An efficient fully dynamic group signature with message dependent opening from lattice

Sun, Yiru; Liu, Yanyan

doi:10.1186/s42400-021-00076-8

Research
Open access
Published: 03 May 2021

An efficient fully dynamic group signature with message dependent opening from lattice

Cybersecurity volume 4, Article number: 15 (2021) Cite this article

2348 Accesses
6 Citations
Metrics details

Abstract

Message-dependent opening is one of the solutions to solve the problem of the tracing manager owns excessive power. In this paper, we present a new lattice-based fully dynamic group signature scheme with message-dependent opening by combining an improved version of the fully dynamic group signature scheme proposed by Ling et al and the double encryption paradigm. In addition, we propose an improved underlying zero knowledge protocol, it has a soundness error $\frac {1}{\max (n,p)+1}$ that is better than the Stern-like protocol, which helps to bring down the communication complexity of the protocol and hence the signature scheme. Our scheme constrains the power of group managers by adding an admitter, and the signature size has a logarithmic relationship with the group size.

Introduction

Related work

Since the concept of group signature was proposed in Chaum and van Heyst (1991), it has become an important primitive to realize anonymous authentication. Group signature allows members in a group to sign messages on behalf of the group without revealing any information of the signer’s identity. At the same time, the signature could be traced to the signer when it is in dispute. In other words, there is an authority in the scheme called trace manager GM_trace who can de-anonymize the signature and trace it to the specific signer. But in many scenarios, GM_trace is given too much power as it can open all signatures whether the signer is valid or not. To solve this problem, there is an extension of the group signature in Sakai et al. (2012) to balance the traceability and privacy, it is called group signature scheme with message-dependent opening (GS-MDO). In the GS-MDO system, there is another participant named admitter, and the trace manager GM_trace could open one signature only when he work with the admitter. To open a signature Σ of message M, the admitter generates a token t_M with respect to M using its secret key firstly, and sends t_M to the trace manager GM_trace, then GM_trace uses its secret key and t_M to open the signature. That is, the trace manager GM_trace can only open the signatures of messages specified by admitter. Subsequently, many other GS-MDO schemes were proposed based on different assumptions, such as decision linear (DLIN) (Sakai et al. 2012), strong Diffie-Hellman (Ohara et al. 2013), Decision 3-party Diffie-Hellman (D3DH) (Libert and Joye 2014), learning with error (LWE) and small integer solution (SIS) (Libert et al. 2016).

Lattice-based cryptography has attracted a lot of attention for its simple arithmetic operations and potential ability to resist quantum attack. However, compared with other non-lattice based cryptographic schemes, such as DDH, factoring, et al, the efficiency of lattice-based cryptographic schemes have not been solved well. The first lattice-based static group signature scheme is given in Gordon et al. (2010), its security is proven in RO model, and there is a linear relationship between signature size and group size N. Subsequently, the signature size was lowered up to O(logN) by different manners (Laguillaumie et al. 2013;Ling et al. 2015), such as bonsai tree (Langlois et al. 2014), Merkle hash tree (Libert et al. 2016) and lattice-based accumulators (Ling et al. 2017). In order to further satisfy the requirements of real applications, it is possible to realize the dynamic registration and revocation of users efficiently (Ling et al. 2017) by combining the static group signature scheme inLibert et al. (2016) with the security model in Bootle et al. (2016). It includes an update algorithm in accumulator that is constructed based on hash Merkle tree, and both the security and the signature size were improved compared with the scheme in Libert et al. (2016). However, the schemes above all follow encryption-then-proof pattern, and rely heavily on zero-knowledge protocol in the proof process, which limits the improvement of efficiency and security. In order to break this bottleneck, there are currently two research lines: one is to try to remove the zero-knowledge proof protocol from the construction of group signature schemes, which is the research content in Katsumata and Yamada (2019). In other words, a lattice-based static group signature scheme without NIZK was proposed in Katsumata and Yamada (2019), and it is proved secure under the standard model. There is a natural idea: whether it is possible to construct a lattice-based fully dynamic group signature scheme that is provably secure under the standard model? To solve this problem, we tried to propose a construction in Sun and Liu (2020) and proved it to be secure under the standard model. The other is to improve the efficiency of zero-knowledge proof (Beullens 2020) and try to apply it to the construction of group signature schemes under the RO model. Our work in this paper gives a positive solution of the latter.

Our contribution

In this paper, we give a new fully dynamic group signature scheme over ring with message-dependent opening (FDGS-MDO) by combining an improved version of the fully dynamic group signature scheme in Ling et al. (2017) and the double encryption paradigm (Canetti et al. 2004), which uses our following zero knowledge proof of knowledge as a underlying protocol. Compared with the scheme in Sun et al. (2019), our scheme realizes the weaken of GM_trace’s power by adding another participant: admitter. Concretely, the admitter could generate tokens with respect to messages by using its secret key such that the trace manager can only open signatures of messages specified by the admitter. And we also give an improved zero knowledge proof of knowledge that has smaller soundness error than Stern-like protocol, and we use it as the underlying protocol to improves the efficiency of the scheme in Sun et al. (2019).

We give the specific construction and security analysis of our zero knowledge proof of knowledge, which partially realizes the optimization idea in Beullens (2020). In Beullens (2020), it is necessary to transform an instance of SIS problem into an instance of the permuted kernel problem (PKP) firstly, and then prove its knowledge by using a Σ - protocol for latter, while in our work, we omit this transformation operation. In addition, in order to reduce the communication complexity of our underlying protocol, the prover does not need to send all commitments $\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}$ and {com_i}_i∈[n] to the verifier in the first round of our protocol. We build two Merkle hash trees with the commitments $\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}$ and {com_i}_i∈[n] as leaves respectively, and send the roots u and $\hat {\mathbf {u}}$ of the two trees to the verifier. In the third round of the protocol, the prover needs to send some additional messages to the verifier: the commitments com_I,com_Ich for challenge (I,ch) and the witnesses w_I,w_Ich that needed to recompute the roots. The verifier need to check that whether the roots $\mathbf {u}', \hat {\mathbf {u}}'$ he recomputes are consistent with $\mathbf {u}, \hat {\mathbf {u}}$ received in the first round. Our protocol has a soundness error $\frac {1}{\max (n,p)+1}$, which is better than the soundness error $\frac {2}{3}$ of the Stern-like protocol. Given a security parameter λ, our protocol need to be executed $k'=\frac {\lambda }{\log (\max (n,p)+1)}$ times sequentially to realize a negligible soundness error 2^−λ, while the Stern-like need to be performed Θ(λ) times sequentially. So our protocol satisfies stronger soundness and it effectively reduce the communication complexity of the protocol, thus bring to the group signature scheme the stronger security property and smaller signature size.

In the remainder of this paper, we start by reviewing some definitions, theorems used in the scheme, and the dynamic algorithm to construct the Merkle hash tree in “Preliminaries” section. In “Syntax and security of fully dynamic group signature with message dependent opening” section, we present the syntax of the fully dynamic group signature scheme with message dependent opening. And the detailed construction of the scheme and its security analysis are presented in “The lattice-based dynamic group signature scheme with message-dependent opening” section. Finally, we present the underlying zero knowledge protocol and its security analysis in “The improved zero-knowledge protocol of knowledge” section, and conclusion in “Conclusion” section.

Preliminaries

The background of lattice

In this section, we will review some notations, definitions and theorems used for analysing our main results. Throughout this paper, set the security parameter λ, positive integer n=O(λ),p=O(λ), prime modules $q=\tilde {O}(n^{1.5}), k=n\lceil \log q\rceil, m=2k$, and $R=\mathbb {Z}[x]/f(x), f(x)=x^{n}+1, R_{q}=R/qR$, given vectors x=(x₁,⋯,x_m),z=(z₁,⋯,z_m), integer t, then $\|\mathbf {x}\|_{t}=\left (\sum _{i=1}^{m} {|x_{i}|}^{t}\right)^{\frac {1}{t}}$ denotes its t-norm, (x|z) is a concatenation of the two vectors.

Definition 1

(The ring-SVP and ring-SIVP) (Lyubashevsky et al. 2013) Given a ring R, let γ≥1, then the ring- SVP_γ problem is: given the ideal lattice $\mathcal {I}$ over R, find out a non-zero short vector $\mathbf {x}\in \mathcal {I}$, such that $\|\mathbf {x}\|_{\infty }\leq \gamma \cdot \lambda _{1}(\mathcal {I})$. And the ring- SIVP_γ problem could be defined similarly: find out n independent elements (x₁,⋯,x_n) in $\mathcal {I}$, such that $\|(\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\|_{\infty }\leq \gamma \cdot \lambda _{n}(\mathcal {I})$.

Definition 2

(The ring-$\mathbf {SIS}^{\infty }_{n,m,q,\beta }$) (Ling et al. 2015;Peikert 2016)Choose m elements $a_{j}\overset {\$}{\leftarrow }R_{q}$ uniformly, let random vector $\mathbf {A}=(a_{1},\cdots,a_{m})\in R_{q}^{m}$, positive real number β=poly(n), find out a non-zero short vector $\mathbf {z}=(z_{1},\cdots,z_{m})\in R^{m}_{q}, \|\mathbf {z}\|_{\infty }\leq \beta $, such that

$$ f_{\mathbf{A}}(\mathbf{z})=\langle \mathbf{A},\mathbf{z}\rangle=\mathbf{A}^{\top}\cdot \mathbf{z}=\sum_{j} a_{j}\cdot z_{j}=0\in R_{q} $$

Numerous studies (Lyubashevsky and Micciancio 2006;Peikert and Rosen 2006;Peikert and Rosen 2007;Lyubashevsky 2008;Lyubashevsky 2012) have shown that if f(x) is irreducible polynomial with integer coefficients, $m>\frac {\log q}{\log (2\beta)}, \gamma =16mn\log ^{2} n, q\geq \frac {\gamma \sqrt {n}}{4\log n}$, then the problem ring-$\mathbf {SIS}^{\infty }_{n,m,q,\beta }$ is at least as difficult as the problem ring-$\mathbf {SVP}^{\infty }_{\gamma }$ over $\mathcal {I}$.

Definition 3

(The ring- LWE distribution) (Peikert 2016)For secret element $s\in R_{q}, \mathcal {X}$ is the noise distribution in R_q with bound β, choose $a\overset {\$}{\leftarrow } R_{q}, e\overset {\$}{\leftarrow }\mathcal {X}$ uniformly, then $A_{s,\mathcal {X}}=(a,b=s\cdot a+e\mod q)$ is called the ring- LWE distribution in R_q×R_q.

Definition 4

(The decision ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$) (Lyubashevsky et al. 2010;Peikert 2016) Let n,m≥1,q≥2, given m samples (a_j,b_j)∈R_q×R_q, which are sampled from one of the two distributions: $A_{s,\mathcal {X}}$ and the uniform distribution in R_q×R_q, then the decision ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ is to distinguish which one the samples are from.

Theorem 1

(Lyubashevsky et al. 2010)Let $q=1\mod 2n, \beta \geq \omega (\sqrt {n\log n}), \gamma =n^{2}(q/\beta)(nm/ \log (nm))^{1/4}$, then there is an error distribution $\mathcal {X}$ with bound β, such that the problem ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ is at least as difficult as the problem ring-$\mathbf {SVP}^{\infty }_{\gamma }$ over $\mathcal {I}$.

The sigma protocol

Definition 5

(The Σ-protocol) (Hazay and Lindell 2010)Given an NP relation R=(x,w)∈{0,1}^∗×{0,1}^∗, a two party interactive protocol 〈P,V〉 is called Σ-protocol for relation R if it is a three-round public-coin protocol and satisfies the following requirements:

Completeness: For (x,w)∈R, if both prover P and verifier V follow this protocol, then Pr[〈P(x,w),V(x)〉=1]=1.

