I-a Background and Motivation
Group signature  is a fundamental cryptographic primitive with two intriguing features. The first one is anonymity. It allows users of a group to anonymously sign documents on behalf of the whole group. The second one is traceability. There exists a tracing authority that can tie a given signature to the signer’s identity should the need arise. These two properties make group signatures highly useful in various real-life scenarios such as controlled anonymous printing services, digital right management systems, e-bidding and e-voting schemes. Theoretically, designing secure and efficient group signature schemes is of deep interest since doing so typically requires a sophisticated combination of carefully chosen cryptographic ingredients. Numerous constructions of group signatures have been proposed. Most of them, e.g., the respective schemes in [2, 3, 4, 5], and , are based on classical number-theoretic assumptions.
While number-theoretic-based group signatures, such as those in  and , can be very efficient, they would become insecure once the era of scalable quantum computing arrives . Prior to our work, the search for post-quantum group signatures, as a preparation for the future, has been quite active, with at least six published schemes [8, 9, 10, 11, 12, 13]. All of them are based on computational assumptions from lattices. Despite their theoretical interest, the schemes require significantly large key and signature sizes. None of them has been supported by implementation results. Our evaluation, in Section I-B below, shows that these lattice-based schemes are indeed very far from being practical. This somewhat unsatisfactory situation highlights two interesting challenges. The first one is to push post-quantum group signatures closer to practice. The second one is to bring more diversity in, with schemes from other candidates for post-quantum cryptography, e.g., code-based, hash-based, and multivariate-based. An easy-to-implement and competitively efficient code-based group signature scheme, for instance, would be highly desirable.
A code-based group signature, in the strongest security model for static groups as discussed in , typically requires the following three cryptographic layers.
The first layer requires a secure (standard) signature scheme to sign messages. Note that in most schemes based on the model in , a standard signature is also employed to issue the users’ secret keys. However, this is not necessary. The scheme constructed in this paper is an illustrative example. We observe that existing code-based signatures fall into two categories.
The “hash-and-sign” category consists of the CFS signature  and its modified versions [16, 17, 18]. The known security proofs for schemes in this category, however, should be viewed with skepticism. The assumption used in , for example, had been invalidated by the distinguishing attacks detailed in , while the new assumption proposed in  lies on a rather fragile ground.
The “Fiat-Shamir” category consists of schemes derived from Stern’s identification protocol in  and its variants in [21, 22], and  via the Fiat-Shamir transformation from . Although these schemes produce relatively large signatures, as the underlying protocol has to be repeated many times to make the soundness error negligibly small, their provable security, in the random oracle model, is well-understood.
The second layer demands a semantically secure encryption scheme to enable the tracing feature. The signer is constrained to encrypt its identifying information and to send the ciphertext as part of the group signature, so that the tracing authority can decrypt if and when necessary. This ingredient is also available in code-based cryptography, thanks to various CPA-secure and CCA-secure variants of the McEliece  and the Niederreiter  cryptosystems available in, e.g., [27, 28, 29], and .
The third layer requires a zero-knowledge (ZK) protocol that connects the previous two layers. This is essentially the bottleneck in realizing secure code-based group signatures. Specifically, the protocol should demonstrate that a given signature is generated by a certain certified group user who honestly encrypts its identifying information. Constructing such a protocol is quite challenging. There have been ZK protocols involving the CFS and Stern’s signatures, which yield identity-based identification schemes in [31, 32], and  and threshold ring signatures in  and . There have also been ZK proofs of plaintext knowledge for the McEliece and the Niederreiter cryptosystems . Yet we are unaware of any efficient ZK protocol that simultaneously deals with both code-based signature and encryption schemes in the above sense.
Designing provably secure group signature schemes has been a long-standing open question in code-based cryptography, as was also discussed in .
