Revocable One-Time Ring Signature from Pairings

Han, Xu; Zhang, Dawei; Huang, Zongmin; Yao, Shuang; Wu, Zuodong

doi:https://doi.org/10.1155/2022/8021267

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Preliminaries Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Detectable, Traceable, and Manageable Blockchain Technologies

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 8021267 | https://doi.org/10.1155/2022/8021267

Revocable One-Time Ring Signature from Pairings

Xu Han,^1,2Dawei Zhang ,^1,2Zongmin Huang,^1,2Shuang Yao,^1,2and Zuodong Wu^1,2

Academic Editor: Yin Zhang

Received05 Apr 2022

Accepted22 Jul 2022

Published18 Aug 2022

Abstract

Ring signature is an anonymous signature that allows a person to sign a message on behalf of a self-formed group while concealing the identification of the signer. However, due to its anonymity and unlinkability, malicious or irresponsible signers can easily attack the signature without any responsibility in some scenarios. In this paper, we propose a novel revocable one-time ring signature (roRS) scheme from bilinear pairings, which introduces linkability and mandatory revocability into ring signature. In particular, linkability can resist the double-signing attack and mandatory revocability guarantees that a revocation authority can identify the actual signer when a suspicious signer appears in any situation. The computational complexity of pairing computations is constant, and the time of the revocation phase is more efficient than previous schemes. Furthermore, our scheme is provable secure in the random oracle model, using DL, CDH, and DBDH assumptions.

1. Introduction

Ring signature, initially proposed in 2001 by Rivest [1], is a variant of digital signature, which can prove that one among a set of spontaneous parties has already signed a message, without revealing the actual signer. And these spontaneous parties compose a particular set called a “ring.” More specifically, a ring member can sign the signature without reveal any identity information, namely, a verifier who uses ring members’ public keys only know whether the signature is true or not and cannot find out the actual signer, and the verifier has no clue who the signer is. As shown in Figure 1, first step, the actual signer uses private key and randomly chooses to generate by using the commit function ; then, the signer uses to compute the (j +1)-th challenge by hash function ; signer randomly picks a response and the (j +1)-th user’s public key to reconstruct the by the verify function and generates by hash function ; then, the ring is formed sequentially; finally, the signer uses to compute by the response function . In the whole process of generating a ring, we only need the actual signer’s private key and a set of users’ public keys which contains . In the view of the actual signer, users except the actual signer can be seen as decoys. When the verifier does the verifications, he/she does not know any information about the knowledge of the actual signer. As for security, ring signature not only provides regular properties, such as correctness and unforgeability which any signature schemes must possess, but also has the special feature, anonymity. Correctness requires a ring member who represents a ring to sign a message and unforgeability demands that an efficient adversary cannot forge a signature on behalf of a ring which the adversary knows nothing about one secret key of ring members. As for anonymity, it allows that ring signature schemes cannot leak any information about the identity of the actual signer, that is, no one can tell which key was used to produce a signature.

As an extension of ring signature, one-time ring signature can be known as linkable ring signature; the slight difference between these two kinds of ring signature is that signers in one-time ring signature use one-time key images to sign a signature, while signers in linkable ring signature take static ones. So we just need to introduce linkable ring signature in this section. Liu et al. [2] first put forward the concept of linkable ring signature (lRS). Beside the regular properties of ring signature, lRS provides two more special properties: non-slanderability and linkability. Non-slanderability guarantees that a ring member should not be entrapped that he has signed twice. Linkability requires that two signatures with the same ring on random messages must be linked if signed by the identical signer; thus, it can defeat the double-signing (double-spending) attack. This property is suitable in some practical applications; one scenario is on detecting double-voting in e-voting [3] systems. At the beginning of e-voting systems, we use ring signature schemes to implement the systems for its spontaneity, and there is no registration phase. The only requirement is that everyone has a public key pair which is considered as a well-known assumption in a ring. However, using classic ring signature as e-voting has a main problem. Anyone can vote more than once without being detected as ring signature schemes are unlinkable and anonymous. Thus, using lRS can solve this problem as double voting (double signing) can be detected easily, and anyone only can vote once in the system. Beside e-voting systems, lRS can also apply in other actual scenarios, such as ad hoc network authentication [4], blockchain-based applications [5, 6], and cryptocurrencies (Monero [7]). But in some actual transactions based on ring signature, when a ring signer has committed an offence, such as money laundering, online extortion, and terrorist financing, the authority needs to find out who is the actual signer among the ring members. Since lRS cannot let the actual signer be identified, the revocability of ring signature becomes necessary. Revocability requires that the authority can revoke the anonymity of ring signers when a suspicious signer does a transaction.

