A Postquantum Linkable Ring Signature Scheme from Coding Theory

Liu, Xindong; Wang, Li-Ping

doi:https://doi.org/10.1155/2023/1794053

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2023 | Article ID 1794053 | https://doi.org/10.1155/2023/1794053

A Postquantum Linkable Ring Signature Scheme from Coding Theory

Xindong Liu^1,2and Li-Ping Wang^1,2

Academic Editor: Shadab Alam

Received12 Feb 2023

Revised19 Mar 2023

Accepted30 Nov 2023

Published26 Dec 2023

Abstract

Linkable ring signatures (LRSs) are ring signatures with the extended property that a verifier can detect whether two messages were signed by the same ring member. LRSs play an important role in many application scenarios such as cryptocurrency and confidential transactions. The first code-based LRS scheme was put forward in 2018. However, this scheme was pointed out to be insecure. In this paper, we put forward a code-based LRS scheme by constructing a new Stern-like interactive protocol and prove that it meets the security requirements of LRSs. We also give the specific parameters and the performance on the platform of our scheme.

1. Introduction

Ring signatures [1], a significant cryptographic primitive, enable a group user to sign a message on behalf of the group (called a ring) while protecting their privacy. Anonymity means that a verifier only can verify the correctness of the signature but cannot identify who is the actual signer in the ring. As an efficient privacy protection technology, ring signatures have been widely used in various scenarios such as e-voting [2], e-cash [3], and e-lottery [4, 5]. However, in many real-world applications, it is significant to not only protect the privacy of the signer but also require each signer to sign no more than once. For example, in an e-voting system, each person signs their ballot on behalf of all those eligible to vote, and each person is required to vote only once.

For more application scenarios, Liu et al. came up with the first linkable ring signature (LRS) scheme in 2004 [6]. LRSs are ring signatures with an extended property, where one can publicly verify whether two signatures were produced by the identical signer without knowing the identity of the signer. Compared to a ring signature scheme, an LRS scheme contains a tag generated by an issue and the signing keys of the entire ring user, where an issue can represent a vote or a business event. If a ring member outputs two signatures with an identical tag, two signatures will be linked. In a more restricted version of LRSs, a signer will be linked as soon as he signs twice. We call this kind of LRSs one-time LRSs. This property plays an important role in building cryptocurrencies, such as keeping the spender’s anonymity and avoiding double-spending attacks [7], since a sum of money can be used only once by a consumer no matter in any deal.

LRSs have been extensively researched based on the number theory problem [6, 8–10]. A general construction of LRSs was presented by Franklin and Zhang [11]. For the sake of linkability, they add a pseudorandom function (PRF) evaluation of the signer’s private key to any ring signature scheme and combine it with a zero-knowledge proof of the correct evaluation. In 2019, Wang et al. [12] put forward a general construction of one-time LRSs that adds one-time signatures to any ring signature scheme to achieve linkability. With the arrival of high-performance quantum computers, most classical asymmetric cryptography schemes will be broken since Shor [13] came up with a quantum algorithm to break the discrete logarithm problem and the factoring problem. Therefore, a number of quantum-safe LRS schemes have been put forward in the past few years, such as lattice-based LRS schemes [7, 14–16], code-based LRS schemes [17–19], and isogeny-based LRS schemes [15].

Code-based cryptography has flourished as one of the important fields of postquantum cryptography in recent years. The first signature scheme from coding theory is the Courtois–Finiasz–Sendrier (CFS) scheme [20]. After that, code-based signatures make a great development [21–23]. In 2007, Zheng et al. put forward the first ring signature scheme from coding theory [24]. Later, many other variants related to ring signatures appeared like threshold ring signatures [25, 26], traceable ring signatures [27], and group signatures [28–30]. In 2018, Branco and Mateus put forward the first code-based LRS scheme [18]. However, Feng et al. [31] point out that this scheme is not safe since the Cramer–Damgard–Schoenmakers (CDS) framework [32] was used to build the OR relationship. In 2020, Ren et al. proposed another code-based LRS scheme [19]. However, we found that once two signatures are linked, the information of the signer’s private key will be leaked since the output contains the information of the private key.

1.1. Our Contributions

For the purpose of not using the CDS framework, we design a new Stern-like interactive zero-knowledge (ZK) protocol, which is inspired by Ezerman et al. [33], as the building block of our LRS scheme. A prover can use this interactive ZK protocol to prove that he holds a small-weight solution to two instances of the syndrome decoding problem, which means the prover is a certified ring member with a unique label vector. Therefore, we employ the interactive ZK protocol to build our LRS scheme. Then, we prove that our LRS scheme is not only correct but also achieves the LRS security requirements. Finally, we analyzed the efficiency of the scheme and gave the running time on the platform.

