A New Code-Based Traceable Ring Signature Scheme

Qi, Yanhong; Wang, Li-Ping

doi:https://doi.org/10.1155/2022/3938321

Security and Communication Networks

On this page

Abstract Introduction Preliminaries Analysis Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Security and Privacy Preservation in Blockchain-Based Intelligent Transportation Systems

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 3938321 | https://doi.org/10.1155/2022/3938321

A New Code-Based Traceable Ring Signature Scheme

Yanhong Qi^1,2and Li-Ping Wang^1,2

Academic Editor: Shichang Xuan

Received19 Nov 2021

Revised29 Jan 2022

Accepted10 Mar 2022

Published29 Apr 2022

Abstract

Traceable ring signatures (TRS) can reveal the identity of the signer if he signs two different messages on the same tag in the group of users. They are widely used in e-voting and cryptocurrencies such as Monero. However, there is still no secure code-based TRS scheme in the random oracle model (ROM). In this paper, we propose a code-based TRS scheme whose security is based on the hardness of the syndrome decoding problem and 2-regular null syndrome decoding problem. We show that our scheme is secure in the ROM in terms of tag-linkability, anonymity, and culpability. The signature size of our scheme is logarithmic in terms of the ring size.

1. Introduction

Ring signatures can be regarded as special group signatures, but they are differing from group signatures in that there is no group administrator in ring signatures. So, we cannot trace the real identity of the signer like group signatures. Ring signatures allow users from a group to sign messages on behalf of the group. The verifier of the ring signature can check the correctness of the signature but cannot know which person in the group is the real signer. If the same signer generates two signatures, the verifier cannot identity the signer. However, in many application scenarios [1–4], the signature represents the use by the signer of his rights, so it is important to be able to trace the signer who signs twice. For example, in a voting system for an event, users in the group can anonymously vote for the event. Dishonest users can use anonymity to vote multiple times for their own benefit. Therefore, in this case, a verifier wants to track the identities of dishonest users while protecting the privacy of honest users.

In order to solve this problem, the first traceable ring signature (TRS) scheme was proposed by Fujisaki and Suzuki [5]. TRS schemes have many applications in e-voting and cryptocurrencies such as Monero. A TRS scheme can track the dishonest’s information while protecting the privacy of honest users. A TRS scheme has a that contains public keys of the group members and an . For example, an may be an election or a social problem. Group members can post any signed and anonymous opinions on the only once per . If a member wants to support his first opinion and submits another signed opinion, his identity will be immediately revealed. More specifically, if the signer signs the same message twice with the same , one will see that the two signatures are linked. If the signer signs different messages with the same , a TRS scheme can not only prove that the two signatures are related but also expose the identity of the signer.

There are many TRS schemes [1–3, 6–8] based on factoring and discrete logarithm problems. With the emergence of large-scale quantum computers, most classic asymmetric cryptography is threatened because Shor’s algorithm can solve factoring and discrete logarithm problems in polynomial times [9]. Therefore, the postquantum secure TRS schemes have attracted much attention. Branco and Mateus proposed the first postquantum TRS scheme which is based on coding theory [10]. However, the TRS was pointed out to be unsafe due to the use of the Cramer-Damgård-Schoenmakers (CDS) framework [11] to construct OR relation in [12]. The authors in [12] also proposed a general framework and instantiated the framework with lattice-based building blocks. A hash-based one-time traceable ring signature was proposed in [13]. [14] was an extension of the work in [12]. In [14], not only lattice-based instantiation of the framework was given but also the instantiation based on symmetric-key primitives. Unlike the framework proposed in [14], we use a different way to construct the signing process and the detailed information is described in III.

Code-based cryptography is a hot topic because it is thought to be secure against attacks by quantum computers. The first code-based signature scheme appeared in 2001 [15], And then, code-based signature schemes have developed greatly in the last years [16–18]. The first code-based ring signature was proposed in 2007 [19]. After that, many variations related to ring signatures have been proposed, such as linkable ring signature schemes [20], threshold ring signature schemes [21–23], and group signature schemes [24–28]. However, there is still no secure code-based TRS scheme in the random oracle model (ROM).

