Keywords

1 Introduction

Conventional cryptocurrencies such as Bitcoin or Ethereum support the pseudonym level of anonymity, namely, the wallet addresses and the real identities are delinked while transactions are linked. For privacy coins, such as Monero or Zcash, one of the objectives in terms of anonymity is to keep both the payer and payee of a transaction anonymous and unlinkable.

For example, in CryptoNote [25], Linkable Ring Signature (LRS) [20] and Key Derivation Mechanism [25] (KeyDerM) are employed. When a payer, say Alice, wants to pay Bob (the payee) through a transaction, Alice uses KeyDerM to generate a derived public key from Bob’s master public key \({\mathsf {MPK}}\), and uses as Bob’s address in the transaction. As \({\mathsf {MPK}}\) never appears, transactions involving Bob as the receiver cannot be identified. KeyDerM is also referred to as the Stealth Address (SA) [27] mechanism. When Bob wants to spend his coins on the derived public key \(\mathsf {DPK}\), i.e. acting as the payer of a transaction \(\mathsf{TX}\), he generates a linkable ring signature \(\sigma \) on the transaction \(\mathsf{TX}\) (as the message) under a set (referred to as a ‘ring’) of derived public keys R such that \(\mathsf {DPK}\in R\). Anyone can verify \(\sigma \) without being able to find out the actual signer is corresponding to \(\mathsf {DPK}\). The linkability is used for detecting any double-spending attempt, namely if two signatures are generated by Bob corresponding to \(\mathsf {DPK}\), they will be detected as linked as the coin corresponding to \(\mathsf {DPK}\) is supposed to be used only once.

LRS and SA have attracted much attention recently in the community, for example, [5, 8, 9, 11, 21, 22, 26, 28], and in cryptocurrencies, for example, Monero [24], which uses LRS and CryptoNote’s KeyDerM as its underlying building blocks, and has a market capitalization valued at more than 1 billion USD [10]. However, as shown in Table 1, all the existing works [1,2,3, 14,15,16, 19, 20, 29,30,31] either only consider LRS or SA in the setting of standard signature schemes [11, 21] rather than both of these primitives. Even in CrypotNote [25] and Monero [24], LRS and SA are both considered, but still separately rather than being analyzed under a unified security model, despite that LRS and SA are used in a tightly-coupled fashion in both CryptoNote and Monero. In particular, the signing keys and public keys used in LRS are generated by the SA mechanism. It is not known whether the security and privacy properties still hold when keys used by LRS are generated by the SA mechanism, while the SA mechanism does not generate keys independently.

The linkability of LRS requires that if two signatures are generated under the same key pair, these signatures can be linked publicly. Another feature of LRS, referred to as non-slanderability, requires that an adversary cannot frame a user by creating a signature that is linked to a signature of the user. Anonymity requires that for a signature with respect to ring R, no one can identify the real signer’s public key out of R. When considering these security and privacy requirements of LRS, we investigate under the assumption that each key pair is generated independently. However, this is no longer the fact when LRS is used in CryptoNote or Monero as keys are generated using the SA mechanism. For SA, the master-public-key-unlinkability [21] property requires that given a derived public key and the corresponding (standard) signatures, an adversary cannot tell the master public key, from which the derived public key is generated, out of a set of known master public keys. Another requirement called derived-public-key-unlinkability [21] captures that given two derived public keys and corresponding (standard) signatures, an adversary cannot tell whether the two derived public keys are from the same master public key.

As Linkable Ring Signature and Stealth Address are used in practical scenarios, i.e., cryptocurrencies, another concern is whether the security and privacy models, under which they are analyzed, capture the scenarios well. In particular, in cryptocurrencies, an attacker may create some public keys maliciously and issue transactions using these public keys as payee’s addresses. As long as these malicious created keys are well-formed, they will get into the blockchain as the normal ones and a user may include these malicious created keys in their rings to sign their transactions. As a result, to be practical, the security and privacy models must consider the attacks in such a scenario, which referred to as adversarially-chosen-key attacks. However, as shown in Table 1, the existing linkability models either do not consider the adversarially-chosen-key attacks or consider them but do not capture the application scenarios of cryptocurrencies.

Table 1. Comparison with existing LRS and SA schemes
Full size table

1.1 Our Results

To address the above concerns, in this paper, we propose a new cryptographic primitive, named Linkable Ring Signature Scheme with Stealth Addresses (SALRS), which comprehensively and strictly captures the security and privacy requirements of hiding the payer and payee of a transaction in cryptocurrencies. Particularly, all the security models (namely strong unforgeability, signer-linkability, and signer-non-slanderability) and privacy models (namely signer-anonymity, master-public-key-unlinkability, and derived-public-key-unlinkability) are defined under SALRS, rather than under Linkable Ring Signature or Stealth Address separately. Also, all the models strictly capture the practical requirements of cryptocurrencies, especially the adversarially-chosen-key attacks.

We also propose a lattice-based SALRS construction and prove its security and privacy in the random oracle model. In other words, our construction provides strong confidence on security and privacy in twofolds: being proved under strong models which capture the practical scenarios of cryptocurrencies, and being potentially quantum-resistant. The efficiency analysis also shows that our lattice-based SALRS scheme is practical for real implementations. Table 1 shows a comparison between our results in this work and the existing works on Linkable Ring Signature and Stealth Address. It is worth noting that although lattice-based Linkable Ring Signature schemes [5, 22, 28, 32] have been proposed recently, to the best of our knowledge, no lattice-based Stealth Address scheme has been introduced so far. Also, although some lattice-based ring signature schemes [13, 18] can achieve logarithmic signature size in terms of the number of signers in the ring, these schemes are mainly of theoretical interest since they will produce much larger signatures for a normal ring size in real scenarios. In other words, our construction is the first practical and potentially quantum-resistant solution that hides the payers and payees of transactions in cryptocurrencies.

1.2 Outline

In Sect. 2 we propose and formalize the primitive Linkable Ring Signature Scheme with Stealth Addresses (SALRS), including the algorithm definitions and the security and privacy models. In Sect. 3 we propose a lattice-based SALRS construction, and prove its security and privacy in Sect. 4. The paper is concluded in Sect. 5.

2 Definitions of SALRS

In this section, we first define the SALRS system, which captures the cryptographic functionalities that a cryptocurrency needs to hide the payers and payees of the transactions. Then we formalize the security and privacy models that strictly capture the practical scenarios in cryptocurrencies.

2.1 Algorithm Definition

A Linkable Ring Signature Scheme with Stealth Addresses (SALRS) consists of the following algorithms:

  • \(\mathsf{Setup}( \lambda ) \rightarrow \mathsf{PP}\). This is a probabilistic algorithm. On input a security parameter \(\lambda \), the algorithm outputs system public parameters \(\mathsf{PP}\).

    The system public parameters PP are common parameters used by all participants in the system, for example, the message space \(\mathcal{M}\), the hash functions, etc. In the following, \(\lambda \) and \(\mathsf{PP}\) are implicit input parameters to every algorithm.

  • \(\mathsf{MasterKeyGen}() \rightarrow (\mathsf{MPK}, \mathsf{MSK})\). This is a probabilistic algorithm. The algorithm outputs a (master public key, master secret key) pair \((\mathsf{MPK}, \mathsf{MSK})\).

    Each user runs \(\mathsf{MasterKeyGen}\) algorithm to generate his (master public key, master secret key) pair.

  • \(\mathsf{DerivedPublicKeyGen}( \mathsf{MPK} ) \rightarrow \mathsf{DPK}\). This is a probabilistic algorithm. On input a master public key \(\mathsf{MPK}\), the algorithm outputs a derived public key \(\mathsf{DPK}\).

    Anyone can run this algorithm to generate a fresh derived public key from a master public key.

  • \(\mathsf{DerivedPublicKeyOwnerCheck}( \mathsf{DPK}, \mathsf{MPK}, \mathsf{MSK} ) \rightarrow 1/0\). This is a deterministic algorithm. On input a derived public key \(\mathsf{DPK}\) and a (master public key, master secret key) pair \((\mathsf{MPK}, \mathsf{MSK})\), the algorithm outputs a bit \(b \in \{0,1\}\), with \(b=1\) meaning that \(\mathsf{DPK}\) is a valid derived public key generated from MPK and \(b=0\) otherwise.

