A Novel Linkable Ring Signature on Ideal Lattices

Abstract

In this paper, a novel linkable ring signature scheme is constructed. The hash value of the public key in the ring and the signer’s private key are based on random numbers. This setting makes it unnecessary to set the linkable label separately for our constructed scheme. When judging the linkability, it is necessary to determine whether the number of the intersections of the two sets reaches the threshold related to the number of the ring members. In addition, under the random oracle model, the unforgeability is reduced to the $SV{P}_{\gamma }$ problem. The anonymity is proved based on the definition of statistical distance and its properties.

1. Introduction

In 2001, Rivest et al. [1] proposed the concept of ring signature. In a ring signature, the signer chooses several other users’ public keys to form a set with his own public key. In the signature verification phase, the verifier can confirm that the signature is generated by one of the ring members, but the verifier cannot find the real signer. There are many signature schemes that extend the original ring signature scheme to special scenarios, such as the deniable ring signature scheme in [2,3], the identity-based ring signature scheme in [4,5,6,7,8,9], and the linkable ring signature scheme in [10,11,12,13]. Linkable ring signature was a special ring signature proposed by Liu et al. [11]. Linkable ring signature is suitable for many practical scenarios, such as e-cash and e-voting. The general ring signature is not suitable for electronic voting because it is difficult to determine whether the same voter has voted more than once. Linkable ring signature can solve this problem, and the verifier can detect whether the generated votes are from the same voter through the linkable label. In 2021, Tang et al. [14] constructed an identity-based linkable ring signature scheme on NTRU lattice. In 2022, Ye et al. [15] constructed a linkable ring signature scheme on NTRU lattice. In [10,11,12,13,14,15], the linkability of the each signature scheme were determined by generating tags.

The signature schemes were based on the discrete logarithm in [1,11,13,16] and the bilinear pair in [17,18,19]. There are also parts of the literature that are based on lattices [3,14,20,21,22,23,24,25,26]. Lyubshvsky gave a signature scheme and a new hash function for calculating the difficulty problem based on ideal lattices in [27]. In [23], the first ring signature scheme was constructed by using the scheme [27]. In [3], a ring signature scheme with deniable property was constructed based on [3,27].

Based on [11,23,24], the output of the hash function of the public key in the ring and the signer’s private key are used to selecte random numbers. We give a new general structure of linkability, and construct a linkable ring signature scheme on ideal lattices (LRS).

Contributions

• Replace the random number in the signature algorithm in [23] with the hash value of the public key in the ring and the private key. Our signature scheme (LRS) and the scheme in [23] have the same length of the public key, the secret key and the signature output, but our LRS is linkable.

• In [10,11,12,13,14,15,25,26], the linkable criterion was that the linkability label was the same. Unlike this, in our scheme, the linkability criterion is to determine the maximum number of the elements in the intersection of the two sets rather than the number of the ring members.

2. Preliminaries

2.1. Notations

The notations is in Table 1.

Table 1. Notations.

Symbol	Description
$\left|S\right|$	If $S=\{s_1,s_2,\dots ,s_n\}$, then $\left|S\right|=n$.
$\left[i\right]$	$\{1,2,\dots ,i\}$.
$x\stackrel{\$}{\leftarrow }S$	x is a uniformly random sample from the set S.
${\mathbb{Z}}_p$	$\mathbb{Z}/p\mathbb{Z}$.
$\mathbb{D}$	$\{a\in {\mathbb{Z}}_p\left[x\right]/⟨x^n+1⟩:a={\sum }_{i=0}^{n-1}{a}_i{x}^i,a_i\in \{-\frac{p-1}{2},\dots ,\frac{p-1}{2}\}\}$.
$\mathbb{L}$	the ideal lattice.
${\parallel a\parallel }_{\infty }$	${\parallel a\parallel }_{\infty }=ma{x}_i\left(a_i\right)$, where $a={\sum }_{i=0}^n{a}_i{x}^i\in \mathbb{Z}\left[x\right]$.
$\widehat{\mathbf{a}}$	$\widehat{\mathbf{a}}=(a_1,a_2,\dots ,a_m)\in {\left(\mathbb{Z}\left[x\right]\right)}^m$.
$\parallel \widehat{\mathbf{a}}{\parallel }_{\infty }$	$\parallel \widehat{\mathbf{a}}{\parallel }_{\infty }=ma{x}_i{\parallel a_i\parallel }_{\infty }$, where $a_i\in \mathbb{Z}\left[x\right]$.

2.2. Hash Functions

Definition 1

([28]). For $m\in {\mathbb{Z}}^{+}$ and ${\mathbb{D}}_h\subseteq \mathbb{D}$, let $\mathcal{H}(\mathbb{D},{\mathbb{D}}_h,m)=\{h_{\widehat{\mathit{a}}}:\widehat{\mathit{a}}\in {\mathbb{D}}^m\}$ be the function family such that for any $\widehat{\mathit{z}}=(z_1,z_2,\dots ,z_m)\in {\mathbb{D}}_h^m$, $h_{\widehat{\mathit{a}}}\left(\widehat{\mathit{z}}\right)=\widehat{\mathit{a}}·\widehat{\mathit{z}}={\Sigma }_{i\in \left[m\right]}{a}_i{z}_i\in \mathbb{D}$, where $\widehat{\mathit{a}}=(a_1,a_2,\dots ,a_m)$.

According to [28], for $\widehat{\mathbf{y}},\widehat{\mathbf{y}}\in {\mathbb{D}}_h^m$, $c\in \mathbb{D}$ and $h\in \mathcal{H}(\mathbb{D},{\mathbb{D}}_h,m)$, then

$$\begin{array}{c}\hfill h(\widehat{\mathbf{y}}+{\widehat{\mathbf{y}}}^{\prime })=h\left(\widehat{\mathbf{y}}\right)+h\left({\widehat{\mathbf{y}}}^{\prime }\right),\end{array}$$

$$\begin{array}{c}\hfill h\left(c\widehat{\mathbf{y}}\right)=c·h\left(\widehat{\mathbf{y}}\right).\end{array}$$

Definition 2

([28] Collision Problem). For $m\in {\mathbb{Z}}^{+}$, ${\mathbb{D}}_h\subseteq \mathbb{D}$ and $h\in \mathcal{H}(\mathbb{D},{\mathbb{D}}_h,m)$, the Collision Problem Col$(h,{\mathbb{D}}_h)$ asks to find $\widehat{\mathit{y}},{\widehat{\mathit{y}}}^{\prime }\in {\mathbb{D}}_h^m$ and $\widehat{\mathit{y}}\ne {\widehat{\mathit{y}}}^{\prime }$ such that $h\left(\widehat{\mathit{y}}\right)=h\left({\widehat{\mathit{y}}}^{\prime }\right)$.

