Simpler Efficient Group Signatures from Lattices⋆,⋆⋆

Phong Q. Nguyen1, Jiang Zhang2, and Zhenfeng Zhang2

1 INRIA, France and Tsinghua University, Institute for Advanced Study, China2 Trusted Computing and Information Assurance Laboratory,

State Key Laboratory of Computer Science,Institute of Software, Chinese Academy of Sciences, China

http://www.di.ens.fr/˜pnguyen,jiangzhang09@gmail.com, zfzhang@tca.iscas.ac.cn

Abstract. A group signature allows a group member to anonymously sign mes-sages on behalf of the group. In the past few years, new group signatures basedon lattice problems have appeared: the most efficient lattice-based constructionsare due to Laguillaumie et al. (Asiacrypt ’13) and Langlois et al. (PKC ’14). Bothhave at least O(n2 log2 n logN)-bit group public key and O(n log3 n logN)-bitsignature, where n is the security parameter and N is the maximum number ofgroup members. In this paper, we present a simpler lattice-based group signature,which is more efficient by a O(logN) factor in both the group public key and thesignature size. We achieve this by using a new non-interactive zero-knowledge(NIZK) proof corresponding to a simple identity-encoding function. The securityof our group signature can be reduced to the hardness of SIS and LWE in therandom oracle model.

1 Introduction

In a group signature, each group member has a private key that is certified with itsidentity by the group manager. By using its private key, each group member is able tosign messages on behalf of the group without compromising its identity to the signa-ture verifier. Group signatures provide users a nice tradeoff between authenticity andanonymity (i.e., given a signature, the verifier is assured that someone in the groupsigned a message, but cannot determine which member of the group signed). However,such a functionality allows malicious group members to damage the whole group with-out being detected, e.g. signing some unauthorized/illegal messages. To avoid this, thegroup manager usually has a secret key which can be used to break anonymity.

Several real-life applications require properties of group signatures. For example,in trusted computing, a trusted platform module (TPM) usually has to attest certainstatements w.r.t. the current configurations of the host device to a remote party (i.e. theverifier) via a signature on corresponding messages. After the attestation, the verifier isassured that some remote device that contains a TPM authorized the messages. For user

⋆ The work is supported in part by China’s 973 program (No. 2013CB338003, 2013CB834205)and the National Natural Science Foundation of China (No. 61133013, 61170278, 91118006).

⋆⋆ c⃝ IACR 2015. This is the full version of a paper that will be published in the proceedings ofPKC 2015.

2

privacy, the signature is often required not to reveal the identity of the TPM. In fact,a variant of group signatures (namely, direct anonymous attestation (DAA) [26,33])has been implemented in TPM 1.2 [41] and TPM 2.0 [42] by the Trusted ComputingGroup. Another promising application is vehicle safety communications [43], wheregroup signatures can protect the privacy of users so that a broadcast message does notreveal the current location/speed of the vehicle. Besides, other applications of groupsignatures are found in anonymous communications, e-commerce systems etc.

Since their introduction by Chaum and van Heyst [32], group signatures have at-tracted much attention from the research community. Bellare, Micciancio and Warin-schi (BMW) [11] formalized the security of group signatures for static groups (wherethe group members are fixed in the system setup phase) in two main notions, i.e., fullanonymity and full traceability. Informally, full anonymity requires that an adversarywithout the group manager secret key should not be able to determine the signer’s iden-tity from a signature, even if it can access an open oracle that returns the identity of anyother (valid) signature. And full traceability implies that no collusion of group memberscan create a valid signature which cannot be traced back to one of them (by the groupmanager using the group manager secret key). Bellare et al. [11] also gave a theoreticalconstruction based on the existence of trapdoor permutations. In a weak variant of theBMW model where the adversary against anonymity is not given access to the open ora-cle (i.e., CPA-anonymity), Boneh et al. [16] constructed a short group signature schemebased on the Strong Diffie-Hellman (SDH) [15] and Decision Linear (DLIN) [16] as-sumptions in the random oracle model [13]. Besides, many papers focused on designingvarious group signatures based on different assumptions [9,28,20,21,39,40,1,47,46].

In recent years, lattice cryptography has attracted significant interest, due to severalpotential benefits: asymptotic efficiency, worst-case hardness assumptions, and secu-rity against quantum computers. A natural goal is to find lattice-based counterparts ofall classical cryptographic schemes. In 2010, Gordon et al. [38] made the first step inconstructing secure group signatures from lattices. They elegantly combined severalpowerful lattice-based tools [55,58,37] to build a group signature scheme where thesizes of both the group public key and signature was linear in the maximum numberN of group members. Later, Camenisch el al. [29] proposed a variant of [38] with im-provements both in efficiency (i.e., shorter group public key) and security (i.e., strongeradversary against anonymity), but the signature size of their scheme was still linearin N . Recently, two papers [44,45] have significantly decreased the signature size. Byfirst representing the identity of group members as a bit-string [19], and then apply-ing the “encrypt-and-prove” paradigm of [11,38], Laguillaumie et al. [44] constructedan efficient lattice-based group signature where both the sizes of the group public keyand the signature are proportional to logN (i.e., with bit-length slightly greater thanO(n2 log2 n logN) and O(n log3 n logN), respectively). Using similar identity rep-resentations together with the non-interactive zero-knowledge (NIZK) proof in [48],Langlois et al. [45] proposed a nice scheme without encryption, which achieves almostthe same asymptotical efficiency as that of [44], and provides an additional propertycalled verifier-local revocation [18]. Another interesting group signature is due to Ben-hamouda et al. [14], for which privacy holds under a lattice-based assumption but thesecurity is discrete-logarithm-based, i.e. it is not a pure lattice-based group signature.

3

A current and independent work of Ling, Nguyen and Wang [49] also try to designan efficient lattice-based group signature scheme. Specifically, by first constructing anice Stern-type [59] NIZK protocol, they propose a scheme which excels previous onesin [44,45] by a constant factor in terms of efficiency, i.e., all the sizes are still propor-tional to logN . Besides, they also show how to transform their basic scheme into thesetting of ideal lattices, which can save a factor of n in the size of group public key.

1.1 Our Results

In this paper, we present a new lattice-based group signature. Compared to the bestprevious lattice-based schemes [38,44,45], it is both simpler and more efficient, savinga O(logN) factor in both sizes of the group public key and the signature. As in [44],we first present a simple CPA-anonymous scheme, and then extend it to a scheme withCCA-anonymity. The security of both our schemes is provably based on the hardnessof the Small Integer Solutions (SIS) and Learning with Errors (LWE) problems in therandom oracle model, which are both as hard as several worst-case lattice problems,such as SIVPγ for some polynomial factor γ = poly(n).

In Table 1, we give a rough comparison with related lattice-based group signaturesin terms of the size of the group public-key, the group user secret key and the signature.There, n denotes the security parameter, and N is the maximum number of group users.The other two parameters m and q are both polynomial in n (and N ), and are usually de-termined by the underlying lattices used by those schemes. The integer t used in [44,45]and our scheme is a repetition parameter for obtaining NIZKs with negligible sound-ness error. For a security parameter n, one can set t = ω(logn) and m = O(n log n).The choice of q might be slightly different in those schemes either for security or forfunctionality. For example, q is explicitly required to be larger than N in our scheme.We note that this requirement might also be satisfied in the previous three schemes formost applications. Besides, even if N < q does not hold in previous schemes, the sizesof the group public-key and the signature in our scheme are still asymptotically shorter(since both N and q are polynomials in n, and logN = O(log q) holds).

Table 1. Rough Comparison of Overheads.

Schemes Group public-key User secret-key Signature Security

GKV10 [38] O(nmN log q) O(nm log q) O(nmN log q) CPA-anonymity

LLLS13 [44] O(nm logN log q) O(nm log q) O(tm logN log q) CCA-anonymity

LLNW14 [45] O(nm logN log q) O(m logN log q) O(tm logN log q log β)⋆ CCA-anonymity

Our scheme O(nm log q) O(nm log q) O(t(m+ logN) log q)⋆⋆ CCA-anonymity

⋆ β = ω(√n log q logn) logm is the integer norm bound in [45].

⋆⋆ Since N is always a polynomial in n (thus in m), this term is actually bounded byO(tm log q). Besides, we note that group signatures supporting opening should havea signature in bit-size at least logarithmic in N [11].

Since the schemes in [38,44] and ours follow a general “encrypt-and-prove” paradigmin [11], we also give a comparison of computational costs between the schemes in [38,44]

4

and ours at a very high level, i.e., in terms of the number of the underlying encryptionsand basic NIZK proofs, in Table 2. We note that such a comparison is less interestingto the scheme in [45], since it departs from the general paradigm and does not makeuse of any encryption. Although all three schemes use (almost) the same encryption(namely [58]), the NIZKs are very different. Concretely, Gordon et al. [38] used a N -OR variant of the witness-indistinguishable (WI) proof system for the gap version ofthe closest vector problem in [55], while the NIZKs used in [44] and ours are derivedfrom the more efficient protocol [51] for the ISIS problem. In Table 2, we simply com-pare the complexity of each algorithm of the schemes in [38,44] and ours, with respectto the number of basic operations in terms of encryptions and basic NIZKs.

Table 2. Rough Comparison of Computational Costs (The encryption and decryption of Regev’sLWE-based encryption [58] are denoted by enc. and dec., respectively. The proof and verificationof the corresponding basic NIZKs in [55,51] are denoted by pro. and ver., respectively)

Schemes Sign (enc.,pro.,ver.,dec.) Verify (enc.,pro.,ver.,dec.) Open (enc.,pro.,ver.,dec.)

GKV10 [38] (N,O(N),−,−) (−,−, O(N),−) (−,−,−, N/2)

LLLS13 [44] (1 + logN,O(logN),−,−) (−,−, O(logN),−) (−,−,−, 1 + logN)

Our scheme (1,≤ 5,−,−) (−,−,≤ 5,−) (−,−,−, 1)

However, we note that we do not provide a full comparison with all the schemesin [38,44,45], which would require at least a concrete analysis of the security reduction(running time, lattice approximation factor, success probability, etc.), which is usuallynot explicitly given in the literature.

1.2 Techniques

At a high level, the two constructions in [38,44] and our scheme use the same gen-eral paradigm as that of [11]. Roughly speaking, the group manager first generates thegroup public key gpk and group manager secret key gmsk. For a user with identityi ∈ 1, . . . , N (recall that N is the maximum number of group members, and is fixedat the system setup), the group manager computes the user’s secret key gski corre-sponding to an encoded “public key” H(gpk, i), where H is an encoding function that(uniquely) encodes the group user’s identity i in gski. When signing a message m, thegroup user proves to the verifier that he has a secret key gski for some i ∈ 1, . . . , N(i.e., to prove that he is a legal member of the group). The hardness of this generalparadigm usually lies in the choices of an appropriate encoding function H(gpk, i) anda compatible non-interactive zero-knowledge (NIZK) for the membership relations de-termined by H(gpk, i).

Gordon et al. [38] used a simple projective encoding function H(gpk, i) and a NIZKextended from [55] to construct the first lattice-based group signature. Informally, thegroup public key gpk consists of N independent public keys of the GPV signature [37],i.e., gpk = (pk1, . . . , pkN ) where pkj is an integer matrix over Zq for some positiveq ∈ Z, and all j ∈ 1, . . . , N. The encoding function simply outputs the i-th element

5

of gpk, i.e., H(gpk, i) := pki. Due to the particular choice of H(gpk, i), both the grouppublic key and the signature of [38] have a size linear in N .

At Asiacrypt ’13, by using an efficient encoding function inspired by Boyen’s lattice-based signature [19] and a NIZK derived from [51], Laguillaumie et al. [44] pro-posed a more efficient lattice-based group signature. Roughly speaking, the group pub-lic key gpk consists of ℓ = ⌊logN⌋ + 1 independent matrices over Zq, i.e., gpk =

(A1, . . . ,Aℓ). The encoding function is defined as H(gpk, i) :=∑ℓ

j=1 ijAj , where(i1, . . . , il) ∈ Zℓ

2 is the binary decomposition of i. We also note that Langlois et al. [45]constructed a lattice-based group signature with verifier-local revocation by using thesame identity encoding function but a different NIZK from [48]. Both schemes [44,45]decreased the sizes of the group public key and the signature to proportional to logN .