    The owner of a master public key can use this algorithm to check whether a public key is derived from his master public key. In a cryptocurrency, a payee can use this algorithm to check whether he is the intended receiver of a coin on the public key.

  • \(\mathsf{DerivedPublicKeyPublicCheck}( \mathsf{DPK} ) \rightarrow 1/0\). This is a deterministic algorithm. On input a derived public key \(\mathsf{DPK}\), the algorithm outputs a bit \(b \in \{0,1\}\), with \(b=1\) meaning that \(\mathsf{DPK}\) is a well-formed derived public key and \(b=0\) otherwise.

    Anyone can use this algorithm to check whether a derived public key is well-formed. In a cryptocurrency, a payer can use this algorithm to check whether the derived public keys owned by others are well-formed so that he can use them as ring numbers for his ring signature generation.

  • \(\mathsf{Sign}(M, R, \mathsf{DPK}, (\mathsf {MPK}, \mathsf {MSK}) ) \rightarrow \sigma \). On input a message M, a ring of well-formed derived public keys \(R=(\mathsf{DPK}_1, \dots , \mathsf{DPK}_r)\)Footnote 1, a derived public key \(\mathsf{DPK} \in R\), and the master key pair \((\mathsf {MPK}, \mathsf {MSK})\) for \(\mathsf{DPK}\), the algorithm outputs a signature \(\sigma \) on the message M with respect to the ring R.

    The derived public keys \(\mathsf{DPK}_1, \dots , \mathsf{DPK}_r\) may be generated from different master public keys.

  • \(\mathsf{Verify}(M, R, \sigma ) \rightarrow 1/0\). This is a deterministic algorithm. On input a message M, a ring of well-formed derived public keys R, and a purported signature \(\sigma \) on the message M with respect to the ring R, the algorithm outputs a bit \(b \in \{0,1\}\), with \(b=1\) meaning valid and \(b=0\) otherwise.

  • \(\mathsf{Link}(M_0, R_0, \sigma _0, M_1, R_1, \sigma _1) \rightarrow 1/0\). This is a deterministic algorithm. On input two valid signatures \((M_0, R_0, \sigma _0)\), \((M_1, R_1,\sigma _1)\), the algorithm outputs a bit \(b \in \{0,1\}\), with \(b=1\) meaning linked and \(b=0\) meaning unlinked.

Correctness. The scheme must satisfy the following correctness property: Let \(\mathsf{PP} \leftarrow \mathsf{Setup}( \lambda )\),

  • for any \((\mathsf{MPK}, \mathsf{MSK}) \leftarrow \mathsf{MasterKeyGen}()\), \(\mathsf{DPK} \leftarrow \mathsf{DerivedPublicKeyGen}\)\((\mathsf{MPK})\), it holds that \(\mathsf{DerivedPublicKeyOwnerCheck}(\mathsf{DPK}, \mathsf{MPK}, \mathsf{MSK}) = 1\) and

    \(\mathsf{DerivedPublicKeyPublicCheck}(\mathsf{DPK}) = 1\).

  • for any message \(M \in \mathcal{M}\), any ring of well-formed derived public keys R, and any \(\mathsf{DPK}_s \in R\) such that \(\mathsf{DerivedPublicKeyOwnerCheck}(\mathsf{DPK}_s, \mathsf{MPK},\) \(\mathsf{MSK}) = 1\) for some master key \((\mathsf{MPK}, \mathsf{MSK})\), it holds that \(\mathsf{Verify}(M, R, \mathsf{Sign}(M, R, \mathsf{DPK}_s,\) \(\mathsf{MPK}, \mathsf{MSK})) =1\).

  • for any messages \(M_0, M_1 \in \mathcal{M }\), any well-formed derived public key rings \(R_0, R_1\), and any \(\mathsf{DPK}_{s_0} \in R_0, \mathsf{DPK}_{s_1} \in R_1\) such that

    \(\mathsf{DerivedPublicKeyOwnerCheck}(\mathsf{DPK}_{s_i}, \mathsf{MPK}_i,\) \(\mathsf{MSK}_i) = 1\) for some master key \((\mathsf{MPK}_i,\) \(\mathsf{MSK}_i)\) (\(i=0,1\)), let \(\sigma _i \leftarrow \mathsf{Sign}(M_i, R_i, \mathsf{DPK}_{s_i},\) \(\mathsf{MPK}_i, \mathsf{MSK}_i)\) \((i=0,1)\). It holds that \(\mathsf{Link}( M_0, R_0, \sigma _0, M_1, R_1, \sigma _1) = 1\) if \(\mathsf{DPK}_{s_0} = \mathsf{DPK}_{s_1}\), and \(\Pr [\mathsf{Link}( M_0, R_0, \sigma _0, M_1, R_1, \sigma _1) = 0] \ge 1 - negl(\lambda ) \) if \(\mathsf{DPK}_{s_0} \ne \mathsf{DPK}_{s_1}\), where negl is a negligible function.

Remark: Note that it is open on whether the \(\mathsf{Sign}\) algorithm is probabilistic or deterministic, which may depend on the concrete constructions.

2.2 Security and Privacy Models of SALRS

Below we define the security and privacy for SALRS. The security includes unforgeability, signer-linkability, and signer-non-slanderability, while the privacy includes signer-anonymity, master-public-key-unlinkability and derived-public-key-unlinkability. Unforgeability captures that only the user knowing the secret key for some public key in a ring can generate a valid signature with respect to the ring. Signer-linkability captures that with respect to one derived public key, if the key owner generates two or multiple valid signatures, these signatures will be detected to be linked, and this captures the security requirement of preventing double-spending in cryptocurrencies. Signer-non-slanderability captures that no one can frame other users by creating a signature that is linked to a signature of the target user. Signer-anonymity captures that given a valid signature with respect to a ring of derived public keys, no one can identify the signer’s derived public key out of the ring. Master-public-key-unlinkability captures that given a derived public key and the corresponding signatures, no one can tell which master public key, out of a set of known master public keys, is the one from which it was derived. Derived-public-key-unlinkability captures that given two derived public keys and the corresponding signatures, no one can tell whether they are derived from the same master public key. Signer-anonymity captures the privacy-protection requirement in cryptocurrency of hiding the payer, while master-public-key-unlinkability and derived-public-key-unlinkability captures the privacy-protection requirements of hiding the payee and cutting the link between the payees of different transactions, respectively.

With these security and privacy models, SALRS captures the security and privacy-protection requirements of cryptocurrencies in the most practical setting. Especially, the rings are allowed to contain the derived public keys that an adversary generated from his own master public keys. This reflects the situations in practice that, an attacker may generate some derived public keys from his own master public keys, and issue transactions among these keys, attempting to launch some attacks, such as double-spending, or to compromise other users’ security and/or privacy. On the other side, we show that signer-linkability and signer-non-slanderability together implies unforgeability, and master-public-key-unlinkability implies derived-public-key-unlinkability. Thus, for a SALRS construction, we only needs to focus on its signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability.

Definition 1 (Strong Unforgeability)

A SALRS scheme is strongly unforgeable if for any probabilistic polynomial time (PPT) adversary \(\mathcal{A}\) and for any polynomial \(n(\cdot )\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{euf}\), denoted by \(Adv_\mathcal{A}^{euf}\), is negligible.

  1. 1.

    Setup. \(\mathsf{PP} \leftarrow \mathsf{Setup}( \lambda ; \omega )\) is run, where \(\omega \) is the randomness used in \(\mathsf{Setup}()\). \(\mathsf{PP}\) and \(\omega \) are given to \(\mathcal A\).

    \(\{ (\mathsf{MPK}_i, \mathsf{MSK}_i) \leftarrow \mathsf{MasterKeyGen}() \}_{i=1}^{n(\lambda )}\) are run and \(\{ \mathsf{MPK}_i \}_{i=1}^{n(\lambda )}\) are given to \(\mathcal A\).

