Threshold ring signature: generic construction and logarithmic size instantiation

A ring signature is a variant of normal digital signature and protects the privacy of a specific signer in the sense that a ring signature can be verified, but the signer’s identity can only be traced to a limited set. The concept was further enhanced to threshold setting to distribute signing ability among several signers. Since threshold ring signature was introduced, it was a hard problem whether one can have efficient constructions for it. In this paper, we introduce a new generic construction of threshold ring signature, named GTRS, based on canonical identification of a specific form. Our signature consists of a polynomial (represented by \(n - t + 1\) coefficients) and a single response, resulting in significantly shorter threshold ring signatures. Instantiating the generic construction with specific DL-based components, e.g. Schnorr identification and a novel vector argument of knowledge developed in this paper, we obtain GTRS-EC, which is shorter than all existing threshold ring signatures without any trusted setup.

Ring signature (Rivest et al. 2001) is designed to protect the anonymity of a signer, which is widely used in blockchain applications. In a ring signature, before signing a message, a signer selects a specific group of users including himself (called a ring), and produce a signature according to the ring. The verifier can verify the resulting signature using the target message and the public keys associated with the ring, and remain oblivious to the identity of the actual signer. Several interesting variants have been introduced, including linkable ring signature (Liu et al. 2004; Lu et al. 2019), threshold ring signature (Bresson et al. 2002), and traceable ring signature (Fujisaki and Suzuki 2007).

Threshold ring signature (Bresson et al. 2002) integrates the principles of both a threshold mechanism and a ring signature. A public verifier, which is given a valid signature, can confidently ascertain that t anonymous signers in the ring sign the message. Inheriting the properties of ring signatures, threshold ring signature schemes must satisfy anonymous and unforgeability. Anonymity implies that the probability of any two subsets of size t within the ring R constituting the set of signers is equal. Unforgeability ensures that fewer than t signers are incapable of colluding to generate a valid signature.

Threshold ring signatures are applicable to multi-user systems and offer the advantage of generating signatures as long as t users are online, regardless of the status of other offline users. Threshold ring signatures are also well-suited for decentralized systems, smoothly handling the dynamic joining and leaving of users. Furthermore, akin to ring signatures, threshold ring signatures find applications in areas like whistleblowing and privacy preserving cryptocurrencies.

Related work

Threshold ring signatures were introduced by Bresson et al. (2002), who constructed a scheme based on RSA with a signature size of \(O(n\log n)\), where n denotes the size of the ring. Subsequent work has focused on reducing the complexity of signature sizes based on various assumptions.

Several schemes achieve signatures linear in n (Aguilar Melchor et al. 2008; Petzoldt et al. 2012; Haque and Scafuro 2020), while others offer sub-linear sizes (Yuen et al. 2013; Avitabile et al. 2022; Attema et al. 2021; Haque et al. 2022), even reaching O(t) in some cases (Munch-Hansen et al. 2021). Additionally, some schemes prioritize post-quantum security (Aguilar Melchor et al. 2008; Cayrel et al. 2010; Bettaieb and Schrek 2013; Haque and Scafuro 2020). A summary of these schemes is provided in Table 1.

Avitabile et al. (2022) proposed an efficient transformation that, starting from stackable \(\varSigma\)-protocols and a corresponding threshold relation \({\mathcal {R}}_t\), yields an efficient \(\varSigma\)-protocol for \({\mathcal {R}}_t\) with a communication complexity of \(O(t \log n)\). From their t-out-of-n proof over threshold relations, a threshold ring signature scheme can be derived. However, Avitabile et al. (2022) does not provide a specific instantiation. The logarithmic-size threshold ring signature by Haque et al. (2022) can be instantiated from a proof system NIWI, a public key encryption PKE, a verifiable random function VRF and a somewhere perfectly binding hash function SPB. However, when instantiated with discrete logarithm (DL), their signature is not sufficiently efficient. The constant-size construction by Munch-Hansen et al. (2021) can achieve stronger anonymity guarantees than traditional definitions. However, in order to generate the parameter of an accumulator, their concrete instantiation necessitates additional trust settings. Thus, we pose a question:

“Could we propose a compact and efficient threshold ring signature?”

Our contributions

In this paper, we give an affirmative answer to the above question. Since we do not introduce any new models or security definitions to threshold ring signatures, we view our contribution as proposing both a generic and an efficient specific instantiation for threshold ring signatures.

Our main contribution is a generic threshold ring signature named GTRS from a homomorphic identification. Applying Fiat-Shamir transform, short signatures can be obtained, which consist of a polynomial with \(n - t + 1\) coefficients and a single response.

