Almost Fully Secured Lattice-Based Group Signatures with Veriﬁer-Local Revocation †

: An efﬁcient member revocation mechanism is a desirable feature when group signature schemes are applied in practical scenarios. Revocation methods, such as veriﬁer-local revocation (VLR), provide an efﬁcient member revocation in applications of group signatures. However, VLR-group signatures rely on a weaker security notion. On the other hand, group signature schemes for static groups gain stronger security with the full-anonymity security notion. Even though an outsider sees the secret signing keys of all group members in the full-anonymity, the signer is still anonymous. Achieving the full-anonymity for VLR group signature schemes is challenging due to the structure of secret signing keys. The secret signing keys of those schemes consist of tokens, which are used to manage revocation. The reveal of tokens may destroy the anonymity of the signers. We obtain stronger security for the lattice-based VLR group signature schemes by providing a new key generation method, which outputs revocation tokens without deriving from the members’ secret signing keys. We propose a new group signature scheme from lattices with VLR, which achieves stronger security than the previous related works. To avoid signature forgeries, we suggest a new zero-knowledge proof system that requires signers to validate themselves. Moreover, we output an efﬁcient tracing mechanism.


Introduction
Group signatures, first proposed by Chaum and van Heyst [1], permit members of a group to issue signatures in the name of the group while hiding their information (anonymity). In spite of the group manager, he/she can cancel the anonymity of the signatures and identify the owner of the signature (traceability). In other words, in group signature schemes, the signature receivers can only validate the signatures, he/she cannot identify the signers. Still, in the case of dispute, an authorized person (the group manager) can recognize the signer. Thus, the signer should be anonymous to the receivers (outsiders) and traceable to the authorities (the group manager). These two features (anonymity and traceability) make group signature schemes attractive to many real-life applications, namely, key-card access systems, digital right management, and anonymous printing.
After the group signatures were proposed, many proposals were presented with several improvements and security. For instance, Chen and Pedersen [2] and Ateniese and Tsudik [3] delivered new features such as coalition resistance, exculpability, and framing resistance. Then, Ateniese et al. [4] proposed a provably secure scheme in the random oracle model to overcome the weaknesses of the previous works. Later, Bellare et al. [5] formulated a stronger security model, namely, the BMW03 model, with two security requirements-full anonymity and full traceability, which implies the existing security properties. Even though the BMW03 model is known as the most reliable security model at present, it serves only static groups. By adopting the BMW03 model, several group signatures have been proposed, but constructing a scheme with an efficient member revocation and high-level security is a challenge.

Member Revocation Approaches
In the real world, almost all group settings are stateless. Member revocation is one of the principal features of a group. Both dismissed and retired members should be restricted from generating signatures on behalf of the group in the future. One naive approach for member revocation is replacing all the keys newly except for the revoking member when he/she is revoked. Thus, any revoked member cannot produce a valid signature because he does not know the new keys. As the re-key generation approach requires the distribution of newly generated keys to all the members, verifiers, and authorities, it is not suitable for groups with large number of members. Bresson and Stern [6] proposed a method which needs signers to show that the public revocation list does not hold his member certificate when signing. Camenisch et al. [7] suggested a revocation method using dynamic accumulators. While the accumulator hashes a broad set of inputs to one shorter value, dynamic accumulators allow the insertion and deletion of inputs dynamically. The technique proposed by Camenisch et al. [7] needs existing members to store revoked user data and to update their membership for each time that a member is revoked. Thus, the proposed method is a burden for existing group members.
Brickell [8] suggested a different revocation approach, titled verifier-local revocation (VLR). Afterwards, Boneh et al. [9] formalized VLR in their group signature scheme. In the VLR mechanism, every member has a revocation token, which identifies his/her status. Thus, the token of a member indicates whether he/she is revoked or not. When a user's membership is canceled, the revoking user's token is included on a list called revocation list (RL) and the latest revocation list is sent to the verifiers. The verifiers can use RL to authenticate the signer at the signature verification, i.e., whether the signer is an active member or not. As, in general, the number of verifiers in a group system is lower than the number of group members, the VLR mechanism is appropriate for large groups than other revocation approaches. Due to these possibilities, at the moment, VLR seems to be the most flexible revocation method.
In general, group signature schemes contain KeyGen, Sign, Verify, and Open. On the other hand, any VLR group signature scheme contains only the first three algorithms because instead of Open it has implicit tracing algorithm for tracing signers. The implicit tracing algorithm executes Verify for each user until it returns invalid. Then, the implicit tracing algorithm returns the index of the first user for which Verify returned invalid as the signer of the signature.
Early VLR group signature schemes were constructed on the bilinear mappings. Bilinear mappings are insecure in the font of quantum computers. One of the prominent solutions for quantum attack is lattice-based cryptography. Langlois et al. [10] proposed the first VLR group signature scheme from lattice assumptions.

Group Signature Schemes from Lattice Assumptions
Cryptography based on lattice assumptions has strong security proofs in reliance on the worst-case hardness of the lattice problems. Thus, lattice cryptography seems to be an outstanding solution against quantum computers. Moreover, the efficient implementation of lattice-based cryptography attracted researches more. revocation tokens are generated using secret signing keys and providing the secret keys to the adversary (as in full anonymity). Thus, they [20] delivered a different method to produce revocation tokens, which is independent of the secret signing keys. Later, employing the almost-full anonymity notion, several schemes [21][22][23] were proposed with different aspects. Among them, the scheme in [21] extended the almost-full anonymity notion to a new security notion to operate in fully dynamic group signature schemes with member registration and VLR. However, the scheme in [20] and its application schemes did not provide a concrete solution to secure schemes from forgery members, who replace real revocation token with a random value.
While the schemes mentioned above focused on achieving stronger security for VLR group signature schemes, the schemes provided in [24,25] tried to gain efficient revocation check at signature validation. The size of the revocation list increases dramatically when VLR schemes apply in systems where the members are joining for a short period. Long revocation lists increase the cost of authenticating the signer at the signature verification. To reduce the cost of verifying the signer, Chu et al. [24] proposed time-bound keys. Later, Perera et al. [25] employed Chu's proposal and presented a VLR group signature scheme with stronger security.

