Abstract
Due to their emerging security and computational properties, lattice-based constructions are of prime concern in recent research. Zero-knowledge proofs provide the strongest security guarantees for cryptographic primitives. In this paper we formalize a new zero-knowledge argument (ZKA) suitable for lattice-based constructions and employ it to establish the security of the proposed attribute-based group signature structure under a lattice assumption. To the best of our knowledge, this paper proposes the first such construction.
References
Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_28
Ali, S.T., Amberker, B.: Attribute-based group signature without random oracles with attribute anonymity. Int. J. Inf. Comput. Secur. 6(2), 109–132 (2014)
Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 614–629. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_38
Bellare, M., Shi, H., Zhang, C.: Foundations of group signatures: the case of dynamic groups. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 136–153. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_11
Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_4
Boyen, X.: Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 499–517. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_29
Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_1
Chaum, D., Van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
El Bansarkhani, R., El Kaafarani, A.: Post-quantum attribute-based signatures from lattice assumptions. IACR Cryptology ePrint Archive, 2016, p. 823 (2016)
Emura, K., Miyaji, A., Omote, K.: A dynamic attribute-based group signature scheme and its application in an anonymous survey for the collection of attribute statistics. Inf. Media Technol. 4(4), 1060–1075 (2009)
Escala, A., Herranz, J., Morillo, P.: Revocable attribute-based signatures with adaptive security in the standard model. In: Nitaj, A., Pointcheval, D. (eds.) AFRICACRYPT 2011. LNCS, vol. 6737, pp. 224–241. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21969-6_14
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008)
Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC 2008, pp. 197–206. ACM (2008)
Gordon, S.D., Katz, J., Vaikuntanathan, V.: A group signature scheme from lattice assumptions. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 395–412. Springer, Heidelberg (2010)
Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_29
Herranz, J., Laguillaumie, F., Libert, B., Ràfols, C.: Short attribute-based signatures for threshold predicates. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 51–67. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_4
Jia, X., Yupu, H., Juntao, G., Wen, G., Xuelian, L.: Attribute-based signatures on lattices. J. China Univ. Posts Telecommun. 23(4), 83–90 (2016)
Khader, D.: Attribute based group signature with revocation. IACR Cryptology ePrint Archive 2007, p. 241 (2007)
Khader, D.: Attribute based group signatures. IACR Cryptology ePrint Archive 2007, p. 159 (2007)
Laguillaumie, F., Langlois, A., Libert, B., Stehlé, D.: Lattice-based group signatures with logarithmic signature size. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8270, pp. 41–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42045-0_3
Langlois, A., Ling, S., Nguyen, K., Wang, H.: Lattice-based group signature scheme with verifier-local revocation. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 345–361. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54631-0_20
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Li, J., Kim, K.: Attribute-based ring signatures. IACR Cryptology ePrint Archive 2008, p. 394 (2008)
Liang, X., Cao, Z., Shao, J., Lin, H.: Short group signature without random oracles. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 69–82. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77048-0_6
Libert, B., Ling, S., Mouhartem, F., Nguyen, K., Wang, H.: Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 373–403. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53890-6_13
Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_1
Ling, S., Nguyen, K., Stehlé, D., Wang, H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_8
Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures: achieving attribute-privacy and collusion-resistance. IACR Cryptology ePrint Archive 2008, p. 328 (2008)
Maji, H.K., Prabhakaran, M., Rosulek, M.: Attribute-based signatures. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 376–392. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_24
Mao, X.-P., Chen, K.-F., Long, Y., Wang, L.-L.: Attribute-based signature on lattices. J. Shanghai Jiaotong Univ. (Sci.) 19(4), 406–411 (2014)
Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_17
Nguyen, P.Q., Zhang, J., Zhang, Z.: Simpler efficient group signatures from lattices. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 401–426. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_18
Okamoto, T., Takashima, K.: Efficient attribute-based signatures for non-monotone predicates in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 35–52. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_3
Patel, B.K., Jinwala, D.: Anonymity in attribute-based group signatures. In: Thilagam, P.S., Pais, A.R., Chandrasekaran, K., Balakrishnan, N. (eds.) ADCONS 2011. LNCS, vol. 7135, pp. 495–504. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29280-4_58
Regev, O.: On lattices, learning with errors, random linear codes and cryptography. In: STOC 2005, pp. 84–93. ACM (2005)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Shahandashti, S.F., Safavi-Naini, R.: Threshold attribute-based signatures and their application to anonymous credential systems. In: Preneel, B. (ed.) AFRICACRYPT 2009. LNCS, vol. 5580, pp. 198–216. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02384-2_13
Zhang, Y., Hu, Y., Jiang, M.: An attribute-based signature scheme from lattice assumption. Wuhan Univ. J. Nat. Sci. 20(3), 207–213 (2015)
Appendices
A Definitions
Discrete Gaussians. Let \(\mathtt {L}\) be a subset of \(\mathtt {\mathbb {Z}^{m}}\). For a vector \(\mathtt {c\in \mathbb {R}^m}\) and a positive \(\mathtt {\sigma \in \mathbb {R}}\), define
The discrete Gaussian distribution over \(\mathtt {L}\) with center \(\mathtt {c}\) and parameter \(\mathtt {s}\) is given by \(\mathtt {\mathcal { D}_{L,s,c}(y)=\frac{\rho _{s,c}(y)}{\rho _{s,c}(L)}}\), for all \(\mathtt {y\in L}\). The distribution \(\mathtt {\mathcal { D}_{L,s,c}}\) is usually defined over the lattice \(\mathtt {L=\Lambda _{q}^{\bot }(A)}\) for \(\mathtt {A\in \mathbb {Z}_{q}^{n\times m}}\).
The security of our construction and of the underlying building blocks is based on the hardness of the \(\mathtt {SIVP_{\tilde{\mathcal {O}}(n)}}\) and \(\mathtt {LWE}\) problems, which we recall in the following two definitions.
B Non-interactive Zero-Knowledge Proof
A non-interactive proof system \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) for a relation R with setup consists of four PPT algorithms: a setup algorithm \(\mathcal {G}\), a common reference string (CRS) generation algorithm \(\mathcal {K}\), a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\). The setup algorithm outputs public parameters I and a commitment key ck. The CRS generation algorithm takes (I, ck) as input and outputs a CRS \(\varSigma \). The prover \(\mathcal {P}\) takes as input \((I,\varSigma ,x,\omega )\), where x is the statement and \(\omega \) is the witness, and outputs a proof \(\pi \). The verifier \(\mathcal {V}\) takes as input \((I,\varSigma ,x,\pi )\) and outputs 1 if the proof is acceptable and 0 otherwise. \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a non-interactive proof system for R if it has the following properties:
Completeness. A non-interactive proof is complete if an honest prover can convince an honest verifier whenever the statement belongs to the language and the prover holds a witness testifying to this fact. For all adversaries \(\mathcal {A}\) we have:
Soundness. A non-interactive proof is sound if it is impossible to prove a false statement x, i.e. a statement which is not an element of the language L. We say \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is perfectly sound if for all adversaries \(\mathcal {A}\) we have:
Knowledge Extraction. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a proof of knowledge for R if there exists a knowledge extractor \(\mathcal {E}=(\mathcal {E}_1,\mathcal {E}_2)\) with the following properties: For all PPT adversaries \(\mathcal {A}\) we have
and for all adversaries \(\mathcal {A}\) it holds that
Zero-Knowledge. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is a composable NIZK proof if there exists a PPT simulator \((\mathcal {S}_1,\mathcal {S}_2)\) such that for all PPT adversaries \(\mathcal {A}\) we have
and for all adversaries \(\mathcal {A}\) it holds that:
where \(\mathcal {A}\) outputs \((I,x,\omega )\in R\). We obtain a strong notion of zero-knowledge, called composable zero-knowledge [15]. It implies standard zero-knowledge and is simpler to work with, because it separates the computational indistinguishability into two parts considering the CRS and the proofs respectively.
Simulation Soundness. We say that \((\mathcal {G},\mathcal {K},\mathcal {P},\mathcal {V})\) is simulation sound if a PPT adversary \(\mathcal { A}\) cannot prove false statements even after having seen simulated proofs of arbitrary statements: For all PPT adversaries \(\mathcal {A}\) we have
C Preimage Sampling Function
In this section, we recall the notion of preimage sampling functions (PSF) introduced in [13]. The idea of that function is a combination of a trapdoor construction for integer lattices and an efficient discrete Gaussian sampling algorithm. Let \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{\nu \times \mu }}\) be a uniform matrix and \(\mathtt {\mathbf {T_A}}\) the corresponding basis for the lattice \(\mathtt {\Lambda ^{\bot }(\mathbf {A})}\), which can be used as a trapdoor for finding a small non-zero solution \(\mathtt {\mathbf {e}\in \mathbb {Z}_{q}^{\mu }}\) of the equation \(\mathbf {Ae=0}\mod q\).
Definition 11
(PSF). Let \(\mathtt {\lambda }\) be a security parameter, \(\mathtt {\nu }\) a security dimension and \(\mathtt {\mu }\) a dimension of the lattice base. Let \(\mathtt {s\ge L\omega (\sqrt{\log m})}\) be some discrete Gaussian parameter. A PSF family consists of maps \(\mathtt {f_{A}: \mathbb {D}_{Z^{\mu },s}\rightarrow \mathbb {Z}_{q}^{\nu }}\) with the domain \(\mathtt {\mathbb {D}_{\mathbb {Z}_{q}^{\mu },s}=\{\mathbf {e}\in \mathbb {Z}^{\mu }:\left\| \mathbf {e}\right\| \le \sqrt{m}s\}\subseteq \mathbb {Z}^{\mu }}\) and is specified by the following four algorithms:
- \(\underline{\mathtt {TrapGen}\mathtt {(1^{\lambda })}}:\) On input the security parameter \(\mathtt {1^{\lambda }}\) it outputs a uniform matrix \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{\nu \times \mu }}\) and a basis \(\mathtt {\mathbf {T_{A}}}\) of \(\mathtt {\Lambda ^{\bot }(\mathbf {A})}\) such that \(\mathtt {\left\| \mathbf {\tilde{T}_A}\right\| \le L}\), where \(\mathtt {L}\) is the circuit depth. The public parameters are \(\mathtt {(\mathbf {A},q)}\) and the preimage-sampling trapdoor is \(\mathtt {\mathbf {T_A}}\).
- \(\underline{\mathtt {EvalFun}\mathtt {(\mathbf {A},q,\mathbf {e})}}:\) On input the public parameters \(\mathtt {(\mathbf {A},q)}\) and a point \(\mathtt {\mathbf {e}\in \mathbb {D}_{\mathbb {Z}_{q}^{\mu },s}}\), the algorithm outputs the image \(\mathtt {f_{\mathbf {A}}(\mathbf {e})=\mathbf {Ae}\mod q\in \mathbb {Z}_{q}^{\nu }}\).
- \(\underline{\mathtt {SampleDom}\mathtt {(\mathbb {I}^{\mu \times \mu },s)}}\): On input the identity matrix \(\mathtt {\mathbb {I}^{\mu \times \mu }}\) and a Gaussian parameter \(\mathtt {s}\), it outputs a vector \(\mathtt {\mathbf {e}\leftarrow \mathtt {SampleGaussian}(\mathbb {I}^{\mu \times \mu },s,0)}\), i.e. \(\mathtt {\mathbf {e}\sim \mathcal { D}_{\mathbb {Z}_{q}^{\mu },s}}\).
- (The \(\mathtt {SampleGaussian}\mathtt {(\mathbb {I}^{\mu \times \mu },s,c)}\) algorithm works as follows. On input a basis \(\mathtt {\mathbf {I}^{\mu \times \mu }}\) for a lattice \(\varLambda \subset \mathbb {R}^{\mu }\), a parameter \(\mathtt {s\ge \omega (\sqrt{m})}\) and a center \(\mathtt {\mathbf {c}\in \mathbb {R}^{\mu }}\), it outputs a lattice vector \(\mathtt {\mathbf {x}\in \Lambda }\) such that \(\mathtt {\mathbf {x}\sim \mathcal { D}_{\Lambda ,s,c}}\).)
- \(\underline{\mathtt {SamplePre}\mathtt {(\mathbf {A},q,\mathbf {T_A},s,\mathbf {u})}}\): On input the public parameters \(\mathtt {(\mathbf {A},q)}\), a trapdoor \(\mathtt {\mathbf {T_A}}\), a Gaussian parameter \(\mathtt {s}\) and a target image \(\mathtt {\mathbf {u}\in \mathbb {Z}_{q}^{n}}\), the algorithm samples \(\mathtt {\mathbf {e}\in \mathbb {D}_{\mathbb {Z}^{\mu },s}}\) from \(\mathtt {\mathcal { D}_{\mathbb {Z}^{\mu },s}}\) such that \(\mathtt {\mathbf {Ae}=\mathbf {u}(\mod q)}\). It first finds a solution \(\mathtt {\mathbf {c}\in \mathbb {Z}^{\mu }}\) of the linear system \(\mathtt {\mathbf {Ac}=\mathbf {u}(\mod q)}\). It then samples a vector \(\mathtt {\mathbf {d}\leftarrow \mathtt {SampleGaussian}(\mathbf {T_A},s,-\mathbf {c})\sim \mathcal { D}_{\Lambda ^{\bot }(\mathbf {A},s,-\mathbf {c})}}\) and outputs the vector \(\mathtt {\mathbf {e}=\mathbf {c}+\mathbf {d}\in \mathbb {Z}^{\mu }}\).
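As an added illustration of Definition 11 (not code from the paper), the following Python sketch runs the PSF algorithms on a toy instance. TrapGen is replaced by a constructed \(\mathbf{A}=[\mathbf{I}\,|\,\mathbf{R}]\) with small \(\mathbf{R}\) (so this \(\mathbf{A}\) is not uniform and the parameters are not secure), SampleGaussian is a Klein/GPV randomized nearest-plane sampler over the trapdoor basis, and the final check verifies that SamplePre's output \(\mathbf{e}=\mathbf{c}+\mathbf{d}\) satisfies \(\mathbf{Ae}=\mathbf{u} \bmod q\).

```python
import math
import random

Q, NU, MU = 17, 2, 4   # modulus q, security dimension nu, lattice dimension mu (toy sizes)
S = 10.0               # Gaussian parameter s, chosen above the Gram-Schmidt norms of the toy T_A


def matvec(mat, vec, mod=None):
    """Row-major matrix times vector, reduced modulo `mod` when given."""
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [x % mod for x in out] if mod else out


def toy_trap_gen(rng):
    """Constructed stand-in for TrapGen: A = [I_nu | R] over Z_q with small R.
    The columns [-R_j ; e_j] and [q e_i ; 0] generate Lambda^perp(A) = {e : A e = 0 mod q};
    they are short because R is small, which is also why this A is NOT uniform."""
    R = [[rng.choice([-1, 0, 1]) for _ in range(MU - NU)] for _ in range(NU)]
    A = [[1 if i == j else 0 for j in range(NU)] + [r % Q for r in R[i]] for i in range(NU)]
    T_A = []  # trapdoor basis, stored as a list of column vectors in Z^mu
    for j in range(MU - NU):
        T_A.append([-R[i][j] for i in range(NU)] + [1 if k == j else 0 for k in range(MU - NU)])
    for i in range(NU):
        T_A.append([Q if k == i else 0 for k in range(NU)] + [0] * (MU - NU))
    return A, T_A


def eval_fun(A, e):
    """EvalFun(A, q, e): the image f_A(e) = A e mod q in Z_q^nu."""
    return matvec(A, e, Q)


def sample_z(rng, s, c):
    """One-dimensional discrete Gaussian D_{Z,s,c} by rejection sampling (tail cut at 10 s)."""
    lo, hi = math.floor(c - 10 * s), math.ceil(c + 10 * s)
    while True:
        x = rng.randint(lo, hi)
        if rng.random() < math.exp(-math.pi * (x - c) ** 2 / s ** 2):
            return x


def gram_schmidt(cols):
    """Gram-Schmidt orthogonalisation of the basis columns (floats, no normalisation)."""
    gs = []
    for b in cols:
        v = [float(x) for x in b]
        for g in gs:
            coef = sum(x * y for x, y in zip(v, g)) / sum(y * y for y in g)
            v = [x - coef * y for x, y in zip(v, g)]
        gs.append(v)
    return gs


def sample_gaussian(rng, basis, s, center):
    """SampleGaussian(T, s, c): randomized nearest-plane (Klein/GPV) over the basis T.
    Output is a lattice vector in L(T); for s large enough relative to the
    Gram-Schmidt norms of T its distribution is statistically close to D_{L,s,c}."""
    gs = gram_schmidt(basis)
    c = [float(x) for x in center]
    v = [0] * len(center)
    for i in reversed(range(len(basis))):
        g, b = gs[i], basis[i]
        gg = sum(y * y for y in g)
        c_i = sum(x * y for x, y in zip(c, g)) / gg          # scalar centre along b~_i
        z_i = sample_z(rng, s / math.sqrt(gg), c_i)           # integer coefficient of b_i
        c = [x - z_i * y for x, y in zip(c, b)]
        v = [x + z_i * y for x, y in zip(v, b)]
    return v


def sample_pre(rng, A, T_A, s, u):
    """SamplePre(A, q, T_A, s, u): find any c with A c = u (mod q), sample
    d <- SampleGaussian(T_A, s, -c) in Lambda^perp(A), and output e = c + d."""
    c = list(u) + [0] * (MU - NU)       # valid only because the toy A starts with I_nu
    d = sample_gaussian(rng, T_A, s, [-x for x in c])
    return [x + y for x, y in zip(c, d)]


def trapdoor_in_kernel(seed=1):
    """Sanity check on the toy trapdoor: every column t of T_A satisfies A t = 0 mod q."""
    A, T_A = toy_trap_gen(random.Random(seed))
    return all(eval_fun(A, t) == [0] * NU for t in T_A)


def demo(seed=1):
    """Sample a preimage of a random target u; return (A e == u mod q, max |e_k|)."""
    rng = random.Random(seed)
    A, T_A = toy_trap_gen(rng)
    u = [rng.randrange(Q) for _ in range(NU)]
    e = sample_pre(rng, A, T_A, S, u)
    return eval_fun(A, e) == u, max(abs(x) for x in e)
```

Calling `demo()` exercises the full chain: the first component of the result is the correctness condition \(\mathbf{Ae}=\mathbf{u} \bmod q\), the second the size of the sampled preimage, which the definition bounds by \(\sqrt{m}s\) for a proper Gaussian parameter.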
Lemma 1
There exists a PPT algorithm \(\mathtt {\mathtt {ExtBasis}}\), that takes as input a matrix \(\mathtt {\mathbf {B}\in \mathbb {Z}_{q}^{n\times m}}\) and a basis \(\mathtt {\mathbf {T_A}}\) of \(\mathtt {\Lambda _{q}^{\bot }(\mathbf {A})}\), where \(\mathtt {\mathbf {A}\in \mathbb {Z}_{q}^{n\times m'}}\) is a submatrix of \(\mathtt {\mathbf {B}}\) and outputs a basis \(\mathtt {\mathbf {T_{B}}}\) of the extended lattice \(\mathtt {\Lambda _{q}^{\bot }(\mathbf {B})}\) with the property \(\mathtt {\left\| \widetilde{\mathbf {T}_{B}}\right\| \le \left\| \widetilde{\mathbf {T}_{A}}\right\| }\).
D Security Analysis of Theorem 3
Proof
In order to provide the proof of this theorem we are using the following lemmas:
Lemma 2
If the underlying public key encryption systems are IND-CCA secure and the NIZK proof is simulation sound and zero-knowledge, then our ABGSL scheme is fully-anonymous under the hardness of \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem.
Lemma 3
Our ABGS scheme is attribute anonymous under the hardness of the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem, provided that the underlying public key encryption scheme is IND-CCA secure and the underlying NIZK proof is simulation-sound and computationally zero-knowledge.
Lemma 4
If the underlying public key encryption is IND-CCA secure, the digital signature scheme is unforgeable against chosen message attacks and the NIZK proofs are simulation sound, then our ABGS scheme is fully-traceable under the hardness of the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem.
Due to the page limit we only provide a sketch of Lemma 1. The full proof will be given in the full version of this paper.
Proof of Lemma 2. Let \(\mathcal { A}_\mathtt {{uan}}\) be an adversary against the user’s full-anonymity in the ABGSL scheme. We design an adversary \(\mathtt {\mathcal { B}_{\gamma }\in (\mathcal { B}_{SIVP},\mathcal { B}_{pke},\mathcal { B}_{sig})}\) against the \(\mathtt {SIVP_{\mathcal { O}(\lambda )}}\) problem or against IND-CCA security of the underlying encryption scheme or against unforgeability of the underlying signature scheme, respectively. We show how to construct \(\mathcal { B}_{\gamma }\) to simulate \(\mathcal { A}_{uan}\).
Setup: Algorithm \(\mathtt {\mathcal { B}_{SIVP}}\) simulates the public parameters and the master secret key by first sampling the following vectors: \(\mathtt {\mathbf {a_{i}^{1},\ldots ,a_{i}^{\mu }}\in \left( \mathbb {Z}_{q}^{\nu }\right) ^{\mu }}\), where \(\mathtt {i\in [0,l]}\). It sets \(\mathtt {\mathbf {A}=[\mathbf {a_{0}^{1}}|\ldots |\mathbf {a_{0}^{\mu }}]}\) and analogously \(\mathtt {\mathbf {A_i}=[\mathbf {a_{i}^{1}}}\mathtt {|\ldots |\mathbf {a_{i}^{\mu }}]}\), for each \(\mathtt {i\in [1,l]}\). \(\mathcal { B}_{SIVP}\) samples for each \(i\in [l]\) a uniformly random matrix \(\mathtt {\mathbf {B}_i}\) and uses the \(\mathtt {TrapGen}\) algorithm on input these matrices to generate \(msk=\mathbf {T_{A,i}}\). To simulate the public and secret key of the underlying encryption scheme, \(\mathtt {\mathcal { B}_{pke}}\) runs the \(\mathtt {\mathtt {Setup}(1^{\lambda })}\) algorithm of Regev’s encryption scheme on input the security parameter and outputs a public key and a master secret key \(\mathtt {gmpk=\mathbf {B},gmsk=\mathbf {T_B}}\). \(\mathtt {\mathcal { B}_{pke}}\) forwards these values to \(\mathtt {\mathcal { A}_{uan}}\). In order to simulate the secret and public keys of the key issuing authorities, algorithm \(\mathtt {\mathcal { B}_{sig}}\) proceeds similarly to algorithm \(\mathtt {\mathcal { B}_{pke}}\) by running its own \(\mathtt {\mathtt {Setup}}\) algorithm and outputting \(\mathtt {sk_{kia}, pk_{kia}}\). The detailed description of the adversary \(\mathtt {\mathcal { A}_{uan}}\) is given in the following experiment:
- (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)
- (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)
- (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)
- (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)
- (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)

For all users \(\mathtt {i\in [n]}\) run \(\mathtt {(pk_i,sk_i)\leftarrow \mathtt {Setup}_s(1^{\lambda })}\). Compute \(\mathtt {cert_i\leftarrow \mathtt {Sign}(sk_{kia},\left\langle i,pk_i\right\rangle )}\). Make oracle queries to \(\mathcal { O}\mathtt {Setup}\) and \(\mathcal { O}\mathtt {Decrypt}\) of the public key encryption scheme.
Queries to \(\mathcal { O}\mathtt {ABGOpen}(\cdot ,\cdot )\): Whenever \(\mathtt {\mathcal { A}_{uan}}\) calls its opening oracle on input a message \(\mathtt {m}\) and a signature \(\sigma \), algorithm \(\mathtt {\mathcal { B}_{\gamma }}\) simulates these opening queries by first simulating the secret key of the group manager. In case the oracle’s output is \(\mathtt {m}\), it returns 1 to the adversary \(\mathcal { A}_{uan}\).
To simulate a user’s attribute-based secret key, algorithm \(\mathtt {\mathcal { B}_{\gamma }}\) is invoked and proceeds as follows, taking as input the public parameters \(\mathtt {param}\) and the simulated master secret key \(\mathtt {msk=\{\mathbf {T_{A,i}}\}_{i\in [l]}}\). It chooses a random set of attributes it wants to be challenged on, \(\mathbb {A}_i=\{a_1,\ldots ,a_{\kappa }\}\), where \(\kappa \in [0,N-1]\). \(\mathcal { B}_{SIVP}\) associates each attribute \(a_{j}\) with a leaf \(d_{j}\) of the Merkle tree, where \(j\in [0,N-1]\), by assigning to each attribute \(a_j\) a binary string in \(\{0,1\}^{\nu }\) via the following computation: \((\mathtt {bin\cdot \mathbf {A}_i\cdot \mathbf {u_{j}}\mod q})=\mathbf {d_{j}}\). Let \(\mathtt {R=(\mathbf {d}_{0},\ldots ,\mathbf {d}_{N-1})}\). \(\mathcal { B}_{SIVP}\) runs \(\mathtt {Tcalc}(R)\) to generate the complete tree and the values \(\mathtt {\mathbf {u,v}}\) for the hash function of the root node \(F_{0}(\mathbf {u,v})\). It uses the set \(\mathtt {R}\) and one of the tree leaves \(\mathtt {\mathbf {d}_j}\) as input of the \(\mathtt {TWitness}\) algorithm to generate the witness of the zero-knowledge proof:
To simulate the valid credentials provided by the key issuing authority for each user i with k distinct attributes \(\mathtt {u_{j}^{(i)},j\in [k],i\in [N]}\), \(\mathcal { B}_{SIVP}\) first computes the sum of the different attributes and sets \(\mathbf {u}^{(i)}=\sum \limits _{j=1}^{k}\mathbf {u}_j^{(i)}\). It samples values \(\mathtt {\mathbf {z_{i}}}\) by running the algorithm \(\mathtt {\mathtt {SamplePre}(\mathbf {A_i,q,T_{A,i}},s,\mathbf {u}^{(i)})}\). It returns the attribute-based secret key \(usk[i]=\mathtt {sk_{\mathbb {A}_i}=(\mathbf {z}_{i},w^{(i)},\mathbf {d}^{(i)})}\), where the tuple \(\mathtt {\mathbf {d}^{(i)}=(d_{j_1}^{(i)},\ldots ,d_{j_k}^{(i)})}\) describes the set of attributes \(\mathtt {\mathbb {A}_{i}}\) of a user \(\mathtt {i}\).
Challenge: When \(\mathtt {\mathcal { A}_{uan}}\) outputs \(\mathtt {(state,i_0,i_1,m)}\), the simulator picks a bit \(\mathtt {b\in \{0,1\}}\), computes a signature \(\mathtt {\sigma _b\leftarrow \mathtt {ABGSign}(param,usk[i_b],m,\Gamma )}\) and invokes \(\mathtt {\mathcal { B}_{SIVP}}\), which randomly simulates two messages \(\mathtt {m_0,m_1}\).
Furthermore, \(\mathcal { A}_{uan}\) invokes the \(\mathcal { B}_{ots}\) algorithm to simulate the keys of the OTS scheme by running \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}}\). The verification key \(vk_{ots}\) will be a part of the NIZK proof. \(\mathtt {\mathcal { B}_{SIVP}}\) signs \(\mathtt {vk_{ots}}\) using the simulated secret key \(\mathtt {usk[i]}\), where the secret key simulation is given by a random guess with probability \(1/|\mathcal { K}|\) over the key space \(\mathtt {\mathcal { K}}\). The guessing probability reduces \(\mathtt {\mathcal { B}_{\gamma }}\)’s advantage in winning the game. If the guessed key does not match the real secret key, the simulation aborts. The signature procedure continues as follows: Taking \(\mathtt {K}\) and the verification key \(\mathtt {vk_{ots}}\) as a message, it runs the encapsulation algorithm of the underlying DEM scheme, \(\mathtt {\hat{\sigma }=\mathtt {Encrypt}(vk_{ots})}\). Furthermore, \(\mathtt {\mathcal { B}_{pke}}\) of the underlying encryption scheme is invoked, which outputs a ciphertext encrypting the user’s certificate \(\mathtt {cert_{i_b}}\) and the signature \(\mathtt {\hat{\sigma }}\), i.e. \(\mathtt {C\leftarrow \mathtt {Encrypt}(gmpk,\left\langle i_b,pk_{i_b},cert_{i_b},\hat{\sigma },R'\right\rangle )}\), where \(\mathtt {R'}\) is the randomness used in the NIZK proof. Finally, taking as input the message m, the verification key \(\mathtt {vk_{ots}}\), the ciphertext C and the corresponding proof \(\mathtt {\pi }\), \(\mathtt {\mathcal { B}}_{sig}\) runs the signature algorithm of the underlying OTS scheme and outputs \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}(m,vk_{ots},C,\pi )}\). Furthermore, the simulator runs the NIZK proof \(\pi _1\) from the ABS scheme to show possession of a valid tuple \(\mathtt {(\mathbf {z_i}, \mathbf {d^{(i)}}, \mathbf {w^{(i)}}, \mathbf {x_i})}\).
Furthermore, it proves that \(\mathtt {C}\) is an encryption of \(\mathtt {(j_1,\ldots ,j_l)}\) with random values \(\mathtt {\mathbf {x_i}}\). The final signature is equal to \(\mathtt {\Sigma =(C,\pi )}\). We note that whenever \(\mathtt {\mathcal { A}_{uan}}\) submits a query \(\mathtt {(C,\pi ')}\) to the opening oracle, the simulator invokes its \(\mathtt {\mathcal { B}_{pke}}\) algorithm and forwards the query to its decryption oracle. Finally it outputs a bit \(\mathtt {b}\) and terminates the simulation.
Distinguisher for Zero-Knowledge. The distinguisher involved in the NIZK proof is given in the following description of the algorithm \(\mathtt {\mathcal { D}(choose,\lambda ,R')}\):
- (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)
- (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)
- (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)
- (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)
- (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)
- End for:
- (a). \(\mathtt {(state,i_0,i_1,m^{*},vk_{ots}^{*},\Gamma ^{*})\leftarrow \mathcal { A}_{uan}^{\mathcal { O}\mathtt {ABGOpen}(\cdot )}(\cdot )}\);
- (b). \(\mathtt {b\in \{0,1\},R\in \{0,1\}^{\lambda }}\);
- (c). \(\mathtt {C^{*}\leftarrow \mathtt {Encrypt}(gmpk,\left\langle i_b,pk_{i_b},cert_{i_b},\hat{\sigma }^{*},R'\right\rangle )}\);
- (d). \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}_{ots}(m^{*},vk_{ots}^{*},C^{*},\pi ^{*})}\).

We note that the distinguisher \(\mathtt {\mathcal { D}}\) can answer any queries submitted by \(\mathtt {\mathcal { A}_{uan}}\), because it is in possession of the group manager’s secret key, which can be used to open the signatures. The output of the challenge phase is a signature given as \(\mathtt {(pk_e,pk_s,m,C)}\) together with a witness. In the second stage, the distinguisher takes as input a proof \(\mathtt {\pi }\), creates a group signature \(\mathtt {\Sigma =(C,\pi ,\sigma _{ots})}\) and outputs it to the adversary \(\mathtt {\mathcal { A}_{uan}}\). Finally, the distinguisher \(\mathtt {\mathcal { D}}\) outputs the same value as the output of \(\mathtt {\mathcal { A}_{uan}}\).
Soundness of NIZK proof. In order to prove simulation soundness of the NIZK proof, we consider the following game where an adversary \(\mathtt {\mathcal { A}_{ss}}\) against simulation soundness of NIZK is playing against a challenger, who is represented by the adversary against our ABGS scheme:
- (1.) \(\mathtt {(vk_{ots},sk_{ots})\leftarrow \mathtt {Setup}_{ots}(1^{\lambda })}\)
- (2.) \(\mathtt {(gmpk,gmsk)\leftarrow \mathtt {Setup}_e(1^{\lambda })}\)
- (3.) \(\mathtt {(pk_{kia},sk_{kia})\leftarrow \mathtt {Setup}_s(1^{\lambda })}\)
- (4.) \(\mathtt {(crs,R')\leftarrow \mathtt {SIM}(generate,\lambda )}\)
- (5.) Set \(\mathtt {gpk=(\lambda ,R',gmpk,pk_{kia},vk_{ots})}\)
- End for:
- (a). \(\mathtt {m^{*},\Gamma ^{*},\sigma ^{*}\leftarrow \mathcal { A}_{uan}^{\mathcal { O}\mathtt {ABGOpen}(param,gmsk,\cdot )}(param,msk,\cdot )}\);
- (b). \(\mathtt {C\leftarrow \mathtt {Encrypt}(pk_e,\left\langle i_b,pk_{i_b},cert_{i_b},\sigma _b,R'\right\rangle )}\);
- (c). \(\mathtt {\sigma _{ots}\leftarrow \mathtt {Sign}_{ots}(m^{*},vk_{ots}^{*},C^{*},\pi ^{*})}\);
- (d). \(\mathtt {\pi \leftarrow \mathtt {SIM}(prove,crs,param,m^{*},\sigma ^{*},sk_{\mathbb {A}},\Gamma ^{*})}\).

Make oracle queries to \(\mathcal { O}\mathtt {ABGKeyGen}\) to simulate the user’s attribute-based secret key \(\mathtt {sk_{\mathbb {A}_i}}\). Run \(\mathtt {\mathtt {Verify}(param,\sigma _{ots},\pi ,C)}\) of the NIZK proof. If \(\mathtt {\mathcal { A}_{uan}}\) outputs a valid tuple \(\mathtt {(\sigma _{ots},\pi ',C)}\), output \(\mathtt {(param,crs,\sigma _{ots},\pi ',C)}\).
Due to the page limit we provide only the final result on the adversary’s success. For the detailed analysis of this proof, we refer to the full version of this paper. Finally, we conclude that the advantage of an adversary \(\mathtt {\mathcal { A}_{uan}}\) is given by the following combined inequality:
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Kuchta, V., Sahu, R.A., Sharma, G., Markowitch, O. (2018). On New Zero-Knowledge Arguments for Attribute-Based Group Signatures from Lattices. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. ICISC 2017. Lecture Notes in Computer Science(), vol 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_16
DOI: https://doi.org/10.1007/978-3-319-78556-1_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-78555-4
Online ISBN: 978-3-319-78556-1