An Efficient Identity Encoding. We use a more efficient and compact way to encodethe group member’s identity, by building upon the encoding technique introduced byAgrawal et al. [2] for identity-based encryption (IBE). Let the group public key gpkconsist of three matrices over Zn×m

q for some positive integers n,m, q, i.e., gpk =

(A1,A2,1,A2,2). We define H(gpk, i) = Ai := (A1∥A2,1+G(i)A2,2) where G(·) isa function from ZN to Zn×n

q . Then, the secret key of user i is a short basis of the classi-cal q-ary lattice Λi determined by H(gpk, i) = Ai, where Λi := e ∈ Zm s.t. Aie =0 mod q. When signing a message, user i samples a short vector ei from Λi (byusing the short basis of Λi) and encrypts it using Regev’s encryption [58]. Then, heproves to the verifier that ei is a short vector in a lattice determined by H(gpk, i) forsome i ∈ 1, . . . , N. But we do not know an efficient lattice-based NIZK suitable forthe membership relation determined by H(gpk, i).

Fortunately, since the maximum number of group members N is always boundedby a polynomial in the security parameter n, we actually do not need an encoding func-tion as powerful as for IBE [2], where there are possibly exponentially many users. Wesimplify the encoding function by defining H(gpk, i) := (A1∥A2,1 + iA2,2). (A sim-ilar combination of matrices has been used in a different way in [4,17,36] to constructfunctional encryption.) Namely, the identity function G(i) := i is used instead of afunction G : ZN → Zn×n

q . For collision resistance, we require that N < q. Since N isusually fixed at the system setup in group signatures for static groups such as [38,44,45]and ours, one can simply set q big enough (but still a polynomial in n) to satisfy therequirement. Hereafter, we assume that N < q always holds.

This encoding function provides two main benefits:

– Only three matrices are needed for the encoding function, which provides a shortgroup public key. By comparison, there are respectively at least O(N) and O(logN)matrices needed in [38] and [44].

– It gives a simple membership relation, which allows to construct an efficient NIZKproof for the relation (please see next paragraph). In [38,44], the NIZKs for rela-tively complex membership relations are obtained by involving many encryptions,which results in schemes with large computational costs and signature sizes.

A New Non-interactive Zero-Knowledge (NIZK). Recall that the secret key of user i is ashort basis Ti of the q-ary lattice Λi determined by Ai = (A1∥A2,1 + iA2,2). To sign

6

a message, user i first samples a short vector (x1,x2) by using Gentry et al.’s Gaussiansampling algorithm [37] such that A1x1 + (A2,1 + iA2,2)x2 = 0 mod q. Then, hegenerates an LWE encryption c of x1. The final signature σ consists of c, x2, a proofπ1 that c encrypts x1 correctly, and a proof π2 that there exists a tuple (x1, i) satisfyingA1x1 + iA2,2x2 = −A2,1x2 mod q, namely, σ = (c,x2, π1, π2).

The nice properties of the sampling algorithm in [37,31] guarantee that the publicx2 is statistically indistinguishable for all user i ∈ 1, . . . , N, namely, the verifiercannot determine the signer’s identity i solely from x2, however, he can efficientlydetermine it from (x1,x2), that’s why we choose to encrypt x1. The proof of π1 canbe generated by using the duality of LWE and Small Integer Solutions (SIS) [52], andthe NIZK proof for SIS [51] in a standard way. Thanks to our new identity encodingfunction H(gpk, i) and the public x2, we manage to design a NIZK proof (i.e., π2) forthe statement A1x1 + iA2,2x2 = −A2,1x2 mod q based on the hardness of SIS.

Formally, we introduce a new problem called split-SIS, which is a variant of SIS(and might be of independent interest). Given a split-SIS instance A1,A2,2 ∈ Zn×m

q ,the algorithm is asked to output a triple (x1,x2, h) such that x1,x2 ∈ Zm have smallnorms, and h < q = poly(n) is a positive integer satisfying A1x1 + hA2,2x2 = 0mod q. We first show that the split-SIS problem (associated with an appropriate solutionspace) is polynomially equivalent to the standard SIS problem. Then, we derive a familyof hash functions

H =

fA1,A2,2(x1,x2, h) = (A1x1+hA2,2x2 mod q,x2) :

(x1,x2, h) ∈ Zm × Zm × Z

A1,A2,2∈Zn×m

q

from our split-SIS problem, and prove that the hash function family H with appro-priate domain is one-way, collision-resistant, and statistically hiding with respect tothe third input (i.e., h). Combining those useful properties with the observation thatA1x1 + hA2,2x2 = (A1∥A2,2x2)(x1;h) mod q, we manage to adapt a Σ-protocolforH from existing protocols for standard ISIS problems [50,51,44], which can in turnbe transformed into a NIZK using the Fiat-Shamir transformation in the random or-acle model. This finally helps us obtain a lattice-based group signature scheme withO(tm log q)-bit signature, where the repetition parameter t = ω(log n) is due to ourNIZK as in [44,45].

In order to open a signature σ = (c,x2, π1, π2), the group manager only has todecrypt c to obtain x1, and computes an integer h < q satisfying A1x1 + hA2,2x2 =−A2,1x2 mod q. Note that such an integer is unique if A2,2x2 = 0 mod q for primeq. Replacing the CPA-encryption of x1 with a CCA one (i.e., by applying the CHKtransformation [30] to the IBE [2]), we obtain a CCA-anonymous group signature at aminimal price of doubling the sizes of the group public key and the signature.

1.3 On Membership Revocation

A group signature with opening allows the group manager to break the anonymity ofany valid signature, however, it cannot prevent a malicious group member from usinghis certificate. In practice, it may be desirable to support membership revocation, e.g.,to revoke the certificate of a malicious group member such that he cannot sign any

7

message in the future. Actually, membership revocation is an important and complexproblem and has been extensively studied in the literature [10,18,25,27,46,47]. In [45],Langlois et al. constructed a lattice-based group signature with verifier-local revocation,which was the first lattice-based group signatures supporting membership revocationand achieved the same asymptotic efficiency as that of [44]. For now, we do not knowhow to construct a simpler and efficient group signature with membership revocationfrom lattices.

1.4 Roadmap

After some preliminaries, we recall several useful tools and algorithms on lattices inSection 3. In Section 4, we introduce the split-SIS problems, and construct a NIZKproof for the split-SIS problems. We finally present our CPA-anonymous group sig-nature scheme in Section 5. The description of our CCA-anonymous group signaturescheme is given in Section 6.

2 Preliminaries

2.1 Notation

The set of real numbers (integers) is denoted by R (Z, resp.). By ←R we denote ran-domly choosing elements from some distribution (or the uniform distribution over somefinite set). For a variable x following some distribution D, we denote it by x v D. Forany integer N ∈ Z, we denote by [N ] the set of integers 0, 1, . . . , N − 1. Vectorsare in column form and denoted by bold lower-case letters (e.g., x). We view a matrixsimply as the set of its column vectors and denoted by bold capital letters (e.g., X).Denote the l2 and l∞ norm by ∥ · ∥ and ∥ · ∥∞, respectively. Define the norm of a ma-trix X as the norm of its longest column (i.e., ∥X∥ = maxi ∥xi∥). If the columns ofX = (x1, . . . ,xk) are linearly independent, let X = (x1, . . . , xk) denote the Gram-Schmidt orthogonalization of vectors x1, . . . ,xk taken in that order. For X ∈ Rn×m

and Y ∈ Rn×m′, (X∥Y) ∈ Rn×(m+m′) denotes the concatenation of the columns

of X followed by the columns of Y. Similarly, for X ∈ Rn×m and Y ∈ Rn′×m,(X;Y) ∈ R(n+n′)×m is the concatenation of the rows of X followed by the rows of Y.

Throughout this paper, we let n be the natural security parameter, so that all quanti-ties are implicitly dependent on n. The function log denotes the natural logarithm. Wewill frequently use the standard notation of O,ω for classifying the growth of func-tions. If f(n) = O(g(n) · logc(n)) for some constant c, we write f(n) = O(g(n)).By poly(n) we denote some arbitrary f(n) = O(nc) for some c. We say that a func-tion f(n) is negligible if for every positive c, we have f(n) < n−c for sufficientlylarge n. We denote an arbitrary such function by negl(n), and say that a probability isoverwhelming if it is 1− negl(n).

2.2 Group Signatures

We recall the definition and security model of group signatures. A (static) group signa-ture scheme GS consists of a tuple of four Probabilistic Polynomial Time (PPT) algo-rithms (KeyGen,Sign,Verify,Open):

8

– KeyGen(1n, 1N ): Take the security parameter n and the maximum number of groupmembers N as inputs, output the group public key gpk, the group manager secretkey gmsk and a vector of users’ keys gsk = (gsk1, . . . , gskN ), where gskj is thej-th user’s secret key for j ∈ 1, . . . , N.

– Sign(gpk, gskj ,M): Take the group public key gpk, the j-th user’s secret key gskj ,and a message M ∈ 0, 1∗ as inputs, output a signature σ of M .

– Verify(gpk,M, σ): Take the group public key gpk, a message M ∈ 0, 1∗ and astring σ as inputs, return 1 if σ is a valid signature of M , else return 0.

– Open(gpk, gmsk,M, σ): Take the group public key gpk, the group manager secretkey gmsk, a message M ∈ 0, 1∗, and a valid signature σ of M as inputs, outputan index j ∈ 1, . . . , N or a special symbol ⊥ in case of opening failure.

For correctness, we require that for any (gpk, gmsk,gsk) ← KeyGen(1n, 1N ),any j ∈ 1, . . . , N, any message M ∈ 0, 1∗, and any σ ← Sign(gpk, gskj ,M), thefollowing conditions hold with overwhelming probability:

Verify(gpk,M, σ) = 1 and Open(gpk, gmsk,M, σ) = j

For group signatures, there are two security notions: anonymity and traceability [11].The first notion, informally, says that anyone without the group manager secret key can-not determine the owner of a valid signature. The second notion says a set C of groupmembers cannot collude to create a valid signature such that the Open algorithm fails totrace back to one of them. In particular, this notion implies that any non-group membercannot create a valid signature.

Experiment ExpanonGS,A(n,N)

(gpk, gmsk,gsk)← KeyGen(1n, 1N )

(st, i0, i1,M∗)← AOpen(·,·)(gpk,gsk)

b←R 0, 1σ∗ ← Sign(gpk, gskib ,M

∗)

b′ ← AOpen(·,·)(st, σ∗)If b = b′ return 1, else return 0

Experiment ExptraceGS,A(n,N)

(gpk, gmsk,gsk)← KeyGen(1n, 1N )

(M∗, σ∗)← ASign(·,·),Corrupt(·)(gpk, gmsk)If Verify(gpk,M∗, σ∗) = 0 then return 0If Open(gmsk,M∗, σ∗) = ⊥ then return 1If ∃j∗ ∈ 1, . . . , N such that

Open(gpk, gmsk,M∗, σ∗) = j∗ and j∗ /∈ C,and (j∗,M∗) was not queried to Sign(·, ·) by A,

then return 1, else return 0

Fig. 1. Security games for group signatures

Definition 1 (Full anonymity). For any (static) group signature scheme GS, we asso-ciate to an adversary A against the full anonymity of GS experiment Expanon

GS,A(n,N)in the left-side of Fig. 1, where the Open(·, ·) oracle takes a valid message-signaturepair (M,σ) as inputs, outputs the index of the user whose secret key is used to create σ.In the guess phase, the adversary A is not allowed to make an Open query with inputs(M∗, σ∗). We define the advantage of A in the experiment as

AdvanonGS,A(n,N) =

∣∣∣∣Pr[ExpanonGS,A(n,N) = 1]− 1

2

∣∣∣∣ .

9

A group signature GS is said to be fully anonymous if the advantage AdvanonGS,A(n,N)

is negligible in n,N for any PPT adversary A.

In a weak definition of anonymity (i.e., CPA-anonymity), the adversary is not givenaccess to an open oracle. In this paper, we first present a CPA-anonymous scheme, thenwe extend it to satisfy full/CCA anonymity.

Definition 2 (Full traceability). For any (static) group signature scheme GS, we asso-ciate to an adversaryA against the full traceability of GS experiment Exptrace

GS,A(n,N)in the right-side of Fig. 1, where the Sign(·, ·) oracle takes a user index i and a messageM as inputs, returns a signature of M by using gski. The Corrupt(·) oracle takes auser index i as input, returns gski, and C is a set of user indexes that A submitted tothe Corrupt(·) oracle. The advantage of A in the experiment is defined as

AdvtraceGS,A(n,N) = Pr[Exptrace

GS,A(n,N) = 1].

A group signature GS is said to be fully traceable if the advantage AdvtraceGS,A(n,N) is

negligible in n,N for any PPT adversary A.

3 Lattices and Discrete Gaussians

An m-rank lattice Λ ⊂ Rn is the set of all integral combinations of m linearly indepen-

dent vectors B = (b1, . . . ,bm) ∈ Rn×m, i.e., Λ = L(B) =

∑mi=1 xibi : xi ∈ Z

.

