LatticeBased Group Signatures: Achieving Full Dynamicity (and Deniability) with Ease
Abstract
Latticebased group signature is an active research topic in recent years. Since the pioneering work by Gordon, Katz and Vaikuntanathan (Asiacrypt 2010), eight other schemes have been proposed, providing various improvements in terms of security, efficiency and functionality. However, most of the existing constructions work only in the static setting where the group population is fixed at the setup phase. The only two exceptions are the schemes by Langlois et al. (PKC 2014) that handles user revocations (but new users cannot join), and by Libert et al. (Asiacrypt 2016) which addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked).
In this work, we provide the first latticebased group signature that offers full dynamicity (i.e., users have the flexibility in joining and leaving the group), and thus, resolve a prominent open problem posed by previous works. Moreover, we achieve this nontrivial feat in a relatively simple manner. Starting with Libert et al.’s fully static construction (Eurocrypt 2016)  which is arguably the most efficient latticebased group signature to date, we introduce simplebutinsightful tweaks that allow to upgrade it directly into the fully dynamic setting. More startlingly, our scheme even produces slightly shorter signatures than the former, thanks to an adaptation of a technique proposed by Ling et al. (PKC 2013), allowing to prove inequalities in zeroknowledge. The scheme satisfies the strong security requirements of Bootle et al.’s model (ACNS 2016), under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions.
Furthermore, we demonstrate how to equip the obtained group signature scheme with the deniability functionality in a simple way. This attractive functionality, put forward by Ishida et al. (CANS 2016), enables the tracing authority to provide an evidence that a given user is not the owner of a signature in question. In the process, we design a zeroknowledge protocol for proving that a given LWE ciphertext does not decrypt to a particular message.
Keywords. latticebased group signatures; full dynamicity; updatable Merkle trees; deniability
1 Introduction
Group signature, introduced by Chaum and van Heyst [15], is a fundamental anonymity primitive which allows members of a group to sign messages on behalf of the whole group. Yet, users are kept accountable for the signatures they issue since a tracing authority can identify them should the need arise. There have been numerous works on group signatures in the last quartercentury.
Ateniese et al. [2] proposed the first scalable instantiation meeting the security properties that can be intuitively expected from the primitive, although clean security notions were not available yet at that time. Bellare et al. [4] filled this gap by providing strong security notions for static groups, in which the group population is fixed at the setup phase. Subsequently, Kiayias and Yung [25] and Bellare et al. [5] established the models capturing the partially dynamic setting, where users are able to join the group at any time, but once they have done so, they cannot leave the group. Sakai et al. [47] strengthened these models by suggesting the notion of opening soundness, guaranteeing that a valid signature only traces to one user. Efficient schemes satisfying these models have been proposed in the random oracle model [43, 17] and in the standard model [21, 34].
One essential functionality of group signatures is the support for membership revocation. Enabling this feature in an efficient manner is quite challenging, since one has to ensure that revoked users are no longer able to sign messages and the workloads of other parties (managers, nonrevoked users, verifiers) do not significantly increase in the meantime. Several different approaches have been suggested [10, 12, 50, 42, 6] to address this problem, and notable pairingbased constructions supporting both dynamic joining and efficient revocation were given in [40, 33, 32]. Very recently, Bootle et al. [7] pointed out a few shortcomings of previous models, and put forward stringent security notions for fully dynamic group signatures. They also demonstrated a construction satisfying these notions based on the decisional DiffieHellman (DDH) assumption, following a generic transformation from a secure accountable ring signature scheme [8].
