Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Ling, San; Nguyen, Khoa; Wang, Huaxiong; Xu, Yanhong

doi:10.1016/j.tcs.2019.03.023

Cited by 18 publications

(5 citation statements)

References 52 publications

(184 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Specifically, compared with the ring signature scheme in Reference [8], we add one more additional condition, an non-interactive identification scheme used by the ring members to prove their identity. Combining zero-knowledge argument systems for two or more NP relations is a general strategy widely used in previous works, such as group signatures [8,9], policy-based signatures [13], compact e-cash [14], etc.…”

Section: Contributions and Technical Overviewmentioning

confidence: 99%

“…It is well-known that group signature [4][5][6][7][8][9] can prevent its members from abusing anonymity, in which users are able to sign messages anonymously, but, when a dispute occurs, the group manager possessing a group master secret key is capable of revoking the anonymity of misbehaving signers. However, group signature cannot handle the leaking secrets scenario, as the the manager is always able to trace the real signer who leaks a piece of invaluable information.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

Jia

Tang

Zhang

2021

Entropy

View full text Add to dashboard Cite

Deniable ring signature can be regarded as group signature without group manager, in which a singer is capable of singing a message anonymously, but, if necessary, each ring member is allowed to confirm or disavowal its involvement in the signature via an interactive mechanism between the ring member and the verifier. This attractive feature makes the deniable ring signature find many applications in the real world. In this work, we propose an efficient scheme with signature size logarithmic to the cardinality of the ring. From a high level, we adapt Libert et al.’s zero-knowledge argument system (Eurocrypt 2016) to allow the prover to convince the verifier that its witness satisfies an additional condition. Then, using the Fait-Shamir transformation, we get a non-interactive deniable ring signature scheme that satisfies the anonymity, traceability, and non-frameability under the small integer solution assumption in the random oracle model.

show abstract

Section: Contributions and Technical Overviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

Jia

Tang

Zhang

2021

Entropy

View full text Add to dashboard Cite

show abstract

“…Following our initial conference publication [8], other works adopted and extended our security model. Ling et al [47] used our model to prove the security of their fully dynamic group signature scheme, which is the first fully dynamic construction based on hardness of lattice assumptions. Our model was recently extended by Backes et al [12] to include two additional security properties called join and leave privacy, which capture the privacy of users over the time span of their group membership status.…”

Section: Background and Related Workmentioning

confidence: 99%

Foundations of Fully Dynamic Group Signatures

Bootle

Cerulli²,

Chaidos

et al. 2020

J Cryptol

View full text Add to dashboard Cite

Group signatures allow members of a group to anonymously sign on behalf of the group. Membership is administered by a designated group manager. The group manager can also reveal the identity of a signer if and when needed to enforce accountability and deter abuse. For group signatures to be applicable in practice, they need to support fully dynamic groups, i.e., users may join and leave at any time. Existing security definitions for fully dynamic group signatures are informal, have shortcomings, and are mutually incompatible. We fill the gap by providing a formal rigorous security model for fully dynamic group signatures. Our model is general and is not tailored toward a specific design paradigm and can therefore, as we show, be used to argue about the security of different existing constructions following different design paradigms. Our definitions are stringent and when possible incorporate protection against maliciously chosen keys. We consider both the case where the group management and tracing signatures are administered by the same authority, i.e., a single group manager, and also the case where those roles are administered by two separate authorities, i.e., a group manager and an opening authority. We also show that a specialization of our model captures existing models for static and partially dynamic schemes. In the process, we identify a subtle gap in the security achieved by group signatures using revocation lists. We show that in such schemes new members achieve a slightly weaker notion of traceability. The flexibility of our security model allows to capture such relaxation of traceability.

show abstract

“…On the contrary, our scheme obtains full-dynamicity as well as deniability feature. In comparison to the group signature scheme of Ling et al [29] that uses lattices, our construction works favourably in terms of efficiency. The scheme [29] offers signature size of O(λ log N log q), the group public key size O((λ 2 + λ log N ) log q) and the user's secret signing key size O(λ log q) + log N for prime modulus q = O(n 3/2 ).…”

mentioning

confidence: 97%

“…In this work, we focus on designing a secure and efficient group signature scheme based on the hardness of the generic decoding problem having flexibility in joining and revoking group users at any preferred time. Our starting point is the group signature scheme of Ling et al [29] that uses lattices and relies on the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. We aim to design a post-quantum secure fully-dynamic group signature scheme with relatively short signature.…”

mentioning

confidence: 99%

Post-quantum secure fully-dynamic logarithmic-size deniable group signature in code-based setting

Dey

Dutta

2024

AMC

View full text Add to dashboard Cite

Since its introduction by Chaum and Heyst, group signature has been one of the most active areas of cryptographic research with numerous applications to computer security and privacy. Group signature permits the members of a group to sign a document on behalf of the entire group keeping signer's identity secret and enabling disclosure of the signer's identity if required. In this work, we present the first code-based fully-dynamic group signature scheme which allows group members to join or leave the group at any point of time. We employ a code-based updatable Merkle-tree accumulator in our design to achieve logarithmic-size signature and utilize randomized Niederreiter encryption to trace the identity of the signer. More positively, we equipped our scheme with deniability characteristic whereby the tracing authority can furnish evidence showing that a given member is not the signer of a particular signature. Our scheme satisfies the security requirements of anonymity, non-frameability, traceability and tracing-soundness in the random oracle model under the hardness of generic decoding problem. We emphasize that our scheme provides full-dynamicity, features deniability in contrast to the existing code-based group signature schemes and works favourably in terms of signature size, group public key size and secret key size.

show abstract

Lattice-based group signatures: Achieving full dynamicity (and deniability) with ease

Cited by 18 publications

References 52 publications

Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

Foundations of Fully Dynamic Group Signatures

Post-quantum secure fully-dynamic logarithmic-size deniable group signature in code-based setting

Contact Info

Product

Resources

About