In addition to the generic construction, we build a logarithmic-size threshold ring signature from DL named GTRS-EC, based on Schnorr identification, a new argument of knowledge Vector Argument extending Bulletproofs (Bünz et al. 2018) and Fiat-Shamir transform. The vector argument may be of independent interest. To emphasize, GTRS-EC is compact with \(O(\log n)\) signature complexity and shorter than all existing threshold ring signatures without trusted setup.

Technical overview

We first describe the generic construction named CDS, which can be derived by applying the Fiat-Shamir heuristic to the proof framework used in Cramer et al. (1994) with a Type-T Canonical Identification (also a \(\varSigma\)-protocol).

A Type-T Canonical Identification contains three functions as follows (where a user holding the key-pair (pk, sk) is uniquely identified by his public key):

• A: given a random number r (from \(\Omega _r\)), this function outputs a commitment a.

• \(\textrm{CH}\): given a commitment a, this function outputs a challenge c.

• Z: given c, r and a secret key sk, this function outputs a response z.

Subsequently, the verifier executes a function V to compute \(a'\) from c and z, and checks whether c is correct by running \(\textrm{CH}(a')\).

Overview of CDS

Let S and NS denote the set of signers and non-signers, respectively. The signing process of CDS is as follows:

1. 1.

   The signer \(i\in S\) calls function A, takes a randomness \(r_i\) and outputs a commitment \(a_i\).

2. 2.

   For every \(j \in NS\), the involved signers calls function V, inputs \(c_j, z_j\) and outputs \(a_j\).

3. 3.

   After generating \(c_0 = H(m, t, \{({pk}_i, a_i)\}_{i\in R})\), the signers have \(n - t + 1\) points \(\{(i,c_i)\}_{i \in R\cup \{0\}}\) and generate a polynomial f by using Lagrange interpolation.

4. 4.

   The signer \(i\in S\) computes a challenge \(c_i = f(i)\) and a response \(z_i\) via the function Z.

5. 5.

   The signature is \((c_1, \ldots , c_n, z_1,\ldots , z_n)\).

Overview of GTRS

Now, we brief introduce our generic threshold ring signature named GTRS. \(\otimes\) and \(\oplus\) are both operations of commutative group. we use the symbol \(\bigotimes\) and \(\bigoplus\) to represent consecutive \(\otimes\) and \(\oplus\) operations, respectively:

We first define Type-T* Canonical Identification with three requirements:

• V can be decomposed into two parts \(V_1, V_2\), i.e., \(a = V(pk, c, z) = V_1(pk, c)\otimes V_2(z)\).

• \(V_2\) is homomorphic, i.e., \(V_2(z_1\oplus z_2) = V_2(z_1)\otimes V_2(z_2)\).

• Given sk, c, \(\exists\) a function T that outputs \(\tilde{z}\), s.t. \(V_1(pk, c) = V_2(\tilde{z})\).

Note that Guillou–Quisquater identification (Guillou and Quisquater 1990) and Schnorr identification (elaborated upon in Sect. 2.3) are both Type-T* canonical identification.

The signing process of GTRS is as follows:

1. 1.

   The signer \(i\in S\) calls function A, takes a random value \(r_i\) and outputs a commitment \(a_i\).

2. 2.

   The involved signers choose random challenges \(c_j\) for every \(j \in NS\) and compute

   $$\begin{aligned} E = \bigotimes _{i\in S} a_i \otimes \bigotimes _{j \in NS} V_1({pk}_j, c_j) \end{aligned}$$
3. 3.

   After generating \(c_0 = H(m, t, \{{pk}_i\}_{i\in R}, E)\), the involved signers use lagrange interpolation to generate a polynomial f.

4. 4.

   The signer \(i\in S\) computes a challenge \(c_i = f(i)\) and a response \(z_i\) via the function Z.

5. 5.

   The involved signers compute \(z = \bigoplus _{i\in S} z_i\).

6. 6.

   The final signature is (z, f).

Advantages of GTRS over CDS

Our generic construction GTRS has two advantages.

First, CDS consists of n challenges and n responses while GTRS consists of a polynomial f with \(n - t + 1\) coefficients and a response z. This can significantly save signature size.

Second, in CDS, each \(z_i\) is not related to other \(z_j\)’s, only to \(a_i\) and \(c_i\), hence combining all \(z_i\)’s is not trivial. Consequently, CDS can not achieve a logarithmic-size threshold ring signature. Contrarily, the instantiation of GTRS with discrete logarithm components, coupled with an argument of knowledge, achieves a logarithmic reduction in communication complexity.