It should be pointed out that we do not use the techniques mentioned in the introduction to construct our LRS scheme. The first technique [11] needs secure PRFs with a succinct zero-knowledge system. The syndrome-based PRF [34] is the only proposed one with a zero-knowledge argument system. Nevertheless, such an argument system will lead to a very inefficient construction since given an input of length , the PRF will implement times of matrix multiplications. The second technique, to achieve one-time linkability through a one-time signature scheme, also increases the overhead of a concrete scheme. Our construction follows that of Baum et al. [14].

We assume a ring of size , each member of which is labeled . Let represent the public keys of the user and represent the secret key with Hamming weight , where , denote two matrices and , denote two row vectors. Let denote a matrix of size and denote a vector of length such that the -th position is 1 and the rest of the positions are 0. Therefore, there is and the equation can be reformulated as

Then, employs the secret key to get a vector

Next, we construct a Stern-like ZK scheme where a prover is able to make the verifier believe he holds a pair satisfying equations (1) and (2) with hidden index . By repeating this protocol a lot of times to make the soundness error negligible and employing the Fiat–Shamir transform [35], we get a transcript of the NIZK argument. The final form of our proposed LRS is . The size of our scheme, including the public key and the signature, is linearly related to . However, when setting the practical parameters, our scheme achieves better performance than that of the scheme put forward in [36] which is the best performance syndrome-based ring signature scheme with logarithmic signature size, as long as does not exceed [28].

We note that Ren et al. [19] attempt to build another code-based LRS scheme. Unfortunately, there is a lot of weakness in this construction. In detail, they use an insecure signature scheme to build their LRS scheme, which would result in the disclosure of the signer’s private key. We make an analysis in Section 6.

1.2. Roadmap

The remaining articles are structured as follows. In Section 2, we introduce many preliminaries needed in our paper. In Section 3, we first propose an interactive zero-knowledge protocol and then construct our LRS scheme. We give the security proof and some security parameters for our LRS scheme in Section 4. In Section 5, we present the implementation results of the proposed LRS scheme. In Section 6, we analyze Ren et al.’s scheme. Finally, in Section 7, we draw the conclusion.

2. Preliminaries

2.1. Notations

Let and represent a security parameter and a negligible function in , respectively. The set is abbreviated as . We denote with the addition modulo 2. If not specified explicitly, the bold lowercase and uppercase letters represent row vectors and matrices, respectively. The Hamming metric of a vector is represented by . The transpose of is represented by . Let be the set of vectors such that . Define a function I2B from a positive integer to its binary representation, so the inverse of I2B is written as B2I. For a distribution , the notation means that is sampled from the distribution . If is a set, then denotes that is randomly picked from .

2.2. Linkable Ring Signatures

We now introduce the definition of the LRSs. To keep things simple, is abbreviated as .

Definition 1. An LRS scheme contains four polynomial-time algorithms in which(i): taking as input, it publishes a pair of public and private keys (ii): taking the public keys , a message M, and a private key as input, it generates a signature (iii): taking the public keys , a message M, and a signature as input, it outputs either 1 (accept) or 0 (reject)(iv): taking the public keys , two messages , and two signatures such that and as input, it outputs or , where 1 means that and are issued by the same signer

2.2.1. Correctness

An LRS scheme achieves correctness if for any , and every messages , , the following holds:where and , .

We employ the security model of [6, 14], which contains the following four aspects: existential unforgeability, anonymity, nonframeability, and linkability. In order to build the games used in these security models, we define the following two oracles:(i): taking a query of the form as input, it generates a signature (ii): taking a as input, it outputs the corresponding

Let stand for a probabilistic polynomial-time (PPT) adversary and represent that queries the random oracle .

Definition 2 (existential unforgeability). An LRS scheme is existential unforgeable, if the advantage of is negligible in the following game:(1)(2)Here, cannot use to query the .
The advantage of breaking existential unforgeability is denoted by the following equation:

Definition 3 (anonymity). An LRS scheme is anonymous, if the advantage of is negligible in the following game:(1)(2)(3)(4)Here, cannot query the and the .
The advantage of breaking anonymity is denoted by the following equation:

Definition 4 (nonframeability). An LRS scheme is nonframeable, if the advantage of is negligible in the following game:(1)(2)(3)(4)(5)Here, cannot use the to query the .
The advantage of breaking nonframeability is denoted by the following equation:

Definition 5 (linkability). An LRS scheme is linkable, if the advantage of is negligible in the following game:(1)(2) The advantage of breaking linkability is denoted by the following equation:

Remark 6. In this work, the proof of existential unforgeability is not given. As shown in [37], it is easy to get existential unforgeability from linkability and nonframeability.

