1 Introduction
-
Anonymous online bidding at auction Particularly for high value items bidders at auction often wish to remain anonymous. This scheme allows bidders to remain anonymous, but ensures that a successful bidder, having second thoughts, is unable to deny that they made the winning bid. The auction house knows where the bids are coming from and can, if necessary, find out the identity of the winning bidder.
-
Online criminal detection and reward system The police rely on information from the public and, for serious crimes, often offer rewards for useful information. This scheme allows an informant to initially provide information anonymously and then, once the criminal is safely behind bars, to claim their reward while preventing someone else fraudulently doing so.
-
Anonymous disclosure system Many organizations encourage workers to report illegal or abusive behavior by their colleagues. This scheme allows workers to do so anonymously, while guarding against malicious accusations as if an accusation is found to be false the accuser can always be traced.
-
Non-frameable official e-signatures A group of workers in an office can all be given the authority to sign contracts and the other party to the contract knows that they have received a valid signature. The workers in the office know that they must take proper care when signing contracts as, if necessary, the signature of the contract can be traced back to them. Obviously, this could be achieved using a group signature, but knowing that the signed document came from a known set of individuals can make the recipient feel more trusting and help build the business relationship.
1.1 Contributions
1.2 Related works
2 Preliminaries
2.1 Notation
2.2 Collision-resistant hash functions
2.3 Statistical distance
3 Syntax and security properties of an NDRS scheme
3.1 Syntax
-
\(\mathsf {Setup}(1^k)\). This setup algorithm generates the system parameters, and it takes as input a positive integer k that is a security parameter, and outputs a set of public system parameters denoted by \(\mathbb {P}\).
-
\(\mathsf {KeyGen}(\mathbb {P})\). This key generation algorithm takes as input the system parameters \(\mathbb {P}\), and outputs a public/secret key pair for each possible signer. If the index of the signer is i, the key pair is denoted by \((pk_i, sk_i)\).
-
\(\mathsf {Sign}(\mathbb {P}, R, sk_j, \mu )\). This signing algorithm takes as input the system parameters \(\mathbb {P}\), a set of l public keys R belonging to l ring members (for simplicity, let \(R = (pk_1,\)\(\ldots , pk_l)\)), a secret key of a real signer (\(j \in [l]\)) \(sk_j\) and a message to be signed \(\mu \), and outputs a ring signature \(\sigma \).
-
\(\mathsf {Verify}(\mathbb {P}, R, \mu , \sigma )\). This verification algorithm takes as input the system parameters \(\mathbb {P}\), the set of ring member public keys R, the message to be signed \(\mu \) and the ring signature \(\sigma \), and outputs “accept” or “reject”.
-
\(\mathsf {EvidenceGen}(\mathbb {P}, R, sk_i, \mu , \sigma )\). This evidence generation algorithm takes as input the system parameters \(\mathbb {P}\), the set of \(\ell \) ring member public keys R, a secret key of the evidence generator (\(i \in [\ell ]\)) \(sk_i\), the message to be signed \(\mu \) and the ring signature \(\sigma \), and outputs a piece of evidence \(\xi _{i}\).
-
\(\mathsf {EvidenceCheck}(\mathbb {P}, R, i, \xi _{i}, \mu , \sigma )\). This evidence checking algorithm takes as input the system parameters \(\mathbb {P}\), the set of ring member public keys R, the index of the ring member, the evidence \(\xi _{i}\), the message that was signed \(\mu \) and the signature \(\sigma \), and outputs “confirmation”, “disavowal” or “failed”.
3.2 Security properties
-
Correctness The scheme is correct provided that any ring signature generated by the signing algorithm properly is accepted by the verification algorithm and the signer of the ring signature is identified by the confirmation/disavowal protocol.
-
Anonymity This property is preserved provided that a ring signature hides the identity of the real signer within all the ring members. This condition will, of course, be negated if the ring members are required to confirm or disavow their part in any signature.
