Logarithmic-Size Post-Quantum Linkable Ring Signatures Based on Aggregation Operations

Abstract

Linkable ring signatures are a type of ring signature scheme that can protect the anonymity of signers while allowing the public to verify whether the same signer has signed the same message multiple times. This functionality makes linkable ring signatures suitable for applications such as cryptocurrencies and anonymous voting systems, achieving the dual goals of identity privacy protection and misuse prevention. However, existing post-quantum linkable ring signature schemes often suffer from issues such as excessive linear data growth from the adoption of post-quantum signature algorithms, and high circuit complexity resulting from the use of post-quantum zero-knowledge proof protocols. To address these issues, a logarithmic-size post-quantum linkable ring signature scheme based on aggregation operations is proposed. The scheme constructs a Merkle tree from ring members’ public keys via a hash algorithm to achieve logarithmic-scale signing and verification operations. Moreover, it introduces, for the first time, a post-quantum aggregate signature scheme to replace post-quantum zero-knowledge proof protocols, thereby effectively avoiding the construction of complex circuits. Scheme analysis confirms that the proposed scheme meets the correctness requirements of linkable ring signatures. In terms of security, the scheme satisfies the anonymity, unforgeability, and linkability requirements of linkable ring signatures. Moreover, the aggregation process does not leak information about the signing members, ensuring strong privacy protection. Experimental results demonstrate that, when the ring size scales to 1024 members, our scheme outperforms the existing Dilithium-based logarithmic post-quantum ring signature scheme, with nearly 98.25% lower signing time, 98.90% lower verification time, and 99.81% smaller signature size.

Similar Papers
  • Research Article
  • Cite Count: 1
  • 10.53106/160792642023032402028
On The Impossibility of Providing Strong Anonymity in Blockchains via Linkable Ring Signatures
  • Mar 1, 2023
  • 網際網路技術學刊
  • Huang Zhang + 2 more

Anonymity is a necessary property for a ring signature scheme and also its variant such as linkable ring signature and traceable ring signature schemes, which are especially useful in blockchains. Intuitively, those variants were designed for detecting or seeking the dishonest signatory, however, at the cost of reducing the anonymity of a traditional ring signature. As a result, while various constructions of strongly anonymous ring signatures were well-known, a linkable ring signature scheme with the same property was an open problem for a long time. In this work, we launched a so-called denying attack to show the gap between an arbitrary ring signature and linkable ring signature transparently, which further confirmed the widely believed impossibility in building a linkable ring signature with both strong anonymity and strong linkability. For a concrete instance, we also applied this attack to the scheme in IEEE TKDE, which to the best of our knowledge is the unique linkable ring signature both with strong anonymity and strong linkability so far. The concrete attack is easily launched in blockchain so that it shows the impossibility of providing strong anonymity via linkable ring signature for blockchain applications, since strong linkability is indispensable.

  • Book Chapter
  • Cite Count: 10
  • 10.1007/978-3-030-30215-3_22
Adding Linkability to Ring Signatures with One-Time Signatures
  • Jan 1, 2019
  • Xueli Wang + 2 more

We propose a generic construction that adds linkability to any ring signature scheme with one-time signature scheme. Our construction has both theoretical and practical interest. In theory, the construction gives a formal and cleaner description for constructing linkable ring signature from ring signature directly. In practice, the transformation incurs a tiny overhead in size and running time. By instantiating our construction using the ring signature scheme [13] and the one-time signature scheme [12], we obtain a lattice-based linkable ring signature scheme whose signature size is logarithmic in the number of ring members. This scheme is practical, especially the signature size is very short: for \(2^{30}\) ring members and 100 bit security, our signature size is only 4 MB.