DL-based instantiation of logarithmic size

In the DL setting, we use an argument of knowledge to compress the polynomial f. We introduce a novel proof system named Vector Argument. A verifier, who interacts with a prover and outputs accept, can confidently ascertain that the prover possesses a vector of scalars \((f_{1}, \ldots , f_{n-t})\). This vector satisfies \(P = \prod _{i = 1}^{n - t} g_i^{f_i}\), where \(P = E \cdot g^{-z} \cdot g_0^{-f_0}\) and \(g_i = \prod _{j = 1}^{n} {pk}_j^{j^i}\) for \(i \in [n - t]\). We give a practical construction with size \(O(\log n)\). Combining all these components, we achieve GTRS-EC, which is shorter than all existing threshold ring signatures without any trusted setup.

This section provides an overview of pertinent notations and concepts.

Notations. We consistently employ \(\lambda\) as the security parameter throughout the paper. Let \([n] = \{1,\ldots ,n\}\) and \(\{a_i\}_{i\in [n]} = \{a_1,\ldots , a_n\}\), where \(n \in {\mathbb {N}}^{+}\). \(y \leftarrow S\) indicates that y is uniformly chosen from a set S. \(y \leftarrow f(x)\) means a randomized function/algorithm f inputs x and output y. We employ the abbreviations PPT, EPT, and DPT to denote probability polynomial time, expected polynomial time, and deterministic polynomial time, respectively. A function \(\mu (n): {\mathbb {N}}\rightarrow {\mathbb {R}}^{+}\) is negligible if, \(\forall\) positive polynomial \(\nu ()\), \(\exists n_0\), s.t. \(\forall n > n_0, \mu (n) < \frac{1}{\nu (n)}\).

Bold letters, such as \(\varvec{a}\), denote vectors. For two vectors \(\varvec{a} = (a_1, \ldots , a_n), \varvec{b} = (b_1, \ldots , b_n)\) and a integer c, we define \(\varvec{a}^c = (a_1^c, a_2^c, \ldots , a_n^c)\), \(\varvec{a} + c = (a_1 + c, \ldots , a_n + c)\), \(\varvec{a}^{\varvec{b}} = \prod _{i = 1}^{n} a_i^{b_i}\), and \(\varvec{a} \circ \varvec{b} = (a_1\cdot b_1,\dots , a_n\cdot b_n)\). For a integer \(d \in [n]\), we define \(\varvec{a}{[:d]} = (a_1,\ldots ,a_d)\) and \(\varvec{a}{[d:]} = (a_{d+1}, \cdots , a_n)\).

Number-theoretic assumption

Definition 1

(Discrete Logarithm (DL) Assumption) The DL assumption holds if \(\forall\) PPT adversary \({\mathcal {A}}\),

Threshold ring signature

We describe the definition and associated security properties of threshold ring signature. Let U be the sequence of all added public keys. We use R to represent the indices of selected public keys from U and consistently enumerate \(R = \{1, 2, \ldots , n\}\). Denote S, NS as the set of signers and non-signers, respectively. A signer i holding the public-private key pair \(({pk}_i, {sk}_i)\) is uniquely identified by his/her public key.

Definition 2

(t-out-of-n threshold ring signature scheme) A t-out-of-n threshold ring signature scheme \(\textrm{TRS}\) is four algorithms where:

• \(\textrm{Setup}\). Given \(\lambda\), this PPT algorithm outputs public parameters pp (sometimes implicitly).

• \(\textrm{KeyGen}\). Given the public parameters pp, this PPT algorithm outputs a public and private key pair (pk, sk).

• \(\textrm{Sign}\). This interactive procedure involves the signers \(i \in S\) owning \({sk}_i\). Taking a ring R and a message m as a common input, they interact to jointly generate a signature \(\sigma\).

• \(\textrm{Verify}\). Given a message m, a ring R, and a signature \(\sigma\), this DPT algorithm outputs 0/1.

A secure threshold ring signature scheme has three fundamental security requirements: correctness, unforgeability and anonymity. We use experiments (which is shown in Fig. 1) to describe the interaction with an adversary, where all oracles (specified in Fig. 2) can access an initially empty keyed dictionary \(D_{key}[\cdot ]\) and two initially empty sets \(Q_{corr}, Q_{sign}\). \(D_{key}[i]\) denote the key-pair of the user i. \(Q_{corr}\) and \(Q_{sign}\) consists of all corrupted users and all signing queries, respectively.

