 Research
 Open Access
 Published:
An efficient full dynamic group signature scheme over ring
Cybersecurity volume 2, Article number: 21 (2019)
Abstract
The group signature scheme is an important primitive in cryptography, it allows members in a group to generate signatures anonymously on behalf of the whole group. In view of the practical application of such schemes, it is necessary to allow users’ registration and revocation when necessary, which makes the construction of dynamic group signature schemes become a significant direction. On the basis of (Ling et al., Latticebased group signatures: achieving full dynamicity with ease, 2017), we present the first full dynamic group signature scheme over ring, and under the premise of ensuring security, the efficiency of the scheme is improved mainly from the following three aspects: the size of keys, the dynamic construction of a Merkle hash tree that used to record the information of registered users, and the reuse of the leaves in this tree. In addition, the public and secret keys of both group manager and trace manager are generated by a trusted third party, which prevents the situation that the two managers generate their respective public key and secret key maliciously. Compared with the counterpart of the scheme in (Ling et al., Latticebased group signatures: achieving full dynamicity with ease, 2017) over ring, the expected space complexity of the Merkle tree used in our work down almost by half, and the computational complexity of its update has been reduced by a notch because of the dynamic construction of the hash tree.
Introduction
The concept of group signature scheme was proposed by Chaum and van Heyst (1991), which allows and only allows members in a group to sign messages anonymously on behalf of the whole group, and the generated signature would reveals nothing about the identity of the signer. In other words, the verifier in the scheme can only verify that the signature was generated by one of the group members, and have no idea which member it is. However, the trace manager can use its secret key to open the signature to trace the identity of the signer, which avoids the unnecessary disputes. In view of the group signature scheme has the above properties: anonymity (Chen and Pedersen 1994) and traceability, which help the group signature scheme to be one of the cryptography primitives to realize anonymous authentication.
In the early stages, most of the constructions of group signature schemes are static (Boneh et al. 2004; Camenisch and Lysyanskaya 2004; Nguyen and Naini 2004; Furukawa and Yonezawa 2004), namely the members in a group and its size are all fixed in the setup phase, no changes about these parameters would appear during the subsequent operations in the scheme. And furthermore, they also assume that the group manager is always honest and trustworthy. After that, many other properties were considered in the construction of the group signature schemes:

(1)
It is fortunately that the size of public key and generated signatures could do not depend on the size of the group (Camenisch and Stadler 1997; Camenisch and Michels 1998), this property is very important for the construction and application of group signature schemes, which avoids the overexpansion of the size of public key and signatures as the number of valid group members increases, and makes the schemes with this property are well suited for large groups. At the same time, the former is beneficial to improve the implementation efficiency of schemes, while the latter makes the communication complexity and cost of the scheme are independent of the group size.

(2)
The power of the group manager was weakened (Bellare et al. 2005) by separating a trace manager GM _{trace} from the group manager GM _{update} and decreasing the trust level to each authority to enhance protection for honest algorithm executant, for example, their key pairs were generated by a trust third party, which improves the security of the algorithms and makes them closer to the practical application. GM _{trace} is responsible for the trace of a signature when necessary, and GM _{update} is responsible for the registration and revocation of users and the update of the group information. The tracing soundness of a group signature scheme (Stern 1996) no longer assumes that the group managers are all reliable, which means that, before the verifier outputs the final verification result, the identity of the signer traced by a trace manager and the corresponding proof are also need to be checked. This improvement makes the constructed group signature schemes have stronger security.

(3)
Semidynamic model (Kiayias and Yung 2006), which involves the dynamic registration that allows users to apply to join the group when needed in RO model (Camenisch and Stadler 1997; Camenisch and Michels 1998; Ateniese et al. 2000; Furukawa and Imai 2005; Kawachi et al. 2008; Delerablée and Pointcheval 2006; Bichsel et al. 2010) and standard model (Practical Group Signatures Without Random Oracles; Boyen and Waters 2006; Groth 2006; 2007; Boyen and Waters 2007; Signing on Elements in Bilinear Groups for Modular Protocol Design), or the dynamic revocation that allows the group manager to remove certain group members from the group. And there are different manners to realize the latter functionality:

(a)
The group manager updates the group public key and distribute it to the users that are not revoked (Sakai et al. 2012; Camenisch and Lysyanskaya 2002).

(b)
Making use of a accumulator (Dodis et al. 2004; Nguyen 2005), which allows efficient proof of group membership and update of the group information.

(c)
The signer is required to include a proof of eligible membership when signing a message (Bresson and Stern 2001) or update its secret key (Boneh et al. 2004) according to the changes of the group.

(d)
VLR(verifier local revocation) (An Efficient Protocol for Anonymously Providing Assurance of the Container of a Private Key; Boneh and Shacham 2004; Nakanishi and Funabiki 2005; Libert and Vergnaud 2009) means that the list of revoked group members is only distributed to the verifier.

(a)

(4)
Full dynamic model (Naor et al. 2001; Peikert and Rosen 2007; Camenisch and Groth 2004; Nakanishi et al. 2009; Libert et al. 2012a, b), which allows both the dynamic registration of users and the dynamic revocation of group members, which makes the algorithm has stronger security and higher practicability.
The security of schemes mentioned above are mostly based on the hardness assumption in the algebraic theory while the development of quantum computing technology makes such schemes meet serious security problems. Fortunately, the research of the postquantum cryptography has brought new hope to cryptology. And as one important branch of it, lattice based cryptography is widely considered has potential ability to against quantum attack, because there is no efficient algorithm has been found to breaks the hardness assumptions based on lattice. However, the computational complexity and space complexity of lattice based cryptographic schemes have not been solved very well.
The first lattice based group signature scheme is given in (Gordon et al. 2010) in 2010, which was improved to obtain stronger anonymity in (Camenisch et al. 2012), and given the size of group N, the size of signatures generated by the schemes in (Gordon et al. 2010; Camenisch et al. 2012) are all polynomials in N. Subsequently, the size of the signature was lowered up to O(logN) in (Laguillaumie et al. 2013; Nguyen et al. 2015; Ling et al. 2015) by different manners. And then, an efficient lattice based static group signature scheme is presented in (Libert et al. 2016b) without using the GPV trapdoor (Gentry et al. 2008), where a Merkle tree was used as an accumulator to keep a record of the registered user and group information. In order to further satisfy the requirements of making the schemes allow users to register and to be revoked dynamically, the schemes in (Langlois et al. 2014; Libert et al. 2016a) are dependent on lattice trapdoor seriously, and contains some complex modules. By combining the static scheme in (Libert et al. 2016b) with the security model in (Bootle et al. 2016), it is possible to realize the dynamic registration and revocation of users efficiently (Ling et al. 2017). It includes an update algorithm in accumulator, and both the security and the signature size were improved.
In this paper, the first full dynamic group signature scheme over ring is presented inspired by (Ling et al. 2017), which realizes the full dynamic register and revocation of users, the dynamic construction of Merkle hash tree that is used to record the legitimate users with their witnesses and the group information, the reuse of leaves in this tree, and the honestly generation of keys of GM=(GM _{update}, GM _{trace}) by a trusted third party, which leads to a reduction in the security of the generated algorithm. And in theory, the trust third party needs to be completely trusted and not easy to be violated, however, it is impossible in practice. We can only use relatively trusted entities to partially implement the functions of a trusted third party, such as certificate authority(CA), to avoid situations where the group manager and trace manager generate their respective keys maliciously. Concretely, the scheme in this paper improves the efficiency of that in (Ling et al. 2017) from the following three aspects:

(1)
To reduces the size of keys and signature, the scheme is implemented over ring, which also helps to reduce the space complexity and computational complexity of the scheme.

(2)
The dynamic construction and update of the Merkle hash tree allows the size of it expanded along with the size of group gradually, and this change helps to reduce both the computational complexity of the update of group information and the space complexity of the scheme.

