Linkable Ring Signature for Privacy Protection in Blockchain-Enabled IIoT

Abstract

The blockchain-enabled industrial Internet of Things (IIoT) faces security threats such as quantum computing attacks and privacy disclosure. Targeting these issues, in this study, we design a new lattice-based linkable ring signature (LRS) scheme, which is used to achieve privacy protection for the blockchain-enabled IIoT. Firstly, by using the trapdoor generation algorithm on the lattice and the rejection sampling lemma, we propose a new lattice-based LRS scheme with anti-quantum security and anonymity. Then, we introduce it into blockchain. Through the stealth address and key image technologies, we construct a privacy protection scheme for blockchain in the IIoT, and this LRS scheme protects identity privacy for users through anonymous blockchain. In addition, it also can resist the double spending attack with the linking user’s signature. Lastly, we provide a security analysis, and it is proven that our ring signature scheme satisfies correctness, anonymity, unforgeability and linkability. Compared with other similar schemes, the performance simulation indicates that our scheme’s public key and signature are shorter in size, and its computation overhead and time cost are lower. Consequently, our novel LRS scheme is more secure and practical, which provides privacy protection and anti-quantum security for the blockchain-enabled IIoT.

1. Introduction

Recently, the integration of blockchain and the industrial Internet of Things (IIoT) has emerged as a novel trend and area of research within industrial applications [1,2]. However, smart objects attached to the IIoT interact with humans and also process their private data [3,4]. Moreover, information is collected in large quantities and disclosed to the Internet without the consent of specific persons. In data storage, privacy disclosure stands out as one of the most serious threats within the IIoT [5,6].

In 2008, Nakamoto proposed blockchain for the first time [7]. However, with the in-depth study of blockchain, more and more people take a skeptical attitude towards blockchain’s anonymity in bitcoin trading [8,9,10,11]. In 2016, Zerocash was designed, which satisfies anonymity [12]. Saberhagen et al. designed the CryptoNote protocol [13]. Afterwards, Monero was proposed based on this CryptoNote protocol by using a ring signature to achieve anonymity. Thus, the ring signature was proposed [14]. Then, Liu et al. proposed a new kind of ring signature scheme, which was called the linkable ring signature (LRS) [15]. In LRS, not only does the signer’s identity in a ring signature remain anonymous but two ring signatures that are signed by the same signer can also be linked [16]. Considering its advantages, the LRS scheme is suitable in many different practical applications, such as e-voting, e-money, supply chains, and healthcare [17,18,19]. However, it still faces a problem, which cannot be ignored in Monero and Zerocash [20]. More specifically, in 2018, Fedorov clearly pointed out the security risks of quantum computing in blockchain [21].

Fortunately, lattice-based cryptography has been proven to have anti-quantum security [22]. Afterwards, Ajtai provided an innovative algorithm for constructing random short lattices [23,24]. Gentry et al. put forward a trapdoor function to construct a cryptographic algorithm [25]. Subsequently, some lattice-based signature schemes were proposed based on the bonsai tree algorithm [26]. In 2010, Agrawal et al. proposed an efficient lattice basis delegation algorithm [27]. By using this algorithm, Wang proposed an identity-based ring signature scheme [28]. Lyubashevsky provided the rejection sampling lemma for constructing lattice-based signatures without using the hash-and-sign methodology. This signature scheme is provably secure based on the worst-case hardness of the $\tilde{O}\left({\mathrm{n}}^{1.5}\right)$-SIVP problem [29]. Then, a new ring signature scheme on lattice was proposed, and its security was proven under the random oracle model [30].

Facing quantum computing attacks and privacy disclosure issues in blockchain-enabled IIoT, we propose a new LRS scheme and introduce it into blockchain to design a new post-quantum blockchain (PQB) with privacy protection for IIoT.

The rest of this study is organized as follows. In Section 2, some definitions and lemmas of the lattice theories are presented. In Section 3, we propose a secure LRS scheme based on lattice. A security proof is presented in Section 4. In Section 5, this LRS scheme is introduced into blockchain; we construct a privacy protection scheme for blockchain in IIoT and present a performance analysis and efficiency comparison of our scheme with other schemes. In Section 6, conclusions are provided.

2. Preliminaries

2.1. Lattice and Hard Problem

In the following, $\mathbb{R}$ denotes the real number set, and $\mathbb{Z}$ denotes the positive integer set. Therefore, we use ${\mathbb{R}}^m$ to stand for the m-dimensional Euclidean vector space. In general, $m\in \mathbb{Z},n\in \mathbb{Z},m\ge n$. $L$ and $\Lambda$ denote lattice in the following content, vector $\mathit{x}=(x_1,x_2,\cdots ,x_{n-1},x_n{)}^T$ in the space ${\mathbb{Z}}^m$, and $‖\mathit{x}‖=\sqrt{x_1^2+x_2^2+\cdots x_{n-1}^2+x_n^2}$.

Definition 1. 

(Lattice): Suppose that there are n linearly independent vectors ${\mathbf{v}}_{\mathbf{1}},{\mathbf{v}}_{\mathbf{2}},\cdots ,{\mathbf{v}}_{\mathbf{n}}\in {\mathbb{Z}}^m$, so lattice L can be represented as follows.

$$\mathit{L}({\mathbf{v}}_{\mathbf{1}},{\mathbf{v}}_{\mathbf{2}},\cdots ,{\mathbf{v}}_{\mathbf{n}})=\left\{{\sum }_{i=1}^n{a}_i{\mathbf{v}}_{\mathbf{i}}\left|a_i\in \mathbb{Z},i=1,\cdots ,n\right.\right\}$$

(1)

Definition 2. 

