An efficient fully dynamic group signature with message dependent opening from lattice

Message-dependent opening is one of the solutions to solve the problem of the tracing manager owns excessive power. In this paper, we present a new lattice-based fully dynamic group signature scheme with message-dependent opening by combining an improved version of the fully dynamic group signature scheme proposed by Ling et al and the double encryption paradigm. In addition, we propose an improved underlying zero knowledge protocol, it has a soundness error 1max(n,p)+1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$\frac {1}{\max (n,p)+1}$\end{document} that is better than the Stern-like protocol, which helps to bring down the communication complexity of the protocol and hence the signature scheme. Our scheme constrains the power of group managers by adding an admitter, and the signature size has a logarithmic relationship with the group size.


Related work
Since the concept of group signature was proposed in Chaum and van Heyst (1991), it has become an important primitive to realize anonymous authentication. Group signature allows members in a group to sign messages on behalf of the group without revealing any information of the signer's identity. At the same time, the signature could be traced to the signer when it is in dispute. In other words, there is an authority in the scheme called trace manager GM trace who can de-anonymize the signature and trace it to the specific signer. But in many scenarios, GM trace is given too much power as it can open all signatures whether the signer is valid or not. To solve this problem, there is an extension of the group signature in Sakai et al. (2012) to balance the traceability and privacy, it is called group signature scheme with message-*Correspondence: sunyiru@iie.ac.cn 1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Haidian District, Beijing, China 2 School of Cyber Security, University of Chinese Academy of Sciences, Huairou District, China Full list of author information is available at the end of the article dependent opening (GS-MDO). In the GS-MDO system, there is another participant named admitter, and the trace manager GM trace could open one signature only when he work with the admitter. To open a signature of message M, the admitter generates a token t M with respect to M using its secret key firstly, and sends t M to the trace manager GM trace , then GM trace uses its secret key and t M to open the signature. That is, the trace manager GM trace can only open the signatures of messages specified by admitter. Subsequently, many other GS-MDO schemes were proposed based on different assumptions, such as decision linear (DLIN) (Sakai et al. 2012), strong Diffie-Hellman (Ohara et al. 2013), Decision 3-party Diffie-Hellman (D3DH) (Libert and Joye 2014), learning with error (LWE) and small integer solution (SIS) .
Lattice-based cryptography has attracted a lot of attention for its simple arithmetic operations and potential ability to resist quantum attack. However, compared with other non-lattice based cryptographic schemes, such as DDH, factoring, et al, the efficiency of lattice-based cryptographic schemes have not been solved well. The first lattice-based static group signature scheme is given in Gordon et al. (2010), its security is proven in RO model, and there is a linear relationship between signature size and group size N. Subsequently, the signature size was lowered up to O(log N) by different manners (Laguillaumie et al. 2013;Ling et al. 2015), such as bonsai tree (Langlois et al. 2014), Merkle hash tree ) and lattice-based accumulators (Ling et al. 2017). In order to further satisfy the requirements of real applications, it is possible to realize the dynamic registration and revocation of users efficiently (Ling et al. 2017) by combining the static group signature scheme in  with the security model in Bootle et al. (2016). It includes an update algorithm in accumulator that is constructed based on hash Merkle tree, and both the security and the signature size were improved compared with the scheme in . However, the schemes above all follow encryptionthen-proof pattern, and rely heavily on zero-knowledge protocol in the proof process, which limits the improvement of efficiency and security. In order to break this bottleneck, there are currently two research lines: one is to try to remove the zero-knowledge proof protocol from the construction of group signature schemes, which is the research content in Katsumata and Yamada (2019). In other words, a lattice-based static group signature scheme without NIZK was proposed in Katsumata and Yamada (2019), and it is proved secure under the standard model. There is a natural idea: whether it is possible to construct a lattice-based fully dynamic group signature scheme that is provably secure under the standard model? To solve this problem, we tried to propose a construction in Sun and Liu (2020) and proved it to be secure under the standard model. The other is to improve the efficiency of zero-knowledge proof (Beullens 2020) and try to apply it to the construction of group signature schemes under the RO model. Our work in this paper gives a positive solution of the latter.

