I Introduction
Ia Background and Motivation
Group signature [1] is a fundamental cryptographic primitive with two intriguing features. The first one is anonymity. It allows users of a group to anonymously sign documents on behalf of the whole group. The second one is traceability. There exists a tracing authority that can tie a given signature to the signer’s identity should the need arise. These two properties make group signatures highly useful in various reallife scenarios such as controlled anonymous printing services, digital right management systems, ebidding and evoting schemes. Theoretically, designing secure and efficient group signature schemes is of deep interest since doing so typically requires a sophisticated combination of carefully chosen cryptographic ingredients. Numerous constructions of group signatures have been proposed. Most of them, e.g., the respective schemes in [2, 3, 4, 5], and [6], are based on classical numbertheoretic assumptions.
While numbertheoreticbased group signatures, such as those in [3] and [4], can be very efficient, they would become insecure once the era of scalable quantum computing arrives [7]. Prior to our work, the search for postquantum group signatures, as a preparation for the future, has been quite active, with at least six published schemes [8, 9, 10, 11, 12, 13]. All of them are based on computational assumptions from lattices. Despite their theoretical interest, the schemes require significantly large key and signature sizes. None of them has been supported by implementation results. Our evaluation, in Section IB below, shows that these latticebased schemes are indeed very far from being practical. This somewhat unsatisfactory situation highlights two interesting challenges. The first one is to push postquantum group signatures closer to practice. The second one is to bring more diversity in, with schemes from other candidates for postquantum cryptography, e.g., codebased, hashbased, and multivariatebased. An easytoimplement and competitively efficient codebased group signature scheme, for instance, would be highly desirable.
A codebased group signature, in the strongest security model for static groups as discussed in [14], typically requires the following three cryptographic layers.

The first layer requires a secure (standard) signature scheme to sign messages. Note that in most schemes based on the model in [14], a standard signature is also employed to issue the users’ secret keys. However, this is not necessary. The scheme constructed in this paper is an illustrative example. We observe that existing codebased signatures fall into two categories.
The “hashandsign” category consists of the CFS signature [15] and its modified versions [16, 17, 18]. The known security proofs for schemes in this category, however, should be viewed with skepticism. The assumption used in [16], for example, had been invalidated by the distinguishing attacks detailed in [19], while the new assumption proposed in [18] lies on a rather fragile ground.
The “FiatShamir” category consists of schemes derived from Stern’s identification protocol in [20] and its variants in [21, 22], and [23] via the FiatShamir transformation from [24]. Although these schemes produce relatively large signatures, as the underlying protocol has to be repeated many times to make the soundness error negligibly small, their provable security, in the random oracle model, is wellunderstood.

The second layer demands a semantically secure encryption scheme to enable the tracing feature. The signer is constrained to encrypt its identifying information and to send the ciphertext as part of the group signature, so that the tracing authority can decrypt if and when necessary. This ingredient is also available in codebased cryptography, thanks to various CPAsecure and CCAsecure variants of the McEliece [25] and the Niederreiter [26] cryptosystems available in, e.g., [27, 28, 29], and [30].

The third layer requires a zeroknowledge (ZK) protocol that connects the previous two layers. This is essentially the bottleneck in realizing secure codebased group signatures. Specifically, the protocol should demonstrate that a given signature is generated by a certain certified group user who honestly encrypts its identifying information. Constructing such a protocol is quite challenging. There have been ZK protocols involving the CFS and Stern’s signatures, which yield identitybased identification schemes in [31, 32], and [33] and threshold ring signatures in [34] and [35]. There have also been ZK proofs of plaintext knowledge for the McEliece and the Niederreiter cryptosystems [36]. Yet we are unaware of any efficient ZK protocol that simultaneously deals with both codebased signature and encryption schemes in the above sense.
Designing provably secure group signature schemes has been a longstanding open question in codebased cryptography, as was also discussed in [37].
IB Our Contributions
This work introduces two group signature schemes which are provably secure under codebased assumptions. Specifically, our basic scheme achieves the CPAanonymity [4] and the traceability requirements in [14] in the random oracle model. We assume the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The basic scheme is then extended to achieve anonymity in the strongest sense [14], i.e., CCAanonymity, for which the adversary is allowed to adaptively query for the opening of group signatures. Our two schemes are the first of their respective classes.
Contributions to CodeBased Cryptography. By introducing provably secure codebased group signature schemes, we solve the open problem discussed earlier. Along the way, we introduce the following two new techniques for codebased cryptography, which might be of independent interest.

