Article

Logarithmic NTRU-Based Certificateless Ring Signature in E-Voting Applications

1 School of Cyberspace Security, Xi’an University of Posts and Telecommunications, Xi’an 710121, China
2 School of Cyber Engineering, Xidian University, Xi’an 710071, China
* Author to whom correspondence should be addressed.
Electronics 2025, 14(7), 1358; https://doi.org/10.3390/electronics14071358
Submission received: 7 February 2025 / Revised: 20 March 2025 / Accepted: 26 March 2025 / Published: 28 March 2025
(This article belongs to the Special Issue Applied Cryptography and Practical Cryptoanalysis for Web 3.0)

Abstract

In electronic voting systems, a large number of voters are often required to vote. It is also necessary to ensure the security of the voters and the fairness of the vote. The use of ring signatures is very suitable for e-voting systems because of their special anonymity. Among the many types of ring signatures, certificateless ring signature (CRS) stands out because it does not require certificates and avoids the need to completely trust the key generation center (KGC). In this paper, we propose a certificateless ring signature based on the special structure of the number theory research unit (NTRU) lattice, which utilizes the Merkle tree and seed tree to split commitments and integrate them again to generate signatures. At the same time, we embed the NTRU small integer solution (NTRU-SIS) problem and provide a detailed proof of security under the random oracle model (ROM). In efficiency, the Merkle tree makes the signature size logarithmically increase with the ring scale. In the era of big data explosion, this feature enables the proposed scheme to maintain a comparatively short signature size even when the number of ring members N is very large. When N = 8 , the signature size is 61.08 KB; when N increases to 512, the size is 65.02 KB. From the data, we can observe that the signature size grows slowly, by only 4 KB when N grows exponentially, which is much slower than ring signatures with linear growth.

1. Introduction

Throughout history, voting has witnessed the development of human civilization. Whether a small meeting or a large-scale election, voting is an important part of the process. In ancient times, voting was done on paper, which was convenient daily. However, as the number of people grows, or in the case of large-scale elections, paper ballots have many drawbacks. In addition to consuming a lot of manpower and resources, they have the disadvantages of being easily tampered with, and the election process may not be transparent. With the advent of the internet, e-voting has greatly improved the situation. In 1981, Chaum and David [1] proposed an electronic voting protocol. Just a few years later, Fujioka et al. [2] proposed the first large-scale use of a blind signature-based voting protocol, which allowed the use of electronic signatures to skyrocket. However, there was a risk of forgery, and even though Cong and Hu [3] later modified the protocol, it still led to the problem of voters’ identities being revealed. Over the past four decades, researchers have engaged in many efforts towards making e-voting meet basic security needs as well as enabling richer applications. At present, the underlying cryptographic techniques of anonymous e-voting protocols are divided into three types: blind signature, ring signature, and proxy signature.
A ring signature is a type of decentralized signature invented by Ron Rivest, Adi Shamir, and Yael Tauman [4] in 2001. Since then, the most commonly used ring signatures have mainly been RSA and elliptic curve ring signatures, both of which are mainly based on traditional number-theoretic problems. As early as 1994, Shor [5] proposed a prime factorization algorithm, which did not have too much impact on the traditional cryptosystems due to technical limitations. However, with the development of quantum computing, traditional cryptosystems are no longer secure. Thus, scholars have set their eyes on post-quantum cryptography solutions such as lattice-based cryptosystems. In 2018, NIST put out an open call for cryptography projects that included lattice cryptography. In recent years, lattice ring signatures have become a hot research topic among scholars, and many efficient lattice ring signature schemes have been proposed [6,7,8,9]. However, the lack of uniform standards for parameter selection in the lattice has led to a slow process of practical application. In addition to resisting quantum attacks, lattice cryptography has the advantages of worst-case to average-case reductions, good efficiency, and more. Among the many lattice-based cryptosystems, the number theory research unit (NTRU) lattice is widely used in many fields for its simplicity, fast computation speed, and small storage space. The NTRU cryptosystem was first proposed by Silverman, Hoffstein, and Pipher [10] in 1996. Its security is based on the shortest vector problem (SVP) on the lattice, meaning that it can resist attacks from the Shor algorithm and improve its performance.
Today, earlier electronic voting systems can no longer meet requirements in terms of efficiency and security. As early as 1983, Shamir [11] proposed an identity-based cryptosystem. Soon after, Zhang and Kim [12] presented the first identity-based ring signature (IBRS), which has also been adapted to e-voting. However, it requires certificate management and excessive KGC powers, meaning that it is not applicable in certain practical situations. In 2003, Al-Riyami and Paterson [13] proposed a certificateless cryptosystem that does not require certificates and can also reduce the authority of KGC. Figure 1 shows the difference between these two types of signatures when generating a user’s private key. Combining certificateless capability with ring signatures has greatly impacted certain application scenarios requiring efficient and flexible authentication. Certificateless ring signatures have good efficiency and are unforgeable, making them well-suited for e-voting systems.
However, there are many problems with existing certificateless ring signatures. Most certificateless ring signatures are not quantum-resistant and are very vulnerable to some quantum attacks. In certain practical scenarios, there is a lack of functionality expansion and inefficiency. In addition, there are problems with key storage, a widely recognized industry standard has not yet been formed, and there are few actual deployment cases. In [14,15], both schemes are based on bilinear pairs and lack resistance to quantum attacks. In [16,17], both have quantum resistance and provide corresponding application scenarios, but are less efficient. In [18], the scheme has quantum resistance, but there is no corresponding application scenario. Furthermore, it is large in terms of size, although the size is constant.
To solve the above problems, this paper proposes a certificateless ring signature scheme on an NTRU lattice (NTRU-CRS) based on an anonymous e-voting system.
1. First, the proposed scheme is based on the NTRU-SIS hard assumption, which guarantees users’ identities using the properties of the Merkle tree accumulator. By combining this with certificateless cryptography, no certificate management is required. In this way, the proposed scheme has improved efficiency while also restricting the power of the KGC.
2. In terms of security, a detailed proof of the proposed scheme’s security is provided, including its correctness, anonymity, and unforgeability. In particular, we provide a proof of security for unforgeability against two different adversaries: an external adversary and a malicious KGC.
3. In terms of effectiveness analysis, the signature size of NTRU-CRS is logarithmically related to the number of ring members N. In terms of signature time overhead, NTRU-CRS outperforms other similar schemes.
In the subsequent section, we introduce the related works on certificateless ring signatures. Section 3 provides some related preliminaries. Section 4 contains the specific parameter settings and details of our proposed scheme. In Section 5, specific security proofs are shown. Section 6 compares the performance of our scheme with other similar schemes. In Section 7, we present the application of the scheme in anonymous voting systems. The final Section 8 and Section 9 summarize the work and make suggestions for its future, respectively.

2. Related Works

Yum and Lee [19] proposed a generic construction for a certificateless signature in 2004, which they constructed using an identity- and certificate-based signature. After this, the idea of certificateless signatures began to be applied to different types of signatures. In 2007, Chow et al. [20] constructed a CRS scheme and provided a security model for it. Subsequently, Chang et al. [21] modified the security requirements of certificateless signatures in 2009 and proposed a new CRS. Most earlier types of CRS used bilinear pairings; Deng et al. [22] first proposed a CRS without pairing in 2015. Most later CRS examples [23,24,25] were constructed based on bilinear pairing, but these are generally inefficient.
With the development of the internet and quantum computing, certificateless ring signatures based on traditional hard problems have long been unsatisfactory in the face of the threat of massive data and quantum attacks. The lattice approach provides scholars with a new way of thinking due to its high efficiency and resistance to quantum attacks. In 2015, Tian et al. [26] proposed the first certificateless signature on the lattice, and encountered the problem that the scheme needs to store matrices, leading to unsatisfactory efficiency. Later scholars focused their research on improving efficiency and addressing diverse practical scenarios. In 2016, Xie et al. [27] proposed a certificateless signature scheme based on the NTRU lattice, which had improved efficiency to the one in [26]. In 2020, Deng et al. [14] proposed an elliptic curve-based linkable CRS, which effectively solves the above problem in e-voting or transactions. At the same time, Bouakkaz [15] proposed a CRS scheme based on bilinear pairs suitable for the vehicular ad hoc networks. However, neither of these schemes is quantum-resistant. In the following year, Zhang and Chen [16] proposed a CRS on the lattice with a blockchain sharing economy transaction scheme that can protect users’ privacy via the principle of bimodal Gaussian rejection sampling, which greatly reduces the sampling time in the signature phase. In 2022, Dong et al. [18] proposed a lattice-based CRS with constant-size. While this approach improves the security and efficiency of the scheme through bimodal Gaussian sampling, the signature size is too large, meaning that it lacks practical value. In 2023, Yu et al. [17] proposed an NTRU-based CRS based on the RSIS assumption, which is generated using the rejection sampling technique with the help of the polynomial ring structure of the NTRU lattice, effectively improving efficiency. This year, Zhang et al. [28] proposed a CRS on lattice for Internet of Things applications. 
As in [17], bimodal Gaussian sampling is used to improve the efficiency of key generation. In particular, the traceability function is supplemented for practical applications. Current related schemes focus on efficiency improvements as well as additional practical functionality. Although all of the above schemes have improved efficiency, the signature size increases significantly with N when the number of ring members is too large.

3. Preliminaries

3.1. Notation

On the ring $\mathbb{Z}[X]/(q, X^n + 1)$, the norm is defined via the coefficient vector of the polynomial. Specifically, elements in $R_q$ are uniquely represented as polynomials with coefficients confined to the following ranges: when the modulus $q$ is even, the coefficients are integers in the interval $(-q/2, q/2)$; when the modulus $q$ is odd, the coefficients are integers in the interval $[-(q-1)/2, (q-1)/2]$.

3.2. NTRU Lattice

Definition 1
(NTRU lattice). Let $n$ be an integer and a power of 2; $q$ is a prime number and $q \ge 2$. Polynomials $f, g \in R_q$, $h = g f^{-1} \bmod q$. The matrix $A = \begin{pmatrix} A_n(H) & I_n \\ q I_n & 0_n \end{pmatrix}$ generates a $2n$-dimensional full-rank lattice $\Lambda_{q,h}$, which is the NTRU lattice:
$$\Lambda_{q,h} = \{ (u, v) \in R^2 \mid u + v h = 0 \bmod q \}.$$
Here, we introduce the NTRU-SIS hard problem on which the security of the proposed scheme largely depends. We take this definition from [29].
Definition 2
(NTRU-SIS). If $n, m, q$ are all integers, $\beta > 0$ is a positive real, and the polynomial $h = g f^{-1} \bmod q \in R_q$, then the NTRU-SIS problem is to find two polynomials $(u, v) \in R_q^2$ such that $u + v h = 0 \bmod q$ and $\|u\|, \|v\| \le \beta$.

3.3. The Related Algorithms

The following are some of the algorithms needed for the scheme. The details of algorithms are provided in [30], and are mainly as follows:
  • TrapGen NTRU ( 1 n ) : Let n and k be integers, where k > 3 and n = 2 k , and where q = 1 mod 2 n is a prime number. The parameter β = 1.17 q / 2 n and f , g , F , G R satisfying f · F g · G = q . A probabilistic polynomial-time (PPT) algorithm TrapGen NTRU outputs a polynomial h = g f 1 mod q and a matrix B f , g = A n ( g ) A n ( f ) A n ( G ) A n ( F ) Z q 2 n × 2 n .
  • SamplePre ( B f , g , s , t ) : This algorithm inputs a matrix B f , g , a Gaussian parameter s = 0.585 π q ln ( 2 + 2 / η ) for η = 2 λ / 2 n , and a polynomial t R q . It outputs z = ( z 1 , z 2 ) from D h + c , s such that z 1 + h z 2 = t , z s 2 n .

3.4. Certificateless Ring Signature

This subsection provides the definition and security requirements for a standard certificateless ring signature.
Definition 3.
A CRS scheme mainly consists of seven PPT algorithms, which are as follows: Setup, Extract-Partial-Private-Key, Set-Secret-Value, Set-Private-Key, Set-Public-Key, CLR.Sign, and CLR.Verify:
  • Setup$(1^{\lambda})$: The algorithm generates the master public key $MPK$, the master secret key $MSK$, and the public parameter $PP$ through the security parameter $\lambda$.
  • Extract Partial Private Key ( M S K , I D ) : The KGC utilizes the algorithm that generates the user’s partial private key s I D from the master secret key M S K and the user’s identity  I D .
  • Set Secret Value ( I D ) : Using the identity I D , the user randomly selects a secret value  s I D .
  • Set Private Key ( s I D , s I D ) : The algorithm uses the partial private key s I D generated by the KGC and a secret value s I D selected by the user as input to output the full private key S K .
  • Set-Public-Key$(SK)$: The algorithm generates the user’s public key $PK$ using the full private key $SK$.
  • CLR.Sign$(\mu, R, SK)$: The algorithm inputs the message $\mu$, the ring $R$, and the user’s private key $SK$, then outputs the corresponding signature $\sigma$.
  • CLR.Verify$(R, \mu, \sigma)$: The algorithm verifies the message $\mu$, the ring $R$, and the signature $\sigma$, then outputs 1 if accepted and 0 if rejected.
In addition to these, there are three properties of certificateless ring signatures: correctness, anonymity, and unforgeability. Correctness means that as long as the generated signature is valid, it can be successfully verified. Anonymity means that even if the adversary knows the private keys of the ring members, they cannot know the identity of the signer in the ring. Finally, unforgeability means that an adversary cannot generate a valid signature without the user’s private key. There are two types of adversaries; type 1 is an external attacker ($\mathcal{A}_1$), which carries out public key replacement attacks, while type 2 is the malicious KGC ($\mathcal{A}_2$), which knows the master private key $MSK$.

3.5. Index-Hiding Merkle Tree

The index-hiding Merkle tree method [31] is an efficient way of displaying the exact position of an element, which is achieved by hashing a set of elements $A = (a_0, \ldots, a_N)$ to construct a Merkle tree. In the following discussion, we consider a slight modification of the traditional Merkle tree construction in which we use three algorithms and a hash function $\mathcal{H}_{Coll}: \{0,1\}^{*} \to \{0,1\}^{2\lambda}$, as shown in Table 1:
  • MerkleTree$(A) \to (root, tree)$: This algorithm inputs some elements $A = (a_1, \ldots, a_{2^k})$, where $k \in \mathbb{N}$. It then generates a Merkle tree using the hash function $\mathcal{H}_{Coll}$, producing leaf and root nodes. Finally, it outputs the root node $root$ and the entire tree description $tree$.
  • Path$(tree, I) \to path$: This algorithm inputs $tree$ and an index $I \in [2^k]$, then outputs the path of $I$, $path = (p_1, \ldots, p_k)$.
  • RecRoot$(a, path) \to root$: This algorithm inputs an element $a \in A$ and the path of $a$, $path = (p_1, \ldots, p_k)$. It reconstructs $root$ from the element $a$ and the hash values of its sibling and ancestor nodes. Finally, it outputs the reconstructed root node $root = h_k$.
As shown in Figure 2, all the elements require lexicographical ordering, where $H$ in the figure represents $\mathcal{H}_{Coll}$ and $H(\cdot)$ stands for the hash on its child nodes. At the bottom is the original data block; the tree structure is generated by hashing the original data block from bottom to top. Regarding the explanation of the path, for example, the red leaf node is the target node, and its corresponding path consists of the yellow nodes.
Here we briefly state a lemma that we will use in the proof, namely, that the distribution of $a_I$ in the tree is only related to the distribution $D$ and not to the index $I$. In addition, details of the relevant proofs of the properties of the Merkle tree are provided in [32].
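The three algorithms above can be exercised with the following added example, which is not code from the paper. It assumes SHA-256 as a stand-in for $\mathcal{H}_{Coll}$ (so $\lambda = 128$), realises the lexicographical ordering by sorting each pair of children before hashing, and uses constructed byte strings in place of the ring commitments; the domain-separation prefixes and `path_bytes` are likewise assumptions of this sketch.

```python
import hashlib

HASH_BYTES = 32  # 2*lambda bits with lambda = 128 (assumed parameter)


def h_coll(data: bytes) -> bytes:
    """Stand-in for H_Coll: {0,1}* -> {0,1}^(2*lambda); SHA-256 is an assumption."""
    return hashlib.sha256(data).digest()


def leaf_hash(a: bytes) -> bytes:
    # Prefix 0x00 separates leaves from inner nodes (added hardening, not from the paper).
    return h_coll(b"\x00" + a)


def node_hash(x: bytes, y: bytes) -> bytes:
    # Children are placed in lexicographic order before hashing, so the path
    # needs no left/right bits and therefore carries no index information.
    lo, hi = (x, y) if x <= y else (y, x)
    return h_coll(b"\x01" + lo + hi)


def merkle_tree(elements):
    """MerkleTree(A) -> (root, tree); tree[0] is the leaf level, tree[-1] the root."""
    n = len(elements)
    if n < 2 or n & (n - 1):
        raise ValueError("need 2^k elements with k >= 1")
    level = [leaf_hash(a) for a in elements]
    tree = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return level[0], tree


def path(tree, index):
    """Path(tree, I) -> (p_1, ..., p_k): the sibling hash at every level."""
    if not 0 <= index < len(tree[0]):
        raise IndexError("index outside the ring")
    siblings = []
    for level in tree[:-1]:
        siblings.append(level[index ^ 1])  # sibling differs in the lowest bit
        index >>= 1                        # move to the parent
    return siblings


def rec_root(a: bytes, siblings) -> bytes:
    """RecRoot(a, path) -> root, recomputed without knowing the index of a."""
    node = leaf_hash(a)
    for sib in siblings:
        node = node_hash(node, sib)
    return node


def path_bytes(ring_size: int) -> int:
    """Bytes needed for one path: k = log2(N) hashes."""
    return (ring_size.bit_length() - 1) * HASH_BYTES


# Constructed sample input: eight placeholder commitments C_1..C_8.
SAMPLE_RING = [f"commitment-{j}".encode() for j in range(8)]

if __name__ == "__main__":
    root, tree = merkle_tree(SAMPLE_RING)
    p = path(tree, 5)
    print("root       :", root.hex())
    print("path length:", len(p), "hashes")
    print("member ok  :", rec_root(SAMPLE_RING[5], p) == root)
    print("forged ok  :", rec_root(b"not-in-ring", p) == root)
    for n in (8, 512):
        print(f"N={n}: one path costs {path_bytes(n)} bytes")
```

Swapping two sibling leaves leaves both the root and the path unchanged, which is the property the verifier relies on when it checks membership without learning the signer's position.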

3.6. Seed Tree

Let us first define a pseudorandom generator $\mathsf{Expand}: \{0,1\}^{\lambda + \log_2(M-1)} \to \{0,1\}^{2\lambda}$ for any $\lambda, M \in \mathbb{N}$ and instantiate it as a random oracle. We build a complete binary tree with $\lambda$-bit seed values by splitting $\mathsf{Expand}(seed \,\|\, d)$ into two halves, where the left (right) half is the left (right) child node and $d$ is the unique identifier of its parent node. Such a binary tree is called a seed tree. It can generate many pseudorandom values; in addition, when any subset is chosen for exposure, it is guaranteed not to reveal information about the undisclosed values. Below, we provide details on the four algorithms related to the seed tree, as shown in Table 2.
  • Seedtree$^{\mathcal{O}}(seed_{root}, M) \to \{leaf_i\}_{i \in [M]}$: This algorithm inputs a root seed $seed_{root}$ and an integer $M \in \mathbb{N}$. It generates a complete binary tree with $M$ leaf nodes using $\mathcal{O}(\mathsf{Expand} \,\|\, seed_d \,\|\, d)$ and outputs the leaf values.
  • Release$^{\mathcal{O}}(seed_{root}, c) \to seeds_{internal}$: This algorithm inputs a root seed $seed_{root}$ and challenge $c \in \{0,1\}^M$, then outputs a list $seeds_{internal}$, where the seeds correspond to $c_i = 1$.
  • RecLeaves$^{\mathcal{O}}(seeds_{internal}, c) \to \{leaf_i\}_{c_i = 1}$: This algorithm inputs a list $seeds_{internal}$ and challenge $c \in \{0,1\}^M$, then recovers the $\{leaf_i\}_{c_i = 1}$ as outputs.
  • SimulateSeeds$^{\mathcal{O}}(c) \to seeds_{internal}$: The algorithm inputs challenge $c \in \{0,1\}^M$, which is used to identify the set of leaf nodes $c_i = 1$. Then, for each of these leaf nodes, a seed is randomly selected from the set. Finally, the algorithm outputs the set of these seeds, referred to as $seeds_{internal}$.
In simple terms, a seed tree is a binary tree structure built from random values. On the one hand, it generates the random values required by schemes, while on the other, it enables the distribution or routing of challenge values in zero-knowledge protocols.
Here, we briefly state the lemma that RecLeaves$^{\mathcal{O}}$ and SimulateSeeds$^{\mathcal{O}}$ produce the same leaf values. In short, SimulateSeeds$^{\mathcal{O}}$ can prove that from the view of someone who only knows $seeds_{internal}$ and $c$, all the leaves with index $i$ that have $c_i = 0$ are indistinguishable from uniformly random values. For an adversary $\mathcal{A}$ who queries the random oracle $Q$ times, the advantage in distinguishing the distributions of leaves and $seeds_{internal}$ generated by RecLeaves$^{\mathcal{O}}$ and SimulateSeeds$^{\mathcal{O}}$ is only $Q/2^{\lambda}$. For details, see [32].
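The following added example, which is not code from the paper, implements Seedtree, Release and RecLeaves for a power-of-two $M$. It assumes SHA-256 as the Expand oracle with $\lambda = 128$, heap numbering of the nodes as the identifier $d$, and a constructed root seed and challenge; `cover` and `descend` are hypothetical helper names.

```python
import hashlib

SEED_BYTES = 16  # lambda = 128 bits (assumed parameter)


def expand(seed: bytes, d: int, salt: bytes = b""):
    """Expand(seed || d) -> two lambda-bit halves; SHA-256 models the random oracle."""
    out = hashlib.sha256(salt + seed + d.to_bytes(4, "big")).digest()
    return out[:SEED_BYTES], out[SEED_BYTES:]


def check_size(m: int) -> None:
    if m < 2 or m & (m - 1):
        raise ValueError("this sketch supports M = 2^k leaves with k >= 1")


def descend(seed: bytes, node: int, m: int, salt: bytes, leaves: dict) -> None:
    """Derive all leaves below `node` (root is node 1, leaves are nodes m..2m-1)."""
    if node >= m:
        leaves[node - m] = seed
        return
    left, right = expand(seed, node, salt)
    descend(left, 2 * node, m, salt, leaves)
    descend(right, 2 * node + 1, m, salt, leaves)


def seed_tree(seed_root: bytes, m: int, salt: bytes = b""):
    """Seedtree(seed_root, M) -> [leaf_0, ..., leaf_{M-1}]."""
    check_size(m)
    leaves = {}
    descend(seed_root, 1, m, salt, leaves)
    return [leaves[i] for i in range(m)]


def cover(c):
    """Highest nodes whose subtree contains only leaves with c_i = 1."""
    m = len(c)
    check_size(m)
    full = [False] * (2 * m)
    for i, bit in enumerate(c):
        full[m + i] = bit == 1
    for node in range(m - 1, 0, -1):
        full[node] = full[2 * node] and full[2 * node + 1]
    return [n for n in range(1, 2 * m) if full[n] and (n == 1 or not full[n // 2])]


def release(seed_root: bytes, c, salt: bytes = b""):
    """Release(seed_root, c) -> seeds_internal: one seed per node in cover(c)."""
    m = len(c)
    nodes = cover(c)
    seeds = {1: seed_root}
    for node in range(1, m):
        seeds[2 * node], seeds[2 * node + 1] = expand(seeds[node], node, salt)
    return [seeds[n] for n in nodes]


def rec_leaves(seeds_internal, c, salt: bytes = b""):
    """RecLeaves(seeds_internal, c) -> {i: leaf_i} for every i with c_i = 1."""
    nodes = cover(c)
    if len(nodes) != len(seeds_internal):
        raise ValueError("seed list does not match the challenge")
    leaves = {}
    for node, seed in zip(nodes, seeds_internal):
        descend(seed, node, len(c), salt, leaves)
    return leaves


# Constructed sample input: a fixed root seed and an 8-bit challenge.
SAMPLE_ROOT = bytes(range(SEED_BYTES))
SAMPLE_CHALLENGE = [1, 1, 1, 1, 0, 1, 1, 0]

if __name__ == "__main__":
    all_leaves = seed_tree(SAMPLE_ROOT, len(SAMPLE_CHALLENGE))
    released = release(SAMPLE_ROOT, SAMPLE_CHALLENGE)
    recovered = rec_leaves(released, SAMPLE_CHALLENGE)
    print("nodes released :", cover(SAMPLE_CHALLENGE))
    print("seeds sent     :", len(released), "for", len(recovered), "opened leaves")
    print("leaves match   :", all(recovered[i] == all_leaves[i] for i in recovered))
    print("hidden indices :", [i for i, b in enumerate(SAMPLE_CHALLENGE) if b == 0])
```

For the sample challenge, three seeds are enough to open six leaves, and neither of the two unopened leaves can be derived from them because every released node lies outside their ancestor chains.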

4. Constructions

4.1. Setup

The system chooses λ and n as the system parameters, where n = 2 k . q = 1 mod 2 n is a prime number. Here, β and s are two parameters that satisfy β = 1.17 q / 2 n and s = 0.585 / π q ln ( 2 + 2 η ) , where η = 2 λ / 2 n . In addition, N , M , K are all integers and satisfy M > λ as well as M K 2 λ . H 0 : { 0 , 1 } R q and H F S : { 0 , 1 } { 0 , 1 } M randomly select a polynomial h R q . Finally, the public parameter p p : = { q , β , s , M , K , h , H 0 , H F S }

4.2. Key Generation

  • The KGC utilizes the algorithm TrapGen NTRU ( 1 λ , 1 n ) to generate a master public key h R q and master secret key B f , g Z q 2 n × 2 n .
  • The user enters their identity ID, then the KGC runs SamplePre ( B f , g , s , ( H 0 ( I D ) , 0 ) ) to generate s I D = ( s i 1 , s i 2 ) T , where s i 1 , s i 2 R q and satisfies H 0 ( I D ) = s i 1 + h s i 2 , s I D s 2 n .
  • The user randomly selects two small secrets s i 1 , s i 2 R q . Let p I D = s i 1 + h s i 2 and s I D = ( s i 1 , s i 2 ) .
  • At this point, the user’s public key is ( p I D , I D ) and their private key is S K = ( s I D , s I D ) .

4.3. Signing Algorithm

Let the ring $R$ be composed of $N$ users, where each user has an identity $ID_j$ with an index $j$ (where $j \in [N]$); $ID_J$ is the signer and $\mu \in \{0,1\}^{*}$ is a signing message. Additionally, the scheme employs $M$ iterations to ensure unforgeability, as shown in Algorithm 1.
  • Randomly sample a $salt$ and a seed $seed_{root}$ from $\{0,1\}^{2\lambda}$ and $\{0,1\}^{\lambda}$, respectively.
  • Call Seedtree$^{\mathcal{O}}(seed_{root}, salt, M)$ to compute $(seed_1, \ldots, seed_M)$.
  • Call Expand$(seed_i)$ to obtain a set of randomness $(y_{i1}, \ldots, y_{i4}, r_{i1}, \ldots, r_{iN})$, where $r_{ij} \in \{0,1\}^{\lambda}$, $j \in [N]$.
  • $com = (salt, root_1, \ldots, root_M)$ are generated through the following steps:
    Compute $w_{j1} = y_{i1} + h y_{i2} + H_0(ID_j)$.
    Compute $w_{j2} = y_{i3} + h y_{i4} + p_{ID}$.
    Call Com$(w_{j1} \,\|\, w_{j2} \,\|\, r_{ij})$ to compute $C_j$, where Com is an algorithm for hiding commitment.
    Call Merkletree$(C_1, \ldots, C_j, \ldots, C_N)$ to compute $(root_i, tree_i)$.
  • Compute the commitments $com = (salt, root_1, \ldots, root_M)$.
  • Compute the challenge value $chall$ with $H_{FS}(\mu, R, com) = (c_1, \ldots, c_M) \in \{0,1\}^M$. There are only two types of challenges, $c_i = 0$ and $c_i = 1$; here, they are processed in batches. The processing steps are as follows:
    For c i = 0 , compute z i 1 = ( y i 1 + s i 1 , y i 2 + s i 2 ) and z i 2 = ( y i 3 + s i 1 , y i 4 + s i 2 ) . Call Path = ( t r e e i , I D J ) to obtain p a t h i and let rsp i = ( z i 1 , z i 2 , p a t h i , r i j ) .
    For $c_i = 1$, let $rsp_i = seed_i$.
  • Call Release$^{\mathcal{O}}(seed_{root}, chall, salt)$ to compute $seeds_{internal}$.
  • Let $rsp = (seeds_{internal}, rsp_{c_i = 0})$.
  • The signature $\sigma = (salt, chall, rsp)$.

4.4. Verification Algorithm

After receiving the signature, the verifier needs to analyze the signature, as shown in Algorithm 2.
  • Call RecCom ( R , s a l t , c h a l l , r s p ) to recover c o m = ( s a l t , r o o t 1 , , r o o t M ) .
  • Call RecLeaves O ( s e e d s i n t e r n a l , c ) to recover r s p c i = 1 .
    For c i = 0 , use r s p i = ( z i , p a t h i , b ) to compute w j 1 = y i 1 + h y i 2 + s i 1 + h s i 2 , w j 2 = y i 3 + h y i 4 + s i 1 + h s i 2 , C i = Com ( w j 1 | | w j 2 | | r i j ) , and r o o t = RecRoot ( C i , p a t h i ) . If r o o t i = r o o t i , then the output is “accept”; otherwise, the output is “reject”.
    For c i = 1 , compute the corresponding r o o t from s e e d i in r s p . If r o o t i = r o o t i , then return “accept”.

5. Security Analysis

A certificateless ring signature needs to fulfill the three basic properties: correctness, anonymity, and unforgeability. In particular, in the case of unforgeability, it needs to be proved against both an external adversary and an internal adversary, respectively. The difference between the two adversaries is shown in Table 3. Finally, potential security problems that the scheme may encounter are described, mainly side-channel attacks and forward security problems.

5.1. Basic Security Properties Analysis

Theorem 1.
The NTRU-CRS scheme is correct.
Proof. 
According to the signature algorithm, if the signature is valid, then
w j 1 = y i 1 + h y i 2 + H 0 ( I D j ) = y i 1 + h y i 2 + s i 1 + h s i 2 = w j 1 ,
w j 2 = y i 3 + h y i 4 + p I D = y i 3 + h y i 4 + s i 1 + h s i 2 = w j 2 .
From the above, it is clear that C i = C i generated by ( w j 1 | | w j 2 ) and ( w j 1 | | w j 2 ) ; thus, r o o t i = r o o t i holds. Our scheme is correct. □
Theorem 2.
Under the assumption that NTRU-SIS is hard, H F S ( · ) is collision-resistant, our scheme is anonymous in the ROM.
Proof. 
Anonymity is proved by a game between A and C . The distribution of the two signatures is statistically indistinguishable for A . Then, our scheme is anonymous.
Setup phase. The challenger C completes the following setup based on the inputs λ and n along with the number of ring members N.
  • Determining the ring R = ( I D 1 , I D 2 , , I D N ) .
  • Generating the related public parameters p p : = { q , β , s , M , K , H 0 , h } using the Setup algorithm, where H 0 is a collision-resistant hash function.
  • Calling TrapGen NTRU ( 1 λ , 1 n ) to generate the master public key MPK and secret key MSK.
The challenger C makes the p p and MPK open, while the MSK is kept secret.
Query phase. The adversary A can make adaptive inquiries about the following random oracles:
  • Corruption query: The adversary A enters the user identity I D j R , then the challenger C computes H 0 ( I D j ) and randomly chooses two small-size secrets s i 1 , s i 2 R q to compute s i 1 + h s i 2 . In addition, C uses SamplePre to compute H 0 ( I D j ) = s i 1 + h s i 2 , then returns S K to A and stores I D j into L c o .
  • H F S challenge oracle query: The adversary A first asks C for the challenge of ( μ , R , c o m ) , then the challenger C first searches the list L H F S = ( μ , R , c o m , c h a l l ) and returns it to A if it exists. Otherwise, C randomly selects a challenge value from the challenge space, returns it to A , and stores it in L H F S .
  • Signing query: The adversary A inquires about identity I D j (a message μ under ring R { I D 1 , , I D N } such that I D j R ). If σ exists, then the challenger C checks L s i g = ( μ , R , σ ) to return σ ; otherwise, C computes the corresponding private key S K and calls the H F S challenge oracle query to generate the signature with the signing algorithm, returns σ , and stores it in L s i g = ( μ , R , σ ) .
Challenge phase. The adversary A submits a message μ , a ring R , and two identities I D j 0 , I D j 1 R to the challenger C . Then, C randomly selects b { 0 , 1 } to generate the corresponding signature σ R ( μ ) = ( s a l t , c h a l l , r s p ) using the signature algorithm.
Guess phase. The adversary A outputs their guess of b { 0 , 1 } .
Analysis. For $c_i = 0$, the signature is divided into three parts, where $salt$ is a random number and $chall$ is a string of 0,1 bits. Both are indistinguishable to the adversary $\mathcal{A}$ as to whether the signer is $b$ or $1 - b$. Here, $r_{ij}$ is also a random number in $rsp$, and the remaining $y$ and $z$ are statistically indistinguishable under the effect of rejection sampling [33]. Finally, from Lemma 2.10 in [32], $path$ relies only on the distribution, and the adversary cannot obtain any information about the user’s index. For $c_i = 1$, the signature is $seed_{internal}$ at this point, and it follows from Lemma 2.11 in [32] that the adversary $\mathcal{A}$ distinguishes between the $seed_{internal}$ generated by SimulateSeeds and Release with probability only $Q/2^{\lambda}$. In summary, our scheme is anonymous. □
Theorem 3.
Under the assumption that NTRU-SIS is hard, H 0 ( · ) and H F S ( · ) are CRHFs, our scheme is unforgeable in the ROM (Type 1).
Proof. 
We utilize an interactive game between A 1 and C for the proof of unforgeability. We emphasize that unforgeability is under an adaptive chosen-message-and-identity attack (EUF-IDRS-CMIA). The adversary A 1 is an external attacker who can perform a public key replacement attack. After obtaining an N T R U S I S q , n , 2 s 2 n instance related to a polynomial h R q , the challenger C aims to output two non-zero small polynomials ( u , v ) R q 2 that satisfy u + v h = 0 mod q , ( u , v ) 2 s 2 n . Suppose that the adversary A 1 can output a forgery with a non-negligible probability ϵ ; then, the challenger C can break the NTRU-SIS problem with a non-negligible probability ϵ . The game is described as follows:
Setup phase. The challenger C first receives an instance h and runs Setup to generate p p : = { q , β , s , M , K , h } , embeds h into M P K as M P K = h , and sends p p and M P K to the adversary A 1 .
Query phase. The adversary A 1 can make adaptive inquiries about the following random oracles.
  • H 0 query: The adversary A 1 inquires about identity I D j and the challenger C checks the 3-tuples list L H 0 = ( I D , s I D , H 0 ( I D ) ) . If exists, they return H 0 ( I D j ) to A 1 . Otherwise, C randomly chooses two small-size polynomials ( s i 1 , s i 2 ) R q 2 and computes H 0 ( I D ) = s i 1 + h s i 2 and ( s i 1 , s i 2 ) s 2 n , returns H 0 ( I D j ) to A 1 , and finally stores ( I D , s I D , H 0 ( I D ) ) in the list L H 0 , where s I D = ( s i 1 , s i 2 ) .
  • Register query: When adversary A 1 inquires about identity I D j , the challenger C first checks the 3-tuples list L c = ( I D , s I D , p I D ) . If it exists, they return ( p I D , I D ) ; otherwise, C randomly chooses two small-size secret values s i 1 , s i 2 R q and computes p I D = s i 1 + h s i 2 . Finally, they store ( I D , s I D , p I D ) and return ( p I D , I D ) to the adversary A 1 . This query can only be made at most N times.
  • Partial-Private-Key query: The adversary A 1 inquires about identity I D j and the challenger C checks L H 0 for the partial private key s I D . If it does not exist, they respond by calling oracle H 0 . This query can only be made at most q c times.
  • Public-Key-Replacement query: The adversary A 1 provides I D j and a new public key p I D j , then C searches for the public key corresponding to the I D j and replaces it by p I D j . The challenger C records this replacement by adding them to L R = ( I D , p I D , p I D ) . This query can only be made at most N q c times.
  • H F S query: The adversary A 1 inquires about the challenge of ( μ , R , c o m ) , then C searches for the four-tuples list L H F S = ( μ , R , c o m , c h a l l ) . If c h a l l exists, it is returned to A 1 . Otherwise, C randomly selects a challenge from the challenge space, returns it to A 1 , and stores it in L H F S . The query can be queried at most q f times.
  • Signing query: The adversary A 1 inquires about identity I D j , a message μ under ring R { I D 1 , , I D N } such that I D j R . If the signature exists, then the challenger C checks L s i g = ( μ , R , σ ) and returns it. Otherwise, C checks L c = ( I D , s I D , p I D ) and L H 0 = ( I D , s I D , H 0 ( I D ) ) to generate the signature with the signing algorithm, returns σ , and stores it in L s i g = ( μ , R , σ ) . If the corresponding private key is not found in the two lists, then the corresponding oracle is called. Note that I D j L R .
Forgery Phase. Through a series of queries, the adversary $A_1$ generates a valid forgery $(\mu, R, \sigma)$ about I D R . This forgery must be verified and must satisfy the following three conditions:
  • $\sigma$ is a valid signature.
  • The adversary $A_1$ did not query the partial private key of any member of $R$, and no public key in $R$ was replaced.
  • The forgery $\sigma$ does not appear in the signing query.
Analysis. Assume that the probability that the adversary succeeds in forging a signature is ϵ and that the probability of the challenger $C$ solving N T R U S I S q , n , 2 s 2 n by taking advantage of adversary $A_1$’s ability is ϵ .
From the forking lemma [34], it follows that two valid signatures ( μ , R , σ ) and ( μ , R , σ ) are output by $A_1$ with probability ϵ ¯ = ϵ · ( ϵ q 2 M ) , where R = R , μ = μ , c o m = c o m but c h a l l c h a l l . Because $y_i$ is a random number, we have
w j 1 w j 1 = s i 1 s i 1 + h ( s i 2 s i 2 ) = 0 .
The case for w j 2 and w j 2 is similar. In addition, $rsp$ can be extracted only when all $chall$ are 0 with probability ( 1 ( 3 / 4 ) M ) . Because ( s I D , s I D ) 2 s 2 n , the challenger $C$ solves the N T R U S I S q , n , 2 s 2 n problem with a probability of
ϵ ϵ ¯ · ( 1 ( 3 / 4 ) M ) = ϵ · ( ϵ q f 2 M ) · ( 1 ( 3 / 4 ) M ) .
If ϵ is non-negligible, then ϵ is non-negligible. However, N T R U S I S q , n , 2 s 2 n is hard, which contradicts this. Thus, our scheme is unforgeable for adversary $A_1$. □
Theorem 4.
Under the assumption that NTRU-SIS is hard and that $H_0(\cdot)$ and $H_{FS}(\cdot)$ are CRHFs, our scheme is unforgeable in the ROM (Type 2).
Proof. 
Here, adversary $A_2$ is an internal attacker that has the MSK and can compute a part of any user’s private key. In general, the adversary here simulates a malicious KGC. Similar to the above, the challenger $C$ finds a set of polynomials ( u , v ) R q 2 that satisfies $u + vh = 0 \bmod q$ to break NTRU-SIS with probability ϵ by utilizing an adversary $A_2$ that can output a forgery with probability ϵ . The game is as follows:
Setup phase. Suppose that the challenger $C$ receives an NTRU-SIS instance related to $h$, runs Setup and TrapGen to generate $pp := \{q, \beta, s, M, K\}$ and $(MSK, MPK)$, then sends $pp$ and $MSK$ to the adversary.
Query phase. The adversary $A_2$ can make adaptive inquiries about the following random oracles.
  • $H_0$ query: The adversary $A_2$ inquires about identity $ID_j$, then the challenger $C$ checks the 3-tuples list $L_{H_0} = (ID, s_{ID}, H_0(ID))$. If an entry exists, they return $H_0(ID_j)$ to $A_2$; otherwise, $C$ uses SamplePre to generate $s_{ID}$, stores $(ID, s_{ID}, H_0(ID))$, and returns $H_0(ID)$.
  • Register query: The adversary $A_2$ inquires about identity $ID_j$ and the challenger $C$ checks the 3-tuples list $L_c = (ID, s_{ID}, p_{ID})$. If an entry exists, they return $(p_{ID}, ID)$; otherwise, $C$ randomly chooses two small-size secret values s i 1 , s i 2 R q and computes $s_{i1} + h s_{i2}$, then stores $(ID, s_{ID}, p_{ID})$ and returns $(p_{ID}, ID)$ to the adversary $A_2$.
  • Partial-Private-Key query: The adversary $A_2$ can use the master private key to compute anyone’s partial private key.
  • Public-Key-Replacement query: This is the same query as for adversary $A_1$.
  • $H_{FS}$ query: The adversary $A_2$ asks for a challenge about $(\mu, R, com)$, then $C$ searches list $L_{H_{FS}} = (\mu, R, com, chall)$ and returns $chall$ if it exists. Otherwise, $C$ randomly selects a challenge from the challenge space and stores it in list $L_{H_{FS}}$ while returning it to $A_2$. This query can be made at most $q_f$ times.
  • Signing query: The same query as for adversary $A_1$.
Forgery Phase. Eventually, the adversary $A_2$ outputs a forgery $(\mu, R, \sigma)$ about I D R , which must satisfy the following:
  • $\sigma$ is a valid signature.
  • The adversary $A_2$ cannot ask for anyone’s secret value in $R$.
  • The adversary $A_2$ cannot replace users’ public keys in $R$.
  • The forgery $\sigma$ does not appear in the signing query.
Analysis. For the adversary $A_2$, consistent with the analysis for adversary $A_1$, the forging is still based on the forking lemma. We have
w j 2 w j 2 = s i 1 s i 1 + h ( s i 2 s i 2 ) = 0 .
Meanwhile, the probability of the challenger $C$ solving the NTRU-SIS problem is
ϵ ϵ ¯ · ( 1 ( 3 / 4 ) M ) = ϵ · ( 1 q f 2 M ) · ( 1 ( 3 / 4 ) M ) .
If ϵ is non-negligible, then ϵ is non-negligible. However, N T R U S I S q , n , 2 s 2 n is hard, which contradicts this. Thus, our scheme is unforgeable for adversary $A_2$. □

5.2. Potential Security Threats

1. Regarding side-channel attacks, the security of NTRU-CRS is based on the hardness of NTRU-SIS. If a side-channel attack could extract private keys, then this attack could be leveraged to construct a corresponding algorithm that solves the NTRU-SIS problem. This directly contradicts the assumed hardness of NTRU-SIS, thereby demonstrating the scheme’s inherent resistance to such attacks.
  • The use of temporary random numbers (e.g., $salt$, $seed_{root}$) and dynamically generated commitments (via Merkle and seed trees) during the signature process reduces the direct exposure of long-term keys. Even if some of the random numbers are captured through a side channel, it is difficult for an adversary to reuse the leaked information to forge historical or future signatures due to the independence of the random parameters for each signature.
  • When generating signature responses (e.g., $z_{i1}$, $z_{i2}$), the use of rejection sampling ensures that the output distribution is statistically indistinguishable from random noise, reducing the possibility of recovering the private key through side-channel analysis.
2. Regarding forward security, the security reduction of NTRU-SIS to the shortest vector problem (SVP) on lattices ensures that even adversaries equipped with quantum computing capabilities cannot efficiently break the forward security, as solving the SVP under quantum algorithms remains computationally infeasible. In addition to this, the tools in the scheme can also address forward security problems.
  • During the signature process, independent random numbers (e.g., $salt$, $seed_{root}$) are generated each time, and these parameters are bound to the message and ring members to ensure the uniqueness of each signature. Even if the long-term private key is compromised, an adversary cannot reconstruct the random numbers required for historical signatures.
  • The Merkle tree generates $com$ and $path$, which ensure that each signed commitment is independent and cannot be tampered with. Even if an attacker obtains part of the private key, it cannot forge the historical commitments.
  • The random numbers generated by the seed tree ensure that the random numbers in each signature phase are independent. Even if some of the seeds are compromised, the unexposed seeds remain safe, thereby protecting historical signatures.
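The seed-tree mechanics behind the last bullet, as an added Python example (not the authors' implementation): Release hands out only the internal seeds that cover leaves with $c_i = 1$, and RecLeaves re-derives exactly those leaves, following the Seedtree/Release/RecLeaves interface of Table 2. SHAKE-256 as the expansion function, the heap node numbering, the explicit salt argument, and the sample seed_root, salt and challenge are assumptions of this example.

```python
import hashlib

LAMBDA_BYTES = 168 // 8          # lambda = 168 bits (Section 6)


def expand(salt, seed, node):
    """Derive the two child seeds of `node`; SHAKE-256 is an assumed PRG."""
    data = salt + seed + node.to_bytes(4, "big")
    out = hashlib.shake_256(data).digest(2 * LAMBDA_BYTES)
    return out[:LAMBDA_BYTES], out[LAMBDA_BYTES:]


def _shape(M):
    if M < 1:
        raise ValueError("need at least one leaf")
    depth = (M - 1).bit_length()
    return depth, 1 << depth     # tree depth, heap index of leaf 0


def all_nodes(seed_root, salt, M):
    """Every seed in the tree, heap-numbered: root = 1, children 2i and 2i+1."""
    _, first = _shape(M)
    nodes = {1: seed_root}
    for i in range(1, first):
        nodes[2 * i], nodes[2 * i + 1] = expand(salt, nodes[i], i)
    return nodes


def seed_tree(seed_root, salt, M):
    """Seedtree(seed_root, M) -> the M leaf seeds."""
    _, first = _shape(M)
    nodes = all_nodes(seed_root, salt, M)
    return [nodes[first + j] for j in range(M)]


def cover(c):
    """Heap indices of the maximal subtrees whose leaves all have c_i = 1.

    Padding leaves (index >= len(c)) count as c_i = 0 and are never released.
    """
    _, first = _shape(len(c))
    ok = {first + j: j < len(c) and c[j] == 1 for j in range(first)}
    for i in range(first - 1, 0, -1):
        ok[i] = ok[2 * i] and ok[2 * i + 1]
    return [i for i in sorted(ok) if ok[i] and (i == 1 or not ok[i // 2])]


def release(seed_root, salt, c):
    """Release(seed_root, c) -> seeds_internal, the seeds at the cover nodes."""
    nodes = all_nodes(seed_root, salt, len(c))
    return [nodes[i] for i in cover(c)]


def rec_leaves(seeds_internal, salt, c):
    """RecLeaves(seeds_internal, c) -> {i: leaf_i} for exactly the i with c_i = 1."""
    _, first = _shape(len(c))
    idx = cover(c)
    if len(idx) != len(seeds_internal):
        raise ValueError("seed count does not match challenge")
    leaves, stack = {}, list(zip(idx, seeds_internal))
    while stack:
        i, s = stack.pop()
        if i >= first:
            leaves[i - first] = s
        else:
            left, right = expand(salt, s, i)
            stack += [(2 * i, left), (2 * i + 1, right)]
    return leaves


def demo(M=1749, K=16):
    # Constructed inputs: fixed seed_root and salt, K hidden positions (c_i = 0).
    seed_root = hashlib.shake_256(b"constructed seed_root").digest(LAMBDA_BYTES)
    salt = hashlib.shake_256(b"constructed salt").digest(2 * LAMBDA_BYTES)
    hidden = {(109 * i + 5) % M for i in range(K)}
    c = [0 if j in hidden else 1 for j in range(M)]
    leaves = seed_tree(seed_root, salt, M)
    released = release(seed_root, salt, c)
    recovered = rec_leaves(released, salt, c)
    return leaves, c, released, recovered
```

With $M = 1749$ and $K = 16$ hidden positions, the 1733 opened leaf seeds are conveyed by at most $(K + 1) \cdot 11$ released seeds, and none of the released values equals a hidden leaf seed.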

6. Efficiency and Comparison

We have selected five similar works for comparison. Among these five works, refs. [35,36] use identity-based signatures, while [16,17,18] use certificateless ring signatures. For a better multidimensional comparison, we compare them in terms of private keys, signature sizes, types of signature sizes, signature cryptosystems, and hardness assumptions. In Table 4, SK and Sig denote the private key and signature sizes. Except for [18], the related works have linear-size signatures. In terms of hardness assumptions, NTRU-SIS is the most common.
For a more intuitive comparison, we summarize the parameters in the different references in Table 5, where we add the parameters. In [18], $m = 8030$, while in our scheme $M = 1749$, $K = 16$, and $\lambda = 168$. In order to better compare the communication overhead and time overhead of different schemes with the same security, we refer to [35] when choosing $n$. According to [30], the calculated root Hermite factor is less than 1.007; thus NTRU-CRS has a security level of at least 80 bits.
In Table 6, we provide the signature sizes and private key sizes for different schemes under different numbers of ring members $N$. Some of the data are taken from the references; others have been estimated. Our scheme has a large size relative to other schemes for $N = 8$, while with $N = 64$ it becomes the shortest among all schemes. This is because our signature size grows only as $\log N$ in the number of ring members $N$. As the number of ring members increases by a multiple of 2, the size of our scheme increases by only 1–2 KB. In terms of private key size, ours has the smallest private key size due to the chosen parameters and the NTRU lattice.
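The source of the $\log N$ term can be checked directly. The following Python code is an added example, not the authors' implementation: it builds a Merkle tree with the MerkleTree/Path/RecRoot interface of Table 1 and evaluates the Table 4 size formula with the parameters given in this section and in Table 5. SHAKE-256 as the hash, sorted child hashing (so that RecRoot needs no leaf index), the power-of-two ring size, and the sample commitments are assumptions of this example.

```python
import hashlib

LAMBDA = 168                       # security parameter lambda (Section 6)
DIGEST_BYTES = 2 * LAMBDA // 8     # each tree node is a 2*lambda-bit hash


def H(data):
    """2*lambda-bit hash; SHAKE-256 is an assumption of this example."""
    return hashlib.shake_256(data).digest(DIGEST_BYTES)


def node(a, b):
    """Hash two children in sorted order, so a path carries no left/right bits."""
    lo, hi = sorted((a, b))
    return H(b"\x01" + lo + hi)


def merkle_tree(leaves):
    """MerkleTree(A) -> (root, tree); tree[0] is the level of leaf hashes."""
    if not leaves or len(leaves) & (len(leaves) - 1):
        raise ValueError("number of leaves must be a power of two")
    level = [H(b"\x00" + a) for a in leaves]
    tree = [level]
    while len(level) > 1:
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        tree.append(level)
    return tree[-1][0], tree


def path(tree, index):
    """Path(tree, I) -> sibling hashes from the leaf level up to below the root."""
    out = []
    for level in tree[:-1]:
        out.append(level[index ^ 1])
        index >>= 1
    return out


def rec_root(a, sibling_path):
    """RecRoot(a, path) -> root recomputed from one leaf and its path."""
    h = H(b"\x00" + a)
    for sib in sibling_path:
        h = node(h, sib)
    return h


def signature_bits(N, M=1749, K=16, lam=LAMBDA, n=256, log_q=23):
    """Table 4, this work: M + (M+2)*lam + K*(2*n*log q + 2*lam*log N)."""
    log_n = (N - 1).bit_length()   # exact log2 for power-of-two N
    return M + (M + 2) * lam + K * (2 * n * log_q + 2 * lam * log_n)


def signature_kb(N):
    return signature_bits(N) / 8 / 1024


def signing_key_kb(n=256, log_q=23):
    """Table 4, this work: SK = 2*n*log q bits."""
    return 2 * n * log_q / 8 / 1024


def demo(N=64):
    # Constructed sample input: N dummy ring-member commitments.
    leaves = [b"commitment-%d" % i for i in range(N)]
    root, tree = merkle_tree(leaves)
    signer = 37 % N
    p = path(tree, signer)
    return {
        "path_len": len(p),
        "path_bits": len(p) * 8 * DIGEST_BYTES,
        "verifies": rec_root(leaves[signer], p) == root,
        "wrong_leaf_verifies": rec_root(b"not-in-ring", p) == root,
    }
```

The formula reproduces the "This work" row of Table 6 to within 0.02 KB, and each doubling of $N$ adds one $2\lambda$-bit hash to each of the $K$ paths.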
In Figure 3, it can be seen that when N is small, there is no significant size difference in the remaining schemes except for [18]. It uses a ring signature of constant size, which is advantageous only for rings of a particular size. The remaining schemes grow in size as N increases. However, the line for our scheme is almost parallel to the x-axis, which indicates that there is no significant increase in its size. When N reaches 512, it has the best size among all the schemes.
The experimental environment consisted of a Windows 10 operating system environment with a 12th Gen Intel(R) Core(TM) i5-12400F @ 2.50 GHz CPU and 8.00 GB of RAM, implemented using Python 3.6. Table 7 lists the time consumption of different operations in the signature and verification algorithms. For the seed tree-related algorithms in the scheme, most involve sorting operations, and their time overhead is considered negligible. In the Merkle tree, the algorithms are solely composed of hash functions, and their computational costs are grouped into the hash function time calculations.
Table 8 compares the signing time overhead of NTRU-CRS with the schemes from [35,36]. For the small ring, the signing time of NTRU-CRS is significantly shorter than that of [35] while remaining closely comparable to [36]. When the number of ring members increases to 128, NTRU-CRS achieves nearly twice the efficiency of the best comparison scheme. The computational cost of NTRU-CRS in the signing algorithm is primarily concentrated in commitment generation and Merkle tree structure.
Table 9 compares the verification time overhead. Because NTRU-CRS calculates two values during the signing algorithm, it requires two verification steps during the validation phase. This results in verification efficiency for NTRU-CRS that is nearly identical to the other two schemes.
Figure 4 shows a graph comparing the respective signing times and verification times. Regarding signing time overhead, NTRU-CRS does not show a significant advantage when N is small; however, as N increases, our scheme gradually demonstrates superior signing efficiency. For the verification algorithm, all three compared schemes exhibit nearly identical performance. Considering the combined advantages in terms of both time and communication overhead, NTRU-CRS maintains strong efficiency while preserving security.

7. Application

In an e-voting system, anonymity and unforgeability are critically important. To ensure the fairness of voting and prevent candidates from bribing or coercing voters, it is essential to maintain the confidentiality of voters’ identities. Unforgeability is also vital to preventing collusion between voters and candidates to fabricate ballots, which could ultimately manipulate the voting outcome.
From a system feasibility perspective, NTRU-CRS exhibits a logarithmic advantage in size, enabling it to maintain low communication overhead even when N is large. In terms of time consumption, our scheme demonstrates a significant advantage in signing time, while its verification time remains comparable to similar schemes. Therefore, the proposed electronic voting system offers distinct advantages in both time and communication overhead, striking an optimal balance between efficiency and scalability.
As shown in Figure 5, the anonymous voting system based on our certificateless ring signature consists of six parts: the Registrar, Votes, Ring, Verifier, Counters, and Bulletin Board. The workflow of the system is shown below.
First, voters submit their identities (ID or mobile phone number) to the registrar. The registrar uses the IDs to generate partial private keys. In addition, the voters generate their partial private keys. When the voters cast their votes, they request their partial private keys from the registrar and transmit them securely. After obtaining the two parts of the private keys (which are combined to form the complete private key), the voters use their complete private keys to vote on behalf of the entire ring. At this point, there is no way for the counters and verifier to know who signed, only that it is the signature of a ring member. After receiving all the ballots, the verifier verifies all the votes to ensure that all votes are valid and were cast by their voters. Finally, the counters tally the results and publish them on the bulletin board.

8. Conclusions

The certificateless ring signature scheme on the NTRU lattice proposed in this paper is well-suited for anonymous e-voting systems. We provide strict security proofs under the random oracle model based on the NTRU-SIS hardness assumption, which not only guarantees the anonymity of voters but also protects against forgery of signatures by both external and internal attackers. In terms of efficiency, there is no need to manage certificates, making it more efficient and flexible. In particular, the signature size is logarithmically related to the number of ring members. When the number of ring members is small, it will be larger than the general certificateless ring signature; however, when N is large enough, the signature size grows very little, making it ideal for large voting systems.

9. Future Work

Although innovative in its efficiency, the NTRU-CRS scheme proposed in this paper still has many shortcomings in various aspects of the current rapid iteration of lattice cryptography that are waiting to be optimized by scholars.
  • Construction of a blockchain-based voting system utilizing NTRU-CRS: Compared with NTRU-CRS, blockchain technology enables distributed nodes to collectively maintain voting records, thereby eliminating centralized vote-counting authorities and preventing single-point tampering or manipulation. Each voting record is packaged into blocks as transactions, with consensus mechanisms used to ensure data consistency. Considering blockchain’s technological maturity, its implementation offers greater convenience and efficiency, enabling the practical deployment of a decentralized and high-efficiency anonymous voting system.
  • Enhancing the functional capabilities of NTRU-CRS: The current scheme lacks functional extensions; potential improvements could address challenges in diverse application scenarios by incorporating features such as linkability, traceability, and others to elevate its practical utility.
  • Improving resistance to side-channel attacks through RAM isolation, masking techniques, etc.

Author Contributions

Conceptualization, W.G. and T.F.; methodology, W.G., S.R., and T.F.; software, S.J. and S.R.; validation, W.G., X.D., and Z.Z.; formal analysis, W.G., T.F., and S.R.; investigation, W.G.; resources, W.G. and X.D.; writing—original draft preparation, W.G., T.F., and S.J.; writing—review and editing, W.G., T.F., S.R., and S.J.; visualization, X.D.; supervision, Z.Z.; project administration, Z.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This work is supported by the National Natural Science Foundation of China under Grant Nos. 62002288, 62372370, and 62102299, the Key Research and Development Program of Shaanxi (No. 2023-YBGY-015), the Henan Key Laboratory of Network Cryptography Technology (No. LNCT2022-A05), and the Youth Innovation Team of Shaanxi Universities (No. 23JP160).

Data Availability Statement

The original contributions presented in the study are included in the article; further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

Nomenclature

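| Symbol | Meaning |
|---|---|
| $\mathbb{Z}$ | set of integers |
| $\mathbb{N}$ | set of natural numbers |
| $q, n$ | positive integers |
| $\mathbb{Z}_q$ | the ring of integers modulo $q$ |
| $R_q$ | $\mathbb{Z}[X]/(q, X^n + 1)$ |
| $A, B$ | matrices |
| $O$ | the random oracle |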

References

  1. Chaum, D.L. Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 1981, 24, 84–90.
  2. Fujioka, A.; Okamoto, T.; Ohta, K. A practical secret voting scheme for large scale elections. In Proceedings of the Advances in Cryptology—AUSCRYPT’92: Workshop on the Theory and Application of Cryptographic Techniques, Gold Coast, Queensland, Australia, 13–16 December 1992; Proceedings 3. Springer: Berlin/Heidelberg, Germany, 1993; pp. 244–251.
  3. Cong, Q.R.; Hu, J.C. E-elections based on elliptic curve blind digital signature. Jisuanji Gongcheng/Comput. Eng. 2010, 36, 156–158.
  4. Rivest, R.L.; Shamir, A.; Tauman, Y. How to leak a secret. In Proceedings of the Advances in Cryptology—ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 9–13 December 2001; Proceedings 7. Springer: Berlin/Heidelberg, Germany, 2001; pp. 552–565.
  5. Shor, P.W. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134.
  6. Nguyen, T.N.; Ta, A.T.; Le, H.Q.; Duong, D.H.; Susilo, W.; Guo, F.; Fukushima, K.; Kiyomoto, S. Efficient unique ring signatures from lattices. In Proceedings of the European Symposium on Research in Computer Security; Springer: Berlin/Heidelberg, Germany, 2022; pp. 447–466.
  7. Wen, J.; Bai, L.; Yang, Z.; Zhang, H.; Wang, H.; He, D. LaRRS: Lattice-based revocable ring signature and its application for VANETs. IEEE Trans. Veh. Technol. 2023, 73, 739–753.
  8. Ye, Q.; Lang, Y.; Guo, H.; Tang, Y. Efficient lattice-based traceable ring signature scheme with its application in blockchain. Inf. Sci. 2023, 648, 119536.
  9. Chen, X.; Xu, S.; Gao, S.; Guo, Y.; Yiu, S.M.; Xiao, B. FS-LLRS: Lattice-based linkable ring signature with forward security for cloud-assisted electronic medical records. IEEE Trans. Inf. Forensics Secur. 2024, 19, 8875–8891.
  10. Hoffstein, J. NTRU: A Ring Based Public Key Cryptosystem. In Proceedings of the International Algorithmic Number Theory Symposium (Ants III); Springer: Berlin/Heidelberg, Germany, 1998.
  11. Shamir, A. Identity-based cryptosystems and signature schemes. In Proceedings of the Advances in Cryptology: Proceedings of CRYPTO 84 4; Springer: Berlin/Heidelberg, Germany, 1985; pp. 47–53.
  12. Zhang, F.; Kim, K. ID-based blind signature and ring signature from pairings. In Proceedings of the Advances in Cryptology—ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Proceedings 8. Springer: Berlin/Heidelberg, Germany, 2002; pp. 533–547.
  13. Al-Riyami, S.S.; Paterson, K.G. Certificateless public key cryptography. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2003; pp. 452–473.
  14. Deng, L.; Shi, H.; Gao, Y. Certificateless linkable ring signature scheme. IEEE Access 2020, 8, 54641–54651.
  15. Bouakkaz, S.; Semchedine, F. A certificateless ring signature scheme with batch verification for applications in VANET. J. Inf. Secur. Appl. 2020, 55, 102669.
  16. Zhang, M.; Chen, X. A Post-quantum Certificateless Ring Signature Scheme for Privacy-Preserving of Blockchain Sharing Economy. In Proceedings of the Artificial Intelligence and Security: 7th International Conference, ICAIS 2021, Dublin, Ireland, 19–23 July 2021; Proceedings, Part II 7. Springer: Berlin/Heidelberg, Germany, 2021; pp. 265–278.
  17. Yu, H.; Hui, W. Certificateless ring signature from NTRU lattice for electronic voting. J. Inf. Secur. Appl. 2023, 75, 103496.
  18. Dong, S.; Zhou, Y.; Yang, Y.; Yao, Y. A certificateless ring signature scheme based on lattice. Concurr. Comput. Pract. Exp. 2022, 34, e7385.
  19. Yum, D.H.; Lee, P.J. Generic construction of certificateless signature. In Proceedings of the Australasian Conference on Information Security and Privacy; Springer: Berlin/Heidelberg, Germany, 2004; pp. 200–211.
  20. Chow, S.S.; Yap, W.S. Certificateless Ring Signatures. 2007. Available online: https://www.google.com.hk/url?sa=t&source=web&rct=j&opi=89978449&url=https://eprint.iacr.org/2007/236.pdf&ved=2ahUKEwjsk86qjKyMAxWigP0HHSPIM1AQFnoECBoQAQ&usg=AOvVaw1BPOQoNyVaqe0zPhO_miiK (accessed on 25 March 2025).
  21. Chang, S.; Wong, D.S.; Mu, Y.; Zhang, Z. Certificateless threshold ring signature. Inf. Sci. 2009, 179, 3685–3696.
  22. Deng, L. Certificateless ring signature based on RSA problem and DL problem. RAIRO-Theor. Inform. Appl. Inform. Théorique Appl. 2015, 49, 307–318.
  23. Zhang, L.; Zhang, F.; Wu, W. A provably secure ring signature scheme in certificateless cryptography. In Proceedings of the Provable Security: First International Conference, ProvSec 2007, Wollongong, Australia, 1–2 November 2007; Proceedings 1. Springer: Berlin/Heidelberg, Germany, 2007; pp. 103–121.
  24. Wang, H.; Han, S. A provably secure threshold ring signature scheme in certificateless cryptography. In Proceedings of the 2010 International Conference of Information Science and Management Engineering, Shaanxi, China, 7–8 August 2010; Volume 1, pp. 105–108.
  25. Zhang, Y.; Zeng, J.; Li, W.; Zhu, H. A certificateless ring signature scheme with high efficiency in the random oracle model. Math. Probl. Eng. 2017, 2017, 7696858.
  26. Tian, M.; Huang, L. Certificateless and certificate-based signatures from lattices. Secur. Commun. Networks 2015, 8, 1575–1586.
  27. Xie, J.; Hu, Y.; Gao, J.; Gao, W.; Jiang, M. Efficient certificateless signature scheme on NTRU lattice. KSII Trans. Internet Inf. Syst. (TIIS) 2016, 10, 5190–5208.
  28. Zhang, Y.; Duan, P.; Li, C.; Zhang, H.; Ahmad, H. Preserving Privacy of Internet of Things Network with Certificateless Ring Signature. Sensors 2025, 25, 1321.
  29. Stehlé, D.; Steinfeld, R. Making NTRU as secure as worst-case problems over ideal lattices. In Proceedings of the Advances in Cryptology–EUROCRYPT 2011: 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, 15–19 May 2011; Proceedings 30. Springer: Berlin/Heidelberg, Germany, 2011; pp. 27–47.
  30. Ducas, L.; Lyubashevsky, V.; Prest, T. Efficient identity-based encryption over NTRU lattices. In Proceedings of the Advances in Cryptology–ASIACRYPT 2014: 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, 7–11 December 2014; Proceedings, Part II 20. Springer: Berlin/Heidelberg, Germany, 2014; pp. 22–41.
  31. Merkle, R.C. A digital signature based on a conventional encryption function. In Proceedings of the Conference on the Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1987; pp. 369–378.
  32. Beullens, W.; Katsumata, S.; Pintore, F. Calamari and Falafl: Logarithmic (linkable) ring signatures from isogenies and lattices. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security; Springer: Berlin/Heidelberg, Germany, 2020; pp. 464–492.
  33. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2012; pp. 738–755.
  34. Bellare, M.; Neven, G. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 390–399.
  35. Ye, Q.; Wang, M.; Meng, H.; Xia, F.; Yan, X. Efficient Linkable Ring Signature Scheme over NTRU Lattice with Unconditional Anonymity. Comput. Intell. Neurosci. 2022, 2022, 8431874.
  36. Tang, Y.; Xia, F.; Ye, Q.; Wang, M.; Mu, R.; Zhang, X. Identity-Based Linkable Ring Signature on NTRU Lattice. Secur. Commun. Netw. 2021, 2021, 9992414.
Figure 1. Differences between CRS and IBRS for SK generation.
Figure 2. Path of the Merkle tree.
Figure 3. Signature size comparison [17,18,35,36].
Figure 4. Comparison of time [35,36].
Figure 5. Certificateless ring signature in an anonymous e-voting system.

Table 1. Related algorithms (Merkle tree).

| Algorithm | Input | Output |
|---|---|---|
| MerkleTree | $A$ | root, tree |
| Path | tree, $I$ | path |
| RecRoot | $a$, path | root |


Table 2. Related algorithms (seed tree).

| Algorithm | Input | Output |
|---|---|---|
| Seedtree$^{O}$ | $seed_{root}$, $M$ | $leaf_i$ |
| Release$^{O}$ | $seed_{root}$, $c$ | $seeds_{internal}$ |
| RecLeaves$^{O}$ | $seed_{internal}$, $c$ | $leaf_i$ ($c_i = 1$) |
| SimulateSeeds$^{O}$ | $c$ | $seeds_{internal}$ |


Table 3. Comparison of different adversaries.

| Type of Adversary | Type 1 | Type 2 |
|---|---|---|
| Replacement of public key | Yes | No |
| Knowing MSK | No | Yes |
| Attack target | Signature forgery through replacement attacks | Signature forgery with MSK |
| Simulated object | External adversary | Malicious KGC |


Table 4. Comparison of schemes.

| Schemes | SK | Sig | Growth | Certificateless | Assumptions |
|---|---|---|---|---|---|
| [35] | $n \log q$ | $(2N + 1) n \log q$ | linear | No | NTRU-SIS |
| [18] | $m k \log q$ | $(2 + n) m \log q$ | constant | Yes | SIS |
| [16] | $m n \log q$ | $(N m + n) \log q$ | linear | Yes | SIS |
| [36] | $4 n \log q$ | $(2N + 1) n \log q$ | linear | No | NTRU-SIS |
| [17] | $2 n \log q$ | $(2N + 1) n \log q$ | linear | Yes | R-SIS |
| This work | $2 n \log q$ | $M + (M + 2)\lambda + K(2 n \log q + 2 \lambda \log N)$ | logarithmic | Yes | NTRU-SIS |


Table 5. Parameters.

| Scheme | $n$ | $q$ |
|---|---|---|
| [35] | 256 | $2^{32}$ |
| [18] | 125 | 7377 |
| [36] | 256 | $2^{32}$ |
| [17] | 256 | $2^{26}$ |
| This work | 256 | $2^{23}$ |


Table 6. Comparison of storage overhead (KB).

| Scheme | Signature, $N = 8$ | Signature, $N = 64$ | Signature, $N = 128$ | Signature, $N = 512$ | Signing Key | Security Level |
|---|---|---|---|---|---|---|
| [35] | 18.53 | 140.61 | 280.13 | 1117.25 | 2.18 | 80 bits |
| [18] | 1599.63 | 1599.63 | 1599.63 | 1599.63 | 2517.21 | |
| [36] | 38.71 | 339.27 | 675.91 | 2695.75 | 10.52 | 80 bits |
| [17] | 13.81 | 104.81 | 208.81 | 832.81 | 1.62 | |
| This work | 61.08 | 63.05 | 63.71 | 65.02 | 1.43 | >80 bits |


Table 7. Comparison of operation time (μs).

| Operation | Description | Operation Time |
|---|---|---|
| $T_H$ | hash function time | 50.60 |
| $T_P$ | matrix or vector addition time | 1.20 |
| $T_M$ | matrix or vector multiplication time | 123.4 |


Table 8. Comparison of signature time (ms).

| Scheme | Signature Time, $N = 8$ | $N = 128$ | $N = 512$ | $N = 2048$ |
|---|---|---|---|---|
| [35] | 10.36 | 109.04 | 364.53 | 1367.06 |
| [36] | 2.14 | 75.26 | 261.02 | 1012.7 |
| This work | 3.39 | 45.23 | 180.71 | 722.61 |


Table 9. Comparison of verification time (ms).

| Scheme | Verification Time, $N = 8$ | $N = 128$ | $N = 512$ | $N = 2048$ |
|---|---|---|---|---|
| [35] | 4.63 | 49.81 | 162.53 | 622.34 |
| [36] | 0.74 | 49.92 | 162.72 | 622.56 |
| This work | 6.96 | 49.49 | 185.07 | 623.44 |

MDPI and ACS Style

Gao, W.; Fu, T.; Ren, S.; Jin, S.; Dong, X.; Zhao, Z. Logarithmic NTRU-Based Certificateless Ring Signature in E-Voting Applications. Electronics 2025, 14, 1358. https://doi.org/10.3390/electronics14071358
