Universally Composable Traceable Ring Signature with Verifiable Random Function in Logarithmic Size

Abstract

Traceable ring signatures (TRSs) allow a signer to create a signature that maintains anonymity while enabling traceability if needed. It merges the characteristics of traditional ring signatures with the ability to trace signers, making it ideal for applications that demand both confidentiality and accountability. In a TRS scheme, a ring of potential signers generates a signature on a message without disclosing the actual signer’s identity. However, the identity can be traced if the signer uses the same tag for multiple signatures. This paper introduces a novel formal construction of TRS under universally composable (UC) security. We integrate verifiable random functions (VRFs) and zero-knowledge proofs for membership, employing Pedersen commitments. Our signature schemes maintain a logarithmic size while preserving the UC security guarantees. Additionally, we explore the potential to extend the property of one-time anonymity in TRS to K-time anonymity.

1. Introduction

In recent years, the field of traceable ring signatures (TRSs) has garnered significant attention due to its potential in the application of decentralized technologies, such as decentralized identifiers (DIDs) [1]. The functionality of TRS could expose the identities of malicious users while maintaining the anonymity of the other users. Despite the advancements made, there remains a critical gap in the understanding of the formulation under the security of universal composibility (UC) [2]. Existing literature, such as [3,4,5,6,7,8,9,10,11,12,13,14,15,16], predominantly focuses on different algorithms (some of which do not follow the typical security definitions of TRS) or different security models, yet overlooks the possibility of expanding TRS to support UC. This gap is particularly important because protocols that support UC security can operate under more realistic assumptions about the adversary’s capabilities, and UC security ensures that a protocol maintains its security properties even when composed with other protocols. Addressing this gap could improve the adaptability of the TRS scheme. Therefore, this study aims to design a UC functionality of TRS, propose one concrete construction with verifiable random function (VRF) and membership proof, and provide security proofs.

1.1. Background

• From Ring Signatures to Traceable Ring Signatures. Ring signatures have emerged as a significant cryptographic tool for ensuring anonymity while enabling verifiable signatures. Introduced by Rivest, Shamir and Tauman [17], a ring signature allows a member of a group to sign a message on behalf of the entire group without disclosing their identity. The signer remains anonymous as the system does not rely on a trusted manager or issuer; instead, a user can create a signature on behalf of a ring (a group that includes themselves), rendering the signer indistinguishable from the others. Consequently, no individual or group can exclusively control access to a signer’s identity. This feature has facilitated widespread adoption in various contexts, such as electronic voting [18], blockchain technologies, and cryptocurrencies [19,20].

However, the anonymity afforded by traditional ring signatures presents challenges, particularly in scenarios where accountability is paramount. For instance, in cases of misuse or fraudulent activities, such as double voting in e-voting systems, identifying the actual signer while preserving group privacy becomes essential. This necessity for both anonymity and traceability has driven the development of linkable ring signatures (LRSs) and traceable ring signatures (TRSs), variants specifically designed to address these challenges. While achieving different variants, the dominant anonymity is maintained, applicable primarily in standard scenarios, such as a single vote cast in a voting event.

LRS and TRS enhance the functionality of traditional ring signatures by incorporating mechanisms for accountability while preserving user anonymity. LRS, for example [21,22,23,24,25,26,27,28], enables the same signer to produce multiple signatures that can be linked, allowing for the detection of repeated signers across different messages without revealing their identities. This feature enhances tracking, proving advantageous in contexts like digital asset management [29,30,31,32,33]. Conversely, TRS introduces a mechanism that allows anyone in possession of the signatures to identify the signer in instances of misconduct while preserving the general anonymity of the group. This dual functionality renders TRS particularly appealing for applications requiring a balance between user privacy and oversight, such as in regulatory frameworks and secure communications. By integrating these features, TRS significantly broadens the potential applications of this cryptographic construct, paving the way for more robust privacy-preserving systems.

In the existing literature, numerous protocols with similar functionalities do not adhere to the TRS framework. We classify these protocols based on their alignment with the security definitions proposed by Fujisaki and Suzuki [3]. Several works [10,11,12,13,14,15,16] have proposed primitives that do not utilize the models outlined in [3]. These works ultimately achieve accountability by introducing additional mechanisms, such as the property of revokable-iff-linkable [10] and reporting mechanism [13,14], which we consider variants of TRS. In addition, existing research, such as [34,35], has examined different signature schemes within the framework of K-time anonymity as opposed to one-time anonymity. Generally, K-time anonymity stipulates that signers may sign for only K distinct messages associated with each issue (a unique identifier) to conceal their identities. However, this requirement requires more intricate security definitions.

• Significance of Traceability in Decentralized World. The advent of Web 3.0 (or Web3) has garnered public attention for its potential to revolutionize various industries and applications. This paradigm shift from the traditional centralized model (Web 2.0) to a more transparent and user-centric ecosystem is expected to facilitate new opportunities in value exchange, data ownership, and data management. A critical element of Web3 is DID [1], which can represent individuals, groups, or objects. By possessing a DID and its associated private key, users can disclose or withhold their credentials as desired in online interactions. Furthermore, a DID holder can use the private key to sign messages or conduct transactions. Maintaining traceability while ensuring the anonymity of users is a significant challenge in cryptography. Traceability enhances transparency, allowing users to track and verify transactions and interactions on the blockchain, thereby fostering trust and preventing fraud.

By combining TRS with the concept of DID, it may be possible to preserve anonymity while leveraging the decentralized identity features of DID. This integration could enable users to sign messages or transactions anonymously while linking their identity to a DID for verification purposes when necessary.

• VRFs Output Pseudorandom Values with Public Verifiability. Micali, Rabin, and Vadhan [36] introduced the concept of verifiable random functions (VRFs) and formalized their security properties. A VRF generates a random output that is both unpredictable and verifiable, allowing any party to confirm the output without needing access to the secret key used in its production. The significance of VRFs lies in their capacity to provide a reliable source of randomness in decentralized systems.

In studies such as [37,38,39], applications including cryptocurrency mining and randomized consensus mechanisms highlight the critical importance of the integrity of the random output for maintaining fairness and preventing manipulation. Furthermore, research efforts [40,41,42,43] have focused on optimizing the efficiency of VRFs while ensuring the preservation of their security properties. Additionally, [38] addressed VRFs within the framework of universally composable (UC) security, introducing additional security features such as unpredictability under malicious key generation (UMKG). However, the standard security definitions of VRF outlined in [36] do not account for the potential for malicious key generation.

• Ideal Functionalities versus Real-World Protocols in the UC Framework. Universally composable (UC) security [2] formalizes the intuition that a protocol remains secure even when executed concurrently with an arbitrary collection of other protocols. In the UC framework, a clear division is established between a functionality and a protocol. An ideal functionality $\mathcal{F}$ is an abstract, interactive Turing machine that encapsulates the target task, such as coin tossing, under the assumption of a perfectly trustworthy execution environment. It exposes a well-defined interface to external parties while concealing all internal states from the adversary $\mathcal{A}$, thereby capturing the security objectives in their strongest possible form. By contrast, a protocol $\mathrm{\Pi }$ comprises concrete algorithms implemented by real-world participants. The protocol code specifies local computations, message formats, and timing, and is subject to active attacks by a probabilistic polynomial-time (PPT) adversary $\mathcal{A}$. The UC definition requires that, for every $\mathcal{A}$, there exists a simulator $\mathcal{S}$ such that no environment $\mathcal{Z}$ can distinguish an execution of $\mathrm{\Pi }$ (or $\mathcal{A}$) from an execution of $\mathcal{F}$ (or $\mathcal{S}$). Intuitively, the functionality serves as the ideal security benchmark, while the protocol must emulate that benchmark even when composed with arbitrary other protocols.

1.2. Literature Review on TRS Schemes and Their Variants

During the development in recent years, the typical existing TRS protocols, such as [3,4,5,6,7,8,9] and other variants, such as [10,11,12,13,14,15,16] do not consider the involvement of UC security. In this subsection, we introduce them and organize the information in

Table 1. Comparison of our TRS scheme with other existing schemes, considering a ring size of n and a security parameter of $\lambda$. Notably, our protocol is the first TRS to achieve UC security.

Schemes	Nature	Size	Assumption	Security Model	Remarks
Fujisaki et al. (FS07) [3]	TRS	$O\left(n\right)$	DDH	ROM	-
Hu et al. (HL07) [4]	TRS	$O\left(n\right)$	DDH	ROM	Forward Security
Fujisaki (Fujisaki11) [5]	TRS	$O\left(\sqrt{n}\right)$	DDH	CRS	Type-1 pairing
Branco et al. (BM19) [6]	TRS	$O(logn)$	SD	ROM	Post-quantum resistant
Feng et al. (FLL+21) [7]	TRS	$O(logn)$	SIS, LWE	ROM, QROM	-
Wei et al. (WLB+23) [8]	TRS	$O(logn)$	MSIS, MLEW, CSIDH	ROM	Post-quantum resistant
Thanh Khuc et al. (TSD+25) [9]	TRS	$O(logn)$	Generic	Plain	NIWI
Au et al. (ALS+13) [10]	Rev-iff-Link	$O\left(n\right)$	DL, DDH, q-SDH	ROM	Type-2 pairing
Bootle et al. (BCC+15) [11]	Acc	$O(logn)$	DL, DDH	ROM	ElGamal, Com
Zhang et al. (ZLS+19) [12]	RLRS	$O\left(n\right)$	DL, DDH	ROM	ElGamal
Fraser et al. (FQ21) [13]	R&T	$O\left(n\right)$	DL, DDH	ROM	ElGamal, Com
Bultel et al. (BFQ21) [14]	R&T	$O\left(n\right)$	DL, DDH	ROM	Type-3 Bilinear ElGamal
Scafuro et al. (SZ21) [15]	TRS Variant	$O(n·{\lambda }^2)$	None	ROM	Post-quantum resistant
Kabaleeshwaran et al. (KK24) [16]	RLRS	$O\left(n\right)$	DL, DDH	ROM	ElGamal
This Work	TRS	$O(logn)$	DL, q-co-DBDHI,	ROM, UC	Com, Type-3 pairing

Abbreviations: Rev-iff-Link: Revocable-iff-linked Ring Signature; DL: Discrete Logarithm; RLRS: Revocable and Linkable Ring Signature; DDH: Decisional Diffie–Hellman; Acc: Accountable Ring Signature; ROM: Random Oracle Model; R&T: Report and Trace; q-SDH: q-Strong Diffie–Hellman; Com: Commitment Scheme; UC: Universal Composibility; SD: Syndrome Decoding; CSIDH: Commutative Supersingular Isogeny Diffie–Hellman; (M)SIS: (Module) Short Integer Solution; NIWI: Non-interactive Witness-Indistinguishable Proof; (M)LWE: (Module) Learning with Errors;

. We denote the size of the ring as n and a security parameter $\lambda$.

• Traceable Ring Signature. TRS is a variant of ring signature, providing flexibility on the maintenance of anonymity and accountability. Fujisaki and Suzuki (FS07) [3] proposed the first TRS with size $O\left(n\right)$. It formalized the security properties of TRS with correctness and public traceability, and the security definitions including exculpability, anonymity, and tag-linkability. Also, it proved that a traceable ring signature is unforgeable if it is tag-linkable and exculpable ([3], Theorem 2.6). Their scheme is under the DDH assumption and the random oracle model (ROM). In general, the signer’s identity will be disclosed if two signatures are signed for the same tag with different messages. The content of a tag usually includes a ring of signers and a identifier issue.

Since the idea from Fujisaki, many variants of TRS have been proposed, and we introduce some of them. Hu et al. (HL07) [4] introduced a version of TRS that offers forward security. The scheme ensures that even if the signer’s secret key is compromised, the generated signatures remain secure. This scheme is in the size of $O\left(n\right)$ and is proven secure in the ROM. Fujisaki (Fujisaki11) [5] presented a version of TRS in size $O\left(\sqrt{n}\right)$ that is proven secure under the DDH assumption and employs Type-1 bilinear pairing within the common reference string (CRS) model. In this framework, a trusted setup phase creates a CRS that is available to all parties, which may complicate usage in decentralized settings. A recent work by Thanh Khuc et al. (TSD+25) [9] introduced the first generic construction of TRS with logarithmic signature size that is secure in the plain model. It assumes no trusted setup or idealized components.

For post-quantum resistant TRS, we highlight three recent contributions. Branco et al. (BM19) [6] developed the first code-based TRS scheme utilizing the Fiat–Shamir transformation and the Stern protocol. However, this scheme has some security proof flaws identified in [7]. Feng et al. (FLL+21) [7] introduced a general framework for TRS and provided two concrete, efficient TRS schemes based on lattices and symmetric-key primitives, both proven secure in the quantum random oracle model. Both schemes feature logarithmic signature sizes. Recently, Wei et al. (WLB+23) [8] constructed two TRS schemes based on group actions that can be instantiated using isogenies and lattices. These schemes also maintain a logarithmic signature size and are secure in ROM.

• Existing Ring Signature Schemes with Similarities. Apart from the existing work using the typical security formulation of TRS defined by Fujisaki and Suzuki (FS07) [3], we introduce some existing work which we consider to be variants of TRS from the functional perspective. Mostly, they adopt different security models with the considerations on different basis and applications.

Au et al. (ALS+13) [10] proposed a ID-based linkable and revocable-iff-linked ring signature. The linkable version only considered the linkage between signatures of the same event and same link tag, without considering disclosing the signer’s identity, while the revocable-iff-linked version considered disclosure when the signatures are linked. It proposed a scheme using a Type-2 bilinear pairing and the random oracle model. Since the revocable-iff-linked version was extended from a linkable signature, it does not follow the security definitions of TRS.

Bootle et al. (BCC+15) [11] proposed an improved accountable ring signature with size $O(logn)$. The protocol is designed with an algorithm to open the signer’s identity of a specific signature, without considering the content of signature. In their construction, the Pedersen commitment [44] and a variant of membership proof considering ElGamal encryption [45] were adopted.

Zhang et al. (ZLS+19) [12] developed a revocable and linkable ring signature (RLRS) scheme with a size of $O\left(n\right)$. This scheme allows a revocation authority to disclose the identity of the real signer within a linkable ring signature context, ensuring both mandatory revocability and linkability. Additionally, the security of the scheme is proven in ROM.

Fraser and Quaglia (FQ21) [13] proposed a report and trace ring signature with the reporting mechanism using ElGamal encryption [45]. Here, in the reporting mechanism, the reporter is one of the ring members who generates a report. After receiving the report, a third-party tracer is able to reveal the identity of the signer being reported. However, the size of a signature is $O\left(n\right)$. Bultel et al. (BFQ21) [14] proposed an improvement in efficiency of [13] by introducing a new ElGamal variant based on bilinear pairing under the indistinguishability of a chosen-plaintext attack (IND-CPA).

Scafuro and Zhang (SZ21) [15] proposed a fast, key-oriented, post-quantum resistant scheme. It only requires the classic random oracle model, but it is of signature size $O(n·{\lambda }^2)$, where $\lambda$ is the security parameter. They introduced a one-time traceable ring signature, where all security properties hold assuming that a secret key is used at most once. Moreover, it described an approach to publishing “per-topic” keys under one main public key, in order to bootstrap signatures under different events with the same main key.

Kabaleeshwaran et al. (KK24) [16] introduce an efficient RLRS scheme, with security proven in the random oracle model. Compared to ZLS+19 [12], their scheme significantly enhances efficiency, reducing the time complexity of algorithms by a factor of four, while also halving the signature size. Nevertheless, the resultant size remains $O\left(n\right)$.

• Beyond One-Time Anonymity. One-time anonymity stipulates that signers are permitted to sign only one message for each identifier to conceal their identity. Several studies, including [3,4,5,6,7,8,9,10,11,12,13,14,15,16], have focused on this aspect of anonymity. However, in certain contexts, allowing signers to sign multiple messages can be more beneficial.

Research such as [34,35] has explored this topic, specifically considering the concept of K-time anonymity, which permits multiple signatures within a specified limit of K. For instance, Au et al. [34] proposed a group signature scheme that emphasizes both K-time anonymity and revocation linked to signatures. This scheme, however, relies on a group manager to oversee the K-time anonymity. Bultel et al. [35] demonstrated how K-time anonymity can be attained in delegation-supported signature schemes, particularly in proxy signatures and sanitizable signatures, which allow a delegate to modify certain components of signed messages. In general, a proxy signature allows a signer to authorize a delegate to sign messages on their behalf. Nonetheless, to the best of the author’s knowledge, there has been no direct study about K-time anonymity within the framework of traceable ring signatures.

1.3. Motivation

In this study, we explore the potential of extending the TRS security model to the UC framework [2], an area that has yet to be thoroughly investigated. Existing TRS protocols, such as those outlined in [3,4,5,6,7,8,9], along with various other variants [10,11,12,13,14,15,16], do not address the incorporation of UC security. Achieving TRS under the UC framework would ensure its compatibility with a wide range of cryptographic protocols. This leads to the central motivation of our investigation: is it feasible to construct a TRS scheme within the UC framework? We affirmatively answer this question and present our findings in this work. In this work, we concentrate on the construction that supports one-time anonymity. We also discuss the possibility of extending the schemes to accommodate K-time anonymity in Section 6.2.

To illustrate the significance of TRS, we consider two distinct scenarios.

• Decentralized Applications. Decentralization among tracers is crucial in certain contexts. The Web3 paradigm emphasizes the significance of decentralized identifiers (DIDs) [1] for enabling data ownership and management. The rapid development of decentralized protocols like blockchain and cryptocurrencies has led to an increased demand for a protocol that satisfies Web3 requirements. Cryptocurrencies like Monero [20,46] employ ring signatures to enhance privacy. However, traditional ring signatures cannot effectively trace abnormal transactions such as double-spending. Typically, third-party tracers are involved in achieving tracing objectives, such as [13,14], but this introduces potential risks, such as information leakage from a corrupted tracer or disruption of tracer availability due to DDoS attacks. Therefore, a scheme would be advantageous for protocols operating without any third parties, mitigating the associated risks and enhancing overall security.

• Publishing votes. In an e-voting scenario with a committee, the goal is to ensure the integrity of the voting process. The committee members form a ring and each member should ideally vote once. Signatures are used to verify the validity of the ballots on a bulletin board. However, if a member is corrupt or malicious, they may vote multiple times and compromise the results. Only achieving linkability is insufficient in this case. It becomes necessary to identify the signer for further actions like investigation or disqualification. Additionally, users may vote inadvertently more than once.

In such cases, the original and duplicate signatures should only be linked if the will expressed in the ballots is the same. It is important to note that in traditional voting, once a ballot is submitted, no changes to the will are allowed. To keep anonymity of the user and responsibility at the same time, a traceable ring signature scheme plays a significant role. The scheme allows a signer to keep her identity hidden while there exist some mechanisms to recover the identity of signers who violate the rules. For example, the existing e-voting application [47] was developed specifically to prevent double voting.

1.4. Our Contributions

We introduce a universally composable (UC) traceable ring signature (TRS) scheme that leverages verifiable random functions (VRFs) and incorporates a proposed related non-interactive zero-knowledge (NIZK) proof. Building on these foundational primitives, we present the ideal functionalities along with their corresponding security proofs. Our contributions can be summarized as follows:

• We propose a security definition for VRF within the UC framework, specifically designed to meet the security requirements of TRS. This definition includes an ideal functionality that captures the properties of uniqueness, provability, and pseudorandomness. We evaluate the security level of this proposed definition in the UC context and demonstrate its realization through the Dodis–Yampolskiy VRF (DY-VRF) [43], complete with a comprehensive security proof.
• We present a novel security definition for TRS within the UC framework. We define and prove the ideal functionality, which encompasses the properties of correctness, public traceability, tag-linkability, exculpability, and anonymity. Additionally, we realize this ideal TRS functionality through the integration of DY-VRF and a NIZK proof, along with a security proof in the UC setting. The size of the signature is $O(logn)$.

These two UC primitives are noteworthy and may hold independent interest in the field.

1.5. Technical Overview and Technical Challenges

• Technical Overview. Generally, our proposed traceable ring signature scheme takes advantage of the 1-out-of-n proof proposed by Groth and Kohlweiss [48] as a membership proof for the ring. Moreover, our construction is constructed in a Type-3 bilinear curve with the Dodis–Yampolskiy VRF (DY-VRF) [43].

