Threshold ring signature: generic construction and logarithmic size instantiation
Cybersecurity volume 7, Article number: 46 (2024)
Abstract
A ring signature is a variant of the ordinary digital signature that protects the privacy of the signer: a ring signature can be verified, but the signer's identity can only be traced to a limited set (the ring). The concept was later extended to the threshold setting to distribute signing ability among several signers. Since threshold ring signatures were introduced, it has remained a hard problem whether efficient constructions for them exist. In this paper, we introduce a new generic construction of threshold ring signature, named GTRS, based on canonical identification of a specific form. Our signature consists of a polynomial (represented by \(n - t + 1\) coefficients) and a single response, resulting in significantly shorter threshold ring signatures. Instantiating the generic construction with specific DL-based components, e.g. Schnorr identification and a novel vector argument of knowledge developed in this paper, we obtain GTRS-EC, which is shorter than all existing threshold ring signatures without any trusted setup.
Introduction
Ring signature (Rivest et al. 2001) is designed to protect the anonymity of a signer and is widely used in blockchain applications. In a ring signature, before signing a message, a signer selects a specific group of users including himself (called a ring) and produces a signature according to the ring. The verifier can verify the resulting signature using the target message and the public keys associated with the ring, while remaining oblivious to the identity of the actual signer. Several interesting variants have been introduced, including linkable ring signature (Liu et al. 2004; Lu et al. 2019), threshold ring signature (Bresson et al. 2002), and traceable ring signature (Fujisaki and Suzuki 2007).
Threshold ring signature (Bresson et al. 2002) integrates the principles of both a threshold mechanism and a ring signature. A public verifier, given a valid signature, can confidently ascertain that t anonymous signers in the ring signed the message. Inheriting the properties of ring signatures, threshold ring signature schemes must satisfy anonymity and unforgeability. Anonymity means that any two subsets of size t within the ring R are equally likely to be the set of signers. Unforgeability ensures that fewer than t signers cannot collude to generate a valid signature.
Threshold ring signatures are applicable to multi-user systems and offer the advantage of generating signatures as long as t users are online, regardless of the status of the other, offline users. Threshold ring signatures are also well-suited for decentralized systems, smoothly handling the dynamic joining and leaving of users. Furthermore, like ring signatures, threshold ring signatures find applications in areas such as whistleblowing and privacy-preserving cryptocurrencies.
Related work
Threshold ring signatures were introduced by Bresson et al. (2002), who constructed a scheme based on RSA with a signature size of \(O(n\log n)\), where n denotes the size of the ring. Subsequent work has focused on reducing the complexity of signature sizes based on various assumptions.
Several schemes achieve signatures linear in n (Aguilar Melchor et al. 2008; Petzoldt et al. 2012; Haque and Scafuro 2020), while others offer sublinear sizes (Yuen et al. 2013; Avitabile et al. 2022; Attema et al. 2021; Haque et al. 2022), even reaching O(t) in some cases (Munch-Hansen et al. 2021). Additionally, some schemes prioritize post-quantum security (Aguilar Melchor et al. 2008; Cayrel et al. 2010; Bettaieb and Schrek 2013; Haque and Scafuro 2020). A summary of these schemes is provided in Table 1.
Avitabile et al. (2022) proposed an efficient transformation that, starting from stackable \(\varSigma\)-protocols and a corresponding threshold relation \({\mathcal {R}}_t\), yields an efficient \(\varSigma\)-protocol for \({\mathcal {R}}_t\) with communication complexity \(O(t \log n)\). From their t-out-of-n proof over threshold relations, a threshold ring signature scheme can be derived. However, Avitabile et al. (2022) do not provide a specific instantiation. The logarithmic-size threshold ring signature by Haque et al. (2022) can be instantiated from a NIWI proof system, a public key encryption scheme PKE, a verifiable random function VRF and a somewhere perfectly binding hash function SPB. However, when instantiated with discrete logarithm (DL) components, their signature is not sufficiently efficient. The constant-size construction by Munch-Hansen et al. (2021) achieves stronger anonymity guarantees than the traditional definitions. However, their concrete instantiation requires an additional trusted setup in order to generate the parameters of an accumulator. Thus, we pose a question:
“Could we propose a compact and efficient threshold ring signature?”
Our contributions
In this paper, we give an affirmative answer to the above question. Since we do not introduce any new models or security definitions for threshold ring signatures, we view our contribution as proposing both a generic construction and an efficient specific instantiation of threshold ring signatures.
Our main contribution is a generic threshold ring signature named GTRS built from a homomorphic identification. Applying the Fiat-Shamir transform, short signatures are obtained, consisting of a polynomial with \(n - t + 1\) coefficients and a single response.
In addition to the generic construction, we build a logarithmic-size threshold ring signature from DL named GTRS-EC, based on Schnorr identification, a new argument of knowledge (Vector Argument) extending Bulletproofs (Bünz et al. 2018), and the Fiat-Shamir transform. The vector argument may be of independent interest. To emphasize, GTRS-EC is compact, with \(O(\log n)\) signature size, and shorter than all existing threshold ring signatures without trusted setup.
Technical overview
We first describe the generic construction named CDS, which can be derived by applying the Fiat-Shamir heuristic to the proof framework of Cramer et al. (1994) with a Type-T Canonical Identification (also a \(\varSigma\)-protocol).
A Type-T Canonical Identification contains three functions as follows (where a user holding the key pair (pk, sk) is uniquely identified by his public key):

A: given a random number r (from \(\Omega _r\)), this function outputs a commitment a.

\(\textrm{CH}\): given a commitment a, this function outputs a challenge c.

Z: given c, r and a secret key sk, this function outputs a response z.
Subsequently, the verifier executes a function V to compute \(a'\) from c and z, and checks whether c is correct by running \(\textrm{CH}(a')\).
Overview of CDS
Let S and NS denote the set of signers and non-signers, respectively. The signing process of CDS is as follows:
1. The signer \(i\in S\) calls function A, takes a randomness \(r_i\) and outputs a commitment \(a_i\).
2. For every \(j \in NS\), the involved signers call function V with inputs \(c_j, z_j\) and obtain \(a_j\).
3. After generating \(c_0 = H(m, t, \{({pk}_i, a_i)\}_{i\in R})\), the signers have \(n - t + 1\) points \(\{(i,c_i)\}_{i \in NS\cup \{0\}}\) and generate a polynomial f by Lagrange interpolation.
4. The signer \(i\in S\) computes a challenge \(c_i = f(i)\) and a response \(z_i\) via the function Z.
5. The signature is \((c_1, \ldots , c_n, z_1,\ldots , z_n)\).
Overview of GTRS
Now, we briefly introduce our generic threshold ring signature named GTRS. \(\otimes\) and \(\oplus\) are both operations of a commutative group. We use the symbols \(\bigotimes\) and \(\bigoplus\) to represent consecutive \(\otimes\) and \(\oplus\) operations, respectively.
We first define Type-T* Canonical Identification with three requirements:

V can be decomposed into two parts \(V_1, V_2\), i.e., \(a = V(pk, c, z) = V_1(pk, c)\otimes V_2(z)\).

\(V_2\) is homomorphic, i.e., \(V_2(z_1\oplus z_2) = V_2(z_1)\otimes V_2(z_2)\).

Given sk, c, \(\exists\) a function T that outputs \(\tilde{z}\), s.t. \(V_1(pk, c) = V_2(\tilde{z})\).
Note that Guillou–Quisquater identification (Guillou and Quisquater 1990) and Schnorr identification (elaborated upon in Sect. 2.3) are both Type-T* canonical identifications.
The signing process of GTRS is as follows:
1. The signer \(i\in S\) calls function A, takes a random value \(r_i\) and outputs a commitment \(a_i\).
2. The involved signers choose random challenges \(c_j\) for every \(j \in NS\) and compute
$$\begin{aligned} E = \bigotimes _{i\in S} a_i \otimes \bigotimes _{j \in NS} V_1({pk}_j, c_j) \end{aligned}$$ 
3. After generating \(c_0 = H(m, t, \{{pk}_i\}_{i\in R}, E)\), the involved signers use Lagrange interpolation to generate a polynomial f.
4. The signer \(i\in S\) computes a challenge \(c_i = f(i)\) and a response \(z_i\) via the function Z.
5. The involved signers compute \(z = \bigoplus _{i\in S} z_i\).
6. The final signature is (z, f).
Advantages of GTRS over CDS
Our generic construction GTRS has two advantages.
First, CDS consists of n challenges and n responses, while GTRS consists of a polynomial f with \(n - t + 1\) coefficients and a single response z. This significantly reduces the signature size.
Second, in CDS each \(z_i\) is unrelated to the other \(z_j\)'s and depends only on \(a_i\) and \(c_i\), so combining all \(z_i\)'s is not trivial. Consequently, CDS cannot achieve a logarithmic-size threshold ring signature. In contrast, the instantiation of GTRS with discrete logarithm components, coupled with an argument of knowledge, achieves a logarithmic reduction in communication complexity.
DL-based instantiation of logarithmic size
In the DL setting, we use an argument of knowledge to compress the polynomial f. We introduce a novel proof system named Vector Argument. A verifier, who interacts with a prover and outputs accept, can confidently ascertain that the prover possesses a vector of scalars \((f_{1}, \ldots , f_{n-t})\). This vector satisfies \(P = \prod _{i = 1}^{n - t} g_i^{f_i}\), where \(P = E \cdot g^{z} \cdot g_0^{f_0}\) and \(g_i = \prod _{j = 1}^{n} {pk}_j^{j^i}\) for \(i \in [n - t]\). We give a practical construction of size \(O(\log n)\). Combining all these components, we obtain GTRS-EC, which is shorter than all existing threshold ring signatures without any trusted setup.
Preliminaries
This section provides an overview of pertinent notations and concepts.
Notations. We consistently employ \(\lambda\) as the security parameter throughout the paper. Let \([n] = \{1,\ldots ,n\}\) and \(\{a_i\}_{i\in [n]} = \{a_1,\ldots , a_n\}\), where \(n \in {\mathbb {N}}^{+}\). \(y \leftarrow S\) indicates that y is uniformly chosen from a set S. \(y \leftarrow f(x)\) means that a randomized function/algorithm f takes input x and outputs y. We employ the abbreviations PPT, EPT, and DPT to denote probabilistic polynomial time, expected polynomial time, and deterministic polynomial time, respectively. A function \(\mu (n): {\mathbb {N}}\rightarrow {\mathbb {R}}^{+}\) is negligible if, \(\forall\) positive polynomial \(\nu (\cdot )\), \(\exists n_0\), s.t. \(\forall n > n_0, \mu (n) < \frac{1}{\nu (n)}\).
Bold letters, such as \(\varvec{a}\), denote vectors. For two vectors \(\varvec{a} = (a_1, \ldots , a_n), \varvec{b} = (b_1, \ldots , b_n)\) and an integer c, we define \(\varvec{a}^c = (a_1^c, a_2^c, \ldots , a_n^c)\), \(\varvec{a} + c = (a_1 + c, \ldots , a_n + c)\), \(\varvec{a}^{\varvec{b}} = \prod _{i = 1}^{n} a_i^{b_i}\), and \(\varvec{a} \circ \varvec{b} = (a_1\cdot b_1,\dots , a_n\cdot b_n)\). For an integer \(d \in [n]\), we define \(\varvec{a}{[:d]} = (a_1,\ldots ,a_d)\) and \(\varvec{a}{[d:]} = (a_{d+1}, \cdots , a_n)\).
Number-theoretic assumption
Definition 1
(Discrete Logarithm (DL) Assumption) The DL assumption holds if \(\forall\) PPT adversary \({\mathcal {A}}\),
Threshold ring signature
We describe the definition and associated security properties of threshold ring signature. Let U be the sequence of all added public keys. We use R to represent the indices of the selected public keys from U and consistently enumerate \(R = \{1, 2, \ldots , n\}\). Denote by S, NS the set of signers and non-signers, respectively. A signer i holding the public-private key pair \(({pk}_i, {sk}_i)\) is uniquely identified by his/her public key.
Definition 2
(t-out-of-n threshold ring signature scheme) A t-out-of-n threshold ring signature scheme \(\textrm{TRS}\) consists of four algorithms:

\(\textrm{Setup}\). Given \(\lambda\), this PPT algorithm outputs public parameters pp (sometimes implicitly).

\(\textrm{KeyGen}\). Given the public parameters pp, this PPT algorithm outputs a public and private key pair (pk, sk).

\(\textrm{Sign}\). This interactive procedure involves the signers \(i \in S\) owning \({sk}_i\). Taking a ring R and a message m as a common input, they interact to jointly generate a signature \(\sigma\).

\(\textrm{Verify}\). Given a message m, a ring R, and a signature \(\sigma\), this DPT algorithm outputs 0/1.
A secure threshold ring signature scheme has three fundamental security requirements: correctness, unforgeability and anonymity. We use experiments (shown in Fig. 1) to describe the interaction with an adversary, where all oracles (specified in Fig. 2) can access an initially empty keyed dictionary \(D_{key}[\cdot ]\) and two initially empty sets \(Q_{corr}, Q_{sign}\). \(D_{key}[i]\) denotes the key pair of user i. \(Q_{corr}\) and \(Q_{sign}\) consist of all corrupted users and all signing queries, respectively.
Definition 3
(Correctness) \(\textrm{TRS}\) has correctness if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.,
Definition 4
(Unforgeability) \(\textrm{TRS}\) is unforgeable if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.,
Definition 5
(Anonymity) \(\textrm{TRS}\) has anonymity if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.
Type-T/Type-T* canonical identification
In Fig. 3, we give a formal definition of a Type-T canonical identification, which is a special authentication protocol that must satisfy the following security requirement: SIKOA (special impersonation under key only attack) (Yuen et al. 2021).
Definition 6
(SIKOA) \(\textrm{TCID}\) is secure against SIKOA if, \(\forall pk\), \(\forall\) PPT \({\mathcal {A}}\),
On this basis, a Type-T* Canonical Identification must additionally satisfy the following requirements:

V can be decomposed into two parts \(V_1, V_2\), i.e., \(V(pk, c, z) = V_1(pk, c)\otimes V_2(z)\).

\(\exists\) a function T inputs sk, c and outputs \(\tilde{z}\), s.t. \(V_1(pk, c) = V_2(\tilde{z})\).

\(V_2\) is a homomorphic function, meaning that \(V_2(z_1\oplus z_2) = V_2(z_1)\otimes V_2(z_2)\).
Schnorr identification
Next, we briefly review the Schnorr identification. The \(\textrm{Setup}\) algorithm outputs \(pp = (g, p, {\mathbb {G}})\) and the \(\textrm{KeyGen}\) algorithm outputs \((pk = g^{sk},sk)\). Here, p is a prime, \({\mathbb {G}}\) is a group with order p, and g is a generator of \({\mathbb {G}}\). The functions used in \(\textrm{Commit}\), \(\textrm{Response}\) and \(\textrm{Verify}\) are defined as:
Obviously, \(V_2\) is homomorphic.
Let \(T(sk,c) = sk \cdot c = \tilde{z}\), then we have \(V_1(pk,c) = V_2(\tilde{z})\). Furthermore, Schnorr identification is secure against SIKOA (Yuen et al. 2021). In summary, Schnorr identification constitutes a secure TypeT* canonical identification.
Arguments of knowledge
Consider a binary relation \({\mathcal {R}}\) that specifies a language in \(\textrm{NP}\). For each pair \((x, u) \in {\mathcal {R}}\), we refer to x as the statement and u as the witness.
An argument of knowledge \(({\mathcal {P}}, {\mathcal {V}})\) comprises two interactive algorithms, namely \({\mathcal {P}}, {\mathcal {V}}\). We use \(\langle {\mathcal {P}}(x), {\mathcal {V}}(u) \rangle = 1/0\) to indicate whether the verifier accepts or not. We express the transcript resulting from the interaction between \({\mathcal {P}}(x)\) and \({\mathcal {V}}(u)\) as \(\textrm{tr} \leftarrow \langle {\mathcal {P}}(x), {\mathcal {V}}(u) \rangle\).
A secure argument \(({\mathcal {P}},{\mathcal {V}})\) should satisfy the two security properties defined as follows. Completeness guarantees that, when following the protocol honestly, \({\mathcal {P}}\) holding a witness u for a statement x will always convince \({\mathcal {V}}\) of the fact \((x,u) \in {\mathcal {R}}\).
Definition 7
(Completeness) \(({\mathcal {P}}, {\mathcal {V}})\) has completeness if \(\forall\) PPT adversary \({\mathcal {A}}\):
Statistical witness-extended emulation (Bootle et al. 2016) implies that an emulator Emu exists whenever an adversary outputs a valid argument with some probability. The emulator can rewind the interaction to any prior move and subsequently resume with different randomness. Finally, the emulator produces a witness u and a transcript following the same distribution as a real protocol execution.
Definition 8
(Statistical witness-extended emulation) An argument \(({\mathcal {P}}, {\mathcal {V}})\) satisfies statistical witness-extended emulation if \(\forall\) DPT \({\mathcal {P}}^*\), \(\exists\) an EPT extractor \(\textrm{Emu}\) s.t., \(\forall (x,u) \in {\mathcal {R}}\), \(\forall\) \({\mathcal {A}}\):
Generic threshold ring signature construction
We introduce a generic threshold ring signature scheme GTRS (shown in Fig. 4) based on a Type-T* canonical identification \(\textrm{T}\).
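The signing and verification steps of GTRS from the technical overview, instantiated with the Schnorr components of Sect. 2.3, as an added worked example; this is not the paper's Fig. 4 pseudocode and not code from the authors. It assumes a toy safe-prime group (q = 2039, p = 1019, g = 4; constructed, far too small for real use), SHA-256 reduced into \({\mathbb {Z}}_p\) as the hash H, and the sign convention \(z = r - c \cdot sk\), so that \(V_1(pk, c) = pk^c\), \(V_2(z) = g^z\) and \(T(sk, c) = sk \cdot c\); all function and variable names are ours:

```python
import hashlib
import secrets

# Toy group (constructed for this example, far too small to be secure):
# q = 2039 is a safe prime, p = (q - 1) / 2 = 1019 is prime, and g = 4
# generates the order-p subgroup of Z_q^*.  All scalars live in Z_p.
Q, P, G = 2039, 1019, 4

def keygen():
    """Schnorr key pair: sk uniform in Z_p^*, pk = g^sk."""
    sk = secrets.randbelow(P - 1) + 1
    return pow(G, sk, Q), sk

# Type-T* decomposition of the Schnorr verifier.  The sign convention is our
# assumption (the paper's Fig. 3 is not reproduced on the page):
#   A(r) = g^r,  Z(c, r, sk) = r - c*sk mod p,
#   V(pk, c, z) = V1(pk, c) (x) V2(z) = pk^c * g^z = g^r,
#   T(sk, c) = sk*c, so V1(pk, c) = V2(T(sk, c)), and V2 is homomorphic.
def V1(pk, c):
    return pow(pk, c, Q)

def V2(z):
    return pow(G, z, Q)

def hash_c0(m, t, pks, E):
    """c_0 = H(m, t, {pk_i}_{i in R}, E), reduced into Z_p."""
    data = m + b"|%d|" % t + b",".join(b"%d" % pk for pk in pks) + b"|%d" % E
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P

def lagrange_coeffs(points):
    """Coefficients (lowest degree first) of the unique polynomial over Z_p of
    degree <= len(points) - 1 through the given (x, y) points."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, denom = [1], 1          # prod_{k != j} (X - x_k) and prod_{k != j} (x_j - x_k)
        for k, (xk, _) in enumerate(points):
            if k == j:
                continue
            new = [0] * (len(basis) + 1)
            for i, b in enumerate(basis):   # multiply basis by (X - x_k)
                new[i] = (new[i] - xk * b) % P
                new[i + 1] = (new[i + 1] + b) % P
            basis, denom = new, denom * (xj - xk) % P
        scale = yj * pow(denom, -1, P) % P
        for i, b in enumerate(basis):
            coeffs[i] = (coeffs[i] + scale * b) % P
    return coeffs

def poly_eval(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule over Z_p
        acc = (acc * x + c) % P
    return acc

def sign(m, t, pks, sks):
    """GTRS.Sign with Schnorr components.  pks: ring public keys, ring index
    i = list position + 1.  sks: {index: sk} for the t signers (the set S)."""
    n = len(pks)
    S = sorted(sks)
    NS = [j for j in range(1, n + 1) if j not in sks]
    assert len(S) == t, "exactly t secret keys are needed"
    r = {i: secrets.randbelow(P) for i in S}          # step 1: commitments a_i = g^{r_i}
    a = {i: pow(G, r[i], Q) for i in S}
    c = {j: secrets.randbelow(P) for j in NS}         # step 2: random c_j for non-signers
    E = 1
    for i in S:
        E = E * a[i] % Q
    for j in NS:
        E = E * V1(pks[j - 1], c[j]) % Q
    c0 = hash_c0(m, t, pks, E)                        # step 3: c_0, then interpolate f
    f = lagrange_coeffs([(0, c0)] + [(j, c[j]) for j in NS])   # degree n - t
    z = 0
    for i in S:                                       # steps 4-5: z_i = r_i - f(i)*sk_i, summed
        z = (z + r[i] - poly_eval(f, i) * sks[i]) % P
    return z, f                                       # step 6: one scalar + n-t+1 coefficients

def verify(m, t, pks, sig):
    z, f = sig
    n = len(pks)
    if len(f) != n - t + 1:
        return False
    # E = V2(z) (x) prod_{i in R} V1(pk_i, f(i)); the verifier cannot tell which
    # f(i) were drawn at random and which were forced by the interpolation.
    E = V2(z)
    for i in range(1, n + 1):
        E = E * V1(pks[i - 1], poly_eval(f, i)) % Q
    return f[0] == hash_c0(m, t, pks, E)

def demo(n=5, t=2, m=b"constructed message"):
    keys = [keygen() for _ in range(n)]
    pks = [pk for pk, _ in keys]
    signers = {1: keys[0][1], 3: keys[2][1]}          # S = {1, 3}, NS = {2, 4, 5}
    sig = sign(m, t, pks, signers)
    accepted = verify(m, t, pks, sig)
    wrong_threshold = verify(m, t + 1, pks, sig)      # f has the wrong degree for t + 1
    return accepted, wrong_threshold, len(sig[1])     # -> (True, False, 4)
```

`demo()` returns `(True, False, 4)`: the signature verifies, a verifier asked to check it against threshold t + 1 rejects it because f then has the wrong number of coefficients, and f carries exactly n - t + 1 = 4 coefficients for n = 5, t = 2. The verifier only ever sees z and f: the t values f(i) at signer positions are forced by the interpolated polynomial while the n - t values at non-signer positions were drawn uniformly at random, and since f is a uniformly random polynomial of degree n - t subject to f(0) = c_0 either way, the signature reveals nothing about which subset signed.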
GTRS has three security properties: correctness, unforgeability and anonymity. Correctness of GTRS is straightforward. Let \(q_k\), \(q_c\), \(q_s\), and \(q_h\) be the number of queries to \(\textrm{OK}\), \(\textrm{OC}\), \(\textrm{OS}\), and H, respectively.
Theorem 1
GTRS has unforgeability if \(\textrm{T}\) is secure against SIKOA, H is simulated as a random oracle, and \(2q_s(q_h+q_s-1) < p\).
Proof
Let \({\mathcal {A}}\) be a PPT adversary against the unforgeability of GTRS. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the SIKOA of \(\textrm{T}\).

Setup. Given \(pp, {pk}^*\), \({\mathcal {B}}\) forwards pp to \({\mathcal {A}}\) and randomly selects \(i^* \in [1,q_k]\).

Oracle Simulation. When \({\mathcal {A}}\) queries these oracles, \({\mathcal {B}}\) responds as follows:

\(\textrm{OK}(i)\): \({\mathcal {B}}\) returns \(\bot\) if \(D_{key}[i] \ne \bot\). If \(i \ne i^*\), \({\mathcal {B}}\) runs \(({pk}_i, {sk}_i)\leftarrow \mathrm {GTRS.KeyGen}()\); otherwise, \({\mathcal {B}}\) sets \(({pk}_i, {sk}_i) = ({pk}^*, \bot )\). \({\mathcal {B}}\) sets \(D_{key}[i] = ({pk}_i, {sk}_i)\) and returns \({pk}_i\).

\(\textrm{OC}(i)\): \({\mathcal {B}}\) declares failure if \(i = i^*\). \({\mathcal {B}}\) returns \(\bot\) if \(D_{key}[i] = \bot\). \({\mathcal {B}}\) adds i to \(Q_{corr}\) and returns \({sk}_i\).

\(\textrm{OS}(m, R, S)\): If \(\exists j \in R\) with \(D_{key}[j] = \bot\), \({\mathcal {B}}\) returns \(\bot\). If \(i^* \notin S\), \({\mathcal {B}}\) returns \(\sigma \leftarrow \mathrm {GTRS.Sign}(m, \{{pk}_i\}_{i \in R}, \{{sk}_j\}_{j \in S})\). Otherwise, \({\mathcal {B}}\) randomly chooses a polynomial f of degree \(n - t\) and a response z according to the output distribution of Z. \({\mathcal {B}}\) computes \(E = V_2(z) \otimes \bigotimes _{i\in R} V_1({pk}_i, f(i))\). \({\mathcal {B}}\) sets \(H(m, t, R, E) = f(0)\) and declares failure if the value has already been set. \({\mathcal {B}}\) adds (m, R) to \(Q_{sign}\) and returns \(\sigma = (z,f)\).


Challenge. \({\mathcal {A}}\) outputs \((m^*, R^*, \sigma ^*)\). \({\mathcal {B}}\) declares failure if \(i^* \not \in R^*\). \({\mathcal {B}}\) rewinds to the move where the tuple \((m^*, t, R^*, E^*)\) is asked to H and returns another \(c'\). Here, \(E^*\) is computed in the \(\mathrm {GTRS.Verify}\) algorithm. \({\mathcal {A}}\) produces another signature \(\sigma '=(z', f')\). If \(f^*(i^*) = f'(i^*)\), \({\mathcal {B}}\) declares failure.
Let \(\tilde{z}^*=z^* \oplus \bigoplus _{i\in R^*\backslash \{i^*\}} T({sk}_i,f^*(i))\) and then we have:
$$\begin{aligned} E^*&= \bigotimes _{i \in R^*} V_1({pk}_i,f^*(i)) \otimes V_2(z^*) \\&= V_1({pk}_{i^*}^*,f^*(i^*)) \otimes V_2(\tilde{z}^*) \end{aligned}$$Similarly we have:
$$\begin{aligned} E^* = V_1({pk}^*,f'(i^*)) \otimes V_2(\tilde{z}') \end{aligned}$$\({\mathcal {B}}\) returns \((f^*(i^*), \tilde{z}^*, f'(i^*), \tilde{z}')\) to its challenger, which can break the SIKOA.

Probability Analysis. Let’s analyze the success probability (i.e., the probability of not declaring failure) of our algorithm \({\mathcal {B}}\).
For queries to \(\textrm{OC}\), the success probability for the first query is \(\frac{q_k - 1}{q_k}\). After \(q_c\) queries, the success probability is not less than
$$\begin{aligned} \frac{q_k - 1}{q_k} \cdot \frac{q_k - 2}{q_k - 1} \cdots \frac{q_k - q_c}{q_k - q_c + 1} = \frac{q_k - q_c}{q_k} \end{aligned}$$
For queries to \(\textrm{OS}\), the success probability for the first query is at least \(1 - \frac{q_h}{p}\). After \(q_s\) queries, the success probability is not less than
$$\begin{aligned} &(1 - \frac{q_h}{p}) \cdots (1 - \frac{q_s + q_h - 1}{p}) \\&\quad \ge (1 - \frac{q_s + q_h - 1}{p})^{q_s} \\&\quad \ge 1 - \frac{q_s(q_s + q_h - 1)}{p} \\&\quad \ge 1/2 \end{aligned}$$
The probability of \(i^* \in R^*\) is
$$\begin{aligned}&1 - (1 - \frac{1}{q_k - q_c}) \cdots (1 - \frac{1}{q_k - q_c - (n - t)}) \\&\quad = \frac{n - t + 1}{q_k - q_c} \end{aligned}$$
Let \(\varepsilon\) be the probability of \({\mathcal {A}}\) producing a forgery. Then the success probability of \({\mathcal {B}}\) before rewinding is not less than:
$$\begin{aligned} \varepsilon ' \ge \frac{\varepsilon (n - t + 1)}{2 q_k} \end{aligned}$$
The success probability of rewinding is not less than \(\varepsilon ' / 8\) (Bellare and Neven 2006), and the probability of \(f^*(i^*) \ne f'(i^*)\) is not less than t/n.
Consequently, the probability of \({\mathcal {B}}\) breaking the SIKOA of \(\textrm{T}\) is
$$\begin{aligned} \varepsilon '' \ge \frac{\varepsilon \cdot t \cdot (n - t + 1)}{16 n \cdot q_k} \end{aligned}$$
\(\square\)
Theorem 2
GTRS has anonymity if \(2q_s(q_h+q_s-1) < p\) and H is a random oracle.
Proof
We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of simulating all oracles for a PPT adversary \({\mathcal {A}}\) challenging the anonymity of GTRS.
Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on \(pp \leftarrow \mathrm {GTRS.Setup}(\lambda )\).
Oracle Simulation. When \({\mathcal {A}}\) queries these oracles, \({\mathcal {B}}\) responds as follows:

\(\textrm{OK}(i)\): If \(D_{key}[i] \ne \bot\), \({\mathcal {B}}\) returns \(\bot\). \({\mathcal {B}}\) runs \(({pk}_i,{sk}_i)\leftarrow \textrm{GTRS}.\textrm{KeyGen}()\), sets \(D_{key}[i] = ({pk}_i, {sk}_i)\), and returns \({pk}_i\).

\(\textrm{OC}(i)\): If \(D_{key}[i] = \bot\), \({\mathcal {B}}\) returns \(\bot\). \({\mathcal {B}}\) adds i to \(Q_{corr}\) and returns \({sk}_i\).

\(\textrm{OS}(m, R, S)\): If \(\forall i \in R, D_{key}[i] \ne \bot\), \({\mathcal {B}}\) runs \(\sigma \leftarrow \mathrm {GTRS.Sign}(m, t, \{{pk}_i\}_{i \in R}, \{{sk}_j\}_{j \in S})\) and returns \(\sigma\).
Challenge. \({\mathcal {B}}\) receives a message \(m^*\), a ring \(R^*\) and two uncorrupted signing sets \(S^*_0, S^*_1 \subset R^*\). \({\mathcal {B}}\) randomly chooses an \((n - t)\)-degree polynomial \(f^*\) and a random response \(z^*\). \({\mathcal {B}}\) computes \(E^* = V_2(z^*) \otimes \bigotimes _{i\in R^*} V_1({pk}_i, f^*(i))\) and sets \(H(m^*, t, R^*, E^*) = f^*(0)\). \({\mathcal {B}}\) declares failure if this value has already been queried. \({\mathcal {B}}\) randomly picks \(b\in \{0,1\}\) and returns \((z^*,f^*)\).
Output. \({\mathcal {A}}\) returns \(b'\).
Probability Analysis. \({\mathcal {A}}\) can only succeed with probability 1/2, as b is not used in the generation of \(\sigma ^*\). \({\mathcal {B}}\) declares failure only when \((m^*, t, R^*, E^*)\) already appeared among the queries to H, and this probability is negligible. This completes the proof. \(\square\)
Our logarithmic-size threshold ring signature
Instantiating our generic construction with specific DL-based components, e.g. Schnorr identification and a novel vector argument developed in this section, we obtain a logarithmic-size threshold ring signature GTRS-EC.
Vector argument
The vector argument extends from the inner product argument (Bünz et al. 2018), which serves as a proof system for the relation
A verifier, who interacts with a prover and outputs accept, can confidently ascertain that the prover has \(\varvec{a}\), s.t. \(P = \varvec{g}^{\varvec{a}}\).
Our Non-interactive Vector Argument \(\textrm{NIVA}\) is shown in Fig. 5. \(\textrm{NIVA}\) contains two algorithms named \(\textrm{Proof}\) and \(\textrm{Verify}\). We achieve logarithmic complexity by employing a recursive algorithm named \(\textrm{Recursion}\).
Theorem 3
The Non-interactive Vector Argument \(\textrm{NIVA}\) has statistical witness-extended emulation if the DL assumption holds.
We give a security proof in the “Appendix 1”.
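A logarithmic-size argument that the prover knows \(\varvec{a}\) with \(P = \varvec{g}^{\varvec{a}}\), as an added example. It uses the halving-and-folding technique of the Bulletproofs inner product argument (Bünz et al. 2018), made non-interactive with Fiat-Shamir; it is our own illustration and not the paper's NIVA of Fig. 5, whose exact messages are not reproduced on this page. It assumes a toy safe-prime group (q = 2039, p = 1019, g = 4; constructed, insecure size), a vector length that is a power of two, and it derives the generators \(g_i = \prod_j {pk}_j^{j^i}\) from a constructed ring of public keys so that the committed vector is the coefficient tail \((f_1, \ldots , f_{n-t})\) of a GTRS polynomial; function names are ours:

```python
import hashlib
import secrets

# Toy group (constructed; not a secure size): q = 2039 is a safe prime,
# p = 1019 = (q - 1) / 2 is the subgroup order, g = 4 generates that subgroup.
Q, P, G = 2039, 1019, 4

def challenge(transcript):
    """Fiat-Shamir challenge in Z_p^* (non-zero, hence invertible)."""
    data = b"|".join(b"%d" % v for v in transcript)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

def multi_exp(gs, a):
    """prod_i g_i^{a_i}, the vector power g^a of the paper's notation."""
    acc = 1
    for g, ai in zip(gs, a):
        acc = acc * pow(g, ai, Q) % Q
    return acc

def fold_generators(gs, x, xi):
    """g' = g[:h]^{x^{-1}} o g[h:]^{x}, the halved generator vector."""
    h = len(gs) // 2
    return [pow(gl, xi, Q) * pow(gr, x, Q) % Q for gl, gr in zip(gs[:h], gs[h:])]

def prove(gs, a, Pc):
    """Prover knows a with Pc = prod g_i^{a_i}.  Each round publishes
    L = g[h:]^{a[:h]} and R = g[:h]^{a[h:]}, derives x from the transcript
    and folds a' = a[:h]*x + a[h:]*x^{-1}, halving the witness."""
    gs, a, transcript, lr = list(gs), list(a), [Pc], []
    assert len(gs) == len(a) and (len(a) & (len(a) - 1)) == 0, "length must be a power of two"
    while len(a) > 1:
        h = len(a) // 2
        L, R = multi_exp(gs[h:], a[:h]), multi_exp(gs[:h], a[h:])
        lr.append((L, R))
        transcript += [L, R]
        x = challenge(transcript)
        xi = pow(x, -1, P)
        gs = fold_generators(gs, x, xi)
        a = [(al * x + ar * xi) % P for al, ar in zip(a[:h], a[h:])]
    return lr, a[0]            # 2 * log2(len(a)) group elements plus one scalar

def verify(gs, Pc, proof):
    """Replays the folding on the commitment, P' = L^{x^2} * P * R^{x^{-2}},
    and checks the final single-generator opening g'^{a'} = P'."""
    lr, a_final = proof
    gs, transcript = list(gs), [Pc]
    for L, R in lr:
        transcript += [L, R]
        x = challenge(transcript)
        xi = pow(x, -1, P)
        Pc = pow(L, x * x % P, Q) * Pc % Q * pow(R, xi * xi % P, Q) % Q
        gs = fold_generators(gs, x, xi)
    return len(gs) == 1 and pow(gs[0], a_final, Q) == Pc

def ring_basis(pks, m):
    """g_i = prod_{j=1}^{n} pk_j^{j^i} for i = 1..m: the generators against
    which the coefficient tail (f_1, ..., f_{n-t}) is committed."""
    n = len(pks)
    return [multi_exp(pks, [pow(j, i, P) for j in range(1, n + 1)]) for i in range(1, m + 1)]

def demo(n=6, t=2):
    m = n - t                                                   # 4, a power of two
    pks = [pow(G, secrets.randbelow(P - 1) + 1, Q) for _ in range(n)]   # constructed ring
    f_tail = [secrets.randbelow(P) for _ in range(m)]           # (f_1, ..., f_{n-t})
    gs = ring_basis(pks, m)
    Pc = multi_exp(gs, f_tail)
    proof = prove(gs, f_tail, Pc)
    accepted = verify(gs, Pc, proof)
    truncated = verify(gs, Pc, (proof[0][:-1], proof[1]))     # one round dropped: rejected
    return accepted, truncated, len(proof[0])                  # -> (True, False, 2)
```

Each round sends two group elements (L, R) and halves both the generator vector and the witness, so a vector of length m is opened with 2·log2(m) group elements plus one scalar; for n = 6, t = 2 the proof has two rounds, and a proof with a round removed fails the final single-generator check. The folding is sound for this commitment only if the discrete logarithms between the generators are unknown, which is why the paper ties the \(g_i\) to the ring's public keys. With the Schnorr convention \(V_1(pk, c) = pk^c\) and \(V_2(z) = g^z\), the verifier's \(E\) equals \(g^z \prod_i {pk}_i^{f(i)} = g^z \prod_{i=0}^{n-t} g_i^{f_i}\), so the commitment to the tail is \(E \cdot g^{-z} \cdot g_0^{-f_0}\); the paper's \(P = E \cdot g^{z} \cdot g_0^{f_0}\) corresponds to the opposite sign convention in V.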
DL-based logarithmic-size threshold ring signature
We elaborate GTRS-EC in Fig. 6; it is a combination of Schnorr identification and our vector argument \(\textrm{NIVA}\).
Theorem 4
GTRS-EC is unforgeable if GTRS is unforgeable and \(\textrm{NIVA}\) has statistical witness-extended emulation.
Proof
Suppose there is a PPT adversary \({\mathcal {A}}\) capable of breaking the unforgeability of GTRS-EC. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the unforgeability of GTRS.

Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on a public parameter pp given from the challenge of GTRS.

Oracle Simulation. When \({\mathcal {A}}\) requests a signing oracle query, \({\mathcal {B}}\) obtains \(\sigma =(z,f)\) by asking the signing oracle of GTRS. \({\mathcal {B}}\) computes E by running \(\mathrm {GTRS.Verify}\), and computes \(P, \varvec{g}, \varvec{a}\) by executing lines 4–9 of \(\mathrm {GTRSEC.Sign}\). Then \({\mathcal {B}}\) runs \(\mathrm {NIVA.Proof}\) to obtain a proof \(\pi\) and returns \((z, A, \pi )\) to \({\mathcal {A}}\).
When \({\mathcal {A}}\) requests any other oracle query, \({\mathcal {B}}\) returns the answers obtained by asking the signing oracle of GTRS.

Challenge. \({\mathcal {A}}\) returns \((m^*, R^*, \sigma ^* = (z^*, E^*, \pi ^*))\). \({\mathcal {B}}\) computes \(f_0^* = H(m^*, t, \{{pk}_i\}_{i\in R^*}, E^*)\) and obtains \((f_1^*, f_2^*, \ldots , f_{n-t}^*)\) by running the extractor \(\textrm{Emu}\). \({\mathcal {B}}\) lets \(f^* = (f_0^*, f_1^*, \ldots , f_{n-t}^*)\) and \(\sigma ' = (z^*, f^*)\).

Output. \({\mathcal {B}}\) returns \((m^*, R^*, \sigma ')\) to the challenger of GTRS, which contradicts the unforgeability of GTRS.
\(\square\)
Theorem 5
GTRS-EC has anonymity if GTRS has anonymity.
Proof
Suppose there is a PPT adversary \({\mathcal {A}}\) capable of breaking the anonymity of GTRS-EC. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the anonymity of GTRS.

Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on a public parameter pp given from the challenge of GTRS.

Oracle Simulation. If \({\mathcal {A}}\) requests an oracle query, \({\mathcal {B}}\)'s responses are the same as in the proof of unforgeability.

Challenge. \({\mathcal {B}}\) receives \(m^*, R^*, S_0, S_1\) from \({\mathcal {A}}\) and forwards them to its challenger. \({\mathcal {B}}\) receives \((z^*, f^*)\) from the challenger and returns \(\sigma ^*\) (computed by lines 4–9 of GTRSEC.Sign).

Output. \({\mathcal {B}}\) is given \(b' \in \{0, 1\}\) by \({\mathcal {A}}\) and forwards it to its challenger. Observe that if \({\mathcal {A}}\) succeeds, \({\mathcal {B}}\) also succeeds.
\(\square\)
Size of GTRS-EC
We compare our instantiation for threshold t and ring size n with other logarithmic-size DL-based threshold ring signature schemes without trusted setup in Table 2. All accumulator-based threshold ring signatures with O(t) signature complexity require a trusted setup. The lattice-based logarithmic threshold ring signatures (Aguilar Melchor et al. 2008; Bettaieb and Schrek 2013; Haque and Scafuro 2020) are still at least 100 times longer than the DL-based construction. We can see that GTRS-EC is shorter than all existing threshold ring signatures without any trusted setup.
Availability of data and materials
Not applicable.
References
Aguilar Melchor C, Cayrel PL, Gaborit P (2008) A new efficient threshold ring signature scheme based on coding theory. In: Buchmann J, Ding J (eds) Post-quantum cryptography, second international workshop, PQCRYPTO 2008. Springer, pp 1–16
Aranha DF, Hall-Andersen M, Nitulescu A et al (2022) Count me in! Extendability for threshold ring signatures. In: Hanaoka G, Shikata J, Watanabe Y (eds) PKC 2022, part II, LNCS, vol 13178. Springer, pp 379–406
Attema T, Cramer R, Fehr S (2021) Compressing proofs of k-out-of-n partial knowledge. In: Malkin T, Peikert C (eds) CRYPTO 2021, part IV, LNCS, vol 12828. Springer, pp 65–91
Avitabile G, Botta V, Friolo D et al (2022) Efficient proofs of knowledge for threshold relations. In: Atluri V, Di Pietro R, Jensen CD et al (eds) ESORICS 2022, part III, LNCS, vol 13556. Springer, pp 42–62
Avitabile G, Botta V, Fiore D (2023) Extendable threshold ring signatures with enhanced anonymity. In: Boldyreva A, Kolesnikov V (eds) PKC 2023, part I, LNCS, vol 13940. Springer, pp 281–311
Bellare M, Neven G (2006) Multi-signatures in the plain public-key model and a general forking lemma. In: Juels A, Wright RN, De Capitani di Vimercati S (eds) ACM CCS 2006. ACM Press, Berlin, pp 390–399
Bettaieb S, Schrek J (2013) Improved lattice-based threshold ring signature scheme. In: Gaborit P (ed) Post-quantum cryptography—5th international workshop, PQCrypto 2013. Springer, pp 34–51
Bootle J, Cerulli A, Chaidos P et al (2016) Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin M, Coron JS (eds) EUROCRYPT 2016, part II, LNCS, vol 9666. Springer, pp 327–357
Bresson E, Stern J, Szydlo M (2002) Threshold ring signatures and applications to ad-hoc groups. In: Yung M (ed) CRYPTO 2002, LNCS, vol 2442. Springer, pp 465–480
Bünz B, Bootle J, Boneh D et al (2018) Bulletproofs: short proofs for confidential transactions and more. In: 2018 IEEE symposium on security and privacy. IEEE Computer Society Press, pp 315–334
Cayrel PL, Lindner R, Rückert M et al (2010) A lattice-based threshold ring signature scheme. In: Abdalla M, Barreto PSLM (eds) LATINCRYPT 2010, LNCS, vol 6212. Springer, pp 255–272
Cramer R, Damgård I, Schoenmakers B (1994) Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt Y (ed) CRYPTO'94, LNCS, vol 839. Springer, pp 174–187
Fujisaki E, Suzuki K (2007) Traceable ring signature. In: Okamoto T, Wang X (eds) PKC 2007, LNCS, vol 4450. Springer, pp 181–200
Guillou LC, Quisquater JJ (1990) A "paradoxical" indentity-based signature scheme resulting from zero-knowledge. In: Goldwasser S (ed) CRYPTO'88, LNCS, vol 403. Springer, pp 216–231
Haque A, Scafuro A (2020) Threshold ring signatures: new definitions and post-quantum security. In: Kiayias A, Kohlweiss M, Wallden P et al (eds) PKC 2020, part II, LNCS, vol 12111. Springer, pp 423–452
Haque A, Krenn S, Slamanig D et al (2022) Logarithmic-size (linkable) threshold ring signatures in the plain model. In: Hanaoka G, Shikata J, Watanabe Y (eds) PKC 2022, part II, LNCS, vol 13178. Springer, pp 437–467
Liu JK, Wong DS (2005) On the security models of (threshold) ring signature schemes. In: Park C, Chee S (eds) ICISC 04, LNCS, vol 3506. Springer, pp 204–217
Liu JK, Wei VK, Wong DS (2004) Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In: Wang H, Pieprzyk J, Varadharajan V (eds) ACISP 04, LNCS, vol 3108. Springer, pp 325–335
Lu X, Au MH, Zhang Z (2019) Raptor: a practical lattice-based (linkable) ring signature. In: Deng RH, Gauthier-Umaña V, Ochoa M et al (eds) ACNS 19, LNCS, vol 11464. Springer, pp 110–130
Munch-Hansen A, Orlandi C, Yakoubov S (2021) Stronger notions and a more efficient construction of threshold ring signatures. In: Longa P, Ràfols C (eds) LATINCRYPT 2021, LNCS, vol 12912. Springer, pp 363–381
Okamoto T, Tso R, Yamaguchi M et al (2018) A \(k\)-out-of-\(n\) ring signature with flexible participation for signers. Cryptology ePrint Archive, Report 2018/728
Petzoldt A, Bulygin S, Buchmann J (2012) A multivariate based threshold ring signature scheme. Cryptology ePrint Archive, Report 2012/194
Rivest RL, Shamir A, Tauman Y (2001) How to leak a secret. In: Boyd C (ed) ASIACRYPT 2001, LNCS, vol 2248. Springer, pp 552–565
Wong DS, Fung K, Liu JK et al (2003) On the RS-code construction of ring signature schemes and a threshold setting of RST. In: Qing S, Gollmann D, Zhou J (eds) ICICS 03, LNCS, vol 2836. Springer, pp 34–46
Yuen TH, Liu JK, Au MH et al (2011) Threshold ring signature without random oracles. In: Cheung BSN, Hui LCK, Sandhu RS et al (eds) ASIACCS 11. ACM Press, pp 261–267
Yuen TH, Liu JK, Au MH et al (2013) Efficient linkable and/or threshold ring signature without random oracles. Comput J 56(2):407–421
Yuen TH, Esgin MF, Liu JK et al (2021) DualRing: generic construction of ring signatures with efficient instantiations. In: Malkin T, Peikert C (eds) CRYPTO 2021, part I, LNCS, vol 12825. Springer, pp 251–281
Acknowledgements
The authors would like to thank the anonymous reviewers for their valuable comments.
Funding
This work is supported by National Natural Science Foundation of China (Nos. 62172404, 62172411, 61972094, 62202458).
Author information
Contributions
HW and YT proposed the generic threshold ring signature and the logarithmic DL-based threshold ring signature and drafted the manuscript. RZ participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Appendix 1: Security Proof for Theorem 3
First, we prove the security of the interactive version of our vector argument. Then, using the Fiat-Shamir heuristic, NIVA can be obtained.
Appendix 1.1: Forking Lemma
We provide an overview of the forking lemma (Bootle et al. 2016), which is necessary in the proof of our vector argument.
Consider a public-coin argument \(({\mathcal {P}}, {\mathcal {V}})\) with \(2k+1\) rounds and k challenges \((x_1, \ldots , x_k)\). Consider an \((n_1, \ldots , n_k)\)-tree of accepting transcripts with the following requirements.
The statement is assigned to the root of the tree.
The depth of the tree is k.
Level \(i \in [k]\) has \(n_i\) descendants labeled with distinct challenges, where \(n_i \ge 1\).
The tree has \(\prod _{i=1}^{k} n_i\) leaves, and each leaf represents an accepting transcript with distinct challenges.
Theorem 6
(Forking Lemma, Bootle et al. 2016) Let \(\text{ Emu }\) be a PPT extractor, which can extract a witness from an \((n_1, \ldots , n_k)\)-tree. For a negligible function \(\mu (\lambda )\), \(({\mathcal {P}}, {\mathcal {V}})\) has witness-extended emulation if the success probability of \(\text{ Emu }\) is \(1 - \mu (\lambda )\) and \(\prod _{i=1}^{k} n_i\) is polynomially bounded in \(\lambda\).
Appendix 1.2: Security for our interactive vector argument
Now we prove that our interactive vector argument (shown in Fig. 7) has statistical witness-extended emulation.
Proof
For witness-extended emulation, we show there exists a PPT extractor which uses \(3^{\log _2n}\) transcripts.
If \(d = \vert {g}\vert = 1\), the witness a is given to \({\mathcal {A}}\) and the relation \(P = g^a\) can be easily verified. Then, we show how to efficiently extract a witness \(\varvec{a}\) for each recursion with input \((P, \varvec{g})\). The extractor can get L, R from the prover \({\mathcal {P}}\).
After rewinding the prover 3 times, the extractor obtains vectors \(\varvec{a'}_{1}, \varvec{a'}_{2}, \varvec{a'}_{3} \in {\mathbb {Z}}_{p}^{d'}\) corresponding to different challenges \(\{x_i\}_{i\in [3]}\), s.t.
Then, we can compute \(v_1, v_2, v_3 \in {\mathbb {Z}}_p\) s.t.
Then, we compute
The extractor obtains
for relation \(P=\varvec{g}^{\varvec{a}}\). Finally, we observe that the extractor runs in EPT and uses \(3^{\log _2 d}\) transcripts in total. We can conclude that our interactive protocol has witness-extended emulation by using the Forking Lemma. \(\square\)
Appendix 1.3: Non-interactive vector argument
Applying the Fiat-Shamir transformation, our non-interactive vector argument can be obtained. \({\mathcal {P}}\) computes \(H(L_i, R_i)\) to replace \(x_i\) in each recursion. \({\mathcal {V}}\) computes \(g = \varvec{g}^{\varvec{y}}\) and checks \(\varvec{L}^{x^2}P\varvec{R}^{x^{-2}} \overset{\text {?}}{=} g^a\), where \(y_i = \prod _{j = 1}^{\log _2 d} x_j^{f(i,j)}\) and
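As an added example (not the paper's Fig. 7 or the authors' code), the following Python sketch implements the non-interactive vector argument described above: a logarithmic-round folding prover for \(P = \varvec{g}^{\varvec{a}}\) with Fiat-Shamir challenges \(x_j = H(L_j, R_j)\), and a verifier that collapses \(\varvec{g}\) to \(g = \varvec{g}^{\varvec{y}}\) and checks \(\varvec{L}^{x^2} P \varvec{R}^{x^{-2}} = g^a\). The Bulletproofs-style folding rule (\(L = \varvec{g}_R^{\varvec{a}_L}\), \(R = \varvec{g}_L^{\varvec{a}_R}\), \(\varvec{g}' = \varvec{g}_L^{x^{-1}} \circ \varvec{g}_R^{x}\)), the bit-based exponent \(f(i,j)\), and the toy safe-prime group are assumptions of this example, since the figure and the definition of \(f\) are not reproduced here.

```python
import hashlib
# Toy group, constructed for illustration only (NOT a secure parameter set):
# safe prime p = 2q + 1; quadratic residues mod p form a subgroup of prime order q.
P_MOD, Q_ORD = 1019, 509

def H(L, R):
    """Fiat-Shamir challenge x in Z_q^* from (L, R), as in the appendix; a deployed
    transcript should also bind the statement (P, g) into the hash."""
    h = hashlib.sha256(f"{L},{R}".encode()).digest()
    return int.from_bytes(h, "big") % (Q_ORD - 1) + 1   # never zero

def msm(gs, es):
    """prod_i g_i^{e_i} mod p (multi-exponentiation)."""
    acc = 1
    for g, e in zip(gs, es):
        acc = acc * pow(g, e % Q_ORD, P_MOD) % P_MOD
    return acc

def prove(gs, a):
    """Prover for P = g^a with |g| = 2^k: halve (g, a) each round (assumed folding
    rule); returns ([L_j], [R_j], final scalar)."""
    gs, a, Ls, Rs = list(gs), list(a), [], []
    while len(gs) > 1:
        h = len(gs) // 2
        gL, gR, aL, aR = gs[:h], gs[h:], a[:h], a[h:]
        L, R = msm(gR, aL), msm(gL, aR)          # cross terms sent to the verifier
        x = H(L, R); xi = pow(x, -1, Q_ORD)      # challenge and its inverse
        Ls.append(L); Rs.append(R)
        gs = [pow(l, xi, P_MOD) * pow(r, x, P_MOD) % P_MOD for l, r in zip(gL, gR)]
        a = [(x * l + xi * r) % Q_ORD for l, r in zip(aL, aR)]
    return Ls, Rs, a[0]

def verify(gs, P, proof):
    """Verifier: recompute every x_j, collapse g to g^y with y_i = prod_j x_j^{f(i,j)}
    (f(i,j) = +1 if bit k-1-j of i is set, else -1; assumed layout), then check
    prod_j L_j^{x_j^2} * P * prod_j R_j^{x_j^-2} == g^a."""
    Ls, Rs, a = proof
    d, k = len(gs), len(Ls)
    if d != 1 << k:                               # d must equal 2^k
        return False
    xs = [H(L, R) for L, R in zip(Ls, Rs)]
    ys = [1] * d
    for i in range(d):
        for j, x in enumerate(xs):
            ys[i] = ys[i] * (x if (i >> (k - 1 - j)) & 1 else pow(x, -1, Q_ORD)) % Q_ORD
    g = msm(gs, ys)
    Pp = P
    for L, R, x in zip(Ls, Rs, xs):
        Pp = pow(L, x * x, P_MOD) * Pp * pow(R, pow(x, -2, Q_ORD), P_MOD) % P_MOD
    return Pp == pow(g, a, P_MOD)
```

The proof carries \(2\log_2 d\) group elements plus one scalar, and the verifier's single multi-exponentiation over \(\varvec{y}\) replaces the prover's round-by-round folding.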
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Wang, H., Tao, Y. & Zhang, R. Threshold ring signature: generic construction and logarithmic size instantiation. Cybersecurity 7, 46 (2024). https://doi.org/10.1186/s42400-024-00233-9
DOI: https://doi.org/10.1186/s42400-024-00233-9