I-B Our Contributions
This work introduces two group signature schemes which are provably secure under code-based assumptions. Specifically, our basic scheme achieves the CPA-anonymity  and the traceability requirements in  in the random oracle model. We assume the hardness of the McEliece problem, the Learning Parity with Noise problem, and a variant of the Syndrome Decoding problem. The basic scheme is then extended to achieve anonymity in the strongest sense , i.e., CCA-anonymity, for which the adversary is allowed to adaptively query for the opening of group signatures. Our two schemes are the first of their respective classes.
Contributions to Code-Based Cryptography. By introducing provably secure code-based group signature schemes, we solve the open problem discussed earlier. Along the way, we introduce the following two new techniques for code-based cryptography, which might be of independent interest.
We design a ZK protocol for the randomized McEliece encryption scheme. The protocol allows the prover to convince the verifier that a given ciphertext is well-formed and that the hidden plaintext satisfies an additional condition. Such verifiable encryption protocols are useful, not only in constructing group signatures, but also in much broader contexts . It is worth noting that, prior to our work, verifiable encryption protocols for code-based cryptosystems only exist in a very basic form where the plaintext is publicly given , restricting their applications.
In our security proof of the traceability property, to obtain a reduction from the hardness of the Syndrome Decoding (SD) problem, we come up with an approach that, to the best of our knowledge, has not been considered in the literature before. Let us recall the (average-case) SD problem with parameters . Given a uniformly random matrix and a uniformly random syndrome
, the problem asks to find a vectorof Hamming weight , denoted by , such that . In our scheme, the key generation algorithm produces a public key that contains a matrix and syndromes , while users are given secret keys of the form such that . In the security proof, since we would like to embed an SD challenge instance
into the public key without being noticed, except with negligible probability, by the adversary, we have to require thatand the ’s produced by the key generation are indistinguishable from uniform.
One method to generate these keys is to employ the “hash-and-sign” technique from the CFS signature . Unfortunately, while the syndromes ’s could be made uniformly random, as the outputs of the random oracle, the assumption that the CFS matrix is computationally close to uniform for practical parameters is invalidated by the distinguishing attacks from .
Another method, pioneered by Stern , is to pick and the ’s uniformly at random. The corresponding syndromes ’s could be made computationally close to uniform if the parameters are set such that is slightly smaller than the value given by the Gilbert-Varshamov bound, i.e., such that . In such a case, the function acts as a pseudorandom generator . However, for these parameters, it is not guaranteed with high probability that a uniformly random SD instance has solutions, which would affect the success probability of the reduction algorithm.
Our work considers the case when is moderately larger than
, so that two conditions hold. First, the uniform distribution over the sethas sufficient min-entropy to apply the Left-over Hash Lemma from . Second, the SD problem with parameters admits solutions with high probability, yet remains intractable against the best known attacks from  and . Note that the variant of the SD problem considered in this work are not widely believed to be the hardest one [20, 41], but suitable parameters can be chosen such that the best known attacks run in exponential time. Further treatment on how to decide on the parameters will be given in Section VI. This approach gives us a new method to generate uniformly random vectors and a matrix so that the syndromes ’s corresponding to the ’s are statistically close to uniform. The approach, which somewhat resembles the technique used in  for the Inhomogeneous Small Integer Solution problem, is helpful in our security proof and, generally, in designing formal security reductions from the SD problem.
Contributions to Post-Quantum Group Signatures. Our constructions provide the first non-lattice-based alternatives to provably secure post-quantum group signatures. Our schemes feature public key and signature sizes linear in the number of group users , which are asymptotically not as efficient as the previously published lattice-based counterparts [10, 11, 12, 13]. However, when instantiated with practical parameters, our schemes behave much more efficiently than the scheme proposed in 
. The latter is arguably the current most efficient lattice-based group signature in the asymptotic sense. Indeed, our estimation shows that our basic scheme, which achieves theCPA-anonymity notion, gives public key and signature sizes that are times and times smaller, respectively, for an average-size group of users. As grows, the advantage lessens, but our basic scheme remains more efficient even for a huge group of users, a number which is roughly comparable to the current population of the Netherlands. Our extended scheme, which achieves the strongest anonymity notion, i.e., CCA-anonymity, introduces only a small overhead of about KB and KB in public key and signature sizes, respectively, compared to the basic scheme. Table I gives the details of our estimation. The parameters for our schemes are set as in Section VI. For the scheme in , we choose the commonly used lattice dimension and set the parameters and to satisfy the requirements given in [13, Section 5.1]. While our basic scheme and the scheme in  achieve the CPA-anonymity notion , our extended scheme achieves the CCA-anonymity notion . All schemes have soundness error .