We design a ZK protocol for the randomized McEliece encryption scheme. The protocol allows the prover to convince the verifier that a given ciphertext is wellformed and that the hidden plaintext satisfies an additional condition. Such verifiable encryption protocols are useful, not only in constructing group signatures, but also in much broader contexts [38]. It is worth noting that, prior to our work, verifiable encryption protocols for codebased cryptosystems only exist in a very basic form where the plaintext is publicly given [36], restricting their applications.

In our security proof of the traceability property, to obtain a reduction from the hardness of the Syndrome Decoding (SD) problem, we come up with an approach that, to the best of our knowledge, has not been considered in the literature before. Let us recall the (averagecase) SD problem with parameters . Given a uniformly random matrix and a uniformly random syndrome
, the problem asks to find a vector
of Hamming weight , denoted by , such that . In our scheme, the key generation algorithm produces a public key that contains a matrix and syndromes , while users are given secret keys of the form such that . In the security proof, since we would like to embed an SD challenge instanceinto the public key without being noticed, except with negligible probability, by the adversary, we have to require that
and the ’s produced by the key generation are indistinguishable from uniform.One method to generate these keys is to employ the “hashandsign” technique from the CFS signature [15]. Unfortunately, while the syndromes ’s could be made uniformly random, as the outputs of the random oracle, the assumption that the CFS matrix is computationally close to uniform for practical parameters is invalidated by the distinguishing attacks from [19].
Another method, pioneered by Stern [20], is to pick and the ’s uniformly at random. The corresponding syndromes ’s could be made computationally close to uniform if the parameters are set such that is slightly smaller than the value given by the GilbertVarshamov bound, i.e., such that . In such a case, the function acts as a pseudorandom generator [39]. However, for these parameters, it is not guaranteed with high probability that a uniformly random SD instance has solutions, which would affect the success probability of the reduction algorithm.
Our work considers the case when is moderately larger than
, so that two conditions hold. First, the uniform distribution over the set
has sufficient minentropy to apply the Leftover Hash Lemma from [40]. Second, the SD problem with parameters admits solutions with high probability, yet remains intractable against the best known attacks from [42] and [43]. Note that the variant of the SD problem considered in this work are not widely believed to be the hardest one [20, 41], but suitable parameters can be chosen such that the best known attacks run in exponential time. Further treatment on how to decide on the parameters will be given in Section VI. This approach gives us a new method to generate uniformly random vectors and a matrix so that the syndromes ’s corresponding to the ’s are statistically close to uniform. The approach, which somewhat resembles the technique used in [44] for the Inhomogeneous Small Integer Solution problem, is helpful in our security proof and, generally, in designing formal security reductions from the SD problem.
Contributions to PostQuantum Group Signatures. Our constructions provide the first nonlatticebased alternatives to provably secure postquantum group signatures. Our schemes feature public key and signature sizes linear in the number of group users , which are asymptotically not as efficient as the previously published latticebased counterparts [10, 11, 12, 13]. However, when instantiated with practical parameters, our schemes behave much more efficiently than the scheme proposed in [13]
. The latter is arguably the current most efficient latticebased group signature in the asymptotic sense. Indeed, our estimation shows that our basic scheme, which achieves the
CPAanonymity notion, gives public key and signature sizes that are times and times smaller, respectively, for an averagesize group of users. As grows, the advantage lessens, but our basic scheme remains more efficient even for a huge group of users, a number which is roughly comparable to the current population of the Netherlands. Our extended scheme, which achieves the strongest anonymity notion, i.e., CCAanonymity, introduces only a small overhead of about KB and KB in public key and signature sizes, respectively, compared to the basic scheme. Table I gives the details of our estimation. The parameters for our schemes are set as in Section VI. For the scheme in [13], we choose the commonly used lattice dimension and set the parameters and to satisfy the requirements given in [13, Section 5.1]. While our basic scheme and the scheme in [13] achieve the CPAanonymity notion [4], our extended scheme achieves the CCAanonymity notion [14]. All schemes have soundness error .We give actual implementation results for our proposed schemes to support their claim of feasibility. In our implementations, as presented later in Section VI, the actual signature sizes can be reduced thanks to an additional technique. Our schemes are the first postquantum group signature that comes supported with an actual deployment analysis. The results, while not yielding a truly practical scheme, certainly help in bringing postquantum group signatures closer to practice.
Anonymity  Public Key Size  Signature Size  
Ours  CPA  bits  ( 642 KB)  bits  (1.07 MB)  
bits  (5.13 MB)  bits  (2.21 MB)  
bits  (1.16 GB)  bits  (294 MB)  
CCA  bits  (1.08 MB)  bits  (1.25 MB)  
bits  (5.56 MB)  bits  (2.39 MB)  
bits  (1.16 GB)  bits  (294 MB)  
[13]  CPA  bits  (1.48 GB)  bits  (579 MB) 
IC Overview of Our Techniques