Our Contributions. In this paper, we propose a new code-based TRS scheme in the ROM. Our scheme is an improvement on [10]. Instead of using the CDS framework in [10], we employ an accumulator [29] to construct the OR relation. Our scheme is based on the syndrome decoding (SD) problem and 2-regular null syndrome decoding (2-RNSD) problem, and we give the security analysis of the scheme in the ROM. More precisely, we construct a new protocol called Acc-GStern’s protocol by adding new relationships to the GStern’s protocol [10]. The GStern’s protocol is for a prover to prove that he has the knowledge of an error vector for two instances of the SD problem. The Acc-GStern’s protocol is for one prover to prove that not only does he have the knowledge of a witness for one of the several instances of the general syndrome decoding (GSD) problem but also he has values that can correctly be accumulated into the root of the code-based Merkle-tree.

Consider members in the ring. For , let be the public keys of each user , and the corresponding private key is . To sign a message, collects the public keys of remaining members in the ring and uses them to get a hash value . Then, uses his secret key to get a vector and adds a hash function on to get. Next, the user uses a special hash function [29] to get the leaves of the Merkle-tree and applies the Fiat-Shamir transform [30] on the Acc-GStern’s protocol to get the signature. If the signer signs two different messages in the same ring, the identity of the signer is revealed.

The remainder of this paper is as follows: Section 2 introduces the necessary preliminary knowledge needed in this paper. In Section 3, we present our TRS scheme. The security proof and analysis of the scheme are given in Section 4. Efficiency is shown in Section 5. Finally, the conclusion is drawn in Section 6.

2. Preliminaries

2.1. Notations

Let us start with some notations. We write as the set and use to denote the set. We use to represent the sequence . Vectors and matrices will be represented in boldface lowercase letters and bold capital letters, respectively. If is a finite set, it means that is chosen uniformly at random from . If is an algorithm, we use to show that when running with input , the output of this algorithm is . Let be the Hamming weight of the vector . We represent the transpose of in terms of . The bit-wise addition operation modulo 2 is denoted by . The function which is negligible under the parameter is denoted by , i.e., , where represents any polynomial in .

2.2. Hard Problems

In this section, we are going to cover some of the difficult problems used later.

Problem 1. (syndrome decoding (SD) problem). Letbe a parity-check matrix of anrandom linear code,be a binary vector,be an integer, findsuch that, and.
This problem is proven to be NP-complete in the worst case [31]. The distance between the uniform distribution over and is negligible [25].

Lemma 1. (see [10]). Let, and. Letbe a random matrix inandbe a random vector in. The probability that one can findthat satisfiesis negligible.

Problem 2. (general syndrome decoding (GSD) problem). Letbe binary matrices,be binary vectors, andbe an integer. The problem is to findsuch thatand.
The RSD problem is also proved to be NP-complete since the SD problem can be trivially reduced to the GSD problem [10].

Lemma 2. Let, and. Letbe two random matrices inandbe two random vectors in. The probability that one can findthat satisfiesandis negligible.

Definition 1. (see [32]). A regular word is a vector of length n and weight w, and it has exactly one nonzero position in each w intervals. Furthermore, if the weight of each interval is two or zero, the word is called 2-regular. A 2-regular word is the sum of two regular words.

Problem 3. (2-regular null syndrome decoding (2-RNSD) problem). Let, and. Letbe a randomly matrix. The problem is to find a nonzero 2-regular wordsuch that.
This problem turns out to be NP hard in the worst case [32].

Definition 2. (see [33]). For any probabilistic polynomial time adversary, a collision-resistant hash functionsatisfies
, where is a negligible function.

Definition 3 (see [14]). A noninteractive protocolfor a relationis zero-knowledge, if there exists a pair of PPT algorithms called simulators.t. for every PPT adversary, we have thatwhere and first validate that the input , else return ; otherwise, outputs , and outputs .

2.3. Merkle-Tree-Based Accumulator

In this section, we first introduce a Merkle-tree-based accumulator scheme [29] which is a building block of our traceable ring scheme. The accumulator is a one-way membership function that takes a set as input and outputs a constant size value . At the same time, a value has a short witness , which makes the verifier believe that was accumulated to . The accumulator based on Merkle-tree structure is efficient and is also based on the following code-based hash function .

Definition 4. (see [29]). Letbe an encoding function that mapsto. Consider a random matrix, where. The hash functionmappingis defined as

Lemma 3 (see [29]). The above function familyis collision-resistant if the 2-RNSD problem is hard.
The accumulator scheme consists of four algorithms:(1): the input is public parameters . The output is a key for the hash function.(2): the input is all the elements in that treats each element as a leaf node of the Merkle-tree. The output is the root note , which is also called the accumulated value, accumulating by .(3): the input is . If , the output is the witness for . Otherwise, the output is .(4): the inputs are , and . In order to obtain the accumulate value , the verifier checks whether is the valid hash path of .

