}}((j_1,j_2,\ldots ,j_\ell ),\mathbf {d}^*)\) performs the following steps:

  1. 1.

    Let \(\mathbf {d}_j\) be the current value at the leaf of position determined by \(\mathsf {bin}(j)\), and let \(((j_1,\ldots , j_\ell ),(\mathbf {w}_{j,\ell }, \ldots , \mathbf {w}_{j,1}))\) be its associated witness.

  2. 2.

    Set \(\mathbf {v}_{\ell }: = \mathbf {d}^*\) and recursively compute the path \(\mathbf {v}_{\ell }, \mathbf {v}_{\ell -1},\ldots ,\mathbf {v}_{1},\mathbf {v}_{0}\in \{0,1\}^{nk}\) as in (1).

  3. 4.

    Set \(\mathbf {u}:=\mathbf {v}_{0}\); \(\mathbf {u}_{j_1}:=\mathbf {v}_{1}; \ldots ; \mathbf {u}_{j_1,j_2,\ldots ,j_{\ell -1}}:=\mathbf {v}_{\ell -1}\); \(\mathbf {u}_{j_1,j_2,\ldots ,j_{\ell }}:=\mathbf {v}_{\ell }=\mathbf {d}^*\).

It can be seen that the provided algorithm runs in time \(\mathcal {O}(\ell )= \mathcal {O}(\log N)\). In Fig. 1, we give an illustrative example of a tree with \(2^3=8\) leaves.

Fig. 1.
figure 1

A Merkle tree with \(2^3= 8\) leaves, which accumulates the data blocks \(\mathbf {d}_0, \ldots , \mathbf {d}_7\) into the value \(\mathbf {u}\) at the root. The bit string (101) and the pink nodes form a witness to the fact that \(\mathbf {d}_5\) is accumulated in \(\mathbf {u}\). If we replace \(\mathbf {d}_5\) by a new value \(\mathbf {d}^*\), we only need to update the yellow nodes. (Color figure online)

Full size image

4 Our Fully Dynamic Group Signatures from Lattices

In this section, we construct our lattice-based fully dynamic group signature and prove its security in Bootle et al.’s model [7]. We start with the LLNW scheme [28], which works in the static setting.

While other constructions of lattice-based group signatures employ trapdoor-based ordinary signature schemes (e.g., [9, 13]) to certify users, the LLNW scheme relies on a SIS-based Merkle tree accumulator which we recalled in Sect. 3.2. The GM, who manages a group of \(N= 2^\ell \) users, chooses uniformly random vectors \(\mathbf {x}_0, \ldots , \mathbf {x}_{N-1} \in \{0,1\}^m\); hashes them to \(\mathbf {p}_0, \ldots , \mathbf {p}_{N-1} \in \{0,1\}^{nk}\), respectively; builds a tree on top of these hash values; and lets the tree root \(\mathbf {u} \in \{0,1\}^{nk}\) be part of the group public key. The signing key of user i consists of \(\mathbf {x}_i\) and the witness for the fact that \(\mathbf {p}_i\) was accumulated in \(\mathbf {u}\). When generating group signatures, the user proves knowledge of a valid pair \((\mathbf {x}_i, \mathbf {p}_i)\) and of the tree path from \(\mathbf {p}_i\) to \(\mathbf {u}\). The user also has to encrypt the binary representation \(\mathsf {bin}(i)\) of his identity i, and prove that the ciphertext is well-formed. The encryption layer utilizes the Naor-Yung double-encryption paradigm [38] with Regev’s LWE-based cryptosystem, and thus, it is also lattice-trapdoor-free.

To upgrade the LLNW scheme directly into a fully dynamic group signature, some tweaks and new ideas are needed. First, to enable the non-frameability feature, we let the user compute the pair \((\mathbf {x}_i, \mathbf {p}_i)\) on his own. The second problem we have to consider is that Merkle hash trees seem to be a static primitive. To this end, we equip the accumulator with an efficient updating algorithm (see Sect. 3.3). Now, the challenging question is how to handle user enrollment and revocation in a simple manner (i.e., without having to reset the whole tree). To tackle these issues, we associate each of the N potential users with a leaf in the tree, and then use the updating algorithm to set up the system so that:

  1. 1.