(Lattice shortest independent vector problem (SIVP)): Given an n-dimensional lattice L, output a set of n linearly independent vectors $s_i$ and $‖s_i‖\le {\lambda }_n\left(L\right) (i=1,\dots ,n).$

Definition 3. 

(Lattice SIS problem): Suppose that we have a real constant $v>0$ and a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ where q is a prime. Find a non-zero vector $\mathbf{x}\in {\mathbb{Z}}^m$ such that $\mathbf{A}\mathbf{x}\equiv 0\mathrm{mod}q$ and $‖\mathbf{x}‖\le v$.

2.2. Trapdoor and Lemmas

Lemma 1 

[25]. Select a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ where prime number q > 2, B is a basis of ${\Lambda }_q^{\perp }\left(\mathbf{A}\right)$, the Gaussian parameter $s\ge \left|\right|\tilde{\mathbf{B}}\left|\right|\omega \left(logm\right)$. Thus, for any vector $\mathit{y}\in {\mathbb{Z}}_q^n$, there exists a probabilistic polynomial time (PPT) algorithm $SamplePre(\mathbf{A},\mathbf{B},\mathit{y},s)$, which can output a vector $\mathit{e}\in Z_q^m$ from a distribution that is close to $D_{{\Lambda }_q^{\perp }\left(\mathit{A}\right),s}$.

Lemma 2 

[25]. For any prime $q=poly\left(n\right)$ and any $m\ge 2n{\mathit{log}}^{2}q$, there exists a PPT algorithm $TrapGen\left(1^n\right)$, which can output a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ and a full-rank basis $\mathbf{S}\in {\mathbb{Z}}^{m\times m}$ of ${\Lambda }^{\perp }\left(\mathbf{A}\right)$. And the distribution of A is statistically close to uniform over ${\mathbb{Z}}_q^{n\times m}$, such that $\mathbf{A}\mathbf{S}=0\left(\mathit{mod}q\right)$ and $‖\mathbf{S}‖=O\left(m^{0.5}\right)$.

Lemma 3 

[27]. For a matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, the m-dimensional lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, the Gaussian parameter $s\ge ‖\tilde{T}‖\cdot s_R\sqrt{m}\omega \left(\sqrt{{\mathit{log}}^{3/2}m}\right)$, input a basis T of the lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, and it has the nonsingular matrix $\mathbf{R}={\mathbf{T}}^{-1}$, $\mathbf{R}\in {\mathbb{Z}}^{m\times m}$. By running the PPT algorithm $BasisDel(\mathbf{A},\mathbf{R},\mathbf{T},s)$, a basis $\mathbf{B}\in {\mathbb{Z}}^{m\times m}$ of ${\mathsf{\Lambda }}^{\perp }\left(\mathbf{A}{\mathbf{R}}^{-1}\right)$ can be obtained and with overwhelming probability $‖\tilde{\mathbf{B}}‖<s/\omega \left(\sqrt{\mathit{log}m}\right)$.

Lemma 4. Rejection sampling 

[29]. Suppose that V is a subset ${\mathbb{Z}}^m$ and each element v has norm less than t, $\sigma =\omega \left(t\sqrt{\mathit{log}m}\right)$, and $h:V\to \mathbb{R}$ is a probability distribution. Thus, there is a constant $M=O\left(1\right)$ such that output distribution statistical distance of the following two algorithms is less than $2^{-\omega \left(\mathit{log}m\right)}/M$.

Algorithm A: $v\leftarrow h$, $x\leftarrow D_{v,\sigma }^m$, output (x,v) with the probability $\mathit{min}(D_{\sigma }^m\left(x\right)/M{D}_{v,\sigma }^m\left(x\right), 1)$.

Algorithm B: $v\leftarrow h$, $x\leftarrow D_{\sigma }^m$, output (x,v) with the probability $1/M$.

The probability that algorithm A outputs something is at least $(1-2^{-\omega \left(\mathit{log}m\right)})/M$.

2.3. Related Work

Some related works from recent years of the blockchain-based LRS schemes and privacy-preserving blockchain mechanisms for IIoT are given in this section. In 2018, Wang et al. proposed a lattice-based ring signature scheme without trapdoors [31]. Gao et al. presented a new ring signature scheme from lattice in 2019 [32]. Through experiments under the same parameters, we find that this scheme’s signature size is large, which leads to its low efficiency. In 2021, Le et al. presented an identity-based LRS (IdLRS) in both integer lattice and ideal lattice settings [33]. Subsequently, Tang et al. constructed a new identity-based LRS scheme over NTRU lattice by employing the technologies of trapdoor generation and rejection sampling [34]. In 2022, Cao et al. proposed a new LRS scheme with lattice [35]. In this scheme, ring members’ public keys and the real signer’s private key are both used as the input of a hash function to obtain the output instead of the vector obeying the discrete Gaussian distribution selected in other schemes. In 2023, Cao et al. proposed an efficient LRS based on ideal lattice [36]. Subsequently, in 2024, Zhang et al. designed a lattice-based LRS scheme to provide accurate signature traceability mechanisms for transactions in the blockchain-enabled system [37]. It can protect the system by resisting the quantum attack. Then, Duan et al. presented a novel ring confidential transactions protocol by introducing the linkable threshold ring signature (LTRS) [38]. Afterwards, Xie et al. proposed a linkable, k-times traceable and revocable ring signature (Lk-TRS), which is used to construct a blockchain anonymous transaction system in 2025 [39].

