A Postquantum Linkable Ring Signature Scheme from Coding Theory

. Linkable ring signatures (LRSs) are ring signatures with the extended property that a verifer can detect whether two messages were signed by the same ring member. LRSs play an important role in many application scenarios such as cryptocurrency and confdential transactions. Te frst code-based LRS scheme was put forward in 2018. However, this scheme was pointed out to be insecure. In this paper, we put forward a code-based LRS scheme by constructing a new Stern-like interactive protocol and prove that it meets the security requirements of LRSs. We also give the specifc parameters and the performance on the platform of our scheme.


Introduction
Ring signatures [1], a signifcant cryptographic primitive, enable a group user to sign a message on behalf of the group (called a ring) while protecting their privacy.Anonymity means that a verifer only can verify the correctness of the signature but cannot identify who is the actual signer in the ring.As an efcient privacy protection technology, ring signatures have been widely used in various scenarios such as e-voting [2], e-cash [3], and e-lottery [4,5].However, in many real-world applications, it is signifcant to not only protect the privacy of the signer but also require each signer to sign no more than once.For example, in an e-voting system, each person signs their ballot on behalf of all those eligible to vote, and each person is required to vote only once.
For more application scenarios, Liu et al. came up with the frst linkable ring signature (LRS) scheme in 2004 [6].LRSs are ring signatures with an extended property, where one can publicly verify whether two signatures were produced by the identical signer without knowing the identity of the signer.Compared to a ring signature scheme, an LRS scheme contains a tag generated by an issue and the signing keys of the entire ring user, where an issue can represent a vote or a business event.If a ring member outputs two signatures with an identical tag, two signatures will be linked.In a more restricted version of LRSs, a signer will be linked as soon as he signs twice.We call this kind of LRSs one-time LRSs.Tis property plays an important role in building cryptocurrencies, such as keeping the spender's anonymity and avoiding double-spending attacks [7], since a sum of money can be used only once by a consumer no matter in any deal.
LRSs have been extensively researched based on the number theory problem [6,[8][9][10].A general construction of LRSs was presented by Franklin and Zhang [11].For the sake of linkability, they add a pseudorandom function (PRF) evaluation of the signer's private key to any ring signature scheme and combine it with a zero-knowledge proof of the correct evaluation.In 2019, Wang et al. [12] put forward a general construction of one-time LRSs that adds one-time signatures to any ring signature scheme to achieve linkability.With the arrival of high-performance quantum computers, most classical asymmetric cryptography schemes will be broken since Shor [13] came up with a quantum algorithm to break the discrete logarithm problem and the factoring problem.Terefore, a number of quantum-safe LRS schemes have been put forward in the past few years, such as lattice-based LRS schemes [7,[14][15][16], code-based LRS schemes [17][18][19], and isogeny-based LRS schemes [15].
Code-based cryptography has fourished as one of the important felds of postquantum cryptography in recent years.Te frst signature scheme from coding theory is the Courtois-Finiasz-Sendrier (CFS) scheme [20].After that, codebased signatures make a great development [21][22][23].In 2007, Zheng et al. put forward the frst ring signature scheme from coding theory [24].Later, many other variants related to ring signatures appeared like threshold ring signatures [25,26], traceable ring signatures [27], and group signatures [28][29][30].In 2018, Branco and Mateus put forward the frst code-based LRS scheme [18].However, Feng et al. [31] point out that this scheme is not safe since the Cramer-Damgard-Schoenmakers (CDS) framework [32] was used to build the OR relationship.In 2020, Ren et al. proposed another code-based LRS scheme [19].However, we found that once two signatures are linked, the information of the signer's private key will be leaked since the output contains the information of the private key.
1.1.Our Contributions.For the purpose of not using the CDS framework, we design a new Stern-like interactive zeroknowledge (ZK) protocol, which is inspired by Ezerman et al. [33], as the building block of our LRS scheme.A prover can use this interactive ZK protocol to prove that he holds a small-weight solution to two instances of the syndrome decoding problem, which means the prover is a certifed ring member with a unique label vector.Terefore, we employ the interactive ZK protocol to build our LRS scheme.Ten, we prove that our LRS scheme is not only correct but also achieves the LRS security requirements.Finally, we analyzed the efciency of the scheme and gave the running time on the platform.
It should be pointed out that we do not use the techniques mentioned in the introduction to construct our LRS scheme.Te frst technique [11] needs secure PRFs with a succinct zeroknowledge system.Te syndrome-based PRF [34] is the only proposed one with a zero-knowledge argument system.Nevertheless, such an argument system will lead to a very inefcient construction since given an input of length l, the PRF will implement l times of matrix multiplications.Te second technique, to achieve one-time linkability through a one-time signature scheme, also increases the overhead of a concrete scheme.Our construction follows that of Baum et al. [14].
We assume a ring of size N � 2 l , each member of which is labeled i ∈ 1, . . ., N { }.Let (H, T, s i ) represent the public keys of the user U i and e i represent the secret key with Hamming weight t, where H ∈ F k×n 2 , T ∈ F k×n 2 denote two matrices and denote a matrix of size k × N and x i denote a vector of length N such that the i-th position is 1 and the rest of the positions are 0. Terefore, there is S • x ⊤ i � s ⊤ i and the equation H • e ⊤ i � s ⊤ i can be reformulated as Ten, U i employs the secret key to get a vector Next, we construct a Stern-like ZK scheme where a prover is able to make the verifer believe he holds a pair (e i , x i ) satisfying equations ( 1) and ( 2) with hidden index i.By repeating this protocol a lot of times to make the soundness error negligible and employing the Fiat-Shamir transform [35], we get a transcript v of the NIZK argument.Te fnal form of our proposed LRS is (r, v).Te size of our scheme, including the public key and the signature, is linearly related to N.However, when setting the practical parameters, our scheme achieves better performance than that of the scheme put forward in [36] which is the best performance syndrome-based ring signature scheme with logarithmic signature size, as long as N does not exceed 2 16  [28].
We note that Ren et al. [19] attempt to build another code-based LRS scheme.Unfortunately, there is a lot of weakness in this construction.In detail, they use an insecure signature scheme to build their LRS scheme, which would result in the disclosure of the signer's private key.We make an analysis in Section 6.

