Fuzzy Identity-Based Ring Signature from Lattices

In this paper, a construction of a fuzzy identity-based ring signature scheme (LFIBRS) is proposed. Our LFIBRS combines the characteristics of both the fuzzy identity-based signature (FIBS) and the ring signature. On the one hand, a signature issued under an identity ID can be verified by any identity ID′ that is "close enough" to the identity ID. Since biometric identification is well known as the most popular and reliable identification method, our LFIBRS can be applied whenever an official audit or supervision requires that the signer's real identity be authenticated. On the other hand, LFIBRS provides anonymity under the random oracle model. In addition, LFIBRS provides unforgeability under the small integer solution (SIS) lattice hardness assumption, which can resist large-scale quantum computer attacks in the future.


Introduction
Ring signatures, which were first suggested by Rivest, Shamir, and Tauman [1], allow signing a message on behalf of a spontaneous set of signers, without breaking the anonymity of the signatory. Recently, many versions of ring signature schemes based on this concept have been constructed.
Nevertheless, numerous ring signature schemes rely on classical number-theoretic or algebraic assumptions, such as the large integer factoring problem [1, 2], the discrete logarithm problem [3–5], and bilinear pairing problems [6–10]. None of these schemes remain secure once powerful quantum computers arrive. Among the current postquantum cryptographic candidates, lattice-based cryptography has recently attracted significant attention from cryptographers. In 2008, the first lattice-based ring signature scheme was constructed by Gentry et al. [11], and since then many lattice-based ring signature schemes have been constructed [12–14]. Shamir [15] introduced the identity-based cryptosystem. Later, Sahai and Waters [16] put forward the concept of fuzzy identity-based encryption (FIBE), regarding an identity as a set of biometric attributes rather than an arbitrary string. Since then, many kinds of fuzzy identity-based signature schemes have been constructed [17–21]. As one of the most promising research directions in postquantum cryptography, lattice-based cryptography has attracted great attention due to several potential advantages: asymptotic efficiency, worst-case hardness guarantees, and security against quantum computing.
How to design a secure and efficient lattice-based cryptosystem is a very interesting and challenging problem. In this manuscript, based on the work of [21, 22], a fuzzy identity ring signature scheme based on a computationally hard problem on lattices is constructed by combining the characteristics of the fuzzy identity signature and the ring signature.

Related Work.
Wang et al. [23] proposed a lattice-based ring signature scheme in the Bonsai tree model, based on the hardness of the SIS problem; its unforgeability was proved in both the random oracle model and the standard model. Wang [24] and Jia et al. [22] proposed identity-based ring signature schemes from lattices, also based on the hardness of the SIS problem. To our knowledge, Yao and Li [19] constructed the first FIBS scheme based on the hardness of the SIS problem; using Bonsai tree techniques, they proved that their scheme is secure in the random oracle model. Recently, Zhang et al. [21] proposed an extended version of Yao and Li's FIBS scheme and claimed that it can capture more expressive attributes in a large universe. Besides, their version was proved strongly unforgeable against selective chosen-identity and adaptive chosen-message attacks (SU-sID-CMA) in the standard model.

Contributions.
In this paper, we propose a fuzzy identity-based ring signature scheme (LFIBRS) based on the hardness of the SIS problem and prove that it is unforgeable in the random oracle model. In this work, we focus on combining the characteristics of the ring signature and the fuzzy identity-based signature from lattices, which enables our scheme to provide biometric authentication and maintain anonymity at the same time.

Structure of the Paper.
In Section 2, some mathematical symbols, integer lattices, and the statistical distance are defined. Section 3 gives the framework of the signature scheme. The construction of our signature scheme is described in Section 4. The security of our LFIBRS is proved in Section 5. Finally, some comparisons with other related works and concluding remarks are given.

Notations.
In this section, we make use of the following notations:
$[i]$: the set $\{1, 2, \ldots, i\}$
$x \leftarrow S$: $x$ is sampled uniformly at random from the set $S$
$\|z\|$: the Euclidean norm of $z$
$\|A\|$: the norm of $A$, defined as the norm of its longest column, $\|A\| = \max_i \|A_i\|$
$\tilde{A}$: the matrix after Gram-Schmidt orthogonalization

Integer Lattices
The $m$-dimensional lattice $\Lambda$ generated by $B$ is as follows:
Definition 2. For prime $q \ge 2$ and matrix $A \in \mathbb{Z}^{n \times m}$, define
For $s > 0$, define the Gaussian function on $\mathbb{R}^m$ with center $c$: for all $e \in \mathbb{R}^m$, $\rho_{s,c}(e) = \exp(-\pi \|e - c\|^2 / s^2)$. For an $m$-dimensional lattice $\Lambda$, define $\rho_{s,c}(\Lambda) = \sum_{e \in \Lambda} \rho_{s,c}(e)$. For $c \in \mathbb{R}^m$ and $s > 0$, define the discrete Gaussian distribution over $\Lambda$ as follows: for all $e \in \Lambda$, $D_{\Lambda,s,c}(e) = \rho_{s,c}(e) / \rho_{s,c}(\Lambda)$. For convenience, if $c = 0$, we denote $D_{\Lambda,s,c}$ as $D_{\Lambda,s}$.

Lattice-Related Algorithms.
How to obtain a matrix $A$ together with a basis of $\Lambda_q^\perp(A)$ of low Gram-Schmidt norm was introduced by Ajtai [25], and two improved algorithms were proposed in [26, 27], respectively.
Lemma 1 (see [26]). Let $q \ge 3$ be an odd integer, $n \ge 1$, and $m = 2n \log q$. There exists a PPT algorithm TrapGen$(q, n, m)$ that outputs $A$ and $T_A$ such that $A$ is statistically close to a uniform matrix in $\mathbb{Z}_q^{n \times m}$ and $\|T_A\| \le O(\sqrt{n \log q})$, with all but negligible probability in $n$.
In this subsection, we recall several useful facts on lattices from the literature [1, 28], in order to generate another short basis for a lattice which contains a sublattice isomorphic to the original one.
Lemma 2 (Lemma 3.2 of [28]). On input $A \in \mathbb{Z}_q^{n \times m}$, whose columns generate the entire group $\mathbb{Z}_q^n$, and an arbitrary $B \in \mathbb{Z}_q^{n \times m'}$, given a basis
Moreover, this statement holds even for any given permutation of the columns of $A'$.

Lemma 3 (Lemma 3.3 of [28]). On input
and no information specific to $T_A$ is leaked.
We adopt the preimage sampling lemma from the discrete Gaussian distribution over lattices, which is shown in [11].
Lemma 4 (see [11]). Assume integer $q \ge 2$, $A \in \mathbb{Z}_q^{n \times m}$, and real $0 < \epsilon < 1$. Let $T_A$ be a short basis for $\Lambda_q^\perp(A)$; parameter
In [22], Lemma 4 is extended to a matrix sampling algorithm, which is repeated as follows.

Lemma 5 (see [22]). On input $A \in \mathbb{Z}_q^{n \times m}$ and $s \ge \|T\| \cdot \omega(\sqrt{\log n})$, given a short basis $T$ for $\Lambda_q^\perp(A)$ and an arbitrary matrix $V \in \mathbb{Z}_q^{n \times k}$, there is a polynomial-time algorithm SampleMatPre$(A, T, s, V)$ which outputs a matrix $S \in \mathbb{Z}_q^{m \times k}$ such that $AS = V$, $S$ is statistically close to $D_{\Lambda^\perp(A), s}$, and $\|S\| \le s\sqrt{m}$ holds with overwhelming probability.
Rejection sampling is an important technique in lattice-based signature schemes, proposed by Lyubashevsky in [29]. In the signing process, the candidate signature is output with a certain probability without using a preimage sampling algorithm; hence, the distribution of the output signature is independent of the signer's private key. For the rejection sampling technique, we use the following two results.
Lemma 6 (Lemma 4.4 of [29]). For any $\sigma > 0$ and integer $m$, the following inequalities hold:
Moreover, the probability that $\mathcal{A}$ outputs something is at least $(1 - 2^{-\omega(\log m)})/M$.

Statistical Distance.
The statistical distance measures how different two probability distributions are. Since it is used in the anonymity proof of our scheme, we recall it as follows.
Definition 3 (Definition 8.5 of [30]). Let $X$ and $X'$ be two random variables over a countable set $S$. The statistical distance between $X$ and $X'$ is defined by
The following lemmas show that the statistical distance cannot be increased by a randomized algorithm.
Lemma 7 (Proposition 8.9 of [30]). Let $X_1, X_2, \ldots, X_k$ and $Y_1, Y_2, \ldots, Y_k$ be two lists of totally independent random variables. Then,
Lemma 8 (Proposition 8.10 of [30]). Assume that $X$ and $X'$ are two random variables over a set $S$. For any (possibly randomized) function $f$ with domain $S$, the statistical distance between $f(X)$ and $f(X')$ is at most
The SIS problem is as hard as the worst-case lattice problem; this was first proved by Ajtai [25], and then by Micciancio and Regev [31] and Gentry et al. [11]. We recall it as follows.

Definition 4. The SIS problem in the Euclidean norm is as follows: given an integer $q$, a matrix $A \in \mathbb{Z}_q^{n \times m}$, and a positive real $\beta$, find a nonzero vector $e \in \mathbb{Z}^m$ satisfying $Ae = 0 \bmod q$ and $\|e\| \le \beta$.
Lemma 9 (Theorem 5.16 of [31]). For polynomially bounded $m$, $\beta = \mathrm{poly}(n)$, and prime $q \ge \beta \cdot \omega(\sqrt{n \log n})$, the average-case $\mathrm{SIS}_{q,n,m,\beta}$ problem is as hard as approximating the shortest independent vector problem $\mathrm{SIVP}_\gamma$ to within certain
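An added Python illustration (not code from the paper) tying Lemma 6 to Definition 3: in one dimension and with the page's Gaussian convention $\rho_{s,c}(e) = \exp(-\pi\|e-c\|^2/s^2)$, it computes the exact output distribution of the rejection step for a key-dependent centre $c$ and its statistical distance from the key-independent $D_{\mathbb{Z},s}$. The constant $M$ in `rejection_constant` is our own choice, since the page does not reproduce the inequalities of Lemma 6, and the parameters $s = 20$, $c = 5$ are constructed.

```python
import math


def rho(z, s, c=0.0):
    """Gaussian function rho_{s,c}(z) = exp(-pi * |z - c|^2 / s^2) from Section 2, in one dimension."""
    return math.exp(-math.pi * (z - c) ** 2 / s ** 2)


def discrete_gaussian(s, c=0.0, tail=12.0):
    """Discrete Gaussian D_{Z,s,c}(z) = rho_{s,c}(z) / rho_{s,c}(Z), truncated to |z - c| <= tail * s
    (the mass outside is far below floating-point resolution).  Returns {z: probability}."""
    lo, hi = math.floor(c - tail * s), math.ceil(c + tail * s)
    weights = {z: rho(z, s, c) for z in range(lo, hi + 1)}
    total = sum(weights.values())
    return {z: w / total for z, w in weights.items()}


def rejection_constant(s, c, tau=2.0):
    """Assumed choice of M (not taken from the page): an upper bound on
    rho_s(z) / rho_{s,c}(z) = exp(pi (c^2 - 2 z c) / s^2) over the bulk |z| <= tau * s."""
    return math.exp(math.pi * (c * c + 2.0 * abs(c) * tau * s) / s ** 2)


def rejection_output(s, c, M):
    """Exact distribution of what the rejection step outputs.  The signer samples
    z <- D_{Z,s,c}, where the centre c depends on the secret key, and outputs z with
    probability min(1, D_{Z,s}(z) / (M * D_{Z,s,c}(z))); otherwise it restarts.
    Returns (distribution of the output conditioned on acceptance, acceptance probability)."""
    target = discrete_gaussian(s, 0.0)
    shifted = discrete_gaussian(s, c)
    accepted = {}
    for z, p_shifted in shifted.items():
        p_target = target.get(z, 0.0)
        accept = min(1.0, p_target / (M * p_shifted))
        if accept > 0.0:
            accepted[z] = p_shifted * accept
    p_accept = sum(accepted.values())
    return {z: w / p_accept for z, w in accepted.items()}, p_accept


def statistical_distance(X, Y):
    """Definition 3: Delta(X, Y) = 1/2 * sum_u |Pr[X = u] - Pr[Y = u]|."""
    support = set(X) | set(Y)
    return 0.5 * sum(abs(X.get(u, 0.0) - Y.get(u, 0.0)) for u in support)


def secret_independence(s, c):
    """Compare the output distribution for a secret-dependent centre c with the output
    for centre 0 (the key-independent reference D_{Z,s}).  Returns
    (statistical distance, acceptance probability, 1/M)."""
    M = rejection_constant(s, c)
    out_c, p_c = rejection_output(s, c, M)
    out_0, _ = rejection_output(s, 0.0, M)
    return statistical_distance(out_c, out_0), p_c, 1.0 / M


if __name__ == "__main__":
    dist, p_acc, inv_m = secret_independence(s=20.0, c=5.0)   # constructed toy parameters
    print(f"statistical distance to key-independent output: {dist:.2e}")
    print(f"acceptance probability {p_acc:.4f} vs 1/M {inv_m:.4f}")
```

Without the rejection step the raw sample $z \leftarrow D_{\mathbb{Z},s,c}$ is at statistical distance about 0.25 from $D_{\mathbb{Z},s}$ for these parameters, which is the key leakage the technique removes at the price of an acceptance rate near $1/M$.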

System Framework and Security Model of LFIBRS Scheme
A fuzzy identity-based ring signature scheme consists of the following four probabilistic polynomial-time (PPT) algorithms:
SetUp$(q, n, m)$: The Private Key Generator (PKG) runs a PPT algorithm that takes the security parameter $n$ as input and generates the system parameters PP, an error tolerance parameter $k$, and the master keys MK. The system parameters PP are made public and the master keys MK are kept secret.

KeyExt(ID, PP, MK): A PPT algorithm that takes an identity ID, the public parameters PP, and the master keys MK as input and outputs secret keys SK and a public key $A_{\mathrm{ID}}$ associated with ID.
Sign$(\mu, \mathrm{SK}, \mathrm{PK}, \mathrm{PP})$: A PPT algorithm that takes the public parameters PP, the public keys $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}}\}_{i \in [l]}$ corresponding to the identities of the $l$ ring members, the secret keys SK associated with an identity ID, and a message $\mu$ as input and outputs a signature $\sigma$.
Verify$(\mu, \sigma, \mathrm{ID}', \mathrm{PP}, \mathrm{PK})$: A deterministic algorithm that takes the public parameters PP, a fuzzy identity $\mathrm{ID}'$, the message $\mu$, the public keys PK, and the corresponding signature $\sigma$ as input and outputs "1" or "0".
The correctness of a ring signature scheme with fuzzy identity means that the verification algorithm always outputs "1" for a legal signature and "0" for an illegal signature.

Security Properties.
A secure ring signature must satisfy anonymity and unforgeability. The formal definitions of the security model are given as follows.

Definition 6 (anonymity). If no polynomial-time adversary $\mathcal{A}$ can win the following game with non-negligible advantage, the LFIBRS scheme is signer-ambiguous.
(1) Setup: on input the system parameter $n$, $\mathcal{C}$ generates and sends the public parameters PP and the maximum possible user set $U_N = \{\mathrm{ID}^{\langle 1 \rangle}, \mathrm{ID}^{\langle 2 \rangle}, \ldots, \mathrm{ID}^{\langle N \rangle}\}$ to $\mathcal{A}$.
(2) Query: $\mathcal{A}$ performs a polynomially bounded number of queries.
$\ldots, \mathrm{ID}^{\langle i_l^* \rangle}\} \subseteq U_N$, and uses the master key MK to generate the secret keys $\mathrm{SK}_{i_0}$ and $\mathrm{SK}_{i_1}$ corresponding to $\mathrm{ID}_{i_0}$ and $\mathrm{ID}_{i_1}$. $\mathcal{C}$ randomly selects $b \in \{0, 1\}$ and then calls the signature algorithm to generate the signature
$\mathcal{A}$ wins the game.

The advantage is defined as $\mathrm{Adv}$
Definition 7 (unforgeability). If no polynomial-time adversary $\mathcal{A}$ can win the following game with non-negligible advantage, then the LFIBRS scheme is said to be unforgeable.
(1) Setup: $\mathcal{C}$ publishes the parameters PP and the identity set $U_N$ and sends them to $\mathcal{A}$.
(2) Query: the adversary $\mathcal{A}$ can perform polynomially many queries:
Private key query: $\mathcal{C}$ calls the private key extraction algorithm, obtains the secret key SK corresponding to the identity ID, and returns it to $\mathcal{A}$.
Signature query: $\mathcal{C}$ calls the signature algorithm to get the signature $\sigma$ of the message $\mu$ and returns it to $\mathcal{A}$.
(3) Forgery: the adversary $\mathcal{A}$ submits $(i^*, \mathrm{ID}'^*, \mathrm{PK}, \mu^*, \sigma^*)$ and wins the game if the following conditions hold: (a) $\sigma^*$ is a legal signature; (b) $\mathcal{A}$ did not query the private key of $\mathrm{ID}'^*$; (c) $\mathcal{A}$ did not query a signature on $\mathrm{ID}'^*$ and $\mu^*$.
The advantage is defined as

Construction of LFIBRS
In this part, we present our construction of LFIBRS from lattices. The LFIBRS consists of four probabilistic polynomial-time algorithms: Setup, KeyExt, Sign, and Verify. The notation used in the proposed LFIBRS scheme is given in the following.

LFIBRS Setup.
This phase can be described as follows:
Step 1. For $i \in [l]$, run TrapGen$(q, n, m)$ to generate a uniformly random matrix $E_i \in \mathbb{Z}_q^{n \times m}$ together with a short basis $T_{E_i}$.
Step 2. Run TrapGen$(q, n, m)$ to generate a uniformly random matrix $B \in \mathbb{Z}_q^{n \times m}$ together with a short basis $T_B$ for $\Lambda^\perp(B)$, such that $\|T_B\| \le O(\sqrt{n \log q})$.
Step 3. For $i \in [l]$, randomly choose a matrix $F_i$ in $\mathbb{Z}_q^{n \times m}$.
Step 4. Randomly choose matrices $B, C$ in $\mathbb{Z}_q^{n \times m}$ and $D$ in $\mathbb{Z}_q^{m \times m}$.
Step 5. Select hash functions
Step 6. Select an error tolerance parameter $k$ such that $k \le l - 1$.
Step 7. Output public parameters PP and master keys MK:

LFIBRS-KeyExt.
Input a user whose identity is $\mathrm{ID} = (\mathrm{ID}_1, \mathrm{ID}_2, \ldots, \mathrm{ID}_l)$, with $\mathrm{ID}_i \in \mathbb{Z}_q^m$ for $i \in [l]$. The steps are as follows:
Step 2. For $i \in [l]$, compute the matrix $T_{G_i}$ using the algorithm RandBasis$(G_i, \mathrm{ExtBasis}(T_{E_i}, E_i), s_0)$.
Step 3. Compute $\mathrm{PK}_{\mathrm{ID}} = [B \mid H_2(\mathrm{ID}) D]$, $\mathrm{PK}_{\mathrm{ID}} \in \mathbb{Z}_q^{n \times 2m}$. We remark that $\mathrm{PK}_{\mathrm{ID}} = [B \mid H_2(\mathrm{ID}) D]$ plays the role of the associated public key.
Step 4. Compute the matrix $T_{\mathrm{PK}_{\mathrm{ID}}}$ using the algorithm RandBasis$(\mathrm{PK}_{\mathrm{ID}}, \mathrm{ExtBasis}(T_B, B), s_0)$.
Step 5. Run SampleMatPre$(\mathrm{PK}_{\mathrm{ID}}, T_{\mathrm{PK}_{\mathrm{ID}}}, s, C)$ to generate $S_{\mathrm{ID}} \in \mathbb{Z}_q^{2m \times m}$ with $\mathrm{PK}_{\mathrm{ID}} S_{\mathrm{ID}} = C$, such that
Step 6. Output $\mathrm{PK}_{\mathrm{ID}}$ and $\mathrm{SK} = (\{T_{G_i}, G_i\}_{i \in [l]}, S_{\mathrm{ID}})$. $\mathrm{PK}_{\mathrm{ID}}$ is the public key of ID, and $\mathrm{SK} = (\{T_{G_i}, G_i\}_{i \in [l]}, S_{\mathrm{ID}})$ are the corresponding secret keys.

LFIBRS-Sign.
Input a message $\mu$ and the public keys $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}}\}_{i \in [l]}$ corresponding to the identities of the $l$ ring members, where the identity $\mathrm{ID}^{\langle \pi \rangle}$ ($\pi \in [l]$) of the real signer is related to the public key $\mathrm{PK}_{\mathrm{ID}^{\langle \pi \rangle}}$ and the secret keys $\mathrm{SK}_\pi = (\{T_{G_i}, G_i\}_{i \in [l]}, S_{\mathrm{ID}^{\langle \pi \rangle}})$. The signing process is as follows:
Step 1. Compute $v_1 = H_3(\mu, \mathrm{PK})$.
Step 2. Write $v_1 = (v_{11}, v_{12}, \ldots, v_{1m}) \in \mathbb{Z}_q^m$. Shamir's secret sharing scheme is applied to every coordinate $v_{1a}$ of $v_1$; that is, for each $a \in [m]$, a polynomial $p_a$ of degree $k - 1$ is constructed over $\mathbb{Z}_q$ such that $p_a(0) = v_{1a}$.
Step 4. For $i \in [l]$, call the algorithm SamplePre$(G_i, T_{G_i}, v_a, s_2)$ to compute $e_i \in \mathbb{Z}_q^{2m}$.
Step 6. Let $z_\pi = S_{\mathrm{ID}^{\langle \pi \rangle}} \cdot v + e_\pi$, and call algorithm $\mathcal{A}$ of Theorem 1; if there is an output, output $z_\pi$; otherwise, reselect the public key and go back to Step 1.

LFIBRS-Verify.
Input the fuzzy identity $\mathrm{ID}' = (\mathrm{ID}'_1, \mathrm{ID}'_2, \ldots, \mathrm{ID}'_l)$, the public parameters PP, the message $\mu$, the public keys $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}}\}_{i \in [l]}$, and the signature $\sigma$. The verification process is given as follows:
. If it is true, continue to the next step. Otherwise, stop.
Step: if it holds, continue to the next step. Otherwise, stop.
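The threshold skeleton behind Sign Step 2 and the verifier's subset search, as an added Python illustration that is not the paper's code: each coordinate of $v_1$ is Shamir-shared among the $l$ ring members with threshold $k$, and a verifier whose fuzzy identity $\mathrm{ID}'$ agrees with the signer's ID in only some coordinates tries $k$-subsets of the usable shares (the $C_l^k$ worst case noted in the conclusions). The lattice preimages $e_i$, the hash functions and the rejection step are left out; the modulus `Q`, the vector `v1`, and the share check standing in for the per-coordinate lattice equation are constructed assumptions.

```python
import random
from itertools import combinations

# Constructed demo modulus: a small prime so the arithmetic is easy to follow
# (the scheme's q is a large prime fixed by the lattice parameters).
Q = 8191


def share_coordinate(v1a, k, l, q=Q, rng=random):
    """Shamir-share one coordinate v_{1a} of v_1 among l ring members (Sign, Step 2):
    pick a random polynomial p_a of degree k-1 over Z_q with p_a(0) = v_{1a}
    and give ring member i the share p_a(i)."""
    coeffs = [v1a % q] + [rng.randrange(q) for _ in range(k - 1)]
    return [sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q
            for i in range(1, l + 1)]


def share_vector(v1, k, l, q=Q, rng=random):
    """Share every coordinate of v_1; returns l share vectors, one per ring member."""
    per_coord = [share_coordinate(va, k, l, q, rng) for va in v1]
    return [[per_coord[a][i] for a in range(len(v1))] for i in range(l)]


def lagrange_at_zero(points, q=Q):
    """Recover p(0) from k points (x_i, y_i) by Lagrange interpolation over Z_q."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def reconstruct_vector(shares, members, q=Q):
    """Rebuild v_1 coordinate by coordinate from the shares of the given
    ring members (1-based indices); exactly k members are expected."""
    m = len(shares[0])
    return [lagrange_at_zero([(i, shares[i - 1][a]) for i in members], q)
            for a in range(m)]


def fuzzy_verify(shares, v1_expected, k, matching_members, q=Q):
    """Verifier's threshold step: ID' agrees with the signer's ID only in the
    coordinates `matching_members`, so only those shares are usable.  Accept if
    some k-subset of them reconstructs v_1 = H_3(mu, PK); in the worst case this
    tries C(l, k) subsets, the cost noted in the paper's conclusion."""
    for subset in combinations(sorted(matching_members), k):
        if reconstruct_vector(shares, subset, q) == list(v1_expected):
            return True
    return False


if __name__ == "__main__":
    rng = random.Random(2024)          # fixed seed so the demo is reproducible
    v1 = [3, 1000, 4242]               # constructed stand-in for H_3(mu, PK), m = 3
    k, l = 3, 5                        # tolerance k and ring size l, with k <= l - 1
    shares = share_vector(v1, k, l, rng=rng)
    print("k of l coordinates match  :", fuzzy_verify(shares, v1, k, {1, 3, 5}))
    print("k-1 of l coordinates match:", fuzzy_verify(shares, v1, k, {1, 3}))
```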

LFIBRS-Parameters.
The security parameter of the FIBRS scheme is $n$, and the other parameters are set as follows: (1) Since TrapGen$(q, n, m)$ is called, $m = 2n \log q$ is set by Lemma 1.

LFIBRS-Correctness.
The correctness analysis is briefly described as follows: (1) According to Theorem 1 and Lemma 6, the signing algorithm outputs $z_j$ with overwhelming probability. (2) According to Lemma 4, when the real identity passes the verification in step 1 of the verification process, the next step can be continued. (3) The following formula holds: $\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}} e_i$.

Security Analysis
Next, we will prove that the above LFIBRS scheme satisfies anonymity and unforgeability as required.
Therefore, the proposed LFIBRS scheme is computationally anonymous under the random oracle model.

Proof.
The adversary $\mathcal{A}$ is a probabilistic polynomial-time Turing machine which is allowed to make queries to the following oracles.
Setup: $\mathcal{C}$ performs the following operations to generate the public parameters PP and all user identities $U_N$ and sends them to $\mathcal{A}$.
Query: the adversary $\mathcal{A}$ can send the following queries to $\mathcal{C}$, and $\mathcal{C}$ returns the query results to $\mathcal{A}$. Without loss of generality, $\mathcal{A}$ does not repeat a query. $\mathcal{C}$ performs the following operations:
Hash query:
(1) $\mathcal{A}$ submits a user $\mathrm{ID}^{\langle i \rangle} = (\mathrm{ID}^{\langle i \rangle}_1, \mathrm{ID}^{\langle i \rangle}_2, \ldots, \mathrm{ID}^{\langle i \rangle}_l)$ to $\mathcal{C}$, and for $j \in [l]$, $\mathcal{C}$ selects $H_1(\mathrm{ID}^{\langle i \rangle}_j) \in \mathbb{Z}_q^{n \times n}$ and returns it to $\mathcal{A}$.
(2) $\mathcal{A}$ submits the user $\mathrm{ID}^{\langle i \rangle}$ to $\mathcal{C}$, and $\mathcal{C}$ selects $H_2(\mathrm{ID}^{\langle i \rangle}) \in \mathbb{Z}_q^{n \times m}$ and returns it to $\mathcal{A}$.
(3) $\mathcal{A}$ submits a message $\mu$ and the public keys $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}}\}_{i \in [l]}$ corresponding to the identities of the $l$ ring members (where $\mathrm{ID}^{\langle \pi \rangle}$, $\pi \in [l]$, is the signer identity) to $\mathcal{C}$, and $\mathcal{C}$ selects $v_1 \in \mathbb{Z}_q^n$ and returns it to $\mathcal{A}$.
(4) $\mathcal{A}$ submits a message $\mu$ and the public keys $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i \rangle}}\}_{i \in [l]}$ corresponding to the identities of the $l$ ring members, and $\mathcal{C}$ selects $v \in \{v \in \mathbb{Z}_q^m : \|v\| \le t\}$ and returns it to $\mathcal{A}$.
Extract query: $\mathcal{A}$ adaptively selects a user $\mathrm{ID}^{\langle i \rangle}$ ($i \in [N]$) and submits it to $\mathcal{C}$. $\mathcal{C}$ returns the secret key $\mathrm{SK}_{\mathrm{ID}^{\langle i \rangle}}$ of the corresponding user $\mathrm{ID}^{\langle i \rangle}$.
Sign query: $\mathcal{A}$ submits a message $\mu$, the identity subset $U = \{\mathrm{ID}^{\langle i_1 \rangle}, \mathrm{ID}^{\langle i_2 \rangle}, \ldots, \mathrm{ID}^{\langle i_l \rangle}\} \subseteq U_N$, and the user $\mathrm{ID}^{\langle i_t \rangle} \in U$ to $\mathcal{C}$. $\mathcal{C}$ operates as follows:
(1) $\mathcal{C}$ runs the algorithm LFIBRS-KeyExt to get the corresponding public-key subring $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i_t \rangle}}\}_{t \in [l]}$ corresponding to the identities of the $l$ ring members, where the identity $\mathrm{ID}^{\langle i_t \rangle}$ ($\pi \in [l]$)
(2) On input the message $\mu$, the public-key subring $\mathrm{PK} = \{\mathrm{PK}_{\mathrm{ID}^{\langle i_t \rangle}}\}_{t \in [l]}$, and the secret key $\mathrm{SK}_{\mathrm{ID}^{\langle i_t \rangle}}$, $\mathcal{C}$ runs the algorithm LFIBRS-Sign and returns the signature $(z_1, z_2, \ldots, z_l, v)$ of the user $\mathrm{ID}^{\langle i_t \rangle}$.
Challenge: $\mathcal{C}$ selects $\mu^*$ and the identity subset $U^* = \{\mathrm{ID}^{\langle i_1^* \rangle}, \mathrm{ID}^{\langle i_2^* \rangle}, \ldots, \mathrm{ID}^{\langle i_l^* \rangle}\} \subseteq U_N$ and uses the master key MK to generate the secret keys $\mathrm{SK}_{i_0}$ and $\mathrm{SK}_{i_1}$ corresponding to $\mathrm{ID}_{i_0}$ and $\mathrm{ID}_{i_1}$, where $\mathrm{ID}_{i_1}, \mathrm{ID}_{i_0} \in U^*$. $\mathcal{C}$ randomly selects $b \in \{0, 1\}$ and then calls the signature algorithm to generate the signature $\sigma_{i_b}$.
Guess: $\mathcal{A}$ outputs a bit $b'$.
Suppose that there is a polynomial-time adversary $\mathcal{A}$ that forges a signature of the LFIBRS scheme with probability $\epsilon$. Next, a polynomial-time algorithm $\mathcal{B}$ is constructed that solves the $\mathrm{SIS}_{q,n,m,\beta}$ problem by using the ability of the adversary $\mathcal{A}$ to forge signatures.
$\mathcal{B}$ is given an instance of the $\mathrm{SIS}_{q,n,m,\beta}$ problem and uses the ability of $\mathcal{A}$ to produce a solution:
(1) $\mathcal{B}$ randomly selects a matrix $B \in \mathbb{Z}_q^{n \times m}$.
(2) $\mathcal{B}$ must find a nonzero vector $e \in \mathbb{Z}_q^m$ such that $Be = 0 \bmod q$ and $\|e\| \le \beta$.
First of all, $\mathcal{B}$ creates three empty lists $L_1, L_2, L_3$ to store the queries of the adversary $\mathcal{A}$ (to $H_2$ and $H_4$) and the secret keys. The interaction between $\mathcal{B}$ and $\mathcal{A}$ is as follows:
Setup: $\mathcal{B}$ performs the following operations to generate the public parameters PP and all user identities $U_N$ and sends them to $\mathcal{A}$.
(1) Determine the maximum possible user set $U_N = \{\mathrm{ID}^{\langle 1 \rangle}, \mathrm{ID}^{\langle 2 \rangle}, \ldots, \mathrm{ID}^{\langle N \rangle}\}$ and a challenge user
(1) $\mathcal{A}$ submits a message $\mu$ to $\mathcal{B}$. For $i \in [l]$, $\mathcal{B}$ randomly selects $y_i \in D^{2m}_{s_1}$. $\mathcal{B}$ queries the list $L_2$ and returns the same result if this query has already been answered.
(2) Otherwise, $\mathcal{B}$ randomly selects $v \in \{v \in \mathbb{Z}_q^m : \|v\| \le t\}$, sends $v$ to $\mathcal{A}$, and adds $(\mu, U, (y_1, y_2, \ldots, y_l), v)$ to the list $L_2$.
Extract query: $\mathcal{A}$ adaptively selects a user $\mathrm{ID}^{\langle i \rangle}$ ($i \in [N]$) and submits it to $\mathcal{B}$. $\mathcal{B}$ checks the list $L_1$ to find $(\mathrm{ID}^{\langle i \rangle}, \mathrm{PK}_i, T_{B_i})$ and then uses $(\mathrm{ID}^{\langle i \rangle}, \mathrm{PK}_i,$
. $\mathcal{B}$ adds $(\mathrm{ID}^{\langle i \rangle}, S_i)$ to the list $L_3$.
Sign query: $\mathcal{A}$ submits a message $\mu$, the identity subset $U = \{\mathrm{ID}^{\langle i_1 \rangle}, \mathrm{ID}^{\langle i_2 \rangle}, \ldots, \mathrm{ID}^{\langle i_l \rangle}\} \subseteq U_N$, and the user $\mathrm{ID}^{\langle i_t \rangle} \in U$ to $\mathcal{B}$. $\mathcal{B}$ operates as follows:
(1) $\mathcal{B}$ checks the list $L_2$. If $(\mu, U, (y_1, y_2, \ldots, y_l), v)$ was not recorded, go to hash query 2 and record $(\mu, U, (y_1, y_2, \ldots, y_l), v)$ in the list $L_2$.
(2) $\mathcal{B}$ checks the list $L_3$. If $(\mathrm{ID}^{\langle i \rangle}, S_i)$ was not recorded, go to the extract query and record $(\mathrm{ID}^{\langle i \rangle}, S_i)$ in the list $L_3$.
(3) $\mathcal{B}$ checks the lists $L_2$ and $L_3$ and looks up the corresponding record $(\mu, U, (y_1, y_2, \ldots, y_l), v)$ in $L_2$ and the record $(\mathrm{ID}^{\langle i \rangle}, S_i)$ in $L_3$.
(4) Let $z_j = y_j$ for $j \ne t$ and $z_j = S_i v + y_j$ for $j = t$; $\mathcal{B}$ returns the signature $(z_1, z_2, \ldots, z_l, v)$ of the user $\mathrm{ID}^{\langle i_t \rangle}$.
Forgery: $\mathcal{A}$ submits a message $\mu^*$, the identity subset $U^* = \{\mathrm{ID}^{\langle i_1^* \rangle}, \mathrm{ID}^{\langle i_2^* \rangle}, \ldots, \mathrm{ID}^{\langle i_l^* \rangle}\} \subseteq U_N$, and a forged signature $(z_1^*, z_2^*, \ldots, z_l^*, v^*)$ by the user $\mathrm{ID}^{\langle i_t^* \rangle} \in U^*$ to $\mathcal{B}$, meeting the following conditions: (1) $\mathcal{A}$ has not asked for the private key of the user $\mathrm{ID}^{\langle i_t^* \rangle}$; (2) $\mathcal{A}$ did not ask for a signature on $(U^*, \mu^*)$.
The signature $(z_1^*, z_2^*, \ldots, z_l^*, v^*)$, which is a legal signature of the identity subset $U^*$ on the message $\mu^*$, is used in the following to solve the $\mathrm{SIS}_{q,n,m,\beta}$ problem given at the beginning. $\mathcal{B}$ first queries $L_2$ to find $(\mu^*, U^*, (y_1^*, y_2^*, \ldots, y_l^*), v^*)$. If $(\mu^*, U^*, (y_1^*, y_2^*, \ldots, y_l^*), v^*)$ does not exist, the game is terminated immediately. Otherwise, since $(z_1^*, z_2^*, \ldots, z_l^*, v^*)$ is a legal signature, we obtain
$\mathcal{B}$ extracts the key $S_{i_t^*}$ of $\mathrm{ID}^{\langle i_t^* \rangle}$ from the list $L_3$, and let
It is easy to see that $(z'_1, z'_2, \ldots, z'_l, v^*)$ is also a legal signature, so
From (10) and (11), we obtain
It is easy to check that $e$ is a solution of the $\mathrm{SIS}_{q,n,m,\beta}$ problem put forward at the beginning.
In the following analysis, we bound the probability $\epsilon'$ that $\mathcal{B}$ successfully finds $e$. $\mathcal{B}$ gives up the game in the following three situations, each of which means that the game fails.

Efficiency Analysis
In Table 1, we set the following:
|PP|: public parameters size
|MK|: master key size
|sk|: secret key size
|σ|: signature size
From Table 1, we may conclude that the communication and time cost of our scheme are larger than those of the scheme in [22], and only the size of the private key is smaller than that of [21].

Table 2:
Scheme      Reference [21], work-1   Reference [21], work-2   [22]               This work
Ext-Cost    $lT_1$                   $lT_1$                   $T_3 + T_5 + T_8$  $(l + 1)T_1 + T_7$
Sig-Cost    $nT_2 + lT_4$            $nT_2 + lT_4$            $m(l + 1)T_6$      $mT_1 + lT_3$
Ver-Cost    $k(nT_5 + T_6)$          $k(nT_5 + T_6)$          $(l + 1)T_5$       $(C_l^k + l + 1)T_5$

In Table 2, we set the following:
Ext-Cost: secret key extraction cost
Sig-Cost: signing cost
Ver-Cost: verification cost
$T_1$: the cost of RandBasis(ExtBasis)
$T_2$: the cost of Shamir's secret sharing operation
$T_3$: the cost of SampleMatPre
$T_4$: the cost of SamplePre
$T_5$: the cost of a matrix product
$T_6$: the cost of a scalar multiplication
$T_7$: the cost of BasisDel
$T_8$: the cost of a matrix inversion
From Table 2, we may conclude that our scheme has a higher verification cost than those in [21, 22].

Conclusions
In this paper, we construct a fuzzy identity ring signature scheme based on the SIS problem and prove its unforgeability in the random oracle model. In particular, this scheme requires that the number of ring members equal the number of fuzzy identity coordinates. When the number of components of the identity vector is greater than the number of ring members, a certain number of temporary identities can be added as ring members, so that the number of ring members equals the number of components of the identity vector. When the number of ring members exceeds the number of components of the identity vector, a certain number of vector components are randomly selected from $\mathbb{Z}_q^m$ to expand the identity vector. A signature issued under an identity ID can be verified by any identity ID′ that is "close enough" to the identity ID.
This property allows our signature scheme to be applied to biometric authentication. Compared with existing fuzzy identity signature schemes, our scheme has the anonymity of a ring signature, which a fuzzy identity signature does not have, at the price of a less efficient verification operation. In the third step of the verification process, the worst case requires $C_l^k$ computations, so when $C_l^k$ is too large the verification efficiency of the scheme in this paper will be very low. In future work, we hope to improve the FIBRS algorithm to increase the efficiency of the verification algorithm.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that there are no conflicts of interest.