2-Special soundness: For any statement x, if there is an adversary $\mathcal {A}$ that outputs with noticeable probability a pair of accepting transcripts (a,e,z) and (a,e^′,z^′) with e≠e^′, then one can extract a witness w such that (x,w)∈R.

Special honest verifier zero knowledge: For (x,w)∈R, there is a PPT simulator $\mathcal {S}$ that given the statement x and a random challenge e outputs a transcript (a,e,z) that is indistinguishable from the probability distribution of transcripts of honest executions of the protocol on input (x,w)∈R, i.e. $\mathcal {S}(x,e)\approx \langle P(x,w),V(x,e)\rangle $.

The zero-knowledge protocol used in this paper satisfies completeness, max(n,p)+1-special soundness and special honest-verifier zero knowledge, which depends heavily on the security (statistical hiding and computing binding) of the commitment scheme that used as a submodule in our zero-knowledge protocol. The detailed construction of our protocol and its security proof is given in “The improved zero-knowledge protocol of knowledge” section.

The dynamic algorithm of constructing lattice-based Merkle hash tree

The security of Merkle tree used in Sun et al. (2019) and here are all based on the collision-resistant hash functions, whereas the size and depth of the former are fixed, and that of the latter increase with the registration of users. For any t∈ R_q,bin(t)∈{0,1}^k is its binary representation, let

$$ \begin{aligned} \mathbf{G}= \left[ \begin{array}{ccc} 1,2,4,\cdots,2^{\lceil\log q\rceil-1} & & \\ & \cdots & \\ & & 1,2,4,\cdots,2^{\lceil\log q\rceil-1}\\ \end{array} \right]\in \mathbb{Z}^{n\times k}_{q} \end{aligned} $$

(1)

then t=G·bin(t). let $\mathcal {H}=\{h_{\mathbf {A}}|\mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}\}, h_{\mathbf {A}}:\{0,1\}^{k}\times \{0,1\}^{k}\rightarrow \{0,1\}^{k}$ is collision-resistant hash functions based on the ring- SIS problem, where $\mathbf {A}=[\mathbf {A}_{0}|\mathbf {A}_{1}]\in R_{q}^{m}, \mathbf {A}_{0},\mathbf {A}_{1}\overset {\$}{\leftarrow } R_{q}^{k}$ is an instance of the ring- SIS_m,q,1 problem, for arbitrary (u₀,u₁)∈{0,1}^k×{0,1}^k, we have

$$h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{bin}(\mathbf{A}_{0}\cdot\mathbf{u}_{0}+\mathbf{A}_{1}\cdot\mathbf{u}_{1}\mod q)\in\{0,1\}^{k} $$

so the following equivalent relationship is true,

$$h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{u} \Leftrightarrow \mathbf{A}_{0}\cdot \mathbf{u}_{0}+\mathbf{A}_{1}\cdot \mathbf{u}_{1}=\mathbf{G}\cdot \mathbf{u} \mod q $$

Suppose that there is an PPT adversary who can give two different u≠u^′ such that h_A(u)=h_A(u^′), then we have Au mod q=Au^′ mod q, i.e. A(u−u^′)=0 mod q. Since u≠u^′,u−u^′≠0,∥u−u^′∥_∞≤1, then u−u^′ is a solution to the ring- SIS_m,q,1 problem.

Let $\mathcal {H}=\{h_{\mathbf {A}}|\mathbf {A}\in R_{q}^{m}\}$, then we give the following specific description of the dynamic updating algorithm TDA(t,d^∗) to construct and update the Merkle tree that is used to record the registered users and partial group information in this paper: TSetup: Initialize the Merkle tree as a tree with depth 1, the value of leaves are 0, and its root is u. Let t denote the number of legal members in the group. TJoin: Search for the first leaf with value 0 in all leaves, and assume that its index is i≤t. Include a tree of depth j=⌈logt⌉ where all leaves are 0 into the original one if there is not a such leaf. And take its root u^′ and the root u of the original tree as two inputs of the hash function to compute a new root u_new=h_A(u,u^′) of the new Merkle tree. And for any i∈[2^j+1], we have |bin(i)|=j+1. TUpdate: Let u_j+1=d^∗ denote the value of the leaf corresponding to the ith user, bin(i−1)=(i₁,⋯,i_j+1) is the binary description of integer i−1, its witness is w=(bin(i−1),(w_j+1,⋯,w₁)). Update the value of notes recursively in the path u_j,⋯,u₀ from the leaf u_j+1 to root u, then output the witness w, a new root u_new, where w_j+1,⋯,w₁ and u_j,⋯,u₀ satisfy the following relationship

$$ \forall l\in\{j,\cdots,1,0\}, \mathbf{u}_{l}=\left\{ \begin{array}{lcr} h_{\mathbf{A}}(\mathbf{u}_{l+1},\mathbf{w}_{l+1}), & \text{if}\ i_{l+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{l+1},\mathbf{u}_{l+1}), & \text{if}\ i_{l+1}=1 \end{array}\right. $$

(2)

Let u_new=u₀ be the new root of the Merkle tree.

Given the variable t, the computational complexity of algorithm TUpdate(t,d^∗) is O(logt), and it satisfies the following property

Theorem 2

Suppose that the problem ring-$\mathbf {SIS}^{\infty }_{m,q,\beta }$ is difficult, let R^′={d₀,⋯,d_t} be the set of the leaves related to users who have been registered, then the algorithm TDA(t,d^∗) is secure. And given a negligible function negl(λ), for any PPT adversary $\mathcal {A}$, the following inequality is true

$$ \Pr[(\mathbf{d}^{*},\mathbf{w}^{*})\leftarrow \mathcal{A}(R',t):\mathbf{d}^{*}\notin R',\mathbf{u}=\mathbf{u}_{0}]\leq negl(\lambda) $$

Syntax and security of fully dynamic group signature with message dependent opening

Different from the general group signature scheme, there are four participants in a fully dynamic group signature scheme with message-dependent opening(FDGS-MDO): The group manager(GM _update): Who is responsible to update the group information and the registration and revocation of users. The admitter(AM): who is responsible to generate a token t_M that specifies the signatures associated with message M would be opened. The trace manager(GM _trace): Given a signature and token t_M, GM _trace is responsible to trace the identity of signer when there is a dispute. The users: Who are usually appeared as a signer to sign messages or a verifier to verify signatures.

The definition of FDGS-MDO

A fully dynamic group signature scheme with message-dependent opening consists of the following polynomial-time algorithms: GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): On input the security parameter λ, this algorithm outputs the public parameter pp, group public key gpk=(pp,mpk,opk), and the group secret key msk of GM _update, the tracing secret key osk of GM _trace and the secret key tsk of AM. GM _update initializes the registration list reg and the group information info as ∅, and we assume that they can only be edited by a party knowing msk. UKeyGen(pp)→(upk,usk): Given the public parameter pp, this algorithm outputs a user’s key pair (upk,usk). 〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: This algorithm is an interactive protocol between a user and the group manager GM _update. Assume that the new registered user is the tth member in the group, the user become a legitimate member of the group if the algorithm goes well, and the Join algorithm sets its signing secret key gsk=(bin(t−1),upk_t,usk_t). For the Issue algorithm, GM _update runs the algorithm TDA(t,upk_t) to update the Merkle hash tree, the group information info_τ, and the registered user list reg. $\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}$: Given the revocation list S, for any i∈S, the group manager GM _update runs algorithm TUpdate(bin(i−1),0^k) to update the Merkle hash tree, the registered user list reg and the group information $\mathbf {info}_{\tau _{new}}$. Sign(gpk,gsk_i,info_τ,M)→Σ: On input group public key gpk, group information info_τ, this algorithm outputs a signature Σ to a message M signed by the user corresponding to ith leaf at τ or an error symbol ⊥ if the user is illicit at τ, i.e. the user has not been registered or has been revoked at τ. Verify(gpk,Σ,info_τ,M)→0/1: Verify the signature Σ and output 1 if it is valid, otherwise output 0. TrapGen(gpk,tsk,M,reg,info_τ)→t_M: This algorithm is operated by the admitter AM, it outputs a token t_M for the corresponding message M. Trace(gpk,osk,t_M,M,Σ,reg,info_τ)→(b^′,Π_trace): This algorithm is operated by the trace manager GM _trace, it outputs the public key b^′ of the signer who signed the message M at τ and generate a proof for this fact if the signature Σ is valid. Otherwise output ⊥. Judge(gpk,b^′,M,Π_trace,Σ,info_τ)→0/1: Verify the proof Π_trace generated by the trace manager GM _trace, and output 1 if it is valid, otherwise output 0.

To verify that whether the signer is legitimate or not, i.e. the signer has registered and not be revoked when he signs a message M at τ, the group manager verifies that whether the value of the leaf corresponding to this signer is non-zero. And to avoid leaking any information about the signer’s identity, we use the extension-permutation technology (Libert et al. 2016) to hide it. In other words, suppose that the binary representation of the value of the leaf that corresponding to the signer is bin(d_i)=(d_i1,d_i2,⋯,d_ik),i∈[t], choose a vector $\mathbf {a}\overset {\$}{\leftarrow }\{0,1\}^{k-1}$ uniformly such that the Hamming weight of di′=(bin(d_i)|a)∈{0,1}^2k−1 is k. Given a random permutation $\pi _{2k-1}\in \mathcal {S}_{2k-1}=\{\pi _{2k-1}|\pi _{2k-1}$ is a random permutation of elements in {0,1}^2k−1}, the Hamming weight of π_2k−1(di′) is k if and only if d_i≠0.

Security of FDGS-MDO scheme

A fully dynamic group signature scheme needs to satisfies the following properties: correctness, anonymity against admitter, anonymity against opener, non-frameability, traceability, and tracing soundness. Before the specific description, we would like to give a brief description of oracles and special symbols used in the proof firstly. HUL is the set of honest users whose secret keys are generated honesty. BUL is the set of users whose signing secret keys are sent to the adversary. CUL is the set of users whose public keys are chosen by the adversary. SL is the set of signatures generated by oracle sign. CL is the set of signatures generated by oracle Chal_b, TL is the set of tokens generated by oracle Chal_b. And oracles used in the proof are as follows: AddU(i): Add an honest user i into the set HUL at time τ. CreU(i,upk_i): Create a new user i whose public key upk_i is chosen by the adversary, which is invoked in the oracle SenToM. SenToM(i,M_in): It is used to run the algorithm Join, on behalf of a corrupt user, together with the honest group manager GM _update. SenToU(i,M_in): It is used to run the algorithm Join, on behalf of the corrupt group manager GM _update, together with a legitimate user i. RReg(i): Return the registration information reg_i of user i. MReg(i,ρ): Change the registration information reg_i of user i into ρ. RevealU(i): Return the signing secret key gsk_i of user i to the adversary, and add i to the set BUL. Sign(i,M,τ): Return a signature to a message M signed by user i at time τ, and add this signature to the set SL. Chal_b(info_τ,i₀,i₁,M): For any b∈{0,1}, Return the signature to a message M signed by user i_b at time τ, and add this signature to the set CL. This requires that the users i₀,i₁ are all legitimate at time τ, and this oracle could be revoked only once. Trace(info_τ,Σ,M): Return the signer of a signature Σ signed at time τ and a proof of this fact, which requires that the signature Σ∉CL. TrapGen(info_τ,M): Return a token of the message M generated at time τ, which requires that the message M∉TL. UpdateG(S,τ): It allows the adversary to update some information about the group at time τ, which requires that each element in S is legitimate user’s public key at time τ. IsActive(info_τ,reg,i): Return 1 if and only if the user i is a legitimate member in the group at time τ, otherwise return 0.

Correctness: This property means that if the signer signs a message M honestly, the algorithm Verify can always output 1. With a token t_M that outputted by the algorithm TrapGen, the trace manager GM _trace can trace the identity of the signer by the algorithm Trace, and generates a proof Π_trace accepted by the algorithm Judge.

