Lattice-Based Group Signature with Message Recovery for Federal Learning

Abstract

Federal learning and privacy protection are inseparable. The participants in federated learning need to be the targets of privacy protection. On the other hand, federated learning can also be used as a tool for privacy attacks. Group signature is regarded as an effective tool for preserving user privacy. Additionally, message recovery is a useful cryptographic primitive that ensures message recovery during the verification phase. In federated learning, message recovery can reduce the transmission of parameters and help protect parameter privacy. In this paper, we propose a lattice-based group signature with message recovery (GS-MR). We then prove that the GS-MR scheme has full anonymity and traceability under the random oracle model, and we reduce anonymity and traceability to the hardness assumptions of ring learning with errors (RLWE) and ring short integer solution (RSIS), respectively. Furthermore, we conduct some experiments to evaluate the sizes of key and signature, and make a performance comparison between three lattice-based group signature schemes and the GS-MR scheme. The results show that the message–signature size of GS-MR is reduced by an average of 39.17% for less than 2000 members.

1. Introduction

Federated learning is a decentralized machine learning paradigm that enables collaborative model training without the need for centralized data aggregation. Multiple parties, such as devices or organizations, participate by computing model updates or gradients locally and exchanging them with a central server [1]. Due to its characteristics, federated learning has gained increasing attention, particularly in the fields of healthcare, finance, and the Internet of Things (IoT) [2,3,4]. However, in federated learning, the importance of protecting the privacy of participants cannot be overlooked [2]. Therefore, protecting sensitive information becomes a challenging task in the ever-evolving landscape of federated learning. Based on this premise, group signatures have emerged as an effective tool for protecting user privacy due to their anonymity and traceability properties.

Group signature, as a special type of digital signature [5], is a research hotspot in public key cryptography. In the group signature scheme, each member of the group is issued with a signing key, allowing them to generate signatures anonymously by using the signing key (anonymity); if there is an abuse of signature power by malicious group members, the group signature scheme has an entity called the group manager, which can break anonymity by deriving specific signatories from the signature. Due to the characteristics of group signature, it can be applied in federated learning to achieve anonymity preservation and parameter integrity, as well as to prevent dishonest participants from transmitting malicious data, etc.

However, in conventional group signatures, to ensure message integrity, signers must send the message along with the signature to the verifier. This poses a significant problem: during the process of verifying the correctness of the signature, the verifier needs to receive all the parameters of the message–signature pairs, with the message often taking up a significant portion. To address the above problem, Nyberg et al. [6] introduced the concept of message recovery: It enables the sender to avoid sending the signed message and to send only the signature, and it can recover the message while confirming the validity of the signature. This obviously decreases the quantity of information that needs to be transferred, which saves transmission bandwidth. Moreover, it is more convenient for both the sender and the receiver. The implementation of message recovery is considered as an encoding method [7,8], as it involves adding additional information to the signature to achieve message recoverability. Since then, Islam et al. [9] have proposed a signature scheme for message recovery with specified verifiers based on elliptic curves and bilinear pairs, and the scheme was proven to be secure under the stochastic prediction model. In 2020, Kazmirchuk et al. [10] proposed a provably secure elliptic curve-based digital signature authentication scheme with message recovery. Their scheme uses a hash token function instead of a hash function, allowing for reversed signature and verification procedures and message recovery from the signature r-component. In 2013, Tian et al. [11] first introduced the concept of message recovery to lattice-based cryptography. In 2023, Wu et al. [12] proposed an identity-based proxy signature scheme on the lattice, and it also worked with message recovery. The difference between traditional digital signatures and message recovery signatures is shown in Figure 1.

Nevertheless, to the best of our knowledge, the group signature schemes currently proposed do not possess the functionality of message recovery. This will directly result in group members having to send additional messages to the verifier. Therefore, constructing a group signature scheme with message recovery (GS-MR) will reduce the amount of data received by the verifier and provide greater transparency and application scalability to group privacy scenarios. Furthermore, in domains such as federated learning, the GS-MR scheme has significant advantages over traditional group signature schemes. For example, in federated learning, participants train the model locally and send the model parameter updates to a central server, which aggregates these parameter updates and distributes the aggregated model parameters to the participants. The GS-MR scheme can be used to verify the integrity of the model parameters transmitted by the central server and to recover the original model update information. This ensures that the model parameters are not tampered with during the transmission process and provides verifiability of the results to the participants. In addition, in certain scenarios, such as model analysis or debugging of model updates, federated learning may require the recovery of the original participant data without centralizing the raw data on the central server. The GS-MR scheme can facilitate the recovery of participants’ original data from the group signatures, eliminating the need for centralized data collection. This helps protect the privacy of subscriber data and reduces the need for data transmission.

With the continuous breakthroughs in the field of quantum computing, group signature schemes based on traditional number theory constructions are becoming insecure. In 1996, Ajtai [13] introduced the lattice as a cryptographic system with a special algebraic structure. In the post-quantum era, lattice-based cryptography has become a hot research topic in cryptography because of its high asymptotic efficiency, parallelizability, and simplicity of operation. In addition, probabilistic polynomial-time efficient methods for solving difficult problems on lattice do not yet exist under quantum computers [14]. Thanks to the multiple advantages of lattices, Gordon et al. [15] pioneered the construction of the first lattice-based group signature scheme. Gordon’s scheme has high theoretical value, but its signature length is too long to be of practical consequence. Ling et al. [16] proposed the first lattice-based constant-size group signature scheme at PKC 2018. They used the “restricted guessing” technique of Ducas and Micciancio’s signature scheme [17] and solved the problem of linear growth of the signature size, but the parameters of their scheme were set too large and there were soundness errors in NIZK proof in their scheme. In the subsequent research on lattice-based group signature constructions, numerous improved schemes have been proposed [18,19,20,21,22,23]. Furthermore, many lattice-based group signature schemes have been proven to be secure in the standard model, such as [24]. However, to the best of our knowledge, a lattice-based GS-MR scheme has not been proposed thus far. Therefore, we aim to construct a lattice-based GS-MR scheme to provide potential security assurance for federated learning scenarios in the quantum era.

Our Contribution

We constructed the first lattice-based GS-MR scheme from lattice assumption. In the GS-MR scheme, the message will be recovered in full while the signature is verified as being correct. Therefore, in the rest of this paper, we will use the verification parameter to represent the total size of the message–signature required for the verification phase. The specific contributions are as follows:

(1)

We construct a GS-MR based on the Abe-Okamoto signature scheme [25] (ASS) combined with the sign-hybrid-encrypt framework. In the key generation phase, we combine a ring version of Boyen’s signature scheme (BSS) with an algorithm for generating ring trapdoors to distribute private signing keys to the group members. In the signature generation phase, the member’s identity ID is first encrypted into cipher text using a double encryption algorithm with CCA-security [26] (LPR encryption scheme) to ensure the anonymity and traceability of the group member’s identity; The encrypted result is then used as part of the input to the LSS combined with the ASS to generate the final signature.

(2)

We prove that the GS-MR scheme satisfies correctness (with message recoverability), full anonymity, and traceability under the random oracle model (ROM). In addition, the anonymity of GS-MR relies on ring learning with errors assumption (RLWE), and the traceability of GS-MR relies on the short integer solution assumption (RSIS).

(3)

We have experimentally performed some simple evaluations of the proposed GS-MR scheme, which include a comparison of the key and verification parameters, respectively. Then, we compare three existing lattice-based group signature schemes [19,24,27] with the proposed GS-MR scheme and perform an exhaustive verification parameter size analysis. According to the results of the analysis, the proposed GS-MR scheme reduces the verification parameter size by an average of 39.17%.

