Lattice-Based Logarithmic-Size Non-Interactive Deniable Ring Signatures

Abstract

Deniable ring signature can be regarded as group signature without group manager, in which a singer is capable of singing a message anonymously, but, if necessary, each ring member is allowed to confirm or disavowal its involvement in the signature via an interactive mechanism between the ring member and the verifier. This attractive feature makes the deniable ring signature find many applications in the real world. In this work, we propose an efficient scheme with signature size logarithmic to the cardinality of the ring. From a high level, we adapt Libert et al.’s zero-knowledge argument system (Eurocrypt 2016) to allow the prover to convince the verifier that its witness satisfies an additional condition. Then, using the Fait-Shamir transformation, we get a non-interactive deniable ring signature scheme that satisfies the anonymity, traceability, and non-frameability under the small integer solution assumption in the random oracle model.

1. Introduction

Ring signature was first formalized by Rivest et al. [1] to deal with situations, such as leaking secrets anonymously. Specifically, a signer first picks up several public keys to form a ring; then, it generates a signature anonymously on behalf of the ring using its secret key. Any verifier is unable to get any information about the real signer, except that the message is signed by one of the ring member. This appealing feature has made the ring signature find various applications in cryptography [1,2,3]. In some situations, however, the anonymity feature is not always desirable, as it allows a user who signs a false message to shift the blame to other ring members.

It is well-known that group signature [4,5,6,7,8,9] can prevent its members from abusing anonymity, in which users are able to sign messages anonymously, but, when a dispute occurs, the group manager possessing a group master secret key is capable of revoking the anonymity of misbehaving signers. However, group signature cannot handle the leaking secrets scenario, as the the manager is always able to trace the real signer who leaks a piece of invaluable information. Besides, group signature has much higher costs on managing a dynamic group. Finally, the members are anxious that their anonymity will be or has been violated by the manager without notification.

In 2006, Komano et al. [10] formalized the notion of Deniable Ring Signature (DRS), which is as flexible as the ring signature and allows the members to confirm whether they are the real signer or not. Specifically, by using an interactive mechanism between the ring member and the verifier, it enables the real signer to confirm its signed action and allows other ring members to deny their involvement. In short, DRS can be regarded as a ‘lightweight’ group signature, i.e., group signature without the manager. For the security requirements, the DRS should satisfy:

• Anonymity: Any adversary should not get any information from the signature, unless the ring members are required to confirm or disavow their involvement in the signature.
• Traceability: Any adversary should not generate a valid ring signature such that no member will be detected as the real signer via the confirmation/disavowal protocol. In other words, the real singer cannot deny its signature.
• Non-frameability: Any adversary should not produce a valid ring signature such that a ring member, whose secret key is unknown to the adversary, will be detected as the real signer via the confirmation/disavowal protocol. In other words, any adversary cannot frame an honest member.

In their pioneering work, Komano et al. [10] also presented a concrete scheme under the Decisional Diffie–Hellman (DDH) assumption. However, this assumption does not hold in the quantum world [11].

1.1. Contributions and Technical Overview

In this work, we propose an efficient lattice-based Non-interactive Deniable Ring Signature (NDRS) scheme. The notion NDRS, first formalized in Reference [12], means that the confirmation or disavowal of a signature is achieved in a non-interactive manner, instead of the interactive mechanism between the ring member and the verifier. In terms of effiency, our construction is efficient in the sense that the signature size is only logarithmic to the cardinality of the ring. In the aspect of security, our construction satisfies the anonymity, traceability, and non-frameability under the Small Integer Solution (SIS) assumption in the random oracle model.

From a high level, our scheme is a natural extension of the ring signature scheme in Reference [8] to the NDRS setting. In more detail, we adapt their argument system for a tree-based accumulator [8] to allow the prover to convince the verifier that the prover knows a witness which not only accumulates to the root of a Merkle tree but also satisfies some additional conditions. Specifically, compared with the ring signature scheme in Reference [8], we add one more additional condition, an non-interactive identification scheme used by the ring members to prove their identity. Combining zero-knowledge argument systems for two or more NP relations is a general strategy widely used in previous works, such as group signatures [8,9], policy-based signatures [13], compact e-cash [14], etc.

The starting point of our construction is the Zero Knowledge Argument of Knowledge ($\mathsf{ZKAoK}$) for the Merkle tree-based accumulator [8]. Specifically, the underlying hash function is defined by $h_{\mathbf{A}}\left(\mathbf{x}\right)=\mathsf{bin}(\mathbf{A}·\mathbf{x}modq)\in {\{0,1\}}^{m/2}$, where the uniformly random matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ serves as the common reference string, $\mathbf{x}\in {\{0,1\}}^m$ is the input vector, and $\mathsf{bin}(·)$ denotes the coordinate-wise binary decomposition of its input. Then, by using the framework of Stern’s protocol [15], Libert et al. [8] can prove knowledge of hash chain in a zero-knowledge fashion. Besides, through the Fait-Shamir transformation, they also build ring signature with logarithmic size in the number of ring. Note that their ring signature enjoys complete anonymity. To achieve our goal that each ring member is able to generate a piece of evidence demonstrating whether it is the real signer or not, we need another matrix $\mathbf{B}\in {\mathbb{Z}}_q^{n\times m}$ which acts as the public key of an identification scheme. In more detail, to sign a message M, a signer possessing his secret $\mathbf{x}$ generates a zero-knowledge argument system to show that:

Fact 1

$\mathbf{d}=h_{\mathbf{A}}\left(\mathbf{x}\right)$.

Fact 2

$\mathbf{d}$ is properly accumulated into the root of the Merkle tree.

Fact 3

$\mathbf{B}·\mathbf{x}=\mathbf{b}modq$.

We first use the procedure in Reference [8] as a sub-protocol to prove Fact 1 and Fact 2 in zero knowledge. The key point in our construction is to prove the secret in Fact 1 simultaneously satisfies Fact 3. To this end, we employ again the framework of Stern’s protocol [15] as a sub-protocol, such that it is compatible with the proof in Reference [8]. The details are presented in Section 3.

Then, we apply the Fait-Shamir transformation to our interactive protocol and obtain a signature scheme in the random oracle by repeating it $\kappa =\omega (logn)$ times to make the soundness error negligibly small. Generally, the anonymity of our NDRS scheme is based on the zero-knowledge property of the underlying argument system, while the traceability and the non-frameability are built on the fact that the underlying argument system is indeed an argument of knowledge. The description of the construction and its proof are described in Section 4.

1.2. Related Works

In 2006, Komano et al. [10] first introduced the notion of DRS and proposed a concrete DRS construction based on the DDH assumption. Recently, Gao et al. [12] put forward the NDRS notion, which is a direct generalization of DRS to the non-interactive setting. Besides, they proposed a concrete NDRS scheme under lattice assumptions, which is conjectured resistance against quantum computers. Their scheme, however, is shown to be insecure in Reference [16], as the scheme does not meet the ‘Traceability’ and ‘Non-frameability’ security requirements.

1.3. Organizations

We start in Section 2 by providing some background regarding NDRS and useful tools developed in Reference [8]. Then, in Section 3, we present an interactive protocol, which is the key component of our construction. In Section 4, we show the concrete scheme and its efficiency analysis and security proof. Finally, we conclude the paper with the obtained results.

2. Preliminaries

The set of integers $\{1,\dots ,k\}$ is denoted by $\left[k\right]$. If S is a finite set, $x\leftarrow S$ means that x is chosen uniformly at random from S. For $b\in \{0,1\}$, let $\overline{b}=1-b$. ⊕ denotes the bit XOR operation. For any positive integer q, denote by ${\mathbb{Z}}_q$ the quotient ring $\mathbb{Z}/\left(q\mathbb{Z}\right)$. Vectors, denoted by bold lowercase letters, are in column form. Matrices are represented in bold uppercase letters, and the concatenation of two matrices, say $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m_1}$ and $\mathbf{B}\in {\mathbb{Z}}_q^{n\times m_2}$, is denoted by $[\mathbf{A}\mid \mathbf{B}]\in {\mathbb{Z}}_q^{n\times (m_1+m_2)}$. The tensor product is denoted by ⊗. Let ${\mathsf{B}}_{2m}^m$ be the set of all vectors in ${\{0,1\}}^{2m}$ with Hamming weight m, and ${\mathcal{S}}_{2m}$ be the set of all permutations of $2m$ elements. The abbreviation PPT means “probabilistic polynomial time”.

Throughout the paper, we denote by n the security parameter and define: $q=\tilde{O}\left(n\right);k=\lceil logq\rceil ;m=2nk$. Let $\mathbf{G}={\mathbf{I}}_n\otimes {\mathbf{g}}^t\in {\mathbb{Z}}_q^{n\times nk}$, where ${\mathbf{g}}^t$ is the row vector

$${\mathbf{g}}^t=[124\cdots 2^{k-1}]\in {\mathbb{Z}}_q^{1\times k}.$$

Note that, for any $\mathbf{v}\in {\mathbb{Z}}_q^n$, we have $\mathbf{v}=\mathbf{G}·\mathsf{bin}\left(\mathbf{v}\right)$, where $\mathsf{bin}\left(\mathbf{v}\right)\in {\{0,1\}}^{nk}$ denotes the binary representation of $\mathbf{v}$.

