Forward Secure Efficient Group Signature in Dynamic Setting using Lattices

Transcription

1 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay Department of Mathematcs, Indan Insttute of Technology Kharagpur, Kharagpur , Inda {kansal,ratna,sourav}@maths.tkgp.ernet.n Abstract: Secret key exposure s at hgh rsk n the computng nfrastructure due to the ncrease n use of harmful devces. As a result, achevng forward secrecy s a preferable feature for any cryptosystem where the lfetme of a user s dvded nto dscrete tme perods. Forward secrecy preserves the securty of past perods even f the secret key s exposed. In ths work, we ntroduce the frst lattce based forward secure dynamc group sgnature scheme. The exstng forward secure group sgnature schemes are secure n the blnear settng, and becomes nsecure n the quantum computer perod. We employ a complete bnary tree whose leaves are assocated wth dscrete tme perods and label the nodes n a unque way that enables each node of the same depth to have dfferent Hammng weght. Ths helps the group manager to produce dstnct certfcates to dstnct users. Our scheme wthstands framng attack, ms-dentfcaton attack and preserves anonymty under the learnng wth errors (LWE) and short nteger soluton (SIS) assumptons. Keywords: Lattce based cryptography, Dynamc group sgnature, forward securty, anonymty, traceablty. 1 Introducton Group sgnature scheme enables any group member to produce a sgnature anonymously on behalf of the group and n case of msbehavor, the sgner can be traced out by a desgnated authorty, called the Openng Authorty (OA). Group sgnature has been ntroduced by Chaum and Heyst 16] n Snce then varous constructons of group sgnature have been proposed n classcal cryptography both n the random oracle model and standard model based on ether strong RSA or blnear map. Traceablty and anonymty are the securty attrbutes of any group sgnature. Traceablty ensures that only the group manager s able to determne whch member of the group ssued the legtmate sgnature whle anonymty 1

2 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 2 guarantees that no one other than the group manager should be able to determne any nformaton about the sgner. The confesson page on Facebook can be seen as an example of a group sgnature scheme. The confesson gven by ndvduals s anonymous and can be traced out only by the admnstrator. Group sgnature scheme can be broadly classfed nto two categores statc and dynamc. In statc group settng, all the sgnng keys of the members are fxed durng setup and hence the party handlng setup phase has a hgh degree trust whch s undesrable for practcal real lfe applcatons. To overcome ths problem, dynamc group settng has receved consderable attenton n the recent research communty whereby a member can jon the group at anytme and receves hs prvate sgnng key durng the jonng perod. Consequently, member denttes are not fxed at the ntal setup phase. Dynamc settng has two dfferent partes called group manager and openng authorty for ssung certfcates to users and to trace the sgnature respectvely. In case of statc settng, group manager acts as the openng authorty. The securty of statc group sgnatures was formalzed by Bellare et al. 7]. In 2004 Bellare, Sh, and Zhang 9] formally defned the dynamc case. Later, n 2010, Gordon et al. 20] presented the frst lattce based constructon of group sgnature scheme followed by a number of works based on lattces 14], 23], 24], 28], 31]]. Lattce based cryptography s a promsng tool even n quantum era as there s no quantum algorthm yet to solve hard problems from whch lattce based cryptosystems derve ther securty. Recently, n 2016, Lbert et al. 25] proposed the frst constructon of dynamc group sgnature based on lattces. Our contrbuton: We address the problem of desgnng effcent group sgnature scheme n dynamc settng from lattces featurng forward secrecy. Wth the ncreasng use of damagng tools n computng nfrastructure, there s hgh rsk n key exposure. Forward secrecy s acheved by parttonng the lfetme of a user nto dstnct and dscontnuous tme perods. It keeps the securty of past perods secure even when the secret key of the user s exposed. Introducng forward secrecy n a dynamc group sgnature scheme wthout blowng up the storage, communcaton and computaton overheads s a non-trval task. All the exstng works for group sgnature schemes wth forward secrecy are n blnear setup. There s no group sgnature based on lattces possessng forward secrecy so far to the best of our knowledge. In ths paper, we mprovse Lbert et al. 25] dynamc group sgnature scheme nto forward secure dynamc group sgnature scheme usng a complete bnary tree whose leaf nodes ndcate dscrete tme perods. We label each node of the tree n a sutable manner that enables nodes at the same depth to have dfferent Hammng weghts. When a user jons, t s ssued a certfcate for a tme perod by the group manager. We skllfully utlze the labelng of ths tree to generate dstnct matrces for dfferent users n ssung dstnct certfcates. Smlar to 25], we employ Gentry-Pekert-Vakuntanathan Identty based encrypton (GPV- IBE) 18] and zero knowledge argument of knowledge to generate sgnature. We provde a concrete securty analyss of our constructon aganst framng attack, ms-dentfcaton attack and anonymty attack followng the stronger noton of securty for forward secrecy specfed by Lbert et al. 26]. Our scheme acheves securty n the random oracle model under the hardness of learnng wth errors (LWE) problem and short nteger soluton (SIS) problem. We brefly summarze the comparson of our scheme wth the exstng lattce based group sgnature schemes 14], 20], 23], 25], 28] n Table 1 where N denotes the total number of group members and n s the securty parameter. More precsely, we note the

3 3 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces Scheme Forward secure Dynamc Sgnature sze Publc key sze Certfcate sze GKV 20] No No N Õ(n2 ) N Õ(n2 ) - CNR 14] No No N Õ(n2 ) N Õ(n2 ) - LLLS 23] No No log N Õ(n) log N Õ(n2 ) - LNW1 28] No No log N Õ(n) log N Õ(n2 ) - LNW2 28] No No log N Õ(n) log N Õ(n) - LLMNW 25] No Yes log N Õ(n) log N Õ(n2 ) log N O(n) Ours Yes Yes log N Õ(n3 ) log N Õ(n2 ) log N Õ(n2 ) Table 1: Comparatve summary of lattce based group sgnature schemes followng: () The certfcate sze n our constructon s Õ(n2 ) log N whle that of 25] s O(n) log N, where N s the total allowable group members and n s the securty parameter. However, publc key sze n our scheme s same as of 25]. () In contrast to 25], our scheme uses delegaton process whereby the certfcate once ssued at the ntal tme, gets updated by the group members themselves wthout any nteracton wth the group manager. () The schemes 14], 20], 23], 28] are all statc where sgnng keys of the members are fxed durng setup. Although the scheme 25] s dynamc and has the flexblty to ssue secret key at the jonng tme of a user, t does not acheve forward secrecy. On contrary, our scheme s the only forward secure group sgnature scheme n dynamc settng that derves ts securty from the hard problems based on lattces. Paper Organzaton: The rest of the paper s organzed as follows. Secton 2, provdes prelmnares and background materals. Syntax and securty model of dynamc forward secure group sgnature scheme are presented n Secton 3. Our scheme s descrbed n Secton 4. The underlyng zero knowledge argument of knowledge s ncluded n Secton 5 and securty of our scheme s dscussed n Secton 6 respectvely. Fnally, the paper s concluded n Secton 7. 2 Background and Assumptons Notatons: Throughout the paper, we use the followng notatons unless otherwse stated: - We use lower bold case letters for vectors and upper bold case letters for matrces. Wherever log s used we assume that base s 2. We refer by the concatenaton of strngs or matrx columns and by the concatenaton of matrces. - The Eucldean norm of the vector x = {x 1, x 2,..., x n } s denoted by x = (x x x 2 n) 1/2 and nfnty norm s denoted by x = max x. The Gram-Schmdt 1 n orthogonalzaton of matrx A s denoted by Ã. Transpose of a matrx A s denoted by A t.