Experiments used to define correctness, unforgeability and anonymity of \(\textrm{TRS}\)

Full size image

Oracles given to the adversary in the experiments of Fig. 1. All oracles can access an initially empty keyed dictionary \(D_{key}[\cdot ]\) and two initially empty sets \(Q_{corr}, Q_{sign}\)

Full size image

Definition 3

(Correctness) \(\textrm{TRS}\) has correctness if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.,

Definition 4

(Unforgeability) \(\textrm{TRS}\) is unforgeable if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.,

Definition 5

(Anonymity) \(\textrm{TRS}\) has anonymity if, \(\forall\) PPT \({\mathcal {A}}\), \(\exists\) a negligible function \(\mu\), s.t.

Type-T/Type-T* canonical identification

In Fig. 3, we give a formal definition of a Type-T canonical identification, which is a special authentication protocol and is necessary to satisfy the security requirement: SI-KOA (special impersonation under key only attack) (Yuen et al. 2021).

A Type-T Canonical Identification \(\textrm{TCID}\)

Full size image

Definition 6

(SI-KOA) \(\textrm{TCID}\) is secure against SI-KOA if, \(\forall pk\), \(\forall\) PPT \({\mathcal {A}}\),

On this basis, a Type-T* Canonical identification must additionally satisfy the following forms:

• V can be decomposed into two parts \(V_1, V_2\), i.e., \(V(pk, c, z) = V_1(pk, c)\otimes V_2(z)\).

• \(\exists\) a function T inputs sk, c and outputs \(\tilde{z}\), s.t. \(V_1(pk, c) = V_2(\tilde{z})\).

• \(V_2\) is a homomorphic function, meaning that \(V_2(z_1\oplus z_2) = V_2(z_1)\otimes V_2(z_2)\).

Schnorr identification

Next, we briefly review the Schnorr identification. The \(\textrm{Setup}\) algorithm outputs \(pp = (g, p, {\mathbb {G}})\) and the \(\textrm{KeyGen}\) algorithm outputs \((pk = g^{sk},sk)\). Here, p is a prime, \({\mathbb {G}}\) is a group with order p, and g is a generator of \({\mathbb {G}}\). The functions used in \(\textrm{Commit}\), \(\textrm{Response}\) and \(\textrm{Verify}\) are defined as:

Obviously, \(V_2\) is homomorphic.

Let \(T(sk,c) = sk \cdot c = \tilde{z}\), then we have \(V_1(pk,c) = V_2(\tilde{z})\). Furthermore, Schnorr identification is secure against SI-KOA (Yuen et al. 2021). In summary, Schnorr identification constitutes a secure Type-T* canonical identification.

Arguments of knowledge

Consider a binary relation \({\mathcal {R}}\) that specifies a language in \(\textrm{NP}\). For each pair \((x, u) \in {\mathcal {R}}\), we refer to x as the statement and u as the witness.

An argument of knowledge \(({\mathcal {P}}, {\mathcal {V}})\) comprises two interactive algorithms, namely \({\mathcal {P}}, {\mathcal {V}}\). We use \(\langle {\mathcal {P}}(x), {\mathcal {V}}(u) \rangle = 1/0\) to indicate whether the verifier accepts or not. We express the transcript resulting from the interaction between \({\mathcal {P}}(x)\) and \({\mathcal {V}}(u)\) as \(\textrm{tr} \leftarrow \langle {\mathcal {P}}(x), {\mathcal {V}}(u) \rangle\).

An secure argument \(({\mathcal {P}},{\mathcal {V}})\) should satisfy two security properties defined as follows. Completeness guarantees that following the protocol honestly, \({\mathcal {P}}\) with a witness u for a statement x will always convince \({\mathcal {V}}\) of the fact \((x,w) \in {\mathcal {R}}\).

Definition 7

(Completeness) \(({\mathcal {P}}, {\mathcal {V}})\) has completeness if \(\forall\) PPT adversary \({\mathcal {A}}\):

Statistical witness-extended emulation (Bootle et al. 2016) implies that an emulator Emu exists if an adversary outputs a valid argument with some probability. The emulator can rewind the interaction to any prior move and subsequently resuming with different randomness. Finally, the emulator produces a witness w and a transcript following the same distribution with a real protocol execution.

Definition 8

(Statistical witness-extended emulation) An argument \(({\mathcal {P}}, {\mathcal {V}})\) satisfies statistical witness-extended emulation if \(\forall\) DPT \({\mathcal {P}}^*\), \(\exists\) an EPT extractor \(\textrm{Emu}\) s.t., \(\forall (x,u) \in {\mathcal {R}}\), \(\forall\) \({\mathcal {A}}\):

GTRS: Generic threshold ring signature based on a Type-T* canonical identification \(\textrm{T}\)

Full size image

We introduce a generic threshold ring signature scheme GTRS (which is shown in Fig. 4) based on a Type-T* canonical identification \(\textrm{T}\).