Anonymity against admitter: For any PPT adversary $\mathcal {A}$, this property means that it is impossible to distinguish signatures generated by two legitimate users with a non-negligible probability, even though the adversary $\mathcal {A}$ could learn the secret key msk of GM _update and the secret key tsk of AM, corrupt any user, and is given the access to the oracle Trace. Given a negligible function negl(λ), a DFGS-MDO scheme is anonymous against admitter for all PPT adversary $\mathcal {A}$ if $\Pr [\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)=1]\leq negl(\lambda)$.

Anonymity against opener: For any PPT adversary $\mathcal {A}$, this property means that it is impossible to distinguish signatures generated by two legitimate users with a non-negligible probability, even though the adversary $\mathcal {A}$ could learn the secret key msk of GM _update and the secret key tsk of AM, corrupt any user, and is given the access to the oracle TrapGen. Given a negligible function negl(λ), a DFGS-MDO scheme is anonymous against opener for all PPT adversary $\mathcal {A}$ if $\Pr [\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonO-b}(\lambda)=1]\leq negl(\lambda)$.

Non-frameability: For any PPT adversary $\mathcal {A}$, the probability to generate a valid signature that traced to a legitimate user is negligible, even though the adversary $\mathcal {A}$ could learn the secret keys of GM _update and GM _trace, and corrupt some of the users. Given a negligible function negl(λ), a DFGS-MDO scheme satisfies non-frame-ability for all PPT adversary $\mathcal {A}$ if $\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1]\leq negl(\lambda)$.

Traceability: For any PPT adversary $\mathcal {A}$, the probability to generate a valid signature that traced to a illicit user is negligible, even though the adversary $\mathcal {A}$ could learn the secret key of GM _trace and corrupt some of the users. Given a negligible function negl(λ), a DFGS-MDO scheme is traceable for all PPT adversary $\mathcal {A}$ if $\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)$.

Tracing soundness: For any PPT adversary $\mathcal {A}$, the probability to generate a valid signature that traced to two different users is negligible, even though the adversary $\mathcal {A}$ could learn the secret keys of GM _update and GM _trace, and corrupt some of the users. Given a negligible function negl(λ), a DFGS-MDO scheme satisfies tracing soundness for all PPT adversary $\mathcal {A}$ if $\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace-sound}(\lambda)=1]\leq negl(\lambda)$.

The lattice-based dynamic group signature scheme with message-dependent opening

The construction of the scheme

By using the dynamic algorithm to construct the Merkle hash tree and the formal definition of the fully dynamic group signature scheme with message-dependent opening, the specific construction of the scheme in this paper could be defined as follows: GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): Given the security parameter λ, let t>0 denote the number of registered users, l=⌈logt⌉,n=O(λ),p=O(λ), prime modules $q=\tilde {O}(n^{1.5}), k=n\lceil \log q\rceil, m=2k$, real integer $\beta >0, \mathcal {X}$ is the noise distribution bounded by β in R, $\phantom {\dot {i}\!}H:\{0,1\}^{*}\rightarrow \{0,1\}^{k'}$ is a hash function for FS transformation, $H':\{0,1\}^{*}\rightarrow \mathcal {X}^{k}$ is a collision resistant hash function, and $Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}$ is a string commitment scheme with properties of statistical hiding and computational binding (Kawachi et al. 2008). Let $\mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}, \mathbf {B}\overset {\$}{\leftarrow } R_{q}^{k}$. GM _update chooses $\mathbf {msk}\overset {\$}{\leftarrow }\{0,1\}^{m}$, computes mpk=A·msk, and initializes the registration list reg and the group information info as ∅. GM _trace chooses $\mathbf {S}_{1},\mathbf {S}_{2}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{1},E_{2}\overset {\$}{\leftarrow }\mathcal {X}$, and computes $P_{1}=\mathbf {S}_{1}^{\top }\mathbf {B}+E_{1}\in R_{q}, P_{2}=\mathbf {S}_{2}^{\top }\mathbf {B}+E_{2}\in R_{q}$. AM chooses $\mathbf {S}_{3},\mathbf {S}_{4}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{3},E_{4}\overset {\$}{\leftarrow }\mathcal {X}$. Set the GM _trace’s key pair (opk,osk)=(P₁,(S₁,E₁)), the GM _update’s key pair (mpk,msk), and the AM’s secret key tsk=(S₃,E₃). Finally, the algorithm outputs the public parameter $pp=(\lambda,n,p,q,k,m,\beta,\mathcal {X},H,Com,\mathbf {A},\mathbf {B})$, the group public key gpk=(pp,mpk,opk,tpk). UKeyGen(pp)→(upk,usk): The user chooses $\mathbf {usk}\overset {\$}{\leftarrow } \{0,1\}^{m}$ uniformly as its secret key, and computes the related public key upk=bin(A·usk mod q), and upk∈{0,1}^k. 〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: Assume that the new registered user is the t-th member in the group, and the user sends its public key upk to the group manager GM _update, and if this algorithm goes well, the latter searches and denotes the first non-zero leaf as t^′ if he approves the user’s application. Let $\phantom {\dot {i}\!}\mathbf {upk}_{t'}=\mathbf {upk}, \mathbf {reg}_{t'}=\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ], \tau $ is the time the user registered, GM _update includes $\phantom {\dot {i}\!}\mathbf {reg}_{t'}$ into the registration list $\phantom {\dot {i}\!}\mathbf {reg}:=(\mathbf {reg}_{1}[\mathbf {upk}_{1}][\tau ],\cdots,\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ],\cdots,\mathbf {reg}_{t} [\mathbf {upk}_{t}][\tau ])$. Then GM _update ru-ns the algorithm $\phantom {\dot {i}\!}\mathbf {TDA}(\mathbf {bin}(t'),\mathbf {upk}_{t'})$ to update the Merkle tree, outputs the group information $\phantom {\dot {i}\!}\mathbf {info}_{\tau }=(\mathbf {u},\{\mathbf {w}_{j}\}_{i_{j}})$ where u is the root and $\phantom {\dot {i}\!}\{\mathbf {w}_{j}\}_{i_{j}}$ are witnesses of all legal users, and updates the counter of registered users t=t+1. Let $\phantom {\dot {i}\!}\mathbf {usk}_{t'}=\mathbf {usk}$, the user sets $\phantom {\dot {i}\!}gsk_{t'}=(\mathbf {bin}(t'-1),\mathbf {upk}_{t'},\mathbf {usk}_{t'})$ as its signing secret key. $\phantom {\dot {i}\!}\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}$: Given the revocation list S that is the set of public keys of group members who would be revoked, and if $\phantom {\dot {i}\!}S=\{\mathbf {upk}_{i_{1}},\cdots,\mathbf {upk}_{i_{r}}\}$ is not empty, where r≥1,i_j∈[t],j∈[r], for every $\phantom {\dot {i}\!}j\in [r], \mathbf {upk}_{i_{j}}\in S$, GM _update runs the algorithm TUpdate in TDA(bin(i_j−1),0^k) to update the Merkle hash tree, then updates the registration list reg: changes $\phantom {\dot {i}\!}\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]$ to $\phantom {\dot {i}\!}\mathbf {reg}_{i_{j}}[0^{k}][\tau _{new}]$ if $\phantom {\dot {i}\!}\mathbf {upk}_{i_{j}}\in S$, otherwise changes $\phantom {\dot {i}\!}\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]$ to $\phantom {\dot {i}\!}\mathbf {reg}_{i_{j}} [\mathbf {upk}_{i_{j}}][\tau _{new}]$, finally outputs the new group information $\phantom {\dot {i}\!}\mathbf {info}_{\tau _{new}}=(\mathbf {u}_{new},\{\mathbf {w}_{j}\}_{i_{j}})$ that consists of a new root u_new and witnesses $\phantom {\dot {i}\!}\{\mathbf {w}_{j}\}_{i_{j}}$ of $\phantom {\dot {i}\!}\mathbf {upk}_{i_{j}}$, updates the counter of legitimate users t=t−r. So, the leaves with value 0^k in the Merkle tree corresponding to the potential users who have not been registered or those have been revoked. Sign(gpk,gsk_i,info_τ,M)→Σ: To sign a message M at τ by using the group information info_τ, the user related to the ith leaf verifies that whether there is a witness of bin(i−1) in info_τ firstly, if not, return ⊥. Otherwise, the user sends M to AM, receives $P_{3}=\tilde {\mathbf {S}}_{3}^{\top }\mathbf {B}+E_{3}$ and $P_{4}=\tilde {\mathbf {S}}_{4}^{\top }\mathbf {B}+E_{4}$ from it, where $\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M), \tilde {\mathbf {S}}_{4}=H'(\mathbf {S}_{4}\|M)$, and obtains (bin(i−1),(w_l,⋯,w₁)) from info_τ to do the follows: Choose random strings $\mathbf {r}_{1},\mathbf {r}_{2},\mathbf {r}_{3},\mathbf {r}_{4}\overset {\$}{\leftarrow }\{0,1\}^{k}$, the user encrypts vector upk_i by making use of the double-encryption paradigm (Naor and Yung 1990) and the RLWE-based encryptionp scheme (Regev 2009;Lyubashevsky et al. 2013) to obtain the ciphertexts,

$$ \begin{aligned} \mathbf{c}_{1}=&(c_{1,1},\mathbf{c}_{1,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{1}\mod q,P_{1}\cdot \mathbf{r}_{1}+\left\lceil\frac{q}{2}\right\rfloor\cdot\mathbf{upk}_{i}\mod q\right)\in R_{q}\times R_{q}^{k}, \end{aligned} $$

$$ \begin{aligned} \mathbf{c}_{2}=&(c_{2,1},\mathbf{c}_{2,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{2}\mod q,P_{2}\cdot \mathbf{r}_{2}+\left\lceil\frac{q}{2}\right\rfloor\cdot\mathbf{upk}_{i}\mod q\right)\in R_{q}\times R_{q}^{k}. \end{aligned} $$

Then encrypt ciphertext c_1,2 by using a method similar to the one above to obtain the ciphertexts,

$$\begin{aligned} \mathbf{c}_{3}=&(c_{3,1},\mathbf{c}_{3,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{3}\mod q,P_{3}\cdot \mathbf{r}_{3}+\left\lceil\frac{q}{2}\right\rfloor\cdot\mathbf{c}_{1,2}\mod q\right)\in R_{q}\times R_{q}^{k},\\ \mathbf{c}_{4}=&(c_{4,1},\mathbf{c}_{4,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{4}\mod q,P_{4}\cdot \mathbf{r}_{4}+\left\lceil\frac{q}{2}\right\rfloor\cdot\mathbf{c}_{1,2}\mod q\right)\in R_{q}\times R_{q}^{k}. \end{aligned} $$

Finally, the signer generates a non-interactive zero-knowledge argument of knowledge(NIZKAoK) Π_sign for: (1) It has legitimate witness ζ=(usk_i,upk_i,bin(i),w_l,⋯,w₁,r₁,⋯,r₄) such that the signer is a legitimate member in the group, i.e. upk_i≠0^k, and the values of nodes in the path that from the leaf corresponding to the user to the root are all correct. (2) (usk_i,upk_i) is a valid public-private key-pair. (3) (c₁,c₂) are two legitimate ciphertext of upk_i. (4) (c₃,c₄) are two legitimate ciphertext of c_1,2.