Another interesting functionality of group signatures that we consider in this work is deniability, suggested by Ishida et al. [22]. It allows the tracing authority to provide a digital evidence that a given group user did not generate a signature in question. In [22], Ishida et al. discussed various situations in which such functionality helps to protect the privacy of users. For instance, suppose that the entrace/exit control of a building is implemented using a group signature scheme, and the police wants to check whether a suspect was in this building at the time of a crime. If the police asks the tracing authority to reveal the signers of all signatures generated during that time period, then this will seriously violate the privacy of innocent users. In such situation, deniable group signatures make it possible to prove that the signer of a given signature is not the suspect, while still keeping the signer’s identity secret. As shown by Ishida et al. [22], the main technical challenge towards realizing the deniability functionality consists of constructing a zeroknowledge proof/argument that a given ciphertext does not decrypt to a particular message. Such a mechanism is nontrivial to realize in general, but Ishida et al. [22] managed to achieve it from pairingbased assumptions.
For the time being, existing group signature schemes offering full dynamicity and/or deniability all rely on numbertheoretic assumptions which are vulnerable to quantum attacks [48]. To avoid putting all eggs in one basket, it is thus encouraging to consider instantiations based on alternative, postquantum foundations, e.g., lattice assumptions. In view of this, let us now look at the topic of latticebased group signatures.
Latticebased group signatures. Latticebased cryptography has been an exciting research area since the seminal works of Regev [45] and Gentry et al. [19]. Along with other primitives, latticebased group signature has received noticeable attention in recent years. The first scheme was introduced by Gordon, Katz and Vaikuntanathan [20] whose solution produced signature size linear in the number of group users . Camenisch et al. [13] then extended [20] to achieve anonymity in the strongest sense. Later, Laguillaumie et al. [26] put forward the first scheme with the signature size logarithmic in , at the cost of relatively large parameters. Simpler and more efficient solutions with signature size were subsequently given by Nguyen et al. [44] and Ling et al. [36]. Libert et al. [30] obtained substantial efficiency improvements via a construction based on Merkle trees which eliminates the need for GPV trapdoors [19]. More recently, a scheme supporting messagedependent opening (MDO) feature [46] was proposed in [31]. All the schemes mentioned above are designed for static groups.
The only two known latticebased group signatures that have certain dynamic features were proposed by Langlois et al. [27] and Libert et al. [28]. The former is a scheme with verifierlocal revocation (VLR) [6], which means that only the verifiers need to download the uptodate group information. The latter addresses the orthogonal problem of dynamic user enrollments (but users cannot be revoked). To achieve those partially dynamic functionalities, both of the proposals have to incorporate relatively complicated mechanisms
The discussed above situation is somewhat unsatisfactory, given that the full dynamicity feature is highly desirable in most applications of group signatures (e.g., protecting the privacy of commuters in public transportation), and it has been achieved based on numbertheoretic assumptions. This motivates us to work on fully dynamic group signatures from lattices. Besides, considering that the journey to partial dynamicity in previous works [27, 28] was shown not easy, we ask ourselves an inspiring question: Can we achieve full dynamicity with ease? Furthermore, given that deniability is an attractive and nontrivial functionality [22], can we also realize it with ease in the context of latticebased group signatures? At the end of the day, it is good to solve an open research question, but it would be even better and more exciting to do this in a simple way. To make it possible, we will likely need some new and insightful ideas.
Our Results and Techniques. Our main contribution is the first fully dynamic group signature from lattices. The scheme satisfies the strong security requirements put forward by Bootle et al. [7], under the Short Integer Solution (SIS) and the Learning With Errors (LWE) assumptions. As in all previous latticebased group signatures, our scheme is analyzed in the random oracle model. Additionally, we incorporate the deniability functionality suggested by Ishida et al. [22] into Bootle et al.’s model, and then demonstrate how to make our fully dynamic group signature scheme deniable.
Scheme 