GTRS has three security properties: correctness, unforgeability and anonymity. Correctness of GTRS is straightforward. Let \(q_k\), \(q_c\), \(q_s\), and \(q_h\) be the number of queries to \(\textrm{OK}\), \(\textrm{OC}\), \(\textrm{OS}\), and H, respectively.

Theorem 1

GTRS has unforgeability if \(\textrm{T}\) is secure against SI-KOA, H is simulated as a random oracle, and \(2q_s(q_h+q_s-1) < p\).

Proof

\({\mathcal {A}}\) is a PPT adversary against the unforgeability of GTRS. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the SI-KOA of \(\textrm{T}\).

• 
  

  Setup. Given \(pp, {pk}^*\), \({\mathcal {B}}\) forwards pp to \({\mathcal {A}}\) and randomly selects \(i^* \in [1,q_k]\).

• Oracle Simulation. When \({\mathcal {A}}\) queries these oracles, \({\mathcal {B}}\) responses as follows:

  • \(\textrm{OK}(i)\): \({\mathcal {B}}\) returns \(\bot\) if \(D_{key}[i] \ne \bot\). If \(i \ne i^*\), \({\mathcal {B}}\) runs \(({pk}_i, {sk}_i)\leftarrow \mathrm {GTRS.KeyGen}()\); otherwise, \({\mathcal {B}}\) sets \(({pk}_i, {sk}_i) = ({pk}^*, \bot )\). \({\mathcal {B}}\) sets \(D_{key}[i] = ({pk}_i, {sk}_i)\) and returns \({pk}_i\).

  • \(\textrm{OC}(i)\): \({\mathcal {B}}\) declares failure if \(i = i^*\). \({\mathcal {B}}\) returns \(\bot\) if \(D_{key}[i] = \bot\). \({\mathcal {B}}\) adds i to \(Q_{corr}\) and returns \({sk}_i\).

  • \(\textrm{OS}(m, R, S)\): If \(\exists j \in R\), \(D_{key}[j] = \bot\), \({\mathcal {B}}\) returns \(\bot\). If \(i^* \notin S\), \({\mathcal {B}}\) returns \(\sigma \leftarrow \mathrm {GTRS.Sign}(m, \{{pk}_i\}_{i \in R}, \{{sk}_j\}_{j \in S})\). Otherwise, \({\mathcal {B}}\) randomly chooses a polynomial f of degree \(n - t\) and a response z based on the output distribution of Z. \({\mathcal {B}}\) computes \(E = V_2(z) \otimes \bigotimes _{i\in R} V_1({pk}_i, f(i))\). \({\mathcal {B}}\) sets \(H(m, t, R, E) = f(0)\) and declares failure if the value has already been set. \({\mathcal {B}}\) adds (m, R) to \(Q_{sign}\) and returns \(\sigma = (z,f)\).

• Challenge. \({\mathcal {A}}\) outputs \((m^*, R^*, \sigma ^*)\). \({\mathcal {B}}\) declares failure if \(i^* \not \in R^*\). \({\mathcal {B}}\) rewinds to the move where the tuple \((m^*, t, R^*, E^*)\) is asked to H and returns another \(c'\). Here, \(E^*\) is computed in the \(\mathrm {GTRS.Verify}\) algorithm. \({\mathcal {A}}\) produces another signature \(\sigma '=(z', f')\). If \(f^*(i^*) = f'(i^*)\), \({\mathcal {B}}\) declares failure.

  Let \(\tilde{z}^*=z^* \oplus \bigoplus _{i\in R^*\backslash \{i^*\}} T({sk}_i,f^*(i))\) and then we have:

  $$\begin{aligned} E^*&= \bigotimes _{i \in R^*} V_1({pk}_i,f^*(i)) \otimes V_2(z^*) \\&= V_1({pk}_{i^*}^*,f^*(i^*)) \otimes V_2(\tilde{z}^*) \end{aligned}$$

  Similarly we have:

  $$\begin{aligned} E^* = V_1({pk}^*,f'(i^*)) \otimes V_2(\tilde{z}') \end{aligned}$$

  \({\mathcal {B}}\) returns \((f^*(i^*), \tilde{z}^*, f'(i^*), \tilde{z}')\) to its challenger, which can break the SI-KOA.

• Probability Analysis. Let’s analyze the success probability (i.e., the probability of not declaring failure) of our algorithm \({\mathcal {B}}\).

