A Novel Linkable Ring Signature on Ideal Lattices

Round 1

Reviewer 1 Report

In this paper, the authors propose the novel linkable ring signature (LRS) on ideal lattices and claim that LRS has a linkability property. 

The LRS scheme designed in this paper successfully achieves the contribution they claim and proposes a complete security analysis for anonymity, unforgeability, and linkability, in addition, this paper also proposes the comparison of LRS and other signature schemes in the efficient analysis section. Here are some recommendations:

 

1. It is recommended to introduce the settings of the security game in the security model section.

2. In line 46, "for any..." may be an inaccurate description after comparing it with the following mathematical formula. It is suggested that some adjustments can be made to this definition.

3. In this paper, some mathematical symbols may be misused, such as the description of \mathbb{D} in Table 1, where the index may be n-1, and in line 118, l and 1 are sometimes misused. It is recommended that the notation of this paper can be checked a little more.

 

Author Response

Reviewers' comments and our corresponding replies are given as follows.

Reviewer #1: In this paper, the authors propose the novel linkable ring signature (LRS) on ideal lattices and claim that LRS has a linkability property. 

The LRS scheme designed in this paper successfully achieves the contribution they claim and proposes a complete security analysis for anonymity, unforgeability, and linkability, in addition, this paper also proposes the comparison of LRS and other signature schemes in the efficient analysis section. Here are some recommendations:

1. It is recommended to introduce the settings of the security game in the security model section.

Reply: Definition 5, Definition 6 and Definition 7 have been modified into the security game model. After the modification, the original Theorem 2 becomes Theorem 3, and the original Theorem 3 becomes Theorem 2.

2. In line 46, "for any..." may be an inaccurate description after comparing it with the following mathematical formula. It is suggested that some adjustments can be made to this definition.

Reply: Detailed modifications have been made in Definition 1.

3. In this paper, some mathematical symbols may be misused, such as the description of \mathbb{D} in Table 1, where the index may be n-1, and in line 118, l and 1 are sometimes misused. It is recommended that the notation of this paper can be checked a little more.

Reply: It has been checked and modified in full text, and the modified parts are marked in yellow. We have carefully checked and revised our manuscript for the notations. 

Author Response File: Author Response.docx

Reviewer 2 Report

This article is about the linkable ring signature (LRS) on ideal lattices.

 

I find the topic interesting and topical. However, a few points require comments from the authors:

1) The Introduction could be extended significantly. Also, you should rethink the structure of the article. I mainly mean creating a Related work section with a detailed description of similar works. Also, definitions 5-7 would perhaps fit better in the Preliminaries section.

2) There are typos in the text, e.g., Collision Problem in definition 2.

3) References are quite old. I suggest updating them. This also involves paying attention to similar works in the literature and discussing them.

4) A practical dimension of the presented algorithms in the form of a part devoted to Implementation and Evaluation would be useful.

5) Table 3 shows a comparison with other algorithms in three criteria (Quantum-resistance, Deniability, and Linkability). In my opinion, these LRS results require additional commentary. The more so that the text does not directly discuss, for example, criterion 1 and why the proposed algorithm meets this criterion.

Author Response

Reviewers' comments and our corresponding replies are given as follows.

Reviewer #2: I find the topic interesting and topical. However, a few points require comments from the authors:

• The Introduction could be extended significantly. Also, you should rethink the structure of the article. I mainly mean creating a related work section with a detailed description of similar works. Also, Definitions 5-7 would perhaps fit better in the Preliminaries section.

Reply: The introduction has been expanded and some more related works have been described. Definition 5, Definition 6 and Definition 7 have been modified.

• There are typos in the text, e.g., Collision Problem in Definition 2.

Reply: We have carefully checked and revised our manuscript for these typos and grammatical errors.

• References are quite old. I suggest updating them. This also involves paying attention to similar works in the literature and discussing them.

Reply: A up-to-date literature is added and compared in the revised article. The added paper is as follows:

[15] Ye, Q.; Wang, M.; Meng, H. Efficient Linkable Ring Signature Scheme over NTRU Lattice with Unconditional Anonymity. Computational Intelligence and Neuroscience 2022, 2022, 1-14.

• A practical dimension of the presented algorithms in the form of a part devoted to Implementation and Evaluation would be useful.

Reply: Table 3 is added for the comparison of the time complexity. In the revised article, the original Table 3 has become Table 4. The discussion content added after our modification is as follows.

In Table 3, m is the number of the components of a polynomial vector and l is the number of the ring members. When we calculate the time complexity, some lightweight operations (hash function and random number selection) have not been considered. We mainly calculates the time cost of the polynomial multiplication (T_Mul) and polynomial inversion (T_Inv). The runtime of the discrete Gaussian sampling algorithm, the rejection sampling algorithm, the trapdoor generation algorithm and the SamplePre algorithm [15] are represented by T_Sd, T_Rs, T_Trap and T_Sam, respectively. In [15], T_Sam, T_Sam, T_Sd and T_R are used for keypair and the signature. From Table 3, we may conclude that the signature cost and the verification cost in our scheme are smaller than the scheme in [3], and the keypair cost is smaller than the scheme in [3, 23].

• Table 3 shows a comparison with other algorithms in three criteria (Quantum-resistance, Deniability, and Linkability). In my opinion, these LRS results require additional commentary. The more so that the text does not directly discuss, for example, criterion 1 and why the proposed algorithm meets this criterion.

Reply: The more discussion is given and the revised content is as follows.

Table 4 shows the comparison of our signature scheme with the other four schemes in terms of their functionality. The deniable ring signature can prove that the ring member has not signed the signature when it is necessary. The linkable ring signature can determine whether two signatures are the signatures signed by the same signer in the ring member. Both the deniable ring signature and the linkable ring signature are the ring signatures with special properties, which can be applied to special real situations. From Table 4, we may conclude that LRS and YQ [15] are linkable and secure for quantum attack.

Round 2

Reviewer 2 Report

Thanks to the authors for their answers. I still have a note about typos - they still appear in the text, e.g. Collision Problom.