First, the signer who obtains the system parameter generates the key pair $(\mathsf{vk},\mathsf{sk})$. After the signing algorithm, the signer generates the signature $\sigma$ in the form of $\sigma =(c,Z,Q,W,\pi )$ on $(T,m)$, where $T=(R,\mathsf{issue})$, R is the ring, issue is a unique identifier, and m is the message. In the signature, $\pi$ is the instance of the zero-knowledge proof including the membership proof. Moreover, Z is the signature in ${\mathbb{G}}_1$, c is the hash of related information, and $Q,W$ are the outputs of DY-VRF.

With sufficient information (including the system parameter param, the tag T and the message m), anyone is able to verify a particular signature $\sigma$. And, with the system parameter param, anyone is able to trace the origin of two signatures ${\sigma }_1=(c_1,Z_1,Q_1,W_1,{\pi }_1)$ and ${\sigma }_2=(c_2,Z_2,Q_2,W_2,{\pi }_2)$ signed with the same tag T, on messages $m_1,m_2$, respectively. The trace algorithm may (1) output Accept if the input message–signature pairs are independent; (2) output Reject if either one of the signature fails to pass the verification algorithm; (3) output a key $\overline{\mathsf{vk}}\in R$ if $m_1\ne m_2$; and (4) output Linked if $c_1=c_2$.

• Technical Challenges. The primary technical challenge of this research lies in the formal security functionalities and the proof of the proposed schemes.

In order to achieve UC security of DY-VRF and our TRS scheme, we first formalized the UC ideal functionalities. Next, we proceed to prove that our protocol achieves UC security based on the first step. The aim of a UC-security proof is to establish indistinguishability between the real world and the ideal world scenarios, rendering the requirement for the adversary impracticable, as it fails to simulate the dynamics of the real world accurately. To overcome this challenge, alternative strategies need to be employed in the UC-security proof. These strategies typically involve constructing simulations that capture the desired security properties while maintaining indistinguishability between the real and ideal worlds. By carefully designing and analyzing these simulations, it becomes possible to establish UC-security guarantees for the proposed schemes.

In this work, we utilize a membership proof [48] to maintain a signature size of $O(logn)$. This proof achieves perfect $(N+1)$-special soundness and perfect special honest verifier zero-knowledge (SHVZK), provided that the commitment scheme is both perfectly binding and hiding, with $n=2^N$. However, the standard construction of the membership proof in [48] only verifies the possession of the secret key corresponding to one of the public keys in the ring. To prove membership while also establishing relationships between values in the signature tuple, a specialized design is necessary to satisfy both requirements. In general, we leverage the binding property to create a tailored approach to extend the proof of the relationship from possession. The additional values introduced in the proof will not reveal any extra information through potential calculations.

1.6. Organization

In this work, we first introduce the mathematical background in Section 2. We then recall the security requirements of VRF, propose our UC functionality of VRF, and present the realization with DY-VRF in Section 3, followed with security proofs. Then, we recall the security requirements of TRS, and propose our new UC functionality of TRS followed with security proof in Section 4. And, we present the realization and proof of TRS in UC, and the formulation of the zero-knowledge proof in Section 5. Finally, we present the discussion in Section 6. We present a roadmap of this work in Figure 1.

2. Preliminaries

2.1. Bilinear Pairing

According to the classification by Galbraith et al. [49], there are two generalized forms of pairings used in cryptographic literature: $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$ and $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, where ${\mathbb{G}}_1$, $G_2$, ${\mathbb{G}}_T$ are cyclic groups of prime order p. These pairings are further categorized into three basic types based on different instantiations.

• Type-1 pairing: In the form of $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$;
• Type-2 pairing: In the form of $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, but there is an efficiently computable homomorphism $\varphi :{\mathbb{G}}_2\to {\mathbb{G}}_1$;
• Type-3 pairing: In the form of $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, and there are no efficiently computable homomorphisms between ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$,

In this work, we adopt Type-3 pairing, with the following details described below.

• Type-3 pairing. Consider $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, where ${\mathbb{G}}_1$, $G_2$, ${\mathbb{G}}_T$ are cyclic groups of prime order p. Assuming $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ and $x,y\in {\mathbb{Z}}_p$, the bilinear pairing function follows the properties (1) bilinearity: $\mathsf{e}(g_1^x,g_2^y)=\mathsf{e}(g_1^y,g_2^x)=\mathsf{e}{(g_1,g_2)}^{xy}$; (2) non-degeneracy: $\mathsf{e}(g_1,g_2)\ne 1$; (3) efficiency: $\mathsf{e}$ is efficiently computable.

2.2. Security Assumptions

Definition 1 (Discrete logarithm Assumption (DLOG)).

If an algorithm $\mathcal{A}$ runs in time at most $t_{\mathsf{dlog}}$ and runs with a negligible probability ${ϵ}_{\mathsf{dlog}}$ such that

$$Pr[x\in {\mathbb{Z}}_p:\mathcal{A}(g,g^x)=x)]\ge {ϵ}_{\mathsf{dlog}},$$

it $(t_{\mathsf{dlog}},{ϵ}_{\mathsf{dlog}})$-breaks the DLOG assumption. The DLOG assumption is $(t_{\mathsf{dlog}},{ϵ}_{\mathsf{dlog}})$-secure if there are no algorithm $(t_{\mathsf{dlog}},{ϵ}_{\mathsf{dlog}})$-solutions to the DLOG problem.

Definition 2

(q-co-Decisional Bilinear Diffie–Hellman Inversion Assumption (q-co-DBDHI) [50]). An algorithm $\mathcal{A}$$(t_{\mathsf{dbdhi}},{ϵ}_{\mathsf{dbdhi}})$-breaks the q-co-DBDHI assumption if $\mathcal{A}$ runs with a negligible probability ${ϵ}_{\mathsf{dbdhi}}$ and in time at most $t_{\mathsf{dbdhi}}$ such that

$$\left|Pr[\begin{array}{cc}\hfill & x\in {\mathbb{Z}}_p\setminus \left\{0\right\};b\leftarrow \{0,1\};\mathrm{\Gamma }\leftarrow {\mathbb{G}}_T\hfill \\ \hfill & b^{\prime }\leftarrow \mathcal{A}(g_1,g_1^x,\dots ,g_1^{x^q},g_2,g_2^x,\dots ,g_2^{x^q},(\mathsf{e}{(g_1,g_2)}^{{\displaystyle \frac{1}{x}}}{)}^{1-b}·{\mathrm{\Gamma }}^b)\hfill \end{array}:\begin{array}{c}b=b^{\prime }\hfill \end{array}\right]-{\displaystyle \frac{1}{2}}|\ge {ϵ}_{\mathsf{dbdhi}}.$$

It is a variant of q-DBDHI assumption [50], which considers a Type-3 bilinear curve.

2.3. Homomorphic Commitment Scheme

A non-interactive commitment scheme (CS) consists of two polynomial-time algorithms $(\mathsf{CS}.\mathsf{KeyGen},\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}})$, with specified a message space ${\mathcal{M}}_{\mathsf{ck}}$, a randomness space ${\mathcal{R}}_{\mathsf{ck}}$ and a commitment space ${\mathcal{C}}_{\mathsf{ck}}$, defined below.

• $\mathsf{CS}.\mathsf{KeyGen}\left(1^{\lambda }\right)\to \mathsf{ck}$: On input a security parameter $\lambda$, the setup algorithm outputs a commitment key ck.
• $\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}}(m;r)$: On input of a message $m\in {\mathcal{M}}_{\mathsf{ck}}$ and a randomness $r\in {\mathcal{R}}_{\mathsf{ck}}$, the commitment algorithm outputs a commitment $\upsilon \in {\mathcal{C}}_{\mathsf{ck}}$, such that $\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}}:{\mathcal{M}}_{\mathsf{ck}}\times {\mathcal{R}}_{\mathsf{ck}}\to {\mathcal{C}}_{\mathsf{ck}}$.

To open a commitment, one reveals m and r allowing anyone to verify that $\upsilon$ is indeed a commitment to m. Moreover, it achieves the homomorphic property such that

$$\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}}(m_0;r_0)·\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}}(m_1;r_1)=\mathsf{CS}.{\mathsf{Com}}_{\mathsf{ck}}(m_0+m_1;r_0+r_1).$$

And, we require that the scheme is hiding and binding.

• Hiding. The hiding property ensures that the commitment itself does not reveal any information about the committed value. The adversary should not be able to guess the value or gain any partial knowledge about it from the commitment.

Definition 3

(Hiding). For all PPT stateful adversaries $\mathcal{A}$, the commitment scheme achieves the hiding property, and given a negligible function $\mathsf{negl}$, such that

$$|Pr[\begin{array}{c}\mathsf{ck}\leftarrow \mathsf{CS}.\mathsf{KeyGen}\left(1^{\lambda }\right);(m_0,m_1)\leftarrow \mathcal{A}\left(\mathsf{ck}\right);\hfill \\ b\leftarrow \{0,1\};\upsilon \leftarrow {\mathsf{Com}}_{\mathsf{ck}}(m_b;·);b^{\prime }\leftarrow \mathcal{A}\left(\upsilon \right)\hfill \end{array}:\begin{array}{c}b=b^{\prime }\hfill \end{array}]-{\displaystyle \frac{1}{2}}|\le \mathsf{negl}\left(\lambda \right).$$

• Binding. The binding property ensures that once a commitment is made, the committer cannot change the value they committed to. They cannot open the commitment with a different value from the one they originally committed to.

Definition 4

(Binding). For all PPT stateful adversaries $\mathcal{A}$, the commitment scheme achieves binding property, and given a negligible function $\mathsf{negl}$, such that

$$Pr[\begin{array}{c}\mathsf{ck}\leftarrow \mathsf{CS}.\mathsf{KeyGen}\left(1^{\lambda }\right);\hfill \\ (m_0,r_0,m_1,r_1)\leftarrow \mathcal{A}\left(\mathsf{ck}\right)\hfill \end{array}:\begin{array}{c}{m}_0\ne m_1\hfill \\ {\mathsf{Com}}_{\mathsf{ck}}(m_0;r_0)={\mathsf{Com}}_{\mathsf{ck}}(m_1;r_1)\hfill \end{array}]\le \mathsf{negl}\left(\lambda \right).$$

In this work, we adopt the typical Pedersen Commitment [44] schemes for the membership proof in [48], which achieves the homomorphic propery. We recall the definition below.

Definition 5

(Pedersen Commitment [44], ${\mathrm{\Pi }}_{\mathsf{Ped}}$). Pedersen commitment is a homomorphic commitment scheme which consists of the algorithms below.

• $\mathsf{Ped}.\mathsf{KeyGen}\left(1^{\lambda }\right)$: It constructs a cyclic group $\mathbb{G}$ with prime order p and samples generators $g_1$ and $h_1$. It outputs the commitment key $\mathsf{ck}=(\mathbb{G},p,g_1,h_1)$.
• $\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(m;r)$: The commit algorithm intakes the message $m\in {\mathbb{Z}}_p$ and the randomness $r\in {\mathbb{Z}}_p$. It outputs the commitment $h_1^m{g}_1^r$.

2.4. Non-Interactive Zero-Knowledge (NIZK) Proofs and Sigma-Protocols

The NIZK for a relation $\mathcal{R}:{\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }\to \{0,1\}$ is a tuple of PPT algorithms $\mathsf{NIZK}=(\mathsf{NIZK}.\mathsf{Setup},\mathsf{NIZK}.\mathsf{Prove},$$\mathsf{NIZK}.\mathsf{Verify})$. The language ${\mathcal{L}}_{\mathcal{R}}$ is defined as ${\mathcal{L}}_{\mathcal{R}}=\left\{\theta \right|\exists w:\mathcal{R}(\theta ,w)=1\}$, where $\theta$ is a statement, and w is the witness. The algorithms of NIZK are defined below.

• $\mathsf{NIZK}.\mathsf{Setup}\left(1^{\lambda }\right)\to \mathsf{crs}$: On input of the security parameter $\lambda$, the setup algorithm returns a common reference string (CRS) $\mathsf{crs}$.
• $\mathsf{NIZK}.\mathsf{Prove}(\mathsf{crs},\theta ,w)\to \pi$: On input of the CRS $\mathsf{crs}$, the statement $\theta$ and the witness w, the prover algorithm outputs a proof $\pi$.
• $\mathsf{NIZK}.\mathsf{Verify}(\mathsf{crs},\theta ,\pi )\to \{0,1\}$: On input of the CRS $\mathsf{crs}$, the statement $\theta$ and the proof $\pi$, the verification algorithm outputs 1 if $\pi$ is valid, and 0 otherwise.

The proof system should satisfy perfect completeness such that a prover with a witness w for $x\in \mathcal{L}$ can convince the verifier of this fact. Moreover, it should satisfy computational soundness and computational zero-knowledgeness, such that the following definitions stand.

Definition 6

(Perfect Completeness). For $\lambda \in \mathbb{N}$, a NIZK scheme achieves perfect completeness, such that $Pr[\mathsf{NIZK}.\mathsf{Verify}(\mathsf{crs},\theta ,\mathsf{NIZK}.\mathsf{Prove}(\mathsf{crs},\theta ,w))=1]$, where $\mathsf{crs}\leftarrow \mathsf{NIZK}.\mathsf{Setup}\left(1^{\lambda }\right)$.

Definition 7

(Computational Soundness). For any PPT adversary $\mathcal{A}$, NIZK achieves computational soundness, and given a negligible function $\mathsf{negl}$, such that

$$Pr[\begin{array}{c}\mathsf{crs}\leftarrow \mathsf{NIZK}.\mathsf{Setup}\left(\lambda \right)\hfill \\ (\theta ,\pi )\leftarrow \mathcal{A}\left(\mathsf{crs}\right)\hfill \end{array}:\begin{array}{c}\mathcal{R}(\theta ,w)=0\wedge \hfill \\ \mathsf{NIZK}.\mathsf{Verify}(\mathsf{crs},\theta ,\pi )=1\hfill \end{array}]\le \mathsf{negl}\left(\lambda \right).$$

Before we define the property of computational zero-knowledgeness, we first define two PPT algorithms $(\mathsf{NIZK}.\mathsf{SimSetup},\mathsf{NIZK}.\mathsf{Simulate})$ for simulation below.

4.

$\mathsf{NIZK}.\mathsf{SimSetup}\left(1^{\lambda }\right)\to ({\mathsf{crs}}^{\prime },\tau )$: It outputs a simulated CRS ${\mathsf{crs}}^{\prime }$ and a simulation trapdoor $\tau$.

5.

$\mathsf{NIZK}.\mathsf{Simulate}({\mathsf{crs}}^{\prime },\theta ,\tau )\to {\pi }^{\prime }$: It produces a simulated proof ${\pi }^{\prime }$, without knowing the witness.

Moreover, the ${\mathcal{O}}_{\mathsf{Prove}}$ oracle is defined as: First, it returns ⊥ if $\mathcal{R}(\theta ,w)=0$, and continues otherwise. Then, it runs and receives ${\pi }_0\leftarrow \mathsf{NIZK}.\mathsf{Prove}(\mathsf{crs},\theta ,w)$ and ${\pi }_1\leftarrow \mathsf{NIZK}.\mathsf{Simulate}({\mathsf{crs}}^{\prime },\theta ,\tau )$, where $({\mathsf{crs}}^{\prime },\tau )\leftarrow \mathsf{NIZK}.\mathsf{SimSetup}\left(1^{\lambda }\right)$. Finally, it returns ${\pi }_b$ where b is a random bit.

Definition 8

(Computational Zero-Knowledgeness). For any adversary $\mathcal{A}$, NIZK achieves computational zero-knowledgeness, and given a negligible function $\mathsf{negl}$, such that

$$|Pr[\begin{array}{c}(\mathsf{crs},\tau )\leftarrow \mathsf{Setup}\left(1^{\lambda }\right)\hfill \\ b^{\ast }\leftarrow {\mathcal{A}}^{{\mathcal{O}}_{\mathsf{Prove}}}\left(\mathsf{crs}\right)\hfill \end{array}:\begin{array}{c}\hfill b=b^{\ast }\end{array}]-{\displaystyle \frac{1}{2}}|\le \mathsf{negl}\left(\lambda \right).$$

• Sigma-protocols. A $\mathrm{\Sigma }$-protocol is a special type of three-move interactive proof system that allows a prover to convince a verifier that a statement is true. The prover sends an initial message to the verifier, the verifier picks a random public coin challenge $\mathsf{chal}\leftarrow {\{0,1\}}^{\lambda }$, and the prover responds to the challenge. Finally, the verifier checks the transcript of the interaction and decides whether the proof should be accepted or rejected.

We will, in our instantiation, use NIZK proofs in the random oracle model obtained by applying the Fiat–Shamir transformation [51] to interactive $\mathrm{\Sigma }$-protocols. A $\mathrm{\Sigma }$-protocol is developed for a relation $\mathcal{R}$ with respect to a tuple ($\mathrm{\Sigma }$.Setup, $\mathrm{\Sigma }$.Prove, $\mathrm{\Sigma }$.Verify), which is defined below.

• $\mathrm{\Sigma }.\mathsf{Setup}\left(1^{\lambda }\right)\to \mathsf{crs}$: On input of the security parameter $\lambda$, it outputs a common reference string crs.
• $\mathrm{\Sigma }.\mathsf{Prove}(\mathsf{crs},\theta ,w)\to m^{\prime }$: On input of the reference string crs, a statement $\theta$ and a witness w, it generates an initial message $m^{\prime }$.
• $\mathrm{\Sigma }.\mathsf{Verify}(\mathsf{crs},\theta ,m^{\prime },\mathsf{chal},z^{\prime })\to \{0,1\}$ on input of the reference string crs, a statement $\theta$, an initial message $m^{\prime }$, a random challenge $\mathsf{chal}$, and a response $z^{\prime }$, it verifies the proof and outputs either 1 for acceptance or 0 for rejection.

In addition to completeness, we require $\mathrm{\Sigma }$-protocols to possess two key properties: Special Honest Verifier Zero-Knowledge (SHVZK) and n-Special Soundness. [48]:

• SHVZK: Given any statement $\theta \in {\mathcal{L}}_{\mathcal{R}}$ and any verifier challenge $\mathsf{chal}$, it is possible to simulate a transcript of the protocol.
• n-Special Soundness: For any statement $\theta$, we can extract w, such that $(\theta ,w)\in \mathcal{R}$, from n accepting transcripts ${(m^{\prime },{\mathsf{chal}}_i,z_i^{\prime })}_{i=1}^n$ for $\theta \in {\mathcal{L}}_{\mathcal{R}}$ where the challenges ${\mathsf{chal}}_i$ are distinct.

2.5. Membership Proof

Groth and Kohlweiss [48] proposed a zero-knowledge proof called membership proof (or one-out-of-many proof). It is an efficient logarithmic-size zero-knowledge proof for a list of commitments having at least one commitment that opens to 0. Since it is not required for the prover to know openings of the other commitments, it is instantiated as a variant of the ring signature. We recall the required mathematical background and the sigma-protocol for the membership proof in Appendix A.

3. UC-Security on Verifiable Random Function

Micali, Rabin and Vadhan [36] proposed the notion of verifiable random function (VRF), and formalized the security properties. In general, VRF is a pseudorandom function with non-interactive proof of correctness of its output. In this section, we first recall the security definitions of VRF in Section 3.1. We then propose our UC model on VRF and the realization of Dodis–Yampolskiy’s VRF (DY-VRF) [43] in Section 3.2 and Section 3.3, followed with security proofs.

3.1. Typical Definitions of Verifiable Random Function

The interface of VRF defined in [36] is recalled below.

Definition 9

(Verifiable Random Function [36]). The verifiable random function is defined with the interface $\mathsf{VRF}=(\mathsf{VRF}.\mathsf{Setup},\mathsf{VRF}.\mathsf{KeyGen},\mathsf{VRF}.\mathsf{EvalProve},\mathsf{VRF}.\mathsf{Verify})$ such that

1. 