Definition 3

([28]). For $\gamma >1$, monic polynomial $\mathbf{f}$ and a lattice $\mathbb{L}$ corresponding to an ideal in the ring $\mathbb{Z}\left[x\right]/⟨\mathbf{f}⟩$, the $\mathbf{f}-sv{p}_{\gamma }$ problem asks to find $g\in \mathbb{L}$ such that ${\parallel g\parallel }_{\infty }\le \gamma {\lambda }_1^{\infty }\left(\mathbb{L}\right)$, where ${\lambda }_1$ is the length of the shortest nonzero vector on $\mathbb{L}$.

In Theorem 3.1 of the literature [27], if $\mathbf{f}=x^n+1$ (where $n=2^k,k\in {\mathbb{Z}}^{+}$), we can get the following theorem.

Theorem 1

([27]). Let $\mathbb{D}={\mathbb{Z}}_p\left[x\right]/⟨x^n+1⟩$ be a ring (where $n=2^k,k\in {\mathbb{Z}}^{+}$). Define the set ${\mathbb{D}}_h={\{y\in \mathbb{D}:\parallel y\parallel }_{\infty }\le d,d\in {\mathbb{Z}}^{+}\}$. Let $\mathcal{H}(\mathbb{D},{\mathbb{D}}_h,m)$ be a function family as in Definition 1 such that $m>\frac{logp}{log2d}$ and $p\ge 4dm{n}^{1.5}logn$. If there is a polynomial-time algorithm that can solve Col$(h_{\widehat{\mathit{a}}},{\mathbb{D}}_h)$ for random $h_{\widehat{\mathit{a}}}\in \mathcal{H}(\mathbb{D},{\mathbb{D}}_h,m)$ with some non-negligible probability, then there is a polynomial-time algorithm that can solve $(x^n+1)-SV{P}_{\gamma }\left(\mathbb{L}\right)$ for every lattice corresponding to an ideal in $\mathbb{D}$, where $\gamma =16dmn{log}^{2}n$.

2.3. Statistical Distance

Definition 4

([29]). Let X and $X^{\prime }$ be two random variables over a countable set S. The statistical distance between X and $X^{\prime }$ is defined by

$$\begin{array}{c}\hfill \Delta (X,X^{\prime })=\frac{1}{2}\sum _{x\in S}|\mathrm{Pr}[X=x]-Pr[X^{\prime }=x]|.\end{array}$$

3. Framework and Security Model of LRS Scheme

Our LRS consists five probabilistic polynomial time (PPT) algorithms.

• $\mathbf{SetUp}$: Input the security parameter n, and output the public parameter $\mathbb{P}$.
• $\mathbf{KeyGen}$: Input $\mathbb{P}$, and output of a keypair $(pk,sk)$.
• $\mathbf{Sign}$: Input $\mathbb{P}$, a singer’s $(pk,sk)$, a message $\mu$ and the ring $PK$ ($pk\in PK$), and output a signature $\sigma$.
• $\mathbf{Verify}$: Input the signature $\sigma$, and output “1” or “0”.
• $\mathbf{Link}$: Input two valid signatures $({\sigma }_1,{\sigma }_2)$, and output “1” or “0”.

The LRS is correct that the verification algorithm outputs “1” for the valid signature and “0” for the invalid signature.

Security Properties

The LRS satisfies the unforgeabilityy, anonymit and linkability which is similar to [11,13,23].

Definition 5

(Unforgeability). The LRS is unforgeable if there is no PPT $\mathcal{A}$ to win the following games with an advantage that cannot be ignored.

$\mathbf{Setup}$: $\mathcal{C}$ calls LRS-SetUp to generate the parameters $\mathbb{P}$ and calls LRS-KeyGen to generate the keypair $(p{k}_i,s{k}_i)$, and sends the parameters $\mathbb{P}$ and all public keys $p{k}_i$ to $\mathcal{A}$.

$\mathbf{Query}$: the adversary $\mathcal{A}$ can perform polynomial Hash queries, Extract queries and Signature queries.

$\mathbf{Forgery}$: the adversary $\mathcal{A}$ submits $(i^{*},PK,{\mu }^{*},{\sigma }^{*})$, if the following conditions are true:

(1) 

$\mathcal{A}$ did not query the private key of $p{k}_{i^{*}}$;

(2) 

$\mathcal{A}$ did not query $(p{k}_{i^{*}},{\mu }^{*})$’s signature, then $\mathcal{A}$ won the game.

The advantage is defined as ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{forge}}=Pr[\mathbf{LRS}-\mathbf{Verify}(i^{*},PK,{\mu }^{*},{\sigma }^{*})=1]$.

Definition 6

(Anonymity). The LRS scheme is said to be anonymous if there is no PPT $\mathcal{A}$ to win the following games with an advantage that cannot be ignored.

$\mathbf{Setup}$: $\mathcal{C}$ calls LRS-SetUp to generate the parameters $\mathbb{P}$ and calls LRS-KeyGen to generate the keypair $(p{k}_i,s{k}_i)$, and sends $\mathbb{P}$ and all public keys $p{k}_i$ to $\mathcal{A}$.

$\mathbf{Query}$: the $\mathcal{A}$ performs a polynomially bounded number of Hash queries, Extract queries and Signature queries.

$\mathbf{Challenge}$: $\mathcal{C}$ selects $b\in \{0,1\}$ and calls LRS-Sign $(b,PK,s{k}_{ib},\mu )$ (where $PK$, $s{k}_{ib}$ and μ are corresponding to the ring, the private key and the message respectively) to generate the signature ${\sigma }_{b,PK,s{k}_{ib},\mu }$. $\mathcal{A}$ did not query $(b,PK,s{k}_{ib},\mu )$’s signature.

$\mathbf{Guess}$: $\mathcal{A}$ outputs $b^{\prime }$ as a guess of b. If $b^{\prime }=b$, then $\mathcal{A}$ wins the game.

The advantage is defined as ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{anon}}=|Pr[b^{\prime }=b]-\frac{1}{2}|$.

Definition 7

(Linkability). LRS scheme is said to be linkable if for PPT $\mathcal{A}$ to win the following games with an advantage that cannot be ignored.

