Abstract
Linkable ring signatures (LRSs) are ring signatures with the extended property that a verifier can detect whether two messages were signed by the same ring member. LRSs play an important role in many application scenarios such as cryptocurrency and confidential transactions. The first codebased LRS scheme was put forward in 2018. However, this scheme was pointed out to be insecure. In this paper, we put forward a codebased LRS scheme by constructing a new Sternlike interactive protocol and prove that it meets the security requirements of LRSs. We also give the specific parameters and the performance on the platform of our scheme.
1. Introduction
Ring signatures [1], a significant cryptographic primitive, enable a group user to sign a message on behalf of the group (called a ring) while protecting their privacy. Anonymity means that a verifier only can verify the correctness of the signature but cannot identify who is the actual signer in the ring. As an efficient privacy protection technology, ring signatures have been widely used in various scenarios such as evoting [2], ecash [3], and elottery [4, 5]. However, in many realworld applications, it is significant to not only protect the privacy of the signer but also require each signer to sign no more than once. For example, in an evoting system, each person signs their ballot on behalf of all those eligible to vote, and each person is required to vote only once.
For more application scenarios, Liu et al. came up with the first linkable ring signature (LRS) scheme in 2004 [6]. LRSs are ring signatures with an extended property, where one can publicly verify whether two signatures were produced by the identical signer without knowing the identity of the signer. Compared to a ring signature scheme, an LRS scheme contains a tag generated by an issue and the signing keys of the entire ring user, where an issue can represent a vote or a business event. If a ring member outputs two signatures with an identical tag, two signatures will be linked. In a more restricted version of LRSs, a signer will be linked as soon as he signs twice. We call this kind of LRSs onetime LRSs. This property plays an important role in building cryptocurrencies, such as keeping the spender’s anonymity and avoiding doublespending attacks [7], since a sum of money can be used only once by a consumer no matter in any deal.
LRSs have been extensively researched based on the number theory problem [6, 8–10]. A general construction of LRSs was presented by Franklin and Zhang [11]. For the sake of linkability, they add a pseudorandom function (PRF) evaluation of the signer’s private key to any ring signature scheme and combine it with a zeroknowledge proof of the correct evaluation. In 2019, Wang et al. [12] put forward a general construction of onetime LRSs that adds onetime signatures to any ring signature scheme to achieve linkability. With the arrival of highperformance quantum computers, most classical asymmetric cryptography schemes will be broken since Shor [13] came up with a quantum algorithm to break the discrete logarithm problem and the factoring problem. Therefore, a number of quantumsafe LRS schemes have been put forward in the past few years, such as latticebased LRS schemes [7, 14–16], codebased LRS schemes [17–19], and isogenybased LRS schemes [15].
Codebased cryptography has flourished as one of the important fields of postquantum cryptography in recent years. The first signature scheme from coding theory is the Courtois–Finiasz–Sendrier (CFS) scheme [20]. After that, codebased signatures make a great development [21–23]. In 2007, Zheng et al. put forward the first ring signature scheme from coding theory [24]. Later, many other variants related to ring signatures appeared like threshold ring signatures [25, 26], traceable ring signatures [27], and group signatures [28–30]. In 2018, Branco and Mateus put forward the first codebased LRS scheme [18]. However, Feng et al. [31] point out that this scheme is not safe since the Cramer–Damgard–Schoenmakers (CDS) framework [32] was used to build the OR relationship. In 2020, Ren et al. proposed another codebased LRS scheme [19]. However, we found that once two signatures are linked, the information of the signer’s private key will be leaked since the output contains the information of the private key.
1.1. Our Contributions
For the purpose of not using the CDS framework, we design a new Sternlike interactive zeroknowledge (ZK) protocol, which is inspired by Ezerman et al. [33], as the building block of our LRS scheme. A prover can use this interactive ZK protocol to prove that he holds a smallweight solution to two instances of the syndrome decoding problem, which means the prover is a certified ring member with a unique label vector. Therefore, we employ the interactive ZK protocol to build our LRS scheme. Then, we prove that our LRS scheme is not only correct but also achieves the LRS security requirements. Finally, we analyzed the efficiency of the scheme and gave the running time on the platform.