The structure of this paper is as follows. In Section 2, we introduce the symbols, lattice, the RSIS and RLWE problems, and some algorithms. In Section 3, we introduce the definition and security model of the GS-MR scheme. Then, we introduce the proposed scheme in Section 4. The security analysis is shown in Section 5. Section 6 presents the efficiency analysis. The last section is a summary of the paper.

2. Preliminaries

2.1. Symbol Definition

The symbols that appear in this paper are described in Glossary.

2.2. Definition of the Lattice

Let $\mathit{A}=\{{\mathit{a}}_1,{\mathit{a}}_2,...,{\mathit{a}}_m|{\mathit{a}}_i\in {ℝ}_{}^n\}$ be a set of linearly independent column vectors; and the lattice composed of this set of vectors is defined as follows:

$$\Lambda (\mathit{A})=ℒ({\mathit{a}}_1,{\mathit{a}}_2,...,{\mathit{a}}_m)=\{\mathit{A}\mathit{x}|\mathit{x}\in {\mathbb{Z}}_{}^m\},$$

(1)

and $\mathit{A}$ is called the base of lattice $\Lambda (\mathit{A})$. Most cryptosystems are constructed using an integer lattice, i.e., ${\mathit{a}}_i\in {\mathbb{Z}}^n$. If $n=m$, then $\Lambda (\mathit{A})$ is said to be a full-rank lattice.

Definition 1.

Given matrix $\mathit{A}\in {\mathbb{Z}}_q^{n\times m}$ and $\mathit{u}\in {\mathbb{Z}}_q^n$, define the following two $q-module$ lattices:

$${\Lambda }_q^{\perp }(\mathit{A})=\{\mathit{x}\in {\mathbb{Z}}_{}^m:\mathit{A}\mathit{x}=\mathbf{0}\mathrm{mod}q\},$$

(2)

$${\Lambda }_q^{\mathit{u}}(\mathit{A})=\{\mathit{x}\in {\mathbb{Z}}_{}^m|\mathit{A}\mathit{x}=\mathit{u}\mathrm{mod}q\}.$$

(3)

2.3. Ring Variants of the Lattice and the Relevant Difficult Problems

Although lattice-based cryptographic constructions are resistant to quantum attacks, they have not been developed commercially until now because of their low computational efficiency. Due to the use of the expansion of a two-dimensional matrix as an operation, the complexity of the lattice operation is always $O\left(nm\log q\right)\approx O(n^2)$. To address this issue, we employed the lattice of ideals, a special algebraic system known as an ideal lattice, and applied SIS and LWE to polynomial ring settings.

Definition 2.

$RSI{S}_{n,m,q,\beta }$ problem. Given $\mathit{a}=(a_1,...,a_2)\in {ℛ}_q^{1\times m}$, the $RSI{S}_{n,m,q,\beta }$ is defined as follows: find $\mathit{x}=(x_1,...,x_m)\in {ℛ}_q^m$ satisfying $\mathit{a}\mathit{x}=\mathbf{0}\mathrm{mod}q$ and $||x|{|}_{\infty }\le \beta$. For $m>\log q/\log (2\beta )$, $\gamma =16\beta mn{\log }^{2}n$, and $q\ge \gamma \sqrt{n}/4\log n$, the $RSI{S}_{n,m,q,\beta }$ problem is as difficult as the $Ideal-SV{P}_{\gamma }$ problem [28].

Definition 3.

$RLW{E}_{n,m,q,\chi }$ problem. Define a vector $\mathit{s}\in {ℛ}_q$ and a distribution $\chi$ on $ℛ$. Given $e\leftarrow \chi$ and a randomly chosen $\mathit{A}\in {ℛ}_q$ to obtain $(\mathit{A},\mathit{A}\mathit{s}+\mathit{e})$, the $RLW{E}_{n,m,q,\chi }$ is defined as finding an $\mathit{s}\in {ℛ}_q$ from $(\mathit{A},\mathit{A}\mathit{s}+\mathit{e})$.$(\mathit{A},\mathit{A}\mathit{s}+\mathit{e})$ and $(\mathit{A},y)$ are indistinguishable, where $\mathit{A}\in {ℛ}_q$, and $y\leftarrow {ℛ}_q$. The $RLW{E}_{n,m,q,\chi }$ problem is at least as difficult as the $Ideal-SV{P}_{\gamma }$ problem [26].

2.4. Boyen’s Signature Algorithm and Its Ring Variants

The BSS [29] is a hybrid algorithm on the lattice. The parameters of BSS are as follows: given security parameter $\lambda$ and message length $\mathcal{l}$, let $q=ploy(n)$, $m\ge 2n\log q$, $\sigma =\Omega (\sqrt{\mathcal{l}n\log q})$ and $\beta =\sigma \omega (\sqrt{\log m})$. The BSS key generation algorithm is as follows:

(a)

The algorithm $TrapGen(n,m,q)$ [30] produces an $\mathit{A}$ and a trapdoor base ${\mathit{T}}_{\mathit{A}}$ of ${\Lambda }^{\perp }(\mathit{A})$, where $\mathit{A}$ is statistically close to uniform over ${\mathbb{Z}}_q^{n\times m}$ and $T_{\mathit{A}}\in {\mathbb{Z}}^{m\times m}$ is a short basis for ${\Lambda }^{\perp }(\mathit{A})=\{\mathit{x}\in {\mathbb{Z}}^m:\mathit{A}\cdot \mathit{x}=\mathbf{0}\mathrm{mod}q\}$.

(b)

Randomly chooses matrices ${\mathit{A}}_0,{\mathit{A}}_1....{\mathit{A}}_{\mathcal{l}}\in {\mathbb{Z}}_q^{n\times m}$ and vector $\mathit{u}\in {\mathbb{Z}}_q^n$.

(c)

Output the public key $PK=(\mathit{A},{\mathit{A}}_0,{\mathit{A}}_1....{\mathit{A}}_{\mathcal{l}},\mathit{u})$ and the signing key $sk={\mathit{T}}_{\mathit{A}}$.

The BSS signature algorithm is as follows: Upon the input of a fixed-length message $\mathit{d}=(d_1,....d_{\mathcal{l}})\in {\{0,1\}}^{\mathcal{l}}$, the signature algorithm first computes ${\mathit{A}}_{(\mathit{d})}=[\mathit{A}|{\mathit{A}}_0+{\displaystyle {\sum }_{i=1}^{\mathcal{l}}{d}_i{\mathit{A}}_i}]\in {\mathbb{Z}}_q^{n\times 2m}$; then, it runs the lattice base delegation algorithm $ExtBasis({\mathit{A}}_{(d)},T_{\mathit{A}})$ [31] to generate a short base ${\mathit{T}}_{(d)}$ of ${\Lambda }^{\perp }({\mathit{A}}_{(d)})$, and finally runs the preimage sample algorithm $Sample({\mathit{T}}_{(d)},{\mathit{A}}_{(d)},\mathit{u},\sigma )$ [30] to obtain a signature $\mathit{z}\in {\mathbb{Z}}^{2m}$, satisfying $||\mathit{z}|{|}_{\infty }\le \beta$ and ${\mathit{A}}_{(d)}\mathit{z}=\mathit{u}\mathrm{mod}q$.

By applying BSS to the polynomial ring setting [32] and setting the parameter $m$ to $m=\Omega (\log q)$, the signature size can be reduced from $\mathcal{l}O(n^2)$ to $\mathcal{l}O(n)$. The signing public key in the ring variant of BSS is $PK=(\mathit{a},{\mathit{a}}_0,....{\mathit{a}}_{\mathcal{l}},\mathit{u})\in {({ℛ}_q^m)}^{\mathcal{l}+2}\times {ℛ}_q$ and the signing key is $sk={\mathit{T}}_{\mathit{a}}\in {\mathbb{Z}}^{nm\times nm}$. The security of the ring variant of BSS is based on the difficulty of $R{\mathrm{SIS}}_{n,m,q,{\beta }^{}}$, which can be reduced to the hardness assumptions of $SV{P}_{\mathcal{l}\cdot \tilde{O}(n^2)}^{}$.