In order to solve the above problem, we propose a novel revocable one-time ring signature (roRS) scheme. Our scheme can be applied in some blockchain transactions. For example, by using the functionality of ring signature, Monero [7] protects the privacy of the signer’s identity and provides autonomous mixing in transactions, but the unconditional anonymity of the ring signature makes difficult to regulate transactions for authorities. As for our scheme, a verifier can prevent the user’s double-spending behavior according to the linkability during the transactions, and a revocation authority can recover the public key of the transaction user by using the revocability of our scheme, thus restoring the transaction user’s identity.

1.1. Related Work

Rivest et al. [1] in 2001 proposed the first ring signature scheme, using trapdoor permutation based on the discrete logarithm problem assumption. Hereafter, many of schemes [8–11] followed this idea, but using different techniques has come out. For instance, Boneh et al. [12] first proposed a ring signature using bilinear pairings based on co-computational Diffie-Hellman (co-CDH) assumption. Cayrel et al. [13] presented a lattice-based ring signature scheme with modifying Melchor’s code-based method [14] to make the short integer solution (SIS) problem as a security assumption. As for proving the membership problem in ring signature, most of these schemes use non-interactive witness indistinguishable (NIWI) proofs [15] or dynamic accumulator [16] to be more efficient, and readers who want to learn more refer to [17–21].

Then, Liu et al. [2] first proposed a linkable ring signature (lRS) scheme in 2004. This scheme inherits the anonymity of ring signature and provides a new property called linkability to resist double-spending attempts in real transactions, and it is proven to be secured in the random oracle model. Tsang et al. [22] constructed the first separable linkable ring signature scheme with introducing the security notions of accusatory linkability and non-slanderability. Liu and Wong [23] enhanced the security model for adapting to new attacking scenarios, and proposed two polynomial-structured lRS schemes based on zero knowledge proof. In 2007, Zheng [24] designed an lRS scheme based on linear feedback shift register under discrete logarithm assumption. In 2014, Liu et al. [25] put forward the first unconditional anonymous lRS scheme and provide mandatory linkability. Recently, Noether [26] proposed a dual lRS scheme which key images are tied to both output one-time public keys in a dual, and this can be considered using in non-interactive refund transactions in Monero. Tang et al. [27] presented an identity-based lRS scheme by employing trapdoor generation and rejection sampling as the basic building tool under the SIS problem on NTRU lattice. Hu et al. [28] designed a lattice-based lRS scheme under the well-studied standard lattice assumptions (SIS and LWE) in the standard model.

Revocable ring signature, also called traceable ring signature, is presented to reduce and even revoke the anonymity of the signers mainly. In 2007, Liu et al. [29] first proposed a revocable ring signature that authorities can mandatory revoke the anonymity of the actual signer when authorities need in some scenarios, but this scheme cannot provide linkability against the double-signing attack. Fujisaki et al. [30] put forward a traceable ring signature which only can trace a signer who was double-signing, that is, the traceability is not mandatory. The similar constructions can be found in [17–21]. In [31], Fujisaki presented the first secure traceable ring signature scheme without random oracles in the common reference string model, and the signature size grows linearly with where is the number of users in the ring. Au et al. [32] adapted traceable ring signature to the identify-based setting with constant signature size and enhanced privacy. Recently, Feng et al. [33] designed a logarithmic-size traceable ring signature scheme from lattices which proved to be secure in the quantum random oracle model.

1.2. Motivation and Contributions

In this section, to be more concrete, we summarize that the contribution of our paper is as follows: (i)We present a novel revocable one-time ring signature scheme and define a perfect security model which provides the security properties: unforgeability, anonymity, linkability, non-slanderability, and revocability. And revocability of our scheme is mandatory(ii)We show that our scheme is provable secure in the random oracle model under the assumptions that discrete logarithm (DL) problem, computational Diffie-Hellman (CDH) problem, and decisional bilinear Diffie-Hellman (DBDH) problem are intractable(iii)We compare the efficiency of our scheme and previous schemes. Our scheme requires 4 times pairing computations which is independent of the size in the ring. Besides, the computational complexity in revocation part is more efficient than previous ones, and it only requires one scalar multiplication computation and one additional computation

2. Preliminaries

In this section, we introduce bilinear pairing and complex assumptions. They are utilized in the construction and provable security for our scheme. The notations used throughout the paper are described in Table 1.

2.1. Bilinear Pairing

Let and be cyclic groups of a large prime order . We write additively and multiplicatively. We assume that the discrete logarithm problems in and are intractable.