Our contribution
In this paper, we give a new fully dynamic group signature scheme over ring with message-dependent opening (FDGS-MDO) by combining an improved version of the fully dynamic group signature scheme in Ling et al. (2017) and the double encryption paradigm (Canetti et al. 2004), which uses our following zero knowledge proof of knowledge as a underlying protocol. Compared with the scheme in Sun et al. (2019), our scheme realizes the weaken of GM trace 's power by adding another participant: admitter. Concretely, the admitter could generate tokens with respect to messages by using its secret key such that the trace manager can only open signatures of messages specified by the admitter. And we also give an improved zero knowledge proof of knowledge that has smaller soundness error than Stern-like protocol, and we use it as the underlying protocol to improves the efficiency of the scheme in Sun et al. (2019).
We give the specific construction and security analysis of our zero knowledge proof of knowledge, which partially realizes the optimization idea in Beullens (2020). In Beullens (2020), it is necessary to transform an instance of SIS problem into an instance of the permuted kernel problem (PKP) firstly, and then prove its knowledge by using a -protocol for latter, while in our work, we omit this transformation operation. In addition, in order to reduce the communication complexity of our underlying protocol, the prover does not need to send all commitments {com ic } i∈[n],c∈Z p and {com i } i∈ [n] to the verifier in the first round of our protocol. We build two Merkle hash trees with the commitments {com ic } i∈[n],c∈Z p and {com i } i∈ [n] as leaves respectively, and send the roots u andû of the two trees to the verifier. In the third round of the protocol, the prover needs to send some additional messages to the verifier: the commitments com I , com Ich for challenge (I, ch) and the witnesses w I , w Ich that needed to recompute the roots. The verifier need to check that whether the roots u ,û he recomputes are consistent with u,û received in the first round. Our protocol has a soundness error 1 max(n,p)+1 , which is better than the soundness error 2 3 of the Stern-like protocol. Given a security parameter λ, our protocol need to be executed k = λ log(max(n,p)+1) times sequentially to realize a negligible soundness error 2 −λ , while the Stern-like need to be performed (λ) times sequentially. So our protocol satisfies stronger soundness and it effectively reduce the communication complexity of the protocol, thus bring to the group signature scheme the stronger security property and smaller signature size.
In the remainder of this paper, we start by reviewing some definitions, theorems used in the scheme, and the dynamic algorithm to construct the Merkle hash tree in "Preliminaries" section. In "Syntax and security of fully dynamic group signature with message dependent opening" section, we present the syntax of the fully dynamic group signature scheme with message dependent opening. And the detailed construction of the scheme and its security analysis are presented in "The lattice-based dynamic group signature scheme with message-dependent opening" section. Finally, we present the underlying zero knowledge protocol and its security analysis in "The improved zero-knowledge protocol of knowledge" section, and conclusion in "Conclusion" section.

The background of lattice
In this section, we will review some notations, definitions and theorems used for analysing our main results.
Throughout this paper, set the security parameter λ, pos- denotes its t-norm, (x|z) is a concatenation of the two vectors.
Definition 3 (The ring-LWE distribution) (Peikert 2016)For secret element s ∈ R q , X is the noise distribution Definition 4 (The decision ring-LWE n,m,q,X ) ( Lyubashevsky et al. 2010;Peikert 2016) Let n, m ≥ 1, q ≥ 2, given m samples (a j , b j ) ∈ R q × R q , which are sampled from one of the two distributions: A s,X and the uniform distribution in R q × R q , then the decision ring-LWE n,m,q,X is to distinguish which one the samples are from.

The sigma protocol
Definition 5 (The -protocol) (Hazay and Lindell 2010)Given an NP relation R = (x, w) ∈ {0, 1} * × {0, 1} * , a two party interactive protocol P, V is called -protocol for relation R if it is a three-round public-coin protocol and satisfies the following requirements: Completeness: For (x, w) ∈ R, if both prover P and verifier V follow this protocol, then Pr[ P(x, w), V (x) = 1] = 1.

2-Special soundness:
For any statement x, if there is an adversary A that outputs with noticeable probability a pair of accepting transcripts (a, e, z) and (a, e , z ) with e = e , then one can extract a witness w such that (x, w) ∈ R.
Special honest verifier zero knowledge: For (x, w) ∈ R, there is a PPT simulator S that given the statement x and a random challenge e outputs a transcript (a,e,z)

that is indistinguishable from the probability distribution of transcripts of honest executions of the protocol on input
The zero-knowledge protocol used in this paper satisfies completeness, max(n, p)+1-special soundness and special honest-verifier zero knowledge, which depends heavily on the security (statistical hiding and computing binding) of the commitment scheme that used as a submodule in our zero-knowledge protocol. The detailed construction of our protocol and its security proof is given in "The improved zero-knowledge protocol of knowledge" section.

