Adding Linkability to Ring Signatures with One-Time Signatures

Abstract

We propose a generic construction that adds linkability to any ring signature scheme with one-time signature scheme. Our construction has both theoretical and practical interest. In theory, the construction gives a formal and cleaner description for constructing linkable ring signature from ring signature directly. In practice, the transformation incurs a tiny overhead in size and running time. By instantiating our construction using the ring signature scheme [13] and the one-time signature scheme [12], we obtain a lattice-based linkable ring signature scheme whose signature size is logarithmic in the number of ring members. This scheme is practical, especially the signature size is very short: for \(2^{30}\) ring members and 100 bit security, our signature size is only 4 MB.

In addition, when proving the likability we develop a new proof technique in the random oracle model, which might be of independent interest.

A Comment on [19]

Lu et al. [19] adopted the definitions of anonymity, linkability and nonslanderability from [17]. Then, they gave a theorem which shows that the unforgeability is implied by linkability and nonslanderability. First review the definition of linkability and the theorem as follows:

The linkability in [19] is defined in terms of the following game between a challenger \(\mathcal {CH}\) and an adversary \(\mathcal {A}\):

1. 1.

   Setup. \(\mathcal {CH}\) runs \(pp\leftarrow \textsf {Setup}(1^{\lambda })\) and sends pp to \(\mathcal {A}\).

2. 2.

   Query. \(\mathcal {A}\) is given access to \(\mathcal {O}_{\text {join}}, \mathcal {O}_{\text {corrupt}}, \mathcal {O}_{\text {sign}}\) and may query the oracles in an adaptive manner.

3. 3.

   Output. \(\mathcal {A}\) outputs two pairs \(\{T_1, m_1, \sigma _1\}\) and \(\{T_2, m_2, \sigma _2\}\).

\(\mathcal {A}\) wins the game if

• all public keys in \(T_1\) and \(T_2\) are query outputs of \(\mathcal {O}_{\text {join}}\);

• \(\textsf {Vrfy}(T_1, m_1, \sigma _1)=\textsf {Vrfy}(T_2, m_2, \sigma _2)=accept\);

• \(\mathcal {A}\) queried \(\mathcal {O}_{\text {corrupt}}\) less than two times; and

• Link\((m_1, \sigma _1, m_2, \sigma _2)=unlinked\).

The advantage of \(\mathcal {A}\), denoted as \(\textsf {Adv}_{\mathcal {A}}^{ link }\), is defined by the probability that \(\mathcal {A}\) wins in the above game.

Definition 7

([19], Definition 11). A LRS scheme is linkable if for any polynomial-time adversary \(\mathcal {A}\), \( \textsf {Adv} _{\mathcal {A}}^{ link }\) is negligible in \(\lambda \).

Theorem 4

([19], Theorem 2). If a LRS scheme is linkable and nonslanderable, it is also unforgeable.

Issue 1. Theorem 4 does not hold for the definition of linkability in [19]. The content of theorem 4 was introduced in [2] which towards the security definitions in [2]. However, the definition of linkability in [19] is different from the definition in [2]. In [19], the adversary \(\mathcal {A}\) against unforgeability is allowed to make polynomially many \(\mathcal {O}_{\text {corrupt}}\) queries in the unforgeability game, whereas the adversary \(\mathcal {B}\) against linkability is restricted to make at most one \(\mathcal {O}_{\text {corrupt}}\) query in the linkability game. This means \(\mathcal {B}\) cannot simulate \(\mathcal {O}_{\text {corrupt}}\) for \(\mathcal {A}\) and thus \(\mathcal {B}\) cannot run \(\mathcal {A}\) to break the linkability.

Issue 2. There is a gap in the proof of linkability. They reduced the linkability of the LRS to the collision resistance of CH+ as follows: First, they embedded the collision resistance challenge \(hk_c\) into one of the public keys \(pk_I\) by computing \(pk_I=hk_c\oplus H(ovk_I)\). Second, the adversary \(\mathcal {A}\) outputs two signatures and they concluded that at least one of the signatures should be generated from the secret key that \(\mathcal {A}\) does not obtain because \(\mathcal {A}\) is allowed to make at most one \(\mathcal {O}_{\text {corrupt}}\) query. The signature is denoted as \((m^{*}, \sigma ^{*}, T^{*})\), where \(\sigma ^{*}=(\{(m_i^{*},r_i^{*})\}_{i\in [N]}, \tilde{\sigma }^{*},ovk^{*})\). Finally, they assumed \(pk_I\in T^{*}\) and used \((m^{*}, \sigma ^{*}, T^{*})\) to find a collision of \(hk_c\) according to the General Forking Lemma.

However, the collision resistance challenge may not be embedded into the output signatures of \(\mathcal {A}\). This means that \(hk_c\) is not used to generate the signature \((m^{*}, \sigma ^{*}, T^{*})\) although \(pk_I\in T^{*}\). The reason is that \(ovk^{*}\) may not equal to \(ovk_{\mathcal {I}}\) and thus \(hk_c\ne hk_i=pk_i\oplus H(ovk^{*})\) for every \(i\in [N]\). According to the signing algorithm of the LRS in [19], we can conclude that \(hk_c\) is independent of \(\sigma ^{*}\) if \(ovk^{*}\ne ovk_I\). Thus, the collision resistance of CH+ cannot be broken although \(\mathcal {A}\) has broken the linkability of the LRS.