Let be a bilinear group generator that, on input of a security parameter , outputs a description of bilinear groups (,,,) such that and are cyclic groups of prime order , is a generator of , and a map satisfies the following properties: (i)Bilinear: and : (ii)Non-degenerate: There exists , such that (iii)Computability: The map is efficiently computability for any

2.2. Complexity Assumptions

Definition 1 Discrete logarithm (DL) assumption. We say that the DL assumption holds if for any polynomial-time adversary , the following advantage is negligible function in :

Definition 2 Computational Diffie-Hellman (CDH) assumption. Let be a group generator that, on input of a security parameter , outputs a cyclic group. We say that the CDH assumption holds if for any polynomial-time adversary , the following advantage is negligible function in :

Definition 3 Decisional bilinear Diffie-Hellman (DBDH) assumption. Let be a bilinear pairing, . For , given the tuples , we say that the DBDH assumption holds if for any polynomial-time adversary , the following advantage is negligible function in :

3. Security Model

In this section, we give the security model and the security notions of our revocable one-time ring signature.

3.1. Definition of Revocable One-Time Ring Signature

3.1.1. Revocable One-time Ring Signature

Revocable one-time ring signature (roRS) scheme is the tuples (Setup, KeyGen, Sign, Verify, Link, and Revoke). (i): The setup algorithm is a probabilistic polynomial time algorithm which takes as input a security parameter and outputs a set of public parameters (ii): The key generation algorithm is a probabilistic polynomial time algorithm which takes as input public parameters and outputs a private/public key pair . Respectively, we denote and as the domain of possible private keys and possible public keys(iii): The signing algorithm is a probabilistic polynomial time algorithm which takes as input a key image , a private key , a message , a revocation authority’s public key , and a list of public keys in which includes the one corresponding to and produces a signature (iv): The signature verification algorithm is a probabilistic polynomial time algorithm which takes as input the key image , a set of public keys in , a revocation authority’s public key , a message , and a signature and returns accept or reject(v): The linking algorithm which takes as input key images , a set of public keys in , and a set of public keys in , messages and , and signatures and , such that and and returns linked or unlinked(vi): The revoking algorithm is a probabilistic polynomial time algorithm which takes as input a set of public keys in , a valid signature , and a secret key of the revocation authority and returns a public key in

3.1.2. Correctness

A revocable one-time ring signature scheme should satisfy the following: (i)Verification correctness: A signature signed by honest signers is verified to be valid as follows:(ii)Linking correctness: Two signatures with the same event description generated by the same secret key of the identical signer must be linkable(iii)Revocation Correctness: The revocation authority can reveal an honest signer’s public key with overwhelming probability

3.2. Notions of Security

Security of our roRS scheme has five aspects: unforgeability, anonymity, linkability, non-slanderability, and revocability.

Formally, we capture attack behaviors as adversarial queries to oracles implemented by a challenger . We provide adversary the following oracles. (i)JO (joining oracle). : . queries this oracle for adding a new user to the system. keeps track of this type of queries by maintaining a list , which is initially empty. Upon receiving a fresh query, responds as below: picks random public parameters , runs to obtain . records in , and then returns to . This type of oracle captures can observe the public keys of honest users in the system(ii)CO (corruption oracle). : . queries this oracle with a public key in . keeps track of this type of queries by maintaining a list , which is initially empty. Upon receiving a fresh query, records in . returns the associated to and moves this entry to . This oracle captures can corrupt some honest users and return private key (iii)SO (signing oracle). : . queries this oracle with (a key image , a set of public keys, a revocation authority’s public key , and a message ) and subjects to the restriction that . keeps track of this type of queries by maintaining a list , which is initially empty. Upon receiving a fresh query, responds as below: runs , records on the list , and then sends to . This oracle captures can generate a signature itself

3.2.1. Unforgeability

We define unforgeability via the following security experiment between and :

Here, , , and is a key image. is a revocation authority’s public key, and all public keys are in . No public keys are in . is not in . is the successful probability of adversary who wins the unforgeability security experiment.

The process of unforgeability security experiment is briefly described as follow: (1) runs with security parameter and sends the public parameter to (2) is allowed to make queries to , , and according to any adaptive strategy(3) outputs a forgery signature

The conditions that wins the experiment are as follows: (1)All public keys are outputs of (2)=accept, and is not the output of (3)No public keys have been queried to

Our roRS satisfies unforgeability if no PPT adversary has non-negligible advantage in the above experiment.

Definition 4 Unforgeability. A revocable one-time ring signature scheme is unforgeable, if for every probabilistic polynomial-time adversary , the advantage is negligible in .

3.2.2. Anonymity

We define anonymity via the following security experiment between and :

Here, , , and is a key image. is a revocation authority’s public key, and is chosen by in . is a corresponding private key of . is the successful probability of adversary who wins the anonymity security experiment.

The process of anonymity security experiment is briefly described as follow: (1) runs with security parameter and sends the public parameter to (2) is allowed to make queries to according to any adaptive strategy(3) gives a set of public keys in such that all of the public keys in are query outputs of , a key image and a message . Parse the set as . randomly picks and computes , where is a corresponding private key of . is given to (4) outputs a guess

So our roRS satisfies anonymity if no PPT adversary has non-negligible advantage in the above experiment.

Definition 5 Anonymity. A revocable one-time ring signature scheme is anonymous, if for every probabilistic polynomial-time adversary , the advantage is negligible in .

3.2.3. Linkability

We define linkability via the following security experiment between and :

Here, , ; , a message and signature , ; is a key image, and is a revocation authority’s public key. All chosen by are in . are not in , has been queried less than 2 times. is the successful probability of adversary who wins the linkability security experiment.

The process of linkability security experiment is briefly described as follows: (1) runs with security parameter and sends the public parameter to (2) is allowed to make queries to , , and according to any adaptive strategy(3) outputs a forgery signature

The conditions that wins the experiment are as follows: (1)All public keys are outputs of (2)=accept, and is not the output of (3) can only at most queried 1 time and at most have one user’s private key(4)= unlinked

So our roRS satisfies linkability if no PPT adversary has non-negligible advantage in the above experiment.

Definition 6 Linkability. A revocable one-time ring signature scheme is linkable, if for every probabilistic polynomial-time adversary , the advantage is negligible in .

3.2.4. Non-slanderability

We define non-slanderability via the following security experiment between and :

Here, , message , and signature ; is a revocation authority’s public key, and is a key image. is subject to the restriction that chosen by is not allowed to be either in or . All of the public keys in and are in . and are not in . is the successful probability of adversary who wins the non-slanderability security experiment.

The process of non-slanderability security experiment is briefly described as follows: (1) runs with security parameter and sends the public parameter to (2) is allowed to make queries to , , and according to any adaptive strategy(3) outputs a forgery signature

The conditions that wins the experiment are as follows: (1)=accept(2) is not an output of (3) has not been queried to (4)All public keys are in ; are query outputs of (5)=linked

So our roRS satisfies non-slanderability if no PPT adversary has non-negligible advantage in the above experiment.

Definition 7 Non-slanderability. A revocable one-time ring signature scheme is non-slanderous, if for every probabilistic polynomial-time adversary , the advantage is negligible in .

3.2.5. Revocability

We define revocability via the following security experiment between and :

Here, , , signature , and is a revocation authority’s public key, and is a key image. All chosen by are in . are not in , has been queried less than 2 times, that is, can only obtain at most one private key denotes as , and is the corresponding public key of . is the successful probability of adversary who wins the revocability security experiment.

The process of revocability security experiment is briefly described as follows: (1) runs with security parameter and sends the public parameter to (2) is allowed to make queries to , , and according to any adaptive strategy(3) outputs a forgery signature

The conditions that wins the experiment are as follows: (1)=accept(2) is not an output of (3)All public keys are query outputs of (4) has been queried less than 2 times, that is, can only obtain at most one private key denotes as (5) for

So our roRS satisfies revocability if no PPT adversary has non-negligible advantage in the above experiment.

Definition 8 Revocability. A revocable one-time ring signature scheme is revocable, if for every probabilistic polynomial-time adversary , the advantage is negligible in .

4. Construction

In this section, we propose our new revocable one-time ring signature (roRS) scheme. Our scheme is constructed as follows:

Setup: Let and be two groups with prime order ; is an additive group and is a multiplicative group. is the generator of and a bilinear pairing . Let and be two cryptographic hash functions and be a deterministic hash function. And the public parameters .

KeyGen: A ring user randomly picks and computes . So the user has secret key and public key pair . The secret key of the revocation authority is , and the corresponding public key is = .

Sign: Let be a set of users’ public keys in the ring. So a ring user has his own key pair . Additionally, the user has given a message ; then, the user with the knowledge of computes a signature of knowledge as follows: (1)Compute the key image : First, use a hash function with to make one signer only have the corresponding one key image.