2.4. Traceable Ring Signatures

In this section, we give the definition and security model of traceable ring signatures. For simplicity of discussion, we denote , where is the public key of each user in the ring. Let be a string that represents the target of the signature (for example, a transaction or an election).

2.4.1. Syntax

A TRS scheme contains four polynomial time algorithms defined as follows.(i): the input is the security parameter . generates public and secret parameters and outputs the pair of public and secret key .(ii): the inputs are the secret of the user , a tag , and a message . The output is a signature on message with the tag . The contains all the members in the ring and should be in .(iii): the inputs are the tag , the signature , and the message . The output is if accepting the signature or if not accepting it.(iv): the inputs are the tag and two message/signature pairs , that correspond to private keys and , respectively. If and , the output is , that is either equal to , , or :

The correctness conditions of TRS are completeness and public traceability. The definitions are given as follows:

Definition 5. (completeness). Letandfor some. If for all and all, it holds that.

Definition 6. (public traceability). A TRS satisfies public traceable if the following conditions are satisfied: for all, for, and, it holds with an overwhelming probability of equation (1).

2.4.2. Security Definitions

We use the security model in [5]. The security requirements of traceable ring signatures include the following three properties: tag-linkability, anonymity, and exculpability. The requirement of unforgeability (as defined in ordinary ring signatures) is not essential because the signature is unforgeable if a TRS satisfies both tag-linkability and exculpability [5].

Suppose is a probabilistic polynomial time (PPT) adversary and the security parameter is . Let be the number of members in the ring; be the tag. By , we denote a function which is negligible on the parameters and .

(1) Tag-Linkability. Take the security parameter as input, output , and valid pairs of message/signature. The adversary can get pairs of message/signature by accessing pairs of public and secret keys. The adversary’s advantage over the scheme is :where is(1)(2)If all , and .

If for all the PPT adversaries , , the scheme satisfies tag-linkability.

(2) Anonymity. Let be a PPT adversary, , are two public/secret key pairs generated by . Consider the following game:(1)(2)(3)(4)If , output 1; otherwise, output 0.

Let be a signing oracle. cannot ask queries to with different tags nor can ask queries with the same tag to both and or and . If the output of this game is 1, the adversary wins the game. The advantage that wins the game is

If , the scheme is anonymous.

(3) Exculpability. This requirement is presented to ensure the adversary cannot construct two valid pairs of message/signature without knowing the secret key of the user . The game is described as follows:(1)(2)(3)(4)output a.

In this game, and . For the message/signature pairs that accesses the signing oracle cannot link to at least one of the or . This means that there is at least one message in and that has not been queried in the . The advantage that wins the following game is

If , the TRS satisfies exculpability.

3. A Code-Based TRS Scheme

3.1. A Proof of Knowledge Protocol

We use a so-called GStern’s protocol in [10] to construct our TRS scheme. Given and in the GSD problem, the prover wants the verifier to confirm that he has a small weight vector such that and . In other words, the protocol is a proof of knowledge protocol for the GSD problem. To be self-contained, we give the detailed description in Algorithm 1, in which denotes a cryptographic hash function.

(1)	Parameters:
(2)	Private information: and .
(3)	Public information:, where and
	.
(4)	The prover:
(i)	chooses and a permutation .
(ii)	sets , ,
(iii)	and .
(iv)	sends , , and .
(5)	The verifier: - sends .
(6)	The prover:
(i)	if , sets .
(ii)	if , sets .
(iii)	if , sets .
(iv)	sends .
(7)	The verifier:
(i)	if , accepts if and .
(ii)	if , accepts if and .
(iv)	if , accepts if , and .

The GStern’s protocol satisfies the following three natures: completeness, special soundness, and honest-verifier zero-knowledge (HVZK) [10]. To construct our TRS scheme, we apply the code-based Merkle-tree accumulator [29] to GStern’s protocol. The statistical zero-knowledge argument of the accumulator allows the prover to convince the verifier , under zero-knowledge conditions, that knows a value correctly accumulated into the code-based Merkle-tree root described above. Let the uniformly random matrix and the accumulated value be the input. The goal of is to convince that he has a value and a valid witness . The relationship with the accumulator is . The authors of [29] gave specific techniques how to reduce the relationship to the abstract relationship , where are obtained by doing some transforms to . In other words, if we want to construct relation , we only need to construct relation . We summarize the above method into the new protocol Acc-GStern’s protocol described in Algorithm 2. The denotes a commitment scheme and is a finite set, where each is associated with a permutation of elements. In addition, is a subset of .