(3)
The reuse of leaves in Merkle hash tree is realized in this scheme, which reduces the space complexity of the scheme indirectly to a certain extent.
Though we have tried a lot, there is still a large space for improvement in the use of zeroknowledge protocol to proof a legitimate membership. And the problem of the delayed verification of a signature is also not solved, the direct idea to solve this problem is to store the signature and the verification information or just store the verification result of the signature by the group manager at each time τ, and the verifier requests the corresponding information from it as needed. Unfortunately, this would increase the space complexity unlimitedly along with the extension of the time.
In the remainder of this paper, we start by reviewing some definitions, theorems used in the scheme, and the dynamic algorithm to construct the Merkle hash tree in “Preliminaries” section. And then the detailed full dynamic group signature scheme is presented in “The efficient full dynamic group signature scheme” section. To analysis the security properties of the scheme, we present the underlying zero knowledge protocol and its security analysis in “The underlying protocol” section. Finally, we discuss the properties of the scheme in “The analysis of the group signature scheme” section, and conclusion in “Conclusion” section.
Preliminaries
The background of lattice
In this section, we will review some notations, definitions and theorems used for analysing our main results. Throughout this paper, set the security parameter λ, integer n=O(λ), prime modules \(q=\tilde {O}\left (n^{1.5}\right), k=\lceil \log q\rceil, m=2k\), and R=Z[x]/f(x),f(x)=x^{n}+1,R_{q}=R/qR, given vectors x=(x_{1},⋯,x_{m}),z=(z_{1},⋯,z_{m}), integer t, then \(\\mathbf {x}\_{t}=\left (\sum \nolimits _{i=1}^{m} \x_{i}\^{t}\right)^{\frac {1}{t}}\) denotes its tnorm, (xz) is a concatenation of the two vectors.
Definition 1
(The ringSVP and ringSIVP) (Lyubashevsky et al. 2013) Given a field R, let γ≥1, then the ring SVP_{γ} problem is: given the ideal lattice \(\mathcal {I}\) over R, find out a nonzero short vector \(\mathbf {x}\in \mathcal {I}\), such that \(\\mathbf {x}\_{\infty }\leq \gamma \cdot \lambda _{1}(\mathcal {I})\). And the ring SIVP_{γ} problem could be defined similarly: find out n independent elements (x_{1},⋯,x_{n}) in \(\mathcal {I}\), such that \(\(\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\_{\infty }\leq \gamma \cdot \lambda _{n}(\mathcal {I})\).
Definition 2
(The ring\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\)) (Ling et al. 2015; Peikert 2016) Choose m elements \(a_{j}\overset {\$}{\leftarrow }\mathbf {R}_{q}\) uniformly, let random vector \(\mathbf {A}=(a_{1},\cdots,a_{m})\in \mathbf {R}_{q}^{m}\), positive real number β=poly(n), find out a nonzero short vector \(\mathbf {z}=(z_{1},\cdots,z_{m})\in \mathbf {R}^{m}_{q}, \\mathbf {z}\_{\infty }\leq \beta \), such that
Numerous studies (Lyubashevsky and Micciancio 2006; Lyubashevsky 2008; 2012; Peikert and Rosen 2006; 2007) have shown that if f(x) is irreducible polynomial with integer coefficients, \(m>\frac {\log q}{\log (2\beta)}, \gamma =16mn\log ^{2} n, q\geq \frac {\gamma \sqrt {n}}{4\log n}\), then the problem ring\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) is at least as difficult as the problem ring\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).
Definition 3
(The ring LWE distribution) (Peikert 2016) For secret element \(s\in \mathbf {R}_{q}, \mathcal {X}\) is the noise distribution in R_{q} with bound β, choose \(a\overset {\$}{\leftarrow }\mathbf {R}_{q}, e\overset {\$}{\leftarrow }\mathcal {X}\) uniformly, then \(A_{s,\mathcal {X}}=(a,b=s\cdot a+e\mod q)\) is called the ring LWE distribution in R_{q}×R_{q}.
Definition 4
(The decision ring\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\)) (Lyubashevsky et al. 2010; Peikert 2016) Let n,m≥1,q≥2, given m samples (a_{j},b_{j})∈R_{q}×R_{q}, which are sampled from one of the two distributions: \(A_{s,\mathcal {X}}\) and the uniform distribution in R_{q}×R_{q}, then the decision ring\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is to distinguish which one the samples are from.
Theorem 1
(Lyubashevsky et al. 2010) Let \(q=1\mod 2n, \beta \geq \omega \left (\sqrt {n\log n}\right), \gamma =n^{2}\left (\frac {q}{\beta }\right)\left (\frac {nm}{\log (nm)}\right)^{1/4}\), then there is an error distribution \(\mathcal {X}\) with bound β, such that the problem ring\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is at least as difficult as the problem ring\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).
The Merkle hash tree and its dynamic comstruction
The construction of Merkle tree used in the group signature scheme is based on the collisionresistant hash functions. For arbitrary positive integer t, let G=(1,2,4,⋯,2^{k−1}),bin(t) is the binary representation of t, then t=G·bin(t). let \(\mathcal {H}=\left \{h_{\mathbf {A}}\mathbf {A}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{m}\right \}, h_{\mathbf {A}}:\{0,1\}^{k}\times \{0,1\}^{k}\rightarrow \{0,1\}^{k}\) is collisionresistant hash functions based on the problem ring SIS_{n,m,q,β}, where \(\mathbf {A}=[\mathbf {A}_{0}\mathbf {A}_{1}]\in \mathbf {R}_{q}^{m}, \mathbf {A}_{0},\mathbf {A}_{1}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{k}\), for arbitrary (u_{0},u_{1})∈{0,1}^{k}×{0,1}^{k}, we have
so the following equivalent relationship is true,
Let \(\mathcal {H}=\{h_{\mathbf {A}}\mathbf {A}\in \mathbf {R}_{q}^{m}\}\), then we give the following specific description of the dynamic updating algorithm TDA(t,d^{∗}) to construct and update the Merkle tree that is used to record the registered users and partial group information in this paper: TSetup: Initialize the Merkle tree as an empty tree with depth 1, and its root is u. Let t denote the number of legal members in the group. TJoin: Search for the first nonzero leaf in all leaves, and assume that its index is i≤t. Include an empty tree with depth j=⌈logt⌉ into the original one if there is not a such leaf. And take its root u_{t,1} and the root u_{t,0} of the original tree as two inputs of the hash function to compute a new root u=h_{A}(u_{t,0},u_{t,1}) of the new Merkle tree. In other words, the original tree and the empty tree are two children of the new Merkle tree with depth j+1. And for any i∈[2^{j+1}], we have bin(i)=j+1. TUpdate: Let u_{j+1}=d^{∗} denote the value of the leaf corresponding to the ith user, bin(i)=(i_{1},⋯,i_{j+1}) is the binary description of integer i, its witness is w=(bin(i),(w_{j+1},⋯,w_{1})). Update the value of notes recursively in the path u_{j},⋯,u_{0} from the leaf u_{j+1} to root u, then output the witness w, a new root u_{new}, where w_{j+1},⋯,w_{1} and u_{j},⋯,u_{0} satisfy the following relationship
Let u_{new}=u_{0} be the new root of the Merkle tree.
Given the variable t, the computational complexity of algorithm TUpdate(t,d^{∗}) is O(logt), and it satisfies the following property
Theorem 2
Suppose that the ring\(\mathbf {SIS}^{\infty }_{m,q,\beta }\) is difficult, R={d_{0},⋯,d_{t}} be the set of the leaves related to users who have been registered, then the algorithm TDA(t,d^{∗}) is secure. And given a negligible function negl(λ), for any PPT adversary\(\mathcal {A}\), the following inequality is true
The full dynamic group signature scheme and its security
Generally, there are four participants in a group signature scheme: the trusted third party(TTP): who generates the public parameters and the publicprivate key of the group manager and the trace manager. The group manager GM _{update}: who is responsible to update the group information and the registration and revocation of users. The trace manager GM _{trace}: given a signature, GM _{trace} is responsible to trace the identity of signer when there is a dispute. The users: who are usually appeared as a signer to sign messages or a verifier to verify signatures. Here, we give some changes of the full dynamic group signature scheme in (Ling et al. 2017), and a revised definition is given as follows: GKeyGen(λ)→(pp,(mpk,msk),(opk,osk)): On input the security parameter λ, this algorithm outputs the public parameter pp, group public key gpk=(pp,mpk,opk), and distribute the group secret key msk to GM _{update}, the tracing secret key osk to GM _{trace}. Initialize the registration list reg and the group information info as ∅, and we assume that they can only be edited by a party knowing msk. UKeyGen(pp)→(upk,usk): Given the public parameter pp, this algorithm outputs a user’s key pair (upk,usk). 〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: This algorithm is an interactive protocol between a user and the group manager GM _{update}. Assume that the new registered user is the tth member in the group, the user become a legitimate member of the group if the algorithm goes well, and the Join algorithm sets its signing secret key gsk=(bin(t),upk_{t},usk_{t}). For the Issue algorithm, GM _{update} runs the algorithm TDA(t,upk_{t}) to update the Merkle hash tree, the group information info_{τ}, and the registered user list reg. \(\mathbf {Revoke}({gpk},S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, for any i∈S, the group manager GM _{update} runs algorithm TUpdate(bin(i),0^{k}) to update the Merkle hash tree, the registered user list reg and the group information \(\mathbf {info}_{\tau _{new}}\). Sign(gpk,gsk_{i},info_{τ},M)→Σ: On input group public key gpk, group information info_{τ}, this algorithm outputs a signature Σ to a message M signed by the user corresponding to ith leaf at τ or an error symbol ⊥ if the user is illicit at τ, i.e. the user has not been registered or has been revoked at τ. Verify(gpk,Π_{sign},info_{τ},M)→0/1: Verify the signature Σ and output 1 if it is valid, otherwise output 0. Trace(gpk,osk,M,Σ,reg,info_{τ})→(b6^{′},Π_{trace}): This algorithm is operated by the trace manager GM _{trace}, it outputs the public key b^{′} of the signer who signed the message M at τ and generate a proof for this fact if the signature Σ is valid. Otherwise output ⊥. Judge(gpk,b^{′},M,Π_{trace},Σ,info_{τ})→0/1: Verify the proof Π_{trace} generated by the trace manager GM _{trace}, and output 1 if it is valid, otherwise output 0.