    If a user has not joined the group or has been revoked, the value at the leaf associated with him is set as \(\mathbf {0}\);

  2. 2.

    When a user joins the group, that value is set as his public key \(\mathbf {p}_i\).

Our setup guarantees that only active users (i.e., who has joined and has not been revoked at the given epoch) have their non-zero public keys accumulated into the updated root. This effectively gives us a method to separate active users who can sign from those who cannot: when signing messages, the user proceeds as in the LLNW scheme, and is asked to additionally prove in ZK that \(\mathbf {p}_i \ne \mathbf {0}\).

At this point, the arising question is how to prove the inequality \(\mathbf {p}_i \ne \mathbf {0}\) in the framework of the Stern-like [45] protocol from [28]. One would naturally hope that this extra job could be done without losing too much in terms of efficiency. Here, the surprising and somewhat unexpected fact is that we can actually do it while gaining efficiency, thanks to a technique originally proposed in [33].

To begin with, let \(\mathsf {B}_t^L\) denote the set of all vectors in \(\{0,1\}^L\) having Hamming weight exactly t. In Stern-like protocols (see Sect. 2.3), a common technique for proving in ZK the possession of \(\mathbf {p} \in \{0,1\}^{nk}\) consists of appending nk “dummy” entries to it to obtain \(\mathbf {p}^* \in \mathsf {B}_{nk}^{2nk}\), and demonstrating to the verifier that a random permutation of \(\mathbf {p}^*\) belongs to the “target set” \(\mathsf {B}_{nk}^{2nk}\). This suffices to convince the verifier that the original vector \(\mathbf {p}\) belongs to \(\{0,1\}^{nk}\), while the latter cannot learn any additional information about \(\mathbf {p}\), thanks to the randomness of the permutation. This extending-then-permuting technique was first proposed in [33], and was extensively used in the underlying protocol of the LLNW scheme. Now, to address our question, we will employ a modified version of this technique, which was also initially suggested in [33]. Let us think of another “target set”, so that it is possible to extend \(\mathbf {p} \in \{0,1\}^{nk}\) to an element of that set if and only if \(\mathbf {p}\) is non-zero. That set is \(\mathsf {B}_{nk}^{2nk-1}\). Indeed, the extended vector \(\mathbf {p}^*\) belongs to \(\mathsf {B}_{nk}^{2nk-1}\) if and only if the original vector has Hamming weight at least \(nk- (nk-1)=1\), which means that it cannot be a zero-vector. When combining with the permuting step, this modification allows us to additionally prove the given inequality while working with smaller dimension. As a result, our fully dynamic scheme produces slightly shorter signatures than the original static scheme.

Finally, we remark that the fully dynamic setting requires a proof of correct opening, which boils down to proving correct decryption for Regev’s encryption scheme. It involves modular linear equations with bounded-norm secrets, and can be easily handled using Stern-like techniques from [26, 33].

4.1 Description of the Scheme

Our scheme is described as follows.

  • \(\mathsf {GSetup}(\lambda )\). On input security parameter \(\lambda \), this algorithm specifies the following:

    • An expected number of potential users \(N=2^{\ell }=\mathsf {poly}(\lambda )\).

    • Dimension \(n = \mathcal {O}(\lambda )\), prime modulus \(q = \widetilde{\mathcal {O}}(n^{1.5})\), and \(k=\lceil \log _2 q\rceil \). These parameters implicitly determine the “powers-of-2” matrix \(\mathbf {G} \in \mathbb {Z}_q^{n \times nk}\), as defined in Sect. 3.

    • Matrix dimensions \(m = 2nk\) for the hashing layer, and \(m_E = 2(n+\ell )k\) for the encryption layer.

