1 Introduction

In 2008, Satoshi Nakamoto proposed the blockchain as the public transaction ledger of the cryptocurrency Bitcoin [34]. Through decentralization, Bitcoin was the first to solve the double-spending problem without a central server. The blockchain and Bitcoin have also inspired various applications that offer value or trust [41]. In recent years, ring signatures have been deployed to build transaction protocols for blockchain-based cryptocurrencies. Monero is a popular cryptocurrency that focuses mainly on anonymity, and its underlying CryptoNote protocol uses ring signatures as a core cryptographic tool to provide anonymity [36].

The notion of ring signature was first proposed by Rivest, Shamir and Tauman [35] as a way to leak a secret, and has since been extended in many directions: different mathematical assumptions [16], different cryptosystems [2, 4, 5], linkability and/or revocability [1, 3, 20, 22, 23, 25, 27, 40], blinding [8], threshold settings [24, 39, 42, 44, 45], security enhancements [10, 18, 26, 28, 30, 31, 32] and efficiency improvements [21, 29, 43]. This cryptographic tool lets one member of a group endorse a message on behalf of the group without revealing which member signed. Unlike the group in a group signature [9], a ring is not managed by a group manager; ring members can even be included in a ring without their knowledge. Rings are ad hoc, which means that the signing process cannot be controlled by any centralized authority after the original setup.

In the past years, the security of most ring signature constructions has been proven in the ROM (Random Oracle Model) [11] or the CRS (Common Reference String) model [19]. At ASIACRYPT 2017, Malavolta et al. presented a generic ring signature construction that achieves anonymity and unforgeability in the standard model [33]. In their scheme, a ring signature protocol is divided into two components: a re-randomizable key and a NIZK (Non-Interactive Zero-Knowledge) system. A notable feature of this scheme is that the NIZK system can be replaced independently to obtain variants of the original scheme.

Bandwidth usage is one of the main targets of blockchain benchmarks, since it significantly influences the transaction processing performance of a blockchain. To reduce bandwidth in blockchain, Groth et al. proposed a logarithmic-size ring signature for blockchain cryptocurrencies [15]. Sun et al. proposed an accumulator-based transaction protocol for Monero to reduce transaction size [38]. Both works are in the ROM. In this work, to improve efficiency, we design a new assumption, CL-KEA (Compact Linear Knowledge of Exponent Assumption), and propose a compact NIZK argument of knowledge under this assumption. Using the properties of our compact NIZK, we build a compact ring signature scheme in the standard model. Compared with Malavolta et al.’s scheme [33], our signature size is smaller and verification is more efficient.

2 Preliminaries

In this work, we use \(\lambda \) to denote a security parameter, negl(\(\lambda \)) to denote a negligible function in the security parameter \(\lambda \), and [n] to denote the set \(\{1,...,n\}\) for a positive integer \(n\in \mathbb {N}\). We write \(y\leftarrow S\) for sampling y at random from a set S.

2.1 Bilinear Maps

Let \(g_1\) and \(g_2\) be generators of two cyclic groups \((\mathbb {G}_1,\mathbb {G}_2)\) of large prime order p, respectively. There exist a homomorphism \(\phi :\mathbb {G}_2\rightarrow \mathbb {G}_1\) and a bilinear map \(e:\mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) satisfying:

  • Non-degeneracy. \(e(g_1,g_2)\ne 1\).

  • Computability. All group operations in \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\), the homomorphism \(\phi \) and the map e are efficiently computable.

  • Bilinearity. For all \((a,b)\in \mathbb {Z}_p^2\) and \((C,D)\in \mathbb {G}_1\times \mathbb {G}_2\), \(e(C^a,D^b)=e(C,D)^{a\cdot b}\).

  • Homomorphism. For all \((D,E)\in \mathbb {G}_2^2\), \(\phi (D\cdot E)=\phi (D)\cdot \phi (E)\).

2.2 NIZK Arguments of Knowledge

Definition 1

(NIZK Arguments of Knowledge [14]). Let \(\mathcal {R}\) be a relation corresponding to an NP language \(\mathcal {L}\). A NIZK argument of knowledge consists of the following ppt algorithms:

  • \((\alpha ,\theta )\leftarrow \mathcal {G}(1^\lambda )\): On input the security parameter \(\lambda \), this algorithm outputs a trapdoor \(\alpha \) and a common reference string \(\theta \).