-
Traceability This property is preserved provided that any adversary cannot produce a ring signature that can pass the verification algorithm, but with this signature, no entity is detected as the real signer by the confirmation/disavowal protocol.
-
Non-frameability This property is preserved provided that any adversary cannot produce a ring signature that can pass the verification algorithm, but with this signature, an entity, whose signing key is not known by the adversary, is detected as the real signer by the confirmation/disavowal protocol.
-
\(\mathsf {Add}(i)\) : The adding user oracle with the input i is invoked to add an honest signer with identity i to List. If a signer with identity i already exists, then the oracle returns \(\epsilon \) that indicates the query is invalid. Otherwise, the oracle runs the key generation algorithm to create a public/secret key pair (\(pk_i\), \(sk_i\)) for the signer, adds the signer along with the key to List, and then returns \(pk_i\).
-
\(\mathsf {Reg}(i, pk_i)\) : Using the signer register oracle with the input of the identity i and the corresponding public key \(pk_i\), an adversary can register a new signer i with the public key \(pk_i\) in List. The oracle also adds the signer to MList.
-
\(\mathsf {Crpt}(i)\) : The corrupting oracle with the input i is utilized to corrupt the signer whose identity is i. An adversary can draw the secret key \(sk_i\) of the signer from the oracle. If the signer i does not exist yet, the oracle can first call the adding oracle internally and then respond to the corrupting oracle. The oracle also adds the signer to MList.
-
\(\mathsf {DRSig}(i_k;M,i_1,\ldots , i_{k-1}, i_{k+1},\ldots , i_l)\) : The deniable ring signing oracle is given the identity of a real signer with index \(i_k\), a message M, and identities of a set of entities \(i_1 ,\ldots , i_{k-1}\), \(i_{k+1},\ldots , i_l\), who with \(i_k\) form a ring, and outputs a deniable ring signature \(\sigma \) associated with the ring.
-
\({\textsf {Ch}}_{\textsf {b}}(i_0, i_1,M)\) : The challenge oracle is utilized in the definition of the anonymity. Given two indexes \((i_0, i_1)\), a message M and a challenge bit \(b\in \{0,1\}\), the oracle returns a target non-interactive deniable ring signature \(\mathsf {Sign}(\mathbb {P},\{pk_{i_0}, pk_{i_1}\},sk_{i_b},M)\) on the message M with the signer ring members of \(i_0\) and \(i_1\). The challenge oracle adds the target signature to GSet. Note that an adversary cannot corrupt either of the signers \(i_0\) and \(i_1\); moreover, the adversary cannot access the \(\mathsf {EGen}\) query for a target signature within \(\mathsf {GSet}\).
-
\(\mathsf {EGen}(i,M,\sigma )\) : The evidence generation oracle, given the identity i and message-signature pair \((M,\sigma )\), where \(\sigma \) is a deniable ring signature and i is one of the associated ring members, returns a piece of evidence demonstrating whether the entity i is the real signer of the signature \(\sigma \) or not. This oracle will reject the query if the signature being input is an output from the challenge oracle in the experiment of anonymity.
-
\(\mathsf {Hash}(m)\) : If security of an NDRS scheme is based on a random oracle model, this oracle, given a input data string with an arbitrary length, outputs a random number with a fixed length.
3.2.1 Correctness
-
the signature \(\sigma \) generated by the \(\mathsf {Sign}\) algorithm properly is accepted by the \(\mathsf {Verify}\) algorithm;
-
the real signer of the signature \(\sigma \) is identified by the output of the \(\mathsf {EvidenceGen}\) algorithm;
-
the non-real signer of the signature \(\sigma \) is cleared by the output of the \(\mathsf {EvidenceGen}\) algorithm.
