DualDory: Logarithmic-Verifier Linkable Ring Signatures Through Preprocessing

Conference paper in: Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13555)

Abstract

A linkable ring signature allows a user to sign anonymously on behalf of a group while ensuring that multiple signatures from the same user are detected. Applications such as privacy-preserving e-voting and e-cash can leverage linkable ring signatures to significantly improve privacy and anonymity guarantees. To scale to systems involving large numbers of users, short signatures with fast verification are a must. Concretely efficient ring signatures currently rely on a trusted authority maintaining a master secret, or follow an accumulator-based approach that requires a trusted setup.

In this work, we construct the first linkable ring signature with both logarithmic signature size and verification that does not require any trusted mechanism. Our scheme, which relies on discrete-log type assumptions and bilinear maps, improves upon a recent concise ring signature called DualRing by integrating improved preprocessing arguments to reduce the verification time from linear to logarithmic in the size of the ring. Our ring signature allows signatures to be linked based on what message is signed, ranging from linking signatures on any message to only signatures on the same message.

We provide benchmarks for our scheme and prove its security under standard assumptions. The proposed linkable ring signature is particularly relevant to use cases that require privacy-preserving enforcement of threshold policies in a fully decentralized context, and e-voting.


Notes

  1.

    Note that multi-signatures [25] cannot be used because they reveal the identity of the signer. Threshold signatures [29] are not suitable either since they require coordination of key material among voters or auditing authorities.

  2.

    Security against maliciously chosen public keys can be added to schemes such as DualRing or our scheme by appending a non-interactive proof of correct key computation to the public key, at the cost of increased public key sizes and verification time. Note that it suffices to verify validity of each public key only once, hence the overhead is negligible when considering verifications of many signatures under the same public key.

  3.

    A synonym for prefix used in the literature is event identity [19]. We use the term prefix for brevity.

References

  1. DualDory implementation. https://github.com/yacovm/DualDory

  2. DualRing implementation. https://github.com/DualDory/dualring

  3. Full version of this work. https://dualdory.github.io/

  4. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12

  5. Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys, pp. 131–140 (2004)

  6. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A practical and provably secure coalition-resistant group signature scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_16

  7. Au, M.H., Chow, S.S.M., Susilo, W., Tsang, P.P.: Short linkable ring signatures revisited. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 101–115. Springer, Heidelberg (2006). https://doi.org/10.1007/11774716_9

  8. Backes, M., Döttling, N., Hanzlik, L., Kluczniak, K., Schneider, J.: Ring signatures: logarithmic-size, no setup—from standard assumptions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 281–311. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_10

  9. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2006). https://doi.org/10.1007/11693383_22

  10. Bellare, M., Neven, G.: New multi-signature schemes and a general forking lemma (2005)

  11. Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_4

  12. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_3

  13. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  14. Botrel, G., Piellard, T., El Housni, Y., Tabaie, A., Kubjas, I.: Consensys/gnark-crypto: v0.6.1, February 2022

  15. Bünz, B., Bootle, J., Boneh, D., Poelstra, A., Wuille, P., Maxwell, G.: Bulletproofs: short proofs for confidential transactions and more. In: IEEE Security & Privacy, pp. 315–334 (2018)

  16. Chandran, N., Groth, J., Sahai, A.: Ring signatures of sub-linear size without random oracles. In: Arge, L., Cachin, C., Jurdziński, T., Tarlecki, A. (eds.) ICALP 2007. LNCS, vol. 4596, pp. 423–434. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73420-8_38

  17. Chase, M., Lysyanskaya, A.: On signatures of knowledge. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 78–96. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_5

  18. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22

  19. Chow, S.S.M., Susilo, W., Yuen, T.H.: Escrowed linkability of ring signatures and its applications. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 175–192. Springer, Heidelberg (2006). https://doi.org/10.1007/11958239_12

  20. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36

  21. Goodell, B., Noether, S., RandomRun: Concise linkable ring signatures and forgery against adversarial keys. IACR Cryptol. ePrint Arch. (2019). https://ia.cr/2019/654

  22. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9

  23. Lee, J.: Dory: efficient, transparent arguments for generalised inner products and polynomial commitments. In: Nissim, K., Waters, B. (eds.) TCC 2021. LNCS, vol. 13043, pp. 1–34. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-90453-1_1

  24. Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28

  25. Pointcheval, D., Sanders, O.: Short randomizable signatures. In: Sako, K. (ed.) CT-RSA 2016. LNCS, vol. 9610, pp. 111–126. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29485-8_7

  26. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  27. Rotem, L., Segev, G.: Tighter security for Schnorr identification and signatures: a high-moment forking lemma for \(\Sigma\)-protocols. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 222–250. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_9

  28. Schoenmakers, B.: Lecture notes cryptographic protocols (2021). https://www.win.tue.nl/berry/2WC13/LectureNotes.pdf

  29. Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_15

  30. Tsang, P.P., Wei, V.K.: Short linkable ring signatures for E-voting, E-cash and attestation. In: Deng, R.H., Bao, F., Pang, H.H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 48–60. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31979-5_5

  31. Yuen, T.H., Esgin, M.F., Liu, J.K., Au, M.H., Ding, Z.: DualRing: generic construction of ring signatures with efficient instantiations. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 251–281. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_10

  32. Zhang, T., Wu, H., Chow, S.S.M.: Structure-preserving certificateless encryption and its application. In: Matsui, M. (ed.) CT-RSA 2019. LNCS, vol. 11405, pp. 1–22. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-12612-4_1

Author information

Corresponding author: Julia Hesse.


A Security Analysis

Due to space limitations, we only provide proof sketches to the main theorems of the paper. The full proofs are deferred to an extended version that can be found here [3].

Theorem 4

(Correctness). DualDory satisfies correctness (Definition 7).

Proof (Sketch)

We show that \(\textsf{RS}.\textsf{Verify}(\underline{\smash {pk}},m,\textsf{prfx},\textsf{RS}.\textsf{Sign}(\underline{\smash {pk}},sk,m,\textsf{prfx})) = 1\). Let \(\underline{\smash {pk'}} = (\textsf{com}/pk_i)_{i=1}^{n}\) and recall that \(\textbf{A}= e( \textsf{com}, \tilde{\varGamma }) / \textbf{A}_0= e(\underline{\smash {pk'}}, \underline{\smash {\tilde{\varGamma }}})\), \(\textbf{B}= e(\underline{\smash {\varGamma }},\tilde{P}^{\underline{\smash {c}}})\), \(\textbf{C}= e( Q^y/ X, \tilde{P})\), \(\textbf{D}= e( \underline{\smash {P}}, \underline{\smash {\tilde{\varGamma }}})\) and \(\textbf{E}= e(P^{H(\textbf{A},X)}, \tilde{P})\). Parse the last input element as \((X,y,\textbf{B},\pi _1,\pi _2,\sigma _\textrm{Tag},\textsf{tag},\textsf{com})\). Following DualRing: \(Q^y/X= \prod _{i=1}^{n}{pk'}_i^{c_i}\) and \(\sum _{i=1}^{n} c_i = H(\textbf{A},X)\). Therefore, \(\textbf{C}= e(\underline{\smash {pk'}}, \tilde{P}^{\underline{\smash {c}}})\) and \(\textbf{E}= e( \underline{\smash {P}}, \tilde{P}^{\underline{\smash {c}}}) \).

\(\textsf{V}_\textrm{PProd}(\textsf{pp}_\textrm{PProd}, (\textbf{A},\textbf{B},\textbf{C}),\pi _1) = 1\) because \(\pi _1 \leftarrow \textsf{P}_\textrm{PProd}(\textsf{pp}_\textrm{PProd}, (\textbf{A},\textbf{B},\textbf{C}), (\underline{\smash {pk'}},\tilde{P}^{\underline{\smash {c}}}))\). Similarly, \(\pi _2 \leftarrow \textsf{P}_\textrm{PProd}(\textsf{pp}_\textrm{PProd}, (\textbf{D},\textbf{B},\textbf{E}), (\underline{\smash {P}},\tilde{P}^{\underline{\smash {c}}}))\) and \(\textsf{V}_\textrm{PProd}(\textsf{pp}_\textrm{PProd}, (\textbf{D},\textbf{B},\textbf{E}),\pi _2) = 1\). Finally, \(\sigma _\textrm{Tag}\leftarrow \textsf{S}_\textrm{Tag}(\textsf{pp}_\textrm{Tag},(\textsf{prfx},\textsf{tag},\textsf{com}), ({sk},r), m|| \pi _1 || \pi _2)\), which means that

\(\textsf{V}_\textrm{Tag}(\textsf{pp}_\textrm{Tag},(\textsf{prfx},\textsf{tag},\textsf{com}), \sigma _\textrm{Tag}, m|| \pi _1 || \pi _2) = 1\).

The correctness properties related to linking are straightforward.
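The identity the sketch recalls from DualRing, \(Q^y/X = \prod_{i} {pk'}_i^{c_i}\) together with \(\sum_i c_i = H(\textbf{A}, X)\), is the relation a verifier checks before the pairing-product arguments \(\pi_1, \pi_2\) compress that check to logarithmic cost. The following is an added illustration, not code from the paper or from the DualDory or DualRing repositories: a DL-based DualRing-style ring signature over a constructed toy group (a prime-order subgroup of \(\mathbb{Z}_p^*\) with deliberately tiny parameters and no pairing), with the relation written as \(X = G^{y}\prod_i pk_i^{c_i}\), i.e. the same check up to the sign convention of the exponents. The helper names `hash_to_scalar`, `sign` and `verify` are this example's own.

```python
import hashlib
import secrets

# Constructed toy group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 a safe prime.
# Sizes are tiny on purpose so the arithmetic stays readable. DualDory works over a
# pairing-friendly group and additionally compresses the check below with
# pairing-product arguments; neither is modelled by this stand-in.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue, hence a generator of the order-Q subgroup


def hash_to_scalar(*parts):
    """Fiat-Shamir challenge H(X, m) in Z_Q (hypothetical helper, length-prefixed input)."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big") % Q


def keygen(sk=None):
    """Return (sk, pk = G^sk); a caller may fix sk for reproducible demonstrations."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(pks, j, sk_j, m):
    """DualRing-style DL signature on m for ring pks, produced by the holder of sk_j = sk of pks[j].

    All challenges c_i for i != j are sampled at random; c_j is then fixed so that the
    challenges sum to H(X, m), and y is the Schnorr-style response for signer j.
    """
    n = len(pks)
    r = secrets.randbelow(Q - 1) + 1
    c = [secrets.randbelow(Q) for _ in range(n)]
    X = pow(G, r, P)
    for i in range(n):
        if i != j:
            X = X * pow(pks[i], c[i], P) % P
    others = sum(c[i] for i in range(n) if i != j)
    c[j] = (hash_to_scalar(X, m) - others) % Q
    y = (r - c[j] * sk_j) % Q
    return X, y, c


def verify(pks, m, sig):
    """Accept iff G^y * prod_i pk_i^{c_i} == X and sum_i c_i == H(X, m) (mod Q)."""
    X, y, c = sig
    if len(c) != len(pks):
        return False
    rhs = pow(G, y, P)
    for pk_i, c_i in zip(pks, c):
        rhs = rhs * pow(pk_i, c_i, P) % P
    return rhs == X and sum(c) % Q == hash_to_scalar(X, m)


if __name__ == "__main__":
    # Constructed ring of three keys; signer index 1 holds sk = 17.
    pks = [keygen(s)[1] for s in (5, 17, 42)]
    sig = sign(pks, 1, 17, b"vote")
    print(verify(pks, b"vote", sig))    # True
    print(verify(pks, b"vote!", sig))   # False: challenge sum no longer matches H(X, m)
```

The verifier's work here is a multi-exponentiation over all \(n\) public keys, which is exactly the linear-time step that the paper's preprocessing arguments replace.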

Theorem 5

DualDory is anonymous (Definition 11) in the random oracle model under the DDH assumption.

Proof (Sketch)

Given an adversary \(\mathcal {A}\) which wins the anonymity game (Definition 11) with non-negligible advantage, we show that there is a distinguisher \(\mathcal {D} \) which leverages \(\mathcal {A}\) to break the DDH assumption in \(\mathbb {G}_1\) in the random oracle model.

Let \(\textsf{BGpp}:= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P,\tilde{P})\leftarrow \textsf{BG}.\textsf{Gen}(1^\lambda )\), and let \((U, V, W) \in \mathbb {G}_1^3\) be sampled either as a DDH tuple or uniformly at random. The distinguisher \(\mathcal {D} \) receives \(\textsf{BGpp}\) and \((U, V, W)\) as input. \(\mathcal {D} \) then sets the public key \(pk_j\) of one of the signers to \(U\) while computing the public keys of the remaining signers honestly. To simulate the output of signature queries \((pk_j, m, \textsf{prfx})\) without knowledge of the secret key \(sk_j\) matching \(pk_j\), \(\mathcal {D} \) programs random oracle \(H'\) such that \(H'(\textsf{prfx}) = V^{r'}\) for \(r'\leftarrow \mathbb {Z}_{p}\) and computes \(\textsf{tag}= W^{r'}\). \(\mathcal {D} \) also programs random oracle \(H\) in such a way that it is able to produce a tag proof that verifies correctly. Note that the DualRing part and the arguments of knowledge of bilinear pairing products in DualDory can be computed honestly by \(\mathcal {D} \) (\(\mathcal {D} \) does not need \(sk_j\)). Now if \((U, V, W)\) is a DDH tuple, then the simulated signature is statistically indistinguishable from a signature generated following DualDory. If not, then \(\mathcal {A}\) cannot tell the difference thanks to the DDH assumption, given that the simulated signature verifies correctly.

At the end of the anonymity game, \(\mathcal {A}\) outputs two public keys \(\{pk^*_0, pk^*_1\}\). If we assume that \(\mathcal {A}\) issues \(n-2\) corruption queries, none of which involves \(pk_j\), then \(pk_j \in \{pk_0^*, pk_1^*\}\). Let \(pk_j = pk_0^*\). \(\mathcal {D} \) then simulates a signature using public key \(pk_0^*\) and outputs the result to \(\mathcal {A}\). \(\mathcal {A}\) accordingly outputs its guess \(b\). To break DDH, \(\mathcal {D} \) returns \(1 -b\).

Note that if \((U, V, W)\) is a DDH tuple, then \(\mathcal {A}\) will output the correct guess \(b = 0\) with a non-negligible advantage, and \(\mathcal {D} \) breaks DDH by outputting 1. If not, then \(\mathcal {A}\) performs no better than a random guess, and so does \(\mathcal {D} \). In fact, the tuple \((\textsf{com}, \textsf{tag}, \sigma _\textrm{Tag})\) in the signature leaks no information whatsoever about the underlying secret key: \(\textsf{com}\) is perfectly hiding, \(\textsf{tag}= W^{r}\) is a random group element, and \(\sigma _\textrm{Tag}\) is computed without using any secret keys.
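The reduction above hinges on the linking tag \(\textsf{tag} = H'(\textsf{prfx})^{sk}\) and on the observation that \(\mathcal {D}\), by programming \(H'(\textsf{prfx}) = V^{r'}\), can output \(\textsf{tag} = W^{r'}\) without knowing \(sk_j = \log_P U\), and that this tag is the honest one exactly when \((U, V, W)\) is a DDH tuple. The following added example (not code from the paper or the DualDory implementation) replays that step over a constructed toy group with no pairing: it builds tags, shows what a `Link` check sees for the same signer and prefix versus a different signer or prefix, and compares \(\mathcal {D}\)'s simulated tag with the honest tag for a DDH tuple and for a non-DDH tuple. The programmable `RandomOracle` class and the function names are assumptions of this example.

```python
import hashlib

# Constructed toy group: the order-Q subgroup of Z_P^*, with P = 2Q + 1 a safe prime.
# Parameters are tiny so the arithmetic is readable; the paper's scheme lives in a
# pairing-friendly group G_1, which this stand-in does not model.
P = 2039
Q = 1019
G = 4  # generator of the order-Q subgroup


class RandomOracle:
    """Programmable random oracle H' : prefix -> group element (hypothetical helper).

    An honest query returns a hash-derived subgroup element. A reduction may first
    `program` the answer for a prefix, which is what D does in the anonymity proof.
    A real implementation would use a hash-to-group map; this toy derives an exponent
    from SHA-256 only so the example runs offline.
    """

    def __init__(self):
        self.table = {}

    def program(self, prfx, element):
        self.table[prfx] = element

    def __call__(self, prfx):
        if prfx not in self.table:
            h = int.from_bytes(hashlib.sha256(prfx).digest(), "big") % (Q - 1) + 1
            self.table[prfx] = pow(G, h, P)  # never the identity, since 1 <= h < Q
        return self.table[prfx]


def make_tag(H, sk, prfx):
    """Linking tag tag = H'(prfx)^sk, the signature component that Link compares."""
    return pow(H(prfx), sk, P)


def link(tag_a, tag_b):
    """Two signatures link iff their tags coincide (same signer under the same prefix)."""
    return tag_a == tag_b


def linking_outcomes(sk_a, sk_b, prfx_1, prfx_2):
    """Return what Link reports for: (same signer, same prefix), (same signer, other
    prefix), (other signer, same prefix)."""
    H = RandomOracle()
    t_a1 = make_tag(H, sk_a, prfx_1)
    t_a1_again = make_tag(H, sk_a, prfx_1)
    t_a2 = make_tag(H, sk_a, prfx_2)
    t_b1 = make_tag(H, sk_b, prfx_1)
    return link(t_a1, t_a1_again), link(t_a1, t_a2), link(t_a1, t_b1)


def simulate_tag(H, V, W, prfx, r):
    """D's step from the proof of Theorem 5: program H'(prfx) = V^r and output tag = W^r.
    No secret key is used."""
    H.program(prfx, pow(V, r, P))
    return pow(W, r, P)


def simulation_matches_honest(u, v, w, r, prfx=b"election-2022"):
    """For the tuple (U, V, W) = (G^u, G^v, G^w) with pk_j = U, compare D's simulated tag
    with the tag the honest holder of sk_j = u would produce under the same (programmed)
    oracle. They coincide iff w == u*v mod Q, i.e. iff the tuple is a DDH tuple."""
    H = RandomOracle()
    V, W = pow(G, v, P), pow(G, w, P)
    simulated = simulate_tag(H, V, W, prfx, r)
    honest = make_tag(H, u, prfx)  # H'(prfx) is now V^r, so this equals (V^r)^u = G^{v r u}
    return simulated == honest


if __name__ == "__main__":
    print(linking_outcomes(7, 11, b"prefix-A", b"prefix-B"))       # (True, False, False)
    u, v = 123, 456
    print(simulation_matches_honest(u, v, (u * v) % Q, 77))        # True: DDH tuple
    print(simulation_matches_honest(u, v, (u * v + 1) % Q, 77))    # False: random tuple
```

The second and third calls are the two branches of the reduction: with a DDH tuple the simulated signature is distributed like an honest one, and with a random tuple the tag is simply \(W^{r'}\), a uniformly random group element that carries no information about \(sk_j\).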

Theorem 6

DualDory is prefix linkable (Definition 12) in the random oracle model under the SXDH assumption.

Proof (Sketch)

Assume there is an adversary \(\mathcal {A}\) which breaks the prefix linkability of DualDory. We construct an adversary \(\mathcal {B} \) which uses \(\mathcal {A}\) to break the DPair assumption with two generators, which is implied by SXDH. Let \(\textsf{BGpp}:= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P,\tilde{P})\leftarrow \textsf{BG}.\textsf{Gen}(1^\lambda )\), and let \((P_1, P_2)\) be two additional generators of \(\mathbb {G}_1\). Adversary \(\mathcal {B} \) receives \(\textsf{BGpp}\) and \((P_1, P_2)\) as input. \(\mathcal {B} \)’s goal is to output two generators \((\tilde{P}_1, \tilde{P}_2) \in \mathbb {G}_2^2\) such that \(e(P_1, \tilde{P}_1)e(P_2, \tilde{P}_2) = 1\). To that end, \(\mathcal {B} \) computes \(n\) pairs \((sk_i, pk_i) = (sk_i, P_1^{sk_i}), i \in [n]\), sets the Pedersen commitment generators to \((P_1, P_2)\) and simulates the prefix linkability game honestly. At the end of the game, \(\mathcal {A}\) outputs \(n+1\) tuples \((m_{i}, \textsf{prfx}, \sigma _{i})\) for \(i\in [n+1]\). We parse \(\sigma _{i}\) as \((X_{i},y_{i},\textbf{B}_{i},\pi _{1,i},\pi _{2,i},\sigma _{\textrm{Tag},i},\textsf{tag}_{i},\textsf{com}_{i})\). If \(\mathcal {A}\) wins the prefix linkability game, then the tags \(\textsf{tag}_{i}\), \(\textsf{tag}_{j}\) are pairwise distinct for \(i\ne j\in [n+1]\). By the soundness of the tag proof, this implies that \(\textsf{tag}_{i} = H'(\textsf{prfx})^{sk'_i} \ne \textsf{tag}_{j} = H'(\textsf{prfx})^{sk'_j}\). In particular, using the simulation extractability of the tag proof, \(\mathcal {B} \) is able to extract \(n+1\) pairs \((sk'_{i}, r_{i}), i\in [n+1]\) that satisfy \(\mathcal {R}_\textrm{Tag}\). Since these \(n+1\) values \(sk'_i\) are pairwise distinct while there are only \(n\) honestly generated keys, there is an \(i\in [n+1]\) with \(sk'_{i} \not \in \{sk_1, ..., sk_n\}\). Assume that \(sk'_{n+1} \not \in \{sk_1, ..., sk_n\}\).
Applying the knowledge soundness of arguments of knowledge of bilinear pairing products (Theorem 1) to \(\pi _{1, {n+1}}\) allows us to extract \(\underline{\smash {\tilde{\varOmega }}}\) such that \(e((\frac{\textsf{com}_{n+1}}{pk_i})_{i=1}^{n}, \underline{\smash {\tilde{\varOmega }}}) = e(\frac{P_2^{y_{n+1}}}{X_{n+1}}, \tilde{P})\) and \(e(\underline{\smash {P}}, \underline{\smash {\tilde{\varOmega }}}) = e(P, \tilde{P}^{c})\) with \(c= H(\textbf{A}, X_{n+1})\). Now to break the DPair assumption, we use the forking lemma on hash \(H(\textbf{A}, X_{n+1})\) to extract another witness \(\underline{\smash {\tilde{\varOmega }}}'\) such that \(e((\frac{\textsf{com}_{n+1}}{pk_i})_{i=1}^{n}, \underline{\smash {\tilde{\varOmega }}}') = e(\frac{P_2^{y'_{n+1}}}{X_{n+1}}, \tilde{P})\) and \(e(\underline{\smash {P}}, \underline{\smash {\tilde{\varOmega }}}') = e(P, \tilde{P}^{c'})\) with \(c' = H(\textbf{A}, X_{n+1})\). Replacing \(\textsf{com}_{n+1}\) with \(P_1^{sk'_{n+1}}P_2^{r_{n+1}}\) and \(pk_{i}\) with \(P_1^{sk_{i}}\), and using the bilinearity of \(e\), we get: \( e\left( P_1, \prod _{i=1}^{n}(\frac{\tilde{\varOmega }_{i}}{\tilde{\varOmega }'_{i}})^{(sk'_{n+1}-sk_{i})}\right) e\left( P_2, \frac{\tilde{P}^{y'_{n+1}}}{\tilde{P}^{y_{n+1}}}\prod _{i=1}^{n}(\frac{\tilde{\varOmega }_{i}}{\tilde{\varOmega }'_{i}})^{r_{n+1}}\right) = 1\). \(\mathcal {B} \) breaks DPair by outputting \(\tilde{P}_1 = \prod _{i=1}^{n}(\frac{\tilde{\varOmega }_{i}}{\tilde{\varOmega }'_{i}})^{(sk'_{n+1}-sk_{i})}\) and \(\tilde{P}_2 = \frac{\tilde{P}^{y'_{n+1}}}{\tilde{P}^{y_{n+1}}}\prod _{i=1}^{n}(\frac{\tilde{\varOmega }_{i}}{\tilde{\varOmega }'_{i}})^{r_{n+1}} = \frac{\tilde{P}^{y'_{n+1}}}{\tilde{P}^{y_{n+1}}}\tilde{P}^{(c-c')r_{n+1}}\). Thanks to the Schwartz-Zippel lemma, we show that \(\tilde{P}_1\) and \(\tilde{P}_2\) are generators of \(\mathbb {G}_2\) with probability \(1-1/p\).

Theorem 7

DualDory is prefix non-slanderable (Definition 13) in the random oracle model under the SXDH assumption.

Proof (Sketch)

Suppose there is an adversary \(\mathcal {A}\) that breaks the prefix non-slanderability of DualDory. We construct, in the random oracle model, an adversary \(\mathcal {B} \) which uses \(\mathcal {A}\) to break the discrete logarithm in \(\mathbb {G}_1\), which is implied by the SXDH assumption. Assume that \(\mathcal {B} \) would like to compute \({u} = \log _{P}(U)\). Accordingly, \(\mathcal {B} \) sets the public key of one of the signers to \(pk_{j} = U\), while generating the rest of the public keys honestly. To simulate answers to signing queries \((pk_{j}, m, \textsf{prfx})\) to oracle \(\textsf{SO}_{\underline{\smash {pk}}}\) in the non-slanderability experiment, \(\mathcal {B} \) programs \(H'\) to return \(P^{r'}\) as \(H'(\textsf{prfx})\). This allows \(\mathcal {B} \) to compute \(\textsf{tag}= pk_{j}^{r'} = H'(\textsf{prfx})^{sk_{j}}\). \(\mathcal {B} \) then leverages the simulatability of signatures of knowledge to simulate a tag proof that verifies correctly. Before any corruption query, \(\mathcal {A}\) outputs a forgery \((m', \textsf{prfx}', \sigma ')\). \(\mathcal {B} \), using random oracle \(H'\), checks whether the corresponding \(\textsf{tag}' = pk_{j}^{r'}\) for some \(r'\leftarrow \mathbb {Z}_{p}\). If so, then thanks to the simulation extractability of the tag proof, \(\mathcal {B} \) extracts \(sk_j = \log _{P}(U)\).

Theorem 8

If a ring signature \(\textsf{RS}\) is prefix-linkable (Definition 12) and non-slanderable (Definition 13), then it is also unforgeable (Definition 10).

Proof (Sketch)

Assume that a ring signature \(\textsf{RS}\) is prefix linkable. We show in what follows that if there is an adversary \(\mathcal {A}\) that wins the unforgeability game, then there is another adversary \(\mathcal {B} \) that breaks non-slanderability. The intuition is that \(\mathcal {B} \) simulates the unforgeability game for \(\mathcal {A}\) using the game for non-slanderability. At the end of the simulated unforgeability game, \(\mathcal {A}\) outputs a forgery \((m', \textsf{prfx}', \sigma ')\), which \(\mathcal {B} \) returns as the first forgery in the non-slanderability game (i.e., before any corruption query). \(\mathcal {B} \) then queries the signing oracle \(\textsf{SO}_{\underline{\smash {pk}}}\) in the non-slanderability game with \(n\) signing queries \((pk_i, m_i, \textsf{prfx}')\) for \(i \in [n]\). Given the prefix linkability of \(\textsf{RS}\), there exists \(j \in [n]\) such that \(\textsf{RS}.\textsf{Link}(\underline{\smash {pk}}, m_{j}, \sigma _{j}, m', \sigma ', \textsf{prfx}') = 1\), thus breaking non-slanderability. Similarly, we can show that if \(\textsf{RS}\) is non-slanderable, then \(\mathcal {B} \) can break prefix linkability with the help of an adversary \(\mathcal {A}\) that wins the unforgeability game.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Bootle, J., Elkhiyaoui, K., Hesse, J., Manevich, Y. (2022). DualDory: Logarithmic-Verifier Linkable Ring Signatures Through Preprocessing. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_21

  • DOI: https://doi.org/10.1007/978-3-031-17146-8_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8