    • An integer \(\beta = \sqrt{n}\cdot \omega (\log n)\), and a \(\beta \)-bounded noise distribution \(\chi \).

    • A hash function \(\mathcal {H}_{\mathsf {FS}}: \{0,1\}^* \rightarrow \{1,2,3\}^\kappa \), where \(\kappa = \omega (\log \lambda )\), to be modelled as a random oracle in the Fiat-Shamir transformations [17].

    • Let \(\mathsf {COM}: \{0,1\}^* \times \{0,1\}^m \rightarrow \mathbb {Z}_q^n\) be the string commitment scheme from [22], to be used in our zero-knowledge argument systems.

    • Uniformly random matrix \(\mathbf {A} \in \mathbb {Z}_q^{n \times m}\).

    The algorithm outputs public parameters

    $$\mathsf {pp}=\{\lambda , N, n,q,k, m, m_E, \ell ,\beta , \chi , \kappa , \mathcal {H}_{\mathsf {FS}}, \mathsf {COM}, \mathbf {A}\}.$$

  • \(\langle \mathsf {GKgen_{GM}(pp)},\mathsf {GKgen_{TM}(pp)}\rangle \). The group manager GM and the tracing manager TM initialize their keys and the public group information as follows.

    • \(\mathsf {GKgen_{GM}(pp)}.\) This algorithm samples \(\mathsf {msk} \xleftarrow {\$} \{0,1\}^m\) and computes \(\mathsf {mpk} = \mathbf {A}\cdot \mathsf {msk} \bmod q\), and outputs \((\mathsf {mpk}, \mathsf {msk})\). Here, we consider \(\mathsf {mpk}\) as an identifier of the group managed by GM who has \(\mathsf {mpk}\) as his public key. Furthermore, as in [7, Sect. 3.3, full version], we assume that the group information board is visible to everyone, but can only be edited by a party knowing \(\mathsf {msk}\).

    • \(\mathsf {GKgen_{TM}(pp)}.\) This algorithm initializes the Naor-Yung double-encryption mechanism with the \(\ell \)-bit version Regev encryption scheme. It first chooses \(\mathbf {B} \xleftarrow {\$} \mathbb {Z}_q^{n \times m_E}\). For each \(i \in \{ 1,2\}\), it samples \(\mathbf {S}_i\xleftarrow {\$} \chi ^{n \times \ell }\), \(\mathbf {E}_i \hookleftarrow \chi ^{\ell \times m_E}\), and computes \(\mathbf {P}_i = \mathbf {S}_i^\top \cdot \mathbf {B} + \mathbf {E}_i \in \mathbb {Z}_q^{\ell \times m_E}\). Then, TM sets \(\mathsf {tsk} = (\mathbf {S}_1, \mathbf {E}_1)\), and \(\mathsf {tpk} = (\mathbf {B}, \mathbf {P}_1, \mathbf {P}_2)\).

    • TM sends \(\mathsf {tpk}\) to GM who initializes the following:

      • \(\bullet \) Table \(\mathbf {reg}: = (\mathbf {reg}[0][1], \mathbf {reg}[0][2], \ldots , \mathbf {reg}[N - 1][1], \mathbf {reg}[N - 1][2])\), where for each \(i \in [0, N-1]\): \(\mathbf {reg}[i][1] = \mathbf {0}^{nk}\) and \(\mathbf {reg}[i][2] = 0\). Looking ahead, \(\mathbf {reg}[i][1]\) will be used to record the public key of a registered user, while \(\mathbf {reg}[i][2]\) stores the epoch at which the user joins.

      • \(\bullet \) The Merkle tree \(\mathcal {T}\) built on top of \(\mathbf {reg}[0][1], \ldots , \mathbf {reg}[N - 1][1]\). (Note that \(\mathcal {T}\) is an all-zero tree at this stage, but it will be modified when a new user joins the group, or when GM computes the updated group information.)