The dynamic algorithm of constructing lattice-based Merkle hash tree
The security of Merkle tree used in Sun et al. (2019) and here are all based on the collision-resistant hash functions, whereas the size and depth of the former are fixed, and that of the latter increase with the registration of users. For any t ∈ R q , bin(t) ∈ {0, 1} k is its binary representation, let G = ⎡ ⎣ 1, 2, 4, · · · , 2 log q −1 · · · 1, 2, 4, · · · , 2 log q −1 q is an instance of the ring-SIS m,q,1 problem, for arbitrary (u 0 , u 1 ) ∈ {0, 1} k × {0, 1} k , we have h A (u 0 , u 1 ) = bin(A 0 · u 0 + A 1 · u 1 mod q) ∈ {0, 1} k so the following equivalent relationship is true, Suppose that there is an PPT adversary who can give two different u = u such that h A (u) = h A (u ), then we have Au mod q = Au mod q, i.e. A(u − u ) = 0 mod q. Since u = u , u − u = 0, u − u ∞ ≤ 1, then u − u is a solution to the ring-SIS m,q,1 problem.
Let H = {h A |A ∈ R m q }, then we give the following specific description of the dynamic updating algorithm TDA(t, d * ) to construct and update the Merkle tree that is used to record the registered users and partial group information in this paper: TSetup: Initialize the Merkle tree as a tree with depth 1, the value of leaves are 0, and its root is u. Let t denote the number of legal members in the group. TJoin: Search for the first leaf with value 0 in all leaves, and assume that its index is i ≤ t. Include a tree of depth j = log t where all leaves are 0 into the original one if there is not a such leaf. And take its root u and the root u of the original tree as two inputs of the hash function to compute a new root u new = h A (u, u ) of the new Merkle tree. And for any i ∈[ 2 j+1 ], we have |bin(i)| = j + 1. TUpdate: Let u j+1 = d * denote the value of the leaf corresponding to the ith user, bin(i − 1) = (i 1 , · · · , i j+1 ) is the binary description of integer i − 1, its witness is w = (bin(i − 1), (w j+1 , · · · , w 1 )). Update the value of notes recursively in the path u j , · · · , u 0 from the leaf u j+1 to root u, then output the witness w, a new root u new , where w j+1 , · · · , w 1 and u j , · · · , u 0 satisfy the following relationship ∀l ∈ {j, · · · , 1, 0}, Let u new = u 0 be the new root of the Merkle tree.
Given the variable t, the computational complexity of algorithm TUpdate(t, d * ) is O(log t), and it satisfies the following property Theorem 2 Suppose that the problem ring-SIS ∞ m,q,β is difficult, let R = {d 0 , · · · , d t } be the set of the leaves related to users who have been registered, then the algorithm TDA(t, d * ) is secure. And given a negligible function negl(λ), for any PPT adversary A, the following inequality is true Syntax and security of fully dynamic group signature with message dependent opening Different from the general group signature scheme, there are four participants in a fully dynamic group signature scheme with message-dependent opening(FDGS-MDO): The group manager(GM update ): Who is responsible to update the group information and the registration and revocation of users. The admitter(AM): who is responsible to generate a token t M that specifies the signatures associated with message M would be opened. The trace manager(GM trace ): Given a signature and token t M , GM trace is responsible to trace the identity of signer when there is a dispute. The users: Who are usually appeared as a signer to sign messages or a verifier to verify signatures.

The definition of FDGS-MDO
A fully dynamic group signature scheme with messagedependent opening consists of the following polynomialtime algorithms: On input the security parameter λ, this algorithm outputs the public parameter pp, group public key gpk = (pp, mpk, opk), and the group secret key msk of GM update , the tracing secret key osk of GM trace and the secret key tsk of AM. GM update initializes the registration list reg and the group information info as ∅, and we assume that they can only be edited by a party knowing msk. UKeyGen(pp) → (upk, usk): Given the public parameter pp, this algorithm outputs a user's key pair (upk, usk). Join(gpk, upk), Issue(gpk, msk, reg, info) : This algorithm is an interactive protocol between a user and the group manager GM update . Assume that the new registered user is the tth member in the group, the user become a legitimate member of the group if the algorithm goes well, and the Join algorithm sets its signing secret key gsk = (bin(t − 1), upk t , usk t ). For the Issue algorithm, GM update runs the algorithm TDA(t, upk t ) to update the Merkle hash tree, the group information info τ , and the registered user list reg. Revoke(gpk, S, msk, reg, info τ ) → info τ new : Given the revocation list S, for any i ∈ S, the group manager GM update runs algorithm TUpdate(bin(i − 1), 0 k ) to update the Merkle hash tree, the registered user list reg and the group information info τ new . Sign(gpk, gsk i , info τ , M) → : On input group public key gpk, group information info τ , this algorithm outputs a signature to a message M signed by the user corresponding to ith leaf at τ or an error symbol ⊥ if the user is illicit at τ , i.e. the user has not been registered or has been revoked at τ . Verify(gpk, , info τ , M) → 0/1: Verify the signature and output 1 if it is valid, otherwise output 0. TrapGen(gpk, tsk, M, reg, info τ ) → t M : This algorithm is operated by the admitter AM, it outputs a token t M for the corresponding message M.
This algorithm is operated by the trace manager GM trace , it outputs the public key b of the signer who signed the message M at τ and generate a proof for this fact if the signature is valid. Otherwise output ⊥. Judge(gpk, b , M, trace , , info τ ) → 0/1: Verify the proof trace generated by the trace manager GM trace , and output 1 if it is valid, otherwise output 0.
To verify that whether the signer is legitimate or not, i.e. the signer has registered and not be revoked when he signs a message M at τ , the group manager verifies that whether the value of the leaf corresponding to this signer is non-zero. And to avoid leaking any information about the signer's identity, we use the extensionpermutation technology  to hide it. In other words, suppose that the binary representation of the value of the leaf that corresponding to the signer is bin(