Roadmap.
Te remaining articles are structured as follows.In Section 2, we introduce many preliminaries needed in our paper.In Section 3, we frst propose an interactive zero-knowledge protocol and then construct our LRS scheme.We give the security proof and some security parameters for our LRS scheme in Section 4. In Section 5, we present the implementation results of the proposed LRS scheme.In Section 6, we analyze Ren et al.'s scheme.Finally, in Section 7, we draw the conclusion.

Preliminaries
2.1.Notations.Let λ and negl(λ) represent a security parameter and a negligible function in λ, respectively.Te set 1, 2, . . ., z { } is abbreviated as [z].We denote with ⊕ the addition modulo 2. If not specifed explicitly, the bold lowercase and uppercase letters represent row vectors and matrices, respectively.Te Hamming metric of a vector y is represented by w(y).Te transpose of x is represented by x ⊤ .Let B(N, t) be the set of vectors v ∈ F N 2 such that w(v) � t.Defne a function I2B from a positive integer to its binary representation, so the inverse of I2B is written as B2I.For a distribution F, the notation b ← F means that b is sampled from the distribution F. If X is a set, then x ← $ X denotes that x is randomly picked from X. Pr

Linkable Ring
where We employ the security model of [6,14], which contains the following four aspects: existential unforgeability, anonymity, nonframeability, and linkability.In order to build the games used in these security models, we defne the following two oracles: Defnition 2 (existential unforgeability).An LRS scheme LRS � (KeyGen, Sign, Ver, Link) is existential unforgeable, if the advantage of A is negligible in the following game: Here, A cannot use M to query the Sign(•).Te advantage of breaking existential unforgeability is denoted by the following equation: Defnition 3 (anonymity).An LRS scheme LRS � (KeyGen, Sign, Ver, Link) is anonymous, if the advantage of A is negligible in the following game: (1) Here, A cannot query the Sign(•, sk 1 ) and the Sign(•, sk 2 ).Te advantage of breaking anonymity is denoted by the following equation: Defnition 4 (nonframeability).An LRS scheme LRS � (KeyGen, Sign, Ver, Link) is nonframeable, if the advantage of A is negligible in the following game: (1) Here, A cannot use the M 2 to query the Sign(•, sk 1 ).
Te advantage of breaking nonframeability is denoted by the following equation: Defnition 5 (linkability).An LRS scheme LRS � (KeyGen, Sign, Ver, Link) is linkable, if the advantage of A is negligible in the following game: (1) Te advantage of breaking linkability is denoted by the following equation: Security and Communication Networks Remark 6.In this work, the proof of existential unforgeability is not given.As shown in [37], it is easy to get existential unforgeability from linkability and nonframeability.

