Identity Based Linkable Ring Signature with Logarithmic Size

Abstract

Anonymity is an inevitable and sensitive matter of concern, especially in the age where people are willing to use digital devices and Internet to deal with almost all things in their work and daily life. To support anonymity, modern cryptography is one of the most suitable choices in the algorithm level. Particularly, in the scenarios, such as e-voting, crypto-currency, and smart grid etc., a cryptographic primitive, called linkable ring signature, has shown its ability to handle anonymity problems. However, signature schemes will introduce additional costs to those e-commerce systems, so that they should be as efficient as possible. On the other side, a signature scheme that requires the public key infrastructure (PKI) brings much unnecessary inconvenience to its users, since typically, users of the aforementioned systems are not familiar with cryptographic skills and the system establishers are trusted by them in some sense. As a result, an identity-based (ID-based) signature scheme with small size fulfills the visible requirements of e-commerce systems. In this paper, we proposed an ID-based linkable ring signature scheme with logarithmic size from pairing and elliptic curve discrete logarithm problem (ECDLP), and gave all the security proofs in detail. Besides that, the scheme needs no trusted setup, except that the key generation center knows the secret key of each user and it is a property of ID-based cryptography in nature.

Appendices

Appendix

A Proof of Theorem 1

Proof

It is easy to see that an honestly generated signature can always pass the verification algorithm. We only explicitly deduce the two equations whose correctness are not shown directly. The first equation is responsible for checking that the linking tag is generated honestly.

$$\begin{aligned} x^m I - \sum _{k=0}^{m-1} x^k E_{k}= & {} x^n \cdot e(V_\ell , K) - e (P, \sum _{k=0}^{n-1} x^k \rho _k K) \\= & {} e(x^n V_\ell , K) - e (\sum _{k=0}^{n-1} x^k \rho _k P, K) \\= & {} e (x^n V_\ell - \sum _{k=0}^{n-1} x^k \rho _k P, K) \\= & {} e (Z, K) . \end{aligned}$$

The second equation is to show that the signer hold the corresponding signing key.

$$\begin{aligned}&e \left( \sum _{i=0}^{n-1} (\prod _{j=1}^m w_{j,i_j} ) Q_i + \sum _{k=0}^{m-1} (-x^k)D_k , P \right) \\= & {} e \left( \sum _{i=0}^{n-1} (\delta _{i\ell } x^m + \sum _{k=1}^{m-1} p_{i,k} x^k ) Q_i - \sum _{k=0}^{m-1} ((\sum _{i=0}^{n-1} p_{i,k} Q_i ) + \rho _k G) x^k , P \right) \\= & {} e \left( \sum _{i=0}^{n-1} \delta _{i\ell } x^m Q_i - \sum _{k=0}^{m-1} \rho _k x^k G, P \right) \\= & {} e \left( x^m Q_\ell - \sum _{k=0}^{m-1} \rho _k x^k G, vG \right) \\= & {} e \left( x^m V_\ell - \sum _{k=0}^{m-1} \rho _k x^k P, G \right) \\= & {} e \left( Z, G \right) \end{aligned}$$

The correctness of the other equations could be verified easily.    \(\square \)

B The Underlying Sigma-Protocol

We have noticed before that the current ID-based linkable ring signature scheme is the non-interactive version of a one-out-of many Sigma-protocol which we call it \(\varSigma _2\). The only difference between them is that in the Sigma-protocol, the hash digest \(x \in \mathbb {Z}_p\) is chosen uniformly at random by the verifier rather than computed from some predetermined values. Such a framework is inspired by [15], and actually, to build the aforementioned one-out-of-many Sigma-Protocol, another Sigma-Protocol (which we call it \(\varSigma _1\) for short) for proving that a commitment is opened to 1 or 0 is needed. As \(\varSigma _1\) is the same to the one in Sect. 2.3 in [15], we omit its description here. The only thing we need to know is that \(\sigma _1\) is perfect 2-special sound and perfect special honest verifier zero-knowledge.

Given the public parameters pp, public keys \(Q_0, \dots , Q_{n-1}\), linking tag \(I = e (V_\ell , K )\), and the event description event which fixes \(K = \mathcal {H}_2 (event)\), the NP relation to be proved by the prover (signer) who hold \(V_\ell = v Q_\ell \) is

In simple terms, the prover should convince the verifier that 1) his/her knowledge to the NP witness involves an integer \(\ell \in [0, n)\) and a group element \(V_\ell \in \mathbb {G}\); 2) the discrete logarithm between \(V_\ell \) and the \(\ell \)th public key \(Q_\ell \) is equal to that between the master public key P and the group generator G; 3) The linking tag is uniquely determined by \(V_\ell \) under the same pp and event.

Theorem 6

\(\varSigma _2\) is of \((m+1)\)-special soundness.

Proof

Suppose the adversary creates \(m+1\) accepting responses

$$ \{ w_{1}^{(\alpha )}, \dots , w_{m}^{(\alpha )}, y_{1}^{(\alpha )}, \dots , y_{m}^{(\alpha )}, z_{1}^{(\alpha )}, \dots , ,z_{m}^{(\alpha )} , Z^{(\alpha )}\}_{\alpha \in [0 , m] } $$

to \(m+1\) distinct challenges \(x^{(0)} , \dots , x^{(m)}\). Using any two of the challenge-response pairs, the 2-special soundness of \(\varSigma _1\) ensures that we are able to extract an opening \((\ell _j, r_j) \in \{0,1\} \times \mathbb {Z}_p\) to \(A_j\) such that for \(j \in [1,m]\), \(A_j = \ell _j H + r_j G\). Additionally, from the first equation in the verification, we have

$$ \begin{array}{rcl} x^{(\alpha )} A_j + B_j &{} = &{} w_j^{(\alpha )} H + y_j^{(\alpha )} G \\ &{} \Downarrow &{} \\ B_j &{} = &{} w_j^{(\alpha )} H + y_j^{(\alpha )} G - x^{(\alpha )} A_j \\ &{} \Downarrow &{} \\ B_j &{} = &{} w_j^{(\alpha )} H + y_j^{(\alpha )} G - x^{(\alpha )} (\ell _j H + r_j G ) \\ &{} \Downarrow &{} \\ B_j &{} = &{} (w_j^{(\alpha )} - x^{(\alpha )} \ell _j ) H + (y_j^{(\alpha )} - x^{(\alpha )} r_j ) G . \end{array} $$

Define \(a_j^{(\alpha )} = w_j^{(\alpha )} - x^{(\alpha )} \ell _j\), and it is with overwhelming probability that \(a_j^{(\alpha )} = a_j^{(\alpha ^\prime )} {\mathop {=}\limits ^{\mathrm {def}}} a_j\) for all \(\alpha , \alpha ^\prime \in [0,m]\) (otherwise, we obtain at least one pair of distinct openings to \(B_j\)). Consequently, we have that \(w_j^{(\alpha )} = \ell _j x^{(\alpha )} + a_j\) for all \(\alpha \in [0,m]\) and \(j \in [1,m]\). For \(i \ne \ell \), we can see that \(\prod _{j=1}^m w^{(\alpha )}_{j, i_j}\) is a degree \(m-1\) polynomial in determinate x and for \(i = \ell \), it is a polynomial of degree m. So, from the last equation in the verification procedure, we have

$$\begin{aligned}&e \left( \sum _{i=0}^{n-1} (\prod _{j=1}^m w_{j,i_j}^{(\alpha )} ) Q_i + \sum _{k=0}^{m-1} (-(x^{(\alpha )})^k)D_k , P \right) \\= & {} e \left( (x^{(\alpha )})^m Q_\ell + \sum _{i=0}^{n-1} \sum _{k=0}^{m-1} p_{i,k} (x^{(\alpha )})^k Q_i - \sum _{k=0}^{m-1} (x^{(\alpha )})^kD_k , P \right) \\= & {} e \left( (x^{(\alpha )})^m Q_\ell + \sum _{k=0}^{m-1} (x^{(\alpha )})^k D_k^\prime , P \right) \\= & {} e \left( Z^{(\alpha )}, G \right) , \end{aligned}$$

where the third line of the above equation could be viewed as a polynomial of degree m with indeterminate \(x^{(\alpha )}\), and \(D_k^\prime \) is the coefficient of the k-th degree term. Since \(x^{(0)}, \dots , x^{(m)}\) are all different, we can find \(\beta _0, \beta _1, \dots , \beta _m\) so that the following equation holds.

$$ \left( \begin{array}{cccc} (x^{(0)})^0 &{} (x^{(1)})^0 &{} \dots &{} (x^{(m)})^0 \\ (x^{(0)})^1 &{} (x^{(1)})^1 &{} \dots &{} (x^{(m)})^1 \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ (x^{(0)})^m &{} (x^{(1)})^m &{} \dots &{} (x^{(m)})^m \\ \end{array} \right) \cdot \left( \begin{array}{c} \beta _0 \\ \beta _1 \\ \vdots \\ \beta _m \end{array} \right) = \left( \begin{array}{c} 0 \\ 0 \\ \vdots \\ 0\\ 1 \end{array} \right) . $$

Define \(V_\ell ^\prime = \sum _{\alpha =0}^m \beta _\alpha Z^{(\alpha )}\). Notice that

$$\begin{aligned} e(V_\ell ^\prime , G)= & {} e\left( \sum _{\alpha =0}^m \beta _\alpha \cdot Z^{(\alpha )}, G \right) \\= & {} e \left( \sum _{\alpha =0 }^m \beta _\alpha \left( (x^{(\alpha )})^m Q_\ell + \sum _{k=0}^{m-1} (x^{(\alpha )})^k D_k^\prime \right) , P \right) \\= & {} e \left( \sum _{\alpha =0 }^m \left( \beta _\alpha (x^{(\alpha )})^m \right) Q_\ell + \sum _{k=0}^{m-1} \left( \sum _{\alpha =0}^m \beta _\alpha (x^{(\alpha )})^k \right) D_k^\prime , P \right) \\= & {} e \left( Q_\ell , P \right) \\= & {} e \left( v Q_\ell , G \right) . \end{aligned}$$

So we conclude that \(V_\ell ^\prime = v Q_\ell \). On the other side, from the equation which is responsible for checking the validity of linking tag, we have

$$ \left( x^{(\alpha )} \right) ^n I - e\left( P, \sum _{k=0}^{n-1} \left( x^{(\alpha )} \right) ^k E_{k} \right) = e (Z^{(\alpha )}, K) , $$

so that with the \(m+1\) accepting transcripts, we obtain

$$\begin{aligned} \begin{pmatrix} 1 &{} (x^{(0)})^{1} &{} \cdots &{} (x^{(0)})^{m} \\ 1 &{} (x^{(1)})^{1} &{} \cdots &{} (x^{(1)})^{m} \\ \vdots &{} \vdots &{} \ddots &{} \vdots \\ 1 &{} (x^{(m)})^{1} &{} \cdots &{} (x^{(m)})^{m} \end{pmatrix} \begin{pmatrix} E_{0} \\ E_{1} \\ \vdots \\ I \end{pmatrix} = \begin{pmatrix} e (Z^{(0)}, K) \\ e (Z^{(1)}, K) \\ \vdots \\ e (Z^{(m)}, K) \\ \end{pmatrix} . \end{aligned}$$

(3)

By left multiplying (3) with \((\beta _0, \beta _1, \dots , \beta _m)\), we observe that

$$ I = \sum _{\alpha = 0}^m \beta _\alpha \cdot e \left( Z^{(\alpha )} ,K\right) = e\left( \sum _{\alpha = 0}^m \beta _\alpha \cdot Z^{(\alpha )}, K \right) = e(V^\prime _\ell , K) = v \cdot e (Q_\ell , K) . $$

The above facts show that \((\ell , V_\ell ^\prime )\) is a valid witness for the statement in \(\mathcal {R}\).    \(\square \)

Theorem 7

\(\varSigma _2\) is of special honest verifier zero-knowledge (SHVZK) if the commitment scheme is perfectly hiding.

Proof

On input a challenge \(x \in \mathbb {Z}_p\), the simulator first chooses \(w_j, y_j, z_j \leftarrow \mathbb {Z}_p\), for \(j \in [1,m]\). It is obvious that the distributions of these simulated responses are statistically close to that in a real proof. The simulator then picks \(\ell \leftarrow [0, n)\), \(r_j \leftarrow \mathbb {Z}_p\) and computes \(A_j = \ell _j H + r_j G\). Due to the properties of the commitment scheme \((A_j)_{j=1}^\tau \) are statistically indistinguishable from that of a real proof.

Subsequently, for \(j \in [1, \tau ]\), let \(a_j = f_j - \ell _j x\), and compute \((p_{i,j})_{i \in [0,n), k \in [1, m) } \). For \(k \in [1, \tau )\), it picks \(\rho _k \leftarrow \mathbb {Z}_p\) and computes \(D_k = \sum _{i=0}^{n-1} p_{i,k} Q_i + \rho _k G\), \(E_k = e(P, \rho _k K)\). The distributions of \(D_k\) and \(E_k\) are statistically close to uniform distribution in G and they are pairwise dependent since they use the same randomness as in a real proof.

Since \((B_j)_{j=1}^m\), \((C_j)_{j=1}^m\), \(D_0\), \(E_0\) are uniquely determined by the corresponding verification equations and the above generated parameters, the simulator computes

$$\begin{aligned} B_j= & {} w_j H + y_j G - x A_j , \text { for } j \in [1, m] \\ C_j= & {} z_j G - (x - w_j) A_j , \text { for } j \in [1, m] \\ D_0= & {} \sum _{i=0}^{n-1} (\prod _{j=1}^m w_{j,i_j} ) Q_i + \sum _{k=1}^{m-1} (-x^k)D_k - r G \\ E_0= & {} x^m I - \sum _{k=1}^{m-1} x^k E_k - e(Z, K) . \end{aligned}$$

By the foregoing discussion, the distribution of the outputting transcript

$$\begin{aligned} \left( (A_j,B_j, C_j), D_{j-1}, E_{j=1}^m , x, (w_j)_{j=1}^m, (y_j)_{j=1}^m, (z_j)_{j=1}^m, Z \right) \end{aligned}$$

is totally indistinguishable from that of a real proof. As a result, \(\varSigma _2\) is SHVZK.

   \(\square \)