LINKABLE RING SIGNATURES FOR BLOCKCHAIN PRIVACY PROTECTION
Numerous security vulnerabilities have emerged within the PKI system. For example, a compromised CA can issue illegal or fake certificates for any domains, and a CA can issue unauthorized certificates without the consent of the domain owner. In addition, some high-value target domains, such as banks and government agencies, may have been frequently attacked, and the adversaries can launch the targeted attacks by making use of the disclosure of the issuing CAs. To address these pressing issues or challenges, in this work, we propose a novel blockchain-based PKI framework using linkable ring signatures, called LRS_PKI. Specifically, we propose a novel certificate issuance mechanism that utilizes linkable ring signatures to hide the issuing CA, so as to reduce the risk of the PKI system being attacked. Additionally, we introduce the blockchain as a public log to record the certificate operations, and adopt the decentralized storage IPFS to store the certificates to decouple the blockchain layer and storage layer. In order to prevent the CA from issuing unauthorized certificates, we have added a condition to verify whether the issuing CA in the certificate verification.
- Research Article
4
- 10.1016/j.comnet.2023.110043
- Sep 25, 2023
- Computer Networks
LRS_PKI: A novel blockchain-based PKI framework using linkable ring signatures
- Research Article
1
- 10.53106/160792642023032402028
- Mar 1, 2023
- 網際網路技術學刊
Anonymity is a necessary property for a ring signature scheme and also its variant such as linkable ring signature and traceable ring signature schemes, which are especially useful in blockchains. Intuitively, those variants were designed for detecting or seeking the dishonest signatory, however, at the cost of reducing the anonymity of a traditional ring signature. As a result, while various constructions of strongly anonymous ring signatures were well-known, a linkable ring signature scheme with the same property was an open problem for a long time. In this work, we launched a so-called denying attack to show the gap between an arbitrary ring signature and linkable ring signature transparently, which further confirmed the widely believed impossibility in building a linkable ring signature with both strong anonymity and strong linkability. For a concrete instance, we also applied this attack to the scheme in IEEE TKDE, which to the best of our knowledge is the unique linkable ring signature both with strong anonymity and strong linkability so far. The concrete attack is easily launched in blockchain so that it shows the impossibility of providing strong anonymity via linkable ring signature for blockchain applications, since strong linkability is indispensable.
- Book Chapter
1
- 10.1007/978-981-15-2777-7_2
- Dec 23, 2019
Aiming at the problems of large key size and low computation efficiency of linkable ring signature (LRS) schemes from lattice, we construct a LRS scheme based on the RLWE (learning with errors from ring) commitment scheme and further apply the proposed LRS scheme to blockchain to construct an anonymous post-quantum cryptocurrency model. Concretely, we first prove through setting parameters reasonably, we can make a RLWE-based commitment scheme to have homomorphism; Then use the RLWE-based homomorphic commitment scheme, combined with the Σ-protocol and Fiat-Shamir heuristic to construct a LRS scheme; Finally, by combining the proposed LRS scheme with blockchain we present an anonymous post-quantum cryptocurrency model. Analysis shows that compared with the previous LRS schemes, since the proposed LRS scheme is constructed based on the intractability of RLWE problem which can be reduced to SVP (shortest vector problem) on lattice, it can both resist the quantum computer attacks and have smaller key size, signature size and higher computational efficiency. The proposed cryptocurrency model uses the proposed LRS scheme to ensure the sender’s anonymity and the one-time stealth address to guarantee the recipient’s anonymity, which can both protect users’ identities and resist quantum attacks.
- Book Chapter
2
- 10.1007/978-3-030-66626-2_9
- Jan 1, 2020
Fiat-Shamir with aborts is a technique to transform a lattice-based identification scheme to a signature scheme introduced by Lyubashevsky (in Asiacrypt 2009). The scheme is also provably secure based on some standard lattice problems. In this paper, we show how to generically transform a signature scheme, obtained by Fiat-Shamir transformation from the ring learning with errors problem (RLWE), to a ring signature. The ring signature obtained with this transformation possesses standard security notions like unforgeability and anonymity. We also show how to achieve a linkable ring signature from the ring signature using a collision-resistant hash function. Linkable ring signatures are an important cryptographic tool as it protects signer anonymity and link signatures from the same signer. The linkable ring signature obtained from this transformation performs at par with the other lattice-based solutions for linkable ring signature, which does not require high-end zero-knowledge proofs.