      • \(\bullet \) Counter of registered users \(c: = 0\).

      Then, GM outputs \(\mathsf {gpk} = (\mathsf {pp}, \mathsf {mpk}, \mathsf {tpk})\) and announces the initial group information \(\mathsf {info} = \emptyset \). He keeps \(\mathcal {T}\) and c for himself.

  • \(\mathsf {UKgen}(\mathsf {pp})\). Each potential group user samples \(\mathsf {usk} = \mathbf {x} \xleftarrow {\$} \{0,1\}^{m}\), and computes \(\mathsf {upk} = \mathbf {p}=\text {bin}(\mathbf {A}\cdot \mathbf {x})\bmod q \in \{0,1\}^{nk}\).

    Without loss of generality, we assume that every honestly generated \(\mathsf {upk}\) is a non-zero vector. (Otherwise, the user would either pick \(\mathbf {x} = \mathbf {0}^m\) or accidentally find a solution to the \(\mathsf {SIS}_{n,m,q,1}^\infty \) problem associated with matrix \(\mathbf {A}\) - both happen with negligible probability.)

  • \(\langle \mathsf {Join}, \mathsf {Issue}\rangle \). If the user with key pair \((\mathsf {upk}, \mathsf {usk})= (\mathbf {p}, \mathbf {x})\) requests to join the group at epoch \(\tau \), he sends \(\mathbf {p}\) to GM. If the latter accepts the request, then the two parties proceed as follows.

    1. 1.

      GM issues a member identifier for the user as \(\mathsf {uid} = \mathsf {bin}(c) \in \{0,1\}^\ell \). The user then sets his long-term signing key as \(\mathsf {gsk}[c] = (\mathsf {bin}(c), \mathbf {p}, \mathbf {x})\).

    2. 2.

      GM performs the following updates:

      • – Update \(\mathcal {T}\) by running algorithm \(\mathsf {TUpdate}_{\mathbf {A}}(\mathsf {bin}(c), \mathbf {p})\).

      • – Register the user to table \(\mathbf {reg}\) as \(\mathbf {reg}[c][1]:= \mathbf {p}\); \(\mathbf {reg}[c][2]:= \tau \).

      • – Increase the counter \(c: = c+1\).

  • \(\mathsf {GUpdate}(\mathsf {gpk}, \mathsf {msk}, \mathsf {info}_{\tau _\mathrm{current}}, \mathcal {S}, \mathbf {reg})\). This algorithm is run by GM to update the group information while also advancing the epoch. It works as follows.

    1. 1.

      Let the set \(\mathcal {S}\) contain the public keys of registered users to be revoked. If \(\mathcal {S} = \emptyset \), then go to Step 2.

      Otherwise, \(\mathcal {S} = \{\mathbf {reg}[i_1][1], \ldots , \mathbf {reg}[i_r][1]\}\), for some \(r \in [1, N]\) and some \(i_1, \ldots , i_r \in [0,N-1]\). Then, for all \(t \in [r]\), GM runs \(\mathsf {TUpdate}_{\mathbf {A}}(\mathsf {bin}(i_t), \mathbf {0}^{nk})\) to update the tree \(\mathcal {T}\).

    2. 2.

      At this point, by construction, each of the zero leaves in the tree \(\mathcal {T}\) corresponds to either a revoked user or a potential user who has not yet registered. In other words, only active users who are allowed to sign in the new epoch \(\tau _\mathrm{new}\) have their non-zero public keys, denoted by \(\{\mathbf {p}_j\}_j\), accumulated in the root \(\mathbf {u}_{\tau _\mathrm{new}}\) of the updated tree.