Our Contribution
In this paper, we present a VLR group signature scheme from lattices with stronger security. We select the almost-full anonymity suggested in [20] to secure our scheme, as it achieves stronger security than the naive VLR group signature schemes with separate token generation. The scheme given in [20] is based on general assumptions. We use modified Boyen's signature [15] given in [14] to generate revocation token in our lattice-based group signature scheme. Moreover, we use an extra public key parameter for making revocation tokens of the users.
As the tokens are independent of the secret signing keys in the proposing scheme, there is a risk that the revoked users are generating valid signatures with arbitrary tokens. As a solution for this weakness, we present a new zero-knowledge proof system by modifying the existing zero-knowledge proof system given in [26] and used in our scheme to avoid such kinds of forgeries. Thus, the proposed scheme employs the new protocol to convince the verifiers that the signer is indeed a valid group member with a real and active token.
The implicit tracing algorithm given in VLR group signature schemes is not suitable for large groups because the time consumption is high in tracing a signer. Thus, we use the explicit tracing algorithm in our scheme to identify any signer. Accordingly, we use the group manager's secret key to find the signers instead of executing Verify a linear time in the number of users as in previous VLR group signature schemes with the implicit tracing algorithm. As the explicit-tracing algorithm helps to capture any signer only decrypting the signature, this can be used for any large groups.
As a result, we propose a group signature scheme from lattice assumptions, which is almost fully secured; supports member revocation and tracing signers efficiently, which provides a new method to generate revocation tokens; and is suitable even for a large group. Moreover, using the proposed zero-knowledge protocol, we secure our scheme from forgery signers.

Road Map
In Section 2, we provide the preliminaries, and in Section 3, we discuss some of the existing security notions, the difficulty of adapting the BMW03 model to cope with revocation queries, and recall the security notion, almost-full anonymity. In Section 4, we provide a new zero-knowledge interactive protocol which supports the proposing scheme. In Section 5, we provide our VLR group signature scheme from lattices, including a different method for generation of revocation tokens, explicit tracing algorithm, and underlying interactive argument system. The proof of the correctness and the security of the scheme is discussed in Section 6. In Section 7, we conclude the paper and present open problems.

Notations
We express the set of integers {1, . . . , i} for any integer i ≥ 1 by [i]. We declare matrices by bold upper-case letters, vectors by bold lower-case letters, and we work with only column vectors. The concatenation of matrices A ∈ R n×m and B ∈ R n×k is expressed by [A|B] ∈ R n×(m+k) . The concatenation of vectors x ∈ R m and y ∈ R k is represented by (x y) ∈ R m+k . If D is a finite set, a $ ← D presents that a is selected uniformly at random from D. If D is a probability distribution, a $ ← D indicates that a is drawn according to D.
The security parameter of our scheme is n and the maximum number of expected group users is N = 2 . We express the binary representation of each user's index by a string as d ∈ {0, 1} . Based on n, we fix the other parameters as below.
Let k 1 := m + and k 2 := n + m + . Let χ be a b-bounded distribution over Z. The norm bound for LWE noises is integer b such that q/b = Õ (n).
are hash functions, modeled as random oracles.

Lattices
For integers r, m, prime q ≥ 2, B = [b 1 | · · · |b m ] ∈ Z r×m q , and z ∈ Z r , the lattice Λ(B) for B is declared as where r is the dimension of the lattice Λ(B). Gaussian distribution for a lattice: For a vector c and a parameter s > 0, the discrete Gaussian distribution ρ s,c (x) = e −π (x−c)/s 2 . The respective probability density function proportional to ρ s,c is D s,c (x) = ρ s,c (x)/s n for all x ∈ R n . The discrete Gaussian distribution with respect to a lattice Λ is D Λ,s,c (x) = D s,c (x)/D s,c (Λ) = ρ s,c (x)/ρ s,c (Λ) for all x ∈ Λ. As Z m is also a lattice, we can declare a discrete Gaussian distribution for Z m . By D Z m ,σ , the discrete Gaussian distribution for Z m around the origin with the standard deviation σ is expressed.

Lattice Hardness Assumptions
Here, we describe the hardness of computational problems of lattices that we use in our scheme. First, we define SIVP problem. Then, we outline the two main average-case problems-LWE and SIS-and the hardness of them. We prove our scheme's security based on their hardness.

Approximate Shortest Independent Vectors Problem (SIVP γ )
In general, finding a good basis for a given lattice is called the basis reduction problem and SIVP is one of basis reduction problems.

Learning With Errors (LWE)
Regev [28] introduced LWE problem, which is a lattice problem that is hard to solve. His work results in a reduction from worst-case lattice problems to a certain learning problem.
Definition 2 (Learning With Errors Problem -LWE n,q,χ [27]). For integers n, m ≥ 1, q ≥ 2, s ∈ Z n q , and χ, the distribution B s,χ is achieved by sampling uniformly random b ∈ Z n q and e ← χ, and returning the pair Search-LWE and Decision-LWE are the two versions of LWE problems. While Search-LWE is for finding the secret s, Decision-LWE id for distinguishing LWE samples and samples chosen according to the uniform distribution. For our scheme we employ Decision-LWE problem.
For β ≥ √ nω(log n), a prime power q, and distribution χ, solving LWE n,q,χ problem is at least as hard as solving SIVP γ , where γ =Õ(nq/β) [28,29] Ajtai [30] introduced SIS in a seminal work. SIS has served in many applications as identification schemes, one-way hash functions, and digital signatures.
Definition 3 (Short Integer Solution Problem -SIS n,m,q,β [27,28]). Given m uniformly random vectors b i ∈ Z n q , the columns of a matrix B ∈ Z n×m q , SIS requires to find a nonzero vector x ∈ Λ ⊥ (B) which forms x ≤ β and Bx = 0 mod q.
SIS problem is for homogeneous systems. Later, Gentry et al. [29] formalized its inhomogeneous version ISIS problem. Definition 4 (Inhomogeneous Short Integer Solution Problem (ISIS n,m,q,β ) [29]). Given matrix B ∈ Z n×m q with m uniformly random vectors a i ∈ Z n q and a uniformly random vector y ∈ Z n q , ISIS n,m,q,β requires to determine a nonzero vector x ∈ Λ ⊥ u (B) satisfying x ≤ β and B · x = y mod q.