2.1. Non-Interactive Deniable Ring Signature (NDRS)

For any positive integer $N\ge 2$, the ring R, formed by N users’ public keys, is denoted by $R=\{p{k}_{i_0},p{k}_{i_1},\dots ,p{k}_{i_{N-1}}\}$. For ease of notation, we simply let $R=\{p{k}_0,p{k}_1,\dots ,p{k}_{N-1}\}$ with ring size N. Now, we recall the definition and security requirements for the NDRS presented in Reference [12].

• $\mathsf{Setup}\left(1^n\right)$: Take as input n and output the system parameter $\mathsf{pp}$.
• $\mathsf{KeyGen}\left(\mathsf{pp}\right)$: Take as input $\mathsf{pp}$ and output a public/secret key pair $(pk,sk)$.
• $\mathsf{Sign}(\mathsf{pp},R,sk,M)$: Take as inputs $\mathsf{pp}$, a set of N public keys $R=\{p{k}_0,p{k}_1,\dots ,p{k}_{N-1}\}$, a secret key $sk$ for which its corresponding $pk\in R$ and a message M to be signed, and output a ring signature $\Sigma$.
• $\mathsf{Verify}(\mathsf{pp},R,M,\Sigma )$: Take as inputs $\mathsf{pp}$, R, M, and $\Sigma$, and output 1 if $\Sigma$ is valid or 0 otherwise.
• $\mathsf{EvidenceGen}(\mathsf{pp},R,s{k}_i,\Sigma )$: Take as inputs $\mathsf{pp}$, R, user i’s secret key $s{k}_i$, M, and $\Sigma$, and output a piece of evidence ${\xi }_i$.
• $\mathsf{EvidenckCheck}(\mathsf{pp},R,i,{\xi }_i,\Sigma )$: Take as inputs $\mathsf{pp}$, R, an identity index i of a user, M and $\Sigma$, and output “confirmation”, “disavowal”, or “reject”.

The correctness requirements for an NDRS scheme are formalized as follows:

• The signature $\Sigma$ generated by the $\mathsf{Sign}$ algorithm is properly accepted by the $\mathsf{Verify}$ algorithm, i.e., $\mathsf{Verify}(\mathsf{pp},R,M,\Sigma )=1$ for any $\mathsf{pp}\leftarrow \mathsf{Setup}\left(1^n\right)$, any $(pk,sk)\leftarrow \mathsf{KeyGen}\left(\mathsf{pp}\right)$, any R such that $pk\in R$ and any $M\in {\{0,1\}}^{*}$.
• The real signer of the signature $\Sigma$ will generate a piece of evidence such that the evidence check algorithm outputs “confirmation”, i.e.,

  $$\mathsf{EvidenckCheck}\left(\mathsf{pp},R,i,\mathsf{EvidenceGen}(\mathsf{pp},R,s{k}_i,\Sigma ),\Sigma \right)=‘‘\mathrm{confirmation}"$$

  for any valid signature $\Sigma$ generated by user i.
• The non-real signer should generate a piece of evidence such that the evidence check algorithm outputs “disavowal”, i.e.,

  $$\mathsf{EvidenceCheck}\left(\mathsf{pp},R,j,\mathsf{EvidenceGen}(\mathsf{pp},R,s{k}_j,\Sigma ),\Sigma \right)=‘‘\mathrm{disavowal}"$$

  for any ring member $j\ne i$.

For the security requirements, we adopt the notions and games in References [10,12]. Suppose each user has a public/private key pair supported by the Public Key Infrastructure (PKI). Let $\mathsf{List}$ be a public key content issued by PKI, and let $\mathsf{MList}$ be a list of malicious signers. Let $\mathsf{GSet}$ be a list of message-signature pairs generated through a challenge oracle query ${\mathsf{Ch}}_b(·)$. An adversary is able to make the following queries.

• $\mathsf{Add}\left(i\right)$: on input i, this oracle generates a key pair ($p{k}_i$, $s{k}_i$) for user i, adds i together with the key pair to $\mathsf{List}$, and returns $p{k}_i$.
• $\mathsf{Reg}(i,p{k}_i)$: on inputs i and $p{k}_i$, this oracle registers a new signer i with the given public key $p{k}_i$ in $\mathsf{List}$ and adds user i to $\mathsf{MList}$.
• $\mathsf{Crpt}\left(i\right)$: on input i, this oracle returns the secret key $s{k}_i$ and adds user i to $\mathsf{MList}$.
• $\mathsf{DRSig}(i_k;M,i_1,\dots ,i_{k-1},i_{k+1},\dots ,i_t)$: on inputs a specified user $i_k$, a message M, and a set of identities, this oracle returns a signature $\Sigma$ associated with the ring formed by the input identities, by using the secret key of user $i_k$.
• ${\mathsf{Ch}}_b(i_0,i_1,M)$: on inputs a pair of identities $(i_0,i_1)$ and M, this oracle returns the signature $\mathsf{Sign}(\mathsf{pp},\{p{k}_{i_0},p{k}_{i_1}\},s{k}_{i_b},M)$ for a challenge bit $b\leftarrow \{0,1\}$, and adds it to $\mathsf{GSet}$. This oracle is only used in the definition of anonymity.
• $\mathsf{EGen}(i,M,\Sigma )$: on inputs $i,M,\Sigma$, this oracle returns a piece of evidence demonstrating whether the entity i is the real signer or not. This oracle will reject the query if the input signature is an output from the challenge oracle in the experiment of anonymity.
• $\mathsf{Hash}(·)$: this oracle outputs a random string with a fixed length for an arbitrary input.

As mentioned before, an (N)DRS scheme should satisfy anonymity, traceability, and non-frameability. Each of these security requirements is formalized by an experiment, as shown in Figure 1.

• Anonymity

For an NDRS scheme, a security parameter n, and a PPT adversary $\mathcal{A}$, the property of anonymity is formalized using the experiment ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-b}\left(n\right)$, as described in Figure 1. The advantage ${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{anon}}\left(n\right)$ is defined as

$${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{anon}}\left(n\right)=|2\mathrm{Pr}[{\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-b}\left(n\right)=b]-1|.$$

An NDRS has anonymity if ${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-b}\left(n\right)$ is negligible for any PPT adversary $\mathcal{A}$ and security parameter n.

• Traceability

The property of traceability is formalized using the experiment ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)$, as shown in Figure 1. The advantage of the adversary is given by:

$${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)=\mathrm{Pr}[{\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)=1].$$

An NDRS is said to hold traceability if ${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)$ is negligible for any PPT adversary $\mathcal{A}$ and security parameter n.

• Non-frameability

The property of non-frameability is formalized using the experiment ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)$, as shown in Figure 1. The advantage of the adversary is defined as:

$${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)=\mathrm{Pr}[{\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)=1].$$

An NDRS is said to hold non-frameability if ${\mathbf{Adv}}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)$ is negligible for any PPT adversary $\mathcal{A}$ and security parameter n.

2.2. Average-Case Lattice Problems

In this subsection, we briefly recall the average-case Small Integer Soulution (SIS) problem (in the infinity norm version) and its hardness guarantees. For more details, see References [17,18,19,20].

Definition 1

(Reference [17]). Given uniformly random matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, the ${\mathsf{SIS}}_{n,m,q,\beta }^{\infty }$ problem asks to find a non-zero vector $\mathbf{x}\in {\mathbb{Z}}^m$ such that $\mathbf{A}·\mathbf{x}=\mathbf{0}modq$ and ${\parallel \mathbf{x}\parallel }_{\infty }\le \beta$.

The hardness of the $\mathsf{SIS}$ problem is guaranteed by a certain lattice problems in the worst case, such as the Shortest Independent Vector Problem (SIVP).

Theorem 1

(References [18,19,20]). If $m,\beta =\mathsf{poly}\left(n\right)$, and $q>\beta ·\tilde{O}\left(\sqrt{n}\right)$, then the ${\mathsf{SIS}}_{n,m,q,\beta }^{\infty }$ problem is at least as hard as the worst-case problem ${\mathsf{SIVP}}_{\gamma }$ for some $\gamma =\beta ·\tilde{O}\left(\sqrt{mn}\right)$. Specifically, for $\beta =1,q=\tilde{O}\left(n\right),m=2n\lceil logq\rceil$, the ${\mathsf{SIS}}_{n,m,q,1}^{\infty }$ problem is at least as hard as ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$.

2.3. Statistical Zero-Knowledge Argument Systems

Let $R:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to \{0,1\}$ be an $\mathsf{NP}$ relation. The interaction $\langle \mathcal{P},\mathcal{V}\rangle$ between a prover $\mathcal{P}$ and a verifier $\mathcal{V}$ is called an interactive argument system for the relation R if the following two conditions hold:

• Completeness

If $R(x,w)=1$, then

$$\mathrm{Pr}[\langle \mathcal{P}(x,w),\mathcal{V}(x)\rangle =1]=1.$$

• Soundness

If $R(x,w)=0$, then, for every PPT ${\mathcal{P}}^{*}$:

$$\mathrm{Pr}[\langle {\mathcal{P}}^{*}(x,w),V\left(x\right)\rangle =1]\le e,$$

where $e\in [0,1]$ is called the soundness error.