$\mathbf{Setup}$: $\mathcal{C}$ calls LRS-SetUp to generate the parameters $\mathbb{P}$ and calls LRS-KeyGen to generate teh keypair $(p{k}_i,s{k}_i)$, and sends $\mathbb{P}$ and all public keys $p{k}_i$ to $\mathcal{A}$.

$\mathbf{Query}$: the $\mathcal{A}$ performs a polynomially bounded number of Hash queries, Extract queries and Signature queries.

$\mathbf{Challenge}$: $\mathcal{C}$ selects $b\in \{0,1\}$ and calls LRS-Sign $(b,PK,s{k}_{ib},\mu )$ (where $PK$, $s{k}_{ib}$ and μ are corresponding to the ring, the private key and the message respectively) to generate the signature ${\sigma }_{b,PK,s{k}_{ib},\mu }$. $\mathcal{A}$ did not query $(b,PK,s{k}_{ib},\mu )$’s signature.

$\mathbf{Guess}$: $\mathcal{A}$ outputs bit $b^{\prime }$ as a guess of b. If $b^{\prime }=b$ and $b^{\prime }\ne 1-b$, then $\mathcal{A}$ wins the game.

The advantage is defined as ${\mathsf{Adv}}_{\mathcal{A}}^{\mathrm{link}}=\left|Pr[b^{\prime }=b\wedge b^{\prime }\ne 1-b]\right|$.

4. Construction of Our LRS

The LRS consists of five PPT algorithms: ParamGen, KeyGen, Sign, Verify and Link. The parameter settings are as follows:

D: $\{f\in \mathbb{D}:\parallel f{\parallel }_{\infty }\le m{n}^{1.5}logn+\sqrt{n}logn\}$.

$D_c$: $\{f\in \mathbb{D}:\parallel f{\parallel }_{\infty }\le 1\}$.

$D_y$: $\{f\in \mathbb{D}:\parallel f{\parallel }_{\infty }\le m{n}^{1.5}logn\}$.

G: $\{f\in \mathbb{D}:\parallel f{\parallel }_{\infty }\le m{n}^{1.5}logn-\sqrt{n}logn\}$.

H: ${\{0,1\}}^{*}\to G^m$.

$H_1$: ${\{0,1\}}^{*}\to D_y^m$.

$H_2$: ${\{0,1\}}^{*}\to D_c$.

$\mathcal{H}$: a family of hash function: $D^m\to \mathbb{D}$.

4.1. LRS-Setup

Step 1. Pick $k\in {\mathbb{Z}}^{+}$.

Step 2. Pick $n=2^{\lambda }$, where $\lambda \in {\mathbb{Z}}^{+}$ and $\lambda >k$. Let $m=3logn$.

Step 3. Pick p as a prime and $p>n^4$, $p\equiv 3\mathrm{mod}8$.

Step 4. Pick $h\stackrel{\$}{\leftarrow }\mathcal{H}$.

Step 5. Output $\mathbb{P}=(k,n,m,h)$.

4.2. LRS-KeyGen

Step 1. Pick $\widehat{\mathbf{s}}\stackrel{\$}{\leftarrow }{D}_c^m$.

Step 2. Compute $P=h\left(\widehat{\mathbf{s}}\right)$.

Step 3. Output $(pk,sk)=(P,\widehat{\mathbf{s}})$.

4.3. LRS-Sign

Input a message $\mu$, a ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}\subseteq \mathbb{D}$, a private key ${\widehat{\mathbf{s}}}_j$ associated to the public key $P_j\in PK$, and do the following:

Step 1. For $i\in \left[l\right]\setminus \left\{j\right\}$, compute ${\widehat{\mathbf{u}}}_i=H(PK\setminus \left\{P_i\right\},{\widehat{\mathbf{s}}}_j)$.

Step 2. For $i=j$, compute ${\widehat{\mathbf{u}}}_j=H_1(PK\setminus \left\{P_j\right\},{\widehat{\mathbf{s}}}_j)$.

Step 3. Compute $R_j=h\left({\widehat{\mathbf{u}}}_j\right)$.

Step 4. Compute $c_{j+1}=H_2(\mu ,R_j)$.

Step 5. Compute

$$\begin{array}{ccc}& & R_{j+1}=h\left({\widehat{\mathbf{u}}}_{j+1}\right)-c_{j+1}·P_{j+1}\hfill \\ & & c_{j+2}=H_2(\mu ,R_{j+1})\hfill \\ & & R_{j+2}=h\left({\widehat{\mathbf{u}}}_{j+2}\right)-c_{j+2}·P_{j+2}\hfill \\ & & c_{j+3}=H_2(\mu ,R_{j+2})\hfill \\ & & \cdots \hfill \\ & & R_{l-1}=h\left({\widehat{\mathbf{u}}}_{l-1}\right)-c_{l-1}·P_{l-1}\hfill \\ & & c_l=H_2(\mu ,R_{l-1})\hfill \\ & & R_l=h\left({\widehat{\mathbf{u}}}_1\right)-c_l·P_l\hfill \\ & & c_1=H_2(\mu ,R_l)\hfill \\ & & R_1=h\left({\widehat{\mathbf{u}}}_1\right)-c_1·P_l\hfill \\ & & c_2=H_2(\mu ,R_1)\hfill \\ & & \cdots \hfill \\ & & R_{j-1}=h\left({\widehat{\mathbf{u}}}_{j-1}\right)-c_{j-1}·P_{j-1}\hfill \\ & & c_j=H_2(\mu ,R_{j-1})\hfill \end{array}$$

Step 6. For $i=j$, compute ${\widehat{\mathbf{z}}}_j={\widehat{\mathbf{u}}}_j+c_j\widehat{\mathbf{s}}$. If ${\widehat{\mathbf{z}}}_j\in D_y^m$ does not hold, then go back to reselect public keys.

Step 7. For $i\in \left[l\right]\setminus \left\{j\right\}$, ${\widehat{\mathbf{z}}}_i={\widehat{\mathbf{u}}}_i$.

Step 8. Output $\sigma =({\widehat{\mathbf{z}}}_1,{\widehat{\mathbf{z}}}_2,\dots ,{\widehat{\mathbf{z}}}_l,c_l)$.

