Abstract

Linkable ring signatures (LRSs) are ring signatures with the extended property that a verifier can detect whether two messages were signed by the same ring member. LRSs play an important role in many application scenarios such as cryptocurrency and confidential transactions. The first code-based LRS scheme was put forward in 2018. However, this scheme was pointed out to be insecure. In this paper, we put forward a code-based LRS scheme by constructing a new Stern-like interactive protocol and prove that it meets the security requirements of LRSs. We also give the specific parameters and the performance on the platform of our scheme.

1. Introduction

Ring signatures [1], a significant cryptographic primitive, enable a group user to sign a message on behalf of the group (called a ring) while protecting their privacy. Anonymity means that a verifier only can verify the correctness of the signature but cannot identify who is the actual signer in the ring. As an efficient privacy protection technology, ring signatures have been widely used in various scenarios such as e-voting [2], e-cash [3], and e-lottery [4, 5]. However, in many real-world applications, it is significant to not only protect the privacy of the signer but also require each signer to sign no more than once. For example, in an e-voting system, each person signs their ballot on behalf of all those eligible to vote, and each person is required to vote only once.

For more application scenarios, Liu et al. came up with the first linkable ring signature (LRS) scheme in 2004 [6]. LRSs are ring signatures with an extended property, where one can publicly verify whether two signatures were produced by the identical signer without knowing the identity of the signer. Compared to a ring signature scheme, an LRS scheme contains a tag generated by an issue and the signing keys of the entire ring user, where an issue can represent a vote or a business event. If a ring member outputs two signatures with an identical tag, two signatures will be linked. In a more restricted version of LRSs, a signer will be linked as soon as he signs twice. We call this kind of LRSs one-time LRSs. This property plays an important role in building cryptocurrencies, such as keeping the spender’s anonymity and avoiding double-spending attacks [7], since a sum of money can be used only once by a consumer no matter in any deal.

LRSs have been extensively researched based on the number theory problem [6, 810]. A general construction of LRSs was presented by Franklin and Zhang [11]. For the sake of linkability, they add a pseudorandom function (PRF) evaluation of the signer’s private key to any ring signature scheme and combine it with a zero-knowledge proof of the correct evaluation. In 2019, Wang et al. [12] put forward a general construction of one-time LRSs that adds one-time signatures to any ring signature scheme to achieve linkability. With the arrival of high-performance quantum computers, most classical asymmetric cryptography schemes will be broken since Shor [13] came up with a quantum algorithm to break the discrete logarithm problem and the factoring problem. Therefore, a number of quantum-safe LRS schemes have been put forward in the past few years, such as lattice-based LRS schemes [7, 1416], code-based LRS schemes [1719], and isogeny-based LRS schemes [15].

Code-based cryptography has flourished as one of the important fields of postquantum cryptography in recent years. The first signature scheme from coding theory is the Courtois–Finiasz–Sendrier (CFS) scheme [20]. After that, code-based signatures make a great development [2123]. In 2007, Zheng et al. put forward the first ring signature scheme from coding theory [24]. Later, many other variants related to ring signatures appeared like threshold ring signatures [25, 26], traceable ring signatures [27], and group signatures [2830]. In 2018, Branco and Mateus put forward the first code-based LRS scheme [18]. However, Feng et al. [31] point out that this scheme is not safe since the Cramer–Damgard–Schoenmakers (CDS) framework [32] was used to build the OR relationship. In 2020, Ren et al. proposed another code-based LRS scheme [19]. However, we found that once two signatures are linked, the information of the signer’s private key will be leaked since the output contains the information of the private key.

1.1. Our Contributions

For the purpose of not using the CDS framework, we design a new Stern-like interactive zero-knowledge (ZK) protocol, which is inspired by Ezerman et al. [33], as the building block of our LRS scheme. A prover can use this interactive ZK protocol to prove that he holds a small-weight solution to two instances of the syndrome decoding problem, which means the prover is a certified ring member with a unique label vector. Therefore, we employ the interactive ZK protocol to build our LRS scheme. Then, we prove that our LRS scheme is not only correct but also achieves the LRS security requirements. Finally, we analyzed the efficiency of the scheme and gave the running time on the platform.

It should be pointed out that we do not use the techniques mentioned in the introduction to construct our LRS scheme. The first technique [11] needs secure PRFs with a succinct zero-knowledge system. The syndrome-based PRF [34] is the only proposed one with a zero-knowledge argument system. Nevertheless, such an argument system will lead to a very inefficient construction since given an input of length , the PRF will implement times of matrix multiplications. The second technique, to achieve one-time linkability through a one-time signature scheme, also increases the overhead of a concrete scheme. Our construction follows that of Baum et al. [14].

