A Framework for Efficient Enhanced Privacy ID from Group Actions
摘要
Enhanced Privacy ID (EPID) is a variant of group signature that allows a revocation manager to revoke signing keys and signatures. It maintains a corresponding key revocation list and signature revocation list in parallel, making it widely used for device attestation in real-world trusted execution environments and included in ISO/IEC standards. However, the EPID signature schemes currently applied in standards are vulnerable to attacks by quantum computers. In recent years, several post-quantum secure EPID schemes have been proposed. Notably, Chen et al. (PQCrypto 2024) introduced an efficient hash-based EPID scheme featuring an additional concrete non-interactive zero-knowledge proof to verify signer non-revocation. This proof has linear complexity relative to the signature revocation list size. We identify room for efficiency improvements of this proof in linear complexity and highlight the need for a more generalized approach to post-quantum secure EPID scheme construction. In this paper, we propose a general framework for constructing post-quantum secure EPID schemes based on the OR sigma protocol from admissible pair of group actions. We instantiate this framework using isogeny and lattice-based techniques. The core technique of our approach involves generating a revocation tokens list based on a randomized current signature revocation list and embedding its proof into the OR sigma protocol, eliminating the need to produce an independent proof. Compared to the most efficient post-quantum secure counterpart by Chen et al. (PQCrypto 2024) under the same group size, signature revocation list size, and at a higher security level (NIST-2 vs. NIST-1), our lattice-based EPID instantiation achieves a 4.33 \(\times \) reduction in signature size while maintaining comparable signing and verification times. Additionally, our isogeny-based instantiation represents the first EPID scheme constructed using isogeny and achieves the smallest signature size among existing post-quantum secure counterparts. Furthermore, our security analysis demonstrates that the proposed scheme satisfies anonymity and unforgeability under the random oracle model.