We give actual implementation results for our proposed schemes to support their claim of feasibility. In our implementations, as presented later in Section VI, the actual signature sizes can be reduced thanks to an additional technique. Our schemes are the first post-quantum group signature that comes supported with an actual deployment analysis. The results, while not yielding a truly practical scheme, certainly help in bringing post-quantum group signatures closer to practice.
|Anonymity||Public Key Size||Signature Size|
|Ours||CPA||bits||( 642 KB)||bits||(1.07 MB)|
|bits||(5.13 MB)||bits||(2.21 MB)|
|bits||(1.16 GB)||bits||(294 MB)|
|CCA||bits||(1.08 MB)||bits||(1.25 MB)|
|bits||(5.56 MB)||bits||(2.39 MB)|
|bits||(1.16 GB)||bits||(294 MB)|
|||CPA||bits||(1.48 GB)||bits||(579 MB)|
I-C Overview of Our Techniques
Let and be positive integers. We consider a group of size , where each user is indexed by an integer . The secret signing key of user is a vector chosen uniformly at random from the set
. A uniformly random matrixand syndromes , such that , for all , are made public. Let us now explain the development of the three ingredients used in our basic scheme.
The Signature Layer. User can run Stern’s ZK protocol  to prove the possession of a vector such that . The constraint is proved in ZK by randomly permuting the entries of and showing that the permuted vector belongs to . The protocol is then transformed into a Fiat-Shamir signature . However, such a signature is publicly verifiable only if the index is given to the verifier.
The user can further hide its index to achieve unconditional anonymity among all users. This, incidentally, yields a ring signature  on the way, à la . Let . Let be the -dimensional unit vector with entry at the -th position and elsewhere. Observe that , and thus, the equation can be written as
where denotes addition modulo . Stern’s framework allows the user to prove in ZK the possession of satisfying this equation, where the condition can be justified using a random permutation.
The Encryption Layer. To enable the tracing capability of the scheme, we let user encrypt the binary representation of via the randomized McEliece encryption scheme . Specifically, we represent as , where . Given a public encrypting key , a ciphertext of is of the form
where is the encryption randomness, with , and , i.e., is a vector of weight in .
Connecting the Signature and Encryption Layers. User must demonstrate that it does not cheat, e.g., by encrypting some string that does not point to , without revealing . Thus, we need a ZK protocol that allows the user to prove that the vector used in (1) and the plaintext hidden in (2) both correspond to the same secret . The crucial challenge is to establish a connection, which must be verifiable in ZK, between the “index representation” and the binary representation . We show how to handle this challenge well.
Instead of working with , let us consider an extension of , defined as
We then suitably insert zero-rows into to obtain such that . Letting , we rewrite (2) as
Now, let be the inverse function of . For every , we carefully design two classes of permutations and , such that, for any ,
Given the equivalences, the protocol’s user samples a uniformly random vector and sends . The verifier, seeing that
should be convinced that and correspond to the same , yet the value of is completely hidden from its view since
acts essentially as a one-time pad.
The technique extending into and then permuting in a “one-time pad” fashion is inspired by a method originally proposed by Langlois et al. in  in a seemingly unrelated context. There, the goal is to prove that the message being signed under the Bonsai tree signature  is of the form , for some . Here, we adapt and develop their method to simultaneously prove two facts. First, the plaintext being encrypted under the randomized McEliece encryption is of the form . Second, the unit vector is used in the signature layer.
By embedding the above technique into Stern’s framework, we obtain an interactive ZK argument system, in which, given the public input , the user is able to prove the possession of a secret tuple satisfying (1) and (3). The protocol is repeated many times to achieve negligible soundness error, and then made non-interactive, resulting in a non-interactive ZK argument of knowledge . The final group signature is of the form , where is the ciphertext. In the random oracle model, the anonymity of the scheme relies on the zero-knowledge property of and the CPA-security of the randomized McEliece encryption scheme, while its traceability is based on the hardness of the variant of the SD problem discussed earlier.
Achieving CCA-Anonymity. Our basic group signature scheme makes use of the randomized McEliece encryption scheme that achieves only CPA-security. Hence, it only satisfies CPA-anonymity for which the adversary is not granted access to the signature opening oracle. To achieve the strongest notion of anonymity put forward in , i.e., CCA-anonymity, we would need a CCA2-secure encryption scheme so that we can respond to adaptive opening queries from the adversary by invoking the decryption oracle associated with the encryption mechanism. There are a number of known CCA2-secure code-based encryption schemes, e.g., [28, 29, 30]. They are, however, either too inefficient, say with ciphertext size quadratic in the security parameter, or incompatible with zero-knowledge protocols for proving the well-formedness of ciphertexts. Hence, they are unsuitable for our purpose. Instead, we exploit the fact that our verifiable encryption protocol for the randomized McEliece scheme is a simulation-sound ZK argument of knowledge. We then upgrade the encryption system further to a CCA2-secure one via the Naor-Yung twin-encryption paradigm . The protocol operates in Stern’s framework and satisfies the “quasi-unique responses” property in , deriving simulation-soundness from soundness. This fact was recently exploited by several group signature schemes, such as  and , which are based on Stern-like protocols.
Specifically, we will work with two public keys and of the randomized McEliece encryption scheme. The user now encrypts under each of the keys to obtain ciphertexts and , respectively, and extend the verifiable encryption protocol discussed above to prove that these ciphertexts are well-formed and correspond to the same plaintext , which is the binary representation of the user’s index . This extension is quite smooth, since the same techniques for handling ciphertext can be used to handle and . In the proof of CCA-anonymity, we then employ the strategy of  that makes use of the CPA-security of the underlying encryption scheme and the zero-knowledge, soundness and simulation-soundness of the resulting non-interactive argument. In terms of efficiency, our CCA-anonymous construction only has a small and reasonable overhead compared to its CPA-anonymous version, with one more McEliece encrypting matrix in the group public key and one more ciphertext equipped with its supporting ZK sub-protocol in the group signature.
I-D Related Works
The present paper is the full extension of our earlier work , which was published in the proceedings of ASIACRYPT 2015. Achieving CCA-anonymity for code-based group signatures was raised as an open question in . We are able to fully address the problem in this work.
In a work concurrent to and independent of , Alamélou et al. also proposed a code-based group signature scheme in  and, later on, in . Their scheme considers the setting of dynamic groups. It does not use any encryption mechanism to enable traceability. Instead, the authors rely on a modified version of Stern’s protocol that allows the opening authority to test whether each protocol execution is generated using a secret key of a given user. Unfortunately, such approach does not yield a secure group signature. Recall that Stern’s protocol admits a soundness error of in each execution. It has to be repeated times, where is the security parameter, to make the error negligibly small. Then, a valid signature is generated by an honest user if and only if the tests for all executions of the protocol yield the same user . Unfortunately, the testing mechanism used in their scheme fails to capture this crucial point. When running through protocol execution numbers , it stops and outputs user when it sees the first execution that points to . This shortcoming opens a room for cheating users to break the traceability and non-frameability of the scheme. Specifically, a cheating user , who wants to mislead the opening result to an innocent user , can simulate the first several protocol executions. The simulation can be done with noticeable probability using the transcript simulator associated with the protocol, because each execution admits a soundness error of . If the opening algorithm is run, it would return with noticeable probability. The remaining protocol executions are done faithfully with secret key for user . Thus, the construction in  and  is not secure. We note that a very similar testing mechanism for Stern-like protocols was used in  to avoid the use of encryption in their group signature. This had been broken. In , which is the corrected version of , the authors eventually had to rely on an encryption-like mechanism to enable traceability.