Security of FDGS-MDO scheme
A fully dynamic group signature scheme needs to satisfies the following properties: correctness, anonymity against admitter, anonymity against opener, non-frameability, traceability, and tracing soundness. Before the specific description, we would like to give a brief description of oracles and special symbols used in the proof firstly. HUL is the set of honest users whose secret keys are generated honesty. BUL is the set of users whose signing secret keys are sent to the adversary. CUL is the set of users whose public keys are chosen by the adversary. SL is the set of signatures generated by oracle sign. CL is the set of signatures generated by oracle Chal b , TL is the set of tokens generated by oracle Chal b . And oracles used in the proof are as follows: Correctness: This property means that if the signer signs a message M honestly, the algorithm Verify can always output 1. With a token t M that outputted by the algorithm TrapGen, the trace manager GM trace can trace the identity of the signer by the algorithm Trace, and generates a proof trace accepted by the algorithm Judge.
Anonymity against admitter: For any PPT adversary A, this property means that it is impossible to distinguish signatures generated by two legitimate users with a nonnegligible probability, even though the adversary A could learn the secret key msk of GM update and the secret key tsk of AM, corrupt any user, and is given the access to the oracle Trace. Given a negligible function negl(λ), a DFGS-MDO scheme is anonymous against admitter for all PPT Anonymity against opener: For any PPT adversary A, this property means that it is impossible to distinguish signatures generated by two legitimate users with a non-negligible probability, even though the adversary A could learn the secret key msk of GM update and the secret key tsk of AM, corrupt any user, and is given the access to the oracle TrapGen. Given a negligible function negl(λ), a DFGS-MDO scheme is anonymous against opener for all Non-frameability: For any PPT adversary A, the probability to generate a valid signature that traced to a legitimate user is negligible, even though the adversary A could learn the secret keys of GM update and GM trace , and corrupt some of the users. Given a negligible function negl(λ), a DFGS-MDO scheme satisfies non-frame-ability Traceability: For any PPT adversary A, the probability to generate a valid signature that traced to a illicit user is negligible, even though the adversary A could learn the secret key of GM trace and corrupt some of the users. Given a negligible function negl(λ), a DFGS- Tracing soundness: For any PPT adversary A, the probability to generate a valid signature that traced to two different users is negligible, even though the adversary A could learn the secret keys of GM update and GM trace , and corrupt some of the users. Given a negligible function negl(λ), a DFGS-MDO scheme satisfies tracing soundness for all PPT adversary

The lattice-based dynamic group signature scheme with message-dependent opening
The construction of the scheme By using the dynamic algorithm to construct the Merkle hash tree and the formal definition of the fully dynamic group signature scheme with message-dependent opening, the specific construction of the scheme in this paper could be defined as follows: GKeyGen(λ) → (pp, (mpk, msk), (opk, osk), tsk): Given the security parameter λ, let t > 0 denote the number of registered users, l = log t , n = O(λ), p = O(λ), prime modules q =Õ(n 1.5 ), k = n log q , m = 2k, real integer β > 0, X is the noise distribution bounded by β in R, H : {0, 1} * → {0, 1} k is a hash function for FS transformation, H : {0, 1} * → X k is a collision resistant hash function, and Com : {0, 1} * × {0, 1} m → Z n q is a string commitment scheme with properties of statistical hiding and computational binding (Kawachi et al. 2008) and initializes the registration list reg and the group information info as ∅. GM trace chooses S 1 , S 2 $ ← X k , E 1 , E 2 $ ← X , and computes P 1 = S 1 B + E 1 ∈ R q , Set the GM trace 's key pair (opk, osk) = (P 1 , (S 1 , E 1 )), the GM update 's key pair (mpk, msk), and the AM's secret key tsk = (S 3 , E 3 ). Finally, the algorithm outputs the public parameter pp = (λ, n, p, q, k, m, β , X , H, Com, A, B), the group public key gpk = (pp, mpk, opk, tpk). UKeyGen(pp) → (upk, usk): The user chooses usk $ ← {0, 1} m uniformly as its secret key, and computes the related public key upk = bin(A · usk mod q), and upk ∈ {0, 1} k . Join(gpk, upk), Issue(gpk, msk, reg, info) : Assume that the new registered user is the t-th member in the group, and the user sends its public key upk to the group manager GM update , and if this algorithm goes well, the latter searches and denotes the first non-zero leaf as t if he approves the user's application. Let upk t = upk, reg t = reg t [ upk t ] [ τ ], τ is the time the user registered, GM update includes reg t into the registration list reg : ) . Then GM update ru-ns the algorithm TDA(bin(t ), upk t ) to update the Merkle tree, outputs the group information info τ = (u, {w j } i j ) where u is the root and {w j } i j are witnesses of all legal users, and updates the counter of registered users t = t + 1. Let usk t = usk, the user sets gsk t = (bin(t − 1), upk t , usk t ) as its signing secret key. Revoke(gpk, S, msk, reg, info τ ) → info τ new : Given the revocation list S that is the set of public keys of group members who would be revoked, and if S = {upk i 1 , · · · , upk i r } is not empty, where r ≥ 1, i j ∈[ t], j ∈[ r], for every j ∈[ r], upk i j ∈ S, GM update runs the algorithm TUpdate in TDA(bin(i j −1), 0 k ) to update the Merkle hash tree, then updates the registration list reg: consists of a new root u new and witnesses {w j } i j of upk i j , updates the counter of legitimate users t = t − r. So, the leaves with value 0 k in the Merkle tree corresponding to the potential users who have not been registered or those have been revoked. Sign(gpk, gsk i , info τ , M) → : To sign a message M at τ by using the group information info τ , the user related to the ith leaf verifies that whether there is a witness of bin(i − 1) in info τ firstly, if not, return ⊥. Otherwise, the user sends M to AM, receives P 3 =S 3 B + E 3 and P 4 =S 4 B + E 4 from it, whereS 3 = H (S 3 M),S 4 = H (S 4 M), and obtains (bin(i − 1), (w l , · · · , w 1 )) from info τ to do the follows: Choose random strings r 1 , r 2 , r 3 , r 4 $ ← {0, 1} k , the user encrypts vector upk i by making use of the double-encryption paradigm (Naor and Yung 1990) and the RLWE-based encryptionp scheme (Regev 2009;Lyubashevsky et al. 2013) to obtain the ciphertexts, Then encrypt ciphertext c 1,2 by using a method similar to the one above to obtain the ciphertexts, Finally, the signer generates a non-interactive zero-knowledge argument of knowledge(NIZKAoK) sign for: (1) It has legitimate witness ζ = (usk i , upk i , bin(i), w l , · · · , w 1 , r 1 , · · · , r 4 ) such that the signer is a legitimate member in the group, i.e. upk i = 0 k , and the values of nodes in the path that from the leaf corresponding to the user to the root are all correct.
Output the signature = (c 1,1 , c 2 , c 3 , c 4 , sign ). The NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. runs the underlying protocol k = λ log 2 (max(n,p)+1) times sequentially to obtain a negligible soundness error 2 −λ , and the transcript is Verify(gpk, , info τ , M) → 0/1: The verifier obtains the root u τ of the Merkle hash tree at τ from the group information info τ , and verifies that whether the predicted challenge ch is true, outputs 0 if not, otherwise verifies the respond rsp j that corresponding to (u j ,û j ) and ch j for each j ∈[ k ], and outputs 1 if everything is correct, otherwise outputs 0.
Similarly, the NIZKAoK mentioned above is obtained from the interactive protocol in the latter section by FS transformation, i.e. GM trace runs the underlying protocol k = λ log 2 (max(n,p)+1) times sequentially to obtain a negligible soundness error 2 −λ , and the transcript is Finally, this algorithm outputs (b , trace ). Judge(gpk, b , M, trace , , info τ ) → 0/1: Verify the proof trace and output 1 if it is true, otherwise output 0.
Finally, a timestamp τ is given to each member in the group, the group manager GM update updates the group information info τ once a new user registered or a legitimate member has been revoked, which indicates that the user can not sign a message M before a registration or after a revocation. Given a group information info τ , we can confirm the timestamp τ uniquely, and vice versa. For any two timestamps τ 1 < τ 2 , the group information info τ 1 is published earlier than info τ 2 .