$\mathsf{VRF}.\mathsf{Setup}\left(1^{\lambda }\right)\to \mathsf{param}$: With the security parameter λ, it generates a list of system parameters param.

2. 

$\mathsf{VRF}.\mathsf{KeyGen}\left(\mathsf{param}\right)\to (\mathsf{vvk},\mathsf{vsk})$: On input of the system parameters param, it generates a key pair $(\mathsf{vvk},\mathsf{vsk})$.

3. 

$\mathsf{VRF}.\mathsf{EvalProve}(\mathsf{param},\mathsf{vsk},\alpha )\to (Q,W)$: On input, a signing key vsk and a value $\alpha \in {\{0,1\}}^{\alpha \left(\lambda \right)}$, it outputs a value $Q\in {\{0,1\}}^{Q\left(\lambda \right)}$ and a proof W. Denote $\alpha \left(\lambda \right)$ and $Q\left(\lambda \right)$ as polynomial bounded and efficiently computable functions in λ.

4. 

$\mathsf{VRF}.\mathsf{Verify}(\mathsf{param},\mathsf{vvk},\alpha ,Q,W)\to b$: On input a signing key vsk, a value α, a value Q, and a proof W, it outputs a bit $b\in \{0,1\}$.

Next, we recall that VRF follows properties including uniqueness, provability, and pseudorandomness from [36,43].

• Uniqueness. The property of uniqueness provides only one valid proof for each input.

Definition 10

(Uniqueness). For all $\lambda \in \mathbb{N}$ and $\alpha \in {\{0,1\}}^{\alpha \left(\lambda \right)}$, the VRF scheme achieves the property of uniqueness, if $\mathsf{param}\leftarrow \mathsf{VRF}.\mathsf{Setup}\left(1^{\lambda }\right)$, $(\mathsf{vvk},\mathsf{vsk})\leftarrow \mathsf{VRF}.\mathsf{KeyGen}\left(\mathsf{param}\right)$ and $(Q_1,W_1)\leftarrow \mathsf{VRF}.\mathsf{EvalProve}(\mathsf{param},\mathsf{vsk},\alpha )$, for any arbitrary value $Q_2\in {\{0,1\}}^{Q\left(\lambda \right)}$ and any arbitrary proof $W_2$ such that $Q_1\ne Q_2$ and $W_1\ne W_2$, it holds that

$$Pr[\mathsf{VRF}.\mathsf{Verify}(\mathsf{param},\mathsf{vvk},\alpha ,Q_2,W_2)=1]=\mathsf{negl}\left(\lambda \right),$$

where $\mathsf{negl}(·)$ is a negligible function.

• Provability. The property of provability ensures that outputs and proofs generated from consistent inputs will verify each other.

Definition 11

(Provability). For all $\lambda \in \mathbb{N}$ and $\alpha \in {\{0,1\}}^{\alpha \left(\lambda \right)}$, the VRF scheme achieves the property of provability, if $\mathsf{param}\leftarrow \mathsf{VRF}.\mathsf{Setup}\left(1^{\lambda }\right)$, $(\mathsf{vvk},\mathsf{vsk})\leftarrow \mathsf{VRF}.\mathsf{KeyGen}\left(\mathsf{param}\right)$ and $(Q,W)\leftarrow \mathsf{VRF}.\mathsf{EvalProve}(\mathsf{param},\mathsf{vsk},\alpha )$, it holds that

$$Pr[\mathsf{VRF}.\mathsf{Verify}(\mathsf{param},\mathsf{vvk},\alpha ,Q,W)=1]=1-\mathsf{negl}\left(\lambda \right),$$

where $\mathsf{negl}(·)$ is a negligible function.

• Pseudorandomness. The property of residual pseudorandomness ensures that the adversary cannot distinguish between outputs and random values.

Definition 12

(Pseudorandomness). We say that a VRF achieves the property of pseudorandomness if, for every PPT adversary $\mathcal{A}=({\mathcal{A}}_1,{\mathcal{A}}_2)$, it holds that $\mathcal{A}$ has a negligible advantage ${\mathbf{Adv}}_{\mathsf{ResPse}}^{\mathcal{A}}$ in the following experiment ${\mathbf{Exp}}_{\mathsf{ResPse}}^{\mathcal{A}}\left(1^{\lambda }\right)$:

1. 

Generate $\mathsf{param}\leftarrow \mathsf{VRF}.\mathsf{Setup}\left(1^{\lambda }\right)$.

2. 

Generate $(\mathsf{vvk},\mathsf{vsk})\leftarrow \mathsf{VRF}.\mathsf{KeyGen}\left(\mathsf{param}\right)$.

3. 

The experiment provides $1^{\lambda }$ and $\mathsf{vvk}$ to ${\mathcal{A}}_1$. The adversary ${\mathcal{A}}_1$ is allowed to run the oracle $\mathsf{VRF}.{\mathsf{EvalProve}}_{\mathsf{vsk}}$ for at most $s\left(\lambda \right)$ times (when the first input is $1^{\lambda }$), where $\mathsf{VRF}.{\mathsf{EvalProve}}_{\mathsf{vsk}}$ is the evaluation oracle with respect to $\mathsf{vsk}$.

4. 

${\mathcal{A}}_1$ outputs $({\alpha }^{\prime },\mathsf{state})$. The experiment generates $(r_1,·)=\mathsf{VRF}.\mathsf{EvalProve}(\mathsf{param},\mathsf{vsk},{\alpha }^{\prime })$ and $r_2={\{0,1\}}^{Q\left(\lambda \right)}$.

5. 

The experiment samples $b\leftarrow \{1,2\}$ and provides $(r_b,\mathsf{state})$ to ${\mathcal{A}}_2$.

6. 

${\mathcal{A}}_2$ outputs a guess $b^{\prime }\in \{1,2\}$. The experiment outputs 1 if $b^{\prime }=b$, ${\alpha }^{\prime }\in {\{0,1\}}^{\alpha \left(\lambda \right)}$, and α was not queried to $\mathsf{VRF}.{\mathsf{EvalProve}}_{\mathsf{vsk}}$ by $\mathcal{A}$. It outputs 0 otherwise.

The probability of $\mathcal{A}$ winning the game is in relation to its advantage as:

$${\mathbf{Adv}}_{\mathsf{ResPse}}^{\mathcal{A}}=|Pr[{\mathbf{Exp}}_{\mathsf{ResPse}}^{\mathcal{A}}\left(1^{\lambda }\right)=1]-1/2|.$$

3.2. Security Model of VRF in the UC Framework

In this subsection, we present our version of UC framework of VRF ${\mathcal{F}}_{\mathsf{VRF}}$ in Functionality 1. It follows the standard VRF security definition in [43], as recalled above. Our definition of the UC framework for VRF simultaneously captures the properties of uniqueness and provability. We will subsequently demonstrate that the ideal functionality ${\mathcal{F}}_{\mathsf{VRF}}$ is equivalent to satisfying the security model of pseudorandomness, as stated in Theorem 1. We assume that this ideal functionality operates under fixed system parameters, thereby streamlining the VRF.Setup functionality interface. This approach eliminates the need for repetitive checks on the rationality of system parameters in subsequent interfaces, enhancing the overall efficiency.

Functionality 1 (The Verifiable Random Function Functionality ${\mathcal{F}}_{\mathsf{VRF}}$). The functionality ${\mathcal{F}}_{\mathsf{VRF}}$ is parameterized with a security parameter λ and a tuple of system parameter param. Upon receiving $(\mathsf{VRF}.\mathsf{KeyGen},\mathsf{sid})$ from party ${\mathcal{P}}_i$: 1.  Send $(\mathsf{VRF}.\mathsf{KeyGen},\mathsf{sid},{\mathcal{P}}_i)$ to $\mathcal{S}$. 2.  Upon receiving $(\mathsf{sid},{\mathcal{P}}_i,\mathsf{vvk})$ from $\mathcal{S}$, verify that vvk is unique, record $({\mathcal{P}}_i,\mathsf{vvk})$ and return $(\mathrm{VRF-Key},\mathsf{sid},\mathsf{vvk})$. 3.  Initialize the table $\mathsf{Table}(\mathsf{vvk},·)$ to empty. Upon receiving $(\mathsf{VRF}.\mathsf{EvalProve},\mathsf{sid},\alpha )$ from party ${\mathcal{P}}_i$: 1.  Verify that some pair $({\mathcal{P}}_i,\mathsf{vvk})$ is recorded. If not, ignore the request. 2.  Else, send $(\mathsf{VRF}.\mathsf{EvalProve},\mathsf{sid},\alpha )$ to $\mathcal{S}$, and receive $(\mathrm{VRF-Evaluation},\mathsf{sid},\alpha ,W)$ from $\mathcal{S}$. 3.  If the value $\mathsf{Table}(\mathsf{vvk},\alpha )$ is undefined, verify that W is unique, pick a random $Q\in {\{0,1\}}^{Q\left(\lambda \right)}$, and set $\mathsf{Table}(\mathsf{vvk},\alpha )=(Q,W)$. Else, retrieve the record $\mathsf{Table}(\mathsf{vvk},\alpha )=(Q,W)$. In any case, output $(\mathrm{VRF-Evaluation},\mathsf{sid},Q,W)$. Upon receiving $(\mathsf{VRF}.\mathsf{Verify},\mathsf{sid},\alpha ,Q,W,{\mathsf{vvk}}^{\prime })$ from party ${\mathcal{P}}_i$: 1.  It sends $(\mathsf{VRF}.\mathsf{Verify},\mathsf{sid},\alpha ,Q,W,{\mathsf{vvk}}^{\prime })$ to $\mathcal{S}$. 2.  Upon receiving $(\mathrm{VRF.Verify},\mathsf{sid},\alpha ,Q,W,{\mathsf{vvk}}^{\prime })$ from $\mathcal{S}$, return $(\mathrm{VRF-Verification},\mathsf{sid},\alpha ,Q,W,b)$, where b is determined with the following conditions: (a)  If $\mathsf{vvk}={\mathsf{vvk}}^{\prime }$ for some record pair in form of $(·,\mathsf{vvk})$, and the entry $\mathsf{Table}(\mathsf{vvk},\alpha )$ equals $(Q,W)$, set $b=1$. (Unique Provability) (b)  Else, if $\mathsf{vvk}={\mathsf{vvk}}^{\prime }$ for some record pair in form of $(·,\mathsf{vvk})$, but no entry $\mathsf{Table}(\mathsf{vvk},\alpha )$ in form of $(Q,W)$ is recorded, set $b=0$. (Complete Provability) (c)  Else, initialize the table $\mathsf{Table}({\mathsf{vvk}}^{\prime },·)$ to empty, and set $b=0$.

Theorem 1.

If an arbitrary protocol ${\mathrm{\Pi }}^{\prime }$ can realize our ${\mathcal{F}}_{\mathsf{VRF}}$, then it is secure in the pseudorandomness property of a verifiable random function.

Proof. 

We first assume that ${\mathrm{\Pi }}^{\prime }$ does not satisfy the pseudorandomness property. Subsequently, we construct an environment $\mathcal{Z}$ such that for all simulators $\mathcal{S}$, it can distinguish the interaction with ${\mathrm{\Pi }}^{\prime }$ from the interaction with the ideal world adversary $\mathcal{S}$ and ${\mathcal{F}}_{\mathsf{VRF}}$.

• Pseudorandomness. If ${\mathrm{\Pi }}^{\prime }$ lacks pseudorandomness, a successful distinguisher D exists, which can break the pseudorandomness property of ${\mathrm{\Pi }}^{\prime }$, with a non-negligible advantage. The distinguisher D can be viewed as a signer within $\mathcal{Z}$. At first, $\mathcal{Z}$ invokes a party $\mathcal{P}$ with $(\mathsf{KeyGen},\mathsf{sid})$ and gives the returned verification key $\mathsf{vvk}$ to D. Subsequently, $\mathcal{Z}$ relays all messages communicated between the distinguisher D and the parties $\mathcal{P}$. The distinguisher D is also allowed to call the evaluation oracle for at most $s\left(\lambda \right)$ times. With calls from D with the value ${\alpha }^{\prime }$, $\mathcal{Z}$ activates $\mathcal{P}$ with $(\mathsf{VRF}.\mathsf{EvalProve},\mathsf{sid},{\alpha }^{\prime })$. Next, if $\mathcal{Z}$ obtains a valid response $(\mathrm{VRF-Evaluation},\mathsf{sid},r_1,·)$ from $\mathcal{P}$, $\mathcal{Z}$ samples $r_2\leftarrow {\{0,1\}}^{Q\left(\lambda \right)}$ and returns $r_b$ to D where $b\in \{1,2\}$. Finally, D returns $b^{\ast }$ as the guess of the random coin b chosen by $\mathcal{Z}$. Here, $\mathcal{Z}$ returns $b^{\ast }\stackrel{?}{=}b$.

Considering that D is a successful distinguisher for ${\mathrm{\Pi }}^{\prime }$ in the real world, D will then guess the coin b with a non-negligible advantage. However, in the ideal world, no matter how the simulator $\mathcal{S}$ is implemented, we observe that the bit b remains secure in $\mathcal{Z}$, and the ideal functionality ${\mathcal{F}}_{\mathsf{VRF}}$ does not communicate any information related to b to $\mathcal{S}$. It follows that the coins b are independent of D and $\mathcal{S}$, and even an unbounded D cannot guess such b with probability better than 1/2. It follows that there is a distinguisher between the real and the ideal worlds.

It is proven that ${\mathrm{\Pi }}^{\prime }$ holds the property of pseudorandomness, which contradicts the assumption. □

Remark 1.

The formulation of the UC functionality for VRF in Functionality 1 may hold independent interest. It is important to note that in this functionality we do not allow the adversary to generate any malicious keys. This limitation could be viewed as a weaker version of the UC functionality when considering a standalone VRF scheme. However, it aligns well with the security requirements of TRS. We will discuss this aspect in Section 6.1.

3.3. Realizing ${\mathcal{F}}_{\mathsf{VRF}}$ with Dodis-Yampolskiy VRF (DY-VRF)

In this work, we utilize the Dodis-Yampolskiy VRF (DY-VRF) within our TRS scheme. Dodis and Yampolskiy introduced this variant of VRF in [43], which operates on groups equipped with bilinear maps and is based on the q-DBDHI assumption [50]. The DY-VRF has been proven to achieve the properties of uniqueness, provability, and pseudorandomness. In this subsection, we revisit the construction of DY-VRF as detailed in Protocol 1 and demonstrate that it securely realizes the ideal functionality ${\mathcal{F}}_{\mathsf{VRF}}$ in Theorem 2.

Protocol 1 (Dodis-Yampolskiy VRF [43], ${\mathrm{\Pi }}_{\mathrm{DY-VRF}}$). $\mathsf{VRF}.\mathsf{Setup}\left(1^{\lambda }\right)$→$\mathsf{param}$: The setup algorithm constructs three cyclic groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, ${\mathbb{G}}_T$ of order p based on an bilinear-based elliptic curve with the bilinear pairing $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$. It samples random generators $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$. It outputs ${\mathsf{param}}_{\mathsf{VRF}}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,g_1,g_2)$. $\mathsf{VRF}.\mathsf{KeyGen}\left({\mathsf{param}}_{\mathsf{VRF}}\right)$: It samples $\mathsf{vsk}\in {\mathbb{Z}}_p$ and calculates $\mathsf{vvk}=g_1^{\mathsf{vsk}}$. It outputs $(\mathsf{vvk},\mathsf{vsk})$. $\mathsf{VRF}.\mathsf{EvalProve}({\mathsf{param}}_{\mathsf{VRF}},\mathsf{vsk},\alpha )$: It calculates $\delta ={\displaystyle \frac{1}{\mathsf{vsk}+\alpha }}$, $Q=\mathsf{e}{(g_1,g_2)}^{\delta }$ and the proof $W=g_2^{\delta }$. It outputs $(Q,W)$. $\mathsf{VRF}.\mathsf{Verify}({\mathsf{param}}_{\mathsf{VRF}},\mathsf{vvk},\alpha ,Q,W)$: If the inputs satisfy both $\mathsf{e}(g_1^{\alpha }·\mathsf{vvk},W)=\mathsf{e}(g_1,g_2)$ and $Q=\mathsf{e}(g_1,W)$, it outputs $b=1$, otherwise $b=0$.

Theorem 2.

Protocol 1 (${\mathrm{\Pi }}_{\mathrm{DY-VRF}}$) securely realizes ${\mathcal{F}}_{\mathsf{VRF}}$ under the q-co-DBDHI assumption.

Proof. 

We prove that an ideal simulator $\mathcal{S}$ can be constructed for any real-world adversary $\mathcal{A}$. It is indistinguishable between the ideal execution with $\mathcal{S}$ and ${\mathcal{F}}_{\mathsf{VRF}}$ and the real execution with $\mathcal{A}$ for all environments $\mathcal{Z}$.

We build a black-box simulation of $\mathcal{A}$ with simulator $\mathcal{S}$, relaying all communication between the simulated $\mathcal{A}$ and the environment $\mathcal{Z}$ and acting on behalf of the honest parties. Setup. We first describe the setup of the simulator $\mathcal{S}$. $\mathcal{S}$ receives the q-co-DBDHI tuple $(A_0,A_1,\dots ,A_q,B_0,B_1,\dots ,B_q,\mathrm{\Gamma })$ from the experiment, where $A_i={\left(g_1^{\prime }\right)}^{{\tau }^i}\in {\mathbb{G}}_1$ and $B_i={\left(g_2^{\prime }\right)}^{{\tau }^i}\in {\mathbb{G}}_2$ for $i\in [0,q]$, and some unknown $\tau \in {\mathbb{Z}}_p$. Note that $g_1^{\prime }\in {\mathbb{G}}_1$, $g_2^{\prime }\in {\mathbb{G}}_2$ and $\mathrm{\Gamma }\in {\mathbb{G}}_T$. Moreover, it samples $q_h$ distinct values $w_i,{\mathsf{issue}}_i\in {\mathbb{Z}}_p$ such that the sets ${\left\{w_i\right\}}_{i=1}^{q_h}$ and ${\left\{{\mathsf{issue}}_i\right\}}_{i=1}^{q_h}$ have no mutual values. To simulate the items related to the outputs, it defines:

• $f\left(z\right)={\prod }_{i=1}^{q_h}(z+w_i)={\sum }_{j=0}^{q_h}{c}_j·z^j$ for some coefficients $c_j\in {\mathbb{Z}}_p$,
• $f_i\left(z\right)={\displaystyle \frac{f\left(z\right)}{z+{\mathsf{issue}}_i}}={\sum }_{j=0}^{q_h-1}{d}_j·z^j$ for some coefficients $d_j\in {\mathbb{Z}}_p$.

However, $\mathcal{S}$ may be calculated. For each user in $i\in [1,q_h]$, the simulator can set $y=\tau -\mathsf{issue}$, for a value of issue different from ${\left\{{\mathsf{issue}}_i\right\}}_{i=1}^{q_h}$. Note that we do not know the exact value of y since $\tau$ is a secret. However, $\mathcal{S}$ may calculate $({\left(g_1^{\prime }\right)}^y,\dots ,{\left(g_1^{\prime }\right)}^{y^q},{\left(g_2^{\prime }\right)}^y,$$\dots ,{\left(g_2^{\prime }\right)}^{y^q})$ from $({\left(g_1^{\prime }\right)}^{\tau },\dots ,{\left(g_1^{\prime }\right)}^{{\tau }^q},{\left(g_2^{\prime }\right)}^{\tau },$$\dots ,{\left(g_2^{\prime }\right)}^{{\tau }^q})$ using the approach of [43] with the above polynomials.