Output the signature Σ=(c_1,1,c₂,c₃,c₄,Π_sign). The NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. runs the underlying protocol $k'=\lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\rceil $ times sequentially to obtain a negligible soundness error 2^−λ, and the transcript is $\Pi _{sign}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)$, where

$$ \begin{aligned}\mathbf{ch} & =(ch_{1},\cdots,ch_{k'})\in([n]\times\mathbb{Z}_{p})^{k'} \\ &=\!H\!\left(M,\{\!(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})\!\}_{j=1}^{k'},\mathbf{A},\mathbf{u}_{\tau},\mathbf{B},\{P_{i}\}_{i=1}^{4},c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4}\right) \end{aligned} $$

Verify(gpk,Σ,info_τ,M)→0/1: The verifier obtains the root u_τ of the Merkle hash tree at τ from the group information info_τ, and verifies that whether the predicted challenge ch is true, outputs 0 if not, otherwise verifies the respond rsp_j that corresponding to $(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})$ and ch_j for each j∈[k^′], and outputs 1 if everything is correct, otherwise outputs 0. TrapGen(gpk,tsk,M,reg,info_τ)→t_M: If a token t_M for message M was already queried, answer consistently. Otherwise, compute $\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M)$, let $\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3})$, and outputs t_M. Trace(gpk,osk,t_M,M,Σ,reg,info_τ)→(b^′,Π_trace): Firstly, trace manager GM _trace uses token t_M to decrypt ciphertext c₃ to get c1,2′, i.e. computes $\mathbf {c}'_{1,2}=\left \lfloor \frac {(\mathbf {c}_{3,2}-\tilde {S}_{3}^{\top }\cdot c_{3,1})}{q/2}\right \rceil \in \{0,1\}^{k}$, and the ciphertexts c₂ and c₄ are only used in our proof. Let $c^{\prime }_{1,1}=c_{1,1}$, then GM _trace uses its tracing secret key osk to decrypt the ciphertext c1′=(c1,1′,c1,2′) and computes $\mathbf {b}'=\left \lfloor \frac {(\mathbf {c}'_{1,2}-S_{1}^{\top }\cdot c'_{1,1})}{q/2}\right \rceil \in \{0,1\}^{k}$. If there is not a witness of b^′ in info_τ or b^′=0^k, output ⊥. Then GM _trace generates a non-interactive zero-knowledge argument of knowledge(NIZKAoK) Π_trace for the fact that the user corresponding to b^′ really generated a signature Σ to message M at τ. In other words, the trace manager GM _trace should proof that he has $\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3}), \mathbf {S}_{1},\tilde {\mathbf {S}}_{3}\in R_{q}^{k}, E_{1},E_{3}\in R_{q}, \mathbf {y}_{1},\mathbf {y}_{3}\in R_{q}^{k}$, such that

$${} \begin{aligned} \|\mathbf{S}_{1}\|_{\infty},\|\tilde{\mathbf{S}}_{3}\|_{\infty}\leq\beta,|E_{1}|,|E_{3}|\leq\beta,\|\mathbf{y}_{1}\|_{\infty},\|\mathbf{y}_{3}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1}^{\top}\cdot \mathbf{B}+E_{1}=P_{1}\mod q \\ \tilde{\mathbf{S}}_{3}^{\top}\cdot \mathbf{B}+E_{3}=P_{3}\mod q \\ \mathbf{c}_{3,2}-\tilde{\mathbf{S}}_{3}^{\top}\cdot c_{3,1}=\mathbf{y}_{3}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{c}'_{1,2}\mod q \\ \mathbf{c}'_{1,2}-\mathbf{S}_{1}^{\top}\cdot c_{1,1}=\mathbf{y}_{1}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{b}'\mod q \end{aligned} $$

Similarly, the NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. GM _trace runs the underlying protocol $k'=\left \lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\right \rceil $ times sequentially to obtain a negligible soundness error 2^−λ, and the transcript is $\Pi _{trace}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)$, where $\mathbf {ch}\in ([n]\times \mathbb {Z}_{p})^{k'}$,

$$\begin{aligned} \mathbf{ch}=(ch_{1},\cdots,ch_{k'})=H\left(M,\{(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})\}_{j=1}^{k'},gpk,\Sigma,\mathbf{info}_{\tau},\mathbf{t_{M}},\mathbf{b}'\right) \end{aligned} $$

Finally, this algorithm outputs (b^′,Π_trace). Judge(gpk,b^′,M,Π_trace,Σ,info_τ)→0/1: Verify the proof Π_trace and output 1 if it is true, otherwise output 0.

Finally, a timestamp τ is given to each member in the group, the group manager GM _update updates the group information info_τ once a new user registered or a legitimate member has been revoked, which indicates that the user can not sign a message M before a registration or after a revocation. Given a group information info_τ, we can confirm the timestamp τ uniquely, and vice versa. For any two timestamps τ₁<τ₂, the group information $\mathbf {info}_{\tau _{1}}$ is published earlier than $\mathbf {info}_{\tau _{2}}$.

Analysis of the lattice-based FDGS-MDO scheme

In our scheme, it is not necessary to prepare a large storage space for the Merkle tree standby before a signature is generated, namely we only need to extend or update the Merkle hash tree when a user needs a registration or be revoked. Compared with the scheme in Ling et al. (2017), our work could economize considerable storage space, and there is also no limits on the upper bound of the size of the group as long as the storage space is allowed. In addition, the fact that the scheme is implemented based on ring could help to reduce the computational complexity and space complexity of it (Table 1).

Table 1 Comparison of lattice-based group signature schemes in (Libert et al. 2016) and (Ling et al. 2017), in terms of efficiency and functionality

Full size table

Complexity: Given a security parameter λ, the size of legitimate users t, $l=\lceil \log t\rceil, n=O(\lambda), q=\tilde {O}(n^{1.5})=\tilde {O}(c\lambda ^{1.5})$ with a constant c, k=n⌈logq⌉=O(λ logλ). Then the size of group public key gpk=(pp,mpk,opk,tpk) is |gpk|=O(nk)+k+O(k²)=O((λ logλ)²), the size of signing secret key gsk_i=(bin(i),upk_i,usk_i) is $|gsk_{i}|=l+3k=l+O(\lambda \log \lambda)=l+\tilde {O}(\lambda)$, and the size of signature Σ=(c_1,1,c₂,c₃,c₄,Π_sign) is

$$\begin{aligned} |\Sigma|= & |\Pi_{sign}|+|c_{1,1}|+|\mathbf{c}_{2}|+|\mathbf{c}_{3}|+|\mathbf{c}_{4}| \\ = & k'\cdot(|(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})|+|ch_{j}|+\cdot|rsp_{j}|)+1+3(k+1)\log q \\ = & k'\cdot(2k+\log p+\log n\!+2(\log q+k\log k)\!+2\lambda\!+D)\\&+1+3(k+1)\log q \\ = & O(l\lambda^{2}) \end{aligned} $$

The soundness error of our underlying protocol is $\frac {1}{\max {(n,p)}+1}$, so we need to perform the protocol $\frac {\lambda }{\log (\max (n,p)+1)}$ times sequentially to reach a negligible soundness error 2^−λ, and the generated group signature size is O(lλ²). To realize the same soundness error, the underlying protocol in Ling et al. (2017) need to be excluded Θ(λ) times sequentially, and the corresponding group signature size would be $\tilde {O}(l\lambda ^{2})$. Let the upper bounds of the size of the group in (Ling et al. 2017) and that in our work are the same and denoted as N, let l= logN, then the expected computational complexity of realizing the dynamic registration and revocation of the counterpart of the scheme in Ling et al. (2017) over ring is O(l), and that of our work is roughly $\frac {1}{2}O(l)$, So the expected computational complexity down almost by half. Correspondingly, the space complexity has been reduced by the same magnitude.

The security of the fully dynamic group signature scheme presented in this paper satisfies some security requirements given in Bootle et al. (2016): correctness, anonymity, non-frameability, traceability, and tracing soundness.

Correctness: Now, we give a specific description of the correctness of our scheme according to the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature Σ=(c_1,1,c₂,c₃,c₄,Π_sign) is generated by a legitimate user, then the perfect completeness of the underlying protocol could help the signature Σ to pass the verification of the algorithm Verify, and the algorithm Trace will take the token t_M outputted by the algorithm TrapGen as one of the inputs to decrypt the ciphertext c₃ and outputs c_1,2, then let c₁=(c_1,1,c_1,2), and uses its secret key osk to decrypt c₁ and outputs the user public key b^′=upk_i with a probability approximate to 1 together with a proof Π_trace accepted by Judge. We need to compute $\mathbf {e}_{1}=\mathbf {c}_{3,2}-\tilde {\mathbf {S}}_{3}^{\top }c_{3,1}=E_{3}\cdot \mathbf {r}_{3}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {c}_{1,2}\mod q$ and $\mathbf {e}_{2}=\mathbf {c}_{1,2}-\mathbf {S}_{1}^{\top }c_{1,1}=E_{1}\cdot \mathbf {r}_{1}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {upk}_{i}\mod q$ when to decrypt a ciphertext, and for s=1,2, let bs′=(bs,1′,⋯,bs,l′),e_s=(e_s,1,⋯,e_s,l), for any j∈[l],

$$ b'_{s,j}=\left\{ \begin{aligned} 0, & if & 0 < |e_{s,j}| < \frac{q}{2} \\ 1, & if & \frac{q}{2} < |e_{s,j}| \end{aligned}\right. $$

(3)

Note that $\|E_{s'}\cdot \mathbf {r}_{s'}\|_{\infty }<\frac {q}{5}$ for s^′=1,3, so b1′=c_1,2,b2′=upk_i with overwhelming probability. Furthermore, because the user corresponding to upk_i is legitimate, then the witness w=(bin(i−1),w_l,⋯,w₁) is included in the group information info_τ, and the value of the related leaf is not 0^k. So, the algorithm Trace could always obtain a tuple (S₁,E₁,y,t_M) that satisfies requirement. And finally, for the fact that the proof Π_trace is perfect completeness, the algorithm Judge outputs 1 with probability 1.

Theorem 3

The FDGS-MDO scheme satisfies anonymous against admitter, anonymous against opener, unforgeable, traceable and tracing soundness security requirements under the ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ and ring-$\mathbf {SIS}^{\infty }_{n,m,q,1}$ assumptions in RO model.

The proof of Theorem in “The improved zero-knowledge protocol of knowledge” section consists of the following five lemmas.

Lemma 1

Suppose that the ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ problem is difficult, then the scheme in this paper is anonymous against admitter in RO model.

Proof

Assume that the size of legitimate users is t, the adversary $\mathcal {A}$ and challenger $\mathcal {C}$ are all PPT algorithms. For two different users i₀≠i₁∈[t] given by $\mathcal {A}$,

we say that the scheme satisfies anonymity if there is a negligible function negl(λ), such that $\Pr \left [\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)=1\right ]\leq negl(\lambda)$. Given a negligible function negl(λ), we will finish this proof by hybrid games. Let the output of each game is OP_l,l∈[9].

Game0: Given two different legitimate users i₀≠i₁∈[t] by $\mathcal {A}$, let b=0, the challenger $\mathcal {C}$ runs the experiment $\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)$ honestly by using i₀.

Game1: This game is completely consistent with Game0 except that include (S₂,E₂) to osk, i.e. let osk=((S₁,E₁),(S₂,E₂)). And this change, to the view of the adversary $\mathcal {A}$, makes no difference, Pr[OP₁=1]= Pr[OP₀=1].

Game2: This game is completely consistent with Game1 except that use a simulator Sim_trace to simulate the real interactions of the protocol that generates Π_trace, i.e. replace the real transcript Π_trace with a simulated transcript of Sim_trace. And the two transcripts are statistical indistinguishable because of the statistical zero-knowledge of Π_trace, Pr[OP₂=1]− Pr[OP₁=1]≤negl(λ).

Game3: This game is completely consistent with Game2 except that replace (S₁,E₁) with (S₂,E₂) when Sim_trace simulates the oracle Trace. For a legitimate signature (c_1,1,c₂,c₃,c₄,Π_sign), where c₁,c₂ are encryptions to different strings respectively, let F₁ be a event of the above signature inquiry initiated by $\mathcal {A}$ to the oracle Trace, and the view of $\mathcal {A}$ may changing if F₁ appears, however, it violates the soundness of the protocol that generates Π_sign. And the change in this game, to the view of $\mathcal {A}$, is indistinguishable except the incident F₁, i.e. Pr[OP₃=1]− Pr[OP₂=1]≤ Pr[F₁]≤negl(λ).

