
An efficient fully dynamic group signature with message dependent opening from lattice

Abstract

Message-dependent opening is one solution to the problem that the tracing manager holds excessive power. In this paper, we present a new lattice-based fully dynamic group signature scheme with message-dependent opening by combining an improved version of the fully dynamic group signature scheme proposed by Ling et al. with the double encryption paradigm. In addition, we propose an improved underlying zero-knowledge protocol with soundness error \(\frac {1}{\max (n,p)+1}\), which is better than that of the Stern-like protocol and helps to bring down the communication complexity of the protocol and hence of the signature scheme. Our scheme constrains the power of the group managers by adding an admitter, and the signature size is logarithmic in the group size.

Introduction

Related work

Since the concept of group signature was proposed in Chaum and van Heyst (1991), it has become an important primitive for realizing anonymous authentication. A group signature allows members of a group to sign messages on behalf of the group without revealing any information about the signer's identity. At the same time, a signature can be traced back to its signer in case of dispute. In other words, there is an authority in the scheme, called the trace manager GMtrace, who can de-anonymize a signature and trace it to the specific signer. But in many scenarios GMtrace is given too much power, as it can open all signatures regardless of whether the signer is valid or not. To solve this problem, an extension of group signatures that balances traceability and privacy was introduced in Sakai et al. (2012): the group signature scheme with message-dependent opening (GS-MDO). In a GS-MDO system there is another participant, the admitter, and the trace manager GMtrace can open a signature only when it works together with the admitter. To open a signature Σ on a message M, the admitter first generates a token tM with respect to M using its secret key and sends tM to the trace manager GMtrace; GMtrace then uses its own secret key together with tM to open the signature. That is, the trace manager GMtrace can only open signatures on messages specified by the admitter. Subsequently, many other GS-MDO schemes were proposed based on different assumptions, such as decision linear (DLIN) (Sakai et al. 2012), strong Diffie-Hellman (Ohara et al. 2013), decision 3-party Diffie-Hellman (D3DH) (Libert and Joye 2014), and learning with errors (LWE) together with small integer solution (SIS) (Libert et al. 2016).

Lattice-based cryptography has attracted a lot of attention for its simple arithmetic operations and its potential to resist quantum attacks. However, compared with cryptographic schemes based on non-lattice assumptions such as DDH or factoring, the efficiency of lattice-based schemes is still not satisfactory. The first lattice-based static group signature scheme was given in Gordon et al. (2010); its security is proven in the RO model, and its signature size is linear in the group size N. Subsequently, the signature size was lowered to O(log N) in different ways (Laguillaumie et al. 2013; Ling et al. 2015), such as the bonsai tree (Langlois et al. 2014), the Merkle hash tree (Libert et al. 2016) and lattice-based accumulators (Ling et al. 2017). To further satisfy the requirements of real applications, dynamic registration and revocation of users can be realized efficiently (Ling et al. 2017) by combining the static group signature scheme in Libert et al. (2016) with the security model in Bootle et al. (2016). That scheme includes an update algorithm for an accumulator built on a Merkle hash tree, and both the security and the signature size are improved compared with the scheme in Libert et al. (2016). However, all the schemes above follow the encrypt-then-prove pattern and rely heavily on a zero-knowledge protocol in the proof process, which limits further improvements in efficiency and security. To break this bottleneck there are currently two research lines. One tries to remove the zero-knowledge proof protocol from the construction of group signature schemes, which is the subject of Katsumata and Yamada (2019): a lattice-based static group signature scheme without NIZK was proposed there and proved secure in the standard model. A natural question follows: is it possible to construct a lattice-based fully dynamic group signature scheme that is provably secure in the standard model? To answer it, we proposed a construction in Sun and Liu (2020) and proved it secure in the standard model. The other line is to improve the efficiency of zero-knowledge proofs (Beullens 2020) and apply them to the construction of group signature schemes in the RO model. Our work in this paper gives a positive result along the latter line.

Our contribution

In this paper, we give a new fully dynamic group signature scheme over rings with message-dependent opening (FDGS-MDO) by combining an improved version of the fully dynamic group signature scheme in Ling et al. (2017) with the double encryption paradigm (Canetti et al. 2004), using the zero-knowledge proof of knowledge described below as the underlying protocol. Compared with the scheme in Sun et al. (2019), our scheme weakens the power of GMtrace by adding another participant, the admitter. Concretely, the admitter can generate tokens with respect to messages using its secret key, so that the trace manager can only open signatures on messages specified by the admitter. We also give an improved zero-knowledge proof of knowledge with smaller soundness error than the Stern-like protocol, and we use it as the underlying protocol to improve the efficiency of the scheme in Sun et al. (2019).

We give the concrete construction and security analysis of our zero-knowledge proof of knowledge, which partially realizes the optimization idea of Beullens (2020). In Beullens (2020), an instance of the SIS problem must first be transformed into an instance of the permuted kernel problem (PKP), whose knowledge is then proved with a Σ-protocol for the latter; in our work we omit this transformation. In addition, to reduce the communication complexity of the underlying protocol, the prover does not send all the commitments \(\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}\) and \(\{\mathbf {com}_{i}\}_{i\in [n]}\) to the verifier in the first round. Instead, we build two Merkle hash trees with the commitments \(\{\mathbf {com}_{ic}\}_{i\in [n],c\in \mathbb {Z}_{p}}\) and \(\{\mathbf {com}_{i}\}_{i\in [n]}\) as leaves, respectively, and send only the roots u and \(\hat {\mathbf {u}}\) of the two trees to the verifier. In the third round, the prover sends some additional messages to the verifier: the commitments \(\mathbf {com}_{I}, \mathbf {com}_{I,ch}\) for the challenge (I,ch) and the witnesses \(\mathbf {w}_{I}, \mathbf {w}_{I,ch}\) needed to recompute the roots. The verifier checks whether the roots \(\mathbf {u}', \hat {\mathbf {u}}'\) it recomputes are consistent with the \(\mathbf {u}, \hat {\mathbf {u}}\) received in the first round. Our protocol has soundness error \(\frac {1}{\max (n,p)+1}\), which is better than the soundness error \(\frac {2}{3}\) of the Stern-like protocol. Given a security parameter λ, our protocol needs to be executed \(k'=\frac {\lambda }{\log (\max (n,p)+1)}\) times sequentially to reach a negligible soundness error \(2^{-\lambda }\), while the Stern-like protocol must be repeated Θ(λ) times. So our protocol satisfies a stronger soundness property and effectively reduces the communication complexity, which gives the group signature scheme both stronger security and a smaller signature size.

In the remainder of this paper, we start by reviewing the definitions and theorems used in the scheme and the dynamic algorithm for constructing the Merkle hash tree in the “Preliminaries” section. In the “Syntax and security of fully dynamic group signature with message dependent opening” section, we present the syntax of the fully dynamic group signature scheme with message-dependent opening. The detailed construction of the scheme and its security analysis are given in the “The lattice-based dynamic group signature scheme with message-dependent opening” section. Finally, we present the underlying zero-knowledge protocol and its security analysis in the “The improved zero-knowledge protocol of knowledge” section, and conclude in the “Conclusion” section.

Preliminaries

The background of lattice

In this section, we review the notation, definitions and theorems used to analyse our main results. Throughout this paper, let λ be the security parameter, n=O(λ) and p=O(λ) positive integers, \(q=\tilde {O}(n^{1.5})\) a prime modulus, \(k=n\lceil \log q\rceil, m=2k\), and \(R=\mathbb {Z}[x]/f(x), f(x)=x^{n}+1, R_{q}=R/qR\). Given vectors \(\mathbf {x}=(x_{1},\cdots,x_{m}), \mathbf {z}=(z_{1},\cdots,z_{m})\) and an integer t, \(\|\mathbf {x}\|_{t}=\left (\sum _{i=1}^{m} {|x_{i}|}^{t}\right)^{\frac {1}{t}}\) denotes the t-norm of x, and (x|z) is the concatenation of the two vectors.

Definition 1

(The ring-SVP and ring-SIVP) (Lyubashevsky et al. 2013) Given a ring R and γ≥1, the ring-SVPγ problem is: given an ideal lattice \(\mathcal {I}\) over R, find a non-zero short vector \(\mathbf {x}\in \mathcal {I}\) such that \(\|\mathbf {x}\|_{\infty }\leq \gamma \cdot \lambda _{1}(\mathcal {I})\). The ring-SIVPγ problem is defined similarly: find n linearly independent elements \((\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\) in \(\mathcal {I}\) such that \(\|(\mathbf {x}_{1},\cdots,\mathbf {x}_{n})\|_{\infty }\leq \gamma \cdot \lambda _{n}(\mathcal {I})\).

Definition 2

(The ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\)) (Ling et al. 2015; Peikert 2016) Choose m elements \(a_{j}\overset {\$}{\leftarrow }R_{q}\) uniformly and let \(\mathbf {A}=(a_{1},\cdots,a_{m})\in R_{q}^{m}\) be the resulting random vector; for a positive real number β=poly(n), find a non-zero short vector \(\mathbf {z}=(z_{1},\cdots,z_{m})\in R^{m}_{q}, \|\mathbf {z}\|_{\infty }\leq \beta \), such that

$$ f_{\mathbf{A}}(\mathbf{z})=\langle \mathbf{A},\mathbf{z}\rangle=\mathbf{A}^{\top}\cdot \mathbf{z}=\sum_{j} a_{j}\cdot z_{j}=0\in R_{q} $$

Numerous studies (Lyubashevsky and Micciancio 2006; Peikert and Rosen 2006; Peikert and Rosen 2007; Lyubashevsky 2008; Lyubashevsky 2012) have shown that if f(x) is an irreducible polynomial with integer coefficients and \(m>\frac {\log q}{\log (2\beta)}, \gamma =16mn\log ^{2} n, q\geq \frac {\gamma \sqrt {n}}{4\log n}\), then the ring-\(\mathbf {SIS}^{\infty }_{n,m,q,\beta }\) problem is at least as hard as the ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) problem over \(\mathcal {I}\).

Definition 3

(The ring-LWE distribution) (Peikert 2016) For a secret element \(s\in R_{q}\) and a noise distribution \(\mathcal {X}\) over Rq with bound β, choose \(a\overset {\$}{\leftarrow } R_{q}, e\overset {\$}{\leftarrow }\mathcal {X}\); then \(A_{s,\mathcal {X}}=(a,b=s\cdot a+e\mod q)\) is called the ring-LWE distribution over Rq×Rq.

Definition 4

(The decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\)) (Lyubashevsky et al. 2010; Peikert 2016) Let n,m≥1 and q≥2. Given m samples \((a_{j},b_{j})\in R_{q}\times R_{q}\) drawn from one of two distributions, \(A_{s,\mathcal {X}}\) or the uniform distribution over Rq×Rq, the decision ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is to distinguish which distribution the samples come from.

Theorem 1

(Lyubashevsky et al. 2010)Let \(q=1\mod 2n, \beta \geq \omega (\sqrt {n\log n}), \gamma =n^{2}(q/\beta)(nm/ \log (nm))^{1/4}\), then there is an error distribution \(\mathcal {X}\) with bound β, such that the problem ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) is at least as difficult as the problem ring-\(\mathbf {SVP}^{\infty }_{\gamma }\) over \(\mathcal {I}\).

The sigma protocol

Definition 5

(The Σ-protocol) (Hazay and Lindell 2010) Given an NP relation \(R=\{(x,w)\}\subseteq \{0,1\}^{*}\times \{0,1\}^{*}\), a two-party interactive protocol 〈P,V〉 is called a Σ-protocol for the relation R if it is a three-round public-coin protocol that satisfies the following requirements:

Completeness: For \((x,w)\in R\), if both the prover P and the verifier V follow the protocol, then Pr[〈P(x,w),V(x)〉=1]=1.

2-Special soundness: For any statement x, if there is an adversary \(\mathcal {A}\) that outputs with noticeable probability a pair of accepting transcripts (a,e,z) and \((a,e',z')\) with \(e\neq e'\), then one can extract a witness w such that \((x,w)\in R\).

Special honest-verifier zero knowledge: For \((x,w)\in R\), there is a PPT simulator \(\mathcal {S}\) that, given the statement x and a random challenge e, outputs a transcript (a,e,z) that is indistinguishable from the distribution of transcripts of honest executions of the protocol on input \((x,w)\in R\), i.e. \(\mathcal {S}(x,e)\approx \langle P(x,w),V(x,e)\rangle \).

The zero-knowledge protocol used in this paper satisfies completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge, and relies heavily on the security (statistical hiding and computational binding) of the commitment scheme used as a submodule. The detailed construction of the protocol and its security proof are given in the “The improved zero-knowledge protocol of knowledge” section.

The dynamic algorithm of constructing lattice-based Merkle hash tree

The security of the Merkle tree used in Sun et al. (2019) and of the one used here are both based on collision-resistant hash functions, but the size and depth of the former are fixed, whereas those of the latter grow as users register. For any \(\mathbf {t}\in R_{q}\), \(\mathbf {bin}(\mathbf {t})\in \{0,1\}^{k}\) is its binary representation; let

$$ \begin{aligned} \mathbf{G}= \left[ \begin{array}{ccc} 1,2,4,\cdots,2^{\lceil\log q\rceil-1} & & \\ & \cdots & \\ & & 1,2,4,\cdots,2^{\lceil\log q\rceil-1}\\ \end{array} \right]\in \mathbb{Z}^{n\times k}_{q} \end{aligned} $$
(1)

then t=G·bin(t). Let \(\mathcal {H}=\{h_{\mathbf {A}}|\mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}\}\), with \(h_{\mathbf {A}}:\{0,1\}^{k}\times \{0,1\}^{k}\rightarrow \{0,1\}^{k}\), be a family of collision-resistant hash functions based on the ring-SIS problem, where \(\mathbf {A}=[\mathbf {A}_{0}|\mathbf {A}_{1}]\in R_{q}^{m}, \mathbf {A}_{0},\mathbf {A}_{1}\overset {\$}{\leftarrow } R_{q}^{k}\) is an instance of the ring-SISm,q,1 problem. For arbitrary \((\mathbf {u}_{0},\mathbf {u}_{1})\in \{0,1\}^{k}\times \{0,1\}^{k}\), we have

$$h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{bin}(\mathbf{A}_{0}\cdot\mathbf{u}_{0}+\mathbf{A}_{1}\cdot\mathbf{u}_{1}\mod q)\in\{0,1\}^{k} $$

so the following equivalence holds:

$$h_{\mathbf{A}}(\mathbf{u}_{0},\mathbf{u}_{1})=\mathbf{u} \Leftrightarrow \mathbf{A}_{0}\cdot \mathbf{u}_{0}+\mathbf{A}_{1}\cdot \mathbf{u}_{1}=\mathbf{G}\cdot \mathbf{u} \mod q $$

Suppose there is a PPT adversary who can output two different inputs \(\mathbf {u}\neq \mathbf {u}'\) such that \(h_{\mathbf {A}}(\mathbf {u})=h_{\mathbf {A}}(\mathbf {u}')\). Then \(\mathbf {A}\cdot \mathbf {u}=\mathbf {A}\cdot \mathbf {u}' \mod q\), i.e. \(\mathbf {A}\cdot (\mathbf {u}-\mathbf {u}')=0 \mod q\). Since \(\mathbf {u}\neq \mathbf {u}'\), we have \(\mathbf {u}-\mathbf {u}'\neq 0\) and \(\|\mathbf {u}-\mathbf {u}'\|_{\infty }\leq 1\), so \(\mathbf {u}-\mathbf {u}'\) is a solution to the ring-SISm,q,1 problem.

Let \(\mathcal {H}=\{h_{\mathbf {A}}|\mathbf {A}\in R_{q}^{m}\}\). We now describe the dynamic updating algorithm TDA(t,d) used to construct and update the Merkle tree that records the registered users and part of the group information in this paper.

TSetup: Initialize the Merkle tree as a tree of depth 1 whose leaves have value 0, with root u. Let t denote the number of legal members in the group.

TJoin: Search all leaves for the first leaf with value 0 and let its index be i. If there is no such leaf, graft a tree of depth j=log t whose leaves are all 0 onto the original one, and take its root \(\mathbf {u}'\) and the root u of the original tree as the two inputs of the hash function to compute the new root \(\mathbf {u}_{new}=h_{\mathbf {A}}(\mathbf {u},\mathbf {u}')\) of the enlarged Merkle tree. For any \(i\in [2^{j+1}]\) we then have |bin(i)|=j+1.

TUpdate: Let \(\mathbf {u}_{j+1}=\mathbf {d}\) be the value of the leaf corresponding to the i-th user, and let \(\mathbf {bin}(i-1)=(i_{1},\cdots,i_{j+1})\) be the binary representation of the integer i−1; its witness is \(\mathbf {w}=(\mathbf {bin}(i-1),(\mathbf {w}_{j+1},\cdots,\mathbf {w}_{1}))\). Update the values of the nodes \(\mathbf {u}_{j},\cdots,\mathbf {u}_{0}\) recursively along the path from the leaf \(\mathbf {u}_{j+1}\) to the root u, then output the witness w and the new root \(\mathbf {u}_{new}\), where \(\mathbf {w}_{j+1},\cdots,\mathbf {w}_{1}\) and \(\mathbf {u}_{j},\cdots,\mathbf {u}_{0}\) satisfy the following relationship

$$ \forall l\in\{j,\cdots,1,0\}, \mathbf{u}_{l}=\left\{ \begin{array}{lcr} h_{\mathbf{A}}(\mathbf{u}_{l+1},\mathbf{w}_{l+1}), & \text{if}\ i_{l+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{l+1},\mathbf{u}_{l+1}), & \text{if}\ i_{l+1}=1 \end{array}\right. $$
(2)

Let unew=u0 be the new root of the Merkle tree.

Given the variable t, the computational complexity of algorithm TUpdate(t,d) is O(logt), and it satisfies the following property
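As an added illustration (not code from the paper), the following Python sketch implements TSetup, TJoin and TUpdate over a list of leaves, the root recomputation of relationship (2) from a leaf and its witness, and the check a signer must later prove in zero knowledge: that the leaf lies under the current root and is non-zero. It assumes SHA-256 in place of the ring-SIS hash h_A, 32-byte leaves in place of k-bit strings, 0-based leaf indices (the paper's bin(i−1)), and a full-tree recomputation on update where the paper walks only the O(log t) path.

```python
import hashlib
from typing import List, Tuple

K_BYTES = 32                 # node length; stands in for k bits
ZERO_LEAF = bytes(K_BYTES)   # 0^k: an unregistered or revoked slot


def h(u0: bytes, u1: bytes) -> bytes:
    """Stand-in for h_A(u0, u1); the order of the two inputs matters, as in (2)."""
    return hashlib.sha256(b"L" + u0 + b"R" + u1).digest()


def _parents(level: List[bytes]) -> List[bytes]:
    """Hash a full level pairwise (left child, right child) into the level above."""
    return [h(level[j], level[j + 1]) for j in range(0, len(level), 2)]


class MerkleTDA:
    """Toy TDA: TSetup, TJoin, TUpdate and revocation over a list of leaves."""

    def __init__(self) -> None:
        # TSetup: a depth-1 tree whose two leaves are 0^k.
        self.leaves: List[bytes] = [ZERO_LEAF, ZERO_LEAF]
        self.depth = 1
        self.root = _parents(self.leaves)[0]

    def witness_of(self, i: int) -> Tuple[List[int], List[bytes]]:
        """Witness (bits of i from MSB i_1 to LSB i_{j+1}, siblings ordered leaf -> root),
        i.e. the paper's (bin(i-1), (w_{j+1}, ..., w_1))."""
        bits = [(i >> (self.depth - 1 - l)) & 1 for l in range(self.depth)]
        siblings, level, idx = [], list(self.leaves), i
        for _ in range(self.depth):
            siblings.append(level[idx ^ 1])
            level, idx = _parents(level), idx // 2
        return bits, siblings

    def tupdate(self, i: int, d: bytes):
        """TUpdate(i, d): write leaf i, recompute the root, return (witness, new root).
        The toy recomputes every level; the paper only touches the path to the root."""
        self.leaves[i] = d
        level = list(self.leaves)
        while len(level) > 1:
            level = _parents(level)
        self.root = level[0]
        return self.witness_of(i), self.root

    def tjoin(self, d: bytes):
        """TJoin: the first free (zero) leaf receives d. If none is free, graft an
        all-zero tree of the same size, so the old root u and the zero subtree's
        root u' become the two children of the new root h(u, u')."""
        if ZERO_LEAF not in self.leaves:
            self.leaves.extend([ZERO_LEAF] * len(self.leaves))
            self.depth += 1
        i = self.leaves.index(ZERO_LEAF)
        witness, root = self.tupdate(i, d)
        return i, witness, root

    def revoke(self, i: int):
        """Revocation writes 0^k back into the slot (TUpdate(bin(i-1), 0^k))."""
        return self.tupdate(i, ZERO_LEAF)


def recompute_root(d: bytes, witness) -> bytes:
    """Relationship (2) from leaf to root: u_l = h(u_{l+1}, w_{l+1}) if i_{l+1} = 0,
    else h(w_{l+1}, u_{l+1}); the LSB decides the position at the leaf level."""
    bits, siblings = witness
    u = d
    for bit, w in zip(reversed(bits), siblings):
        u = h(u, w) if bit == 0 else h(w, u)
    return u


def is_active(root: bytes, d: bytes, witness) -> bool:
    """What a legitimate signer shows: the path is consistent with the published
    root AND the leaf value is not 0^k (registered and not revoked)."""
    return d != ZERO_LEAF and recompute_root(d, witness) == root
```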

Theorem 2

Suppose the ring-\(\mathbf {SIS}^{\infty }_{m,q,\beta }\) problem is hard, and let \(R'=\{\mathbf {d}_{0},\cdots,\mathbf {d}_{t}\}\) be the set of leaves related to users who have been registered. Then the algorithm TDA(t,d) is secure: given a negligible function negl(λ), for any PPT adversary \(\mathcal {A}\) the following inequality holds

$$ \Pr[(\mathbf{d}^{*},\mathbf{w}^{*})\leftarrow \mathcal{A}(R',t):\mathbf{d}^{*}\notin R',\mathbf{u}=\mathbf{u}_{0}]\leq negl(\lambda) $$

Syntax and security of fully dynamic group signature with message dependent opening

Different from a general group signature scheme, there are four participants in a fully dynamic group signature scheme with message-dependent opening (FDGS-MDO):

The group manager (GM update): responsible for updating the group information and for the registration and revocation of users.

The admitter (AM): responsible for generating a token tM that specifies that the signatures associated with message M may be opened.

The trace manager (GM trace): given a signature and a token tM, GM trace is responsible for tracing the identity of the signer when there is a dispute.

The users: usually appear as a signer who signs messages or a verifier who verifies signatures.

The definition of FDGS-MDO

A fully dynamic group signature scheme with message-dependent opening consists of the following polynomial-time algorithms:

GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): On input the security parameter λ, this algorithm outputs the public parameter pp, the group public key gpk=(pp,mpk,opk), the group secret key msk of GM update, the tracing secret key osk of GM trace and the secret key tsk of AM. GM update initializes the registration list reg and the group information info as empty, and we assume that they can only be edited by a party knowing msk.

UKeyGen(pp)→(upk,usk): Given the public parameter pp, this algorithm outputs a user's key pair (upk,usk).

〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: This is an interactive protocol between a user and the group manager GM update. Assume that the newly registered user is the t-th member of the group. If the protocol completes successfully, the user becomes a legitimate member of the group and the Join algorithm sets its signing secret key to \(gsk=(\mathbf {bin}(t-1),\mathbf {upk}_{t},\mathbf {usk}_{t})\). In the Issue algorithm, GM update runs TDA(t,upkt) to update the Merkle hash tree, the group information infoτ and the registered user list reg.

\(\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, for every \(i\in S\) the group manager GM update runs \(\mathbf {TUpdate}(\mathbf {bin}(i-1),0^{k})\) to update the Merkle hash tree, the registered user list reg and the group information \(\mathbf {info}_{\tau _{new}}\).

Sign(gpk,gski,infoτ,M)→Σ: On input the group public key gpk and the group information infoτ, this algorithm outputs a signature Σ on a message M by the user corresponding to the i-th leaf at time τ, or an error symbol if the user is illicit at τ, i.e. has not been registered or has been revoked at τ.

Verify(gpk,Σ,infoτ,M)→0/1: Verify the signature Σ and output 1 if it is valid, otherwise output 0.

TrapGen(gpk,tsk,M,reg,infoτ)→tM: This algorithm is run by the admitter AM and outputs a token tM for the message M.

Trace(gpk,osk,tM,M,Σ,reg,infoτ)→(b,Πtrace): This algorithm is run by the trace manager GM trace. If the signature Σ is valid, it outputs the public key b of the signer who signed the message M at τ together with a proof Πtrace of this fact; otherwise it outputs an error symbol.

Judge(gpk,b,M,Πtrace,Σ,infoτ)→0/1: Verify the proof Πtrace generated by the trace manager GM trace and output 1 if it is valid, otherwise output 0.

To verify whether the signer is legitimate, i.e. has registered and has not been revoked when signing a message M at τ, the group manager checks whether the value of the leaf corresponding to this signer is non-zero. To avoid leaking any information about the signer's identity, we use the extension-permutation technique (Libert et al. 2016) to hide it. In other words, suppose the binary representation of the value of the leaf corresponding to the signer is \(\mathbf {bin}(\mathbf {d}_{i})=(d_{i1},d_{i2},\cdots,d_{ik}), i\in [t]\); choose a vector \(\mathbf {a}\overset {\$}{\leftarrow }\{0,1\}^{k-1}\) uniformly such that the Hamming weight of \(\mathbf {d}'_{i}=(\mathbf {bin}(\mathbf {d}_{i})|\mathbf {a})\in \{0,1\}^{2k-1}\) is k. Given a random permutation \(\pi _{2k-1}\in \mathcal {S}_{2k-1}\), the set of random permutations of the positions of vectors in {0,1}2k−1, the Hamming weight of \(\pi _{2k-1}(\mathbf {d}'_{i})\) is k if and only if \(\mathbf {d}_{i}\neq 0\).
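As an added example (not from the paper), the following Python code carries out the extension-permutation step on bit vectors: it builds \(\mathbf {d}'_{i}=(\mathbf {bin}(\mathbf {d}_{i})|\mathbf {a})\) of weight k, applies a random position permutation, and shows both that the verifier's weight check succeeds exactly when the leaf is non-zero and that the verifier's view depends only on k. The function names extend, permute, verifier_accepts and prover_view are this example's own.

```python
import secrets
from itertools import product
from typing import List, Optional

_rng = secrets.SystemRandom()


def extend(bin_d: List[int]) -> Optional[List[int]]:
    """Return d' = (bin(d) | a) in {0,1}^{2k-1} with Hamming weight exactly k, where a
    is uniform among the vectors of weight k - w. Returns None when d = 0: a has only
    k - 1 positions, so it cannot supply the k ones that a zero leaf is missing."""
    k, w = len(bin_d), sum(bin_d)
    if w == 0:
        return None
    a = [1] * (k - w) + [0] * (w - 1)   # length k-1, weight k-w
    _rng.shuffle(a)
    return bin_d + a


def random_permutation(n: int) -> List[int]:
    """A uniformly random element of S_n, as a list mapping position j -> pi[j]."""
    pi = list(range(n))
    _rng.shuffle(pi)
    return pi


def permute(pi: List[int], v: List[int]) -> List[int]:
    """Apply the position permutation pi to the vector v."""
    return [v[pi[j]] for j in range(len(v))]


def verifier_accepts(view: List[int], k: int) -> bool:
    """The verifier sees only pi(d') and checks its length and its Hamming weight."""
    return len(view) == 2 * k - 1 and sum(view) == k


def prover_view(bin_d: List[int]) -> Optional[List[int]]:
    """What an honest prover holding leaf d reveals: pi(d') for a fresh random pi."""
    ext = extend(bin_d)
    if ext is None:
        return None
    return permute(random_permutation(len(ext)), ext)


def zero_leaf_never_passes(k: int) -> bool:
    """Exhaustive check for small k: no choice of a lets (0^k | a) reach weight k."""
    return all(not verifier_accepts([0] * k + list(a), k)
               for a in product((0, 1), repeat=k - 1))
```

Because every accepted view has exactly k ones and k−1 zeros, a verifier who sees only the permuted vector learns nothing about which non-zero leaf value the prover holds.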

Security of FDGS-MDO scheme

A fully dynamic group signature scheme needs to satisfy the following properties: correctness, anonymity against the admitter, anonymity against the opener, non-frameability, traceability and tracing soundness. Before the detailed descriptions, we first describe the oracles and special symbols used in the proofs. HUL is the set of honest users whose secret keys are generated honestly. BUL is the set of users whose signing secret keys have been sent to the adversary. CUL is the set of users whose public keys are chosen by the adversary. SL is the set of signatures generated by the oracle Sign. CL is the set of signatures generated by the oracle Chalb, and TL is the set of tokens generated by the oracle Chalb. The oracles used in the proofs are as follows:

AddU(i): Add an honest user i to the set HUL at time τ.

CreU(i,upki): Create a new user i whose public key upki is chosen by the adversary; this is invoked inside the oracle SenToM.

SenToM(i,Min): Run the algorithm Join on behalf of a corrupt user together with the honest group manager GM update.

SenToU(i,Min): Run the algorithm Join on behalf of the corrupt group manager GM update together with a legitimate user i.

RReg(i): Return the registration information regi of user i.

MReg(i,ρ): Change the registration information regi of user i to ρ.

RevealU(i): Return the signing secret key gski of user i to the adversary and add i to the set BUL.

Sign(i,M,τ): Return a signature on a message M by user i at time τ, and add this signature to the set SL.

Chalb(infoτ,i0,i1,M): For \(b\in \{0,1\}\), return a signature on the message M by user ib at time τ, and add this signature to the set CL. This requires that both users i0,i1 are legitimate at time τ, and this oracle may be invoked only once.

Trace(infoτ,Σ,M): Return the signer of a signature Σ produced at time τ and a proof of this fact, which requires that \(\Sigma \notin CL\).

TrapGen(infoτ,M): Return a token for the message M generated at time τ, which requires that \(M\notin TL\).

UpdateG(S,τ): Allows the adversary to update some information about the group at time τ, which requires that each element in S is the public key of a legitimate user at time τ.

IsActive(infoτ,reg,i): Return 1 if and only if user i is a legitimate member of the group at time τ, otherwise return 0.

Correctness: If a signer honestly signs a message M, the algorithm Verify always outputs 1. With a token tM output by the algorithm TrapGen, the trace manager GM trace can trace the identity of the signer with the algorithm Trace and generate a proof Πtrace that is accepted by the algorithm Judge.

Anonymity against admitter: For any PPT adversary \(\mathcal {A}\), it is impossible to distinguish with non-negligible probability signatures generated by two legitimate users, even though \(\mathcal {A}\) may learn the secret key msk of GM update and the secret key tsk of AM, corrupt any user, and is given access to the oracle Trace. Given a negligible function negl(λ), an FDGS-MDO scheme is anonymous against the admitter for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)=1]\leq negl(\lambda)\).

Anonymity against opener: For any PPT adversary \(\mathcal {A}\), it is impossible to distinguish with non-negligible probability signatures generated by two legitimate users, even though \(\mathcal {A}\) may learn the secret key msk of GM update and the secret key tsk of AM, corrupt any user, and is given access to the oracle TrapGen. Given a negligible function negl(λ), an FDGS-MDO scheme is anonymous against the opener for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{anonO-b}(\lambda)=1]\leq negl(\lambda)\).

Non-frameability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to a legitimate user is negligible, even though \(\mathcal {A}\) may learn the secret keys of GM update and GM trace and corrupt some of the users. Given a negligible function negl(λ), an FDGS-MDO scheme satisfies non-frameability for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1]\leq negl(\lambda)\).

Traceability: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to an illicit user is negligible, even though \(\mathcal {A}\) may learn the secret key of GM trace and corrupt some of the users. Given a negligible function negl(λ), an FDGS-MDO scheme is traceable for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)\).

Tracing soundness: For any PPT adversary \(\mathcal {A}\), the probability of generating a valid signature that is traced to two different users is negligible, even though \(\mathcal {A}\) may learn the secret keys of GM update and GM trace and corrupt some of the users. Given a negligible function negl(λ), an FDGS-MDO scheme satisfies tracing soundness for all PPT adversaries \(\mathcal {A}\) if \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace-sound}(\lambda)=1]\leq negl(\lambda)\).

The lattice-based dynamic group signature scheme with message-dependent opening

The construction of the scheme

By using the dynamic algorithm for constructing the Merkle hash tree and the formal definition of the fully dynamic group signature scheme with message-dependent opening, the scheme in this paper is constructed as follows:

GKeyGen(λ)→(pp,(mpk,msk),(opk,osk),tsk): Given the security parameter λ, let t>0 denote the number of registered users, l=logt, n=O(λ), p=O(λ), \(q=\tilde {O}(n^{1.5})\) a prime modulus, \(k=n\lceil \log q\rceil, m=2k\), β>0 a real number, \(\mathcal {X}\) the noise distribution over R bounded by β, \(H:\{0,1\}^{*}\rightarrow \{0,1\}^{k'}\) a hash function for the FS transformation, \(H':\{0,1\}^{*}\rightarrow \mathcal {X}^{k}\) a collision-resistant hash function, and \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}\) a string commitment scheme that is statistically hiding and computationally binding (Kawachi et al. 2008). Let \(\mathbf {A}\overset {\$}{\leftarrow } R_{q}^{m}, \mathbf {B}\overset {\$}{\leftarrow } R_{q}^{k}\). GM update chooses \(\mathbf {msk}\overset {\$}{\leftarrow }\{0,1\}^{m}\), computes mpk=A·msk, and initializes the registration list reg and the group information info as empty. GM trace chooses \(\mathbf {S}_{1},\mathbf {S}_{2}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{1},E_{2}\overset {\$}{\leftarrow }\mathcal {X}\) and computes \(P_{1}=\mathbf {S}_{1}^{\top }\mathbf {B}+E_{1}\in R_{q}, P_{2}=\mathbf {S}_{2}^{\top }\mathbf {B}+E_{2}\in R_{q}\). AM chooses \(\mathbf {S}_{3},\mathbf {S}_{4}\overset {\$}{\leftarrow }\mathcal {X}^{k}, E_{3},E_{4}\overset {\$}{\leftarrow }\mathcal {X}\). Set the GM trace's key pair (opk,osk)=(P1,(S1,E1)), the GM update's key pair (mpk,msk) and the AM's secret key tsk=(S3,E3). Finally, the algorithm outputs the public parameter \(pp=(\lambda,n,p,q,k,m,\beta,\mathcal {X},H,Com,\mathbf {A},\mathbf {B})\) and the group public key gpk=(pp,mpk,opk,tpk).

UKeyGen(pp)→(upk,usk): The user chooses \(\mathbf {usk}\overset {\$}{\leftarrow } \{0,1\}^{m}\) uniformly as its secret key and computes the related public key upk=bin(A·usk mod q), so that \(\mathbf {upk}\in \{0,1\}^{k}\).

〈Join(gpk,upk),Issue(gpk,msk,reg,info)〉: Assume that the newly registered user is the t-th member of the group. The user sends its public key upk to the group manager GM update; if GM update approves the application, it searches for the first non-zero leaf and denotes its index by t′. Let \(\mathbf {upk}_{t'}=\mathbf {upk}, \mathbf {reg}_{t'}=\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ]\), where τ is the time the user registered; GM update includes \(\mathbf {reg}_{t'}\) into the registration list \(\mathbf {reg}:=(\mathbf {reg}_{1}[\mathbf {upk}_{1}][\tau ],\cdots,\mathbf {reg}_{t'}[\mathbf {upk}_{t'}][\tau ],\cdots,\mathbf {reg}_{t} [\mathbf {upk}_{t}][\tau ])\). Then GM update runs the algorithm \(\mathbf {TDA}(\mathbf {bin}(t'),\mathbf {upk}_{t'})\) to update the Merkle tree, outputs the group information \(\mathbf {info}_{\tau }=(\mathbf {u},\{\mathbf {w}_{j}\}_{i_{j}})\), where u is the root and \(\{\mathbf {w}_{j}\}_{i_{j}}\) are the witnesses of all legal users, and increments the counter of registered users, t=t+1. Let \(\mathbf {usk}_{t'}=\mathbf {usk}\); the user sets \(gsk_{t'}=(\mathbf {bin}(t'-1),\mathbf {upk}_{t'},\mathbf {usk}_{t'})\) as its signing secret key.

\(\mathbf {Revoke}(gpk,S,\mathbf {msk},\mathbf {reg},\mathbf {info}_{\tau })\rightarrow \mathbf {info}_{\tau _{new}}\): Given the revocation list S, i.e. the set of public keys of the group members to be revoked, if \(S=\{\mathbf {upk}_{i_{1}},\cdots,\mathbf {upk}_{i_{r}}\}\) is not empty, where r≥1 and \(i_{j}\in [t]\) for \(j\in [r]\), then for every \(j\in [r]\) with \(\mathbf {upk}_{i_{j}}\in S\), GM update runs the algorithm TUpdate in \(\mathbf {TDA}(\mathbf {bin}(i_{j}-1),0^{k})\) to update the Merkle hash tree, and then updates the registration list reg: it changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}}[0^{k}][\tau _{new}]\) if \(\mathbf {upk}_{i_{j}}\in S\), and otherwise changes \(\mathbf {reg}_{i_{j}}[\mathbf {upk}_{i_{j}}][\tau ]\) to \(\mathbf {reg}_{i_{j}} [\mathbf {upk}_{i_{j}}][\tau _{new}]\). Finally it outputs the new group information \(\mathbf {info}_{\tau _{new}}=(\mathbf {u}_{new},\{\mathbf {w}_{j}\}_{i_{j}})\), which consists of the new root \(\mathbf {u}_{new}\) and the witnesses \(\{\mathbf {w}_{j}\}_{i_{j}}\) of the \(\mathbf {upk}_{i_{j}}\), and updates the counter of legitimate users, \(t=t-r\). Thus the leaves with value \(0^{k}\) in the Merkle tree correspond to potential users who have not yet registered or who have been revoked.

Sign(gpk,gski,infoτ,M)→Σ: To sign a message M at τ using the group information infoτ, the user corresponding to the i-th leaf first checks whether infoτ contains a witness for bin(i−1); if not, it returns an error symbol. Otherwise, the user sends M to AM, receives \(P_{3}=\tilde {\mathbf {S}}_{3}^{\top }\mathbf {B}+E_{3}\) and \(P_{4}=\tilde {\mathbf {S}}_{4}^{\top }\mathbf {B}+E_{4}\) from it, where \(\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M), \tilde {\mathbf {S}}_{4}=H'(\mathbf {S}_{4}\|M)\), obtains \((\mathbf {bin}(i-1),(\mathbf {w}_{l},\cdots,\mathbf {w}_{1}))\) from infoτ, and proceeds as follows. Choose random strings \(\mathbf {r}_{1},\mathbf {r}_{2},\mathbf {r}_{3},\mathbf {r}_{4}\overset {\$}{\leftarrow }\{0,1\}^{k}\); the user encrypts the vector upki using the double-encryption paradigm (Naor and Yung 1990) and the RLWE-based encryption scheme (Regev 2009; Lyubashevsky et al. 2013) to obtain the ciphertexts

$$ \begin{aligned} \mathbf{c}_{1}=&(c_{1,1},\mathbf{c}_{1,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{1}\mod q,P_{1}\cdot \mathbf{r}_{1}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i}\mod q\right)\in R_{q}\times R_{q}^{k}, \end{aligned} $$
$$ \begin{aligned} \mathbf{c}_{2}=&(c_{2,1},\mathbf{c}_{2,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{2}\mod q,P_{2}\cdot \mathbf{r}_{2}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i}\mod q\right)\in R_{q}\times R_{q}^{k}. \end{aligned} $$

Then the ciphertext component \(\mathbf{c}_{1,2}\) is encrypted in the same way to obtain the ciphertexts,

$$\begin{aligned} \mathbf{c}_{3}=&(c_{3,1},\mathbf{c}_{3,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{3}\mod q,P_{3}\cdot \mathbf{r}_{3}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}_{1,2}\mod q\right)\in R_{q}\times R_{q}^{k},\\ \mathbf{c}_{4}=&(c_{4,1},\mathbf{c}_{4,2})\\=&\left(\mathbf{B}\cdot \mathbf{r}_{4}\mod q,P_{4}\cdot \mathbf{r}_{4}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}_{1,2}\mod q\right)\in R_{q}\times R_{q}^{k}. \end{aligned} $$

Finally, the signer generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) \(\Pi_{sign}\) for the following facts: (1) it holds a legitimate witness \(\zeta=(\mathbf{usk}_{i},\mathbf{upk}_{i},\mathbf{bin}(i),\mathbf{w}_{l},\cdots,\mathbf{w}_{1},\mathbf{r}_{1},\cdots,\mathbf{r}_{4})\) showing that the signer is a legitimate member of the group, i.e. \(\mathbf{upk}_{i}\neq 0^{k}\), and that the values of the nodes on the path from the leaf corresponding to the user up to the root are all correct; (2) \((\mathbf{usk}_{i},\mathbf{upk}_{i})\) is a valid public-private key pair; (3) \((\mathbf{c}_{1},\mathbf{c}_{2})\) are two legitimate ciphertexts of \(\mathbf{upk}_{i}\); (4) \((\mathbf{c}_{3},\mathbf{c}_{4})\) are two legitimate ciphertexts of \(\mathbf{c}_{1,2}\).

Output the signature \(\Sigma=(c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\Pi_{sign})\). The NIZKAoK above is obtained from the interactive protocol of a later section by the FS transformation, i.e. the underlying protocol is run \(k'=\lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\rceil \) times sequentially to obtain a negligible soundness error \(2^{-\lambda}\), and the transcript is \(\Pi _{sign}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)\), where

$$ \begin{aligned}\mathbf{ch} & =(ch_{1},\cdots,ch_{k'})\in([n]\times\mathbb{Z}_{p})^{k'} \\ &=\!H\!\left(M,\{\!(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})\!\}_{j=1}^{k'},\mathbf{A},\mathbf{u}_{\tau},\mathbf{B},\{P_{i}\}_{i=1}^{4},c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4}\right) \end{aligned} $$

Verify\((gpk,\Sigma,\mathbf{info}_{\tau},M)\rightarrow 0/1\): The verifier obtains the root \(\mathbf{u}_{\tau}\) of the Merkle hash tree at τ from the group information \(\mathbf{info}_{\tau}\), recomputes the challenge ch and checks that it matches the one in Σ; it outputs 0 if not, otherwise it verifies the response \(rsp_{j}\) corresponding to \((\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\) and \(ch_{j}\) for each \(j\in[k']\), and outputs 1 if everything is correct, otherwise 0.

TrapGen\((gpk,tsk,M,\mathbf{reg},\mathbf{info}_{\tau})\rightarrow \mathbf{t_{M}}\): If a token \(\mathbf{t_{M}}\) for message M was already queried, answer consistently. Otherwise, compute \(\tilde {\mathbf {S}}_{3}=H'(\mathbf {S}_{3}\|M)\), let \(\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3})\), and output \(\mathbf{t_{M}}\).

Trace\((gpk,osk,\mathbf{t_{M}},M,\Sigma,\mathbf{reg},\mathbf{info}_{\tau})\rightarrow(\mathbf{b},\Pi_{trace})\): First, the trace manager GM trace uses the token \(\mathbf{t_{M}}\) to decrypt the ciphertext \(\mathbf{c}_{3}\) and obtain \(\mathbf{c}'_{1,2}\), i.e. it computes \(\mathbf {c}'_{1,2}=\left \lfloor \frac {(\mathbf {c}_{3,2}-\tilde {S}_{3}^{\top }\cdot c_{3,1})}{q/2}\right \rceil \in \{0,1\}^{k}\); the ciphertexts \(\mathbf{c}_{2}\) and \(\mathbf{c}_{4}\) are only used in our proof. Let \(c^{\prime }_{1,1}=c_{1,1}\); then GM trace uses its tracing secret key osk to decrypt the ciphertext \(\mathbf{c}'_{1}=(c'_{1,1},\mathbf{c}'_{1,2})\) and computes \(\mathbf {b}'=\left \lfloor \frac {(\mathbf {c}'_{1,2}-S_{1}^{\top }\cdot c'_{1,1})}{q/2}\right \rceil \in \{0,1\}^{k}\). If there is no witness of \(\mathbf{b}\) in \(\mathbf{info}_{\tau}\) or \(\mathbf{b}=0^{k}\), output \(\perp\). Then GM trace generates a non-interactive zero-knowledge argument of knowledge (NIZKAoK) \(\Pi_{trace}\) for the fact that the user corresponding to \(\mathbf{b}\) really generated the signature Σ on message M at τ. In other words, the trace manager GM trace must prove that it knows \(\mathbf {t_{M}}=(\tilde {\mathbf {S}}_{3},E_{3}), \mathbf {S}_{1},\tilde {\mathbf {S}}_{3}\in R_{q}^{k}, E_{1},E_{3}\in R_{q}, \mathbf {y}_{1},\mathbf {y}_{3}\in R_{q}^{k}\), such that

$${} \begin{aligned} \|\mathbf{S}_{1}\|_{\infty},\|\tilde{\mathbf{S}}_{3}\|_{\infty}\leq\beta,|E_{1}|,|E_{3}|\leq\beta,\|\mathbf{y}_{1}\|_{\infty},\|\mathbf{y}_{3}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1}^{\top}\cdot \mathbf{B}+E_{1}=P_{1}\mod q \\ \tilde{\mathbf{S}}_{3}^{\top}\cdot \mathbf{B}+E_{3}=P_{3}\mod q \\ \mathbf{c}_{3,2}-\tilde{\mathbf{S}}_{3}^{\top}\cdot c_{3,1}=\mathbf{y}_{3}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{c}'_{1,2}\mod q \\ \mathbf{c}'_{1,2}-\mathbf{S}_{1}^{\top}\cdot c_{1,1}=\mathbf{y}_{1}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{b}'\mod q \end{aligned} $$

Similarly, the NIZKAoK above is obtained from the interactive protocol of a later section by the FS transformation, i.e. GM trace runs the underlying protocol \(k'=\left \lceil \frac {\lambda }{\log _{2}(\max (n,p)+1)}\right \rceil \) times sequentially to obtain a negligible soundness error \(2^{-\lambda}\), and the transcript is \(\Pi _{trace}=\left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}, \{rsp_{j}\}_{j=1}^{k'}\right)\), where \(\mathbf {ch}\in ([n]\times \mathbb {Z}_{p})^{k'}\),

$$\begin{aligned} \mathbf{ch}=(ch_{1},\cdots,ch_{k'})=H\left(M,\{(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})\}_{j=1}^{k'},gpk,\Sigma,\mathbf{info}_{\tau},\mathbf{t_{M}},\mathbf{b}'\right) \end{aligned} $$

Finally, this algorithm outputs \((\mathbf{b},\Pi_{trace})\).

Judge\((gpk,\mathbf{b},M,\Pi_{trace},\Sigma,\mathbf{info}_{\tau})\rightarrow 0/1\): Verify the proof \(\Pi_{trace}\) and output 1 if it is valid, otherwise output 0.
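A toy run of the encryption step of Sign and the rounding step of Trace, as an added example that is not code from the paper: it models \(R_q\) as \(\mathbb{Z}_q[x]/(x^N+1)\) with tiny constructed parameters, treats E as one small ring element added to every entry of \(P=\mathbf{S}^{\top}\mathbf{B}+E\) as written above, and covers only the inner layer \((\mathbf{c}_1,\mathbf{c}_2)\); the outer layer \((\mathbf{c}_3,\mathbf{c}_4)\) reuses the same routine and is omitted. The function names and the seeded sample keys are assumptions of the example.

```python
# Added example (not code from the paper): a toy ring-LWE model of the
# encryption used in Sign and of the rounding decryption used in Trace.
# N, Q, K and the {-1,0,1} error distribution are constructed for
# illustration only and are far too small to be secure.
import random

N = 8      # ring degree: R_q = Z_q[x]/(x^N + 1)
Q = 257    # modulus q
K = 8      # vector length k (upk_i is a k-bit string)

def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def poly_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    """Schoolbook product in Z_q[x]/(x^N + 1); x^N wraps around to -1."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                res[i + j] = (res[i + j] + ai * bj) % Q
            else:
                res[i + j - N] = (res[i + j - N] - ai * bj) % Q
    return res

def centered(x):
    """Representative of x mod q in (-q/2, q/2]."""
    return x - Q if x > Q // 2 else x

def inf_norm(p):
    return max(abs(centered(c)) for c in p)

def sample_B(rng):
    """Public vector B in R_q^k, shared by both keys of the double encryption."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(K)]

def keygen(rng, B):
    """(P, S) with P = S^T B + E; S in R_q^k and E in R_q have coefficients in {-1,0,1}."""
    S = [[rng.randint(-1, 1) % Q for _ in range(N)] for _ in range(K)]
    E = [rng.randint(-1, 1) % Q for _ in range(N)]
    P = [[poly_add(poly_mul(S[i], B[j]), E) for j in range(K)] for i in range(K)]
    return P, S

def encrypt(rng, B, P, bits):
    """c = (B.r, P.r + floor(q/2).bits) for a fresh random r in {0,1}^k."""
    r = [rng.randint(0, 1) for _ in range(K)]
    c1 = [0] * N
    for j in range(K):
        if r[j]:
            c1 = poly_add(c1, B[j])
    c2 = []
    for i in range(K):
        acc = [0] * N
        for j in range(K):
            if r[j]:
                acc = poly_add(acc, P[i][j])
        acc[0] = (acc[0] + (Q // 2) * bits[i]) % Q   # the bit sits in the constant term
        c2.append(acc)
    return c1, c2

def decrypt(S, c1, c2):
    """Trace's step: e = c2 - S.c1 = E.|r| + floor(q/2).bit; round e/(q/2) to a bit."""
    bits = []
    for i in range(K):
        e = poly_sub(c2[i], poly_mul(S[i], c1))
        bits.append(1 if abs(centered(e[0])) > Q // 4 else 0)
    return bits

def noise_norm(S, c1, c2, bits):
    """Largest ||e - floor(q/2).bit||_inf over the k components; must stay below q/5."""
    worst = 0
    for i in range(K):
        e = poly_sub(c2[i], poly_mul(S[i], c1))
        e[0] = (e[0] - (Q // 2) * bits[i]) % Q
        worst = max(worst, inf_norm(e))
    return worst

def sign_encrypt(rng, B, P1, P2, upk):
    """The Naor-Yung pair (c_1, c_2): upk encrypted under P_1 and, independently, P_2."""
    return encrypt(rng, B, P1, upk), encrypt(rng, B, P2, upk)

def demo():
    """Constructed run: the opener decrypts c_1 with S_1; S_2 opens c_2 in the proof."""
    rng = random.Random(7)
    B = sample_B(rng)
    P1, S1 = keygen(rng, B)      # opener key pair: osk holds (S_1, E_1)
    P2, S2 = keygen(rng, B)      # second key of the double encryption
    upk = [1, 0, 1, 1, 0, 0, 1, 0]   # constructed member public key upk_i
    c1, c2 = sign_encrypt(rng, B, P1, P2, upk)
    ok = decrypt(S1, *c1) == upk and decrypt(S2, *c2) == upk
    return ok, noise_norm(S1, *c1, upk)
```

With these parameters the decryption noise is bounded by \(k=8\), well below \(q/5\), which is exactly the margin the Trace rounding relies on.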

Finally, a timestamp τ is given to each member of the group; the group manager GM update updates the group information \(\mathbf{info}_{\tau}\) whenever a new user registers or a legitimate member is revoked, which means that a user cannot sign a message M before its registration or after its revocation. Given a group information \(\mathbf{info}_{\tau}\), the timestamp τ is determined uniquely, and vice versa. For any two timestamps \(\tau_{1}<\tau_{2}\), the group information \(\mathbf {info}_{\tau _{1}}\) is published earlier than \(\mathbf {info}_{\tau _{2}}\).

Analysis of the lattice-based FDGS-MDO scheme

In our scheme it is not necessary to reserve a large storage space for the Merkle tree in advance, before any signature is generated: we only extend or update the Merkle hash tree when a user registers or is revoked. Compared with the scheme in Ling et al. (2017), our work saves considerable storage space, and there is no limit on the upper bound of the group size as long as storage allows. In addition, the fact that the scheme is implemented over a ring helps to reduce its computational and space complexity (Table 1).

Table 1 Comparison of lattice-based group signature schemes in (Libert et al. 2016) and (Ling et al. 2017), in terms of efficiency and functionality

Complexity: Given a security parameter λ and the number of legitimate users t, let \(l=\lceil \log t\rceil\), \(n=O(\lambda)\), \(q=\tilde {O}(n^{1.5})=\tilde {O}(c\lambda ^{1.5})\) with a constant c, and \(k=n\log q=O(\lambda \log \lambda)\). Then the size of the group public key \(gpk=(pp,mpk,opk,tpk)\) is \(|gpk|=O(nk)+k+O(k^{2})=O((\lambda \log \lambda)^{2})\), the size of the signing secret key \(gsk_{i}=(\mathbf{bin}(i),\mathbf{upk}_{i},\mathbf{usk}_{i})\) is \(|gsk_{i}|=l+3k=l+O(\lambda \log \lambda)=l+\tilde {O}(\lambda)\), and the size of the signature \(\Sigma=(c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\Pi_{sign})\) is

$$\begin{aligned} |\Sigma|= & |\Pi_{sign}|+|c_{1,1}|+|\mathbf{c}_{2}|+|\mathbf{c}_{3}|+|\mathbf{c}_{4}| \\ = & k'\cdot(|(\mathbf{u}_{j},\hat{\mathbf{u}}_{j})|+|ch_{j}|+|rsp_{j}|)+1+3(k+1)\log q \\ = & k'\cdot(2k+\log p+\log n+2(\log q+k\log k)+2\lambda+D)\\&+1+3(k+1)\log q \\ = & O(l\lambda^{2}) \end{aligned} $$

The soundness error of our underlying protocol is \(\frac {1}{\max {(n,p)}+1}\), so we need to run the protocol \(\frac {\lambda }{\log (\max (n,p)+1)}\) times sequentially to reach a negligible soundness error \(2^{-\lambda}\), and the resulting group signature size is \(O(l\lambda^{2})\). To reach the same soundness error, the underlying protocol in Ling et al. (2017) needs to be executed Θ(λ) times sequentially, and the corresponding group signature size would be \(\tilde {O}(l\lambda ^{2})\). Let the upper bound on the group size in (Ling et al. 2017) and in our work be the same value N, and let \(l=\log N\); then the expected computational complexity of dynamic registration and revocation in the ring counterpart of the scheme in Ling et al. (2017) is O(l), and that of our work is roughly \(\frac {1}{2}O(l)\), so the expected computational complexity drops by almost half. Correspondingly, the space complexity is reduced by the same factor.

The fully dynamic group signature scheme presented in this paper satisfies the following security requirements given in Bootle et al. (2016): correctness, anonymity, non-frameability, traceability, and tracing soundness.

Correctness: We now describe the correctness of our scheme, which follows from the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature \(\Sigma=(c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\Pi_{sign})\) is generated by a legitimate user, then the perfect completeness of the underlying protocol ensures that Σ passes the verification of the algorithm Verify. The algorithm Trace takes the token \(\mathbf{t_{M}}\) output by the algorithm TrapGen as one of its inputs, decrypts the ciphertext \(\mathbf{c}_{3}\) and outputs \(\mathbf{c}_{1,2}\); it then lets \(\mathbf{c}_{1}=(c_{1,1},\mathbf{c}_{1,2})\), decrypts \(\mathbf{c}_{1}\) with its secret key osk and outputs the user public key \(\mathbf{b}=\mathbf{upk}_{i}\) with probability close to 1, together with a proof \(\Pi_{trace}\) accepted by Judge. When decrypting a ciphertext we compute \(\mathbf {e}_{1}=\mathbf {c}_{3,2}-\tilde {\mathbf {S}}_{3}^{\top }c_{3,1}=E_{3}\cdot \mathbf {r}_{3}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {c}_{1,2}\mod q\) and \(\mathbf {e}_{2}=\mathbf {c}_{1,2}-\mathbf {S}_{1}^{\top }c_{1,1}=E_{1}\cdot \mathbf {r}_{1}+\lfloor \frac {q}{2}\rfloor \cdot \mathbf {upk}_{i}\mod q\), and for s=1,2 let \(\mathbf{b}'_{s}=(b'_{s,1},\cdots,b'_{s,l})\), \(\mathbf{e}_{s}=(e_{s,1},\cdots,e_{s,l})\); then for any \(j\in[l]\),

$$ b'_{s,j}=\left\{ \begin{aligned} 0, & if & 0 < |e_{s,j}| < \frac{q}{2} \\ 1, & if & \frac{q}{2} < |e_{s,j}| \end{aligned}\right. $$
(3)

Note that \(\|E_{s'}\cdot \mathbf {r}_{s'}\|_{\infty }<\frac {q}{5}\) for \(s'=1,3\), so \(\mathbf{b}'_{1}=\mathbf{c}_{1,2}\) and \(\mathbf{b}'_{2}=\mathbf{upk}_{i}\) with overwhelming probability. Furthermore, because the user corresponding to \(\mathbf{upk}_{i}\) is legitimate, the witness \(w=(\mathbf{bin}(i-1),\mathbf{w}_{l},\cdots,\mathbf{w}_{1})\) is included in the group information \(\mathbf{info}_{\tau}\), and the value of the related leaf is not \(0^{k}\). So the algorithm Trace can always obtain a tuple \((\mathbf{S}_{1},E_{1},\mathbf{y},\mathbf{t_{M}})\) that satisfies the requirements. Finally, since the proof \(\Pi_{trace}\) is perfectly complete, the algorithm Judge outputs 1 with probability 1.

Theorem 3

The FDGS-MDO scheme satisfies the security requirements of anonymity against admitter, anonymity against opener, unforgeability, traceability and tracing soundness under the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) and ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) assumptions in the RO model.

The proof of the Theorem, which relies on the protocol of the “The improved zero-knowledge protocol of knowledge” section, consists of the following five lemmas.

Lemma 1

Suppose that the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is hard; then the scheme in this paper is anonymous against admitter in the RO model.

Proof

Assume that the number of legitimate users is t and that the adversary \(\mathcal {A}\) and the challenger \(\mathcal {C}\) are PPT algorithms. For two different users \(i_{0}\neq i_{1}\in[t]\) given by \(\mathcal {A}\), we say that the scheme satisfies anonymity if there is a negligible function negl(λ) such that \(\Pr \left [\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)=1\right ]\leq negl(\lambda)\). Given a negligible function negl(λ), we complete this proof by a sequence of hybrid games. Let the output of each game be \(OP_{l}\), \(l\in[9]\).

Game0: Given two different legitimate users \(i_{0}\neq i_{1}\in[t]\) by \(\mathcal {A}\), let b=0; the challenger \(\mathcal {C}\) runs the experiment \(\mathbf {Exp}_{DGS-MDO,\mathcal {A}}^{anonA-b}(\lambda)\) honestly using \(i_{0}\).

Game1: This game is identical to Game0 except that \((\mathbf{S}_{2},E_{2})\) is included in osk, i.e. \(osk=((\mathbf{S}_{1},E_{1}),(\mathbf{S}_{2},E_{2}))\). This change makes no difference to the view of the adversary \(\mathcal {A}\), so \(\Pr[OP_{1}=1]=\Pr[OP_{0}=1]\).

Game2: This game is identical to Game1 except that a simulator \(Sim_{trace}\) is used to simulate the real interactions of the protocol that generates \(\Pi_{trace}\), i.e. the real transcript \(\Pi_{trace}\) is replaced with a simulated transcript of \(Sim_{trace}\). The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of \(\Pi_{trace}\), so \(\Pr[OP_{2}=1]-\Pr[OP_{1}=1]\leq negl(\lambda)\).

Game3: This game is identical to Game2 except that \((\mathbf{S}_{1},E_{1})\) is replaced with \((\mathbf{S}_{2},E_{2})\) when \(Sim_{trace}\) simulates the oracle Trace. For a legitimate signature \((c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\Pi_{sign})\) in which \(\mathbf{c}_{1},\mathbf{c}_{2}\) are encryptions of different strings, let \(F_{1}\) be the event that \(\mathcal {A}\) queries such a signature to the oracle Trace. The view of \(\mathcal {A}\) may change if \(F_{1}\) occurs; however, \(F_{1}\) violates the soundness of the protocol that generates \(\Pi_{sign}\). The change in this game is indistinguishable to \(\mathcal {A}\) except for the event \(F_{1}\), i.e. \(\Pr[OP_{3}=1]-\Pr[OP_{2}=1]\leq\Pr[F_{1}]\leq negl(\lambda)\).

Game4: This game is identical to Game3 except that a simulator \(Sim_{sign}\) is used to simulate the real interactions of the protocol that generates \(\Pi_{sign}\), i.e. the real transcript \(\Pi_{sign}\) is replaced with a simulated transcript of \(Sim_{sign}\). The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of \(\Pi_{sign}\), so \(\Pr[OP_{4}=1]-\Pr[OP_{3}=1]\leq negl(\lambda)\).

Game5: This game is identical to Game4 except that the ciphertext \(\mathbf{c}_{1}\) is changed into an encryption of \(\mathbf {upk}_{i_{1}}\) when the oracle \(\mathbf{Chal}_{b}\) is queried. The difference this change makes to the view of \(\mathcal {A}\) is negligible by the semantic security of the encryption scheme. The challenger responds with \((\mathbf{S}_{2},E_{2})\) during queries to the oracle Trace, so substituting the ciphertext \(\mathbf{c}_{1}\) makes no difference there; hence \(\Pr[OP_{5}=1]-\Pr[OP_{4}=1]=negl(\lambda)\).

Game6: This game is identical to Game5 except that \((\mathbf{S}_{2},E_{2})\) is replaced with \((\mathbf{S}_{1},E_{1})\) when \(Sim_{trace}\) simulates the oracle Trace. For a legitimate signature \((c_{1,1},\mathbf{c}_{2},\mathbf{c}_{3},\mathbf{c}_{4},\Pi_{sign})\) in which \(\mathbf{c}_{1},\mathbf{c}_{2}\) are encryptions of different strings, let \(F_{2}\) be the event that \(\mathcal {A}\) queries such a signature to the oracle Trace, which violates the simulation soundness of the protocol that generates \(\Pi_{sign}\). The change in this game is indistinguishable to \(\mathcal {A}\) except for the event \(F_{2}\), so \(\Pr[OP_{6}=1]-\Pr[OP_{5}=1]\leq\Pr[F_{2}]\leq negl(\lambda)\).

Game7: This game is identical to Game6 except that the ciphertext \(\mathbf{c}_{2}\) is changed into an encryption of \(\mathbf {upk}_{i_{1}}\). The difference this change makes to the view of \(\mathcal {A}\) is negligible by the semantic security of the encryption scheme. The challenger responds with \((\mathbf{S}_{1},E_{1})\) during queries to the oracle Trace, so changing \(\mathbf{c}_{2}\) makes no difference to the view of the adversary; \(\Pr[OP_{7}=1]-\Pr[OP_{6}=1]=negl(\lambda)\).

Game8: This game is identical to Game7 except that the simulator \(Sim_{sign}\) is replaced with the real protocol that generates \(\Pi_{sign}\), i.e. the simulated transcript of \(Sim_{sign}\) is replaced by a real transcript \(\Pi_{sign}\). The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of the protocol \(\Pi_{sign}\), so \(\Pr[OP_{8}=1]-\Pr[OP_{7}=1]\leq negl(\lambda)\).

Game9: This game is identical to Game8 except that the simulator \(Sim_{trace}\) is replaced with the real protocol that generates \(\Pi_{trace}\), i.e. the simulated transcript of \(Sim_{trace}\) is replaced by a real transcript \(\Pi_{trace}\). The two transcripts are statistically indistinguishable because of the statistical zero-knowledge of the protocol \(\Pi_{trace}\), so \(\Pr[OP_{9}=1]-\Pr[OP_{8}=1]\leq negl(\lambda)\).

Finally, we could learn from the games above that the probability:

$${}\begin{aligned} & \Pr[OP_{9}=1]-\Pr[OP_{0}=1] \\ = & \Pr\left[\mathbf{Exp}_{FDGS-MDO,\mathcal{A}}^{anonA-1}(\lambda)\right]-\Pr\left[\mathbf{Exp}_{FDGS-MDO,\mathcal{A}}^{anonA-0}(\lambda)\right] \\ \leq & c\cdot negl(\lambda) \end{aligned} $$

where c is a constant. So, the scheme satisfies the property of anonymity against admitter. □

Lemma 2

Suppose that the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) problem is hard; then the scheme in this paper is anonymous against opener in the RO model.

Proof

Assume that the number of legitimate users is t and that the adversary \(\mathcal {A}\) and the challenger \(\mathcal {C}\) are PPT algorithms. For two different users \(i_{0}\neq i_{1}\in[t]\) given by \(\mathcal {A}\), the proof of anonymity against opener is similar to that of anonymity against admitter, so we do not describe it in detail. □

Lemma 3

Suppose that the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) is hard; then the scheme in this paper is unforgeable in the RO model.

Proof

Suppose that there is a PPT adversary \(\mathcal {A}\) that can forge a valid signature with non-negligible probability ε; then there is a PPT algorithm \(\mathcal {B}\) that can break the security of the Merkle hash tree or solve the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with non-negligible probability by invoking \(\mathcal {A}\) as a black box.

If there is a negligible function negl(λ) such that \(\Pr \left [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\leq negl(\lambda)\), then we say that the scheme is unforgeable. Given a random vector A, the challenger computes the public parameter pp honestly, then invokes the algorithm of \(\mathcal {A}\) and runs the operations of the game \(\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)\); during this process \(\mathcal {B}\) answers the queries of \(\mathcal {A}\) honestly. If the adversary \(\mathcal {A}\) finally wins the game and outputs \(\left (M^{*},\Sigma ^{*},i^{*},\Pi _{trace}^{*},\mathbf {info}_{\tau }\right)\), then there is a non-negligible function ε such that \(\Pr \left [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)=1\right ]\geq \epsilon \), and the algorithm \(\mathcal {B}\) proceeds as follows. Decompose the signature \(\Sigma^{*}\) into \((c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}^{*}_{4},\Pi _{sign}^{*})\), where \(\Pi_{sign}^{*}=\left (\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*},\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}\right)\); because the adversary \(\mathcal {A}\) wins the game \(\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{unforge}(\lambda)\), \(\left \{rsp_{j}^{*}\right \}_{j=1}^{k'}\) is a legitimate response to \(\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch}^{*}\).
Let \(\xi ^{*}=\left (M^{*},\left \{\left (\mathbf {u}^{*}_{j},\hat {\mathbf {u}}^{*}_{j}\right)\right \}_{j=1}^{k'},\mathbf {A},\mathbf {u}_{\tau },\{P_{i}\}_{i=1}^{4}, \mathbf {B},c^{*}_{1,1},\mathbf {c}_{2}^{*},\mathbf {c}_{3}^{*},\mathbf {c}_{4}^{*}\right)\). Since the probability of guessing \(H(\xi^{*})\) correctly is \(\phantom {\dot {i}\!}(np)^{-k'}\), the adversary queries the oracle H on \(\xi^{*}\) with overwhelming probability, and \(\xi^{*}\) is a preimage of H with probability \(\phantom {\dot {i}\!}\epsilon '=\epsilon -(np)^{-k'}\). Let \(t^{*}\in\{1,2,\cdots,Q_{H}\}\) be the index of this query, where \(Q_{H}\) is the number of queries that the adversary \(\mathcal {A}\) makes to the oracle H. The inputs of the hash queries from the 1st to the \(t^{*}\)-th are all \(\xi^{*}\), and \(\mathcal {B}\) runs the operations of \(\mathcal {A}\) \(t^{*}\) times. The inputs of the other hash queries, from the \((t^{*}+1)\)-th to the \(Q_{H}\)-th, are something else, and \(\mathcal {B}\) answers them with independent values. By the forking lemma in (Brickell et al. 2000; Pointcheval and Stern 1999), the probability that \(\mathcal {B}\) obtains \(\max(n,p)+1\) different hash values \(\mathbf {ch}_{t^{*}}^{1},\cdots,\mathbf {ch}_{t^{*}}^{\max (n,p)+1}\in \{[n]\times \mathbb {Z}_{p}\}^{k'}\) for the same input \(\xi^{*}\) is non-negligible, and the pigeonhole principle tells us that there are at least two accepting responses \(\phantom {\dot {i}\!}(rsp_{t^{*},1},rsp_{t^{*},2})\) with the same I and different ch. Then, by the properties of the protocol that generates \(\Pi_{sign}\), we can extract a witness \(\phantom {\dot {i}\!}\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4}\right)\), where \(\phantom {\dot {i}\!}w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots,\mathbf {w}'_{1,\tau }\right) \in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for \(d=1,2\), \(d'=3,4\), \(j\in\{0,\cdots,l-1\}\), we have

$$ \left\{ \begin{aligned} \mathbf{u}_{j,\tau}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if\ i'_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if\ i'_{j+1}=1 \end{aligned} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i'}=\mathbf{G}\cdot \mathbf{upk}_{i'} \\ \mathbf{c}^{*}_{d}=\left(c^{*}_{d,1},\mathbf{c}^{*}_{d,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d},P_{d}\cdot \mathbf{r}'_{d}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i'}\right) \\ \mathbf{c}^{*}_{d'}=\left(c^{*}_{d',1},\mathbf{c}^{*}_{d',2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d'},P_{d'}\cdot \mathbf{r}'_{d'}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}^{*}_{1,2}\right) \end{aligned} \right. $$
(4)

From the correctness of the encryption scheme, \(\mathbf {c}_{1}^{*}\) is an encryption of \(\phantom {\dot {i}\!}\mathbf {upk}_{i'}\) and \(\mathbf {c}_{3}^{*}\) is an encryption of \(\mathbf {c}^{*}_{1,2}\). The algorithm Judge outputs 1 because \(\mathcal {A}\) wins the game, and the soundness of the protocol that generates \(\Pi_{trace}\) gives that \(\mathbf {c}_{1}^{*}\) is an encryption of \(\phantom {\dot {i}\!}\mathbf {upk}_{i^{*}}\); hence \(\phantom {\dot {i}\!}\mathbf {upk}_{i'}=\mathbf {upk}_{i^{*}}\) with overwhelming probability. By the correctness of the Merkle hash tree, the user \(i^{*}\) is legitimate. \(i^{*}\in HUL\setminus BUL\) indicates that the adversary \(\mathcal {A}\) does not know \(\phantom {\dot {i}\!}gsk_{i^{*}}=(\mathbf {bin}(i^{*}-1),\mathbf {upk}_{i'},\mathbf {usk}_{i^{*}})\). \(\phantom {\dot {i}\!}\mathbf {usk}_{i^{*}}\) was chosen by \(\mathcal {B}\) and \(\phantom {\dot {i}\!}\mathbf {A}\cdot \mathbf {usk}_{i^{*}}=\mathbf {G}\cdot \mathbf {upk}_{i'}\), so we have \(\phantom {\dot {i}\!}\Pr [\mathbf {usk}_{i^{*}}\not =\mathbf {usk}_{i'}]\geq \frac {1}{2}\). Let \(\phantom {\dot {i}\!}\mathbf {z}=\mathbf {usk}_{i^{*}}-\mathbf {usk}_{i'}\); then \(\mathbf{z}\neq 0\) and \(\mathbf{A}\mathbf{z}=0 \bmod q\), so the algorithm \(\mathcal {B}\) solves the problem ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) with non-negligible probability. □

Lemma 4

Suppose that the ring-\(\mathbf {SIS}^{\infty }_{n,m,q,1}\) problem is hard; then the scheme in this paper is traceable in the RO model.

Proof

If there is a negligible function negl(λ) such that \(\Pr [\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)=1]\leq negl(\lambda)\), then we say that the scheme is traceable. In other words, if the adversary \(\mathcal {A}\) wins the game \(\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)\), the signature generated by \(\mathcal {A}\) is legitimate and it is traced to a revoked user, or to a legitimate user without a valid proof \(\Pi_{trace}\); next, we explain that the probability that the adversary \(\mathcal {A}\) wins the game is negligible.

Let \((\mathbf{info}_{\tau},M,\Sigma)\) be the forgery of the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace}(\lambda)\); then the challenger can extract the identity \((\mathbf{bin}(i-1),\Pi_{trace})\) by running the algorithm Trace. Decompose the signature Σ into \((c'_{1,1},\mathbf{c}'_{2},\mathbf{c}'_{3},\mathbf{c}'_{4},\Pi_{sign})\), where \(\Pi _{sign}=\left (\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)\). Since \((\mathbf{info}_{\tau},M,\Sigma)\) is a legitimate signature, \(\{rsp_{j}\}_{j=1}^{k'}\) are valid responses to \(\left \{\left (\mathbf {u}_{j},\hat {\mathbf {u}}_{j}\right)\right \}_{j=1}^{k'}, \mathbf {ch}\). Then, as in the proof of unforgeability, we can extract a witness \(\zeta '=\left (\mathbf {usk}_{i'},\mathbf {upk}_{i'},w'_{\tau },\left \{\mathbf {r}'_{i}\right \}_{i=1}^{4}\right)\), where \(w^{\prime }_{\tau }=\left (\mathbf {bin}(i'-1),\mathbf {w}'_{l,\tau },\cdots, \mathbf {w}'_{1,\tau }\right)\in \{0,1\}^{l}\times (\{0,1\}^{k})^{l}\), such that for \(d=1,2\), \(d'=3,4\), \(j\in\{0,\cdots,l-1\}\), we have

$$ \left\{ \begin{aligned} \mathbf{upk}_{i'}\not=0 \\ \mathbf{u}_{j,\tau}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1,\tau},\mathbf{w}_{j+1,\tau}), & if \ i'_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1,\tau},\mathbf{u}_{j+1,\tau}), & if \ i'_{j+1}=1 \end{aligned} \right. \\ \mathbf{A}\cdot \mathbf{usk}_{i'}=\mathbf{G}\cdot \mathbf{upk}_{i'} \\ \mathbf{c}'_{d}=\left(c'_{d,1},\mathbf{c}'_{d,2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d},P_{d}\cdot \mathbf{r}'_{d}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{upk}_{i'}\right) \\ \mathbf{c}'_{d'}=\left(c'_{d',1},\mathbf{c}'_{d',2}\right)=\left(\mathbf{B}\cdot \mathbf{r}'_{d'},P_{d'}\cdot \mathbf{r}'_{d'}+\left\lfloor\frac{q}{2}\right\rceil\cdot\mathbf{c}'_{1,2}\right) \end{aligned} \right. $$
(5)

From the correctness of the encryption scheme, the ciphertext \(\phantom {\dot {i}\!}\mathbf {c}'_{1}\) decrypts to \(\phantom {\dot {i}\!}\mathbf {upk}_{i'}\) and \(\mathbf {c}'_{3}\) decrypts to \(\phantom {\dot {i}\!}\mathbf {c}'_{1,2}\); from the correctness of the algorithm Trace, \(\mathbf{upk}_{i}\) is the plaintext obtained from the ciphertext \(\phantom {\dot {i}\!}\mathbf {c}'_{1}\), so \(\phantom {\dot {i}\!}\mathbf {upk}_{i}=\mathbf {upk}_{i'}\) with overwhelming probability, and the probability that a valid signature is traced to a revoked user is negligible. In fact, the security of the Merkle hash tree gives that the probability that the valid signature above is traced to a revoked user together with a valid proof \(\Pi_{trace}\) is negligible. Since the challenger has the legitimate witness to generate a valid proof \(\Pi_{trace}\), the perfect completeness of the protocol that generates \(\Pi_{trace}\) gives that the algorithm Judge accepts \(\Pi_{trace}\) with probability 1. In conclusion, the scheme in this paper is traceable. □

Lemma 5

The scheme in this paper satisfies the property of tracing soundness in the RO model.

Proof

Suppose that \(\phantom {\dot {i}\!}(M,\Sigma,i_{0},\Pi _{trace,i_{0}}, i_{1},\Pi _{trace,i_{1}},\mathbf {info}_{\tau })\) is the output of the adversary \(\mathcal {A}\) in the game \(\mathbf {Exp}_{FDGS-MDO,\mathcal {A}}^{trace-sound}(\lambda)\); if the game finally outputs 1, i.e. \(\phantom {\dot {i}\!}\mathbf {Judge}(gpk,\mathbf {upk}_{i_{b}},\mathbf {info}_{\tau }, \Pi _{trace},M,\Sigma)=1, i_{0}\not =i_{1}\not =\perp, \mathbf {Verify}(gpk,\mathbf {info}_{\tau },M,\Sigma)=1\), then we say that \(\mathcal {A}\) wins. Given \(\Pi_{trace}\) with \(\phantom {\dot {i}\!}\Pi _{trace}= \left (\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch},\{rsp_{j}\}_{j=1}^{k'}\right)\), the fact that the algorithm Judge outputs 1 indicates that \(\phantom {\dot {i}\!}\{rsp_{j}\}_{j=1}^{k'}\) are legitimate responses to \(\phantom {\dot {i}\!}\{(\mathbf {u}_{j},\hat {\mathbf {u}}_{j})\}_{j=1}^{k'},\mathbf {ch}\). For b=0,1 and j=1,3, similarly to the proof of unforgeability, we can extract \(\mathbf {S}_{1,b},\tilde {\mathbf {S}}_{3,b},E_{j,b},\mathbf {y}_{j,b}\), such that

$$\begin{aligned} \|\mathbf{S}_{1,b}\|_{\infty},\|\tilde{\mathbf{S}}_{3,b}\|_{\infty}\leq\beta,|E_{j,b}|\leq\beta,\|\mathbf{y}_{j,b}\|_{\infty}\leq\left\lceil\frac{q}{5}\right\rceil \\ \mathbf{S}_{1,b}^{\top}\cdot \mathbf{B}+E_{1,b}=P_{1,b}\mod q \\ \tilde{\mathbf{S}}_{3,b}^{\top}\cdot \mathbf{B}+E_{3,b}=P_{3,b}\mod q \\ \mathbf{c}_{3,2}-\tilde{\mathbf{S}}_{3,b}^{\top}\cdot c_{3,1}=\mathbf{y}_{3,b}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{c}_{1,2}\mod q \\ \mathbf{c}_{1,2}-\mathbf{S}_{1,b}^{\top}\cdot c_{1,1}=\mathbf{y}_{1,b}+\left\lfloor\frac{q}{2}\right\rfloor\cdot \mathbf{upk}_{i_{b}}\mod q \end{aligned} $$

then we have

$$ \begin{aligned} \left(\mathbf{S}_{1,0}^{\top}-\mathbf{S}_{1,1}^{\top}\right)\cdot c_{1,1}\,=\,(\mathbf{y}_{1,1}-\mathbf{y}_{1,0})\!+\left\lfloor\frac{q}{2}\right\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\mod q \end{aligned} $$

Suppose that \(\phantom {\dot {i}\!}\mathbf {upk}_{i_{1}}\not =\mathbf {upk}_{i_{0}}\), so \(\|\lfloor \frac {q}{2}\rfloor \cdot (\mathbf {upk}_{i_{1}}-\mathbf {upk}_{i_{0}})\|_{\infty }=\lfloor \frac {q}{2}\rfloor, \|\mathbf {y}_{1,1}-\mathbf {y}_{1,0}\|_{\infty } \leq 2\cdot \lceil \frac {q}{5}\rceil \), and

$$ \|(\mathbf{y}_{1,1}-\mathbf{y}_{1,0})+\lfloor\frac{q}{2}\rfloor\cdot (\mathbf{upk}_{i_{1}}-\mathbf{upk}_{i_{0}})\|_{\infty}>0 $$

then \(\mathbf {S}_{1,0}^{\top }\not =\mathbf {S}_{1,1}^{\top }\), and we have obtained two different solutions of the equation \(\mathbf {S}_{1}^{\top }\cdot \mathbf {B}+E_{1}=P_{1}\mod q\), which contradicts the fact that there is at most one solution to the ring-\(\mathbf {LWE}_{n,m,q,\mathcal {X}}\) sample \((\mathbf{B},P_{1})\). So \(\phantom {\dot {i}\!}\mathbf {upk}_{i_{1}}=\mathbf {upk}_{i_{0}}\) with overwhelming probability. Similarly, for two strings \(\mathbf{c}_{1,2}\) and \(\phantom {\dot {i}\!}\mathbf {c}'_{1,2}\) extracted w.r.t. one ciphertext \(\mathbf{c}_{3}\), \(\phantom {\dot {i}\!}\mathbf {c}_{1,2}=\mathbf {c}'_{1,2}\) also holds with overwhelming probability. In other words, the probability that \(\mathcal {A}\) wins is negligible, so the scheme in this paper satisfies the property of tracing soundness. □

The improved zero-knowledge protocol of knowledge

Details of the protocol

Suppose that the number of legitimate members in the group is t≥1 at time τ. For \(d=1,2\), \(d'=3,4\), \(i\in[t]\), \(j\in[l-1]\), the underlying zero-knowledge protocol is used to prove the following relations, using the extending and permuting techniques (Stern 1996; Ling et al. 2017).

$$ \left\{ \begin{aligned} \mathbf{upk}_{i}\not=0 \\ \mathbf{u}_{j}=\left\{ \begin{aligned} h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1}), & if\ i_{j+1}=0 \\ h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1}), & if\ i_{j+1}=1 \end{aligned} \hspace{5mm}(\star) \right. \\ \mathbf{upk}_{i}=\mathbf{bin}(\mathbf{A}\cdot \mathbf{usk}_{i}) \\ \mathbf{c}_{d}=(c_{d,1},\mathbf{c}_{d,2})=(\mathbf{B}\cdot \mathbf{r}_{d},P_{d}\cdot \mathbf{r}_{d}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{upk}_{i}) \\ \mathbf{c}_{d'}=(c_{d',1},\mathbf{c}_{d',2})=(\mathbf{B}\cdot \mathbf{r}_{d'},P_{d'}\cdot \mathbf{r}_{d'}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{c}_{1,2}) \end{aligned} \right. $$
(6)

Given a bit b and a vector a, let \(\mathbf {ext}(b,\mathbf {a})=(\bar {b}\cdot \mathbf {a},b\cdot \mathbf {a})^{\top }, \mathbf {ext}_{2}(b)=(\bar {b},b)^{\top }\). Given a bit \(b'\) and a vector \(\phantom {\dot {i}\!}\mathbf {a'}\), we obtain similarly \(\phantom {\dot {i}\!}\mathbf {ext}(b',\mathbf {a'})=(\bar {b'}\cdot \mathbf {a'},b'\cdot \mathbf {a'})^{\top }, \mathbf {ext}_{2}(b')=(\bar {b'},b')^{\top }\). Then we have the following equivalence:

$$\begin{aligned} (\star) & \Leftrightarrow \bar{i}_{j+1}\cdot h_{\mathbf{A}}(\mathbf{u}_{j+1},\mathbf{w}_{j+1})+i_{j+1}\cdot h_{\mathbf{A}}(\mathbf{w}_{j+1},\mathbf{u}_{j+1})=\mathbf{u}_{j} \\ & \Leftrightarrow \bar{i}_{j+1}\!\cdot \!(\mathbf{A}_{0} \mathbf{u}_{j+1}\!+\mathbf{\!A}_{1}\mathbf{w}_{j+1})\,+\,i_{j+1}\!\cdot\! (\mathbf{A}_{0} \mathbf{w}_{j+1}\,+\,\mathbf{A}_{1}\mathbf{u}_{j+1})\!=\mathbf{\!G}\mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \left(\begin{aligned} \bar{i}_{j+1}\cdot \mathbf{u}_{j+1}\\ i_{j+1}\cdot \mathbf{u}_{j+1} \end{aligned}\right) +\mathbf{A}\cdot \left(\begin{aligned} i_{j+1}\cdot \mathbf{w}_{j+1}\\ \bar{i}_{j+1}\cdot \mathbf{w}_{j+1} \end{aligned}\right) =\mathbf{G}\cdot \mathbf{u}_{j} \mod q \\ & \Leftrightarrow \mathbf{A}\cdot \mathbf{ext}(i_{j+1},\mathbf{u}_{j+1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{j+1},\mathbf{w}_{j+1})=\mathbf{G}\cdot \mathbf{u}_{j} \mod q \end{aligned} $$

Then for \(d\in \{1,2\}\), \(d'\in \{3,4\}\), \(i\in [t]\) and \(\mathbf {bin}(i-1)=(i_{1},\ldots,i_{l})\), Eq. (2) is equivalent to the following system:

$$ \left\{ \begin{aligned} \mathbf{A}\cdot \mathbf{ext}(i_{1},\mathbf{u}_{1})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{1},\mathbf{w}_{1})-\mathbf{G}\cdot \mathbf{u}=0 \mod q \\ \mathbf{A}\cdot \mathbf{ext}(i_{2},\mathbf{u}_{2})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{2},\mathbf{w}_{2})-\mathbf{G}\cdot \mathbf{u}_{1}=0 \mod q \\ \hspace{2cm} \cdots \\ \mathbf{A}\cdot \mathbf{ext}(i_{l},\mathbf{upk}_{i})+\mathbf{A}\cdot \mathbf{ext}(\bar{i}_{l},\mathbf{w}_{l})-\mathbf{G}\cdot \mathbf{u}_{l-1}=0 \mod q \\ \mathbf{A}\cdot \mathbf{usk}_{i}-\mathbf{G}\cdot \mathbf{upk}_{i}=0\mod q \\ c_{d,1}=\mathbf{B}\cdot \mathbf{r}_{d}\mod q \\ \mathbf{c}_{d,2}=P_{d}\cdot \mathbf{r}_{d}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{upk}_{i}\mod q \\ c_{d',1}=\mathbf{B}\cdot \mathbf{r}_{d'}\mod q \\ \mathbf{c}_{d',2}=P_{d'}\cdot \mathbf{r}_{d'}+\lfloor\frac{q}{2}\rceil\cdot\mathbf{c}_{1,2}\mod q \end{aligned} \right. $$
(7)

Let \(\mathbf {B}_{n}^{2n}\) be the set of strings of length 2n with Hamming weight exactly n. To prove that the user’s public key satisfies \(\mathbf {upk}_{i}\neq 0^{k}\), we pad \(\mathbf {upk}_{i}\) with a random string of length k−1 to obtain a new string \(\mathbf {upk}_{i}^{*}\) such that \(\mathbf {upk}_{i}^{*}\in \mathbf {B}_{k}^{2k-1}\) (this is possible exactly when \(\mathbf {upk}_{i}\) has weight at least 1). Then for any permutation \(\pi _{\mathbf {upk}_{i}}\in \mathcal {S}_{2k-1}\), we have

$$ \mathbf{upk}_{i}\not=0^{k}\Leftrightarrow \mathbf{upk}_{i}^{*}\in\mathbf{B}_{k}^{2k-1} \Leftrightarrow \pi_{\mathbf{upk}_{i}}(\mathbf{upk}_{i}^{*})\in\mathbf{B}_{k}^{2k-1} $$

We perform the same operation on \(\mathbf {c}_{1,2}\) to obtain \(\mathbf {c}_{1,2}^{*}\in \mathbf {B}_{k}^{2k-1}\), and on each \(\mathbf {usk}_{i}\) to obtain \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m}\); for any \(\pi _{\mathbf {usk}_{i}}\in \mathcal {S}_{2m}\) we have \(\mathbf {usk}_{i}^{*}\in \mathbf {B}_{m}^{2m} \Leftrightarrow \pi _{\mathbf {usk}_{i}}(\mathbf {usk}_{i}^{*})\in \mathbf {B}_{m}^{2m}\). Similarly, extend the vectors \(\mathbf {u}_{1},\ldots,\mathbf {u}_{l-1},\mathbf {w}_{1},\ldots,\mathbf {w}_{l},\mathbf {r}_{1},\ldots,\mathbf {r}_{4}\) to obtain \(\mathbf {u}_{1}^{*},\ldots,\mathbf {u}_{l-1}^{*}, \mathbf {w}_{1}^{*},\ldots,\mathbf {w}_{l}^{*}\in \mathbf {B}_{k}^{2k}\) and \(\mathbf {r}_{1}^{*},\ldots,\mathbf {r}_{4}^{*}\in \mathbf {B}_{k}^{2k}\). Then let \(\hat {\mathbf {u}}_{1}=\mathbf {ext}(i_{1},\mathbf {u}_{1}^{*}),\ldots,\hat {\mathbf {u}}_{l-1}=\mathbf {ext}(i_{l-1},\mathbf {u}_{l-1}^{*})\in \{0,1\}^{4k}\), \(\hat {\mathbf {upk}}_{i}=\mathbf {ext}(i_{l},\mathbf {upk}_{i}^{*})\in \{0,1\}^{4k-2}\), and \(\hat {\mathbf {w}}_{1}=\mathbf {ext}(\bar {i}_{1},\mathbf {w}_{1}^{*}),\ldots,\hat {\mathbf {w}}_{l}=\mathbf {ext}(\bar {i}_{l}, \mathbf {w}_{l}^{*})\in \{0,1\}^{4k}\).

Given \(\mathbf {upk}_{i}=(upk_{i1},\ldots,upk_{ik})\), for any \(j\in [k]\) let \(\mathbf {upk}'_{ij}=\mathbf {ext}_{2}(upk_{ij})\). For any \(b\in \{0,1\}\) and \(\mathbf {t}=(t_{0},t_{1})\in \mathbb {Z}^{2}\), let \(T_{b}(\mathbf {t})=(t_{b},t_{\bar {b}})\). Then for any \(b_{j}\in \{0,1\}\), we have \(\mathbf {upk}'_{ij}=\mathbf {ext}_{2}(upk_{ij})\Leftrightarrow T_{b_{j}}(\mathbf {upk'}_{ij})=\mathbf {ext}_{2}(upk_{ij}\oplus b_{j})\). Because \(b_{j}\) is chosen uniformly at random, this operation amounts to a one-time pad of the user’s bit \(upk_{ij}\) with \(b_{j}\), which hides it perfectly. For \(\mathbf {c}_{1,2}\) and \(\mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}\) we apply the same operations.

Let \(r\in \{2k-1,2k\}, b\in \{0,1\}, \pi \in \mathcal {S}_{r}, \mathbf {t}=(t_{0},t_{1})^{T}\in \mathbb {Z}^{2r}, \mathbf {t'}=(t'_{0},t'_{1})\in \mathbb {Z}^{2}\); we define the permutations \(F_{b,\pi }(\mathbf {t})=(\pi (t_{b}),\pi (t_{\bar {b}}))\) and \(F_{b,\pi }(\mathbf {t'})=(\pi (t'_{b}),\pi (t'_{\bar {b}}))\). Then for all \(b_{1},\ldots,b_{l}\in \{0,1\}\), \(\phi _{\mathbf {u},1},\ldots,\phi _{\mathbf {u},l-1},\phi _{\mathbf {w},1},\ldots,\phi _{\mathbf {w},l}\in \mathcal {S}_{2k}\) and \(\pi _{\mathbf {upk}_{i}},\pi _{\mathbf {c}_{1}}\in \mathcal {S}_{2k-1}\), the following relationships hold:

$$ \begin{aligned} \left\{ \begin{aligned} \forall j\in[l-1], \hat{\mathbf{u}}_{j}=\mathbf{ext}(i_{j},\mathbf{u}_{j}^{*})\Leftrightarrow F_{b_{j},\phi_{\mathbf{u},j}}(\hat{\mathbf{u}}_{j})=\mathbf{ext}(i_{j}\oplus b_{j},\phi_{\mathbf{u},j}(\mathbf{u}_{j}^{*})) \\ \forall j\in[l], \hat{\mathbf{w}}_{j}=\mathbf{ext}(\bar{i}_{j},\mathbf{w}_{j}^{*})\Leftrightarrow F_{b_{j},\phi_{\mathbf{w},j}}(\hat{\mathbf{w}}_{j})=\mathbf{ext}(\bar{i}_{j}\oplus b_{j},\phi_{\mathbf{w},j}(\mathbf{w}_{j}^{*})) \\ \hat{\mathbf{upk}_{i}}=\mathbf{ext}(i_{l},\mathbf{upk}_{i}^{*})\Leftrightarrow F_{b_{l},\pi_{\mathbf{upk}_{i}}}(\hat{\mathbf{upk}_{i}})=\mathbf{ext}(i_{l}\oplus b_{l},\pi_{\mathbf{upk}_{i}}(\mathbf{upk}_{i}^{*})) \\ \hat{\mathbf{c}_{1,2}}=\mathbf{ext}(i_{l},\mathbf{c}_{1,2}^{*})\Leftrightarrow F_{b_{l},\pi_{\mathbf{c}_{1,2}}}(\hat{\mathbf{c}_{1,2}})=\mathbf{ext}(i_{l}\oplus b_{l},\pi_{\mathbf{c}_{1,2}}(\mathbf{c}_{1,2}^{*})) \end{aligned} \right. \end{aligned} $$
(8)

Let

$$\begin{aligned} \mathbf{z}=(\mathbf{u}_{1}^{*}\|\hat{\mathbf{u}}_{1}\|\hat{\mathbf{w}}_{1}\|\cdots\|\mathbf{u}_{l-1}^{*}\|\hat{\mathbf{u}}_{l-1}\|\hat{\mathbf{w}}_{l-1}\|\mathbf{upk}_{i}^{*}\|\hat{\mathbf{upk}_{i}}\|\\ \mathbf{c}_{1,2}^{*}\|\hat{\mathbf{c}_{1,2}}\|\hat{\mathbf{w}}_{l}\|\mathbf{usk}_{i}^{*}\|\mathbf{r}_{1}^{*}\|\cdots\|\mathbf{r}_{4}^{*}\|\mathbf{upk}'_{i1}\|\cdots\|\mathbf{upk}'_{ik}) \end{aligned} $$

then \(\mathbf {z}\in \{0,1\}^{10kl+2m+16k-6}\), and equation (4) can be unified into the single equation \(\mathbf {A}\cdot \mathbf {z}=\mathbf {U}\bmod q\), where A and U can be computed from the public parameters. Let VALID be the set of vectors in \(\{0,1\}^{10kl+2m+16k-6}\) that satisfy the relationships above, and let \(\bar {\mathcal {S}}=\mathcal {S}_{2k}^{2l-1}\times \mathcal {S}^{2}_{2k-1}\times \mathcal {S}_{2m}\times \mathcal {S}_{2k}^{4}\times \{0,1\}^{l}\). For any

$$\begin{aligned} \eta= & ((\phi_{\mathbf{u},1},\cdots,\phi_{\mathbf{u},l-1},\phi_{\mathbf{w},1},\cdots,\phi_{\mathbf{w},l}),\pi_{\mathbf{upk}_{i}},\\ & \pi_{\mathbf{c}_{1,2}},\pi_{\mathbf{usk}_{i}},(\pi_{r,1},\cdots,\pi_{r,4}),(b_{1},\cdots,b_{l}))\in\bar{\mathcal{S}} \end{aligned} $$

let \(\Gamma _{\eta }\) be the corresponding permutation on strings in \(\{0,1\}^{10kl+2m+16k-6}\); then we have

$$ \mathbf{z}\in \mathbf{VALID} \Leftrightarrow \Gamma_{\eta}(\mathbf{z})\in \mathbf{VALID} $$

After that, we can use our protocol together with the equivalence above to prove that \(\mathbf {z}\in \mathbf {VALID}\) and \(\mathbf {A}\cdot \mathbf {z}=\mathbf {U}\bmod q\). Let D=10kl+2m+16k−6; the protocol is presented in Algorithm 1, where the commitment \(Com:\{0,1\}^{*}\times \{0,1\}^{m}\rightarrow \mathbb {Z}_{q}^{n}\) is a string commitment scheme that is statistically hiding and computationally binding (Kawachi et al. 2008).
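The mechanism that makes the permutation step sound and hiding is easiest to see on one (a*, â) block of z. The following is an added example, not code from the paper: it implements ext, the padding to \(\mathbf {B}_{n}^{2n}\), the permutation \(F_{b,\pi }\) and \(\Gamma _{\eta }\) restricted to one block, and then checks three things for small, constructed parameters: that the all-zero key cannot be padded into \(\mathbf {B}_{k}^{2k-1}\) while any nonzero key can; that \(\Gamma _{\eta }\) maps valid blocks to valid blocks and malformed blocks to malformed blocks; and that the bit readable from the permuted block is i⊕b, i.e. the one-time-padded bit. Permutations are represented as index lists, and k, the trial counts and the seeds are arbitrary choices for the demonstration.

```python
import random


def ext(b, a):
    """ext(b, a) = (b̄·a ‖ b·a): (a ‖ 0) when b = 0 and (0 ‖ a) when b = 1."""
    return [(1 - b) * x for x in a] + [b * x for x in a]


def extend_to_weight(a, n, length, rng):
    """Append random bits to a so that the result has length `length` and
    Hamming weight exactly n (i.e. lies in B_n^length). None if impossible."""
    need = n - sum(a)
    pad_len = length - len(a)
    if need < 0 or need > pad_len:
        return None
    pad = [1] * need + [0] * (pad_len - need)
    rng.shuffle(pad)
    return a + pad


def in_B(v, n, length):
    """Membership test for B_n^length."""
    return v is not None and len(v) == length and sum(v) == n


def apply_perm(pi, v):
    """Apply the permutation pi (given as a list of source indices) to v."""
    return [v[pi[j]] for j in range(len(v))]


def F(b, pi, t):
    """F_{b,π}(t0 ‖ t1) = (π(t_b) ‖ π(t_{b̄})) for t = t0 ‖ t1 with |t0| = |t1|."""
    r = len(t) // 2
    t0, t1 = t[:r], t[r:]
    tb, tnb = (t0, t1) if b == 0 else (t1, t0)
    return apply_perm(pi, tb) + apply_perm(pi, tnb)


def is_valid_block(a_star, a_hat, n, length):
    """One block of VALID: a* in B_n^length and â = ext(i, a*) for some bit i."""
    return in_B(a_star, n, length) and a_hat in (ext(0, a_star), ext(1, a_star))


def bit_of(a_star, a_hat):
    """The bit i encoded by a well-formed â = ext(i, a*); None if malformed."""
    if a_hat == ext(0, a_star):
        return 0
    if a_hat == ext(1, a_star):
        return 1
    return None


def gamma_block(a_star, a_hat, b, pi):
    """Γ_η restricted to one (a*, â) block: (π(a*), F_{b,π}(â))."""
    return apply_perm(pi, a_star), F(b, pi, a_hat)


def upk_nonzero_check(k, seed=0):
    """upk_i ≠ 0^k ⟺ upk_i^* ∈ B_k^{2k-1}: the all-zero key cannot be padded
    with k-1 bits to reach weight k, whereas every nonzero key can."""
    rng = random.Random(seed)
    zero_key = [0] * k
    nonzero_key = [0] * (k - 1) + [1]      # weight 1: the hardest nonzero case
    return (extend_to_weight(zero_key, k, 2 * k - 1, rng) is None,
            in_B(extend_to_weight(nonzero_key, k, 2 * k - 1, rng), k, 2 * k - 1))


def permutation_check(k, trials, seed=1):
    """For random blocks and random (b, π): Γ_η keeps valid blocks valid, keeps
    malformed blocks invalid, and the bit visible after Γ_η is i ⊕ b."""
    rng = random.Random(seed)
    for _ in range(trials):
        a = [rng.randint(0, 1) for _ in range(k)]        # constructed witness part
        a_star = extend_to_weight(a, k, 2 * k, rng)
        i, b = rng.randint(0, 1), rng.randint(0, 1)
        a_hat = ext(i, a_star)
        pi = list(range(2 * k))
        rng.shuffle(pi)
        p_star, p_hat = gamma_block(a_star, a_hat, b, pi)
        if not is_valid_block(p_star, p_hat, k, 2 * k):
            return False
        if bit_of(p_star, p_hat) != i ^ b:               # verifier sees only i ⊕ b
            return False
        # a block whose â is not ext(i, a*) must stay invalid under Γ_η
        bad_hat = a_hat[:]
        bad_hat[0] ^= 1
        if is_valid_block(*gamma_block(a_star, bad_hat, b, pi), k, 2 * k):
            return False
    return True
```

Because \(F_{b,\pi }\) is invertible by \(F_{b,\pi ^{-1}}\), the map on blocks is a bijection that sends the valid set onto itself; that is exactly why revealing \(\Gamma _{\eta }(\mathbf {z})\) convinces the verifier that z is well-formed without revealing the index bits, since b is uniform and never opened together with z.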

Security analysis of the protocol

Theorem 4

Suppose that the commitment scheme used in this paper is statistically hiding and computationally binding; then our new zero-knowledge protocol satisfies completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge.

Proof

Denote \(rsp=((\mathbf {com}_{I},w_{I}),(\mathbf {com}_{Ich},w_{Ich}),(\mathbf {r}'_{I},\mathbf {r}_{Ich},\mathbf {x}_{I}))\); we prove completeness, (max(n,p)+1)-special soundness and special honest-verifier zero knowledge separately:

Completeness: Suppose that the prover and verifier have run each step of the protocol honestly, then \(\mathbf {u}'=\mathbf {u} \wedge \hat {\mathbf {u}}'=\hat {\mathbf {u}}\) is true with overwhelming probability by the definition of TDA, and we have

$$ \mathbf{y}_{I}=\mathbf{A}'\mathbf{x}_{I}-ch\mathbf{U}\mod q=\mathbf{A}'\mathbf{r}_{I}+ch\mathbf{A}'\mathbf{z}-ch\mathbf{U}\mod q. $$

So if z is a solution to the instance (U,A), then \(\mathbf {U}=\mathbf {A}\mathbf {z}\bmod q\), which means that \(\mathbf {y}_{I}=\mathbf {A}'\mathbf {r}_{I}\bmod q\), and the completeness of the protocol follows from the binding of the commitment scheme.

(max(n,p)+1)-special soundness: If there are max(n,p)+1 valid transcripts, the pigeonhole principle tells us that at least two accepting transcripts share the same I and have different ch. Suppose \(\left ((\mathbf {u},\hat {\mathbf {u}}),(I,ch),\left ((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),\left (\mathbf {r}'_{I}, \mathbf {r}_{Ich},\mathbf {x}_{I}\right)\right)\right)\) and \(((\mathbf {u},\hat {\mathbf {u}}),(I,ch'),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich'},w_{Ich'}), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I})))\) are two valid transcripts with \(ch\neq ch'\). Then one can efficiently extract either a collision of the hash function \(h_{\mathbf {A}}\in \mathcal {H}\) or a witness z such that \(\mathbf {U}=\mathbf {A}\mathbf {z}\), using the binding of the commitment scheme.

Suppose that ((auxI,comI),(I,ch),(rI′,rIch,xI)) and \(\phantom {\dot {i}\!}((\mathbf {aux}_{I},\mathbf {com}_{I}),(I,ch'), (\mathbf {r}'_{I},\mathbf {r}_{Ich'}, \mathbf {x}'_{I}))\) are two valid transcripts that are accepted by verifier. Let \(\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {A}'\mathbf {x}_{I}-ch\mathbf {U}\mod q\) and \(\phantom {\dot {i}\!}\mathbf {y}'_{I}=\mathbf {A}'\mathbf {x}'_{I}-ch'\mathbf {U}\mod q\), then we have \(\phantom {\dot {i}\!}\mathbf {com}_{I}=\mathbf {Com}\left (\mathbf {y}_{I},\mathbf {r}'_{I}\right)=\mathbf {Com}\left (\mathbf {y}'_{I},\mathbf {r}'_{I}\right)\), so the binding of the commitment implies that \(\phantom {\dot {i}\!}\mathbf {y}_{I}=\mathbf {y}'_{I}\), i.e. \(\phantom {\dot {i}\!}\mathbf {A}'(\mathbf {x}_{I}-\mathbf {x}'_{I})=(ch-ch')\mathbf {U}\).

In addition, \(\mathbf {com}_{Ich}=\mathbf {Com}(\mathbf {r}_{I}+ch\mathbf {z}\bmod q,\mathbf {r}_{Ich})=\mathbf {Com}(\mathbf {x}_{I},\mathbf {r}_{Ich})\) and \(\mathbf {com}_{Ich'}=\mathbf {Com}(\mathbf {r}_{I}+ch'\mathbf {z}\bmod q,\mathbf {r}_{Ich'}) =\mathbf {Com}(\mathbf {x}'_{I},\mathbf {r}_{Ich'})\), so \(\mathbf {x}_{I}=\mathbf {r}_{I}+ch\mathbf {z}\bmod q\) and \(\mathbf {x}'_{I}=\mathbf {r}_{I}+ch'\mathbf {z}\bmod q\) by the binding of the commitment.

$$\left. \begin{aligned} \mathbf{y}_{I}=\mathbf{y}'_{I}\\ \mathbf{A}'\mathbf{x}_{I}-ch\mathbf{U}\mod q=\mathbf{y}_{I}\\ \mathbf{A}'\mathbf{x}'_{I}-ch'\mathbf{U}\mod q=\mathbf{y}'_{I}\\ \mathbf{x}_{I}=\mathbf{r}_{I}+ch\mathbf{z}\mod q\\ \mathbf{x}'_{I}=\mathbf{r}_{I}+ch'\mathbf{z}\mod q \end{aligned} \right\}\Longrightarrow \mathbf{x}_{I}-\mathbf{x}'_{I}=(ch-ch')\mathbf{z} $$

Then one can compute z efficiently as a solution of the instance (U,A).
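The extraction step above, written out as an added example (not the paper's code) over constructed small parameters: a random matrix A over \(\mathbb {Z}_{q}\), a binary witness z, and one masking vector \(\mathbf {r}_{I}\) reused in two transcripts with challenges ch ≠ ch′. The code checks that both transcripts recommit to the same \(\mathbf {y}_{I}=\mathbf {A}'\mathbf {r}_{I}\) (which is what the commitment binding forces the verifier's two recomputations to agree on), then recovers z as \((\mathbf {x}_{I}-\mathbf {x}'_{I})\cdot (ch-ch')^{-1}\bmod q\). The inverse exists because q is taken prime and the challenges lie in \(\mathbb {Z}_{p}\) with p < q, so ch−ch′ is a nonzero residue; the concrete n, D, q, p and seed are arbitrary demonstration values.

```python
import random


def matvec(A, v, q):
    """A·v mod q for a matrix A given as a list of rows."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in A]


def prover_response(r_I, z, ch, q):
    """x_I = r_I + ch·z mod q: the response the prover opens for challenge ch."""
    return [(r + ch * zi) % q for r, zi in zip(r_I, z)]


def verifier_y(A, x_I, U, ch, q):
    """y_I = A'·x_I − ch·U mod q: the value the verifier recommits to."""
    Ax = matvec(A, x_I, q)
    return [(a - ch * u) % q for a, u in zip(Ax, U)]


def extract_witness(x_I, x_I2, ch, ch2, q):
    """Special-soundness extractor for two accepting transcripts that share
    (I, r_I) but have ch ≠ ch':  x_I − x'_I = (ch − ch')·z  ⇒
    z = (x_I − x'_I)·(ch − ch')^{-1} mod q.  Needs (ch − ch') invertible mod q."""
    d = (ch - ch2) % q
    if d == 0:
        raise ValueError("challenges must differ modulo q")
    inv = pow(d, -1, q)                       # q prime, so every nonzero d is invertible
    return [((a - b) * inv) % q for a, b in zip(x_I, x_I2)]


def soundness_demo(n=4, D=12, q=97, p=5, seed=7):
    """Build a constructed instance (U, A) with a known binary witness z, produce
    two transcripts with the same r_I and distinct challenges, and return
    (both y_I agree with A'·r_I, extracted z equals the real z, A·z_ext = U)."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(D)] for _ in range(n)]
    z = [rng.randint(0, 1) for _ in range(D)]   # binary witness
    U = matvec(A, z, q)
    r_I = [rng.randrange(q) for _ in range(D)]  # masking vector derived from seed_I
    ch, ch2 = rng.sample(range(p), 2)           # two distinct challenges in Z_p
    x1 = prover_response(r_I, z, ch, q)
    x2 = prover_response(r_I, z, ch2, q)
    same_y = (verifier_y(A, x1, U, ch, q)
              == verifier_y(A, x2, U, ch2, q)
              == matvec(A, r_I, q))
    z_ext = extract_witness(x1, x2, ch, ch2, q)
    return same_y, z_ext == z, matvec(A, z_ext, q) == U
```

Note that the extractor only guarantees \(\mathbf {A}\cdot \mathbf {z}=\mathbf {U}\bmod q\); that the recovered z is binary and lies in VALID is what the permutation check of the protocol enforces separately, which is why both relations are proved in one run.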

Special honest-verifier zero knowledge: In this proof, we construct a PPT simulator \(\mathcal {S}\) with inputs \((\mathbf {U},\mathbf {A})\), \(\{seed_{i}\}_{i\in [n]}\) and (I,ch); it interacts with a (possibly dishonest) verifier and does the following:

  1. Sample \(\mathbf {r}'_{I}\stackrel {\$}{\leftarrow }\{0,1\}^{m}\), and compute \(\mathbf {r}_{I},\mathbf {r}_{Ich}\) from \(seed_{I}\).

  2. Compute \(\mathbf {com}_{I}=\mathbf {Com}(\mathbf {A}'\mathbf {r}_{I}\bmod q,\mathbf {r}'_{I})\) honestly, and commit to random dummy values to obtain the commitments \(\mathbf {com}_{i}\) for \(i\neq I\).

  3. Compute a vector z by Gaussian elimination such that \(\mathbf {U}=\mathbf {A}\mathbf {z}\bmod q\).

  4. Compute \(\mathbf {x}'_{I}=\mathbf {r}_{I}+ch\mathbf {z}\bmod q\) and \(\mathbf {com}_{Ich}=\mathbf {Com}(\mathbf {x}'_{I},\mathbf {r}_{Ich})\), and commit to random dummy values to obtain the commitments \(\mathbf {com}_{ic}\) for all \(i\neq I\) and \(c\neq ch\).

  5. Run \(\mathbf {TDA}(n,\mathbf {Bin}(\mathbf {com}_{i}))\) for \(i\in [n]\) and \(\mathbf {TDA}(np,\mathbf {Bin}(\mathbf {com}_{ic}))\) for \(i\in [n], c\in \mathbb {Z}_{p}\), and output the roots \(\mathbf {u}'\) and \(\hat {\mathbf {u}}'\) respectively.

  6. Output the transcript \(((\mathbf {u}',\hat {\mathbf {u}}'),(I,ch),((\mathbf {com}_{I},w_{I}), (\mathbf {com}_{Ich},w_{Ich}),(\mathbf {r}'_{I},\mathbf {r}_{Ich}, \mathbf {x}'_{I})))\).

It is clear that \((\mathbf {r}'_{I},\mathbf {r}_{Ich},\mathbf {x}'_{I})\) and the corresponding part of a real transcript are both uniformly distributed in \(\{0,1\}^{2\lambda }\times \{0,1\}^{D}\) and hence follow the same distribution. \((\mathbf {com}_{I},\mathbf {com}_{Ich})\) and the corresponding real values are statistically indistinguishable by the hiding property of the commitment. By the definition of the collision-resistant hash function, both \((w_{I},w_{Ich})\) and the corresponding real values are indistinguishable from uniform, so they are indistinguishable from each other. Because the commitments \(\mathbf {com}_{i},\mathbf {com}_{ic}\) for all \(i\neq I, c\neq ch\) are never opened, the indistinguishability of \((\mathbf {u}',\hat {\mathbf {u}}')\) also follows from the hiding property of the commitment and the definition of the hash function. So the transcript output by \(\mathcal {S}\) and a real transcript of the protocol are computationally indistinguishable. □

Conclusion

In this paper, we give a new ring-based fully dynamic group signature scheme with message-dependent opening. Its efficiency is improved by an improved underlying zero-knowledge proof of knowledge that has a smaller soundness error than Stern-like protocols. This modification helps to bring down the communication complexity of the underlying zero-knowledge protocol and hence the computational and space complexity of the group signature scheme. In addition, we add another participant, an admitter, to our scheme to constrain the power of the trace manager. The admitter can generate tokens with respect to messages using its secret key, so that the trace manager can only open signatures of messages specified by the admitter.

Availability of data and materials

Not applicable.

References

  1. Beullens, W (2020) Sigma protocols for MQ, PKP and SIS, and fishy signature schemes. In: Canteaut A, Ishai Y (eds) Proceedings of Conference EUROCRYPT: 10-14 May 2020, 183–211. Springer, Zagreb.

  2. Bootle, J, Cerulli A, Chaidos P, Ghadafi E, Groth J (2016) Foundations of fully dynamic group signatures. In: Manulis M, Sadeghi A-R, Schneider S (eds) Proceedings of Conference ACNS: 19-22 June 2016, 117–136. Springer, Guildford.

  3. Brickell, E, Pointcheval D, Vaudenay S, Yung M (2000) Design validations for discrete logarithm based signature schemes. In: Imai H, Zheng Y (eds) Proceedings of Conference PKC: 18-20 January 2000, 276–292. Springer, Melbourne.

  4. Canetti, R, Halevi S, Katz J (2004) Chosen-ciphertext security from identity-based encryption. In: Cachin C, Camenisch J (eds) Proceedings of Conference EUROCRYPT: 2-6 May 2004, 207–222. Springer, Interlaken.

  5. Chaum, D, van Heyst E (1991) Group signatures. In: Davies DW (ed) Proceedings of Conference EUROCRYPT: 8-11 April 1991, 257–265. Springer, Brighton.

  6. Gordon, SD, Katz J, Vaikuntanathan V (2010) A group signature scheme from lattice assumptions. In: Abe M (ed) Proceedings of Conference ASIACRYPT: 5-9 December 2010, 395–412. Springer, Singapore.

  7. Hazay, C, Lindell Y (2010) Sigma protocols and efficient zero-knowledge. In: Efficient Secure Two-Party Protocols. Information Security and Cryptography. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14303-8_6.

  8. Katsumata, S, Yamada S (2019) Group signatures without NIZK: from lattice in the standard model. In: Ishai Y, Rijmen V (eds) Proceedings of Conference EUROCRYPT: 19-23 May 2019, 312–344. Springer, Darmstadt.

  9. Kawachi, A, Tanaka K, Xagawa K (2008) Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In: Pieprzyk J (ed) Proceedings of Conference ASIACRYPT: 7-11 December 2008, 372–389. Springer, Singapore.

  10. Laguillaumie, F, Langlois A, Libert B, Stehlé D (2013) Lattice-based group signatures with logarithmic signature size. In: Sako K, Sarkar P (eds) Proceedings of Conference ASIACRYPT: 1-5 December 2013, 41–61. Springer, Bengaluru.

  11. Langlois, A, Ling S, Nguyen K, Wang H (2014) Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk H (ed) Proceedings of Conference PKC: 26-28 March 2014, 345–361. Springer, Buenos.

  12. Libert, B, Joye M (2014) Group signatures with message-dependent opening in the standard model. In: Benaloh J (ed) Proceedings of Conference CT-RSA: 25-28 February 2014, 286–306. Springer, San Francisco.

  13. Libert, B, Ling S, Nguyen K, Wang H (2016) Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin M, Coron J-S (eds) Proceedings of Conference EUROCRYPT: 8-12 May 2016, 1–31. Springer, Vienna.

  14. Libert, B, Mouhartem F, Nguyen K (2016) A lattice-based group signature scheme with message-dependent opening. In: Manulis M, Sadeghi A-R, Schneider S (eds) Proceedings of Conference ACNS: 19-22 June 2016, 137–155. Springer, Guildford.

  15. Ling, S, Nguyen K, Wang HX (2015) Group signatures from lattices: simpler, tighter, shorter, ring-based. In: Katz J (ed) Proceedings of Conference PKC: 30 March-1 April 2015, 427–449. Springer, Gaithersburg.

  16. Ling, S, Nguyen K, Wang H, Xu Y (2017) Lattice-based group signatures: achieving full dynamicity with ease. In: Gollmann D, Miyaji A, Kikuchi H (eds) Proceedings of Conference ACNS: 10-12 July 2017, 293–312. Springer, Kanazawa.

  17. Lyubashevsky, V (2008) Lattice-based identification schemes secure under active attacks. In: Cramer R (ed) Proceedings of Conference PKC: 9-12 March 2008, 162–179. Springer, Barcelona.

  18. Lyubashevsky, V (2012) Lattice signatures without trapdoors. In: Pointcheval D, Johansson T (eds) Proceedings of Conference EUROCRYPT: 15-19 April 2012, 738–755. Springer, Cambridge.

  19. Lyubashevsky, V, Micciancio D (2006) Generalized compact knapsacks are collision resistant. In: Bugliesi M, Preneel B, Sassone V, Wegener I (eds) Proceedings of Conference ICALP: 10-14 July 2006, 144–155. Springer, Venice.

  20. Lyubashevsky, V, Peikert C, Regev O (2010) On ideal lattices and learning with errors over rings. In: Gilbert H (ed) Proceedings of Conference EUROCRYPT: 30 May-3 June 2010, 1–23. Springer, Riviera.

  21. Lyubashevsky, V, Peikert C, Regev O (2013) A toolkit for Ring-LWE cryptography. In: Johansson T, Nguyen PQ (eds) Proceedings of Conference EUROCRYPT: 26-30 May 2013, 35–54. Springer, Athens.

  22. Naor, M, Yung M (1990) Public-key cryptosystems provably secure against chosen ciphertext attacks. In: Proceedings of the ACM Conference STOC: 1990, 427–437. ACM DL, Baltimore.

  23. Ohara, K, Sakai Y, Emura K, Hanaoka G (2013) A group signature scheme with unbounded message-dependent opening. In: Proceedings of the ACM Conference AsiaCCS: 2013, 517–522. ACM DL, Hangzhou.

  24. Peikert, C (2016) A decade of lattice cryptography. Found Trends Theor Comput Sci 10:283–424.

  25. Peikert, C, Rosen A (2006) Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: Halevi S, Rabin T (eds) Proceedings of Conference TCC: 4-7 March 2006, 145–166. Springer, New York.

  26. Peikert, C, Rosen A (2007) Lattices that admit logarithmic worst-case to average-case connection factors. In: Proceedings of the ACM Conference STOC: 11-13 June 2007, 478–487. ACM DL, San Diego.

  27. Pointcheval, D, Stern J (1999) Security arguments for digital signatures and blind signatures. J Cryptol 13(3):361–396.

  28. Regev, O (2009) On lattices, learning with errors, random linear codes, and cryptography. J ACM 56:1–40.

  29. Sakai, Y, Emura K, Hanaoka G, Kawai Y, Matsuda T, Omote K (2012) Group signatures with message-dependent opening. In: Abdalla M, Lange T (eds) Proceedings of Conference Pairing: 16-18 May 2012, 270–294. Springer, Cologne.

  30. Stern, J (1996) A new paradigm for public key identification. IEEE Trans Inf Theory 42(6):1757–1768.

  31. Sun, Y, Liu Y (2020) A lattice-based fully dynamic group signature scheme without NIZK. In: Proceedings of Conference INSCRYPT: 11-14 December 2020. Springer, Guangzhou.

  32. Sun, Y, Liu Y, Wu B (2019) An efficient full dynamic group signature scheme over ring. Cybersecurity 2(21). https://doi.org/10.1186/s42400-019-0037-8.


Acknowledgements

Not applicable.

Funding

This work was supported by the National Natural Science Foundation of China (Grant No.61932019, No.61772521, No.61772522) and the Key Research Program of Frontier Sciences, CAS (Grant No.QYZDB-SSW-SYS035).

Author information

Contributions

The first author conceived the idea of the study and wrote the paper; all authors discussed the results and revised the final manuscript. Both authors read and approved the final manuscript.

Corresponding author

Correspondence to Yiru Sun.

Ethics declarations

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.


About this article


Cite this article

Sun, Y., Liu, Y. An efficient fully dynamic group signature with message dependent opening from lattice. Cybersecur 4, 15 (2021). https://doi.org/10.1186/s42400-021-00076-8


Keywords

  • Dynamic group signature
  • Message-dependent opening
  • NIZK
  • LWE
  • SIS