Non-interactive deniable ring signature without random oracles


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9:1810–1819
Published online 26 July 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.859

SPECIAL ISSUE PAPER

Non-interactive deniable ring signature without random oracles

Shengke Zeng 1*, Qinyi Li 2, Zhiguang Qin 2 and Qing Lu 2
1 School of Mathematics and Computer Engineering, Xihua University, Chengdu, 610039, China
2 School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, 611731, China

ABSTRACT

A ring signature scheme protects the signer's privacy while signing. In a ring signature scheme, the signer can randomly choose the verification keys of a set of entities and generate a signature on behalf of these entities. The generated signature can be verified by anyone given all these verification keys. Consequently, a ring signature convinces a verifier that one member of these entities produced the signature without revealing which one. This property is good for the signer, as his identity is not leaked. However, the signer can also make use of this capacity to generate a malicious signature on behalf of a ring. Because of the unconditional anonymity of ring signatures, such a signer cannot be traced and held responsible for his malicious signing. Group signature avoids this problem because the group manager can trace the actual signer by using the trapdoor. However, the group is fixed from the beginning, and it needs a complicated setup algorithm. Deniable ring signature, introduced by Komano et al., allows the anonymity of the actual signer to be revoked without the manager's help if necessary. The actual signer can confirm his signing to anyone through the confirmation protocol. On the other hand, non-signers in the ring can disavow this signing by the disavowal protocol. Therefore, the actual signer can be traced.
However, Komano's scheme was proven secure only in the random oracle model, and its traceability protocols (the confirmation and disavowal protocols) are interactive. To improve on Komano's construction, this work proposes a new efficient non-interactive deniable ring signature scheme in the standard model. It is a kind of ring signature and therefore does not require a setup algorithm, and the ring in the scheme is flexible. Copyright 2013 John Wiley & Sons, Ltd.

KEYWORDS
deniable ring signature; standard model; NIWI proof system

*Correspondence
Shengke Zeng, School of Mathematics and Computer Engineering, Xihua University, Chengdu, 610039, China.
E-mail: zengshengke@gmail.com

1. INTRODUCTION

Ring signature was introduced by Rivest et al. [1] as a solution for signing a message anonymously. In such a scheme, the signer randomly chooses some entities to form a set (including the signer) and then produces a signature on behalf of this set. Similar to the ring signature, the group signature [2] protects the privacy of the signer. However, the group signature requires a setup algorithm and a group manager who holds a trapdoor when a member joins the set. Moreover, in the group signature the set is fixed from the beginning, so it is not suited to the ad hoc setting. The ring signature has a more flexible frame: there is no special node (e.g. a group manager), and no setup algorithm is required. If all the members' public keys can be accessed, the ring signature scheme can be built. However, unlike the group signature, the anonymity of the signer in the ring signature is unconditional (whereas in the group signature the manager can trace the actual signer by using the trapdoor). Even if all the private keys of the members of one set (ring) are revealed, it cannot be determined who the signer is. This property invites malicious signing: the signer may make use of this capacity to publish malicious signatures without having to answer for them.
Deniable ring signature (DRS) [3] solves this problem. DRS is a variant of ring signature; therefore, it does not require a group manager and is more flexible. It also provides efficient protocols to support traceability. If no dispute arises, the signer of a given ring signature remains concealed. However, if it is required to trace the actual signer and hold him responsible for his signing, or the actual

signer wishes to obtain some prize, the disavowal or confirmation protocol is performed to achieve that. There are some scenarios that require DRS. Suppose a member wants to leak a scandal to the government. In order to protect his identity, this whistleblower uses a ring signature scheme to leak this secret. Once the scandal is confirmed, the government may give a prize to the whistleblower. This member can run the confirmation protocol of the DRS to confirm that he is the whistleblower of this secret. Take another example. Suppose a signer produces a ring signature maliciously. This signer must be traced and brought to justice. Because of the unconditional anonymity of the original ring signatures, the actual signer cannot be determined even if all the ring members are required to show their private keys. In this case, DRS is necessary. All the non-signers run the disavowal protocol of the DRS to convince the judge that they are not the signer, while only the signer cannot pass the disavowal protocol. Hence, the actual signer is traced.

1.1. Related work

The notion of DRS was first proposed by Komano et al. [3]. This primitive is motivated by the notion of undeniable signature proposed by Chaum and van Antwerpen [4,5]. However, inherited from the undeniable signature scheme in [4,5], the confirmation/disavowal protocol in [3] is interactive. There are some other related works where the actual signer can be traced. Wu et al. [6] proposed an Ad Hoc Group Signature using the accumulator [7] and the knowledge signature [8], which essentially is a DRS. Their construction provides non-interactive self-traceability, and the signature size is constant. However, their security depends on the Decisional Factorization Diffie-Hellman (DFDH) assumption (see Definition 4), which is a non-standard assumption. Liu et al.
[9] proposed a revocable ring signature scheme where the signer's identity can be revealed by a set of authorities. Fujisaki [10,11] introduced traceable ring signature. In [10,11], if a signer signs twice on two different messages with the same tag, the actual signer can be identified. Zeng et al. [12,13] proposed a new efficient conditionally anonymous ring signature scheme in the random oracle model. Their schemes follow Komano et al.'s model. However, the confirmation and disavowal algorithms of Zeng et al. are non-interactive, and their security depends on the Decisional Bilinear Diffie-Hellman (DBDH) assumption (see Definition 5), which is a standard assumption. In order to improve the security, Zeng et al. also proposed a new framework for conditionally anonymous ring signature schemes without random oracles [14]. This framework is constructed from pseudorandom functions and a generic NIZK proof system, and is thus inefficient.

1.2. Motivation and contribution

Among the previously known works, Komano et al. [3], Wu et al. [6], and Zeng et al. [12,13] follow the framework of DRS but are only secure in the random oracle model. As argued in [15], cryptographic protocols constructed under random oracles are not always secure in the real world. Although [14] is secure without random oracles, it is inefficient. Therefore, it is significant to construct an efficient non-interactive deniable ring signature scheme in the standard model. We construct a new efficient deniable ring signature in the standard model in this work. This new scheme follows the security model of Komano et al. [3]. It is constructed from a non-interactive witness-indistinguishable (NIWI) proof system [16,17] and the sub-linear size ring signature scheme [18]. We provide the non-interactive confirmation protocol for the signer's confirmation of his signing, and the non-interactive disavowal protocol for the non-signers' disavowal.
Moreover, the ring signature size is O(√N) [18] (N is the ring size), which is sub-linear and much shorter than in [3] and [12,13]. We also give formal proofs of security without random oracles. Note that this paper is the full version of Zeng et al. [19] in ProvSec 2012. We polish the description of the construction, and the security proofs in this paper are more rigorous. In addition, we analyze the performance of this scheme, and a detailed comparison among the related works is given.

Organization. Section 2 introduces the preliminaries. Section 3 introduces the syntax and security model for DRS. Section 4 gives our concrete construction and the performance analysis. The formal security proofs of our construction are presented in Section 5. The last section is the conclusion.

2. PRELIMINARIES

2.1. Bilinear groups of composite order

In this work, we apply bilinear groups of composite order to our construction. This setting was introduced by Boneh, Goh, and Nissim (BGN) [20]. n is a composite with factorization into two primes p and q. G is a multiplicative cyclic group of order n. G_p and G_q are the p-order and q-order subgroups of G, respectively. G_T is a multiplicative cyclic group of order n. ê : G × G → G_T is a bilinear map. The properties of such a bilinear map are:
Bilinearity. ∀u, v ∈ G, ∀a, b ∈ Z_n, ê(u^a, v^b) = ê(u, v)^{ab}.
Non-degeneracy. ê(g, g) ≠ 1.
Computability. All the group operations and the bilinear map must be efficiently computable.

2.2. Complexity assumptions

Definition 1 (Subgroup Decision Assumption [20]). Let (n, G, G_T, ê, g) be the pairing parameters, where n = pq. The subgroup decision assumption states that it is impossible to distinguish a random element of G from a random element of G_q.

Definition 2 (Strong Diffie-Hellman Assumption (SDH) in G_p [21]). The SDH assumption states that, given a generator of G_p together with its x, x^2, ..., x^t powers as input, no probabilistic polynomial time (PPT) attacker can output a pair (c, ·^{1/(x+c)}) for that generator, where c ∈ Z_p.

Definition 3 (t-pseudo Random Decisional Diffie-Hellman Inversion Assumption (PR-DDHI) in G_p [11]). Let (n, G, G_T, ê, g, p, q) be the parameters of Definition 1 and g_p = g^q. An attacker A holding (n, G, G_T, ê, g, p, q) may query, up to t times, either a BB signature oracle returning g_p^{1/(x+·)} on query ·, or a random oracle returning random elements of G_p. The t-PR-DDHI assumption states that it is impossible for A to distinguish which oracle is answering him. Note that the t-PR-DDHI assumption holds in G = G_p × G_q if the t-PR-DDHI assumption holds in G_p and G_q [11].

Definition 4 (Decisional Factorization Diffie-Hellman Assumption (DFDH)). The DFDH assumption states that, given two elements g, h ∈ G of unknown order and two RSA integers a, b, it is difficult to decide whether log_g h is a non-trivial factor of a or b.

Definition 5 (Decisional Bilinear Diffie-Hellman Assumption (DBDH)). The DBDH assumption states that, given two groups G_1 and G_2 of order q and a generator P of G_1, it is infeasible to distinguish (aP, bP, cP, ê(P, P)^{abc}) from (aP, bP, cP, R), where a, b, c ∈ Z_q and R ∈ G_2.

2.3. Underlying signature

Our construction adopts the fully secure BB signature scheme proposed by Boneh and Boyen [21] as the underlying signature. It is secure against strong existential forgery under an adaptive chosen message attack provided that the SDH assumption holds in G_p (Definition 2). As Chandran et al. [18] pointed out, this signature scheme also adapts to composite order groups. The fully secure BB signature over a composite order bilinear group with a symmetric pairing is reviewed as follows:

KeyGen.
Given a group tuple (n, G, G_T, ê, g), where g is a generator of G, choose random x, y ∈ Z_n. The verification key is (g^x, g^y). The signing key is (x, y).
Signing. Given the signing key (x, y) and a message m, pick r ∈ Z_n \ {−(x+m)/y} and compute the group element g^{1/(x+yr+m)} ∈ G. The signature is the pair consisting of this element and r.
Verification. Given the verification key (g^x, g^y), the message m and the signature (element, r), check the equation ê(element, g^x (g^y)^r g^m) =? ê(g, g). If it holds, accept.

Theorem 1. The fully secure BB signature is unforgeable against strong existential forgery under an adaptive chosen message attack if the SDH assumption holds.

2.4. Non-interactive witness-indistinguishable proof

In a proof system, a prover P convinces a verifier V of the truth of a statement. Let (x, ω) ∈ R, where x is the statement, ω is the witness for this statement, and R is a binary relation. Suppose L is the NP language consisting of the statements that have a witness under R. A pair (P, V) is called a NIWI proof system for L if it satisfies the following properties (where ( ) is the security parameter):
Completeness. For any common reference string crs ∈ {0, 1}^( ), V_crs(x, P_crs(x, ω)) = 1 holds with overwhelming probability.
Adaptive soundness. For any attacker A, Pr[V_crs(x, ( )) = 1 : (x, ( )) ← A(crs), crs ← {0, 1}^( )] = 0 holds with overwhelming probability.
Witness-indistinguishability. Pr[(x, ω_0, ω_1) ← A( ); ( ) ← P( , x, ω_0) : A(( )) = 1 ∧ (x, ω_0), (x, ω_1) ∈ R] ≈ Pr[(x, ω_0, ω_1) ← A( ); ( ) ← P( , x, ω_1) : A(( )) = 1 ∧ (x, ω_0), (x, ω_1) ∈ R].

2.5. Non-interactive witness-indistinguishable proofs for commitment scheme

We now apply the efficient Groth-Sahai NIWI proofs [16,17] to commitments. These proofs show that committed values satisfy bilinear pairing product equations such as ê( , g^x g^m) = ê(g, g). This is a weak version of the BB signature verification equation; we take it as the example.
The NIWI proofs are generated as follows:
(1) Generate a commitment C to the signature element and a commitment L to the variable g^x using the BGN commitment scheme [20]. Therefore, C = ( ) h^{r_1} and L = g^x h^{r_2}, where h ∈ G and r_1, r_2 ∈ Z_n.
(2) Plug the commitments in place of the variables in the BB verification equation. That is:
ê(C, L g^m) = ê(( ) h^{r_1}, g^x h^{r_2} g^m)
= ê(( ), g^x g^m) ê(( ), h^{r_2}) ê(g^{x+m}, h^{r_1}) ê(h^{r_1}, h^{r_2})
= ê(g, g) ê(( ), h^{r_2}) ê(g^{x+m}, h^{r_1}) ê(h^{r_1}, h^{r_2})
= ê(g, g) ê(( )^{r_2} g^{(x+m) r_1} h^{r_1 r_2}, h)
(3) Regard ( )^{r_2} g^{(x+m) r_1} h^{r_1 r_2} as the prover's NIWI proof.
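The three steps above, carried through as an added derivation that is not part of the paper's text. It writes σ for the committed BB signature element and π for the resulting proof (these two names are this editor's; the page's symbols for them did not survive extraction), and τ for the exponent, ≡ 1 (mod p) and ≡ 0 (mod q), that the text calls the soundness key. Everything else uses the section's own symbols:

```latex
\begin{aligned}
C &= \sigma h^{r_1}, \qquad L = g^{x} h^{r_2}, \qquad \text{with } \hat e(\sigma, g^{x} g^{m}) = \hat e(g,g) \\[4pt]
\hat e(C, L g^{m})
 &= \hat e(\sigma h^{r_1},\; g^{x} h^{r_2} g^{m}) \\
 &= \hat e(\sigma, g^{x} g^{m})\,\hat e(\sigma, h^{r_2})\,\hat e(g^{x+m}, h^{r_1})\,\hat e(h^{r_1}, h^{r_2}) \\
 &= \hat e(g,g)\,\hat e(\sigma^{r_2}, h)\,\hat e(g^{(x+m) r_1}, h)\,\hat e(h^{r_1 r_2}, h) \\
 &= \hat e(g,g)\,\hat e(\pi, h), \qquad \pi := \sigma^{r_2}\, g^{(x+m) r_1}\, h^{r_1 r_2}. \\[6pt]
\text{Soundness (}h\text{ of order }q\text{):}\quad
 &\tau \equiv 1 \pmod p,\quad \tau \equiv 0 \pmod q,\quad \text{so } \tau^{2} \equiv \tau \pmod n \text{ and } h^{\tau} = 1, \\
\hat e(C, L g^{m})^{\tau^{2}}
 &= \hat e(C^{\tau}, (L g^{m})^{\tau}) = \hat e(C_p,\; L_p\, g_p^{m}) \\
 &= \hat e(g,g)^{\tau^{2}}\;\hat e(\pi^{\tau}, h^{\tau}) = \hat e(g_p, g_p).
\end{aligned}
```

The last three lines are the projection argument: because τ is idempotent modulo n, raising the pairing product equation to τ² is the same as projecting each argument of each pairing onto G_p once, and the proof term disappears entirely since h^τ = 1. When h instead has order n, r_1 and r_2 are uniform in Z_n and π reveals nothing about σ or g^x beyond what the equation itself states.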

The NIWI proof convinces the verifier that the committed values in C and L satisfy the BB verification equation (we denote this language by L_BB). When h has order q, it gives us soundness in G_p. In this setting, we have the soundness key ( ), with ( ) ≡ 1 (mod p) and ( ) ≡ 0 (mod q). Then the verifier is convinced that ê(C_p, L_p g_p^m) = ê(g_p, g_p) ê(( ), h)^{( )} = ê(g_p, g_p), where a_p denotes the projection of a onto G_p. Therefore, soundness is achieved because ( ) = C_p, g^x = L_p satisfy the BB signature verification equation in G_p. This proof achieves witness-indistinguishability when h has order n. In this setting, ( ) and g^x are perfectly hidden in the commitments, so only the proof term may carry information about the witness. For the proof term ( )^{r_2} g^{(x+m) r_1} h^{r_1 r_2}, any witness is consistent with the proof because r_1 and r_2 are random values. Therefore, witness-indistinguishability holds.

3. MODEL OF DENIABLE RING SIGNATURE

3.1. Syntax

We denote the universe of members by U = {M_1, M_2, ..., M_( )} and assume all the verification keys of the members in U can be accessed. A signer M_{i_k} ∈ U randomly chooses N entities M_{i_1}, ..., M_{i_k}, M_{i_{k+1}}, ..., M_{i_N} from the set U. We denote the set {M_{i_1}, ..., M_{i_k}, ..., M_{i_N}} by ring R. For simplicity, the ring R is denoted by the set of verification keys of the M_{i_j} ∈ R, that is, R = {vk_1, vk_2, ..., vk_N}.

Definition 6. A deniable ring signature scheme DRS = {KGen, DSig, DVer, Conf, Disa} consists of the following algorithms.
(1) Key generation algorithm KGen. Given a security parameter, output the verification-signing key pair (vk_i, sk_i) for member i. That is, (vk_i, sk_i) ← KGen( ).
(2) Ring signing algorithm DSig. Suppose member k is the signer and vk_k ∈ R. Given a message m, a signing key sk_k and the ring R, output the ring signature. That is, ( ) ← DSig(m, R; sk_k).
(3) Ring verification algorithm DVer. Given (m, ( ), R), determine the validity of the ring signature w.r.t. (m, R).
That is, 1/0 ← DVer(m, ( ), R).
(4) Confirmation Conf(m, R, ( ), vk_i). Member i (vk_i ∈ R) runs this protocol to convince any verifier that the ring signature was produced by him. During this execution, both i and the verifier input (m, R, ( ), vk_i), and i also inputs his private information sk_i. Finally, the verifier either rejects or accepts i's confirmation.
(5) Disavowal Disa(m, R, ( ), vk_i). Member i (vk_i ∈ R) runs this protocol to convince any verifier that the ring signature was not produced by him. During this execution, both i and the verifier input (m, R, ( ), vk_i), and i also inputs his private information sk_i. Finally, the verifier either rejects or accepts i's disavowal.

3.2. Oracles

We now introduce the following oracles, which will be utilized in the next sections.
O_sig(i, m, R). This is a ring signing oracle, with vk_i ∈ R. When queried, this oracle returns a ring signature DSig(m, R; sk_i).
O_cor(i). This is a corruption oracle. When queried, this oracle returns the signing key sk_i.
O_c/d(i, m, ( ), R). This is a confirmation/disavowal oracle. When queried, this oracle simulates the communication transcript between the prover (the actual signer or a non-signer) and the verifier. This oracle helps the attacker to determine the actual signer of a ring signature w.r.t. (m, R).

3.3. Security model

We now introduce the security model of DRS, as stated in [3]. This model consists of anonymity, unforgeability, traceability, and non-frameability.

Anonymity. This property requires that a distinguisher D cannot determine the signer of a ring signature even though it may query the signing, corruption, and confirmation/disavowal oracles. Formally, D receives all the verification keys {vk_i} of U from its challenger. Then, D makes queries to O_sig, O_cor, and O_c/d adaptively, and the corresponding answers are returned by its challenger. After these queries, D challenges a fresh message m*, a ring R*, and two verification keys, say vk_{i_0}, vk_{i_1} ∈ R*.
In turn, D receives a challenge ring signature ( )* ← DSig(m*, R*; sk_{i_b}) from its challenger. In this phase, the bit b ∈ {0, 1} is randomly chosen by the challenger. After receiving ( )*, D can access the aforementioned oracles except O_cor(i_b) and O_c/d(i_b, m*, ( )*, R*). Finally, D outputs a bit b'. Denote by Succ^anon(D) the event b' = b. Define Adv^anon_D( ) = |Pr[Succ^anon(D)] − 1/2|. A deniable ring signature scheme DRS satisfies anonymity if Adv^anon_D( ) is negligible.

Unforgeability. This property requires that a forger F cannot produce a ring signature on a fresh message m* on behalf of an uncorrupted ring R* even though it can access the signing, corruption, and confirmation/disavowal oracles. Formally, F receives all the verification keys {vk_i} of U from its challenger. Then, F makes queries to O_sig, O_cor, and O_c/d adaptively, and the corresponding answers are returned by its challenger. After these queries, F challenges a fresh message m* and an uncorrupted ring R*. Finally, F produces a forgery ( )* w.r.t. (m*, R*). During

this game, F is not allowed to access O_sig(·, m*, R*). F succeeds if DVer(m*, R*, ( )*) = 1. Denote the success of F by Succ^uf(F). A deniable ring signature scheme DRS satisfies unforgeability if Pr[Succ^uf(F)] is negligible.

Traceability. This property essentially means that one member of the ring R can be traced and held responsible for a consistent (i.e. verification-passing) ring signature. Formally, an adversary A receives all the verification keys {vk_i} of U from its challenger. Then, A makes queries to O_sig, O_cor and O_c/d adaptively, and the corresponding answers are returned by its challenger. After these queries, A outputs a triple (( )*, m*, R*) and plays the role of each i ∈ R* to run the disavowal protocol with its challenger. A succeeds if it succeeds in the disavowal for all i ∈ R*. Denote the success of A by Succ^tr(A). A deniable ring signature scheme DRS satisfies traceability if Pr[Succ^tr(A)] is negligible.

Non-frameability. This property means that an adversary A cannot generate a ring signature that makes an uncorrupted member appear to be the actual signer. In other words, a non-signer (uncorrupted member) can pass the disavowal protocol with overwhelming probability. Formally, A receives all the verification keys {vk_i} of U from its challenger. Then, A makes queries to O_sig, O_cor, and O_c/d adaptively, and the corresponding answers are returned by its challenger. After these queries, A outputs a triple (( )*, m*, R*) and an uncorrupted member, say vk_I ∈ R*. During this game, A cannot access O_sig(I, m*, R*). The challenger runs the disavowal protocol with A by using sk_I. A succeeds if the challenger fails in the disavowal protocol. Denote the success of A by Succ^nf(A). A deniable ring signature scheme DRS satisfies non-frameability if Pr[Succ^nf(A)] is negligible.

4.
CONSTRUCTION

We propose our concrete construction of a non-interactive deniable ring signature scheme in this section. To make the construction easier to follow, we first give a high-level description of the scheme. Then we present the concrete construction and a performance analysis, and compare our scheme with the related works.

4.1. High level

Consider a ring R = {vk_1, ..., vk_N}. Suppose a signer (whose verification key is vk_k ∈ R) wants to generate a ring signature on message m on behalf of ring R. In the first step, signer k produces a fully secure BB signature on the message m by using his signing key sk_k = (x_k, y_k) [21]: ( )_BB = g^{1/(x_k + y_k r + m)}. This signature ( )_BB cannot be committed [20] if we want to trace it. On the other hand, if ( )_BB is publicly accessible, any verifier can determine the signer of ( )_BB because of public verifiability, so anonymity cannot be achieved. The solution is to modify the verification key of member k to vk_k = (g^{x_k} ĥ^{e_k}, g^{y_k} ĥ^{d_k}), with corresponding signing key sk_k = (x_k, e_k, y_k, d_k). In other words, the new verification keys can be regarded as commitments to the verification keys of the BB signature. Thus, it is impossible to determine the consistency between ( )_BB and the verification key vk_k. Then, the signer generates a commitment C to his verification key vk_k and produces the NIWI proofs [16,17]. These proofs show that the partial signature ( )_BB is consistent with vk_k. Finally, the signer proves that the committed verification key vk_k belongs to ring R according to the sub-linear size ring signature algorithm [18]. Generally speaking, the verification key of the signer is perfectly hidden in the commitment, hence anonymity holds. Because the partial signature ( )_BB is not hidden by commitment randomness, a non-signer in ring R can disavow the generation of ( )_BB. Therefore, traceability and non-frameability are achieved.
Unforgeability holds because of the unforgeability of the BB signature.

4.2. Construction

Setup. Choose two safe primes p, q and compute n = pq. Choose two multiplicative cyclic groups G, G_T of order n and a bilinear map ê : G × G → G_T. g is a random generator of G. Choose s_1, s_2, s_3 ∈ Z_n and set h = g^{s_1}, ĥ = g^{s_2} and h̄ = g^{s_3}. Choose vk_crs ∈ G^2. H : {0, 1}^* → Z_n is a collision-free hash function. Let crs = (G, G_T, n, ê, g, h, ĥ, h̄, vk_crs, H) be the common reference string.

KGen( ). On input the security parameter, member i chooses x_i, y_i, e_i, d_i ∈ Z_n as his signing key sk_i and sets the corresponding verification key vk_i = (g^{x_i} ĥ^{e_i}, g^{y_i} ĥ^{d_i}).

DSig(m, R; sk_k). Suppose signer k wants to produce a ring signature on message m on behalf of ring R = {vk_1, ..., vk_N}. His signing algorithm is as follows:
(1) Generate a hash value on (m, R): ( ) = H(m, R).
(2) Generate a BB signature using his partial signing key (x_k, y_k): choose r ∈ Z_n and compute ( )_BB = g^{1/(x_k + y_k r + ( ))}.
(3) Produce a proof ( ) = h^{1/(x_k + y_k r + ( ))}. It is used to prevent the signer from producing a different ( )'_BB ≠ ( )_BB with (( )'_BB)^q = (( )_BB)^q.
(4) Compute C_1 = h^{r_1} by choosing r_1 ∈ Z_n.
(5) Make a BGN commitment to vk_k [20] by choosing r_2, r_3 ∈ Z_n: C_2 = g^{x_k} ĥ^{e_k} h^{r_2}, C_3 = g^{y_k} ĥ^{d_k} h^{r_3}.
(6) Produce the NIWI proofs
( )_1 = g^{(e_k + d_k r)/(x_k + y_k r + ( ))} h^{r_1 (e_k + d_k r)},
( )_2 = g^{(r_2 + r_3 r)/(x_k + y_k r + ( )) + (x_k + y_k r + ( )) r_1} h^{r_1 (r_2 + r_3 r)}.

(( )_1, ( )_2) are used to prove that ( )_BB is consistent with vk_k (committed in (C_2, C_3)). That is, (( )_BB, C_1, C_2, C_3) ∈ L_BB.
(7) Generate a NIWI proof to show that the vk_k in (C_2, C_3) belongs to ring R according to the sub-linear ring signature algorithm [18]: (C_2, C_3, (vk_crs, vk_1, ..., vk_N)) ∈ L^{N+1}_sub. The common input is (C_2, C_3, vk_crs, R); the prover's witness is (vk_k, r_2, r_3) such that C_2 = g^{x_k} ĥ^{e_k} h^{r_2}, C_3 = g^{y_k} ĥ^{d_k} h^{r_3}.
(8) The ring signature is ( ) = (r, ( )_BB, ( ), C_1, C_2, C_3, ( )_1, ( )_2, ( )).

DVer(m, R, ( )). On input (( ), R, m), the verifier first computes the hash value ( ) = H(m, R) and checks the following equations:
(1) ê(( )_BB, h) = ê(g, ( ))
(2) ê(( )_BB C_1, C_2 C_3^r g^{( )}) = ê(g, g) ê(( )_1, ĥ) ê(( )_2, h)
If the two equations hold, the verifier then checks the validity of the sub-linear ring proof. If all the verifications pass, the verifier accepts the ring signature as valid w.r.t. (m, R) and outputs 1; otherwise it outputs 0.

Confirmation protocol Conf. Suppose the actual signer (member k) wants to confirm his signing of ( ). He produces a confirmation proof ( )_c = g^{(e_k + d_k r)/(x_k + y_k r + ( ))} and publishes ( )_c. Anyone can check ê(( )_BB, g^{x_k} ĥ^{e_k} (g^{y_k} ĥ^{d_k})^r g^{( )}) = ê(g, g) ê(( )_c, ĥ) on input k's verification key vk_k = (g^{x_k} ĥ^{e_k}, g^{y_k} ĥ^{d_k}), the ring signature ( ) and (m, R). The verifier is convinced of member k's confirmation if this equation holds.

Disavowal protocol Disa. Suppose a non-signer, member j, wants to disavow the signing of ( ). On input (( ), m, R), he computes ( ) = H(m, R) and outputs a disavowal proof ( )_d = (( )_j, ( )'_j, ( )_c), where ( )_j = g^{1/(x_j + y_j r + ( ))}, ( )'_j = h̄^{1/(x_j + y_j r + ( ))} and ( )_c = g^{(e_j + d_j r)/(x_j + y_j r + ( ))}. If ê(( )_j, h̄) = ê(( )'_j, g) and ê(( )_j, g^{x_j} ĥ^{e_j} (g^{y_j} ĥ^{d_j})^r g^{( )}) = ê(g, g) ê(( )_c, ĥ) hold, so that ( )_c is valid, and ( )_j ≠ ( )_BB, the verifier accepts member j's disavowal.

Remark 1. In the ring signatures [18,22], the signer makes commitments to his standard signature and his verification key. The signer cannot be traced because the standard signature is perfectly hidden in the commitment.
Therefore, their schemes cannot be converted into deniable ring signatures. Hence, the standard signature (the BB signature) cannot be committed if we want to realize the disavowal protocol. However, the standard signature cannot be published either, for the sake of anonymity. We solve this problem by modifying the verification key of the standard signature. In this way, the consistency between the public standard signature and the verification key cannot be determined, and anonymity is not broken. On the other hand, because the standard signature is public, the non-signers can make use of it to disavow the signing by showing a different valid standard signature, so traceability and non-frameability are achieved.

Remark 2. Suppose a signer wants to violate traceability. He computes ( )'_BB = ( )_BB h^{( )} using a random exponent. Because (( )'_BB)^q = (( )_BB)^q, the malicious signer could still present a valid ring signature. When performing the disavowal protocol, he computes ( )_BB and passes the disavowal by showing ( )_BB ≠ ( )'_BB. To prevent this attack, producing the proof ( ) in DSig is necessary: it prevents a malicious signer from producing another ( )'_BB ≠ ( )_BB with (( )'_BB)^q = (( )_BB)^q.

4.3. Performance and comparison

In this section, we first analyze the performance of this construction and then compare it with the other deniable ring signatures. Because our scheme inherits from the sub-linear size ring signature [18], the signature size is O(√N), and it takes O(√N) exponentiations to complete the ring signing and O(√N) pairings to complete the ring verification (N is the number of members in the ring). In the traceability phase, our confirmation protocol requires three exponentiations and two pairings, and our disavowal protocol requires five exponentiations and four pairings (ê(g, g) is fixed and can be pre-computed). The key pairs of the members in this construction seem long: the verification key requires 2 G elements, and the signing key requires 4 Z_n elements.
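The algebra of the construction in Section 4.2 (DSig steps (2) to (6), both DVer equations, the confirmation check) and the malleability of Remark 2, as an added example that is not the paper's code or any library's. It represents every group element by its discrete logarithm to base g, so that the pairing becomes multiplication of exponents; this is possible only because the toy knows every logarithm, so it demonstrates the verification algebra, not the hardness of the scheme. The names sigma, pi, pi1, pi2, pi_c and mu are this example's own (the paper's symbols for them did not survive extraction); the primes, s1, s2, the keys and the randomness are constructed values.

```python
"""Exponent-arithmetic model of the scheme's verification equations.

Added example, not code from the paper. A group element g^a of the
composite-order group G is represented by its exponent a in Z_n, so the
group operation is addition mod n, exponentiation is multiplication mod n,
and the symmetric pairing e(g^a, g^b) = e(g, g)^{ab} is the product ab mod n
(the exponent of e(g, g)). This works only because the toy knows every
discrete logarithm; it reproduces the algebra of DVer, Conf and Remark 2,
not the hardness of the scheme. sigma, pi, pi1, pi2, pi_c and mu = H(m, R)
are this example's own names. n = p*q is tiny and chosen for readability.
"""
from math import gcd

P, Q = 1009, 1013          # toy primes (constructed); n would be an RSA modulus
N = P * Q


def inv(a, m=N):
    """Modular inverse; fails loudly if a shares a factor with m."""
    if gcd(a % m, m) != 1:
        raise ValueError("element not invertible modulo m")
    return pow(a, -1, m)


def pair(a, b):
    """e(g^a, g^b) = e(g,g)^{ab}: returns the exponent ab mod n."""
    return (a * b) % N


def projection_exponent():
    """tau with tau = 1 (mod p), tau = 0 (mod q): raising to tau projects onto G_p."""
    return (Q * inv(Q, P)) % N


def keygen(x, y, e, d, s2):
    """vk_k = (g^x hhat^e, g^y hhat^d) with hhat = g^{s2}; sk_k = (x, e, y, d)."""
    return ((x + s2 * e) % N, (y + s2 * d) % N), (x, e, y, d)


def dsig(sk, mu, r, r1, r2, r3, s1, s2):
    """Steps (2)-(6) of DSig: sigma_BB, pi, C1, C2, C3, pi1, pi2 in exponent form."""
    x, e, y, d = sk
    t = (x + y * r + mu) % N
    it = inv(t)
    sigma = it                                   # sigma_BB = g^{1/t}
    pi = (s1 * it) % N                           # pi = h^{1/t}, h = g^{s1}
    c1 = (r1 * s1) % N                           # C1 = h^{r1}
    c2 = (x + s2 * e + r2 * s1) % N              # C2 = g^x hhat^e h^{r2}
    c3 = (y + s2 * d + r3 * s1) % N              # C3 = g^y hhat^d h^{r3}
    w = (e + d * r) % N
    pi1 = (w * it + r1 * w * s1) % N             # pi1 = g^{w/t} h^{r1 w}
    u = (r2 + r3 * r) % N
    pi2 = (u * it + t * r1 + r1 * u * s1) % N    # pi2 = g^{u/t + t r1} h^{r1 u}
    return dict(sigma=sigma, pi=pi, c1=c1, c2=c2, c3=c3, pi1=pi1, pi2=pi2)


def dver(sig, mu, r, s1, s2):
    """DVer equations (1) e(sigma,h) = e(g,pi) and
    (2) e(sigma*C1, C2*C3^r*g^mu) = e(g,g) e(pi1,hhat) e(pi2,h)."""
    eq1 = pair(sig["sigma"], s1) == pair(1, sig["pi"])
    lhs = pair((sig["sigma"] + sig["c1"]) % N,
               (sig["c2"] + sig["c3"] * r + mu) % N)
    rhs = (pair(1, 1) + pair(sig["pi1"], s2) + pair(sig["pi2"], s1)) % N
    return eq1 and lhs == rhs


def confirm_proof(sk, mu, r):
    """pi_c = g^{(e + d r)/(x + y r + mu)} published by the actual signer."""
    x, e, y, d = sk
    return ((e + d * r) * inv((x + y * r + mu) % N)) % N


def confirm_check(sigma, pi_c, vk, mu, r, s2):
    """Conf: e(sigma_BB, vk1 * vk2^r * g^mu) == e(g,g) * e(pi_c, hhat)."""
    vk1, vk2 = vk
    lhs = pair(sigma, (vk1 + vk2 * r + mu) % N)
    rhs = (pair(1, 1) + pair(pi_c, s2)) % N
    return lhs == rhs


def demo():
    """Run the checks on constructed values; returns a dict of booleans."""
    s1, s2 = P * 5, 54321            # h = g^{s1} has order q (soundness setting)
    mu, r = 777, 4242                # mu = H(m, R); r is the BB randomness
    r1, r2, r3 = 11, 13, 17          # commitment randomness
    vk_k, sk_k = keygen(12345, 6789, 111, 222, s2)     # signer k
    vk_j, sk_j = keygen(99999, 31337, 333, 444, s2)    # non-signer j
    sig = dsig(sk_k, mu, r, r1, r2, r3, s1, s2)
    sigma_j = dsig(sk_j, mu, r, r1, r2, r3, s1, s2)["sigma"]
    # Remark 2: sigma' = sigma_BB * h^beta shares sigma_BB's q-th power
    sigma_mal = (sig["sigma"] + 17 * s1) % N
    tau = projection_exponent()
    return {
        "dver_ok": dver(sig, mu, r, s1, s2),
        "signer_confirms": confirm_check(sig["sigma"], confirm_proof(sk_k, mu, r), vk_k, mu, r, s2),
        "h_vanishes_in_Gp": (s1 * tau) % N == 0,
        "same_q_power": (sigma_mal * Q) % N == (sig["sigma"] * Q) % N,
        "eq1_rejects_sigma_mal": pair(sigma_mal, s1) != pair(1, sig["pi"]),
        "nonsigner_sigma_differs": sigma_j != sig["sigma"],
        "nonsigner_proves_own": confirm_check(sigma_j, confirm_proof(sk_j, mu, r), vk_j, mu, r, s2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running it prints seven booleans, all True: h = g^{s1} of order q disappears under the G_p projection exponent; the padded element of Remark 2 has the same q-th power as the genuine one, and DVer equation (1) is exactly the check that rejects it; a non-signer's own BB element for the same (r, mu) differs from the signer's yet satisfies the confirmation equation for the non-signer's key, which is the algebra the disavowal protocol relies on.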
However, the confirmation and disavowal protocols in this proposal are non-interactive, and the scheme is secure without random oracles. In comparison, the signature size in [3] is O(N), and their signing and verification algorithms each cost O(N) exponentiations. The confirmation and disavowal protocols cost 4 exponentiations. The verification key requires a G_q element, and the signing key needs a Z_q element. However, their confirmation and disavowal protocols are interactive. The signature size in [6] is constant, but the signer in [6] is required to perform N exponentiations to generate the group public key at the beginning. If the group changes frequently, this group key cannot be pre-computed. Therefore, their signing/verification also needs O(N) exponentiations, and their traceability protocols need O(N) exponentiations in this case. The verification key in [6] is an RSA composite n, and the signing key is the corresponding factorization p and q. The confirmation/disavowal protocol is non-interactive. For the scheme in [12], the signature size is O(N), and the signing and verification algorithms need O(N) scalar multiplications. The computation in their confirmation and disavowal protocols is only constant. Their key size is the same as in [3], and the confirmation/disavowal protocol is non-interactive. The schemes in [3,6] and [12] are only secure in the random oracle model. Table I summarizes the comparison of the four deniable ring signatures in costs, key sizes, and security.

Table I. Comparison between [3,6,12] and our scheme.

Schemes | Signature size | (vk_i, sk_i) | DSig    | DVer    | Conf  | Disa  | Interactive | ROM
[3]     | O(N)           | (G_p, Z_p)   | O(N)e   | O(N)e   | (4)e  | (4)e  | Yes         | Yes
[6]     | O(1)           | (Z_n, 2Z_p)  | O(N)e   | O(N)e   | O(N)e | O(N)e | No          | Yes
[12]    | O(N)           | (G_p, Z_p)   | O(N)m   | O(N)m   | 3p+6e | 3p+7e | No          | Yes
Ours    | O(√N)          | (2G, 4Z_n)   | O(√N)e  | O(√N)p  | 2p+3e | 4p+5e | No          | No

p: pairing; e: exponentiations; m: scalar multiplications; ( ): security parameter; N: size of ring R.

5. SECURITY

A secure deniable ring signature should achieve anonymity, unforgeability, traceability, and non-frameability [3]. In this section, we give formal proofs that our construction satisfies the four properties without random oracles.

Anonymity. Generally speaking, anonymity states that no one can determine the actual signer of a given ring signature ( )* even with access to the O_c/d, O_sig and O_cor oracles. Suppose the challenge members (verification keys) are (vk_0, vk_1) ∈ R*. During this game, only O_cor(b) and O_c/d(b, m*, ( )*, R*) for b = 0, 1 cannot be queried.

Theorem 2. The proposal satisfies anonymity if the 2 -PR-DDHI assumption holds in G.

Proof. When h has order n, the commitments (to the verification key vk_k) are perfectly hiding, and the NIWI proofs are perfectly witness-indistinguishable. Thus, the ring signature except ( )_BB cannot leak the identity of the signer. The following shows that the attacker also cannot break anonymity from ( )_BB. Suppose D is a distinguisher that violates the anonymity of our scheme. Given the target verification keys vk_0, vk_1, D should output a bit b'.
The bit $b$ is the hidden bit of the formal anonymity model. Let $vk_0 = (g^{x_0}\hat{h}^{e_0}, g^{y_0}\hat{h}^{d_0})$ and $vk_1 = (g^{x_1}\hat{h}^{e_1}, g^{y_1}\hat{h}^{d_1})$. Our proof uses the sequence-of-games technique. Let $G_0$ be the real anonymity game except that $b$ is fixed to 1. We then revise $G_0$ into a sequence of games $G_1, G_2, G_3$ ($b$ is fixed to 0 in $G_3$) and show that the distance between neighbouring games is negligible. For each $i \in \{0, 1, 2, 3\}$ let $\mathrm{View}(G_i, D)$ be the view of $D$ in $G_i$, which determines $D$'s output, let $E(G_i)$ be the event that $D$ outputs 1 in $G_i$, and set $p_i = \Pr[E(G_i)]$. Note that $p_0 = \Pr[b' = 1 \mid b = 1]$, $p_3 = \Pr[b' = 1 \mid b = 0]$ and $\mathrm{Adv}^{anon}_D(\lambda) = |p_0 - p_3|$.

Game $G_1$. We revise $G_0$ to $G_1$ so that, when $D$ makes its challenge query, it is returned a random group element $rand$ instead of the BB signature $\sigma_{BB} = g^{1/(x_1 + y_1 r + \mu)}$. We claim $|p_0 - p_1| \le \epsilon(\lambda)$.

Lemma 1. $|p_0 - p_1| \le \epsilon(\lambda)$, where $\epsilon(\lambda)$ is the probability of breaking the 2-PR-DDHI assumption in $G$.

Proof. We argue that $\mathrm{View}(G_0, D)$ and $\mathrm{View}(G_1, D)$ differ only in the value returned in place of $\sigma_{BB}$. In game $G_1$ the challenger randomly chooses $\bar{x}$ and sets $rand = g^{\bar{x}}$; to make the simulation in $G_1$ perfect, it uses the trapdoor $\bar{x}$ to simulate the challenge ring signature. First, the challenger outputs $crs = (G, G_T, n, \hat{e}, g, h, \hat{h}, \tilde{h}, vk_{crs}, H)$ as in the real environment, except that it simulates $vk_{crs,1} = g^{\bar{x}}\hat{h}^{e}$ and $vk_{crs,2} = \hat{h}^{d}$ for randomly chosen $e, d$. Upon $D$'s challenge $(m^*, R^*)$ with $(vk_0, vk_1) \in R^*$, the challenger outputs $\sigma^*_{BB} = (rand)^{1/(\bar{x}\mu^* + 1)}$, where $\mu^* = H(m^*, R^*)$ (in $G_0$, $D$ is instead returned $\sigma^*_{BB} = g^{1/(x_1 + y_1 r^* + \mu^*)}$ from the BB signing oracle). The challenger then produces $\phi^*$, the proof component for $\sigma^*_{BB}$, using $s = \log_g h$; it generates $C^*_1$ normally with a random value $r_1$ and produces BGN commitments $C^*_2, C^*_3$ to $vk_{crs,1}, vk_{crs,2}$ with random values $r_2, r_3$ respectively. After that it outputs $\Sigma^*_1 = (\sigma^*_{BB})^{e + d r^*}\, h^{r_1(e + d r^*)}$ for a randomly chosen $r^*$, and computes $\Sigma^*_2$ analogously from $\sigma^*_{BB}$, $\bar{x}$, $g^{\mu^*}$, $r_1$, $r_2$, $r_3$ and $r^*$. Finally, the challenger generates a NIWI proof $\pi^*$ that $(C^*_2, C^*_3, vk_{crs}, R^*) \in L^{N+1}_{sub}$; its witness is $(vk_{crs}, r_2, r_3)$ such that $C^*_2 = vk_{crs,1} h^{r_2}$ and $C^*_3 = vk_{crs,2} h^{r_3}$. By the witness indistinguishability of $\pi^*$, $D$ cannot tell this proof apart from one produced in $G_0$. Since $\mathrm{View}(G_0, D)$ and $\mathrm{View}(G_1, D)$ are otherwise identical, the distance $|p_0 - p_1|$ arises only from $D$ distinguishing a random value from the output of the BB signing oracle. Therefore $|p_0 - p_1| \le \epsilon(\lambda)$ if the 2-PR-DDHI assumption holds.

Game $G_2$. We revise $G_1$ to $G_2$ such that $b$ is fixed to 0.

Lemma 2. $|p_1 - p_2| = 0$.

Proof. Neither $x_0$ nor $x_1$ is used to answer the challenge query in $G_1$ or $G_2$; therefore $\mathrm{View}(G_1, D) = \mathrm{View}(G_2, D)$ and $|p_1 - p_2| = 0$.

Game $G_3$. We revise $G_2$ to $G_3$ so that, when $D$ makes its challenge query, it is returned the BB signature $\sigma^*_{BB} = g^{1/(x_0 + y_0 r^* + \mu^*)}$ instead of a random value.

Lemma 3. $|p_2 - p_3| \le \epsilon(\lambda)$, where $\epsilon(\lambda)$ is the probability of breaking the 2-PR-DDHI assumption in $G$.

Proof. In game $G_3$ the challenger simulates the ring signing oracle normally, using the real BB signature $\sigma^*_{BB} = g^{1/(x_0 + y_0 r^* + \mu^*)}$. Note that $\Sigma^*_1$ is simulated using $s = \log_g h$ and $\Sigma^*_2$ is simulated using $e_0$ and $d_0$, so the simulation is perfect. Hence the only difference between $\mathrm{View}(G_2, D)$ and $\mathrm{View}(G_3, D)$ is again a random value versus a BB signature, and $|p_2 - p_3| \le \epsilon(\lambda)$ holds if the 2-PR-DDHI assumption is true.

Collecting Lemmas 1 to 3, $\mathrm{Adv}^{anon}_D(\lambda) = |p_0 - p_3| \le 2\epsilon(\lambda) = \mathrm{negl}(\lambda)$, which completes the proof.

Unforgeability. Unforgeability requires that nobody can forge a signature $\sigma^*$ on a message $m^*$ on behalf of an uncorrupted ring $R^*$. According to the security model, the attacker may access $\mathcal{O}_{cor}$, $\mathcal{O}_{sig}$ and $\mathcal{O}_{c/d}$, except for $\mathcal{O}_{cor}(i)$ with $vk_i \in R^*$ and $\mathcal{O}_{sig}(\cdot, m^*, R^*)$. This property reduces to the unforgeability of the BB signature, which relies on the SDH assumption in $G_p$. Formally:

Theorem 3. The proposal satisfies unforgeability if the BB signature scheme is unforgeable and the subgroup decision assumption holds.

Proof. Suppose $F$ is a forger who violates the unforgeability of our scheme. $C$ is $F$'s challenger, whose goal is to forge a BB signature. $C$ is given $(G, n, p, q, G_p, G_q, \gamma, h)$, where $G$ is a group of order $n = pq$ with $p, q$ prime, $G_p$ and $G_q$ are the subgroups of $G$ of order $p$ and $q$ respectively, $\gamma \in G_p$ and $h \in G_q$. $C$ is also given a BB verification key $(u_1, u_2)$ in $G_p$.

Setup. $C$ picks $s, \hat{u}, \tilde{u} \in \mathbb{Z}_q$ and sets $g = \gamma h^{s}$, $\hat{h} = h^{\hat{u}}$, $\tilde{h} = h^{\tilde{u}}$. $G_T$ is a multiplicative group of order $n$, and $\hat{e}: G \times G \to G_T$ is a bilinear map. $C$ randomly chooses $vk_{crs} \in G^2$, and $H: \{0,1\}^* \to \mathbb{Z}_n$ is a collision-free hash function. $C$ gives $crs = (G, G_T, n, \hat{e}, g, h, \hat{h}, \tilde{h}, vk_{crs}, H)$ to $F$. By the subgroup decision assumption, this $crs$ is indistinguishable from a real one in $F$'s view.

KGen($1^\lambda$). $C$ randomly chooses an index $i^*$ with $vk_{i^*} \in U$, where $U = \{vk_i\}_i$ is the set of all generated verification keys. For each $i \ne i^*$, $C$ picks $x_i, y_i, e_i, d_i \in \mathbb{Z}_n$ and sets $sk_i = (x_i, y_i, e_i, d_i)$ and $vk_i = (g^{x_i}\hat{h}^{e_i}, g^{y_i}\hat{h}^{d_i})$. For $i = i^*$, $C$ picks $t_1, t_2 \in \mathbb{Z}_q$ and sets $vk_{i^*} = (u_1\hat{h}^{t_1}, u_2\hat{h}^{t_2})$. Note that $sk_{i^*}$ is the only signing key unknown to $C$, and $C$'s goal is to produce a forgery on behalf of member $i^*$. $C$ publishes $\{vk_i\}_i$ and answers $F$'s queries as follows.

$\mathcal{O}_{cor}(i)$: if $i = i^*$, $C$ aborts; otherwise $C$ returns $(x_i, y_i, e_i, d_i)$ to $F$.

$\mathcal{O}_{sig}(i, m, R)$: if $i \ne i^*$, $C$ produces the ring signature normally with $sk_i = (x_i, y_i, e_i, d_i)$, i.e. $\mathrm{DSig}(m, R; sk_i)$. If $i = i^*$, $C$ simulates the oracle as follows:
(1) ask its own BB signing oracle on $vk_{i^*}$ for $\mu = H(m, R)$ and receive the BB signature $(\hat{\sigma} \in G_p, r)$ from its challenger;
(2) check whether $\hat{e}(\hat{\sigma}, u_1 u_2^{r}\gamma^{\mu}) = \hat{e}(\gamma, \gamma)$ holds; if not, abort, otherwise continue;
(3) choose $t_0 \in \mathbb{Z}_q$ and compute $\sigma_{BB} = \hat{\sigma}\hat{h}^{t_0} \in G_p G_q$;
(4) compute $\phi = h^{s t_0}$;
(5) choose $r_1, r_2, r_3 \in \mathbb{Z}_q$ and compute $C_1 = h^{r_1}$, $C_2 = u_1\hat{h}^{t_1}h^{r_2}$, $C_3 = u_2\hat{h}^{t_2}h^{r_3}$;
(6) compute $\Sigma_1 = h^{(t_0 + r_1)(t_1 + t_2 r)}$ and $\Sigma_2 = h^{(t_0 + r_1)(r_2 + r_3 r + s) - s^2}$;
(7) produce $\pi$ with the witness $vk_{i^*} = (u_1\hat{h}^{t_1}, u_2\hat{h}^{t_2})$ according to [18]; $\pi$ is a NIWI proof that $vk_{i^*} \in R$.
$C$'s answer to $\mathcal{O}_{sig}(i^*, m, R)$ is $\sigma = (r, \sigma_{BB}, \phi, C_1, C_2, C_3, \Sigma_1, \Sigma_2, \pi)$.

Recall from elementary number theory that any cyclic group $G$ of order $n = pq$ decomposes as $G = G_p \times G_q$. The crucial point is that $\hat{e}(a, b) = 1$ whenever $a \in G_p$ and $b \in G_q$, so for all $a_1, a_2 \in G_p$ and $b_1, b_2 \in G_q$ we have $\hat{e}(a_1 b_1, a_2 b_2) = \hat{e}(a_1, a_2)\,\hat{e}(b_1, b_2)$. We apply this property in the ring signing simulation above.

$\mathcal{O}_{c/d}(i, m, R, \sigma)$: if $i \ne i^*$, $C$ produces $c/d$, $\Psi_i$ and $\psi_i$ using $sk_i = (x_i, y_i, e_i, d_i)$. If $i = i^*$, then upon $(\sigma, m, R)$, $C$ computes $\mu = H(m, R)$, produces $\Psi_i = \hat{h}^{t_0}$, $\psi_i = h^{s t_0 \tilde{u}}$ and $c = h^{t_0(t_1 + t_2 r) + (t_0 s - s^2)\hat{u}}$, and returns $d = (\Psi_i, \psi_i, c)$.

At the end of the game, $F$ outputs a forgery $\sigma^* = (r^*, \sigma^*_{BB}, \phi^*, C^*_1, C^*_2, C^*_3, \Sigma^*_1, \Sigma^*_2, \pi^*)$ on message $m^*$ on behalf of ring $R^*$. If $i^* \notin R^*$, $C$ aborts. Otherwise $C$ extracts $\sigma^*_{BB}$. Because $\sigma^*$ is a valid forgery, $\sigma^*_{BB}$ must be consistent with some verification key, say $vk_i \in R^*$. Therefore $C$ knows that

$$\hat{e}\big(\sigma^*_{BB} C^*_1,\; C^*_2 (C^*_3)^{r^*} g^{\mu^*}\big) = \hat{e}(g, g)\,\hat{e}(\Sigma^*_1, \hat{h})\,\hat{e}(\Sigma^*_2, h)$$
holds, where $\mu^* = H(m^*, R^*)$. Choose $\alpha$ such that $\alpha \equiv 1 \pmod p$ and $\alpha \equiv 0 \pmod q$, and raise both sides to the power $\alpha$. Since $C^*_1$, $\Sigma^*_1$, $\Sigma^*_2$, $\hat{h}$, $h$ and the $h$-parts of $C^*_2$ and $C^*_3$ all lie in $G_q$, they vanish, while the $G_p$ components are unchanged because $\alpha \equiv 1 \pmod p$. When $vk_i = vk_{i^*} = (u_1\hat{h}^{t_1}, u_2\hat{h}^{t_2})$, using $g = \gamma h^{s}$ we obtain
$$\hat{e}\big((\sigma^*_{BB})^{\alpha},\; u_1 u_2^{r^*}\gamma^{\mu^*}\big) = \hat{e}(\gamma, \gamma).$$
That is, $(\sigma^*_{BB})^{\alpha}$ satisfies the BB verification equation: it is a valid forgery on message $H(m^*, R^*)$ with respect to the verification key $(u_1, u_2)$. $C$ succeeds whenever $i = i^*$; since $i^*$ was chosen uniformly from $U$ and is hidden from $F$, $C$ succeeds with probability at least $\epsilon_F / |U|$, where $\epsilon_F$ is the probability that $F$ wins the unforgeability game.

Traceability. This property requires that, for a consistent ring signature, one member of $R$ must be traceable; in other words, this member cannot pass the disavowal protocol.

Theorem 4. If the NIWI proofs are sound, the proposal satisfies traceability.

Proof. Upon $(\sigma, m, R)$ there must exist a member, say $vk_k \in R$, who cannot pass the disavowal protocol. This proceeds in two steps.
1. $\sigma$ must be consistent with $vk_k$. Because $\Sigma_1, \Sigma_2$ are sound NIWI proofs for $(\sigma_{BB}, C_1, C_2, C_3) \in L_{BB}$, $\sigma_{BB}$ must be consistent with the verification key $vk_k$ committed in $(C_2, C_3)$. On the other hand, $\pi$ is a valid NIWI proof, so $vk_k \in R$ holds.
2. If $\sigma_{BB}$ is consistent with $vk_k$, then $M_k$ cannot pass the disavowal protocol. Otherwise $M_k$ outputs some $\sigma'_{BB} \ne \sigma_{BB}$ that passes
$$\hat{e}\big(\sigma'_{BB},\; g^{x_k}\hat{h}^{e_k}\,(g^{y_k}\hat{h}^{d_k})^{r} g^{\mu}\big) = \hat{e}(g, g)\,\hat{e}(c, \hat{h}).$$
Because $\hat{h}$ lies in $G_q$, choose $\alpha$ with $\alpha \equiv 1 \pmod p$ and $\alpha \equiv 0 \pmod q$ and raise both sides to the power $\alpha$. Writing $z_p = z^{\alpha}$ for the $G_p$ component of $z \in G$ (raising to $q$ instead gives the same components up to the bijection $z \mapsto z^q$ on $G_p$), this yields
$$\hat{e}\big(\sigma'_p,\; g_p^{x_k}\, g_p^{y_k r}\, g_p^{\mu}\big) = \hat{e}(g_p, g_p).$$
That means $\sigma'_p = (\sigma'_{BB})^{\alpha}$ is $M_k$'s BB signature on $(r, \mu)$ in $G_p$. On the other hand, $\sigma_{BB}$ is also a valid BB signature of $M_k$ on $(r, \mu)$, and $(\sigma_{BB})^{\alpha}$ is its projection onto $G_p$.
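The subgroup projection used in the unforgeability reduction and in step 2 of this proof (raising to $\alpha \equiv 1 \pmod p$, $\alpha \equiv 0 \pmod q$ to strip the $G_q$ component) can be checked concretely. The following Python script is an added example, not code from the paper: it builds a toy cyclic group of composite order $n = pq$ inside $\mathbb{Z}_P^*$ (there is no pairing), creates a BB-style signature $\hat{\sigma} = g_p^{1/(x + yr + \mu)}$ in $G_p$, blinds it with a $G_q$ factor $\hat{h}^{t_0}$ exactly as in step (3) of the signing simulation, and shows that $(\sigma_{BB})^{\alpha}$ recovers $\hat{\sigma}$. Without a pairing, the BB check is performed in its secret-key form $\sigma^{x + yr + \mu} = g_p$, which is the relation the public equation $\hat{e}(\sigma, u_1 u_2^{r}\gamma^{\mu}) = \hat{e}(\gamma, \gamma)$ verifies; the primes, keys, nonce and hash value below are constructed toy values.

```python
"""Subgroup projection in a composite-order cyclic group (added example)."""
# Constructed toy parameters: a cyclic group of order n = p*q realised as the
# order-n subgroup of Z_P^* (P prime, n | P-1). There is no pairing here; the
# BB check below is the secret-key form of the pairing equation.


def is_prime(m: int) -> bool:
    """Deterministic trial division; enough for the toy sizes used here."""
    if m < 2:
        return False
    if m % 2 == 0:
        return m == 2
    d = 3
    while d * d <= m:
        if m % d == 0:
            return False
        d += 2
    return True


def make_group(p: int, q: int):
    """Return (P, g): P prime with n = p*q dividing P-1, g of exact order n."""
    n = p * q
    P = n + 1
    while not is_prime(P):
        P += n
    cofactor = (P - 1) // n
    for a in range(2, P):
        g = pow(a, cofactor, P)                  # order of g divides n
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:
            return P, g                          # order is neither 1, p nor q, so n
    raise ValueError("no generator found")


def crt_idempotent(p: int, q: int) -> int:
    """alpha with alpha = 1 (mod p) and alpha = 0 (mod q), as in the proofs."""
    alpha = q * pow(q, -1, p)
    assert alpha % p == 1 and alpha % q == 0
    return alpha


def project_to_Gp(x: int, alpha: int, P: int) -> int:
    """x^alpha keeps the G_p component of x and kills the G_q component."""
    return pow(x, alpha, P)


def bb_sign(g_p: int, x: int, y: int, r: int, mu: int, p: int, P: int) -> int:
    """BB-style signature in G_p: g_p^{1/(x + y*r + mu)}, exponents mod p."""
    denom = (x + y * r + mu) % p
    if denom == 0:
        raise ValueError("degenerate (r, mu); pick another nonce")
    return pow(g_p, pow(denom, -1, p), P)


def bb_check_with_sk(sigma, x, y, r, mu, g_p, p, P) -> bool:
    """Secret-key stand-in for e(sigma, u1 * u2^r * gamma^mu) == e(gamma, gamma)."""
    return pow(sigma, (x + y * r + mu) % p, P) == g_p


def demo(p: int = 1009, q: int = 1013) -> dict:
    """Blind a G_p signature with a G_q factor, then project it back."""
    P, g = make_group(p, q)
    alpha = crt_idempotent(p, q)
    g_p, g_q = pow(g, q, P), pow(g, p, P)        # generators of G_p and G_q
    # Toy signer key in G_p; hat_h is a G_q element used as the blinder.
    x, y, hat_h = 123, 456, pow(g_q, 77, P)
    r, mu = 321, 654                             # mu plays the role of H(m, R)
    sigma_hat = bb_sign(g_p, x, y, r, mu, p, P)
    # Simulation step (3): sigma_BB = sigma_hat * hat_h^{t0}, an element of G_p*G_q.
    t0 = 99
    sigma_bb = sigma_hat * pow(hat_h, t0, P) % P
    recovered = project_to_Gp(sigma_bb, alpha, P)
    other = project_to_Gp(sigma_hat * pow(hat_h, t0 + 1, P) % P, alpha,
                          P)                     # a different G_q blinding
    return {
        "P": P,
        "blinded_passes": bb_check_with_sk(sigma_bb, x, y, r, mu, g_p, p, P),
        "projection_equals_sigma_hat": recovered == sigma_hat,
        "projection_passes": bb_check_with_sk(recovered, x, y, r, mu, g_p, p, P),
        # Raising to q also lands in G_p, up to the bijection z -> z^q on G_p.
        "q_power_consistent": pow(sigma_bb, q, P) == pow(sigma_hat, q, P),
        # Different G_q blindings are invisible after projection.
        "other_blinding_same_projection": other == recovered,
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns a dictionary of checks: the blinded element fails the $G_p$ check, its $\alpha$-projection passes and equals $\hat{\sigma}$, raising to $q$ agrees with the projection up to the fixed bijection $z \mapsto z^q$, and two different $G_q$ blindings project to the same element, which is why the disavowal argument compares $G_p$ components only.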
Hence the $G_p$ projections of $\sigma'_{BB}$ and $\sigma_{BB}$ coincide, but $\sigma_{BB} \ne \sigma'_{BB}$, which is a contradiction.

Non-frameability. This property requires that an attacker cannot frame an uncorrupted member, say $M_i$, as the actual signer of a ring signature $\sigma$ that $M_i$ did not produce. Because $\sigma$ is valid, $\sigma_{BB}$ must be consistent with one verification key committed in $(C_2, C_3)$. If the uncorrupted member $M_i$ is framed, he does not pass the disavowal protocol, i.e. $\Psi_i = \sigma_{BB}$ holds, which implies that $\sigma_{BB}$ is a valid signature on behalf of $M_i$. Because $M_i$ did not generate $\sigma$ and $M_i$ is not corrupted, $\sigma_{BB}$ is a valid forgery. Therefore non-frameability reduces to the unforgeability of the BB signature.

6. CONCLUSION

We propose an efficient non-interactive deniable ring signature scheme. The construction preserves the anonymity of the signer when there is no dispute; the signer can use the confirmation protocol to confirm his signing, and the disavowal protocol is used to trace a malicious signer. Moreover, the traceability protocols are non-interactive, and the scheme is secure without random oracles.

ACKNOWLEDGEMENTS

The authors would like to thank the anonymous referees for their valuable comments. This work is supported by NSFC, Government Basic Research Support for Universities (No. ZYGX200X05), the Fundamental Research Funds for the Central Universities (No. ZYGX20J068), and the Opening Project of Shanghai Key Laboratory of Integrate Administration Technologies for Information Security (No. AGK200007).

REFERENCES

1. Rivest RL, Shamir A, Tauman Y. How to leak a secret. In Proceedings of ASIACRYPT, LNCS. Springer-Verlag: Berlin, 2001.
2. Chaum D, van Heyst E. Group signatures. In Proceedings of Eurocrypt, LNCS 547. Springer-Verlag: Berlin, 1991.
3. Komano Y, Ohta K, Shimbo A, Kawamura S. Toward the fair anonymous signatures: deniable ring signatures. In Proceedings of CT-RSA, LNCS. Springer-Verlag: Berlin, 2006.
4. Chaum D, van Antwerpen H. Undeniable signatures. In Proceedings of Crypto, LNCS 435. Springer-Verlag: Berlin, 1989.
5. Chaum D. Zero-knowledge undeniable signatures. In Proceedings of Eurocrypt, LNCS 473. Springer-Verlag: Berlin, 1990.
6. Wu Q, Susilo W, Mu Y, Zhang F. Ad hoc group signatures. In Proceedings of IWSEC, LNCS. Springer-Verlag: Berlin, 2006.
7. Benaloh J, de Mare M. One-way accumulators: a decentralized alternative to digital signatures. In Proceedings of Eurocrypt, LNCS 765. Springer-Verlag: Berlin, 1993.
8. Camenisch J, Michels M. A group signature scheme based on an RSA variant. In Proceedings of Asiacrypt, LNCS 1514. Springer-Verlag: Berlin, 1998.
9. Liu D, Liu J, Mu Y, Susilo W, Wong D. Revocable ring signature. Journal of Computer Science and Technology 2007; 22(6).
10. Fujisaki E, Suzuki K. Traceable ring signature. In Proceedings of PKC, LNCS. Springer-Verlag: Berlin, 2007.
11. Fujisaki E. Sub-linear size traceable ring signatures without random oracles. In Proceedings of CT-RSA, LNCS. Springer-Verlag: Berlin, 2011.
12. Zeng S, Jiang S, Qin Z. A new conditionally anonymous ring signature. In Proceedings of COCOON, LNCS. Springer-Verlag: Berlin, 2011.
13. Zeng S, Jiang S, Qin Z. An efficient conditionally anonymous ring signature in the random oracle model. Theoretical Computer Science 2012; 461: 106-114, Elsevier.
14. Zeng S, Jiang S. A new framework for conditionally anonymous ring signature. The Computer Journal 2013, Oxford University Press, DOI: 10.1093/comjnl/bxt
15. Canetti R, Goldreich O, Halevi S. The random oracle methodology. In Proceedings of STOC. ACM: New York, 1998.
16. Groth J, Ostrovsky R, Sahai A. Perfect non-interactive zero knowledge for NP. In Proceedings of Eurocrypt, LNCS. Springer-Verlag: Berlin, 2006.
17. Groth J, Sahai A. Efficient non-interactive proof systems for bilinear groups. In Proceedings of Eurocrypt, LNCS. Springer-Verlag: Berlin, 2008.
18. Chandran N, Groth J, Sahai A. Ring signatures of sublinear size without random oracles. In Proceedings of ICALP, LNCS. Springer-Verlag: Berlin, 2007.
19. Zeng S, Qin Z, Lu Q, Li Q. Efficient and random oracle-free conditionally anonymous ring signature. In Proceedings of ProvSec, LNCS. Springer-Verlag: Berlin, 2012.
20. Boneh D, Goh E, Nissim K. Evaluating 2-DNF formulas on ciphertexts. In Proceedings of TCC, LNCS. Springer-Verlag: Berlin, 2005.
21. Boneh D, Boyen X. Short signatures without random oracles. In Proceedings of Eurocrypt, LNCS. Springer-Verlag: Berlin, 2004.
22. Shacham H, Waters B. Efficient ring signatures without random oracles. In Proceedings of PKC, LNCS. Springer-Verlag: Berlin, 2007.


More information

The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes

The Gap-Problems: a New Class of Problems for the Security of Cryptographic Schemes Proceedings of the 2001 International Workshop on Practice and Theory in Public Key Cryptography (PKC 2001) (13 15 february 2001, Cheju Islands, South Korea) K. Kim Ed. Springer-Verlag, LNCS 1992, pages

More information

A Strong Identity Based Key-Insulated Cryptosystem

A Strong Identity Based Key-Insulated Cryptosystem A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China

More information

Foundations of Cryptography

Foundations of Cryptography - 111 - Foundations of Cryptography Notes of lecture No. 10B & 11 (given on June 11 & 18, 1989) taken by Sergio Rajsbaum Summary In this lecture we define unforgeable digital signatures and present such

More information

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors

Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Communication-Efficient Non-Interactive Proofs of Knowledge with Online Extractors Marc Fischlin Institute for Theoretical Computer Science, ETH Zürich, Switzerland marc.fischlin @ inf.ethz.ch http://www.fischlin.de/

More information

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing

An Efficient ID-based Digital Signature with Message Recovery Based on Pairing An Efficient ID-based Digital Signature with Message Recovery Based on Pairing Raylin Tso, Chunxiang Gu, Takeshi Okamoto, and Eiji Okamoto Department of Risk Engineering Graduate School of Systems and

More information

A Direct Anonymous Attestation Scheme for Embedded Devices

A Direct Anonymous Attestation Scheme for Embedded Devices A Direct Anonymous Attestation Scheme for Embedded Devices He Ge 1 and Stephen R. Tate 2 1 Microsoft Corporation, One Microsoft Way, Redmond 98005 hege@microsoft.com 2 Department of Computer Science and

More information

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model) Hovav Shacham UC San Diego and UT Austin Abstract. A signature scheme is unique if for every public key and

More information

Short Signatures From Diffie-Hellman: Realizing Short Public Key

Short Signatures From Diffie-Hellman: Realizing Short Public Key Short Signatures From Diffie-Hellman: Realizing Short Public Key Jae Hong Seo Department of Mathematics, Myongji University Yongin, Republic of Korea jaehongseo@mju.ac.kr Abstract. Efficient signature

More information

The Cramer-Shoup Strong-RSA Signature Scheme Revisited

The Cramer-Shoup Strong-RSA Signature Scheme Revisited The Cramer-Shoup Strong-RSA Signature Scheme Revisited Marc Fischlin Johann Wolfgang Goethe-University Frankfurt am Main, Germany marc @ mi.informatik.uni-frankfurt.de http://www.mi.informatik.uni-frankfurt.de/

More information

New Constructions of Convertible Undeniable Signature Schemes without Random Oracles

New Constructions of Convertible Undeniable Signature Schemes without Random Oracles New Constructions of Convertible Undeniable Signature Schemes without Random Oracles Qiong Huang Duncan S. Wong Abstract In Undeniable Signature, a signature s validity can only be confirmed or disavowed

More information

Boneh-Franklin Identity Based Encryption Revisited

Boneh-Franklin Identity Based Encryption Revisited Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl

More information

Unique Signature with Short Output from CDH Assumption

Unique Signature with Short Output from CDH Assumption Unique Signature with Short Output from CDH Assumption Shiuan-Tzuo Shen, Amir Rezapour, and Wen-Guey Tzeng Department of Computer Science, National Chiao Tung University, Hsinchu, Taiwan {vink,rezapour,wgtzeng}@cs.nctu.edu.tw

More information

Identity Based Undeniable Signatures

Identity Based Undeniable Signatures Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.

More information

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies

Cryptographic e-cash. Jan Camenisch. IBM Research ibm.biz/jancamenisch. IACR Summerschool Blockchain Technologies IACR Summerschool Blockchain Technologies Cryptographic e-cash Jan Camenisch IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch ecash scenario & requirements Bank Withdrawal User Spend Deposit Merchant

More information

Pairing-Based Cryptography An Introduction

Pairing-Based Cryptography An Introduction ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used

More information

Efficient Identity-based Encryption Without Random Oracles

Efficient Identity-based Encryption Without Random Oracles Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random

More information

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle

An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle An Efficient Transform from Sigma Protocols to NIZK with a CRS and Non-Programmable Random Oracle Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel lindell@biu.ac.il September 6, 2015

More information

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 2: Program Obfuscation - II April 1, 2009 Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]

More information

Concurrent Signatures

Concurrent Signatures Concurrent Signatures Liqun Chen 1, Caroline Kudla 2, and Kenneth G. Paterson 2 1 Hewlett-Packard Laboratories, Bristol, UK liqun.chen@hp.com 2 Information Security Group Royal Holloway, University of

More information

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction

More information

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version) Michael Backes 1,3, Lucjan Hanzlik 2,3, Kamil Kluczniak 4, and Jonas Schneider 2,3 1 CISPA Helmholtz

More information

Pairing-Based Identification Schemes

Pairing-Based Identification Schemes Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings

More information

G Advanced Cryptography April 10th, Lecture 11

G Advanced Cryptography April 10th, Lecture 11 G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems

More information

Universal Undeniable Signatures

Universal Undeniable Signatures Universal Undeniable Signatures Huafei Zhu Department of Information Science and Electronics Engineering, Zhejiang University, Yuquan Campus, Hangzhou, 310027, PR. China E-mail: zhuhf@zju.edu.cn Abstract.

More information

Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings

Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings Efficient and Provably Secure Trapdoor-free Group Signature Schemes from Bilinear Pairings Lan Nguyen and Rei Safavi-Naini School of Information Technology and Computer Science University of Wollongong,

More information

3-Move Undeniable Signature Scheme

3-Move Undeniable Signature Scheme 3-Move Undeniable Signature Scheme Kaoru Kurosawa 1 and Swee-Huay Heng 2 1 Ibaraki University, 4-12-1 Nakanarusawa, Hitachi, Ibaraki 316-8511, Japan kurosawa@cis.ibaraki.ac.jp 2 Multimedia University,

More information

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,

More information

PAIRING-BASED IDENTIFICATION SCHEMES

PAIRING-BASED IDENTIFICATION SCHEMES PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.

More information

Interactive Zero-Knowledge with Restricted Random Oracles

Interactive Zero-Knowledge with Restricted Random Oracles Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu

More information

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION

AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Serdica J. Computing 3 (2009), 309 38 AN OBSERVATION ABOUT VARIATIONS OF THE DIFFIE-HELLMAN ASSUMPTION Raghav Bhaskar, Karthekeyan Chandrasekaran, Satyanaryana V. Lokam, Peter L. Montgomery, Ramarathnam

More information

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions

Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,

More information

Provable Security Proofs and their Interpretation in the Real World

Provable Security Proofs and their Interpretation in the Real World Provable Security Proofs and their Interpretation in the Real World Vikram Singh Abstract This paper analyses provable security proofs, using the EDL signature scheme as its case study, and interprets

More information

Efficient linkable and/or threshold ring signature without random oracles

Efficient linkable and/or threshold ring signature without random oracles University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Efficient linkable and/or threshold ring signature

More information

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols

More information

Short and Stateless Signatures from the RSA Assumption

Short and Stateless Signatures from the RSA Assumption Short and Stateless Signatures from the RSA Assumption Susan Hohenberger 1, and Brent Waters 2, 1 Johns Hopkins University, susan@cs.jhu.edu 2 University of Texas at Austin, bwaters@cs.utexas.edu Abstract.

More information

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Available online at  J. Math. Comput. Sci. 6 (2016), No. 3, ISSN: Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR

More information

Digital Signatures from Challenge-Divided Σ-Protocols

Digital Signatures from Challenge-Divided Σ-Protocols Digital Signatures from Challenge-Divided Σ-Protocols Andrew C. Yao Yunlei Zhao Abstract Digital signature is one of the basic primitives in cryptography. A common paradigm of obtaining signatures, known

More information

Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps

Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps Verifier-Local Revocation Group Signature Schemes with Backward Unlinkability from Bilinear Maps Toru Nakanishi and Nobuo Funabiki Department of Communication Network Engineering, Okayama University, 3-1-1

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information

Efficient Group Signatures without Trapdoors

Efficient Group Signatures without Trapdoors Efficient Group Signatures without Trapdoors Giuseppe Ateniese and Breno de Medeiros The Johns Hopkins University Department of Computer Science Baltimore, MD 21218, USA ateniese@cs.jhu.edu, breno.demedeiros@acm.org

More information

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from Lecture 14 More on Digital Signatures and Variants COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Setting the Stage We will cover in more depth some issues for

More information

Provable security. Michel Abdalla

Provable security. Michel Abdalla Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information