The above method innovatively integrates and utilizes the security features of lattice-based cryptography and LRS, fully leveraging the excellent performance of lattice-based cryptography in resisting quantum computing attacks and the unique advantages of LRS in safeguarding user privacy, thereby achieving significant improvements in both the privacy protection and quantum security of blockchain-enabled IIoT. Unfortunately, in the above LRS schemes, both the amount of signature computation and the size of the signature will increase linearly with the number of ring members. This leads to overall low efficiency and insufficient practicality of the LRS scheme, especially in applications with a large number of users and transactions such as blockchain.

3. Lattice-Based LRS Scheme

3.1. Formal Definition

Suppose that the number of users in the ring is k, and $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$ represents all users in the ring.

Definition 4. 

(Linkable ring signature): The linkable ring signature scheme is usually composed of five PPT algorithms as follows.

Setup ($1^n$): Select a security parameter n. This Setup algorithm outputs public parameters PP and the master key Mk.

KeyGen: Input public parameters, the KeyGen algorithm can output the secret key pair (pk, sk) and a corresponding public key I. So, we can obtain a public key set $R=\{p{k}_1,p{k}_2,\cdots ,p{k}_k\}$.

Ringsign $\left(sk,R, M\right)$: Input public key set R of the ring, the signer’s key pair $(pk,sk)$ and the message $M\in \{0,1{\}}^{\ast }$. Run the Ringsign algorithm to output signature e of message M.

Ringverify (e, R, M): Input the public key set R, message M and ring signature e; if the signature e is reasonable, the Ringverify algorithm accepts or refuses.

Link $\left(I,v,v^{\prime }\right)$: Take a set $I=\left\{I_i\right\}$ and two signatures $v$ and $v^{\prime }$. Output “linked” or “independent”.

3.2. Security Model

Generally speaking, the linkable ring signature scheme should satisfy three important security properties, namely anonymity, unforgeability and linkability.

Anonymity. The anonymity is defined by a game between adversary $A$ with a challenger $C$ as follows.

KeyGen (n). Input a security parameter n, challenger $C$ runs KeyGen algorithm to output a private key sk and a public key pk for each game participant, and there are k participants, $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$. So, challenger $C$ obtains the public and private key pairs set $\left\{\right(p{k}_1,s{k}_1),(p{k}_2,s{k}_2),\cdots ,(p{k}_k,s{k}_k\left)\right\}$.

Queries. Set the public key set $R=\{p{k}_1,p{k}_2,\cdots ,p{k}_k\}$. Suppose adversary $A$ selects a participant I with his public key $p{k}_i\in R$. Challenger $C$ uses participant I’s public and private key pair $(p{k}_i,s{k}_i)$ and runs Ringsign algorithm to output the signature $v$; then, he returns $v$ to adversary $A$.

Challenge. Adversary $A$ submits a message $M^{\prime }$, ring $R^{\prime }$ and two other participants $\{I{D}_{a_0},I{D}_{a_1}\}\in U$. The challenger $C$ chooses a bit $b\in \{0,1\}$ and runs Ringsign algorithm to output signature $v^{\prime }$, then returns $v^{\prime }$ to adversary $A$.

Verify. If adversary $A$ outputs a guess $b^{\prime }\in \{0,1\}$ and $b^{\prime }=b$, adversary $A$ wins this game.

In this game, suppose that the probability of opponent a winning the game is $Su{c}_A^{anon}\left(n\right)$, and the advantage of adversary $A$ is $Ad{v}_A^{anon}\left(n\right)=Su{c}_A^{anon}\left(n\right)-1/2$. If for every probabilistic polynomial-time adversary $A$, the advantage $Ad{v}_A^{anon}\left(n\right)$ is negligible, the ring signature scheme is anonymous.

Unforgeability. Unforgeability is defined by using the game between an adversary $A$ with a challenger $C$ as follows.

Setup. The challenger $C$ runs Setup(n) algorithm to generate public parameters PP and MK, and sends PP to the adversary $A$. Then, adversary $A$ issues k queries on identity $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$.

Queries. Set the public key set $R=\{p{k}_1,p{k}_2,\cdots ,p{k}_k\}$. Suppose adversary $A$ selects a participant I with his public key $p{k}_i\in R$. Challenger $C$ uses participant I’s public and private key pair $(p{k}_i,s{k}_i)$. Adversary $A$ submits a ring $U_1\subseteq U$, private key $s{k}_i$ and message msg. The challenger $C$ runs Ringsign algorithm to output signature $v$, then returns $v$ to adversary $A$.

Forgery. The adversary $A$ outputs $(U_2,ms{g}^{\prime },v^{\prime })$, $A$ wins this game if:

(1)

Verify $(PP,U_2,ms{g}^{\prime },v^{\prime })$ = accept.

(2)

Adversary $A$ does not have the private key of the user in $U_2$.

(3)

$(U_2,ms{g}^{\prime })$ is not submitted to sign query.

Linkability. For two different messages $m_1$ and ${ m}_2$, the signer can obtain two different signatures $e_1$ and $e_2$. There exists a PPT algorithm $F,$ which verifies the probability of the same signer is not negligible. On the contrary, if the two different signatures $e_1$ and $e_2$ are signed by different signers, the PPT algorithm $F$ verifies that the probability of the same signer is negligible. Thus, the signature scheme is linkable.

