# Anti-Quantum Lattice-Based Ring Signature Scheme and Applications in VANETs


## Abstract


## 1. Introduction

#### 1.1. Related Works

#### 1.2. Motivation

#### 1.3. Our Contribution

1. Combining lattice-based cryptography with ring signatures, we construct a secure lattice-based ring signature scheme in the random oracle model. The proposed scheme satisfies unconditional anonymity and unforgeability; its unforgeability is reduced to the hardness of the small integer solution (SIS) problem on lattices.
2. Our scheme provides unconditional anonymity for ring members and guarantees that signatures cannot be forged.
3. We give a detailed performance analysis and describe applications of our scheme in VANETs. The results show that our scheme outperforms existing schemes while satisfying the security requirements of VANETs.

#### 1.4. Outline

## 2. Preliminaries

#### 2.1. Notations

#### 2.2. Lattices and Lattice Problems

#### 2.3. Hard Problems for q-ary Lattices

**Definition 1.**

**Lemma 1.**

**Lemma 2.**

**Lemma 3.**

#### 2.4. Chameleon Hash Function

## 3. System Models

#### 3.1. Basic Model

#### 3.2. Threat Model

Anonymity game between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$:

1. $\mathcal{A}$ creates a group of public parameters $\mathcal{P}=(L,n,m,q)$, a ring $R=(pk_{1},\dots ,pk_{n})$, two secret keys $(sk_{i_{0}},sk_{i_{1}})$, and a message $\mu$.
2. $\mathcal{A}$ is permitted to make ring-signing queries and corruption queries. For a ring-signing query, $\mathcal{C}$ responds with $\sigma_{L}(\mu)=Sign(pk_{s},sk_{s},R,\mu)$. For a corruption query on the signer with index $s$, $\mathcal{C}$ returns $sk_{s}$ to $\mathcal{A}$.
3. $\mathcal{A}$ requests a challenge from $\mathcal{C}$ with the values $(i_{0},i_{1},R,\mu)$. $\mathcal{C}$ computes two challenge signatures, $\sigma_{i_{0}}=Ring\text{-}sign(\mathcal{P},sk_{i_{0}},R,\mu)$ and $\sigma_{i_{1}}=Ring\text{-}sign(\mathcal{P},sk_{i_{1}},R,\mu)$, and responds to $\mathcal{A}$ with $\sigma_{i_{0}}$ and $\sigma_{i_{1}}$.
4. $\mathcal{A}$ outputs a guess $b'$ and wins the game if $b'=b$.

Unforgeability game (with insider corruption) between $\mathcal{A}$ and $\mathcal{C}$:

1. $\mathcal{A}$ creates a group of public parameters $\mathcal{P}=(L,n,m,q)$, a ring $R=(pk_{1},\dots ,pk_{n})$, two secret keys $(sk_{i_{0}},sk_{i_{1}})$, and a message $\mu$.
2. $\mathcal{A}$ is permitted to make ring-signing queries and corruption queries. For a ring-signing query, $\mathcal{C}$ responds with $\sigma_{L}(\mu)=Sign(pk_{s},sk_{s},R,\mu)$. For a corruption query on the signer with index $s$, $\mathcal{C}$ returns $sk_{s}$ to $\mathcal{A}$.
3. $\mathcal{A}$ sends the result $(R,\mu^{*},\sigma_{L}(\mu)^{*})$ to the challenger, and $\mathcal{A}$ is considered successful if $Sign\text{-}Verify(R,\mu^{*},\sigma_{L}(\mu)^{*})=1$, where $\mu^{*}\notin \mu$, i.e., $\mu^{*}$ was never submitted to a ring-signing query.

## 4. The Proposed Scheme Description

**Algorithm 1** KeyGen algorithm

Input: A security parameter $\lambda$
Output: The public parameters $\mathcal{P}$

1. Let $L=\{1,2,\dots ,n\}$ and let $q$ be a prime number;
2. Define three sets $D_{\sigma_{1}}^{m},D_{\sigma_{2}}^{m},D_{\sigma_{3}}^{m}$, a hash function $h:\{0,1\}^{*}\to \{v:v\in \{-1,0,1\}^{n},\Vert v\Vert_{1}\le \kappa\}$, and a nearly injective mapping $F:\{0,1\}^{\kappa}\to \mathbb{B}_{2q}^{n}$;
3. Set $\widehat{A}=(A_{1},A_{2},\dots ,A_{n})$, $A_{i}\in \mathbb{Z}_{2q}^{n\times m}$ and $\widehat{S}=(S_{1},S_{2},\dots ,S_{n})$, $S_{i}\in \mathbb{Z}_{2q}^{m\times n}$ such that $A_{i}S_{i}=qI_{n} \bmod 2q$;
4. Set $(pk,sk)=(\widehat{A},\widehat{S})$;
5. Output $\mathcal{P}=(L,pk,h,F,n,m,q)$.

1. For all $i\in L$, calculate $h_{i}=x_{i}+A_{i}k_{i} \bmod 2q$, where $L=\{1,2,\dots ,n\}$.
2. Calculate $e=(\sum_{i\in L}h_{i} \bmod 2q,\mu)$ and $\tilde{e}=F(e)$.
3. Pick a random bit $b\in \{0,1\}$ and calculate $s_{j}=y_{j}+k_{j}+(-1)^{b}S_{j}\tilde{e}$ for the signer's index $i=j$.
4. For $i\ne j$, compute $s_{i}=y_{i}+k_{i} \bmod 2q$.
5. Publish $\sigma_{L}(\mu)=(\{s_{i}\}_{i\in L=\{1,2,\dots ,n\}},e)$.

**Algorithm 2** Ring-signing algorithm

Input: A message $\mu$, a long-term key $S_{j}$, public keys $\widehat{A}=(A_{1},A_{2},\dots ,A_{n})$
Output: The signature $\sigma_{L}(\mu)$

1. Calculate $h_{i}=x_{i}+A_{i}k_{i} \bmod 2q$, $x_{i}=A_{i}y_{i} \bmod 2q$, where $i\in L=\{1,2,\dots ,n\}$;
2. Calculate $e=(\sum_{i\in L}h_{i} \bmod 2q,\mu)$ and $\tilde{e}=F(e)$;
3. For $i\in L=\{1,2,\dots ,n\}$ and $i\ne j$, compute $s_{i}=y_{i}+k_{i} \bmod 2q$;
4. Pick $b\in \{0,1\}$; compute $s_{j}=y_{j}+k_{j}+(-1)^{b}S_{j}\tilde{e}$, where $i=j$;
5. Continue with the next step with probability $\dfrac{1}{M\exp\left(-\frac{\Vert S_{j}\cdot e\Vert^{2}}{2\sigma^{2}}\right)\cosh\left(\frac{\langle s_{j},S_{j}\cdot e\rangle}{\sigma^{2}}\right)}$; otherwise restart;
6. Output $\sigma_{L}(\mu)=(\{s_{i}\}_{i\in L=\{1,2,\dots ,n\}},e)$.

1. $s_{i}\leftarrow D_{\sigma_{3}}^{m}$
2. $e=(\sum_{i\in L}A_{i}s_{i}+q\tilde{e} \bmod 2q,\mu)$

**Algorithm 3** Ring-verify algorithm

Input: The signature $\sigma_{L}(\mu)$; public keys $\widehat{A}=(A_{1},A_{2},\dots ,A_{n})$
Output: Accept or Reject

1. If $s_{i}\leftarrow D_{\sigma_{3}}^{m}$, then continue;
2. else if $\Vert s_{i}\Vert_{2}\le B_{2}$, then continue;
3. else if $\Vert s_{i}\Vert_{\infty}\le q/4$, then continue;
4. else if $e=(\sum_{i\in L}A_{i}s_{i}+q\tilde{e} \bmod 2q,\mu)$, then Accept, else Reject;
5. Output Accept or Reject.
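The following toy implementation of Algorithms 1–3 is added here for illustration and is not code from the paper. It assumes the BLISS-style key construction $A=(2A'\,|\,qI_{n}-2A'S')$, $S=(S';I_{n})$ (which gives $A_{i}S_{i}=qI_{n} \bmod 2q$, matching the relation used in Section 7), takes $F$ as the identity, samples $y_{i},k_{i}$ uniformly from a small range instead of discrete Gaussians, omits the rejection-sampling step 5 and the $B_{2}$ bound, and uses tiny constructed parameters ($n=16$, $m=32$, $q=257$). It shows the cancellation that makes verification succeed for either value of the bit $b$, and that a forged norm bound or a changed message is rejected.

```python
import hashlib
import random
n, m, q = 16, 32, 257   # toy sizes constructed for this example (paper: n=512, q=2^25)
Q2 = 2 * q              # Algorithms 1-3 work over Z_{2q}
KAPPA, B = 3, 20        # hash weight kappa; y_i, k_i drawn uniformly from [-B, B] here

def matvec(A, v):
    """A (n x m) times v (length m), reduced mod 2q."""
    return [sum(a * b for a, b in zip(row, v)) % Q2 for row in A]

def hash_to_sparse(vec, msg):
    """h: {0,1}* -> {v in {-1,0,1}^n : ||v||_1 <= kappa}, instantiated with SHA-256 (assumed)."""
    d = hashlib.sha256(repr(vec).encode() + b"|" + msg).digest()
    v = [0] * n
    for t in range(KAPPA):
        v[d[2 * t] % n] = 1 if d[2 * t + 1] & 1 else -1
    return v

def keygen(rng):
    """(A_i, S_i) with A_i S_i = q I_n mod 2q: A = (2A' | qI - 2A'S'), S = (S'; I), S' small."""
    k = m - n
    Ap = [[rng.randrange(q) for _ in range(k)] for _ in range(n)]
    Sp = [[rng.choice((-1, 0, 1)) for _ in range(n)] for _ in range(k)]
    ApSp = [[sum(Ap[r][t] * Sp[t][c] for t in range(k)) for c in range(n)] for r in range(n)]
    A = [[2 * Ap[r][c] for c in range(k)]
         + [(q * (r == c) - 2 * ApSp[r][c]) % Q2 for c in range(n)] for r in range(n)]
    S = Sp + [[int(r == c) for c in range(n)] for r in range(n)]
    return A, S

def key_relation_holds(A, S):
    """Check A S = q I_n mod 2q, one column of S at a time."""
    cols = [[S[r][c] for r in range(m)] for c in range(n)]
    return all(matvec(A, cols[c]) == [q * (r == c) for r in range(n)] for c in range(n))

def ring_sign(pks, j, S_j, msg, rng):
    """Algorithm 2 without step 5 (rejection sampling); F is taken as the identity."""
    ys = [[rng.randint(-B, B) for _ in range(m)] for _ in pks]
    ks = [[rng.randint(-B, B) for _ in range(m)] for _ in pks]
    h_sum = [0] * n
    for A, y, k in zip(pks, ys, ks):                 # h_i = x_i + A_i k_i = A_i (y_i + k_i)
        h_sum = [(a + b) % Q2 for a, b in zip(h_sum, matvec(A, [u + w for u, w in zip(y, k)]))]
    e = hash_to_sparse(h_sum, msg)                   # e = h(sum h_i mod 2q, mu); e~ = F(e) = e
    sign = (-1) ** rng.randrange(2)                  # the random bit b
    ss = [[u + w for u, w in zip(y, k)] for y, k in zip(ys, ks)]   # s_i = y_i + k_i, all i
    S_e = [sum(row[c] * e[c] for c in range(n)) for row in S_j]     # S_j e~
    ss[j] = [v + sign * w for v, w in zip(ss[j], S_e)]             # s_j = y_j + k_j + (-1)^b S_j e~
    return ss, e

def ring_verify(pks, msg, sig):
    """Algorithm 3: ||s_i||_inf <= q/4, then e == h(sum A_i s_i + q e~ mod 2q, mu)."""
    ss, e = sig
    if len(ss) != len(pks) or any(abs(v) > q // 4 for s in ss for v in s):
        return False
    acc = [(q * t) % Q2 for t in e]                  # q e~ (equals -q e~ mod 2q)
    for A, s in zip(pks, ss):
        acc = [(a + b) % Q2 for a, b in zip(acc, matvec(A, s))]
    return hash_to_sparse(acc, msg) == e
```

Because $(-1)^{b}q\tilde{e}\equiv q\tilde{e} \pmod{2q}$, the verifier's sum $\sum A_{i}s_{i}+q\tilde{e}$ collapses to $\sum h_{i}$ without learning $b$ or $j$, which is the property the rejection-sampling step then hides statistically.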

**Theorem 1.**

**Proof.**

## 5. Correctness and Security Analysis

#### 5.1. Correctness
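Correctness of Algorithm 3 against Algorithm 2, worked through here as an added derivation in the paper's notation (not text from the paper). Using $x_{i}=A_{i}y_{i}$, $h_{i}=A_{i}(y_{i}+k_{i}) \bmod 2q$ and $A_{j}S_{j}=qI_{n} \bmod 2q$:

$$
\sum_{i\in L}A_{i}s_{i}
=\sum_{i\ne j}A_{i}(y_{i}+k_{i})+A_{j}\bigl(y_{j}+k_{j}+(-1)^{b}S_{j}\tilde{e}\bigr)
=\sum_{i\in L}h_{i}+(-1)^{b}(A_{j}S_{j})\tilde{e}
\equiv\sum_{i\in L}h_{i}+(-1)^{b}q\tilde{e}\pmod{2q}.
$$

Since $q\tilde{e}\equiv -q\tilde{e}\pmod{2q}$ (their difference $2q\tilde{e}$ vanishes modulo $2q$), the sign $(-1)^{b}$ is irrelevant, and adding the term $q\tilde{e}$ that the verifier supplies gives

$$
\sum_{i\in L}A_{i}s_{i}+q\tilde{e}\equiv\sum_{i\in L}h_{i}+2q\tilde{e}\equiv\sum_{i\in L}h_{i}\pmod{2q},
$$

so the verifier recomputes exactly $e=(\sum_{i\in L}h_{i} \bmod 2q,\mu)$ and step 4 of Algorithm 3 accepts an honestly generated signature for either value of $b$.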

#### 5.2. Security Analysis

**Lemma 4.**

**Proof.**

**Theorem 2.**

**Proof.**

1. For all $i\in L=\{1,2,\dots ,n\}$, calculate $h_{i}=x_{i}+A_{i}k_{i} \bmod 2q$ with $x_{i}=A_{i}y_{i} \bmod 2q$.
2. Calculate $e=(\sum_{i\in L}h_{i} \bmod 2q,\mu)$ and $\tilde{e}=F(e)$.
3. Pick a random bit $b\in \{0,1\}$ and calculate $s_{j}=y_{j}+k_{j}+(-1)^{b}S_{j}\tilde{e}$ for the signer's index $i=j$.
4. For $i\ne j$, compute $s_{i}=y_{i}+k_{i} \bmod 2q$.
5. Publish $\sigma_{L}(\mu)=(\{s_{i}\}_{i\in L=\{1,2,\dots ,n\}},e)$.

**Theorem 3 (Unforgeability).** Our ring signature scheme is unforgeable under insider corruption, assuming that the SIS problem is hard.

**Proof.**

## 6. Performance Evaluation

#### 6.1. Parameter Selection

#### 6.2. Efficiency Analysis

#### 6.3. Performance Comparison

## 7. Sharper Ring Signatures

1. Set $S_{q,j}^{T}\in R_{q}^{(m-1)\times 1}$ and $S_{2q,j}^{T}=(S_{q,j}^{T},1)\in R_{2q}^{m\times 1}$ such that $A_{2q,i}S_{2q,i}=q$.
2. For all $i\in L$, calculate $h_{i}=x_{i}+A_{2q,i}y_{i} \bmod 2q$, where $L=\{1,2,\dots ,m\}$.
3. Calculate $e=(\lfloor \sum_{i\in L}h_{i}\rfloor_{d},\mu)$, where $\lfloor \sum_{i\in L}h_{i}\rfloor_{d}$ denotes the high-order bits of $\sum_{i\in L}h_{i}$.
4. Calculate $\tilde{e}\leftarrow F(e)$.
5. Pick a random bit $b\in \{0,1\}$ and calculate $s_{j}=y_{j}+k_{j}+(-1)^{b}S_{2q,j}\tilde{e}$ for the signer's index $i=j$.
6. For $i\ne j$, compute $s_{i}=y_{i}+k_{i} \bmod 2q$.
7. Publish $\sigma_{L}(\mu)=(\{s_{i}\}_{i\in L=\{1,2,\dots ,n\}},e)$.

1. $s_{i}\leftarrow D_{\sigma_{3}}^{m}$
2. $e=(\lfloor \sum_{i\in L}A_{2q,i}s_{i}+q\tilde{e}\rfloor_{d},\mu)$

## 8. Applications in VANETs

#### 8.1. Experimental Simulation

#### 8.2. Simulation Results

## 9. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

1. Chaum, D.; Van Heyst, E. Group Signatures. In Eurocrypt; Cramer, R., Ed.; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3494, pp. 457–473.
2. Rivest, R.; Shamir, A.; Tauman, Y. How to Leak a Secret. In Advances in Cryptology—ASIACRYPT 2001; Laboratory for Computer Science, Massachusetts Institute of Technology: Cambridge, MA, USA, 2001.
3. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available online: https://bitcoin.org/bitcoin.pdf (accessed on 10 September 2021).
4. Gentry, C.; Peikert, C.; Vaikuntanathan, V. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing STOC'08, Victoria, BC, Canada, 17–20 May 2008; pp. 197–206.
5. Buchmann, J.; Lindner, R.; Rückert, M.; Schneider, M. Post-quantum cryptography: Lattice signatures. Computing **2009**, 86, 105–125.
6. Boyen, X. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. In Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2010; pp. 499–517.
7. Brakerski, Z.; Kalai, Y.T. A framework for efficient signatures, ring signatures and identity-based encryption in the standard model. IACR Cryptol. ePrint Arch. **2010**, 2010, 86.
8. Liu, J.K.; Au, M.H.; Susilo, W.; Zhou, J. Linkable ring signature with unconditional anonymity. IEEE Trans. Knowl. Data Eng. **2014**, 26, 157–165.
9. Duan, J.; Gu, L.; Zheng, S. ARCT: An efficient aggregating ring confidential transaction protocol in blockchain. IEEE Access **2020**, 8, 198118–198130.
10. Jia, H.; Tang, C.; Zhang, Y. Lattice-based logarithmic-size non-interactive deniable ring signatures. Entropy **2021**, 23, 980.
11. Wang, Z.; Tang, D.; Yang, H.; Li, F. A public key encryption scheme based on a new variant of LWE with small cipher size. J. Syst. Archit. **2021**, 117, 102165.
12. Xiang, X.Y.; Li, H.; Wang, M.Y.; Zhao, X.W. Efficient multi-party concurrent signature from lattices. Inf. Process. Lett. **2016**, 116, 497–502.
13. Wang, S.; Zhao, R. Lattice-based ring signature scheme under the random oracle model. Int. J. High-Perform. Comput. Netw. **2018**, 11, 332–341.
14. Torres, A.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Kuchta, V.; Bhattacharjee, N.; Au, M.H.; Cheng, J. Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (Lattice RingCT v1.0). In Proceedings of the Australasian Conference on Information Security and Privacy, Wollongong, Australia, 11–13 July 2018; Volume 2018, p. 379. Available online: http://eprint.iacr.org/2018/379.pdf (accessed on 10 September 2021).
15. Torres, W.A.; Kuchta, V.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Cheng, J. Lattice RingCT v2.0 with multiple input and multiple output wallets. IACR Cryptol. ePrint Arch. **2019**, 2019, 569.
16. Cui, Y.; Cao, L.; Zhang, X.; Zeng, G. Ring signature based on lattice and VANET privacy preservation. Chin. J. Comput. **2017**, 40, 1–14.
17. Liu, J.; Yu, Y.; Jia, J.; Wang, S.; Fan, P.; Wang, H.; Zhang, H. Lattice-based double-authentication-preventing ring signature for security and privacy in vehicular ad-hoc networks. Tsinghua Sci. Technol. **2019**, 24, 575–584.
18. Esgin, M.F.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Liu, D. Short lattice-based one-out-of-many proofs and applications to ring signatures. In Applied Cryptography and Network Security—ACNS 2019; Springer: Cham, Germany, 2019; pp. 67–88.
19. Groth, J.; Kohlweiss, M. One-out-of-many proofs: Or how to leak a secret and spend a coin. In Advances in Cryptology—EUROCRYPT 2015, Part II; Springer: Berlin/Heidelberg, Germany, 2015; pp. 253–280.
20. Langlois, A.; Stehlé, D. Worst-case to average-case reductions for module lattices. Des. Codes Cryptogr. **2015**, 75, 565–599.
21. Feng, H.; Liu, J.; Li, D.; Li, Y.-N.; Wu, Q. Traceable ring signatures: General framework and post-quantum security. Des. Codes Cryptogr. **2021**, 89, 1111–1145.
22. Ajtai, M. Determinism versus non-determinism for linear time RAMs (extended abstract). In Proceedings of the 31st Annual ACM Symposium on Theory of Computing, Atlanta, GA, USA, 1–4 May 1999; ACM Press: New York City, NY, USA, 1999; pp. 632–641.
23. Micciancio, D.; Regev, O. Worst-case to average-case reductions based on Gaussian measures. In Proceedings of the 45th Annual Symposium on Foundations of Computer Science, Rome, Italy, 17–19 October 2004; IEEE Computer Society Press: Piscataway, NJ, USA, 2004; pp. 372–381.
24. Lyubashevsky, V. Lattice signatures without trapdoors. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, 15–19 April 2012; Springer: Berlin/Heidelberg, Germany, 2012.
25. Zhang, Y.; Liu, Y.; Guo, Y.; Zheng, S.; Wang, L. Adaptively secure efficient (H)IBE over ideal lattice with short parameters. Entropy **2020**, 22, 1247.
26. Ducas, L.; Durmus, A.; Lepoint, T.; Lyubashevsky, V. Lattice signatures and bimodal Gaussians. In Advances in Cryptology—CRYPTO 2013; Springer: Berlin/Heidelberg, Germany, 2013; Volume 8042, pp. 40–56.
27. Mundhe, P.; Yadav, V.K.; Verma, S.; Venkatesan, S. Efficient lattice-based ring signature for message authentication in VANETs. IEEE Syst. J. **2020**, 14, 5463–5474.
28. Han, L.; Cao, S.; Yang, X.; Zhang, Z. Privacy protection of VANET based on traceable ring signature on ideal lattice. IEEE Access **2020**, 8, 206581–206591.
29. Cai, Y.; Zhang, H.; Fang, Y. A conditional privacy protection scheme based on ring signcryption for vehicular ad hoc networks. IEEE Internet Things J. **2021**, 8, 647–656.
30. Cao, J.; Yu, P.; Xiang, X.; Ma, M.; Li, H. Anti-quantum fast authentication and data transmission scheme for massive devices in 5G NB-IoT system. IEEE Internet Things J. **2019**, 6, 9794–9805.
31. Secure Hash Standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995. Available online: http://csrc.nist.gov/publications/fips/fips1802/fips180-2.pdf (accessed on 20 July 2018).

Parameter | Description | Sample
---|---|---
$n$ | Polynomial ring degree | 512
$q$ | Large prime | $2^{25}$
$m$ | Polynomial ring size | 6
$\lambda$ | Security parameter | 100
$\delta$ | Hermite factor | 1.007
$\kappa$ | Random oracle weight | 14
$\eta$ | Correctness | 1.1
$\sigma_{1}=12\sqrt{\kappa}$ | Rejection sampling | 45
$M_{1}$ | Rejection sampling | 1.0027
$\sigma_{2}=12\eta\sigma_{1}\sqrt{m\kappa}$ | Gaussian standard deviation | $2^{12.5}$
$M_{2}$ | Rejection sampling | 1.0027
$\sigma_{3}=12\eta\sigma_{2}\sqrt{m}$ | Gaussian standard deviation | $2^{17.5}$
$M_{3}$ | Rejection sampling | 1.0027
Public key size | $n^{2}m\log 2q$ | 4992 KB
Secret key size | $n^{2}m\log 2q$ | 4992 KB
Signature size | $nm\log(12\sigma)$ | 672 KB

Security Level (bits) | Signature Size (KB)
---|---
100 | 672
128 | 684
256 | 768
512 | 825

Schemes | Ring-Sign Costs | Ring-Verify Costs | Signature Length
---|---|---|---
Cui et al. [16] | $5nT_{mult}+T_{h}$ | $5nT_{mult}+T_{n}$ | $2(n+1)m$
Liu et al. [17] | $2nT_{mult}+nT_{h}$ | $2nT_{mult}+nT_{h}$ | $(n+1)m$
Mundhe et al. [27] | $(3n+1)T_{mult}+2T_{h}$ | $2nT_{mult}+2T_{h}$ | $(n+1)m$
Feng et al. [21] scheme 1 | $nT_{mult}+T_{n}+2T_{h}$ | $nT_{mult}+T_{n}+2T_{h}$ | $(n+1)m$
Feng et al. [21] scheme 2 | $3nT_{mult}+T_{n}+2T_{h}$ | $3nT_{mult}+T_{n}+2T_{h}$ | $(n+1)m$
Han et al. [28] | $4nT_{mult}+2T_{h}$ | $4nT_{mult}+2T_{h}$ | $(n+1)m$
Ours | $(2n-1)T_{mult}+2T_{h}$ | $(n+1)T_{mult}+2T_{h}$ | $nm+\kappa$ ($\kappa\le m$)

Schemes | Unconditional Anonymity | Strong Unforgeability | Message Integrity
---|---|---|---
Wang et al. [11] | No | Yes | Yes
Cui et al. [16] | No | No | Yes
Liu et al. [17] | No | No | Yes
Mundhe et al. [27] | Yes | No | Yes
Feng et al. [21] | No | No | Yes
Han et al. [28] | Yes | Yes | Yes
Cai et al. [29] | No | No | Yes
Ours | Yes | Yes | Yes

Parameter | Value
---|---
Speed of vehicle | 20 km/h
Transmission range | 100 m
Time interval | 2 s
MAC type | IEEE 802.11p
Number of lanes | 4


© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Jiao, C.; Xiang, X.
Anti-Quantum Lattice-Based Ring Signature Scheme and Applications in VANETs. *Entropy* **2021**, *23*, 1364.
https://doi.org/10.3390/e23101364


**Chicago/Turabian Style**

Jiao, Chunhong, and Xinyin Xiang.
2021. "Anti-Quantum Lattice-Based Ring Signature Scheme and Applications in VANETs" *Entropy* 23, no. 10: 1364.
https://doi.org/10.3390/e23101364