Keywords

1 Introduction

Ring signatures [28] allow one group member to generate signatures on behalf of this group, where the verifier can confirm that the signer belongs to this group but can not identify the signer. Thus, ring signatures can provide anonymity on the signer’s identity and have broad applications, such as Blockchain, ad-hoc networks, anonymous transactions, anonymous whistle-blowing, and so on.

In practical applications, secret keys of signers are revealed easily because of the careless store or internet attacks, etc. Moreover, once a secret key of a member of the group is exposed, an adversary can forge a valid signature on behalf of this group. Thus, the damage from the key exposure is particularly critical in ring signatures. In 2002, Anderson [4] introduced the forward security mechanism for signature schemes to reduce the impact caused by secret key exposure. Specifically, forward security of signatures guarantees that the exposure of a present secret key cannot affect the preceding generated signatures. Its core idea is a key evolution mechanism, where the lifetime of signature schemes is divided into \(\tau \) discrete time periods. When a time period is updated to the next one, a new secret key is also computed from the current one by this one-way key evolution, while the current secret key is deleted. Since the key evolution is one-way, the previously generated signature is still secure even if an adversary obtains a current secret key. Therefore, how to design a proper key evolution mechanism is the point of a forward secure ring signature.

On the other hand, current ring signatures are constructed based on the hardness of some number-theoretical problems, such as prime factorization problems, discrete logarithm problems, bilinear maps problems, etc. However, Shor’s quantum algorithm [30] shows that all these classical problems can be solved in polynomial time in a practical quantum computer. So Post-Quantum Cryptography (PQC) is widely studied to withstand the attack from quantum computers. In fact, some international standards organizations such as NIST, ISO, and IETF have been conducting PQC standardization projects for a long time. Generally, three primitives are focused on: Public-Key Encryption algorithms (PKE), Key Encapsulation Mechanisms (KEM), and digital signature (DS) schemes. Among the several categories, lattice-based cryptography is considered the most promising candidate for its robust security strength, comparative light communication cost, desirable efficiency, and excellent adaptation capabilities. Indeed, NIST announced three lattice-based PKE/KEM/signature algorithms over four candidate finalists in 2022.

1.1 Contributions and Approaches

In this paper, we proposed the first lattice-based ring signature scheme with forward security, which is expected to resist the attack from quantum computers. Under the inspiration of [24, 32], the proposed scheme is proved secure under the standard model. In this scheme, we combine the binary tree structure and lattice basis delegation technique to realize a key evolution mechanism. Based on this mechanism, secret keys are updated as the change of time periods, which is able to satisfy forward security.

In our work, we use leaf nodes in a binary tree structure of the depth l to discretize the lifetime into \(2^l\) intervals. The lattice trapdoor generation algorithm is used to obtain a matrix \(A_k\) along with a basis \(T_{A_k}\) of lattice \(\varLambda ^{\perp }_q(A_k)\) as the public key and the initial secret key of group member k, respectively. Without loss of generality, assume that the user with index i is the real signer, then \(A_i\) is the corresponding matrix of \({\textbf {root}}\) node in the binary tree. Then we choose 2l randomly uniform matrices \(A_j^{(b_j)}\) of the size as \(A_i\) for \(j\in \{1,2,\dots ,l\}\) and \(b_j\in \{0,1\}\). For each node \(\varTheta ^{(j)}=(\theta _1,\dots ,\theta _k,\dots ,\theta _j)\) with \(\theta _k\in \{0,1\}\) and \(k\in \{1,2,\dots ,j\}\), we set the corresponding matrix \(F_{\varTheta ^{(j)}}=[A_i||A_1^{(\theta _1)}||\dots ||A_j^{(\theta _j)}]\). We employ lattice basis extension algorithm to compute trapdoors of any nodes, inputting the corresponding matrix and the trapdoor of the \({\textbf {root}}\) node (or the trapdoor of its ancestor node). According to the property of the basis extension algorithm, the computation of lattice trapdoors can not be operated inversely, which realizes the one-way key evolution. After arranging the trapdoor of each node, we apply the minimal cover set to guarantee the signer’s secret key \(sk_{i,t}\) in time period t includes the ancestor trapdoor for time periods \(t'\) (\(t'\ge t\)) and does not include any trapdoor for time periods \(t''\) (\(t''<t\)).