3.3. Details of Our Scheme

Here, a security parameter $n\in \mathbb{Z}$, a prime $q\ge 2$, $m\ge 5n\mathit{lg}q$, and $H_1:{\left\{0,1\right\}}^{\ast }\to {\mathbb{Z}}_q^{m\times m}$ is a collision-resistant hash function. $H_2:{\mathbb{Z}}_q^m\times \{0,1{\}}^{\ast }\to \{v=\{-d,\cdots ,d{\}}^g:‖v‖\le t,d\in N^{+},t\in R\}$. Suppose that there are k users in the ring $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$. Our linkable ring signature scheme contains the five PPT algorithms as follows.

Setup  $\left(1^n\right)$: Select and input the security parameter $n$.

(1)

Based on Lemma 2, sender runs $TrapGen\left(1^n\right)$ and obtain a random matrix ${\mathbf{A}}_{\mathbf{0}}\in {\mathbb{Z}}_q^{n\times m}$ and a corresponding short basis ${\mathbf{S}}_0\in {{\mathsf{\Lambda }}_q}^{\perp }\left({\mathbf{A}}_{\mathbf{0}}\right)$. ${\mathbf{S}}_0\in {\mathbb{Z}}_q^{m\times m}$ is sender’s master key $MK={\mathbf{S}}_0$.

(2)

For each user $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$, the hash function takes as input ID, outputs $R=H_1\left(ID\right)$ and message $M\in {\left\{0,1\right\}}^d$. Thus, the public parameter $PP=\{{\mathit{A}}_{\mathbf{0}},H_1,H_2\}$.

KeyGen  $(PP,ms,MK)$: For each member, select each ID and input the Gaussian parameter $s$, MK, and PP.

Based on Lemma 3, sender runs $BasisDel({\mathbf{A}}_{\mathbf{0}},{\mathbf{H}}_1(\mathrm{I}\mathrm{D}),{\mathbf{S}}_{\mathbf{0}},s)$ and obtains his private key ${\mathbf{S}}_{ID}$. Thus, ${\mathbf{S}}_{ID }$ is a basis of ${\mathsf{\Lambda }}^{\perp }\left({\mathbf{A}}_{\mathbf{0}}{\mathbf{H}}_1\right(ID{)}^{-1})$, and his public key ${\mathbf{A}}_{ID}={\mathbf{A}}_{\mathbf{0}}{\mathbf{H}}_1(ID{)}^{-1}$.

RingSign $(PP,{\mathbf{S}}_{I{D}_i},M,U)$: Generate a signature by the following steps.

(1)

Randomly select a vector $\mathbf{V}\in R^{1\times m}$, compute ${\mathbf{I}}_i=\mathbf{V}{\mathbf{S}}_{{ID}_i}$.

(2)

Set $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$ and $j\in \{1,2,\cdots ,k\}$, select $s\ge ‖{\tilde{\mathbf{S}}}_{{ID}_i}‖\omega \left(\sqrt{logm}\right)$, then select vectors ${\mathit{u}}_j\leftarrow D_s^m$.

(3)

$s_i\leftarrow SamplePre\left({\mathbf{A}}_{{ID}_i},{\mathbf{S}}_{{ID}_i},s,u\right),x_i=s_i+{\mathit{u}}_i$

(4)

Compute $v=H_2\left({\sum }_{j=1}^k{A}_{I{D}_j}{\mathit{u}}_j,M\right)$.

(5)

Let $j=\{1,2,\cdots ,k\}$, if $j\ne i$, $x_j={\mathit{u}}_j$. If $j=i$, $x_j=x_i$.

(6)

Output the ring signature $e=(x_1,x_2,\cdots ,x_k,v,{\mathit{I}}_i)$.

Verify $(PP,U,M,e)$: Verifier can verify the correctness of this signature $e$ as follows.

(1)

For each $x_j$ and $j\in \{1,2,\cdots ,k\}$, verify $‖x_j‖\le s\sqrt{m}$.

(2)

Verify $v=H_2({\sum }_{j=1}^k{A}_{I{D}_j}{x}_j-A_{I{D}_i}{s}_i,M)$.

If the above conditions are satisfied, the verifier runs the following Link algorithm. Otherwise, this signature e will be rejected.

Link (I,e): There is a set I that these ${\mathit{I}}_i$ values are stored in, verifier checks if ${\mathit{I}}_i$ has been used in past signatures.

For two signatures $e_1=(x_1,x_2,\cdots ,x_k,v_1,{\mathit{I}}_1)$ and $e_2=(x_1,x_2,\cdots ,x_k,v_2,{\mathit{I}}_2)$, if ${\mathit{I}}_1={\mathit{I}}_2$, return 1 (linked) to indicate these two signatures are signed by the same user. If not, return 0 (unlinked).

Correctness. Suppose that there is a set l, and $j-l=\left\{i\right\}$, such that

$$\begin{array}{ll}{\sum }_{j=1}^k{A}_{{ID}_j}{x}_j-A_{{ID}_i}{s}_i& ={\sum }_{l=1}^k{A}_{{ID}_l}{\mathit{u}}_l+A_{{ID}_i}{x}_i-A_{{ID}_i}{s}_i\\ & ={\sum }_{l=1}^k{A}_{{ID}_l}{\mathit{u}}_l+A_{{ID}_i}\left(s_i+{\mathit{u}}_l\right)-A_{{ID}_i}{s}_i\\ & ={\sum }_{l=1}^k{A}_{{ID}_l}{\mathit{u}}_l+A_{{ID}_i}{s}_i+A_{{ID}_i}{\mathit{u}}_l-A_{{ID}_i}{s}_i\\ & ={\sum }_{j=1}^k{A}_{{ID}_j}{\mathit{u}}_j\end{array}$$

(2)

Such that $v=H_2({\sum }_{j=1}^k{A}_{I{D}_j}{x}_j-A_{I{D}_i}{s}_i,M)$. Therefore, this linkable ring signature scheme satisfies correctness.