We assume a ring of size , each member of which is labeled . Let represent the public keys of the user and represent the secret key with Hamming weight , where , denote two matrices and , denote two row vectors. Let denote a matrix of size and denote a vector of length such that the -th position is 1 and the rest of the positions are 0. Therefore, there is and the equation can be reformulated as

Then, employs the secret key to get a vector

Next, we construct a Stern-like ZK scheme where a prover is able to make the verifier believe he holds a pair satisfying equations (1) and (2) with hidden index . By repeating this protocol a lot of times to make the soundness error negligible and employing the Fiat–Shamir transform [35], we get a transcript of the NIZK argument. The final form of our proposed LRS is . The size of our scheme, including the public key and the signature, is linearly related to . However, when setting the practical parameters, our scheme achieves better performance than that of the scheme put forward in [36] which is the best performance syndrome-based ring signature scheme with logarithmic signature size, as long as does not exceed [28].

We note that Ren et al. [19] attempt to build another code-based LRS scheme. Unfortunately, there is a lot of weakness in this construction. In detail, they use an insecure signature scheme to build their LRS scheme, which would result in the disclosure of the signer’s private key. We make an analysis in Section 6.

1.2. Roadmap

The remaining articles are structured as follows. In Section 2, we introduce many preliminaries needed in our paper. In Section 3, we first propose an interactive zero-knowledge protocol and then construct our LRS scheme. We give the security proof and some security parameters for our LRS scheme in Section 4. In Section 5, we present the implementation results of the proposed LRS scheme. In Section 6, we analyze Ren et al.’s scheme. Finally, in Section 7, we draw the conclusion.

2. Preliminaries

2.1. Notations

Let and represent a security parameter and a negligible function in , respectively. The set is abbreviated as . We denote with the addition modulo 2. If not specified explicitly, the bold lowercase and uppercase letters represent row vectors and matrices, respectively. The Hamming metric of a vector is represented by . The transpose of is represented by . Let be the set of vectors such that . Define a function I2B from a positive integer to its binary representation, so the inverse of I2B is written as B2I. For a distribution , the notation means that is sampled from the distribution . If is a set, then denotes that is randomly picked from .

2.2. Linkable Ring Signatures

We now introduce the definition of the LRSs. To keep things simple, is abbreviated as .

Definition 1. An LRS scheme contains four polynomial-time algorithms in which(i): taking as input, it publishes a pair of public and private keys (ii): taking the public keys , a message M, and a private key as input, it generates a signature (iii): taking the public keys , a message M, and a signature as input, it outputs either 1 (accept) or 0 (reject)(iv): taking the public keys , two messages , and two signatures such that and as input, it outputs or , where 1 means that and are issued by the same signer

2.2.1. Correctness

An LRS scheme achieves correctness if for any , and every messages , , the following holds:where and , .

We employ the security model of [6, 14], which contains the following four aspects: existential unforgeability, anonymity, nonframeability, and linkability. In order to build the games used in these security models, we define the following two oracles:(i): taking a query of the form as input, it generates a signature (ii): taking a as input, it outputs the corresponding

Let stand for a probabilistic polynomial-time (PPT) adversary and represent that queries the random oracle .

Definition 2 (existential unforgeability). An LRS scheme is existential unforgeable, if the advantage of is negligible in the following game:(1)(2)Here, cannot use to query the .
The advantage of breaking existential unforgeability is denoted by the following equation:

Definition 3 (anonymity). An LRS scheme is anonymous, if the advantage of is negligible in the following game:(1)(2)(3)(4)Here, cannot query the and the .
The advantage of breaking anonymity is denoted by the following equation:

Definition 4 (nonframeability). An LRS scheme is nonframeable, if the advantage of is negligible in the following game:(1)(2)(3)(4)(5)Here, cannot use the to query the .
The advantage of breaking nonframeability is denoted by the following equation:

Definition 5 (linkability). An LRS scheme is linkable, if the advantage of is negligible in the following game:(1)(2) The advantage of breaking linkability is denoted by the following equation:

Remark 6. In this work, the proof of existential unforgeability is not given. As shown in [37], it is easy to get existential unforgeability from linkability and nonframeability.

2.3. Cryptography in Coding Theory

We now introduce a few hard problems needed in our paper.

Problem 7 (syndrome decoding (SD) problem). Given a parity-check matrix , a syndrome , and a positive integer , the SD problem is to search for a solution satisfying and .

Problem 8 (general syndrome decoding (GSD) problem). Given two parity-check matrices , two syndromes , and a positive integer , the GSD problem is to search for a solution satisfying , , and .
Considering the matrix and the vector , we have . Therefore, the GSD problem is equivalent to the SD problem.

Problem 9 (codeword finding (CF) problem). Given a parity-check matrix and a positive integer , the CF problem is to search for a solution satisfying and .

