Abstract

In cloud and edge computing, senders of data often want to remain anonymous, while recipients expect the data to come from a reliable sender and not to be redundant. A linkable ring signature (LRS) not only protects the anonymity of the signer but also detects whether two different signatures were produced by the same signer. Today, most lattice-based LRS schemes satisfy only computational anonymity. To the best of our knowledge, only the lattice-based LRS scheme proposed by Torres et al. achieves unconditional anonymity, but its signature generation and verification are very slow and its signatures are relatively long. Using the preimage sampling, trapdoor generation, and rejection sampling algorithms, this study proposes an efficient LRS scheme with unconditional anonymity based on the e-NTRU problem in the random oracle model. We implemented our scheme, Torres et al.’s scheme, and four other efficient lattice-based LRS schemes. Under the same security level, compared with Torres et al.’s scheme, the signature generation time, signature verification time, and signature size of our scheme are reduced by about 94.52%, 97.18%, and 58.03%, respectively.

1. Introduction

In most scenarios involving data transmission, including blockchain, cloud computing, and edge computing, the sender of data usually wants to be anonymous, while the receiver expects the data to be reliable. Ring signature (RS), proposed by Rivest et al. [1], is a good technology for meeting both requirements. RS has two essential security properties: (1) unforgeability, which requires that the verifier be able to check whether the signature was produced by a legitimate signer; and (2) anonymity, which requires that the verifier cannot identify the real signer among a group of users. Like group signature [2, 3], RS is group-oriented. Unlike group signature, however, the group in RS is formed spontaneously: there is no special manager, and no setup or revocation procedures are required. Any user can select a group of ring members and sign any message with his own private key and the public keys of the other members without their consent, and the verifier can only check that the signature comes from some member of the ring, without learning which member signed.

Due to its anonymity, RS is widely used in anonymous tip-offs, e-cash [4], and other fields. It is worth noting that while protecting the anonymity of signers, RS also brings a new problem: the same signer can sign multiple times without being detected.

In 2004, Liu et al. [5] introduced an extended property called linkability to RS, and the corresponding primitive is now known as linkable ring signatures (LRS). LRS not only satisfies the properties of ordinary RS (such as correctness, unforgeability, and anonymity) but can also be used to judge whether two different signatures were produced by the same signer (linkability). LRS is useful where both anonymity and nonrepeatability are required. For example, in a blockchain system [6], if some user signs the same amount of money twice, LRS helps the verifier detect it and reject the second signature, thus avoiding the so-called “double spending” problem. In smart grid systems [7], the electricity consumption data of users are automatically collected by the smart meter, and specific consumption information is fed back to the service provider; malicious attackers can infer the daily routine of the user from the large amount of consumption data recorded by the smart meter. LRS can not only conceal the specific information of the meter user but also eliminate redundant data from the same meter and provide the system with abnormal-user monitoring and tracking functions.

In 2013, Liu et al. [8] constructed an unconditional anonymous linkable ring signature (UALRS) scheme, which addressed the open problem that RS could not have linkability and strong anonymity simultaneously and made it more secure. RS schemes have two types of anonymity: computational anonymity and unconditional anonymity. Computational anonymity refers to the protection of anonymity under certain number theory problems. The anonymity of RS is destroyed if this potential problem can be solved by an adversary. By contrast, unconditional anonymity means that the probability that any adversary with unlimited computing power and time knows the actual signer of a given RS is no better than random guessing. In other words, assuming that there are users in RS, the probability of any adversary with unlimited computing power and time correctly indicating the public key of the actual signer is no more than .

It is not difficult to design an RS scheme with unconditional anonymity; in fact, most traditional RS schemes satisfy it [1, 9–16]. Constructing a UALRS scheme, however, is not easy, for two reasons. First, in a computationally anonymous linkable ring signature (CALRS) scheme, the linking tag can always be designed as a pseudorandom function of the signer’s private key based on some mathematical problem. But unconditional anonymity means that the adversary has unlimited computing power, that is, it can compute the solution of any NP-hard problem, such as NTRU-SIS, large integer factorization, discrete logarithm, and the preimage of a given hash value. Therefore, building the linking tag on a mathematical problem alone is not enough, and further techniques are needed. Second, in order to achieve unconditional anonymity, the generation and verification of a linking tag are often more complex, which may increase the length of public and private keys and signatures and reduce the computational efficiency of the scheme. In fact, from 2004 to 2013, only the LRS scheme proposed by Liu et al. [8] achieved unconditional anonymity.

The above schemes are all constructed based on classical number theory problems, that is, discrete logarithm and the decomposition of large integer problems. With the development of quantum computers, cryptosystems under classical number theory problems are faced with severe challenges. Shor [17] constructed a quantum algorithm in 1994 to solve the problem of large integer factorization in polynomial time under quantum computing conditions, and this algorithm made most existing public key cryptosystems no longer secure under quantum attacks.

In this case, post-quantum cryptography began to be studied by scholars in the field of cryptography. Among the alternatives, lattice-based cryptography appeals to scholars because of its high efficiency, simplicity, high parallelizability, and strong provable security guarantees. In 2016, Libert et al. [18] constructed a lattice-based RS scheme based on zero-knowledge proofs and accumulators. Thereafter, other lattice-based RS schemes were proposed [19–21]. In 2017, Yang et al. [22] proposed a lattice-based LRS scheme based on weak pseudorandom functions, accumulators, and zero-knowledge proofs. In 2018, Baum et al. [23] proposed a lattice-based one-time LRS scheme based on the module-SIS problem (a variant of the SIS problem) and the module-LWE problem (a variant of the LWE problem). In the same year, Alberto Torres et al. [24] proposed a lattice-based one-time LRS scheme based on the ring-SIS problem. Subsequently, Zhang et al. [25] proposed an LRS scheme over ideal lattices based on a homomorphic commitment scheme and protocol. In 2019, Liu et al. [26] proposed a lattice-based LRS scheme supporting stealth addresses under the module-SIS and module-LWE problems. In 2020, Beullens et al. [27] constructed an LRS scheme whose signature size scales logarithmically with the ring size from isogeny and lattice assumptions.

However, in the above lattice-based LRS schemes, only Alberto Torres et al.’s scheme [24] satisfies unconditional anonymity. By analyzing Torres et al.’s scheme, it is found that in order to achieve unconditional anonymity, the linking tag of Torres et al.’s scheme is generated using an m-dimensional polynomial vector over a polynomial ring. Since the linking tag is so large, Torres et al.’s scheme generates signatures m times longer than a normal CALRS scheme over a polynomial ring, and its efficiency in generating and verifying signatures is also significantly reduced.

Hoffstein et al. [28] proposed the NTRU lattice-based cryptosystem in 1996. Considering that it only involves multiplication on polynomial rings and small integer modulo operations, the NTRU-based cryptosystem usually requires smaller public and private keys and is more efficient compared with that on the general lattice. Therefore, it has received extensive attention from scholars. In 2016, Zhang et al. [29] proposed an efficient RS scheme on NTRU lattice whose security can be reduced to the e-NTRU problem (a variant of the SIS problem on NTRU lattice) in the random oracle model. In 2019, Lu et al. [30] constructed Raptor, a practical NTRU lattice-based LRS scheme based on a variant of chameleon hash functions. In 2021, Tang et al. [31] constructed an identity-based LRS scheme over NTRU lattice by employing the technologies of trapdoor generation and rejection sampling. The security of this scheme relies on the small integer solution (SIS) problem on NTRU lattice.

1.1. Our Contribution

To reduce the signature size and improve the efficiency of signature generation and verification of the lattice-based UALRS scheme [24], in this study an LRS scheme is reconstructed on NTRU lattice; its architecture is shown in Figure 1. The main contributions of this article are as follows:
(1) In the key generation stage, the public and private keys of the LRS scheme are generated by the trapdoor and preimage sampling algorithms on NTRU lattice. Then, the linking tag is produced from the public and private keys of the signer, and an LRS is generated based on the signature algorithm of Zhang et al. [29] combined with the rejection sampling algorithm.
(2) In terms of security analysis, a strict security proof is conducted based on the security model of UALRS proposed by Liu et al. [8]. The proof shows that the unforgeability and linkability of the proposed scheme can be reduced to the hardness of the e-NTRU problem under the random oracle model, and that the proposed scheme satisfies unconditional anonymity.
(3) In terms of performance analysis, the proposed scheme is compared with the latest efficient lattice-based LRS schemes in [23, 24, 26, 27, 30], and a detailed analysis is given. Possible parameter settings of the proposed scheme are also analyzed and provided under the premise of ensuring its security.
(4) We implement our scheme, Torres et al.’s scheme [24], and four other efficient lattice-based LRS schemes [23, 26, 27, 30], and show that under the same security level, the signature generation and verification time of the proposed scheme are reduced by 56.61% and 65.18%, respectively. Compared with Torres et al.’s scheme in particular, the signature generation and verification time of the proposed scheme are reduced by 94.52% and 97.18%, respectively, and the signature size is reduced by 58.03% on average.

1.2. Paper Organization

In Section 2, we introduce some definitions, lemmas, difficult problems, and related algorithms which we will use to construct the scheme. We introduce the definition of LRS and the relevant security model in Section 3. Section 4 contains the construction and correctness statement of the LRS scheme and the proof of correctness. Section 5 contains the security statements of the proposed scheme and the proofs of unforgeability, unconditional anonymity, and linkability. In Section 6, we discuss the parameter settings and post-quantum security of the proposed scheme. Finally, in Section 7 and Section 8, we respectively give the performance analysis and experimental results of the proposed scheme and the lattice-based LRS schemes of [23, 24, 26, 27, 30] and also make a comparison between them.

2. Preliminaries

2.1. Symbol Definition

Descriptions of the used notations are listed in Table 1.

2.2. Related Definitions of NTRU Lattice

Definition 1 (lattice). Lattice generated by linearly independent vectors is the set of linear combinations of all integer coefficients of the linearly independent vectors, namelywhere and are the rank and dimension of lattice , respectively, and is called a basis of lattice .

Definition 2 (convolutional polynomial ring). Let be an ordinary polynomial ring. If the addition operation remains unchanged and the multiplication operation is replaced by a convolution operation on , then is called a convolution polynomial ring. Similarly, given a prime number , the modulus convolution polynomial ring is .
Let , then the two operations on are defined as follows:
(i) Addition operation :
(ii) Convolution operation :

Definition 3 (anticirculant matrix). Let the coefficient vector of polynomial be . Then, the coefficient vector of polynomial is and the coefficient vector of polynomial is . The anti-circulant matrix defined by polynomial is as follows:
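As an added example (this is not the paper’s code, and the paper’s own symbols are not reproduced on this page), the following Python implements the convolution polynomial ring arithmetic of Definition 2, the anticirculant matrix of Definition 3, and the polynomial inverse modulo q that Definition 4 uses to form an NTRU public key of the form h = g·f⁻¹. It assumes the ring is Z_q[x]/(x^N + 1), which is what “anticirculant” and “N a power of two” indicate; the prime q = 17, N = 4, and the sample polynomials are constructed for the demonstration and are far too small for any security.

```python
# Added example: arithmetic in R_q = Z_q[x]/(x^N + 1) (assumed modulus polynomial),
# the anticirculant matrix of a polynomial, and f^{-1} mod q via the matrix inverse.
# Polynomials are coefficient lists [f_0, f_1, ..., f_{N-1}].

def poly_add(a, b, q):
    """Coefficient-wise addition mod q (the addition of Definition 2)."""
    return [(x + y) % q for x, y in zip(a, b)]

def poly_mul(a, b, q):
    """Convolution product in Z_q[x]/(x^N + 1): x^N wraps around to -1 (negacyclic)."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                out[k] = (out[k] + ai * bj) % q
            else:
                out[k - n] = (out[k - n] - ai * bj) % q
    return out

def x_times(f):
    """Coefficient vector of x*f in Z[x]/(x^N + 1): shift right, wrapped coefficient negated."""
    return [-f[-1]] + f[:-1]

def anticirculant(f, q):
    """Rows are the coefficient vectors of f, x*f, ..., x^{N-1}*f (Definition 3)."""
    rows, row = [], [c % q for c in f]
    for _ in range(len(f)):
        rows.append(row)
        row = [c % q for c in x_times(row)]
    return rows

def vec_mat(a, M, q):
    """Vector-matrix product a^T M mod q; with M = anticirculant(f) this equals a*f."""
    return [sum(a[i] * M[i][j] for i in range(len(a))) % q for j in range(len(M[0]))]

def mat_inv_mod(M, q):
    """Gauss-Jordan inverse over Z_q (q prime); returns None when M is singular."""
    n = len(M)
    A = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % q), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [(x * inv) % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                factor = A[r][col]
                A[r] = [(x - factor * y) % q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def poly_inverse(f, q):
    """f^{-1} in R_q, or None if f is not invertible: since (f^{-1})^T A(f) = e_0,
    the inverse is the first row of A(f)^{-1}."""
    Ainv = mat_inv_mod(anticirculant(f, q), q)
    return None if Ainv is None else Ainv[0]

def ntru_public_key(f, g, q):
    """Toy NTRU-style public key h = g * f^{-1} mod q (None if f has no inverse)."""
    finv = poly_inverse(f, q)
    return None if finv is None else poly_mul(g, finv, q)

if __name__ == "__main__":
    q, f, g = 17, [1, 2, 3, 4], [1, 0, 16, 0]          # constructed toy values
    h = ntru_public_key(f, g, q)
    print("h =", h, " h*f == g:", poly_mul(h, f, q) == g)
```

The check `poly_mul(h, f, q) == g` is the relation that makes (f, g) a short vector in the NTRU lattice of Definition 4 for the public key h; with real parameters, recovering such an (f, g) from h alone is the NTRU-SIS problem of Definition 6.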

Definition 4 (NTRU lattice). Let a positive integer , is a power of two and , be the inverse of , . The NTRU lattice corresponding to and is as follows:
Apparently, lattice is a -dimensional full-rank lattice, and is a set of basis matrices. can be uniquely determined by the polynomial , whereas the others can be compressed during storage. Thus, the storage space required is relatively small. However, in NTRU lattice-based cryptographic schemes, cannot be used as a trapdoor basis because it has poor orthogonality.

Definition 5 (discrete Gaussian distribution) [32]. For any and -dimensional integer lattice , the discrete Gaussian distribution on integer lattice with vector as the center and as the parameter is defined as follows:
where . When , let and be abbreviated as and , respectively. Throughout the article, denotes the discrete Gaussian distribution over .

2.3. Hardness Assumption

Definition 6 (NTRU small-integer solution, NTRU-SIS) [33]. For a polynomial and a real number , to find two nonzero polynomials such that and .

Definition 7 (extended NTRU, e-NTRU) [29]. Given polynomials , where , to find a tuple of short polynomials , such that

Theorem 1 (see [29]). Let integer and integer , then the e-NTRU problem is polynomially equivalent to the NTRU-SIS problem.

2.4. Related Algorithm

Lemma 1 (see [34]). Let an integer for , a prime number , and a parameter . Then, a probabilistic polynomial time (PPT) algorithm can output a sample matrix from (a distribution close to) and a polynomial on the NTRU lattice .

Lemma 2 (see [34]). Given a matrix and a parameter for , where is the security parameter. For any polynomial , a PPT algorithm may output , such that .

Definition 8 (rejection sampling algorithm) [35]. In 2012, Lyubashevsky first proposed the rejection sampling technique and used it to give the first lattice-based signature scheme without a trapdoor. Applied to a signature scheme, it makes the distribution of the signature independent of the private key, and thus effectively prevents leakage of the private key.

Lemma 3. Let , , and is a probability distribution. Then, for constant , the statistical distance of output distributions of Algorithms 1 and 2 is less than .

Algorithm 1. , , output with probability .

Algorithm 2. , , output with probability .
Furthermore, the output probability of Algorithm 1 is at least .
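The following Python is an added example (not the paper’s code) for Definitions 5 and 8 and Lemma 3. It computes the output distributions of the two algorithms of Lemma 3 exactly by enumeration over a truncated one-dimensional discrete Gaussian, rather than by sampling: the “real” algorithm draws z from D_{v,σ} (v playing the role of the private-key-dependent term) and outputs it with probability min(1, D_σ(z)/(M·D_{v,σ}(z))), while the “ideal” algorithm draws z from D_σ and outputs it with probability 1/M. The constant M = exp(12/α + 1/(2α²)) for σ = α|v| is taken from Lyubashevsky [35] and is an assumption here, since the page does not print it; σ = 60 and v = 5 are constructed values. The example shows the statistical distance between the two output distributions is negligible and the acceptance rate is about 1/M, and, for contrast, that the raw sample without rejection is measurably biased toward v.

```python
# Added example: exact output distributions of the rejection-sampling and idealized
# samplers of Lemma 3, computed by enumeration (no randomness involved).
import math

def lyubashevsky_M(alpha):
    """Rejection constant for sigma = alpha*|v|; assumed form exp(12/alpha + 1/(2 alpha^2)) from [35]."""
    return math.exp(12.0 / alpha + 1.0 / (2.0 * alpha * alpha))

def discrete_gaussian(sigma, center=0.0, tail=14):
    """1-D discrete Gaussian D_{center,sigma} over Z as {z: probability},
    truncated to center +/- tail*sigma (the dropped tail mass is astronomically small)."""
    lo, hi = math.floor(center - tail * sigma), math.ceil(center + tail * sigma)
    w = {z: math.exp(-((z - center) ** 2) / (2.0 * sigma * sigma)) for z in range(lo, hi + 1)}
    total = sum(w.values())
    return {z: p / total for z, p in w.items()}

def real_sampler_output(sigma, v, M):
    """z <- D_{v,sigma}; output z with prob min(1, D_sigma(z) / (M * D_{v,sigma}(z)));
    the key None carries the probability of rejecting (restarting)."""
    d0, dv = discrete_gaussian(sigma), discrete_gaussian(sigma, center=v)
    out = {}
    for z, pv in dv.items():
        accept = min(1.0, d0.get(z, 0.0) / (M * pv))
        out[z] = pv * accept
    out[None] = 1.0 - sum(out.values())
    return out

def ideal_sampler_output(sigma, M):
    """z <- D_sigma; output z with probability 1/M, independent of any secret v."""
    out = {z: p / M for z, p in discrete_gaussian(sigma).items()}
    out[None] = 1.0 - 1.0 / M
    return out

def statistical_distance(p, q):
    """(1/2) sum over the union of supports of |p(k) - q(k)|."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)

def acceptance_probability(dist):
    return 1.0 - dist[None]

def demo(sigma=60.0, v=5):
    """Compare the two samplers for constructed sigma, v; alpha = sigma/|v| = 12."""
    M = lyubashevsky_M(sigma / abs(v))
    real, ideal = real_sampler_output(sigma, v, M), ideal_sampler_output(sigma, M)
    return {
        "M": M,
        "distance_with_rejection": statistical_distance(real, ideal),
        "acceptance_probability": acceptance_probability(real),
        # without rejection the raw sample leaks v: D_{v,sigma} is distinguishable from D_sigma
        "distance_without_rejection": statistical_distance(
            discrete_gaussian(sigma, center=v), discrete_gaussian(sigma)),
    }

if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val:.3e}")
```

The distance reported with rejection is only floating-point noise plus the mass of D_{v,σ} beyond 12σ, which is the ε of Lemma 3; the distance without rejection is a few percent even for this small shift, which is exactly the private-key leakage that Definition 8 says the technique removes.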

3. Security Model

In this section, we present our security model and define related security concepts.

3.1. LRS Definition

An LRS scheme consists of the following five PPT algorithms:
(1): On input a security parameter , it outputs system public parameters .
(2): On input the public parameters , it outputs a public/private key pair . We denote by SK and PK the domains of possible private and public keys, respectively.
(3): On input the public parameters , a public key list , a message , and private key , it outputs a signature , which contains a linking tag .
(4): On input the system public parameters , a public key list , a message , and a signature , if is valid, it outputs “1”; otherwise, it outputs “0.”
(5): On input two signatures , where and are the signatures of different messages and under the same ring, which contain linking tags and , respectively, it checks whether and outputs “Link” if ; otherwise, it outputs “Unlink.” “Link” means that the two signatures were generated by the same signer, and “Unlink” means that they were generated by different signers.

Definition 9 (correctness). Correctness for LRS contains verification correctness and linking correctness simultaneously.
(i) Verification Correctness: For a valid signature , the probability of the algorithm outputting “0” is negligible.
(ii) Linking Correctness: For two valid signatures generated using the same private key, the probability of the algorithm outputting “Unlink” is negligible.
The formal definition of the correctness of the LRS scheme is shown in the following expressions:

3.2. Security Model

Generally, an LRS scheme should satisfy three security properties, namely unforgeability, anonymity, and linkability. Following the security model of UALRS proposed by Liu et al. [8] in 2013, this study uses a series of games between an adversary A and a challenger S to describe the security model of LRS. Supposing there are members in the ring, these three properties are described as follows.

Before defining unforgeability, anonymity, and linkability, we consider the following oracles, which together simulate the adversary’s ability to break the security of the scheme.
(Joining Oracle): A inputs member index , and S outputs the corresponding public key to A.
(Corruption Oracle): A inputs a public key , which is a query output of , and S returns the corresponding private key .
(Signing Oracle): A inputs a public key list and a message , and S returns a valid signature .

In addition, in the random oracle model, a random oracle is provided for the hash function, which A may query.

3.2.1. Unforgeability

It means that users outside the ring cannot successfully forge a legal signature under the ring. That is, without the private key of a member in the ring, even if the adversary obtains multiple valid message-signature pairs, the probability of the adversary successfully forging a valid signature is negligible. Unforgeability for the LRS scheme is defined by the following game between an adversary A and a challenger S, in which A is given access to oracles , , , and :
(i) The system public parameters are generated by challenger S and given to A.
(ii) A can access the oracles adaptively.
(iii) A gives S a list of public keys, a message , and a signature .

A wins the game if
(i) ;
(ii) all public keys in are obtained by querying ;
(iii) no public key in has been input to ;
(iv) is not obtained by querying .

We express it as

Definition 10 (unforgeability). If the advantage of any PPT adversary A to win the unforgeability game is negligible, then the LRS scheme is unforgeable.

3.2.2. Unconditional Anonymity

It means that given a ring signature, no one can guess the real signer. In other words, given the public keys of all the members of the ring, it is impossible for anyone to tell the public key of the actual signer with probability larger than , where denotes the cardinality of the ring, even if the adversary has unlimited computing time and resources. The unconditional anonymity of LRS is described by the following game between an adversary A and a challenger S, where A is granted access to oracle :
(i) The system public parameters are generated by challenger S and given to A;
(ii) A can access the oracle adaptively;
(iii) A gives S a public key list , which are query outputs of , and a message . S randomly samples , uses the signature key corresponding to to run algorithm , and generates and gives A the signature ; and
(iv) A returns the guess value .

We express it as

Definition 11 (unconditional anonymity). If the advantage of any unbounded adversary A in winning the anonymity game is negligible, then the LRS scheme is said to be unconditionally anonymous.
It is worth noting that though only is given to A, since A has unbounded computation power, it can compute the solution of any NP-hard problem, such as NTRU-SIS, large integer factorization, discrete logarithm, and the preimage of a given hash value. Therefore, unconditional anonymity in fact requires that even in this case, A is still unable to reveal the public key of the actual signer of an RS with probability higher than .

3.2.3. Linkability

It means that two signatures generated by the same ring member can be linked. That is, an adversary who holds fewer than two members’ private keys in the ring cannot generate two valid signatures that the linking algorithm determines to be “Unlink.” The linkability of an LRS scheme is described by the following game between an adversary A and a challenger S, where A is granted access to oracles , , , and :
(i) The system public parameters are generated by challenger S and given to A.
(ii) A can access the oracles adaptively.
(iii) A gives S two sets and , messages , and signatures and , where and contain the corresponding linking tags and , respectively.

A wins the game if
(i) all public keys in are query outputs of ;
(ii) for , such that is not an output of ;
(iii) has been queried fewer than two times;
(iv) .

We express it as

Definition 12 (linkability). If the advantage of any PPT adversary A to win the linkability game is negligible, then the LRS scheme is linkable.

4. Scheme Construction

(1): On input the security parameter and integer , where , a ring of , a prime , two parameters and , where , choose a collision-resistant hash function , and output .
(2): On input the system public parameters , the following steps should be performed:
(i) Run the trapdoor generation algorithm to generate ;
(ii) Randomly choose , and let such that ; and
(iii) Output a public key list , and the private key for the member : .
(3): On input the system public parameters , the public key list , a message , and a private key , the member performs the following steps:
(i) Compute the linking tag
(ii) For , sample random vectors .
(iii) Let
(iv) If , compute
if , compute
(v) Continue with probability , where ; otherwise restart.
(vi) Output the signature .
(4): On input the system parameters , the public key list , a message , and a signature , output “1” if and only if the following conditions are true; otherwise, output “0”:
(5): On input two signatures and , which contain linking tags and , respectively, the following steps should be performed:

Verify whether . If , then return “Link”; otherwise, return “Unlink.”

Theorem 2 (correctness). The proposed LRS scheme satisfies correctness.

Proof. Assuming is a signature generated by a member of the ring according to the algorithms under public key set , then the following equation holds:
Given that , we have
Hence,
By using the rejection sampling algorithm described in Definition 8, the distribution of is close to for . Thus, by Lemma 3, satisfies with probability at least . Therefore, the proposed scheme satisfies verification correctness.
Assume member calculates the linking tags of messages and as and , respectively. In the proposed scheme, and are generated by the signer's public and private keys, and thus this scheme satisfies linking correctness. This completes the proof.

5. Security Analysis

Theorem 3 (unforgeability). Under the random oracle model, when the e-NTRU problem is intractable, the proposed LRS scheme is unforgeable.

Proof. Setup Phase: To solve the e-NTRU problem, S gets an instance
Query Phase: Adversary A is allowed to access oracles , , , and , and S responds as follows:
(i) : A inputs , and S first checks whether there is a relevant record in the list . If so, the same query result is returned to A. Otherwise, S randomly picks , gives A an integer , and adds the tuple to the list .
(ii) : Suppose A can access the oracle at most times, where . S selects a subset of random indexes and assigns to these indexes as their public keys, respectively. For these indexes, S does not know the corresponding private keys. We use to denote the other indexes; for them, S obtains the public and private keys according to the algorithm . A inputs an index to query, and S outputs the corresponding public key.
(iii) : A inputs a public key , and S checks whether belongs to . If so, S stops; otherwise, S outputs the corresponding private key.
(iv) : A inputs a ring public key set , a public key , where , and a message . S performs as follows:
(1) If does not correspond to any element in the subset , then S knows its private key and generates the signature according to the signature algorithm . Otherwise, we assume that is obtained by .
(2) S checks the list to find the record corresponding to the index . Then, S randomly chooses and sets the output of to .
(3) S returns a signature with probability , where .
Forgery Phase: After the simulation, A gives S a signature on satisfying the following conditions:
(i) ;
(ii) all of the public keys in are query outputs of ;
(iii) A did not query about the public keys in ;
(iv) is not a query output of .
Analysis. Assuming the signature is a valid signature, the following shows how S can solve the e-NTRU problem using the forged result of A. We consider the following two situations:
(i) If appears in the , assume that is a query output of . Given that the signature is valid, it satisfies
Given that A successfully forged the signature, there is
When the function collides, S aborts (Abort I). Otherwise, from (22) and (23), there is
Therefore, is a solution to the e-NTRU problem.
(ii) If appears in the query and is stored as in , then
When the function collides, S aborts (Abort II). Otherwise, from (23) and (26), there is
S performs the following: when , let and ; when , let and . Then, we have
Given (23), (27), and (28), we have
Thus, the solution to the e-NTRU problem is .
Probability Analysis. The challenger S fails when Abort I or Abort II occurs. The probability of colliding is . Assume A can successfully forge the signature with probability ; then the probability of S solving the e-NTRU problem is . This completes the proof.

Theorem 4 (unconditional anonymity). The proposed scheme satisfies unconditional anonymity.

Proof. The anonymity proof of the signature is completed by the following game between adversary A and challenger S. If the signature distributions of different members in the ring are computationally indistinguishable to adversary A, then this scheme satisfies anonymity.
Query Phase: A is allowed to access , and S responds as follows:
: A inputs an index to query. S runs the algorithm to generate the public key and returns it to A.
Challenge Phase: A inputs a public key list and a message . S randomly chooses , then runs to generate the signature and gives it to A, where is the private key corresponding to index .
Guess Phase: A gives a value as a guess for .
Analysis. Suppose A is an adversary with unlimited computing power. Next, we show that the advantage of A in winning the anonymity game is negligible. We need to prove that the distributions of signatures generated with the private keys of different users are computationally indistinguishable.
First, even if A is an adversary with unlimited computing power, from the query or from the challenge signature (which contains a linking tag), A still cannot deduce the private key or the corresponding index. That is because the randomness of the algorithms and makes each public key correspond to multiple pairs , and which one is the actual private key of member cannot be determined. Moreover, given a linking tag , determining which member generated it is no better than random guessing for the adversary. In addition, it should be noted that the signature is generated using not only a private key but also a set of random numbers. Lemma 3 guarantees that the distributions of and are indistinguishable, and that the distribution of is independent of . That is, in the view of the adversary, the signature is independent of the index of the actual signer. Hence, we conclude that even an unbounded adversary cannot guess the index with probability greater than .
We can infer that when A is a normal adversary, that is, A has limited computing power and time, it obviously cannot break the anonymity of the scheme. This completes the proof.

Theorem 5 (linkability). Under the random oracle model, if the proposed scheme is unforgeable, then for any PPT adversary A, the proposed scheme is linkable.

Proof. We will show that if the proposed scheme satisfies unforgeability, then it also satisfies linkability. The linkability proof of the scheme is completed by the following game between an adversary A and a challenger S.
(i) S generates the system public parameters and public and private keys , and then sends to A.
(ii) A can access , , , and , and the process of accessing , , , and in the linkability game is the same as that in the unforgeability game.
(iii) Suppose A outputs two signatures and under public key set , which satisfy the following conditions:
(1) all public keys in are outputs of ;
(2) for , such that is not an output of ;
(3) A accesses at most once.
Analysis. Assume A can generate two signatures and with nonnegligible probability while holding only one private key , and for . Given that the proposed LRS scheme is unforgeable, these two signatures pass the Verify algorithm if and only if A honestly generates signatures and using his private key . In other words, we have and . And since there is also only one public key corresponding to this private key, that is, , we have . This indicates that the algorithm returns when given the two signatures and . Hence, the advantage of A is negligible. This completes the proof.

6. Discussion

6.1. Parameter Selection

The security of the proposed scheme is based on the e-NTRU problem, which reduces to the NTRU-SIS problem. The NTRU-SIS problem is to find two polynomials that satisfy and in the NTRU lattice, which in turn reduces to the -Ideal-SVP problem. Similar to [34, 36], we use the “root Hermite factor ”, which measures the hardness of -Ideal-SVP problems, to select the parameters.

If we look for a polynomial in an -dimensional lattice, which is greater than the root of the determinant, then the associated is

According to [37], if we look for a small-size polynomial in the NTRU lattice, the associated is

From the results in [36, 38], if the value of is approximately 1.007, to find the polynomial is at least 80 bits hard. If the value of is less than 1.004, to find the polynomial is at least 192 bits hard.

The methods to attack the proposed scheme are mainly to attack the ring member's public key and the signature.

The public key of the member is a polynomial . The attack on is to find two nonzero small-size polynomials that satisfy . By Lemma 1 we know . So, using (32) to calculate the value of , we have . When , , it is at least 80 bits hard to attack the ring member’s public key, and when , , it is at least 192 bits hard to attack the ring member’s public key.

The attack on the signature of the member is to find a vector that passes the verification algorithm without the member’s private key. It can be seen from Lemma 3 that . Since , where , we have for and for . So, computing the value of by (28), we have

When , , to attack the ring member’s signature is at least 80 bits hard, and when , , to attack the ring member's signature is at least 192 bits hard. The recommended choice of the parameters is shown in Table 2.

6.2. Post-Quantum Security

The proposed scheme is based on a hardness assumption over lattices, which is generally recognized to resist quantum attacks. The security proof of the proposed scheme is unlikely to be extended to the Quantum Random Oracle Model [39] (QROM): in the security proofs (Theorems 3 and 5), we use adaptive programming of the random oracle (RO) , and this proof technique is to some extent inherent in the structure of the scheme.

We note that other schemes built on the QROM, such as [40, 41], also use a form of RO programming (even if not adaptive). In addition, although Fiat–Shamir seems unlikely to be provable in the QROM, to the best of our knowledge there are no known attacks on protocols using these proof techniques that stem from the use of the RO.

7. Performance Analysis

In this section, the proposed LRS scheme is compared with the schemes [23, 24, 26, 27, 30] in terms of efficiency. We mainly compare these schemes in terms of elapsed time and storage space.

Comparison terms in Table 3 include signature generation cost, signature verification cost, unconditional anonymity, and hardness assumption. Comparison terms in Table 4 include the public and private key sizes, as well as the signature size, of each user. In Tables 3 and 4, is the degree of polynomials, is a large prime number, represents the cardinality of the ring, and and are integers. The time costs of one run of the discrete Gaussian sampling algorithm and of the rejection sampling algorithm are denoted by and , respectively. In general, . The time cost of a polynomial-polynomial multiplication is denoted by , and . The time overhead of hashing, matrix-matrix addition, and polynomial-polynomial addition is ignored because these operations take comparatively little time. We mainly focus on time-consuming operations, such as matrix-matrix multiplication and polynomial-polynomial multiplication.

In terms of signature generation cost, the proposed scheme mainly uses the Gaussian sampling algorithm times, the polynomial-polynomial multiplication times, and the rejection sampling algorithm once. Hence, the signature generation cost is . In terms of signature verification cost, since the proposed scheme primarily runs polynomial-polynomial multiplication times, the signature verification cost is about . From Table 3, due to , compared with the four schemes of [23, 24, 26, 30], the proposed scheme has higher signature generation and verification efficiency. The signature generation and verification time of the proposed scheme is linear in the number of ring members , while that of the scheme of [27] is logarithmic in . Therefore, when is large, the signature generation and verification efficiency of the scheme of [27] is better than that of the proposed scheme. But when is small, the proposed scheme is more efficient under the relevant parameter settings. In addition, only Alberto Torres et al.'s scheme [24] and our scheme achieve unconditional anonymity, while the other four schemes only have computational anonymity. And the signature generation and verification efficiency of our scheme is clearly higher than that of Torres et al.'s scheme.

In the proposed scheme, the public key of the member in the ring is a small polynomial generated by the trapdoor generation algorithm , and the private key consists of two small polynomials in . Therefore, the public and private key lengths of the proposed scheme are and , respectively. As shown in Table 4, the public and private key lengths of [23, 24, 26, 27, 30] are , , , , and , respectively. Hence, the public key size of the proposed scheme is similar to that of [24, 30] and smaller than that of [23, 26, 27]. With respect to private key size, the private key of the proposed scheme is larger than that of [23], and both are smaller than those of [24, 26, 27, 30]. For signature size, the signature size of the scheme of [27] is logarithmic in , while that of the other five schemes, including the proposed scheme, is linear in . But the signature size of [23, 30] and of the proposed scheme grows clearly more slowly than that of [24, 26].

8. Implementation and Evaluation

We implemented and evaluated the proposed LRS scheme on a typical laptop running Windows 8.1 with an Intel(R) Core(TM) i5-4210U CPU and 4.00 GB of RAM. We selected parameters that make the proposed scheme secure, and the detailed parameter settings are given in Table 5. We ran the signature generation and verification algorithms 1000 times. At security level , the average running time of these algorithms for the five schemes under different numbers of ring members is shown in Table 6. It can be seen from Table 6 that the signature generation and verification of [24] take the longest time among the six schemes, while the signature generation and verification time of the proposed scheme is shorter than that of [23, 24, 26, 30]. Compared with [27], when , the proposed scheme has higher signing efficiency, but when , the signing efficiency of the proposed scheme needs to be improved. On average, compared with the other five schemes, the signature generation and verification time of the proposed scheme is reduced by about 56.61% and 65.18%, respectively. In particular, compared with [24], which like ours has unconditional anonymity, the signature generation and verification time of the proposed scheme is reduced by about 94.52% and 97.18%, respectively.

At security level , the comparison between the proposed scheme and the other five schemes in public/private key size and signature size under different numbers of ring members is shown in Table 7. The public key size of the proposed scheme is equal to that of [24, 30] and smaller than that of [23, 26, 27]. With respect to private key size, the private key of the proposed scheme is larger than that of [23] but significantly smaller than those of [24, 26, 27, 30]. In the case of signature size, the signature of the proposed scheme is larger than that of [23] but significantly smaller than those of [24, 26, 30]. When , the signature size of the scheme in [27] is shorter than that of the proposed scheme. However, the scheme of [27] only has computational anonymity, while the proposed scheme has unconditional anonymity. In particular, compared with [24], the signature size of the proposed scheme is reduced by 58.03% on average.

In addition, the above experiment is only a proof-of-concept implementation and does not include potential optimizations, such as FFT-based polynomial-polynomial multiplication.

9. Conclusions

Based on the e-NTRU problem, this study constructed an LRS scheme on the NTRU lattice by combining preimage sampling and rejection sampling techniques. Under the random oracle model, the security of our LRS scheme was analyzed in detail. The analysis shows that our scheme satisfies the requirements of correctness, unforgeability, and linkability based on the intractability of the e-NTRU problem in the random oracle model. In particular, our scheme achieves unconditional anonymity. The efficiency of the proposed scheme was analyzed in detail, and optional parameter settings that meet the security requirements are given. Finally, the proposed scheme and five other recent lattice-based LRS schemes were implemented, which shows that under the same security level, the proposed scheme has higher signature generation and verification efficiency as well as a shorter signature size compared with the other five LRS schemes.

Data Availability

The data that support our findings are available at https://github.com/wang-0218/ring-signature.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (Grant no. 61802117), Support Plan of Scientific and Technological Innovation Team in Universities of Henan Province (Grant no. 20IRTSTHN013), the Youth Backbone Teacher Support Program of Henan Polytechnic University (Grant no. 2018XQG-10), and Key Scientific Research Project of Henan Higher Education Institutions (Grant no. 20A413005).