#### Abstract

Digital signature schemes with additional properties have broad applications, such as in protecting the identity of signers allowing a signer to anonymously sign a message in a group of signers (also known as a ring). While these number-theoretic problems are still secure at the time of this research, the situation could change with advances in quantum computing. There is a pressing need to design PKC schemes that are secure against quantum attacks. In this paper, we propose a novel code-based threshold ring signature scheme with a leader-participant model. A leader is appointed, who chooses some shared parameters for other signers to participate in the signing process. This leader-participant model enhances the performance because every participant including the leader could execute the decoding algorithm (as a part of signing process) upon receiving the shared parameters from the leader. The time complexity of our scheme is close to Courtois et al.’s (2001) scheme. The latter is often used as a basis to construct other types of code-based signature schemes. Moreover, as a threshold ring signature scheme, our scheme is as efficient as the normal code-based ring signature.

#### 1. Introduction

Public-key cryptographic (PKC) method remains a topic of research interest partly due to its role in our increasingly digitalized society and the challenge of designing efficient and provably secure schemes with additional features required in contemporary applications. Existing PKC schemes are generally based on the hardness of number theory problems, such as factorization and discrete logarithm problems. While these number-theoretic problems are still secure at the time of this research, the situation could change with advances in quantum computing. For example, in the 1990s, Shor presented a quantum attack algorithm that could be used to solve both factorization and discrete logarithm problems in polynomial time with quantum computers [1, 2]. Thus, there is a pressing need to design PKC schemes that are secure against quantum attacks. Code-based PKC schemes, established by McEliece in 1978 [3], are one kind of such postquantum PKC schemes. Code-based PKC schemes are based on hard problems in coding theory and are considered as an appropriate solution to keep the message secure in the quantum era.

In 2001, Rivest et al. presented the ring signature as a digital signature scheme with additional property [4]. In a ring signature scheme, each member of the ring has a unique public-private key pair. For a message , any signer in the ring is able to generate a signature on with the private key and the ring public key which consists of the public keys of all signers in the ring. The user could only verify the validation of the signature without knowing who the true signer of the message is; thus, it preserves the anonymity of the signer. Due to this property, ring signature has many potential applications in real-world scenarios. One practical application is a company soliciting opinions from its employees. In order to improve the reliability of employee feedback, it is often necessary for multiple employees (which can be thousands in a large multinational corporation or company) to submit their opinions. At the same time, in order to prevent the retaliation of senior management or line supervisor, the true identity of the participating employees should not be revealed. Threshold ring signature is one appropriate solution for such an application, which enables the employees to reach a certain quantity to jointly generate a valid signature. Ring signature can also be used for data sharing in the cloud [5] and for privacy-preserving public auditing of shared data [6].

Since the notion of ring signatures was introduced, there have been a number of ring signature schemes proposed in the literature. Shacham and Waters [7] presented the first efficient ring signature scheme based on bilinear groups. The scheme is anonymous against full key exposure and unforgeable with respect to insider corruption. Kar [8] proposed an online/offline ring signature scheme whose security is based on both computational Diffie-Hellman and -CAA problems. The scheme satisfies signer ambiguity and enables the misbehavior of the signer to be detected. Wang et al. [9] presented a new concept of identity-based quotable ring signature which could be used to derive new ring signatures on substrings of an original message from an original ring signature on the original message. The scheme is based on bilinear pairing of composite order and proven to be secure under the assumption that the subgroup decision problem and computational Diffie-Hellman problem are hard. Zeng et al. [10]. proposed an efficient noninteractive deniable ring signature scheme and proved its security in the standard model. Nevertheless, all the aforementioned schemes [7–10] are based on the hard problems in number theory and thus will became insecure as soon as large quantum computers are built. There are also some alternative ring signature schemes that are based on the hard problems not affected by quantum computer attacks, such as the schemes based on NTRU lattices [11] and based on multivariate quadratic polynomials [12].