Game4: This game is completely consistent with Game3 except that use a simulator Sim_sign to simulate the real interactions of the protocol that generates Π_sign, i.e. replace the real transcript Π_sign with a simulated transcript of Sim_sign. And the two transcripts are statistical indistinguishable because of the statistical zero-knowledge of Π_sign, Pr[OP₄=1]− Pr[OP₃=1]≤negl(λ).

Game5: This game is completely consistent with Game4 except that change the ciphertext c₁ into the encryption to $\mathbf {upk}_{i_{1}}$ when initiate an inquiry to the oracle Chal_b. And the difference of the view of $\mathcal {A}$ caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S₂,E₂) during the inquiry to the oracle Trace, which makes no difference by substitute the ciphertext c₁, so, Pr[OP₅=1]− Pr[OP₄=1]=negl(λ).

Game6: This game is completely consistent with Game5 except that replace (S₂,E₂) with (S₁,E₁) when Sim_trace simulates the oracle Trace. For a legitimate signature (c_1,1,c₂,c₃,c₄,Π_sign), where c₁,c₂ are encryptions to different strings respectively, let F₂ be a event of the above signature inquiry initiated by $\mathcal {A}$ to the oracle Trace, which violates the simulation soundness of the protocol that generates Π_sign. And the change in this game, to the view of $\mathcal {A}$, is indistinguishable except the incident F₂, Pr[OP₆=1]− Pr[OP₅=1]≤ Pr[F₂]≤negl(λ).

Game7: This game is completely consistent with Game6 except that change the ciphertext c₂ into the encryption to $\mathbf {upk}_{i_{1}}$. And the difference of the view of $\mathcal {A}$ caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S₁,E₁) during the inquiry to the oracle Trace, so change c₂ makes no difference to the view of the adversary, Pr[OP₇=1]− Pr[OP₆=1]=negl(λ).

Game8: This game is completely consistent with Game7 except that replace the simulator Sim_sign with a real protocol that generates Π_sign, i.e. replace the simulated transcript of Sim_sign by a real transcript Π_sign. And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol Π_sign, Pr[OP₈=1]− Pr[OP₇=1]≤negl(λ).

Game9: This game is completely consistent with Game8 except that replace the simulator Sim_trace with a real protocol that generates Π_trace, i.e. replace the simulated transcript of Sim_trace by a real transcript Π_trace. And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol Π_trace, Pr[OP₉=1]− Pr[OP₈=1]≤negl(λ).

Finally, we could learn from the games above that the probability:

$${}\begin{aligned} & \Pr[OP_{9}=1]-\Pr[OP_{0}=1] \\ = & \Pr\left[\mathbf{Exp}_{FDGS-MDO,\mathcal{A}}^{anonA-1}(\lambda)\right]-\Pr\left[\mathbf{Exp}_{FDGS-MDO,\mathcal{A}}^{anonA-0}(\lambda)\right] \\ \leq & c\cdot negl(\lambda) \end{aligned} $$

where c is a constant. So, the scheme satisfies the property of anonymity against admitter. □

Lemma 2

Suppose that the ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ problem is difficult, then the scheme in this paper is anonymous against opener in RO model.

Proof

Assume that the size of legitimate users is t, the adversary $\mathcal {A}$ and challenger $\mathcal {C}$ are all PPT algorithms. For two different users i₀≠i₁∈[t] given by $\mathcal {A}$,

the proof of property anonymity against opener is similar to that of anonymity against admitter, so we are not describe it in detail anymore. □

Lemma 3

Suppose that the problem ring-$\mathbf {SIS}^{\infty }_{n,m,q,1}$ is difficult, then the sche-me in this paper is unforgeable in the RO model.

Proof

Suppose that there ia a PPT adversary $\mathcal {A}$ could forge a valid signature with a non-negligible probability ε, then there is a PPT algorithm $\mathcal {B}$ could break the security of Merkle hash tree or solve the problem ring-$\mathbf {SIS}^{\infty }_{n,m,q,1}$ with a non-negligible probability by invoking $\mathcal {A}$ as a black box.

If there is a negligible function negl(λ), such that $\Pr \left [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\leq negl(\lambda)$, then we say that the scheme is unforgeable. Given a random vector A, the challenger computes the public parameter pp honestly, then invokes the algorithm of $\mathcal {A}$, runs the operations in the game $\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)$, during this process, $\mathcal {B}$ responds the inquiries of $\mathcal {A}$ honestly. If the adversary $\mathcal {A}$ wins the game and outputs $\left (M^{*},\Sigma ^{*},i^{*},\Pi _{trace}^{*},\mathbf {info}_{\tau }\right)$ finally, then there is a non-negligible function ε, such that $\Pr \left [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\geq \epsilon $, and the algorithm $\mathcal {B}$ could operate as follows: Decompose the signature Σ^∗ into $(c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}^{*}_{4},\Pi _{sign}^{*})$, where $\Pi _{sign}=\left (\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*},\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}\right)$, because the adversary $\mathcal {A}$ wins the game $\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)$, so $\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}$ is a legitimate respond to $\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*}$. Let $\xi ^{*}=\left (M^{*},\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {A},\mathbf {u}_{\tau },\{P_{i}\}_{i=1}^{4}, \mathbf {B},c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}_{4}^{*}\right)$, for the successful probability to guess H(ξ^∗) is $\phantom {\dot {i}\!}(np)^{-k'}$, so the adversary uses the ξ^∗ to initiate queries to the oracle H with overwhelming probability, and ξ^∗ is the preimage of H with probability $\phantom {\dot {i}\!}\epsilon '=\epsilon -(np)^{-k'}$, let t^∗∈{1,2,⋯,Q_H} be the index of one inquiry, where Q_H is the number of inquiries that the adversary $\mathcal {A}$ made to the oracle H. The inputs of the hash queries from 1th to t^∗th are all ξ^∗, and $\mathcal {B}$ runs the operations of $\mathcal {A}$ for t^∗ times. And the inputs of other hash queries from t^∗+1th to Q_Hth are something else, $\mathcal {B}$ responds by independent values respectively. By the Forking lemma in (Brickell et al. 2000;Pointcheval and Stern 1999), the probability of $\mathcal {B}$ gets max(n,p)+1 different hash values $\mathbf {ch}_{t^{*}}^{1},\cdots,\mathbf {ch}_{t^{*}}^{\max (n,p)+1}\in \{[n]\times \mathbb {Z}_{p}\}^{k'}$ to the same input ξ^∗ is non-negligible, and the pigeon hole principle tells us that there are at least two accept responds $\phantom {\dot {i}\!}(rsp_{t^{*},1},rsp_{t^{*},2})$ with the same I and different ch, then what we could learn from the protocol that generates Π_sign is that we could extract a witness $\phantom {\dot {i}\!}\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4},\right)$, where $\phantom {\dot {i}\!}w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots,\mathbf {w}'_{1,\tau }\right) \in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}$, such that for d=1,2,d^′=3,4,j∈{0,l−1}, we have

$$ \left\{ \begin{aligned} \mathbf{u}_{j,\tau}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if\ i'_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if\ i'_{j+1}=1 \end{aligned} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i'}=\mathbf{G}\cdot \mathbf{upk}_{i'} \\ \mathbf{c}^{*}_{d}=\left(c^{*}_{d,1},\mathbf{c}^{*}_{d,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d},P_{d}\cdot \mathbf{r}'_{d}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i'}\right) \\ \mathbf{c}^{*}_{d'}=\left(c^{*}_{d',1},\mathbf{c}^{*}_{d',2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d'},P_{d'}\cdot \mathbf{r}'_{d'}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}^{*}_{1,2}\right) \end{aligned} \right. $$

(4)

We can learn from the correctness of the encryption scheme that $\mathbf {c}_{1}^{*}$ is the encryption to $\phantom {\dot {i}\!}\mathbf {upk}_{i'}$ and $\mathbf {c}_{3}^{*}$ is the encryption to $\mathbf {c}^{*}_{1,2}$. The algorithm Judge outputs 1 because of the fact that $\mathcal {A}$ wins the game, and what we can learn from the soundness of the protocol that generates Π_trace is that $\mathbf {c}_{1}^{*}$ is the encryption to $\phantom {\dot {i}\!}\mathbf {upk}_{i^{*}}$, then $\phantom {\dot {i}\!}\mathbf {upk}_{i'}=\mathbf {upk}_{i^{*}}$ with overwhelming probability. By the correctness of the Merkle hash tree, the user i^∗ is legitimate. i^∗∈HUL∖BUL indicates that the adversary $\mathcal {A}$ doesn’t know $\phantom {\dot {i}\!}gsk_{i^{*}}=(\mathbf {bin}(i^{*}-1),\mathbf {upk}_{i'},\mathbf {usk}_{i^{*}})$. $\phantom {\dot {i}\!}\mathbf {usk}_{i^{*}}$ was chosen by $\mathcal {B}$ and $\phantom {\dot {i}\!}\mathbf {A}\cdot \mathbf {usk}_{i^{*}}=\mathbf {G}\cdot \mathbf {upk}_{i'}$, so we have $\phantom {\dot {i}\!}\Pr [\mathbf {usk}_{i^{*}}\not =\mathbf {usk}_{i'}]\geq \frac {1}{2}$. Let $\phantom {\dot {i}\!}\mathbf {z}=\mathbf {usk}_{i^{*}}-\mathbf {usk}_{i'}$, then z≠0 and Az=0 mod q, so, the algorithm $\mathcal {B}$ could solve the problem ring-$\mathbf {SIS}^{\infty }_{n,m,q,1}$ with non-negligible probability. □

Lemma 4

Suppose that the ring-$\mathbf {SIS}^{\infty }_{n,m,q,1}$ problem is difficult, then the sche-me in this paper is traceable in RO model.

Proof

Given a negligible function negl(λ), such that $\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)$, then we say that the scheme is traceable. In other words, If the adversary $\mathcal {A}$ wins the game $\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)$, the signature generated by $\mathcal {A}$ is legitimate and it was traced to a revoked user or a legitimate user without a valid proof Π_trace to it, and next, we will explain that the probability of the fact that the adversary $\mathcal {A}$ wins the game is negligible.

Let (info_τ,M,Σ) be a forged information by the adversary $\mathcal {A}$ in the game $\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)$, then the challenger could extract the identity (bin(i−1),Π_trace) by running the algorithm Trace. Decompose the signature Σ into (c1,1′,c2′,c3′,c4′,Π_sign), where $\Pi _{sign}=\left (\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)$. Since (info_τ,M,Σ) is a legitimate signature, $\{rsp_{j}\}_{j=1}^{k'}$ are valid responds to $\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'}, \mathbf {ch}$. Then we could extract a witness $\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4}\right)$, which is similar to the property of unforgeability, where $w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots, \mathbf {w}'_{1,\tau }\right)\in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}$, such that for d=1,2,d^′=3,4,j∈{0,l−1}, we have

$$ \left\{ \begin{aligned} \mathbf{upk}_{i'}\not=0 \\ \mathbf{u}_{j,\tau}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if \ i'_{i+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if \ i'_{i+1}=1 \end{aligned} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i'}=\mathbf{G}\cdot \mathbf{upk}_{i'} \\ \mathbf{c}'_{d}=\left(c'_{d,1},\mathbf{c}'_{d,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d},P_{d}\cdot \mathbf{r}'_{d}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i'}\right) \\ \mathbf{c}'_{d'}=\left(c'_{d',1},\mathbf{c}'_{d',2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d'},P_{d'}\cdot \mathbf{r}'_{d'}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}'_{1,2}\right) \end{aligned} \right. $$

(5)

What we can learn from the correctness of the encryption scheme is that the ciphertext $\phantom {\dot {i}\!}\mathbf {c}'_{1}$ could be decrypted to $\phantom {\dot {i}\!}\mathbf {upk}_{i'}, \mathbf {c}'_{3}$ could be decrypted to $\phantom {\dot {i}\!}\mathbf {c}'_{1,2}$, and we can learn from the correctness of the algorithm Trace that upk_i is the plaintext obtained from the ciphertext $\phantom {\dot {i}\!}\mathbf {c}'_{1}$, so $\phantom {\dot {i}\!}\mathbf {upk}_{i}=\mathbf {upk}_{i'}$ with overwhelming probability, and the probability that a valid signature be traced to a revoked user is negligible. In fact, we can learn from the security of Merkle hash tree that the probability that the valid signature above be traced to a revoked user with a valid proof Π_trace is negligible. Because of the fact that the challenger has the legitimate witness to generate a valid proof Π_trace, and we can learn from the perfect completeness of the protocol that generates Π_trace that the algorithm Judge would accepts Π_trace with probability 1. In conclusion, the scheme in this paper is traceable. □

Lemma 5

The scheme in this paper satisfies the property of tracing soundness in RO model.