Remark 10 (see [21]). For a binary linear code, the easy range for the weight of the SD problem and CF problem is .

Definition 11 (Gilbert–Varshamov (GV) bound). For a binary linear code, the GV bound is denoted by the following equation:

Remark 12. The SD problem has a unique solution with overwhelming probability if is less than .

Problem 13 (decisional syndrome decoding (DSD) problem [38]). Given a parity-check matrix and a syndrome , where the weight of the vector is at most , the DSD problem is to distinguish between a random vector and the syndrome .

Lemma 14 (leftover hash lemma [39]). Given a distribution over with min-entropy , a matrix , and a vector , the statistical distance between the distribution of and the corresponding uniform distribution is less than , where and .

2.4. Zero-Knowledge Proof and Stern Protocol

We will introduce the definition of the zero-knowledge argument systems in this section. We use the set of statements-witnesses to denote an NP-relation. We first introduce the definition of an interactive zero-knowledge argument system as follows.

Definition 15 (zero-knowledge argument systems [40]). Let represent an interactive algorithm between a prover and a verifier, and denote an NP-relation. We say the is a ZK argument for a relation , if the following three conditions hold:(i)Completeness: if , there is(ii)-Soundness: if , then for any PPT ,where is negligible.(iii)Statistical zero-knowledge: if there exists a PPT simulator which can interact with any and produce a simulated transcript , we have the following equation:where denotes the transcript of a real interaction’s transcript.Let be a setup algorithm about the protocol with an input , then return the parameters . The zero-knowledge property and simulation-extractability of noninteractive protocol are presented as follows.

Definition 16 (noninteractive zero-knowledge). Let denote a noninteractive protocol. The protocol is zero-knowledge for a relation , if a pair of PPT simulators are presented such that for any , there iswhere and first check that if the input is contained in , if so, outputs , and outputs ; otherwise, return .

Definition 17 (simulation-extractability). We say that achieves simulation-extractable with regard to a pair of PPT simulators , if there exists a PPT extractor such that for , there iswhere , represents all proofs produced by , is not contained in , and takes the input and outputs .

(1)Public parameters:.
(2)Private key: Samples such that .
(3)Public key: Samples and calculates .
(4)Prover:
 (i) Samples and .
 (ii) Calculates , , and sets .
 (iii) Sends to .
(5)Verifier:
 (i) Samples the challenge .
(6)Prover:
 (i) Case : Sets .
 (ii) Case : Sets .
 (iii) Case : Sets .
 (iv) Sends the response to .
(7)Verifier:
 (i) If , checks if and are true.
 (ii) If , checks if and are true.
 (iii) If , checks if and are true.
2.4.1. Stern Protocol

In 1996, Stern introduced a three-round zero-knowledge argument of knowledge (ZKAoK) for the SD problem in coding theory [41]. The system parameters are a public matrix , a syndrome , and a weight . According to the Stern protocol, anyone can verify whether the prover holds a solution with Hamming metric such that . If we embed the statistically hiding commitment scheme into it, then we can get a soundness error of . We describe the Stern protocol in Algorithm 1.

3. Our Code-Based Linkable Ring Signature

We first put forward an interactive zero-knowledge protocol, in which a prover can prove that he is a ring member with a label vector that is generated by his own private key. Based on this interactive zero-knowledge protocol, we construct our LRS scheme by Fiat–Shamir transform.

3.1. The Underlying Zero-Knowledge Protocol

In this section, our main result is to show a zero-knowledge argument system as the underlying protocol of our LRS scheme. First, we need to introduce a set of vectors and an important permutation, which are introduced in [28]. Let denote an integer and . Then, there are the following:(1)For and , let denote a vector of length such that the -th position is 1 and the rest of the positions are 0(2)Given a vector , we introduce the permutation : , where , for each For any and any , there is(3)For any vector and , we have

We build our interactive ZKAoK following the Stern framework and make a summarization as follows:(i)The public keys include two matrices and and syndromes (ii)The secret is a vector satisfying where the with hidden index (iii)It is the prover’s target to make others convince of the following relations:

Let . The relation is equivalent to , where denotes . Then, the relation can be rewritten as follows:

We use to denote a collision-resistant hash function. Next, we showed the details of the underlying interactive protocol in Algorithm 2.

Lemmas 14 and 18 point out that Algorithm 2 has the statistically zero-knowledge property and the special soundness property.

Lemma 18. The interactive protocol shown in Algorithm 2 is an argument with the statistical zero-knowledge property if the COM is a statistically hiding string commitment scheme.

Proof. We employ a simulator which can interact with the verifier after giving the public input . First, the simulator picks a, and then depending on the value chosen by , proceeds as follows.