To verify that whether the signer is legitimate or not, i.e. the signer has registered and not be revoked when he signs a message M at τ, the group manager verifies that whether the value of the leaf corresponding to this signer is nonzero. And to avoid leaking any information about the signer’s identity, we bring to the extensionpermutation technology to hide it. In other words, suppose that the binary representation of the value of the leaf that corresponding to the signer is bin(d_{i})=(d_{i1},d_{i2},⋯,d_{ik}),i∈[t], choose a vector \(\mathbf {a}\overset {\$}{\leftarrow }\{0,1\}^{k1}\) uniformly such that the Hamming weight of \(\mathbf {d}^{\prime }_{i}=(\mathbf {bin}(\mathbf {d}_{i})\mathbf {a})\in \{0,1\}^{2k1}\) is k. Given \(\mathcal {S}_{2k1}=\{\pi _{2k1}\pi _{2k1}\ is\ a\ random\ permutation\ of\ elements in\{0,1\}^{2k1}\}, \pi _{2k1}\in \mathcal {S}_{2k1}\), we have
Moreover, the full dynamic group signature scheme needs to satisfies the following properties: correctness, anonymity, nonframeability, traceability, and tracking soundness. Correctness: This property means that if the signer signs a message honestly, the algorithm Verify can always output 1, the trace manager GM _{trace} can trace the identity of the signer by the algorithm Trace, and generates a proof Π_{trace} accepted by the algorithm Judge. Anonymity: For any PPT adversary \(\mathcal {A}\), this property means that it is impossible to distinguish signatures generated by two legitimate users with a nonnegligible probability, even though the adversary \(\mathcal {A}\) could learn the secret key msk of GM _{update}, corrupt some of the users, and is given the access to the oracle Trace. Nonframeability: For any PPT adversary \(\mathcal {A}\), the probability to generate a valid signature that traced to a legitimate user is negligible, even though the adversary \(\mathcal {A}\) could learn the secret keys of GM _{update} and GM _{trace}, and corrupt some of the users. Traceability: For any PPT adversary \(\mathcal {A}\), the probability to generate a valid signature that traced to a illicit user is negligible, even though the adversary \(\mathcal {A}\) could learn the secret key of GM _{trace} and corrupt some of the users. Tracing soundness: For any PPT adversary \(\mathcal {A}\), the probability to generate a valid signature that traced to two different users is negligible, even though the adversary \(\mathcal {A}\) could learn the secret keys of GM _{update} and GM _{trace}, and corrupt some of the users.
The efficient full dynamic group signature scheme
By using the dynamic algorithm to construct the Merkle hash tree and the formal definition of the full dynamic group signature scheme, the specific construction of the scheme in this paper could be defined as follows: GKeyGen(λ): Given the security parameter λ, this algorithm is operated by a trusted third party, let t>0 denote the number of registered users, l=⌈logt⌉,n=O(λ), prime modules \(q=\tilde {O}(n^{1.5}), k=\lceil \log q\rceil, m=2k\), real integer \(\beta >0, \mathcal {X}\) is the noise distribution bounded by β in R,k^{′}=ω(logλ). \(\phantom {\dot {i}\!}H:\{0,1\}^{*}\rightarrow \{0,1\}^{k'}\) is a hash function for FS transformation, and \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbf {Z}_{q}^{n}\) is a string commitment scheme with properties of statistical hiding and computational binding (Kawachi et al. 2008). Choose a matrix \(\mathbf {A}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{m}\) uniformly, for any j∈{1,2}, TTP chooses \(\mathbf {S}_{j}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{j}\overset {\$}{\leftarrow }\mathcal {X}, \mathbf {B}\overset {\$}{\leftarrow }\mathbf {R}_{q}^{k}, \mathbf {msk}\overset {\$}{\leftarrow }\mathbf {R}^{m}\) uniformly, and computes the public keys \(P_{i}=\mathbf {S}_{i}^{\top }\mathbf {B}+E_{i}\in \mathbf {R}_{q}, \mathbf {mpk}=\mathbf {A}\times \mathbf {msk}\). Output the public parameter \(pp=(\lambda,n,q,k,m,\beta,\mathcal {X},k',H,Com,\mathbf {A})\), the tracing public key opk=(B,P_{1},P_{2}), the group public key gpk=(pp,mpk,opk). And distribute the tracing secret key osk=(S_{1},E_{1}) to GM _{trace}, the group secret key msk to GM _{update}. Initialize the registration list reg and the group information info as ∅, and we assume that they can only be edited by a party knowing msk. UKeyGen(pp): The user chooses \(\mathbf {usk}\overset {\$}{\leftarrow }\mathbf {R}^{m}\) uniformly as its secret key, and computes the related public key upk=bin(A·usk) mod q∈{0,1}^{k}. 〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: Assume that the new registered user is the tth member in the group, and the user runs algorithm Join, sends its public key upk to the group manager GM _{update}, and if this algorithm goes well, the algorithm Issue searches and denotes the first nonzero leaf as t^{′} if he approves the user’s application. Let \(\mathbf {upk}_{t^{\prime }}=\mathbf {upk}, \mathbf {reg}_{t^{\prime }}=\mathbf {reg}_{t^{\prime }}[\mathbf {upk}_{t^{\prime }}][\tau ], \tau \) is the time the user registered, the algorithm Issue includes \(\phantom {\dot {i}\!}\mathbf {reg}_{t'}\) into the registration list \(\mathbf {reg}:=(\mathbf {reg}_{1}[\mathbf {upk}_{1}][\tau ],\cdots,\mathbf {reg}_{t^{\prime }}[\mathbf {upk}_{t^{\prime }}][\tau ],\cdots, \mathbf {reg}_{t}[\mathbf {upk}_{t}][\tau ])\). Then the group manager GM _{update} runs the algorithm \(TDA(\mathbf {bin}(t^{\prime }),\mathbf {upk}_{t^{\prime }})\) to update the Merkle tree, outputs the group information \(\phantom {\dot {i}\!}\mathbf {info}_{\tau }=(\mathbf {u},\{\mathbf {w}_{j}\}_{i_{j}})\) where u is the root and \(\phantom {\dot {i}\!}\{\mathbf {w}_{j}\}_{i_{j}}\) are witnesses of all legal users, and updates the counter of registered users t=t+1. Let \(\phantom {\dot {i}\!}\mathbf {usk}_{t'}=\mathbf {usk}\), the user sets \(\phantom {\dot {i}\!}{gsk}_{t'}=(\mathbf {bin}(t'),\mathbf {upk}_{t'},\mathbf {usk}_{t'})\) as its signing secret key. Revoke(gpk,S,msk,reg,info_{τ}): Given the revocation list S that is the set of public keys of group members who would be revoked, if \(S=\left \{\mathbf {upk}_{i_{1}},\cdots,\mathbf {upk}_{i_{r}}\right \}\) is not an empty set, i_{j}∈[t],j∈[r], for every \(j\in [r], \mathbf {upk}_{i_{j}}\in S\), GM _{update} runs the algorithm TUpdate in TDA(bin(i_{j}),0^{k}) to update the Merkle hash tree, then updates the registration list reg: changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}}\left [0^{k}\right ][\tau _{new}]\) if \(\mathbf {upk}_{i_{j}}\in S\), otherwise changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}} [\mathbf {upk}_{i_{j}}][\tau _{new}]\), outputs the new group information \(\mathbf {info}_{\tau _{new}}=(\mathbf {u}_{new},\{\mathbf {w}_{j}\}_{i_{j}})\) that consists of a new root u_{new} and witnesses \(\phantom {\dot {i}\!}\{\mathbf {w}_{j}\}_{i_{j}}\) of \(\mathbf {upk}_{i_{j}}\), updates the counter of legitimate users t=t−r. So, the leaves with value 0^{k} in the Merkle tree corresponding to the potential users who have not been registered or those have been revoked. Sign(gpk,gsk_{i},info_{τ},M): To sign a message M at τ by using the group information info_{τ}, the user related to the ith leaf verifies that whether there is a witness of bin(i) in info_{τ} firstly, if not, return ⊥. Otherwise, the user obtains (bin(i),(w_{l},⋯,w_{1})) from info_{τ} to do the follows: For each j∈{1,2}, random string \(\mathbf {r}_{j}\overset {\$}{\leftarrow }\{0,1\}^{k}\), the user encrypts vector upk_{i} by making use of the doubleencryption paradigm (Naor and Yung 1990) and the RLWEbased encryption scheme (Regev 2009; Lyubashevsky et al. 2013) to obtain the ciphertext
Then the user generates a noninteractive zeroknowledge argument of knowledge(NIZKAoK) Π_{sign} for:

(1)
it has legitimate witness ζ=(usk_{i},upk_{i},bin(i),w_{l},⋯,w_{1},r_{1},r_{2}) such that the signer is a legitimate member in the group, i.e. upk_{i}≠0^{k}, and the values of nodes in the path that from the leaf corresponding to the user to the root are all correct.

(2)
(usk_{i},upk_{i}) is a valid publicprivate keypair.

(3)
(c_{1},c_{2}) are two legitimate ciphertext of upk_{i}.
Finally, the signer outputs the signature Σ=((c_{1},c_{2}),Π_{sign}). The NIZK argument of knowledge mentioned above is obtained from the Stern’s threeround interactive protocol (Song 2001) by FS transformation, i.e. runs the Stern protocol k^{′} times sequentially to obtain a negligible soundness error, and the transcript is \(\Pi _{sign}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), where
Verify(gpk,Π_{sign},info_{τ},M): The verifier obtains the root u_{τ} of the Merkle hash tree at τ from the group information info_{τ}, and verifies that whether the predicted challenge CH is true, outputs 0 if not, otherwise verifies the respond RSP_{j} that corresponding to CMT_{j} and CH_{j} for each j∈[k^{′}], and outputs 1 if everything is correct, otherwise outputs 0. Trace(gpk,osk,M,Σ,reg,info_{τ}): The trace manager GM _{trace} uses its tracing secret key osk to decrypt the ciphertext c_{1}=(c_{1,1},c_{1,2}) and compute \(\mathbf {b}^{\prime }=\left \lfloor \frac {(\mathbf {c}_{1,2}S_{1}^{\top }\cdot c_{1,1})}{q/2}\right \rceil \in \{0,1\}^{k}\). If there is not a witness of b^{′} in info_{τ} or b^{′}=0^{k}, output ⊥. Then GM _{trace} generates a noninteractive zeroknowledge argument of knowledge(NIZKAoK) Π_{trace} for the fact that the user corresponding to b^{′} really generated a signature Σ to message M at τ. In other words, the trace manager GM _{trace} should proof that he has \(\mathbf {S}_{1}\in \mathbf {R}_{q}^{k}, E_{1}\in \mathbf {R}_{q}, \mathbf {y}\in \mathbf {R}_{q}^{k}\), such that
Similarly, the NIZKAoK mentioned above is obtained from the Stern’s threeround interactive protocol (Song 2001) by FS transformation, i.e. GM _{trace} runs the Stern protocol k^{′} times sequentially to obtain a negligible soundness error, and the transcript is \(\Pi _{trace}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH, \{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), where
Finally, this algorithm outputs (b^{′},Π_{trace}). Judge(gpk,b^{′},M,Π_{trace},Σ,info_{τ}): Verify the proof Π_{trace} and output 1 if it is true, otherwise output 0.
In this scheme, the public parameter and the publicprivate key pair are all generated by a trusted third party, which can avoid the problem that the illegitimate group managers generate their keys maliciously, but not the malpractices of the legitimate group managers. This is one possible attack on this type of scenario that we can think of, such as group members can be added or withdrawn according to a group manager’s personal preference or interest relationship. To this problem, we can consider to set up the group manager a trust value TV, a confidence threshold CT, and a reduction coefficient RC, where the value of TV is initialized to tv=1,0<CT, and RC<1. The value of TV is reduced to TV_{s}=tv−s·RC if the group manager has s times malpractices, and it would be revoked if TV_{s}<CT.
Furthermore, it is not necessary to prepare a large storage space for a large empty tree standby before a signature is generated, namely we only need to extend or update the Merkle hash tree when a user needs a registration or be revoked. Compared with the scheme in (Ling et al. 2017), our work could realizes the truly dynamic of the group signature scheme, which helps to economize considerable storage space, and there is also no limits on the upper bound of the size of the group as long as the storage space is allowed. In addition, the fact that the scheme is implemented based on ring could help to reduce the computational complexity and space complexity of it.
Finally, a timestamp τ is given to each member in the group, the group manager GM _{update} updates the group information info_{τ} once a new user registered or a legitimate member has been revoked, which indicates that the user can not sign a message M before a registration or after a revocation. Given a group information info_{τ}, we can confirm the timestamp τ uniquely, and vice versa. For any two timestamps τ_{1}<τ_{2}, the group information \(\mathbf {info}_{\tau _{1}}\) is published earlier than \(\mathbf {info}_{\tau _{2}}\).
The underlying protocol
The definition of the underlying protocol
Suppose that the size of the legitimate members in the group is t≥1 at time τ, for any b∈{1,2},i∈[ t],∀j∈[l−1], the underlying zeroknowledge protocol is used to proof the following relationship by utilizing the Stern’s protocol (Song 2001)
Given a bit b, a vector a, let \(\mathbf {ext}(b,\mathbf {a})=(\bar {b}\cdot \mathbf {a},b\cdot \mathbf {a})^{\top }, \mathbf {ext}_{2}(b)=(\bar {b},b)^{\top }\), then we have the following equivalence relationship:
Then for any b∈{1,2},i∈[t],bin(i)=(i_{1},⋯,i_{l}), the Eq. 1 is equal to the following form
Let \(\mathbf {B}_{n}^{2n}\) be the set of strings with length 2n, where the Hamming weight of each string is n, to illustrate the fact that the user’s public key upk_{i}≠0^{k}, we pad upk_{i} with a random string with length k−1 to obtain a new string \(\mathbf {upk}_{i}^{*}\), such that \(\mathbf {upk}_{i}^{*}\in \mathbf {B}_{k}^{2k1}\), then for any permutation \(\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2k1}\), we have
We make similar operations for each usk_{i} to obtain \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m}\), for any \(\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2m}\), we have \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m} \Leftrightarrow \pi _{\mathbf {usk}_{i}}(\mathbf {usk}_{i}^{*})\in \mathbf {B}_{m}^{2m}\). Similarly, extend the vectors u_{1},⋯,u_{l−1},w_{1},⋯,w_{l},r_{1},r_{2} to obtain \(\mathbf {u}_{1}^{*}\cdots,\mathbf {u}_{l1}^{*}, \mathbf {w}_{1}^{*}\cdots,\mathbf {w}_{l}^{*}\in \mathbf {B}_{k}^{2k}, \mathbf {r}_{1}^{*},\mathbf {r}_{2}^{*}\in \mathbf {B}_{k}^{2k}\). And then let \(\hat {\mathbf {u}}_{1}=\mathbf {ext}(i_{1},\mathbf {u}_{1}^{*}),\cdots,\hat {\mathbf {u}}_{l1}=\mathbf {ext}\left (i_{l1},\mathbf {u}_{l1}^{*}\right)\in \{0,1\}^{4k}, \hat {\mathbf {upk}_{i}}=\mathbf {ext}\left (i_{l},\mathbf {upk}_{i}^{*}\right)\in \{0,1\}^{4k2}, \hat {\mathbf {w}}_{1}=\mathbf {ext}\left (\bar {i_{1}},\mathbf {w}_{1}^{*}\right),\cdots,\hat {\mathbf {w}}_{l}=\mathbf {ext}\left (\bar {i_{l}}, \mathbf {w}_{l}^{*}\right)\in \{0,1\}^{4k}\).
Given upk_{i}=(upk_{i1},⋯,upk_{ik}), for any j∈[ k], let \(\mathbf {upk}^{\prime }_{ij}=\mathbf {ext}_{2}({upk}_{ij})\). For any b∈{0,1},t=(t_{0},t_{1})∈Z^{2}, let \(T_{b}(\mathbf {t})=\left (t_{b},t_{\bar {b}}\right)\). Then for any b_{j}∈{0,1}, we have \(\mathbf {upk}'_{ij}=\mathbf {ext}_{2}({upk}_{ij})\Leftrightarrow T_{b_{j}}\left (\mathbf {upk^{\prime }}_{ij}\right)=\mathbf {ext}_{2}({upk}_{ij}\oplus b_{j})\). Because b_{j} is chosen randomly, so the operations above are equal to carry out a onetime pad to the user’s upk_{ij} by b_{j} to hide it perfectly.
Let \(r\in \{2k1,2k\}, b\in \{0,1\}, \pi \in \mathcal {S}_{r}, \mathbf {t}=(t_{0},t_{1})^{T}\in \mathbf {Z}^{2r}\), we define the permutation \(F_{b,\pi }(\mathbf {t})=(\pi (t_{b}),\pi (t_{\bar {b}}))\). Then for all \(b_{1},\cdots,b_{l}\in \{0,1\}, \phi _{u,1},\cdots,\phi _{u,l1},\phi _{w,1},\cdots,\phi _{w,l}\in \mathcal {S}_{2k}, \pi _{upk_{i}}\in \mathcal {S}_{2k1}\), the following relationship is true,
Let
then z∈{0,1}^{10kl+2m+6k−3}, the Eq. 2 can be unified into one equation A^{′}·z=U mod q, where A^{′},U could be obtained from the public parameters. Let VALID be the set of vectors in {0,1}^{10kl+2m+6k−3} that satisfy the relationship above, let
for any
let Γ_{η} be the permutation for strings in {0,1}^{10kl+2m+6k−3}, then we have
After that, we could utilize the Stern’s protocol and the equal relationship above to proof that z∈VALID, and A^{′}·z=U mod q. Let D=10kl+2m+6k−3, the underlying zeroknowledge argument of knowledge is as follows,
The security analysis of the underlying protocol
Theorem 3
Suppose that the problem ring\(\mathbf {SVP}_{\tilde {O}(n)}\) is difficult, then the protocol in the previous section satisfies the following properties: perfect completeness, statistical zero knowledge, argument of knowledge, and the soundness error is \(\frac {2}{3}\), the communication complexity is \(\tilde {O}(D\log q)\).
Proof
As to the property of perfect completeness, if participants in the protocol run each step honestly, then V would accepts the proof generated by P with probability 1. Owing to \(\mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \mathbf {z}\in \{0,1\}^{D}, \\mathbf {r}_{z}\=\\mathbf {z}\=D\), it is easy to verify that the communication complexity is \(\tilde {O}(D\log q)\). And next, we will present a detailed description of the property of zero knowledge.
We construct a PPT simulator Sim firstly to simulate the real interactions between a honest prover P and a malicious verifier V^{∗}, such that the distribution of the transcript outputted simulator Sim is statistical close to that of the real interactions. Sim chooses \(\bar {CH}\in \{1,2,3\}\) randomly as a prediction of the challenge that the verifier V^{∗} would not choose.
If \(\bar {CH}=1\), Sim computes a vector \(\mathbf {z}^{\prime }\in \mathbf {Z}_{q}^{D}\) by using the algebraic method, such that A^{′}·z^{′}=u mod q. Then chooses \(\mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\), and strings ρ_{1},ρ_{2},ρ_{3}∈{0,1}^{m} uniformly and randomly to compute the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot \mathbf {r}_{z};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}^{\prime }+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=\left (C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3}\right)\) to V^{∗}. Depend on the challenge CH that received from V^{∗}, the simulator responds as follows:

1.
If CH=1, output ⊥ and break.

2.
If CH=2, let RSP=(η,z^{′}+r_{z},ρ_{1},ρ_{3}) and send it to V^{∗}.

3.
If CH=3, let RSP=(η,r_{z},ρ_{1},ρ_{2}) and send it to V^{∗}.
If \(\bar {CH}=2\), Sim chooses \(\mathbf {z}^{\prime }\in \mathbf {VALID}, \mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\), and strings ρ_{1},ρ_{2},ρ_{3}∈{0,1}^{m} uniformly and randomly to compute the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot \mathbf {r}_{z};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}'+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=(C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3})\) to the verifier V^{∗}. Depend on the challenge CH that received from V^{∗}, the simulator responds as follows:

1.
If CH=1, let RSP=(Γ_{η}(z^{′}),Γ_{η}(r_{z}),ρ_{2},ρ_{3}) and send it to V^{∗}.

2.
If CH=2, output ⊥ and break.

3.
If CH=3, let RSP=(η,r_{z},ρ_{1},ρ_{2}) and send it to V^{∗}.
If \(\bar {CH}=3\), Sim chooses \(\mathbf {z}^{\prime }\in \mathbf {VALID}, \mathbf {r}_{z}\in \mathbf {Z}_{q}^{D}, \eta \in \bar {\mathcal {S}}\), and strings ρ_{1},ρ_{2},ρ_{3}∈{0,1}^{m} uniformly and randomly, and computes the commitments \(C^{\prime }_{1}=Com(\eta,\mathbf {A}^{\prime }\cdot (\mathbf {z}^{\prime }+\mathbf {r}_{z})\mathbf {u};\rho _{1}), C^{\prime }_{2}=Com(\Gamma _{\eta }(\mathbf {r}_{z});\rho _{2}), C^{\prime }_{3}=Com(\Gamma _{\eta }(\mathbf {z}^{\prime }+\mathbf {r}_{z});\rho _{3})\), and sends the commitment \(CMT=\left (C^{\prime }_{1},C^{\prime }_{2},C^{\prime }_{3}\right)\) to the verifier V^{∗}. Depend on the challenge CH that received from V^{∗}, the simulator responds as follows:

1.
If CH=1, compute RSP as in the case \((\bar {CH}=2,CH=1)\), and send it to V^{∗}.

2.
If CH=2, compute RSP as in the case \((\bar {CH}=1,CH=2)\), and send it to V^{∗}.

3.
If CH=3, output ⊥ and break.
For the commitment scheme is statistical indistinguishable, the distribution of the output of Sim and that of the real interactions are statistical indistinguishable. i.e. there is a negligible function negl(n) such that \(\Pr [\bot \leftarrow Sim]=\frac {1}{3}\pm negl(n)\). So the simulator would outputs an acceptable transcript as long as no error symbol ⊥ is outputted, in other words, Sim would outputs a transcript that is indistinguishable from that of a real interactions with probability almost \(\frac {2}{3}\).
Finally, we would like to give a concrete explanation of the property of argument of knowledge. Suppose that there are three different valid responds RSP_{1}=(t_{z},t_{r},ρ_{2},ρ_{3}),RSP_{2}=(η_{2},z_{2},ρ_{1},ρ_{3}),RSP_{3}=(η_{3},z_{3},ρ_{1},ρ_{2}) corresponding to three different challenges of one commitment CMT, then the validity of responds indicates the following relationship:
Because of the computational binding of the commitment scheme Com, we have
For t_{z}∈VALID, let \(\mathbf {z}^{\prime }=\Gamma _{\eta _{2}}^{1}(\mathbf {t}_{z})\), then \(\mathbf {z}'\in \mathbf {VALID}, \Gamma _{\eta _{2}}(\mathbf {z}^{\prime })+\Gamma _{\eta _{2}}(\mathbf {z}_{3})=\Gamma _{\phi _{2}}(\mathbf {z}_{2})\mod q\), and we could learn that z^{′}+z_{3}=z_{2},A^{′}·z^{′}+A^{′}·z_{3}=A^{′}·z_{2} mod q, Finally, we obtain a solution z^{′} to a instance of the problem ring SIS, which satisfies A^{′}·z^{′}=u mod q. □
The analysis of the group signature scheme
Notation
The security of the full dynamic group signature scheme presented in this paper satisfies the strong security definition given in (Bootle et al. 2016): correctness, anonymity, nonframeability, traceability, and tracing soundness. Before the specific description, we would like to give a brief description of oracles and special symbols used in the proof firstly. HUL is the set of honest users whose secret keys are generated honesty. BUL is the set of users whose signing secret keys are sent to the adversary. CUL is the set of users whose public keys are chosen by the adversary. SL is the set of signatures generated by oracle sign. CL is the set of signatures generated by oracle Chal_{b}. And oracles used in the proof are as follows: AddU(i): Add an honest user i into the set HUL at time τ. CreU(i,upk_{i}): Create a new user i whose public key upk_{i} is chosen by the adversary, which is invoked in the oracle SenToM. SenToM(i,M_{in}): It is used to run the algorithm Join, on behalf of a corrupt user, together with the honest group manager GM _{update}. SenToU(i,M_{in}): It is used to run the algorithm Join, on behalf of the corrupt group manager GM _{update}, together with a legitimate user i. RReg(i): Return the registration information reg_{i} of user i. MReg(i,ρ): Change the registration information reg_{i} of user i into ρ. RevealU(i): Return the signing secret key gsk_{i} of user i to the adversary, and add i to the set BUL. Sign(i,M,τ): Return a signature to a message M signed by user i at time τ, and add this signature to the set SL. Chal_{b}(info_{τ},i_{0},i_{1},M): For any b∈{0,1}, Return the signature to a message M signed by user i_{b} at time τ, and add this signature to the set CL. This requires that the users i_{0},i_{1} are all legitimate at time τ, and this oracle could be revoked only once. Trace(info_{τ},Σ,M): Return the signer of a signature Σ signed at time τ and a proof of this fact, which requires that the signature Σ∉CL. UpdateG(S,τ): It allows the adversary to update some information about the group at time τ, which requires that each element in S is legitimate user’s public key at time τ. IsActive(info_{τ},reg,i): Return 1 if and only if the user i is a legitimate member in the group at time τ, otherwise return 0.
The security analysis
Complexity: Given a security parameter λ, the size of legitimate users t, \(l=\lceil \log t\rceil, n=O(\lambda), q=\tilde {O}\left (n^{1.5}\right)=\tilde {O}\left (c\lambda ^{1.5}\right)\) with a constant c, k=O(log(λ^{1.5})) (Table 1). Then the size of group public key gpk=(pp,mpk,opk) is \(gpk=\tilde {O}\left (\lambda ^{1.5}\right)+l\cdot O(\log \lambda)\), the size of signing secret key gsk_{i}=(bin(i),upk_{i},usk_{i}) is gsk_{i}=l+3k=l+O(logλ), and the size of signature Σ=(Π_{sign},c_{1},c_{2}) is
Suppose that the upper bounds of the size of the group in (Ling et al. 2017) and that in our work are the same and denoted as N, let l= logN, then the expected computational complexity of realizing the dynamic registration and revocation of the counterpart of the scheme in (Ling et al. 2017) over ring is O(l), and that of our work is
Correspondingly, the expected space complexity of Merkle tree used in (Ling et al. 2017) is O(2N−1) (Table 2), and that of our work is
.
Theorem 4
The full dynamic group signature scheme based on ring in this paper is correct.
Proof
Now, we give a specific description of the correctness of our scheme according to the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature Σ=(Π_{sign},c_{1},c_{2}) is generated by a legitimate user, then the perfect completeness of the underlying protocol could help the signature Σ to pass the verification of the algorithm Verify, and the algorithm Trace will outputs the user public key upk_{i} with a probability approximate to 1 together with a proof Π_{trace} accepted by Judge. We need to compute \(\mathbf {e}=\mathbf {c}_{1,2}\mathbf {S}_{1}^{\top }c_{1,1}=E_{1}\cdot \mathbf {r}_{1}+\left \lfloor \frac {q}{2}\right \rfloor \cdot \mathbf {upk}_{i}\mod q\) when to decrypt a ciphertext, and let \(\mathbf {b}^{\prime }=\left (b^{\prime }_{1},\cdots,b^{\prime }_{l}\right), \mathbf {e}=(e_{1},\cdots,e_{l})\), for any j∈[ l],
Note that \(\E_{1}\cdot \mathbf {r}_{1}\_{\infty }<\frac {q}{5}\), so b^{′}=upk_{i} with overwhelming probability. Furthermore, because the user corresponding to upk_{i} is legitimate, then the witness w=(bin(i),w_{l},⋯,w_{1}) is included in the group information info_{τ}, and the value of the related leaf is not 0^{k}. So, the algorithm Trace could always obtain a tuple (S_{1},E_{1},y) that satisfies requirement. And finally, for the fact that the proof Π_{trace} is perfect completeness, so the algorithm Judge outputs 1 with probability 1. □
Theorem 5
Suppose that the problem ring\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is difficult, then the scheme in this paper is anonymous in RO model.
Proof
Assume that the size of legitimate users is t, the adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) are all PPT algorithms. For two different users i_{0}≠i_{1}∈[t] given by \(\mathcal {A}\), we give the following game before the concrete proof:
We say that the scheme has a property of anonymity if there is a negligible function negl(λ), such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{anonb}(\lambda)\right ]=1\leq negl(\lambda)\). Given a negligible function negl(λ), we will finish this proof by hybrid games. Let the output of each game is OP_{l}, l∈[0,9].
Game0: Given two different legitimate users i_{0}≠i_{1}∈[t] by \(\mathcal {A}\), let b=0, the challenger \(\mathcal {C}\) runs the experiment above honestly by using i_{0}.
Game1: This game is completely consistent with Game0 except that include (S_{2},E_{2}) to osk, i.e. let osk=((S_{1},E_{1}),(S_{2},E_{2})). And this change, to the view of the adversary \(\mathcal {A}\), makes no difference, Pr[OP_{1}=1]= Pr[OP_{0}=1].
Game2: This game is completely consistent with Game1 except that use a simulator Sim_{trace} to simulate the real interactions of the protocol that generates Π_{trace}, i.e. replace the real transcript Π_{trace} with a simulated transcript of Sim_{trace}. And the two transcripts are statistical indistinguishable because of the statistical zeroknowledge of Π_{trace}, Pr[OP_{2}=1]− Pr[OP_{1}=1]≤negl(λ).
Game3: This game is completely consistent with Game2 except that replace (S_{1},E_{1}) with (S_{2},E_{2}) when Sim_{trace} simulates the oracle Trace. For a legitimate signature (M,Π_{sign},c_{1},c_{2}), where c_{1},c_{2} are encryptions to different strings respectively. Let F_{1} be the signature inquiry initiated by \(\mathcal {A}\) to the oracle Trace, and the view of \(\mathcal {A}\) may changing if F_{1} appears, however, it violates the soundness of the protocol that generates Π_{sign}. And the change in this game, to the view of \(\mathcal {A}\), is indistinguishable except the incident F_{1}, i.e. Pr[OP_{3}=1]− Pr[OP_{2}=1]≤ Pr[F_{1}]≤negl(λ).
