Forward-Secure Linkable Ring Signatures from Bilinear Maps

We present the first linkable ring signature scheme with both unconditional anonymity and forward-secure key update: a powerful tool which has direct applications in elegantly addressing a number of simultaneous constraints in remote electronic voting. We propose a comprehensive security model, and construct a scheme based on the hardness of finding discrete logarithms, and (for forward security) inverting bilinear or multilinear maps of moderate degree to match the time granularity of forward security. We prove efficient security reductions—which, of independent interest, apply to, and are much tighter than, linkable ring signatures without forward security, thereby vastly improving the provable security of these legacy schemes. If efficient multilinear maps should ever admit a secure realisation, our contribution would elegantly address a number of problems heretofore unsolved in the important application of (multi-election) practical Internet voting. Even if multilinear maps are never obtained, our minimal two-epoch construction instantiated from bilinear maps can be combinatorially boosted to synthesise a polynomial time granularity, which would be sufficient for Internet voting and more.


Introduction
Ring signatures, and especially linkable ring signatures, garner much interest in the applied cryptographic community for their promise to simplify certain aspects of the notoriously hard problem of remote electronic voting, which has conflicting and often frustrating security requirements.In particular, linkability [1] or the closely related notion of traceability [2], make it easy to detect when the same signer has signed twice on the same matter, thereby preventing double spending in an electronic cash system, double voting in the same election.This, when combined with the anonymity properties of ring signatures, provides a secure mechanism to validate votes without breaking privacy.This paper is an extended version of our work in [3].
However, thus far, these signatures have not assisted in simultaneously resolving two critical issues in electronic voting.These two issues are: (1) how to register voters; and (2) how to ensure the voters' long term privacy.Indeed, at present, most proposed electronic voting schemes use cryptography which is likely to allow adversaries to break the privacy of the voters at some point in the future.
To address these issues, an offline key update mechanism would allow the potentially costly registration of a voter's public key to happen once, whereafter the corresponding private key can be refreshed or updated multiple times, efficiently and non-interactively, for use in subsequent elections.In this context, forward security refers to the notion that the leakage or compromise of an updated private key will not compromise one's privacy in a past election-or let an attacker forge signatures ostensibly in the past, which could be linked to real votes.For practical electoral systems in particular, it is important that the public-key update mechanism be efficient and non-interactive.The ideal public-key update is the identity function, or "no-op."The private-key update serves to provide forward security to protect old elections against future data exposure and compromises.
The related but different notion of unconditional anonymity refers to the inability, even by a computationally unbounded attacker, to identify a signer without knowledge of their private key.This notion is important to protect the voter against future increases in computational power (or cryptanalytic attacks, or quantum computers), once they have destroyed their private key after it is no longer needed.Together with linkability, these features make substantially easier the task of designing a secure and useable remote election protocol.Our forward-secure linkable ring signature scheme, when dropped into a number of existing election protocols, directly results in a straightforward and secure electronic voting solution without the cumbersome and procedurally risky steps that would normally be necessary to manage a dedicated key for each election.The additional improvements we detail in this extended version mean that, in many cases, the new scheme would also be more efficient.
Unfortunately-as often with the contradictory requirements of voting-it is easy to convince oneself that anonymity can only hold unconditionally if no authentic private key for the relevant signing ring is ever leaked, not even after having been updated.Indeed, if an adversary knows a voter's authentic private key, he can always trivially deanonymise their current and future votes using the linkability feature.The same is true for past votes if a past private key can be recovered, by brute force or by breaking a hardness assumption, from a current key.It is an interesting area of future research to see if a key update mechanism, perhaps context dependent, could be developed which would prevent the discovery of past private keys from future keys even for a computationally unbounded adversary.However, such a mechanism would seem to have too many interesting applications to not have been discovered already, unless it were highly non-trivial.In light of this, we deliberately choose to focus on the problem of achieving unconditional anonymity against outsiders, but only computational forward security against insiders in the sense of unforgeability and anonymity after key update.

Our Results
We present the first linkable ring signature with unconditional anonymity and forward-secure key update, which is a tool that enables significantly more simple and secure remote electronic voting, even within the framework of existing electronic voting protocols, and opens the door to a number of simplified general anonymous authentication protocols for online systems.
To achieve our result, we construct a linkable ring signature from unconditionally hiding commitments, and make sparing use of a bilinear pairing or multilinear map [4,5] to lift it to multiple time periods or "epochs".Without forward security or key update, our results are inspired by the linkable ring scheme from [1]-which we incidentally vastly improve via much tighter security reductions.(The original linkable ring signatures of Liu et al. [1,6] had proofs with losses exponential in the number of users, due to nested use of the forking lemma [7] on Pedersen commitments [8] in the random-oracle model.Our updated proofs and reductions are independent of the number of users, thanks to a single consolidated use of the forking lemma, and the same techniques directly apply to their construction.) To get forward security, we build from an l-multilinear map an O(k l )-time one-way private-key update mechanism which requires no public-key update-for some choice of k.We prove the scheme information-theoretically anonymous, and its other security properties from Discrete Logarithm and two multilinear-map hardness assumptions-one of which amounts to a natural generalisation of the neo-classic Multilinear Decoding Problem [4] and the other is a natural generalisation of Decisional Diffie-Hellman.Notably, a mere 2-linear map (also known as bilinear pairing) already gives us forward security for O(k 2 ) time periods.
This extended paper expands on our original [3] in numerous ways.The main new technical contribution is a new combinatorial trick which allows us to gain a quadratic number of time periods from bilinear maps.This is accompanied by updated and improved definitions and proofs.The updated definitions increase the adversary's powers, to better model insider attacks in particular.We have also taken advantage of the increased space available to provide more detailed discussion, including complexity analysis.

