ML-GS: Module Lattice-Based Group Signature Scheme

Pan, Deng; Yang, Yatao; Sun, Weitao; Wang, Shuaibo; Wang, Ke

doi:10.2478/ias-2025-0007

Full Article

1

Introduction

1.1

Background

Group signatures (GS) are a special class of digital signatures designed to provide privacy protection for groups. As a prominent research topic in public-key cryptography, GS has attracted increasing attention in recent years and has been applied in various multi-user scenarios. Any group member can generate a signature on behalf of the entire group. The validity of the signature can be publicly verified, but the identity of the actual signer remains hidden (anonymity). A group manager, equipped with a tracing key, can reveal the identity of the signer when necessary (traceability). Due to these two core properties, group signatures are well-suited for a range of network applications, such as electronic voting, vehicular networks, and anonymous cryptocurrencies [1–3]. Figure 1 illustrates the application of GS in electronic contract signing.

Most existing GS schemes are constructed based on traditional number-theoretic hardness assumptions, such as integer factorization and discrete logarithms. These problems are believed to be intractable for classical computers in polynomial time. However, the introduction of Shor algorithm [4] demonstrated that quantum computers can efficiently solve these problems, posing a significant threat to the cryptographic foundations of the current Internet infrastructure in the post-quantum era. Although the timeline for practical quantum computers remains uncertain, ongoing advances in quantum algorithms [5] suggest that their realization may not be far off. Considering this, the development of quantum-resistant cryptographic schemes has become an urgent and critical area of research.

In response to the disruptive threat that quantum computing poses to traditional cryptographic schemes, the National Institute of Standards and Technology (NIST) has launched a standardization process for post-quantum cryptography. Among the various candidates, lattice-based cryptography has emerged as one of the most promising approaches due to its strong security guarantees and practical efficiency. Since Ajtai's pioneering work in 1996 [6], which first introduced lattice problems into cryptography, subsequent research has shown that current quantum algorithms cannot efficiently solve the underlying hard problems on lattices [7]. In addition to quantum resistance, lattice-based schemes offer several desirable features, including worst-case to average-case reductions, parallelizability, and high computational efficiency. These advantages have made lattice-based group signature schemes a highly active area of research. Although existing lattice-based GS schemes have been proven secure under well-established lattice hardness assumptions, they still suffer from substantial storage overhead and relatively low signing efficiency, which remain key challenges for practical deployment.

In August 2024, NIST officially released the first set of post-quantum cryptographic standards, FIPS 203-205 [8–10], marking a critical milestone in the transition from classical to quantum-resistant cryptographic systems. Among them, FIPS 204 standardizes a lattice-based digital signature scheme known as Dilithium [11]. Dilithium is designed within the “Fiat-Shamir with Aborts” framework, which avoids the complexities of Gaussian sampling and enables a simple, efficient signing process. This construction has provided valuable insights for the design of GS scheme. In particular, by adopting Dilithium’s signature structure for the group member signing phase, it is possible to significantly improve signing speed and reduce signature size.

Based on the above, the motivation for proposing our new group signature scheme is as follows:

To address the urgent need for quantum-resistant group signatures: The advancement of quantum computing threatens the security of traditional group signature schemes, making the development of post-quantum alternatives a critical research imperative.
To overcome practical limitations in existing lattice-based group signatures: While lattice-based cryptography offers a promising path to quantum resistance, many current lattice-based group signature schemes are hindered by significant storage overhead and suboptimal signing efficiency, limiting their practical applicability.
To leverage recent advancements in post-quantum cryptography standards: The Dilithium signature scheme, standardized by NIST in FIPS 204, provides robust and efficient building blocks. We aim to adapt its core principles to the group signature setting to enhance performance and security.

In this paper, we propose a module lattice-based group signature scheme (ML-GS). Our specific contributions are as follows:

To ensure the dynamic joining of group members, we adopt a Gaussian preimage sampling technique over module lattices. The module nature of our construction enables flexible parameter selection to accommodate varying security levels. We also utilize a public matrix to generate identity vectors for each group member. This approach reduces the number of public matrices required for identity verification to just two, thereby significantly minimizing both public and private key sizes. Furthermore, the ML-GS scheme follows a sign-hybrid-encrypt paradigm, with its design centered around the FIPS 204 signature scheme, Dilithium [9]. We employ a dual-Dilithium signature mechanism to enhance efficiency and reduce the overall signature size. This construction guarantees that, when a valid signature is opened, the algorithm cannot reveal the identity of any signer other than the actual one. To ensure correct identity opening, the identity vectors of group members are encrypted using the K-PKE encryption scheme from FIPS 203 [8]. The resulting ciphertext is partially reused to derive randomness in the local signature generation process, while certain components of the local signature are embedded as plaintext in the sign -hybrid-encrypt mechanism.

Additionally, the ML-GS scheme achieves both anonymity and traceability in the Random Oracle Model (ROM), with its security grounded on the Module Learning With Errors (MLWE) and Module Short Integer Solution (MSIS) assumptions. Finally, we compare ML-GS scheme with a GS scheme [12] proposed at Eurocrypt 2022. The results show that our scheme achieves a 6% reduction in public key size and an 80% reduction in signature size, at the cost of a 16% increase in each member’s signing key size.

1.2

Related Work

In 2010, Gordon et al. [13] were the first to introduce a lattice-based GS scheme, constructed using non-interactive zero-knowledge (NIZK) proofs. While theoretically significant, their scheme suffered from impractically large signature sizes. In 2013, Laguillaumie et al. [14] proposed an improved scheme that reduced the signature size to a logarithmic scale relative to the number of group members. In 2015, Ling et al. [15] presented a GS scheme based on ideal lattices, which significantly reduced key and signature sizes by transitioning to a ring-based setting. In 2018, Ling et al. [16] introduced a constant-size GS scheme using the “constrained guessing” technique [17] to address the issue of linearly growing signature sizes. However, this scheme required overly large parameters and suffered from completeness issues in its NIZK component. NIZK remains a foundational technique in many lattice-based GS schemes [18–21]. In 2019, Katsumata et al. [22] proposed a GS scheme in the standard model, eliminating the need for NIZK proofs of group membership during signature verification. In 2024, Tang et al. [23] proposed an event-oriented linkable GS scheme that uses a linking algorithm to detect multiple signatures from the same signer, thereby preventing malicious abuse. In 2025, Zhang et al. [24] creatively combined the Chinese Remainder Theorem and the trapdoor sampling inverse transformation algorithm based on the GKV scheme [13] to design a new lattice-based group signature scheme, which ensures privacy protection for medical data in the medical field. In recent years, a growing number of GS schemes have been proposed and applied across a wide range of scenarios [25–29].

From the development trajectory of lattice-based group signatures outlined above, we can summarize that group signature schemes are typically constructed from multiple cryptographic components: a signature scheme is used to issue private keys to group members, zero-knowledge proofs ensure the anonymity of identities, and a lattice-based encryption scheme guarantees the traceability of signatures. In recent years, the continuous proposal of lattice-based signature schemes [30, 31] has also led to the ongoing optimization of key issuance in group signatures. In ML-GS, we use the [32] scheme to issue private keys to users. Instead of using zero-knowledge proofs to ensure member anonymity, we employ a dual Dilithium signature architecture. Simultaneously, the continuous advancements in lattice-based encryption schemes [33] also ensure the traceability of the ML-GS scheme.

The remainder of this paper is organized as follows: In Section 2, we present the basic notation and relevant algorithms. In Section 3, we introduce the definition and security model of group signatures. In Section 4, we describe the construction of the ML-GS scheme. In Section 5, we provide a security analysis of the ML-GS scheme. In Section 6, we analyze the efficiency of ML-GS and present comparative experiments. Finally, Section 7 concludes the paper.

2

Preliminaries

2.1

Definition of Symbols

The notations used in this paper are described in Table 1.

