Abstract
Ring signature allows a signer to generate a signature on behalf of a set of public keys, while a verifier can verify the signature without identifying who the actual signer is. In Crypto 2021, Yuen et al. proposed a new type of ring signature scheme called DualRing. However, it lacks forward security. The security of DualRing cannot be guaranteed if the signer’s secret key is compromised. To address this problem, we introduce forward-secure DualRing, in which a signer can periodically update their secret key using a “split-and-combine” method. A practical instantiation of our scheme enjoys a logarithmic complexity in signature size and key size. Implementation and evaluation further validate the practicality of our proposed scheme.
References
Double Ratchet Algorithm. https://www.signal.org/docs/specifications/doubleratchet
Our Source Code. https://github.com/SMC-SMU/Forward-secure-DualRing
X3DH Key Agreement Protocol. https://signal.org/docs/specifications/x3dh
Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26
Adida, B.: Helios: web-based open-audit voting. In: USENIX Security Symposium, 17, pp. 335–348 (2008)
Akinyele, J.A., et al.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013)
Au, M.H., Susilo, W., Yiu, S.-M.: Event-oriented k-times revocable-iff-linked group signatures. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 223–234. Springer, Heidelberg (2006). https://doi.org/10.1007/11780656_19
Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)
Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_4
Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26
Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324(1), 71–90 (2003)
Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13
Boyd, C., Gellert, K.: A modern view on forward security. Comput. J. 64(4), 639–652 (2021)
Boyen, X., Haines, T.: Forward-secure linkable ring signatures. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 245–264. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_15
Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient indifferentiable hashing into ordinary elliptic curves. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 237–254. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_13
Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16
Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. In: CCS, pp. 112–121 (2005)
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in Ad Hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
Drijvers, M., Gorbunov, S., Neven, G., Wee, H.: Pixel: multi-signatures for consensus. In: USENIX, pp. 2093–2110 (2020)
Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9
Haines, T., Boyen, X.: Votor: conceptually simple remote voting against tiny tyrants. In: Proceedings of the Australasian Computer Science Week Multiconference, pp. 1–13 (2016)
Lai, R.W., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: ACM CCS, pp. 31–48 (2019)
Libert, B., Peters, T., Qian, C.: Logarithmic-size ring signatures with tight security from the DDH assumption. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 288–308. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_15
Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Linkable ring signature with unconditional anonymity. IEEE Trans. Knowl. Data Eng. 26(1), 157–165 (2013)
Liu, J.K., Wong, D.S.: Solutions to key exposure problem in ring signature. Int. J. Netw. Secur. 6(2), 170–180 (2008)
Liu, J.K., Yuen, T.H., Zhou, J.: Forward secure ring signature without random oracles. In: Qing, S., Susilo, W., Wang, G., Liu, D. (eds.) ICICS 2011. LNCS, vol. 7043, pp. 1–14. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25243-3_1
Lu, X., Au, M.H., Zhang, Z.: Raptor: a practical lattice-based (linkable) ring signature. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 110–130. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_6
Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45247-8_8
Park, S., Sealfon, A.: It wasn’t me! In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 159–190. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_6
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725
Yuen, T.H., Esgin, M.F., Liu, J.K., Au, M.H., Ding, Z.: DualRing: generic construction of ring signatures with efficient instantiations. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 251–281. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_10
Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 464–483. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_25
Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_28
Acknowledgements
This work is supported by the EU’s research and innovation program: 952697 (ASSURED) and 101095634 (ENTRUST). These projects are funded by the UK government Horizon Europe guarantee and administered by UKRI. Yangguang Tian is partially supported by the National Natural Science Foundation of China under Grant No. 61872264. Yingjiu Li is supported in part by the Ripple University Blockchain Research Initiative.
Appendices
A Proof of Theorem 1
Proof
We define a sequence of games \(\mathbb {G}_i\), \(i=0, \cdots , 2\) and let \({\texttt{Adv}}_i^{\varSigma }\) denote the advantage of the adversary in game \(\mathbb {G}_i\). Assume that \({\mathcal {A}}\) issues at most q signing queries in each game.
- \(\mathbb {G}_0\): This is the original unforgeability game.
- \(\mathbb {G}_1\): This game is identical to game \(\mathbb {G}_0\) except for the following difference: \({\mathcal {S}}\) randomly chooses a challenge epoch \(t^*\) and a challenge user \(\texttt{pk}_i\) with regard to a forgery from \({\mathcal {A}}\). \({\mathcal {S}}\) will output a random bit if \({\mathcal {A}}\)’s forgery does not occur at epoch \(t^*\) and user \(\texttt{pk}_i\). In this game, \({\mathcal {S}}\) honestly generates all initial signing keys during setup. In particular, \({\mathcal {S}}\) sets the break-in epoch as \(\bar{t} = t^* + 1\). If \({\mathcal {A}}\) issues a break-in query at epoch \(\bar{t}'\) with respect to user \(\texttt{pk}_i\), such that \(\bar{t}' \ge \bar{t} \), then \({\mathcal {S}}\) returns \(\texttt{sk}_{(i, \bar{t}')}\) to \({\mathcal {A}}\). Since at most T epochs and n users exist in the system, we have
$$\begin{aligned} {\texttt{Adv}}_0^{\varSigma }= T \cdot n \cdot {\texttt{Adv}}_1^{\varSigma } \end{aligned}$$
- \(\mathbb {G}_2\): This game is identical to game \(\mathbb {G}_1\) except that \({\mathcal {S}}\) outputs a random bit if a Forge event happens, where \({\mathcal {A}}\)’s forgery is valid at epoch \(t^*\) under a public key set \(\textsf{PK}^*\) (that includes \(\texttt{pk}_i\)) while the corresponding signing key \(\texttt{sk}_{(i, t^*)}\) is not corrupted. Then we have
$$\begin{aligned} \left| {\texttt{Adv}}_1^{\varSigma }-{\texttt{Adv}}_2^{\varSigma } \right| \le {\textrm{Pr}}[{\textbf {Forge}}]. \end{aligned}$$
Let \({\mathcal {S}}\) be a challenger who is given \((g, h, g^a, g^b, h^a, h^b, \cdots , h^{b^{\ell }}, {\mathsf {\hat{e}}})\) and aims to compute \({\mathsf {\hat{e}}}(g, h)^{ab^{\ell +1}}\). \({\mathcal {S}}\) sets up the game for \({\mathcal {A}}\) by creating n users and T epochs. We assume that each epoch \(t = t_1 || t_2 || \cdots || t_{\ell }\) is a \(\{ 1,2 \}\)-string of length \(\ell \). \({\mathcal {S}}\) pads zeros if an epoch’s length is less than \(\ell \). \({\mathcal {S}}\) randomly selects a challenge user and sets its public key as \(\texttt{pk}_i=g^b\). \({\mathcal {S}}\) honestly generates key pairs for the remaining n-1 users. To complete the setup, \({\mathcal {S}}\) computes the system parameters as \(h = h^{b^{\ell }} \cdot \bar{H}^{\gamma } \), \(h_1 = \bar{H}^{\gamma _1}/ h^{b^{\ell }}, \cdots , h_{\ell } = \bar{H}^{\gamma _{\ell }} / h^{b} \), and \(h_0 = \bar{H}^{ \delta } \cdot h^{b^{\ell } \cdot t_1^*} \cdots \cdot h^{b \cdot t_{\ell }^*} \), where \(t^* = t_1^* || t_2^* || \cdots || t_{\ell }^*\), and \(\gamma , \gamma _1, \cdots \gamma _{\ell }, \delta , \bar{z} \in {\mathbb {Z}_q}, \bar{H} = h^{\bar{z}} \in \mathbb {H}\). Note that the value \(h^{b^{\ell +1}} \cdot \bar{H}^{ b \cdot \gamma }\) associated with user \(\texttt{pk}_i\)’s signing key is unknown to \({\mathcal {S}}\). During the game, \({\mathcal {S}}\) can honestly answer \({\mathcal {A}}\)’s corrupt queries with respect to all users except the challenge user \(\texttt{pk}_i\). If \({\mathcal {A}}\) queries the corrupt oracle on \(\texttt{pk}_i\), \({\mathcal {S}}\) aborts. Next, we show that \({\mathcal {S}}\) can simulate a signing key at epoch \(t = t_1 || \cdots || t_k || \cdots || t_{\ell }\), where \(k \in [1, \ell ]\). Note that \(t_k \ne t_k^*\) means that t is not a prefix of \(t^*\), where k is the smallest index with \(t_k \ne t_k^*\).
Specifically, \({\mathcal {S}}\) first chooses \(z \in {\mathbb {Z}_q}\) and sets \( r = \frac{b^{k}}{t_k - t_k^*} + z \). Then, \({\mathcal {S}}\) computes a signing key of the following form
$$\begin{aligned} ( g^r, h^{b} \cdot \underline{ (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r } , h_{k+1}^r, \cdots , h_{\ell }^r ) \end{aligned}$$ (2)
This is a well-formed key for epoch \(t = t_1 || \cdots || t_k \). We show that \({\mathcal {S}}\) can compute the underlined term in (2).
$$\begin{aligned} (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r & = [ \bar{H}^{ \delta } \cdot h^{b^{\ell } \cdot t_1^*} \cdots \cdot h^{b \cdot t_{\ell }^*} \cdot (\bar{H}^{\gamma _1}/ h^{b^{\ell }})^{t_1} \cdots (\bar{H}^{\gamma _{k}} / h^{b^{\ell - k + 1 }})^{t_k} ]^r \\ & = [ \bar{H}^{\delta + \varSigma _{i=1}^k t_i \cdot \gamma _i } \cdot \prod _{i=1}^{k-1} h_{\ell -i+1}^{t_i^* - t_i} \cdot h_{\ell - k +1}^{t_k^* - t_k} \cdot \prod _{i = k+1}^{\ell } h_{\ell -i +1}^{t_i^*} ]^r \\ & = Z \cdot h_{\ell - k +1}^{r (t_k^* - t_k)} \end{aligned}$$
where Z is given by
$$\begin{aligned} Z = [ \bar{H}^{\delta + \varSigma _{i=1}^k t_i \cdot \gamma _i } \cdot \underline{\prod _{i=1}^{k-1} h_{\ell -i+1}^{t_i^* - t_i} } \cdot \prod _{i = k+1}^{\ell } h_{\ell -i +1}^{t_i^*} ]^r \end{aligned}$$
\({\mathcal {S}}\) can compute all the terms in Z, and the underlined term in Z is equal to 1 because \(t_i = t_i^*\) for all \(i < k\). The remaining term in \((h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r\) is \(h_{\ell - k +1}^{r (t_k^* - t_k)}\). Since we set \( r = \frac{b^{k}}{t_k - t_k^*} + z \), we rewrite it as follows
$$\begin{aligned} h_{\ell - k +1}^{r \cdot (t_k^* - t_k)} = h_{\ell -k +1}^{z (t_k^* - t_k)} \cdot h_{\ell - k +1}^{ (t_k^* - t_k) \frac{b^{k}}{t_k - t_k^*} } = \frac{h_{\ell - k +1}^{z (t_k^* - t_k) }}{h^{b^{\ell +1}}} \end{aligned}$$
Hence, the second element in (2) is equal to
$$\begin{aligned} h^{b} \cdot \underline{ (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r } = h^{b^{\ell +1}} \cdot \bar{H}^{ b \cdot \gamma } \cdot Z \cdot \frac{h_{\ell - k +1}^{z (t_k^* - t_k) }}{h^{b^{\ell +1}}} = \bar{H}^{b \cdot \gamma } \cdot Z \cdot h_{\ell - k +1}^{z (t_k^* - t_k) } \end{aligned}$$
Thus \({\mathcal {S}}\) can simulate the second element in (2), because the unknown value \(h^{b^{\ell +1}}\) is cancelled out. Besides, the first element \(g^r\) in (2) and the other elements \((h_{k+1}^r, \cdots , h_{\ell }^r)\) can be easily computed by \({\mathcal {S}}\), since they do not involve \(h^{b^{\ell +1}}\). This completes the simulation of the signing key at epoch \(t \ne t^*\). \({\mathcal {S}}\) can simulate signing queries on different messages using the simulated signing keys at epoch \(t \ne t^*\). The remaining case is that \({\mathcal {S}}\) must simulate message-signature pairs at epoch \(t^*\). If \({\mathcal {A}}\) issues a signing query on a message m for a public key set \(\textsf{PK} = \{ \texttt{pk}_1 \cdots , \texttt{pk}_n \}\) (note that if \(\texttt{pk}_i \notin \textsf{PK}\), \({\mathcal {S}}\) aborts) at epoch \(t^*\), \({\mathcal {S}}\) performs the following operations to simulate a valid signature.
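As an added worked instance, not part of the paper, the cancellation above carried through for \(\ell = 2\): take \(t^* = t_1^* || t_2^*\) and \(t = t_1 || t_2\) with \(t_1 = t_1^*\) and \(t_2 \ne t_2^*\), so \(k = 2\). To keep the two uses of h apart, \(\tilde{h}\) below denotes the published parameter \(\tilde{h} = h^{b^{2}} \cdot \bar{H}^{\gamma }\) (this label is ours), so the challenge user's unknown secret base is \(\tilde{h}^{\,b} = h^{b^{3}} \cdot \bar{H}^{b \cdot \gamma }\). Expanding the product with the simulated parameters gives
$$\begin{aligned} h_0 \cdot h_1^{t_1} \cdot h_2^{t_2} & = \bar{H}^{ \delta } \cdot h^{b^{2} \cdot t_1^*} \cdot h^{b \cdot t_2^*} \cdot \left( \bar{H}^{\gamma _1}/ h^{b^{2}} \right)^{t_1} \cdot \left( \bar{H}^{\gamma _2}/ h^{b} \right)^{t_2} \\ & = \bar{H}^{\delta + \gamma _1 t_1 + \gamma _2 t_2} \cdot h^{b^{2} (t_1^* - t_1)} \cdot h^{b (t_2^* - t_2)} \\ & = \bar{H}^{\delta + \gamma _1 t_1 + \gamma _2 t_2} \cdot h^{b (t_2^* - t_2)} \qquad \text {(since } t_1 = t_1^* \text {)} \end{aligned}$$
and with \( r = \frac{b^{2}}{t_2 - t_2^*} + z \) the exponent \(b^{3}\) appears with a minus sign:
$$\begin{aligned} (h_0 \cdot h_1^{t_1} \cdot h_2^{t_2})^{r} & = \bar{H}^{r (\delta + \gamma _1 t_1 + \gamma _2 t_2)} \cdot h^{b z (t_2^* - t_2)} \cdot h^{ b (t_2^* - t_2) \frac{b^{2}}{t_2 - t_2^*} } \\ & = \bar{H}^{r (\delta + \gamma _1 t_1 + \gamma _2 t_2)} \cdot h^{b z (t_2^* - t_2)} \cdot h^{-b^{3}} \end{aligned}$$
so the second key element becomes
$$\begin{aligned} \tilde{h}^{\,b} \cdot (h_0 \cdot h_1^{t_1} \cdot h_2^{t_2})^{r} & = h^{b^{3}} \cdot \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{r (\delta + \gamma _1 t_1 + \gamma _2 t_2)} \cdot h^{b z (t_2^* - t_2)} \cdot h^{-b^{3}} \\ & = \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{r (\delta + \gamma _1 t_1 + \gamma _2 t_2)} \cdot h^{b z (t_2^* - t_2)} . \end{aligned}$$
The factor \(h^{b^{3}}\) cancels, and because \(\bar{H} = h^{\bar{z}}\) every remaining factor is a known power of \(h\), \(h^{b}\) or \(h^{b^{2}}\), all of which the challenger holds (for example \(\bar{H}^{r(\cdot)} = (h^{b^{2}})^{\bar{z} (\cdot)/(t_2 - t_2^*)} \cdot h^{\bar{z} z (\cdot)}\)).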
- Choose \(c_i, \{ c_j \}_{j=1}^{n-1}, \widehat{r_1}, \widehat{r_2} \in {\mathbb {Z}_q}\) and \(h^* \in \mathbb {H}\), compute \(\sigma _1 = h^* \cdot F(t^*)^{\widehat{r_1}} , \sigma _2 = g^{\widehat{r_2}}\), where \(F(t^*) = h_0 \cdot h_1^{t_1^*} \cdots h_{\ell }^{t_{\ell }^*}\).
- Set \(c_i = \texttt{H}(R||m|| \textsf{PK} ) - \sum _{j=1}^{n-1} c_j \), where \(R = \frac{ {\mathsf {\hat{e}}}( \texttt{pk}_i^{c_i} \cdot \prod _{j=1}^{n-1} \texttt{pk}_j^{c_j}, h ) }{{\mathsf {\hat{e}}}( g, h^* \cdot F(t^*)^{\widehat{r}} )}\) and \(\widehat{r} = \widehat{r_1} + \widehat{r_2} \).
- Return \((m, \sigma )\) to \({\mathcal {A}}\), where \( \sigma = (c_1, \cdots , c_n, \sigma _1, \sigma _2)\).
The simulator \({\mathcal {S}}\) can simulate the case \((\mathsf{PK^*}, t^*, m, \sigma )\) using the same method described above. Specifically, \({\mathcal {S}}\) sets \(c_i = \texttt{H}(R||m|| \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j \) (i.e., replaces \(\textsf{PK}\) with \(\mathsf{PK^*}\)). For a key-update query, \({\mathcal {S}}\) keeps track of the current epoch t without returning anything to \({\mathcal {A}}\). For a break-in query, \({\mathcal {S}}\) needs to simulate a signing key \(\texttt{sk}_{(i, \bar{t})}\) with respect to user \(\texttt{pk}_i\), such that \(t^* < \bar{t}\). \({\mathcal {S}}\) can simulate \(\texttt{sk}_{(i, \bar{t})}\) using the same method described in the case of \(t \ne t^*\), and return it to \({\mathcal {A}}\). At some point, if \({\mathcal {A}}\) outputs a forgery on a message \(m^*\) for a public key set \(\mathsf{PK^*}\) and \(t^*\) in the form of \( (m^*, c_1^* , \cdots , c_n^*, \sigma _1^*, \sigma _2^*)\), such that
$$\begin{aligned} \sigma _1^* & = [ h^{b^{\ell + 1 }} \cdot \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } ]^{c_i^*} \cdot ( \bar{H}^{ \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* } )^{\widehat{r_1^*}} \\ \sigma _2^* & = g^{\widehat{r_2^*}}/ g^{r^* \cdot c_i^*} \end{aligned}$$
where \(c_i^* = \texttt{H}( R^* ||m^* || \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j^* , R^* = {\mathsf {\hat{e}}}( \prod _{j=1}^{n-1} \texttt{pk}_j^{c_j^*}, h ) \cdot {\mathsf {\hat{e}}}( g, (\bar{H}^{ \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* })^{\widehat{r^*}} ) \), and \(\widehat{r^*} = \widehat{r_1^*} + \widehat{r_2^*}\) (note that \( r^*, \widehat{r_1^*}, \widehat{r_2^*} \) are chosen by \({\mathcal {A}}\)), then \({\mathcal {S}}\) checks the following conditions.
- The public key set \(\mathsf{PK^*}\) includes the challenge user \(\texttt{pk}_i\).
- The message-signature pair \((m^*, c_1^*, \cdots , c_n^*, \sigma _1^*, \sigma _2^*)\) was not previously generated by \({\mathcal {S}}\).
- The signature \((\sigma _1^*, \sigma _2^*)\) is valid on message \(m^*\) and public key set \(\mathsf{PK^*}\) according to the Verify process.
If all the above conditions hold, \({\mathcal {S}}\) regards it as a valid forgery. The next step is that \({\mathcal {S}}\) rewinds the game according to the forking lemma [9] and obtains another valid forgery \( (\sigma _1', \sigma _2') \) with a different \(c_i^{*'} = \texttt{H}( R^*|| m^*|| \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j^* \) (note that the different value \(c^{*'}\) happens with probability 1/n). Eventually, \({\mathcal {S}}\) computes the following
$$\begin{aligned} E & = (\sigma _1 /\sigma _1')^{1/ (c_i^* - c_i^{*'}) } = h^{b^{\ell + 1 }} \cdot \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } \\ F & = (\sigma _2' /\sigma _2)^{1/( c_i^{*'} - c_i^* ) } = g^{r^*} \\ D & = \frac{{\mathsf {\hat{e}}}( g^a, E )}{ {\mathsf {\hat{e}}}(g^a , \bar{H}^{b \cdot \gamma } ) {\mathsf {\hat{e}}}( F, h^{a \cdot ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* )} ) } \\ & = [\frac{{\mathsf {\hat{e}}}(g^a, h^{b^{\ell + 1 }} ) {\mathsf {\hat{e}}}(g^a , \bar{H}^{b \cdot \gamma } ) {\mathsf {\hat{e}}}( g^a, \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } ) }{ {\mathsf {\hat{e}}}(g^a , h^{b \cdot \bar{r} \cdot \gamma } ) {\mathsf {\hat{e}}}( g^{ r^* }, h^{a \cdot ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* )} ) }] \\ & = {\mathsf {\hat{e}}}(g, h)^{a b^{\ell + 1} } \end{aligned}$$
It is easy to see that D is the solution to the wBDHI problem. Therefore, we have
$$\begin{aligned} \left| {\textrm{Pr}}[{\textbf {Forge}}] \right| \le {\texttt{Adv}}_{{\mathcal {A}}}^{\text {wBDHI}}(\lambda ). \end{aligned}$$
By combining the above results together, we have
B Proof of Theorem 2
Proof
The simulation is performed between an adversary \({\mathcal {A}}\) and a simulator \({\mathcal {S}}\). The goal of simulator \({\mathcal {S}}\) is to break anonymity. In this simulation, \({\mathcal {S}}\) simulates \(\texttt{H}\) as a random oracle.
\({\mathcal {S}}\) sets up the game for \({\mathcal {A}}\) by creating n users with the corresponding key pairs \(\{ (\texttt{pk}_i, \texttt{sk}_i) \leftarrow \textsf{KeyGen} (\textsf{PP}; w_i) \}\), where \( \textsf{PP} \leftarrow \textsf{Setup} (1^{\lambda })\). \({\mathcal {S}}\) gives \(\{ \texttt{pk}_i \}^n\) to \({\mathcal {A}}\). \({\mathcal {S}}\) also chooses a random bit b.
During the training phase, if \({\mathcal {A}}\) issues a signing query on a message m, a set of public keys \(\textsf{PK}\) with the signer index j at epoch t, then \({\mathcal {S}}\) generates \( \sigma \leftarrow \textsf{Sign} ( \textsf{PP}, \texttt{sk}_{(j, t)} , m, \textsf{PK}, t ) \) and returns it to \({\mathcal {A}}\).
During the challenge phase, if \({\mathcal {A}}\) issues a signing query on a message \(m^*\), a set of public keys \(\mathsf{PK^*}\), two indices \((i_0, i_1)\) and an epoch \(t^*\), then \({\mathcal {S}}\) simulates the signature \(\sigma ^* = ( \sigma _1^*, \sigma _2^*, c_1^*, \cdots , c_n^* )\) using the same method described in the above game \(\mathbb {G}_2\) (i.e., the case of \(t = t^*\)). Eventually, \({\mathcal {S}}\) returns \(\sigma ^*\) and \(\{ w_i \}^n\) to \({\mathcal {A}}\). Recall that in the simulation of signature \(\sigma ^*\), \({\mathcal {S}}\) picks \(c_1^*, \cdots , c_n \) at random in \({\mathbb {Z}_q}\), and sets \(c_i = \texttt{H}( R^* || m^* || \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j\) in the random oracle. The distribution of message-signature pair \(( m^*, \sigma ^* )\) is correct. Note that the commutative operation \(\sum _{i=1}^n c_i \) is also uniformly distributed in \({\mathbb {Z}_q}\), and \({\mathcal {S}}\) aborts if the hash value \(\texttt{H}( R^* || m^* || \mathsf{PK^*} )\) is already set by the random oracle \(\texttt{H}\).
Finally, \({\mathcal {S}}\) outputs whatever \({\mathcal {A}}\) outputs. Since b is not used in the simulation of message-signature pair in the challenge phase (i.e., \({\mathcal {S}}\) simulates a valid signature without using the signing key \(\texttt{sk}_{(i_b, t^*)}\)), \({\mathcal {A}}\) wins only with probability 1/2.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Li, N., Li, Y., Miyaji, A., Tian, Y., Yuen, T.H. (2023). A Practical Forward-Secure DualRing. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_23
DOI: https://doi.org/10.1007/978-981-99-7563-1_23
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1