(1)	Parameters:.
(2)	Private information:.
(3)	Public information:
(i)	, where and .
(ii)	, where .
(4)	The prover:- chooses , , a permutation , a permutation , randomness , , for .
(i)	sets , , and .
(ii)	sets , . and .
(iii)	sends , , , , , and .
(5)	The verifier:
(i)	sends .
(6)	The prover:
(i)	if , computes , sets .
(ii)	if , computes sets .
(iii)	if , computes sets .
(iv)	sends .
(7)	The verifier:
(i)	if , accepts if .
(ii)	if , accepts if .
(iii)	if , accepts if , .

Lemma 4. The protocol presented in Algorithm 2 is complete, special sound, and HVZK.

Proof. Our new protocol is a combination of GStern’s protocol and the accumulator protocol. If an honest prover follows the protocol, then he always gets accepted by the verifier. Thus, the protocol has perfect completeness. If there is a simulator who extracts a valid witness from two valid transcripts and of Acc-GStern’s protocol with , where , and are commitments, challenges, and responses, respectively, he can extract a valid witness. We consider the following cases:(1)When and , the simulator can extract from and . For , the simulator can extract from .(2)When and , the simulator can extract from and . For , the simulator can extract from and .(3)When and , the simulator can extract from and and the simulator can extract from and .Finally, we prove HVZK of the protocol. When , the simulator easily reveals , , , and . When , the simulator gets , where and reveals a vector , where . When , the simulator obtains a vector with weight and a vector of length .

3.2. Description of the Scheme

In this section, we give the description of our new TRS scheme in Algorithm 3. Generally speaking, the scheme is constructed by using the noninteractive protocol which is obtained by combining Acc-GStern’s protocol with Fiat-Shamir transform [30].

First, we use the public information and a collision-resistant hash function to construct the matrix . Then, we construct a set of random syndromes , …, , one of which, i.e., some , is a vector associated with the secret key of the actual signer. When the same signer signs two different messages with the same tag, the vector will be the same and so we can identity the signer. We also use a collision-resistant hash function to generate the other , where , to prevent the signer from cheating.

Let be the members of the ring, and be the public keys of the members. The tag is . Let be a string of signed targets (for example, an election or a transaction). Let and be three different collision-resistant hash functions. The hash function is the special function used in the accumulator as we defined in Definition 4. In addition, is the function applied times on input .

(1)	Parameters:.
(2)	KeyGen: For each user
(i)	randomly chooses such that .
(ii)	computes .
(iii)	.
(iv)	.
(3)	Sign: To generate a signature on message , the user
(i)	computes and .
(ii)	sets .
(iii)	computes , for .
(iv)	computes , for all , and defines .
(v)	computes and .
(vi)	let be the public input of the protocol , and let be the secret inputs. Then, the user runs to generate a noninteractive proof .
(vii)	outputs the signature .
(4)	Verify: To verify the signature on message , the verifier
(i)	computes , for all .
(ii)	computes , for all , and defines .
(iii)	computes .
(iv)	let be the public input of the protocol . Then, the verifier runs to get .
(v)	if , outputs 1. Otherwise, outputs 0.
(5)	Trace: When the verifier is given two signatures and , where and , the verifier
(i)	if and , continue.
(ii)	computes and for all .
(iii)	if for all , outputs .
(iv)	else if only one index makes , outputs .
(v)	otherwise, outputs .

4. Security and Analysis

In this section, we present the analysis of our TRS scheme from two aspects: correctness analysis and security analysis.

4.1. Correctness Analysis

If a TRS scheme satisfies completeness and public traceability which are given in Definition 5 and Definition 6, respectively, we say that the TRS scheme is correct.

4.1.1. Completeness

The completeness of our TRS is easily verified. Since and are collision-resistant hash functions, and is generated by the tag and the secret key , the signer can always generate all and for all , just like in the signing algorithm. The verifier can recover all from and also recover all . Due to the completeness of the underlying protocol, the output of the verification algorithm is always 1 when the input of the verification algorithm is the honest signature .