  For queries to \(\textrm{OC}\), the success probability for the first query is \(\frac{q_k - 1}{q_k}\). After \(q_c\) queries, the success probability is not less than

  $$\begin{aligned} \frac{q_k - 1}{q_k} \cdot \frac{q_k}{q_k + 1} \cdots \frac{q_k - q_c}{q_k - q_c + 1} = \frac{q_k - q_c}{q_k} \end{aligned}$$

  For queries to \(\textrm{OS}\), the success probability for the first query is at least \((1 - \frac{q_h}{p})\). After \(q_s\) queries, the success probability is not less than

  $$\begin{aligned} &(1-\frac{q_h}{p})\cdots (1-\frac{q_s + q_h-1}{p}) \\&\quad \ge (1-\frac{q_s + q_h-1}{p})^{q_s} \\&\quad \ge 1-\frac{q_s(q_s + q_h-1)}{p} \\&\quad \ge 1/2 \end{aligned}$$

  The probability of \(i^* \in R^*\) is

  $$\begin{aligned}&1 - (1 - \frac{1}{{q_k} - {q_c}}) \,{\cdots }\,(1 - \frac{1}{{q_k} - {q_c} - (n - t)})\\&\quad = \frac{n - t + 1}{{q_k} - {q_c}} \end{aligned}$$

  Let \(\varepsilon\) be he probability of \({\mathcal {A}}\) producing a forgery. Then the success probability of \({\mathcal {B}}\) before rewinding is not less than:

  $$\begin{aligned} \varepsilon ' \ge \frac{\varepsilon (n-t+1)}{2q_k} \end{aligned}$$

  The success probability of rewinding is not less than \(\varepsilon ' / 8\) (Bellare and Neven 2006) and the probability of \(f^*(i^*) \ne f'(i^*)\) is not less than t/n.

  Consequently, the probability of \({\mathcal {B}}\) breaking the SI-KOA of \(\textrm{T}\) is

  $$\begin{aligned} \varepsilon '' \ge \frac{\varepsilon \cdot t \cdot (n-t+1)}{16n \cdot q_k} \end{aligned}$$

\(\square\)

Theorem 2

GTRS has anonymity if \(2q_s(q_h+q_s-1) < p\) and H is a random oracle.

Proof

We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of simulating all oracles interacting with a PPT adversary \({\mathcal {A}}\) that challenging the anonymity of GTRS.

Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on \(pp \leftarrow \mathrm {GTRS.Setup}(\lambda )\).

Oracle Simulation. When \({\mathcal {A}}\) queries these oracles, \({\mathcal {B}}\) responses as follows:

• \(\textrm{OK}(i)\): If \(D_{key}[i] \ne \bot\), \({\mathcal {B}}\) returns \(\bot\). \({\mathcal {B}}\) runs \(({pk}_i,{sk}_i)\leftarrow \textrm{GTRS}.\textrm{KeyGen}()\), sets \(D_{key}[i] = ({pk}_i, {sk}_i)\), and returns \({pk}_i\).

• \(\textrm{OC}(i)\): If \(D_{key}[i] \ne \bot\), \({\mathcal {B}}\) returns \(\bot\). \({\mathcal {B}}\) adds i to \(Q_{corr}\) and returns \({sk}_i\).

• \(\textrm{OS}(m, R, S)\): If \(\forall i \in R, D_{key}[i] \ne \bot\), \({\mathcal {B}}\) runs \(\sigma \leftarrow \mathrm {GTRS.Sign}(m, t, \{{pk}_i\}_{i \in R}, \{{sk}_j\}_{j \in S})\) and returns \(\sigma\).

Challenge. \({\mathcal {B}}\) receiving a message \(m^*\), a ring \(R^*\) and two uncorrupted signing sets \(S^*_0, S^*_1 \subset R^*\). \({\mathcal {B}}\) randomly chooses a \((n - t)\)-degree polynomial \(f^*\) and a random response \(z^*\). \({\mathcal {B}}\) computes \(E^* = V_2(z^*) \otimes \bigodot _{i\in R^*} V_1({pk}_i, f^*(i))\) and sets \(H(m^*, t, R^*, E^*) = f^*(0)\). \({\mathcal {B}}\) declares failure if the value has been queried. \({\mathcal {B}}\) randomly picks \(b\in \{0,1\}\) and returns \((z^*,f^*)\).

Output. \({\mathcal {A}}\) returns \(b'\).

Probability Analysis. \({\mathcal {A}}\) can only succeed with probability 1/2, as b is not used in the generation of \(\sigma ^*\). It is obvious that \({\mathcal {B}}\) declares failure only when a query appeared in the queries to H, and this probability is negligible. This completes the proof.\(\square\)

Non-interactive Vector Argument \(\textrm{NIVA}\)

Full size image

GTRS-EC: A Logarithmic-size DL-based Threshold Ring Signature

Full size image

Instantiating our generic construction with specific DL-based components, e.g. Schnorr identification and a novel vector argument developed in this section, a logarithmic-size threshold ring signature GTRS-EC can be obtained.