It should be pointed out that we do not use the techniques mentioned in the introduction to construct our LRS scheme. The first technique [11] needs secure PRFs with a succinct zeroknowledge system. The syndromebased PRF [34] is the only proposed one with a zeroknowledge argument system. Nevertheless, such an argument system will lead to a very inefficient construction since given an input of length , the PRF will implement times of matrix multiplications. The second technique, to achieve onetime linkability through a onetime signature scheme, also increases the overhead of a concrete scheme. Our construction follows that of Baum et al. [14].
We assume a ring of size , each member of which is labeled . Let represent the public keys of the user and represent the secret key with Hamming weight , where , denote two matrices and , denote two row vectors. Let denote a matrix of size and denote a vector of length such that the th position is 1 and the rest of the positions are 0. Therefore, there is and the equation can be reformulated as
Then, employs the secret key to get a vector
Next, we construct a Sternlike ZK scheme where a prover is able to make the verifier believe he holds a pair satisfying equations (1) and (2) with hidden index . By repeating this protocol a lot of times to make the soundness error negligible and employing the Fiat–Shamir transform [35], we get a transcript of the NIZK argument. The final form of our proposed LRS is . The size of our scheme, including the public key and the signature, is linearly related to . However, when setting the practical parameters, our scheme achieves better performance than that of the scheme put forward in [36] which is the best performance syndromebased ring signature scheme with logarithmic signature size, as long as does not exceed [28].
We note that Ren et al. [19] attempt to build another codebased LRS scheme. Unfortunately, there is a lot of weakness in this construction. In detail, they use an insecure signature scheme to build their LRS scheme, which would result in the disclosure of the signer’s private key. We make an analysis in Section 6.
1.2. Roadmap
The remaining articles are structured as follows. In Section 2, we introduce many preliminaries needed in our paper. In Section 3, we first propose an interactive zeroknowledge protocol and then construct our LRS scheme. We give the security proof and some security parameters for our LRS scheme in Section 4. In Section 5, we present the implementation results of the proposed LRS scheme. In Section 6, we analyze Ren et al.’s scheme. Finally, in Section 7, we draw the conclusion.
2. Preliminaries
2.1. Notations
Let and represent a security parameter and a negligible function in , respectively. The set is abbreviated as . We denote with the addition modulo 2. If not specified explicitly, the bold lowercase and uppercase letters represent row vectors and matrices, respectively. The Hamming metric of a vector is represented by . The transpose of is represented by . Let be the set of vectors such that . Define a function I2B from a positive integer to its binary representation, so the inverse of I2B is written as B2I. For a distribution , the notation means that is sampled from the distribution . If is a set, then denotes that is randomly picked from .
2.2. Linkable Ring Signatures
We now introduce the definition of the LRSs. To keep things simple, is abbreviated as .
Definition 1. An LRS scheme contains four polynomialtime algorithms in which(i): taking as input, it publishes a pair of public and private keys (ii): taking the public keys , a message M, and a private key as input, it generates a signature (iii): taking the public keys , a message M, and a signature as input, it outputs either 1 (accept) or 0 (reject)(iv): taking the public keys , two messages , and two signatures such that and as input, it outputs or , where 1 means that and are issued by the same signer
2.2.1. Correctness
An LRS scheme achieves correctness if for any , and every messages , , the following holds:where and , .
We employ the security model of [6, 14], which contains the following four aspects: existential unforgeability, anonymity, nonframeability, and linkability. In order to build the games used in these security models, we define the following two oracles:(i): taking a query of the form as input, it generates a signature (ii): taking a as input, it outputs the corresponding
Let stand for a probabilistic polynomialtime (PPT) adversary and represent that queries the random oracle .
Definition 2 (existential unforgeability). An LRS scheme is existential unforgeable, if the advantage of is negligible in the following game:(1)(2)Here, cannot use to query the .
The advantage of breaking existential unforgeability is denoted by the following equation:
Definition 3 (anonymity). An LRS scheme is anonymous, if the advantage of is negligible in the following game:(1)(2)(3)(4)Here, cannot query the and the .
The advantage of breaking anonymity is denoted by the following equation:
Definition 4 (nonframeability). An LRS scheme is nonframeable, if the advantage of is negligible in the following game:(1)(2)(3)(4)(5)Here, cannot use the to query the .