    An empty set \(L_{dpk} = \emptyset \) is initialized, which will be used to store the valid derived public keys derived from the target master public keys. Note that \(L_{dpk}\) captures the scenarios that the valid derived public keys are stored on the blockchain and are publicly accessible.

    Note that giving to \(\mathcal{A}\) the randomness \(\omega \), which is used by the \(\mathsf{Setup}\) algorithm, implies the setup is public. This is to capture that the security does not rely on a trusted setup which may incur concerns on the existing of trapdoors.

  2. 2.

    Probing Phase. \(\mathcal A\) can adaptively query the following oracles:

    • Derived Public Key Adding Oracle \(\mathsf{ODPKAdd}(\cdot , \cdot )\):

      On input a derived public key \(\mathsf{DPK}\) and a master public key \(\mathsf{MPK}_i\), this oracle returns \(b \leftarrow \mathsf{DerivedPublicKeyOwnerCheck}( \mathsf{DPK}, \mathsf{MPK}_i,\) \(\mathsf{MSK}_i)\) to \(\mathcal A\). If \(b = 1\), set \(L_{dpk} = L_{dpk} \cup \{ \mathsf{DPK} \}\).

      This captures that \(\mathcal A\) can try and test whether the derived public keys generated by him are accepted by the owner of the corresponding master public key.

    • Signing Oracle \(\mathsf{OSign}(\cdot , \cdot , \cdot )\):

      On input a message \(M \in \mathcal{M}\), a ring of well-formed derived public keys R, and a derived public key \(\mathsf{DPK} \in R \cap L_{dpk}\), this oracle returns \(\sigma \leftarrow \mathsf{Sign}( M, R, \mathsf{DPK},\) \({\mathsf {MPK}_{i}}, {\mathsf {MSK}_{i}})\) to \(\mathcal A\), where \(({\mathsf {MPK}_{i}}, {\mathsf {MSK}_{i}})\) is the master key pair for \(\mathsf{DPK}\).

      Note that it only requires that the derived public key \(\mathsf{DPK}\) is in \(L_{dpk}\), i.e., the attacking targets for which the master secret keys are unknown to the adversary, without requiring \(R \subseteq L_{dpk}\). This captures that \(\mathcal A\) can obtain the signatures for messages, derived public key ring, and derived public key of its choice, where the ring may contain deprived public keys which are created by the adversary even from the master public keys which are also created by the adversary (referred to as adversarially-chosen-key attack ).

  3. 3.

    Output Phase. \(\mathcal A\) outputs a message \(M^* \in \mathcal{M}\), a ring of well-formed derived public keys \(R^*\), and a signature \(\sigma ^*\).

Let \(S_{so} = \{(M, R, \mathsf{DPK}, \sigma ) \}\) be the query-answer tuples for \(\mathsf{OSign(\cdot , \cdot , \cdot )}\). \(\mathcal{A}\) succeeds if (1) \(\mathsf{Verify}(M^*,\) \(R^*, \sigma ^*) = 1\), and (2) \(R^* \subseteq L_{dpk}\), and (3) \((M^*, R^*, ?, \sigma ^*) \notin S_{so}\), where ‘?’ means wildcard, i.e. \((M^*, R^*, \sigma ^*)\) is not a (message, derived public key ring, signature) tuple obtained by querying \(\mathsf{OSign}(\cdot , \cdot , \cdot )\). The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{euf} = \Pr [ \mathcal{A} ~succeeds ] \).

Remark: In the above model, as the adversarially-chosen-key attacks are considered, i.e., the adversary is allowed to specify the derived public key ring to contain well-formed derived public keys generated from the master public keys created by himself, it is not necessary to provide an oracle of corrupting the master secret keys in \(\{ \mathsf MSK \}_{i=1}^{n(\lambda )}\). The situations for the following models are similar.

Definition 2 (Signer-linkability)

A SALRS scheme is signer-linkable if for any PPT adversary \(\mathcal{A}\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{snlink}\), denoted by \({Adv}_\mathcal{A}^{snlink}\), is negligible.

  1. 1.

    Setup. \(\mathsf{PP} \leftarrow \mathsf{Setup}( \lambda ; \omega )\) is run, where \(\omega \) is the randomness used in \(\mathsf{Setup}()\). \(\mathsf{PP}\) and \(\omega \) are given to \(\mathcal A\).

  2. 2.

    Output Phase. \(\mathcal A\) outputs \(k(\ge 2)\) (message, ring of well-formed derived public keys, signature) tuples \((M_i^*, R_i^*, \sigma _i^*)\) \((i=1, \dots , k)\).

\(\mathcal{A}\) succeeds if (1) \(\mathsf{Verify}(M_i^*, R_i^*, \sigma _i^*) = 1\) \((i=1, 2, \dots , k)\),

and (2) \(\mathsf{Link}(M_i^*, R_i^*, \sigma _i^*, M_j^*, R_j^*, \sigma _j^*) = 0~\forall i, j \in [1, k]~s.t.~ i \ne j\), and (3) \(| \cup _{i=1}^k R^*_i | < k\). The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{snlink} = \Pr [ \mathcal{A} ~succeeds ] \).

Remark: Note that the adversary’s target is to attack the linkability property of the system, rather than attacking other users, thus we do not need to consider the target master public keys or derived public keys. Also, as the adversary is allowed to create the master public keys and derived public keys of its choice, we do not need to consider the signing oracles, corruption oracles, etc.

Definition 3 (Signer-non-slanderability)

A SALRS scheme is signer-non-slanderable if for any PPT adversary \(\mathcal{A}\) and for any polynomial \(n(\cdot )\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{snnsl}\), denoted by \({Adv}_\mathcal{A}^{snnsl}\), is negligible.

  1. 1.

    Setup. Same as that of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  2. 2.

    Probing Phase. Same as that of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  3. 3.

    Output Phase. \(\mathcal A\) outputs two (message, ring of well-formed derived public keys, signature) tuples \((\hat{M}, \hat{R}, \hat{\sigma })\) and \((M^*, R^*, \sigma ^*)\).

Let \(S_{so} = \{(M, R, \mathsf{DPK}, \sigma ) \}\) be the query-answer tuples for \(\mathsf{OSign(\cdot , \cdot , \cdot )}\). \(\mathcal{A}\) succeeds if (1) \(\mathsf{Verify}(M^*,\) \(R^*, \sigma ^*) = 1\), and (2) \((\hat{M}, \hat{R}, \hat{\mathsf{DPK}}, \hat{\sigma }) \in S_{so}\) for some \(\hat{\mathsf{DPK}} \in \hat{R} \cap L_{dpk}\), and (3) \((M^*, R^*, \hat{\mathsf{DPK}}, \sigma ^* ) \notin S_{so}\), and (4) \(\mathsf{Link}(M^*, R^*, \sigma *, \hat{M}, \hat{R},\) \(\hat{\sigma }) = 1\). The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{snnsl} = \Pr [\mathcal{A} ~succeeds ]\).

Definition 4 (Signer-Anonymity)

A SALRS scheme is signer-anonymous if for any PPT adversary \(\mathcal{A}\) and for any polynomial \(n(\cdot )\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{snano}\), denoted by \({Adv}_\mathcal{A}^{snano}\), is negligible.

  1. 1.

    Setup. Same as that of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  2. 2.

    Probing Phase 1. Same as the Probing Phase of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  3. 3.

    Challenge Phase. \(\mathcal{A}\) outputs a message \(M^*\), a ring of well-formed derived public keys \(R^*\), and two distinct indices \(1 \le i_0, i_1 \le n(\lambda )\), such that

    (1) \(\mathsf{DPK}_{i_0}, \mathsf{DPK}_{i_1} \in R^* \cap L_{dpk}\), and

    (2) none of \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}_{i_0})\), \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}_{i_1})\) was queried. A random bit \(b \in \{0,1\}\) is chosen, and \(\mathcal{A}\) is given the signature \(\sigma \leftarrow \mathsf{Sign}(M^*, R^*,\) \(\mathsf{DPK}_{i_b}, \mathsf{MPK}, \mathsf{MSK})\), where \((\mathsf{MPK}, \mathsf{MSK})\) is the master key pair for \(\mathsf{DPK}_{i_b}\).

  4. 4.