3.2.2 Anonymity
3.2.3 Traceability
3.2.4 Non-frameability
4 Construction of NDRS
4.1 \(\mathsf {Setup}(1^{k})\)
k
| integer security parameter |
n
| integer: power of 2 greater than k |
p
| prime: order of \(\Theta (n^{4+c})\) such that \(p\equiv 3\mod 8\) |
m
| integer: \((3+2c/3)\log n\) |
\(\mathbb {D}\)
| quotient ring of polynomials: \({\mathbb {Z}}_p[x]/\langle x^{n}+1\rangle \) |
\(D_h\)
|
\(\{g\in \mathbb {D}:\Vert g\Vert _{\infty }\le mn^{1.5}\log n+\sqrt{n}\log n\}\)
|
\(D_y\)
|
\(\{g\in \mathbb {D}:\Vert g\Vert _{\infty }\le mn^{1.5}\log n\}\)
|
\(D_z\)
|
\(\{g\in \mathbb {D}:\Vert g\Vert _{\infty }\le mn^{1.5}\log n-\sqrt{n}\log n\}\)
|
\(D_{s}\)
|
\(\{g\in \mathbb {D}:\Vert g\Vert _{\infty }\le 1\}\)
|
S
| an element of \(\mathbb {D}\): \(S \leftarrow \mathbb {D}\) and \(S \ne 0\) |
\(\mathbb {H}\)
| a family of hash functions: \(D_{h}^m \rightarrow \mathbb {D}\) |
\(H_1\)
| a hash function: \(\{0, 1\}^* \rightarrow D_{s}\) |
\(H_2\)
| a hash function: \(\{0, 1\}^* \rightarrow D_{s}\) |
\(H_3\)
| a hash function: \(\{0, 1\}^* \rightarrow D_{s}\) |
4.2 \(\mathsf {KeyGen}(\mathbb {P})\)
4.3 \(\mathsf {Sign}(\mathbb {P}, R, sk_j, \mu )\)
4.4 \(\mathsf {Verify}(\mathbb {P}, R, \mu , \sigma )\)
-
all of the inputs are in their correct places.
-
\(A \ne 0 \mod S\).
-
for \(\forall i\), check \({\hat{z}}_i\in D^{m}_{z}\).
4.5 \(\mathsf {EvidenceGen}(\mathbb {P}, R, sk_i, \mu , \sigma )\)
4.6 \(\mathsf {EvidenceCheck}(\mathbb {P}, R, i, \xi _{i},\mu , \sigma )\)
5 Security analysis
-
\(\mathsf {Add}(i)\): adding a user;
-
\(\mathsf {Reg}(i, pk_i)\): registering a signer;
-
\(\mathsf {Crpt}(i)\): corrupting a signer;
-
\(\mathsf {DRSig}(i_k, M, i_1, \ldots , i_{k-1}, i_{k+1}, \ldots , i_l)\): generating a signature;
-
\({\mathsf {C}}{\mathsf {h}}_\textsf {b}(i_0, i_1, M)\): getting a challenging signature \(\sigma _b\);
-
\(\mathsf {EGen}(i, M, \sigma )\): generating an evidence;
-
\(\mathsf {Hash}(m)\): getting a hash value.
-
\(\mathsf {Add}(i)\): If \(i\in \mathbf { List}\), return \(\perp \); otherwise generate \(h_{{\hat{a}}_i}\) for \({\hat{s}}_i\leftarrow _{R}D^{m}_{s}\), add \((i,{\hat{s}}_i, h_{{\hat{a}}_i})\) into List, and returns \(h_{{\hat{a}}_i}\).
-
\(\mathsf {Reg}(i,h_{{\hat{{{\varvec{a}}}}}_{{\varvec{i}}}})\): If \(i\in \mathbf { List}\), return \(\perp \); otherwise set \(h_{{\hat{a}}_i}\) as a public key of the signer with index i, add \((i, \cdot , h_{{\hat{a}}_i})\) into List and i into MList.
-
\(\mathsf {Crpt}(i)\): If \(i\notin \mathbf {List}\setminus \mathbf {MList}\), return \(\perp \); otherwise add i into MList and return \({\hat{s}}_i\).