For each $i\in [1,q_h]$, $\mathcal{S}$ is able to calculate the required values during the simulation. First, $\mathcal{S}$ may compute $g_{1,i}={\left(g_1^{\prime }\right)}^{f\left(y\right)}$ $={\prod }_{j=0}^{q_h}{\left(g_1^{\prime }\right)}^{y^j{c}_j}$ and $g_{2,i}={\left(g_2^{\prime }\right)}^{f\left(y\right)}$ $={\prod }_{j=0}^{q_h}{\left(g_2^{\prime }\right)}^{y^j{c}_j}$. With the above settings, $\mathcal{S}$ is able to compute $g_{1,i}^y={\prod }_{j=0}^{q_h}{\left({\left(g_1^{\prime }\right)}^{y^{j+1}}\right)}^{c_j}$. The simulator $\mathcal{S}$ then calculates $q_h$ instances of the following items using ${\lambda }_i\in {\mathbb{Z}}_p$ for $i\in [1,q_h]$:

• ${\mathsf{vvk}}_i={\left(g_{1,i}^y\right)}^{{\lambda }_i}$,
• $W_i={\left(g_2^{\prime }\right)}^{f_i\left(y\right)}={\prod }_{k=0}^{q_h-1}{\left(g_2^{\prime }\right)}^{y^k{d}_k}=g_{2,i}^{{\displaystyle \frac{1}{y+{\mathsf{issue}}_i}}}$, and
• $Q_i=\mathsf{e}(g_1^{\prime },W_i)$.

Simulation. We describe a simulator $\mathcal{S}$ that operates in the following manner.

• Upon receiving a message $(\mathsf{VRF}.\mathsf{KeyGen},\mathsf{sid},{\mathcal{P}}_i)$ from ${\mathcal{F}}_{\mathsf{VRF}}$, a new value $\mathsf{vsk}$ is randomly selected. $\mathcal{S}$ inserts $({\mathcal{P}}_i,{\mathsf{vvk}}_i)$ in the internal registry of keys, where ${\mathsf{vvk}}_i={\left(g_{1,i}^{y_i}\right)}^{{\lambda }_i}$. In the case that the key exists already, $\mathcal{S}$ returns fail and terminates. Otherwise, it returns $(\mathrm{TRS-Key},\mathsf{sid},{\mathcal{P}}_i,{\mathsf{vvk}}_i)$ to ${\mathcal{F}}_{\mathsf{VRF}}$.
• Upon receiving a message $(\mathsf{VRF}.\mathsf{EvalProve},\mathsf{sid},{\mathcal{P}}_i,\alpha )$ from ${\mathcal{F}}_{\mathsf{VRF}}$, $\mathcal{S}$ retrieves the verification key vvk of ${\mathcal{P}}_i$ and checks if $\alpha$ has been queried before. If $\alpha$ has been queried before, the value Q that corresponds to $\alpha$ in the Table for ${\mathsf{vvk}}_i$ is recovered. If $\alpha$ has not been queried before, $\mathcal{S}$ sets $Q=Q_i$ and $W=W_i$. Subsequently, the tuple $(Q,W)$ has been stored for future reference. Finally, $\mathcal{S}$ returns $(\mathrm{VRF-Evaluation},\mathsf{sid},Q,W)$ to ${\mathcal{F}}_{\mathsf{VRF}}$.
• Upon receiving $(\mathsf{VRF}.\mathsf{Verify},\mathsf{sid},\alpha ,Q,W,{\mathsf{vvk}}^{\prime })$ from ${\mathcal{F}}_{\mathsf{VRF}}$, check if the record $(Q,W)$ exists to obtain a bit b. We set $b=1$ when the record exists; otherwise, $b=0$. It returns $(\mathsf{verification},\mathsf{sid},\alpha ,Q,$$W,b)$ to ${\mathcal{F}}_{\mathsf{VRF}}$.

This gives a full description of the ideal-model simulator. Note that in the black-box simulation, we use fake values (the value of $\delta$), we claim that the differences are undetectable for the environment $\mathcal{Z}$. This is proven through a sequence of games transforming an execution in the ideal-model scenario into one which is equal to the one of the actual protocol.

• Experiment ${\mathsf{Game}}_0$ describes the original attack of $\mathcal{Z}$ on the ideal-model simulation (including the black-box simulation of $\mathcal{A}$).
• In ${\mathsf{Game}}_1$, the simulator changes the computation of Q and W to $Q=\mathsf{e}{(g_1,g_2)}^{\delta }$ and $W=g_2^{\delta }$, where $\delta ={\displaystyle \frac{1}{\mathsf{vsk}+\alpha }}$. Because of the q-co-DBDHI assumption, $\mathcal{Z}$’s output behavior will not change with a non-negligible probability when facing ${\mathsf{Game}}_1$ instead of ${\mathsf{Game}}_0$.

All the steps in the final game now are exactly as in an attack on the real protocol with adversary $\mathcal{A}$, with the restriction that only $q_h$ queries could be made. Therefore, the environment’s output in the ideal-model simulation (${\mathsf{Game}}_0$) and the real-world execution (${\mathsf{Game}}_1$) are indistinguishable. □

4. Traceable Ring Signature and Its UC Functionality

In this section, we first recall the definition and security model for TRS in Section 4.1. Our design of the UC functionality of TRS is presented in Section 4.2.

4.1. Definitions

Fujisaki and Suzuki [3] introduced the concept of TRS and formalized its security properties. In this section, we will revisit the formal definitions established in their work, following the framework refined by Thanh Khuc et al. [9].

Definition 13

(Traceable Ring signature $\mathsf{TRS}$). The traceable ring signature is defined with the interface $\mathsf{TRS}=(\mathsf{TRS}.\mathsf{Setup},\mathsf{TRS}.\mathsf{KeyGen},\mathsf{TRS}.\mathsf{Sign},\mathsf{TRS}.\mathsf{Verify},\mathsf{TRS}.\mathsf{Trace})$ such that

1. 

$\mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$→$\mathsf{param}$: With the security parameter λ, it generates a list of system parameters param.

2. 

$\mathsf{TRS}.\mathsf{KeyGen}\left(\mathsf{param}\right)\to (\mathsf{vk},\mathsf{sk})$: On input of the system parameter param, it generates a key pair $(\mathsf{vk},\mathsf{sk})$.

3. 

$\mathsf{TRS}.\mathsf{Sign}(\mathsf{param},\mathsf{sk},T,m)\to \sigma$: On input a signing key sk, a tag $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$ and a message $m\in {\{0,1\}}^{\ast }$, it generates a signature σ.

4. 

$\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m,\sigma )\to f$: On input a tag $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, a signature σ and a message $m\in {\{0,1\}}^{\ast }$, it outputs a bit $f\in \{0,1\}$.

5. 

$\mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m_1,{\sigma }_1,m_2,{\sigma }_1)\to h$: On input a tag $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, and any message-signature pairs $(m_1,{\sigma }_1)$ and $(m_2,{\sigma }_2)$, it outputs $h\in \{\mathsf{Accept},\mathsf{Reject},\mathsf{Linked},$${\mathsf{vk}}_i\}$.

We first recall that TRS follows properties including correctness and public traceability.

• Correctness. Correctness ensures that a signature generated by honest users will be accepted by the verification algorithm with an overwhelming probability.

Definition 14

(Correctness). For all $\lambda \in \mathbb{N}$ and all $n\in \mathsf{poly}\left(\lambda \right)$, all $i\in \left[n\right]$, all $m\in {\{0,1\}}^{\ast }$, the TRS scheme is correct, if $\mathsf{param}\leftarrow \mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$, $({\mathsf{sk}}_i,{\mathsf{vk}}_i)\leftarrow \mathsf{TRS}.\mathsf{KeyGen}\left(\mathsf{param}\right)$, and $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$ for some issue, $\sigma \leftarrow \mathsf{TRS}.\mathsf{Sign}(\mathsf{param},\mathsf{sk},T,m)$, and it holds that

$$Pr[\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m,\sigma )=1]=1-\mathsf{negl}\left(\lambda \right),$$

where $\mathsf{negl}(·)$ is a negligible function.

• Public Traceability. The property of public traceability ensures that anyone can examine any two message-signature pairs along with their associated tags using the Trace algorithm. This algorithm allows for two signatures to be linked if they are signed by the same origin on the same message and bear the same tag. Conversely, the signatures can be traced if they originate from the same signer on distinct messages while still sharing the same tag.

The motivation of this property is to establish a message–tag–bound form of linkability that achieves a balance between anonymity and accountability. If the signer reuses only the tag, the resulting signatures become publicly linkable. Conversely, if the signer reuses both the tag and the message, the signer’s public key becomes publicly traceable. This straightforward deterrent discourages the malicious practice of issuing contradictory statements under anonymity, since equivocation becomes traceable. Furthermore, this property does not require a trusted tracing authority, a secret key, or an interactive protocol, thereby reducing the requisite trust assumptions and operational overhead relative to traditional group signature opening mechanisms.

Definition 15

(Public Traceability). For all $\lambda \in \mathbb{N}$, all $n\in \mathsf{poly}\left(\lambda \right)$, all $i\in \left[n\right]$, all issue, and all $m_1,m_2\in {\{0,1\}}^{\ast }$, the TRS scheme is public traceable, if $\mathsf{param}\leftarrow \mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$, $({\mathsf{sk}}_i,{\mathsf{vk}}_i)\leftarrow \mathsf{TRS}.\mathsf{KeyGen}\left(\mathsf{param}\right)$, and $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, ${\sigma }_1\leftarrow \mathsf{TRS}.\mathsf{Sign}(\mathsf{param},{\mathsf{sk}}_i,T,m_1)$ and ${\sigma }_2\leftarrow \mathsf{TRS}.\mathsf{Sign}(\mathsf{param},{\mathsf{sk}}_j,T,m_2)$, it holds that:

1. 

If $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m_1,{\sigma }_1)=1$ and $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m_2,{\sigma }_2)=1$,

$$\begin{array}{c}\hfill \mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m_1,{\sigma }_1,m_2,{\sigma }_2)=\{\begin{array}{ccc}\mathsf{Accept}\hfill & elseif& i\ne j,\hfill \\ \mathsf{Linked}\hfill & elseif& m_1=m_2,\hfill \\ {\mathsf{vk}}_i\hfill & elseif& m_1\ne m_2,\hfill \end{array}\end{array}$$

2. 

Otherwise (if at least one of the input message–signature pairs cannot pass TRS.Verify),

$$\begin{array}{c}\hfill \mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m_1,{\sigma }_1,m_2,{\sigma }_2)=\mathsf{Reject},\end{array}$$

with overwhelming probability.

Next, we will revisit the formal definitions of the security requirements for TRS, which include exculpability, anonymity, and tag-traceability.

• Exculpability. The property of exculpability ensures that an honest ring user cannot be held accountable for signing the same tag more than once. Specifically, it guarantees that an adversary cannot generate a signature that would reveal the identity of the target signer when combined with a signature produced by that user using a publicly traceable algorithm. In the exculpability experiment, all user keys are generated internally within the experiment. Subsequently, the adversary may acquire knowledge of certain users’ secrets. However, the adversary is explicitly prohibited from adding their own key to the user’s ring.

Definition 16

(Exculpability). For every PPT adversary $\mathcal{A}$, we say that a TRS is exculpable if ${\mathbf{Adv}}_{\mathsf{Excu}}^{\mathcal{A}}$ is a negligible advantage in the following experiment ${\mathbf{Exp}}_{\mathsf{Excu}}^{\mathcal{A}}\left(1^{\lambda }\right)$:

1. 

Generate $\mathsf{param}\leftarrow \mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$.

2. 

For all $i=1,\dots ,n$, by using random coins $r_i$, generate $({\mathsf{vk}}_i,{\mathsf{sk}}_i)\leftarrow \mathsf{TRS}.\mathsf{KeyGen}(\mathsf{param},r_i)$. The experiment sets $R=({\mathsf{vk}}_i,{\mathsf{sk}}_i)$.

3. 

A public key $\mathsf{vk}\in R$ is chosen and provided to the experiment by the adversary.

4. 

Except for a random coin used to generate the pair of keys $(\mathsf{vk},\mathsf{sk})$, the experiment provides all other random coins to the adversary $\mathcal{A}$.

5. 

$\mathcal{A}$ is able to access the signing oracle $\mathsf{TRS}.{\mathsf{Sign}}_{\mathsf{sk}}$ with respect to param and sk to query signing any $(T,\widehat{m})$, where $T=(R,\mathsf{issue})$. Denote the output signature by $\widehat{\sigma }$.

6. 

In the end, $\mathcal{A}$ outputs two pairs of message–signature pairs $(T,m,\sigma )$ and $(T,m^{\prime },{\sigma }^{\prime })$, where $T=(R,\mathsf{issue})$ and $\mathsf{vk}\in R$.

7. 

The experiment outputs 1 if the following conditions hold:

(a) 

$\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m,\sigma )=1$ and $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m^{\prime },{\sigma }^{\prime })=1$,

(b) 

$\mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m,\sigma ,m^{\prime },{\sigma }^{\prime })=\mathsf{vk}$.

(c) 

At least of $(T,m,\sigma )$ and $(T,m^{\prime },{\sigma }^{\prime })$ are not linked to any $(T,\widehat{m},\widehat{\sigma })$ in the query / answer list between $\mathcal{A}$ and $\mathsf{TRS}.{\mathsf{Sign}}_{\mathsf{sk}}$.

Otherwise, the experiment outputs 0.

The probability of $\mathcal{A}$ winning the game is in relation to its advantage as:

$${\mathbf{Adv}}_{\mathsf{Excu}}^{\mathcal{A}}=Pr[{\mathbf{Exp}}_{\mathsf{Excu}}^{\mathcal{A}}\left(1^{\lambda }\right)=1].$$

• Anonymity. The property of anonymity guarantees that a signer’s identity remains indistinguishable from that of any potential ring member, provided that the signer does not sign two different messages associated with the same tag. Moreover, signatures generated under distinct tags are unlinkable, ensuring that it is impossible to ascertain whether they were produced by the same signer. In the anonymity experiment, the adversary is constrained to querying the signing oracle for each tag T only once per message.

Definition 17

(Anonymity). For every PPT adversary $\mathcal{A}$, we say that a TRS is anonymous if ${\mathbf{Adv}}_{\mathsf{Anon}}^{\mathcal{A}}$ is a negligible advantage in the following experiment ${\mathbf{Exp}}_{\mathsf{Anon}}^{\mathcal{A}}\left(1^{\lambda }\right)$:

1. 

Generate $\mathsf{param}\leftarrow \mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$.

2. 

For all $i=0,1$, generate $({\mathsf{vk}}_i,{\mathsf{sk}}_i)\leftarrow \mathsf{TRS}.\mathsf{KeyGen}\left(\mathsf{param}\right)$.

3. 

Sample $b\leftarrow \{0,1\}$.

4. 

A public key $\mathsf{vk}\in R$ is chosen and provided to the experiment by the adversary.

5. 

The experiment provides ${\mathsf{vk}}_0$ and ${\mathsf{vk}}_1$ to $\mathcal{A}$, and $\mathcal{A}$ is able to append new keys to the global public key list R. The experiment requires both ${\mathsf{vk}}_0$ and ${\mathsf{vk}}_1$ must be collected in R. Moreover, $\mathcal{A}$ can access three signing oracles $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_b}$, $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_0}$ and $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_1}$, where

• $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_b}$ is challenge signing oracle with respect to ${\mathsf{sk}}_b$ for signing $(T,m)$. The experiment requires if $(T,m)$ and $(T^{\prime },m^{\prime })$ are two queries of $\mathcal{A}$ to the challenge signing oracle $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_b}$ then $T^{\prime }\ne T$.
• $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_0}$ (resp. $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_1}$ ) is the signing oracle with respect to ${\mathsf{sk}}_1$ (resp. ${\mathsf{sk}}_0$) for signing $(T,m)$. The experiment requires if $(T,m$) is a query of $\mathcal{A}$ to $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_b}$ and $(T^{\prime },m^{\prime })$ is a query of $\mathcal{A}$ to $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_0}$ or $\mathsf{TRS}.{\mathsf{Sign}}_{{\mathsf{sk}}_1}$ then $T^{\prime }\ne T$.

6. 

$\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$. The experiment outputs 1 if $b^{\prime }=b$. Otherwise, it outputs 0.

The probability of $\mathcal{A}$ winning the game is in relation to its advantage as:

$${\mathbf{Adv}}_{\mathsf{Anon}}^{\mathcal{A}}=|Pr[{\mathbf{Exp}}_{\mathsf{Anon}}^{\mathcal{A}}\left(1^{\lambda }\right)=1]-1/2|.$$

• Tag-linkability. The property of tag-linkability guarantees that every pair of signatures generated by the same signer for the same tag is linked. If any two signatures are not linked, the maximum number of signatures associated with the same tag cannot exceed the total number of members in that tag. In the tag-linkability experiment, all user keys are generated internally within the experiment. Subsequently, the adversary may acquire knowledge of certain users’ secrets. However, the adversary is explicitly prohibited from adding their own key to the user’s ring.

Definition 18

(Tag-linkability). For every PPT adversary $\mathcal{A}$, we say that a TRS is tag-linkable if ${\mathbf{Adv}}_{\mathsf{TagLink}}^{\mathcal{A}}$ is a negligible advantage in the following experiment ${\mathbf{Exp}}_{\mathsf{TagLink}}^{\mathcal{A}}\left(1^{\lambda }\right)$:

1. 

Generate $\mathsf{param}\leftarrow \mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$.

2. 

For all $i=1,\dots ,n$, generate $({\mathsf{vk}}_i,{\mathsf{sk}}_i)\leftarrow \mathsf{TRS}.\mathsf{KeyGen}(\mathsf{param},r_i)$ by using random coins $r_i$. The experiment sets $R=({\mathsf{vk}}_i,{\mathsf{sk}}_i)$.

3. 

To generate the keys to the adversary $\mathcal{A}$, the experiment provides all random coins $r_i$ for all $i=1,\dots ,n$.

4. 

Adversary outputs $T=(R,\mathsf{issue})$ and $(n+1)$ message-signature pairs, $(m_1,{\sigma }_1),\dots ,$$(m_{n+1},{\sigma }_{n+1})$.

5. 

The experiment outputs 1 if the following conditions hold:

(a) 

$\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m_i,{\sigma }_i)=1$, $\forall i\in [n+1]$.

(b) 

$\mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m_i,{\sigma }_i,m_j,{\sigma }_j)=\mathsf{Accept}$, $\forall i,j\in [n+1]$ s.t. $i\ne j$.

Otherwise, the experiment outputs 0.

The probability of $\mathcal{A}$ winning the game is in relation to its advantage as:

$${\mathbf{Adv}}_{\mathsf{TagLink}}^{\mathcal{A}}=Pr[{\mathbf{Exp}}_{\mathsf{TagLink}}^{\mathcal{A}}\left(1^{\lambda }\right)=1].$$

If a traceable ring signature is tag-linkable and exculpable, it is unforgeable ([3], Theorem 2.6).

4.2. Security Model of TRS in the UC Framework

Considering the UC security model, we present the functionality ${\mathcal{F}}_{\mathsf{TRS}}$ of TRS in Functionality 2. We first introduce our definition of TRS within the UC framework, which captures both the properties of correctness and public traceability. Subsequently, we will prove that ${\mathcal{F}}_{\mathsf{TRS}}$ is equivalent to satisfy the security requirements of exculpability, anonymity, and tag-linkability, as stated in Theorem 3. We assume that this ideal functionality operates under fixed system parameters, which simplifies the TRS.Setup functionality interface.

In contrast to conventional ring signatures and linkable ring signatures, the TRS model does not adhere to the typical unforgeability requirement [3]. Instead, the security models of exculpability and tag-linkability inherently imply unforgeability, as shown in ([3], Theorem 2.6). Based on the security experiments outlined in Section 4.1, an adversary aiming to compromise exculpability and tag-linkability would need to produce two and $n+1$ message–signature pairs, respectively. All signatures generated by the adversary must successfully pass the signature verification algorithm and satisfy additional criteria to undermine the security framework. Thus, the signature verification component addresses only a subset of the security requirements associated with exculpability and tag-linkability, as indicated in Step 1(c) of the signature verification component of ${\mathcal{F}}_{\mathsf{TRS}}$.

