Group Signature with Verifier-Local Revocation Based on Coding Theory

Wang, Luping; Zhang, Kai; Qian, Haifeng; Chen, Jie

doi:https://doi.org/10.1155/2021/3259767

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2021 | Article ID 3259767 | https://doi.org/10.1155/2021/3259767

Group Signature with Verifier-Local Revocation Based on Coding Theory

Luping Wang,¹Kai Zhang,²Haifeng Qian,^1,3and Jie Chen^1,4

Academic Editor: Jin Wook Byun

Received13 Apr 2021

Revised06 Jul 2021

Accepted17 Jul 2021

Published21 Aug 2021

Abstract

Group signature with verifier-local revocation (VLR-GS) is a special variant of revocable group signature that not only allows a user to anonymously sign messages but also only requires the verifiers to possess some up-to-date revocation information. To date, a number of VLR-GS schemes have been proposed under bilinear groups and lattices, while they have not yet been instantiated based on coding theory. In this paper, we present a code-based VLR-GS scheme in the random oracle model, which is the first construction to the best of our knowledge. Concretely, our VLR-GS scheme does not rely on the traditional paradigm which utilizes an encryption scheme as a building block and achieves logarithmic-size group signature. To obtain the scheme, we first introduce a new code-based Stern-like interactive zero-knowledge protocol with member revocation mechanism based on syndrome decoding problem. Moreover, we employ the binary Goppa code embedded for our scheme with efficiency and security analysis.

1. Introduction

1.1. Group Signature

Group signature scheme is a fundamental cryptographic primitive that enables signer anonymity and has been extensively researched since introduced by Chaum and Van Heyst [1]. The anonymity indicates that any group member is allowed to issue signature for documents on behalf of the group, while the identity of the signer is anonymously hidden from a verifier. Concretely, it allows the group members to issue signatures on behalf of the whole group without compromising their identity information. When receiving an issued signing key from the group manager, a signer can generate a group signature on a certain message. Moreover, a verifier can verify the signature by only a group public key and cannot identify who is the actual signer even when the validity of the signature is verified.

At the same time, there is a serious problem that should be considered in the real-world applications. If a group member issues signatures for documents where he is not allowed to sign, this member should be revoked from the group. The membership of a revoked user should be canceled. That is to say, how to remove the signing capability of misbehaving users without affecting remaining members is a significant problem. This problem can be encountered in many application scenarios, such as in politics and business. For example, if illegal information sent by a malicious group member is reported, the group administrator will kick the malicious member out of the group after verification to ensure the safety of other legitimate members in the group. A naive method is to rebuild the group signature system for distributing system parameter to the unrevoked members; however, this certainly limits the practicality. Hence, support of membership revocation in group signature is highly desirable, which makes the notion of revocable group signature (RGS) to be proposed [2] and widely researched.

1.2. Revocable Group Signature

When considering member revocation, how to efficiently and securely revoke the signing ability of misbehaving members in a unrevoked user-unaware way is a major problem in group signature.

Traditionally, the revocation information should be sent to both signer and verifier in the revocable group signature schemes [3–5]. Later, the most employed method is the verifier-local revocation technique [6], which only requires the verifier to possess some up-to-date revocation information, that is, the revocation messages are only sent to signature verifier, not the signer. Hence, the VLR-GS is more widely deployed in real-world application due to its high efficiency and flexible operations.

Currently, a number of VLG-GS schemes have been proposed based on various security assumptions in the pairing-free, pairing, and lattice setting [7–10], while they have not been studied yet based on coding theory. So, in this paper, we give a generic construction of the code-based VLG-GS scheme, which can resist quantum computer attacks.

1.3. Our Contributions

Our main contribution is to give a generic construction for the code-based group signature scheme with support of verifier-local revocation function. For this purpose, we first design a code-based Stern-like interactive zero-knowledge (ZK) identification protocol with member revocation mechanism; this protocol allows the prover to convince the given ciphertext is well formed, and the hidden plaintext satisfies other additional conditions. Then, we utilize the new ZK protocol to construct the code-based revocable group signature scheme. Our structure departs from the traditional “sign-and-encrypt-and-prove” group signature paradigm and deviates from code-based encryptions. So, how to construct an interactive ZK protocol with member revocation mechanism under a code-based security assumption is the main problem we have solved. Finally, we give a formal security proof for its correctness, selfless anonymity (this is a slightly weaker notion than the CPA anonymity and CCA anonymity for group signature, where this work focuses on providing membership revocation functionality for group signature), and traceability and reduce its security to the hardness of the syndrome decoding (SD) problem. By instantiating the scheme with Goppa codes with parameter analysis, the public key size and the signature size in the scheme achieve and over , respectively, where is the number of group users.

