Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease

In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) - which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. Our design approach consists of upgrading Libert et al.'s static construction (EUROCRYPT 2016) - which is arguably the most efficient lattice-based group signature to date - into the fully dynamic setting. Somewhat surprisingly, our scheme produces slightly shorter signatures than the former, thanks to a new technique for proving inequality in zero-knowledge without relying on any inequality check. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message

Lattice-based Group Signature Scheme with Verifier-local Revocation

International audienceSupport of membership revocation is a desirable functionality for any group signature scheme. Among the known revocation approaches, verifier-local revocation (VLR) seems to be the most flexible one, because it only requires the verifiers to possess some up-to-date revocation information, but not the signers. All of the contemporary VLR group signatures operate in the bilinear map setting, and all of them will be insecure once quantum computers become a reality. In this work, we introduce the first lattice-based VLR group signature, and thus, the first such scheme that is believed to be quantum-resistant. In comparison with existing lattice-based group signatures, our scheme has several noticeable advantages: support of membership revocation, logarithmic-size signatures, and weaker security assumption. In the random oracle model, our scheme is proved to be secure based on the hardness of the SIVP_{SoftO(n^{1.5})}$ problem in general lattices - an assumption that is as weak as those of state-of-the-art lattice-based standard signatures. Moreover, our construction works without relying on encryption schemes, which is an intriguing feature for group signatures

Efficient Dynamic Group Signature Scheme with Verifier Local Revocation and Time-Bound Keys using Lattices

Revocation is an important feature of group signature schemes. Verifier Local Revocation (VLR) is a popular revocation mechanism which involves only verifiers in the revocation process. In VLR, a revocation list is maintained to store the information about revoked users. The verification cost of VLR based schemes islinearly proportional to the size of recvocation list. In many applications, the size of revocation list grows with time, which makes the verification process expensive. In this paper, we propose a lattice based dynamic group signature using VLR and time bound keys to reduce the size of revocation list to speed up the verification process. In the proposed scheme, an expiration date is fixed for signing key of each group member, and verifiers can find out (at constantcost) if a signature is generated using an expired key. Hence revocation information of members who are revoked before signing key expiry date (premature revocation) are kept in revocation list, and other members are part of natural revocation. This leads to a significant saving on the revocation check by assuming natural revocation accounts for large fraction of the total revocation. This scheme also takes care of non-forgeability of signing key expiry date

A Code-Based Group Signature Scheme

International audienceIn this work we propose the first code-based group signature. As it will be described below, its security is based on a relaxation of the model of Bel-lare, Shi and Zhang [3] (BSZ model) verifying the properties of anonymity, traceability and non-frameability. Furthermore, it has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to dynamically add new members and signature and public key sizes are constant with respect to the number of group members. Last but not least, our scheme can be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [19] (KTY model) and handles membership revocation. The main idea of our scheme consists in building a collision of two syndromes associated to two different matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome. These two small weight vectors will constitute the group member's secret signing key whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications , we consider the case of the code-based CFS signature scheme [11] of Courtois, Finiasz and Sendrier

Foundations of Fully Dynamic Group Signatures

Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows to capture such relaxation of traceability

Concept and Construction of Group Signature with self-proof capacity for confirming and denying

With privacy-preserving and traceability properties, group signature is a cryptosystem with central role in cryptography. And there are lots of application scenarios. A new extension concept of group signature is presented, namely group signature with self-proof capacity. For a legitimate group signature, the real signer can prove that the signature is indeed signed by him/her. While for the other members of the group, they can prove that the signature is not signed by him/her. The former can be used for claiming money reward from the police, while the latter can be used for proving one's innocent in a criminal investigation

Lattice-based Group Signature Scheme with Verier-local Revocation

Support of membership revocation is a desirable functionality for any group signature scheme. Among the known revocation approaches, verifier-local revocation (VLR) seems to be the most flexible one, because it only requires the verifiers to possess some up-to-date revocation information, but not the signers. All of the contemporary VLR group signatures operate in the bilinear map setting, and all of them will be insecure once quantum computers become a reality. In this work, we introduce the first lattice-based VLR group signature, and thus, the first such scheme that is believed to be quantum-resistant. In comparison with existing lattice-based group signatures, our scheme has several noticeable advantages: support of membership revocation, logarithmic-size signatures, and milder hardness assumptions. In the random oracle model, our scheme is proven secure based on the hardness of the SIVP_O(n^{2.5}) problem in general lattices. Moreover, our construction works without relying on public-key encryption schemes, which is an intriguing feature for group signatures

A Revocable Group Signature Scheme with Scalability from Simple Assumptions and Its Application to Identity Management

Group signatures are signatures providing signer anonymity where signers can produce signatures on behalf of the group that they belong to. Although such anonymity is quite attractive considering privacy issues, it is not trivial to check whether a signer has been revoked or not. Thus, how to revoke the rights of signers is one of the major topics in the research on group signatures. In particular, scalability, where the signing and verification costs and the signature size are constant in terms of the number of signers N, and other costs regarding signers are at most logarithmic in N, is quite important. In this paper, we propose a revocable group signature scheme which is currently more efficient compared to previous all scalable schemes. Moreover, our revocable group signature scheme is secure under simple assumptions (in the random oracle model), whereas all scalable schemes are secure under q-type assumptions. We implemented our scheme by employing Barreto-Lynn-Scott curves of embedding degree 12 over a 455-bit prime field (BLS-12-455), and Barreto-Naehrig curves of embedding degree 12 over a 382-bit prime field (BN-12-382), respectively, by using the RELIC library. We showed that the online running times of our signing algorithm were approximately 14 msec (BLS-12-455) and 11 msec (BN-12-382), and those of our verification algorithm were approximately 20 msec (BLS-12-455) and 16 msec (BN-12-382), respectively. Finally, we showed that our scheme is applied to an identity management system proposed by Isshiki et al

SoK: Privacy-Preserving Signatures

Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency