ID-Based Ring Signature against Continual Side Channel Attack

Abstract

The security of the signature scheme is destroyed because its secret information of the signature system is leaked due to the side channel attack. Ring signature has good application value, which can provide more flexibility and complete anonymity. It can be used in some systems such as anonymous authentication in ad hoc networks, electronic voting and crypto coin based on blockchain. Because of the side channel attack, the private key of the ring signature system may be exposed, which may cause insecurity. We present a ring signature system against continuous side channel attack. Because of the symmetry of the ring, the user’s identity has good privacy protection. The proposed scheme is completely secure without a random oracle model and the private key disclosure rate is close to 1/3. Through the dual system technique, the existential unforgeability and unconditional anonymity of the scheme are proved in the composite order group based on the subgroup decision assumption.

1. Introduction

At present, some attackers attack the cryptographic system through a side channel [1,2,3,4,5]. With the help of the timing and energy consumption collected by a side channel, attackers can obtain secret information about a cryptographic system. The reference [1] shows the actual vulnerability of a deployed deep learning model to a timing side channel attack. By measuring the execution time of reasoning, the adversary can determine and reconstruct a model from a known depth learning model, and then use the existing technology to recover the remaining feature parameters. The vulnerability has been verified on Intel Compute Stick 2 and ResNet series models. Under these side channel attacks, if a system’s private information is disclosed, the security of this entire cryptographic system may be completely lost. Therefore, the design of leakage-resilient cryptographic schemes is a hotspot in the field of cryptography. The reference [6] shows that the key press sound of a tamper proof mechanical keyboard can be seized through two microphones that are placed near the device, and then the difference of the sound is used to distinguish those pressed keys. By attacking four PIN input devices, this low-cost side channel attack can correctly identify all 1200 keystrokes of two independent test devices of the same model. Of course, classic voice-based attacks usually use this fact that every key makes a unique sound to identify a pressed key. This paper [7] discussed an attack on a programmable RFID tag (TB-WISP 5.0) with broad application prospects. The attack started with the selected plaintext attack vulnerability in the simple two-way authentication protocol running by the target, and obtained the power consumption and electromagnetic leakage track of the target when running AES encryption by means of a non-trigger signal and non-invasive acquisition. By using these two tracks, the complete key information of this target is successfully recovered through the side channel analysis theory. The attack given in [8] is targeted at pairing implementations through correlation analysis. They improved one vertical side channel attack, and proposed one horizontal attack for pairing implementations. This paper constructs an identity based ring signature scheme that can resist persistent disclosure attacks. The scheme is completely secure and can resist the leakage of a private key by almost 1/3. In addition, our scheme also has anonymity, which well protects the privacy of the signer.

1.1. Related Works

1.1.1. Safety Model about Leakage Resilience

The security model is very important for cryptographic schemes. In the research of leakage resilient (LR) cryptography, the security models in the literature are mainly as follows.

Bounded leakage model: In order to resist the cold start attack [1], the work [9] gave the bounded leakage model (BLM). The adversary can select a computable function (which is also called the leakage function) to act on the key and obtain the output. The restriction on the leakage function is that the output information is shorter than the key information. The references [10,11,12] provided LR schemes in BLM.

Continual leakage model: The papers [13,14] put forward the “Continual Leakage Model” (CLM) respectively. A bounded limit was set on the leakage about two consecutive key renewals. That is to say, the key leakage amount in each cycle was limited, but the whole leakage amount can be unlimited in the entire operation process of the system. The references [15,16,17] gave LR schemes in CLM. We propose a secure ring signature scheme in the continuous leakage model.

Fully leakage resilience: The references [18,19] proposed that not only the key but also the random number used to generate the key can also be disclosed. The literature [19] gave a signature with fully leakage resilience (FLR): not only its key but also the random value used for signature may leak information.

Auxiliary input leakage model: The paper [20] proposed the auxiliary input model (AIM): the leakage function selected by the attackers takes the key and random value as its input, but the leakage function is difficult to inverse. The advantage of the adversary in solving the reversibility of the leakage function can be ignored.