    Probing Phase 2. Same as the Probing Phase 1, but with the restriction that none of \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}_{i_0})\), \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}_{i_1})\) is queried.

  5. 5.

    Output Phase. \(\mathcal{A}\) outputs a bit \(b'\) as its guess to b.

The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{snano} = | \Pr [b'=b]- \frac{1}{2} |\).

Definition 5 (Master-Public-Key-Unlinkability)

A SALRS scheme is Master Public-Key-Unlinkable if for any PPT adversary \(\mathcal{A}\) and for any polynomial \(n(\cdot )\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{mpkunl}\), denoted by \({Adv}_\mathcal{A}^{mpkunl}\), is negligible.

  1. 1.

    Setup. Same as that of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  2. 2.

    Probing Phase 1. Same as the Probing Phase of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  3. 3.

    Challenge. \(\mathcal{A}\) outputs two distinct indices \(1 \le i_0, i_1 \le n(\lambda )\). A random bit \(b \in \{0,1\}\) is chosen, and \(\mathsf{DPK}^* \leftarrow \mathsf{DerivedPublicKeyGen}( \mathsf{MPK}_{i_b})\) is given to \(\mathcal{A}\). Set \(L_{dpk} = L_{dpk} \cup \{\mathsf{DPK}^* \}\).

  4. 4.

    Probing Phase 2. Same as Phase 1, except that \(\mathsf{ODPKAdd}(\mathsf{DPK}^*, \mathsf{MPK}_{i_j})\) (for \(j \in \{0, 1\}\)) cannot be queried.

  5. 5.

    Guess. \(\mathcal{A}\) outputs a bit \(b' \in \{0,1\}\) as its guess to b.

The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{mpkunl} = | \Pr [b'=b]- \frac{1}{2} |\).

Remark: Note that \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}^*)\) can be queried. This captures that neither the derived public key or the signatures leak the corresponding master public key.

Definition 6 (Derived-Public-Key-Unlinkability)

A SALRS scheme is Derived Public-Key-Unlinkable if for any PPT adversary \(\mathcal{A}\) and for any polynomial \(n(\cdot )\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{dpkunl}\), denoted by \({Adv}_\mathcal{A}^{dpkunl}\), is negligible.

  1. 1.

    Setup. Same as that of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  2. 2.

    Probing Phase 1. Same as the Probing Phase of \(\mathsf{Game}_\mathsf{euf}\) in Def. 1.

  3. 3.

    Challenge. \(\mathcal{A}\) outputs two distinct indices \(1 \le i_0, i_1 \le n(\lambda )\).

    A random bit \(c \in \{0,1\}\) is chosen.

    Compute \(\mathsf{DPK}^*_0 \leftarrow \mathsf{DerivedPublicKeyGen}( \mathsf{MPK}_{i_c})\).

    A random bit \(b \in \{0,1\}\) is chosen.

    If \(b=0\), compute \(\mathsf{DPK}^*_1 \leftarrow \mathsf{DerivedPublicKeyGen}( \mathsf{MPK}_{i_c})\),

    otherwise, compute \(\mathsf{DPK}^*_1 \leftarrow \mathsf{DerivedPublicKeyGen}( \mathsf{MPK}_{i_{1-c}})\).

    \((\mathsf{DPK}^*_0, \mathsf{DPK}^*_1)\) are given to \(\mathcal{A}\). Set \(L_{dpk} = L_{dpk} \cup \{\mathsf{DPK}^*_0, \mathsf{DPK}^*_1\}\).

  4. 4.

    Probing Phase 2. Same as Probing Phase 1, except that \(\mathsf{ODPKAdd}(\mathsf{DPK}^*_j,\) \(\mathsf{MPK}_{i_k})\) (for \(j,k \in \{0, 1\}\)) can be queried on at most one \(j \in \{0,1\}\).

  5. 5.

    Guess. \(\mathcal{A}\) outputs a bit \(b' \in \{0,1\}\) as its guess to b, i.e., guess whether \(\mathsf{DPK}^*_0\) and \(\mathsf{DPK}^*_1\) are from the same master public key.

The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{dpkunl} = | \Pr [b'=b]- \frac{1}{2} |\).

Remark: Note that \(\mathsf{OSign}(\cdot , \cdot , \mathsf{DPK}^*_j)\) (for \(j=0,1\)) can be queried, and this captures that neither the derived public keys or the corresponding signatures leak whether they are from the same master public key.

As the above models captures the security and privacy requirements that the practice imposes on SALRS, the following two theorems show that for a SALRS scheme, we only need to consider its signer-linkability, signer-non-slanderability, signer-anonymity, and master-public-key-unlinkability.

Theorem 1

If a SALRS scheme is signer-linkable and siner-non-slanderable, then it is strongly unforgeable.

Proof

The proof resembles that for a similar conclusion in the setting of Traceable Ring Signature in [16]. We give the proof in Appendix A.

Theorem 2

If a SALRS scheme is master-public-key-unlinkable, then it is derived-public-key-unlinkable.

Proof

Observe \(\mathsf{Game}_\mathsf{mpkunl}\) and \(\mathsf{Game}_\mathsf{dpkunl}\), it is easy to see that, if there exists an adversary \(\mathcal{A}\) that wins \(\mathsf{Game}_\mathsf{dpknul}\) with non-negligible advantage, we can construct an algorithm \(\mathcal{B}\) that interacts with \(\mathcal{A}\) for game \(\mathsf{Game}_\mathsf{dpknul}\), and makes use of \(\mathcal{A}\)’s output to win \(\mathsf{Game}_\mathsf{mpkunl}\) with non-negligible advantage. We defer the proof details to the full version.

3 Our Construction

In this section, we first present some preliminaries in Sect. 3.1, including the concept of key-privacy in Key-Encapsulation Mechanism (KEM), which we will use as a building block for our SALRS construction, and some background of lattice. Then we propose a lattice-based SALRS construction in Sect. 3.2 and give the concrete parameters and building blocks in Sect. 3.3.

3.1 Preliminaries

3.1.1 Key-Privacy in KEM

Our construction will use KEM as a building block, but requires the underlying KEM to have an additional property, referred to as key-privacy, which asks that an adversary in possession of a ciphertext not be able to tell which specific public key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. It is worth mentioning that Bellare et al. [6] considered a similar concept on the setting of Public Key Encryption (PKE). Below we extend the usual KEM and formalize the concept of KEM with key-privacy.

Syntax. To capture the practice better, we augment the usual formalization of KEM to cover the cases that users may share some fixed “global" information.

A key-encapsulation mechanism (KEM) scheme is a tuple of probabilistic polynomial-time algorithms \((\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encaps}, \mathsf{Decaps})\) such that:

  • \(\mathsf{Setup}( \lambda ) \rightarrow \mathsf{GP}\). On input a security parameter \(\lambda \), the algorithm outputs system global parameters \(\mathsf{GP}\).

    The system global parameters GP are common parameters used by all participants in the system, which may be just the security parameter \(\lambda \), or include some additional information, for example, the key space, the ciphertext space, the hash functions, etc. As we will consider the key-privacy, here we require that \(\mathsf{GP}\) include the key space \(\mathcal{K}\) and ciphertext space \(\mathcal{C}\).

  • \(\mathsf{KeyGen}(\mathsf{GP}) \rightarrow (\mathsf{PK}, \mathsf{SK})\). This is a probabilistic algorithm. On input \(\mathsf{GP}\), the algorithm outputs a (public key, secret key) pair \((\mathsf{PK}, \mathsf{SK})\).

  • \(\mathsf{Encaps}(\mathsf{GP}, \mathsf{PK}) \rightarrow (C, \kappa )\). This is a probabilistic algorithm. On input \(\mathsf{GP}\) and a public key \(\mathsf{PK}\), the algorithm outputs a ciphertext \(C \in \mathcal{C}\) and a key \(\kappa \in \mathcal{K}\).

  • \(\mathsf{Decaps}(\mathsf{GP}, C, \mathsf{PK}, \mathsf{SK}) \rightarrow \kappa / \bot \). This is a deterministic algorithm. On input \(\mathsf{GP}\), a ciphertext \(C \in \mathcal{C}\), and a (public key, secret key) pair \((\mathsf{PK}, \mathsf{SK})\), the algorithm outputs a key \(\kappa \in \mathcal{K}\) or a special symbol \(\bot \) to indicate rejection.