; then, compute the key image with the signer’s private key and ,. (2)Randomly choose , and compute: First make proof of knowledge for private key , and then construct for the revoking phase and for the verification phase:(3)Randomly choose , where ; and randomly choose , where . Then, set the following transformations for all users in the ring:(4)Get the non-interactive challenge:(5)Randomly choose , where and . Then when , make a hash function to be a random number for verifiers. Compute , where (6)Then, when , use notions above and compute:

Compute as a random number: then make a hash function as a random number for : use private key to make the response when : (7)To close the ring, set (8)Output the signature

Verify: Given the tuples , the verifier carries out the following steps: (1)Compute and , , and , where (2)Check whether and . If two equalities hold, accept the signature; otherwise, reject it

Link: On receive the tuples: The verifier checks if both and are two valid signatures. If yes, then outputs link if . Otherwise, reject.

Revoke: On receive the tuples . The revocation authority first checks whether is a valid signature. If it holds, continue; otherwise, reject. In order to revoke the anonymity of the actual signer, the revocation authority makes as follows:

If there exists , such that , where is the public key of the actual signer.

5. Correctness Analysis

5.1. Verification Correctness

On correctness, using the bilinearity and nondegeneracy of the pairing , a signature is correctly verified by the Verify algorithm as follows:

5.1.1. Linking Correctness

On linking correctness, the signer computes the key image as follows:

Therefore, the user can only compute the key image once with the same event description.

5.1.2. Revoking Correctness

On revoking correctness, the revocation authority can successfully identify the actual signer’s public key as follows: where is the revocation authority’s private key and is the actual signer’s public key.

6. Security Analysis

In this section, the security proofs of the proposed scheme are given.

Theorem 9 Unforgeability. Our proposed scheme is unforgeable in the random oracle model with the CDH assumption.

Proof. Suppose there exists a PPT adversary with advantage , which means that can forge a valid signature with probability . Then, we use a simulator to solve the CDH problem. Let be a given instance, where is randomly picked in and . Through the adversary , we use the simulator which outputs the CDH solution . randomly selects as the actual signer in the simulation. So the simulator simulates the oracles by interacting with the adversary in the nature way as follows: (1)Setup: sets and . randomly chooses and sets . is given the public parameters , and the public keys (2)Queries: queries the oracles , , and in this phase, and sets several lists to record the queries and answers. These lists are initially empty(i)-queries: maintains and checks a corresponding list as queries hash values. If an entry for the query is found in , returns the same answer to . Otherwise, generates a random value as an answer to , and then the query and the answer are added in (ii)-queries: maintains a list . When issues a query , randomly chooses and sets as the answer. The query and the answer then are stored in list (iii)-queries: maintains a list . When issues a query , randomly chooses and sets as the answer. The query and the answer then are stored in list (iv)-queries: When queries at the th query, returns the corresponding public key to . When queries at the th query(), randomly chooses and returns as the corresponding public key. The query and the answer then are stored in list (v)-queries: When queries with the public key which is an output of , first checks if . If yes, fails and stops. Otherwise, returns the corresponding as the corresponding secret key. The query and the answer then are stored in list (vi)-queries: When queries with a tuple . If , outputs a signature by Sign algorithm. Otherwise, maintains a list with a tuple and performs as follows: (1) retrieves the list , if is found, and then takes the value . If not, randomly selects a new value and adds to the list (2) computes (3) chooses a random (4) chooses and randomly, where and ; and computes and and then selects in such that (5) randomly picks and computesand stores the value to . If there has a collision with hash values in , do Step (5) again until no collision happen (6) computes and then outputs as a response to Since each response is independently and uniformly distributed, all responses in the simulation are as in the real attack. Besides, all responses to are valid, and the output in signing query can be verified with the Verify algorithm. Therefore, from ’s view, the simulation is indistinguishable from the real attack. Now, has the tuple , then by using Forking Lemma for ring signature [34], rewinds the same random tape to let obtain another tuple such that for all and . Then, there exists , that is, Therefore, can compute as a solution to solve CDH problem. Due to the Forking Lemma, the probability of successful rewind simulation is at least . Then, can solve the CDH problem with probability at least.

Theorem 10 Anonymity. Our proposed scheme is anonymous in the random oracle model with the DBDH assumption.

Proof. Suppose there exists a PPT adversary with advantage . Then, we use a simulator to solve the DBDH problem. Let be a given instance, where is random picked in , , and . Through the adversary , the simulator ’s objective is to determine whether .
So the simulator simulates the oracles by interacting with the adversary as follows: (1)Setup: The challenge signature is created using the randomly picked public key in . randomly chooses and sets . In addition, sets and . is given the system parameters and the public keys of signers(2)Queries: does the same queries with the oracles ( and ) as Theorem 9(3)Then, queries , and performs the steps as follows:(1) retrieves the list , if is found, and then takes the value . If not, randomly selects a new value and adds to the list (2) sets and and computes (3) chooses a random (4) chooses and randomly, where and ; and computes and and then selects in such that(5) randomly picks and computesand stores the value to . If there has a collision with hash values in , do this step again until no collision happens. (6) computes and then outputs as a response to gives to , and can query the random oracles adaptively and returns a bit . Suppose guesses that the signer’s index is . If cannot identify a signer, returns 0. If , it returns 1; if , it returns 0; otherwise, it returns 1/0 with equal probability. If , then . And when returns 0, from ’s view, all signers has equal probability to sign the signature. Suppose has advantage in the simulation, then we set . The probability of the right choice is computed as Therefore, can determine whether with the probability than if can win, contradiction occurs.