      For each j, let \(w_j \in \{0,1\}^\ell \times (\{0,1\}^{nk})^\ell \) be the witness for the fact that \(\mathbf {p}_j\) is accumulated in \(\mathbf {u}_{\tau _\mathrm{new}}\). Then GM publishes the group information of the new epoch as:

      $$ \mathsf {info}_{\tau _\mathrm{new}} = \big (\mathbf {u}_{\tau _\mathrm{new}}, \{w_j\}_j\big ). $$

    We remark that the \(\mathsf {info}_{\tau }\) outputted at each epoch by GM is technically not part of the verification key. Indeed, as we will describe below, in order to verify signatures bound to epoch \(\tau \), the verifiers only need to download the first component \(\mathbf {u}_\tau \) of size \(\widetilde{\mathcal {O}}(\lambda )\) bits. Meanwhile, each active signer only has to download the respective witness of size \(\widetilde{\mathcal {O}}(\lambda )\cdot \ell \).

  • \(\mathsf {Sign}(\mathsf {gpk},\mathsf {gsk}[j], \mathsf {info}_\tau , M)\) . To sign message M using the group information \(\mathsf {info}_\tau \) at epoch \(\tau \), the user possessing \(\mathsf {gsk}[j] = (\mathsf {bin}(j), \mathbf {p}, \mathbf {x})\) first checks if \(\mathsf {info}_\tau \) includes a witness containing \(\mathsf {bin}(j)\). If this is not the case, return \(\bot \). Otherwise, the user downloads \(\mathbf {u}_\tau \) and the witness of the form \(\big (\mathsf {bin}(j), (\mathbf {w}_\ell , \ldots , \mathbf {w}_1)\big )\) from \(\mathsf {info}_\tau \), and proceeds as follows.

    1. 1.

      Encrypt vector \(\mathsf {bin}(j) \in \{0,1\}^\ell \) twice using Regev’s encryption scheme. Namely, for each \(i \in \{1,2\}\), sample \(\mathbf {r}_i \xleftarrow {\$} \{0,1\}^{m_E}\) and compute

      $$\begin{aligned} \mathbf {c}_i= & {} (\mathbf {c}_{i,1}, \mathbf {c}_{i,2}) \\= & {} \Bigl ( \mathbf {B}\cdot \mathbf {r}_i \bmod q,~ \mathbf {P}_i\cdot \mathbf {r}_i + \big \lceil \frac{q}{2} \big \rfloor \cdot \mathsf {bin}(j) \bmod q \Bigr ) \in \mathbb {Z}_q^{n} \times \mathbb {Z}_q^\ell . \end{aligned}$$
    2. 2.

      Generate a NIZKAoK \(\varPi _{\mathsf {gs}}\) to demonstrate the possession of a valid tuple

      $$\begin{aligned} \zeta = (\mathbf {x}, \mathbf {p}, \mathsf {bin}(j), \mathbf {w}_\ell , \ldots , \mathbf {w}_1, \mathbf {r}_1, \mathbf {r}_2) \end{aligned}$$
      (2)

      such that:

      1. (i)

        \(\mathsf {TVerify}_{\mathbf {A}}\big ( \mathbf {u}_\tau , \mathbf {p}, \big (\mathsf {bin}(j), (\mathbf {w}_\ell , \ldots , \mathbf {w}_1)\big ) \big ) =1\) and \(\mathbf {A}\cdot \mathbf {x} = \mathbf {G}\cdot \mathbf {p} \bmod q\);

      2. (ii)

        \(\mathbf {c}_1\) and \(\mathbf {c}_2\) are both correct encryptions of \(\mathsf {bin}(j)\) with randomness \(\mathbf {r}_1\) and \(\mathbf {r}_2\), respectively;

      3. (iii)

        \(\mathbf {p} \ne \mathbf {0}^{nk}\).

      Note that statements (i) and (ii) were covered by the LLNW protocol [28]. Meanwhile, statement (iii) is handled using the technique described at the beginning of this Section. We thus obtain a Stern-like interactive zero-knowledge argument system which is a slight modification of the one from [28]. Due to space restriction, the details are presented in the full version.