Proof

Suppose that the information $\phantom {\dot {i}\!}(M,\Sigma,i_{0},\Pi _{trace,i_{0}}, i_{1},\Pi _{trace,i_{1}},\mathbf {info}_{\tau })$ is the output of the adversary $\mathcal {A}$ in the game $\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace-sound}(\lambda)$, if the game outputs 1 finally, i.e. $\phantom {\dot {i}\!}\mathbf {Judge}(gpk,\mathbf {upk}_{i_{b}},\mathbf {info}_{\tau }, \Pi _{trace},M,\Sigma)=1, i_{0}\not =i_{1}\not =\perp, \mathbf {Verify}(gpk,\mathbf {info}_{\tau },M,\Sigma)=1$, then we say that $\mathcal {A}$ wins. Given Π_trace with $\phantom {\dot {i}\!}\Pi _{trace}= \left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)$, the fact that the algorithm Judge outputs 1 indicates that $\phantom {\dot {i}\!}\{rsp_{j}\}_{j=1}^{k'}$ are legitimate responds to $\phantom {\dot {i}\!}\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}$. For b=0,1,j=1,3, it is similarly to the property of unforgeability, we could extract $\mathbf {S}_{1,b},\tilde {\mathbf {S}}_{3,b},E_{j,b},\mathbf {y}_{j,b}$, such that

$$\begin{aligned} \|\mathbf{S}_{1,b}\|_{\infty},\|\tilde{\mathbf{S}}_{3,b}\|_{\infty}\leq\beta,|E_{j,b}|\leq\beta,\|\mathbf{y}_{j,b}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1,b}^{\top}\cdot \mathbf{B}+E_{1,b}=P_{1,b}\mod q \\ \tilde{\mathbf{S}}_{3,b}^{\top}\cdot \mathbf{B}+E_{3,b}=P_{3,b}\mod q \\ \mathbf{c}_{3,2}-\tilde{\mathbf{S}}_{3,b}^{\top}\cdot c_{3,1}=\mathbf{y}_{3,b}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{c}_{1,2}\mod q \\ \mathbf{c}_{1,2}-\mathbf{S}_{1,b}^{\top}\cdot c_{1,1}=\mathbf{y}_{1,b}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{upk}_{i_{b}}\mod q \end{aligned} $$

then we have

$$ \begin{aligned} \left(\mathbf{S}_{1,0}^{\top}-\mathbf{S}_{1,1}^{\top}\right)\cdot c_{1,1}\,=\,(\mathbf{y}_{1,1}-\mathbf{y}_{1,0})\!+\left\lfloor\frac{q}{2}\right\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\mod q \end{aligned} $$

Suppose that $\phantom {\dot {i}\!}\mathbf {upk}_{i_{1}}\not =\mathbf {upk}_{i_{0}}$, so $\|\lfloor \frac {q}{2}\rfloor \cdot (\mathbf {upk}_{i_{1}}-\mathbf {upk}_{i_{0}})\|_{\infty }=\lfloor \frac {q}{2}\rfloor, \|\mathbf {y}_{1,1}-\mathbf {y}_{1,0}\|_{\infty } \leq 2\cdot \lceil \frac {q}{5}\rceil $, and

$$ \|(\mathbf{y}_{1,1}-\mathbf{y}_{1,0})+\lfloor\frac{q}{2}\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\|_{\infty}>0 $$

then $\mathbf {S}_{1,0}^{\top }\not =\mathbf {S}_{1,1}^{\top }$, we obtained two different solutions of the function $\mathbf {S}_{1}^{\top }\cdot \mathbf {B}+E_{1}=P_{1}\mod q$, which is contradictory to the fact that there is at most one solution to the ring-$\mathbf {LWE}_{n,m,q,\mathcal {X}}$ sample (B,P₁). So, $\phantom {\dot {i}\!}\mathbf {upk}_{i_{1}}=\mathbf {upk}_{i_{0}}$ with overwhelming probability. Similarly, if there are two different strings c_1,2 and $\phantom {\dot {i}\!}\mathbf {c}'_{1,2}$ w.r.t one ciphertext c₃, then $\phantom {\dot {i}\!}\mathbf {c}_{1,2}=\mathbf {c}'_{1,2}$ is also true with overwhelming probability. In other words, the probability of the fact that $\mathcal {A}$ wins is negligible, so the scheme in this paper satisfies the property of tracing soundness. □

The improved zero-knowledge protocol of knowledge

Details of the protocol

Suppose that the size of the legitimate members in the group is t≥1 at time τ, for d=1,2,d^′=3,4,i∈[t],∀j∈[l−1], the underlying zero-knowledge protocol is used to prove the following relationships by utilizing the extending and permuting techniques (Stern 1996;Ling et al. 2017).

$$ \left\{ \begin{aligned} \mathbf{upk}_{i}\not=0 \\ \mathbf{u}_{j}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1}), & if\ i_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1}), & if\ i_{j+1}=1 \end{aligned} \hspace{5mm}(\star) \right. \\ \mathbf{upk}_{i}=\mathbf{bin}(\mathbf{A}\cdot \mathbf{usk}_{i}) \\ \mathbf{c}_{d}=(c_{d,1},\mathbf{c}_{d,2})=(\mathbf{B}\cdot \mathbf{r}_{d},P_{d}\cdot \mathbf{r}_{d}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{upk}_{i}) \\ \mathbf{c}_{d'}=(c_{d',1},\mathbf{c}_{d',2})=(\mathbf{B}\cdot \mathbf{r}_{d'},P_{d'}\cdot \mathbf{r}_{d'}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{c}_{1,2}) \end{aligned} \right. $$

(6)

Given a bit b, a vector a, let $\mathbf {ext}(b,\mathbf {a})=(\bar {b}\cdot \mathbf {a},b\cdot \mathbf {a})^{\top }, \mathbf {ext}_{2}(b)=(\bar {b},b)^{\top }$. Given bit b^′ and vector $\phantom {\dot {i}\!}\mathbf {a'}$, we can get similar results $\phantom {\dot {i}\!}\mathbf {ext}(b',\mathbf {a'})=(\bar {b'}\cdot \mathbf {a'},b'\cdot \mathbf {a'})^{\top }, \mathbf {ext}_{2}(b')=(\bar {b'},b')^{\top }$. then we have the following equivalence relationship:

$$\begin{aligned} (\star) & \Leftrightarrow \bar{i}_{j+1}\cdot h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1})+i_{j+1}\cdot h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1})=\mathbf{u}_{j} \\ & \Leftrightarrow \bar{i}_{j+1}\!\cdot \!(\mathbf{A}_{0} \mathbf{u}_{j+1}\!+\mathbf{\!A}_{1}\mathbf{w}_{j+1})\,+\,i_{j+1}\!\cdot\! (\mathbf{A}_{0} \mathbf{w}_{j+1}\,+\,\mathbf{A}_{1}\mathbf{u}_{j+1})\!=\mathbf{\!G}\mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \left(\begin{aligned} \bar{i}_{j+1}\cdot \mathbf{u}_{j+1}\\ i_{j+1}\cdot \mathbf{u}_{j+1} \end{aligned}\right) +\mathbf{A}\cdot \left(\begin{aligned} i_{j+1}\cdot \mathbf{w}_{j+1}\\ \bar{i}_{j+1}\cdot \mathbf{w}_{j+1} \end{aligned}\right) =\mathbf{G}\cdot \mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \mathbf{ext}(i_{j+1},\mathbf{u}_{j+1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{j+1},\mathbf{w}_{j+1})=\mathbf{G}\cdot \mathbf{u}_{j} \mod q \end{aligned} $$

Then for d=1,2,d^′=3,4,i∈[t],bin(i−1)=(i₁,⋯,i_l), the Eq. (2) is equal to the following form

$$ \left\{ \begin{aligned} \mathbf{A}\cdot \mathbf{ext}(i_{1},\mathbf{u}_{1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{1},\mathbf{w}_{1})-\mathbf{G}\cdot \mathbf{u}=0 \mod q \\ \mathbf{A}\cdot \mathbf{ext}(i_{2},\mathbf{u}_{2})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{2},\mathbf{w}_{2})-\mathbf{G}\cdot \mathbf{u}_{1}=0 \mod q \\ \hspace{2cm} \cdots \\ \mathbf{A}\cdot \mathbf{ext}(i_{l},\mathbf{upk}_{i})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{l},\mathbf{w}_{l})-\mathbf{G}\cdot \mathbf{u}_{l-1}=0 \mod q \\ \mathbf{A}\cdot \mathbf{usk}_{i}-\mathbf{G}\cdot \mathbf{upk}_{i}=0\mod q \\ c_{d,1}=\mathbf{B}\cdot \mathbf{r}_{d}\mod q \\ \mathbf{c}_{d,2}=P_{d}\cdot \mathbf{r}_{d}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{upk}_{i}\mod q \\ c_{d',3}=\mathbf{B}\cdot \mathbf{r}_{d'}\mod q \\ \mathbf{c}_{d',2}=P_{d'}\cdot \mathbf{r}_{d'}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{c}_{1,2}\mod q \end{aligned} \right. $$

(7)

Let $\mathbf {B}_{n}^{2n}$ be the set of strings with length 2n, where the Hamming weight of each string is n, to illustrate the fact that the user’s public key upk_i≠0^k, we pad upk_i with a random string with length k−1 to obtain a new string $\mathbf {upk}_{i}^{*}$, such that $\mathbf {upk}_{i}^{*}\in \mathbf {B}_{k}^{2k-1}$, then for any permutation $\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2k-1}$, we have

$$ \mathbf{upk}_{i}\not=0^{k}\Leftrightarrow \mathbf{upk}_{i}^{*}\in\mathbf{B}_{k}^{2k-1} \Leftrightarrow \pi_{\mathbf{upk}_{i}}(\mathbf{upk}_{i}^{*})\in\mathbf{B}_{k}^{2k-1} $$

We make similar operations for c_1,2 to obtain $\mathbf {c}_{1,2}^{*}\in \mathbf {B}_{k}^{2k-1}$, for each usk_i to obtain $\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m}$, for any $\pi _{\mathbf {usk}_{i}}\in \mathcal {S}_{2m}$, we have $\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m} \Leftrightarrow \pi _{\mathbf {usk}_{i}}(\mathbf {usk}_{i}^{*})\in \mathbf {B}_{m}^{2m}$. Similarly, extend the vectors u₁,⋯,u_l−1,w₁,⋯,w_l,r₁,⋯,r₄ to obtain $\mathbf {u}_{1}^{*}\cdots,\mathbf {u}_{l-1}^{*}, \mathbf {w}_{1}^{*}\cdots,\mathbf {w}_{l}^{*}\in \mathbf {B}_{k}^{2k}, \mathbf {r}_{1}^{*},\cdots,\mathbf {r}_{4}^{*}\in \mathbf {B}_{k}^{2k}$. And then let $\hat {\mathbf {u}}_{1}=\mathbf {ext}(i_{1},\mathbf {u}_{1}^{*}),\cdots,\hat {\mathbf {u}}_{l-1}=\mathbf {ext}(i_{l-1},\mathbf {u}_{l-1}^{*})\in \{0,1\}^{4k}, \hat {\mathbf {upk}_{i}}=\mathbf {ext}(i_{l},\mathbf {upk}_{i}^{*})\in \{0,1\}^{4k-2}, \hat {\mathbf {w}}_{1}=\mathbf {ext}(\bar {i_{1}},\mathbf {w}_{1}^{*}),\cdots,\hat {\mathbf {w}}_{l}=\mathbf {ext}(\bar {i_{l}}, \mathbf {w}_{l}^{*})\in \{0,1\}^{4k}$.

