Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

A deniable ring signature can be regarded as a group signature without a group manager, in which a signer is capable of signing a message anonymously, but, if necessary, each ring member is allowed to confirm or disavow its involvement in the signature via an interactive mechanism between the ring member and the verifier. This attractive feature gives deniable ring signatures many applications in the real world. In this work, we propose an efficient scheme with signature size logarithmic in the cardinality of the ring. From a high level, we adapt Libert et al.’s zero-knowledge argument system (Eurocrypt 2016) to allow the prover to convince the verifier that its witness satisfies an additional condition. Then, using the Fiat-Shamir transformation, we get a non-interactive deniable ring signature scheme that satisfies anonymity, traceability, and non-frameability under the small integer solution assumption in the random oracle model.


Introduction
Ring signatures were first formalized by Rivest et al. [1] to deal with situations such as leaking secrets anonymously. Specifically, a signer first picks several public keys to form a ring; then, it generates a signature anonymously on behalf of the ring using its secret key. No verifier is able to get any information about the real signer, except that the message is signed by one of the ring members. This appealing feature has given ring signatures various applications in cryptography [1][2][3]. In some situations, however, the anonymity feature is not always desirable, as it allows a user who signs a false message to shift the blame to other ring members.
It is well-known that group signatures [4][5][6][7][8][9] can prevent members from abusing anonymity: users are able to sign messages anonymously, but, when a dispute occurs, the group manager possessing a group master secret key is capable of revoking the anonymity of misbehaving signers. However, group signatures cannot handle the leaking secrets scenario, as the manager is always able to trace the real signer who leaks a piece of invaluable information. Besides, group signatures incur much higher costs for managing a dynamic group. Finally, the members are anxious that their anonymity will be or has been violated by the manager without notification.
In 2006, Komano et al. [10] formalized the notion of Deniable Ring Signature (DRS), which is as flexible as the ring signature and allows the members to confirm whether they are the real signer or not. Specifically, by using an interactive mechanism between the ring member and the verifier, it enables the real signer to confirm its signing action and allows other ring members to deny their involvement. In short, DRS can be regarded as a 'lightweight' group signature, i.e., group signature without the manager. For the security requirements, the DRS should satisfy:
• Anonymity: Any adversary should not get any information from the signature, unless the ring members are required to confirm or disavow their involvement in the signature.
• Traceability: Any adversary should not generate a valid ring signature such that no member will be detected as the real signer via the confirmation/disavowal protocol. In other words, the real signer cannot deny its signature.
• Non-frameability: Any adversary should not produce a valid ring signature such that a ring member, whose secret key is unknown to the adversary, will be detected as the real signer via the confirmation/disavowal protocol. In other words, any adversary cannot frame an honest member.
In their pioneering work, Komano et al. [10] also presented a concrete scheme under the Decisional Diffie-Hellman (DDH) assumption. However, this assumption does not hold in the quantum world [11].

Contributions and Technical Overview
In this work, we propose an efficient lattice-based Non-interactive Deniable Ring Signature (NDRS) scheme. The notion NDRS, first formalized in Reference [12], means that the confirmation or disavowal of a signature is achieved in a non-interactive manner, instead of the interactive mechanism between the ring member and the verifier. In terms of efficiency, our construction is efficient in the sense that the signature size is only logarithmic in the cardinality of the ring. In the aspect of security, our construction satisfies anonymity, traceability, and non-frameability under the Small Integer Solution (SIS) assumption in the random oracle model.
From a high level, our scheme is a natural extension of the ring signature scheme in Reference [8] to the NDRS setting. In more detail, we adapt their argument system for a tree-based accumulator [8] to allow the prover to convince the verifier that the prover knows a witness which not only accumulates to the root of a Merkle tree but also satisfies some additional conditions. Specifically, compared with the ring signature scheme in Reference [8], we add one more condition, a non-interactive identification scheme used by the ring members to prove their identity. Combining zero-knowledge argument systems for two or more NP relations is a general strategy widely used in previous works, such as group signatures [8,9], policy-based signatures [13], compact e-cash [14], etc.
The starting point of our construction is the Zero Knowledge Argument of Knowledge (ZKAoK) for the Merkle tree-based accumulator [8]. Specifically, the underlying hash function is defined by $h_A(x) = \mathsf{bin}(A \cdot x \bmod q) \in \{0,1\}^{m/2}$, where the uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$ serves as the common reference string, $x \in \{0,1\}^m$ is the input vector, and $\mathsf{bin}(\cdot)$ denotes the coordinate-wise binary decomposition of its input. Then, by using the framework of Stern's protocol [15], Libert et al. [8] can prove knowledge of a hash chain in a zero-knowledge fashion. Besides, through the Fiat-Shamir transformation, they also build a ring signature with size logarithmic in the size of the ring. Note that their ring signature enjoys complete anonymity. To achieve our goal that each ring member is able to generate a piece of evidence demonstrating whether it is the real signer or not, we need another matrix $B \in \mathbb{Z}_q^{n \times m}$, which acts as the public key of an identification scheme. In more detail, to sign a message M, a signer possessing his secret x generates a zero-knowledge argument system to show that:
Fact 2: d is properly accumulated into the root of the Merkle tree.
We first use the procedure in Reference [8] as a sub-protocol to prove Fact 1 and Fact 2 in zero knowledge. The key point in our construction is to prove the secret in Fact 1 simultaneously satisfies Fact 3. To this end, we employ again the framework of Stern's protocol [15] as a sub-protocol, such that it is compatible with the proof in Reference [8]. The details are presented in Section 3.
Then, we apply the Fiat-Shamir transformation to our interactive protocol and obtain a signature scheme in the random oracle model by repeating it $\kappa = \omega(\log n)$ times to make the soundness error negligibly small. Generally, the anonymity of our NDRS scheme is based on the zero-knowledge property of the underlying argument system, while the traceability and the non-frameability are built on the fact that the underlying argument system is indeed an argument of knowledge. The construction and its proof are given in Section 4.

Related Works
In 2006, Komano et al. [10] first introduced the notion of DRS and proposed a concrete DRS construction based on the DDH assumption. Recently, Gao et al. [12] put forward the NDRS notion, which is a direct generalization of DRS to the non-interactive setting. Besides, they proposed a concrete NDRS scheme under lattice assumptions, which are conjectured to resist quantum computers. Their scheme, however, is shown to be insecure in Reference [16], as the scheme does not meet the 'Traceability' and 'Non-frameability' security requirements.

Organization
We start in Section 2 by providing some background regarding NDRS and useful tools developed in Reference [8]. Then, in Section 3, we present an interactive protocol, which is the key component of our construction. In Section 4, we show the concrete scheme and its efficiency analysis and security proof. Finally, we conclude the paper with the obtained results.

Preliminaries
The set of integers {1, . . . , k} is denoted by [k]. If S is a finite set, x ← S means that x is chosen uniformly at random from S. For b ∈ {0, 1}, let $\bar{b} = 1 - b$. ⊕ denotes the bit XOR operation. For any positive integer q, denote by $\mathbb{Z}_q$ the quotient ring $\mathbb{Z}/(q\mathbb{Z})$. Vectors, denoted by bold lowercase letters, are in column form. Matrices are represented in bold uppercase letters, and the concatenation of two matrices, say $A \in \mathbb{Z}_q^{n \times m_1}$ and $B \in \mathbb{Z}_q^{n \times m_2}$, is The tensor product is denoted by ⊗. Let $\mathsf{B}^m_{2m}$ be the set of all vectors in $\{0,1\}^{2m}$ with Hamming weight m, and $S_{2m}$ be the set of all permutations of 2m elements. The abbreviation PPT means "probabilistic polynomial time".
Throughout the paper, we denote by n the security parameter and define: $q = O(n)$; $k = \log q$; $m = 2nk$. Let $G = I_n \otimes g^t \in \mathbb{Z}_q^{n \times nk}$, where $g^t$ is the row vector Note that, for any $v \in \mathbb{Z}_q^n$, we have $v = G \cdot \mathsf{bin}(v)$, where $\mathsf{bin}(v) \in \{0,1\}^{nk}$ denotes the binary representation of v.

Non-Interactive Deniable Ring Signature (NDRS)
For any positive integer N ≥ 2, the ring R, formed by N users' public keys, is denoted by $R = \{pk_{i_0}, pk_{i_1}, \ldots, pk_{i_{N-1}}\}$. For ease of notation, we simply let $R = \{pk_0, pk_1, \ldots, pk_{N-1}\}$ with ring size N. Now, we recall the definition and security requirements for the NDRS presented in Reference [12].
• Setup($1^n$): Take as input n and output the system parameter pp.
• KeyGen(pp): Take as input pp and output a public/secret key pair (pk, sk).
• Sign(pp, R, sk, M): Take as inputs pp, a set of N public keys $R = \{pk_0, pk_1, \ldots, pk_{N-1}\}$, a secret key sk whose corresponding pk ∈ R, and a message M to be signed, and output a ring signature Σ.
• Verify(pp, R, M, Σ): Take as inputs pp, R, M, and Σ, and output 1 if Σ is valid or 0 otherwise.
• EvidenceGen(pp, R, $sk_i$, Σ): Take as inputs pp, R, user i's secret key $sk_i$, M, and Σ, and output a piece of evidence $\xi_i$.
• EvidenceCheck(pp, R, i, $\xi_i$, Σ): Take as inputs pp, R, an identity index i of a user, M and Σ, and output "confirmation", "disavowal", or "reject".
The correctness requirements for an NDRS scheme are formalized as follows:
1. The signature Σ generated by the Sign algorithm is properly accepted by the Verify algorithm, i.e., Verify(pp, R, M, Σ) = 1 for any pp ← Setup($1^n$), any (pk, sk) ← KeyGen(pp), any R such that pk ∈ R and any $M \in \{0,1\}^*$.
2. The real signer of the signature Σ will generate a piece of evidence such that the evidence check algorithm outputs "confirmation", i.e., EvidenceCheck(pp, R, i, EvidenceGen(pp, R, $sk_i$, Σ), Σ) = "confirmation" for any valid signature Σ generated by user i.
For the security requirements, we adopt the notions and games in References [10,12]. Suppose each user has a public/private key pair supported by the Public Key Infrastructure (PKI). Let List be a public key content issued by PKI, and let MList be a list of malicious signers. Let GSet be a list of message-signature pairs generated through a challenge oracle query Ch b (·). An adversary is able to make the following queries.
• Add(i): on input i, this oracle generates a key pair $(pk_i, sk_i)$ for user i, adds i together with the key pair to List, and returns $pk_i$.
• Reg(i, $pk_i$): on inputs i and $pk_i$, this oracle registers a new signer i with the given public key $pk_i$ in List and adds user i to MList.
• Hash(·): this oracle outputs a random string with a fixed length for an arbitrary input.
As mentioned before, an (N)DRS scheme should satisfy anonymity, traceability, and non-frameability. Each of these security requirements is formalized by an experiment, as shown in Figure 1.

Anonymity
For an NDRS scheme, a security parameter n, and a PPT adversary A, the property of anonymity is formalized using the experiment $\mathrm{Exp}^{\mathrm{anon}-b}_{\mathrm{NDRS},A}(n)$, as described in Figure 1. The advantage $\mathrm{Adv}^{\mathrm{anon}}_{\mathrm{NDRS},A}(n)$ is defined as
An NDRS has anonymity if $\mathrm{Adv}^{\mathrm{anon}-b}_{\mathrm{NDRS},A}(n)$ is negligible for any PPT adversary A and security parameter n.
Figure 1. Experiments of anonymity, traceability, and non-frameability.

Traceability
The property of traceability is formalized using the experiment $\mathrm{Exp}^{\mathrm{trace}}_{\mathrm{NDRS},A}(n)$, as shown in Figure 1. The advantage of the adversary is given by:
An NDRS is said to hold traceability if $\mathrm{Adv}^{\mathrm{trace}}_{\mathrm{NDRS},A}(n)$ is negligible for any PPT adversary A and security parameter n.

Non-frameability
The property of non-frameability is formalized using the experiment $\mathrm{Exp}^{\mathrm{nf}}_{\mathrm{NDRS},A}(n)$, as shown in Figure 1. The advantage of the adversary is defined as:
An NDRS is said to hold non-frameability if $\mathrm{Adv}^{\mathrm{nf}}_{\mathrm{NDRS},A}(n)$ is negligible for any PPT adversary A and security parameter n.

Average-Case Lattice Problems
In this subsection, we briefly recall the average-case Small Integer Solution (SIS) problem (in the infinity norm version) and its hardness guarantees. For more details, see References [17][18][19][20].
Definition 1 (Reference [17]). Given a uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$, the $\mathrm{SIS}^{\infty}_{n,m,q,\beta}$ problem asks to find a non-zero vector $x \in \mathbb{Z}^m$ such that $A \cdot x = 0 \bmod q$ and $\|x\|_\infty \le \beta$.
The hardness of the SIS problem is guaranteed by certain lattice problems in the worst case, such as the Shortest Independent Vector Problem (SIVP).
Theorem 1 (References [18][19][20]). If $m, \beta = \mathrm{poly}(n)$, and $q > \beta \cdot O(\sqrt{n})$, then the $\mathrm{SIS}^{\infty}_{n,m,q,\beta}$ problem is at least as hard as the worst-case problem $\mathrm{SIVP}_\gamma$ for some $\gamma = \beta \cdot O(\sqrt{mn})$. Specifically, for $\beta = 1$, $q = O(n)$, $m = 2n \log q$, the $\mathrm{SIS}^{\infty}_{n,m,q,1}$ problem is at least as hard as $\mathrm{SIVP}_{O(n)}$.

Statistical Zero-Knowledge Argument Systems
be an NP relation. The interaction P, V between a prover P and a verifier V is called an interactive argument system for the relation R if the following two conditions hold:
In this work, we will employ the Stern-type ZKAoK [15], which is a Σ-protocol from a generalized point of view in References [21,22]. Besides, we will utilize the lattice-based string commitment scheme in Reference [23] which is statistically hiding and computationally binding under the assumption that SIVP O(n) is hard.

Lattice-Based Accumulator
We first recall a certain family of collision-resistant hash functions presented in Reference [8].
Then, we recall the Merkle tree accumulator with $N = 2^l$ leaves based on the hash function family H above.
Output u as the accumulator value.
Return the witness w defined by: where u j 1 ,...,j l−1 ,j l , . . . , u j 1 ,j 2 , uj 1 are computed by TAcc(A, R). • TVerify(A, u, d, w): Given witness Return 1 if v 0 = u; otherwise, return 0. In Reference [8], the authors also design an argument system for the prover P to convince the verifier V that P knows a value-witness pair (d, w) such that TVerify(A, u, d, w) = 1. Toward this goal, they develop the following supporting techniques, which are necessary in our construction, as well.
. . , w * l ∈ B nk m by appending to each vector a length-nk vector with suitable Hamming weight.

The Underlying Zero-Knowledge Argument System
In this section, we present an interactive protocol, upon which our NDRS scheme is built. This protocol bears much resemblance to that in Section 4.2 of Reference [8], except that one more layer is added. Specifically, in our protocol, the prover P is able to convince the verifier V on input (A, B, u, b) that P knows a secret tuple (d, w, x) such that: More formally, the associated relation R NDRS is given by

Description of the Interactive Protocol
The public parameters are n, m, q, k, l, $G$, $G^*$, $\hat{A}$, and $\hat{B}$, where
The prover P, using its witness, prepares, according to Section 2.4, the following vectors: v for all $i \in [l]$ such that
In Stern's framework, a random permutation $\tau \leftarrow S_{2m}$ and a random 'mask' $r_x \leftarrow \mathbb{Z}_q^{2m}$ give a ZKAoK of the secret x according to the equivalence
After these preparations, P's goal is to convince V that it knows the vectors $v_i^*, w_i^*, z_i, y_i$ for all $i \in [l]$ and $x^* \in \mathsf{B}^m_{2m}$ such that:
The interaction between P and V is detailed as follows.
and that
• Ch = 2: Check that
V outputs 1 only if all the conditions hold in each case. Otherwise, output 0.

Analysis of the Interactive Protocol
We summarize several properties of the above protocol in the following theorem. Since the proof of the properties of the protocol is similar to that of Reference [8], we omit the details (see Appendix A).
Theorem 2. The given interactive protocol has perfect completeness and communication cost $O(l \cdot n)$. If COM is a statistically hiding and computationally binding string commitment scheme, then it is a ZKAoK for the relation $R_{\mathrm{NDRS}}$.

Our Non-Interactive Deniable Ring Signature Scheme from Lattices
We now construct an NDRS scheme for rings with $N = 2^l$ users (it can be easily adapted for any other values of N as in Reference [8]) and prove that our construction satisfies the security requirements: anonymity, traceability, and non-frameability. We use a public Pseudo-random Generator (PRG) and a random oracle $H_{FS} : \{0,1\}^* \to \{1,2,3\}^\kappa$. (Notice that, for the public key pk corresponding to the input sk, we have pk ∈ R.) to output the signature Σ.
1. Run TAcc(A, R) and obtain $u \in \{0,1\}^{nk}$. Recall that u is the root of the Merkle tree defined on R.
2. Run TWitness(A, R, d) and obtain Recall that w is a witness to the fact that d ∈ R.
3. Sample a seed $s \leftarrow \{0,1\}^n$, generate a matrix $B = \mathrm{PRG}(s) \in \mathbb{Z}_q^{n \times m}$ and compute $b = B \cdot x \bmod q$. Then, produce an NIZKAoK Π by repeating our interactive protocol $\kappa = \omega(\log n)$ times. By using the Fiat-Shamir heuristic, we transform Π to the triple

1. Run TAcc(A, R) and obtain u.
3. For i = 1, . . . , κ, check the validity of $RSP_i$ w.r.t. $CMT_i$ and $Ch_i$. If all the conditions hold, output 1; otherwise, output 0.
• EvidenceGen(pp, R, $sk_i$, Σ): On inputs pp, R, a secret key $sk_i = x'$, and the pair (s, b) contained in Σ, the algorithm produces a piece of evidence $\xi_i$ as follows:
1.
2. Let $pk_i = d' = \mathsf{bin}(A \cdot x' \bmod q)$. Generate a witness to the fact that $d' \in R$ by running TWitness(A, R, $d'$), i.e., $d'$ was properly accumulated in u.
3. Let $B = \mathrm{PRG}(s)$. Compute $b' = B \cdot x' \bmod q$ and generate a NIZKAoK $\Pi'$ as in the signing algorithm to demonstrate the possession of a valid pair $(pk_i, sk_i) = (d', x')$ such that $b' = B \cdot x' \bmod q$ and that $d' \in R$, i.e., Output $\xi_i = (s, b', \Pi')$. Note that $\xi_i$ can be seen just as a signature on the empty message with the given seed s (instead of choosing a random seed by the algorithm itself).
• EvidenceCheck(pp, R, i, $\xi_i$, Σ): On inputs pp, R, i, $\xi_i$, Σ, the evidence $\xi_i$ is checked as follows:
1. Check the validity of $\xi_i$ and Σ by verifying the underlying protocols. If either is invalid, then output "reject".
2.
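The statement that Sign and EvidenceGen argue in zero knowledge (d = bin(A · x mod q), d accumulated into the root u, and b = B · x mod q), checked in the clear by an added Python example that is not the paper's code and omits the arguments Π and Π′. The toy parameters, the SHAKE-256 stand-in for the PRG, the bit order of bin(·), the witness layout, the rule that equal tags mean "confirmation" and different tags "disavowal", and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (far too small to be secure).
N_DIM, Q, K = 8, 251, 8          # n, q, k = bits per Z_q coordinate
M = 2 * N_DIM * K                # m = 2nk, so bin(.) outputs m/2 bits

def expand_matrix(seed: bytes):
    """Assumed stand-in for the PRG: seed -> matrix in Z_q^{n x m} (SHAKE-256)."""
    raw = hashlib.shake_256(seed).digest(2 * N_DIM * M)
    vals = [int.from_bytes(raw[2 * i:2 * i + 2], "big") % Q for i in range(N_DIM * M)]
    return [vals[r * M:(r + 1) * M] for r in range(N_DIM)]

def matvec(mat, vec):
    return [sum(a * b for a, b in zip(row, vec)) % Q for row in mat]

def bin_vec(v):
    """bin(.): k-bit decomposition of each coordinate (bit order is an assumption)."""
    return [(c >> j) & 1 for c in v for j in range(K)]

def h(A, left, right):
    """h_A(x) = bin(A*x mod q) applied to x = left || right."""
    return bin_vec(matvec(A, left + right))

def keygen(A):
    x = [secrets.randbelow(2) for _ in range(M)]       # sk = x in {0,1}^m
    return bin_vec(matvec(A, x)), x                    # pk = d = bin(A*x mod q)

def tacc(A, ring):
    """Merkle tree over the ring; returns every level, root u is levels[-1][0]."""
    if len(ring) < 2 or len(ring) & (len(ring) - 1):
        raise ValueError("ring size must be a power of two")
    levels = [list(ring)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(A, cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def twitness(A, ring, d):
    """Witness for d: per level, (is_right_child bit, sibling node)."""
    idx, path = ring.index(d), []
    for level in tacc(A, ring)[:-1]:
        path.append((idx & 1, level[idx ^ 1]))
        idx >>= 1
    return path

def tverify(A, u, d, w):
    v = d
    for bit, sibling in w:
        v = h(A, sibling, v) if bit else h(A, v, sibling)
    return v == u

def in_relation(A, B, u, b, d, w, x):
    """The statement the argument proves, checked in the clear (no zero knowledge)."""
    return (len(x) == M and all(c in (0, 1) for c in x)
            and d == bin_vec(matvec(A, x))       # x is the secret key behind d
            and tverify(A, u, d, w)              # d is accumulated into u
            and b == matvec(B, x))               # tag b = B*x mod q binds x

def sign_tag(x):
    """The (s, b) part of a signature; the proof Pi is omitted here."""
    s = secrets.token_bytes(16)
    return s, matvec(expand_matrix(s), x)

def evidence_check(s, b, x_member):
    """EvidenceGen + EvidenceCheck without Pi': recompute b' under the same seed.
    Assumption: equal tags mean confirmation, different tags mean disavowal."""
    b_prime = matvec(expand_matrix(s), x_member)
    return "confirmation" if b_prime == b else "disavowal"

def demo(signer=5, ring_size=8):
    A = expand_matrix(b"constructed common reference string")
    keys = [keygen(A) for _ in range(ring_size)]
    ring = [d for d, _ in keys]
    u = tacc(A, ring)[-1][0]
    d, x = keys[signer]
    s, b = sign_tag(x)
    holds = in_relation(A, expand_matrix(s), u, b, d, twitness(A, ring, d), x)
    return holds, [evidence_check(s, b, xi) for _, xi in keys]

if __name__ == "__main__":
    print(demo())
```

Because B is re-derived from the seed s carried in the signature, every ring member evaluates the same linear map on its own key, which is what makes the tags comparable.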

Analysis of Our NDRS Scheme
We first briefly analyze the correctness and efficiency properties.

Theorem 3 (Correctness and Efficiency). The NDRS scheme described in the previous section is correct and produces signatures of bit-size $O(n \cdot \log N)$.

Correctness.
It is easy to check that:
• By the perfect completeness of the argument system presented in the previous section, each member of a ring is always capable of obtaining a tuple (x, d, w) such that $((A, B, u, b), d, w, x) \in R_{\mathrm{NDRS}}$. Thus, by the Fiat-Shamir heuristic, the ring signature on M is valid.
• Meanwhile, for any signature Σ = (s, b, Π), the real signer can always produce a piece of valid evidence $\xi = (s, b', \Pi')$ such that $b' = b$, i.e., EvidenceCheck outputs 'confirmation'.
• By the randomness of the secret keys $x, x' \leftarrow \{0,1\}^m$, the non-real signer can always produce a piece of valid evidence $\xi = (s, b', \Pi')$ such that $b' = B \cdot x' \bmod q \neq b = B \cdot x \bmod q$ with overwhelming probability.
Efficiency. It is not hard to check that the underlying interactive procedure in the previous section has communication cost $O(l \cdot n)$; therefore, the resulting signature has bit-size $O(\kappa \cdot l \cdot n + n) = O(n \cdot \log N)$.
Now, we analyze the security requirements: anonymity, traceability, and non-frameability.

Theorem 4 (Anonymity).
Assume that COM is a statistically hiding commitment scheme. Then, our NDRS scheme provides statistical anonymity in the random oracle model.

Proof.
We consider a sequence of games. The challenger C runs experiment $\mathrm{Exp}^{\mathrm{anon}-0}_{\mathrm{NDRS},A}(n)$ in the first game, while, in the last one, it runs $\mathrm{Exp}^{\mathrm{anon}-1}_{\mathrm{NDRS},A}(n)$.

Game $G_0^{(b)}$: This is exactly the real experiment $\mathrm{Exp}^{\mathrm{anon}-b}_{\mathrm{NDRS},A}(n)$, where the adversary is given a challenge signature $\Sigma^* \leftarrow \mathrm{Sign}(pp, \{pk_{i_0}, pk_{i_1}\}, sk_{i_b}, M^*)$. Namely, given $(i_0, i_1, M^*)$, the challenger C chooses a random $b \leftarrow \{0,1\}$ and computes a legitimate signature $\Sigma^*$ using the secret key $sk_{i_b} = x_{i_b}$ of user $i_b$:
2. Run TWitness(A, R, $d_{i_b}$) and obtain a witness $w_{i_b}$ to the fact that
3. Sample a seed $s \leftarrow \{0,1\}^n$, generate matrix $B = \mathrm{PRG}(s) \in \mathbb{Z}_q^{n \times m}$ and compute $b = B \cdot x_{i_b} \bmod q$. Then, produce a NIZKAoK Π with public input (A, B, u, b) and prover's witness $(d_{i_b}, w_{i_b}, x_{i_b})$, i.e., Output $\Sigma^* = (B, b, \Pi)$.
Game $G_1$: Generally, this game is identical to $G_0^{(b)}$, except that the challenge signature $\Sigma^*$ is made independent of the coin b, while preserving the statistical closeness to G
1. In Step 3, we change how the vector b is generated. Specifically, C samples $b \leftarrow \mathbb{Z}_q^n$ uniformly at random, instead of computing $b = B \cdot x_{i_b} \bmod q$.
2. In addition, in Step 3, the proof Π contained in the challenge signature $\Sigma^*$ is produced in the simulation manner by C's programming on the random oracle $H_{FS}(\cdot)$.
Observe that, for each $j \in [\kappa]$, $Ch_j$ is uniformly distributed in {1, 2, 3}, satisfying the requirement on the output of the random oracle. Besides, $CMT_j$ and $RSP_j$ are prepared in the same way as in Lemma A2 for proving the zero-knowledge property, implying that the challenge signature is valid. Finally, notice that the vector b in this game or G
Next, we prove the traceability and the non-frameability. Before doing so, we first recall two useful lemmas.
Lemma 1 (Reference [8]). For any matrix $A \in \mathbb{Z}_q^{n \times m}$ and a uniform random $x \in \{0,1\}^m$, the probability that there exists another $x' \in \{0,1\}^m \setminus \{x\}$ such that $A \cdot x' = A \cdot x \bmod q$ is at least $1 - 2^{n \cdot \log q - m}$.
Lemma 2 (Reference [13]). Let SS be a signature scheme with security parameter n. Let A be a PPT algorithm whose input consists only of public data and which can ask q H > 0 queries to the random oracle. Assume that A produces within time bound T a valid signature of message M with probability . Then, within time 32 · T · q H / and with probability > 1/2, a replay of A outputs 3 valid signatures of M: for the same {CMT i } κ i=1 such that CH (1) , CH (2) , CH (3) are pairwise distinct.
Theorem 5 (Traceability and Non-frameability). Our NDRS scheme provides traceability and non-frameability in the random oracle model if the SIVP O(n) is hard.
Proof. Assume that there exists a PPT adversary A that has non-negligible advantage in the experiment $\mathrm{Exp}^{\mathrm{trace}}_{\mathrm{NDRS},A}(n)$ or $\mathrm{Exp}^{\mathrm{nf}}_{\mathrm{NDRS},A}(n)$, i.e., A is able to output a valid signature $\Sigma^*$ on message $M^*$ under some ring $R^* = (pk_{i_0}, \ldots, pk_{i_r}) = (d_0, \ldots, d_r)$ such that
• either EvidenceCheck(pp, $R^*$, $i_j$, $\xi_{i_j}$, $\Sigma^*$) will output 'disavowal' for each $j \in \{0, \ldots, r\}$, where $\xi_{i_j}$ is a piece of evidence generated by user $i_j$;
• or EvidenceCheck(pp, $R^*$, $i_{j^*}$, $\xi_{i_{j^*}}$, $\Sigma^*$) will output 'confirmation' for some honest user $i_{j^*}$.
We construct an algorithm B that solves the SIVP O(n) problem with non-negligible probability. Let pp = A. During the game, B generates the secrets of all the queried users as in the real scheme. With these secret keys, B is capable of faithfully answering all the queries. For the random oracle $H_{FS}(\cdot)$, we assume without loss of generality that: (1) A makes any given query to $H_{FS}(\cdot)$ only once; (2) if A outputs a signature, then A had previously queried $H_{FS}(\cdot)$. When A halts, it outputs a valid triple $(R^*, M^*, \Sigma^*)$, where We denote by $q_H$ the upper bound on the number of queries that A makes to $H_{FS}(\cdot)$. Then, by Lemma 2, when B runs up to 32 · $q_H$ / extra executions of A with the same random tape and inputs as in the first execution, with probability at least 1/2, A will get 3-fork responses $CH^{(1)}, CH^{(2)}, CH^{(3)}$ (pairwise distinct) from the oracle $H_{FS}(\cdot)$.
With probability 1 − (7/9) κ , there exists some j ∈ [κ] for which the j-th bits of CH (1) , CH (2) , and CH (3) j } = {1, 2, 3}. By the soundness of the argument system for the relation R NDRS , B is able to extract a tuple (d * , w * , x * ) from the responses RSP (1) j , RSP (2) j , RSP (3) j such that According to the value of d * , there are two cases: . This means B can use (R * , d * , w * ) to break the security of the underlying accumulator, whose security is based on the assumption that SIVP O(n) is hard [8].
• $d^* \in R^* = (d_0, \ldots, d_r)$, i.e., $d^* = d_{j^*}$. Note that the secret key $sk_{i_{j^*}}$ consists of a vector According to the experiments with respect to traceability and non-frameability, we distinguish the following two cases to discuss the probability that $x_{i_{j^*}} \neq x^*$.
- In the experiment $\mathrm{Exp}^{\mathrm{trace}}_{\mathrm{NDRS},A}(n)$, A has corrupted user $i_{j^*}$, acts as the real malicious signer, and manages to evade the traceability. We claim that $x_{i_{j^*}} \neq x^*$, since A will otherwise be detected as the real signer by the algorithm EvidenceCheck(pp, $R^*$, $i_{j^*}$, $\xi_{i_{j^*}}$, Σ), where $\xi_{i_{j^*}}$ contains an element $b = B^* \cdot x_{i_{j^*}} \bmod q$.
- In the experiment $\mathrm{Exp}^{\mathrm{nf}}_{\mathrm{NDRS},A}(n)$, A did not corrupt user $i_{j^*}$, and attempts to produce a valid signature such that the target victim $i_{j^*}$ will be detected as the real signer. We claim that $x_{i_{j^*}} \neq x^*$ with probability greater than 1/2 by the following two facts: (1) There exists another vector $x^* \in \{0,1\}^m$ such that $A \cdot x^* = A \cdot x_{i_{j^*}} \bmod q$ by Lemma 1. (2) The underlying argument system is zero-knowledge, which implies witness indistinguishability; thus, A can hardly get useful information from the signing queries.
In conclusion, in the experiment Exp trace NDRS,A (n) or Exp nf NDRS,A (n), a successful attacker A implies an attacker B that either defeats the soundness of the argument system, or breaks the security of the accumulator, or directly solves an SIS ∞ n,m,q,1 instance A. Thus, our scheme provides traceability and non-frameability in the random oracle model, assuming that the SIVP O(n) problem is hard.

Conclusions
In this work, we propose an efficient lattice-based NDRS scheme by using the techniques developed in Reference [8]. Our scheme has signature size only logarithmic in the ring size, and we prove its security in the random oracle model under the SIS assumption. Notice that, in our NDRS scheme, each secret key can only be used, at most, k − 1 times for producing ring signatures, where k = log q; otherwise, the secret key can be recovered from the matrices B and the corresponding vectors b. The direct way to increase the number of ring signatures for each user is to increase the parameter q, which will reduce efficiency. A better way is to develop new techniques that are able to authenticate the user's identity while producing the ring signature for relatively small q. We leave this as future work.

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Proof of Theorem 2
Our proof follows closely from that of Lemma 4 in Reference [8].
Completeness and Efficiency. It can be checked that the protocol has perfect completeness: if P is honest and follows the protocol, then V always outputs 1. The communication cost of the protocol is of order O(l · m · log q) = O(l · n).
Lemma A1 (Zero-Knowledge Property). Assume that COM is a statistically hiding commitment scheme; then the protocol is a statistical zero-knowledge proof.
Proof. To show the zero-knowledge property, we construct an efficient simulator S that outputs a simulated transcript statistically indistinguishable from the one produced by the honest prover.
The simulator S first randomly samples Ch ← {1, 2, 3}, which serves as a prediction of the challenge value that $\hat{V}$ will not choose.
Finally, send the commitment CMT computed as in case Ch = 1.
After receiving Ch from $\hat{V}$, S responds as follows.
• If Ch = 1: Send
• If Ch = 2: Output ⊥ and abort.
• If Ch = 3: Send RSP computed in the same manner as in the case (Ch = 1, Ch = 3).
Ch = 3: First, S samples randomness as in the case Ch = 2. Then, send the commitments CMT = ($C_1$, $C_2$, $C_3$), where $C_2$, $C_3$ are computed as in Ch = 1, and $C_1$ is computed as
After receiving Ch from $\hat{V}$, S responds as follows.
Because COM is statistically hiding, we have that, whenever S does not halt, it will output an accepting transcript, whose distribution is statistically close to that of the real prover. Besides, S halts with probability 1/3. Therefore, S can successfully emulate the honest prover with probability 2/3.
To show the argument of knowledge property, it is enough to show that the protocol has the special soundness property [24].
Lemma A2 (Argument of Knowledge Property). Assume that COM is a statistically hiding commitment scheme; then there exists an efficient knowledge extractor K that, given 3 valid responses (RSP 1 , RSP 2 , RSP 3 ) to the same commitment CMT, outputs a triple (d , w , x ) such that (A, B, u, b); d , w , x ∈ R NDRS .
Proof. Denote the 3 valid responses (RSP 1 , RSP 2 , RSP 3 ) to the same commitment CMT as follows: The validity of RSP 1 implies that x * ∈ B m 2m and ∀ i ∈ [l] : v * i , w * i ∈ B nk m . Besides, we have: τ = τ ; τ (r x ) = r x ; τ (s x ) = x * + r x , A · s x − G * · s v l =Â · r x − G * · r v l mod q, B · s x = b +B · r x mod q, A * · s z 1 + A * · s y 1 − G · u = A * · r z 1 + A * · r y 1 mod q, and, for each i ∈ [l − 1]: A * · s z i+1 + A * · s y i+1 − G * · s v i = A * · r z i+1 + A * · r y i+1 − G * · r v i mod q, and, for all i ∈ [l]: Now, the knowledge extractor K takes the following steps to extract the secret.