Game4: This game is completely consistent with Game3 except that use a simulator Sim_{sign} to simulate the real interactions of the protocol that generates Π_{sign}, i.e. replace the real transcript Π_{sign} with a simulated transcript of Sim_{sign}. And the two transcripts are statistical indistinguishable because of the statistical zeroknowledge of Π_{sign}, Pr[OP_{4}=1]− Pr[OP_{3}=1]≤negl(λ).
Game5: This game is completely consistent with Game4 except that change the ciphertext c_{1} into the encryption to \(\mathbf {upk}_{i_{1}}\) when initiate an inquiry to the oracle Chal_{b}. And the difference of the view of \(\mathcal {A}\) caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S_{2},E_{2}) during the inquiry to the oracle Trace, which makes no difference by substitute the ciphertext c_{1}, so, Pr[OP_{5}=1]− Pr[OP_{4}=1]=negl(λ).
Game6: This game is completely consistent with Game5 except that replace (S_{2},E_{2}) with (S_{1},E_{1}) when Sim_{trace} simulates the oracle Trace. For a legitimate signature (M,Π_{sign},c_{1},c_{2}), where c_{1},c_{2} are encryptions to different strings respectively, let F_{2} be the signature inquiry initiated by \(\mathcal {A}\) to the oracle Trace, which violates the soundness of the protocol that generates Π_{sign}. And the change in this game, to the view of \(\mathcal {A}\), is indistinguishable except the incident F_{2}, Pr[OP_{6}=1]− Pr[OP_{5}=1]≤ Pr[F_{2}]≤negl(λ).
Game7: This game is completely consistent with Game6 except that change the ciphertext c_{2} into the encryption to \(\mathbf {upk}_{i_{1}}\). And the difference of the view of \(\mathcal {A}\) caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S_{1},E_{1}) during the inquiry to the oracle Trace, which makes no difference to the view of the adversary, Pr[OP_{7}=1]− Pr[OP_{6}=1]=negl(λ).
Game8: This game is completely consistent with Game7 except that replace the simulator Sim_{sign} with a real protocol that generates Π_{sign}, i.e. replace the simulated transcript of Sim_{sign} by a real transcript Π_{sign}. And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol Π_{sign}, Pr[OP_{8}=1]− Pr[OP_{7}=1]≤negl(λ).
Game9: This game is completely consistent with Game8 except that replace the simulator Sim_{trace} with a real protocol that generates Π_{trace}, i.e. replace the simulated transcript of Sim_{trace} by a real transcript Π_{trace}. And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol Π_{trace}, Pr[OP_{9}=1]− Pr[OP_{8}=1]≤negl(λ).
Finally, we could learn from the games above that the probability:
where c is constant. So, the scheme in this paper satisfies the property of anonymity. □
Theorem 6
Suppose that the ring\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is difficult, then the scheme in this paper is unforgeable in the RO model.
Proof
Suppose that there ia a PPT adversary \(\mathcal {A}\) could forge a valid signature with a nonnegligible probability ε, then there is a PPT algorithm \(\mathcal {B}\) could break the security of Merkle hash tree or solve the problem ring\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with a nonnegligible probability by invoking \(\mathcal {A}\) as a black box. And to complete the proof, we give the following game:
If there is a negligible function negl(λ), such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{unforge}(\lambda)\right ]=1\leq negl(\lambda)\), then we say that the scheme is unforgeable. Given a random matrix A, the challenger computes the public parameter pp honestly, then invokes the algorithm of \(\mathcal {A}\), runs the operations in the game above, during this process, \(\mathcal {B}\) responds the inquiries of \(\mathcal {A}\) honestly. If the adversary \(\mathcal {A}\) wins the game and outputs \(\left (M^{*},\Sigma ^{*},i^{*},\Pi _{trace}^{*},\mathbf {info}_{\tau }\right)\) finally, then there is a nonnegligible function ε, such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{unforge}(\lambda)\right ]=1\geq \epsilon \), and the algorithm \(\mathcal {B}\) could operate as follows: Decompose the signature Σ^{∗} into \(\left (\Pi _{sign}^{*},\mathbf {c}_{1}^{*},\mathbf {c}_{2}^{*}\right)\), where \(\Pi _{sign}=\left (\left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},CH^{*},\left \{RSP_{i}^{*}\right \}_{i=1}^{k^{\prime }}\right)\), because the adversary \(\mathcal {A}\) wins the game above, so \(\left \{RSP_{i}^{*}\right \}_{i=1}^{k^{\prime }}\) is legitimate responds to \(\left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},CH^{*}\). Let \(\xi ^{*}=\left (M^{*}, \left \{CMT_{i}^{*}\right \}_{i=1}^{k^{\prime }},\mathbf {A},\mathbf {u}_{\tau },\mathbf {B},P_{1},P_{2}, \mathbf {c}_{1}^{*},\mathbf {c}_{2}^{*}\right)\), for the successful probability to guess the value H(ξ^{∗}) is \(3^{k^{\prime }}\), so the adversary uses the ξ^{∗} to initiate queries to the oracle H with overwhelming probability, and ξ^{∗} is the preimage of H with probability \(\epsilon ^{\prime }=\epsilon 3^{k^{\prime }}\), let t^{∗}∈{1,2,⋯,Q_{H}} be the index of one inquiry, where Q_{H} is the number of inquiries that the adversary \(\mathcal {A}\) made to the oracle H. The inputs of the hash queries from 1th to t^{∗}th are all ξ^{∗}, and \(\mathcal {B}\) runs the operations of \(\mathcal {A}\) for t^{∗} times. And the inputs of other hash queries from t^{∗}+1th to Q_{H}th are something else, \(\mathcal {B}\) responds by independent values respectively. By the Forking lemma in (Brickell et al. 2000; Pointcheval and Stern 2000), the probability of \(\mathcal {B}\) gets three different hash values \({CH}_{t^{*}}^{1},{CH}_{t^{*}}^{2},{CH}_{t^{*}}^{3}\in \{1,2,3\}^{k^{\prime }}\) to the same input ξ^{∗} is \(\geq \frac {1}{2}\), then for any j∈{1,2,⋯,k^{′}}, we have \(\Pr \left [\left ({CH}_{t^{*},j}^{1},{CH}_{t^{*},j}^{2},{CH}_{t^{*},j}^{3}\right)=(1,2,3)\right ]=1\left (\frac {7}{9}\right)^{k^{\prime }}\). Given three different legitimate responds \(\left ({RSP}_{t^{*},j}^{1},{RSP}_{t^{*},j}^{2},{RSP}_{t^{*},j}^{3}\right)\), what we could learn from the protocol that generates Π_{sign} is that we could extract a witness \(\zeta ^{\prime }=\left (\mathbf {usk}_{i^{\prime }},\mathbf {upk}_{i^{\prime }},w^{\prime }_{\tau },\mathbf {r}^{\prime }_{1},\mathbf {r}^{\prime }_{2}\right)\), where \(w^{\prime }_{\tau }=(\mathbf {bin}(i^{\prime }),\mathbf {w}^{\prime }_{l,\tau },\cdots,\mathbf {w}^{\prime }_{1,\tau })\in \{0,1\}^{l}\times \left (\{0,1\}^{k}\right)^{l}\), such that for ∀b∈{1,2},∀j∈{0,l−1}, we have
We can learn from the correctness of the encryption scheme that \(\mathbf {c}_{1}^{*}\) is the encryption to \(\mathbf {upk}_{i^{\prime }}\). The algorithm Judge outputs 1 because of the fact that \(\mathcal {A}\) wins the game, and what we can learn from the soundness of the protocol that generates Π_{trace} is that \(\mathbf {c}_{1}^{*}\) is the encryption to \(\phantom {\dot {i}\!}\mathbf {upk}_{i^{*}}\), then \(\mathbf {upk}_{i^{\prime }}=\mathbf {upk}_{i^{*}}\) with overwhelming probability. By the correctness of the Merkle hash tree, the user i^{∗} is legitimate. i^{∗}∈HUL∖BUL indicates that the adversary \(\mathcal {A}\) doesn’t know \({gsk}_{i^{*}}=(\mathbf {bin}(i^{*}),\mathbf {upk}_{i^{\prime }},\mathbf {usk}_{i^{*}})\). \(\phantom {\dot {i}\!}\mathbf {usk}_{i^{*}}\) was chosen by \(\mathcal {B}\) and \(\mathbf {A}\cdot \mathbf {usk}_{i^{*}}=\mathbf {G}\cdot \mathbf {upk}_{i^{\prime }}\), so we have \(\Pr [\mathbf {usk}_{i^{*}}\not =\mathbf {usk}_{i^{\prime }}]\geq \frac {1}{2}\). Let \(\mathbf {z}=\mathbf {usk}_{i^{*}}\mathbf {usk}_{i^{\prime }}\), then z≠0 and Az=0 mod q, so, the algorithm \(\mathcal {B}\) could solve the problem ring\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with nonnegligible probability. □
Theorem 7
Suppose that the ring\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is difficult, then the scheme in this paper is traceable in RO model.
Proof
To finish the proof, we give the following game firstly:
If there is a negligible function negl(λ), such that \(\Pr \left [\mathbf {Exp}_{FDGS,\mathcal {A}}^{trace}(\lambda)\right ]=1\leq negl(\lambda)\), then we say that the scheme is traceable. In other words, If the adversary \(\mathcal {A}\) wins the game above, the signature generated by \(\mathcal {A}\) is legitimate and it was traced to a revoked user or a legitimate user without a valid proof Π_{trace} to it, and next, we will explain that the probability of the fact that the adversary \(\mathcal {A}\) wins the game above is negligible.