4.1.2. Public Traceability

Next, we give the proof of public traceability from three cases:(i)Case 1. Suppose that , . Therefore, we have , and we get for all . In this case, the output of is always .(ii)Case 2. Suppose that . So, we have . However, due to the collision resistance of the hash function , we have , for with overwhelming probability. Therefore, only in the two sequences and . In this case, the output of is always .(iii)Case 3. Suppose that and . Thus, we have , , and . Then, due to the hash function, we have for all with overwhelming probability. If and , we obtain . If the output of the algorithm is not , there must be some , satisfying . However, we have and . Due to the collision resistance of hash functions and the difficulty of the GSD problem, the probability of the existence of and is negligible. Therefore, the output of is with overwhelming probability.

4.2. Security Analysis

We use the security definition of TRS in [5], which formalized security requirements called anonymity, tag-linkability, and exculpability.

Theorem 1. Our scheme is secure in the random oracle model, i.e., satisfying anonymity, tag-linkability, and exculpability.

We prove Theorem 1 from the following three aspects: proof for anonymity, proof for tag-linkability, and proof for exculpability.

4.2.1. Proof for Anonymity

To show that our scheme satisfies anonymity, we define a PPT adversary , a challenger , and a series of games , . There are three signing oracles: . The advantage of the adversary in is denoted by .

: this game is just like the game defined in (2), in which . The adversary can access three oracles. The challenger honestly runs the oracle with corresponding secret keys to reply to ’s queries to these there oracles.

: let be the simulators of the protocol . The challenger runs to simulate the public parameters, instead of running of the protocol . When the adversary makes queries to , the challenger runs to answer the query.

Due to Definition 3, we have

: the difference between and is that the challenger creates an empty table . We assume that the sequence is computed by the user , and is the position of in . The adversary gets access to and the query is .The challenger does not use to get . The challenger checks whether there is a tuple in , where is the vector in together with . If the tuple exists, then uses and runs the simulator to generate the signature. Otherwise, the challenger randomly chooses a vector , sets , and adds to . Then, the challenger generates the signature using .

Due to the GSD problem, the adversary cannot calculate from and the public parameters. So, cannot distinguish and :

: the difference between and is that the challenger uses to generate and answers the query to . : the difference between and is the value of b. defines .

Due to the zero-knowledge property of the underlying protocol and the hardness of the GSD problem, the outputs of all the above games contain nothing about . Therefore, the adversary can guess the right with probability and the advantage that the adversary wins the game is negligible.

4.2.2. Proof for Tag-Linkability

We assume that the PPT adversary is and the sequence is contained in the signature which can be reconstructed from . The message/signature pairs with tag are generated by the adversary . Suppose that wins the tag-linkability game. Thus, we have ; and .

Let and be the sets of all the parameters honestly generated in our construction and all the parameters generated by the simulator , respectively. Due to the zero-knowledge property of the protocol, cannot distinguish and . Therefore, there is an extractor that can extract a witness for each . There is at most only one witness with overwhelming probability because of the hardness of the GSD problem, and correspondingly, and . Since only contains public keys, there must exist in the sequence . Since all public keys in are distinct, we have . Finally, we get , which means that two signatures and cannot be accepted by . However, this contradicts our previous assumptions.

4.2.3. Proof for Exculpability

Suppose that is a PPT adversary. We define the following games . : this is the real exculpability game. In this game, the challenger runs to generate , where is the position of in . runs to reply to ’s queries to . : the challenger runs the simulator of the protocol to generate the public parameters and randomly chooses . creates an empty table to record each query. The challenger receives a query to and the secret key corresponds to the public key in , where is the position of in . However, does not compute in terms of . If is not in the table , where is the vector in together with , he randomly chooses a vector and adds to the table and generates the signature with . Otherwise, sets as and uses the simulator to generate the signature.

Due to the zero-knowledge property of the underlying protocol and the hardness of the GSD problem, the advantage that distinguishes and is

Then, we show that a successful attack is impossible in . If can output two valid pairs and , the two valid pairs can satisfy:(1) and ,(2), where is the position of in .

We consider the following two cases:(i)Case 1. Suppose that one of those two pairs can be linked with the table and the pair is . Therefore, there is a pair in that can be linked with where and are the vectors in in the target pair and are the vectors corresponding to . We can get a witness from the extractor of the protocol . In this way, the elements in the pair should satisfy , and for all , and due to that the two pairs are linked, and , for all . However, is generated by the simulator of the protocol and the vectors , are randomly chosen in in . Considering the hardness of the GSD problem, the adversary cannot generate the valid and .(ii)Case 2. Suppose that neither of the two pairs can be associated with the table . So, we have , which means that , for all . We can also extract the witness and from and , respectively. We have and , which holds that . If , the will output . However, is chosen randomly in in , and so cannot construct a vector which satisfies and . In this condition, we have . Due to the hardness of the GSD problem, the probability that the adversary constructs the valid is negligible. Therefore, the adversary cannot have a successful attack.