Model 



GKV [20]  yes  static  NA  ?  
CNR [13]  yes  static  NA  ?  
LLLS [26]  yes  static  NA  ?  
LLNW [27]  yes  VLR 

?  
NZZ [44]  yes  static  NA  ?  
LNW [36]  yes  static  NA  
LLNW [30]  FREE  static  NA  
LLM+ [28]  yes 

NA  
LMN [31]  yes  MDO  NA  ?  
Ours  FREE 


yes 
For a security parameter parameter and maximum expected number of group users , our scheme features signature size and group public key size
. The user’s secret key has bitsize . At each epoch when the group information is updated, the verifiers only need to download an extra bits in order to perform verification of signatures
Our starting point is the scheme [30], which works in the static setting. Instead of relying on trapdoorbased ordinary signatures as in prior works, the LLNW scheme employs on a SISbased Merkle tree accumulator. For a group of users, the manager chooses uniformly random vectors ; hashes them to , respectively; builds a tree on top of these hash values; and publishes the tree root . The signing key of user consists of and the witness for the fact that was accumulated in . When issuing signatures, the user proves knowledge of a valid pair and of the tree path from to . The user also has to encrypt the binary representation of his identity , and prove that the ciphertext is wellformed. The encryption layer is also latticetrapdoorfree, since it utilizes the NaorYung doubleencryption paradigm [41] with Regev’s LWEbased encryption scheme [45]. To upgrade the LLNW scheme directly into a fully dynamic group signature, we now let the user compute the pair on his own (for enabling nonframeability), and we employ the following three ideas/techniques.
First, we add a dynamic ingredient into the static Merkle tree accumulator from [30]. To this end, we equip it with an efficient updating algorithm with complexity : to change an accumulated value, we simply update the values at the corresponding leaf and along its path to the root.
Second, we create a simple rule to handle user enrollment and revocation efficiently (i.e., without resetting the whole tree). Specifically, we use the updating algorithm to set up the system so that: (i) If a user has not joined the group or has been revoked, the value at the leaf associated with him is set as ; (ii) When a user joins the group, that value is set as his public key . Our setup guarantees that only active users (i.e., who has joined and has not been revoked at the given epoch) have their nonzero public keys accumulated into the updated root. This rule effectively separates active users who can sign from those who cannot: when signing messages, the user proceeds as in the LLNW scheme, and is asked to additionally prove in zeroknowledge that . In other words, the seemingly big gap between being fully static and being fully dynamic has been reduced to a small difference!
Third, the arising question now is how to additionally prove the inequality in the framework of the Sternlike [49] protocol from [30]. One would naturally expect that this extra job could be done without losing too much in terms of efficiency. Here, the surprising and somewhat unexpected fact is that we can actually do it while gaining efficiency, thanks to the following simple idea. Recall that, in [30], to prove knowledge of , an extension technique from [35] is employed, in which is extended into a vector of dimension . We note that, the authors of [35] also suggested a slightly modified version of their technique, that allows to simultaneously prove that and is nonzero while working only with dimension . This intriguing tweak enables us to obtain a zeroknowledge protocol with slightly lower communication cost, and hence, group signatures with slightly smaller size than in [30].
Another problem we have to overcome is that the fully dynamic setting requires a proof of correct opening, which boils down to proving correct decryption for Regev’s encryption scheme [45]. It involves modular linear equations with boundednorm secrets, and can be handled using Sternlike techniques from [35, 28].
Now, to equip the obtained fully dynamic group signature scheme with the deniability functionality, we first incorporate Ishida et al.’s notion of deniability [22] into Bootle et al.’s model [7]. Then we describe how to make our scheme deniable, via a zeroknowledge argument of knowledge that a given Regev ciphertext [45] does not decrypt to a given message. The latter reduces to proving knowledge of a nonzero vector satisfying a modular linear equation, where is the difference between the result of decryption and the given message. This in turn can be handled by developing the above method for proving inequality in the framework of Stern’s protocol.
To summarize, we solve the prominent open question of achieving full dynamicity in the field of latticebased group signatures. The scheme can be easily extended to a deniable group signature. Moreover, our solution is simple and comparatively efficient. Our results, while not yielding truly practical schemes, would certainly help to enrich the field and bring latticebased group signatures one step closer to practice.
Remarks. This article is the full, extended version of [37], published in the proceedings of ACNS 2017. In comparison with [37], the present version additionally introduces the deniability feature to the obtained fully dynamic group signature scheme, and provides details of all the security proofs.
Organization. In Section 2, we recall some background on fully dynamic group signatures and latticebased cryptography. Section 3 develops an updatable Merkle tree accumulator. Our main scheme is constructed and analyzed in Section 4. In Section 5, we demonstrate how to achieve deniability. Some details are deferred to the appendix.
2 Preliminaries
2.1 Notations
In this paper, all vectors are column vectors. The concatenation two column vectors and is denoted by for simplicity. Let and be the Euclidean () norm and infinity () norm of a vector respectively. For , denotes logarithm of with base . Denote as the set .
2.2 Fully Dynamic Group Signatures
We recall the definition and security notions of fully dynamic group signatures () presented by Bootle et al. [7]. An scheme involves the following entities: a group manager that determines who can join the group, a tracing manager who can open signatures, and a set of users who are potential group members. Users can join/leave the group at the discretion of . We assume will publish some information regularly associated with a distinct index (referred as epoch hereafter). Without loss of generality, assume there is onetoone correspondence between information and the associated epoch. The information describes changes of the group, e.g., current group members or members that are excluded from the group. We assume the published group information is authentic. By comparing current group information with previous one, it allows any party to identify revoked users at current epoch. For simplicity assume if is published before , i.e., the epoch preserves the order in which the corresponding group information was published. In existing models, the keys of authorities are supposed to be generated honestly; while in [7], Bootle et al. consider a stronger model where the keys of authorities can be maliciously generated by the adversary.
Syntax of fully dynamic group signatures. An scheme is a tuple of following polynomialtime algorithms.