Functionality 2 (The ideal traceable ring signature functionality ${\mathcal{F}}_{\mathsf{TRS}}$). The functionality ${\mathcal{F}}_{\mathsf{TRS}}$ is parameterized with a tuple of system parameter param. It interacts with n parties ${\mathcal{P}}_1,\dots ,{\mathcal{P}}_n$ (the signatories), and a simulator $\mathcal{S}$. Moreover, it initializes an empty set $L_{\mathcal{P}}$. Denote $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, where ${\mathsf{vk}}_i$ is the verification key of ${\mathcal{P}}_i$ and an arbitrary issue. Key Generation.  Upon receiving $(\mathsf{TRS}.\mathsf{KeyGen},\mathsf{sid})$ from a party ${\mathcal{P}}_i$: 1.  If the record of $({\mathcal{P}}_i,{\mathsf{vk}}_i)$ exists in memory, send $(\mathrm{TRS-Key},\mathsf{sid},{\mathsf{vk}}_i)$ to ${\mathcal{P}}_i$ and nothing is recorded. 2.  Otherwise, send $(\mathsf{TRS}.\mathsf{KeyGen},\mathsf{sid},{\mathcal{P}}_i)$ to $\mathcal{S}$. After $\mathcal{S}$ responses $(\mathrm{TRS-Key},\mathsf{sid},{\mathcal{P}}_i,{\mathsf{vk}}_i)$, send $(\mathrm{TRS-Key},\mathsf{sid},{\mathsf{vk}}_i)$ to ${\mathcal{P}}_i$. After that, record $({\mathcal{P}}_i,{\mathsf{vk}}_i)$ and update $L_{\mathcal{P}}=L_{\mathcal{P}}\cup \left\{{\mathsf{vk}}_i\right\}$. Signature Generation.  Upon receiving $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m,{\mathsf{vk}}_i)$ from a party ${\mathcal{P}}_i$: 1.  Send $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m,{\mathsf{vk}}_i,{\mathcal{P}}_i)$ to $\mathcal{S}$, and receive the response $(\mathrm{TRS-Signature},\mathsf{sid},T,m,{\mathsf{vk}}_i,{\mathcal{P}}_i)$ from $\mathcal{S}$. 2.  If ${\mathcal{P}}_i$ is not compromised, and either the ring R is incorrectly formed or ${\mathsf{vk}}_i\notin L_{\mathcal{P}}$, output an error message to ${\mathcal{P}}_i$. Otherwise, check if there is a record $(T,m,\sigma ,{\mathsf{vk}}_i,0)$ in memory. If found, output an error message to ${\mathcal{P}}_i$. Otherwise, record $(T,m,\sigma ,{\mathsf{vk}}_i,1)$ and return $(\mathrm{TRS-Signature},\mathsf{sid},T,m,\sigma ,{\mathsf{vk}}_i)$ to ${\mathcal{P}}_i$, Signature Verification.  Upon receiving $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m,\sigma )$: 1.  Send $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m,\sigma )$ to $\mathcal{S}$. Upon receiving $(\mathrm{TRS.Verify},\mathsf{sid},T,m,\sigma ,f^{\prime })$, return $(\mathrm{TRS-Verification},\mathsf{sid},T,m,\sigma ,f)$, where f is determined with the following conditions: (a)  If R is well formed and the record of $(T,m,\sigma ,1)$ exists in memory, set $f=1$. (Correctness) (b)  Otherwise, if R is well formed and the record of $(T,m,\sigma ,1)$ does not exist in memory, set $f=0$. (This condition contributes to partial requirement of both  Exculpability  and  Tag-linkability.) (c)  Otherwise, if the record of $(T,m,\sigma ,g)$ exists in memory, set $f=g$. (Consistency) (d)  Otherwise, set $f=f^{\prime }$. Trace.  Upon receiving $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2)$: 1.  Run signature verification on $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m_1,{\sigma }_1)$ and $(\mathsf{Verify},\mathsf{sid},T,m_2,{\sigma }_2)$. Upon receiving $(\mathrm{TRS-Verification},\mathsf{sid},T,m_1,{\sigma }_1,f_1^{\prime })$ and $(\mathrm{TRS-Verification},\mathsf{sid},T,m_2,{\sigma }_2,f_2^{\prime })$, check the values of $f_1^{\prime }$ and $f_2^{\prime }$. If at least one of the value of $f_1^{\prime }$ and $f_2^{\prime }$ is 0, return $(\mathrm{TRS-Traced},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2,\mathsf{Reject})$. (Public Traceability  (1)) 2.  Otherwise, send $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2)$ to $\mathcal{S}$. Upon receiving $(\mathrm{TRS-Traced},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2,h^{\prime })$ from $\mathcal{S}$, return $(\mathrm{TRS-Traced},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2,h)$, where h is determined with the following conditions: (a)  If the record $(T,m_1,{\sigma }_1,v_1,1)$ and $(T,m_2,{\sigma }_2,v_2,1)$ exist in memory, where $v_1\ne v_2$, set $h=\mathsf{Accept}$. (Public Traceability  (2)) (b)  If the record of $(T,m_1,{\sigma }_1,v_1,1)$ and $(T,m_2,{\sigma }_2,v_2,1)$ exists in memory, where $v_1=v_2$ and $m_1=m_2$, set $h=\mathsf{Linked}$. (Public Traceability  (3)) (c)  If the record of $(T,m_1,{\sigma }_1,v_1,1)$ and $(T,m_2,{\sigma }_2,v_2,1)$ exists in memory, where $v_1=v_2$ and $m_1\ne m_2$, set $h=v_1$. (Public Traceability  (4)) (d)  Otherwise, set $h=h^{\prime }$.

Theorem 3.

If an arbitrary protocol ${\mathrm{\Pi }}^{\prime \prime }$ can realize our ${\mathcal{F}}_{\mathsf{TRS}}$, then it is secure in the tag-linkability, exculpability and anonymity models of traceable ring signatures.

Proof. 

We first assume that ${\mathrm{\Pi }}^{\prime \prime }$ does not satisfy any one of the traceable ring signature security models. Subsequently, we construct an environment $\mathcal{Z}$ such that for all simulators $\mathcal{S}$, it can distinguish the interaction with ${\mathrm{\Pi }}^{\prime \prime }$ from the interaction with the ideal world adversary $\mathcal{S}$ and ${\mathcal{F}}_{\mathsf{VRF}}$.

• Tag-linkability. First, if ${\mathrm{\Pi }}^{\prime \prime }$ lacks tag-linkability, a successful forger $F_1$ exists, which can break the tag-linkability property of ${\mathrm{\Pi }}^{\prime \prime }$, with a non-negligible advantage. The environment $\mathcal{Z}$ internally runs an instance of $F_1$. $\mathcal{Z}$ invokes parties ${\mathcal{P}}_i$, where $i\in [1,\dots ,n]$, with $(\mathsf{TRS}.\mathsf{KeyGen},\mathsf{sid})$, and gives the returned verification key ${\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]}$ to $F_1$. When $\mathcal{Z}$ receives a signature query $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m_i,{\mathsf{vk}}_i)$ from the forger $F_1$, where $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, $\mathcal{Z}$ activates each ${\mathcal{P}}_i$ to obtain the signature results and forwards it to $F_1$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_1$ to count the number of $(\mathrm{TRS-Signature},\mathsf{sid},T,m_i,{\sigma }_i,{\mathsf{vk}}_i)$ received from the party ${\mathcal{P}}_i$. When the simulated $F_1$ outputs $n+1$ forged message–signature pairs, $\mathcal{Z}$ runs $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},m_i,{\sigma }_i,{\mathsf{vk}}_i)$, where $i=1,\dots ,n+1$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_2$ to count the number of 1’s from the verification process. If $\mathcal{Z}$ finds that ${\mathsf{cnt}}_2\le {\mathsf{cnt}}_1$ it returns 0, it returns 1 otherwise. Moreover, $\mathcal{Z}$ runs $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},m_i,{\sigma }_i,m_j,{\sigma }_j)$, where $i,j=1,\dots ,n+1$ and $i\ne j$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_3$ to count the number of Accept received from the party ${\mathcal{P}}_i$. If $\mathcal{Z}$ finds that $n(n+1)\le {\mathsf{cnt}}_3$ it returns 0 otherwise it returns 1.

In the real world, because $F_1$ is a successful forger, with a non-negligible probability, $\mathcal{Z}$ will observe ${\mathsf{cnt}}_2=n+1$, ${\mathsf{cnt}}_1\le n$, and ${\mathsf{cnt}}_3=n(n+1)$. It follows that when $\mathcal{Z}$ operates in the real world, it returns 1 with a non-negligible probability.

In the ideal world, when a verifier receives $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m_i,{\sigma }_i)$ in the verification stage and $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},m_i,{\sigma }_i,m_j,{\sigma }_j)$ in the trace stage, he will forward such messages to ${\mathcal{F}}_{\mathsf{TRS}}$, and ${\mathcal{F}}_{\mathsf{TRS}}$ will check if the message–signature pair is a forgery using the information he possesses. Based on the definition of ${\mathcal{F}}_{\mathsf{TRS}}$, ${\mathsf{cnt}}_2$ is equal to the number of records with $(T,·,·,{\mathsf{vk}}^{\ast },1)$. By the definition of the signature generation stage, it is equal to the total number of $(\mathrm{TRS-Signature},\mathsf{sid},·,·,·)$ messages obtained from the party $\mathcal{P}$. Hence, we have ${\mathsf{cnt}}_2={\mathsf{cnt}}_1$, and $\mathcal{Z}$ always returns 0 in the ideal world for the verification stage. Therefore, there is a distinguisher between the real and the ideal world for any implementation of $\mathcal{S}$.

• Exculpability. Second, if ${\mathrm{\Pi }}^{\prime \prime }$ lacks exculpability, a successful forger $F_2$ exists, which can break the exculpability property of ${\mathrm{\Pi }}^{\prime \prime }$, with a non-negligible advantage. The environment $\mathcal{Z}$ internally runs an instance of $F_2$. $\mathcal{Z}$ invokes parties ${\mathcal{P}}_i$, where $i\in [1,\dots ,n]$, with $(\mathsf{TRS}.\mathsf{KeyGen},\mathsf{sid})$, and gives the returned verification key ${\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]}$ to $F_2$. The forger $F_2$ is allowed to call signature queries $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m_i,\mathsf{vk})$, where $T=(R={\left\{{\mathsf{vk}}_i\right\}}_{\left[n\right]},\mathsf{issue})$, for multiple times for a fixed verification key $\mathsf{vk}\in R$ selected by itself. When $\mathcal{Z}$ receives a signature query $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m_i,\mathsf{vk})$ from the forger $F_2$, $\mathcal{Z}$ activates the party $\mathcal{P}$ who owns $\mathsf{vk}$ to obtain the signature results and forwards it to $F_2$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_4$ to count the number of $(\mathrm{TRS-Signature},\mathsf{sid},T,·,·,\mathsf{vk})$ received from the party ${\mathcal{P}}_i$. When the simulated $F_2$ outputs two message-signature pairs $(T,m_1,{\sigma }_1)$ and $(T,m_2,{\sigma }_2)$, $\mathcal{Z}$ runs $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m_i,{\sigma }_i)$ for $i\in [1,2]$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_5$ to count the number of 1’s from the verification process. If $\mathcal{Z}$ finds that ${\mathsf{cnt}}_5<2$ it returns 0, continues otherwise. Next, $\mathcal{Z}$ runs $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2)$, $\mathsf{vk}$ should be traced from the trace stage and continues, it returns 0 otherwise. Finally, $\mathcal{Z}$ runs $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_1,{\sigma }_1,m_j,{\sigma }_j)$ and $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_2,{\sigma }_2,m_j,{\sigma }_j)$, where j are the indices of the total number of signature queries, except queries related to $(T,m_1,{\sigma }_1)$ and $(T,m_2,{\sigma }_2)$. $\mathcal{Z}$ uses ${\mathsf{cnt}}_6$ to count the number of Linked from the trace process. If $\mathcal{Z}$ finds that ${\mathsf{cnt}}_6>0$ it returns 0, otherwise returns 1.

In the real world, because $F_2$ is a successful forger, with a non-negligible probability, $\mathcal{Z}$ will observe that ${\mathsf{cnt}}_4\le n$. And, ${\sigma }_1$ and ${\sigma }_2$ could be verified successfully, i.e., ${\mathsf{cnt}}_5=2$. Moreover, $\mathsf{vk}$ will be traced from the trace stage, and at least one of the message-signature pairs from $F_2$ is not linked to any other message-signature pair in the query list, i.e., ${\mathsf{cnt}}_6=0$. It follows that when $\mathcal{Z}$ operates in the real world, it returns 1 with a non-negligible probability.

In the ideal world, when a verifier receives $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m_i,{\sigma }_i)$ for $i\in [1,2]$ in the verification stage, he will forward such messages to ${\mathcal{F}}_{\mathsf{TRS}}$, and ${\mathcal{F}}_{\mathsf{TRS}}$ will check if the message-signature pair is a forgery using the information he possesses. Based on the definition of ${\mathcal{F}}_{\mathsf{TRS}}$, ${\mathsf{cnt}}_5$ is equal to the count of records with $(T,m_1,{\sigma }_1,\mathsf{vk},1)$ and $(T,m_2,{\sigma }_2,\mathsf{vk},1)$. Hence, we have ${\mathsf{cnt}}_5=1$, and $\mathcal{Z}$ always returns 0 in the ideal world for the verification stage. Therefore, there is a distinguisher between the real and the ideal world for any implementation of $\mathcal{S}$.

• Anonymity. Third, if ${\mathrm{\Pi }}^{\prime \prime }$ lacks anonymity, a successful distinguisher D exists, which can break the anonymity property of ${\mathrm{\Pi }}^{\prime \prime }$, with a non-negligible advantage. The distinguisher D can be viewed as a signer within $\mathcal{Z}$. At first, $\mathcal{Z}$ invokes the parties ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$ with $(\mathsf{TRS}.\mathsf{KeyGen},\mathsf{sid})$, and gives the returned verification key ${\mathsf{vk}}_1$ and ${\mathsf{vk}}_2$ to D. Subsequently, $\mathcal{Z}$ relays all messages communicated between the distinguisher D and the parties ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$. The distinguisher D is also allowed to call additional key generation queries as other parties ${\mathcal{P}}_j$, and to append new keys to the ring R, thus generating new tags. With calls from D, $\mathcal{Z}$ activates ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$ with $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T_b,m_b,{\mathsf{vk}}_b,{\mathcal{P}}_b)$ and $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T_{1-b},m_{1-b},{\mathsf{vk}}_{1-b},{\mathcal{P}}_{1-b})$, where b is a random bit chosen by $\mathcal{Z}$, and $T_b\ne T_{1-b}$. Next, if $\mathcal{Z}$ obtains two valid responses $(\mathrm{TRS-Signature},\mathsf{sid},T_b,m_b,{\sigma }_b,{\mathsf{vk}}_b),(\mathrm{TRS-Signature},\mathsf{sid},T_{1-b},m_{1-b},{\sigma }_{1-b},{\mathsf{vk}}_{1-b})$ from ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$, respectively, $\mathcal{Z}$ returns the two message–signature pairs $(m_0,{\sigma }_0)$ and $(m_1,{\sigma }_1)$ to D. Finally, D returns $b^{\ast }$ as the guess of the random coin b chosen by $\mathcal{Z}$. Here, $\mathcal{Z}$ returns $b^{\ast }\stackrel{?}{=}b$.

Consider that D is a successful distinguisher for ${\mathrm{\Pi }}^{\prime \prime }$ in the real world, D will guess the coin b with a non-negligible advantage. However, in the ideal world, no matter how the simulator $\mathcal{S}$ is implemented, we observe that the bit b remains secure in $\mathcal{Z}$, and the ideal functionality ${\mathcal{F}}_{\mathsf{TRS}}$ does not communicate any information related to b to $\mathcal{S}$. It follows that the coins b are independent of D and $\mathcal{S}$, and even an unbounded D cannot guess such b with probability better than 1/2. It follows that there is a distinguisher between the real and the ideal worlds.

It is proven that ${\mathrm{\Pi }}^{\prime \prime }$ holds the security of tag-linkability, exculpability and anonymity, which contradicts the assumption. □

5. A UC-Secure TRS Construction

In this section, we present the construction of our UC-secure TRS. We first define the functionalities of the building blocks involved in Section 5.1. Then, we present the construction of TRS in Section 5.2. Next, we propose and prove the actual protocol of the signature zero-knowledge (SPK) proof as the realization of the NIZK functionality in Section 5.3 as a building block of our TRS scheme. Finally, we present the security proof of our TRS scheme in Section 5.4.

5.1. Ideal Functionalities

• The Ideal UC Zero-Knowledge Functionality ${\mathcal{F}}_{\mathsf{ZK}}^{\mathcal{R}}$ for a binary relation $\mathcal{R}$. We provide the ideal zero-knowledge functionality ${\mathcal{F}}_{\mathsf{ZK}}$ in Functionality 3. Denote $\theta$ as the statement, w as the witness, $\pi$ as the proof, and $ϵ$ as an empty string. We follow the ideal functionality ([52], Section 5.2), which is defined by $\left(\right(\theta ,w),\theta )\to (ϵ,\mathcal{R}(\theta ,w\left)\right)$. Note that any zero-knowledge proof of knowledge fulfills the ${\mathcal{F}}_{\mathsf{ZK}}$ functionality [52], and the Fiat–Shamir paradigm [51] could be applied to switch the Sigma protocols to become non-interactive zero-knowledge (NIZK) in the random oracle model. As in [52], denote $\tilde{\ell }:{\{0,1\}}^{\ast }\to {\{0,1\}}^{\ast }$ as the information leakage function.

Functionality 3 (The Ideal UC Zero-Knowledge Functionality ${\mathcal{F}}_{\mathsf{ZK}}^{\mathcal{R}}$ for a binary relation $\mathcal{R}$). Wait for (1) an input message $(\mathsf{Prove},\theta ,w)$ from $\mathcal{P}$ such that $(\theta ,w)\in \mathcal{R}$, then send the message $(\mathsf{Prove},\tilde{\ell }\left(\theta \right))$ to $\mathcal{S}$; (2) an input message ready from $\mathcal{V}$ and send ready to $\mathcal{S}$. Wait for the message lock from $\mathcal{S}$. Wait for (1) a message $\mathsf{finish}$ from $\mathcal{S}$, then send the output message finish to $\mathcal{P}$; (2) a message proof from $\mathcal{S}$, then send the output message $(\mathsf{proof},\theta )$ to $\mathcal{V}$.

• Ideal UC NIZK Functionality ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$ for relation $\mathcal{R}$. We provide the ideal NIZK functionality ${\mathcal{F}}_{\mathsf{NIZK}}$ in Functionality 4 following ([53], Figure 3). Denote $\theta$ at the statement, w at the witness, $\pi$ at the proof. We further recall that [54] proved that simulation-extractability is necessary for UC security of NIZK.

Functionality 4 (The Ideal UC NIZK Functionality ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$ for a NP relation $\mathcal{R}$). Proof:  Upon receiving $(\mathsf{Prove},\mathsf{sid},\theta ,w)$ from the prover $\mathcal{P}$, it check if $\mathcal{R}(\theta ,w)=1$, halts if it is failed, continues otherwise. Then, it sends $(\mathsf{Prove},\mathcal{P},\mathsf{sid},\theta )$ to $\mathcal{S}$. Upon receiving $(\mathsf{proof},\mathsf{sid},\pi )$ from $\mathcal{S}$, record $(\mathsf{sid},\theta ,w,\pi )$ and send $(\mathsf{proof},\mathsf{sid},\pi )$ to $\mathcal{P}$. Verification:  Upon receiving $(\mathsf{Verify},\mathsf{sid},\theta ,\pi )$ from the verifier $\mathcal{V}$, it check if $(\mathsf{sid},\theta ,w,\pi )$ is stored, return $(\mathsf{verification},\mathsf{sid},\theta ,\pi ,\mathcal{R}(\theta ,w\left)\right)$ to $\mathcal{V}$ and records $(\mathsf{sid},\theta ,w,\pi )$. Else, send $(\mathsf{Verify},\mathcal{V},\mathsf{sid},\theta ,\pi )$ to $\mathcal{S}$. Upon receiving $(\mathsf{witness},\mathsf{sid},w)$ from $\mathcal{S}$, return $(\mathsf{verification},\mathsf{sid},\theta ,\pi ,\mathcal{R}(\theta ,w\left)\right)$ to $\mathcal{V}$ and store $(\mathsf{sid},\theta ,w,\pi )$.