  • Book Chapter
  • Cite Count: 153
  • 10.1007/978-3-540-31979-5_5
Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation
  • Jan 1, 2005
  • Patrick P Tsang + 1 more

A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup. A linkable ring signature (LRS) scheme additionally allows anyone to determine if two ring signatures have been signed by the same group member. Recently, Dodis et al. [18] gave a short (constant-sized) ring signature scheme. We extend it to the first short LRS scheme, and reduce its security to a new hardness assumption, the Link Decisional RSA (LD-RSA) Assumption. We also extend [18]’s other schemes to a generic LRS scheme and a generic linkable group signature scheme. We discuss three applications of our schemes. Kiayias and Yung [22] constructed the first e-voting scheme which simultaneously achieves efficient tallying, public verifiability, and write-in capability for a typical voter distribution under which only a small portion writes in. We construct an e-voting scheme based on our short LRS scheme which achieves the same even for all worst-case voter distribution. Direct Anonymous Attestation (DAA) [6] is essentially a ring signature scheme with certain linking properties that can be naturally implemented using LRS schemes. The construction of an offline anonymous e-cash scheme using LRS schemes is also discussed.

  • Research Article
  • Cite Count: 20
  • 10.1109/access.2019.2948972
Identity-Based Linkable Ring Signature Scheme
  • Jan 1, 2019
  • IEEE Access
  • Lunzhi Deng + 2 more

A ring signature is an anonymous signature that implements both the authentication of the message and the anonymity of the signer. In a “normal” ring signature scheme, the same signer can generate multiple ring signatures, but the verifier cannot find this fact. Linkable ring signature (LRS) solves the problem. In the setting, the identity of the signer is still anonymous, and if the same signer generates multiple ring signatures, the verifier can confirm the fact. Linkable ring signatures are applied to some actual scenarios, such as e-cash, e-voting and ad-hoc network authentication. In this paper, we presented a new identity-based linkable ring signature scheme that avoids certificate management. We then gave the security proofs in the random oracle model (ROM) and compared the efficiency of it with the previous schemes. The new scheme requires only 7 pairing operations in signing and verifying. It is the most efficient linkable ring signature in the identity-based setting.

  • Research Article
  • Cite Count: 3
  • 10.1093/comjnl/bxac141
Shorter Linkable Ring Signature Based on Middle-Product Learning with Errors Problem
  • Oct 21, 2022
  • The Computer Journal
  • Hao Lin + 4 more

DualRing is a novel generic construction introduced by Yuen et al. (CRYPTO’21), which can transform a special kind of (Type-T*) canonical identification scheme to a ring signature scheme. Compared with the classical approaches, this method can get a shorter signature. In this paper, we construct a new middle-product learning with errors (MPLWE)-based ring signature scheme by using this framework. Specifically, we propose a new MPLWE-based identification scheme, which is compatible with the DualRing, then we obtain a ring signature scheme by using DualRing framework. We also show how to achieve linkability from this ring signature by using a collision resistant hash function. In the end, we provide available parameter options for our (linkable) ring signature scheme. Under these parameters, the signature size of our linkable ring signature is $2$–$40\times$ shorter (depending on the ring size) than the previous MPLWE-based scheme by Das et al. (Africacrypt’19).

  • Book Chapter
  • Cite Count: 2
  • 10.1007/978-981-15-2777-7_2
RLWE Commitment-Based Linkable Ring Signature Scheme and Its Application in Blockchain
  • Dec 23, 2019
  • Qing Ye + 6 more

Aiming at the problems of large key size and low computation efficiency of linkable ring signature (LRS) schemes from lattice, we construct a LRS scheme based on the RLWE (learning with errors from ring) commitment scheme and further apply the proposed LRS scheme to blockchain to construct an anonymous post-quantum cryptocurrency model. Concretely, we first prove through setting parameters reasonably, we can make a RLWE-based commitment scheme to have homomorphism; Then use the RLWE-based homomorphic commitment scheme, combined with the Σ-protocol and Fiat-Shamir heuristic to construct a LRS scheme; Finally, by combining the proposed LRS scheme with blockchain we present an anonymous post-quantum cryptocurrency model. Analysis shows that compared with the previous LRS schemes, since the proposed LRS scheme is constructed based on the intractability of RLWE problem which can be reduced to SVP (shortest vector problem) on lattice, it can both resist the quantum computer attacks and have smaller key size, signature size and higher computational efficiency. The proposed cryptocurrency model uses the proposed LRS scheme to ensure the sender’s anonymity and the one-time stealth address to guarantee the recipient’s anonymity, which can both protect users’ identities and resist quantum attacks.

