Strongly Unforgeable Ring Signature Scheme from Lattices in the Standard Model

In a ring signature scheme, a user selects an arbitrary ring and signs a message on behalf of the ring without revealing the signer's identity. Whistle-blowers especially find this useful. To date, various ring signature schemes have been proposed, all considered to be secure as existentially unforgeable with respect to insider corruption; that is, an adversary who chooses ring-message pairs for which he requests signatures, corrupts honest users, and obtains their signing keys cannot produce forgeries for new ring-message pairs. Lattice-based ring signature schemes offer lower computational overhead and security against quantum attacks. In this paper, we offer a lattice-based scheme. We begin by showing that the existing ring signature schemes are not sufficiently secure, because existential unforgeability still permits an adversary to produce a new signature on a previously signed message. Furthermore, we show that existing ring signature schemes from lattices are not even existentially unforgeable with respect to insider corruption. We then improve previous schemes by applying, for the first time, the concept of strong unforgeability with respect to insider corruption to a ring signature scheme in lattices. This offers more security than any previous ring signature scheme: adversaries cannot produce new signatures for any ring-message pair, including previously signed ring-message pairs.


Introduction
Ring signatures were first introduced by Rivest et al. in 2001 in order to provide anonymity to signers [1]. The classic case of a signer who wishes to remain anonymous would be a whistleblower, who wants to identify a problem without exposing himself as the source. Anyone seeking to expose wrongdoing or leak a secret would want to remain anonymous. Prior to the advent of the ring signature, group signatures were the best way to achieve this; however, group signatures have a group manager who can identify the signer and so complete anonymity is not possible. By contrast, a signer can select a ring for the signature, and no one can trace which member of the ring is the actual signer.
In 2004, Dodis et al. proposed a ring signature scheme in the random oracle model using the Fiat-Shamir transformation [2,3]. In 2006, Bender et al. proposed new definitions of anonymity and existential unforgeability and first proposed ring signature schemes in the standard model [4]. In 2007, Shacham and Waters proposed efficient ring signature schemes in the standard model based on bilinear groups [5].
All of these early ring signatures used non-lattice-based approaches. These cryptographic systems rely on integer factorization and discrete logarithm problems, whose hardness is an average-case assumption. These non-lattice-based approaches do not offer security against quantum computing attacks [12]. These early ring signatures also entailed more computational overhead because they require exponentiation, although they did offer existential unforgeability with respect to insider corruption and anonymity against full key exposure. Lattice-based cryptographic systems held promise in reducing computational overhead since they only require linear operations on matrices [13][14][15][16][17][18].
In order to reduce computational overhead and make ring signatures secure against quantum computing attacks, Brakerski and Kalai introduced the first lattice-based ring signature scheme in 2010, using ring trapdoor functions [19]. The lattice-based approach is based on worst-case problems, which offers the sought-for security against quantum computing attacks; however, Brakerski-Kalai's ring signature scheme did not satisfy existential unforgeability with respect to insider corruption. In 2010, Cayrel et al. proposed a threshold ring signature scheme over ideal lattices (ideal lattices are ideals of certain polynomial rings; that is, ideal lattices are a special case of lattices) in the random oracle model; however, Cayrel et al.'s threshold ring signature scheme did not satisfy existential unforgeability with respect to insider corruption [20]. In 2011, Wang and Sun proposed two ring signature schemes, one in the random oracle model and one in the standard model, using lattice-based delegation techniques [21]. They claimed their ring signature schemes offered the existential unforgeability that had been lacking in Brakerski-Kalai's ring signature scheme, but in fact they did not (see Section 3). In 2013, Aguilar Melchor et al. proposed a new ring signature scheme over ideal lattices; however, Aguilar Melchor et al.'s ring signature scheme is only existentially unforgeable with respect to insider corruption in the random oracle model [22]. Table 1 shows the comparison of ring signature schemes.

Journal of Applied Mathematics

Table 1: Comparison of ring signature schemes from lattices.

Scheme | EU | SU | Model
[19]   | ×  | ×  | STM
[20]   | ×  | ×  | ROM
[21]   | ×  | ×  | ROM/STM
[22]   | ○  | ×  | ROM
Ours   | ○  | ○  | STM

EU means the ring signature scheme is existentially unforgeable with respect to insider corruption, SU means the ring signature scheme is strongly unforgeable with respect to insider corruption, ROM means the ring signature scheme is secure in the random oracle model, and STM means the ring signature scheme is secure in the standard model.
In addition to showing that Wang and Sun's ring signature schemes do not offer existential unforgeability, we introduce a novel lattice-based ring signature scheme that avoids the computational overhead inherent in non-lattice-based schemes while offering existential unforgeability with respect to insider corruption. Indeed, we are the first to propose strong unforgeability for ring signatures, which is stronger than existential unforgeability.
Before the work on strong unforgeability [23][24][25], a signature scheme was considered secure if it was existentially unforgeable; that is, an adversary who chooses messages and obtains signatures on them should not be able to produce a signature on a new message. However, in an existentially unforgeable signature scheme, the adversary may still be able to produce a new signature on one or more of the previously signed messages. By contrast, if a signature scheme is strongly unforgeable, the adversary cannot produce a new signature for any message, including previously signed messages. Strongly unforgeable signature schemes are especially useful in constructing chosen-ciphertext-secure encryption schemes and group signature schemes.
Similarly, existentially unforgeable ring signature schemes have been considered to be secure. In other words, an adversary who chooses ring-message pairs for which she requests signatures is not able to produce signatures for new ring-message pairs. In this paper, we are the first to design a more secure ring signature scheme, implementing the concept of strong unforgeability and ensuring that the adversary cannot produce a new signature for any ring-message pair, including previously signed ring-message pairs. That is, suppose an adversary chooses some ring-message pairs, requests their signatures, and obtains a tuple (R, m, ) of ring, message, and signature along with other such tuples. If the adversary can produce neither a new signature for (R, m) nor a signature for any ring-message pair it did not query, we say that the ring signature scheme is strongly unforgeable.
We accomplish this strong unforgeability using lattices in the standard model. Our ring signature scheme uses new trapdoor algorithms for lattices proposed by Micciancio and Peikert in 2012 [18]. They are much simpler, tighter, faster, and smaller than the existing algorithms. More concretely, their trapdoor algorithms do not run any expensive operation such as matrix inverse computations; their new trapdoor algorithms improved the quality from ≈ 20√ lg to ≈ 1.6√ lg for some small = poly( ) and a security parameter ; using their new trapdoor algorithms reduces the lattice dimension from > 5 lg to ≈ 2 lg . Therefore, our ring signature scheme is also much simpler, tighter, faster, and smaller than the existing lattice-based ring signature schemes. In fact, the lattice dimension of our ring signature scheme is ≈ 2(1 + ) lg for the number of ring users instead of > 5(1 + ) lg . Our ring signature scheme not only maintains anonymity against full key exposure but also offers strong unforgeability with respect to insider corruption in the standard model.

Our Contribution.
Our work makes three significant contributions. First, we show that both of Wang-Sun's ring signature schemes are insecure with respect to existential unforgeability. Second, we propose the concept of strong unforgeability for ring signatures, which is a stronger notion than existential unforgeability. None of the existing lattice-based ring signature schemes satisfy strong unforgeability. Third, based on our new model, we construct a new ring signature scheme from lattices that is both anonymous against full key exposure and strongly unforgeable with respect to insider corruption in the standard model.

Our Approach.
As with most existing ring signature schemes from lattices, we design our ring signature scheme using trapdoor delegation techniques for lattices, which afford anonymity against full key exposure. In addition, like most of the existing signature schemes from lattices, our ring signature scheme uses the "hash-and-sign" paradigm. Wang and Sun also used the "hash-and-sign" paradigm, but in a way that failed to ensure the security of their schemes. Both of Wang-Sun's ring signature schemes hash only the message, so anyone holding a signature on a ring-message pair can add a ring member and obtain a valid signature on the enlarged ring, which is a forgery. We address this problem in our ring signature scheme by hashing the message together with the ring and a random number. Because the ring is included in the hash value, an adversary cannot change the ring. We have drawn on the concept of strong unforgeability in signature schemes from lattices to extend strong unforgeability to a ring signature scheme. One of the features of the existing strongly unforgeable signature schemes is that the signature algorithm samples a signature in a coset of the lattice (not in the original lattice). Our ring signature scheme uses this signature algorithm. This is the defining feature that makes our ring signature scheme strongly unforgeable with respect to insider corruption in the standard model.

Organization of the Paper.
The remainder of our paper is organized as follows. In Section 2, we describe related work and preliminaries: early ring signature schemes, existing lattice-based schemes, and chameleon hash functions. In Section 3, we analyze Wang-Sun's ring signature schemes and show that they do not provide existential unforgeability as they purport to do. In Section 4, we present our security model for ring signatures, describing anonymity against full key exposure and our new concept of strong unforgeability. In Section 5, we construct our ring signature scheme and demonstrate that it is secure in both of these respects. In Section 6, we make our concluding comments.

Preliminaries
The security parameter in this paper is . We denote the real numbers and integers by R and Z, respectively. For a positive integer , we let [1, ] = {1, . . . , }. We denote vectors by lower-case bold letters (e.g., k) and assume that k is a column vector. ‖k‖ means the Euclidean norm of k. We denote matrices by upper-case bold letters (e.g., A) and represent the -by-identity matrix as I . We use standard big-notation, and, if ( ) = ( ( ) ⋅ log ) for any fixed integer , then we denote ( ) =̃( ( )). = poly( ) means ∈ Θ( ) for some positive integer . If | ( )| < 1/ for sufficiently large and any > 0, then a function : R → R is negligible. We denote any negligible function by negl( ). An overwhelming probability is greater than or equal to 1 − ( ), where ( ) is a negligible function. When k is randomly chosen from a set R, we use the notation k ← R. The statistical distance between two distributions and over a countable domain D is denoted by Δ( , ) = 1/2 ⋅ ∑ ∈D | ( ) − ( )|.

Lattices.
In this paper, we consider -dimensional integer lattices. An -dimensional integer lattice Λ is defined as follows: where B = {b 1 , . . . , b } ⊂ Z is a basis. The dual lattice Λ * of Λ is defined as follows: We use a -ary lattice, which is one of -dimensional integer lattices. For a parity-check matrix A ∈ Z × , a -ary lattice Λ ⊥ (A) is defined as follows: where and are positive integers and 0 ∈ Z is a zero vector.
The SIS (short integer solution) problem in lattices is defined as follows.
Definition 1. Given a uniformly random matrix A ∈ Z × for any desired = poly( ), the SIS , problem is to find a nonzero vector k ∈ Z such that Ak = 0(mod ) and ‖k‖ ≤ .
The hardness of the SIS problem follows from [13,26,27]. For ≥ ⋅√ ⋅ (√log ), the SIS problem in the average case is known to be as hard as approximating the SIVP (shortest independent vectors problem) under quantum reductions to withiñ( ⋅ √ ) factors in the worst case.
We now review Gaussian distributions over lattices. First, we recall the Gaussian function as follows: where H is a -dimensional subspace of R , ≥ 1, > 0, x ∈ H, and the Gaussian function centered at c ∈ H. The continuous distribution with density function is defined as follows: Then, the discrete distribution with density function over a lattice Λ is defined as follows: where Λ ⊂ H spans H and x ∈ Λ. Next, we define the Gaussian parameter which is a lattice quantity.
Definition 2 (see [27,28]). For an -dimensional integer lattice Λ and a real number > 0, the Gaussian parameter is the Gaussian function (centered at 0) for 1/ , Λ ⊂ H spans H, and Λ * is the dual lattice of Λ.
In this paper, we also use the following fact.
Lemma 4 (see [18]). There exists a probabilistic polynomial time algorithm GenTrap(A, H) that takes a parity-check matrix A ∈ Z × , an invertible matrix H ∈ Z × , ≥ 1, = ( log ), ≥ 2, and outputs a parity-check matrix A ∈ Z × with its trapdoor T such that (i) GenTrap(A, H) uses some fixed primitive matrix G ∈ Z × whose columns generate all of Z ; (iv) the statistical distance between the distribution of A and the uniform distribution is negligible; (v) 1 (T) = ⋅ ( √ + √ ) holds with an overwhelming probability, where 1 (T) is the maximal singular value of T and > 0; The trapdoor Gaussian sampling algorithm SampleD(A, T, H, u, ) proposed by Micciancio and Peikert in 2012 [18] has the following properties.
Lemma 5 (see [18]). There exists a probabilistic polynomial time algorithm SampleD(A, T, H, u, ) that takes a parity- if is a power of 2, or = √ 5 otherwise), ≥ 1, = ( log ), ≥ 2, and outputs a vector k such that (i) SampleD(A, T, H, u, ) uses some fixed primitive matrix G ∈ Z × whose columns generate all of Z ; (ii) the statistical distance between the distribution of k and the distribution of Micciancio and Peikert in 2012 [18] has the following properties.

The trapdoor delegation algorithm
Lemma 6 (see [18]). There exists a probabilistic polynomial time algorithm

and outputs a trapdoor T corresponding to
, T, H , ) uses some fixed primitive matrix G ∈ Z × whose columns generate all of Z ; (ii) the statistical distance between the distribution of T and the Gaussian distribution with is negligible; (iii) 1 (T ) ≤ ⋅ (√ + √ ) holds with an overwhelming probability; (iv) DelTrap works even if the columns of A = [A ‖ A 1 ] are randomly permuted; We use a set of invertible elements in a certain ring R = Z / ( ) introduced by Micciancio and Peikert in 2012 [18].

Correctness.
A ring signature scheme RS is correct if, for any valid ring signature corresponding to (R, m), the RS.Vrfy(R, m, ) algorithm outputs 1 with an overwhelming probability.
Generally, ring signatures should be required to satisfy conditions of anonymity and unforgeability. Definitions of anonymity against full key exposure and existential unforgeability with respect to insider corruption were proposed by Bender et al. [4].

Related Work
In this section, we review the existing ring signature schemes from lattices. In 2010, Brakerski and Kalai proposed the first ring signature scheme from lattices, using ring trapdoor functions [19]. However, Brakerski-Kalai's ring signature scheme is only existentially unforgeable under chosen-subring attacks; that is, it is not guaranteed to be existentially unforgeable with respect to insider corruption, because existential unforgeability under chosen-subring attacks is a weaker security notion than existential unforgeability with respect to insider corruption.
In 2011, Wang and Sun proposed two ring signature schemes, one in the random oracle model and one in the standard model, using lattice-based delegation techniques [21]. They claimed that their ring signature schemes offered existential unforgeability with respect to insider corruption, but in fact they did not. In this section, we recall the definition of existential unforgeability with respect to insider corruption and show that both of Wang-Sun's ring signature schemes fail to satisfy it.

Existential Unforgeability with respect to Insider Corruption.
In 2006, Bender et al. developed the definitions of anonymity and existential unforgeability for ring signatures [4]. Bender et al. defined four kinds of anonymity and three kinds of existential unforgeability, with anonymity against full key exposure and existential unforgeability with respect to insider corruption being the strongest of these. Insider corruption means that an adversary can corrupt honest users and obtain their signing keys. Since then, most ring signature schemes have been based on Bender et al.'s definitions. In 2011, Wang and Sun proposed two ring signature schemes and claimed that both were existentially unforgeable with respect to insider corruption, so we now recall existential unforgeability with respect to insider corruption before showing that their ring signature schemes are not existentially unforgeable.
Existential unforgeability with respect to insider corruption for a ring signature scheme RS = {RS.Gen, RS.Sign, RS.Vrfy} is defined by the game Game eu RS,F ( ) between a challenger C and a forger F as follows.
(ii) Signing Queries. F sends ( , R, m) such that V ∈ R∩S to C. We note that R may not be a subset of S. C runs RS.Sign( , R, m) to obtain and returns it to F.
(iii) Corruption Queries. F sends such that V ∈ S to C. C returns to F and adds V to CU.
The advantage of F in the above game is defined as follows: Otherwise, the algorithm outputs 0.
We now show that we can construct a forger F mounting an existential forgery attack with a nonnegligible success probability. Let C be the challenger in the game of existential unforgeability. In the Signing Queries phase, F sends ( , R, m*) to C and receives a ring signature k corresponding to ( , R, m*). Then F makes a forgery (R*, m*, k*) such that R* is a proper (strict) superset of R (i.e., R ⊊ R*). Note that F needs no corruption query at all.
] by inserting zeros into k, where k ∈ Z 2 and 0 ∈ Z . Note that the following equation holds: Clearly, the Euclidean norms of k and k* are the same, and the tuple (R*, m*, k*) passes the verification algorithm (i.e., WS.Vrfy(R*, m*, k*) = 1), since the extra ring member's columns are multiplied only by the inserted zeros and the hash value depends on the message alone. Therefore, Wang-Sun's ring signature scheme in the random oracle model is not existentially unforgeable with respect to insider corruption. Wang-Sun's ring signature scheme in the standard model can be broken in the same way.
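To make the ring-extension forgery concrete, the following toy model is added here as an editorial example; it is not code from the paper, nor from Wang and Sun's scheme, and it uses deliberately tiny constructed parameters (q = 13, four rows, six columns per member). It assumes a hash-and-sign verifier of the shape A_R · k = H(·) (mod q) with ‖k‖ ≤ β, derives H from SHA-256, and replaces trapdoor sampling by brute-force search for a short preimage. It shows three things: a verifier that hashes only the message accepts the zero-padded signature over the enlarged ring; a verifier that hashes (R, m, r), as our construction does, rejects the same padding; and two distinct short signatures on one hashed target give a nonzero z with A_R · z = 0 (mod q), the extraction step used in the second case of the security proof in Section 5.

```python
"""Toy hash-and-sign ring signature verifier (added example, constructed data)."""
import hashlib
import itertools
import math
import random

Q = 13                    # modulus q (constructed; far too small for security)
N = 4                     # rows of each public matrix (lattice rank n)
D = 6                     # columns contributed by each ring member
BETA = math.sqrt(2 * D)   # norm bound accepted by verification (assumed)


def keygen(rng):
    """Public key of one member: a random N x D matrix over Z_q (no trapdoor kept)."""
    return [[rng.randrange(Q) for _ in range(D)] for _ in range(N)]


def concat(ring):
    """A_R = [A_1 | ... | A_l], the ordered concatenation of the ring's matrices."""
    return [sum((pk[i] for pk in ring), []) for i in range(N)]


def matvec(A, k):
    """A k (mod q)."""
    return [sum(a * x for a, x in zip(row, k)) % Q for row in A]


def norm(k):
    return math.sqrt(sum(x * x for x in k))


def hash_to_zq(*parts):
    """H(parts) in Z_q^N, derived from SHA-256 of a canonical encoding of the inputs."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return [digest[i] % Q for i in range(N)]


def short_preimages(A, u):
    """Stand-in for trapdoor sampling: enumerate k in {-1,0,1}^m with A k = u (mod q).
    For a two-member ring m = 2*D, so every such k satisfies ||k|| <= BETA."""
    for k in itertools.product((-1, 0, 1), repeat=len(A[0])):
        if matvec(A, k) == u:
            yield list(k)


def short_preimage(A, u):
    return next(short_preimages(A, u))


# Scheme as analysed in Section 3: the hash covers the message only.
def weak_sign(ring, msg):
    return short_preimage(concat(ring), hash_to_zq(msg))


def weak_verify(ring, msg, k):
    A = concat(ring)
    return len(k) == len(A[0]) and norm(k) <= BETA and matvec(A, k) == hash_to_zq(msg)


def extend_ring_forgery(ring, k, extra_pk):
    """Forger's move: append a member and pad k with zeros for its columns,
    so that A_{R*} k* = A_R k and ||k*|| = ||k||."""
    return ring + [extra_pk], k + [0] * D


# Hardened scheme: the hash binds the ordered ring and a random nonce r.
def bound_sign(ring, msg, rng):
    r = rng.getrandbits(64)
    return short_preimage(concat(ring), hash_to_zq(ring, msg, r)), r


def bound_verify(ring, msg, sig):
    k, r = sig
    A = concat(ring)
    return len(k) == len(A[0]) and norm(k) <= BETA and matvec(A, k) == hash_to_zq(ring, msg, r)


def sis_from_two_signatures(ring, k1, k2):
    """Extraction step of the proof: two distinct short preimages of one target give
    z = k1 - k2 != 0 with A_R z = 0 (mod q) and ||z|| <= 2 * BETA."""
    z = [a - b for a, b in zip(k1, k2)]
    if not any(z) or matvec(concat(ring), z) != [0] * N:
        raise ValueError("inputs are not two distinct preimages of one target")
    return z


def demo(seed=1):
    """Run the forgery, the hardened check and the extraction; return the outcomes."""
    rng = random.Random(seed)
    alice, bob, carol = (keygen(rng) for _ in range(3))
    ring = [alice, bob]
    msg = b"constructed message: the audit report was altered"

    k = weak_sign(ring, msg)                                  # honest signature
    ring_star, k_star = extend_ring_forgery(ring, k, carol)   # forgery over R* = R + {carol}

    sig = bound_sign(ring, msg, rng)                          # hardened signature (k2, r)
    k2, r = sig
    forged_sig = (k2 + [0] * D, r)                            # same padding trick

    u = hash_to_zq(ring, msg, r)
    k_a, k_b = itertools.islice(short_preimages(concat(ring), u), 2)
    z = sis_from_two_signatures(ring, k_a, k_b)

    return {
        "weak_honest_accepted": weak_verify(ring, msg, k),
        "weak_forgery_accepted": weak_verify(ring_star, msg, k_star),
        "forgery_norm_unchanged": norm(k) == norm(k_star),
        "bound_honest_accepted": bound_verify(ring, msg, sig),
        "bound_forgery_accepted": bound_verify(ring + [carol], msg, forged_sig),
        "sis_norm": norm(z),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The brute-force search is the only reason the parameters are tiny; the padding argument itself is independent of the dimension, which is why Wang-Sun's verifier cannot be rescued by larger parameters but only by putting the ring into the hash input.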

Anonymity against Full Key Exposure.
We first recall the definition of anonymity against full key exposure in [4]. Anonymity against full key exposure for a ring signature scheme RS = {RS.Gen, RS.Sign, RS.Vrfy} is defined by the following game Game an RS,A ( ) between a challenger C and an adversary A. (ii) Signing Queries. A sends ( , R, m) such that V ∈ R∩S to C. We note that R may not be a subset of S. C runs RS.Sign( , R, m) to obtain and returns to A.
(iii) Corruption Queries. A sends such that V ∈ S to C. C returns to A and adds V to CU.
(iv) Challenge. A sends ( 0 , 1 , R, m) such that V 0 ∈ R ∩ S and V 1 ∈ R ∩ S to C. We note that R may not be a subset of S. C randomly chooses a bit and returns ← RS.Sign( , R, m) to A.
(v) Output. A guesses and outputs . If = , then A wins the game Game an RS,A ( ). We note that V 0 or V 1 may be in CU.
The advantage of A in the above game is defined as follows:

Strong Unforgeability with respect to Insider Corruption.
We propose strong unforgeability with respect to insider corruption for ring signatures. This is a stronger condition than existential unforgeability. The strong unforgeability of ring signatures is based on the existential unforgeability defined in [4]. Strong unforgeability with respect to insider corruption for a ring signature scheme RS = {RS.Gen, RS.Sign, RS.Vrfy} is defined by the following game Game su RS,F between a challenger C and a forger F.  F sends ( , R , m ) such that V ∈ R ∩ S to C. We note that R may not be a subset of S. C runs RS.Sign( , R , m ) to obtain and returns to F. (iii) Corruption Queries. For 1 ≤ ≤ , F sends such that V ∈ S to C. C returns to F and adds V to CU.
is the ordered concatenation of matrices in R. Then, the algorithm outputs 1 if Otherwise, the algorithm outputs 0.
Correctness. We show that our ring signature scheme SRS is correct. The SRS.Sign( , R, m) algorithm can sample k from a distribution whose statistical distance from D Λ ⊥ u (A R, ), is negligible using the SampleD and DelTrap algorithms with T such that A R, ⋅ k = u(mod ) and ‖k‖ ≤ ⋅ √ with an overwhelming probability [15,18,27]. Therefore, our ring signature scheme SRS is correct.

Anonymity against Full Key Exposure of Our Construction.
We now show that our ring signature scheme SRS is anonymous against full key exposure in the standard model. The signing algorithm with = T samples k from a distribution whose statistical distance from D Λ ⊥ u (A R, ), is negligible. Therefore, the statistical distance between the distribution of k 0 and the distribution of k 1 is negligible. We also note that the distributions of r 0 and r 1 are the same. Therefore, the advantage Adv an SRS,A of A is negligible.

Strong Unforgeability with respect to Insider Corruption of Our Construction.
We now show that our ring signature scheme SRS is strongly unforgeable with respect to insider corruption in the standard model.
Proof of Theorem 10. We show that, if a forger F wins the game with nonnegligible probability, we can construct an algorithm A solving the SIS , problem.
Assume that F outputs a forgery (R * , m * , * = (k * , r * )) in the game of strong unforgeability. Then, there exist three cases.
Note that the number of signing queries is at most , and (R , m , r ) are used in the th signing queries.
For the first case, we can construct A conducting a collision attack on H(⋅, ⋅) using F. A simulates the game of strong unforgeability with F as follows.
A calculates k ← SampleD(A R, , T, u, ( ⋅ √ ℎ ) ⋅ (√log ) 2 ) from a distribution whose statistical dis- A returns = T to F and adds V = A to CU.
(iv) Output. A outputs (R * , m * , * = (k * , r * )). For any To reduce the average-case SIS problem to the worst-case SIVP in lattices, ≥ ⋅√ ⋅ (√log ) should hold. Therefore, ≥ ⋅ √ ⋅ (√log ) = √ |R| + |m| + 4 ⋅ 2 ⋅ ⋅ √ ⋅ (√log ) . Naturally, For the second case, we can construct A attacking the SIS , problem using F. Assume that the number of corrupted users is at most . A simulates the game of strong unforgeability with F as follows. For 0 ≤ ≤ ℎ, A computes H as follows: where is the th element in and ℎ(⋅) is a ring homomorphism.
For 0 ≤ ≤ ℎ, A chooses R ← D × Z, (√log ) and computes the following: C and is the th element in . such that V ∈ R ∩ S to A. A samples r with trapdoor information such that = H(R ‖ m , r ).
Note that the distributions of k and D Λ ⊥ u (A‖C ), are the same.
Then, the maximal singular value of R is as follows: (iii) Corruption Queries. If F asks for , where = 1, A aborts. Otherwise, A returns = T and adds V = A to CU.
Therefore, we obtain the following equation: From the above equation, we have that Let z ∈ Z + be [ I −R * I ] ⋅ (k * − k) and let z ∈ Z + +1 be [ z 0 ]. Then, Az = 0(mod ) and A outputs z as a SIS solution to A .
The Euclidean norm of k * is as follows: Because ‖k‖ = ‖k * ‖ = (ℎ 1/2 ⋅ ⋅ 3/2 ⋅ 3/2 ) ⋅ (√log ) 3 and k * − k ̸ = 0, ‖z ‖ = ‖z‖ = (ℎ ⋅ ⋅ 2 ⋅ 2 ) ⋅ (√log ) 4 = . To reduce the average-case SIS problem to the worst-case SIVP in lattices, ≥ ⋅√ ⋅ (√log ) should hold. Therefore, We note that A succeeds in its forgery if it correctly guesses and t. The probability of A correctly guessing is 1/ , and the probability of correctly guessing t is 1/ . Therefore, where is the number of users and is the upper bound of the number of corrupted users. For the third case, we can construct A attacking the SIS , problem using F. Assume that the number of corrupted users is at most . A simulates the game of strong unforgeability with F as follows.
where is the th element in and ℎ(⋅) is a ring homomorphism.
For 0 ≤ ≤ ℎ, A chooses R ← D × Z, (√log ) and computes the following: If any has as a prefix, H 0 + ∑ ℎ =1 , H = 0 ∈ Z × , where , is the th element in . Otherwise, such that V ∈ R ∩ S to A. A samples r with trapdoor information such that = H(R ‖ m , r ).
(iii) Corruption Queries. If F asks for , where = 1, A aborts. Otherwise, A returns = T and adds V = A to CU.
To reduce the average-case SIS problem to the worst-case SIVP in lattices, ≥ ⋅√ ⋅ (√log ) should hold. Therefore, We note that A succeeds in its forgery if A correctly guesses * and t such that * has as a prefix. The probability of A correctly guessing * such that * has as a prefix is 1/((ℎ − 1) ⋅ + 1). The probability that A correctly guesses t is 1/ . Therefore, where is the number of users and is the upper bound of the number of corrupted users. Our ring signature scheme has the property that the upper bound of the number of corrupted users should be constant. In proving strong unforgeability with respect to insider corruption for our ring signature scheme, the advantage of a forger is limited by the advantage of the SIS problem solver factored by , where is the number of users and is the upper bound of the number of corrupted users. The lower and upper bounds of are as follows [30]: If = /2 (i.e., the maximal value of ), the lower and upper bounds on are as follows: Thus, the value of /2 grows exponentially if grows polynomially; that is, the upper bound of corrupted users, , in our ring signature scheme needs to be some constant.
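As an added illustration of why the number of corrupted users must be constant (this derivation is supplied by the editor, not part of the original text; the names $N$ for the number of users and $t$ for the upper bound on corrupted users are chosen here because the paper's own symbols did not survive extraction), the standard estimates for the binomial coefficient give

$$\left(\frac{N}{t}\right)^{t} \;\le\; \binom{N}{t} \;\le\; \left(\frac{eN}{t}\right)^{t},$$

so that for $t = N/2$

$$2^{N/2} \;\le\; \binom{N}{N/2} \;\le\; (2e)^{N/2},$$

which is exponential in $N$. For a constant $t$, by contrast, $\binom{N}{t} \le N^{t}$ is polynomial in $N$. A reduction whose loss factor is $\binom{N}{t}$ therefore keeps the forger's advantage polynomially related to the SIS solver's advantage only when $t$ is a constant.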
Therefore, our ring signature scheme SRS is strongly unforgeable with respect to insider corruption in the standard model.

Conclusion
In this paper, we have shown that both of Wang-Sun's ring signature schemes are not in fact existentially unforgeable. We then developed the more secure concept of strong unforgeability for ring signatures and proposed a new ring signature scheme from lattices in the standard model that satisfies it. Our ring signature scheme is anonymous against full key exposure and strongly unforgeable with respect to insider corruption in the standard model.