• Ideal UC Commitment Functionality ${\mathcal{F}}_{\mathsf{Com}}$. We provide a simple ideal commitment functionality ${\mathcal{F}}_{\mathsf{Com}}$ in Functionality 5. The functionality is different from the multi-party version such as in [55], in which the functionality acts as a platform to transfer message. For the version of Functionality 5, it generally returns and records the commitments to the same party. Furthermore, it is evident that the Pedersen commitment scheme ${\mathrm{\Pi }}_{\mathsf{Ped}}$ defined in Definition 5 securely realizes ${\mathcal{F}}_{\mathsf{Com}}$ under the discrete logarithm (DLOG) assumption.

Functionality 5 (The Ideal UC Commitment Functionality ${\mathcal{F}}_{\mathsf{Com}}$). Upon receiving $(\mathsf{Commit},\mathsf{sid},\mathsf{ssid},a)$ from a party ${\mathcal{P}}_i$, where $a\in {\{0,1\}}^{\lambda }$, send the message $(\mathsf{Receipt},\mathsf{sid},\mathsf{ssid},{\mathcal{P}}_i,a,r)$ to $\mathcal{S}$, where $r\leftarrow {\{0,1\}}^{\lambda }$ is random. Upon receiving, $(\mathsf{Commited},\mathsf{sid},\mathsf{ssid},{\mathcal{P}}_i,a,r,a^{\prime })$ from $\mathcal{S}$, record $(\mathsf{sid},\mathsf{ssid},{\mathcal{P}}_i,a,r,a^{\prime })$, where $a^{\prime }$ is the commitment. Ignore any future Commit messages with the same ssid from ${\mathcal{P}}_i$.

5.2. Construction of TRS

In this subsection, we present the concrete construction of TRS in Protocol 2. In our construction, the tag is defined as $T=(R,\mathsf{issue})$, where R is the ring and $\mathsf{issue}$ is the unique identifier in ${\mathbb{Z}}_p$. The ring $R=\{{\mathsf{vk}}_0,\dots ,{\mathsf{vk}}_{n-1}\}$ consists of n public keys such that ${\left\{{\mathsf{vk}}_i\right\}}_{i=0}^{n-1}={\left\{(X_i,{\mathsf{vvk}}_i)\right\}}_{i=0}^{n-1}$, where $X_i=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;x_i)$, ${\mathsf{vvk}}_i=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;{\mathsf{vsk}}_i)$, and secret keys $x_i\in {\mathbb{Z}}_p$ and ${\mathsf{vsk}}_i\in {\mathbb{Z}}_p$ for $i\in [0,n-1]$. Moreover, $\ell \in [0,n-1]$ represents the index number of the public key of the signer in the ring R. For simplicity, we omit the session parameter sid. The formal proof will be presented in Theorem 5 in Section 5.4, after we present and prove the zero-knowledge proof building block in Section 5.3.

Our construction incorporates two values, $X_i$ and ${\mathsf{vvk}}_i$, as the public key vk of a ring member, while the membership proof in [48] considers only a single value. To address this issue, we broaden the scope of the membership proof by considering both the secret keys and the mathematical relationships among the elements in the signature tuple.

Protocol 2 (${\mathrm{\Pi }}_{\mathsf{TRS}}$, securely computing ${\mathcal{F}}_{\mathsf{TRS}}$ with ${\mathcal{F}}_{\mathsf{Com}}$, ${\mathcal{F}}_{\mathsf{VRF}}$ and ${\mathcal{F}}_{\mathsf{NIZK}}$). $\mathsf{TRS}.\mathsf{Setup}\left(1^{\lambda }\right)$: It calls $\mathsf{VRF}.\mathsf{Setup}\left(\mathsf{param}\right)$ and receives ${\mathsf{param}}_{\mathsf{VRF}}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,g_1,g_2)$, where ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ and = ${\mathbb{G}}_T$ are three cyclic groups of order p based on a bilinear-based elliptic curve with the bilinear pairing $\mathsf{e}:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$, and $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$ are random generators. Moreover, it defines an additional generator $h_1\in {\mathbb{G}}_1$, and hash functions ${\mathrm{H}}_1,{\mathrm{H}}_2:{\{0,1\}}^{\ast }\to {\mathbb{Z}}_p$. It outputs $\mathsf{param}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,g_1,h_1,g_2,{\mathrm{H}}_1,{\mathrm{H}}_2)$.$\mathsf{TRS}.\mathsf{KeyGen}\left(\mathsf{param}\right)$: The key generation algorithm generates the key pair using the key generation algorithm. It 1.  randomly chooses $x\leftarrow {\mathbb{Z}}_p$, calculates $X=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;x)=g_1^x$. 2.  calls $\mathsf{VRF}.\mathsf{KeyGen}\left({\mathsf{param}}_{\mathsf{VRF}}\right)$ and receives $(\mathsf{vvk},\mathsf{vsk})$, where ${\mathsf{param}}_{\mathsf{VRF}}=({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,p,g_1,g_2)$, $\mathsf{vvk}=g_1^{\mathsf{vsk}}$ and $\mathsf{vsk}\in {\mathbb{Z}}_p$. 3.  sets $\mathsf{vk}=(X,\mathsf{vvk})$ and $\mathsf{sk}=(x,\mathsf{vsk})$, outputs $(\mathsf{vk},\mathsf{sk})$. $\mathsf{TRS}.\mathsf{Sign}(\mathsf{param},\mathsf{sk},T,m)$: The signing algorithm generates a signature σ on a message m and the tag $T=(R,\mathsf{issue})$. In this algorithm, we denote that the public key of a signer by $\mathsf{vk}=(X,\mathsf{vvk})\in R$ with index ℓ, where $0\le \ell \le n-1$, such that $R=\{{\mathsf{vk}}_0,\dots ,{\mathsf{vk}}_{\ell -1},\mathsf{vk},{\mathsf{vk}}_{\ell +1},\dots ,{\mathsf{vk}}_{n-1}\}$ is the ring of the signers. Moreover, $\mathsf{issue}\in {\mathbb{Z}}_p$ is a unique identifier. The signer $\mathcal{P}$ 1.  calls $\mathsf{VRF}.\mathsf{EvalProve}({\mathsf{param}}_{\mathsf{VRF}},\mathsf{vvk},\mathsf{issue})$ and receives $(Q,W)$, where $Q=\mathsf{e}{(g_1,g_2)}^{\delta }$, $W=g_2^{\delta }$ and $\delta ={\displaystyle \frac{1}{\mathsf{vsk}+\mathsf{issue}}}$. 2.  computes $Z=g_1^{\delta }·X^c$, where $c={\mathrm{H}}_1(T,m,Q,W)$. 3.  sends $\mathsf{SPK}.\mathsf{Prove}(\mathsf{param},\mathsf{ck},(T,m,c,Z,Q,W),(\ell ,x,\mathsf{vsk}\left)\right)$ to ${\mathrm{\Pi }}_{\mathsf{SPK}}^{\mathcal{R}}$ (realization on ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$, will be introduced in Protocol 3 in Section 5.3) for the relation $\mathcal{R}$: $$\mathcal{R}=\left\{\begin{array}{c}\mathsf{param},\mathsf{ck},\hfill \\ \left(\right(T,m,c,Z,Q,W),\hfill \\ (\ell ,x,\mathsf{vsk}))\hfill \end{array}\right|\begin{array}{c}\forall i:X_i\in {\mathbb{G}}_1\wedge {\mathsf{vvk}}_i\in {\mathbb{G}}_1\wedge \ell \in \{0,\dots ,n-1\}\wedge \hfill \\ x\in {\mathbb{Z}}_p\wedge \mathsf{vsk}\in {\mathbb{Z}}_p\wedge \hfill \\ X=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;x)\wedge \mathsf{vvk}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;\mathsf{vsk})\wedge \hfill \\ \mathsf{e}(Z,g_2)=\mathsf{e}(g_1,W)·\mathsf{e}{(X_{\ell },g_2)}^c\wedge \hfill \\ \mathsf{e}({\mathsf{vvk}}_{\ell },W)·\mathsf{e}(g_1^{\mathsf{issue}},W)=\mathsf{e}(g_1,g_2)\hfill \end{array}\},$$ and receives π, where $\mathsf{ck}=({\mathbb{G}}_1,p,g_1,h_1)$. 4.  outputs $\sigma =(c,Z,Q,W,\pi )$ as the signature on $(T,m)$. $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m,\sigma )$: The verify algorithm verifies the input signature tuple $\sigma =(c,Z,Q,W,\pi )$ on $(T,m)$. It verifies π by calling $\mathsf{SPK}.\mathsf{Verify}(\mathsf{param},\mathsf{ck},(T,m,c,Z,Q,W),\pi )$ and checks if $Q=\mathsf{e}(g_1,W)$. It outputs 1 if the all verification passes, 0 otherwise.$\mathsf{TRS}.\mathsf{Trace}(\mathsf{param},T,m_1,{\sigma }_1,m_2,{\sigma }_2)$: It intakes the input of two signatures ${\sigma }_1=(c_1,Z_1,Q_1,W_1,{\pi }_1)$ and ${\sigma }_2=(c_2,Z_2,Q_2,W_2,{\pi }_2)$, for $T=(R,\mathsf{issue})$, where $R=\{{\mathsf{vk}}_0,\dots ,{\mathsf{vk}}_{n-1}\}$ and ${\left\{{\mathsf{vk}}_i\right\}}_{i=0}^{n-1}={\left\{(X_i,{\mathsf{vvk}}_i)\right\}}_{i=0}^{n-1}$. It computes the following items. 1.  If $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m_1,{\sigma }_1)=0$ or $\mathsf{TRS}.\mathsf{Verify}(\mathsf{param},T,m_2,{\sigma }_2)=0$, output $\mathsf{Reject}$. 2.  If $c^{\prime }=c$, output $\mathsf{Linked}$. 3.  If $(\overline{X},·)\in R$, where $\overline{X}={(Z_2/Z_1)}^{1/(c_2-c_1)}$, output $\overline{\mathsf{vk}}=(\overline{X},\overline{\mathsf{vvk}})$. 4.  Otherwise, it outputs $\mathsf{Accept}$.

5.3. Realizing ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$

In this subsection, we present a building block of our TRS scheme, which is the zero-knowledge proof in Protocol 3. After that, we will present the formal proof in Theorem 4. For the sake of clarity, we omit the session parameter sid.

This construction primarily follows the membership proof outlined in [48], with some additional elements tailored to fit ${\mathrm{\Pi }}_{\mathsf{TRS}}$. Without loss of generality, we assume that $n=2^N$, as per [48], which ensures that the size of the signature is $O(logn)$. In Protocol 3, we consider the relation $\mathcal{R}$ defined in Protocol 2.

We express i and ℓ as $i=i_1\left|\right|\dots \left|\right|i_N$ and $\ell ={\ell }_1\left|\right|\dots \left|\right|{\ell }_N$ in binary form, and define the Kronecker delta as ${\delta }_{i\ell }={\prod }_{j=1}^N{\delta }_{i_j{\ell }_j}$, where ${\delta }_{i\ell }=1$ when $i=\ell$ and otherwise ${\delta }_{i\ell }=0$ (see Definition A1). The rationale behind the this proof is to reformulate the values to be proven as ${\prod }_{i=1}^{n-1}{X}_i^{{\prod }_{j=1}^N{\delta }_{i_j{\ell }_j}}$ and ${\prod }_{i=1}^{n-1}{\mathsf{vvk}}_i^{{\prod }_{j=1}^N{\delta }_{i_j{\ell }_j}}$. These expressions serve as a commitment to 0.

Before the proof, the prover obtains the ring $R=\{{\mathsf{vk}}_0,\dots ,{\mathsf{vk}}_{n-1}\}$ such that ${\left\{{\mathsf{vk}}_i\right\}}_{i=0}^{n-1}={\left\{(X_i,{\mathsf{vvk}}_i)\right\}}_{i=0}^{n-1}$, where ${\left\{X_i\right\}}_{i=0}^{n-1}$ and ${\left\{{\mathsf{vvk}}_i\right\}}_{i=0}^{n-1}$ are Pedersen commitments.

In the sigma-protocols for ${\ell }_j\in \{0,1\}$, the prover reveals values $f_{1,1},\dots ,f_{1,N},f_{2,1},\dots ,$$f_{2,N}$ of the form $f_{1,j}=a_{1,j}+e·{\ell }_j$ and $f_{2,j}=a_{2,j}+e·{\ell }_j$. Let $f_{1,j,1}=f_{1,j}$, $f_{1,j,0}=e-f_{1,j}=-a_{1,j}+e·(1-{\ell }_j)=-a_{1,j}+{\delta }_{0{\ell }_j}·e$, $f_{2,j,1}=f_{2,j}$ and $f_{2,j,0}=e-f_{2,j}=-a_{2,j}+e·(1-{\ell }_j)=-a_{2,j}+{\delta }_{0{\ell }_j}·e$. For each i, we have the product ${\prod }_{j=1}^N{f}_{1,j,i_j}$ and ${\prod }_{j=1}^N{f}_{2,j,i_j}$. These products are polynomials of the form:

$$\begin{array}{cc}\hfill p_i\left(e\right)& =\prod _{j=1}^N({\delta }_{i_j{\ell }_j}·e)+\sum _{k=0}^{N-1}{p}_{i,k}·e^k={\delta }_{i\ell }{e}^N+\sum _{k=0}^{N-1}{p}_{i,k}{e}^k,\hfill \\ \hfill q_i\left(e\right)& =\prod _{j=1}^N({\delta }_{i_j{\ell }_j}·e)+\sum _{k=0}^{N-1}{q}_{i,k}·e^k={\delta }_{i\ell }{e}^N+\sum _{k=0}^{N-1}{q}_{i,k}{e}^k.\hfill \end{array}$$

In this work, we present our proof in a non-interactive approach. In the proof, the prover will send commitments ${\left\{R_{1,d_k}\right\}}_{k=1}^{N-1}$ and ${\left\{R_{2,d_k}\right\}}_{k=1}^{N-1}$ that are used to cancel out the low-order coefficients corresponding to $e^0,\dots ,e^{N-1}$. Meanwhile, the high-order coefficient for $e^N$ ensures that the commitment $X_{\ell }$ and ${\mathsf{vvk}}_{\ell }$ can be opened to 0. At the end, the verifier could check that

$$\begin{array}{c}\hfill \prod _{i=0}^{n-1}{X}_i^{{\prod }_{j=1}^N{f}_{1,j,i_j}}·\prod _{k=0}^{N-1}{R}_{1,d_k}^{-e^k}and\prod _{i=0}^{n-1}{\mathsf{vvk}}_i^{{\prod }_{j=1}^N{f}_{2,j,i_j}}·\prod _{k=0}^{N-1}{R}_{2,d_k}^{-e^k}\end{array}$$

are commitments to 0 in a non-interactive approach. Therefore, according to the Schwartz–Zippel Lemma (see Definition A3), this has a negligible probability of being true unless $X_{\ell }$ and ${\mathsf{vvk}}_{\ell }$ are indeed commitments to 0.

Moreover, we prove the mathematical relationship between values in the signature. This scheme randomly chooses additional parameters ${\left\{u_{1,k}\right\}}_{k=0}^{N-1},{\left\{u_{2,k}\right\}}_{k=0}^{N-1},v_1,v_2\in {\mathbb{Z}}_p$. It introduces the commitments with randomness involving ${\left\{{\rho }_{1,k}\right\}}_{k=0}^{N-1}$ and ${\left\{{\rho }_{2,k}\right\}}_{k=0}^{N-1}$. This approach maintains $(N+1)$-special soundness regarding the secret values of x and $\mathsf{vsk}$.

Protocol 3 (${\mathrm{\Pi }}_{\mathsf{SPK}}^{\mathcal{R}}$, securely computing ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$ on the relation $\mathcal{R}$ with ${\mathcal{F}}_{\mathsf{Com}}$). $\mathsf{SPK}.\mathsf{Prove}(\mathsf{param},\mathsf{ck},\theta ,w)$: It parses $\theta =(T,m,c,Z,Q,W)$ and $w=(\ell ,x,\mathsf{vsk})$. It computes the following items: 1.  For $j=1,\dots ,N$, the prover samples $r_{1,j},r_{2,j},a_{1,j},a_{2,j},s_{1,j},s_{2,j},t_{1,j},t_{2,j},{\rho }_{1,k},{\rho }_{2,k},$ $u_{1,k},u_{2,k},v_1,v_2\leftarrow {\mathbb{Z}}_p$, sets $k=j-1$, and computes $R_{1,{\ell }_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_j;r_{1,j})$, $R_{2,{\ell }_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_j;r_{2,j})$, $R_{1,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(a_{1,j};s_{1,j})$, $R_{2,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(a_{2,j};s_{2,j})$, $R_{1,b_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_j·a_{1,j};t_{1,j})$, $R_{2,b_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_j·a_{2,j};t_{2,j})$, $R_{1,d_k}={\prod }_{i=0}^{n-1}{X}_i^{p_{i,k}}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;{\rho }_{1,k})$, $R_{2,d_k}={\prod }_{i=0}^{n-1}{\mathsf{vvk}}_i^{q_{i,k}}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;{\rho }_{2,k})$ $R_{1,u_k}=\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;{\rho }_{1,k})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;u_{1,k}),g_2)$, $R_{2,u_k}=\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;{\rho }_{2,k})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;u_{2,k}),W)$, $R_{1,v}=\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;v_1),g_2)$, $R_{2,v}=\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;v_2),W)$. 2.  It computes $e={\mathrm{H}}_2(T,m,c,Z,Q,W,{\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,a_j}\right\}}_{j=1}^N,{\left\{R_{2,a_j}\right\}}_{j=1}^N,$ ${\left\{R_{1,b_j}\right\}}_{j=1}^N,{\left\{R_{2,b_j}\right\}}_{j=1}^N,R_{1,d_0},{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},R_{2,d_0},{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},R_{1,u_0},{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},$ $R_{2,u_0},{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},R_{1,v},R_{2,v})$. 3.  For $j=1,\dots ,N$, it calculates $f_{1,j}=a_{1,j}+e·{\ell }_j$, $f_{2,j}=a_{2,j}+e·{\ell }_j$, $z_{1,a_j}=s_{1,j}+e·r_{1,j}$, $z_{2,a_j}=s_{2,j}+e·r_{2,j}$, $z_{1,b_j}=t_{1,j}+(e-f_{1,j})·r_{1,j}$, $z_{2,b_j}=t_{2,j}+(e-f_{2,j})·r_{2,j}$, $z_{1,d}=x·e^N-{\sum }_{k=0}^{N-1}{\rho }_{1,k}·e^k$, $z_{2,d}=\mathsf{vsk}·e^N-{\sum }_{k=0}^{N-1}{\rho }_{2,k}·e^k$, $z_{1,u}=v_1·e^N-{\sum }_{k=0}^{N-1}{u}_{1,k}·e^k$, $z_{2,u}=v_2·e^N-{\sum }_{k=0}^{N-1}{u}_{2,k}·e^k$. 4.  It outputs $\pi =({\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},$${\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},R_{1,v},R_{2,v},e,{\left\{f_{1,j}\right\}}_{j=1}^N,{\left\{f_{2,j}\right\}}_{j=1}^N,{\left\{z_{1,a_j}\right\}}_{j=1}^N,{\left\{z_{2,a_j}\right\}}_{j=1}^N,{\left\{z_{1,b_j}\right\}}_{j=1}^N,$${\left\{z_{2,b_j}\right\}}_{j=1}^N,z_{1,d},z_{2,d},z_{1,u},z_{2,u})$. $\mathsf{SPK}.\mathsf{Verify}(\mathsf{param},\mathsf{ck},\theta ,\pi )$: It parses $\theta =(T,m,c,Z,Q,W)$ and $\pi =({\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,$${\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},R_{1,v},R_{2,v},e,{\left\{f_{1,j}\right\}}_{j=1}^N,$${\left\{f_{2,j}\right\}}_{j=1}^N,{\left\{z_{1,a_j}\right\}}_{j=1}^N,{\left\{z_{2,a_j}\right\}}_{j=1}^N,{\left\{z_{1,b_j}\right\}}_{j=1}^N,{\left\{z_{2,b_j}\right\}}_{j=1}^N,$ $z_{1,d},z_{2,d},z_{1,u},z_{2,u})$. 1.  It computes the following items: For all $j\in \{1,\dots N\}$, $R_{1,a_j}^{\prime }=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(f_{1,j};z_{1,a_j})·R_{1,{\ell }_j}^{-e}$, For all $j\in \{1,\dots N\}$, $R_{2,a_j}^{\prime }=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(f_{2,j};z_{2,a_j})·R_{2,{\ell }_j}^{-e}$, For all $j\in \{1,\dots N\}$, $R_{1,b_j}^{\prime }=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{1,b_j})·R_{1,{\ell }_j}^{-(e-f_{1,j})}$, For all $j\in \{1,\dots N\}$, $R_{2,b_j}^{\prime }=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{2,b_j})·R_{2,{\ell }_j}^{-(e-f_{2,j})}$, $R_{1,d_0}^{\prime }={\prod }_{i=0}^{n-1}\left(X_i^{{\prod }_{j=1}^N{f}_{1,j,i_j}}\right)·{\prod }_{k=1}^{N-1}{R}_{1,d_k}^{-e^k}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d})$, $R_{2,d_0}^{\prime }={\prod }_{i=0}^{n-1}\left({\mathsf{vvk}}_i^{{\prod }_{j=1}^N{f}_{2,j,i_j}}\right)·{\prod }_{k=1}^{N-1}{R}_{2,d_k}^{-e^k}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d})$, The value $R_{1,u_0}^{\prime }$: $$\begin{array}{cc}\hfill R_{1,u_0}^{\prime }=(& \mathsf{e}{(g_1,W)}^{-e^N}·\mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,u}),g_2)}^c·\hfill \\ \hfill & \mathsf{e}{(Z,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{1,u_k}^{-c·e^k}·R_{1,v}^{c·e^N}{)}^{1/c},\hfill \end{array}$$ The value $R_{2,u_0}^{\prime }$: $$\begin{array}{cc}\hfill R_{2,u_0}^{\prime }=& \mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,u})·g_1^{-e^N·\mathsf{issue}},W)·\hfill \\ \hfill & \mathsf{e}{(g_1,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{2,u_k}^{-e^k}·R_{2,v}^{e^N},\hfill \end{array}$$ where $f_{1,j,1}=f_{1,j}$, $f_{2,j,1}=f_{2,j}$, $f_{1,j,0}=e-f_{1,j}$, and $f_{2,j,0}=e-f_{2,j}$. 2.  It accepts with output 1 if all the following items are true: ${\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,a_j}\right\}}_{j=1}^N,{\left\{R_{2,a_j}\right\}}_{j=1}^N,{\left\{R_{1,b_j}\right\}}_{j=1}^N,{\left\{R_{2,b_j}\right\}}_{j=1}^N,$$R_{1,d_0}^{\prime },{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},R_{2,d_0}^{\prime },{\left\{R_{2,d_k}\right\}}_{k=0}^{N-1}\in {\mathcal{C}}_{\mathsf{ck}}(={\mathbb{G}}_1)$, $R_{1,u_0}^{\prime },{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},R_{2,u_0}^{\prime },{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},$$R_{1,v},R_{2,v}\in {\mathbb{G}}_T$, ${\left\{f_{1,j}\right\}}_{j=1}^N,{\left\{f_{2,j}\right\}}_{j=1}^N,{\left\{z_{1,a_j}\right\}}_{j=1}^N,{\left\{z_{2,a_j}\right\}}_{j=1}^N,{\left\{z_{1,b_j}\right\}}_{j=1}^N,{\left\{z_{2,b_j}\right\}}_{j=1}^N,z_{1,d},z_{2,d},z_{1,u},$$z_{2,u}\in {\mathbb{Z}}_p$, $e={\mathrm{H}}_2(T,m,c,Z,Q,W,{\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,a_j}^{\prime }\right\}}_{j=1}^N,{\left\{R_{2,a_j}^{\prime }\right\}}_{j=1}^N,$${\left\{R_{1,b_j}^{\prime }\right\}}_{j=1}^N,{\left\{R_{2,b_j}^{\prime }\right\}}_{j=1}^N,R_{1,d_0}^{\prime },{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},R_{2,d_0}^{\prime },{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},R_{1,u_0}^{\prime },{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},$$R_{2,u_0}^{\prime },{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},R_{1,v},R_{2,v})$. Otherwise, it outputs 0.