1.2 Related Works

Forward Security: Anderson [4] first introduced forward security in signatures, which protects the use of past secret keys even if the current key is revealed. Bellare et al. [5] further formalized the definition of forward secure signatures and provided a construction based on the hardness assumption of the integer factorization problem. Then, Abdalla et al. [1] and Itkis et al. [18] did respectively some work to improve the efficiency of [5]. Besides, many forward secure cryptosystems were given, such as forward secure public key encryption systems [7, 10, 12], forward secure group signatures [9, 21, 22, 27], forward secure blind signatures [13, 19, 20], forward secure ring signatures [23, 24], forward secure linkable ring signature [8], etc.

Lattice-Based Signatures: In 2008, Gentry et al. [15] proposed a lattice-based signature scheme using a preimage sampling algorithm. On the one hand, this work showed a “hash-and-sign” paradigm that can achieve high computing speed with a compact design and owns a shorter output size. On the other hand, this paradigm has some shortcomings, i.e., limitations to parameter sets, difficulty in conducting high-speed implementation, and inability to withstand side-channel attacks [25]. In 2010, Cash et al. [11] designed a lattice basis delegation technique that allows obtaining a short basis of a designated lattice from a short basis of a related lattice. They also showed a lattice-based signature scheme with this technique. Many current lattice-based signature schemes adopt this delegation technique to expand the lattice bases. In 2011, Wang et al. [32] constructed a lattice-based ring signature using the delegation algorithm. In 2011, Yu et al. [33] constructed an identity-based signature scheme with forward security. Further, Ling et al. [22] proposed the first forward secure group signature from lattices in 2019. Then, Le et al. [20] gave the first forward secure blind signature from lattices. Simultaneously, Feng et al. [14] gave a traceable ring signature from lattices. In 2022, Hu et al. [17] gave a lattice-based linkable ring signature scheme with the standard model.

Ring Signatures: Rivest et al. [28] first proposed a ring signature in 2001. Then many ring signature schemes [6, 16, 29, 31] were constructed, whose security models do not rely on random oracles. However, the above schemes do not consider forward security and post-quantum security either. In 2008, Liu et al. [23] first proposed a forward secure ring signature to reduce the damage from the key exposure, and they also gave a construction under the random oracle model. Further, Liu et al. [24] showed a forward secure ring signature based on the bilinear maps without random oracles.

To sum up, due to the apparent resistance to quantum computing attacks, lattice-based cryptography has attracted more and more attention. In particular, the forward security of signatures is considered one of the most promising ways to minimize the damage caused by secret key exposure. However, to the authors’ knowledge, there is no lattice-based ring signature scheme with forward security. The work in this paper aims to fill this gap.

1.3 Organization

The rest of the paper is organized as follows. Section 2 shows preliminaries on lattice, hardness assumptions, and related algorithms. We introduce the syntax of ring signature with forward security in Sect. 3. In Sect. 4, the specific construction in lattices is given. Finally, we conclude our work in Sect. 5.

2 Preliminaries

2.1 Lattices

Given positive integers nm and some linearly independent vectors b\(_i \in \mathbb {R}^m\) for \(i\in \{1,2,\dots ,n\}\), the set generated by the above vectors \(\varLambda (\)b\(_1,\dots ,\)b\(_n)=\{\varSigma ^n_{i=1}x_i\)b\(_i|x_i\in \mathbb {Z}\}\) is a lattice. The set \(\{\)b\(_1,\dots ,\)b\(_n\}\) is a lattice basis. m is the dimension and n is the rank. One lattice is full-rank if its dimension equals to the rank, namely, \(m=n\).

Definition 1

For positive integers nm and a prime q, a matrix \(A\in \mathbb {Z}^{n\times m}_q\) and a vector \({\textbf {u}}\in \mathbb {Z}^n_q\), define two sets:

$$\begin{aligned} \varLambda ^{\perp }_q(A):=\{{\textbf {e}}\in \mathbb {Z}^m|A{\textbf {e}}={\textbf {0}} \mod q \}\\ \varLambda ^{{\textbf {u}}}_q(A):=\{{\textbf {e}}\in \mathbb {Z}^m|A {\textbf {e}}={\textbf {u}} \mod q\}. \end{aligned}$$

Assuming that \(T\in \mathbb {Z}^{m\times m}\) is a basis of \(\varLambda ^{\perp }_q(A)\), T is a basis of \(\varLambda ^{\perp }_q(BA)\) for a full-rank \(B \in \mathbb {Z}_q^{n\times n}\).