Analysis of the lattice-based FDGS-MDO scheme
In our scheme, it is not necessary to prepare a large storage space for the Merkle tree standby before a signature is generated, namely we only need to extend or update the Merkle hash tree when a user needs a registration or be revoked. Compared with the scheme in Ling et al. (2017), our work could economize considerable storage space, and there is also no limits on the upper bound of the size of the group as long as the storage space is allowed. In addition, the fact that the scheme is implemented based on ring could help to reduce the computational complexity and space complexity of it (Table 1).
Complexity: Given a security parameter λ, the size of legitimate users t, l = log t , n = O(λ), q = O(n 1.5 ) =Õ(cλ 1.5 ) with a constant c, k = n log q = O(λ log λ). Then the size of group public key gpk = (pp, mpk, opk, tpk) , and the size of signature = (c 1,1 , c 2 , c 3 , c 4 , sign ) is Table 1 Comparison of lattice-based group signature schemes in  and (Ling et al. 2017), in terms of efficiency and functionality

Schemes
Security level Signature size Group PK size Signer's SK size Trapdoor? Model  2 3 ω(λ)Õ (λ · l)Õ(λ 2 · l)Õ(λ) yes MDO (Ling et al. 2017) 2 3 ω(λ)Õ (λ · l)Õ(λ 2 + λ · l)Õ(λ) + l free fully dynamic The scheme in ) is static and that in (Ling et al. 2017) is fully dynamic, the similarity is that both of them use the Stern-like protocol with a soundness error 2 | | =| sign | + |c 1,1 | + |c 2 | + |c 3 | + |c 4 | =k · (|(u j ,û j )| + |ch j | + ·|rsp j |) + 1 + 3(k + 1) log q =k · (2k + log p + log n+ 2(log q + k log k)+ 2λ+ D) The soundness error of our underlying protocol is 1 max (n,p)+1 , so we need to perform the protocol λ log(max(n,p)+1) times sequentially to reach a negligible soundness error 2 −λ , and the generated group signature size is O(lλ 2 ). To realize the same soundness error, the underlying protocol in Ling et al. (2017) need to be excluded (λ) times sequentially, and the corresponding group signature size would beÕ(lλ 2 ). Let the upper bounds of the size of the group in (Ling et al. 2017) and that in our work are the same and denoted as N, let l = log N, then the expected computational complexity of realizing the dynamic registration and revocation of the counterpart of the scheme in Ling et al. (2017) over ring is O(l), and that of our work is roughly 1 2 O(l), So the expected computational complexity down almost by half. Correspondingly, the space complexity has been reduced by the same magnitude.
The security of the fully dynamic group signature scheme presented in this paper satisfies some security requirements given in Bootle et al. (2016): correctness, anonymity, non-frameability, traceability, and tracing soundness.
Correctness: Now, we give a specific description of the correctness of our scheme according to the perfect completeness of the underlying protocol and the correctness of the encryption scheme. If the signature = (c 1,1 , c 2 , c 3 , c 4 , sign ) is generated by a legitimate user, then the perfect completeness of the underlying protocol could help the signature to pass the verification of the algorithm Verify, and the algorithm Trace will take the token t M outputted by the algorithm TrapGen as one of the inputs to decrypt the ciphertext c 3 and outputs c 1,2 , then let c 1 = (c 1,1 , c 1,2 ), and uses its secret key osk to decrypt c 1 and outputs the user public key b = upk i with a probability approximate to 1 together with a proof trace accepted by Judge. We need to compute e 1 = c 3,2 −S 3 c 3,1 = E 3 · r 3 + q 2 · c 1,2 mod q and e 2 = c 1,2 − S 1 c 1,1 = E 1 · r 1 + q 2 · upk i mod q when to decrypt a ciphertext, and for s = 1, 2, let b s = (b s,1 , · · · , b s,l ), e s = (e s,1 , · · · , e s,l ), for any j ∈[ l], Note that E s · r s ∞ < q 5 for s = 1, 3, so b 1 = c 1,2 , b 2 = upk i with overwhelming probability. Furthermore, because the user corresponding to upk i is legitimate, then the witness w = (bin(i − 1), w l , · · · , w 1 ) is included in the group information info τ , and the value of the related leaf is not 0 k . So, the algorithm Trace could always obtain a tuple (S 1 , E 1 , y, t M ) that satisfies requirement. And finally, for the fact that the proof trace is perfect completeness, the algorithm Judge outputs 1 with probability 1.

Theorem 3
The FDGS-MDO scheme satisfies anonymous against admitter, anonymous against opener, unforgeable, traceable and tracing soundness security requirements under the ring-LWE n,m,q,X and ring-SIS ∞ n,m,q,1 assumptions in RO model.
The proof of Theorem in "The improved zero-knowledge protocol of knowledge" section consists of the following five lemmas.

Lemma 1 Suppose that the ring-LWE n,m,q,X problem is difficult, then the scheme in this paper is anonymous against admitter in RO model.
Proof Assume that the size of legitimate users is t, the adversary A and challenger C are all PPT algorithms. For two different users i 0 = i 1 ∈[ t] given by A, we say that the scheme satisfies anonymity if there is a negligible function negl(λ), such that Pr Exp anonA−b DGS−MDO,A (λ) = 1 ≤ negl(λ). Given a negligible function negl(λ), we will finish this proof by hybrid games. Let the output of each game is OP l , l ∈[ 9].
Game2: This game is completely consistent with Game1 except that use a simulator Sim trace to simulate the real interactions of the protocol that generates trace , i.e. replace the real transcript trace with a simulated transcript of Sim trace . And the two transcripts are statistical indistinguishable because of the statistical zeroknowledge of trace , Pr[ Game3: This game is completely consistent with Game2 except that replace (S 1 , E 1 ) with (S 2 , E 2 ) when Sim trace simulates the oracle Trace. For a legitimate signature (c 1,1 , c 2 , c 3 , c 4 , sign ), where c 1 , c 2 are encryptions to different strings respectively, let F 1 be a event of the above signature inquiry initiated by A to the oracle Trace, and the view of A may changing if F 1 appears, however, it violates the soundness of the protocol that generates sign . And the change in this game, to the view of A, is indistinguishable except the incident F 1 , i.e. Pr[ Game4: This game is completely consistent with Game3 except that use a simulator Sim sign to simulate the real interactions of the protocol that generates sign , i.e. replace the real transcript sign with a simulated transcript of Sim sign . And the two transcripts are statistical indistinguishable because of the statistical zeroknowledge of sign , Pr[ Game5: This game is completely consistent with Game4 except that change the ciphertext c 1 into the encryption to upk i 1 when initiate an inquiry to the oracle Chal b . And the difference of the view of A caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S 2 , E 2 ) during the inquiry to the oracle Trace, which makes no difference by substitute the ciphertext c 1 , so, Pr Game6: This game is completely consistent with Game5 except that replace (S 2 , E 2 ) with (S 1 , E 1 ) when Sim trace simulates the oracle Trace. For a legitimate signature (c 1,1 , c 2 , c 3 , c 4 , sign ), where c 1 , c 2 are encryptions to different strings respectively, let F 2 be a event of the above signature inquiry initiated by A to the oracle Trace, which violates the simulation soundness of the protocol that generates sign . And the change in this game, to the view of A, is indistinguishable except the incident F 2 , Pr[ Game7: This game is completely consistent with Game6 except that change the ciphertext c 2 into the encryption to upk i 1 . And the difference of the view of A caused by this change is negligible for the semantic security of the encryption scheme. The challenger responds with (S 1 , E 1 ) during the inquiry to the oracle Trace, so change c 2 makes no difference to the view of the adversary, Pr[ OP 7 = 1] − Pr[ OP 6 = 1] = negl(λ).
Game8: This game is completely consistent with Game7 except that replace the simulator Sim sign with a real protocol that generates sign , i.e. replace the simulated transcript of Sim sign by a real transcript sign . And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol sign , Pr[ OP 8 = 1] − Pr[ OP 7 = 1] ≤ negl(λ). Game9: This game is completely consistent with Game8 except that replace the simulator Sim trace with a real protocol that generates trace , i.e. replace the simulated transcript of Sim trace by a real transcript trace . And the two transcripts are statistical indistinguishable because of the statistical zero knowledge of the protocol trace , Pr[ OP 9 = 1] − Pr[ OP 8 = 1] ≤ negl(λ).
Finally, we could learn from the games above that the probability: where c is a constant. So, the scheme satisfies the property of anonymity against admitter.
Lemma 2 Suppose that the ring-LWE n,m,q,X problem is difficult, then the scheme in this paper is anonymous against opener in RO model.
Proof Assume that the size of legitimate users is t, the adversary A and challenger C are all PPT algorithms. For two different users i 0 = i 1 ∈[ t] given by A, the proof of property anonymity against opener is similar to that of anonymity against admitter, so we are not describe it in detail anymore.