1.4. Technique Overview

The main building block of our VLR group signature scheme is an interactive ZK protocol. The protocol allows a prover to convince the verifier that he is a certified group member (i.e., he possesses a valid secret signing key) and that he has not been revoked (i.e., his “revocation token” is not in the verifier’s blacklist). We can repeat the protocol many times to make the soundness error negligibly small.

We consider a group of size , and each user is identified by a string denoting the binary representation of his index in the group. To get an extension of , inspired by the Bonsai tree signature originally proposed by Cash et al. in [11], which was first introduced into the code theory by Ezerman et al. [12], here we adapt and develop their method to manage the Bonsai tree of a difficult code-based problem, and hence a group user with identity is issued a Bonsai signature under its identity. That is, we have a small vector with ’s Hamming weight and , where is a subtree defined by .

The anonymity implies that the signer’s identity is hidden from the verifier; therefore, the matrix should not be explicitly given. We utilize the extension method in [7]: we add suitable zero blocks to vector to obtain an extended vector , where the added zero blocks are , We then have , and . Namely is a solution to the syndrome decoding instance given by the whole Bonsai tree. To prove in zero-knowledge the possession of such a vector , we adapt the “Stern extension” proof system, and the user identity is hidden by a “one-time pad” technique. As a result, the user can anonymously prove his group membership.

To enable membership revocation, the secret key of each group member should make the first block related with ; then, the revocation token could be formulated as . With well-chosen parameters and sample from a proper distribution, the token can therefore be statistically close to uniform over . In fact, when a user is asked to sample a uniformly random vector and to compute a commitment using a (code-based) collision-resistant hash function , for which the value is part of the committed string. Depending on the verifier’s challenge, the user will either reveal or .

1.5. Related Work

Group signature schemes have been well studied based on bilinear pairing [6, 13–17]. In 2018, Ishida et al. and Perera and Koshiba [18, 19] gave two group signature frameworks, respectively, which accorded to the traditional “sign-and-encrypt” paradigm and could achieve a high level of anonymity: (almost) full anonymity. However, because the secure code-based signature scheme cannot be realized for a while, the code-based instantiation scheme cannot be presented. Later, a number of lattice-based and code-based group signature schemes have been proposed, which can resist quantum computer attacks. Gordon et al. [20] designed the first lattice-based group signature scheme whose public key size and signature size are linear in the number of group members . Recently, there are several efficient lattice-based constructions [7, 21, 22] that have been proposed, whose group public key size and signature size are proportional to . The first code-based group signature scheme was proposed by Alamélou et al. in [23], which allows to dynamically add new members during the lifetime of the group. In 2015, Ezerman et al. [12] proposed the first provably secure group signature scheme from code-based assumptions which satisfies CPA anonymity and traceability requirements in the random oracle model, whose security is reduced to the hardness of the syndrome decoding problem. Moreover, the first rank code-based group signature was proposed by Alamélou et al. [24], which achieves dynamic in a relaxed pattern based on the BSZ model of Bellare et al. [13]. Nevertheless, there is no instantiation code-based group signature scheme with support of revocation functionality.

The concept of VLR-GS was first considered by Brickell [25] and Kiayias et al. [26] and then formalized by Boneh and Shacham [6]. The state-of-the-art VLR-GS constructions are usually given in the bilinear map. The first lattice-based VLR-GS scheme was given by Langlois et al. [7]. In 2020, Yin et al. [27] proposed a lattice-based VLR-GS scheme and realized full anonymity. However, this property cannot be implemented in code-based group signature scheme temporarily, for the research about code cryptography is not mature as lattice's.

1.6. Organization

Section 2 recalls some preliminary knowledge for our work, including code-based cryptography and group signature. In Section 3, we introduce a code-based “Stern-like” interactive protocol, which supports member revocation. We construct a code-based VLR group signature scheme and give its security analysis in Section 4. In the end, we conclude our work in Section 5.

2. Preliminaries

In this section, we present some notations and technical tools used in this work.

2.1. Notations

If is a finite set, denotes the operation of picking an element of uniformly at random and assigning the result to a variable . Let be a positive integer, and we denote . Let be the set of all vectors such that , where is the Hamming weight of vector . In addition, we use bold lowercase and capital letters to denote vectors and matrices, respectively.

2.2. General Definitions

Definition 1 (linear codes). A linear error-correcting code over a finite field is a -dimensional subspace of -dimensional linear space , and co-dimension is . Let matrix be a generator matrix of code , and the row vectors of form a base of , i.e., .
Note that is not unique. In addition, the code can also be defined by a parity-check matrix such that , and hence the check matrix of code is not unique as well. Besides, any row vector of is orthogonal to any row vector of the generating matrix of , i.e., . For any vector , define the syndrome of as , where is a codeword of if and only if .
Besides, we say that (respectively, ) is in systematic form if it is of the form (respectively, ).