  • \(\pi \leftarrow \mathcal {P}(\theta ,w,s)\): On input \(\theta \), a witness w and a statement s with \((w,s)\in \mathcal {R}\), this algorithm outputs an argument \(\pi \).

  • \(1/0\leftarrow \mathcal {V}(\theta ,\pi ,s)\): On input \(\theta \), an argument \(\pi \) and a statement s, this algorithm outputs a bit \(b\in \{0,1\}\).

  • \(\pi \leftarrow \mathcal {S}(\theta ,\alpha ,s)\): On input \(\theta \), a trapdoor \(\alpha \) and a statement s, this algorithm outputs a simulated argument \(\pi \).

  • \((s,\pi ,w)\leftarrow \mathcal {E}(\alpha ,\theta )\): On input a trapdoor \(\alpha \) and \(\theta \), this algorithm outputs a statement s, an argument \(\pi \) and a witness w.

Definition 2

(Perfect Completeness). For all \(\lambda \in \mathbb {N}\), \((\alpha ,\theta )\leftarrow \mathcal {G}(1^\lambda )\) and \((w,s)\in \mathcal {R}\) it holds that

$$\begin{aligned} Pr [(\alpha ,\theta )\leftarrow \mathcal {G}(1^\lambda ),\pi \leftarrow \mathcal {P}(\theta ,w,s):1\leftarrow \mathcal {V}(\theta ,\pi ,s)]=1. \end{aligned}$$

Definition 3

(Perfect Zero-Knowledge). For all \(\lambda \in \mathbb {N}\), \((\alpha ,\theta )\leftarrow \mathcal {G}(1^\lambda )\) and \((w,s)\in \mathcal {R}\), there exists a simulator \(\mathcal {S}\) such that

$$\begin{aligned} Pr [\mathcal {P}(\theta ,w,s)=\mathcal {S}(\theta ,\alpha ,s)]=1. \end{aligned}$$

Definition 4

(Computational Knowledge Soundness). For all \(\lambda \in \mathbb {N}\), \((\alpha ,\theta )\leftarrow \mathcal {G}(1^\lambda )\), \((w,s)\in \mathcal {R}\) and any ppt adversary \(\mathcal {A}\), there is an extractor \(\mathcal {E}\) with full access to the adversary such that

2.3 Ring Signature

Definition 5

(Ring Signature [6]). A ring signature protocol consists of a triple of ppt algorithms RSig = (Gen, Sig, Ver) as follows:

  • \((vk,sk)\leftarrow \textsf {Gen} (1^\lambda )\): On input the security parameter \(\lambda \), this algorithm outputs a verification key vk and a signing key sk. Define the ring \(R=\{vk_i\}_{i\in [n]}\).

  • \(\sigma \leftarrow \textsf {Sig} (R,sk,m)\): On input a ring R, a signing key sk and a message m, this algorithm outputs a signature \(\sigma \).

  • \(1/0\leftarrow \textsf {Ver} (R,m,\sigma )\): On input a ring R, a message m and a signature \(\sigma \), this algorithm outputs the bit 1 if the ring signature passes verification and the bit 0 otherwise.

A ring signature must satisfy Anonymity and Unforgeability as defined in [6].

2.4 Programmable Hash Function

Definition 6

(Programmable Hash Function [17]). A programmable hash function consists of two algorithms H = (HGen, HEval) as follows:

  • \(k\leftarrow \textsf {HGen} (1^\lambda )\): On input the security parameter \(\lambda \), this algorithm generates a public key k.

  • \(c\leftarrow \textsf {HEval} (k,m)\): On input a public key k and a message \(m\in \{0,1\}^*\), this algorithm outputs a hash value c.

3 Overview of Malavolta et al.’s Scheme

In this section, we show an overview of Malavolta et al.’s scheme [33].

3.1 NIZK

Firstly, we recall the language \(\mathcal {L}\) corresponding to disjunction of discrete logarithm defined in [33] as follows:

$$\begin{aligned} \mathcal {L}\,=\,\{\{A_i\}_{i\in [n]}\in \mathbb {G}_1^n:\exists (a,i):g_1^a=A_i\}. \end{aligned}$$

Then we recall the NIZK system of [33] as Fig. 1.

Fig. 1. NIZK for disjunctive statements in Malavolta et al.’s scheme [33]

As we can see, this NIZK argument does not need random oracles, and its security is mainly based on L-KEA (Linear Knowledge of Exponent Assumption). We note that although their NIZK uses a common reference string, this does not mean their ring signature needs a CRS; we return to this point below.

3.2 Ring Signature

We then show the generic ring signature construction introduced by Malavolta et al. in Fig. 2. Their work is based on re-randomizable keys [12] and the NIZK argument of knowledge above. To make their ring signature scheme independent of a CRS, they split the CRS of the NIZK into parts carried by each verification key, so that the CRS of the NIZK is not a CRS of the ring signature. A useful feature of their ring signature is that the NIZK argument of knowledge is an independent component and can therefore be replaced by other valid NIZK systems, such as [13, 14].

Fig. 2. Ring signature scheme in Malavolta et al.’s scheme [33]

An obvious deficiency of their ring signature scheme is the signature size. In their scheme, a signature includes two NIZK arguments of knowledge, and each argument consists of 2n group elements for an n-sized ring. Consequently, their signature consists of \((4n\,+\,3)\) group elements and an integer.

4 Our NIZK Arguments of Knowledge

We propose a new NIZK argument of knowledge to improve the efficiency of [33]. Our main idea is to compress the size of the NIZK argument without changing the degrees of the polynomials in the security proof of the assumption, so the security of the new NIZK argument of knowledge holds as before. We note that our NIZK is secure under CL-KEA, which is a variant of L-KEA.

4.1 Complexity Assumptions

Assumption 1

(Compact Linear Knowledge of Exponent (CL-KEA)). For all \(\lambda \in \mathbb {N}\), \(n\in \textsf {poly} (\lambda )\) and ppt adversaries \(\mathcal {A}\) there is a ppt algorithm \(\mathcal {E}_\mathcal {A}\) with full access to \(\mathcal {A}\) such that

W.l.o.g., we use \(\mathcal {O}\) to denote the set of five oracles of the generic group model from [7], and in the following we randomly pick encoding functions \((\gamma _1,\gamma _2,\gamma _T)\) for the groups \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\).

Theorem 1

For all \(\lambda \in \mathbb {N}\), \(n\in \textsf {poly} (\lambda )\) and ppt adversaries \(\mathcal {A}\) with oracle access to \(\mathcal {O}\) there is a ppt extractor \(\mathcal {E}_A\) with full access to \(\mathcal {A}\) such that

Proof

We construct an extractor \(\mathcal {E}\) as follows.

  1. \(\mathcal {E}\) initializes 3 lists \((\mathcal {W}_1,\mathcal {W}_2,\mathcal {W}_T)\).

  2. \(\mathcal {E}\) randomly picks \(s_1\leftarrow \{0,1\}^*\), \(s_2\leftarrow \{0,1\}^*\) and \(s_x\leftarrow \{0,1\}^*\), then it adds \((1,s_1)\) to \(\mathcal {W}_1\), adds \((1,s_2)\) to \(\mathcal {W}_2\) and adds \((x,s_x)\) to \(\mathcal {W}_1\). We note that the entries of the lists are denoted by (F, s), where F is a generic polynomial and s is a randomly picked string.

  3. \(\mathcal {E}\) simulates the queries of \(\mathcal {A}\) to the oracle set \(\mathcal {O}\):

     • On input 2 strings \((s_i,s_j)\), \(\mathcal {E}\) first retrieves \(F_i\) and \(F_j\) from lists \(\mathcal {W}_1\), \(\mathcal {W}_2\) or \(\mathcal {W}_T\). Next it calculates \(F_k=F_i\pm F_j\) and outputs \(s_k\) if \((F_k,s_k)\in \mathcal {W}_*\).

     • On input 2 strings \((s_i,s_j)\), \(\mathcal {E}\) first retrieves \(F_i\) and \(F_j\) from lists \(\mathcal {W}_1\) or \(\mathcal {W}_2\). Next it calculates \(F_k=F_i\cdot F_j\) and outputs \(s_k\) if \((F_k,s_k)\in \mathcal {W}_T\).

     • On input a string \(s_k\), \(\mathcal {E}\) first retrieves \(F_k\) from list \(\mathcal {W}_2\). Next it outputs \(s_i\) if \((F_k,s_i)\in \mathcal {W}_1\).

     Whenever \((F_k,s_*)\notin \mathcal {W}_*\), \(\mathcal {E}\) randomly picks \(s_k'\leftarrow \{0,1\}^*\), adds \((F_k,s_k')\) to the corresponding list \(\mathcal {W}_*\) and outputs \(s_k'\).

  4. At some point, \(\mathcal {E}\) receives a tuple \((q,\{a_i,t_i\}_{i\in [n]})\) from \(\mathcal {A}\).

  5. For all \(i\in [n]\), \(\mathcal {E}\) retrieves from list \(\mathcal {W}_1\) the polynomial \(F_{a_i}\) corresponding to \(a_i\).

  6. If some \(F_{a_i}\) is a constant (deg\(_x(F_{a_i})=0\)), \(\mathcal {E}\) returns \(F_{a_i}\). Otherwise it aborts.

Whenever \(\mathcal {E}\) does not abort, we denote the element that \(\mathcal {E}\) outputs by o, so that \(\gamma _1(o)=a_i\). We then prove that this happens with negligible probability.

Our proof consists of three lemmas. First we recall the lemma from [37]:

Lemma 1

Let \(F(\{x_i\}_{i\in [m]})\) be a polynomial with \(\textsf {deg} (F)\le d\), let p be the largest prime dividing an integer \(n'\), and sample \(\{x_i\}_{i\in [m]}\leftarrow \mathbb {Z}_{n'}^m\) at random. Then it holds that:

$$\begin{aligned} Pr [F(\{x_i\}_{i\in [m]})=0\,\,\,\mathrm{mod}\,\,\,n']\le \frac{d}{p} \end{aligned}$$

Lemma 1 bounds the probability that a polynomial F evaluates to 0 at random inputs. For our extractor described above, we note that deg\(_x(F_i)\le 1\) and deg\(_x(F_j)\le 1\), hence deg\(_x(F_k)\le 2\), where \((F_i,s_i)\in \mathcal {W}_1\), \((F_j,s_j)\in \mathcal {W}_2\) and \((F_k,s_k)\in \mathcal {W}_T\).

Lemma 2

For all \((F_{a_i},s_{a_i})\in \mathcal {W}_1\) and \((F_{t_i},s_{t_i})\in \mathcal {W}_2\) it holds that:

$$\begin{aligned} Pr [\textsf {deg} _x(F_{t_i})= 1\wedge \textsf {deg} _x(F_{a_i})= 1]\le \textsf {negl} (\lambda ). \end{aligned}$$

Proof

Let \(F_q\) be a polynomial with \((F_q,s_q)\in \mathcal {W}_1\), so deg\(_x(F_q)\le 1\). If we assume \(F_q=\sum _{i\in [n]}F_{t_i}\cdot F_{a_i}\), then clearly for all \(i\in [n]\) either \(F_{t_i}\) or \(F_{a_i}\) must be a constant. For a random \(x\leftarrow \mathbb {Z}_p\), it is required that \(F_q(x)=\sum _{i\in [n]}F_{t_i}(x)\cdot F_{a_i}(x)\).

By Lemma 1 we know that:

$$\begin{aligned} Pr [ F_q(x)-\sum _{i\in [n]}F_{t_i}(x)\cdot F_{a_i}(x)=0]\le \frac{1}{p} \end{aligned}$$

where \(\frac{1}{p}\) is negligible. It follows that

$$\begin{aligned} Pr [F_q-\sum _{i\in [n]}F_{t_i}\cdot F_{a_i}\ne 0]\le \frac{1}{p}. \end{aligned}$$

Then we conclude that

$$\begin{aligned} Pr [\textsf {deg}_x(F_{t_i})=0\vee \textsf {deg}_x(F_{a_i})=0]\ge \epsilon (\lambda ) \end{aligned}$$

where \(\epsilon \) is a non-negligible function.     \(\square \)

Here we note that \(\textsf {deg}_x(F_{t_i})=\textsf {deg}_x(F_{a_i})=0\) does not contradict our theorem.