1.1.2. Signature with Leakage Resilience

Katz et al. [19] proposed a signature scheme in BLM. The relative leakage rate of their scheme can be almost 1. The reference [21] gives a general method to transform a weak existence and unforgeability signature scheme in bounded leakage into a strong existence and unforgeability signature scheme through a leakage resilient hash function. The paper [22] gave three signature schemes with bounded leakage: (1) an LR group signature based on a black box model that is obtained through leakage-resilient CCA encryption and a leakage-resilient identity-based signature (IBS); (2) the leakage-resilient group signature scheme that is obtained by CCA encryption and LR signature; (3) the LR group signature scheme based on a black box model that is obtained through leakage-resilient CPA encryption and leakage-resilient IBS.

The papers [13,14] respectively constructed continual leakage-resilient signature schemes. The continual leakage considered in these two articles does not require the requirement of “only calculating leakage”. Based on general bilinear group model, Tseng et al. [23] proposed a certificateless signature with outsourcing function and resistance to persistent disclosure.

The paper [24] proposed a CLR signature scheme under the general bilinear group assumption. The paper [25] gave a signature scheme against full leakage, which can be extended to CLM.

In the case that one key leakage function is exponentially difficult to invert, the work [26] constructed a signature scheme that has the chosen message attack security. In order to avoid ordinary attacks (that is, disclosure can simply output forged signatures), the paper [27] constructed a signature scheme against selective auxiliary input disclosure. In selective AIM, the paper [24] proposed the first general fully LR signature scheme, gave a specific example and solved an open problem in [25].

Table 1. Comparisons of several leakage-resilient signature schemes.

Schemes	Models	Assumptions	Continuous Leakage Resilience	Leakage Models	Security
[13]-1	Standard Model	SXDH	Yes	CLM	LR
[13]-2	Standard Model	NIZK	Yes	CLM	LR
[13]-3	Standard Model	K-Linear	Yes	CLM	LR
[19]-1	Standard Model	UOWHF	No	BLM	LR
[19]-2	Standard Model	UOWHF	No	BLM	FLR
[19]-3	Standard Model	HCRHF	No	BLM	FLR
[25]	Standard Model	SPR, SNIWI	Yes	BLM	FLR
[26]-1	WAI	PHTIF	No	AIM	LR
[26]-2	AIM	EHTIF	No	AIM	LR
[27]	SAI	AIF, PHTIF	Yes	AIM	FLR

provides some comparisons of leakage and security about the main leakage-resilient signature schemes, where SAI represents the selective auxiliary input model, WAI represents the weak auxiliary input model, K-Linear stands for the K-dimension linear assumption, UOWHF stands for the universal one-way hash function, HCRHF stands for the homomorphic collision-resistant hash function family, SPR represents the second preimage resistance hash function cluster, SNIWI represents the statistically non-interactive witness indistinguishable proof system, AIF represents the auxiliary input function, PHTIF represents a leakage function that is polynomially difficult to inverse, EHTIF represents a function that is exponentially difficult to inverse, SXDH represents the symmetric external Diffie–Hellman assumption and NIZK represents non-interactive simulation-sound zero-knowledge proof system.

It can be seen from Table 1 that the research results about the leakage-resilient signature are mainly based on the standard model, and several ones are based on the auxiliary input model.

We use Figure 1 to show the relationship between the four models.

On the basis of BLM, if random number leakage is allowed, a fully leakage-resilient model can be obtained, where RL represents random number leakage. On the basis of BLM, if the selected leakage function is difficult to inverse, the auxiliary input model can be obtained, in which LF-DTI represents that the leakage function is difficult to invert. On the basis of BLM, if the key can be updated periodically, we can obtain a continuous leakage-resilient model. In this paper, we propose a secure ring signature scheme in the continuous leakage-resilient model.

1.2. Ring Signature and Our Contributions

Ring signature allows one user to generate signatures for a specific group [28] and can hide his real identity about the signer in the group. Ring signature can prove that one of a group for specific parties has signed specific information without disclosing who is the signer. These participants are called one ring R.

The paper [29] pointed out that ring signature does not require a group manager, but group signature does require a manager. Therefore, ring signature can provide anonymity.

At present, ring signature is used in many different applications, such as a report system [28] or making it unable to track cryptocurrency transactions [30], ad hoc network anonymous authentication [31,32,33] and electronic voting [34]. Ring signature as an anonymous technology is used in blockchain-based cryptocurrencies, such as Monroe Coin [35].

The work [36] presented a ring signature against a bounded leakage attack. Au et al. [37] provided an identity-based ring signature (IBRS) scheme without a random oracle model. Inspired by the scheme [37], Zhao et al. [38] constructed a new identity-based ring signature scheme without a random oracle model. The schemes in [37,38] adopted dual-system encryption technology in security proof, thus achieving full security and full anonymity under the standard model.