In this work, we will employ the Stern-type $\mathsf{ZKAoK}$ [15], which is a $\Sigma$-protocol from a generalized point of view in References [21,22]. Besides, we will utilize the lattice-based string commitment scheme in Reference [23] $\mathsf{COM}:{\{0,1\}}^{*}\times {\{0,1\}}^{m/2}\to {\mathbb{Z}}_q^n$, which is statistically hiding and computationally binding under the assumption that ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$ is hard.

2.4. Lattice-Based Accumulator

We first recall a certain family of collision-resistant hash functions presented in Reference [8].

Definition 2.

The function family $\mathcal{H}:{\{0,1\}}^{nk}\times {\{0,1\}}^{nk}\to {\{0,1\}}^{nk}$ is given by $\mathcal{H}=\{h_{\mathbf{A}}:\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}\}$, where

$$h_{\mathbf{A}}({\mathbf{u}}_0,{\mathbf{u}}_1)=\mathsf{bin}({\mathbf{A}}_0·{\mathbf{u}}_0+{\mathbf{A}}_1·{\mathbf{u}}_{1}modq)\in {\{0,1\}}^{nk}.$$

for any $({\mathbf{u}}_0,{\mathbf{u}}_1)\in {\{0,1\}}^{nk}\times {\{0,1\}}^{nk}$, and $\mathbf{A}=[{\mathbf{A}}_0\mid {\mathbf{A}}_1]$ with ${\mathbf{A}}_0,{\mathbf{A}}_1\in {\mathbb{Z}}_q^{n\times nk}$.

Then, we recall the Merkle tree accumulator with $N=2^l$ leaves based on the hash function family $\mathcal{H}$ above.

• $\mathsf{TSetup}\left(1^n\right)$: On input n, output $\mathsf{pp}=\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$.
• $\mathsf{TAcc}(\mathbf{A},R\})$: Given $R={\{{\mathbf{d}}_j\in {\{0,1\}}^{nk}\}}_{j=0}^{N-1}$, let ${\mathbf{u}}_{j_1,\dots ,j_l}={\mathbf{d}}_j$, where $j_1,\dots ,j_l\in \{0,1\}$ is the l bits of j. Define the tree of depth l for the leaves ${\mathbf{u}}_{0,\dots ,0},\dots ,{\mathbf{u}}_{1,\dots ,1}$ as follows:
  • The nodes ${\mathbf{u}}_{b_1,\dots ,b_i}$ at depth $i\in \left[l\right]$ is given by $h_{\mathbf{A}}({\mathbf{u}}_{b_1,\dots ,b_i,0},{\mathbf{u}}_{b_1,\dots ,b_i,1})$.
  • The root $\mathbf{u}\in {\{0,1\}}^{nk}$ is defined as $h_{\mathbf{A}}({\mathbf{u}}_0,{\mathbf{u}}_1)$.
  Output $\mathbf{u}$ as the accumulator value.
• $\mathsf{TWitness}(\mathbf{A},R,\mathbf{d})$: If $\mathbf{d}\notin R$, output ⊥; otherwise, $\exists j\in [0,N-1]$ such that $\mathbf{d}={\mathbf{d}}_j$. Return the witness w defined by:

  $$w=\left((j_1,\dots ,j_l),({\mathbf{u}}_{j_1,\dots ,j_{l-1},\overline{j_l}},\dots ,{\mathbf{u}}_{j_1,\overline{j_2}},{\mathbf{u}}_{\overline{j_1}})\right)\in {\{0,1\}}^l\times {\left({\{0,1\}}^{nk}\right)}^l,$$

  where ${\mathbf{u}}_{j_1,\dots ,j_{l-1},\overline{j_l}},\dots ,{\mathbf{u}}_{j_1,\overline{j_2}},{\mathbf{u}}_{\overline{j_1}}$ are computed by $\mathsf{TAcc}(\mathbf{A},R)$.
• $\mathsf{TVerify}(\mathbf{A},\mathbf{u},\mathbf{d},w)$: Given witness

  $$w=\left((j_1,\dots ,j_l),({\mathbf{w}}_l,\dots ,{\mathbf{w}}_1)\right)\in {\{0,1\}}^l\times {\left({\{0,1\}}^{nk}\right)}^l,$$

  let ${\mathbf{v}}_l=\mathbf{d}$, and recursively compute ${\mathbf{v}}_{l-1},\dots ,{\mathbf{v}}_1,{\mathbf{v}}_0\in {\{0,1\}}^{nk}$ for $i\in \{l-1,\dots ,0\}$ as follows:

  $${\mathbf{v}}_i=\left\{\begin{array}{cc}{h}_{\mathbf{A}}({\mathbf{v}}_{i+1},{\mathbf{w}}_{i+1}),\hfill & \mathrm{if}{j}_{i+1}=0;\hfill \\ h_{\mathbf{A}}({\mathbf{w}}_{i+1},{\mathbf{v}}_{i+1}),\hfill & \mathrm{if}{j}_{i+1}=1.\hfill \end{array}\right.$$
  Return 1 if ${\mathbf{v}}_0=\mathbf{u}$; otherwise, return 0.

In Reference [8], the authors also design an argument system for the prover $\mathcal{P}$ to convince the verifier $\mathcal{V}$ that $\mathcal{P}$ knows a value-witness pair $(\mathbf{d},w)$ such that $\mathsf{TVerify}(\mathbf{A},\mathbf{u},\mathbf{d},w)=1$. Toward this goal, they develop the following supporting techniques, which are necessary in our construction, as well.

• Extension of $\mathbf{A}=[{\mathbf{A}}_0\mid {\mathbf{A}}_1]$ to ${\mathbf{A}}^{*}=[{\mathbf{A}}_0\mid {\mathbf{0}}^{n\times nk}\mid {\mathbf{A}}_1\mid {\mathbf{0}}^{n\times nk}]\in {\mathbb{Z}}_q^{n\times 2m}$.
• Extension of $\mathbf{G}$ to ${\mathbf{G}}^{*}=[\mathbf{G}\mid {\mathbf{0}}^{n\times nk}]\in {\mathbb{Z}}_q^{n\times m}$.
• Extensions of ${\mathbf{v}}_1,\dots ,{\mathbf{v}}_l,{\mathbf{w}}_1,\dots ,{\mathbf{w}}_l$ to ${\mathbf{v}}_1^{*},\dots ,{\mathbf{v}}_l^{*},{\mathbf{w}}_1^{*},\dots ,{\mathbf{w}}_l^{*}\in {\mathsf{B}}_m^{nk}$ by appending to each vector a length-$nk$ vector with suitable Hamming weight.
• For $i\in \{nk,m\},b\in \{0,1\}$ and $\mathbf{v}\in {\{0,1\}}^i$, let $\mathsf{ext}(b,\mathbf{v})$ denote the vector $\mathbf{z}\in {\{0,1\}}^{2i}$ of the form $\mathbf{z}=\left(\begin{array}{c}\overline{b}·\mathbf{v}\\ b·\mathbf{v}\end{array}\right).$
• For $b\in \{0,1\}$ and $\pi \in {\mathcal{S}}_m$, define the permutation $F_{b,\pi }$ that transforms $\mathbf{z}=\left(\begin{array}{c}{\mathbf{z}}_0\\ {\mathbf{z}}_1\end{array}\right)\in {\mathbb{Z}}_q^{2m}$ consisting of 2 blocks of size m into $F_{b,\pi }\left(\mathbf{z}\right)=\left(\begin{array}{c}\pi \left({\mathbf{z}}_b\right)\\ \pi \left({\mathbf{z}}_{\overline{b}}\right)\end{array}\right)$.

Observe that, for all $c,b\in \{0,1\},\pi ,\varphi \in {\mathcal{S}}_m$ and $\mathbf{v},\mathbf{w}\in {\{0,1\}}^m$,

$$\begin{array}{c}\mathbf{z}=\mathsf{ext}(c,\mathbf{v})\wedge \mathbf{v}\in {\mathsf{B}}_m^{nk}⟺F_{b,\pi }\left(\mathbf{z}\right)=\mathsf{ext}(c\oplus b,\pi \left(\mathbf{v}\right))\wedge \pi \left(\mathbf{v}\right)\in {\mathsf{B}}_m^{nk};\\ \mathbf{y}=\mathsf{ext}(\overline{c},\mathbf{w})\wedge \mathbf{w}\in {\mathsf{B}}_m^{nk}⟺F_{\overline{b},\varphi }\left(\mathbf{y}\right)=\mathsf{ext}(c\oplus b,\varphi \left(\mathbf{w}\right))\wedge \varphi \left(\mathbf{w}\right)\in {\mathsf{B}}_m^{nk}.\end{array}$$

3. The Underlying Zero-Knowledge Argument System

In this section, we present an interactive protocol, upon which our NDRS scheme is built. This protocol bears much resemblance to that in Section 4.2 of Reference [8], except that one more layer is added. Specifically, in our protocol, the prover $\mathcal{P}$ is able to convince the verifier $\mathcal{V}$ on input $(\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b})$ that $\mathcal{P}$ knows a secret tuple $(\mathbf{d},w,\mathbf{x})$ such that:

• $\mathbf{d}=h_{\mathbf{A}}\left(\mathbf{x}\right)\in {\{0,1\}}^{nk}$,
• $\mathsf{TVerify}(\mathbf{A},\mathbf{u},\mathbf{d},w)=1$,
• $\mathbf{B}·\mathbf{x}=\mathbf{b}modq\in {\mathbb{Z}}_q^n$.