Table 1.

Notation Definition

Notations	Description
$Z_{q}^{n}$ Z_q^n	n-dimensional vector over modulo q
$Z_{q}^{n \times m}$ Z_q^{n \times m}	n × m matrix over modulo q
R	polynomial Z[[x] / (x^d + 1)
R_q	quotient ring Z[_q[x] / (x^d + 1)
x ← D	x is sampled from the distribution D
∥a∥	$\sqrt{\sum a_{i}^{2}}$ \sqrt {\sum {a_i^2} }
∥a∥_∞	$\max_{j} \| a_{j} \|$ \mathop {\max }\limits_j \left\| {{a_j}} \right\|
∥w∥	$\sqrt{\sum {‖ w_{i} ‖}^{2}}$ \sqrt {\sum {{{\left\\| {{w_i}} \right\\|}^2}} } , where w = (w₀, …., w)∈ R^k
∥w∥_∞	$\max_{j} {‖ w_{j} ‖}_{\infty}$ \mathop {\max }\limits_j {\left\\| {{w_j}} \right\\|_\infty }, where w = (w₀, …., w_k) ∈ R^k
⊥	the algorithm outputs fail
negl(λ)	a non-negligible function about λ
B	the set of integers representable by a single byte, i.e., {0,1,…,255}

2.2

Hardness Assumption

Definition 1

(MLWE_m,n,x problem[34]. Set distribution, χ = {a ∈ R,∥a∥_∞ ≤ 1}, select a matrix $A \in R_{q}^{m \times n}$ {\bf{A}} \in {\rm{R}}_q^{m \times n} and a distributions (s, e) ← χⁿ × χ^m chosen from χ, the MLWE_q,m,n problem is to distinguish between m samples drawn from (A, As + e) and $(A, b) \leftarrow R_{q}^{m \times n} \times R_{q}^{m}$ ({\bf{A}},{\bf{b}}) \leftarrow {\rm{R}}_q^{m \times n} \times {\rm{R}}_q^m.

Definition 2

(MSIS_n,m,β problem[34]). Select a matrix $A \in R_{q}^{n \times m}$ {\bf{A}} \in {\rm{R}}_q^{n \times m}, find a vector z ∈ R^m such that Az = 0 and 0 ≤∥z∥≤ β.

Lemma 1

[35]. For any standard deviation σ > 0 and positive integer k, the following formula holds:

1)
Pr[x ← D_σ :|x|> kσ] ≤ 2e^−k²/2.
2)
$\Pr [x \leftarrow D_{σ}^{n} : ‖ x ‖ > \sqrt{2 n} \cdot σ] < 2^{- n / 4}$ \Pr \left[ {x \leftarrow D_\sigma ^n:x > \sqrt {2n} \;\cdot\;\sigma } \right] < {2^{ - n/4}}.

The rejection sampling algorithm is illustrated in Figure 2. Next, we present a crucial lemma regarding rejection sampling, which ensures that the response values in our zero-knowledge protocol do not reveal any sensitive information.

Lemma 2

[36]. Given a probability distribution h : V ← [0,1], where $V = {\vec{v} \in R^{n}, ‖ \vec{v} ‖ < T}$ V = \left\{ {\overrightarrow {\bf{v}} \in {{\rm{R}}^n},\overrightarrow {\bf{v}} < T} \right\}. Let v ← h, $y \leftarrow D_{ς}^{n}$ {\bf{y}} \leftarrow D_\varsigma ^n and z = y + v. Then the probability that Rej(z, v, ξ) outputs b = 1 is within 1/3 + 2⁻¹⁰⁰, and when b = 1, the statistical distance between the distribution of z and $D_{ς}^{n}$ D_\varsigma ^n is within 2⁻¹⁰⁰.

2.3

Trapdoor Sampling Technique on Module Lattices

To issue signing keys to group members, a trapdoor sampling algorithm is used to sample short vectors. In 2021, Bert et al. [32] proposed an efficient preimage sampling technique on module lattices, which exhibits high modularity. Depending on the modularity and specific requirements of different schemes, the operations on R_q can be easily adjusted. Based on this, we introduce two algorithms.

Given a tool vector $g^{T} = [\begin{array}{l} 1 & b & b^{2} & \dots & b^{k - 1} \end{array}]$ {g^T} = \left[ {\matrix{ 1 \hfill & b \hfill & {{b^2}} \hfill & \ldots \hfill & {{b^{k - 1}}} \hfill \cr } } \right], where k = log_bq. In the modular setting, we can construct a matrix $G = I_{d} \otimes g^{T} = [\begin{array}{l} g^{T} \\ g^{T} \\ ⋱ \\ g^{T} \end{array}] \in R^{d \times d k^{,}}$ {\bf{G}} = {{\bf{I}}_d} \otimes {{\bf{g}}^T} = \left[ {\matrix{ {{{\bf{g}}^T}} \hfill & {} \hfill & {} \hfill & {} \hfill \cr {} \hfill & {{{\bf{g}}^T}} \hfill & {} \hfill & {} \hfill \cr {} \hfill & {} \hfill & \ddots \hfill & {} \hfill \cr {} \hfill & {} \hfill & {} \hfill & {{{\bf{g}}^T}} \hfill \cr } } \right] \in {{\rm{R}}^{d \times d{k^,}}} and G-lattice $Λ_{q}^{⊥} (g^{T}) \in R_{q}^{d k}$ \Lambda _q^ \bot \left( {{{\bf{g}}^T}} \right) \in {\rm{R}}_q^{dk}. After introducing the G-lattice, we have the following lemma.

Lemma 3.

Let q, d be positive integers, $H \in R_{q}^{d \times d}$ {\bf{H}} \in {\rm{R}}_q^{d \times d}, and σ be a Gaussian parameter. There exists a polynomial - time algorithm (PPT) TrapGen(H, η) that outputs a random matrix A ∈ R^d×m and a matrix T ∈ R^m×m, where T is a trapdoor with label H.

Lemma 4.

Let T ∈ R^2d×dk be the trapdoor of matrix A ∈ R^d×m, where $H \in R_{q}^{d \times d}$ {\bf{H}} \in {\rm{R}}_q^{d \times d} is the label of T. Given a vector $u \in R_{q}^{d}$ {\bf{u}} \in R_q^d and a Gaussian parameter α. Then there exists a PPT algorithm SamplePre(A, T, H, u, η) that outputs a vector x, whose distribution is statistically close to $D_{Λ_{q}^{u} (A), η}$ {D_{\Lambda _q^u(A),\eta }}.

Lemma 5.

Let n,q,k,m,η are the parameters set in the scheme, and m = d(k + 2), then SamplePre(A, T_A, u, η) algorithm output s satisfies As = u. Under the MSIS_n,k,m,q,β assumption (where $β = 2 η \sqrt{m n}$ \beta = 2\eta \sqrt {mn} ), it holds that $‖ s ‖ \leq 2 η \sqrt{m n}$ {\bf{s}} \le 2\eta \sqrt {mn} .

2.4

K-PKE Encryption Scheme

The FIPS 203 standard's key encapsulation protocol [8] is centered around an encryption scheme based on the MLWE problem. This standard provides a public-key encryption scheme, K-PKE, that is secure under CPA (Chosen Plaintext Attack). In our design of ML-GS, we will use K-PKE to encrypt group members' identity information, and the encrypted result will serve as a commitment value as part of the signature generation process.

K-PKE consists of three components: K-PKE.KeyGen, K-PKE.Encrypt and K-PKE.Decrypt. Below, we briefly describe these three algorithms according to the requirements of our scheme.