Theorem 4.

Protocol 3 (${\mathrm{\Pi }}_{\mathsf{SPK}}^{\mathcal{R}}$) securely realizes ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$ in the ${\mathcal{F}}_{\mathsf{Com}}$-hybrid world with the random oracle model for a relation $\mathcal{R}$. That is, ${\mathrm{\Pi }}_{\mathsf{SPK}}^{\mathcal{R}}$ achieves completeness, special honest verifier zero-knowledge (SHVZK), and $(N+1)$-special soundness, if the commitment scheme ${\mathrm{\Pi }}_{\mathsf{Ped}}$ is (perfectly) hiding and binding, under the discrete logarithm (DLOG) assumption.

Proof. 

In this proof, we demonstrate that the protocol ${\mathrm{\Pi }}_{\mathsf{SPK}}$ in Protocol 3 achieves three key properties: completeness, special honest verifier zero-knowledge (SHVZK), and $(N+1)$-special soundness. Since Protocol 3 mainly follows the idea of the membership proof with extra items, our approach aims to follow the proof from ([48], Theorem 3) and we present full proof below.

• Completeness. It is observed that ${\prod }_{j=1}^N{f}_{1,j,i_j}$ and ${\prod }_{j=1}^N{f}_{2,j,i_j}$ are polynomials in the challenge e of the form $p_i\left(e\right)={\delta }_{i\ell }{e}^N+{\sum }_{k=0}^{N-1}{p}_{i,k}{e}^k$ and $q_i\left(e\right)={\delta }_{i\ell }{e}^N+{\sum }_{k=0}^{N-1}{q}_{i,k}{e}^k$, where ${\delta }_{i\ell }$ is a Kronecker delta such that ${\delta }_{i\ell }=1$ when $i=\ell$ and otherwise 0 (see Definition A1). If $X_{\ell }$ and ${\mathsf{vvk}}_{\ell }$ are commitments to 0, we get $X_{\ell }^{{\prod }_{j=1}^N{f}_{1,j,i_j}}$ and ${\mathsf{vvk}}_{\ell }^{{\prod }_{j=1}^N{f}_{2,j,i_j}}$ is a commitment to 0, while the other commitments $X_i$ and ${\mathsf{vvk}}_i$ get raised to polynomials of degree $N-1$ in e as $X_i^{{\prod }_{j=1}^N{f}_{1,j,i_j}}$ and ${\mathsf{vvk}}_i^{{\prod }_{j=1}^N{f}_{2,j,i_j}}$ in the verification equation. Moreover, it is observed that

  $$\begin{array}{cc}\hfill 1=& \mathsf{e}{(g_1,W)}^{-e^N}·\mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,u}),g_2)}^c\hfill \\ \hfill 1=& \mathsf{e}{(g_1,g_2^{{\displaystyle \frac{1}{\mathsf{vsk}+\mathsf{issue}}}})}^{-e^N}·\mathsf{e}{(g_1^{-x·e^N+{\sum }_{k=0}^{N-1}{\rho }_{1,k}·e^k-v_1·e^N+{\sum }_{k=0}^{N-1}{u}_{1,k}·e^k},g_2)}^c\hfill \\ \hfill 1=& \mathsf{e}{(g_1^{{\sum }_{k=0}^{N-1}{\rho }_{1,k}·e^k+{\sum }_{k=0}^{N-1}{u}_{1,k}·e^k},g_2)}^c·\mathsf{e}{(g_1^{-v_1},g_2)}^{c·e^N}·\mathsf{e}{(g_1^{{\displaystyle \frac{1}{\mathsf{vsk}+\mathsf{issue}}}+x·c},g_2)}^{-e^N}\hfill \\ \hfill 1=& \prod _{k=0}^{N-1}\mathsf{e}{(g_1^{{\rho }_{1,k}+u_{1,k}},g_2)}^{c·e^k}·\mathsf{e}{(g_1^{v_1},g_2)}^{-c·e^N}·\mathsf{e}{(Z,g_2)}^{-e^N}\hfill \\ \hfill \Rightarrow & R_{1,u_0}=(\mathsf{e}{(g_1,W)}^{-e^N}·\mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,u}),g_2)}^c·\hfill \\ \hfill & \mathsf{e}{(Z,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{1,u_k}^{-c·e^k}·R_{1,v}^{c·e^N}{)}^{1/c},\hfill \end{array}$$

  and

  $$\begin{array}{cc}\hfill & \mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,u})·g_1^{-\mathsf{issue}·e^N},W)\hfill \\ \hfill =& \mathsf{e}(g_1^{{\sum }_{k=0}^{N-1}{\rho }_{2,k}·e^k-v_2·e^N+{\sum }_{k=0}^{N-1}{u}_{2,k}·e^k-(\mathsf{vsk}+\mathsf{issue})·e^N},g_2^{{\displaystyle \frac{1}{\mathsf{vsk}+\mathsf{issue}}}})\hfill \\ \hfill =& \mathsf{e}(g_1^{{\sum }_{k=0}^{N-1}{\rho }_{2,k}·e^k+{\sum }_{k=0}^{N-1}{u}_{2,k}·e^k},W)·\mathsf{e}(g_1^{-v_2·e^N},W)·\mathsf{e}{(g_1,g_2)}^{-e^N}\hfill \\ \hfill \Rightarrow & R_{2,u_0}=\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,u})·g_1^{-e^N·\mathsf{issue}},W)·\hfill \\ \hfill & \mathsf{e}{(g_1,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{2,u_k}^{-e^k}·R_{2,v}^{e^N}.\hfill \end{array}$$

  With this in mind, straightforward verification shows that the protocol is perfectly complete.
• Special Honest Verifier Zero-Knowledge (SHVZK). Given the challenge $e\in {\{0,1\}}^{\lambda }$, it starts by choosing the elements of the response uniformly at random as ${\left\{f_{1,j}\right\}}_{j=1}^N,{\left\{f_{2,j}\right\}}_{j=1}^N,$ ${\left\{z_{1,a_j}\right\}}_{j=1}^N,{\left\{z_{2,a_j}\right\}}_{j=1}^N,{\left\{z_{1,b_j}\right\}}_{j=1}^N,{\left\{z_{2,b_j}\right\}}_{j=1}^N,$ $z_{1,d},z_{2,d},z_{1,u},z_{2,u}\leftarrow {\mathbb{Z}}_p$. It then chooses ${\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,$ ${\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1},R_{1,v},R_{2,v}\leftarrow \mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;·)$ as random commitments to 0. It computes $R_{1,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(f_{1,j};z_{1,a_j})·R_{1,{\ell }_j}^{-e}$, $R_{2,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(f_{2,j};z_{2,a_j})·R_{2,{\ell }_j}^{-e}$, $R_{1,b_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{1,b_j})·R_{1,{\ell }_j}^{-(e-f_{1,j})}$, $R_{2,b_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{2,b_j})·R_{2,{\ell }_j}^{-(e-f_{2,j})}$ for all $j\in \{1,\dots N\}$. Moreover, it computes

  $$\begin{array}{cc}\hfill R_{1,d_0}=& \prod _{i=0}^{n-1}{X}_i^{{\prod }_{j=1}^N{f}_{1,j,i_j}}·\prod _{k=1}^{N-1}{R}_{1,d_k}^{-e^k}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d}),\hfill \\ \hfill R_{2,d_0}=& \prod _{i=0}^{n-1}{\mathsf{vvk}}_i^{{\prod }_{j=1}^N{f}_{2,j,i_j}}·\prod _{k=1}^{N-1}{R}_{2,d_k}^{-e^k}·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d}),\hfill \\ \hfill R_{1,u_0}& =(\mathsf{e}{(g_1,W)}^{-e^N}·\mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{1,u}),g_2)}^c·\hfill \\ \hfill & \mathsf{e}{(Z,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{1,u_k}^{-c·e^k}·R_{1,v}^{c·e^N}{)}^{1/c},\hfill \\ \hfill R_{2,u_0}& =\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;-z_{2,u})·g_1^{-e^N·\mathsf{issue}},W)·\hfill \\ \hfill & \mathsf{e}{(g_1,g_2)}^{e^N}·\prod _{k=1}^{N-1}{R}_{2,u_k}^{-e^k}·R_{2,v}^{e^N},\hfill \end{array}$$

  where $f_{1,j,1}=f_{1,j}$, $f_{2,j,1}=f_{2,j}$, $f_{1,j,0}=e-f_{1,j}$, and $f_{2,j,0}=e-f_{2,j}$. It returns the simulated transcript $({\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,a_j}\right\}}_{j=1}^N,{\left\{R_{2,a_j}\right\}}_{j=1}^N,{\left\{R_{1,b_j}\right\}}_{j=1}^N,{\left\{R_{2,b_j}\right\}}_{j=1}^N,$ ${\left\{R_{1,d_k}\right\}}_{k=0}^{N-1},{\left\{R_{2,d_k}\right\}}_{k=0}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=0}^{N-1},{\left\{R_{2,u_k}\right\}}_{k=0}^{N-1},R_{1,v},R_{2,v},e,{\left\{f_{1,j}\right\}}_{j=1}^N,{\left\{f_{2,j}\right\}}_{j=1}^N,{\left\{z_{1,a_j}\right\}}_{j=1}^N$, ${\left\{z_{2,a_j}\right\}}_{j=1}^N$, ${\left\{z_{1,b_j}\right\}}_{j=1}^N,{\left\{z_{2,b_j}\right\}}_{j=1}^N$, $z_{1,d},z_{2,d},z_{1,u},z_{2,u})$.

We will now demonstrate that an adversary capable of distinguishing the simulation from a real argument with an advantage of $\epsilon$ can be transformed into an adversary that compromises the hiding property of the commitment scheme with an advantage of ${\displaystyle \frac{\epsilon }{2N-1}}$. First, we observe that in both real and simulated proofs, ${\left\{f_{1,j}\right\}}_{j=1}^N,$${\left\{f_{2,j}\right\}}_{j=1}^N,$ ${\left\{z_{1,a_j}\right\}}_{j=1}^N,$${\left\{z_{2,a_j}\right\}}_{j=1}^N,$ ${\left\{z_{1,b_j}\right\}}_{j=1}^N,$${\left\{z_{2,b_j}\right\}}_{j=1}^N,$ $z_{1,d},z_{2,d},z_{1,u},z_{2,u}$ are uniformly random in ${\mathbb{Z}}_p$. And, the verification equations uniquely determine ${\left\{R_{1,a_j}\right\}}_{j=1}^N,{\left\{R_{2,a_j}\right\}}_{j=1}^N,{\left\{R_{1,b_j}\right\}}_{j=1}^N,{\left\{R_{2,b_j}\right\}}_{j=1}^N,R_{1,d_0},R_{2,d_0},R_{1,u_0},$$R_{2,u_0}$ conditioned on ${\left\{f_{1,j}\right\}}_{j=1}^N,{\left\{f_{2,j}\right\}}_{j=1}^N,{\left\{z_{1,a_j}\right\}}_{j=1}^N,{\left\{z_{2,a_j}\right\}}_{j=1}^N,{\left\{z_{1,b_j}\right\}}_{j=1}^N,{\left\{z_{2,b_j}\right\}}_{j=1}^N,z_{1,d},z_{2,d},$$z_{1,u},z_{2,u}$, both in real and simulated proofs. The adversary’s advantage of $\epsilon$ must therefore stem from its ability to differentiate between real and simulated commitments ${\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,d_k}\right\}}_{k=1}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=1}^{N-1},{\left\{R_{2,u_k}\right\}}_{k=1}^{N-1}$. A standard hybrid argument provides us with an advantage of ${\displaystyle \frac{\epsilon }{2N-1}}$ in breaking the hiding property of the commitment scheme.

• $(N+1)$-Special Soundness. We adopt the approach from ([48], Theorem 3) by illustrating how to transform an adversary with a probability $\epsilon$ of breaking $(N+1)$-special soundness into another adversary with approximately the same runtime, which maintains a probability $\epsilon$ of violating the binding property of the commitment scheme.

With the original challenge $e^{\left(0\right)}$, the extractor rewinds on $e^{\left(1\right)},\dots ,e^{\left(N\right)}$ to $N+1$, and distinct accepting responses are generated as $(f_1^{\left(0\right)},\dots ,z_{2,d}^{\left(0\right)}),\dots ,(f_1^{\left(N\right)},\dots ,z_{2,d}^{\left(N\right)})$, on the same initial message $({\left\{R_{1,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{2,{\ell }_j}\right\}}_{j=1}^N,{\left\{R_{1,a_j}\right\}}_{j=1}^N,{\left\{R_{2,a_j}\right\}}_{j=1}^N,{\left\{R_{1,b_j}\right\}}_{j=1}^N,{\left\{R_{2,b_j}\right\}}_{j=1}^N,{\left\{R_{1,d_k}\right\}}_{k=0}^{N-1},$ ${\left\{R_{2,d_k}\right\}}_{k=0}^{N-1},{\left\{R_{1,u_k}\right\}}_{k=0}^{N-1}{\left\{R_{2,u_k}\right\}}_{k=0}^{N-1},R_{1,v},R_{2,v})$.

The 2-special soundness of the protocol allows us to extract the openings of $X_{{\ell }_1},\dots ,X_{{\ell }_N}$ of the form $R_{1,{\ell }_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_{1,j};r_{1,j})$ and openings of ${\mathsf{vvk}}_{{\ell }_1},\dots ,{\mathsf{vvk}}_{{\ell }_N}$ of the form $R_{2,{\ell }_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}({\ell }_{2,j};r_{2,j})$ with ${\ell }_{1,j},{\ell }_{2,j}\in \{0,1\}$. From the verification equations, we are able to get openings of $R_{1,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(a_{1,j};s_{1,j})$ and $R_{2,a_j}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(a_{2,j};s_{2,j})$. Moreover, it must hold for all challenges that $f_{1,j}^{\left(0\right)}={\ell }_j{e}^{\left(0\right)}+a_{1,j},\dots ,f_{1,j}^{\left(N\right)}={\ell }_j{e}^{\left(N\right)}+a_{1,j}$, and $f_{2,j}^{\left(0\right)}={\ell }_j{e}^{\left(0\right)}+a_{2,j},\dots ,f_{2,j}^{\left(N\right)}={\ell }_j{e}^{\left(N\right)}+a_{2,j}$ for all $j\in \{1,\dots ,N\}$, unless the adversary successfully breaks the binding property of the commitment scheme.

From $f_{1,j}$’s and $f_{2,j}$’s, we get $f_{1,j,i}={\ell }_{j}e+a_{1,j}$, $f_{2,j,i}={\ell }_{j}e+a_{2,j}$, $f_{1,j,0}=(1-{\ell }_j)e-a_{1,j}$, and $f_{2,j,0}=(1-{\ell }_j)e-a_{2,j}$. For $i\ne \ell$, we get that ${\prod }_{j=1}^N{f}_{1,j,i_j}$ and ${\prod }_{j=1}^N{f}_{2,j,i_j}$ are polynomials of the form $p_{\ell }\left(e\right)=e^N+\dots$ and $q_{\ell }\left(e\right)=e^N+\dots$. we could express the verifications using $z_{1,d}$ and $z_{2,d}$ as

$$X_{\ell }^{e^N}·\prod _{k=0}^{N-1}{C}_{1,{\ast }_k}^{e^k}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{1,d})$$

and

$${\mathsf{vvk}}_{\ell }^{e^N}·\prod _{k=0}^{N-1}{C}_{2,{\ast }_k}^{e^k}=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{2,d})$$

for some fixed $C_{1,{\ast }_0},\dots ,C_{1,{\ast }_{N-1}},C_{2,{\ast }_0},\dots ,C_{2,{\ast }_{N-1}}$ that can be computed from the commitments in the statement and the initial messages.