In a very recent work, Nguyen et al.  proposed a number of new code-based privacy-preserving cryptographic constructions, including the first code-based group signature scheme with logarithmic signature size – which resolves an interesting question we left open in . In their scheme, group users are associated with leaves in a code-based Merkle tree supported by a zero-knowledge argument of tree inclusion, which has communication cost linear in the tree depth (and hence, logarithmic in the number of users). Although their scheme achieves better asymptotic efficiency than ours, it yields signature size larger than MB even for small groups. In particular, for groups of size up to , the signatures are longer than those produced by our CPA-anonymous and CCA-anonymous schemes.
Subsequent to the publication of , a number of lattice-based group signatures have been proposed, bringing post-quantum group signatures much closer to practice. Examples include the works done in [49, 58, 50, 59], and . We believe that this interesting research direction will continue to attract attention from the community. The hope is that some provably secure and truly practical schemes can be realized in the near future.
Notations. Let be the security parameter and denote a negligible function in . We use if is chosen uniformly at random from the finite set . The symmetric group of all permutations of elements is denoted by . Bold capital letters, e.g., , denote matrices. Bold lowercase letters, e.g., , denote row vectors. We use to denote the transpose of x and to denote the (Hamming) weight of . We denote by the set of all vectors such that . Throughout the paper, we define a function which takes a non-negative integer as an input, and outputs the binary representation of such that , and a function which takes as an input the binary representation of , and outputs . All logarithms are in base .
Ii-a Background on Code-Based Cryptography
Definition 1 (The Syndrome Decoding problem)
The problem asks, given a uniformly random matrix and a uniformly random syndrome , for a vector such that . When , and , we say that the problem is hard if the success probability of any algorithm in solving the problem is at most .
In our security reduction, the following variant of the Left-over Hash Lemma for matrix multiplication over is used.
Lemma 1 (Left-over Hash Lemma, adapted from )
Let be a distribution over with min-entropy . For and , the statistical distance between the distribution of , where and is drawn from distribution , and the uniform distribution over is at most .
In particular, if is an integer such that and is the uniform distribution over , i.e., has min-entropy , then the statistical distance between the distribution of and the uniform distribution over is at most .
The Randomized McEliece Encryption Scheme. We employ the following randomized variant, suggested in , of the McEliece encryption scheme , where a uniformly random vector is concatenated to the plaintext.
: Select the parameters for a binary Goppa code. Choose integers and such that . Set the plaintext space as .
: Perform the following steps.
Produce a generator matrix of a randomly selected
Goppa code. Choose a random invertible matrixand a random permutation matrix . Let .
Output encrypting key and decrypting key .
: To encrypt a message , sample and , then output the ciphertext .
: Perform the following steps.
Compute and then where is an error-correcting algorithm with respect to . If fails, then return .
Compute , parse , where and , and return .
Definition 2 (The Decisional McEliece problem)
The problem is to distinguish if a given is a uniformly random matrix over or is generated by above. When , we say that the problem is hard if the success probability of any distinguisher is at most .
Definition 3 (The Decisional Learning Parity with (fixed-weight) Noise problem)
The problem, given a pair , is to distinguish whether is a uniformly random pair over or is obtained by choosing , , and outputting . When , we say that the problem is hard, if the success probability of any distinguisher is at most .
Ii-B Group Signatures
We follow the definition of group signatures provided in  for the case of static groups.
A group signature
is a tuple of the following four polynomial-time algorithms.
KeyGen: This randomized algorithm takes as input , where is the number of group users, and outputs , where is the group public key, is the group manager’s secret key, and with being the secret key for the group user of index .
Sign: This randomized algorithm takes as input a secret signing key for some and a message and returns a group signature on .
Verify: This deterministic algorithm takes as input the group public key , a message , a signature on . The output is either (Accept) or (Reject).
