A Proof of Theorem 4.2

Lattice-Based Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease

Abstract

Lattice-based group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), eight other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, most of the existing constructions work only in the static setting where the group population is fixed at the setup phase. The only two exceptions are the schemes by Langlois et al. (PKC 2014) that handles user revocations (but new users cannot join), and by Libert et al. (Asiacrypt 2016) which addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked).

In this work, we provide the first lattice-based group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this non-trivial feat in a relatively simple manner. Starting with Libert et al.’s fully static construction (Eurocrypt 2016) - which is arguably the most efficient lattice-based group signature to date, we introduce simple-but-insightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zero-knowledge. The scheme satisfies the strong security requirements of Bootle et al.’s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.

Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zero-knowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.

Keywords. lattice-based group signatures; full dynamicity; updatable Merkle trees; deniability

1 Introduction

Group signature, introduced by Chaum and van Heyst [15], is a fundamental anonymity primitive which allows members of a group to sign messages on behalf of the whole group. Yet, users are kept accountable for the signatures they issue since a tracing authority can identify them should the need arise. There have been numerous works on group signatures in the last quarter-century.

Ateniese et al. [2] proposed the first scalable instantiation meeting the security properties that can be intuitively expected from the primitive, although clean security notions were not available yet at that time. Bellare et al. [4] filled this gap by providing strong security notions for static groups, in which the group population is fixed at the setup phase. Subsequently, Kiayias and Yung [25] and Bellare et al. [5] established the models capturing the partially dynamic setting, where users are able to join the group at any time, but once they have done so, they cannot leave the group. Sakai et al. [47] strengthened these models by suggesting the notion of opening soundness, guaranteeing that a valid signature only traces to one user. Efficient schemes satisfying these models have been proposed in the random oracle model [43, 17] and in the standard model [21, 34].

One essential functionality of group signatures is the support for membership revocation. Enabling this feature in an efficient manner is quite challenging, since one has to ensure that revoked users are no longer able to sign messages and the workloads of other parties (managers, non-revoked users, verifiers) do not significantly increase in the meantime. Several different approaches have been suggested [10, 12, 50, 42, 6] to address this problem, and notable pairing-based constructions supporting both dynamic joining and efficient revocation were given in [40, 33, 32]. Very recently, Bootle et al. [7] pointed out a few shortcomings of previous models, and put forward stringent security notions for fully dynamic group signatures. They also demonstrated a construction satisfying these notions based on the decisional Diffie-Hellman (DDH) assumption, following a generic transformation from a secure accountable ring signature scheme [8].

Another interesting functionality of group signatures that we consider in this work is deniability, suggested by Ishida et al. [22]. It allows the tracing authority to provide a digital evidence that a given group user did not generate a signature in question. In [22], Ishida et al. discussed various situations in which such functionality helps to protect the privacy of users. For instance, suppose that the entrace/exit control of a building is implemented using a group signature scheme, and the police wants to check whether a suspect was in this building at the time of a crime. If the police asks the tracing authority to reveal the signers of all signatures generated during that time period, then this will seriously violate the privacy of innocent users. In such situation, deniable group signatures make it possible to prove that the signer of a given signature is not the suspect, while still keeping the signer’s identity secret. As shown by Ishida et al. [22], the main technical challenge towards realizing the deniability functionality consists of constructing a zero-knowledge proof/argument that a given ciphertext does not decrypt to a particular message. Such a mechanism is non-trivial to realize in general, but Ishida et al. [22] managed to achieve it from pairing-based assumptions.

For the time being, existing group signature schemes offering full dynamicity and/or deniability all rely on number-theoretic assumptions which are vulnerable to quantum attacks [48]. To avoid putting all eggs in one basket, it is thus encouraging to consider instantiations based on alternative, post-quantum foundations, e.g., lattice assumptions. In view of this, let us now look at the topic of lattice-based group signatures.

