Revocable and Linkable Ring Signature

Abstract

In this paper, we construct a revocable and linkable ring signature (RLRS) scheme, which enables a revocation authority to revoke the anonymity of the real signer in linkable ring signature scheme under any circumstances. In other words, the revocability of RLRS is mandatory. The proposed RLRS scheme inherits the desired properties of group signature (anonymity revocation) and linkable ring signature (spontaneous group formation and linkability). In addition, we proved the security of our scheme in the random oracle model. We also provided a revocable ring confidential transaction protocol based on our RLRS scheme, which embedded the revocability in ring confidential transaction protocol.

Appendix A. Revocable Ring Confidential Transaction

In Appendix A, we present a revocable ring confidential transaction protocol based on our RLRS scheme.

\(\mathtt {Setup} (\lambda )\): Let \(\mathbb {G}\) be a group of prime order q such that underlying discrete logarithm problem is intractable. Let \(H_1 : \{0,1\}^* \rightarrow \mathbb {Z}_q\) and \(H_2 : \{0,1\}^* \rightarrow \mathbb {G}\) be two hash functions, and g, h are two generators in \(\mathbb {G}\). The public parameters are \(param = \{\mathbb {G}, g, h, q, H_1, H_2\}\)

\(\mathtt {KeyGen}(param)\): Randomly choose \(x \in \mathbb {Z}_q\) and compute \(y = g^x \pmod {q}\). The secret key is \(sk = x\) and the corresponding public key is \(pk = y\)

\(\mathtt {Mint}(a, pk)\): Given an amount a and a coin address pk, randomly choose \(r \in \mathbb {Z}_q\) and compute \(C = h^a g^r \pmod {q}\), where the coin in address pk is denoted as \(cn_{pk} = C\) and the corresponding coin key \(ck = r\). The public information of an account is \(act = (y,C)\) and the secrete information is \(ask = (x,r)\).

\(\mathtt {Spend}(A_s, R, m, t, \mathbb {Y}, M, pk_{rev})\): On input the spender s’s a set of m accounts \(A_s\), a set of t output accounts R, a set of n group public keys \(\mathbb {Y}\) such that \(\mathbb {Y} = Y_1, \dots , Y_n\), a transaction string M, and a revocation authority’s public key \(pk_{rev} = \tilde{y}\). The spender s can spend his/her m accounts to t output accounts by performing following steps:

1. 1.

   The spender s parses \(A_s = \{ack^{(k)}\}_{k \in [m]}\) into \(\{(y_s^{(1)}, C_s^{(1)}), \dots , (y_s^{(m)}, C_s^{(m)})\}\) and \(K_s = \{ask^{(k)}\}_{k \in [m]}\) into \(\{(x_s^{(1)}, r_s^{(1)}), \dots , (x_s^{(m)}, r_s^{(m)})\}\) where \(\{y_s^{(k)} = g^{x_s^{(k)}}\}_{k \in [m]}\) and \(\{C_s^{(k)} = h^{a_s^{(k)}}g^{r_s^{(k)}}\}_{k \in [m]}\)

2. 2.

   Denote R as a set of output accounts where \(R = \{pk_{out}^{(j)}\}_{j \in [t]}\), spender s randomly chooses \(r_1, \dots , r_t \in \mathbb {Z}_q\) and computes \(C_{out}^j = h^{a_{out}^{(j)}}g^{r_j}\) for \(j \in [t]\) where \(a_{out}^{(1)} + \dots + a_{out}^{(t)} = a_s^{(1)} + \dots + a_s^{(m)}\)

3. 3.

   The spender s uses a public key encryption scheme \(ENC_{pk}(\cdot )\) with public key pk to compute the cipher text \(ctxt_j = ENC_{pk_{out}^{(j)}}(r_j)\) for \(j \in [t]\) and send \(\{ctxt_j\}_{j \in [t]}\) to the corresponding receiver’s address.

4. 4.

   In order to ensure that the amount of output coins equal to input coins, the spender s creates a new public key

   $$\begin{aligned} y_s^{(m+1)} = \frac{\prod _{k=1}^m (y_s^{(k)}\cdot C_s^{(k)})}{\prod _{j=1}^t C_{out}^{(j)}}. \end{aligned}$$

   Since \(a_{out}^{(1)} + \dots + a_{out}^{(t)} = a_s^{(1)} + \dots + a_s^{(m)}\), the \(m+1\) public key is

   $$\begin{aligned} y_s^{(m+1)} = g^{\sum _{k=1}^m (x_s^{(k)} + r_s^{(k)}) - \sum _{j=1}^t r_j} = g^{x_s^{(m+1)}} \end{aligned}$$

   such that \(x_s^{(m+1)} = \sum _{k=1}^m (x_s^{(k)} + r_s^{(k)}) - \sum _{j=1}^t r_j\).

5. 5.