2.3. Cryptography in Coding Theory

We now introduce a few hard problems needed in our paper.

Problem 7 (syndrome decoding (SD) problem). Given a parity-check matrix , a syndrome , and a positive integer , the SD problem is to search for a solution satisfying and .

Problem 8 (general syndrome decoding (GSD) problem). Given two parity-check matrices , two syndromes , and a positive integer , the GSD problem is to search for a solution satisfying , , and .
Considering the matrix and the vector , we have . Therefore, the GSD problem is equivalent to the SD problem.

Problem 9 (codeword finding (CF) problem). Given a parity-check matrix and a positive integer , the CF problem is to search for a solution satisfying and .

Remark 10 (see [21]). For a binary linear code, the easy range for the weight of the SD problem and CF problem is .

Definition 11 (Gilbert–Varshamov (GV) bound). For a binary linear code, the GV bound is denoted by the following equation:

Remark 12. The SD problem has a unique solution with overwhelming probability if is less than .

Problem 13 (decisional syndrome decoding (DSD) problem [38]). Given a parity-check matrix and a syndrome , where the weight of the vector is at most , the DSD problem is to distinguish between a random vector and the syndrome .

Lemma 14 (leftover hash lemma [39]). Given a distribution over with min-entropy , a matrix , and a vector , the statistical distance between the distribution of and the corresponding uniform distribution is less than , where and .

2.4. Zero-Knowledge Proof and Stern Protocol

We will introduce the definition of the zero-knowledge argument systems in this section. We use the set of statements-witnesses to denote an NP-relation. We first introduce the definition of an interactive zero-knowledge argument system as follows.

Definition 15 (zero-knowledge argument systems [40]). Let represent an interactive algorithm between a prover and a verifier, and denote an NP-relation. We say the is a ZK argument for a relation , if the following three conditions hold:(i)Completeness: if , there is(ii)-Soundness: if , then for any PPT , where is negligible.(iii)Statistical zero-knowledge: if there exists a PPT simulator which can interact with any and produce a simulated transcript , we have the following equation: where denotes the transcript of a real interaction’s transcript.Let be a setup algorithm about the protocol with an input , then return the parameters . The zero-knowledge property and simulation-extractability of noninteractive protocol are presented as follows.

Definition 16 (noninteractive zero-knowledge). Let denote a noninteractive protocol. The protocol is zero-knowledge for a relation , if a pair of PPT simulators are presented such that for any , there iswhere and first check that if the input is contained in , if so, outputs , and outputs ; otherwise, return .

Definition 17 (simulation-extractability). We say that achieves simulation-extractable with regard to a pair of PPT simulators , if there exists a PPT extractor such that for , there iswhere , represents all proofs produced by , is not contained in , and takes the input and outputs .

(1)	Public parameters:.
(2)	Private key: Samples such that .
(3)	Public key: Samples and calculates .
(4)	Prover:
	(i) Samples and .
	(ii) Calculates , , and sets .
	(iii) Sends to .
(5)	Verifier:
	(i) Samples the challenge .
(6)	Prover:
	(i) Case : Sets .
	(ii) Case : Sets .
	(iii) Case : Sets .
	(iv) Sends the response to .
(7)	Verifier:
	(i) If , checks if and are true.
	(ii) If , checks if and are true.
	(iii) If , checks if and are true.

2.4.1. Stern Protocol

In 1996, Stern introduced a three-round zero-knowledge argument of knowledge (ZKAoK) for the SD problem in coding theory [41]. The system parameters are a public matrix , a syndrome , and a weight . According to the Stern protocol, anyone can verify whether the prover holds a solution with Hamming metric such that . If we embed the statistically hiding commitment scheme into it, then we can get a soundness error of . We describe the Stern protocol in Algorithm 1.

3. Our Code-Based Linkable Ring Signature

We first put forward an interactive zero-knowledge protocol, in which a prover can prove that he is a ring member with a label vector that is generated by his own private key. Based on this interactive zero-knowledge protocol, we construct our LRS scheme by Fiat–Shamir transform.