Bresson et al. extended the notion of ring signatures into threshold ring signatures, which are increasingly popular due to their practical utilities in comparison to the conventional ring signatures [13]. Similar to ring signature schemes, a threshold ring signature scheme allows at least signers in the ring of signers to cooperate with each other to sign a message without leaking any identity information of the signers. Existing threshold ring signature schemes are mostly based on the number theory [14–17]; hence, as mentioned above, such schemes could be insecure in the quantum world. To the best of our knowledge, Dallot and Vergnaud’s scheme [18] and Aguilar Melchor et al.’s scheme [19] are the only two code-based threshold ring signature schemes published in the literature. Dallot and Vergnaud’s scheme [18] combined Bresson et al.’s construction [13] and Courtois et al.’s signature [20], which results in the signature size twice the number of system users. Aguilar Melchor et al.’s scheme [19] is a generalization of Stern’s identification and signature scheme [21] and has low efficiency in the signature size.

In this paper, we propose a novel code-based threshold ring signature scheme. The security of our proposed scheme is based on the hardness of the syndrome decoding (SD) problem (known to be an NP-complete problem) and the indistinguishability of Goppa codes from random linear codes. In the proposed scheme, a leader is appointed from the signers, who chooses some shared parameters for other signers to participate in the signing process. This leader-participant model enhances the performance because every participant including the leader could execute the decoding algorithm (as a part of signing process) concurrently and immediately upon receiving the shared parameters from the leader.

The rest of this paper is organized as follows: Section 2 presents background information and preliminaries. Section 3 describes our proposed method, whose security analysis is presented in Section 4 and efficiency is evaluated in Section 5. Conclusion is presented in Section 6.

#### 2. Preliminaries

##### 2.1. Definitions and Problems in Coding Theory

For the rest of this paper, we consider linear codes over binary field .

*Definition 1 (weight). *The (Hamming) weight of a vector (or word) , denoted by , is the number of nonzero bits in .

*Definition 2 (code). *An (linear) code is a linear -dimensional subspace of with minimum distance , which is defined as An code has the -error-correcting capability.

*Definition 3 (generator matrix and parity-check matrix). *A generator matrix of an code is a matrix whose rows form a basis of . A parity-check matrix of is a generator matrix of the dual of , which has the order .

The security of our threshold ring signature scheme is based on the following two hard problems in coding theory. Let denote the set of all vectors of length and weight .

*Problem 4 (Syndrome Decoding (SD)). **Input*. It includes an integer , a vector , and a random binary matrix .*Property*. Find a vector such that where denotes the transpose of vector (or matrix) . The advantage of adversary solves the SD problem denoted by , which is negligible since the SD problem was proven to be NP-complete in [22].

To describe the following Goppa Code Distinguishing (GCD) problem, we denote by the set of parity-check matrices of all binary irreducible Goppa codes and the set of the parity-check matrices of all random binary linear codes. Set .

*Problem 5 (Goppa Code Distinguishing (GCD)). **Input*. A matrix is randomly chosen from set .*Property*. Return s.t. .

Let be a probabilistic polynomial time (PPT) distinguisher for the GCD problem. The advantage, denoted by , of is defined as follows: The indistinguishability assumption of the GCD problem holds if is negligible.

##### 2.2. Threshold Ring Signature

We use the formal definition of threshold ring signature scheme following the work of Bresson et al. [13]. Let us assume that there are signers , , forming a ring and the threshold of generating a valid signature is with . For simplicity, we assume the first signers are the true signers in . A threshold ring signature scheme consists of four algorithms (*Setup, KeyGen, Sign, Verify*).

. The algorithm takes as input a security parameter and outputs the system public parameter .

. The algorithm takes as input the parameter and generates pairs of public-private key for the signers , . The public keys , , form the ring public key and each private key is sent to the signer via a secure channel, .

. The algorithm takes as input a message , the parameter , the ring public key , and a private key set of singers and outputs a threshold ring signature on .

. The algorithm takes as input the message , the ring public key , and the threshold ring signature and outputs if (, ) is a valid message-signature pair. Otherwise, the algorithm outputs .

##### 2.3. Security Model

A threshold ring signature scheme needs to satisfy the correctness, anonymity, and unforgeability properties.