Related Work
Group signatures were introduced by Chaum et al. [9].They allow the members of a group to generate signatures which can only be verified as emanating from one authorised signer within that group, with the additional property that the signature can be "opened" to reveal the true signer.The ability to open a signature is an important requirement in certain managed applications, but presents an unacceptable privacy loophole in the context of electronic voting.(In the UK, there is a requirement that a judge be able to order a voter's ballot revealed.Group signatures would be perfect for such subtle voter intimidation, although Continentals would of course disapprove.) Ring signatures are a variation of group signatures which allow neither pre-authorisation of keys nor deanonymisation of signatures, and hence, do not have those privacy issues.Ring signatures were first presented by Rivest et al. [10] as a way to leak secrets anonymously.Rivest et al.'s initial suggested application was the leaking of information by a cabinet minister.Their scheme also had the nice property that the keys involved could belong to different public key schemes, which made setup very flexible.Since then, many variants have been proposed to suit a large number of applications.For elections, double voting is a major issue which vanilla ring signatures are not readily able to rectify.Linkable ring signatures [6] and traceable ring signatures [2] have been proposed as a way to address this issue.Nevertheless, neither of [2,6] or their variants provides forward security; hence, in a voting application they would require impractically frequent re-registration of new keys to ensure acceptable levels of privacy.
Subsequent notable results in that area include Liu et al. [1], who presented a linkable ring signature with unconditional anonymity, but still without forward security.Our scheme addresses this shortcoming, by providing an offline (non-interactive) private-key-update mechanism with forward security (as well as much improved security reduction tightness over the previous schemes).There are also emerging variants based on cryptographic accumulators as well as post-quantum variants.

Multilinear Maps
Following the blockbuster impact of bilinear maps on cryptography, the question of using multilinear maps for cryptographic applications was first studied at a theoretical level by Boneh and Silverberg [11].Nearly a decade later, Garg et al. [4] proposed the first practical candidate construction, based on lattice problems.There have since been several additional candidates from lattice-and number-based assumptions, as well as attacks and repair attempts [5,[12][13][14][15], with the side of the "offence" presently having the upper hand.
Generally speaking, multilinear maps are useful in allowing more complicated structures in cryptographic constructions.For instance, Diffie-Hellman key exchange in a group supports two parities, with a bilinear map three parties, but on an l-linear map would support l parties.The added structure also allows new techniques to be used which have no equivalence on bilinear maps or standard groups.
Our basic scheme relies on a multilinear generalisation of the Discrete Logarithm problem, which is a weaker assumption than the myriad of Diffie-Hellman variants and extensions typically found in cryptographic constructions based on bilinear or multilinear maps.Our combinatorially boosted version relies on natural generalisations of Computational and Decisional Diffie-Hellman.However, it should be noted that there are no currently unbroken candidates for multilinear maps, and hence the construction in this work is currently only realisable with bilinear pairings.
Our vastly improved security reductions for this class of unconditionally anonymous linkable ring signature scheme with or without forward security still apply, although, providing substantial improvements to the concrete security of [1,6].We discuss in Section 3.2 the major issues at hand regarding the known multilinear-map candidate constructions.

Voting Systems
In the world of election systems research, the recent Helios [16] protocol is, perhaps, the best known secure Internet voting scheme.It has seen a significant variety of expansions and applications [17,18], but one of its shortcomings is that the voters have to place (too) much trust on the election authority.Our linkable ring signature construction would fit nicely within the Helios protocol to enable powerful anonymous authentication and achieve privacy against the election authority, a property which is not achieved by most implementations of Helios.(In its standardised version [19], Helios relies on a mixnet technique to distribute the election authority's ability to deanonymise.Even for Helios implementations that use this technique, the ability to enforce anonymity in the authentication mechanism itself would provide stronger privacy guarantees.)More generally, and beyond election systems, our new signature scheme can be used as a general rate-limited (rate limitation in the context of authentication refers to an intentional bound on the number of uses, typically one, that can be made of a credential on a given target) anonymous authentication system with forward secrecy and information-theoretic privacy.

Definitions
A forward secure linkable ring signature (FS-LRS) scheme is a tuple of three probabilistic polynomial time algorithms (Setup, KeyGen, and Sign) and four deterministic polynomial time algorithms (Verify, Link, PubKeyUpd, and PriKeyUpd).(Our definitions are fairly direct forward-secure variants of Liu et al. [ We stress that in our current definitions PubKeyUpd and PriKeyUpd are deterministic functions.While it is interesting to consider systems where these functions might be randomised, this would need to be carefully considered.We are particularly concerned that randomised functions might severely limit the applications in which the signatures could be deployed.

Correctness Notions
To be functional, an FS-LRS scheme must satisfy the following:

•
Verification correctness: Signatures signed correctly will verify.

•
Updating correctness: For any time period of the system, the secret key derived from the private-key update function will create a valid signature on a ring, verifiable using the public key derived using the public-key update.
• Linking correctness: Two honestly created signatures on the same event and time period will link if and only if they have the same signer.(This is implied by the two security notions of linkability and non-slanderability; see below.)