Cryptography in Coding Teory
. We now introduce a few hard problems needed in our paper.
Problem 7 (syndrome decoding (SD) problem).Given a parity-check matrix H ∈ F k×n 2 , a syndrome s ∈ F k 2 , and a positive integer w, the SD (n, k, w) problem is to search for a solution e satisfying H • e ⊤ � s ⊤ and w(e) ≤ w.

Problem 8 (general syndrome decoding (GSD) problem). Given two parity-check matrices H, G ∈ F k×n
2 , two syndromes s, r ∈ F k 2 , and a positive integer w, the GSD (n, k, w) problem is to search for a solution e satisfying H • e ⊤ � s ⊤ , G • e ⊤ � r ⊤ , and w(e) ≤ w.
Considering the matrix E ⊤ � [H ⊤ ‖G ⊤ ] and the vector p � [s‖r], we have E • e ⊤ � p ⊤ .Terefore, the GSD (n, k, w) problem is equivalent to the SD (n, 2k, w) problem.Remark 10 (see [21]).For a binary [n, k] linear code, the easy range for the weight w of the SD problem and CF problem is

Problem 9 (codeword fnding (CF) problem). Given a parity-check matrix H ∈ F k×n
Defnition 11 (Gilbert-Varshamov (GV) bound).For a binary [n, k] linear code, the GV bound d GV is denoted by the following equation: Remark 12. Te SD problem has a unique solution with overwhelming probability if w is less than d GV .
Problem 13 (decisional syndrome decoding (DSD) problem [38]).Given a parity-check matrix H ∈ F k×n 2 and a syndrome s � H • e ⊤ , where the weight of the vector e is at most w, the DSD (n, k, w) problem is to distinguish between a random vector r and the syndrome s.Lemma 14 (leftover hash lemma [39]).Given a distribution F over F n 2 with min-entropy s, a matrix G ← $ F k×n 2 , and a vector r ← F, the statistical distance between the distribution of (G, G • r ⊤ ) and the corresponding uniform distribution is less than μ, where μ > 0 and k ≤ s − 2 log(1/μ) − O(1).

Zero-Knowledge Proof and Stern
Protocol.We will introduce the defnition of the zero-knowledge argument systems in this section.We use the set of statementswitnesses to denote an NP-relation.We frst introduce the defnition of an interactive zeroknowledge argument system as follows.
Defnition 15 (zero-knowledge argument systems [40]).Let (P, V) represent an interactive algorithm between a prover and a verifer, and C denote an NP-relation.We say the (P, V) is a ZK argument for a relation C, if the following three conditions hold: (ii) ϵ-Soundness: if (a, b) ∉ C, then for any PPT  P, where η is negligible.(iii) Statistical zero-knowledge: if there exists a PPT simulator S(a) which can interact with any V(a) and produce a simulated transcript I sim , we have the following equation: where I real denotes the transcript of a real interaction's transcript.
Let Setup(λ) Π be a setup algorithm about the protocol Π with an input λ, then return the parameters pp.Te zeroknowledge property and simulation-extractability of noninteractive protocol are presented as follows.
Defnition 16 (noninteractive zero-knowledge).Let Π � (Setup Π , P, V) denote a noninteractive protocol.Te protocol Π � (Setup Π , P, V) is zero-knowledge for a relation C, if a pair of PPT simulators (S 1 , S 2 ) are presented such that for any A, there is where where C(a, b) ≠ 1, V represents all proofs produced by S 2 , ϑ * is not contained in V, and O(pp, τ, •) takes the input a and outputs S 2 (pp, τ, a).