Lemma 3

For all \((F_{t_i},s_{t_i})\in \mathcal {W}_2\):

$$\begin{aligned} Pr [\forall i\in [n]:\textsf {deg} _x(F_{t_i})=0]\le \textsf {negl} (\lambda ). \end{aligned}$$

Proof

We assume, for contradiction, that:

$$\begin{aligned} Pr [\forall i\in [n]:\textsf {deg} _x(F_{t_i})=0]\ge \epsilon (\lambda ). \end{aligned}$$

Since, as argued above, \(\sum _{i\in [n]}F_{t_i}(x)=x\), it is required that

$$\begin{aligned} Pr [\sum _{i\in [n]}F_{t_i}(x)-x=0]\ge \epsilon (\lambda ) \end{aligned}$$

where \(\sum _{i\in [n]}F_{t_i}(x)\) is some random constant. This clearly contradicts Lemma 1. Thus we conclude that there exists at least one i such that \(\textsf {deg}_x(F_{t_i})=0\).

    \(\square \)

By Lemmas 2 and 3, there exists an i such that:

$$\begin{aligned} Pr [\textsf {deg} _x(F_{t_i})=1\wedge \textsf {deg} _x(F_{a_i})=0]\le \textsf {negl} (\lambda ) \end{aligned}$$

from which it follows that the extractor \(\mathcal {E}\) returns o with negligible probability.    \(\square \)

4.2 Our Construction

We now propose a new NIZK argument of knowledge, described in Fig. 3. The main improvement is to combine all \(Q_i\) into a single element Q (their product) during proving, and then replace the \(Q_i\) with Q to reduce the size of the argument. At the same time, the smaller argument size requires fewer pairing computations in verification. Thus our construction saves almost half of the signature storage and almost half of the pairing computations. When n is large, the effect of this improvement is significant.

Fig. 3. NIZK for disjunctive statements.

Theorem 2

The scheme in Fig. 3 has perfect zero-knowledge.

Proof

We construct a simulator \(\mathcal {S}(\theta ,\alpha ,s)\) to prove perfect zero-knowledge as follows:

  1. \(\mathcal {S}\) parses the common reference string \(\theta \) as \(T\in \mathbb {G}_2\) and parses a statement s as \(\{A_i\}_{i\in [n]}\in \mathbb {G}_1^n\).

  2. \(\mathcal {S}\) randomly picks \(j\leftarrow [n]\) and \(\{t_i\}_{i\in [n]\backslash j}\leftarrow \mathbb {Z}_p^{n-1}\), then computes \(\{T_i=(g_2)^{t_i}\}_{i\in [n]\backslash j}\) and \(\{Q_i=(A_i)^{t_i}\}_{i\in [n]\backslash j}\).

  3. \(\mathcal {S}\) computes

     $$\begin{aligned} T_j=\frac{T}{\prod _{i\in [n]\backslash j}g_2^{t_i}} \end{aligned}$$
     $$\begin{aligned} Q_j= A_j^{\alpha -\sum _{i\in [n]\backslash j}t_i} \end{aligned}$$
     $$\begin{aligned} Q=\prod _{i\in [n]}Q_i. \end{aligned}$$

  4. \(\mathcal {S}\) outputs \((Q,\{T_i\}_{i\in [n]})\).

This simulation is efficient, \(\{T_i\}_{i\in [n]}\) is picked identically to \(\mathcal {P}\), and \(Q=\prod _{i\in [n]}A_i^{\textsf {Dlog}_{g_1}(T_i)}\). Hence the scheme has perfect zero-knowledge.

    \(\square \)

Theorem 3

The scheme in Fig. 3 has computational knowledge soundness.

Proof

We construct an extractor \(\mathcal {E}\) to prove computational knowledge soundness as follows:

\(\mathcal {E}(\alpha ,\theta )\). This extractor runs the adversary \(\mathcal {A}\) on \(\theta \) and receives \((s=\{A_i\}_{i\in [n]},\pi =(Q,\{T_i\}))\). As defined above, \(\mathcal {E}\) has full access to \(\mathcal {A}\) to obtain \((s,\pi ,w)\). For all \(i\in [n]\), it outputs (a, i) when \(A_i=g_1^a\).

We note that if \(\prod _{i\in [n]}T_i=T=g_2^\alpha \) and \(\textsf {Dlog}_{g_1}(Q)=\sum _{i\in [n]}\textsf {Dlog}_{g_2}(T_i)\cdot \textsf {Dlog}_{g_1}(A_i)\), the extraction succeeds. By CL-KEA as described above, this happens with probability \(\epsilon (\lambda )\).    \(\square \)

5 Compact Ring Signature

In this section, we present a compact ring signature scheme based on our proposed NIZK arguments of knowledge. Before introducing our ring signature scheme, we first recall the corresponding language described in [33].

$$\begin{aligned} \mathcal {L}=\left\{ \begin{array}{r} (\{k_i\}_{i\in [n]},c,\{z_i\}_{i\in [n]},z',m)\in \mathbb {G}_1^{\lambda \cdot n+1}\times \mathbb {G}_2^{n+1}\times \{0,1\}^*:\\ \exists (\rho ,\delta ,i):\displaystyle \frac{z'}{z_i}=g_2^\rho \wedge c=\textsf {HEval} (k_i,m)^\delta \end{array} \right\} . \end{aligned}$$

This language can be separated into two sub-languages as follows:

$$\begin{aligned} \mathcal {L}_1=\left\{ \begin{array}{r} (\{z_i\}_{i\in [n]},z')\in \mathbb {G}_2^{n+1}:\\ \exists (\rho ,i):\displaystyle \frac{z'}{z_i}=g_2^\rho \end{array} \right\} . \end{aligned}$$
$$\begin{aligned} \mathcal {L}_2=\left\{ \begin{array}{r} (\{k_i\}_{i\in [n]},c,m)\in \mathbb {G}_1^{\lambda \cdot n+1}\times \{0,1\}^*:\\ \exists (\delta ,i):c=\textsf {HEval} (k_i,m)^\delta \end{array} \right\} . \end{aligned}$$

We note that \(\mathcal {L}\) essentially consists of two NIZK arguments of knowledge for the disjunctive discrete logarithms \((\frac{z'}{z_i},\rho )\) and \((c,\delta )\) as above. It is easy to see that the first language \(\mathcal {L}_1\) works well with their NIZK argument of knowledge. The second one, however, does not fit directly: in their scheme the set \(\{\textsf {HEval}(k_i,m)^\delta \}_{i\in [n]\backslash j}\) is neither public nor generated. To make it compatible we make the following small changes:

$$\begin{aligned} \mathcal {L}_2'=\left\{ \begin{array}{r} (\{k_i\}_{i\in [n]},c,m)\in \mathbb {G}_1^{\lambda \cdot n}\times \mathbb {G}_2\times \{0,1\}^*:\\ \exists (\displaystyle \frac{1}{\delta },i):\textsf {HEval} (k_i,m)=c^\frac{1}{\delta } \end{array} \right\} . \end{aligned}$$

First we change the witness from \((\delta ,i)\) to \((\frac{1}{\delta },i)\), so the corresponding disjunctive discrete logarithm becomes \((\textsf {HEval}(k_i,m),\frac{1}{\delta })\). Then we change the range of the hash function from \(\mathbb {G}_1\) to \(\mathbb {G}_2\). With these two changes, it is easy to show that both \(\mathcal {L}_1\) and \(\mathcal {L}_2'\) work with their NIZK argument of knowledge, and likewise with ours. More details are shown in Figs. 4 and 5.

Formally, we combine \(\mathcal {L}_1\) and \(\mathcal {L}_2'\) as follows:

$$\begin{aligned} \mathcal {L}'=\left\{ \begin{array}{r} (\{k_i\}_{i\in [n]},\{z_i\}_{i\in [n]},z',c,m)\in \mathbb {G}_1^{\lambda \cdot n}\times \mathbb {G}_2^{n+2}\times \{0,1\}^*:\\ \exists (\rho ,\displaystyle \frac{1}{\delta },i):\displaystyle \frac{z'}{z_i}=g_2^\rho \wedge \textsf {HEval} (k_i,m)=c^\frac{1}{\delta } \end{array} \right\} . \end{aligned}$$

Fig. 4. Proving of NIZK arguments of knowledge.