Security Model
Security of FS-LRS has five aspects: unconditional anonymity, linkability, non-slanderability, forward-secure unforgeability, and forward-secure anonymity.(Ideally, we would be able to achieve forward-secure unconditional anonymity, and hence combine the first and last security properties.However, intuitively this property appears to be too strong to be achievable.)

Reflections
In our initial paper, we presented our definitions following fairly directly from Liu et al. in [1].In this paper, we have made a few changes; primarily, we have strengthened the adversary's powers in the anonymity definitions.We have also modified the signing oracle to allow the adversary access to genuine signatures where the adversary does not know who the signer is.This is to better reflect the real adversary's powers in electronic voting.We note that our definitions and reductions are strictly stronger and tighter than Liu et al.
If a forward-secure linkable ring signature could be developed with much stronger privacy than any present solution, this would dramatically simply the security definitions.However, at present it is difficult to write definitions which closely match the expected level of security without being overly verbose.For instance, Liu et al.'s definition of privacy does not provide the adversary with access to genuine signatures, other than the challenge.In any deployed scheme, the adversary would having access to such signatures and hence the model clearly fails to capture reality.However, Liu et al.'s scheme appears to have a minimal loss of privacy under a differential privacy attack.This case highlights both the inadequacies of the model and the strength of the scheme.In summary, we believe our definitions capture well the intuitive definition of security; nevertheless, it is an interesting area of future research to present a scheme with stronger privacy that allows the simplification of the security model.

Oracles
The following oracles model the ability of the adversary to break the scheme: The Joining Oracle, upon request, adds a new user to the system, and returns the public key pk of the new user at the time t.• sk i,t ←CO(pk i , t).The Corruption Oracle, on input a previously joined public key pk i , returns the matching secret key sk i at the time t.• σ ←SO(event, n, pk t , pk Π , M, t).The Signing Oracle, on input an event-id event, a group size n, a set pk t of n public keys, a set of public keys of possible signers pk Π ⊂ pk t , a message M, and a time t, returns a valid signature σ .
We omit the time and user subscripts t, i when clear from context.In particular, our public key does not undergo updating, so pk t will be independent of t.

•
h ←H(x).The Random Oracle, on input x, returns h independently and uniformly at random.If an x is repeated, the same h will be returned again.

Unconditional Anonymity
It should not be possible for an adversary A to tell the public key of the signer with a probability larger than 1/n , where n is the number of uncorrupted keys in the ring, even if the adversary has unlimited computing resources.Specifically, FS-LRS unconditional anonymity is defined in a game between a challenger C and an unbounded adversary A with access to J O, SO, CO: 1. C generates and gives A the system parameters param.2. A may query J O,SO, and CO according to any adaptive strategy.3. A gives C an event-id e, a time t, a group size n, a set of pk t of n public keys such that all of the public keys in pk t are query outputs of J O and no key in pk t has been input to SO in a set which was not a superset of pk t , a message M, and a time t.Parsing the set pk t as {pk 1 , ..., pk n }, C picks π ∈ {1, ..., n} uniformly from the uncorrupted subset and computes σ π = Sign(e, n, pk t , sk π , M, t), where sk π is a valid private key corresponding to pk π at time t.The signature σ π is given to A. 4. A outputs a guess π ∈ {1, ..., n}.

We denote the adversary's advantage by Adv
Definition 1. Unconditional Anonymity.An FS-LRS scheme is unconditionally anonymous if, for all unbounded adversaries A, Adv Anon A (λ) is zero.

Linkability
It should be infeasible for the same signer to generate two signatures for the same event and time, such that they are determined to be unlinked.Linkability for an FS-LRS scheme is defined in a game between a challenger C and an adversary A with access to oracles J O, CO, SO and H: 1. C generates and gives A the system parameters param.2. A may query the oracles according to any adaptive strategy.3. A gives C an event-id event, a time t, two sets pk t 1 , pk t 2 of public keys of sizes n 1 , n 2 , two messages M 1 , M 2 , and two signatures σ 1 , σ 2 .
A wins the game if: • All of the public keys in pk t i are query outputs of J O; • Verify(event, n i , pk t i , M i , σ i ,t) = accept for σ 1 , σ 2 not outputs of SO; • At most one query has been made to CO; and • Link(σ 1 , σ 2 ) = unlinked.
We denote the adversary's advantage as Adv Link A (λ) = Pr[A wins the game].
Definition 2. Linkability.An FS-LRS scheme is linkable if for all Probabilistic Polynomial-Time (PPT) adversaries A, Adv Link A (λ) is negligible.

Non-Slanderability
Non-slanderability ensures that no signer can generate a signature which is determined to be linked with another signature not generated by the signer.FS-LRS non-slanderabilty is defined in a game between a challenger C and an adversary A with access to the oracles J O, CO, SO and H: 1. C generates and gives A the system parameters param.2. A may query the oracles according to any adaptive strategy.3. A gives C an event-id event, a time t, a group size n, a message M, a set of n public keys pk t , and the public key of an insider pk π ∈ pk t .C uses the private key sk π correspoing to pk π to run Sign(event, n, pk t , sk π , M, t) and to produce a signature σ given to A. 4. A queries oracles adaptively.In particular, A is allowed to query any public key which is not pk π to CO. Definition 3. Non-slanderabilty.An FS-LRS scheme is non-slanderable if for any PPT adversaries A, 2.2.6.Forward-Secure Unforgeability Forward-secure unforgeability ensures that it is not feasible for an adversary with a private key for a time period strictly greater than t to create valid signatures for any period less than or equal to t. Forward-secure unforgeability is defined in the following game between a challenger C and an adversary A given access to the oracles J O, CO, SO and H:

Forward-Secure Anonymity
Forward-secure anonymity ensures that it is not feasible for an adversary with a private key for a time period strictly greater than t to de-anonymise signatures for any time period less than or equal to t. Forward-secure anonymity is defined in a game between a challenger C and an adversary A given access to oracles J O, CO, and SO and the random oracle: 1. C generates and gives A the system parameters param.2. A may query the oracles according to any adaptive strategy.