      The protocol is repeated \(\kappa = \omega (\log \lambda )\) times to achieve negligible soundness error and made non-interactive via the Fiat-Shamir heuristic as a triple \(\varPi _{\mathsf {gs}}= (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathrm {CH}, \{\mathrm {RSP}\}_{i=1}^\kappa )\), where

      $$ \mathrm {CH} = \mathcal {H}_{\mathsf {FS}}\big (M, (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathbf {A}, \mathbf {u}_\tau , \mathbf {B}, \mathbf {P}_1, \mathbf {P}_2, \mathbf {c}_{1}, \mathbf {c}_{2}\big ) \in \{1,2,3\}^\kappa . $$
    3. 3.

      Output the group signature

      $$\begin{aligned} \varSigma = (\varPi _{\mathsf {gs}}, \mathbf {c}_1, \mathbf {c}_2). \end{aligned}$$
      (3)

  • \(\mathsf {Verify}(\mathsf {gpk},\mathsf {info}_{\tau },M,\varSigma )\). This algorithm proceeds as follows:

    1. 1.

      Download \(\mathbf {u}_\tau \in \{0,1\}^{nk}\) from \(\mathsf {info}_\tau \).

    2. 2.

      Parse \(\varSigma \) as \(\varSigma = \big (\{\mathrm {CMT}_i\}_{i=1}^\kappa , (Ch_1, \ldots , Ch_\kappa ), \{\mathrm {RSP}\}_{i=1}^\kappa , \mathbf {c}_1, \mathbf {c}_2\big )\). If \((Ch_1, \ldots , Ch_\kappa ) \ne \mathcal {H}_{\mathsf {FS}}\big (M, (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathbf {A}, \mathbf {u}_\tau , \mathbf {B}, \mathbf {P}_1, \mathbf {P}_2, \mathbf {c}_{1}, \mathbf {c}_{2}\big )\), then return 0.

    3. 3.

      For each \(i = 1\) to \(\kappa \), run the verification phase of the protocol presented in the full version to check the validity of \(\mathrm {RSP}_i\) with respect to \(\mathrm {CMT}_i\) and \(Ch_i\). If any of the conditions does not hold, then return 0.

    4. 4.

      Return 1.

  • \(\mathsf {Trace}(\mathsf {gpk}, \mathsf {tsk}, \mathsf {info}_\tau , \mathbf {reg}, M, \varSigma \)). This algorithm parses \(\mathsf {tsk}\) as \((\mathbf {S}_1, \mathbf {E}_1)\), parses \(\varSigma \) as in (3), and performs the following steps.

    1. 1.

      Use \(\mathbf {S}_1\) to decrypt \(\mathbf {c}_1 = (\mathbf {c}_{1,1}, \mathbf {c}_{1,2})\) to obtain a string \(\mathbf {b}' \in \{0,1\}^\ell \) (i.e., by computing \(\big \lfloor (\mathbf {c}_{1,2} - \mathbf {S}_1^\top \cdot \mathbf {c}_{1,1})/(q/2)\big \rceil \).

    2. 2.

      If \(\mathsf {info}_\tau \) does not include a witness containing \(\mathbf {b}'\), then return \(\bot \).

    3. 3.

      Let \(j' \in [0,N-1]\) be the integer having binary representation \(\mathsf {b}'\). If the record \(\mathbf {reg}[j'][1]\) in table \(\mathbf {reg}\) is \(\mathbf {0}^{nk}\), then return \(\bot \).

    4. 4.

      Generate a NIZKAoK \(\varPi _{\mathsf {trace}}\) to demonstrate the possession of \(\mathbf {S}_1 \in \mathbb {Z}^{n \times \ell }\), \(\mathbf {E}_1 \in \mathbb {Z}^{\ell \times m_E}\), and \(\mathbf {y} \in \mathbb {Z}^\ell \), such that:

      $$\begin{aligned} {\left\{ \begin{array}{ll} \Vert \mathbf {S}_1 \Vert _\infty \le \beta ; \Vert \mathbf {E}_1 \Vert _\infty \le \beta ; \Vert \mathbf {y}\Vert _\infty \le \lceil q/5 \rceil ; \\ \mathbf {S}_1^\top \cdot \mathbf {B} + \mathbf {E}_1 = \mathbf {P}_1 \bmod q; \\ \mathbf {c}_{1,2} - \mathbf {S}_1^\top \cdot \mathbf {c}_{1,1} = \mathbf {y} + \lfloor q/2 \rfloor \cdot \mathbf {b}' \bmod q. \end{array}\right. } \end{aligned}$$
      (4)