The dual lattice of Λ is defined to be Λ∗ =x ∈ span(Λ) : ∀ v ∈ Λ, ⟨x,v⟩ ∈ Z

.

For x ∈ Λ, define the Gaussian function ρs,c(x) over Λ ⊆ Zn centered at c ∈ Rn

with parameter s > 0 as ρs,c(x) = exp(− π∥x− c∥2/s2

). Letting ρs,c(Λ) =∑

x∈Λ ρs,c(x), define the discrete Gaussian distribution over Λ as DΛ,s,c(y) =ρs,c(y)ρs,c(Λ) ,

where y ∈ Λ. The subscripts s and c are taken to be 1 and 0 (respectively) when omit-ted. For large enough s, almost all the elements from DΛ,s,c are not far from c.

Lemma 1 ([54,37]). For any n-dimensional lattice Λ with basis B ∈ Rn×n, vectorc ∈ Rn, and reals ϵ ∈ (0, 1), s ≥ ∥B∥ · ω(

√log n), we have Prx←RDΛ,s,c

[∥x− c∥ >s√n] ≤ 1−ϵ

1+ϵ · 2−n.

For any α ∈ R+, integer q ∈ Z, let Ψα be the distribution over T = R/Z of a normalvariable with mean 0 and standard deviation α/

√2π, reduced modulo 1. The discrete

distribution Ψα over Zq is the random variable ⌊q ·X⌉ mod q, where X ←R Ψα. Forsimplicity, we denote χα := Ψα.

Lemma 2 ([3]). Let e be some vector in Zm and let y←R χmα . Then the quantity |eTy|

treated as an integer in [0, q−1] satisfies |eTy| ≤ ∥e∥qαω(√logm)+∥e∥

√m/2 with

all but negligible probability in m. In particular, if x←R χα is treated as an integer in[0, q − 1] then |x| ≤ qαω(

√logm) + 1/2 with all but negligible probability in m.

We also need the following three useful facts from the literature:

10

Lemma 3 ([37]). Let n be a positive integer, q be a prime, and m ≥ 2n log q. Then forall but a 2q−n fraction of all A ∈ Zn×m

q and for any s ≥ ω(√logm), the distribution

of u = Ae mod q is statistically close to uniform over Znq , where e←R DZm,s.

Lemma 4 (Generalized Leftover Hash Lemma [34]). If H = H : X → Y H∈His a family of universal hash functions. Then, for any random variables W ∈ Xand I , the statistical difference between (H,H(W ), I) and (H,U, I) is at most 1

2 ·√2−H∞(W |I)|Y |, where H and U are uniformly distributed over H and Y , respec-

tively.

Lemma 5 ([2]). Let q be a prime, m > (n + 1) log q +ω(log n) and k = poly(n).Let the matrices A,B,R be uniformly and randomly chosen from Zn×m

q ,Zn×kq , and

−1, 1m×k, respectively. Then for all vectors w ∈ Zmq , the distribution of (A,AR,

RTw) is statistically close to the distribution of (A,B,RTw).

3.1 Learning with Errors (LWE) and Small Integer Solutions (SIS)

Let n ∈ Z+ and q = q(n) be integers, α ∈ R+, χα be some discrete Gaussian distribu-tion over Zq, and s ∈ Zn

q be some vector. Define As,χα ⊆ Znq × Zq as the distribution

of the variable (a,aT s + x), where a ←R Znq , x ←R χα, and all the operations

are performed in Zq. For m independent samples (a1, y1), . . . , (am, ym) from As,χα ,we denote it in matrix form (A,y) ∈ Zn×m

q × Zmq , where A = (a1, . . . ,am) and

y = (y1, . . . , ym)T . We say that an algorithm solves LWEq,χα if, for randomly cho-sen s ∈ Zn

q , given polynomial samples from As,χα it outputs s with overwhelmingprobability. The decisional variant of LWE is that, for a uniformly chosen s ←R Zn

q ,an algorithm is asked to distinguish As,χα from the uniform distribution over Zn

q × Zq

(with only polynomial samples). For certain modulus q, the average-case decisionalLWE problem is polynomially equivalent to its worst-case search version [58,56,8].

Proposition 1 ([58]). Let α = α(n) ∈ (0, 1) and let q = q(n) be a prime such thatαq > 2

√n. If there exists an efficient (possibly quantum) algorithm that solves LWEq,χα ,

then there exists an efficient quantum algorithm for approximating SIVP in the l2 norm,in the worst case, to within O(n/α) factors.

The Small Integer Solution (SIS) problem was introduced by Ajtai [5], but its nameis due to Micciancio and Regev [54], who improved Ajtai’s connection between SISand worst-case lattice problems.

Definition 3 (Small Integer Solution). The Small Integer Solution (SIS) problem in l2norm is: Given an integer q, a uniformly random matrix A ∈ Zn×m

q , and a real β, finda non-zero integer vector e ∈ Zm such that Ae = 0 (mod q) and ∥e∥ ≤ β.

Definition 4 (Inhomogeneous Small Integer Solution). The Inhomogeneous SmallInteger Solution (ISIS) problem in l2 norm is: Given an integer q, a uniformly randommatrix A ∈ Zn×m

q , a random syndrome u ∈ Znq , and real β ∈ R, find an integer vector

e ∈ Zm such that Ae = u (mod q) and ∥e∥ ≤ β.

11

The ISIS problem is an inhomogenous variant of SIS. Both problems were shownto be as hard as certain worst-case lattice problems.

Proposition 2 ([37]). For any polynomially bounded m,β = poly(n) and prime q ≥β · ω(

√n log n), the average-case problems SISq,m,β and ISISq,m,β are as hard as

approximating SIVP in the worst case to within certain γ = β · O(√n) factors.

3.2 q-ary Lattices and Trapdoors

Let A ∈ Zn×mq for some positive integers n,m and q. Consider the following two

integer lattices:

Λ⊥q (A) =

e ∈ Zm s.t. Ae = 0 mod q

Λq(A) =

y ∈ Zm s.t. ∃s ∈ Zn, ATs = y mod q

The two q-ary lattices defined above are dual when properly scaled, namely Λ⊥q (A) =

qΛq(A)∗ and Λq(A) = qΛ⊥q (A)∗. Moreover, for any h ∈ Z∗q , we have: Λ⊥q (A) =

Λ⊥q (hA).In 1999, Ajtai [6] showed how to sample an essentially uniform matrix A together

with a short basis of Λ⊥q (A). This trapdoor generation algorithm has been significantlyimproved in [7,53].

Proposition 3 ([7]). For any δ0 > 0, there is a PPT algorithm TrapGen that, on inputa security parameter n, an odd prime q = poly(n), and integer m ≥ (5 + 3δ0)n log q,outputs a statistically (mq−δ0n/2)-close to uniform matrix A ∈ Zn×m

q and a ba-sis TA ⊂ Λ⊥q (A) such that with overwhelming probability ∥TA∥ ≤ O(n log q)

and ∥TA∥ ≤ O(√n log q) = O(

√m). In particular, if let δ0 = 1

3 , we can choosem ≥ ⌈6n log q⌉.

The following proposition is implied by [31, Lem. 3.2 and Lem. 3.3], which showsthat there is an efficient algorithm to extract a random basis for (A∥B) by using a shortbasis of A such that the new basis statistically hides the information of its input basis.

Proposition 4 ([31]). There is a PPT algorithm ExtRndBasis which takes a matrixA′ = (A∥B) ∈ Zn×(m+m′)

q , a basis TA ∈ Zm×mq of Λ⊥q (A), an arbitrary matrix

B ∈ Zn×m′

q , and a real s ≥ ∥TA∥ ·ω(√logm) as inputs, outputs a random basis TA′

of Λ⊥q (A′) satisfying ∥TA′∥ ≤ s(m+m′) and ∥TA′∥ ≤ s

√m+m′.

Equipped with the above proposition, and the proof technique of [2, Th. 4], weobtain the following useful proposition:

Proposition 5. Let q > 2,m > n, there is a PPT algorithm ExtBasisRight whichtakes matrix A′ = (C∥A∥AR +B) ∈ Zn×(2m+m′)

q , a uniformly and randomly cho-sen R ∈ −1, 1m×m, a basis TB of Λ⊥q (B), arbitrary C ∈ Zn×m′

q and a Gaus-sian parameter s > ∥TB∥ ·

√mω(logm), outputs a basis TA′ of Λ⊥q (A

′) satisfying∥TA′∥ ≤ s(2m+m′) and ∥TA′∥ ≤ s

√2m+m′.

12

Proof. As shown in the proof of [2, Th. 4], we can use TB to efficiently sample a basisTA for the matrix A = (A∥AR + B) satisfying ∥TA∥ ≤ ∥TB∥ ·

√mω(√logm),

then we can apply Proposition 4 to obtain a basis TA′ for A′ = (C∥A) satisfying∥TA′∥ ≤ s

√2m+m′. Besides, by the property of the ExtRndBasis algorithm, the

claim still holds no matter how the (columns of) matrix C appears in A′. The following SuperSamp algorithm allows us to sample a random matrix B to-

gether with a short basis such that the columns of B lie in a prescribed affine subspaceof Zn

q .

Proposition 6 ([44]). Let q > 2,m > ⌈6n log q + n⌉, there is a PPT algorithmSuperSamp which takes matrices A ∈ Zn×m

q and C ∈ Zn×nq as inputs, and outputs

an almost uniform matrix B ∈ Zn×mq such that ABT = C, and a basis TB of Λ⊥q (B)

satisfying ∥TB∥ ≤ m1.5 · ω(√logm) and ∥TB∥ ≤ m · ω(

√logm).

Given a basis of Λ⊥q (A), there is an efficient algorithm to solve the (I)SIS problemas follows.

Proposition 7 ([37]). There is a PPT algorithm SamplePre that, given a basis TA

of Λ⊥q (A), a real s ≥ ∥TA∥ · ω(√logm) and a vector u ∈ Zn

q , outputs a vectore v DZm,s satisfying Ae = u.

3.3 Non-interactive Zero-Knowledge Proofs of Knowledge

In 2013, Laguillaumie et al. [44] adapted the protocol of [50,51] to obtain a zero-knowledge proof of knowledge for the ISIS problem in the random oracle model. Con-cretely, there is a non-interactive zero-knowledge proof of knowledge (NIZKPoK) forthe ISIS relations

RISIS = (A,y, β;x) ∈ Zn×mq × Zn

q × R× Zm : Ax = y and ∥x∥ ≤ β.

In particular, there is a knowledge extractor which, given two valid proofs with thesame commitment message but two different challenges, outputs a witness x′ satisfying∥x′∥ ≤ O(βm2) and Ax′ = y. By using the duality between LWE and ISIS, thereexists an NIZKPoK for the LWE relation:

RLWE = (A,b, α; s) ∈ Zn×mq × Zm

q × R× Znq : ∥b−AT s∥ ≤ αq

√m.

Actually, as noted in [52], given a random matrix A ∈ Zn×mq such that the columns

of A generate Znq (this holds with overwhelming probability for a uniformly random

A ∈ Zn×mq ), one can compute a matrix G ∈ Z(m−n)×m

q such that 1) the columnsof G generate Zm−n

q ; 2) GAT = 0. Thus, to prove (A,b, α; s) ∈ RLWE, one caninstead prove the existence of e such that ∥e∥ ≤ αq

√m and Ge = Gb. In particular,

in the construction of our group signature we need to prove that for given (A,b) ∈Zn×mq × Zm

q , there exist short vectors (e,x) such that ∥e∥ ≤ αq√m, ∥x∥ ≤ β and

b = AT s+pe+x for some s ∈ Znq , where p ≥ (αq

√m+β)m2. Similarly, this can also

be achieved by proving the existence of short vectors e and x such that pGe +Gx =

13

Gb using the NIZKPoK for ISIS relations. Formally, denoting γ = max(αq√m,β),

there exists an NIZKPoK for the extended-LWE (eLWE) relations

ReLWE = (A,b, γ; s, e,x) ∈ Zn×mq × Zm

q × R× Znq × Z2m :

b = AT s+ pe+ x and ∥e∥ ≤ γ and ∥x∥ ≤ γ.

4 Split-SIS Problems

Given uniformly random matrices (A1,A2) ∈ Zn×mq ×Zn×m

q , integer N = N(n) andβ = β(n), an algorithm solving the split-SISq,m,β,N problem is asked to output a tuple(x = (x1;x2), h) ∈ Z2m × Z such that

– x1 = 0 or hx2 = 0– ∥x∥ ≤ β, h ∈ [N ], and A1x1 + hA2x2 = 0.