2.2 Hardness Assumption

Definition 2 (Small integer solution, SIS problem)

Given an integer q, a matrix \(A\in \mathbb {Z}_q^{n\times m}\) and a real \(\beta >0\), find a nonzero integer vector \({\textbf {e}}\in \mathbb {Z}^m\) such that \(A{\textbf {e}}=0\mod q\) and \(\Vert {\textbf {e}}\Vert \le \beta \).

The SIS problem [15, 26] has been proved as hard as approximating the worst-case Gap-SVP (smallest vector problem) and SIVP with certain factors.

2.3 Lattice Algorithms

Definition 3 (Gaussian distribution)

Given parameter \(\sigma \in \mathbb {R}^+\), a vector \({\textbf {c}}\in \mathbb {R}^{m}\) and a lattice \(\varLambda \), \(\textbf{D}_{\varLambda , \sigma , {\textbf {c}}}\) is a discrete gaussian distribution over \(\varLambda \) with a center c and a parameter \(\sigma \), denoted by \(\textbf{D}_{\varLambda , \sigma , {\textbf {c}}}= \dfrac{\rho _{\sigma , {\textbf {c}}({\textbf {x}})}}{\rho _{\sigma , {\textbf {c}}(\varLambda )}}\) for \( \forall {\textbf {x}}\in \varLambda \), where \(\rho _{\sigma , {\textbf {c}}(\varLambda )}=\sum _{{\textbf {x}}\in \varLambda }\rho _{\sigma , {\textbf {c}}({\textbf {x}})}\) and \(\rho _{\sigma , {\textbf {c}}({\textbf {x}})}=\exp (-\pi \dfrac{\Vert {\textbf {x}}-{\textbf {c}}\Vert ^2}{\sigma ^2})\). When \({\textbf {c}}=0\), \(\textbf{D}_{\varLambda , \sigma , 0}\) can be abbreviated as \(\textbf{D}_{\varLambda , \sigma }\).

Lemma 1 (TrapGen algorithm)

[2, 3, 15]. Given integers nmq with \(q>2\) and \(m\geqslant 6n\log q\) as the input, there is a probabilistic polynomial-time (PPT) algorithm TrapGen, outputs a matrix \(A\in \mathbb {Z}_q^{n\times m}\) along with a basis \(T_{A}\) of the lattice \(\varLambda _q^{\perp }(A)\), namely, \(A\cdot T_A=0\mod q\), where the distribution of A is statistically close to uniform on \(\mathbb {Z}_q^{n\times m}\), and the Gram-Schmidt norm \(\Vert \widetilde{T_A}\Vert \leqslant O(\sqrt{n\log q})\).

Lemma 2 (ExtBasis algorithm)

[11]. Given an arbitrary matrix \(A\in \mathbb {Z}_q^{n\times m}\) whose columns generate the group \(\mathbb {Z}_q^n\), an arbitrary basis \(S\in \mathbb {Z}^{m\times m}\) of \(\varLambda _q^{\perp }(A)\) and an arbitrary matrix \(A' \in \mathbb {Z}_q^{n\times m'}\), there is a deterministic polynomial-time algorithm ExtBasis which can output a basis \(S''\) of \(\varLambda _q^{\perp }(A'')\subseteq \mathbb {Z}_q^{m''\times m''}\) such that \(\Vert \widetilde{S}\Vert =\Vert \widetilde{S''}\Vert \), where \(A''=A||A'\), \(m''=m+m'\). Moreover, the above results apply to the situation that the columns of \(A'\) are prepended to A. This algorithm can be denoted by \(S''\leftarrow ExtBasis(A'',S)\).