Let and be positive integers. We consider a group of size , where each user is indexed by an integer . The secret signing key of user is a vector chosen uniformly at random from the set
. A uniformly random matrix
and syndromes , such that , for all , are made public. Let us now explain the development of the three ingredients used in our basic scheme.The Signature Layer. User can run Stern’s ZK protocol [20] to prove the possession of a vector such that . The constraint is proved in ZK by randomly permuting the entries of and showing that the permuted vector belongs to . The protocol is then transformed into a FiatShamir signature [24]. However, such a signature is publicly verifiable only if the index is given to the verifier.
The user can further hide its index to achieve unconditional anonymity among all users. This, incidentally, yields a ring signature [45] on the way, à la [46]. Let . Let be the dimensional unit vector with entry at the th position and elsewhere. Observe that , and thus, the equation can be written as
(1) 
where denotes addition modulo . Stern’s framework allows the user to prove in ZK the possession of satisfying this equation, where the condition can be justified using a random permutation.
The Encryption Layer. To enable the tracing capability of the scheme, we let user encrypt the binary representation of via the randomized McEliece encryption scheme [27]. Specifically, we represent as , where . Given a public encrypting key , a ciphertext of is of the form
(2) 
where is the encryption randomness, with , and , i.e., is a vector of weight in .
Connecting the Signature and Encryption Layers. User must demonstrate that it does not cheat, e.g., by encrypting some string that does not point to , without revealing . Thus, we need a ZK protocol that allows the user to prove that the vector used in (1) and the plaintext hidden in (2) both correspond to the same secret . The crucial challenge is to establish a connection, which must be verifiable in ZK, between the “index representation” and the binary representation . We show how to handle this challenge well.
Instead of working with , let us consider an extension of , defined as
We then suitably insert zerorows into to obtain such that . Letting , we rewrite (2) as
(3) 
Now, let be the inverse function of . For every , we carefully design two classes of permutations and , such that, for any ,
Given the equivalences, the protocol’s user samples a uniformly random vector and sends . The verifier, seeing that
should be convinced that and correspond to the same , yet the value of is completely hidden from its view since
acts essentially as a onetime pad.
The technique extending into and then permuting in a “onetime pad” fashion is inspired by a method originally proposed by Langlois et al. in [11] in a seemingly unrelated context. There, the goal is to prove that the message being signed under the Bonsai tree signature [47] is of the form , for some . Here, we adapt and develop their method to simultaneously prove two facts. First, the plaintext being encrypted under the randomized McEliece encryption is of the form . Second, the unit vector is used in the signature layer.
By embedding the above technique into Stern’s framework, we obtain an interactive ZK argument system, in which, given the public input , the user is able to prove the possession of a secret tuple satisfying (1) and (3). The protocol is repeated many times to achieve negligible soundness error, and then made noninteractive, resulting in a noninteractive ZK argument of knowledge . The final group signature is of the form , where is the ciphertext. In the random oracle model, the anonymity of the scheme relies on the zeroknowledge property of and the CPAsecurity of the randomized McEliece encryption scheme, while its traceability is based on the hardness of the variant of the SD problem discussed earlier.
Achieving CCAAnonymity. Our basic group signature scheme makes use of the randomized McEliece encryption scheme that achieves only CPAsecurity. Hence, it only satisfies CPAanonymity for which the adversary is not granted access to the signature opening oracle. To achieve the strongest notion of anonymity put forward in [14], i.e., CCAanonymity, we would need a CCA2secure encryption scheme so that we can respond to adaptive opening queries from the adversary by invoking the decryption oracle associated with the encryption mechanism. There are a number of known CCA2secure codebased encryption schemes, e.g., [28, 29, 30]. They are, however, either too inefficient, say with ciphertext size quadratic in the security parameter, or incompatible with zeroknowledge protocols for proving the wellformedness of ciphertexts. Hence, they are unsuitable for our purpose. Instead, we exploit the fact that our verifiable encryption protocol for the randomized McEliece scheme is a simulationsound ZK argument of knowledge. We then upgrade the encryption system further to a CCA2secure one via the NaorYung twinencryption paradigm [51]. The protocol operates in Stern’s framework and satisfies the “quasiunique responses” property in [48], deriving simulationsoundness from soundness. This fact was recently exploited by several group signature schemes, such as [49] and [50], which are based on Sternlike protocols.
Specifically, we will work with two public keys and of the randomized McEliece encryption scheme. The user now encrypts under each of the keys to obtain ciphertexts and , respectively, and extend the verifiable encryption protocol discussed above to prove that these ciphertexts are wellformed and correspond to the same plaintext , which is the binary representation of the user’s index . This extension is quite smooth, since the same techniques for handling ciphertext can be used to handle and . In the proof of CCAanonymity, we then employ the strategy of [52] that makes use of the CPAsecurity of the underlying encryption scheme and the zeroknowledge, soundness and simulationsoundness of the resulting noninteractive argument. In terms of efficiency, our CCAanonymous construction only has a small and reasonable overhead compared to its CPAanonymous version, with one more McEliece encrypting matrix in the group public key and one more ciphertext equipped with its supporting ZK subprotocol in the group signature.