More formally, the associated relation ${\mathrm{R}}_{\mathrm{NDRS}}$ is given by

$$\begin{array}{c}{\mathrm{R}}_{\mathrm{NDRS}}=\left\{\right((\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b})\in {\mathbb{Z}}_q^{n\times m}\times {\mathbb{Z}}_q^{n\times m}\times {\{0,1\}}^{nk}\times {\mathbb{Z}}_q^n;\hfill \\ \mathbf{d}\in {\{0,1\}}^{nk},w\in {\{0,1\}}^l\times {\left({\{0,1\}}^{nk}\right)}^l,\mathbf{x}\in {\{0,1\}}^m):\\ \hfill \mathbf{A}·\mathbf{x}=\mathbf{G}·\mathbf{d}modq\wedge \mathbf{B}·\mathbf{x}=\mathbf{b}modq\wedge \mathsf{TVerify}(\mathbf{A},\mathbf{u},\mathbf{d},w)=1\}.\end{array}$$

3.1. Description of the Interactive Protocol

The public parameters are $n,m,q,k,l,\mathbf{G},{\mathbf{G}}^{*},\widehat{\mathbf{A}}$, and $\widehat{\mathbf{B}}$, where

$$\widehat{\mathbf{A}}=[\mathbf{A}\mid {\mathbf{0}}^{n\times m}],\widehat{\mathbf{B}}=[\mathbf{B}\mid {\mathbf{0}}^{n\times m}]\in {\mathbb{Z}}_q^{n\times 2m}.$$

The prover $\mathcal{P}$, using its witness, prepares, according to Section 2.4, the following vectors:

$${\mathbf{v}}_i^{*},{\mathbf{w}}_i^{*}\in {\mathsf{B}}_m^{nk},{\mathbf{z}}_i=\mathsf{ext}(j_i,{\mathbf{v}}_i^{*}),{\mathbf{y}}_i=\mathsf{ext}({\overline{j}}_i,{\mathbf{w}}_i^{*}),$$

for all $i\in \left[l\right]$ such that

$$\left\{\begin{array}{cc}{\mathbf{A}}^{*}·{\mathbf{z}}_1+{\mathbf{A}}^{*}·{\mathbf{y}}_1=\mathbf{G}·\mathbf{u}modq;\hfill & \\ {\mathbf{A}}^{*}·{\mathbf{z}}_{i+1}+{\mathbf{A}}^{*}·{\mathbf{y}}_{i+1}={\mathbf{G}}^{*}·{\mathbf{v}}_i^{*}modq\hfill \end{array}\right.,$$

(1)

for all $i\in [l-1]$. Observe that ${\mathbf{G}}^{*}·{\mathbf{v}}_l^{*}=\mathbf{G}·\mathbf{d}$. First, $\mathcal{P}$ extends $\mathbf{x}$ into ${\mathbf{x}}^{*}\in {\mathsf{B}}_{2m}^m$. Clearly, $\widehat{\mathbf{A}}·{\mathbf{x}}^{*}=\mathbf{A}·\mathbf{x}$ and $\widehat{\mathbf{B}}·{\mathbf{x}}^{*}=\mathbf{B}·\mathbf{x}$. In Stern’s framework, a random permutation $\tau \leftarrow {\mathcal{S}}_{2m}$ and a random ‘mask’ ${\mathbf{r}}_{\mathbf{x}}\leftarrow {\mathbb{Z}}_q^{2m}$ give a $\mathsf{ZKAoK}$ of the secret $\mathbf{x}$ according to the equivalence ${\mathbf{x}}^{*}\in {\mathsf{B}}_{2m}^m\iff \tau \left({\mathbf{x}}^{*}\right)\in {\mathsf{B}}_{2m}^m$.

After these preparations, $\mathcal{P}$’s goal is to convince $\mathcal{V}$ that it knows the vectors ${\mathbf{v}}_i^{*},{\mathbf{w}}_i^{*}$, ${\mathbf{z}}_i,{\mathbf{y}}_i$ for all $i\in \left[l\right]$ and ${\mathbf{x}}^{*}\in {\mathsf{B}}_{2m}$ such that:

• Equation (1) holds;
• $\widehat{\mathbf{A}}·{\mathbf{x}}^{*}={\mathbf{G}}^{*}·{\mathbf{v}}_l^{*}modq$ and $\widehat{\mathbf{B}}·{\mathbf{x}}^{*}=\mathbf{b}modq$.

The interaction between $\mathcal{P}$ and $\mathcal{V}$ is detailed as follows.

1.

Commitment.$\mathcal{P}$ firstly picks the following randomness:

$$\begin{array}{c}{\rho }_1,{\rho }_2,{\rho }_3\in {\{0,1\}}^{m/2}\mathrm{for}\mathsf{COM}\\ \tau \leftarrow {\mathcal{S}}_{2m};b_1,\dots ,b_l\leftarrow \{0,1\};{\pi }_1,\dots ,{\pi }_l,{\varphi }_1,\dots ,{\varphi }_l\leftarrow {\mathcal{S}}_m\\ {\mathbf{r}}_{\mathbf{x}}\leftarrow {\mathbb{Z}}_q^{2m};{\mathbf{r}}_{{\mathbf{v}}_1},\dots ,{\mathbf{r}}_{{\mathbf{v}}_l}\leftarrow {\mathbb{Z}}_q^m;{\mathbf{r}}_{{\mathbf{z}}_1},\dots ,{\mathbf{r}}_{{\mathbf{z}}_l},{\mathbf{r}}_{{\mathbf{y}}_1},\dots ,{\mathbf{r}}_{{\mathbf{y}}_l}\leftarrow {\mathbb{Z}}_q^{2m}.\end{array}$$

Then, the commitment CMT=($C_1,C_2,C_3$) is sent to $\mathcal{V}$, where

$$\begin{array}{cc}\hfill C_1& =\mathsf{COM}(\tau ;\widehat{\mathbf{A}}·{\mathbf{r}}_{\mathbf{x}}-{\mathbf{G}}^{*}·{\mathbf{r}}_{{\mathbf{v}}_l};\widehat{\mathbf{B}}·{\mathbf{r}}_{\mathbf{x}};{\{b_i,{\pi }_i,{\varphi }_i\}}_{i=1}^l;{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{z}}_1}+{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{y}}_1};\hfill \\ \hfill & {\{{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{z}}_{i+1}}+{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{y}}_{i+1}}-{\mathbf{G}}^{*}·{\mathbf{r}}_{{\mathbf{v}}_i}\}}_{i=1}^{l-1};{\rho }_1)\hfill \\ \hfill C_2& =\mathsf{COM}\left(\tau \left({\mathbf{r}}_{\mathbf{x}}\right);{\{{\pi }_i\left({\mathbf{r}}_{{\mathbf{v}}_i}\right),F_{b_i,{\pi }_i}\left({\mathbf{r}}_{{\mathbf{z}}_i}\right),F_{{\overline{b}}_i,{\varphi }_i}\left({\mathbf{r}}_{{\mathbf{y}}_i}\right)\}}_{i=1}^l;{\rho }_2\right)\hfill \\ \hfill C_3& =\mathsf{COM}\left(\tau ({\mathbf{x}}^{*}+{\mathbf{r}}_{\mathbf{x}});{\{{\pi }_i({\mathbf{v}}_i^{*}+{\mathbf{r}}_{{\mathbf{v}}_i}),F_{b_i,{\pi }_i}({\mathbf{z}}_i+{\mathbf{r}}_{{\mathbf{z}}_i}),F_{{\overline{b}}_i,{\varphi }_i}({\mathbf{y}}_i+{\mathbf{r}}_{{\mathbf{y}}_i})\}}_{i=1}^l;{\rho }_3\right).\hfill \end{array}$$

2.

Challenge.$\mathcal{V}$ sends to $\mathcal{P}$ a challenge $Ch\leftarrow \{1,2,3\}$.

3.

