A code-based group signature scheme

Quentin Alamélou, Olivier Blazy, Stéphane Cauchie, Philippe Gaborit
2016 Designs, Codes and Cryptography  
This work is the extended version of [1], which proposed the first code-based group signature. The new group signature scheme we present here has numerous advantages over all existing post-quantum constructions and even competes, in terms of properties, with pairing-based constructions: it allows new members to be added during the lifetime of the group (it is dynamic). Moreover, it appears that our scheme might be extended into a traceable signature according to the definition of Kiayias, Tsiounis and Yung [2] (KTY model) while handling membership revocation. Our security is based on a relaxation of the model of Bellare, Shi and Zhang [3] (BSZ model), satisfying the properties of anonymity, traceability and non-frameability. The main idea of our scheme consists in building an offset collision of two syndromes associated to two different matrices: a random matrix, which enables a random syndrome to be built from a chosen small-weight vector; and a trapdoor matrix for the syndrome decoding problem, which permits finding a small-weight preimage of that random syndrome to which a fixed syndrome has been added. These two small-weight vectors constitute the group member's secret signing key, knowledge of which is proved thanks to a variation of Stern's authentication protocol. For applications, we consider the case of the code-based CFS signature scheme [4] of Courtois, Finiasz and Sendrier. If one denotes by $N$ the number of group members, CFS leads to signature and public key sizes in $N^{1/\sqrt{\log(N)}}$. Along with this work, we also introduce a new kind of proof of knowledge, Testable weak Zero Knowledge (TwZK), implicitly covered in the short version of this paper [1]. TwZK proofs appear particularly well fitted to the context of group signature schemes: they allow a verifier to test whether a specific witness was used without learning anything more from the proof. In the Random Oracle Model (ROM), we ensure the security of our scheme by defining the One More Syndrome Decoding problem, a new code-based problem related to the Syndrome Decoding problem [5].

A group signature scheme allows members of a group to issue signatures on behalf of the group in an anonymous but revocable way: an opener is able to revoke the anonymity of the actual signer in case of abuse. Since their introduction by Chaum and van Heyst [6], group signatures have been extensively studied. Bellare et al. [7] (BMW model) first gave formal security properties of group signatures.
Later, Bellare, Shi and Zhang [3] extended this model to dynamic groups (BSZ model). Numerous efficient group signatures such as [8, 9, 10] were proposed, but only proven secure in a relaxation of the security model of [7]. Delerablée and Pointcheval [11] proposed the first practical scheme fully fitting BSZ in the random oracle model (ROM), whereas Groth [12] also provided such a scheme but secure in the standard model. Then, as an improvement of group signatures, Kiayias, Tsiounis and Yung suggested traceable signature schemes in [2]. In addition to the classic properties of a group signature scheme, a traceable signature enables the opening authority to delegate its revoking (or opening) capability to sub-openers, but only against specific users. This gives two crucial advantages: sub-openers can run in parallel, and authorities can monitor misbehaving users while preserving the anonymity of honest users. The first efficient traceable signatures provably secure in the standard model were introduced by Libert and Yung in [13]. All the aforesaid schemes are pairing-based constructions. It was therefore worth looking for alternatives, since their security (which rests on discrete-logarithm-type assumptions in pairing groups) would collapse in front of quantum computers, and since they involve heavy computations. Thus, many lattice-based constructions have been proposed, such as [14], which first designed a lattice-based group signature scheme with both public key and signature size linear in the number of group members $N$. Recently, numerous works such as [15, 16, 17, 18] proposed more efficient lattice-based constructions where the sizes of both the group public key and the signatures are proportional to $\log(N)$. In a concurrent and posterior work, Ezerman et al. [19] also designed a code-based group signature, which has weaker features in terms of parameter sizes and properties.
Moreover, it is interesting to notice that, with the recent exception of [20], all lattice- and code-based constructions base their security on the static model of [7], meaning that our scheme constituted the first post-quantum dynamic group signature scheme. Because of a restriction on adding new users (procedure Join), our scheme ensures the security properties of traceability, anonymity and non-frameability in a relaxation of the BSZ model. Indeed, the security of our protocol is ensured only when the adversary can add honest users (oracle joinP) that may be corrupted later, whereas the BSZ model requires security even in the presence of an adversary adding already corrupted users: this led us to call our construction weakly dynamic. The main idea of our scheme consists in building an offset collision of two syndromes associated to two different matrices: a random matrix, which enables a random syndrome to be built from a chosen small-weight vector; and a trapdoor matrix, which permits finding a small-weight preimage of that random syndrome to which a fixed syndrome has been added. These two small-weight vectors constitute the group member's secret signing key, knowledge of which is proved thanks to a variation of Stern's protocol.

Our contributions. In this work, we propose a generic construction for designing the first code-based group signature. In a concurrent and independent work, [19] proposed a group signature scheme based on coding assumptions, but only fitting the limited BMW model and with signature and public key sizes linear in the number of group members. Our security is based on a relaxation of the restrictive BSZ model with the properties of anonymity,
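As an added, toy-scale illustration of the offset-collision idea and of the Stern-style proof of knowledge of the resulting key (example code written for this page, not the paper's code, and not its parameters): H1 is a random parity-check matrix, and the trapdoor matrix H2 is taken to be the parity-check matrix of the [7,4] Hamming code, whose syndrome decoder is public and trivial, standing in for the CFS (Goppa) decoder that only the group manager holds. The member picks a small-weight e1, the manager decodes s1 + s_fixed to a small-weight e2, and the pair (e1, e2) satisfies H1 e1 + H2 e2 = s_fixed. The three-challenge round below is the textbook Stern protocol adapted to this two-matrix relation with a separate permutation per block; the paper's own variation, including the TwZK property, is not reproduced. The matrices, the fixed syndrome and the seed are constructed for the example.

```python
"""Toy offset-collision key generation over GF(2) plus one round of a
Stern-style proof of knowledge. Added example; not the paper's construction."""
import hashlib
import random

N = 7  # code length of the toy instance (assumption)

# --- GF(2) helpers on bit vectors (lists of 0/1) -----------------------------
def matvec(H, x):
    """Syndrome H*x over GF(2); H is a list of rows."""
    return [sum(h * xi for h, xi in zip(row, x)) % 2 for row in H]
def vadd(a, b):
    return [(u + v) % 2 for u, v in zip(a, b)]
def weight(x):
    return sum(x)
def permute(perm, x):
    return [x[perm[i]] for i in range(len(x))]
def random_matrix(rows, cols, rng):
    return [[rng.randrange(2) for _ in range(cols)] for _ in range(rows)]

# --- "trapdoor" matrix H2: parity-check matrix of the [7,4] Hamming code -------
# Column j is the binary expansion of j (row 0 = least significant bit), so every
# syndrome is the syndrome of a unique vector of weight <= 1: decoding is a lookup.
H2 = [[(j >> i) & 1 for j in range(1, N + 1)] for i in range(3)]

def decode_hamming(syndrome):
    """Unique vector of weight <= 1 whose H2-syndrome equals `syndrome`."""
    col = sum(bit << i for i, bit in enumerate(syndrome))
    e = [0] * N
    if col:
        e[col - 1] = 1
    return e

# --- offset collision: H1*e1 + H2*e2 = s_fixed --------------------------------
def join(H1, s_fixed, w1, rng):
    """Member picks e1 of weight w1 and sends s1 = H1*e1; the manager uses the
    trapdoor to find a small-weight e2 with H2*e2 = s1 + s_fixed."""
    e1 = [0] * N
    for pos in rng.sample(range(N), w1):
        e1[pos] = 1
    s1 = matvec(H1, e1)
    e2 = decode_hamming(vadd(s1, s_fixed))
    return e1, e2

def check_key(H1, s_fixed, e1, e2, w1):
    return (vadd(matvec(H1, e1), matvec(H2, e2)) == s_fixed
            and weight(e1) == w1 and weight(e2) <= 1)

# --- one round of a Stern-style proof of knowledge of (e1, e2) ----------------
def commit(*parts):
    h = hashlib.sha256()
    for p in parts:
        h.update(bytes(p) + b"|")
    return h.digest()

def stern_commit(H1, e1, e2, rng):
    y1 = [rng.randrange(2) for _ in range(N)]   # random masks
    y2 = [rng.randrange(2) for _ in range(N)]
    p1, p2 = list(range(N)), list(range(N))     # one permutation per block
    rng.shuffle(p1)
    rng.shuffle(p2)
    c0 = commit(p1, p2, vadd(matvec(H1, y1), matvec(H2, y2)))
    c1 = commit(permute(p1, y1), permute(p2, y2))
    c2 = commit(permute(p1, vadd(y1, e1)), permute(p2, vadd(y2, e2)))
    return (c0, c1, c2), (y1, y2, p1, p2)

def stern_respond(b, state, e1, e2):
    y1, y2, p1, p2 = state
    if b == 0:
        return y1, y2, p1, p2
    if b == 1:
        return vadd(y1, e1), vadd(y2, e2), p1, p2
    return permute(p1, y1), permute(p2, y2), permute(p1, e1), permute(p2, e2)

def stern_verify(H1, s_fixed, w1, w2, coms, b, resp):
    c0, c1, c2 = coms
    if b == 0:
        y1, y2, p1, p2 = resp
        return (c0 == commit(p1, p2, vadd(matvec(H1, y1), matvec(H2, y2)))
                and c1 == commit(permute(p1, y1), permute(p2, y2)))
    if b == 1:
        z1, z2, p1, p2 = resp
        # H1*z1 + H2*z2 = H1*y1 + H2*y2 + s_fixed, so cancel s_fixed first
        syn = vadd(vadd(matvec(H1, z1), matvec(H2, z2)), s_fixed)
        return (c0 == commit(p1, p2, syn)
                and c2 == commit(permute(p1, z1), permute(p2, z2)))
    q1, q2, f1, f2 = resp   # permuted masks and permuted key parts
    return (c1 == commit(q1, q2) and c2 == commit(vadd(q1, f1), vadd(q2, f2))
            and weight(f1) == w1 and weight(f2) == w2)

def demo(seed=7):
    """Honest key passes every challenge; a prover with no key fails b=1 and b=2."""
    rng = random.Random(seed)
    H1 = random_matrix(3, N, rng)   # public random matrix (constructed)
    s_fixed = [1, 0, 1]             # public fixed syndrome (constructed, nonzero)
    w1 = 2
    e1, e2 = join(H1, s_fixed, w1, rng)
    w2 = weight(e2)
    zero = [0] * N
    honest, forged = [], []
    for b in range(3):
        coms, st = stern_commit(H1, e1, e2, rng)
        honest.append(stern_verify(H1, s_fixed, w1, w2, coms, b, stern_respond(b, st, e1, e2)))
        coms, st = stern_commit(H1, zero, zero, rng)
        forged.append(stern_verify(H1, s_fixed, w1, w2, coms, b, stern_respond(b, st, zero, zero)))
    return check_key(H1, s_fixed, e1, e2, w1), honest, forged
```

`demo()` returns `(True, [True, True, True], [True, False, False])`: the keyless prover still passes challenge 0, which involves no secret, so a single round has soundness error 2/3 and a real signature repeats the round many times (and, in the Fiat-Shamir setting, derives the challenges from a hash of the commitments and the message). The Hamming "trapdoor" is public, so this toy offers no security at all; the point is only the algebra of the offset collision and which values each challenge exposes.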
doi:10.1007/s10623-016-0276-6 fatcat:dbp7brdbs5hslptj5suxv7765e