ID Related Works
The present paper is the full extension of our earlier work [53], which was published in the proceedings of ASIACRYPT 2015. Achieving CCAanonymity for codebased group signatures was raised as an open question in [53]. We are able to fully address the problem in this work.
In a work concurrent to and independent of [53], Alamélou et al. also proposed a codebased group signature scheme in [54] and, later on, in [55]. Their scheme considers the setting of dynamic groups. It does not use any encryption mechanism to enable traceability. Instead, the authors rely on a modified version of Stern’s protocol that allows the opening authority to test whether each protocol execution is generated using a secret key of a given user. Unfortunately, such approach does not yield a secure group signature. Recall that Stern’s protocol admits a soundness error of in each execution. It has to be repeated times, where is the security parameter, to make the error negligibly small. Then, a valid signature is generated by an honest user if and only if the tests for all executions of the protocol yield the same user . Unfortunately, the testing mechanism used in their scheme fails to capture this crucial point. When running through protocol execution numbers , it stops and outputs user when it sees the first execution that points to . This shortcoming opens a room for cheating users to break the traceability and nonframeability of the scheme. Specifically, a cheating user , who wants to mislead the opening result to an innocent user , can simulate the first several protocol executions. The simulation can be done with noticeable probability using the transcript simulator associated with the protocol, because each execution admits a soundness error of . If the opening algorithm is run, it would return with noticeable probability. The remaining protocol executions are done faithfully with secret key for user . Thus, the construction in [54] and [55] is not secure. We note that a very similar testing mechanism for Sternlike protocols was used in [11] to avoid the use of encryption in their group signature. This had been broken. In [56], which is the corrected version of [11], the authors eventually had to rely on an encryptionlike mechanism to enable traceability.
In a very recent work, Nguyen et al. [57] proposed a number of new codebased privacypreserving cryptographic constructions, including the first codebased group signature scheme with logarithmic signature size – which resolves an interesting question we left open in [53]. In their scheme, group users are associated with leaves in a codebased Merkle tree supported by a zeroknowledge argument of tree inclusion, which has communication cost linear in the tree depth (and hence, logarithmic in the number of users). Although their scheme achieves better asymptotic efficiency than ours, it yields signature size larger than MB even for small groups. In particular, for groups of size up to , the signatures are longer than those produced by our CPAanonymous and CCAanonymous schemes.
Subsequent to the publication of [53], a number of latticebased group signatures have been proposed, bringing postquantum group signatures much closer to practice. Examples include the works done in [49, 58, 50, 59], and [60]. We believe that this interesting research direction will continue to attract attention from the community. The hope is that some provably secure and truly practical schemes can be realized in the near future.
Ii Preliminaries
Notations. Let be the security parameter and denote a negligible function in . We use if is chosen uniformly at random from the finite set . The symmetric group of all permutations of elements is denoted by . Bold capital letters, e.g., , denote matrices. Bold lowercase letters, e.g., , denote row vectors. We use to denote the transpose of x and to denote the (Hamming) weight of . We denote by the set of all vectors such that . Throughout the paper, we define a function which takes a nonnegative integer as an input, and outputs the binary representation of such that , and a function which takes as an input the binary representation of , and outputs . All logarithms are in base .
Iia Background on CodeBased Cryptography
We first recall the Syndrome Decoding problem. It is wellknown to be NPcomplete [61], and is widely believed to be intractable in the average case for appropriate choice of parameters [20, 41].
Definition 1 (The Syndrome Decoding problem)
The problem asks, given a uniformly random matrix and a uniformly random syndrome , for a vector such that . When , and , we say that the problem is hard if the success probability of any algorithm in solving the problem is at most .
In our security reduction, the following variant of the Leftover Hash Lemma for matrix multiplication over is used.
Lemma 1 (Leftover Hash Lemma, adapted from [40])
Let be a distribution over with minentropy . For and , the statistical distance between the distribution of , where and is drawn from distribution , and the uniform distribution over is at most .
In particular, if is an integer such that and is the uniform distribution over , i.e., has minentropy , then the statistical distance between the distribution of and the uniform distribution over is at most .
The Randomized McEliece Encryption Scheme. We employ the following randomized variant, suggested in [27], of the McEliece encryption scheme [25], where a uniformly random vector is concatenated to the plaintext.