*Correctness*. We say that a ring signature scheme satisfies the correctness property if, for any valid private key set and message , the following equation holds:

*Anonymity*. We say that a ring signature scheme satisfies the anonymity property if, for a given message-signature pair , any attacker has only the probability to determine the real signers participating in the signing process. More formally, the anonymity says that, for two message-signature pairs and signed by two signer sets and , respectively, the following absolute value is negligible:

*Unforgeability*. To define unforgeability, we introduce an attack model of threshold ring signatures. A PPT forger is allowed to access a corruption oracle, a signature oracle, and a hash oracle and make adaptively queries on them. After the corruption queries, can obtain at most private keys of ring members. can also use the signature queries to obtain threshold ring signatures for messages and signers chosen by . Then, attempts to forge a signature on a chosen message (note that is not allowed to be an output of some signature oracle). We say that a threshold ring signature scheme satisfies the unforgeability property if, for any PPT attacker , the probability, denoted by , that succeeds in this attack is negligible.

We remark that there is a special signer, referred to as leader, in our threshold ring signature scheme. The leader is randomly chosen during each sign process without any additional privileges. The leader in our scheme must act honestly. Otherwise, anonymity of participating signers cannot be achieved.

#### 3. Our Threshold Ring Signature Scheme

For simplicity, we denote to be the sequence . Our code-based threshold ring signature scheme can be described as follows.

. Given a security parameter , the algorithm chooses integers , , , and to, respectively, represent length, dimension, minimum distance, and error-correcting ability of the code underpinning our scheme. The algorithm outputs the system public parameter, .

. Given , the algorithm performs the following:(i) For each signer in the ring , choose a parity-check matrix of a -error-correcting irreducible Goppa code, which has a corresponding fast decoding algorithm , .(ii) For each signer , choose a random binary invertible matrix and a random permutation matrix , .(iii) Compute(iv) For each signer , set the private key and public key , . The ring public key is and each private key is sent to the signer via a secure channel, .

. Given message , system parameter , ring public key , and private key set of signers, where for each , the algorithm first elects a leader randomly from the involved signer set . Note that is just a signer participating in the signing process without any additional privileges. The signing processes are executed as follows:(i) For each , , randomly choose , , and compute where is a one-way collision-resistant hash function.(ii) For each , , compute . If is a decodable syndrome, compute to obtain a vector such that Otherwise, return to the previous step to recompute .(iii) Compute For all signers , , the above signing processes can be concurrent. (iv) Each sends generated vectors , , to the leader .(v) Upon receiving all vectors , , executes the following steps:(a) For each , choose a random under the condition . Set(b) If is an odd number, then compute Otherwise (i.e., is an even number), compute (c) Compute . If is a decodable syndrome, compute to obtain an vector such that Otherwise, return to the first step executed by to choose another . (d) Compute(e) Output as the threshold ring signature on the message .

. Given the ring public key and a message-signature pair , the verifier can check the validity of by executing the following steps:(i)Check if holds for each . If it does not, output and terminate the verification process.(ii)Check if holds. If it holds, output , and , otherwise.

#### 4. Security Analysis

In the section, we analyze the security of our scheme, based on the security model defined in Section 2.3.

##### 4.1. Correctness

Let be a valid message-signature pair generated by signers , , as in Section 3. First, it is clear that each has length and weight , based on our construction (see (10), (11), and (15)). Thus, holds for each . Now it remains to show (16): Starting from the right side of the equation, we have Next, we consider two cases with respect to the value of . Recall that all the operations in this paper are executed over the binary field . If is an odd number, then we have Otherwise (i.e., is an even number), we have To sum up, we have for both cases of . Together with the relation , , we have This demonstrates that our threshold ring signature scheme satisfies the correctness property.

##### 4.2. Anonymity

Assume that there is an adversary who receives two valid message-signature pairs and generated by two sets and of signers, respectively. From the view of , each vector , , , in the signatures or is completely random. This results in a negligible absolute value and, hence, our threshold ring signature scheme satisfies the anonymity property.

##### 4.3. Unforgeability

We prove the unforgeability using the attack model in Section 2.3. Let be a PPT algorithm that has a nonnegligible probability in attacking our proposed threshold ring signature scheme. Using , we construct another PPT algorithm to solve the SD problem with nonnegligible advantage. That is, given a random matrix and a random decodable syndrome , can find a vector , s.t. . Thus, plays the following games with .

