1 Introduction

Digital signatures are one of the most important concepts in cryptography. They permit a party to generate a key pair (SK, PK), publish PK and attach certain information \(\varOmega \), called the signature, to a message m. \(\varOmega \) is derived using the private (or signing) key SK and later allows a verifier, equipped with the public verification key PK, to confirm that the signer indeed generated \(\varOmega \) for this specific message m. Security requires that only a party who possesses the secret signing key SK can produce a signature that verifies under PK.

Ring signatures, which were first suggested by Rivest, Shamir, and Tauman [40], relax the condition of having exactly one pair (SK, PK) for signing and verification to a certain extent. They allow a party among a set of N participants to sign a message on behalf of all of them. Here it is crucial that the verifier cannot identify the party that signed the message, while nobody outside of the N participants should be able to sign a message as if he were a participant himself. In comparison to group signatures, the set of parties does not need to be known ahead of time, but only when the signature is generated. Therefore, no key-generation algorithm which generates correlated randomness for all N parties needs to be involved, and rings can be set up ad hoc.

For such a ring signature, each signer could issue an arbitrary number of signatures. Fujisaki and Suzuki introduced the notion of traceable ring signatures [17], where the signer signs a message with respect to a list of ring members and a public issue such as an election. There is a public procedure to determine whether two signatures come from one signer, i.e., the signer is linked if he signs the same message with respect to the same list of ring members and the same issue twice [16]. A related idea is so-called linkable ring signatures, in which case the true signer will be linked when he signs two messages (different or identical) with respect to the same ring. In a more restricted version of linkable ring signatures, one-time linkable ring signatures, a signer is linked as soon as he reveals two signatures. This property has proven to be vital in the construction of cryptocurrencies, where it prevents double-spending attacks while preserving the anonymity of a spender, since the address, or the respective secret key, in the design of the anonymous cryptocurrency is supposed to be one-time [37].

1.1 Related Work

Lattice-Based Signature Schemes. The line of work on lattice-based signature schemes was, to the best of our knowledge, initiated by Goldreich et al. [19], while the first practical construction was based on NTRU [22]. A scheme that fits into this line of work is the provably secure construction due to Gentry et al., also called hash-and-sign [18]. This approach, where the signing key is a secret trapdoor which is used to sample a short lattice vector, was further developed in [9, 15]. A different direction, called Fiat-Shamir with Aborts, was first explored by Lyubashevsky [28, 29]. Very efficient signature schemes such as Tesla [21] and Dilithium [14] have been designed within this framework.

(Linkable) Ring Signature Schemes. There exists a wealth of literature on ring signature and linkable ring signature schemes such as [6, 16, 17, 27, 40] and we only list some of the relevant works here. However, the above-mentioned signature schemes have a signature size that is linearly dependent on the number of users N in the ring. The Groth-Kohlweiss framework [20] is based on homomorphic commitments and provides a ring signature scheme with a logarithmic signature size. Franklin and Zhang [16] propose a general framework for linkable ring signatures. They extend the “PRF made public” paradigm by Bellare and Goldwasser [5] in order to provide linkability by combining a PRF evaluation of the secret key with a NIZK proof of correct evaluation. The smallest ring signatures to date have constant signature size and are based on accumulators. The construction by Dodis et al. [13] uses accumulators based on the strong RSA assumption, while Nguyen’s [36] relies on pairing-based cryptography. There exists also a linkable version of [13] by Tsang and Wei [42] that retains the constant-sized signatures. There exist candidates for post-quantum ring signature schemes such as hash-based [12, 23] or multivariate-quadratic-equation based constructions [35]. Neither provides linkability in its current form, but they can potentially be extended to do so.

Lattice-Based Ring Signature Schemes. Lattice-based ring signatures were first introduced explicitly through the work of Brakerski and Tauman-Kalai [10] who proposed a general framework for ring signatures in the standard model and showed how to instantiate it based on the SIS assumption. The resulting signatures have size O(mN) for message length m and ring size N. Subsequently, Wang and Sun [43] proposed two ring signatures schemes from the SIS assumption in the random oracle and standard model, respectively, both of linear signature size. The first ring signature scheme based on the LWE assumption was proposed by Melchor et al. [33] and is an extension of [28] to the ring signature setting. Like the previous schemes, it yields signatures of linear size. Recently, Libert et al. [25] proposed the first lattice-based ring signature scheme with only logarithmic signature size using a Merkle-tree based construction.

Concurrent Work. In concurrent work, Torres et al. [41] present a construction that is very similar to ours. When comparing the actual parameters of both, we have a larger size of the public keys, but compare favorably in the signature size.

1.2 Our Contribution

We present a lattice-based linkable ring signature scheme based on the Module-SIS and Module-LWE problems. Our scheme has a signature size which is linear in N. It is therefore asymptotically less efficient than e.g. [12, 23, 25]. However, we show that in terms of signature size our construction outperforms or performs as well as [12, 25] for comparable security levels for ring sizes \(N\lessapprox 128\) and beats [23] for rings of small size. A comparison can be found in Table 1 below.

Table 1. Comparison with existing work

The authors of [12] present two different, highly optimized constructions of ring signatures in their work. We mention numbers for both to allow for a fair comparison (outperforming one of the two for \(N=128\)). We want to stress that using known techniques [14] and by choosing parameters more aggressively it is possible to reduce the public key and signature size in our setting further, but such optimizations are beyond the scope of this work. Furthermore, [12, 23, 25] are not linkable in their current form, so one can expect a further increase in their proof size to compute a linkability tag. Though our work only outperforms [23] for small (\(N \le 20\)) ring sizes, this is exactly the range that cryptocurrencies need: the recommended ring size of the most popular cryptocurrency using linkable ring signatures, Monero, at the time of writing was \(N=5\). As mentioned before, using [14] would make it possible to reduce the ring signature size further to also outperform [23] for \(N\lessapprox 64\).

1.3 Technical Overview

As mentioned before, the standard approach for transforming a ring signature scheme into a linkable ring signature scheme, following Franklin and Zhang [16], is to add a PRF evaluation of the signer’s secret key to the signature, as well as a zero-knowledge proof of correct evaluation of the PRF under one of the secret keys corresponding to the public keys. This generic approach applies to any ring signature scheme and was explored for lattice-based PRFs in [25, 26, 44]. However, such proofs come with quite a substantial overhead. Our construction instead follows the approach of Liu et al. [27] that avoids this technique. The main observation is that the signer in their scheme has two “public” keys: one that is published before signature generation as part of the ring of signers, and another one that is appended to each signature. Hence, another “public key” under different public parameters that corresponds to the signer’s secret signing key can be used as linkability tag. Since both kinds of public keys share the same algebraic structure, the two “public keys” of the signer, i.e. the actual public key and the linkability tag, can be tied together without appending another non-interactive zero-knowledge proof to the signature.

Since our construction will be based on the (Module-)SIS and (Module-)LWE problem, the public keys of the parties are of the form \(PK = \varvec{A}\varvec{r}\) for secret key \(\varvec{r}\) and public matrix \(\varvec{A}\). Linkability will be ensured by providing linkability tags \(I = \varvec{B}\varvec{r}\) for another public matrix \(\varvec{B}\). Interestingly, the reason why our construction achieves only one-time linkability is inherent in this approach: any evaluation \(\varvec{B} \varvec{r}\) leaks information about \(\varvec{r}\). If a fresh matrix \(\varvec{B}\) is generated for each ring, then a malicious party can receive more leakage on \(\varvec{r}\) than intended and hence may be able to recover the signer’s secret key.

In order to obtain more efficient lattice-based (linkable) ring signatures, it may be tempting to try to instantiate current sublinear-size ring signatures in the lattice setting. Note, however, that this is far from trivial, as these solutions are specifically tailored to a certain assumption like Dodis et al.’s accumulator-based ring signatures [13], or suffer from the well-known problem that hard lattice assumptions do not provide enough algebraic structure to support existing sublinear approaches based on homomorphic operations like that of Groth and Kohlweiss [20].

Paper Organization

In Sect. 2 we will introduce some definitions and lemmas concerning lattice-based constructions which we will need throughout this work. Moreover, we will give definitions for linkable ring signatures (following previous work). Section 3 contains the construction and security statements. The main parts of the proofs are deferred to Appendix A, whereas we discuss the practicality of our scheme in Sect. 4. In this section, we also provide a sample parameter set for our construction together with estimates for the size of signatures.

2 Preliminaries

We will use [N] as shorthand for the set \(\{1, \dots , N\}\). Let R be the cyclotomic ring , where \(\nu =2^p\) and \(p \in \mathbb {N}^+\). Let q be an odd prime and define . Here \(\mathbb {Z}_q\) denotes the integers modulo q, which will be represented as elements from the interval \(\left[ - {\frac{{q - 1}}{2}}, {\frac{{q - 1}}{2}} \right] \). For \(f=\sum _i f_i X^i \in R\), the norms of f are defined as

$$\begin{aligned} {l_1}:{\left\| f \right\| _1} = \sum \nolimits _i {\left| {{f_i}} \right| }, ~ {l_2}:{\left\| f \right\| _2} = {\left( {\sum \nolimits _i {{{\left| {{f_i}} \right| }^2}} } \right) ^{1/2}},~{l_\infty }:{\left\| f \right\| _\infty } = \mathop {\max }\limits _i \left| {{f_i}} \right| . \end{aligned}$$

If \(f \in R_q\), then we will represent each coset from \(\mathbb {Z}_q\) with its unique representative from the aforementioned interval and consider the norm of the obtained \(\mathbb {Z}\)-vector. Let \(S_{\beta }\) denote the set of elements \(x \in R\) with \(l_\infty \)-norm at most \(\beta \). Let \(\mathbf {0}_v\in \mathbb {Z}^{v \times v}\) and \(\mathbf {I}_v \in \mathbb {Z}^{v \times v}\) denote the zero and identity matrix over \(\mathbb {Z}\).

Remark 1

We use the following standard relations among different l-norms of a vector in R as defined above:

  1. If \(f, g \in R\) such that \(\left\| f\right\| _\infty \le \beta \), \(\left\| g\right\| _1 \le \gamma \), then \(\left\| fg\right\| _\infty \le \beta \gamma \).

  2. If \(f \in R\), \(\varvec{g} \in R^v\) satisfy that \(\left\| f\right\| _2 \le \beta \), \(\left\| \varvec{g}\right\| _\infty \le \gamma \), then \(\left\| f\varvec{g}\right\| _2 \le \sqrt{v}\nu \beta \gamma \).

We require a subset D of \(R_q\) which consists of short invertible elements such that the difference of any two distinct elements from this set is also invertible. It was shown in [32] that as long as q is a prime with \(q \equiv 17 \bmod 32\) and \(q>2^{20}\), then the set \(D=\left\{ {d \in {R_q}|{{\left\| d \right\| }_\infty } \le 1,{{\left\| d \right\| }_1} \le \kappa } \right\} \) satisfies this requirement. We use \(\bar{D}\) to denote the set of values \(D+D\) excluding 0.

2.1 Normal Distribution and Rejection Sampling

The continuous normal distribution over \(\mathbb {R}^\nu \) centered at \(\varvec{u}\in \mathbb {R}^\nu \) with standard deviation \(\sigma \) has probability density function

$$ \rho _{\varvec{u},\sigma }^\nu (\varvec{x}) = \left( \frac{1}{\sqrt{2\pi }\sigma } \right) ^{\nu } \cdot \exp \left( \frac{-||\varvec{x}-\varvec{u}||_2^{2}}{2\sigma ^2} \right) $$

The discrete normal distribution over \(R^v\) centered at \(\varvec{u}\in R^v\) with standard deviation \(\sigma \) is given by the distribution function (for all \(\varvec{x} \in R^{v}\))

$$ \mathcal {N}_{\varvec{u},\sigma }(\varvec{x})= \rho _{\varvec{u},\sigma }^{v \cdot \nu }(\varvec{x})/\rho _{\sigma }^{v \cdot \nu }(R^v), $$

where we omit the subscript \(\varvec{u}\) when it is zero. We use the following standard tail-bound due to Banaszczyk:

Lemma 1

Let \(\mathcal {N}_{\varvec{u},\sigma }\) be defined as above. Then

$$\begin{aligned} \Pr \left[ {{{\left\| \varvec{z} \right\| }_2} > 2\sigma \sqrt{v\nu }|\varvec{z} \leftarrow \mathcal {N}_\sigma ^v} \right] < {2^{-v\nu }} \end{aligned}$$

For our ring signature scheme, we use rejection sampling to hide the secret signing key. The basic idea of rejection sampling is to abort the protocol with a certain probability such that the distribution of the response is independent of the secret input. We adopt the rejection sampling lemma from [29]:

Lemma 2

Let V be a subset of \(R^v\) such that all elements have \({\left\| \cdot \right\| _2}\)-norm less than T, let \(\sigma \in \mathbb {R}\) be such that \(\sigma =\omega (T \sqrt{\log (v\nu )})\), and let \(h: V \rightarrow \mathbb {R}\) be a probability distribution. Then there exists an \(M=O(1)\) such that the output distributions of the following two algorithms \(\mathcal {A}\), \(\mathcal {S}\) are within statistical distance \(2^{-\omega (\log (v\nu ))}/M\):

  • \(\mathcal {A}\):

    1. \(\varvec{u} \leftarrow h\)

    2. \(\varvec{z} \leftarrow \mathcal {N}^v_{\varvec{u},\sigma }\)

    3. output \(\left( {\varvec{u},\varvec{z}} \right) \) with probability \(\min \left( {\frac{1}{M} {\frac{{{\mathcal{N}^v_\sigma }\left( \varvec{z} \right) }}{{{\mathcal{N}_{\varvec{u},\sigma }^v}\left( { \varvec{z}} \right) }}} ,1} \right) \)

  • \(\mathcal {S}\):

    1. \(\varvec{u} \leftarrow h\)

    2. \(\varvec{z} \leftarrow \mathcal {N}^v_{\sigma }\)

    3. output \(\left( {\varvec{u},\varvec{z}} \right) \) with probability 1/M

Moreover, the probability that \(\mathcal {A}\) outputs a value is at least \(\frac{1-2^{-\omega (\log (v\nu ))}}{M}\).

In [29], the author remarks that if \(\sigma = \alpha T, \alpha >0\) and \(M=\exp \left( 12/\alpha +1/(2\alpha ^2)\right) \) then the output of both algorithms will be within statistical distance \(2^{-100}/M\) and \(\mathcal {A}\) will output a value with probability at least \(\dfrac{1-2^{-100}}{M}\). As an example, assume that we want the signing algorithm to succeed in each iteration with probability 1/3, i.e. we want to set \(M=3\). Then following the reasoning in [29], we can set \(\sigma =11\cdot T \). This means that the output of the signing algorithm is indistinguishable from the simulator except with probability \({\approx }\,\,2^{-98}\), which we deem sufficient for our application.
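Written out with the lemma's symbols (a worked step added here, not part of the original text): since both Gaussians share the same \(\sigma \), the normalising constants cancel and the acceptance probability in step 3 of \(\mathcal {A}\) depends on \(\varvec{u}\) only through \(\left\| \varvec{u} \right\| _2\) and the inner product \(\langle \varvec{z}, \varvec{u} \rangle \):

$$\begin{aligned} \frac{\mathcal{N}^v_\sigma (\varvec{z})}{M \cdot \mathcal{N}^v_{\varvec{u},\sigma }(\varvec{z})} = \frac{1}{M} \exp \left( \frac{\left\| \varvec{z}-\varvec{u} \right\| _2^2 - \left\| \varvec{z} \right\| _2^2}{2\sigma ^2} \right) = \frac{1}{M} \exp \left( \frac{\left\| \varvec{u} \right\| _2^2 - 2 \langle \varvec{z}, \varvec{u} \rangle }{2\sigma ^2} \right) . \end{aligned}$$

This is the form an implementation evaluates; in the signing algorithm of Sect. 3 the role of \(\varvec{u}\) is played by \(d_\ell \varvec{r}_\ell \), whose \(l_2\)-norm is the T to which \(\sigma \) is scaled. For \(\alpha =11\) the constant is \(M=\exp \left( 12/11+1/242\right) \approx 2.99\), i.e. the value \(M=3\) targeted above.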

2.2 Module-SIS and Module-LWE

The security of our linkable ring signature scheme will be based on the hardness of two problems, Module-SIS and Module-LWE [24]. These problems are variants of the well-known SIS [1] and LWE [39] problems, but over modules that are defined over polynomial rings. This is a generalized version of the Ring-SIS and Ring-LWE problems [30, 31, 38]. Using module-lattice assumptions comes with two advantages: (i) while they generalize ideal-lattice assumptions, they retain enough structure to construct the large space of short, invertible elements which our construction requires; and (ii) there is evidence that module lattices of larger rank are less prone to certain attacks than ideal lattices [3, 8].

The homogeneous Module-SIS problem consists of finding a vector \(\varvec{r}\) of small norm such that \(\varvec{A}\varvec{r}=0\) for a given, structured matrix \(\varvec{A}\).

Definition 1

\((\textsc {MSIS}_{h, v, t}).\) Given \(\varvec{A} \leftarrow R_q^{h \times v}\), find \(\varvec{r} \in R^v\) such that

\(\varvec{A} \varvec{r} = 0\) and \(0 < {\left\| \varvec{r} \right\| _2} \le t\).

Our scheme also uses the Decisional Module-LWE problem. In \(\textsc {D}\hbox {-}\textsc {MLWE}\), the problem consists of distinguishing noisy linear equations from random.

Definition 2

\((\textsc {D}\hbox {-}\textsc {MLWE}_{h, v, \beta }).\) Let \(\varvec{A} \leftarrow R_q^{h \times v}\). Then distinguish the distributions

$$\begin{aligned} (\varvec{A}, \varvec{A} \varvec{r}) ~ \text { and } ~ (\varvec{A}, \varvec{u}) \end{aligned}$$

where \(\varvec{r} \leftarrow S^v_\beta \) and \(\varvec{u} \leftarrow R_q^h\).

Here, we use a special instance of the Module-LWE problem where the secret has the same distribution as the noise.

If two samples (with different matrices, but same secret vector \(\varvec{r}\)) are issued by the challenger, then this can still be related to a \(\textsc {D}\hbox {-}\textsc {MLWE}\) instance but with different parameters, as the following proposition shows.

Proposition 1

Let \(\varvec{A}, \varvec{B} \leftarrow R_q^{h\times v}\), \(\varvec{r} \leftarrow S_\beta ^v\) and \(\varvec{c}, \varvec{d} \leftarrow R_q^h\). Then

$$ (\varvec{A}, \varvec{A} \varvec{r}, \varvec{B}, \varvec{B} \varvec{r}) \approx _c (\varvec{A}, \varvec{c}, \varvec{B}, \varvec{d}) $$

given the \(\textsc {D}\hbox {-}\textsc {MLWE}_{2h, v, \beta }\)-problem is hard.

Proof

Consider the matrices \(\varvec{E} = \left[ {\begin{array}{*{20}{c}} \varvec{A}\\ \varvec{B} \end{array}} \right] \), and \(\varvec{E}\varvec{r}=\left[ {\begin{array}{*{20}{c}} \varvec{A}\varvec{r}\\ \varvec{B}\varvec{r} \end{array}} \right] \). Then distinguishing the above distributions is equivalent to distinguishing

$$\left( \varvec{E}, \varvec{E}\varvec{r}\right) \approx _c \left( \varvec{E}, \left[ {\begin{array}{*{20}{c}} \varvec{c}\\ \varvec{d} \end{array}} \right] \right) $$

This is the definition of the \(\textsc {D}\hbox {-}\textsc {MLWE}_{2h, v, \beta }\) problem.   \(\square \)

Our construction will moreover rely on a third problem, namely the Search Module-LWE problem. It can be seen as an inhomogeneous \(\textsc {MSIS}\) instance where the target is known to have a short preimage under \(\varvec{A}\).

Definition 3

\((\textsc {S}\hbox {-}\textsc {MLWE}_{h, v, \beta }).\) Sample a uniformly random \(\varvec{r}\leftarrow S_\beta ^v\). Given \(\left( \varvec{A} \leftarrow R_q^{h \times v}, \varvec{s}=\varvec{A}\varvec{r} \right) \), find \(\varvec{r}' \in R^v\) such that \(\varvec{A} \varvec{r}' = \varvec{s}\) and \(0 < {\left\| \varvec{r}' \right\| _\infty } \le \beta \).

Fixing \(h,v,\beta \) of an \(\textsc {S}\hbox {-}\textsc {MLWE}\)-instance, it is easy to see that any algorithm \(\mathcal {A}\) that solves \(\textsc {S}\hbox {-}\textsc {MLWE}\)-instances can also solve \(\textsc {D}\hbox {-}\textsc {MLWE}\)-instances with the same parameters in comparable time and with similar probability. For the converse direction, Langlois and Stehlé [24] showed that, for certain parameter sets, \(\textsc {S}\hbox {-}\textsc {MLWE}\) can be reduced to \(\textsc {D}\hbox {-}\textsc {MLWE}\).

2.3 Linkable Ring Signatures

The formal syntax and security model of linkable ring signatures, sometimes also called linkable spontaneous anonymous group signatures, can be found in [17, 27]. Definitions of linkable ring signatures with adaptation to the cryptocurrency scenario can be found in [37]. Our definitions are in the spirit of [17, 20, 27].

Definition 4

(Linkable Ring Signature). A linkable ring signature scheme consists of five algorithms:

  • \(\mathbf {Setup}(1^\lambda )\): Generates and outputs public parameters PP available to all users.

  • \(\mathbf {KGen}(PP)\): Generates a public key PK and a private signing key SK.

  • \(\mathbf {Sign}_{PP, SK_\ell }(m, L)\): Outputs a signature \(\varOmega \) on the message \(m \in \{0, 1\}^\star \) with respect to the ring \(L=(PK_1, \dots , PK_N)\). Here, (\(PK_\ell , SK_\ell \)) is a valid key pair output by \(\mathbf {KGen} (PP)\), and \(PK_\ell \in L\).

  • \(\mathbf {Vfy}(m, L, \varOmega )\): Verifies a purported ring signature \(\varOmega \) on a message m with respect to the ring of public keys L. It outputs a bit \(b\in \{0,1\}\).

  • \(\mathbf {Link}(m_1, m_2,\varOmega _1,\varOmega _2)\): Takes as inputs two messages \(m_1, m_2\) as well as two signatures \(\varOmega _1\) and \(\varOmega _2\) and outputs \(b\in \{0,1\}\).

The above algorithms form a linkable ring signature scheme if the following four definitions of correctness, signer anonymity, linkability and exculpability are fulfilled.

Definition 5

(Correctness). Let \(N\ge 1\). Then \(\forall t\in [N],~\forall \{i_1,\ldots , i_t\} \subset [N], k\in \{i_1,\ldots , i_t\} \) and \(\forall m\in \{0,1\}^*\) it holds that

$$ \Pr \left[ \begin{array}{c|c} \mathbf {Vfy} (m,L,\varOmega )= 0 ~ &{} ~ \begin{array}{l} PP\leftarrow \mathbf {Setup} (1^\lambda ), \\ \{(PK_i, SK_i) \leftarrow \mathbf {KGen} (PP) \}_{i \in [N]}, \\ L=(PK_{i_1},\dots ,PK_{i_t} ), \\ \varOmega = \mathbf {Sign} _{PP,SK_k}(m,L) \end{array} \end{array} \right] \le {\text {negl}}(\lambda ) $$

Signer anonymity captures the intuition that if the targeted signer is not corrupted, then the probability that the adversary can identify him as the true signer among all uncorrupted parties is negligible.

Definition 6

(Signer Anonymity). Let \(L=(PK_1,\dots ,PK_N)\) be a list of public keys and \(D_t\) be any set of \(0\le t<N\) signing keys such that \(\forall SK_i \in D_t ~ \exists PK_i \in L: ~ (PK_i, SK_i) \text { is generated by }{} \mathbf {KGen} \). A ring signature scheme is signer anonymous if for any PPT algorithm \(\mathcal {E}\) that is given any message m, sets \(L,D_t\) as defined above and any valid signature \(\varOmega \) on L and m generated using \(SK_\ell \not \in D_t\), it holds that

$$ \left| {\Pr \left[ {\mathcal {E}\left( {m,L,{D_t},\varOmega } \right) = \ell } \right] - \frac{1}{{N - t}}} \right| \le {\text {negl}}(\lambda )\text {.} $$

Let \(PP\leftarrow \mathbf {Setup}(1^\lambda )\). For the following two definitions we assume the existence of two oracles \(\mathcal {O}_K, \mathcal {O}_S\):

  • Key generation oracle \(\mathcal {O}_K\): On input of a bit b, generate a random key pair \((PK, SK) \leftarrow \mathbf {KGen}(PP)\). If \(b=0\) then output PK, otherwise (PK, SK).

  • Signing oracle \(\mathcal {O}_S\): On input (L, m, i), where \(L=(PK_1,\dots ,PK_N)\) are public keys generated by \(\mathcal {O}_K\), \(i\in [N]\), \(\mathcal {O}_K\) did not output \(SK_i\) and \(m\in \{0,1\}^*\), return \(\varOmega \leftarrow \mathbf {Sign}_{PP,SK_i}(m,L)\). If a key in L was not queried before, then output \(\bot \).

The idea behind the Linkability definition is as follows: if the same signer generates two signatures, then the algorithm \(\mathbf {Link}\) will identify this with overwhelming probability. It is important that this not only holds against honest use of the algorithm \(\mathbf {Sign}\), but arbitrary adversaries.

Definition 7

(Linkability). Let \(\mathcal {A}\) be a PPT algorithm with oracle access to \(\mathcal {O}_K, \mathcal {O}_S\). \(\mathcal {A}\) is given \(1^\lambda \) and PP as input and outputs a list \(L\subseteq \overline{L}\) (where \(\overline{L}\) is the set of all keys queried from \(\mathcal {O}_K\)) of length N together with \(N+1\) values \(\{(m_i, \varOmega _i)\}_{i \in [N+1]}\). Then the scheme is linkable if, for every such \(\mathcal {A}\),

$$ \Pr \left[ \begin{array}{l} \forall i\in [N+1]:\, \mathbf {Vfy} (m_i,L,\varOmega _i)=1, \\ \forall i,j\in [N+1], \,i\ne j : \, \mathbf {Link} (m_i, m_j, \varOmega _i, \varOmega _j)=0 \end{array} \right] \le {\text {negl}}(\lambda ). $$

The above only concerns an adversary who tries to produce signatures that escape linking. Equally important is the setting where two signatures are produced by two different parties, where we require that their tags be distinct; this in particular includes signatures produced honestly by the \(\mathbf {Sign}\) algorithm. This property is important in the setting of cryptocurrencies, where one might otherwise be able to issue transactions that link to, and thus appear to come from, another party.

Definition 8

(Exculpability). Let \(\mathcal {A}\) be a PPT algorithm with oracle access to \(\mathcal {O}_K, \mathcal {O}_S\). \(\mathcal {A}\) is given \(1^\lambda \) and PP as input and outputs a list \(L\subseteq \overline{L}\) (where \(\overline{L}\) is the set of all keys queried from \(\mathcal {O}_K\)) of length N together with two pairs \((m_1, \varOmega _1), (m_2,\varOmega _2)\) with \(\mathbf {Vfy} (m_1,L,\varOmega _1)=\mathbf {Vfy} (m_2, L,\varOmega _2)=1\), not both queried to \(\mathcal {O}_S\). Let \(M\subset L\) be the set of \(PK_i\) for which \(\mathcal {A}\) did not obtain \(SK_i\) from \(\mathcal {O}_K\). Then

$$ \Pr \left[ \begin{array}{l|l} \mathbf {Link} (m_1,m_2,\varOmega _1,\varOmega _2)=1 ~ &{} ~ \begin{array}{l} \exists PK_i \in M, \exists m\in \{0,1\}^*, \\ \exists j\in \{1,2\}: \, \\ \big [ \varOmega \leftarrow \mathbf {Sign} _{PP,SK_i}(m,L), \\ \mathbf {Link} (m,m_j,\varOmega ,\varOmega _j)=1 \big ] \end{array} \end{array} \right] \le {\text {negl}}(\lambda ). $$

Remark 2

In our scheme, we do not give a definition and proof for existential unforgeability. As was observed in [17] the above definitions imply this property, as any algorithm breaking existential unforgeability can be used in a black-box setting to break exculpability (see [17, Theorem 2.6]).

3 Constructing Linkable Ring Signatures

In this section, we will describe our linkable ring signature scheme and prove its security. Our proposed scheme can be considered as an adaptation of the linkable ring signature scheme proposed in [27] to the lattice setting. However, while most linkable signature schemes such as the one proposed in [16] require the use of a pseudorandom function to achieve linkability, our scheme demonstrates that linkability for one-time ring signature schemes can be obtained without using a pseudorandom function to generate the tag.

If a scheme is not one-time, then this PRF is evaluated on the secret (or public) key of the signing party and a description of the actual ring L. In our case, it is not necessary to include the ring L into the tag computation (as the scheme is one-time) and we attach a tag derived from the secret key only. Concretely, each party will have a private key \(\varvec{r}_i\) together with a public key \(PK_i = \varvec{A} \varvec{r}_i\), where \(\varvec{A}\) is a random length-compressing matrix and \(\varvec{r}_i\) is a vector of small norm. Thus, \(PK_i\) is an evaluation of the public collision-resistant hash function \(f_{\varvec{A}}(\cdot ): \varvec{x} \mapsto \varvec{A} \varvec{x}\) on the private input \(\varvec{r}_i\).

During the signing process, the signer will generate two rings of signatures (similar to [27, 40] but twice): the first is a ring consisting of signatures for all the N public keys and generated using \(f_{\varvec{A}}\) whereas the second ring uses a different CRHF \(f_{\varvec{B}}\). This function \(f_{\varvec{B}}(\cdot ): \varvec{x} \mapsto \varvec{B} \varvec{x}\) uses a different public matrix \(\varvec{B}\) having the same dimensions as \(\varvec{A}\). The crucial point to interleave these rings is that they are built simultaneously, using the same challenges and blinding value in each step. For this to be verifiable, the signer must now include his \(I_i\) in the signature, which serves the same purpose as the public key \(PK_i\) in the first ring. We will show that the signer is bound to use his own value \(I_i\) if he wants to generate a valid signature and will therefore produce a collision if a second signature is revealed.

Let \(H: \{0,1\}^* \rightarrow D\) be a cryptographic hash function where D is the challenge space defined in Sect. 2. The algorithms of our scheme are defined as follows:

  • \(\mathbf {Setup}(1^\lambda )\): Sample two random matrices \(\varvec{A}, \varvec{B} \leftarrow R_q^{h \times v}\) and set \(PP=(\varvec{A}, \varvec{B})\).

  • \(\mathbf {KGen}(PP)\): Sample \(\varvec{r} \leftarrow S_{\beta }^v\) and then generate the public key \(PK = \varvec{A}\varvec{r}\) as well as the signing key \(SK = \varvec{r}\).

  • \(\mathbf {Sign}_{PP, SK_\ell }(m, L)\):

    1. Compute the tag \(I_\ell = \varvec{B} \varvec{r}_\ell \).

    2. Sample \(\varvec{u} \leftarrow \mathcal {N}_{\sigma }^{v}\) and set \(d_{(\ell \bmod N)+1}\leftarrow H(L, I_\ell , m, \varvec{A} \varvec{u}, \varvec{B} \varvec{u})\).

    3. For each \(i=\ell +1, \dots , N, 1, \dots , \ell -1\):

       (a) Sample \(\varvec{r}_{z, i} \leftarrow {\mathcal {N}_{\sigma }^{v}}\).

       (b) Set \({t_{i,1}} = \varvec{A} \varvec{r}_{z,i} - {d_i} P{K_{i}}\) and \({t_{i,2}} = \varvec{B}\varvec{r}_{z,i} - {d_i}{I_\ell }\) as well as \(d_{(i\bmod N)+1} \leftarrow H(L, I_\ell , m, t_{i,1}, t_{i,2})\).

    4. Compute \({\varvec{r}_{z,\ell }} ={\varvec{u} } + {d_{\ell }}{\varvec{r}_\ell }\).

    5. Abort with probability \(1 - \min \left( {1,\frac{{\mathcal{N}_\sigma ^v\left( {{\varvec{r}_{z,\ell }}} \right) }}{{M\cdot \mathcal{N}_{{d_\ell }{{\varvec{r}}_\ell },\sigma }^v\left( {{\varvec{r}_{z,\ell }}} \right) }}} \right) \), otherwise output the signature \(\varOmega =\left( {{d_1}, \left( \varvec{r}_{z,i}\right) _{i \in [N]},{I_\ell }} \right) \).

  • \(\mathbf {Vfy}(m, L, \varOmega )\):

    1. For \(i \in [ N]\), check whether \(\left\| { {{{\varvec{r}}_{z,i}}} }\right\| _2 \le 2\sigma \sqrt{\nu v}\), else output 0.

    2. For \(i \in [N]\), compute \({t'_{i,1}} = \varvec{A} \varvec{r}_{z,i} - {d_i}P{K_{i}}\), \({t'_{i,2}} = \varvec{B} \varvec{r}_{z,i} - {d_i}{I_\ell }\) as well as .

    3. If then output 1, else output 0.

  • \(\mathbf {Link}(\varOmega _1, \varOmega _2)\): Given

    $$\varOmega _1=\left( {{d_1^{(1)}},\left( \varvec{r}_{z,i}^{(1)}\right) _{i \in [N]},{I^{(1)}_\ell }} \right) \text { and } \varOmega _2=\left( {{d_1^{(2)}},\left( \varvec{r}_{z,i}^{(2)}\right) _{i \in [N]},{I^{(2)}_\ell }} \right) , $$

    return 1 if \(I^{(1)}_\ell =I^{(2)}_\ell \) and 0 otherwise.

Correctness can easily be verified using Lemmas 1 and 2.

3.1 Security

We now give the security statements of our construction. Due to length constraints, the proofs for these can be found in Appendix A.

Theorem 1

(Signer Anonymity). The proposed ring signature scheme provides signer anonymity in the (programmable) random oracle model assuming hardness of the \(\textsc {D}\hbox {-}\textsc {MLWE}_{2h,v,\beta }\)-problem.

Theorem 2

(Linkability). Assume that there exists an algorithm \(\mathcal {A}\) that breaks linkability with probability \(\epsilon \), in time at most s, with at most \(q_H\) queries to \(\mathcal {O}_K\) and \(q_S\) queries to \(\mathcal {O}_S\). Then there exists an algorithm \(\mathcal {M}\) that breaks a \(\textsc {MSIS}_{h,v,t}\)-instance with probability \(\left( \epsilon - \frac{1}{|\overline{D}|-q_H-Nq_S}\right) ^2 /\left( (N^2+N) q_H\right) ^2\) in time \(O(N^2\cdot q_H\cdot s)\) where \(t=4\sigma \sqrt{v \cdot \nu } + 2\cdot \kappa \cdot v \cdot \nu ^{1.5}\cdot \beta \).

Theorem 3

(Exculpability). Assume that there exists an algorithm \(\mathcal {A}\) that breaks exculpability with probability \(\epsilon \), in time at most s, with at most \(q_H\) queries to \(\mathcal {O}_K\) and \(q_S\) queries to \(\mathcal {O}_S\). Then there exists an algorithm \(\mathcal {M}\) that either breaks an \(\textsc {S}\hbox {-}\textsc {MLWE}_{2h,v,\beta }\) instance or an \(\textsc {MSIS}_{h,v,t}\)-instance with probability

$$\left( \frac{(N-1)\epsilon }{N} - \frac{1}{|\overline{D}|-q_H-Nq_S}\right) ^2 /\left( (N^2+N)(q_H+N\cdot q_S)\right) ^2$$

in time \(O(N\cdot q_H\cdot s)\) where \(t=4\sigma \sqrt{v \cdot \nu } + 2\cdot \kappa \cdot v \cdot \nu ^{1.5}\cdot \beta \).

4 Discussion

We now discuss questions surrounding the practicality of our scheme and hint at future research directions.

Practical Considerations. The runtime of \(\mathbf {Vfy}\) is essentially the N-fold runtime of the verification of a regular lattice-based signature scheme. For signing, the computation and sampling of \(I_\ell ,\varvec{u}\) as well as \(\varvec{r}_{r,j}, \varvec{A} \varvec{r}_{z,j},\varvec{B} \varvec{r}_{z,j}\) for \(j\ne \ell \) can be done offline. The size of the total signature is approximately the size of N individual lattice-based signatures, as can be seen in Table 2.

As the basis of our construction, we chose a simple signature scheme without optimizations. Following the outline of our algorithms, one can instantiate it with e.g. [14] and then use their key-compression technique: this optimization is important when it comes to signature size.

Parameter Selection. In our construction, the \(\textsc {D}\hbox {-}\textsc {MLWE}\)-instance from Theorem 1 and the \(\textsc {S}\hbox {-}\textsc {MLWE}\)-instance in Theorem 3 have the same dimensions and bounds. Moreover, it was already mentioned in Sect. 2.2 that any algorithm which solves the \(\textsc {S}\hbox {-}\textsc {MLWE}\) problem in time h with success probability \(\epsilon \) can be turned into a distinguisher for \(\textsc {D}\hbox {-}\textsc {MLWE}\) for the same dimension with essentially the same runtime and success probability. It thus suffices in the parameter selection to look at the \(\textsc {D}\hbox {-}\textsc {MLWE}\)-instance only.

Table 2. Parameter settings for our scheme

Unfortunately, it seems like the security reduction cannot be used for the choice of parameters, as it is inherently non-tight: from the proofs in Sect. 3, we see that the reductions have a huge loss in terms of success probability (both due to the use of the Forking Lemma and because the runtime is proportional to the number of queries of \(\mathcal {A}\) to H). If one attempts to obtain a good success probability of the reduction, the estimated runtime gets rather large. We leave a proof with a tighter reduction that can be used to instantiate our construction as an open problem.

Instead, we chose the parameters of our scheme such that the \(\textsc {MSIS}\) and \(\textsc {D}\hbox {-}\textsc {MLWE}\)-problems are hard given that the reduction succeeds (see Table 2). As baseline, we assume hardness of at least 128 bits against all currently known lattice reduction attacks. This is reflected by requiring that lattice reduction would have to achieve a Root Hermite factor of less than 1.003 to break our scheme. For the given parameters, the security relies only on Module-SIS/LWE with \(h=1\), i.e. Ring-SIS/LWE, but increasing \(h,v,\kappa \) and thus decreasing \(\nu \) would allow basing the hardness on Module-SIS/LWE with a larger rank at only a minor increase in the size of the signature.

To choose actual parameters, we use the LWE simulator with sparse secrets from [2, 4] for \(\textsc {D}\hbox {-}\textsc {MLWE}\). Moreover, we use [34] to assess the hardness of our obtained SIS instance. The size estimates in Table 2 are in Kilobytes/Megabytes (as in related work); we bound the size of each coefficient of \(\varvec{r}_{z,i}\) assuming it lies within a \(6\sigma \)-interval.

Post-Quantum Security. It is widely believed that the hardness assumptions used in our scheme may offer security in a post-quantum era. On the other hand, it is unlikely that our security proofs carry over to the Quantum Random Oracle Model (QROM, see e.g. [7]): we use adaptive programming of the RO H in Theorem 1, and adaptive rewinding in Theorems 2 and 3. Both of these proof techniques are somewhat inherent to the construction.

We note that other candidate constructions in the QROM such as [11, 14] also use a form of RO programming (even though not adaptively). Moreover, though it seems unlikely that the Forking Lemma can be proven in the QROM, there exist no attacks on protocols using these proof techniques which stem from this use of the RO, to the best of our knowledge.