The advantage of breaking nonframeability is denoted by the following equation:
Definition 5 (linkability). An LRS scheme is linkable, if the advantage of is negligible in the following game:(1)(2) The advantage of breaking linkability is denoted by the following equation:
Remark 6. In this work, the proof of existential unforgeability is not given. As shown in [37], it is easy to get existential unforgeability from linkability and nonframeability.
2.3. Cryptography in Coding Theory
We now introduce a few hard problems needed in our paper.
Problem 7 (syndrome decoding (SD) problem). Given a paritycheck matrix , a syndrome , and a positive integer , the SD problem is to search for a solution satisfying and .
Problem 8 (general syndrome decoding (GSD) problem). Given two paritycheck matrices , two syndromes , and a positive integer , the GSD problem is to search for a solution satisfying , , and .
Considering the matrix and the vector , we have . Therefore, the GSD problem is equivalent to the SD problem.
Problem 9 (codeword finding (CF) problem). Given a paritycheck matrix and a positive integer , the CF problem is to search for a solution satisfying and .
Remark 10 (see [21]). For a binary linear code, the easy range for the weight of the SD problem and CF problem is .
Definition 11 (Gilbert–Varshamov (GV) bound). For a binary linear code, the GV bound is denoted by the following equation:
Remark 12. The SD problem has a unique solution with overwhelming probability if is less than .
Problem 13 (decisional syndrome decoding (DSD) problem [38]). Given a paritycheck matrix and a syndrome , where the weight of the vector is at most , the DSD problem is to distinguish between a random vector and the syndrome .
Lemma 14 (leftover hash lemma [39]). Given a distribution over with minentropy , a matrix , and a vector , the statistical distance between the distribution of and the corresponding uniform distribution is less than , where and .
2.4. ZeroKnowledge Proof and Stern Protocol
We will introduce the definition of the zeroknowledge argument systems in this section. We use the set of statementswitnesses to denote an NPrelation. We first introduce the definition of an interactive zeroknowledge argument system as follows.
Definition 15 (zeroknowledge argument systems [40]). Let represent an interactive algorithm between a prover and a verifier, and denote an NPrelation. We say the is a ZK argument for a relation , if the following three conditions hold:(i)Completeness: if , there is(ii)Soundness: if , then for any PPT , where is negligible.(iii)Statistical zeroknowledge: if there exists a PPT simulator which can interact with any and produce a simulated transcript , we have the following equation: where denotes the transcript of a real interaction’s transcript.Let be a setup algorithm about the protocol with an input , then return the parameters . The zeroknowledge property and simulationextractability of noninteractive protocol are presented as follows.
Definition 16 (noninteractive zeroknowledge). Let denote a noninteractive protocol. The protocol is zeroknowledge for a relation , if a pair of PPT simulators are presented such that for any , there iswhere and first check that if the input is contained in , if so, outputs , and outputs ; otherwise, return .
Definition 17 (simulationextractability). We say that achieves simulationextractable with regard to a pair of PPT simulators , if there exists a PPT extractor such that for , there iswhere , represents all proofs produced by , is not contained in , and takes the input and outputs .

2.4.1. Stern Protocol
In 1996, Stern introduced a threeround zeroknowledge argument of knowledge (ZKAoK) for the SD problem in coding theory [41]. The system parameters are a public matrix , a syndrome , and a weight . According to the Stern protocol, anyone can verify whether the prover holds a solution with Hamming metric such that . If we embed the statistically hiding commitment scheme into it, then we can get a soundness error of . We describe the Stern protocol in Algorithm 1.
3. Our CodeBased Linkable Ring Signature
We first put forward an interactive zeroknowledge protocol, in which a prover can prove that he is a ring member with a label vector that is generated by his own private key. Based on this interactive zeroknowledge protocol, we construct our LRS scheme by Fiat–Shamir transform.
3.1. The Underlying ZeroKnowledge Protocol
In this section, our main result is to show a zeroknowledge argument system as the underlying protocol of our LRS scheme. First, we need to introduce a set of vectors and an important permutation, which are introduced in [28]. Let denote an integer and . Then, there are the following:(1)For and , let denote a vector of length such that the th position is 1 and the rest of the positions are 0(2)Given a vector , we introduce the permutation : , where , for each For any and any , there is(3)For any vector and , we have
We build our interactive ZKAoK following the Stern framework and make a summarization as follows:(i)The public keys include two matrices and and syndromes (ii)The secret is a vector satisfying where the with hidden index (iii)It is the prover’s target to make others convince of the following relations:
Let . The relation is equivalent to , where denotes . Then, the relation can be rewritten as follows:
We use to denote a collisionresistant hash function. Next, we showed the details of the underlying interactive protocol in Algorithm 2.
Lemmas 14 and 18 point out that Algorithm 2 has the statistically zeroknowledge property and the special soundness property.
Lemma 18. The interactive protocol shown in Algorithm 2 is an argument with the statistical zeroknowledge property if the COM is a statistically hiding string commitment scheme.
Proof. We employ a simulator which can interact with the verifier after giving the public input . First, the simulator picks a, and then depending on the value chosen by , proceeds as follows.
Case 19. : randomly selects the following objects:Then, sets the as , in whichWhen the challenge is received, performs as follows:(i)If , lets and sends it to (ii)If , terminates the process and outputs (iii)If , lets and sends it to

Case 20. : computes and such thatand samples random objects as follows:where denotes the symmetric group of all permutations of elements.
Then, sets as the same as equation (18).
When is received, performs as follows:(i)If , lets and sends it to (ii)If , lets and sends it to (iii)If , terminates the process and outputs
Case 21. : samples random objects:computes and such thatThen, sets the as the same as equation (18).
When the challenge is received, performs as follows:(i)If , terminates the process and outputs (ii)If , lets and sends it to (iii)If , lets and sends it to Because is sampled from , the probability of terminating is . As the simulator outputs a successful transcript, the distribution of its outputs is indistinguishable from the real interaction.
Lemma 22. On the input of , there is an extractor that can obtain a pair from a and 3 valid to all 3 possible pairs . The witness satisfies the following equations:
Proof. We can construct an efficient knowledge extractor . Suppose that we have three valid transcripts ,, and of the proposed protocol, where , whereBecause of the collisionresistance property of , we haveTherefore, the knowledge extractor can extract the witness from , .

3.2. Our CodeBased Linkable Ring Signature Protocol
Our LRS scheme is put forward in Algorithm 3. Roughly speaking, we construct an LRS by repeating the underlying ZKAoK protocol enough times so that the soundness error is negligible and applying the Fiat–Shamir transform.
Given two positive integers and such that , we choose a random matrix and two collisionresistant hash functions as follows:(i)(ii)
Here, stands for the repetition number of the underlying ZK protocol.
The function is used to generate the Fiat–Shamir transform, and is the one used in the underlying ZKAoK protocol.
During the key generation algorithm, the user randomly chooses a vector from the set and sets .
In the signing algorithm, the user gets the underlying protocol with in which and . By repeating the protocol many times and the Fiat–Shamir transform, he gets a NIZKAoK . The form of the proposed signature is , where .
Due to the validity of the NIZKAoK, the algorithm Ver always outputs 1. If two signatures and were generated by the same user , then by , the algorithm Link always outputs 1.
4. Analysis of the Proposed Protocol
We analyze the proposed LRS scheme from the aspects of correctness and security.
Theorem 23. Our LRS scheme achieves correctness with an overwhelming probability.
Proof. To explain that the given LRS scheme is correct, we first prove that the algorithm Ver always returns 1, if the signature was generated by a ring user honestly running algorithm , for any .
We observe that the algorithm is equivalent to the signer repeating the underlying protocol enough times and employing the Fiat–Shamir heuristic to it. Because of the perfect completeness and validness of the underlying protocol, we have Ver for any pair of generated by an honest signer.
As for the validity of the algorithm Link, it is straightforward to observe that if and were generated by the identical user , for any , where and , then by and , the algorithm Link always outputs 1.
Theorem 24. Our LRS scheme satisfies anonymity in the random oracle model because of the ZK property of Algorithm 2 and the intractability of the DSD problem.
Proof. We set the five hybrid games , and so as to explain that the proposed scheme satisfies anonymity. and represent the real anonymous game, in which and , respectively. We will prove that the sequence of games is indistinguishable from any adversary . The advantage of in is represented by .