K – PKE.KeyGen(): The algorithm samples two vectors s and e from a binomial distribution and generates a matrix a from a uniform distribution. It computes the public key key ek_PKE = (a,b), where $b = {NTT}^{- 1} \hat{(a \circ \hat{s})} + e$ {\bf{b}} = {{\mathop{\rm NTT}\nolimits} ^{ - 1}}\widehat {({\bf{a}}\; \circ \;\widehat {\bf{s}})} + {\bf{e}}, the private key dk_PKE = s, and outputs (ek_PKE, dk_PKE).

K – PKE.Encrypt(ek_PKE,m,r): The algorithm takes a public key ek_PKE, a message m, and a random bit seed r, and randomly selects a vector r, e₁, e₂ from a binomial distribution. It then computes, $u = {NTT}^{- 1} \hat{(a \circ \hat{r})} + e_{1} v = {NTT}^{- 1} (\hat{b} \circ \hat{r}) + e_{2} + m$ u = {{\mathop{\rm NTT}\nolimits} ^{ - 1}}\widehat {({\bf{a}} \circ \widehat {\bf{r}})} + {{\bf{e}}_1}\quad v = {{\mathop{\rm NTT}\nolimits} ^{ - 1}}(\widehat {\bf{b}} \circ \widehat {\bf{r}}) + {{\bf{e}}_2} + m, and outputs the ciphertext ct = (u, v).

K-PKE.Decrypt(dk_PKE, ct): The algorithm takes a private key dk_PKE, a ciphertext ct, computes $m = (v - {NTT}^{- 1} (\hat{s} \circ \hat{u}))$ m = \left( {v - {{{\mathop{\rm NTT}\nolimits} }^{ - 1}}(\hat s \circ \hat u)} \right) and outputs the plaintext m.

3

Definition of Group Signature and Security Model

3.1

Definition of Group Signature

In this section, the proposed ML-GS scheme follows the fundamental definition of group signatures introduced by Bellare et al. [37].

Definition 3 (ML-GS).

An ML-GS scheme consists of the following five PPT algorithms.

ML-GS.Setup(1^λ): Given a security parameter λ, the algorithm outputs a group public key gpk, a group trapdoor key gmk, a tracing key gtk for the group manager, and an empty registration list ^reg.
ML – GS.KeyGen(gpk, gmk, i, reg): Given the gpk, gmk, a member's identity i, and the registration list reg, the algorithm outputs the member’s signing key sk_i.
ML – GS.Sign(gpk, sk_i, M): Given the gpk, sk_i, and a message M, the algorithm outputs a signature σ.
ML – GS.Verify(gpk, M, σ): Given the gpk, M and a signature σ, the algorithm outputs “Valid” if the signature is valid; otherwise, it outputs “Invalid”.
ML – GS.Open(gpk, gtk, M, σ, reg): Given the gpk, gtk, M, σ and the registration list reg, the algorithm outputs a member index i ∈ [N] or ⊥.

3.2

Correctness

Verification correctness: $\Pr [0 \leftarrow ML - GS . Verify (g p k, M, σ) | \begin{matrix} g p k, g m k, g t k \leftarrow ML - GS . Setup (1^{λ}) \\ s k_{i} \leftarrow ML - GS . Key Gen (g p k, g m k, i) \\ σ \leftarrow ML - GS . Sign (g p k, s k_{i}, M) \end{matrix}] \leq n e g l (n) .$ \Pr {\mkern 1mu} \left[ {0 \leftarrow {\rm{ML}} - {\rm{GS}}.{\mathop{\rm Verify}\nolimits} (gpk,M,\sigma )\left| {\matrix{ {gpk,gmk,gtk \leftarrow {\rm{ML}} - {\rm{GS}}.{\mathop{\rm Setup}\nolimits} \left( {{1^\lambda }} \right)} \cr {s{k_i} \leftarrow {\rm{ML}} - {\rm{GS}}.{\mathop{\rm Key}\nolimits} {\mathop{\rm Gen}\nolimits} (gpk,gmk,i)} \cr {\sigma \leftarrow {\rm{ML}} - {\rm{GS}}.{\mathop{\rm Sign}\nolimits} \left( {gpk,s{k_i},M} \right)} \cr } } \right.} \right] \le negl(n).

Opening correctness: $\Pr [⊥ \leftarrow ML-GS .Open (g p k, g t k, M, σ, r e g) | \begin{matrix} g p k, g m k, g t k, r e g \leftarrow ML-GS .Setup (1^{λ}) \\ s k_{i} \leftarrow ML-GS .KeyGen (g p k, g m k, i, r e g) \\ σ \leftarrow ML-GS .Sign (g p k, s k_{i}, M) \\ 1 \leftarrow ML-GS .Verify (g p k, M, σ) \end{matrix}] \leq n e g l (n) .$ \Pr \left[ { \bot \leftarrow {\rm{ ML - GS}}{\rm{.Open }}(gpk,gtk,M,\sigma ,reg)\left| {\matrix{ {gpk,gmk,gtk,reg \leftarrow {\rm{ ML - GS}}{\rm{.Setup }}\left( {{1^\lambda }} \right)} \cr {s{k_i} \leftarrow {\rm{ ML - GS}}{\rm{.KeyGen }}(gpk,gmk,i,reg)} \cr {\sigma \leftarrow {\rm{ ML - GS}}{\rm{.Sign }}\left( {gpk,s{k_i},M} \right)} \cr {1 \leftarrow {\rm{ ML - GS}}{\rm{.Verify }}(gpk,M,\sigma )} \cr } } \right.} \right] \le negl(n).

The group signature scheme should guarantee the message reliability. The ML-GS scheme satisfies the message authentication requirements by ensuring that only legitimate group members can generate valid signatures through the modular lattice assumptions and the FIPS 204 standard signature structure, and that any attempts to forge signatures are equivalent to solving the MLWE/MSIS problem. The validity of a signature can be publicly verified, but only the signer can generate a legitimate signature for the corresponding message (integrity and authenticity are guaranteed).

3.3

Security Model

The security requirements of GS scheme vary depending on different application scenarios. According to the summary by Bellare et al. [37], the two most fundamental security properties of group signatures are anonymity and traceability. Anonymity ensures that the identity of the actual signer is indistinguishable to external observers. ML-GS guarantees that the verification of a valid signature does not reveal the signer’s identity. In our scheme, the identity vector of the group member is concealed during the signing process using K-PKE encryption standardized in FIPS 203. Combined with a dual-Dilithium mechanism and random masking, we construct a "sign-hybrid-encrypt" structure. Traceability allows the group manager to reveal the identity of the signer when necessary, ensuring that the signer cannot deny their signing behavior. Our design guarantees traceability: any attack aiming to break traceability is shown to be as hard as solving the underlying MSIS problem. In our security proof, we demonstrate that, assuming the hardness of MSIS, no adversary can forge a valid signature and falsely attribute it to another group member.

We first introduce three random oracles.

O_corrupt(i) Given a member's identity i, returns a signing key sk_i.
_sign(i,M): Given a member's identity i and a message M, returns a signature σ ← ML – GS. Sign(gpk, sk_i, M).
OP(M, σ): Given a message M and a signature σ, if the signature is the correct signature of the member for the message M, returns the identity i; otherwise, it returns ⊥.

Definition 4 (Anonymity).

The ML-GS scheme achieves anonymity if no adversary can identify the actual signer of a valid group signature. Specifically, the scheme is said to satisfy anonymity if every adversary's advantage in the corresponding security game (see Figure 3) remains negligible.

Definition 5 (Traceability).

Traceability guarantees that, even in the presence of collusion among group members and with access to the group manager’s tracing key, the adversary cannot forge a signature that resists correct attribution. The ML-GS scheme satisfies this property if the adversary's advantage in the traceability game (see Figure 4) is negligible.

4

ML-GS Scheme

4.1

ML-GS Setup

The setup algorithm ML-GS.Setup takes the security parameter λ as input. First, it invokes the trapdoor generation algorithm TrapGen to generate a matrix A and its corresponding trapdoor T_A, preparing for the issuance of signing keys to the group members.