-
\(\mathsf {Hash}(x_\alpha ,x_\beta ,A,{\tilde{R}},\mu ; 2/3)\): If \((x_\alpha ,x_\beta ,A,{\tilde{R}},\mu ;v)\in \mathbf {HList}\), return v. If not, choose \(v\leftarrow D_{s}\) and program \(H(x_\alpha ,x_\beta ,A\), \({\tilde{R}},\)\(\mu )=v\) for \(H = \{H_2, H_3\}\), add \((x_\alpha ,x_\beta ,A,{\tilde{R}},\mu ;v)\) into \(\mathbf {HList}\), and return v.
-
\(\mathsf {DRSign}(j, \mu , U)\): \(\forall i \in U\) including j, if \(i \notin \mathbf {List} \setminus \mathbf {MList}\), return \(\perp \). Otherwise there are two cases:(i)If \(sk_j \in \mathsf {List}\), following the \(\mathsf {Sign}\) algorithm create and return a signature \(\sigma \);(ii)If \(sk_j \notin \mathsf {List}\), choose \({\hat{b}}\) at random, set \(\sigma _j = h_{{\hat{b}}}(\hat{s_j})\) at random (note that this is handled as a random oracle without the knowledge of \(\hat{s_j}\)). Compute \(A = \sigma _j - H_1(j||{\hat{a}}_j) \cdot S\), choose \(z_i\) and \(v_i\) at random and set \(v =\sum _{i}v_i\) as \(H(\sum _{i}\alpha _i,\sum _{i}\beta _i,A,{\tilde{R}},\mu )\) (again this is handled as a random oracle without the knowledge of \(\alpha _i\) and \(\beta _i\)), then compute \(\alpha _i = h_{{\hat{a}}_i}({\hat{z}}_i) - S \cdot v_i\) and \(\beta _i = h_{{\hat{b}}}({\hat{z}}_i) - (H_1(i||{\hat{a}}_i) \cdot S + A) \cdot v_i\), and return the signature \(\sigma = ({\hat{b}}, A, {\tilde{z}}_U, {\tilde{z}}_U)\).
-
\(\mathsf {EGen}(i,\mu , \sigma )\): If \(i\notin \mathbf {List}\setminus \mathbf {MList}\), return \(\perp \). Otherwise, there are two cases:(i)If \(sk_i \in \mathsf {List}\), following the \(\mathsf {EvidenceGen}\) algorithm create and return the evidence \(\sigma _e\);(ii)If \(sk_i \notin \mathsf {List}\), forge the signature \(\sigma _e\) by controlling the random oracle hash function \(H'\) and return the value \(\sigma _e\).
-
\({\mathsf {C}}{\mathsf {h}}_\textsf {b}(i_0,i_1,\mu ^{*},R^{*})\): If \(i_0\) or \(i_1 \notin \mathbf {List}\setminus \mathbf {MList}\) return \(\perp \). Otherwise, choose \({\hat{b}}_0\), \({\hat{b}}_1\) at random, and compute \(\sigma _{i_0}\) and \(\sigma _{i_0}\) with \({\hat{s}}_{i_0}\) and \({\hat{s}}_{i_1}\), respectively, by following the \(\mathsf {Sign}\) algorithm. Choose \(b \in \{0, 1\}\) at random and return \(\sigma _{i_b}\).
-
An NDRS signature is based on Aguilar-Melchor et al’s ring signature [10] that is associated with the l-ring long-term public keys R. Via Lemma 1, we show that due to the Aguilar-Melchor et al. ring signature is unforgeable, if a given ring signature from our NDRS scheme can be accepted by running the Verify algorithm, it must be created by a “real-signer” under its private key corresponding to its public key that must be one from R.
-
A signature from the proposed NDRS scheme includes another ring signature that is associated with the ephemeral l-ring public keys \(\sigma _i\) for \(i = \{1, \ldots , l\}\). Via Lemma 2, we show that due to the Lyubashevsky signature scheme [19] is unforgeable, if a given ring signature from our NDRS scheme can be accepted by running the Verify algorithm, it must be created by a “real-signer” under its private key corresponding to its ephemeral public key that must be one from the l-ring public keys \(\sigma _i\) for \(i \in \{1, \ldots , l\}\).