- Research Article
10
- 10.1109/access.2021.3087808
- Jan 1, 2021
- IEEE Access
Linkable ring signatures are a useful cryptographic tool for constructing applications such as ones related to electronic voting (e-voting), digital cash (e-cash) as well as cloud computing. Equipped with linkable ring signatures, e-voting and e-cash systems can simultaneously enjoy the privacy and the unreusability properties thanks to the anonymity and the linkability of linkable ring signatures. Likewise, cloud servers can enjoy a privacy-preserving ability, a flexible access control and an efficient security management with linkable ring signatures. Moreover, linkable ring signatures built in the identity-based setting would help to remove the expense of using the conventional public key infrastructure and also could be applied to the user management. This primitive hence would be suitable for huge-scale applications. In this paper, we present the first identity-based linkable ring signatures (IdLRS) in both integer lattice and ideal lattice setting. The proposed IdLRS is proved secure in the random oracle model and based on the hardness of the short integer solution and ring short integer solution assumption. We also implement the proposed IdLRS as a proof of concept and then do some experiments to evaluate the running times and the sizes.
- Research Article
18
- 10.1109/access.2019.2948972
- Jan 1, 2019
- IEEE Access
A ring signature is an anonymous signature that implements both the authentication of the message and the anonymity of the signer. In a “normal” ring signature scheme, the same signer can generate multiple ring signatures, but the verifier cannot find this fact. Linkable ring signature (LRS) solves the problem. In the setting, the identity of the signer is still anonymous, and if the same signer generates multiple ring signatures, the verifier can confirm the fact. Linkable ring signatures are applied to some actual scenarios, such as e-cash, e-voting and ad-hoc network authentication. In this paper, we presented a new identity-based linkable ring signature scheme that avoids certificate management. We then gave the security proofs in the random oracle model (ROM) and compared the efficiency of it with the previous schemes. The new scheme requires only 7 pairing operations in signing and verifying. It is the most efficient linkable ring signature in the identity-based setting.
- Book Chapter
8
- 10.1007/978-3-031-17146-8_21
- Jan 1, 2022
A linkable ring signature allows a user to sign anonymously on behalf of a group while ensuring that multiple signatures from the same user are detected. Applications such as privacy-preserving e-voting and e-cash can leverage linkable ring signatures to significantly improve privacy and anonymity guarantees. To scale to systems involving large numbers of users, short signatures with fast verification are a must. Concretely efficient ring signatures currently rely on a trusted authority maintaining a master secret, or follow an accumulator-based approach that requires a trusted setup. In this work, we construct the first linkable ring signature with both logarithmic signature size and verification that does not require any trusted mechanism. Our scheme, which relies on discrete-log type assumptions and bilinear maps, improves upon a recent concise ring signature called DualRing by integrating improved preprocessing arguments to reduce the verification time from linear to logarithmic in the size of the ring. Our ring signature allows signatures to be linked based on what message is signed, ranging from linking signatures on any message to only signatures on the same message. We provide benchmarks for our scheme and prove its security under standard assumptions. The proposed linkable ring signature is particularly relevant to use cases that require privacy-preserving enforcement of threshold policies in a fully decentralized context, and e-voting.
- Book Chapter
68
- 10.1007/11774716_9
- Jan 1, 2006
Ring signature is a group-oriented signature in which the signer can spontaneously form a group and generate a signature such that the verifier is convinced the signature was generated by one member of the group and yet does not know who actually signed. Linkable ring signature is a variant such that two signatures can be linked if and only if they were signed by the same person. Recently, the first short linkable ring signature has been proposed. The short signature length makes it practical all of a sudden to use linkable ring signature as a building block in various cryptographic applications. However, we observed a subtle and yet imperative blemish glossed over by their security model definition which, if not carefully understood and properly handled, could lead to unanticipated security threats. Inspired by the recent refinement of security definitions in conventional ring signatures, we formalize a new and better security model for linkable ring signature schemes that takes into account realistic adversarial capabilities. We show that the new model is strictly stronger than all existing ones in the literature. Under our new model, we propose a new short linkable ring signature scheme, improved upon the existing scheme.