Correctness. It is required that with all but negligible probability over \(\mathsf{GP} \leftarrow \mathsf{Setup}(1^{\lambda })\), \((\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{KeyGen}(\mathsf{GP})\), and the random coins of \(\mathsf{Encaps}\), if \(\mathsf{Encaps}(\mathsf{GP},\) \(\mathsf{PK})\) outputs \((C, \kappa )\), then \(\mathsf{Decaps}(\mathsf{GP}, C,\) \(\mathsf{PK}, \mathsf{SK})\) outputs \({\kappa }\).

Security and Key-Privacy. Below we formalize the security and key-privacy models.

Definition 7 (CCA-Security of KEM)

A KEM scheme is CCA-secure if for any PPT adversary \(\mathcal{A}\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{ccasec}\), denoted by \({Adv}_\mathcal{A}^{ccasec}\), is negligible.

  1. 1.

    Setup. \(\mathsf{GP} \leftarrow \mathsf{Setup}( \lambda ; \omega )\) is run, where \(\omega \) is the randomness used in \(\mathsf{Setup}()\). \(\mathsf{GP}\) and \(\omega \) are given to \(\mathcal A\). \((\mathsf{PK}, \mathsf{SK}) \leftarrow \mathsf{KeyGen}(\mathsf{GP})\) is run and \(\mathsf{PK} \) is given to \(\mathcal A\).

    Note that giving to \(\mathcal{A}\) the randomness \(\omega \), which is used by the \(\mathsf{Setup}\) algorithm, implies the setup is public. This is to capture that the security does not rely on a trusted setup which may incur the concerns on the existing of trapdoors.

  2. 2.

    Challenge Phase. \((C^*, \kappa ) \leftarrow \mathsf{Encaps}(\mathsf{GP}, \mathsf{PK})\) is run. A random bit b is chosen. If \(b=0\), set \(\kappa ^* := \kappa \), otherwise choose a uniformly random \(\kappa ^* \overset{R}{\leftarrow } \mathcal{K}\). \(\mathcal{A}\) is given \((C^*, \kappa ^*)\).

  3. 3.

    Probing Phase. \(\mathcal A\) can adaptively query an oracle \(\mathsf{ODecaps}(\cdot )\), which takes a ciphertext \(C \in \mathcal{C}\) and returns \(\kappa \leftarrow \mathsf{Decaps}( \mathsf{GP}, C, \mathsf{PK}, \mathsf{SK})\) to \(\mathcal A\), with the restriction that \(\mathcal{A}\) cannot query \(\mathsf{ODecaps}(\cdot )\) on the challenge \(C^*\).

  4. 4.

    Output Phase. \(\mathcal{A}\) outputs a bit \(b'\).

The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{ccasec} = | \Pr [b'=b]- \frac{1}{2} |\).

Definition 8 (CCA-Key-Indistinguishability of KEM)

A KEM scheme is CCA-key-indistinguishable if for any PPT adversary \(\mathcal{A}\), the advantage of \(\mathcal{A}\) in the following game \(\mathsf{Game}_\mathsf{ccaki}\), denoted by \({Adv}_\mathcal{A}^{ccaki}\), is negligible.

  1. 1.

    Setup. Same as that of \(\mathsf{Game}_\mathsf{ccasec}\).

  2. 2.

    Challenge Phase. \((C, \kappa ^*) \leftarrow \mathsf{Encaps}(\mathsf{GP}, \mathsf{PK})\) is run. A random bit b is chosen. If \(b=0\), set \(C^* := C\), otherwise choose a uniformly random \(C^* \overset{R}{\leftarrow } \mathcal{C}\). \(\mathcal{A}\) is given \((C^*, \kappa ^*)\).

  3. 3.

    Probing Phase. Same as that of \(\mathsf{Game}_\mathsf{ccasec}\).

  4. 4.

    Output Phase. \(\mathcal{A}\) outputs a bit \(b'\).

The advantage of \(\mathcal{A}\) is \({Adv}_\mathcal{A}^{ccaki} = | \Pr [b'=b]- \frac{1}{2} |\).

3.1.2 Lattice Background

Rings, Norms and Invertible Ring Elements. Let q be an even (resp. odd) positive integer, and denote by \(\mathbb {Z}_q\) the integers modulo q, which will be represented in the range \(( - \frac{q}{2}, \frac{q}{2}]\) (resp. \([ - \frac{q-1}{2}, \frac{q-1}{2}]\)). Let n be an positive integer, and let \(R\) and \(R_q\) be the rings \(\mathbb {Z}[X]/(X^n +1)\) and \(\mathbb {Z}_q[X]/(X^n+1)\), respectively. For \(w = a_0 + a_1X + \ldots + a_{n-1}X^{n-1} \in R\), define the \(l_{\infty }, l_1\) and \(l_2\) norms of w as follows:

$$\begin{aligned} \Vert w\Vert _\infty = \max _i | a_i |, ~~~~~~\Vert w\Vert _1 = \sum _i | a_i |,~~~~~~ \Vert w\Vert _2 = \sqrt{|a_0|^2 + \ldots + |a_{n-1}|^2}. \end{aligned}$$

Similarly, for \(\mathbf {w} = (w_1, \ldots , w_k) \in R^k\), define:

$$\begin{aligned} \Vert \mathbf {w}\Vert _\infty = \max _i \Vert w_i\Vert _\infty , ~~~~~ \Vert \mathbf {w}\Vert _1 = \sum _i \Vert w_i \Vert _1, ~~~~~ \Vert \mathbf {w}\Vert _2 = \sqrt{\Vert w_1\Vert _2^2 + \ldots + \Vert w_{k}\Vert _2^2}. \end{aligned}$$

Let \(S_\eta \) denote the set of all elements \(w \in R\) such that \(\Vert w\Vert _\infty \le \eta \). As shown in [23], for prime \(q>2^{20}\) such that \(q = 17 \bmod 32\), and for \(\eta < \frac{1}{\sqrt{8}} \cdot q^{1/8}\), all non-zero elements of \(S_\eta \) are invertible in \(R_q\).

Let \(\mathbf {B}_{\theta }\) denote the set of all elements in \(R_q\) such that have \(\theta \) coefficients that are either \(-1\) or 1 and the rest are 0. Again, for prime \(q>2^{20}\) such that \(q = 17 \bmod 32\), all elements of \(\mathbf {B}_{\theta }\) are invertible and the difference of any two distinct elements from \(\mathbf {B}_{\theta }\) is also invertible in \(R_q\).

(Inhomogeneous) Module-SIS. The Inhomogeneous Module-SIS problem with parameters \((n, q, k, \ell , \beta )\) consists in finding \(\mathbf {x} \in R^{k+\ell }\) such that \(\Vert \mathbf {x}\Vert _2 \le \beta \) and \([\mathbf {A} \mid \mathbf {I}] \cdot \mathbf {x} = \mathbf {t}\), for uniformly random \(\mathbf {A} \in R_q^{k \times \ell }\), \(\mathbf {t} \in R_q^k\) and \(k \times k\) identity matrix \(\mathbf {I}\). The problem can be adapted straightforwardly into its infinity-norm version, where \(\mathbf {x}\) must satisfy \(\Vert \mathbf {x}\Vert _\infty \le \beta \). The homogeneous version is defined with \(\mathbf {t} = \mathbf {0}\) and \(\mathbf {x} \ne \mathbf {0}\).

