Abstract

Although most existing lattice-based linkable ring signature schemes can resist quantum attacks, they still suffer from excessive time and storage overhead. This paper constructs an identity-based linkable ring signature (LRS) scheme over the NTRU lattice by employing trapdoor generation and rejection sampling. The security of the scheme relies on the small integer solution (SIS) problem over the NTRU lattice. We prove that the scheme has unconditional anonymity, unforgeability, and linkability in the random oracle model (ROM). The performance analysis shows that the scheme has shorter public/private keys than other recent lattice-based LRS schemes and, when the number of ring members is small (such as ), a shorter signature as well. Signing is also more efficient, since it involves only multiplications in the polynomial ring and modular operations on small integers. Finally, we implemented our scheme and the compared schemes; the signature generation and verification times of our scheme are lower by roughly 44.951% and 33.503%, respectively.

1. Introduction

With the rise of cryptocurrencies such as Bitcoin in recent years, blockchain [1] technology has attracted widespread attention and is increasingly used for electronic voting, medical information sharing, and intellectual property management. However, data transmitted and stored on the blockchain are publicly visible, and anyone can access them. Protecting the privacy of the two transacting parties only through “pseudo-anonymity” cannot satisfy complete privacy requirements, and researchers have pointed out that the ring signature is one of the approaches expected to solve this problem.

Rivest et al. [2] first proposed the ring signature at Asiacrypt 2001. In a ring signature scheme, any ring member can produce a signature using their own private key and the public keys of all ring members. A verifier can only confirm that the signature was produced by some ring member and cannot determine which member generated it. Ring signatures are therefore anonymous and can be widely used in electronic cash, electronic voting, etc. Most ring signatures are designed on top of a conventional public key infrastructure (PKI), in which a user’s identity and public key are bound together by a digital certificate. If the number of ring members is large, the management, storage, and verification of certificates consume a large amount of system resources and become the bottleneck of the whole system. Shamir [3] introduced identity-based cryptography to tackle this problem: the public key is derived by the key generation center (KGC) from the user’s identity information (e.g., ID number or e-mail address), and the user’s private key is then derived from the system master secret key (MSK) and the public key, so the KGC no longer needs to manage certificates. Because it improves computational performance and avoids certificate management, identity-based cryptography has gained wide attention in recent years.

In 2002, Zhang and Kim [4] proposed the first identity-based ring signature, and many such schemes [5–8] followed. In 2004, Liu et al. [9] added linkability to ordinary ring signatures and constructed the first LRS scheme, based on the discrete logarithm problem (DLP). Besides the anonymity and unforgeability of ordinary ring signatures, an LRS can detect whether a user has produced two or more signatures with the same private key; applied to a blockchain, it detects double spending while protecting the privacy of blockchain users. LRS currently plays a pivotal role in application domains such as cryptocurrency, electronic elections, and electronic cash [10–12]. Au et al. [13] designed the first identity-based constant-size LRS scheme in 2013, with security proved under the DLP in the ROM. In the same year, Liu et al. [14] gave an LRS with unconditional anonymity, which further strengthened the security of LRS and showed that linkability and strong anonymity can be realized simultaneously in a ring signature. In 2019, Deng et al. [15] constructed the most efficient identity-based LRS scheme to date, which requires only seven pairing operations for signature generation and verification. The above schemes are mainly founded on classical number-theoretic problems (e.g., integer factorization [16] and the finite-field discrete logarithm problem [17]). Shor [18] showed that these problems can be solved in polynomial time on a quantum computer, so cryptosystems built on them cannot resist quantum attacks. A ring signature still designed on classical number-theoretic problems will therefore be difficult to keep secure in the quantum era.

In the search for a replacement for traditional public key cryptography, lattice-based public key cryptography has become a prominent candidate for quantum-resistant algorithms. Since lattice schemes mostly involve matrix-vector and polynomial-polynomial multiplications, they offer better asymptotic efficiency and parallelism than schemes built on classical number-theoretic problems, in addition to resisting quantum attacks, and have therefore attracted extensive attention. In 2010, Rückert [19] designed the first identity-based ring signature over lattices. In 2012, Tian et al. [20] gave an efficient lattice-based identity-based ring signature whose security is proved against adaptive chosen-subring and chosen-message attacks, which improved security to some extent; however, its large key and signature lengths make signing inefficient. Other identity-based lattice cryptosystems [21–23] followed. In 2017, Yang et al. [24] constructed the first lattice-based LRS, built from an accumulator, a zero-knowledge proof, and a weak pseudo-random function. In 2018, Torres et al. [25] designed a lattice-based LRS with unconditional anonymity whose security relies on the hardness of the SIS [26] problem; signing is efficient because it uses rejection sampling, and the scheme was applied to ring confidential transactions. The same year, Baum et al. [27] produced a more efficient LRS based on a lattice collision-resistant hash function, with security based on the Module-LWE and Module-SIS problems. In 2020, Beullens et al. [28] gave logarithmic LRS from isogeny and lattice assumptions, in which the signature length grows logarithmically with the number of ring members.
These schemes generally still suffer from high communication cost and low computational performance. The NTRU lattice, a special lattice built over a polynomial ring, has attracted wide attention because signatures designed on the NTRU lattice need shorter keys and signatures and can be computed far more efficiently. In 2019, Lu et al. [29] designed the first practical and efficient LRS based on the chameleon hash plus (CH+) function over the NTRU lattice; its signatures are short, and signing is faster than in other similar lattice-based schemes.

1.1. Our Construction

To decrease the signature length and further improve the computational efficiency of LRS schemes, we construct an identity-based LRS scheme over the NTRU lattice; the architecture of the proposed scheme is shown in Figure 1. Our main contributions are as follows. (1) We combine the NTRU lattice with identity-based ring signatures, using the compact Gaussian sampler (CGS) algorithm and rejection sampling, to design an identity-based LRS. (2) We prove that the proposed scheme has unconditional anonymity, unforgeability, and linkability in the ROM; its unforgeability relies on the SIS problem over the NTRU lattice. (3) We provide a detailed performance analysis of both time cost and storage overhead. It shows that the scheme has smaller keys and signatures and faster signature generation and verification than other similar schemes. Finally, we implemented our scheme and the schemes of [15, 28, 29]; the signature generation and verification times of our scheme are lower by roughly 44.951% and 33.503%, respectively, than those of the three existing LRS schemes [15, 28, 29]. Compared with the latest lattice-based LRS schemes [28, 29], the proposed scheme has the smallest public and private keys and also the smallest signature when .

1.2. Organization

The remainder of this paper is structured as follows. At first, we introduce the symbols, NTRU lattice, the NTRU-SIS problem, and some algorithms in Section 2. Then, we introduce the definition and security model of identity-based LRS in Section 3. In Section 4, we introduce the proposed scheme. The security analysis of this scheme is shown in Section 5. In Section 6, we discuss how initial parameters are selected and point at the next research directions. In Section 7, we make a detailed performance comparison with other three existing schemes [15, 28, 29]. Finally, we present the experimental results of this scheme and related schemes in Section 8.

2. Preliminaries

2.1. Symbol Definition

For the convenience of presentation, the descriptions of the used notations are illustrated in Table 1.

Besides the symbols in Table 1, this paper also uses symbols such as , which are commonly used symbols for computation complexity.

2.2. Related Definitions of NTRU Lattice

Definition 1 (convolutional polynomial ring). Let ring ; when the addition operation on remains unchanged and the multiplication operation can be replaced by a convolution operation, then is called a convolution polynomial ring. Therefore, given a prime number and a modular convolution polynomial ring .
Let ; then, the two operations on are defined as follows:(1)Addition operation +: .(2)Convolution operation : .

Definition 2 (anti-circulant matrices). Let polynomial  have coefficient vector ; then the coefficient vector of the polynomial  is . By analogy, the coefficient vector of the polynomial  is . That is, the anti-circulant matrix is composed of the coefficient vectors of the successive cyclic shifts of the polynomial , with the coefficient that wraps around negated, so the whole matrix is determined by a single vector. The anti-circulant matrix formed by polynomial  is as follows:

Definition 3 (NTRU lattice).  is a security parameter and  is a power-of-two integer; let  be a prime and  be polynomials such that  is invertible, where . Then the NTRU lattice associated with  and  is as follows: The NTRU lattice is a -dimensional full-rank lattice;  is a basis matrix of it and is uniquely determined by the polynomial , so the space needed to store the basis matrix is small. However,  cannot be used as a trapdoor basis in an NTRU-lattice cryptosystem, because it has a very large orthogonality defect when the polynomial  is uniformly distributed.
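The ring arithmetic and lattice membership behind Definitions 1–3, as an added example that is not part of the original paper. It assumes the ring is Z_q[x]/(x^N + 1), which is what the anti-circulant matrix of Definition 2 and the power-of-two N of Definition 3 imply, and it uses the lattice convention u + v·h ≡ 0 (mod q) of the trapdoor construction cited as [31]; the toy parameters N = 8 and q = 257, the ternary sampler standing in for the Gaussian sampler, and all helper names are the editor's choices. The script builds h = g·f⁻¹ mod q, checks that the short trapdoor vector (g, −f) lies in the lattice while (1, 0) does not, and evaluates for that vector the root-Hermite factor that Section 6.1 uses to set parameters.

```python
"""Toy model of the ring R_q and NTRU lattice of Definitions 1-3 (added example, not the paper's code).

Assumptions the page does not print: R_q = Z_q[x]/(x^N + 1), as implied by the anti-circulant
matrix of Definition 2 and the power-of-two N of Definition 3, and the lattice convention
Lambda_{h,q} = {(u, v) in R^2 : u + v*h = 0 mod q} of the trapdoor construction cited as [31].
N = 8 and q = 257 are toy values with no security whatsoever.
"""
import random

N = 8      # power-of-two ring degree (toy)
Q = 257    # prime modulus (toy)


def poly_mul(a, b, q, n=N):
    """Product in Z_q[x]/(x^n + 1): a term reaching degree >= n wraps around with a minus sign."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * bj) % q
            else:
                res[k - n] = (res[k - n] - ai * bj) % q
    return res


def anticirculant(a, q, n=N):
    """Definition 2: row i is the coefficient vector of x^i * a, so vec(u*a) = vec(u) @ A(a)."""
    rows, shift = [], [c % q for c in a]
    for _ in range(n):
        rows.append(list(shift))
        shift = [(-shift[-1]) % q] + shift[:-1]   # times x: shift up, wrapped coefficient negated
    return rows


def solve_mod_prime(mat, rhs, q):
    """Solve mat * x = rhs over Z_q (q prime) by Gauss-Jordan; None if mat is singular."""
    n = len(mat)
    aug = [[v % q for v in row] + [r % q] for row, r in zip(mat, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col]), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], -1, q)
        aug[col] = [(v * inv) % q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                factor = aug[r][col]
                aug[r] = [(v - factor * w) % q for v, w in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def poly_inverse(f, q, n=N):
    """f^{-1} in R_q, or None when f is not a unit (real key generation then resamples f)."""
    a_t = [list(col) for col in zip(*anticirculant(f, q, n))]   # solve vec(u) @ A(f) = e_0
    return solve_mod_prime(a_t, [1] + [0] * (n - 1), q)


def sample_small(rng, n=N):
    """Constructed stand-in for the Gaussian sampler of [31]: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def ntru_keygen(seed=1, q=Q, n=N):
    """Return (h, f, g) with h = g * f^{-1} mod q; f is resampled until it is invertible."""
    rng = random.Random(seed)
    while True:
        f = sample_small(rng, n)
        f_inv = poly_inverse(f, q, n)
        if f_inv is not None:
            g = sample_small(rng, n)
            return poly_mul(g, f_inv, q, n), f, g


def in_ntru_lattice(u, v, h, q, n=N):
    """Membership in Lambda_{h,q} (assumed convention): u + v*h == 0 in R_q."""
    vh = poly_mul(v, h, q, n)
    return all((x + y) % q == 0 for x, y in zip(u, vh))


def norm(vec):
    return sum(c * c for c in vec) ** 0.5


def root_hermite_factor(vec_norm, dim, det):
    """Standard RHF delta, with delta^dim = ||v|| / det^(1/dim); Section 6.1 sets parameters by it."""
    return (vec_norm / det ** (1.0 / dim)) ** (1.0 / dim)


if __name__ == "__main__":
    h, f, g = ntru_keygen()
    neg_f = [-c for c in f]
    print("h =", h)
    print("(g, -f) in Lambda_{h,q}:", in_ntru_lattice(g, neg_f, h, Q))
    print("(1, 0) in Lambda_{h,q}:", in_ntru_lattice([1] + [0] * (N - 1), [0] * N, h, Q))
    short = norm(g + neg_f)
    print("||(g, -f)|| =", round(short, 3), " versus the public basis vector ||(q, 0)|| =", Q)
    print("RHF of (g, -f), dim 2N, det q^N:", round(root_hermite_factor(short, 2 * N, float(Q) ** N), 4))
```

The public vector (q, 0) and the trapdoor vector (g, −f) are both in the lattice, but only the second is short; the gap between them is exactly what Definition 3 means by the public basis having a large orthogonality defect, and the RHF thresholds quoted in Section 6.1 (about 1.007 for 80 bits, below 1.004 for 192 bits) are only meaningful at the real N, not at this toy size.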

Definition 4 (discrete Gaussian distribution). For any and vector , the discrete Gaussian distribution centered on vector over the lattice is described as follows:where .
When , the Gaussian distribution on and the discrete distribution on lattice can also be defined as and , respectively.

Lemma 1. Given any parameter and positive integer , the following formulas hold [30]:(1).(2)For any vector and , there is .(3).

2.3. The NTRU-SIS Problems

Definition 5 (the SIS problem on NTRU lattice, NTRU-SIS). Given parameters , a polynomial , and a real number , the NTRU-SIS problem is to find two non-zero small polynomials  satisfying  and .
NTRU-SIS Assumption. Given the system of linear equations  modulo , and without knowing the trapdoor, the advantage of any probabilistic polynomial time (PPT) algorithm in finding two non-zero small polynomials  that satisfy  and  is negligible.

2.4. Related Algorithms

Definition 6 (trapdoor generation algorithm on NTRU lattice). Given integers and , where and , and a prime , let a parameter and satisfying . The PPT algorithm [31] can output a polynomial and a set of short basis on NTRU lattice .

Definition 7 (discrete Gaussian sampling function). In 2015, Lyubashevsky and Prest [32] proposed the compact Gaussian sampler (CGS) algorithm, which efficiently samples from a discrete Gaussian distribution over the NTRU lattice.

Theorem 1. This is a more efficient polynomial time algorithm [32]: on inputting a lattice basis , Gaussian parameter , and center vector , the algorithm can output the sampling on distribution .

Lemma 2. Let a parameter , where , such that the statistical distance between the output of and the distribution is no more than .

Definition 8 (rejection sampling). In 2012, Lyubashevsky [30] used rejection sampling to design the first lattice signature scheme without trapdoors. Applied to a signature scheme, the technique outputs a signature only with a certain probability and makes the signature distribution independent of the private key, so that signatures do not leak the private key. The conclusions are as follows.

Lemma 3. For any , we have .

Theorem 2. Let be a probability distribution; for any constant , the statistical distance of output distribution between Algorithm 1 and Algorithm 2 is less than .

Algorithm 1. : output with the probability of .

Algorithm 2. : output with the probability of .
Furthermore, the output probability of Algorithm 1 is at least .
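The two algorithms of Theorem 2 computed exactly, as an added example that is not from the paper. It works in dimension one on a truncated support, so the statistical distance between the outputs of Algorithm 1 and Algorithm 2 and the output probability of Algorithm 1 can be compared directly with 1/M rather than estimated; the constants σ = α·|v| and M = exp(12/α + 1/(2α²)) are taken from Lyubashevsky's analysis in [30], which the page does not print, and the centre v = 3 with α = 12 is a constructed toy input.

```python
"""Exact check of Lyubashevsky-style rejection sampling (added example, not the paper's code).

Algorithm 1 (the real signer): z <- D_{v,sigma}, output z with probability
    min(1, D_sigma(z) / (M * D_{v,sigma}(z))).
Algorithm 2 (the simulator): z <- D_sigma, output z with probability 1/M.
Theorem 2 says the two output distributions are statistically close and Algorithm 1 outputs
with probability about 1/M, so the output leaks (almost) nothing about the secret-dependent
centre v.  Assumed constants from [30]: sigma = alpha*|v|, M = exp(12/alpha + 1/(2 alpha^2)).
"""
import math
import random


def rho(z, sigma, centre=0):
    """Unnormalised Gaussian weight rho_{centre,sigma}(z) = exp(-(z - centre)^2 / (2 sigma^2))."""
    return math.exp(-((z - centre) ** 2) / (2.0 * sigma * sigma))


def discrete_gaussian(sigma, centre=0, tail=20):
    """Definition 4 in dimension 1: D_{centre,sigma} over Z, truncated at centre +/- tail*sigma."""
    lo = int(math.floor(centre - tail * sigma))
    hi = int(math.ceil(centre + tail * sigma))
    weights = {z: rho(z, sigma, centre) for z in range(lo, hi + 1)}
    total = sum(weights.values())        # the mass cut off is below exp(-tail^2 / 2)
    return {z: w / total for z, w in weights.items()}


def rejection_constant(alpha):
    """M = exp(12/alpha + 1/(2 alpha^2)) for sigma = alpha * |v| (assumed, from [30])."""
    return math.exp(12.0 / alpha + 1.0 / (2.0 * alpha * alpha))


def accept_probability(z, v, sigma, M):
    """Algorithm 1's acceptance probability min(1, D_sigma(z) / (M D_{v,sigma}(z))).

    The Gaussian normalisers cancel, so only the ratio of the two weights is needed.
    """
    log_ratio = ((z - v) ** 2 - z * z) / (2.0 * sigma * sigma)   # log(D_sigma(z)/D_{v,sigma}(z))
    return min(1.0, math.exp(log_ratio) / M)


def output_distributions(v, alpha):
    """Return (P1, P2): the sub-probability output distributions of Algorithm 1 and Algorithm 2."""
    sigma = alpha * abs(v)
    M = rejection_constant(alpha)
    d_v = discrete_gaussian(sigma, centre=v)   # what Algorithm 1 samples from
    d_0 = discrete_gaussian(sigma, centre=0)   # what Algorithm 2 samples from
    support = set(d_v) | set(d_0)
    p1 = {z: d_v.get(z, 0.0) * accept_probability(z, v, sigma, M) for z in support}
    p2 = {z: d_0.get(z, 0.0) / M for z in support}
    return p1, p2


def statistical_distance(p1, p2):
    """(1/2) * sum_z |p1(z) - p2(z)| over the union of the supports."""
    keys = set(p1) | set(p2)
    return 0.5 * sum(abs(p1.get(z, 0.0) - p2.get(z, 0.0)) for z in keys)


def output_probability(p):
    """Probability that the algorithm outputs anything (Theorem 2: about 1/M for Algorithm 1)."""
    return sum(p.values())


def simulate_signer(v, alpha, trials, seed=0):
    """Monte Carlo run of Algorithm 1 with a seeded RNG; returns the empirical acceptance rate."""
    sigma = alpha * abs(v)
    M = rejection_constant(alpha)
    d_v = discrete_gaussian(sigma, centre=v)
    zs, ws = zip(*d_v.items())
    rng = random.Random(seed)
    accepted = 0
    for z in rng.choices(zs, weights=ws, k=trials):
        if rng.random() < accept_probability(z, v, sigma, M):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    v, alpha = 3, 12            # constructed toy values: secret-dependent shift 3, sigma = 36
    p1, p2 = output_distributions(v, alpha)
    M = rejection_constant(alpha)
    print("M =", round(M, 4), " 1/M =", round(1.0 / M, 4))
    print("statistical distance(Alg 1, Alg 2) =", statistical_distance(p1, p2))
    print("Alg 1 output probability =", output_probability(p1))
    print("empirical acceptance rate of Alg 1 =", simulate_signer(v, alpha, 20000))
```

The acceptance test depends on z only through the ratio of the two Gaussian weights, so a real signer never evaluates the normalisers; the tail region where Algorithm 1 keeps z with probability 1 (here z below roughly −12σ) carries about 2⁻¹⁰⁰ of the mass, which is where the small statistical distance of Theorem 2 comes from, and the simulated acceptance rate settling at 1/M is the output-probability statement following Algorithm 2.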

3. Definition of Identity-Based LRS and Security Model

3.1. Definition of Identity-Based LRS

An identity-based LRS [14, 33] is composed of five PPT algorithms:
(1) : it inputs a security parameter  and the number of ring members  and returns the public parameters  and the system master private key .
(2) : it inputs the public parameters , a user identity , and the system master private key  and returns a public/private key pair .
(3) : it inputs the public parameters , the ring user identity set , a message , and the signing private key  of user  and outputs the ring signature  of user  on message , which contains the linkability tag .
(4) : it inputs the public parameters , the ring user identity set , a message , and a signature ; if  is valid, the verifier returns “valid”; otherwise, it outputs “invalid.”
(5) : it inputs two ring signatures  and compares . If they are equal, the verifier returns “link,” indicating that  were produced by the same signer; otherwise, it outputs “unlink.”

3.2. Security Model

An identity-based LRS scheme must satisfy linkability in addition to the correctness, anonymity, and unforgeability of ordinary ring signatures. Correctness includes verification correctness and linking correctness (Definition 9). Anonymity means that the attacker cannot tell which ring member generated the signature; our scheme has the strong form, unconditional anonymity (Definition 10). Unforgeability means that no one outside the ring can produce a valid signature on the ring’s behalf without a member’s private key (Definition 11). Linkability means that a user holding only one private key cannot produce two signatures that the linking algorithm fails to link (Definition 12). This paper follows the security model of Liu et al. [14] and characterizes security with a series of games between a challenger C and an adversary A. In the ROM, A can query the random oracle and the following oracles.
(i) Registration oracle: A submits a user identity  of its choice, and C runs the  algorithm and returns the corresponding public key .
(ii) Corruption oracle: A submits a user identity  of its choice, and C runs the  algorithm and returns the corresponding private key .
(iii) Signing oracle: A submits a ring user identity set , a message , and a user identity , and C returns a valid signature  produced by running the  algorithm.

Definition 9 (correctness). The correctness of the LRS scheme comprises verification correctness and linking correctness.
(1) Verification correctness: for a signature  generated honestly according to the specification, the probability that the  algorithm outputs “invalid” is negligible.
(2) Linking correctness: for two valid signatures  and  produced with the identical private key of the same signer, the probability that the  algorithm outputs “unlink” is negligible.
The formal definition of the correctness of the LRS is as follows:

3.2.1. Unconditional Anonymity

Even if A has unlimited computational resources (unbounded computation power and time), and can therefore compute the private key corresponding to any given public key, it cannot identify the signer with probability noticeably larger than 1/2. The unconditional anonymity of the LRS scheme is defined by the following game between an adversary A and a challenger C.
(1) Setup: on receiving a security parameter  and the number of ring members , C runs the  algorithm to obtain the public parameters  and the system master private key  and gives the public parameters  to A.
(2) Query: A may adaptively query the above oracles.
(3) Challenge: A submits a ring user identity set  and a message  and chooses two user identities  for the signing query; C randomly selects a bit  and returns the signature  to A.
(4) Guess: A outputs a guess . A wins if the following conditions hold:
(a) .
(b)  cannot have been submitted to  and .

The advantage of A is denoted by

Definition 10 (unconditional anonymity). The LRS scheme is unconditionally anonymous if the advantage  for any adversary A, even one with unbounded computational power.

3.2.2. Unforgeability

The unforgeability of the LRS scheme is defined by the following game between an adversary A and a challenger C.
(1) Setup: given a security parameter  and the number of ring members , C runs the  algorithm to obtain the public parameters  and the system master private key  and sends the public parameters  to A.
(2) Query: A may adaptively query the above oracles.
(3) Forge: A outputs a tuple . A wins if the following conditions hold:
(a) .
(b) All public keys in  are outputs of .
(c) No identity in  has been submitted to .
(d)  is not an output of .

The advantage of A is denoted by

Definition 11 (unforgeability). The LRS scheme is unforgeable if the advantage for any PPT adversary A.

3.2.3. Linkability

The linkability of the LRS scheme is defined by the following game between an adversary A and a challenger C.
(1) Setup: on receiving a security parameter  and the number of ring members , C runs the  algorithm to obtain the public parameters  and the system master private key  and gives the public parameters  to A.
(2) Query: A may adaptively query the above oracles.
(3) Forge: A outputs two message-signature pairs , whose signatures contain the two linkability tags . A wins if the following conditions hold:
(a)  for .
(b) .
(c) All public keys in  are outputs of .
(d) A has queried  fewer than two times (that is, A holds at most one user private key).
(e)  are not outputs of .

The advantage of A is denoted by

Definition 12 (linkability). The LRS scheme is linkable if the advantage for any PPT adversary A.

4. Scheme Construction

To decrease the signature length and improve the computational efficiency of existing LRS schemes, we design an identity-based LRS scheme over the NTRU lattice using the trapdoor generation algorithm [31] and rejection sampling [30]. The idea is to bring identity-based cryptography into an efficient NTRU-lattice ring signature. During system setup, the master key is derived from the NTRU lattice produced by the trapdoor generation algorithm [31]. During key generation, the user’s private key is produced with the compact Gaussian sampler (CGS) algorithm [32], which speeds up key extraction. During signing, rejection sampling [30] outputs a signature with a certain probability, making the distributions of the signature and the private key independent of each other and further improving signing efficiency. The proposed identity-based LRS scheme is as follows.
(1) : on input a security parameter  and the number of ring members , it sets the integer , where  is an integer, and chooses a prime number , a parameter , and a Gaussian parameter , where . It sets the polynomial ring , and the KGC obtains the public parameters  and the system master private key MSK as follows.
(a) The KGC uses the  algorithm to generate a uniformly random polynomial  together with a short basis  of the lattice .
(b) It selects two collision-resistant hash functions .
(c) The system master private key of the KGC is , and the master public key is .
(d) It outputs the public parameters  and keeps the system master private key  secret.
(2) : given the public parameters , a user identity , and the system master private key , the KGC obtains a public/private key pair  as follows.
(a) It computes the public key .
(b) It uses the CGS sampling algorithm to generate ; then .
(c) It randomly chooses polynomial vectors  and returns the user’s private key .
(3) : on input the public parameters , the ring user identity set , a message , and the private key  of user , the signing process is as follows.
(a) It computes the linkability tag , where .
(b) It randomly chooses polynomial vectors , the vectors corresponding to short polynomials in .
(c) It sets .
(d) If , it sets ; if , it computes .
(e) With probability , it outputs  as the signature, where .
(4) : on input the public parameters , the ring user identity set , a message , and a ring signature , the verifier computes  for  and checks whether the following conditions hold:
(a) .
(b) .
If conditions (a) and (b) are satisfied, the verifier returns “Valid” and accepts the message  as signed by a member of the ring user identity set ; otherwise, it outputs “Invalid.”
(5) : on input two signatures  and , the verifier compares ; if , it outputs “Link”; otherwise, it outputs “Unlink.”

5. Security Analysis

Theorem 3 (correctness). The proposed identity-based LRS scheme is correct.

Proof. The proof is given in Appendix A.

Theorem 4 (unconditional anonymity). The proposed identity-based LRS scheme is unconditionally anonymous.

Proof. The proof is given in Appendix B.

Theorem 5 (unforgeability). The proposed identity-based LRS scheme is unforgeable under the ROM, if the SIS problem on the NTRU is hard.

Proof. The proof is given in Appendix C.

Theorem 6 (linkability). The proposed identity-based LRS scheme is linkable under the ROM, if the proposed LRS scheme is unforgeable.

Proof. The proof is given in Appendix D.

6. Discussion

We now discuss how the initial parameters are selected and point at the future research direction.

6.1. Parameter Selection

The security of the proposed scheme is based on the NTRU-SIS problem, which is defined as follows: finding two non-zero small polynomials satisfying and . This problem can be reduced to the -ideal-SVP problem. According to the literature [34, 35], the value of measures the hardness of -ideal-SVP problem. We use the root-Hermite factor (RHF) to analyze the security level of the scheme and set the relevant parameters. According to the literature [34], if a polynomial vector is found in an -dimensional lattice and the vector is greater than the root of the determinant, then the relative RHF is

If the small-size polynomial vector is found in the NTRU lattice , then the relative RHF is

According to the results of literature [35, 36], when the value of is approximately 1.007, finding the vector satisfying the condition is at least 80-bits hard. When the value of is less than 1.004, finding the vector satisfying the condition is at least 192-bits hard.

The methods of attacking the proposed scheme are mainly attacks on the public keys of ring members and the signatures.

In the proposed scheme, the public key of ring member is . The attack on is to find two non-zero small-size polynomials in the NTRU lattice that satisfy . According to Definition 6, . The value of is calculated by (9), and we have . When , , attacking the public key of ring members is at least 80-bits hard, and when , , attacking the public key of ring members is at least 192-bits hard.

In the proposed scheme, the signature of ring member is . The attack on the signature is to find vectors through the verification algorithm without the private key of the ring member . Then, the value of is calculated by formula (8), and we have

From Lemma 3 and Theorem 2, , and we have

The Gaussian parameter is defined as , where . Through further calculation, the following results can be obtained.

When , , attacking the signature of ring members is at least 80-bits hard, and when , , attacking the signature of ring members is at least 192-bits hard. The main parameters of this scheme are defined in Table 2.

6.2. Post-Quantum Security

It is generally believed that a scheme built on lattice hardness assumptions, such as the proposed one, may provide post-quantum security. On the other hand, the security proof of the proposed scheme is unlikely to carry over to the quantum random oracle model (QROM) [37], because the proofs (Theorems 4–6) adaptively program the random oracles  and , and this proof technique is to some extent inherent to the construction.

Other constructions analyzed in the QROM, such as [38, 39], also rely on a form of RO programming (even if not adaptive). Although we do not know whether a Fiat–Shamir-style proof such as ours can be carried over to the QROM, we are aware of no attacks on protocols using these proof techniques that stem from the use of the RO. Proving security in the QROM may require changing the construction itself. As a next step, we will consider constructing an identity-based LRS over the NTRU lattice that is provably secure in the QROM.

7. Performance Analysis

In this section, we choose three similar schemes to carry out efficiency analysis and comparison with our scheme. They are, respectively, the identity-based LRS scheme based on the bilinear pairings constructed by Deng et al. [15], the logarithmic (linkable) ring signatures on lattice from isogeny and lattice assumptions given by Beullens et al. [28], and the practical lattice-based LRS based upon the chameleon hash plus (CH+) function designed by Lu et al. [29]. We will perform efficiency analysis of our scheme and the other three schemes [15, 28, 29] and mainly focus on two areas: time costs and storage overhead.

The time costs and hardness assumptions of the four schemes are listed in Table 3; the comparison terms are signature generation cost, signature verification cost, hardness assumption, and other properties. We count only the relatively expensive operations, namely matrix-vector and polynomial-polynomial multiplications, pairings, and exponentiations; cheaper operations such as hashing and polynomial or matrix addition and subtraction are ignored. In Tables 3 and 4,  is a positive integer,  is a large prime,  is the number of ring members, and  and  are small integers, e.g., .  and  denote the time of one run of the discrete Gaussian sampling algorithm and of the rejection sampling algorithm, respectively, and generally .  denotes a pairing operation, and  and  denote a scalar multiplication in the additive group  and an exponentiation in the group , respectively.  and  denote the cost of running the polynomial-polynomial and matrix-vector multiplication operations  times, respectively, and generally .

The scheme of [15] is based on the DBDH problem and cannot resist quantum attacks, while the other three schemes are lattice-based and can. We therefore only list its costs in Table 3 and do not compare it analytically with the three lattice-based schemes; its experimental comparison with our scheme is given in Section 8. For signature generation, our scheme mainly runs the Gaussian sampling algorithm  times, performs  polynomial-polynomial multiplications, and runs rejection sampling once, so its signing cost is . From Table 3, our scheme signs faster than the scheme of [29]. The signing time of [28] grows logarithmically in the number of ring members, whereas ours grows linearly in ; for large , [28] is therefore expected to sign faster, while for small  the faster scheme depends on the concrete parameters, e.g., . For verification, our scheme mainly performs  polynomial-polynomial multiplications, so its verification cost is , which is clearly lower than that of [29]; the comparison with [28] is the same as for signing. Moreover, our scheme is identity-based, which avoids certificate management, whereas neither [28] nor [29] has this property: when the number of ring members is large, managing and verifying certificates consumes considerable system resources and slows down signing and verification.

The storage overhead of the four schemes is compared in Table 4; the comparison terms are the public/private key size and the signature size. In this paper, the public key is a -dimensional vector and the private key consists of four small polynomials in the ring , so the public key size is  and the private key size is . In scheme [15], the public and private keys are elements of the group , so the public/private key size is . In scheme [28], the public key is the product of two random ring polynomials from  and , respectively, and the private key consists of  ring polynomials from , so the public and private key sizes are  and , respectively. In scheme [29], the public key is a small polynomial in the ring  and the private key consists of nine small polynomials in the ring , so the public key size is  and the private key size is . Overall, scheme [15] has the smallest public and private keys; the public key of the proposed scheme is much smaller than that of [28], and its private key is significantly smaller than that of [29]. Moreover, when , the private key of this scheme is also smaller than that of scheme [28]. As for the signature size, the signature generated in this paper is , whose polynomial vectors  correspond to small polynomials in the ring , so the signature size of our scheme is . The signature of this scheme is shorter than that of scheme [29]. Because the signature size of scheme [28] is logarithmic, the signature of the proposed scheme is longer than that of [28] when the number of ring members is large, and this needs further optimization.
Although the signature of the proposed scheme is longer than that of [15], our scheme is built on lattice hardness assumptions and can resist quantum attacks, while the scheme of [15] cannot.

8. Implementation and Evaluation

The parameter setting in our scheme is given in Table 5 such that the proposed scheme is secure, and we implemented the scheme under the operating environment indicated in Table 6. We ran the signature generation and signature verification algorithms 1000 times each. The specific time comparison results of our scheme and the schemes of [15, 28, 29] at security level for different numbers of ring members are shown in Table 7 (let the length of be 160 bits and 512 bits, respectively, in the scheme of [15], and let in the scheme of [28], respectively; scheme [29] has the same parameter settings as our scheme). According to Table 7, the signature generation and verification time costs of our scheme are shorter than those of [15, 29]. Compared with the scheme in [28], the proposed scheme has higher signing efficiency when . When , the verification time cost of the proposed scheme is smaller than that of [28]. However, when the number of ring members is large, the signature generation and verification efficiency of our scheme needs to be improved compared with [28]. Finally, we use Table 8 to show the specific time costs of signature generation and verification of our scheme under two different parameter types (I, II) for different numbers of ring members. After calculation, on average, the signature generation time cost of our scheme decreases roughly by 44.951%, and the signature verification time cost decreases roughly by 33.503%, compared with the other three schemes [15, 28, 29]. To show the advantage of our scheme in terms of time costs more intuitively, we draw Figures 2 and 3, which depict, respectively, the signature generation and verification time costs of our scheme compared with the other schemes under different numbers of ring members at security level . In summary, our scheme achieves relatively higher computational efficiency.

The sizes of the public/private key and signature of the schemes of [15, 27, 28] and our scheme at security level under different numbers of ring members are listed in Table 9. On the size of the public key, the public key size of our scheme is equal to that of scheme [29] but is significantly smaller than that of scheme [28]. In terms of private key size, the scheme in [29] has the biggest private key, and the scheme of [15] has the smallest private key. However, the scheme of [15] is designed based on a classical number-theoretic problem (DBDH) and cannot resist quantum attacks. Compared with the other lattice-based schemes, the proposed scheme has obvious advantages in key storage overhead. In view of the signature size, the signature length of our scheme is short and is significantly better than that of [29]. When , the signature length of scheme [28] is shorter than that of our scheme, but note that the scheme of [28] is not identity-based and has the problem of certificate management. After further calculation, the signature size decreases roughly by 32.078% on average compared with the scheme of [29]. Finally, we give the signature size of the proposed scheme under different parameter types (I, II) and different numbers of ring members in Table 10.

9. Conclusions

Linkable ring signature plays a very important role in cryptography. Compared with ordinary ring signatures, it not only protects the user's identity privacy but also detects whether a user has produced two or more signatures with the same private key by running the linking algorithm. Moreover, lattice-based linkable ring signatures can resist attacks by quantum algorithms. When applied to the blockchain, besides protecting the privacy of both parties in a transaction, they can effectively prevent the emergence of "double-spending" problems. Based on the NTRU-SIS assumption, this paper constructed an identity-based LRS scheme over the NTRU lattice [40]. Performance analysis and experiments show that this scheme has smaller key and signature sizes, thus reducing storage overhead. Since the NTRU lattice is a public key cryptosystem built on a polynomial ring, the calculation process only involves multiplication in the polynomial ring and modular operations on small integers, which further improves the efficiency of signature generation and signature verification in this scheme. This scheme has higher computational performance and lower communication and storage overhead, and it can be applied to more application scenarios than ordinary ring signatures.

Appendix

A. Identity-Based LRS: Correctness Requirements

In this part, we prove that this scheme has correctness, unconditional anonymity, unforgeability, and linkability under the random oracle model (ROM).

A.1. Correctness of SigGen

Proof. Suppose the signature is valid and generated by a member of the ring user identity set ; then, the following equations hold:
From the signing process, we can easily see that the following equation is true:
When , where , according to Lemma 1, we know that , satisfying with overwhelming probability. When , we have , . and are generated by the rejection sampling algorithm, where ; according to Lemma 3 and Theorem 2, they are statistically indistinguishable from the Gaussian distribution (the statistical distance is ). Therefore, and for hold with overwhelming probability. The proposed identity-based LRS scheme meets verification correctness.

A.2. Correctness of SigLink

Proof. Suppose the signer uses the same private key to sign message and message , respectively. Then there are and . and are obtained from the same randomly generated polynomial . If a signer calculates a signature with the same private key , . The proposed identity-based LRS scheme meets linking correctness. So, our scheme is correct.

B. Security Analysis: Unconditional Anonymity

Proof. The game between a challenger C and an adversary A is used to prove unconditional anonymity. If the two signature distributions are computationally indistinguishable to A, the proposed scheme meets unconditional anonymity. Consider the game indicated below:
(1) Setup phase: C enters a security parameter and the number of ring members and does the following steps:
  (a) Sets a set of ring user identities .
  (b) Chooses two collision-resistant hash functions at random.
  (c) Uses algorithm to generate a uniform and randomized polynomial together with a short basis on lattice .
  (d) Computes the public key of user and runs the CGS sampling algorithm to generate ; then, , and it chooses at random and returns the private key .
  (e) Returns the public parameters and the public keys of to A and keeps the system master private key and user private keys secret, for .
(2) Query phase: A is allowed to make adaptive inquiries to the above oracles.
  (a) Hash query:
    (i) query: A inputs a user's identity , and C returns the vector to A.
    (ii) query: A inputs a message , ring user identity set , and linkability tag , and randomly chooses polynomial vectors , . C randomly chooses an integer and returns it to A.
  (b) Corruption query: A inputs a user's identity , and C gives the private key .
  (c) Signing query: A inputs ring user identity set , a message , and a user's identity , and C runs algorithm and returns a signature to A.
(3) Challenge phase: A inputs a message , ring user identity set , and two users' identities , and C selects a random bit , calculates the corresponding signing private key , then runs algorithm , and returns as the signature of user on the message .
(4) Guess phase: A gives the guess and satisfies , which have not been input to and at the same time.

Analysis. Next, we show that the advantage of A in winning the unconditional anonymity game is negligible.
It suffices to show that the distribution of generated with the of user and that of generated with the of user by the challenger C are computationally indistinguishable.
According to the signing process, the signature is generated by a randomly selected user in ring . It constructs a signature based upon the fact that a public key matches multiple secret keys in this scheme. The identity corresponds to each possible actual signer. There is a private key uniquely corresponding to the linkability tag . The signature can be generated by any signer who has a private key and randomly selected polynomial vectors .
For , when , polynomial vectors ; when , polynomial vectors , and and are obtained by using the rejection sampling algorithm, where . According to Lemma 3 and Theorem 2, is statistically close to (the statistical distance is ). The linkability tag is statistically close to the random distribution . So, and are indistinguishable. Similarly, for , when , polynomial vectors ; when , polynomial vectors , . and are obtained by using the rejection sampling algorithm, where . According to Lemma 3 and Theorem 2, is statistically close to (the statistical distance is ). The linkability tag is statistically close to the random distribution . So, the signatures and are indistinguishable. Therefore, the two signatures and have the same discrete Gaussian distribution, and the distributions of the two signatures are computationally indistinguishable. The signature can be generated by any user holding the private key , and the polynomial vectors can be chosen randomly. Even if A with unbounded computational power can calculate the private key of the ring member , since the private key obeys a random distribution, the private key that uniquely matches the linkability tag cannot be calculated. That is, the correct value of cannot be output with a probability better than random guessing. The probability of A giving the right guess is negligible. So, our scheme has unconditional anonymity.

C. Security Analysis: Unforgeability

Proof. The game between a challenger C and an adversary A is used to prove unforgeability. Suppose that the signature is successfully forged by A with a non-negligible probability . We will show how C uses the forged results of A to find a set of non-zero small-size polynomials satisfying to construct a solution of the SIS problem on NTRU lattice. Hash functions are treated as random oracles, and C creates four lists to store queries, queries, corruption queries, and signing queries of A. All four lists are initialized to empty.
Now consider the game as indicated below:
(1) Setup phase: To solve the NTRU-SIS problem, C obtains an instance . Then, C inputs the security parameter and the number of ring members and does the following steps:
  (a) Sets a set of ring user identities .
  (b) Chooses two collision-resistant hash functions at random.
  (c) Calculates the public key of user .
  (d) Outputs as public parameters.
(2) Query phase: A is allowed to make adaptive inquiries to the above oracles.
  (a) Hash query:
    (i) query: A inputs a user's identity to query. C checks list ; if A has made the same inquiry, it returns the same result. Otherwise, it returns the vector to A and adds to the list .
    (ii) query: A inputs a message , ring user identity set , and linkability tag , and randomly chooses polynomial vectors , to query. C checks list . If A has made the same inquiry, it returns the same result. Otherwise, C randomly chooses an integer and returns it to A. It adds to the list .
  (b) Registration query: A inputs a user's identity to query; suppose that A can perform this query at most times, where . C selects a subset with indexes at random. We use to denote the index of (where C does not know the associated private key) and to denote the index of . When , it sets the vector as the public key corresponding to each index in ; when , C calculates the public key by algorithm . Upon the query, C gives the corresponding public key . It adds the new tuple to the list .
  (c) Corruption query: A inputs a user's identity to query; if , C halts. Otherwise, C gives the corresponding private key through algorithm . It adds to the list .
  (d) Signing query: A inputs a new ring user identity set , a message , and a user identity to query. C simulates the following two different situations:
    (i) If , C checks the lists , finds the corresponding records , and does the following steps (if the lists are empty, C obtains the signature based on algorithm ):
      (1) If , it sets ; if , it calculates .
      (2) With probability , it outputs the signature .
    (ii) If , C does the following steps:
      (1) Randomly chooses polynomial vectors .
      (2) Checks the lists and finds the corresponding records ; if has not been queried, performs the query according to the above steps.
      (3) Sets ; if a collision occurs, that is, the value has already been assigned to some query, repeats the above steps.
      (4) Outputs the signature .
(3) Forgery phase: A submits a signature after the simulation.

Analysis. First, for each different query, the value returned by C is randomly selected, the same as the randomly distributed value output by the function in real life. For the signing query of message , the polynomial vectors , in the returned signature satisfy and . Therefore, is a legal signature.
If the forgery of is valid, the following shows how C uses the forged results of A to solve the NTRU-SIS problem. We analyze the following two situations:
(i) If appears in the signing query, suppose the output of the query is . Since the signature is a valid signature, it satisfies
If A successfully forges the signature , we have
If a collision of the function occurs, C aborts the game. Otherwise, from (C.1) and (C.2):
That is,
Set , where is the answer to the NTRU-SIS problem.
(ii) If appears in the query, C finds in list , satisfying
If a collision of the function occurs, C aborts the game. Otherwise, from (C.2) and (C.5):
C does as follows: if , it sets ; if , it sets , . We have
According to (C.2), (C.6), and (C.8), the signature is valid. That is,
If , C aborts the game. If , let . Also, the following holds:
Set , where is a solution of the NTRU-SIS problem.
Probability Analysis. We assume that A can successfully forge with probability and then analyze the probability that C can successfully find . C will abort the game in the following cases, in which the simulation fails:
(1) When a collision of the function occurs, the probability of the signature being verified is .
(2) When . This means that the private key matching the signature and the private key corresponding to the forged signature are equal. In the view of A, the signature and the private key are independent of each other when the private key is not known. Therefore, the probability that is negligible.
Hence, C has a probability higher than of solving the NTRU-SIS problem. This contradicts the assumption. So, our scheme has unforgeability.

D. Security Analysis: Linkability

Proof. The game between a challenger C and an adversary A is used to prove the linkability. According to the definition of linkability, assume that adversary A can win the linkability game in Definition 12 with a non-negligible probability .
Now consider the game as indicated below:
(1) C uses algorithm to obtain the public parameters and the system master private key MSK and returns the public parameters to A.
(2) A is allowed to make adaptive inquiries to the above oracles.
  (a) Hash query:
    (i) query: A inputs a user's identity , and C returns the vector to A.
    (ii) query: A inputs a message , ring user identity set , and linkability tag , and randomly selects polynomial vectors , , and C randomly chooses an integer and returns it to A.
  (b) Registration query: A inputs the identity of user , and C gives the public key to A.
  (c) Corruption query: A inputs the identity of user , and C sends the private key to A.
  (d) Signing query: A inputs ring user identity set , a message , and a user's identity , and C runs algorithm and returns a signature to A.
(3) A outputs two signatures , , and the following is satisfied:
  (a) All of the public keys in are outputs of .
  (b) A has made fewer than two inquiries (that is, A holds the private key of at most one user).
  (c) are not inquired outputs of .

Analysis. Suppose A outputs, with a non-negligible probability , two ring signatures and while holding only one signing private key, and there is , . Since our scheme is unforgeable, the signatures and can be verified by the algorithm, which returns "Valid" only when these two signatures are honestly generated by A according to the specification. In other words, and . Since A only holds one private key, , where the polynomial is a randomly chosen public parameter. So, we have . It means that these two signatures and will return "Link" when checked by the algorithm. This contradicts the assumption in Definition 12; the advantage of A is negligible. So, our scheme has linkability.
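Both the linking correctness in A.2 and the linkability argument above rest on the same fact: the tag is a deterministic function of the signer's private key and a public random polynomial, so one key produces one tag whatever the message. The following added Python illustration is not the paper's code; it assumes the ring Z_q[x]/(x^N + 1) with a toy N and q, a tag of the form h * s mod q, and constructed small values for h and the two private keys rather than the paper's Table 5 parameters.

```python
# Added illustrative example (not from the paper): ring arithmetic and the
# linkability check.  ASSUMPTIONS: the ring is Z_q[x]/(x^N + 1) with a toy
# N and q, and the tag is h * s mod q for a public random polynomial h and
# a small private key s.  The paper's actual parameters (Table 5) are not used.
from typing import List

N = 8      # assumed toy ring dimension (power of two)
Q = 1019   # assumed toy prime modulus


def poly_mul(a: List[int], b: List[int], n: int = N, q: int = Q) -> List[int]:
    """Multiply a and b in Z_q[x]/(x^n + 1); wrapped terms use x^n = -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            if k < n:
                res[k] += ai * bj
            else:
                res[k - n] -= ai * bj      # x^(k) = -x^(k-n) in this ring
    return [c % q for c in res]


def poly_sub(a: List[int], b: List[int], q: int = Q) -> List[int]:
    """Coefficient-wise subtraction in Z_q."""
    return [(x - y) % q for x, y in zip(a, b)]


def link_tag(h: List[int], s: List[int]) -> List[int]:
    """Assumed tag construction: tag = h * s.  It depends only on s and the
    public h, never on the message, so one key always yields the same tag."""
    return poly_mul(h, s)


def sig_link(tag1: List[int], tag2: List[int]) -> str:
    """SigLink decision: 'Link' iff the two tags coincide."""
    return "Link" if tag1 == tag2 else "Unlink"


# Constructed public polynomial and two distinct small private keys.
H = [3, 1, 4, 1, 5, 9, 2, 6]
S1 = [1, 0, -1, 0, 1, 1, 0, -1]
S2 = [0, 1, 1, -1, 0, 0, 1, 0]


def demo() -> dict:
    """Sign two different messages with S1 and one with S2; compare the tags.
    (The message never enters the tag, so it is only named in the comments.)"""
    tag_m1 = link_tag(H, S1)       # signature on message m1 by the holder of S1
    tag_m2 = link_tag(H, S1)       # signature on message m2 by the same signer
    tag_other = link_tag(H, S2)    # signature by a different ring member
    # Two keys could only link if h * (s1 - s2) = 0 in the ring; with these
    # small constructed values the product is nonzero, so they never link.
    diff_is_zero = all(c == 0 for c in poly_mul(H, poly_sub(S1, S2)))
    return {
        "same_key": sig_link(tag_m1, tag_m2),
        "other_key": sig_link(tag_m1, tag_other),
        "h_times_key_diff_is_zero": diff_is_zero,
    }


if __name__ == "__main__":
    print(demo())
```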

Data Availability

Our results are available on https://github.com/xff-github/NTRU.git.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This study was supported by the National Natural Science Foundation of China (grant no. 61802117), Support Plan of Scientific and Technological Innovation Team in Universities of Henan Province (grant no. 20IRTSTHN013), and the Youth Backbone Teacher Support Program of Henan Polytechnic University (grant no. 2018XQG-10).