4. Security Analysis

4.1. Anonymity

Theorem 1. 

Our proposed ring signature scheme satisfies anonymity.

Proof. 

Suppose that there is an adversary $A$ attacking this proposed ring signature scheme based on the anonymity’s definition. □

KeyGen. At first, challenger $C$ selects k users to obtain an ID set $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$. Then, for each user ID, input a security parameter n; challenger $C$ runs $TrapGen\left(1^n\right)$ algorithm and generates a uniformly random matrix ${\mathbf{A}}_{\mathbf{0}}\in {\mathbb{Z}}_q^{n\times m}$ with a corresponding short basis ${\mathbf{S}}_0\in {\mathsf{\Lambda }}_q^{\perp }\left({\mathbf{A}}_{\mathbf{0}}\right)$. At last, challenger $C$ runs $BasisDel({\mathbf{A}}_{\mathbf{0}},\mathbf{H}(ID),{\mathbf{S}}_{\mathbf{0}},s)$ to obtain the private key ${\mathbf{S}}_{ID}$. Similarly, a corresponding public key is ${\mathbf{A}}_{ID}={\mathbf{A}}_{\mathbf{0}}\mathbf{H}(ID{)}^{-1}$. There are k participants $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$, and challenger $C$ can obtain the public–private key pairs set $\left\{\right(p{k}_1,s{k}_1),(p{k}_2,s{k}_2),\cdots ,(p{k}_k,s{k}_k\left)\right\}$.

Queries. Challenger $C$ answers the hash queries, private key queries and signing queries of adversary $A$. Suppose adversary $A$ selects a participant with his ID. Challenger $C$ returns this ID’s public and private key pair $(p{k}_i,s{k}_i)$ and runs Ringsign algorithm to output signature $e=(x_1,x_2,\cdots ,x_k,v)$, then returns this signature $e$ to adversary $A$.

Challenge. Adversary $A$ submits a message $M^{\prime }$, ring $U^{\prime }$ and two other participants $\{I{D}_{a_0},I{D}_{a_1}\}\in U$. The challenger $C$ chooses a bit $b\in \{0,1\}$ and runs Ringsign algorithm to output signature $e^{\prime }=(x_1^{\prime },x_2^{\prime },\cdots ,x_k^{\prime },v^{\prime })$, then he returns this signature $e^{\prime }$ to adversary $A$.

Guess. Adversary $A$ outputs a guess $b^{\prime }\in \{0,1\}$ and verify $b^{\prime }=b$.

For the signature, if $j\ne a_b$, $x_j={\mathit{u}}_j$. If $j=a_b$, $x_j=x_i$. According to Lemma 4, $e=(x_1,x_2,\cdots ,x_k,v)$ is not distinguishable from Gauss distribution ${\left(D_{\sigma }^m\right)}^{l+1}$. Similarly, $e^{\prime }=(x_1^{\prime },x_2^{\prime },\cdots ,x_k^{\prime },v^{\prime })$ is also not distinguishable from ${\left(D_{\sigma }^m\right)}^{l+1}$. We can see that, because these two signatures, e and $e^{\prime }$, have the same distribution of the domain, they are computationally indistinguishable.

In summary, under the simulated environment, the adversary $A$ in this anonymity game advantage $Ad{v}_A^{anon}\left(n\right)=Su{c}_A^{anon}\left(n\right)-1/2$ is negligible in guessing the right identity.

4.2. Unforgeability

Theorem 2. 

Under the lattice SIS problem assumption, the proposed linkable ring signature scheme is existentially unforgeable.

Proof. 

Suppose that A is regarded as a PPT adversary. A is able to successfully attack this proposed scheme and forge a new signature. We use $\epsilon$ to denote the probability of success. Then, A is a subroutine, which can solve the lattice short integer solution problem via non-negligible probability. Thus, a PPT algorithm T is constructed, which is realized through interaction with the adversary A as follows. □

Setup. The challenger $C$ selects a user set $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$ and a user ${ID}_i(1\le i\le k)$. And $C$ runs the Setup $\left(1^n\right)$ algorithm to obtain PP and MK, and sends PP to $A$. Then, $A$ issues $k$ queries on identity $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$.

KeyGen. For $1\le i\le k$, challenger $C$ does as follow.

(1)

According to Lemma 2, challenger $C$ uses $TrapGen\left(1^n\right)$ to obtain a random matrix ${\mathbf{A}}_i\in {\mathbb{Z}}_q^{n\times m}$ with a corresponding short basis ${\mathbf{S}}_i\in {\mathsf{\Lambda }}^{\perp }({\mathbf{A}}_i,q)$. ${\mathit{S}}_i\in {\mathbb{Z}}_q^{m\times m}$ is sender’s master key $MK={\mathbf{S}}_i$.

(2)

For each user $U=\{I{D}_1,I{D}_2,\cdots ,I{D}_k\}$, the hash function outputs $R=H\left(ID\right)$. For message $M\in {\left\{0,1\right\}}^d$. $C$ obtains the public parameter $PP=\{{\mathit{A}}_{\mathbf{0}},H_1,H_2\}$. Then, $C$ transmits PP and U to $A$.