Note that the vectors $(1,e^{\left(\psi \right)},\dots ,{\left(e^{\left(\psi \right)}\right)}^N)$, where $\psi \in \{0,\dots ,N\}$, can be interpreted as rows of a Vandermonde matrix (see Definition A2). Additionally, since $e^{\left(1\right)},\dots ,e^{\left(N\right)}$ are all distinct, the matrix is invertible, allowing us to find a linear combination $({\eta }_0,\dots ,{\eta }_N)$ of the rows that yields the vector $(0,\dots ,0,1)$. By combining the $(N+1)$ accepting verification equations, we get

$$\begin{array}{cc}\hfill X_{\ell }=\prod _{\psi =0}^N{\left(X_{\ell }^{{\left(e^{\left(\psi \right)}\right)}^N}·\prod _{k=0}^{N-1}{C}_{1,{\ast }_k}^{{\left(e^{\left(\psi \right)}\right)}^k}\right)}^{{\eta }_{\psi }}& =\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}\left(0;\sum _{\psi =0}^N{\eta }_{\psi }·z_{1,d}^{\left(\psi \right)}\right).\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill {\mathsf{vvk}}_{\ell }=\prod _{\psi =0}^N{\left(X_{\ell }^{{\left(e^{\left(\psi \right)}\right)}^N}·\prod _{k=0}^{N-1}{C}_{2,{\ast }_k}^{{\left(e^{\left(\psi \right)}\right)}^k}\right)}^{{\eta }_{\psi }}& =\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}\left(0;\sum _{\psi =0}^N{\eta }_{\psi }·z_{2,d}^{\left(\psi \right)}\right).\hfill \end{array}$$

This gives us the extracted openings of $X_{\ell }$ and ${\mathsf{vvk}}_{\ell }$ to 0 with values $x={\sum }_{\psi =0}^N{\eta }_{\psi }·z_{1,d}^{\left(\psi \right)}$ and $\mathsf{vsk}={\sum }_{\psi =0}^N{\eta }_{\psi }·z_{2,d}^{\left(\psi \right)}$.

Next, we demonstrate that the extracted values align with the expressions in the bilinear verifications. Similarly, we can express the bilinear verifications using $z_{1,d}$, $z_{2,d}$, $z_{1,u}$ and $z_{2,u}$ as

$$\begin{array}{cc}\hfill & \mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{1,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{1,u}),g_2)}^c\hfill \\ \hfill =& {\left(R_{1,v}^{e^N}·\prod _{k=0}^{N-1}{C}_{3,{\ast }_k}^{e^k}\right)}^c·\mathsf{e}{(Z,g_2)}^{e^N}·\mathsf{e}{(g_1,W)}^{-e^N}\hfill \\ \hfill =& {\left(\mathsf{e}{(X_{\ell },g_2)}^{e^N}·R_{1,v}^{e^N}·\prod _{k=0}^{N-1}{C}_{3,{\ast }_k}^{e^k}\right)}^c\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill \mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{2,d})·\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;z_{2,u}),W)& =R_{2,v}^{e^N}·\prod _{k=0}^{N-1}{C}_{4,{\ast }_k}^{e^k}·\mathsf{e}{(g_1,g_2)}^{e^N}·\mathsf{e}{(g_1^{\mathsf{issue}},W)}^{-e^N}\hfill \\ \hfill & =\mathsf{e}{({\mathsf{vvk}}_{\ell },W)}^{e^N}·R_{2,v}^{e^N}·\prod _{k=0}^{N-1}{C}_{4,{\ast }_k}^{e^k}\hfill \end{array}$$

for some fixed $C_{3,{\ast }_0},\dots ,C_{3,{\ast }_{N-1}},C_{4,{\ast }_0},\dots ,C_{4,{\ast }_{N-1}}$ that can be computed from the initial messages. By combining the $(N+1)$ accepting verification equations, we get

$$\begin{array}{cc}\hfill {\left(R_{1,v}·\mathsf{e}(X_{\ell },g_2)\right)}^c& =\prod _{\psi =0}^N{\left(\mathsf{e}{(X_{\ell },g_2)}^{{\left(e^{\left(\psi \right)}\right)}^{N}N}·R_{1,v}^{{\left(e^{\left(\psi \right)}\right)}^N}·\prod _{k=0}^{N-1}{C}_{3,{\ast }_k}^{{\left(e^{\left(\psi \right)}\right)}^k}\right)}^{c·{\eta }_{\psi }}\hfill \\ \hfill & =\mathsf{e}{(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}\left(0;\sum _{\psi =0}^N{\eta }_{\psi }·\left(z_{1,d}^{\left(\psi \right)}+z_{1,u}^{\left(\psi \right)}\right)\right),g_2)}^c\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill R_{2,v}·\mathsf{e}({\mathsf{vvk}}_{\ell },W)& =\prod _{\psi =0}^N{\left(\mathsf{e}{({\mathsf{vvk}}_{\ell },W)}^{{\left(e^{\left(\psi \right)}\right)}^N}·R_{2,v}^{{\left(e^{\left(\psi \right)}\right)}^N}·\prod _{k=0}^{N-1}{C}_{4,{\ast }_k}^{{\left(e^{\left(\psi \right)}\right)}^k}\right)}^{{\eta }_{\psi }}\hfill \\ \hfill & =\mathsf{e}(\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}\left(0;\sum _{\psi =0}^N{\eta }_{\psi }·\left(z_{2,d}^{\left(\psi \right)}+z_{2,u}^{\left(\psi \right)}\right)\right),W).\hfill \end{array}$$

This gives us the extracted openings of $R_{1,v}$ and $R_{2,v}$ to 0 with values $v_1={\sum }_{\psi =0}^N{\eta }_{\psi }·z_{1,u}^{\left(\psi \right)}$ and $v_2={\sum }_{\psi =0}^N{\eta }_{\psi }·z_{2,u}^{\left(\psi \right)}$. □

5.4. Security Analysis of Our TRS

Theorem 5.

Protocol 2 (${\mathrm{\Pi }}_{\mathsf{TRS}}$) securely realizes ${\mathcal{F}}_{\mathsf{TRS}}$ in the $({\mathcal{F}}_{\mathsf{Com}},{\mathcal{F}}_{\mathsf{VRF}},{\mathcal{F}}_{\mathsf{NIZK}})$-hybrid world with the random oracle model under the discrete logarithm (DLOG) assumption; if ${\mathrm{\Pi }}_{\mathsf{Ped}}$ achieves (perfectly) hiding and binding, ${\mathrm{\Pi }}_{\mathrm{DY-VRF}}$ achieves pseudorandomness, and ${\mathrm{\Pi }}_{\mathsf{SPK}}^{\mathcal{R}}$ achieves the properties of special honest-verifier zero-knowledge and $(N+1)$-special soundness.

Proof. 

Setup. The setup of the simulator $\mathcal{S}$ follows mainly the setup in Theorem 2, with the following additional items:

• $Y_i={\left(g_1^{\prime }\right)}^{f_i\left(y\right)}={\prod }_{k=0}^{q_h-1}{\left(g_1^{\prime }\right)}^{y^k{d}_k}=g_{1,i}^{{\displaystyle \frac{1}{y+{\mathsf{issue}}_i}}}$.

Simulation. We describe a simulator $\mathcal{S}$ that controls the random oracle H and operates in the following manner.

• Upon receiving $(\mathsf{TRS},\mathsf{KeyGen},\mathsf{sid},{\mathcal{P}}_i)$ from ${\mathcal{F}}_{\mathsf{TRS}}$, $\mathcal{S}$ calls $(\mathsf{VRF}.\mathsf{KeyGen},\mathsf{sid},{\mathcal{P}}_i)$ to ${\mathcal{F}}_{\mathsf{VRF}}$ and receives $(\mathrm{VRF-Key},\mathsf{sid},{\mathcal{P}}_i,{\mathsf{vvk}}_i)$. Moreover, it randomly selects $x_i\leftarrow {\mathbb{Z}}_p$ and generates $X_i=g_{1,i}^{x_i}$. In the case that the key exists already, $\mathcal{S}$ returns fail and terminates. Otherwise, it returns $(\mathrm{TRS-Key},\mathsf{sid},{\mathcal{P}}_i,{\mathsf{vk}}_i)$ to ${\mathcal{F}}_{\mathsf{TRS}}$, where ${\mathsf{vk}}_i=(X_i,{\mathsf{vvk}}_i)$.
• Upon receiving $(\mathsf{TRS}.\mathsf{Sign},\mathsf{sid},T,m,{\mathsf{vk}}_i,{\mathcal{P}}_i)$ from ${\mathcal{F}}_{\mathsf{TRS}}$, $\mathcal{S}$ calls $(\mathsf{VRF}.\mathsf{EvalProve},\mathsf{sid},\mathsf{issue})$ and receives $(\mathrm{VRF-Evaluation},\mathsf{sid},Q,W)$. Moreover, it calculates $Z=Y_i·X_i^c$, where $c=\mathrm{H}(T,m,Q,W)$. In case $\mathrm{H}(T,m,Q,W)$ has already been queried before, recover the the corresponding value c; otherwise, randomly select a unique c and record $(T,m,Q,W,c)$ in the table of the random oracle H. In case this is not feasible and would make the table inconsistent, $\mathcal{S}$ returns fail and terminates. After that, it sets $\theta =(T,m,c,Z,Q,W)$ and $\omega =(\ell ,x,\mathsf{vsk})$ calls $(\mathsf{Prove},\mathsf{param},\mathsf{ck},\theta ,\omega )$ to ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$, and receives $(\mathsf{proof},\mathsf{sid},\pi )$. Finally, it outputs $(\mathrm{TRS-Signature},\mathsf{sid},T,m,\sigma ,{\mathsf{vk}}_i)$ to ${\mathcal{F}}_{\mathsf{TRS}}$, where $\sigma =(c,Z,Q,W,\pi )$.
• Upon receiving $(\mathsf{TRS}.\mathsf{Verify},\mathsf{sid},T,m,\sigma ,{\mathsf{vk}}_i)$ from ${\mathcal{F}}_{\mathsf{TRS}}$, verify $\pi$ by calling $(\mathsf{Verify},\mathsf{sid},\theta ,\pi )$ to ${\mathcal{F}}_{\mathsf{NIZK}}^{\mathcal{R}}$ and receive $(\mathsf{verification},\mathsf{sid},\omega ,\pi ,\mathcal{R}(\theta ,\omega \left)\right)$ such that $\mathcal{R}(\theta ,\omega )$ is a bit b. If $b=1$, it further verifies if $Q=(g_{1,i},W)$. If so, returns $(\mathrm{TRS-Verification},\mathsf{sid},T,m,\sigma ,{\mathsf{vk}}_i,1)$. If $b=1$ but the check of $Q=(g_{1,i},W)$ fails, output fail and terminate. Otherwise, it returns $(\mathrm{TRS-Verification},\mathsf{sid},T,m,\sigma ,{\mathsf{vk}}_i,0)$. Note that ${\mathcal{F}}_{\mathsf{VRF}}$ will return the correct output to the verifier.
• Upon receiving $(\mathsf{TRS}.\mathsf{Trace},\mathsf{sid},T,m_1,{\sigma }_1,m_2,{\sigma }_2)$ from ${\mathcal{F}}_{\mathsf{TRS}}$, it parses ${\sigma }_1=(c_1,Z_1,Q_1,$$W_1,{\pi }_1)$ and ${\sigma }_2=(c_2,Z_2,Q_2,W_2,{\pi }_2)$. If $c_1=c_2$, return $(\mathrm{TRS-Traced},\mathsf{sid},T,m_1,{\sigma }_1,m_2,$${\sigma }_2,\mathsf{Linked})$. Otherwise, it calculates $\overline{X}={(Z_2/Z_1)}^{1/(c_2-c_1)}$ and outputs $\overline{\mathsf{vk}}=(\overline{X},\overline{\mathsf{vvk}})$ if $(\overline{X},·)\in R$. Otherwise, return $(\mathrm{TRS-Traced},\mathsf{sid},T,m_1,{\sigma }_1,m_2,$${\sigma }_2,\mathsf{Accept})$. Note that the cases of Reject are handled by $\mathsf{TRS}.\mathsf{Verify}$.
• Upon receiving a query $(T,m,Q,W)$ from the random oracle H, select a distinct c at random, store $(T,m,Q,W,c)$ and return c. In any other query with the same input $(T,m,Q,W)$, return the same c.

This gives a full description of the ideal-model simulator. Note that in the black-box simulation, we use fake values (the value of $Y_i$, and thus Z), and we claim that the differences are undetectable for the environment $\mathcal{Z}$. This is proven through a sequence of games transforming an execution in the ideal-model scenario into one which is equal to the one of the actual protocol.

• Experiment ${\mathsf{Game}}_0$ describes the original attack of $\mathcal{Z}$ on the ideal-model simulation (including the black-box simulation of $\mathcal{A}$).
• In ${\mathsf{Game}}_1$, the simulator changes the computation of $X_i$ to $X_i=\mathsf{Ped}.{\mathsf{Com}}_{\mathsf{ck}}(0;x_i)=g_1^{x_i}$ where $x_i\in {\mathbb{Z}}_p$ is random. Because of the DLOG assumption, $\mathcal{Z}$’s output behavior will not change with a non-negligible probability when facing ${\mathsf{Game}}_1$ instead of ${\mathsf{Game}}_0$.
• In ${\mathsf{Game}}_2$, the simulator changes the computation of Z to $Z=g_1^{\delta }·X_i^c$, where $\delta ={\displaystyle \frac{1}{\mathsf{vsk}+\alpha }}$. Moreover, the simulator changes the computation of Q and W to $Q=\mathsf{e}{(g_1,g_2)}^{\delta }$ and $W=g_2^{\delta }$. Because of the DLOG assumption and the pseudorandomness of DY-VRF, $\mathcal{Z}$’s output behavior will not change with a non-negligible probability when facing ${\mathsf{Game}}_2$ instead of ${\mathsf{Game}}_1$.
• In ${\mathsf{Game}}_3$, the simulator changes the computation of $\pi$ to the actual proof using $(\ell ,x,\mathsf{vsk})$. By the special honest-verifier zero-knowledge (SHVZK) property, this substitution is indistinguishable for the environment $\mathcal{Z}$.

All the steps in the final game now are exactly as in an attack on the real protocol with adversary $\mathcal{A}$, with the restriction that only $q_h$ queries could be made. Therefore, the environment’s output in the ideal-model simulation (${\mathsf{Game}}_0$) and the real-world execution (${\mathsf{Game}}_3$) are indistinguishable. □

6. Discussion

In this section, we examine several related topics pertinent to this work. Specifically, we provide a comparison of existing UC functionalities of VRF in Section 6.1. Additionally, we explore the potential for extending this research to accommodate K-time anonymity in Section 6.2.

6.1. UC Formulation of VRF

In Section 3.2, we formalized a VRF functionality, denoted ${\mathcal{F}}_{\mathsf{VRF}}$, which mirrors the classic, stand-alone security definition of DY-VRF [43]. In this subsection, we compare ${\mathcal{F}}_{\mathsf{VRF}}$ with stronger UC–VRF models, explain why the absence of unpredictability under malicious key generation (UMKG) does not undermine our TRS construction, and support this claim through a comparative analysis of three multi-party deployment scenarios.

• Comparison between UC-VRF Functionalities. David et al. [38] introduced the functionality of the VRF in their work on Ouroboros Praos. It is a provably secure proof-of-stake protocol, and is the first to achieve security against adaptive adversaries while remaining scalable in a genuinely practical sense. This functionality was also adopted in the subsequent work Ouroboros Genesis [39]. However, their UC formulation cannot be derived from the standard VRF security definitions, as it includes additional security features, such as UMKG. This design was intended to meet extra security requirements specific to their scheme, making it not a pure or typical VRF.

In contrast, the DY-VRF protocol [43] fails to satisfy the property of UMKG [38]. If an adversary is allowed to generate its own key pair, the reliability of the VRF output distribution cannot be guaranteed. In particular, in the DY-VRF setting, a properly constructed malicious key can substantially distort the resulting output distribution.

In this work, we present a VRF functionality ${\mathcal{F}}_{\mathsf{VRF}}$ that adheres to the standard VRF security definition from [43]. Therefore, it can be viewed as a weaker version of the UC formulation of VRF, yet it is of independent interest. In the VRF functionality with UMKG [38] is able to act as a random oracle. However, the standard VRF in this work could not present a uniform distribution in the outputs; therefore, extra information may possibly be leaked from the distribution if malicious keys are injected.

Both VRF functionalities could be adopted to different protocols according to the security requirements, and we will discuss on this later in this subsection.

• Irrelevance of UMKG for TRS. In the context of existing security models for TRS, such as those in [3], malicious key generation is not permitted. The security definitions of TRS are revisited in Section 4.1. Therefore, a UC formulation of VRF with typical security features aligns well with the requirements of TRS.

TRS operate on a static ring, such that all public keys are fixed and publicly known before any signature is produced. It is impossible for a malicious signer to craft a malformed key prior to ring formation according to the definitions of security properties stated in Section 4.1. Moreover, the malicious signer is not allowed to swap in a fresh adversarial key after the ring is fixed. Since no adversary can inject a key once signatures start, the UMKG threat is absent. Incorporating UMKG into the ideal world would yield no extra real-world power and would unnecessarily complicate the simulation.

• Applying VRF Functionalities to Various Multi-party Settings. We consider different multi-party scenarios involving VRF functionalities. Since both the typical VRF functionality from this work and the VRF functionality with UMKG [38] could be adopted to different protocols according to the security requirements, we consider two use cases.

First, we consider late key registration of the TRS scheme. Typical security definitions of TRS do not consider malicious key generation, thus the standard VRF functionality in this work is suitable to use. However, if we consider a possible future extension on dynamic-membership TRS, the definition is no longer the same as the typical TRS. In this possible extension, new keys are allowed to be appended to the ring. The signer is able to generate signatures on the dynamic ring, and the identity of the signer could still be revoked if she signs on different messages. In the idea of dynamic-membership TRS, the security property of UMKG is necessary since adversaries are allowed to generate the secret and public key pair in the protocol.

Second, we consider possible key management, such as key revocation and key refresh in TRS. In the case of key revocation, we consider two approaches. If the method of key revocation is blacklisting, a blacklist of revoked public keys is published and the verifiers reject rings containing them, thus the property of UMKG remains irrelevant. If ring reconstitution is considered, a fresh ring is generated without the revoked keys, along with new tags. This refreshes the keys in the static ring. Similarly, in the case of key refresh, the keys in the static ring are refreshed after a specific condition. In most of the cases, new keys will be generated. Therefore, the property of UMKG is necessary.

6.2. Possibility on Allowing K-Time Anonymity

Apart from the applications mentioned in Section 1.3, considering a TRS scheme with K-time anonymity may offer significant advantages. This concept has been previously explored in various studies, including its application in group signature schemes such as [34], anonymous signature schemes such as [35], and anonymous authentication schemes such as [56,57].

• Modifying Security Definitions and UC Functionality. To extend our scheme to support K-time anonymity, we first need to modify the security definition of TRS as defined by Fujisaki and Suzuki [3]. Specifically, we must revisit the properties of public traceability and tag-linkability, and even introduce new security properties. (1) We need to specify conditions that allow for the tracing of signatures while accommodating the K-time anonymity, including limits on the number of signatures accepted; and (2) Modifications should clarify how to manage links between signatures, ensuring that they can be distinguished while still maintaining anonymity across multiple instances. Next, it is essential to update the definition of the UC functionality to incorporate the properties that support K-time anonymity. This involves creating a comprehensive security model that addresses the unique challenges posed by K-time anonymity.

• Construction Design. Once the new security definitions are established, the actual construction of the TRS scheme should be designed to align with these updated definitions, ensuring that it effectively supports K-time anonymity while maintaining the desired security properties.

The main technical challenge lies in formulating a comprehensive security model that adequately captures all necessary properties while remaining robust against potential adversarial strategies. Moreover, another technical challenge lies in constructing an actual protocol and proving the security.

7. Conclusions

In this work, we have formalized the functionality of TRS within the framework of UC security. Furthermore, we present a UC functionality of VRF that aligns with the security definition of TRS. Our construction of TRS is detailed, along with the corresponding zero-knowledge proof, which utilizes the Pedersen commitment [44], DY-VRF [43], and the membership proof from [48]. We demonstrate the security of our construction under the UC framework, supported by formal proofs.