Module-LWE. The Module-LWE problem with parameters \((n,q,k, \ell , \eta )\) is as follows. Let \(\mathbf {A} \in R_q^{k \times \ell }\) be a uniformly random matrix. Let \(\mathbf {b} = \mathbf {A} \mathbf {s} + \mathbf {e} \in R_q^k\), where \(\mathbf {s} \in S_\eta ^\ell \), \(\mathbf {e} \in S_\eta ^k\) have entries chosen according to some distribution over \(S_\eta \) (e.g., the uniform distribution or a Gaussian distribution). The search variant of Module-LWE asks to recover \(\mathbf {s}\) given \((\mathbf {A}, \mathbf {b})\). The decision variant (decision-Module-LWE) asks to distinguish \((\mathbf {A}, \mathbf {b})\) from a uniformly random pair over \(R_q^{k \times \ell } \times R_q^k\). In this paper, similar to [5], we use a transformed version of the decision-Module-LWE problem, which is to distinguish \((\mathbf A, As)\) from \((\mathbf A, r)\) where \(\mathbf{A} \leftarrow R_q^{k \times l}\), \(\mathbf{s} \leftarrow S_\eta ^l\) and \(\mathbf{r} \leftarrow R_q^k\).

As shown in [17], the Module-SIS and Module-LWE problems enjoy worst-case to average-case reductions from hard problems in module lattices. Concrete parameters of these problems that provide high post-quantum security against the best known attacks are given in Dilithium [12] and Kyber [7].

3.2 Construction

  • \(\mathsf{Setup}( 1^{\lambda } ) \rightarrow \mathsf{PP}\). On input a security parameter \(\lambda \), the algorithm sets the parameters nqklm\(\eta , \gamma , \theta \) as specified in Sect. 3.3 below. Let \(\varPi _{kem}\) be a lattice-based KEM scheme which is CCA-secure and CCA-key indistinguishable, and let \(\mathcal{C}_{kem}\) and \(\mathcal{K}_{kem}\) denote \(\varPi _{kem}\)’s ciphertext space and key space, respectively. Let \(H_\mathsf{A}: \{0,1\}^* \mapsto R_q^{k \times l}\), \(\mathsf{ExpandV}: \mathcal{K}_{kem} \mapsto S_\eta ^l\), \(H_{\theta }: \{0,1\}^* \mapsto \mathbf {B}_{\theta }\), and \(H_m:R_q^k \mapsto R_q^{m \times l}\) be functions that will be viewed as random oracles in the analyses. The algorithm does:

    1. 1.

      Choose a random string \(cstr \in \{0,1\}^*\), and set \(\mathbf {A}:= H_\mathsf{A}(cstr)\).

    2. 2.

      Run \(\mathsf{GP}_{kem} \leftarrow \varPi _{kem}.\mathsf{Setup}(1^{\lambda }; \omega )\), where \(\omega \) is the randomness used in \( \varPi _{kem}.\mathsf{Setup}()\).

    3. 3.

      Output the public parameters

      $$\begin{aligned} \mathsf{PP} = \big ( n, q, k, l, m, \eta , \gamma , \theta , ( H_\mathsf{A}, cstr, \mathbf {A}), (\varPi _{kem}, \omega , \mathsf{GP}_{kem}), ~~\\ {\mathsf {ExpandV}}, H_{\theta } , H_m \big ). \end{aligned}$$

    Note that including \((H_\mathsf{A}, cstr)\) and \(\omega \) in \(\mathsf{PP}\) is to ensure that no one knows any trapdoor for matrix \(\mathbf {A}\) and \( \mathsf{GP}_{kem}\) respectively.

    In the following, \(\mathsf{PP}\) are implicit input parameters to every algorithm.

  • \(\mathsf{MasterKeyGen}() \rightarrow ({\mathsf {MPK}}, {\mathsf {MSK}})\). On input the implicit inputs, namely, the public parameters \(\mathsf{PP}\), the algorithm does:

    1. 1.

      Run \((\mathsf{PK}_{kem}, \mathsf{SK}_{kem}) \leftarrow \varPi _{kem}.\mathsf{KeyGen}(\mathsf{GP}_{kem})\).

    2. 2.

      Choose a uniformly random \({{\mathbf {s}}} \overset{R}{\leftarrow } S_{\eta }^l\), and set \({\mathbf {t}} \leftarrow \mathbf {A}{\mathbf {s}}\).

    3. 3.

      Output master public key \({\mathsf {MPK}}\) and master secret key \({\mathsf {MSK}}\)

  • \(\mathsf{DerivedPublicKeyGen}( {\mathsf {MPK}} ) \rightarrow {\mathsf {DPK}}\). On input a master public key \({\mathsf {MPK}} = \big ( \mathsf{PK}_{kem}, {\mathbf {t}} \big )\), the algorithm does:

    1. 1.

      Run \((C, \kappa ) \leftarrow \varPi _{kem}.\mathsf{Encaps}(\mathsf{PK}_{kem})\).

    2. 2.

      Set \({\mathbf {s}}' := \mathsf {ExpandV}(\kappa ) \in S_{\eta }^l\), \({\mathbf {t}}' \leftarrow \mathbf {A}{\mathbf {s}}'\), and set \(\hat{{\mathbf {t}}} \leftarrow {\mathbf {t}} + {\mathbf {t}}'\).

    3. 3.

      Output a derived public key \( {\mathsf {DPK}} := (C, \hat{{\mathbf {t}}}). \)

  • \(\mathsf{DerivedPublicKeyOwnerCheck}( {\mathsf {DPK}}, {\mathsf {MPK}}, {\mathsf {MSK}} ) \rightarrow 1/0\). On input a derived public key \({\mathsf {DPK}}\) and a (master public key, master secret key) pair \(({\mathsf {MPK}}, {\mathsf {MSK}})\) with \({\mathsf {MPK}} = (\mathsf{PK}_{kem}, {\mathbf {t}} )\), and \({\mathsf {MSK}} = (\mathsf{SK}_{kem}, {\mathbf {s}})\), the algorithm does:

    1. 1.

      Check whether \({\mathsf {DPK}} \in \mathcal{C}_{kem} \times R_q^{k}\) holds. If it does not hold, return 0, otherwise, parse \({\mathsf {DPK}}\) to \({\mathsf {DPK}}:=(C, \hat{{\mathbf {t}}}) \in C_{kem} \times R_q^k\).

    2. 2.

      Run \(\kappa \leftarrow \varPi _{kem}.\mathsf{Decaps}(C, \mathsf{PK}_{kem}, \mathsf{SK}_{kem})\).

    3. 3.

      Set \({\mathbf {s}}' := \mathsf {ExpandV}(\kappa )\) and \({\mathbf {t}}' \leftarrow \mathbf {A}{\mathbf {s}}'\).

    4. 4.

      If \(\hat{{\mathbf {t}}} \overset{?}{=} {\mathbf {t}} + {\mathbf {t}}'\) holds, return 1, otherwise return 0.

  • \(\mathsf{DerivedPublicKeyPublicCheck}( {\mathsf {DPK}}) \rightarrow 1/0\). On input a derived public key \({\mathsf {DPK}}\), the algorithm checks whether \({\mathsf {DPK}} \in \mathcal{C}_{kem} \times R_q^{k}\) holds. If it holds, return 1, otherwise return 0.

  • \(\mathsf{Sign}( M, R, {\mathsf {DPK}}, ({\mathsf {MPK}}, {\mathsf {MSK}})) \rightarrow \sigma \). On input a message M, a ring of well-formed derived public keys \(R = ({\mathsf {DPK}}_1, \dots , {\mathsf {DPK}}_r)\), a derived public key \({\mathsf {DPK}} \in R\), and the master key pair \(({\mathsf {MPK}}, {\mathsf {MSK}})\) for \({\mathsf {DPK}}\) where \({\mathsf {MPK}} = (\mathsf{PK}_{kem}, {\mathbf {t}} )\) and \({\mathsf {MSK}} = (\mathsf{SK}_{kem}, {\mathbf {s}})\), the algorithm does:

    1. 1.

      For \(i=1\) to r, parse \({\mathsf {DPK}}_i := (C_i, \hat{{\mathbf {t}}}_i) \in \mathcal{C}_{kem} \times R_q^k\) and set \(\mathbf {H}_i := H_m(\hat{{\mathbf {t}}}_i)\).

    2. 2.

      Let \(\bar{i}\) be the index of \({\mathsf {DPK}}\) in R, i.e. \({\mathsf {DPK}}={\mathsf {DPK}}_{\bar{i}} = (\mathcal{C}_{\bar{i}}, \hat{{\mathbf {t}}}_{\bar{i}} )\).