Multilinear Maps
Since multilinear maps can be naturally presented as a generalisation of bilinear maps, and conversely bilinear maps as a concrete case of multilinear maps, we present the rest of our work using the the following multilinear map notation.
Our notation is similar to that used by Zhandry in [20].Let E be an l−linear map over additive cyclic groups [G] 1 , .., [G] l of prime order q, where [G] 0 = Z q and all [G] i for i = 1, ..., l are homomorphic to (Z q , +).Let [α] i denote the element α ∈ Z q raised to the level-i group [G] i , for i ∈ (0, .., l).Let α ∈ R [G] i denote the random sampling of an element in [G] i .We have access to efficient functions: The cryptographic security of multilinear maps requires, among other things, that multiplication within any [G] i be hard for i > 0.
We generalise the notation above and denote by

Multilinear Assumptions
The discrete log problem when stated using multilinear map notation is as follows: Definition 6 (Multilinear Discrete-log Problem (MDLP) [4]).For any PPT algorithm A, the probability This definition generalises to i-Decoding Problem (i-DP) to which the unforgability of our initial results reduced.Definition 7 (i-Decoding Problem (i-DP) [4]).For any PPT algorithm A, the probability Pr[A([δ] i ) = [δ] j ] is negligible, where j < i and δ ∈ R Z q .
A related assumption to i-Decoding Problem is the k-Sub-exponent Multilinear Decoding Problem (k-SMDP).We note in passing that a specific case of k-SMDP where k = 3 on a Bilinear pairing is the Bilinear Computational Diffie-Hellman Problem.Definition 8 (k-Sub-exponent Multilinear Decoding Problem.).For any PPT algorithm A, the probability Pr The adversary A is given access to an oracle HO which given [ w, q] 0 returns [a w i i ] q .A only wins if [∏ a e i i ] b * ∑ e i −1 cannot be trivially derived from any [a w i i ] q .
In our unforgeability-related reductions, we reduce to the (k, b)-Generalised Multilinear Decoding Problem for convenience and conciseness.Depending on the parameters with which our scheme was instantiated, this means the proof implies a reduction to one of the three specific cases: 1.If configured similar to Liu et al. [1], it reduces to MDLP. 2. If configured similar to our initial results, it reduces to i-DP. 3.If configured to exploit the combinatorial trick, it reduces to k-SMDP.
In the same way that the Discrete Log Problem is generalised to Multilinear Discrete Log Problem (MDLP), the Decisional Diffie-Hellman problem generalises to Multilinear Decisional Diffie-Hellman (MDDH) problem.Intuitively, given three group elements, it is infeasible to tell if one is the product of the others, provided that the sum of any two levels is greater than maximum allowed.
Definition 10 (Multilinear Decisional Diffie-Hellman Problem i-(MDDH)).For any PPT A, the distinguishing probability Pr The parallel to k-SMDP for anonymity is k-Sub-exponent Multilinear Decisional Diffie-Hellman.We, again, note in passing that a specific case of k-SMDDH where k = 3 on a Bilinear pairing is the Bilinear Decisional Diffie-Hellman Problem.* ∑ e i ≥ 1.The adversary A is given access to an oracle HO which given [ w, q] 0 returns [a w i i ] q .A only wins if [∏ a e i i ] b * ∑ e i −1 cannot be trivially derived from any [a w i i ] q .

Definition 11 (Sub-exponent Multilinear Decisional Diffie-Hellman Problem k-(SMDDH)). For any PPT A, the distinguishing probability Pr
In our forward-anonymity reduction, we reduce to the (k, b)-Generalised Sub-exponent Multilinear Decisional Diffie-Hellman Problem for convenience and conciseness.Depending on the parameters with which our scheme was instantiated, this means the proof implies a reduction to one of the three specific cases: 1.If configured similar to Liu et al. [1], it reduces to DDH. 2. If configured similar to our initial results, it reduces to i-MDDH.
3. If configured to exploit the combinatorial trick, it reduces to k-SMDDH.

Is Multilinearity Achievable?
Three major multilinear map candidates have been proposed in [4,14,15].Since their introduction, they have been the targets of many attacks, patches, and more attacks that remain unpatched.
One powerful class of attacks on multilinear maps are the so-called "zeroising" attacks; they run in polynomial time but require the availability of an encoding of zero in the lower levels of the multilinear ladder [4,21].There are also sub-exponential and quantum attacks [22][23][24].Further to this, recently Miles et al. introduced a class of "annihilation" attacks on multilinear maps [25].
There are reasons to believe that multilinear maps may be unrealisable.In particular, their near-equivalence to indistinguishability obfuscation [26]-an extremely powerful tool which in an even stronger variant is known not to exist [27]-is worrying.Furthermore, Boneh and Silverberg [11], in their original paper on applications of hypothetical multilinear maps, presented several results which cast doubt on the likeliness of multilinear maps' existence, and soberingly conclude that "such maps might have to either come from outside the realm of algebraic geometry, or occur as 'unnatural' computable maps arising from geometry." If multilinear maps fail to be repaired, bilinear maps still give us an efficient two-period FS-LRS scheme that can be combinatorially boosted to multiple periods.