*Game 0*. randomly chooses an index from and sets the public key of the signer as . For all other signers, chooses parity-check matrices, denoted by , of random permuted Goppa codes as their public keys and the corresponding private keys will not be used. After that, sends all matrices to . queries the hash oracle and the sign oracle several times and seeks to obtain a valid signature for some message. We denote the probability that wins Game 0 by .

*Game 1*. replaces the original hash function with the hash simulator . can respond to as follows.

When makes a query to the hash simulator , stores an index in a list associated with message . If is empty, then just chooses a random vector and computes as the output of the simulator. Otherwise (i.e., ), picks a random from and computes as the output of the simulator. In both cases, outputs a random . So we have the probability that wins Game 1 equal to .

*Game 2*. replaces the signature oracle with the signing simulator . can respond to as follows.

When makes a query to on message , chooses a random index and sets . Then, runs with input . If there is no , then aborts; otherwise, outputs and sets empty.

Game 2 differs from Game 1 only in the case that aborts. The probability that aborts is at most , where represents the maximum query times to the . It follows that the probability, denoted by , of winning Game 2 satisfies

*Game 3*. replaces the public key (the permuted parity-check matrix of random Goppa codes) with the parity-check matrix of random linear code for each signer in this game. According to the indistinguishability assumption (see Section 2), has only a negligible advantage in solving the GCD problem. That is, we have the probability that wins Game 3 as .

*Game 4*. The wining condition is changed in this game. picks a random number in , where is the maximum query times to . should generate the -th forgery message-signature pair which can pass the verification. Hence, the probability of wining this game is .

We remark that if wins Game 4, then is able to inverse the SD problem (i.e., find a vector s.t. ). Hence, we have .

Combining all these together, we have and In other words, if there is a PPT forger which can forge a valid message-signature pair with a nonnegligible probability in attacking our scheme, then we can construct a PPT algorithm to inverse the SD problem with a nonnegligible probability. Thus, we can conclude that our proposed threshold ring signature scheme is existentially unforgeable under the chosen message attack if both the GCD problem and SD problem are hard.

#### 5. Efficiency Analysis

In this section, we evaluate the efficiency of our threshold ring signature scheme, in terms of the public key size, the signature size, and the time complexity of the signing process.

*The Public-Key Size*. As mentioned in Section 3, the ring public key in our threshold ring signature scheme is , in which each is an matrix over , . Hence, the ring public key has size bits.

*The Signature Size*. The signature in our scheme is , where , . This results in a signature of size bits.

*Time Complexity of the Signing Process*. We omit the consideration of computing a hash function because it is a fast operation compared to other operations involved in our threshold ring signature scheme. As previously discussed in Section 3, each signer in our scheme should compute a vector (see (8), (12), and (13)), . The time complexity of computing is . According to Engelbert et al. [23], a fast decoding algorithm has time complexity ; therefore, we should execute decoding algorithms on average to generate a decodable syndrome [20]. So the total time complexity of the signing process in our threshold ring signature scheme is as follows:

Note that the time complexity of the signing process in our scheme is independent of the number of signers. The factor of the complexity of our method is two, rather than , in comparison to the CFS scheme [20]. This is because signers (with the exception of the leader) can undertake concurrent operations in our scheme. This enables our scheme to be an efficient code-based threshold ring signature scheme.

#### 6. Conclusion

In this paper, we proposed a novel threshold ring signature scheme based on the hard problems in coding theory. We prove that our method satisfies correctness, unforgeability, and anonymity. In comparison to other postquantum digital signature schemes, our scheme has a lower signature size. Our scheme also uses the leader-participant model to allow signers to sign messages concurrently. This significantly reduces the time complexity of the signing process.

Future research includes exploring practical applications of the proposed scheme and implementing a prototype of the scheme for evaluation in a real-world context (e.g., in an Internet of Battlefield Things application).

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

The work was supported in part by the NSFC-Zhejiang Joint Fund for the Integration of Industrialization and Informatization under Grant no. U1509219, the Shanghai Natural Science Foundation under Grant no. 17ZR1408400, the National Natural Science Foundation of China under Grant no. 61632012, and the Shanghai Sailing Program under Grant no. 17YF1404300.