Definition 2 (syndrome decoding problem, SDP). Let be a parity check matrix for a random linear code over and let a vector be chosen uniformly at random in and an integer . Find a vector such that .
When , we say that the SD problem is hard, if the success probability of any PPT algorithm in solving the problem is at most .
In our security reduction, the following variant of the left-over hash lemma for matrix multiplication over is used.

Lemma 1 (left-over hash lemma [12]). Let be a distribution over with min-entropy . For and , . and is drawn from distribution , the statistical distance between the distribution of and the uniform distribution over is at most .

In particular, if is an integer such that and is the uniform distribution over (i.e., has min-entropy ), then the statistical distance between the distribution of and the uniform distribution over is at most .

2.3. Stern’s Protocol

The identification protocols are very important for enhancing the security of network services and smart cards, where the zero-knowledge (ZK) protocol is a convincing primitive to suggest that a protocol can be reused without any security loss.

An efficient code-based ZK protocol was first proposed by Stern [28] as shown in Figure 1 (we give a modification with employing hamming metric), which is a 3-pass prover-verifier protocol. The prover makes a zero-knowledge proof to the verifier solving a SD instance on a low density weight secret . Let be the set of all permutations that keep the propositions in Section 3.1. Hence, the protocol suffers a distinguishable issue since a verifier with the knowledge of is able to check whether a given witness was actually involved during the protocol or not. Function is modelled as a random oracle: . Note that the prover and the verifier in the protocol with a cheating probability 2/3 are assumed to be honest, in such a way that, the completeness, soundness, and zero knowledge can be thus achieved [29].

Given the public information , the prover needs to prove the knowledge of such that .

2.4. Group Signature with Verifier-Local Revocation (VLR-GS)

Generally, a VLR-GS scheme consists of the following three algorithms [6]:(1): on inputting a security parameter and group size , this algorithm outputs a group public key , a vector of user secret keys , and a vector of user’s revocation tokens .(2): on inputting , a user secret key , and a message , this algorithm outputs a signature .(3): on inputting , a set of revocation tokens (a subset of the elements of ), a signature , and the message , this algorithm outputs either or . The output indicates that is a valid signature on message under , and the signer is a suitable user who has not been revoked.

Remark 1. Any VLR-GS scheme has an implicit tracing algorithm using as the tracing key, where the tracing algorithm works as follows: when inputting a valid signature on a message , it reveals the signer of by running , for and outputs the first index when the verification algorithm returns . The tracing algorithm fails if and only if the given signature is verified for all .

2.4.1. Security Definition

A secure VLR group signature scheme must satisfy the following three requirements:.

(1) Correctness. For all , all , and all ,

(2) Selfless Anonymity. The goal of an adversary in the selfless anonymity game (i.e., Figure 2) is to determine that a signature is generated by which secret key from two adaptively chosen keys. The challenger randomly chooses a bit and the adversary returns a guess on the value. More precisely, submits two challenge users and and the challenger issues a signature under .

In the experiment, the sets and consist of the honest users and corrupted users, respectively. returns and adds into if user , where the set is the list of users whose signatures on message exists. provides a user’s secret key and moves to if user . provides a user’s revocation token if user .

The adversary may query an oracle with a group public key at any point during its execution, with the exception that it is not allowed to make any corruption or revocation query for user or in the second query stage. The adversary wins the game when , and thus the probability of this event is defined as . Now, we define the advantage of in the experiment as

(3) Traceability. The goal of an adversary in the traceability game is to forge a signature that cannot be traced to which group user using the implicit tracing algorithm. Finally, the adversary outputs a message , a set of revocation tokens , and a signature .

In the experiment, the sets and consist of the honest users and corrupted users, respectively, and the set consists of corrupt users which is initially empty. Hence, the adversary wins the game if (i) ; (ii) the (implicit) tracing algorithm fails or traces to a user outside of the coalition ; (iii) the signature is nontrivial, i.e., did not obtain by making a signing query on . The traceability game is formally defined in Figure 3.

The probability that wins the game is defined as . We define the advantage of as

3. The Underlying Zero-Knowledge Interactive System

3.1. Some Specific Sets

Before describing the protocol, we introduce several supporting sets of vectors and permutations that will be extensively used throughout this work, which is inspired by Langlois et al. [7]. Let be a positive integer and , and we have(1): the set of all that includes blocks with size in . For any user , the has the following zero blocks , …, .(2)When given , we define the following two permutations of :(a)The set of all permutations that keep the following propositions: if , then , where each permutation can transform any word for all and with same weight that leak any information about their support (in fact, the operation in [29] meets the above proposition: for any , such that , it is possible to find a invertible matrix such that ).(b)The set as , where for , is a permutation: .