Stern Protocol.
In 1996, Stern introduced a threeround zero-knowledge argument of knowledge (ZKAoK) for the SD problem in coding theory [41].Te system parameters are a public matrix H ∈ F k×n 2 , a syndrome s ∈ F k 2 , and a weight w.According to the Stern protocol, anyone can verify whether the prover holds a solution e ∈ F n 2 with Hamming metric w such that H • e ⊤ � s ⊤ .If we embed the statistically hiding commitment scheme into it, then we can get a soundness error of 2/3.We describe the Stern protocol in Algorithm 1.

Our Code-Based Linkable Ring Signature
We frst put forward an interactive zero-knowledge protocol, in which a prover can prove that he is a ring member with a label vector r that is generated by his own private key.Based on this interactive zero-knowledge protocol, we construct our LRS scheme by Fiat-Shamir transform.

Te Underlying Zero-Knowledge Protocol.
In this section, our main result is to show a zero-knowledge argument system as the underlying protocol of our LRS scheme.First, we need to introduce a set of vectors and an important permutation, which are introduced in [28].Let l denote an integer and N � 2 l .Ten, there are the following: (1) For y � (y 1 , . . ., y N ) ∈ F N 2 and k ∈ [N], let δ N k denote a vector of length N such that the k-th position is 1 and the rest of the positions are 0 (2) Given a vector a � (a 1 , . . ., a l ) ∈ F l 2 , we introduce the permutation ϕ a : For any j ∈ [N] and any a ∈ F l 2 , there is (3) For any vector x, y ∈ F N 2 and a ∈ F l 2 , we have ϕ a (x + y) � ϕ a (x) + ϕ a (y) We build our interactive ZKAoK following the Stern framework and make a summarization as follows: (i) Te public keys include two matrices H and T and N syndromes s 1 , . . ., s N   (ii) Te secret is a vector e j ∈ B(n, t) satisfying H • e ⊤ j � s ⊤ j where the s j ∈ s 1 , . . ., s N   with hidden index j (iii) It is the prover's target to make others convince of the following relations: , where x denotes δ N j .Ten, the relation can be rewritten as follows: We use COM to denote a collision-resistant hash function.Next, we showed the details of the underlying interactive protocol in Algorithm 2.
Lemmas 14 and 18 point out that Algorithm 2 has the statistically zero-knowledge property and the special soundness property.

Lemma 18. Te interactive protocol shown in Algorithm 2 is an argument with the statistical zero-knowledge property if
the COM is a statistically hiding string commitment scheme.
Proof.We employ a simulator S which can interact with the verifer  V after giving the public input (H, S, T, r).First, the simulator S picks a  Ch ∈ 0, 1, 2 { }, and then depending on the value ch chosen by  V,S proceeds as follows.
When ch is received, S performs as follows: Ten, S sets the CMT as the same as equation (18).When the challenge ch is received, S performs as follows: (i) If ch � 0, terminates the process and outputs ⊥ (ii) If ch � 1, lets resp � (r 1 ⊕ e ′ , r 2 ⊕ x ′ , δ, a, ϵ 1 , ϵ 3 ) and sends it to  V (iii) If ch � 2, lets resp � (δ(r 1 ), δ(e ′ ), ϕ a (r 2 ), ϕ a (x ′ ), ϵ 2 , ϵ 3 ) and sends it to  V Because ch is sampled from 0, 1, 2 { }, the probability of S terminating is 1/3.As the simulator S outputs a successful transcript, the distribution of its outputs is indistinguishable from the real interaction.Lemma 22. On the input of (H, S, T, r), there is an extractor E that can obtain a pair (e, x) from a CMT � (c 1 , c 2 , c 3 ) and 3 valid (resp 1 , resp 2 , resp 3 ) to all 3 possible pairs (ch 1 , ch 2 , ch 3 ).Te witness (e, x) satisfes the following equations: Proof.We can construct an efcient knowledge extractor E. Suppose that we have three valid transcripts (CMT, ch 1 , resp 1 ),(CMT, ch 2 , resp 2 ), and (CMT, ch 3 , resp 3 ) of the proposed protocol, where ch 1 ≠ ch 2 ≠ ch 3 , where Because of the collision-resistance property of COM, we have Terefore, the knowledge extractor E can extract the witness (e, x) from e � r 1 ⊕ e ⊕ r 1 �, x � r 2 ⊕ x ⊕ r 2 .□ 3.2.Our Code-Based Linkable Ring Signature Protocol.Our LRS scheme is put forward in Algorithm 3. Roughly speaking, we construct an LRS by repeating the underlying ZKAoK protocol enough times so that the soundness error is negligible and applying the Fiat-Shamir transform.
Given two positive integers N and l such that N � 2 l , we choose a random matrix H and two collision-resistant hash functions as follows: Here, p stands for the repetition number of the underlying ZK protocol.
Te function h 1 is used to generate the Fiat-Shamir transform, and h 2 is the one used in the underlying ZKAoK protocol.
During the key generation algorithm, the user U i randomly chooses a vector e i from the set B(n, t) and sets In the signing algorithm, the user U i gets the underlying protocol with (H, S, T, r) in which S � [s ⊤ 1 , . . ., s ⊤ N ] and r ⊤ � T • e ⊤ i .By repeating the protocol many times and the Fiat-Shamir transform, he gets a NIZKAoK Π. Te form of the proposed signature is (r, v), where v ← P(pp, pk, sk).
Due to the validity of the NIZKAoK, the algorithm Ver always outputs 1.If two signatures (r, v, M) and (r ′ , v ′ , M ′ ) were generated by the same user U i , then by r ⊤ � T • e ⊤ i � r ′ ⊤ , the algorithm Link always outputs 1.