3.1. The Underlying Zero-Knowledge Protocol

In this section, our main result is to show a zero-knowledge argument system as the underlying protocol of our LRS scheme. First, we need to introduce a set of vectors and an important permutation, which are introduced in [28]. Let denote an integer and . Then, there are the following:(1)For and , let denote a vector of length such that the -th position is 1 and the rest of the positions are 0(2)Given a vector , we introduce the permutation : , where , for each For any and any , there is(3)For any vector and , we have

We build our interactive ZKAoK following the Stern framework and make a summarization as follows:(i)The public keys include two matrices and and syndromes (ii)The secret is a vector satisfying where the with hidden index (iii)It is the prover’s target to make others convince of the following relations:

Let . The relation is equivalent to , where denotes . Then, the relation can be rewritten as follows:

We use to denote a collision-resistant hash function. Next, we showed the details of the underlying interactive protocol in Algorithm 2.

Lemmas 14 and 18 point out that Algorithm 2 has the statistically zero-knowledge property and the special soundness property.

Lemma 18. The interactive protocol shown in Algorithm 2 is an argument with the statistical zero-knowledge property if the COM is a statistically hiding string commitment scheme.

Proof. We employ a simulator which can interact with the verifier after giving the public input . First, the simulator picks a, and then depending on the value chosen by , proceeds as follows.

Case 19. : randomly selects the following objects:Then, sets the as , in whichWhen the challenge is received, performs as follows:(i)If , lets and sends it to (ii)If , terminates the process and outputs (iii)If , lets and sends it to

(1)	Public parameters:.
(2)	Private key: Samples and .
(3)	Public key:, where .
(4)	Prover:
	(i) Samples the following uniformly random objects:

	(ii) Sets ,
	,
	.
	(iii) Sets the as .
(5)	Verifier:
	(i) Samples the .
(6)	Prover:
	(i) If , sets .
	(ii) If , sets .
	(iii) If , sets .
	(iv) Sends .
(7)	Verifier:
	(i) If , checks if and are true.
	(ii) If , checks if and are true.
	(iii) If , checks if and , are true.

Case 20. : computes and such thatand samples random objects as follows:where denotes the symmetric group of all permutations of elements.
Then, sets as the same as equation (18).
When is received, performs as follows:(i)If , lets and sends it to (ii)If , lets and sends it to (iii)If , terminates the process and outputs

Case 21. : samples random objects:computes and such thatThen, sets the as the same as equation (18).
When the challenge is received, performs as follows:(i)If , terminates the process and outputs (ii)If , lets and sends it to (iii)If , lets and sends it to Because is sampled from , the probability of terminating is . As the simulator outputs a successful transcript, the distribution of its outputs is indistinguishable from the real interaction.

Lemma 22. On the input of , there is an extractor that can obtain a pair from a and 3 valid to all 3 possible pairs . The witness satisfies the following equations:

Proof. We can construct an efficient knowledge extractor . Suppose that we have three valid transcripts ,, and of the proposed protocol, where , whereBecause of the collision-resistance property of , we haveTherefore, the knowledge extractor can extract the witness from , .

(1)	Public parameters:.

(2)	KeyGen: User :
	(i) Samples as private key.
	(ii) Calculates the public key and sets as .
(3)	Sign: performs the following steps:
	(i) Calculates .
	(ii) Repeats Algorithm2 with the input times such that the soundness error is negligible and then obtains .
	(iii) Sets as .
	(iv) Sets the corresponding responses according to the step 6 of Algorithm2.
	(v) Sets the transcript .
	(vi) Outputs the linkable ring signature .
(4)	Ver: Given a signature , the verifier
	(i) Calculates ;
	(ii) According to Algorithm2 with the input to check if is a valid transcript.
	(iii) If the above condition holds, it returns 1; otherwise, it returns 0.
(5)	Link: When two signatures are received, the verifier parses and
	(i) Checks if and are correct.
	(ii) Checks if .
	(iii) If the above two conditions hold, it outputs 1; otherwise, it outputs 0.

3.2. Our Code-Based Linkable Ring Signature Protocol

Our LRS scheme is put forward in Algorithm 3. Roughly speaking, we construct an LRS by repeating the underlying ZKAoK protocol enough times so that the soundness error is negligible and applying the Fiat–Shamir transform.

Given two positive integers and such that , we choose a random matrix and two collision-resistant hash functions as follows:(i)(ii)

Here, stands for the repetition number of the underlying ZK protocol.

The function is used to generate the Fiat–Shamir transform, and is the one used in the underlying ZKAoK protocol.

During the key generation algorithm, the user randomly chooses a vector from the set and sets .

In the signing algorithm, the user gets the underlying protocol with in which and . By repeating the protocol many times and the Fiat–Shamir transform, he gets a NIZKAoK . The form of the proposed signature is , where .

Due to the validity of the NIZKAoK, the algorithm Ver always outputs 1. If two signatures and were generated by the same user , then by , the algorithm Link always outputs 1.

