Book Chapter

A Provably Secure Group Signature Scheme from Code-Based Assumptions

29 Nov 2015-pp 260-285
TL;DR: The scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem.
Abstract: We solve an open question in code-based cryptography by introducing the first provably secure group signature scheme from code-based assumptions. Specifically, the scheme satisfies the CPA-anonymity and traceability requirements in the random oracle model, assuming the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. Our construction produces smaller key and signature sizes than the existing post-quantum group signature schemes from lattices, as long as the cardinality of the underlying group does not exceed the population of the Netherlands $${\approx }2^{24}$$ users. The feasibility of the scheme is supported by implementation results. Additionally, the techniques introduced in this work might be of independent interest: a new verifiable encryption protocol for the randomized McEliece encryption and a new approach to design formal security reductions from the Syndrome Decoding problem.


Citations
Proceedings Article
30 Oct 2017
TL;DR: In this article, a new class of post-quantum digital signature schemes is proposed, which derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, and have extremely small keypairs.
Abstract: We propose a new class of post-quantum digital signature schemes that: (a) derive their security entirely from the security of symmetric-key primitives, believed to be quantum-secure, (b) have extremely small keypairs, and (c) are highly parameterizable. In our signature constructions, the public key is an image y=f(x) of a one-way function f and secret key x. A signature is a non-interactive zero-knowledge proof of x that incorporates a message to be signed. For this proof, we leverage recent progress of Giacomelli et al. (USENIX'16) in constructing an efficient Σ-protocol for statements over general circuits. We improve this Σ-protocol to reduce proof sizes by a factor of two, at no additional computational cost. While this is of independent interest as it yields more compact proofs for any circuit, it also decreases our signature sizes. We consider two possibilities to make the proof non-interactive: the Fiat-Shamir transform and Unruh's transform (EUROCRYPT'12, '15, '16). The former has smaller signatures, while the latter has a security analysis in the quantum-accessible random oracle model. By customizing Unruh's transform to our application, the overhead is reduced to 1.6x when compared to the Fiat-Shamir transform, which does not have a rigorous post-quantum security analysis. We implement and benchmark both approaches and explore the possible choice of f, taking advantage of the recent trend to strive for practical symmetric ciphers with a particularly low number of multiplications, and end up using LowMC (EUROCRYPT'15).

180 citations

Book Chapter
08 May 2016
TL;DR: This paper provides an efficient method of proving statements using involved extensions of Stern's protocol to efficiently prove the membership of some element in a zero-knowledge manner, and describes new lattice-based group and ring signatures in the random oracle model.
Abstract: An accumulator is a function that hashes a set of inputs into a short, constant-size string while preserving the ability to efficiently prove the inclusion of a specific input element in the hashed set. It has proved useful in the design of numerous privacy-enhancing protocols, in order to handle revocation or simply prove set membership. In the lattice setting, currently known instantiations of the primitive are based on Merkle trees, which do not interact well with zero-knowledge proofs. In order to efficiently prove the membership of some element in a zero-knowledge manner, the prover has to demonstrate knowledge of a hash chain without revealing it, which is not known to be efficiently possible under well-studied hardness assumptions. In this paper, we provide an efficient method of proving such statements using involved extensions of Stern's protocol. Under the Small Integer Solution assumption, we provide zero-knowledge arguments showing possession of a hash chain. As an application, we describe new lattice-based group and ring signatures in the random oracle model. In particular, we obtain: (i) the first lattice-based ring signatures with logarithmic size in the cardinality of the ring; (ii) the first lattice-based group signature that does not require any GPV trapdoor and thus allows for a much more efficient choice of parameters.