When given , and , it can be checked that

Therefore, in the following ZK protocol, to prove that for some and , one can instead prove that for , it satisfies

3.2. The Interactive Protocol

The interactive protocol generally follows Stern’s protocol whose security is reduced to the SD problem and makes a zero-knowledge proof to a verifier on a small weight secret with solving a SD instance . The protocol needs to be repeated times to reduce the soundness error negligibly small. The protocol is summarized as follows:(i)The public parameters consist of a matrix , and a vector and .(ii)The witness of a prover includes a vector for some secret . The additional input of a verifier is a set whose cardinality is at most .(iii)The goal of the prover is to let the verifier convince the following issues with zero knowledge that (1) and , while is kept secret; (2) .

3.2.1. Description of the Protocol

Let be a collision-resistant hash function to be modelled as a random oracle. The prover’s witness is , for which we employ an additional commitment to enable the revocation mechanism. The prover and the verifier interact as follows.(1)Commitment: the prover samples a string , a permutation , and a vector . Then, it sends the commitment CMT = to the verifier, where(2)Challenge: the verifier sends to the prover.(3)Response: based on the challenge, the prover computes as(4)Verification: receiving , the verifier outputs if and only if the following three conditions hold. Otherwise, he outputs . The conditions are as follows:(i)Case : parses and checks(ii)Case : parses and checks for :(iii)Case : parses and checks:

3.2.2. Analysis of the Protocol

We use the following theorem to summarize some properties of the interactive protocol.

Theorem 1 (see [7]). If is a collision-resistant hash function, modelled as a random oracle, then the interactive protocol described in Section 3.2.1 is a ZK protocol of knowledge with perfect completeness, soundness error 2/3, and communication cost .

In particular, there exists an efficient knowledge extractor that, on inputting a commitment CMT and 3 valid responses (, , ) corresponding to all 3 possible values of the challenge , outputs a vector satisfying , where for some , and .

It can be seen that the given interactive protocol is perfectly complete, i.e., if the prover possesses a valid witness , the verifier always outputs according to this protocol. Indeed, given satisfying and , as discussed above, prover can always obtain satisfying and . As a result, prover should always pass verifier’s verification in the case and , and in the case , it suffices to note that verifier simply checks for honest computations of and .

Besides, the interactive protocol is statistically zero knowledge if is modelled as a random oracle [12].

4. A Code-Based VLR-GS

In this section, we will describe and analyze our code-based VLR-GS scheme. First, we need to introduce an important tool for our scheme: trapdoor matrix, which permits to find a small weight preimage of the previous random syndrome to which a fixed syndrome is added.

Definition 3 (trapdoor matrix [23]). A trapdoor matrix family is a couple of polynomial algorithms such that(i): outputs a pair according to the security parameter , where the is the value range of .(ii): outputs with a non-negligible probability, some such as assuming , and . Notice that appears randomly from , and it returns if no solution is found.(iii)(Correctness): for all and all vectors , we have .(iv)(One-wayness): for all PPT adversary , we have a negligible probability:Hence, we say that is a trapdoor matrix and is a trapdoor key if was generated by .

4.1. Description of the Scheme

4.1.1. Key Generation

On input the security parameter , an expected number of group users and a positive integer . The key generation algorithm works as follows:(1)Select parameters , , for the syndrome decoding problem, such that .(2)Run to get a trapdoor matrix and a trapdoor key .(3)Sample and for all . Define the matrix .(4)For a group user with index , and do the following: :(a)Sample vectors and compute . Then, sample vector with . Let , …, be zero vectors , and define ; if , then go to step (b); else, repeat step (a).(b)Let the secret key of the group manager be , the user secret key be , and the revocation token be .(5)The algorithm outputs and where

4.1.2. Signing Algorithm

Let be a hash function, modelled as a random oracle, where is the repeat number of the ZK protocol described in Section 3.2.1. Given , we use the secret key to sign a message , and the user runs as follows:(1)Generate a proof that the user is a certified group member and has not been revoked; this is done by repeating the ZK protocol with times to achieve a negligible soundness error. With the public parameter and prover’s witness , we make it noninteractive with the Fiat–Shamir heuristic as a triple: where as .(2)Output the group signature:

4.1.3. Verification Algorithm

On inputting , a set of tokens whose cardinality is at most , a message , and a purported group signature on , the verifier runs the deterministic algorithm as follows:(1)Parse the group signature as as in formula (14).(2)Return if(3)For , run the verification of the ZK protocol to check the validity of with respect to and . Output and terminate, if any of the verification conditions does not hold.(4)Output .

Remark 2. According to the above key generation algorithm, we can get some observations as follows:(1)According to Lemma 1, the distribution of is statistically close to uniform over . Hence, the distribution of is statistically close to uniform over .(2)The secret key of a group user indexed by satisfies and .(3)The distribution of revocation token is statistically close to uniform over , and the tokens of two different group users should be different. In each rare event of conflict, the algorithm simply resamples the key and token for the user indexed by .

