Zero-Knowledge Proof for Lattice-Based Group Signature Schemes with Verifier-Local Revocation

Abstract

In group signature schemes, signers prove verifiers, their validity of signing through an interactive protocol in zero-knowledge. In lattice-based group signatures with Verifier-local revocation (VLR), group members have both secret signing key and revocation token. Thus, the members in VLR schemes should show the verifiers, that he has a valid secret signing key and his token is not in the revoked members list. These conditions are satisfied in the underlying interactive protocol provided in the first lattice-based group signature scheme with VLR suggested by Langlois et al. in PKC 2014. In their scheme, member revocation token is a part of the secret signing key and has an implicit tracing algorithm to trace signers. For a scheme which generates member revocation token separately, the suggested interactive protocol by Langlois et al. is not suitable. Moreover, if the group manager wants to use an explicit tracing algorithm to trace signers instead the implicit tracing algorithm given in VLR schemes, then the signer should encrypt his index at the time of signing, and the interactive protocol should show signer’s index is correctly encrypted. This work presents a combined interactive protocol that signer can use to prove his validity of signing, his separately generated revocation token is not in the revocation list, and his index is correctly encrypted required for such kind of schemes.