      Run \(\kappa \leftarrow \varPi _{kem}.\mathsf{Decaps}(C_{\bar{i}}, \mathsf{PK}_{kem},\) \(\mathsf{SK}_{kem})\). Set \({\mathbf {s}}'_{\bar{i}} := \mathsf {ExpandV}(\kappa )\) and \(\hat{{\mathbf {s}}}_{\bar{i}} \leftarrow {\mathbf {s}} + {\mathbf {s}}'_{\bar{i}}\). Note that it holds that \(\hat{{\mathbf {t}}}_{\bar{i}} = \mathbf {A}\hat{{\mathbf {s}}}_{\bar{i}}\).

    3. 3.

      Set \(\mathbf {I}\leftarrow \mathbf {H}_{\bar{i}} \hat{{\mathbf {s}}}_{\bar{i}}\).

    4. 4.

      Choose a uniformly random \({\mathbf {y}} \overset{R}{\leftarrow } S_{\gamma }^l\).

    5. 5.

      Set \(\mathbf {w}_{\bar{i}} \leftarrow \mathbf {A}\mathbf {y}\), \(\mathbf {v}_{\bar{i}} \leftarrow \mathbf {H}_{\bar{i}} \mathbf {y}\).

    6. 6.

      For \(i=\bar{i}+1, \dots , r, 1, \dots , \bar{i}-1\), do

      1. (a)

        Set \(c_i \leftarrow H_{\theta }(M, R, \mathbf {w}_{i-1}, \mathbf {v}_{i-1}, \mathbf {I})\).Footnote 2

      2. (b)

        Choose a uniformly random \({\mathbf {z}}_i \leftarrow S_{\gamma - 2 \theta \eta }^l\).

      3. (c)

        Set \(\mathbf {w}_i \leftarrow \mathbf {A}\mathbf {z}_i - c_i \hat{{\mathbf {t}}}_i\), \(\mathbf {v}_i \leftarrow \mathbf {H}_i \mathbf {z}_i - c_i \mathbf {I}\).

    7. 7.

      Set \(c_{\bar{i}} \leftarrow H_{\theta }(M, R, \mathbf {w}_{\bar{i}-1}, \mathbf {v}_{\bar{i}-1}, \mathbf {I})\).

    8. 8.

      Set \(\mathbf {z}_{\bar{i}} \leftarrow \mathbf {y}+ c_{\bar{i}} \hat{{\mathbf {s}}}_{\bar{i}}\).

    9. 9.

      If \(\mathbf {z}_{\bar{i}} \in S_{\gamma - 2\theta \eta }^l\), output \(\sigma := (c_1, \{\mathbf {z}_i\}_{i=1}^r, \mathbf {I}) \in \mathbf {B}_{\theta } \times (S_{\gamma -2\eta \theta }^l)^r \times R_q^m\), otherwise go to Step 4.

  • \(\mathsf{Verify}(M, R, \sigma ) \rightarrow 1/0\). On input a message M, a ring of well-formed derived public keys \(R = ({\mathsf {DPK}}_1, \dots , {\mathsf {DPK}}_r)\), and a signature \(\sigma = (c_1, \{\mathbf {z}_i\}_{i=1}^r, \mathbf {I})\), the algorithm does:

    1. 1.

      If \((c_1 \notin \mathbf {B}_{\theta }) \vee (\exists i \in \{1, \dots , r\} ~s.t.~ \mathbf {z}_i \notin S_{\gamma - 2\theta \eta }^l)\), then return 0.

    2. 2.

      For \(i=1, 2, \dots , r\), do

      1. (a)

        Parse \({\mathsf {DPK}}_i\) to \({\mathsf {DPK}}_i := (C_i, \hat{{\mathbf {t}}}_i) \in \mathcal{C}_{kem} \times R_q^k\) and set \(\mathbf {H}_i := H_m(\hat{{\mathbf {t}}}_i)\).

      2. (b)

        Set \(\mathbf {w}_i \leftarrow \mathbf {A}\mathbf {z}_i - c_i \hat{{\mathbf {t}}}_i, \mathbf {v}_i \leftarrow \mathbf {H}_i \mathbf {z}_i - c_i \mathbf {I}\).

      3. (c)

        Set \(c_{i+1} \leftarrow H_{\theta }(M, R, \mathbf {w}_{i}, \mathbf {v}_{i}, \mathbf {I})\).

    3. 3.

      If \(c_{r+1} \overset{?}{=} c_1\) holds, return 1, otherwise return 0.

  • \(\mathsf{Link}(M_0, R_0, \sigma _0, M_1, R_1, \sigma _1) \rightarrow 1/0\). On input two valid (message, derived public key ring, signature) tuples \((M_0, R_0, \sigma _0)\), \((M_1, R_1,\sigma _1)\) where \(\sigma _0 = (c^{(0)}_1, \{\mathbf {z}^{(0)}_i\}_{i=1}^{r_0}, \mathbf {I}^{(0)})\), \(\sigma _1 = (c^{(1)}_1, \{\mathbf {z}^{(1)}_i\}_{i=1}^{r_1}, \mathbf {I}^{(1)})\), if \(\mathbf {I}^{(0)} \overset{?}{=} \mathbf {I}^{(1)}\) holds, the algorithm returns 1, otherwise returns 0.

3.3 Correctness and Concrete Parameters

This section analyzes the correctness of the proposed lattice-based SALRS scheme, specifies the parameters achieving 128 bits of security and evaluates the efficiency of the scheme.

Correctness. We first note that, the validity and well-formedness of a derived public key \(\mathsf {DPK}\), as verified by algorithms DerivedPublicKeyOwnerCheck and DerivedPublicKeyPublicCheck respectively, follows directly from the construction of \(\mathsf {DPK}\), the correctness of the underlying KEM scheme \(\varPi _{kem}\) and the fact that \(\hat{\mathbf {t}} = \mathbf {t} + \mathbf {A}\mathbf {s}' = \mathbf {t} + \mathbf {t}' \in R_q^k\). Next, for an honestly generated signature \(\sigma = (c_1, \{\mathbf {z}_i\}_{i=1}^r, \mathbf {I})\), it holds that \(c_1 \in \mathbf {B}_{\theta }\) and \(\mathbf {z}_i \in S_{\gamma - 2\theta \eta }^l\) for all \(i \in \{1, \dots , r\}\). Furthermore, by construction, the value \(c_{r+1}\) computed at Step 2 of algorithm Verify satisfies \(c_{r+1} = c_1\). Therefore, \(\sigma \) is accepted by Verify.

We next analyze the correctness of algorithm Link. Let \(\sigma _0 = (c^{(0)}_1, \{\mathbf {z}^{(0)}_i\}_{i=1}^{r_0}, \mathbf {I}^{(0)})\) and \(\sigma _1 = (c^{(1)}_1, \{\mathbf {z}^{(1)}_i\}_{i=1}^{r_1}, \mathbf {I}^{(1)})\) be generated by \(\mathsf{Sign}( M_0,\)\( R_0, \mathsf {DPK}_0, (\mathsf {MPK}_0, \mathsf {MSK}_0))\) and \(\mathsf{Sign}( M_1, R_1, \mathsf {DPK}_1, (\mathsf {MPK}_1, \mathsf {MSK}_1))\), respectively. For \(i=0,1\), let \(\mathsf {DPK}_i = (C_i, \hat{\mathbf {t}}_i)\) and note that \(\mathbf {I}^{(i)} = H_m(\hat{\mathbf {t}}_i)\hat{\mathbf {s}}_i\), where \(\hat{\mathbf {s}}_i = \mathbf {s}_i + \mathbf {s}'_i\) and \(\mathbf {s}_i, \mathbf {s}'_i\) are generated as specified by the scheme. Note that, if \(\mathsf {DPK}_0 = \mathsf {DPK}_1\), then we have \(\hat{\mathbf {s}}_0 = \hat{\mathbf {s}}_1\) and thus, \(\mathbf {I}^{(0)} = \mathbf {I}^{(1)}\). In this case, algorithm \(\mathsf {Link}\) outputs 1.

In the case \(\mathsf {DPK}_0 \ne \mathsf {DPK}_1\), we will demonstrate that, with overwhelming probability, algorithm \(\mathsf {Link}\) outputs 0. Indeed, if \(\hat{\mathbf {t}}_0 \ne \hat{\mathbf {t}}_1\), then \(H_m(\hat{\mathbf {t}}_0), H_m(\hat{\mathbf {t}}_1)\) are uniformly random and distinct, \(\hat{\mathbf {s}}_0\) and \(\hat{\mathbf {s}}_1\) are also distinct. Hence, the probability that \(\mathbf {I}^{(0)} = H_m(\hat{\mathbf {t}}_0)\hat{\mathbf {s}}_0 = H_m(\hat{\mathbf {t}}_1)\hat{\mathbf {s}}_1 = \mathbf {I}^{(1)}\) is negligible (this is true if small elements of \(R_q\) are invertible). Now, suppose that \(\hat{\mathbf {t}}_0 = \hat{\mathbf {t}}_1\) and \(C_0 \ne C_1\). Then, unless one accidentally finds a collision where \(\hat{\mathbf {s}}_0 \ne \hat{\mathbf {s}}_1\) and \(\mathbf {A}\hat{\mathbf {s}}_0 = \mathbf {A}\hat{\mathbf {s}}_1\) (which happens only with negligible probability), we must have \(\hat{\mathbf {s}}_0 = \hat{\mathbf {s}}_1\). The latter may occur in two scenarios:

  • \(\mathbf {s}_0 \ne \mathbf {s}_1\) and \(\mathbf {s}'_0 \ne \mathbf {s}'_1\), but \(\mathbf {s}_0 + \mathbf {s}'_0 = \mathbf {s}_1 + \mathbf {s}'_1\). Due to the randomness of the generations of \(\mathbf {s}_0, \mathbf {s}_1, \mathbf {s}'_0, \mathbf {s}'_1\), this scenario only happens with negligible probability.

  • \(\mathbf {s}_0 = \mathbf {s}_1\) and \(\mathbf {s}'_0 = \mathbf {s}'_1\). Note that, if \(\mathbf {s}_0, \mathbf {s}_1\) are obtained by two different executions of algorithm MasterKeyGen, then \(\mathbf {s}_0 = \mathbf {s}_1\) only happens with negligible probability. Furthermore, two different executions of algorithm DerivePublicKeyGen with \(C_0 \ne C_1\) should produce distinct \(\mathsf {s}'_0, \mathbf {s}'_1\) with overwhelming probability.

The above analysis shows that the given SALRS scheme is correct with overwhelming probability.

Lattice-Based Instantiation of the KEM Scheme \(\varPi _{kem}\) . We employ Kyber [7] to instantiate \(\varPi _{kem}\), by setting \(\mathsf{GP}_{kem}\) contains only the parameters \((n, k, q, \eta , d_u, d_v, d_t)\) and the hash function. Note that, the ciphertext in the CPA version of Kyber is pseudorandom based on the Decision Module-LWE (D-MLWE) assumption, and it hides not only the plaintext but also the public key. The CCA version of Kyber thus can be easily shown to satisfy not only CCA-security but also CCA-key-indistinguishability. For concreteness, we will use the Kyber variant Kyber768, which features public key size 1184 bytes and ciphertext size 1088 bytes.

Signing Trials. At Step 9 of the signing algorithm, if \(\mathbf {z}_{\bar{i}} = \mathbf {y}+ c_{\bar{i}} \hat{\mathbf {s}}_{\bar{i}} \not \in S_{\gamma - 2\theta \eta }^l\), then the signer has to go back to Step 4. Let us compute the probability of such restarting for uniformly random \({\mathbf {y}} \overset{R}{\leftarrow } S_{\gamma }^l\), \(c_{\bar{i}} \in \mathbf {B}_\theta \) and \(\hat{\mathbf {s}}_{\bar{i}} = \mathbf {s}+ \mathbf {s}'_{\bar{i}} \in S_{2\eta }^l\). First, we have \(\mathbf {x}: = c_{\bar{i}} \hat{\mathbf {s}}_{\bar{i}} \in S_{2\theta \eta }^l\). For each entry \(y_j \overset{R}{\leftarrow } [-\gamma , \gamma ]\) of \(\mathbf {y}\), and each entry \(x_j \in [-2\theta \eta , 2\theta \eta ]\) of \(\mathbf {x}\), the probability that \(y_j + x_j\) falls into the “safe zone” \([-(\gamma - 2\theta \eta ), \gamma - 2\theta \eta ]\) is exactly the ratio between the cardinalities of the range \([-(\gamma - 2\theta \eta ), \gamma - 2\theta \eta ]\) and the range \([-\gamma , \gamma ]\). Therefore, we have:

$$\begin{aligned} \mathrm {Pr}\big [\mathbf {z}_{\bar{i}} \in S_{\gamma - 2\theta \eta }^l\big ] = \frac{|S_{\gamma -2\theta \eta }^l|}{|S_{\gamma }^l|} = \big (1 - \frac{2\theta \eta }{\gamma + 1/2}\big ) \approx e^{-2nl\theta \eta /\gamma }, \end{aligned}$$

where we use the fact that parameter \(\gamma \) is set to be large compared to 1 / 2. As a result, the probability of restarting is approximately close to \(1 - e^{-2nl\theta \eta /\gamma }\). In particular, if we set parameters \(n, l, \theta , \eta , \gamma \) so that \(2nl\theta \eta /\gamma < \log _e(3)\) (see below), then, on average, the signer has to run Step 4-Step 9 of the signing algorithm less than 3 times.

Concrete Parameters and Efficiency. To set parameters that yield a scheme with at least 128 bits of security, we rely on the parameters and analyses of Dilithium [12], Kyber [7, 23] and [4]. In particular, modulus q is set so that every element of \(R_q\) with infinity norm less than \(\frac{1}{\sqrt{8}}\cdot 2^{35/8}\) is invertible, and parameters \(n, l, \theta , \eta , \gamma \) are set so that the number of signing trials is less than 3 on average. Similar to [12], we can use SHAKE-256 to implement the functions \(H_\mathsf{A}, {\mathsf {ExpandV}},\) and \(H_m\), and use the SampleInBall algorithm in [12, Fig. 2] to implement \(H_{\theta }\). Table 2 shows the concrete parameters and efficiency of the proposed lattice-based SALRS.

Table 2. Concrete parameters and efficiency of the proposed lattice-based SALRS.
Full size table

4 Proofs of Security and Privacy

Theorem 3

The SALRS scheme is signer-linkable in the random oracle model.

Proof

We prove that the SALRS scheme is signer-linkable under the Module-SIS (MSIS) assumption. Due to space limitation, we defer the proof details to the full version.

Theorem 4

The SALRS scheme is signer-anonymous in the random oracle model.

Proof

We prove that the SALRS scheme has signer-anonymity under the Decision Module-LWE (D-MLWE) assumption. Due to space limitation, we defer the proof details to the full version.

Theorem 5

The SALRS scheme is signer-non-slanderable in the random oracle model.

Proof

We prove that the SALRS scheme is signer-non-slanderable under the Module-SIS (MSIS) and Decision Module-LWE (D-MLWE) assumptions. Due to space limitation, we defer the proof details to the full version.

Theorem 6

The SALRS scheme is master-public-key-unlinkable in the random oracle model.

Proof

Suppose the underlying KEM scheme is CCA secure and CCA Key Indistinguishable, we prove that the SALRS scheme is master-public-key-unlinkable under the Decision Module-LWE (D-MLWE) assumption. Due to space limitation, we defer the proof details to the full version.

5 Conclusion

In this paper, we proposed a new cryptographic primitive, referred to as Linkable Ring Signature Scheme with Stealth Addresses (SALRS), which comprehensively and strictly captures the security and privacy requirements of hiding the payer and payee of the transactions in cryptocurrencies. We also proposed a lattice-based SALRS construction and proved its security and privacy in the random oracle model. As a result, our construction provides strong confidence on security and privacy in twofolds, being proved under strong models which capture the practical scenarios of cryptocurrencies, and being potentially quantum-resistant. The efficiency analysis also shows that our lattice-based SALRS scheme is practical for real implementations.