We construct an efficient dynamic group signature (or more generally an accountable ring signature) from isogeny and lattice assumptions. Our group signature is based on a simple generic construction that can be instantiated by cryptographically hard group actions such as the CSIDH group action or an MLWE-based group action. The signature is of size \(O(\log N)\), where N is the number of users in the group. Our idea builds on the recent efficient OR-proof by Beullens, Katsumata, and Pintore (Asiacrypt’20), where we efficiently add a proof of valid ciphertext to their OR-proof and further show that the resulting non-interactive zero-knowledge proof system is online extractable. Our group signatures satisfy more ideal security properties compared to previously known constructions, while simultaneously having an attractive signature size. The signature size of our isogeny-based construction is an order of magnitude smaller than all previously known post-quantum group signatures (e.g., 6.6 KB for 64 members). In comparison, our lattice-based construction has a larger signature size (e.g., either 126 KB or 89 KB for 64 members depending on the satisfied security property). However, since the \(O(\cdot )\)-notation hides a very small constant factor, it remains small even for very large group sizes, say \(2^{20}\).

我们从同源和晶格假设构建了一个有效的动态群签名（或更一般地一个负责任的环签名）。我们的群签名基于一个简单的通用构造，可以通过加密硬群操作（例如 CSIDH 群操作或基于 MLWE 的群操作）来实例化。签名的大小为\(O(\log N)\)，其中N是组中的用户数。我们的想法建立在 Beullens、Katsumata 和 Pintore (Asiacrypt'20) 最近的高效 OR-proof 基础上，我们有效地将有效密文的证明添加到他们的 OR-proof 中，并进一步表明由此产生的非交互式零知识证明系统可在线提取. 与以前已知的构造相比，我们的群签名满足更理想的安全属性，同时具有有吸引力的签名大小。我们基于等基因构造的签名大小比所有以前已知的后量子组签名小一个数量级（例如，64 个成员为 6.6 KB）。相比之下，我们基于格的构造具有更大的签名大小（例如，64 个成员的签名大小为 126 KB 或 89 KB，具体取决于满足的安全属性）。然而，由于\(O(\cdot )\) -notation 隐藏了一个非常小的常数因子，即使对于非常大的组大小，它仍然很小，比如\(2^{20}\)。