166 citations

Book Chapter
04 Dec 2016
TL;DR: This work provides new tools enabling the design of anonymous authentication systems whereby new users can join the system at any time, and provides the first lattice-based group signature supporting dynamically growing populations of users.
Abstract: A recent line of works --- initiated by Gordon, Katz and Vaikuntanathan Asiacrypt 2010 --- gave lattice-based constructions allowing users to authenticate while remaining hidden in a crowd. Despite five years of efforts, known constructions are still limited to static sets of users, which cannot be dynamically updated. This work provides new tools enabling the design of anonymous authentication systems whereby new users can join the system at any time. Our first contribution is a signature scheme with efficient protocols, which allows users to obtain a signature on a committed value and subsequently prove knowledge of a signature on a committed message. This construction is well-suited to the design of anonymous credentials and group signatures. It indeed provides the first lattice-based group signature supporting dynamically growing populations of users. As a critical component of our group signature, we provide a simple joining mechanism of introducing new group members using our signature scheme. This technique is combined with zero-knowledge arguments allowing registered group members to prove knowledge of a secret short vector of which the corresponding public syndrome was certified by the group manager. These tools provide similar advantages to those of structure-preserving signatures in the realm of bilinear groups. Namely, they allow group members to generate their own public key without having to prove knowledge of the underlying secret key. This results in a two-message joining protocol supporting concurrent enrollments, which can be used in other settings such as group encryption. 
Our zero-knowledge arguments are presented in a unified framework where: (i) the involved statements reduce to arguing possession of a $$\{-1,0,1\}$$-vector $$\mathbf{x}$$ with a particular structure and satisfying $$\mathbf{P} \cdot \mathbf{x} = \mathbf{v} \bmod q$$ for some public matrix $$\mathbf{P}$$ and vector $$\mathbf{v}$$; (ii) the reduced statements can be handled using permuting techniques for Stern-like protocols. Our framework can serve as a blueprint for proving many other relations in lattice-based cryptography.

122 citations


Cites methods from "A Provably Secure Group Signature S..."

  • ...To handle the constraint w ∈ CorEnc(m), we adapt the permuting technique from [58,40,60]....

    [...]

  • ...Below we will describe the notations and techniques, adapted from recent works on Stern-like protocols [61,58,40,60], that we will employ in the next subsections to handle 3 different constraints of the witness vectors....

    [...]

Book Chapter
19 Jun 2016
TL;DR: This paper proposes the first GS-MDO candidate based on lattice assumptions, and combines the group signature of Ling, Nguyen and Wang with two layers of identity-based encryption with suitable zero-knowledge argument systems.
Abstract: Group signatures are an important anonymity primitive allowing users to sign messages while hiding in a crowd. At the same time, signers remain accountable since an authority is capable of de-anonymizing signatures via a process called opening. In many situations, this authority is granted too much power as it can identify the author of any signature. Sakai et al. proposed a flavor of the primitive, called Group Signature with Message-Dependent Opening (GS-MDO), where opening operations are only possible when a separate authority (called “admitter”) has revealed a trapdoor for the corresponding message. So far, all existing GS-MDO constructions rely on bilinear maps, partially because the message-dependent opening functionality inherently implies identity-based encryption. This paper proposes the first GS-MDO candidate based on lattice assumptions. Our construction combines the group signature of Ling, Nguyen and Wang (PKC’15) with two layers of identity-based encryption. These components are tied together using suitable zero-knowledge argument systems.

50 citations

Journal Article
TL;DR: Tillich et al. as discussed by the authors proposed the first code-based group signature scheme, which allows to add new members during the lifetime of the group (dynamic) and can be extended into a traceable signature according to the definition of Kiayias et al (KTY model).
Abstract: This work is the extended version of Alamelou et al. (in: Tillich et al. (eds.) The 9th International workshop on coding and cryptography 2015 (WCC2015), 2015) which proposed the first code-based group signature. The new group signature scheme we present here has numerous advantages over all existing post-quantum constructions and even competes (in terms of properties) with pairing based constructions: it allows to add new members during the lifetime of the group (dynamic). Plus, it appears that our scheme might be extended into a traceable signature according to the definition of Kiayias et al. (in: Cachin and Camenisch (eds.) Advances in cryptology--EUROCRYPT 2004, 2004) (KTY model) while handling membership revocation. Our security is based on a relaxation of the model of Bellare et al. (in: Topics in cryptology--CT-RSA 2005, 2005) (BSZ model) verifying the properties of anonymity, traceability and non-frameability. The main idea of our scheme consists in building an offset collision of two syndromes associated to two different matrices: a random one which enables to build a random syndrome from a chosen small weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits to find a small weight preimage of the previous random syndrome to which a fixed syndrome is added. These two small weight vectors will constitute the group member's secret signing key whose knowledge will be proved thanks to a variation of Stern's authentication protocol. For applications, we consider the case of the code-based CFS signature scheme (Nicolas in Advances in cryptology--ASIACRYPT 2001, 2001) of Courtois, Finiasz and Sendrier. If one denotes by N the number of group members, CFS leads to signatures and public keys sizes in $$N^{1/\sqrt{\log(N)}}$$. Along with this work, we also introduce a new kind of proof of knowledge, Testable weak Zero Knowledge (TwZK), implicitly covered in the short version of this paper (Alamelou et al. in: Tillich et al. (eds.) The 9th international workshop on coding and cryptography 2015 (WCC2015), 2015). TwZK proofs appear particularly well fitted in the context of group signature schemes: it allows a verifier to test whether a specific witness is used without learning anything more from the proof. Under the random oracle model (ROM), we ensure the security of our scheme by defining the One More Syndrome Decoding problem, a new code-based problem related to the syndrome decoding problem (Berlekamp et al. in IEEE Trans Inf Theory 24(3):384-386, 1978).

