1 Introduction

In the setting of group signatures introduced by Chaum and van Heyst [9], group members can generate signatures on behalf of the group anonymously (anonymity), while the group manager can extract the identity of the group member who created a signature (traceability). Thus, the original group signature scheme has two core requirements, anonymity and traceability. Later, further requirements such as unlinkability, unforgeability, and framing resistance were proposed. However, the precise meaning of those requirements is not always clear, and sometimes their meanings overlap. Bellare et al. [2] (the BMW03 model) proposed strong, formal definitions for the core requirements of group signatures in the form of two security notions, full-anonymity and full-traceability. Since full-anonymity and full-traceability imply all the existing security notions, they provide a conceptual simplification: only two security properties need to be checked for a group signature scheme. However, the BMW03 model is for static groups, not for dynamic groups. In real life, almost all group settings are dynamic. Thus, member registration and member revocation are essential when applying group signature schemes in practice.

When a member misbehaves, he should be punished. For instance, if a member issued a signature on a document he was not entitled to sign, he should be removed from the group. Member revocation in group signature schemes requires that revoked members are prevented from signing in the future. There are several member revocation methods. One method is to generate and distribute new keys to each member and verifier, or to request each member to update their keys, and to generate a new group public key. Since this requires updating all the unrevoked members and the verifiers, it is inconvenient in practice. Bresson et al. [5] suggested another revocation technique by extending the signing procedure of the scheme given in [8]. Their method requires the signer to prove in zero-knowledge that his identity is not in the public list of revoked identities. However, the size of a group signature then grows linearly with the number of revoked members, which is a burden for the signers. Brickell [6] proposed a revocation method called verifier-local revocation (VLR), which was subsequently formalized by Boneh et al. [4]. VLR requires revocation messages to be passed only to the verifiers when a member is revoked. In real-life scenarios, the number of verifiers is much smaller than the number of members, so passing messages only to the verifiers is more efficient than the other revocation techniques. Most group signature schemes (e.g., [3, 16]) operate in the bilinear map setting, which will be insecure once large-scale quantum computers become a reality.

Lattice-based cryptography is one of the most prominent candidates for post-quantum cryptography; it provides provable security under worst-case hardness assumptions. Gordon et al. [11] suggested the first lattice-based group signature scheme. However, the sizes of both the group public key and the signature in their scheme grow linearly with the number of members N (the linear-barrier problem), so it cannot be applied to large groups. Camenisch et al. [7] then presented a lattice-based group signature scheme with an anonymous attribute token system, which still suffers from the linear-barrier problem. Later, Laguillaumie et al. [13] presented a scheme that overcomes the linear-barrier problem. However, all three of these lattice-based group signature schemes rely on an LWE-based PKE (public-key encryption) scheme, and they are only for static groups.

Langlois et al. [14] proposed the first lattice-based group signature scheme that supports member revocation and does not rely on LWE-based PKE. They used VLR as the member revocation technique, and their scheme is more efficient while relying on weaker security assumptions. In terms of security, their scheme satisfies a weaker security notion called selfless-anonymity. VLR group signature schemes cannot directly employ the full-anonymity of the BMW03 model because they use a token system to manage member revocation: each member has a revocation token in addition to the secret signing key. In the full-anonymity game between a challenger and an adversary, as described in the BMW03 model, all the member secret signing keys are given to the adversary at the beginning. In VLR group signature schemes, the revocation tokens cannot be given to the adversary, because he could identify the signer of a signature using the tokens; and the secret signing keys cannot be given to him either, because the revocation token can be derived from the secret signing key.

The existing lattice-based VLR group signature schemes therefore raise the question of whether it is possible to design a lattice-based VLR group signature scheme that achieves full-anonymity in the BMW03 model.

1.1 Our Contribution

The lattice-based VLR group signature scheme in [14] relies on selfless-anonymity. Stronger security for VLR schemes can be achieved in two ways: by using a restricted version of full-anonymity, or by changing the methods used in the scheme. We provide a new group signature scheme that achieves full-anonymity using the second approach.

Previous lattice-based VLR group signatures fail to obtain full-anonymity because anyone possessing a revocation token can run the signature verification algorithm with it and confirm whether the corresponding member created the signature. For instance, in the anonymity game between a challenger and an adversary, if the adversary knows the revocation tokens of the challenge indices, he can run Verify with those tokens as the revocation list. If Verify returns Invalid, he knows that the owner of that revocation token generated the signature. This leads to the assumption that the verifiers must not see the revocation tokens, in particular those of the challenge indices. Based on this assumption, new security notions were proposed in [18, 19]. However, none of them is as strong as full-anonymity, because they do not provide all the revocation tokens to the adversary; they are restricted versions of full-anonymity.

This paper suggests a scheme that can provide all the revocation tokens to the adversary, including the revocation tokens of the challenge indices. In the original VLR schemes, when revoking a member, the group manager adds the revoked member's token to a revocation list (RL) and passes RL to the verifiers. Thus, Verify takes RL as an additional input, and, besides verifying the signature, the verifiers have to check that the signer's revocation token is not in the list. We suggest a new revocation method for VLR schemes in which the group manager signs each revocation token before adding it to RL. Correspondingly, at signature verification the verifier has to check that every revocation token in the list carries a valid signature of the group manager, in addition to checking that the signer's revocation token is not in the list and that the signature is valid. Thus, even if the adversary obtains a revocation token, he cannot execute Verify with it, because he does not know the group manager's secret key. We can then apply full-anonymity to our VLR group signature scheme and provide all the member secret signing keys and revocation tokens, including those of the challenge indices, to the adversary in the full-anonymity game.

As a result, we deliver a new lattice-based VLR group signature scheme with new revocation and verification methods that satisfies full-anonymity.

2 Preliminaries

2.1 Notations

For any integer \(k\ge 1\), we denote the set of integers \(\{1, \ldots , k\}\) by [k]. We denote matrices by bold upper-case letters such as \(\mathbf{A}\), and vectors by bold lower-case letters, such as \(\mathbf x\). We assume that all vectors are in column form. While the concatenation of matrices \(\mathbf{A} \in \mathbb {R}^{n\times m}\) and \(\mathbf{B}\in \mathbb {R}^{n\times k}\), is denoted by \([\mathbf{A} | \mathbf{B}] \in \mathbb {R}^{n\times (m+k)}\) the concatenation of vectors \(\mathbf{x} \in \mathbb {R}^m\) and \(\mathbf{y}\in \mathbb {R}^k\) is denoted by \((\mathbf{x}\Vert \mathbf{y}) \in \mathbb {R}^{m+k}\). If S is a finite set, \(b {\mathop {\leftarrow }\limits ^{\$}} S\) means that b is chosen uniformly at random from S.

Throughout this paper, we present the security parameter as n and the maximum number of members in a group as \(N = 2^{\ell } \in \textsf {poly}(n)\). We choose other parameters as in scheme [14] as given in Table 1.

Table 1. Parameters of the scheme

Let \(\mathcal {H}\): \(\{0,1\}^* \rightarrow \{1,2,3\}^t\), and \(\mathcal {G}\): \(\{0,1\}^* \rightarrow \mathbb {Z}_q^{n \times m}\) be hash functions, modeled as random oracles. We use a one-time signature scheme \(\mathcal {OTS}\) = (OGen, OSign, OVer), where OGen is the key generation algorithm that outputs an \(\mathcal {OTS}\) key pair (ovk, osk), OSign is the signature generation algorithm, and OVer is the signature verification algorithm.

2.2 Lattices

Let q be a prime and \(\mathbf{B} = [ \mathbf{b}_1 | \cdots | \mathbf{b}_m ] \in \mathbb {Z}_q^{r\times m}\) be a matrix whose columns \(\mathbf{b}_1, \ldots , \mathbf{b}_m\) are linearly independent vectors in \(\mathbb {Z}_q^r\). The r-dimensional (q-ary) lattice \(\varLambda (\mathbf{B})\) generated by \(\mathbf B\) is defined as

$$\begin{aligned} \varLambda (\mathbf{B}) = \{ \mathbf{y}\in \mathbb {Z}^r \mid \mathbf{y} \equiv \mathbf{B}{} \mathbf{x} \bmod q \text { for some }{} \mathbf{x}\in \mathbb {Z}_q^m \}, \end{aligned}$$

which is the set of all integer vectors that are linear combinations of the columns of \(\mathbf B\) modulo q; m is the rank of \(\mathbf B\).

We consider discrete Gaussian distributions over lattices. The Gaussian function centered at a vector \(\mathbf c\) with parameter \(s>0\) is defined as \(\rho _{s,\mathbf{c}}(\mathbf{x})=e^{-\pi \Vert (\mathbf{x}-\mathbf{c})/s\Vert ^2}\), and the corresponding probability density function proportional to \(\rho _{s,\mathbf{c}}\) is \(D_{s,\mathbf{c}}(\mathbf{x}) = \rho _{s,\mathbf{c}}(\mathbf{x})/s^n\) for all \(\mathbf{x}\in \mathbb {R}^n\). The discrete Gaussian distribution with respect to a lattice \(\varLambda \) is defined as \(D_{\varLambda , s, \mathbf{c}}(\mathbf{x}) = D_{s,\mathbf{c}}(\mathbf{x})/D_{s,\mathbf{c}}(\varLambda ) = \rho _{s,\mathbf{c}}(\mathbf{x})/\rho _{s,\mathbf{c}}({\varLambda })\) for all \(\mathbf{x}\in \varLambda \). Since \(\mathbb {Z}^m\) is also a lattice, a discrete Gaussian distribution over \(\mathbb {Z}^m\) is defined in the same way. By \(D_{\mathbb {Z}^m,\sigma }\) we denote the discrete Gaussian distribution over \(\mathbb {Z}^m\) centered at the origin with parameter \(\sigma \).

2.3 Lattice-Related Properties

The security of our scheme depends on the hardness of the Learning With Errors (LWE) problem, the Short Integer Solution (SIS) problem, and its inhomogeneous variant (ISIS).

Definition 1

(LWE [17]). \( {LWE}\) is parametrized by \(\textit{n}, \textit{m}\ge 1, q \ge 2\), and an error distribution \(\chi \) over \(\mathbb {Z}\). For \({\varvec{s}} \in \mathbb {Z}_q^n\), the distribution \(A _{{\varvec{s}},\chi }\) over \(\mathbb {Z}_q^n \times \mathbb {Z}_q\) is obtained by sampling \({\varvec{a}} \in \mathbb {Z}_q^n\) uniformly at random and \(e \leftarrow \chi \), and outputting the pair \(({\varvec{a}}, {\varvec{a}}^T \cdot {\varvec{s}} + e )\).

There are two versions of the LWE problem, Search-LWE and Decision-LWE. Search-LWE requires finding the secret s given samples from \(A _{{\varvec{s}},\chi }\), whereas Decision-LWE requires distinguishing samples from \(A _{{\varvec{s}},\chi }\) from samples drawn uniformly at random from \(\mathbb {Z}_q^n \times \mathbb {Z}_q\). We use the hardness of the Decision-LWE problem.

For a prime power q, \(b \ge \sqrt{n}\omega (\log n)\), and a discrete Gaussian error distribution \(\chi \) with parameter b, solving the \(LWE_{n, q, \chi }\) problem is at least as hard as solving \(SIVP_{\gamma }\) (the Shortest Independent Vectors Problem), where \(\gamma = \tilde{O} (nq/b)\) [21].

Definition 2

(SIS [17, 21]). Given m uniformly random vectors \({\varvec{a}}_{\textit{i}} \in \mathbb {Z}_q^n\), forming the columns of a matrix \({\varvec{A}} \in \mathbb {Z}_q^{n\times m}\), find a nonzero vector \({\varvec{x}} \in \varLambda ^{\perp }({\varvec{A}}) = \{ {\varvec{x}} \in \mathbb {Z}^m \mid {\varvec{Ax}} = 0 \bmod q \}\) such that \(||{\varvec{x}}||\le \beta \).

Definition 3

(ISIS [14]). Given m uniformly random vectors \({\varvec{a}}_{\textit{i}} \in \mathbb {Z}_q^n\), forming the columns of a matrix \({\varvec{A}} \in \mathbb {Z}_q^{n\times m}\), and a syndrome \({\varvec{u}} \in \mathbb {Z}_q^n\), find a vector \({\varvec{x}} \in \varLambda ^{\perp }_{{\varvec{u}}}(\mathbf A ) = \{ {\varvec{x}} \in \mathbb {Z}^m \mid {\varvec{Ax}} = {\varvec{u}} \bmod q \}\) such that \(||{\varvec{x}}||\le \beta \).

For any m, \(\beta = \textsf {poly}(n)\), and for any \(q \ge \beta \cdot \omega (\sqrt{n \log n})\), solving \(SIS_{n, m, q, \beta }\) problem or \(ISIS_{n, m, q, \beta }\) problem with non-negligible probability is at least as hard as solving \(SIVP_{\gamma }\) problem, for some \(\gamma = \tilde{O}(\beta \sqrt{n})\) [10].

2.4 Lattice-Related Algorithms

We use the randomized nearest-plane algorithm SampleD [10, 15] and the trapdoor generation algorithm GenTrap [1, 10, 15] of preimage sampleable trapdoor functions (PSTFs).

  • SampleD(R, A, u, \(\sigma \)) takes a matrix A, a trapdoor R for A, any vector u in the image of A, and \(\sigma = \omega (\sqrt{n \log q \log n})\), and outputs \(\mathbf x \in \mathbb {Z}^m\) distributed statistically close to \(D_{\mathbb {Z}^m,\sigma }\) conditioned on \(\mathbf A \cdot \mathbf x = \mathbf u \bmod q\).

  • GenTrap(n, m, q) is an efficient randomized algorithm that, for any integers \(\textit{n}\ge 1, \textit{q}\ge 2\), and sufficiently large m (e.g., \(\textit{m} = 2n \log \textit{q}\)), outputs a matrix \(\mathbf A \in \mathbb {Z}_q^{n \times m} \) together with a trapdoor matrix R. The distribution of the output A is negl(n)-far from the uniform distribution over \(\mathbb {Z}_q^{n \times m}\).

2.5 VLR Group Signature

A VLR group signature scheme consists of the following three PPT algorithms [4]; there is no explicit opening algorithm, since the implicit tracing algorithm described below is used to trace misbehaving users.

  • KeyGen(n, N): This randomized PPT algorithm takes as inputs the security parameter n and the maximum number of group members N, and outputs a group public key gpk, a vector of user secret keys gsk = \((\mathbf {gsk}[0], \mathbf {gsk}[1],\ldots , \mathbf {gsk}[\textit{N}-1])\), and a vector of user revocation tokens grt = \((\mathbf {grt}[0], \mathbf {grt}[1], \ldots , \mathbf {grt}[\textit{N}-1])\).

  • Sign(gpk, gsk[d], M): This randomized algorithm takes the group public key gpk, a secret signing key gsk[d] and a message \(\textit{M} \in \{0,1\}^* \) as inputs and returns a signature \(\varSigma \).

  • Verify(gpk, RL, \(\varSigma \), M): This deterministic algorithm checks that \(\varSigma \) is a valid signature on the message M under the group public key gpk, and then checks, using the revocation list RL, that the signer has not been revoked.

Implicit Tracing Algorithm: Any VLR group signature scheme has an implicit tracing algorithm that uses grt as the tracing key and traces a valid signature to at least one group user who could have generated it. Given a valid signature \(\varSigma \) on a message M, run Verify(gpk, \(\{\mathbf {grt}[\textit{i}]\}\), \(\varSigma \), M) for each \(\textit{i} = 0,\ldots , \textit{N}-1\), i.e., with a revocation list containing only the token of user i, and output the index of the first user for which the verification algorithm returns invalid. The tracing algorithm fails if verification succeeds for all users.

3 Definitions of the Security Notations

In this section first, we describe the core requirements presented in the original group signatures. Then we define the full-anonymity and the full-traceability delivered in the BMW03 model. Later, we describe the selfless-anonymity notion provided in the group signatures with VLR. Finally, we discuss the reasons for the difficulties of achieving the full-anonymity for the existing VLR group signature schemes.

Informally,

  • Anonymity requires that no adversary without the group manager's key can recover the identity of the signer from a signature generated by one of two adversarially chosen (and otherwise indistinguishable) indices.

  • Traceability requires that no adversary can forge a signature that cannot be traced.

3.1 Full Anonymity and Full Traceability

Bellare et al. [2] delivered a standard security model (BMW03 model) for group signatures with two strong security properties, full anonymity and full traceability. Definitions of the full anonymity and full traceability are provided below.

Full Anonymity

The full-anonymity game between a challenger and an adversary is as follows. The adversary is strong: he is given all the member secret keys. At the beginning of the game, all the user secret keys gsk and the group public key gpk are given to the adversary, and he has access to an opening oracle that runs the tracing algorithm for him.

  • Initial Phase: The challenger C runs KeyGen to obtain (gpk, gmsk, gsk). Then C gives (gpk, gsk) to the adversary A.

  • Query Phase: The adversary A can access the opening oracle, which returns Open(gmsk, M, \(\varSigma \)) when queried with a message M and a signature \({\varSigma }\).

  • Challenge Phase: The adversary A outputs a message M and two distinct identities \(i_0,i_1\). The challenger C selects a bit b \(\overset{\$}{\leftarrow }\) {0,1}, generates a signature \(\varSigma ^* \) = Sign(gpk, gsk[\(i_b\)], M), and sends it to the adversary A. The adversary can still query the opening oracle, except on the challenge signature \(\varSigma ^* \).

  • Guessing Phase: Finally, A outputs a bit \(b^\prime \), the guess of \(b\). If \(b^\prime =b\), then the adversary A wins.

Definition 4

Let \( {A }\) be an adversary against the anonymity of a group signature scheme \( {GS }\). The advantage of \( {A }\) in the above full-anonymity game is

$$\begin{aligned} {\varvec{Adv}}^{anon}_{GS ,A }(\textit{n}, \textit{N}) = |\Pr [{\varvec{Exp}}^{anon}_{GS ,A }(\textit{n}, \textit{N}) = 1] -1/2|. \end{aligned}$$

A group signature scheme is fully anonymous if \({\varvec{Adv}}^{anon}_{GS ,A }\) is negligible for every PPT adversary A.

Full Traceability

As explained in [2], the group public key gpk and the group manager's secret key gmsk are given to the adversary A at the beginning of the game, and A then makes queries as in the following game.

  • Initial Phase: The challenger C runs KeyGen to obtain (gpk, gmsk, gsk). Then gives gpk and gmsk to the adversary A and sets U \(\leftarrow \) \(\emptyset \).

  • Query Phase: The adversary A can make the following queries.

    1. Signing: The adversary A requests a signature for any message M and user index i, and the challenger C returns \(\varSigma \) = Sign(gpk, gsk[i], M).

    2. Corruption: The adversary A queries for the secret key of any user i. The challenger C adds i to U and returns gsk[i].

  • Challenge Phase: A outputs a message \(\textit{M}^*\) and a signature \(\varSigma ^*\).

  • The forgery adversary A wins if all of the following hold.

    1. \(\varSigma ^*\) is accepted as a valid signature on the message \(\textit{M}^*\).

    2. \(\varSigma ^*\) traces to some user outside the coalition U, or the tracing algorithm fails.

    3. \(\varSigma ^*\) was not obtained from a signing query on \(\textit{M}^*\).

Definition 5

Let \( {A }\) be an adversary against the traceability of a group signature scheme \( {GS }\). The advantage of \( {A }\) in the above full-traceability game is

$$\begin{aligned} {\varvec{Adv}}^{trace}_{GS ,A }(\textit{n}, \textit{N}) = \Pr [{\varvec{Exp}}^{trace}_{GS ,A }(\textit{n}, \textit{N}) = 1]. \end{aligned}$$

A group signature scheme is fully traceable if \({\varvec{Adv}}^{trace}_{GS ,A }\) is negligible for every PPT adversary A.

3.2 Selfless-Anonymity

Selfless-anonymity is a relaxed form of anonymity; it differs from full-anonymity in the restrictions it places on the adversary. In the selfless-anonymity game, the adversary is given only the group public key at the outset, and he never obtains the secret keys or revocation tokens of the two challenge users (he may corrupt other users). Despite this weaker model, selfless-anonymity lets any member determine whether his own secret signing key was used to generate a particular signature, for instance if he forgets whether he signed the message.

The selfless-anonymity game between a challenger and an adversary is as follows.

The adversary in the selfless-anonymity game is weaker than the adversary in the full-anonymity game, since he is not given the secret keys of the challenge users. He has to determine which of two adaptively chosen users generated the challenge signature.

  • Initial Phase: The challenger C runs KeyGen to obtain (gpk, gsk, grt). Then C gives gpk to the adversary A.

  • Query Phase: The adversary A can make the following queries.

    1. Signing: The adversary A requests a signature for any message \(\textit{M} \in \{0, 1\}^*\) with any user index i, and C returns \(\varSigma \) = Sign(gpk, gsk[i], M).

    2. Corruption: The adversary A queries for the secret key of any user i, and the challenger C returns gsk[i].

    3. Revocation: The adversary A queries for the revocation token of any user i, and the challenger C returns grt[i].

  • Challenge Phase: The adversary A outputs a message \(\textit{M}^*\) and two distinct identities \(i_0,i_1\) such that A did not make corruption or revocation queries for \(i_0\) or \(i_1\). The challenger C selects a bit b \(\overset{\$}{\leftarrow }\) {0, 1}, computes the signature \( \varSigma ^* \)=Sign(\(\mathbf {gpk}, \mathbf {gsk}[\textit{i}_b], \textit{M}^*\)) for \(i_b\), and sends the challenge signature \(\varSigma ^* \) to the adversary A.

  • Restricted Queries: After the challenge phase the adversary A can continue to make queries, with the following restrictions.

    • Signing: The adversary A can query as before.

    • Corruption: The adversary A cannot query for \( i_0\) or \( i_1\).

    • Revocation: The adversary A cannot query for \( i_0\) or \( i_1\).

  • Guessing Phase: Finally, the adversary A outputs a bit \(b^\prime \), the guess of \(b\). If \(b^\prime =b\), then A wins.

Definition 6

Let \( {A }\) be an adversary against the anonymity of a VLR group signature scheme \( {DGS }\). The advantage of \( {A }\) in the above selfless-anonymity game is

$$\begin{aligned} {\varvec{Adv}}^{anon}_{DGS ,A }(\textit{n}, \textit{N}) = |\Pr [{\varvec{Exp}}^{anon}_{DGS ,A }(\textit{n}, \textit{N}) = 1] -1/2|. \end{aligned}$$

A VLR group signature scheme is selfless-anonymous if \({\varvec{Adv}}^{anon}_{DGS ,A }\) is negligible for every PPT adversary A.

3.3 Difficulties of Achieving the Full-Anonymity for VLR Schemes

Full-anonymity was defined for static groups, where members have only secret signing keys. Even though the secret signing keys are used to generate signatures, knowing the secret signing keys does not allow anyone to identify the signer. But members of VLR schemes have another secret attribute, the revocation token, and revealing revocation tokens to outsiders makes the scheme insecure. For instance, if an adversary knows user \(i_0\)'s revocation token \(\mathbf {grt}[\textit{i}_0]\), then he can confirm whether user \(i_0\) generated a given signature by executing Verify with RL replaced by \(\{\mathbf {grt}[\textit{i}_0]\}\), as depicted in Fig. 1. In the full-anonymity game of Fig. 1, if \(\varSigma _b\) was generated by user \(i_0\), then Verify returns Res = Invalid for \(i_0\), which confirms that user \(i_0\) generated the signature. Moreover, since VLR group signatures derive the revocation tokens from the secret signing keys, selfless-anonymity also forbids revealing the secret signing keys of the challenge users.

Fig. 1. Full anonymity for VLR schemes

For these reasons, to obtain stronger security for VLR group signature schemes we need either a restricted version of full-anonymity or a new scheme with different methods.

4 New Lattice-Based VLR Scheme

The new scheme requires the group manager to sign a revoked member's token before adding it to the revocation list RL: the group manager signs the revocation token grt using the group manager's secret key gmsk. Accordingly, at signature verification the verifier has to check that the revocation tokens in RL are signed by the group manager, which it does using the group manager's public key gmpk. For this reason, an adversary who knows the revocation token of some member i cannot replace RL in Verify(gpk, M, \(\varSigma \), RL) with \(\{\mathbf {grt}[\textit{i}]\}\) and check whether user i generated the signature: the signature verification algorithm rejects, because the adversary provides a revocation token that is not signed by the group manager.

In the full-anonymity game depicted in Fig. 1, when the adversary tries to execute Verify with the revocation token of \(i_0\) or \(i_1\), he gets Invalid in both cases, because he cannot provide tokens carrying the group manager's signature. Thus, the adversary cannot tell who generated the given signature, and the new scheme can employ full-anonymity by giving all the members' secret signing keys and tokens to the adversary. Note that this argument treats Verify as a black box that is executed as a whole: the manager's signature on RL entries ensures that an honest verifier never accepts an unsigned token, whereas the revocation test itself (step 7(c) of Sect. 4.1) depends only on the public values V and v and on the token.

4.1 Description of the Scheme

We use the scheme of [14] as the base and construct our new scheme as follows.

Key Generation: The randomized algorithm KeyGen(n, N) works as follows.

  1. Run the PPT algorithm GenTrap(n, m, q) to obtain \( \mathbf A _0 \in \mathbb {Z}_q^{n \times m} \) and a trapdoor \(\mathbf {T}_\mathbf{A }\).

  2. Sample u \(\overset{\$}{\leftarrow }\) \(\mathbb {Z}_q^n \) and \(\mathbf A _i^b \) \(\overset{\$}{\leftarrow }\) \(\mathbb {Z}_q^{n \times m} \) for each \(b \in \{0,1\} \) and \(i \in [\ell ] \).

  3. Set the matrix A = [\(\mathbf A _0 | \mathbf A _1^0 | \mathbf A _1^1 |\ldots |\mathbf A _{\ell }^0 | \mathbf A _{\ell }^1\)] \(\in \mathbb {Z}_q^{n \times (2\ell + 1)m}.\)

  4. Run GenTrap(n, m, q) again to obtain \(\mathbf B \in \mathbb {Z}_q^{n \times m} \) and a trapdoor \(\mathbf T _\mathbf B \).

  5. For each group member, assign an \(\ell \)-bit string d as the index and generate the secret signing key and revocation token as below.

    (a) Let d = \(d[1]\ldots d[\ell ] \in \{0,1\}^{\ell }\) be the binary representation of the index d.

    (b) Sample vectors \(\mathbf x _1^{d[1]},\ldots ,\mathbf x _{\ell }^{d[\ell ]} \) \(\hookleftarrow \) \(D_{\mathbb {Z}^m,\sigma } \).

    (c) Compute z = \( \sum _{i=1}^{\ell } \mathbf A _i^{d[i]} \cdot \mathbf x _i^{d[i]} \bmod \) q.

    (d) Get \( \mathbf x _0 \in \mathbb {Z}^m\) \(\leftarrow \) \(\textsf {SampleD} (\mathbf T _\mathbf{A }, \mathbf A _0,\mathbf u -\mathbf z ,\sigma ) \), so that \(\mathbf A _0 \cdot \mathbf x _0 = \mathbf u - \mathbf z \bmod q\).

    (e) Let \( \mathbf x _1^{1-d[1]},\ldots ,\mathbf x _{\ell }^{1-d[\ell ]}\) be zero vectors \( \mathbf 0 ^m\).

    (f) Define \(\mathbf x ^{(d)} = (\mathbf x _0||\mathbf x _1^0||\mathbf x _1^1||\ldots ||\mathbf x _{\ell }^0||\mathbf x _{\ell }^1) \in \mathbb {Z}^{(2\ell +1)m}\), which satisfies \(\mathbf A \cdot \mathbf x ^{(d)} = \mathbf u \bmod q\). If \( ||\mathbf x ^{(d)}||_\infty \le \beta \) then proceed, else repeat from (b).

    (g) Let the user secret signing key be gsk[d] = \(\mathbf x ^{(d)}\) and the revocation token be grt[d] = \(\mathbf A _0 \cdot \mathbf x _0 \in \mathbb {Z}^n_q\).

Finally, we obtain the group public key gpk = \((\mathbf A , \mathbf B , \mathbf u )\), the group manager's secret key gmsk = \(\mathbf T _\mathbf B \), the group manager's public key gmpk = B, the group members' secret signing keys gsk = (gsk[0], gsk[1],..., gsk[\(N-1\)]), and their revocation tokens grt = (grt[0], grt[1],..., grt[\(N-1\)]).

Signing: The randomized algorithm Sign(\(\mathbf {gpk}, \mathbf {gsk}[\textit{d}], \textit{M}\)) generates a signature \(\varSigma \) on a message M as follows.

  1. Generate a one-time signature key pair (ovk, osk) using OGen.

  2. Sample \(\rho \) \(\overset{\$}{\leftarrow }\) \(\{0,1\}^n\) and let V = \(\mathcal {G}(\mathbf A , \mathbf u , \textit{M}, \rho ) \in \mathbb {Z}_q^{m \times n}\).

  3. Sample \(\mathbf e \) \(\leftarrow \) \(\chi ^m\).

  4. Compute \(\mathbf v = \mathbf V \cdot (\mathbf A _0 \cdot \mathbf x _\mathbf 0 ) + \mathbf e \mod q\); here \({||\mathbf e ||}_{\infty }\le \beta \) with overwhelming probability, and \(\mathbf A _0 \cdot \mathbf x _\mathbf 0 \) is the revocation token grt[d] of the signer.

  5. Repeat the zero-knowledge interactive protocol described in Sect. 4.2 \(t=\omega (\log n)\) times with the public parameters (A, u, V, v) and the prover's witness (x, e), which makes the soundness error negligible and proves that the signer is a certified member. Then make it non-interactive using the Fiat-Shamir heuristic, obtaining the triple \(\varPi \) = \((\{CMT^{(k)}\}_{k=1}^t,CH, \{RSP^{(k)}\}_{k=1}^t)\), where CH = \((\{Ch^{(k)}\}_{k=1}^t) = \mathcal {H}(M, \mathbf A , \mathbf u , \mathbf V , \mathbf v , \{CMT^{(k)}\}_{k=1}^t) \in \{1, 2, 3\}^t\).

  6. Compute the one-time signature \(\textit{sig} = \mathsf {OSign}(\mathbf {osk}, \varPi )\).

  7. Output the signature \(\varSigma \) = \((\mathbf {ovk},\textit{M}, \rho , \mathbf v , \varPi , \textit{sig})\).

Verification: Verify(gpk, M, \(\varSigma \), \(RL = \{\mathbf {u}_i\}_i\)) checks that the given signature \(\varSigma \) is valid on the given message M and that the signer is an active (non-revoked) member, as follows.

  1. Parse the signature \(\varSigma \) as \((\mathbf {ovk},\textit{M}, \rho , \mathbf v , \varPi , \textit{sig})\).

  2. If \(\textsf {OVer}(\mathbf {ovk}, \varPi , \textit{sig})\) = 0 then return Invalid.

  3. Compute V = \(\mathcal {G}(\mathbf A , \mathbf u , \textit{M}, \rho ) \in \mathbb {Z}_q^{m \times n}\).

  4. Parse \(\varPi \) as \((\{CMT^{(k)}\}_{k=1}^t,\{Ch^{(k)}\}_{k=1}^t, \{RSP^{(k)}\}_{k=1}^t)\).

  5. If \((Ch^{(1)}, \ldots , Ch^{(t)}) \ne \mathcal {H}(M, \mathbf A , \mathbf u , \mathbf V , \mathbf v , \{CMT^{(k)}\}_{k=1}^t) \) then return Invalid, else proceed.

  6. For \(k=1\) to \(t\), run the verification steps of the commitment scheme to validate \(RSP^{(k)}\) with respect to \(CMT^{(k)}\) and \(Ch^{(k)}\). If any of these checks fails, return Invalid.

  7. For each \(\mathbf u _{\textit{i}} \in RL\),

    (a) Parse \(\mathbf u _{\textit{i}}\) as (\(\mathbf {grt}_i, \varSigma _{rt_i}\)).

    (b) Check that \(\mathbf {grt}_i\) is signed by the group manager by running the verification algorithm of the group manager's signature scheme, written Verify(\(\mathbf {gmpk}, \mathbf {grt}_i, \varSigma _{rt_i}\)), where gmpk is the group manager's public key. If it returns Invalid, then return Invalid.

    (c) Compute \(\mathbf e '_{\textit{i}} = \mathbf v - \mathbf V \cdot \mathbf {grt}_i \mod q\). If \({||\mathbf e '_{\textit{i}}||}_{\infty }\le \beta \) for some i, then the signer has been revoked: return Invalid.

  8. Return Valid.

Revoke: The algorithm Revoke(gpk, gmsk, grt[i], RL) takes the group manager's secret key gmsk, the revoked member's revocation token grt[i], and the latest revocation list RL, and proceeds as follows.

  1. Generate the group manager's signature on the revoked token, \(\varSigma _{rt_i}\) = Sign(gmsk, grt[i]).

  2. Add the revoked token and its signature to RL: \(RL \leftarrow RL \cup \{(\mathbf {grt}[\textit{i}], \varSigma _{rt_i})\}\).

  3. Return RL.
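The revocation mechanics of Sect. 2.5 and 4.1 (the commitment v = V·grt + e computed in Sign, the test e'_i = v − V·grt_i in step 7(c) of Verify, the manager-signed RL produced by Revoke, and implicit tracing) as a runnable toy model in Python. This is an added example, not the paper's code: the argument Π, the one-time signature and the lattice trapdoors are left out, tokens are sampled uniformly instead of as A_0·x_0, the group manager's lattice-based signature is replaced by a toy Schnorr signature over an 11-bit group, and the parameters n = 4, m = 8, q = 4093, β = 5 are assumed for illustration only (nothing here is secure). All function names are the example's own.

```python
"""Toy model of the revocation mechanics of Sect. 2.5 and 4.1 (added example, not the paper's code).

Modelled: tokens grt[i] in Z_q^n, the commitment v = V*grt + e of Sign (steps 2-4), the test
e' = v - V*grt_i of Verify step 7(c), the manager-signed revocation list built by Revoke, and
the implicit tracing algorithm.  Not modelled: the argument Pi, the one-time signature and the
lattice trapdoors; the manager's lattice signature is replaced by a toy Schnorr signature.
All parameters are tiny and assumed; nothing here is secure, it only shows the control flow.
"""
import hashlib
import random

N_DIM, M_DIM, Q, BETA = 4, 8, 4093, 5   # toy n, m, q, beta (not the paper's Table 1 values)
P_G, Q_G, GEN = 2039, 1019, 4           # toy Schnorr group: Q_G | P_G - 1, GEN has order Q_G

def _centered(x):
    """Representative of x mod Q in (-Q/2, Q/2], so a small error has a small absolute value."""
    x %= Q
    return x - Q if x > Q // 2 else x

def _hash_to_matrix(message, rho):
    """Stand-in for the random oracle G: derive V in Z_q^{m x n} from (M, rho)."""
    rng = random.Random(hashlib.sha256(b"G|" + message + b"|" + rho).digest())
    return [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(M_DIM)]

def _matvec(V, t):
    return [sum(V[r][c] * t[c] for c in range(N_DIM)) % Q for r in range(M_DIM)]

def keygen(num_members, rng):
    """Tokens are uniform here; in the paper grt[d] = A_0 * x_0 is derived from gsk[d]."""
    return [[rng.randrange(Q) for _ in range(N_DIM)] for _ in range(num_members)]

def sign(token, message, rng):
    """Sign steps 2-4: rho, V = G(M, rho), small e, v = V*grt + e mod q (Pi and OTS omitted)."""
    rho = bytes(rng.getrandbits(8) for _ in range(16))
    e = [rng.randint(-BETA, BETA) for _ in range(M_DIM)]
    v = [(a + b) % Q for a, b in zip(_matvec(_hash_to_matrix(message, rho), token), e)]
    return rho, v

def token_links(signature, token, message):
    """Verify step 7(c): e'_i = v - V*grt_i mod q; the token matches iff ||e'_i||_inf <= beta."""
    rho, v = signature
    Vt = _matvec(_hash_to_matrix(message, rho), token)
    return max(abs(_centered(a - b)) for a, b in zip(v, Vt)) <= BETA

# Toy Schnorr signature standing in for the group manager's (lattice-based) signature.
def mgr_keygen(rng):
    sk = rng.randrange(1, Q_G)
    return sk, pow(GEN, sk, P_G)          # (gmsk, gmpk)

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(str(r).encode() + msg).digest(), "big") % Q_G

def mgr_sign(sk, token, rng):
    k = rng.randrange(1, Q_G)
    c = _challenge(pow(GEN, k, P_G), repr(token).encode())
    return c, (k - c * sk) % Q_G

def mgr_verify(pk, token, sig):
    c, s = sig
    r = pow(GEN, s, P_G) * pow(pk, c, P_G) % P_G   # equals g^k for a genuine (c, s)
    return _challenge(r, repr(token).encode()) == c

def revoke(gmsk, token, rl, rng):
    """Revoke: append (grt_i, Sigma_rt_i) so that RL contains only manager-signed tokens."""
    return rl + [(token, mgr_sign(gmsk, token, rng))]

def verify(gmpk, message, signature, rl):
    """Verify steps 7-8 (steps 1-6, the OTS and argument checks, are outside this model)."""
    for token, sig_rt in rl:
        if not mgr_verify(gmpk, token, sig_rt):     # 7(b): entry not signed by the manager
            return "Invalid"
        if token_links(signature, token, message):  # 7(c): the signer has been revoked
            return "Invalid"
    return "Valid"

def implicit_trace(grt, message, signature):
    """Implicit tracing (Sect. 2.5): first index whose token links to the signature, else None."""
    for i, token in enumerate(grt):
        if token_links(signature, token, message):
            return i
    return None

def run_demo(seed=2024):
    """End-to-end run with a fixed seed; returns the Verify results and the traced index."""
    rng = random.Random(seed)
    gmsk, gmpk = mgr_keygen(rng)
    grt = keygen(4, rng)
    msg = b"constructed sample message"             # constructed input, member 2 signs it
    sigma = sign(grt[2], msg, rng)
    return {
        "empty_rl": verify(gmpk, msg, sigma, []),                                   # Valid
        "other_revoked": verify(gmpk, msg, sigma, revoke(gmsk, grt[3], [], rng)),   # Valid
        "signer_revoked": verify(gmpk, msg, sigma, revoke(gmsk, grt[2], [], rng)),  # Invalid
        "unsigned_entry": verify(gmpk, msg, sigma, [(grt[2], (0, 0))]),             # Invalid
        "traced": implicit_trace(grt, msg, sigma),                                  # 2
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Calling run_demo() signs as member 2 and returns Valid for an empty RL or an RL listing another member, Invalid once member 2's signed token is in RL or when an RL entry lacks a valid manager signature, and implicit_trace recovers index 2. Note that token_links, the step 7(c) test, uses only the public values V and v together with a token.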

4.2 The Underlying ZKAoK for the Group Signature Scheme

The zero-knowledge interactive protocol is the main building block of the scheme, as it allows a signer to argue that he is a certified group member who holds a valid secret key and who has not been revoked.

Let COM be the statistically hiding and computationally binding commitment scheme described in [12].

Our scheme can be seen as an adaptation of [14], so we can use the protocol described there. The public parameters are the matrix A = [\(\mathbf A _0 | \mathbf A _1^0 | \mathbf A _1^1 |\ldots |\mathbf A _{\ell }^0 | \mathbf A _{\ell }^1\)] \(\in \mathbb {Z}_q^{n \times (2\ell + 1)m} \), \(\mathbf V \in \mathbb {Z}^{m \times n}_q\), u \(\in \) \(\mathbb {Z}_q^n\), and \(\mathbf v \in \mathbb {Z}^m_q\). The prover's witness is the vector \(\mathbf x ^{(d)} = (\mathbf x _0||\mathbf x _1^0||\mathbf x _1^1||...||\mathbf x _{\ell }^0||\mathbf x _{\ell }^1) \in \mathbb {Z}^{(2\ell +1)m} \) for some \(d \in \{0,1\}^{\ell }\), together with the vector \(\mathbf e \in \mathbb {Z}^m\). While keeping his identity d secret, the prover has to convince the verifier that

  1. \(\mathbf A \cdot \mathbf x ^{(d)} = \mathbf u \bmod q\), where \(\mathbf x ^{(d)}\) has the form above with \(||\mathbf x ^{(d)}||_{\infty } \le \beta \), so that d is hidden in \(\mathbf x ^{(d)}\).

  2. \(||\mathbf e ||_{\infty } \le \beta \) and \(\mathbf V \cdot (\mathbf A _0 \cdot \mathbf x _0) + \mathbf e = \mathbf v \mod q\).

5 Analysis of the Scheme

This paper provides a new scheme that satisfies full anonymity. The restricted versions of full anonymity, almost-full anonymity [19] and dynamical-almost-full anonymity [18], lead to more efficient schemes than the proposed one because they do not require the group manager to sign the revocation tokens of revoked members. Moreover, under selfless anonymity any user can check whether he created a particular signature; in the proposed scheme this is not possible, since users do not know the group manager's secret key. In terms of security, however, the new scheme is stronger than the other anonymity notions applied to VLR schemes.

5.1 Correctness

For all gpk, gmsk, gmpk, gsk, and grt output by KeyGen, all indices i, all messages M and all revocation lists RL,

\(\textsf {Verify}(\mathbf {gpk}, \textit{M}, \textsf {Sign}(\mathbf {gpk}, \mathbf {gsk}[\textit{i}], \textit{M}), RL)\) = Valid \(\iff \) \(\mathbf {grt}[\textit{i}] \notin RL\) and, for all (\(\mathbf {grt}_i, \varSigma _{rt_i}\)) in RL, Verify(\(\mathbf {gmpk}, \mathbf {grt}_i, \varSigma _{rt_i}\)) = Valid.

Verify in the proposed scheme accepts only signatures generated on the given message by active (non-revoked) members. If the revocation token of the signer is in RL, his signature is not accepted by Verify. Similarly, Sign also checks whether the signer satisfies these requirements. The underlying interactive protocol guarantees that only active members who possess a valid secret signing key can generate signatures.

5.2 Anonymity

Theorem 1

In the random oracle model, the proposed scheme is fully anonymous based on the hardness of the \(Decision\text {-}LWE_{n, q, \chi }\) problem.

Proof. We define a sequence of games between a challenger C and an adversary A such that the advantage of the adversary is negligible in the last game. Game 0 is the original full-anonymity game, in which all members' secret signing keys and revocation tokens are given to the adversary at the beginning. The adversary can request the index of the signer of any signature. We prove that consecutive games are indistinguishable, based on the strong unforgeability of \(\mathcal {OTS}\), the zero-knowledge property of the underlying argument system, and the hardness of the \(Decision\text {-}LWE_{n, q, \chi }\) problem. Game 4 is the last game and is independent of the bit \(b \in \{0, 1\}\).

Game 0: The challenger C runs KeyGen(\(1^n, 1^N\)) to obtain the group public key gpk = \((\mathbf A , \mathbf B , \mathbf u )\), the group manager's secret key gmsk = \(\mathbf T _\mathbf B \), the group manager's public key gmpk = B, the group members' secret signing keys gsk = (gsk[0], gsk[1],..., gsk[\(N-1\)]), and their revocation tokens grt = (grt[0], grt[1],..., grt[\(N-1\)]). C gives gpk, all the secret signing keys gsk and all the revocation tokens grt to the adversary A. In the query phase, A can request the index of the signer of any signature. In the challenge phase, A sends two indices (\(i_0, i_1\)) together with a message \(\textit{M}^*\), and C picks a random bit \(b \leftarrow \{0, 1\}\) and sends back the challenge signature \(\varSigma ^*\) = \((\mathbf {ovk},\textit{M}^*, \rho , \mathbf v , \varPi , \textit{sig})\) generated under gsk[\(i_b\)]. The adversary's goal is to identify which index was used to generate the challenge signature. A returns \(b^\prime \); the experiment returns 1 if \(b^\prime = b\), and 0 otherwise.

Game 1: The challenger C makes a slight modification with respect to Game 0. In the real experiment (Game 0) the one-time key pair (ovk, osk) is generated during signature generation. In this game, C generates the one-time key pair (\(\mathbf {ovk}^*, \mathbf {osk}^*\)) at the beginning of the game and uses it for the challenge signature. If the adversary A queries the opening oracle with a valid signature \(\varSigma \) = (\(\mathbf {ovk},\textit{M}, \rho , \mathbf v , \varPi , \textit{sig}\)) where ovk = \(\mathbf {ovk}^*\), C returns a random bit and aborts. Before the challenge phase, \(\mathbf {ovk}^*\) is independent of the adversary's view, so the probability that A produces a signature with ovk = \(\mathbf {ovk}^*\) is negligible. After seeing the challenge signature, a valid signature \(\varSigma \ne \varSigma ^*\) with ovk = \(\mathbf {ovk}^*\) would contain a forged one-time signature sig, contradicting the strong unforgeability of \(\mathcal {OTS}\). Thus the probability that C aborts is negligible, and Game 1 is indistinguishable from Game 0.

Game 2: In this game, instead of honestly generating the non-interactive proof \(\varPi \), the challenger C simulates a proof \(\varPi ^*\) without using the witness. C invokes the simulator for each \(k \in [t]\) and programs the random oracle \(\mathcal {H}\) accordingly. The challenge signature \(\varSigma ^*=(\mathbf {ovk}^*,\textit{M}^*, \rho , \mathbf {v}, \varPi ^*, \textit{sig})\) is statistically close to the challenge signature of the previous game because the argument system is statistically zero-knowledge. Thus Game 2 is indistinguishable from Game 1.

Game 3: In this game, the challenger C replaces the revocation token of the challenge signer by a uniformly random vector. In Game 2, \(\mathbf {v}=\mathbf {V}\cdot \mathbf {grt}[\textit{i}_b]+\mathbf e \mod q\), where V is uniformly random over \(\mathbb {Z}^{m \times n}_q\) and \(\mathbf e \) is sampled from the error distribution \(\chi \). Now C samples \(\mathbf t {\mathop {\leftarrow }\limits ^{\$}} \mathbb {Z}^n_q\) uniformly and computes \(\mathbf v =\mathbf V \cdot \mathbf t +\mathbf e \mod q\); only \(\mathbf {grt}[\textit{i}_b]\) is replaced by t, and the rest of the game is as in Game 2. Since \(\varPi ^*\) is simulated, v is the only component of the challenge signature computed from the token. Thus, the two games are statistically indistinguishable.

Game 4: Game 3 has \(\mathbf v =\mathbf V \cdot \mathbf t +\mathbf e \mod q\). In this game the challenger C makes \(\mathbf v \) truly uniform by sampling \(\mathbf y {\mathop {\leftarrow }\limits ^{\$}} \mathbb {Z}^m_q\) and setting \(\mathbf v =\mathbf y \), so the challenge signature is independent of the bit \(b\). In Game 3, the pair (V, v) is a proper \(LWE_{n, q, \chi }\) instance with secret t, so under the hardness of \(Decision\text {-}LWE_{n, q, \chi }\) its distribution is computationally close to the uniform distribution over \(\mathbb {Z}^{m \times n}_q \times \mathbb {Z}^m_q\). Hence Game 3 and Game 4 are computationally indistinguishable: an adversary that distinguishes v from y solves the Decision-LWE problem.

Hence Game 0 and Game 4 are computationally indistinguishable, and since Game 4 is independent of b, the adversary's advantage in Game 0 is negligible. This proves that the new scheme satisfies full anonymity.

5.3 Traceability

Theorem 2

Based on the hardness of the \({\varvec{SIS}}^\infty _{n,(\ell +1)\cdot m,q,2\beta }\) problem, the proposed scheme is traceable in the random oracle model.

Proof. We construct a PPT algorithm \(\mathcal {F}\) that uses a traceability adversary A to solve the SIS problem with non-negligible probability. The forger \(\mathcal {F}\) is given the SIS instance (A, u) as the verification key and generates the key pair (B, \(\mathbf T _\mathbf{B }\)) itself. \(\mathcal {F}\) passes gpk = (A, B, u) and gmsk = \(\mathbf T _\mathbf{B }\) to A and responds to A's queries as follows.

  • Signature queries: If A requests a signature of user d on a message M, then \(\mathcal {F}\) returns \(\varSigma = \textsf {Sign}(\mathbf {gpk}, \mathbf {gsk[}{} \textit{d}{} \mathbf ] ,\textit{M})\).

  • Corruption queries: The corruption set CU is initially empty. If A requests the secret key of a user d, then \(\mathcal {F}\) adds d to CU and returns \(\mathbf {gsk[}{} \textit{d}{} \mathbf ] \).

  • Random oracle queries: Queries to the random oracles \(\mathcal {H}\) and \(\mathcal {G}\) are answered consistently with uniformly random values; in particular, each query to \(\mathcal {H}\) is answered with a uniformly random element of \(\{1,2,3\}^t\). For each \(k \le q_\mathcal {H}\), we let \(r_{k }\) denote the answer to the k-th \(\mathcal {H}\)-query.

Finally, A outputs a message \(\textit{M}^*\), revocation data \(\textit{RL}^*\) and a non-trivial forged signature \(\varSigma ^*\) satisfying the requirements of the traceability game: Verify(\(\mathbf {gpk}, M^*, \varSigma ^*, \textit{RL}^*\)) = \(\textsf {Valid}\), and the implicit tracing algorithm either fails or returns a user index \(j^*\) outside the coalition \(CU {\setminus } \textit{RL}^*\).

\(\mathcal {F}\) exploits the forgery as below.

We require that the adversary A always queries \(\mathcal {H}\) on input (\(\textit{M}^*, \mathbf A , \mathbf u , \mathbf V ^*, \mathbf v ^*, \{CMT^{(k)}\}_{k=1}^t\)). As a result, with probability at least \(\epsilon - 3^{-t}\), there exists some \(\kappa ^* \le q_{\mathcal {H}}\) such that the \(\kappa ^*\)-th oracle query involves the tuple (\(M^*, \mathbf A , \mathbf u , \mathbf V ^*, \mathbf v ^*, \{CMT^{(k)}\}_{k=1}^t\)). For a fixed \(\kappa ^*\), \(\mathcal {F}\) runs A many times with the same input and randomness as in the original run. In each repeated run, \(\mathcal {F}\) answers the first \(\kappa ^* - 1\) queries with the same values \(r_1, \dots , r_{\kappa ^*-1}\) as in the initial run, and from the \(\kappa ^*\)-th query onwards returns fresh random values \(r^{\prime }_{\kappa ^*}, \ldots , r^{\prime }_{q_\mathcal {H}}\overset{\$}{\leftarrow }\{1,2,3\}^t\). The forking lemma [20, Lemma 7] implies that, with probability larger than 1/2, algorithm \(\mathcal {F}\) obtains a 3-fork involving the tuple (\(\textit{M}^*, \mathbf A , \mathbf u , \mathbf V ^*, \mathbf v ^*, \{CMT^{(k)}\}_{k=1}^t\)) after fewer than \(32 \cdot q_\mathcal {H}/(\epsilon - 3^{-t})\) executions of A. Let the answers of \(\mathcal {F}\) to the \(\kappa ^*\)-th query on the three branches of the fork be

$$\begin{aligned} r^{(1)}_{\kappa ^*} = (Ch^{(1)}_1, \dots , Ch^{(1)}_t); r^{(2)}_{\kappa ^*} = (Ch^{(2)}_1, \dots , Ch^{(2)}_t); r^{(3)}_{\kappa ^*} = (Ch^{(3)}_1, \dots , Ch^{(3)}_t). \end{aligned}$$

A simple calculation shows that \(\Pr [\exists i \in \{1, \dots , t\}: \{Ch^{(1)}_i, Ch^{(2)}_i, Ch^{(3)}_i\} = \{1, 2, 3\}] = 1-(7/9)^t\).
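The calculation behind this bound, written out here as an added step rather than taken from the original text: for a fixed position i the three challenges are independent and uniform over \(\{1,2,3\}\), so

$$\begin{aligned} \Pr \big [\{Ch^{(1)}_i, Ch^{(2)}_i, Ch^{(3)}_i\} = \{1,2,3\}\big ] = \frac{3!}{3^3} = \frac{2}{9}, \end{aligned}$$

and since the t positions are independent, the probability that no position carries all three distinct challenges is \((1 - 2/9)^t\), giving

$$\begin{aligned} \Pr \big [\exists i \in \{1,\dots ,t\}: \{Ch^{(1)}_i, Ch^{(2)}_i, Ch^{(3)}_i\} = \{1,2,3\}\big ] = 1 - \Big (\frac{7}{9}\Big )^t. \end{aligned}$$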

Conditioned on the existence of such an index i, one parses the three forgeries corresponding to the fork branches to obtain (\(RSP^{(1)}_i, RSP^{(2)}_i, RSP^{(3)}_i\)).

Then, using the knowledge extractor \(\zeta \) of the underlying argument system, we extract vectors (\(\mathbf y , \mathbf e ^*\)) satisfying the following.

  1. \( \mathbf{y = (\mathbf y _0||\mathbf y _1^0||\mathbf y _1^1||\dots ||\mathbf y _{\ell }^0||\mathbf y _{\ell }^1)}\) has the form of a secret key \(\mathbf x ^{(d)}\) for some \(d \in \{0, 1\}^{\ell }\), and \(\mathbf A \cdot \mathbf y = \mathbf u \mod q\).

  2. \( {||\mathbf e ^*||_{\infty } \le \beta }\) and \(\mathbf V ^* \cdot (\mathbf A _0 \cdot \mathbf y _0) + \mathbf e ^* = \mathbf v ^* \mod q\).

The remaining part of the proof is the same as the proof given in [14]. From the extracted vectors we finally obtain a vector that is a valid solution to the SIS problem. This concludes the proof of traceability.

6 Conclusion

This paper provides a new scheme with new methods for member revocation and signature verification. As a result, the proposed scheme achieves full anonymity, becoming the first lattice-based group signature scheme with VLR to achieve full anonymity among the known lattice-based group signature schemes. However, the group manager has to sign every revoked member's token. This leaves an open problem, because the security of the scheme depends on the trustworthiness of the group manager: if the group manager's secret key is revealed, the scheme is no longer secure.