4. Analysis of the Proposed Protocol

We analyze the proposed LRS scheme from the aspects of correctness and security.

Theorem 23. Our LRS scheme achieves correctness with an overwhelming probability.

Proof. To explain that the given LRS scheme is correct, we first prove that the algorithm Ver always returns 1, if the signature was generated by a ring user honestly running algorithm , for any .
We observe that the algorithm is equivalent to the signer repeating the underlying protocol enough times and employing the Fiat–Shamir heuristic to it. Because of the perfect completeness and validness of the underlying protocol, we have Ver for any pair of generated by an honest signer.
As for the validity of the algorithm Link, it is straightforward to observe that if and were generated by the identical user , for any , where and , then by and , the algorithm Link always outputs 1.

Theorem 24. Our LRS scheme satisfies anonymity in the random oracle model because of the ZK property of Algorithm 2 and the intractability of the DSD problem.

Proof. We set the five hybrid games , and so as to explain that the proposed scheme satisfies anonymity. and represent the real anonymous game, in which and , respectively. We will prove that the sequence of games is indistinguishable from any adversary . The advantage of in is represented by . : This is a real anonymous game where . In this game, the challenger performs to generate and . The adversary can ask queries to three oracles, which are , and . honestly responds to the inquiries from the above three oracles by employing the private key to execute the algorithm. : Compared with the previous game, we set the following changes: runs the simulator instead of faithfully executing the underlying protocol and does the following steps:(1)Outputs the parameters by running instead of executing the setup algorithm of the NIZKAoK(2)Uses the simulation proof to reply to the queries of by running , when the adversary accesses Since the underlying protocol is zero-knowledge, there is : Compared with , has the following modifications: The challenger establishes a table with an empty initial state. When makes a query to , first checks if there is a tuple in the table, where is included in . If it exists, then the challenger produces the signature with the by running the simulator . If not, the is set as . Then, records the tuple in the table and produces the signature with by running the simulator . In , the vector is randomly sampled from instead of being evaluated by . Due to the intractability of the DSD problem, we have Therefore, there is : The modification between and is that the is evaluated by instead of being randomly sampled in . In addition to the above modification, the other steps of are the same as those of : This is a real anonymity game where .The above proof shows that cannot distinguish from with nonnegligible probability. Therefore, it is impossible for to distinguish whether is 1 or 0.

Theorem 25. Our LRS scheme satisfies linkability in the random oracle model based on the CF problem and the simulation-extractability of the underlying interactive protocol.

Proof. Let denote an adversary who breaks the linkability of the Algorithm 3. It implies that is able to output pairs of tuples satisfying the following:(1)(2)We use to denote the real interface, in which all the parameters are honestly produced, and to denote the simulator’s interface, in which all parameters are produced by the simulator . Because the underlying protocol is zero-knowledge (Lemma 18), cannot tell the difference between the two interfaces. For , there is an extractor which can obtain a pair , where , for every message-signature pair satisfying the following equation:Since there are only public keys contained in the ring, there must exist , so the following hold:where stands for the -th column of .
Since we suppose breaks the linkability of the scheme, there is . Thus, we have . Otherwise, it contradicts the previous assumption. Therefore, by equation (30), we have . It implies that a PPT is able to break the CF problem which contradicts the intractability of the CF problem.

Theorem 26. Our LRS scheme satisfies nonframeability in the random oracle model based on the GSD problem and the simulation extractability of Algorithm 2.

Proof. We set the following two hybrid games to explain that breaking the nonframeability property is as intractable as solving the GSD problem. : This is a real nonframeability game regarding the challenge public key . In this game, runs to get and . The adversary submits queries to the given oracles and with the limitation that he cannot query the corruption oracle with the public key . : employs the simulator of the NIZKAoK to output the parameters and selects . Then, establishes an empty table. When receiving a query , first checks if a pair exists in the table. If it does, employs the simulator to produce the signature with the vector . If not, is set as . records the pair in the table and produces the signature combining by employing the simulator . Since the underlying protocol has the zero-knowledge property, it is impossible for a PPT adversary to distinguish Game 1 from Game 0Then, we show that it is impossible to successfully attack in . Assume can forge a pair such that(1)(2), the signature returned by on a signing query Since can be linked, we have . Since the underlying noninteractive protocol achieves the simulation-extractability, there is an extractor that puts as input and returns the witness satisfying the following equation:However, since the vector is output by the simulator and the vector is sampled from in , it means the adversary can break the GSD problem. Therefore, this is a contradiction, which means that there is no way of breaking the nonframeability of our LRS scheme.