Lemma 3 (GenSamplePre algorithm)

[11, 32]. Given a matrix \(A_R=[A_1||A_3]\) and a short basis \(B_R\) of the lattice \(\varLambda _q^{\perp }(A_R)\), a parameter \(\delta \ge \Vert \widetilde{B_R}\Vert \cdot \omega (\sqrt{\log n})\), a vector \({\textbf {y}}\in \mathbb {Z}_q^n\), there is an algorithm \(GenSamplePre(A_S,A_R,B_R,{} {\textbf {y}},\delta )\) to sample a preimage \({\textbf {e}}\) which is within negligible statistical distance of \(D_{\varLambda _q^{{\textbf {y}}}(A_S),\delta }\), namely, \(A_S {\textbf {e}}={\textbf {y}}\mod q\), where \(A_1\in \mathbb {Z}_q^{n\times k_1m}\), \(A_2\in \mathbb {Z}_q^{n\times k_2m},A_3\in \mathbb {Z}_q^{n\times k_3m},A_4\in \mathbb {Z}_q^{n\times k_4m}\), \(A_S=[A_1||A_2||A_3||A_4]\), and \(k_1,k_2,k_3,k_4\) are positive integers.

The TrapGen algorithm will be used to generate the public-secret key pairs in the following scheme. And the GenSamplePre algorithm can be achieved by invoking preimage sample algorithm which was introduced in [15]. The ExtBasis algorithm will be used to update keys as the change of time periods.

3 Syntax of Forward Secure Ring Signature

This section shows the model of forward secure ring signature and its security model which was first proposed in [24]. The security of ring signatures is required with two points, anonymity and unforgeability.

3.1 System Model

One forward secure ring signature scheme consists of five algorithms, \(\varPi \) = (Setup, KeyGen, KeyUpdate, Sign, Verify), which was first introduced by Liu et al. [24].

  • \(pp \leftarrow \) Setup(\(\lambda \)): Given the security parameter \(\lambda \) as the input, the setup algorithm outputs the system public parameter pp.

  • \((pk_i,sk_{i,0})\leftarrow \) KeyGen(pp): Given the public parameter pp, the key generation algorithm outputs the public-secret key pair \((pk_i,sk_{i,0})\) of user i at the original time, namely, the time period \(t=0\).

  • \(sk_{i,t+1}\leftarrow \) KeyUpdate(\(sk_{i,t},t \)): Given the secret key \(sk_{i,t}\) of user i with the time period t as the input, this key update algorithm generates a new secret key \(sk_{i,t+1}\) at the time period \(t+1\), and deletes the previous secret key \(sk_t\).

  • \(\sigma _t \leftarrow \) Sign(\(sk_{i,t}, {\textbf {m}}, R, t\)): Given a time period t, the secret key \(sk_{i,t}\), a set R of public keys (represents the ring of users) and the message \({\textbf {m}}\) as the input, this algorithm returns a signature \(\sigma _t\).

  • Verify(\(R, {\textbf {m}},\sigma _t, t\)): Given public keys set R, signature \(\sigma _t\), message \({\textbf {m}}\), and the time period t as the input, the algorithm outputs 1 for accept, namely, the signature is valid for this message. Otherwise returns 0 for reject.

3.2 Anonymity

The anonymity implies an adversary cannot tell which member of a ring generates signatures. Here we show a game between a challenge \(\mathscr {C}\) and an adversary \(\mathscr {A}\) to describe the anonymity against full key exposure [6] on forward secure ring signature. Compared with the definition of anonymity in the standard ring signature, the adversary in this model is given secret keys with the original time period instead of having the right to access a corruption oracle, which means the adversary can obtain the secret keys of all users for any time period.

  • Setup: The challenger \(\mathscr {C}\) runs \({\textbf {KeyGen}}\) algorithm for \(n'\) times to get public-secret key pairs \((pk_1, sk_{1,0}),\dots , (pk_{n'}, sk_{n',0})\), then \(\mathscr {C}\) sends the public key set \(R=\{pk_1,\dots ,pk_{n'}\}\) and the secret key set \(\{sk_{1,0},\dots ,sk_{n',0}\}\) at original time period to the adversary \(\mathscr {A}\).

  • Query 1: \(\mathscr {A}\) queries adaptively signing oracle and submits a message \({\textbf {m}}\), a time period t, a ring set R with group members’ public keys, a public key \(pk_i\in R\), challenger \(\mathscr {C}\) runs \({\textbf {Sign}}\) algorithm to respond signing oracle queries.

