Abstract
Traceable ring signatures are a variant of ring signatures which allows the identity of a user to be revealed, when it signs two different messages with respect to the same group of users. It has applications in e-voting and in cryptocurrencies, such as the well-known Monero. We propose the first traceable ring signature scheme whose security is based on the hardness of the Syndrome Decoding problem, a problem in coding theory which is conjectured to be unsolvable by both classical and quantum algorithms. To construct the scheme, we use a variant of Stern’s protocol and, by applying the Fiat-Shamir transform to it in an ingenious way, we obtain a ring signature that allows traceability. We prove that the resulting protocol has the standard security properties for traceable ring signatures in the random oracle model: tag-linkability, anonymity and exculpability. As far as we know, this is the first proposal for a traceable ring signature scheme in the post-quantum setting.
Notes
1. We refer the reader to [15] for a more detailed introduction on sigma protocols.
2. The name GStern’s protocol comes from Generalized Stern’s protocol.
3. That is, at least one of the messages (\(M_1\) or \(M_2\)) was not asked in a query to the oracle.
References
Abdalla, M., An, J.H., Bellare, M., Namprempre, C.: From identification to signatures via the Fiat-Shamir transform: minimizing assumptions for security and forward-security. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 418–433. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7_28
Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A practical group signature scheme based on rank metric. In: Duquesne, S., Petkova-Nikova, S. (eds.) WAIFI 2016. LNCS, vol. 10064, pp. 258–275. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-55227-9_18
Alamélou, Q., Blazy, O., Cauchie, S., Gaborit, P.: A code-based group signature scheme. Designs Codes Crypt. 82(1), 469–493 (2017). https://doi.org/10.1007/s10623-016-0276-6
Ambainis, A., Rosmanis, A., Unruh, D.: Quantum attacks on classical proof systems: the hardness of quantum rewinding. In: Proceedings of the 2014 IEEE 55th Annual Symposium on Foundations of Computer Science FOCS 2014, pp. 474–483. IEEE Computer Society, Washington, DC, USA (2014). https://doi.org/10.1109/FOCS.2014.57
Au, M.H., Liu, J.K., Susilo, W., Yuen, T.H.: Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theor. Comput. Sci. 469, 1–14 (2013). http://www.sciencedirect.com/science/article/pii/S0304397512009528
Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in \(2^{n/20}\): How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_31
Berlekamp, E.R., McEliece, R.J., van Tilborg, H.: On the inherent intractability of certain coding problems. IEEE Trans. Inf. Theory (corresp.) 24(3), 384–386 (1978)
Bernstein, D.J.: Grover vs. McEliece. In: Sendrier, N. (ed.) PQCrypto 2010. LNCS, vol. 6061, pp. 73–80. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12929-2_6
Boneh, D., Dagdelen, Ö., Fischlin, M., Lehmann, A., Schaffner, C., Zhandry, M.: Random oracles in a quantum world. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 41–69. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_3
Branco, P., Mateus, P.: A code-based linkable ring signature scheme. In: Baek, J., Susilo, W., Kim, J. (eds.) ProvSec 2018. LNCS, vol. 11192, pp. 203–219. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01446-9_12
Canteaut, A., Chabaud, F.: A new algorithm for finding minimum-weight words in a linear code: application to McEliece’s cryptosystem and to narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory 44(1), 367–378 (1998)
Canto Torres, R., Sendrier, N.: Analysis of information set decoding for a sub-linear error weight. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 144–161. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8_10
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
Damgård, I.: On \(\sigma \)-protocols. Lecture Notes, University of Aarhus, Department for Computer Science (2002)
Ezerman, M.F., Lee, H.T., Ling, S., Nguyen, K., Wang, H.: A provably secure group signature scheme from code-based assumptions. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 260–285. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_12
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Fujisaki, E.: Sub-linear size traceable ring signatures without random oracles. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 393–415. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19074-2_25
Fujisaki, E., Suzuki, K.: Traceable ring signature. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 181–200. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_13
Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
May, A., Meurer, A., Thomae, E.: Decoding random linear codes in \(\tilde{\cal{O}}(2^{0.054n})\). In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_6
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997). https://doi.org/10.1137/S0097539795293172
Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_2
Unruh, D.: Post-quantum security of Fiat-Shamir. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 65–95. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_3
Van Saberhagen, N.: CryptoNote v 2.0 (2013)
Acknowledgments
The first author would like to thank the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135181/2017.
This work is funded by FCT/MEC through national funds and when applicable co-funded by FEDER – PT2020 partnership agreement under the project UID/EEA/50008/2013, and IT internal project QBigData, FCT through national funds, by FEDER, through COMPETE 2020, and by Regional Operational Program of Lisbon, under projects Confident PTDC/EEI-CTP/4503/2014, QuantumMining POCI-01-0145-FEDER-031826 and Predict PTDC/CCI-CIF/29877/2017. It was funded by European project H2020-SU-ICT-2018-2020.
Appendices
A Sigma Protocols
A.1 Fiat-Shamir Transform
A sigma protocol \((\mathcal {P},\mathcal {V})\) is a three-round protocol between a prover \(\mathcal {P}\) and a verifier \(\mathcal {V}\) where the prover tries to convince the verifier about the validity of some statement. In this work, we are only interested in a particular case of sigma protocols which are proof of knowledge (PoK) protocols. Here, the prover \(\mathcal {P}\) convinces the verifier \(\mathcal {V}\), not only about the veracity of the statement, but also that \(\mathcal {P}\) has a witness for it. The three rounds of any sigma protocol are the commitment (\( com \)) by the prover, the challenge (\( ch \)) by the verifier and the response (\( resp \)) by the prover. A transcript \(( com , ch , resp )\) is said to be valid if the verifier accepts it as a valid proof.
A PoK must have the following properties: (i) completeness, which ensures that the verifier accepts the proof with high probability if the prover has the secret; (ii) special soundness, which ensures that there is an extractor that, given two valid transcripts \(( com , ch , resp )\) and \(( com , ch ', resp ')\) with the same commitment and \( ch \ne ch '\), recovers the secret; and (iii) honest-verifier zero-knowledge (HVZK), which ensures that the verifier gains no information just by looking at the transcript. HVZK is usually proven by showing the existence of a simulator that, without the secret, generates transcripts computationally indistinguishable from those produced by the interaction between the prover and the verifier. A detailed survey on sigma protocols can be found in [15].
The Fiat-Shamir transform [17] is a generic method to convert any PoK protocol that is complete, special sound and HVZK into a signature scheme. The transform is proven secure both in the random oracle model (ROM) [1] and in the quantum random oracle model (QROM) [25], under certain conditions.
The idea behind the Fiat-Shamir transform is that the prover simulates the challenge that is usually sent by the verifier. Since this challenge should be chosen uniformly at random, the prover sets the challenge according to a cryptographic hash function receiving as input the message to be signed and the commitment chosen previously by the prover. More precisely, given a proof of knowledge \((\mathcal {P},\mathcal {V})\), the prover computes \( com \), then it sets \( ch =\bar{f} ( com ,M)\) where \(\bar{f}\) is a cryptographic hash function and M is the message to be signed. Finally, it computes \( resp \) such that \(( com , ch , resp )\) is a valid transcript. The signature of M is \(( com , resp )\). To verify the validity of the signature, one just has to compute \(ch=\bar{f} ( com ,M)\) and check that \(( com , ch , resp )\) is a valid transcript.
A.2 CDS Construction
The Cramer-Damgård-Schoenmakers (CDS) construction [14] is a generic way to construct a proof of knowledge \((\mathcal {P}^*,\mathcal {V}^*)\) in which the prover proves knowledge of the solution to some subset of instances of a problem, given any PoK protocol \((\mathcal {P},\mathcal {V})\) and a secret sharing scheme \(\mathcal {SS}\).
Given N instances of a problem, let A be the set of indexes for which the prover \(\mathcal {P}^*\) knows the solution. The idea behind the CDS construction is that the new prover \(\mathcal {P}^*\) simulates transcripts \(( com _j, ch _j, resp _j)\) for the instances for which it does not know the solution, that is, for \(j\notin A\). For the instances for which it knows the secret, it computes the commitment \( com _i\), for \(i\in A\), following the protocol \((\mathcal {P},\mathcal {V})\). After receiving the commitments for all instances, the verifier sends a random bit string b to the prover. The string b is interpreted as the secret in \(\mathcal {SS}\), and the challenges \( ch _j\), for \(j\notin A\), as shares forming an unqualified set. This set of shares can be extended to a qualified set by choosing the challenges \( ch _i\), for \(i\in A\), appropriately. The prover then computes valid transcripts \(( com _i, ch _i, resp _i)\) for \(i\in A\); it can do this because it has witnesses for these instances. Finally, the prover \(\mathcal {P}^*\) sends the transcripts \(( com _i, ch _i, resp _i)\) for all i to the verifier. The verifier checks that these are valid transcripts and that the shares \( ch _i\) constitute a qualified set for \(\mathcal {SS}\).
A.3 Stern’s Protocol
Stern’s protocol [24] is a protocol in which, given a matrix \(\mathbf {H}\) and a syndrome vector \(\mathbf {s}\), a prover proves knowledge of an error vector \(\mathbf {e}\) with \(w(\mathbf {e})= t\) and syndrome \(\mathbf {s}\), i.e., \(\mathbf {H}\mathbf {e}^T=\mathbf {s}^T\). The protocol is presented in Algorithm 4. Here, h denotes a cryptographic hash function.
The security of Stern’s protocol is based on the hardness of the SD problem. The protocol has been proven to be complete, special sound and HVZK and, furthermore, has a cheating probability of 2/3 per round [24].
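To make the three appendices concrete, here is an added example, written for this page and not code from the paper, from Stern's original scheme or from the Fujisaki-Suzuki construction: a toy Stern prover, verifier and HVZK simulator over \(\mathbb {F}_2\), a CDS 1-out-of-N proof built on it that shares the challenge additively in \(\mathbb {Z}_3\), and the Fiat-Shamir transform that fixes the shared secret b as a hash of all commitments and the message. The parameters \(n=16\), \(k'=8\), \(t=3\), the function names, the use of SHA-256 for both h and \(\bar{f}\), and the additive secret sharing are assumptions of this example rather than choices made by the paper; the paper's traceability tag is not modelled.

```python
import hashlib
import random

# Toy parameters, constructed for illustration; real instances need n in the hundreds or more.
N_LEN, K_PRIME, T_WEIGHT = 16, 8, 3
ROUNDS = 30  # repetitions drive the 2/3 per-round cheating probability down to (2/3)^30

def h(*parts):
    """Commitment hash h: SHA-256 over a canonical string form of the arguments."""
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def syndrome(H, x):
    """H x^T over F_2 as a tuple of bits."""
    return tuple(sum(a & b for a, b in zip(row, x)) & 1 for row in H)

def xor(a, b):
    return tuple(p ^ q for p, q in zip(a, b))

def permute(sigma, x):  # apply the permutation sigma (a list of positions) to x
    return tuple(x[i] for i in sigma)

def rand_weight_t(rng):  # uniformly random length-n binary vector of Hamming weight t
    ones = set(rng.sample(range(N_LEN), T_WEIGHT))
    return tuple(int(i in ones) for i in range(N_LEN))

def keygen(rng):
    """Random parity-check matrix H and error e of weight t; the public syndrome is s = H e^T."""
    H = [[rng.randrange(2) for _ in range(N_LEN)] for _ in range(K_PRIME)]
    e = rand_weight_t(rng)
    return (H, syndrome(H, e)), e

def stern_commit(H, e, rng):
    """Round 1: commitments (c1, c2, c3) plus the prover state (y, sigma)."""
    y = tuple(rng.randrange(2) for _ in range(N_LEN))
    sigma = rng.sample(range(N_LEN), N_LEN)  # random permutation of the n positions
    return (h(sigma, syndrome(H, y)), h(permute(sigma, y)), h(permute(sigma, xor(y, e)))), (y, sigma)

def stern_respond(e, state, ch):
    """Round 3: open what the challenge ch in {0, 1, 2} asks for."""
    y, sigma = state
    if ch == 0: return (y, sigma)
    if ch == 1: return (xor(y, e), sigma)
    return (permute(sigma, y), permute(sigma, e))

def stern_verify(H, s, com, ch, resp):
    """Accept or reject one transcript (com, ch, resp) for the instance (H, s)."""
    c1, c2, c3 = com
    if ch == 0:
        y, sigma = resp
        return c1 == h(sigma, syndrome(H, y)) and c2 == h(permute(sigma, y))
    if ch == 1:
        z, sigma = resp  # z = y + e, so H z^T + s = H y^T
        return c1 == h(sigma, xor(syndrome(H, z), s)) and c3 == h(permute(sigma, z))
    u, v = resp  # u = sigma(y), v = sigma(e): the weight of e is checked, e itself stays hidden
    return c2 == h(u) and c3 == h(xor(u, v)) and sum(v) == T_WEIGHT

def stern_simulate(H, s, ch, rng):
    """HVZK simulator: a valid transcript for a challenge known in advance, without e."""
    sigma = rng.sample(range(N_LEN), N_LEN)
    r = tuple(rng.randrange(2) for _ in range(N_LEN))
    unopened = h("unopened", rng.random())  # the one commitment this challenge never opens
    if ch == 0:
        return (h(sigma, syndrome(H, r)), h(permute(sigma, r)), unopened), (r, sigma)
    if ch == 1:
        return (h(sigma, xor(syndrome(H, r), s)), unopened, h(permute(sigma, r))), (r, sigma)
    v = rand_weight_t(rng)
    return (unopened, h(r), h(xor(r, v))), (r, v)

def ring_sign(ring, idx, e, M, rng):
    """CDS 1-out-of-N over Stern with Fiat-Shamir; shares ch_j in Z_3 add up to the secret b."""
    sig = []
    for _ in range(ROUNDS):
        coms, chs, resps = [], [], []
        for j, (H, s) in enumerate(ring):
            if j == idx:  # real instance: commit honestly, challenge fixed later
                (com, resp), ch = stern_commit(H, e, rng), None
            else:  # simulated instance: choose the challenge first, then fake the transcript
                ch = rng.randrange(3)
                com, resp = stern_simulate(H, s, ch, rng)
            coms.append(com), chs.append(ch), resps.append(resp)
        b = int(h(coms, M), 16) % 3  # Fiat-Shamir: b = f(com, M) stands in for the verifier
        chs[idx] = (b - sum(c for c in chs if c is not None)) % 3  # complete the qualified set
        resps[idx] = stern_respond(e, resps[idx], chs[idx])
        sig.append((coms, chs, resps))
    return sig

def ring_verify(ring, M, sig):
    """Every transcript must verify and the challenge shares must reconstruct b = f(com, M)."""
    return len(sig) == ROUNDS and all(
        sum(chs) % 3 == int(h(coms, M), 16) % 3
        and all(stern_verify(H, s, c, ch, r) for (H, s), c, ch, r in zip(ring, coms, chs, resps))
        for coms, chs, resps in sig)

def stern_round(ch, seed=1):
    """One interactive round: (honest transcript accepted?, simulated transcript accepted?)."""
    rng = random.Random(seed)
    (H, s), e = keygen(rng)
    com, state = stern_commit(H, e, rng)
    sim_com, sim_resp = stern_simulate(H, s, ch, rng)
    return (stern_verify(H, s, com, ch, stern_respond(e, state, ch)),
            stern_verify(H, s, sim_com, ch, sim_resp))

def demo(seed=7):
    """Ring of four keys, signer at index 2: (valid on M?, valid on a different M?)."""
    rng = random.Random(seed)
    ring, wits = zip(*[keygen(rng) for _ in range(4)])  # public instances and their witnesses
    sig = ring_sign(ring, 2, wits[2], "constructed message", rng)
    return ring_verify(ring, "constructed message", sig), ring_verify(ring, "other message", sig)
```

`stern_round(ch)` runs one interactive round for a fixed challenge and also checks that the simulator's transcript for that challenge is accepted, which is the HVZK argument in miniature: a verifier who sees only one opened challenge per round learns nothing it could not have produced itself. `demo()` signs with the key at ring index 2; since every transcript in the signature has the same shape whether it was simulated or computed honestly, the signature does not reveal the index. Each ring round inherits Stern's single-round cheating probability of 2/3, which is why `ROUNDS` repetitions are needed, and why changing the message changes b and invalidates the share reconstruction.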
B Auxiliary Results
B.1 Proof of Lemma 2
The probability that a vector \(\mathbf {x}\) with \(\mathbf {H}\mathbf {x}^T=\mathbf {s}^T\) exists is the probability that \(\mathbf {H}\) represents a surjective linear map, i.e., that \(\mathbf {H}\) has full rank. Hence, we have to compute the probability that \(k'\) randomly chosen vectors of length n, forming the rows of \(\mathbf {H}\), are linearly independent. We have
Since \((2^n-1)\ge (2^n-2^{k'})\), \((2^n-2)\ge (2^n-2^{k'})\) and \((2^n-2^{k'-1})\ge (2^n-2^{k'})\), we have that
Now, note that
So, it remains to show that
for \(k'\le n/2\). Note that the expression decreases with \(k'\), so it is enough to show it for \(k'=n/2\).
Expanding the expression on the left using the Binomial theorem we get
When \(i=0\) we have
The expression is maximal when \(i=n/4\). Hence, if we show that
when \(i=n/4\), then
In fact, using Stirling’s approximation for n! (which is tight), it can be proved that
for any \(b\in \mathbb {N}\). Hence, we have shown that the expression \(\left( {\begin{array}{c}n/2\\ n/4\end{array}}\right) \left( -\frac{1}{2^{n/2}}\right) ^{n/4}\) goes to zero faster than any function of the form \(1/n^b\), for any \(b\in \mathbb {N}\). Thus, the expression is negligible in n and the result follows. \(\square \)
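As an added numerical check of the first step of this proof (not part of the paper), the following code computes the exact probability that a uniformly random \(k'\times n\) binary matrix has full rank as the product of the factors \((2^n-2^i)/2^n\) for \(i=0,\dots ,k'-1\), the lower bound \((1-2^{k'-n})^{k'}\) obtained by replacing every factor with the smaller value \((2^n-2^{k'})\) as the proof does, and an empirical full-rank rate from seeded random matrices ranked by Gaussian elimination over \(\mathbb {F}_2\). The function names and the toy sizes are this example's own.

```python
from fractions import Fraction
import random

def full_rank_probability(n, kp):
    """Exact probability that a uniformly random kp x n binary matrix has rank kp.
    Row i (0-based) must avoid the 2^i combinations of the rows before it: a (2^n - 2^i)/2^n event."""
    p = Fraction(1)
    for i in range(kp):
        p *= Fraction(2**n - 2**i, 2**n)
    return p

def lower_bound(n, kp):
    """Replace every factor (2^n - 2^i) by (2^n - 2^kp), which is smaller than each: (1 - 2^(kp-n))^kp."""
    return Fraction(2**n - 2**kp, 2**n) ** kp

def rank_f2(rows):
    """Rank over F_2 of rows given as integer bitmasks, by Gaussian elimination."""
    rows = [r for r in rows if r]
    rank = 0
    while rows:
        pivot = rows.pop(rows.index(max(rows)))  # row with the highest leading bit
        top = 1 << (pivot.bit_length() - 1)
        rows = [r ^ pivot if r & top else r for r in rows]  # clear that bit from every other row
        rows = [r for r in rows if r]
        rank += 1
    return rank

def empirical_full_rank_rate(n, kp, trials, seed=0):
    """Fraction of random kp x n matrices (constructed from a seeded PRNG) that have full rank."""
    rng = random.Random(seed)
    hits = sum(rank_f2([rng.getrandbits(n) for _ in range(kp)]) == kp for _ in range(trials))
    return hits / trials

def report(n, kp, trials=2000):
    """(exact, bound, empirical) for one parameter set; exact >= bound always holds."""
    return (float(full_rank_probability(n, kp)), float(lower_bound(n, kp)),
            empirical_full_rank_rate(n, kp, trials))

if __name__ == "__main__":
    for n, kp in [(8, 4), (16, 8), (32, 16)]:
        print(n, kp, report(n, kp))
```

Running `report` for \(k'=n/2\) at increasing n shows the exact probability and the bound both approaching 1, with the gap \(1-(1-2^{-n/2})^{n/2}\) shrinking much faster than any \(1/n^b\); the Monte Carlo column confirms the exact formula on small instances, where the elimination is cheap.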
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Branco, P., Mateus, P. (2019). A Traceable Ring Signature Scheme Based on Coding Theory. In: Ding, J., Steinwandt, R. (eds) Post-Quantum Cryptography. PQCrypto 2019. Lecture Notes in Computer Science(), vol 11505. Springer, Cham. https://doi.org/10.1007/978-3-030-25510-7_21
DOI: https://doi.org/10.1007/978-3-030-25510-7_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25509-1
Online ISBN: 978-3-030-25510-7