Recall that the standard SISq,m′,β problem asks an algorithm to find a root of thehash function fA(x) = Ax = 0 mod q for a uniformly chosen matrix A and a“narrow” domain Dm′,β := x ∈ Zm′

: ∥x∥ ≤ β. While for the split-SISq,m,β,N

problem, the algorithm is allowed to “modify” the function by defining fA′(x′) =A′x′ for A′ = (A1∥A2x2) with arbitrarily x2 ∈ Dm,β , and outputs a root x′ =(x1, h) ∈ Dm,β × [N ]. Intuitively, the split-SISq,m,β,N problem is not harder thanSISq,2m,β problem. Since if x = (x1,x2) is a solution of the SISq,2m,β instance A =(A1∥A2), (x, 1) is a solution of the split-SISq,m,β,N instance (A1,A2) with N ≥ 1.

However, for prime q = q(n), and N = N(n) < q of a polynomial in n, weshow in the following theorem that the split-SISq,m,β,N problem is at least as hard asSISq,2m,β . Thus, the average-case hardness of the split-SIS problem is based on theworst-case hardness of SIVP by Proposition 2.

Theorem 1 (Hardness of Split-SIS Problems). For any polynomial m = m(n), β =β(n), N = N(n), and any prime q ≥ β · ω(

√n log n) > N , the split-SISq,m,β,N

problem is polynomially equivalent to SISq,2m,β problem. In particular, the average-case split-SISq,m,β,N is as hard as approximating the SIVP problem in the worst caseto within certain γ = β · O(

√n) factors.

Proof. The direction from split-SISq,m,β,N to SISq,2m,β is obvious. We now prove theother direction. Assume that there is an algorithm A that solves split-SISq,m,β,N withprobability ϵ, we now construct an algorithm B that solves SISq,2m,β with probabilityat least ϵ/N (recall that N is a polynomial in n). Formally, given a SISq,2m,β instanceA = (A1∥A2) ∈ Zn×2m

q , B randomly chooses an integer h∗ ←R [N ]. If h∗ = 0, Bsets A = A. Otherwise, B sets A = (h∗A1∥A2). Since q is a prime and N < q (i.e.,h∗ = 0 is invertible in Zq), we have that A is uniformly distributed over Zn×2m

q . Then,B gives A = (A1∥A2) to A, and obtains a solution (x = (x1;x2), h) ∈ Z2m × [N ]satisfying A1x1+hA2x2 = 0. If h∗ = h, B aborts. (Since h∗ is randomly chosen from[N ], the probability Pr[h∗ = h] is at least 1/N .) Otherwise, B returns y = (x1;0) ifh∗ = 0, else returns y = x. The first claim follows from the fact that y = 0, ∥y∥ ≤ β

and Ay = 0. Combining this with Proposition 2, the second claim follows.

14

4.1 A Family of Hash functions from Split-SIS Problems

We define a new family of hash functions based on the split-SIS problem, which plays akey role in reducing the sizes of the group public key and the signature in our construc-tion. Formally, for integers n,m, prime q, and polynomial β = β(n) ≥ ω(

√logm),

N = N(n) < q, we define Dm,β = x ←R DZm,β : ∥x∥ ≤ β√m, and a

hash function family Hn,m,q,β,N = fA : Dm,β,N → Znq × Dm,βA∈Zn×2m

q, where

Dm,β,N := Dm,β × Dm,β × [N ]. For index A = (A1∥A2) ∈ Zn×2mq , and input

(x1,x2, h) ∈ Dm,β,N , the hash value fA(x1,x2, h) := (A1x1 + hA2x2,x2) ∈Znq ×Dm,β . In the following, we show three properties ofHn,m,q,β,N , which are useful

to construct zero-knowledge proofs for the function inHn,m,q,β,N .

Theorem 2 (One-Wayness). For parameters m > 2n log q, β = β(n) > 2·ω(√logm),

prime q = q(n), and polynomial N = N(n) < q, if the split-SISq,m,√5mβ,N problem

is hard, then the family of hash functionsHn,m,q,β,N is one-way.

Proof. Assume that there is an algorithmA that breaks the one-wayness ofHn,m,q,β,N ,we construct an algorithm B that solves the split-SISq,m,

√5mβ,N problem. Actually,

given a split-SISq,m,√5mβ,N instance A = (A1∥A2) ∈ Zn×2m

q , B randomly chooses(x1,x2) ∈ DZm,β × DZm,β and h ←R [N ], and computes y = fA(x1,x2, h) =(A1x1 + hA2x2,x2). Then, it gives (A,y) to A, and obtains (x′1,x

′2, h′) satisfying

(A1x′1+h′A2x

′2,x′2) = y. Finally, if h ≥ h′, B outputs (x1, x2, h) = (x1−x′1,x2, h−

h′). Else, B outputs (x1, x2, h) = (x′1 − x1,x2, h′ − h).

It is easy to check that A1x1 + hA2x2 = 0 mod q, h ∈ [N ], and ∥(x1; x2)∥ ≤√5mβ with overwhelming probability by the standard tail inequality of the Gaussian

distribution DZm,β . We finish this proof by showing that Pr[x1 = 0] is negligible in n.Note that A can only obtain the information about x1 from A1x1. By [37, Lem. 5.2],this only leaks the distribution t + DΛ⊥

q (A1),β,−t for any t satisfying A1t = A1x1.Namely, x1 should be uniformly distributed over t + DΛ⊥

q (A1),β,−t from the view ofA. Combining this with [57, Lem. 2.16], we have Pr[x1 = x′1] is negligible in n. Inother words, we have Pr[x = 0] = 1− negl(n), which completes the proof.

Since fA(x1,0, h) = fA(x1,0, 0) holds for all h ∈ [N ], the function Hn,m,q,β,N

with domain Dm,β,N := Dm,β ×Dm,β × [N ] are not collision-resistant. However, ifwe slightly restrict the domain of Hn,m,q,β,N to exclude the above trivial case, we canprove that the family of Hn,m,q,β,N is collision-resistant. Formally, we slightly restrictthe domain ofHn,m,q,β,N to be D′m,β,N = (x1,x2, h) ∈ Dm,β,N : x2 = 0.

Theorem 3 (Collision-Resistance). For parameter m = m(n), β = β(n), prime q =q(n), and polynomial N = N(n) < q, if the split-SISq,m,

√5mβ,N problem is hard, then

the family of hash functionsHn,m,q,β,N with domain D′m,β,N is collision-resistant.

Proof. Assume there is a PPT algorithm A that can find collisions of Hn,m,q,β,N withnon-negligible probability ϵ, we construct an algorithm B solving split-SISq,m,

√5mβ,N

with the same probability. Concretely, after obtaining a split-SISq,m,√5mβ,N instance

A = (A1∥A2), B directly gives A to A, and obtains a pair of collisions (x1,x2, h) ∈D′m,β,N and (x′1,x

′2, h′) ∈ D′m,β,N satisfying (x1,x2, h) = (x′1,x

′2, h′) and fA(x1,

x2, h) = fA(x′1,x′2, h′). Note that in this case, we must have x2 = x′2 = 0. If

15

h ≥ h′, B returns (x1, x2, h) = (x1 − x′1,x2, h − h′), else it returns (x1, x2, h) =(x′1−x1,x2, h

′− h). By the assumption that (x1,x2, h) = (x′1,x′2, h′), the inequality

(x1, h) = 0 holds in both cases, i.e., we always have x1 = 0 or hx2 = 0. The claimfollows from the fact that ∥(x1; x2)∥ ≤

√5mβ and h ∈ [N ].

Finally, we show that the family of hash functionsHn,m,q,β,N statistically hides itsthird input.

Theorem 4. Let parameter m > 2n log q, β = β(n) > ω(√logm), prime q = q(n),

and polynomial N = N(n). Then, for a randomly chosen A = (A1∥A2) ∈ Zn×2mq ,

and arbitrarily x2 with norm ∥x2∥ ≤ β√m, the statistical distance between the fol-

lowing two distributions:

(A, fA(x1,x2, h), h) : x1 ←R Dm,β , h←R [N ]

and(A, (u,x2), h) : u←R Zn

q , h←R [N ]

is negligible in n.

Proof. Since the second output of fA(x1,x2, h) (i.e., x2) is independent from thechoices of h, we only have to show that, for arbitrarily x2 and h, the distributionA1x1 + hA2x2 : x1 ←R Dm,β is statistically close to uniform over Zn

q . Actu-ally, using the fact that β ≥ ω(

√logm) together with Lemma 3, we have that the

distribution of A1x1 is statistically close to uniform over Znq when x1 ←R DZm,β . The

claim of this theorem follows from the fact that the statistical distance between DZm,β

and Dm,β is negligible, and that the distribution u + hA2x2 : u ←R Znq is exactly

the uniform distribution over Znq for arbitrary x2 ∈ Dm,β , h ∈ [N ].

4.2 Zero-Knowledge Proof of Knowledge for the Hash Functions

In this subsection, we present a proof of knowledge protocol for the family of hash func-tions Hn,m,q,β,N . Concretely, given a matrix A = (A1∥A2), a vector y = (y1,y2) ∈Znq × Zm with 0 < ∥y2∥ ≤ β

√m, the prover can generate a proof of knowledge of

x = (x1,x2, h) ∈ Z2m+1 satisfying ∥x1∥ ≤ β√m, h ∈ [N ] and fA(x1,x2, h) =

(Ax1+hA2x2,x2) = y. Since x2 must be equal to y2, the protocol is actually a proofof knowledge for the relation

Rsplit-SIS = (A,y, β,N ;x1, h) ∈ Zn×2mq × (Zn

q × Zm)× R× Z× Zm × Z :A1x1 + hA2y2 = y1, ∥x1∥ ≤ β

√m and h ∈ [N ].

Intuitively, we can adapt a variant of the protocols for ISIS relations in [50,51,44]for our purpose, since one can rewrite y1 = A1x1 + hA2y2 = (A1∥A2y2)(x1;h).However, this may not work when N ≫ β. Since the basic idea of [50,51,44] is touse randomness from a “large width” distribution (compared to the distribution of thewitness) to hide the distribution of the witness, the width of the randomness distributionshould be sufficiently larger than N in our case, which might lead to a proof withoutsoundness guarantee.

16

Fortunately, we can borrow the “bit-decomposition” technique from [23,22,24] todeal with large N . The idea is to decompose h ∈ [N ] into a vector of small elements,and then prove the existence of such a vector for h. Formally, for any h ∈ [N ], wecompute the representation of h in base β = ⌊β⌋, namely, a ℓ-dimension vector vh =

(v0, . . . , vℓ−1) ∈ Zℓ such that 0 ≤ vi ≤ β − 1 and h =∑ℓ−1

i=0 viβi, where ℓ =

⌈logβ N⌉. Denote b = A2y2, compute D = (b, βb, . . . , βℓ−1b) ∈ Zn×ℓq . It is easy

to check that for any vector e ∈ Zℓ, there exists a h′ ∈ Zq such that De = h′b

mod q. (h′ ∈ Zq is unique if b = 0.) In particular, we have that y1 = Ax, whereA = (A1∥D) ∈ Zn×(m+ℓ)

q , x = (x1;vh) ∈ Zm+ℓ and ∥x∥ ≤ β√m+ ℓ. Since β > 2

and N is a polynomial in n, we have ℓ≪ m and ∥x∥ < η = β√2m.

We first present a Σ-protocol for the function family Hn,m,q,β,N , which repeats abasic protocol with single-bit challenge t = ω(logn) times in parallel. As in [51,44],the basic protocol makes use of the rejection sampling technique to achieve zero-knowledge. Formally, let γ = η ·m1.5, denote ζ(z,y) = 1−min(

DZm+ℓ,γ(z)

Ml·DZm+ℓ,y,γ(z) , 1),

where y, z ∈ Zm+ℓ, and the constant Ml ≤ 1 + O( 1m ) is set according to Lemma 4.5

in [51], the protocol is depicted in Fig 2.

Prover Verifier

CRS: A ∈ Zn×(m+ℓ)q ,y1 ∈ Zn

q

Private input: x ∈ Zm+ℓ

For i ∈ 0, . . . , t− 1ei ←R DZm+ℓ,γ

ui = Aei

U = (u0, . . . ,ut−1)c←R 0, 1t

c = (c0, . . . , ct−1)zi = ei + cixSet zi = ⊥ with probability ζ(zi, cix)

Z = (z0, . . . , zt−1)Set di = 1 if ∥zi∥ ≤ 2γ

√m + ℓ

and Azi = ui + ciy1

Accept iff∑

i di ≥ 0.65t

Fig.2.Σ-protocolforRsplit-SIS

By[51,Th.4.6]wehavePr[zi=⊥]≈1Ml=1−O(

1m)foreachi∈0,...,t−1.

