Lattice-Based Group Signature Scheme with Verifier-Local Revocation

Abstract: Abstract. Support of membership revocation is a desirable functionality for any group signature scheme. Among the known revocation approaches, verifier-local revocation (VLR) seems to be the most flexible one, because it only requires the verifiers to possess some up-to-date revocation information, but not the signers. All of the contemporary VLR group signatures operate in the bilinear map setting, and all of them will be insecure once quantum computers become a reality. In this work, we introduce the first l… Show more

“…Compared to the best previous lattice-based schemes [38,44,45], it is both simpler and more efficient, saving a O(log N ) factor in both sizes of the group public key and the signature. As in [44], we first present a simple CPA-anonymous scheme, and then extend it to a scheme with CCA-anonymity.…”

“…[29] proposed a variant of [38] with improvements both in efficiency (i.e., shorter group public key) and security (i.e., stronger adversary against anonymity), but the signature size of their scheme was still linear in N . Recently, two papers [44,45] have significantly decreased the signature size. By first representing the identity of group members as a bit-string [19], and then applying the "encrypt-and-prove" paradigm of [11,38], Laguillaumie et al [44] constructed an efficient lattice-based group signature where both the sizes of the group public key and the signature are proportional to log N (i.e., with bit-length slightly greater than O(n 2 log 2 n log N ) and O(n log 3 n log N ), respectively).…”

“…By first representing the identity of group members as a bit-string [19], and then applying the "encrypt-and-prove" paradigm of [11,38], Laguillaumie et al [44] constructed an efficient lattice-based group signature where both the sizes of the group public key and the signature are proportional to log N (i.e., with bit-length slightly greater than O(n 2 log 2 n log N ) and O(n log 3 n log N ), respectively). Using similar identity representations together with the non-interactive zero-knowledge (NIZK) proof in [48], Langlois et al [45] proposed a nice scheme without encryption, which achieves almost the same asymptotical efficiency as that of [44], and provides an additional property called verifier-local revocation [18]. Another interesting group signature is due to Benhamouda et al [14], for which privacy holds under a lattice-based assumption but the security is discrete-logarithm-based, i.e.…”

“…Specifically, by first constructing a nice Stern-type [59] NIZK protocol, they propose a scheme which excels previous ones in [44,45] by a constant factor in terms of efficiency, i.e., all the sizes are still proportional to log N . Besides, they also show how to transform their basic scheme into the setting of ideal lattices, which can save a factor of n in the size of group public key.…”

Simpler Efficient Group Signatures from Lattices

“…Compared to the best previous lattice-based schemes [38,44,45], it is both simpler and more efficient, saving a O(log N ) factor in both sizes of the group public key and the signature. As in [44], we first present a simple CPA-anonymous scheme, and then extend it to a scheme with CCA-anonymity.…”

“…[29] proposed a variant of [38] with improvements both in efficiency (i.e., shorter group public key) and security (i.e., stronger adversary against anonymity), but the signature size of their scheme was still linear in N . Recently, two papers [44,45] have significantly decreased the signature size. By first representing the identity of group members as a bit-string [19], and then applying the "encrypt-and-prove" paradigm of [11,38], Laguillaumie et al [44] constructed an efficient lattice-based group signature where both the sizes of the group public key and the signature are proportional to log N (i.e., with bit-length slightly greater than O(n 2 log 2 n log N ) and O(n log 3 n log N ), respectively).…”

“…By first representing the identity of group members as a bit-string [19], and then applying the "encrypt-and-prove" paradigm of [11,38], Laguillaumie et al [44] constructed an efficient lattice-based group signature where both the sizes of the group public key and the signature are proportional to log N (i.e., with bit-length slightly greater than O(n 2 log 2 n log N ) and O(n log 3 n log N ), respectively). Using similar identity representations together with the non-interactive zero-knowledge (NIZK) proof in [48], Langlois et al [45] proposed a nice scheme without encryption, which achieves almost the same asymptotical efficiency as that of [44], and provides an additional property called verifier-local revocation [18]. Another interesting group signature is due to Benhamouda et al [14], for which privacy holds under a lattice-based assumption but the security is discrete-logarithm-based, i.e.…”

“…Specifically, by first constructing a nice Stern-type [59] NIZK protocol, they propose a scheme which excels previous ones in [44,45] by a constant factor in terms of efficiency, i.e., all the sizes are still proportional to log N . Besides, they also show how to transform their basic scheme into the setting of ideal lattices, which can save a factor of n in the size of group public key.…”

Simpler Efficient Group Signatures from Lattices

“…In particular, the Groth scheme applies efficient zero-knowledge proofs for bilinear groups, which are known as Groth-Sahai proofs [26]. In addition to these schemes, lattice-based constructions were proposed [24,33,32,13].…”

Group Signature with Deniability: How to Disavow a Signature

Efficient Group Signature Scheme Over NTRU Lattice