Analysis of the Proposed Protocol
We analyze the proposed LRS scheme from the aspects of correctness and security.

Theorem 23. Our LRS scheme achieves correctness with an overwhelming probability.
Proof.To explain that the given LRS scheme is correct, we frst prove that the algorithm Ver (pk, M, σ) always returns We observe that the algorithm Sign is equivalent to the signer repeating the underlying protocol enough times and employing the Fiat-Shamir heuristic to it.Because of the perfect completeness and validness of the underlying protocol, we have Ver (pk, M, σ) � 1 for any pair of (M, σ) generated by an honest signer.
As for the validity of the algorithm Link, it is straightforward to observe that if σ and σ ′ were generated by the identical user U i , for any i ∈ [N], where σ � (r, v) and σ ′ � (r ′ , v ′ ), then by r ⊤ � T • e ⊤ i and r ′ ⊤ � T • e ⊤ i , the algorithm Link (pk, M, M ′ , σ, σ ′ ) always outputs 1.

□ Theorem 24. Our LRS scheme satisfes anonymity in the random oracle model because of the ZK property of Algorithm 2 and the intractability of the DSD problem.
Proof.We set the fve hybrid games G 0 , G 1 , G 2 , G 3 , and G 4 so as to explain that the proposed scheme satisfes anonymity.G 0 and G 4 represent the real anonymous game, in which p � 0 and p � 1, respectively.We will prove that the sequence of games is indistinguishable from any adversary A. Te advantage of A in G i is represented by Adv anon A,G i (λ).G 0 : Tis is a real anonymous game where p � 0. In this game, the challenger C performs KeyGen to generate pk � (H, T, s 1 , . . ., s N ) and sk � (e 1 , . . ., e N ).Te adversary A can ask queries to three oracles, which are Sign(•, sk 0 ), Sign(•, sk 1 ), and Sign(•, sk p ). C honestly responds to the inquiries from the above three oracles by employing the private key to execute the Sign algorithm.
G 1 : Compared with the previous game, we set the following changes: C runs the simulator (S 1 , S 2 ) instead of faithfully executing the underlying protocol and does the following steps: (1) Outputs the parameters by running S 1 instead of executing the setup algorithm of the NIZKAoK (2) Uses the simulation proof to reply to the queries of A by running S 2 , when the adversary A accesses Sign sk p Since the underlying protocol is zero-knowledge, there is Ten, C records the tuple (M i , r i p ) in the table and produces the signature with r i p by running the simulator S 2 .In G 2 , the vector r i p is randomly sampled from F k 2 instead of being evaluated by T • e ⊤ p .Due to the intractability of the DSD problem, we have Terefore, there is (1) Public parameters: n, k, w ∈ N, N(log N � l).
G 3 : Te modifcation between G 3 and G 2 is that the r i p is evaluated by sk 1 instead of being randomly sampled in G 2 .In addition to the above modifcation, the other steps of G 3 are the same as those of G 2 G 4 : Tis is a real anonymity game where p � 1.
Te above proof shows that A cannot distinguish G 0 from G 4 with nonnegligible probability.Terefore, it is impossible for A to distinguish whether p is 1 or 0. Proof.Let A denote an adversary who breaks the linkability of the Algorithm 3. It implies that A is able to output N + 1 pairs of tuples (M i , σ i ) satisfying the following: (1) Ver(pk, M i , We use I real to denote the real interface, in which all the parameters are honestly produced, and I simo to denote the simulator's interface, in which all parameters are produced by the simulator S 1 .Because the underlying protocol is zeroknowledge (Lemma 18), A cannot tell the diference between the two interfaces.For I simo , there is an extractor E which can obtain a pair (e i , x i ), where x i � δ N i , for every message-signature pair (M i , σ i ) satisfying the following equation: Since there are only N public keys contained in the ring, there must exist δ N i � δ N k , i ≠ k, so the following