Notation
For conciseness, we use a number of specific notations.We use a mod b to denote the remainder of a divided by b.Given two vectors of group elements of equal length a 1 and a 2 we will use a δ to refer to (a

Intuition
We now give the basic intuition of the scheme.We note that the first two paragraphs apply to almost all schemes following from Liu et al. [1].The formal details follow in Section 4.6.
To ensure unconditional anonymity in spite of linkability, a Pedersen commitment can provide unconditional hiding with computational binding of the private key in the public key.The Pedersen commitment uses a common reference string consisting of two elements [g] and [h] of unknown relation.The private key is a pair [x] and [y] whose commitment, [gx + hy] is the public key.A multilinear map can then raise and ratchet the private key at each time period, which provides forward security.
In the signature, we use the Fiat-Shamir heuristic on two knowledge-of-discrete-logarithm proofs, rolled into one.Using a topic specific value d, the signer proves firstly that they know x behind f = dx, and secondly that they know x and y such that gx + hy is one of the public keys.Random challenges c i serve as decoys for the other public keys.Since both the real challenge c and the decoy challenges c i are uniformly random, an adversary is unable to discern which party signed.This basic system, described above, is adapted with a combinatorial trick which, for a choice of k, leverages an l-linear map for ∑ l i=1 ( k+i−1 i ) time periods. (See our preliminary results in [3] for a clean presentation of the basic system with full details.We stress that the general system, presented here, implies the preliminary results but is more complicated in its presentation.)The value k ≥ 1 may be freely chosen but the public key and private key sizes are linear in k.

Explanation of Parameters
We wish to avoid presenting, and proving, the generalised version-based on the combinatorial trick-separately from our initial result.For this reason, the presentation that follows is deliberately abstract and parameterised so that both the general version and the original result are special cases.This is necessary since neither version is a special cases of the other.The abstract presentation also means that the proofs are the same for both.We parameterise on four inputs: 1.The multilinear map size l 2. The combinatorial constant k 3. The initial public key level b 4. The number of time periods T Our initial result in [3] is a special case of the following construction where k = 1 and b = l.The variant including the combinatorial trick is a special case where b = 1.To make the paper easier to read, we present a slightly simplified construction which requires that b is either 1 or l.We believe that the more general construction for an arbitrary choice of b ≤ l works but since it significantly complicates the presentation we omit the details.

Time t to Key Indices
The public key for a time period t is a particular multiplicative combination of public key vector.For instance, for the case of l = 2, k = 3, b = 1, the initial public key vector is . After the signer generates the initial private key vector, they store 0 for the length of the election, and temporally store [x 1 ] 0 , [x 2 ] 0 , [x 3 ] 0 .We call the vector stored for the length of the election the semi-private key vector since it need only be kept secret for unconditional anonymity but even if it where public, it would not allow an adversary to break privacy without breaking (k,b)-GMDDH.
To sign at time t, the signer needs the private key for that time and the semi-private key vector.The nine time periods have the following states, shown in Table 1.

Time Period Public Key Private Key
Private Store We denote PK(t ∈ T ) the function which when given a time period t returns the set of indices needed to generate public key for that time period.We denote the output of PK(t) as τ and the cardinality of τ as κ.This function is very easy to evaluate if the value for t − 1 is known, so in high-use situations it would be practical to remember the previous value and increment.However, if a more direct method is desirable, one possible implementation follows in Algorithm 1.

. Public Key Structure
When b = l, as in our original results, the public keys have a very simple structure.However, the public key in the extended version, for a time t and τ = PK(t), is of the form [∏ i∈τ Z i ] κ .For example, if τ = (1, 2), then the public key is [g 2 x 1 x 2 + gx 1 hy 2 + gx 2 hy 1 + h 2 y 1 y 2 ].To simply the presentation, we let KP(i, τ, x, y) = ∑ j∈( τ i )j ∈( τ/j k−i ) (∏ ι∈j x ι ∏ ι∈j y ι ).In the example above, KP(0, (1, 2), x, y) = y 1 y 2 , KP(1, (1, 2), x, y) = x 1 y 2 + x 2 y 1 and KP(2, (1, 2), x, y) = x 1 x 2 .The public key can be generated as ∑ κ i=0 g i h κ−i KP(i, τ, x, y).We sometimes just write KP(i), when τ, x, y are clear from context.Take as input: The multilinear map size l, the combinatorial constant k, the initial key level b, and the number of time periods T ≥ 1.It is required that bk+ ∑ l i=b+1 ( k+i−1 i ) ≥ T .Denote by t ∈ (0, 1, 2, ...,T −1) the current time period.Run a multilinear map setup algorithm to construct a bounded-level l-multilinear map and obtain its public parameters mmpp.Let H i denote the ith element in a family of hash functions H such that for the duration of the election and [ x] 0 temporarily.4.6.3.Sign(param, event, n, pk t , sk π , M, t) On input (event, n, pk t , sk π , M, t), with: event some description, n the ring size, pk = {pk 1 , ..., pk n } = {[ Z 1 ] b , ..., [ Z n ] b } the ring public keys, sk π the signer's secret key with public key pk π ∈ pk t (without loss of generality (w.l.o.g.) π ∈ [1, n]), M the message, and t the time period.The signer runs PK(t) and gets τ whose cardinality we denote κ, and generates the specific public keys The signer (holder of sk π = ([∏ j∈τ x j ] ν , ..., [∏ j∈τ y j ] 0 ) does the following: then check and output whether , two messages M 1 and M 2 , an event description event, and a time t, first check whether the two signatures are valid.If yes, output linked 4.6.6.Private-Key Update(param, sk t ) In a given time period t, to update the private key store for time period t + 1, run PK(t) and get τ.Let ν = κ + (T mod b) − 1. Remove ([∏ j∈τ x j ] ν from the private key store and, if ν < l. If b = 1, for all α ∈ (1, ..., τ κ ) add to the store [x α ∏ j∈τ x j ] ν+1 , else add to the store [∏ j∈τ x j ] ν+1 .(We note again that this can be done very efficiently incrementally but we present a more general approach).
If ν = l no update is required.
4.6.7.Public-Key Update(param, Z t ) The public key does not need to be updated in our scheme.

