
A Traceable Ring Signature Scheme Based on Coding Theory

Conference paper, Post-Quantum Cryptography (PQCrypto 2019).

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11505)
Abstract

Traceable ring signatures are a variant of ring signatures which allows the identity of a user to be revealed when that user signs two different messages with respect to the same group of users. They have applications in e-voting and in cryptocurrencies, such as the well-known Monero. We propose the first traceable ring signature scheme whose security is based on the hardness of the Syndrome Decoding problem, a problem in coding theory which is conjectured to be unsolvable by both classical and quantum algorithms. To construct the scheme, we use a variant of Stern’s protocol and, by applying the Fiat-Shamir transform to it in an ingenious way, we obtain a ring signature that allows traceability. We prove that the resulting protocol has the standard security properties for traceable ring signatures in the random oracle model: tag-linkability, anonymity and exculpability. As far as we know, this is the first proposal for a traceable ring signature scheme in the post-quantum setting.


Notes

  1. We refer the reader to [15] for a more detailed introduction on sigma protocols.

  2. The name GStern’s protocol comes from Generalized Stern’s protocol.

  3. That is, at least one of the messages (\(M_1\) or \(M_2\)) was not asked in a query to the oracle.

References

  1. Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28

  2. Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A practical group signature scheme based on rank metric. In: Duquesne, S., Petkova-Nikova, S. (eds.) WAIFI 2016. LNCS, vol. 10064, pp. 258–275. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-55227-9_18

  3. Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Designs Codes Crypt. 82(1), 469–493 (2017). https://doi.org/10.1007/s10623-016-0276-6

  4. Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: Proceedings of the 2014 IEEE 55th Annual Symposium on Foundations of Computer Science, FOCS 2014, pp. 474–483. IEEE Computer Society, Washington, DC, USA (2014). https://doi.org/10.1109/FOCS.2014.57

  5. Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theor. Comput. Sci. 469, 1–14 (2013). http://www.sciencedirect.com/science/article/pii/S0304397512009528

  6. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31

  7. Berlekamp, E.R., McEliece, R.J., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory (corresp.) 24(3), 384–386 (1978)

  8. Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6

  9. Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3

  10. Branco, P., Mateus, P.: A code-based linkable ring signature scheme. In: Baek, J., Susilo, W., Kim, J. (eds.) ProvSec 2018. LNCS, vol. 11192, pp. 203–219. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01446-9_12

  11. Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)

  12. Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10

  13. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22

  14. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  15. Damgård, I.: On \(\sigma \)-protocols. Lecture Notes, University of Aarhus, Department for Computer Science (2002)

  16. Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 260–285. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_12

  17. Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12

  18. Fujisaki, E.: Sub-linear size traceable ring signatures without random oracles. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 393–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_25

  19. Fujisaki, E., Suzuki, K.: Traceable ring signature. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 181–200. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_13

  20. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28

  21. May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6

  22. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  23. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/S0097539795293172

  24. Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2

  25. Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3

  26. Van Saberhagen, N.: CryptoNote v 2.0 (2013)


Acknowledgments

The first author would like to thank the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135181/2017.

This work is funded by FCT/MEC through national funds and when applicable co-funded by FEDER – PT2020 partnership agreement under the project UID/EEA/50008/2013, and IT internal project QBigData, FCT through national funds, by FEDER, through COMPETE 2020, and by Regional Operational Program of Lisbon, under projects Confident PTDC/EEI-CTP/4503/2014, QuantumMining POCI-01-0145-FEDER-031826 and Predict PTDC/CCI-CIF/29877/2017. It was funded by European project H2020-SU-ICT-2018-2020.

Author information

Correspondence to Pedro Branco.


Appendices

A Sigma Protocols

A.1 Fiat-Shamir Transform

A sigma protocol \((\mathcal {P},\mathcal {V})\) is a three-round protocol between a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\) in which the prover tries to convince the verifier of the validity of some statement. In this work, we are only interested in a particular case of sigma protocols, namely proof of knowledge (PoK) protocols. Here, the prover \(\mathcal {P}\) convinces the verifier \(\mathcal {V}\) not only of the truth of the statement, but also that \(\mathcal {P}\) holds a witness for it. The three rounds of any sigma protocol are the commitment (\( com \)) by the prover, the challenge (\( ch \)) by the verifier and the response (\( resp \)) by the prover. A transcript \(( com , ch , resp )\) is said to be valid if the verifier accepts it as a valid proof.

A PoK must have the following properties: (i) completeness, which ensures that the verifier accepts the proof with high probability if the prover has the secret; (ii) special soundness, which ensures that there is an extractor that, given two valid transcripts \(( com , ch , resp )\) and \(( com , ch ', resp ')\) with the same commitment and \( ch \ne ch '\), can extract the secret; and (iii) honest-verifier zero-knowledge (HVZK), which ensures that the verifier gains no information just by looking at the transcript. This is usually proven by showing the existence of a simulator that can generate transcripts computationally indistinguishable from those generated by the interaction between the prover and the verifier. A detailed survey on sigma protocols can be found in [15].

The Fiat-Shamir transform [17] is a generic method to convert any PoK protocol that is complete, special sound and HVZK into a signature scheme. The transform is proven secure both in the random oracle model (ROM) [1] and in the quantum random oracle model (QROM) [25], under certain conditions.

The idea behind the Fiat-Shamir transform is that the prover simulates the challenge that is usually sent by the verifier. Since this challenge should be chosen uniformly at random, the prover sets the challenge according to a cryptographic hash function receiving as input the message to be signed and the commitment chosen previously by the prover. More precisely, given a proof of knowledge \((\mathcal {P},\mathcal {V})\), the prover computes \( com \), then it sets \( ch =\bar{f} ( com ,M)\) where \(\bar{f}\) is a cryptographic hash function and M is the message to be signed. Finally, it computes \( resp \) such that \(( com , ch , resp )\) is a valid transcript. The signature of M is \(( com , resp )\). To verify the validity of the signature, one just has to compute \(ch=\bar{f} ( com ,M)\) and check that \(( com , ch , resp )\) is a valid transcript.

A.2 CDS Construction

The Cramer-Damgård-Schoenmakers (CDS) construction [14] is a generic way to construct a proof of knowledge \((\mathcal {P}^*,\mathcal {V}^*)\) in which the prover proves knowledge of the solution to some subset of instances of a problem, given any PoK protocol \((\mathcal {P},\mathcal {V})\) and a secret sharing scheme \(\mathcal {SS}\).

Given N instances of a problem, let A be the set of indices for which the prover \(\mathcal {P}^*\) knows the solution. The idea behind the CDS construction is that the new prover \(\mathcal {P}^*\) simulates transcripts \(( com _j, ch _j, resp _j)\) for the instances for which it does not know the solution, that is, for \(j\notin A\). For the instances for which it knows the secret, it computes the commitment \( com _i\), for \(i\in A\), following the protocol \((\mathcal {P},\mathcal {V})\). After receiving the commitments for all instances, the verifier sends a random bit string b to the prover. The string b is interpreted as the secret in \(\mathcal {SS}\) and the challenges \( ch _j\), for \(j\notin A\), as shares that form an unqualified set. This set of shares can be extended to a qualified set by choosing the challenges \( ch _i\), for \(i\in A\), appropriately. The prover then computes valid transcripts \(( com _i, ch _i, resp _i)\) for \(i\in A\); it can do this because it has witnesses for these instances. Finally, the prover \(\mathcal {P}^*\) sends the transcripts \(( com _i, ch _i, resp _i)\) for all i to the verifier. The verifier checks that these are valid transcripts and that the shares \( ch _i\) constitute a qualified set for \(\mathcal {SS}\).

A.3 Stern’s Protocol

Stern’s protocol [24] is a protocol in which, given a matrix \(\mathbf {H}\) and a syndrome vector \(\mathbf {s}\), a prover proves knowledge of an error vector \(\mathbf {e}\) with \(w(\mathbf {e})= t\) and syndrome \(\mathbf {s}\). The protocol is presented in Algorithm 4. Here, h denotes a cryptographic hash function.

[Algorithm 4: Stern’s protocol; figure not reproduced in this extraction]

The security of Stern’s protocol is based on the hardness of the SD problem. The protocol has been proven to be complete, special sound and HVZK and, furthermore, has a cheating probability of 2/3 [24].
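As an added illustration of A.1 and A.3 together (this code is not from the paper and is not the authors' scheme), the following Python implements the three rounds of Stern's protocol over GF(2) and then applies the Fiat-Shamir transform as described in A.1: the challenge is derived as ch = f(com, M) and the signature is (com, resp). The 4 x 8 parity-check matrix, the weight-2 error vector and the 24-round repetition are constructed toy parameters, and SHA-256 and SHAKE-256 stand in for the paper's generic hash functions h and f.

```python
import hashlib, json, secrets

def matvec(H, x):  # syndrome H x^T over GF(2): one parity bit per row of H
    return [sum(a & b for a, b in zip(row, x)) & 1 for row in H]
def xor(a, b): return [u ^ v for u, v in zip(a, b)]
def permute(sigma, x): return [x[i] for i in sigma]
def h(*parts):  # commitment hash; JSON gives a canonical encoding of lists and ints
    return hashlib.sha256(json.dumps(parts).encode()).hexdigest()

def stern_commit(H, e):
    # Round 1: a random mask y and permutation sigma hide e; three commitments are sent.
    n = len(e)
    y = [secrets.randbelow(2) for _ in range(n)]
    sigma = list(range(n))
    secrets.SystemRandom().shuffle(sigma)
    com = [h(sigma, matvec(H, y)), h(permute(sigma, y)), h(permute(sigma, xor(y, e)))]
    return com, (y, sigma)

def stern_respond(state, e, b):
    # Round 3: open the two commitments selected by the challenge b in {0, 1, 2}.
    y, sigma = state
    if b == 0: return (y, sigma)
    if b == 1: return (xor(y, e), sigma)
    return (permute(sigma, y), permute(sigma, e))

def stern_verify(H, s, t, com, b, resp):
    c0, c1, c2 = com
    if b == 0:
        y, sigma = resp
        return c0 == h(sigma, matvec(H, y)) and c1 == h(permute(sigma, y))
    if b == 1:
        z, sigma = resp  # z = y xor e, so H z^T xor s equals H y^T
        return c0 == h(sigma, xor(matvec(H, z), s)) and c2 == h(permute(sigma, z))
    py, pe = resp  # sigma(y) and sigma(e); a permutation preserves the weight t
    return c1 == h(py) and c2 == h(xor(py, pe)) and sum(pe) == t

def fs_challenges(coms, M, rounds):
    # Fiat-Shamir: ch = f(com, M), read off as one ternary digit per round.
    x = int.from_bytes(hashlib.shake_256(json.dumps([coms, M]).encode()).digest(2 * rounds), "big")
    return [(x // 3 ** i) % 3 for i in range(rounds)]

def fs_sign(H, e, M, rounds=24):
    # The signature is (com, resp); the verifier recomputes ch from com and M itself.
    states = [stern_commit(H, e) for _ in range(rounds)]
    coms = [c for c, _ in states]
    return coms, [stern_respond(st, e, b) for (_, st), b in zip(states, fs_challenges(coms, M, rounds))]

def fs_verify(H, s, t, M, sig):
    coms, resps = sig
    return all(stern_verify(H, s, t, c, b, r) for c, b, r in zip(coms, fs_challenges(coms, M, len(coms)), resps))

# Constructed toy instance (far too small to be secure): a 4 x 8 parity-check matrix and t = 2.
H_DEMO = [[1, 0, 1, 1, 0, 1, 0, 0], [0, 1, 1, 0, 1, 0, 1, 0], [1, 1, 0, 0, 0, 1, 1, 1], [0, 0, 1, 1, 1, 1, 0, 1]]
E_DEMO, T_DEMO = [1, 0, 0, 0, 0, 0, 1, 0], 2
S_DEMO = matvec(H_DEMO, E_DEMO)  # public syndrome s = H e^T = [1, 1, 0, 0]
```

Repeating the protocol for 24 rounds brings the 2/3 cheating probability of a single round down to (2/3)^24; real parameters need many more rounds and a much larger code.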

B Auxiliary Results

B.1 Proof of Lemma 2

The probability that there exists a vector \(\mathbf {x}\) such that \(\mathbf {H}\mathbf {x}^T=\mathbf {s}^T\) is the probability that \(\mathbf {H}\) represents a surjective map, i.e., the probability that \(\mathbf {H}\) is a full rank matrix. Hence, we have to compute the probability of choosing \(k'\) linearly independent vectors of size n to form the rows of \(\mathbf {H}\). We have

Since \((2^n-1)\ge (2^n-2^{k'})\), \((2^n-2)\ge (2^n-2^{k'})\) and \((2^n-2^{k'-1})\ge (2^n-2^{k'})\), we have that

$$ \frac{(2^n-1)(2^n-2)(2^n-4)\dots (2^n-2^{k'})}{2^{k'n}}\ge \frac{\left( 2^n-2^{k'}\right) ^{k'+1}}{2^{k'n}}\ge \frac{\left( 2^n-2^{k'}\right) ^{k'}}{2^{k'n}}. $$

Now, note that

$$\frac{\left( 2^n-2^{k'}\right) ^{k'}}{2^{k'n}}=\frac{\left( 2^n(1-2^{k'-n})\right) ^{k'}}{2^{k'n}}=\left( 1-\frac{1}{2^{n-k'}}\right) ^{k'}.$$

So, it remains to show that

for \(k'\le n/2\). Note that the expression decreases with \(k'\) and so it is enough to show for \(k'=n/2\).

Expanding the expression on the left using the Binomial theorem we get

$$\left( 1-\frac{1}{2^{n/2}}\right) ^{n/2}=\displaystyle \sum ^{n/2}_{i=0}\left( {\begin{array}{c}n/2\\ i\end{array}}\right) \left( -\frac{1}{2^{n/2}}\right) ^i.$$

When \(i=0\) we have

$$\left( {\begin{array}{c}n/2\\ i\end{array}}\right) \left( -\frac{1}{2^{n/2}}\right) ^i=1.$$

The expression is maximal when \(i=n/4\). Hence, if we show that

when \(i=n/4\), then

In fact, using Stirling’s approximation for n! (which is tight), it can be proved that

$$\lim _{n\rightarrow \infty } n^b \left( {\begin{array}{c}n/2\\ n/4\end{array}}\right) \left( -\frac{1}{2^{n/2}}\right) ^{n/4}= 0$$

for any \(b\in \mathbb {N}\). Hence, we have shown that the expression \(\left( {\begin{array}{c}n/2\\ n/4\end{array}}\right) \left( -\frac{1}{2^{n/2}}\right) ^{n/4}\) goes to zero faster than any function of the form \(1/n^b\), for any \(b\in \mathbb {N}\). Thus, the expression is negligible in n and the result follows.   \(\square \)
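A numerical check of the argument in B.1, added here as an example and not part of the paper: it computes the exact probability that a random \(k'\times n\) binary matrix has full row rank (the product of the factors \((2^n-2^i)/2^n\) over the rows), compares it with the lower bound \(\left(1-1/2^{n-k'}\right)^{k'}\) reached above for every \(k'\le n/2\), and confirms the exact value against a Monte Carlo estimate using GF(2) elimination. The function names, the trial count and the seed are my own choices.

```python
from fractions import Fraction
import random

def full_rank_probability(n, k):
    # Exact probability that k random rows of length n over GF(2) are linearly independent:
    # row i must avoid the 2^i vectors in the span of the i rows chosen before it.
    p = Fraction(1)
    for i in range(k):
        p *= Fraction(2 ** n - 2 ** i, 2 ** n)
    return p

def lemma2_bound(n, k):
    # The lower bound (1 - 1/2^(n-k))^k that the proof of Lemma 2 arrives at.
    return (Fraction(1) - Fraction(1, 2 ** (n - k))) ** k

def gf2_rank(rows, n):
    # Gaussian elimination over GF(2); each row is an n-bit integer bitmask.
    rows, rank = list(rows), 0
    for bit in reversed(range(n)):
        pivot = next((r for r in rows if r >> bit & 1), None)
        if pivot is None:
            continue
        rows.remove(pivot)
        rows = [r ^ pivot if r >> bit & 1 else r for r in rows]
        rank += 1
    return rank

def estimate_full_rank(n, k, trials=2000, seed=1):
    # Monte Carlo estimate: fraction of random k x n matrices with full row rank.
    rng = random.Random(seed)
    hits = sum(gf2_rank([rng.getrandbits(n) for _ in range(k)], n) == k for _ in range(trials))
    return hits / trials

def bound_is_valid(n_max):
    # Checks exact >= bound for every n <= n_max and every k' <= n/2, as the proof requires.
    return all(full_rank_probability(n, k) >= lemma2_bound(n, k)
               for n in range(2, n_max + 1) for k in range(1, n // 2 + 1))
```

For \(n=64\), \(k'=32\) the bound already leaves a failure probability below \(32/2^{32}\), which is the "negligible in n" behaviour the proof establishes asymptotically.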


Copyright information

© 2019 Springer Nature Switzerland AG


Cite this paper

Branco, P., Mateus, P. (2019). A Traceable Ring Signature Scheme Based on Coding Theory. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science, vol. 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_21


  • DOI: https://doi.org/10.1007/978-3-030-25510-7_21


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25509-1

  • Online ISBN: 978-3-030-25510-7