The algorithm K-PKE.KeyGen generate an encrypted public-private key pair (ek_PKE, dk_PKE)‥ This step ensures that during the signature generation phase, the signer's identity is correctly encrypted, and during the opening phase, the signer's identity is correctly decrypted using the private key.

A random seed ζ is selected and expanded using an XOF function (such as SHAKE-256, denoted as H in this paper) to generate additional random values. Specifically:

1)
A 64-byte public key random seed ρ. It can be used to randomly sample a polynomial vector u and a polynomial matrix B from ExpandPK algorithm.
2)
A 32-byte private key random seed ρ′‥ It can be used to sample and generate the signing key for the member during the key generation phase.

Finally, the registration list reg is initialized as empty. The setup algorithm is shown in Algorithm 1.

Algorithm 1 ML–GS.Setup(1^λ)

$(A, T_{A}) \in R_{q}^{k \times l} \times R_{q}^{l \times l} \leftarrow TrapGen (k, l, q)$ \left( {{\bf{A}},{{\bf{T}}_A}} \right) \in {\rm{R}}_q^{k \times l} \times {\rm{R}}_q^{l \times l} \leftarrow {\mathop{\rm TrapGen}\nolimits} (k,l,q)
(ek_PKE = (a, b), dk_PKE = s) ← K-PKE.KeyGen()
ζ ← B³²
ρ, ρ' ∈ B⁶⁴ × B³² ← H(ζ)
$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\rm{ ExpandPK}}(\rho )
reg = {}
return gpk = (ρ, A, a, b), gmk = (<′, T_A), gtk = s, reg = {}

4.2

ML-GS Key Generation

The key generation algorithm ML-GS.KeyGen takes gpk, gmk, the identity i of the member and the registration list reg as inputs. First, the private key random seed ρ'. is expanded into a polynomial vector $x_{i} \in S_{η}^{k}$ {x_i} \in S_\eta ^k through the ExpandS algorithm, which is taken as part of the member's signing key. Then, calculate the public identity vector g_i = Bx_i, and another part of the signing key, s_i, ‘is output through the trapdoor sampling algorithm Sample(A, T_A, u – g_i, η). Finally, the identity vector g_i is added to the registration list and output member i's signing key gsk_i = (x_i, s_i) The key generation algorithm is shown in Algorithm 2.

Algorithm 2 ML-GS.KeyGen(gpk, gmk, i, reg)

$x_{i} \in S_{η}^{k} \leftarrow ExpandS (ρ^{'})$ {x_i} \in S_\eta ^k \leftarrow {\mathop{\rm ExpandS}\nolimits} \left( {{\rho ^\prime }} \right)
$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\mathop{\rm ExpandPK}\nolimits} (\rho )
g_i = Bx_i
$s_{i} \in R_{q}^{l \times 1} \leftarrow SamplePre (A, T_{A}, u - g_{i}, η)$ {{\bf{s}}_i} \in {\rm{R}}_q^{l \times 1} \leftarrow {\mathop{\rm SamplePre}\nolimits} \left( {{\bf{A}},{{\bf{T}}_A},{\bf{u}} - {{\bf{g}}_i},\eta } \right)
reg ← reg ∪ {g_i}
return gsk_i = (x_i, s_i)

4.3

ML-GS Signing

The signing algorithm ML-GS.Sign takes gpk, sk_i and M as input. First, the public key random seed ρ is used to expand the public parameters u, B through the ExpandPK algorithm, and then the identity vector g_i is computed. Before signing the message, it is concatenated with seed ρ to produce a 64-byte message representation μ.

Signing algorithm consists of rejection sampling loop and an encryption. The specific steps are as follows:

To obtain the signature, the signing algorithm first encrypts the member's identity vector g_i using the encryption algorithm of K-PKE. It then selects two vectors y₁, y₂ from a Gaussian distribution $D_{γ_{1}}^{k}$ D_{{\gamma _1}}^k computes the commitment (w₁, w₂), and uses the message representation μ and the ciphertext of g_i to generate challenge values ${\tilde{c}}_{1}, {\tilde{c}}_{2}$ {{\tilde c}_1},{{\tilde c}_2}. Finally, the signature algorithm generates the final challenge value $\tilde{c}$ {\tilde c} by combining the ciphertext value of ${\tilde{c}}_{1}$ {{\tilde c}_1}, and ${\tilde{c}}_{2}$ {{\tilde c}_2} using the hash function H, and produces the final signature value through the rejection sampling algorithm. The final signature σ contains the challenge value ${\tilde{c}}_{2}$ {{\tilde c}_2}, all ciphertext information, and the response value z₁, z₂. The signing algorithm is shown in Algorithm 3.

Algorithm 3 ML-GS.Sign(gpk, sk_i, M)

$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\rm{ ExpandPK }}(\rho )
g_i = Bx_i
μ ← H(ρ∥M)
(z₁, z₂) = ⊥
while (z₁, z₂) = ⊥ do
r, r′ ← B⁶⁴
ct₁ ← K-PKE.Encrypt(a, b, g_i, r)
$y_{1}, y_{2} \leftarrow D_{γ_{1}}^{k} \times D_{γ_{1}}^{l}$ {{\bf{y}}_1},{{\bf{y}}_2} \leftarrow D_{{\gamma _1}}^k \times D_{{\gamma _1}}^l
(w₁, w₂) = (By₁, By₁ + Ay₂)
${\tilde{c}}_{1} \leftarrow H (μ ‖ w_{1} ‖ c t_{1})$ {{\tilde c}_1} \leftarrow H\left( {\mu \left\| {\;{{\bf{w}}_1}\;} \right\|\;c{t_1}} \right)
${\tilde{c}}_{2} \leftarrow H (μ ‖ w_{2} ‖ c t_{1})$ {{\tilde c}_2} \leftarrow H\left( {\mu \left\| {\;{{\bf{w}}_2}\;} \right\|\;c{t_1}} \right)
$c t_{2} \leftarrow K-PKE .Encrypt (a, b, {\tilde{c}}_{1}, r^{'})$ c{t_2} \leftarrow {\rm{ K - PKE}}{\rm{.Encrypt }}\left( {{\bf{a}},{\bf{b}},{{\tilde c}_1},{r^\prime }} \right)
$\tilde{c} \leftarrow H ({\tilde{c}}_{2} ‖ c t_{2})$ \tilde c \leftarrow H\left( {{{\tilde c}_2}c{t_2}} \right)
$c \leftarrow SampleInBall (\tilde{c})$ c \leftarrow {\rm{ SampleInBall }}(\tilde c)
(Z₁, z₂) = (y + cx_i, y₂ + cs
if Rej(z₁, cx_i, γ₁) = 0 or Rej(z₂, cs_i, γ₁) = 0, then (z₁, z₂) = ⊥
$r e t u r n σ = ({\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2})$ {\bf{return}}{\rm{ }}\sigma = \left( {{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right)

4.4

ML-GS Verifying

The verification algorithm ML-GS.Verify takes the group public key gpk, a message M, and a signature σ as input. First, the public key random seed ρ is used to expand the public parameters u, B through the ExpandPK algorithm, and then the hash ρ and message M into a 64-byte message representation μ. Next, the challenge value ${\tilde{c}}_{2}$ {{\tilde c}_2} from the signature part and the ciphertext ct₂ are used to obtain the challenge value ${\tilde{c}}_{2}$ {{\tilde c}_2}. Finally, the verification algorithm checks the validity of z₁, z₂ and verifies whether the reconstructed value $w_{2}^{'}$ {\bf{w}}_2^\prime matches the signer's commitment hash ${\tilde{c}}_{2}$ {{\tilde c}_2}. The verification algorithm is shown in Algorithm 4.