5. Parameters and Key Size

We make an analysis of the key and signature size and give the parameters for our scheme under 80-bit security.(1)Public key size: the public key is composed of and its size is bits.(2)Private key size: the private key is bit-size.(3)Signature size: the signature is composed of a transcript and a vector . In detail, the signature size contains the following parts:(i)The commitment is bit-size.(ii)If the challenge and , the response is bit-size; otherwise, the response is bit-size. Thus, the size of response is no more than log bit-size.(iii)The vector is bit-size and the underlying protocol is repeated times. Therefore, the signature size is no more than by bit-size.

We use seeds to replace permutations in the underlying protocol to reduce the signature size.

The parameters should satisfy not only that the SD problem and the GSD problem are hard but also that the distributions of are indistinguishable from the uniform distribution, for any .

According to Lemma 14 and the information set decoding algorithm [42], the parameters were chosen as (2800, 600, 132) so that the CF problem and the GSD problem are intractable under the 80-bit security, and the statistical distance of the distribution between the uniform distribution is , for any . The positive integer is moderately larger than the GV bound but belongs to the difficult range of the CF problem and the GSD problem.

Remark 27. For the intractability of the GSD problem, k does not exceed n/4.
We perform our scheme on an Intel Core i7-8750H CPU@2.20 GHz and 4 GB of memory. For each set of parameters, the performance of our LRS scheme is presented in Table 1.

6. Analysis of Ren et al.’s Scheme

We first describe Ren et al.’s scheme [19] in Algorithm 4 and then analyze a serious weakness in their scheme. Let be two matrices and be a hash function. Their scheme is built as follows.

(1)	Public parameters:.

(2)	KeyGen: User :
	(i) Samples and .
	(ii) Calculates .
(3)	Sign: In order to sign the message , :
	(i) Calculates .
	(ii) Samples with .
	(iii) Sets
	For .
	(iv) Samples with .
	(v) Sets , in which:

	(vi) Sets .
	(vii) Outs the signature .
(4)	Ver: Given the signature , the verifier:
	(1) For , calculates

	(2) If and for , is accepted, otherwise rejected.

The above scheme is not safe because the attacker is able to obtain the private key from a large number of signatures.

Observed that the signature signed by , except is generated by the private key , other are randomly generated during the signing process. So the distribution of , determined by , is different from the other distributions of , . If an adversary can obtain multiple signatures that are linked to each other, he can perform statistical analysis on these signatures to obtain the identity of the signer. Therefore, can obtain by removing those not generated by . In other words, gets a lot of signatures generated by the same signer.

can compute . And the random vector is of low Hamming weight, and hence, the support set of is small. Therefore, Persichetti [23] points out that a simple statistical analysis will recover the private key . The problem stems from the fact that the small weight vector that is added to is not sufficient to cover up the support of the private key.

Our analysis suggests that this scheme not only fails to satisfy anonymity but also leaks the secret of the signer.

7. Conclusion

In this paper, we put forward a new LRS scheme, which achieves existential unforgeability, anonymity, nonframeability, and linkability since the intractability of the CF problem, the DSD problem, and the GSD problem. The key point of this work is to construct a Stern-like ZK protocol in which a prover can prove that he is a member of this ring with a certain tag generated by his private key. The sizes of public keys and signatures of our scheme are linearly related to the size of the ring . We ran this scheme with different numbers of users on a computer and gave the corresponding results. Finally, we point out that Ren et al.’s scheme is insecure because an adversary can get the private key of the signer by doing a simple statistical analysis.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported by the National Natural Science Foundation of China under Grant no. 62372446 and the National Key Research and Development Program of China under Grant no. 2018YFA0704703.