Case 19. : randomly selects the following objects:Then, sets the as , in whichWhen the challenge is received, performs as follows:(i)If , lets and sends it to (ii)If , terminates the process and outputs (iii)If , lets and sends it to

(1)Public parameters:.
(2)Private key: Samples and .
(3)Public key:, where .
(4)Prover:
 (i) Samples the following uniformly random objects:
  
 (ii) Sets ,
  ,
  .
 (iii) Sets the as .
(5)Verifier:
 (i) Samples the .
(6)Prover:
 (i) If , sets .
 (ii) If , sets .
 (iii) If , sets .
 (iv) Sends .
(7)Verifier:
 (i) If , checks if and are true.
 (ii) If , checks if and are true.
 (iii) If , checks if and , are true.

Case 20. : computes and such thatand samples random objects as follows:where denotes the symmetric group of all permutations of elements.
Then, sets as the same as equation (18).
When is received, performs as follows:(i)If , lets and sends it to (ii)If , lets and sends it to (iii)If , terminates the process and outputs

Case 21. : samples random objects:computes and such thatThen, sets the as the same as equation (18).
When the challenge is received, performs as follows:(i)If , terminates the process and outputs (ii)If , lets and sends it to (iii)If , lets and sends it to Because is sampled from , the probability of terminating is . As the simulator outputs a successful transcript, the distribution of its outputs is indistinguishable from the real interaction.

Lemma 22. On the input of , there is an extractor that can obtain a pair from a and 3 valid to all 3 possible pairs . The witness satisfies the following equations:

Proof. We can construct an efficient knowledge extractor . Suppose that we have three valid transcripts ,, and of the proposed protocol, where , whereBecause of the collision-resistance property of , we haveTherefore, the knowledge extractor can extract the witness from , .

(1)Public parameters:.
(2)KeyGen: User :
 (i) Samples as private key.
 (ii) Calculates the public key and sets as .
(3)Sign: performs the following steps:
 (i) Calculates .
 (ii) Repeats Algorithm2 with the input times such that the soundness error is negligible and then obtains .
 (iii) Sets as .
 (iv) Sets the corresponding responses according to the step 6 of Algorithm2.
 (v) Sets the transcript .
 (vi) Outputs the linkable ring signature .
(4)Ver: Given a signature , the verifier
 (i) Calculates ;
 (ii) According to Algorithm2 with the input to check if is a valid transcript.
 (iii) If the above condition holds, it returns 1; otherwise, it returns 0.
(5)Link: When two signatures are received, the verifier parses and
 (i) Checks if and are correct.
 (ii) Checks if .
 (iii) If the above two conditions hold, it outputs 1; otherwise, it outputs 0.
3.2. Our Code-Based Linkable Ring Signature Protocol

Our LRS scheme is put forward in Algorithm 3. Roughly speaking, we construct an LRS by repeating the underlying ZKAoK protocol enough times so that the soundness error is negligible and applying the Fiat–Shamir transform.

Given two positive integers and such that , we choose a random matrix and two collision-resistant hash functions as follows:(i)(ii)

Here, stands for the repetition number of the underlying ZK protocol.

The function is used to generate the Fiat–Shamir transform, and is the one used in the underlying ZKAoK protocol.

During the key generation algorithm, the user randomly chooses a vector from the set and sets .

In the signing algorithm, the user gets the underlying protocol with in which and . By repeating the protocol many times and the Fiat–Shamir transform, he gets a NIZKAoK . The form of the proposed signature is , where .

Due to the validity of the NIZKAoK, the algorithm Ver always outputs 1. If two signatures and were generated by the same user , then by , the algorithm Link always outputs 1.

4. Analysis of the Proposed Protocol

We analyze the proposed LRS scheme from the aspects of correctness and security.

Theorem 23. Our LRS scheme achieves correctness with an overwhelming probability.

Proof. To explain that the given LRS scheme is correct, we first prove that the algorithm Ver always returns 1, if the signature was generated by a ring user honestly running algorithm , for any .
We observe that the algorithm is equivalent to the signer repeating the underlying protocol enough times and employing the Fiat–Shamir heuristic to it. Because of the perfect completeness and validness of the underlying protocol, we have Ver for any pair of generated by an honest signer.
As for the validity of the algorithm Link, it is straightforward to observe that if and were generated by the identical user , for any , where and , then by and , the algorithm Link always outputs 1.

Theorem 24. Our LRS scheme satisfies anonymity in the random oracle model because of the ZK property of Algorithm 2 and the intractability of the DSD problem.

Proof. We set the five hybrid games , and so as to explain that the proposed scheme satisfies anonymity. and represent the real anonymous game, in which and , respectively. We will prove that the sequence of games is indistinguishable from any adversary . The advantage of in is represented by .