- Conference Article
1
- 10.1109/nswctc.2010.76
- Jan 1, 2010
The notion of linkable ring signature, introduced by Liu et al. in 2004, provides signer anonymity and spontaneity, but at the same time, allows anyone to determine whether two signatures have been issued by the same group member (linkability). In 2006, Liu-Wong capture stronger notions of signer anonymity and linkability than the original ones proposed by Liu et al. in 2004. And, they proposed a generic approach for constructing a linkable ring signature scheme. In 2007, Au-Liu-Susilo-Yuen proposed certificate based linkable ring signature. In 2005, Tsang-Wei proposed short linkable ring signatures for E-voting, E-cash and attestation. Through cryptanalysis, we found that all these three linkable ring signature schemes can't satisfy the linkability. Anyone in the ring can impersonate other member to sign the linkable ring signature. In addition, most of the proposed linkable ring signature schemes can not also satisfy the linkability. To design secure linkable ring signature scheme is still an open problem.
- Book Chapter
19
- 10.1007/11908739_8
- Jan 1, 2006
Ring signatures enable a user to sign a message so that a ring of possible signers is identified, without revealing exactly which member of that ring actually generated the signature. This concept has been used to construct new cryptographic applications, such as designated signatures, concurrent signatures, etc. To avoid being abused, the concept of linkable ring signatures was introduced. In this concept, when two ring signatures are produced by the same signer, then anyone can link the signatures. In this paper, we introduce a new concept called linkable ring signature with designated linkability that lies between the two. In this new concept, the ring signatures remain anonymous from the public’s point of view. However, they can only be linked by a designated party, whenever necessary. This notion allows the privacy of the signer, but additionally, it also limits the receiver from being abused. We present a generic construction for such schemes, and proceed with an instantiation of our generic construction that is built from the existing linkable ring signature scheme due to Liu et al.
- Book Chapter
30
- 10.1007/978-3-030-29959-0_35
- Jan 1, 2019
First proposed in CryptoNote, a collection of popular privacy-centric cryptocurrencies have employed Linkable Ring Signature and a corresponding Key Derivation Mechanism (KeyDerM) for keeping the payer and payee of a transaction anonymous and unlinkable. The KeyDerM is used for generating a fresh signing key and the corresponding public key, referred to as a stealth address, for the transaction payee. The stealth address will then be used in the linkable ring signature next time when the payee spends the coin. However, in all existing works, including Monero, the privacy model only considers the two cryptographic primitives separately. In addition, to be applied to cryptocurrencies, the security and privacy models for Linkable Ring Signature should capture the situation that the public key ring of a signature may contain keys created by an adversary (referred to as adversarially-chosen-key attack), since in cryptocurrencies, it is normal for a user (adversary) to create self-paying transactions so that some maliciously created public keys can get into the system without being detected.
- Book Chapter
110
- 10.1007/978-3-540-30556-9_30
- Jan 1, 2004
A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Our scheme supports “event-oriented” linking. Applications to such linking criterion is discussed.
- Research Article
2
- 10.1016/j.ins.2024.121164
- Jul 9, 2024
- Information Sciences
Linkable ring signature scheme with stronger security guarantees
- Research Article
11
- 10.1016/j.sysarc.2022.102786
- Nov 18, 2022
- Journal of Systems Architecture
Linked or unlinked: A systematic review of linkable ring signature schemes
- Book Chapter
4
- 10.1007/978-3-030-58808-3_4
- Jan 1, 2020
There are many papers whose authors propose various approaches to the construction of electronic voting (e-voting) systems that are resistant to various types of attacks. The two main properties of such systems are anonymity and verifiability. To provide anonymity, a blind signature or a ring signature is often used. To provide verifiability, distributed ledger technologies, in particular blockchain, have recently been used. One of these systems has been presented at ICCSA 2019. This system is implemented using Hyperledger Fabric blockchain platform and uses a blind signature to provide anonymity. One of the disadvantages of this system is that a compromised signer (an organizer generating a blind signature) could independently create valid ballots without detection. In this paper, we modify this system by replacing a blind signature with a linkable ring signature in order to eliminate this disadvantage. As a result, we combine linkable ring signature, Idemix and blockchain technologies to construct a decentralized anonymous e-voting system that does not rely on a trusted signer and can achieve the following properties: eligibility, unreusability, anonymity, and verifiability. In addition, the use of both a linkable ring signature and Idemix allows us to construct a two-stage anonymization, that increases the versatility of the proposed system. This allows us to use a blockchain platform (for example, Hyperledger Fabric) to implement the e-voting system, without making changes to platform standard signature scheme.