Space and Time Complexity
We briefly detail the complexity of the scheme when instantiated on bilinear maps.The complexity is parameterised over the size of the ring n and the number of time periods T .The complexity is shown in Table 2.The exact complexity of the signing and verifying algorithms depends on what optimisations are used, which in turn depends on the context of deployment, in all cases the constant is small.The table makes clear the main advantage of our construction; namely, that the key size is sublinear in the number of time periods which preserving the asymptotic complexity of singing and verifying.

Verification Correctness
For verification correctness, it suffices to show that the verification values K and K calculated by each party are the same.We denote by [K s ] and [K v ], K as calculated by the signer and verifier respectively; we adopt the same notation for K .The equations below show that For K: For K :

Linking Correctness
For a given event event, time t, and private key, the linking component , is completely deterministic.Since the linking component is deterministic, under the above conditions, given any two signatures a simple equality check on the linking component suffices.Conversely, for a given event event, time t, and two different private keys, the linking element will be different.(While it is possible for two different private keys to have the same public key, violating the assertion above, this would also break the Pedersen commitments and reveal the relationship between g and h.It is also possible for the hash function to collide.These events are assumed of negligible probability.)

Update Correctness
To simplify the presentation we present the argument for b= 1 and b = l separately.If b = l, the "effective" public key for the first l time periods will be [x 1 g + y 1 h] l and then [x 2 g + y 2 h] l for the next l and so on.At every time period, the signer must be able to calculate the private key ([x t/l ] t mod l , [y t/l ] 0 ).The private key update ensures the signer will always be able to generate private keys for the remaining "effective" public keys.First, notice that the signer always has [ y] 0 and that they start with [ x] 0 .Secondly, the private key update for a time t removes [x t/l ] t mod l from the private key store and, and adds to the store [x t/l ] (t mod l)+1 .
If b = 1, then the public keys are defined as a multiplicative combination of the initial public keys ([Z 1 ] 1 , ..., [Z k ] 1 ).Although the order in which the keys are used is optimised to reduce the private key size, the set of public keys for all time periods is composed of all the ways to choose k initial keys, with replacement, at level k for all k ∈ (1, ..., l); we denote these combinations by τ.For each public key denoted [∏ j∈τ Z j ] κ , the corresponding private key is ([∏ j∈τ x j ] ν , ..., [∏ j∈τ y j ] 0 ).To see that private key update ensures the signer will always be able to generate private key for the remaining public keys: First, notice that the signer always has [ y] 0 and that they start with [ x] 0 .Secondly, the private key update removes the current private key [∏ j∈τ x j ] ν from the private key store, and adds to the store [x α ∏ j∈τ x j ] ν+1 for α ∈ (1, ..., τ κ ).

Security
The proofs (other than the forward security ones) are similar to those of Liu et al. [1].Despite the structural similarities, all of our reductions are exponentially more efficient.
Theorem 1.The FS-LRS scheme is forward-secure against forgeries in the random-oracle model, if (k,b)-GMDP is hard.
Proof.We show that the ability of the adversary to make corruption queries at times later than t does not allow it to calculate the private key or forge signatures at time t, without breaking (k, b)-GMDP.

•
Random Oracles H i : For query input H 0 ("GENERATOR-g"), B returns [g] 0 .For query input H b ("GENERATOR-h"), B returns [h] b .For other queries, B randomly picks For the remaining indices it generates the public/private key pair as in the scheme.Upon the jth query, B returns the matching public key.
and sets the H 0 oracle output of B's simulation and real life.
For one successful simulation, suppose the forgery returned by A, on an event event, time t and a set of public keys pk t ∈ [1, ..., n], is In the random-oracle model, A must have queried H l−ν (t||event), denoted by [d] l−ν , and queried and [K ] l must be the same in both signatures since we rewind only to the point of random oracle query.In the rewound execution, we force a change in the H 0 oracle output to the query which determines ] ν .We demonstrate the correctness of the extraction, below, by showing that since [K] simultaneously satisfies two equations the correctness follows by simple algebraic manipulation and the format of the keys.