Vector argument

The vector argument extends from the inner product argument (Bünz et al. 2018), which serves as a proof system for the relation

A verifier, who interacts with a prover and outputs accept, can confidently ascertain that the prover has \(\varvec{a}\), s.t. \(P = \varvec{g}^{\varvec{a}}\).

Our Non-interactive Vector Argument \(\textrm{NIVA}\) is shown in Fig. 5. \(\textrm{NIVA}\) contains two algorithms named \(\textrm{Proof}\) and \(\textrm{Verify}\). We achieve logarithmic complexity by employing a recursive algorithm named \(\textrm{Recursion}\).

Theorem 3

The Non-interactive Vector Argument \(\textrm{NIVA}\) has statistical witness-extended emulation if DL assumption holds.

We give a security proof in the “Appendix 1”.

DL-based logarithmic-size threshold ring signature

We elaborate GTRS-EC in Fig. 6, which is a combination of Schnorr identification and our vector argument \(\textrm{NIVA}\).

Theorem 4

GTRS-EC is unforgeable if GTRS is unforgeable and \(\textrm{NIVA}\) has statistical witness-extended emulation.

Proof

If there is a PPT adversary \({\mathcal {A}}\) capable of breaking the unforgeability of GTRS-EC. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the unforgeability of GTRS.

• Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on a public parameter pp given from the challenge of GTRS.

• Oracle Simulation. When \({\mathcal {A}}\) requests a signing oracle query, \({\mathcal {B}}\) obtains \(\sigma =(z,f)\) by asking the signing oracle of GTRS. \({\mathcal {B}}\) computes E by running \(\mathrm {GTRS.Verify}\), and computes \(P, \varvec{g}, \varvec{a}\) by executing line 4–9 of \(\mathrm {GTRS-EC.Sign}\). Then \({\mathcal {B}}\) runs the \(\mathrm {NIVA.Proof}\) to obtain a proof \(\pi\) and returns \((z, A, \pi )\) to \({\mathcal {A}}\).

  When \({\mathcal {A}}\) requests other oracle query, \({\mathcal {B}}\) returns the answers obtained by asking the signing oracle of GTRS.

• Challenge. \({\mathcal {A}}\) returns \((m^*, R^*, \sigma ^* = (z^*, E^*, \pi ^*))\). \({\mathcal {B}}\) can compute \(f_0^* = H(m^*, t, \{{pk}_i\}_{i\in R^*}, E^*)\) and obtains \((f_1^*, f_2^*, \ldots , f_{n-t}^*)\) by running an extractor \(\textrm{Emu}\). \({\mathcal {B}}\) lets \(f^* = (f_0^*, f_1^*, \ldots , f_{n-t}^*)\) and \(\sigma ' = (z^*, f^*)\).

• Output. \({\mathcal {B}}\) returns \((m^*, R^*, \sigma ')\) to the challenger of GTRS, which contradicts to the unforgeability of GTRS.

\(\square\)

Theorem 5

GTRS-EC has anonymity if GTRS has anonymity.

Proof

If there is a PPT adversary \({\mathcal {A}}\) capable of breaking the anonymity of GTRS-EC. We prove that \(\exists\) a PPT algorithm \({\mathcal {B}}\) capable of breaking the anonymity of GTRS.

• Setup. \({\mathcal {B}}\) runs \({\mathcal {A}}\) on a public parameter pp given from the challenge of GTRS.

• Oracle Simulation. If \({\mathcal {A}}\) requests a oracle query, \({\mathcal {B}}\)’s responses align with the proof of unforgeability.

• Challenge. \({\mathcal {B}}\) receives \(m^*, R^*, S_0, S_1\) from \({\mathcal {A}}\) and forwards them to its challenger. \({\mathcal {B}}\) receives \((z^*, f^*)\) from challenger and returns \(\sigma ^*\) (which is computed by line 4–9 of GTRS-EC.Sign).

• Output. \({\mathcal {B}}\) is given \(b' \{0, 1\}\) from \({\mathcal {A}}\) and forwards it to its challenger. It is observe that if \({\mathcal {B}}\) succeeds, \({\mathcal {A}}\) also succeeds.