4.4. LRS-Verify

Input the message $\mu$, the ring $PK$, the signature $\sigma =({\widehat{\mathbf{z}}}_1,{\widehat{\mathbf{z}}}_2,\dots ,{\widehat{\mathbf{z}}}_l,c_l)$, and check the following steps:

Step 1. Compute

$$\begin{array}{ccc}& & R_l=h\left({\widehat{\mathbf{z}}}_l\right)-c_l·P_l\hfill \\ & & c_{l+1}=H_2(\mu ,R_l)\hfill \\ & & R_{l+1}=h\left({\widehat{\mathbf{z}}}_1\right)-c_{l+1}·P_1\hfill \\ & & c_{l+2}=H_2(\mu ,R_{l+1})\hfill \\ & & \cdots \hfill \\ & & R_{2l-1}=h\left({\widehat{\mathbf{z}}}_{l-1}\right)-c_2·P_{l-1}\hfill \\ & & c_{2l}=H_2(\mu ,R_{2l-1})\hfill \end{array}$$

Step 2. If $c_{2l}=c_l$, then output “1”, otherwise output “0”.

4.5. LRS-Link

Input two valid signatures ${\sigma }_0=({\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0},c_{l0})$, ${\sigma }_1=({\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1},c_{l1})$ and do the following:

Step 1. If $|\{{\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0}\}\cap \{{\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1}\}|\ge l-1$ holds, then output “0”.

Step 2. Otherwise, output “1”.

4.6. LRS-Correctness

1.

From Corollary 6.2 of [27], we obtain that the probability of ${\widehat{\mathbf{z}}}_j\in G^m$ is approximately $1/e$;

2.

We need to show $R_j=h\left({\widehat{\mathbf{u}}}_j\right)=h\left({\widehat{\mathbf{z}}}_j\right)-c_j·P_j$. Since ${\widehat{\mathbf{z}}}_j={\widehat{\mathbf{u}}}_j+c_j\widehat{\mathbf{s}}$, we have $R_j=h\left({\widehat{\mathbf{u}}}_j\right)=h({\widehat{\mathbf{z}}}_j-c_j\widehat{\mathbf{s}})=h\left({\widehat{\mathbf{z}}}_j\right)-c_{j}h\left(\widehat{\mathbf{s}}\right)=h\left({\widehat{\mathbf{z}}}_j\right)-c_j{P}_j$.

4.7. Construction of Our RS

By changing the first and second steps of the LRS-Sign, the following ring signature scheme (RS) can be obtained.

The parameter setting is the same as LRS

• RS-Setup

This part is the same as LRS-Setup.

• RS-KeyGen

This part is the same as LRS-KeyGen.

• RS-Sign

Input $\mu$, a ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}\subseteq \mathbb{D}$, a private key ${\widehat{\mathbf{s}}}_j$ associated to $P_j\in PK$, and do the following:

Step 1. For $i\in \left[l\right]\setminus \left\{j\right\}$, picks ${\widehat{\mathbf{u}}}_i\stackrel{\$}{\leftarrow }{D}_y^m$.

Step 2. For $i=j$, pick ${\widehat{\mathbf{u}}}_j\stackrel{\$}{\leftarrow }{G}^m$.

Step 3. Compute $R_j=h\left({\widehat{\mathbf{u}}}_j\right)$.

Step 4. Compute $c_{j+1}=H_2(\mu ,R_j)$.

Step 5. Compute

$$\begin{array}{ccc}& & R_{j+1}=h\left({\widehat{\mathbf{u}}}_{j+1}\right)-c_{j+1}·P_{j+1}\hfill \\ & & c_{j+2}=H_2(\mu ,R_{j+1})\hfill \\ & & R_{j+2}=h\left({\widehat{\mathbf{u}}}_{j+2}\right)-c_{j+2}·P_{j+2}\hfill \\ & & c_{j+3}=H_2(\mu ,R_{j+2})\hfill \\ & & \cdots \hfill \\ & & R_{l-1}=h\left({\widehat{\mathbf{u}}}_{l-1}\right)-c_{l-1}·P_{l-1}\hfill \\ & & c_l=H_2(\mu ,R_{l-1})\hfill \\ & & R_l=h\left({\widehat{\mathbf{u}}}_1\right)-c_l·P_l\hfill \\ & & c_1=H_2(\mu ,R_l)\hfill \\ & & R_1=h\left({\widehat{\mathbf{u}}}_1\right)-c_1·P_l\hfill \\ & & c_2=H_2(\mu ,R_1)\hfill \\ & & \cdots \hfill \\ & & R_{j-1}=h\left({\widehat{\mathbf{u}}}_{j-1}\right)-c_{j-1}·P_{j-1}\hfill \\ & & c_j=H_2(\mu ,R_{j-1})\hfill \end{array}$$

Step 6. For $i=j$, compute ${\widehat{\mathbf{z}}}_j={\widehat{\mathbf{u}}}_j+c_j\widehat{\mathbf{s}}$. If ${\widehat{\mathbf{z}}}_j\in D_y^m$ does not hold, then go back to reselect public keys.

Step 7. For $i\in \left[l\right]\setminus \left\{j\right\}$, ${\widehat{\mathbf{z}}}_i={\widehat{\mathbf{u}}}_i$

Step 8. Output $\sigma =({\widehat{\mathbf{z}}}_1,{\widehat{\mathbf{z}}}_2,\dots ,{\widehat{\mathbf{z}}}_l,c_l)$.

•RS-Vrify

This part is the same as LRS-Vrify.

5. Security Analysis

We will prove that our LRS satisfies unforgeability, anonymity and linkability.

Theorem 2

(Unforgeability). If there is a PPT algorithm $\mathcal{A}$ which can forge the LRS signature with probabilistic ϵ at most q times random oracle H. Then for $h\stackrel{\$}{\leftarrow }\mathcal{H}(\mathbb{D},m)$, there is a PPT algorithm $\mathcal{B}$ that outputs a solution to $Col(h,\mathbb{D})$ with probability at least

$$\begin{array}{c}\hfill (ϵ-\frac{1}{|D_c|})(\frac{\epsilon -\frac{1}{|D_c|}}{q}-\frac{1}{|D_c|})-\frac{1}{|D_c|}.\end{array}$$

Proof of Theorem 2.

$\mathcal{B}$ gives an $h\in \mathcal{H}(\mathbb{D},m)$, picks a secret key $\widehat{\mathbf{s}}\stackrel{\$}{\leftarrow }{D}_c^m$ and computes the public key $P=h\left(\widehat{\mathbf{s}}\right)$.

$\mathcal{B}$ creates two empty lists $L_1,L_2$ to record the queries of adversary $\mathcal{A}$.