Lattice-based group signatures. Lattice-based cryptography has been an exciting research area since the seminal works of Regev [45] and Gentry et al. [19]. Along with other primitives, lattice-based group signature has received noticeable attention in recent years. The first scheme was introduced by Gordon, Katz and Vaikuntanathan [20] whose solution produced signature size linear in the number of group users . Camenisch et al. [13] then extended [20] to achieve anonymity in the strongest sense. Later, Laguillaumie et al. [26] put forward the first scheme with the signature size logarithmic in , at the cost of relatively large parameters. Simpler and more efficient solutions with signature size were subsequently given by Nguyen et al. [44] and Ling et al. [36]. Libert et al. [30] obtained substantial efficiency improvements via a construction based on Merkle trees which eliminates the need for GPV trapdoors [19]. More recently, a scheme supporting message-dependent opening (MDO) feature [46] was proposed in [31]. All the schemes mentioned above are designed for static groups.

The only two known lattice-based group signatures that have certain dynamic features were proposed by Langlois et al. [27] and Libert et al. [28]. The former is a scheme with verifier-local revocation (VLR[6], which means that only the verifiers need to download the up-to-date group information. The latter addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked). To achieve those partially dynamic functionalities, both of the proposals have to incorporate relatively complicated mechanisms1 and both heavily rely on lattice trapdoors.

The discussed above situation is somewhat unsatisfactory, given that the full dynamicity feature is highly desirable in most applications of group signatures (e.g., protecting the privacy of commuters in public transportation), and it has been achieved based on number-theoretic assumptions. This motivates us to work on fully dynamic group signatures from lattices. Besides, considering that the journey to partial dynamicity in previous works [27, 28] was shown not easy, we ask ourselves an inspiring question: Can we achieve full dynamicity with ease? Furthermore, given that deniability is an attractive and non-trivial functionality [22], can we also realize it with ease in the context of lattice-based group signatures? At the end of the day, it is good to solve an open research question, but it would be even better and more exciting to do this in a simple way. To make it possible, we will likely need some new and insightful ideas.

Our Results and Techniques. Our main contribution is the first fully dynamic group signature from lattices. The scheme satisfies the strong security requirements put forward by Bootle et al. [7], under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. As in all previous lattice-based group signatures, our scheme is analyzed in the random oracle model. Additionally, we incorporate the deniability functionality suggested by Ishida et al. [22] into Bootle et al.’s model, and then demonstrate how to make our fully dynamic group signature scheme deniable.

Scheme
Sig.
size
Group
PK size
Signer’s
SK size
Trap-
door?
Model
Extra info
per epoch
Denia-
bility
GKV [20] yes static NA ?
CNR [13] yes static NA ?
LLLS [26] yes static NA ?
LLNW [27] yes VLR
Sign: no
Ver:
?
NZZ [44] yes static NA ?
LNW [36] yes static NA
LLNW [30] FREE static NA
LLM+ [28] yes
partially
dynamic
NA
LMN [31] yes MDO NA ?
Ours FREE
fully
dynamic
Sign:
Ver:
yes
Table 1: Comparison of known lattice-based group signatures, in terms of efficiency and functionality. The comparison is done based on two governing parameters: security parameter and the maximum expected number of group users . As for the scheme from [27], denotes the number of revoked users at the epoch in question. In the last column, “” means that the respective scheme can directly achieve the deniability feature via our technique, while “?” indicates that we do not know how to do so for the respective scheme.

For a security parameter parameter and maximum expected number of group users , our scheme features signature size and group public key size . The user’s secret key has bit-size . At each epoch when the group information is updated, the verifiers only need to download an extra bits in order to perform verification of signatures2, while each active signer only has to download bits. In Table 1, we give a detailed comparison of our scheme with known lattice-based group signatures, in terms of efficiency and functionality. The full dynamicity feature is achieved with a very reasonable cost and without having to rely on lattice trapdoors. Somewhat surprisingly, our scheme even produces shorter signatures than the scheme from [30] - which is arguably the most efficient lattice-based group signature known to date. Furthermore, these results are obtained in a relatively simple manner, thanks to three main ideas/techniques discussed below.