Algorithm 4 ML-GS.Verify(gpk, M,σ)

$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\rm{ ExpandPK }}(\rho )
μ ← H(ρ∥M)
$\tilde{c} = H ({\tilde{c}}_{2} ‖ c t_{2})$ \tilde c = {\rm{H}}\left( {{{\tilde c}_2}c{t_2}} \right)
$c = SampleInBall (\tilde{c})$ c = {\rm{ SampleInBall }}(\tilde c)
$w_{2}^{'} = B z_{1} + A z_{2} - u c$ {\bf{w}}_2^\prime = {\bf{B}}{z_1} + {\bf{A}}{z_2} - {\bf{u}}c
if ∥z₁∥_∞≤ B and ∥z₂∥_∞≤B and ${\tilde{c}}_{2} = H (μ ‖ w_{2}^{'} ‖ c t_{1})$ {{\tilde c}_2} = H\left( {\mu \left\| {\;{\bf{w}}_2^\prime \;} \right\|c{t_1}} \right) then
return "Valid
else
return "Invalid"

4.5

ML-GS Opening

The opening algorithm ML-GS.Open takes gpk, the tracing key gtk, a message M, a signature σ, and the registration list reg as input. First, as in the verification algorithm, it reconstructs u, B, μ, $\tilde{c}$ {\tilde c}. Then, using the decryption algorithm of the K-PKE scheme and the tracing key s, it recovers the identity vector g_i and ${\tilde{c}}_{1}$ {{\tilde c}_1}. If g_i ∈ reg and ${\tilde{c}}_{1} = H (μ ‖ B z_{1} - g_{i} c ‖ c t_{1})$ {{\tilde c}_1} = H\left( {\mu \left\| {{\bf{B}}{z_1} - {{\bf{g}}_i}c} \right\|c{t_1}} \right), the algorithm returns the identity i; otherwise, it returns ⊥. The open algorithm is shown in Algorithm 5.

Algorithm 5 ML-GS.Open(gpk, gtk, M, σ, reg)

$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\rm{ ExpandPK }}(\rho )
μ ← H(ρ∥M)
$\tilde{c} \leftarrow H ({\tilde{c}}_{2} ‖ \tilde{c} t_{2})$ \tilde c \leftarrow H\left( {{{\tilde c}_2}\tilde c{t_2}} \right)
$c = SampleInBall (\tilde{c})$ c = {\rm{ SampleInBall }}(\widetilde {\rm{c}})
g_i = K-PKE.Decrypt(s, ct₁)
${\tilde{c}}_{1} = K-PKE . Decrypt (s, c t_{2})$ {{\tilde c}_1} = {\rm{ K - PKE}}{\rm{.}}{\mathop{\rm Decrypt}\nolimits} \left( {{\bf{s}},c{t_2}} \right)
if ${\tilde{c}}_{1} = H (μ ‖ B z_{1} - g_{i} c ‖ c t_{1})$ {{\tilde c}_1} = H\left( {\mu \left\| {{\bf{B}}{z_1} - {{\bf{g}}_i}c\;} \right\|c{t_1}} \right) and g_i ∈ reg then
return i
else
return ⊥

4.6

Correctness Analysis

In this section, we prove the correctness of the ML - GS scheme, mainly including the verification correctness and the opening correctness. Suppose the signature $σ = ({\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2})$ \sigma = \left( {{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right) is a valid signature generated by a group member for the message M under the group public key gpk = (ρ, A, a, b).

1)Verification correctness

The verifier first recovers the public key (u, B), the hash value μ of the message M, and the challenge $\tilde{c}$ {\tilde c}, and calculates the commitment $w_{2}^{'}$ {\bf{w}}_2^\prime . If all coefficients of \z₁, z₂ are less than γ₁ – β, and the commitment $w_{2}^{'}$ {\bf{w}}_2^\prime , and the ciphertext ct₁ is equal to $\tilde{c}$ {\tilde c}, then the signature is accepted. Next, we will provide the proofs for these two parts of verification passing.

a) ${‖ z_{1} ‖}_{\infty} \leq γ_{1} - β \land {‖ z_{2} ‖}_{\infty} \leq γ_{1} - β$ {\left\| {{{\bf{z}}_1}} \right\|_\infty } \le {\gamma _1} - \beta \wedge {\left\| {{{\bf{z}}_2}} \right\|_\infty } \le {\gamma _1} - \beta

During the signature stage, according to step 16 of the signature algorithm procedure, if any coefficient of z₁, z₂ are greater than γ₁ – β, it will lead to the failure of the rejection sampling output, and recalculation will be done with the new masking vector y_i. Therefore, the correct signatures output by the signature algorithm procedure will all satisfy $‖ z ‖_{\infty} \leq γ_{1} - β$ {\bf{z}}{_\infty } \le {\gamma _1} - \beta .

b) ${\tilde{c}}_{2} = H (μ ‖ w_{2}^{'} ‖ c t_{1})$ {{\tilde c}_2} = H\left( {\mu \left\| {{\bf{w}}_2^\prime } \right\|c{t_1}} \right)

First, according to step 5 of the verification algorithm, we have $w_{2}^{'} = B z_{1} + A z_{2} - u c$ {\bf{w}}_2^\prime = {\bf{B}}{{\bf{z}}_1} + {\bf{A}}{{\bf{z}}_2} - {\bf{uc}}. Since z₁ = y₁ + cx_i, z₂ = y₂ + cs_i,1, we can obtain: 1 $\begin{array}{l} w_{2}^{'} = B z_{1} + A z_{2} - u c \\ = B (y_{1} + c x_{i}) + A (y_{2} + c s_{i}) - u c \\ = B y_{1} + A y_{2} + B c x_{i} + A c s_{i} - u c \end{array}$ \matrix{ {{\bf{w}}_2^\prime = {\bf{B}}{{\bf{z}}_1} + {\bf{A}}{{\bf{z}}_2} - {\bf{uc}}} \hfill \cr { = {\bf{B}}\left( {{{\bf{y}}_1} + c{{\bf{x}}_i}} \right) + {\bf{A}}\left( {{{\bf{y}}_2} + c{{\bf{s}}_i}} \right) - {\bf{u}}c} \hfill \cr { = {\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2} + {\bf{B}}c{{\bf{x}}_i} + {\bf{A}}c{{\bf{s}}_i} - {\bf{u}}c} \hfill \cr }

Then, according to steps 3 and 7 of the key generation algorithm, we know that: g_i = Bx_i, As_i = u – g_i. Combining with formula (1), we can get: 2 $\begin{array}{l} w_{2}^{'} = B y_{1} + A y_{2} + B c x_{i} + A c s_{i} - u c \\ = B y_{1} + A y_{2} + g_{i} c + A s_{i} c - (A s_{i} + g_{i}) c \\ = B y_{1} + A y_{2} + g_{i} c - g_{i} c \end{array}$ \matrix{ {{\bf{w}}_2^\prime = {\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2} + {\bf{B}}c{{\bf{x}}_i} + {\bf{A}}c{{\bf{s}}_i} - {\bf{u}}c} \hfill \cr { = {\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2} + {{\bf{g}}_i}c + {\bf{A}}{{\bf{s}}_i}c - \left( {{\bf{A}}{{\bf{s}}_i} + {{\bf{g}}_i}} \right)c} \hfill \cr { = {\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2} + {{\bf{g}}_i}c - {{\bf{g}}_i}c} \hfill \cr } we can get: $w_{2}^{'} = B y_{1} + A y_{2} = w_{2}$ {\bf{w}}_2^\prime = {\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2} = {{\bf{w}}_2}.

2) Therefore, we can obtain ${\tilde{c}}_{2} = H (μ ‖ w_{2} ‖ c t_{1}) = H (μ ‖ w_{2}^{'} ‖ c t_{1})$ {{\tilde c}_2} = H\left( {\mu \left\| {{{\bf{w}}_2}} \right\|c{t_1}} \right) = H\left( {\mu \left\| {{\bf{w}}_2^\prime } \right\|c{t_1}} \right).