Open: This deterministic algorithm takes as input the group manager’s secret key , a message , a signature on . It outputs either an index , which is associated with a particular user, or , indicating failure.
A correct group signature scheme requires that, for all , all produced by , all , and all messages , we have
A secure group signature scheme must meet two security conditions.
Traceability: all signatures, even those produced by a coalition of group users and the group manager, can be traced back to a member of the coalition.
Anonymity: signatures generated by two distinct group users are computationally indistinguishable to an adversary who knows all of the user secret keys. In Bellare et al.’s model , the anonymity adversary is granted access to an opening oracle (CCA-anonymity). A relaxed notion, where the adversary cannot query the opening oracle (CPA-anonymity), was later proposed by Boneh et al. .
We now give the formal definitions of CPA-anonymity, CCA-anonymity and traceability.
A group signature is -anonymous if, for all polynomial and any PPT adversaries , the advantage of in the following experiment is negligible in .
Run and send to .
outputs two identities with a message . Choose a random bit and give to . Then, outputs a bit .
If , then succeeds. The advantage of is defined to be .
A group signature is -anonymous if for all polynomial and any PPT adversaries , the advantage of in the following experiment is negligible in .
Run and send to .
can make queries to the opening oracle. On input a message and a signature , the oracle returns to .
outputs two identities with a message . Choose a random bit and give to .
can make further queries to the opening oracle, with the exception that it cannot query for the opening of .
Finally, outputs a bit .
succeeds if . The advantage of is defined to .
A group signature is traceable if for all polynomial and any PPT adversaries , the success probability of in the following experiment is negligible in .
Run and send to .
may query the following oracles adaptively and in any order.
An oracle that on input , outputs .
An oracle that on input , a message , returns .
Let be the set of identities queried to .
Finally, outputs a message and a signature .
succeeds if and was never queried for , yet .
Iii The Underlying Zero-Knowledge Argument System
A statistical zero-knowledge argument system is an interactive protocol where the soundness property holds for computationally bounded cheating provers, while the zero-knowledge property holds against any cheating verifier. In this section we present a statistical zero-knowledge argument system which will serve as a building block in our group signature scheme in Section IV.
Before describing the protocol, we introduce several supporting notations and techniques. Let be a positive integer and . For and for , we write if and for all . An encoding function maps an integer , whose binary representation is , to the vector
Given a vector , we define two pertmutations. The first permutation transforms to , where for each , we have with . The second permutation maps to
Observe that, for any and any , we have
Let and . Then and . If , then . We have and
Iii-a The Interactive Protocol
We now present our interactive zero-knowledge argument of knowledge (ZKAoK). Let be positive integers, and . The public input consists of matrices , , the syndromes , and vectors . The protocol allows the prover to simultaneously convince the verifier in zero-knowledge that possesses a vector corresponding to certain syndrome with hidden index , and that and are correct encryptions of via two instances of the randomized McEliece encryption. Specifically, the secret witness of is a tuple that satisfies
Let and . We have and rewrite as . Let be the matrix obtained from by replacing its last rows by the rows . We then observe that .
Letting , we can equivalently rewrite (6) as
To prove that and while keeping secret, samples a uniformly random vector , sends , and shows that
To prove in zero-knowledge that , samples a uniformly random permutation , and shows that . Similarly, to prove in zero-knowledge that , a uniformly random permutation is employed.
Finally, to prove the linear equations in zero-knowledge, samples uniformly random “masking” vectors and shows that
Now let be a collision-resistant hash function, to be modelled as a random oracle. The prover and the verifier first perform the preparatory steps described above, and then interact as described in Figure 1.
Commitment: samples the uniformly random objects
It then sends the commitment to , where
Challenge: Upon receiving , sends a challenge to .
Response: responds based on Ch.
If : Reveal and . Let
Send to .
If : Reveal and . Let
Send to .
If : Reveal and . Let
Send to .
Verification: Upon receiving , proceeds based on Ch.
If : Let and .
Check that , ,