Given upk_i=(upk_i1,⋯,upk_ik), for any j∈[k], let upkij′=ext₂(upk_ij). For any $b\in \{0,1\}, \mathbf {t}=(t_{0},t_{1})\in \mathbb {Z}^{2}$, let $T_{b}(\mathbf {t})=(t_{b},t_{\bar {b}})$. Then for any b_j∈{0,1}, we have $\mathbf {upk}'_{ij}=\mathbf {ext}_{2}(upk_{ij})\Leftrightarrow T_{b_{j}}(\mathbf {upk'}_{ij})=\mathbf {ext}_{2}(upk_{ij}\oplus b_{j})$. Because b_j is chosen randomly, so the operations above are equal to carry out a one-time pad to the user’s upk_ij by b_j to hide it perfectly. And for c_1,2 and $\mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}$, we give similar operations.

Let $\phantom {\dot {i}\!}r\in \{2k-1,2k\}, b\in \{0,1\}, \pi \in \mathcal {S}_{r}, \mathbf {t}=(t_{0},t_{1})^{T}\in \mathbb {Z}^{2r}, \mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}$, we define the permutation $\phantom {\dot {i}\!}F_{b,\pi }(\mathbf {t})=(\pi (t_{b}),\pi (t_{\bar {b}})), F_{b,\pi }(\mathbf {t'})=(\pi (t'_{b}),\pi (t'_{\bar {b}}))$. Then for all $\phantom {\dot {i}\!}b_{1},\cdots,b_{l}\in \{0,1\}, \phi _{\mathbf {u},1},\cdots,\phi _{\mathbf {u},l-1},\phi _{\mathbf {w},1},\cdots,\phi _{\mathbf {w},l}\in \mathcal {S}_{2k}, \pi _{\mathbf {upk}_{i}},\pi _{\mathbf {c}_{1}}\in \mathcal {S}_{2k-1}$, the following relationship is true,

$$ \begin{aligned} \left\{ \begin{aligned} \forall j\in[l-1], \hat{\mathbf{u}}_{j}=\mathbf{ext}(i_{j},\mathbf{u}_{j}^{*})\Leftrightarrow F_{b_{j},\phi_{\mathbf{u},j}}(\hat{\mathbf{u}}_{j})=\mathbf{ext}(i_{j}\oplus b_{j},\phi_{\mathbf{u},j}(\mathbf{u}_{j}^{*})) \\ \forall j\in[l], \hat{\mathbf{w}}_{j}=\mathbf{ext}(i_{j},\mathbf{w}_{j}^{*})\Leftrightarrow F_{b_{j},\phi_{\mathbf{w},j}}(\hat{\mathbf{w}}_{j})=\mathbf{ext}(i_{j}\oplus b_{j},\phi_{\mathbf{w},j}(\mathbf{w}_{j}^{*})) \\ \hat{\mathbf{upk}_{i}}=\mathbf{ext}(i_{l},\mathbf{upk}_{i}^{*})\Leftrightarrow F_{b_{l},\pi_{\mathbf{upk}_{i}}}(\hat{\mathbf{upk}_{i}})=\mathbf{ext}(i_{l}\oplus b_{l},\pi_{\mathbf{upk}_{i}}(\mathbf{upk}_{i}^{*})) \\ \hat{\mathbf{c}_{1,2}}=\mathbf{ext}(i_{l},\mathbf{c}_{1,2}^{*})\Leftrightarrow F_{b_{l},\pi_{\mathbf{c}_{1,2}}}(\hat{\mathbf{c}_{1,2}})=\mathbf{ext}(i_{l}\oplus b_{l},\pi_{\mathbf{c}_{1,2}}(\mathbf{c}_{1,2}^{*})) \end{aligned} \right. \end{aligned} $$

(8)

Let

$$\begin{aligned} \mathbf{z}=(\mathbf{u}_{1}^{*}\|\hat{\mathbf{u}}_{1}\|\hat{\mathbf{w}}_{1}\|\cdots\|\mathbf{u}_{l-1}^{*}\|\hat{\mathbf{u}}_{l-1}\|\hat{\mathbf{w}}_{l-1}\|\mathbf{upk}_{i}^{*}\|\hat{\mathbf{upk}_{i}}\|\\ \mathbf{c}_{1,2}^{*}\|\hat{\mathbf{c}_{1,2}}\|\hat{\mathbf{w}}_{l}\|\mathbf{usk}_{i}^{*}\|\mathbf{r}_{1}^{*}\|\cdots\|\mathbf{r}_{4}^{*}\|\mathbf{upk}'_{i1}\|\cdots\|\mathbf{upk}'_{ik}) \end{aligned} $$

then z∈{0,1}^{10kl+2m+16k−6}, the equation (4) can be unified into one equation A^′z=U mod q, where A^′,U could be obtained from the public parameters. Let VALID be the set of vectors in {0,1}^{10kl+2m+16k−6} that satisfy the relationship above, let $\bar {\mathcal {S}}=\mathcal {S}_{2k}^{2l-1}\times \mathcal {S}^{2}_{2k-1}\times \mathcal {S}_{2m}\times \mathcal {S}_{2l}^{4}\times \{0,1\}^{l}$ for any

$$\begin{aligned} \eta= & ((\phi_{\mathbf{u},1},\cdots,\phi_{\mathbf{u},l-1},\phi_{\mathbf{w},1},\cdots,\phi_{\mathbf{w},l}),\pi_{\mathbf{upk}_{i}},\\ & \pi_{\mathbf{c}_{1,2}},\pi_{\mathbf{usk}_{i}},(\pi_{r,1},\cdots,\pi_{r,4}),(b_{1},\cdots,b_{l}))\in\bar{\mathcal{S}} \end{aligned} $$

let Γ_η be the permutation for strings in {0,1}^{10kl+2m+16k−6}, then we have

$$ \mathbf{z}\in \mathbf{VALID} \Leftrightarrow \Gamma_{\eta}(\mathbf{z})\in \mathbf{VALID} $$

After that, we could utilize our protocol and the equal relationship above to proof that z∈VALID, and A^′z=U mod q. Let D=10kl+2m+16k−6, the protocol is presented in Algorithm 1, where the commitment $Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}$ is a string commitment scheme with properties of statistical hiding and computational binding (Kawachi et al. 2008).

Security analysis of the protocol

Theorem 4

Suppose that the commitment scheme used in this paper satisfies statistical hiding and computing binding, then our new zero knowledge protocol satisfies completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge.

Proof

Denote rsp=((com_I,w_I),(com_Ich,w_Ich),(rI′,r_Ich,x_I)), we prove completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge separately:

Completeness: Suppose that the prover and verifier have run each step of the protocol honestly, then $\mathbf {u}'=\mathbf {u} \wedge \hat {\mathbf {u}}'=\hat {\mathbf {u}}$ is true with overwhelming probability by the definition of TDA, and we have

$$ \mathbf{y}_{I}=\mathbf{A}'\mathbf{x}_{I}-ch\mathbf{U}\mod q=\mathbf{A}'\mathbf{r}_{I}+ch\mathbf{A}'\mathbf{z}-ch\mathbf{U}\mod q. $$

So if z is a solution to the instance (U,A^′), then U=A^′z mod q, which means that y=A^′r_I, and the completeness of the protocol follow from the binding of the commitment scheme.

(max(n,p)+1)-special soundness: If there are (max(n,p)+1) valid transcripts, the pigeon hole principle tells us that there are at least two accept transcripts with the same I and different ch. Suppose $\left ((\mathbf {u},\hat {\mathbf {u}}),(I,ch),\left ((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),\left (\mathbf {r}'_{I}, \mathbf {r}_{Ich},\mathbf {x}_{I}\right)\right)\right)$ and $((\mathbf {u},\hat {\mathbf {u}}),(I,ch'),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich'},w_{Ich'}), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I})))$ are two valid transcripts with ch≠ch^′, one can efficiently extract a collision of the hash function $h_{\mathbf {A}}\in \mathcal {H}$, a witness z such that U=A^′z by using the binding of the commitment scheme.

Suppose that ((aux_I,com_I),(I,ch),(rI′,r_Ich,x_I)) and $\phantom {\dot {i}\!}((\mathbf {aux}_{I},\mathbf {com}_{I}),(I,ch'), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I}))$ are two valid transcripts that are accepted by verifier. Let $\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {A}'\mathbf {x}_{I}-ch\mathbf {U}\mod q$ and $\phantom {\dot {i}\!}\mathbf {y}'_{I}=\mathbf {A}'\mathbf {x}'_{I}-ch'\mathbf {U}\mod q$, then we have $\phantom {\dot {i}\!}\mathbf {com}_{I}=\mathbf {Com}\left (\mathbf {y}_{I},\mathbf {r}'_{I}\right)=\mathbf {Com}\left (\mathbf {y}'_{I},\mathbf {r}'_{I}\right)$, so the binding of the commitment implies that $\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {y}'_{I}$, i.e. $\phantom {\dot {i}\!}\mathbf {A}'(\mathbf {x}_{I}-\mathbf {x}'_{I})=(ch-ch')\mathbf {U}$.

In addition, com_Ich=Com(r_I+chz mod q,r_Ich)=Com(x_I,r_Ich) and $\phantom {\dot {i}\!}\mathbf {com}_{Ich'}=\mathbf {Com}(\mathbf {r}_{I}+ch'\mathbf {z}\mod q,\mathbf {r}_{Ich'}) =\mathbf {Com}(\mathbf {x}'_{I},\mathbf {r}_{Ich'})$, so x_I=r_I+chz mod q and $\phantom {\dot {i}\!}\mathbf {x}'_{I}=\mathbf {r}_{I}+ch'\mathbf {z}\mod q$ by the binding of the commitment.

$$\left. \begin{aligned} \mathbf{y}_{I}=\mathbf{y}'_{I}\\ \mathbf{A}'\mathbf{x}_{I}-ch\mathbf{U}\mod q=\mathbf{y}_{I}\\ \mathbf{A}'\mathbf{x}'_{I}-ch'\mathbf{U}\mod q=\mathbf{y}'_{I}\\ \mathbf{x}_{I}=\mathbf{r}_{I}+ch\mathbf{z}\mod q\\ \mathbf{x}'_{I}=\mathbf{r}_{I}+ch'\mathbf{z}\mod q \end{aligned} \right\}\Longrightarrow \mathbf{x}_{I}-\mathbf{x}'_{I}=(ch-ch')\mathbf{z} $$

Then one can compute z efficiently as a solution of the instance (U,A^′).