Inaddition,Pr[∥zi∥≤2γ√m+ℓ|zi=⊥]=1−negl(m)by[51,Lem.4.4].A

simplecalculationshowsthatthecompletenesserroroftheprotocolisatmost2−Ω(t)

(whenmissufficientlylarge,e.g.,m>100).Besides,theprotocolhasthepropertyofspecialHonest-VerifierZeroKnowledge(HVZK).Namely,givenachallengeci,thereexistsasimulatorSthatoutputsadistribution(ui,ci,zi)statisticallyclosetotherealtranscriptdistribution.Concretely,Sfirstchooseszi←RDZm+ℓ,γ,andcomputesui=Azi−ciy1modq.Then,itsetszi=⊥withprobability1−

1Ml,andout-

puts(ui,ci,zi).ByTheorem4,thetermAzi(modq)isstatisticallyclosetouniformoverZ

nq,thusthedistributionofuiisstatisticallyclosetothatintherealproof.More-

17

over, by [51, Th. 4.6], the distribution of zi is also statistically close to that in the realtranscripts.

Finally, since the binary challenges (i.e., c ) are used, the above protocol has theproperty of special soundness. Actually, given two transcripts (U, c,Z) and (U, c′,Z′)with distinct challenges c = c′, one can extract a “weak” witness x′ = zi−z′i for somei satisfying Ax′ = y1 and ∥x′∥ ≤ 4γ

√2m.

Applying the “Fiat-Shamir Heuristic” [35] in a standard way, one can obtain anNIZKPoK by computing c = H(ρ,U), where H : 0, 1∗ → 0, 1t is modeled as arandom oracle, and ρ represents all the other auxiliary inputs, e.g., a specified messageM to be signed. Finally, due to the nice property of Σ-protocol, one can easily combinethe protocol to prove EQ-relation, OR-relation, and AND-relation, we omit the details.

5 A Simple and Efficient Group Signature from Lattices

In this section, we present our CPA-anonymous lattice-based group signature, whichcan be easily extended to support CCA anonymity by replacing the underlying encryp-tion with a CCA one.

5.1 Our Construction

Assume that the security parameter is n, and δ is a real such that n1+δ > ⌈(n+1) log q+n⌉, all other parameters m, s, α, β, η, p, q are determined as follows:

m = 6n1+δ

s = m · ω(logm)

β = s√2m · ω(

√log 2m) = m1.5 · ω(log1.5 m)

p = m2.5β = m4 · ω(log1.5 m)

q = m2 ·max(pm2.5 · ω(logm), 4N) = m2.5 max(m6 · ω(log2.5 m), 4N)α = 2

√m/q

η = max(β, αq)√m = m2 · ω(log1.5 m)

(1)

Now, we present our group signature GS = (KeyGen,Sign,Verify, Open):

– KeyGen(1n, 1N ): Take the security parameter n and the maximum number N ofgroup members as inputs, set an integer m ∈ Z, primes p, q ∈ Z, and s, α, β, η ∈ Ras above, and choose a hash function H : 0, 1∗ → 0, 1t (modeled as randomoracle) for the NIZKPoK proof, where t = ω(log n). Then, the algorithm proceedsas follows:1. Compute (A1,TA1) ← TrapGen(n,m, q), and randomly choose A2,1,A2,2

←R Zn×mq .

2. Compute (B,TB)← SuperSamp(n,m, q,A1,0).3. For j = 1, . . . , N , define Aj = (A1∥A2,1 + jA2,2), extract a basis TAj

←ExtRndBasis(Aj , TA1 , s) such that ∥TAj

∥ ≤ s√2m.

18

4. Define the group public key gpk = A1,A2,1,A2,2,B, the group managersecret key gmsk = TB, and the group member’s secret keys gsk = gskj =TAjj∈1,...,N

– Sign(gpk, gskj ,M): Take the group public key gpk = A1,A2,1,A2,2,B, thej-th user’s secret key gskj = TAj

, and a message M ∈ 0, 1∗ as inputs, proceedas follows:1. Compute (x1,x2)← SamplePre(Aj ,TAj

, β,0), where x1,x2 ∈ DZm,β .2. Choose s←R Zn

q , e←R χα, and compute

c = BT s+ pe+ x1

3. Generate a NIZKPoK proof π1 of (s, e,x1) such that (B, c, η; s, e,x1) ∈ReLWE.

4. Let β := ⌊β⌋ and ℓ = ⌈logβ N⌉, define b = A2,2x2, and D = (b, βb, . . . ,

βℓ−1b) ∈ Zn×ℓq . Generate a NIZKPoK π2 of x1, e, and vj = (v0, . . . , vℓ−1) ∈

Zℓβ

of j ∈ [N ] such that,

A1c+A2,1x2 = (pA1)e−Dvj , andA1c = (pA1)e+A1x1

(2)

where the challenge is computed by H(c,x2, π1,M,Com), and Com is thecommitment message for the NIZKPoK proof of π2. (Note that the proof, i.e.,π2, is actually a standard composition of our protocol in Section 4.2 and theprotocol for RISIS [44,51] according to the nice property of the underlying Σ-protocol. More discussions are given in the the appendix A.)

5. Output the signature σ = (c,x2, π1, π2).– Verify(gpk,M, σ): Parse σ = (c,x2, π1, π2), return 1 if ∥x2∥ ≤ β

√m, A2,2x2 =

0, and the proofs π1, π2 are valid, else return 0.– Open(gpk, gmsk,M, σ): Parse gpk = A1,A2,1,A2,2,B and gmsk = TB,

compute x1 by decrypting c using TB. Then, compute y0 = A2,2x2 and y1 =−A1x1 −A2,1x2. If y0 = 0 and there is a j ∈ Z∗q such that y1 = j · y0 mod q,output j, else output ⊥.

Remark 1. One can decrypt c by first computing TTB · c = TT

B(pe + x1) mod q. If∥TT

B(pe + x1)∥∞ < q/2, one can expect that TTB(pe + x1) = (TT

Bc mod q) holdsover Z. Thus, x = (pe+x1) can be solved by using Gaussian elimination over Z sinceTB ∈ Zm×m is full-rank. Finally, x1 = x mod p can be successfully recovered if∥x1∥∞ < p/2.

For the correctness of our group signature scheme, we have the following theorem.

Theorem 5. Assume n is the security parameter, and all other parameters m, s, α, β,η, p, q are functions of n defined as in (1), where p, q are primes. Then, the group signa-ture GS is correct, and the group public key and the signature have bit-length 4nm log qand O(tm log q), respectively, where t = ω(logn).

19

Proof. Since we set m = 6n1+δ > ⌈6n log q + n⌉, the two algorithms TrapGen andSuperSamp can work correctly with overwhelming probability. In particular, we have∥TA1∥ ≤ O(

√m), and ∥TB∥ ≤ m1.5 ·O(

√logm) by Proposition 3 and Proposition 6.

By Proposition 4, we have ∥TAj∥ ≤ s

√2m for all i ∈ 1, . . . , N with overwhelming

probability. Since the group public key only contains four matrices over Zn×mq , it has

bit-size 4nm log q = O(nm log q).For the Sign algorithm, since β = s

√2m · ω(

√log 2m) ≥ ∥TAj

∥ · ω(√log 2m),

we have x1,x2 v DZm,β by the correctness of the SamplePre algorithm in [37], and∥xi∥ ≤ β

√m with overwhelming probability. In addition, since e is chosen from

χα, we have ∥e∥ ≤ αq√m with overwhelming probability. By the choices of η =

max(β, αq)√m, the algorithm can successfully generate the proofs π1 and π2. For the

bit-length of the signature σ = (c,x2, π1, π2), we know that both the bit-length of cand x2 are at most m log q. In addition, if we set the repetition parameter t = ω(log n)for the proof π1 and π2, the bit-length of π1 and π2 are at most (3m − n)t log q and(2m + 2n + ℓ)t log q, respectively. Thus, the total bit-length of the signature σ is lessthan 2m log q + (5m + n + ℓ)t log q = O(t(m + logN) log q) = O(tm log q) sinceℓ = ⌈logβ N⌉ ≪ n and m = O(n log q).

Note that x2 v DZm,β ,1 therefore Pr[A2,2x2 = 0] ≤ O(q−n) by Lemma 3.Moreover, by the completeness of π1 and π2, the algorithm Verify will work correctlywith overwhelming probability. As for the Open algorithm, we only have to show thatwe can correctly decrypt x1 from c by using TB. Since TT

B · c = TTB(pe + x1)

mod q holds, one can expect that TTB(pe + x1) = (TT

Bc mod q) holds over Z if∥TT

B(pe + x1)∥∞ < q/2. Thus, one can solve x = (pe + x1) by Gaussian elimina-tion over Z since TB ∈ Zm×m is full-rank. Moreover, by the choices of p and β, wehave ∥x1∥∞ ≤ ∥x1∥ < p, therefore x1 can be recovered by computing x mod p. Wefinish this proof by showing that ∥TT

B(pe+ x1)∥∞ < q/2. Actually, by Lemma 2 andLemma 1, we have ∥pe+x1∥ ≤ 3m6 ·ω(log3 m). By Proposition 6, we have ∥TB∥ ≤m1.5 ·ω(

√logm). It is easy to check that ∥TT

B(pe+x1)∥∞ ≤ 3m8 ·ω(log3.5 m)≪ q,which satisfies the requirement.

5.2 The Security.

For security, namely CPA-anonymity and full traceability, we have the following twotheorems.

Theorem 6 (CPA-Anonymity). Under the LWE assumption, our group signature GSis CPA-anonymous in the random oracle model.

Proof. We prove Theorem 6 via a sequence of games.In game G0, the challenger honestly generates the group public key gpk = A1,

A2,1,A2,2,B, the group manager secret key gmsk = TB, and the group member’s1 As noted by Cash et al. [31], the output distribution of the SamplePre algorithm in [37] is

statistically close to the distribution (x1,x2) that samples as follows: randomly choose x2 ←R

DZm,s, and then compute x1 using TA1 to satisfy the condition A1x1+(A2,1+jA2,2)x2 =0. We note that this is also the reason why we do not encrypt x2 as in [44], since it leaks littleinformation about j without x1.

20

secret key gsk = gskj = TAjj∈1,...,N by running the KeyGen algorithm. Then,

it gives (gpk,gsk) to the adversary A, and obtains a message M , and two user in-dexes i0, i1 ∈ 1, . . . , N. Finally, the challenger randomly chooses a bit b←R 0, 1,computes σ∗ = (c∗,x∗2, π

∗1 , π∗2)← Sign(gpk, gskib ,M), and returns σ∗ to A.

In Game G1, the challenger behaves almost the same as in G0, except that it usesthe NIZKPoK simulators (by appropriately programming the random oracle) to gener-ate π∗1 , π

∗2 . By the property of the NIZKPoKs, G1 is computationally indistinguishable

from G0.In Game G2, the challenger behaves almost the same as in G1, except that it first

chooses x∗2 from DZm,β , and then uses TA1 to extract x∗1 such that Aib(x∗1;x∗2) = 0.

By the property of the SamplePre algorithm from [37,31], Game G2 is statisticallyclose to Game G1

In Game G3, the challenger behaves almost the same as in G2, except that it com-putes c∗ = u+ x∗1 with a randomly chosen u←R Zm

q .

Lemma 6. Under the LWE assumption, Game G3 is computationally indistinguishablefrom Game G2.

Proof. Assume there is an algorithm A which distinguishes G2 from G3 with non-negligible probability. Then, there is an algorithm B that breaks the LWE assumption.Formally, given a LWE tuple (B, u) ∈ Zn×m

q × Zmq , B sets B = pB, and computes

(A1,TA1) ← SuperSamp(n,m, q,B,0). Then, it chooses A2,1,A2,2 ←R Zn×mq .

For j = 1, . . . , N , define Aj = (A1∥A2,1 + jA2,2), extract a random basis TAj←

ExtRndBasis(Aj ,TA1 , s). Finally, B gives the group public key gpk = A1,A2,1,A2,2,B, and the group members’ secret keys gsk = gskj = TAj

j∈1,...,N to A.Note that the distributions of gpk,gsk are statistically close to that in Game G2 and G3

by Proposition 4.When generating the challenge signature, B behaves the same as the challenger in

G2, except that it computes c = pu + x∗1. We note that if (B, u) is a LWE tuple withrespect to the error distribution χα, c is the same as in G2. Otherwise, we have that puis uniformly distributed over Zm

q (since p, q are primes, and p < q), which shows that chas the same distribution as in G3. If A can distinguish G2 from G3 with advantage ϵ,then B can break the LWE assumption with advantage ϵ− negl(k).