Our starting point is the scheme [30], which works in the static setting. Instead of relying on trapdoor-based ordinary signatures as in prior works, the LLNW scheme employs on a SIS-based Merkle tree accumulator. For a group of users, the manager chooses uniformly random vectors ; hashes them to , respectively; builds a tree on top of these hash values; and publishes the tree root . The signing key of user consists of and the witness for the fact that was accumulated in . When issuing signatures, the user proves knowledge of a valid pair and of the tree path from  to . The user also has to encrypt the binary representation of his identity , and prove that the ciphertext is well-formed. The encryption layer is also lattice-trapdoor-free, since it utilizes the Naor-Yung double-encryption paradigm [41] with Regev’s LWE-based encryption scheme [45]. To upgrade the LLNW scheme directly into a fully dynamic group signature, we now let the user compute the pair on his own (for enabling non-frameability), and we employ the following three ideas/techniques.

First, we add a dynamic ingredient into the static Merkle tree accumulator from [30]. To this end, we equip it with an efficient updating algorithm with complexity : to change an accumulated value, we simply update the values at the corresponding leaf and along its path to the root.

Second, we create a simple rule to handle user enrollment and revocation efficiently (i.e., without resetting the whole tree). Specifically, we use the updating algorithm to set up the system so that: (i)- If a user has not joined the group or has been revoked, the value at the leaf associated with him is set as ; (ii)- When a user joins the group, that value is set as his public key . Our setup guarantees that only active users (i.e., who has joined and has not been revoked at the given epoch) have their non-zero public keys accumulated into the updated root. This rule effectively separates active users who can sign from those who cannot: when signing messages, the user proceeds as in the LLNW scheme, and is asked to additionally prove in zero-knowledge that . In other words, the seemingly big gap between being fully static and being fully dynamic has been reduced to a small difference!

Third, the arising question now is how to additionally prove the inequality in the framework of the Stern-like [49] protocol from [30]. One would naturally expect that this extra job could be done without losing too much in terms of efficiency. Here, the surprising and somewhat unexpected fact is that we can actually do it while gaining efficiency, thanks to the following simple idea. Recall that, in [30], to prove knowledge of , an extension technique from [35] is employed, in which is extended into a vector of dimension . We note that, the authors of [35] also suggested a slightly modified version of their technique, that allows to simultaneously prove that and is non-zero while working only with dimension . This intriguing tweak enables us to obtain a zero-knowledge protocol with slightly lower communication cost, and hence, group signatures with slightly smaller size than in [30].

Another problem we have to overcome is that the fully dynamic setting requires a proof of correct opening, which boils down to proving correct decryption for Regev’s encryption scheme [45]. It involves modular linear equations with bounded-norm secrets, and can be handled using Stern-like techniques from [35, 28].

Now, to equip the obtained fully dynamic group signature scheme with the deniability functionality, we first incorporate Ishida et al.’s notion of deniability [22] into Bootle et al.’s model [7]. Then we describe how to make our scheme deniable, via a zero-knowledge argument of knowledge that a given Regev ciphertext [45] does not decrypt to a given message. The latter reduces to proving knowledge of a non-zero vector satisfying a modular linear equation, where is the difference between the result of decryption and the given message. This in turn can be handled by developing the above method for proving inequality in the framework of Stern’s protocol.

To summarize, we solve the prominent open question of achieving full dynamicity in the field of lattice-based group signatures. The scheme can be easily extended to a deniable group signature. Moreover, our solution is simple and comparatively efficient. Our results, while not yielding truly practical schemes, would certainly help to enrich the field and bring lattice-based group signatures one step closer to practice.

Remarks. This article is the full, extended version of [37], published in the proceedings of ACNS 2017. In comparison with [37], the present version additionally introduces the deniability feature to the obtained fully dynamic group signature scheme, and provides details of all the security proofs.

Organization. In Section 2, we recall some background on fully dynamic group signatures and lattice-based cryptography. Section 3 develops an updatable Merkle tree accumulator. Our main scheme is constructed and analyzed in Section 4. In Section 5, we demonstrate how to achieve deniability. Some details are deferred to the appendix.

2 Preliminaries

2.1 Notations

In this paper, all vectors are column vectors. The concatenation two column vectors and is denoted by for simplicity. Let and be the Euclidean () norm and infinity () norm of a vector respectively. For , denotes logarithm of with base . Denote as the set .

2.2 Fully Dynamic Group Signatures

We recall the definition and security notions of fully dynamic group signatures () presented by Bootle et al. [7]. An scheme involves the following entities: a group manager  that determines who can join the group, a tracing manager  who can open signatures, and a set of users who are potential group members. Users can join/leave the group at the discretion of . We assume will publish some information  regularly associated with a distinct index (referred as epoch hereafter). Without loss of generality, assume there is one-to-one correspondence between information and the associated epoch. The information describes changes of the group, e.g., current group members or members that are excluded from the group. We assume the published group information is authentic. By comparing current group information with previous one, it allows any party to identify revoked users at current epoch. For simplicity assume if is published before , i.e., the epoch preserves the order in which the corresponding group information was published. In existing models, the keys of authorities are supposed to be generated honestly; while in [7], Bootle et al. consider a stronger model where the keys of authorities can be maliciously generated by the adversary.

Syntax of fully dynamic group signatures. An scheme is a tuple of following polynomial-time algorithms.

. On input security parameter , this algorithm generates public parameters .

. This is an interactive protocol between the group manager and the tracing manager . If it completes successfully, algorithm outputs a manager key pair . Meanwhile, initializes the group information and the registration table . The algorithm outputs a tracing key pair . Set group public key .

. Given public parameters , this algorithm generates a user key pair .

. This is an interactive algorithm run by a user and . If it completes successfully, this user becomes a group member with an identifier and the algorithm stores secret group signing key  while algorithm stores registration information in the table with index .

. This is an algorithm run by to update group information while advancing the epoch. Given ,, , registration table , a set of active users to be removed from the group, computes new group information and may update the table . If there is no change to the group, outputs .

. This algorithm outputs a group signature on message by user . It outputs if this user is inactive at epoch .

. This algorithm checks the validity of the signature on message at epoch .

. This is an algorithm run by . Given the inputs, returns an identity of a group member who signed the message and a proof indicating this tracing result or if it fails to trace to a group member.

. This algorithm checks the validity of outputted by the algorithm.

Correctness and security of fully dynamic group signatures. As put forward by Bootle et al. [7], an scheme must satisfy correctness, anonymity, non-frameability, traceability and tracing soundness.

Correctness demands that a signature generated by an honest and active user is always accepted by algorithm , and that algorithm can always identify that user, as well as produces a proof accepted by algorithm .

Anonymity requires that it is infeasible for any PPT adversary to distinguish signatures generated by two active users of its choice at the chosen epoch, even if it can corrupt any user, can choose the key of , and is given access to the oracle.

Non-Frameability makes sure that the adversary cannot generate a valid signature that traces to an honest user even if it can corrupt all other users, and can choose keys of both managers.

Traceability ensures that the adversary cannot produce a valid signature that cannot be traced to an active user at the chosen epoch, even if it can corrupt any user and can choose the key of .

Tracing Soundness requires that it is infeasible to produce a valid signature that traces to two different users, even if all group users and both managers are fully controlled by the adversary.

We will define these requirements using a set of experiments, in which the adversary has access to a set of oracles. The oracles use the following global variables: is a list of users whose keys are generated honestly. is a list of users whose secret signing keys are revealed to the adversary; is a list of users whose public keys are chosen by the adversary; is a set of signatures that are generated by the oracle ; is a set of signatures that are generated by the oracle .

. This oracle adds an honest user to the group at current epoch. It returns and adds to the list .

. This oracle allows the adversary to create a new user by choosing the key as . It then adds to the list . It returns  if . This actually prepares for calling the oracle .

. This oracle engages in the protocol between the adversary, who corrupts the user in the list , and the honest -executing group manager.

. This oracle engages in the protocol between the adversary, who corrupts the group manager, and the honest executing user in the list .

. This oracle returns registration information of user .

. This oracle modifies to any chosen by the adversary.

. This oracle returns secret signing key to the adversary, and adds this user to the list .

. This oracle returns a signature on the message by the user at epoch , and then add the signature to the list .

. This oracle receives inputs from the adversary, returns a signature on by the user at epoch , and then adds the signature to the list . It is required that the two challenged users are active at epoch and this oracle can only be called once.

. This oracle returns the signer of the signature together with a proof, with respect to the epoch . We require that the signature is not in the list .

. This oracle allows the adversary to update the group at current epoch . It is required that is a set of active users at current epoch.