References

R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” in Advances in Cryptology-ASIACRYPT 2001, C. Boyd, Ed., vol. 2248, pp. 552–565, Springer, Berlin, Germany, 2001.
View at: Google Scholar
F. Rodríguez-Henríquez, D. Ortiz-Arroyo, and C. García-Zamora, “Yet another improvement over the mu-varadharajan e-voting protocol,” Computer Standards & Interfaces, vol. 29, no. 4, pp. 471–480, 2007.
View at: Publisher Site | Google Scholar
B. Libert, S. Ling, K. Nguyen, and H. Wang, Zero-Knowledge Arguments for Lattice-Based Prfs and Applications to e-Cash, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2017.
D. M. Goldschlag and S. G. Stubblebine, “Publicly verifiable lotteries: applications of delaying functions,” in Financial Cryptography, Second International Conference, FC’98, R. Hirschfeld, Ed., vol. 1465, pp. 214–226, Springer, Berlin, Germany, 1998.
View at: Google Scholar
E. Kushilevitz and T. Rabin, “Fair e-lotteries and e-casinos,” in Topics in Cryptology-CT-RSA 2001, the Cryptographer’s Track at RSA 2001, D. Naccache, Ed., vol. 2020, pp. 100–109, Springer, Berlin, Germany, 2001.
View at: Google Scholar
J. K. Liu, V. K. Wei, and D. S. Wong, Linkable Spontaneous Anonymous Group Signature For Ad Hoc Groups, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2004.
W. A. A. Torres, R. Steinfeld, A. Sakzad et al., Post-Quantum One-Time Linkable Ring Signature And Application To Ring Confidential Transactions In Blockchain (Lattice Ringct V1.0), IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2018.
J. K. Liu and D. S. Wong, “Linkable ring signatures: security models and new schemes,” in Computational Science and its Applications - ICCSA 2005, O. Gervasi, M. L. Gavrilova, V. Kumar et al., Eds., vol. 3481, pp. 614–623, Springer, Berlin, Germany, 2005.
View at: Google Scholar
M. H. Au, S. S. M. Chow, W. Susilo, and P. P. Tsang, “Short linkable ring signatures revisited,” in Public Key Infrastructure, Third European PKI Workshop: Theory and Practice, EuroPKI 2006, A. S. Atzeni and A. Lioy, Eds., vol. 4043, pp. 101–115, Springer, Berlin, Germany, 2006.
View at: Google Scholar
J. K. Liu, M. H. Au, W. Susilo, and J. Zhou, “Linkable ring signature with unconditional anonymity,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 1, pp. 157–165, 2014.
View at: Publisher Site | Google Scholar
M. K. Franklin and H. Zhang, A Framework for Unique Ring Signatures, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2012.
X. Wang, Y. Chen, and X. Ma, “Adding linkability to ring signatures with one-time signatures,” in Information Security-22nd International Conference, ISC 2019, Z. Lin, C. Papamanthou, and M. Polychronakis, Eds., vol. 11723, pp. 445–464, Springer, Berlin, Germany, 2019.
View at: Google Scholar
P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM Journal on Computing, vol. 26, no. 5, pp. 1484–1509, 1997.
View at: Publisher Site | Google Scholar
C. Baum, H. Lin, and S. Oechsner, “Towards practical lattice-based one-time linkable ring signatures,” in Information and Communications Security-20th International Conference, ICICS 2018, D. Naccache, S. Xu, S. Qing et al., Eds., vol. 11149, pp. 303–322, Springer, Berlin, Germany, 2018.
View at: Google Scholar
W. Beullens, S. Katsumata, and F. Pintore, Calamari and Falafl: Logarithmic (Linkable) Ring Signatures From Isogenies and Lattices, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2020.
X. Lu, M. H. Au, and Z. Zhang, Raptor: A Practical Lattice-Based (Linkable) Ring Signature, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2018.
A. Barenghi, J. Biasse, T. Ngo, E. Persichetti, and P. Santini, “Advanced signature functionalities from the code equivalence problem,” International Journal of Computer Mathematics: Computer Systems Theory, vol. 7, no. 2, pp. 112–128, 2022.
View at: Publisher Site | Google Scholar
P. Branco and P. Mateus, “A code-based linkable ring signature scheme,” in Provable Security-12th International Conference, ProvSec 2018, J. Baek, W. Susilo, and J. Kim, Eds., vol. 11192, pp. 203–219, Springer, Berlin, Germany, 2018.
View at: Google Scholar
Y. Ren, Q. Zhao, H. Guan, and Z. Lin, “On design of single-layer and multilayer code-based linkable ring signatures,” IEEE Access, vol. 8, pp. 17854–17862, 2020.
View at: Publisher Site | Google Scholar
N. T. Courtois, M. Finiasz, and N. Sendrier, How to Achieve A Mceliece-Based Digital Signature Scheme, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2001.
N. Aragon, O. Blazy, P. Gaborit, A. Hauteville, and G. Zémor, Durandal: A Rank Metric Based Signature Scheme, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2018.