: Select the parameters for a binary Goppa code. Choose integers and such that . Set the plaintext space as .

: Perform the following steps.

Produce a generator matrix of a randomly selected
Goppa code. Choose a random invertible matrix
and a random permutation matrix . Let . 
Output encrypting key and decrypting key .


: To encrypt a message , sample and , then output the ciphertext .

: Perform the following steps.

Compute and then where is an errorcorrecting algorithm with respect to . If fails, then return .

Compute , parse , where and , and return .

The scheme described above is CPAsecure in the standard model, assuming the hardness of the problem and the problem [27, 62]. We now recall these two problems.
Definition 2 (The Decisional McEliece problem)
The problem is to distinguish if a given is a uniformly random matrix over or is generated by above. When , we say that the problem is hard if the success probability of any distinguisher is at most .
Definition 3 (The Decisional Learning Parity with (fixedweight) Noise problem)
The problem, given a pair , is to distinguish whether is a uniformly random pair over or is obtained by choosing , , and outputting . When , we say that the problem is hard, if the success probability of any distinguisher is at most .
IiB Group Signatures
We follow the definition of group signatures provided in [14] for the case of static groups.
Definition 4
A group signature
is a tuple of the following four polynomialtime algorithms.

KeyGen: This randomized algorithm takes as input , where is the number of group users, and outputs , where is the group public key, is the group manager’s secret key, and with being the secret key for the group user of index .

Sign: This randomized algorithm takes as input a secret signing key for some and a message and returns a group signature on .

Verify: This deterministic algorithm takes as input the group public key , a message , a signature on . The output is either (Accept) or (Reject).

Open: This deterministic algorithm takes as input the group manager’s secret key , a message , a signature on . It outputs either an index , which is associated with a particular user, or , indicating failure.
A correct group signature scheme requires that, for all , all produced by , all , and all messages , we have
A secure group signature scheme must meet two security conditions.