Response.$\mathcal{P}$ sends the response RSP depending on $Ch$ as follows:

• $Ch=1$: Let ${\tilde{\mathbf{x}}}^{*}=\tau \left({\mathbf{x}}^{*}\right),{\tilde{\mathbf{r}}}_{\mathbf{x}}=\tau \left({\mathbf{r}}_{\mathbf{x}}\right)$, and, for each $i\in \left[l\right]$, let:

  $$\begin{array}{c}{\tilde{b}}_i=j_i\oplus b_i;{\tilde{\mathbf{v}}}_i^{*}={\pi }_i\left({\mathbf{v}}_i^{*}\right);{\tilde{\mathbf{w}}}_i^{*}={\varphi }_i\left({\mathbf{w}}_i^{*}\right)\\ {\tilde{\mathbf{r}}}_{{\mathbf{v}}_i}={\pi }_i\left({\mathbf{r}}_{{\mathbf{v}}_i}\right);{\tilde{\mathbf{r}}}_{{\mathbf{z}}_i}=F_{b_i,{\pi }_i}\left({\mathbf{r}}_{{\mathbf{z}}_i}\right);{\tilde{\mathbf{r}}}_{{\mathbf{y}}_i}=F_{{\overline{b}}_i,{\varphi }_i}\left({\mathbf{r}}_{{\mathbf{y}}_i}\right).\end{array}$$
  Set RSP=$\left({\tilde{\mathbf{x}}}^{*};{\tilde{\mathbf{r}}}_{\mathbf{x}};{\{{\tilde{b}}_i,{\tilde{\mathbf{v}}}_i^{*},{\tilde{\mathbf{w}}}_i^{*},{\tilde{\mathbf{r}}}_{{\mathbf{v}}_i},{\tilde{\mathbf{r}}}_{{\mathbf{z}}_i},{\tilde{\mathbf{r}}}_{{\mathbf{y}}_i}\}}_{i=1}^l;{\rho }_2;{\rho }_3\right)$.
• $Ch=2$: Let ${\tau }^{\prime }=\tau ,{\mathbf{s}}_{\mathbf{x}}={\mathbf{x}}^{*}+{\mathbf{r}}_{\mathbf{x}}$, and, for each $i\in \left[l\right]$, let:

  $$\begin{array}{c}{b}_i^{\prime }=b_i;{\pi }_i^{\prime }={\pi }_i;{\varphi }_i^{\prime }={\varphi }_i;\\ {\mathbf{s}}_{{\mathbf{v}}_i}={\mathbf{v}}_i^{*}+{\mathbf{r}}_{{\mathbf{v}}_i};{\mathbf{s}}_{{\mathbf{z}}_i}={\mathbf{z}}_i+{\mathbf{r}}_{{\mathbf{z}}_i};{\mathbf{s}}_{{\mathbf{y}}_i}={\mathbf{y}}_i+{\mathbf{r}}_{{\mathbf{y}}_i}.\end{array}$$
  Set RSP=$\left({\tau }^{\prime };{\mathbf{s}}_{\mathbf{x}};{\{b_i^{\prime },{\pi }_i^{\prime },{\varphi }_i^{\prime },{\mathbf{s}}_{{\mathbf{v}}_i},{\mathbf{s}}_{{\mathbf{z}}_i},{\mathbf{s}}_{{\mathbf{y}}_i}\}}_{i=1}^l;{\rho }_1;{\rho }_3\right)$.
• $Ch=3$: Let ${\tau }^{\prime \prime }=\tau ,{\mathbf{r}}_{\mathbf{x}}^{\prime }={\mathbf{r}}_{\mathbf{x}}$, and, for each $i\in \left[l\right]$, let:

  $$\begin{array}{c}{b}_i^{\prime \prime }=b_i;{\pi }_i^{\prime \prime }={\pi }_i;{\varphi }_i^{\prime \prime }={\varphi }_i;\\ {\mathbf{r}}_{{\mathbf{v}}_i}^{\prime }={\mathbf{r}}_{{\mathbf{v}}_i};{\mathbf{r}}_{{\mathbf{z}}_i}^{\prime }={\mathbf{r}}_{{\mathbf{z}}_i};{\mathbf{r}}_{{\mathbf{y}}_i}^{\prime }={\mathbf{r}}_{{\mathbf{y}}_i}.\end{array}$$
  Set RSP=$\left({\tau }^{\prime \prime };{\mathbf{r}}_{\mathbf{x}}^{\prime };{\{b_i^{\prime \prime },{\pi }_i^{\prime \prime },{\varphi }_i^{\prime \prime },{\mathbf{r}}_{{\mathbf{v}}_i}^{\prime },{\mathbf{r}}_{{\mathbf{z}}_i}^{\prime },{\mathbf{r}}_{{\mathbf{y}}_i}^{\prime }\}}_{i=1}^l;{\rho }_1;{\rho }_2\right)$.

4.

Verification. Given RSP, $\mathcal{V}$ proceeds as follows.

• $Ch=1$: Check that ${\tilde{\mathbf{x}}}^{*}\in {\mathsf{B}}_{2m}$ for $i\in \left[p\right]$, ${\tilde{\mathbf{v}}}_i^{*},{\tilde{\mathbf{w}}}_i^{*}\in {\mathsf{B}}_m^{nk}$ for $i\in \left[l\right]$ and that

  $$\begin{array}{cc}\hfill C_2& =\mathsf{COM}\left({\tilde{\mathbf{r}}}_{\mathbf{x}};{\{{\tilde{\mathbf{r}}}_{{\mathbf{v}}_i},{\tilde{\mathbf{r}}}_{{\mathbf{z}}_i},{\tilde{\mathbf{r}}}_{{\mathbf{y}}_i}\}}_{i=1}^l;{\rho }_2\right),\hfill \\ \hfill C_3& =\mathsf{COM}\left({\tilde{\mathbf{x}}}^{*}+{\tilde{\mathbf{r}}}_{\mathbf{x}};{\{{\tilde{\mathbf{v}}}_i^{*}+{\tilde{\mathbf{r}}}_{{\mathbf{v}}_i},\mathsf{ext}({\tilde{b}}_i,{\tilde{\mathbf{v}}}_i^{*})+{\tilde{\mathbf{r}}}_{{\mathbf{z}}_i},\mathsf{ext}({\tilde{b}}_i,{\tilde{\mathbf{w}}}_i^{*})+{\tilde{\mathbf{r}}}_{{\mathbf{y}}_i}\}}_{i=1}^l;{\rho }_3\right).\hfill \end{array}$$
• $Ch=2$: Check that

  $$\begin{array}{cc}\hfill C_1& =\mathsf{COM}({\tau }^{\prime };\widehat{\mathbf{A}}·{\mathbf{s}}_{\mathbf{x}}-{\mathbf{G}}^{*}·{\mathbf{s}}_{{\mathbf{v}}_l};\widehat{\mathbf{B}}·{\mathbf{s}}_{\mathbf{x}}-\mathbf{b};{\{b_i^{\prime },{\pi }_i^{\prime },{\varphi }_i^{\prime }\}}_{i=1}^l;\hfill \\ \hfill & {\mathbf{A}}^{*}·{\mathbf{s}}_{{\mathbf{z}}_1}+{\mathbf{A}}^{*}·{\mathbf{s}}_{{\mathbf{y}}_1}-\mathbf{G}·\mathbf{u};{\{{\mathbf{A}}^{*}·{\mathbf{s}}_{{\mathbf{z}}_{i+1}}+{\mathbf{A}}^{*}·{\mathbf{s}}_{{\mathbf{y}}_{i+1}}-{\mathbf{G}}^{*}·{\mathbf{s}}_{{\mathbf{v}}_i}\}}_{i=1}^{l-1};{\rho }_1),\hfill \\ \hfill C_3& =\mathsf{COM}\left({\tau }^{\prime }\left({\mathbf{s}}_{\mathbf{x}}\right);{\{{\pi }_i^{\prime }\left({\mathbf{s}}_{{\mathbf{v}}_i}\right),F_{b_i^{\prime },{\pi }_i^{\prime }}\left({\mathbf{s}}_{{\mathbf{z}}_i}\right),F_{{\overline{b}}_i^{\prime },{\varphi }_i^{\prime }}\left({\mathbf{s}}_{{\mathbf{y}}_i}\right)\}}_{i=1}^l;{\rho }_3\right).\hfill \end{array}$$
• $Ch=3$: Check that

  $$\begin{array}{cc}\hfill C_1& =\mathsf{COM}({\tau }^{\prime \prime };\widehat{\mathbf{A}}·{\mathbf{r}}_{\mathbf{x}}^{\prime }-{\mathbf{G}}^{*}·{\mathbf{r}}_{{\mathbf{v}}_l}^{\prime };\widehat{\mathbf{B}}·{\mathbf{r}}_{\mathbf{x}}^{\prime };{\{b_i^{\prime \prime },{\pi }_i^{\prime \prime },{\varphi }_i^{\prime \prime }\}}_{i=1}^l;{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{z}}_1}^{\prime }+{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{y}}_1}^{\prime };\hfill \\ \hfill & {\{{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{z}}_{i+1}}^{\prime }+{\mathbf{A}}^{*}·{\mathbf{r}}_{{\mathbf{y}}_{i+1}}^{\prime }-{\mathbf{G}}^{*}·{\mathbf{r}}_{{\mathbf{v}}_i}^{\prime }\}}_{i=1}^{l-1};{\rho }_1),\hfill \\ \hfill C_2& =\mathsf{COM}\left({\tau }^{\prime \prime }\left({\mathbf{r}}_{\mathbf{x}}^{\prime }\right);{\{{\pi }_i^{\prime \prime }\left({\mathbf{r}}_{{\mathbf{v}}_i}^{\prime }\right),F_{b_i^{\prime \prime },{\pi }_i^{\prime \prime }}\left({\mathbf{r}}_{{\mathbf{z}}_i}^{\prime }\right),F_{{\overline{b}}_i^{\prime \prime },{\varphi }_i^{\prime \prime }}\left({\mathbf{r}}_{{\mathbf{y}}_i}^{\prime }\right)\}}_{i=1}^l;{\rho }_2\right).\hfill \end{array}$$

$\mathcal{V}$ outputs 1 only if all the conditions hold in each cases. Otherwise, output 0.