T. Debris-Alazard, N. Sendrier, and J. Tillich, “Wave: a new family of trapdoor one-way preimage sampleable functions based on codes,” in Advances in Cryptology-ASIACRYPT 2019, S. D. Galbraith and S. Moriai, Eds., vol. 11921, pp. 21–51, Springer, Berlin, Germany, 2019.
View at: Google Scholar
E. Persichetti, “Efficient one-time signatures from quasi-cyclic codes: a full treatment,” Cryptography, vol. 2, no. 4, p. 30, 2018.
View at: Publisher Site | Google Scholar
D. Zheng, X. Li, and K. Chen, “Code-based ring signature scheme,” International Journal on Network Security, vol. 5, no. 2, pp. 154–157, 2007.
View at: Google Scholar
C. Aguilar Melchor, P. Cayrel, P. Gaborit, and F. Laguillaumie, “A new efficient threshold ring signature scheme based on coding theory,” IEEE Transactions on Information Theory, vol. 57, no. 7, pp. 4833–4842, 2011.
View at: Publisher Site | Google Scholar
L. Dallot and D. Vergnaud, “Provably secure code-based threshold ring signatures,” in Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009, M. G. Parker, Ed., vol. 5921, pp. 222–235, Springer, Berlin, Germany, 2009.
View at: Google Scholar
P. Branco and P. Mateus, A Traceable Ring Signature Scheme Based On Coding Theory, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2019.
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, “Provably secure group signature schemes from code-based assumptions,” IEEE Transactions on Information Theory, vol. 66, no. 9, pp. 5754–5773, 2020.
View at: Publisher Site | Google Scholar
Q. Alamélou, O. Blazy, S. Cauchie, and P. Gaborit, “A code-based group signature scheme,” Designs, Codes and Cryptography, vol. 82, no. 1-2, pp. 469–493, 2017.
View at: Publisher Site | Google Scholar
O. Blazy, P. Gaborit, and D. T. Mac, “A rank metric code-based group signature scheme,” in Code-Based Cryptography-9th International Workshop, CBCrypto 2021, A. Wachter-Zeh, H. Bartz, and G. Liva, Eds., vol. 13150, pp. 1–21, Springer, Berlin, Germany, 2021.
View at: Google Scholar
H. Feng, J. Liu, D. Li, Y. Li, and Q. Wu, “Traceable ring signatures: general framework and post-quantum security,” Designs, Codes and Cryptography, vol. 89, no. 6, pp. 1111–1145, 2021.
View at: Publisher Site | Google Scholar
R. Cramer, I. Damgård, and B. Schoenmakers, “Proofs of partial knowledge and simplified design of witness hiding protocols,” in Advances in Cryptology - CRYPTO ’94, Y. Desmedt, Ed., vol. 839, pp. 174–187, Springer, Berlin, Germany, 1994.
View at: Google Scholar
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, A Provably Secure Group Signature Scheme From Code-Based Assumptions, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2015.
C. Brunetta, B. Liang, and A. Mitrokotsa, “Code-based zero knowledge PRF arguments,” in Information Security-22nd International Conference, ISC 2019, Z. Lin, C. Papamanthou, and M. Polychronakis, Eds., vol. 11723, pp. 171–189, Springer, Berlin, Germany, 2019.
View at: Google Scholar
A. Fiat and A. Shamir, “How to prove yourself: practical solutions to identification and signature problems,” in Advances in Cryptology-CRYPTO ’86, A. M. Odlyzko, Ed., vol. 263, pp. 186–194, Springer, Berlin, Germany, 1986.
View at: Google Scholar
K. Nguyen, H. Tang, H. Wang, and N. Zeng, New Code-Based Privacy-Preserving Cryptographic Constructions, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2019.
E. Fujisaki and K. Suzuki, Traceable Ring Signature, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 2006.
B. Applebaum, Y. Ishai, and E. Kushilevitz, “Cryptography with constant input locality,” Journal of Cryptology, vol. 22, no. 4, pp. 429–469, 2009.
View at: Publisher Site | Google Scholar
S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan, “Robustness of the learning with errors assumption,” in Innovations in Computer Science-ICS 2010, A. C. Yao, Ed., pp. 230–240, Tsinghua University Press, Beijing, China, 2010.
View at: Google Scholar
M. Bellare, M. Jakobsson, and M. Yung, Round-Optimal Zero-Knowledge Arguments Based On Any One-Way Function, IACR Cryptology ePrint Archive, Bellevue, WA, USA, 1997.
J. Stern, “A new paradigm for public key identification,” IEEE Transactions on Information Theory, vol. 42, no. 6, pp. 1757–1768, 1996.
View at: Publisher Site | Google Scholar
R. C. Torres and N. Sendrier, “Analysis of information set decoding for a sub-linear error weight,” in Post-quantum Cryptography-7th International Workshop, PQCrypto 2016, T. Takagi, Ed., vol. 9606, pp. 144–161, Springer, Berlin, Germany, 2016.
View at: Google Scholar

Copyright

Copyright © 2023 Xindong Liu and Li-Ping Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

228

Downloads

156

Citations