5. Efficiency

In this section, we consider the efficiency of our scheme in three aspects: public key sizes, secret key sizes, and signature sizes.(1)Public key size: the public key in our scheme consists of and vectors , for . The public key size of our scheme is bits.(2)Secret key size: the secret key of each signer is a vector , and the bit length of is .(3)Signature size: the signature size in our scheme is determined by the proof , and the bit length of the signature is . Specifically, the signature size of our scheme includes the following three aspects: the size of three hash values and three commitments is bits, where is the security parameter. For each case, , or , the size of response is bits, where . The bit size of the vector is . The repetition number of Acc-GStern’s protocol is defined as (for example, if the cheating probability of Acc-GStern’s protocol is approximately , ). To sum up, the signature size of our scheme is bits. Since and is the ring size, our signature size is logarithmic in the ring size.

According to decoding attacks in [34–36], we set the parameters of our scheme under 128 bit and 256 bit security in Table 1.

We give the implementation of our scheme on an Intel(R) Core(TM) i5-1035G1 CPU @ 2.20 GHz, and we implemented our scheme based on Python. We use the first set of parameters in Table 1 to implement our scheme. The running time of to generate a pair of is about 3 ms. However, due to the use of the hash function defined in Definition 4, the total running time for our signature scheme to generate a signature is about 2 minutes.

Since our scheme is an improvement over [10], the signature size in the original scheme is linear in the number of ring size, while the signature size of our scheme is logarithmic in the ring size. To the best of our knowledge, there are no other code-based TRS schemes. However, for some applications, the key and signature sizes of our scheme are still large. Finding new techniques to reduce the sizes of code-based traceable ring signature schemes and improve the efficiency of code-based traceable ring signature schemes are our future research direction.

6. Conclusion

In this paper, we construct a new code-based TRS scheme. The signature size of our scheme is logarithmic in the size of the ring. We then provide the tag-linkability, anonymity, and exculpability of our scheme and so our scheme is secure in the random oracle model under the assumption of the hardness of the SD problem and the 2-RNSD problem.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

The work of L.P. Wang was supported in part by the National Natural Science Foundation of China (Grant no. 61872355), Mathematical Tianyuan Foundation of National Natural Science Foundation of China (Grant No.12026427), and National Key Research and Development Program of China (No. 2018YFA0704703).

References

E. Fujisaki, “Sub-linear size traceable ring signatures without random oracles,” in Proceedings of the Topics in Cryptology - CT-RSA 2011 - The Cryptographers’ Track at the RSA Conference 2011, pp. 393–415, Springer, San Francisco, CA, USA, 14 February 2011.
View at: Publisher Site | Google Scholar
C. Hu and D. Li, “Forward-secure traceable ring signature,” in Proceedings of the 8th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, pp. 200–204, IEEE Computer Society, Qingdao, China, 30 July 2007.
View at: Publisher Site | Google Scholar
X. Bultel and P. Lafourcade, “k-times full traceable ring signature,” in Proceedings of the 2016 11th International Conference on Availability, Reliability and Security, ARES 2016, pp. 39–48, IEEE, Salzburg, Austria, 31 August 2016.
View at: Publisher Site | Google Scholar
S. S. M. Chow, J. K. Liu, and D. S. Wong, “Robust receipt-free election system with ballot secrecy and verifiability,” in Proceedings of the Network and Distributed System Security Symposium, NDSS 2008, The Internet Society, San Diego, California, USA, 24 February 2008.
View at: Google Scholar
E. Fujisaki and K. Suzuki, “Traceable ring signature,” in Proceedings of the Public Key Cryptography - PKC 2007, 10th International Conference on Practice and Theory in Public-Key Cryptography, pp. 181–200, Springer, Beijing, China, 16 April 2007.
View at: Publisher Site | Google Scholar
M. H. Au, J. K. Liu, W. Susilo, and T. H. Yuen, “Secure id-based linkable and revocable-iff-linked ring signature with constant-size construction,” Theoretical Computer Science, vol. 469, no. 1–14, pp. 1–14, 2013.
View at: Publisher Site | Google Scholar
F. Tang, J. Pang, K. Cheng, and Q. Gong, “Multiauthority traceable ring signature scheme for smart grid based on blockchain,” Wireless Communications and Mobile Computing, vol. 2021, Article ID 5566430, 9 pages, 2021.
View at: Publisher Site | Google Scholar
X. Peng, K. Gu, Z. Liu, and W. Zhang, “Traceable identity-based ring signature for protecting mobile iot devices,” in Proceedings of the Data Mining and Big Data - 6th International Conference, DMBD 2021, pp. 158–166, Springer, Guangzhou, China, 20 October 2021.
View at: Publisher Site | Google Scholar
P. W. Shor, “Algorithms for quantum computation: discrete logarithms and factoring,” in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pp. 124–134, IEEE Computer Society, Santa Fe, New Mexico, USA, 20 November 1994.
View at: Publisher Site | Google Scholar
P. Branco and P. Mateus, “A traceable ring signature scheme based on coding theory,” in Proceedings of the International Conference on Post-Quantum Cryptography, pp. 387–403, Springer, Chongqing, China, 29 May 2019.
View at: Publisher Site | Google Scholar
R. Cramer, I. Damgård, and B. Schoenmakers, “Proofs of partial knowledge and simplified design of witness hiding protocols,” in Proceedings of the Advances in Cryptology - CRYPTO ’94, 14th Annual International Cryptology Conference, pp. 174–187, Springer, Santa Barbara, California, USA, 21 August 1994.
View at: Publisher Site | Google Scholar
H. Feng, J. Liu, Q. Wu, and Y.-N. Li, “Traceable ring signatures with post-quantum security,” in Proceedings of the Topics in Cryptology - CT-RSA 2020 - The Cryptographers’ Track at the RSA Conference 2020, pp. 442–468, Springer, San Francisco, CA, USA, 24 February 2020.
View at: Publisher Site | Google Scholar
A. Scafuro and B. Zhang, “One-time traceable ring signatures,” in Proceedings of the Computer Security - ESORICS 2021 - 26th European Symposium on Research in Computer Security, pp. 481–500, Springer, Darmstadt, Germany, 4 October 2021.
View at: Publisher Site | Google Scholar
H. Feng, J. Liu, D. Li, Y.-N. Li, and Q. Wu, “Traceable ring signatures: general framework and post-quantum security,” Designs, Codes and Cryptography, vol. 89, no. 6, pp. 1111–1145, 2021.
View at: Publisher Site | Google Scholar
N. T. Courtois, M. Finiasz, and N. Sendrier, “How to achieve a mceliece-based digital signature scheme,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 157–174, Springer, 2001.
View at: Publisher Site | Google Scholar
N. Aragon, O. Blazy, P. Gaborit, A. Hauteville, and G. Zémor, “Durandal: a rank metric based signature scheme,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2019 - 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 728–758, Springer, Darmstadt, Germany, 19 May 2019.
View at: Publisher Site | Google Scholar
T. Debris-Alazard, N. Sendrier, and J.-P. Tillich, “Wave: a new family of trapdoor one-way preimage sampleable functions based on codes,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2019 - 25th International Conference on the Theory and Application of Cryptology and Information Security, pp. 21–51, Springer, Kobe, Japan, 8 December 2019.
View at: Publisher Site | Google Scholar
E. Persichetti, “Efficient one-time signatures from quasi-cyclic codes: a full treatment,” Cryptography, vol. 2, no. 4, p. 30, 2018.
View at: Publisher Site | Google Scholar