In Game G4, the challenger behaves almost the same as in G3, except that it ran-domly chooses c∗ ←R Zm

q .

Lemma 7. In Game G4, the probability that b′ = b is exactly 1/2.

Proof. The claim follows from the fact that the signature σ∗ in G4 is independent fromthe choice of ib.

Theorem 7 (Traceability). Under the SIS assumption, our group signature GS is fullytraceable in the random oracle model.

Proof. Assume that there is an adversary A that breaks the full traceability of GS, weconstruct an algorithm B breaking the SIS assumption. Formally, B is given a matrixA ∈ Zm

q and tries to find a solution x ∈ Zmq such that ∥x∥ ≤ poly(m) and Ax = 0.

21

Setup. B randomly chooses R ←R −1, 1m×m and j∗ ←R −4m2.5N + 1, . . . ,4m2.5N − 1, and computes (A2,2,TA2,2) ← TrapGen(n,m, q). Then, it setsA1 = A and A2,1 = A1R−j∗A2,2. Finally, compute (B,TB)← SuperSamp(n,m, q,A1,0), and give the group public key gpk = A1,A2,1,A2,2,B, and thegroup manager secret key gmsk = TB to the adversary A.

Secret Key Queries. Upon receiving the secret key query for user j from A, B abortsif j = j∗ or j /∈ 1, . . . , N. Otherwise, it defines Aj = (A1∥A2,1 + j∗A2,2) =(A1∥A1R+(j−j∗)A2,2), extracts a random basis TAj

← ExtBasisRight(Aj ,R,

TA2,2 , s),2 and returns it to A.

Sign Queries. Upon receiving a signing query for message M under user j from A, Breturns ⊥ if j /∈ 1, . . . , N. Else if j = j∗, B generates a signature on M usingthe NIZKPoK simulators for π1 and π2 (i.e., by simply choosing c ←R Zm

q andx2 ←R DZm,s). Otherwise, it generates the signature by first extracting the j-thuser’s secret key as in answering the secret key queries.

Forge. Upon receiving a forged valid signature σ = (c,x2, π1, π2) with probability ϵ,B extracts the knowledge e,x1 and vj with norm at most 4ηm2 by programmingthe random oracle twice to generate two different “challenges”. By the forkinglemma of [12], B can succeed with probability at least ϵ(ϵ/qh − 2−t), where qhis the maximum number of hash queries of A. Then, B decrypts c using TB, andobtains (e′,x′1), and distinguishes the following cases:

– If (x′1, e′) = (x1, e), we have A1c = pA1e+A1x1 = pA1e

′+A1x′1. Thus,

x = p(e−e′)+(x1−x′1) is a solution of the SIS problem,B returns x as its ownsolution. Note that in this case, we have ∥x∥ ≤ 8(p+1)ηm2 = m8 ·ω(log3 m).

– Otherwise, if (x′1, e′) = (x1, e), we have A1x1 +A2,1x2 + jA2,2x2 = 0 ac-

cording to equation (2) of π2, where j =∑ℓ−1

i=0 viβi and vh = (v0, . . . , vℓ−1).

A simple calculation indicates that |j| < 4m2.5N < q (we note that ∥vh∥ ≤4ηm2 = 4βm2.5). Since A2,2x2 = 0 and q is a prime, the open algorithmwill always output j, namely, it will never output ⊥. In addition, if j = j∗, Baborts. Otherwise, B returns x = x1 +Rx2 as its own solution.Since j∗ is randomly chosen from −4m2.5N + 1, . . . , 4m2.5N − 1, theprobability that j∗ = j is at least 1

8m2.5N . Conditioned on j∗ = j, we haveA1x1 + A2,1x2 + jA2,2x2 = A1x1 + A1Rx2 = 0, which shows thatx = x1 +Rx2 is a solution of the SIS problem, in particular, we have ∥x∥ ≤ηm2.5 · ω(

√logm) = m4.5ω(log2 m) by [2, Lem. 5].

In all, the probability that B solves the SIS problem is at least ϵ(ϵ/qh−2−t)8m2.5N , which

is non-negligible if ϵ is non-negligible. Moreover, since the norm of x is at most m8 ·ω(log3 m) and q ≥ m8.5 · ω(log2.5 m), we have that the security of our scheme isbased on the hardness of the SIVP problem in the worst case to within a polynomialapproximation factor, by Proposition 2.

6 Achieving Full Anonymity

In this section, we present a group signature scheme with CCA-anonymity. First, weintroduce a primitive called full-rank differences function.

2 Recall that TA2,2 is also a short basis of Λ⊥q (j ·A2,2) for all j = 0 mod q.

22

Definition 5 ([2]). Let q be a prime and n be a positive integer. We say that a functionH : Zn

q → Zn×nq is an encoding with full-rank differences (FRD) if:

– for any x = y, the matrix H(x)−H(y) ∈ Zn×nq is full rank;

– H is computable in polynomial time in n log q.

Let SIG = (KeyGen,Sign,Ver) be a one-time strongly existentially unforgeable(ot-sEUF) signature scheme (please refer to Appendix B for a formal definition), andH : 0, 1∗ → Zn×n

q be an encoding with full-rank differences. Assume that the se-curity parameter is n, and δ is a real such that n1+δ > ⌈(n + 1) log q + n⌉, all otherparameters m, s, α, β, η, p, q are determined as follows:

m = 6n1+δ

s = m · ω(logm)

β = s√3m · ω(

√log 3m) = m1.5 · ω(log1.5 m)

p = m2.5β = m4 · ω(log1.5 m)

q = m2.5 ·max(pm2.5 · ω(logm), 4N) = m2.5 max(m6.5 · ω(log2.5 m), 4N)α = 2

√m/q

η = max(β, αq√m)√2m = m2 · ω(log1.5 m)

(3)

Now, we extend our basic group signature GS to GS ′ = (KeyGen,Sign,Verify,Open)by replacing the underlying encryption with a CCA one:

– KeyGen(1n, 1N ): Take the security parameter n and the maximum number of groupmembers N as inputs, set an integer m ∈ Z, primes p, q ∈ Z, and s, α, β, η ∈ Ras in (3), and choose a hash function H : 0, 1∗ → 0, 1t (modeled as randomoracle) for the NIZKPoK proof, where t = ω(log n). Then, the algorithm proceedsas follows:1. Compute (A1,1,TA1,1) ← TrapGen(n,m, q), and randomly choose A1,2,

A2,1,A2,2 ←R Zn×mq . Denote A1 = (A1,1∥A1,2) ∈ Zn×2m

q .2. Randomly choose B2,1 ←R Zn×m

q , compute (B1,TB1)← SuperSamp(n,m,

q,A1,1,−A1,2BT2,1) and (B2,2,TB2,2)← SuperSamp(n,m, q,A1,2,0). It is

easy to check that for any matrix C, we have A1(B1∥B2,1 +CB2,2)T = 0.

3. For j = 1, . . . , N , define Aj = (A1∥A2,1 + jA2,2) ∈ Zn×3mq , extract a

random basis TAj← ExtRndBasis(Aj ,TA1,1 , s).

4. Define the group public key gpk = A1,1,A1,2,A2,1,A2,2,B1,B2,1,B2,2,the group manager secret key gmsk = TB1 , and the group member’s secretkey gsk = gskj = TAj

j∈1,...,N.– Sign(gpk, gskj ,M): Take the group public key gpk = A1,1,A1,2,A2,1,A2,2,B1,B2,1,B2,2, the j-th user’s secret key gskj = TAj

, and a message M ∈0, 1∗, proceed as follows:1. Compute (x1,x2) ← SamplePre(Aj ,TAj

,0, β), where x1 ∈ DZ2m,β ,x2 ∈DZm,β .

2. Generate a one-time signature verification and signing keys (svk, ssk) ←SIG.KeyGen(1k), denote Bsvk = (B1∥B2,1+H(svk)B2,2) ∈ Zn×2m

q . Ran-domly choose s←R Zn

q , e←R χmα , and R←R 0, 1m×m, compute

c = BTsvks+ pe+ x1, where e =

(e

RTe

)

23

3. Generate a NIZKPoK proof π1 of (e,x1) so that (Bsvk, c, η; s, e,x1) ∈ ReLWE.4. Let β := ⌊β⌋ and ℓ = ⌈logβ N⌉, define b = A2,2x2, and D = (b, βb, . . . ,

βℓ−1b) ∈ Zn×ℓq . Generate a NIZKPoK π2 of x1, e = (e;RTe), and vj =

(v0, . . . , vℓ−1) ∈ Zℓβ

of j ∈ [N ] such that,

A1c+A2,1x2 = (pA1)e−Dvj , andA1c = (pA1)e+A1x1

(4)

where the challenge is computed by H(svk, c,x2, π1,M,Com), and Com isthe commitment message for the NIZKPoK proof of π2.

5. Denote σ1 = (c,x2, π1, π2), compute σ2 = SIG.Sign(ssk, σ1), return thegroup signature σ = (svk, σ1, σ2).

– Verify(gpk,M, σ): Parse σ = (svk, σ1 = (c,x2, π1, π2), σ2), return 1 if SIG.Ver(svk, σ1, σ2) = 1, ∥x2∥ ≤ β

√m, A2,2x2 = 0, and the proofs π1, π2 are valid, else

return 0.– Open(gpk, gmsk,M, σ): Parse gpk = A1,1,A1,2,A2,1,A2,2,B1,B2,1,B2,2

and gmsk = TB1 . Denote Bsvk = (B1∥B2,1 +H(svk)B2,2) ∈ Zn×2mq , extract

a basis TBsvk← ExtRndBasis(Bsvk, TB1 , s

√m · ω(

√logm)). Compute x1 by

decrypting c using TBsvk, and let y1 = A2,2x2 and y2 = −A1x1 − A2,1x2. If

y1 = 0 and there is a j ∈ Z∗q such that y2 = j · y1, return j, else ⊥.

We summarize the correctness of GS ′ in the following theorem. The proof is verysimilar to Theorem 5, we omit the details.

Theorem 8. Assume that n is the security parameter, and all other parameters m, s, α,β, η, p, q are functions of n defined as in (3), where p, q are primes. Then, the groupsignature GS ′ is correct, and the group public key and the signature have bit-lengthO(nm log q) and O(tm log q)+ lSIG , respectively, where lSIG is the total bit-length ofthe verification key and signature (i.e., svk and σ2) of the underlying one-time signa-ture.

6.1 Full Anonymity

Theorem 9 (Full Anonymity). Under the LWE assumption, our group signature GS ′is fully anonymous in the random oracle model.

Proof. We prove the theorem via a sequence of games.In game G0, the challenger honestly creates the group public key gpk = A1,1,

A1,2,A2,1,A2,2,B1, B2,1,B2,2, the group manager’s secret key gmsk = TB1 ,and the group member’s secret key gsk = gskj = TAj

j∈1,...,N by running theKeyGen algorithm. Then, it gives (gpk,gsk) to the adversary, and obtains a messageM , and two user indexes i0, i1. Finally, the challenger chooses a bit b←R 0, 1, com-putes σ∗ = (svk∗, σ∗1 = (c∗,x∗2, π

∗1 , π∗2), σ

∗2) ← Sign(gpk, gskib ,M), and returns σ∗

to the adversary A.In Game G1, the challenger behaves almost the same as in G0, except that it uses the

NIZKPoK simulators (by appropriately programming the random oracle) to generateπ∗1 , π

∗2 . By the property of the NIZKPoKs, G1 is indistinguishable from G0.

24

In Game G2, the challenger behaves almost the same as in G1, except that it gener-ates a one-time signature key pair (svk∗, ssk∗) ← SIG.KeyGen(1k) at the beginningof the experiment, and aborts when A outputs a valid signature σ = (svk∗, σ1, σ2) =σ∗, where σ∗ is the challenge signature.

Lemma 8. If the signature SIG is one-time strongly existentially unforgeable (ot-sEUF)for any PPT forger, then Game G2 is computationally indistinguishable from G1.

Proof. If there is an adversaryA that outputs a valid signature σ = (svk∗, σ1, σ2) = σ∗,we can construct a forger F that breaks the strong unforgeability of SIG. Actually,given a challenge verification key svk∗ from the challenger of the ot-sEUF securitygame (please refer to Appendix B), F behaves almost the same as the challenger inG2 to simulate the attack environment for A, except that it uses svk∗ in generating thechallenge signature σ∗ by making a signing query to its own signing oracle. WheneverA outputs a valid signature σ = (svk∗, σ1, σ2) = σ∗, F returns (σ1, σ2) as its ownforgery. Obviously, if A can output a valid signature with probability ϵ, F can suc-cessfully forge a signature for the underlying one-time signature almost with the sameprobability ϵ.