The ring signature scheme has many application scenarios. Figure 2 shows a specific application scenario of anonymously signing files. For example, there are six members of the board of directors of a company, each of whom has the right to sign documents. Suppose one of them needs to sign a controversial document. On the one hand, he hopes that the identity of his board members will be recognized so that the documents can have legal validity. On the other hand, in order to avoid some troubles, he does not hope that his specific personal information will be disclosed. If we use a ring signature system, this problem can be solved well. Ring signature is to use the identity information of all the ring members and the private key of the signer to sign the message. The ring members send their identity (ID) information to the private key generation center (KGC). KGC generates the ring members’ private keys and sends them to the ring signers. The user’s identity has symmetry or equivalence. A member of the ring signs the message M sent by the user and sends the signature to the verifier. The verifier can verify the validity of the signature through the identity of all members in the ring, but he cannot know who is the specific signer. In this way, the identity information of the signer can be well protected.

On the basis of the reference [38], this paper provided the syntax definition of leakage resilient ring signature scheme, constructed a new IBRS scheme through dual-system technology and proved the security of this scheme without a random oracle model. Our scheme may resist the persistent disclosure of a private key.

We put forward a new ring signature scheme under the continual leakage model. More specifically, we made the following contributions in this article:

First, we describe the security syntax of ring signature against persistent leakage and the definition of unforgeability. The resulting leakage model is stronger than that given in the paper [36].

Second, a concrete IBRS scheme is presented. According to dual-system technology [36,38], the obtained ring signature scheme can be proved to be unforgeable against continuous leakage attack. In fact, the leakage rate can be adjusted by a parameter n.

Third, the proposed ring signature scheme is secure in the standard model. The proposed scheme has unconditional anonymity, which well protects users’ privacy. In this way, the security model considered in this paper is stronger than that of the scheme [36].

2. Preliminary Knowledge

There are many symbols that need to be used in our scheme. For ease of reading, the main symbols are given in

Table 2. Some related symbols.

Symbols	Descriptions
$\mathsf{\Omega }$	A bilinear group generation algorithm
$\phi$	Bilinear group description
$G$, $G^{\prime }$	Two cyclic groups with order $N$
$e$	Bilinear mapping
LR	Leakage resilient
CLR	Continuous leakage resilient
Start	System’s initialization algorithm
Extract	Private key generation algorithm
KeyU	Private key updation algorithm
Sign	Signature algorithm
Verify	Signature verification algorithm
$G_{n_1}$, $G_{n_2}$, $G_{n_3}$	Subgroups in $G$ with order $n_1,n_2$ and $n_3$
$\kappa$	The safety parameter
$C_1$	Random value of $G_{n_1}$
$C_2,D_2,W_2$	Random values of $G_{n_2}$
$C_3,D_3$	Random values of $G_{n_3}$
$params$	System parameters
$\alpha$	Master key
$K_{I{D}_1}$	The private key of identity $I{D}_i$
$\widehat{K_{I{D}_i}}$	The updation private key of identity $I{D}_i$
$H_1$	A collision resistant hash function
$M$	A message
$R$	The identity set of ring signature
$\omega$	Ring signature
${\mathrm{GM}}_{\mathrm{R}}$	The real security game
$L_K$	The leakage bound of a private key
$\mathcal{A}$	The adversary
$\mathcal{S}$	The simulator

.

2.1. Some Marks

$\mathsf{\Omega }$ represents an algorithm. $\phi \leftarrow \mathbb{Z}$ represents that $\phi$ is randomly chosen from $\mathbb{Z}$. $n_1,n_2,$ and $n_3$ respectively represent three primes whose length are $\xi$ bits. $G$ and $G^{\prime }$ are all cyclic groups with order $N=n_1{n}_2{n}_3$, and the unit element is marked as 1. $g\leftarrow G$ means that an element $g$ is randomly selected from $G$. ${\{0,1\}}^{\ast }$ represents any long bit string that is composed of 0 and 1. $Z_N$ represents an integer ring and the module is $N$. $x\leftarrow Z_N$ indicates $x$ is randomly selected from $Z_N$. $I=\{I{D}_1,\dots ,I{D}_p\}$ represents a collection of user identities. ${\{u_i,v_i\}}_{i=1}^p\hspace{0.17em}=\hspace{0.17em}$$\{u_1,v_1,u_2,v_2,\dots ,u_p,v_p\}$ represents $2p$ elements. $\overrightarrow{\theta }\in Z_N^{n+1}$ represents $n+1$ random elements from $Z_N$.

