Abstract

In this paper, we construct a new code-based linkable threshold signature scheme whose security is based on the hardness of the syndrome decoding problem and general syndrome decoding problem. We show that our scheme is secure in terms of existential unforgeability, anonymity, nonslanderability, and linkability. The complexity of the signature size proposed in this paper is . Our method is particularly well suited for large free group voting systems. The greater the number of members in the ring, the more pronounced the advantage of the signature length is when compared to other schemes. That is, our scheme achieves a fixed length signature, independent of the number of ring members. In addition, our scheme has a very short public key, and the size is .

1. Introduction

The ring signature scheme is a special type of digital signature that was presented in 2001 by Rivest et al. [1]. It may also be regarded as a generalization of group signatures, while it varies from group signatures [2] in that ring signatures do not have a group administrator. Ring signature schemes enable a ring member to sign a message on the ring’s behalf while maintaining the anonymity of this ring’s members. In other words, although the actual message’s signer is unknown to the verifier, the verifier is aware that the signer belongs to this ring.

However, in some applications, such as e-voting, in order to limit the ability of an individual to sign, members must be willing to cooperate to generate a valid signature. Bresson et al. [3] used the notion of partitioning and combining functions to extend the ring signature scheme into a threshold ring signature scheme. A subset of -out-of- users in such a scheme cooperates to construct a signature while keeping the identity of the subgroup of users secret.

The first effective code-based threshold ring signature system was proposed by Melchor et al. [4]. Compared with other threshold ring signature schemes based on number theory, this scheme is designed based on the coded-Stern’s signature protocol, which is extremely quick and resistant to quantum attacks. The complexity of the signature length in this scheme is . The hardness of the -ary syndrome decoding problem was used by Cayrel et al. [5] to construct a code-based threshold ring signature scheme in 2012. A zero-knowledge identification protocol based on coding theory called AGS was the foundation for the threshold ring signature scheme introduced by Assidi et al. [6] in 2019. This scheme utilizes a double circulant code, which reduces the size of the public key. At the same time, the cheating probability of the AGS protocol is asymptotically equal to 1/2; thus, fewer repetitions of the protocol are needed, making the signature length significantly smaller, with a complexity of . The above schemes all use the Fiat-Shamir method to convert the identity authentication protocol into the threshold ring signature scheme, while another way to construct a threshold ring signature is to combine the CFS signature algorithm with the Bresson threshold ring signature. In 2009, Dallot and Vergnaud [7] proposed a provably secure threshold ring signature scheme based on the CFS scheme. The Goppa parameterized bounded decoding problem and the Goppa code distinguisher are the key to ensuring the security of this scheme. Its signature length is 675N-228l, where N is the total number of ring members and l denotes how many signers there are.

In some applications, it may be desirable to keep the signer’s anonymity in a ring and provide the verifier the opportunity to determine whether two signatures on the same issues were issued by the same person. This is the driving force for the development of linkable ring signature schemes [8].

There are many linkable ring schemes based on the factoring and discrete logarithm problem [8–13]. Therefore, with the development of quantum computers, Shor’s algorithm poses a danger to their security [14]. In 2018, two quantum-resistant lattice-based linkable ring signatures schemes [15, 16] were proposed. The first code-based linkable ring signature scheme was presented by Branco and Mateus [17] in the same year. The complexity of this scheme is for both the public key size and the signature length. The public key size and signature length in [17] are slightly larger than those in [15, 16], but the private key size in [17] is much smaller than those in both schemes [15, 16].

To solve the multicandidate voting problem, Yuen et al. [18] proposed a linkable threshold ring signature scheme in 2013. Specifically, the members of the management committee can vote for multiple candidates, and each candidate can only become a candidate if he gets at least votes. This scheme achieves a signature size of . A lattice-based linkable threshold ring signature scheme is proposed in [19], which is suitable for multicategory voting systems while having a small signature length.

However, the linkable threshold ring signature proposed in this paper is different from all of the above schemes. We improve on that of [17] by taking into account the following scenarios. For instance, in free group voting, there are a total of people in the class; any students in the class can form a group to participate in voting, but each person in the class can only vote in at most one group. For one issue, each group can only participate in at most one vote; if someone participates in more than one group to vote multiple times, the signature will be linked. At the same time, we can know how many dishonest group members there are. To solve this problem, we propose a linkable threshold ring signature scheme. In the above example, is the number of ring members and is the threshold value.

In this paper, we give the first construction of a code-based linkable threshold ring signature scheme whose security is based on the general syndrome decoding (GSD) problem, which is an NP problem. We prove that the linkable threshold ring signature scheme proposed in this paper has the security properties of existential unforgeability, anonymity, and linkability. To construct our proposal, we also give a variant of threshold GStern’s protocol, and then, we apply the Fiat-Shamir transform to it. We also prove that the threshold ring signature scheme proposed in this paper is complete, special sound, and honest-verifier zero-knowledge (HVZK).

Overall, our protocol has a signature length linear in and the best-known complexity on when other number theory-based threshold ring signature schemes have complexity in and those based on code theory have complexity in . Our protocol has a public key size linear in , and the complexity is .

In our proposal, signatures can be linked to each other by the same vector , which is the syndrome of the secret key and a random matrix , where is generated by all public keys of the members in the ring and issue.

This paper is structured as follows: in the next section, the necessary preliminary knowledge needed in this paper is introduced. In Section 3, we present our threshold ring signature scheme and linkable threshold ring signature scheme. Section 4 is devoted to the security analysis of our proposed schemes. Experimental result analyses including key cost, signature size, efficiency, and property comparison are shown in Section 5. Finally, the conclusion is drawn in Section 6.

2. Preliminaries

In this section, we give the definition of the threshold ring signature scheme and linkable ring signature scheme. Then, we introduce the hard problem in coding theory that our scheme is based on. Finally, we present the security model we adopt.

2.1. Threshold Ring Signature

A -threshold ring signature scheme [6] consists of four polynomial-time algorithms, defined as follows.
(1) T.setup(1^λ): this algorithm generates system parameters with global public values by using the security parameter string 1^λ as input
(2) T.KeyGen(params): this is a probabilistic polynomial-time (PPT) algorithm that accepts public parameters as input and returns a pair of secret and public keys as output .
(3) T.Sign(params, t, pk(N), sk(t), m): this is a PPT algorithm for users of a ring that accepts public parameters params, a set of public keys, a set of secret keys , and a message as input. On message , the algorithm generates a -threshold ring signature
(4) T.Verify(params, t, pk(N), m, σ): this is a deterministic polynomial-time (DPT) algorithm that accepts as input public parameter params, a threshold value , a set of public keys, and a pair message/signature and returns 1 if the signature on is valid with regard to the set of public key and 0 otherwise

2.2. Linkable Ring Signature

A linkable ring signature scheme [16] consists of four polynomial-time algorithms, defined as follows.
(1) is a PPT algorithm that takes a security parameter λ as input and produces a pair of public and secret keys as output
(2) is a PPT algorithm that takes a security parameter λ, actual signers’ public key , the corresponding secret key , and a message to be signed as inputs. It generates a signature σ
(3) is a DPT algorithm that takes a security parameter λ, all ring members’ public key , a message , and a signature σ as input. It returns “1” (indicating a valid signature) or “0” (indicating an invalid signature)
(4) is a DPT algorithm that accepts a list of public key , two messages and , and two signatures σ1 and σ2 as input, where and , respectively. For linked signatures, it returns 1; otherwise, it returns 0

2.3. Hard Problems
2.3.1. Syndrome Decoding (SD) Problem

Let be the parity-check matrix of a random-linear code on , , is a positive integer. The problem is to find an satisfying and .

2.3.2. General Syndrome Decoding (GSD) Problem

Given , , and is a positive integer. The problem is to find an satisfying , , .

In [20], it is pointed out that by selecting and as inputs, the SD problem can be simplified to the GSD problem by Karp reduction. Therefore, SD and GSD problems are equivalent. Because the SD problem is NP-complete, the GSD problem is NP-complete.

2.4. Security Model

The security model we adopt is based on [9, 10], which enhances the security of the linkable ring signature scheme first proposed by Liu in 2004, capturing new and practical attacking scenarios and the properties more thoroughly. In this security model, the scheme must contain these properties: existential unforgeability, anonymity, nonslanderability, and linkability.

Suppose A is a PPT adversary and the security parameter is λ. Let be the number of members in the ring; is the set of public keys of all members in the ring and . A signing oracle called takes queries of the form and returns , for every between 1 and . is a corruption oracle that receives queries of the public key and outputs the responding secret key.

Existential unforgeability: for each message , if the adversary lacks a public key of this group, he is unable to forge a signature on behalf of this group. Consider the following game:

1.
2.
3.
4. return

where was not asked and A merely requested from [21]. The advantage that A wins the game of existentially unforgeable is

If we can prove that is negligible for all PPT adversaries, that is , then the linkable threshold ring signature scheme is existentially unforgeable.

Anonymity: an adversary cannot determine which member of the group has signed a specified message thanks to anonymity. Consider the following game:

1.
2.
3.
4. return

where the adversary is not permitted to ask questions with different , nor to ask both and or to both and with the same . The advantage that A wins the game of anonymity is

If we prove that , the scheme is anonymous.

Nonslanderability: an adversary cannot generate a signature that is connected to another user’s signature thanks to nonslanderability, which was initially mentioned in [11] and standardized in [8]. Consider the following game:

1.
2.
3.
4.
5.
6. return

where , , and neither , σ1 nor , σ2 was questioned nor responded to by . The advantage that A wins the game of nonslanderability is

If we prove that , the scheme has nonslanderability.

Linkability: this property ensures that it is impossible for a user to provide two valid signatures without linking. Consider the following game:

1.
2.
3.
4.
5. return

where and neither , σ1 nor , σ2 were questioned or responded to by . The advantage that A wins the game of linkability is

If we prove that , the scheme has linkability.

3. Proposed Scheme

3.1. Proposed Threshold GStern’s Protocol

In this section, we explain the main algorithm that composes our proposed threshold ring signature as given in Section 2.1.

As the go-between of both the signers and the verifier , the leader is also one of the signers. Let the -th signer’s first, second, and third commitments be denoted as , , and , respectively. The first, second, and third commitments produced by the leader will be denoted as , , and , accordingly.
(1) Commitment phase: for all , commitments , , and are computed by the leader and other signers. As one of the signers, also calculates his commitments. Then, on the basis of the commitments of each signer, utilizing them constructs the master commitments , , and . After that, sends , , and to the verifier
(2) Challenge phase: the verifier sends a random challenge 0, 1, or 2 to who broadcasts it to other signers
(3) Response phase: the signers construct their responses based on the value of the given challenge and then transmit them to the leader . After that, delivers these responses, together with the data needed for verification, to
(4) Verify phase: according to the challenge’s value, the verifier validates and , and , or and

(1)  Parameters: , ,
(2)  Private information: satisfying
(3)  Public information: , , , , where , satisfying
    and
(4)  The prover : chooses , permutation , randomness , , for
   commitments.
   (i)  let , , and .
   (ii)  let , , and
      .
   (iii)   sends , , and to the verifier
(5)  The verifier sends to , who transfers it to all the signers
(6)  The signers
   (i)  : each signer sends to , then sends
       to .
   (ii)  : each signer sends to , then sends
       to .
   (iii)  : each signer sends to , then sends
      , to .
(7)  The verifier
   (i)  : the verifier uses to construct , , verifying that
       is equal to and that is equal to
      .
   (ii)  : the verifier uses to construct , , verifying that
       is equal to and that is equal to
      .
   (iii)  : the verifier uses to construct , , verifying that
       is equal to , is equal to
       and .
3.2. Proposed Linkable Ring Signature Scheme

In this section, we give the description of our new linkable threshold ring signature scheme in Algorithm 6. Our scheme is improved based on the linkable ring signature scheme [17]. More precisely, our scheme is constructed by using the noninteractive protocol obtained by applying the Fiat-Shamir transform [22] to threshold GStern’s protocol.

First, considering a ring with users, use the public information and a public cryptographic hash function to construct the matrix . Then, generate a set of random syndromes , where some are the vectors that have a linear relationship with the actual signer’s private information .

Then, apply the Fiat-Shamir transform to the threshold GStern’s protocol on input , where are the public information of all the ring members. From one point of view, the SD hard problem prevents the verifier from knowing which users computed . From another point of view, with regard to the same ring, will be a component of each signature that these users issue. If for the same issue, the intersection of the set in two valid message signatures is not empty, the verifier links the two signatures together and outputs . The number of signers involved in multiple signatures can be known by checking the number of identical .

(1) Parameters: , , satisfying ,
(2) KeyGen: for each prover , where denotes one of the all members in the ring, and
  there are members in ring .
  (i)   randomly chooses satisfying
  (ii)   computes
  (iii)   Public information of : , ,
  (iv)   Private information of : satisfying and
(3) Sign: signers in ring sign the message
  (i)   Compute the matrix and , where
       and is a public hash function which maps to
      .
  (ii)   Apply the Fiat-Shamir transform to Algorithm 5 on input , where
      , .
   (a)  Commitment Com are calculated according to Algorithm 5
   (b)  Simulate the verifier’s challenge as
   (c)  Calculate the corresponding responses RSP according to Algorithm 5
   (d)  Output the transcript
  (iii)   Output the pair of message and signature where ,
      and , where denote the signers.
(4) Verify: the verifier
  (i)   Computes
  (ii)   Computes
  (iii)   According to Algorithm 5 and input verifies whether is a valid transcript. If the signature is valid, this stage outputs “1,”
      otherwise, outputs “0.”
(5) Link: given two signatures and where , , , , where denote the signers, denote
 other signers, and satisfying and , the verifier:
  (i)   Check if the intersection of the set and is empty
  (ii)   If the intersection is not empty, outputs “linked” and the same element from
      two sets. Thus, it shows how many dishonest provers there are. Otherwise,
      accepts it and outputs “nonlinked.”
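
The link tag from Sign step (i) and the Link step, as an added sketch that is not the authors' implementation: each signer's tag is the syndrome of the secret vector under a matrix derived by hashing the ring's public keys and the issue, and Link intersects the tag sets of two signatures. The function names, the SHAKE-256 expansion, the sorted and length-prefixed encoding, the opaque byte-string public keys, and the toy parameters are all assumptions; the Fiat-Shamir proof that binds the tags to the signature is omitted, so Link is meaningful only for signatures that Verify has accepted.

```python
import hashlib
import secrets

# Toy parameters (assumptions for this sketch, far below the paper's settings).
N_BITS = 256   # length of the secret vector
R_ROWS = 128   # rows of the issue matrix = bits in a link tag
WEIGHT = 20    # Hamming weight of the secret vector


def random_secret(n=N_BITS, weight=WEIGHT):
    """Secret key: a random weight-`weight` vector over GF(2), packed in an int."""
    e = 0
    for pos in secrets.SystemRandom().sample(range(n), weight):
        e |= 1 << pos
    return e


def issue_matrix(ring_pks, issue, rows=R_ROWS, cols=N_BITS):
    """Expand hash(ring public keys, issue) into a rows x cols matrix over GF(2).

    Keys are sorted and every field is length-prefixed (an encoding assumed
    here) so that all signers and the verifier derive the same matrix.
    """
    xof = hashlib.shake_256()
    xof.update(len(ring_pks).to_bytes(4, "big"))
    for field in sorted(ring_pks) + [issue]:
        xof.update(len(field).to_bytes(4, "big") + field)
    row_len = cols // 8
    stream = xof.digest(rows * row_len)
    return [int.from_bytes(stream[i * row_len:(i + 1) * row_len], "big")
            for i in range(rows)]


def link_tag(matrix, e):
    """Syndrome of the secret vector under the issue matrix, one parity bit per row."""
    tag = 0
    for row in matrix:
        tag = (tag << 1) | (bin(row & e).count("1") & 1)
    return tag


def link(tags_a, tags_b):
    """Link step: intersect the tag sets carried by two signatures on one issue."""
    common = sorted(set(tags_a) & set(tags_b))
    return ("linked", common) if common else ("nonlinked", [])


if __name__ == "__main__":
    ring = [b"pk-alice", b"pk-bob", b"pk-carol", b"pk-dave"]  # constructed keys
    alice, bob, carol = random_secret(), random_secret(), random_secret()

    m1 = issue_matrix(ring, b"issue-1")
    group1 = [link_tag(m1, alice), link_tag(m1, bob)]
    group2 = [link_tag(m1, bob), link_tag(m1, carol)]  # bob joins a second group
    status, shared = link(group1, group2)
    print(status, "-", len(shared), "signer(s) appear in both groups")

    # Same signers, different issue: the matrix changes, so the tags do too.
    m2 = issue_matrix(ring, b"issue-2")
    print(link(group1, [link_tag(m2, alice), link_tag(m2, bob)])[0])
```

The number of shared tags is the count of signers who took part in both groups, which is how the scheme reports how many dishonest members there are.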

4. Security Analysis

4.1. Security Analysis of Threshold Ring Signature

We prove that the protocol presented in Algorithm 5 satisfies the three properties: completeness, soundness, and HVZK.

Completeness: it is obvious that honest provers with access to a valid secret key can respond to any of the honest leader’s queries with the proper information, enabling him to calculate the master commitments. Meanwhile, to enable the honest verifier to confirm that these commitments are accurate, the leader is then allowed to provide the information needed. This means that the verifier will always accept the signature signed by the honest prover according to the above process. For example, for , the verifier can reconstruct the master commitment and using the knowledge of by utilizing the knowledge of and to recover all the . Cases and behave similarly. Thus, the protocol has perfect completeness.

Soundness: the proof of soundness for our protocol is identical to the proofs for Stern’s protocol since it is based on the generic construction in [23]. The soundness error is confined by 2/3 since the GSD problem is difficult. Meanwhile, our protocol may be thought of as a collection of parallel GSD scheme executions. This means that the soundness error for our protocol in a single round cannot exceed 2/3. More specifically, we consider the following cases according to the various values of challenges and .
(1) When and , can be extracted from and by the simulator
(2) When and , can be extracted from and by the simulator
(3) When and , can be extracted from and by the simulator

HVZK: the proof is analogous to the proof of HVZK for Stern’s protocol in [23]. When , the simulator easily reveals and . When , the simulator gets , where . When , the simulator obtains a vector with weight .

4.2. Security Analysis of Linkable Threshold Ring Signature

In this section, we present the analysis concerning the two aspects: correctness analysis and security analysis of the proposed scheme. We prove that the scheme has the usual properties for a linkable ring signature scheme: existential unforgeability, anonymity, nonslanderability, and linkability.

4.2.1. Completeness

The completeness of our linkable threshold ring signature is easily verified. When taking an honest signature as input, the verification algorithm’s output is always correct since the underlying protocol is complete.

4.2.2. Existential Unforgeability

Ref. [17] presents that existential unforgeability in the classical setting is a direct consequence of the fact that the signature is obtained by applying the Fiat-Shamir transform to a sigma protocol that is complete, special sound, and HVZK. The subprotocol called in the linkable threshold ring signature proposed in this paper, namely, Algorithm 5, has been proven to satisfy the above properties in Section 4.1, so our scheme satisfies the unforgeability.

Theorem 1. Our scheme is existentially unforgeable due to the hardness of the GSD problem.

4.2.3. Anonymity

An adversary will be unable to determine which subset of signers cooperates to sign a message due to anonymity. Supposing that we are capable of overcoming the anonymity and create an algorithm that handles the GSD problem, in order to demonstrate the anonymity of our scheme, Ref. [17] presents a method that the error vector’s nonnull coordinates must be known in advance, and the details are as follows. We are incapable of determining if the provided tuple is a legitimate public key or is just random. With some of the secrets known, we may create another tuple . There are two situations here. When is a GSD tuple, is also a GSD tuple, but when is a random tuple, it is likewise a random tuple. Because the GSD problem is computationally difficult, knowing locations has no effect on the security proof. To keep the same level of security, we just need to raise the settings.

Due to the fact that every signer only provides commitments and responses to as in typical zero-knowledge Stern’s scheme, it is not feasible for information to be leaked between signers throughout the protocol. The outputs of all the games do not include any information on because of the underlying protocol’s zero-knowledge feature as well as the GSD problem being challenging to solve. This means that the adversary’s likelihood of accurately estimating is 1/2; hence, there is little chance of adversary A winning the game.

Theorem 2. Our threshold ring signature scheme is anonymous due to the hardness of the GSD problem.

4.2.4. Linkability

We give the proof of public traceability from two cases:
(i) Case 1. Suppose that there is at least one in the set of two distinct signers, where , . Therefore, we have . In this case, the output of the proposed scheme is linked
(ii) Case 2. Suppose that , for all , . Thus, we have , , and . Therefore, the intersection of and is empty. That means the output of this scheme is accepted and nonlinked

It is worth noting that the same signers can sign different issues without being linked together, due to the collision resistance of hash function . Because the issue in is different, so is different. Hence, even though the same signers use the same private key , they will have different , so the intersection of the two signers remains empty in the link phase.

Theorem 3. Our scheme is linkable due to the hardness of the GSD problem.

4.2.5. Nonslanderability

Theorems 1 and 2 have been used by the authors in [16] to demonstrate that any linkable ring signature schemes that fulfill unforgeability and linkability also satisfy the nonslanderability condition.

Theorem 4. Our scheme is nonslanderable under the SD and GSD assumptions.

5. Experimental Result Analysis

In this section, we consider the efficiency of our scheme in four aspects: public key size, secret key size, signature length, and implementation efficiency. At last, we give the comparison of safety properties.

5.1. Key Cost Analysis

(1) Public key size: the public key in our scheme consists of and , where denotes one of all the members in the ring. The public key size of our scheme is bits. Hence, we achieve a size of public key in complexity
(2) Secret key size: the secret key of each signer is a vector , and the bit length of is bits. The secret key size of our scheme is bits

According to decoding attacks in [24], we set the parameters of our scheme under 80-bit, 128-bit, and 256-bit security as follows. For 80-bit security, we denote the scheme proposed in this paper with parameters , , , and as Scheme 1. For 128-bit security, we denote the scheme proposed in this paper with parameters , , , and as Scheme 2. For 256-bit security, we denote the scheme proposed in this paper with parameters , , , and as Scheme 3.

It can be seen from Table 1 that under the 80-bit security level, if there are 100 ring members, the length of the public key is 0.051 Mbytes. For fixed , with 80-bit security, the public key size in [4] is 4.23 kbytes, that in [5] is 400 kbytes, and that in [6] is 8.56 kbytes. The length of the public key in this paper is shorter than that of [5] and longer than that of the scheme in [4, 6]. However, their public key lengths all have the complexity of .

5.2. Signature Length Analysis

In our scheme, the proof σ determines the signature length, and its complexity is in our scheme, where is the threshold value. The signature size of our scheme specifically consists of the following three aspects: (i) the size of three hash values of commitments is 3λ bits, depending on the security parameter λ. (ii) The size of response is bits in each situation when , , or . (iii) The size of the vector set is bits. The threshold GStern’s protocol needs to be repeated times due to the cheating probability (for instance, to achieve security level with 2^128, needs to be equal to 220). In conclusion, the signature size is bits in our scheme. Hence, we achieve a size of signature in complexity.

From the above analysis, it can be found that the signature length of the proposed scheme in this paper is only related to the threshold value and not to the number of ring members . Therefore, compared with other variable-length signature schemes, our scheme can achieve fixed-length signatures.

The practical results presented in Table 2 show clearly the signature length of our scheme. Considering a particular example with and under the 80-bit security level, the threshold ring signature length of the scheme in [4] is 2 Mbytes, the signature length of the scheme in [5] is 2.3 Mbytes, and the signature length of our scheme is 2.1 Mbytes. These three values are in close proximity to each other. However, the signature lengths in both [4, 5] grow linearly as the number of ring members increases, while the signature length in our scheme is fixed. For example, when , the signature length in [4, 5] is obviously longer than our scheme, which is several times that of our scheme.

For fixed and with 80-bit security, compared with the current best performing threshold ring signature scheme, the signature length of the scheme in [6] is 4.1 Mbytes and the signature length of this paper is 4.2 Mbytes, which are very close to each other, but for larger systems, i.e., with more members in the ring, the advantage of this scheme can be shown. As long as the threshold value is determined, the length of signature is fixed for any number of ring members.

Compared with the lattice-based linkable threshold ring signature [19], the signature length reaches 0.28 Mbytes at the 111-bit security level with and , which is longer than the signature length of our scheme using the same parameters at a higher security level. As the ring membership increases, the signature length of [19] reaches 1.75 Mbytes when reaches 5000, which is much larger than our scheme. It can be seen that our scheme is especially suitable for large systems, and the larger the number of ring members, the more the advantages of this scheme can be demonstrated.

5.3. Implementation Efficiency

The following tables show the timings we have obtained for a Python implementation. We give the implementation of our scheme on an Intel(R) Xeon(R) Gold 6148 CPU @ 2.40 GHz, running Windows 10.

In the following case, the parity check matrices we used are random. The following table shows the keygen time, sign time, and verify time when the ring members are set to 100 and the number of actual provers is 2. The keygen time is consumed for the generation of the necessary public and private keys.

It is vital to note that the implementation given in this paper is a proof of concept. Additionally, the experimental results in this paper rely on the fact that the exchange of information between the leader and the provers occurs on the same computer or even in the same executable file. In contrast, in real life, different provers will be located on different computers, exchanging information with the leader through the network, and the performance of the computers varies; in such a heterogeneous scenario, there are problems such as communication delays, so the interaction process will be dominated by the slowest provers. In order to reduce the network delay, we can make our scheme more efficient through edge computing in the wireless network [25–28].

In Table 3, we give some timing for the proposed linkable threshold ring signature. The saving using other matrix types such as systematic form matrices is negligible compared to the gained signature.

5.4. Comparison of Safety Features

In this section, we compare our scheme with five schemes from [4–6, 17, 19] in terms of security properties. As can be seen from Table 4, all six schemes are code-based signature schemes that are resistant to quantum attacks. In terms of linkability, only the schemes in [17, 19] and our scheme have linkability properties. In terms of threshold, all schemes except [17] have threshold properties.

Both [19] and our scheme, as shown in Table 4, have both linkable and threshold features, as well as being resistant to quantum attacks. The three features listed above provide a variety of possibilities for signature application scenarios.

6. Conclusions

Linkable threshold ring signature schemes have a wide range of applications, such as free group voting. In this paper, we propose a new code-based linkable threshold ring signature scheme, which is well suited for large voting systems. Our scheme is constructed by using the noninteractive protocol obtained by applying the Fiat-Shamir transform to a variant of GStern’s protocol. The signature size of our scheme is in , and the size of public key is . We also prove the existential unforgeability, anonymity, nonslanderability, and linkability of our scheme, and so, our scheme is secure in ROM due to the difficulty of the SD problem and GSD problem.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.

Acknowledgments

This paper was supported by the National Natural Science Foundation of China (Program No. 61902315), the Natural Science Basic Research Plan of Shaanxi Province of China (Program Nos. 2021JM-463 and 2022JM-353), the Scientific Research Program funded by the Education Department of Shaanxi Province (No. 22JK0560), and the Graduate Innovation Fund of Xi’an University of Posts and Telecommunications (CXJJLY202021).