Abstract

Blockchain is a transformational technology affecting finance, the Internet, and politics. However, many privacy protection problems in blockchain remain to be solved. In this study, we propose a novel linkable ring signature scheme with stealth addresses, which enables the payer and payee of a transaction to be anonymous and unlinkable in a cryptocurrency. The scheme combines an elliptic curve discrete logarithm (ECD logarithm)-based key encapsulation mechanism (KEM) stage with a lattice-based signature stage. The master public key and master secret key are much smaller than in the previous scheme. A complete security proof of the scheme is also presented in this study.

1. Introduction

1.1. Background

As a novel technology, blockchain has been widely used in many fields since its introduction in [16]. The development of blockchain is also inseparable from digital signatures. Digital signatures provide security and authentication for information during its dissemination, for example protecting users' privacy and preventing double spending with the support of the anonymity and linkability of ring signature schemes [7, 8].

In [9], the authors proposed a linkable ring signature scheme with stealth addresses, denoted SALRS. This scheme enables the payer and payee of a transaction to be anonymous and unlinkable in a cryptocurrency. Specifically, the linkable ring signature and stealth address [10–12] are employed in CryptoNote [10]. When a payer A wants to pay a payee B through a transaction, the payee B uses a stealth address to generate a derived public key. Then, the payer A uses the derived public key as the address of the payee B. Also, transactions cannot be identified because the master public key is absent from them. When the payee B, now acting as a payer in a transaction, wants to spend the coins on the derived public key, he generates a linkable ring signature with the support of a set of derived public keys. Anyone can verify the linkable ring signature without learning which derived public key corresponds to the actual signer. As for linkability, which prevents double spending in a transaction, if two signatures are generated by the payee B corresponding to the same derived public key, they will be detected as linked, because the coin corresponding to a derived public key can be used only once. In this study, we focus on a concrete construction of the SALRS scheme that enables both the payer and the payee of a transaction to be hidden in the cryptocurrency.

1.2. Our Contribution

We propose a novel concrete linkable ring signature scheme with stealth addresses, based on the elliptic curve discrete logarithm (ECD logarithm) for the key encapsulation mechanism (KEM) stage and on lattices for the signature stage. The ECD-based KEM provides smaller keys. In particular, the size of the master public key is 510 bits and the size of the master secret key is 512 bits, which is much smaller than in the previous scheme in [9]. Moreover, all the security properties which a SALRS should have, including unforgeability, linkability, nonslanderability, anonymity, master-public-key-unlinkability, and derived-public-key-unlinkability, still hold.

1.3. Organization of This Paper

The rest of the study is organized as follows. Preliminaries are given in Section 2. In Section 3, we formally define the SALRS scheme. Afterwards, the security models of the SALRS scheme are presented in Section 4. As the core of this study, our concrete SALRS scheme is presented in Section 5. In Section 6, we analyze and prove the security of our SALRS scheme. Moreover, the efficiency analysis, in particular the reduced storage cost of our SALRS scheme, is given in Section 7. Finally, we summarize this study and draw conclusions in Section 8.

1.4. Related Work

There are many classic linkable ring signature schemes relying on the hardness of number-theoretic problems, such as [13, 14]. Many of them target specific application scenarios; for example, [15, 16] are certificate-based and identity-based, respectively. However, many cryptographic schemes based on classical number theory are threatened by future quantum computers [17]. All the same, cryptographic schemes relying on classical number theory, for example the elliptic curve discrete logarithm [18], have the advantages of faster computation and lower storage cost.

Lattice-based ring signatures were first introduced by Brakerski and Tauman-Kalai in 2010. They proposed a construction of a ring signature scheme based on the SIS assumption. Then, in 2013, Melchor et al. proposed a ring signature scheme based on the LWE assumption. Since then, many lattice-based ring signature schemes have been proposed, such as [19–21].

Works on linkable ring signatures and on stealth addresses already exist, e.g., [8, 22]. However, most of them consider either the linkable ring signature or the stealth address rather than both. Fortunately, [9] has successfully proposed a new cryptographic primitive, denoted SALRS. This new primitive not only combines the linkable ring signature with the stealth address but also captures adversarially chosen key attacks in the linkability model. Additionally, it is potentially quantum resistant.

2. Preliminaries

In this section, before presenting our concrete SALRS construction, we give some preliminaries on the mathematical background concerning bilinear maps and lattices, and on the complexity assumptions. For more details, please refer to [23–26].

2.1. Mathematical Background

Let , , and be the groups of prime order p, and be a generator of (i = 1,2). Set , and there exists no efficient homomorphism between and . We say that e: is a bilinear, efficient, and computable map if it satisfies the following two properties.(1)Bilinear: for a,b, where the integers modulo p is denoted by , we have e(, ) = e.(2)Efficient: e(, ) 1.

Let q and n be two positive integers, and denote the integers modulo q by , which will be represented in the range (-] or [-], where q is even or odd, respectively. Let R and be the rings [X]/(X^n + 1) and [X]/(X^n + 1), respectively. We set r =  + X +  + X^{n−1} R and r = ( ) to define the , , and norms of r and r as follows:(1)(2)(3)(4)(5)(6)

We also denote two sets:
(1) S {r R r}
(2) {r, r has coefficients that are 1 and the rest are 0}

2.2. Complexity Assumptions

The security of our novel SALRS scheme is based on the bilinear Diffie-Hellman 1 (BDH-1) assumption, the module-SIS assumption, and the module-LWE assumption.

2.2.1. Bilinear Diffie-Hellman 1 (BDH-1) Assumption

Let , , and be groups of prime order p, and be a generator of (i = 1,2). Set , and there exists no efficient homomorphism between and . e: is a bilinear, efficient, and computable map. The Bilinear Diffie-Hellman 1 (BDH-1) problem is that given , , , , compute e(, ), where a, b.

2.2.2. Module-SIS Assumption

The module-SIS problem with parameters (n, q, k, l, ) is that for uniformly random A, t, , and the k × k identity matrix I, find x, , such that x and [AI]x = t. The problem can be adapted into the infinity-norm version, where x. Additionally, the homogeneous version of the module-SIS problem is defined with t = 0 and x0.

2.2.3. Module-LWE Assumption

The module-LWE problem with parameters (n, q, k, l, ) is that for uniformly random A, let b = As + e, where the entries of s and e are selected according to some distributions (uniform distribution, Gaussian distribution) over . There are two versions of module-LWE. The search variant of module-LWE is to find s given (A, b). The decision variant is to distinguish (A, b) from a uniformly random pair over , . In this study, we use a transformed version of the decision variant of module-LWE, which is to distinguish (A, As) from (A, r), where A, , s, , and r, .

3. SALRS Scheme

The syntax of a linkable ring signature scheme with stealth addresses (SALRS) was first proposed in [9]; it realizes the cryptographic functionality that a cryptocurrency needs in order to hide the payers and payees of transactions. A SALRS scheme consists of eight algorithms.

Setup PP: this algorithm takes a security parameter as input and outputs the public parameters PP.

MasterKeyGen (PP) (MPK, MSK): this algorithm takes the public parameters PP as input and outputs the user's master key pair (MPK, MSK) (master public key, master secret key).

DerivedPublicKeyGen (MPK) DPK: this algorithm takes a master public key MPK as input and outputs a derived public key DPK.

DerivedPublicKeyOwnerCheck (DPK, MPK, MSK) 1/0: this algorithm takes a derived public key DPK and a master key pair (MPK, MSK) as input and outputs b {0,1}. 1 and 0 indicate that the derived public key DPK is valid or invalid, respectively.

DerivedPublicKeyPublicCheck (DPK) 1/0: this algorithm takes a derived public key DPK as input and outputs b {0,1}. 1 and 0 indicate that the derived public key DPK is well-formed or not well-formed, respectively.

Sign (M, R, DPK, MPK, MSK) : this algorithm takes as input a message M, a ring of well-formed derived public keys R = (we regard the public key ring R as an ordered set, namely, it consists of public keys which are ordered and have indexes), a derived public key DPK R, and the master key pair (MPK, MSK) for the derived public key DPK, and outputs a signature .

Verify(M, R, ) 1/0: this algorithm takes as input a message M, a ring of well-formed derived public keys R, and a signature , and outputs b {0,1}. 1 and 0 indicate that the signature is valid or invalid, respectively.

Link (, , , , , ) 1/0: this algorithm takes as input two valid (message M, derived public key ring R, signature ) tuples (, , ) and (, , ) and outputs 0 or 1. 1 and 0 indicate that the two signatures are linked or unlinked, respectively.

4. Security Model of SALRS

A SALRS scheme should be correct, unforgeable, linkable, nonslanderable, anonymous, master-public-key-unlinkable, and derived-public-key-unlinkable; these properties ensure that the scheme satisfies the security and privacy protection requirements of cryptocurrencies in most practical settings.

In the following games, we use to denote any probabilistic polynomial time (PPT) adversary and n() to denote any polynomial.

4.1. Correctness

Correctness means that one can derive a “right” feedback while honestly performing the protocols.

Let PP setup .
(1) For any (MPK, MSK) MasterKeyGen (PP) and any DPK DerivedPublicKeyGen (MPK), we have DerivedPublicKeyOwnerCheck (DPK, MPK, MSK) = 1 and DerivedPublicKeyPublicCheck (DPK) = 1.
(2) For any message M, any ring of well-formed derived public keys R, and any derived public key DPK R, such that DerivedPublicKeyOwnerCheck (DPK, MPK, MSK) = 1 for some master key pair (MPK, MSK), we have Verify (M, R, Sign (M, R, DPK, MPK, MSK)) = 1.
(3) For any message , any ring of well-formed derived public keys , and any derived public key , , such that DerivedPublicKeyOwnerCheck (, , ) = 1 for some master key pair (, ), let Sign (, , , , ) (i = 0,1). We have Link (, , , , , ) = 1 if  = , and Pr[Link (, , , , , ) = 0] 1 negl if , where negl is a negligible function.

4.2. Unforgeability

Unforgeability means that only the user who knows the secret key for some public key in a ring can generate a valid signature.

4.2.1. Setup

PP setup is run. PP is given to . are run and are given to .

4.2.2. Probing Phase

can query the following oracles:
(1) Derived Public Key Adding Oracle, ODPKAdd(): ODPKAdd (DPK, MPK) returns b DerivedPublicKeyOwnerCheck (DPK, MPK, MSK) to . If b = 1, set  =  {DPK}, where  =  is initialized.
(2) Signing Oracle, OSign(): OSign (M, R, DPK), where DPK R, , returns Sign (M, R, DPK, MPK, MSK) to , where (MPK, MSK) is the master key pair for DPK.

4.2.3. Output Phase

outputs a message , a ring of well-formed derived public keys , and a signature .

Let  = {(M, R, DPK, )} be the query-answer tuples for OSign. succeeds if
(1) Verify (, , ) = 1 and
(2) and
(3) (, , ?, ) , where ? means that (, , ) is not a tuple obtained by querying OSign.

Definition 1. The SALRS is unforgeable if for all , is negligible, where  = Pr[ succeeds]. We name the game for unforgeability .

4.3. Linkability

Linkability means that if the key owner generates two or more valid signatures with respect to one derived public key, the signatures will be found to be linked.

4.3.1. Setup

PP setup is run. PP is given to .

4.3.2. Output Phase

outputs k (k (2) tuples (, , ) (i = 1,…,k).

succeeds if
(1) Verify (, , ) = 1 and
(2) Link (, , , , , ) = 0 (i, j [1,k], s.t. ij) and
(3) .

Definition 2. The SALRS is linkable if for all , is negligible, where  = Pr[ succeeds]. We name the game for linkability Game link.

4.4. Nonslanderability

Nonslanderability means that no one can frame other users by creating a signature which is linked to a signature of the target user.

4.4.1. Setup

Same as that of .

4.4.2. Probing Phase

Same as that of .

4.4.3. Output Phase

outputs two tuples (, , ) and (, , ).

Let  = {(M, R, DPK, )} be the query-answer tuples for OSign. succeeds if
(1) Verify (, , ) = 1 and
(2) (, , ) for some derived public keys , and
(3) (, , , ) and
(4) Link (, , , , , ) = 1.

Definition 3. The SALRS is nonslanderable if for all , is negligible, where  = Pr[ succeeds]. We name the game for nonslanderability .

4.5. Anonymity

Anonymity means that no one can identify the signer’s derived public key out of the ring, with a valid signature with respect to a ring of derived public keys.

4.5.1. Setup

Same as that of .

4.5.2. Probing Phase 1

Same as the probing phase of .

4.5.3. Challenge Phase

outputs a message , a ring of well-formed derived public keys , and two distinct indices 1 , n, such that
(1) , 
(2) None of OSign with and was queried.

A random bit b {0,1} is chosen, and is given Sign (, , , MPK, MSK), where (MPK, MSK) is the master key pair for .

4.5.4. Probing Phase 2

Same as the probing phase 1, but with the restriction that OSign with and cannot be queried.

4.5.5. Output Phase

outputs a bit as its guess to b.

Definition 4. The SALRS is anonymous if for all , is negligible, where  =  . We name the game for anonymity .

4.6. Master-Public-Key-Unlinkability

Master-public-key-unlinkability means that given a derived public key and the corresponding signatures, no one can tell which master public key it was derived from.

4.6.1. Setup

Same as that of .

4.6.2. Probing Phase 1

Same as the probing phase of .

4.6.3. Challenge

outputs two distinct indices 1 , n. A random bit b\{0,1\} is chosen, and DerivedPublicKeyGen is given to . Set  =  , \}.

4.6.4. Probing Phase 2

Same as the probing phase 1, with the restriction that ODPKAdd (, ) (j\{0,1\}) cannot be queried.

4.6.5. Output Phase

outputs a bit \{0,1\} as its guess to b.

Definition 5. The SALRS is master-public-key-unlinkable if for all , is negligible, where  =  . We name the game for master-public-key-unlinkability .

4.7. Derived-Public-Key-Unlinkability

Derived-public-key-unlinkability means that given two derived public keys and the corresponding signatures, no one can tell whether they are derived from the same master public key.

4.7.1. Setup

Same as that of .

4.7.2. Probing Phase 1

Same as the probing phase of .

4.7.3. Challenge

outputs two distinct indices 1 i0,i1n. A random bit c\{0,1\} is chosen. Compute DerivedPublicKeyGen.

A random bit b\{0,1\} is chosen. If b = 0, compute DerivedPublicKeyGen; otherwise, compute DerivedPublicKeyGen. (, ) are given to . Set  = , \{, \}.

4.7.4. Probing Phase 2

Same as the probing phase 1, with the restriction that ODPKAdd (, ) (j, k\{0,1\}) can only be queried on at most one j \{0,1\}.

4.7.5. Output Phase

outputs a bit , \{0,1\} as its guess to b.

Definition 6. The SALRS is derived-public-key-unlinkable, if for all , is negligible, where  = . We name the game for derived-public-key-unlinkability .

5. Our Concrete Scheme of SALRS

In this section, as a building block for our SALRS construction, we first introduce our novel concrete key encapsulation mechanism (KEM) based on the elliptic curve discrete logarithm. Then, we propose our concrete SALRS construction.

5.1. KEM Based on Elliptic Curve Discrete Logarithm

Formally, our novel concrete KEM based on the elliptic curve discrete logarithm consists of algorithms as follows.

5.1.1. Setup Params

This algorithm takes a security parameter as input and outputs the system global parameters params.

The params are generated as follows. Let , , and be groups of prime order p, be an integer group of order p, be a generator of (i = 1,2), and e: be a bilinear, efficient, and computable map. Set , and there exists no efficient homomorphism between and . H: is a collision-resistant hash function. Then, we set params=(, , , , , , H).

5.1.2. KeyGen (params) (pk, sk)

This algorithm takes params as input and outputs a (public key, secret key) pair (pk, sk).

The pair (pk, sk) is generated as follows. First, choose a random and then compute . Finally, the pair (pk, sk) is set as (pk, sk)=(, ).

5.1.3. Encaps (pk, params) (AD, K)

This algorithm takes pk and params as input and outputs a ciphertext AD and a key K. We let and denote the ciphertext space and key space, respectively.

The pair (AD, K) is generated as follows. First, choose a random r, compute the key , compute HVH(e(pk, )), and then compute . Finally, set (AD, K)=(, ).

5.1.4. Decaps (params, AD, pk, sk) K/

This algorithm takes params, the ciphertext AD, the public key pk, and the secret key sk as input and outputs a key K or a special symbol indicating rejection.

The K/ is generated as follows. If r, the equation AD =  holds, where SHVH(e(, )), output a key K = ; otherwise, output a special symbol .

5.2. Concrete SALRS Construction
5.2.1. Setup PP

The input to this algorithm is a security parameter . The algorithm sets the parameters n, q, k, l, m, , , and , and lets : R, expandV: , : , and : be functions modelled as random oracles. The algorithm runs:
(1) Set A (cstr), where cstr is a random string belonging to .
(2) Run params KEMsetup .

Output the public parameters PP = (n, q, k, l, m, , , , , cstr, A, KEM, params, expandV, , ). PP is an implicit input to every algorithm below.

5.2.2. MasterKeyGen (PP) (MPK, MSK)

The input to this algorithm is the PP; the algorithm runs:
(1) (pk, sk) KEMKeyGen (params).
(2) Set t As, where s .

Output MPK (pk, t) and MSK (sk, s).

5.2.3. DerivedPublicKeyGen (MPK) DPK

The input to this algorithm is the MPK = (pk, t); the algorithm runs:
(1) Run (AD, K) KEMEncaps (pk, params).
(2) Set expandV (K) , , , and t + .

Output DPK (AD, ).

5.2.4. DerivedPublicKeyOwnerCheck (DPK, MPK, MSK) 1/0

The input to this algorithm is a DPK and a pair (MPK, MSK) with MPK = (pk, t) and MSK = (sk, s); the algorithm runs:
(1) If DPK , , set DPK (AD, ) , ; otherwise, return 0.
(2) Run K KEMDecaps (params, AD, pk, sk).
(3) Set expandV (K) and .

If  = t + , return 1; otherwise, return 0.

5.2.5. DerivedPublicKeyPublicCheck (DPK) 1/0

The input to this algorithm is a DPK; the algorithm runs: if DPK , , return 1; otherwise, return 0.
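To make the stealth-address flow of Sections 5.2.2 to 5.2.5 concrete, here is an added toy implementation in Python; it is not the paper's code. It keeps the structure of the construction (t̂ = t + A·expandV(K) with K obtained from the KEM, and the owner check recomputing t̂ after decapsulation) but, as assumptions, sets the ring degree n = 1 so that all module arithmetic becomes integer matrix-vector products over Z_q, replaces the pairing-based KEM of Section 5.1 with a textbook Diffie-Hellman KEM in a toy prime-field group hashed with SHA-256 (whose Decaps does not re-check AD), and models expandV and the expansion of A from cstr with SHAKE-256. All function names (expand_matrix, expand_v, matvec, master_key_gen, derived_public_key_gen, derived_public_key_public_check, derived_public_key_owner_check, demo) and parameter values are this example's own.

```python
"""Toy model of the stealth-address part of SALRS (Sections 5.2.2 to 5.2.5).

Added example, not the paper's code.  Simplifications (all assumptions):
  * ring degree n = 1, so the module R_q^k collapses to Z_q^k and A is a
    K_ROWS x L_COLS integer matrix; a real instance uses polynomials;
  * the pairing-based KEM of Section 5.1 is replaced by a textbook
    Diffie-Hellman KEM in Z_P^* with the shared value hashed by SHA-256
    (a toy group, not a secure parameter choice);
  * expandV is modelled as SHAKE-256 expanding K into an L_COLS-vector with
    entries in [-ETA, ETA]; the matrix A is expanded from cstr the same way.
"""
import hashlib
import secrets

Q = 8380417                    # modulus (toy choice)
K_ROWS, L_COLS, ETA = 3, 5, 3  # matrix shape and secret-vector bound (toy values)
P = (1 << 127) - 1             # prime for the toy DH group
G = 3                          # base element of the toy group


# ---- toy KEM standing in for KEM.KeyGen / Encaps / Decaps -------------------
def kem_keygen():
    sk = secrets.randbelow(P - 2) + 1
    return pow(G, sk, P), sk                               # (pk, sk)

def kem_encaps(pk):
    r = secrets.randbelow(P - 2) + 1
    ad = pow(G, r, P)                                      # ciphertext AD = G^r
    shared = pow(pk, r, P).to_bytes(16, "big") + ad.to_bytes(16, "big")
    return ad, hashlib.sha256(shared).digest()             # (AD, K)

def kem_decaps(ad, sk):
    shared = pow(ad, sk, P).to_bytes(16, "big") + ad.to_bytes(16, "big")
    return hashlib.sha256(shared).digest()                 # K


# ---- lattice side with n = 1 --------------------------------------------------
def expand_matrix(cstr):
    """A <- H(cstr): K_ROWS x L_COLS entries in Z_Q (modelled with SHAKE-256)."""
    raw = hashlib.shake_256(b"A" + cstr).digest(4 * K_ROWS * L_COLS)
    vals = [int.from_bytes(raw[i:i + 4], "little") % Q for i in range(0, len(raw), 4)]
    return [vals[r * L_COLS:(r + 1) * L_COLS] for r in range(K_ROWS)]

def expand_v(k):
    """expandV(K): short vector with entries in [-ETA, ETA] derived from K."""
    raw = hashlib.shake_256(b"expandV" + k).digest(L_COLS)
    return [(b % (2 * ETA + 1)) - ETA for b in raw]

def matvec(a, s):
    return [sum(a[r][c] * s[c] for c in range(L_COLS)) % Q for r in range(K_ROWS)]

def master_key_gen(a):
    pk, sk = kem_keygen()
    s = [secrets.randbelow(2 * ETA + 1) - ETA for _ in range(L_COLS)]  # s in S_eta
    return (pk, matvec(a, s)), (sk, s)                                   # (MPK, MSK)

def derived_public_key_gen(a, mpk):
    pk, t = mpk
    ad, k = kem_encaps(pk)
    s2 = expand_v(k)
    t_hat = [(ti + vi) % Q for ti, vi in zip(t, matvec(a, s2))]  # t_hat = t + A s''
    return (ad, t_hat)                                            # DPK

def derived_public_key_public_check(dpk):
    """Well-formedness only: AD in the group, t_hat a vector over Z_Q of length K_ROWS."""
    ad, t_hat = dpk
    return isinstance(ad, int) and 1 <= ad < P and len(t_hat) == K_ROWS \
        and all(0 <= x < Q for x in t_hat)

def derived_public_key_owner_check(a, dpk, mpk, msk):
    """Decapsulate with the master secret key and recompute t + A s''."""
    if not derived_public_key_public_check(dpk):
        return 0
    ad, t_hat = dpk
    pk, t = mpk
    sk, _s = msk
    s2 = expand_v(kem_decaps(ad, sk))
    return 1 if t_hat == [(ti + vi) % Q for ti, vi in zip(t, matvec(a, s2))] else 0

def demo():
    a = expand_matrix(b"constructed cstr")
    mpk_b, msk_b = master_key_gen(a)           # payee B
    mpk_c, msk_c = master_key_gen(a)           # unrelated user C
    dpk1 = derived_public_key_gen(a, mpk_b)    # two separate payments to B
    dpk2 = derived_public_key_gen(a, mpk_b)
    return {
        "public_ok": derived_public_key_public_check(dpk1),
        "owner_ok": derived_public_key_owner_check(a, dpk1, mpk_b, msk_b),
        "other_user_rejected": derived_public_key_owner_check(a, dpk1, mpk_c, msk_c),
        "fresh_address": dpk1 != dpk2,         # every payment gets a new address
    }

if __name__ == "__main__":
    print(demo())
```

The two checks split exactly as in the scheme: the public check needs no secret and can be run by any node, while only the holder of (sk, s) can decapsulate AD, recover s'' and confirm that t̂ is t masked by A·s''. Because s'' is derived from a fresh KEM key per payment, two derived keys for the same MPK share nothing visible, which is the intuition behind the unlinkability games of Section 4.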

5.2.6. Sign (M, R, DPK, MPK, MSK)

The input to this algorithm is a message M, a ring of well-formed derived public keys R = , a derived public key DPK R, and the master key pair for DPK, where MPK = (pk, t) and MSK = (sk, s); the algorithm runs:
(1) Set (, ) , and , () (i = 1, ,r).
(2) Let be DPK =  = (, ), run K KEMDecaps (params, , pk, sk). Set expand (K) and s + .
(3) Using and above, set I .
(4) Set Ay and y, where y .
(5) Set (M, R, , , I), where we set (M, R, , , I), and set , and I, where , i =  + 1, ,r, 1, 1.
(6) Set (M, R, , , I).

Set y + . If , , output (c, { }, I) , (S)r; otherwise, return to (4).

5.2.7. Verify (M, R, ) 1/0

The input to this algorithm is a message M, a ring of well-formed derived public keys R = , and a signature = (, { }, I); the algorithm runs:
(1) If or , i {1, ,r}, return 0.
(2) Set (, ) (, ) and () (i = 1, ,r). Then, set , I, and (M, R, , , I).

If  = , return 1; otherwise, return 0.

5.2.8. Link (, , , , , ) 1/0

The input to this algorithm is two valid (message M, derived public key ring R, signature ) tuples (, , ) and (, , ), where = (, { }, ) and = (, { }, ); the algorithm runs: if  = , return 1; otherwise, return 0.
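The ring arithmetic of Section 2.1 and the Sign/Verify/Link skeleton of Sections 5.2.6 to 5.2.8 can be seen working together in the following added Python example, which is not the paper's code. It implements multiplication in R_q = Z_q[X]/(X^n + 1), the infinity norm, sampling from S_η and from the set of challenge polynomials with τ coefficients in {±1}, and then a single-signer Fiat-Shamir-with-aborts signature whose key image I is bound into the challenge hash, so that Verify recomputes both a·z − c·t̂ and h_dpk·z − c·I and Link compares key images. Assumptions: ring size r = 1 and k = l = 1 (so the public matrix A is one polynomial a and the chaining over other ring members is omitted), every hash function is modelled with SHAKE-256, h_dpk is a hash of the derived public key, and the parameters are toy values; every function name and constant is this example's own.

```python
"""Toy linkable signature over R_q = Z_q[X]/(X^N + 1).  Added example, not the
paper's code: ring arithmetic of Section 2.1 plus a single-signer version of
Sign / Verify / Link (Sections 5.2.6 to 5.2.8).  Assumptions: k = l = 1 so the
public matrix A is one polynomial a; r = 1 (no ring chaining); all hashes are
SHAKE-256; key image I = h_dpk * s_hat with h_dpk = H(t_hat); toy parameters."""
import hashlib
import secrets

N, Q = 16, 8380417                 # ring degree and modulus (toy values)
ETA, TAU, GAMMA = 3, 4, 1 << 17    # secret bound, challenge weight, masking bound
BETA = TAU * ETA                   # bound on the infinity norm of c * s_hat

# ---- arithmetic in R_q (Section 2.1) ----------------------------------------
def center(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def add(f, g): return [(x + y) % Q for x, y in zip(f, g)]
def sub(f, g): return [(x - y) % Q for x, y in zip(f, g)]

def mul(f, g):
    """Schoolbook product with the reduction X^N = -1 (negacyclic wrap)."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            if i + j < N:
                out[i + j] = (out[i + j] + fi * gj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - fi * gj) % Q
    return out

def inf_norm(f): return max(abs(center(x)) for x in f)

def sample_s_eta():        # element of S_eta: every coefficient in [-ETA, ETA]
    return [(secrets.randbelow(2 * ETA + 1) - ETA) % Q for _ in range(N)]

def sample_y():            # masking polynomial, coefficients in [-(GAMMA-1), GAMMA-1]
    return [(secrets.randbelow(2 * GAMMA - 1) - (GAMMA - 1)) % Q for _ in range(N)]

def encode(*polys):
    return b"".join(x.to_bytes(4, "little") for f in polys for x in f)

def hash_poly(tag):
    """Uniform-looking polynomial in R_q from bytes (stand-in for a hash-to-ring)."""
    raw = hashlib.shake_256(tag).digest(4 * N)
    return [int.from_bytes(raw[i:i + 4], "little") % Q for i in range(0, 4 * N, 4)]

def sample_in_ball(seed):
    """Challenge with exactly TAU coefficients in {+1, -1}, the rest 0."""
    c, pos, raw, i = [0] * N, set(), hashlib.shake_256(seed).digest(256), 0
    while len(pos) < TAU:
        b, i = raw[i], i + 1
        p = b % N
        if p not in pos:
            pos.add(p)
            c[p] = 1 if (b // N) % 2 == 0 else Q - 1
    return c

# ---- Sign / Verify / Link skeleton (Sections 5.2.6 to 5.2.8) ----------------
def keygen(a):
    """(t_hat, s_hat) = (a * s_hat, s_hat): derived public key and derived secret."""
    s_hat = sample_s_eta()
    return mul(a, s_hat), s_hat

def key_image(t_hat, s_hat):
    return mul(hash_poly(b"I" + encode(t_hat)), s_hat)        # I = h_dpk * s_hat

def sign(msg, a, t_hat, s_hat):
    h_dpk, img = hash_poly(b"I" + encode(t_hat)), key_image(t_hat, s_hat)
    while True:                                                # Steps 4-6, restarted on rejection
        y = sample_y()
        w, v = mul(a, y), mul(h_dpk, y)
        c = sample_in_ball(msg + encode(w, v, img))
        z = add(y, mul(c, s_hat))
        if inf_norm(z) < GAMMA - BETA:                         # rejection keeps z independent of s_hat
            return c, z, img

def verify(msg, a, t_hat, sig):
    c, z, img = sig
    if inf_norm(z) >= GAMMA - BETA:
        return 0
    h_dpk = hash_poly(b"I" + encode(t_hat))
    w = sub(mul(a, z), mul(c, t_hat))                          # a*z - c*t_hat = a*y
    v = sub(mul(h_dpk, z), mul(c, img))                        # h*z - c*I = h*y
    return 1 if sample_in_ball(msg + encode(w, v, img)) == c else 0

def link(sig1, sig2):
    return 1 if sig1[2] == sig2[2] else 0                      # equal key images => linked

def demo():
    a = hash_poly(b"constructed cstr")
    t1, s1 = keygen(a)
    t2, s2 = keygen(a)
    sig_a, sig_b = sign(b"tx-1", a, t1, s1), sign(b"tx-2", a, t1, s1)
    sig_c = sign(b"tx-3", a, t2, s2)
    return {"valid": verify(b"tx-1", a, t1, sig_a),
            "tampered": verify(b"tx-1 modified", a, t1, sig_a),
            "double_spend_linked": link(sig_a, sig_b),     # same derived key spent twice
            "different_key_unlinked": link(sig_a, sig_c)}
```

The restart loop in sign is the Step 4 to Step 6 loop of the construction: the bound GAMMA − BETA on ‖z‖∞ is what makes the distribution of z independent of s_hat, and with the gap between GAMMA and BETA chosen as here the loop almost never repeats, which is the same effect Section 7 relies on when it bounds the number of runs. Link needs nothing but the two key images, so a second spend of the same derived key is caught without revealing which derived key was used.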

6. Security Analysis of Our SALRS Construction

Now, we prove that our construction has the usual properties for a SALRS such as correctness, unforgeability, anonymity, linkability, nonslanderability, master-public-key-unlinkability, and derived-public-key-unlinkability.

6.1. Correctness Analysis

It is obvious that from our SALRS construction, (1) and (2) of correctness are satisfied. Therefore, we next prove (3) of correctness. Let  = (,, ) be generated by sign (, , , , ) (j = 0,1) and let  = (, ).(1)If  = , we have  = , and then  = . In this case, we have link outputs 1.(2)If , we now prove that link outputs 0 with overwhelming probability. If , we can see that (), () are distinct. and are distinct. Then we have the result that the probability of  =  ()  = 

()  =  is negligible. If  =  but , we want to prove  = . We consider . If and  = A = A = , its probability is negligible, so we must have  = .  =  have two cases.(1) and :The probability of this scenario is negligible because of the randomness of , , , and .(2) =  and  = :

The probability of s =  is negligible because two different executions of algorithm DerivedPublicKeyGen with will produce distinct  =  with overwhelming probability. This completes the correctness analysis.

6.2. Security Analysis

We use to denote any probabilistic polynomial time (PPT) adversary in security games.

Theorem 1. The SALRS construction is linkable.

Proof. We now prove that our SALRS construction is linkable under the module-SIS assumption. If succeeds because (3) of linkability holds, then there exist i, j [1,k] with ij such that  = , where and . Then, we set  = (, ) and  = (, ), and we have  =   = A = . Under the module-SIS assumption, we have  =  with overwhelming probability, which also means  =  with overwhelming probability. From (1) of linkability and (1) of correctness, we have  = Sign (, , , , ) and  = Sign (, R, , , ). Finally, from (3) of correctness, we find that (2) of linkability is not satisfied. This completes the proof.

Theorem 2. The SALRS construction is nonslanderable.

Proof. We now prove that our SALRS construction is nonslanderable under the correctness of the SALRS scheme. If succeeds, from (1) and (2) of nonslanderability and (1) of correctness, we have  = sign (, , , , ) and  = sign (, , , , ). Because of (4) of nonslanderability and (3) of correctness, we have  =  with overwhelming probability. So, we can find that (3) of nonslanderability is not satisfied. This completes the proof.

Lemma 1. (See [9]). If a SALRS scheme is linkable and nonslanderable, then it is unforgeable.

Theorem 3. The SALRS construction is unforgeable.

Proof. According to Theorem 1, Theorem 2, and Lemma 1, our SALRS scheme is unforgeable. This completes the proof.

Theorem 4. The SALRS construction is anonymous.

Proof. We now prove that our SALRS construction is anonymous under the decision module-LWE assumption. If succeeds, we set  = (,\, I) and  = (, ) (b\{0,1\}). From algorithm sign, we have I = . It means that can distinguish and , which contradicts the decision module-LWE assumption. This completes the proof.

Theorem 5. The SALRS construction is master-public-key-unlinkable.

Proof. We now prove that our SALRS construction is master-public-key-unlinkable under the BDH-1 assumption. If succeeds, we set  = (AD, ), AD = , and  =  (i {0,1}), which means that can distinguish (, ) with nonnegligible probability. From the algorithm DerivedPublicKeyGen, we have  =  + ,  = ,  = expandV (K), and (AD, K) KEMEncaps (pk, params), where K = . It is obvious that, because of the randomness of r and of K =  in the algorithm Decaps, cannot distinguish K with overwhelming probability. Therefore, cannot distinguish , so cannot distinguish with overwhelming probability.
We now prove that cannot distinguish with an overwhelming probability too. If can distinguish with a nonnegligible probability , we can construct a PPT algorithm that solves the BDH-1 problem. To be specific, we assume that and play the game , and simulates the challenger and tries to solve the BDH-1 problem. Suppose the BDH-1 instance (, , , ) is given to . initializes system parameters and gets params=(, , , , , , H) from KEM. Then, interacts with as follows.

6.2.1. Setup

sends params to .

6.2.2. Query 1

(1) Key pair query: asks to use the algorithm KeyGen of KEM to compute a key pair (pk, sk) = (, ) and return it to . can query at most times for key pairs.
(2) Public key query: asks to use the algorithm KeyGen of KEM to compute a key pair (pk, sk) and return the public key pk to . can query at most times for key pairs.
(3) Hash query: sets a hash list Hlist, initialized as an empty set. When submits a random element to , answers as follows. If it has not appeared in Hlist, chooses a random element z and returns it to , then stores the tuple (, z) in Hlist. Otherwise, finds the tuple (, z) and returns z to . can query at most times for hash queries.

6.2.3. Challenge

chooses a public key from (1) of query 1 and sends it to . chooses a random bit , \{0,1\}; if  = 0, sets  =  and computes Encaps (, params) and then returns them to . Otherwise, chooses a random element , and sets  =  and returns them to .

6.2.4. Query 2

can make queries as in query 1, except for the secret key of .

6.2.5. Guess

Finally, outputs a bit as the guess of .

If can distinguish , then can guess the answer. Then, chooses tuple (, z) in Hlist, which satisfies  = e. Then, outputs z as the solution to BDH-1 problem. The probability that solves the BDH-1 problem is that Pr[succeeds] = Pr[ ( =  )]Pr[ (z = e(, ))].

If succeeds in obtaining a solution of the BDH-1 problem, the following conditions must be satisfied:
(1) Pr[ (=)] ( correctly chooses pk).
(2) Pr[ (z = e(, ))] ( correctly chooses z).

Therefore, we have Pr[succeeds] ). This means that the probability that solves the BDH-1 problem is nonnegligible, which contradicts the BDH-1 assumption. This completes the proof.

Lemma 2. (See [9]). If a SALRS scheme is master-public-key-unlinkable, then it is derived-public-key-unlinkable.

Theorem 6. The SALRS construction is derived-public-key-unlinkable.

Proof. According to Theorem 5 and Lemma 2, our SALRS scheme is derived-public-key-unlinkable. This completes the proof.

7. Efficiency Analysis

In this section, we compare the efficiency of our scheme with that of the SALRS scheme in [9]. The parameters n, l, k, q, m, , , and are set to be the same as those in [9], i.e., n = 256, l = 5, k = 3, q and q = 17 mod 32, m = 1,  = 60,  = 3, and  = 699453. Additionally, the functions , , , and expandV are set to be the same as those in [9]; that is, we use SHAKE-256 to implement the functions , , and expandV and the algorithm SampleInBall to implement . Moreover, with the parameter selection above, in order to obtain a signature in our SALRS scheme the signer has to run Step 4–Step 6 of algorithm Sign at most twice, because the probability of restarting Step 4–Step 6, which can be easily worked out, is , .

From [10, 18, 27], we can obtain an instantiation of the KEM in which the system global parameters params of the KEM are set to be the public parameters of the stealth address scheme in [27]. In particular, the group in our novel concrete KEM is instantiated as the elliptic curve Ed25519 from [18].

From the Ed25519 curve in [18], the sizes of the public key pk, the secret key sk, and the ciphertext AD in our SALRS scheme are (256 − 1) × 2 = 510 bits, 256 × 2 = 512 bits, and (256 − 1) × 2 = 510 bits, respectively. On the other hand, the efficiency analysis of the SALRS scheme in [9] gives public key, secret key, and ciphertext sizes of 1088 bytes, 2400 bytes, and (1184 − 32) = 1152 bytes, respectively. From the data above, the public key in our SALRS scheme is smaller than that in [9], which means that, by the construction of the master public key (MPK), the MPK in our SALRS scheme is also smaller than that in [9]. The same applies to the master secret key (MSK) and the derived public key (DPK). We conclude that, with regard to the sizes of MPK, MSK, and DPK, our SALRS scheme has lower storage cost.

8. Conclusion

In this study, a linkable ring signature scheme with stealth addresses was addressed. We proved the security of the proposed scheme under the BDH-1, module-SIS, and module-LWE assumptions. The results showed that our scheme has all the properties that a linkable ring signature scheme with stealth addresses should have, i.e., unforgeability, anonymity, linkability, nonslanderability, master-public-key-unlinkability, and derived-public-key-unlinkability. The efficiency analysis showed that our SALRS scheme has lower storage cost than the SALRS scheme in [9] under the same security conditions.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was supported in part by the National Key Research and Development Program of China (2021YFA1000600), the City School Joint Funding Project of Guangzhou City (202102010377), and the National Natural Science Foundation of China (61702124).