$\mathbf{Setup}$: Executing the LRS-Setup, $\mathcal{B}$ gives $\mathcal{A}$ the parameters $\mathbb{P}=(k,n,m,h)$.

$\mathbf{Query}$: For the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}\subseteq \mathbb{D}$, where $P_l=P$, $\mathcal{B}$ performs the following operations:

Hash query:

1.

$\mathcal{A}$ sends message $\mu$ to $\mathcal{B}$. For $i\in [l-1]$, $\mathcal{B}$ picks ${\widehat{\mathbf{y}}}_i\in D_y^m$ and ${\widehat{\mathbf{y}}}_l\in G^m$. $\mathcal{B}$ queries $L_1$ and returns the same record if there is already the query;

2.

Otherwise, $\mathcal{B}$ picks $c_l\in D_c$ and passes $c_l$ to $\mathcal{A}$. $\mathcal{B}$ records

$$(\mu ,PK,({\widehat{\mathbf{y}}}_1,{\widehat{\mathbf{y}}}_2,\dots ,{\widehat{\mathbf{y}}}_l),c_l)$$

to $L_1$.

Extract query:

1.

$\mathcal{B}$ queries $L_2$ first. If $(P_l,{\widehat{\mathbf{s}}}_i)$ has already been queried, $\mathcal{B}$ returns $(P_l,{\widehat{\mathbf{s}}}_i)$;

2.

Otherwise, $\mathcal{B}$ picks ${\widehat{\mathbf{s}}}_i\in D_c^m$, and passes to $\mathcal{A}$. $\mathcal{B}$ records $(P_l,{\widehat{\mathbf{s}}}_i)$ to $L_2$.

Sign query:

$\mathcal{A}$ sends message $\mu$, the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}\subseteq \mathbb{D}$, where $P_l=P$. $\mathcal{B}$ operates as follows:

1.

$\mathcal{B}$ checks $L_1$. If $(\mu ,PK,({\widehat{\mathbf{y}}}_1,{\widehat{\mathbf{y}}}_2,\dots ,{\widehat{\mathbf{y}}}_l),c_l)$ does not exist, go to Hash query and record $(\mu ,PK,({\widehat{\mathbf{y}}}_1,{\widehat{\mathbf{y}}}_2,\dots ,{\widehat{\mathbf{y}}}_l),c_l)$ in $L_1$.

2.

$\mathcal{B}$ checks $L_2$. If $(P_i,{\widehat{\mathbf{s}}}_i)$ does not exist, go to Extract query and record $(P_i,{\widehat{\mathbf{s}}}_i)$ in $L_2$.

3.

$\mathcal{B}$ checks $L_1$ and $L_2$. $\mathcal{B}$ seeks the record $(\mu ,P,({\widehat{\mathbf{y}}}_1,{\widehat{\mathbf{y}}}_2,\dots ,{\widehat{\mathbf{y}}}_l),c_l)$ in $L_1$ and the record $(P_l,{\widehat{\mathbf{s}}}_i)$ in $L_2$;

4.

Let ${\widehat{\mathbf{z}}}_j={\widehat{\mathbf{y}}}_j(j\ne l)$, ${\widehat{\mathbf{z}}}_l={\widehat{\mathbf{y}}}_l+c_l\widehat{\mathbf{s}}$, $\mathcal{B}$ returns the signature $({\widehat{\mathbf{z}}}_1,{\widehat{\mathbf{z}}}_2,\dots ,{\widehat{\mathbf{z}}}_l,c_l)$.

Forgery:

$\mathcal{A}$ sends a message ${\mu }^{*}$, the ring

$$P{K}^{*}=\{P_{i{1}^{*}},P_{i{2}^{*}},\dots ,P_{i{l}^{*}}\}\subseteq \mathbb{D}$$

and forges signature $({\widehat{\mathbf{z}}}_1^{*},{\widehat{\mathbf{z}}}_2^{*},\dots ,{\widehat{\mathbf{z}}}_l^{*},c_l^{*})$ by the real signer $P_{i{l}^{*}}$ to $\mathcal{B}$, the following hold:

1.

$\mathcal{A}$ has not inquired the private key of the public key $P_{i{l}^{*}}$;

2.

$\mathcal{A}$ has not inquired $(P{K}^{*},{\mu }^{*})$’s signature.

Suppose the signature $({\widehat{\mathbf{z}}}_1^{*},{\widehat{\mathbf{z}}}_2^{*},\dots ,{\widehat{\mathbf{z}}}_l^{*},c_l^{*})$ is legal signature of message ${\mu }^{*}$ and $P{K}^{*}$. $\mathcal{B}$ first queries $L_1$ to find $({\mu }^{*},P{K}^{*},({\widehat{\mathbf{y}}}_1^{*},{\widehat{\mathbf{y}}}_2^{*},\dots ,{\widehat{\mathbf{y}}}_l^{*}),c_l^{*})$ and queries $L_2$ to find $(P_{i{l}^{*}},{\widehat{\mathbf{s}}}_{i{l}^{*}})$. If $({\mu }^{*},P{K}^{*},({\widehat{\mathbf{y}}}_1^{*},{\widehat{\mathbf{y}}}_2^{*},\dots ,{\widehat{\mathbf{y}}}_l^{*}),c_l^{*})$ is not in $L_1$, the game ends. Otherwise, since $({\widehat{\mathbf{z}}}_1^{*},{\widehat{\mathbf{z}}}_2^{*},\dots ,{\widehat{\mathbf{z}}}_l^{*},c_l^{*})$ can pass the verification, we obtain

$$\begin{array}{c}\hfill h\left({\widehat{\mathbf{y}}}_l^{*}\right)=h({\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}})=h\left({\widehat{\mathbf{z}}}_l^{*}\right)-c_l^{*}{P}_{i{l}^{*}}.\end{array}$$

(1)

$\mathcal{B}$ answers $\mathcal{A}$’s query again and answers all queries consistently except Hash returned by the $c_l$ query. By Lemma 3.1 in [30], $\mathcal{A}$ produces another forged signature $({\widehat{\mathbf{z}}}_1^{\prime },{\widehat{\mathbf{z}}}_2^{\prime },\dots ,{\widehat{\mathbf{z}}}_l^{\prime },c_l^{\prime })$, we obtain

$$\begin{array}{c}\hfill h\left({\widehat{\mathbf{y}}}_l^{*}\right)=h({\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}})=h\left({\widehat{\mathbf{z}}}_l^{\prime }\right)-c_l^{\prime }{P}_{i{l}^{*}}.\end{array}$$

(2)

From (1) and (2), we obtain $h({\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}})=h({\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}})$. If ${\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}}\ne {\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}}$, since ${\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}},{\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}}\in D_y^m$, we solved the problem $Col(h,\mathbb{D})$.