2.2. Composite Order Bilinear Group

A group generation algorithm $\mathsf{\Omega }$ inputs security parameters $\kappa$, outputs bilinear group $G$, and builds a group system $\phi =(N=n_1{n}_2{n}_3,G,G^{\prime },e)$, in which bilinear mapping $e:G\times G\to G^{\prime }$ satisfies these two conditions.

Bilinear: $\forall g,h\in G\mathrm{and}p,q\leftarrow Z_N,e(g^p,h^q)={(g,h)}^{pq}$.

Non degeneracy: $\exists u\in G$ such that the order of $e(u,u)$ equals to $N$ in $G^{\prime }$.

Let $G_{n_1},G_{n_2},$ and $G_{n_3}$ stand for subgroups in $G$ with order $n_1,n_2,$ and $n_3$, respectively. Because $G_{n_1}$ and $G_{n_3}$ are symmetrical, the actions of $G_{n_1}$ and $G_{n_3}$ can be interchanged. $G_{n_2}$ is used to obtain leakage resilient function. $G_{n_1}{}_{n_2}$ represents subgroups of $G$ with order $n_1{n}_2$. When $g_i\leftarrow G_{n_i},g_j\leftarrow G_{n_j}$ and $i\ne j$, $e(g_i,g_j)$ is the identity element in $G^{\prime }$. For example, if $g_1\leftarrow G_{n_1}$ and $g_2\leftarrow G_{n_2}$ such that $e(g_1,g_2)=1$, this property is called orthogonality about $G_{n_1},G_{n_2},$ and $G_{n_3}$.

2.3. Assumptions

Assumption 1. 

Given the algorithm $\mathsf{\Omega }$ that outputs a bilinear group $\phi =(N=n_1{n}_2{n}_3,G,G^{\prime },e)\leftarrow \mathsf{\Omega }$. For the selected parameters: $g_1,C_1\leftarrow G_{n_1}$, $C_2,D_2\leftarrow G_{n_2}$, $C_3,D_3\leftarrow G_{n_3}$ and $\mathrm{Q}=(\phi ,g_1,C_1{C}_2,C_3,D_2{D}_3)\leftarrow \mathsf{\Omega }$, it is indistinguishable for $T_1\leftarrow G$ and $T_2\leftarrow G_{n_1{n}_3}$.

$T_1$ can only be expressed in terms of a product of the elements in $G_{n_1},G_{n_2}$ and $G_{n_3}$, which are called $G_{n_1}$ component of $T_1$, $G_{n_2}$ component of $T_1$ and $G_{n_3}$ component of $T_1$ respectively. In the same way, $T_2$ can only be expressed by a product of the elements in $G_{n_1}$ and $G_{n_3}$.

Assumption 2. 

Given the algorithm $\mathsf{\Omega }$ that outputs a bilinear group $\phi =(N=n_1{n}_2{n}_3,G,G^{\prime },e)\leftarrow \mathsf{\Omega }$. For the selected parameters: $g_1\leftarrow G_{n_1}$, $\alpha ,s\leftarrow Z_N$, $C_2,D_2,W_2\leftarrow G_{n_2}$, $C_3\leftarrow G_{n_3}$, and $\mathrm{Q}=(\phi ,g_1,g_1^{\alpha }{C}_2,C_3,g_1^s{D}_2,W_2)\leftarrow \mathsf{\Omega }$, it is difficult to calculate $T=e{(g_1,g_1)}^{\alpha s}$.

3. Formal Description and Security Model

3.1. Formal Description

Start: The private key generation (PKG) center executes the algorithm. It inputs security parameter $\kappa$. It outputs the parameter $params$ and master key $msk$. PKG keeps $msk$ as secret and releases $params$ publicly.

Extract: PKG runs the algorithm. It inputs the user identity $ID$, obtains the user private key $K_{ID}$ and sends $K_{ID}$ to the user.

KeyU: It generates an updated private key $\widehat{K_{I{D}_i}}$ for a given user $I{D}_i\in Z_N$ and his private key $K_{I{D}_i}$$=(\overrightarrow{K_{i,0}},K_{i,1},K_{i,2})$.

