Efficient Lattice-Based Ring Signature Scheme without Trapdoors for Machine Learning

Machine learning (ML) and privacy protection are inseparable. On the one hand, ML can be the target of privacy protection; on the other hand, it can also be used as an attack tool against privacy protection. The ring signature (RS) is an effective cryptographic technique for privacy protection. In particular, lattice-based RS can still protect the privacy of users even in the presence of quantum computers. However, most current lattice-based RS schemes rely on a strong trapdoor in the hash-and-sign style, and in such constructions a hidden algebraic structure is added to the lattice so that the shape of the trapdoor is not leaked, which greatly affects the computational efficiency of the RS. In this study, utilizing the Lyubashevsky collision-resistant hash function over lattices, we construct an RS scheme without trapdoors on ideal lattices via the Fiat‒Shamir with aborts (FSwA) protocol. Regarding security, the proposed scheme satisfies unconditional anonymity against chosen setting attacks (UA-CSA), which is stronger than anonymity against full key exposure (anonymity-FKE); moreover, our scheme satisfies unforgeability with respect to insider corruption (EU-IC). Regarding computational overhead, compared with other RS schemes that satisfy the same degree of security, our scheme has the highest computational efficiency: the signing and verification time costs of the proposed scheme are clearly better than those of other lattice-based RS schemes without trapdoors, which makes it more suitable for ML scenarios.


Introduction
Machine learning (ML) and privacy protection are inextricably linked. On the one hand, ML itself requires privacy protection, i.e., the training datasets and models in ML systems should not be disclosed. On the other hand, ML can also be an attack tool against privacy protection, and protecting users' sensitive information against increasingly powerful ML techniques is a challenging task.
The ring signature (RS), introduced by Rivest et al. [1] in 2001, is an effective cryptographic technique for privacy protection: on the one hand it lets the recipient of the data trust that the source of the data is reliable, and on the other hand it obscures the identity of the data owner, so that the recipient cannot be sure who the real owner of the data is. In an RS scheme, each user has a public key, and the signer can autonomously collect users' public keys to form a ring without the permission or assistance of the other users (the signer being contained in the set of ring members); the verifier only learns that the signature was generated under the ring, but cannot tell which member's private key was used as the signing key. Owing to this anonymity, RS is widely used in fields such as e-voting, anonymous membership authentication, and anonymous tip-offs.
Since the seminal work of [1], research on RS has been unprecedentedly active. A general framework for constructing 1-out-of-n signature schemes was introduced by Abe et al. [2], which can use different types of keys to construct signatures based on the integer factorization and discrete logarithm problems. After that, many RS schemes along with their associated authentication schemes [3][4][5][6][7][8][9][10] were proposed. However, the security definitions of these RS schemes are weak, i.e., they do not account for certain realistic attacks. Bender et al. [11] proposed new definitions of anonymity and unforgeability for RS that cover these attacks. Bender et al. [11] divided anonymity into three levels according to the degree of security, the strongest of which is anonymity against full key exposure (Anonymity-FKE): even if the adversary is given the private keys of all ring members, it is still unable to guess who the genuine signer of a given RS is. Regarding existential unforgeability, there are also three levels: unforgeability against fixed-ring attacks (EU-FRA), unforgeability against chosen-subring attacks (EU-CSA), and unforgeability with respect to insider corruption (EU-IC). Building on EU-CSA, the strongest notion, EU-IC, means that the adversary cannot succeed in forging a signature even if it is allowed to obtain the private keys of ring members by querying a corruption oracle.
Most previous RS schemes [1][2][3][4][5][6][7][9][10][11] are constructed under classical number-theoretic assumptions, which are hardly resistant to quantum attacks [12]. In 1996, Ajtai [13] introduced the algebraic structure of lattices into cryptographic schemes. In the post-quantum era, lattice-based cryptosystems have become a focus of research due to their merits of high asymptotic efficiency, simple operations, parallelizability, resistance to quantum attacks, and worst-case to average-case reductions. Provably secure lattice-based encryption has developed rapidly and made great progress [14][15][16][17][18], while lattice-based digital signatures went through a tortuous process in their early years. First, Goldreich et al. [19] made an attempt at a lattice-based signature; then the NTRU signature was proposed by Hoffstein et al. [20], and it was repaired and enhanced in [21,22]. However, these lattice-based digital signature schemes [19,20,22] could not withstand the attacks of [23,24]. To date, provably secure lattice-based signature schemes can be divided into two main branches: schemes with trapdoors and schemes without trapdoors. Digital signature schemes with trapdoors started from the "hash-and-sign" signature scheme constructed by Gentry et al. [25] under the SIS assumption, which is also the first provably secure lattice-based signature scheme. Micciancio and Peikert [26] improved the trapdoor structure proposed by [27], introduced the concept of G-trapdoors on lattices, and remarkably improved the computational efficiency of the trapdoor generation algorithm. A digital signature scheme on ideal lattices was proposed by Ducas and Micciancio [28], whose trapdoor is constructed using the technique of [26].
These trapdoors are deemed to be very suitable for lattice-based signature schemes, but the lattice is equipped with a hidden algebraic structure, which significantly affects the efficiency of the signature schemes and is a price that has to be paid. Lattice-based digital signature schemes without trapdoors are mainly based on Stern's zero-knowledge proofs. Although the Stern-type protocol is powerful, the soundness error of a single execution of the protocol is 2/3. Such a protocol needs to be repeated many times so that the soundness error drops to a negligible value, so it is difficult to further improve their efficiency. To the best of our knowledge, only the Lyubashevsky signature schemes [29,30] without trapdoors are constructed not on the Stern-type protocol but on the Fiat-Shamir with aborts (FSwA) protocol, via which a very efficient lattice-based digital signature scheme can be constructed.
Similar to digital signatures over lattices, lattice-based (linkable) RS can also be divided mainly into two branches, i.e., with trapdoors and without trapdoors. Lattice-based RS schemes with trapdoors have been extensively studied [31][32][33][34][35][36]. Notice that these lattice-based RS schemes with trapdoors, although they have made progress on storage overhead, cannot always avoid the drawbacks brought by the hash-and-sign structure, and their computational efficiency cannot be raised to a satisfactory level. Lattice-based RS schemes without trapdoors can be classified into membership-proof-based schemes and FSwA-based schemes. Several RS schemes [37][38][39][40] based on membership proofs have been proposed. Such RS schemes usually first construct a membership proof, which is generally a zero-knowledge proof, and then construct an RS scheme on top of this proof. The efficiency of these RS schemes depends directly on that of the underlying zero-knowledge proofs, which have the advantage that the signature length is usually O(log N), where N is the ring size, whereas the disadvantage is also obvious: the large and complex zero-knowledge proofs lead to low computational efficiency, and the length of the RS can be large when N is small. (Linkable) RS schemes [41][42][43][44] based on FSwA are rather efficient in terms of computation, with the drawback that the signature length is commonly O(N), yet they are very suitable for small-scale scenarios. Among RS schemes on lattices, several [37][38][39][40] satisfy the strongest Anonymity-FKE and EU-IC defined by Bender et al. [11]. In fact, Aguilar Melchor et al. [41] defined a stronger anonymity notion, i.e., unconditional anonymity against chosen setting attacks (UA-CSA), and, inspired by the Lyubashevsky signature scheme [29], Aguilar Melchor et al. [41] constructed two RS schemes (AM1 and AM2) utilizing the lattice-based collision-resistant hash function h ∈ H(D, D_x, m) [45], both of which achieve UA-CSA for anonymity; regarding unforgeability, AM1 and AM2 satisfy EU-CSA and EU-IC, respectively. However, we deem that Aguilar Melchor et al. do not make good use of h ∈ H(D, D_x, m) in transforming the Lyubashevsky digital signature [29] into an RS, which causes the storage and computational overheads of both schemes of Aguilar Melchor et al. [41] to be large. In this work, via the FSwA protocol, we redesign an RS scheme on lattices without trapdoors using h ∈ H(D, D_x, m); the main contributions are as follows:
(1) Different from the lattice-based RS schemes of Aguilar Melchor et al. [41], in our key generation algorithm the input of h ∈ H(D, D_x, m) is taken as a user's private key and the corresponding output of h ∈ H(D, D_x, m) is taken as the public key, which reduces the length of a public key from a polynomial vector of m dimensions to a single polynomial. Our signing algorithm is designed following the framework of the RS scheme of Abe et al. [2], which is based on the discrete-log assumption, and the proposed scheme is thereby more concise and efficient.
(2) Under the improved security model of Aguilar Melchor et al. [41], the proposed RS scheme is rigorously proven secure. Regarding anonymity, our scheme satisfies the strongest UA-CSA; in terms of unforgeability, our scheme satisfies the strongest EU-IC. Under the random oracle model, the unforgeability of the proposed scheme is reduced to the approximate shortest vector problem (SVP_c) over ideal lattices.
(3) Finally, with respect to performance and security, the proposed scheme is comprehensively compared with several schemes [37,38,40,41]. The results show that, compared with AM1 and AM2 of [41], the storage and computational overheads of our scheme are significantly reduced. In addition, compared with the computational overhead of the other schemes, our scheme is remarkably superior and is more suitable for ML applications.

Preliminaries
[N] represents the set {1, 2, …, N}. Let R be the set of real numbers, R^+ the set of positive real numbers, and Z the set of integers. For a finite set S, the symbol y ← S denotes uniform random sampling from S. The upper-case letter X is the random variable denoting a signature, and X ← F denotes that X is the output of the signature algorithm F. Vectors and matrices are denoted by lower-case (e.g., x) and upper-case (e.g., X) letters in bold italic, respectively. In this work, we construct a cryptographic scheme on the ring D = Z_q[x]/(x^n + 1), where x^n + 1 is an irreducible polynomial, and all logarithms are base 2. Z_q is the set of integers modulo q; elements of Z_q are represented by integers from the interval [−(q − 1)/2, (q − 1)/2], and elements of D are then represented by polynomials of degree at most n − 1 whose coefficients are taken from Z_q. For a = Σ_i f_i x^i ∈ D, the common norms of a are defined as follows: For a polynomial vector a = (a_1, a_2, …, a_m), where a_1, a_2, …, a_m ∈ D and m is a positive integer, the infinity norm of a is defined as follows: Additionally, we will use the following notation: D_x = {g ∈ D : ‖g‖∞ ≤ mn^1.5 log n + n log^2 n}, D_y = {g ∈ D : ‖g‖∞ ≤ mn^1.5 log n}. The complexity of algorithms is measured using the standard asymptotic notations ω and O; the symbol Õ suppresses poly-logarithmic factors, so that, for example, for any constants c and c′,

Lattice and Ideal Lattice
Micciancio [46] first proposed the concept of the cyclic lattice, which to a certain extent eliminated the drawbacks of large key sizes and operational inefficiency of cryptographic schemes on Euclidean lattices. Lyubashevsky and Micciancio [45] first proposed the definition of the ideal lattice, which is a lattice with a special algebraic structure and is a generalization of the cyclic lattice. In general, a Euclidean lattice is a subgroup of a group, and an ideal lattice is an ideal of a ring.
Definition 1 (lattice). Suppose the matrix B is composed of a set of linearly independent vectors b_1, b_2, …, b_m ∈ Z^n; then the integer lattice generated by B is defined as:
Definition 2 (q-ary lattice). Given a prime q and positive integers m, n, for any matrix A ∈ Z_q^{n×m}, the m-dimensional full-rank integer lattice is defined as follows:
Definition 3 (ideal lattice). Let f be a monic irreducible polynomial of degree n and I ⊆ Z[x]/(f) an ideal; then an integer lattice L(B) ⊆ Z^n such that L(B) = {g mod f : g ∈ I} is called an ideal lattice.

Hardness Assumption
Definition 4 (R-SIS_{q,m,β} problem). Given a uniformly random vector a ∈ D^m, find a vector x ∈ D^m such that a^T · x = 0 and 0 < ‖x‖_2 ≤ β, where q, m are positive integers and β ∈ R^+.
Definition 5 (SVP_c). Given a lattice L(B) and an approximation factor c ≥ 1, find a nonzero lattice vector v such that ‖v‖∞ ≤ c‖u‖∞ holds for every nonzero vector u ∈ L(B).

Collision-Resistant Hash Functions and Bounding ‖ac mod (x^n + 1)‖∞
Lyubashevsky and Micciancio [45] defined a family of collision-resistant hash functions on ideal lattices, which are efficient functions based on the hardness of worst-case lattice problems, and showed that finding collisions in them is as hard as those worst-case problems. Every h in the family is linear, i.e., h(x + y) = h(x) + h(y) and h(cx) = c h(x), where x, y ∈ D^m, c ∈ D. The following lemma shows that when D_x is a limited domain (e.g., a set of small-norm polynomials), solving the Col(h, D_x) problem is as hard as solving SVP_c in the worst case on the corresponding ideal lattice.
Lemma 1 (see [29]). Let n be any power of 2,
In addition, we recall the following bounding lemma to justify the security of the proposed scheme.
Lemma 2 (Lemma 2.11 in [47] applied to our setting). Let a ← D_s and let c be the response returned by the random oracle H (i.e., c ← D_c); then ‖ac mod (x^n + 1)‖∞ ≤ n log^2 n with overwhelming probability.

Statistical Distance and Probabilistic Lemma
The difference between two probability distributions can be measured by the statistical distance; in the security proof of the proposed RS scheme, we use it to complete the proof of anonymity.
Definition 8 (statistical distance). For random variables X_0 and X_1 defined on a countable set S, if the set S is discrete, then the statistical distance between X_0 and X_1 is defined as If the random variables X_0 and X_1 satisfy (1), then X_0 and X_1 are statistically close.
Regarding statistical distances, the following common properties hold: In addition, to prove the convergence of our algorithms, the following probabilistic lemma will be used:
Lemma 3 (Corollary 6.2 in [47]). For any s ∈ D_s^m,
An RS scheme consists of the following four algorithms:
(1) Setup(1^λ): Taking a security parameter λ as input, it outputs the public parameters pp.
(2) KeyGen(pp): Taking the public parameters pp as input, it generates a key pair (pk, sk), where pk and sk denote the public and private keys, respectively.
(3) Sign(pp, L_pk, μ, sk_π): On input the public parameters pp, a ring L_pk, a message μ and the private key sk_π of the signer U_π (whose public key pk_π must lie in L_pk), it outputs an RS sig of U_π on the message μ under the ring L_pk.
(4) Verify(pp, L_pk, μ, sig): On input the public parameters pp, a ring L_pk, a message μ and an RS sig, it outputs 1 if sig satisfies the verification conditions and 0 otherwise.

Security Model
For the above algorithms, an RS scheme is said to be secure if it satisfies the following definitions: correctness, anonymity, and unforgeability.
Definition 9 (correctness). If the signer signs honestly, i.e., according to the algorithms in Section 3.1, then the Verify algorithm outputs 1 with overwhelming probability, that is, equality (11) holds.
Pr[Verify(pp, L_pk, μ, sig) = 1 : pp ← Setup(1^λ), (pk_π, sk_π) ← KeyGen(pp), pk_π ∈ L_pk, sig ← Sign(pp, L_pk, μ, sk_π)]  (11)
Bender et al. [11] proposed security definitions of RS at different security levels, among which the highest level of anonymity is anonymity-FKE. Based on anonymity-FKE, Aguilar Melchor et al. [41] proposed a stronger definition, namely UA-CSA. In this work, the security proof of anonymity is based on the UA-CSA security model.
Let us define a game between an adversary A and a challenger S. Under UA-CSA, since all secrets are known to the adversary, it can simulate the signing and corruption oracles itself, so these two oracles are no longer provided in the game, and the procedure in which S generates pp and (pk, sk) is not required either, since they are generated by the adversary instead. The game is as follows:
(i) Suppose l is the upper bound on the ring size in the system. The adversary submits to S a set of public parameters pp, a ring L_pk = {pk_1, pk_2, …, pk_N}, two private keys sk_{i_0}, sk_{i_1} whose public keys lie in L_pk, and a message μ. S chooses b ← {0, 1}, returns sig ← Sign(pp, L_pk, μ, sk_{i_b}) to the adversary, and the adversary outputs a guess b′; if b′ = b, the adversary wins the game.
The advantage of A in winning the game is denoted by Adv^anon_A.
Definition 10 (anonymity). An RS scheme satisfies UA-CSA if Adv^anon_A is negligible for any polynomial-time adversary A.
Bender et al. [11] consider two cases when defining the strongest unforgeability notion, EU-IC: (1) an adversary can trick some honest user into generating a signature using adversarially generated public keys; (2) the adversary can adaptively corrupt some ring members and obtain their keys. The strongest EU-IC notion for RS is captured by the following game between an adversary A and a challenger A′:
(i) Setup phase: Given the security parameter λ, A′ runs the KeyGen algorithm to generate the users' public/private key pairs, and sends the public parameters pp and the maximal set of users' public keys S = (pk_i)_{i∈[l]} to the adversary A.
(ii) Query phase: A is allowed to make adaptive queries to the signing oracle SO and the corruption oracle CO.
(a) Signing query: A submits to A′ a set of users' public keys L_pk, a message μ and π ∈ [l], where π is an index such that pk_π ∈ L_pk. On receiving (π, μ, L_pk), A′ invokes the Sign algorithm to generate sig and sends it to A.
(b) Corruption query: A submits i (i ∈ [l]) to the corruption oracle CO, and A′ returns the corresponding private key sk_i to A.
(iii) Forgery phase: A outputs (μ*, L*_pk, sig*), and we say that A wins if the following conditions are satisfied: (a) Verify(pp, L*_pk, μ*, sig*) = 1; (b) A never queried the signing oracle on (·, μ*, L*_pk); (c) L*_pk ⊆ S \ C, where C is the set of corrupted users. The advantage of A in winning the game is defined as:
(2) KeyGen(pp): Given the public parameters pp, it picks r ← D_s^m, then generates the public key pk = h(r) and sets the private key sk = r.

Correctness and Convergence of the Scheme
Theorem 1 (correctness). The proposed RS scheme satisfies correctness.
Proof. When sig is a signature generated according to the signing algorithm, then (a) steps (ii) and (iv) of Sign ensure that (r_{z,i})_{i∈[N]} are elements of D_z^m. In addition, we have the following equations: To sum up, the polynomial sequence c_1, c_2, …, c_N in the verification process is equal to that in the signing process, so the signature must pass the verification of the Verify algorithm, and the proposed scheme is correct. □
Theorem 2 (convergence). Under the parameter settings of the Setup algorithm, the expected runtime of the proposed scheme is Õ(n), and the Sign algorithm is expected to be repeated no more than three times.
Proof. The proposed RS scheme is made up of four algorithms: Setup, KeyGen, Sign and Verify. The Setup algorithm selects a hash function h ∈ H(D, D_x, m) (i.e., picks mn random numbers from {−(q − 1)/2, −(q − 1)/2 + 1, …, (q − 1)/2}); the time for this step is negligible. Generating a single user's private/public key pair in KeyGen amounts to randomly selecting a vector r ← D_s^m, which simply involves randomly selecting mn numbers from the set {−√n log n, …, √n log n}, and then computing pk = h(r), which takes Õ(n) time according to Lemma 2.16 of [47].
The Sign algorithm randomly selects a vector u ← D_y^m and N − 1 vectors r_{z,i} ← D_z^m, then computes the small polynomial multiplications c_i pk_i and the hash function h ∈ H(D, D_x, m) N times, and accesses the random oracle N times. The time of running the Sign algorithm once is Õ(n) by [47], but if r_{z,π} ∉ D_z^m, the operations of Sign have to be repeated. Lemma 3 states that for any r ← D_s^m, Pr_{u←D_y^m, c←D_c}[u + cr ∈ D_z^m] = 1/e − o(1). Therefore, Sign is iterated no more than three times in expectation, and the runtime of Sign is also Õ(n). Finally, the Verify algorithm needs to compute the small polynomial multiplications c_i pk_i and the function h ∈ H(D, D_x, m) N times, and to access the random oracle N times, so its running time is also Õ(n). □
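As an added example (editor's code, not the paper's), the following Python toy instantiation shows the four algorithms above with the Abe-style chain of challenges that the correctness proof and Lemma 4 rely on: t_i = h(r_{z,i}) − c_i pk_i, c_{i+1} = H(L_pk, μ, t_i), the signer's response r_{z,π} = u + c_π r accepted only when it lies in D_z^m, and the signature (c_1, (r_{z,i})_{i∈[N]}). The hash is the linear h_a(r) = Σ_j a_j r_j mod (x^n + 1); the parameters n, m, q and the norm bounds are constructed toy values (not the paper's), and SHA-256 stands in for the random oracle H.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (the paper uses n = 512, q ~ 2^41).
N = 16        # degree n: polynomials live in D = Z_q[x]/(x^n + 1)
M = 2         # m: number of polynomials in a hash key and in a private key
Q = 12289     # modulus q
S_BOUND = 1   # D_s: private-key coefficients in [-1, 1]        (paper: sqrt(n) log n)
C_BOUND = 1   # D_c: challenge coefficients in [-1, 1]
CR_BOUND = N * S_BOUND * C_BOUND   # worst-case ||c r||_inf     (paper: n log^2 n, w.h.p.)
Y_BOUND = M * N * CR_BOUND         # D_y: masking vector u      (paper: m n^1.5 log n)
Z_BOUND = Y_BOUND - CR_BOUND       # D_z: accepted responses    (paper: D_y bound - n log^2 n)
# With Y = mn * CR, Pr[u + c r in D_z^m] = (1 - 1/(mn))^(mn) ~ 1/e, mirroring Lemma 3.

def centered(v):
    """Reduce v mod q to the symmetric representative in [-(q-1)/2, (q-1)/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def poly_mul(a, b):
    """Product in Z_q[x]/(x^n + 1): the power x^n wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [centered(v) for v in out]

def poly_add(a, b): return [centered(x + y) for x, y in zip(a, b)]

def poly_sub(a, b): return [centered(x - y) for x, y in zip(a, b)]

def inf_norm(vec):
    """Infinity norm of a vector of polynomials (largest absolute coefficient)."""
    return max(abs(coef) for poly in vec for coef in poly)

def rand_vec(bound):
    """Uniform element of D^m with every coefficient in [-bound, bound]."""
    return [[secrets.randbelow(2 * bound + 1) - bound for _ in range(N)] for _ in range(M)]

def h(a, r):
    """Lyubashevsky-Micciancio hash h_a(r) = sum_j a_j * r_j mod (x^n + 1); linear in r."""
    acc = [0] * N
    for aj, rj in zip(a, r):
        acc = poly_add(acc, poly_mul(aj, rj))
    return acc

def H(ring, msg, t):
    """Random oracle H(L_pk, mu, t) -> D_c, modelled with SHA-256 (constructed choice)."""
    digest = hashlib.sha256(repr(ring).encode() + b"|" + msg + b"|" + repr(t).encode()).digest()
    return [digest[i] % 3 - 1 for i in range(N)]   # challenge coefficients in {-1, 0, 1}

def setup():
    """Setup: pick the hash key a in D^m, i.e. the function h in H(D, D_x, m); no trapdoor."""
    return [[centered(secrets.randbelow(Q)) for _ in range(N)] for _ in range(M)]

def keygen(a):
    """KeyGen: sk = r <- D_s^m, pk = h_a(r). The public key is a single polynomial."""
    r = rand_vec(S_BOUND)
    return h(a, r), r

def sign(a, ring, msg, pi, sk):
    """Sign: Abe-style chain of challenges closed at slot pi via Fiat-Shamir with aborts."""
    n_members = len(ring)
    while True:                                # repeat on abort (about e attempts on average)
        u = rand_vec(Y_BOUND)
        c, rz = [None] * n_members, [None] * n_members
        t = h(a, u)                            # commitment at the signer's slot: t_pi = h(u)
        for step in range(1, n_members):       # walk the ring pi+1, ..., N, 1, ..., pi-1
            i = (pi + step) % n_members
            c[i] = H(ring, msg, t)
            rz[i] = rand_vec(Z_BOUND)          # non-signers' responses are uniform in D_z^m
            t = poly_sub(h(a, rz[i]), poly_mul(c[i], ring[i]))   # t_i = h(r_z,i) - c_i pk_i
        c[pi] = H(ring, msg, t)                # closes the ring: c_pi = H(L_pk, mu, t_{pi-1})
        rz[pi] = [poly_add(uj, poly_mul(c[pi], skj)) for uj, skj in zip(u, sk)]  # u + c_pi r
        if inf_norm(rz[pi]) <= Z_BOUND:        # abort unless the signer's response is in D_z^m
            return c[0], rz

def verify(a, ring, msg, sig):
    """Verify: recompute t_i = h(r_z,i) - c_i pk_i, c_{i+1} = H(L_pk, mu, t_i); check closure."""
    c1, rz = sig
    if len(rz) != len(ring) or any(inf_norm(v) > Z_BOUND for v in rz):
        return False
    c = c1
    for pk_i, rz_i in zip(ring, rz):
        c = H(ring, msg, poly_sub(h(a, rz_i), poly_mul(c, pk_i)))
    return c == c1                             # c_{N+1} must equal c_1

def acceptance_rate(sk, trials=400):
    """Empirical Pr[u + c r in D_z^m] for u <- D_y^m, c <- D_c (Lemma 3 predicts about 1/e)."""
    hits = 0
    for _ in range(trials):
        c = [secrets.randbelow(3) - 1 for _ in range(N)]
        rz = [poly_add(uj, poly_mul(c, skj)) for uj, skj in zip(rand_vec(Y_BOUND), sk)]
        hits += inf_norm(rz) <= Z_BOUND
    return hits / trials
```

Because the toy D_z bound subtracts the worst-case ‖cr‖∞, every accepted r_{z,π} is exactly uniform on D_z^m whatever the key, which is the argument of Step 2 in Lemma 4 below made concrete.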

Anonymity.
Before proving the anonymity of the proposed scheme, we first state and prove the following lemma, which shows that for an adversary who tries to distinguish two ring signatures using adversarially chosen private keys and the corresponding c_π associated with those private keys, the statistical distance between the following two random variables Y_0 and Y_1 is negligible.
Define two random variables Y_0 and Y_1 obtained from the Sign algorithm with inputs (pp, L_pk, μ, sk_{i_0}) and (pp, L_pk, μ, sk_{i_1}), respectively, where the first N components of Y_b are the first N outputs (r_{z,i})_{i∈[N]} of sig_{i_b}, and the (N+1)-th component of Y_b is the c_π corresponding to sig_{i_b}, b ← {0, 1}; a value taken by Y_b is written (α_1, …, α_N, β). In addition, we use the following lemma.
Lemma 4. If Y_0 and Y_1 are random variables obtained from two legitimate signatures, and these two legitimate signatures are generated with adversarially chosen private keys sk_{i_0}, sk_{i_1}, then Δ(Y_0, Y_1) = n^{−ω(1)}.
Proof. First define the set D_c(sk_{i_0}, sk_{i_1}) = {d ∈ D_c : ‖sk_{i_0} d‖∞, ‖sk_{i_1} d‖∞ ≤ n log^2 n}. According to Lemma 2, almost all elements of D_c are in D_c(sk_{i_0}, sk_{i_1}). Even if the private keys sk_{i_0}, sk_{i_1} ∈ D_s^m, n ≥ λ, are chosen by the adversary, Lemma 2 still guarantees that the fraction of D_c lying outside D_c(sk_{i_0}, sk_{i_1}) is a negligible function. Then, splitting the statistical distance Δ(Y_0, Y_1) into two parts, we obtain formulas (16) and (17). Next we discuss Δ(Y_0, Y_1) in two steps: first we prove that formula (16) is negligible (Step 1), and then that formula (17) equals zero (Step 2).

Step 1. Consider the case β ∉ D_c(sk_{i_0}, sk_{i_1}). In general, since for any b ∈ {0, 1} the value c_π is computed by the hash function H(L_pk, μ, t_{π−1}), where t_{π−1} = h(r_{z,π−1}) − c_{π−1} pk_{π−1}, we have β ∈ D_c and the probability that Y_b^{(N+1)} equals the given value β is 1/|D_c|. Note that even if the hash function h ∈ H(D, D_x, m) is adversarially chosen, this does not affect the probability that Y_0^{(N+1)} equals a given β.
Since almost all elements of D_c are in D_c(sk_{i_0}, sk_{i_1}) by Lemma 2, it is evident that the probability of β ∉ D_c(sk_{i_0}, sk_{i_1}) is negligible, and then we get
Step 2. To prove that the value of formula (17) is zero, it suffices to prove that each term in formula (17) is zero. Since the last component of Y_b is derived from the random oracle H, the probability that Y_0^{(N+1)} and Y_1^{(N+1)} equal a given value β is the same. Then it is only necessary to prove that the following equation about conditional probabilities holds: Since β ∈ D_c(sk_{i_0}, sk_{i_1}) and α_{i_b} ∈ D_z^m, we have ‖sk_{i_0} β‖∞, ‖sk_{i_1} β‖∞ ≤ n log^2 n and ‖α_{i_b}‖∞ ≤ mn^1.5 log n − n log^2 n, so that ‖α_{i_0} − sk_{i_0} β‖∞ and ‖α_{i_1} − sk_{i_1} β‖∞ are both at most mn^1.5 log n. Thus, both α_{i_0} − sk_{i_0} β and α_{i_1} − sk_{i_1} β belong to the set D_y^m. And Therefore, equation (20) holds, i.e., the proof of the lemma is completed. □
Suppose that in the anonymity game of Section 3.2, pp is adversarially chosen according to the Setup algorithm, pk_{i_0} and pk_{i_1} are adversarially generated according to the KeyGen algorithm, and the message μ and the ring L_pk are also chosen by the adversary. The challenger chooses b ← {0, 1}, invokes Sign(pp, L_pk, μ, sk_{i_b}) to generate a signature, and gives it to the adversary. Define the random variable X_{b,pp,sk_{i_b},μ,L_pk} to represent the signature generated by the challenger; the following theorem shows that the statistical distance between X_{0,pp,sk_{i_0},μ,L_pk} and X_{1,pp,sk_{i_1},μ,L_pk} is negligible.
Theorem 3 (anonymity). The proposed scheme satisfies UA-CSA, i.e., for the adversary in Definition 10 and X_{b,pp,sk_{i_b},μ,L_pk} ← Sign(pp, L_pk, μ, sk_{i_b}), the statistical distance Δ(X_{0,pp,sk_{i_0},μ,L_pk}, X_{1,pp,sk_{i_1},μ,L_pk}) is negligible.
Proof. Regarding X_{b,pp,sk_{i_b},μ,L_pk}, it is known from the signing process that By Lemma 3 and Theorem 2, we know that r_{z,i} is indistinguishable from a randomly selected vector in D_z^m. And since the first component c_1 of X_{b,pp,sk_{i_b},μ,L_pk} comes from a random oracle, the statistical distance Δ(X_{0,pp,sk_{i_0},μ,L_pk}, X_{1,pp,sk_{i_1},μ,L_pk}) = n^{−ω(1)} for an ordinary adversary A. However, for a UA-CSA adversary such an analysis is obviously not rigorous enough. The following focuses on the verification process, namely whether the adversary can distinguish the two signatures using the adversarially chosen private keys and the c_π associated with them.
Since the first component c_1 of X_{b,pp,sk_{i_b},μ,L_pk} is obtained by accessing a random oracle and is not directly related to the private key, a discussion of c_1 is not necessary. We only need to prove that for a UA-CSA adversary the statistical distance between the defined Y_0 and Y_1 is negligible. By Lemma 4 it is known that Δ(Y_0, Y_1) = n^{−ω(1)}; thus for a UA-CSA adversary the probability of winning the anonymity game is also negligible.
That completes the proof. □
Unforgeability.
Before proving unforgeability, the following lemma is first given and proved.
Proof.
By subtracting the two equations, we have (r′ − r)(c′ − c) = 0. Since this equation holds in the ring Z_q[x]/(x^n + 1), it does not directly imply that r′ = r or c′ = c. Since ‖r′‖∞, ‖r‖∞ ≤ √n log n and ‖c′‖∞, ‖c‖∞ ≤ 1, the absolute values of the coefficients of r′ − r and c′ − c are at most 2√n log n and 2, respectively. When r′ − r is multiplied by c′ − c in the ring Z[x]/(x^n + 1), the absolute values of the coefficients of (r′ − r)(c′ − c) are at most 4n^1.5 log n. Since q ≫ 4n^1.5 log n, if (r′ − r)(c′ − c) = 0 holds in the ring Z_q[x]/(x^n + 1), then it must also hold in the ring Z[x]/(x^n + 1). And since c ≠ c′, we must have r′ = r, which contradicts the assumption; thus the lemma is proved. □
Theorem 4 (unforgeability). Under the random oracle model, if there exists a polynomial-time adversary A who can validly forge an RS of the proposed scheme with probability ε, then for a randomly chosen h ∈ H(D, D_x, m) there is a polynomial-time algorithm A′ that can obtain a solution to Col(h, D_x) with probability at least ε^2/(2(ψ + 3Nζ)), where N, ζ and ψ are the number of ring members, the maximum number of times A accesses SO, and the maximum number of times A directly accesses HO, respectively.
Proof. Suppose there exists an EU-IC adversary A who can validly forge a signature against the proposed scheme with non-negligible probability ε; then there exists a challenger A′ who can solve Col(h, D_x) with non-negligible probability ε′.
Suppose the maximum number of ring members in the system is l = l(λ), and, given a hash function family H(D, D_x, m), A′ obtains an instance h from the Col(h, D_x) oracle as its input. A′ maintains two lists L_1 and L_2, which are initialized to be empty. For i ∈ [l], A′ honestly runs the KeyGen algorithm to generate the key pair (pk_i, sk_i), and stores the tuple (i, pk_i, sk_i) in the list L_1. A′ gives the public key set S = {pk_1, pk_2, …, pk_l} to A, and then A′ simulates the oracles and responds to the queries from A in the following manner:
Hash query HO: A submits a set of ring members L_pk = (pk_1, pk_2, …, pk_N) ⊂ S, a message μ ∈ {0, 1}* and t_i ∈ D. A′ looks up the list L_2, and if the tuple (L_pk, μ, t_i, c_{i+1}) exists, A′ returns c_{i+1} to A. Otherwise, A′ randomly selects c_{i+1} ∈ D_c, returns it to A, and adds (L_pk, μ, t_i, c_{i+1}) to the list L_2.
Signing query SO: A submits an index π, a message μ ∈ {0, 1}* and a set of ring members L_pk = (pk_1, pk_2, …, pk_N) (which may contain some public keys generated by A in an arbitrary way). Note that A′ knows the private keys of all members of the set S, and in general A will not query signatures of a user outside S, which would be meaningless. A′ responds to this query by honestly running the Sign algorithm.
Corruption query CO: A can make a corruption query about any user U_i (i ∈ [l]). If A queries (i, pk_i), A′ first obtains the tuple (i, pk_i, sk_i) by looking up the list L_1, and then returns sk_i to A.
Forgery phase: Suppose that after finishing the above queries, A outputs a valid forgery (μ*, L*_pk, sig*) with non-negligible probability ε, and A did not ask for any signature on (·, μ*, L*_pk), where L*_pk ⊆ S \ C and C is the set of corrupted users.
Analysis. Define p as the maximum number of times HO is queried during A's attack. By Theorem 2, it takes at most 3N HO queries to produce an RS, and since A can make at most ζ SO queries, the value of p is at most ψ + 3Nζ. Suppose that sig* = (c*_1, (r*_{z,i})_{i∈[N]}) can pass the verification

Discussion
From Theorem 4, it is known that if an adversary succeeds in forging an RS against the proposed scheme, then the challenger can find a collision for a randomly chosen hash function h_a(·) in H(D, D_x, m). From [29], solving Col(h, D_x) is equivalent to finding a vector u on the lattice Λ⊥_q(A) = {u ∈ Z^{mn} : Au = 0 (mod q)} satisfying ‖u‖∞ ≤ 2(mn^1.5 log n + n log^2 n), where It was shown in [49] that, in a reasonable amount of time, the algorithms for finding short vectors on a random lattice will generate a vector no shorter than 1.01^n times the shortest vector of the lattice. Furthermore, based on the experiments of [49], Micciancio and Regev [50] conducted experiments on lattices very similar to Λ⊥_q(A) and showed that the length of the shortest vector that can be found on Λ⊥_q(A) using the well-known lattice reduction algorithms is Therefore, in order to make Col(h, D_x) intractable, we should set the parameters such that 2(mn^1.5 log n + n log^2 n) is smaller than formula (29). For example, with n = 512 and q ≈ 2^41, we compute 2(mn^1.5 log n + n log^2 n) ≈ 2^20.1, while the infinity norm ‖z‖∞ of the shortest vector that can be found according to formula (29) is around 2^29.6. Table 1 gives several sets of parameter settings and security levels for our scheme.

Efficiency
In this section, with respect to efficiency and security, we compare our scheme with five lattice-based RS schemes without trapdoors: the RS schemes of [37,38,40] and the two RS schemes AM1 and AM2 of [41]. The comparison results for storage overhead and computational overhead are listed in Tables 2 and 3, respectively. λ is the security parameter, n > λ is a power of 2, N is the number of ring members, and q is a large prime. In estimating the computational efficiency of each scheme, we mainly focus on the relatively time-consuming operations, such as polynomial inversion and polynomial-polynomial multiplication, while ignoring the less time-consuming operations such as polynomial-polynomial addition and the cryptographic hash H. The notation T_poly-mul denotes the computational overhead of running one polynomial-polynomial multiplication in D, and T_poly-inv denotes the computational overhead of running one polynomial inversion; normally T_poly-inv > T_poly-mul. T_v denotes the time spent performing λ sanity checks of parameters in the signing phase of AM2. T_c denotes the computational overhead of selecting a compliant signing key in the signing phase of AM2.
From Table 2, the signature size of [37,38,40] is O(log N), while the signature size of AM1, AM2 and ours is O(N). Without loss of generality, n ≥ √n log n; thus, compared with AM1 and AM2, our scheme has smaller public/private key sizes and signature size.
These schemes [37,38,40] all use complex and bloated zero-knowledge proofs, and it is very difficult for us to calculate their computational overheads. Among the schemes [37,38,40], only the relatively concise scheme of [38] gives an analysis of its computational overhead. Therefore, we only compare the computational cost of [38,41] and our scheme. We adopt the calculation method of efficiency in

Table 2: Comparison of storage overhead and security.

Scheme        Public key size     Private key size      Signature size                     UA-CSA   EU-IC
[37]          O(n log q)          O(n log n)            O(log(Nn) n log^2 n)               Yes      Yes
[38]          O(n log q)          O(n)                  O(log^5 N n log^2 n)               Yes      Yes
[40]          O(n log q)          O(n)                  O(log N n log(nq))                 Yes      Yes
AM1 of [41]   O(n log n log q)    O(n log n)            O(N n log n log(n^1.5 log^2 n))    Yes      No
AM2 of [41]   O(λn log n log q)   O(λn log n)           O(N n log n log(n^1.5 log^2 n))    Yes      Yes
Ours          O(n log q)          O(n log(√n log n))    O(N n log(n^1.5 log n))            Yes      Yes

Table 3: Comparison of computational overhead at security level λ = 128.

To make the comparison results more intuitive, Figures 1 and 2 show the comparison between [38,41] and ours in terms of computational overhead under different ring sizes.

Conclusions
Although lattice-based RS schemes are resistant to attacks by quantum computers, there is still a big gap in computational efficiency between them and schemes based on traditional number-theoretic assumptions. To further boost the computational efficiency of RS on lattices, this work constructs a lattice-based RS scheme without trapdoors under the random oracle model. Based on a collision-resistant hash function on ideal lattices, our scheme is designed via the FSwA protocol. Our scheme avoids the trapdoors and sampling techniques that carry high computational overhead and does not involve the complex zero-knowledge proofs usually used in RS schemes without trapdoors. The proposed scheme is more concise and efficient. Meanwhile, in terms of anonymity and unforgeability, our scheme is proven to satisfy the strongest notions UA-CSA and EU-IC, respectively. Next, we plan to investigate an NTRU-lattice-based RS scheme without trapdoors, which would be the first combination of NTRU lattices and RS without trapdoors.
Data Availability
The figures and tables used to support the findings of this study are included in the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.