. On input security parameter , this algorithm generates public parameters .

. This is an interactive protocol between the group manager and the tracing manager . If it completes successfully, algorithm outputs a manager key pair . Meanwhile, initializes the group information and the registration table . The algorithm outputs a tracing key pair . Set group public key .

. Given public parameters , this algorithm generates a user key pair .

. This is an interactive algorithm run by a user and . If it completes successfully, this user becomes a group member with an identifier and the algorithm stores secret group signing key while algorithm stores registration information in the table with index .

. This is an algorithm run by to update group information while advancing the epoch. Given ,, , registration table , a set of active users to be removed from the group, computes new group information and may update the table . If there is no change to the group, outputs .

. This algorithm outputs a group signature on message by user . It outputs if this user is inactive at epoch .

. This algorithm checks the validity of the signature on message at epoch .

. This is an algorithm run by . Given the inputs, returns an identity of a group member who signed the message and a proof indicating this tracing result or if it fails to trace to a group member.

. This algorithm checks the validity of outputted by the algorithm.
Correctness and security of fully dynamic group signatures. As put forward by Bootle et al. [7], an scheme must satisfy correctness, anonymity, nonframeability, traceability and tracing soundness.
Correctness demands that a signature generated by an honest and active user is always accepted by algorithm , and that algorithm can always identify that user, as well as produces a proof accepted by algorithm .
Anonymity requires that it is infeasible for any PPT adversary to distinguish signatures generated by two active users of its choice at the chosen epoch, even if it can corrupt any user, can choose the key of , and is given access to the oracle.
NonFrameability makes sure that the adversary cannot generate a valid signature that traces to an honest user even if it can corrupt all other users, and can choose keys of both managers.
Traceability ensures that the adversary cannot produce a valid signature that cannot be traced to an active user at the chosen epoch, even if it can corrupt any user and can choose the key of .
Tracing Soundness requires that it is infeasible to produce a valid signature that traces to two different users, even if all group users and both managers are fully controlled by the adversary.
We will define these requirements using a set of experiments, in which the adversary has access to a set of oracles. The oracles use the following global variables: is a list of users whose keys are generated honestly. is a list of users whose secret signing keys are revealed to the adversary; is a list of users whose public keys are chosen by the adversary; is a set of signatures that are generated by the oracle ; is a set of signatures that are generated by the oracle .

. This oracle adds an honest user to the group at current epoch. It returns and adds to the list .

. This oracle allows the adversary to create a new user by choosing the key as . It then adds to the list . It returns if . This actually prepares for calling the oracle .