Lemma 3 Suppose that the problem ring-SIS ∞
n,m,q,1 is difficult, then the sche-me in this paper is unforgeable in the RO model. Proof Suppose that there ia a PPT adversary A could forge a valid signature with a non-negligible probability , then there is a PPT algorithm B could break the security of Merkle hash tree or solve the problem ring-SIS ∞ n,m,q,1 with a non-negligible probability by invoking A as a black box.
If there is a negligible function negl(λ), such that Pr Exp unforge FDGS−MDO,A (λ) = 1 ≤ negl(λ), then we say that the scheme is unforgeable. Given a random vector A, the challenger computes the public parameter pp honestly, then invokes the algorithm of A, runs the operations in the game Exp , A, u τ , {P i } 4 i=1 , B, c * 1,1 , c * 2 , c * 3 , c * 4 , for the successful probability to guess H(ξ * ) is (np) −k , so the adversary uses the ξ * to initiate queries to the oracle H with overwhelming probability, and ξ * is the preimage of H with probability = − (np) −k , let t * ∈ {1, 2, · · · , Q H } be the index of one inquiry, where Q H is the number of inquiries that the adversary A made to the oracle H. The inputs of the hash queries from 1th to t * th are all ξ * , and B runs the operations of A for t * times. And the inputs of other hash queries from t * + 1th to Q H th are something else, B responds by independent values respectively. By the Forking lemma in (Brickell et al. 2000;Pointcheval and Stern 1999), the probability of B gets max(n, p) + 1 different hash values ch 1 t * , · · · , ch max(n,p)+1 t * ∈ {[ n] ×Z p } k to the same input ξ * is non-negligible, and the pigeon hole principle tells us that there are at least two accept responds (rsp t * ,1 , rsp t * ,2 ) with the same I and different ch, then what we could learn from the protocol that generates sign is that we could We can learn from the correctness of the encryption scheme that c * 1 is the encryption to upk i and c * 3 is the encryption to c * 1,2 . The algorithm Judge outputs 1 because of the fact that A wins the game, and what we can learn from the soundness of the protocol that generates trace is that c * 1 is the encryption to upk i * , then upk i = upk i * with overwhelming probability. By the correctness of the Merkle hash tree, the user i * is legitimate. i * ∈ HUL \ BUL indicates that the adversary A doesn't know gsk i * = (bin(i * − 1), upk i , usk i * ). usk i * was chosen by B and A·usk i * = G·upk i , so we have Pr[ usk i * = usk i ] ≥ 1 2 . Let z = usk i * − usk i , then z = 0 and Az = 0 mod q, so, the algorithm B could solve the problem ring-SIS ∞ n,m,q,1 with non-negligible probability.  (λ), the signature generated by A is legitimate and it was traced to a revoked user or a legitimate user without a valid proof trace to it, and next, we will explain that the probability of the fact that the adversary A wins the game is negligible.

Lemma 4 Suppose that the ring-SIS
Let (info τ , M, ) be a forged information by the adversary A in the game Exp trace FDGS−MDO,A (λ), then the challenger could extract the identity (bin(i − 1), trace ) by running the algorithm Trace. Decompose the signature into c 1,1 , c 2 , c 3 , c 4 , sign , where , ch. Then we could extract a wit- What we can learn from the correctness of the encryption scheme is that the ciphertext c 1 could be decrypted to upk i , c 3 could be decrypted to c 1,2 , and we can learn from the correctness of the algorithm Trace that upk i is the plaintext obtained from the ciphertext c 1 , so upk i = upk i with overwhelming probability, and the probability that a valid signature be traced to a revoked user is negligible. In fact, we can learn from the security of Merkle hash tree that the probability that the valid signature above be traced to a revoked user with a valid proof trace is negligible. Because of the fact that the challenger has the legitimate witness to generate a valid proof trace , and we can learn from the perfect completeness of the protocol that generates trace that the algorithm Judge would accepts trace with probability 1. In conclusion, the scheme in this paper is traceable. Given trace with trace = {(u j ,û j )} k j=1 , ch, {rsp j } k j=1 , the fact that the algorithm Judge outputs 1 indicates that {rsp j } k j=1 are legitimate responds to {(u j ,û j )} k j=1 , ch. For b = 0, 1, j = 1, 3, it is similarly to the property of unforgeability, we could extract S 1,b ,S 3,b , E j,b , y j,b , such that then S 1,0 = S 1,1 , we obtained two different solutions of the function S 1 · B + E 1 = P 1 mod q, which is contradictory to the fact that there is at most one solution to the ring-LWE n,m,q,X sample (B, P 1 ). So, upk i 1 = upk i 0 with overwhelming probability. Similarly, if there are two different strings c 1,2 and c 1,2 w.r.t one ciphertext c 3 , then c 1,2 = c 1,2 is also true with overwhelming probability. In other words, the probability of the fact that A wins is negligible, so the scheme in this paper satisfies the property of tracing soundness.