4 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 4 - The notaton A represents that A s a matrx followng dstrbuton. A vector u Z m denotes a column vector of sze m 1 wth nteger entres. - A functon f(n) Õ(g(n)) ndcates f(n) O(g(n) logk g(n)), for some k N. We say that a functon f s neglgble n λ f f = λ ω(1). - Two dstrbutons X and Y, defned over a countable doman D, are sad to be statstcally closed f ther statstcal dfference, 1 P rx = α] P ry = α] s neglgble. 2 - Two problems are computatonally equvalent f one can be reduced to the other. In other words, both the problems are essentally as hard or as easy. - A vector v s sad to be a short vector f gven a bass B of an n-dmensonal lattce Λ(B), we have v γ(n)λ(λ), where γ s an approxmaton factor taken to be a functon of the lattce dmenson n and λ(λ) = mn v. v Λ(B) {0} Defnton 1. (Lattce). Let B = {b } n be a lnearly ndependent set of vectors of R n. A lattce generated by B s defned as Λ(B) = { c b : c Z}, the set of all nteger lnear b B combnatons of b B. The set B s sad to be a bass of the lattce Λ. For q N, matrx A Z n m q and vector u Z n q, we defne the followng three q-ary lattces generated by A: Λ q (A) = {x Z m : Ax = 0 mod q} Λ u q (A) = {x Z m : Ax = u mod q} Λ q (A) = {x Z m : A t s = x mod q, for some s Z n q }, where m, n are ntegers wth m n 1. Defnton 2. (Gaussan dstrbuton over a lattce). For a lattce Λ and a real number σ > 0, dscrete Gaussan dstrbuton over Λ centered at 0, denoted by D Λ,σ, s defned as: y Λ, D Λ,σ y] exp( π y 2 /σ 2 ), meanng that D Λ,σ y] s proportonal to exp( π y 2 /σ 2 ). Lemma 2.1. For any n-dmensonal lattce Λ, and for σ > 0, (a) P r b DΛ,σ b nσ] 1 2 Ω(n) 6], and (b) there exsts the followng probablstc polynomal tme (PPT) algorthms : () GPVSample(B, σ) (b Λ) 12]. On nput a bass B of a lattce Λ and a ratonal number σ B Ω( log n), ths algorthm outputs a vector b Λ wth dstrbuton D Λ,σ. Here B s the Gram-Schmdt orthogonalzaton of B. () SamplePre(A, T A, u, σ) (x Λ u q (A)) 18]. Ths algorthm takes as nput a matrx A Z n m q, a short bass T A of Λ q (A), a vector u whose premage s to be sampled and the standard devaton σ of the dstrbuton from whch the premage s to be sampled. The algorthm returns a short vector x Λ u q (A) sampled from a dstrbuton statstcally close to D Λ u q (A),σ whenever Λ u q (A) s non empty.e., x satsfes the relaton Ax = u mod q. α

5 5 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces () TrapGen(1 n, 1 m, q) (A, T A ) 4]. Takng 1 n, 1 m, q as nput, ths algorthm outputs a matrx A Z n m q and a bass T A of Λ q (A) such that A s wthn the statstcal dstance 2 Ω(n) to U(Z n m q ) and T A O( n log q). Here U(Z n m q ) s the unform dstrbuton of nteger matrces of order n m and T A s the Gram-Schmdt orthogonalzaton of T A. (v) ExtBass(A, Ā, T A) (T A Ā) 15]. Gven a matrx A whose columns span Z n q, a bass T A of Λ q (A) and an arbtrary matrx Ā, ths algorthm outputs a bass T A Ā of Λ q (A Ā) such that T A Ā = T A. (v) SampleRght(A, C, R, T C, σ, u) (b Z 2m ) 1]. On nput two matrces A, C Z n m q, a low norm matrx R Z m m, a short bass T C Z m m of Λ q (C), a vector u Z n q and a parameter σ T C Ω( log n), ths algorthm outputs a random vector b Z 2m satsfyng A AR + C]b = u mod q wth dstrbuton statstcally close to the Gaussan dstrbuton D Λ,σ where Λ denote the shfted lattce {x Z 2m : A AR + C]x = u mod q}. (v) BassDel(A, R, T A, σ) (B = AR 1, T B )2]. Ths algorthm takes as nput a matrx A Z n m q, a Z q -nvertble matrx R Z m m sampled from (D Z m,σ) m (dstrbuton on matrces n Z m m ), a bass T A of Λ q (A), and a real parameter σ > 0 and outputs a matrx B = AR 1 along wth a bass T B of Λ q (B). (v) SampleRwthBass(A) (R, T B )2]. On nput a matrx A, ths algorthm outputs a random Z q -nvertble low norm matrx R and a bass T B of Λ q (B) as follows: (1) TrapGen(1 n, 1 m, q) (B, T B ). (2) for = 1, 2,..., m do (a) SamplePre(B, T B, a, σ) (r Λ a q (B)).e., Br = a mod q. (b) Repeat step (a) untl r Z q s lnearly ndependent of r 1, r 2,..., r 1. (3) Form a matrx R Z m m wth sampled r s as R = (r 1, r 2,..., r m ). end do Thus BR = A mod q or B = AR 1 mod q. 2.1 Hardness Assumptons Defnton 3. (Inhomogeneous short nteger soluton (ISIS)3]). Gven an nteger q, a matrx A Z n m q, a vector u Z n q and a real number β, the ISIS problem s to fnd an nteger vector e Z m such that Ae = u mod q wth e β. Remark 1. If a bound on e s not gven, then the equaton Ae = u mod q s solvable n polynomal tme usng Gauss elmnaton. The ISIS problem s to fnd e of the equaton

6 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 6 Ae = u mod q wth e β whch s dffcult. However, f a short bass T A of Λ u q (A) s known then ISIS problem can be effcently solved. Defnton 4. (Short nteger soluton (SIS)3]). Gven an nteger q, a matrx A Z n m q, and a real number β, the SIS problem s to fnd an nteger vector e Z m such that Ae = 0 mod q wth e β. Defnton 5. (Learnng wth errors (LWE)32]). Let χ be a dstrbuton on Z, n 1 be any nteger and p 2 be any prme. For any s Z n p, gven arbtrarly many samples of the form (a, a, s + e) wth a unform n Z n p and e s sampled from χ, the search LWE problem s to fnd s and the decsonal LWE problem s to dstngush the dstrbuton of (a, a, s + e) from the unform dstrbuton U(Z n p Z p ). Here a, s = a t s. The search LWE and the decsonal LWE are computatonally equvalent 30]. 2.2 Node Select Algorthm 26] Nodes(t 1 + 1, t 2, G) (SubsetHN). Followng Lbert et al. 26], we descrbe ths procedure n Algorthm 1 whch on nput a tme nterval (t 1 + 1, t 2 ), a complete bnary tree G, returns a subset SubsetHN of hangng nodes n the gven tme nterval. Let the heght of the bnary tree G be l. Then the number of leaves n G s T = 2 l. The leaves of G denote the tme perod whch are bnary strngs. Each node n G s assgned a label n such a way that no two nodes at the same level have the same Hammng weght. One such assgnment of labels s shown n Fgure 1. 0 depth depth depth depth 3 Fgure 1: Node Labelng The root s at depth 0 and s assgned label 0. The two nodes at depth 1 are each assgned label of 2 bts, say, 00 and 01 wth dfferent Hammng weghts. The 4 = 2 2 nodes at depth

7 7 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces 2 requre = 3-bt each wth dfferent Hammng weghts and are assgned labels, say, 000, 001, 011, 111. Smlarly, all the 2 p nodes at depth p can be assgned (2 p 1)-bt labels wth dfferent Hammng weghts. For a node w, let w dep denotes ts depth and w num denotes ts assgned label. Note that w num s a bnary strng of length 2 w dep 1 where 0 wdep l. There are total T = 2 l tme perods {1, 2,..., T } and the perod t corresponds to the t-th node at depth l from left havng (2 l 1)-bt label denoted by wnum. t 1 Let Path(u) be the set of all nodes on the path from u to the root of the tree G. If a node w s a left or a rght chld of some node n Path(u) wth w / Path(u), then w s a hangng node wth respect to Path(u). For a node u at depth l, ts left and rght chld are denoted by u 0, u 1 respectvely. For nstance, let w t 1 1 num = , w t 2 num = then X 1 = {000, 00, 0} and X 2 = {111, 01, 0}. For all w X 1, SubsetHN = {001} and for all w X 2, SubsetHN = SubsetHN {011}. Hence the resultant ouput s SubsetHN= {001, 011}. Remark 2. Node Select algorthm outputs a subset of hangng nodes n such a way that the exactly one ancestor of each leaf between the tme perod t 1 and t 2 1 are beng selected. Algorthm 1: Nodes(t 1 + 1, t 2, G) Input : t 1 + 1, t 2, G Output: SubsetHN f(t > t 2 ) then return 0; else X 1, X 2, SubsetHN ; X 1 X 1 Path(w t 1 1 num ); X 2 X 2 Path(w t 2 num ); // w t 2 for(w X 1 ) do f(w 1 / X 1 X 2 ) then SubsetHN SubsetHN {w 1 } end f end do for(w X 2 ) do f(w 0 / X 1 X 2 ) then end f end do end f return SubsetHN; SubsetHN SubsetHN {w 0 } // w t 1 1 num s the labelng of the node at perod t 1 num s the labelng of the node at perod t // Here w 1 s the rght chld of w // Here w 0 s the left chld of w

8 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay GPV-IBE 18] The dentty based encrypton (IBE) by Gentry, Pekert and Vakuntanathan 18] s a 4-tuple GPV-IBE= (Setup, Extract, Enc, Dec) consstng of 3 PPT algorthms Setup, Extract, Enc and a determnstc algorthm Dec. GPV-IBE.Setup(1 n, 1 m, q) (MPK, MSK). A trusted thrd party, called a key generaton centre (KGC), runs ths PPT algorthm by executng TrapGen(1 n, 1 m, q) (A, T A ) descrbed n Lemma 1.1(b)() and generates a random matrx A Zq n m along wth a bass T A of Λ q (A) such that A s wthn the statstcal dstance 2 Ω(n) to U(Z n m q ) and T A O( n log q). The KGC also chooses a cryptographcally secure hash functon F : {0, 1} Z n r q for any nteger r 1. It sets the master publc key MPK=(A, F, m, n, q) and the master secret key MSK=T A. The KGC makes MPK publc and keeps MSK secret to tself. GPV-IBE.Extract(MPK, MSK, d) (sk d ). Ths PPT algorthm s run by the KGC. The user wth dentty d asks for ts secret to the KGC. If the dentty d {0, 1} has already been quered and (d, E) s n the local storage of the KGC for some E Z r m q then t returns E to the user. Otherwse, the KGC computes R = F(d) Z n r q and generates E SamplePre(A, T A, R, σ) by usng multverson of Lemma 1.1(b)(), where F, A are extracted from MPK and T A from MSK. Here σ s chosen by the KGC and E Z r m q s an element of the lattce Λ R q (A) wth a dstrbuton statstcally close to D Λ R q (A),σ. Consequently, E satsfes the equaton AE = R mod q. The KGC sends sk d = E through a secure channel to the user as ts secret key. GPV-IBE.Enc(MPK, d, b) (p, c). Ths PPT algorthm s executed by an encrptor to encrypt a bt strng b {0, 1} r usng MPK=(A, F, m, n, q). The encryptor wth dentty d {0, 1} samples s U(Z n q ), x χ m, y χ r, where χ s the LWE dstrbuton; computes p = A t s + x Z m q ; sets c = R t s + y + b q/2 Z r q where R = F(d); fnally, sends the cphertext (p,c) over a publc channel. GPV-IBE.Dec(sk d, (p, c)) (0 1). It s a determnstc algorthm run by the decryptor. The decryptor computes b = (b 1, b 2,..., b r) = c E t p Z r q, usng ts own secret key sk d =E Z r m q. For = 1, 2,..., r, t outputs b = 0 f b s closed to 0 mod q; otherwse returns b = 1. We have b = g t s + y + b q/2 e t (A t s + x) and also Ae = g mod q. So compute b = (y e t x) + b q/2 ; output 1 f b s close to q/2 than to 0 modulo q; otherwse output 0. Correctness: Let δ > 0 satsfyng Pr x χ m,y χ y e t x < q ] > 1 δ. Then the probablty 5 of decrypton error s atmost δ. Securty: Let q 5σ(m + 1), σ ω( log m) and m 2n log q. Then the GPV-IBE scheme s CPA-secure and anonymous, assumng that LWE q,χ s hard.

9 9 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces 2.4 Decomposton-Extenson Technque 27] Ths secton descrbes a procedure Ext for extendng and a procedure Dec-Ext for extendng as well as decomposng a vector followng Lng et al. 27]. Let m be an arbtrary dmenson and B be an nfnty norm bound. Let B 2 m = {x {0, 1} 2m : x has exactly m co-ordnates equal to j, for every j {0, 1}} and B 3 mp = {x { 1, 0, 1} 3mp : x has exactly mp co-ordnates equal to j, j { 1, 0, 1}} where p = log 2 B + 1. Let S 3mp be the set of permutatons of 3mp length vectors. Then for any π S 3mp, we have ŵ B 3 mp π(ŵ) B 3 mp. Ext m (w) (ŵ B 2 m) 25]. Ths algorthm takes an nput a vector w {0, 1} m wth λ 0, λ 1 respectvely the number of 0 s and number of 1 s n w. It selects a random vector w havng exactly (m λ 0 ) many 0 s and (m λ 1 ) many 1 s and outputs the extended vector ŵ = (w w) B 2 m. Then for any permutaton π : B 2 m B 2 m, we have ŵ B 2 m π(ŵ) B 2 m. Dec-Ext m,p (w) (ŵ B 3 mp) 25]. On nput w = (w 1, w 2,..., w m ), w B, B], 1 m,, ths algorthm works as follows: Frst, defne a fnte super-decreasng sequence {B j } p j=1 of ntegers by settng B 1 = B and B 2 j = B (B 1+B 2 + +B j 1 ) for 2 j p; 2 As {B j } s super-decreasng, for any v B, B], one can effcently compute v (1), v (2),..., v (p) { 1, 0, 1} such that p B j v (j) = v. Note that v (1), v (2),..., v (p) j=1 { 1, 0, 1} s a soluton of the subset sum problem wth weghts {B j } p j=1 and capacty v and s solvable n polynomal tme when the sequence {B j } p j=1 s super decreasng. Next, defne an m mp matrx K m,b as B 1 B 2... B p K m,b = I m B 1 B 2... B p ] = and set K m,b = K m,b 0 m 2mp ] Z m 3mp. B 1 B 2... B p... B 1 B 2... B p For the gven vector w = (w 1, w 2,..., w m ) t, one can effcently compute w (1), w (2),..., w (p) { 1, 0, 1} correspondng to each w B, B], 1 m, satsfyng p j=1 B j w (j) = w. Then K m,b w = w for the vector w = (w (1) 1,..., w (p) 1, w (1) 2,..., w (p) 2,..., w (1) m,..., w (p) m ) { 1, 0, 1} mp. Append a 2mp length vector w to w, followng the procedure Ext to obtan ŵ = (w w) B 3 mp. As the last 2mp columns of K m,b are all 0, the vector ŵ satsfes K m,b ŵ = K m,b w = w.

10 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 10 Example 1. Let B = 3 and m = 2. Consder the vector w = (w 1, w 2 ) t = ( 2, 1) t where w 1, w 2 B, B]. We generate the super-decreasng sequence {B j } p j=1 of ntegers where p = log B + 1 = 2 by settng B 1 = 3 = 2, B 2 2 = 3 B 1 = 1. 2 Now, w 1 = 2 = 2.w (1) w (2) 1 gves w (1) 1 = 1, w (2) 1 = 0. Smlarly, w 2 = 1 = 2.w (1) w (2) 2 gves w (1) 2 = 0, w (2) 2 = 1 Therefore, w = (w (1) 1, w (2) 1, w (1) 2, w (2) 2 ) = ( 1, 0, 0, 1) { 1, 0, 1} mp satsfes K m,b ] w = w, where K m,b = K 2,3 s an m mp matrx gven by K 2,3 = I 2 B 1, B 2 ] =. Next we set, ] K 2,3 = Note that the number of 1 s, 0 s, 1 s n w are respectvely λ 1 = 1, λ 0 = 2, λ 1 = 1. We append to w a vector w of length 2mp = = 8 havng mp λ 1 = 3 many 1 s, mp λ 0 = 2 many 0 s, mp λ 1 = 3 many 1 s followng the procedure Ext and obtan an extended vector ŵ = (w w) that satsfes K 2,3 ŵ = w. For nstance, we can choose w = (0, 1, 1, 1 1, 1, 1, 0) and hence ŵ = (w w) = ( 1, 0, 0, 1 0, 1, 1, 1 1, 1, 1, 0). Then K 2,3 ŵ = , 0, 0, 1, 0, 1, 1, 1, 1, 1, 1, 0] t = ( 2, 1) t = w ] 2.5 Zero Knowledge Argument Systems In ths secton, we descrbe zero knowledge argument of knowledge (ZKAoK) for the relaton Px = v gven n 25]. Here P s any matrx and v s a vector (or matrx), both publcly avalable and x s a secret vector (or matrx) wth some condtons to be proven n zeroknowledge. Utlzng permutaton, Stern desgned n 34] a protocol that proves the Hammng weght of a bnary vector x n zero-knowledge. Lng et al. 27] extended Stern s protocol to prove the possesson of any vector (or matrx) x, wth a bound on the norm of x usng procedure Dec-Ext descrbed n Secton 2.4. Let q 2 and D, L be two postve ntegers. We consder a subset VALID of all L-length strngs over { 1, 0, 1}. Let S be any fnte set of permutatons such that for any π S, we can assocate a permutaton T π of L elements satsfyng

11 11 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces x VALID T π (x) VALID If x VALID and π s unform n S then T π (x) s unform n VALID. } (1) A zero knowledge argument protocol should satsfy followng three propertes: Correctness: Honest prover wll convnce the verfer on provng a true statement. That s the probablty of verfer acceptng a true statement s 1. Soundness: A cheatng prover cannot convnce the verfer on provng a false statement. Thus the probablty of verfer acceptng a false statement s neglgble. In case of proof of knowledge, soundness s replaced by a stronger noton called Knowledge Extractor. For every cheatng prover there exsts an algorthm Knowledge Extractor whch extracts the wtness nvolved n the nteracton between the prover and the verfer. Zero knowledge: If the statement proven by the prover s true then the cheatng verfer learns only the fact that the statement s true. A ZKAoK for the relaton R = {(P, v) Z D L q Z D q, x VALID : Px = v mod q} s a 3-round protocol ZKAoK=(Commtment, Challenge, Response,Verfcaton) between a prover and a verfer, both havng access to P and v, and works as follows: 1. ZKAoK.Commtment(P, v, x) (COM = (C 1, C 2, C 3 )). The prover (a) samples randomness ρ 1, ρ 2, ρ 3 for generatng commtments and r U(Z L q ), π U(S) where S s a fnte set of permutaton. (b) computes the commtment, COM = (C 1, C 2, C 3 ) where C 1 = CMT 1 (π, Pr; ρ 1 ) uses randomness ρ 1, C 2 = CMT 2 (T π (r); ρ 2 ) uses randomness ρ 2, C 3 = CMT 3 (T π (x + r); ρ 3 ) uses randomness ρ 3 and CMT, = 1, 2, 3, s a statstcally hdng and computatonally bndng commtment scheme where the hdng property holds even aganst all-powerful recevers, whle the bndng property holds only for polynomally bounded senders. (c) sends COM to the verfer. 2. ZKAoK.Challenge(P, v) (Ch U({1, 2, 3})). The verfer sends a challenge Ch U({1, 2, 3}) to the prover. 3. ZKAoK.Response(Ch,ρ 1, ρ 2, ρ 3, π, T π, r, x) (RSP). The prover sends a response RSP computed as follows: (a) f Ch= 1, then the prover sets t x = T π (x), t r = T π (r) and RSP= (t x, t r, ρ 2, ρ 3 ). (b) f Ch= 2, then the prover sets π 2 = π, y = x + r and RSP= (π 2, y, ρ 1, ρ 3 ). (c) f Ch= 3, then the prover sets π 3 = π, r 3 = r and RSP= (π 3, r 3, ρ 1, ρ 2 ). Here ρ 1, ρ 2, ρ 3 are the randomness pcked by the prover n generatng the commtment CMT usng the procedure ZKAoK.Commtment. 4. ZKAoK.Verfcaton(P, v, RSP, COM, CMT 1, CMT 2, CMT 3 ) (VRF). On recevng the response RSP from the prover, the verfer proceeds as follows:

12 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 12 (a) f Ch= 1, then the verfer checks whether t x VALID and C 2 = CMT 2 (t r ; ρ 2 ), C 3 = CMT 3 (t x + t r ; ρ 3 ), where C 2, C 3 are extracted from COM and t x, t r, ρ 2, ρ 3 from RSP. (b) f Ch= 2, then the verfer checks whether C 1 = CMT 1 (π 2, Py v; ρ 1 ), C 3 = CMT 3 (T π2 (y); ρ 3 ), usng C 1, C 3 from COM and π 2, y, ρ 1, ρ 3 from RSP. (c) f Ch= 3, then the verfer checks whether C 1 = CMT 1 (π 3, Pr 3 ; ρ 1 ), C 2 = CMT 2 (T π3 (r 3 ); ρ 2 ), where C 1, C 2 are obtaned from COM and π 3, r 3, ρ 1, ρ 3 are from RSP. In each case, the verfer outputs VRF = 1 f the verfcaton succeeds, otherwse outputs VRF = 0. Remark 3. The above protocol s repeated s = ω(log n) tmes to acheve neglgble soundness error and can be made non-nteractve usng Fat-Shamr heurstc 17] as a trple Π = ({COM γ } s γ=1, Ch, {RSP} s γ=1) where Ch = H(M, {COM γ } s γ=1, aux) {1, 2, 3} s where H : {0, 1} {1, 2, 3} s s a hash functon and aux s some auxllary nformaton gven as nput. Theorem ] The protocol n Fgure 2 s a statstcal ZKAoK for the relaton R wth perfect completeness, soundness error 2/3, and the communcaton cost O(L log q). Theorem 2.3. (Improved Forkng Lemma)13] Let A be a probablstc polynomal tme (PPT) Turng machne called Attacker and a PPT smulator B. Let l, q be real numbers such that l q. If A can fnd a vald sgnature (M, σ, h) wth non-neglgble probablty 4 ɛ > 4 n less than Q q H number of hash queres where h = H((M, σ)) then wth non-neglgble constant probablty 1 replays of A and B wth dfferent random oracles, ɛ A wll output (l + 1) par wse dstnct vald sgnatures. 96 wth (1+24Q Hl log(2l)) 3 Dynamc Forward Secure Group Sgnature Scheme (FS-GS)26] 3.1 Syntax We descrbe below the syntax and noton of dynamc fully forward secure group sgnature (FS-GS) followng Kayas-Yung 22]. The concept of forward secure sgnature was demonstrated by Anderson n 5] and was characterzed formally by Bellare and Mner 8]. A FS-GS=(Setup, Jon, Update, Sgn, Verfy, Open) scheme s run among a group manager (GM), users (U ) and an openng authorty (OA) where FS-GS.Verfy and FS-GS.Open are determnstc algorthms whle FS-GS.Setup, FS-GS.Jon, FS-GS.Update, and FS-GS.Sgn are probablstc algorthms.

13 13 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces Fgure 2: Zero Knowledge Argument of Knowledge Prover (P, v) Verfer (P, v) Secret: x satsfyng Px = v Samples: Randomness ρ 1, ρ 2, ρ 3 for COM and r U(Z L q ), π U(S) Computes: C 1 = CMT 1 (π, Pr; ρ 1 ) C 2 = CMT 2 (T π (r); ρ 2 ) C 3 = CMT 3 (T π (x + r); ρ 3 ) COM = (C 1, C 2, C 3 ) CMT Ch U({1, 2, 3}) Ch f Ch = 1 then RSP = (t x = T π (x), t r = T π (r), ρ 2, ρ 3 ) f Ch = 2 then RSP = (π 2 = π, y = x + r, ρ 1, ρ 3 ) f Ch = 3 then RSP = (π 3 = π, r 3 = r, ρ 1, ρ 2 ) RSP f Ch = 1 then check whether t x VALID, C 2 = CMT 2 (t r ; ρ 2 ), C 3 = CMT 3 (t x + t r ; ρ 3 ) f Ch = 2 then check whether C 1 = CMT 1 (π 2, Py v; ρ 2 ), C 3 = CMT 3 (T π2 (y); ρ 3 ) f Ch = 3 then check whether C 1 = CMT 1 (π 3, Pr 3 ; ρ 1 ), C 2 = CMT 2 (T π3 (r 3 ); ρ 2 ) In each case, the verfer outputs VRF = 1 f the verfcaton succeeds, otherwse outputs VRF = 0.

14 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 14 () FS-GS.Setup(λ, T ) (Y, S GM, S OA, St). It s run by a trusted thrd party, called the key generaton center (KGC), the KGC gven a securty parameter λ N, maxmum allowable tme perod T, outputs the publc parameter Y, group manager s secret key S GM and openng authorty s prvate key S OA. Whle S GM, S OA are gven to the respectve authortes through secure channels, Y s publczed. The KGC also ntalzes a publc state, St=(St users, St trans ), consstng of a set data structure St users and a strng data structure St trans, ntally set as St users = and St trans = ɛ. () FS-GS.Jon (GM, U) (Y, T ) (cert,t1 t 2, sec,t1 t 2, St). It s an nteractve protocol between the GM and the user U who wants to be a group member. Ths protocol manages two Turng machnes J user and the J GM controlled respectvely by U and GM. These Turng machnes, on nput Y, T, generates a secret key sec,t1 t 2 and a certfcate cert,t1 t 2 n some tme nterval t 1, t 2 ] 1, T ] selected by the GM for each user U. Let J user (Y, T ), J GM (Y, t 1, t 2, T, S GM, St)] denotes the executon between U and GM after whch U receves ts certfcate cert,t1 t 2 generated by the GM through a secure communcaton channel. The secret key sec,t1 t 2 of U s generated by U. On successful completon of the protocol, the user U sets ts secret key sec,t1 t 2 and the GM updates the publc state St=(St users, St trans ) as St users = St users {} and St trans = St trans, t 1, t 2, transcrpt,. () FS-GS.Update(Y, t, t 2, sec,t t2, cert,t t2 ) (sec,t+1 t2, cert,t+1 t2 ). It s a randomzed algorthm executed by the user U. On nput of Y, t, t 2 ] 1, T ], a vald membershp certfcate cert,t t2 and correspondng membershp secret sec,t t2, ths algorthm allows U to obtan ts updated membershp certfcate cert,t+1 t2 and membershp secret sec,t+1 t2 for the subsequent tme perod t + 1. (v) FS-GS.Sgn (sec,t1 t 2, cert,t1 t 2, Y, M) (σ). Gven sec,t1 t 2, cert,t1 t 2, Y and the message M, the user U runs ths algorthm and outputs a sgnature σ on the message M. (v) FS-GS.Verfy(σ, t, M, Y) (1 0). The verfer, on recevng the message M, sgnature σ and a tme perod t, nvokes ths algorthm usng Y to check whether the produced sgnature σ s a vald sgnature on M or not durng the tme perod t. If σ s a vald sgnature, the verfer returns 1; otherwse outputs 0. (v) FS-GS.Open(σ, t, M, Y, S OA, St) ( ). The openng authorty OA wth ts secret key S OA along wth Y, t, σ, M and St runs ths algorthm and returns ether the dentty of the group member that has produced the sgnature σ on M durng the tme perod t or an openng falure. A state St s sad to be vald f t can be attaned from St=(, ɛ) by a Turng machne havng access to the oracle J GM. Every membershp certfcate ncludes a unque tag (dentty) specfc to user generated by the GM. As n Kayas-Yung 22], we use notaton, cert,t1 t 2 Y sec,t1 t 2 to ndcate that there exsts some con tosses ϖ for J GM run by the GM and J user run by the user U such that for some vald publc state St, the executon of J user (Y, T ), J GM (Y, t 1, t 2, T, S GM, St)](ϖ) ssues

15 15 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces, sec,t1 t 2, cert,t1 t 2 to J user (.e., to U ). Correctness: The correctness of FS-GS s as follows: (a) No two entres of St trans should share the same tag and St users = St trans. (b) If, sec,t1 t 2, cert,t1 t 2 s obtaned by J user (.e., U ) on honestly runnng J user (Y, T ), J GM (Y, t 1, t 2, T, S GM, St)], then cert,t1 t 2 Y sec,t1 t 2. Here Y, S GM, S OA, St are generated by executng FS-GS.Setup(λ, T ). (c) Let cert,t1 t 2 Y sec,t1 t 2 be as n (b) and, sec,t t2, cert,t t2 for t 1 t t 2 s obtaned by runnng FS-GS.Update(Y, k, t 2, sec,k t2, cert,k t2 ) (sec,k+1 t2, cert,k+1 t2 ), successvely for k = t 1, t 1 + 1,..., t 1. Then cert,t t2 Y sec,t t2 and FS-GS.Verfy(FS-GS.Sgn(sec,t1 t 2, cert,t t2, Y, M), t, M, Y) = 1. (d) For any, cert,t1 t 2, sec,t1 t 2 obtaned by U on executon of J user (Y, t 1, t 2, T ), J GM (Y, t 1, t 2, T, S GM, St)] for some vald state St, let, cert,t t2, sec,t t2 be derved by FS-GS.Update algorthm as n (c). Now f σ = FS-GS.Sgn(sec,t t2, cert,t t2, Y, M), then FS-GS.Open(σ, t, M, Y, S OA, St) =. 3.2 Securty Model Securty attrbutes of FS-GS scheme are formalzed by three experments () ms-dentfcaton attack () framng attack and () anonymty attack. An adversary A nvokes several oracles accessble n the attack games and nteracts wth a stateful nterface I that mantans the followng varables: State I : a data structure representng the state of the nterface I; U = St users : the number of currently nvolved members n the group; Sgs: a database of sgnatures generated by the sgnng oracle FS-GS.Sgn; U a : collecton of adversarally controlled users snce ther admsson; U b : collecton of honest users wth adversary as the dshonest group manager. The state of the nterface I s State I = (State pr, State pub ) where State pr = (cert,t1 t 2, S GM, S OA ) and State pub = (St users, St trans, Y, St corr ) where Y, S GM, S OA and St = (St users, St trans ) are generated by I on nvokng FS-GS.Setup(λ, T ) and St corr store pars of the form (, t) wth St users and t {1, 2,..., T } representng s corrupted (.e., U b ) at tme perod t. Each record stored n Sgs s of the form (, t, M, σ) ndcates the message M s sgned by U durng the perod t. The adversary has access to the transcrpt St trans of the FS-GS.Jon protocol but not to user s membershp secret for users n U b. The adversary A s gven access to the followng oracles whle mountng attacks.

16 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 16 Q pub, Q keygm, Q keyoa. When adversary A nvokes the oracles Q pub, Q keygm, Q keyoa, the nterface I wth State I returns Y, S GM, S OA respectvely to A by extractng them from State I. Q a jon. The adversary A can ntroduce users under ts control (users n U a ) by queryng the oracle Q a jon. On nput t 1, t 2 {1, 2,.., T }, the nterface I executes FS-GS.Jon actng as the GM that controls the Turng machne J GM and nteracts wth a malcous user U that controls the Turng machne J user. If the protocol s successful, then the nterface I ncrements U by 1, and updates St=(St users, St trans ) addng ndex of the malcous user U to both U a and St users, and updatng St trans as St trans = St trans, t 1, t 2, transcrpt. Q b jon. Ths query enables the adversary A to ntroduce honest users whle actng as the dshonest GM. The adversary A acts as the GM and handles the Turng machne J GM n executng algorthm FS-GS.Jon whle the Turng machne J user s controlled by an honest user U, who wants to be a member. If the protocol successfully termnates, then the nterface I ncrements U by 1, adds user ndex to both U b and St users, and updates St trans as St trans = St trans, t 1, t 2, transcrpt. The Interface I fnally stores the membershp certfcate cert,t1 t 2 n a prvate part of State I. Q sg (M,, t) (σ ). On queryng a tuple (M,, t) consstng of a message M, an ndex, and a tme perod t, the nterface I frst checks f State pr contans sec,t1 t 2, cert,t1 t 2 for some t 1, t 2 {1, 2,..., T } wth t 1 t t 2 and U U b. If so, I calls FS- GS.Update(Y, k, t 2, sec,k t2, cert,k t2 ) for k = t 1, t 1 +1,..., t to generate the par (cert,t t2, sec,t t2 ), returns a sgnature σ FS-GS.Sgn(sec,t t2, cert,t t2, Y, M) to A on behalf of user U for the perod t and updates Sgs=Sgs, t, M, σ. Otherwse, the nterface I returns to A. Q open (M, σ, t) ( ). Gven a vald tuple (M, σ, t) from the adversary, the nterface I runs the openng algorthm FS-GS.Open(σ, t, M, Y, S OA, St) ( ) wth the current state St=(St users, St trans ). Let S = {(M, σ, t) FS-GS.Verfy(σ, t, M, Y) = 1} and Q S open denotes a restrcted oracle that apples openng algorthm FS-GS.Open only for the vald tuples (M, σ, t) whch are not n S. Q read and Q wrte. These queres permt the adversary A to read and wrte the contents n State I = (State pr, State pub ). By Q read queres, the adversary A can read State I but cannot read State pr of State I where membershp secrets are stored after Q b jon queres. On the other hand, Q wrte query allows the adversary A to update State I by ntroducng users n U b wthout alterng, removng or reusng the already exstng certfcates. Q corrupt (, t) ((cert,t t2, sec,t t2 ) ). On recevng query (, t), where St users and t {1, 2,..., T } from A, the nterface I checks f U b and St trans has a record of the form, t 1, t 2, transcrpt for some t 1, t 2 {1, 2,..., T } wth t 1 t t 2. If not, returns. Else, I extracts cert,t1 t 2, sec,t1 t 2 from State pr and teratvely call algorthm FS-GS.Update(Y, k, t 2, sec,k t2, cert,k t2 ) for k = t 1, t 1 + 1,..., t 1 to generate cert,t t2 and sec,t t2 for t > t 1. It provdes all these nformaton to the adversary and stores (, t) n St corr. Once a user gets corrupted, t remans corrupted thereafter.

17 17 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces The securty aganst ms-dentfcaton, framng and anonymty attacks are formally descrbed below: 1. Ms-dentfcaton Attack: Ths attack s modeled by the experment Exp ms d A (λ, T) descrbed n Algorthm 2 between an adversary A and the nterface I. In ths attack, A gets the publc parameter Y by Q pub query and State pub by Q read query. Besdes, A has the power to manpulate the openng authorty gven access to S OA by queryng Q keyoa oracle. It can also launch new dshonest members n the group by makng Q a jon queres whereby St gets updated and A receves all the secret nformaton of the dshonest members. The am of the adversary A s to produce a vald sgnature σ on a message M durng the tme perod t that does not belong to any adversarally controlled member (.e., of U a ) endowed wth the ablty to sgn durng the perod t. Defnton 6. A FS-GS scheme over T perods s secure aganst ms-dentfcaton attack f Adv ms d A (λ, T ) = P rexp ms d A (λ, T ) = 1] negl(λ), where negl s a neglgble functon n λ. Algorthm 2: Exp ms d A (λ, T ) State I = (St, Y, S GM, S OA ) FS-GS.Setup(λ, T ); (M, t, σ ) A(Q pub, Q a jon, Q read, Q keyoa ); f (FS-GS.Verfy(σ, t, M, Y) = 0) then return 0; else = FS-GS.Open(σ, t, M, Y, S OA, St); f ( / U a ) then return 1; else f (, t 1, t 2, transcrpt St trans ] t 1 t t 2 ]) then return 0; else return 1; end f end f end f 2. Framng Attack: Ths attack game s formally descrbed by the experment Exp fra A (λ) n Algorthm 3 whch s played between an adversary A and the nterface I. The adversary A has gven the power to make the whole system ncludng the group manager and the openng authorty both colludes aganst some honest user. In ths attack, the adversary A s capable to access the secret keys of both the GM and the OA. Actng as a dshonest group manager, A can ntroduce honest members usng Q jon queres. At the same moment, A can corrupt the honest members of U b by nvokng Q corrupt queres. It also has the power to observe the system when user produce sgnatures wth Q sg queres, and can create dummy users wth Q wrte queres. The adversary s goal s to (a) ether frame an uncorrupted group member or (b) generate a sgnature that opens to some corrupt member for a perod proceedng the one where that member was not

18 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 18 a group member. Defnton 7. A FS-GS scheme over T perods s secure aganst framng attack f Adv fra A (λ) = P rexp fra A (λ) = 1] negl(λ), where negl s a neglgble functon n λ. Algorthm 3: Exp fra A (λ) State I = (St, Y, S GM, S OA ) FS-GS.Setup(λ, T); (M, t, σ ) A(Q pub, Q keygm, Q b jon, Q sg, Q corrupt, Q wrte, Q read, Q keyoa ); f (FS GS.Verfy(σ, t, M, Y) = 0) then return 0; else = FS-GS.Open(σ, t, M, Y, S OA, St); f(, t 1, t 2, transcrpt St trans such that (t 1 t t 2 )] (, t ) St corr such that t t ]) then return 0; else f( (j U b such that j=) (j, t, M, ) / Sgs) then return 1; else return 0; end f end f end f 3. Anonymty Attack: The formal noton of ths attack game s modeled by the experment Exp anon A (λ, T ) outlned n Algorthm 4 between an adversary A and the nterface I. It conssts of 2 stages. The frst stage s the play stage, where the adversary A s allowed to make Q wrte queres and has access to Q open oracle. At the end of ths stage, A chooses (M, t ) and two pars (sec 0,t t, cert 0 0,t t ), (sec 0 1,t t, cert 1 1,t t ), consstng of a 1 well formed membershp secret and a membershp certfcate for perods t, t b,2 ] for b {0, 1}, and auxlary nformaton aux. The nterface generates a sgnature σ usng (sec d,t t, cert d d,t t ) by flppng a far con d {0, 1}. The am of the adversary A s to output a guess d for the guess stage. Defnton 8. A FS-GS scheme s fully anonymous for any PPT adversary A, f Adv anon (A) := P rexp anon A (λ) = 1] 1/2 negl(λ), where negl s a neglgble functon n λ. 4 Descrpton of Our FSGS Scheme FSGS.Setup(λ, T ) (Y, S GM, S OA, St). Gven a securty parameter λ > 0 and maxmum allowable tme perod T = 2 l for some nteger l, the KGC chooses an nteger n of sze O(λ), a prme modulus q of sze Õ(ln3 ) such that T q and an nteger

19 19 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces Algorthm 4: Exp anon A (λ) ( State I = (St, Y, S GM, S OA ) FS-GS.Setup(λ, T); aux, M, t, (sec 0,t t, cert 0 0,t t ), (sec 0 1,t t, cert 1 1,t t )) 1 A(Play: Q pub, Q keygm, Q open, Q read, Q wrte ); f ( (cert b,t t b Y sec b,t t ) where b {0, 1}] cert b 0,t t = cert 0 1,t t ]) then 1 return 0; else d U{0, 1}; σ FS-GS.Sgn(sec d,t t, cert d d,t t, Y, M ); d d A(guess, σ, aux : Q pub, Q keygm, Q {(M,σ,t )} open, Q read, Q wrte ); f (d = d) then return 1; else return 0; end f end f µ wth µ log l. The system supports atmost N = 2 µ members. The KGC sets m = 2n log q, selects real numbers σ of sze Ω( n log q log n), β of sze σω(log m) and γ of sze nω(log n). Here O, Ω, ω are the standard asymptotc notatons and Õ s as defned n Secton 2. The KGC executes the followng steps to generate the publc key Y, and the prvate keys S OA of the openng authorty (OA) and S GM of the group manager (GM) respectvely and ntalzes the state St. () It chooses random matrces M 0, M 1, {A k } µ k=0, D U(Zn m q ), D 0, D 1 U(Z 2n 2m q ), F U(Z 4n 4m q ), and a vector u U(Z n q ). It also selects three quantum secure hash functons whch wll be modeled as random oracle n the securty analyss H : {0, 1} {1, 2, 3} s, H 0 : {0, 1} Zq n 2m and H 2 : {0, 1} I, where s s an nteger of sze ω(log n), I s a set of m m nvertble matrces over Z q wth columns havng low norm and also pcks a one tme sgnature OTS=(G, S, V), where G, S, V are the key generaton, sgnng and verfcaton algorthms respectvely. () The KGC runs the key generaton algorthm DSg.KeyGen of a dgtal sgnature scheme DSg=(KeyGen, Sgn, Verfy) and generates sgnng-verfcaton key par (usk], uvk]) for each user U, N]. We assume that uvk table s publc and anyone can access the genune copy of the verfcaton key of any user. () The KGC runs TrapGen(1 n, 1 m, q) (A, T A ) and TrapGen(1 n, 1 m, q) (B, T B ) as descrbed n Lemma 1.1(b)() n Secton 2 and outputs matrces A, B Z n m q wth short bases T A of Λ q (A) and T B of Λ q (B). The short bass T A s the secret key S GM of the GM utlzed to ssue certfcates to the new users whle T B s the master secret key S OA of the OA employed to trace the sgner. (v) Intalzes the publc state St = (St users, St trans ) = (, ε).

20 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 20 (v) The KGC publshes the group publc key Y = (M 0, M 1, A, {A k } µ k=0, B, D, D 0, D 1, F, u, OTS, DSg, H, H 0, H 2, β, γ, σ) and sends S OA = T B to the OA and S GM = T A to the GM through a secure communcaton channel. chooses λ, l, n, µ, q sets m, σ, β, γ, N, T chooses M 0, M 1, {A k } µ k=0, D, D 0, D 1, F, u selects H, H 0, OTS, DSg generates (A, T A ) TrapGen(1 n, 1 m, q) generates (B, T B ) TrapGen(1 n, 1 m, q) sets S GM = T A, S OA = T B sends S GM = T A to the GM and S OA = T B to the OA sets St = (St users, St trans ) = (, ε) publshes Y = (M 0, M 1, A, {A k } µ k=0, B, D, D 0, D 1, F, u, OTS, DSg, H, H 0, H 2 β, γ, σ) FSGS.Jon (Y, T ) (GM,U) (cert,t1 t 2, sec,t1 t 2, St). It s an nteractve protocol run between the GM and the user U. The GM and the user U runs the Turng machnes J GM and J user respectvely. On completon of the protocol, U receves ts membershp certfcate cert,t1 t 2 from the GM through a secure communcaton channel for the tme nterval t 1, t 2 ] and fxes ts secret key sec,t1 t 2 whle the GM updates the publc state St=(St users, St trans ) (ntally set to be (, ε) by the KGC) as follows. () The user U samples z (0) D Z 4m,σ meanng z (0) s an nteger column vector of length 4m chosen from dscrete Gaussan wth standard devaton σ. The user U computes v (0) = F z (0) mod q, sg = DSg.Sgn(usk], v (0) ) and sends (v (0), sg ) to the GM. () The GM runs DSg.Verfy(uvk], sg, v (0) ). If the verfcaton fals then the GM aborts. Otherwse, f v (0) s not prevously used by a regstered member, then the GM chooses a µ-bt dentty d = (d 1], d 2],..., d µ]) {0, 1} µ and a tme nterval t 1, t 2 ] 1, T ] for user U and uses the secret key S GM = T A to ssue a new certfcate to U as follows: The GM computes the matrx A d = A Ā] Zn 2m q, wth Ā = A 0 + d k]a k where A, {A k } µ k=0 are extracted from the publc key Y, and d k] ndcates the kth bt of the dentty d of user U. It runs ExtBass(A, Ā, T A) (T A Ā = T Ad ) as n Lemma 1.1(b)(v) of Secton 2 to generate a short bass T Ad of Λ q (A d ).

21 21 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces The GM samples a short vector s D Z 2m,σ. Note that by Lemma 1.1(a) n Secton 2, s 2mσ. As x x n x for any x R n, we have s σω(log m) = β. By usng the short bass T Ad of Λ q (A d ) as mentoned n Remark 1 n Secton 2, the GM computes a short vector d = d,1 d,2 ] t Z 2m wth d β, d,1, d,2 Z m, satsfyng A d d = u + D r mod q (2) where r = bn(d 0 bn(v (0) ) + D 1 s ) mod q (3) Here bn(v (0) ) stands for the bnary representaton of the vector v (0). Observe that D 1 s Z 2n 1 and D 0 bn(v (0) ) Zq 2n 1 as bn(v (0) ) s of length 4n log q = 2m. We also pont out that T Ad s computable only by the GM, as T A s known only to the GM and the µ-bt dentfer d for user U s selected by the GM tself. Thus, the GM can compute the short vector d wth d β. The GM then runs the algorthm Nodes(t 1 + 1, t 2, G) to dentfy the collecton of subset of hangng nodes SubsetHN as explaned n Secton 2.2 where G s the complete bnary tree of heght l wth T = 2 l leaves each ndcatng a tme perod. For each node w = (w num, w dep ) SubsetHN where w num {0, 1} s the label of the node w and w dep Z, 0 w dep l, s ts depth n the tree G of heght l, the GM does the followng: (a) computes the matrx A,w = A d Āw] wth Āw = M 0 + wt(w num )M 1 A 0 + α k A k ] where α 1 α 2...α µ = 0 µ δ bn(w dep ), α k {0, 1}, δ = len(bn(w dep )) denotes the length of bn(w dep ) and wt(w num ) represents the Hammng weght of w num ; Note that wt(w num ) and w dep helps to generate dfferent matrces A w for each w SubsetHN. By our choce of labelng, Hammng weghts are dfferent at the same level so n ths case w num ensures for dfferent matrces whereas w dep guarantees to get dfferent matrces each tme when Hammng weghts are same at dfferent depth. (b) executes ExtBass(A d, Āw, T Ad ) (T = T Ad Ā,w A w ) to generate a short bass T A,w of Λ q (A,w ); (c) samples short vector s (0),w D Z 2m,σ,.e., s (0),w 2mσ wth hgh probablty whereby s (0),w σω(log m) = β as guaranteed by Lemma 1.1(a).

22 Meenaksh Kansal, Ratna Dutta and Sourav Mukhopadhyay 22 (d) computes a short vector x (0),w satsfyng = x(0),w,1 x(0),w,2 x(0),w,3 ]t wth x (0),w β A,w x (0),w = u + D bn(d 0 bn(v (0) ) + D 1 s (0),w ) mod q (4) by usng the short bass T Aw of Λ q (A w ) as stated n Remark 1 of Secton 2 where x (0),w,1 Z2m and x (0),w,2, x(0),w,3 Zm. Note that the knowledge of T Ad s requred to compute T Aw and knowledge of T A s requred to compute T Ad usng the algorthm ExtBass. As the GM knows the short bass T A, t can generate a short vector x (0),w wth x(0),w β. The GM computes H 2 (d 0) = R (0), where R (0) s a Z q - nvertble matrx of sze m m whose columns have low norm, sets C (0) = A(R (0) ) 1, and runs the delegaton algorthm BassDel(A, R (0), T A, σ) (C (0), T (0) C ) as n Lemma 1.1(b)(v) n Secton 2 to generate a short bass T C (0) of Λ q (C (0) ). () The GM fnally ssues the membershp certfcate ( ) cert,t1 t 2 = d, d, s, {x (0),w, s(0),w } w SubsetHN Nodes(t 1 +1,t 2,G), C (0), T (0) C, t 1, t 2 ] to the user U through a secure communcaton channel. The GM updates the publc state St by storng n St users and transcrpt = (v (0),, uvk], sg, t 1, t 2 ]) n St trans. (v) The user U verfes d β, s β satsfyng Eq 2 and for all w SubsetHN Nodes(t 1 + 1, t 2, G), x (0),w β and s (0),w β satsfyng Eq 4. Also t checks C (0) = A(H 2 (d 0)) 1. If any of these verfcaton fals, then U aborts. Otherwse U sets ts secret key sec,t1 t 2 = z (0) and defnes cert,t1 t 2 as ts membershp certfcate correspondng to ts secret key sec,t1 t 2 = z (0) for the tme nterval t 1, t 2 ].

23 23 Forward Secure Effcent Group Sgnature n Dynamc Settng usng Lattces Fgure 3: Jon Algorthm User U (usk], T, Y) GM (T A, uvk], Y) Chooses: z (0) Computes: v (0) = F.z (0) mod q sg = DSg.Sgn(usk], v (0) ) ( v (0) ), sg, uvk] Runs: DSg.Verfy(usk],sg, v (0) ) f (verfcaton succeeds) then Selects: t 1, t 2 ] 1, T ] and d = d 1],..., d µ] {0, 1} µ Computes: A d = A Ā] Generates: T Ad ExtBass(A, Ā, T A) Selects: s Computes: d satsfyng Eq (2) usng T Ad Generates: SubsetHN Nodes(t 1 + 1, t 2, G) for (each w SubsetHN) do Computes: A,w = A d Āw], Generates: T Aw ExtBass(A d, Āw, T Ad ), Selects: {s (0),w }, Computes: {x (0),w } usng T A,w. end do Computes: R (0) and Sets: C (0) = A(R (0) ) 1 Generates: (C (0) ) BassDel(A, R (0), T A, σ), T (0) C Stores: cert,t1 t 2 = (d, d, s, {x (0),w, s(0), t 1, t 2 ]) T C (0),w } w SubsetHN, Stores: transcrpt = (v (0),, uvk], sg, t 1, t 2 ]) Sets: sec,t1 t 2 = z (0) cert,t1 t 2