-
A Schnorr-type of signature-based knowledge proof is used in our NDRS scheme as a connection between these two ring signatures. We show that due to the unforgeability of these two ring signatures and the nature of the Schnorr signature-based proof, this connection indicates that these two ring signatures must share the same real-signer, say i. This means that one of the \(\sigma _i\) value is a real public key corresponding to the real private key \(sk_i = {\hat{s}}_i\). The difference is that the long-term public key \(pk_i\) is associated with the long-term base \({\hat{a}}_i\), (i.e., \(S = h_{{\hat{a}}_i}({\hat{s}}_i)\)) and the ephemeral public key is associated with the random base \({\hat{b}}\) (i.e., \(\sigma _i = h_{{\hat{b}}}({\hat{s}}_i) \)).
-
The evidence in the proposed NDRS scheme is based on the Lyubashevsky lattice-based signature scheme [19], and it includes two Lyubashevsky signatures, both in the Schnorr-type of signature-based knowledge proof format. Using Lemma 3, we show that the evidence is also unforgeable assume that the Lyubashevsky signature is unforgeable. Following the same observation discussed before, these two signatures in the same evidence share the same private key.
6 Comparison with previous work
6.1 Wang and Sun [18]
-
Public key A matrix \({\mathbf {A}}\in {\mathbb {Z}}_q^{n\times m}\) defines a lattice, \(\Lambda ^{\perp }({\mathbf {A}})\)\(=\)\(\{{\mathbf {e}}\in {\mathbb {Z}}^m:{\mathbf {A}}{\mathbf {e}}=0 \mod q\}\).
-
Secret key A matrix \({\mathbf {B}}\in {\mathbb {Z}}^{m\times m}\), a short basis for the lattice \(\Lambda ^{\perp }({\mathbf {A}})\) with \(||{\mathbf {B}}||\le O(n\log q)\). For this comparison we take \(||{\mathbf {B}}||\le C n\log q\), for some constant C and set \(n_B=C n\log q/\sqrt{m}\).
-
Signature The ring of public keys, \({\mathbf {A}}_R=\{{\mathbf {A}}_1,\ldots ,{\mathbf {A}}_l\}\) with \({\mathbf {A}}_i\in {\mathbb {Z}}_q^{n\times m}\) and a vector \({\mathbf {e}}\in {\mathbb {Z}}^{N m}\) with \(||{\mathbf {e}}||\le r\sqrt{l m}\).
6.2 Aguilar-Melchor et al. [10]
-
Public key A vector of polynomials, \({\hat{a}}\in \mathbb {D}^m\).
-
Secret key A vector of polynomials, \({\hat{s}}\in \mathbb {D}^m_{s}\).
-
Signature The ring of public keys, \(\{{\hat{a}}_1, \ldots , {\hat{a}}_l\}\) with \({\hat{a}}_i\in \mathbb {D}^m\), a vector \({\tilde{z}}_U=({\hat{z}}_1, \ldots , {\hat{z}}_l)\) with \({\hat{z}}_i\in \mathbb {D}^m_z\) and a polynomial, \(v\in \mathbb {D}_{s}\).
6.3 Our scheme
-
Signature The ring of public keys, \(\{{\hat{a}}_1, \ldots , {\hat{a}}_l\}\) with \({\hat{a}}_i\in \mathbb {D}^m\), a vector of polynomials, \({\hat{b}}\in \mathbb {D}^m\), a polynomial, \(A\in \mathbb {D}\), a vector \({\tilde{z}}_U=({\hat{z}}_1, \ldots , {\hat{z}}_l)\) with \({\hat{z}}_i\in \mathbb {D}^m_z\) and a vector of polynomials, \({\tilde{v}}_U=(v_1, \ldots , v_l)\) with \(v_i\in \mathbb {D}_{s}\).