Opening correctness

Based on the security guarantees of the Kyber encryption algorithm specified in FIPS 203 [8], the K-PKE.Decrypt algorithm can recover the identity matrix g_i and the challenge value ${\tilde{c}}_{1}$ {{\tilde c}_1} with overwhelming probability. If the signature was generated by a legitimate group member and is valid, then the identity vector satisfies g_i ∈ reg according to the registration table. Moreover, from Step 10 of the signing algorithm, we obtain w₁ = By₁ = Bz₁ – g_ic and ${\tilde{c}}_{1} = H (μ ‖ B z_{1} - g_{i} c ‖ c t_{1})$ {{\tilde c}_1} = H\left( {\mu \left\| {{\bf{B}}{{\bf{z}}_1} - {{\bf{g}}_i}c} \right\|c{t_1}} \right). Therefore, the opening correctness of the ML-GS scheme is ensured.

5

Security Analysis

To prove that the ML-GS scheme satisfies anonymity, we first construct a simulator algorithm. If an adversary A is able to break the anonymity of a signature generated by the simulator, then there exists a challenger B that can extract a solution to the M-LWE problem. The simulator algorithm is shown in Algorithm 6.

Algorithm 6 Sign_Simulator(gpk, i, M)

$(u, B) \in R_{q}^{k} \times R_{q}^{k \times k} \leftarrow ExpandPK (ρ)$ ({\bf{u}},{\bf{B}}) \in {\rm{R}}_q^k \times {\rm{R}}_q^{k \times k} \leftarrow {\rm{ ExpandPK }}(\rho )
g_i = Bx_i
μ ← H(ρ∥M)
r, r’ ← B⁶⁴
ct₁ ← K-PKE.Encrypt(a, b, g_i, r)
$y_{1}, y_{2} \leftarrow D_{γ_{1}}^{k} \times D_{γ_{1}}^{l}$ {{\bf{y}}_1},{{\bf{y}}_2} \leftarrow D_{{\gamma _1}}^k \times D_{{\gamma _1}}^l
${\tilde{c}}_{1} \leftarrow B^{32}$ {{\tilde c}_1} \leftarrow {{\rm{B}}^{32}}
${\tilde{c}}_{2} \leftarrow B^{32}$ {{\tilde c}_2} \leftarrow {{\rm{B}}^{32}}
$c t_{2} \leftarrow K-PKE .Encrypt (a, b, {\tilde{c}}_{1}, r^{'})$ c{t_2} \leftarrow {\rm{ K - PKE}}{\rm{.Encrypt }}\left( {{\bf{a}},{\bf{b}},{{\tilde c}_1},{r^\prime }} \right)
$\tilde{c} \leftarrow H ({\tilde{c}}_{2} ‖ c t_{2})$ \tilde c \leftarrow H\left( {{{\tilde c}_2}c{t_2}} \right)
$c \leftarrow SampleInBall (\tilde{c})$ c \leftarrow {\rm{SampleInBall}}(\tilde c)
$z_{1} \leftarrow D_{γ_{1}}^{k}$ {{\bf{z}}_1} \leftarrow D_{{\gamma _1}}^k
$z_{2} \leftarrow D_{γ_{1}}^{l}$ {{\bf{z}}_2} \leftarrow D_{{\gamma _1}}^l
(w₁, w₂) = (Bz₁ – g_ic, Bz₁ + Az₂ – uc)
if H oracle has queried about w₁ or w₂ then
Abort
else
Program ${\tilde{c}}_{1} \leftarrow H (μ ‖ w_{1} ‖ c t_{1})$ {{\tilde c}_1} \leftarrow H\left( {\mu \left\| {{{\bf{w}}_1}} \right\|c{t_1}} \right) and ${\tilde{c}}_{2} \leftarrow H (μ ‖ w_{2} ‖ c t_{1})$ {{\tilde c}_2} \leftarrow H\left( {\mu \left\| {{{\bf{w}}_2}} \right\|c{t_1}} \right)
return $σ = ({\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2})$ \sigma = \left( {{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right)

Theorem 1.

The statistical distance between the output of the ML-GS signing algorithm and that of a simulated algorithm which does not take the member's secret key as input is negligible.

Proof.

The only difference between the real signing algorithm and the simulated one lies in the generation of the response value z₁, z₂ and the challenge value ${\tilde{c}}_{1}, {\tilde{c}}_{2}$ {{\tilde c}_1},{{\tilde c}_2}. In the simulation, the challenge ${\tilde{c}}_{2}$ {{\tilde c}_2} is chosen uniformly at random, whereas in the real signing algorithm is ${\tilde{c}}_{2} = H (μ ‖ w_{2} ‖ c t_{1}) = H (μ ‖ B y_{1} + A y_{2} ‖ c t_{1})$ {{\tilde c}_2} = H\left( {\mu \left\| {{{\bf{w}}_2}} \right\|c{t_1}} \right) = H\left( {\mu \left\| {{\bf{B}}{{\bf{y}}_1} + {\bf{A}}{{\bf{y}}_2}} \right\|c{t_1}} \right), the random oracles H are programmed to respond consistently with previous queries. When the value By₁ + Ay₂ matches a previously queried value, the simulation algorithm and the real signing algorithm may behave differently. However, the probability of such a collision, denoted as 1/2^256τ, is negligible. The same reasoning applies to the proof for ${\tilde{c}}_{1}$ {{\tilde c}_1}.

In the signing algorithm, the output z₁, z₂ obtained through the rejection sampling procedure is statistically indistinguishable from a uniform sample over distribution $S_{γ_{1} - β}^{k}$ S_{{\gamma _1} - \beta }^k. Therefore, the statistical distance between the outputs of the signing algorithm and the simulation algorithm is negligible under the parameters given in this paper.

Theorem 2.

The proposed ML-GS scheme satisfies anonymity based on the hardness of the MLWE problem in ROM.

Proof.

We prove that the ML-GS scheme satisfies anonymity through a sequence of games.

Game0: The challenger B runs the setup and key generation algorithms normally, and gives the group public key gpk and the member's signing key gsk_i = (x_i, s_i). When A makes an opening query O_open(gpk, gmsk, ·), returns either i ∈ [N] or ⊥. Therefore, A selects two identities i₀, i₁ and message M to send to B. Then, B chooses a bit b ∈ {0,1} and sends the signature σ ← ML-GS.Sign(gpk, gsk_{i_b}, M) to A. Finally, A outputs a guess b′ for the signer’s identity i_b.

Game1: This game is identical to Game0, except that the signing algorithm is replaced with the simulated algorithm Sign_Simulator.

In Game1, the simulated algorithm is used to generate signatures, so the ciphertexts ct₁ and ct₂ are the only means by which the attacker can obtain information about the signer's identity, i.e., $\begin{array}{l} c t_{1} \leftarrow K-PKE .Encrypt (a, b, g_{i}, r) \\ c t_{2} \leftarrow K-PKE .Encrypt (a, b, {\tilde{c}}_{1}, r^{'}) \end{array}$ \matrix{ {c{t_1} \leftarrow {\rm{K - PKE}}{\rm{.Encrypt }}\left( {{\bf{a}},{\bf{b}},{{\bf{g}}_i},r} \right)} \hfill \cr {c{t_2} \leftarrow {\rm{K - PKE}}{\rm{.Encrypt }}\left( {{\bf{a}},{\bf{b}},{{\tilde c}_1},{r^\prime }} \right)} \hfill \cr }

Game2 : The challenger B first runs the key generation algorithm to generate an encryption key pair and sends the public key (a, b) to A. Then, A selects two random messages M₀ and M₁ and sends them to B, B randomly selects a bit b ∈ {0,1} and returns the ciphertext ct ← K-PKE.Encrypt(M₀) to A. Finally, A outputs a guess b′. According to FIPS 203 [8], the K-PKE scheme satisfies IND-CPA (indistinguishability under chosen-plaintext attacks) security. Therefore, Pr[Game2] ≤ 1/2 + negl, and we conclude that Game1 does not leak any information about the signer’s identity.