Lattice-Related Trapdoors
For our construction, we require a family of functions such that each function capable of computing with any input but not feasible to invert the given input. Such a family of functions is called one-way functions. Trapdoor functions are one-way functions with secret information (trapdoor). Without this secret information, finding the inverse of the function is hard. We use trapdoor functions in our constructions as no one can identify the inverse of the function without the trapdoor.
We employ SampleD, which is a randomized nearest-plane algorithm discussed in [29,31].
• SampleD(T A , A, u, σ): For any vector u in the image of A, a trapdoor T A , and σ = ω( n log q log n) SampleD samples x ∈ Z m from the distribution D Z m ,σ , such that A · x = u mod q.
• GenTrap(n, m, q): For inputs integers n ≥ 1, q ≥ 2, and m ≥ 2n log q the efficient randomized algorithm GenTrap returns a matrix A ∈ Z n×m q and a trapdoor T A . The distribution of A is negl(n)-far from the uniform distribution.
• SamplePre(A, T A , u, σ): For a matrix A ∈ Z n×m q , a trapdoor basis T A , a target image u ∈ Z n q , and the standard deviation σ = ω( n log q log n), SamplePre samples e ∈ Z m from a distribution. e is within negligible statistical distance of D Λ u q (A),σ . • ExtBasis(T A , B): ExtBasis gets a matrix B ∈ Z n×m and a arbitrary T A of Λ ⊥ q (A) as inputs, where A is the top n × m submatrix of B, and returns a basis Moreover, for the construction of the underlying argument system discussed in Section 5, we employ two techniques: witness decomposition and extension (WitnessDE) and matrix extension (MatrixExt) detailed in [10].

•
WitnessDE results p vectors z 1 , . . . , z p ∈ SecretExt(d) for some d = d [1] · · · d[ ] ∈ {0, 1} on input x, where x is the witness of the prover d and d[i] is the i-th bit of the binary representation of d. , where A * is produced by attaching 2m zero-columns to each of the A's component-matrices.

VLR Group Signatures
VLR group signatures are for dynamic groups. When a member is revoked, VLR group signatures require distributing the revocation list only to the verifiers. In this section, first, we provide algorithms of group signature schemes for static groups. Then, we present the algorithms of VLR group signature schemes.
Algorithms of the group signature schemes for static settings are as below.
• KeyGen(n,N): This randomized PPT algorithm returns a group public key gpk, a group manager secret key gmsk, and group members' secret keys gsks. VLR group signature schemes consist of three PPT algorithms [9]. It does not have an Open algorithm as it uses the implicit tracing algorithm to identify the corrupted users. Implicit tracing algorithm employs grt as the tracing key. For a given valid (M, Σ) pair, authority, that knows all the tracing keys grt, can execute Verify(gpk, RL = grt[i], M, Σ) for all users until Verify outputs Invalid. The first index that Verify returns Invalid is the index of the signer. The implicit tracing algorithm fails if it returns Valid for all the members for the input signature. In the implicit tracing algorithm to detect a single user the group manager has to check almost all users until he/she finds the signer. The time consumption of the implicit tracing algorithm is high. Thus, it is not suitable for large groups.

Some Other Techniques
The underlying argument system given in Section 5 enables the signer to convince the verifier the validity of the signer, he is not being revoked, and his/her token is true.
We build our scheme based on the construction of Langloi's scheme [10]. Therefore, our scheme and a vector u ∈ Z n q . Each member has a revocation token to confirm their validity to sign on messages. On the other hand, the Revocation List, which is denoted by RL, contains all the revocation tokens of the revoked users. Thus, checking RL the verifiers can validate the signer.
One-time signature scheme OT S = (OGen, OSign, OVer): While OGen produces keys, OSign generates signature, and OVer allows the verification of the signatures [34]. Thus, OGen creates a signing/verification key pair (osk, ovk) for input (1 n ). On inputs osk and a message M, OSign makes a signature Σ. For given ovk, M, and Σ, OVer validates Σ [35]. OT S is a one-way function. One-way functions are simpler to implement and are computationally efficient than trapdoor functions. On the other hand, OT S schemes are digital signature schemes. Thus it necessary to produce keys for each message. As a result, created keys are unique for the particular messages.

Definitions of the Security Notations
First, this section discusses the existing security notions for anonymity. Then, it justifies the difficulties of achieving full-anonymity for VLR schemes with revocation query and defines the almost-full anonymity. Finally, it declares the security notion traceability.
Since Chaum and van Heyst [1] introduced group signatures, more security properties have been considered according to the requirements of different applications of group signature schemes. As a result, we have a large set of security requirements including anonymity, traceability, unlinkability, unforgeability, and collusion resistance whose definitions and relations to each other have not been clearly understood [5].
Simply, anonymity and traceability can be defined as below.
• Anonymity: no adversary should be able to determine the index of the signer from its signature, which is produced by one of the indices from two indistinguishable indices.

•
Traceability: no adversary should be able to produce a fake signature that cannot be traced.
Later, for static group signatures, Bellare et al. [5] formed two security standards: full anonymity and full traceability (the BMW03 model), which implies the existing unformalized requirements. In 2004, for group signatures with VLR, Boneh et al. [9] suggested a relaxed anonymity notions called selfless-anonymity.

•
Full anonymity allows the adversary to obtain secret keys of all the users and the verification key. Moreover, he/she can access the opening oracle. • Selfless-anonymity does not provide user secret keys without a request, but allows Signing, Corruption, and Revocation queries.
The selfless-anonymity game between a challenger C and an adversary A is as below.
The adversary is weaker in the selfless-anonymity game than the adversary in full anonymity game because in the selfless-anonymity game the adversary cannot access all the users' secret signing keys. The adversary has to determine the key which is used to generate the signature in this game.
• Initial Phase: The challenger C gets gpk, gsk, and grt from KeyGen algorithm and sends gpk to the adversary A. • Query Phase: A is allowed for the below three queries.