hold: where s i stands for the i-th column of S. Since we suppose A breaks the linkability of the scheme, there is  Proof.We set the following two hybrid games to explain that breaking the nonframeability property is as intractable as solving the GSD problem.G 0 : Tis is a real nonframeability game regarding the challenge public key pk π .In this game, C runs KeyGen to get pk � (H, T, s 1 , . . ., s N ) and sk � (e 1 , . . ., e N ).Te adversary A submits queries to the given oracles Sign(•) and Co(•) with the limitation that he cannot query the corruption oracle Co(•) with the public key pk π .G 1 : C employs the simulator of the NIZKAoK to output the parameters and selects Ten, C establishes an empty table.When receiving a query (j, M), C frst checks if a pair (j, M, r j ) exists in the table.If it does, C employs the simulator S 2 to produce the signature with the vector r j .If not, r j is set as r j � r ← $ Z k 2 .C records the pair (j, M, r j ) in the table and produces the signature combining r j by employing the simulator S 2 .Since the underlying protocol has the zero-knowledge property, it is impossible for a PPT adversary to distinguish Game 1 from Game 0 Ten, we show that it is impossible to successfully attack in G 1 .Assume A can forge a pair (M, σ � (r, v)) such that (1) Ver(pk, M, σ) � 1 (2) Link(pk, M, σ, M * , σ * ) � 1, the signature σ * returned by C on a signing query (π, M * ) Since (σ � (r, v), σ ′ � (r * , v * )) can be linked, we have r � r * .Since the underlying noninteractive protocol achieves the simulation-extractability, there is an extractor that puts v as input and returns the witness w � (e, δ N π ) satisfying the following equation: However, since the vector y π is output by the simulator and the vector r * is sampled from Z k 2 in G 1 , it means the adversary A can break the GSD problem.Terefore, this is a contradiction, which means that there is no way of breaking the nonframeability of our LRS scheme.

Parameters and Key Size
We make an analysis of the key and signature size and give the parameters for our scheme under 80-bit security.
(1) Public key size: the public key is composed of (H, T, S) ∈ Z k×n 2 × Z k×n 2 × Z k×N 2 and its size is k(2n + N) bits.
(2) Private key size: the private key e i ∈ Z n 2 is n bit-size.(3) Signature size: the signature σ is composed of a transcript v and a vector r.In detail, the signature size contains the following parts: (i) Te commitment CMT is 6λ bit-size.
(ii) If the challenge ch � 0 and ch � 1, the response resp is n + N + nlogn + l + 2λ bit-size; otherwise, the response resp is 2(n + N) + 2λ bit-size.Tus, the size of response resp is no more than n(log n + 1) + N+ log N + 2λ bit-size.
Security and Communication Networks (iii) Te vector r is k bit-size and the underlying protocol is repeated p times.Terefore, the signature size is no more than by p(n(log n + 1) We use seeds to replace permutations in the underlying protocol to reduce the signature size.
Te parameters should satisfy not only that the SD problem and the GSD problem are hard but also that the distributions of s i are indistinguishable from the uniform distribution, for any i ∈ [N].
According to Lemma 14 and the information set decoding algorithm [42], the parameters (n, k, w) were chosen as (2800, 600, 132) so that the CF problem and the GSD problem are intractable under the 80-bit security, and the statistical distance of the distribution s i between the uniform distribution is 2 − 80 , for any i ∈ [N].Te positive integer w is moderately larger than the GV bound but belongs to the difcult range of the CF problem and the GSD problem.
Remark 27.For the intractability of the GSD problem, k does not exceed n/4.We perform our scheme on an Intel Core i7-8750H CPU@2.20 GHz and 4 GB of memory.For each set of parameters, the performance of our LRS scheme is presented in Table 1.