      As the statement involves modular linear equations with bounded-norm secrets, we can obtain a statistical zero-knowledge argument by employing the Stern-like interactive protocol from [26]. The protocol is repeated \(\kappa = \omega (\log \lambda )\) times to achieve negligible soundness error and made non-interactive via the Fiat-Shamir heuristic as a triple \(\varPi _{\mathsf {trace}}= (\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathrm {CH}, \{\mathrm {RSP}\}_{i=1}^\kappa )\), where

      $$\begin{aligned} \mathrm {CH} = \mathcal {H}_{\mathsf {FS}}\big ((\{\mathrm {CMT}_i\}_{i=1}^\kappa , \mathsf {gpk}, \mathsf {info}_\tau , M, \varSigma , \mathbf {b}'\big ) \in \{1,2,3\}^\kappa . \end{aligned}$$
      (5)
    5. 5.

      Set \(\mathsf {uid} = \mathbf {b}'\) and output \((\mathsf {uid}, \varPi _{\mathsf {trace}})\).

  • \(\mathsf {Judge}(\mathsf {gpk}, \mathsf {uid}, \mathsf {info}_{\tau }, \varPi _{\mathsf {trace}}, M, \varSigma )\). This algorithm consists of verifying the argument \(\varPi _{\mathsf {trace}}\) w.r.t. common input \((\mathsf {gpk}, \mathsf {info}_\tau , M, \varSigma , \mathsf {uid})\), in a similar manner as in algorithm \(\mathsf {Verify}\).

    If \(\varPi _{\mathsf {trace}}\) does not verify, return 0. Otherwise, return 1.

4.2 Analysis of the Scheme

Efficiency. We first analyze the efficiency of the scheme described in Sect. 4.1, with respect to security parameter \(\lambda \) and parameter \(\ell = \log N\).

  • The public key \(\mathsf {gpk}\) contains several matrices, and has bit-size \(\widetilde{\mathcal {O}}(\lambda ^2 + \lambda \cdot \ell )\).

  • For each \(j \in [0,N-1]\), the signing key \(\mathsf {gsk}[j]\) has bit-size \(\ell + nk + m = \widetilde{\mathcal {O}}(\lambda )+ \ell \).

  • At each epoch, the signature verifiers downloads \(nk = \widetilde{\mathcal {O}}(\lambda )\) bits, while each active signer downloads \(\widetilde{\mathcal {O}}(\lambda \cdot \ell )\) bits.

  • The size of signature \(\varSigma \) is dominated by that of the Stern-like NIZKAoK \(\varPi _\mathsf{gs}\), which is \(\mathcal {O}(|\zeta |\cdot \log q)\cdot \omega (\log \lambda )\), where \(|\zeta |\) denotes the bit-size of the witness-tuple \(\zeta \) in (2). Overall, \(\varSigma \) has bit-size \(\widetilde{\mathcal {O}}(\lambda \cdot \ell )\).

  • The Stern-like NIZKAoK \(\varPi _\mathsf{trace}\) has bit-size \(\widetilde{\mathcal {O}}(\ell ^2 + \lambda \cdot \ell )\).

Correctness. We now demonstrate that the scheme is correct with overwhelming probability, based on the perfect completeness of Stern-like protocols, and the correctness of Regev’s encryption scheme.