Theorem 11 Linkability. Our proposed scheme is linkable in the random oracle model with the discrete logarithm assumption.

Proof. In order to prove linkability of our roRS scheme, we perform the same setting of oracle queries as the proof in Theorem 9, and we allow to give the public parameters, where has at most one private key , and this private key can correspond to two different keys in ring group for . (When queries the , can only get one private key. can be allowed to get only one private key.)
So through the queries, can output two valid signatures: and the key image of is , and the key image of is .
For , rewinds the same tape with a different value to obtain another valid signature . Then, we obtain If , abort. If , we have where and .
For , rewinds the same tape with a different value to obtain another valid signature . Then, we obtain If , abort. If , we have Therefore, and . Two signatures are linked. can break DLP, and the advantage of is negligible since the rewind simulation is successful.

Theorem 12 Non-slanderability. Our proposed scheme is non-slanderable in the random oracle model with the discrete logarithm assumption.

Proof. In order to prove non-slanderability of our roRS scheme, we perform the same setting of oracle queries as the proof in Theorem 9; the adversary can query to get any public key, but cannot be allowed to query the signer’s public key . But can give simulator the tuples . uses the tuple to generate a valid signature which is the key image computed using . ( can keep querying oracles with the restriction of submitting to .)
Suppose generates another valid signature which is computed by and is not an output of . Additionally, and are linked. Therefore, which means . So , it can imply that knows the secret key corresponding to . This is opposite to our assumption that cannot query to get the secret key of .

Theorem 13 Revocability. Our proposed scheme is revocable in the random oracle model if the construction is unforgeable.

Proof. In order to prove revocability of our roRS scheme, we perform the same setting of oracle queries as the proof in Theorem 9, and we allow give the public parameters, where can get one private key denoted as corresponding to in from . Due to the fact that is randomly and independently distributed, cannot tell out the corresponding secret keys according to our assumption. Then, we suppose that can generate a valid signature successfully for contradiction. The valid signature must be generated by because our proposed scheme is unforgeable. There exists a case that can break revocability in our scheme. We consider one case that can break revocability of our scheme. randomly selects and performs the Sign algorithm; but on behalf of closing the ring, must know the secret key (). Due to our assumption that can only get one private key, contradiction occurs.

7. Efficiency Analysis

In this section, performance analysis is shown in Table 2. The efficiency computational cost and signature size between our proposed scheme and several signature schemes such as revocable ring signature [29], traceable ring signature [30] and so on. Then, we have several computational notions need to define as follows in Table 3.

We do the comparison about computation cost on the size of signature schemes and the timings of signing and verifying with [25, 29, 30, 35, 36], where is the number users included in the group.

From Table 2, we compare our scheme with [25, 35, 36] in signature size, signing, verifying, assumption and security model. We can see that roRS and [25, 35, 36] have the same level of computational complexity in terms of signature size and signature signing. As for verifying, we only need the constant pairing computations which show more efficient than [25, 35, 36] constructed from bilinear pairings similarly. And our security model is built in the random oracle model that is different from [25, 36] built in the standard model.

In Table 4, in relation to the revocation phase, we only need one scalar multiplication computation and one addition computation compared with pairing computations in [29] and addition computations and scalar multiplication computations in [30]. As for the functionality of roRS and [29, 30], [29] cannot achieve the linkability, and [30] cannot provide mandatory revocability; nevertheless, we have accomplished the linkability and the mandatory revocation simultaneously in the random oracle.

8. Conclusion

In this literature, we proposed a novel revocable one-time ring signature scheme based on bilinear pairings, which is provable secure under the DL, DBDH, and CDH assumptions in the random oracle model. In our scheme, we have simultaneously introduced linkability and mandatory revocability to distinguish from other ring signature schemes. In particular, linkability can prevent the double-signing attack, and mandatory revocability guarantees that a revocation authority can identify the actual signer when the actual signer commits a crime in transactions. The scheme about revocation phase requires only one scalar multiplication computation and one additional computation, and the pairing computations in the timings of verifying phase is constant. And constructing provable security revocable one-time ring signature schemes from lattices to resist quantum attackers is an interesting problem that we leave open for further research.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This paper was supported by the National Natural Science Foundation of China (Grant no. U21A20463). We thank Zhang et al. [37] who have provided the inspiration for our scheme.