$\mathcal{B}$ extracts the secret key $\widehat{\mathbf{s}}$ of $P_l$, and lets $z_i^{″}={\widehat{\mathbf{y}}}_i^{*}$ (if $i\ne l$), ${\widehat{\mathbf{z}}}_l^{″}={\widehat{\mathbf{y}}}_l^{*}+c_l\widehat{\mathbf{s}}$. It is easy to see that $({\widehat{\mathbf{z}}}_1^{″},{\widehat{\mathbf{z}}}_2^{″},\cdots ,{\widehat{\mathbf{z}}}_l^{″},c_l)$ can pass the verification, so

$$\begin{array}{c}\hfill h\left({\widehat{\mathbf{y}}}_l^{*}\right)=h({\widehat{\mathbf{z}}}_l^{″}-c_l^{*}\widehat{\mathbf{s}})=h\left({\widehat{\mathbf{z}}}_l^{″}\right)-c_l^{*}{P}_{i{l}^{*}}.\end{array}$$

(3)

$\mathcal{B}$ continues the calculation. Let $z_i^{‴}={\widehat{\mathbf{y}}}_i^{*}$ (if $i\ne l$), ${\widehat{\mathbf{z}}}_l^{‴}={\widehat{\mathbf{y}}}_l^{*}+c_l^{\prime }\widehat{\mathbf{s}}$. We will obtain $({\widehat{\mathbf{z}}}_1^{‴},{\widehat{\mathbf{z}}}_2^{‴},\dots ,{\widehat{\mathbf{z}}}_l^{‴},c_l^{\prime })$ can pass the verification, so

$$\begin{array}{c}\hfill h\left({\widehat{\mathbf{y}}}_l^{*}\right)=h({\widehat{\mathbf{z}}}_l^{‴}-c_l^{\prime }\widehat{\mathbf{s}})=h\left({\widehat{\mathbf{z}}}_l^{‴}\right)-c_l^{\prime }{P}_{i{l}^{*}}.\end{array}$$

(4)

From (1) and (3), we obtain $h\left({\widehat{\mathbf{z}}}_l^{*}\right)=h\left({\widehat{\mathbf{z}}}_l^{″}\right)$. If ${\widehat{\mathbf{z}}}_l^{*}\ne {\widehat{\mathbf{z}}}_l^{″}$, since ${\widehat{\mathbf{z}}}_l^{*},{\widehat{\mathbf{z}}}_l^{″}\in G^m$, we solved the problem $Col(h,\mathbb{D})$.

From (2) and (4), we obtain $h\left({\widehat{\mathbf{z}}}_l^{\prime }\right)=h\left({\widehat{\mathbf{z}}}_l^{‴}\right)$. If ${\widehat{\mathbf{z}}}_l^{\prime }\ne {\widehat{\mathbf{z}}}_l^{‴}$, since ${\widehat{\mathbf{z}}}_l^{\prime },{\widehat{\mathbf{z}}}_l^{‴}\in G^m$, we also solved the problem $Col(h,\mathbb{D})$.

If ${\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}}={\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}}$, ${\widehat{\mathbf{z}}}_l^{*}={\widehat{\mathbf{z}}}_l^{″}$, ${\widehat{\mathbf{z}}}_l^{\prime }={\widehat{\mathbf{z}}}_l^{‴}$, from (3) and (4), we obtain $h({\widehat{\mathbf{z}}}_l^{*}-c_l^{*}\widehat{\mathbf{s}})=h({\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }\widehat{\mathbf{s}})$. As discussed in Theorem 6.6 in [27], we can get ${\widehat{\mathbf{z}}}_l^{*}-c_l^{*}\widehat{\mathbf{s}}\ne {\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }\widehat{\mathbf{s}}$.

If

$$\begin{array}{c}\hfill {\widehat{\mathbf{z}}}_l^{*}-c_l^{*}\widehat{\mathbf{s}}={\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }\widehat{\mathbf{s}},\end{array}$$

(5)

from (5) and ${\widehat{\mathbf{z}}}_l^{*}-c_l^{*}{\widehat{\mathbf{s}}}_{i{l}^{*}}={\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }{\widehat{\mathbf{s}}}_{i{l}^{*}}$, we obtain

$$\begin{array}{c}\hfill ({\widehat{\mathbf{s}}}_{i{l}^{*}}-\widehat{\mathbf{s}})(c_l^{*}-c_l^{\prime })=0.\end{array}$$

Since $\parallel {\widehat{\mathbf{s}}}_{i{l}^{*}}{\parallel }_{\infty }\le 1,\parallel \widehat{\mathbf{s}}{\parallel }_{\infty }\le 1,\parallel c_l^{*}{\parallel }_{\infty }\le 1,{\parallel c_l^{\prime }\parallel }_{\infty }\le 1$, we obtain $\parallel {\widehat{\mathbf{s}}}_{i{l}^{*}}-\widehat{\mathbf{s}}{\parallel }_{\infty }\le 2,{\parallel c_l^{*}-c_l^{\prime }\parallel }_{\infty }\le 2$, so $\parallel ({\widehat{\mathbf{s}}}_{i{l}^{*}}-\widehat{\mathbf{s}})(c_l^{*}-c_l^{\prime }){\parallel }_{\infty }\le 4n$.

Since $p>n^4$, $4n\le \frac{p}{2}$, so the product $({\widehat{\mathbf{s}}}_{i{l}^{*}}-\widehat{\mathbf{s}})(c_l^{*}-c_l^{\prime })$ is $\mathbf{0}$ in the ring ${\mathbb{Z}}_p\left[x\right]/⟨x^n+1⟩$, it also must be $\mathbf{0}$ in the ring ${\mathbb{Z}}_p\left[x\right]/⟨x^n+1⟩$. Because $x^n+1$ is irreducible over the integers, ${\mathbb{Z}}_p\left[x\right]/⟨x^n+1⟩$ is an integral domain, therefore either ${\widehat{\mathbf{s}}}_{i{l}^{*}}-\widehat{\mathbf{s}}=\mathbf{0}$ or $c_l^{*}-c_l^{\prime }=0$. Since $c_l^{*}\ne c_l^{\prime }$ and ${\widehat{\mathbf{s}}}_{i{l}^{*}}\ne \widehat{\mathbf{s}}$, so

$$\begin{array}{c}\hfill {\widehat{\mathbf{z}}}_l^{*}-c_l^{*}\widehat{\mathbf{s}}\ne {\widehat{\mathbf{z}}}_l^{\prime }-c_l^{\prime }\widehat{\mathbf{s}}.\end{array}$$

Thus the problem $Col(h,\mathbb{D})$ was solved.