(3)

Run $BasisDel({\mathbf{A}}_i,\mathbf{H}(I{D}_i),{\mathbf{S}}_i,s)$ to generate a secret key ${\mathbf{S}}_{I{D}_i}$ which is a basis of ${\mathsf{\Lambda }}^{\perp }\left({\mathbf{A}}_i\mathbf{H}\right(I{D}_i{)}^{-1})$. Correspondingly, ${\mathbf{A}}_{I{D}_i}={\mathbf{A}}_i\mathbf{H}(I{D}_i{)}^{-1}$.

Queries. Challenger $C$ answers the following hash queries, private key queries and signing queries from adversary $A$.

(1)

Hash queries. Adversary $A$ chooses a user’s ${ID}_i$. Challenger $C$ checks the list $L_1$. If adversary $A$ submitted this query before, it will return the same result. Otherwise, Challenger $C$ runs the algorithm $R_i=H\left({ID}_i\right)$, returns to adversary $A$ and stores it in $L_1$.

(2)

Private key queries. Adversary $A$ selects a user ${ID}_i$ from U. Challenger $C$ checks the list $L_1$ and finds (${\mathbf{A}}_i,\mathbf{H}\left(I{D}_i\right),{\mathbf{S}}_i,s$). Then, challenger $C$ runs $BasisDel({\mathbf{A}}_i,\mathbf{H}({ID}_i),{\mathit{S}}_i,s)$ to return his private key ${\mathit{S}}_{{ID}_i}$ to adversary $A$ and store it in $L_2$.

(3)

Signing queries. Adversary $A$ submits a message M, a ring $U^{\prime }\subseteq U$ and ${ID}_i\in U^{\prime }$. Challenger $C$ runs Ringsign algorithm to output ring signature $e=(x_1,x_2,\cdots ,x_k,v)$, then return $e$ to adversary $A$.

Forgery. Adversary $A$ submits a message $M^{\prime }$, a ring $U_2\subseteq U$, a user ${ID}_a(1\le a\le l)$, adversary $A$ can forge a signature $e^{\prime }=(x_1^{\prime },x_2^{\prime },\cdots ,x_l^{\prime },v^{\prime })$. $A$ wins the game if:

(i)

Verify $e^{\prime }=(x_1^{\prime },x_2^{\prime },\cdots ,x_l^{\prime },v^{\prime })$ is accepted.

(ii)

Adversary $A$ does not have the private key of the user ${ID}_a(1\le a\le l)$ in $U_2$.

(iii)

$(U_2,M^{\prime })$ is not submitted to the signing query.

According to our signature scheme, it is shown that if $e^{\prime }=(x_1^{\prime },x_2^{\prime },\cdots ,x_l^{\prime },v^{\prime })$ is a legal signature of ring $U_2\subseteq U$, we have

$$A_{{ID}_j}{x^{\prime }}_j-A_{{ID}_i}{s^{\prime }}_i=A_{{ID}_j}{\mathbf{u}}_j$$

(3)

Because challenger $C$ can use private key queries to obtain the private key ${\mathbf{S}}_a$ of ${ID}_a$,${ e}^{″}=(x_1^{″},x_2^{″},\cdots ,x_l^{″},v^{″})$ is also a legal signature of ring $U_2\subseteq U$, so we have

$$A_{{ID}_j}{x^{\prime }}_j-A_{{ID}_i}{s^{\prime \prime }}_i=A_{{ID}_j}{\mathbf{u}}_j$$

(4)

Through the analysis of Equations (3) and (4), we have

$$A_{{ID}_j}{x^{\prime }}_j-A_{{ID}_i}{s^{\prime }}_i=A_{{ID}_j}{\mathbf{u}}_j=A_{{ID}_j}{x^{\prime }}_j-A_{{ID}_i}{s^{\prime \prime }}_i$$

(5)

So, $A_{{ID}_i}{s^{\prime \prime }}_i-A_{{ID}_i}{s^{\prime }}_i=0$; then, we have

$$A_{{ID}_i}{(s^{\prime \prime }}_i-{s^{\prime }}_i)=0$$

(6)

Let $f=s_i^{″}-s_i^{\prime }$, so $A_{{ID}_i}f=0\mathrm{m}\mathrm{o}\mathrm{d}q$, such that

$$‖f‖=‖s_i^{″}-s_i^{\prime }‖\le ‖s_i^{″}‖+‖s_i^{\prime }‖\le \sigma \sqrt{m}+\sigma \sqrt{m}=2\sigma \sqrt{m}$$

(7)

Consequently, it means that the result $(q,m,2\sigma \sqrt{m})$ is a non-zero solution to the lattice SIS problem.

At last, according to the preimage min-entropy property, the probability of the non-zero solution is not less than $SI{S}_{s\sqrt{m}}$. The probability that adversary $A$ successfully forges a legal signature is $\epsilon$, and $pro\left(i=1\right)=q_e^{-1}$. Therefore, the non-zero solution to the lattice $SI{S}_{q,m,2\sigma \sqrt{m}}$ problem with a negligible probability $\left(1-2^{-\omega \left(\mathit{lg}m\right)}\right)q_e^{-1}\epsilon$.

As shown in the calculation and analysis, the probability that adversary $A$ forges a legal and valid signature is negligible. Under the lattice SIS problem assumption, the proposed linkable ring signature scheme satisfies unforgeability. Thus, the proof of this theorem is completed.

4.3. Linkability

Theorem 3. 

The proposed ring signature scheme is linkable. Formally, adversary $A$ cannot produce $n+1$ valid signatures $e_i$ with key images ${\mathit{I}}_i\ne {\mathit{I}}_j$ for any $i,j\in \{1,\cdots ,n\}$.