  • Challenge: \(\mathscr {A}\) chooses a time \(t^*\), a group size \(n^*\), a message \({\textbf {m}}^*\), a set \(R^*\) of \(n^*\) public keys which satisfies two public keys \(pk_{i_0}, pk_{i_1}\in R\) are included in \(R^*\), and sends them to \(\mathscr {C}\). \(\mathscr {C}\) selects randomly a bit \(b\in \{0,1\}\) and runs \(\sigma ^*_{t^*}\leftarrow {\textbf {Sign}}(t^*, n^*, R^*, sk_{i_b,t^*},{\textbf {m}}^*)\). The challenger sends signature \(\sigma ^*_{t^*}\) to \(\mathscr {A}\).

  • Query 2: \(\mathscr {A}\) is allowed to query the signing oracle adaptively.

  • Guess: \(\mathscr {A}\) returns a guess \(b'\).

\(\mathscr {A}\) wins this game if \(b'=b\) holds. The advantage that \(\mathscr {A}\) wins this game for the security parameter \(\lambda \) is

$$\begin{aligned} {\textbf {Adv}}_{\mathscr {A}}^{Anon}(\lambda )=|Pr[b=b']-\dfrac{1}{2}|. \end{aligned}$$

Definition 4

A forward secure ring signature scheme is anonymous, if for any PPT adversary \(\mathscr {A}\), the defined advantage \({\textbf {Adv}}_{\mathscr {A}}^{Anon}(\lambda )\) is negligible.

3.3 Forward Security

The forward security of ring signature schemes is described by the following game which was first introduced in [24]. Here an adversary cannot output a valid signature \(\sigma _{t^*}^*\) for a message \({\textbf {m}}^*\), a ring \(R^*\), and a time period \(t^*\), such that \(Verify({\textbf {m}}^*,\sigma _{t^*}^*, t^*)=1\) unless either one of public keys in \(R^*\) is generated by the adversary or a user whose public key is contained in \(R^*\) signs \({\textbf {m}}^*\). The details of this game are as follows:

  • Setup: The challenger runs \({\textbf {KeyGen}}\) algorithm for \(n'\) times and obtains some public key and original secret key pairs \((pk_1, sk_{1,0}),\dots , (pk_{n'}, sk_{n',0})\), then he sends the set of public keys \(S=(pk_1,\dots ,pk_{n'})\) to the adversary.

  • Query phase: \(\mathscr {A}\) queries the following oracles adaptively.

    • Corruption oracle query \((sk_{i,t}\leftarrow CO(pk_i,t))\): Inputting a public key \(pk_i\in S\) and a time t, the oracle outputs secret key \(sk_{i,t}\).

    • Signing oracle query \(SO(t,n,R, pk_i,{\textbf {m}})\): Inputting a time t, a group size n, a set of n public keys R, a public key \(pk_i\in R\) and a message \({\textbf {m}}\), this oracle outputs a signature \(\sigma _t\) with the time t.

  • Output: \(\mathscr {A}\) outputs a signature \(\sigma ^*_{t^*},\) a ring \(R^*\) with the number \(n^*\) of users, a time \(t^*\) and a message \({\textbf {m}}^*\).

\(\mathscr {A}\) wins the game if the following conditions holds:

  1. 1.

    \(Verify({\textbf {m}}^*,\sigma ^*_{t^*}, t^*)=1\),

  2. 2.

    \(R^*\subseteq S\),

  3. 3.

    for all \(pk^*_i\in R^*\), there is no \(CO(pk^*_i,t')\) query with time \(t'\leqslant t^*\),

  4. 4.

    there is no \(SO(t^*,n^*,R^*,{\textbf {m}}^*)\) query.

Definition 5

A ring signature scheme is unforgeable with forward security, if for all PPT adversary \(\mathscr {A}\), the advantage \(Adv_{\mathscr {A}}^{fs}(\lambda )\) that \(\mathscr {A}\) wins the above game is negligible on the security parameter \(\lambda \).

4 Lattice-Based Construction

In this section, we first show a framework how to generally assign time periods, and generate the corresponding lattice trapdoor for each node in a binary tree. Then, we propose a lattice-based forward secure ring signature scheme.

4.1 Description of Key Update with Time Periods

Our construction employs binary tree structure and lattice basis delegation technique, ExtBasis algorithm, to realize the update of secret keys with the change of time periods. The details are described as follows.