3.2. Analysis of the Interactive Protocol

We summarize several properties of the above protocol in the following theorem. Since the proof of the properties of the protocol is similar with that of Reference [8], we omit the details. (See Appendix A)

Theorem 2.

The given interactive protocol has perfect completeness and communication cost $\tilde{O}(l·n)$. If $\mathsf{COM}$ is a statistically hiding and computationally binding string commitment scheme, then it is an $\mathsf{ZKAoK}$ for the relation ${\mathrm{R}}_{\mathrm{NDRS}}$.

4. Our Non-Interactive Deniable Ring Signature Scheme from Lattices

We now construct an NDRS scheme for rings with $N=2^l$ users (It can be easily adapted for any other values of N as in Reference [8].) and prove that our construction satisfies the security requirements: anonymity, traceability, and non-frameability. We use a public Pseudo-random Generator (PRG), and a random oracle ${\mathcal{H}}_{\mathsf{FS}}:{\{0,1\}}^{*}\to {\{1,2,3\}}^{\kappa }$.

• $\mathsf{Setup}\left(1^n\right)$: On input n, output $\mathsf{pp}=\mathbf{A}\leftarrow {\mathbb{Z}}_q^{n\times m}$.
• $\mathsf{KeyGen}\left(\mathsf{pp}\right)$: On input $\mathsf{pp}$, output $(pk,sk)=(\mathbf{d},\mathbf{x})$, where $\mathbf{x}\leftarrow {\{0,1\}}^m$, and $\mathbf{d}=\mathsf{bin}(\mathbf{A}·\mathbf{x}modq)$.
• $\mathsf{Sign}(\mathsf{pp},R,sk,M)$: On inputs $\mathsf{pp}$, $R=\{{\mathbf{d}}_0,\dots ,{\mathbf{d}}_{N-1}\}$, $sk$, and M, it works as follows (Notice that, for the public key $pk$ corresponding to the input $sk$, we have $pk\in R$.) to output the signature $\Sigma$.
  • Run $\mathsf{TAcc}(\mathbf{A},R)$ and obtain $\mathbf{u}\in {\{0,1\}}^{nk}$. Recall that $\mathbf{u}$ is the root of the Merkle tree defined on R.
  • Run $\mathsf{TWitness}(\mathbf{A},R,\mathbf{d})$ and obtain

    $$w=\left((j_1,\dots ,j_l)\in {\{0,1\}}^l,({\mathbf{w}}_l\dots ,{\mathbf{w}}_1)\in {\left({\{0,1\}}^{nk}\right)}^l\right).$$
    Recall that w is a witness to the fact that $\mathbf{d}\in R$.
  • Sample a seed $s\leftarrow {\{0,1\}}^n$, generate a matrix $\mathbf{B}=\mathsf{PRG}\left(s\right)\in {\mathbb{Z}}_q^{n\times m}$ and compute $\mathbf{b}=\mathbf{B}·\mathbf{x}modq$. Then, produce an $\mathsf{NIZKAoK}$$\Pi$ by repeating our interactive protocol $\kappa =\omega (logn)$ times. By using the Fiat-Shamir heuristic, we transform $\Pi$ to the triple

    $$\Pi =\left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathrm{CH},{\left\{{\mathrm{RSP}}_i\right\}}_{i=1}^{\kappa }\right),$$

    where

    $$\mathrm{CH}={\mathcal{H}}_{\mathsf{FS}}\left(M,{\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b},R\right)=(C{h}_1,\dots ,C{h}_{\kappa })\in {\{1,2,3\}}^{\kappa }.$$
  • Output $\Sigma =(s,\mathbf{b},\Pi )$.
• $\mathsf{Verify}(\mathsf{pp},R,M,\Sigma )$: Pm inputs $\mathsf{pp},R,M,\Sigma$, the verification procedure is detailed as follows:
  • Run $\mathsf{TAcc}(\mathbf{A},R)$ and obtain $\mathbf{u}$.
  • Parse $\Sigma =\left(s,\mathbf{b},{\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathrm{CH},{\left\{{\mathrm{RSP}}_i\right\}}_{i=1}^{\kappa }\right)$. Let $\mathbf{B}=\mathsf{PRG}\left(s\right)$. Output 0 if

    $$(C{h}_1,\dots ,C{h}_{\kappa })\ne {\mathcal{H}}_{\mathsf{FS}}\left(M,{\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b},R\right).$$
  • For $i=1,\dots ,\kappa$, check the validity of RSP${}_i$$w.r.t.$ CMT${}_i$ and $C{h}_i$. If all the conditions hold, output 1; otherwise, output 0.
• $\mathsf{EvidenceGen}(\mathsf{pp},R,s{k}_i,\Sigma )$: On inputs $\mathsf{pp}$, R, a secret key $s{k}_i={\mathbf{x}}^{\prime }$, and the pair $(s,\mathbf{b})$ contained in $\Sigma$, the algorithm produces a piece of evidence ${\xi }_i$ as follows:
  • Run $\mathsf{TAcc}(\mathbf{A},R)$ and obtain the Merkle tree’s root $\mathbf{u}\in {\{0,1\}}^{nk}$.
  • Let $p{k}_i={\mathbf{d}}^{\prime }=\mathsf{bin}(\mathbf{A}·{\mathbf{x}}^{\prime }modq)$. Generate a witness

    $$w^{\prime }=\left((j_1^{\prime },\dots ,j_l^{\prime })\in {\{0,1\}}^l,({\mathbf{w}}_l^{\prime }\dots ,{\mathbf{w}}_1^{\prime })\in {\left({\{0,1\}}^{nk}\right)}^l\right)$$

    to the fact that ${\mathbf{d}}^{\prime }\in R$ by running $\mathsf{TWitness}(\mathbf{A},R,{\mathbf{d}}^{\prime })$, i.e., ${\mathbf{d}}^{\prime }$ was properly accumulated in $\mathbf{u}$.
  • Let $\mathbf{B}=\mathsf{PRG}\left(s\right)$. Compute ${\mathbf{b}}^{\prime }=\mathbf{B}·{\mathbf{x}}^{\prime }modq$ and generate a $\mathsf{NIZKAoK}$${\Pi }^{\prime }$ as in the signing algorithm to demonstrate the possession of a valid pair $(p{k}_i,s{k}_i)=({\mathbf{d}}^{\prime },{\mathbf{x}}^{\prime })$ such that ${\mathbf{b}}^{\prime }=\mathbf{B}·{\mathbf{x}}^{\prime }modq$ and that ${\mathbf{d}}^{\prime }\in R$, i.e.,

    $${\Pi }^{\prime }=\left({\left\{{\mathrm{CMT}}_i^{\prime }\right\}}_{i=1}^{\kappa },{\mathrm{CH}}^{\prime },{\left\{{\mathrm{RSP}}_i^{\prime }\right\}}_{i=1}^{\kappa }\right),$$

    where

    $${\mathrm{CH}}^{\prime }={\mathcal{H}}_{\mathsf{FS}}\left({\left\{{\mathrm{CMT}}_i^{\prime }\right\}}_{i=1}^{\kappa },\mathbf{A},\mathbf{B},\mathbf{u},{\mathbf{b}}^{\prime },R\right)\in {\{1,2,3\}}^{\kappa }.$$
  • Output ${\xi }_i=(s,{\mathbf{b}}^{\prime },{\Pi }^{\prime })$. Note that ${\xi }_i$ can be seen just as a signature on the empty message with the given seed s (instead of choosing a random seed by the algorithm itself).
• $\mathsf{EvidenceCheck}(\mathsf{pp},R,i,{\xi }_i,\Sigma )$: On inputs $\mathsf{pp},R,i,{\xi }_i,\Sigma$, the evidence ${\xi }_i$ is checked as follows:
  • Check the validity of ${\xi }_i$ and $\Sigma$ by verifying the underlying protocols. If either is invalid, then output “reject”.
  • If $(s,{\mathbf{b}}^{\prime })=(s,\mathbf{b})$, then output “confirmation”; otherwise, output “disavowal”.

Analysis of Our NDRS Scheme

We first briefly analyze the correctness and efficiency properties.

Theorem 3

(Correctness and Efficiency). The NDRS scheme described in the previous section is correct and produces signatures of bit-size $\tilde{O}(n·logN)$.

