Traceable ring signature (TRS), a variant of ring signature, allows a signer to sign a message anonymously labeled with a tag on behalf of a group of users, but may reveal the signer’s identity if he creates two signatures with the same tag. TRS provides accountable anonymity for users, and serves as an important role in e-voting systems and e-coupon services. However, current TRS schemes are built on hard problems in number theory that cannot resist quantum attackers. To address this issue, first, we propose a general framework of TRS, by using a non-interactive zero-knowledge proof of knowledge, a hash family, and a pseudorandom function with some additional properties. Then, by instantiating our framework, we give two concrete efficient TRS schemes from lattices and symmetric-key primitives respectively, and both of them are proven to be secure in the quantum random oracle model. Moreover, both schemes have logarithmic signature size.

可追踪的环形签名（TRS）是环形签名的一种变体，它允许签名者代表一组用户签名带有标签的匿名消息，但是如果签名者创建具有相同标签的两个签名，则可能会泄露签名者的身份。TRS为用户提供负责任的匿名性，并在电子投票系统和电子优惠券服务中扮演重要角色。但是，当前的TRS方案是建立在数论中无法抵抗量子攻击者的难题上。为了解决此问题，首先，我们通过使用非交互式零知识证明，哈希家族和具有某些其他属性的伪随机函数，提出TRS的通用框架。然后，通过实例化我们的框架，我们分别从晶格和对称密钥基元中给出了两个具体的有效TRS方案，并在量子随机预言模型中证明了它们都是安全的。而且，两种方案都具有对数签名大小。