Special honest-verifier zero knowledge: In this proof, we construct a PPT simulator $\mathcal {S}$ with inputs (U,A^′),{seed_i}_i∈[n] and (I,ch), it interacts with a (maybe dishonest) verifier and does the following things:

1.
Sample $\mathbf {r}'_{I}\stackrel {\$}{\leftarrow }\{0,1\}^{m}$, and compute r_I,r_Ich from seed_I.
2.
Compute com_I=Com(A^′r_I mod q,rI′) honestly, commit to random dummy values to calculate the commitments com_i≠I.
3.
Compute a vector z^′ by Gaussian elimination such that U=A^′z^′ mod q.
4.
Compute xI′=r_I+chz^′ mod q,com_Ich=Com(xI′,r_Ich), and commit to random dummy values to calculate the commitments com_ic for all i≠I and c≠ch.
5.
Run TDA(n,Bin(com_i)) for i∈[n],TDA(np,Bin(com_ic)) for $i\in [n], c\in \mathbb {Z}_{p}$, output the root u^′ and $\hat {\mathbf {u}}'$ respectively.
6.
Output the transcript $((\mathbf {u}',\hat {\mathbf {u}}'),(I,ch),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),(\mathbf {r}'_{I},\mathbf {r}_{Ich}, \mathbf {x}'_{I})))$.

It is clear that (rI′,r_Ich,xI′) and the corresponding real transcript are both uniformly distributed in {0,1}^2λ×{0,1}^D and hence follow the same distribution. (com_I,com_Ich) and the corresponding real transcript are statistical indistinguishable by the hiding property of the commitment. By the definition of the collision resistant hash function, both (w_I,w_Ich) and the corresponding real transcript are indistinguishable from uniform distribution, so (w_I,w_Ich) and the corresponding real transcript are indistinguishable. Because the commitments com_i,com_ic for all i≠I,c≠ch are never opened, $(\mathbf {u}',\hat {\mathbf {u}}')$ also follows from the hiding property of the commitment and the definition of the hash function. So, the transcript outputted by $\mathcal {S}$ and the real transcript of the protocol are computing indistinguishable. □

Conclusion

In this paper, we give a new ring-based fully dynamic group signature scheme with message-dependent opening. The efficiency of it is improved by an improved underlying zero knowledge proof of knowledge that has smaller soundness error than Stern-like protocol. This modification helps to bring down the communication complexity of the underlying zero knowledge protocol and hence the computational/space complexity of the group signature scheme. In addition, we add another participant - an admitter to our scheme to constrain the power of trace manager. The admitter could generate tokens with respect to messages by using its secret key such that the trace manager can only open signatures of messages specified by the admitter.

Availability of data and materials

Not applicable.

References

Beullens, W (2020) Sigma protocols for mq, pkp and sis, and fishy signature schemes. In: Canteaut A Ishai Y (eds)Proceedings of Conference EUROCRYPT: 10-14 May 2020, 183–211.. Springer, Zagreb.
Google Scholar
Bootle, J, Cerulli A, Chaidos P, Ghadafi E, Groth J (2016) Foundations of fully dynamic group signatures. In: Manulis M, Sadeghi A-R, Schneider S (eds)Proceedings of Conference ACNS: 19-22 June 2016, 117–136.. Springer, Guildford.
MATH Google Scholar
Brickell, E, Pointcheval D, Vaudenay S, Yung M (2000) Design validations for discrete logarithm based signature schemes. In: Imai H Zheng Y (eds)Proceedings of Conference PKC: 18-20 January 2000, 276–292.. Springer, Melbourne.
Google Scholar
Canetti, R, Halevi S, Katz J (2004) Chosen-ciphertext security from identity-based encryption. In: Cachin C Camenisch J (eds)Proceedings of Conference EUROCRYPT: 2-6 May 2004, 207–222.. Springer, Interlaken.
Google Scholar
Chaum, D, van Heyst E (1991) Group signatures. In: Davies DW (ed)Proceedings of Conference EUROCRYPT: 8-11 April 1991, 257–265.. Springer, Brighton.
Google Scholar
Gordon, SD, Katz J, Vaikuntanathan V (2010) A group signature scheme from lattice assumptions. In: Abe M (ed)Proceedings of Conference ASIACRYPT: 5-9 December 2010, 395–412.. Springer, Singapore.
Google Scholar
Hazay, C, Lindell Y (2010) Sigma protocols and efficient zero-knowledge In: Efficient Secure Two-Party Protocols. Information Security and Cryptography.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14303-8_6.
Chapter Google Scholar
Katsumata, S, Yamada S (2019) Group signatures without nizk: from lattice in the standard model. In: Ishai Y Rijmen V (eds)Proceedings of Conference EUROCRYPT: 19-23 May 2019, 312–344.. Springer, Darmstadt.
Google Scholar
Kawachi, A, Tanaka K, Xagawa K (2008) Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk J (ed)Proceedings of Conference ASIACRYPT: 7-11 December 2008, 372–389.. Springer, Singapore.
MATH Google Scholar
Laguillaumie, F, Langlois A, Libert B, Stehlé D (2013) Lattice-based group signatures with logarithmic signature size. In: Sako K Sarkar P (eds)Proceedings of Conference ASIACRYPT: 1-5 December 2013, 41–61.. Springer, Bengaluru.
Google Scholar
Langlois, A, Ling S, Nguyen K, Wang H (2014) Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk H (ed)Proceedings of Conference PKC: 26-28 March 2014, 345–361.. Springer, Buenos.
Google Scholar
Libert, B, Joye M (2014) Group signatures with message-dependent opening in the standard model. In: Benaloh J (ed)Proceedings of Conference CT-RSA: 25-28 February 2014, 286–306.. Springer, San Francisco.
Google Scholar
Libert, B, Ling S, Nguyen K, Wang H (2016) Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin M Coron J-S (eds)Proceedings of Conference EUROCRYPT: 8-12 May 2016, 1–31.. Springer, Vienna.
Google Scholar
Libert, B, Mouhartem F, Nguyen K (2016) A lattice-based group signature scheme with message-dependent opening. In: Manulis M, Sadeghi A-R, Schneider S (eds)Proceedings of Conference ACNS: 19-22 June 2016, 137–155.. Springer, Guildford.
Google Scholar
Ling, S, Nguyen K, Wang HX (2015) Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz J (ed)Proceedings of Conference PKC: 30 March-1 April 2015, 427–449.. Springer, Gaithersburg.
Google Scholar
Ling, S, Nguyen K, Wang H, Xu Y (2017) Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann D, Miyaji A, Kikuchi H (eds)Proceedings of Conference ACNS: 10-12 July 2017, 293–312.. Springer, Kanazawa.
Google Scholar
Lyubashevsky, V (2008) Lattice-based identification schemes secure under active attacks. In: Cramer R (ed)Proceedings of Conference PKC: 9-12 March 2008, 162–179.. Springer, Barcelona.
Google Scholar
Lyubashevsky, V (2012) Lattice signatures without trapdoors. In: Pointcheval D Johansson T (eds)Proceedings of Conference EUROCRYPT: 15-19 April 2012, 738–755.. Springer, Cambridge.
Google Scholar
Lyubashevsky, V, Micciancio D (2006) Generalized compact knapsacks are collision resistant. In: Bugliesi M, Preneel B, Sassone V, Wegener I (eds)Proceedings of Conference ICALP: 10-14 July 2006, 144–155.. Springer, Venice.
Google Scholar
Lyubashevsky, V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Gilbert H (ed)Proceedings of Conference EUROCRYPT: 30 May-3 June 2010, 1–23.. Riviera, Springer.
Google Scholar
Lyubashevsky, V, Peikert C, Regev O (2013) A toolkit for ring-lwe cryptography. In: Johansson T Q.Nguyen P (eds)Proceedings of Conference EUROCRYPT: 26-30 May 2013, 35–54.. Springer, Athens.
Google Scholar
Naor, M, Yung M (1990) Public-key cryptosystems provably secure against chosen ciphertext attacks In: Proceedings of the ACM Conference STOC: 1990, 427–437.. ACM DL, Baltimore.
Google Scholar
Ohara, K, Sakai Y, Emura K, Hanaoka G (2013) A group signature scheme with unbounded message-dependent opening In: Proceedings of the ACM Conference AsiaCCS: 2013, 517–522.. ACM DL, Hangzhou.
Google Scholar
Peikert, C (2016) A decade of lattice cryptography. Found Trends Theor Comput Sci 10:283–424.
Article MathSciNet Google Scholar
Peikert, C, Rosen A (2006) Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi S Rabin T (eds)Proceedings of Conference TCC: 4-7 March 2006, 145–166.. Springer, New York.
Google Scholar
Peikert, C, Rosen A (2007) Lattices that admit logarithmic worst-case to average-case connection factors In: Proceedings of the ACM Conference STOC: 11-13 June 2007, 478–487.. ACM DL, San Diego.
Google Scholar
Pointcheval, D, Stern J (1999) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396.
Article Google Scholar
Regev, O (2009) On lattices, learning with errors, random linear codes, and cryptography. J ACM 56:1–40.
Article MathSciNet Google Scholar
Sakai, Y, Emura K, Hanaoka G, Kawai Y, Matsuda T, Omote K (2012) Group signatures with message-dependent opening. In: Abdalla M Lange T (eds)Proceedings of Conference Pairing: 16-18 May 2012, 270–294.. Springer, Cologne.
Google Scholar
Stern, J (1996) A new paradigm for public key identification. IEEE Trans Inf Theory 42(6):1757–1768.
Article MathSciNet Google Scholar
Sun, Y, Liu Y (2020) A lattice-based fully dynamic group signature scheme without nizk In: Proceedings of Conference INSCRYPT: 11-14 December 2020.. Springer, Guangzhou.
Google Scholar
Sun, Y, Liu Y, Wu B (2019) An efficient full dynamic group signature scheme over ring. Cybersecurity 2(21). https://doi.org/10.1186/s42400-019-0037-8.

Download references

Acknowledgements

Not applicable.

Funding

This work was supported by the National Natural Science Foundation of China (Grant No.61932019, No.61772521, No.61772522) and the Key Research Program of Frontier Sciences, CAS (Grant No.QYZDB-SSW-SYS035).

Author information

Authors and Affiliations

State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Haidian District, Beijing, China
Yiru Sun & Yanyan Liu
School of Cyber Security, University of Chinese Academy of Sciences, Huairou District, China
Yiru Sun & Yanyan Liu
State Key Laboratory of Cryptology, P.O. Box 515, Xicheng District, Beijing, China
Yiru Sun & Yanyan Liu

Authors

Yiru Sun
View author publications
You can also search for this author in PubMed Google Scholar
Yanyan Liu
View author publications
You can also search for this author in PubMed Google Scholar

Contributions

The first author conceived the idea of the study and wrote the paper; all authors discussed the results and revised the final manuscript. Both authors read and approved the final manuscript.

Corresponding author

Correspondence to Yiru Sun.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Cite this article

Sun, Y., Liu, Y. An efficient fully dynamic group signature with message dependent opening from lattice. Cybersecur 4, 15 (2021). https://doi.org/10.1186/s42400-021-00076-8

Download citation

Received: 26 October 2020
Accepted: 01 February 2021
Published: 03 May 2021
DOI: https://doi.org/10.1186/s42400-021-00076-8

An efficient fully dynamic group signature with message dependent opening from lattice

Abstract

Introduction

Related work

Our contribution

Preliminaries

The background of lattice

Definition 1

Definition 2

Definition 3

Definition 4

Theorem 1

The sigma protocol

Definition 5

The dynamic algorithm of constructing lattice-based Merkle hash tree

Theorem 2

Syntax and security of fully dynamic group signature with message dependent opening

The definition of FDGS-MDO

Security of FDGS-MDO scheme

The lattice-based dynamic group signature scheme with message-dependent opening

The construction of the scheme

Analysis of the lattice-based FDGS-MDO scheme

Theorem 3

Lemma 1

Proof

Lemma 2

Proof

Lemma 3

Proof

Lemma 4

Proof

Lemma 5

Proof

The improved zero-knowledge protocol of knowledge

Details of the protocol

Security analysis of the protocol

Theorem 4

Proof

Conclusion

Availability of data and materials

References

Acknowledgements

Funding

Author information

Authors and Affiliations

Contributions

Corresponding author

Ethics declarations

Competing interests

Additional information

Publisher’s Note

Rights and permissions

About this article

Cite this article

Share this article

Keywords