A Novel Linkable Ring Signature on Ideal Lattices

In this paper, a novel linkable ring signature scheme is constructed. The hash value of the public key in the ring and the signer’s private key are based on random numbers. This setting makes it unnecessary to set the linkable label separately for our constructed scheme. When judging the linkability, it is necessary to determine whether the number of the intersections of the two sets reaches the threshold related to the number of the ring members. In addition, under the random oracle model, the unforgeability is reduced to the SVPγ problem. The anonymity is proved based on the definition of statistical distance and its properties.


Introduction
In 2001, Rivest et al. [1] proposed the concept of ring signature. In a ring signature, the signer chooses several other users' public keys to form a set with his own public key. In the signature verification phase, the verifier can confirm that the signature is generated by one of the ring members, but the verifier cannot find the real signer. There are many signature schemes that extend the original ring signature scheme to special scenarios, such as the deniable ring signature scheme in [2,3], the identity-based ring signature scheme in [4][5][6][7][8][9], and the linkable ring signature scheme in [10][11][12][13]. The linkable ring signature is a special ring signature proposed by Liu et al. [11]. It is suitable for many practical scenarios, such as e-cash and e-voting. The general ring signature is not suitable for electronic voting because it is difficult to determine whether the same voter has voted more than once. The linkable ring signature solves this problem: the verifier can detect whether the generated votes are from the same voter through the linkable label. In 2021, Tang et al. [14] constructed an identity-based linkable ring signature scheme on NTRU lattice. In 2022, Ye et al. [15] constructed a linkable ring signature scheme on NTRU lattice. In [10][11][12][13][14][15], the linkability of each signature scheme was determined by generating tags.
Based on [11,23,24], the output of the hash function of the public key in the ring and the signer's private key is used to select random numbers. We give a new general structure of linkability, and construct a linkable ring signature scheme on ideal lattices (LRS).

Contributions
• We replace the random number in the signature algorithm in [23] with the hash value of the public key in the ring and the private key. Our signature scheme (LRS) and the scheme in [23] have the same length of the public key, the secret key and the signature output, but our LRS is linkable.
• In [10][11][12][13][14][15,25,26], the linkable criterion was that the linkability label was the same. Unlike this, in our scheme, the linkability criterion is to determine the maximum number of the elements in the intersection of the two sets rather than the number of the ring members.

Notations
The notations are in Table 1.
$x \xleftarrow{\$} S$: $x$ is a uniformly random sample from the set $S$.

Definition 3 ([28]). For $\gamma > 1$, a monic polynomial $f$ and a lattice $L$ corresponding to an ideal in the ring $\mathbb{Z}[x]/\langle f \rangle$, the $f$-SVP$_\gamma$ problem asks to find $g \in L$ such that $\|g\|_\infty \le \gamma \lambda_1^\infty(L)$, where $\lambda_1$ is the length of the shortest nonzero vector on $L$.
In Theorem 3.1 of the literature [27], if $f = x^n + 1$ (where $n = 2^k$, $k \in \mathbb{Z}^+$), we can get the following theorem.
Theorem 1 ([27]). Let $D = \mathbb{Z}_p[x]/\langle x^n + 1 \rangle$ be a ring (where $n = 2^k$, $k \in \mathbb{Z}^+$). Define the set $D_h = \{y \in D : \|y\|_\infty \le d,\ d \in \mathbb{Z}^+\}$. Let $H(D, D_h, m)$ be a function family as in Definition 1 such that $m > \frac{\log p}{\log 2d}$ and $p \ge 4dmn^{1.5}\log n$. If there is a polynomial-time algorithm that can solve $\mathrm{Col}(h_{\hat a}, D_h)$ for random $h_{\hat a} \in H(D, D_h, m)$ with some non-negligible probability, then there is a polynomial-time algorithm that can solve $(x^n + 1)$-SVP$_\gamma(L)$ for every lattice corresponding to an ideal in $D$, where $\gamma = 16dmn\log^2 n$.

Statistical Distance
Definition 4 ([29]). Let $X$ and $X'$ be two random variables over a countable set $S$. The statistical distance between $X$ and $X'$ is defined by

Framework and Security Model of LRS Scheme
Our LRS consists of five probabilistic polynomial time (PPT) algorithms.
• SetUp: Input the security parameter $n$, and output the public parameter $P$.
• KeyGen: Input $P$, and output a keypair $(pk, sk)$.
• Sign: Input $P$, a signer's $(pk, sk)$, a message $\mu$ and the ring $PK$ ($pk \in PK$), and output a signature $\sigma$.
• Verify: Input the signature $\sigma$, and output "1" or "0".
• Link: Input two valid signatures $(\sigma_1, \sigma_2)$, and output "1" or "0".
The LRS is correct if the verification algorithm outputs "1" for a valid signature and "0" for an invalid signature.

Definition 5 (Unforgeability).
The LRS is unforgeable if there is no PPT A to win the following games with an advantage that cannot be ignored.
Setup: C calls LRS-SetUp to generate the parameters $P$ and calls LRS-KeyGen to generate the keypair $(pk_i, sk_i)$, and sends the parameters $P$ and all public keys $pk_i$ to A.
Query: the adversary A can perform polynomial Hash queries, Extract queries and Signature queries.
Forgery: the adversary A submits $(i^*, PK, \mu^*, \sigma^*)$. If the following conditions are true: (1) A did not query the private key of $pk_{i^*}$; (2) A did not query the signature of $(pk_{i^*}, \mu^*)$, then A wins the game.
The advantage is defined as Adv

Definition 6 (Anonymity).
The LRS scheme is said to be anonymous if there is no PPT A to win the following games with an advantage that cannot be ignored.
Setup: C calls LRS-SetUp to generate the parameters $P$ and calls LRS-KeyGen to generate the keypair $(pk_i, sk_i)$, and sends $P$ and all public keys $pk_i$ to A.
Query: A performs a polynomially bounded number of Hash queries, Extract queries and Signature queries.
Challenge: C selects $b \in \{0, 1\}$ and calls LRS-Sign$(b, PK, sk_{i_b}, \mu)$ (where $PK$, $sk_{i_b}$ and $\mu$ correspond to the ring, the private key and the message respectively) to generate the signature $\sigma_{b, PK, sk_{i_b}, \mu}$. A did not query the signature of $(b, PK, sk_{i_b}, \mu)$.
Guess: A outputs $b'$ as a guess of $b$. If $b' = b$, then A wins the game. The advantage is defined as Adv anon

Definition 7 (Linkability).
The LRS scheme is said to be linkable if there is no PPT A to win the following games with an advantage that cannot be ignored.
Setup: C calls LRS-SetUp to generate the parameters $P$ and calls LRS-KeyGen to generate the keypair $(pk_i, sk_i)$, and sends $P$ and all public keys $pk_i$ to A.
Query: A performs a polynomially bounded number of Hash queries, Extract queries and Signature queries.
Challenge: C selects $b \in \{0, 1\}$ and calls LRS-Sign$(b, PK, sk_{i_b}, \mu)$ (where $PK$, $sk_{i_b}$ and $\mu$ correspond to the ring, the private key and the message respectively) to generate the signature $\sigma_{b, PK, sk_{i_b}, \mu}$. A did not query the signature of $(b, PK, sk_{i_b}, \mu)$.
Guess: A outputs bit $b'$ as a guess of $b$. If b = b and b = 1 − b, then A wins the game. The advantage is defined as Adv link

Construction of Our LRS
The LRS consists of five PPT algorithms: ParamGen, KeyGen, Sign, Verify and Link. The parameter settings are as follows:
H: a family of hash functions $D^m \to D$.
Step 3. Pick $p$ as a prime with $p > n^4$, $p \equiv 3 \bmod 8$.

LRS-Sign
Input a message $\mu$, a ring $PK = \{P_i\}_{i \in [l]} \subseteq D$, a private key $\hat s_j$ associated to the public key $P_j \in PK$, and do the following:
Step 2. For $i = j$, compute $\hat u_j = H_1(PK \setminus \{P_j\}, \hat s_j)$.
Step 5. Compute
Step 6. For $i = j$, compute $\hat z_j = \hat u_j + c_j \hat s$. If $\hat z_j \in D_y^m$ does not hold, then go back to reselect public keys.
We need to show

Construction of Our RS
By changing the first and second steps of the LRS-Sign, the following ring signature scheme (RS) can be obtained.
The parameter setting is the same as LRS.

• RS-Setup
This part is the same as LRS-Setup.

• RS-KeyGen
This part is the same as LRS-KeyGen.

• RS-Sign
Input $\mu$, a ring $PK = \{P_i\}_{i \in [l]} \subseteq D$, a private key $\hat s_j$ associated to $P_j \in PK$, and do the following:
Step 3. Compute $R_j = h(\hat u_j)$.
Step 5. Compute
Step 6. For $i = j$, compute $\hat z_j = \hat u_j + c_j \hat s$. If $\hat z_j \in D_y^m$ does not hold, then go back to reselect public keys.

• RS-Verify
This part is the same as LRS-Verify.

Security Analysis
We will prove that our LRS satisfies unforgeability, anonymity and linkability.
Proof of Theorem 2. B gives an $h \in H(D, m)$, picks a secret key $\hat s \xleftarrow{\$} D_c^m$ and computes the public key $P = h(\hat s)$.
B creates two empty lists $L_1$, $L_2$ to record the queries of adversary A.
Setup: Executing the LRS-Setup, B gives A the parameters $P = (k, n, m, h)$.
Query: For the ring $PK = \{P_i\}_{i \in [l]} \subseteq D$, where $P_l = P$, B performs the following operations:
Hash query:
1. A sends message $\mu$ to B. For $i \in [l - 1]$, B picks $\hat y_i \in D_y^m$ and $\hat y_l \in G^m$. B queries $L_1$ and returns the same record if there is already the query;
2. Otherwise, B picks $\hat s_i \in D_c^m$, and passes to A. B records $(P_l, \hat s_i)$ to $L_2$.
Sign query: A sends message $\mu$, the ring $PK = \{P_i\}_{i \in [l]} \subseteq D$, where $P_l = P$. B operates as follows:
1.
2. B checks $L_2$. If $(P_i, \hat s_i)$ does not exist, go to Extract query and record $(P_i, \hat s_i)$ in $L_2$.
A has not inquired the private key of the public key P il * ; 2.

Proof of Theorem 4.
Setup: This part is the same as in Theorem 2.
Query: This part is the same as in Theorem 2.
Challenge: 1. C hands a message $\mu$ and uses the LRS-KeyGen to generate key pairs $(P_{k_0}, \hat s_{k_0})$, $(P_{k_1}, \hat s_{k_1})$.
Next, we will discuss it in two ways.

1. When $\hat s_{k_b} = \hat s_{k_0}$, because the ring $PK = \{P_i\}_{i \in [l]}$ is the same and the calculated $\hat u_i$ is the same, at most one output $\hat z_i$, the one at the real signer's subscript, is different, so at least $l - 1$ of the $\hat z_i$ are identical. That is, when signatures on different messages are produced with the same private key, this can be completely determined.

2. When $\hat s_{k_b} \neq \hat s_{k_0}$, because the ring $PK = \{P_i\}_{i \in [l]}$ is the same and $H$ is strongly collision-resistant, when calculating $\hat u_i = H(PK \setminus \{P_i\}, \hat s_j)$, the probability that the hash values $\hat u_i = H(PK \setminus \{P_i\}, \hat s_{k_b})$ and $\hat u_i = H(PK \setminus \{P_i\}, \hat s_{k_0})$ are equal is negligible. Therefore, except with negligible probability, at most one output value is the same, the one at the real signer's subscript.
Since there are at least three ring members and at least two $\hat z_i$'s are not the same, when the signatures are not from the same signer, this can be determined with overwhelming probability.
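
The counting argument in the two cases above can be run as a toy model. This is an added example, not the paper's algorithm: SHA-256 stands in for $H$, byte strings stand in for lattice elements, the signer's own slot is made message-dependent by hashing, and the names `sign_components` and `link` are hypothetical.

```python
import hashlib

def H(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (assumed stand-in for the hash H)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def sign_components(ring, j, sk, msg):
    """Return the toy components (z_1..z_l) produced by ring member j.

    For i != j the component depends only on (PK minus P_i, sk), so it
    repeats across messages; slot j also depends on the message, which
    models z_j = u_j + c_j * s.
    """
    out = []
    for i in range(len(ring)):
        rest = b"".join(ring[:i] + ring[i + 1:])   # PK without P_i
        u_i = H(rest, sk)
        out.append(H(u_i, msg) if i == j else u_i)
    return out

def link(sig1, sig2):
    """Output 1 if the two component sets share at least l-1 elements."""
    l = len(sig1)
    if l != len(sig2) or l < 3:   # the proof assumes at least three members
        raise ValueError("need two signatures over the same ring, l >= 3")
    shared = len(set(sig1) & set(sig2))
    return 1 if shared >= l - 1 else 0

# Constructed sample data: three secret keys and their toy public keys.
SKS = [b"sk-alice", b"sk-bob", b"sk-carol"]
RING = [H(b"pk", s) for s in SKS]

if __name__ == "__main__":
    a1 = sign_components(RING, 0, SKS[0], b"vote A")
    a2 = sign_components(RING, 0, SKS[0], b"vote B")
    b1 = sign_components(RING, 1, SKS[1], b"vote A")
    print("same signer:", link(a1, a2), "different signers:", link(a1, b1))
```

With three ring members the same signer shares two of three components across messages (case 1), while two different signers share none (case 2).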

Efficiency Analysis
In Table 2, we set $\theta = mn^{1.5}\log n - \sqrt{n}\log n$ and $l$ is the number of ring members. From Table 2, we may conclude that the public key, secret key and signature sizes of our scheme are equal to the scheme in [23], the size of the signature is smaller than the scheme in [3], and the size of the signature is larger than the scheme in [15].

Table 2. Communication overhead comparison (in bits).

Scheme | Public Key | Secret Key | Signature
GW [3] | $mn \log p$ | $2mn \log p$ | $2mn \log \theta + 2ln + (m + 1)n \log p$
AM [15] | $n \log p$ | $2n \log p$ | $nl \log p$
AM [23] | $mn \log p$ | $2mn \log p$ | $2mn \log \theta + 2n$
RS | $mn \log p$ | $2mn \log p$ | $2mn \log \theta + 2n$
LRS | $mn \log p$ | $2mn \log p$ | $2mn \log \theta + 2n$

In Table 3, $m$ is the number of components of a polynomial vector and $l$ is the number of ring members. When calculating the time complexity, some lightweight operations (hash function and random number selecting) are not taken into account. It mainly calculates the time cost of polynomial multiplication ($T_{Mul}$) and polynomial inversion ($T_{Inv}$). The runtime of the discrete Gaussian sampling algorithm, the rejection sampling algorithm, the trapdoor generation algorithm and the SamplePre algorithm [15] are represented by $T_{Sd}$, $T_{Rs}$, $T_{Trap}$ and $T_{Sam}$, respectively. In [15], $T_{Trap}$, $T_{Sam}$, $T_{Sd}$ and $T_{Rs}$ are used for keypair and the signature. From Table 3, we may conclude that the signature cost and the verification cost in our scheme are smaller than the scheme in [3], and the keypair cost is smaller than the scheme in [3,23].

Scheme | Keypair | Signature | Verification
GW [3] | $(2m - 1)T_{Mul} + T_{Inv}$ | $(2l + 4m + 3l - 2)T_{Mul}$ | $(2lm + 3)T_{Mul}$
YQ [15] | $T_{Mul} + T_{Trap} + T_{Sam}$ | $lT_{Mul} + 2T_{Sd} + 2T_{Rs}$ | $lT_{Mul}$
AM [23] | $(2m - 1)T_{Mul} + T_{Inv}$ | $(lm + m)T_{Mul}$ | $(lm + 1)T_{Mul}$
RS | $mT_{Mul}$ | $(lm + m + l - 1)T_{Mul}$ | $(lm + l)T_{Mul}$
LRS | $mT_{Mul}$ | $(lm + m + l - 1)T_{Mul}$ | $(lm + l)T_{Mul}$

Table 4 shows the comparison of our signature scheme with the other four schemes in terms of their functionality. The deniable ring signature can prove that the ring member has not signed the signature when necessary. The linkable ring signature can determine whether two signatures are those of the same signer in the ring member. Both the deniable ring signature and the linkable ring signature are ring signatures with special properties, which can be applied to special real situations. From Table 4, we may conclude that LRS and YQ [15] are linkable and secure in case of a quantum attack.