D. Zheng, X. Li, and K. Chen, “Code-based ring signature scheme,” International Journal on Network Security, vol. 5, no. 2, pp. 154–157, 2007.
View at: Google Scholar
P. Branco and P. Mateus, “A code-based linkable ring signature scheme,” in Proceedings of the Provable Security - 12th International Conference, ProvSec 2018, pp. 203–219, Springer, Jeju, South Korea, 25 October 2018.
View at: Publisher Site | Google Scholar
C. Aguilar Melchor, P.-L. Cayrel, P. Gaborit, and F. Laguillaumie, “A new efficient threshold ring signature scheme based on coding theory,” IEEE Transactions on Information Theory, vol. 57, no. 7, pp. 4833–4842, 2011.
View at: Publisher Site | Google Scholar
L. Dallot and D. Vergnaud, “Provably secure code-based threshold ring signatures,” in Proceedings of the Cryptography and Coding, 12th IMA International Conference, Cryptography and Coding 2009, pp. 222–235, Springer, Cirencester, UK, 15 December 2009.
View at: Publisher Site | Google Scholar
H. Assidi, E. B. Ayebie, and E. M. Souidi, “An efficient code-based threshold ring signature scheme,” Journal of Information Security and Applications, vol. 45, pp. 52–60, 2019.
View at: Publisher Site | Google Scholar
Q. Alamélou, O. Blazy, S. Cauchie, and P. Gaborit, “A practical group signature scheme based on rank metric,” in Proceedings of the Arithmetic of Finite Fields - 6th International Workshop, WAIFI 2016, pp. 258–275, Springer, Ghent, Belgium, 13 July 2016.
View at: Publisher Site | Google Scholar
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, “A provably secure group signature scheme from code-based assumptions,” in Proceedings of the Advances in Cryptology - ASIACRYPT 2015 - 21st International Conference on the Theory and Application of Cryptology and Information Security, pp. 260–285, Springer, Auckland, New Zealand, 29 December 2015.
View at: Publisher Site | Google Scholar
B. E. Ayebie, H. Assidi, and E. M. Souidi, “A new dynamic code-based group signature scheme,” in Proceedings of the Codes, Cryptology and Information Security - Second International Conference, C2SI 2017, pp. 346–364, Springer, Rabat, Morocco, 10 April 2017.
View at: Publisher Site | Google Scholar
Q. Alamélou, O. Blazy, S. Cauchie, and P. Gaborit, “A code-based group signature scheme,” Designs, Codes and Cryptography, vol. 82, no. 1-2, pp. 469–493, 2017.
View at: Publisher Site | Google Scholar
M. F. Ezerman, H. T. Lee, S. Ling, K. Nguyen, and H. Wang, “Provably secure group signature schemes from code-based assumptions,” IEEE Transactions on Information Theory, vol. 66, no. 9, pp. 5754–5773, 2020.
View at: Publisher Site | Google Scholar
K. Nguyen, H. Tang, H. Wang, and N. Zeng, “New code-based privacy-preserving cryptographic constructions,” in Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, pp. 25–55, Springer, Kobe, Japan, 4 December 2019.
View at: Publisher Site | Google Scholar
A. Fiat and A. Shamir, “How to prove yourself: practical solutions to identification and signature problems,” in Proceedings of the Advances in Cryptology - CRYPTO ’86, pp. 186–194, Springer, Santa Barbara, California, USA, 11 August 1986.
View at: Publisher Site | Google Scholar
E. Berlekamp, R. McEliece, and H. Van Tilborg, “On the inherent intractability of certain coding problems (corresp.),” IEEE Transactions on Information Theory, vol. 24, no. 3, pp. 384–386, 1978.
View at: Publisher Site | Google Scholar
D. Augot, M. Finiasz, and N. Sendrier, “A family of fast syndrome based cryptographic hash functions,” in Proceedings of the Progress in Cryptology - Mycrypt 2005, First International Conference on Cryptology, pp. 64–83, Springer, Kuala Lumpur, Malaysia, 28 September 2005.
View at: Publisher Site | Google Scholar
Y. Zhang, D. He, F. Zhang, X. Huang, and D. Li, “An efficient blind signature scheme based on SM2 signature algorithm,” in Proceedings of the Information Security and Cryptology - 16th International Conference, Inscrypt 2020, pp. 368–384, Springer, Guangzhou, China, 11 December 2020.
View at: Publisher Site | Google Scholar
R. C. Torres and N. Sendrier, “Analysis of information set decoding for a sub-linear error weight,” in Proceedings of the Post-Quantum Cryptography - 7th International Workshop, PQCrypto 2016, pp. 144–161, Springer, Fukuoka, Japan, 24 February 2016.
View at: Publisher Site | Google Scholar
A. Becker, A. Joux, A. May, and A. Meurer, “Decoding random binary linear codes in 2 n/20: how 1 + 1 = 0 improves information set decoding,” in Proceedings of the Advances in Cryptology - EUROCRYPT 2012 - 31st Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 520–536, Springer, Cambridge, UK, 15 April 2012.
View at: Publisher Site | Google Scholar
D. J. Bernstein, T. Lange, C. Peters, and P. Schwabe, “Faster 2-regular information-set decoding,” in Proceedings of the Coding and Cryptology - Third International Workshop, IWCC 2011, pp. 81–98, Springer, Qingdao, China, 30 May 2011.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Yanhong Qi and Li-Ping Wang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

527

Downloads

480

Citations