[K] = [K]
We begin by substituting [K] for the two equations it satisfies, By subtraction, we have By subtraction, we have By division, By the forking lemma [7], the chance of each successful rewind simulation is at least ξ/4, where ξ is the probability that A successfully forges a signature.Hence, the probability that for a given adversary A we can extract [∏ j∈τ α j ] ν is ξ 4 times the probability that pk t ⊆ (1, ..., n).
Theorem 2. The FS-LRS scheme is unconditionally anonymous.
Proof.The proof of unconditional anonymity is largely unchanged from [1], since both schemes rely on Pederson commitments.For each J O query, a value ) is returned for some random pair ([ x], [ y]).The challenge signature is created from the key of a random user in the ring.In contrast to Liu et al., we do allow the adversary access to the signing oracle.The access we grant gives the adversary the ability to learn, and therefore we assume knowledge of, the set of all genuine [ x i ] in the challenge ring.Crucially, it does not grant the ability to learn which key part belongs to which public key.
In what follows, we show that the advantage of the adversary is information-theoretically zero.
Therefore, in the view of the adversary, the signature σ is independent to the value π, the index of the actual signer.We conclude that even an unbounded adversary cannot guess the value of π better than at random.In details: 1. Part I. Let x, y be so that for i = 1 to n.For each π ∈ {1, ..., n}, consider the values Since σ 1 = σ 2 and they are unlinked, by definition of linkability, we have Since, by definition of the game, the σ i are both valid for the same time and event, Therefore, at most one [ f i ] l , and hence σ i , encodes the pair (∏ i∈τ x π,i , ..., ∏ i∈τ y π,i ) which we gave to the adversary.We extract on the unrelated signature.Therefore, we have [r 1 0 ] κ−1 = [r 2 0 ] κ−1 and find a response [α] κ−1 to the GMDP challenge as: ] We demonstrate the correctness of the extraction, below, by showing that since [K] simultaneously satisfies two equations the correctness follows by simple algebraic manipulation and the format of the keys.

[K] = [K]
We begin by substituting [K] for the two equations it satisfies, By subtraction, we have By subtraction, we have By distributivity, we have By division, we have ] By the forking lemma [7], the chance of each successful rewind simulation is at least ξ/4, where ξ is the probability that A successfully forges a signature.Hence, the probability that for a given adversary A we can extract [∏ j∈τ α j ] ν is ξ Theorem 4. The FS-LRS is non-slanderable in the ROM, if (k,b)-GMDP is hard.
Proof.We use the setting of Theorem 1.A can query any oracle other than to submit a chosen public key pk π to CO or include pk π ∈ pk π to SO.It then gives B: the key pk π , a list of public keys pk t pk π (w.l.o.g., we have | pk t | = n), a message M, a description event, and a time t.In return, B generates a signature σ([ f ] l , ...) using the standard method for the signing oracle, and gives it back to A. Recall, we let [ f ] l = [d * ∏ j∈τ a j x π,j ] l .A continues to query various oracles, expect that it is not allowed to submit pk π to CO. Suppose A produces another valid signature σ * = ([ f ] l , .) that was not an output from SO but is linkable to σ.Since they are linkable, we have The probability that, for a given adversary A, we can extract [∏ j∈τ α j ] ν is ξ 4n .
Theorem 5.The FS-LRS scheme is forward-secure anonymous in the random-oracle model, if MDDH is hard.
Proof.We show that the ability of the adversary to make corruption queries at times later than t does not allow it to de-anonymise signatures at time t or earlier, without breaking (κ,b)-MDDH, and hence the system achieves forward-secure anonymity.In this proof, we start by guessing the break point t at which the adversary's will choose to be challenged.
At some point, A requests to be challenged on e, t, n, pk t , M. B sets H l−ν (e||t) = [β] l−ν , samples i ∈ [n], sets [ f ] l = [γ ∏ i∈τ x i + β ∑ κ−1 i=1 g i−κ h κ−i KP(i)] l , and then performs the remaining steps of the signing oracle as above.Notice that if [γ] l is equal to [∏ κ i=1 a e i i β] l then this signature is normally formed; however, if [γ] l is a random group element than the linking element is random, while the rest of the signature is independent of the signer.If A successfully guesses i then B guesses that [γ] = [αβ], otherwise B guesses that [γ] is random.

Conclusions
We have presented the first linkable ring signature scheme with both unconditional anonymity and forward-secure key update.By expanding upon of our work in [3], we have shown how a combinatorial trick can allow bilinear pairings to synthesise a polynomial time granularity for forward security.This is a powerful tool which has direct applications in elegantly addressing a number of simultaneous constraints in remote electronic voting.We have also presented a comprehensive security model which better reflects real requirements than existing definitions.We then proved our construction secure under these definitions by reducing to natural bilinear or multilinear generalisations of the computational and decisional Diffie-Hellman Problems.
and ∑ e i ≤ l.The adversary A is given access to an oracle HO which given [ w] 0 returns [a w i i ] ∑ w i −1 .A only wins if [ e] cannot be trivially derived from any [ w].It is to the k-Sub-exponent Multilinear Decoding Problem that our combinatorial boosted variant's unforgability reduces.All three of the definitions presented so far are specific cases of the (k, b)-Generalised Multilinear Decoding Problem ((k, b)-GMDP).Definition 9 ((k, b)-Generalised Multilinear Decoding Problem.).For any PPT algorithm A, the probability Pr . The adversary A is given access to an oracle HO which given [ w] 0 returns [a w i i ] ∑ w i −1 .A only wins if [ e] cannot be trivially derived from any [ w].As with the previous set of assumptions we present a generalised assumption which includes both MDDH and SMDDH as specific cases.We call this assumption Generalised Sub-exponent Multilinear Decisional Diffie-Hellman Problem (k, b).Definition 12 (Generalised Sub-exponent Multilinear Decisional Diffie-Hellman Problem (k, b)-(GMDDH)).For any PPT A, the distinguishing probability Pr[A([ e] 0 , [ α] b , [β] l−b * ∑ e i +1 , [γ] l ) = "true" − A([ e] 0 , [ α] b , [β] l−b * ∑ e i +1 , [α e i i β] l ) = "true"] is negligible, where [ α] b ∈ r [G k ] b and β, γ ∈ R Z q and b

