Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Traceable Signatures from Lattices

Nam Tran, Khoa Nguyen, Dongxi Liu, Josef Pieprzyk, Willy Susilo

TL;DR

The paper delivers a fully lattice-based traceable signature scheme that remains secure in the quantum setting by proving security in the quantum random oracle model. It builds on a dynamic group-signature framework, combining lattice primitives (SIS/LWE), a lattice-based GPV-IBE with CHK transformation, and a ZK/Unruh framework to realize user-specific tracing and self-tracing. The construction achieves traceability, non-frameability, and CCA-anonymity under standard lattice assumptions, with a detailed efficiency analysis showing poly-time operations and a signature size of $O(\lambda^3 \log^3 \lambda)$. This work provides the first complete post-quantum traceable-signature candidate with rigorous QROM security, broadening the practical reach of privacy-preserving yet accountable anonymous-signature systems.

Abstract

Traceable signatures (Kiayas et al., EUROCRYPT 2004) is an anonymous digital signature system that extends the tracing power of the opening authority in group signatures. There are many known constructions of traceable signatures, but all are based on number-theoretic/pairing assumptions. For such reason, they may not be secure in the presence of quantum computers. This work revisits the notion of traceable signatures and presents a lattice-based construction provably secure in the quantum random oracle model (QROM).

Traceable Signatures from Lattices

TL;DR

The paper delivers a fully lattice-based traceable signature scheme that remains secure in the quantum setting by proving security in the quantum random oracle model. It builds on a dynamic group-signature framework, combining lattice primitives (SIS/LWE), a lattice-based GPV-IBE with CHK transformation, and a ZK/Unruh framework to realize user-specific tracing and self-tracing. The construction achieves traceability, non-frameability, and CCA-anonymity under standard lattice assumptions, with a detailed efficiency analysis showing poly-time operations and a signature size of . This work provides the first complete post-quantum traceable-signature candidate with rigorous QROM security, broadening the practical reach of privacy-preserving yet accountable anonymous-signature systems.

Abstract

Traceable signatures (Kiayas et al., EUROCRYPT 2004) is an anonymous digital signature system that extends the tracing power of the opening authority in group signatures. There are many known constructions of traceable signatures, but all are based on number-theoretic/pairing assumptions. For such reason, they may not be secure in the presence of quantum computers. This work revisits the notion of traceable signatures and presents a lattice-based construction provably secure in the quantum random oracle model (QROM).

Paper Structure

This paper contains 26 sections, 12 theorems, 61 equations, 5 figures, 1 table, 5 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Notations
  4. Lattices
  5. Hardness Assumptions
  6. Statistical Lemmas
  7. Discrete Gaussian and Trapdoor Sampling
  8. Traceable Signatures
  9. A Traceable Signature Scheme from Lattices
  10. Technical Overview
  11. Description of the Scheme
  12. Analysis of the Scheme
  13. Correctness and Efficiency
  14. Correctness
  15. Efficiency
  16. ...and 11 more sections

Key Result

Lemma 4

Let $\beta = \mathsf{poly}(n)$, $q \geq (4\beta + 1)^2$ and $m \geq 3n$. Then, over the randomness of $\mathbf{B} \stackrel{\$}{\leftarrow} \mathbb{Z}_q^{m \times n}$, we have

Figures (5)

  • Figure 1: Experiment $\mathsf{Exp}_{\mathcal{TS},\mathcal{A}}^{\mathsf{trace}}(\lambda)$ defining traceability.
  • Figure 2: Experiment $\mathsf{Exp}_{\mathcal{TS},\mathcal{A}}^{\mathsf{frame}}(\lambda)$ defining non-frameability.
  • Figure 3: Experiment $\mathsf{Exp}_{\mathcal{TS},\mathcal{A}}^{\mathsf{anon}}(\lambda)$ defining CCA-anonymity, the adversary is not allowed to make trivial query to reveal/claiming/opening oracles.
  • Figure 4: A prover $\mathcal{P}$, generates an NIZK proof $\pi$ for $(x, w) \in \mathcal{R}$.
  • Figure 5: Verifier $\mathcal{V}$ checks the validity of a proof $\pi$ on statement $x$.

Theorems & Definitions (23)

  • Definition 1
  • Definition 2
  • Definition 3: KYY21
  • Lemma 4: LLNW14
  • Lemma 5: Leftover Hash Lemma, adapted from GKPV10
  • Theorem 6: Ban93Regev05
  • Proposition 1: MP12
  • Definition 7: Correctness
  • Definition 8
  • Definition 9
  • ...and 13 more