A Lattice-Based Group Signature Scheme with Message-Dependent Opening

Libert, Benôıt; Mouhartem, Fabrice; Nguyen, Khoa

doi:10.1007/978-3-319-39555-5_8

Cited by 43 publications

(18 citation statements)

References 45 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This protocol was originally proposed in the context of code-based cryptography, and was later adapted into the lattice setting by Kawachi et al [24]. Subsequently, it was empowered by Ling et al [35] to handle the matrix-vector relations associated with the SIS and LWE problems, and further developed to design several lattice-based schemes: group signatures [27,36,30,31,28], policybased signatures [16] and group encryption [29].…”

Section: Stern-like Protocols For Lattice-based Relationsmentioning

confidence: 99%

See 1 more Smart Citation

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling

Nguyen

Wang

et al. 2019

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), eight other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, most of the existing constructions work only in the static setting where the group population is fixed at the setup phase. The only two exceptions are the schemes by Langlois et al. (PKC 2014) that handles user revocations (but new users cannot join), and by Libert et al. (Asiacrypt 2016) which addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked).In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.'s fully static construction (Eurocrypt 2016) -which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. The scheme satisfies the strong security requirements of Bootle et al.'s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.

show abstract

Section: Stern-like Protocols For Lattice-based Relationsmentioning

confidence: 99%

“…Libert et al [30] obtained substantial efficiency improvements via a construction based on Merkle trees which eliminates the need for GPV trapdoors [19]. More recently, a scheme supporting message-dependent opening (MDO) feature [46] was proposed in [31]. All the schemes mentioned above are designed for static groups.…”

Section: Introductionmentioning

confidence: 99%

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling

Nguyen

Wang

et al. 2019

Theoretical Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Constructing an unbounded GS-MDO scheme secure in the standard model with constant-size signatures is an interesting open problem. Libert, Mouhartem, and Nguyen [47] proposed a lattice-based (unbounded) GS-MDO scheme in the random oracle model. Their scheme was proved secure from the short integer solution (SIS) assumption and the learning with errors (LWE) assumption.…”

Section: Security and Communication Networkmentioning

confidence: 99%

Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

Emura

Hanaoka

Kawai

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

This paper introduces a new capability for group signatures called message-dependent opening. It is intended to weaken the high trust placed on the opener; i.e., no anonymity against the opener is provided by an ordinary group signature scheme. In a group signature scheme with message-dependent opening (GS-MDO), in addition to the opener, we set up an admitter that is not able to extract any user’s identity but admits the opener to open signatures by specifying messages where signatures on the specified messages will be opened by the opener. The opener cannot extract the signer’s identity from any signature whose corresponding message is not specified by the admitter. This paper presents formal definitions of GS-MDO and proposes a generic construction of it from identity-based encryption and adaptive non-interactive zero-knowledge proofs. Moreover, we propose two specific constructions, one in the standard model and one in the random oracle model. Our scheme in the standard model is an instantiation of our generic construction but the message-dependent opening property is bounded. In contrast, our scheme in the random oracle model is not a direct instantiation of our generic construction but is optimized to increase efficiency and achieves the unbounded message-dependent opening property. Furthermore, we also demonstrate that GS-MDO implies identity-based encryption, thus implying that identity-based encryption is essential for designing GS-MDO schemes.

show abstract

“…With regard to advanced features, there have been proposed several schemes [33,34,46,48,40,47] and they are still behind their counterparts in the number-theoretic setting. Specifically, [33,34,46,48] deal with dynamic user enrollments and/or revocations of misbehaving users while [40,47] attempt to restrict the power of the tracing manager or keep his actions accountable. For the time being, the problem of making GS secure against the key exposure problem is still open in the context of lattices.…”

Section: Introductionmentioning

confidence: 99%

Forward-Secure Group Signatures from Lattices

Ling

Nguyen

Wang

et al. 2019

Post-Quantum Cryptography

Self Cite

View full text Add to dashboard Cite

Group signature is a fundamental cryptographic primitive, aiming to protect anonymity and ensure accountability of users. It allows group members to anonymously sign messages on behalf of the whole group, while incorporating a tracing mechanism to identify the signer of any suspected signature. Most of the existing group signature schemes, however, do not guarantee security once secret keys are exposed. To reduce potential damages caused by key exposure attacks, Song (ACM-CCS 2001) put forward the concept of forward-secure group signature (FSGS), which prevents attackers from forging group signatures pertaining to past time periods even if a secret group signing key is revealed at the current time period. For the time being, however, all known secure FSGS schemes are based on number-theoretic assumptions, and are vulnerable against quantum computers.In this work, we construct the first lattice-based FSGS scheme. Our scheme is proven secure under the Short Integer Solution and Learning With Errors assumptions. At the heart of our construction is a scalable lattice-based key evolving mechanism, allowing users to periodically update their secret keys and to efficiently prove in zero-knowledge that key evolution process is done correctly. To realize this essential building block, we first employ the Bonsai tree structure by Cash et al. (EURO-CRYPT 2010) to handle the key evolution process, and then develop Langlois et al.'s construction (PKC 2014) to design its supporting zeroknowledge protocol.

show abstract

A Lattice-Based Group Signature Scheme with Message-Dependent Opening

Cited by 43 publications

References 45 publications

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Group Signatures with Message-Dependent Opening: Formal Definitions and Constructions

Forward-Secure Group Signatures from Lattices

Contact Info

Product

Resources

About