Combining the above games, we conclude that Pr[Game0] ≤ 1/2 + negl. Therefore, the ML-GS scheme satisfies anonymity.

Theorem 3.

The proposed ML-GS scheme satisfies traceability based on the hardness of the MSIS problem in ROM.

Proof.

Assume that the adversary A can break the traceability of the scheme in the game defined by Definition 5 with non-negligible probability. Then we can construct a PPT algorithm C that breaks the MSIS problem with non-negligible probability. When A queries the signing oracle Osign:

If i ≠ j, then run the honest signing algorithm and return ML-GS.Sign(gpk,sk_i, ·);
If i = j, then C runs the simulator algorithm and returns the output of the simulator algorithm σ ← ^{Sign_Simuiator.}
When the corruption oracle O_corrupt is queried about i ∈ [N]:
If i ≠ j, then C returns gsk_i;
If i = j, then C returns ⊥.
After the query phase ends, A outputs a signature $σ = ({\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2})$ \sigma = \left( {{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right).

The first case is σ is a valid signature for j. In the ROM, H(μ ∥ w₁ ∥ ct₁) and H(μ ∥ w₂ ∥ ct₁) have already been queried, and O_sign returned ${\tilde{c}}_{1}$ {{\tilde c}_1} and ${\tilde{c}}_{2}$ {{\tilde c}_2} while processing messages from A. Similarly, A can obtain another signature $σ^{'} = ({\tilde{c}}_{2}, z_{1}^{'}, z_{2}^{'}, c t_{1}^{'}, c t_{2}^{'})$ {\sigma ^\prime } = \left( {{{\tilde c}_2},{\bf{z}}_1^\prime ,{\bf{z}}_2^\prime ,ct_1^\prime ,ct_2^\prime } \right). We define $w_{1}^{'} = B z_{1}^{'} - g_{i}^{'} c$ {\bf{w}}_1^\prime = {\bf{Bz}}_1^\prime - {\bf{g}}_i^\prime c and $w_{2}^{'} = B z_{1}^{'} + A z_{2}^{'} - u c$ {\bf{w}}_2^\prime = {\bf{Bz}}_1^\prime + {\bf{Az}}_2^\prime - {\bf{u}}c, then we have: $H (μ ‖ w_{1} ‖ c t_{1}) = H (μ^{'} ‖ w_{1}^{'} ‖ c t_{1}^{'}); H (μ ‖ w_{2} ‖ c t_{1}) = H (μ^{'} ‖ w_{2}^{'} ‖ c t_{1}^{'}) .$ {\rm{H}}\left( {\mu \left\| {\;{{\bf{w}}_1}\;} \right\|\;c{t_1}} \right) = {\rm{H}}\left( {{\mu ^\prime }\left\| {\;{\bf{w}}_1^\prime \;} \right\|ct_1^\prime } \right){\rm{ ; H}}\left( {\mu \left\| {\;{{\bf{w}}_2}\;} \right\|c{t_1}} \right) = {\rm{H}}\left( {{\mu ^\prime }\left\| {\;{\bf{w}}_2^\prime \;} \right\|ct_1^\prime } \right).

In the ROM, we have $(μ, {\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2}) \neq ({\tilde{c}}_{2}, z_{1}^{'}, z_{2}^{'}, c t_{1}^{'}, c t_{2}^{'})$ \left( {\mu ,{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right) \ne \left( {{{\tilde c}_2},{\bf{z}}_1^\prime ,{\bf{z}}_2^\prime ,ct_1^\prime ,ct_2^\prime } \right), and the following conditions hold: $B (z_{1} - z_{1}^{'}) = 0; B (z_{1} - z_{1}^{'}) + A (z_{2}^{'} - z_{2}) = 0.$ {\bf{B}}\left( {{z_1} - z_1^\prime } \right) = 0;{\bf{B}}\left( {{z_1} - z_1^\prime } \right) + {\bf{A}}\left( {z_2^\prime - {z_2}} \right) = 0.

Since ${‖ z_{i}^{'} - z_{i} ‖}_{\infty} \leq 2 B (i \in 1, 2)$ {\left\| {{\bf{z}}_i^\prime - {{\bf{z}}_i}} \right\|_\infty } \le 2B\;(i \in 1,2), it follows that $z_{1} - z_{1}^{'}$ {{\bf{z}}_1} - {\bf{z}}_1^\prime is a solution to MSIS_n,m,β. Therefore, A cannot output a valid signature for j in the game $G a m e_{E L G S, A}^{t r a c e} (λ)$ Game_{ELGS,{\rm{A}}}^{{\rm{ }}trace }\left( \lambda \right).

Another case is when the output of the opening algorithm is ⊥. If g_i ≠ reg, then we have $B (z_{1}^{'} - z_{1}^{'}) + A (z_{2}^{'} - z_{2}^{'}) = 0$ {\bf{B}}\left( {z_1^\prime - z_1^\prime } \right) + {\bf{A}}\left( {z_2^\prime - z_2^\prime } \right) = {\bf{0}} mod q.

Alternatively, when ${\tilde{c}}_{1} \neq H (μ ‖ B z_{1} - g_{i} c ‖ c t_{1}) \land g_{i} \neq r e g$ {{\tilde c}_1} \ne H\left( {\mu \left\| {\;{\bf{B}}{{\bf{z}}_1} - {{\bf{g}}_i}c\;} \right\|c{t_1}} \right)\; \wedge \;{g_i} \ne reg, we have $B (z_{1}^{'} - z_{1}^{'}) + A (z_{2}^{'} - z_{2}^{'}) - u (c^{'} - c) = 0$ {\bf{B}}\left( {z_1^\prime - z_1^\prime } \right) + {\bf{A}}\left( {z_2^\prime - z_2^\prime } \right) - {\bf{u}}\left( {{c^\prime } - c} \right) = {\bf{0}} mod q. Like the proof in the above cases, this will break the security of the MSIS problem.

6

Auxiliary Functions

Next, we provides some subroutines used in the scheme construction presented in Section 4 (e.g., ExpandPK). These Algorithms 7 and 8 are inspired by examples from the FIPS 204 standard [9], with certain modifications made to align with the scheme proposed in this paper. For more fundamental subroutines, such as SampleInBall, please refer to the FIPS 204 standard.

Algorithm 7 ExpandPK( ρ)

Samples a k vector u and a k × k matrix B,’.

for i from 0 to k -1 do
ρ′ ← ρ ∥ IntegerToBytes(i,2)
u[i] ← RejNTTPoly(ρ′)
for i from 0 to k -1 do
for j from 0 to k -1 do
ρ′ → ρ ∥ IntegerToBytes(i, 1) ∥ IntegerToBytes(j, 1)
B[i, j] ← RejNTTPoly(ρ′)
return (u, B)

Algorithm 8 ExpandS(ρ)

Samples a vector x, each with polynomial coordinates whose coefficients are in [–η, η]

for i from 0 to k -1 do
ρ′ → ρ ∥ IntegerToBytes(i,1)
x[i] ← RejBoundedPoly(ρ′)
return x

7

Efficiency Analysis

7.1

Parameter Setting

Our proposed ML-GS scheme is constructed based on hard problems over lattices. We evaluate its security using two sets of parameters and corresponding estimations, as shown in Table 2. First, under the parameter set PARM I, and based on the estimation by enumeration [38], the ML-GS scheme achieves 96 bits post-quantum security level, which meets the Category I standard defined by the NIST. Similarly, PARM II enables our scheme to achieve 154 bit post-quantum security.

Table 2.