. This oracle engages in the protocol between the adversary, who corrupts the user in the list , and the honest executing group manager.

. This oracle engages in the protocol between the adversary, who corrupts the group manager, and the honest executing user in the list .

. This oracle returns registration information of user .

. This oracle modifies to any chosen by the adversary.

. This oracle returns secret signing key to the adversary, and adds this user to the list .

. This oracle returns a signature on the message by the user at epoch , and then add the signature to the list .

. This oracle receives inputs from the adversary, returns a signature on by the user at epoch , and then adds the signature to the list . It is required that the two challenged users are active at epoch and this oracle can only be called once.

. This oracle returns the signer of the signature together with a proof, with respect to the epoch . We require that the signature is not in the list .

. This oracle allows the adversary to update the group at current epoch . It is required that is a set of active users at current epoch.
We also need the following polynomialtime algorithm in security experiments to ease composition.
: It outputs if this user is active at epoch and otherwise.
We refer the readers to [7] for detailed descriptions of the above oracles.
Definition 1
For any security parameter and any PPT adversary , we define correctness and security experiments in Fig. 1.
For correctness, nonframeability, traceability and tracing soundness, the advantage of the adversary is defined as the probability of outputting in the corresponding experiment. For anonymity, the advantage is defined as the absolute difference of probability of outputting between experiment and experiment .
A fully dynamic group signature scheme is said to be correct and secure (i.e., anonymous, nonframeable, traceable and tracing sound) if the advantages of the adversary in all considered experiments are negligible in .
2.3 Background on Lattices
We recall the averagecase lattice problems SIS and LWE, together with their hardness results.
Definition 2 ([1, 19])
The problem is as follows: Given uniformly random matrix , find a nonzero vector such that and
If , and , then the problem is at least as hard as worstcase lattice problem for some (see, e.g., [19, 39]). Specifically, when , , , the problem is at least as hard as with .
In the last decade, numerous SISbased cryptographic primitives have been proposed. In this work, we will extensively employ such constructions:

Our group signature scheme is based on the Merkle tree accumulator from [30], which is built upon a specific family of collisionresistant hash functions.

Our zeroknowledge argument systems use the statistically hiding and computationally binding string commitment scheme from [24].
For appropriate setting of parameters, the security of the above two constructions can be based on the worstcase hardness of .
In the group signature in Section 4, we will employ the multibit version of Regev’s encryption scheme [45], presented in [23]. The scheme is based on the hardness of the LWE problem.
Definition 3 ([45])
Let , , and let be a probability distribution on . For , let be the distribution obtained by sampling and , and outputting . The problem asks to distinguish samples chosen according to (for ) and samples chosen according to the uniform distribution over .
2.4 Sternlike Protocols for LatticeBased Relations
The zeroknowledge (ZK) argument systems appearing in this paper operate in the framework of Stern’s protocol [49]. Let us now recall some background. This protocol was originally proposed in the context of codebased cryptography, and was later adapted into the lattice setting by Kawachi et al. [24]. Subsequently, it was empowered by Ling et al. [35] to handle the matrixvector relations associated with the SIS and LWE problems, and further developed to design several latticebased schemes: group signatures [27, 36, 30, 31, 28], policybased signatures [16] and group encryption [29].
Sternlike protocols are quite useful in the context of latticebased privacypreserving systems, when one typically works with modular linear equations of the form  where , are public, and one wants to prove in ZK that secret vectors satisfy certain constraints, e.g., they have small norms and/or have coordinates arranged in a special way. The highlevel ideas can be summarized as follows. If the given constraints are invariant under certain type of permutations of coordinates, then one readily uses uniformly random permutations to prove those constraints. Otherwise, one performs some preprocessings with to reduce to the former case. Meanwhile, to prove that the modular linear equation holds, one makes use of a standard masking technique.
The basic protocol consists of moves: commitment, challenge, response. If the statistically hiding and computationally binding string commitment scheme from [24] is employed in the first move, then one obtains a statistical zeroknowledge argument of knowledge (ZKAoK) with perfect completeness, constant soundness error , and communication cost , where denotes the total bitsize of the secret vectors. In many applications, the protocol is repeated times, for security parameter , to achieve negligible soundness error, and then made noninteractive via the FiatShamir heuristic [18]. In the random oracle model, this results in a noninteractive zeroknowledge argument of knowledge (NIZKAoK) with bitsize .
3 Updatable LatticeBased Merkle Hash Trees
We first recall the latticebased Merkletree accumulator from [30], and then, we equip it with a simple updating algorithm which allows to change an accumulated value in time logarithmic in the size of the accumulated set. This updatable hash tree will serve as the building block of our construction in Section 4.
3.1 Cryptographic Accumulators
An accumulator scheme is a tuple of polynomialtime algorithms defined below.