Proof. 

Suppose that, for the sake of contradiction, adversary A can generate $n+1$ valid signatures. Since the secret key set $\left|S\right|=n$, there is at least one ${\mathbf{I}}_i$ which does not belong to the set I. Without a loss of generality, considering this event happened in $e_x=(x_1,x_2,\cdots ,x_k,v_x,{\mathbf{I}}_x)$, which is a valid signature, we have ${\mathbf{I}}_x=\mathbf{V}{\mathbf{S}}_x$. Because ${\mathbf{I}}_x$ does not belong to the set I, its secret key ${\mathbf{S}}_x$ does not belong to secret key set S. Therefore, ${\mathbf{I}}_x\ne {\mathbf{I}}_i=\mathbf{V}{\mathbf{S}}_i$ for $i\in \{1,\cdots ,n\}$ and it contradicts previous assumptions, in which adversary A can generate $n+1$ valid signatures. Consequently, our ring signature scheme is linkable. □

5. LRS-Based Blockchain for IIoT

5.1. Stealth Address

As described in CryptoNote, the stealth address technology is used in all transactions to provide privacy protection for the receiver. For instance, Alice and Bob have a transaction to make. In this transaction, Alice needs to pay her cryptocurrency to Bob. At first, Alice generates a one-time address for Bob and publishes it as a broadcast in the distributed network. Subsequently, Bob has to check each transaction by using his private key to identify which transaction belongs to him. Subsequently, he recovers this secret key corresponding to the destination address.

Through using a stealth address, the connection of a blockchain transaction’s output with the recipient’s wallet address is broken. More specifically, the actual destination address of a transaction is hidden with the stealth address in CryptoNote. For the sake of protecting the privacy of receivers in blockchain, we also produce stealth addresses as follows, which will be used as the verifying and signing key pairs in the PQB with privacy protection based on lattice.

5.2. Blockchain with Privacy Protection

According to the framework of CryptoNote, in this subsection, we introduce our LRS scheme into blockchain to design a secure PQB scheme with privacy protection for IIoT. Suppose that Alice wants to transfer her cryptocurrency to Bob from her address of a secret key pair $(p{k}_a,s{k}_a)$. As shown in Figure 1, we describe our scheme through the implementation of a transaction as follows.

Key generation. Alice and Bob run the KeyGen algorithm to obtain her/his secret key pairs $(p{k}_a,s{k}_a)$ and $(p{k}_b,s{k}_b)$, respectively. It should be noted that Alice’s secret key pair $(p{k}_a,s{k}_a)$ address has been used for receiving the cryptocurrency in the last transaction.

Key image. Bob randomly selects a string $b$. Then, he calculates $hash\left(b\right)$ and sends this hash value to Alice. Then, Alice calculates $Y=E_{p{k}_b}\left(hash\right(b\left)\right)$ and key image $X=hash\left(s{k}_a\right)$.

Transaction generation. Alice specifies n−1 foreign outputs with the same amount as her outputs and mixes all of these foreign outputs without other people’s participation. All previous transactions with outputs are added to the hash function. Then, this hash value h is signed by running the Ringsign algorithm, which generates a ring signature $e$. Afterwards, as shown in Figure 2, she inputs these outputs, Y, key image X, ring signature e and generates a new transaction tx.

Transaction verification. By running the Link algorithm, the miner nodes verify whether the cryptocurrency in the transaction has been consumed to prevent a double spending attack. Subsequently, miner nodes run the Verify algorithm to verify whether the signature of this transaction is correct. If it is correct, this transaction will be encapsulated in a new block. Otherwise, this transaction will be discarded.

Transaction confirmation. Bob checks this transaction. Afterwards, he extracts the destination key from this transaction and calculates $Y^{\prime }=E_{p{k}_b}\left(hash\right(b\left)\right)$. If $Y^{\prime }=Y$, this transaction is the one which Alice sends to Bob. Thus, Bob accepts this transaction, and he records $Y$ with $\mathrm{Output} i$ and $(p{k}_b,s{k}_b)$ in his wallet. When he wants to spend this coin with the destination address $Y$, he can use the corresponding one-time key pair $(p{k}_b,s{k}_b)$ to generate a new transaction as in the above steps.

Different from traditional blockchain, for each ring signature $e$, it can be checked by using the public key set in our proposed scheme instead of a unique public key. Before the owner uses the same key pair to generate a second signature, the identity of the signer cannot be distinguished from other users in the public key set. More specifically, by using our LRS scheme in PQB for IIoT, the signer’s identity in a ring signature remains anonymous, and two ring signatures, which are signed by the same signer, can be linked. Therefore, this new PQB not only protects the user’s privacy information but also resists the double spending attack. Additionally, as discussed above, the LRS scheme used in PQB satisfies unforgeability. With these above security advantages, the proposed PQB scheme enhances data security for IIoT.

5.3. Security and Comparison

As previously highlighted, the lattice-based cryptography algorithm represents a unique mathematical structural model. It has been rigorously demonstrated to possess robust resistance against quantum computing attacks, positioning it as an indispensable component in the future landscape of information security. Consequently, in line with the aforementioned considerations, we opted to employ lattice-based cryptography as the foundational framework for constructing our linkable ring signature scheme. In this study, our linkable ring signature scheme’s security mainly depends on the intractability of the SIS problem from lattice-based cryptography. And the lattice SIS problem in an average case can be reduced to the SIVP in the worst case, which is often used to construct signature schemes for resisting quantum computing attacks [40]. Therefore, our scheme has anti-quantum security.

Furthermore, lattice-based cryptography algorithms are matrix and vector operations, and the computation cost largely determines the cryptography algorithm’s efficiency, especially the public key size and signature size. In this subsection, it is assumed that the parameters (n, m, q, k) are the same in our scheme and other related lattice-based ring signature schemes. The detailed comparison results are shown in

Table 1. Comparison of computation costs.

Scheme	Public Key Size	Private Key	Signature Size
Ref. [32]	(3m + g + 1)nlogq	4m2logq	k(k + 1)mlogq
Ref. [33]	mnllogq	(m + nl)nlogq	(m + nl + n)k logq + n2logq + n
Ref. [34]	4n2logq	4nlogq	(2k + 1)n logq
Ref. [35]	2mnlogq	4m2logq	2(k + 1)mlogq
Our work	mnlogq	nlogq	mklogq

. Compared with other schemes, the results show that our public key size and signature size are shorter than those in Refs. [32,33,34,35]. Therefore, our scheme is efficient, with lower computation costs.

Meanwhile, T_tg, T_bd, T_eb, T_erb, T_rb, T_sp, T_gsp, T_mul are set to represent the average consumption time of the following algorithms, TrapGen, BasisDel, ExtBasis, ExtRandBasis, RandBasis, SamplePre, GenSamplePre and vector multiplication, respectively. Then, the master key generation time, user key generation time and signature generation time in these above ring signature schemes are compared, respectively, and the time cost comparison results are shown in

Table 2. Comparison of time costs.

Scheme	MK Generation	Secret Key Generation	Signature Generation
Ref. [30]	Ttg	m Teb + Trb	m Teb + Trb + 2m Tsp + m(k − g + 1) Tmul
Ref. [31]	kTtg	gTsp	m(k + 1) Tmul
Ref. [32]	Ttg	k Terb	2mk Tmul + Tgsp
Ref. [33]	Ttg	Tsd + Tmul	(2k + 1) Tmul
Ref. [34]	Ttg	k Tsp	(2k + 1) Tmul
Ref. [35]	Ttg	Trb + mTsp	2(k + 1) Tmul
Our work	Ttg	kTbd	Tsp + mk Tmul

. Among them, our ring signature scheme only uses the TrapGen algorithm once in the master key generation, and the user key generation adopts the BasisDel algorithm $k$ times. Using the rejection sampling lemma, the main steps of generating a ring signature adopt simple vector multiplication. Through this comprehensive comparison, it shows that in the transaction signature process, our scheme’s time cost is less than that in other schemes.

Furthermore, based on the parameters of 80-bit and 192-bit security levels in Ref. [41], and in combination with the parameter requirements of the scheme in our study, the parameters used in the experimental testing are set as follows. We consider two security level of 80-bit and 192-bit, and the parameters polynomial degree n and modulus q are set as n = 256; q = 2¹⁰, m = 3853 and n = 512; q = 2¹⁰, m = 7706, respectively. Other reasonable parameters include g = 256, k = 10, $l=⌈\mathit{log}q⌉=4$. Under two security levels of 80-bit and 192-bit, the public key size, signature size and private key of our proposed scheme and those in Refs. [32,33,34,35] are compared. The simulation results are shown in Figure 3, where (a) and (b) represent the 80-bit security level and 192-bit security level, respectively. As shown in Figure 3, the public key size and signature size of the transaction in our scheme are 362.42 KB and 14.11 KB for 80-bit security, 1444.87 KB and 28.22 KB for 192-bit security. Under the same security levels, our scheme achieves a significant reduction in public key size and signature size compared to Refs. [32,33,35]. In terms of the generated private key size, since the private key sizes in Refs. [32,35] are 4m²logq, according to the parameter settings of 80-bit and 192-bit security levels, it is obvious that their sizes are much larger than other schemes. Ref. [33]’s generated private key sizes at 80-bit and 192-bit security levels are 458.74 KB and 1834.97 KB, respectively. Ref. [34]’s private key sizes are 0.38 KB and 0.76 KB at 80-bit and 192-bit security levels, respectively. And our scheme’s private key sizes are 0.09 KB for 80-bit security and 0.19 KB for 192-bits security, which are significantly smaller than those in other schemes. After comprehensive comparisons, our LRS scheme for blockchain has lower computational overhead, reduces storage costs, and achieves higher efficiency.

6. Conclusions

This study contributes to privacy protection in the process of optimizing user privacy data sharing in blockchain-enabled IIoT. We design an LRS scheme with anti-quantum security and anonymity. This scheme is based on the lattice problem and has superior security. At the same time, the characteristics of LRS can better hide the personal privacy in blockchain. In particular, by combining the stealth address and key image technologies, this scheme is introduced into the construction of blockchain-enabled IIoT, which can support secure data sharing and ensure that data are not tampered with. Meanwhile, the combination of LRS and blockchain-enabled IIoT can effectively enhance the privacy and security of users. Then, it is proved that the LRS scheme in our construction satisfies the security requirements of correctness, unforgeability, anonymity, and linkability. The comparison of key sizes shows that the proposed LRS scheme is efficient and reduces data space overhead. Performance comparisons indicate that our scheme is more practical for IIoT. Our work provides new solutions to the privacy leakage problem of data sharing in the current IIoT system and promotes the application of blockchain in IIoT. In the field of the data sharing of IIoT, there are still several highly promising research directions that urgently need to be explored, especially identity authentication technology, refined data access control mechanisms, and efficient data retrieval strategies. These cutting-edge topics will constitute the content of our future research work.