Accountable Tracing Signatures from Lattices
San Ling, Khoa Nguyen, Huaxiong Wang, Yanhong Xu
Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore. {lingsan,khoantt,hxwang,xu0014ng}@ntu.edu.sg

Abstract. Group signatures allow users of a group to sign messages anonymously in the name of the group, while incorporating a tracing mechanism to revoke anonymity and identify the signer of any message. Since its introduction by Chaum and van Heyst (EUROCRYPT 1991), numerous proposals have been put forward, yielding various improvements on security, efficiency and functionality. However, a drawback of traditional group signatures is that the opening authority is given too much power, i.e., he can indiscriminately revoke anonymity and there is no mechanism to keep him accountable. To overcome this problem, Kohlweiss and Miers (PoPET 2015) introduced the notion of accountable tracing signatures (ATS) - an enhanced group signature variant in which the opening authority is kept accountable for his actions. Kohlweiss and Miers demonstrated a generic construction of ATS and put forward a concrete instantiation based on number-theoretic assumptions. To the best of our knowledge, no other ATS scheme has been known, and the problem of instantiating ATS under post-quantum assumptions, e.g., lattices, remains open to date. In this work, we provide the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers, assuming the hardness of the Ring Short Integer Solution (RSIS) and the Ring Learning With Errors (RLWE) problems. At the heart of our construction are a lattice-based key-oblivious encryption scheme and a zero-knowledge argument system allowing to prove that a given ciphertext is a valid RLWE encryption under some hidden yet certified key. These technical building blocks may be of independent interest, e.g., they can be useful for the design of other lattice-based privacy-preserving protocols.
Group signature is a fundamental cryptographic primitive introduced by Chaum and van Heyst [13]. It allows members of a group to anonymously sign messages on behalf of the group, but to prevent abuse of anonymity, there is an opening authority (OA) who can identify the signer of any message. While such a tracing mechanism is necessary to ensure user accountability, it grants too much power to the opening authority. Indeed, in traditional models of group signatures, e.g., [2,23,7,3,24,54,8], the OA can break users' anonymity whenever he wants, and we do not have any method to verify whether this trust is well placed or not.

One existing attempt to restrict the OA's power is the proposal of group signatures with message-dependent opening (MDO) [53], in which the OA can only identify the signers of messages admitted by an additional authority named admitter. However, this solution is still unsatisfactory. Once the OA has obtained admission to open a specific message, he can identify all the users, including some innocent ones, who have ever issued signatures on this specific message. Furthermore, by colluding with the admitter, the OA again is able to open all signatures.

To tackle the problem discussed above, Kohlweiss and Miers [25] put forward the notion of accountable tracing signatures (ATS), which is an enhanced variant of group signatures that has an additional mechanism to make the OA accountable. In an ATS scheme, the role of the OA is incorporated into that of the group manager (GM), and there are two kinds of group users: traceable ones and non-traceable ones. Traceable users are treated as in traditional group signatures, i.e., their anonymity can be broken by the OA/GM. Meanwhile, it is infeasible for anyone, including the OA/GM, to trace signatures generated by non-traceable users. When a user joins the group, the OA/GM first has to determine whether this user is traceable and then he issues a corresponding (traceable/non-traceable) certificate to the user. In a later phase, the OA/GM reveals which user he deems traceable using an "accounting" algorithm, yielding an intriguing method to enforce his accountability.

As an example, let us consider the surveillance controls of a building, which are implemented using an ATS scheme. On the one hand, the customers in this building would like to have their privacy protected as much as possible. On the other hand, the police who are conducting a security check in this building would like to know as much as they can. To balance the interests of these two parties, the police can in advance narrow down some suspects and ask the OA/GM to make these suspected users traceable and the remaining non-suspected users non-traceable. To check whether the suspects entered the building, the police can ask the OA/GM to open all signatures that were used for authentication at the entrance. Since only the suspects are traceable, the group manager can only identify them if they indeed entered this building. However, if a standard group signature scheme (e.g., [1,2,6,3]) were used, then the privacy of innocent users would be seriously violated. In this situation, one might think that a traceable signature scheme, as suggested by Kiayias, Tsiounis and Yung [23], would work. By requesting a user-specific trapdoor from the OA/GM, the police can trace all the signatures created by the suspects. However, this only achieves privacy of innocent users against the police, but not against the group authorities. In fact, in a traceable signature scheme, the OA/GM has the full power to identify the signers of all signatures and hence can violate the privacy of all users without being detected. In contrast, if an ATS scheme is used, then the OA/GM must later reveal which user he chose to be traceable, thus enabling his accountability.

In [25], besides demonstrating the feasibility of ATS under generic assumptions, Kohlweiss and Miers also presented an instantiation based on number-theoretic assumptions, which remains the only known concrete ATS construction to date. This scheme, however, is vulnerable against quantum computers due to Shor's algorithm [55]. For the sake of not putting all eggs in one basket, it is therefore tempting to build schemes based on post-quantum foundations. In this paper, we investigate the design of accountable tracing signatures based on lattice assumptions, which are currently among the most viable foundations for post-quantum cryptography. Let us now take a look at the closely related and recently active topic of lattice-based group signatures.
Lattice-based group signatures.
The first lattice-based group signature scheme was introduced by Gordon, Katz and Vaikuntanathan in 2010 [20]. Subsequently, numerous schemes offering improvements in terms of security and efficiency have been proposed [12,26,34,48,30,28,9,51]. Nevertheless, regarding the support of advanced functionalities, lattice-based group signatures are still way behind their number-theoretic-based counterparts. Indeed, there have been known only a few lattice-based schemes [32,31,28,35,36] that depart from the BMW model [2] - which deals solely with static groups and which may be too inflexible to be considered for a wide range of real-life applications. In particular, although there was an attempt [31] to restrict the power of the OA in the MDO sense, the problem of making the OA accountable in the context of lattice-based group signatures is still open. This somewhat unsatisfactory state-of-affairs motivates our search for a lattice-based instantiation of ATS. As we will discuss below, the technical road towards our goal is not straightforward: there are challenges and missing building blocks along the way.
Our Results and Techniques.
In this paper, we introduce the first lattice-based accountable tracing signature scheme. The scheme satisfies the security requirements suggested by Kohlweiss and Miers [25], assuming the hardness of the Ring Short Integer Solution (RSIS) problem and the Ring Learning With Errors (RLWE) problem. As all other known lattice-based group signatures, the security of our scheme is analyzed in the random oracle model. For a security parameter λ, our ATS scheme features group public key size and user secret key size Õ(λ). However, the accountability of the OA/GM comes at a price: the signature size is of order Õ(λ) compared with Õ(λ) in a recent scheme by Ling et al. [36].

Let us now give an overview of our techniques. First, we recall that in an ordinary group signature scheme [2,3], to enable traceability, the user is supposed to encrypt his identifying information and prove the well-formedness of the resulting ciphertext. In an ATS scheme, however, not all users are traceable. We thus would need a mechanism to distinguish between traceable users and non-traceable ones. A possible method is to let traceable users encrypt their identities under a public key (pk) such that only the OA/GM knows the underlying secret key (sk), while for non-traceable users, no one knows the secret key. However, there seems to be no incentive for users to deliberately make themselves traceable. We hence should think of a way to choose traceable users obliviously. An interesting approach is to randomize pk to a new public key epk so that it is infeasible to decide how these keys are related without the knowledge of the secret key and the used randomness. More specifically, when a user joins the group, the OA/GM first randomizes pk to epk and sends the latter to the user together with a certificate. The difference between traceable users and non-traceable ones lies in whether OA/GM knows the underlying secret key. Thanks to the obliviousness property of the randomization, the users are unaware of whether they are traceable. Then, when signing messages, the user encrypts his identity using his own randomized key epk (note that this "public key" should be kept secret) and proves the well-formedness of the ciphertext.
Several questions regarding thisapproach then arise. What special kind of encryption scheme should we use?How to randomize the public key in order to get the desirable obliviousness?More importantly, how could the user prove the honest execution of encryptionif the underlying encryption key is secret?To address the first two questions, Kohlweiss and Miers [25] proposed thenotion of key-oblivious encryption ( KOE ) - a public-key encryption scheme inwhich one can randomize public keys in an oblivious manner. Kohlweiss andMiers showed that a
KOE scheme can be built from a key-private homomorphicpublic-key encryption scheme. They then gave an explicit construction based onthe ElGamal cryptosystem [18], where epk is obtained by multiplying pk by a ci-phertext of 1. When adapting this idea into the lattice setting, however, one hasto be careful. In fact, we observe that an implicit condition for the underlyingkey-private public-key encryption scheme is that its public key and ciphertextshould have the same algebraic form , which is often not the case for the schemesin the lattice setting, e.g., [52,19]. Furthermore, lattice-based encryption schemesfrom the Learning with Errors ( LWE ) problem or its ring version
RLWE ofteninvolve noise terms that grow quickly when one performs homomorphic opera-tions over ciphertexts. Fortunately, we could identify a suitable candidate: the
RLWE-based encryption scheme proposed by Lyubashevsky, Peikert and Regev (LPR) [43], for which both the public key and the ciphertext consist of a pair of ring elements. Setting the parameters carefully to control the noise growth in LPR, we are able to adapt the blueprint of [25] into the lattice setting and obtain a lattice-based
KOE scheme.To tackle the third question, we need a zero-knowledge ( ZK ) protocol forproving well-formedness of the ciphertext under a hidden encryption key, whichis quite challenging to build in the RLWE setting. Existing ZK protocols fromlattices belong to two main families. One line of research [37,38,4,5,41,44] de-signed very elegant approximate ZK proofs for ( R ) LWE and ( R ) SIS relationsby employing rejection sampling techniques. While these proofs are quite ef-ficient and compact, they only handle linear relations. In other words, theycan only prove knowledge of a short vector x satisfying y = A · x mod q , for public A and public y . This seems insufficient for our purpose. Another lineof research [33,34,14,30,29,36] developed decomposition/ extension/permutation This condition is needed so that epk can be computed as pk · enc (1) (multiplicativehomomorphic) or pk + enc (0) (additive homomorphic). secret-and-certified A together with short secret vector x satis-fying y = A · x mod q . Thus, Libert et al.’s work appears to be the “right”stepping stone for our case. However, in [29], quadratic relations were consid-ered only in the setting of general lattices, while here we have to deal with thering setting, for which the multiplication operation is harder to express, captureand prove in zero-knowledge. Nevertheless we manage to adapt their techniquesinto the ring lattices and obtain the desired technical building block.As discussed so far, we have identified the necessary ingredients - the LPRencryption scheme and Stern-like ZK protocols - for upgrading a lattice-basedordinary group signature to a lattice-based accountable tracing signature. Next,we need to find a lattice-based ordinary group signature scheme that is compati-ble with the those ingredients. 
To this end, we work with Ling et al.’s scheme [36],that also employs the LPR system for its tracing layer and Stern-like techniquesfor proving knowledge of a valid user certificate (which is a Ducas-Miccianciosignature [15,16] based on the hardness of the Ring Short Integer Solution ( RSIS )problem). We note that the scheme from [36] achieves constant-size signatures,which means that the signature size is independent of the number of users. Asa by-product, our signatures are also constant-size (although our constant islarger, due to the treatment of quadratic relations).A remaining aspect is how to enable the accountability of the OA / GM . Tothis end, we let the latter reveal the choice (either traceable or non-traceable) fora given user together with the randomness used to obtain the randomized publickey. The user then checks whether his epk was computed as claimed. However,the OA / GM may claim a traceable user to be non-traceable by giving awaymalicious randomness and accusing that the user had changed epk by himself. Toensure non-repudiation, OA / GM is required to sign epk and the users’ identifyinginformation when registering the user into the group. This mechanism in factalso prevents dishonest users from choosing non-traceable epk by themselves.The obtained ATS scheme is then proven secure in the random oracle modelunder the
RSIS and
RLWE assumptions, according to the security requirementsput forward by Kohlweiss and Miers [25]. On the efficiency front, as all knownlattice-based group signatures with advanced functionalities, our scheme is stillfar from being practical. We, however, hope that our result will inspire moreefficient constructions in the near future.
Organization.
In Section 2, we recall some background materials. In Section 3, we describe our key-oblivious encryption scheme from lattice assumptions. Our accountable tracing signature scheme is presented in Section 5.
Background
Notations.
For a positive integer n , define the set { , , . . . , n } as [ n ], the set { , , . . . , n } as [0 , n ], and the set containing all the integers from − n to n as[ − n, n ]. Denote the set of all positive integers as Z + . If S is a finite set, then x $ ←− S means that x is chosen uniformly at random from S . Let a ∈ R m and b ∈ R m be two vectors for positive integers m , m . Denote ( a k b ) ∈ R m + m ,instead of ( a ⊤ , b ⊤ ) ⊤ , as the concatenation of these two vectors. Let q ≥ Z q = [ − q − , q − ]. In this work, let usconsider rings R = Z [ X ] / ( X n + 1) and R q = ( R/qR ), where n is a power of 2.Let τ be the coefficient embedding τ : R q → Z nq that maps a ring element v = v + v · X + . . . + v n − · X n − ∈ R q to a vector τ ( v ) = ( v , v , . . . , v n − ) ⊤ over Z nq . Define the ring homomorphism rot : R q → Z n × nq that maps a ring element a ∈ R q to a matrix rot ( a ) = (cid:2) τ ( a ) | τ ( a · X ) | · · · | τ ( a · X n − ) (cid:3) over Z n × nq (see,e.g., [45,58]). Using these two functions, the element product y = a · v over R q can be interpreted as the matrix-vector multiplication τ ( y ) = rot ( a ) · τ ( v ) over Z q . When working with vectors and matrices over R q , we generalize the notations τ and rot in the following way. For a vector v = ( v , . . . , v m ) ⊤ ∈ R mq , define τ ( v ) = ( τ ( v ) k · · · k τ ( v m )) ∈ Z mnq . For a matrix A = [ a | · · · | a m ] ∈ R × mq ,define rot ( A ) to be the matrix rot ( A ) = (cid:2) rot ( a ) | · · · | rot ( a m ) (cid:3) ∈ Z n × mnq . Using the generalized notations, we can interpret y = A · v over R q as matrix-vector multiplication τ ( y ) = rot ( A ) · τ ( v ) over Z q .For a = a + a · X + . . . + a n − · X N − ∈ R , we define k a k ∞ = max i ( | a i | ).Similarly, for vector b = ( b , . . . , b m ) ⊤ ∈ R m , we define k b k ∞ = max j ( k b j k ∞ ).We now recall the average-case problems RSIS and
RLWE associated with therings
R, R q , as well as their hardness results. Definition 1 ([39,50,40]).
Given a uniform matrix A = [ a | a | · · · | a m ] over R × mq , the RSIS ∞ n,m,q,β problem asks to find a ring vector b = ( b , b , . . . , b m ) ⊤ over R m such that A · b = a · b + a · b + · · · + a m · b m = 0 over R q and < k b k ∞ ≤ β . For polynomial bounded m, β and q ≥ β · e O ( √ n ), it was proven that the RSIS ∞ n,m,q,β problem is no easier than the SIVP γ problem in any ideal in the ring R , where γ = β · e O ( √ nm ) (see [39,50,27]). Definition 2 ([42,56,43]).
For positive integers n, m, q ≥ and a probabilitydistribution χ over the ring R , define a distribution A s,χ over R q × R q for s $ ←− R q in the following way: it first samples a uniformly random element a ∈ R q , an rror element e ← ֓ χ , and then outputs ( a, a · s + e ) . The target of the RLWE n,m,q,χ problem is to distinguish m samples chosen from a uniform distribution over R q × R q and m samples chosen from the distribution A s,χ for s $ ←− R q . Let q ≥ B = e O ( √ n ) be positive integers. χ is a distribution over R whichefficiently outputs samples e ∈ R with k e k ∞ ≤ B with overwhelming probabilityin n . Then there is a quantum reduction from the RLWE n,m,q,χ problem tothe
SIVP γ problem and the SVP γ problem in any ideal in the ring R , where γ = e O ( √ n · q/B ) (see [42,10,27,49]). It is shown that the hardness of the RLWE problem is preserved when the secret s is sampled from the error distribution χ (see [42,10]). We now recall the integer decomposition technique from [33]. For any pos-itive integer B , let δ B := ⌊ log B ⌋ + 1 = ⌈ log ( B + 1) ⌉ and the sequence B , . . . , B δ B , where B j = ⌊ B +2 j − j ⌋ , for any j ∈ [ δ B ]. It is then verifiable that P δ B j =1 B j = B . In addition, for any integer a ∈ [0 , B ], one can decompose a into a vector of the form idec B ( a ) = ( a (1) , a (2) , . . . , a ( δ B ) ) ⊤ ∈ { , } δ B , satis-fying ( B , B , . . . , B δ B ) · idec B ( a ) = a . The procedure of the decomposition ispresented below in a deterministic manner.1. a ′ := a
2. For j = 1 to δ B do:(i) If a ′ ≥ B j then a ( j ) := 1, else a ( j ) := 0;(ii) a ′ := a ′ − B j · a ( j ) .3. Output idec B ( a ) = ( a (1) , . . . , a ( δ B ) ) ⊤ .In [36], the above decomposition procedure is also utilized to deal with poly-nomials in the ring R q . Specifically, for B ∈ [1 , q − ], define the injective function rdec B that maps a ∈ R q with k a k ∞ ≤ B to a ∈ R δ B with k a k ∞ ≤
1, whichworks as follows.1. Let τ ( a ) = ( a , . . . , a n − ) ⊤ . For each i , let σ ( a i ) = 0 if a i = 0; σ ( a i ) = − a i <
0; and σ ( a i ) = 1 if a i > ∀ i , compute w i = σ ( a i ) · idec B ( | a i | ) = ( w i, , . . . , w i,δ B ) ⊤ ∈ {− , , } δ B .3. Form the vector w = ( w k . . . k w n − ) ∈ {− , , } nδ B , and let a ∈ R δ B bethe vector such that τ ( a ) = w .4. Output rdec B ( a ) = a .To deal with ring vectors of dimension m ∈ Z + and of infinity bound B ∈ Z + , we generalize the notion rdec B ( v ) in the following way: it maps a ringvector v = ( v , . . . , v m ) ⊤ ∈ R mq such that k v k ∞ ≤ B to a vector rdec B ( v ) = (cid:0) rdec B ( v ) k . . . k rdec B ( v m ) (cid:1) ∈ R mδ B , whose coefficients are in the set {− , , } .7ow, ∀ m, B ∈ Z + , we define matrices H B ∈ Z n × nδ B and H m,B ∈ Z nm × nmδ B as H B = B . . . B δ B . . . B . . . B δ B , and H m,B = H B . . . H B . Then we have τ ( a ) = H B · τ ( rdec B ( a )) mod q and τ ( v ) = H m,B · τ ( rdec B ( v )) . For simplicity reason, when B = q − , we will use the notation rdec insteadof rdec q − , and H instead of H q − . We recall the stateful and adaptively secure version of Ducas-Micciancio signa-ture scheme [15,16], which is used to enroll new users in our construction.Following [15,16], throughout this work, for any real constants c > α ≥ c − , define a series of sets T j = { , } c j of lengths c j = ⌊ α c j ⌋ for j ∈ [ d ],where d ≥ log c ( ω (log n )). For each tag t = ( t , t , . . . , t c j ) ⊤ ∈ T j for j ∈ [ d ],associate it with a ring element t ( X ) = P c j k =0 t k · X k ∈ R q . Let c = 0 and thendefine t [ i ] ( X ) = P c i − k = c i − t k · X k and t [ i ] = ( t c i − , . . . , t c i − ) ⊤ for i ∈ [ j ]. Thenone can check t = ( t [1] k t [2] k · · · k t [ j ] ) and t ( X ) = P ji =1 t [ i ] ( X ).This variant works with the following parameters. – Let n, m, q, k be some positive integers such that n ≥ m ≥ ⌈ log q ⌉ + 2, and q = 3 k . Define the rings R = Z [ X ] / ( X n + 1) and R q = R/qR . – Let the message dimension be m s = poly( n ). 
Also, let ℓ = ⌊ log q − ⌋ + 1, and m = m + k and m s = m s · ℓ . – Let integer β = e O ( n ) and integer d and sequence c , . . . , c d be as above. – Let S ∈ Z be a state that is 0 initially.The public verification key consists of the following: A , F ∈ R × mq ; A [0] , . . . , A [ d ] ∈ R × kq ; F ∈ R × ℓq ; F ∈ R × m s q ; u ∈ R q while the secret signing key is a Micciancio-Peikert [46] trapdoor matrix R ∈ R m × kq .When signing a message m ∈ R m s q , the signer first computes m = rdec ( m ) ∈ R m s , whose coefficients are in the set {− , , } . He then performs the followingsteps. – Set the tag t = ( t , t . . . , t c d − ) ⊤ ∈ T d , where S = P c d − j =0 j · t j , and compute A t = [ A | A [0] + P di =1 t [ i ] A [ i ] ] ∈ R × ( m + k ) q . Update S to S + 1.8 Choose r ∈ R m with k r k ∞ ≤ β . – Let y = F · r + F · m ∈ R q and u p = F · rdec ( y ) + u ∈ R q . – Employing the trapdoor matrix R , produce a ring vector v ∈ R m + k with A t · v = u p over the ring R q and k v k ∞ ≤ β . – Return the tuple ( t, r , v ) as a signature for the message m .To check the validity of the tuple ( t, r , v ) with respect to message m ∈ R m s q ,the verifier first computes the matrix A t as above and verifies the followingconditions: ( A t · v = F · rdec ( F · r + F · rdec ( m )) + u, k r k ∞ ≤ β, k v k ∞ ≤ β. He outputs 1 if all these three conditions hold and 0 otherwise.
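The following is an added illustration, not code from the paper, of the notation recalled above: the coefficient embedding τ, the rotation matrix rot (so that τ(a·v) = rot(a)·τ(v) over Z_q), the integer decomposition idec_B with the sequence B_1, …, B_{δ_B}, and the sign-aware ring decomposition rdec_B together with the matrix H_B satisfying τ(a) = H_B · τ(rdec_B(a)). It works at the level of coefficient vectors: a ring element of R_q = Z_q[X]/(X^n + 1) is a list of n centered coefficients, and rdec returns τ(rdec_B(a)) directly. The toy parameters (n = 4, q = 17, B = 3) are constructed for the example and are far below anything the paper uses.

```python
# Added example (not the paper's code): tau, rot, idec_B, rdec_B and H_B
# over R_q = Z_q[X]/(X^n + 1), with constructed toy parameters.

def centered(x, q):
    """Reduce x into the centered interval [-(q-1)/2, (q-1)/2] (q odd)."""
    x %= q
    return x - q if x > (q - 1) // 2 else x

def tau(a, q):
    """Coefficient embedding tau: R_q -> Z_q^n (a is its list of coefficients)."""
    return [centered(c, q) for c in a]

def mul_ring(a, b, q):
    """Product in Z_q[X]/(X^n + 1): the wrap-around X^n = -1 is negacyclic."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return tau(out, q)

def rot(a, q):
    """rot(a) = [tau(a) | tau(a*X) | ... | tau(a*X^{n-1})], returned as rows."""
    n = len(a)
    cols = []
    for i in range(n):
        x_i = [0] * n          # the monomial X^i
        x_i[i] = 1
        cols.append(mul_ring(a, x_i, q))
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def matvec(M, v, q):
    return [centered(sum(m * x for m, x in zip(row, v)), q) for row in M]

def delta(B):
    """delta_B = floor(log2 B) + 1."""
    return B.bit_length()

def seq_B(B):
    """B_j = floor((B + 2^{j-1}) / 2^j) for j = 1..delta_B; these sum to B."""
    return [(B + 2 ** (j - 1)) // 2 ** j for j in range(1, delta(B) + 1)]

def idec(B, a):
    """Deterministic greedy decomposition of a in [0, B] into {0,1}^{delta_B}."""
    assert 0 <= a <= B
    bits, rem = [], a
    for Bj in seq_B(B):
        bit = 1 if rem >= Bj else 0
        bits.append(bit)
        rem -= Bj * bit
    return bits

def rdec(B, a, q):
    """tau(rdec_B(a)): sigma(a_i) * idec_B(|a_i|) for each coefficient, concatenated."""
    w = []
    for ai in tau(a, q):
        assert abs(ai) <= B
        sign = (ai > 0) - (ai < 0)
        w.extend(sign * bit for bit in idec(B, abs(ai)))
    return w

def H(B, n):
    """H_B in Z^{n x n*delta_B}: block-diagonal copies of the row (B_1 ... B_{delta_B})."""
    d, Bs = delta(B), seq_B(B)
    return [[Bs[c - i * d] if i * d <= c < (i + 1) * d else 0
             for c in range(n * d)] for i in range(n)]

def check_rot(a, v, q):
    """tau(a * v) == rot(a) * tau(v) over Z_q."""
    return mul_ring(a, v, q) == matvec(rot(a, q), tau(v, q), q)

def check_rdec(B, a, q):
    """tau(a) == H_B * tau(rdec_B(a)) mod q."""
    return tau(a, q) == matvec(H(B, len(a)), rdec(B, a, q), q)

if __name__ == "__main__":
    print(seq_B(7), idec(7, 5))                        # [4, 2, 1] [1, 0, 1]
    print(check_rot([1, 2, 3, 4], [5, 6, 7, 8], 17))   # True
    print(rdec(3, [1, -2, 0, 3], 17), check_rdec(3, [1, -2, 0, 3], 17))
```

The greedy loop is exactly the three-step procedure above; the `rdec` output is the vector w whose blocks are the w_i, and `H` is the n-fold block-diagonal matrix of the B_j row, which is why the two `check_*` functions return True for any inputs within the bounds.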
Lemma 1 ([15,16]).
Given at most polynomially bounded number of signaturequeries, the above variant is existentially unforgeable against adaptive chosenmessage attacks assuming the hardness of the
RSIS n,m,q, e O ( n ) problem. We will work with statistical zero-knowledge argument systems, namely, in-teractive protocols where the ZK property holds against any cheating verifier,while the soundness property only holds against computationally bounded cheat-ing provers. More formally, let the set of statements-witnesses R = { ( y, w ) } ∈{ , } ∗ × { , } ∗ be an NP relation. A two-party game hP , Vi is called an interac-tive argument system for the relation R with soundness error e if the followingtwo conditions hold: – Completeness.
If ( y, w ) ∈ R then Pr (cid:2) hP ( y, w ) , V ( y ) i = 1 (cid:3) = 1 . – Soundness.
If ( y, w ) R, then ∀ PPT b P : Pr[ h b P ( y, w ) , V ( y ) i = 1] ≤ e. An argument system is called statistical ZK if for any b V ( y ), there exists a PPTsimulator S ( y ) having oracle access to b V ( y ) and producing a simulated transcriptthat is statistically close to the one of the real interaction between P ( y, w ) and b V ( y ). A related notion is argument of knowledge, which, for three-move proto-cols (commitment-challenge-response), requires the existence of a PPT extractortaking as input a set of valid transcripts with respect to all possible values of the“challenge” to the same “commitment” and outputting w ′ such that ( y, w ′ ) ∈ R.The statistical zero-knowledge arguments of knowledge (
ZKAoK) presented in this work are Stern-like [57] protocols. In particular, they are Σ-protocols in the generalized sense defined in [21,4] (where 3 valid transcripts are needed for extraction, instead of just 2). Stern's protocol was originally proposed in the context of code-based cryptography, and was later adapted into the lattice setting by Kawachi et al. [22]. Subsequently, it was empowered by Ling et al. [33] to handle the matrix-vector relations where the secret vectors are of small infinity norm, and further developed to design various lattice-based schemes. Libert et al. [28] put forward an abstraction of Stern's protocol to capture a wider range of lattice-based relations. Now let us recall it. An Abstraction of Stern's Protocol.
Let integers q, K, L be positive suchthat L ≥ K and q ≥
2, and
VALID ⊂ {− , , } L . Given a finite set S , asso-ciate every η ∈ S with a permutation Γ η of L elements such that the followingconditions hold: ( w ∈ VALID ⇐⇒ Γ η ( w ) ∈ VALID , If w ∈ VALID and η is uniform in S , then Γ η ( w ) is uniform in VALID . (1)Our target is to construct a statistical ZKAoK for the abstract relation R abstract of the following form:R abstract = (cid:8) ( M , u ) , w ∈ Z K × Lq × Z Kq × VALID : M · w = u mod q. (cid:9) To obtain the desired
ZKAoK protocol, one has to prove that w ∈ VALID and w satisfies the linear equation M · w = u mod q . To prove w ∈ VALID in a zero-knowledge manner, the prover chooses η $ ←− S and allows the verifierto check Γ η ( w ) ∈ VALID . According to the first condition in (1), the verifiershould be convinced that w is indeed from the set VALID . At the same time, theverifier cannot learn any extra information about w due to the second conditionin (1). Furthermore, to prove in ZK that the linear equation holds, the proverfirst chooses r w $ ←− Z Lq as a masking vector and then shows the verifier that theequation M · ( w + r w ) = M · r w + u mod q holds.In Figure 1, we describe in details the interaction between two PPT algo-rithms prover P and verifier V . The system utilizes a statistically hiding andcomputationally binding string commitment scheme COM (e.g., the
RSIS -basedscheme from [22]).
Theorem 1 ([28]).
Let
COM be a statistically hiding and computationally bind-ing string commitment scheme. Then the interactive protocol depicted in Figure 1is a statistical
ZKAoK with perfect completeness, soundness error /, and communication cost O(L log q). Specifically: – There exists a polynomial-time simulator that on input (M, u), with probability / it outputs an accepted transcript that is within statistical distance from the one produced by an honest prover who knows the witness. – There exists a polynomial-time algorithm that takes as inputs (M, u) and three accepting transcripts on (M, u), (CMT, , RSP), (CMT, , RSP), and (CMT, , RSP), and outputs w′ ∈ VALID such that M · w′ = u mod q. The details of the proof appeared in [28] and are omitted here.

1. Commitment:
Prover chooses r w $ ←− Z Lq , η $ ←− S and randomness ρ , ρ , ρ for COM . Then he sends CMT = (cid:0) C , C , C (cid:1) to the verifier, where C = COM ( η, M · r w mod q ; ρ ) , C = COM ( Γ η ( r w ); ρ ) ,C = COM ( Γ η ( w + r w mod q ); ρ ) . Challenge: V sends back a challenge Ch $ ←− { , , } to P .3. Response:
According to the choice of Ch , P sends back RSP computed in thefollowing way: – Ch = 1: Let t w = Γ η ( w ), t r = Γ η ( r w ), and RSP = ( t w , t r , ρ , ρ ). – Ch = 2: Let η = η , w = w + r w mod q , and RSP = ( η , w , ρ , ρ ). – Ch = 3: Let η = η , w = r w , and RSP = ( η , w , ρ , ρ ). Verification:
When receiving RSP from P , V performs as follows: – Ch = 1: Check that t w ∈ VALID , C = COM ( t r ; ρ ), C = COM ( t w + t r mod q ; ρ ). – Ch = 2: Check that C = COM ( η , M · w − u mod q ; ρ ), C = COM ( Γ η ( w ); ρ ). – Ch = 3: Check that C = COM ( η , M · w ; ρ ) , C = COM ( Γ η ( w ); ρ ) . In each case, V returns 1 if and only if all the conditions hold. Fig. 1:
Stern-like
ZKAoK for the relation R abstract . We next recall the permuting techniques recently suggested by Ling et al. [36],which will be used throughout this paper.
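The following is an added, runnable walk-through of the Figure 1 protocol; it is not code from the paper or from [28]. Two things are assumed for the sake of a concrete instance: VALID is taken to be the set of vectors in {-1,0,1}^L with a fixed number of -1 and of 1 entries, with Γ_η the coordinate permutation η (both conditions in (1) hold for this choice), and COM is a SHA-256 hash of the committed values plus randomness, standing in for the RSIS-based commitment of [22]. The matrix M and witness w are constructed toy values. Each of the three challenges is answered and verified against one commitment, and a witness outside VALID is shown to fail exactly on challenge 1, the only one that inspects VALID.

```python
# Added example (not the paper's code): the abstract Stern-like ZKAoK of
# Figure 1. Assumptions: fixed-weight VALID with coordinate permutations as
# Gamma_eta, and a SHA-256 stand-in for COM.
import hashlib
import json
import os
import random

def com(*parts, rho):
    """COM(parts; rho): hash of a canonical encoding of parts plus randomness rho."""
    return hashlib.sha256(json.dumps(parts).encode() + rho).hexdigest()

def matvec(M, v, q):
    return [sum(m * x for m, x in zip(row, v)) % q for row in M]

def vadd(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def permute(eta, v):
    """Gamma_eta: reorder the coordinates of v by the permutation eta."""
    return [v[i] for i in eta]

def make_valid(n_neg, n_pos):
    """VALID = vectors over {-1,0,1} with exactly n_neg entries -1 and n_pos entries 1."""
    return lambda w: (all(x in (-1, 0, 1) for x in w)
                      and w.count(-1) == n_neg and w.count(1) == n_pos)

def prover_commit(M, w, q, rng):
    """Step 1: masking vector r_w, permutation eta, randomness; send CMT = (C1, C2, C3)."""
    L = len(w)
    r_w = [rng.randrange(q) for _ in range(L)]
    eta = list(range(L))
    rng.shuffle(eta)
    rho = [os.urandom(16) for _ in range(3)]
    cmt = (com(eta, matvec(M, r_w, q), rho=rho[0]),          # C1 = COM(eta, M r_w)
           com(permute(eta, r_w), rho=rho[1]),                # C2 = COM(Gamma_eta(r_w))
           com(permute(eta, vadd(w, r_w, q)), rho=rho[2]))    # C3 = COM(Gamma_eta(w + r_w))
    return cmt, (r_w, eta, rho)

def prover_respond(w, state, ch, q):
    """Step 3: open the two commitments that challenge ch asks for."""
    r_w, eta, rho = state
    if ch == 1:
        return (permute(eta, w), permute(eta, r_w), rho[1], rho[2])
    if ch == 2:
        return (eta, vadd(w, r_w, q), rho[0], rho[2])
    return (eta, r_w, rho[0], rho[1])

def verify(M, u, q, valid, cmt, ch, rsp):
    """Verification of Figure 1 for the given challenge."""
    c1, c2, c3 = cmt
    if ch == 1:                      # t_w in VALID, C2 and C3 open correctly
        t_w, t_r, rho2, rho3 = rsp
        return (valid(t_w) and c2 == com(t_r, rho=rho2)
                and c3 == com(vadd(t_w, t_r, q), rho=rho3))
    if ch == 2:                      # C1 opens to M w2 - u = M r_w, C3 to Gamma(w2)
        eta, w2, rho1, rho3 = rsp
        diff = [(x - y) % q for x, y in zip(matvec(M, w2, q), u)]
        return c1 == com(eta, diff, rho=rho1) and c3 == com(permute(eta, w2), rho=rho3)
    eta, w3, rho1, rho2 = rsp        # C1 opens to M w3 = M r_w, C2 to Gamma(w3)
    return c1 == com(eta, matvec(M, w3, q), rho=rho1) and c2 == com(permute(eta, w3), rho=rho2)

def run_all_challenges(w, valid, q=257, seed=1):
    """One commitment, then verify each of the three challenges (constructed toy M)."""
    rng = random.Random(seed)
    K, L = 3, len(w)
    M = [[rng.randrange(q) for _ in range(L)] for _ in range(K)]
    u = matvec(M, w, q)
    cmt, state = prover_commit(M, w, q, rng)
    return [verify(M, u, q, valid, cmt, ch, prover_respond(w, state, ch, q))
            for ch in (1, 2, 3)]

if __name__ == "__main__":
    valid = make_valid(n_neg=2, n_pos=2)
    print(run_all_challenges([-1, 1, 0, 1, -1, 0], valid))   # honest prover: all True
    print(run_all_challenges([-1, 1, 1, 1, -1, 0], valid))   # w not in VALID: challenge 1 fails
```

Challenge 2 checks C1 against M·w2 − u, which equals M·r_w precisely when M·w = u; challenges 2 and 3 therefore only bind the linear relation, and membership in VALID is enforced solely through the permuted witness opened on challenge 1. That split is the reason a single run has soundness error bounded away from zero and the protocol must be repeated.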
Proving that z ∈ {− , , } . Let b an integer. Denote the integer b ′ ∈ {− , , } with b ′ = b mod 3 as [ b ] . For any z ∈ {− , , } , define vector enc ( z ) in thefollowing manner: enc ( z ) = (cid:0) [ z + 1] , [ z ] , [ z − (cid:1) ⊤ ∈ {− , , } . Namely, enc ( −
$\mathsf{enc}(-1) = (0,-1,1)^\top$, $\mathsf{enc}(0) = (1,0,-1)^\top$ and $\mathsf{enc}(1) = (-1,1,0)^\top$. For $e \in \{-1,0,1\}$, define the permutation $\pi_e$ associated to $e$ as follows. It transforms a vector $\mathbf{v} = (v^{(-1)}, v^{(0)}, v^{(1)})^\top \in \mathbb{Z}^3$ into
\[
\pi_e(\mathbf{v}) = \big(v^{([-e-1]_3)},\ v^{([-e]_3)},\ v^{([-e+1]_3)}\big)^\top.
\]
It can then be verified that, for any $z, e \in \{-1,0,1\}$, the following equivalence holds:
\[
\mathbf{v} = \mathsf{enc}(z) \iff \pi_e(\mathbf{v}) = \mathsf{enc}([z+e]_3). \tag{2}
\]
In the context of Stern's protocol, the above equivalence allows us to prove knowledge of $z \in \{-1,0,1\}$, where $z$ may satisfy other constraints as well. To this end, we simply extend $z$ to $\mathsf{enc}(z)$, sample a uniform $e \in \{-1,0,1\}$, and show the verifier that $\pi_e(\mathsf{enc}(z))$ is of the form $\mathsf{enc}([z+e]_3)$. By the equivalence in (2), the verifier is convinced that $z \in \{-1,0,1\}$, while the "one-time pad" $e$ completely hides the value of $z$. More importantly, the technique is extendable: the same $e$ can be used at every other position where $z$ appears, for instance to prove that $z$ is involved in a product $t \cdot z$, which we now recall.

Proving that $y = t \cdot z$. For $b \in \{0,1\}$, denote the bit $1-b$ by $\bar{b}$ and addition modulo 2 by $\oplus$. For any $t \in \{0,1\}$ and $z \in \{-1,0,1\}$, let the vector $\mathsf{ext}(t,z) \in \{-1,0,1\}^6$ be
\[
\mathsf{ext}(t,z) = \big(\bar{t}\cdot[z+1]_3,\ t\cdot[z+1]_3,\ \bar{t}\cdot[z]_3,\ t\cdot[z]_3,\ \bar{t}\cdot[z-1]_3,\ t\cdot[z-1]_3\big)^\top.
\]
For $b \in \{0,1\}$ and $e \in \{-1,0,1\}$, define the permutation $\psi_{b,e}(\cdot)$ associated to $b, e$ as follows. It transforms a vector
\[
\mathbf{v} = \big(v^{(0,-1)}, v^{(1,-1)}, v^{(0,0)}, v^{(1,0)}, v^{(0,1)}, v^{(1,1)}\big)^\top \in \mathbb{Z}^6
\]
into
\[
\psi_{b,e}(\mathbf{v}) = \big(v^{(b,[-e-1]_3)},\ v^{(\bar{b},[-e-1]_3)},\ v^{(b,[-e]_3)},\ v^{(\bar{b},[-e]_3)},\ v^{(b,[-e+1]_3)},\ v^{(\bar{b},[-e+1]_3)}\big)^\top.
\]
It can easily be checked that, for any $t, b \in \{0,1\}$ and any $z, e \in \{-1,0,1\}$, the following equivalence is satisfied:
\[
\mathbf{v} = \mathsf{ext}(t,z) \iff \psi_{b,e}(\mathbf{v}) = \mathsf{ext}(t \oplus b, [z+e]_3). \tag{3}
\]
As in the case $z \in \{-1,0,1\}$, the equivalence (3) allows us to prove knowledge of $y$, where $y$ is the product of secret integers $t \in \{0,1\}$ and $z \in \{-1,0,1\}$.

Next, we recall the generalizations of the above two core techniques to prove knowledge of a vector $\mathbf{z} \in \{-1,0,1\}^m$ as well as of a vector of the form (5).

Proving that $\mathbf{z} \in \{-1,0,1\}^m$. We first generalize the notation $[b]_3$ to $[\mathbf{b}]_3$ for any $\mathbf{b} \in \mathbb{Z}^m$, where $[\mathbf{b}]_3$ is the vector $\mathbf{b}'$ such that $\mathbf{b}' = \mathbf{b} \bmod 3$ coordinate-wise. For $\mathbf{z} = (z_1, \ldots, z_m)^\top \in \{-1,0,1\}^m$, define the extension
\[
\mathsf{enc}(\mathbf{z}) = \big(\mathsf{enc}(z_1) \,\|\, \cdots \,\|\, \mathsf{enc}(z_m)\big) \in \{-1,0,1\}^{3m}.
\]
For $\mathbf{e} = (e_1, \ldots, e_m)^\top \in \{-1,0,1\}^m$, define the permutation $\Pi_{\mathbf{e}}$ associated to $\mathbf{e}$ as follows. It maps a vector $\mathbf{v} = (\mathbf{v}_1 \| \cdots \| \mathbf{v}_m) \in \mathbb{Z}^{3m}$, consisting of $m$ blocks of size 3, to
\[
\Pi_{\mathbf{e}}(\mathbf{v}) = \big(\pi_{e_1}(\mathbf{v}_1) \,\|\, \cdots \,\|\, \pi_{e_m}(\mathbf{v}_m)\big).
\]
Following (2), for any $\mathbf{z}, \mathbf{e} \in \{-1,0,1\}^m$ we obtain the equivalence
\[
\mathbf{v} = \mathsf{enc}(\mathbf{z}) \iff \Pi_{\mathbf{e}}(\mathbf{v}) = \mathsf{enc}([\mathbf{z}+\mathbf{e}]_3). \tag{4}
\]

Handling a "mixing" vector. We now deal with a "mixing" vector of the form
\[
\mathbf{y} = \big(\mathbf{z} \,\|\, t_0 \cdot \mathbf{z} \,\|\, \cdots \,\|\, t_{c_d-1} \cdot \mathbf{z}\big), \tag{5}
\]
where $\mathbf{z} \in \{-1,0,1\}^m$ and $\mathbf{t} = (t_0, t_1, \ldots, t_{c_d-1})^\top \in \{0,1\}^{c_d}$ for $m, c_d \in \mathbb{Z}^+$. First, we define the extension $\mathsf{mix}(\mathbf{t}, \mathbf{z}) \in \{-1,0,1\}^{3m + 6mc_d}$ of $\mathbf{y}$ as
\[
\big(\mathsf{enc}(\mathbf{z}) \,\|\, \mathsf{ext}(t_0, z_1) \,\|\, \cdots \,\|\, \mathsf{ext}(t_0, z_m) \,\|\, \cdots \,\|\, \mathsf{ext}(t_{c_d-1}, z_1) \,\|\, \cdots \,\|\, \mathsf{ext}(t_{c_d-1}, z_m)\big).
\]
Next, for $\mathbf{b} = (b_0, \ldots, b_{c_d-1})^\top \in \{0,1\}^{c_d}$ and $\mathbf{e} = (e_1, \ldots, e_m)^\top \in \{-1,0,1\}^m$, we define the permutation $\Psi_{\mathbf{b},\mathbf{e}}$ as follows. It maps a vector $\mathbf{v} \in \mathbb{Z}^{3m+6mc_d}$ of the form
\[
\mathbf{v} = \big(\mathbf{v}_{-1} \,\|\, \mathbf{v}_{0,1} \,\|\, \cdots \,\|\, \mathbf{v}_{0,m} \,\|\, \cdots \,\|\, \mathbf{v}_{c_d-1,1} \,\|\, \cdots \,\|\, \mathbf{v}_{c_d-1,m}\big),
\]
where the block $\mathbf{v}_{-1}$ has length $3m$ and each block $\mathbf{v}_{i,j}$ has length 6, to
\[
\Psi_{\mathbf{b},\mathbf{e}}(\mathbf{v}) = \big(\Pi_{\mathbf{e}}(\mathbf{v}_{-1}) \,\|\, \psi_{b_0,e_1}(\mathbf{v}_{0,1}) \,\|\, \cdots \,\|\, \psi_{b_0,e_m}(\mathbf{v}_{0,m}) \,\|\, \cdots \,\|\, \psi_{b_{c_d-1},e_1}(\mathbf{v}_{c_d-1,1}) \,\|\, \cdots \,\|\, \psi_{b_{c_d-1},e_m}(\mathbf{v}_{c_d-1,m})\big).
\]
Then, for all $\mathbf{t}, \mathbf{b} \in \{0,1\}^{c_d}$ and $\mathbf{z}, \mathbf{e} \in \{-1,0,1\}^m$, one can check that the following equivalence holds:
\[
\mathbf{v} = \mathsf{mix}(\mathbf{t}, \mathbf{z}) \iff \Psi_{\mathbf{b},\mathbf{e}}(\mathbf{v}) = \mathsf{mix}(\mathbf{t} \oplus \mathbf{b}, [\mathbf{z}+\mathbf{e}]_3). \tag{6}
\]

We now recall the statistical zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature, as presented in [36]. Let $n, q, m, k, m_s, \ell, \beta, d, c_0, \ldots, c_d$ be as specified in Section 2.3. The protocol is summarized below.

– The public input consists of $\mathbf{A}, \mathbf{F}_0 \in R_q^{1\times m}$; $\mathbf{A}_{[0]}, \ldots, \mathbf{A}_{[d]} \in R_q^{1\times k}$; $\mathbf{F} \in R_q^{1\times \ell}$; $\mathbf{F}_1 \in R_q^{1\times m_s}$; $u \in R_q$.
– The secret input of the prover consists of the message $\mathbf{m} \in R_q^{m_s}$ and the signature $(\mathbf{t}, \mathbf{r}, \mathbf{v})$, where $\mathbf{t} = (t_0, \ldots, t_{c_1-1}, \ldots, t_{c_{d-1}}, \ldots, t_{c_d-1})^\top \in \{0,1\}^{c_d}$; $\mathbf{r} \in R^m$; $\mathbf{v} = (\mathbf{s}\,\|\,\mathbf{z}) \in R^{m+k}$; $\mathbf{s} \in R^m$; $\mathbf{z} \in R^k$.
– The goal of the prover is to prove in ZK that $\|\mathbf{r}\|_\infty \le \beta$, $\|\mathbf{v}\|_\infty \le \beta$, and that the equation
\[
\mathbf{A}\cdot\mathbf{s} + \mathbf{A}_{[0]}\cdot\mathbf{z} + \sum_{i=1}^{d} \mathbf{A}_{[i]}\cdot t_{[i]}\cdot\mathbf{z} = \mathbf{F}\cdot\mathbf{y} + u \tag{7}
\]
holds for $\big\{t_{[i]} = \sum_{j=c_{i-1}}^{c_i-1} t_j\cdot X^j\big\}_{i=1}^{d}$ and
\[
\mathbf{y} = \mathsf{rdec}\big(\mathbf{F}_0\cdot\mathbf{r} + \mathbf{F}_1\cdot\mathsf{rdec}(\mathbf{m})\big) \in R^\ell. \tag{8}
\]

The next step is to transform the secret input into a vector $\mathbf{w}$ that belongs to a specific set VALID and to reduce the statements (7) and (8) to $\mathbf{M}\cdot\mathbf{w} = \mathbf{u} \bmod q$ for some public $\mathbf{M}, \mathbf{u}$, in the form of the abstract protocol from Section 2.4. To realize this, we employ the following two steps.
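As an added illustration of the extend-then-permute gadgets recalled above (example code written for this page, not part of the paper or of any implementation by its authors), the following Python script implements enc, $\pi_e$, ext, $\psi_{b,e}$, mix and $\Psi_{\mathbf{b},\mathbf{e}}$ and checks the equivalences (2) and (3) exhaustively, in both directions, over every vector of the relevant length. It also checks (6) on a random instance whose sizes $m$ and $c_d$ are chosen here, and confirms that for a uniform pad $e$ the verifier's view $\pi_e(\mathsf{enc}(z))$ is the same multiset for every $z$. The index conventions (which coordinate sits at which position of a block) are those of the definitions above, restated as assumptions in the comments.

```python
"""Extend-then-permute gadgets of Section 2.5: enc/pi_e, ext/psi_{b,e}, mix/Psi_{b,e}.
Added example, not the paper's code. Coordinate orderings follow the page: enc is indexed
by j in (-1,0,1); ext by (i,j) with i in (0,1) innermost and j outermost."""
import itertools
import random

T = (-1, 0, 1)

def mod3(x):
    """Centred reduction modulo 3, the [x]_3 notation: result in {-1, 0, 1}."""
    r = x % 3
    return r - 3 if r == 2 else r

def enc(z):
    """enc(z) = ([z+1]_3, [z]_3, [z-1]_3): enc(-1)=(0,-1,1), enc(0)=(1,0,-1), enc(1)=(-1,1,0)."""
    return tuple(mod3(z - j) for j in T)

def pi(e, v):
    """pi_e(v): output position j receives coordinate v^([j-e]_3); coordinate j is stored at index j+1."""
    return tuple(v[mod3(j - e) + 1] for j in T)

def ext(t, z):
    """ext(t,z) = (t'[z+1], t[z+1], t'[z], t[z], t'[z-1], t[z-1]) with t' = 1-t: position (i,j) holds [i==t]*[z-j]_3."""
    return tuple((1 if i == t else 0) * mod3(z - j) for j in T for i in (0, 1))

def psi(b, e, v):
    """psi_{b,e}(v): output position (i,j) receives coordinate v^(i xor b, [j-e]_3), stored at index 2(j+1)+i."""
    return tuple(v[2 * (mod3(j - e) + 1) + (i ^ b)] for j in T for i in (0, 1))

def enc_vec(z):
    return tuple(x for zi in z for x in enc(zi))

def Pi(e, v):
    """Pi_e applies pi_{e_k} to the k-th block of size 3."""
    return tuple(x for k, ek in enumerate(e) for x in pi(ek, v[3 * k:3 * k + 3]))

def mix(t, z):
    """mix(t,z) = (enc(z) || ext(t_0,z_1) || ... || ext(t_0,z_m) || ... || ext(t_{c-1},z_m)),
    the extension of the mixing vector y = (z || t_0 z || ... || t_{c-1} z) of (5)."""
    return enc_vec(z) + tuple(x for ti in t for zj in z for x in ext(ti, zj))

def Psi(b, e, v):
    """Psi_{b,e}: Pi_e on the first 3m entries, then psi_{b_i,e_j} on the 6-blocks (i outer, j inner)."""
    p = 3 * len(e)
    out = list(Pi(e, v[:p]))
    for bi in b:
        for ej in e:
            out.extend(psi(bi, ej, v[p:p + 6]))
            p += 6
    return tuple(out)

def check_eq2():
    """Equivalence (2) in both directions, over every v in {-1,0,1}^3 and every z, e."""
    return all((v == enc(z)) == (pi(e, v) == enc(mod3(z + e)))
               for v in itertools.product(T, repeat=3) for z in T for e in T)

def check_eq3():
    """Equivalence (3) in both directions, over every v in {-1,0,1}^6, bits t, b and z, e."""
    return all((v == ext(t, z)) == (psi(b, e, v) == ext(t ^ b, mod3(z + e)))
               for v in itertools.product(T, repeat=6)
               for t in (0, 1) for b in (0, 1) for z in T for e in T)

def check_eq6(m=3, c=2, seed=1):
    """Forward direction of (6) on a random instance: Psi_{b,e}(mix(t,z)) == mix(t xor b, [z+e]_3)."""
    rnd = random.Random(seed)
    z, e = [rnd.choice(T) for _ in range(m)], [rnd.choice(T) for _ in range(m)]
    t, b = [rnd.randrange(2) for _ in range(c)], [rnd.randrange(2) for _ in range(c)]
    masked = mix([x ^ y for x, y in zip(t, b)], [mod3(x + y) for x, y in zip(z, e)])
    return Psi(b, e, mix(t, z)) == masked

def pad_hides():
    """With a uniform one-time pad e, the verifier's view pi_e(enc(z)) is the same multiset for every z."""
    return all(sorted(pi(e, enc(z)) for e in T) == sorted(enc(w) for w in T) for z in T)
```

The two exhaustive checks are the ones that matter for soundness: they confirm not only that a well-formed vector stays well-formed under the permutation, but that a malformed one never becomes well-formed, which is what lets the verifier accept a permuted vector as evidence about the hidden one.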
Decomposing-Unifying. To begin with, we utilize the notations $\mathsf{rot}$ and $\tau$ from Section 2.1 and the decomposition techniques from Section 2.2. Let
\[
\mathbf{s}^\star = \tau(\mathsf{rdec}_\beta(\mathbf{s})) \in \{-1,0,1\}^{nm\delta_\beta},\quad
\mathbf{z}^\star = \tau(\mathsf{rdec}_\beta(\mathbf{z})) \in \{-1,0,1\}^{nk\delta_\beta},\quad
\mathbf{r}^\star = \tau(\mathsf{rdec}_\beta(\mathbf{r})) \in \{-1,0,1\}^{nm\delta_\beta}.
\]
Then one can check that equation (7) is equivalent to
\[
[\mathsf{rot}(\mathbf{A}_{[0]})\cdot\mathbf{H}_{k,\beta}]\cdot\mathbf{z}^\star + \sum_{i=1}^{d}\sum_{j=c_{i-1}}^{c_i-1}[\mathsf{rot}(\mathbf{A}_{[i]}\cdot X^j)\cdot\mathbf{H}_{k,\beta}]\cdot t_j\cdot\mathbf{z}^\star + [\mathsf{rot}(\mathbf{A})\cdot\mathbf{H}_{m,\beta}]\cdot\mathbf{s}^\star - [\mathsf{rot}(\mathbf{F})]\cdot\tau(\mathbf{y}) = \tau(u) \bmod q,
\]
and equation (8) is equivalent to
\[
[\mathsf{rot}(\mathbf{F}_0)\cdot\mathbf{H}_{m,\beta}]\cdot\mathbf{r}^\star + [\mathsf{rot}(\mathbf{F}_1)]\cdot\tau(\mathsf{rdec}(\mathbf{m})) - [\mathbf{H}]\cdot\tau(\mathbf{y}) = \mathbf{0} \bmod q.
\]
Rearranging the two derived equations using basic algebra, we obtain the unifying equation
\[
\mathbf{M}\cdot\mathbf{w} = \mathbf{u} \bmod q,
\]
where $\mathbf{u} = (\tau(u)\,\|\,\mathbf{0}) \in \mathbb{Z}_q^{2n}$ and $\mathbf{M}$ are built from the public input, and $\mathbf{w} = (\mathbf{w}_1\,\|\,\mathbf{w}_2)$ is built from the secret input, with $\mathbf{w}_1 \in \{-1,0,1\}^{(k\delta_\beta + c_d k\delta_\beta)n}$, $\mathbf{w}_2 \in \{-1,0,1\}^{2nm\delta_\beta + n\ell + nm_s}$ and
\[
\mathbf{w}_1 = \big(\mathbf{z}^\star \,\|\, t_0\cdot\mathbf{z}^\star \,\|\, \cdots \,\|\, t_{c_d-1}\cdot\mathbf{z}^\star\big);\qquad
\mathbf{w}_2 = \big(\mathbf{s}^\star \,\|\, \mathbf{r}^\star \,\|\, \tau(\mathbf{y}) \,\|\, \tau(\mathsf{rdec}(\mathbf{m}))\big).
\]
Up to this point, we have transformed the secret input into a vector $\mathbf{w}$ whose coefficients lie in $\{-1,0,1\}$ and reduced the statements (7) and (8) to $\mathbf{M}\cdot\mathbf{w} = \mathbf{u} \bmod q$, where $\mathbf{M}, \mathbf{u}$ are public.

Extending-Permuting.
Now the target is to transform the secret vector $\mathbf{w}$ into a vector $\mathbf{w}'$ such that the conditions in (1) hold. Towards this goal, the extension and permutation techniques described in Section 2.5 are employed. We first extend $\mathbf{w} = (\mathbf{w}_1\,\|\,\mathbf{w}_2)$ as follows:
\[
\mathbf{w}_1 \mapsto \mathbf{w}'_1 = \mathsf{mix}(\mathbf{t}, \mathbf{z}^\star) \in \{-1,0,1\}^{L_1};\qquad
\mathbf{w}_2 \mapsto \mathbf{w}'_2 = \mathsf{enc}(\mathbf{w}_2) \in \{-1,0,1\}^{L_2}. \tag{9}
\]
Let $\mathbf{w}' = (\mathbf{w}'_1\,\|\,\mathbf{w}'_2) \in \{-1,0,1\}^{L}$, where $L = L_1 + L_2$ with
\[
L_1 = (k\delta_\beta + 2c_d k\delta_\beta)\cdot 3n;\qquad L_2 = 6nm\delta_\beta + 3n\ell + 3nm_s.
\]
According to the extension, we add suitable zero-columns to $\mathbf{M}$ to obtain a new matrix $\mathbf{M}' \in \mathbb{Z}_q^{2n\times L}$ such that $\mathbf{M}'\cdot\mathbf{w}' = \mathbf{M}\cdot\mathbf{w}$.

We are now ready to define the set VALID that contains our transformed secret vector $\mathbf{w}'$, the set $\mathcal{S}$, and the associated permutations $\{\Gamma_\eta : \eta \in \mathcal{S}\}$, such that the conditions in (1) are all satisfied. Let VALID be the set of all vectors $\mathbf{v}' = (\mathbf{v}'_1\,\|\,\mathbf{v}'_2) \in \{-1,0,1\}^L$ such that:
– $\mathbf{v}'_1 = \mathsf{mix}(\mathbf{t}, \mathbf{z}^\star)$ for some $\mathbf{t} \in \{0,1\}^{c_d}$ and $\mathbf{z}^\star \in \{-1,0,1\}^{nk\delta_\beta}$;
– $\mathbf{v}'_2 = \mathsf{enc}(\mathbf{w}_2)$ for some $\mathbf{w}_2 \in \{-1,0,1\}^{L_2/3}$.
It is easy to see that $\mathbf{w}'$ belongs to this special set VALID.

Now define $\mathcal{S} = \{0,1\}^{c_d} \times \{-1,0,1\}^{nk\delta_\beta} \times \{-1,0,1\}^{L_2/3}$. For each element $\eta = (\mathbf{b}, \mathbf{e}, \mathbf{f}) \in \mathcal{S}$, define the associated permutation $\Gamma_\eta$ as follows: it permutes a vector $\mathbf{v}^\star = (\mathbf{v}^\star_1\,\|\,\mathbf{v}^\star_2) \in \mathbb{Z}^L$, where $\mathbf{v}^\star_1 \in \mathbb{Z}^{L_1}$ and $\mathbf{v}^\star_2 \in \mathbb{Z}^{L_2}$, into
\[
\Gamma_\eta(\mathbf{v}^\star) = \big(\Psi_{\mathbf{b},\mathbf{e}}(\mathbf{v}^\star_1) \,\|\, \Pi_{\mathbf{f}}(\mathbf{v}^\star_2)\big).
\]
It then follows from the equivalences in (4) and (6) that VALID, $\mathcal{S}$ and $\Gamma_\eta$ satisfy the conditions in (1). Therefore, we have obtained an instance of the abstract protocol from Section 2.4, and running the protocol of Figure 1 yields the desired statistical ZKAoK protocol. The protocol has perfect completeness, soundness error $2/3$, and communication cost $O(L\cdot\log q)$, which is of order $\widetilde{O}(n) = \widetilde{O}(\lambda)$.

We next recall the definitions of key-oblivious encryption (KOE), as introduced in [25]. A KOE scheme consists of the following polynomial-time algorithms.
Setup($\lambda$): On input the security parameter $\lambda$, it outputs public parameters pp. pp is implicit for all algorithms below unless explicitly mentioned.
KeyGen(pp): On input pp, it generates a key pair (pk, sk).
KeyRand(pk): On input the public key pk, it outputs a new public key pk$'$ for the same secret key.
Enc(pk, m): On inputs pk and a message m, it outputs a ciphertext ct on this message.
Dec(sk, ct): On inputs sk and ct, it outputs the decrypted message m$'$.

Correctness. The above scheme must satisfy the following correctness requirement: for all $\lambda$, all pp $\leftarrow$ Setup($\lambda$), all (pk, sk) $\leftarrow$ KeyGen(pp), all pk$'$ $\leftarrow$ KeyRand(pk) and all m, Dec(sk, Enc(pk$'$, m)) = m.

Security. The security requirements of a KOE scheme consist of key randomizability (KR), plaintext indistinguishability under key randomization (INDr), and key privacy under key randomization (KPr).

Key Randomizability. KR requires that no adversary can determine how public keys are related to each other without possession of the secret keys. Details are modelled in the experiment $\mathrm{Exp}^{\mathrm{KR}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ in Fig. 2. Define the advantage $\mathrm{Adv}^{\mathrm{KR}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against KR of the KOE scheme as $|\Pr[\mathrm{Exp}^{\mathrm{KR}}_{\mathrm{KOE},\mathcal{A}}(\lambda) = 1] - 1/2|$. A KOE scheme is key randomizable if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

Plaintext indistinguishability under key randomization. INDr requires that no adversary can distinguish the ciphertext of one message from the ciphertext of another, even though the adversary is allowed to choose the two messages and to randomize the public key. Details are modelled in the experiment $\mathrm{Exp}^{\mathrm{INDr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ in Fig. 2. Define the advantage $\mathrm{Adv}^{\mathrm{INDr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against INDr of the KOE scheme as $|\Pr[\mathrm{Exp}^{\mathrm{INDr}}_{\mathrm{KOE},\mathcal{A}}(\lambda) = 1] - 1/2|$. A KOE scheme is plaintext indistinguishable under key randomization if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

Fig. 2: Experiments defining the security requirements of a KOE scheme.

  Exp^{KR}_{KOE,A}(λ):
    b ← {0,1}, pp ← Setup(λ), (pk, sk) ← KeyGen(pp).
    pk_0 ← KeyRand(pk), (pk_1, sk_1) ← KeyGen(pp).
    b' ← A(pk, pk_b). Return (b' = b).

  Exp^{INDr}_{KOE,A}(λ):
    b ← {0,1}, pp ← Setup(λ), (pk, sk) ← KeyGen(pp).
    (pk', r, m_0, m_1, st) ← A(pk).
    If pk' ≠ KeyRand(pk, r), then return ⊥; else ct ← Enc(pk', m_b).
    b' ← A(ct, st). Return (b' = b).

  Exp^{KPr}_{KOE,A}(λ):
    b ← {0,1}, pp ← Setup(λ); (pk_0, sk_0) ← KeyGen(pp), (pk_1, sk_1) ← KeyGen(pp).
    (m, pk'_0, r_0, pk'_1, r_1, st) ← A(pk_0, pk_1).
    If ∃ c such that pk'_c ≠ KeyRand(pk_c, r_c), then return ⊥; else ct ← Enc(pk'_b, m).
    b' ← A(ct, st). Return (b' = b).

Here KeyRand(pk, r) denotes KeyRand run on pk with the explicit randomness r, so that the challenger can verify that the key pk$'$ submitted by the adversary is indeed a randomization of pk.

Key privacy under key randomization. KPr requires that no adversary can distinguish the ciphertext of a message under one public key from the ciphertext of the same message under another public key, even though the adversary is allowed to choose the message and to randomize the two public keys. Details are modelled in the experiment $\mathrm{Exp}^{\mathrm{KPr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ in Fig. 2. Define the advantage $\mathrm{Adv}^{\mathrm{KPr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against KPr of the KOE scheme as $|\Pr[\mathrm{Exp}^{\mathrm{KPr}}_{\mathrm{KOE},\mathcal{A}}(\lambda) = 1] - 1/2|$. A KOE scheme is key private under key randomization if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

We then recall the definition of accountable tracing signatures (
ATS), as introduced in [25]. An ATS scheme involves a group manager (GM), who also serves as the opening authority (OA), and a set of users, who are potential group members. As in a standard group signature scheme (e.g. [2,3]), GM is able to identify the signer of a given signature. However, there is an additional accounting mechanism that later reveals which users GM chose to trace (traceable users). Specifically, if a user suspects that he was traceable by a group manager who had claimed non-traceability of this user, then the user can resort to this mechanism to check whether the group manager is honest (accountable) or not. An ATS scheme consists of the following polynomial-time algorithms.

Setup($\lambda$): On input the security parameter $\lambda$, it outputs public parameters pp. pp is implicit for all algorithms below unless explicitly mentioned.
GKeyGen(pp): This algorithm is run by GM. On input pp, GM generates the group public key gpk and the group secret keys: the issue key ik and the opening key ok.
UKeyGen(pp): Given input pp, it outputs a user key pair (upk, usk).
Enroll(gpk, ik, upk, tr): This algorithm is run by GM. Upon receiving a user public key upk from a user, GM determines the value of the bit tr $\in \{0,1\}$, indicating whether the user is traceable (tr = 1) or not (tr = 0). He then produces a certificate cert for this user according to his choice of tr. GM then registers this user to the group, stores the registration information and the witness $w_{\mathrm{escrw}}$ to the bit tr, and sends cert to the user.
Sign(gpk, cert, usk, M): Given the inputs gpk, cert, usk and a message M, this algorithm outputs a signature $\Sigma$ on M.
Verify(gpk, M, $\Sigma$): Given gpk and the message-signature pair (M, $\Sigma$), this algorithm outputs 1 (accept) or 0 (reject).
Open(gpk, ok, M, $\Sigma$): Given gpk, ok and the pair (M, $\Sigma$), this algorithm returns a user public key upk$'$ and a proof $\Pi_{\mathrm{open}}$ demonstrating that user upk$'$ indeed generated the signature $\Sigma$. In case upk$'$ = $\bot$, $\Pi_{\mathrm{open}}$ = $\bot$.
Judge(gpk, M, $\Sigma$, upk$'$, $\Pi_{\mathrm{open}}$): Given all the inputs, this algorithm outputs 1 (the proof is accepted) or 0.
Account(gpk, cert, $w_{\mathrm{escrw}}$, tr): Given all the inputs, this algorithm returns 1, confirming the choice of tr, and 0 otherwise.

Correctness. The above ATS scheme requires that, for any honestly generated signature, the Verify algorithm always outputs 1. Furthermore, if the user is traceable, then the Account algorithm outputs 1 when tr = 1, and the Open algorithm can identify the signer and generate a proof $\Pi_{\mathrm{open}}$ that will be accepted by the Judge algorithm. On the other hand, if the user is non-traceable, then the Account algorithm outputs 1 when tr = 0, and the Open algorithm outputs $\bot$.

Remark 1. There is a minor difference between the syntax we describe here and that presented by Kohlweiss and Miers [25]. Specifically, we omit the time epoch at which the user joins the group, since we do not consider the forward and backward tracing scenarios of [25].
Security. The security requirements of an ATS scheme consist of anonymity under tracing (AuT), traceability (Trace), non-frameability (NF), anonymity with accountability (AwA) and trace-obliviousness (TO).

Anonymity under tracing. AuT is the standard anonymity requirement of group signatures (e.g. [2,3]). It guarantees that, even when being traced, users are anonymous to an adversary who does not hold the opening key. Details are modelled in the experiment in Figure 3.

Fig. 3: Experiment defining anonymity under tracing.

  Exp^{AuT-b}_{ATS,A}(λ):
    pp ← Setup(λ). (gpk, ik, ok) ← GKeyGen(pp).
    b' ← A^{Ch, Open}(gpk, ik). Return b'.

  Oracle Open(M, Σ):
    If Σ ∈ Q, then return ⊥;
    else return (upk, Π) ← Open(ok, M, Σ).

  Oracle Ch(cert_0, cert_1, usk_0, usk_1, M, w_escrw,0, w_escrw,1):
    Σ_0 ← Sign(gpk, cert_0, usk_0, M). Σ_1 ← Sign(gpk, cert_1, usk_1, M).
    If (Σ_0 ≠ ⊥ ∧ Σ_1 ≠ ⊥ ∧ Account(gpk, cert_0, w_escrw,0, 1) = 1 ∧ Account(gpk, cert_1, w_escrw,1, 1) = 1),
      then Q ← Q ∪ {Σ_b} and return Σ_b;
    else return ⊥.

Define the advantage $\mathrm{Adv}^{\mathrm{AuT}}_{\mathrm{ATS},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against anonymity under tracing of the ATS scheme as $|\Pr[\mathrm{Exp}^{\mathrm{AuT}-0}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1] - \Pr[\mathrm{Exp}^{\mathrm{AuT}-1}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1]|$. An ATS scheme is anonymous under tracing if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

Traceability.
Traceability requires that every valid signature will trace tosomeone as long as the adversary does not hold both the certificate and usersecret key of a user who is not traceable (non-traceable user). As pointed out byKohlweiss and Miers [25], this is slightly different from the standard traceabilitygame (e.g. [2,3]), where all users are being traced by GM . In an ATS scheme, whenadversary queries certificate of a user of his choice, challenger will always generatea certificate according to tr = 1. In other words, the user of the adversary’schoice is a traceable user. This ensures that the adversary does not hold bothcertificate and user secret key for a non-traceable user. Details are modelled inthe experiment in Figure 4.Define the advantage Adv
TraceATS , A ( λ ) of adversary A against traceability ofthe ATS scheme as Pr[
Exp
TraceATS , A ( λ ) = 1]. An ATS scheme is traceable if theadvantage of any PPT adversary A is negligible.18 xp TraceATS , A ( λ ) pp ← Setup ( λ ).( gpk , ik , ok ) ← GKeyGen ( pp ) . ( M, Σ ) ← A UKG , Enroll , Sign , Open ( gpk ) . Return 0 if (
M, Σ ) ∈ Q or Verify ( gpk , M, Σ ) = 0.Else ( upk , Π ) ← Open ( ok , m, Σ ) . Return 1 if upk = ⊥ or Judge ( gpk , M, Σ, upk , Π ) = 0.Else return 0. Oracle
UKG ( pp )( upk , usk ) ← UKeyGen ( pp ). S [ upk ] = usk .Return upk . Oracle
Enroll ( upk , tr )Let tr ′ = ( upk / ∈ dom S ) ∈ { , } .( cert , w escrw ) ← Enroll ( ik , upk , tr ∨ tr ′ ) . Return cert . Oracle
Sign ( cert , M ) usk = S [ cert . upk ].If ( usk = ⊥ ) , return ⊥ . Else Σ ← Sign ( gpk , cert , usk , M ). Q = Q ∪ { ( m, Σ ) } .return Σ . Oracle
Open ( M, Σ )( upk , Π ) ← Open ( ok , M, Σ )Return ( upk , Π ). Fig. 4:
Experiment to define traceability.
Non-frameability. It requires that the adversary cannot sign messages on behalf of honest users, even though the adversary can corrupt GM and all other users. This ensures that signatures produced by a traceable user (traceable signatures) are non-repudiable. Details are modelled in the experiment in Figure 5.

Fig. 5: Experiment defining non-frameability.

  Exp^{NF}_{ATS,A}(λ):
    pp ← Setup(λ). (gpk, st) ← A(pp). If gpk.pp ≠ pp, return ⊥.
    (M, Σ, upk, Π) ← A^{UKG, Sign}(st).
    Return 1 if ((M, Σ) ∉ Q ∧ Verify(gpk, M, Σ) = 1 ∧ upk ∈ dom(S) ∧ Judge(gpk, M, Σ, upk, Π) = 1).

  O

racle UKG(pp):
    (upk, usk) ← UKeyGen(pp), S[upk] = usk. Return upk.

  Oracle Sign(cert, M):
    usk = S[cert.upk]. If usk = ⊥, return ⊥.
    Σ ← Sign(gpk, cert, usk, M). Q = Q ∪ {(M, Σ)}. Return Σ.

Define the advantage $\mathrm{Adv}^{\mathrm{NF}}_{\mathrm{ATS},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against non-frameability of the ATS scheme as $\Pr[\mathrm{Exp}^{\mathrm{NF}}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1]$. An ATS scheme is non-frameable if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

Anonymity with accountability.
AwA requires that a user is anonymous even to a corrupted group manager that has full control over the system, as long as this user is non-traceable; in other words, the certificate is generated according to tr = 0. Details are modelled in the experiment in Figure 6. Define the advantage $\mathrm{Adv}^{\mathrm{AwA}}_{\mathrm{ATS},\mathcal{A}}(\lambda)$ of $\mathcal{A}$ against anonymity with accountability of the ATS scheme as $|\Pr[\mathrm{Exp}^{\mathrm{AwA}-0}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1] - \Pr[\mathrm{Exp}^{\mathrm{AwA}-1}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1]|$.

Fig. 6: Experiment defining anonymity with accountability.

  Exp^{AwA-b}_{ATS,A}(λ):
    pp ← Setup(λ). (gpk, st) ← A(pp). If gpk.pp ≠ pp, return ⊥.
    b' ← A^{Ch}(st). Return b'.

  Oracle Ch(cert_0, cert_1, usk_0, usk_1, M, w_escrw,0, w_escrw,1):
    Σ_0 ← Sign(gpk, cert_0, usk_0, M). Σ_1 ← Sign(gpk, cert_1, usk_1, M).
    If (Σ_0 ≠ ⊥ ∧ Σ_1 ≠ ⊥ ∧ Account(gpk, cert_0, w_escrw,0, 0) = 1 ∧ Account(gpk, cert_1, w_escrw,1, 0) = 1),
      return Σ_b. Else return ⊥.

An ATS scheme is anonymous with accountability if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

Trace-obliviousness.
Trace-obliviousness requires that no user can determine whether he is being traced or not. Details are modelled in the experiment in Figure 7.

Fig. 7: Experiment defining trace-obliviousness.

  Exp^{TO-b}_{ATS,A}(λ):
    pp ← Setup(λ). (gpk, ik, ok) ← GKeyGen(pp).
    b' ← A^{Ch, Enroll, Open}(gpk). Return b'.

  Oracle Enroll(upk, tr):
    (cert, w_escrw) ← Enroll(ik, upk, tr). Return cert.

  Oracle Ch(upk):
    (cert, w_escrw) ← Enroll(ik, upk, b). U = U ∪ {upk}. Return cert.

  Oracle Open(M, Σ):
    (upk, Π) ← Open(ok, M, Σ). If upk ∈ U, then return ⊥; else return (upk, Π).

Define the advantage $\mathrm{Adv}^{\mathrm{TO}}_{\mathrm{ATS},\mathcal{A}}(\lambda)$ of adversary $\mathcal{A}$ against trace-obliviousness of the ATS scheme as $|\Pr[\mathrm{Exp}^{\mathrm{TO}-0}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1] - \Pr[\mathrm{Exp}^{\mathrm{TO}-1}_{\mathrm{ATS},\mathcal{A}}(\lambda) = 1]|$. An ATS scheme is trace-oblivious if the advantage of any PPT adversary $\mathcal{A}$ is negligible.

In [25], Kohlweiss and Miers constructed a
KOE scheme based on the ElGamal cryptosystem [18]. To adapt their blueprint to the lattice setting, we need a key-private homomorphic encryption scheme whose public keys and ciphertexts have the same algebraic form (e.g., each of them is a pair of ring elements). We observe that the LPR RLWE-based encryption scheme, under an appropriate setting of parameters, does satisfy these conditions. We thus obtain an instantiation of KOE, which will then serve as a building block for our ATS construction in Section 5.

3.1 Description of Our KOE Scheme

Our KOE scheme works as follows.
Setup($\lambda$): Given the security parameter $\lambda$, let $n = O(\lambda)$ be a power of 2 and $q = \widetilde{O}(n^4)$. Also let $\ell = \lfloor \log\frac{q-1}{2}\rfloor + 1$. Define the rings $R = \mathbb{Z}[X]/(X^n+1)$ and $R_q = R/qR$. Let the integer bound $B$ be of order $\widetilde{O}(\sqrt{n})$ and $\chi$ be a $B$-bounded distribution over the ring $R$. This algorithm then outputs the public parameters pp $= \{n, q, \ell, R, R_q, B, \chi\}$.
KeyGen(pp): Given the input pp, this algorithm samples $s \hookleftarrow \chi$, $\mathbf{e} \hookleftarrow \chi^\ell$ and $\mathbf{a} \xleftarrow{\$} R_q^\ell$. Set pk $= (\mathbf{a}, \mathbf{b}) = (\mathbf{a}, \mathbf{a}\cdot s + \mathbf{e}) \in R_q^\ell \times R_q^\ell$ and sk $= s$. It then returns (pk, sk).
KeyRand(pk): Given the public key pk $= (\mathbf{a}, \mathbf{b})$, it samples $g \hookleftarrow \chi$, $\mathbf{e}_1 \hookleftarrow \chi^\ell$ and $\mathbf{e}_2 \hookleftarrow \chi^\ell$, and computes
\[
(\mathbf{a}', \mathbf{b}') = (\mathbf{a}\cdot g + \mathbf{e}_1,\ \mathbf{b}\cdot g + \mathbf{e}_2) \in R_q^\ell \times R_q^\ell.
\]
This algorithm then outputs the randomized public key pk$' = (\mathbf{a}', \mathbf{b}')$.
Enc(pk$'$, $p$): Given the public key pk$' = (\mathbf{a}', \mathbf{b}')$ and a message $p \in R_q$, it samples $g' \hookleftarrow \chi$, $\mathbf{e}'_1 \hookleftarrow \chi^\ell$ and $\mathbf{e}'_2 \hookleftarrow \chi^\ell$, and computes
\[
(\mathbf{c}_1, \mathbf{c}_2) = \big(\mathbf{a}'\cdot g' + \mathbf{e}'_1,\ \mathbf{b}'\cdot g' + \mathbf{e}'_2 + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p)\big) \in R_q^\ell \times R_q^\ell.
\]
This algorithm returns the ciphertext ct $= (\mathbf{c}_1, \mathbf{c}_2)$.
Dec(sk, ct): Given sk $= s$ and ct $= (\mathbf{c}_1, \mathbf{c}_2)$, the algorithm proceeds as follows.
1. It computes $\mathbf{p}'' = \dfrac{\mathbf{c}_2 - \mathbf{c}_1\cdot s}{\lfloor q/3\rfloor}$.
2. For each coefficient of $\mathbf{p}''$: if it is closer to 0 than to $-1$ and 1, round it to 0; if it is closer to $-1$ than to 0 and 1, round it to $-1$; if it is closer to 1 than to 0 and $-1$, round it to 1.
3. Denote the rounded vector by $\bar{\mathbf{p}}' \in R_q^\ell$, with coefficients in $\{-1,0,1\}$.
4. Output $p' \in R_q$ such that $\tau(p') = \mathbf{H}\cdot\tau(\bar{\mathbf{p}}')$. Here $\mathbf{H} \in \mathbb{Z}_q^{n\times n\ell}$ is the decomposition matrix for elements of $R_q$ (see Section 2.2).

Correctness. Note that
\[
\mathbf{c}_2 - \mathbf{c}_1\cdot s = \mathbf{b}'\cdot g' + \mathbf{e}'_2 + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p) - (\mathbf{a}'\cdot g' + \mathbf{e}'_1)\cdot s
= \mathbf{e}\cdot g\cdot g' + \mathbf{e}_2\cdot g' - \mathbf{e}_1\cdot s\cdot g' + \mathbf{e}'_2 - \mathbf{e}'_1\cdot s + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p),
\]
where $s, g, g', \mathbf{e}, \mathbf{e}_1, \mathbf{e}_2, \mathbf{e}'_1, \mathbf{e}'_2$ are $B$-bounded. Hence we have
\[
\|\mathbf{e}\cdot g\cdot g' + \mathbf{e}_2\cdot g' - \mathbf{e}_1\cdot s\cdot g' + \mathbf{e}'_2 - \mathbf{e}'_1\cdot s\|_\infty \le 3n^2\cdot B^3 = \widetilde{O}(n^{3.5}) < \lfloor q/3\rfloor/2 = \widetilde{O}(n^4),
\]
so every coefficient of $\mathbf{p}''$ rounds to the corresponding coefficient of $\mathsf{rdec}(p)$. The Dec algorithm thus recovers $\mathsf{rdec}(p)$ and hence outputs $p$. Therefore, our KOE scheme is correct.
Security. The security of our KOE scheme is stated in the following theorem.

Theorem 2. Under the RLWE assumption, the described key-oblivious encryption scheme satisfies: (i) key randomizability; (ii) plaintext indistinguishability under key randomization; and (iii) key privacy under key randomization.

The proof of Theorem 2 is established by Lemmas 2 to 4.
Lemma 2. The key-oblivious encryption scheme described in Section 3.1 is key randomizable, as defined in Section 2.7, under the RLWE assumption.

Proof. Notice that samples chosen according to $A_{s,\chi}$ for some $s \hookleftarrow \chi$ are indistinguishable from random under the RLWE assumption. Therefore, the honestly generated public key pk $= (\mathbf{a}, \mathbf{b}) \in R_q^\ell \times R_q^\ell$ is indistinguishable from a truly random pair $\widetilde{\mathrm{pk}} = (\widetilde{\mathbf{a}}, \widetilde{\mathbf{b}}) \in R_q^\ell \times R_q^\ell$. Hence, we may replace pk with $\widetilde{\mathrm{pk}}$, and this modification is unnoticeable to the adversary.

Let pk$_0 = (\widetilde{\mathbf{a}}\cdot g + \mathbf{e}_1,\ \widetilde{\mathbf{b}}\cdot g + \mathbf{e}_2)$ and pk$_1 = (\mathbf{a}', \mathbf{a}'\cdot s' + \mathbf{e}')$, where pk$_1$ is independent of $\widetilde{\mathrm{pk}}$. When $b = 0$, the adversary is given $(\widetilde{\mathbf{a}}, \widetilde{\mathbf{b}}, \widetilde{\mathbf{a}}\cdot g + \mathbf{e}_1, \widetilde{\mathbf{b}}\cdot g + \mathbf{e}_2)$, which are $2\ell$ samples chosen according to $A_{g,\chi}$. Therefore, $(\widetilde{\mathrm{pk}}, \mathrm{pk}_0)$ is indistinguishable from $2\ell$ samples chosen according to $U(R_q \times R_q)$. When $b = 1$, the adversary is given $(\widetilde{\mathbf{a}}, \widetilde{\mathbf{b}}, \mathbf{a}', \mathbf{a}'\cdot s' + \mathbf{e}')$. Since pk$_1$ is independent of $\widetilde{\mathrm{pk}}$, we can replace pk$_1$ with a truly random pair. Hence, $(\widetilde{\mathrm{pk}}, \mathrm{pk}_1)$ is also indistinguishable from $2\ell$ samples chosen according to $U(R_q \times R_q)$. Therefore, the adversary cannot distinguish the case $b = 0$ from the case $b = 1$.

It then follows that the advantage of any PPT adversary in the experiment $\mathrm{Exp}^{\mathrm{KR}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ is negligible, and hence our KOE scheme is key randomizable.
Lemma 3. The key-oblivious encryption scheme described in Section 3.1 is plaintext indistinguishable under key randomization, as defined in Section 2.7, under the RLWE assumption.

Proof. Let $\mathcal{A}$ be any PPT adversary attacking plaintext indistinguishability under key randomization with advantage $\epsilon$; we show that $\epsilon = \mathrm{negl}(\lambda)$ assuming the hardness of the RLWE problem. Specifically, we construct a sequence of indistinguishable games $G_0, G_1, G_2, G_3, G_4$ such that $\mathrm{Adv}_{\mathcal{A}}(G_0) = \epsilon$ and $\mathrm{Adv}_{\mathcal{A}}(G_4) = 0$.

Game $G_0$: This is the real experiment $\mathrm{Exp}^{\mathrm{INDr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$. The challenger generates a public key pk $= (\mathbf{a}, \mathbf{b}) = (\mathbf{a}, \mathbf{a}\cdot s + \mathbf{e})$ honestly, sends it to the adversary $\mathcal{A}$, and receives back a randomized public key pk$' = (\mathbf{a}\cdot g + \mathbf{e}_1, \mathbf{b}\cdot g + \mathbf{e}_2)$, the randomness used to generate pk$'$, and two messages $p_0, p_1 \in R_q$. The challenger first checks whether pk$'$ is generated from the given randomness. If not, the challenger returns $\bot$. Otherwise, he samples $b \xleftarrow{\$} \{0,1\}$, encrypts the message $p_b$ as $(\mathbf{c}_1, \mathbf{c}_2) = (\mathbf{a}'\cdot g' + \mathbf{e}'_1,\ \mathbf{b}'\cdot g' + \mathbf{e}'_2 + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p_b))$ and sends $(\mathbf{c}_1, \mathbf{c}_2)$ to $\mathcal{A}$, who then outputs $b' \in \{0,1\}$. The game outputs 1 if $b' = b$ and 0 otherwise. By assumption, $\mathcal{A}$ has advantage $\epsilon$ in this game.

Game $G_1$: In this game, we make a slight modification to $G_0$: the public key pk is replaced with a truly random pair $\widetilde{\mathrm{pk}} = (\widetilde{\mathbf{a}}, \widetilde{\mathbf{b}})$. By the $\mathrm{RLWE}_{n,q,\ell,\chi}$ assumption, the adversary cannot distinguish pk $= (\mathbf{a}, \mathbf{b})$ from uniform. It follows that $G_1$ is indistinguishable from $G_0$. We additionally remark that pk$'$ obtained by randomizing $\widetilde{\mathrm{pk}}$ is indistinguishable from random by the same assumption.

Game $G_2$: In this game, we modify $G_1$ as follows: instead of generating $(\mathbf{c}_1, \mathbf{c}_2)$ faithfully using the randomized public key pk$'$, we generate the ciphertext as $(\widetilde{\mathbf{a}}'\cdot g' + \mathbf{e}'_1,\ \widetilde{\mathbf{b}}'\cdot g' + \mathbf{e}'_2 + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p_b))$, where $\widetilde{\mathrm{pk}}' = (\widetilde{\mathbf{a}}', \widetilde{\mathbf{b}}')$ is uniformly chosen over $R_q^\ell \times R_q^\ell$. Since pk$'$ obtained by randomizing $\widetilde{\mathrm{pk}}$ is indistinguishable from random, this modification is indistinguishable to the adversary $\mathcal{A}$.

Game $G_3$: In this game, we generate $(\mathbf{c}_1, \mathbf{c}_2)$ as $(\mathbf{z}_1,\ \mathbf{z}_2 + \lfloor q/3\rfloor\cdot\mathsf{rdec}(p_b))$, where $(\mathbf{z}_1, \mathbf{z}_2) \in R_q^\ell \times R_q^\ell$ are uniformly random. The assumed hardness of the $\mathrm{RLWE}_{n,q,\ell,\chi}$ problem implies that $G_2$ and $G_3$ are computationally indistinguishable.

Game $G_4$: In this game, we make a conceptual modification to $G_3$. Namely, we sample uniformly random $\mathbf{z}'_1 \in R_q^\ell$ and $\mathbf{z}'_2 \in R_q^\ell$ and let $(\mathbf{c}_1, \mathbf{c}_2) = (\mathbf{z}'_1, \mathbf{z}'_2)$. It is clear that $G_3$ and $G_4$ are statistically indistinguishable. Moreover, since $G_4$ no longer depends on the challenger's bit $b$, the advantage of $\mathcal{A}$ in this game is 0.

It follows from the above sequence of games that the advantage $\epsilon$ of the adversary $\mathcal{A}$ is negligible. This concludes the proof.

Lemma 4.
The key-oblivious encryption scheme described in Section 3.1 is key private under key randomization, as defined in Section 2.7, under the $\mathrm{RLWE}_{n,q,\ell,\chi}$ assumption.

Proof. The proof of Lemma 4 is similar to that of Lemma 3, so we only sketch it. As in Lemma 3, we construct a sequence of indistinguishable games $G_0, G_1, G_2, G_3$ such that $\mathrm{Adv}_{\mathcal{A}}(G_0) = \mathrm{Adv}^{\mathrm{KPr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$ and $\mathrm{Adv}_{\mathcal{A}}(G_3) = 0$. Game $G_0$ is the experiment $\mathrm{Exp}^{\mathrm{KPr}}_{\mathrm{KOE},\mathcal{A}}(\lambda)$. Game $G_1$ modifies $G_0$ by replacing the public key pk$_0$ with a truly random pair $\widetilde{\mathrm{pk}}_0$, while Game $G_2$ modifies $G_1$ by replacing the public key pk$_1$ with another independent random pair $\widetilde{\mathrm{pk}}_1$. By the hardness of the $\mathrm{RLWE}_{n,q,\ell,\chi}$ problem, these two modifications are indistinguishable to any PPT adversary. In Game $G_3$, we further modify $G_2$ by generating the ciphertext $(\mathbf{c}_1, \mathbf{c}_2)$ using $\widetilde{\mathrm{pk}}'$ chosen uniformly over $R_q^\ell \times R_q^\ell$, as in Lemma 3. By the same argument, this change is unnoticeable to any PPT adversary. Furthermore, since $G_3$ no longer depends on the challenger's bit $b$, the advantage of the adversary in this game is 0. This ends the sketch.

4 Handling Quadratically Hidden RLWE Relations
In Section 4.1, we extend the refined permuting technique recalled in Section 2.5 to prove that a secret integer $y$ is the product of two secret integers $a \in \{-1,0,1\}$ and $g \in \{-1,0,1\}$. We then describe our zero-knowledge protocol for handling quadratic relations in the RLWE setting in Section 4.2. Specifically, we demonstrate how to prove in zero-knowledge that a given vector $\mathbf{c}$ is a correct RLWE evaluation, i.e., $\mathbf{c} = \mathbf{a}\cdot g + \mathbf{e}$, where the hidden vectors $\mathbf{a}, \mathbf{e}$ and element $g$ may satisfy additional conditions. The protocol is developed based on Libert et al.'s work [29] on quadratic relations in the general lattice setting.

Proving that $y = a\cdot g$. For any $a, g \in \{-1,0,1\}$, define the vector $\mathsf{mult}(a,g) \in \{-1,0,1\}^9$ as
\[
\mathsf{mult}(a,g) = \big([a+1]_3\cdot[g+1]_3,\ [a]_3\cdot[g+1]_3,\ [a-1]_3\cdot[g+1]_3,\ [a+1]_3\cdot[g]_3,\ [a]_3\cdot[g]_3,\ [a-1]_3\cdot[g]_3,\ [a+1]_3\cdot[g-1]_3,\ [a]_3\cdot[g-1]_3,\ [a-1]_3\cdot[g-1]_3\big)^\top.
\]
Note that its middle coordinate $[a]_3\cdot[g]_3$ is exactly $y = a\cdot g$. Then for any $b, e \in \{-1,0,1\}$, we define the permutation $\phi_{b,e}(\cdot)$ that acts as follows. It maps a vector
\[
\mathbf{v} = \big(v^{(-1,-1)}, v^{(0,-1)}, v^{(1,-1)}, v^{(-1,0)}, v^{(0,0)}, v^{(1,0)}, v^{(-1,1)}, v^{(0,1)}, v^{(1,1)}\big)^\top \in \mathbb{Z}^9
\]
to
\[
\phi_{b,e}(\mathbf{v}) = \big(v^{([-b-1]_3,[-e-1]_3)}, v^{([-b]_3,[-e-1]_3)}, v^{([-b+1]_3,[-e-1]_3)}, v^{([-b-1]_3,[-e]_3)}, v^{([-b]_3,[-e]_3)}, v^{([-b+1]_3,[-e]_3)}, v^{([-b-1]_3,[-e+1]_3)}, v^{([-b]_3,[-e+1]_3)}, v^{([-b+1]_3,[-e+1]_3)}\big)^\top.
\]
Then for any $a, b, g, e \in \{-1,0,1\}$, one can check that the following equivalence is satisfied:
\[
\mathbf{v} = \mathsf{mult}(a,g) \iff \phi_{b,e}(\mathbf{v}) = \mathsf{mult}([a+b]_3, [g+e]_3). \tag{10}
\]
The equivalence in (10) is essential to proving knowledge of such a secret integer $y$ in the framework of Stern's protocol. We first extend $y$ to the vector $\mathbf{v} = \mathsf{mult}(a,g)$, sample uniform $b \in \{-1,0,1\}$ and $e \in \{-1,0,1\}$, and then demonstrate to the verifier that $\phi_{b,e}(\mathbf{v}) = \mathsf{mult}([a+b]_3, [g+e]_3)$.
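The quadratic gadget as an added Python example (written for this page, not taken from the paper): it implements $\mathsf{mult}(a,g)$, $\phi_{b,e}$ and the block permutation $\Phi_{\mathbf{b},\mathbf{e}}$ that the next paragraph defines for expansion vectors, checks (10) in both directions over all $3^9$ vectors, checks (11) on a random expansion instance whose sizes $n = 2$, $\ell = 1$, $\delta_B = 2$ are constructed here, and shows why the pad $b$ has to be uniform over $\{-1,0,1\}$ rather than over $\{0,1\}$. Block orderings follow the definitions on this page and are restated in the comments.

```python
"""Quadratic gadget of Section 4.1: mult(a,g), phi_{b,e} and the block permutation Phi_{b,e}.
Added example, not the paper's code. A 9-vector is indexed by (i,j) in {-1,0,1}^2 with j
outermost and i innermost, as on the page; the expansion sizes in check_eq11 are constructed."""
import itertools
import random

T = (-1, 0, 1)

def mod3(x):
    """Centred reduction modulo 3, the [x]_3 notation."""
    r = x % 3
    return r - 3 if r == 2 else r

def mult(a, g):
    """mult(a,g): position (i,j) holds [a-i]_3 * [g-j]_3; the middle entry (index 4) is a*g itself."""
    return tuple(mod3(a - i) * mod3(g - j) for j in T for i in T)

def phi(b, e, v):
    """phi_{b,e}(v): output position (i,j) receives v^([i-b]_3, [j-e]_3), stored at index 3(j+1)+(i+1)."""
    return tuple(v[3 * (mod3(j - e) + 1) + (mod3(i - b) + 1)] for j in T for i in T)

def check_eq10():
    """Equivalence (10) in both directions over all 3^9 vectors and all a, g, b, e."""
    image = {mult(a, g) for a in T for g in T}
    forward = all(phi(b, e, mult(a, g)) == mult(mod3(a + b), mod3(g + e))
                  for a in T for g in T for b in T for e in T)
    # phi_{b,e} is a coordinate permutation, so it maps well-formed vectors to well-formed
    # ones and everything else to non-well-formed ones: this is the converse direction of (10).
    backward = all((v in image) == (phi(b, e, v) in image)
                   for v in itertools.product(T, repeat=9) for b in T for e in T)
    return forward and backward

def mult_vec(a, g, n):
    """mult(a, g) for a in {-1,0,1}^(n*ell) and g in {-1,0,1}^(n*delta): blocks mult(a_i, g_{j,k})
    ordered with j (coefficient of g) outermost, then i (entry of a), then the digit k innermost."""
    d = len(g) // n
    return tuple(x for j in range(n) for ai in a for k in range(d) for x in mult(ai, g[j * d + k]))

def Phi(b, e, v, n):
    """Phi_{b,e}: apply phi_{b_i, e_{j,k}} to the block of v that holds mult(a_i, g_{j,k})."""
    d, out, p = len(e) // n, [], 0
    for j in range(n):
        for bi in b:
            for k in range(d):
                out.extend(phi(bi, e[j * d + k], v[p:p + 9]))
                p += 9
    return tuple(out)

def check_eq11(n=2, ell=1, d=2, seed=1):
    """Forward direction of (11) on a random expansion instance (d plays the role of delta_B)."""
    rnd = random.Random(seed)
    a, g = [rnd.choice(T) for _ in range(n * ell)], [rnd.choice(T) for _ in range(n * d)]
    b, e = [rnd.choice(T) for _ in range(n * ell)], [rnd.choice(T) for _ in range(n * d)]
    ab = [mod3(x + y) for x, y in zip(a, b)]
    ge = [mod3(x + y) for x, y in zip(g, e)]
    return Phi(b, e, mult_vec(a, g, n), n) == mult_vec(ab, ge, n)

def mask_hides(domain):
    """[a+b]_3 is independent of a only if the pad b is uniform over all of {-1,0,1}:
    with b restricted to {0,1} the masked value still leaks information about a."""
    return all({mod3(a + b) for b in domain} == set(T) for a in T)
```

The last function is the practitioner's caveat: a pad $b$ drawn only from $\{0,1\}$ makes $[a+b]_3$ biased (for $a = -1$ it never equals $1$), so the permuted vector would leak the hidden factor; both pads must be uniform over $\{-1,0,1\}$ as stated in the text.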
By the equivalence in (10), the verifier is convinced of the well-formedness of $y$, and no extra information is revealed to him: since $b$ and $e$ are uniform over $\{-1,0,1\}$, so are $[a+b]_3$ and $[g+e]_3$ (a pad $b$ restricted to $\{0,1\}$ would not hide $a$). Furthermore, the technique is extendable: the same "one-time pads" $b$ and $e$ can be used at all places where $a$ and $g$ appear, respectively.

Now we generalize the above technique to prove knowledge of a vector of the following expansion form. We aim to obtain an equivalence similar to (10), which is useful in Stern's framework.

Handling an expansion vector. We now tackle an expansion vector $\mathbf{y} = \mathsf{expd}(\mathbf{a}, \mathbf{g})$ of the form $\mathbf{y} = (\mathbf{y}_0 \,\|\, \cdots \,\|\, \mathbf{y}_{n-1}) \in \{-1,0,1\}^{n^2\ell\delta_B}$, where
\[
\mathbf{y}_i = \big(a_1\cdot g_{i,1}, \ldots, a_1\cdot g_{i,\delta_B}, \ldots, a_{n\ell}\cdot g_{i,1}, \ldots, a_{n\ell}\cdot g_{i,\delta_B}\big),
\]
$\mathbf{g} \in \{-1,0,1\}^{n\delta_B}$ is of the form $\mathbf{g} = (g_{0,1}, g_{0,2}, \ldots, g_{0,\delta_B}, \ldots, g_{n-1,1}, g_{n-1,2}, \ldots, g_{n-1,\delta_B})^\top$, and $\mathbf{a} = (a_1, \ldots, a_{n\ell})^\top \in \{-1,0,1\}^{n\ell}$, for some positive integers $n, \ell, \delta_B$. Writing $\mathbf{y} = (a_i\cdot g_{j,k})_{i\in[n\ell],\, j\in[0,n-1],\, k\in[\delta_B]}$, we define the extension of the expansion vector $\mathbf{y}$ as
\[
\mathsf{mult}(\mathbf{a}, \mathbf{g}) = \big(\mathsf{mult}(a_i, g_{j,k})\big)_{i\in[n\ell],\, j\in[0,n-1],\, k\in[\delta_B]} \in \{-1,0,1\}^{9n^2\ell\delta_B}.
\]
For $\mathbf{e} = (e_{0,1}, e_{0,2}, \ldots, e_{0,\delta_B}, \ldots, e_{n-1,1}, e_{n-1,2}, \ldots, e_{n-1,\delta_B})^\top \in \{-1,0,1\}^{n\delta_B}$ and $\mathbf{b} = (b_1, \ldots, b_{n\ell})^\top \in \{-1,0,1\}^{n\ell}$, we define the permutation $\Phi_{\mathbf{b},\mathbf{e}}(\cdot)$ that behaves as follows. It maps a vector $\mathbf{v} \in \mathbb{Z}^{9n^2\ell\delta_B}$ of the form
\[
\big(\mathbf{v}_{1,0,1} \,\|\, \cdots \,\|\, \mathbf{v}_{1,0,\delta_B} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,0,1} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,0,\delta_B} \,\|\, \mathbf{v}_{1,1,1} \,\|\, \cdots \,\|\, \mathbf{v}_{1,1,\delta_B} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,1,1} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,1,\delta_B} \,\|\, \cdots \,\|\, \mathbf{v}_{1,n-1,1} \,\|\, \cdots \,\|\, \mathbf{v}_{1,n-1,\delta_B} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,n-1,1} \,\|\, \cdots \,\|\, \mathbf{v}_{n\ell,n-1,\delta_B}\big),
\]
which consists of blocks $\mathbf{v}_{i,j,k}$ of size 9, to the vector $\Phi_{\mathbf{b},\mathbf{e}}(\mathbf{v})$ obtained by replacing each block $\mathbf{v}_{i,j,k}$ by $\phi_{b_i, e_{j,k}}(\mathbf{v}_{i,j,k})$, i.e.
\[
\big(\phi_{b_1,e_{0,1}}(\mathbf{v}_{1,0,1}) \,\|\, \cdots \,\|\, \phi_{b_1,e_{0,\delta_B}}(\mathbf{v}_{1,0,\delta_B}) \,\|\, \cdots \,\|\, \phi_{b_{n\ell},e_{0,1}}(\mathbf{v}_{n\ell,0,1}) \,\|\, \cdots \,\|\, \phi_{b_{n\ell},e_{0,\delta_B}}(\mathbf{v}_{n\ell,0,\delta_B}) \,\|\, \cdots \,\|\, \phi_{b_1,e_{n-1,1}}(\mathbf{v}_{1,n-1,1}) \,\|\, \cdots \,\|\, \phi_{b_{n\ell},e_{n-1,\delta_B}}(\mathbf{v}_{n\ell,n-1,\delta_B})\big).
\]
For any $\mathbf{a}, \mathbf{b} \in \{-1,0,1\}^{n\ell}$ and any $\mathbf{g}, \mathbf{e} \in \{-1,0,1\}^{n\delta_B}$, it then follows from (10) that the following equivalence holds:
\[
\mathbf{v} = \mathsf{mult}(\mathbf{a}, \mathbf{g}) \iff \Phi_{\mathbf{b},\mathbf{e}}(\mathbf{v}) = \mathsf{mult}([\mathbf{a}+\mathbf{b}]_3, [\mathbf{g}+\mathbf{e}]_3). \tag{11}
\]

We now describe our statistical
ZKAoK protocol for the RLWE relation with a hidden vector. Let $q, \ell, B$ be integers and $R, R_q$ be the two rings specified in Section 3.1. Our goal is to design a ZK argument system that allows a prover $\mathcal{P}$ to convince a verifier $\mathcal{V}$, on input $\mathbf{c} \in R_q^\ell$, that $\mathcal{P}$ knows secrets $\mathbf{a} \in R_q^\ell$, $g \in R_q$ and $\mathbf{e} \in R_q^\ell$ such that $g$ and $\mathbf{e}$ are $B$-bounded and
\[
\mathbf{c} = \mathbf{a}\cdot g + \mathbf{e}. \tag{12}
\]
Furthermore, this protocol should be extendable so that we can also prove that the secrets $\mathbf{a}, g, \mathbf{e}$ satisfy other relations. As in Section 2.6, we aim to obtain an instance of the abstract protocol from Section 2.4.

Decomposing-Unifying. To start with, we again employ the notations $\mathsf{rot}$ and $\tau$ from Section 2.1 and the decomposition techniques from Section 2.2 to transform equation (12) into $\mathbf{M}\cdot\mathbf{w} = \mathbf{u} \bmod q$, where $\mathbf{M}, \mathbf{u}$ are built from the public input and the vector $\mathbf{w}$ is built from the secret input and has coefficients in $\{-1,0,1\}$.

Let $\mathbf{a} = (a_1, a_2, \ldots, a_\ell)^\top$, $\tau(g) = (g_0, \ldots, g_{n-1})^\top$, $\mathbf{a}^\star_i = \tau(\mathsf{rdec}(a_i)) \in \{-1,0,1\}^{n\ell}$ for all $i \in [\ell]$, and $\mathbf{g}^\star = \tau(\mathsf{rdec}_B(g)) \in \{-1,0,1\}^{n\delta_B}$. Write $\mathbf{a}^\star_i = (a_{i,1}, a_{i,2}, \ldots, a_{i,n\ell})^\top$ for all $i \in [\ell]$ and $\mathbf{g}^\star = (g_{0,1}, \ldots, g_{0,\delta_B}, \ldots, g_{n-1,1}, \ldots, g_{n-1,\delta_B})^\top$. We then have
\[
\tau(a_i\cdot g) = \mathsf{rot}(a_i)\cdot\tau(g) = [\tau(a_i)\,|\,\tau(a_i\cdot X)\,|\,\cdots\,|\,\tau(a_i\cdot X^{n-1})]\cdot\tau(g)
= \sum_{j=0}^{n-1}\tau(a_i\cdot X^j)\cdot g_j = \sum_{j=0}^{n-1}\mathsf{rot}(X^j)\cdot\tau(a_i)\cdot g_j
= \sum_{j=0}^{n-1}\mathsf{rot}(X^j)\cdot\mathbf{H}\cdot\mathbf{a}^\star_i\cdot g_j
= \sum_{j=0}^{n-1}\mathsf{rot}(X^j)\cdot\mathbf{H}\cdot(a_{i,1}\cdot g_j, \ldots, a_{i,n\ell}\cdot g_j)^\top \bmod q.
\]
Observe that, for each $k \in [n\ell]$, we have
\[
a_{i,k}\cdot g_j = a_{i,k}\cdot(B_1, \ldots, B_{\delta_B})\cdot(g_{j,1}, \ldots, g_{j,\delta_B})^\top = (B_1, \ldots, B_{\delta_B})\cdot(a_{i,k}\cdot g_{j,1}, \ldots, a_{i,k}\cdot g_{j,\delta_B})^\top.
\]
Denote by $\mathbf{y}_{i,j} \in \{-1,0,1\}^{n\ell\delta_B}$ the vector
\[
\mathbf{y}_{i,j} = \big(a_{i,1}\cdot g_{j,1}, \ldots, a_{i,1}\cdot g_{j,\delta_B}, \ldots, a_{i,n\ell}\cdot g_{j,1}, \ldots, a_{i,n\ell}\cdot g_{j,\delta_B}\big)^\top;
\]
we then obtain $(a_{i,1}\cdot g_j, \ldots, a_{i,n\ell}\cdot g_j)^\top = \mathbf{H}_{\ell,B}\cdot\mathbf{y}_{i,j} \bmod q$. Define $\mathbf{Q}_0 \in \mathbb{Z}_q^{n\times n^2\ell\delta_B}$ as
\[
\mathbf{Q}_0 = \big[\mathsf{rot}(X^0)\cdot\mathbf{H}\cdot\mathbf{H}_{\ell,B}\ \big|\ \cdots\ \big|\ \mathsf{rot}(X^{n-1})\cdot\mathbf{H}\cdot\mathbf{H}_{\ell,B}\big].
\]
Let $\mathbf{y}_i = (\mathbf{y}_{i,0}\,\|\,\cdots\,\|\,\mathbf{y}_{i,n-1}) = \mathsf{expd}(\mathbf{a}^\star_i, \mathbf{g}^\star) \in \{-1,0,1\}^{n^2\ell\delta_B}$; we then obtain $\tau(a_i\cdot g) = \mathbf{Q}_0\cdot\mathbf{y}_i \bmod q$. Let $\mathbf{e}^\star = \tau(\mathsf{rdec}_B(\mathbf{e})) \in \{-1,0,1\}^{n\ell\delta_B}$ and let $\mathbf{Q} = \mathrm{diag}(\mathbf{Q}_0, \ldots, \mathbf{Q}_0) \in \mathbb{Z}_q^{n\ell\times n^2\ell^2\delta_B}$ be the block-diagonal matrix with $\ell$ copies of $\mathbf{Q}_0$. Now equation (12) is equivalent to
\[
\tau(\mathbf{c}) = \big(\tau(a_1\cdot g), \ldots, \tau(a_\ell\cdot g)\big)^\top + \tau(\mathbf{e}) = \mathbf{Q}\cdot(\mathbf{y}_1\,\|\,\cdots\,\|\,\mathbf{y}_\ell) + \mathbf{H}_{\ell,B}\cdot\mathbf{e}^\star \bmod q.
\]
Rearranging the above equivalent form using basic algebra, we obtain a unifying equation of the form
\[
\mathbf{M}\cdot\mathbf{w} = \mathbf{u} \bmod q,
\]
where $\mathbf{M} = [\mathbf{Q}\,|\,\mathbf{H}_{\ell,B}]$ is built from the public matrices $\mathbf{Q}$ and $\mathbf{H}_{\ell,B}$, $\mathbf{u}$ is the vector $\tau(\mathbf{c})$, and $\mathbf{w} = (\mathbf{y}_1\,\|\,\cdots\,\|\,\mathbf{y}_\ell\,\|\,\mathbf{e}^\star) \in \{-1,0,1\}^{n^2\ell^2\delta_B + n\ell\delta_B}$.
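To make the scheme of Section 3.1 and the linearisation above concrete, here is an added Python example (not the paper's code). The toy parameters $n = 8$, $q = 12289$, $B = 2$ are constructed only so that the worst-case noise bound $2n^2B^3 + 2nB^2 + B$ stays below $\lfloor q/3\rfloor/2$; they provide no security. The ternary decomposition with weights $B_j = \lfloor (B + 2^{j-1})/2^j \rfloor$ is assumed here to be the one behind $\mathsf{rdec}$ and the matrices $\mathbf{H}$, $\mathbf{H}_{\ell,B}$ of Section 2.2. The script implements the ring $R_q$, the five KOE algorithms with KeyRand taking explicit randomness so that the INDr/KPr check pk$' = $ KeyRand(pk, $r$) can be re-run, and finally checks $\tau(a_i\cdot g) = \mathbf{Q}_0\cdot\mathsf{expd}(\mathbf{a}^\star_i, \mathbf{g}^\star) \bmod q$ on a random instance by applying $\mathbf{Q}_0$ block by block instead of materialising it.

```python
"""Toy instance of the RLWE KOE scheme of Section 3.1 and of the linearisation
tau(a_i*g) = Q_0 * expd(a_i*, g*) (mod q) of Section 4.2. Added example, not the paper's
code; the parameters are constructed for the demonstration and provide no security."""
import random

N, Q, B = 8, 12289, 2          # R_q = Z_q[X]/(X^N + 1); chi = uniform on [-B, B]
HALF = (Q - 1) // 2            # coefficients are kept centred in [-HALF, HALF]

def cmod(x):                   # centred representative of x modulo q
    x %= Q
    return x - Q if x > HALF else x

def add(a, b): return [cmod(x + y) for x, y in zip(a, b)]
def sub(a, b): return [cmod(x - y) for x, y in zip(a, b)]
def small(): return [random.randint(-B, B) for _ in range(N)]          # a sample from chi
def uniform(): return [cmod(random.randrange(Q)) for _ in range(N)]    # uniform in R_q

def mul(a, b):
    """Product in R_q: negacyclic convolution, since X^N = -1."""
    r = [0] * N
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < N:
                r[i + j] += x * y
            else:
                r[i + j - N] -= x * y
    return [cmod(x) for x in r]

def dec_seq(bound):
    """Weights B_j = floor((bound + 2^(j-1)) / 2^j), j = 1..floor(log bound)+1 (assumed to be the
    Section 2.2 decomposition): every v in [-bound, bound] is sum_j B_j d_j with d_j in {-1,0,1}."""
    return [(bound + 2 ** (j - 1)) // 2 ** j for j in range(1, bound.bit_length() + 1)]

def idec(v, seq):
    """Greedy ternary decomposition of one integer against the weights seq."""
    sign, v, out = (-1 if v < 0 else 1), abs(v), []
    for w in seq:
        out.append(sign if v >= w else 0)
        v -= w if v >= w else 0
    return out

def rdec_vec(p, bound):
    """tau(rdec_bound(p)), coefficient-major: digit t of coefficient i sits at index i*delta + t."""
    seq = dec_seq(bound)
    return [d for c in p for d in idec(c, seq)]

def hmul(seq, vec):
    """Multiply by I ⊗ (B_1..B_delta), i.e. by H or H_{ell,B}: recombine each group of delta digits."""
    d = len(seq)
    return [cmod(sum(w * vec[i * d + t] for t, w in enumerate(seq))) for i in range(len(vec) // d)]

ELL, SEQ_Q = HALF.bit_length(), dec_seq(HALF)   # ell = floor(log((q-1)/2)) + 1 ring elements in rdec(p)

def keygen():
    s, a = small(), [uniform() for _ in range(ELL)]
    return (a, [add(mul(ai, s), small()) for ai in a]), s

def keyrand(pk, rnd=None):
    """KeyRand(pk; r), r = (g, e1, e2): deterministic in r, so a challenger can recompute it."""
    a, b = pk
    g, e1, e2 = rnd or (small(), [small() for _ in range(ELL)], [small() for _ in range(ELL)])
    return ([add(mul(ai, g), x) for ai, x in zip(a, e1)], [add(mul(bi, g), x) for bi, x in zip(b, e2)])

def enc(pk, p):
    a, b, gp, scale = pk[0], pk[1], small(), Q // 3
    vec = rdec_vec(p, HALF)       # rdec(p): ell ring elements with coefficients in {-1,0,1}
    digits = [[vec[i * ELL + t] for i in range(N)] for t in range(ELL)]
    c1 = [add(mul(ai, gp), small()) for ai in a]
    c2 = [add(add(mul(bi, gp), small()), [scale * x for x in d]) for bi, d in zip(b, digits)]
    return c1, c2

def dec(s, ct):
    c1, c2, scale = ct[0], ct[1], Q // 3
    # each coefficient of (c2 - c1*s)/floor(q/3) rounds to the nearest of -1, 0, 1 while the noise is below q/6
    rounded = [[max(-1, min(1, round(x / scale))) for x in sub(c2i, mul(c1i, s))] for c1i, c2i in zip(c1, c2)]
    return hmul(SEQ_Q, [rounded[t][i] for i in range(N) for t in range(ELL)])

def koe_roundtrip(seed=0):
    """Correctness of Section 2.7: Dec(sk, Enc(KeyRand(pk), p)) == p, with KeyRand reproducible from r."""
    random.seed(seed)
    pk, sk = keygen()
    rnd = (small(), [small() for _ in range(ELL)], [small() for _ in range(ELL)])
    pk1, p = keyrand(pk, rnd), uniform()
    return dec(sk, enc(pk1, p)) == p and keyrand(pk, rnd) == pk1

def expd(a_star, g_star):
    """expd(a*, g*) = (y_0 || ... || y_{N-1}), y_j = (a*_k * g_{j,t})_{k in [N*ell], t in [delta_B]}."""
    d = len(g_star) // N
    return [ak * g_star[j * d + t] for j in range(N) for ak in a_star for t in range(d)]

def q0_apply(y):
    """Q_0 * y for Q_0 = [rot(X^0) H H_{ell,B} | ... | rot(X^(N-1)) H H_{ell,B}], applied block by block:
    H_{ell,B} recombines the delta_B digits, H the ell q-digits, rot(X^j) multiplies by X^j."""
    seq_b = dec_seq(B)
    blk, acc = N * ELL * len(seq_b), [0] * N
    for j in range(N):
        coeffs = hmul(SEQ_Q, hmul(seq_b, y[j * blk:(j + 1) * blk]))   # = tau(g_j * a_i) mod q
        acc = add(acc, mul([int(k == j) for k in range(N)], coeffs))
    return acc

def linearisation_holds(seed=0):
    """tau(a_i*g) == Q_0 * expd(a_i*, g*) (mod q) for a random a_i in R_q and B-bounded g."""
    random.seed(seed)
    a_i, g = uniform(), small()
    return q0_apply(expd(rdec_vec(a_i, HALF), rdec_vec(g, B))) == mul(a_i, g)
```

The decryption threshold is the point to watch when choosing real parameters: with $\lfloor q/3\rfloor$ as the scaling factor, every coefficient of the accumulated noise must stay below $\lfloor q/3\rfloor/2$, otherwise a ternary digit of $\mathsf{rdec}(p)$ rounds to a neighbour and the whole coefficient of $p$ is corrupted.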
In this second step, we aim to transform the secret w to a vector w such that it satisfies the requirements specified by the abstractprotocol from section 2.4. In the process, the techniques introduced in Section 2.5and 4.1 are utilized.We first extend w = ( y k · · · k y ℓ k e ⋆ ) as follows. y i y ′ i = mult (cid:0) a ⋆i , g ⋆ (cid:1) ∈ {− , , } n ℓδ B , i ∈ [ ℓ ]; e ⋆ e ′ ⋆ = enc ( e ⋆ ) ∈ {− , , } L . Notice that for each i ∈ [ ℓ ], we have y i = expd ( a ⋆i , g ⋆ ). We then form vector w = ( y ′ k · · · k y ′ ℓ k e ′ ⋆ ) ∈ {− , , } L , where L = L + L ; L = 9 n ℓ δ B ; L = 3 nℓδ B . According to the extension, we insert appropriate zero-columns to matrix M ,obtaining a new matrix M ∈ Z nℓ × Lq such that the equation M · w = M · w holds.We now define the set VALID that includes our secret vector w , the set S ,and the associated permutations { Γ η : η ∈ S} , such that the conditions in (1)are satisfied.Let VALID be the set of all vectors v ′ = ( v ′ k · · · k v ′ ℓ k v ′ ℓ +1 ) ∈ {− , , } L suchthat the following conditions hold: – There exist a ⋆i ∈ {− , , } nℓ for each i ∈ [ ℓ ] and g ⋆ ∈ {− , , } nδ B suchthat v ′ i = mult ( a ⋆i , g ⋆ ). – There exists e ⋆ ∈ {− , , } nℓδ B such that v ′ ℓ +1 = enc ( e ⋆ ).It is easy to see that the obtained vector w belongs to the set VALID .Now let S = ( {− , , } nℓ ) ℓ × {− , , } nδ B × {− , , } nℓδ B , and associateevery element η = ( b , . . . , b ℓ , f , f ) ∈ S with permutation Γ η that behaves as27ollows. For a vector of the form v = ( v k · · · k v ℓ k v ℓ +1 ) ∈ Z L , where v i ∈ Z n ℓδ B for each i ∈ [ ℓ ] and v ℓ +1 ∈ Z L , it transforms v into vector Γ η ( v ) = (cid:0) Φ b , f ( v ) k · · · k Φ b ℓ , f ( v ℓ ) k Π f ( v ℓ +1 ) (cid:1) . It then follows from the equivalences in (4) and (11) that
VALID , S , and Γ η fulfillthe requirements specified in (1). Therefore, we have transformed the consideredstatement to a case of the abstract protocol from Section 2.4. To obtain thedesired statistical ZKAoK protocol, it suffices for the prover and verifier to run theinteractive protocol described in Figure 1. The protocol has perfect completeness,soundness error 2 / O ( L · log q ), which is of order O ( n · log n ) = e O ( λ ). In this section, we construct our
ATS scheme based on: (i) The Ducas-Miccianciosignature scheme (as recalled in Section 2.3); (ii) The
KOE scheme described inSection 3; and (iii) Stern-like zero-knowledge argument system that underlies our
ATS construction, which is obtained by smoothly combining previous techniquesas recalled in Section 2.6 and ours as described in Section 4.2.
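The linearization $\tau(a_i \cdot g) = Q_0 \cdot \mathsf{expd}(\mathbf{a}^\star_i, \mathbf{g}^\star) \bmod q$ of Section 4.2 is the step that equation (16) of Section 5.1 reuses. The script below is an added toy instance written for this page, not code from the paper: it implements the negacyclic ring $R_q$, $\mathsf{rot}$, a greedy ternary decomposition with the sequence $B_1, \ldots, B_{\delta_B}$ (the decomposition of Ling et al., assumed here to be the one of the paper's Section 2.2) together with the recomposition matrices $H$ and $H_{\ell,B}$, builds $Q_0$ for a small constructed parameter set ($n = 8$, $q = 3^5$, $B = 3$, which are not the paper's parameters), and checks that $Q_0 \cdot \mathbf{y}_i$ reproduces $\tau(a_i \cdot g)$. All function names and the coefficient-major digit ordering of $\mathbf{g}^\star$ are this example's own choices.

```python
# Added toy instance of the Section 4.2 linearization tau(a*g) = Q_0 * expd(a*, g*) mod q
# over R_q = Z_q[X]/(X^n + 1). Not the paper's code; parameters are constructed for illustration.
N = 8                  # ring degree n (a power of 2)
Q = 243                # modulus q = 3^5
QB = (Q - 1) // 2      # bound of centred residues; rdec uses ell = delta_QB digits
B = 3                  # bound of the small factor g; rdec_B uses delta_B digits

def centered(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= q
    return x - q if x > q // 2 else x

def poly_mul(a, g, n=N, q=Q):
    """Product in Z_q[X]/(X^n + 1); coefficient lists play the role of tau(.)."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, gj in enumerate(g):
            if i + j < n:
                res[i + j] += ai * gj
            else:
                res[i + j - n] -= ai * gj      # X^n = -1
    return [centered(x, q) for x in res]

def x_power(j, n=N):
    """tau(X^j) for 0 <= j < n."""
    v = [0] * n
    v[j] = 1
    return v

def rot(a, n=N, q=Q):
    """rot(a) = [tau(a) | tau(aX) | ... | tau(aX^{n-1})], so that rot(a) * tau(g) = tau(a*g)."""
    cols = [poly_mul(a, x_power(j, n), n, q) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def mat_vec(M, v, q=Q):
    return [centered(sum(m * x for m, x in zip(row, v)), q) for row in M]

def mat_mul(A, M, q=Q):
    cols = list(zip(*M))
    return [[centered(sum(x * y for x, y in zip(row, col)), q) for col in cols] for row in A]

def bseq(bound):
    """B_1..B_delta with B_j = floor((bound + 2^(j-1)) / 2^j), delta = floor(log2 bound) + 1;
    the B_j sum to bound (assumed to match the decomposition of the paper's Section 2.2)."""
    return [(bound + (1 << (j - 1))) >> j for j in range(1, bound.bit_length() + 1)]

def idec(v, bound):
    """Greedy decomposition of an integer |v| <= bound into delta digits in {-1,0,1}."""
    sign, r, digits = (-1 if v < 0 else 1), abs(v), []
    for bj in bseq(bound):
        if r >= bj:
            digits.append(sign)
            r -= bj
        else:
            digits.append(0)
    assert r == 0
    return digits

def dec_vec(v, bound):
    """tau(rdec_bound(.)): digits of coefficient 0, then of coefficient 1, ... (ordering of g* above)."""
    return [d for x in v for d in idec(x, bound)]

def h_mat(m, bound):
    """H_{m,bound} = I_m (x) [B_1 ... B_delta], so that h_mat(m, b) * dec_vec(v, b) = v."""
    bs = bseq(bound)
    d = len(bs)
    return [[bs[c - r * d] if r * d <= c < (r + 1) * d else 0 for c in range(m * d)] for r in range(m)]

def expd(a_star, g_star, delta_b):
    """expd(a*, g*): block j holds (a*_k * g*_{j,t}) over k, t; every entry is in {-1,0,1}."""
    n = len(g_star) // delta_b
    return [a_star[k] * g_star[j * delta_b + t]
            for j in range(n) for k in range(len(a_star)) for t in range(delta_b)]

def public_matrix(n=N, q=Q, bound=B):
    """Q_0 = [rot(X^0) H H_{ell,B} | ... | rot(X^{n-1}) H H_{ell,B}] in Z_q^{n x n^2 ell delta_B}."""
    ell = len(bseq(QB))
    H = h_mat(n, QB)                 # n x n*ell: recomposes tau(a) from a*
    H_lB = h_mat(n * ell, bound)     # n*ell x n*ell*delta_B: recomposes (a*_k g_j)_k from y_{i,j}
    blocks = [mat_mul(mat_mul(rot(x_power(j, n), n, q), H, q), H_lB, q) for j in range(n)]
    return [sum((blk[r] for blk in blocks), []) for r in range(n)]

def check_instance(a, g):
    """Return (tau(a*g), Q_0 * expd(a*, g*)) for a in R_q and |g|_inf <= B; the two must agree."""
    a = [centered(x) for x in a]
    a_star = dec_vec(a, QB)
    g_star = dec_vec(g, B)
    y = expd(a_star, g_star, len(bseq(B)))
    return poly_mul(a, g), mat_vec(public_matrix(), y)
```

With $n = 8$ and $q = 243$ one gets $\ell = 7$ and $\delta_B = 2$, so $Q_0$ has $n^2 \ell \delta_B = 896$ columns and the witness $\mathbf{y}_i$ is a ternary vector of that length; `check_instance(a, g)` returns the direct product and the linearized product, which coincide coefficient by coefficient.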
Before describing our accountable tracing signature scheme in Section 5.2, let us first present the statistical ZKAoK that will be invoked by the signer when generating group signatures. Let $n, q, k, \ell, m, \bar{m}, m_s, d, c_1, \ldots, c_d, \beta, B$ be the parameters specified in Section 5.2. The protocol is summarized as follows.
– The public input consists of $A, F_0 \in R_q^{1 \times m}$; $A[0], \ldots, A[d] \in R_q^{1 \times k}$; $F \in R_q^{1 \times \ell}$; $F_1 \in R_q^{1 \times \bar{m}_s}$; $u \in R_q$; $B \in R_q^{1 \times m}$; $\mathbf{c}_{1,1}, \mathbf{c}_{1,2} \in R_q^{\ell}$; $\mathbf{c}_{2,1}, \mathbf{c}_{2,2} \in R_q^{\ell}$.
– The secret input of the prover consists of the message $\mathbf{m} = (p \| \mathbf{a}'_1 \| \mathbf{b}'_1 \| \mathbf{a}'_2 \| \mathbf{b}'_2)$ and the corresponding Ducas-Micciancio signature $(t, \mathbf{r}, \mathbf{v})$, a user secret key $\mathbf{x}$ corresponding to the public key $p$, and the encryption randomness $g'_1, g'_2, \mathbf{e}'_{1,1}, \mathbf{e}'_{1,2}, \mathbf{e}'_{2,1}, \mathbf{e}'_{2,2}$, where $p \in R_q$; $\mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2 \in R_q^{\ell}$; $t = (t_0, \ldots, t_{c_1 - 1}, \ldots, t_{c_d - 1})^\top \in \{0,1\}^{c_d}$; $\mathbf{r} \in R^m$; $\mathbf{v} = (\mathbf{s} \| \mathbf{z}) \in R^{m+k}$ with $\mathbf{s} \in R^m$ and $\mathbf{z} \in R^k$; $\mathbf{x} \in R^m$; $g'_1, g'_2 \in R$; $\mathbf{e}'_{1,1}, \mathbf{e}'_{1,2}, \mathbf{e}'_{2,1}, \mathbf{e}'_{2,2} \in R^{\ell}$.
The goal of the prover is to prove in zero-knowledge that $\|\mathbf{r}\|_\infty \le \beta$, $\|\mathbf{v}\|_\infty \le \beta$, $\|\mathbf{x}\|_\infty \le 1$, $\|g'_i\|_\infty \le B$, $\|\mathbf{e}'_{i,1}\|_\infty \le B$, $\|\mathbf{e}'_{i,2}\|_\infty \le B$, and that the following conditions hold:
$$A_t \cdot \mathbf{v} = F \cdot \mathsf{rdec}(F_0 \cdot \mathbf{r} + F_1 \cdot \mathsf{rdec}(\mathbf{m})) + u, \qquad B \cdot \mathbf{x} = p,$$
$$\text{for } i \in \{1,2\}: \quad \mathbf{c}_{i,1} = \mathbf{a}'_i \cdot g'_i + \mathbf{e}'_{i,1}, \quad \mathbf{c}_{i,2} = \mathbf{b}'_i \cdot g'_i + \mathbf{e}'_{i,2} + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p). \qquad (13)$$

Since we already established the transformations for the Ducas-Micciancio signature in Section 2.6, we now focus on the transformations for the other relations. Let $\mathbf{a}'_i = (a'_{i,1}, \ldots, a'_{i,\ell})^\top$ and $\mathbf{b}'_i = (b'_{i,1}, \ldots, b'_{i,\ell})^\top$ for each $i \in \{1,2\}$. First, we apply the decomposition techniques of Section 2.2 to the following secrets.
– Let $\mathbf{x}^\star = \tau(\mathbf{x}) \in \{-1,0,1\}^{nm}$.
– For each $i \in \{1,2\}$ and each $j \in [\ell]$, compute $\mathbf{a}^\star_{i,j} = \tau(\mathsf{rdec}(a'_{i,j})) \in \{-1,0,1\}^{n\ell}$ and $\mathbf{b}^\star_{i,j} = \tau(\mathsf{rdec}(b'_{i,j})) \in \{-1,0,1\}^{n\ell}$.
– For $i \in \{1,2\}$, compute $\mathbf{g}^\star_i = \tau(\mathsf{rdec}_B(g'_i)) \in \{-1,0,1\}^{n\delta_B}$.
– For $i \in \{1,2\}$, compute $\mathbf{e}^\star_{i,1} = \tau(\mathsf{rdec}_B(\mathbf{e}'_{i,1})) \in \{-1,0,1\}^{n\ell\delta_B}$ and $\mathbf{e}^\star_{i,2} = \tau(\mathsf{rdec}_B(\mathbf{e}'_{i,2})) \in \{-1,0,1\}^{n\ell\delta_B}$.
Then the equation $B \cdot \mathbf{x} = p$ over $R_q$ is equivalent to
$$[\mathsf{rot}(B)] \cdot \mathbf{x}^\star - [H] \cdot \tau(\mathsf{rdec}(p)) = \mathbf{0}^n \bmod q. \qquad (14)$$
For each $i \in \{1,2\}$ and each $j \in [\ell]$, let
$$\mathbf{y}_{i,j} = \mathsf{expd}(\mathbf{a}^\star_{i,j}, \mathbf{g}^\star_i) \in \{-1,0,1\}^{n^2\ell\delta_B}, \qquad \mathbf{z}_{i,j} = \mathsf{expd}(\mathbf{b}^\star_{i,j}, \mathbf{g}^\star_i) \in \{-1,0,1\}^{n^2\ell\delta_B}. \qquad (15)$$
From Section 4.2, we know that the equations in (13) can be written as, for $i \in \{1,2\}$,
$$\tau(\mathbf{c}_{i,1}) = [Q] \cdot (\mathbf{y}_{i,1} \| \cdots \| \mathbf{y}_{i,\ell}) + [H_{\ell,B}] \cdot \mathbf{e}^\star_{i,1}; \qquad \tau(\mathbf{c}_{i,2}) = [Q] \cdot (\mathbf{z}_{i,1} \| \cdots \| \mathbf{z}_{i,\ell}) + [H_{\ell,B}] \cdot \mathbf{e}^\star_{i,2} + \lfloor q/\ \rfloor \cdot \tau(\mathsf{rdec}(p)). \qquad (16)$$
Following the procedure in Section 2.6, we form secret vectors $\mathbf{w}_1 \in \{-1,0,1\}^{(k\delta_\beta + c_d k\delta_\beta)n}$ and $\mathbf{w}_2 \in \{-1,0,1\}^{2nm\delta_\beta + n\ell + n\bar{m}_s}$ of the form
$$\mathbf{w}_1 = (\mathbf{z}^\star \| t_0 \cdot \mathbf{z}^\star \| \cdots \| t_{c_d - 1} \cdot \mathbf{z}^\star); \qquad \mathbf{w}_2 = (\mathbf{s}^\star \| \mathbf{r}^\star \| \tau(\mathbf{y}) \| \tau(\mathsf{rdec}(\mathbf{m}))),$$
where
$$\tau(\mathsf{rdec}(\mathbf{m})) = (\tau(\mathsf{rdec}(p)) \| \tau(\mathsf{rdec}(\mathbf{a}'_1)) \| \tau(\mathsf{rdec}(\mathbf{b}'_1)) \| \tau(\mathsf{rdec}(\mathbf{a}'_2)) \| \tau(\mathsf{rdec}(\mathbf{b}'_2))) = (\tau(\mathsf{rdec}(p)) \| \mathbf{a}^\star_{1,1} \| \cdots \| \mathbf{a}^\star_{1,\ell} \| \mathbf{b}^\star_{1,1} \| \cdots \| \mathbf{b}^\star_{1,\ell} \| \mathbf{a}^\star_{2,1} \| \cdots \| \mathbf{a}^\star_{2,\ell} \| \mathbf{b}^\star_{2,1} \| \cdots \| \mathbf{b}^\star_{2,\ell}).$$
Since $\tau(\mathsf{rdec}(p))$ has been included in $\mathbf{w}_2$, we now combine the remaining secret vectors appearing in equations (14) and (16) into $\mathbf{w}_3 \in \{-1,0,1\}^{nm + 4n\ell\delta_B}$ of the form $\mathbf{w}_3 = (\mathbf{x}^\star \| \mathbf{e}^\star_{1,1} \| \mathbf{e}^\star_{1,2} \| \mathbf{e}^\star_{2,1} \| \mathbf{e}^\star_{2,2})$ and $\mathbf{w}_4 \in \{-1,0,1\}^{4n^2\ell^2\delta_B}$ of the form
$$\mathbf{w}_4 = (\mathbf{y}_{1,1} \| \cdots \| \mathbf{y}_{1,\ell} \| \mathbf{z}_{1,1} \| \cdots \| \mathbf{z}_{1,\ell} \| \mathbf{y}_{2,1} \| \cdots \| \mathbf{y}_{2,\ell} \| \mathbf{z}_{2,1} \| \cdots \| \mathbf{z}_{2,\ell}),$$
such that for $i \in \{1,2\}$ and $j \in [\ell]$, the vectors $\mathbf{y}_{i,j}, \mathbf{z}_{i,j}$ satisfy the equations in (15).

For simplicity when defining our tailored set $\mathsf{VALID}$ and permutation $\Gamma_\eta$, we rearrange the secret vectors $\mathbf{w}_2, \mathbf{w}_3$ into a vector $\mathbf{w}_2 \in \{-1,0,1\}^{L'}$ of the form
$$\mathbf{w}_2 = (\mathbf{s}^\star \| \mathbf{r}^\star \| \tau(\mathbf{y}) \| \tau(\mathsf{rdec}(p)) \| \mathbf{x}^\star \| \mathbf{e}^\star_{1,1} \| \mathbf{e}^\star_{1,2} \| \mathbf{e}^\star_{2,1} \| \mathbf{e}^\star_{2,2})$$
and a vector $\mathbf{w}_3 \in \{-1,0,1\}^{4n\ell^2}$ of the form
$$\mathbf{w}_3 = (\mathbf{a}^\star_{1,1} \| \cdots \| \mathbf{a}^\star_{1,\ell} \| \mathbf{b}^\star_{1,1} \| \cdots \| \mathbf{b}^\star_{1,\ell} \| \mathbf{a}^\star_{2,1} \| \cdots \| \mathbf{a}^\star_{2,\ell} \| \mathbf{b}^\star_{2,1} \| \cdots \| \mathbf{b}^\star_{2,\ell}),$$
with $L' = 2nm\delta_\beta + 2n\ell + nm + 4n\ell\delta_B$. Now we form our secret vector as $\mathbf{w} = (\mathbf{w}_1 \| \mathbf{w}_2 \| \mathbf{w}_3 \| \mathbf{w}_4)$.

Second, we apply the extension and permutation techniques from Section 2.5 and Section 4.1 to our secret vectors. Let $\mathbf{w}'_1 = \mathsf{mix}(t, \mathbf{z}^\star) \in \{-1,0,1\}^{L_1}$ be the "mixing" vector obtained in equation (9), $\mathbf{w}'_2 = \mathsf{enc}(\mathbf{w}_2) \in \{-1,0,1\}^{L_2}$, $\mathbf{w}'_3 = \mathsf{enc}(\mathbf{w}_3) \in \{-1,0,1\}^{L_3}$, and $\mathbf{w}'_4 = \mathsf{Mult}(\mathbf{w}_4) \in \{-1,0,1\}^{L_4}$ be of the following form:
$$\big(\mathsf{mult}(\mathbf{a}^\star_{1,1}, \mathbf{g}^\star_1) \| \cdots \| \mathsf{mult}(\mathbf{a}^\star_{1,\ell}, \mathbf{g}^\star_1) \| \mathsf{mult}(\mathbf{b}^\star_{1,1}, \mathbf{g}^\star_1) \| \cdots \| \mathsf{mult}(\mathbf{b}^\star_{1,\ell}, \mathbf{g}^\star_1) \| \mathsf{mult}(\mathbf{a}^\star_{2,1}, \mathbf{g}^\star_2) \| \cdots \| \mathsf{mult}(\mathbf{a}^\star_{2,\ell}, \mathbf{g}^\star_2) \| \mathsf{mult}(\mathbf{b}^\star_{2,1}, \mathbf{g}^\star_2) \| \cdots \| \mathsf{mult}(\mathbf{b}^\star_{2,\ell}, \mathbf{g}^\star_2)\big),$$
where $L_1 = 3nk\delta_\beta + 6nk\delta_\beta c_d$, $L_2 = 3L'$, $L_3 = 12n\ell^2$, and $L_4 = 36n^2\ell^2\delta_B$. Denote $L = L_1 + L_2 + L_3 + L_4$ and form the extended vector $\mathbf{w}' = (\mathbf{w}'_1 \| \mathbf{w}'_2 \| \mathbf{w}'_3 \| \mathbf{w}'_4) \in \{-1,0,1\}^{L}$.

Following the process in Section 2.6 and Section 4.2, we obtain a public matrix $M$ and a public vector $\mathbf{u}$ such that the considered statement is reduced to $M \cdot \mathbf{w}' = \mathbf{u} \bmod q$. Therefore, we are ready to define the set $\mathsf{VALID}$ that contains our secret vector $\mathbf{w}'$, the set $\mathcal{S}$, and the associated permutations $\{\Gamma_\eta : \eta \in \mathcal{S}\}$, such that the conditions in (1) are satisfied. Let $\mathsf{VALID}$ be the set of all vectors $\mathbf{v}' = (\mathbf{v}'_1 \| \mathbf{v}'_2 \| \mathbf{v}'_3 \| \mathbf{v}'_4) \in \{-1,0,1\}^{L}$ such that the following requirements hold:
– $\mathbf{v}'_1 = \mathsf{mix}(t, \mathbf{z}^\star)$ for some $t \in \{0,1\}^{c_d}$ and $\mathbf{z}^\star \in \{-1,0,1\}^{nk\delta_\beta}$.
– $\mathbf{v}'_2 = \mathsf{enc}(\mathbf{w}_2)$ for some $\mathbf{w}_2 \in \{-1,0,1\}^{L'}$.
– For $j \in [4\ell]$, there exist $\mathbf{w}_{3,j} \in \{-1,0,1\}^{n\ell}$ and $\mathbf{w}_3 = (\mathbf{w}_{3,1} \| \cdots \| \mathbf{w}_{3,4\ell}) \in \{-1,0,1\}^{4n\ell^2}$ such that $\mathbf{v}'_3 = (\mathsf{enc}(\mathbf{w}_{3,1}) \| \cdots \| \mathsf{enc}(\mathbf{w}_{3,4\ell})) = \mathsf{enc}(\mathbf{w}_3)$.
– There exist $\mathbf{g}^\star_1, \mathbf{g}^\star_2 \in \{-1,0,1\}^{n\delta_B}$ and $\mathbf{w}_4 \in \{-1,0,1\}^{4n^2\ell^2\delta_B}$ of the form
$$(\mathsf{expd}(\mathbf{w}_{3,1}, \mathbf{g}^\star_1) \| \cdots \| \mathsf{expd}(\mathbf{w}_{3,2\ell}, \mathbf{g}^\star_1) \| \mathsf{expd}(\mathbf{w}_{3,2\ell+1}, \mathbf{g}^\star_2) \| \cdots \| \mathsf{expd}(\mathbf{w}_{3,4\ell}, \mathbf{g}^\star_2))$$
such that $\mathbf{v}'_4 = \mathsf{Mult}(\mathbf{w}_4)$.
It is verifiable that our secret vector $\mathbf{w}'$ belongs to $\mathsf{VALID}$.

Now let $\mathcal{S} = \{0,1\}^{c_d} \times \{-1,0,1\}^{nk\delta_\beta} \times \{-1,0,1\}^{L'} \times (\{-1,0,1\}^{n\ell})^{4\ell} \times (\{-1,0,1\}^{n\delta_B})^{2}$, and associate every element $\eta = (\mathbf{f}_1, \mathbf{f}_2, \mathbf{f}_3, \mathbf{f}_{4,1}, \ldots, \mathbf{f}_{4,2\ell}, \mathbf{f}_{5,1}, \ldots, \mathbf{f}_{5,2\ell}, \mathbf{f}_6, \mathbf{f}_7) \in \mathcal{S}$ with $\Gamma_\eta$ that works as follows. For a vector of the form $\mathbf{v}^\star = (\mathbf{v}^\star_1 \| \mathbf{v}^\star_2 \| \mathbf{v}^\star_3 \| \mathbf{v}^\star_4) \in \mathbb{Z}^{L}$, where $\mathbf{v}^\star_i \in \mathbb{Z}^{L_i}$ for $i \in \{1,2\}$, $\mathbf{v}^\star_3 = (\mathbf{v}^\star_{3,1} \| \cdots \| \mathbf{v}^\star_{3,4\ell})$ with $\mathbf{v}^\star_{3,j} \in \mathbb{Z}^{3n\ell}$, and $\mathbf{v}^\star_4 = (\mathbf{v}^\star_{4,1} \| \cdots \| \mathbf{v}^\star_{4,4\ell})$ with $\mathbf{v}^\star_{4,j} \in \mathbb{Z}^{9n^2\ell\delta_B}$, it transforms $\mathbf{v}^\star$ into the vector
$$\Gamma_\eta(\mathbf{v}^\star) = \big(\Psi_{\mathbf{f}_1, \mathbf{f}_2}(\mathbf{v}^\star_1) \| \Pi_{\mathbf{f}_3}(\mathbf{v}^\star_2) \| \Pi_{\mathbf{f}_{4,1}}(\mathbf{v}^\star_{3,1}) \| \cdots \| \Pi_{\mathbf{f}_{4,2\ell}}(\mathbf{v}^\star_{3,2\ell}) \| \Pi_{\mathbf{f}_{5,1}}(\mathbf{v}^\star_{3,2\ell+1}) \| \cdots \| \Pi_{\mathbf{f}_{5,2\ell}}(\mathbf{v}^\star_{3,4\ell}) \| \Phi_{\mathbf{f}_{4,1}, \mathbf{f}_6}(\mathbf{v}^\star_{4,1}) \| \cdots \| \Phi_{\mathbf{f}_{4,2\ell}, \mathbf{f}_6}(\mathbf{v}^\star_{4,2\ell}) \| \Phi_{\mathbf{f}_{5,1}, \mathbf{f}_7}(\mathbf{v}^\star_{4,2\ell+1}) \| \cdots \| \Phi_{\mathbf{f}_{5,2\ell}, \mathbf{f}_7}(\mathbf{v}^\star_{4,4\ell})\big).$$
It then follows from the equivalences in (4), (6), and (11) that $\mathsf{VALID}$, $\mathcal{S}$, and $\Gamma_\eta$ satisfy the conditions in (1). Therefore, we have transformed the considered statement into an instance of the abstract protocol from Section 2.4. To obtain the desired statistical ZKAoK protocol, it suffices for the prover and verifier to run the interactive protocol described in Figure 1. The protocol has perfect completeness, soundness error $2/3$, and communication cost $O(L \cdot \log q)$, which is of order $O(n \cdot \log n) = \widetilde{O}(\lambda)$.

We assume there is a trusted setup that generates the parameters of the scheme. Specifically, it generates a public matrix $B$ for generating users' key pairs, and two secret-public key pairs of our KOE scheme whose secret keys are discarded and not known to any party.
The group public key then consists of three parts: (i) the parameters from the trusted setup, (ii) a verification key of the Ducas-Micciancio signature, and (iii) two public keys of our KOE scheme for which the group manager knows both secret keys. The issue key is the Ducas-Micciancio signing key, while the opening key is one of the two secret keys corresponding to these public keys. Note that both the issue key and the opening key are generated by the group manager.

When a user joins the group, it first generates a secret-public key pair $(\mathbf{x}, p)$ such that $B \cdot \mathbf{x} = p$. It then interacts with the group manager, who determines whether user $p$ is traceable or not. If the user is traceable, the group manager sets a bit $\mathsf{tr} = 1$, randomizes the two public keys he generated himself, and then generates a Ducas-Micciancio signature $\sigma_{\mathsf{cert}}$ on the user public key $p$ and the two randomized public keys $(\mathsf{epk}_1, \mathsf{epk}_2)$. If the user is non-traceable, the group manager sets the bit $\mathsf{tr} = 0$, randomizes the two public keys generated by the trusted setup, and then generates a signature on $p$ and $\mathsf{epk}_1, \mathsf{epk}_2$. If this completes successfully, the group manager sends the certificate $\mathsf{cert} = (p, \mathsf{epk}_1, \mathsf{epk}_2, \sigma_{\mathsf{cert}})$ to user $p$, registers this user to the group, and keeps for himself the witness $\mathbf{w}_{\mathsf{escrw}}$ that was used for the randomization.

Once registered as a group member, the user can sign messages on behalf of the group. To this end, the user first encrypts his public key $p$ twice using his two randomized public keys, and obtains ciphertexts $\mathbf{c}_1, \mathbf{c}_2$. The user then generates a ZKAoK showing that (i) he has a valid secret key $\mathbf{x}$ corresponding to $p$; (ii) he possesses a Ducas-Micciancio signature on $p$ and $\mathsf{epk}_1, \mathsf{epk}_2$; and (iii) $\mathbf{c}_1, \mathbf{c}_2$ are correct ciphertexts of $p$ under the randomized keys $\mathsf{epk}_1, \mathsf{epk}_2$, respectively. Since the ZKAoK protocol the user employs has soundness error $2/3$, it is repeated $\kappa = \omega(\log \lambda)$ times to make the error negligibly small. Then, it is made non-interactive via the Fiat-Shamir heuristic [17]. The signature then consists of the non-interactive zero-knowledge argument of knowledge (NIZKAoK) $\Pi_{\mathsf{gs}}$ and the two ciphertexts. Note that the ZK argument together with double encryption yields CCA-security of the underlying encryption scheme, which is known as the Naor-Yung transformation [47].

To verify the validity of a signature, it suffices to verify the validity of the argument $\Pi_{\mathsf{gs}}$. Should the need arise, the group manager can decrypt using his opening key. If a user is traceable, the opening key the group manager possesses can be used to correctly identify the signer. However, if a user is non-traceable, then his anonymity is preserved even against the manager.

To prevent corrupted openings, the group manager is required to generate a NIZKAoK of correct opening $\Pi_{\mathsf{open}}$. Only when $\Pi_{\mathsf{open}}$ is a valid argument do we accept the opening result. Furthermore, there is an additional accounting mechanism for the group manager to reveal which users he had chosen to be traceable. This is done by checking the consistency of $\mathsf{tr}$ and the randomized public keys in the user's certificate with the help of the witness $\mathbf{w}_{\mathsf{escrw}}$.

We describe the details of our scheme below.

$\mathsf{Setup}(\lambda)$: Given the security parameter $\lambda$, it generates the following public parameters.
– Let $n = O(\lambda)$ be a power of 2, and the modulus $q = \widetilde{O}(n)$, where $q = 3^k$ for $k \in \mathbb{Z}^+$. Let $R = \mathbb{Z}[X]/(X^n + 1)$ and $R_q = R/qR$. Also, let $m \ge \lceil \log q \rceil + 2$, $\ell = \lfloor \log \frac{q-1}{2} \rfloor + 1$, $m_s = 4\ell + 1$, $\bar{m} = m + k$ and $\bar{m}_s = m_s \cdot \ell$.
– Let the integer $d$ and the sequence $c_1, \ldots, c_d$ be as described in Section 2.3.
– Let $\beta = \widetilde{O}(n)$ and $B = \widetilde{O}(\sqrt{n})$ be two integer bounds, and let $\chi$ be a $B$-bounded distribution over the ring $R$.
– Choose a collision-resistant hash function $\mathcal{H}_{\mathsf{FS}} : \{0,1\}^* \to \{1,2,3\}^{\kappa}$, where $\kappa = \omega(\log \lambda)$, which will act as a random oracle in the Fiat-Shamir heuristic [17].
– Choose a statistically hiding and computationally binding commitment scheme from [22], denoted as $\mathsf{COM}$, which will be employed in our ZK argument systems.
– Let $B \xleftarrow{\$} R_q^{1 \times m}$, $\mathbf{a}^{(0)}_1 \xleftarrow{\$} R_q^{\ell}$, $\mathbf{a}^{(0)}_2 \xleftarrow{\$} R_q^{\ell}$, $s^{-}_1, s^{-}_2 \hookleftarrow \chi$, $\mathbf{e}^{-}_1, \mathbf{e}^{-}_2 \hookleftarrow \chi^{\ell}$. Compute $\mathbf{b}^{(0)}_1 = \mathbf{a}^{(0)}_1 \cdot s^{-}_1 + \mathbf{e}^{-}_1 \in R_q^{\ell}$ and $\mathbf{b}^{(0)}_2 = \mathbf{a}^{(0)}_2 \cdot s^{-}_2 + \mathbf{e}^{-}_2 \in R_q^{\ell}$.
This algorithm outputs the public parameters
$$\mathsf{pp} = \{n, q, k, R, R_q, \ell, m, m_s, \bar{m}, \bar{m}_s, d, c_1, \ldots, c_d, \beta, B, \chi, \mathcal{H}_{\mathsf{FS}}, \kappa, \mathsf{COM}, B, \{\mathbf{a}^{(0)}_i, \mathbf{b}^{(0)}_i\}_{i \in \{1,2\}}\}.$$
$\mathsf{pp}$ is implicit for all algorithms below if not explicitly mentioned.

$\mathsf{GKeyGen}(\mathsf{pp})$: On input $\mathsf{pp}$, GM proceeds as follows.
– Generate the verification key $A, F_0 \in R_q^{1 \times m}$; $A[0], \ldots, A[d] \in R_q^{1 \times k}$; $F \in R_q^{1 \times \ell}$; $F_1 \in R_q^{1 \times \bar{m}_s}$; $u \in R_q$ and the signing key $\mathbf{R} \in R_q^{m \times k}$ for the Ducas-Micciancio signature from Section 2.3.
– Initialize the Naor-Yung double-encryption mechanism [47] with the key-oblivious encryption scheme described in Section 3.1. Specifically, sample $s_1, s_2 \hookleftarrow \chi$, $\mathbf{e}_1, \mathbf{e}_2 \hookleftarrow \chi^{\ell}$, $\mathbf{a}^{(1)}_1 \xleftarrow{\$} R_q^{\ell}$, $\mathbf{a}^{(1)}_2 \xleftarrow{\$} R_q^{\ell}$ and compute $\mathbf{b}^{(1)}_1 = \mathbf{a}^{(1)}_1 \cdot s_1 + \mathbf{e}_1 \in R_q^{\ell}$ and $\mathbf{b}^{(1)}_2 = \mathbf{a}^{(1)}_2 \cdot s_2 + \mathbf{e}_2 \in R_q^{\ell}$.
Set the group public key $\mathsf{gpk}$, the issue key $\mathsf{ik}$ and the opening key $\mathsf{ok}$ as follows:
$$\mathsf{gpk} = \{\mathsf{pp}, A, \{A[j]\}_{j=0}^{d}, F, F_0, F_1, u, \mathbf{a}^{(1)}_1, \mathbf{b}^{(1)}_1, \mathbf{a}^{(1)}_2, \mathbf{b}^{(1)}_2\}, \qquad \mathsf{ik} = \mathbf{R}, \qquad \mathsf{ok} = (s_1, \mathbf{e}_1).$$
GM then makes $\mathsf{gpk}$ public, sets the registration table $\mathbf{reg} = \emptyset$ and his internal state $S = 0$.

$\mathsf{UKeyGen}(\mathsf{pp})$: Given the public parameters, the user first chooses $\mathbf{x} \in R^m$ whose coefficients are uniformly chosen from the set $\{-1,0,1\}$. He then computes $p = B \cdot \mathbf{x} \in R_q$, and sets $\mathsf{upk} = p$ and $\mathsf{usk} = \mathbf{x}$.

$\mathsf{Enroll}(\mathsf{gpk}, \mathsf{ik}, \mathsf{upk}, \mathsf{tr})$: Upon receiving a user public key $\mathsf{upk}$ from a user, GM determines the value of the bit $\mathsf{tr} \in \{0,1\}$, indicating whether the user is traceable. He then does the following:
– Randomize the two pairs of public keys $(\mathbf{a}^{(\mathsf{tr})}_1, \mathbf{b}^{(\mathsf{tr})}_1)$ and $(\mathbf{a}^{(\mathsf{tr})}_2, \mathbf{b}^{(\mathsf{tr})}_2)$ as described in Section 3.1. Specifically, sample $g_1, g_2 \hookleftarrow \chi$, $\mathbf{e}_{1,1}, \mathbf{e}_{1,2} \hookleftarrow \chi^{\ell}$, $\mathbf{e}_{2,1}, \mathbf{e}_{2,2} \hookleftarrow \chi^{\ell}$. For each $i \in \{1,2\}$, compute
$$\mathsf{epk}_i = (\mathbf{a}'_i, \mathbf{b}'_i) = (\mathbf{a}^{(\mathsf{tr})}_i \cdot g_i + \mathbf{e}_{i,1},\ \mathbf{b}^{(\mathsf{tr})}_i \cdot g_i + \mathbf{e}_{i,2}) \in R_q^{\ell} \times R_q^{\ell}. \qquad (17)$$
– Set the tag $t = (t_0, t_1, \ldots, t_{c_d - 1})^\top \in \mathcal{T}_d$, where $S = \sum_{j=0}^{c_d - 1} 2^j \cdot t_j$, and compute $A_t = [A \mid A[0] + \sum_{i=1}^{d} t[i] A[i]] \in R_q^{1 \times (m+k)}$.
– Let $\mathbf{m} = (p \| \mathbf{a}'_1 \| \mathbf{b}'_1 \| \mathbf{a}'_2 \| \mathbf{b}'_2) \in R_q^{m_s}$.
– Generate a signature $\sigma_{\mathsf{cert}} = (t, \mathbf{r}, \mathbf{v})$ on the message $\mathsf{rdec}(\mathbf{m}) \in R^{\bar{m}_s}$, whose coefficients are in $\{-1,0,1\}$, using his issue key $\mathsf{ik} = \mathbf{R}$. As in Section 2.3, we have $\mathbf{r} \in R^m$, $\mathbf{v} \in R^{m+k}$ and
$$A_t \cdot \mathbf{v} = F \cdot \mathsf{rdec}(F_0 \cdot \mathbf{r} + F_1 \cdot \mathsf{rdec}(\mathbf{m})) + u, \qquad \|\mathbf{r}\|_\infty \le \beta, \qquad \|\mathbf{v}\|_\infty \le \beta. \qquad (18)$$
Set the certificate $\mathsf{cert}$ and the witness $\mathbf{w}_{\mathsf{escrw}}$ as follows:
$$\mathsf{cert} = (p, \mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2, t, \mathbf{r}, \mathbf{v}), \qquad \mathbf{w}_{\mathsf{escrw}} = (g_1, \mathbf{e}_{1,1}, \mathbf{e}_{1,2}, g_2, \mathbf{e}_{2,1}, \mathbf{e}_{2,2}).$$
GM sends $\mathsf{cert}$ to the user $p$, stores $\mathbf{reg}[S] = (p, \mathsf{tr}, \mathbf{w}_{\mathsf{escrw}})$, and updates the state to $S + 1$.

$\mathsf{Sign}(\mathsf{gpk}, \mathsf{cert}, \mathsf{usk}, M)$: To sign a message $M \in \{0,1\}^*$ using the certificate $\mathsf{cert} = (p, \mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2, t, \mathbf{r}, \mathbf{v})$ and $\mathsf{usk} = \mathbf{x}$, the user proceeds as follows.
– Encrypt the ring vector $\mathsf{rdec}(p) \in R_q^{\ell}$, whose coefficients are in $\{-1,0,1\}$, twice. Namely, sample $g'_1, g'_2 \hookleftarrow \chi$, $\mathbf{e}'_{1,1}, \mathbf{e}'_{1,2} \hookleftarrow \chi^{\ell}$, and $\mathbf{e}'_{2,1}, \mathbf{e}'_{2,2} \hookleftarrow \chi^{\ell}$. For each $i \in \{1,2\}$, compute $\mathbf{c}_i = (\mathbf{c}_{i,1}, \mathbf{c}_{i,2}) \in R_q^{\ell} \times R_q^{\ell}$ as follows:
$$\mathbf{c}_{i,1} = \mathbf{a}'_i \cdot g'_i + \mathbf{e}'_{i,1}; \qquad \mathbf{c}_{i,2} = \mathbf{b}'_i \cdot g'_i + \mathbf{e}'_{i,2} + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p).$$
– Generate a NIZKAoK $\Pi_{\mathsf{gs}}$ to demonstrate the possession of a valid tuple $\zeta$ of the form
$$\zeta = (p, \mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2, t, \mathbf{r}, \mathbf{v}, \mathbf{x}, g'_1, \mathbf{e}'_{1,1}, \mathbf{e}'_{1,2}, g'_2, \mathbf{e}'_{2,1}, \mathbf{e}'_{2,2}) \qquad (19)$$
such that (i) the conditions in (18) are satisfied; (ii) $\mathbf{c}_1$ and $\mathbf{c}_2$ are correct encryptions of $\mathsf{rdec}(p)$ with $B$-bounded randomness $g'_1, \mathbf{e}'_{1,1}, \mathbf{e}'_{1,2}$ and $g'_2, \mathbf{e}'_{2,1}, \mathbf{e}'_{2,2}$, respectively; and (iii) $\|\mathbf{x}\|_\infty \le 1$ and $B \cdot \mathbf{x} = p$. This is achieved by running the protocol from Section 5.1, which is repeated $\kappa = \omega(\log \lambda)$ times and made non-interactive via the Fiat-Shamir heuristic [17] as a triple $\Pi_{\mathsf{gs}} = (\{\mathrm{CMT}_i\}_{i=1}^{\kappa}, \mathrm{CH}, \{\mathrm{RSP}_i\}_{i=1}^{\kappa})$, where the challenge $\mathrm{CH}$ is generated as $\mathrm{CH} = \mathcal{H}_{\mathsf{FS}}(M, \{\mathrm{CMT}_i\}_{i=1}^{\kappa}, \xi)$ with $\xi$ of the following form:
$$\xi = (A, A[0], \ldots, A[d], F, F_0, F_1, u, B, \mathbf{c}_1, \mathbf{c}_2). \qquad (20)$$
– Output the group signature $\Sigma = (\Pi_{\mathsf{gs}}, \mathbf{c}_1, \mathbf{c}_2)$.

$\mathsf{Verify}(\mathsf{gpk}, M, \Sigma)$: Given the inputs, the verifier proceeds as follows.
– Parse $\Sigma$ as $\Sigma = (\{\mathrm{CMT}_i\}_{i=1}^{\kappa}, (\mathrm{Ch}_1, \ldots, \mathrm{Ch}_\kappa), \{\mathrm{RSP}_i\}_{i=1}^{\kappa}, \mathbf{c}_1, \mathbf{c}_2)$. If $(\mathrm{Ch}_1, \ldots, \mathrm{Ch}_\kappa) \ne \mathcal{H}_{\mathsf{FS}}(M, \{\mathrm{CMT}_i\}_{i=1}^{\kappa}, \xi)$, output 0, where $\xi$ is as in (20).
– For each $i \in [\kappa]$, run the verification phase of the protocol in Section 5.1 to verify the validity of $\mathrm{RSP}_i$ with respect to $\mathrm{CMT}_i$ and $\mathrm{Ch}_i$. If any of these verifications fails, output 0.
– Output 1.

$\mathsf{Open}(\mathsf{gpk}, \mathsf{ok}, M, \Sigma)$: Let $\mathsf{ok} = (s_1, \mathbf{e}_1)$ and $\Sigma = (\Pi_{\mathsf{gs}}, \mathbf{c}_1, \mathbf{c}_2)$. The group manager proceeds as follows.
– Use $s_1$ to decrypt $\mathbf{c}_1 = (\mathbf{c}_{1,1}, \mathbf{c}_{1,2})$ as in the decryption algorithm from Section 3.1. The result is $p' \in R_q$.
– He then searches the registration information. If $\mathbf{reg}$ does not include an element $p'$, return $\bot$.
– Otherwise, he produces a NIZKAoK $\Pi_{\mathsf{open}}$ to show knowledge of a tuple $(s_1, \mathbf{e}_1, \mathbf{y}) \in R_q \times R_q^{\ell} \times R_q^{\ell}$ such that the following conditions hold:
$$\|s_1\|_\infty \le B;\quad \|\mathbf{e}_1\|_\infty \le B;\quad \|\mathbf{y}\|_\infty \le \lceil q/\ \rceil;\quad \mathbf{a}^{(1)}_1 \cdot s_1 + \mathbf{e}_1 = \mathbf{b}^{(1)}_1;\quad \mathbf{c}_{1,2} - \mathbf{c}_{1,1} \cdot s_1 = \mathbf{y} + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p'). \qquad (21)$$
Since the conditions in (21) only involve linear secret objects with bounded norm, we can easily handle them using the Stern-like techniques from Sections 4.2 and 5.1. Therefore, we obtain a statistical ZKAoK for the above statement. Furthermore, the protocol is repeated $\kappa = \omega(\log \lambda)$ times and made non-interactive via the Fiat-Shamir heuristic, resulting in a triple $\Pi_{\mathsf{open}} = (\{\mathrm{CMT}_i\}_{i=1}^{\kappa}, \mathrm{CH}, \{\mathrm{RSP}_i\}_{i=1}^{\kappa})$, where $\mathrm{CH} \in \{1,2,3\}^{\kappa}$ is computed as
$$\mathrm{CH} = \mathcal{H}_{\mathsf{FS}}(\{\mathrm{CMT}_i\}_{i=1}^{\kappa}, \mathbf{a}^{(1)}_1, \mathbf{b}^{(1)}_1, M, \Sigma, p'). \qquad (22)$$
– Output $(p', \Pi_{\mathsf{open}})$.

$\mathsf{Judge}(\mathsf{gpk}, M, \Sigma, p', \Pi_{\mathsf{open}})$: Given all the inputs, this algorithm does the following.
– If the $\mathsf{Verify}$ algorithm outputs 0 or $p' = \bot$, return 0.
– It then verifies the argument $\Pi_{\mathsf{open}}$ with respect to the common input $(\mathbf{a}^{(1)}_1, \mathbf{b}^{(1)}_1, M, \Sigma, p')$, in the same way as in the algorithm $\mathsf{Verify}$. If the verification of $\Pi_{\mathsf{open}}$ fails, output 0.
– Else output 1.

$\mathsf{Account}(\mathsf{gpk}, \mathsf{cert}, \mathbf{w}_{\mathsf{escrw}}, \mathsf{tr})$: Given the certificate $\mathsf{cert} = (p, \mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2, t, \mathbf{r}, \mathbf{v})$, the witness $\mathbf{w}_{\mathsf{escrw}} = (g_1, \mathbf{e}_{1,1}, \mathbf{e}_{1,2}, g_2, \mathbf{e}_{2,1}, \mathbf{e}_{2,2})$ and the bit $\mathsf{tr}$, this algorithm proceeds as follows.
– It checks whether $(t, \mathbf{r}, \mathbf{v})$ is a valid Ducas-Micciancio signature on the message $(p, \mathbf{a}'_1, \mathbf{b}'_1, \mathbf{a}'_2, \mathbf{b}'_2)$. Specifically, it verifies whether $\mathsf{cert}$ satisfies the conditions in (18). If not, output 0.
– Otherwise, it checks whether $(\mathbf{a}'_1, \mathbf{b}'_1)$ and $(\mathbf{a}'_2, \mathbf{b}'_2)$ are randomizations of $(\mathbf{a}^{(\mathsf{tr})}_1, \mathbf{b}^{(\mathsf{tr})}_1)$ and $(\mathbf{a}^{(\mathsf{tr})}_2, \mathbf{b}^{(\mathsf{tr})}_2)$ with respect to the randomness $(g_1, \mathbf{e}_{1,1}, \mathbf{e}_{1,2})$ and $(g_2, \mathbf{e}_{2,1}, \mathbf{e}_{2,2})$, respectively. Specifically, it verifies whether the conditions in (17) hold. If not, output 0.
– Else output 1.

5.3 Analysis of Our ATS Scheme
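Before the analysis, the following script is an added, self-contained toy model of the encryption side of the scheme above, written for this page and not taken from the paper: a ring-LWE key-oblivious encryption with key randomization as in (17), the double encryption of $\mathsf{Sign}$, decryption by $\mathsf{Open}$ with the opening key $s_1$, and the consistency check of $\mathsf{Account}$. It also exercises the argument of the Correctness paragraph below: a traceable user, whose keys were randomized from the group manager's pair, is recovered exactly, while a non-traceable user, whose keys were randomized from the trusted-setup pair with discarded secret, decrypts to a value that is not in the registration table. The parameters ($n = 8$, $q = 3^7$, ternary noise, $\ell = 1$ so that every key component is a single ring element), the scaling of the ternary message by $q/3$ and the nearest-third decoder are constructions of this example and are not the paper's choices; they give no security and only illustrate the flow.

```python
import random

# Added toy model of the KOE / double-encryption side of the ATS scheme (not the paper's code).
# Parameters are constructed for illustration only and give no security.
N, Q = 8, 3 ** 7           # ring degree n and modulus q = 3^k (here q = 2187)
SCALE = Q // 3             # ternary message coefficient m is encoded as SCALE * m (assumption)
rng = random.Random(2019)  # fixed seed so the run is reproducible

def centered(x, q=Q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2]."""
    x %= q
    return x - q if x > q // 2 else x

def pmul(a, b, n=N, q=Q):
    """Product in R_q = Z_q[X]/(X^n + 1) on coefficient lists."""
    r = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                r[i + j] += ai * bj
            else:
                r[i + j - n] -= ai * bj   # X^n = -1
    return [centered(x, q) for x in r]

def padd(*ps):
    return [centered(sum(c)) for c in zip(*ps)]

def small():
    """A sample from chi: coefficients uniform in {-1,0,1} (B-bounded with B = 1)."""
    return [rng.randint(-1, 1) for _ in range(N)]

def uniform():
    return [centered(rng.randrange(Q)) for _ in range(N)]

# --- key-oblivious encryption in the shape of the paper's Section 3.1, with ell = 1 ---
def koe_keygen():
    """pk = (a, b = a*s + e), sk = (s, e)."""
    a, s, e = uniform(), small(), small()
    return (a, padd(pmul(a, s), e)), (s, e)

def koe_randomize(pk, wit):
    """epk = (a*g + e1, b*g + e2) for the escrow witness wit = (g, e1, e2), as in (17)."""
    (a, b), (g, e1, e2) = pk, wit
    return (padd(pmul(a, g), e1), padd(pmul(b, g), e2))

def koe_encrypt(epk, m):
    """c = (a'*g' + e'_1, b'*g' + e'_2 + SCALE*m) with fresh small g', e'_1, e'_2."""
    a1, b1 = epk
    g2, f1, f2 = small(), small(), small()
    return (padd(pmul(a1, g2), f1), padd(pmul(b1, g2), f2, [SCALE * x for x in m]))

def koe_decrypt(s, c):
    """y = c_2 - c_1*s, decoded coefficient-wise to the nearest of {-SCALE, 0, SCALE}.
    Under an honestly randomized key the noise is at most 145 < SCALE/2 for these parameters."""
    c1, c2 = c
    y = padd(c2, [-x for x in pmul(c1, s)])
    return [0 if abs(v) <= SCALE // 2 else (1 if v > 0 else -1) for v in y]

# --- the ATS roles of Section 5.2, reduced to what touches the ciphertexts ---
def trusted_setup():
    """Two KOE public keys whose secret keys are discarded (used when tr = 0)."""
    return koe_keygen()[0], koe_keygen()[0]

def gm_keygen():
    """Two KOE key pairs kept by the GM (used when tr = 1); ok is the first secret key."""
    (pk1, sk1), (pk2, _) = koe_keygen(), koe_keygen()
    return (pk1, pk2), sk1

def enroll(setup_pks, gm_pks, p, tr):
    """Randomize the tr-selected key pairs; return cert = (p, epk1, epk2) and the escrow witness."""
    base = gm_pks if tr == 1 else setup_pks
    wits = [(small(), small(), small()) for _ in range(2)]
    epks = [koe_randomize(pk, w) for pk, w in zip(base, wits)]
    return (p, epks[0], epks[1]), wits

def sign_encrypt(cert, p):
    """The Naor-Yung style double encryption of the signer's (decomposed) public key p."""
    _, epk1, epk2 = cert
    return koe_encrypt(epk1, p), koe_encrypt(epk2, p)

def open_sig(ok, reg, sig):
    """Decrypt c_1 with the opening key; return the registered p' or None (the paper's bottom)."""
    p1 = koe_decrypt(ok[0], sig[0])
    return p1 if p1 in reg else None

def account(setup_pks, gm_pks, cert, wits, tr):
    """Check that both certified keys are randomizations of the tr-selected base keys, as in (17)."""
    base = gm_pks if tr == 1 else setup_pks
    return all(koe_randomize(pk, w) == epk for pk, w, epk in zip(base, wits, cert[1:]))

def demo():
    """One traceable and one non-traceable user; returns the outcomes of Open and Account."""
    setup_pks = trusted_setup()
    gm_pks, ok = gm_keygen()
    p_tr, p_nt = small(), small()          # stand-ins for rdec(p) of the two users
    cert_tr, wit_tr = enroll(setup_pks, gm_pks, p_tr, 1)
    cert_nt, wit_nt = enroll(setup_pks, gm_pks, p_nt, 0)
    reg = [p_tr, p_nt]
    return {
        "open_traceable": open_sig(ok, reg, sign_encrypt(cert_tr, p_tr)) == p_tr,
        "open_nontraceable": open_sig(ok, reg, sign_encrypt(cert_nt, p_nt)),  # None w.o.p.
        "account_ok": account(setup_pks, gm_pks, cert_tr, wit_tr, 1)
                      and account(setup_pks, gm_pks, cert_nt, wit_nt, 0),
        "account_wrong_bit": account(setup_pks, gm_pks, cert_tr, wit_tr, 0),
    }
```

The decryption noise for a key randomized from the GM's pair is $(\mathbf{e} g + \mathbf{e}_2 - \mathbf{e}_1 s) g' + \mathbf{e}'_2 - \mathbf{e}'_1 s$, which for ternary samples and $n = 8$ has infinity norm at most $145$, below the decoding threshold $\lfloor \mathrm{SCALE}/2 \rfloor = 364$, so `open_sig` is deterministic for the traceable user; for the non-traceable user the term $\mathbf{a}^{(0)} (s^{-} - s_1) g g'$ is essentially uniform in $R_q$, which is why the decoded value misses the registration table. `account` with the wrong bit fails because the same witness applied to the other base key yields different randomized keys.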
Efficiency.
We first analyze the efficiency of our scheme from Section 5.2 in terms of the security parameter $\lambda$.
– The bit-size of the public key $\mathsf{gpk}$ is of order $O(\lambda \cdot \log \lambda) = \widetilde{O}(\lambda)$.
– The bit-size of the membership certificate $\mathsf{cert}$ is of order $O(\lambda \cdot \log \lambda) = \widetilde{O}(\lambda)$.
– The bit-size of a signature $\Sigma$ is determined by that of the Stern-like NIZKAoK $\Pi_{\mathsf{gs}}$, which is of order $O(L \cdot \log q) \cdot \omega(\log \lambda)$, where $L$ is the bit-size of a vector $\mathbf{w} \in \mathsf{VALID}$ from Section 5.1. Recall that $O(L \cdot \log q) = O(\lambda \cdot \log \lambda)$. Therefore, the bit-size of $\Sigma$ is of order $O(\lambda \cdot \log \lambda) \cdot \omega(\log \lambda) = \widetilde{O}(\lambda)$.
– The bit-size of the Stern-like NIZKAoK $\Pi_{\mathsf{open}}$ is of order $O(\lambda \cdot \log \lambda) \cdot \omega(\log \lambda) = \widetilde{O}(\lambda)$.

Correctness.
For an honestly generated signature $\Sigma$ on a message $M$, we first show that the $\mathsf{Verify}$ algorithm always outputs 1. Due to the honest behaviour of the user, when signing a message in the name of the group, this user possesses a valid tuple $\zeta$ of the form (19). Therefore, $\Pi_{\mathsf{gs}}$ is accepted by the $\mathsf{Verify}$ algorithm with probability 1 by the perfect completeness of our argument system.

If an honest user is traceable, then $\mathsf{Account}(\mathsf{gpk}, \mathsf{cert}, \mathbf{w}_{\mathsf{escrw}}, 1)$ outputs 1, which follows from the correctness of the Ducas-Micciancio signature scheme and the honest behaviour of the group manager. As for the correctness of the $\mathsf{Open}$ algorithm, we observe that
$$\mathbf{c}_{1,2} - \mathbf{c}_{1,1} \cdot s_1 = (\mathbf{b}^{(\mathsf{tr})}_1 - \mathbf{a}^{(\mathsf{tr})}_1 \cdot s_1) \cdot g_1 \cdot g'_1 + \mathbf{e}_{1,2} \cdot g'_1 - \mathbf{e}_{1,1} \cdot s_1 \cdot g'_1 + \mathbf{e}'_{1,2} - \mathbf{e}'_{1,1} \cdot s_1 + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p),$$
which we denote as $\tilde{\mathbf{e}} + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p)$. In this case, $\mathsf{tr} = 1$, $\mathbf{b}^{(\mathsf{tr})}_1 - \mathbf{a}^{(\mathsf{tr})}_1 \cdot s_1 = \mathbf{e}_1$, and $\|\tilde{\mathbf{e}}\|_\infty \le \lceil q/\ \rceil$. Decryption therefore recovers $\mathsf{rdec}(p)$, and hence the real signer, by the correctness of our key-oblivious encryption scheme from Section 3.1. Thus, the correctness of the $\mathsf{Open}$ algorithm follows. What is more, $\Pi_{\mathsf{open}}$ is accepted by the $\mathsf{Judge}$ algorithm with probability 1 due to the perfect completeness of our argument system.

If an honest user is non-traceable, then again $\mathsf{Account}(\mathsf{gpk}, \mathsf{cert}, \mathbf{w}_{\mathsf{escrw}}, 0)$ outputs 1. For the $\mathsf{Open}$ algorithm, since $\mathbf{b}^{(0)}_1 - \mathbf{a}^{(0)}_1 \cdot s_1 = \mathbf{a}^{(0)}_1 \cdot (s^{-}_1 - s_1) + \mathbf{e}^{-}_1$, we obtain
$$\mathbf{c}_{1,2} - \mathbf{c}_{1,1} \cdot s_1 = \mathbf{a}^{(0)}_1 \cdot (s^{-}_1 - s_1) \cdot g_1 \cdot g'_1 + \tilde{\mathbf{e}} + \lfloor q/\ \rfloor \cdot \mathsf{rdec}(p),$$
where $\|\tilde{\mathbf{e}}\|_\infty \le \lceil q/\ \rceil$. Observe that $\mathbf{a}^{(0)}_1 \xleftarrow{\$} R_q^{\ell}$, and $s^{-}_1 \ne s_1$ with overwhelming probability. Over the randomness of $g_1, g'_1$, the decryption algorithm described in Section 3.1 outputs a random element $p' \in R_q$. Then, with overwhelming probability, $p'$ is not in the registration table and the $\mathsf{Open}$ algorithm outputs $\bot$. It then follows that our scheme is correct.

Security.
In Theorem 3, we prove that our scheme satisfies the security requirements of accountable tracing signatures, as specified by Kohlweiss and Miers.

Theorem 3.
Under the RLWE and RSIS assumptions, the accountable tracing signature scheme described in Section 5.2 satisfies the following requirements in the random oracle model: (i) anonymity under tracing; (ii) traceability; (iii) non-frameability; (iv) anonymity with accountability; and (v) trace-obliviousness.

For the proofs of traceability and non-frameability, the lemma below from [36] is needed.

Lemma 5 ([36]).
Let $B \in R_q^{1 \times m}$, where $m \ge \lceil \log q \rceil + 2$. If $\mathbf{x}$ is a uniform element over $R^m$ with $\|\mathbf{x}\|_\infty \le 1$, then with probability at least $1 - 2^{-n}$, there exists a different $\mathbf{x}' \in R^m$ with $\|\mathbf{x}'\|_\infty \le 1$ and $B \cdot \mathbf{x}' = B \cdot \mathbf{x} \in R_q$.

The proof of Theorem 3 follows from Lemmas 6-10 given below.
Lemma 6.
Assuming the hardness of the RLWE problem, in the random oracle model, the given accountable tracing signature scheme is anonymous under tracing.

Proof.
We prove this lemma using a series of indistinguishable games. In the initial game, the challenger runs the experiment $\mathsf{Exp}^{\mathrm{AuT}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda)$, while in the last game, the challenger runs the experiment $\mathsf{Exp}^{\mathrm{AuT}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda)$. Let $W_i$ be the event that the adversary outputs 1 in Game $i$.

Game 0: This is exactly the experiment $\mathsf{Exp}^{\mathrm{AuT}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda)$, where the adversary receives a challenge signature $(\Pi^*_{\mathsf{gs}}, \mathbf{c}^*_1, \mathbf{c}^*_2) \leftarrow \mathsf{Sign}(\mathsf{gpk}, \mathsf{cert}_0, \mathsf{usk}_0, M)$ in the challenge phase, with $p_0 = B \cdot \mathsf{usk}_0$. So $\Pr[W_0] = \Pr[\mathsf{Exp}^{\mathrm{AuT}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]$.

Game 1: We modify Game 0 as follows: the challenger keeps the decryption key $(s_2, \mathbf{e}_2)$ secret (for himself) instead of erasing it. However, the view of the adversary $\mathcal{A}$ is still the same as in Game 0. Therefore, $\Pr[W_1] = \Pr[W_0]$.

Game 2: This game is the same as Game 1 with one exception: it generates simulated proofs for the opening oracle queries by programming the random oracle $\mathcal{H}_{\mathsf{FS}}$. Note that the challenger still follows the original game (that is, it uses $s_1$ to decrypt $\mathbf{c}_1$) to identify the real signer. The views of $\mathcal{A}$ in Game 1 and Game 2 are statistically close due to the statistical zero-knowledge property of our argument system. Therefore $\Pr[W_2] \approx_s \Pr[W_1]$.

Game 3: This game modifies Game 2 as follows. It uses $s_2$ instead of $s_1$ to answer the opening oracle queries; in other words, it now uses $s_2$ to decrypt $\mathbf{c}_2$ to identify the signer. The view of the adversary in this game is identical to that in Game 2 until the event $F_1$ happens, where $\mathcal{A}$ queries the opening oracle with a valid signature $(\Pi_{\mathsf{gs}}, \mathbf{c}_1, \mathbf{c}_2)$ in which $\mathbf{c}_1, \mathbf{c}_2$ encrypt distinct messages. Since the event $F_1$ violates the soundness of our argument system, we have $|\Pr[W_3] - \Pr[W_2]| \le \Pr[F_1] \le \mathbf{Adv}^{\mathrm{sound}}_{\Pi_{\mathsf{gs}}}(\lambda) = \mathsf{negl}(\lambda)$.

Game 4: This game changes Game 3 as follows. It generates a simulated proof $\Pi^*_{\mathsf{gs}}$ in the challenge phase even though the challenger has the correct witness to generate a real proof. Due to the statistical zero-knowledge property of our argument system, this change is negligible to $\mathcal{A}$. Therefore $\Pr[W_4] \approx_s \Pr[W_3]$.

Game 5: In this game, we modify Game 4 by changing the distribution of the challenge signature $\Sigma^* = (\Pi^*_{\mathsf{gs}}, \mathbf{c}^*_1, \mathbf{c}^*_2)$ as follows. For $i \in \{0,1\}$, parse $\mathsf{cert}_i = (p_i, \mathbf{a}'_{1,i}, \mathbf{b}'_{1,i}, \mathbf{a}'_{2,i}, \mathbf{b}'_{2,i}, t_i, \mathbf{r}_i, \mathbf{v}_i)$. Recall that in Game 4, both $\mathbf{c}^*_1$ and $\mathbf{c}^*_2$ encrypt the same message $\mathsf{rdec}(p_0)$, under the randomized keys $(\mathbf{a}'_{1,0}, \mathbf{b}'_{1,0})$ and $(\mathbf{a}'_{2,0}, \mathbf{b}'_{2,0})$, respectively. Here we change $\mathbf{c}^*_1$ to be an encryption of $\mathsf{rdec}(p_1)$ and keep $\mathbf{c}^*_2$ unchanged. By the semantic security under key randomization of our key-oblivious encryption scheme for the public key $(\mathbf{a}^{(1)}_1, \mathbf{b}^{(1)}_1)$ (which is implied by the RLWE assumption, since we no longer use $s_1$ to open signatures), the change made in this game is negligible to the adversary. Therefore we have $|\Pr[W_5] - \Pr[W_4]| = \mathsf{negl}(\lambda)$.

Game 6: In this game, we further modify the distribution of the challenge signature $\Sigma^*$. We change $\mathbf{c}^*_1$ to be an encryption of $\mathsf{rdec}(p_1)$ under a fresh and then randomized key. By the key privacy under key randomization of our key-oblivious encryption scheme, the change made in this game is negligible to the adversary. Therefore we have $|\Pr[W_6] - \Pr[W_5]| = \mathsf{negl}(\lambda)$.

Game 7: In this game, we again modify the distribution of the challenge signature $\Sigma^*$. We change $\mathbf{c}^*_1$ to be an encryption of $\mathsf{rdec}(p_1)$ under the randomized key $(\mathbf{a}'_{1,1}, \mathbf{b}'_{1,1})$. By the same indistinguishability argument as between Game 5 and Game 6, we have $|\Pr[W_7] - \Pr[W_6]| = \mathsf{negl}(\lambda)$.

Game 8: This game is the same as Game 7 with one modification: it switches back to $s_1$ for the opening oracle queries and erases $(s_2, \mathbf{e}_2)$ again. This change is indistinguishable to $\mathcal{A}$ until the event $F_2$ occurs, where $\mathcal{A}$ queries the opening oracle with a valid signature $(\Pi_{\mathsf{gs}}, \mathbf{c}_1, \mathbf{c}_2)$ in which $\mathbf{c}_1, \mathbf{c}_2$ encrypt different messages. Since the event $F_2$ violates the simulation soundness of our argument system, we have $|\Pr[W_8] - \Pr[W_7]| \le \mathbf{Adv}^{\mathrm{ss}}_{\Pi_{\mathsf{gs}}}(\lambda) = \mathsf{negl}(\lambda)$.

Game 9: In this game, we modify Game 8 by changing the distribution of the challenge signature $\Sigma^* = (\Pi^*_{\mathsf{gs}}, \mathbf{c}^*_1, \mathbf{c}^*_2)$ again. It changes $\mathbf{c}^*_2$ to be an encryption of $\mathsf{rdec}(p_1)$ under the randomized key $(\mathbf{a}'_{2,1}, \mathbf{b}'_{2,1})$ in the challenge phase. By the same indistinguishability argument as from Game 4 to Game 7, we have $|\Pr[W_9] - \Pr[W_8]| = \mathsf{negl}(\lambda)$.

Game 10: Note that in Game 9, both $\mathbf{c}^*_1$ and $\mathbf{c}^*_2$ encrypt the same message $\mathsf{rdec}(p_1)$, under the randomized keys $(\mathbf{a}'_{1,1}, \mathbf{b}'_{1,1})$ and $(\mathbf{a}'_{2,1}, \mathbf{b}'_{2,1})$, respectively. Therefore, the challenger has a correct witness to generate $\Pi^*_{\mathsf{gs}}$. In this game, we modify Game 9 by switching back to a real proof $\Pi^*_{\mathsf{gs}}$ in the challenge phase. Then the views of $\mathcal{A}$ in Game 9 and Game 10 are statistically indistinguishable by the statistical zero-knowledge property of our argument system. Hence $\Pr[W_{10}] \approx_s \Pr[W_9]$.

Game 11: This game changes Game 10 in one aspect: it now generates real proofs for the opening oracle queries. Due to the statistical zero-knowledge property of our argument system, Game 10 and Game 11 are statistically indistinguishable to $\mathcal{A}$. In other words, we have $\Pr[W_{11}] \approx_s \Pr[W_{10}]$. This is indeed the experiment $\mathsf{Exp}^{\mathrm{AuT}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda)$. Hence, we have $\Pr[W_{11}] = \Pr[\mathsf{Exp}^{\mathrm{AuT}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]$.

As a result, we obtain
$$\big|\Pr[\mathsf{Exp}^{\mathrm{AuT}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1] - \Pr[\mathsf{Exp}^{\mathrm{AuT}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]\big| = \mathsf{negl}(\lambda),$$
and hence our scheme is anonymous under tracing.

Lemma 7.
Assuming the hardness of the
RSIS problem, in the random oraclemodel, the given accountable tracing signature scheme is traceable .Proof.
We show that the success probability $\epsilon$ of $\mathcal{A}$ against traceability is negligible, either by the unforgeability of the Ducas-Micciancio signature recalled in Section 2.3, which in turn relies on the hardness of the $\mathsf{RSIS}$ problem, or by the hardness of solving an $\mathsf{RSIS}$ instance directly.

Let $\mathcal{C}$ be the challenger and honestly run the experiment $\mathsf{Exp}^{\mathrm{Trace}}_{\mathsf{ATS},\mathcal{A}}(\lambda)$. When $\mathcal{A}$ halts, it outputs $(M^*, \Pi^*_{\mathrm{gs}}, \mathbf{c}_1^*, \mathbf{c}_2^*)$. Let us consider the case that $\mathcal{A}$ wins. Parse $\Pi^*_{\mathrm{gs}} = (\{\mathrm{CMT}^*_i\}_{i=1}^{\kappa}, \mathrm{CH}^*, \{\mathrm{RSP}^*_i\}_{i=1}^{\kappa})$. Let
$$\xi^* = (\mathbf{A}, \mathbf{A}_{[0]}, \ldots, \mathbf{A}_{[d]}, \mathbf{F}, \mathbf{F}_0, \mathbf{F}_1, \mathbf{u}, \mathbf{B}, \mathbf{c}_1^*, \mathbf{c}_2^*).$$
Then $\mathrm{CH}^* = H_{\mathrm{FS}}\big(M^*, \{\mathrm{CMT}^*_i\}_{i=1}^{\kappa}, \xi^*\big)$ and, for each $i \in [\kappa]$, $\mathrm{RSP}^*_i$ is a valid response corresponding to $\mathrm{CMT}^*_i$ and $\mathrm{CH}^*_i$. This is due to the fact that $\mathcal{A}$ wins and hence $\Pi^*_{\mathrm{gs}}$ passes the verification process.

We remark that $\mathcal{A}$ had queried the tuple $\big(M^*, \{\mathrm{CMT}^*_i\}_{i=1}^{\kappa}, \xi^*\big)$ to the hash oracle $H_{\mathrm{FS}}$ with all but negligible probability: without such a query, the value $H_{\mathrm{FS}}\big(M^*, \{\mathrm{CMT}^*_i\}_{i=1}^{\kappa}, \xi^*\big)$ can only be guessed correctly with probability $3^{-\kappa}$, which is negligible. Therefore, $\mathcal{A}$ had queried this tuple to $H_{\mathrm{FS}}$ with probability $\epsilon' = \epsilon - 3^{-\kappa}$. Let this tuple be the $\theta^*$-th oracle query made by $\mathcal{A}$ and assume $\mathcal{A}$ had made $Q_H$ queries in total.

Up to this point, the challenger $\mathcal{C}$ then replays the behaviour of $\mathcal{A}$ at most $32 \cdot Q_H/\epsilon'$ times. In each new replay, $\mathcal{A}$ is given the same hash answers $r_1, \ldots, r_{\theta^*-1}$ as in the original run for the first $\theta^*-1$ queries, and fresh answers $r'_{\theta^*}, \ldots, r'_{Q_H}$ for the remaining hash queries. According to the forking lemma of Brickell et al. [11], with probability $\geq 1/2$, $\mathcal{B}$ obtains a 3-fork involving the same tuple $\big(M^*, \{\mathrm{CMT}^*_i\}_{i=1}^{\kappa}, \xi^*\big)$ with pairwise distinct hash values $\mathrm{CH}^{(1)}_{\theta^*}, \mathrm{CH}^{(2)}_{\theta^*}, \mathrm{CH}^{(3)}_{\theta^*} \in \{1,2,3\}^{\kappa}$ and corresponding valid responses $\mathrm{RSP}^{(1)}_{\theta^*}, \mathrm{RSP}^{(2)}_{\theta^*}, \mathrm{RSP}^{(3)}_{\theta^*}$. We observe that with probability $1 - (\;\;)^{\kappa}$, there exists some $j \in \{1, 2, \ldots, \kappa\}$ such that $\{\mathrm{CH}^{(1)}_{\theta^*,j}, \mathrm{CH}^{(2)}_{\theta^*,j}, \mathrm{CH}^{(3)}_{\theta^*,j}\} = \{1,2,3\}$. In other words, we obtain three valid responses $\mathrm{RSP}^{(1)}_{\theta^*,j}, \mathrm{RSP}^{(2)}_{\theta^*,j}, \mathrm{RSP}^{(3)}_{\theta^*,j}$ for all three challenges $1, 2, 3$ at position $j$.

Due to the computational binding property of the $\mathsf{COM}$ scheme, $\mathcal{C}$ is able to extract $\zeta^*$ of the form
$$\zeta^* = (p^*, a_1^*, b_1^*, a_2^*, b_2^*, \mathbf{t}^*, \mathbf{r}^*, \mathbf{v}^*, \mathbf{x}^*, g_1^*, e_{1,1}^*, e_{1,2}^*, g_2^*, e_{2,1}^*, e_{2,2}^*)$$
such that $\mathbf{t}^* \in \mathcal{T}_d$; $\mathbf{r}^*, \mathbf{v}^*$ have infinity bound $\beta$; $g_1^*, e_{1,1}^*, e_{1,2}^*, g_2^*, e_{2,1}^*, e_{2,2}^*$ have infinity bound $B$; $\mathbf{x}^*$ has infinity bound $1$; the equations
$$\mathbf{B}\cdot\mathbf{x}^* = p^* \quad\text{and}\quad \mathbf{A}_{\mathbf{t}^*}\cdot\mathbf{v}^* = \mathbf{u} + \mathbf{F}\cdot\mathrm{rdec}\big(\mathbf{F}_0\cdot\mathbf{r}^* + \mathbf{F}_1\cdot\mathrm{rdec}(p^* \,\|\, a_1^* \,\|\, b_1^* \,\|\, a_2^* \,\|\, b_2^*)\big)$$
hold; and $\mathbf{c}_1^*, \mathbf{c}_2^*$ are ciphertexts of $\mathrm{rdec}(p^*)$ under the keys $(a_1^*, b_1^*)$ and $(a_2^*, b_2^*)$ with randomness $(g_1^*, e_{1,1}^*, e_{1,2}^*)$ and $(g_2^*, e_{2,1}^*, e_{2,2}^*)$, respectively.

Since $\mathcal{A}$ wins the game, either (i) the Open algorithm outputs $\bot$, or (ii) the Open algorithm outputs $(p', \Pi^*_{\mathrm{open}})$ with $p' \neq \bot$ but the proof $\Pi^*_{\mathrm{open}}$ is not accepted by the Judge algorithm.

By the unforgeability of the underlying signature scheme, with overwhelming probability $(p^*, a_1^*, b_1^*, a_2^*, b_2^*, \mathbf{t}^*, \mathbf{r}^*, \mathbf{v}^*)$ is a certificate returned by the Enroll oracle. In other words, $p^*$ is a registered user. If $p^*$ is a non-traceable user, then $\mathcal{A}$ does not hold the user secret key of $p^*$, denoted as $\mathbf{x}'$; this is ensured by the definition of traceability described in Section 2.8. With probability $\geq 1/2$, $\mathbf{x}^* \neq \mathbf{x}'$ by Lemma 5, in which case we obtain a vector $\mathbf{y} = \mathbf{x}^* - \mathbf{x}' \neq \mathbf{0}$ such that $\mathbf{B}\cdot\mathbf{y} = \mathbf{0}$ and $\|\mathbf{y}\|_\infty \leq \|\mathbf{x}^*\|_\infty + \|\mathbf{x}'\|_\infty \leq 2$. This solves an $\mathsf{RSIS}$ instance. Therefore, the Open algorithm outputs $\bot$ with negligible probability; in other words, case (i) happens with negligible probability. On the other hand, if $p^*$ is a traceable user, then by the correctness of the underlying encryption scheme the Open algorithm will output $p^*$. Furthermore, by the honest behaviour of decryption (performed by the honest challenger), the Judge algorithm always outputs $1$. This implies that case (ii) occurs with negligible probability. This concludes the proof.
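The rewinding argument above, and the identical extraction step reused in the proof of Lemma 8, ends with three accepting responses for the challenges $1, 2, 3$ on the same commitments, from which the challenger recovers a witness by the binding of $\mathsf{COM}$. The following added example is not code from the paper: it shows that extraction step on a toy Stern-type protocol for binary syndrome decoding ($\mathbf{H}\mathbf{x} = \mathbf{y} \bmod 2$, $\mathrm{wt}(\mathbf{x}) = W$) with a SHA-256 commitment, standing in for the paper's lattice relation and its $\mathsf{COM}$ scheme; the parameters `N, K, W`, the hash-based commitment, the function names and the seeds are all constructed here. The fork is simulated directly by fixing the prover's random tape and varying only the challenge, which is what the forking-lemma replay with a shared hash prefix achieves.

```python
"""Knowledge extraction from a 3-fork of a Stern-type protocol (toy instance).
Constructed illustration of the extraction step in the proof: once rewinding
yields accepting responses to all three challenges 1, 2, 3 on the same
commitments, COM's binding lets the extractor recover the witness.  Relation:
binary syndrome decoding (H*x = y mod 2, wt(x) = W), not the paper's lattice one.
"""
import hashlib
import random

N, K, W = 12, 6, 3  # toy parameters: code length, syndrome length, weight

def com(nonce, *parts):
    """Hash-based COM: binding rests on SHA-256 collision resistance; the
    nonce provides hiding.  Parts are lists of small ints."""
    h = hashlib.sha256(nonce)
    for p in parts:
        b = bytes(p)
        h.update(len(b).to_bytes(4, "big") + b)
    return h.hexdigest()

def mat_vec(H, v):
    return [sum(a * b for a, b in zip(row, v)) % 2 for row in H]

def xor(a, b):
    return [u ^ v for u, v in zip(a, b)]

def perm(pi, v):
    """Apply the permutation pi: output[i] = v[pi[i]]."""
    return [v[pi[i]] for i in range(len(v))]

def commit(H, x, tape):
    """Stern commitment phase from a fixed random tape (pi, r, nonces)."""
    pi, r, n1, n2, n3 = tape
    return (com(n1, pi, mat_vec(H, r)),    # c1 binds pi and H*r
            com(n2, perm(pi, r)),          # c2 binds pi(r)
            com(n3, perm(pi, xor(x, r))))  # c3 binds pi(x + r)

def respond(x, tape, ch):
    pi, r, n1, n2, n3 = tape
    if ch == 1:
        return (perm(pi, x), perm(pi, r), n2, n3)
    if ch == 2:
        return (pi, xor(x, r), n1, n3)
    if ch == 3:
        return (pi, r, n1, n2)
    raise ValueError("challenge must be 1, 2 or 3")

def verify(H, y, cmt, ch, rsp):
    c1, c2, c3 = cmt
    if ch == 1:  # reveals pi(x), pi(r): check the weight and c2, c3
        tx, tr, n2, n3 = rsp
        return sum(tx) == W and c2 == com(n2, tr) and c3 == com(n3, xor(tx, tr))
    if ch == 2:  # reveals pi, z = x + r: H*z + y must equal H*r
        pi, z, n1, n3 = rsp
        return c1 == com(n1, pi, xor(mat_vec(H, z), y)) and c3 == com(n3, perm(pi, z))
    if ch == 3:  # reveals pi, r: check c1, c2
        pi, r, n1, n2 = rsp
        return c1 == com(n1, pi, mat_vec(H, r)) and c2 == com(n2, perm(pi, r))
    return False

def extract(H, y, cmt, rsp1, rsp2, rsp3):
    """Extractor: recover x = z + r from accepting responses to all three
    challenges.  Binding of c1 forces the two revealed permutations to agree
    and H*r = H*z + y, so H*x = y; binding of c2, c3 forces pi(x) to be the
    weight-W vector opened under challenge 1."""
    for ch, rsp in ((1, rsp1), (2, rsp2), (3, rsp3)):
        if not verify(H, y, cmt, ch, rsp):
            raise ValueError("response to challenge %d is not accepting" % ch)
    pi2, z, _, _ = rsp2
    pi3, r, _, _ = rsp3
    if pi2 != pi3:
        raise RuntimeError("two distinct openings of c1: COM binding broken")
    x = xor(z, r)
    if mat_vec(H, x) != y or sum(x) != W:
        raise RuntimeError("inconsistent openings: COM binding broken")
    return x

def make_instance(seed):
    """Constructed instance with a planted weight-W witness."""
    rng = random.Random(seed)
    H = [[rng.randrange(2) for _ in range(N)] for _ in range(K)]
    x = [1] * W + [0] * (N - W)
    rng.shuffle(x)
    return H, x, mat_vec(H, x)

def three_fork(H, x, seed):
    """Simulate the rewinds: the prover's random tape (hence the commitments)
    is fixed, only the challenge differs across the three runs."""
    rng = random.Random(seed)
    pi = list(range(N))
    rng.shuffle(pi)
    r = [rng.randrange(2) for _ in range(N)]
    nonce = lambda: rng.getrandbits(128).to_bytes(16, "big")
    tape = (pi, r, nonce(), nonce(), nonce())
    cmt = commit(H, x, tape)
    return cmt, [respond(x, tape, ch) for ch in (1, 2, 3)]

def demo(instance_seed=1, tape_seed=7):
    """True when the extractor recovers the planted witness."""
    H, x, y = make_instance(instance_seed)
    cmt, (r1, r2, r3) = three_fork(H, x, tape_seed)
    return extract(H, y, cmt, r1, r2, r3) == x
```

`demo()` returns `True` for any seeds: the three responses open the same commitments, so `extract` recovers exactly the planted witness. The two `RuntimeError` branches are the events the proof rules out by computational binding; with a collision-resistant hash they are never reached, and the three accepting transcripts alone pin down a vector satisfying the relation.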
Lemma 8. Assuming the hardness of the $\mathsf{RSIS}$ problem, in the random oracle model, the given accountable tracing signature scheme is non-frameable.

Proof. We show that the success probability $\epsilon$ of $\mathcal{A}$ against non-frameability is negligible assuming the hardness of solving an $\mathsf{RSIS}$ instance.

Let $\mathcal{C}$ be the challenger and faithfully run the experiment $\mathsf{Exp}^{\mathrm{NF}}_{\mathsf{ATS},\mathcal{A}}(\lambda)$. When $\mathcal{A}$ halts, it outputs the tuple $(M^*, \Pi^*_{\mathrm{gs}}, \mathbf{c}_1^*, \mathbf{c}_2^*, p^*, \Pi^*_{\mathrm{open}})$. Let us consider the case that $\mathcal{A}$ wins.

The fact that $\mathcal{A}$ wins the game implies that $(\Pi^*_{\mathrm{gs}}, \mathbf{c}_1^*, \mathbf{c}_2^*)$ is a valid signature of the message $M^*$ that was not obtained from queries. By the same extraction technique as in Lemma 7, we can extract a witness $\mathbf{x}' \in R_q^m$ and $p' \in R_q$ such that $\|\mathbf{x}'\|_\infty \leq 1$, $\mathbf{B}\cdot\mathbf{x}' = p'$, and $\mathbf{c}_1^*, \mathbf{c}_2^*$ are correct encryptions of $\mathrm{rdec}(p')$. By the correctness of the underlying encryption scheme, $\mathbf{c}^*$ will be decrypted to $p'$.

The fact that $\mathcal{A}$ wins the game also implies that $\Pi^*_{\mathrm{open}}$ passes the verification process of the Judge algorithm. Due to the soundness of the argument system that is used to generate $\Pi^*_{\mathrm{open}}$, $\mathbf{c}^*$ will be decrypted to $p^*$. Hence we have $p' = p^*$.

We observe that $\mathcal{A}$ winning the game also implies that $\mathcal{A}$ does not know the user secret key $\mathbf{x}^*$ that corresponds to $p^*$. Thus we obtain
$$\mathbf{B}\cdot\mathbf{x}' = p' = p^* = \mathbf{B}\cdot\mathbf{x}^*, \qquad \text{where } \|\mathbf{x}^*\|_\infty \leq 1.$$
Lemma 5 implies that $\mathbf{x}' \neq \mathbf{x}^*$ with probability at least $1/2$, yielding $\mathbf{y} = \mathbf{x}' - \mathbf{x}^* \neq \mathbf{0}$ such that $\mathbf{B}\cdot\mathbf{y} = \mathbf{0}$ and $\|\mathbf{y}\|_\infty \leq \|\mathbf{x}^*\|_\infty + \|\mathbf{x}'\|_\infty \leq 2$. However, under the hardness of the $\mathsf{RSIS}$ problem, the success probability of $\mathcal{A}$ is negligible. This concludes the proof.

Lemma 9. Assuming the hardness of the $\mathsf{RLWE}$ problem, in the random oracle model, the given accountable tracing signature scheme is anonymous with accountability.

Proof. The proof of this lemma is similar to that of Lemma 6, except that we do not need to switch between two decryption keys. This is because the randomized keys in the certificate of the challenged users are obtained from the pairs $(a_1^{(0)}, b_1^{(0)})$ and $(a_2^{(0)}, b_2^{(0)})$, which are not related to the opening key. The details are omitted here.

Lemma 10. Assuming the hardness of the $\mathsf{RLWE}$ problem, in the random oracle model, the given accountable tracing signature scheme is trace-oblivious.

Proof. We proceed through a sequence of hybrids. Let $W_i$ be the event that the adversary outputs $1$ in Game $i$.

Game 0: Let this game be the experiment $\mathsf{Exp}^{\mathrm{TO}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda)$, where the adversary receives $\mathsf{cert}$ for a user $p$ of his choice. Parse $\mathsf{cert}$ as $(p, a_1', b_1', a_2', b_2', \mathbf{t}, \mathbf{r}, \mathbf{v})$. Note that $(a_1', b_1')$ and $(a_2', b_2')$ are randomized keys from $(a_1^{(0)}, b_1^{(0)})$ and $(a_2^{(0)}, b_2^{(0)})$, respectively. We then have $\Pr[W_0] = \Pr[\mathsf{Exp}^{\mathrm{TO}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]$.

Game 1: We modify Game 0 by replacing $(a_1', b_1')$ with a fresh key $(\tilde{a}_1, \tilde{b}_1)$ generated by the KeyGen algorithm of our $\mathsf{KOE}$ scheme. It then follows from the key randomizability of our encryption scheme that this modification is negligible to the adversary. Therefore, we have $|\Pr[W_0] - \Pr[W_1]| = \mathsf{negl}(\lambda)$.

Game 2: We modify Game 1 by replacing $(a_2', b_2')$ with a fresh key $(\tilde{a}_2, \tilde{b}_2)$ as in Game 1. By the same argument, we have $|\Pr[W_1] - \Pr[W_2]| = \mathsf{negl}(\lambda)$.

Game 3: We change Game 2 by replacing $(\tilde{a}_2, \tilde{b}_2)$ with $(a_2', b_2')$, a randomized key from $(a_2^{(1)}, b_2^{(1)})$. By the key randomizability of our encryption scheme, we have $|\Pr[W_2] - \Pr[W_3]| = \mathsf{negl}(\lambda)$.

Game 4: We change Game 3 by replacing $(\tilde{a}_1, \tilde{b}_1)$ with $(a_1', b_1')$, a randomized key from $(a_1^{(1)}, b_1^{(1)})$. We then have $|\Pr[W_3] - \Pr[W_4]| = \mathsf{negl}(\lambda)$. This is exactly the experiment $\mathsf{Exp}^{\mathrm{TO}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda)$. Therefore, we obtain $\Pr[W_4] = \Pr[\mathsf{Exp}^{\mathrm{TO}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]$.

Therefore, we obtain
$$\big|\Pr[\mathsf{Exp}^{\mathrm{TO}\text{-}0}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1] - \Pr[\mathsf{Exp}^{\mathrm{TO}\text{-}1}_{\mathsf{ATS},\mathcal{A}}(\lambda) = 1]\big| = \mathsf{negl}(\lambda).$$
This implies that our scheme is trace-oblivious.

Acknowledgements
The research is supported by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S). Khoa Nguyen is also supported by the Gopalakrishnan – NTU Presidential Postdoctoral Fellowship 2018.

References
1. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure coalition-resistant group signature scheme. In CRYPTO 2000, volume 1880 of LNCS, pages 255–270. Springer, 2000.
2. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT 2003, volume 2656 of LNCS, pages 614–629. Springer, 2003.
3. M. Bellare, H. Shi, and C. Zhang. Foundations of group signatures: The case of dynamic groups. In CT-RSA 2005, volume 3376 of LNCS, pages 136–153. Springer, 2005.
4. F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, and G. Neven. Better zero-knowledge proofs for lattice encryption and their application to group signatures. In ASIACRYPT 2014, volume 8873 of LNCS, pages 551–572. Springer, 2014.
5. F. Benhamouda, S. Krenn, V. Lyubashevsky, and K. Pietrzak. Efficient zero-knowledge proofs for commitments from learning with errors over rings. In ESORICS 2015, volume 9326 of LNCS, pages 305–325. Springer, 2015.
6. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer, 2004.
7. D. Boneh and H. Shacham. Group signatures with verifier-local revocation. In CCS 2004, pages 168–177. ACM, 2004.
8. J. Bootle, A. Cerulli, P. Chaidos, E. Ghadafi, and J. Groth. Foundations of fully dynamic group signatures. In ACNS 2016, volume 9696 of LNCS, pages 117–136, 2016.
9. C. Boschini, J. Camenisch, and G. Neven. Floppy-sized group signatures from lattices. In ACNS 2018, volume 10892 of LNCS, pages 163–182. Springer, 2018.
10. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In ITCS 2012, pages 309–325. ACM, 2012.
11. E. F. Brickell, D. Pointcheval, S. Vaudenay, and M. Yung. Design validations for discrete logarithm based signature schemes. In PKC 2000, volume 1751 of LNCS, pages 276–292. Springer, 2000.
12. J. Camenisch, G. Neven, and M. Rückert. Fully anonymous attribute tokens from lattices. In SCN 2012, volume 7485 of LNCS, pages 57–75. Springer, 2012.
13. D. Chaum and E. van Heyst. Group signatures. In EUROCRYPT 1991, volume 547 of LNCS, pages 257–265. Springer, 1991.
14. S. Cheng, K. Nguyen, and H. Wang. Policy-based signature scheme from lattices. Des. Codes Cryptography, 81(1):43–74, 2016.
15. L. Ducas and D. Micciancio. Improved short lattice signatures in the standard model. In CRYPTO 2014, volume 8616 of LNCS, pages 335–352. Springer, 2014.
16. L. Ducas and D. Micciancio. Improved short lattice signatures in the standard model. IACR Cryptology ePrint Archive, 2014:495, 2014.
17. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO 1986, volume 263 of LNCS, pages 186–194. Springer, 1986.
18. T. E. Gamal. A public key cryptosystem and a signature scheme based on discrete logarithms. In CRYPTO 1984, volume 196 of LNCS, pages 10–18, 1984.
19. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC 2008, pages 197–206. ACM, 2008.
20. S. D. Gordon, J. Katz, and V. Vaikuntanathan. A group signature scheme from lattice assumptions. In ASIACRYPT 2010, volume 6477 of LNCS, pages 395–412. Springer, 2010.
21. A. Jain, S. Krenn, K. Pietrzak, and A. Tentes. Commitments and efficient zero-knowledge proofs from learning parity with noise. In ASIACRYPT 2012, volume 7658 of LNCS, pages 663–680. Springer, 2012.
22. A. Kawachi, K. Tanaka, and K. Xagawa. Concurrently secure identification schemes based on the worst-case hardness of lattice problems. In ASIACRYPT 2008, volume 5350 of LNCS, pages 372–389. Springer, 2008.
23. A. Kiayias, Y. Tsiounis, and M. Yung. Traceable signatures. In EUROCRYPT 2004, volume 3027 of LNCS, pages 571–589. Springer, 2004.
24. A. Kiayias and M. Yung. Secure scalable group signature with dynamic joins and separable authorities. Int. Journal of Security and Networks, 1(1):24–45, 2006.
25. M. Kohlweiss and I. Miers. Accountable metadata-hiding escrow: A group signature case study. PoPETs, 2015(2):206–221, 2015.
26. F. Laguillaumie, A. Langlois, B. Libert, and D. Stehlé. Lattice-based group signatures with logarithmic signature size. In ASIACRYPT 2013, volume 8270 of LNCS, pages 41–61. Springer, 2013.
27. A. Langlois and D. Stehlé. Worst-case to average-case reductions for module lattices. Des. Codes Cryptography, 75(3):565–599, 2015.
28. B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang. Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In ASIACRYPT 2016, volume 10032 of LNCS, pages 373–403. Springer, 2016.
29. B. Libert, S. Ling, F. Mouhartem, K. Nguyen, and H. Wang. Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. In ASIACRYPT 2016, volume 10032 of LNCS, pages 101–131. Springer, 2016.
30. B. Libert, S. Ling, K. Nguyen, and H. Wang. Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In EUROCRYPT 2016, volume 9666 of LNCS, pages 1–31. Springer, 2016.
31. B. Libert, F. Mouhartem, and K. Nguyen. A lattice-based group signature scheme with message-dependent opening. In ACNS 2016, volume 9696 of LNCS, pages 137–155. Springer, 2016.
32. S. Ling, K. Nguyen, A. Roux-Langlois, and H. Wang. A lattice-based group signature scheme with verifier-local revocation. Theor. Comput. Sci., 730:1–20, 2018.
33. S. Ling, K. Nguyen, D. Stehlé, and H. Wang. Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In PKC 2013, volume 7778 of LNCS, pages 107–124. Springer, 2013.
34. S. Ling, K. Nguyen, and H. Wang. Group signatures from lattices: Simpler, tighter, shorter, ring-based. In PKC 2015, volume 9020 of LNCS, pages 427–449. Springer, 2015.
35. S. Ling, K. Nguyen, H. Wang, and Y. Xu. Lattice-based group signatures: Achieving full dynamicity with ease. In ACNS 2017, volume 10355 of LNCS, pages 293–312. Springer, 2017.
36. S. Ling, K. Nguyen, H. Wang, and Y. Xu. Constant-size group signatures from lattices. In PKC 2018, volume 10770 of LNCS, pages 58–88. Springer, 2018.
37. V. Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In ASIACRYPT 2009, volume 5912 of LNCS, pages 598–616. Springer, 2009.
38. V. Lyubashevsky. Lattice signatures without trapdoors. In EUROCRYPT 2012, volume 7237 of LNCS, pages 738–755. Springer, 2012.
39. V. Lyubashevsky and D. Micciancio. Generalized compact knapsacks are collision resistant. In ICALP 2006, volume 4052 of LNCS, pages 144–155. Springer, 2006.
40. V. Lyubashevsky, D. Micciancio, C. Peikert, and A. Rosen. SWIFFT: A modest proposal for FFT hashing. In FSE 2008, volume 5086 of LNCS, pages 54–72. Springer, 2008.
41. V. Lyubashevsky and G. Neven. One-shot verifiable encryption from lattices. In EUROCRYPT 2017, volume 10210 of LNCS, pages 293–323. Springer, 2017.
42. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. In EUROCRYPT 2010, volume 6110 of LNCS, pages 1–23. Springer, 2010.
43. V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings. J. ACM, 60(6):43:1–43:35, 2013.
44. V. Lyubashevsky and G. Seiler. Short, invertible elements in partially splitting cyclotomic rings and applications to lattice-based zero-knowledge proofs. In EUROCRYPT 2018, volume 10820 of LNCS, pages 204–224. Springer, 2018.
45. D. Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way functions. Computational Complexity, 16(4):365–411, 2007.
46. D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In EUROCRYPT 2012, volume 7237 of LNCS, pages 700–718. Springer, 2012.
47. M. Naor and M. Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC 1990, pages 427–437. ACM, 1990.
48. P. Q. Nguyen, J. Zhang, and Z. Zhang. Simpler efficient group signatures from lattices. In PKC 2015, volume 9020 of LNCS, pages 401–426. Springer, 2015.
49. C. Peikert, O. Regev, and N. Stephens-Davidowitz. Pseudorandomness of Ring-LWE for any ring and modulus. In STOC 2017, pages 461–473. ACM, 2017.
50. C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In TCC 2006, volume 3876 of LNCS, pages 145–166. Springer, 2006.
51. R. D. Pino, V. Lyubashevsky, and G. Seiler. Lattice-based group signatures and zero-knowledge proofs of automorphism stability. IACR Cryptology ePrint Archive, 2018:779, 2018. Accepted to ACM CCS 2018.
52. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In STOC 2005, pages 84–93. ACM, 2005.
53. Y. Sakai, K. Emura, G. Hanaoka, Y. Kawai, T. Matsuda, and K. Omote. Group signatures with message-dependent opening. In Pairing 2012, volume 7708 of LNCS, pages 270–294. Springer, 2012.
54. Y. Sakai, J. C. N. Schuldt, K. Emura, G. Hanaoka, and K. Ohta. On the security of dynamic group signatures: Preventing signature hijacking. In PKC 2012, volume 7293 of LNCS, pages 715–732. Springer, 2012.
55. P. W. Shor. Algorithms for quantum computation: Discrete logarithms and factoring. In FOCS 1994, pages 124–134. IEEE Computer Society, 1994.
56. D. Stehlé, R. Steinfeld, K. Tanaka, and K. Xagawa. Efficient public key encryption based on ideal lattices. In ASIACRYPT 2009, volume 5912 of LNCS, pages 617–635. Springer, 2009.
57. J. Stern. A new paradigm for public key identification. IEEE Trans. Information Theory, 42(6):1757–1768, 1996.
58. K. Xagawa. Improved (hierarchical) inner-product encryption from lattices. IACR Cryptology ePrint Archive, 2015:249, 2015.