Analysis of Ren et al.'s Scheme
We frst describe Ren et al.'s scheme [19] in Algorithm 4 and then analyze a serious weakness in their scheme.Let A, B ← F (n−k)×n q be two matrices and H: H(•) ⟶ F q be a hash function.Teir scheme is built as follows.
Te above scheme is not safe because the attacker is able to obtain the private key from a large number of signatures.
Observed that the signature σ � (d 1 , z 1 , . . ., z N , t π ) signed by U π , except z π is generated by the private key e π , other z i are randomly generated during the signing process.So the distribution of z π , determined by e π , is diferent from the other distributions of z i , i � [N], i ≠ π.If an adversary A can obtain multiple signatures that are linked to each other, he can perform statistical analysis on these signatures to obtain the identity of the signer.Terefore, A can obtain  A can compute z π ′ � d −1 π u + e π .And the random vector u ′ � d −1 π u is of low Hamming weight, and hence, the support set of u ′ is small.Terefore, Persichetti [23] points out that a simple statistical analysis will recover the private key e π .Te problem stems from the fact that the small weight vector u that is added to d π e π is not sufcient to cover up the support of the private key.
Our analysis suggests that this scheme not only fails to satisfy anonymity but also leaks the secret of the signer.

Conclusion
In this paper, we put forward a new LRS scheme, which achieves existential unforgeability, anonymity, nonframeability, and linkability since the intractability of the CF problem, the DSD problem, and the GSD problem.Te key point of this work is to construct a Stern-like ZK protocol in which a prover can prove that he is a member of this ring with a certain tag generated by his private key.Te sizes of public keys and signatures of our scheme are linearly related to the size of the ring N. We ran this scheme with diferent numbers of users on a computer and gave the corresponding results.Finally, we point out that Ren et al.'s scheme is insecure because an adversary can get the private key of the signer by doing a simple statistical analysis.
(i) Sign(•): taking a query of the form (M, i) as input, it generates a signature σ ← Sign(M, sk i ) (ii) Co(•): taking a pk i , i ∈ [N] as input, it outputs the corresponding sk i Let A stand for a probabilistic polynomial-time (PPT) adversary and A O represent that A queries the random oracle O.

2 and a positive
integer w, the CF (n, k, w) problem is to search for a solution e satisfying H • e ⊤ � 0 ⊤ and w(e) ≤ w.

Security and Communication Networks 1 ,
if the signature σ was generated by a ring user U i honestly running algorithm Sign(M, sk i ), for any i ∈ [N].

□ Theorem 25 .
Our LRS scheme satisfes linkability in the random oracle model based on the CF problem and the simulation-extractability of the underlying interactive protocol.

□ Theorem 26 .
Our LRS scheme satisfes nonframeability in the random oracle model based on the GSD problem and the simulation extractability of Algorithm 2.
O 1 and O 2 frst check that if the input (a, b) is contained in C, if so, O 1 outputs π ← P(pp, a, b), and O 2 outputs π ← S 2 (pp, a, τ); otherwise, return ⊥.Defnition 17 (simulation-extractability).We say that Π � (Setup Π , P, V) achieves simulation-extractable with regard to a pair of PPT simulators (S 1 , S 2 ), if there exists a PPT extractor E such that for A, there is terminates the process and outputs ⊥
Tus, we have e i ≠ e k .Otherwise, it contradicts the previous assumption.Terefore, by equation (30), we have H • (e ⊤ i ⊕ e ⊤ k ) � 0 ⊤ .It implies that a PPT A is able to break the CF problem which contradicts the intractability of the CF problem.