40 citations

References
Journal Article
TL;DR: In this paper, the authors considered factoring integers and finding discrete logarithms on a quantum computer and gave an efficient randomized algorithm for these two problems, which takes a number of steps polynomial in the input size of the integer to be factored.
Abstract: A digital computer is generally believed to be an efficient universal computing device; that is, it is believed able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems which are generally thought to be hard on a classical computer and which have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, e.g., the number of digits of the integer to be factored.

7,427 citations

Book Chapter
01 Jan 1987
TL;DR: Simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys are described.
Abstract: In this paper we describe simple identification and signature schemes which enable any user to prove his identity and the authenticity of his messages to any other user without shared or public keys. The schemes are provably secure against any known or chosen message attack if factoring is difficult, and typical implementations require only 1% to 4% of the number of modular multiplications required by the RSA scheme. Due to their simplicity, security and speed, these schemes are ideally suited for microprocessor-based devices such as smart cards, personal computers, and remote control systems.

4,193 citations


"A Provably Secure Group Signature S..." refers methods in this paper

  • ...The “Fiat-Shamir” category consists of schemes derived from Stern’s identification protocol in [20] and its variants in [21], [22], and [23] via the Fiat-Shamir transformation from [24]....

    [...]

  • ...The protocol is then transformed into a Fiat-Shamir signature [24]....

    [...]

Journal Article
TL;DR: In this paper, the authors considered factoring integers and finding discrete logarithms, two problems that are generally thought to be hard on classical computers and that have been used as the basis of several proposed cryptosystems.
Abstract: A digital computer is generally believed to be an efficient universal computing device; that is, it is believed to be able to simulate any physical computing device with an increase in computation time by at most a polynomial factor. This may not be true when quantum mechanics is taken into consideration. This paper considers factoring integers and finding discrete logarithms, two problems that are generally thought to be hard on classical computers and that have been used as the basis of several proposed cryptosystems. Efficient randomized algorithms are given for these two problems on a hypothetical quantum computer. These algorithms take a number of steps polynomial in the input size, for example, the number of digits of the integer to be factored.

2,856 citations

Book Chapter
15 Aug 2004
TL;DR: In this article, the authors proposed a group signature scheme based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption.
Abstract: We construct a short group signature scheme. Signatures in our scheme are approximately the size of a standard RSA signature with the same security. Security of our group signature is based on the Strong Diffie-Hellman assumption and a new assumption in bilinear groups called the Decision Linear assumption. We prove security of our system, in the random oracle model, using a variant of the security definition for group signatures recently given by Bellare, Micciancio, and Warinschi.

1,956 citations

Proceedings Article
08 Apr 1991
TL;DR: A new type of signature for a group of persons, called a group signature, which has the following properties: only members of the group can sign messages; and if necessary, the signature can be "opened", so that the person who signed the message is revealed.
Abstract: In this paper we present a new type of signature for a group of persons, called a group signature, which has the following properties: (i) only members of the group can sign messages; (ii) the receiver can verify that it is a valid group signature, but cannot discover which group member made it; (iii) if necessary, the signature can be "opened", so that the person who signed the message is revealed. The group signatures are a "generalization" of the credential/membership authentication schemes, in which one person proves that he belongs to a certain group. We present four schemes that satisfy the properties above. Not all these schemes are based on the same cryptographic assumption. In some of the schemes a trusted centre is only needed during the setup; and in other schemes, each person can create the group he belongs to.

1,853 citations


"A Provably Secure Group Signature S..." refers background in this paper

  • ...Group signature [1] is a fundamental cryptographic primitive with two intriguing features....

    [...]