
Traceable ring signatures: general framework and post-quantum security

Published in Designs, Codes and Cryptography.

Abstract

Traceable ring signature (TRS), a variant of ring signature, allows a signer to anonymously sign a message labeled with a tag on behalf of a group of users, but may reveal the signer's identity if the signer creates two signatures with the same tag. TRS thus provides accountable anonymity for users, and plays an important role in e-voting systems and e-coupon services. However, current TRS schemes are built on number-theoretic hardness assumptions that do not resist quantum attackers. To address this issue, we first propose a general framework for TRS, built from a non-interactive zero-knowledge proof of knowledge, a hash family, and a pseudorandom function with some additional properties. Then, by instantiating our framework, we give two concrete efficient TRS schemes, from lattices and from symmetric-key primitives respectively, both of which are proven secure in the quantum random oracle model. Moreover, both schemes have logarithmic signature size.


Notes

  1. We thank the anonymous reviewers for pointing out this bug.

References

  1. Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: Proceedings of the EUROCRYPT 2010. LNCS, vol. 6110, pp. 553–572. Springer (2010)

  2. Ajtai M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the STOC 1996. pp. 99–108. ACM (1996)

  3. Albrecht M.R., Rechberger C., Schneider T., Tiessen T., Zohner M.: Ciphers for MPC and FHE. In: Proceedings of the EUROCRYPT 2015 (1). LNCS, vol. 9056, pp. 430–454. Springer (2015)

  4. Ambainis A., Rosmanis A., Unruh D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: Proceedings of the FOCS 2014. pp. 474–483. IEEE Computer Society (2014)

  5. Ames S., Hazay C., Ishai Y., Venkitasubramaniam M.: Ligero: lightweight sublinear arguments without a trusted setup. In: Proceedings of the ACM Conference on Computer and Communications Security. pp. 2087–2104. ACM (2017)

  6. Au M.H., Liu J.K., Susilo W., Yuen T.H.: Secure id-based linkable and revocable-iff-linked ring signature with constant-size construction. Theor. Comput. Sci. 469, 1–14 (2013).


  7. Banerjee A., Peikert C., Rosen A.: Pseudorandom functions and lattices. In: Pointcheval D., Johansson T. (eds.) Proceedings of the EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer (2012)

  8. Barak B., Dodis Y., Krawczyk H., Pereira O., Pietrzak K., Standaert F., Yu Y.: Leftover hash lemma, revisited. In: Proceedings of the CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer (2011)

  9. Baum C., Lin H., Oechsner S.: Towards practical lattice-based one-time linkable ring signatures. In: Proceedings of the ICICS 2018. LNCS, vol. 11149, pp. 303–322. Springer (2018)

  10. Bellare M., Goldwasser S.: New paradigms for digital signatures and message authentication based on non-interactive zero knowledge proofs. In: Proceedings of the CRYPTO 1989. LNCS, vol. 435, pp. 194–211. Springer (1989)

  11. Blum M., Micali S.: How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput. 13(4), 850–864 (1984).


  12. Boneh D., Dagdelen Ö., Fischlin M., Lehmann A., Schaffner C., Zhandry M.: Random oracles in a quantum world. In: Proceedings of the ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer (2011)

  13. Boneh D., Eskandarian S., Fisch B.: Post-quantum EPID signatures from symmetric primitives. In: Proceedings of the CT-RSA. Lecture Notes in Computer Science, vol. 11405, pp. 251–271. Springer (2019)

  14. Boneh D., Lewi K., Montgomery H.W., Raghunathan A.: Key homomorphic PRFs and their applications. In: Proceedings of the CRYPTO 2013. LNCS, vol. 8042, pp. 410–428. Springer (2013)

  15. Branco P., Mateus P.: A traceable ring signature scheme based on coding theory. In: Proceedings of the PQCrypto 2019. LNCS, vol. 11505, pp. 387–403. Springer (2019)

  16. Camenisch J., Hohenberger S., Lysyanskaya A.: Compact e-cash. In: Proceedings of the EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer (2005)

  17. Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited. J. ACM 51(4), 557–594 (2004).


  18. Chase M., Derler D., Goldfeder S., Orlandi C., Ramacher S., Rechberger C., Slamanig D., Zaverucha G.: Post-quantum zero-knowledge and signatures from symmetric-key primitives. In: Proceedings of the ACM Conference on Computer and Communications Security. pp. 1825–1842. ACM (2017)

  19. Chow S.S.M., Liu J.K., Wong D.S.: Robust receipt-free election system with ballot secrecy and verifiability. In: Proceedings of the NDSS 2008. The Internet Society (2008)

  20. Cramer R., Damgård I., Schoenmakers B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Proceedings of the CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer (1994)

  21. Derler D., Ramacher S., Slamanig D.: Post-quantum zero-knowledge proofs for accumulators with applications to ring signatures from symmetric-key primitives. In: Proceedings of the PQCrypto. Lecture Notes in Computer Science, vol. 10786, pp. 419–440. Springer (2018)

  22. Feige U., Lapidot D., Shamir A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: Proceedings of the FOCS 1990. pp. 308–317. IEEE Computer Society (1990)

  23. Feng H., Liu J., Wu Q.: Secure Stern signatures in the quantum random oracle model. In: Proceedings of the ISC 2019. LNCS, vol. 11723, pp. 425–444. Springer (2019)

  24. Feng H., Liu J., Wu Q., Li Y.: Traceable ring signatures with post-quantum security. In: Proceedings of the CT-RSA. Lecture Notes in Computer Science, vol. 12006, pp. 442–468. Springer (2020)

  25. Fiat A., Shamir A.: How to prove yourself: Practical solutions to identification and signature problems. In: Proceedings of the CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer (1986)

  26. Franklin M.K., Zhang H.: A framework for unique ring signatures. IACR Cryptol. ePrint Arch. 2012, 577 (2012).


  27. Fujisaki E.: Sub-linear size traceable ring signatures without random oracles. In: Proceedings of the CT-RSA 2011. LNCS, vol. 6558, pp. 393–415. Springer (2011)

  28. Fujisaki E., Suzuki K.: Traceable ring signature. In: Okamoto T., Wang X. (eds.) Proceedings of the PKC 2007. LNCS, vol. 4450, pp. 181–200. Springer (2007)

  29. Garay J.A., MacKenzie P.D., Yang K.: Strengthening zero-knowledge protocols using signatures. In: Proceedings of the EUROCRYPT 2003. LNCS, vol. 2656, pp. 177–194. Springer (2003)

  30. Giacomelli I., Madsen J., Orlandi C.: ZKBoo: faster zero-knowledge for boolean circuits. In: Proceedings of the USENIX Security Symposium 2016. pp. 1069–1083. USENIX Association (2016)

  31. Goldreich O., Goldwasser S., Micali S.: How to construct random functions (extended abstract). In: Proceedings of the FOCS 1984. pp. 464–479. IEEE Computer Society (1984)

  32. Groth J., Kohlweiss M.: One-out-of-many proofs: Or how to leak a secret and spend a coin. In: Proceedings of the EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer (2015)

  33. Holmgren J., Lombardi A.: Cryptographic hashing from strong one-way functions (or: One-way product functions and their applications). In: Proceedings of the FOCS. pp. 850–858. IEEE Computer Society (2018)

  34. Ishai Y., Kushilevitz E., Ostrovsky R., Sahai A.: Zero-knowledge proofs from secure multiparty computation. SIAM J. Comput. 39(3), 1121–1152 (2009).


  35. Levin L.A.: One-way functions and pseudorandom generators. In: Proceedings of the STOC. pp. 363–365. ACM (1985)

  36. Libert B., Ling S., Nguyen K., Wang H.: Zero-knowledge arguments for lattice-based accumulators: Logarithmic-size ring signatures and group signatures without trapdoors. In: Proceedings of the EUROCRYPT 2016. LNCS, vol. 9666, pp. 1–31 (2016)

  37. Libert B., Ling S., Nguyen K., Wang H.: Zero-knowledge arguments for lattice-based PRFs and applications to e-cash. In: Takagi T., Peyrin T. (eds.) Proceedings of the ASIACRYPT 2017. LNCS, vol. 10626, pp. 304–335. Springer (2017)

  38. Ling S., Nguyen K., Stehlé D., Wang H.: Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications. In: Proceedings of the PKC 2013. LNCS, vol. 7778, pp. 107–124. Springer (2013)

  39. Liu J.K., Wei V.K., Wong D.S.: Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In: Proceedings of the ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer (2004)

  40. Lombardi A., Vaikuntanathan V.: Multi-input correlation-intractable hash functions via shift-hiding. Cryptology ePrint Archive, Report 2020/1378 (2020), https://eprint.iacr.org/2020/1378

  41. Lu X., Au M.H., Zhang Z.: Raptor: a practical lattice-based (linkable) ring signature. In: Proceedings of the ACNS 2019. LNCS, vol. 11464, pp. 110–130. Springer (2019)

  42. Majenz C.: On attacking hash functions in cryptographic schemes. Workshop “Quantum cryptanalysis of post-quantum cryptography” (2020). https://simons.berkeley.edu/sites/default/files/docs/15454/attackinghashfunctions.pdf

  43. Peikert C., Shiehian S.: Noninteractive zero knowledge for NP from (plain) learning with errors. In: Proceedings of the CRYPTO 2019 (1). LNCS, vol. 11692, pp. 89–114. Springer (2019)

  44. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the STOC 2005. pp. 84–93. ACM (2005)

  45. Rivest R.L., Shamir A., Tauman Y.: How to leak a secret. In: Boyd, C. (ed.) Proceedings of the ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer (2001)

  46. Shor P.W.: Algorithms for quantum computation: Discrete logarithms and factoring. In: Proceedings of the FOCS 1994. pp. 124–134. IEEE Computer Society (1994)

  47. Stern J.: A new paradigm for public key identification. IEEE Trans. Inf. Theory 42(6), 1757–1768 (1996).


  48. Torres W.A.A., Steinfeld R., Sakzad A., Liu J.K., Kuchta V., Bhattacharjee N., Au M.H., Cheng J.: Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (lattice ringct v1.0). In: Proceedings of the ACISP 2018. LNCS, vol. 10946, pp. 558–576. Springer (2018)

  49. Unruh D.: Non-interactive zero-knowledge proofs in the quantum random oracle model. In: Proceedings of the EUROCRYPT 2015. LNCS, vol. 9057, pp. 755–784. Springer (2015)

  50. Wang X., Chen Y., Ma X.: Adding linkability to ring signatures with one-time signatures. In: Proceedings of the ISC 2019. LNCS, vol. 11723, pp. 445–464. Springer (2019)

  51. Yang R., Au M.H., Lai J., Xu Q., Yu Z.: Lattice-based techniques for accountable anonymity: Composition of abstract stern’s protocols and weak PRF with efficient protocols from LWR. IACR Cryptol. ePrint Arch. 2017, 781 (2017).


  52. Zhandry M.: How to construct quantum random functions. In: Proceedings of the FOCS 2012. pp. 679–687. IEEE Computer Society (2012)

  53. Zhandry M.: Secure identity-based encryption in the quantum random oracle model. In: Proceedings of the CRYPTO 2012. LNCS, vol. 7417, pp. 758–775. Springer (2012)

  54. Zhang H., Zhang F., Tian H., Au M.H.: Anonymous post-quantum cryptocash. IACR Cryptol. ePrint Arch. 2017, 716 (2017).



Acknowledgements

We thank the anonymous reviewers for their valuable comments on this paper. This work is supported by the National Key R&D Program of China through projects 2017YFB0802500 and 2019QY(Y)0602, by the National Cryptography Development Fund through project MMJJ20170106, by the foundation of Science and Technology on Information Assurance Laboratory through project 61421120305162112006, and by the Natural Science Foundation of China through projects 61972018, 61972019, 61932011, 61772538, 61672083, 61532021, 61472429, 91646203 and 61402029. This work was partly completed while Hanwen Feng was visiting the New Jersey Institute of Technology, supported by the China Scholarship Council.


Corresponding author

Correspondence to Qianhong Wu.

Additional information

Communicated by D. Stehle.


A preliminary version of this paper appeared in CT-RSA 2020, Feb. 24–28, San Francisco, USA [24].

Appendices

Analysis of Cramer et al.’s techniques

In this section, we show that applying Cramer et al.'s techniques [20] to a sigma protocol with 3-special soundness does not yield a sound OR composition. In fact, the resulting protocol is not even an argument: a malicious prover can convince the verifier of a false statement with probability 1.

Let \(\varSigma =(D_{com},D_{ch}=\{1,2,3\},D_{resp},P_\varSigma ^1,P_\varSigma ^2,V_\varSigma )\) be a sigma protocol for the relation R, where \(D_{com},D_{ch},D_{resp}\) are the domains of the three messages, \(P_\varSigma ^1,P_\varSigma ^2\) are the prover algorithms that generate the first and the third messages, and \(V_{\varSigma }\) is the verification algorithm. We assume \(\varSigma \) is complete, HVZK, and 3-special sound, and let \(S_\varSigma \) be its HVZK simulator. We consider the (1, 2) OR composition, that is, a protocol demonstrating that \((x_0,x_1)\in L_{OR}:=\{(x_0,x_1):\exists w^*, i\in \{0,1\}, \textit{ s.t. } R(x_i,w^*)=1 \}\). Using Cramer et al.'s techniques, such a protocol would be built as follows (challenges are identified with residues modulo 3, so \(3\equiv 0\)):

  1. Public inputs: \(x_0\) and \(x_1\). Private input to the prover P is \((i,w^*)\).

  2. Commitment: P runs \(com_i\leftarrow P_\varSigma ^1(x_i,w^*)\) and \((com_{1-i},ch_{1-i},resp_{1-i})\leftarrow S_{\varSigma }(x_{1-i})\), then outputs \(COM=(com_0,com_1)\).

  3. Challenge: The verifier V randomly chooses \(ch\hookleftarrow \{1,2,3\}\).

  4. Response: P computes \(ch_i=ch-ch_{1-i} \bmod 3\), runs \(resp_i\leftarrow P_\varSigma ^2(x_i,ch_i,w^*)\), and returns \((resp_0,resp_1,ch_0,ch_1)\).

  5. Verify: V runs \(ok_0\leftarrow V_\varSigma (x_0,com_0,ch_0,resp_0)\) and \(ok_1\leftarrow V_\varSigma (x_1,com_1,ch_1,resp_1)\). It returns 1 iff \(ok_0=ok_1=1\) and \(ch_0+ch_1=ch \bmod 3\).

We now give an attack on the above protocol: a malicious prover \(\bar{P}\) selects \((x_0,x_1)\notin L_{OR}\) and nevertheless produces a proof that the verifier accepts. The attack starts from the observation that the simulator \(S_\varSigma \) may be able to output two valid tuples \((com,ch,resp)\) and \((com,ch',resp')\) sharing the same commitment for two distinct challenges \(ch\ne ch'\) chosen arbitrarily by \(\bar{P}\). This is not a special assumption: 3-special soundness only guarantees that a witness can be extracted from three accepting transcripts with the same commitment, so nothing prevents two such transcripts from being produced without a witness. Indeed, the simulator of the Stern protocol has exactly this ability. The malicious prover \(\bar{P}\) proceeds as follows.

  1. Commitment: \(\bar{P}\) runs \(\{(com_0,1,resp_0),(com_0,2,resp_0')\}\leftarrow S_{\varSigma }(x_0)\) and \(\{(com_1,1,resp_1),(com_1,2,resp_1')\}\leftarrow S_{\varSigma }(x_1)\), and outputs \(COM=(com_0,com_1)\).

  2. Challenge: The verifier V randomly chooses \(ch\hookleftarrow \{1,2,3\}\).

  3. Response: If \(ch=1\), \(\bar{P}\) returns \((com_0,2,resp_0')\) and \((com_1,2,resp_1')\), i.e. \((resp_0',resp_1',2,2)\); if \(ch=2\), \(\bar{P}\) returns \((com_0,1,resp_0)\) and \((com_1,1,resp_1)\), i.e. \((resp_0,resp_1,1,1)\); if \(ch=3\), \(\bar{P}\) returns \((com_0,1,resp_0)\) and \((com_1,2,resp_1')\), i.e. \((resp_0,resp_1',1,2)\).

In each case \(ch_0+ch_1=ch \bmod 3\) and both tuples pass \(V_\varSigma \), so the verifier accepts although \((x_0,x_1)\notin L_{OR}\) and \(\bar{P}\) holds no witness at all. Thus, the protocol is not sound: the composed verifier is fooled with probability 1, whereas the simulator alone can answer at most two of the three challenges of a single 3-special-sound protocol.

Preliminaries

1.1 Pseudorandom function family

A PRF family \(F: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) can be described by the following two algorithms.

  • \(k\leftarrow \text {Gen}(1^\lambda )\). Takes as input the security parameter \(1^\lambda \), and outputs a key \(k\in \mathcal {K}\).

  • \(y\leftarrow F_{k}(x)\). Evaluates the PRF with key k on the input x.

In our TRS construction, we require \(\mathcal {Y}=\{0,1\}^*\).

The standard security definition of a PRF is pseudorandomness.

Definition 9

(Pseudorandomness, [52]) A function \(F: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}\) is pseudorandom if no PPT adversary \(\mathcal {A}\) making polynomially many queries can distinguish a truly random function from \(\mathcal {F}[\mathcal {X}:\mathcal {Y}]\) from the function \(F_k\) for a random \(k \in \mathcal {K}\), where \(\mathcal {F}[\mathcal {X}:\mathcal {Y}]\) is the set of all functions with domain \(\mathcal {X}\) and range \(\mathcal {Y}\). Formally, for any PPT \(\mathcal {A}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathcal {A}^{F_{k}}\left( 1^\lambda \right) =1: k\leftarrow \text {Gen}(1^\lambda )\right] - \Pr \left[ \mathcal {A}^{O}(1^\lambda )=1: O\leftarrow \mathcal {F}[\mathcal {X}:\mathcal {Y}]\right] \right| \le \text {negl}(\lambda ). \end{aligned}$$

1.2 Non-interactive zero-knowledge proof of knowledge

A NIZKPoK \(\varPsi =(\text {Setup}_\varPsi ,\mathcal {P},\mathcal {V})\) for a relation R allows users to prove the knowledge of the witness w for a statement x s.t. \(R(x,w)=1\). More precisely, it consists of the following three algorithms.

  • \(pp\leftarrow \text {Setup}_{\varPsi }(1^\lambda ).\) Takes as input only the security parameter \(1^\lambda \), and outputs the public parameter pp.

  • \(\vartheta \leftarrow \mathcal {P}(pp,x,w).\) Takes as input pp, a public statement x and its associated witness w, and outputs a proof \(\vartheta \).

  • \(\nu \leftarrow \mathcal {V}(pp,x,\vartheta ).\) Takes as input the public parameter pp, a statement x and a proof \(\vartheta \), and outputs \(\nu =1\) if \(\vartheta \) is a valid proof for x and \(\nu =0\) otherwise.

The correctness of a NIZKPoK means that the verifier \(\mathcal {V}\) always outputs 1 for an honestly generated proof when \(R(x,w)=1\). We consider the zero-knowledge property and simulation-extractability of the NIZKPoK.

Zero-knowledge says that a verifier learns nothing from a proof beyond the validity of the statement. In the non-interactive setting this is captured by a simulator that generates the public parameter together with a trapdoor \(\tau \) and then produces, without any witness, proofs indistinguishable from real ones.

Definition 10

(Zero-knowledge) A non-interactive protocol \(\varPsi =(\text {Setup}_\varPsi ,\mathcal {P},\mathcal {V})\) for a relation R is zero-knowledge, if there exists a pair of PPT algorithms called simulator \((S_O,S_P)\) s.t. for every PPT adversary \(\mathcal {A}\), we have that

$$\begin{aligned} \begin{aligned}&|\Pr \left[ b=1:pp\leftarrow \text {Setup}_\varPsi (1^\lambda ), b\leftarrow \mathcal {A}^{\mathcal {O}_1(pp,\cdot ,\cdot )}(pp)\right] \\&\quad -\Pr \left[ b=1:(pp,\tau )\leftarrow S_O(1^\lambda ),b\leftarrow \mathcal {A}^{\mathcal {O}_2(pp,\tau ,\cdot )}(pp)\right] |\le \text {negl}(\lambda ). \end{aligned} \end{aligned}$$

where \(\mathcal {O}_1\) and \(\mathcal {O}_2\) first check that the input satisfies \((x,w)\in R\) and return \(\perp \) otherwise; \(\mathcal {O}_1\) returns \(\vartheta \leftarrow \mathcal {P}(pp,x,w)\), and \(\mathcal {O}_2\) returns \(\vartheta \leftarrow S_P(pp,\tau ,x)\).

Simulation-extractability captures that if a prover with access to the simulation oracle produces a valid proof that the simulator did not output, then an extractor (holding an extraction trapdoor e) can extract a witness from that proof.

Definition 11

(Simulation-extractability) A non-interactive protocol \(\varPsi =(\text {Setup}_\varPsi ,\mathcal {P},\mathcal {V})\) is simulation-extractable w.r.t. a simulator \((S_O,S_P)\), if there exists a PPT algorithm \(\mathcal {E}\) (called the extractor) s.t. for every PPT adversary \(\mathcal {A}\), we have that

$$\begin{aligned} \begin{aligned}&\Pr \left[ R(x,w)\ne 1 \wedge \vartheta ^* \notin \mathbb {S}\wedge \nu =1: \left( pp,\tau ,e\right) \leftarrow S_O\left( 1^\lambda \right) ,\right. \\&\quad \left. \left( x,\vartheta ^*\right) \leftarrow \mathcal {A}^{\mathcal {O}(pp,\tau ,\cdot )}(pp), \nu \leftarrow \mathcal {V}\left( pp,x,\vartheta ^*\right) , w\leftarrow \mathcal {E}^{\mathcal {A}}\left( x,\vartheta ^*,e\right) \right] \in \text {negl}(\lambda ), \end{aligned} \end{aligned}$$

where \(\mathbb {S}\) denotes all proofs output by the simulator \(S_P\), and \(\mathcal {O}(pp,\tau ,\cdot )\) on the input x returns \(S_P(pp,\tau ,x)\).

1.3 Hash family

A hash family \(\mathcal {H}\) is described by a pair of PPT algorithms \(\{\mathsf {HK},{H}_{hk}\}\) below where \(k,\nu ,\mu \) are polynomials.

  • \(\mathsf {HK}(1^{\lambda })\) outputs a hash key \(hk\in \{0,1\}^{k(\lambda )}\);

  • \({H}_{hk}(u)\) takes as inputs a hash key hk and a preimage \(u\in \{0,1\}^{\nu (\lambda )}\), and outputs a hash value \(v\in \{0,1\}^{\mu (\lambda )}\).

A hash family is said to be collision-resistant if, for any PPT adversary \(\mathcal {A}\) and a randomly generated key \(hk\leftarrow \mathsf {HK}(1^\lambda )\), \(\mathcal {A}\) given hk finds two distinct inputs \(a_1\ne a_2\) with \(H_{hk}(a_1)=H_{hk}(a_2)\) only with negligible probability.

Multi-input correlation intractability is a random-oracle-like property of a hash family, capturing the infeasibility of finding preimages \(u_1,\ldots ,u_t\) such that \((u_1,\ldots ,u_t,H_{hk}(u_1),\ldots ,H_{hk}(u_t))\) satisfies a given sparse relation. (When \(t=1\), it is referred to as single-input correlation intractability.) We follow the definition presented in [33, 40].

Definition 12

(Sparse relation) A relation ensemble \(R=\{R_{\lambda }\subset (\{0,1\}^{\nu (\lambda )})^{t(\lambda )}\times (\{0,1\}^{\mu (\lambda )})^{t(\lambda )} \}\) is sparse, if for every \((u_1,\ldots ,u_t)\) it holds that

$$\begin{aligned} \Pr \left[ \left( v_1,\ldots ,v_t\right) \leftarrow \left( \{0,1\}^{\mu (\lambda )}\right) ^{t(\lambda )}: \left( u_1,\ldots ,u_t,v_1,\ldots ,v_t\right) \in R_\lambda \right] \in \mathsf {negl}(\lambda ). \end{aligned}$$

Definition 13

(Multi-input correlation intractability) A hash family \(\mathcal {H}=(\mathsf {HK},H)\) is correlation intractable w.r.t. a relation ensemble \(R=\{R_{\lambda }\subset (\{0,1\}^{\nu (\lambda )})^{t(\lambda )}\times (\{0,1\}^{\mu (\lambda )})^{t(\lambda )} \}\), if for any efficient adversary \(\mathcal {A}\), it holds that

$$\begin{aligned} \begin{aligned}&\Pr \left[ hk\leftarrow \mathsf {HK}(1^\lambda );\left( u_1,\ldots ,u_t\right) \leftarrow \mathcal {A}(hk):\right. \\&\quad \left. \left( u_1,\ldots ,u_t,H_{hk}\left( u_1\right) ,\ldots ,H_{hk}(u_t)\right) \in R_\lambda \right] \in \mathsf {negl}(\lambda ). \end{aligned} \end{aligned}$$

In the (quantum) random oracle model, the simplest instantiation is a (quantum) random oracle, which provably satisfies multi-input correlation intractability w.r.t. every sparse relation. In the standard model, a hash family satisfying this property for all sparse relations does not exist [17], but a few constructions [33, 40] have been given for restricted classes of sparse relations. We note in advance that the hash family needed in this work might not be instantiable by the existing standard-model constructions [33, 40]. Nonetheless, we analyze our construction under the assumption that \(\mathcal {H}\) is multi-input correlation intractable instead of modeling it as a (quantum) random oracle. The details are discussed in Sect. 3.

1.4 Computational problems and useful results in lattice-based cryptography

On lattices, there are several well-studied computational problems.

Definition 14

(\( {SIS}_{n,m,q,\beta }\), [2]) Let \(n,m,q\in \mathbb {N}\) and let \(\beta >0\) be a real number. The Small Integer Solution (SIS) problem is: given a uniformly random matrix \(\mathbf {A}\in \mathbb {Z}_{q}^{n\times m}\), find a non-zero vector \(\mathbf {e}\in \mathbb {Z}^m\) such that \(\mathbf {A}\cdot \mathbf {e}=\mathbf {0}\bmod q\) and \(\Vert \mathbf {e}\Vert _{\infty }\le \beta \), where \(\Vert \cdot \Vert _{\infty }\) denotes the infinity norm (the maximal absolute value of an entry).

Definition 15

(\( {LWE}_{n,q,\chi }\), [44]) Let \(n,q\ge 2\), \(\mathbf {s}\in \mathbb {Z}_q^n\), and let \(\chi \) be an efficiently samplable B-bounded distribution over \(\mathbb {Z}\). The distribution \(A_{\mathbf {s},\chi }\) over \(\mathbb {Z}_q^n\times \mathbb {Z}_q\) is obtained by sampling \(\mathbf {a}\hookleftarrow \mathbb {Z}_q^n\) and \(e\hookleftarrow \chi \) and returning \((\mathbf {a},b=\langle \mathbf {a},\mathbf {s}\rangle +e \bmod q)\). The (decisional) Learning with Errors (\(\text {LWE}_{n,q,\chi }\)) problem is: given \(m=poly(n)\) samples that are either all drawn from \(A_{\mathbf {s},\chi }\) or all drawn from the uniform distribution over \(\mathbb {Z}_q^n\times \mathbb {Z}_q\), decide which distribution the m samples come from.

The following lemma is proved in [7], which implies a reduction from the \(\text {LWE}\) problem to the Learning with Rounding (LWR) [7] problem.

Lemma 8

Let \(\chi \) be a B-bounded distribution over \(\mathbb {Z}\). Let \(q\ge p\cdot B\cdot n^{\omega (1)}\). Then, for any distribution over \(\mathbf {s}\in \mathbb {Z}_q^n\),

$$\begin{aligned} \Pr \left[ \lfloor \mathbf {A}\cdot \mathbf {s}\rceil _p\ne \lfloor \mathbf {A}\cdot \mathbf {s}+\mathbf {e}\rceil _p: \mathbf {A}\hookleftarrow \mathbb {Z}_q^{m\times n}, \mathbf {e}\hookleftarrow \chi ^m\right] =\text {negl}(n). \end{aligned}$$
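As an added illustration of what the condition \(q\ge p\cdot B\cdot n^{\omega (1)}\) buys (a constructed example, not code from the paper or from [7]), the following simulation draws \(\mathbf {A}\) and \(\mathbf {s}\) uniformly, draws a B-bounded error uniformly from \([-B,B]\), and counts how often rounding \(\mathbf {A}\cdot \mathbf {s}\) and \(\mathbf {A}\cdot \mathbf {s}+\mathbf {e}\) to \(\mathbb {Z}_p\) disagrees coordinate-wise. It assumes the floor form of the rounding map, \(\lfloor x\rceil _p=\lfloor p\cdot x/q\rfloor \), and \(p\mid q\); the only fact it relies on is that a coordinate can differ only when a rounding boundary (a multiple of q/p) falls between \(x=\langle \mathbf {a},\mathbf {s}\rangle \) and \(x+e\), which for uniform x happens with probability \(|e|\cdot p/q\le B\cdot p/q\).

```python
"""Rounding mismatch between floor(A s)_p and floor(A s + e)_p, the quantity bounded in Lemma 8.

Constructed example, not from the paper.  Per coordinate, rounding to Z_p disagrees exactly
when a multiple of q/p lies between x = <a, s> and x + e, so for x uniform in Z_q the
mismatch probability is |e| * p / q <= B * p / q.  That is why the lemma needs q >> p * B.
"""
import random


def round_p(x, q, p):
    """Floor variant of the rounding map Z_q -> Z_p (nearest-integer rounding only shifts boundaries)."""
    return (p * x) // q


def mismatch_rate(n, m, q, p, B, seed=7):
    """Fraction of m coordinates of A s on which rounding A s and A s + e disagrees.

    A uniform in Z_q^{m x n}, s uniform in Z_q^n, e uniform in [-B, B] (a B-bounded error).
    """
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    bad = 0
    for _ in range(m):
        a = [rng.randrange(q) for _ in range(n)]
        x = sum(ai * si for ai, si in zip(a, s)) % q
        e = rng.randint(-B, B)
        bad += round_p(x, q, p) != round_p((x + e) % q, q, p)
    return bad / m


def per_coordinate_bound(q, p, B):
    """Upper bound B * p / q on the per-coordinate mismatch probability (exact when p | q and q/p >= B)."""
    return B * p / q
```

With p = 4 and B = 2, `mismatch_rate(8, 4000, 64, 4, 2)` is close to 0.075 (the expectation \(\mathbb {E}|e|\cdot p/q\)) and never exceeds `per_coordinate_bound(64, 4, 2)` = 0.125, while `mismatch_rate(8, 4000, 2**24, 4, 2)` is essentially 0. The lemma's \(n^{\omega (1)}\) factor is what drives the union bound over all m coordinates, \(m\cdot B\cdot p/q\), to a negligible quantity.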

The following lemma is directly from [1] and [44]. It is a generalization of the leftover hash lemma [8].

Lemma 9

Let \(m>(n+1)\log q+\omega (\log n)\) and q be prime. Let \(\mathbf {A},\mathbf {B} \hookleftarrow \mathbb {Z}_{q}^{m\times n}\), and \(\mathbf {R}\hookleftarrow \{-1,1\}^{m\times m}\). We have \((\mathbf {A},\mathbf {B})\approx (\mathbf {A},\mathbf {R}\cdot \mathbf {A}). \)

This result can be easily extended to the following corollary.

Corollary 4

Let \(m>(n+1)\log q+\omega (\log n)\) and q be prime, \(L=\text {poly}(n)\). Let \(\mathbf {A},\mathbf {B}_1,\ldots ,\mathbf {B}_L \hookleftarrow \mathbb {Z}_{q}^{m\times n}\), and \(\mathbf {R}_1,\ldots ,\mathbf {R}_L\hookleftarrow \{-1,1\}^{m\times m}\). We have \((\mathbf {A},\mathbf {B}_1,\ldots ,\mathbf {B}_L)\approx (\mathbf {A},\mathbf {R}_1\cdot \mathbf {A},\ldots ,\mathbf {R}_L\cdot \mathbf {A})\).

1.5 Stern protocols

Stern protocols [47] are a special class of sigma protocols. In each execution of a Stern protocol, the transcript between the prover and the verifier consists of three messages \((com, ch, resp)\). The first message com, called the commitment, and the third message resp, called the response, are sent by the prover; the second message ch, called the challenge, is sampled uniformly from a fixed domain by the verifier. Stern protocols were originally proposed for demonstrating possession of a short vector w.r.t. a syndrome matrix [47], and have recently been used to prove many relations appearing in lattice-based cryptography [38]. More precisely, Stern protocols can prove relations that can be transformed into the following relation, which we call the Stern relation.

Definition 16

(Stern Relation) Let \(\mathbb {V}\subset \{-1,0,1\}^{d}\), and let \(n_i,d_i,q_i\) be positive integers for \(i\in [N]\) with \(\sum _{i=1}^N d_i=d\). The Stern relation is defined as

$$\begin{aligned} \begin{aligned} R_{S}=&\left\{ \left\{ \left( \mathbf {M}_i\in \mathbb {Z}_{q_i}^{n_i\times d_i},\mathbf {v}_i\in \mathbb {Z}_{q_i}^{n_i}\right) \right\} _{[N]};\varUpsilon _i\in \{-1,0,1\}^{d_i}:\right. \\&\left. \mathbf {M}_i\cdot \varUpsilon _i=\mathbf {v}_i \bmod q_i, \forall i\in [N], \left( \varUpsilon _1^T|\ldots |\varUpsilon _N^T\right) \in \mathbb {V}\right\} . \end{aligned} \end{aligned}$$

Permutations are the main technique used in Stern protocols. To handle a Stern relation, we need an eligible set of permutations (ESP) for the set \(\mathbb {V}\), defined as follows.

Definition 17

(Eligible Set of Permutations (ESP)) Let \(\mathbb {S}\) be a finite set s.t. each element \(\varphi \in \mathbb {S}\) can be associated with a permutation \(\varPhi _{\varphi }\) over d elements. We say that \(\mathbb {E}_S=\{\varPhi _{\varphi }|\varphi \in \mathbb {S}\}\) is an eligible set of permutations for \(\mathbb {V}\) if

$$\begin{aligned} \left\{ \begin{aligned}&\varUpsilon \in \mathbb {V}\Longleftrightarrow \varPhi _{\varphi }(\varUpsilon )\in \mathbb {V};\\&\text {if }\varUpsilon \in \mathbb {V}\text { and }\varphi \text { is uniform in }\mathbb {S},\text { then }\varPhi _{\varphi }(\varUpsilon ) \text { is uniform in }\mathbb {V}. \end{aligned} \right. \end{aligned}$$

For a Stern relation \(R_S\) with an ESP \(\mathbb {E}_S\), Libert et al. [37] presented a Stern protocol, to demonstrate the knowledge of \(\{\varUpsilon _i\}_{[N]}\) for the public tuple \(\{(\mathbf {M}_i,\mathbf {v}_i)\}_{[N]}\). Their results can be summarized in the following lemma.

Lemma 10

([37]) Assuming an ESP \(\mathbb {E}_S=\{\varPhi _{\varphi }|\varphi \in \mathbb {S}\}\) for the set \(\mathbb {V}\) of the Stern relation \(R_{S}\), there is a Stern protocol for \(R_S\) with transcript size \(\widetilde{\mathcal {O}}(\sum _i d_i\cdot \log q_i)\). In particular, the Stern protocol is perfectly complete, and has the following properties.

  1. Statistical Honest-Verifier Zero-Knowledge: There exists a PPT algorithm, called the simulator, that takes as input \(\{\mathbf {M}_i,\mathbf {v}_i \}_{[N]}\) and outputs an accepting transcript whose distribution is statistically close to that of a transcript produced by the real prover and the real verifier.

  2. 3-Special Soundness: There exists a PPT algorithm, called the extractor, that takes as input a commitment com and valid responses \((resp_1,resp_2,resp_3)\) to three distinct challenges \((ch_1,ch_2,ch_3)\), and outputs a witness \(W= (\varUpsilon _1^T|\ldots |\varUpsilon _N^T)\in \mathbb {V}\) s.t. \(\mathbf {M}_i\cdot \varUpsilon _i=\mathbf {v}_i\), \(\forall i\in [N]\).

We refer readers to [37] for a full description of Stern protocols.
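The following is an added, self-contained example, not code from the paper or from [37], that implements a toy Stern protocol for the original syndrome relation of [47] (knowledge of a vector of Hamming weight exactly w with \(\mathbf {M}\cdot \mathbf {x}=\mathbf {v} \bmod q\)), with the three-way challenge, hash commitments, and the two properties summarised in Lemma 10, and then runs the attack of the first appendix against the Cramer et al. OR composition of it. Everything in it is constructed: the parameters q = 7, n = 4, d = 6, w = 2 are toy values chosen so that the language can be brute-forced, the commitment is SHA-256 over the message and a nonce, and the matrix is kept in systematic form \([\mathbf {I}_n|\mathbf {M}']\) so that the simulator can solve \(\mathbf {M}\cdot \mathbf {x}'=\mathbf {v}\) without any lattice machinery.

```python
"""Toy Stern protocol for a weight-w syndrome relation and the OR-composition attack of Appendix A.

Constructed example, not code from the paper; parameters are tiny so that the language can be
brute-forced, and nothing here is meant to be secure.
"""
import hashlib
import itertools
import random

q, n, d, w = 7, 4, 6, 2    # M in Z_q^{n x d}; a witness x has M x = v mod q and Hamming weight w
rng = random.Random(2021)  # fixed seed: a deterministic toy, not a source of real randomness

def commit(data, nonce):
    """Hash commitment Com(data; nonce); its binding property is all the attack relies on."""
    return hashlib.sha256(repr(data).encode() + nonce).hexdigest()

def fresh():
    return rng.getrandbits(128).to_bytes(16, "big")

def mul(M, x):
    return tuple(sum(a * b for a, b in zip(row, x)) % q for row in M)

def add(x, y):
    return tuple((a + b) % q for a, b in zip(x, y))

def sub(x, y):
    return tuple((a - b) % q for a, b in zip(x, y))

def perm(pi, x):
    return tuple(x[i] for i in pi)

def weight(x):
    return sum(1 for a in x if a)

def transcripts(M, v, x):
    """One commitment and the responses to all three challenges, computed from a vector x.

    With a real witness every response verifies.  The simulator below passes a vector with
    M x = v but the wrong weight: responses 1 and 2 never open x, so they still verify; only
    response 3 fails its weight check.  Two accepting transcripts are all Appendix A needs.
    """
    r = tuple(rng.randrange(q) for _ in range(d))
    pi = list(range(d))
    rng.shuffle(pi)
    pi, y = tuple(pi), add(x, r)
    n1, n2, n3 = fresh(), fresh(), fresh()
    com = (commit((pi, mul(M, r)), n1), commit(perm(pi, r), n2), commit(perm(pi, y), n3))
    resp = {1: (pi, y, n1, n3), 2: (pi, r, n1, n2), 3: (perm(pi, x), perm(pi, r), n2, n3)}
    return com, resp

def verify(M, v, com, ch, resp):
    """Stern verifier: each challenge opens two of the three commitments."""
    a, b, na, nb = resp
    if ch == 1:  # a = pi, b = y = x + r: c1 against M y - v (= M r), c3 against pi(y)
        return com[0] == commit((a, sub(mul(M, b), v)), na) and com[2] == commit(perm(a, b), nb)
    if ch == 2:  # a = pi, b = r: c1 against M r, c2 against pi(r)
        return com[0] == commit((a, mul(M, b)), na) and com[1] == commit(perm(a, b), nb)
    # ch == 3: a = pi(x), b = pi(r): c2, c3, and pi(x) must have weight w
    return com[1] == commit(b, na) and com[2] == commit(add(a, b), nb) and weight(a) == w

def fake_witness(v):
    """M = [I_n | M'] is systematic, so x' = (v, 0, ..., 0) has M x' = v for ANY syndrome v."""
    return tuple(v) + (0,) * (d - n)

def sim_two(M, v):
    """Simulator producing valid responses for challenges 1 and 2 under one commitment."""
    com, resp = transcripts(M, v, fake_witness(v))
    return com, {1: resp[1], 2: resp[2]}

def make_matrix():
    return [tuple(int(i == j) for j in range(n)) + tuple(rng.randrange(q) for _ in range(d - n))
            for i in range(n)]

def hard_statements(M, count):
    """Syndromes with no weight-w preimage, i.e. statements outside the relation (brute force)."""
    hit = set()
    for idx, vals in itertools.product(itertools.combinations(range(d), w),
                                       itertools.product(range(1, q), repeat=w)):
        x = [0] * d
        for i, a in zip(idx, vals):
            x[i] = a
        hit.add(mul(M, x))
    return [v for v in itertools.product(range(q), repeat=n) if v not in hit][:count]

def or_verify(stmts, COM, ch, resp0, resp1, ch0, ch1):
    """Verifier of the (1, 2) OR composition from Appendix A (challenges taken mod 3)."""
    return (verify(*stmts[0], COM[0], ch0, resp0) and verify(*stmts[1], COM[1], ch1, resp1)
            and (ch0 + ch1 - ch) % 3 == 0)

def cheating_prover(stmts):
    """Malicious prover of Appendix A: prepares challenges {1, 2} for both statements up front."""
    sims = [sim_two(M, v) for M, v in stmts]
    split = {1: (2, 2), 2: (1, 1), 3: (1, 2)}  # prepared pairs with ch0 + ch1 = ch mod 3

    def respond(ch):
        c0, c1 = split[ch]
        return sims[0][1][c0], sims[1][1][c1], c0, c1

    return (sims[0][0], sims[1][0]), respond

def honest_check():
    """Completeness: a real witness answers all three challenges."""
    M, x = make_matrix(), (0, 3, 0, 0, 5, 0)
    com, resp = transcripts(M, mul(M, x), x)
    return [verify(M, mul(M, x), com, ch, resp[ch]) for ch in (1, 2, 3)]

def run_attack():
    """Returns (plain, composed): against the plain Stern verifier the simulator fails challenge 3,
    but the OR verifier accepts every challenge although both statements are outside the relation."""
    M = make_matrix()
    stmts = [(M, v) for v in hard_statements(M, 2)]
    com, resp = transcripts(M, stmts[0][1], fake_witness(stmts[0][1]))
    plain = [verify(M, stmts[0][1], com, ch, resp[ch]) for ch in (1, 2, 3)]
    COM, respond = cheating_prover(stmts)
    composed = [or_verify(stmts, COM, ch, *respond(ch)) for ch in (1, 2, 3)]
    return plain, composed
```

`run_attack()` returns `([True, True, False], [True, True, True])`: on its own the simulator answers only two of the three Stern challenges, which is exactly the soundness error 2/3 that repetition drives down, but the additive challenge split of the composition lets the cheating prover pick, for every verifier challenge, a pair of prepared challenges that sums to it, so the composed verifier accepts for two statements that have no witness at all. Any OR composition of a 3-special-sound protocol has to close this gap, which is why the appendix concludes that the Cramer et al. technique cannot be applied as is.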

1.6 Merkle-tree-based accumulator

An accumulator is a one-way membership function that takes as input a set R and outputs a constant-size value u. At the same time, each value \(d\in R\) has a short witness w that convinces verifiers that d was accumulated into u.

In this work, we consider Merkle-tree-based accumulators. In general, such an accumulator scheme consists of four algorithms (A-Setup, A-Acc, A-Witness, A-Verify). A-Setup\((\lambda )\) generates a key for the hash function, which serves as the public parameter pp. A-Acc(pp, R) accumulates all elements of R by taking each element as a leaf of a Merkle tree and outputting the root u as the accumulator value. A-Witness(pp, R, u, d) outputs the hash path of d in the Merkle tree (the siblings along the path from the leaf d to the root) as the witness w. A-Verify(pp, u, d, w) recomputes the root from d along w and checks whether it equals u.

Roughly speaking, the correctness of an accumulator scheme means that

$$1\leftarrow \text {A-Verify}(pp,u,d,\text {A-Witness}(pp,R,u,d)), \text{ where } u=\text {A-Acc}(pp,R), \text{ for } \text{ all } d\in R$$

holds for all \(pp\leftarrow \text {A-Setup}(\lambda )\). We call an accumulator scheme secure if no PPT adversary can forge a witness \(w^*\) for some \(d^*\notin R\) s.t. A-Verify\((pp,u,d^*,w^*)=1\). For formal definitions we refer to [36].

Libert et al. [36] presented a lattice-based accumulator scheme by instantiating the Merkle tree with a carefully designed hash function \(\mathcal {H}=(Gen,h)\). In detail,

$$\begin{aligned} Gen(\lambda ):= \mathbf {A}=\left[ \mathbf {A}_0|\mathbf {A}_1\right] \hookleftarrow \mathbb {Z}_q^{n\times (m+m)},\quad h_{\mathbf {A}}\left( \mathbf {u}_0,\mathbf {u}_1\right) := \text {bin}\left( \mathbf {A_0}\mathbf {u}_0+\mathbf {A_1}\mathbf {u}_1\right) , \end{aligned}$$
(A)

where \(n,q,m\in \mathbb {N}\), \(\mathbf {u}_0,\mathbf {u}_1\in \{0,1\}^{m}\), and the map \(\text {bin}:\mathbb {Z}_q^n\rightarrow \{0,1\}^{n\lceil \log q\rceil }\) replaces each entry of a vector by its binary expansion. In particular, we set \(m=n\lceil \log q\rceil \) when \(\mathcal {H}\) is used in the accumulator, so that a hash value is again a valid half-input of \(h_{\mathbf {A}}\) and the tree can be hashed level by level up to the root.

Lemma 11

([36]) The function family \(\mathcal {H}\) is collision-resistant, if the \(\text {SIS}_{n,2m,q,1}\) problem is hard.

Lemma 12

([36]) The accumulator scheme is correct and secure, assuming the hardness of \(\text {SIS}_{n,2m,q,1}\) problem.

Libert et al. [36] also presented a Stern protocol \(\varPsi _A\) with proof size \(\widetilde{\mathcal {O}}(n\log L \cdot \log q )\) to demonstrate that a secret element \(\mathbf {d}\in \{0,1\}^m\) was accumulated into a public accumulator value \(\mathbf {u}\) computed from a set R with L elements.
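The following is an added example, constructed here and not the authors' code nor an implementation of the parameters of [36], of the four accumulator algorithms above instantiated with the hash \(h_{\mathbf {A}}\) of equation (A) and \(m=n\lceil \log q\rceil \). It uses toy values n = 4 and q = 17, for which \(\text {SIS}_{n,2m,q,1}\) is trivially easy, so it shows the data flow of A-Setup, A-Acc, A-Witness and A-Verify and the check that a tampered leaf is rejected, not a security level. Two conventions are assumptions of this example only: the witness is the list of (side, sibling) pairs along the hash path from the leaf to the root, and the accumulated set is padded to a power of two with the all-zero leaf.

```python
"""Merkle-tree accumulator over the lattice hash h_A(u0, u1) = bin(A0 u0 + A1 u1) of [36].

Constructed toy example, not the authors' code.  n and q are tiny, so SIS_{n,2m,q,1} is easy
here; the point is the algorithm, not the security level.  A collision of h_A, i.e. u != u' in
{0,1}^{2m} with the same hash, would give e = u - u' with A e = 0 mod q and ||e||_inf = 1.
"""
import math
import random

n, q = 4, 17
k = math.ceil(math.log2(q))   # bits per Z_q coordinate (17 needs 5 bits)
m = n * k                     # m = n * ceil(log q): a digest is again an m-bit half-input


def a_setup(seed=0):
    """pp = A = [A0 | A1] uniform in Z_q^{n x 2m}; A0 is the first m columns, A1 the rest."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(2 * m)] for _ in range(n)]


def binary(v):
    """bin: Z_q^n -> {0,1}^{n k}, each coordinate replaced by its k-bit little-endian expansion."""
    return [(c >> i) & 1 for c in v for i in range(k)]


def h(A, u0, u1):
    """h_A(u0, u1) = bin(A0 u0 + A1 u1 mod q) for u0, u1 in {0,1}^m."""
    u = list(u0) + list(u1)
    return binary([sum(a * b for a, b in zip(row, u)) % q for row in A])


def _pad(leaves):
    level = [list(x) for x in leaves]
    while len(level) & (len(level) - 1):   # pad to a power of two with the zero leaf (assumption)
        level.append([0] * m)
    return level


def _parents(A, level):
    return [h(A, level[i], level[i + 1]) for i in range(0, len(level), 2)]


def a_acc(A, leaves):
    """A-Acc: root of the Merkle tree whose leaves are the accumulated m-bit vectors."""
    level = _pad(leaves)
    while len(level) > 1:
        level = _parents(A, level)
    return level[0]


def a_witness(A, leaves, idx):
    """A-Witness: hash path of leaves[idx] as (side, sibling) pairs from the leaf up to the root."""
    level, path = _pad(leaves), []
    while len(level) > 1:
        path.append((idx & 1, level[idx ^ 1]))   # side 1 means d is the right child
        level, idx = _parents(A, level), idx >> 1
    return path


def a_verify(A, u, d, w):
    """A-Verify: recompute the root from d along the path w and compare it with u."""
    cur = list(d)
    for side, sib in w:
        cur = h(A, sib, cur) if side else h(A, cur, sib)
    return cur == u


def demo():
    """Five random members verify; a member with one flipped bit does not."""
    A, rng = a_setup(), random.Random(1)
    leaves = [[rng.randrange(2) for _ in range(m)] for _ in range(5)]   # padded to 8 leaves
    u = a_acc(A, leaves)
    members_ok = all(a_verify(A, u, leaves[i], a_witness(A, leaves, i)) for i in range(5))
    tampered = list(leaves[2])
    tampered[0] ^= 1
    return members_ok, a_verify(A, u, tampered, a_witness(A, leaves, 2))
```

`demo()` returns `(True, False)`. The witness for a set of L elements has \(\lceil \log L\rceil \) siblings of m bits each, which is the logarithmic size that the Stern protocol \(\varPsi _A\) proves knowledge of; a forged witness for a non-member would have to produce a collision of \(h_{\mathbf {A}}\) somewhere along the path, which is what Lemma 12 reduces to SIS.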


Cite this article

Feng, H., Liu, J., Li, D. et al. Traceable ring signatures: general framework and post-quantum security. Des. Codes Cryptogr. 89, 1111–1145 (2021). https://doi.org/10.1007/s10623-021-00863-x