1.
Signing: A queries a signature for any message M and an user index i. Then, C sends back Σ = Sign(gpk, gsk[i], M).

2.
Corruption: A queries the secret signing key of user i, and C gives gsk[i].

3.
Revocation: A asks for the revocation token of user i, and C sends grt[i].
• Challenge Phase: A sends a message M and two distinct identities i 0 , i 1 , such that A did not make the corruption or revocation queries for i 0 , i 1 . Then, C picks a bit b $ ← {0,1}, produces and returns the signature Restricted Queries: A can do the above queries but with the below conditions.

1.
Signing: A is allowed to query as before.

2.
Corruption: A is not allowed to query for i 0 or i 1 .

3.
Revocation: A is not allowed to query for i 0 or i 1 .
• Guessing Phase: A sends a bit b as the guess of b. If b = b, then A wins.

The advantage of A winning the game is Adv
. We say that any group signature scheme is selfless-anonymous if Adv A is negligible.
The first VLR group signature scheme from lattices confines on the selfless-anonymity. Our goal is to present a lattice-based VLR group signature scheme with strong security. A naive adaptation of the full anonymity (BMW03 model) does not go well since it was presented for static groups.

Coping with Revocation queries for Full Anonymity
Since the full anonymity was originally proposed for static groups, the revocation query is not incorporated in the naive full anonymity game given in the BMW03 model or the other schemes that used the BMW03 model, such as in [14]. Our scheme is for dynamic-groups supporting member revocation. As we wish to make our VLR group signature scheme full-anonymous, we concern a security notion for "full anonymity with revocation query". On the other hand, we have to deal with the risk of giving revocation tokens to the adversary. Simply adding the revocation query given in the selfless-anonymity to the notion of the full anonymity will make our scheme insecure. The definition of the full anonymity after adding revocation query is as below.
• Initial Phase: The challenger C gets gpk, a group manager's secret key gmsk, and group users' secret signing keys gsk and revocation tokens grt, and then delivers (gpk, gsk) to the adversary A. • Query Phase: A is allowed to request token (grt) of any user and opening of any signature.
The adversary A still is allowed to access opening oracle with any signature except the signature challenged but he/she is not allowed for revocation queries. Here, if the adversary A calls the challenge phase with the indices whose revocation tokens are already queried, and if we generate the challenging signature without any restrictions, then the adversary A can guess the index that used to generate the challenging signature easily. The adversary A can execute Verify with all the revocation tokens he/she has, and figure the index of the generated signature. The advantage of A in winning the game is Adv A = | Pr[b = b] − 1/2|. As the adversary can obtain the tokens of the challenged indices, he/she can win the game easily. Thus, Adv A is not negligible.
In such a way, allowing the adversary A to query any revocation token and generating the challenged signature for the indices, even those indices' revocation tokens are queried, makes the scheme non-secured.
Because of this problem, we have to consider a security notion which has the restrictions of providing revocation tokens to the adversary. Thus, we use the almost-full anonymity given in [20], which is a restricted version of full anonymity.

Almost Full Anonymity
The idea of almost full anonymity is depicted in Figure 1. Here, as the naive full anonymity game, the challenger C creates the keys, and gives gpk and gsk to the adversary A. When A accesses the opening oracle with a message-signature pair (M, Σ), the oracle outputs Open(gmsk, M, Σ) as usual. Furthermore, A can request the token of any user d. Thus, C replies with grt[d]. The revocation query is not in the original notion of full anonymity. Then, A sends two valid identities i 0 , i 1 with a message M. Then, C chooses one of the two identities, which are not being queried before in revocation query phase, and outputs the signature Σ * . Here, signatures are not generated for the indices that have been queried for revocation tokens as the adversary A can use the tokens and execute Verify to check the generated signature. The goal of A is to recognize the index that is employed to produce Σ * . He/she is still allowed to access the opening oracle, but without the challenged signature, and he/she can request revocation token of any user except the challenging indices. The almost-full anonymity game between a challenger C and an adversary A is as below.

•
Initial Phase: C runs the algorithm KeyGen and gets gpk, gmsk, and group members' secret keys gsk and revocation tokens grt, and then sends (gpk, gsk) to A.
The adversary A still can query the opening oracle without the signature challenged, and he/she can request revocation tokens of any user except the indices used for challenge. We declare the advantage of A in the above game as Adv A = | Pr[b = b] − 1/2|. We say that any group signature is almost-full anonymous if for all polynomial N and for all adversaries, the Adv A is negligible in the security parameter n. Here, we discuss the almost-full anonymity with regards to the full anonymity and the selfless-anonymity. As in any other anonymity game, in the almost-full anonymity game, gpk is given to the adversary A and, as in the full-anonymity, all the user secret signing keys gsk are given to the adversary A at the beginning of the game. Even the member revocation tokens are generated; they are not provided to A in the initial phase. In the query phase, A can access Open as in the full-anonymity and request for revocation tokens as in the selfless-anonymity game. Then, A can output i 0 , i 1 , which are not used in the revocation query as in the selfless-anonymity. Still, A can access Open but not with the signature challenged, and he/she is permitted for further revocation queries except for indices challenged. Thus, the almost-full anonymity is stronger than the selfless-anonymity as all the users' secret signing keys are provided to the adversary. However, the almost-full anonymity is not as strong as the full anonymity because we cannot permit the adversary to access all the revocation tokens. However, all the users' secret signing keys are provided to the adversary. In the full anonymity given in the BMW03 model, all the secret signing keys of the users (the only secret key of the users in that scheme has) are provided to the adversary. However, in the VLR scheme, we have another user's key called tracing key (revocation token) which cannot disclose to the adversary without any restrictions. Thus we say the almost-full anonymity is a controlled variant of the full anonymity, and it is somewhat weaker than the full anonymity. A scheme to be fully anonymous, all the secret keys (both secret signing keys and revocation tokens) should be given to the adversary at the start of the game. The almost-full anonymity is a reasonable solution for our scheme rather than the selfless-anonymity. An attacker can identify the signer only if he gets hold of the signer's token. An attacker obtaining the exact signer' token is as rare.
The VLR group signature scheme in [10], generates revocation tokens grt by taking a part of the secret keys gsk. As we are providing all the users' secret signing keys to the adversary, and he/she can query revocation tokens, he/she can create challenged indices' tokens utilizing the secret keys he has. Thus, we take a different way to generate the revocation tokens, as discussed in Section 5. Thus, revocation tokens of our scheme are not derived from the secret signing keys.