   The spender s randomly picks \(n-1\) group public keys from the blockchain, where each group contains \(m+1\) public keys. We denote these public keys as:

   $$\begin{aligned} \begin{array}{c} Y_1 = \{y_1^{(1)}, \dots , y_1^{(m+1)}\}\\ \vdots \\ Y_{s-1} = \{y_{s-1}^{(1)}, \dots , y_{s-1}^{(m+1)}\}\\ Y_{s+1} = \{y_{s+1}^{(1)}, \dots , y_{s+1}^{(m+1)}\}\\ \vdots \\ Y_n = \{y_n^{(1)}, \dots , y_n^{(m+1)}\} \end{array} \end{aligned}$$

   The spender’s public key is further denoted as \(Y_s = \{y_s^{(1)}, \dots , y_s^{(m+1)}\}\).

6. 6.

   Compute \(m+1\) linking base as \(h_k = H_2(y_s^{(k)})\) for \(k \in [m+1]\) and the linking tags are \(L_k = h_k^{x_s^{(k)}}\) for \(k \in [m+1]\). We denote \(L = \{L_1, \dots , L_{m+1}\}\).

7. 7.

   Encrypt the spender’s \(m+1\) public keys by using revocation authority’s public key \(pk_{rev} = \tilde{y}\) as follows:

   For \(k = 1, \dots , m+1\), randomly pick \(u_1, \dots , u_{m+1} \in \mathbb {Z}_q\) and compute:

   1. (a)

      \(CT_1^{(k)} = g^{u_k}\),

   2. (b)

      \(CT_2^{(k)} = \tilde{y}^{u_k}y_s^{(k)}\),

   3. (c)

      Combine the cipher text \(CX_k = (CT_1^{(k)}, CT_2^{(k)})\).

8. 8.

   For \(k = 1, \dots , m+1\), randomly pick \(t_1^{(k)}\), \(t_2^{(k)} \in \mathbb {Z}_q\) and compute:

   1. (a)

      \(a_{1,s}^{(k)} = g^{t_1^{(k)}}\) and \(a_{2,s}^{(k)} = (\frac{CT_2^{(k)}}{y_s^{(k)}})^{t_1^{(k)}}\),

   2. (b)

      \(c_{s+1}^\prime = H_1(\mathbb {Y}, L, M, \{a_{1,s}^{(1)}, a_{2,s}^{(1)}\}, \dots , \{a_{1,s}^{(m+1)}, a_{2,s}^{(m+1)}\})\),

   3. (c)

      \(\bar{a}_{1,s}^{(k)} = g^{t_2^{(k)}}\) and \(\bar{a}_{2,s}^{(k)} = h_k^{t_2^{(k)}}\),

   4. (d)

      \(c_{s+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{\bar{a}_{1,s}^{(1)}, \bar{a}_{2,s}^{(1)}\}, \dots , \{\bar{a}_{1,s}^{(m+1)}, \bar{a}_{2,s}^{(m+1)}\})\).

9. 9.

   Generate a linkable ring signature with a group of n public key vectors \(\mathbb {Y} = \{Y_1, \dots , Y_n\}\) using spender’s \(m+1\) secret keys \(\{x_s^{(1)}, \dots , x_s^{(m+1)}\}\) with \(m+1\) linking tags \(\{L_1, \dots , L_{m+1}\}\) and \(m+1\) ciphertexts \(\{CX_1, \dots , CX_{m+1}\}\) on some transaction string M as follows:

   1. (a)

      For \(i = s+1, \dots , n, 1, \dots , s-1\), randomly pick \(v_{1,i}^{(1)}, \dots , v_{1,i}^{(m+1)}\) and \(v_{2,i}^{(1)}, \dots , v_{2,i}^{(m+1)} \in \mathbb {Z}_q\) and compute:

   2. (b)

      \(a_{1,i}^{(k)} = g^{v_{1,i}^{(k)}}(CT_1^{(k)})^{c_i^\prime }\) and \(a_{2,i}^{(k)} = \tilde{y}^{v_{(1,i)}^{(k)}}(\frac{CT_2^{(k)}}{y_i^{(k)}})^{c_i^\prime }\) for \(k \in [m+1]\),

   3. (c)

      \(c_{i+1}^\prime = H_1(\mathbb {Y}, L, M, \{a_{1,i}^{(1)}, a_{2,i}^{(1)},\}, \dots , \{a_{1,i}^{(m+1)}, a_{2,i}^{(m+1)}\})\),

   4. (d)

      \(\bar{a}_{1,i}^{(k)} = g^{v_{2,i}^{(k)}}(y_i^{(k)})^{c_i^{\prime \prime }}\) and \(\bar{a}_{2,i}^{(k)} = h_k^{v_{2,i}^{(k)}}L_k^{(c_i^{\prime \prime })}\) for \(k \in [m+1]\),

   5. (e)

      \(c_{i+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{\bar{a}_{1,i}^{(1)}, \bar{a}_{2,i}^{(1)}\}, \dots , \{\bar{a}_{1,i}^{(m+1)}, \bar{a}_{2,i}^{(m+1)}\})\).