  • Time arrangement in Binary Tree:

    • We assign the time periods \(t\in \{0,1,\dots ,2^l-1\}\) to leaf nodes of a binary tree with depth l from left to right. Assume that \(l=3\), then the number of time intervals is 8.

    • On each time period t, there is an unique path \(t=(t_1,\dots ,t_l)\) from the root node to leaf node. And for the ith level, \(t_i=0\) if the node in this path is left node, otherwise \(t_i=1\). Similarly, for the ith level node (\(i\ne l\)), its path from the root node to this node is denoted uniquely by \(\varTheta ^{(i)}=(\theta _1,\dots ,\theta _i)\), where \(\theta _i\in \{0,1\}\) is defined as same as \(t_i\).

  • Update of lattice trapdoor of nodes:

    • TrapGen algorithm is run to obtain a random matrix \(A_0\in \mathbb {Z}_q^{n\times m}\) and a lattice basis \(T_{A_0}\) of lattice \(\varLambda ^{\perp }(A_0)\). We define the corresponding matrix \(F_{\varTheta ^{(i)}}=[A_0||A_1^{(\theta _1)}||\dots ||A_i^{(\theta _i)}]\) for \(\varTheta ^{(i)}\), and the matrix \(F_t=[A_0||A_1^{(t_1)}||\dots ||A_l^{(t_l)}]\) for a time period t, where \(A^{(b)}_i\) are random matrices for \(i\in \{1,2,\dots ,l\}\) and \(b\in \{0,1\}\). \(A_0\) is regarded as the corresponding matrix of root node and \(T_{A_0}\) is a lattice trapdoor for root node.

    • Considering the computation of a corresponding lattice trapdoor \(T_{\varTheta ^{(i)}}\) for the node \(\varTheta ^{(i)}\) of the binary tree, we employ lattice basis extension algorithm ExtBasis. There are two following situations.

      1. *

        Given the original lattice trapdoor \(T_{A_0}\), the trapdoor \(T_{\varTheta ^{(i)}}\) can be computed as follows:

        $$\begin{aligned} T_{\varTheta ^{(i)}}\leftarrow ExtBasis(F_{\varTheta ^{(i)}}, T_{A_0}), \end{aligned}$$

        where \(F_{\varTheta ^{(i)}}=[A_0||A_1^{(\theta _1)}||\dots ||A_i^{(\theta _i)}]\).

      2. *

        The trapdoor \(T_{\varTheta ^{(i)}}\) can also be computed from its any ancestor’s trapdoor. For example, given \(T_{\varTheta ^{(k)}}\),

        $$\begin{aligned} T_{\varTheta ^{(i)}}\leftarrow ExtBasis(F_{\varTheta ^{(i)}}, T_{\varTheta ^{(k)}}), \end{aligned}$$

        where \(F_{\varTheta ^{(i)}}=[A_0||A_1^{(\theta _1)}||\dots ||A_i^{(\theta _i)}]\) and \(\varTheta ^{(i)}=(\theta _1,\dots ,\theta _k,\theta _{k+1},\dots ,\theta _i)\) for \(k<i\). That is to say, the trapdoor \(T_{\varTheta ^{(i)}}\) is a basis of the lattice \(\varLambda ^{\perp }(F_{\varTheta ^{(i)}})\).

    • The above methods are also suitable for computing lattice trapdoors for time periods (i.e., leaf nodes), if its ancestor’s lattice trapdoor is known.

Fig. 1.
figure 1

Binary tree of depth \(l=3\): without losing generality, assume that the signer is a user with the index i in the group, then the corresponding matrix for root node is \(A_i\) and its trapdoor is \(T_{A_i}\). Assume that \(t=1\), its path contains nodes marked with “red” background and there are the corresponding matrix \(F_{i,001}=[A_i||A_1^{(0)}||A_2^{(0)}||A_3^{(1)}]\) and its trapdoor \(T_{001}\) in node “001”. When the time period is changed from \(t=2\) to \(t=3\), the minimal cover is updated from \(Node(2)=\{01,1\}\) to \(Node(3)=\{011,1\}\) and the secret key is also updated from \(sk_{i,2}=\{T_{01},T_1\}\) to \(sk_{i,3}=\{T_{011},T_1\}\). (Color figure online)

Full size image

4.2 Our Lattice-Based Proposal

Here, we show the lattice-based construction which uses the key evolution (KV) mechanism on the binary tree to achieve the key update and forward security.

  • Setup(\(\lambda \)): Given security parameter \(\lambda \) as input, set the number of time period \(\tau =2^l\) where l is the depth of the binary tree, set system parameters \(n,m,q,d, \delta \), where nm are integer, q is prime, d represents the length of the signed messages, \(\delta \) is the parameter of sampling algorithm, the maximum number of users max, the setup algorithm performs as follows:

    • Choose 2l random matrices \( A_1^{(0)}, A_1^{(1)},\dots , A_l^{(0)}, A_l^{(1)}\in \mathbb {Z}^{n\times m}_q\),

    • Choose random and independent matrices \(C_0,C_1,\dots ,C_d\in \mathbb {Z}^{n\times m}_q\),

    • Outputs the public parameter \(pp=(q,n,m,d,\delta ,\tau , max, A_1^{(0)}, A_1^{(1)},\dots , A_l^{(0)}, A_l^{(1)},\) \( C_0,C_1,\dots ,C_d)\).

  • KeyGen(pp): Given the public parameter pp, the key generation algorithm performs as follows.

    • For the user with index i (\(1\le i \le max\)), run TrapGen(nmq) algorithm to obtain a random matrix \(A_i\) and a basis \(T_{A_i}\) of lattice \(\varLambda ^{\perp }(A_i)\),

    • Returns the public-secret key \((pk_i,sk_{i,0})=(A_i,T_{A_i})\) for user i.

  • KeyUpdate(\(pp, sk_{i,t}, pk_i\)): Given the public parameter pp, a secret key \(sk_{i,t}\) with the time period t and public key \(pk_i=A_i\) of a user with the index i as input, the key update algorithm invokes ExtBasis algorithm combining with the binary tree, and returns the updated secret key \(sk_{i,t+1}\) in the time period \(t+1\). The details of key evolution mechanism to achieve the secret key update are as follows:

    • For any leaf node t in the binary tree, a minimal cover Node(t) represents the smallest set that contains an ancestor of all leaves in \(\{t, t+1,\dots ,\tau -1\}\) but does not contains any ancestors of any leaf in \(\{0,1,\dots ,t-1\}\). For example, as shown in Fig. 1, \(Node(0)=\{{\textbf {root}}\}\), \(Node(1)=\{001,01,1\}\), \(Node(2)=\{01,1\}\), \(Node(3)=\{011,1\}\), \(Node(4)=\{1\}\), \(Node(5)=\{101,11\}\), \(Node(6)=\{11\}\), \(Node(7)=\{111\}\).

    • Based on the rules in the Sect. 4.1, each node in the binary tree owns the corresponding trapdoor, for example, for the node “01” in Level 2, its lattice trapdoor is denoted by \(T_{01}\) which is a basis of lattice \(\varLambda _q^{\perp }(F_{i,01})\) and \(F_{i,01}=[A_i||A_1^{(0)}||A_2^{(1)}]\). Then the secret key \(sk_t\) at the time period t consists of trapdoors of all nodes in the set Node(t). In Fig. 1, we have \(sk_{i,0}=\{T_{A_i}\}\), \(sk_{i,1}=\{T_{001}, T_{01}, T_{1}\}\), where \(T_{001}, T_{01}, T_{1}\) are the corresponding trapdoor (basis) for \(F_{i,001}=[A_i||A_1^{(0)}||A_2^{(0)}||A_3^{(1)}]\), \(F_{i, 01}=[A_i||A_1^{(0)}||A_2^{(1)}]\), \(F_{i,1}=[A_i||A_1^{(1)}]\), respectively.

    • To realize the update from \(sk_{i,t}\) to \(sk_{i,t+1}\), the signer i determines firstly the minimal cover \(Node(t+1)\), then grabs all trapdoors of nodes which are in \(Node(t+1)\) by using the methods introduced in Sect. 4.1, and deletes the trapdoors of nodes in \(Node(t)\backslash Node(t+1)\) to realize the one-way key evolution mechanism. Finally, the signer can obtain the secret key \(sk_{i,t+1}\). For example, given \(sk_{i,1}=\{T_{001},T_{01}, T_1\}\), then \(sk_{i,2}=\{T_{01},T_1\}\), where \(Node(1)\backslash Node(2)=\{001\}\) and \(T_{001}\) will be deleted.

    • This algorithm outputs the secret key \(sk_{i,t+1}\) of the signer with index i in the time period \(t+1\), and deletes the secret key \(sk_{i,t}\).

  • Sign(\({\textbf {m}}, sk_{i,t}, R,t\)): Given a ring of N users with public keys \(R=\{A_1,A_2,\dots , A_N\}\), the message \({\textbf {m}}\in \{0\}\times \{0,1\}^d\) with the length of \(d+1\), the signer i with the secret key \(sk_{i,t}\) at the time period t generates a signature as follows:

    • The signer i checks firstly if \(sk_{i,t}\) contains the trapdoor \(T_{ \varTheta ^{(t)}}\). Otherwise, he runs \(ExtBasis(F_{\varTheta ^{(t)}}, T_{\varTheta ^{(k)}})\) to compute \(T_{\varTheta ^{(t)}}\), where \(T_{\varTheta ^{(k)}}\) is an ancestor basis of \(T_{\varTheta ^{(t)}}\) in the secret key \(sk_{i,t}\),

    • Set \(C_{{\textbf {m}}}=\sum _{j=0}^d(-1)^{{\textbf {m}}[j]}C_j\in \mathbb {Z}_q^{n\times m}\), where \({\textbf {m}}[j]\) is the jth bit of the message \({\textbf {m}}\),

    • Runs \(GenSamplePre(A_{R,t}, F_{i,t}, T_{ \varTheta ^{(t)}},{\textbf {0}}, \delta )\) to obtain \({\textbf {e}}\in \mathbb {Z}_q^{[N(l+1)+1]m}\) which satisfies \(A_{R,t}\cdot {\textbf {e}}={\textbf {0}} \mod q\), where \(F_{i,t}=[A_i||A_1^{(t_1)}||\dots ||A_l^{(t_l)}]\), \(A_{R,t}=[F_{1,t}||F_{2,t}||\dots ||F_{N,t}||C_{{\textbf {m}}}]\),

    • Returns \(\sigma _t={\textbf {e}}\) as the ring signature of \({\textbf {m}}\) during the time period t.

  • Verify(\(R, {\textbf {m}},\sigma _t, t\)): The verify algorithm performs as follows:

    • Compute \(C_{{\textbf {m}}}=\sum _{j=0}^d(-1)^{{\textbf {m}}[j]}C_j\),

    • Accept if \(A_{R,t}\cdot {\textbf {e}}= {\textbf {0}} \mod q\) holds and \(\Vert {\textbf {e}}\Vert \leqslant \delta \sqrt{[N(l+1)+1]m}\), receive this signature. Otherwise, reject it.

Correctness: According to the GenSamplePre algorithm, the vector \({\textbf {e}}\) satisfies \(A_{R,t}\cdot {\textbf {e}}={\textbf {0}} \mod q\) and \(\Vert {\textbf {e}}\Vert \leqslant \delta \sqrt{[N(l+1)+1]m}\) with overwhelming probability. \({\textbf {e}}\) is within negligible statical distance of \(D_{\varLambda _q^{\perp }(A_{R,t}),\delta }\).

4.3 Security Analysis

Theorem 1

The proposed ring signature scheme is fully-anonymous, if \(SIS_{q,N(l+1)m,\delta }\) problem is intractable, where N is the size of ring.

Theorem 2

The proposed ring signature is unforgeable with forward security, if \(SIS_{q,N(1+2l)m,\delta }\) problem is hard, where N is the size of the challenge ring.

The proof of Theorem 1 and Theorem 2 can be found in the full version [34].

5 Conclusion

This paper shows the first lattice-based ring signature scheme with forward security under the standard model. Our proposal combines lattice delegation techniques with a binary tree structure to realize a key evolution mechanism. Based on this one-way evolution mechanism, secret keys can be updated timely with generating nodes in the binary tree, which guarantees that the exposure of a current secret key can not threaten the past signatures. Moreover, our scheme is expected to be post-quantum secure due to its underlying security assumption on the hardness of the SIS problem in lattice theory. The meaningful future work is to optimize the size of public parameters and signature.