Suppose the probability that $\mathcal{B}$ can successfully solve $Col(h,\mathbb{D})$ is ${ϵ}^{\prime }$.

When $({\widehat{\mathbf{z}}}_1^{*},{\widehat{\mathbf{z}}}_2^{*},\dots ,{\widehat{\mathbf{z}}}_l^{*},c_l^{*})$ is not in $L_1$, the probability that $c_l^{*}$ passing the LRS-verify is $\frac{1}{|D_c|}$.

By Lemma 3.1 in [30], we get that the probability of Equation (2) is

$$\begin{array}{c}\hfill (ϵ-\frac{1}{|D_c|})(\frac{\epsilon -\frac{1}{|D_c|}}{q}-\frac{1}{|D_c|}).\end{array}$$

From the above analysis, we can see that

$$\begin{array}{c}\hfill {\epsilon }^{\prime }\ge (ϵ-\frac{1}{|D_c|})(\frac{\epsilon -\frac{1}{|D_c|}}{q}-\frac{1}{|D_c|})-\frac{1}{|D_c|}.\end{array}$$

From Theorem 1, we obtain that $Col(h,\mathbb{D})$ is based on solving $(x^n+1)-Sv{p}_{\gamma }\left(\mathbb{L}\right)$ (where $\gamma =\tilde{O}\left(n^3\right))$ for every lattice $\mathbb{L}$ corresponding to an ideal $\mathbb{D}$. □

Theorem 3

(Anonymity). For $b\in \{0,1\}$, ${\sigma }_{b,PK,s{k}_{ib},\mu }$ are the outputs of the algorithm LRS-Sign $(b,PK,s{k}_{ib},\mu )$, where $PK$, $s{k}_{ib}$ and μ are corresponding to the ring, the private key and the message respectively. For any PPT adversary, when $s{k}_{i0}$ and $s{k}_{i1}$ are unknown, then

$$\begin{array}{c}\hfill \Delta ({\sigma }_{0,P,s{k}_{ib},\mu },{\sigma }_{1,P,s{k}_{ib},\mu })=0.\end{array}$$

Therefore, LRS is anonymous.

Proof of Theorem 3.

$\mathbf{Setup}$: This part is the same as in Theorem 2.

$\mathbf{Query}$: This part is the same as Theorem 2.

$\mathbf{Challenge}$: $\mathcal{C}$ selects the message $\mu$, keypair $(p{k}_{ib},s{k}_{ib})$, the ring $PK$ and $p{k}_{ib}\in PK$, then randomly selects $b\in \{0,1\}$ and calls LRS-Sign$(b,PK,s{k}_{ib},\mu )$ to generate the signature ${\sigma }_{b,PK,s{k}_{ib},\mu }$.

$\mathbf{Guess}$: $\mathcal{A}$ outputs $b^{\prime }$.

Suppose the signature with private key $s{k}_{i0}$ outputs

$${\sigma }_{0,P,s{k}_{i0},\mu }=({\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0},c_{l0}),$$

the signature with private key $s{k}_{i1}$ outputs

$${\sigma }_{1,P,s{k}_{i1},\mu }=({\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1},c_{l1}).$$

The following only need to prove that ${\sigma }_{0,P,s{k}_{i0},\mu }$ and ${\sigma }_{1,P,s{k}_{i1},\mu }$ are statistically indistinguishable.

From Proposition 8.9, 8.10 of [29] and trigonometric inequality, we can get

$$\begin{array}{cc}\hfill \Delta ({\sigma }_{0,P,s{k}_{i0},\mu },{\sigma }_{1,P,s{k}_{i1},\mu })& =\Delta (({\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0},c_{l0}),({\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1},c_{l1}))\hfill \\ \hfill & \le \Delta ((P_1,P_2,\dots ,P_l,s{k}_{i0}),(P_1,P_2,\dots ,P_l,s{k}_{i1}))\hfill \\ \hfill & \le \Delta (s{k}_{i0},s{k}_{i1})\hfill \\ \hfill & =\frac{1}{2}\sum _{\widehat{\mathbf{a}}\in D_c^m}|Pr[s{k}_{i0}=\widehat{\mathbf{a}}]-Pr[s{k}_{i1}=\widehat{\mathbf{a}}]|\hfill \\ \hfill & =\frac{1}{2}\sum _{\widehat{\mathbf{a}}\in D_c^m}|\frac{1}{|D_c^m|}-\frac{1}{|D_c^m|}|\hfill \\ \hfill & =0.\hfill \end{array}$$

□

Theorem 4

(Linkability). If H is collision resistant and the number of ring members is not less than three, then the LRS signature scheme is linkable.

Proof of Theorem 4.

$\mathbf{Setup}$: This part is the same as in Theorem 2.

$\mathbf{Query}$: This part is the same as Theorem 2.

$\mathbf{Challenge}$:

1.

$\mathcal{C}$ hands a message $\mu$ and uses the LRS-KeyGen to generate key pair

$$(P_{k0},{\widehat{\mathbf{s}}}_{k0}),(P_{k1},{\widehat{\mathbf{s}}}_{k1}).$$

2.

$\mathcal{C}$ picks the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}$ and $\{P_{k0},P_{k1}\}\subseteq PK$. $\mathcal{C}$ calls LRS-Sign to generate the signatures ${\sigma }_0=({\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0},c_{l0})$ and ${\sigma }_1=({\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1},c_{l1})$.

3.

$\mathcal{C}$ picks $b\in \{0,1\}$, then reselects ${\mu }^{*}$ and uses the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}$ to call the LRS-KeyGen to generate the signature ${\sigma }_b^{\prime }=({\widehat{\mathbf{z}}}_{1b}^{\prime },{\widehat{\mathbf{z}}}_{2b}^{\prime },\dots ,{\widehat{\mathbf{z}}}_{lb}^{\prime },c_{lb}^{\prime })$. $\mathcal{C}$ sends ${\sigma }_b^{\prime }$ to $\mathcal{A}$.

$\mathbf{Guess}$: $\mathcal{A}$ outputs bit $b^{\prime }$.

$\mathcal{A}$ decides which of

$$|\{{\widehat{\mathbf{z}}}_{10},{\widehat{\mathbf{z}}}_{20},\dots ,{\widehat{\mathbf{z}}}_{l0}\}\cap \{{\widehat{\mathbf{z}}}_{1b}^{\prime },{\widehat{\mathbf{z}}}_{2b}^{\prime },\dots ,{\widehat{\mathbf{z}}}_{lb}^{\prime }\}|\ge l-1$$

and

$$|\{{\widehat{\mathbf{z}}}_{11},{\widehat{\mathbf{z}}}_{21},\dots ,{\widehat{\mathbf{z}}}_{l1}\}\cap \{{\widehat{\mathbf{z}}}_{1b}^{\prime },{\widehat{\mathbf{z}}}_{2b}^{\prime },\dots ,{\widehat{\mathbf{z}}}_{lb}^{\prime }\}|\ge l-1$$

holds. If the first is true, output $b^{\prime }=0$, if the second is true, output $b^{\prime }=1$.

Next, we will discuss it in two ways.

1.

When ${\widehat{\mathbf{s}}}_{kb}={\widehat{\mathbf{s}}}_{k0}$, because the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}$ is the same and the calculated ${\widehat{\mathbf{u}}}_i$ is the same, there is at most one output ${\widehat{\mathbf{z}}}_i$ of the signature output which is different from the real signer’s subscript, so there are identical ${\widehat{\mathbf{z}}}_i$ at least $l-1$. That is, when the signature is signed by the same private key for different messages, it can be completely determined.

2.

when ${\widehat{\mathbf{s}}}_{kb}\ne {\widehat{\mathbf{s}}}_{k0}$, because the ring $PK={\left\{P_i\right\}}_{i\in \left[l\right]}$ is the same and H is strong anti-collision, when calculating ${\widehat{\mathbf{u}}}_i=H(PK\setminus \left\{P_i\right\},{\widehat{\mathbf{s}}}_j)$, the probability that the hash values ${\widehat{\mathbf{u}}}_i=H(PK\setminus \left\{P_i\right\},{\widehat{\mathbf{s}}}_{kb})$ and ${\widehat{\mathbf{u}}}_i=H(PK\setminus P_i,{\widehat{\mathbf{s}}}_{k0})$ are equal can be negligible. Therefore, only one probability is negligible at most with the same output value as the real signer subscript.

Since there are at least three ring members and at least two ${\widehat{\mathbf{z}}}_i$’s are not the same, when the signature is not the same signer, it can be determined with overwhelming probability.

□

6. Efficiency Analysis

In Table 2, we set $\theta =m{n}^{1.5}logn-\sqrt{n}logn$ and l is the number of ring members. From Table 2, we may conclude that the public key, secret key and signature sizes of our scheme are equal to the scheme in [23], the size of the signature is smaller than the scheme in [3], and the size of the signature is larger than the scheme in [15].

Table 2. Communication overhead comparison (in bits).

Scheme	Public Key	Secret Key	Signature
GW [3]	$mnlogp$	$2mnlogp$	$2mnlog\theta +2ln+(m+1)nlogp$
AM [15]	$nlogp$	$2nlogp$	$nllogp$
AM [23]	$mnlogp$	$2mnlogp$	$2mnlog\theta +2n$
RS	$mnlogp$	$2mnlogp$	$2mnlog\theta +2n$
LRS	$mnlogp$	$2mnlogp$	$2mnlog\theta +2n$

In Table 3, m is the number of components of a polynomial vector and l is the number of ring members. When calculating the time complexity, some lightweight operations (hash function and random number selecting) are not taken into account. It mainly calculates the time cost of polynomial multiplication ($T_{Mul}$) and polynomial inversion ($T_{Inv}$). The runtime of the discrete Gaussian sampling algorithm, the rejection sampling algorithm, the trapdoor generation algorithm and the SamplePre algorithm [15] are represented by $T_{Sd}$, $T_{Rs}$, $T_{Trap}$ and $T_{Sam}$, respectively. In [15], $T_{Trap}$, $T_{Sam}$, $T_{Sd}$ and $T_{Rs}$ are used for keypair and the signature. From Table 3, we may conclude that the signature cost and the verification cost in our scheme are smaller than the scheme in [3], and the keypair cost is smaller than the scheme in [3,23].

Table 3. Comparison of time costs.

Scheme	Keypair	Signature	Verification
GW [3]	$(2m-1)T_{Mul}+T_{Inv}$	$(2l+4m+3l-2)T_{Mul}$	$(2lm+3)T_{Mul}$
YQ [15]	$T_{Mul}+T_{Trap}+T_{Sam}$	$l{T}_{Mul}+2T_{Sd}+2T_{Rs}$	$l{T}_{Mul}$
AM [23]	$(2m-1)T_{Mul}+T_{Inv}$	$(lm+m)T_{Mul}$	$(lm+1)T_{Mul}$
RS	$m{T}_{Mul}$	$(lm+m+l-1)T_{Mul}$	$(lm+l)T_{Mul}$
LRS	$m{T}_{Mul}$	$(lm+m+l-1)T_{Mul}$	$(lm+l)T_{Mul}$

Table 4 shows the comparison of our signature scheme with the other four schemes in terms of their functionality. The deniable ring signature can prove that the ring member has not signed the signature when necessary. The linkable ring signature can determine whether two signatures are those of the same signer in the ring member. Both the deniable ring signature and the linkable ring signature are ring signatures with special properties, which can be applied to special real situations. From Table 4, we may conclude that LRS and YQ [15] are linkable and secure in case of a quantum attack.

Table 4. Comparison of functionality.

Scheme	Quantum-Resistance	Deniability	Linkability
LJ [11]	No	No	Yes
GW [3]	Yes	Yes	No
YQ [15]	Yes	No	Yes
AM [23]	Yes	No	No
RS	Yes	No	No
LRS	Yes	No	Yes

7. Conclusions

In this paper, the LRS is constructed based on the $SV{P}_{\gamma }\left(\mathbb{L}\right)$ problem. In LRS, the linkable label is embedded into the randomly selected vector of the signature process in the constructed signature scheme in [23], which means that although the signature output form of our scheme is the same as in the scheme in [23], our scheme is linkable. In the future, we hope to construct a linkable and deniable ring signature scheme.