10. 10.

    For \(k = 1, \dots , m+1\), compute:

    1. (a)

       \(v_{1,s}^{(k)} = t_1^{(k)} - c_s^\prime u_k\),

    2. (b)

       \(v_{2,s}^{(k)} = t_2^{(k)} - c_s^{\prime \prime }x_s^{(k)}\).

11. 11.

    The signature is \(\sigma = (c_1^\prime , c_1^{\prime \prime }, \{v_{1,1}^{(1)}, \dots , v_{1,1}^{(m+1)}\}, \dots , \{v_{1,n}^{(1)}, \dots , v_{1,n}^{(m+1)}\},\) \(\{v_{2,1}^{(1)}, \dots , v_{2,1}^{(m+1)}\}, \dots , \{v_{2,n}^{(1)}, \dots , v_{2,n}^{(m+1)}\}, \{L_1, \dots , L_{m+1}\},\) \(\{CX_1, \dots , CX_{m+1}\})\).

\(\mathtt {Verify}(n, \mathbb {Y}, \sigma , M)\): The algorithm takes the input of a group \(\mathbb {Y} = \{Y_1, \dots , Y_2\}\) of n groups of public keys, a signature \(\sigma \), and a transaction string M. To verify a transaction, the verifier computes follows:

1. 1.

   First parse the \(m+1\) ciphertext \(CX_k = \{CT_1^{(k)}, CT_2^{(k)}\}_{k \in [m+1]}\)

2. 2.

   For \(i = 1, \dots , n\), compute

   1. (a)

      \(Z_{1,i}^{\prime (k)} = g^{v_{1,i}^{(k)}}(CT_1^{(k)})^{c_i^\prime }\) and \(Z_{2,i}^{\prime (k)} = \tilde{y}^{v_{1,i}^{(k)}}(\frac{CT_2^{(k)}}{y_i^{(k)}})^{c_i^\prime }\) for \(k \in [m+1]\),

   2. (b)

      \(c_{i+1}^\prime = H_1(\mathbb {Y}, L, M, \{Z_{1,i}^{\prime (1)}, Z_{2,i}^{\prime (1)}\}, \dots , \{Z_{1,i}^{\prime (m+1)}, Z_{2,i}^{\prime (m+1)}\})\) if \(i \ne n\),

   3. (c)

      \(Z_{1,i}^{\prime \prime (k)} = g^{v_{2,i}^{(k)}}(y_i^{(k)})^{c_i^{\prime \prime }}\) and \(Z_{2,i}^{\prime \prime (k)} = h_k^{v_{2,i}^{(k)}}(L_k)^{c_i^{\prime \prime }}\) for \(k \in [m+1]\),

   4. (d)

      \(c_{i+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{Z_{1,i}^{\prime \prime (1)}, Z_{2,i}^{\prime \prime (1)}\}, \dots , \{Z_{1,i}^{\prime \prime (m+1)}, Z_{2,i}^{\prime \prime (m+1)}\})\) if \(i \ne n\).

3. 3.

   Check whether

   1. (a)

      \(c_1^\prime \overset{?}{=} H_1(\mathbb {Y}, L, M, \{Z_{1,n}^{\prime (1)}, Z_{2,n}^{\prime (1)}\}, \dots , \{Z_{1,n}^{\prime (m+1)}, Z_{2,n}^{\prime (m+1)}\})\),

   2. (b)

      \(c_1^{\prime \prime } \overset{?}{=} H_1(\mathbb {Y}, L, M, \{Z_{1,n}^{\prime \prime (1)}, Z_{2,n}^{\prime \prime (1)}\}, \dots , \{Z_{1,n}^{\prime \prime (m+1)}, Z_{2,n}^{\prime \prime (m+1)}\})\).

\(\mathtt {Revoke}(n, \mathbb {Y}, sk_{rev}, \sigma )\): The algorithm receives a set \(\mathbb {Y} = \{Y_1, \dots , Y_n\}\) of n groups of public keys, a revocation authority’s private key \(sk_{rev} = \tilde{x}\), and a valid signature \(\sigma \). The revocation authority with the knowledge of secret key \(\tilde{x}\) corresponding to \(\tilde{y}\) decrypts the \(m+1\) ciphertexts to get \(m+1\) public keys which belong to the real spender as follows

1. 1.

   For \(k = 1, \dots , m+1\), parse \(CT_k = (CT_1^{(k)}, CT_2^{(k)})\).

2. 2.

   Get the k-th public key \(y_s^{\prime (k)} = CT_2^{(k)} / CT_1^{(k)^{\tilde{x}}}\) and output all public keys into a set of \(Y_s^\prime = \{y_s^{\prime (1)}, \dots , y_s^{\prime (m+1)}\}\).

3. 3.

   There exists a public key vector \(Y_s \in \mathbb {Y}\) such that \(Y_s = Y_s^\prime \).