2.5. Gaussian Distribution and Rejection Sampling

Definition 4.

Given any $\sigma >0$ and vector $\mathit{c}\in {ℝ}_{}^m$, the Gaussian distribution centered on $\mathit{c}$ is defined as follows: $D_{\sigma ,\mathit{c}}^m=\exp (-\pi ||\mathit{x}-\mathit{c}|{|}^2/{\sigma }^2)/{\displaystyle \sum _{x\in \mathbb{Z}}{\rho }_{\sigma ,\mathit{c}}^m(x)}$. Gaussian distributions on ${ℝ}^m$ are abbreviated as $D_{\sigma }^m$ when $\mathit{c}=\mathbf{0}$. In the GS-MR scheme, $\mathit{x}\leftarrow D_{\sigma }^m$ is defined over ${ℛ}_q$, which means that every coefficient of $\mathit{x}$ obey distribution $D_{\sigma }^m$.

Lemma 1.

[33]. Given any $\sigma$ and a positive integer $m$, the following equations are satisfied:

(1)

$\mathrm{Pr}[\mathit{x}\leftarrow D_{\sigma }^m:||\mathit{x}||>2\sigma \sqrt{m}]<2^{-m/4}$.

(2)

$\mathrm{Pr}[\mathit{x}\leftarrow D_{\sigma }^1:||\mathit{x}||>\sigma k]<2^{-k^2/2}$

Lemma 2.

[34]. Rejection sampling algorithm. Let $V=\{\mathit{v}\in {\mathbb{Z}}^m:||\mathit{v}||<t\}$, $\sigma =\omega (t\sqrt{\log m})$, and $h:V\to ℝ$ and there exists a universal upper bound $M\in ℝ$. Then, the statistical distance between the output distributions of the following two algorithms is less than $2^{-\omega (\log m)}/M$.

2.6. Key Generation-Related Algorithms

Lemma 3.

[16]. Trapdoor generation algorithm $TrapGe{n}_{R_q}(n,m,q)$. On input parameters $n, m$ and a prime $q$, the algorithm outputs a polynomial vector $\mathit{a}\in {ℛ}_q^{1\times m}$, and a set of parametrically smaller bases ${\mathit{T}}_{\mathit{a}}\in {\mathbb{Z}}^{nm\times nm}$ on the lattice ${\Lambda }_q^{\perp }(Rot(\mathit{a}))$, where $Rot(\mathit{a})$ and ${\mathbb{Z}}^{n\times nm}$ are statistically close in distribution and satisfy $||{\mathit{T}}_{\mathit{a}}||\le O\left(\sqrt{n\log q}\right)$.

Lemma 4.

[35]. Lattice base delegation algorithm $BasisDel(\mathit{A},\mathit{R},{\mathit{T}}_{\mathit{A}},\sigma )$. On input $\mathit{A}\in {\mathbb{Z}}^{n\times m}$, a base ${\mathit{T}}_{\mathit{A}}$ of ${\Lambda }^{\perp }(\mathit{A})$, an invertible matrix $\mathit{R}\in {\mathbb{Z}}^{m\times m}$, and a standard deviation $\sigma \ge ||{\stackrel{\mathbf{~}}{\mathit{T}}}_{\mathit{A}}||\cdot ({\sigma }_R\sqrt{m}\cdot \omega ({\log }^{3/2}m))$, where ${\sigma }_R=\sqrt{n\log q}\omega (\sqrt{\log m})$, the algorithm outputs a base ${\mathit{T}}_{\mathit{B}}$ of ${\Lambda }^{\perp }(\mathit{B})$, where $\mathit{B}=\mathit{A}{\mathit{R}}^{-1}$, and $||{\stackrel{\mathbf{~}}{\mathit{T}}}_{\mathit{B}}||<\sigma /\omega (\sqrt{\log m})$.

Lemma 5.

[16]. Preimage sample algorithm $SamplePr{e}_{{ℛ}_q}(\mathit{a},{\mathit{T}}_{\mathit{a}},u,\sigma )$. On input $\mathit{a}\in {ℛ}_q^{1\times m}$ and a base ${\mathit{T}}_{\mathit{a}}$ of ${\Lambda }^{\perp }(Rot(\mathit{a}))$, a Gaussian parameter $\sigma$, and any polynomial vector $u\in ℛ$, there exists a algorithm $SamplePr{e}_{{ℛ}_q}(\mathit{a},{\mathit{T}}_{\mathit{a}},u,\sigma )$, which outputs a polynomial vector $\mathit{e}\in {ℛ}_{}^m$ satisfying $\mathit{a}\mathit{e}=u\mathrm{mod}q$.

3. Definition of GS-MR Scheme and Security Model

3.1. Definition

A GS-MR scheme contains four probabilistic polynomial time (PPT) algorithms:

(1)

$KeyGen(1^{\lambda },1^N):$ this takes the security parameter $\lambda$ and maximum group members $N$ as the inputs, and outputs the group public key $gpk$, group member’s signing key $gsk$, and group manager’s tracking key $gtk$.

(2)

$Sign(gpk,M,gs{k}_{\pi },{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N):$ this takes the group public key $gpk$, a message $M$, the signing key $gs{k}_{\pi }$, and a group member’s identity set ${\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N$ as the inputs, and outputs a signature $SIG$ of $M$ under $gs{k}_{\pi }$.

(3)

$Verify(gpk,SIG,{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N):$ this takes the public key $gpk$, a signature $SIG$, and a group member’s identity set ${\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N$ as the inputs, and outputs “Valid” and complete message $M$ if the signature $SIG$ is a valid signature on the message $M$, or “Invalid” otherwise.

(4)

$Open(gpk,SIG,gtk):$ this takes the group public key $gpk$, a signature $SIG$, and the tracking key $gtk$ as the inputs, outputs the member identity $\mathit{I}{\mathit{D}}_{\pi }$ of the signer if the signature $SIG$ is “Valid”, checked using $Verify$, or $\perp$ otherwise.

3.2. Security Model

In the GS-MR scheme, three properties are required: correctness, anonymity, and traceability. Correctness includes validation correctness, open correctness, and message recoverability, where validation correctness means that the group signature output by the signature algorithm can be successfully verified, recoverability means that the complete signed message can be recovered when the group signature is successfully verified, and open correctness denotes the ability to acquire the right signer’s identity from a valid signature. We will describe the strong anonymity of the GS-MR scheme through the CCA (Chosen Ciphertext Attack) security model, as detailed in Definition 5. We will describe the traceability of the GS-MR scheme using Definition 6. To describe the security model of GS-MR, the present paper leverages the security definitions for group signatures of varying strengths provided by Bellare et al. [36]. Through a corresponding game between a challenger $\mathcal{S}$ and an adversary $\mathcal{A}$, the anonymity and traceability guaranteed by the GS-MR scheme will be depicted.

We summarize three distinct query types that an adversary $\mathcal{A}$ can ask in the corresponding games, as well as the possible responses that the challenger $\mathcal{S}$ can give to those queries.

(a)

Corrupt query: $\mathcal{A}$ makes a corrupt query on a member’s index $i\in [N]$ and $\mathcal{S}$ returns a corresponding signing key $gs{k}_i$.

(b)

Signing query: $\mathcal{A}$ makes a signing query on an index $i$ and a message $M$, and $\mathcal{S}$ runs the algorithm $Sign(gpk,M,gs{k}_i)\to \mathrm{SIG}$, and returns the signature $SIG$ to $\mathcal{A}$.

(c)

Opening query: $\mathcal{A}$ makes an opening query on a signature $SIG$, and $\mathcal{S}$ calls the algorithm $Open(gpk,SIG,gtk)$ to output a member identity $\mathit{I}{\mathit{D}}_i$, and returns the member’s identity $\mathit{I}{\mathit{D}}_i$ to $\mathcal{A}$; otherwise, it returns to $\perp$.

Definition 5.

(Full Anonymity) The property of anonymity in the GS-MR scheme implies that signatures produced by any two distinct signers are computationally indistinguishable. The GS-MR scheme meets full anonymity if for any PPT adversary $\mathcal{A}$, $\mathcal{A}$’s advantage in GAME I in Figure 2 can be negligible.

Definition 6.

(Traceability) The property of traceability in the GS-MR scheme implies that the advantage of generating a non-openable signature or blaming for other members is negligible. The GS-MR scheme meets traceability if for any PPT adversary $\mathcal{A}$, $\mathcal{A}$’s advantage in GAME II in Figure 2 can be negligible.

4. Scheme Construction

In the proposed GS-MR scheme, each group member has a fixed length of identity information $\mathit{I}\mathit{D}=(d_1,d_2,...,d_l)\in {\{0,1\}}^l$. The parameters of GS-MR are as follows: Let $\lambda$ be the security parameter, and $N$ be the maximum group members. Specifically, let Gaussian parameters ${\sigma }_1=poly(n)$ and ${\sigma }_2=nm\omega ({\log }^{2}m)\log q$ and modulus $q\ge \beta \omega (n\log n)$ be prime, where $\beta =ploy(n)$ and $m>\log q/\log (2{\sigma }_1\sqrt{2n})$. The noise boundary of $RLW{E}_{n,m,q,\chi }$ is set to an integer $b$ and satisfies $b=\tilde{O}(n^{5/4})$ and $q/b=\mathcal{l}\tilde{O}(n)$. Choose four hash functions: $H_1:{\mathbb{Z}}_q^n\to {\{0,1\}}^{l_1+l_2}$,$H_2:{\{0,1\}}^{*}\to \{\mathit{v}\in {\{-1,0,1\}}^m,||\mathit{v}||\le t\}$, $F_1:{\{0,1\}}^{l_2}\to {\{0,1\}}^{l_1}$ and $F_2:{\{0,1\}}^{l_1}\to {\{0,1\}}^{l_2}$ to be modeled as random oracles.

The GS-MR scheme we proposed is as follows:

$KeyGen(1^{\lambda },1^N):$ given $\lambda$ and $N$, the group manager performs Algorithm 1.

Algorithm 1:$KeyGen(1^n,1^N)$

1: $(\mathit{a}\mathbf{,}{\mathit{T}}_{\mathit{a}})\leftarrow TrapGe{n}_{{ℛ}_q}(n,m,q)$

2: $\mathrm{Randomly} \mathrm{choose} {\mathit{a}}_0,{\mathit{a}}_1....{\mathit{a}}_l\leftarrow {ℛ}_q^{m\times m}$

3: $\mathbf{for} \mathbf{all} 1\le i\le N$ do

4:  ${\mathit{D}}_{\mathit{i}}=\mathit{a}\cdot {({\displaystyle {\sum }_{j=1}^l{d}_j{\mathit{a}}_j})}^{-1}$

5:  ${\mathit{T}}_{{\mathit{D}}_{\mathit{i}}}\leftarrow BasisDel(Rot(\mathit{a}),{\displaystyle {\sum }_{j=1}^{l}Rot({\mathit{a}}_{\mathit{j}})d_j},{\mathit{T}}_{\mathit{a}},{\sigma }_2)$

6:  ${\mathit{e}}_{\mathit{i}}\leftarrow SamplePr{e}_{{ℛ}_q}({\mathit{D}}_{\mathit{i}},{\mathit{T}}_{{\mathit{D}}_{\mathit{i}}},u,{\sigma }_2)$, such that ${\mathit{D}}_{\mathit{i}}{\mathit{e}}_{\mathit{i}}=u\mathrm{mod}q$

7:  ${\mathrm{gsk}}_i={\mathit{e}}_{\mathit{i}}$

8: $\mathbf{end} \mathbf{for}$

9: $\mathrm{Randomly} \mathrm{choose} u\leftarrow ℛ$, $f\leftarrow {ℛ}_q^{}$, $s\leftarrow \chi$, $e\leftarrow \chi$

10: $\mathrm{Calculate} g=(f\otimes s+e)\mathrm{mod}q$

11: $\mathbf{Out}\mathbf{put}: gpk=[\mathit{a},{\mathit{a}}_0,{\mathit{a}}_1...{\mathit{a}}_l,u,f,g]$, $gtk=s$, $gsk={\left\{{\mathit{e}}_i\right\}}_{i=1}^N$

$Sign(gpk,M,gs{k}_{\pi },{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N):$ given $gpk$, message $M\in {\{0,1\}}^{l_2}$, signing key $gs{k}_i={\mathit{e}}_i$ and a group member’s identity set ${\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N$, the signer runs Algorithm 2.

Algorithm 2:$Sign(gpk,M,gs{k}_{\pi },{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N)$

1: $\mathbf{for} \mathbf{all} 1\le i\le N$ do

2:  ${\mathit{y}}_i\leftarrow D_{{\sigma }_1}^m$

3:  $\mathrm{Calculate} {\mathit{D}}_i=\mathit{a}\cdot {({\displaystyle {\sum }_{j=1}^l{d}_j{\mathit{a}}_j})}^{-1}$

4: $\mathbf{end} \mathbf{for}$

5: $\mathrm{Calculate} \alpha =H({\displaystyle {\sum }_{j=1}^N{\mathit{D}}_j{\mathit{y}}_j})$

6: $\mathrm{Calculate} M^{\prime }=F_1(M)||(F_2(F_1(M))\oplus M)$

7: $\mathrm{Calculate} r=M^{\prime }\oplus \alpha$

8: $\mathrm{Expend} \mathit{I}{\mathit{D}}_{\pi }$ to $\stackrel{-}{\mathit{I}{\mathit{D}}_{\pi }}=(0^{n-l}||\mathit{I}\mathit{D})\in {\{0,1\}}^n$

9: $I{D}_{\pi }^{\prime }={\tau }^{-1}(\stackrel{-}{\mathit{I}{\mathit{D}}_{\pi }})\in ℛ$

10: $\mathrm{Randomly} \mathrm{choose} w\leftarrow \chi ,e_1,e_2\leftarrow \chi$

11: $\mathrm{Calculate} (c_1=f\otimes w+e_1,c_2=g\otimes w+e_2+[q/2]I{D}_i^{\prime })\in {ℛ}_q^2$

12: $\mathit{v}=H_2(r,c_1,c_2)$

13: $\mathbf{for} \mathbf{all} 1\le i\le N$ do

14:  if $i\ne \pi$, then ${\mathit{z}}_i={\mathit{y}}_i$

15:  else calculate ${\mathit{z}}_i={\mathit{e}}_i\mathit{v}+{\mathit{y}}_i$, and outputs $({\mathit{z}}_i,r)$ with probability $\min (1,D_{{\sigma }_1}^m({\mathit{z}}_i)/M{D}_{e_i{v}_{,{\sigma }_1}}^m({\mathit{z}}_i))$.

16: $\mathbf{end} \mathbf{for}$

17: $\Pi ={\left\{{\mathit{z}}_i\right\}}_{i=1}^N$

18: Output: $SIG=\left(\Pi ,(c_1,c_2),r\right)$

$Verify(gpk,SIG,{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N):$ given $gpk$, signature $SIG$ and identity set ${\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N$, the verifier performs Algorithm 3.

Algorithm 3: $Verify(gpk,SIG,{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N)$

1: $\mathrm{Parse} \Pi =({\mathit{z}}_1,{\mathit{z}}_2,....,{\mathit{z}}_N)$

2: $\mathbf{for} \mathbf{all} 1\le i\le N$ do

3:  $\mathrm{Calculate} {\mathit{D}}_{\mathit{i}}=\mathit{a}\cdot {({\displaystyle {\sum }_{j=1}^l{d}_j{\mathit{a}}_j})}^{-1}$

4: $\mathbf{end} \mathbf{for}$

5: $\mathrm{Calculate} \alpha =H_1({\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{z}}_i-u{H}_2(r,{\mathit{c}}_1,{\mathit{c}}_2)})$

6: $\mathrm{Set} M^{\prime }=\alpha \oplus r$

7: $\mathrm{Set} M=|M^{\prime }{|}_{l2}\oplus F_2(|M^{\prime }{|}^{l1})$

8: $\mathbf{if} F_1(M)=|M^{\prime }{|}^{l_1} \mathrm{and} ||\mathit{z}||\le 2\sigma \sqrt{m} \mathbf{then}$

9:  $\mathbf{return} “\mathrm{Valid}”$

10: $\mathbf{else}$

11:  $\mathbf{return} “\mathrm{Invalid}”$

12: $\mathbf{end} \mathbf{if}$

$Open(gpk,SIG,gtk):$ given $gpk$, signature $SIG$, and tracking key $gtk$, the group manager performs Algorithm 4.

Algorithm 4: $Open(gpk,SIG,gtk)$

1: $I{D}^{*}=(d_i^{*})=c_2-c_{1}s \mathrm{where} i=1,....,n$

2: $\mathbf{for} \mathbf{all} i \mathrm{such} \mathrm{that} 1\le i\le n$ do

3:  $\mathbf{if} d_i^{*}\approx ⌊q/2⌋ \mathbf{then}$

4:    $d_i^{\prime }=1$

5:  $\mathbf{else}$

6:    $d_i^{\prime }=0$

7: $\mathbf{end} \mathbf{for}$

8: $I{D}^{\prime }=(d_1^{\prime },d_2^{\prime },....,d_n^{\prime })$

9: $\stackrel{-}{\mathit{I}{\mathit{D}}_{\pi }}=\tau (I{D}^{\prime })={({\overline{d}}_0,{\overline{d}}_1,....,{\overline{d}}_{n-1})}^T\in {\mathbb{Z}}_q^n$

10: $\mathbf{if} \stackrel{-}{\mathit{I}{\mathit{D}}_{\pi }} \mathrm{satisfy} \mathrm{format} (0^{n-l}||\mathit{I}\mathit{D}) \mathbf{then}$

11:  $\mathbf{return} \mathit{I}\mathit{D}$

12: $\mathbf{else}$

13:  $\mathbf{return}\perp$

5. Security Analysis

We prove that the proposed GS-MR scheme satisfies correctness (validation correctness, message recoverability, and open correctness), full anonymity, and traceability.

Theorem 1 (correctness).

The GS-MR scheme is correct.

Proof of Theorem 1.

(1)

Verification correctness and message recoverability.

Given a legal and valid signature, the following equation holds:

$$\begin{array}{ll}{\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i}{\mathit{z}}_i-u{H}_2(r,c_1,c_2)& ={\displaystyle \sum _{i\in [N]\backslash \left\{\pi \right\}}{\mathit{D}}_i{\mathit{y}}_i+{\mathit{D}}_{\pi }{\mathit{z}}_{\pi }-u{H}_2(r,c_1,c_2)},\\ & ={\displaystyle \sum _{i\in [N]\backslash \left\{\pi \right\}}{\mathit{D}}_i{\mathit{y}}_i+{\mathit{D}}_{\pi }({\mathit{e}}_{\pi }\mathit{v}+{\mathit{y}}_{\pi })-u{H}_2(r,c_1,c_2),}\\ & ={\displaystyle \sum _{i=1}^N{\mathit{D}}_i{\mathit{y}}_i+u}\mathit{v}-u{H}_2(r,c_1,c_2),\\ & ={\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{y}}_i}.\end{array}$$

(4)

Then, we have

$$M^{\prime }=H_1({\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{y}}_i})\oplus r=H_1({\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{z}}_i-u{H}_2(r,c_1,c_2)})\oplus r,$$

(5)

and since

$$M^{\prime }=F_1(M)||(F_2(F_1(M))\oplus M),$$

(6)

we can recover the message

$$M={[M^{\prime }]}_{l_2}\oplus F_2({[M^{\prime }]}^{l_1})$$

(7)

From it, and the message $M$ must satisfy $F_1(M)={[M^{\prime }]}^{l_1}$. On the other hand, when $i\ne \pi$ and ${\mathit{z}}_i={\mathit{y}}_i$, where ${\mathit{y}}_i\leftarrow D_{{\sigma }_1}^m$, according to Lemma 1, $||{\mathit{z}}_i||\in {[N]}_{/\left\{\pi \right\}}$ satisfies $||{\mathit{z}}_i||\le 2\sigma \sqrt{m}$ with overwhelming probability; when $i=\mathit{\pi }$, we have ${\mathit{z}}_i={\mathit{e}}_i\mathit{v}+{\mathit{y}}_i$, and where ${\mathit{y}}_i\leftarrow D_{{\sigma }_1}^m$, according to Lemma 2, ${\mathit{z}}_i$ is statistically indistinguishable from Gaussian distribution $D_{{\sigma }_1}^m$. Therefore, for all ${\mathit{z}}_i$, $||{\mathit{z}}_i||\le 2\sigma \sqrt{m}$ is established with overwhelming probability.

(2)

Opening correctness

The correctness of opening depends on the accuracy of the underlying LPR encryption, and the parameter settings described in Section 4. of this paper meet the correctness requirements of the encryption scheme, assuming that $SIG=\left(\Pi ,(c_1,c_2),r\right)$ is a signature generated by an honest member $i$ through the algorithm $Sign(gpk,M,gs{k}_i,{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N).$ Regarding the validity of the open algorithm, we show that

$$\begin{array}{ll}{c}_2-c_{1}s& =g\otimes w+e_2+⌊q/2⌋I{D}_i^{\prime }-(f\otimes w+e_1)\otimes s\\ & =(f\otimes s+e)\otimes w+e_2+⌊q/2⌋I{D}_i^{\prime }-(f\otimes w+e_1)\otimes s\\ & =ew+e_2-e_{1}s+⌊q/2⌋I{D}_i^{\prime },\end{array}$$

(8)

where $||w|{|}_{\infty },||e_1|{|}_{\infty },||e_2|{|}_{\infty }\le b$. Note that $b=\tilde{O}(n^{5/4})$ and $q/b=\mathcal{l}\tilde{O}(n)$, it can therefore be concluded that $||ew+e_2-e_{1}s|{|}_{\infty }\le 2n·b^2+b=\tilde{O}(n^{3.5})\ll [q/10]$. Next, we determine the value of the $\mathit{I}\mathit{D}$ based on the value of each component of $c_2-c_1$. The algorithm $Open(gpk,SIG,gtk)$ then recovereds the $\mathit{I}\mathit{D}$ with a probability of 1. □

Theorem 2 (full anonymity).

The GS-MR scheme meets full anonymity under ROM if the $RLW{E}_{n,m,q,\chi }$ problem is hard.

Proof of Theorem 2.

Let $\mathcal{A}$ be any PPT adversary in Definition 1; the following proves that the GS-MR scheme satisfies the anonymity requirement by showing that the four games $G_0, G_0^{\prime }, G_1, G_1^{\prime }$ are indistinguishable.

$G_0:$$G_0$ is denoted as the experiment with $b=0$ in GAME I. First, the system is set up, and the challenger $\mathcal{S}$ calls the algorithm $KeyGen(1^n,1^N)$ to generate $gpk$, $gtk$, and $gsk={\left\{{\mathit{e}}_i\right\}}_{i=1}^N$. Then, $\mathcal{S}$ sends $gpk$ and $gsk={\left\{{\mathit{e}}_i\right\}}_{i=1}^N$ to $\mathcal{A}$. $\mathcal{A}$ is permitted to make the following adaptive queries:

(a)

Signing query: $\mathcal{A}$ makes a signing query on an index $i$ and a message $M$, and then $\mathcal{S}$ returns the signature $SIG=\left(\Pi ,(c_1,c_2),r\right)$ to $\mathcal{A}$.

(b)

Opening query: $\mathcal{A}$ makes an opening query on a signature $SIG$, $\mathcal{S}$ calls the algorithm $Open(gpk,SIG,gtk)$ to output a member identity $\mathit{I}{\mathit{D}}_i$, and returns the member’s identity $\mathit{I}{\mathit{D}}_i$ to $\mathcal{A}$; otherwise, it returns to $\perp$.

$\mathcal{A}$ selects two indexes $i_0,i_1\in [N]$ with $i_0\ne i_1$ and a message $M$, and sends them to $\mathcal{S}$. Then, $\mathcal{S}$ calls the signature algorithm $Sign(PK,M,gs{k}_{i_0},{\left\{I{D}_i\right\}}_{i=1}^N)$ and sends the signature $SIG=(\Pi ,(c_1,c_2),r)$ to $\mathcal{A}$.

$G_0^{\prime }:$$G_0^{\prime }$ was modified from $G_0$ When calling the algorithm $Sign(gpk,M,gs{k}_{i_0},{\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N)$ to generate a signature, calculate ${\mathit{z}}_{i_0}={\mathit{e}}_{i_0}\mathit{v}+{\mathit{y}}_{i_0}$ and ${\mathit{z}}_{i_1}={\mathit{e}}_{i_1}\mathit{v}+{\mathit{y}}_{i_1}$ in addition to the remaining steps in the signature generation process (calculate the values of $j\notin \{i_0,i_1\}$ and ${\mathit{z}}_j$ according to the scheme described above).

$G_1:$$G_1$ is identical to $G_0$ with the exception that $\mathcal{S}$ chooses $b=1$ rather than $b=0$.

$G_1^{\prime }:$$G_1^{\prime }$ is identical to $G_0^{\prime }$. □

Lemma 6.

$G_0$ and $G_0^{\prime }$ are computationally indistinguishable.

Proof of Lemma 6.

In the $G_0$ and $G_0^{\prime }$ games, the difference in signatures lies in the calculation of ${\mathit{z}}_{i_1}$. According to Lemma 2, the value ${\mathit{z}}_{i_1}$ produced via rejection sampling in $G_0^{\prime }$ is statistically equivalent to the value produced by the Gaussian distribution $D_{{\sigma }_1}^m$ (statistical distance less than $2^{-\omega (\log m)}/M$). In $G_0$, the value of ${\mathit{z}}_{i_1}$ is taken from the Gaussian distribution $D_{{\sigma }_1}^m$ and so the games $G_0$ and $G_0^{\prime }$ are computationally indistinguishable. □

Lemma 7.

$G_1$ and $G_1^{\prime }$ are computationally indistinguishable.

Proof of Lemma 7.

The indistinguishability of computation between $G_1$ and $G_1^{\prime }$ (where $b=1$ in the context of the GAME I model) is proved in the same way as described above. □

Lemma 8.

If the $RLW{E}_{n,m,q,\beta }$ problem is hard, $G_0^{\prime }$ and $G_1^{\prime }$ are computationally indistinguishable.

Proof of Lemma 8.

Games $G_1^{\prime }$ and $G_0^{\prime }$ are similar, except for the computation of the part containing member information $c_2$ in the signature (which includes the identity of the member $i_1$). Therefore, it is only necessary to prove that the signature $SI{G}^{\prime }=({\Pi }^{\prime },(c_1^{\prime },c_2^{\prime }),r^{\prime })$ generated in $G_0^{\prime }$ and the signature $SIG*=(\Pi *,(c_1^{*},c_2^{*}),r*)$ in $G_1^{\prime }$ are indistinguishable in computation.

The $c_2^{\prime }$ and $c_2^{*}$ can be seen as the LPR encryption of different member identities ($i_0$ and $i_1$) according to the LPR encryption scheme [26], which is indistinguishable (satisfies IND-CCA security) under the $RLW{E}_{n,m,q,\beta }$ assumption. Therefore, for an adversary $\mathcal{A}$, $c_2^{\prime }$ and $c_2^{*}$ are indistinguishable in computation. Combined with the above proof, $SI{G}^{\prime }=({\Pi }^{\prime },(c_1^{\prime },c_2^{\prime }),r^{\prime })$ and $SIG*=(\Pi *,(c_1^{*},c_2^{*}),r*)$ are statistically indistinguishable. Therefore, $G_0^{\prime }$ and $G_1^{\prime }$ are indistinguishable in computation. □

In conclusion, $G_0, G_0^{\prime }, G_1, G_1^{\prime }$ are statistically indistinguishable. Therefore, for any adversary $\mathcal{A}$, when facing GAME I defined at the beginning of this paper, the advantage of winning the game is $Adv=|\mathrm{Pr}[b^{\prime }=b]-1/2|+negl(n)$, indicating that $\mathcal{A}$ has no advantage in winning the anonymity game. It can be inferred that the GS-MR scheme satisfies the anonymity requirement.

Theorem 3 (full traceability).

The GS-MR scheme meets full traceability under ROM if the $RSI{S}_{n,m,q,\beta }$ problem is hard.

Proof of Theorem 3.

When proving the traceability of the GS-MR scheme, there are two key components: (1) The algorithm $Sign$ generates legal signatures that can be traced back to the identities of their signers. (2) No adversary can forge a legal and untraceable group signature. First, as shown in Theorem 1, the GS-MR scheme is proven to correctly open any valid signature and query the identity details of the signer. Therefore, the following proof focuses on the second point, namely, that it is impossible for any PPT adversary to successfully construct a legally and untraceable signature. □

Let $\mathcal{A}$ be any PPT algorithm defined in Definition 6 that can forge a signature with a non-negligible advantage after numerous inquiries. Then, a challenger $\mathcal{S}$ can be built to solve the $RSI{S}_{n,m,q,\beta }$ problem with a non-negligible advantage.

Let the challenger $\mathcal{S}$ maintain three lists $l_1,l_2,C,\Gamma$, and initialize them as empty. Then, $\mathcal{S}$ honestly runs the algorithm $KeyGen(1^{\lambda },1^N)$ of the scheme, with input security parameter $\lambda$ and maximum member group ${\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N$, randomly selects $j\in \{1,2,....,N\}$, generates $gpk, gs{k}_j, gtk$, and then sends $gpk$ and $gtk$ to $\mathcal{A}$. In response to $\mathcal{A}$’s inquiry, $\mathcal{S}$ replied as follows ($\mathcal{A}$ had conducted relevant $H_1$ queries and $H_2$ queries prior to performing signing and corrupt queries):

(a)

$H_1$ query. $\mathcal{A}$ selects N polynomial vectors ${\mathit{y}}_j\leftarrow D_{{\sigma }_1}^m$ to $\mathcal{S}$. $\mathcal{S}$ first checks list $L_1$. If $\mathcal{A}$ has previously submitted the same query, $\mathcal{S}$ directly returns the same query result. Otherwise, $\mathcal{S}$ selects a random vector $\alpha \in {\{-1,0,1\}}^{l_1+l_2}$ and returns it to $\mathcal{A}$. For this query, $\mathcal{S}$ records $({\left\{{\mathit{y}}_i\right\}}_{i=1}^N,\alpha )$ in the list $L_1$.

(b)

$H_2$ query. $\mathcal{A}$ selects a message $M$, and $c_1, c_2$, and submits them to $\mathcal{S}$. $\mathcal{S}$ first checks list $L_2$. If $\mathcal{A}$ has previously submitted the same query, $\mathcal{S}$ directly returns the same query result. Otherwise, $\mathcal{S}$ selects a random vector $\mathit{v}\in {\{-1,0,1\}}^m$ and returns it to $\mathcal{A}$. For this query, $\mathcal{S}$ records $(M,\mathit{v},c_1,c_2)$ in the list $L_2$.

(c)

Corrupt query. $\mathcal{A}$ inputs $k\in [N]$, if $k=j$, $\mathcal{S}$ terminates the game; if $k\ne j$, $\mathcal{S}$ sends the signing key $gs{k}_k$ to $\mathcal{A}$. For this query, $\mathcal{S}$ records $(k,{\mathit{e}}_k)$ in the list $C$.

(d)

Signing query. $\mathcal{A}$ inputs $k\in [N]$ and message $M$, if $k=j$, $\mathcal{S}$ will modify ${\mathit{z}}_i$ in the algorithm $Sign$ to ${\mathit{z}}_i={\mathit{y}}_i$, and return the signature $SIG$ to $\mathcal{A}$; if $k\ne j$, $\mathcal{S}$ honestly runs the algorithm $Sign$ and returns the signature $SIG$ to $\mathcal{A}$. For this query, $\mathcal{S}$ records $(k,M)$ in the list $\Gamma$.

After a series of queries, $\mathcal{A}$ outputs a forged group signature $SI{G}^{*}=({\Pi }^{*},(c_1^{*},c_2^{*}),r^{*})$. If the signature $SI{G}^{*}$ satisfies Definition 6, it implies that $\mathcal{A}$ wins GAME II. We analyzed the following two aspects:

(1)

Assuming that $SI{G}^{*}$ is a valid signature and satisfies $Open(gpk,SI{G}^{*},gtk)=j$. Since the signature is valid, it follows that ${\mathit{v}}^{*}=H_2({\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{z}}_i-u{v}^{*},c_1,c_2})$; Furthermore, since the signature $SIG$ forged by $\mathcal{A}$ can satisfy the verification correctness, we have ${\mathit{v}}^{*}=H_2({\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{z}}_i},c_1^{*},c_2^{*})$. As the collision probability of the hash-oracle is negligible, we can see that $c_1=c_1^{*}$ and $c_2=c_2^{*}$, and therefore we can conclude that

$${\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i({\mathit{z}}_i-{\mathit{z}}_i^{*})}=\mathbf{0}\mathrm{mod}q,$$

(9)

since ${\displaystyle {\sum }_{i=1}^N||{\mathit{z}}_i-{\mathit{z}}_i^{*}}||\le b$, it follows that ${\displaystyle {\sum }_{i=1}^N({\mathit{z}}_i-{\mathit{z}}_i^{*}})$ is a solution to the $RSI{S}_{n,m,q,\beta }$ problem.

(2)

Assuming $Open(gpk,SI{G}^{*},gtk)=\perp$, the forged signature $SI{G}^{*}=({\Pi }^{*},(c_1^{*},c_2^{*}),r^{*})$ produced by the adversary $\mathcal{A}$ satisfies the following condition

$$\mathit{I}{\mathit{D}}_k^{*}\notin {\left\{\mathit{I}{\mathit{D}}_i\right\}}_{i=1}^N \mathrm{i}.\mathrm{e}., {\mathit{D}}_k=\mathit{a}\cdot {({\displaystyle {\sum }_{i=1}^l{d}_{i(k)}{\mathit{a}}_i})}^{-1}\ne \mathit{a}\cdot {({\displaystyle {\sum }_{i=1}^l{d}_{i(k)}^{*}{\mathit{a}}_i})}^{-1}={\mathit{D}}_k^{*}.$$

(10)

Since the above condition can be verified by the algorithm $Verify(gpk,SIG,{\left\{I{D}_i\right\}}_{i=1}^N)$, we have

$$\begin{array}{l}{\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{z}}_i^{*}}-u{\mathit{v}}^{*}={\displaystyle {\sum }_{i=1}^N{\mathit{D}}_i{\mathit{y}}_i^{*}} i.e. {\mathit{D}}_k^{*}{\mathit{z}}_k^{*}-u{\mathit{v}}^{*}={\mathit{D}}_k^{*}{\mathit{y}}_k^{*}.\\ \end{array}$$

(11)

Let

$${\mathit{D}}_k^{*}{\mathit{z}}_k-u{\mathit{v}}^{*}={\mathit{D}}_k^{*}({\mathit{e}}_k{\mathit{v}}^{*}+{\mathit{y}}_k^{*})-u{\mathit{v}}^{*}={\mathit{D}}_k^{*}{\mathit{y}}_k^{*}.$$

(12)

From Equations (11) and (12), we can obtain

$${\mathit{D}}_k^{*}(({\mathit{e}}_i^{*}-{\mathit{e}}_i){\mathit{v}}^{*})=\mathbf{0}\mathrm{mod}q.$$

(13)

Since $||({\mathit{e}}_i^{*}-{\mathit{e}}_i)v^{*}|{|}_{\infty }\le 4{\sigma }_{1}t\sqrt{m},$ $({\mathit{e}}_i^{*}-{\mathit{e}}_i){\mathit{v}}^{*}$ is a solution to the $RSI{S}_{n,m,q,\beta }$ problem.

Based on the proof of the two above cases, if the adversary $\mathcal{A}$ wins GAME II, then the challenger $\mathcal{S}$ will obtain a solution to the $RSI{S}_{n,m,q,\beta }$ problem. However, the $RSI{S}_{n,m,q,\beta }$ problem is to solvedifficult under the parameters provided in this paper, and so $\mathcal{A}$ cannot satisfy the two conditions mentioned above. Therefore, the GS-MR scheme has full traceability.

6. Implementation and Efficiency Analysis

As proof of concept, in order to understand the practicality of group signatures with recoverable messages, we simply performed some implementations of the GS-MR scheme. We have shown implementations of the GS-MR, which were experimented with using an AMD Ryzen 5 5600G @ 3.90GHz CPU with 16GB of RAM. The programs were compiled using SageMath and Python 3.8. A selection of some program parameters were first shown. Then, based on these parameters, some corresponding outputs in the GS-MR scheme were experimentally derived. In

Table 1. Theoretical estimation of key size and message–signature size.

	Form	Size
Public Key	$(\mathrm{a},{\mathrm{a}}_0,...,{\mathrm{a}}_l,u,f,g)$	$(nm+ln{m}^2+3n){\log }_{2}q$
Signing Key	${\mathit{e}}_i$	$nm\cdot D_{{\sigma }_3}$
Tracking Key	$gtk=s$	$n{\log }_{2}q$
Message–Signature	$\left(\Pi ,(c_1,c_2),r\right)+M$	$Nm\cdot D_{{\sigma }_1}+2n{\log }_{2}q+l_2$

, we summarize the theoretical estimates of the key size and signature size of GS-MR, where “$n\cdot S$ denotes $n$ elements in a set $S$”.

We followed the parameter settings of Luo et al. [37] and also considered the security of the parameter settings in this paper.

• To keep $(\mathit{a}\mathbf{,}{\mathit{T}}_{\mathit{a}})\leftarrow TrapGe{n}_{{ℛ}_q}(n,m,q)$ working safely, set $q\ge 2$, $m\ge 1$, and $\overline{m}\ge$$\log q/\log (2{\sigma }_1\sqrt{2n})$.
• For the Gaussian parameter in $BasisDel(\mathit{A},\mathit{R},{\mathit{T}}_{\mathit{A}},\sigma )$, we chose ${\sigma }_R=\sqrt{n\log q}\omega (\sqrt{\log m}),$ and according to Pino [38], let ${\sigma }_2\ge ||{\stackrel{\mathbf{~}}{\mathit{T}}}_{\mathit{A}}||\cdot ({\sigma }_R\sqrt{m}\cdot \omega ({\log }^{3/2}m))$.
• For Gaussian parameters in rejection sampling, we chose ${\sigma }_1=\omega (t\sqrt{\log m})\approx 12\cdot t\cdot \sqrt{nm}$.
• For the choice of $M$ in rejection sampling, according to Definition 4, if $\sigma =12||\mathit{c}||,$ then the probability of $e^{1+1/288}/M\ge D_{\sigma }^m(x)/M\cdot D_{c,\sigma (x)}^m$ and $e^{1+1/288}/M\ge 3/M$ is greater than $1-2^{-100}$. Then, we can fix $M=3$.

Specifically, we will use the following specific parameters for our experiments:

$p{p}_1:q=2^{24},n=512,m=3,t=14,\overline{m}=1536,M=3,{\sigma }_1\approx 6641.8455$,${\sigma }_2=1165.2235$.

$p{p}_2:q=2^{27},n=512,m=4,t=14,\overline{m}=2048,M=3,{\sigma }_1\approx 7602.8121$,${\sigma }_2=1504.2467$.

$p{p}_3:q=2^{29},n=1024,m=3,t=14,\overline{m}=3072,M=3,{\sigma }_1\approx 9311.5051$,${\sigma }_2=1822.4527$.

In

Table 2. Public key, signing key and tracking key sizes (in KB).

Parameters	$\mathit{P}{\mathit{P}}_1$	$\mathit{P}{\mathit{P}}_2$	$\mathit{P}{\mathit{P}}_3$
Public key (Theo.)	$171$	$335$	$414$
Public key (Exp.)	$196$	$367$	$443$
Signing key (Theo.)	$3.00$	$4.00$	$6.00$
Signing key (Exp.)	$3.13$	$4.17$	$6.29$
Tracking key (Theo.)	$1.50$	$1.70$	$1.80$
Tracking key (Exp.)	$1.55$	$1.75$	$1.87$

, we summarize the real output key values of the GS-MR scheme (i.e., public key, signing key, and tracking key) for three specific parameters compared to their theoretical estimates. For a more intuitive display, we plotted Figure 3 to visualize the variations in key sizes under different parameter settings. Based on Table 2 and Figure 3a, it can be observed that the storage cost of our GS-MR scheme mainly lies in the group public key. In Figure 3b, it can be seen that the signing key and tracking key of the GS-MR scheme are only the size of single-digit KB under the three sets of parameters. Although the signed message is not to be used as an input parameter in the verification phase, we also performed a comparative experiment with the signature and message–signature pairs. Subsequently, we conducted 10 experiments for each of the specific group orders 128, 256, 512, and 1024 to compare the signature size and the total length of message-signature under different scenarios (for Section 4, we fixed the value of $l_2=2^{19}$). Based on the experimental results, we evaluated the average signature size, as shown in

Table 3. Signature and message–signature pairs size (in KB).

Parameters	$\mathit{N}=128$	$\mathit{N}=256$	$\mathit{N}=512$	$\mathit{N}=1024$
Signature	155	309	617	1233
Message-Signature	219	373	681	1296
Signature	229	457	913	1825
Message-Signature	293	521	977	1889
Signature	365	729	1457	2913
Message-Signature	429	794	1521	2977

and Figure 4, which indicates that the signature size of GS-MR increases linearly with the number of group members. With a fixed message, the proportion of the message size decreases as the group size increases. However, we believe that our GS-MR scheme is still feasible. Particularly in small group environments with a low channel bandwidth and poor communication quality, the proposed GS-MR scheme can ensure a smaller total parameter transmission and alleviate concerns regarding the impact of channel noise on message transmission.

To further demonstrate the advantages of the GS-MR scheme, we performed a progressive efficiency analysis and verification parameter size comparison between three lattice-based group signature schemes and the GS-MR scheme. They were, respectively, the group signature scheme with indexed attribute-based signature (ABS) proposed by Katsumata et al. [24], the group signature scheme with forward security and constant size proposed by Canard et al. [27], and the lattice-based dynamic group signature scheme proposed by Huang et al. [19]. In

Table 4. Comparison of the progressive efficiency of group signatures.

Scheme	Public Key Size	Private Key Size	Signature Size	Message Recovery
Katsumata [24]	$O(\lambda ·N)$	$O(\lambda )$	$O(\lambda ·N)$	No
Canard [27]	$O(\lambda ·\log N)$	$O(\lambda )$	$O(\lambda )$	No
Huang [19]	$O({\lambda }^2)$	$O(\lambda )$	$O(\lambda ·\log N)$	No
Ours	$O(\lambda )$	$O(\lambda )$	$O(\lambda ·N)$	Yes

, we compare these three group signature schemes [19,24,27] with the GS-MR scheme, where $\lambda$ is the security parameter and $N=2^l=poly\left(n\right)$ is the number of group members. From Table 4, it can be seen that the group public keys in [19,24,27] are all related to the maximum number of group members $N$, whereas the public and private keys in our scheme and [19] are fixed values. However, in this paper, we needed to use the lattice-based delegation algorithm to generate member signing keys, causing the signature length to be linearly related to $N$. However, none of the above compared schemes have message recovery in the verification phase.

For a more intuitive comparison, we chose fixed values for these schemes to compare the size of the verification parameter for different schemes under the same number of group members. We selected some fixed parameters while ensuring the security of the above comparison schemes. Let $n=2^9,m=4,q=2^{27},$ ${\sigma }_1\approx 7602.8121$, and ${\sigma }_2=1504.2467$. Finally, all schemes select a fixed message $\mathrm{M}={\{0,1\}}^{l_2}$ in the signature generation stage, where $l_2=2^{19}$. The comparison of the size of the verification parameters is shown in

Table 5. Comparison of the size of verification parameter.

Scheme	Size of Verification Parameter (KB)
	$\mathit{N}=128$	$\mathit{N}=256$	$\mathit{N}=512$	$\mathit{N}=1024$	$\mathit{N}=2048$
Katsumata [24]	741.80	1477.75	2949.75	5893.75	11781.70
Canard [27]	3033.75	3033.75	3033.75	3033.75	3033.75
Huang [19]	693.10	1033.10	1513.70	2673.70	3373.70
Ours	293.75	521.75	977.75	1889.75	3649.75

and Figure 5.

From Figure 5, it can be seen that compared to the other three schemes, the size of the verification parameters in the GS-MR scheme is the shortest when the number of group members $N\le 1024$ is considered, with an average reduction of 53.02%. However, the signature size of GS-MR increases linearly with $N$, and at $N\ge 2048$, the verification parameter size is no longer advantageous compared to the Canard scheme [27] and the Huang scheme [27]. Overall, the proposed GS-MR scheme reduces the verification parameter size by an average of 39.17% compared to the schemes of [19,24,27].

7. Conclusions

In this paper, we proposed a lattice-based group signature with message recovery. The scheme achieves message recoverability in the validation phase, thus eliminating the need for group members to send additional messages as validation. And the GS-MR scheme ensures privacy and integrity in collaborative settings, benefiting applications where data security is crucial. It has potential applications in secure data sharing, blockchain systems, and federal learning. Then, we prove that the GS-MR scheme achieves full anonymity and traceability properties based on the difficulty of RSIS and RLWE problems. We also performed some experiments to evaluate the sizes of key and signature. Finally, we compare the GS-MR scheme with three group signature schemes and the result shows that the verification parameter of the GS-MR scheme was reduced by an average of 39.17% for less than 2000 members. Constructing a group signature scheme with controlled linkability under the quantum oracle model will be an attractive research topic for the future.