We also need the following polynomial-time algorithm in security experiments to ease composition.

: It outputs if this user is active at epoch and otherwise.

We refer the readers to [7] for detailed descriptions of the above oracles.

Definition 1

For any security parameter and any PPT adversary , we define correctness and security experiments in Fig. 1.

For correctness, non-frameability, traceability and tracing soundness, the advantage of the adversary is defined as the probability of outputting  in the corresponding experiment. For anonymity, the advantage is defined as the absolute difference of probability of outputting  between experiment and experiment .

A fully dynamic group signature scheme is said to be correct and secure (i.e., anonymous, non-frameable, traceable and tracing sound) if the advantages of the adversary in all considered experiments are negligible in .

Experiment:

.

.

Set . .

If or or or , return .

, .

Return if

Experiment:

.

.

Return if did not accept or ’s output is not well-formed.

Denote the output of as , and set .

. Return .

Experiment:

.

.

Return if ’s output is not well-formed, otherwise set .

.

Return if

.

Experiment:

.

.

Return if did not accept or ’s output is not well-formed.

Denote the output of as , and set .

.

If , return .

.

Return if .

Experiment:

. .

Return if ’s output is not well-formed, otherwise set .

.

Return if .

Figure 1: Experiments to define security requirements of .

2.3 Background on Lattices

We recall the average-case lattice problems SIS and LWE, together with their hardness results.

Definition 2 ([1, 19])

The problem is as follows: Given uniformly random matrix , find a non-zero vector such that  and

If , and , then the problem is at least as hard as worst-case lattice problem for some (see, e.g., [19, 39]). Specifically, when , , , the problem is at least as hard as with .

In the last decade, numerous SIS-based cryptographic primitives have been proposed. In this work, we will extensively employ such constructions:

  • Our group signature scheme is based on the Merkle tree accumulator from [30], which is built upon a specific family of collision-resistant hash functions.

  • Our zero-knowledge argument systems use the statistically hiding and computationally binding string commitment scheme from [24].

For appropriate setting of parameters, the security of the above two constructions can be based on the worst-case hardness of .

In the group signature in Section 4, we will employ the multi-bit version of Regev’s encryption scheme [45], presented in [23]. The scheme is based on the hardness of the LWE problem.

Definition 3 ([45])

Let , , and let be a probability distribution on . For , let be the distribution obtained by sampling and , and outputting . The problem asks to distinguish  samples chosen according to (for ) and samples chosen according to the uniform distribution over .

If is a prime power, is the discrete Gaussian distribution , where , then is as least as hard as (see [45, 38, 39]).

2.4 Stern-like Protocols for Lattice-Based Relations

The zero-knowledge (ZK) argument systems appearing in this paper operate in the framework of Stern’s protocol [49]. Let us now recall some background. This protocol was originally proposed in the context of code-based cryptography, and was later adapted into the lattice setting by Kawachi et al. [24]. Subsequently, it was empowered by Ling et al. [35] to handle the matrix-vector relations associated with the SIS and LWE problems, and further developed to design several lattice-based schemes: group signatures [27, 36, 30, 31, 28], policy-based signatures [16] and group encryption [29].

Stern-like protocols are quite useful in the context of lattice-based privacy-preserving systems, when one typically works with modular linear equations of the form - where , are public, and one wants to prove in ZK that secret vectors satisfy certain constraints, e.g., they have small norms and/or have coordinates arranged in a special way. The high-level ideas can be summarized as follows. If the given constraints are invariant under certain type of permutations of coordinates, then one readily uses uniformly random permutations to prove those constraints. Otherwise, one performs some pre-processings with to reduce to the former case. Meanwhile, to prove that the modular linear equation holds, one makes use of a standard masking technique.

The basic protocol consists of moves: commitment, challenge, response. If the statistically hiding and computationally binding string commitment scheme from [24] is employed in the first move, then one obtains a statistical zero-knowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error , and communication cost , where denotes the total bit-size of the secret vectors. In many applications, the protocol is repeated times, for security parameter , to achieve negligible soundness error, and then made non-interactive via the Fiat-Shamir heuristic [18]. In the random oracle model, this results in a non-interactive zero-knowledge argument of knowledge (NIZKAoK) with bit-size .