Correctness. It is easy to check that:

• By the perfect completeness of the argument system presented in the previous section, each member of a ring is always capable of obtaining a tuple $(\mathbf{x},\mathbf{d},w)$ such that

  $$\left((\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b}),\mathbf{d},w,\mathbf{x}\right)\in {\mathrm{R}}_{\mathrm{NDRS}}.$$
  Thus, by the Fiat-Shamir heuristic, the ring signature on M is valid.
• Meanwhile, for any signature $\Sigma =(s,\mathbf{b},\Pi )$, the real signer can always produce a piece of valid evidence $\xi =(s,{\mathbf{b}}^{\prime },{\Pi }^{\prime })$ such that $\mathbf{b}={\mathbf{b}}^{\prime }$, i.e., $\mathsf{EvidenceCheck}$ outputs ‘confirmation’.
• By the randomness of the secret keys $\mathbf{x},{\mathbf{x}}^{\prime }\leftarrow {\{0,1\}}^m$, the non-real signer can always produce a piece of valid evidence $\tilde{\xi }=(s,\tilde{\mathbf{b}},\tilde{\Pi })$ such that $\mathbf{b}=\mathbf{B}·\mathbf{x}modq\ne {\mathbf{b}}^{\prime }=\mathbf{B}·{\mathbf{x}}^{\prime }modq$ with overwhelming probability.

Efficiency. It is not hard to check that the underlying interactive procedure in previous section has communication cost $\tilde{O}(l·n)$; therefore, the resulting signature has bit-size $\tilde{O}(\kappa ·l·n+n)=\tilde{O}(n·logN)$.

Now, we analyze the security requirements: anonymity, traceability, and non-frameability.

Theorem 4

(Anonymity). Assume that $\mathsf{COM}$ is a statistical hiding commitment scheme. Then, our NDRS scheme provides statistical anonymity in the random oracle model.

Proof. 

We consider a sequence of games. The challenger $\mathcal{C}$ runs experiment ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-0}\left(n\right)$ in the first game, while, in the last one, it runs ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-1}\left(n\right)$.

Game G${}_0^{\left(b\right)}$:

Exactly, it is the real experiment ${\mathbf{Exp}}_{NDRS,\mathcal{A}}^{\mathsf{anon}-b}\left(n\right)$, where the adversary is given a challenge signature ${\Sigma }^{*}\leftarrow \mathsf{Sign}(\mathsf{pp},\{p{k}_{i_0},p{k}_{i_1}\},s{k}_{i_b},M^{*})$. Namely, given $(i_0,i_1,M^{*})$, the challenger $\mathcal{C}$ chooses a random $b\leftarrow \{0,1\}$ and computes a legitimate signature ${\Sigma }^{*}$ using the secret key $s{k}_{i_b}={\mathbf{x}}_{i_b}$ of user $i_b$:

• Run $\mathsf{TAcc}(\mathbf{A},R)$ and obtain $\mathbf{u}\in {\{0,1\}}^{nk}$, where $R=\{p{k}_{i_0},p{k}_{i_1}\}$.
• Run $\mathsf{TWitness}(\mathbf{A},R,{\mathbf{d}}_{i_b})$ and obtain a witness $w_{i_b}$ to the fact that ${\mathbf{d}}_{i_b}=\mathbf{A}·{\mathbf{x}}_{i_b}modq\in R$.
• Sample a seed $s\leftarrow {\{0,1\}}^n$, generate matrix $\mathbf{B}=\mathsf{PRG}\left(s\right)\in {\mathbb{Z}}_q^{n\times m}$ and compute $\mathbf{b}=\mathbf{B}·{\mathbf{x}}_{i_b}modq$. Then, produce a $\mathsf{NIZKAoK}$$\Pi$ with public input $(\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b})$ and prover’s witness $({\mathbf{d}}_{i_b},w_{i_b},{\mathbf{x}}_{i_b})$, i.e.,

  $$\Pi =\left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathrm{CH},{\left\{{\mathrm{RSP}}_i\right\}}_{i=1}^{\kappa }\right),$$

  where

  $$\mathrm{CH}={\mathcal{H}}_{\mathsf{FS}}\left(M^{*},{\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b},R\right)\in {\{1,2,3\}}^{\kappa }.$$
• Output ${\Sigma }^{*}=(\mathbf{B},\mathbf{b},\Pi )$.

Game G${}_1$:

Generally, this game is identical to G${}_0^{\left(b\right)}$, except that the challenge signature ${\Sigma }^{*}$ is made independent of the coin b, while preserving the statistical closeness to G${}_0^{\left(b\right)}$. In more detail, the following modifications are introduced with respect to G${}_0^{\left(b\right)}$:

• In Step 3, we change how the vector $\mathbf{b}$ is generated. Specifically, $\mathcal{C}$ samples $\mathbf{b}\leftarrow {\mathbb{Z}}_q^n$ uniformly at random, instead of computing $\mathbf{b}=\mathbf{B}·{\mathbf{x}}_{i_b}modq$.
• In addition, in Step 3, the proof $\Pi$ contained in the challenge signature ${\Sigma }^{*}$ is produced in the simulation manner by $\mathcal{C}$’s programming on the random oracle ${\mathcal{H}}_{\mathsf{FS}}(·)$.

  (a)

  For each $j\in \left[\kappa \right]$, choose a ‘fake challenge’ ${\overline{Ch}}_j\leftarrow \{1,2,3\}$ and prepare the ‘commitment’ ${\mathrm{CMT}}_j$ according to ${\overline{Ch}}_j$. Then, randomly pick a ‘real challenge’ $C{h}_j\leftarrow \{1,2,3\}\setminus \left\{{\overline{Ch}}_j\right\}$.

  (b)

  Program the random oracle and set

  $$\mathrm{CH}={\left\{C{h}_j\right\}}_{j=1}^{\kappa }={\mathcal{H}}_{\mathsf{FS}}\left(M^{*},{\left\{{\mathrm{CMT}}_j\right\}}_{j=1}^{\kappa },\mathbf{A},\mathbf{B},\mathbf{u},\mathbf{b},R\right).$$

  (c)

  Prepare the ‘response’ ${\left\{{\mathrm{RSP}}_j\right\}}_{j=1}^{\kappa }$ in accordance with the normal procedure.

  (d)

  Output

  $${\Sigma }^{*}=(s,\mathbf{b},\Pi )=\left(s,\mathbf{b},{\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathrm{CH},{\left\{{\mathrm{RSP}}_i\right\}}_{i=1}^{\kappa }\right).$$

Observe that, for each $j\in \left[\kappa \right]$, $C{h}_j$ is uniformly distributed in $\{1,2,3\}$, satisfying the requirement on the output of the random oracle. Besides, ${\mathrm{CMT}}_j$ and ${\mathrm{RSP}}_j$ are prepared in the same way as in Lemma A2 for proving the zero-knowledge property, implying that the challenge signature is valid. Finally, notice that the vector $\mathbf{b}$ in this game or G${}_0^{\left(b\right)}$ follows a uniform distribution over ${\mathbb{Z}}_q^n$. As a result, G${}_0^{\left(b\right)}$ and G${}_1$ are statistically indistinguishable.

Now, we obtain a sequence of indistinguishable games G${}_0^{\left(0\right)}$, G${}_1$ and G${}_0^{\left(1\right)}$. Since G${}_1$ is independent of the random coin b, the advantage of $\mathcal{A}$ in G${}_1$ is 0. Then, we have the advantage of $\mathcal{A}$ in G${}_0^{\left(0\right)}$ and G${}_0^{\left(1\right)}$ is negligible. This completes the proof. □

Next, we prove the traceability and the non-frameability. Before doing so, we first recall two useful lemmas.

Lemma 1

(Reference [8]). For any matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ and a uniform random $\mathbf{x}\in {\{0,1\}}^m$, the probability that there exists another ${\mathbf{x}}^{\prime }\in {\{0,1\}}^m\setminus \left\{\mathbf{x}\right\}$ such that $\mathbf{A}·\mathbf{x}=\mathbf{A}·{\mathbf{x}}^{\prime }modq$ is at least $1-2^{n·logq-m}$.

Lemma 2

(Reference [13]). Let $\mathcal{SS}$ be a signature scheme with security parameter n. Let $\mathcal{A}$ be a PPT algorithm whose input consists only of public data and which can ask $q_{\mathsf{H}}>0$ queries to the random oracle. Assume that $\mathcal{A}$ produces within time bound T a valid signature $\left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },\mathrm{CH},{\left\{{\mathrm{RSP}}_i\right\}}_{i=1}^{\kappa }\right)$ of message M with probability ϵ. Then, within time $32·T·q_{\mathsf{H}}/ϵ$ and with probability ${ϵ}^{\prime }>1/2$, a replay of $\mathcal{A}$ outputs 3 valid signatures of M:

$$\begin{array}{c}\left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },{\mathrm{CH}}^{\left(1\right)},{\left\{{\mathrm{RSP}}_i^{\left(1\right)}\right\}}_{i=1}^{\kappa }\right),\left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },{\mathrm{CH}}^{\left(2\right)},{\left\{{\mathrm{RSP}}_i^{\left(2\right)}\right\}}_{i=1}^{\kappa }\right),\\ \left({\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa },{\mathrm{CH}}^{\left(3\right)},{\left\{{\mathrm{RSP}}_i^{\left(3\right)}\right\}}_{i=1}^{\kappa }\right)\end{array}$$

for the same ${\left\{{\mathrm{CMT}}_i\right\}}_{i=1}^{\kappa }$ such that ${\mathrm{CH}}^{\left(1\right)},{\mathrm{CH}}^{\left(2\right)},{\mathrm{CH}}^{\left(3\right)}$ are pairwise distinct.

