Abstract
Anonymity is an unavoidable and sensitive concern, especially in an age where people use digital devices and the Internet for almost everything in their work and daily life. To support anonymity, modern cryptography is one of the most suitable choices at the algorithm level. In particular, in scenarios such as e-voting, crypto-currency, and smart grid, a cryptographic primitive called the linkable ring signature has shown its ability to handle anonymity problems. However, signature schemes introduce additional costs to those e-commerce systems, so they should be as efficient as possible. On the other hand, a signature scheme that requires a public key infrastructure (PKI) brings much unnecessary inconvenience to its users, since users of the aforementioned systems are typically not familiar with cryptographic skills and the system establishers are trusted by them in some sense. As a result, an identity-based (ID-based) signature scheme with small size fulfills the visible requirements of e-commerce systems. In this paper, we propose an ID-based linkable ring signature scheme with logarithmic size from pairings and the elliptic curve discrete logarithm problem (ECDLP), and give all the security proofs in detail. Besides that, the scheme needs no trusted setup, except that the key generation center knows the secret key of each user, which is an inherent property of ID-based cryptography.
References
Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Constant-size ID-based linkable and revocable-iff-linked ring signature. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 364–378. Springer, Heidelberg (2006). https://doi.org/10.1007/11941378_26
Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theor. Comput. Sci. 469, 1–14 (2013)
Au, M.H., Liu, J.K., Yuen, T.H., Wong, D.S.: ID-based ring signature scheme secure in the standard model. In: Yoshiura, H., Sakurai, K., Rannenberg, K., Murayama, Y., Kawamura, S. (eds.) IWSEC 2006. LNCS, vol. 4266, pp. 1–16. Springer, Heidelberg (2006). https://doi.org/10.1007/11908739_1
Awasthi, A.K., Lal, S.: ID-based ring signature and proxy ring signature schemes from bilinear pairings. Int. J. Netw. Secur. 4(2), 187–192 (2007)
Backes, M., Döttling, N., Hanzlik, L., Kluczniak, K., Schneider, J.: Ring signatures: logarithmic-size, no setup—from standard assumptions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 281–311. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_10
Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_4
Beullens, W., Katsumata, S., Pintore, F.: Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices. In: Moriai, S., Wang, H. (eds.) ASIACRYPT 2020. LNCS, vol. 12492, pp. 464–492. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64834-3_16
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13
Chatterjee, R., et al.: Compact ring signatures from learning with errors. Cryptology ePrint Archive, Report 2021/942 (2021). https://ia.cr/2021/942
Hu, C., Liu, P.: An enhanced constant-size identity-based ring signature scheme. In: 2nd IEEE International Conference on Computer Science and Information Technology, pp. 587–590. IEEE (2009)
Chow, S.S.M., Wei, V.K., Liu, J.K., Yuen, T.H.: Ring signatures without random oracles. In: Symposium on Information, Computer and Communications Security, ASIACCS 2006, ACM, New York, NY, USA, pp. 297–302 (2006)
Chow, S.S.M., Yiu, S.-M., Hui, L.C.K.: Efficient identity based ring signature. In: Ioannidis, J., Keromytis, A., Yung, M. (eds.) ACNS 2005. LNCS, vol. 3531, pp. 499–512. Springer, Heidelberg (2005). https://doi.org/10.1007/11496137_34
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in Ad Hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
Haque, A., Krenn, S., Slamanig, D., Striecks, C.: Logarithmic-size (linkable) threshold ring signatures in the plain model. Cryptology ePrint Archive, Report 2020/683 (2020), https://ia.cr/2020/683
Libert, B., Peters, T., Qian, C.: Logarithmic-size ring signatures with tight security from the DDH assumption. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 288–308. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_15
Libert, B., Nguyen, K., Peters, T., Yung, M.: One-shot Fiat-Shamir-based NIZK arguments of composite residuosity in the standard model. Cryptology ePrint Archive, Report 2020/1334 (2020). https://ia.cr/2020/1334
Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Linkable ring signature with unconditional anonymity. IEEE Trans. Knowl. Data Eng. 26(1), 157–165 (2014)
Liu, J.K., Wong, D.S.: Linkable ring signatures: security models and new schemes. In: Gervasi, O., et al. (eds.) ICCSA 2005. LNCS, vol. 3481, pp. 614–623. Springer, Heidelberg (2005). https://doi.org/10.1007/11424826_65
Lyubashevsky, V., Nguyen, N.K., Seiler, G.: Smile: set membership from ideal lattices with applications to ring signatures and confidential transactions. Cryptology ePrint Archive, Report 2021/564 (2021). https://ia.cr/2021/564
Nguyen, L.: Accumulators from bilinear pairings and applications. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30574-3_19
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Saberhagen, N.V.: CryptoNote v2.0 (2013). https://cryptonote.org/whitepaper.pdf
Sasson, E.B., et al.: Zerocash: decentralized anonymous payments from Bitcoin. In: Symposium on Security and Privacy–SP 2014, pp. 459–474. IEEE (2014)
Zhang, F., Chen, X.: Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05. Inf. Process. Lett. 109(15), 846–849 (2009). https://doi.org/10.1016/j.ipl.2009.04.002
Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_33
Zhang, H., Zhang, F., Tian, H., Au, M.H.: Anonymous post-quantum cryptocash. In: Meiklejohn, S., Sako, K. (eds.) FC 2018. LNCS, vol. 10957, pp. 461–479. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-662-58387-6_25
Acknowledgements
This work is supported by Guangdong Major Project of Basic and Applied Basic Research (2019B030302008) and the National Natural Science Foundation of China (No. 61972429).
Appendix
A Proof of Theorem 1
Proof
It is easy to see that an honestly generated signature always passes the verification algorithm. We explicitly derive only the two equations whose correctness is not immediate. The first equation checks that the linking tag is generated honestly.
The second equation shows that the signer holds the corresponding signing key.
The correctness of the other equations can be verified easily. \(\square \)
B The Underlying Sigma-Protocol
As noted earlier, the current ID-based linkable ring signature scheme is the non-interactive version of a one-out-of-many Sigma-protocol, which we call \(\varSigma _2\). The only difference between them is that in the Sigma-protocol, the hash digest \(x \in \mathbb {Z}_p\) is chosen uniformly at random by the verifier rather than computed from some predetermined values. This framework is inspired by [15]. To build the aforementioned one-out-of-many Sigma-protocol, another Sigma-protocol (which we call \(\varSigma _1\) for short), for proving that a commitment opens to 1 or 0, is needed. As \(\varSigma _1\) is the same as the one in Sect. 2.3 of [15], we omit its description here. The only thing we need to know is that \(\varSigma _1\) is perfect 2-special sound and perfect special honest verifier zero-knowledge.
Given the public parameters pp, public keys \(Q_0, \dots , Q_{n-1}\), linking tag \(I = e (V_\ell , K )\), and the event description event which fixes \(K = \mathcal {H}_2 (event)\), the NP relation to be proved by the prover (signer) who holds \(V_\ell = v Q_\ell \) is
In simple terms, the prover should convince the verifier that 1) his/her knowledge of the NP witness involves an integer \(\ell \in [0, n)\) and a group element \(V_\ell \in \mathbb {G}\); 2) the discrete logarithm between \(V_\ell \) and the \(\ell \)th public key \(Q_\ell \) is equal to that between the master public key P and the group generator G; 3) the linking tag is uniquely determined by \(V_\ell \) under the same pp and event.
Theorem 6
\(\varSigma _2\) is \((m+1)\)-special sound.
Proof
Suppose the adversary creates \(m+1\) accepting responses
to \(m+1\) distinct challenges \(x^{(0)} , \dots , x^{(m)}\). Using any two of the challenge-response pairs, the 2-special soundness of \(\varSigma _1\) ensures that we are able to extract an opening \((\ell _j, r_j) \in \{0,1\} \times \mathbb {Z}_p\) to \(A_j\) such that for \(j \in [1,m]\), \(A_j = \ell _j H + r_j G\). Additionally, from the first equation in the verification, we have
Define \(a_j^{(\alpha )} = w_j^{(\alpha )} - x^{(\alpha )} \ell _j\). With overwhelming probability, \(a_j^{(\alpha )} = a_j^{(\alpha ^\prime )} {\mathop {=}\limits ^{\mathrm {def}}} a_j\) for all \(\alpha , \alpha ^\prime \in [0,m]\) (otherwise, we obtain at least one pair of distinct openings to \(B_j\)). Consequently, we have that \(w_j^{(\alpha )} = \ell _j x^{(\alpha )} + a_j\) for all \(\alpha \in [0,m]\) and \(j \in [1,m]\). For \(i \ne \ell \), we can see that \(\prod _{j=1}^m w^{(\alpha )}_{j, i_j}\) is a polynomial of degree \(m-1\) in the indeterminate x, and for \(i = \ell \), it is a polynomial of degree m. So, from the last equation in the verification procedure, we have
where the third line of the above equation could be viewed as a polynomial of degree m with indeterminate \(x^{(\alpha )}\), and \(D_k^\prime \) is the coefficient of the k-th degree term. Since \(x^{(0)}, \dots , x^{(m)}\) are all different, we can find \(\beta _0, \beta _1, \dots , \beta _m\) so that the following equation holds.
Define \(V_\ell ^\prime = \sum _{\alpha =0}^m \beta _\alpha Z^{(\alpha )}\). Notice that
So we conclude that \(V_\ell ^\prime = v Q_\ell \). On the other side, from the equation which is responsible for checking the validity of linking tag, we have
so that with the \(m+1\) accepting transcripts, we obtain
By left multiplying (3) with \((\beta _0, \beta _1, \dots , \beta _m)\), we observe that
The above facts show that \((\ell , V_\ell ^\prime )\) is a valid witness for the statement in \(\mathcal {R}\). \(\square \)
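The coefficient-extraction step used in the proof of Theorem 6, as an added example that is not part of the paper: it builds the polynomials \(\prod _{j} w_{j,i_j}\) for every ring index and shows that combining \(m+1\) evaluations with the weights \(\beta _\alpha \) leaves weight 1 on index \(\ell \) and 0 elsewhere. It assumes, following the one-out-of-many construction of [15], that \(w_{j,1} = w_j\) and \(w_{j,0} = x - w_j\) and that the \(\beta _\alpha \) select the degree-m coefficient; the modulus, blinders and challenges are constructed toy values.

```python
# Added illustration; toy parameters, not the paper's code.
P = 2**61 - 1  # constructed prime modulus standing in for the group order p

def poly_mul(f, g):
    out = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            out[i + j] = (out[i + j] + fi * gj) % P
    return out

def index_polys(ell, a):
    """Coefficients (low to high) of p_i(x) = prod_j w_{j,i_j}(x), i in [0, 2^m)."""
    m, polys = len(a), []
    for i in range(2 ** m):
        prod = [1]
        for j in range(m):
            lj, ij = (ell >> j) & 1, (i >> j) & 1
            # Assumed as in [15]: w_{j,1} = l_j x + a_j and w_{j,0} = x - w_{j,1}.
            w = [a[j] % P, lj] if ij else [-a[j] % P, 1 - lj]
            prod = poly_mul(prod, w)
        polys.append(prod)
    return polys

def extraction_weights(xs):
    """beta with sum_alpha beta_alpha * x_alpha^k = 1 if k == m else 0, k in [0, m].

    Closed form of the last row of the inverse Vandermonde matrix; pow() raises
    ValueError when two challenges coincide, which is why they must be distinct.
    """
    betas = []
    for al, xa in enumerate(xs):
        denom = 1
        for ga, xg in enumerate(xs):
            if ga != al:
                denom = denom * (xa - xg) % P
        betas.append(pow(denom, -1, P))
    return betas

def evaluate(poly, x):
    return sum(c * pow(x, k, P) for k, c in enumerate(poly)) % P

def combined_weights(ell, a, xs):
    """For each i, sum_alpha beta_alpha * p_i(x_alpha): the weight left on Q_i."""
    betas = extraction_weights(xs)
    return [sum(b * evaluate(p, x) for b, x in zip(betas, xs)) % P
            for p in index_polys(ell, a)]

if __name__ == "__main__":
    # m = 3, ring size 8, signer index 5, constructed blinders and challenges.
    print(combined_weights(5, [11, 22, 33], [2, 3, 5, 7]))
```

Because every lower-degree term is cancelled by the same weights, the combination of the responses collapses onto the single key \(Q_\ell \), which is what lets the extractor recover \(V_\ell ^\prime \).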
Theorem 7
\(\varSigma _2\) is special honest verifier zero-knowledge (SHVZK) if the commitment scheme is perfectly hiding.
Proof
On input a challenge \(x \in \mathbb {Z}_p\), the simulator first chooses \(w_j, y_j, z_j \leftarrow \mathbb {Z}_p\), for \(j \in [1,m]\). It is obvious that the distributions of these simulated responses are statistically close to those in a real proof. The simulator then picks \(\ell \leftarrow [0, n)\), \(r_j \leftarrow \mathbb {Z}_p\) and computes \(A_j = \ell _j H + r_j G\). Due to the properties of the commitment scheme, \((A_j)_{j=1}^\tau \) are statistically indistinguishable from those of a real proof.
Subsequently, for \(j \in [1, \tau ]\), let \(a_j = f_j - \ell _j x\), and compute \((p_{i,j})_{i \in [0,n), k \in [1, m) } \). For \(k \in [1, \tau )\), it picks \(\rho _k \leftarrow \mathbb {Z}_p\) and computes \(D_k = \sum _{i=0}^{n-1} p_{i,k} Q_i + \rho _k G\), \(E_k = e(P, \rho _k K)\). The distributions of \(D_k\) and \(E_k\) are statistically close to uniform distribution in G and they are pairwise dependent since they use the same randomness as in a real proof.
Since \((B_j)_{j=1}^m\), \((C_j)_{j=1}^m\), \(D_0\), \(E_0\) are uniquely determined by the corresponding verification equations and the above generated parameters, the simulator computes
By the foregoing discussion, the distribution of the output transcript
is totally indistinguishable from that of a real proof. As a result, \(\varSigma _2\) is SHVZK. \(\square \)
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Nassurdine, M., Zhang, H., Zhang, F. (2021). Identity Based Linkable Ring Signature with Logarithmic Size. In: Yu, Y., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2021. Lecture Notes in Computer Science, vol 13007. Springer, Cham. https://doi.org/10.1007/978-3-030-88323-2_3
DOI: https://doi.org/10.1007/978-3-030-88323-2_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88322-5
Online ISBN: 978-3-030-88323-2
eBook Packages: Computer Science (R0)