Let (info_{τ},M,Σ) be a forged information by the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGS,\mathcal {A}}^{trace}(\lambda)\), then the challenger could extract the identity (bin(i),Π_{trace}) by running the algorithm Trace. Decompose the signature Σ into \((\Pi _{sign},\mathbf {c}^{\prime }_{1},\mathbf {c}^{\prime }_{2})\), where \(\Pi _{sign}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), for (info_{τ},M,Σ) is a legitimate signature, so \(\{RSP_{j}\}_{j=1}^{k^{\prime }}\) are valid responds to \(\{CMT_{j}\}_{j=1}^{k^{\prime }},CH\). Then we could extract a witness \(\zeta ^{\prime }=\left (\mathbf {usk}_{i^{\prime }},\mathbf {upk}_{i^{\prime }},w^{\prime }_{\tau },\mathbf {r}^{\prime }_{1},\mathbf {r}^{\prime }_{2}\right)\), which is similar to the property of unforgeability, where \(w^{\prime }_{\tau }=\left (\mathbf {bin}(i^{\prime }),\mathbf {w}^{\prime }_{l,\tau },\cdots,\mathbf {w}^{\prime }_{1,\tau }\right)\in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for ∀b∈{1,2},∀j∈{0,l−1}, we have
What we can learn from the correctness of the encryption scheme is that the ciphertext \(\mathbf {c}^{\prime }_{1}\) could be decrypted to \(\mathbf {upk}_{i^{\prime }}\), and we can learn from the correctness of the algorithm Trace that upk_{i} is the plaintext obtained from the ciphertext \(\mathbf {c}^{\prime }_{1}\), so \(\mathbf {upk}_{i}=\mathbf {upk}_{i^{\prime }}\) with overwhelming probability, and the probability that a valid signature be traced to a revoked user is negligible. In fact, we can learn from the security of Merkle hash tree that the probability that the valid signature above be traced to a revoked user with a valid proof Π_{trace} is negligible. Because of the fact that the challenger has the legitimate witness to generate a valid proof Π_{trace}, and we can learn from the perfect completeness of the protocol that generates Π_{trace} that the algorithm Judge would accepts Π_{trace} with probability 1. In conclusion, the scheme in this paper is traceable. □
Theorem 8
The scheme in this paper satisfies the property of tracing soundness in RO model.
Proof
To finish the proof, we give the following game firstly:
Suppose that the information \(\phantom {\dot {i}\!}(M,\Sigma,i_{0},\Pi _{trace,i_{0}},i_{1}, \Pi _{trace,i_{1}},\mathbf {info}_{\tau })\) is the output of the adversary \(\mathcal {A}\) in this game, if the game \(\mathbf {Exp}_{FDGS,\mathcal {A}}^{tracesound}(\lambda)\) outputs 1 finally, i.e. \(\mathbf {Judge}(gpk,\mathbf {upk}_{i_{b}},\mathbf {info}_{\tau }, \Pi _{trace},M,\Sigma)=1, i_{0}\not =i_{1}\not =\perp, \mathbf {Verify}(gpk,\mathbf {info}_{\tau },M,\Sigma)=1\), then we say that \(\mathcal {A}\) wins. Given a transcript \(\Pi _{trace}=\left (\{CMT_{j}\}_{j=1}^{k^{\prime }},CH,\{RSP_{j}\}_{j=1}^{k^{\prime }}\right)\), the fact that the algorithm Judge outputs 1 indicates that \(\{RSP_{j}\}_{j=1}^{k^{\prime }}\) are legitimate responds to \(\{CMT_{j}\}_{j=1}^{k^{\prime }},CH\). For any b∈{0,1}, it is similarly to the property of unforgeability, we could extract S_{1,b},E_{1,b},y_{b}, such that
then we have
Suppose that \(\mathbf {upk}_{i_{1}}\not =\mathbf {upk}_{i_{0}}\), so \(\\left \lfloor \frac {q}{2}\right \rfloor \cdot (\mathbf {upk}_{i_{1}}\mathbf {upk}_{i_{0}})\_{\infty }=\left \lfloor \frac {q}{2}\right \rfloor, \\mathbf {y}_{1}\mathbf {y}_{0}\_{\infty }\leq 2\cdot \left \lceil \frac {q}{5}\right \rceil \), and
then \(\mathbf {S}_{1,0}^{\top }\not =\mathbf {S}_{1,1}^{\top }\), we obtained two different solutions of the function \(\mathbf {S}_{1}^{\top }\cdot \mathbf {B}+E_{1}=P_{1}\mod q\), which is contradictory to the fact that there is at most one solution to the ring\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) sample (B,P_{1}). So, \(\mathbf {upk}_{i_{1}}=\mathbf {upk}_{i_{0}}\) with overwhelming probability. In other words, the probability of the fact that \(\mathcal {A}\) wins is negligible, so the scheme in this paper satisfies the property of tracing soundness. □
Conclusion
In this paper, we give the first ring based full dynamic group signature scheme, and improve the efficiency of it mainly from the following three aspects: the size of public/secret keys, the dynamic construction of the Merkle hash tree, and the reuse of its leaves. These changes help to reduce the computational complexity and space complexity by leaps and bounds. In addition, we avoid the adverse condition where the group managers generate their keys maliciously. Though we have tried a lot, there is still a large space for improvement in the use of zeroknowledge proof, and the problem of the delayed verification of a signature is also not solved. Next, we would like to focus on the two problems and do some correlative works.
Availability of data and materials
Not applicable.
References
An Efficient Protocol for Anonymously Providing Assurance of the Container of a Private Key. https://www.researchgate.net/publication/243775241. Accessed 2004.
Ateniese, G, Camenisch J, Joye M, Tsudik G (2000) A practical and provably secure coalitionresistant group signature scheme. In: Bellare M (ed)Proceedings of Conference CRYPTO: 2024 August 2000; California, 255–270.. Springer, Beilin Heidelberg.
Bellare, M, Shi HX, Zhang C (2005) Foundations of group signatures: the case of dynamic groups. In: Menezes A (ed)Proceedings of Conference CTRSA: 1418 February 2005; San Francisco, 136–153.. Springer, Beilin Heidelberg.
Bichsel, P, Camenisch J, Neven G, Smart NP, Warinschi B (2010) Get shorty via group signatures without encryption. In: Garay JA Prisco RD (eds)Proceedings of Conference SCN: 1315 September 2010; Amalfi, 381–398.. Springer, Beilin Heidelberg.
Boneh, D, Boyen X, Shacham H (2004) Short group signatures. In: Franklin M (ed)Proceedings of Conference CRYPTO: 1519 August 2004; California, 41–55.. Springer, Beilin Heidelberg.
Boneh, D, Shacham H (2004) Group signatures with verifierlocal revocation In: Proceedings of Conference CCS: 2529 October 2004; Washington DC, 168–177.. ACM DL.
Bootle, J, Cerulli A, Chaidos P, Ghadafi E, Groth J (2016) Foundations of fully dynamic group signatures. In: Manulis M, Sadeghi AR, Schneider S (eds)Proceedings of Conference ACNS: 1922 June 2016; Guildford, 117–136.. Springer, Beilin Heidelberg.
Boyen, X, Waters B (2006) Compact group signatures without random oracles. In: Vaudenay S (ed)Proceedings of Conference EUROCRYPT: 28 May1 June 2006; St.Petersburg, 427–444.. Springer, Beilin Heidelberg.
Boyen, X, Waters B (2007) Fulldomain subgroup hiding and constantsize group signatures. In: Okamoto T Wang XT (eds)Proceedings of Conference PKC: 1620 April 2007; Beijing, 1–15.. Springer, Beilin Heidelberg.
Bresson, E, Stern J (2001) Efficient revocation in group signatures. In: Kim K (ed)Proceedings of Conference PKC: 1315 February 2001; Cheju Island, 190–206.. Springer, Beilin Heidelberg.
Brickell, E, Pointcheval D, Vaudenay S, Yung M (2000) Design validations for discrete logarithm based signature schemes. In: Imai H Zheng YL (eds)Proceedings of Conference PKC: 1820 January 2000; Melbourne, 276–292.. Springer, Beilin Heidelberg.
Camenisch, J, Groth J (2004) Group signatures: better efficiency and new theoretical aspects. In: Blundo C Cimato S (eds)Proceedings of Conference SCN: 810 September 2004; Amalfi, 120–133.. Springer, Beilin Heidelberg.
Camenisch, J, Lysyanskaya A (2002) Dynamic accumulators and application to efficient revocation of anonymous credentials. In: Yung M (ed)Proceedings of Conference CRYPTO: 1822 August 2002; California, 61–76.. Springer, Beilin Heidelberg.
Camenisch, J, Lysyanskaya A (2004) Signature schemes and anonymous credentials from bilinear maps. In: Franklin M (ed)Proceedings of Conference CRYPTO: 1519 August 2004; California, 56–72.. Springer, Beilin Heidelberg.
Camenisch, J, Michels M (1998) A group signature scheme with improved efficiency. In: Ohta K Pei DY (eds)Proceedings of Conference ASIACRYPT: 1822 October 1998; Beijing, 160–174.. Springer, Beilin Heidelberg.
Camenisch, J, Stadler M (1997) Efficient group signature schemes for large groups (extended abstract). In: KaliskiJr BS (ed)Proceedings of Conference CRYPTO: 1721 August 1997; California, 410–424.. Springer, Beilin Heidelberg.
Camenisch, J, Neven G, Rückert M (2012) Fully anonymous attribute tokens from lattices. In: Visconti I Prisco RD (eds)Proceedings of Conference SCN: 57 September 2012; Amalfi, 57–75.. Springer, Beilin Heidelberg.
Chaum, D, van Heyst EV (1991) Group signatures. In: Davies DW (ed)Proceedings of Conference EUROCRYPT: 811 April 1991; Brighton, 257–265.. Springer, Beilin Heidelberg.
Chen, L, Pedersen TP (1994) New group signature schemes. In: Santis AD (ed)Proceedings of Conference EUROCRYPT: 912 May 1994; Perugia, 171–181.. Springer, Beilin Heidelberg.
Delerablée, C, Pointcheval D (2006) Dynamic fully anonymous short group signatures. In: Nguyen PQ (ed)Proceedings of Conference VIETCRYPT: 2528 September 2006; Hanoi, 193–210.. Springer, Beilin Heidelberg.
Dodis, Y, Kiayias A, Nicolosi A, Shoup V (2004) Anonymous identification in ad hoc groups. In: Cachin C Camenisch JL (eds)Proceedings of Conference EUROCRYPT: 26 May 2004; Interlaken, 609–626.. Springer, Beilin Heidelberg.