4.2. Security and Efficiency Analysis

4.2.1. Security

The correctness, selfless anonymity, and traceability of our VLR-GS are stated in Theorems 2–4, respectively.

Theorem 2. The VLR-GS scheme described in Section 4.1 is correct with an overwhelming probability.

Proof. According to the correctness requirement, it is necessary to prove that for all , , generated by , all , and all , we haveWe can observe that , with overwhelming probability, the honest signer index can obtain a valid witness to be used in the underlying argument system. Then, thanks to the perfect completeness of the latter protocol, the satisfy formula (5) is a valid triple and the algorithm always outputs for any message .
Suppose that the verification algorithm outputs , and we have . If there exists an index such that , i.e., a group user indexed by with the secret key satisfies and , the verification algorithm always outputs since it cannot pass the verification of the interactive protocol described in Section 3.2.1. Finally, the verification algorithm outputs with an overwhelming probability when .

Theorem 3. The proposed code-based VLR-GS scheme described in Section 4.1 is selfless-anonymous under the SD assumption in the random oracle model.

Proof. Let be any PPT adversary that aims to break the selfless anonymity security of the scheme. We define a sequence of hybrid games , and , for , where Game : the original selfless anonymity game in which the bit chosen by the challenger is . Game : a game similar to , except the game performs signing algorithm in an honest manner, and generates a legitimate signature. Game : a game similar to , except the game replaces the token with a value selected uniformly random over . Game : a game executes a proper SD problem instance.We continue to prove that each of the two games is indistinguishable based on the zero-knowledge property of the underlying argument and the hardness of the SD problem. In the end, the selfless anonymity of our scheme then follows from the fact that game is independent of the bit .
Game. The game runs as follows.(1)Run to obtain , set , and give to the adversary .(2)Based on the queries issued by , we have(i)If queries the signature on any message and user , return .(ii)If queries the corruption of user , set and return .(iii)If queries the revocation of user , set and return .(3) outputs a message and such that , and .(4)Generate a signature , and return to .(5) can still make queries as before, but not allowed to ask for , , and .(6)Finally, outputs a bit .Game. This game makes the following modification with respect to Game in Step 4, instead of generating a signature as follows: run the preparation steps of the signing algorithm in an honest manner; then simulate the noninteractive ZK protocol . This is done by invoking the simulator of the argument in Theorem 1 for each repetition and programming the random oracle accordingly. Since the underlying argument is statistically zero knowledge, the distribution of is statistically close to that of the legitimate . Output .
It can be seen that is statistically close to the signature outputted by Step 4 in Game . Hence, we can conclude that Game and Game are statistically indistinguishable.
Game. In this game, we introduce the following modification with respect to game . In , the token is unknown to , since it is statistically close to uniform over and with . Here, we replace as and compute . The remaining of the game is same as in Game .
Hence, we can conclude that Game and Game are statistically indistinguishable.
Game. Note that in previous games, the pair () is a right SD instance, and hence its distribution is computationally close to the uniform distribution over under the SD assumption. In the game, we let truly be uniform by sampling and setting . The remaining of the game is same as in Game . Clearly, the advantage of the adversary in this game is 0. Hence, we can conclude that and are computationally indistinguishable if the SD problem is hard.
Finally, based on the combined observations on for the bit , we havewhere “s” means statistically indistinguishable and “c” means computationally indistinguishable. The result shows that the advantage of an adversary winning in game for is negligible. This concludes the proof.

Theorem 4. Suppose there is a PPT traceability adversary against our VLR-GS scheme with a success probability in the random oracle model; then, there is an algorithm that solves the SD problem with a success probability polynomially related to .