\(\square\)

Size of GTRS-EC

We compare our instantiation for threshold t and ring size n with other logarithmic-size DL-based threshold ring signature schemes without trusted setup in Table 2. All accumulator-based threshold ring signatures with O(t) signature complexity require a trusted setup. The lattice-based logarithmic threshold ring signatures (Aguilar Melchor et al. 2008; Bettaieb and Schrek 2013; Haque and Scafuro 2020) are still at least 100 times longer than DL-based construction. We can see that GTRS-EC is shorter than all existing threshold ring signatures without any trusted setup.

Not applicable.

The authors would like to thank the anonymous reviewers for their valuable comments.

This work is supported by National Natural Science Foundation of China (Nos. 62172404, 62172411, 61972094, 62202458).

Authors and Affiliations

1. Institute of Information Engineering, Chinese Academy of Sciences, No. 19 Shucun Rd., Haidian District, Beijing, 100084, China

   Huizhuo Wang, Yang Tao & Rui Zhang

2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

   Huizhuo Wang & Rui Zhang

3. Key Laboratory of Cyberspace Security Defense, Beijing, China

   Huizhuo Wang, Yang Tao & Rui Zhang

Contributions

HW and YT proposed the generic threshold ring signature and the logarithmic DL-based threshold ring signature and drafted the manuscript. RZ participated in problem discussions and improvements of the manuscript. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Yang Tao.

Competing interests

The authors declare that they have no competing interests.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix 1: Security Proof for Theorem 3

First, we prove the security of the interactive version of our vector argument. Then using Fiat-Shamir heuristic, NIVA can be obtained.

Appendix 1.1: Forking Lemma

We provide an overview of the forking lemma (Bootle et al. 2016), which is necessary in the proof of our vector argument.

Consider a public-coin argument \(({\mathcal {P}}, {\mathcal {V}})\) with \(2k+1\) rounds and k challenges \((x_1, \ldots , x_k)\). Consider a \((n_1, \ldots , n_k)\)-tree of accepting transcripts with the following requirements.

• The statement is assigned to the root of the tree.

• The depth of the tree is k.

• Level \(i \in [k]\) has \(n_i\) descendants labeled with distinct challenges, where \(n_i \ge 1\).

• The tree has \(\prod _{i=1}^{k} n_i\) leaves, and each leaf represents an accepting transcripts with distinct challenges.

Theorem 6

(Forking Lemma Bootle et al. 2016) Let \(\text{ Emu }\) be a PPT extractor, which can extract a witness from a \((n_1, \ldots , n_k)\)-tree. For a negligible function \(\mu (\lambda )\), \(({\mathcal {P}}, {\mathcal {V}})\) has witness-extended emulation if, the success probability of \(\text{ Emu }\) is \(1 - \mu (\lambda )\), and \(\prod _{i=1}^{k} n_i\) is polynomially bounded in \(\lambda\).

Interactive vector argument for Relation 1

Full size image

Appendix 1.2: Security for our interactive vector argument

Then, we prove that our interactive vector argument (shown in Fig. 7) has statistical witness-extended emulation.

Proof

For witness-extended emulation, we show there exists a PPT extractor which uses \(3^{\log _2n}\) transcripts.

If \(d = \vert {g}\vert = 1\), the witness a is given to \({\mathcal {A}}\) and the relation \(P = g^a\) can be easily verified. Then, we show how to efficiently extract a witness \(\varvec{a}\) for each recursion with input \((P, \varvec{g})\). The extractor can get L, R from the prover \({\mathcal {P}}\).

After rewinding the prover 3 times, the extractor obtains vectors \(\varvec{a'}_{1}, \varvec{a'}_{2}, \varvec{a'}_{3} \in {\mathbb {Z}}_{p}^{d'}\) corresponding to different challenges \(\{x_i\}_{i\in [3]}\), s.t.

Then, we can compute \(v_1, v_2, v_3 \in {\mathbb {Z}}_p\) s.t.

Then, we compute

The extractor obtains

for relation \(P=\varvec{g}^{\varvec{a}}\). Finally, we observe that the extractor runs in EPT and uses \(3^{\log _2 d}\) transcripts in total. We can conclude that our interactive protocol has witness-extended emulation by using the Forking Lemma. \(\square\)

Appendix 1.3: Non-interactive vector argument

Applying Fiat-Shamir transformation, our non-interactive vector argument can be obtained. \({\mathcal {P}}\) computes \(H(L_i, R_i)\) to replace \(x_i\) in each recursion. \({\mathcal {V}}\) computes \(g = \varvec{g}^{\varvec{y}}\) and checks \(\varvec{L}^{x^2}P\varvec{R}^{x^{-2}} \overset{\text {?}}{=} g^a\), where \(y_i = \prod _{j = 1}^{\log _2 d} x_j^{f(i,j)}\) and

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions