Efficient Linkable Ring Signature Scheme over NTRU Lattice with Unconditional Anonymity

In cloud and edge computing, senders of data often want to be anonymous, while recipients of data always expect that the data come from a reliable sender and they are not redundant. Linkable ring signature (LRS) can not only protect the anonymity of the signer, but also detect whether two different signatures are signed by the same signer. Today, most lattice-based LRS schemes only satisfy computational anonymity. To the best of our knowledge, only the lattice-based LRS scheme proposed by Torres et al. can achieve unconditional anonymity. But the efficiency of signature generation and verification of the scheme is very low, and the signature length is also relatively long. With the preimage sampling, trapdoor generation, and rejection sampling algorithms, this study proposed an efficient LRS scheme with unconditional anonymity based on the e-NTRU problem under the random oracle model. We implemented our scheme and Torres et al.'s scheme, as well as other four efficient lattice-based LRS schemes. It is shown that under the same security level, compared with Torres et al.'s scheme, the signature generation time, signature verification time, and signature size of our scheme are reduced by about 94.52%, 97.18%, and 58.03%, respectively.


Introduction
In most scenarios involving data transmission, including blockchain, cloud computing, edge computing, etc., the sender of data usually wants to be anonymous, while the receiver of data always expects the data to be reliable. Ring signature (RS), proposed by Rivest et al. [1], is a technology that can meet the above requirements. RS has two essential security properties: (1) unforgeability, which requires that the verifier be able to verify whether the signature was signed by a reliable signer; and (2) anonymity, which requires that the verifier cannot identify the real signer from a group of users. Similar to group signature [2,3], RS is group-oriented. However, different from group signature, in RS, the group is formed spontaneously, that is, there is no special manager, and the setup and revocation procedures are not required. Any user can select a group of ring members and sign any message with his own private key and the public keys of other members without their consent. The verifier can only verify whether the signature comes from a member in the ring without knowing which member the signer is.
Due to the anonymity of RS, it is widely used in anonymous tip-offs, e-cash [4], and other fields. It is worth noting that while protecting the anonymity of signers, RS also brings a new problem, that is, the same signer can sign multiple times without being detected.
In 2004, Liu et al. [5] introduced an extended property called linkability to RS, and the corresponding primitive is now known as linkable ring signatures (LRS). LRS not only satisfies the properties of ordinary RS (such as correctness, unforgeability, and anonymity) but also can be used to judge whether two different signatures are signed by the same signer (linkability). LRS is useful in situations where anonymity and nonrepeatability are required. For example, in a blockchain system [6], if some user signs the same amount of money twice, LRS will help the verifier detect it and the verifier will deny the second signature, thus avoiding the so-called "double spending" problem. In smart grid systems [7], the electricity consumption data of users are automatically collected by the smart meter, and specific electricity consumption information is fed back to the service provider. Thus, malicious attackers can infer the living and rest patterns of the user from the large amount of electricity consumption data recorded by the smart meter. LRS can not only conceal the specific information of the meter user but also eliminate the redundant data of the same meter and provide the system with abnormal user monitoring and tracking functions.
In 2013, Liu et al. [8] constructed an unconditional anonymous linkable ring signature (UALRS) scheme, which addressed the open problem that RS could not have linkability and strong anonymity simultaneously and made it more secure. RS schemes have two types of anonymity: computational anonymity and unconditional anonymity. Computational anonymity refers to the protection of anonymity under certain number theory problems. The anonymity of RS is destroyed if this potential problem can be solved by an adversary. By contrast, unconditional anonymity means that the probability that any adversary with unlimited computing power and time knows the actual signer of a given RS is no better than random guessing. In other words, assuming that there are l users in RS, the probability of any adversary with unlimited computing power and time correctly indicating the public key of the actual signer is no more than 1/l.
It is not difficult to design a RS scheme with unconditional anonymity. In fact, most traditional RS schemes can satisfy unconditional anonymity [1, 9-16]. However, it is not easy to construct a UALRS scheme. The difficulty lies in the following two aspects. First, in a computational anonymous linkable ring signature (CALRS) scheme, the linking tag can always be designed as a pseudorandom function about the private key of the signer based on some mathematical problem. But unconditional anonymity means that the adversary has unlimited computing power, that is, it can compute the solution of any NP-hard problem, such as NTRU-SIS, large integer factorization, discrete logarithm, and the preimage of a given hash value. Therefore, only designing the linking tag using mathematical problems is not enough, and more techniques must be considered. Second, in order to achieve unconditional anonymity, the generation and verification of a linking tag are often more complex, which may increase the length of public and private keys and signatures, as well as reduce the computational efficiency of the scheme. In fact, from 2004 to 2013, only the LRS scheme proposed by Liu et al. [8] can achieve unconditional anonymity.
The above schemes are all constructed based on classical number theory problems, that is, discrete logarithm and the decomposition of large integer problems. With the development of quantum computers, cryptosystems under classical number theory problems are faced with severe challenges. Shor [17] constructed a quantum algorithm in 1994 to solve the problem of large integer factorization in polynomial time under quantum computing conditions, and this algorithm made most existing public key cryptosystems no longer secure under quantum attacks.
In this case, post-quantum cryptography began to be studied by scholars in the field of cryptography. Among the alternatives, lattice-based cryptography appeals to scholars because of its high efficiency, simplicity, high parallelizability, and strong provable security guarantees. In 2016, Libert et al. [18] constructed a lattice-based RS scheme based on zero-knowledge proofs and accumulators. Thereafter, other lattice-based RS schemes have been proposed [19-21]. In 2017, Yang et al. [22] proposed a lattice-based LRS scheme based on weak pseudorandom functions, accumulators, and zero-knowledge proofs. In 2018, Baum et al. [23] proposed the lattice-based one-time LRS scheme based on the module-SIS problem (a variant of SIS problem) and module-LWE problem (a variant of LWE problem). In the same year, Alberto Torres et al. [24] proposed a lattice-based one-time LRS scheme based on the ring-SIS problem. Subsequently, Zhang et al. [25] proposed a LRS scheme over ideal lattice based on the homomorphic commitment scheme and protocol. In 2019, Liu et al. [26] proposed a lattice-based LRS scheme supporting stealth addresses under the module-SIS and module-LWE problems. In 2020, Beullens et al. [27] constructed a LRS scheme whose signature size scales logarithmically with the ring size from isogeny and lattice assumptions.
However, in the above lattice-based LRS schemes, only Alberto Torres et al.'s scheme [24] satisfies unconditional anonymity. By analyzing Torres et al.'s scheme, it is found that in order to achieve unconditional anonymity, the linking tag of Torres et al.'s scheme is generated using an m-dimensional polynomial vector over a polynomial ring. Since the linking tag is so large, Torres et al.'s scheme generates signatures m times longer than a normal CALRS scheme over a polynomial ring, and its efficiency in generating and verifying signatures is also significantly reduced.
Hoffstein et al. [28] proposed the NTRU lattice-based cryptosystem in 1996. Considering that it only involves multiplication on polynomial rings and small integer modulo operations, the NTRU-based cryptosystem usually requires smaller public and private keys and is more efficient compared with that on the general lattice. Therefore, it has received extensive attention from scholars. In 2016, Zhang et al. [29] proposed an efficient RS scheme on NTRU lattice whose security can be reduced to the e-NTRU problem (a variant of the SIS problem on NTRU lattice) in the random oracle model. In 2019, Lu et al. [30] constructed Raptor, a practical NTRU lattice-based LRS scheme based on a variant of chameleon hash functions. In 2021, Tang et al. [31] constructed an identity-based LRS scheme over NTRU lattice by employing the technologies of trapdoor generation and rejection sampling. The security of this scheme relies on the small integer solution (SIS) problem on NTRU lattice.

Our Contribution.
To reduce the signature size, as well as promote the efficiency of signature generation and verification of lattice-based UALRS scheme [24], in this study, a LRS scheme is reconstructed on NTRU lattice, and its architecture is shown in Figure 1. The main contributions of this article are as follows:
(1) In the key generation stage, the public and private keys of the LRS scheme are generated by the trapdoor and the preimage sampling algorithms on NTRU lattice. Then, the linking tag is produced by the public and private keys of the signer, and a LRS is generated based on the signature algorithm of Zhang et al. [29] combined with the rejection sampling algorithm.
(2) In terms of security analysis, strict security proof is conducted based on the security model of UALRS proposed by Liu et al. [8]. The result of the proof shows that the unforgeability and linkability of the proposed scheme can be reduced to the difficulty of e-NTRU problem under the random oracle model, and, meanwhile, the proposed scheme satisfies unconditional anonymity.
(3) In terms of performance analysis, the proposed scheme is compared with the latest and efficient lattice-based LRS schemes in [23,24,26,27,30], and a detailed analysis is given. The possible parameter settings of the proposed scheme are also analyzed and provided under the premise of ensuring the security of the proposed scheme.
(4) We implement our scheme and Torres et al.'s scheme [24], as well as four other efficient lattice-based LRS schemes [23,26,27,30], and it is shown that under the same security level, the signature generation and verification time of the proposed scheme are respectively reduced by 56.61% and 65.18%. Especially compared with Torres et al.'s scheme, the signature generation and verification time of the proposed scheme are respectively reduced by 94.52% and 97.18%, and the signature size of the proposed scheme is reduced by 58.03% on average.

Paper Organization.
In Section 2, we introduce some definitions, lemmas, difficult problems, and related algorithms which we will use to construct the scheme. We introduce the definition of LRS and the relevant security model in Section 3. Section 4 contains the construction and correctness statement of the LRS scheme and the proof of correctness. Section 5 contains the security statements of the proposed scheme and the proofs of unforgeability, unconditional anonymity, and linkability. In Section 6, we discuss the parameter settings and post-quantum security of the proposed scheme. Finally, in Section 7 and Section 8, we respectively give the performance analysis and experimental results of the proposed scheme and the lattice-based LRS schemes of [23,24,26,27,30] and also make a comparison between them.

Symbol Definition.
Descriptions of the used notations are listed in Table 1.

Related Definitions of NTRU Lattice
[Figure 1: architecture of the proposed LRS scheme. Recoverable labels: Sign(PP, L, m_1, sk_i), User j, User i]
where m and n are the rank and dimension of lattice Λ, respectively, and $b_1, b_2, \dots, b_m$ is called a basis of lattice Λ.
Definition 2 (convolutional polynomial ring). Let $R = \mathbb{Z}[x]/(x^n + 1)$ be an ordinary polynomial ring. If the addition operation remains unchanged and the multiplication operation is replaced by a convolution operation on $R$, then $R$ is called a convolution polynomial ring. Similarly, given a prime number $q$, the modulus convolution polynomial ring is $R_q = R/qR$. Let $f = \sum_{i=0}^{n-1} f_i x^i$, $g = \sum_{i=0}^{n-1} g_i x^i \in R_q$, then the two operations on $R_q$ are defined as follows: (i) Addition operation +: (ii) Convolution operation *:
Definition 3 (anticirculant matrix). Let the coefficient vector of polynomial $f$ be $(f_0, f_1, \dots, f_{n-1})$. Then, the coefficient vector of polynomial $x \cdot f$ is $(-f_{n-1}, f_0, \dots, f_{n-2})$ and the coefficient vector
The anti-circulant matrix defined by polynomial $f$ is as follows:
Definition 4 (NTRU lattice). Let $q \ge 2$ be a positive integer, $n$ a power of two, $f, g \in R_q$, $f^{-1} \in R_q$ the inverse of $f$, and $h = g * f^{-1} \bmod q$. The NTRU lattice corresponding to $q$ and $h$ is as follows:
q is a set of basis matrices. $A_{q,h}$ can be uniquely determined by the polynomial $h \in R_q$, whereas the others can be compressed during storage. Thus, the storage space required is relatively small. However, in NTRU lattice-based cryptographic schemes, $A_{q,h}$ cannot be used as a trapdoor basis because it has poor orthogonality.
Definition 5 (discrete Gaussian distribution) [32]. For any $\sigma > 0$ and m-dimensional integer lattice Λ, the discrete Gaussian distribution on integer lattice Λ with vector $c \in \mathbb{R}^m$ as the center and σ as the parameter is defined as follows:
where Λ,c,σ be abbreviated as $\rho^m_\sigma$ and $D^m_{\Lambda,\sigma}$, respectively. And throughout the article, $D^m_{c,\sigma}$ denotes the discrete Gaussian distribution over $\mathbb{Z}^m$.

Related Algorithm
Lemma 1 (see [34]). Let an integer $n = 2^k$ for $k > 0$, a prime number $q = 1 \bmod 2n$, and a parameter $\sigma = 1.17\sqrt{q/2n}$. Then, a probabilistic polynomial time (PPT) algorithm TrapGen($n, q, \sigma$) can output a sample matrix $B_{f,g} \in \mathbb{Z}_q^{2n \times 2n}$ from (a distribution close to) $D^{2n \times 2n}$
[Table 1 (notations), recoverable fragments: "Set of m-dimensional column vectors over Z"; "$\mathbb{Z}_q^{n \times m}$: Set of matrices of n rows and m columns over"]
Lemma 2 (see [34]). Given a matrix $B_{f,g}$ and a parameter
Definition 8 (rejection sampling algorithm) [35]. In 2012, Lyubashevsky proposed rejection sampling technique for the first time and gave the first signature scheme without trapdoor on lattice with this technique. It can be applied to the signature system and can make the distributions of the signature and private key independent of each other. Thus, it can effectively prevent the leakage of the private key.
, the statistical distance of output distributions of Algorithms 1 and 2 is less than $2^{-\omega(\log m)}/M$.
Furthermore, the output probability of Algorithm 1 is at

Security Model
In this section, we present our security model and define related security concepts.

LRS Definition.
A LRS scheme consists of the following five PPT algorithms: (1) Setup($1^\lambda$): On input a security parameter λ, it outputs system public parameters PP.
(2) KeyGen(PP): On input the public parameters PP, it outputs a public/private key pair $(pk_i, sk_i)$. We denote by SK and PK the domains of possible private and public keys, respectively.
respectively. It checks whether $I_1 \stackrel{?}{=} I_2$ and outputs "Link" if $I_1 = I_2$; otherwise, it outputs "Unlink." "Link" means that the two signatures are generated by the same signer, and "Unlink" means that the two signatures are generated by different signers.
Definition 9 (correctness). Correctness for LRS contains verification correctness and linking correctness simultaneously.
(ii) Linking Correctness: For two valid signatures $\sigma_1(m_1)$, $\sigma_2(m_2)$ generated by using the same private key, the probability of the algorithm Link($\sigma(m_1)$, $\sigma(m_2)$) outputting "Unlink" is negligible. The formal definition of the correctness of the LRS scheme is shown in the following expressions:

Security Model.
Generally, a LRS scheme should satisfy three security properties, namely unforgeability, anonymity, and linkability. According to the security model of UALRS proposed by Liu et al. [8] in 2013, this study uses a series of games between an adversary A and a challenger S to describe the security model of LRS. Supposing there are l members in the ring, these three properties are described as follows: Before defining unforgeability, anonymity, and linkability, we consider the following oracles, which together simulate the adversary's ability to break the security of the scheme.

Computational Intelligence and Neuroscience
JO (Joining Oracle): A inputs member index k, and S outputs the corresponding public key $pk_k \in PK$ to A
CO (Corruption Oracle): A inputs a public key $pk_k \in PK$, which is a query output of JO, and S returns the corresponding private key $sk_k \in SK$
SO (Signing Oracle): A inputs a public key list $L = \{pk_i\}_{1 \le i \le l} \in PK$, and a message $m \in \{0,1\}^*$, and S returns a valid signature $\sigma(m)$
In addition, in the random oracle model, a random oracle HO is provided for users to query.

Unforgeability.
It means that users outside the ring cannot successfully forge a legal signature under the ring.
That is, if there is no private key of a member in the ring, even if the adversary obtains multiple valid message signature pairs, the probability of the adversary forging a valid signature successfully is negligible. Unforgeability for the LRS scheme is defined by the following game between an adversary A and a challenger S, in which A is given access to oracles JO, CO, SO, and HO:
(i) The system public parameters PP are generated by challenger S and given to A
(ii) A can access the oracles adaptively
Definition 10 (unforgeability). If the advantage $\mathrm{Adv}^{\mathrm{Unf}}_A$ of any PPT adversary A to win the unforgeability game is negligible, then the LRS scheme is unforgeable.

Unconditional Anonymity.
It means that given a ring signature, no one can guess the real signer. In other words, given the public keys of all the members of the ring, it is impossible for anyone to tell the public key of the actual signer with a probability larger than 1/l, where l denotes the cardinality of the ring, even if the adversary has unlimited computing time and resources. The unconditional anonymity of LRS is described by the following game between an adversary A and a challenger S, where A is granted access to oracle JO:
(i) The system public parameters PP are generated by challenger S and given to A;
(ii) A can access the oracle JO adaptively;
(iii) A gives S a public key list $L = \{pk_i\}_{1 \le i \le l}$, which are query outputs of JO, and a message $m^* \in \{0,1\}^*$. S randomly samples $b \in \{1, \dots, l\}$, uses the signature key $sk_b$ corresponding to $pk_b$ to run algorithm Sign(PP, L, m, $sk_b$), and generates and gives A the signature $\sigma(m^*)$; and
(iv) A returns the guess value $b' \in \{1, \dots, l\}$.
We express it as Adv Anon
Definition 11 (unconditional anonymity). If the advantage $\mathrm{Adv}^{\mathrm{Anon}}_A$ of any unbounded adversary A to win the anonymity game is negligible, then the LRS scheme is said to be unconditionally anonymous.
It is worth noting that though only JO is given to A, since A has unbounded computation power, it can compute the solution of any NP-hard problem, such as NTRU-SIS, large integer factorization, discrete logarithm, as well as the preimage of a given hash value. Therefore, unconditional anonymity in fact requires that in this case, A is still unable to reveal the public key of the actual signer of a RS with a probability higher than 1/l.

Linkability.
It means that two signatures generated by the same ring member can be linked. That is, an adversary who has less than two members' private keys in the ring cannot generate two valid signatures determined by the linking algorithm as "Unlink." The linkability of a LRS scheme is described by the following game between an adversary A and a challenger S, where A is granted access to oracles JO, CO, SO, and HO:
(i) The system public parameters PP are generated by challenger S and given to A
(ii) A can access the oracles adaptively
(iii) A gives S two sets $L_1 = \{pk_i\}_{1 \le i \le l_1}$ and $L_2 = \{pk_i\}_{1 \le i \le l_2}$, messages $m_1, m_2 \in \{0,1\}^*$, and signatures $\sigma(m_1)$ and $\sigma(m_2)$, where $\sigma(m_1)$ and $\sigma(m_2)$ contain the corresponding linking tags $I_1$, $I_2$, respectively
A wins the game if
(i) All public keys in $L_1 \cup L_2$ are query outputs of JO
is not an output of SO
(iii) CO has been queried less than two times
(iv) Link($\sigma(m_1)$, $\sigma(m_2)$) = "Unlink"
We express it as $\mathrm{Adv}^{\mathrm{Link}}_A = \Pr[A \text{ wins the game}]$.
Definition 12 (linkability). If the advantage $\mathrm{Adv}^{\mathrm{Link}}_A$ of any PPT adversary A to win the linkability game is negligible, then the LRS scheme is linkable.
Proof. Assuming $\sigma(m) = (m, (z_i)_{1 \le i \le l}, v, I)$ is a signature generated by a member of the ring according to the algorithms under public key set $L = \{h_i\}_{1 \le i \le l}$, then the following equation holds:
Given that $s_{k,0} + s_{k,1} * h_k = I$, we have
By using the rejection sampling algorithm described in Definition 8, the distribution of $(z_{i,0}, z_{i,1})$ is close to $D^n_s(z_i)$ for $1 \le i \le l$. Thus, by Lemma 3, we have $z_i = (z_{i,0}, z_{i,1})$ satisfies $\|z_i\| \le s\sqrt{2n}$ with a probability at least $1 - 2^{-\omega(\log n)}$. Therefore, the proposed scheme satisfies verification correctness.
Assume member k calculates the linking tags of messages $m_1$ and $m_2$ as $I_1$ and $I_2$, respectively. In the proposed scheme, $I_1 = s_{k,0} + s_{k,1} * h_k$ and $I_2 = s_{k,0} + s_{k,1} * h_k$ are generated by the signer's public and private keys, and thus this scheme satisfies linking correctness. This completes the proof.
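The ring operations of Definitions 2 to 4 and the tag comparison used in the linking-correctness argument above, as an added example that is not the authors' implementation. The parameters n = 8 and q = 97 are constructed toy values, key generation is a stand-in (small random polynomials instead of TrapGen and SamplePre), and the toy "signature" carries only the message and the tag I.

```python
import random

N, Q = 8, 97  # constructed toy parameters: n a power of two, prime q = 1 mod 2n


def add(f, g, q=Q):
    """Addition in R_q: coefficient-wise, reduced mod q."""
    return [(a + b) % q for a, b in zip(f, g)]


def conv(f, g, q=Q):
    """Convolution f * g in Z_q[x]/(x^n + 1); x^n wraps around as -1."""
    n = len(f)
    out = [0] * n
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            k = i + j
            if k < n:
                out[k] = (out[k] + a * b) % q
            else:
                out[k - n] = (out[k - n] - a * b) % q
    return out


def anticirculant(f, q=Q):
    """Matrix whose rows are the coefficient vectors of f, x*f, ..., x^(n-1)*f."""
    rows, row = [], [c % q for c in f]
    for _ in range(len(f)):
        rows.append(row)
        row = [(-row[-1]) % q] + row[:-1]  # x*f = (-f_{n-1}, f_0, ..., f_{n-2})
    return rows


def inverse(f, q=Q):
    """Inverse of f in R_q by Gauss-Jordan on u . A(f) = (1, 0, ..., 0); None if none exists."""
    n = len(f)
    A = anticirculant(f, q)
    # Row c of M encodes sum_r u_r * A[r][c] = (1 if c == 0 else 0).
    M = [[A[r][c] for r in range(n)] + [int(c == 0)] for c in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None  # A(f) is singular: f is not a unit in R_q
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(x * inv) % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                factor = M[r][col]
                M[r] = [(x - factor * y) % q for x, y in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]


def small_poly(rng, n=N):
    """Constructed stand-in for a short polynomial: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def toy_keypair(rng):
    """Stand-in key generation: small f, g with f invertible, and h = g * f^{-1} mod q."""
    while True:
        f, g = small_poly(rng), small_poly(rng)
        f_inv = inverse(f)
        if f_inv is not None:
            return (f, g), conv(g, f_inv)


def linking_tag(s0, s1, h, q=Q):
    """I = s_0 + s_1 * h, the tag form used in the correctness proof."""
    return add(s0, conv(s1, h, q), q)


def link(sig1, sig2):
    """Link: compare the linking tags carried by two signatures."""
    return "Link" if sig1["I"] == sig2["I"] else "Unlink"


def demo(seed=1):
    rng = random.Random(seed)
    (f, g), h_a = toy_keypair(rng)
    _, h_b = toy_keypair(rng)
    # Definition 4: h * f = g, so (u, v) = (g, -f) satisfies u + v * h = 0 mod q.
    relation = add(g, conv([-c for c in f], h_a))
    sk_a = (small_poly(rng), small_poly(rng))  # hypothetical private key of member a
    sk_b = (small_poly(rng), small_poly(rng))  # hypothetical private key of member b
    sig1 = {"m": b"report-1", "I": linking_tag(*sk_a, h_a)}
    sig2 = {"m": b"report-2", "I": linking_tag(*sk_a, h_a)}
    sig3 = {"m": b"report-1", "I": linking_tag(*sk_b, h_b)}
    return relation, link(sig1, sig2), link(sig1, sig3)


if __name__ == "__main__":
    print(demo())
```

Because the tag depends only on the key material and not on the message, two signatures by the same member link even when the messages differ, which is what lets a verifier reject a second use of the same key.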

Theorem 3 (unforgeability). Under the random oracle model, when the e-NTRU problem is intractable, the proposed LRS scheme is unforgeable.
Proof. Setup Phase: To solve the e-NTRU problem, S gets an instance $(h_i)_{1 \le i \le l}$
Query Phase: Adversary A is allowed to access oracles JO, CO, SO, and HO, and S responds as follows:
times at most, where $l' \ge l$. S selects a subset $X_l$ with $l$ random indexes. S assigns $(h_i)_{1 \le i \le l}$ to these $l$ indexes as their public keys, respectively. Moreover, for these $l$ indexes, S does not know the corresponding private keys. We use $l + 1, \dots, l'$ to denote other indexes. With regard to other $l' - l$ indexes, S obtains the public and private keys according to the algorithm KeyGen(PP). A inputs index j to query, and S outputs the corresponding public key.
(iii) CO: A inputs a public key $pk_i = h_i$, S checks whether i belongs to $X_l$. If so, then S stops; otherwise, S outputs the corresponding private key.
(iv) SO: A inputs a ring public key set $L = \{h_i\}_{1 \le i \le l}$, a public key $h_k$, where $k \in \{1, \dots, l\}$, and a message $m \in \{0,1\}^*$. S performs as follows: (1) If $h_k$ does not correspond to any element in the subset $X_l$, then S knows its private key and generates the signature according to the signature algorithm Sign(PP, L, m, $sk_k$). Otherwise, we assume that $h_k$ is obtained by JO.
(i) Verify(PP, $L^*$, $m^*$, $\sigma(m^*)$) = "1"
(ii) All of the public keys $pk_i = h_i$ in $L^*$ are query outputs of JO
(iii) A did not query CO about the public keys in $L^*$
(iv) $\sigma(m^*)$ is not a query output of SO
Analysis. Assuming the signature $\sigma(m^*)$ is a valid signature, the following shows how S can solve the e-NTRU problem using the forged results of A. We will consider the following two situations: (i) If $v^*$ appears in the SO, and assume that $\sigma(m) = (m, (z_{i,0}, z_{i,1})_{1 \le i \le l}, v^*, I)$ is a query output of SO.
Given that the signature is valid, it satisfies
Given that A successfully forged the signature, there is
When the function H collides, S aborts (Abort I).
Otherwise, from (22) and (23), there is
If $v^*$ appears in the H query and is stored as
When the function H collides, S aborts (Abort II). Otherwise, from (23) and (26), there is
S performs the following: when $i \ne k^*$, let $z_{i,0} = r_{i,0}$ and $z_{i,1} = r_{i,1}$; when $i = k^*$, let $z_{k^*,0} = r_{k^*,0} + v^* I$ and $z_{k^*,1} = r_{k^*,1}$. Then, we have
Given (23), (27), and (28), we have
Thus, the solution to the e-NTRU problem is
Probability Analysis. The challenger S fails when Aborts I and II occur. The probability of H colliding is $1/2^n$. Assume A can successfully forge the signature with probability ξ, then the probability of S solving the e-NTRU problem is $\xi - 1/2^n \times 2 = \xi - 1/2^{n-1}$. This completes the proof.
The anonymity proof of the signature is completed by the following game between adversary A and challenger S. If the signature distributions of l different members in the ring are computationally indistinguishable to adversary A, then this scheme satisfies anonymity.
Query Phase: A is allowed to access JO, and S responds as follows: JO: A inputs an index j to query. S runs the algorithm KeyGen(PP) to generate the public key $pk_j = h_j$ and returns it to A.
Challenge Phase: A inputs a public key list $L = \{h_i\}_{1 \le i \le l}$, and a message $m^* \in \{0,1\}^*$. S randomly chooses $b \in \{1, \dots, l\}$, then runs Sign(PP, L, $m^*$, $sk_b$) to generate the signature $\sigma(m^*)$ = Sign(PP, L, $m^*$, $sk_b$) and gives it to A, where $sk_b$ is the private key corresponding to index b.
Guess Phase: A gives a value $b' \in \{1, \dots, l\}$ as a guess for b.
Analysis. Suppose A is an adversary with unlimited computing power. Next, we will show the advantage $\mathrm{Adv}^{\mathrm{Anon}}_A$ of A in winning the anonymous game is negligible. We need to prove that the distributions of signatures generated with the private keys of different users are computationally indistinguishable.
First, even if A is an adversary with unlimited computing power, from the JO query, or from the challenger signature (which contains a linkability tag), A still cannot deduce the private key, as well as the corresponding index.
That is because the randomness of the algorithms TrapGen and SamplePre makes each public key $h_b$ correspond to multiple pairs $(s_{b,0}, s_{b,1})$, and which one is the actual private key of member b cannot be determined. Moreover, given a linking tag $I = s_{b,0} + s_{b,1} * h_b$, to know which member generated the linking tag I, it is no better than random guessing for the adversary. In addition, it should be noticed that the signature $\sigma(m^*)$ is generated by using not only a private key $(s_{b,0}, s_{b,1})$ but also a set of random numbers. Lemma 3 guarantees that the distributions of $(z_{b,0}, z_{b,1})$ and $(z_{i,0}, z_{i,1})_{i \ne b}$ are indistinguishable, and the distribution of $(z_{b,0}, z_{b,1})$ is independent of $(s_{b,0}, s_{b,1})$. That is, in the view of the adversary, the signature $\sigma(m^*)$ is independent of the index b of the actual signer. Hence, we can conclude that even an unbounded adversary cannot guess the index b with a probability greater than 1/l.
We can infer that when A is a normal adversary, that is, A has limited computing power and time, obviously it cannot destroy the anonymity of the scheme. This completes the proof.
Proof. We will show that if the proposed scheme satisfies unforgeability, then it will satisfy linkability. The linkability proof of the scheme is completed by the following game interaction between an adversary A and a challenger S.
(i) S generates the system public parameters PP and public and private keys $(pk_i, sk_i)_{1 \le i \le l}$, and then sends PP to A
(ii) A can access JO, CO, SO, and HO, and the process of accessing JO, CO, SO, and HO in the linkability game is the same as that in the unforgeability game
(iii) Suppose A outputs two signatures $\sigma_1(m_1)$ = ($m_1$, under public key set L, which satisfy the following conditions: (1) All public keys in L are outputs of JO
Analysis. Assume A can generate two signatures $\sigma_1(m_1)$ and $\sigma_2(m_2)$ with a nonnegligible probability η while holding only one private key $sk_k$, and "1" ← Verify(PP, L, $m_i$, $\sigma_i(m_i)$) for $i = 1, 2$. Given that the proposed LRS scheme is unforgeable, these two signatures can be validated by the Verify algorithm if and only if A honestly generates signatures $\sigma_1(m_1)$ and $\sigma_2(m_2)$ using his private key $sk_k$. In other words, we have $I_1 = s_{k,0} + s_{k,1} * h_k$ and $I_2 = s_{k,0} + s_{k,1} * h_k'$. And since there is also only one public key corresponding to this private key, that is, $h_k = h_k'$, we have $I_1 = I_2$. This indicates that the algorithm Link($\sigma_1(m_1)$, $\sigma_2(m_2)$) returns "Link" when given two signatures $\sigma_1(m_1)$ and $\sigma_2(m_2)$. Hence, the advantage $\mathrm{Adv}^{\mathrm{Link}}_A$ of A is negligible. This completes the proof. □

Discussion

Parameter Selection.
The security of the proposed scheme is based on the e-NTRU problem, which is reduced to the NTRU-SIS problem. The NTRU-SIS problem is to find two polynomials $(u, v) \in R_q^2$ that satisfy $u + v * h = 0 \bmod q$ and $\|u\|, \|v\| \le \beta$ in the NTRU lattice, which is in turn reduced to c-Ideal-SVP problem. Similar to [34,36], we use the "root Hermite factor c" which measures the hardness of c-Ideal-SVP problems to select the parameters.
If we look for a polynomial v in an n-dimensional lattice, which is greater than the n-th root of the determinant, then the associated c is
$\|v\| / \det(\Lambda)^{1/n} = c^n$. (30)
According to [37], if we look for a small-size polynomial v in the NTRU lattice, the associated c is
$\sqrt{n/(2\pi e)} \cdot \det(\Lambda)^{1/n} / \|v\| = 0.4 c^n$.
From the results in [36,38], if the value of c is approximately 1.007, finding the polynomial is at least 80 bits hard. If the value of c is less than 1.004, finding the polynomial is at least 192 bits hard. The methods to attack the proposed scheme are mainly to attack the ring member's public key and the signature. The public key of the member i is a polynomial . So using (32) to calculate the value of c, we have $c = (\sqrt{n}/1.368)^{1/2n}$. When $n = 256$, $c \approx 1.0048$, it is at least 80 bits hard to attack the ring member's public key, and when $n = 512$, $c \approx 1.0027$, it is at least 192 bits hard to attack the ring member's public key. The attack on the signature of the member i is to find a vector $(z_{i,0}, z_{i,1})$ passing the verification algorithm without member i's private key. It can be seen from Lemma 3, . Since $s = (0.585/\pi)\sqrt{q \ln(2 + 2/\eta)}$, where $\eta = 2^{-\lambda}/2n$, there is $s = 1.4708\sqrt{q}$ for $n = 256$ and $s = 2.2089\sqrt{q}$ for $n = 512$. So, computing the value of c by (28), we have
When $n = 256$, $c \approx 1.0069$, to attack the ring member's signature is at least 80 bits hard, and when $n = 512$, $c \approx 1.0041$, to attack the ring member's signature is at least 192 bits hard. The recommended choice of the parameters is shown in Table 2.

Post-Quantum Security.
The proposed scheme is based on the hard assumption over lattice which is generally recognized to provide anti-quantum security. The security proof of the proposed scheme is unlikely to be extended to the Quantum Random Oracle Model [39] (QROM): in the security proof (Theorems 3 and 5), we use the adaptive programming of random oracle (RO) H, and this proof technique is inherent in the structure to some extent.
We note that other schemes built on QROM, such as [40,41], also use the form of RO programming (even if not adaptive). In addition, although Fiat-Shamir seems unlikely to be proved in QROM, to the best of our knowledge, there are no attacks on the protocols using these proof technologies, which stems from the use of RO.

Performance Analysis
In this section, the proposed LRS scheme is compared with the schemes [23,24,26,27,30] in terms of efficiency. We mainly compare these schemes in terms of elapsed time and storage space.
Comparison terms in Table 3 include signature generation cost, signature verification cost, unconditional anonymity, and hardness assumption. Comparison terms in Table 4 include public and private key, as well as signature size of each user. In Tables 3 and 4, $n$ is the degree of polynomials, $q = 1 \bmod 2n$ is a large prime number, $l$ represents the cardinality of the ring, and $k$ and $v$ are integers. The time costs of running the discrete Gaussian sampling algorithm and the rejection sampling algorithm once are represented by $T_{SD}$ and $T_{RS}$, respectively. In general, $T_{SD} > T_{RS}$. The time cost for polynomial-polynomial multiplication is represented by $T_{Mul}$, and $T_{Mul} > T_{SD}$. The time overhead of hash, matrix-matrix addition, and polynomial-

Table 3

| Scheme | Signature generation cost | Signature verification cost | Unconditional anonymity | Hardness assumption |
|---|---|---|---|---|
| [23] | $nlT_{SD} + kn(2l-1)T_{Mul} + nT_{RS}$ | $2knlT_{Mul}$ | No | MSIS, MLWE |
| [24] | $knlT_{SD} + k^2n(2l+1)T_{Mul} + knT_{RS}$ | $2k^2nlT_{Mul}$ | Yes | R-SIS |
| [26] | $knlT_{SD} + kn(2l+1)T_{Mul} + knT_{RS}$ | $2knlT_{Mul}$ | No | MSIS, MLWE |
| [27] | $vnT_{SD} + 5knT_{Mul}\log l$ | $2knT_{Mul}\log l$ | No | MSIS, MLWE |
| [30] | $2n(l+1)$ | | | |
In terms of signature generation cost, the proposed scheme mainly uses the Gaussian sampling algorithm $2l$ times, the polynomial-polynomial multiplication $l$ times, and the rejection sampling algorithm once. Hence, the signature generation cost is $2nlT_{SD} + nlT_{Mul} + 2nT_{RS}$. In terms of signature verification cost, since the proposed scheme primarily runs polynomial-polynomial multiplication $l$ times, the signature verification cost is about $nlT_{Mul}$. From Table 3, because $T_{Mul} > T_{SD} > T_{RS}$, the proposed scheme has higher signature generation and verification efficiency than the four schemes of [23,24,26,30]. The signature generation and verification time of the proposed scheme is linearly related to the number of ring members $l$, while that of the scheme of [27] has a logarithmic relationship with $l$. Therefore, when $l$ is large, the signature generation and verification efficiency of the scheme of [27] is better than that of the proposed scheme. But when $l$ is small, the proposed scheme is more efficient under the settings of the relevant parameters. In addition, only Alberto Torres et al.'s scheme [24] and our scheme can achieve unconditional anonymity, while the other four schemes only have computational anonymity. And the efficiency of signature generation and verification of our scheme is obviously higher than that of Torres et al.'s scheme.
In the proposed scheme, the public key of the member in the ring is a small polynomial $h_i \in R_q$ generated by the trapdoor generation algorithm TrapGen, and the private key corresponds to two small polynomials in $R_q$. Therefore, the public and private key lengths of the proposed scheme are $n \log q$ and $2n \log q$, respectively. As shown in Table 4, the public and private key lengths of [23,24,26,27,30] are $(kn \log q, n \log q)$, $(n \log q, kn \log q)$, $(3kn \log q, kn \log q)$, $(kvn \log q, vn \log q)$, and $(n \log q, 9n \log q)$, respectively. Hence, the public key size of the proposed scheme is similar to that of [24,30] and smaller than that of [23,26,27]. With respect to private key size, the private key size of the proposed scheme is larger than that of [23] and they are both smaller than that of [24,26,27,30]. For signature size, the signature size of the scheme [27] has a logarithmic relationship with $l$, while that of the other five schemes including the proposed scheme has a linear relationship with $l$. But the growth rate of the signature size of [23,30] and the proposed scheme is obviously slower than that of [24,26].

Implementation and Evaluation
We implemented and evaluated the proposed LRS scheme on a typical laptop configured with a Windows 8.1 system, an Intel(R) Core(TM) i5-4210U CPU @ 1.70 GHz processor, and 4.00 GB of running memory. We selected parameters to make the proposed scheme secure, and detailed parameter settings are given in Table 5. We ran the signature generation and verification algorithms 1000 times. At security level $\lambda = 80$, the average running time of these algorithms of the five schemes under different numbers of ring members is shown in Table 6. It can be seen from Table 6 that the signature generation and verification of [24] take the longest time among the six schemes, while the signature generation and verification time of the proposed scheme is shorter than that of [23,24,26,30]. Compared with [27], when $l \le 256$, the proposed scheme has higher signature efficiency, but when $l \ge 512$, the signature efficiency of the proposed scheme needs to be improved. On average, compared with the other five schemes, the signature generation and verification time of the proposed scheme is reduced by about 56.61% and 65.18%, respectively. Especially compared with [24], which also has unconditional anonymity as ours, the signature generation and verification time of the proposed scheme is reduced by about 94.52% and 97.18%, respectively.
At security level $\lambda = 80$, the comparison between the proposed scheme and the other five schemes on public/private key size and signature size under different numbers of ring members is shown in Table 7. As for the public key size, the public key size of the proposed scheme is equal to that of [24,30] and smaller than that of [23,26,27]. With respect to private key size, the private key size of the proposed scheme is larger than that of [23] but is significantly smaller than that of [24,26,27,30]. In the case of signature size, the signature size of the proposed scheme is larger than that of [23] but is significantly smaller than that of [24,26,30]. When $l \ge 64$, the signature size of the scheme in [27] is shorter than that of the proposed scheme. However, the scheme of [27] only has computational anonymity, while the proposed scheme has unconditional anonymity. Especially compared with [24], the signature size of the proposed scheme is reduced by 58.03% on average.
In addition, in the above experiment, we only completed the proof-of-concept work and did not consider potential

Conclusions
Based on the e-NTRU problem, this study constructed an LRS scheme on NTRU lattice by combining preimage and rejection sampling techniques. Under the random oracle model, the security of our LRS scheme was analyzed in detail. The analysis results show that our scheme satisfies the requirements of correctness, unforgeability, and linkability based on the intractability of the e-NTRU problem in the random oracle model. In particular, our scheme can achieve unconditional anonymity. The efficiency of the proposed scheme was analyzed in detail, and the optional parameter settings of the proposed scheme that meet the security requirements are given. Finally, the proposed scheme and other five latest lattice-based LRS schemes are implemented, which shows that under the same security level, the proposed scheme has higher signature generation and verification efficiency as well as shorter signature size compared with other five LRS schemes.

Data Availability
The data that support our findings are available at https://github.com/wang-0218/ring-signature.

Conflicts of Interest
The authors declare that they have no conflicts of interest.