5.1 Scheme Description

Based on the above primitives, our ring signature RSig = (Gen, Sig, Ver) consists of three algorithms as follows:

  • Gen(\(1^\lambda \)): on input a security parameter \(\lambda \), this algorithm randomly picks \(x\leftarrow \mathbb {Z}_p\), \(\beta \leftarrow \mathbb {Z}_p\) and generates k by calling HGen(\(1^\lambda \)). It calculates \(z=g_1^x\) and \(C=g_2^\beta \) and outputs (sk, vk), where \(vk=(z,k,C)\) is the verification key and \(sk=x\) is the signing key.

  • Sig(\(R,sk_j,m\)): on input \(R=\{vk_i\}_{i\in [n]}\), a signing key \(sk_j\) and a message m, this algorithm randomly picks \((s,\rho ,\delta )\leftarrow \mathbb {Z}_p^3\), generates a re-randomized signing key \(sk_j'=sk_j+\rho \) and the corresponding re-randomized verification key \(z_j'=z_j\cdot g_1^\rho \), and computes \(c_i=\phi (\textsf {HEval}(k_i,m||R))\in \mathbb {G}_1\), \(c\,=\,\textsf {HEval}(k_j,m||R)^\delta \in \mathbb {G}_2\) and \(y=c^{\frac{1}{x'+s}}\). This algorithm then proves two statements as follows:

    • Prove the statement \((R,z')\) by calling \(\mathcal {P}\left( \prod _{i\in [n]}C_i,(R,z'),(\rho ,j)\right) \) as in Fig. 4, obtaining \(\pi _1\).

    • Prove the statement \((R,c_i)\) by calling \(\mathcal {P}\left( \prod _{i\in [n]}C_i,(R,c_i,c),(\frac{1}{\delta },j)\right) \) as in Fig. 4, obtaining \(\pi _2\).

    As a result, this algorithm outputs \(\sigma =(\pi _1,\pi _2,c,y,s,z')\).

  • Verify(\(R,m,\sigma \)): on input a ring \(R=\{vk_i\}_{i\in [n]}\), a message m and a signature \(\sigma \), this algorithm computes \(c_i=\phi (\textsf {HEval}(k_i,m||R))\in \mathbb {G}_1\). It first verifies two statements as follows:

    • Verify the statement \((R,z')\) by calling \(\mathcal {V}\left( \prod _{i\in [n]}C_i,(R,z'),\pi _1\right) \) as in Fig. 5, obtaining \(b_1\).

    • Verify the statement \((R,c_i)\) by calling \(\mathcal {V}\left( \prod _{i\in [n]}C_i,(R,c_i,c),\pi _2\right) \) as in Fig. 5, obtaining \(b_2\).

    Then if \(e(z'\cdot g_1^s,y)=e(g_1,c)\wedge b_1=1\wedge b_2=1\) it returns 1. Otherwise it returns 0.

Fig. 5. Verification of NIZK arguments of knowledge.

5.2 Scheme Analysis

The anonymity and unforgeability of this kind of ring signature have been proven in [33]; we do not repeat the details here. We compare Malavolta et al.’s scheme and ours in Table 1.

Table 1. Comparisons between Malavolta et al.’s scheme [33] and ours

As shown in the table, both L-KEA and CL-KEA are secure in the generic group model, so the improvement does not come at the expense of security. Moreover, we do not change the sizes of the signing key and verification key. Our main contribution is that, for large n, we reduce the signature size by almost half and the number of pairing computations in verification by half.

6 Conclusion

In this work, we first propose a new NIZK argument of knowledge. Using its properties, we construct a compact ring signature scheme in the standard model. Compared with Malavolta et al.’s scheme [33], our construction reduces the signature size and the pairing computations in the verification process. We believe this improvement will reduce bandwidth cost in blockchains in the future.