  • Research Article
  • 10.1049/ise2/6682936
Design of Linkable Ring Signature Scheme Based on the MP‐LWE Problem and Its Application in IoV
  • Jan 1, 2025
  • IET Information Security
  • Lansheng Han + 2 more

Ensuring the information security and privacy of users in the Internet of Vehicles (IoV) is crucial for gaining user trust and promoting the application of vehicular networks. This article designs an efficient linkable ring signature (LRS) scheme on the basis of the middle‐product learning with errors (MP‐LWE) problem and applies it to vehicular networks to resist quantum computer attacks. First, a new authentication scheme based on the MP‐LWE problem is proposed. In addition, it is demonstrated to be compatible with the DualRing framework. Then, according to the transformation of DualRing, a new efficient ring signature scheme based on the MP‐LWE problem is obtained. With anti‐collision hash functions to assign a specific tag to each user, this ring signature scheme is converted into a secure LRS scheme. Subsequently, under the random oracle model, the unforgeability, anonymity, and linkability of the LRS scheme are shown. Furthermore, by integrating the scheme constructed in this article with blockchain technology and applying it to IoV scenarios, it effectively ensures the privacy of vehicle identities during communication and the reliability of messages and significantly improves communication efficiency. The signature length of the LRS scheme designed in the present study is 4–20 times shorter than that of similar schemes. Regarding time overhead, the total time overhead of our scheme can be reduced by 14.72%–40.38%.

  • Book Chapter
  • Cite Count: 111
  • 10.1007/978-3-540-30556-9_30
Separable Linkable Threshold Ring Signatures
  • Jan 1, 2004
  • Patrick P Tsang + 5 more

A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. [20], additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are linked). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of accusatory linkability and non-slanderability to linkable ring signatures. Our scheme supports “event-oriented” linking. Applications to such linking criterion is discussed.

  • Research Article
  • Cite Count: 14
  • 10.1016/j.sysarc.2022.102786
Linked or unlinked: A systematic review of linkable ring signature schemes
  • Nov 18, 2022
  • Journal of Systems Architecture
  • Justice Odoom + 5 more

  • Research Article
  • Cite Count: 2
  • 10.3390/s25123684
Linkable Ring Signature for Privacy Protection in Blockchain-Enabled IIoT
  • Jun 12, 2025
  • Sensors (Basel, Switzerland)
  • Fang Guo + 5 more

The blockchain-enabled industrial Internet of Things (IIoT) faces security threats such as quantum computing attacks and privacy disclosure. Targeting these issues, in this study, we design a new lattice-based linkable ring signature (LRS) scheme, which is used to achieve privacy protection for the blockchain-enabled IIoT. Firstly, by using the trapdoor generation algorithm on the lattice and the rejection sampling lemma, we propose a new lattice-based LRS scheme with anti-quantum security and anonymity. Then, we introduce it into blockchain. Through the stealth address and key image technologies, we construct a privacy protection scheme for blockchain in the IIoT, and this LRS scheme protects identity privacy for users through anonymous blockchain. In addition, it also can resist the double spending attack with the linking user’s signature. Lastly, we provide a security analysis, and it is proven that our ring signature scheme satisfies correctness, anonymity, unforgeability and linkability. Compared with other similar schemes, the performance simulation indicates that our scheme’s public key and signature are shorter in size, and its computation overhead and time cost are lower. Consequently, our novel LRS scheme is more secure and practical, which provides privacy protection and anti-quantum security for the blockchain-enabled IIoT.