Proof. Suppose there is an adversary that can break the computational blinding property of employed by the underlying argument with a non-negligible probability; then, we can use to solve the SD problem. Therefore, without loss of generality, we assume that is a collision-resistant hash function. Now, we construct a PPT algorithm solving the SD problem with a non-negligible probability, which works as follows. Challenge: the algorithm receives a challenge SD instance, that is, a uniformly random matrix and a vector , and it wins the challenge if it can produce a nonzero vector such that and . Setup: performs the following steps:(1)Sample , where each coordinate of is sampled from with length . If , then repeat the sampling; otherwise, compute .(2)Run with times and let the outputs be .(3)Pick a target index , and define , where and for each and .(4)Define the secret key and revocation token for user as follows: where for : .(5)Generate the secret key and the revocation token for each user , where , as follows:(a)Let be the first bit from the left where . Since , then exists. It follows that .(b)Sample , …, and let(c)Sample .(d)For each , let and . If each rare event that happens, then repeat the sampling. Otherwise, set and .(6)Let be Note that by the construction, the distribution of is statistically close to that of the real scheme, and the choice of is hidden from the adversary. Hence, the algorithm gives to . Queries: the algorithm answers the queries of as follows:(i)Corruption queries: at the beginning, the corruption set is set to be empty. If queries the secret key of any user , then adds to the set and returns .(ii)Signatures queries: if queries a signature of user on arbitrary message , then returns . The queries to the random oracles and are handled by consistently returning uniformly random values in the respective ranges. For each , we let denote the answer to the -th query. Forgery: eventually, outputs a message , a set of tokens , and a nontrivial forged signature such that , and the implicit tracing algorithm fails or traces to a user outside of the coalition . The algorithm exploits the forgery as follows.(1)One can argue that must have queried on inputs ; otherwise, the probability behaves as for the choice of being completely hidden from ’s view. Therefore, the probability is at least , and there certainly exists such that is the -th oracle query.(2) picks as the target forking point and replays many times with the same random tape and inputs as in the original run. In each rerun, for the first is given the same answers as in the initial run; however, from the -th query onwards, replies with fresh random values . The improved forking lemma of Pointcheval and Vaudenay ([30], Lemma 7) implies that with probability larger than 1/2, the algorithm can obtain a 3-fork involving the tuple after less than replays of . Now, let the answers of with respect to the 3-fork branches be Intuitively, we can get that . With the index , one parses the 3 forgeries corresponding to the fork branches to obtain and make them be 3 responses in relation with 3 different challenges for a same . Since is a collision-resistant hash function, we can invoke Theorem 1 to extract satisfying , where for some and . Since the VLR-GS is sound which leads to , is obtained from removing the zero blocks from . Note that by the construction, one has and . In other words, is a valid solution to the challenge SD instance . Finally, we can conclude that if has a success probability with running time in attacking the traceability of our group signature scheme, then has the success probability of at least with running time at most . This concludes the proof of the traceability property.

4.2.2. Efficiency

The algorithms described in Section 4.1 can be implemented in polynomial time by selecting appropriate parameters. Asymptotically, for any code and a group with group members, the public key size is over , and the group signature size is over , where is the number of repetitions of the protocol described in Section 3.2.1.

In addition, we have made a comparative analysis of the latest research studies of revocable group signature schemes in Table 1. In this table, references [18, 19] are two VLR-GS frameworks with the traditional “sign-and-encrypt” paradigm, which can achieve a high level of anonymity: (almost-) full anonymity. But, the code-based instantiation scheme seems not readily available, as code-based signatures for which there are efficient zero-knowledge proofs of knowledge of message/signature pairs are not known to date. Scheme [27] is a lattice-based VLR-GS scheme; like our scheme, it can resist quantum computer attacks. Scheme [27] achieves full anonymity. However, it cannot be realized in code-based group signature scheme temporarily. The scheme [12] introduced the first provably secure group signature scheme from code-based assumptions in a static group. References [23, 31] are the other two code-based group signature schemes, and they allow to dynamically add new members (weakly dynamic) but cannot realize the membership revocation. In summary, our scheme is the first code-based group signature scheme that realizes membership revocation, but unfortunately, it does not serve member registration. Next, we will consider further constructing a fully dynamic group signature system simultaneously supporting dynamic user enrolments and user revocations.

4.3. Implementation Results

Our code-based VLR group signature scheme can be implemented in polynomial time by selecting parameters carefully. For a code, a group with group members, asymptotically, the public key mainly consists of , and the group public key size is over . For the group signature size, the commitment achieves the bit size with (the security parameter should be greater than 80), and for each of the cases , and , the size of response is , and hence the group signature size is over , where is the repetition number of the protocol described in Section 3.2.1. The running time of revocation check (i.e., the check against when ) is linear with the number of revoked users.

We present the basic implementation results to demonstrate the feasibility, where the scheme is generic and can be used with any code. The binary Goppa codes are embedded since they constitute well-suited candidates for the instantiating introduced in our scheme. To achieve a 80-bit security level, we set the SD parameters as , so that the distribution of is -close to the uniform distribution over and that the SD problem is intractable with respect to the best known attacks. The protocol is repeated at least 140 times to make the soundness error negligibly small (less than .) We employ SHA-3 as an instantiation for the used hash functions, where it leads to the public key of size bits for users and bits for users. And the signature size is bits for users and bits for users, with the bit size of any message .

5. Conclusion

In this work, we propose the first code-based group signature scheme with membership revocation, whose security is reduced to the hardness of the syndrome decoding problem. The main idea of our work is to build a new Stern-like interactive identification protocol with member revocation mechanism. Our structure departs from the traditional “sign-and-encrypt-and-prove” group signature paradigm and does not rely on a specific encryption primitive.