References

R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret,” Advances in Cryptology-ASIACRYPT 2001, Springer Berlin Heidelberg, Berlin, Heidelberg, 2001.
View at: Google Scholar
J. K. Liu, M. H. Au, W. Susilo, and J. Zhou, “Linkable ring signature with unconditional anonymity,” IEEE Transactions on Knowledge and Data Engineering, vol. 26, no. 1, pp. 157–165, 2014.
View at: Publisher Site | Google Scholar
P. P. Tsang and V. K. Wei, “Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation,” Information Security Practice and Experience, Springer Berlin Heidelberg, Berlin, Heidelberg, 2005.
View at: Publisher Site | Google Scholar
Y. Dodis, A. Kiayias, A. Nicolosi, and V. Shoup, “Anonymous Identification in Ad Hoc Groups,” Advances in Cryptology-EUROCRYPT 2004, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 609–626, 2004.
View at: Publisher Site | Google Scholar
K. Kajita, K. Ogawa, and E. Fujisaki, “A constant-size signature scheme with a tighter reduction from the cdh assumption,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E103.A, no. 1, pp. 141–149, 2020.
View at: Publisher Site | Google Scholar
W. Wang, J. Song, G. Xu, Y. Li, H. Wang, and C. Su, “Contractward: automated vulnerability detection models for ethereum smart contracts,” IEEE Transactions on Network Science and Engineering, vol. 8, no. 2, pp. 1133–1144, 2021.
View at: Publisher Site | Google Scholar
S. Noether, A. Mackenzie, and T. M. Research Lab, “Ring confidential transactions,” Ledger, vol. 1, pp. 1–18, 2016.
View at: Publisher Site | Google Scholar
M. Abe, M. Ohkubo, and K. Suzuki, “1-out-of-n signatures from a variety of keys,” Advances in Cryptology-ASIACRYPT 2002, pp. 415–432, 2002.
View at: Publisher Site | Google Scholar
A. Bender, J. Katz, and R. Morselli, “Ring signatures: stronger definitions, and constructions without random oracles,” Theory of Cryptography, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 60–79, 2006.
View at: Publisher Site | Google Scholar
R. L. Rivest, A. Shamir, and Y. Tauman, “How to leak a secret: theory and applications of ring signatures,” Theoretical Computer Science, Springer, pp. 164–186, 2006.
View at: Google Scholar
H. Shacham and B. Waters, “Efficient ring signatures without random oracles,” International Workshop on Public Key Cryptography, Springer, pp. 166–180, 2007.
View at: Publisher Site | Google Scholar
D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” Advances in Cryptology --- EUROCRYPT 2003, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 416–432, 2003.
View at: Publisher Site | Google Scholar
P.-L. Cayrel, R. Lindner, M. Rückert, and R. Silva, “A lattice-based threshold ring signature scheme,” Progress in Cryptology-LATINCRYPT 2010, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 255–272, 2010.
View at: Publisher Site | Google Scholar
J. K. Liu, T. H. Yuen, and J. Zhou, “Forward secure ring signature without random oracles,” Information and Communications Security, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 1–14, 2011.
View at: Publisher Site | Google Scholar
R. Cramer, I. Damgård, and B. Schoenmakers, “Proofs of partial knowledge and simplified design of witness hiding protocols,” Advances in Cryptology-CRYPTO ‘94, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 174–187, 1994.
View at: Publisher Site | Google Scholar
J. Camenisch and A. Lysyanskaya, “Dynamic accumulators and application to efficient revocation of anonymous credentials,” Advances in Cryptology-CRYPTO 2002, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 61–76, 2002.
View at: Publisher Site | Google Scholar
M. H. Au, J. K. Liu, W. Susilo, and T. H. Yuen, “Constant-size id-based linkable and revocable-iff-linked ring signature,” Progress in Cryptology-INDOCRYPT 2006, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 364–378, 2006.
View at: Publisher Site | Google Scholar
I. R. Jeong, J. O. Kwon, and D. H. Lee, “Ring signature with weak linkability and its applications,” IEEE Transactions on Knowledge and Data Engineering, vol. 20, no. 8, pp. 1145–1148, 2008.
View at: Publisher Site | Google Scholar
J. K. Liu and D. S. Wong, “Linkable ring signatures: security models and new schemes,” Computational Science and Its Applications-ICCSA 2005, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 614–623, 2005.
View at: Publisher Site | Google Scholar
M.-J. Qin, Y.-L. Zhao, and Z.-J. Ma, “Practical constant-size ring signature,” Journal of Computer Science and Technology, vol. 33, no. 3, pp. 533–541, 2018.
View at: Publisher Site | Google Scholar
T. H. Yuen, J. K. Liu, M. H. Au, W. Susilo, and J. Zhou, “Efficient linkable and/or threshold ring signature without random oracles,” The Computer Journal, vol. 56, no. 4, pp. 407–421, 2013.
View at: Publisher Site | Google Scholar
P. P. Tsang, V. K. Wei, T. K. Chan, M. H. Au, J. K. Liu, and D. S. Wong, “Separable linkable threshold ring signatures,” Progress in Cryptology-INDOCRYPT 2004, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 384–398, 2005.
View at: Publisher Site | Google Scholar
J. K. Liu, V. K. Wei, and D. S. Wong, “Linkable spontaneous anonymous group signature for ad hoc groups,” Information Security and Privacy, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 325–335, 2004.
View at: Publisher Site | Google Scholar
D. Zheng, X. Li, K. Chen, and J. Li, “Linkable ring signatures from linear feedback shift register,” Emerging Directions in Embedded and Ubiquitous Computing, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 716–727, 2007.
View at: Publisher Site | Google Scholar
D. Y. Liu, J. K. Liu, Y. Mu, W. Susilo, and D. S. Wong, “Revocable ring signature,” Journal of Computer Science and Technology, vol. 22, no. 6, pp. 785–794, 2007.
View at: Publisher Site | Google Scholar
C. A. Melchor, P.-L. Cayrel, P. Gaborit, and F. Laguillaumie, “A new efficient threshold ring signature scheme based on coding theory,” IEEE Transactions on Information Theory, vol. 57, no. 7, pp. 4833–4842, 2011.
View at: Publisher Site | Google Scholar
Y. Tang, F. Xia, Q. Ye, M. Wang, R. Mu, and X. Zhang, “Identity-based linkable ring signature on ntru lattice,” Security and Communication Networks, vol. 2021, Article ID 9992414, 17 pages, 2021.
View at: Publisher Site | Google Scholar
M. Hu and Z. Liu, Lattice-Based Linkable Ring Signature in the Standard Model, Cryptology ePrint Archive, 2022.
L. Li, J. Liu, L. Cheng et al., “Creditcoin: a privacy-preserving blockchain-based incentive announcement network for communications of smart vehicles,” IEEE Transactions on Intelligent Transportation Systems, vol. 19, no. 7, pp. 2204–2220, 2018.
View at: Publisher Site | Google Scholar
E. Fujisaki and K. Suzuki, “Traceable ring signature,” International Workshop on Public Key Cryptography, Springer, pp. 181–200, 2007.
View at: Publisher Site | Google Scholar
E. Fujisaki, “Sub-linear size traceable ring signatures without random oracles,” Topics in Cryptology-CT-RSA 2011, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 393–415, 2011.
View at: Publisher Site | Google Scholar
M. H. Au, J. K. Liu, W. Susilo, and T. H. Yuen, “Secure id-based linkable and revocable-iff-linked ring signature with constant-size construction,” Theoretical Computer Science, vol. 469, pp. 1–14, 2013.
View at: Publisher Site | Google Scholar
H. Feng, J. Liu, D. Li, Y.-N. Li, and Q. Wu, “Traceable ring signatures: general framework and post-quantum security,” Designs, Codes and Cryptography, vol. 89, no. 6, pp. 1111–1145, 2021.
View at: Publisher Site | Google Scholar
J. Herranz and G. Sáez, “Forking lemmas for ring signature schemes,” Progress in Cryptology - INDOCRYPT 2003, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 266–279, 2003.
View at: Publisher Site | Google Scholar
F. Zhang, R. Safavi-Naini, and W. Susilo, “An efficient signature scheme from bilinear pairings and its applications,” International workshop on public key cryptography, Springer, pp. 277–290, 2004.
View at: Google Scholar
S. Schäge and J. Schwenk, “A cdh-based ring signature scheme with short signatures and public keys,” Financial Cryptography and Data Security, Springer Berlin Heidelberg, Berlin, Heidelberg, pp. 129–142, 2010.
View at: Publisher Site | Google Scholar
X. Zhang, J. K. Liu, R. Steinfeld, V. Kuchta, and J. Yu, “Revocable and linkable ring signature,” Information Security and Cryptology, Springer International Publishing, Cham, pp. 3–27, 2020.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Xu Han et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

478

Downloads

350

Citations