On input security parameter , output the public parameter .

On input a set of data values, output an accumulator value .

On input a data set and a value , output if ; otherwise output a witness for the fact that is accumulated in . (Typically, the size of should be short (e.g., constant or logarithmic in ) to be useful.)

On input accumulator value and a valuewitness pair , output (which indicates that is valid for the accumulator ) or .
An accumulator scheme is called correct if for all , we have for all .
A natural security requirement for accumulators, as considered in [3, 12, 30], says that it is infeasible to prove that a value was accumulated in a value if it was not. This property is formalized as follows.
Definition 4 ([30])
An accumulator scheme is called secure if for all PPT adversaries :
3.2 The LLNW Merkletree Accumulator
Notations. Hereunder we will use the notation to indicate that is chosen uniformly at random from finite set . For bit , we let .
The Merkletree accumulator scheme from [30] works with parameters , , , and . The set is identified by . Define the “powersof2” matrix
Note that for every , we have , where denotes the binary representation of . The scheme is built upon the following family of SISbased collisionresistant hash functions.
Definition 5
The function family mapping to is defined as , where for with , and for any , we have:
Note that .
A Merkle tree with leaves, where is a positive integer, then can be constructed based on the function family as follows.

Sample , and output .

For every , let be the binary representation of , and let . Form the tree of depth based on the leaves as follows:

At depth , the node , for all , is defined as .

At depth : The root is defined as .
The algorithm outputs the accumulator value .


If , return . Otherwise, for some with binary representation . Output the witness defined as:
for computed by algorithm .

Let the given witness be of the form:
The algorithm recursively computes the path as follows: and
(1) Then it returns if . Otherwise, it returns .
The following lemma states the correctness and security of the above Merkle tree accumulator.
3.3 An Efficient Updating Algorithm
Unlike the static group signature scheme from [30], our fully dynamic construction of Section 4 requires to regularly edit the accumulated values without having to reconstruct the whole tree. To this end, we equip the Merkle tree accumulator from [30] with a simple, yet efficient, updating algorithm: to change the value at a given leaf, we simply modify all values in the path from that leaf to the root. The algorithm, which takes as input a bit string and a value , is formally described below.
Given the tree in Section 3.2, algorithm performs the following steps:

Let be the current value at the leaf of position determined by , and let be its associated witness.

Set and recursively compute the path as in (1).

Set ; ; .
It can be seen that the provided algorithm runs in time . In Fig. 2, we give an illustrative example of a tree with leaves.
4 Our Fully Dynamic Group Signatures from Lattices
In this section, we construct our latticebased fully dynamic group signature and prove its security in Bootle et al.’s model [7]. We start with the LLNW scheme [30], which works in the static setting.
While other constructions of latticebased group signatures employ trapdoorbased ordinary signature schemes (e.g., [9, 14]) to certify users, the LLNW scheme relies on a SISbased Merkle tree accumulator which we recalled in Section 3.2. The GM, who manages a group of users, chooses uniformly random vectors ; hashes them to , respectively; builds a tree on top of these hash values; and lets the tree root be part of the group public key. The signing key of user consists of and the witness for the fact that was accumulated in . When generating group signatures, the user proves knowledge of a valid pair and of the tree path from to . The user also has to encrypt the binary representation of his identity