Traceability
The naive definition of traceability in [1] is to determine the correctness of the opening algorithm. Therefore, for a valid signature signed by i with gsk[i], the opening algorithm should return i. Later, traceability appeared with an actual security requirement, that it is not able to create a signature which can not be locate to a group that generated the signature. However, the BMW03 model gave a much stronger notion called full-traceability, which can be regarded as a strong form of traceability and collusion resistance.
In the traceability game, the challenge of the adversary is to form a signature that cannot be traced. Any group signature scheme is traceable if no adversary can win this challenge. Therefore, we say that a VLR group signature scheme is traceable if the adversary cannot forge a signature that can be traced to one of the users in his coalition using the implicit tracing algorithm. The traceability game between a challenger C and an adversary A [10] is as follows.

•
Initial Phase: C obtains gpk, gsk, and grt. Then, C sends (gpk, grt) to A and sets corruption list U ← ∅. • Query Phase: A is allowed for the below queries.

1.
Signing: A requests a signature by sending a message M and a user index i, and C responds with Σ = Sign(gpk, gsk[i], M).

2.
Corruption: A queries for the secret key of any user i. The challenger C sends gsk[i] after adding i to U.
• Challenge Phase: A sends a message M * , a set of revocation tokens RL * , and a signature Σ * .

•
The forgery A wins if the followings are correct.

2.
Σ * traces to some id outside the coalition U\RL * or tracing algorithm returns failure symbol.

3.
Σ * is not gained by signing on M * . is the traceability game between the challenger C and the adversary A. We say that a group signature scheme is traceable if Adv trace A is negligible.

The Underlying Zero Knowledge Interactive Protocol
In the proposing scheme, as the tokens are separated from the secret signing keys, there is a risk of signers cheating their tokens at the time of signing. For instance, a revoked member can pick a random value as his/her token and generate a signature. As the fake token is not in the revocation list RL, the verifier thinks the signer is an active member. To prevent such forgeries, we require signers to prove that their token is valid. In other words, the signer should prove that for generating the signature he/she used token which is given at the setup stage. As the signer cannot show his token to outsiders, he/she needs a system to generate a proof while hiding his/her private data. Thus, we modify the zero-knowledge protocol given in [26], and provide a new zero-knowledge protocol that can satisfy the proposing scheme's requirements. Consequently, we present a new protocol as our scheme's underlying zero-knowledge interactive protocol that proves the signer is valid, his/her token is not revoked, and his/her token is real.
Zero Knowledge Interactive Protocol enables a prover (signer) to prove that he/she is a approved group member who has valid secret keys.
Let COM be the statistically hiding and computationally binding commitment scheme given in [36].
A combined interactive protocol is given in [26]. By using that protocol, a signer can prove the validity of signing, that his/her revocation token is not in the revocation list, and that his/her index is correctly encrypted. However, as we need the signer to prove that his token is real, which cannot be achieved by directly using the method in [26], we need to modify the protocol in [26].
When the protocol in [26] is used in a scheme which supports both VLR and the explicit tracing mechanism, we use public parameters, a matrix A = [A 0 |A 0 , a vector u ∈ Z n q , a matrix B ∈ Z n×m q , a matrix V ∈ Z m×n q , a vector v ∈ Z m q , a matrix P ∈ Z k 1 ×k 2 q , and another vector c ∈ Z k 1 q . The witness of the prover consists of a vector x (d) = (x 0 x 0 1 x 1 1 . . . x 0 x 1 ) ∈ Σ (2 +1)m for some d ∈ {0, 1} , a vector e 1 ∈ Z m , a vector r ∈ Z n q , and another vector e ∈ Z k 2 . The prover has to show the verifier that A · x = u mod q, e 1 ∞ ≤ β and V · (B · r) + e 1 = v mod q while keeping his identity d in secret. Moreover, the prover has to show his identity is correctly encrypted, such that e ∞ ≤ b and Pe + (0 k 1 − q/2 d) = c mod q.
In our scheme, we use the modified Boyen's signature given in [14] to make revocation tokens. In Boyen's signature schemes, it requires to show the verifier that A (d) z = u mod q, while hiding both d and z. The matrix A (d) is unique to the users as it is obtained by using user's index. The vector z is attained by using A (d) . We use the same method in our scheme to prove the validity of the revocation token. Thus, in our scheme, we use (A (d) · t) as the revocation token of the user and as a result, in addition to the proof given in [26], we should proof that A (d) · t = w mod q in zero-knowledge, while keeping both d and t in secret. Here w is a public parameter and t is generated using A (d) and w.
Using the method given in [14], we take following steps to prove and t = (x y) ∈ Z m . Thus, we get d y). We need to argue the position oft ∈ Z (1+ )m in zero-knowledge, for a given (Ā, w), such that t ∞ ≤ β andĀt = w mod q.

In our new zero-knowledge protocol the public inputs are a vector
, and a vector c ∈ Z k 1 q . The witness of the prover consists of a vector x (d) = (x 0 x 0 1 x 1 1 . . . x 0 x 1 ) ∈ Σ (2 +1)m for some d ∈ {0, 1} , a vector e 1 ∈ Z m , a vector t ∈ Z 2m q , and another vector e ∈ Z k 2 . The prover should persuade the verifier that A · x = u mod q, e 1 ∞ ≤ β and V · (A (d) · t) + e 1 = v mod q while hiding prover's identity d. Moreover, the prover has to show that his/her identity is correctly encrypted, such that e ∞ ≤ b and Pe + (0 k 1 − q/2 d) = c mod q and token is real, such that A (d) · t = w mod q.

