We present the first provably secure isogeny-based group signature (GS) and accountable ring signature (ARS) in the quantum random oracle model (QROM). We do so by introducing and constructing an intermediate primitive called the openable sigma protocol and demonstrating that any such protocol gives rise to a secure GS and ARS. Furthermore, QROM security is guaranteed if an additional perfect unique-response property (which is achieved via our tailored construction) is satisfied. Previous works by Beullens et al. (Eurocrypt 2022, Asiacrypt 2020) proposed isogeny-based GS and ARS with better efficiency, but these were only analyzed in the classical random oracle model (CROM). It is well known that CROM security does not generally translate to QROM security; with the growing relevance of isogeny-based constructions in post-quantum cryptography, the current state of the art is unsatisfactory. Moreover, the aforementioned existing isogeny-based signatures were recently affected by the Fiat-Shamir with aborts (FSwA) flaw discovered by Barbosa et al. and Devevey et al. (CRYPTO 2023), leaving the provable security of isogeny-based signatures open to question once again. Our constructions are not only immune to the FSwA flaw but also provide stronger QROM security. As current QROM-secure ARS and GS schemes are mostly lattice-based, we offer a robust post-quantum alternative should lattice assumptions weaken.