Constant-size group signatures from lattices.

*(English)*Zbl 1406.94072
Abdalla, Michel (ed.) et al., Public-key cryptography – PKC 2018. 21st IACR international conference on practice and theory of public-key cryptography, Rio de Janeiro, Brazil, March 25–29, 2018. Proceedings. Part II. Cham: Springer (ISBN 978-3-319-76580-8/pbk; 978-3-319-76581-5/ebook). Lecture Notes in Computer Science 10770, 58-88 (2018).

Summary: Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan [S. D. Gordon et al., Asiacrypt 2010, Lect. Notes Comput. Sci. 6477, 395–412 (2010; Zbl 1253.94071)], ten other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, in all known constructions, one has to fix the number \(N\) of group users in the setup stage, and as a consequence, the signature sizes are dependent on \(N\).

In this work, we introduce the first constant-size group signature from lattices, which means that the size of signatures produced by the scheme is independent of \(N\) and only depends on the security parameter \(\lambda\). More precisely, in our scheme, the sizes of signatures, public key and users’ secret keys are all of order \(\widetilde{\mathcal{O}}(\lambda)\). The scheme supports dynamic enrollment of users and is proven secure in the random oracle model under the Ring Short Integer Solution (RSIS) and Ring Learning With Errors (RLWE) assumptions. At the heart of our design is a zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature scheme [L. Ducas and D. Micciancio, Crypto 2014, Lect. Notes Comput. Sci. 8616, 335–352 (2014; Zbl 1345.94058)], that may be of independent interest.

For the entire collection see [Zbl 1384.94003].

In this work, we introduce the first constant-size group signature from lattices, which means that the size of signatures produced by the scheme is independent of \(N\) and only depends on the security parameter \(\lambda\). More precisely, in our scheme, the sizes of signatures, public key and users’ secret keys are all of order \(\widetilde{\mathcal{O}}(\lambda)\). The scheme supports dynamic enrollment of users and is proven secure in the random oracle model under the Ring Short Integer Solution (RSIS) and Ring Learning With Errors (RLWE) assumptions. At the heart of our design is a zero-knowledge argument of knowledge of a valid message-signature pair for the Ducas-Micciancio signature scheme [L. Ducas and D. Micciancio, Crypto 2014, Lect. Notes Comput. Sci. 8616, 335–352 (2014; Zbl 1345.94058)], that may be of independent interest.

For the entire collection see [Zbl 1384.94003].

##### MSC:

94A60 | Cryptography |