A Practical Forward-Secure DualRing

  • Conference paper, in: Cryptology and Network Security (CANS 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14342)

Abstract

Ring signature allows a signer to generate a signature on behalf of a set of public keys, while a verifier can verify the signature without identifying who the actual signer is. In Crypto 2021, Yuen et al. proposed a new type of ring signature scheme called DualRing. However, it lacks forward security. The security of DualRing cannot be guaranteed if the signer’s secret key is compromised. To address this problem, we introduce forward-secure DualRing, in which a signer can periodically update their secret key using a “split-and-combine” method. A practical instantiation of our scheme enjoys a logarithmic complexity in signature size and key size. Implementation and evaluation further validate the practicality of our proposed scheme.


References

  1. Double Ratchet Algorithm. https://www.signal.org/docs/specifications/doubleratchet

  2. Our Source Code. https://github.com/SMC-SMU/Forward-secure-DualRing

  3. X3DH Key Agreement Protocol. https://signal.org/docs/specifications/x3dh

  4. Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of-n signatures from a variety of keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_26

  5. Adida, B.: Helios: web-based open-audit voting. In: USENIX Security Symposium, 17, pp. 335–348 (2008)

  6. Akinyele, J.A., et al.: Charm: a framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 3(2), 111–128 (2013)

  7. Au, M.H., Susilo, W., Yiu, S.-M.: Event-oriented k-times revocable-iff-linked group signatures. In: Batten, L.M., Safavi-Naini, R. (eds.) ACISP 2006. LNCS, vol. 4058, pp. 223–234. Springer, Heidelberg (2006). https://doi.org/10.1007/11780656_19

  8. Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_28

  9. Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: CCS, pp. 390–399 (2006)

  10. Bender, A., Katz, J., Morselli, R.: Ring signatures: stronger definitions, and constructions without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 60–79. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_4

  11. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

  12. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324(1), 71–90 (2003)

  13. Bootle, J., Cerulli, A., Chaidos, P., Ghadafi, E., Groth, J., Petit, C.: Short accountable ring signatures based on DDH. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9326, pp. 243–265. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24174-6_13

  14. Boyd, C., Gellert, K.: A modern view on forward security. Comput. J. 64(4), 639–652 (2021)

  15. Boyen, X., Haines, T.: Forward-secure linkable ring signatures. In: Susilo, W., Yang, G. (eds.) ACISP 2018. LNCS, vol. 10946, pp. 245–264. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-93638-3_15

  16. Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., Tibouchi, M.: Efficient indifferentiable hashing into ordinary elliptic curves. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 237–254. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_13

  17. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_16

  18. Di Raimondo, M., Gennaro, R.: New approaches for deniable authentication. In: CCS, pp. 112–121 (2005)

  19. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in Ad Hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36

  20. Drijvers, M., Gorbunov, S., Neven, G., Wee, H.: Pixel: multi-signatures for consensus. In: USENIX, pp. 2093–2110 (2020)

  21. Groth, J., Kohlweiss, M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 253–280. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_9

  22. Haines, T., Boyen, X.: Votor: conceptually simple remote voting against tiny tyrants. In: Proceedings of the Australasian Computer Science Week Multiconference, pp. 1–13 (2016)

  23. Lai, R.W., Ronge, V., Ruffing, T., Schröder, D., Thyagarajan, S.A.K., Wang, J.: Omniring: scaling private payments without trusted setup. In: ACM CCS, pp. 31–48 (2019)

  24. Libert, B., Peters, T., Qian, C.: Logarithmic-size ring signatures with tight security from the DDH assumption. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11099, pp. 288–308. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98989-1_15

  25. Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Linkable ring signature with unconditional anonymity. IEEE Trans. Knowl. Data Eng. 26(1), 157–165 (2013)

  26. Liu, J.K., Wong, D.S.: Solutions to key exposure problem in ring signature. Int. J. Netw. Secur. 6(2), 170–180 (2008)

  27. Liu, J.K., Yuen, T.H., Zhou, J.: Forward secure ring signature without random oracles. In: Qing, S., Susilo, W., Wang, G., Liu, D. (eds.) ICICS 2011. LNCS, vol. 7043, pp. 1–14. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25243-3_1

  28. Lu, X., Au, M.H., Zhang, Z.: Raptor: a practical lattice-based (linkable) ring signature. In: Deng, R.H., Gauthier-Umaña, V., Ochoa, M., Yung, M. (eds.) ACNS 2019. LNCS, vol. 11464, pp. 110–130. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-21568-2_6

  29. Miyaji, A., Nakabayashi, M., Takano, S.: Characterization of elliptic curve traces under FR-reduction. In: Won, D. (ed.) ICISC 2000. LNCS, vol. 2015, pp. 90–108. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45247-8_8

  30. Park, S., Sealfon, A.: It wasn’t me! In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 159–190. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_6

  31. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32

  32. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725

  33. Yuen, T.H., Esgin, M.F., Liu, J.K., Au, M.H., Ding, Z.: DualRing: generic construction of ring signatures with efficient instantiations. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12825, pp. 251–281. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_10

  34. Yuen, T.H., et al.: RingCT 3.0 for blockchain confidential transaction: shorter size and stronger security. In: Bonneau, J., Heninger, N. (eds.) FC 2020. LNCS, vol. 12059, pp. 464–483. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-51280-4_25

  35. Zagórski, F., Carback, R.T., Chaum, D., Clark, J., Essex, A., Vora, P.L.: Remotegrity: design and use of an end-to-end verifiable remote voting system. In: Jacobson, M., Locasto, M., Mohassel, P., Safavi-Naini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 441–457. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38980-1_28

Acknowledgements

This work is supported by the EU’s research and innovation program: 952697 (ASSURED) and 101095634 (ENTRUST). These projects are funded by the UK government Horizon Europe guarantee and administered by UKRI. Yangguang Tian is partially supported by the National Natural Science Foundation of China under Grant No. 61872264. Yingjiu Li is supported in part by the Ripple University Blockchain Research Initiative.

Corresponding author

Correspondence to Yangguang Tian.

Appendices

A Proof of Theorem 1

Proof

We define a sequence of games \(\mathbb {G}_i\), \(i=0, \cdots , 2\) and let \({\texttt{Adv}}_i^{\varSigma }\) denote the advantage of the adversary in game \(\mathbb {G}_i\). Assume that \({\mathcal {A}}\) issues at most q signing queries in each game.

  • \(\mathbb {G}_0\): This is the original unforgeability game.

  • \(\mathbb {G}_1\): This game is identical to game \(\mathbb {G}_0\) except for the following difference: \({\mathcal {S}}\) randomly chooses a challenge epoch \(t^*\) and a challenge user \(\texttt{pk}_i\) with respect to the forgery expected from \({\mathcal {A}}\). \({\mathcal {S}}\) outputs a random bit if \({\mathcal {A}}\)’s forgery does not occur at epoch \(t^*\) and user \(\texttt{pk}_i\). In this game, \({\mathcal {S}}\) honestly generates all initial signing keys during setup. In particular, \({\mathcal {S}}\) sets the break-in epoch as \(\bar{t} = t^* + 1\). If \({\mathcal {A}}\) issues a break-in query at epoch \(\bar{t}'\) with respect to user \(\texttt{pk}_i\), such that \(\bar{t}' \ge \bar{t} \), then \({\mathcal {S}}\) returns \(\texttt{sk}_{(i, \bar{t}')}\) to \({\mathcal {A}}\). Since at most T epochs and n users exist in the system, we have

    $$\begin{aligned} {\texttt{Adv}}_0^{\varSigma }= T \cdot n \cdot {\texttt{Adv}}_1^{\varSigma } \end{aligned}$$
  • \(\mathbb {G}_2\): This game is identical to game \(\mathbb {G}_1\) except that \({\mathcal {S}}\) outputs a random bit if a Forge event happens where \({\mathcal {A}}\)’s forgery is valid at epoch \(t^*\) under a public key set \(\textsf{PK}^*\) (that includes \(\texttt{pk}_i\)) while the corresponding signing key \(\texttt{sk}_{(i, t^*)}\) is not corrupted. Then we have

    $$\begin{aligned} \left| {\texttt{Adv}}_1^{\varSigma }-{\texttt{Adv}}_2^{\varSigma } \right| \le {\textrm{Pr}}[{\textbf {Forge}}]. \end{aligned}$$

    Let \({\mathcal {S}}\) be a challenger, who is given \((g, h, g^a, g^b, h^a, h^b, \cdots , h^{b^{\ell }}, {\mathsf {\hat{e}}})\), aiming to compute \({\mathsf {\hat{e}}}(g, h)^{ab^{\ell +1}}\). \({\mathcal {S}}\) sets up the game for \({\mathcal {A}}\) by creating n users and T epochs. We assume that each epoch \(t = t_1 || t_2 || \cdots || t_{\ell }\) is a \(\{ 1,2 \}\)-string of length \(\ell \). \({\mathcal {S}}\) pads zeros if an epoch’s length is less than \(\ell \). \({\mathcal {S}}\) randomly selects a challenge user and sets its public key as \(\texttt{pk}_i=g^b\). \({\mathcal {S}}\) honestly generates key pairs for the other \(n-1\) users. To complete the setup, \({\mathcal {S}}\) computes the system parameters as \(h = h^{b^{\ell }} \cdot \bar{H}^{\gamma } \), \(h_1 = \bar{H}^{\gamma _1}/ h^{b^{\ell }}, \cdots , h_{\ell } = \bar{H}^{\gamma _{\ell }} / h^{b} \), and \(h_0 = \bar{H}^{ \delta } \cdot h^{b^{\ell } \cdot t_1^*} \cdots \cdot h^{b \cdot t_{\ell }^*} \), where \(t^* = t_1^* || t_2^* || \cdots || t_{\ell }^*\), and \(\gamma , \gamma _1, \cdots \gamma _{\ell }, \delta , \bar{z} \in {\mathbb {Z}_q}, \bar{H} = h^{\bar{z}} \in \mathbb {H}\). Note that the value \(h^{b^{\ell +1}} \cdot \bar{H}^{ b \cdot \gamma }\) associated with user \(\texttt{pk}_i\)’s signing key is unknown to \({\mathcal {S}}\). During the game, \({\mathcal {S}}\) can honestly answer \({\mathcal {A}}\)’s corrupt queries with respect to all users except the challenge user \(\texttt{pk}_i\). If \({\mathcal {A}}\) queries the corrupt oracle on \(\texttt{pk}_i\), \({\mathcal {S}}\) aborts. Next, we show that \({\mathcal {S}}\) can simulate a signing key at epoch \(t = t_1 || \cdots || t_k || \cdots || t_{\ell }\), where \(k \in [1, \ell ]\). Note that \(t_k \ne t_k^*\) means that t is not a prefix of \(t^*\), and k is the smallest such index at epoch t. Specifically, \({\mathcal {S}}\) first chooses \(z \in {\mathbb {Z}_q}\), and sets \( r = \frac{b^{k}}{t_k - t_k^*} + z \). Then, \({\mathcal {S}}\) computes a signing key of the following form

    $$\begin{aligned} ( g^r, h^{b} \cdot \underline{ (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r } , h_{k+1}^r, \cdots , h_{\ell }^r ) \end{aligned}$$
    (2)

    This is a well-formed key for epoch \(t = t_1 || \cdots || t_k \). We show that \({\mathcal {S}}\) can compute the underlined term in (2).

    $$\begin{aligned} (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r & = [ \bar{H}^{ \delta } \cdot h^{b^{\ell } \cdot t_1^*} \cdots \cdot h^{b \cdot t_{\ell }^*} \cdot (\bar{H}^{\gamma _1}/ h^{b^{\ell }})^{t_1} \cdots (\bar{H}^{\gamma _{k}} / h^{b^{\ell - k + 1 }})^{t_k} ]^r \\ & = [ \bar{H}^{\delta + \varSigma _{i=1}^k t_i \cdot \gamma _i } \cdot \prod _{i=1}^{k-1} h_{\ell -i+1}^{t_i^* - t_i} \cdot h_{\ell - k +1}^{t_k^* - t_k} \cdot \prod _{i = k+1}^{\ell } h_{\ell -i +1}^{t_i^*} ]^r \\ & = Z \cdot h_{\ell - k +1}^{r (t_k^* - t_k)} \end{aligned}$$

    where Z is defined as follows

    $$\begin{aligned} Z = [ \bar{H}^{\delta + \varSigma _{i=1}^k t_i \cdot \gamma _i } \cdot \underline{\prod _{i=1}^{k-1} h_{\ell -i+1}^{t_i^* - t_i} } \cdot \prod _{i = k+1}^{\ell } h_{\ell -i +1}^{t_i^*} ]^r \end{aligned}$$

    \({\mathcal {S}}\) can compute all the terms in Z, and the underlined term in Z is equal to 1 because \(t_i = t_i^*\) for all \(i < k\). The remaining term in \((h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r\) is \(h_{\ell - k +1}^{r (t_k^* - t_k)}\). Since we set \( r = \frac{b^{k}}{t_k - t_k^*} + z \), we rewrite it as follows

    $$\begin{aligned} h_{\ell - k +1}^{r \cdot (t_k^* - t_k)} = h_{\ell -k +1}^{z (t_k^* - t_k)} \cdot h_{\ell - k +1}^{ (t_k^* - t_k) \frac{b^{k}}{t_k - t_k^*} } = \frac{h_{\ell - k +1}^{z (t_k^* - t_k) }}{h^{b^{\ell +1}}} \end{aligned}$$

    Hence, the second element in (2) is equal to

    $$\begin{aligned} h^{b} \cdot \underline{ (h_0 \cdot h_1^{t_1} \cdots h_k^{t_k} )^r } = h^{b^{\ell +1}} \cdot \bar{H}^{ b \cdot \gamma } \cdot Z \cdot \frac{h_{\ell - k +1}^{z (t_k^* - t_k) }}{h^{b^{\ell +1}}} = \bar{H}^{b \cdot \gamma } \cdot Z \cdot h_{\ell - k +1}^{z (t_k^* - t_k) } \end{aligned}$$

    Therefore, \({\mathcal {S}}\) can simulate the second element in (2), because the unknown value \(h^{b^{\ell +1}}\) cancels out. Besides, the first element \(g^r\) in (2) and the other elements \((h_{k+1}^r, \cdots , h_{\ell }^r)\) can easily be computed by \({\mathcal {S}}\), since they do not involve \(h^{b^{\ell +1}}\). This completes the simulation of the signing key at epoch \(t \ne t^*\). \({\mathcal {S}}\) can answer signing queries on different messages using the simulated signing keys at epoch \(t \ne t^*\). The other case is that \({\mathcal {S}}\) must simulate message-signature pairs at epoch \(t^*\). If \({\mathcal {A}}\) issues a signing query on a message m for a public key set \(\textsf{PK} = \{ \texttt{pk}_1, \cdots , \texttt{pk}_n \}\) (note that if \(\texttt{pk}_i \notin \textsf{PK}\), \({\mathcal {S}}\) aborts) at epoch \(t^*\), \({\mathcal {S}}\) performs the following operations to simulate a valid signature.

    • Choose \(c_i, \{ c_j \}_{j=1}^{n-1}, \widehat{r_1}, \widehat{r_2} \in {\mathbb {Z}_q}\) and \(h^* \in \mathbb {H}\), compute \(\sigma _1 = h^* \cdot F(t^*)^{\widehat{r_1}} , \sigma _2 = g^{\widehat{r_2}}\), where \(F(t^*) = h_0 \cdot h_1^{t_1^*} \cdots h_{\ell }^{t_{\ell }^*}\).

    • Set \(c_i = \texttt{H}(R||m|| \textsf{PK} ) - \sum _{j=1}^{n-1} c_j \), where \(R = \frac{ {\mathsf {\hat{e}}}( \texttt{pk}_i^{c_i} \cdot \prod _{j=1}^{n-1} \texttt{pk}_j^{c_j}, h ) }{{\mathsf {\hat{e}}}( g, h^* \cdot F(t^*)^{\widehat{r}} )}\) and \(\widehat{r} = \widehat{r_1} + \widehat{r_2} \).

    • Return \((m, \sigma )\) to \({\mathcal {A}}\), where \( \sigma = (c_1, \cdots , c_n, \sigma _1, \sigma _2)\).

    The simulator \({\mathcal {S}}\) can simulate the case \((\mathsf{PK^*}, t^*, m, \sigma )\) using the same method described above. Specifically, \({\mathcal {S}}\) sets \(c_i = \texttt{H}(R||m|| \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j \) (i.e., it replaces \(\textsf{PK}\) with \(\mathsf{PK^*}\)). For key update queries, \({\mathcal {S}}\) keeps track of the current epoch t without returning anything to \({\mathcal {A}}\). For a break-in query, \({\mathcal {S}}\) needs to simulate a signing key \(\texttt{sk}_{(i, \bar{t})}\) with respect to user \(\texttt{pk}_i\), such that \(t^* < \bar{t}\). \({\mathcal {S}}\) can simulate \(\texttt{sk}_{(i, \bar{t})}\) using the same method described for the case \(t \ne t^*\), and returns it to \({\mathcal {A}}\). At some point, if \({\mathcal {A}}\) outputs a forgery on a message \(m^*\) for a public key set \(\mathsf{PK^*}\) and \(t^*\) in the form of \( (m^*, c_1^* , \cdots , c_n^*, \sigma _1^*, \sigma _2^*)\), such that

    $$\begin{aligned} \sigma _1^* & = [ h^{b^{\ell + 1 }} \cdot \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } ]^{c_i^*} \cdot ( \bar{H}^{ \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* } )^{\widehat{r_1^*}} \\ \sigma _2^* & = g^{\widehat{r_2^*}}/ g^{r^* \cdot c_i^*} \end{aligned}$$

    where \(c_i^* = \texttt{H}( R^* ||m^* || \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j^* , R^* = {\mathsf {\hat{e}}}( \prod _{j=1}^{n-1} \texttt{pk}_j^{c_j^*}, h ) \cdot {\mathsf {\hat{e}}}( g, (\bar{H}^{ \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* })^{\widehat{r^*}} ) \), and \(\widehat{r^*} = \widehat{r_1^*} + \widehat{r_2^*}\) (note that \( r^*, \widehat{r_1^*}, \widehat{r_2^*} \) are chosen by \({\mathcal {A}}\)), then \({\mathcal {S}}\) checks the following conditions.

    • The public key set \(\mathsf{PK^*}\) includes the challenge user \(\texttt{pk}_i\).

    • The message-signature pair \((m^*, c_1^*, \cdots , c_n^*, \sigma _1^*, \sigma _2^*)\) was not previously generated by \({\mathcal {S}}\).

    • The signature \((\sigma _1^*, \sigma _2^*)\) is valid on message \(m^*\) and public key set \(\mathsf{PK^*}\) according to the Verify process.

    If all the above conditions hold, \({\mathcal {S}}\) regards it as a valid forgery. The next step is that \({\mathcal {S}}\) rewinds the game according to the forking lemma [9], and obtains another valid forgery \( (\sigma _1', \sigma _2') \) with a different \(c_i^{*'} = \texttt{H}( R^*|| m^*|| \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j^* \) (note that the different value \(c^{*'}\) happens with probability 1/n). Eventually, \({\mathcal {S}}\) computes the following equations

    $$\begin{aligned} E & = (\sigma _1 /\sigma _1')^{1/ (c_i^* - c_i^{*'}) } = h^{b^{\ell + 1 }} \cdot \bar{H}^{b \cdot \gamma } \cdot \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } \\ F & = (\sigma _2' /\sigma _2)^{1/( c_i^{*'} - c_i^* ) } = g^{r^*} \\ D & = \frac{{\mathsf {\hat{e}}}( g^a, E )}{ {\mathsf {\hat{e}}}(g^a , \bar{H}^{b \cdot \gamma } ) {\mathsf {\hat{e}}}( F, h^{a \cdot ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* )} ) } \\ & = [\frac{{\mathsf {\hat{e}}}(g^a, h^{b^{\ell + 1 }} ) {\mathsf {\hat{e}}}(g^a , \bar{H}^{b \cdot \gamma } ) {\mathsf {\hat{e}}}( g^a, \bar{H}^{ r^* ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* ) } ) }{ {\mathsf {\hat{e}}}(g^a , h^{b \cdot \bar{r} \cdot \gamma } ) {\mathsf {\hat{e}}}( g^{ r^* }, h^{a \cdot ( \delta + \sum _{i=1}^{|t^*|} \gamma _i \cdot t_i^* )} ) }] \\ & = {\mathsf {\hat{e}}}(g, h)^{a b^{\ell + 1} } \end{aligned}$$

    It is easy to see that D is the solution to the wBDHI problem. Therefore, we have

    $$\begin{aligned} \left| {\textrm{Pr}}[{\textbf {Forge}}] \right| \le {\texttt{Adv}}_{{\mathcal {A}}}^{\text {wBDHI}}(\lambda ). \end{aligned}$$

By combining the above results together, we have

$$\begin{aligned} {\texttt{Adv}}_{\mathcal {A}}^{\varSigma }(\lambda ) \le T \cdot n \cdot {\texttt{Adv}}_{{\mathcal {A}}}^{\text {wBDHI}}(\lambda ). \end{aligned}$$

B Proof of Theorem 2

Proof

The simulation is performed between an adversary \({\mathcal {A}}\) and a simulator \({\mathcal {S}}\). The goal of simulator \({\mathcal {S}}\) is to break anonymity. In this simulation, \({\mathcal {S}}\) simulates \(\texttt{H}\) as a random oracle.

\({\mathcal {S}}\) sets up the game for \({\mathcal {A}}\) by creating n users with the corresponding key pairs \(\{ (\texttt{pk}_i, \texttt{sk}_i) \leftarrow \textsf{KeyGen} (\textsf{PP}; w_i) \}\), where \( \textsf{PP} \leftarrow \textsf{Setup} (1^{\lambda })\). \({\mathcal {S}}\) gives \(\{ \texttt{pk}_i \}^n\) to \({\mathcal {A}}\). \({\mathcal {S}}\) also chooses a random bit b.

During the training phase, if \({\mathcal {A}}\) issues a signing query on a message m, a set of public keys \(\textsf{PK}\) with the signer index j at epoch t, then \({\mathcal {S}}\) generates \( \sigma \leftarrow \textsf{Sign} ( \textsf{PP}, \texttt{sk}_{(j, t)} , m, \textsf{PK}, t ) \) and returns it to \({\mathcal {A}}\).

During the challenge phase, if \({\mathcal {A}}\) issues a signing query on a message \(m^*\), a set of public keys \(\mathsf{PK^*}\), two indices \((i_0, i_1)\) and an epoch \(t^*\), then \({\mathcal {S}}\) simulates the signature \(\sigma ^* = ( \sigma _1^*, \sigma _2^*, c_1^*, \cdots , c_n^* )\) using the same method described in game \(\mathbb {G}_2\) above (i.e., the case \(t = t^*\)). Eventually, \({\mathcal {S}}\) returns \(\sigma ^*\) and \(\{ w_i \}^n\) to \({\mathcal {A}}\). Recall that in the simulation of the signature \(\sigma ^*\), \({\mathcal {S}}\) picks \(c_1^*, \cdots , c_n^* \) at random in \({\mathbb {Z}_q}\), and sets \(c_i = \texttt{H}( R^* || m^* || \mathsf{PK^*} ) - \sum _{j=1}^{n-1} c_j\) by programming the random oracle. The distribution of the message-signature pair \(( m^*, \sigma ^* )\) is correct. Note that the sum \(\sum _{i=1}^n c_i \) is also uniformly distributed in \({\mathbb {Z}_q}\), and \({\mathcal {S}}\) aborts if the hash value \(\texttt{H}( R^* || m^* || \mathsf{PK^*} )\) has already been set by the random oracle \(\texttt{H}\).

Finally, \({\mathcal {S}}\) outputs whatever \({\mathcal {A}}\) outputs. Since b is not used in the simulation of the message-signature pair in the challenge phase (i.e., \({\mathcal {S}}\) simulates a valid signature without using the signing key \(\texttt{sk}_{(i_b, t^*)}\)), \({\mathcal {A}}\) wins only with probability 1/2.
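The challenge-programming step that both proofs rely on (the signing-query simulation at epoch \(t^*\) in Appendix A and the random-oracle argument in Appendix B), modelled as an added Python example that is not code from the paper or its repository. The pairing-based parts \(\sigma_1, \sigma_2\) are abstracted into an opaque commitment string R, the group order q is a constructed prime, and the oracle is a lazily sampled table that the simulator may program once per input; a second programming attempt on the same input is the abort event of the proof of Theorem 2.

```python
import secrets

# Constructed modulus standing in for the group order q of the paper; the real
# scheme works over a pairing-friendly group and this value is only illustrative.
Q = (1 << 127) - 1


class ProgrammableRO:
    """Random oracle H: bytes -> Z_q, lazily sampled, with simulator programming.

    query() is the honest oracle: a fresh input receives a uniform value in Z_q.
    program() is the simulator's privilege in the proof: it fixes H on an input
    nobody has queried yet.  If the input already has a value the simulated
    signature cannot be made consistent, so the simulator aborts.
    """

    def __init__(self):
        self.table = {}

    def query(self, x: bytes) -> int:
        if x not in self.table:
            self.table[x] = secrets.randbelow(Q)
        return self.table[x]

    def program(self, x: bytes, value: int) -> None:
        if x in self.table:
            raise RuntimeError("abort: H already defined on R || m || PK")
        self.table[x] = value % Q


def ro_input(R: bytes, m: bytes, pk_set: list) -> bytes:
    """Length-prefixed encoding of R || m || PK so distinct tuples never collide."""
    parts = [R, m, *pk_set]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def honest_challenges(H: ProgrammableRO, R: bytes, m: bytes, pk_set: list, i: int) -> list:
    """Real signer with index i: random c_j for j != i, then c_i = H(...) - sum c_j."""
    n = len(pk_set)
    c = [secrets.randbelow(Q) for _ in range(n)]
    others = sum(c[j] for j in range(n) if j != i)
    c[i] = (H.query(ro_input(R, m, pk_set)) - others) % Q
    return c


def simulated_challenges(H: ProgrammableRO, R: bytes, m: bytes, pk_set: list) -> list:
    """Simulator S: every c_j is random and H is programmed to equal their sum.

    No signer index is needed, which is exactly why the challenge signature in
    the anonymity game carries no information about the bit b.
    """
    c = [secrets.randbelow(Q) for _ in pk_set]
    H.program(ro_input(R, m, pk_set), sum(c))
    return c


def simulation_aborts(H: ProgrammableRO, R: bytes, m: bytes, pk_set: list) -> bool:
    """True iff S would have to abort: H(R || m || PK) is already set in the oracle."""
    return ro_input(R, m, pk_set) in H.table


def challenge_sum_ok(H: ProgrammableRO, R: bytes, m: bytes, pk_set: list, c: list) -> bool:
    """The part of Verify that involves only the challenges: sum c_j == H(R || m || PK)."""
    return len(c) == len(pk_set) and sum(c) % Q == H.query(ro_input(R, m, pk_set))
```

Both the honest and the simulated challenge vectors pass the same check, and the simulated one was produced without any signing key, which is the whole content of the anonymity argument.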

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

Cite this paper

Li, N., Li, Y., Miyaji, A., Tian, Y., Yuen, T.H. (2023). A Practical Forward-Secure DualRing. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_23

  • DOI: https://doi.org/10.1007/978-981-99-7563-1_23

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-7562-4

  • Online ISBN: 978-981-99-7563-1