Preparation
Step

•
The common inputs: , and P ∈ Z k 1 ×k 2 q and vectors u, w $ ← Z n q , v ∈ Z m q , and c ∈ Z k 1 q .

•
The prover's inputs: q , and a vector e ∈ Z k 2 . We use f instead of e 1 hereunder to discard the confusing e 1 with e.

•
The prover's target is to prove the verifier in zero-knowledge that e ∞ ≤ b and Pe + (0 k 1 − q/2 d) = c mod q (b is the norm bound for LWE noises and Before the interaction, both the prover and the verifier form the public matrices: A * ← MatrixExt(A), V * = V · A ∈ Z m×m q , I * ∈ {0, 1} m×3m (I * is gained by appending 2m zero-columns to the identity matrix of order m), P * = [P | 0 k 1 ×2k 2 ] ∈ Z k 1 ×3k 2 q , and Then, the prover uses the Decomposition-Extension technique provided in [10] with his/her witness vectors as below.

3.
Response: Based on the challenge, the prover computes and outputs the response RSP as below.

(7)
• Ch = 3: Parse RSP as in (5). Check whether ; {φ e,j }p j=1 ; P * · (∑p j=1 b j · h e,j ) + Qh d ;τ; ρ 1 ); If and only if all the conditions hold, the verifier returns Valid. Otherwise, he/she returns Invalid. As discussed in [26], we construct an efficient simulator S interacting with a (probably dishonest) verifierV, such that, only using the public input, S returns a simulated transcript that is statistically close to the one created in the real interaction by the honest prover. Thus, the simulator can successfully imitate the honest prover with probability negligibly far from 2/3.
We provide the analysis of the new underlying zero-knowledge protocol in Appendix A.

Our VLR Group Signature Scheme
In our scheme, we generate member revocation tokens using modified Boyen's signature as in [14]. Even when there is no direct relationship to the secret keys we obtain the revocation tokens by using the member-indices. Thus, each revocation token has a relation to each member's index, which is unique to the members. According to the scheme described in [10], revocation tokens can be obtained by a part of the public key and a part of the secret key. However, as we are giving all the secret keys to the adversary in the anonymity game, the adversary may construct the challenged indices' revocation tokens by studying the pattern of the queried revocation tokens and using the secret signing keys he has. Thus, we come with a solution to obtain revocation tokens in our scheme by using modified Boyen's signature.
Our scheme consists of four algorithms as below.
• KeyGen(n,N): On inputs, the security parameter n ∈ N and the number of group users N, this randomized PPT algorithm outputs a group public key gpk, a group manager secret key gmsk, a set of user secret keys gsk, and a set of user revocation tokens grt.

Description of Our Scheme
In this section, we present the construction of our scheme from lattices. Key Generation: KeyGen(n,N) creates a group public key gpk, a group manager secret key gmsk, group user secret signing keys gsk, and group user tokens grt as below.

1.
Run GenTrap(n, m, q) to obtain a matrix A 0 ∈ Z n×m q and a trapdoor T A .

5.
Execute algorithm GenTrap(n, m, q) from [29] to get a matrix B ∈ Z n×m q and a trapdoor T B . 6.
(k) Let the user revocation token be grt Finally, the algorithm returns, gpk = ((A, u, w) Signing: We employ the OT S scheme to secure the generating signatures. Then, we employ the underlying argument system to prove that the user is valid . Sign(gpk, gsk[ be hash functions, modeled as a random oracle.

2.
Encrypt the signer's index d as below.

5.
Generate the parameters for the interactive protocol to show the index d is encrypted correctly as follows. 6.
Repeat the underlying interactive protocol given in Section 4, t = ω(log n) times with the public parameters (A, u, w, B, V, v, P, c) and prover's witness (x, t, e 1 , e) to achieve the soundness error negligible. Then make it non-interactive by employing the Fiat-Shamir heuristic as a triple, Get OT S; sig = OSig(osk, (c 1 , c 2 , Π)).
Verification: On input gpk, RL= {{u i } i } ⊂ Z n q , M, and Σ, the algorithm Verify confirms Σ is valid on M and signer is a valid member by executing the following steps.
For k = 1 to t execute the verification steps of the commitment scheme in Section 4 with public parameters (A, u, w, B, V, v, P, c) to validate RSP (k) with respect to CMT (k) and Ch (k) . If any of the conditions does not hold then return invalid and abort. 7.
For each u i ∈ RL compute e i = v − V · u i mod q to verify whether there exists an index i satisfying e i ∞ ≤ β. If so output invalid. 8.
Return valid.
Open: To identify the signer of the given message M signature Σ pair Open(gmsk, M, Σ) functions as follows. Here, gmsk = T B is the group manager's secret key and Σ = (ovk, (c 1 , c 2 ), Π, sig).
For each i ∈ [ ] check whether d i is closer to 0 than q/2 mod q. If so d i = 0 else 1.

Correctness
We use the techniques in [14] and adapt the scheme provided in [10]. Even though we changed the revocation token generation with regards to the work in [10], there is no impact to the correctness of the scheme from new revocation token generation, as we check the signer's authenticity with RL separately and we prove the honesty of the token independently in zero-knowledge proof. We use the proof of correctness given in [10]. We prove the correctness of Open additionally.
proof. Fix a non-zero vector s ∈ Z n q . Then the vector V · s is uniformly distributed over Z m q . It then follows that . Applying a union-bound get An honest signer is able to obtain a valid witness (x, t, e 1 , e) for the underlying argument system with overwhelming probability. Moreover, the verification algorithm Verify will not return Invalid for the signature check after Step 6, because Step 6 validates the signature using the underlying zero-knowledge interactive protocol. In Step 7 of the verification algorithm Verify, the vector e i for every i can be delivered as If the verification algorithm Verify outputs Valid, that is e i ∞ ≤ β, for all i. This means grt[d] / ∈ RL. If there exists an index i, where grt[d] = u i , then e i = e 1 . Then, the signature should not pass the Step 7 of the verification process because e i ∞ = e 1 ∞ ≤ β.
Suppose there is a situation grt[d] / ∈ RL, i.e., for every i, the vector s i := grt[d] − u i mod q is non-zero. According to Lemma 1, V · s i ∞ > 2β with overwhelming probability. At the same time, In our scheme, the revocation token grt[d] = (A (d) t (d) ) of a member d is generated by using the public parameters A and w. Thus, the underlying zero-knowledge protocol of the verification algorithm checks whether the user token satisfies A (d) t (d) = w mod q in zero-knowledge. Thus, using the public parameters without revealing the A (d) or t (d) the signer should proof that his token is not being faked. On the other hand, because of this condition dishonest signers cannot generate a valid signature with a fake token that passes the signature verification. This confirms that only correct and honestly generated signatures can pass the signature verification.
Moreover, if the index of the signer is correctly encrypted in the ciphertext c at the time of signing, then the tracing algorithm Open returns the index of the signer correctly. Encryption of the index is guaranteed in the signing stage because no member can pass the underlying interactive protocol without correct encryption of the index via a LWE function. In addition to that, Verify returns Invalid if the ciphertext c is not correct encryption of the index because it cannot pass the underlying interactive protocol's checking without a correct encryption. Thus, this proves the correctness of the encryption of the index and that the tracing algorithm outputs the index of the correct signer.

Almost-Full Anonymity
Theorem 1. The proposed VLR group signature Section 5.1 is almost-full anonymous in the random oracle model under the LWE n,q,χ assumption.
We demonstrate the anonymity of our scheme using eight indistinguishable games, where Adv A (G 0 ) = and Adv A (G 7 ) = 0.
Game G 0 : This is the naive anonymity experiment. Here, we believe that the adversary A has advantage . At the beginning, the challenger C produces keys gpk, gmsk, gsk[d] d∈{0,1} , and grt[d] d∈{0,1} using KeyGen(n, N). Then, he/she hand overs gpk and gsk to A. The adversary A is allowed to query revocation tokens and opening of any signature. When A asks for a token of a user d the challenger C outputs grt[d]. When A queries for opening of any signature then C answers with Open(gmsk, M, Σ) using gmsk = T B . In the challenge phase, A sends a message M and two indices i 0 , i 1 ∈ {0, 1} , such that the adversary A did not make a revocation query for users The adversary A still can query for opening oracle except for challenged indices and he is not allowed for revocation queries with i 0 , i 1 . The adversary's challenge is to guess the index, that is employed to produce Σ * . Finally, A returns b ∈ {0, 1}. If b = b then A wins.
Game G 1 : In this game, a minor modification is done compared to G 0 . The OT S key pair (ovk * , osk * ), which is created at the signature generation in the real game, is produced at the initial stage of the game. Thus, at the query phase, if A queries for opening oracle with Σ = (ovk, (c 1 , c 2 ), Π, sig, v, ρ), where ovk = ovk * then the challenger C sends a random bit and terminates the game. As ovk * is created at the start, it does not have any relation to the adversary's queries. Accordingly, the probability of ovk = ovk * is insignificant. Besides, after the challenge signature Σ * = (ovk * , (c * 1 , c * 2 ), Π * , sig * , v * , ρ * ) is sent, if the adversary queries a valid signature Σ = (ovk, (c 1 , c 2 ), Π, sig, v, ρ) with ovk = ovk * then sig is a forged one. Therefore, the challenger terminating the game is irrelevant. Without losing the generality we believe that A does not ask for opening of a valid Σ with ovk = ovk * .
Game G 2 : Here, we replace the encrypting matrices B and G with randomly obtained B * and G * , and we program the random oracle H 1 according to B and G. In real anonymity game, B is obtained from GenTrap and G is generated at the signature generation. In this game, we get uniformly random B * ∈ Z n×m q and G * ∈ Z n× q . The challenger samples Y ← (D z m ,σ ) compute G = B * Y ∈ Z n× q and program H 1 (ovk * ) = G to respond the opening oracles querying with Σ = (ovk, (c 1 , c 2 ), Π, sig, v, ρ). This G is utilized to respond the opening and (ovk,Y,G) is saved to reuse when A repeats the same queries for H 1 (ovk). In the challenge phase, program H 1 (ovk) * = G * and compute (c * 1 , c * 2 ) to make Σ * . As the distribution of G is statistically close to uniform over Z n× q [29] and the distributions of G * , B * are statistically close to the real game [29], the games G 1 and G 2 are indistinguishable.
Game G 3 : Without producing the legitimate non-interactive proof Π, in this game, C simulates Π as discussed in Section 4. For each k ∈ [t], take a forged challenge Ch (k) and execute the interactive protocol. Then, program the random oracle H 1 respectively. The challenging signature Σ * = (ovk * , (c * 1 , c * 2 ), Π * , sig * , v * , ρ * ) is statistically close to the signature in the early games because the argument system is statistically zero-knowledge. Therefore, G 3 is indistinguishable from G 2 .
Game G 4 : The challenger replaces the naive revocation token used to generate the challenged signature Σ * = (ovk * , (c * 1 , c * 2 ), Π * , sig * , v * , ρ * ), where v = V · grt[i b ] + e 1 mod q, with a vector t sampled uniformly. We compute v = V · t + e 1 mod q, where t $ ← Z n q . V is uniformly random over Z m×n q , e 1 sampled from the error distribution χ, and we replace only grt[i b ] by t. As the rest of the game is the same as the previous game G 3 , this game is statistically indistinguishable from G 3 .
Game G 5 : In this game, we obtain v uniformly. Thus, we make the revocation token totally independent of the challenging bit b. We sample y $ ← Z m q and set v = y. In the above game, the pair (V, v) is a proper LWE n,q,χ instance, and in this game we replace v with truly uniformly sampled y. As the LWE n,q,χ problem is hard (Section 2), the games G 4 and G 5 are indistinguishable. Suppose there is an algorithm B for solving the LWE n,q,χ problem. Then, B can interact with A by answering the queries that A makes. When A queries for the revocation token of any group member, B can simply answer with a value chosen uniformly random such as y $ ← Z m q instead of providing grt. The rest of the game is the same as the original poof given in the previous game. If adversary A can distinguish whether the revocation token is generated or chosen randomly, the algorithm B succeeds. However, this contradicts the hardness of the LWE n,q,χ problem. Game G 6 : In this game, we modify the creation of ciphertext (c * 1 , c * 2 ) uniformly. Let c * 1 = x 1 and c * 2 = x 2 + q/2 d b , where x 1 ∈ Z m and x 2 ∈ Z are uniformly random and d b is the index of the challenger's bit. As the rest of the game is same as G 5 and the LWE n,q,χ problem is hard to solve, the games G 5 and G 6 are indistinguishable. Indeed, if A succeed on distinguishing two games, then A can also solve the LWE problem. That means, he/she can distinguish (B * , (B * ) T s + e 1 ) from (B * , z 1 ) and (G * , (G * ) T s + e 2 ) from (G * , z 2 ), which conflicts with the LWE n,q,χ assumption. Game G 7 : The challenger makes the challenging signature Σ * totally independent of the bit b. Let c * 1 = x 1 and c * 2 = x 2 , where x 1 ∈ Z m q and x 2 ∈ Z q are uniformly random. The games G 6 and G 7 are statistically indistinguishable. As this game G 7 is independent from the challenger's bit b, the advantage of the adversary winning the game Adv A is 0. Therefore, the above executed games prove that advantage of the adversary on almost-full anonymity of the scheme is negligible.
This concludes the proof of anonymity.

Traceability
In the random oracle model, we say that our VLR group signature scheme is traceable if the SIS ∞ n,( +1)m,q,2β problem is hard.

Lemma 2 ([29]
). For any m, β = poly(n), and for any q ≥ β.ω( n log n), solving a random instance of the SIS 2 n,m,q,β or ISIS 2 n,m,q,β problem with non-negligible probability is at least as hard as approximating the SIVP 2 γ problem on any lattice of dimension n to within certain γ = β ·Õ( √ n) factors.
Based on Lemma 2 and Theorem 2, we prove that the proposed scheme is traceable in the random oracle.
Suppose there is an adversary A who can break the computational binding property of the commitment scheme COM with non-negligible probability. Therefore, A can find answers for the SIS ∞ n,( +1)m,q,2β problem. Thus, without losing the generality, we believe that COM is computationally binding.
Let forger F be a PPT algorithm that solves the SIS ∞ n,( +1)m,q,2β problem with non-negligible probability.
The forgery F is given the verification key (A, u, w). F then produces a key pair (B, T B ) and interacts with the adversary A by sending gpk = ((A, u), B) and responding to the A's queries as below. Finally, A sends a message M * , revocation data RL * , and a non-trivial forged signature Σ * , which fulfills the requirements of the traceability game, where such that Verify(gpk, M * , RL * , Σ * ) = Valid and Open fails or outputs an user index outside of the coalition CU \ RL * Now let us show how F exploits the forgery. We assume that A always queries H 2 on input (M, {CMT (k) } t k=1 , c 1 , c 2 ) before H 1 . Thus, with probability at least − 3 −t , there exists certain k * ≤ q H such that the k * -th oracle queries involves the tuple (M, {CMT (k) } t k=1 , c 1 , c 2 ). Then, for any fixed k * , execute A many times and input as in the original run. For each repeated execution, A gives the same results for the first k * -1 queries as in the initial run and from the k * -th query onward he/she outputs fresh random values. As stated in the forking lemma [ [37], Lemma 7], with probability larger than 1/2, algorithm F can get a 3-fork involving tuple (M, {CMT (k) } t k=1 , c 1 , c 2 ) after less than 32 · qH/( − 3 −t ) executions of A. Let the outputs of F with respect to the 3-fork branches be i } = {1, 2, 3}1 − (7/9) t . Under the condition of the existence of such index i, one parses the three forgeries related to the fork branches to get (RSP (1) i , RSP (2) i , RSP i ). Then, by employing the knowledge extractor of the underlying argument system, we can obtain vectors (y, e * 1 , t * , e * ). We can get (s * , e * 1 , e * 2 ) from e * , which satisfy the following.
It then follows that grt[j * ] / ∈ RL and j * / ∈ CU. As a result, (y, d * ) is a valid forgery. Furthermore, the analysis of the forgery signature shows that if A has non-negligible success probability returns in polynomial time, then so does F . This satisfies the proof of traceability.
For a challenge Ch fromV, SIM responds as follows.
-If Ch = 3: Output ⊥ and abort. As COM is statistically hiding, the distribution of the commitment CMT and the distribution of the challenge Ch fromV for every case considered above are statistically close to those in the real interaction. Therefore, the probability that the simulator outputs ⊥ is negligibly close to 1/3. Thus, the simulator SIM can successfully imitate the honest prover with probability negligibly close to 2/3.

Appendix A.4. Argument of Knowledge
Here, we prove that if COM is computationally binding, then the given protocol is an argument of knowledge. For a given commitment CMT and three valid responses RSP (1) , RSP (2) , RSP (3) to all three possible values of the challenge Ch, a valid witness can be extracted.
Moreover, for each j ∈ [p], let t j = (s t,j − h t,j ). Then, φ t,j (t j ) = φ t,j (s t,j ) − φ t,j (h t,j ) = a t,j ∈ B 3m , which implies that t j ∈ B 3m . Lett = ∑ p j=1 β j · t j ∈ Z 3m and by dropping the last 2m coordinates fromt obtain t ∈ Z m . We can declare We can obtain the relation V * ·t + I * ·f = v mod q ⇐⇒ V * · (A (d) · t ) + f = v mod q. and A * · p ∑ j=1 β j · t j = A (d) · t = w mod q.
For each j ∈ [p], let e j = (s e,j − h e,j ). Then φ e,j (e j ) = φ e,j (s e,j ) − φ e,j (h e,j ) = a e,j ∈ B 3k , which implies that e j ∈ B 3k . Letê = ∑p j=1 b j · e j and by dropping the last 2k coordinates fromê obtain e ∈ Z k . We can declare, Now, e ∞ ≤ b, and P * e + Qd * = Pe + (0 k− q/2 d) = c mod q.