Forward-Secure Group Signatures from Lattices

Group signature is a fundamental cryptographic primitive, aiming to protect the anonymity and ensure the accountability of users. It allows group members to anonymously sign messages on behalf of the whole group, while incorporating a tracing mechanism to identify the signer of any suspected signature. Most existing group signature schemes, however, do not guarantee security once users' secret keys are exposed. To reduce the potential damage caused by key exposure attacks, Song (CCS 2001) put forward the concept of forward-secure group signatures (FSGS). To date, all known secure FSGS schemes are based on number-theoretic assumptions and are vulnerable to quantum computers. In this work, we construct the first lattice-based FSGS scheme. In Nakanishi et al.'s model, our scheme achieves forward-secure traceability under the Short Integer Solution (SIS) assumption and offers full anonymity under the Learning With Errors (LWE) assumption. At the heart of our construction is a scalable lattice-based key-evolving mechanism, which allows users to periodically update their secret keys and to efficiently prove in zero-knowledge that the key-evolution process was carried out correctly. To realize this essential building block, we first employ the Bonsai-tree structure of Cash et al. (EUROCRYPT 2010) to handle the key-evolution process, and then extend Langlois et al.'s construction (PKC 2014) to design its supporting zero-knowledge protocol. In comparison to all known lattice-based group signatures (which are not forward-secure), our scheme incurs only a very reasonable overhead: the overhead in the bit-sizes of keys and signatures is at most O(log N), where N is the number of group users, and at most O(log^3 T), where T is the number of time periods.
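The key-evolving mechanism sketched above, as an added illustration that is not code from the paper: time periods are the T = 2^d leaves of a binary tree, a user keeps only the current leaf key plus the root keys of the right-sibling subtrees along its path (at most d + 1 = O(log T) keys), and each update erases everything above or to the left of the new leaf, so earlier period keys cannot be recovered from the current state. The hash-based `derive` function is a hypothetical stand-in for Bonsai-tree basis delegation along one edge; the class and helper names, and the root value, are this example's own constructions. It models only the storage and forward-security structure, not the zero-knowledge proof of correct evolution.

```python
import hashlib
from typing import List, Optional, Tuple

Prefix = Tuple[int, ...]  # path from the root, one bit per tree level


def derive(parent: bytes, bit: int) -> bytes:
    """Derive the child key for edge label `bit` (0 or 1) from a parent key.

    Hypothetical stand-in for lattice basis delegation along one edge of the
    Bonsai tree: the child is a one-way function of the parent, so a parent
    (or any ancestor) yields its descendants, but not the reverse.
    """
    return hashlib.sha256(parent + bytes([bit])).digest()


def bits_of(t: int, depth: int) -> Prefix:
    """Binary expansion of period t as a root-to-leaf path (MSB first)."""
    return tuple((t >> (depth - 1 - i)) & 1 for i in range(depth))


def leaf_key(root: bytes, t: int, depth: int) -> bytes:
    """Reference derivation straight from the root (the issuer's view)."""
    key = root
    for b in bits_of(t, depth):
        key = derive(key, b)
    return key


class EvolvingKey:
    """A user's key-evolving secret for T = 2**depth time periods.

    Period t is the leaf reached by the binary expansion of t.  The state holds
    the current leaf key plus, for every 0-edge on its path, the root key of
    the right sibling subtree: at most depth + 1 = O(log T) keys.  Everything
    above or to the left of the current leaf is erased on update, so keys of
    earlier periods cannot be recovered from the current state.
    """

    def __init__(self, root: bytes, depth: int) -> None:
        self.depth = depth
        self.periods = 1 << depth
        self.t = 0
        self.stack: List[Tuple[Prefix, bytes]] = []  # pending right siblings
        self.current = self._leftmost(root, ())

    def _leftmost(self, key: bytes, prefix: Prefix) -> bytes:
        """Walk to the leftmost leaf under `key`, stashing each right sibling."""
        while len(prefix) < self.depth:
            self.stack.append((prefix + (1,), derive(key, 1)))
            key = derive(key, 0)
            prefix = prefix + (0,)
        return key

    def stored_keys(self) -> List[Tuple[Prefix, bytes]]:
        """Everything the user keeps for the current period."""
        return [(bits_of(self.t, self.depth), self.current)] + list(self.stack)

    def update(self) -> None:
        """Move to period t + 1 and erase all material for periods <= t."""
        if self.t + 1 >= self.periods:
            raise ValueError("no time periods left")
        self.t += 1
        prefix, key = self.stack.pop()  # deepest pending sibling is the next leaf
        self.current = self._leftmost(key, prefix)

    def derive_period_key(self, target: int) -> Optional[bytes]:
        """Key for `target` if some stored node is its ancestor, else None."""
        path = bits_of(target, self.depth)
        for prefix, key in self.stored_keys():
            if path[: len(prefix)] == prefix:
                for b in path[len(prefix):]:
                    key = derive(key, b)
                return key
        return None


def check_forward_security(root: bytes, depth: int) -> bool:
    """Evolve through every period: current and future keys must match the
    issuer's reference derivation, past ones must be unrecoverable, and the
    state must never exceed depth + 1 keys."""
    key = EvolvingKey(root, depth)
    periods = 1 << depth
    for now in range(periods):
        if len(key.stored_keys()) > depth + 1:
            return False
        for t in range(periods):
            got = key.derive_period_key(t)
            want = leaf_key(root, t, depth) if t >= now else None
            if got != want:
                return False
        if now + 1 < periods:
            key.update()
    return True


if __name__ == "__main__":
    ROOT = b"constructed-root-secret"  # constructed sample value, not a real key
    print("forward security holds for T = 16:", check_forward_security(ROOT, 4))
```

The check exercises the two properties the abstract asks of the mechanism: storage stays logarithmic in T, and after an update the state yields every present and future period key but no past one. In the real scheme the one-way step is basis delegation and the user additionally proves in zero-knowledge that the update was performed as specified; this example only shows the tree bookkeeping that proof is about.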

[1] David Cash et al. Bonsai Trees, or How to Delegate a Lattice Basis. Journal of Cryptology, 2010.

[2] Hovav Shacham et al. Short Group Signatures. CRYPTO, 2004.

[3] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions. IACR Cryptol. ePrint Arch., 2008.

[4] Chris Peikert et al. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. STOC '09, 2009.

[5] Dawn Xiaodong Song et al. Practical forward secure group signature schemes. CCS '01, 2001.

[6] Mihir Bellare et al. Foundations of Group Signatures: Formal Definitions, Simplified Requirements, and a Construction Based on General Assumptions. EUROCRYPT, 2003.

[7] Huaxiong Wang et al. Constant-Size Group Signatures from Lattices. Public Key Cryptography, 2018.

[8] Damien Stehlé et al. Lattice-Based Group Signatures with Logarithmic Signature Size. ASIACRYPT, 2013.

[9] Benoît Libert et al. A Lattice-Based Group Signature Scheme with Message-Dependent Opening. ACNS, 2016.

[10] Jonathan Katz et al. Chosen-Ciphertext Security from Identity-Based Encryption. SIAM J. Comput., 2004.

[11] Hovav Shacham et al. Group signatures with verifier-local revocation. CCS '04, 2004.

[12] Huaxiong Wang et al. Zero-Knowledge Arguments for Lattice-Based PRFs and Applications to E-Cash. ASIACRYPT, 2017.

[13] Moti Yung et al. Key Evolution Systems in Untrusted Update Environments. Inscrypt, 2008.

[14] Aggelos Kiayias et al. Traceable Signatures. EUROCRYPT, 2004.

[15] Craig Gentry et al. (Leveled) fully homomorphic encryption without bootstrapping. ITCS '12, 2012.

[16] Daniele Micciancio et al. Worst-case to average-case reductions based on Gaussian measures. 45th Annual IEEE Symposium on Foundations of Computer Science, 2004.

[17] Sherman S. M. Chow. Real Traceable Signatures. Selected Areas in Cryptography, 2009.

[18] Miklós Ajtai et al. Generating hard instances of lattice problems (extended abstract). STOC '96, 1996.

[19] Zhenfeng Zhang et al. Simpler Efficient Group Signatures from Lattices. Public Key Cryptography, 2015.

[20] Huaxiong Wang et al. Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-Based. Public Key Cryptography, 2015.

[21] Chris Peikert et al. Hardness of SIS and LWE with Small Parameters. CRYPTO, 2013.

[22] Ross J. Anderson et al. Two remarks on public key cryptology, 2002.

[23] Mihir Bellare et al. Foundations of Group Signatures: The Case of Dynamic Groups. CT-RSA, 2005.

[24] Vinod Vaikuntanathan et al. Predicate Encryption for Circuits from LWE. CRYPTO, 2015.

[25] Mihir Bellare et al. A Forward-Secure Digital Signature Scheme. CRYPTO, 1999.

[26] David Cash et al. Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems. CRYPTO, 2009.

[27] Sourav Mukhopadhyay et al. Forward Secure Efficient Group Signature in Dynamic Setting using Lattices. IACR Cryptol. ePrint Arch., 2017.

[28] Chris Peikert et al. Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices. TCC, 2006.

[29] Xavier Boyen et al. Lattice Mixing and Vanishing Trapdoors: A Framework for Fully Secure Short Signatures and More, 2010.

[30] Chris Peikert et al. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. IACR Cryptol. ePrint Arch., 2012.

[31] Nobuo Funabiki et al. Forward-Secure Group Signatures from Pairings, 2010.

[32] Damien Stehlé et al. Improved Zero-Knowledge Proofs of Knowledge for the ISIS Problem, and Applications. Public Key Cryptography, 2013.

[33] Jan Camenisch et al. Fully Anonymous Attribute Tokens from Lattices. SCN, 2012.

[34] Marc Joye et al. A Practical and Provably Secure Coalition-Resistant Group Signature Scheme. CRYPTO, 2000.

[35] Craig Gentry et al. Fully homomorphic encryption using ideal lattices. STOC '09, 2009.

[36] David Chaum et al. Group Signatures. EUROCRYPT, 1991.

[37] Jacques Stern et al. A new paradigm for public key identification. IEEE Trans. Inf. Theory, 1996.

[38] Brent Waters et al. Full-Domain Subgroup Hiding and Constant-Size Group Signatures. Public Key Cryptography, 2007.

[39] Gene Itkis et al. Forward-Secure Signatures with Optimal Signing and Verifying. CRYPTO, 2001.

[40] Jan Camenisch et al. Floppy-Sized Group Signatures from Lattices. IACR Cryptol. ePrint Arch., 2018.

[41] Jens Groth et al. Fully Anonymous Group Signatures without Random Oracles. IACR Cryptol. ePrint Arch., 2007.

[42] Huaxiong Wang et al. Lattice-Based Zero-Knowledge Arguments for Integer Relations. CRYPTO, 2018.

[43] Jonathan Katz et al. A Forward-Secure Public-Key Encryption Scheme. Journal of Cryptology, 2003.

[44] Huaxiong Wang et al. Zero-Knowledge Password Policy Check from Lattices. ISC, 2017.

[45] Amos Fiat et al. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. CRYPTO, 1986.

[46] Moti Yung et al. Group Signatures with Almost-for-Free Revocation. CRYPTO, 2012.

[47] Chris Peikert et al. Generating Shorter Bases for Hard Random Lattices. Theory of Computing Systems, 2009.

[48] Huaxiong Wang et al. Adaptive Oblivious Transfer with Access Control from Lattice Assumptions. ASIACRYPT, 2017.

[49] Leonid Reyzin et al. A New Forward-Secure Digital Signature Scheme. ASIACRYPT, 2000.

[50] Craig Gentry et al. (Leveled) Fully Homomorphic Encryption without Bootstrapping, 2014.

[51] Huaxiong Wang et al. Policy-based signature scheme from lattices. Des. Codes Cryptogr., 2016.

[52] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography. JACM, 2009.

[53] Huaxiong Wang et al. Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions. ASIACRYPT, 2016.

[54] Aggelos Kiayias et al. Secure scalable group signature with dynamic joins and separable authorities. Int. J. Secur. Networks, 2006.

[55] Vadim Lyubashevsky et al. Lattice-Based Group Signatures and Zero-Knowledge Proofs of Automorphism Stability. IACR Cryptol. ePrint Arch., 2018.

[56] Moti Yung et al. Dynamic fully forward-secure group signatures. ASIACCS '10, 2010.

[57] Keisuke Tanaka et al. Concurrently Secure Identification Schemes Based on the Worst-Case Hardness of Lattice Problems. ASIACRYPT, 2008.

[58] Sabrina De Capitani di Vimercati et al. Guest Editorial: Special Issue on Computer and Communications Security. TSEC, 2008.

[59] Moti Yung et al. Forward-secure signatures in untrusted update environments: efficient and generic constructions. CCS '07, 2007.

[60] Jens Groth et al. Foundations of Fully Dynamic Group Signatures. Journal of Cryptology, 2016.

[61] Huaxiong Wang et al. Lattice-Based Group Signatures: Achieving Full Dynamicity with Ease. ACNS, 2017.

[62] Huaxiong Wang et al. Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption. Theor. Comput. Sci., 2019.

[63] Dan Boneh et al. Hierarchical Identity Based Encryption with Constant Size Ciphertext. EUROCRYPT, 2005.

[64] Huaxiong Wang et al. Zero-Knowledge Arguments for Lattice-Based Accumulators: Logarithmic-Size Ring Signatures and Group Signatures Without Trapdoors. Journal of Cryptology, 2016.

[65] Stephan Krenn et al. Commitments and Efficient Zero-Knowledge Proofs from Learning Parity with Noise. ASIACRYPT, 2012.

[66] Hovav Shacham et al. Forward-Secure Signatures with Untrusted Update. IACR Cryptology ePrint Archive, Report 2006/297, 2006.

[67] Ernest F. Brickell et al. Design Validations for Discrete Logarithm Based Signature Schemes. Public Key Cryptography, 2000.

[68] Jens Groth. Evaluating Security of Voting Schemes in the Universal Composability Framework. ACNS, 2004.

[69] Shouhuai Xu et al. Key-Insulated Public Key Cryptosystems. EUROCRYPT, 2002.

[70] Yutaka Kawai et al. Group Signatures with Message-Dependent Opening. Pairing, 2012.

[71] Huaxiong Wang et al. Accountable Tracing Signatures from Lattices. IACR Cryptol. ePrint Arch., 2018.

[72] Jan Camenisch et al. Better Zero-Knowledge Proofs for Lattice Encryption and Their Application to Group Signatures. ASIACRYPT, 2014.

[73] Jonathan Katz et al. A Group Signature Scheme from Lattice Assumptions. IACR Cryptol. ePrint Arch., 2010.