In Game G3, the challenger behaves almost the same as in G2, except that it firstchooses x2 from DZm,β , and then uses the trapdoor TA1,1 to extract x1 such thatAib(x1;x2) = 0. By the property of the SamplePre algorithm in [37,31], we havethat Game G3 is statistically close to Game G2 .

In Game G4, the challenger behaves almost the same as in G3, except that it com-putes c∗ = u+ x1 for a randomly chosen u←R Z2m

q .

Lemma 9. Under the LWE assumption, Game G4 is computationally indistinguishablefrom Game G3.

Proof. Assume that there is an algorithm A which distinguishes G3 from G4 with non-negligible probability. We will show that there is an algorithm B breaking the LWEassumption. Formally, given a LWE tuple (B,u) ∈ Zn×m

q ×Zmq , B sets B1 = pB. Ran-

domly choose A1,2,A2,1,A2,2 ←R Zn×mq and R ∈ 0, 1m×m, generate a one-time

signature pair (svk∗, ssk∗)← SIG.KeyGen(1k). Then, it computes the public parame-ters (B2,2,TB2,2)← SuperSamp(n,m, q,A1,2,0), B2,1 = B1R−H(svk∗)B2,2, and(A1,1,TA1,1)← SuperSamp(n,m, q,B1,−B2,1A

T1,2). Denote A1 = (A1,1∥A1,2).

For j = 1, . . . , N , define Aj = (A1∥A2,1 + jA2,2), extract a random basisTAj

← ExtRndBasis(Aj , TA1,1 , s). Finally, B gives the group public key gpk =A1,1,A1,2,A2,1,A2,2, B1,B2,1,B2,2, and the group member’s secret key gsk =gskj = TAj

j∈1,...,N to A, and keeps TB2,2 secret. Note that the distribution ofgpk,gsk is statistically close to that in Game G3 and G4.

If A submits a valid signature σ = (svk∗, σ1, σ2) = σ∗ to the open oracle, Baborts as in Game G3. Otherwise, B defines Bsvk = (B1∥B2,1 + H(svk)B2,2) =

(B1∥B1R+ (H(svk)−H(svk∗))B2,2), and extracts TBsvk= ExtBasisRight(Bsvk,

R,TB2,2 , s√m · ω(

√logm)) (we note that TB2,2 is also a basis for Λ⊥q (CB2,2) for

any full-rank C ∈ Zn×nq , since Λ⊥q (CB2,2) = Λ⊥q (B2,2)). Finally, it uses TBsvk

asdescribed in the Open algorithm to answer this query.

25

When generating the challenge signature, B works the same as in G2, except that it

computes c = p

(u

RTu

)+ x1. We note that if (B,u) is a LWE tuple for distribution

χα, c is the same as in G3. Otherwise, we show that(

uRTu

)is statistically close to

uniform over Z2mq in Lemma 10, which shows that the distribution of c is statistically

close to that in G4. Thus, ifA can distinguish G3 from G4 with advantage ϵ, then B canbreak the LWE assumption with advantage ϵ− negl(k). This completes the proof.

Lemma 10. Given randomly chosen B1 ←R Zn×mq and u ←R Zm

q , the distributionof (B1R,u,RTu) is statistically close to uniform over Zn×m

q × Zmq × Zm

q , where Ris randomly chosen from −1, 1m×m.

Proof. By Lemma 5, the distribution (B1R,u,RTu) is statistically close to (C,u,RTu), where C is randomly chosen from Zn×m

q . Since the hash function defined byinner-product is a family of universal hash functions we have that the statistical distancebetween (u,RTu) and (u,v) for uniformly chosen v ∈ Zm

q is at most 12

√2−m2+m log q

by Lemma 4, which is negligible in n if m ≥ 2n + log q (thus, the choice of m =Ω(n log q) suffices). This shows that (B1R,u,RTu) is statistically close to (C,u,v).

In Game G5, the challenger behaves almost the same as in G1, except that it ran-

domly chooses c∗ ←R Z2mq .

Lemma 11. In Game G5, the probability that b′ = b is exactly 1/2.

Proof. This lemma follows from the fact that the signature σ∗ in G5 is independent fromthe choice of ib.

6.2 Traceability

Theorem 10 (Traceability). Under the SIS assumption, our group signature GS ′ isfully traceable in the random oracle model.

Proof. Assume that there is an adversary A that breaks the full traceability of GS ′, weconstruct an algorithm B that breaks the SIS assumption. Formally, B is given a SISmatrix A ∈ Zm

q and tries to find a solution x ∈ Zmq such that ∥x∥ ≤ poly(m) and

Ax = 0.

Setup. The algorithm B sets A1,1 = A. Generate (A2,2,TA2,2)← TrapGen(n,m, q).Randomly choose R1,R2 ←R −1, 1m×m and j∗ ←R −4m2.5N + 1, . . . ,4m2.5N − 1, and compute A1,2 = A1,1R1, A2,1 = A1,1R2 − j∗A2,2. LetA1 = (A1,1∥A1,2) ∈ Zn×2m

q . Randomly choose B2,1 ←R Zn×mq , and com-

pute (B1,TB1)← SuperSamp(n,m, q,A1,1,−A1,2BT2,1). Then, compute (B2,2,

TB2,2)← SuperSamp(n, m, q,A1,2,0). Give the group public key gpk = A1,1,A1,2,A2,1,A2,2,B1,B2,1,B2,2, the group manager’s secret key gmsk = TB1

to the adversary A.

26

Secret Key Queries. Upon receiving the secret key query for user j from A, B abortsif j = j∗ or j /∈ 1, . . . , N. Otherwise, define Aj = (A1∥A2,1 + jA2,2) =(A1∥A2,1R2+(j−j∗)A2,2), return the secret key TAj

← ExtBasisRight(Aj ,R2,TA2,2 , s) to A.

Sign Queries. Upon receiving a signing query for message M under user j from A, Breturns ⊥ if j /∈ 1, . . . , N. Else if j = j∗, B generates a signature on M usingthe NIZKPoK simulators for π1 and π2. Otherwise, it generates the signature byfirst extracting the corresponding key as in answering the secret key queries.

Forge. Upon receiving a forged valid signature σ = (svk, σ1 = (c,x2, π1, π2), σ2)with probability ϵ,B extracts the knowledge e,x1 and vj with normal at most 4ηm2

by programming the random oracle twice to generate two different “challenges”.By the forking lemma of [12], B can succeed with probability at least ϵ(ϵ/qh−2−t),where h is the maximum number of hash queries ofA. Then, B decrypts c to obtaine′,x′1, and distinguishes the following two cases:

– If (x′1, e′) = (x1, e), we have A1c = pA1e

′ +A1x′1 = pA1e +A1x1. Let

y = (y1;y2) = p(e − e′) + (x1 − x′1), we have 0 = A1y = A1,1y1 +A1,2y2 = A1,1(y1 + R1y2). Namely, x = y1 + R1y2 is a solution of theSIS problem, B returns x as its own solution. Note that in this case, we have∥x∥ ≤ (p+ 1)ηm2.5 · ω(

√logm) = m8.5ω(log3.5 m).

– Else if (x′1, e′) = (x1, e), we have A1x1+A2,1x2+jA2,2x2 = 0 according to

equation (4) of π2, where j =∑ℓ−1

i=0 viηi and vj = (v0, . . . , vℓ−1). A simple

calculation indicates that |j| < 4m2.5N < q. Since A2,2x2 = 0 and q is aprime, the open algorithm will always output j, namely, it will never output ⊥.In addition, if j = j∗, B aborts. Otherwise, B returns x = x1,1 + R1x1,2 +R2x2 as its own solution, where x1 = (x1,1;x1,2).Since j∗ is randomly chosen from −4m2.5N +1, . . . , 4m2.5N −1, we havethe probability that j∗ = j is at least 1

8m2.5N . Conditioned on j∗ = j, we haveA1,1x1,1+A1,2x1,2+A2,1x2+jA2,2x2 = A1,1(x1,1+R1x1,2+R2x2) = 0,which shows that x = x1,1+R1x1,2+R2x2 is a solution of the SIS problem.In particular, we have ∥x∥ ≤ ηm2.5 · ω(

√logm) = m4.5 · ω(log2 m) by [2,

Lem. 5].

In all, the probability that B solves the SIS problem is at least ϵ(ϵ/qh−2−t)8m2.5N , which is

non-negligible if ϵ is non-negligible. Moreover, the norm of x is polynomial in m.

Acknowledgments. We would like to thank Kang Yang for his helpful comments onthe related work of group signatures, and the anonymous reviewers of PKC 2015 forkind suggestions on our paper. We are also grateful to Sherman Chow for bringing theirwork to our attention.

References

1. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, and M. Ohkubo. Structure-preservingsignatures and commitments to group elements. In T. Rabin, editor, CRYPTO 2010, volume6223 of LNCS, pages 209–236. Springer-Verlag, 2010.

27

2. S. Agrawal, D. Boneh, and X. Boyen. Efficient lattice (H)IBE in the standard model. InH. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 553–572. SpringerBerlin / Heidelberg, 2010.

3. S. Agrawal, D. Boneh, and X. Boyen. Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In T. Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages98–115. Springer Berlin / Heidelberg, 2010.

4. S. Agrawal, D. Freeman, and V. Vaikuntanathan. Functional encryption for inner productpredicates from learning with errors. In D. Lee and X. Wang, editors, ASIACRYPT 2011,volume 7073 of LNCS, pages 21–40. Springer Berlin Heidelberg, 2011.

5. M. Ajtai. Generating hard instances of lattice problems (extended abstract). In 28th AnnualACM Symposium on Theory of Computing (STOC), pages 99–108, New York, NY, USA,1996. ACM.

6. M. Ajtai. Generating hard instances of the short basis problem. In J. Wiedermann, P. vanEmde Boas, and M. Nielsen, editors, ICALP 1999, volume 1644 of LNCS, pages 706–706.Springer Berlin / Heidelberg, 1999.

7. J. Alwen and C. Peikert. Generating shorter bases for hard random lattices. In STACS, pages75–86, 2009.

8. B. Applebaum, D. Cash, C. Peikert, and A. Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In S. Halevi, editor, CRYPTO 2009,volume 5677 of LNCS, pages 595–618. Springer Berlin Heidelberg, 2009.

9. G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik. A practical and provably secure groupsignature scheme. In M. Bellare, editor, CRYPTO 2000, volume 1880 of LNCS, pages 255–270. Springer-Verlag, 2000.

10. G. Ateniese, D. Song, and G. Tsudik. Quasi-efficient revocation of group signatures. InM. Blaze, editor, Financial Cryptography, volume 2357 of Lecture Notes in Computer Sci-ence, pages 183–197. Springer Berlin Heidelberg, 2002.

11. M. Bellare, D. Micciancio, and B. Warinschi. Foundations of group signatures: Formal defi-nitions, simplified requirements, and a construction based on general assumptions. In E. Bi-ham, editor, EUROCRYPT 2003, volume 2656 of LNCS, pages 614–629. Springer BerlinHeidelberg, 2003.

12. M. Bellare and G. Neven. Multi-signatures in the plain public-key model and a generalforking lemma. In 13th ACM Conference on Computer and Communications Security (CCS),pages 390–399, New York, NY, USA, 2006. ACM.

13. M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficientprotocols. In 1st ACM conference on Computer and Communications Security (CCS), pages62–73. ACM Press, 1993.

14. F. Benhamouda, J. Camenisch, S. Krenn, V. Lyubashevsky, and G. Neven. Better zero-knowledge proofs for lattice encryption and their application to group signatures. In ASI-ACRYPT 2014 (to appear).

15. D. Boneh and X. Boyen. Short signatures without random oracles. In C. Cachin and J. Ca-menisch, editors, EUROCRYPT 2004, volume 3027 of LNCS, pages 56–73. Springer-Verlag,2004.

16. D. Boneh, X. Boyen, and H. Shacham. Short group signatures. In M. Franklin, editor,CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer-Verlag, 2004.

17. D. Boneh, V. Nikolaenko, and G. Segev. Attribute-based encryption for arithmetic circuits.Cryptology ePrint Archive, Report 2013/669, 2013.

18. D. Boneh and H. Shacham. Group signatures with verifier-local revocation. In 11th ACMConference on Computer and Communications Security (CCS), pages 168–177, New York,NY, USA, 2004. ACM.

28

19. X. Boyen. Lattice mixing and vanishing trapdoors: A framework for fully secure short sig-natures and more. In P. Nguyen and D. Pointcheval, editors, PKC 2010, volume 6056 ofLNCS, pages 499–517. Springer Berlin / Heidelberg, 2010.

20. X. Boyen and B. Waters. Compact group signatures without random oracles. In S. Vaudenay,editor, EUROCRYPT 2006, volume 4004 of LNCS, pages 427–444. Springer-Verlag, 2006.