Traceability: all signatures, even those produced by a coalition of group users and the group manager, can be traced back to a member of the coalition.

Anonymity: signatures generated by two distinct group users are computationally indistinguishable to an adversary who knows all of the user secret keys. In Bellare et al.’s model [14], the anonymity adversary is granted access to an opening oracle (CCAanonymity). A relaxed notion, where the adversary cannot query the opening oracle (CPAanonymity), was later proposed by Boneh et al. [4].
We now give the formal definitions of CPAanonymity, CCAanonymity and traceability.
Definition 5
A group signature is anonymous if, for all polynomial and any PPT adversaries , the advantage of in the following experiment is negligible in .

Run and send to .

outputs two identities with a message . Choose a random bit and give to . Then, outputs a bit .
If , then succeeds. The advantage of is defined to be .
A group signature is anonymous if for all polynomial and any PPT adversaries , the advantage of in the following experiment is negligible in .

Run and send to .

can make queries to the opening oracle. On input a message and a signature , the oracle returns to .

outputs two identities with a message . Choose a random bit and give to .

can make further queries to the opening oracle, with the exception that it cannot query for the opening of .

Finally, outputs a bit .
succeeds if . The advantage of is defined to .
A group signature is traceable if for all polynomial and any PPT adversaries , the success probability of in the following experiment is negligible in .

Run and send to .

may query the following oracles adaptively and in any order.

An oracle that on input , outputs .

An oracle that on input , a message , returns .
Let be the set of identities queried to .


Finally, outputs a message and a signature .
succeeds if and was never queried for , yet .
Iii The Underlying ZeroKnowledge Argument System
A statistical zeroknowledge argument system is an interactive protocol where the soundness property holds for computationally bounded cheating provers, while the zeroknowledge property holds against any cheating verifier. In this section we present a statistical zeroknowledge argument system which will serve as a building block in our group signature scheme in Section IV.
Before describing the protocol, we introduce several supporting notations and techniques. Let be a positive integer and . For and for , we write if and for all . An encoding function maps an integer , whose binary representation is , to the vector
Given a vector , we define two pertmutations. The first permutation transforms to , where for each , we have with . The second permutation maps to
Observe that, for any and any , we have
(4)  
(5) 
Example 1
Let and . Then and . If , then . We have and
Iiia The Interactive Protocol
We now present our interactive zeroknowledge argument of knowledge (ZKAoK). Let be positive integers, and . The public input consists of matrices , , the syndromes , and vectors . The protocol allows the prover to simultaneously convince the verifier in zeroknowledge that possesses a vector corresponding to certain syndrome with hidden index , and that and are correct encryptions of via two instances of the randomized McEliece encryption. Specifically, the secret witness of is a tuple that satisfies
(6) 
Let and . We have and rewrite as . Let be the matrix obtained from by replacing its last rows by the rows . We then observe that .
Letting , we can equivalently rewrite (6) as
(7) 
To obtain a ZKAoK for relation (7) in Stern’s framework [20], proceeds as follows.
To prove that and while keeping secret, samples a uniformly random vector , sends , and shows that
By the equivalences observed in (4) and (5), the verifier will be convinced about the facts to prove. Furthermore, since essentially acts as a onetime pad, the secret remains perfectly hidden.
To prove in zeroknowledge that , samples a uniformly random permutation , and shows that . Similarly, to prove in zeroknowledge that , a uniformly random permutation is employed.
Finally, to prove the linear equations in zeroknowledge, samples uniformly random “masking” vectors and shows that
(8) 
Now let be a collisionresistant hash function, to be modelled as a random oracle. The prover and the verifier first perform the preparatory steps described above, and then interact as described in Figure 1.

Commitment: samples the uniformly random objects
It then sends the commitment to , where

Challenge: Upon receiving , sends a challenge to .

Response: responds based on Ch.

If : Reveal and . Let
Send to .

If : Reveal and . Let
Send to .

If : Reveal and . Let
Send to .


Verification: Upon receiving , proceeds based on Ch.

If : Let and .
Check that , ,

Comments
There are no comments yet.