PriKeyUpd(param, sk
t ) given a private key sk at time t, produces the corresponding private key for time t + 1.
5. A outputs n * , n * public keys pk * t , a message M * , and a signature σ * = σ .We denote the adversary's advantage by Adv NS A (λ) = Pr[A wins the game].
A wins the game if: • Verify(event, n * , pk * t , M * , σ * , t) = accept on σ * not an output of SO; • all of the public keys in pk * t , pk t are query outputs of J O; • pk π has not been queried to CO; and • Link(σ * , σ ) = linked.
1. C generates and gives A the system parameters param.2. A may query the oracles according to any adaptive strategy.3. A gives C an event-id e, a group size n, a set pk t of n public keys, a message M, a time t and a signature σ.
A wins the game if:•Verify(e, n, pk t , M, σ, t) = accept; • all of the public keys in pk t are query outputs of J O; • no public keys in pk t have been input to CO at time t or earlier; and • σ is not a query output of SO.We denote the adversary's advantage by Adv FS−Un f A (λ) = Pr[A wins the game].Definition 4. Forward-Secure Unforgability.An FS-LRS scheme is forward-secure against forgeries if for PPT adversaries A, Adv FS−Un f A (λ) is negligible.
3. A gives C an event-id e, a time t, a group size n, a set of pk t of n public keys such that all of the public keys in pk t are query outputs of J O, and a message M, Parsing the set pk t as {pk 1 , ..., pk n }.C randomly picks π ∈ {1, ..., n}, and computes σ π = Sign(e, n, pk t , sk π , M, t), where sk π is a valid private key corresponding to pk π at time t.The signature σ π is given to A. 4. A outputs a guess π ∈ {1, ..., n}.
t have been input to CO at time t or earlier.We denote the adversary's advantage by Adv FS−Anon A (λ) = Pr[A wins the game].Definition 5. Forward-Secure Anonymity.An FS-LRS scheme is forward-secure anonymous if for any PPT adversaries A, Adv FS−Anon A (λ) is negligible.

Table 1 .
Overview of state changes.
Index generation for time period t.

Table 2 .
Space and time complexity analysis.
returns [a] i .• Joining Oracle J O: Assume A can only query J O for a maximum n times, where n ≥ n.W.l.o.g., (1, ..., n) will be the indices for which B does not know the private keys and embeds the challenge, and (n + 1, ..., n ) be the indices for which a private key is known.For the first n indices, B chooses • Corruption Oracle CO: On input a public key pk i obtained from J O, and a time t, B checks whether it is corresponding to [n + 1, n ], if yes, then B returns the private key.Otherwise, B calls O(τ, ν)returns sk i = ([∏ j∈τ x i,j α j ] ν , ..., [∏ j∈τ y i,j ] 0 ).•SigningOracleSO:On input a signing query for event event, a set of public keypk t = {[ Z 1 ] b , ..., [ Z n ] b }, the public key for the signer [ Z π ] b , where π ∈ [1, n],and a message M, and time t, B simulates as follows:1.If the query of H l−ν (t||event) has not been made, carry out the H-query of t||event as described above.Set[d] l−ν to H l−ν (t||event).Note that B knows the [λ] 0 that corresponds to [d] l−ν .B sets [ f ] l = [d * ∑ κ i=1 g i−κ h κ−i KP(i)] l ,which it can compute from the challenge [ α] b .2. If π ∈ (n + 1, ..., n ), B knows the private key and computes the signature according to the algorithm.3. Otherwise, B randomly chooses a ring ([pk 1 ], ..., [pk n ]) on message M, event event and time t, there exists a matching private key ([KP(κ)], ..., [KP(0)]) for each possible public key [∏ i∈τ Z π,i ], for any π ∈ {1, ..., n}, that can construct the linking tag • Corruption Oracle CO: On input a public key pk i obtained from J O, and a time t, B checks whether it is corresponding to [n + 1, n ], if yes, then B returns the private key.Otherwise, B calls O(τ, ν)returns sk i = ([∏ j∈τ x i,j α j ] ν , ..., [∏ j∈τ y i,j ] 0 ).•SigningOracleSO:On input a signing query for event event, a set of public keys pk t = {[Z 1 ] l , ..., [Z n ] l }, the public key for the signer [Z π ] l where π ∈ [1, n], a message M, and a time t, B simulates as follows:1.If the query of H l−ν (t||event) has not been made, carry out the H-query of t||event as described above.Set[d] l−ν to H l−ν (t||event).Note that B knows the [λ] 0 that corresponds to [d] l−ν .2. B randomly chooses [r 0 ] 0 ∈ R [G] 0 and [r 1 ] ν ∈ R [G] ν and [c i ] 0 ∈ R [G]0 for all i ∈ [1, n] and sets the H 0 oracle output of