Theorem 5

(Traceability and Non-frameability). Our NDRS scheme provides traceability and non-frameability in the random oracle model if the ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$ is hard.

Proof. 

Assume that there exists a PPT $\mathcal{A}$ has nonnegligible advantage $ϵ$ in the experiment Exp${}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)$ or Exp${}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)$, i.e., $\mathcal{A}$ is able to output a valid signature ${\Sigma }^{*}$ on message $M^{*}$ under some ring $R^{*}=(p{k}_{i_0},\dots ,p{k}_{i_r})=({\mathbf{d}}_0,\dots ,{\mathbf{d}}_r)$ such that

• either $\mathsf{EvidenceCheck}(\mathsf{pp},R^{*},i_j,{\xi }_{i_j},{\Sigma }^{*})$ will output ‘disavowal’ for each $j\in \{0,\cdots ,r\}$, where ${\xi }_{i_j}$ is a piece of evidence generated by user $i_j$;
• or $\mathsf{EvidenceCheck}(\mathsf{pp},R^{*},i_{j^{*}},{\xi }_{i_{j^{*}}},{\Sigma }^{*})$ will output ‘confirmation’ for some honest user $i_{j^{*}}$.

We construct an algorithm $\mathcal{B}$ that solves the ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$ problem with nonnegligible probability. Let $\mathsf{pp}=\mathbf{A}$. During the game, $\mathcal{B}$ generates the secrets of all the queried users as in the real scheme. With these secret keys, $\mathcal{B}$ is capable of faithfully answering all the queries. For the random oracle ${\mathcal{H}}_{\mathsf{FS}}(·)$, we assume without loss of generality that: (1) $\mathcal{A}$ makes any given query to ${\mathcal{H}}_{\mathsf{FS}}(·)$ only once; (2) if $\mathcal{A}$ outputs a signature, then $\mathcal{A}$ had previously queried ${\mathcal{H}}_{\mathsf{FS}}(·)$.

When $\mathcal{A}$ halts, it outputs a valid triple $(R^{*},M^{*},{\Sigma }^{*})$, where

$${\Sigma }^{*}=\left(s^{*},{\mathbf{b}}^{*},{\left\{{\mathrm{CMT}}_i^{*}\right\}}_{i=1}^{\kappa },{\mathrm{CH}}^{*},{\left\{{\mathrm{RSP}}_i^{*}\right\}}_{i=1}^{\kappa }\right).$$

We denote by $q_{\mathcal{H}}$ the upper bound on the number of queries that $\mathcal{A}$ makes to ${\mathcal{H}}_{\mathsf{FS}}(·)$.

Then, by Lemma 2, when $\mathcal{B}$ runs up to $32·q_{\mathcal{H}}/ϵ$ extra executions of $\mathcal{A}$ with the same random tap and inputs as in the first execution, with probability at least $1/2$, $\mathcal{A}$ will get a 3-fork responses ${\mathrm{CH}}^{\left(1\right)},{\mathrm{CH}}^{\left(2\right)},{\mathrm{CH}}^{\left(3\right)}$ (pairwise distinct) from the oracle ${\mathcal{H}}_{\mathsf{FS}}(·)$.

With probability $1-{(7/9)}^{\kappa }$, there exists some $j\in \left[\kappa \right]$ for which the j-th bits of ${\mathrm{CH}}^{\left(1\right)},{\mathrm{CH}}^{\left(2\right)}$, and ${\mathrm{CH}}^{\left(3\right)}$ are $\{C{h}_j^{\left(1\right)},C{h}_j^{\left(2\right)},C{h}_j^{\left(3\right)}\}=\{1,2,3\}$. By the soundness of the argument system for the relation ${\mathrm{R}}_{\mathrm{NDRS}}$, $\mathcal{B}$ is able to extract a tuple $({\mathbf{d}}^{*},w^{*},{\mathbf{x}}^{*})$ from the responses ${\mathrm{RSP}}_j^{\left(1\right)},{\mathrm{RSP}}_j^{\left(2\right)},{\mathrm{RSP}}_j^{\left(3\right)}$ such that

$$\mathbf{A}·{\mathbf{x}}^{*}=\mathbf{G}·{\mathbf{d}}^{*}modq,\mathsf{TVerify}(\mathbf{A},{\mathbf{u}}^{*},{\mathbf{d}}^{*},w^{*})=1.$$

According to the value of ${\mathbf{d}}^{*}$, there are two cases:

• ${\mathbf{d}}^{*}\notin R^{*}=({\mathbf{d}}_0,\dots ,{\mathbf{d}}_r)$. This means $\mathcal{B}$ can use $(R^{*},{\mathbf{d}}^{*},w^{*})$ to break the security of the underlying accumulator, whose security is based on the assumption that ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$ is hard [8].
• ${\mathbf{d}}^{*}\in R^{*}=({\mathbf{d}}_0,\dots ,{\mathbf{d}}_r)$, i.e., ${\mathbf{d}}^{*}={\mathbf{d}}_{j^{*}}$. Note that the secret key $s{k}_{i_{j^{*}}}$ consists of a vector ${\mathbf{x}}_{i_{j^{*}}}\in {\{0,1\}}^m$ such that $\mathbf{A}·{\mathbf{x}}_{i_{j^{*}}}=\mathbf{G}·{\mathbf{d}}_{j^{*}}modq$. If ${\mathbf{x}}_{i_{j^{*}}}\ne {\mathbf{x}}^{*}$, then ${\mathbf{x}}_{i_{j^{*}}}-{\mathbf{x}}^{*}\in {\{-1,0,1\}}^m$ is a valid solution for the ${\mathsf{SIS}}_{n,m,q,1}$ instance $\mathbf{A}$.
  According to the experiments with respect to traceability and non-frameability, we distinguish the following two cases to discuss the probability that ${\mathbf{x}}_{i_{j^{*}}}\ne {\mathbf{x}}^{*}$.

  -

  In the experiment Exp${}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)$, $\mathcal{A}$ has corrupted user $i_{j^{*}}$, acts as the real malicious signer, and manages to evade the traceability. We claim that ${\mathbf{x}}_{i_{j^{*}}}\ne {\mathbf{x}}^{*}$, since $\mathcal{A}$ will otherwise be detected as the real singer by the algorithm $\mathsf{EvidenceCheck}$$(\mathsf{pp},R^{*},i_{j^{*}},{\xi }_{i_{j^{*}}},\Sigma )$, where ${\xi }_{i_{j^{*}}}$ contains an element $\mathbf{b}={\mathbf{B}}^{*}·{\mathbf{x}}_{i_{j^{*}}}modq$.

  -

  In the experiment Exp${}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)$, $\mathcal{A}$ did not corrupt user $i_{j^{*}}$, and temps to produce a valid signature such that the target victim $i_{j^{*}}$ will be detected as the real signer. We claim that ${\mathbf{x}}_{i_{j^{*}}}\ne {\mathbf{x}}^{*}$ with probability greater than $1/2$ by the following two facts: (1) There exists another vector ${\mathbf{x}}^{*}\in {\{0,1\}}^m$ such that $\mathbf{A}·{\mathbf{x}}^{*}=\mathbf{A}·{\mathbf{x}}_{i_{j^{*}}}modq$ by Lemma 1. (2) The underlying argument system is zero-knowledge, which implies witness indistinguishability; thus, $\mathcal{A}$ can hardly get useful information from the signing queries.

In conclusion, in the experiment Exp${}_{NDRS,\mathcal{A}}^{\mathsf{trace}}\left(n\right)$ or Exp${}_{NDRS,\mathcal{A}}^{\mathsf{nf}}\left(n\right)$, a successful attacker $\mathcal{A}$ implies an attacker $\mathcal{B}$ that either defeats the soundness of the argument system, or breaks the security of the accumulator, or directly solves an ${\mathsf{SIS}}_{n,m,q,1}^{\infty }$ instance $\mathbf{A}$. Thus, our scheme provides traceability and non-frameability in the random oracle model, assuming that the ${\mathsf{SIVP}}_{\tilde{O}\left(n\right)}$ problem is hard. □

5. Conclusions

In this work, we propose an efficient lattice-based NDRS scheme by using the techniques developed in Reference [8]. Our scheme has signature size only logarithmic to the ring size, and we prove its security in the random oracle model under the SIS assumption. Notice that, in our NDRS scheme, each secret key can only be used, at most, $k-1$ times for producing ring signatures, where $k=logq$; otherwise, the secret key will be figured out from $\mathbf{B}$’s and corresponding $\mathbf{b}$’s. The direct way to increase the number of ring signatures for each user is to increase the parameter q, which will reduce efficiency. A better way is to develop new techniques that is able to authenticate the user’s identity while producing the ring signature for relative small q. We leave it as a future work.