3 Updatable Lattice-Based Merkle Hash Trees

We first recall the lattice-based Merkle-tree accumulator from [30], and then, we equip it with a simple updating algorithm which allows to change an accumulated value in time logarithmic in the size of the accumulated set. This updatable hash tree will serve as the building block of our construction in Section 4.

3.1 Cryptographic Accumulators

An accumulator scheme is a tuple of polynomial-time algorithms defined below.

On input security parameter , output the public parameter .

On input a set of data values, output an accumulator value .

On input a data set and a value , output if ; otherwise output a witness  for the fact that  is accumulated in . (Typically, the size of should be short (e.g., constant or logarithmic in ) to be useful.)

On input accumulator value and a value-witness pair , output  (which indicates that is valid for the accumulator ) or .

An accumulator scheme is called correct if for all , we have for all .

A natural security requirement for accumulators, as considered in [3, 12, 30], says that it is infeasible to prove that a value was accumulated in a value if it was not. This property is formalized as follows.

Definition 4 ([30])

An accumulator scheme is called secure if for all PPT adversaries :

3.2 The LLNW Merkle-tree Accumulator

Notations. Hereunder we will use the notation to indicate that is chosen uniformly at random from finite set . For bit , we let .

The Merkle-tree accumulator scheme from [30] works with parameters , , , and . The set is identified by . Define the “powers-of-2” matrix

Note that for every , we have , where denotes the binary representation of . The scheme is built upon the following family of SIS-based collision-resistant hash functions.

Definition 5

The function family mapping to is defined as , where for with , and for any , we have:

Note that .

A Merkle tree with leaves, where is a positive integer, then can be constructed based on the function family as follows.

Sample , and output .

For every , let be the binary representation of , and let . Form the tree of depth  based on the leaves as follows:

  1. At depth , the node , for all , is defined as .

  2. At depth : The root is defined as .

The algorithm outputs the accumulator value .

If , return . Otherwise, for some with binary representation . Output the witness defined as:

for computed by algorithm .

Let the given witness be of the form:

The algorithm recursively computes the path as follows: and

(1)

Then it returns if . Otherwise, it returns .

The following lemma states the correctness and security of the above Merkle tree accumulator.

Lemma 1 ([30])

The given accumulator scheme is correct and is secure in the sense of Definition 4, assuming the hardness of the problem.

3.3 An Efficient Updating Algorithm

Unlike the static group signature scheme from [30], our fully dynamic construction of Section 4 requires to regularly edit the accumulated values without having to reconstruct the whole tree. To this end, we equip the Merkle tree accumulator from [30] with a simple, yet efficient, updating algorithm: to change the value at a given leaf, we simply modify all values in the path from that leaf to the root. The algorithm, which takes as input a bit string and a value , is formally described below.

Given the tree in Section 3.2, algorithm performs the following steps:

  1. Let be the current value at the leaf of position determined by , and let be its associated witness.

  2. Set and recursively compute the path as in (1).

  3. Set ; ; .

It can be seen that the provided algorithm runs in time . In Fig. 2, we give an illustrative example of a tree with leaves.

Figure 2: A Merkle tree with leaves, which accumulates the data blocks into the value at the root. The bit string and the pink nodes form a witness to the fact that is accumulated in . If we replace by a new value , we only need to update the yellow nodes.

4 Our Fully Dynamic Group Signatures from Lattices

In this section, we construct our lattice-based fully dynamic group signature and prove its security in Bootle et al.’s model [7]. We start with the LLNW scheme [30], which works in the static setting.

While other constructions of lattice-based group signatures employ trapdoor-based ordinary signature schemes (e.g., [9, 14]) to certify users, the LLNW scheme relies on a SIS-based Merkle tree accumulator which we recalled in Section 3.2. The GM, who manages a group of users, chooses uniformly random vectors ; hashes them to , respectively; builds a tree on top of these hash values; and lets the tree root be part of the group public key. The signing key of user consists of and the witness for the fact that was accumulated in . When generating group signatures, the user proves knowledge of a valid pair and of the tree path from to . The user also has to encrypt the binary representation