First, note that a signature \(\varSigma =(\varPi _{\mathsf {gs}},\mathbf {c}_1,\mathbf {c}_2)\) generated by an active and honest user j is always accepted by algorithm \(\mathsf {Verify}\). Indeed, such a user can always compute a tuple \(\zeta =(\mathbf {x},\mathbf {p},\mathsf {bin}(j),\mathbf {w}_\ell ,\ldots ,\mathbf {w}_1,\mathbf {r}_1,\mathbf {r}_2)\) satisfying conditions (i),(ii) and (iii) in the \(\mathsf {Sign}\) algorithm. The completeness of the underlying argument system then guarantees that \(\varSigma \) is always accepted by algorithm \(\mathsf {Verify}\).

Next, we show that algorithm \(\mathsf {Trace}\) outputs \(\mathsf {bin}(j)\) with overwhelming probability, and produces a proof \(\varPi _{\mathsf {trace}}\) accepted by algorithm \(\mathsf {Judge}\). Observe that, the decryption algorithm essentially computes

$$\begin{aligned} \mathbf {e}=\mathbf {c}_{1,2}-\mathbf {S}_1^T\mathbf {c}_{1,1} =\mathbf {E}_1\cdot \mathbf {r}_1+\lfloor q/2\rceil \cdot \mathsf {bin}(j)\mod q, \end{aligned}$$

and sets the j-th bit of \(\mathbf {b}'\) to be 0 if j-th entry of \(\mathbf {e}\) is closer to 0 than to \(\lfloor q/2\rceil \) and 1 otherwise. Note that our parameters are set so that \(\Vert \mathbf {E}_1\cdot \mathbf {r}_1\Vert _{\infty }< q/5\), for \(\mathbf {E}_1 \hookleftarrow \chi ^{\ell \times m_E}\) and \(\mathbf {r}_1 \xleftarrow {\$} \{0,1\}^{m_E}\). This ensures that \(\mathbf {b'}=\mathsf {bin}(j)\) with overwhelming probability.

Further, as the user is active, \(\mathsf {info}_{\tau }\) must contain \(w=(\mathsf {bin}(j),\mathbf {w}_\ell ,\ldots ,\mathbf {w}_1)\) and \(\mathbf {reg}[j][1]\) in table \(\mathbf {reg}\) is not \( \mathbf {0}^{nk}\). Therefore, algorithm \(\mathsf {Trace}\) will move to the 4-th step, where it can always obtain the tuple \((\mathbf {S}_1,\mathbf {E}_1,\mathbf {y})\) satisfying the conditions (4). By the completeness of the argument system, \(\varPi _{\mathsf {trace}}\) will be accepted by the algorithm \(\mathsf {Judge}\).

Security. In Theorem 1, we prove that our scheme satisfies the security requirements of the Bootle et al.’s model [7].

Theorem 1

Assume that the Stern-like argument systems used in Sect. 4.1 are simulation-sound. Then, in the random oracle model, the given fully dynamic group signature satisfies the anonymity, traceability, non-frameability and tracing soundness requirements under the \(\mathsf {LWE}_{n, q, \chi }\) and \(\mathsf {SIS}_{n,m,q,1}^\infty \) assumptions.

In the random oracle model, the proof of Theorem 1 relies on the following facts:

  1. 1.

    The Stern-like zero-knowledge argument systems being used are simulation-sound;

  2. 2.

    The underlying encryption scheme, which is obtained from Regev cryptosystem [42] via the Naor-Yung transformation [38], is IND-CCA2 secure;

  3. 3.

    The Merkle tree accumulator we employ is secure in the sense of Definition 3;

  4. 4.

    For a properly generated key-pair \((\mathbf {x}, \mathbf {p})\), it is infeasible to find \(\mathbf {x}' \in \{0,1\}^m\) such that \(\mathbf {x}' \ne \mathbf {x}\) and \(\mathsf {bin}(\mathbf {A}\cdot \mathbf {x}' \bmod q) = \mathbf {p}\).

Due to space restriction, details of the proof of Theorem 1 are provided in the full version of the paper.