1. Introduction
Electronic voting is a hot topic in information security today. Compared with traditional election methods, electronic voting is fairer, safer, more efficient, and more convenient, and it can also save a lot of material and human resources. The most basic requirements of electronic voting are to ensure the anonymity of the voter's identity, the fairness of the ballot-casting cycle, the authentication of the voter's identity, and the correctness of the election results. Researchers have put a lot of effort into the theory of electronic voting and the design of voting schemes, but there are still many shortcomings in ensuring the anonymity of the voters' identity against quantum computers [1]-[10].
In 2001, the notion of ring signature was first reported by Rivest et al. [11]. Since then, ring signatures have been used in many fields, such as anonymous electronic voting, anonymous identity verification, and blockchain. So far, cryptographers have proposed many ring signature schemes [12]-[26]. Most of these schemes are built on large integer prime factorization [11],[14],[17], discrete logarithm problems [12],[13] and bilinear pairing [15],[16],[18],[19],[21]. However, the large integer prime factorization problem and the discrete logarithm problem can be solved by Shor's quantum algorithm in polynomial time [27]. Lattice ciphers are considered to be the most promising cryptographic primitives in the post-quantum era and have attracted widespread attention. The design of lattice-based cipher schemes has become a hot topic [28]-[47]. The random oracle model (ROM) and the standard model (SM) are the two security levels of digital signatures. Some cryptographers believe that signature schemes under SM are easier to apply in engineering than those under ROM. Many lattice-based ring signature schemes have been designed by cryptographers recently [40]-[47]. However, these signatures [40]-[47] have some shortcomings: the length of the verification key is too large or the anonymity of the ring signature scheme cannot be guaranteed. Therefore, constructing a lattice-based ring signature with a short verification key under SM is an issue that needs to be solved urgently.
Related Works
In 2010, the first ring signature under SM was constructed by Brakerski et al. [22]. The hash-and-sign mode [19] was used in this scheme, and the security of the scheme is analyzed under the small integer solution (SIS) problem. But the signature length of the scheme is big. In the same year, a lattice-based ring signature under SM with a verification key length of (2𝑘𝑘 + 𝑁𝑁)𝑚𝑚𝑚𝑚log𝑞𝑞 was reported by Wang et al. [23]. The bonsai trees model [36] was used in this scheme, which reduces the length of the verification key. In 2011, Wang et al. [24] reported two ring signatures under the hash-and-sign mode [19] using the lattice basis delegation technique [36]-[37]. One is a ring signature with a verification key length of 𝑁𝑁𝑁𝑁𝑁𝑁log𝑞𝑞 under ROM, and the other is a ring signature with a verification key length of (𝑁𝑁 + 𝑑𝑑)𝑚𝑚𝑚𝑚log𝑞𝑞 under SM. Although the second ring signature had a shorter signature size than Brakerski et al.’s scheme [22], the verification key length is still big. In 2016, the extended split-SIS problem was reported by Gao et al. They reported a ring signature scheme based on the extended split-SIS problem with a shorter public key size [40]. But their scheme was constructed under ROM and cannot be well applied in practice. In 2018, a lattice-based identity-based ring signature was reported by Zhao et al., which solved the problem that traditional ring signatures need to rely on digital certificates, but this scheme is constructed under ROM and cannot be well applied in practice [41]. In the same year, Wang and Zhao used the Fiat-Shamir framework to design a ring signature without trapdoors under ROM [25]. Although their scheme is very efficient, the public key is still large, and the storage cost is high. In 2019, by using the extended split-SIS problem [40], a ring signature scheme under SM was reported by Gao et al. [42], but the verification key of their scheme is still too big, which incurs a large storage cost.
In the same year, a lattice-based non-interactive deniable ring signature was reported by Gao et al. [43]. When there is a malicious signer, this scheme can reveal the actual signer and protect the legal rights of other signers. However, the signature size of this scheme is too large, which requires a lot of storage. At the same time, it is constructed under ROM, which reduces the security of the scheme. A lattice-based ring signature that supports stealth addresses was designed by Liu et al. [44]. The security and privacy requirements in cryptocurrencies can be captured by this scheme. But it is constructed under ROM and cannot be used well in practice. A linkable ring signature was reported by Lu et al., which could solve the unlinkable problem of signatures created by the same signer but did not provide good proof of security [45]. In 2020, Zhao et al. used some algebraic structures on the ideal lattice and MP12 trapdoor derivation technology to design a ring signature scheme whose verification key size is constant, but this scheme will expose the identity of the signer [46]. In 2021, an efficient lattice-based linkable ring signature scheme with scalability to multiple layers was reported by Ren et al. However, the verification key size is still too big [47]. The above ring signature schemes are either constructed under ROM [25],[40],[41],[43],[44], have a relatively large verification key size or signature size [22]-[25],[42],[47], or have some security risks [45],[46].
In 2019, Kurbatov et al. proposed to apply ring signatures to the construction of anonymous electronic voting schemes, but they did not give a specific implementation [8]. In 2020, an anonymous and coercion-resistant distributed electronic voting scheme was reported by Zaghloul et al., which uses the conditions of the parties’ unwillingness to collude to reduce the possibility of voter information exposure [9]. However, in the post-quantum era, even if parties do not collude, the anonymity of the scheme cannot be guaranteed. In 2021, a distributed blockchain-based anonymous mobile electronic voting scheme was reported by Zaghloul et al., which increases the voter turnout rate during large-scale elections by using IoT devices. But in the post-quantum era, this scheme has security risks [10]. The above voting schemes have security risks in the post-quantum era.
Contributions
- We design a lattice-based ring signature scheme under SM that achieves a constant verification public key size. The proposed ring signature scheme is identity-based and therefore does not need to rely on digital certificates. We prove the anonymity against the full-key exposure and existential non-forgeability against insider corruption of our scheme under SM.
- Besides, we also extend our ring signature scheme to anonymous electronic voting by combining Shamir's (𝑡, 𝑛) threshold scheme [48]. Our voting scheme uses a lattice-based ring signature structure to ensure the anonymity of voters, uses landmarks to prevent multiple votes by one voter, and uses the (𝑡, 𝑛) threshold scheme [48] to ensure the anonymity of votes before the ballots are made public. Finally, voters can use known information to determine whether their votes are counted, which prevents the counting agency from losing votes privately.
2. Preliminaries
Notations. \([d]\) represents all positive integers from 1 to \(d\). Vectors are written in lowercase bold italic letters and matrices in uppercase bold italic letters. \(\|\cdot\|\) represents the \(l_2\) norm. For a matrix \(\mathbf{A} = [\mathbf{a}_1, \cdots, \mathbf{a}_m] \in \mathbb{R}^{n \times m}\), the \(i\)-th column vector is represented by \(\mathbf{a}_i\). The Gram-Schmidt orthogonalization of the vectors \(\mathbf{a}_1, \cdots, \mathbf{a}_m\) is represented by the vectors \(\tilde{\mathbf{a}}_1, \cdots, \tilde{\mathbf{a}}_m\). The base-2 logarithm is represented by the function log. The notations \(O\) and \(\omega\) represent the growth of functions.
2.1 Lattice
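Let \(\mathbf{b}_1, \mathbf{b}_2, \cdots, \mathbf{b}_n\) be \(n\) linearly independent vectors in \(\mathbb{R}^n\), and let \(\mathbf{B} = [\mathbf{b}_1, \mathbf{b}_2, \cdots, \mathbf{b}_n]\). \(\Lambda(\mathbf{B}) = \{\mathbf{B}\mathbf{c} = \sum_{i=1}^{n} \mathbf{b}_i c_i \mid \mathbf{c} \in \mathbb{Z}^n\}\) represents the \(n\)-dimensional lattice \(\Lambda\) generated by the basis \(\mathbf{B}\), where \(\mathbf{B}\) is a basis of the lattice \(\Lambda^{\perp}(\mathbf{B})\). The orthogonal lattice is \(\Lambda^{\perp}(\mathbf{B}) = \{\mathbf{e} \in \mathbb{R}^m \mid \mathbf{B}\mathbf{e} = \mathbf{0} \bmod q,\ \mathbf{B} \in \mathbb{R}_q^{n \times m}\}\) [49].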
2.2 Discrete Gaussians
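For any \(\eta > 0\) and \(\mathbf{x} \in \mathbb{R}^m\), the discrete Gaussian function with \(\eta\) as the parameter and \(\mathbf{v} \in \mathbb{R}^m\) as the center is defined as \(\rho_{\mathbf{v},\eta}(\mathbf{x}) = \exp(-\pi\|\mathbf{x} - \mathbf{v}\|^2/\eta^2)\).
The discrete Gaussian function on a lattice \(\Lambda \subseteq \mathbb{Z}^m\) is defined as \(\forall\, \mathbf{x} \in \Lambda,\ D_{\Lambda,\mathbf{v},\eta}(\mathbf{x}) = \rho_{\mathbf{v},\eta}(\mathbf{x})/\rho_{\mathbf{v},\eta}(\Lambda)\), where \(\rho_{\mathbf{v},\eta}(\Lambda) = \sum_{\mathbf{z} \in \Lambda} \rho_{\mathbf{v},\eta}(\mathbf{z})\).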
In particular, when representing a Gaussian function centered at 0, we often omit 0 [49].
2.3 Hard Problems on Lattice
The security of our ring signature scheme relies on the difficulty assumptions of the small integer solution (SIS) problem and the inhomogeneous small integer solution (ISIS) problem [32].
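Definition 1 The small integer solution problem (SIS). Given a matrix \(\mathbf{A} \in \mathbb{R}_q^{n \times m}\) and parameters, the target of \(\mathrm{SIS}_{q,m,\beta}\) is to find a nonzero integer vector \(\mathbf{v} \in \mathbb{Z}_q^m\) that satisfies \(\mathbf{A}\mathbf{v} = \mathbf{0} \bmod q\) and \(\|\mathbf{v}\| \le \beta\).
Definition 2 The inhomogeneous small integer solution problem (ISIS). Given a matrix \(\mathbf{A} \in \mathbb{R}_q^{n \times m}\), parameters \(n, m, q, \beta\), and a vector \(\mathbf{y} \in \mathbb{Z}_q^m\), the target of \(\mathrm{ISIS}_{q,m,\beta}\) is to find a nonzero integer vector \(\mathbf{v} \in \mathbb{Z}_q^m\) that satisfies \(\mathbf{A}\mathbf{v} = \mathbf{y} \bmod q\) and \(\|\mathbf{v}\| \le \beta\).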
2.4 Trapdoor and Basis Delegation Functions for Lattices
Ref. [32] gives three polynomial algorithms (TrapGen, SampleD, SamplePre). The details are as follows:
The Gaussian smoothing parameter 𝜂 ≥ ‖𝑩‖ ∙ 𝜔(log𝑛) is used in the following algorithm [50].
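TrapGen(\(1^n\)). With \(n\), \(q = \mathrm{poly}(n)\), and \(m \ge 5n\log q\) as inputs, TrapGen(\(1^n\)) outputs \((\mathbf{A}, \mathbf{T})\), where \(\mathbf{A}\) is statistically close to uniform on \(\mathbb{Z}_q^{n \times m}\) and \(\mathbf{T}\) is a trapdoor basis of \(\Lambda^{\perp}(\mathbf{A})\), which satisfies \(\|\mathbf{T}\| \le O(\sqrt{n \log q})\).
SampleD(\(\mathbf{A}, \eta\)). Sample an \(\mathbf{e}\) from the distribution \(D_{\mathbb{Z}^m,\eta}\), where the distribution of \(\mathbf{A}\mathbf{e}\) is uniform on \(\mathbb{Z}_q^n\).
SamplePre(\(\mathbf{A}, \mathbf{T}, \mathbf{y}, \eta\)). With \(\mathbf{A} \in \mathbb{Z}_q^{n \times m}\), a trapdoor basis \(\mathbf{T}\) for \(\Lambda^{\perp}(\mathbf{A})\), a vector \(\mathbf{y} \in \mathbb{Z}_q^n\), and \(\eta\) as inputs, SamplePre(\(\mathbf{A}, \mathbf{T}, \mathbf{y}, \eta\)) outputs a vector \(\mathbf{e}\) that satisfies \(\mathbf{A}\mathbf{e} = \mathbf{y} \bmod q\) and \(\|\mathbf{e}\| \le \eta\sqrt{m}\), and \(\mathbf{e}\) is within negligible statistical distance of \(D_{\Lambda_{\mathbf{y}}^{\perp},\eta}\).
BasisDel(\(\mathbf{A}, \mathbf{R}, \mathbf{T}, \eta\)) [51]. Let \(q > 2\), \(\mathbf{A} \in \mathbb{R}_q^{n \times m}\), \(\mathbf{R}\) be a matrix sampled from \(D_{m \times m}\), and \(\mathbf{T}\) be a trapdoor basis of \(\Lambda^{\perp}(\mathbf{A})\). BasisDel(\(\mathbf{A}, \mathbf{R}, \mathbf{T}, \eta\)) outputs a random trapdoor basis \(\mathbf{T}^*\) for \(\Lambda^{\perp}(\mathbf{A}\mathbf{R}^{-1})\), which satisfies \(\|\tilde{\mathbf{T}}^*\| \le \eta\sqrt{m}\).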
2.5 (𝒕, 𝒏) Threshold Scheme
The following are the details for (𝑡, 𝑛) threshold scheme [48].
1. Setup. The trusted agency 𝑇 distributes the initial secret number 𝑆 ≥ 0 among 𝑛 users.
- \(T\) chooses a prime number \(p > \max(S, n)\), and defines \(a_0 = S\).
- \(T\) selects \(t - 1\) random independent coefficients \(a_1, a_2, \ldots, a_{t-1}\). A random polynomial is defined on the group \(\mathbb{Z}_p\) as follows:
\(f(x)=\sum_{i=0}^{t-1} a_{i} x^{i}\)
- \(T\) calculates \(S_i = f(i) \bmod p\) (\(i \in [n]\)), and safely transmits \(S_i\) together with its corresponding public index \(i\) to user \(P_i\).
2. Recovery.
Any \(t\) or more users can restore the initial secret number \(S\) by combining their secret shares. \(t\) secret shares are equivalent to \(t\) different points, so they determine the \(t\) unknowns \(a_i\) (\(0 \le i \le t - 1\)) of \(f(x)\) (by the Lagrange interpolation polynomial method or the Vandermonde matrix method). The secret number is then \(S = a_0 = f(0)\).
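The Setup and Recovery steps above as a runnable sketch; this is an added example, not code from the paper. The function names, the optional `coeffs` argument and the demo values (prime 2087, secret 1234) are assumptions made for illustration, and `share_implied_by` shows why \(t - 1\) shares reveal nothing about \(S\).

```python
import secrets
from itertools import combinations


def split(secret, t, n, p, coeffs=None):
    """Setup: return {i: S_i} with S_i = f(i) mod p, where f(0) = a_0 = secret.

    p must be a prime larger than max(secret, n). `coeffs` (a_1..a_{t-1}) is
    an added hook for reproducible demos; by default they are drawn at random.
    """
    if not (1 <= t <= n and secret >= 0 and p > max(secret, n)):
        raise ValueError("need 1 <= t <= n, S >= 0 and p > max(S, n)")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("exactly t - 1 coefficients are required")
    poly = [secret] + [a % p for a in coeffs]      # a_0, a_1, ..., a_{t-1}

    def f(x):
        acc = 0
        for a in reversed(poly):                   # Horner's rule mod p
            acc = (acc * x + a) % p
        return acc

    return {i: f(i) for i in range(1, n + 1)}


def interpolate(points, x, p):
    """Value at x of the unique polynomial of degree < len(points) through
    `points` ({x_i: y_i}), computed with Lagrange basis polynomials mod p."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares, p):
    """Recovery: S = a_0 = f(0) from t (or more) shares {i: S_i}."""
    return interpolate(shares, 0, p)


def share_implied_by(known, candidate_secret, x, p):
    """Share at index x that would make `candidate_secret` the secret, given
    t - 1 known shares. A value exists for every candidate, so t - 1 shares
    do not narrow down S."""
    return interpolate({0: candidate_secret, **known}, x, p)


if __name__ == "__main__":
    P = 2087                                        # constructed demo prime
    shares = split(1234, t=3, n=5, p=P, coeffs=[166, 94])
    print("shares:", shares)
    for subset in combinations(shares.items(), 3):  # every 3-subset recovers S
        print(sorted(dict(subset)), "->", recover(dict(subset), P))
    known = {1: shares[1], 2: shares[2]}            # only t - 1 = 2 shares
    for guess in (0, 999, 1234):
        print("secret", guess, "needs S_3 =", share_implied_by(known, guess, 3, P))
```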
2.6 Basic Definition and Security Requirements of Ring Signature
2.6.1 Basic Definition of Ring Signature
The following three algorithms RS = (KeyGen, Ring-Sign, Ring-Verify) are the basic algorithms of a ring signature.
KeyGen(𝑛, 𝑁): With the security parameter 𝑛 as input, the Key-Generator-Center (KGC) outputs the ring public parameters rpk and the ring members’ private keys \(sk_i\) for 𝑖 ∈ [𝑁].
Ring-Sign(rpk, \(ID_i\), 𝑀, 𝑟): With a signer’s identity \(ID_i\), a ring set 𝑟 (𝑟 ⊆ [𝑁]) and a message 𝑀 as input, signer \(ID_i\) outputs a ring signature 𝝈 on message 𝑀.
Ring-Verify(𝑟, 𝑀, 𝝈): A ring set 𝑟 and a signature 𝝈 on message 𝑀 are input. If Ring-Verify(𝑀, Ring-Sign(rpk, \(ID_i\), 𝑀, 𝑟)) = 1 holds true, the verifier outputs 1; otherwise the verifier outputs 0.
The security of our scheme includes anonymity and existential non-forgeability. The specific security definition is presented in Ref. [17]. The following are details.
2.6.2 Anonymity against the Full-Key Exposure
Given a ring signature (Gen, Sign, Verify), a probabilistic polynomial time (PPT) challenger 𝐶, and a PPT adversary 𝐴, the following game is played:
1. Setup. The security parameter 𝑛 is given, and the public parameter rpk, the master secret key (MSK), and the signer’s private key are generated by challenger 𝐶 running the algorithm Setup. Then adversary 𝐴 receives rpk from challenger 𝐶.
2. Signature queries. Adversary 𝐴 queries the signature with the ring set 𝑟, the message 𝑀, and signer ID. A ring signature \(\boldsymbol{\sigma}_{ID} \leftarrow \mathrm{Sign}(PP, M, ID, r, sk_{ID})\) is returned to adversary 𝐴 by challenger 𝐶.
3. Private key queries. Adversary 𝐴 queries the private key with signer ID. The private key \(sk_{ID} = \mathbf{T}_{ID}\) is sent to adversary 𝐴 by challenger 𝐶.
4. Challenge. A signature query to challenger 𝐶 on message 𝑀, a ring 𝑟, and two identities \(ID_b \in r\) (\(b \in \{0, 1\}\)) is submitted by adversary 𝐴. A random number \(b \in \{0, 1\}\) is picked by challenger 𝐶. Finally, a ring signature \(\boldsymbol{\sigma}_{ID_b} \leftarrow \mathrm{Sign}(PP, M, ID_b, r, sk_{ID_b})\) is returned to adversary 𝐴 by challenger 𝐶.
5. Guess. A guess 𝑏′ is output by adversary 𝐴.
|Pr[𝑏′ = 𝑏] − 1/2| is the advantage of adversary 𝐴 in this game. If the advantage of adversary 𝐴 is negligible, then this ring signature is considered to satisfy anonymity against full-key exposure.
2.6.3 Existential Non-forgeability against Insider Corruption
If for any PPT adversary 𝐴 and any polynomial 𝑛(∙), the probability that 𝐴 succeeds in the following game is negligible, then a ring signature scheme (Gen, Sign, Verify) is existentially unforgeable against insider corruption.
1. Algorithm Gen(\(1^k\)) generates key pairs \(\{(pk_i, sk_i)\}_{i=1}^{n(k)}\). The set of public keys \(\{pk_i\}_{i=1}^{n(k)}\) is given to 𝐴.
2. Adversary 𝐴 has the right to obtain signatures \(\boldsymbol{\sigma} \leftarrow \mathrm{Sign}_{sk_{ID}}(M, r)\), where 𝑀 is the message to be signed, 𝑟 is the ring set and \(sk_{ID} \in r\).
3. 𝐴 has the right to obtain the private key \(sk_{ID}\) of the signer with identity ID.
4. \((r^*, M^*, \boldsymbol{\sigma}^*)\) is output by adversary 𝐴. If \(\mathrm{Vrfy}_{r^*}(M^*, \boldsymbol{\sigma}^*) = 1\), then adversary 𝐴 succeeds. \((*, M^*, \boldsymbol{\sigma}^*)\) is never queried by 𝐴, and \(r^* \subseteq S \setminus C\), where 𝐶 represents the set of corrupt users.
2.7 The Basic Steps of Electronic Voting
For different electronic voting schemes, the implementation process is different. Generally speaking, implementation process of an electronic voting system includes the following 6 steps [52]-[56].
Step 1 Registration: A voter obtains a mark that can be verified by the registration agency. Some personal information and voting information of voters may be implicit in this mark.
Step 2 Signature: The management agency first verifies whether the voter has voted for the first time, and if not, rejects the signature; If it is the first vote, the management agency signs the message and transmits this signature to the voter.
Step 3 Voting: After obtaining the signature, the voter can construct a ballot that he considers safe and send it to the counting agency.
Step 4 Statistics: After receiving all the votes, the counting agency will make their numbers public.
Step 5 Verification: According to the information published by the ballot counting agency, voters can know whether their ballots have been counted correctly. If they find that their votes have been tampered with or not made public, they can protest.
Step 6 Disclosure: If voters have no objections, according to the ballot opening agreement, the counting agency can restore the information of votes and make them public.
3. Lattice-based Ring Signature and Its Application on Anonymous Electronic Voting
3.1 Ring Signature Scheme Based on Lattice
The following are the parameters required by our scheme.
Let 𝑁, 𝑛, 𝛽, 𝑞 ≥ 𝑁β ∙ 𝜔(√𝑛log𝑛), 𝑚 ≥ 5𝑛log𝑞, s ≥ O(√𝑛log𝑞)(the upper bound of the Gram-Schmidt size of the signer's private key) and Gaussian parameter 𝜂 ≥ s ∙ ω(√log𝑞).
A bit string distributed on \(\{0,1\}^*\) represents the message. Define the collision-resistant hash function \(H_1: \{0,1\}^* \to \{0,1\}^d\), where 𝑑 is a positive integer, and another collision-resistant hash function \(H_2: \{0,1\}^* \to \mathbb{Z}_q^{m \times m}\), \(H_2(ID) \sim D_{m \times m}\). The following describes our algorithm.
Algorithm 1 KeyGen.
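The security parameter 𝑛, the number of people in the ring 𝑁, \(m \in \mathbb{Z}\), a prime \(q \in \mathbb{Z}\), and \(\eta \in \mathbb{R}\) are inputs.
1. KGC (we assume that KGC is credible) computes \((\mathbf{A}, \mathbf{T}) \leftarrow \mathrm{TrapGen}(n, m, q)\), where \(\mathbf{T} \in \mathbb{Z}_q^{m \times m}\), and selects vectors \(\mathbf{b}_0, \cdots, \mathbf{b}_d \leftarrow \mathbb{Z}_q^n\);
2. For \(i \in [N]\), define \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\) (\(ID_i\) is the identity of the 𝑖-th ring member). KGC extracts the basis \(\mathbf{T}_i \leftarrow \mathrm{BasisDel}(\mathbf{A}, \mathbf{H}_2(ID_i), \mathbf{T}, \eta)\), where \(\mathbf{T}_i \in \mathbb{Z}_q^{m \times m}\) (\(\|\tilde{\mathbf{T}}_i\| \le \eta\sqrt{m}\)) is a trapdoor basis of the lattice \(\Lambda_q^{\perp}(\mathbf{A}_i)\);
3. Set the ring public parameter \(rpk = \{N, \mathbf{A}, \mathbf{b}_0, \cdots, \mathbf{b}_d\}\), and \(sk_i = \mathbf{T}_i\), \(i \in [N]\), as the private key of the 𝑖-th ring member.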
Algorithm 2 Ring-Sign
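The public key \(rpk = \{N, \mathbf{A}, \mathbf{b}_0, \cdots, \mathbf{b}_d\}\), the identity \(ID_i\) and \(sk_i = \mathbf{T}_i\) of the 𝑖-th signer, a message \(M \in \{0,1\}^*\) and \(r = \{ID_1, \cdots, ID_N\}\) are input. The signer \(ID_i\) computes as follows:
1. Let \(\mathbf{A}^* = \sum_{i=1}^{N} \mathbf{A}_i = [\mathbf{a}_1^*, \cdots, \mathbf{a}_m^*]\), \(\mathbf{k} = (\mathbf{a}_1^{*T}, \mathbf{a}_2^{*T}, \cdots, \mathbf{a}_m^{*T})\), compute \(\boldsymbol{\mu} = \mathbf{H}_1(\mathbf{k}, M)\) where \(\boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\);
2. Compute \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\) and \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\);
3. Randomly select \(\mathbf{R} \in \mathbb{Z}_q^{m \times m}\), define \(\mathbf{B}_i = \mathbf{A}_i\mathbf{R}^{-1}\), and extract the basis \(\mathbf{T}_i^* \leftarrow \mathrm{BasisDel}(\mathbf{A}_i, \mathbf{R}, \mathbf{T}_i, \eta)\), where \(\mathbf{T}_i^* \in \mathbb{Z}_q^{m \times m}\) is a trapdoor basis of the lattice \(\Lambda_q^{\perp}(\mathbf{B}_i)\) and satisfies \(\|\tilde{\mathbf{T}}_i^*\| \le \eta\sqrt{m}\);
4. Compute \(\mathbf{e} \leftarrow \mathrm{SamplePre}(\mathbf{B}_i, \mathbf{T}_i^*, \mathbf{b}_{\mu}, \eta)\);
5. Output the ring signature \(\boldsymbol{\sigma} = \{\mathbf{e}, \mathbf{R}^* = \mathbf{H}_2(ID_i)^{-1}\mathbf{R}^{-1}\}\).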
Algorithm 3 Ring-Verify
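rpk, 𝑀, 𝜂 and \(r = \{ID_1, \cdots, ID_N\}\) are inputs. Let \(\mathbf{A}^* = \sum_{i=1}^{N} \mathbf{A}_i = [\mathbf{a}_1^*, \cdots, \mathbf{a}_m^*]\), \(\mathbf{k} = (\mathbf{a}_1^{*T}, \mathbf{a}_2^{*T}, \cdots, \mathbf{a}_m^{*T})\). The verifier computes \(\mathbf{H}_1(\mathbf{k}, M) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\) and \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\). Accept if the following conditions are fulfilled: \(\mathbf{A}\mathbf{R}^*\mathbf{e} = \mathbf{b}_{\mu} \bmod q\), \(\|\mathbf{e}\| \ne 0\) and \(\|\mathbf{e}\| \le \eta\sqrt{m}\).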
3.2 Anonymous Electronic Voting Scheme Based on Our Ring Signature Scheme
Fig. 1. The process of anonymous electronic voting
3.2.1 Parameters
- Voter: A voter has a legal public key and a legal private key;
- Registration agency: Registration agency KGC computes the private key and public key of voters;
- Management agency: skG and 𝑝k𝐺 are the private key and public key of management agency 𝐺 respectively;
- Counting agency: Counting agency is 𝐶𝑖 (𝑖 ∈ [𝑛]).
3.2.2 Scheme
1. Registration agreement
KGC computes (𝑨, 𝑻) ← TrapGen(𝑛, 𝑚, 𝑞), selects vectors 𝒃𝟎, ⋯ , 𝒃𝒅 ← Z𝑞𝑛, and makes 𝒃
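- KGC computes \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\), and extracts \(\mathbf{T}_i \leftarrow \mathrm{BasisDel}(\mathbf{A}, \mathbf{H}_2(ID_i), \mathbf{T}, \eta)\), where \(\mathbf{T}_i \in \mathbb{Z}_q^{m \times m}\) is a trapdoor basis of the lattice \(\Lambda_q^{\perp}(\mathbf{A}_i)\) which satisfies \(\|\tilde{\mathbf{T}}_i\| \le \eta\sqrt{m}\). Define \(ID_i\)’s private key as \(sk = \mathbf{T}_i\) and \(ID_i\)’s public key as \(pk = \mathbf{A}_i\).
- \(V_i\) selects a random bit string \(\mathbf{w}_i \in \{0,1\}^*\), calculates \(\mathbf{c}_i = h(\mathbf{w}_i)\) (ℎ is a strong collision-resistant hash function where \(h: \{0,1\}^* \to \mathbb{Z}_q^n\)), calculates \(sig \leftarrow \mathrm{SamplePre}(\mathbf{A}_i, \mathbf{T}_i, \mathbf{c}_i, \eta)\), and sends \((sig, \mathbf{c}_i)\) to KGC. After KGC verifies that the signature is legal, KGC makes \(\mathbf{c}_i\) public. (It is assumed that KGC is a black box.)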
2. Management agreement
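Voter \(V_i\) uses the vote 𝑀 as the secret number of the (𝑡, 𝑛) threshold scheme and calculates 𝑓(1), . . . , 𝑓(𝑛) respectively (𝑓 is a random polynomial). Voter \(V_i\) randomly selects several legitimate voters to form a ring (including the current voter himself). It is assumed that 𝑛 voters are selected to form a ring \(r = \{ID_1, \cdots, ID_n\}\). The signature is computed as follows:
- Let \(\mathbf{A}^* = \sum_{i=1}^{n} \mathbf{A}_i = [\mathbf{a}_1^*, \cdots, \mathbf{a}_m^*]\), \(\mathbf{k} = (\mathbf{a}_1^{*T}, \mathbf{a}_2^{*T}, \cdots, \mathbf{a}_m^{*T})\), compute \(\boldsymbol{\mu} = \mathbf{H}_1(\mathbf{k}, f(1))\) where \(\boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\);
- Compute \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\) and \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\);
- Randomly select \(\mathbf{R} \in \mathbb{Z}_q^{m \times m}\), define \(\mathbf{B}_i = \mathbf{A}_i\mathbf{R}^{-1}\), and extract a basis \(\mathbf{T}_i^* \leftarrow \mathrm{BasisDel}(\mathbf{A}_i, \mathbf{R}, \mathbf{T}_i, \eta)\), where \(\mathbf{T}_i^* \in \mathbb{Z}_q^{m \times m}\) (\(\|\tilde{\mathbf{T}}_i^*\| \le \eta\sqrt{m}\)) is a trapdoor basis of the lattice \(\Lambda_q^{\perp}(\mathbf{B}_i)\);
- Compute \(\mathbf{e} \leftarrow \mathrm{SamplePre}(\mathbf{B}_i, \mathbf{T}_i^*, \mathbf{b}_{\mu}, \eta)\), and output the ring signature \(\boldsymbol{\sigma} = \{\mathbf{e}, \mathbf{R}^* = \mathbf{H}_2(ID_i)^{-1}\mathbf{R}^{-1}\}\).
Finally, voter \(V_i\) sends \(\{\boldsymbol{\sigma} = \{\mathbf{e}, \mathbf{R}^* = \mathbf{H}_2(ID_i)^{-1}\mathbf{R}^{-1}\}, r = \{ID_1, \cdots, ID_n\}, \mathbf{w}_i, f(1)\}\) to management agency 𝐺 through an anonymous channel. 𝐺 first verifies whether the signature is correct according to the following steps:
- Compute \(\mathbf{H}_1(\mathbf{k}, f(1)) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\) and \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\);
- Accept if the following conditions are fulfilled: \(\mathbf{A}\mathbf{R}^*\mathbf{e} = \mathbf{b}_{\mu}\), \(\mathbf{e} \ne \mathbf{0}\) and \(\|\mathbf{e}\| \le \eta\sqrt{m}\).
If the signature is not correct, 𝐺 refuses to receive the data. Otherwise, 𝐺 calculates \(\mathbf{c}_i' = h(\mathbf{w}_i)\) and checks whether there is an already public \(\mathbf{c}_i\) that satisfies \(\mathbf{c}_i = \mathbf{c}_i'\); if not, 𝐺 refuses to receive the data. If there is, 𝐺 checks whether \(\mathbf{c}_i\) is already stored in the database. If it has been stored, \(V_i\) has already voted once and 𝐺 refuses to receive the data; if not, 𝐺 stores 𝑓(1) and \(\mathbf{c}_i\) in the database, and then uses its private key SKG to compute \(\boldsymbol{\sigma}_G \leftarrow \mathrm{SamplePre}(PKG, SKG, h(\boldsymbol{\sigma}, \mathbf{c}_i), \eta)\). Finally, 𝐺 sends \(\boldsymbol{\sigma}_G\) to the signer \(V_i\).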
3. Voting agreement
If \(V_i\) verifies that the signature \(\boldsymbol{\sigma}_G\) is correct, then \(V_i\) calculates the signature \(\boldsymbol{\sigma}_j\) of 𝑓(𝑗) (the signature method is the same as the signature method of 𝑓(1)). Finally, \(V_i\) sends \((\boldsymbol{\sigma}_j, f(j), f(1), \boldsymbol{\sigma}_G, \mathbf{c}_i)\) through an anonymous channel to the counting agency \(C_j\) (\(j \in [N]\)). \(C_j\) verifies whether the signature is correct, and publishes \((j, \mathbf{c}_i, f(1))\) if it is correct.
4. Collection agreement
If a voter 𝑉𝑖 finds that his (𝑗, 𝒄𝒊, 𝑓(1)) has not been published, he raises (𝑓(1), 𝝈𝑮) to protest. KGC asks 𝐶𝑗 to join (𝑗, 𝒄𝒊, 𝑓(1)).
5. Counting Agreement
After the voting is over, 𝑡 counting agencies calculate the vote 𝑀 of the voter 𝑉𝑖 according to the (𝑡, 𝑛) threshold scheme.
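The acceptance order used by the management agency and the voter's publication check from the collection agreement, as an added sketch that is not code from the paper. Assumptions: SHA-256 stands in for ℎ, the lattice Ring-Verify is replaced by an injected toy predicate, the countersignature of 𝐺 is left out, and all class names, function names and sample values are constructed for illustration.

```python
import hashlib


def h(w: bytes) -> str:
    """Stand-in for the page's hash h (assumption: SHA-256 instead of a map
    into Z_q^n); c_i = h(w_i) is the voter's public mark."""
    return hashlib.sha256(w).hexdigest()


class ManagementAgency:
    """G: checks applied before countersigning a ballot (management agreement)."""

    def __init__(self, published_marks, verify_ring_sig):
        self.published = set(published_marks)   # marks c_i made public by KGC
        self.database = {}                      # accepted ballots: c_i -> f(1)
        self.verify_ring_sig = verify_ring_sig  # injected verifier (assumption)

    def submit(self, sigma, ring, w, f1):
        if not self.verify_ring_sig(sigma, ring, f1):
            return "reject: invalid ring signature"
        c = h(w)
        if c not in self.published:
            return "reject: mark was never published"
        if c in self.database:                  # this mark has voted already
            return "reject: mark already used"
        self.database[c] = f1
        return "accept"


class CountingAgency:
    """C_j: keeps its share f(j) and publishes (j, c_i, f(1))."""

    def __init__(self, j, verify_ring_sig):
        self.j = j
        self.verify_ring_sig = verify_ring_sig
        self.shares = {}                        # c_i -> f(j), private until counting
        self.board = set()                      # public records (j, c_i, f(1))

    def receive(self, sigma_j, ring, f_j, f1, c):
        if not self.verify_ring_sig(sigma_j, ring, f_j):
            return False
        self.shares[c] = f_j
        self.board.add((self.j, c, f1))
        return True


def unpublished(agencies, c, f1):
    """Collection agreement: indices j whose board lacks the voter's record."""
    return [a.j for a in agencies if (a.j, c, f1) not in a.board]


def toy_verify(sigma, ring, message):
    """Constructed stand-in for Ring-Verify; this is not a lattice signature."""
    return sigma == ("signed-by-ring", tuple(ring), message)


def run_demo():
    ring = ["ID1", "ID2", "ID3"]                  # constructed identities
    w = b"constructed random string of voter 1"
    shares = {1: 1494, 2: 1942, 3: 491}           # constructed f(1), f(2), f(3)

    def sign(message):                            # toy signer matching toy_verify
        return ("signed-by-ring", tuple(ring), message)

    g = ManagementAgency({h(w)}, toy_verify)
    results = {
        "first": g.submit(sign(shares[1]), ring, w, shares[1]),
        "replay": g.submit(sign(shares[1]), ring, w, shares[1]),
        "unregistered": g.submit(sign(7), ring, b"never registered", 7),
        "forged": g.submit(("forged", tuple(ring), 9), ring, w, 9),
    }
    agencies = [CountingAgency(j, toy_verify) for j in (1, 2, 3)]
    for a in agencies:
        if a.j != 2:                              # the ballot sent to C_2 is lost
            a.receive(sign(shares[a.j]), ring, shares[a.j], shares[1], h(w))
    results["protest_against"] = unpublished(agencies, h(w), shares[1])
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```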
4. Security Analysis
4.1 Security Analysis of Ring Signature Scheme Based on Lattice
4.1.1 Correctness
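When the verifier receives the ring signature \(\boldsymbol{\sigma} = \{\mathbf{e}, \mathbf{R}^* = \mathbf{H}_2(ID_j)^{-1}\mathbf{R}^{-1}\}\), it runs Algorithm 3 Ring-Verify to check whether the ring signature is legal or not. If \(\mathbf{A}\mathbf{R}^*\mathbf{e} \ne \mathbf{b}_{\mu}\) or \(\|\mathbf{e}\| = 0\) or \(\|\mathbf{e}\| > \eta\sqrt{m}\), the signature is illegal. Otherwise, combining the public key \(\mathbf{A}\), the public parameters \(\{\mathbf{b}_0, \cdots, \mathbf{b}_d\}\), the message 𝑀 and \(r = \{ID_1, \cdots, ID_n\}\), the correctness of our signature scheme mainly relies on the equation \(\mathbf{A}\mathbf{R}^*\mathbf{e} = \mathbf{b}_{\mu} \bmod q\). The detailed steps are described as follows:
Let \(\mathbf{A}^* = \sum_{i=1}^{n} \mathbf{A}_i = [\mathbf{a}_1^*, \cdots, \mathbf{a}_m^*]\), \(\mathbf{k} = (\mathbf{a}_1^{*T}, \mathbf{a}_2^{*T}, \cdots, \mathbf{a}_m^{*T})\)
\(\mathbf{H}_1(\mathbf{k}, M) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\)
\(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\)
According to the SamplePre function, \(\mathbf{A}\mathbf{R}^*\mathbf{e} = [\mathbf{A}\mathbf{H}_2(ID_j)^{-1}\mathbf{R}^{-1}]\mathbf{e} = \mathbf{b}_{\mu}\).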
4.1.2 Anonymity against the Full-Key Exposure
Theorem 1 Complete anonymity against the full-key exposure is satisfied by the ring signature scheme based on lattice proposed in this paper.
Proof
1. Setup. Let 𝐴 be a PPT adversary and 𝐶 a PPT challenger. The security parameter 𝑛 is given. Challenger 𝐶 computes \((\mathbf{A}, \mathbf{T}) \leftarrow \mathrm{TrapGen}(n, m, q)\), and outputs \(rpk = \{N, \mathbf{A}, \mathbf{b}_0, \cdots, \mathbf{b}_d\}\) and the signer’s private key \(sk_j = \mathbf{T}_j\) (\(j \in [N]\)). Then challenger 𝐶 sends rpk to adversary 𝐴.
2. Signature queries. Input the ring set 𝑟, the message 𝑀, and signer \(ID_j\). Adversary 𝐴 queries challenger 𝐶 for the signature. Challenger 𝐶 computes \(\boldsymbol{\sigma}_i \leftarrow\) Ring-Sign(rpk, \(ID_i\), 𝑀, 𝑟), and sends \(\boldsymbol{\sigma}_i\) to adversary 𝐴.
3. Private key queries. Adversary 𝐴 randomly queries the private key \(\mathbf{T}_j\) corresponding to identity \(ID_j\) (\(j \in [N]\)). Challenger 𝐶 sends \(\mathbf{T}_j\) to adversary 𝐴.
4. Challenge. Challenger 𝐶 provides parameters to adversary 𝐴: message 𝑀, ring set 𝑟, and the public keys of two users \(ID_0\), \(ID_1\). Challenger 𝐶 arbitrarily selects \(b \in \{0,1\}\), inputs the corresponding private key \(\mathbf{T}_b\) of \(ID_b\), and computes \(\boldsymbol{\sigma}_b \leftarrow\) Ring-Sign(rpk, \(ID_b\), 𝑀, 𝑟). Finally \(\boldsymbol{\sigma}_b\) is sent to adversary 𝐴 by challenger 𝐶.
5. 𝑏′ is given by the adversary 𝐴.
In the above process, the signatures of the two users \(ID_0\) and \(ID_1\) are \(\boldsymbol{\sigma}_0\) and \(\boldsymbol{\sigma}_1\) respectively. Because \(\boldsymbol{\sigma}_0\) and \(\boldsymbol{\sigma}_1\) are obtained from \(D_{\Lambda^{\perp}(\mathbf{B}_b),\eta}\) using the SamplePre function, \(\boldsymbol{\sigma}_0\) and \(\boldsymbol{\sigma}_1\) have the same distribution structure. The statistical distance between \(\boldsymbol{\sigma}_0\) and \(\boldsymbol{\sigma}_1\) is negligible, so \(\boldsymbol{\sigma}_0\) and \(\boldsymbol{\sigma}_1\) are indistinguishable. Therefore, the advantage of adversary 𝐴 in winning the game is negligible. This scheme satisfies complete anonymity against full-key exposure.
4.1.3 Non-forgeability against the Insider Corruption
Theorem 2 Let 𝑞, 𝑚, 𝑁, 𝜂, 𝛽, 𝑟 be set as parameters for the ring signature scheme and assume the \(\mathrm{SIS}_{q,m,2\eta\sqrt{m}}\) problem is hard. Then existential non-forgeability against the insider corruption is satisfied by our ring signature scheme under SM.
Proof If there is an adversary 𝐴 that can break our scheme with probability 𝜖, then we can design a polynomial algorithm 𝐵 that solves the \(\mathrm{SIS}_{q,m,2\eta\sqrt{m}}\) problem with probability at least \(\epsilon\,(q_E C_{q_E}^{q_E/2})^{-1}\). The total number of queries of adversary 𝐴 is represented by \(q_E\). The following is the detailed process.
Setup. Public parameters are generated by the algorithm 𝐵 as the following way.
1. Choose 𝑙 ∈ [𝑞𝐸] as the size of the ring, 𝑟 = {ID1, ⋯ ,ID𝑙};
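2. Run TrapGen(𝑛, 𝑚, 𝑞) to generate \(\mathbf{A} \in \mathbb{Z}_q^{n \times m}\) and \(\mathbf{T} \in \mathbb{Z}_q^{m \times m}\), where \(\mathbf{T}\) is a trapdoor basis of \(\Lambda^{\perp}(\mathbf{A})\).
3. For each signer \(ID_i\) in the ring:
- If \(i \in [q_E]\) and \(ID_i \notin r\), select \(\mathbf{R} \in \mathbb{Z}_q^{m \times m}\), calculate \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\mathbf{R}^{-1}\) and \(\mathbf{T}_i \leftarrow \mathrm{BasisDel}(\mathbf{A}, \mathbf{R}\mathbf{H}_2(ID_i), \mathbf{T}, \eta)\), and finally store \(\langle ID_i, \mathbf{A}_i, \mathbf{T}_i \rangle\) in the database.
- If \(i \in [q_E]\) and \(ID_i \in r\), calculate \(\mathbf{A}_i = \mathbf{A}\mathbf{H}_2(ID_i)^{-1}\) and \(\mathbf{T}_i \leftarrow \mathrm{BasisDel}(\mathbf{A}, \mathbf{R}\mathbf{H}_2(ID_i), \mathbf{T}, \eta)\).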
4. Select 𝑑 + 1 uniformly distributed short random vectors 𝒄𝟎, ⋯ , 𝒄d ∈ DZ𝑚,𝜏 (𝜏 = 𝛽/𝑑+1) and a specific signer ID𝑡 ∈ 𝑟, and calculate 𝒃𝒋 = ~𝑨t𝒄𝒋(𝑗 = 0, ⋯ , 𝑑).
5. Send system parameters < 𝑨, 𝒃𝟎, ⋯ , 𝒃𝒅 > to adversary 𝐴.
Query phase. 𝐵 responds to the queries from 𝐴.
1. Corruption query (ID𝑖). If ID𝑖 ∉ 𝑟, 𝐵 finds < ID𝑖,𝑨𝒊,𝑻𝒊 > in the database and returns 𝑻
2. Signing query (ID𝑖, 𝑀𝑖).
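Let \(\mathbf{A}^* = \sum_{i=1}^{n} \mathbf{A}_i = [\mathbf{a}_1^*, \cdots, \mathbf{a}_m^*]\), \(\mathbf{k} = (\mathbf{a}_1^{*T}, \mathbf{a}_2^{*T}, \cdots, \mathbf{a}_m^{*T})\).
- If \(ID_i = ID_t\), 𝐵 first calculates \(\mathbf{H}_1(\mathbf{k}, M_i) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\). After that, algorithm 𝐵 calculates \(\mathbf{e}_{M_i} = \mathbf{c}_0 + \sum_{j \in [d]} \mu[j]\mathbf{c}_j \in \mathbb{Z}_q^n\), and returns \(\mathbf{e}_{M_i}\) to adversary 𝐴.
- If \(\langle ID_i, \mathbf{A}_i, \mathbf{T}_i \rangle\) is in the database, algorithm 𝐵 first calculates \(\mathbf{H}_1(\mathbf{k}, M_i) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\) and \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\). After that, algorithm 𝐵 calculates \(\mathbf{e}_{M_i} \leftarrow \mathrm{SamplePre}(\mathbf{A}_i, \mathbf{T}_i, \mathbf{b}_{\mu}, \eta)\), and returns \(\mathbf{e}_{M_i}\) to adversary 𝐴.
- Otherwise, 𝐵 looks for \(ID_v \in r\) such that \(\langle ID_v, \mathbf{A}_v, \mathbf{T}_v \rangle\) is in the database. Algorithm 𝐵 calculates \(\mathbf{H}_1(\mathbf{k}, M_i) = \boldsymbol{\mu} = (\mu[1], \mu[2], \cdots, \mu[d])\), \(\mathbf{b}_{\mu} = \mathbf{b}_0 + \sum_{i \in [d]} \mu[i]\mathbf{b}_i\), \(\mathbf{e}_{M_i} \leftarrow \mathrm{SamplePre}(\mathbf{A}_v, \mathbf{T}_v, \mathbf{b}_{\mu}, \eta)\), and returns \(\mathbf{e}_{M_i}\) to adversary 𝐴.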
Forge phase. Finally, a forged signature < ID𝑖 ∗ , 𝑀𝑖∗, 𝒆∗ > is output by the adversary A. Let 𝑨∗ = ∑𝒏𝒊=𝟏 𝑨𝒊 = [𝒂𝟏∗, ⋯ ,𝒂𝒎*], 𝒌 = (𝒂𝟏∗ 𝑇, 𝒂𝟐∗ 𝑇, ⋯ , 𝒂m∗ 𝑇) . If ID𝑖∗ ≠ ID𝑡 , abort. Otherwise algorithm 𝐵 calculates 𝑯𝟏(𝒌𝒊, 𝑀𝑖∗ ) = 𝝁∗ = (𝜇∗[1], 𝜇∗[2], ⋯ ,𝜇∗[𝑑]) , 𝒆𝑴𝒊 ∗ = 𝒄𝟎 + ∑ 𝑖∈[𝑑] 𝜇∗[𝑖]𝒄𝒋 ∈ Z𝑞𝑛, and outputs 𝒆 = 𝒆∗ − 𝒆𝑴𝒊∗ as a solution. If 𝒆∗ is a legal signature, then we have 𝑨𝒕𝒆∗ = 𝒃𝝁∗ where ‖𝒆∗‖ ≤ 𝜂√𝑚. On the other hand, 𝒃𝝁∗ = 𝒃𝟎 + ∑𝑗∈[𝑑] 𝜇∗ [𝑗]𝒃𝒋 where 𝒃𝒋 = 𝑨∈ Z𝑞𝑛 , so we have 𝑨𝒕𝒆mi*= 𝒃𝝁∗ with ≤𝜂√𝑚. Therefore, 𝒆 = 𝒆∗ − 𝒆𝑴𝒊∗ can be used as a solution to the SIS𝑞,𝑚,2𝜂√𝑚 problem.
Remark The probability of exiting from the above process is at most 1 − (𝑞𝐸𝐶𝑞𝐸 𝑞𝐸/2 )−1, adversary 𝐴 outputs a forged signature < ID𝑖∗, 𝑀𝑖 ∗, 𝒆∗ > with the probability of 𝜖. Let 𝒆𝟎 = 𝒆∗ − 𝒆𝑴𝒊∗ , then ‖𝒆𝟎‖ = ‖𝒆∗ − 𝒆𝑴𝒊∗‖ ≤ ‖𝒆∗‖ + ‖𝒆𝑴𝒊∗‖ = 2𝜂√𝑚. The probability of ‖𝒆𝐸𝐶𝑞𝐸 𝑞𝐸/2 )−1.
4.2 Security Analysis of Anonymous Electronic Voting
Here we briefly analyze the security of our anonymous electronic voting.
Anonymity: The use of ring signature technology can make voters unconditionally anonymous. At the same time, our scheme satisfies anonymity under the condition of the quantum computer.
Uniqueness: Since the system will refuse voters to submit the bit string 𝒘 repeatedly, voters repeatedly. In addition, because the difficulty of stealing other people’s bit string 𝒘 is equivalent to solving the one-way hash problem, it is difficult for voters to submit votes by stealing other people’s bit string 𝒘. Therefore, in this design, each voter can only submit one legal ballot.
Confidentiality and fairness: The (𝑡, 𝑛) threshold scheme is used to hide the content of the ballot so that the content of the ballot is confidential before the ballot is counted. And the ballots are counted after the vote is finished, so the result of the vote is fair.
Verifiability: Whether their votes are counted correctly can be verified by voters.
Legality: Suppose that a management agency 𝐺 colludes with an unqualified person and submits an illegal ballot. Then the total number of votes exceeds the number of registered people, and it will be discovered. The power of counting agency 𝐶 is decentralized, which prevents management agency 𝐺 and counting agency 𝐶 from colluding to cheat. When this situation happens, management agency 𝐺 takes the primary liability.
Traceability: If a malicious voter is found, the identity of the voter can be revealed through KGC.
Authentication: The identity of a voter can be verified with his private key.
Authorization: A voter can be authorized to vote by KGC.
Accounting: If a voter finds out that his ballot.
5. Results and Discussion
The previous ring signature schemes based on lattice have two main problems:
1. The size of the verification key is too large;
2. The anonymity of ring signatures cannot be guaranteed.
We propose a lattice-based ring signature scheme in which the length of the verification key is constant. The master public key is used as the verification key, which ensures that the size of the verification key does not increase with the number of people in the ring. The identity of the signer is hidden through the random matrix, ensuring the anonymity of the ring signature. We prove the anonymity and the existential non-forgeability under SM. Finally, we extend our ring signature scheme to anonymous electronic voting by combining the (𝑡, 𝑛) threshold scheme [48]. We briefly explained the security of our anonymous electronic voting scheme. Our anonymous electronic voting can guarantee anonymity under the conditions of quantum computers. At the same time, our anonymous voting scheme can prevent multiple votes by one voter, prevent the counting agency from losing votes privately, and ensure the anonymity of votes before the ballots are made public. The comparison between our ring signature scheme and other ring signature schemes is shown in Table 1. The comparison shows that our scheme has a smaller public key size, verification key size, private key size, and signature size than the schemes in Ref. [40] and Ref. [42]. At the same time, our scheme is constructed under SM, which has more advantages than the scheme in Ref. [40]. Our scheme is more efficient in computational costs. The notations \(T_{BD}\), \(T_{TG}\) and \(T_{SP}\) represent the cost of the algorithms BasisDel, TrapGen and SamplePre respectively. \(T_{GSP}\) and \(T_{ERB}\) represent the cost of the algorithms GenSamplePre and ExtRandBasis used in Ref. [42] respectively. \(T_{SD}\) and \(T_E\) represent the cost of the algorithms SampleD and Exbasis used in Ref. [40] respectively. We elide the costs of hashing and addition operations. Algorithm BasisDel is faster than algorithm BasisDel. Therefore, our scheme is more efficient in terms of both storage and computational cost. The same methodology as in Ref. [57] is used to select the parameters in Table 2. 𝑁 represents the number of people in a ring.
Table 1. Comparison with the other schemes
Table 2. Parameters setting
6. Conclusion
In conclusion, we report a lattice-based ring signature scheme whose verification key size stays constant. Specifically, we use the master public key as the verification key, which ensures that the size of the verification key is constant. The identity of the signer is hidden through the random matrix, ensuring the anonymity of the ring signature. Furthermore, we prove the anonymity and the existential non-forgeability under SM. Finally, we extend our ring signature scheme to anonymous electronic voting by combining the (𝑡, 𝑛) threshold scheme. We briefly explained the security of our anonymous electronic voting scheme. Our anonymous electronic voting can guarantee anonymity under the conditions of quantum computers. Meanwhile, our anonymous voting scheme can prevent multiple votes by one voter, prevent the counting agency from losing votes privately, and ensure the anonymity of votes before the ballots are made public.
7. Future Work
In our ring signature scheme, we assume that the key distributor is a trusted organization. If the KGC is not trustworthy, our scheme cannot guarantee anonymity. At present, however, this does not affect the extension of the scheme to anonymous electronic voting. In the future, we need to consider how to solve the problem of an untrusted KGC.
Acknowledgements
References
- J. C. Benaloh, M. Yung, "Distributing the power of a government to enhance the privacy of voters," in Proc. of the Fifth Annual ACM Symposium on Principles of Distributed Computing, Calgary, Alberta, Canada, pp. 52-62, 1986.
- D. Chaum, "Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA," in Proc. of Workshop on the Theory and Application of Cryptographic Techniques, Davos, Switzerland, pp. 177-182, 1988.
- K. Ohta, "An electrical voting scheme using a single administrator," IEICE Spring National Convention Record, vol. 296, 1988.
- K. R. Iversen, "A cryptographic scheme for computerized general elections," in Proc. of Annual International Cryptology Conference, Santa Barbara, California, USA, pp. 405-419, 1991.
- A. Fujioka, T. Okamoto and K. Ohta, "A practical secret voting scheme for large scale elections," in Proc. of International Workshop on the Theory and Application of Cryptographic Techniques, Gold Coast, Queensland, Australia, pp. 244-251, 1992.
- K. Sako, "Electronic voting system with objection to the center," in Proc. of 1992 Symposium on Cryptography and Information Security, 1992.
- L. F. Cranor, "Electronic voting: computerized polls may save money, protect privacy," XRDS: Crossroads, The ACM Magazine for Students, vol. 2, no. 4, pp. 12-16, 1996. https://doi.org/10.1145/332159.332163
- O. Kurbatov, P. Kravchenko, N. Poluyanenko, O. Shapoval, T. Kuznetsova, "Using ring signatures for an anonymous e-voting system," in Proc. of 2019 IEEE International Conference on Advanced Trends in Information Theory (ATIT), Kyiv, Ukraine, pp. 187-190, 2019.
- E. Zaghloul, T. Li, J. Ren, "Anonymous and coercion-resistant distributed electronic voting," in Proc. of 2020 International Conference on Computing, Networking and Communications (ICNC), Big Island, HI, USA, pp. 389-393, 2020.
- E. Zaghloul, T. Li, J. Ren, "d-BAME: distributed blockchain-based anonymous mobile electronic voting," IEEE Internet of Things Journal, vol. 8, no. 22, pp. 16585-16597, 2021. https://doi.org/10.1109/JIOT.2021.3074877
- R. L. Rivest, A. Shamir, Y. Tauman, "How to leak a secret," in Proc. of International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, pp. 552-565, 2001.
- M. Abe, M. Ohkubo, K. Suzuki, "1-out-of-n signatures from a variety of keys," in Proc. of International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, pp. 415-432, 2002.
- J. Herranz, G. Saez, "Forking lemmas for ring signature schemes," in Proc. of International Conference on Cryptology in India, New Delhi, India, pp. 266-279, 2003.
- Y. Dodis, A. Kiayias, A. Nicolosi, V. Shoup, "Anonymous identification in ad hoc groups," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, pp. 609-626, 2004.
- F. Zhang, R. Safavi-Naini, W. Susilo, "An efficient signature scheme from bilinear pairings and its applications," in Proc. of International Workshop on Public Key Cryptography, Singapore, pp. 277-290, 2004.
- A. K. Awasthi, S. Lal, "ID-based ring signature and proxy ring signature schemes from bilinear pairings," International Journal of Network Security, vol. 4, no. 2, pp. 187-192, 2007.
- A. Bender, J. Katz and R. Morselli, "Ring signatures: Stronger definitions, and constructions without random oracles," Journal of Cryptology, vol. 22, no. 1, pp. 114-138, 2009. https://doi.org/10.1007/s00145-007-9011-9
- H. Shacham, B. Waters, "Efficient ring signatures without random oracles," in Proc. of International Workshop on Public Key Cryptography, Beijing, China, pp. 166-180, 2007.
- X. Boyen, "Mesh signatures," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, pp. 210-227, 2007.
- X. Boyen, "Lattice mixing and vanishing trapdoors: a framework for fully secure short signatures and more," in Proc. of International workshop on public key cryptography, Paris, France, pp. 499-517, 2010.
- L. Nguyen, "Accumulators from bilinear pairings and applications to id-based ring signatures and group membership revocation," IACR Cryptology ePrint Archive, vol. 2005, p. 123, 2005.
- Z. Brakerski, Y. T. Kalai, "A framework for efficient signatures, ring signatures and identity based encryption in the standard model," IACR Cryptology ePrint Archive, vol. 2010, pp. 1-44, 2010.
- F. H. Wang, Y. P. Hu, C. X. Wang, "A lattice-based ring signature scheme from bonsai trees," Journal of Electronics and Information Technology, vol. 32, no. 10, pp. 2400-2403, 2010. https://doi.org/10.3724/SP.J.1146.2009.01491
- J. Wang, B. Sun, "Ring signature schemes from lattice basis delegation," in Proc. of International Conference on Information and Communications Security, Beijing, China, pp. 15-28, 2011.
- S. Wang, R. Zhao and Y. Zhang, "Lattice-based ring signature scheme under the random oracle model," International Journal of High Performance Computing and Networking, vol. 11, no. 4, pp. 332-341, 2018. https://doi.org/10.1504/ijhpcn.2018.093236
- C. A. Melchor, S. Bettaieb, X. Boyen, L. Fousse, "Adapting lyubashevsky's signature schemes to the ring signature setting," in Proc. of AFRICACRYPT 2013, Cairo, Egypt, pp. 1-25, 2013.
- P. W. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer," SIAM Review, vol. 41, no. 2, pp. 303-332, 1999. https://doi.org/10.1137/S0036144598347011
- D. Micciancio, C. Peikert, "Trapdoors for lattices: simpler, tighter, faster, smaller," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, pp. 700-718, 2012.
- V. Lyubashevsky, Towards practical lattice-based cryptography, University of California, San Diego, USA, 2008.
- M. Ajtai, "Generating hard instances of lattice problems," in Proc. of the twenty-eighth annual ACM symposium on Theory of Computing, pp. 99-108, 1996.
- O. Regev, "On lattices, learning with errors, random linear codes, and cryptography," Journal of the ACM (JACM), vol. 56, no. 6, pp. 1-40, 2009. https://doi.org/10.1145/1568318.1568324
- C. Gentry, C. Peikert and V. Vaikuntanathan, "Trapdoors for hard lattices and new cryptographic constructions," in Proc. of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, pp. 197-206, 2008.
- D. Micciancio, O. Regev, "Lattice-based cryptography," Post-quantum cryptography, Cincinnati, OH, USA, pp. 147-191, 2009.
- V. Lyubashevsky, "Lattice signatures without trapdoors," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cambridge, UK, pp. 738-755, 2012.
- P. Q. Nguyen, J. Zhang and Z. Zhang, "Simpler efficient group signatures from lattices," in Proc. of IACR International Workshop on Public Key Cryptography, Gaithersburg, MD, USA, pp. 401-426, 2015.
- D. Cash, D. Hofheinz, E. Kiltz, C. Peikert, "Bonsai trees, or how to delegate a lattice basis," in Proc. of Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco, French Riviera, pp. 523-552, 2010.
- D. Cash, D. Hofheinz, E. Kiltz, "How to delegate a lattice basis," IACR Cryptology ePrint Archive, vol. 2009, 2009.
- H. Chen, Y. Hu, Z. Lian, "Leveled homomorphic encryption in certificateless cryptosystem," Chinese Journal of Electronics, vol. 26, no. 6, pp. 1213-1220, 2017. https://doi.org/10.1049/cje.2017.07.008
- D. Xin, L. Yang, L. Yan, X. F. Song, "Identity-based fully homomorphic encryption from ring-lwe: arbitrary cyclotomics, tighter parameters, efficient implementations," in Proc. of 2019 2nd International Conference on Mathematics, Modeling and Simulation Technologies and Applications (MMSTA 2019), Atlantis Press, pp. 143-147, 2019.
- W. Gao, Y. P. Hu, B. C. Wang, J. Xie, "Improved lattice-based ring signature schemes from basis delegation," The Journal of China Universities of Posts and Telecommunications, vol. 23, no. 3, pp. 11-28, 2016. https://doi.org/10.1016/s1005-8885(16)60027-4
- G. M. Zhao, M. M. Tian, "A simpler construction of identity-based ring signatures from lattices," in Proc. of International Conference on Provable Security, Jeju, South Korea, pp. 277-291, 2018.
- W. Gao, Y. P. Hu, B. C. Wang, J. S. Chen, X. Wang, "Efficient ring signature scheme without random oracle from lattices," Chinese Journal of Electronics, vol. 28, no. 2, pp. 266-272, 2019. https://doi.org/10.1049/cje.2018.12.005
- W. Gao, L. Chen, Y. P. Hu, C. J. P. Newton, B. C. Wang, J. S. Chen, "Lattice-based deniable ring signatures," International Journal of Information Security, vol. 18, no. 3, pp. 355-370, 2019. https://doi.org/10.1007/s10207-018-0417-1
- Z. Liu, K. Nguyen, G. M. Yang, H. X. Wang, D. S. Wong, "A lattice-based linkable ring signature supporting stealth addresses," in Proc. of European Symposium on Research in Computer Security, Luxembourg, pp. 726-746, 2019.
- X. Lu, M. H. Au, Z. Zhang, "Raptor: a practical lattice-based (linkable) ring signature," in Proc. of International Conference on Applied Cryptography and Network Security, Bogota, Colombia, pp. 110-130, 2019.
- Z. Q. Zhao, B. H. Ge, N. N. Zhao, P. K. Qin, H. Meng, "Efficient ring signature scheme on lattice," Application Research of Computers, vol. 38, no. 06, pp. 1855-1858, 2021.
- Y. Ren, H. Guan, Q. Zhao, "An efficient lattice-based linkable ring signature scheme with scalability to multiple layer," Journal of Ambient Intelligence and Humanized Computing, pp. 1-10, 2021.
- A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979. https://doi.org/10.1145/359168.359176
- M. Ajtai, "Generating hard instances of the short basis problem," in Proc. of International Colloquium on Automata, Languages, and Programming, Prague, Czech Republic, pp. 1-9, 1999.
- D. Micciancio, O. Regev, "Worst-case to average-case reductions based on Gaussian measures," SIAM Journal on Computing, vol. 37, no. 1, pp. 267-302, 2007. https://doi.org/10.1137/s0097539705447360
- S. Agrawal, D. Boneh, X. Boyen, "Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE," in Proc. of Annual Cryptology Conference, Santa Barbara, CA, USA, pp. 98-115, 2010.
- J. C. Benaloh, M. Yung, "Distributing the power of a government to enhance the privacy of voters," in Proc. of the Fifth Annual ACM Symposium on Principles of Distributed Computing, Calgary, Alberta, Canada, pp. 52-62, 1986.
- L. F. Cranor, "Electronic voting: computerized polls may save money, protect privacy," XRDS: Crossroads, The ACM Magazine for Students, vol. 2, no. 4, pp. 12-16, 1996. https://doi.org/10.1145/332159.332163
- M. Volkamer, "Requirements for electronic voting machines," Evaluation of Electronic Voting, pp. 73-91, 2009.
- G. O. Ofori-Dwumfuo, E. Paatey, "The design of an electronic voting system," Research Journal of Information Technology, vol. 3, no. 2, pp. 91-98, 2011.
- T. Hall, "Electronic voting," Electronic Democracy, pp. 153-176, 2012.
- C. Y. Li, Y. Tian, X. B. Chen, J. Li, "An efficient anti-quantum lattice-based blind signature for blockchain-enabled systems," Information Sciences, vol. 546, pp. 253-264, 2021. https://doi.org/10.1016/j.ins.2020.08.032