An efficient fully dynamic group signature with message dependent opening from lattice
Cybersecurity volume 4, Article number: 15 (2021)
Abstract
Message-dependent opening is one of the solutions to the problem of the tracing manager owning excessive power. In this paper, we present a new lattice-based fully dynamic group signature scheme with message-dependent opening by combining an improved version of the fully dynamic group signature scheme proposed by Ling et al. and the double encryption paradigm. In addition, we propose an improved underlying zero-knowledge protocol with soundness error \(\frac {1}{\max (n,p)+1}\), which is better than that of the Stern-like protocol; this helps to bring down the communication complexity of the protocol and hence of the signature scheme. Our scheme constrains the power of group managers by adding an admitter, and the signature size has a logarithmic relationship with the group size.
Introduction
Related work
Since the concept of group signature was proposed in Chaum and van Heyst (1991), it has become an important primitive for realizing anonymous authentication. A group signature allows members of a group to sign messages on behalf of the group without revealing any information about the signer's identity. At the same time, the signature can be traced to the signer when it is in dispute. In other words, there is an authority in the scheme, called the trace manager GM_{trace}, who can de-anonymize the signature and trace it to the specific signer. But in many scenarios GM_{trace} is given too much power, as it can open all signatures whether the signer is valid or not. To solve this problem, Sakai et al. (2012) proposed an extension of group signatures that balances traceability and privacy, called group signature with message-dependent opening (GSMDO). In a GSMDO system there is another participant, named the admitter, and the trace manager GM_{trace} can open a signature only when it works with the admitter. To open a signature Σ of message M, the admitter first generates a token t_{M} with respect to M using its secret key and sends t_{M} to the trace manager GM_{trace}; then GM_{trace} uses its secret key and t_{M} to open the signature. That is, the trace manager GM_{trace} can only open the signatures of messages specified by the admitter. Subsequently, many other GSMDO schemes were proposed based on different assumptions, such as decision linear (DLIN) (Sakai et al. 2012), strong Diffie-Hellman (Ohara et al. 2013), Decision 3-party Diffie-Hellman (D3DH) (Libert and Joye 2014), learning with errors (LWE) and small integer solution (SIS) (Libert et al. 2016).
Lattice-based cryptography has attracted a lot of attention for its simple arithmetic operations and its potential to resist quantum attacks. However, compared with non-lattice-based cryptographic schemes, such as those based on DDH or factoring, the efficiency of lattice-based cryptographic schemes has not been resolved well. The first lattice-based static group signature scheme was given in Gordon et al. (2010); its security is proven in the RO model, and there is a linear relationship between signature size and group size N. Subsequently, the signature size was lowered to O(log N) in different manners (Laguillaumie et al. 2013; Ling et al. 2015), such as the bonsai tree (Langlois et al. 2014), the Merkle hash tree (Libert et al. 2016) and lattice-based accumulators (Ling et al. 2017). To further satisfy the requirements of real applications, dynamic registration and revocation of users can be realized efficiently (Ling et al. 2017) by combining the static group signature scheme in Libert et al. (2016) with the security model in Bootle et al. (2016). It includes an update algorithm for an accumulator constructed from a Merkle hash tree, and both the security and the signature size were improved compared with the scheme in Libert et al. (2016). However, the schemes above all follow the encryption-then-proof pattern and rely heavily on a zero-knowledge protocol in the proof process, which limits the improvement of efficiency and security. To break this bottleneck, there are currently two research lines. One is to try to remove the zero-knowledge proof protocol from the construction of group signature schemes, which is the research content of Katsumata and Yamada (2019): a lattice-based static group signature scheme without NIZK was proposed there, and it is proved secure in the standard model.
A natural question is whether it is possible to construct a lattice-based fully dynamic group signature scheme that is provably secure in the standard model. To address this, we proposed a construction in Sun and Liu (2020) and proved it secure in the standard model. The other line is to improve the efficiency of zero-knowledge proofs (Beullens 2020) and try to apply them to the construction of group signature schemes in the RO model. Our work in this paper gives a positive solution for the latter.
Our contribution
In this paper, we give a new fully dynamic group signature scheme over a ring with message-dependent opening (FDGSMDO) by combining an improved version of the fully dynamic group signature scheme in Ling et al. (2017) and the double encryption paradigm (Canetti et al. 2004), using the zero-knowledge proof of knowledge described below as the underlying protocol. Compared with the scheme in Sun et al. (2019), our scheme weakens GM_{trace}'s power by adding another participant, the admitter. Concretely, the admitter generates tokens with respect to messages by using its secret key, such that the trace manager can only open signatures of messages specified by the admitter. We also give an improved zero-knowledge proof of knowledge that has a smaller soundness error than the Stern-like protocol, and we use it as the underlying protocol to improve the efficiency of the scheme in Sun et al. (2019).
We give the specific construction and security analysis of our zero-knowledge proof of knowledge, which partially realizes the optimization idea in Beullens (2020). In Beullens (2020), it is necessary to first transform an instance of the SIS problem into an instance of the permuted kernel problem (PKP), and then prove knowledge of a solution by using a Σ-protocol for the latter, while in our work we omit this transformation. In addition, in order to reduce the communication complexity of our underlying protocol, the prover does not need to send all commitments \(\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}\) and {com_{i}}_{i∈[n]} to the verifier in the first round of our protocol. We build two Merkle hash trees with the commitments \(\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}\) and {com_{i}}_{i∈[n]} as leaves respectively, and send the roots u and \(\hat {\mathbf {u}}\) of the two trees to the verifier. In the third round of the protocol, the prover needs to send some additional messages to the verifier: the commitments com_{I},com_{Ich} for challenge (I,ch) and the witnesses w_{I},w_{Ich} that are needed to recompute the roots. The verifier needs to check whether the roots \(\mathbf {u}', \hat {\mathbf {u}}'\) it recomputes are consistent with \(\mathbf {u}, \hat {\mathbf {u}}\) received in the first round. Our protocol has a soundness error \(\frac {1}{\max (n,p)+1}\), which is better than the soundness error \(\frac {2}{3}\) of the Stern-like protocol. Given a security parameter λ, our protocol needs to be executed \(k'=\frac {\lambda }{\log (\max (n,p)+1)}\) times sequentially to realize a negligible soundness error 2^{−λ}, while the Stern-like protocol needs to be performed Θ(λ) times sequentially. So our protocol satisfies stronger soundness and effectively reduces the communication complexity of the protocol, thus bringing to the group signature scheme a stronger security property and a smaller signature size.
In the remainder of this paper, we start by reviewing some definitions and theorems used in the scheme, and the dynamic algorithm to construct the Merkle hash tree, in the “Preliminaries” section. In the “Syntax and security of fully dynamic group signature with message dependent opening” section, we present the syntax of the fully dynamic group signature scheme with message-dependent opening. The detailed construction of the scheme and its security analysis are presented in the “The lattice-based dynamic group signature scheme with message-dependent opening” section. Finally, we present the underlying zero-knowledge protocol and its security analysis in the “The improved zero-knowledge protocol of knowledge” section, and the conclusion in the “Conclusion” section.
Preliminaries
The background of lattice
In this section, we review some notations, definitions and theorems used for analysing our main results. Throughout this paper, we fix the security parameter λ, positive integers n=O(λ), p=O(λ), a prime modulus \(q=\tilde {O}(n^{1.5})\), \(k=n\lceil \log q\rceil, m=2k\), and \(R=\mathbb {Z}[x]/f(x), f(x)=x^{n}+1, R_{q}=R/qR\). Given vectors x=(x_{1},⋯,x_{m}), z=(z_{1},⋯,z_{m}) and an integer t, \(\|\mathbf {x}\|_{t}=\left (\sum _{i=1}^{m} |x_{i}|^{t}\right)^{\frac {1}{t}}\) denotes the t-norm of x, and (x∥z) is the concatenation of the two vectors.
Definition 1
(The ring-SVP and ring-SIVP problems) (Lyubashevsky et al. 2013) Given a ring R and γ≥1, the ring-SVP_{γ} problem is: given an ideal lattice \(\mathcal {I}\) over R, find a nonzero short vector \(\mathbf {x}\in \mathcal {I}\) such that \(\|\mathbf {x}\|_{\infty }\leq \gamma \cdot \lambda _{1}(\mathcal {I})\). The ring-SIVP_{γ} problem is defined similarly: find n independent elements (x_{1},⋯,x_{n}) in \(\mathcal {I}\) such that \(\|(\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\|_{\infty }\leq \gamma \cdot \lambda _{n}(\mathcal {I})\).
Definition 2
(The ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) problem) (Ling et al. 2015; Peikert 2016) Choose m elements \(a_{j}\overset {\$}{\leftarrow }R_{q}\) uniformly, let \(\mathbf {A}=(a_{1},\cdots,a_{m})\in R_{q}^{m}\) be the resulting random vector, and let β=poly(n) be a positive real number. The problem is to find a nonzero short vector \(\mathbf {z}=(z_{1},\cdots,z_{m})\in R^{m}_{q}, \|\mathbf {z}\|_{\infty }\leq \beta \), such that
Numerous studies (Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006; Peikert and Rosen 2007; Lyubashevsky 2008; Lyubashevsky 2012) have shown that if f(x) is an irreducible polynomial with integer coefficients, \(m>\frac {\log q}{\log (2\beta)}, \gamma =16mn\log ^{2} n, q\geq \frac {\gamma \sqrt {n}}{4\log n}\), then the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) is at least as difficult as the problem ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).
Definition 3
(The ring-LWE distribution) (Peikert 2016) Let \(s\in R_{q}\) be a secret element and let \(\mathcal {X}\) be the noise distribution in R_{q} with bound β. Choose \(a\overset {\$}{\leftarrow } R_{q}, e\overset {\$}{\leftarrow }\mathcal {X}\); then \(A_{s,\mathcal {X}}=(a,b=s\cdot a+e\mod q)\) is called the ring-LWE distribution in R_{q}×R_{q}.
Definition 4
(The decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem) (Lyubashevsky et al. 2010; Peikert 2016) Let n,m≥1, q≥2. Given m samples (a_{j},b_{j})∈R_{q}×R_{q} that are drawn from one of two distributions, \(A_{s,\mathcal {X}}\) or the uniform distribution in R_{q}×R_{q}, the decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is to distinguish which one the samples are from.
Theorem 1
(Lyubashevsky et al. 2010) Let \(q=1\mod 2n, \beta \geq \omega (\sqrt {n\log n}), \gamma =n^{2}(q/\beta)(nm/ \log (nm))^{1/4}\); then there is an error distribution \(\mathcal {X}\) with bound β such that the problem ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is at least as difficult as the problem ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).
The sigma protocol
Definition 5
(The Σ-protocol) (Hazay and Lindell 2010) Given an NP relation R=(x,w)∈{0,1}^{∗}×{0,1}^{∗}, a two-party interactive protocol 〈P,V〉 is called a Σ-protocol for relation R if it is a three-round public-coin protocol and satisfies the following requirements:
Completeness: For (x,w)∈R, if both prover P and verifier V follow this protocol, then Pr[〈P(x,w),V(x)〉=1]=1.
2-Special soundness: For any statement x, if there is an adversary \(\mathcal {A}\) that outputs with noticeable probability a pair of accepting transcripts (a,e,z) and (a,e^{′},z^{′}) with e≠e^{′}, then one can extract a witness w such that (x,w)∈R.
Special honest verifier zero knowledge: For (x,w)∈R, there is a PPT simulator \(\mathcal {S}\) that given the statement x and a random challenge e outputs a transcript (a,e,z) that is indistinguishable from the probability distribution of transcripts of honest executions of the protocol on input (x,w)∈R, i.e. \(\mathcal {S}(x,e)\approx \langle P(x,w),V(x,e)\rangle \).
The zero-knowledge protocol used in this paper satisfies completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge, which depend heavily on the security (statistical hiding and computational binding) of the commitment scheme that is used as a submodule in our zero-knowledge protocol. The detailed construction of our protocol and its security proof are given in the “The improved zero-knowledge protocol of knowledge” section.
The dynamic algorithm of constructing lattice-based Merkle hash tree
The security of the Merkle tree used in Sun et al. (2019) and of the one used here are both based on collision-resistant hash functions, whereas the size and depth of the former are fixed, and those of the latter increase with the registration of users. For any t∈ R_{q}, bin(t)∈{0,1}^{k} is its binary representation, let
then t=G·bin(t). Let \(\mathcal {H}=\{h_{\mathbf {A}}\mid \mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}\}\), where \(h_{\mathbf {A}}:\{0,1\}^{k}\times \{0,1\}^{k}\rightarrow \{0,1\}^{k}\) is a collision-resistant hash function based on the ring-SIS problem and \(\mathbf {A}=[\mathbf {A}_{0}\mid \mathbf {A}_{1}]\in R_{q}^{m}, \mathbf {A}_{0},\mathbf {A}_{1}\overset {\$}{\leftarrow } R_{q}^{k}\) is an instance of the ring-SIS_{m,q,1} problem. For arbitrary (u_{0},u_{1})∈{0,1}^{k}×{0,1}^{k}, we have
so the following equivalent relationship is true,
Suppose that there is a PPT adversary who can give two different u≠u^{′} such that h_{A}(u)=h_{A}(u^{′}); then we have Au mod q=Au^{′} mod q, i.e. A(u−u^{′})=0 mod q. Since u≠u^{′}, we have u−u^{′}≠0 and ∥u−u^{′}∥_{∞}≤1, so u−u^{′} is a solution to the ring-SIS_{m,q,1} problem.
Let \(\mathcal {H}=\{h_{\mathbf {A}}\mid \mathbf {A}\in R_{q}^{m}\}\). We give the following specific description of the dynamic updating algorithm TDA(t,d^{∗}), which constructs and updates the Merkle tree that is used to record the registered users and partial group information in this paper:
TSetup: Initialize the Merkle tree as a tree with depth 1, the values of the leaves are 0, and its root is u. Let t denote the number of legal members in the group.
TJoin: Search for the first leaf with value 0 among all leaves, and assume that its index is i≤t. If there is no such leaf, include a tree of depth j=⌈logt⌉ whose leaves are all 0 into the original one, and take its root u^{′} and the root u of the original tree as the two inputs of the hash function to compute a new root u_{new}=h_{A}(u,u^{′}) of the new Merkle tree. For any i∈[2^{j+1}], we have |bin(i)|=j+1.
TUpdate: Let u_{j+1}=d^{∗} denote the value of the leaf corresponding to the ith user, let bin(i−1)=(i_{1},⋯,i_{j+1}) be the binary description of the integer i−1, and let its witness be w=(bin(i−1),(w_{j+1},⋯,w_{1})). Update the values of the nodes recursively on the path u_{j},⋯,u_{0} from the leaf u_{j+1} to the root u, then output the witness w and a new root u_{new}, where w_{j+1},⋯,w_{1} and u_{j},⋯,u_{0} satisfy the following relationship
Let u_{new}=u_{0} be the new root of the Merkle tree.
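The dynamic tree described above, together with the root-and-witness check that the underlying protocol also relies on for its two commitment trees, as an added example that is not code from the paper. It works over plain Z_q rather than R_q with toy parameters, assumes the usual form h_A(u_0,u_1)=bin(A_0·u_0+A_1·u_1 mod q) for the hash, and uses 0-based leaf indices; all class and function names are illustrative.

```python
import random

# Toy parameters, constructed for illustration and far too small to be secure.
N, Q = 4, 257
LOGQ = (Q - 1).bit_length()          # ceil(log2 q) = 9
K = N * LOGQ                         # k = n * ceil(log q)
ZERO = (0,) * K                      # leaf value 0^k: free or revoked slot

_seed = random.Random(2021)          # fixed seed so that A is reproducible
A = [[_seed.randrange(Q) for _ in range(2 * K)] for _ in range(N)]  # A = [A0 | A1]


def bin_vec(t):
    """bin(t): bit decomposition of a vector t in Z_q^n, giving k bits."""
    return tuple((x >> b) & 1 for x in t for b in range(LOGQ))


def h(u0, u1):
    """Assumed form of h_A: bin(A0*u0 + A1*u1 mod q), {0,1}^k x {0,1}^k -> {0,1}^k."""
    u = u0 + u1
    return bin_vec([sum(a * b for a, b in zip(row, u)) % Q for row in A])


def user_keygen(rng):
    """UKeyGen: usk in {0,1}^m with m = 2k, upk = bin(A * usk mod q)."""
    usk = tuple(rng.randrange(2) for _ in range(2 * K))
    return h(usk[:K], usk[K:]), usk


class DynamicTree:
    def __init__(self):
        # TSetup: depth-1 tree whose two leaves are 0.
        self.levels = [[ZERO, ZERO], [h(ZERO, ZERO)]]

    @property
    def root(self):
        return self.levels[-1][0]

    def _grow(self):
        # Attach an all-zero tree of the same depth; new root = h_A(u, u').
        z = ZERO
        for lvl in self.levels:
            lvl.extend([z] * len(lvl))
            z = h(z, z)
        self.levels.append([h(*self.levels[-1])])

    def update(self, i, value):
        # TUpdate: set leaf i and recompute only its path to the root, O(log t).
        self.levels[0][i] = value
        for d in range(1, len(self.levels)):
            i >>= 1
            below = self.levels[d - 1]
            self.levels[d][i] = h(below[2 * i], below[2 * i + 1])
        return self.root

    def join(self, upk):
        # TJoin: take the first leaf holding 0, growing the tree if none is free.
        if ZERO not in self.levels[0]:
            self._grow()
        i = self.levels[0].index(ZERO)
        self.update(i, upk)
        return i

    def revoke(self, i):
        # Revocation is TUpdate with the value 0^k.
        self.update(i, ZERO)

    def witness(self, i):
        # Sibling values on the path from leaf i up to (not including) the root.
        return [lvl[(i >> d) ^ 1] for d, lvl in enumerate(self.levels[:-1])]


def verify(root, i, leaf, wit):
    """Recompute the root from (leaf, index bits, siblings); the 0^k leaf is rejected."""
    if leaf == ZERO:
        return False
    node = leaf
    for d, sib in enumerate(wit):
        node = h(sib, node) if (i >> d) & 1 else h(node, sib)
    return node == root


if __name__ == "__main__":
    rng = random.Random(7)
    tree = DynamicTree()
    upks = [user_keygen(rng)[0] for _ in range(3)]
    slots = [tree.join(u) for u in upks]          # the third join grows the tree
    print("slots:", slots, "leaves:", len(tree.levels[0]))
    stale = tree.witness(1)
    tree.revoke(1)
    print("revoked user still verifies:", verify(tree.root, 1, upks[1], stale))
```

With this hash an all-zero tree has root 0^k, so attaching an empty subtree costs one hash evaluation per level.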
Given the variable t, the computational complexity of algorithm TUpdate(t,d^{∗}) is O(logt), and it satisfies the following property
Theorem 2
Suppose that the problem ring-\(\mathbf {SIS}^{\infty }_{m,q,\beta }\) is difficult, let R^{′}={d_{0},⋯,d_{t}} be the set of the leaves related to users who have been registered, then the algorithm TDA(t,d^{∗}) is secure. And given a negligible function negl(λ), for any PPT adversary \(\mathcal {A}\), the following inequality is true
Syntax and security of fully dynamic group signature with message dependent opening
Different from the general group signature scheme, there are four participants in a fully dynamic group signature scheme with message-dependent opening (FDGSMDO):
The group manager (GM_{update}): responsible for updating the group information and for the registration and revocation of users.
The admitter (AM): responsible for generating a token t_{M} that specifies that the signatures associated with message M may be opened.
The trace manager (GM_{trace}): given a signature and a token t_{M}, GM_{trace} is responsible for tracing the identity of the signer when there is a dispute.
The users: who usually act as a signer to sign messages or as a verifier to verify signatures.
The definition of FDGSMDO
A fully dynamic group signature scheme with message-dependent opening consists of the following polynomial-time algorithms:
GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): On input the security parameter λ, this algorithm outputs the public parameter pp, the group public key gpk=(pp,mpk,opk), the group secret key msk of GM_{update}, the tracing secret key osk of GM_{trace} and the secret key tsk of AM. GM_{update} initializes the registration list reg and the group information info as ∅, and we assume that they can only be edited by a party knowing msk.
UKeyGen(pp)→(upk,usk): Given the public parameter pp, this algorithm outputs a user’s key pair (upk,usk).
〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: This algorithm is an interactive protocol between a user and the group manager GM_{update}. Assume that the newly registered user is the tth member in the group; the user becomes a legitimate member of the group if the algorithm goes well, and the Join algorithm sets its signing secret key gsk=(bin(t−1),upk_{t},usk_{t}). For the Issue algorithm, GM_{update} runs the algorithm TDA(t,upk_{t}) to update the Merkle hash tree, the group information info_{τ}, and the registered user list reg.
\(\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, for any i∈S, the group manager GM_{update} runs algorithm TUpdate(bin(i−1),0^{k}) to update the Merkle hash tree, the registered user list reg and the group information \(\mathbf {info}_{\tau _{new}}\).
Sign(gpk,gsk_{i},info_{τ},M)→Σ: On input the group public key gpk and the group information info_{τ}, this algorithm outputs a signature Σ on a message M signed by the user corresponding to the ith leaf at τ, or an error symbol ⊥ if the user is illicit at τ, i.e. the user has not been registered or has been revoked at τ.
Verify(gpk,Σ,info_{τ},M)→0/1: Verify the signature Σ and output 1 if it is valid, otherwise output 0.
TrapGen(gpk,tsk,M,reg,info_{τ})→t_{M}: This algorithm is operated by the admitter AM; it outputs a token t_{M} for the corresponding message M.
Trace(gpk,osk,t_{M},M,Σ,reg,info_{τ})→(b^{′},Π_{trace}): This algorithm is operated by the trace manager GM_{trace}; it outputs the public key b^{′} of the signer who signed the message M at τ and generates a proof for this fact if the signature Σ is valid. Otherwise it outputs ⊥.
Judge(gpk,b^{′},M,Π_{trace},Σ,info_{τ})→0/1: Verify the proof Π_{trace} generated by the trace manager GM_{trace}, and output 1 if it is valid, otherwise output 0.
To verify whether the signer is legitimate, i.e. the signer has registered and has not been revoked when it signs a message M at τ, the group manager verifies whether the value of the leaf corresponding to this signer is nonzero. To avoid leaking any information about the signer’s identity, we use the extension-permutation technique (Libert et al. 2016) to hide it. In other words, suppose that the binary representation of the value of the leaf corresponding to the signer is bin(d_{i})=(d_{i1},d_{i2},⋯,d_{ik}), i∈[t]; choose a vector \(\mathbf {a}\overset {\$}{\leftarrow }\{0,1\}^{k-1}\) such that the Hamming weight of d_{i}^{′}=(bin(d_{i})∥a)∈{0,1}^{2k−1} is k. Given a random permutation \(\pi _{2k-1}\in \mathcal {S}_{2k-1}=\{\pi _{2k-1}\mid \pi _{2k-1}\) is a random permutation of elements in {0,1}^{2k−1}}, the Hamming weight of π_{2k−1}(d_{i}^{′}) is k if and only if d_{i}≠0.
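The extension-permutation step above as an added example (not code from the paper; function names are illustrative): the padding exists exactly when the leaf is nonzero, and the permuted vector shows a verifier nothing but its weight.

```python
import random
from itertools import product


def extend(d_bits, rng):
    """Return d' = (bin(d) || a) of length 2k-1 and Hamming weight k, or None if d = 0^k."""
    k = len(d_bits)
    need = k - sum(d_bits)               # ones that the padding a must supply
    if need > k - 1:                     # a has only k-1 positions: fails iff d = 0^k
        return None
    a = [1] * need + [0] * (k - 1 - need)
    rng.shuffle(a)                       # position of the ones inside a is random
    return list(d_bits) + a


def permute(vec, rng):
    """Apply a fresh random permutation to the 2k-1 positions."""
    pi = list(range(len(vec)))
    rng.shuffle(pi)
    return [vec[j] for j in pi]


def looks_valid(masked, k):
    """Verifier-side check: a bit string of length 2k-1 with weight exactly k."""
    return len(masked) == 2 * k - 1 and set(masked) <= {0, 1} and sum(masked) == k


def check_all(k, seed=1):
    """Exhaustively confirm for small k: a valid masked vector exists iff d != 0^k."""
    rng = random.Random(seed)
    for d in product((0, 1), repeat=k):
        ext = extend(d, rng)
        if any(d):
            if ext is None or ext[:k] != list(d):
                return False
            if not looks_valid(permute(ext, rng), k):
                return False
        elif ext is not None:
            return False
    return True


if __name__ == "__main__":
    print("k = 5, iff property holds:", check_all(5))
```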
Security of FDGSMDO scheme
A fully dynamic group signature scheme needs to satisfy the following properties: correctness, anonymity against admitter, anonymity against opener, non-frameability, traceability, and tracing soundness. Before the specific description, we first give a brief description of the oracles and special symbols used in the proof. HUL is the set of honest users whose secret keys are generated honestly. BUL is the set of users whose signing secret keys are sent to the adversary. CUL is the set of users whose public keys are chosen by the adversary. SL is the set of signatures generated by the oracle Sign. CL is the set of signatures generated by the oracle Chal_{b}, and TL is the set of tokens generated by the oracle Chal_{b}. The oracles used in the proof are as follows:
AddU(i): Add an honest user i into the set HUL at time τ.
CreU(i,upk_{i}): Create a new user i whose public key upk_{i} is chosen by the adversary; it is invoked in the oracle SenToM.
SenToM(i,M_{in}): It is used to run the algorithm Join, on behalf of a corrupt user, together with the honest group manager GM_{update}.
SenToU(i,M_{in}): It is used to run the algorithm Join, on behalf of the corrupt group manager GM_{update}, together with a legitimate user i.
RReg(i): Return the registration information reg_{i} of user i.
MReg(i,ρ): Change the registration information reg_{i} of user i into ρ.
RevealU(i): Return the signing secret key gsk_{i} of user i to the adversary, and add i to the set BUL.
Sign(i,M,τ): Return a signature on a message M signed by user i at time τ, and add this signature to the set SL.
Chal_{b}(info_{τ},i_{0},i_{1},M): For any b∈{0,1}, return the signature on a message M signed by user i_{b} at time τ, and add this signature to the set CL. This requires that the users i_{0},i_{1} are both legitimate at time τ, and this oracle can be invoked only once.
Trace(info_{τ},Σ,M): Return the signer of a signature Σ signed at time τ and a proof of this fact, which requires that the signature Σ∉CL.
TrapGen(info_{τ},M): Return a token of the message M generated at time τ, which requires that the message M∉TL.
UpdateG(S,τ): It allows the adversary to update some information about the group at time τ, which requires that each element in S is a legitimate user’s public key at time τ.
IsActive(info_{τ},reg,i): Return 1 if and only if the user i is a legitimate member of the group at time τ, otherwise return 0.
Correctness: This property means that if the signer signs a message M honestly, the algorithm Verify always outputs 1. With a token t_{M} output by the algorithm TrapGen, the trace manager GM_{trace} can trace the identity of the signer by the algorithm Trace, and generates a proof Π_{trace} accepted by the algorithm Judge.
Anonymity against admitter: For any PPT adversary \(\mathcal {A}\), this property means that it is impossible to distinguish signatures generated by two legitimate users with a non-negligible probability, even though the adversary \(\mathcal {A}\) could learn the secret key msk of GM_{update} and the secret key tsk of AM, corrupt any user, and is given access to the oracle Trace. Given a negligible function negl(λ), an FDGSMDO scheme is anonymous against admitter for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{DGSMDO,\mathcal {A}}^{anonAb}(\lambda)=1]\leq negl(\lambda)\).
Anonymity against opener: For any PPT adversary \(\mathcal {A}\), this property means that it is impossible to distinguish signatures generated by two legitimate users with a non-negligible probability, even though the adversary \(\mathcal {A}\) could learn the secret key msk of GM_{update} and the secret key tsk of AM, corrupt any user, and is given access to the oracle TrapGen. Given a negligible function negl(λ), an FDGSMDO scheme is anonymous against opener for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{DGSMDO,\mathcal {A}}^{anonOb}(\lambda)=1]\leq negl(\lambda)\).
Non-frameability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to a legitimate user is negligible, even though the adversary \(\mathcal {A}\) could learn the secret keys of GM_{update} and GM_{trace}, and corrupt some of the users. Given a negligible function negl(λ), an FDGSMDO scheme satisfies non-frameability for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{unforge}(\lambda)=1]\leq negl(\lambda)\).
Traceability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to an illicit user is negligible, even though the adversary \(\mathcal {A}\) could learn the secret key of GM_{trace} and corrupt some of the users. Given a negligible function negl(λ), an FDGSMDO scheme is traceable for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)\).
Tracing soundness: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to two different users is negligible, even though the adversary \(\mathcal {A}\) could learn the secret keys of GM_{update} and GM_{trace}, and corrupt some of the users. Given a negligible function negl(λ), an FDGSMDO scheme satisfies tracing soundness for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{tracesound}(\lambda)=1]\leq negl(\lambda)\).
The lattice-based dynamic group signature scheme with message-dependent opening
The construction of the scheme
By using the dynamic algorithm to construct the Merkle hash tree and the formal definition of the fully dynamic group signature scheme with message-dependent opening, the specific construction of the scheme in this paper is defined as follows:
GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): Given the security parameter λ, let t>0 denote the number of registered users, l=⌈logt⌉, n=O(λ), p=O(λ), prime modulus \(q=\tilde {O}(n^{1.5}), k=n\lceil \log q\rceil, m=2k\), real integer \(\beta >0\), \(\mathcal {X}\) is the noise distribution bounded by β in R, \(H:\{0,1\}^{*}\rightarrow \{0,1\}^{k'}\) is a hash function for the FS transformation, \(H':\{0,1\}^{*}\rightarrow \mathcal {X}^{k}\) is a collision-resistant hash function, and \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}\) is a string commitment scheme with the properties of statistical hiding and computational binding (Kawachi et al. 2008). Let \(\mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}, \mathbf {B}\overset {\$}{\leftarrow } R_{q}^{k}\). GM_{update} chooses \(\mathbf {msk}\overset {\$}{\leftarrow }\{0,1\}^{m}\), computes mpk=A·msk, and initializes the registration list reg and the group information info as ∅. GM_{trace} chooses \(\mathbf {S}_{1},\mathbf {S}_{2}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{1},E_{2}\overset {\$}{\leftarrow }\mathcal {X}\), and computes \(P_{1}=\mathbf {S}_{1}^{\top }\mathbf {B}+E_{1}\in R_{q}, P_{2}=\mathbf {S}_{2}^{\top }\mathbf {B}+E_{2}\in R_{q}\). AM chooses \(\mathbf {S}_{3},\mathbf {S}_{4}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{3},E_{4}\overset {\$}{\leftarrow }\mathcal {X}\). Set GM_{trace}’s key pair (opk,osk)=(P_{1},(S_{1},E_{1})), GM_{update}’s key pair (mpk,msk), and AM’s secret key tsk=(S_{3},E_{3}). Finally, the algorithm outputs the public parameter \(pp=(\lambda,n,p,q,k,m,\beta,\mathcal {X},H,Com,\mathbf {A},\mathbf {B})\) and the group public key gpk=(pp,mpk,opk,tpk).
UKeyGen(pp)→(upk,usk): The user chooses \(\mathbf {usk}\overset {\$}{\leftarrow } \{0,1\}^{m}\) uniformly as its secret key, and computes the related public key upk=bin(A·usk mod q), where upk∈{0,1}^{k}.
〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: Assume that the newly registered user is the tth member in the group, and the user sends its public key upk to the group manager GM_{update}, and if this algorithm goes well, the latter searches and denotes the first nonzero leaf as t^{′} if he approves the user’s application. Let \(\mathbf {upk}_{t'}=\mathbf {upk}, \mathbf {reg}_{t'}=\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ]\), where τ is the time the user registered. GM_{update} includes \(\mathbf {reg}_{t'}\) into the registration list \(\mathbf {reg}:=(\mathbf {reg}_{1}[\mathbf {upk}_{1}][\tau ],\cdots,\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ],\cdots,\mathbf {reg}_{t} [\mathbf {upk}_{t}][\tau ])\). Then GM_{update} runs the algorithm \(\mathbf {TDA}(\mathbf {bin}(t'),\mathbf {upk}_{t'})\) to update the Merkle tree, outputs the group information \(\mathbf {info}_{\tau }=(\mathbf {u},\{\mathbf {w}_{j}\}_{i_{j}})\), where u is the root and \(\{\mathbf {w}_{j}\}_{i_{j}}\) are the witnesses of all legal users, and updates the counter of registered users t=t+1. Let \(\mathbf {usk}_{t'}=\mathbf {usk}\); the user sets \(gsk_{t'}=(\mathbf {bin}(t'-1),\mathbf {upk}_{t'},\mathbf {usk}_{t'})\) as its signing secret key.
\(\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, that is, the set of public keys of group members who are to be revoked, if \(S=\{\mathbf {upk}_{i_{1}},\cdots,\mathbf {upk}_{i_{r}}\}\) is not empty, where r≥1, i_{j}∈[t], j∈[r], then for every \(j\in [r], \mathbf {upk}_{i_{j}}\in S\), GM_{update} runs the algorithm TUpdate in TDA(bin(i_{j}−1),0^{k}) to update the Merkle hash tree, then updates the registration list reg: it changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}}[0^{k}][\tau _{new}]\) if \(\mathbf {upk}_{i_{j}}\in S\), and otherwise changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}} [\mathbf {upk}_{i_{j}}][\tau _{new}]\). Finally it outputs the new group information \(\mathbf {info}_{\tau _{new}}=(\mathbf {u}_{new},\{\mathbf {w}_{j}\}_{i_{j}})\), which consists of a new root u_{new} and the witnesses \(\{\mathbf {w}_{j}\}_{i_{j}}\) of \(\mathbf {upk}_{i_{j}}\), and updates the counter of legitimate users t=t−r. So, the leaves with value 0^{k} in the Merkle tree correspond to the potential users who have not been registered or those who have been revoked.
Sign(gpk,gsk_{i},info_{τ},M)→Σ: To sign a message M at τ by using the group information info_{τ}, the user related to the ith leaf first verifies whether there is a witness of bin(i−1) in info_{τ}; if not, return ⊥.
Otherwise, the user sends M to AM, receives \(P_{3}=\tilde {\mathbf {S}}_{3}^{\top }\mathbf {B}+E_{3}\) and \(P_{4}=\tilde {\mathbf {S}}_{4}^{\top }\mathbf {B}+E_{4}\) from it, where \(\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M), \tilde {\mathbf {S}}_{4}=H'(\mathbf {S}_{4}\|M)\), and obtains (bin(i−1),(w_{l},⋯,w_{1})) from info_{τ} to do the following: Choose random strings \(\mathbf {r}_{1},\mathbf {r}_{2},\mathbf {r}_{3},\mathbf {r}_{4}\overset {\$}{\leftarrow }\{0,1\}^{k}\); the user encrypts the vector upk_{i} by making use of the double-encryption paradigm (Naor and Yung 1990) and the RLWE-based encryption scheme (Regev 2009; Lyubashevsky et al. 2013) to obtain the ciphertexts,
Then encrypt ciphertext c_{1,2} by using a method similar to the one above to obtain the ciphertexts,
Finally, the signer generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) Π_{sign} for: (1) It has a legitimate witness ζ=(usk_{i},upk_{i},bin(i),w_{l},⋯,w_{1},r_{1},⋯,r_{4}) such that the signer is a legitimate member of the group, i.e. upk_{i}≠0^{k}, and the values of the nodes on the path from the leaf corresponding to the user to the root are all correct. (2) (usk_{i},upk_{i}) is a valid public-private key pair. (3) (c_{1},c_{2}) are two legitimate ciphertexts of upk_{i}. (4) (c_{3},c_{4}) are two legitimate ciphertexts of c_{1,2}.
Output the signature Σ=(c_{1,1},c_{2},c_{3},c_{4},Π_{sign}). The NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. runs the underlying protocol \(k'=\lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\rceil \) times sequentially to obtain a negligible soundness error 2^{−λ}, and the transcript is \(\Pi _{sign}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)\), where
Verify(gpk,Σ,info_{τ},M)→0/1: The verifier obtains the root u_{τ} of the Merkle hash tree at τ from the group information info_{τ}, and checks whether the predicted challenge ch is correct, outputting 0 if not. Otherwise it verifies the response rsp_{j} corresponding to \((\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\) and ch_{j} for each j∈[k^{′}], and outputs 1 if everything is correct, otherwise outputs 0.
TrapGen(gpk,tsk,M,reg,info_{τ})→t_{M}: If a token t_{M} for message M was already queried, answer consistently. Otherwise, compute \(\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M)\), let \(\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3})\), and output t_{M}.
Trace(gpk,osk,t_{M},M,Σ,reg,info_{τ})→(b^{′},Π_{trace}): Firstly, the trace manager GM_{trace} uses the token t_{M} to decrypt the ciphertext c_{3} to get c′_{1,2}, i.e. computes \(\mathbf {c}'_{1,2}=\left \lfloor \frac {(\mathbf {c}_{3,2}-\tilde {S}_{3}^{\top }\cdot c_{3,1})}{q/2}\right \rceil \in \{0,1\}^{k}\), and the ciphertexts c_{2} and c_{4} are only used in our proof. Let \(c^{\prime }_{1,1}=c_{1,1}\), then GM_{trace} uses its tracing secret key osk to decrypt the ciphertext c′_{1}=(c′_{1,1},c′_{1,2}) and computes \(\mathbf {b}'=\left \lfloor \frac {(\mathbf {c}'_{1,2}-S_{1}^{\top }\cdot c'_{1,1})}{q/2}\right \rceil \in \{0,1\}^{k}\). If there is not a witness of b^{′} in info_{τ} or b^{′}=0^{k}, output ⊥. Then GM_{trace} generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) Π_{trace} for the fact that the user corresponding to b^{′} really generated a signature Σ on message M at τ. In other words, the trace manager GM_{trace} should prove that he has \(\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3}), \mathbf {S}_{1},\tilde {\mathbf {S}}_{3}\in R_{q}^{k}, E_{1},E_{3}\in R_{q}, \mathbf {y}_{1},\mathbf {y}_{3}\in R_{q}^{k}\), such that
Similarly, the NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. GM_{trace} runs the underlying protocol \(k'=\left \lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\right \rceil \) times sequentially to obtain a negligible soundness error 2^{−λ}, and the transcript is \(\Pi _{trace}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)\), where \(\mathbf {ch}\in ([n]\times \mathbb {Z}_{p})^{k'}\),
Finally, this algorithm outputs (b^{′},Π_{trace}).
Judge(gpk,b^{′},M,Π_{trace},Σ,info_{τ})→0/1: Verify the proof Π_{trace} and output 1 if it is true, otherwise output 0.
Finally, a timestamp τ is given to each member in the group. The group manager GM_{update} updates the group information info_{τ} whenever a new user registers or a legitimate member is revoked, which means that a user cannot sign a message M before registration or after revocation. Given a group information info_{τ}, we can determine the timestamp τ uniquely, and vice versa. For any two timestamps τ_{1}<τ_{2}, the group information \(\mathbf {info}_{\tau _{1}}\) is published earlier than \(\mathbf {info}_{\tau _{2}}\).
Analysis of the lattice-based FDGSMDO scheme
In our scheme, it is not necessary to reserve a large storage space for the Merkle tree before a signature is generated; we only need to extend or update the Merkle hash tree when a user registers or is revoked. Compared with the scheme in Ling et al. (2017), our work could save considerable storage space, and there is also no upper bound on the size of the group as long as the storage space allows. In addition, the fact that the scheme is implemented over a ring could help to reduce its computational complexity and space complexity (Table 1).
Complexity: Given a security parameter λ, the number of legitimate users t, \(l=\lceil \log t\rceil, n=O(\lambda), q=\tilde {O}(n^{1.5})=\tilde {O}(c\lambda ^{1.5})\) with a constant c, k=n⌈logq⌉=O(λ logλ). Then the size of the group public key gpk=(pp,mpk,opk,tpk) is |gpk|=O(nk)+k+O(k^{2})=O((λ logλ)^{2}), the size of the signing secret key gsk_{i}=(bin(i),upk_{i},usk_{i}) is \(|gsk_{i}|=l+3k=l+O(\lambda \log \lambda)=l+\tilde {O}(\lambda)\), and the size of the signature Σ=(c_{1,1},c_{2},c_{3},c_{4},Π_{sign}) is
The soundness error of our underlying protocol is \(\frac {1}{\max {(n,p)}+1}\), so we need to perform the protocol \(\frac {\lambda }{\log (\max (n,p)+1)}\) times sequentially to reach a negligible soundness error 2^{−λ}, and the generated group signature size is O(lλ^{2}). To reach the same soundness error, the underlying protocol in Ling et al. (2017) needs to be executed Θ(λ) times sequentially, and the corresponding group signature size would be \(\tilde {O}(l\lambda ^{2})\). Let the upper bound on the size of the group in Ling et al. (2017) and that in our work be the same and denoted by N, and let l= logN. Then the expected computational complexity of realizing dynamic registration and revocation for the counterpart of the scheme in Ling et al. (2017) over a ring is O(l), and that of our work is roughly \(\frac {1}{2}O(l)\), so the expected computational complexity drops by almost half. Correspondingly, the space complexity is reduced by the same magnitude.
The security of the fully dynamic group signature scheme presented in this paper satisfies some security requirements given in Bootle et al. (2016): correctness, anonymity, non-frameability, traceability, and tracing soundness.
Correctness: Now, we give a specific description of the correctness of our scheme according to the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature Σ=(c_{1,1},c_{2},c_{3},c_{4},Π_{sign}) is generated by a legitimate user, then the perfect completeness of the underlying protocol lets the signature Σ pass the verification of the algorithm Verify. The algorithm Trace takes the token t_{M} output by the algorithm TrapGen as one of its inputs to decrypt the ciphertext c_{3} and obtain c_{1,2}, then lets c_{1}=(c_{1,1},c_{1,2}), uses its secret key osk to decrypt c_{1}, and outputs the user public key b^{′}=upk_{i} with probability close to 1 together with a proof Π_{trace} accepted by Judge. To decrypt a ciphertext, we need to compute \(\mathbf {e}_{1}=\mathbf {c}_{3,2}-\tilde {\mathbf {S}}_{3}^{\top }c_{3,1}=E_{3}\cdot \mathbf {r}_{3}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {c}_{1,2}\mod q\) and \(\mathbf {e}_{2}=\mathbf {c}_{1,2}-\mathbf {S}_{1}^{\top }c_{1,1}=E_{1}\cdot \mathbf {r}_{1}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {upk}_{i}\mod q\), and for s=1,2, let b′_{s}=(b′_{s,1},⋯,b′_{s,l}),e_{s}=(e_{s,1},⋯,e_{s,l}), for any j∈[l],
Note that \(\|E_{s'}\cdot \mathbf {r}_{s'}\|_{\infty }<\frac {q}{5}\) for s^{′}=1,3, so b′_{1}=c_{1,2},b′_{2}=upk_{i} with overwhelming probability. Furthermore, because the user corresponding to upk_{i} is legitimate, the witness w=(bin(i−1),w_{l},⋯,w_{1}) is included in the group information info_{τ}, and the value of the related leaf is not 0^{k}. So, the algorithm Trace could always obtain a tuple (S_{1},E_{1},y,t_{M}) that satisfies the requirement. Finally, because the proof Π_{trace} has perfect completeness, the algorithm Judge outputs 1 with probability 1.
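The two-layer decryption performed by Trace, and the reason a token for one message does not open a signature on another, can be seen in the following added example (not code from the paper). It assumes a toy plain-LWE analogue over integer matrices instead of the ring R_q, toy parameters, SHAKE-256 standing in for H′, a bit decomposition of c_{1,2} before the outer encryption, and it omits c_{2}, c_{4} and both NIZKAoKs.

```python
import hashlib
import random

Q = 3329                   # toy modulus (assumption, not the paper's parameters)
N, COLS = 8, 16            # toy dimensions of the public matrix B
K, LOGQ = 8, 12            # bit length of upk; bits per element of Z_Q
rng = random.Random(2021)  # fixed seed: reproducible demo, NOT secure randomness

def uniform(rows, cols, src=rng):
    return [[src.randrange(Q) for _ in range(cols)] for _ in range(rows)]

def small(rows, cols):
    # Noise with entries in {-1,0,1}: |E r| <= COLS, far below Q/5.
    return [[rng.choice((-1, 0, 1)) for _ in range(cols)] for _ in range(rows)]

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def public_key(S, B, E):
    """P = S^T B + E mod Q, with S (N x k), B (N x COLS), E (k x COLS)."""
    St, Bt = list(zip(*S)), list(zip(*B))
    return [[(sum(s * b for s, b in zip(srow, bcol)) + e) % Q
             for bcol, e in zip(Bt, erow)] for srow, erow in zip(St, E)]

def encrypt(P, B, bits):
    """(c_1, c_2) = (B r, P r + floor(Q/2) * bits) for a random binary r."""
    r = [rng.randrange(2) for _ in range(COLS)]
    c2 = [(pr + (Q // 2) * b) % Q for pr, b in zip(matvec(P, r), bits)]
    return matvec(B, r), c2

def decrypt(S, c1, c2):
    """Round (c_2 - S^T c_1) / (Q/2) coordinate-wise to a bit."""
    mask = matvec(list(zip(*S)), c1)
    return [1 if Q // 4 < (c - s) % Q < 3 * Q // 4 else 0
            for c, s in zip(c2, mask)]

def to_bits(vec):
    return [(x >> i) & 1 for x in vec for i in range(LOGQ)]

def from_bits(bits):
    return [sum(b << i for i, b in enumerate(bits[j:j + LOGQ]))
            for j in range(0, len(bits), LOGQ)]

def token_secret(tsk, message):
    """Per-message secret S~_3 = H'(S_3 || M); SHAKE-256 expansion is assumed."""
    seed = hashlib.shake_256(tsk + message).digest(32)
    return uniform(N, K * LOGQ, random.Random(seed))

def trace(S1, token, c11, c3):
    """Outer layer needs the admitter's token, inner layer needs osk = S_1."""
    c12 = from_bits(decrypt(token, *c3))
    return decrypt(S1, c11, c12), c12

def demo(sign_msg=b"message M", token_msg=b"message M"):
    B = uniform(N, COLS)
    S1 = uniform(N, K)                                # opener's key (osk)
    P1 = public_key(S1, B, small(K, COLS))
    tsk = b"constructed admitter secret S_3"          # constructed sample value
    S3_M = token_secret(tsk, sign_msg)
    P3 = public_key(S3_M, B, small(K * LOGQ, COLS))   # sent by AM to the signer
    upk = [1, 0, 1, 1, 0, 0, 1, 0]                    # constructed sample key
    c11, c12 = encrypt(P1, B, upk)
    c3 = encrypt(P3, B, to_bits(c12))                 # c12 itself is not published
    traced, c12_rec = trace(S1, token_secret(tsk, token_msg), c11, c3)
    return upk, traced, c12_rec == c12

if __name__ == "__main__":
    print(demo())                                     # token for the signed message
    print(demo(token_msg=b"another message"))         # token for a different message
```

The signature carries only c_{1,1} and c_{3}, so the holder of osk cannot run the inner decryption until a token for exactly the signed message has removed the outer layer.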
Theorem 3
The FDGSMDO scheme satisfies the anonymity against admitter, anonymity against opener, unforgeability, traceability and tracing soundness security requirements under the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) and ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) assumptions in the RO model.
The proof of Theorem in “The improved zero-knowledge protocol of knowledge” section consists of the following five lemmas.
Lemma 1
Suppose that the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is difficult, then the scheme in this paper is anonymous against admitter in the RO model.
Proof
Assume that the size of legitimate users is t, the adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) are all PPT algorithms. For two different users i_{0}≠i_{1}∈[t] given by \(\mathcal {A}\),
we say that the scheme satisfies anonymity if there is a negligible function negl(λ), such that \(\Pr \left [\mathbf {Exp}_{DGSMDO,\mathcal {A}}^{anonAb}(\lambda)=1\right ]\leq negl(\lambda)\). Given a negligible function negl(λ), we will finish this proof by hybrid games. Let the output of each game be OP_{l},l∈[9].
Game0: Given two different legitimate users i_{0}≠i_{1}∈[t] by \(\mathcal {A}\), let b=0, the challenger \(\mathcal {C}\) runs the experiment \(\mathbf {Exp}_{DGSMDO,\mathcal {A}}^{anonAb}(\lambda)\) honestly by using i_{0}.
Game1: This game is identical to Game0 except that (S_{2},E_{2}) is included in osk, i.e. let osk=((S_{1},E_{1}),(S_{2},E_{2})). This change makes no difference to the view of the adversary \(\mathcal {A}\), so Pr[OP_{1}=1]= Pr[OP_{0}=1].
Game2: This game is identical to Game1 except that a simulator Sim_{trace} is used to simulate the real interactions of the protocol that generates Π_{trace}, i.e. the real transcript Π_{trace} is replaced with a simulated transcript of Sim_{trace}. The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of Π_{trace}, so Pr[OP_{2}=1]− Pr[OP_{1}=1]≤negl(λ).
Game3: This game is identical to Game2 except that (S_{1},E_{1}) is replaced with (S_{2},E_{2}) when Sim_{trace} simulates the oracle Trace. For a legitimate signature (c_{1,1},c_{2},c_{3},c_{4},Π_{sign}), where c_{1},c_{2} are encryptions of different strings, let F_{1} be the event that \(\mathcal {A}\) submits such a signature to the oracle Trace. The view of \(\mathcal {A}\) may change if F_{1} occurs; however, this violates the soundness of the protocol that generates Π_{sign}. The change in this game is indistinguishable to \(\mathcal {A}\) except for the event F_{1}, i.e. Pr[OP_{3}=1]− Pr[OP_{2}=1]≤ Pr[F_{1}]≤negl(λ).
Game4: This game is identical to Game3 except that a simulator Sim_{sign} is used to simulate the real interactions of the protocol that generates Π_{sign}, i.e. the real transcript Π_{sign} is replaced with a simulated transcript of Sim_{sign}. The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of Π_{sign}, so Pr[OP_{4}=1]− Pr[OP_{3}=1]≤negl(λ).
Game5: This game is identical to Game4 except that the ciphertext c_{1} is changed into the encryption of \(\mathbf {upk}_{i_{1}}\) when a query is made to the oracle Chal_{b}. The difference in the view of \(\mathcal {A}\) caused by this change is negligible by the semantic security of the encryption scheme. The challenger responds with (S_{2},E_{2}) during queries to the oracle Trace, so substituting the ciphertext c_{1} makes no difference there, and Pr[OP_{5}=1]− Pr[OP_{4}=1]=negl(λ).
Game6: This game is identical to Game5 except that (S_{2},E_{2}) is replaced with (S_{1},E_{1}) when Sim_{trace} simulates the oracle Trace. For a legitimate signature (c_{1,1},c_{2},c_{3},c_{4},Π_{sign}), where c_{1},c_{2} are encryptions of different strings, let F_{2} be the event that \(\mathcal {A}\) submits such a signature to the oracle Trace, which violates the simulation soundness of the protocol that generates Π_{sign}. The change in this game is indistinguishable to \(\mathcal {A}\) except for the event F_{2}, so Pr[OP_{6}=1]− Pr[OP_{5}=1]≤ Pr[F_{2}]≤negl(λ).
Game7: This game is identical to Game6 except that the ciphertext c_{2} is changed into the encryption of \(\mathbf {upk}_{i_{1}}\). The difference in the view of \(\mathcal {A}\) caused by this change is negligible by the semantic security of the encryption scheme. The challenger responds with (S_{1},E_{1}) during queries to the oracle Trace, so changing c_{2} makes no difference to the view of the adversary, and Pr[OP_{7}=1]− Pr[OP_{6}=1]=negl(λ).
Game8: This game is identical to Game7 except that the simulator Sim_{sign} is replaced with the real protocol that generates Π_{sign}, i.e. the simulated transcript of Sim_{sign} is replaced by a real transcript Π_{sign}. The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of the protocol Π_{sign}, so Pr[OP_{8}=1]− Pr[OP_{7}=1]≤negl(λ).
Game9: This game is identical to Game8 except that the simulator Sim_{trace} is replaced with the real protocol that generates Π_{trace}, i.e. the simulated transcript of Sim_{trace} is replaced by a real transcript Π_{trace}. The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of the protocol Π_{trace}, so Pr[OP_{9}=1]− Pr[OP_{8}=1]≤negl(λ).
Finally, we could learn from the games above that the probability:
where c is a constant. So, the scheme satisfies the property of anonymity against admitter. □
Lemma 2
Suppose that the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is difficult, then the scheme in this paper is anonymous against opener in the RO model.
Proof
Assume that the size of legitimate users is t, the adversary \(\mathcal {A}\) and challenger \(\mathcal {C}\) are all PPT algorithms. For two different users i_{0}≠i_{1}∈[t] given by \(\mathcal {A}\),
the proof of anonymity against opener is similar to that of anonymity against admitter, so we do not describe it in detail. □
Lemma 3
Suppose that the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is difficult, then the scheme in this paper is unforgeable in the RO model.
Proof
Suppose that there is a PPT adversary \(\mathcal {A}\) that could forge a valid signature with a non-negligible probability ε, then there is a PPT algorithm \(\mathcal {B}\) that could break the security of the Merkle hash tree or solve the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with a non-negligible probability by invoking \(\mathcal {A}\) as a black box.
If there is a negligible function negl(λ), such that \(\Pr \left [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\leq negl(\lambda)\), then we say that the scheme is unforgeable. Given a random vector A, the challenger computes the public parameter pp honestly, then invokes the algorithm of \(\mathcal {A}\) and runs the operations in the game \(\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{unforge}(\lambda)\); during this process, \(\mathcal {B}\) answers the queries of \(\mathcal {A}\) honestly. If the adversary \(\mathcal {A}\) wins the game and finally outputs \(\left (M^{*},\Sigma ^{*},i^{*},\Pi _{trace}^{*},\mathbf {info}_{\tau }\right)\), then there is a non-negligible function ε, such that \(\Pr \left [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\geq \epsilon \), and the algorithm \(\mathcal {B}\) could operate as follows: Decompose the signature Σ^{∗} into \((c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}^{*}_{4},\Pi _{sign}^{*})\), where \(\Pi _{sign}=\left (\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*},\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}\right)\). Because the adversary \(\mathcal {A}\) wins the game \(\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{unforge}(\lambda)\), \(\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}\) is a legitimate response to \(\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*}\).
Let \(\xi ^{*}=\left (M^{*},\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {A},\mathbf {u}_{\tau },\{P_{i}\}_{i=1}^{4}, \mathbf {B},c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}_{4}^{*}\right)\). Since the probability of successfully guessing H(ξ^{∗}) is \((np)^{-k'}\), the adversary uses ξ^{∗} to query the oracle H with overwhelming probability, and ξ^{∗} is the preimage of H with probability \(\epsilon '=\epsilon -(np)^{-k'}\). Let t^{∗}∈{1,2,⋯,Q_{H}} be the index of one query, where Q_{H} is the number of queries that the adversary \(\mathcal {A}\) made to the oracle H. The inputs of the hash queries from the 1st to the t^{∗}-th are all ξ^{∗}, and \(\mathcal {B}\) runs the operations of \(\mathcal {A}\) for t^{∗} times. The inputs of the other hash queries from the (t^{∗}+1)-th to the Q_{H}-th are something else, and \(\mathcal {B}\) responds with independent values respectively. By the Forking lemma in (Brickell et al. 2000; Pointcheval and Stern 1999), the probability that \(\mathcal {B}\) gets max(n,p)+1 different hash values \(\mathbf {ch}_{t^{*}}^{1},\cdots,\mathbf {ch}_{t^{*}}^{\max (n,p)+1}\in \{[n]\times \mathbb {Z}_{p}\}^{k'}\) for the same input ξ^{∗} is non-negligible, and the pigeonhole principle tells us that there are at least two accepting responses \((rsp_{t^{*},1},rsp_{t^{*},2})\) with the same I and different ch. From the protocol that generates Π_{sign} we can then extract a witness \(\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4}\right)\), where \(w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots,\mathbf {w}'_{1,\tau }\right) \in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for d=1,2,d^{′}=3,4,j∈{0,l−1}, we have
We can learn from the correctness of the encryption scheme that \(\mathbf {c}_{1}^{*}\) is the encryption of \(\mathbf {upk}_{i'}\) and \(\mathbf {c}_{3}^{*}\) is the encryption of \(\mathbf {c}^{*}_{1,2}\). The algorithm Judge outputs 1 because \(\mathcal {A}\) wins the game, and the soundness of the protocol that generates Π_{trace} tells us that \(\mathbf {c}_{1}^{*}\) is the encryption of \(\mathbf {upk}_{i^{*}}\), so \(\mathbf {upk}_{i'}=\mathbf {upk}_{i^{*}}\) with overwhelming probability. By the correctness of the Merkle hash tree, the user i^{∗} is legitimate. i^{∗}∈HUL∖BUL indicates that the adversary \(\mathcal {A}\) doesn’t know \(gsk_{i^{*}}=(\mathbf {bin}(i^{*}-1),\mathbf {upk}_{i'},\mathbf {usk}_{i^{*}})\). \(\mathbf {usk}_{i^{*}}\) was chosen by \(\mathcal {B}\) and \(\mathbf {A}\cdot \mathbf {usk}_{i^{*}}=\mathbf {G}\cdot \mathbf {upk}_{i'}\), so we have \(\Pr [\mathbf {usk}_{i^{*}}\not =\mathbf {usk}_{i'}]\geq \frac {1}{2}\). Let \(\mathbf {z}=\mathbf {usk}_{i^{*}}-\mathbf {usk}_{i'}\), then z≠0 and Az=0 mod q, so the algorithm \(\mathcal {B}\) could solve the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with non-negligible probability. □
Lemma 4
Suppose that the ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) problem is difficult, then the scheme in this paper is traceable in the RO model.
Proof
If there is a negligible function negl(λ), such that \(\Pr [\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)\), then we say that the scheme is traceable. In other words, if the adversary \(\mathcal {A}\) wins the game \(\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{trace}(\lambda)\), the signature generated by \(\mathcal {A}\) is legitimate and it was traced to a revoked user, or to a legitimate user without a valid proof Π_{trace} for it. Next, we explain why the probability that the adversary \(\mathcal {A}\) wins the game is negligible.
Let (info_{τ},M,Σ) be the forgery output by the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{trace}(\lambda)\), then the challenger could extract the identity (bin(i−1),Π_{trace}) by running the algorithm Trace. Decompose the signature Σ into (c′_{1,1},c′_{2},c′_{3},c′_{4},Π_{sign}), where \(\Pi _{sign}=\left (\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)\). Since (info_{τ},M,Σ) is a legitimate signature, \(\{rsp_{j}\}_{j=1}^{k'}\) are valid responses to \(\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'}, \mathbf {ch}\). Then, as in the proof of unforgeability, we could extract a witness \(\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4}\right)\), where \(w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots, \mathbf {w}'_{1,\tau }\right)\in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for d=1,2,d^{′}=3,4,j∈{0,l−1}, we have
From the correctness of the encryption scheme, the ciphertext \(\mathbf {c}'_{1}\) could be decrypted to \(\mathbf {upk}_{i'}\) and \(\mathbf {c}'_{3}\) could be decrypted to \(\mathbf {c}'_{1,2}\), and from the correctness of the algorithm Trace, upk_{i} is the plaintext obtained from the ciphertext \(\mathbf {c}'_{1}\), so \(\mathbf {upk}_{i}=\mathbf {upk}_{i'}\) with overwhelming probability, and the probability that a valid signature is traced to a revoked user is negligible. In fact, the security of the Merkle hash tree tells us that the probability that the valid signature above is traced to a revoked user with a valid proof Π_{trace} is negligible. Because the challenger has the legitimate witness needed to generate a valid proof Π_{trace}, the perfect completeness of the protocol that generates Π_{trace} implies that the algorithm Judge accepts Π_{trace} with probability 1. In conclusion, the scheme in this paper is traceable. □
Lemma 5
The scheme in this paper satisfies the property of tracing soundness in the RO model.
Proof
Suppose that the information \((M,\Sigma,i_{0},\Pi _{trace,i_{0}}, i_{1},\Pi _{trace,i_{1}},\mathbf {info}_{\tau })\) is the output of the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGSMDO,\mathcal {A}}^{tracesound}(\lambda)\). If the game finally outputs 1, i.e. \(\mathbf {Judge}(gpk,\mathbf {upk}_{i_{b}},\mathbf {info}_{\tau }, \Pi _{trace},M,\Sigma)=1, i_{0}\not =i_{1}\not =\perp, \mathbf {Verify}(gpk,\mathbf {info}_{\tau },M,\Sigma)=1\), then we say that \(\mathcal {A}\) wins. Given Π_{trace} with \(\Pi _{trace}= \left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)\), the fact that the algorithm Judge outputs 1 indicates that \(\{rsp_{j}\}_{j=1}^{k'}\) are legitimate responses to \(\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}\). For b=0,1,j=1,3, similarly to the proof of unforgeability, we could extract \(\mathbf {S}_{1,b},\tilde {\mathbf {S}}_{3,b},E_{j,b},\mathbf {y}_{j,b}\), such that
then we have
Suppose that \(\mathbf {upk}_{i_{1}}\not =\mathbf {upk}_{i_{0}}\), so \(\|\lfloor \frac {q}{2}\rfloor \cdot (\mathbf {upk}_{i_{1}}-\mathbf {upk}_{i_{0}})\|_{\infty }=\lfloor \frac {q}{2}\rfloor, \|\mathbf {y}_{1,1}-\mathbf {y}_{1,0}\|_{\infty } \leq 2\cdot \lceil \frac {q}{5}\rceil \), and
then \(\mathbf {S}_{1,0}^{\top }\not =\mathbf {S}_{1,1}^{\top }\), and we have obtained two different solutions of the equation \(\mathbf {S}_{1}^{\top }\cdot \mathbf {B}+E_{1}=P_{1}\mod q\), which contradicts the fact that there is at most one solution to the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) sample (B,P_{1}). So, \(\mathbf {upk}_{i_{1}}=\mathbf {upk}_{i_{0}}\) with overwhelming probability. Similarly, if there are two different strings c_{1,2} and \(\mathbf {c}'_{1,2}\) w.r.t. one ciphertext c_{3}, then \(\mathbf {c}_{1,2}=\mathbf {c}'_{1,2}\) is also true with overwhelming probability. In other words, the probability that \(\mathcal {A}\) wins is negligible, so the scheme in this paper satisfies the property of tracing soundness. □
The improved zero-knowledge protocol of knowledge
Details of the protocol
Suppose that the number of legitimate members in the group is t≥1 at time τ. For d=1,2,d^{′}=3,4,i∈[t],∀j∈[l−1], the underlying zero-knowledge protocol is used to prove the following relationships by utilizing the extending and permuting techniques (Stern 1996; Ling et al. 2017).
Given a bit b and a vector a, let \(\mathbf {ext}(b,\mathbf {a})=(\bar {b}\cdot \mathbf {a},b\cdot \mathbf {a})^{\top }, \mathbf {ext}_{2}(b)=(\bar {b},b)^{\top }\). Given a bit b^{′} and a vector \(\mathbf {a'}\), we get similar results \(\mathbf {ext}(b',\mathbf {a'})=(\bar {b'}\cdot \mathbf {a'},b'\cdot \mathbf {a'})^{\top }, \mathbf {ext}_{2}(b')=(\bar {b'},b')^{\top }\). Then we have the following equivalence relationship:
Then for d=1,2,d^{′}=3,4,i∈[t],bin(i−1)=(i_{1},⋯,i_{l}), Eq. (2) is equivalent to the following form
Let \(\mathbf {B}_{n}^{2n}\) be the set of strings with length 2n, where the Hamming weight of each string is n. To show that the user’s public key upk_{i}≠0^{k}, we pad upk_{i} with a random string of length k−1 to obtain a new string \(\mathbf {upk}_{i}^{*}\), such that \(\mathbf {upk}_{i}^{*}\in \mathbf {B}_{k}^{2k-1}\), then for any permutation \(\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2k-1}\), we have
We perform similar operations for c_{1,2} to obtain \(\mathbf {c}_{1,2}^{*}\in \mathbf {B}_{k}^{2k-1}\), and for each usk_{i} to obtain \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m}\); for any \(\pi _{\mathbf {usk}_{i}}\in \mathcal {S}_{2m}\), we have \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m} \Leftrightarrow \pi _{\mathbf {usk}_{i}}(\mathbf {usk}_{i}^{*})\in \mathbf {B}_{m}^{2m}\). Similarly, extend the vectors u_{1},⋯,u_{l−1},w_{1},⋯,w_{l},r_{1},⋯,r_{4} to obtain \(\mathbf {u}_{1}^{*}\cdots,\mathbf {u}_{l-1}^{*}, \mathbf {w}_{1}^{*}\cdots,\mathbf {w}_{l}^{*}\in \mathbf {B}_{k}^{2k}, \mathbf {r}_{1}^{*},\cdots,\mathbf {r}_{4}^{*}\in \mathbf {B}_{k}^{2k}\). And then let \(\hat {\mathbf {u}}_{1}=\mathbf {ext}(i_{1},\mathbf {u}_{1}^{*}),\cdots,\hat {\mathbf {u}}_{l-1}=\mathbf {ext}(i_{l-1},\mathbf {u}_{l-1}^{*})\in \{0,1\}^{4k}, \hat {\mathbf {upk}_{i}}=\mathbf {ext}(i_{l},\mathbf {upk}_{i}^{*})\in \{0,1\}^{4k-2}, \hat {\mathbf {w}}_{1}=\mathbf {ext}(\bar {i_{1}},\mathbf {w}_{1}^{*}),\cdots,\hat {\mathbf {w}}_{l}=\mathbf {ext}(\bar {i_{l}}, \mathbf {w}_{l}^{*})\in \{0,1\}^{4k}\).
Given upk_{i}=(upk_{i1},⋯,upk_{ik}), for any j∈[k], let upk′_{ij}=ext_{2}(upk_{ij}). For any \(b\in \{0,1\}, \mathbf {t}=(t_{0},t_{1})\in \mathbb {Z}^{2}\), let \(T_{b}(\mathbf {t})=(t_{b},t_{\bar {b}})\). Then for any b_{j}∈{0,1}, we have \(\mathbf {upk}'_{ij}=\mathbf {ext}_{2}(upk_{ij})\Leftrightarrow T_{b_{j}}(\mathbf {upk'}_{ij})=\mathbf {ext}_{2}(upk_{ij}\oplus b_{j})\). Because b_{j} is chosen randomly, the operations above are equivalent to applying a one-time pad with b_{j} to the user’s upk_{ij}, which hides it perfectly. For c_{1,2} and \(\mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}\), we perform similar operations.
Let \(r\in \{2k-1,2k\}, b\in \{0,1\}, \pi \in \mathcal {S}_{r}, \mathbf {t}=(t_{0},t_{1})^{T}\in \mathbb {Z}^{2r}, \mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}\), we define the permutation \(F_{b,\pi }(\mathbf {t})=(\pi (t_{b}),\pi (t_{\bar {b}})), F_{b,\pi }(\mathbf {t'})=(\pi (t'_{b}),\pi (t'_{\bar {b}}))\). Then for all \(b_{1},\cdots,b_{l}\in \{0,1\}, \phi _{\mathbf {u},1},\cdots,\phi _{\mathbf {u},l-1},\phi _{\mathbf {w},1},\cdots,\phi _{\mathbf {w},l}\in \mathcal {S}_{2k}, \pi _{\mathbf {upk}_{i}},\pi _{\mathbf {c}_{1}}\in \mathcal {S}_{2k-1}\), the following relationship is true,
Let
then z∈{0,1}^{10kl+2m+16k−6}, the equation (4) can be unified into one equation A^{′}z=U mod q, where A^{′},U could be obtained from the public parameters. Let VALID be the set of vectors in {0,1}^{10kl+2m+16k−6} that satisfy the relationship above, let \(\bar {\mathcal {S}}=\mathcal {S}_{2k}^{2l-1}\times \mathcal {S}^{2}_{2k-1}\times \mathcal {S}_{2m}\times \mathcal {S}_{2l}^{4}\times \{0,1\}^{l}\) for any
let Γ_{η} be the permutation for strings in {0,1}^{10kl+2m+16k−6}, then we have
After that, we could utilize our protocol and the equivalence above to prove that z∈VALID, and A^{′}z=U mod q. Let D=10kl+2m+16k−6, the protocol is presented in Algorithm 1, where the commitment \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}\) is a string commitment scheme with the properties of statistical hiding and computational binding (Kawachi et al. 2008).
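The extending and permuting steps described above can be checked mechanically. The following added example (not code from the paper) implements ext, ext_{2}, T_{b}, F_{b,π} and the padding into B_{k}^{2k−1} as defined in the text, and verifies on small toy sizes that the mask b acts as a one-time pad, that F_{b,π} maps ext(c,a) to ext(c⊕b,π(a)), and that 0^{k} is the only string that cannot be padded; the helper names and sizes are assumptions of this sketch.

```python
import itertools
import random

def ext2(b):
    """ext_2(b) = (not b, b)."""
    return (1 - b, b)

def ext(b, a):
    """ext(b, a) = (not b * a, b * a): the bit b selects which half holds a."""
    return [(1 - b) * x for x in a] + [b * x for x in a]

def T(b, t):
    """T_b(t) = (t_b, t_{not b}) for a pair t = (t_0, t_1)."""
    return (t[b], t[1 - b])

def F(b, perm, t):
    """F_{b,pi}(t) = (pi(t_b), pi(t_{not b})) for t = (t_0 || t_1)."""
    r = len(perm)
    halves = (t[:r], t[r:])
    apply = lambda v: [v[p] for p in perm]
    return apply(halves[b]) + apply(halves[1 - b])

def in_B(s, length, weight):
    """Membership test: binary string of the given length and Hamming weight."""
    return len(s) == length and set(s) <= {0, 1} and sum(s) == weight

def pad_to_weight_k(v, rng):
    """Pad v in {0,1}^k with k-1 bits so the result lies in B_k^{2k-1}."""
    k, w = len(v), sum(v)
    if w == 0:
        raise ValueError("0^k cannot reach weight k with only k-1 padding bits")
    pad = [1] * (k - w) + [0] * (w - 1)
    rng.shuffle(pad)
    return list(v) + pad

def paddable(v):
    """Exhaustively test whether some (k-1)-bit padding reaches weight k."""
    k = len(v)
    return any(sum(v) + sum(p) == k
               for p in itertools.product((0, 1), repeat=k - 1))

def check_masking():
    """T_b(ext_2(x)) = ext_2(x XOR b) for every bit x and mask b."""
    return all(T(b, ext2(x)) == ext2(x ^ b) for x in (0, 1) for b in (0, 1))

def check_permuting(k=4, trials=200, seed=7):
    """F_{b,pi}(ext(c, a)) = ext(c XOR b, pi(a)), and pi keeps a inside B_k^{2k}."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [1] * k + [0] * k
        rng.shuffle(a)
        perm = list(range(2 * k))
        rng.shuffle(perm)
        c, b = rng.randrange(2), rng.randrange(2)
        pa = [a[p] for p in perm]
        if F(b, perm, ext(c, a)) != ext(c ^ b, pa) or not in_B(pa, 2 * k, k):
            return False
    return True

def check_nonzero_padding(k=4):
    """Every v != 0^k is paddable into B_k^{2k-1}; 0^k is not."""
    return all(paddable(v) == (sum(v) > 0)
               for v in itertools.product((0, 1), repeat=k))
```

Because a verifier only ever sees the masked and permuted vectors, membership in the fixed-weight set is all it learns, which is how the protocol shows upk_{i}≠0^{k} without revealing upk_{i}.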
Security analysis of the protocol
Theorem 4
Suppose that the commitment scheme used in this paper satisfies statistical hiding and computational binding, then our new zero-knowledge protocol satisfies completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge.
Proof
Denote rsp=((com_{I},w_{I}),(com_{Ich},w_{Ich}),(r′_{I},r_{Ich},x_{I})), we prove completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge separately:
Completeness: Suppose that the prover and verifier have run each step of the protocol honestly, then \(\mathbf {u}'=\mathbf {u} \wedge \hat {\mathbf {u}}'=\hat {\mathbf {u}}\) is true with overwhelming probability by the definition of TDA, and we have
So if z is a solution to the instance (U,A^{′}), then U=A^{′}z mod q, which means that y=A^{′}r_{I}, and the completeness of the protocol follows from the binding of the commitment scheme.
(max(n,p)+1)-special soundness: If there are (max(n,p)+1) valid transcripts, the pigeonhole principle tells us that there are at least two accepting transcripts with the same I and different ch. Suppose \(\left ((\mathbf {u},\hat {\mathbf {u}}),(I,ch),\left ((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),\left (\mathbf {r}'_{I}, \mathbf {r}_{Ich},\mathbf {x}_{I}\right)\right)\right)\) and \(((\mathbf {u},\hat {\mathbf {u}}),(I,ch'),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich'},w_{Ich'}), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I})))\) are two valid transcripts with ch≠ch^{′}, then one can efficiently extract either a collision of the hash function \(h_{\mathbf {A}}\in \mathcal {H}\) or, by using the binding of the commitment scheme, a witness z such that U=A^{′}z.
Suppose that ((aux_{I},com_{I}),(I,ch),(rI′,r_{Ich},x_{I})) and \(\phantom {\dot {i}\!}((\mathbf {aux}_{I},\mathbf {com}_{I}),(I,ch'), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I}))\) are two valid transcripts that are accepted by verifier. Let \(\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {A}'\mathbf {x}_{I}ch\mathbf {U}\mod q\) and \(\phantom {\dot {i}\!}\mathbf {y}'_{I}=\mathbf {A}'\mathbf {x}'_{I}ch'\mathbf {U}\mod q\), then we have \(\phantom {\dot {i}\!}\mathbf {com}_{I}=\mathbf {Com}\left (\mathbf {y}_{I},\mathbf {r}'_{I}\right)=\mathbf {Com}\left (\mathbf {y}'_{I},\mathbf {r}'_{I}\right)\), so the binding of the commitment implies that \(\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {y}'_{I}\), i.e. \(\phantom {\dot {i}\!}\mathbf {A}'(\mathbf {x}_{I}\mathbf {x}'_{I})=(chch')\mathbf {U}\).
In addition, \(\mathbf {com}_{Ich}=\mathbf {Com}(\mathbf {r}_{I}+ch\mathbf {z}\mod q,\mathbf {r}_{Ich})=\mathbf {Com}(\mathbf {x}_{I},\mathbf {r}_{Ich})\) and \(\mathbf {com}_{Ich'}=\mathbf {Com}(\mathbf {r}_{I}+ch'\mathbf {z}\mod q,\mathbf {r}_{Ich'}) =\mathbf {Com}(\mathbf {x}'_{I},\mathbf {r}_{Ich'})\), so \(\mathbf {x}_{I}=\mathbf {r}_{I}+ch\mathbf {z}\mod q\) and \(\mathbf {x}'_{I}=\mathbf {r}_{I}+ch'\mathbf {z}\mod q\) by the binding of the commitment.
Then one can compute z efficiently as a solution of the instance (U,A^{′}).
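The extraction step of the special-soundness argument above, as an added Python example that is not code from the paper. The toy parameters (prime modulus q = 257, a 3×6 matrix A′, a binary witness z) are constructed assumptions, q is assumed prime so that ch−ch′ is invertible, and the commitments and the TDA tree are left out, so binding is modelled by comparing the committed values directly.

```python
import secrets

Q = 257  # constructed toy modulus; assumed prime so (ch - ch') has an inverse

def matvec(A, v, q=Q):
    """Matrix-vector product A*v mod q."""
    return [sum(a * b for a, b in zip(row, v)) % q for row in A]

def respond(r, z, ch, q=Q):
    """Prover's opened response x_I = r_I + ch*z mod q."""
    return [(ri + ch * zi) % q for ri, zi in zip(r, z)]

def committed_y(A, x, ch, U, q=Q):
    """Value the verifier recomputes: y_I = A'x_I - ch*U mod q."""
    return [(a - ch * u) % q for a, u in zip(matvec(A, x, q), U)]

def extract(x1, ch1, x2, ch2, q=Q):
    """Recover z from two responses sharing r_I:
    x_I - x'_I = (ch - ch')*z  =>  z = (ch - ch')^{-1} (x_I - x'_I) mod q."""
    diff = (ch1 - ch2) % q
    if diff == 0:
        raise ValueError("challenges must differ")
    inv = pow(diff, -1, q)
    return [((a - b) * inv) % q for a, b in zip(x1, x2)]

def demo():
    rows, cols = 3, 6
    A = [[secrets.randbelow(Q) for _ in range(cols)] for _ in range(rows)]
    z = [secrets.randbelow(2) for _ in range(cols)]   # constructed witness
    U = matvec(A, z)                                  # instance: U = A'z mod q
    r = [secrets.randbelow(Q) for _ in range(cols)]   # same mask r_I in both runs
    ch1, ch2 = 5, 11                                  # two distinct challenges
    x1, x2 = respond(r, z, ch1), respond(r, z, ch2)
    # Both transcripts open the same com_I, so y_I = y'_I = A'r_I.
    same_y = committed_y(A, x1, ch1, U) == committed_y(A, x2, ch2, U) == matvec(A, r)
    z_ext = extract(x1, ch1, x2, ch2)
    return same_y, z_ext == z, matvec(A, z_ext) == U

if __name__ == "__main__":
    print(demo())
```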
Special honest-verifier zero knowledge: In this proof, we construct a PPT simulator \(\mathcal {S}\) with inputs (U,A^{′}),{seed_{i}}_{i∈[n]} and (I,ch). It interacts with a (possibly dishonest) verifier and does the following:

1. Sample \(\mathbf {r}'_{I}\stackrel {\$}{\leftarrow }\{0,1\}^{m}\), and compute r_{I},r_{Ich} from seed_{I}.
2. Compute \(\mathbf {com}_{I}=\mathbf {Com}(\mathbf {A}'\mathbf {r}_{I}\mod q,\mathbf {r}'_{I})\) honestly, commit to random dummy values to calculate the commitments com_{i≠I}.
3. Compute a vector z^{′} by Gaussian elimination such that U=A^{′}z^{′} mod q.
4. Compute \(\mathbf {x}'_{I}=\mathbf {r}_{I}+ch\mathbf {z}'\mod q\), \(\mathbf {com}_{Ich}=\mathbf {Com}(\mathbf {x}'_{I},\mathbf {r}_{Ich})\), and commit to random dummy values to calculate the commitments com_{ic} for all i≠I and c≠ch.
5. Run TDA(n,Bin(com_{i})) for i∈[n],TDA(np,Bin(com_{ic})) for \(i\in [n], c\in \mathbb {Z}_{p}\), output the root u^{′} and \(\hat {\mathbf {u}}'\) respectively.
6. Output the transcript \(((\mathbf {u}',\hat {\mathbf {u}}'),(I,ch),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),(\mathbf {r}'_{I},\mathbf {r}_{Ich}, \mathbf {x}'_{I})))\).
It is clear that \((\mathbf {r}'_{I},\mathbf {r}_{Ich},\mathbf {x}'_{I})\) and the corresponding part of the real transcript are both uniformly distributed in {0,1}^{2λ}×{0,1}^{D} and hence follow the same distribution. (com_{I},com_{Ich}) and the corresponding part of the real transcript are statistically indistinguishable by the hiding property of the commitment. By the definition of the collision resistant hash function, both (w_{I},w_{Ich}) and the corresponding part of the real transcript are indistinguishable from the uniform distribution, so they are indistinguishable from each other. Because the commitments com_{i},com_{ic} for all i≠I,c≠ch are never opened, the indistinguishability of \((\mathbf {u}',\hat {\mathbf {u}}')\) also follows from the hiding property of the commitment and the definition of the hash function. So, the transcript output by \(\mathcal {S}\) and the real transcript of the protocol are computationally indistinguishable. □
Conclusion
In this paper, we give a new ring-based fully dynamic group signature scheme with message-dependent opening. Its efficiency is improved by an underlying zero knowledge proof of knowledge that has a smaller soundness error than the Stern-like protocol. This modification helps to bring down the communication complexity of the underlying zero knowledge protocol and hence the computational/space complexity of the group signature scheme. In addition, we add another participant, an admitter, to our scheme to constrain the power of the trace manager. The admitter can generate tokens with respect to messages by using its secret key, such that the trace manager can only open signatures of messages specified by the admitter.
Availability of data and materials
Not applicable.
References
Beullens, W (2020) Sigma protocols for mq, pkp and sis, and fishy signature schemes. In: Canteaut A Ishai Y (eds)Proceedings of Conference EUROCRYPT: 1014 May 2020, 183–211.. Springer, Zagreb.
Bootle, J, Cerulli A, Chaidos P, Ghadafi E, Groth J (2016) Foundations of fully dynamic group signatures. In: Manulis M, Sadeghi AR, Schneider S (eds)Proceedings of Conference ACNS: 1922 June 2016, 117–136.. Springer, Guildford.
Brickell, E, Pointcheval D, Vaudenay S, Yung M (2000) Design validations for discrete logarithm based signature schemes. In: Imai H Zheng Y (eds)Proceedings of Conference PKC: 1820 January 2000, 276–292.. Springer, Melbourne.
Canetti, R, Halevi S, Katz J (2004) Chosenciphertext security from identitybased encryption. In: Cachin C Camenisch J (eds)Proceedings of Conference EUROCRYPT: 26 May 2004, 207–222.. Springer, Interlaken.
Chaum, D, van Heyst E (1991) Group signatures. In: Davies DW (ed)Proceedings of Conference EUROCRYPT: 811 April 1991, 257–265.. Springer, Brighton.
Gordon, SD, Katz J, Vaikuntanathan V (2010) A group signature scheme from lattice assumptions. In: Abe M (ed)Proceedings of Conference ASIACRYPT: 59 December 2010, 395–412.. Springer, Singapore.
Hazay, C, Lindell Y (2010) Sigma protocols and efficient zeroknowledge In: Efficient Secure TwoParty Protocols. Information Security and Cryptography.. Springer, Berlin, Heidelberg. https://doi.org/10.1007/9783642143038_6.
Katsumata, S, Yamada S (2019) Group signatures without nizk: from lattice in the standard model. In: Ishai Y Rijmen V (eds)Proceedings of Conference EUROCRYPT: 1923 May 2019, 312–344.. Springer, Darmstadt.
Kawachi, A, Tanaka K, Xagawa K (2008) Concurrently secure identification schemes based on the worstcase hardness of lattice problems. In: Pieprzyk J (ed)Proceedings of Conference ASIACRYPT: 711 December 2008, 372–389.. Springer, Singapore.
Laguillaumie, F, Langlois A, Libert B, Stehlé D (2013) Latticebased group signatures with logarithmic signature size. In: Sako K Sarkar P (eds)Proceedings of Conference ASIACRYPT: 15 December 2013, 41–61.. Springer, Bengaluru.
Langlois, A, Ling S, Nguyen K, Wang H (2014) Latticebased group signature scheme with verifierlocal revocation. In: Krawczyk H (ed)Proceedings of Conference PKC: 2628 March 2014, 345–361.. Springer, Buenos.
Libert, B, Joye M (2014) Group signatures with messagedependent opening in the standard model. In: Benaloh J (ed)Proceedings of Conference CTRSA: 2528 February 2014, 286–306.. Springer, San Francisco.
Libert, B, Ling S, Nguyen K, Wang H (2016) Zeroknowledge arguments for latticebased accumulators: logarithmicsize ring signatures and group signatures without trapdoors. In: Fischlin M Coron JS (eds)Proceedings of Conference EUROCRYPT: 812 May 2016, 1–31.. Springer, Vienna.
Libert, B, Mouhartem F, Nguyen K (2016) A latticebased group signature scheme with messagedependent opening. In: Manulis M, Sadeghi AR, Schneider S (eds)Proceedings of Conference ACNS: 1922 June 2016, 137–155.. Springer, Guildford.
Ling, S, Nguyen K, Wang HX (2015) Group signatures from lattices: simpler, tighter, shorter, ringbased. In: Katz J (ed)Proceedings of Conference PKC: 30 March1 April 2015, 427–449.. Springer, Gaithersburg.
Ling, S, Nguyen K, Wang H, Xu Y (2017) Latticebased group signatures: achieving full dynamicity with ease. In: Gollmann D, Miyaji A, Kikuchi H (eds)Proceedings of Conference ACNS: 1012 July 2017, 293–312.. Springer, Kanazawa.
Lyubashevsky, V (2008) Latticebased identification schemes secure under active attacks. In: Cramer R (ed)Proceedings of Conference PKC: 912 March 2008, 162–179.. Springer, Barcelona.
Lyubashevsky, V (2012) Lattice signatures without trapdoors. In: Pointcheval D Johansson T (eds)Proceedings of Conference EUROCRYPT: 1519 April 2012, 738–755.. Springer, Cambridge.
Lyubashevsky, V, Micciancio D (2006) Generalized compact knapsacks are collision resistant. In: Bugliesi M, Preneel B, Sassone V, Wegener I (eds)Proceedings of Conference ICALP: 1014 July 2006, 144–155.. Springer, Venice.
Lyubashevsky, V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Gilbert H (ed)Proceedings of Conference EUROCRYPT: 30 May3 June 2010, 1–23.. Riviera, Springer.
Lyubashevsky, V, Peikert C, Regev O (2013) A toolkit for ringlwe cryptography. In: Johansson T Q.Nguyen P (eds)Proceedings of Conference EUROCRYPT: 2630 May 2013, 35–54.. Springer, Athens.
Naor, M, Yung M (1990) Publickey cryptosystems provably secure against chosen ciphertext attacks In: Proceedings of the ACM Conference STOC: 1990, 427–437.. ACM DL, Baltimore.
Ohara, K, Sakai Y, Emura K, Hanaoka G (2013) A group signature scheme with unbounded messagedependent opening In: Proceedings of the ACM Conference AsiaCCS: 2013, 517–522.. ACM DL, Hangzhou.
Peikert, C (2016) A decade of lattice cryptography. Found Trends Theor Comput Sci 10:283–424.
Peikert, C, Rosen A (2006) Efficient collisionresistant hashing from worstcase assumptions on cyclic lattices. In: Halevi S Rabin T (eds)Proceedings of Conference TCC: 47 March 2006, 145–166.. Springer, New York.
Peikert, C, Rosen A (2007) Lattices that admit logarithmic worstcase to averagecase connection factors In: Proceedings of the ACM Conference STOC: 1113 June 2007, 478–487.. ACM DL, San Diego.
Pointcheval, D, Stern J (1999) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396.
Regev, O (2009) On lattices, learning with errors, random linear codes, and cryptography. J ACM 56:1–40.
Sakai, Y, Emura K, Hanaoka G, Kawai Y, Matsuda T, Omote K (2012) Group signatures with messagedependent opening. In: Abdalla M Lange T (eds)Proceedings of Conference Pairing: 1618 May 2012, 270–294.. Springer, Cologne.
Stern, J (1996) A new paradigm for public key identification. IEEE Trans Inf Theory 42(6):1757–1768.
Sun, Y, Liu Y (2020) A latticebased fully dynamic group signature scheme without nizk In: Proceedings of Conference INSCRYPT: 1114 December 2020.. Springer, Guangzhou.
Sun, Y, Liu Y, Wu B (2019) An efficient full dynamic group signature scheme over ring. Cybersecurity 2(21). https://doi.org/10.1186/s4240001900378.
Acknowledgements
Not applicable.
Funding
This work was supported by the National Natural Science Foundation of China (Grant No.61932019, No.61772521, No.61772522) and the Key Research Program of Frontier Sciences, CAS (Grant No.QYZDBSSWSYS035).
Contributions
The first author conceived the idea of the study and wrote the paper; all authors discussed the results and revised the final manuscript. Both authors read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Sun, Y., Liu, Y. An efficient fully dynamic group signature with message dependent opening from lattice. Cybersecur 4, 15 (2021). https://doi.org/10.1186/s42400021000768
Keywords
 Dynamic group signature
 Message-dependent opening
 NIZK
 LWE
 SIS