To the best of our knowledge, the construction presented here is the first one for code-based group signature scheme that supports member revocation, although it could still be improved for efficiency. In the future work, we will focus on improving the current building in terms of performance (for example, achieving both dynamic registration and efficient revocation of users), efficiency (for example, making the group signature size less dependent or independent of the group size), and CCA anonymity.

Moreover, in terms of practical application, group signature scheme with membership revocation is a useful cryptographic primitive. With the development of the openness of wireless network, the mobile device and application (app) security are increasingly important [32], and authentication and anonymity issues in mobile environments must be concerned. The network communication between mobile users and cloud servers may suffer from various attacks, such as impersonation attack and password guessing attack. So, it is indispensable to establish an authentication and key agreement (AKA) protocol to protect the conversations between the users with mobile devices and remote servers in various application environments. To be practical, a two-factor/multifactor AKA protocol [33, 34] must satisfy the following security goals: (1) truly two-factor/multifactor security, that is, if an attacker gains any part of the authentication factors, the attacker cannot successfully figure out the remaining factors; (2) anonymity and untraceability, including identity protection and user untraceability; (3) local and secure password update. Actually, the unforgeability, anonymity, and other attributes of an AKA protocol just meet the security requirements of a VLR-GS scheme. So, we firmly believe that the application research studies of VLR-GS system in mobile device authentication and two-factor/multifactor authentication schemes are worthy of discussion in the future. Moreover, we can consider using a zero-knowledge proof protocol to ensure the security of user identity, utilizing a key encapsulation mechanism to protect the session-key security in an AKA protocol.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

This research was supported by the National Natural Science Foundation of China (61972156, 61802248, 61632012, U1705264, and 61961146004), the “Chenguang Program” supported by Shanghai Education Development Foundation and Shanghai Municipal Education Commission (no. 18CG62), the National Key Research and Development Program of China (2018YFA0704701), and the Fundamental Research Funds for the Central Universities.