  • Research Article
  • Cite Count: 8
  • 10.1016/j.ins.2015.05.033
Identity-based quotable ring signature
  • May 29, 2015
  • Information Sciences
  • Kefeng Wang + 2 more

  • Book Chapter
  • Cite Count: 4
  • 10.1007/978-3-030-66626-2_9
Fiat-Shamir with Aborts: From Identification Schemes to Linkable Ring Signatures
  • Jan 1, 2020
  • Dipayan Das

Fiat-Shamir with aborts is a technique to transform a lattice-based identification scheme to a signature scheme introduced by Lyubashevsky (in Asiacrypt 2009). The scheme is also provably secure based on some standard lattice problems. In this paper, we show how to generically transform a signature scheme, obtained by Fiat-Shamir transformation from the ring learning with errors problem (RLWE), to a ring signature. The ring signature obtained with this transformation possesses standard security notions like unforgeability and anonymity. We also show how to achieve a linkable ring signature from the ring signature using a collision-resistant hash function. Linkable ring signatures are an important cryptographic tool as it protects signer anonymity and link signatures from the same signer. The linkable ring signature obtained from this transformation performs at par with the other lattice-based solutions for linkable ring signature, which does not require high-end zero-knowledge proofs.

  • Conference Article
  • Cite Count: 2
  • 10.1109/ias.2009.23
A New Multi-bank E-cash Protocol with Anonymity Control
  • Jan 1, 2009
  • Lingling Wang

Most proposed multi-bank e-cash protocols in the literature have been developed based on group signatures in which the member revocation problem is inevitable. In this paper, we propose a new multi-bank e-cash protocol by using blind ring signatures and linkable ring signatures, by which the client anonymity control and bank anonymity control are achieved respectively. Since our blind ring signature scheme and linkable ring signature scheme are both based on XTR, we conclude that our protocol is secure and efficient.

  • Book Chapter
  • Cite Count: 14
  • 10.1007/978-3-030-97131-1_15
Logarithmic-Size (Linkable) Threshold Ring Signatures in the Plain Model
  • Jan 1, 2022
  • Abida Haque + 3 more

A 1-out-of-N ring signature scheme, introduced by Rivest, Shamir, and Tauman-Kalai (ASIACRYPT ’01), allows a signer to sign a message as part of a set of size N (the so-called “ring”) which are anonymous to any verifier, including other members of the ring. Threshold ring (or “thring”) signatures generalize ring signatures to t-out-of-N parties, with \(t \ge 1\), who anonymously sign messages and show that they are distinct signers (Bresson et al., CRYPTO’02). Until recently, there was no construction of ring signatures that both (i) had logarithmic signature size in N, and (ii) was secure in the plain model. The work of Backes et al. (EUROCRYPT’19) resolved both these issues. However, threshold ring signatures have their own particular problem: with a threshold \(t \ge 1\), signers must often reveal their identities to the other signers as part of the signing process. This is an issue in situations where a ring member has something controversial to sign; he may feel uncomfortable requesting that other members join the threshold, as this reveals his identity. Building on the Backes et al. template, in this work we present the first construction of a thring signature that is logarithmic-sized in N, in the plain model, and does not require signers to interact with each other to produce the thring signature. We also present a linkable counterpart to our construction, which supports a fine-grained control of linkability. Moreover, our thring signatures can easily be adapted to achieve the recent notions of claimability and repudiability (Park and Sealfon, CRYPTO’19).

  • Book Chapter
  • Cite Count: 70
  • 10.1007/11774716_9
Short Linkable Ring Signatures Revisited
  • Jan 1, 2006
  • Man Ho Au + 3 more

Ring signature is a group-oriented signature in which the signer can spontaneously form a group and generate a signature such that the verifier is convinced the signature was generated by one member of the group and yet does not know who actually signed. Linkable ring signature is a variant such that two signatures can be linked if and only if they were signed by the same person. Recently, the first short linkable ring signature has been proposed. The short signature length makes it practical all of a sudden to use linkable ring signature as a building block in various cryptographic applications. However, we observed a subtle and yet imperative blemish glossed over by their security model definition which, if not carefully understood and properly handled, could lead to unanticipated security threats. Inspired by the recent refinement of security definitions in conventional ring signatures, we formalize a new and better security model for linkable ring signature schemes that takes into account realistic adversarial capabilities. We show that the new model is strictly stronger than all existing ones in the literature. Under our new model, we propose a new short linkable ring signature scheme, improved upon the existing scheme.