Furukawa, J, Imai H (2005) An efficient group signature scheme from bilinear maps. IEICE Trans Fundam Electron Commun Comput Sci E89A:1328–1338.
Furukawa, J, Yonezawa S (2004) Group signatures with separate and distributed authorities. In: Blundo C Cimato S (eds)Proceedings of Conference SCN: 810 September 2004; Amalfi, 77–90.. Springer, Beilin Heidelberg.
Gentry, C, Peikert C, Vaikuntanathan V (2008) Trapdoors for hard lattices and new cryptographic constructions In: Proceedings of Conference STOC: 1720 May 2008; Victoria, 197–206.. ACM DL.
Gordon, SD, Katz J, Vaikuntanathan V (2010) A group signature scheme from lattice assumptions. In: Abe M (ed)Proceedings of Conference ASIACRYPT: 59 December 2010; Singapore, 395–412.. Springer, Beilin Heidelberg.
Groth, J (2006) Simulationsound nizk proofs for a practical language and constant size group signatures. In: Lai XJ Chen KF (eds)Proceedings of Conference ASIACRYPT: 37 December 2006; Shanghai, 444–459.. Springer, Beilin Heidelberg.
Groth, J (2007) Fully anonymous group signatures without random oracles. In: Kurosawa K (ed)Proceedings of Conference ASIACRYPT: 26 December 2007; Kuching, 164–180.. Springer, Beilin Heidelberg.
Kawachi, A, Tanaka K, Xagawa K (2008) Concurrently secure identification schemes based on the worstcase hardness of lattice problems. In: Pieprzyk J (ed)Proceedings of Conference ASIACRYPT: 711 December 2008; Singapore, 372–389.. Springer, Beilin Heidelberg.
Kiayias, A, Yung M (2006) Secure scalable group signature with dynamic joins and separable authorities. Secur Netw 1:24–45.
Laguillaumie, F, Langlois A, Libert B, Stehlé D (2013) Latticebased group signatures with logarithmic signature size. In: Sako K Sarkar P (eds)Proceedings of Conference ASIACRYPT: 15 December 2013; Bengaluru, 41–61.. Springer, Beilin Heidelberg.
Langlois, A, Ling S, Nguyen K, Wang H (2014) Latticebased group signature scheme with verifierlocal revocation. In: Krawczyk H (ed)Proceedings of Conference PKC: 2628 March 2014; Buenos, 345–361.. Springer, Beilin Heidelberg.
Libert, B, Ling S, Mouhartem F, Nguyen K, Wang H (2016a) Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon JH Takagi T (eds)Proceedings of Conference ASIACRYPT: 48 December 2016; Hanoi, 373–403.. Springer, Beilin Heidelberg.
Libert, B, Ling S, Nguyen K, Wang H (2016b) Zeroknowledge arguments for latticebased accumulators: logarithmicsize ring signatures and group signatures without trapdoors. In: Fischlin M Coron JS (eds)Proceedings of Conference EUROCRYPT: 812 May 2016; Vienna, 1–31.. Springer, Beilin Heidelberg.
Libert, B, Peters T, Yung M (2012a) Group signatures with almostforfree revocation. In: Naini RS Canetti R (eds)Proceedings of Conference CRYPTO: 1923 August 2012; Santa Barbara, 571–589.. Springer, Beilin Heidelberg.
Libert, B, Peters T, Yung M (2012b) Scalable group signatures with revocation. In: Pointcheval D Johansson T (eds)Proceedings of Conference EUROCRYPT: 1519 April 2012; Cambridge, 609–627.. Springer, Beilin Heidelberg.
Libert, B, Vergnaud D (2009) Group signatures with verifierlocal revocation and backward unlinkability in the standard model. In: Garay JA, Miyaji A, Otsuka A (eds)Proceedings of Conference CANS: 1214 December 2009; Kanazawa, 498–517.. Springer, Beilin Heidelberg.
Ling, S, Nguyen K, Wang HX (2015) Group signatures from lattices: simpler, tighter, shorter, ringbased. In: Katz J (ed)Proceedings of Conference PKC: 30 March1 April 2015; Gaithersburg, 427–449.. Springer, Beilin Heidelberg.
Ling, S, Nguyen K, Wang H, Xu Y (2017) Latticebased group signatures: achieving full dynamicity with ease. In: Gollmann D, Miyaji A, Kikuchi H (eds)Proceedings of Conference ACNS: 1012 July 2017; Kanazawa, 293–312.. Springer, Beilin Heidelberg.
Lyubashevsky, V (2008) Latticebased identification schemes secure under active attacks. In: Cramer R (ed)Proceedings of Conference PKC: 912 March 2008; Barcelona, 162–179.. Springer, Beilin Heidelberg.
Lyubashevsky, V (2012) Lattice signatures without trapdoors. In: Pointcheval D Johansson T (eds)Proceedings of Conference EUROCRYPT: 1519 April 2012; Cambridge, 738–755.. Springer, Beilin Heidelberg.
Lyubashevsky, V, Micciancio D (2006) Generalized compact knapsacks are collision resistant. In: Bugliesi M, Preneel B, Sassone V, Wegener I (eds)Proceedings of Conference ICALP: 1014 July 2006; Venice, 144–155.. Springer, Beilin Heidelberg.
Lyubashevsky, V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Gilbert H (ed)Proceedings of Conference EUROCRYPT: 30 May3 June 2010; Riviera, 1–23.. Springer, Beilin Heidelberg.
Lyubashevsky, V, Peikert C, Regev O (2013) A toolkit for ringlwe cryptography. In: Johansson T Nguyen PQ (eds)Proceedings of Conference EUROCRYPT: 2630 May 2013; Athens, 35–54.. Springer, Beilin Heidelberg.
Nakanishi, T, Funabiki N (2005) Verifierlocal revocation group signature schemes with backward unlinkability from bilinear maps. In: Roy B (ed)Proceedings of Conference ASIACRYPT: 48 December 2005; Chennai, 533–548.. Springer, Beilin Heidelberg.
Nakanishi, T, Fujii H, Hira Y, Funabiki N (2009) Revocable group signature schemes with constant costs for signing and verifying. In: Jarecki S Tsudik G (eds)Proceedings of Conference PKC: 1820 March 2009; Irvine, 463–480.. Springer, Beilin Heidelberg.
Naor, D, Naor M, Lotspiech J (2001) Revocation and tracing schemes for stateless receivers. In: Kilian J (ed)Proceedings of Conference CRYPTO: 1923 August 2001; Santa Barbara, 41–62.. Springer, Beilin Heidelberg.
Naor, M, Yung M (1990) Publickey cryptosystems provably secure against chosen ciphertext attacks In: Proceedings of Conference STOC: 1990; Baltimore, 427–437.. ACM DL.
Nguyen, L (2005) Accumulators from bilinear pairings and applications. In: Menezes A (ed)Proceedings of Conference CTRSA: 1418 February 2005; San Francisco, 275–292.. Springer, Beilin Heidelberg.
Nguyen, L, Naini RS (2004) Efficient and provably secure trapdoorfree group signature schemes from bilinear pairings. In: Lee PJ (ed)Proceedings of Conference ASIACRYPT: 59 December 2004; Jeju Island, 372–386.. Springer, Beilin Heidelberg.
Nguyen, PQ, Zhang J, Zhang Z (2015) Simpler efficient group signatures from lattices. In: Katz J (ed)Proceedings of Conference PKC: 30 March1 April 2015; Gaithersburg, 401–426.. Springer, Beilin Heidelberg.
Peikert, C (2016) A decade of lattice cryptography. Found Trends Theor Comput Sci 10:283–424.
Peikert, C, Rosen A (2006) Efficient collisionresistant hashing from worstcase assumptions on cyclic lattices. In: Halevi S Rabin T (eds)Proceedings of Conference TCC: 47 March 2006; New York, 145–166.. Springer, Beilin Heidelberg.
Peikert, C, Rosen A (2007) Lattices that admit logarithmic worstcase to averagecase connection factors In: Proceedings of Conference STOC: 1113 June 2007; San Diego, 478–487.. ACM DL, Beilin Heidelberg.
Pointcheval, D, Stern J (2000) Security arguments for digital signatures and blind signatures. Cryptology 13:361–396.
Practical Group Signatures Without Random Oracles. http://citeseerx.ist.psu.edu/viewdoc. Accessed 2005.
Regev, O (2009) On lattices, learning with errors, random linear codes, and cryptography. J ACM 56:1–40.
Sakai, Y, Schuldt JCN, Emura K, Hanaoka G, Ohta K (2012) On the security of dynamic group signatures: preventing signature hijacking. In: Fischlin M, Buchmann J, Manulis M (eds)Proceedings of Conference PKC: 2123 May 2012; Darmstadt, 715–732.. Springer, Beilin Heidelberg.
Signing on Elements in Bilinear Groups for Modular Protocol Design. https://eprint.iacr.org/2010/133.pdf. Accessed 2010.
Song, DX (2001) Practical forward secure group signature schemes In: Proceedings of Conference CCS: 58 November 2001; Philadelphia, 225–234.. ACM DL.
Stern, J (1996) A new paradigm for public key identification. IEEE Trans Inf Theory 42:1757–1768.
Acknowledgements
Not applicable.
Funding
This work was supported by National Natural Science Foundation of China (Grant No. 61379141 and No. 61772521), Key Research Program of Frontier Sciences, CAS (Grant No. QYZDBSSWSYS035), and the Open Project Program of the State Key Laboratory of Cryptology.
Author information
Affiliations
Contributions
The first author conceived the idea of the study and wrote the paper; all authors discussed the results and revised the final manuscript. All authors read and approved the final manuscript.
Corresponding author
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.
About this article
Cite this article
Sun, Y., Liu, Y. & Wu, B. An efficient full dynamic group signature scheme over ring. Cybersecur 2, 21 (2019). https://doi.org/10.1186/s4240001900378
Received:
Accepted:
Published:
Keywords
 Group signature
 Dynamic
 Merkle Tree
 RingLWE