References

D. Chaum and E. Van Heyst, “Group signatures,” in Advances in Cryptology, pp. 257–265, Springer, Berlin, Germany, 1991.
View at: Publisher Site | Google Scholar
H.-J. Kim, J. I. Lim, and D. H. Lee, “Efficient and secure member deletion in group signature schemes,” in Information Security and Cryptology, ICISC, pp. 150–161, Springer, Berlin, Germany, 2000.
View at: Google Scholar
G. Ateniese, J. Camenisch, M. Joye, and G. Tsudik, “A practical and provably secure coalition-resistant group signature scheme,” in Advances in Cryptology, pp. 255–270, Springer, Berlin, Germany, 2000.
View at: Publisher Site | Google Scholar
C. Jan and J. Groth, “Group signatures: better efficiency and new theoretical aspects,” in Proceedings of the 2004 International Conference on Security in Communication Networks, Springer, Amalfi, Italy, 2004.
View at: Google Scholar
C. Jan and L. Anna, “Dynamic accumulators and application to efficient revocation of anonymous credentials,” in Advances in Cryptology, pp. 61–76, Springer, Berlin, Germany, 2002.
View at: Google Scholar
D. Boneh and H. Shacham, “Group signatures with verifier-local revocation,” in Proceedings of the 11th ACM Conference on Computer and Communications Security, Washington, DC, USA, 2004.
View at: Publisher Site | Google Scholar
A. Langlois, S. Ling, K. Nguyen, and H. Wang, “Lattice-based group signature scheme with verifier-local revocation,” in Public-Key Cryptography—PKC 2014, pp. 345–361, Springer, Berlin, Germany, 2014.
View at: Publisher Site | Google Scholar
T. Nakanishi, H. Fujii, Y. Hira, and N. Funabiki, “Revocable group signature schemes with constant costs for signing and verifying,” in Public Key Cryptography—PKC 2009, pp. 463–480, Springer, Berlin, Germany, 2009.
View at: Publisher Site | Google Scholar
L. Wei and J. Liu, “Shorter verifier-local revocation group signature with backward unlinkability,” in Pairing-Based Cryptography, pp. 136–146, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar
S. Zhou and D. Lin, “Shorter verifier-local revocation group signatures from bilinear maps,” in Cryptology and Network Security, pp. 126–143, Springer, Berlin, Germany, 2006.
View at: Publisher Site | Google Scholar
D. Cash, D. Hofheinz, E. Kiltz, and C. Peikert, “Bonsai trees, or how to delegate a lattice basis,” in Advances in Cryptology, pp. 523–552, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, “A provably secure group signature scheme from code-based assumptions,” in Advances in Cryptology, pp. 260–285, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
M. Bellare, D. Micciancio, and B. Warinschi, “Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions,” in Advances in Cryptology, pp. 614–629, Springer, Berlin, Germany, 2003.
View at: Publisher Site | Google Scholar
D. Boneh, X. Boyen, and H. Shacham, “Short group signatures,” in Advances in Cryptology, pp. 41–55, Springer, Berlin, Germany, 2004.
View at: Publisher Site | Google Scholar
C. Jan and L. Anna, “Signature schemes and anonymous credentials from bilinear maps,” in Advances in Cryptology, pp. 56–72, Springer, Berlin, Germany, 2004.
View at: Google Scholar
C. Delerablée and D. Pointcheval, “Dynamic fully anonymous short group signatures,” in Progress in Cryptology VIETCRYPT, pp. 193–210, Springer, Berlin, Germany, 2006.
View at: Publisher Site | Google Scholar
J. Groth, “Fully anonymous group signatures without random oracles,” in Advances in Cryptology, pp. 164–180, Springer, Berlin, Germany, 2007.
View at: Google Scholar
A. Ishida, Y. Sakai, K. Emura, G. Hanaoka, and K. Tanaka, “Fully anonymous group signature with verifier-local revocation,” in Security and Cryptography for Networks, Springer, Berlin, Germany, 2018.
View at: Google Scholar
M. N. S. Perera and T. Koshiba, “Fully dynamic group signature scheme with member registration and verifier-local revocation,” Mathematics and Computing, Springer, Berlin, Germany, 2018.
View at: Publisher Site | Google Scholar
S. D. Gordon, J. Katz, and V. Vaikuntanathan, “A group signature scheme from lattice assumptions,” in Advances in Cryptology, pp. 395–412, Springer, Berlin, Germany, 2010.
View at: Publisher Site | Google Scholar
S. Ling, K. Nguyen, and H. Wang, “Group signatures from lattices: simpler, tighter, shorter, ring-based,” in Public-Key Cryptography—PKC 2015, pp. 427–449, Springer, Berlin, Germany, 2015.
View at: Publisher Site | Google Scholar
P. Q. Nguyen, J. Zhang, and Z. Zhang, “Simpler efficient group signatures from lattices,” in Public-Key Cryptography—PKC 2015, pp. 401–426, Springer, Berlin, Germany, 2015.
View at: Google Scholar
Q. Alamélou, B. Olivier, S. Cauchie, and P. Gaborit, “A code-based group signature scheme,” Designs, Codes and Cryptography, vol. 82, no. 1-2, pp. 469–493, 2017.
View at: Publisher Site | Google Scholar
Q. Alamélou, O. Blazy, S. Cauchie, and P. Gaborit, “A practical group signature scheme based on rank metric,” in Arithmetic of Finite Fields, pp. 258–275, Springer, Berlin, Germany, 2016.
View at: Publisher Site | Google Scholar
E. Brickell, An Efficient Protocol for Anonymously Providing Assurance of the Container of a Private Key, Trusted Computing Group, Beaverton, OR, USA, 2003.
A. Kiayias, Y. Tsiounis, and M. Yung, “Traceable signatures,” in Advances in Cryptology, pp. 571–589, Springer, Berlin, Germany, 2004.
View at: Publisher Site | Google Scholar
Y. Yin, Q. Zhang, H. Jia, Y. Zhang, and X. Liu, “On new zero-knowledge proofs for fully anonymous lattice-based group signature scheme with verifier-local revocation,” in Proceedings of the 2020 Applied Cryptography and Network Security Workshops, Rome, Italy, 2020.
View at: Google Scholar
J. Stern, “A new identification scheme based on syndrome decoding,” in Advances in Cryptology, pp. 13–21, Springer, Berlin, Germany, 1993.
View at: Google Scholar
P. Gaborit, J. Schrek, and G. Zémor, “Full cryptanalysis of the Chen identification protocol,” in Post-Quantum Cryptography, pp. 35–50, Springer, Berlin, Germany, 2011.
View at: Publisher Site | Google Scholar
D. Pointcheval and S. Vaudenay, “On provable security for digital signature algorithms,” Tech. Rep., 1996, Technical report LIENS-96-17.
View at: Google Scholar
B. E. Ayebie, H. Assidi, and E. M. Souidi, “A new dynamic code-based group signature scheme,” in Proceedings of the 2017 International Conference on Codes, Cryptology, and Information Security, Rabat, Morocco, 2017.
View at: Publisher Site | Google Scholar
Q. Jiang, N. Zhang, J. Ni, J. Ma, and K. Choo, “Unified biometric privacy preserving three-factor authentication and key agreement for cloud-assisted autonomous vehicles,” IEEE Transactions on Vehicular Technology, vol. 69, pp. 9390–9401, 2020.
View at: Publisher Site | Google Scholar
S. Qiu, D. Wang, G. Xu, and S. Kumari, “Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices,” IEEE Transactions on Dependable and Secure Computing, 2020.
View at: Publisher Site | Google Scholar
D. Wang and P. Wang, “Two birds with one stone: two-factor authentication with security beyond conventional bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, pp. 708–722, 2016.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2021 Luping Wang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies