Erratum to "An Efficient Code-Based Threshold Ring Signature Scheme with a Leader-Participant Model"

1 Department of Computer and Information Technology, Zhejiang Police College, Hangzhou, Zhejiang Province, China
2 Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, China
3 Department of Computer Science and Engineering, University of North Texas, Denton, TX 76203, USA
4 College of Information Engineering, China University of Geosciences, Wuhan, China
5 Department of Information Systems and Cyber Security, University of Texas at San Antonio, San Antonio, TX 78249, USA


Introduction
Public-key cryptography (PKC) remains a topic of research interest, partly because of its role in an increasingly digitalized society and the challenge of designing efficient, provably secure schemes with the additional features that contemporary applications require. Existing PKC schemes are generally based on the hardness of number-theoretic problems such as integer factorization and the discrete logarithm problem. While these problems remain hard for classical computers at the time of this research, the situation could change with advances in quantum computing: in the 1990s, Shor presented a quantum algorithm that solves both factorization and discrete logarithms in polynomial time on a quantum computer [1,2]. Thus, there is a pressing need to design PKC schemes that are secure against quantum attacks. Code-based PKC schemes, introduced by McEliece in 1978 [3], are one family of such post-quantum schemes. They rely on hard problems in coding theory and are considered an appropriate way to keep messages secure in the quantum era.
Security and Communication Networks
In 2001, Rivest et al. presented the ring signature as a digital signature scheme with an additional property [4]. In a ring signature scheme, each member of the ring has its own public-private key pair. For a given message, any signer in the ring is able to generate a signature using its private key and the ring public key, which consists of the public keys of all signers in the ring. A verifier can only check the validity of the signature, without learning who the true signer of the message is; thus, the anonymity of the signer is preserved. Due to this property, ring signatures have many potential applications in real-world scenarios. One practical application is a company soliciting opinions from its employees. To improve the reliability of employee feedback, it is often necessary for multiple employees (potentially thousands in a large multinational corporation) to submit their opinions. At the same time, to prevent retaliation by senior management or a line supervisor, the true identities of the participating employees should not be revealed. A threshold ring signature is one appropriate solution for such an application: it enables a group of employees, once a certain number of them take part, to jointly generate a valid signature. Ring signatures can also be used for data sharing in the cloud [5] and for privacy-preserving public auditing of shared data [6].
Since the notion of ring signatures was introduced, a number of ring signature schemes have been proposed in the literature. Shacham and Waters [7] presented the first efficient ring signature scheme based on bilinear groups; the scheme is anonymous against full key exposure and unforgeable with respect to insider corruption. Kar [8] proposed an online/offline ring signature scheme whose security is based on both the computational Diffie-Hellman and the k-CAA problems; the scheme satisfies signer ambiguity and allows misbehavior of the signer to be detected. Wang et al. [9] presented the new concept of an identity-based quotable ring signature, which allows new ring signatures on substrings of an original message to be derived from an original ring signature on that message; the scheme is based on bilinear pairings of composite order and is proven secure under the assumption that the subgroup decision problem and the computational Diffie-Hellman problem are hard. Zeng et al. [10] proposed an efficient non-interactive deniable ring signature scheme and proved its security in the standard model. Nevertheless, all the aforementioned schemes [7][8][9][10] are based on hard problems in number theory and will thus become insecure as soon as large quantum computers are built. There are also some alternative ring signature schemes based on hard problems not affected by quantum attacks, such as schemes based on NTRU lattices [11] and on multivariate quadratic polynomials [12].
Bresson et al. extended the notion of ring signatures to threshold ring signatures, which are increasingly popular because of their practical utility in comparison with conventional ring signatures [13]. Similar to a ring signature scheme, a (t, N) threshold ring signature scheme allows at least t of the N signers in the ring to cooperate in signing a message without leaking the identities of the t participating signers. Existing threshold ring signature schemes are mostly based on number theory [14][15][16][17]; hence, as mentioned above, such schemes could be insecure in the quantum world. To the best of our knowledge, the schemes of Dallot and Vergnaud [18] and of Aguilar Melchor et al. [19] are the only two code-based threshold ring signature schemes published in the literature. Dallot and Vergnaud's scheme [18] combines Bresson et al.'s construction [13] with the Courtois et al. (CFS) signature [20], which results in a signature whose size is proportional to twice the number of system users. Aguilar Melchor et al.'s scheme [19] is a generalization of Stern's identification and signature scheme [21] and is inefficient in terms of signature size.
In this paper, we propose a novel code-based (t, N) threshold ring signature scheme. The security of our proposed scheme is based on the hardness of the syndrome decoding (SD) problem (known to be NP-complete) and on the indistinguishability of Goppa codes from random linear codes. In the proposed scheme, a leader is appointed from among the t signers; the leader chooses shared parameters that the other t − 1 signers use to participate in the signing process. This leader-participant model improves performance because every participant, including the leader, can execute the decoding algorithm (part of the signing process) concurrently, immediately upon receiving the shared parameters from the leader.
The rest of this paper is organized as follows. Section 2 presents background information and preliminaries. Section 3 describes our proposed scheme; its security analysis is presented in Section 4 and its efficiency is evaluated in Section 5. Section 6 concludes the paper.

2.1. Definitions and Problems in Coding Theory. For the rest of this paper, we consider linear codes over the binary field F_2.
Definition 1 (weight). The (Hamming) weight of a vector (or word) over F_2 is the number of nonzero bits in it.
Definition 3 (generator matrix and parity-check matrix). A generator matrix of a linear code C is a matrix whose rows form a basis of C; it has as many rows as the dimension of C and as many columns as the length of C. A parity-check matrix of C is a generator matrix of the dual code of C; its number of rows is the length of C minus its dimension, and a word belongs to C exactly when the parity-check matrix times its transpose is zero.
The security of our threshold ring signature scheme is based on the following two hard problems in coding theory. In what follows we also use the set of all binary vectors of a given length and a given weight.

Problem 4 (Syndrome Decoding (SD)).
Input. An integer (the target weight), a binary vector (the syndrome), and a random binary matrix with as many rows as the syndrome has coordinates.
Problem. Find a binary vector of the target weight such that the matrix times the transpose of that vector equals the given syndrome, where V^T denotes the transpose of a vector (or matrix) V. The advantage of an adversary A in solving the SD problem is denoted Adv_SD(A). The SD problem was proven NP-complete in [22]; note that NP-completeness is a worst-case statement, so the scheme additionally relies on the standard assumption that Adv_SD(A) is negligible for random instances of cryptographic size.
To describe the following Goppa Code Distinguishing (GCD) problem, let G_0 = Goppa(·, ·) denote the set of parity-check matrices of all binary irreducible Goppa codes with the chosen length and dimension, and G_1 = Rand(·, ·) the set of parity-check matrices of all random binary linear codes with the same length and dimension. Let G be the union of these two sets.
Problem 5 (Goppa Code Distinguishing (GCD)).
Input. A matrix randomly chosen from the set G.
Let D be a probabilistic polynomial-time (PPT) distinguisher for the GCD problem, i.e., an algorithm that outputs a bit indicating whether the input matrix came from G_0 or from G_1. The advantage of D, denoted Adv(D), is the absolute difference between the probability that D outputs 1 on a matrix drawn from G_0 and the probability that D outputs 1 on a matrix drawn from G_1. The indistinguishability assumption for the GCD problem holds if Adv(D) is negligible for every PPT D.
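As an added worked example (not code from the paper), the following Python script sets up a toy SD instance over F_2: it computes syndromes, solves Problem 4 by exhaustive search over all vectors of the target weight, counts solutions to show why the weight bound matters for unique decoding, and measures which fraction of syndromes is decodable at all (the quantity a CFS-style signer depends on). The parity-check matrix is the [7,4] Hamming code, a constructed example chosen because it corrects exactly one error; the helper names are this example's own.

```python
"""Syndrome decoding (SD) over F_2 for toy parameters.

Added illustration, not code from the paper. Uses the [7,4] Hamming
code (d = 3, corrects 1 error) as a constructed example; all helper
names are this example's own.
"""
import itertools
import random

# Parity-check matrix of the [7,4] Hamming code: column j is the binary
# expansion of j+1, so the syndrome of a single error names its position.
HAMMING_H = [
    [1, 0, 1, 0, 1, 0, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]


def hamming_weight(v):
    """Definition 1: number of nonzero coordinates of a binary vector."""
    return sum(1 for bit in v if bit)


def syndrome(H, e):
    """Compute H e^T over F_2 (each row's dot product reduced mod 2)."""
    return tuple(sum(h & x for h, x in zip(row, e)) % 2 for row in H)


def weight_w_vectors(n, w):
    """Enumerate all binary vectors of length n and weight exactly w."""
    for support in itertools.combinations(range(n), w):
        e = [0] * n
        for j in support:
            e[j] = 1
        yield e


def brute_force_sd(H, s, w):
    """Problem 4 solved by exhaustive search: find e of weight w with H e^T = s.

    Returns (e, attempts) or (None, attempts). The search space has C(n, w)
    elements, which is what makes SD hard for cryptographic n and w.
    """
    n = len(H[0])
    target = tuple(s)
    attempts = 0
    for e in weight_w_vectors(n, w):
        attempts += 1
        if syndrome(H, e) == target:
            return e, attempts
    return None, attempts


def count_solutions(H, s, w):
    """Number of weight-w vectors with syndrome s; 1 means unique decoding."""
    target = tuple(s)
    return sum(1 for e in weight_w_vectors(len(H[0]), w) if syndrome(H, e) == target)


def decodable_fraction(H, w):
    """Fraction of all 2^r syndromes reachable by an error of weight <= w.

    For a CFS-style signature this is the chance that a hashed syndrome can be
    decoded at all; the signer re-hashes until it hits a decodable one.
    """
    r, n = len(H), len(H[0])
    reachable = set()
    for weight in range(w + 1):
        for e in weight_w_vectors(n, weight):
            reachable.add(syndrome(H, e))
    return len(reachable) / 2 ** r


def random_parity_check(r, n, seed=0):
    """A uniformly random r x n binary matrix, as in the SD problem statement."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(n)] for _ in range(r)]


if __name__ == "__main__":
    e_true = [0, 0, 0, 0, 1, 0, 0]
    s = syndrome(HAMMING_H, e_true)
    print("syndrome of a single error at position 4:", s)
    print("weight-1 solutions:", count_solutions(HAMMING_H, s, 1))
    print("weight-2 solutions:", count_solutions(HAMMING_H, s, 2))
    print("decodable fraction at w=1:", decodable_fraction(HAMMING_H, 1))
    H_rand = random_parity_check(10, 20, seed=7)
    print("random 10x20, decodable fraction at w=2:", decodable_fraction(H_rand, 2))
```

With the Hamming matrix, a weight-1 target has exactly one solution, while the same syndrome has three weight-2 preimages: SD solutions are unique only while the weight stays within the code's error-correcting capability, which is why the scheme fixes the weight as a public parameter. The exhaustive search is the generic attack; a legitimate signer instead uses the private Goppa decoder, which is the trapdoor the GCD assumption protects.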

2.2. (t, N) Threshold Ring Signature. We use the formal definition of a threshold ring signature scheme following the work of Bresson et al. [13]. Assume there are N signers S_1, …, S_N forming a ring R, and that the threshold for generating a valid signature is t with t < N. For simplicity, we assume the first t signers S_1, …, S_t are the true signers in R. A (t, N) threshold ring signature scheme consists of four algorithms (Setup, KeyGen, Sign, Verify).
Setup. The algorithm takes as input a security parameter and outputs the system public parameter P.

KeyGen(P).
The algorithm takes as input the parameter P and generates N public-private key pairs, one for each signer in R. The N public keys form the ring public key, and each private key is sent to its signer via a secure channel.
Sign. The algorithm takes as input a message, the parameter P, the ring public key, and the set of private keys of the t participating signers, and outputs a threshold ring signature on the message.
Verify. The algorithm takes as input the message, the ring public key, and the threshold ring signature, and outputs 1 if the message-signature pair is valid.
Otherwise, the algorithm outputs 0.

2.3. Security Model.
A threshold ring signature scheme needs to satisfy the correctness, anonymity, and unforgeability properties.
Correctness. A (t, N) threshold ring signature scheme satisfies correctness if, for any valid set of t private keys and any message, Verify accepts the signature output by Sign on that message.
Anonymity. A (t, N) threshold ring signature scheme satisfies anonymity if, given a message-signature pair, any attacker A can determine the set of t signers that participated in signing with probability no better than 1/\binom{N}{t}. More formally, consider two message-signature pairs on the same message, produced by the two signer sets {S_01, …, S_0t} and {S_11, …, S_1t}, respectively; anonymity requires that the absolute difference between 1/2 and the probability that A correctly guesses which of the two sets produced a randomly chosen one of the two signatures is negligible.
Unforgeability. To define unforgeability, we introduce the attack model for (t, N) threshold ring signatures. A PPT forger F has access to a corruption oracle, a signature oracle, and a hash oracle, and may query them adaptively. Through corruption queries, F can obtain at most t − 1 private keys of ring members. Through signature queries, F obtains threshold ring signatures on messages and signer sets of its choice. Finally, F attempts to forge a signature on a message of its choice that was not the input of any signature-oracle query. A (t, N) threshold ring signature scheme satisfies unforgeability if, for any PPT forger F, the probability Suc_F that F succeeds in this attack is negligible.
We remark that there is a special signer, referred to as the leader, in our (t, N) threshold ring signature scheme. The leader is chosen at random for each signing process and has no additional privileges, but it must act honestly. In particular, the leader hands the shared signing parameters to the other t − 1 participants and therefore knows their identities, so the anonymity guarantee above holds against verifiers and non-participating ring members only as long as the leader keeps this information private. If the leader misbehaves, anonymity of the t participating signers cannot be achieved.

Our Threshold Ring Signature Scheme
For simplicity, we abbreviate a sequence V_1, V_2, … of vectors by a single subscripted symbol whose index ranges over the sequence. Our code-based (t, N) threshold ring signature scheme can be described as follows.
Setup. Given a security parameter, the algorithm chooses four integers representing, respectively, the length, dimension, minimum distance, and error-correcting capability of the code underpinning our scheme, and outputs them as the system public parameter P.

KeyGen(P).
Given P = (, , , ), the algorithm performs the following: and each private key   = (  ,   ,   , DEC   ) is sent to the signer S  via a secure channel, 1 ≤  ≤ .
(ii) For each S  , Otherwise, return to the previous step to recompute   .
(iii) Compute For all signers S  , 1 ≤  ̸ =  ≤ , the above signing processes can be concurrent.
(b) If  is an odd number, then compute Otherwise (i.e.,  is an even number), compute ) to obtain a vector    such that Otherwise, return to the first step executed by S  to choose another   .

Security Analysis
In this section, we analyze the security of our scheme based on the security model defined in Section 2.3.
4.1. Correctness. Recall that all operations in this paper are executed over the binary field F_2. The two cases distinguished in the signing algorithm (odd and even) lead to the same identity: the transposed hash value of the message equals the sum, over the t participating signers, of each signer's parity-check matrix H multiplied by the transpose of the vector that signer contributed. Together with the fact that each contributed vector has the prescribed weight, this is exactly the relation checked by Verify, which demonstrates that our threshold ring signature scheme satisfies the correctness property.
4.2. Anonymity. Assume that an adversary A receives two valid message-signature pairs on the same message, generated by the two signer sets {S_01, …, S_0t} and {S_11, …, S_1t}, respectively. From A's view, each of the t vectors in either signature is completely random, so the absolute difference between 1/2 and the probability that A correctly identifies which of the two signer sets produced a randomly chosen one of the two signatures is negligible. Hence our threshold ring signature scheme satisfies the anonymity property. As noted in Section 2.3, this holds with respect to verifiers and non-participating ring members; the leader of a signing session knows who the other participants are.
4.3. Unforgeability. We prove unforgeability in the attack model of Section 2.3. Let F be a PPT forger with a non-negligible success probability Suc_F against our (t, N) threshold ring signature scheme. Using F, we construct a PPT algorithm C that solves the SD problem with non-negligible advantage: given a random parity-check matrix and a random decodable syndrome, C finds a vector of the prescribed weight whose syndrome under that matrix equals the given one. To this end, C plays the following games with F.
Game 0. C randomly chooses an index from {1, 2, …, N} and sets the public key of the signer at that index to the SD challenge matrix. For the other signers, C chooses N − 1 parity-check matrices of randomly permuted Goppa codes as their public keys; the corresponding private keys will not be used. C then sends all N matrices to F. F queries the hash oracle and the signature oracle several times and seeks to produce a valid signature for some message. We denote the probability that F wins Game 0 by Pr[Game 0].
Game 1. C replaces the original hash function with a hash simulator H, which responds to F as follows. When F makes a query to H on a message, H stores an index in a list Λ associated with that message. If the list for that message is empty, then H chooses a random vector over F_2.
Game 2. C replaces the signature oracle with a signing simulator, which responds to F as follows. When F queries the signing simulator on a message, the simulator chooses a random index, stores it in Λ for that message, and C then runs H on the message. If this does not yield a vector of the prescribed weight, the simulator aborts; otherwise it outputs the resulting signature and empties Λ for that message. Game 2 differs from Game 1 only when the simulator aborts. The probability that it aborts is at most q_Sim divided by 2 raised to the relevant bit length, where q_Sim is the maximum number of queries to the signing simulator, so the probabilities Pr[Game 1] and Pr[Game 2] that F wins Games 1 and 2 differ by at most this negligible amount.
Game 3. C replaces each signer's public key (the permuted parity-check matrix of a random Goppa code) with the parity-check matrix of a random linear code. By the indistinguishability assumption of Section 2.1, F has only a negligible GCD advantage Adv(F), so |Pr[Game 3] − Pr[Game 2]| ≤ Adv(F).
Game 4. The winning condition is changed. C picks a random number in {1, …, q_H}, where q_H is the maximum number of queries to H, and F now wins only if its forgery is on the message of that hash query and passes verification. Hence Pr[Game 4] = Pr[Game 3]/q_H. If F wins Game 4, then C has inverted its SD instance (it obtains a vector of the prescribed weight whose syndrome under the challenge matrix equals the challenge syndrome), so Pr[Game 4] = Adv_SD(C).
Combining these, Suc_F = Pr[Game 0] differs from Adv_SD(C) only by the negligible game-transition losses and the polynomial factor q_H. In other words, if there is a PPT forger F that forges a valid message-signature pair against our scheme with non-negligible probability, then we can construct a PPT algorithm C that solves the SD problem with non-negligible probability. Thus our proposed threshold ring signature scheme is existentially unforgeable under chosen-message attack if both the GCD problem and the SD problem are hard.

Efficiency Analysis
In this section, we evaluate the efficiency of our threshold ring signature scheme in terms of the public key size, the signature size, and the time complexity of the signing process.
5.1. Time Complexity of the Signing Process. We omit the cost of computing the hash function because it is fast compared with the other operations in our (t, N) threshold ring signature scheme. As discussed in Section 3, each of the t participating signers computes one vector (see (8), (12), and (13)); the cost of computing it is a product of two parameter differences. According to Engelbert et al. [23], a fast decoding algorithm has quadratic time complexity. Moreover, as in the CFS scheme [20], about t! decoding attempts are needed on average before a decodable syndrome is found, where t in this count is the error-correcting capability of the underlying Goppa code: such a code has as many syndromes as there are error patterns of weight at most t multiplied by roughly t!, so only about one syndrome in t! is decodable and the signer must re-hash that many times on average. The total time complexity of the signing process is therefore 2 · t! times the sum of the cost of computing the vector and the cost of one decoding attempt.
Note that the time complexity of the signing process in our scheme is independent of the number of participating signers. Compared with running the CFS scheme [20] once per signer, the factor in our method is two rather than the number of participating signers, because the t − 1 signers other than the leader can run their decoding attempts concurrently. Two caveats apply: the saving is in wall-clock latency, since the total work across all participants still grows linearly with the number of signers, and it is realized only when the participants actually compute in parallel after receiving the leader's shared parameters. Under these conditions our scheme is an efficient code-based threshold ring signature scheme.

Conclusion
In this paper, we proposed a novel threshold ring signature scheme based on hard problems in coding theory and proved that it satisfies correctness, unforgeability, and anonymity. In comparison with other post-quantum digital signature schemes, our scheme has a smaller signature size. Our scheme also uses the leader-participant model, which allows signers to carry out their signing computations concurrently and thereby significantly reduces the latency of the signing process.
Future research includes exploring practical applications of the proposed scheme and implementing a prototype of the scheme for evaluation in a real-world context (e.g., an Internet of Battlefield Things application).