Security analysis of the protocol
Theorem 4 Suppose that the commitment scheme used in this paper satisfies statistical hiding and computing binding, then our new zero knowledge protocol satisfies completeness, (max(n, p) + 1)-special soundness and special honest-verifier zero knowledge.
Proof Denote rsp = ((com I , w I ), (com Ich , w Ich ), (r I , r Ich , x I )), we prove completeness, (max(n, p) + 1)-special soundness and special honest-verifier zero knowledge separately: Completeness: Suppose that the prover and verifier have run each step of the protocol honestly, then u = u ∧û =û is true with overwhelming probability by the definition of TDA, and we have y I = A x I − chU mod q = A r I + chA z − chU mod q.
So if z is a solution to the instance (U, A ), then U = A z mod q, which means that y = A r I , and the com-

Prover(U, A , z) Verifier(U, A )
For i ∈[ n] do seed i , r i $ ← {0, 1} m , generate r i ∈ {0, 1} D from seed i , com i := Com(A r i mod q, r i ). For c ∈ Z p do generate r ic ∈ {0, 1} m from seed i , com ic := Com(r i + cz mod q, r ic ). End For End For Run TDA(n, Bin(com ic )) for i ∈[ n], output the root u. Run TDA(np, Bin(com i )) for i ∈[ n], c ∈ Z p , output the rootû. (max(n, p) + 1)-special soundness: If there are (max(n, p) + 1) valid transcripts, the pigeon hole principle tells us that there are at least two accept transcripts with the same I and different ch. Suppose (u,û), (I, ch), (com I , w I ), (com Ich , w Ich ), r I , r Ich , x I and ((u,û), (I, ch ), ((com I , w I ), (com Ich , w Ich ), (r I , r Ich , x I ))) are two valid transcripts with ch = ch , one can efficiently extract a collision of the hash function h A ∈ H, a witness z such that U = A z by using the binding of the commitment scheme.
Suppose that (aux I , com I ), (I, ch), r I , r Ich , x I and ((aux I , com I ), (I, ch ), (r I , r Ich , x I )) are two valid transcripts that are accepted by verifier. Let y I = A x I − chU mod q and y I = A x I − ch U mod q, then we have com I = Com y I , r I = Com y I , r I , so the binding of the commitment implies that y I = y I , i.e. A (x I − x I ) = (ch − ch )U.
In addition, com Ich = Com(r I + chz mod q, r Ich ) = Com(x I , r Ich ) and com Ich = Com(r I + ch z mod q, r Ich ) = Com(x I , r Ich ), so x I = r I + chz mod q and x I = r I + ch z mod q by the binding of the commitment. y I = y I A x I − chU mod q = y I A x I − ch U mod q = y I x I = r I + chz mod q Then one can compute z efficiently as a solution of the instance (U, A ). Special honest-verifier zero knowledge: In this proof, we construct a PPT simulator S with inputs (U, A ), {seed i } i∈ [n] and (I, ch), it interacts with a (maybe dishonest) verifier and does the following things: 1. Sample r I $ ← {0, 1} m , and compute r I , r Ich from seed I . 2. Compute com I = Com(A r I mod q, r I ) honestly, commit to random dummy values to calculate the commitments com i =I . 3. Compute a vector z by Gaussian elimination such that U = A z mod q. 4. Compute x I = r I + chz mod q, com Ich = Com(x I , r Ich ), and commit to random dummy values to calculate the commitments com ic for all i = I and c = ch. 5. Run TDA(n, Bin(com i )) for i ∈[ n], TDA(np, Bin (com ic )) for i ∈[ n], c ∈ Z p , output the root u andû respectively. 6. Output the transcript ((u ,û ), (I, ch), ((com I , w I ), (com Ich , w Ich ), (r I , r Ich , x I ))).
It is clear that r I , r Ich , x I and the corresponding real transcript are both uniformly distributed in {0, 1} 2λ × {0, 1} D and hence follow the same distribution. (com I , com Ich ) and the corresponding real transcript are statistical indistinguishable by the hiding property of the commitment. By the definition of the collision resistant hash function, both (w I , w Ich ) and the corresponding real transcript are indistinguishable from uniform distribution, so (w I , w Ich ) and the corresponding real transcript are indistinguishable. Because the commitments com i , com ic for all i = I, c = ch are never opened, (u ,û ) also follows from the hiding property of the commitment and the definition of the hash function. So, the transcript outputted by S and the real transcript of the protocol are computing indistinguishable.

Conclusion
In this paper, we give a new ring-based fully dynamic group signature scheme with message-dependent opening. The efficiency of it is improved by an improved underlying zero knowledge proof of knowledge that has smaller soundness error than Stern-like protocol. This modification helps to bring down the communication complexity of the underlying zero knowledge protocol and hence the computational/space complexity of the group signature scheme. In addition, we add another participant -an admitter to our scheme to constrain the power of trace manager. The admitter could generate tokens with respect to messages by using its secret key such that the trace manager can only open signatures of messages specified by the admitter.