21. X. Boyen and B. Waters. Full-domain subgroup hiding and constant-size group signatures. InT. Okamoto and X. Wang, editors, PKC 2007, volume 4450 of LNCS, pages 1–15. Springer-Verlag, 2007.

22. Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully homomorphic encryption withoutbootstrapping. Innovations in Theoretical Computer Science, ITCS, pages 309–325, 2012.

23. Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard)LWE. In IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS), pages97 –106, 2011.

24. Z. Brakerski and V. Vaikuntanathan. Lattice-based FHE as secure as PKE. In 5th Conferenceon Innovations in Theoretical Computer Science (ITCS), pages 1–12, New York, NY, USA,2014. ACM.

25. E. Bresson and J. Stern. Efficient revocation in group signatures. In K. Kim, editor, PKC2001, volume 1992 of Lecture Notes in Computer Science, pages 190–206. Springer BerlinHeidelberg, 2001.

26. E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation. In 11th ACM Confer-ence on Computer and Communications Security (CCS), pages 132–145. ACM Press, 2004.

27. J. Camenisch and A. Lysyanskaya. Dynamic accumulators and application to efficient re-vocation of anonymous credentials. In M. Yung, editor, CRYPTO 2002, volume 2442 ofLecture Notes in Computer Science, pages 61–76. Springer Berlin Heidelberg, 2002.

28. J. Camenisch and A. Lysyanskaya. Signature schemes and anonymous credentials frombilinear maps. In M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS, pages 56–72.Springer-Verlag, 2004.

29. J. Camenisch, G. Neven, and M. Ruckert. Fully anonymous attribute tokens from lattices. InI. Visconti and R. Prisco, editors, Security and Cryptography for Networks (SCN), volume7485 of LNCS, pages 57–75. Springer Berlin Heidelberg, 2012.

30. R. Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption.In C. Cachin and J. Camenisch, editors, EUROCRYPT 2004, volume 3027 of LNCS, pages207–222. Springer Berlin / Heidelberg, 2004.

31. D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert. Bonsai trees, or how to delegate a latticebasis. In H. Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 523–552.Springer Berlin / Heidelberg, 2010.

32. D. Chaum and E. van Heyst. Group signatures. In D. W. Davies, editor, EUROCRYPT 1991,volume 547 of LNCS, pages 257–265. Springer-Verlag, 1991.

33. L. Chen and J. Li. Flexible and scalable digital signatures in TPM 2.0. In 20th ACM Confer-ence on Computer and Communications Security (CCS), pages 37–48. ACM Press, 2013.

34. Y. Dodis, O. Rafail, L. Reyzin, and A. Smith. Fuzzy extractors: How to generate strong keysfrom biometrics and other noisy data. SIAM Journal on Computing, 38:97–139, 2008.

35. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification andsignature problems. In A. Odlyzko, editor, CRYPTO 1986, volume 263 of LNCS, pages186–194. Springer Berlin Heidelberg, 1987.

36. C. Gentry, S. Gorbunov, S. Halevi, V. Vaikuntanathan, and D. Vinayagamurthy. How tocompress (reusable) garbled circuits. Cryptology ePrint Archive, Report 2013/687, 2013.

37. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new crypto-graphic constructions. In 40th Annual ACM Symposium on Theory of Computing (STOC),pages 197–206, New York, NY, USA, 2008. ACM.

29

38. S. Gordon, J. Katz, and V. Vaikuntanathan. A group signature scheme from lattice assump-tions. In M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS, pages 395–412. SpringerBerlin / Heidelberg, 2010.

39. J. Groth. Simulation-sound NIZK proofs for a practical language and constant size groupsignatures. In X. Lai and K. Chen, editors, ASIACRYPT 2006, volume 4284 of LNCS, pages444–459. Springer-Verlag, 2006.

40. J. Groth. Fully anonymous group signatures without random oracles. In K. Kurosawa, editor,ASIACRYPT 2007, volume 4833 of LNCS, pages 164–180. Springer-Verlag, 2007.

41. T. C. Group. TCG TPM specification 1.2. Available athttp://www.trustedcomputinggroup.org, 2003.

42. T. C. Group. TCG TPM specification 2.0. Available athttp://www.trustedcomputinggroup.org/resources/tpm_library_specification,2013.

43. I. P. W. Group, VSC Project. Dedicated short range communications (DSRC), 2003.44. F. Laguillaumie, A. Langlois, B. Libert, and D. Stehle. Lattice-based group signatures with

logarithmic signature size. In K. Sako and P. Sarkar, editors, ASIACRYPT 2013, volume 8270of LNCS, pages 41–61. Springer Berlin Heidelberg, 2013.

45. A. Langlois, S. Ling, K. Nguyen, and H. Wang. Lattice-based group signature scheme withverifier-local revocation. In H. Krawczyk, editor, PKC 2014, volume 8383 of LNCS, pages345–361. Springer Berlin Heidelberg, 2014.

46. B. Libert, T. Peters, and M. Yung. Group signatures with almost-for-free revocation. InR. Safavi-Naini and R. Canetti, editors, CRYPTO 2012, volume 7417 of LNCS, pages 571–589. Springer-Verlag, 2012.

47. B. Libert, T. Peters, and M. Yung. Scalable group signatures with revocation. InD. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages609–627. Springer-Verlag, 2012.

48. S. Ling, K. Nguyen, D. Stehle, and H. Wang. Improved zero-knowledge proofs of knowledgefor the isis problem, and applications. In K. Kurosawa and G. Hanaoka, editors, PKC 2013,volume 7778 of LNCS, pages 107–124. Springer Berlin Heidelberg, 2013.

49. S. Ling, K. Nguyen, and H. Wang. Group signatures from lattices: simpler, tighter, shorter,ring-based. In PKC 2015 (to appear).

50. V. Lyubashevsky. Lattice-based identification schemes secure under active attacks. InR. Cramer, editor, PKC 2008, volume 4939 of LNCS, pages 162–179. Springer Berlin Hei-delberg, 2008.

51. V. Lyubashevsky. Lattice signatures without trapdoors. In D. Pointcheval and T. Johans-son, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages 738–755. Springer BerlinHeidelberg, 2012.

52. D. Micciancio and P. Mol. Pseudorandom knapsacks and the sample complexity of LWEsearch-to-decision reductions. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS,pages 465–484. Springer Berlin Heidelberg, 2011.

53. D. Micciancio and C. Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. InD. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages700–718. Springer Berlin Heidelberg, 2012.

54. D. Micciancio and O. Regev. Worst-case to average-case reductions based on gaussian mea-sures. SIAM J. Comput., 37:267–302, 2007.

55. D. Micciancio and S. Vadhan. Statistical zero-knowledge proofs with efficient provers: Lat-tice problems and more. In D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages282–298. Springer Berlin Heidelberg, 2003.

56. C. Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extendedabstract. In 41st Annual ACM Symposium on Theory of Computing (STOC), pages 333–342,New York, NY, USA, 2009. ACM.

30

57. C. Peikert and A. Rosen. Efficient collision-resistant hashing from worst-case assumptionson cyclic lattices. In S. Halevi and T. Rabin, editors, TCC 2006, volume 3876 of LNCS,pages 145–166. Springer Berlin / Heidelberg, 2006.

58. O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In 37Annual ACM Symposium on Theory of Computing (STOC), pages 84–93, New York, NY,USA, 2005. ACM.

59. J. Stern. A new paradigm for public key identification. Information Theory, IEEE Transac-tions on, 42(6):1757–1768, Nov 1996.

A The Proof of π2 in Our Group Signature

In this section, the notations are the same as in the description of our group signature inSection 5. Let t0 := A1c+A2,1x2, t1 := A1c. Let y0 = e,y1 = x1 ∈ Zm, and y2 =vj ∈ Zℓ. In our group signature, we need to generate a NIZKPoK proof (i.e., π2) forthe following relation:

Rcom = (A1, D, t0, t1, η;y0,y1,y2) ∈ Zn×(m+l)q × Z2n

q × R× Z2mq × Zℓ :

t0 = (pA1)y0 −Dy2, t1 = (pA1)y0 +A1y1, and ∥yi∥ ≤ η.

The proof is essentially achieved by combining our protocol from Section 4.2 (i.e., forthe equation t0 = (pA1)y0 −Dy2) and the standard protocol for RISIS from [44,51](i.e., for the equation t1 = (pA1)y0 +A1y1). We present the basic combined protocolwith single-bit challenge in Fig. 3.

Prover Verifier

CRS: (A1,D) ∈ Zn×(m+ℓ)q , t0, t1 ∈ Zn

q

Private input: y0 = e,y1 = x1 ∈ Zm,

and y2 = vj ∈ Zℓ

y′0,y

′1 ←R DZm,γ ,y

′2 ←R DZℓ,γ

u0 = (pA1)y′0 −Dy′

2u1 = (pA1)y

′0 + A1y

′1

u0,u1

c←R 0, 1c

zi = y′i + cyi for i = 0, 1, 2

Set zi = ⊥ with probability ζ(zi, ciyi)z0, z1, z2

Accept iff ∥zi∥ ≤ 2γ√m and

(pA1)z0 −Dz2 = u0 + ct0 and(pA1)z0 + A1z1 = u1 + ct1

Fig.3.ThebasicΣ-protocolforRelationRcom

Asbefore,duetotheuseofaone-bitchallenge,giventwoacceptedtranscriptswiththesamefirstmessagebutdifferentchallenges:((u0,u1),1,(z0,z1,z2))and((u0,u1),0,(z′

0,z′1,z′

2)),onecanrecovera“weak”witness(z0,z1,z2)∈Z2m+ℓ

satisfyingt0=(pA1)z0−Dz2,t1=(pA1)z0+A1z1,and∥zi∥≤4γ

√m,wherezi=zi−z′

i

andγ=ηm1.5

.Besides,thesimulatorforthespecialHonest-VerifierZeroKnowledge(HVZK)propertysimplyworksasfollows:givenachallengec∈0,1,itchooses

31

z0, z1 ←R DZm,γ , z2 ←R DZℓ,γ , and computes u0 = (pA1)z0 − Dz2 − ct0, andu1 = (pA1)z0 +A1z1 − ct1. Then, it sets zi = ⊥ with probability 1 − 1

Ml, and out-

puts ((u0,u1), c, (z0, z1, z2)). By Lemma 3, the distribution of (u0,u1) is statisticallyclose to uniform over Zn

q × Znq (since (pA1)z0 and A1z1 are both statistically close to

Znq ), which is the same as that in the transcript of a real proof. In addition, by [51, Th.

4.6], the distribution of (z0, z1, z2) is also statistically close to that in the real transcript.Like the protocol in [51,44] and ours in Section 4.2, we have to use a t = ω(log n)

parallel repetitions of the basic protocol in Fig. 3 to achieve negligible soundness error.The final NIZKPoK protocol used in our group signature is obtained by using the Fiat-Shamir transformation in a standard way. Namely, the challenges c = (c1, . . . , ct) arecomputed by using a hash function (modeled as a random oracle) with inputs all thepublic information such as all the t independent pairs (u0,u1), and the message M tobe signed.

B One-time Strongly Unforgeable Signatures

In this section, we recall the definition and security model of signatures. Formally, asignature scheme SIG consists of three PPT algorithms (KeyGen,Sign,Ver):

– KeyGen(1n): Take as input the security parameter n, output a verification key svkand a signing key ssk.

– Sign(ssk,M): Take as inputs a signing key ssk and a message M (in some implicitmessage space), output a signature σ.

– Ver(svk,M, σ): Take as inputs a verification key svk, a message M , and a signa-ture σ, output a bit b ∈ 0, 1 (where b = 1 indicates “acceptance” and b = 0indicates “rejection”).

We require that for all (svk, ssk) ← KeyGen(n), and all M in the message space,the probability that Ver(svk,M,Sign(ssk,M)) = 1 holds with overwhelming prob-ability. In particular, σ is said to be a valid signature for the message M under theverification key svk if Ver(svk,M, σ) = 1.

A signature scheme is said to be strongly existentially unforgeable under a one-timechosen message attack if for any PPT forger F , its advantage

Advot-sEUFSIG,F (n) = Pr[Expot-sEUF

SIG,F (n) = 1]

in the following experiment is negligible in the security parameter n:

Experiment Expot-sEUFSIG,F (n)

(svk, ssk)← KeyGen(1n)(st,M∗)← F(svk)σ∗ = Sign(ssk,M∗)(M ′, σ′)← F(st, σ∗)Return 1 if

Ver(svk,M ′, σ′) = 1 and (M ′, σ′) = (M∗, σ∗)Else return 0