The Parameters for ML-GS Scheme

Parameter	Recommended Parameters
Parameter	PARM I	PARM II
q	1073738753	1073738753
Q	3329	3329
n	256	256
(k, l)	(4,4)	(6,5)
η	83832	83290
η₁	3	3
τ	39	49
$γ_{1} \geq 11 τ \sqrt{k n} η$ {\gamma _1} \ge 11\tau \sqrt {kn} \eta	≈ 2³¹	≈ 2³¹
BKZ blocksize b to break SIS	364	583
Classical security	106	170
Quantum security	96	154

7.2

Time efficiency analyzes

The main time-consuming operations in the ML-GS scheme stem from trapdoor generation and sampling algorithms over module lattices. In evaluating the computational efficiency of the ML-GS scheme, we primarily focus on operations that consume significant time, while omitting those with relatively low overhead, such as polynomial addition and hash operations. We employed the Sage Math library and conducted performance tests under a Windows 11 operating system with an AMD Ryzen 5 5600G 3.9 GHz processor. The average runtime of these time-consuming operations was measured over 1000 executions. The computation times for trapdoor generation and sampling algorithms are presented in Table 3.

Table 3.

Algorithm Notations and Execution Time (ms)

Notation	Description	Execution time
T_M–TrapGen	Trapdoor generation algorithm on module lattices	248.09
T_M–Sample	Trapdoor sampling algorithm on module lattices	31.10

We tested the setup, key generation, signing, and verification algorithms of the ML-GS scheme under two sets of security parameters, and the results are shown in Table 4.

Table 4.

The Time Cost for ML-GS Scheme

	Setup	KeyGen	Sign	Verify
PARM I	248.09	56.54	89.04	57.24
PARM II	426.40	96.12	179.67	114.48

Next, we compare our scheme with two lattice-based GS schemes: Lyubashevsky et al. introduced their scheme in 2022 [12], and Tang et al. proposed theirs in 2024 [23]. The comparison results regarding time computation overhead are shown in Table 5. Here, d denotes the number of polynomial matrix multiplications, T_M represents the total time cost of these multiplications, and T_S and T_V refer to the time required for non-interactive zero-knowledge proof generation and verification, respectively.

Table 5.

The comparison of time cost

	KeyGen	Signature	Verify	Security
[12]	T_Sample	3dT_Mul + T_S	dT_Mul + T_S	CPA-Anonymity
[23]	T_Sample	7dT_Mul + T_S	2dT_Mul + T_S	CPA-Anonymity
[ours]	T_M–Sample	5dT_Mul	3dT_Mul	CCA-Anonymity

To make the comparison results more intuitive, we conducted simulated implementations of the main time-consuming operations for both schemes and the ML-GS scheme. Figure 5 presents the specific comparison of time overhead.

As shown in Figure 5, the ML-GS scheme significantly outperforms existing solutions in all core operations. Key generation is over 75% faster, signing time is reduced by up to 69%, and verification is about 30% faster. These improvements highlight the efficiency and practicality of our scheme for real-time applications.

7.3

Storage efficiency analyzes

The sizes of the keys and signatures are calculated as follows:

Group public key. The group public key consists of a public random seed ρ, a public matrix A, and a K-PKE key pair (a, b). Therefore, its size is 32 + 32kl⌈log₂ q⌉ + 32k(k + 1)⌈log₂ Q⌉ bits.

Group trapdoor key. The group trapdoor key consists of a secret random seed ρ and a trapdoor matrix T_A. Thus, its size is 32 + 32l²⌈log₂ q⌉ bits.

Group tracing key. The group tracing key includes only the K-PKE decryption key s. Hence, its size is 32k⌈log₂ η₁⌉ bits.

Signing key. The group member's signing secret key consists of a random short vector x and a sampled short vector s. To compute the size of s, we refer to Lemma 5. Accordingly, the total size is $32 k ⌈ \log_{2} η ⌉ + 32 l ⌈ \log_{2} (2 η \sqrt{d (\log_{2} q + 2) n}) ⌉$ 32k\left\lceil {{{\log }_2}\eta } \right\rceil + 32l\left\lceil {{{\log }_2}\left( {2\eta \sqrt {d\left( {{{\log }_2}q + 2} \right)n} } \right)} \right\rceil bits.

Signature. A signature σ consists of $({\tilde{c}}_{2}, z_{1}, z_{2}, c t_{1}, c t_{2})$ \left( {{{\tilde c}_2},{{\bf{z}}_1},{{\bf{z}}_2},c{t_1},c{t_2}} \right). The total size of the signature is 32 + 32 + 32(k + l)log₂(12γ₁) + 1024k bits.

Based on the above calculations of the storage overhead for each key and signature, Figure 6 presents the communication cost of the ML-GS scheme under two parameter sets. As shown in Figure 6, the group public key incurs the largest overhead in the ML-GS scheme, reaching 22.5 KB under PARM I, followed by the group trapdoor key, which costs 15 KB. This substantial cost mainly results from the trapdoor setup and preimage sampling over lattices, which require relatively large parameter settings.

Regarding the signature size, thanks to the signature architecture adopted from FIPS 204, our scheme exhibits a unique advantage among lattice-based group signature schemes. Under the PARM I parameter set that achieves a 96-bit post-quantum security level, the signature size is only 12.75 KB.

To demonstrate the efficiency of the ML-GS scheme in terms of storage cost, we compare our scheme with scheme [12] and [23], and the comparison results are shown in Table 6. For a fair comparison, we evaluate ML-GS under PARM II, which provides the same post-quantum security level as scheme [12] and [23].

Table 6.

Comparison of Storage Cost

	Public Key Size	Secret Key Size	Signature Size
[12]	48KB	6KB	92KB
[23]	268.5KB	68.7KB	386.1KB
Ours	44.9KB	7KB	18.0KB

From Table 6, it can be seen that the public key size of our scheme is reduced by approximately 6.46% compared to scheme [12]’s 48KB, and by about 83.32% compared to scheme [23]’s 268.5KB, effectively lowering storage overhead. The secret key size is 7KB, which is slightly increased by 16.67% compared to [12], but reduced by 89.75% compared to [23]’s 68.7KB, maintaining a relatively low key burden. More notably, the signature size is only 18.0KB, representing a reduction of approximately 80.43% and 95.34% compared to the 92KB of [12] and 386.1KB of [23], respectively.

However, compared with some existing group signature schemes based on zero - knowledge proofs, our ML - GS scheme also has some drawbacks when it comes to tracing the identity of group members. That is, the ML - GS.Open algorithm in the opening phase requires a registration list reg as an input parameter. The registration list contains the identity vectors of all registered group members. Therefore, as the number of group members increases, the overhead cost of the opening algorithm for the group administrator will increase.

8

Conclusion

This paper presents a module lattice-based group signature scheme, ML-GS, designed to achieve efficient signing performance and privacy protection while remaining resilient against quantum attacks. The scheme builds upon the standardized post-quantum signature algorithm FIPS 204 and incorporates a dual-Dilithium signing algorithm along with the K-PKE encryption scheme from FIPS 203. By employing a “sign-hybrid-encryp”structure, ML-GS achieves both member anonymity and traceability. Under the Random Oracle Model, we prove that ML-GS satisfies anonymity and traceability based on the hardness of the Module Learning With Errors and Module Short Integer Solution assumptions. Compared to existing group signature schemes at the same security level, ML-GS achieves a 6% reduction in public key size and an 80% reduction in signature size, with only a slight increase in private key size, demonstrating its practicality and promise in constructing efficient and scalable group signature systems.

As future work, we aim to address the communication overhead introduced using the registration list in the opening algorithm. We also plan to further optimize the communication and computational efficiency of the scheme and explore its deployment in real-world privacy-preserving applications.

ML-GS: Module Lattice-Based Group Signature Scheme

Full Article

Paradigm

My account