an:07222949
Zbl 1444.94124
Zhang, Yanhua; Liu, Ximeng; Hu, Yupu; Zhang, Qikun; Jia, Huiwen
Lattice-based group signatures with verifier-local revocation: achieving shorter key-sizes and explicit traceability with ease
EN
Mu, Yi (ed.) et al., Cryptology and network security. 18th international conference, CANS 2019, Fuzhou, China, October 25--27, 2019. Proceedings. Cham: Springer. Lect. Notes Comput. Sci. 11829, 120-140 (2019).
2019
a
94A62
lattice-based group signatures; verifier-local revocation; Stern-type zero-knowledge proofs; identity-encoding technique; explicit traceability
Summary: For lattice-based group signatures (GS) with verifier-local revocation (VLR), it only requires the verifiers to possess up-to-date group information (i.e., a revocation list, RL, consisting of a series of revocation tokens for revoked members), but not the signers. The first such scheme was introduced by \textit{A. Langlois} et al. in 2014 [PKC 2014, Lect. Notes Comput. Sci. 8383, 345--361 (2014; Zbl 1335.94063)], and subsequently, a full and corrected version (to fix a flaw in the original revocation mechanism) was proposed by \textit{S. Ling} et al. in 2018 [Theor. Comput. Sci. 730, 1--20 (2018; Zbl 1401.94163)]. However, both constructions are within the structure of a Bonsai Tree, and thus feature bit-sizes of the group public-key and the member secret-key proportional to \(\log N\), where \(N\) is the maximum number of group members. On the other hand, the tracing algorithm for both schemes runs in a linear time in \(N\) (i.e., one by one, until the real signer is traced). Therefore for a large group, the tracing algorithm of conventional GS-VLR is not convenient and both lattice-based constructions are not that efficient.
In this work, we propose a much more efficient lattice-based GS-VLR, which is efficient by saving the \(\mathcal{O}(\log N)\) factor for both bit-sizes of the group public-key and the member secret-key. Moreover, we achieve this result in a relatively simple manner. Starting with \textit{K. Nguyen} et al.'s efficient and compact identity-encoding technique in 2015 [PKC 2015, Lect. Notes Comput. Sci. 9020, 427--449 (2015; Zbl 1345.94075)] -- which only needs a constant number of matrices to encode the member's identity, we develop an improved identity-encoding function, and introduce an efficient Stern-type statistical zero-knowledge argument of knowledge (ZKAoK) protocol corresponding to our improved identity-encoding function, which may be of independent cryptographic interest.
Furthermore, we demonstrate how to equip the obtained lattice-based GS-VLR with explicit traceability (ET) in some simple way. This attractive functionality, only satisfied in the non-VLR constructions, can enable the tracing authority in lattice-based GS-VLR to determine the signer's real identity in a constant time, independent of \(N\). In the whole process, we show that the proposed scheme is proven secure in the random oracle model (ROM) based on the hardness of the Short Integer Solution (SIS) problem, and the Learning With Errors (LWE) problem.
For the entire collection see [Zbl 1428.68039].
Zbl 1335.94063; Zbl 1401.94163; Zbl 1345.94075