Sign: The algorithm inputs $params$, users’ identities $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$ of the ring, one private key $K_{I{D}_{\pi }}$ for the user $I{D}_{\pi }$ and a message $M\in {\{0,1\}}^{*}$. It obtains the ring signature $\omega$ on the message $M$.

Verify: The algorithm is executed by the verifier. It inputs $params$, users’ identity set $R$, message $M\in {\{0,1\}}^{*}$ and ring signature $\omega$, and gives the output: valid or invalid.

3.2. Security Definition

The security of the identity based leakage resilient ring signature reflects the unforgeability and anonymity, which are characterized by the next two definitions.

Definition 1. 

For a leakage-resilient IBRS scheme, if any adversary can only gain negligible advantages in the following game ${\mathrm{GM}}_{\mathrm{R}}$, it is said to be unforgeable for adaptive chosen message and identity attacks. The attacker $\mathcal{A}$ plays a game ${\mathrm{GM}}_{\mathrm{R}}$ with the challenger $\mathcal{C}$.

In the game ${\mathrm{GM}}_{\mathrm{R}}$: $\mathcal{C}$ holds a list $\mathcal{L}=\{(\mathcal{H},\mathcal{I},\mathcal{K},\mathcal{L})\}$, where $\mathcal{H}$ represents the handle’s space, $\mathcal{I}$ represents the identity’s space, $\mathcal{K}$ represents private key’s space and $\mathcal{L}$ represents leakage amount. Suppose that $\mathcal{H}=\mathbb{N}$ and $\mathcal{L}=\mathbb{N}$.

${\mathrm{GM}}_{\mathrm{R}}$:

Initialization: The challenger $\mathcal{C}$ runs the algorithm Start. It inputs security parameter $\kappa$. It generates $params$ and $msk$. $\mathcal{C}$ keeps $msk$ as secret and releases $params$ to the attacker $\mathcal{A}$.

$\mathcal{A}$ can ask some information as follows.

$\mathcal{O}-C(ID)$: Given one identity $ID$, $\mathcal{C}$ looks for this item about $ID$ within $\mathcal{L}$. Once $ID$ is in the list $\mathcal{L}$, the algorithm is terminated. Otherwise, $\mathcal{C}$ runs the Extract to obtain the private key $K_{ID}$. Then it updates $h\leftarrow h+1$ and adds $(h,ID,K_{ID},0)$ to the list $\mathcal{L}$.

An attacker $\mathcal{A}$ interrogates the handle $h$ for private key disclosure. $\mathcal{A}$ selects a leakage function and inputs the private key to get its output of the function. $\mathcal{C}$ finds the item about $h$ in $\mathcal{L}$. If the obtained item is $(h,ID,K_{ID},L)$, $\mathcal{C}$ determines whether $L+|f(K_{ID})|\le L_K$ is true ($L_K$ is the upper bound of private key disclosure). If it is correct, $\mathcal{C}$ sends $f(K_{ID})$ to $\mathcal{A}$ and updates $(h,ID,K_{ID},L)$ by $(h,ID,K_{ID},L+|f(K_{ID})|)$. Otherwise, $\mathcal{C}$ outputs ⊥.

$\mathcal{O}-R(h)$: An attacker $\mathcal{A}$ queries the private key for $h$. $\mathcal{C}$ searches for this item in $\mathcal{L}$. If an item $(h,ID,K_{ID},L)$ is found, $\mathcal{C}$ sends $K_{ID}$ to $\mathcal{A}$.

Signature query: An attacker $\mathcal{A}$ selects a set $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$ with $p$ users and a message $M$. The challenger $\mathcal{C}$ runs Sign algorithm to generate signature $\omega$ about $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$ and the message and sends $\omega$ to $\mathcal{A}$.

Forgery: The attacker $\mathcal{A}$ outputs a forged signature $(M^{\ast },R^{\ast },{\omega }^{\ast })$ for the identity set $R^{*}$ on a message $M^{*}$. As long as these next three conditions hold, the attacker may win the game.

① ${\omega }^{*}$ is a valid signature for ring users $R^{*}$ on a message $M^{*}$. That is, it can pass the signature verification algorithm.

② $(R^{*},M^{*})$ was not asked.

③ The private key of any member in $R^{*}$ has not been queried.

The superiority for an attacker $\mathcal{A}$ is described by this probability that $\mathcal{A}$ wins in the above game: ${\mathrm{Adv}}_{\mathcal{A}}=\mathrm{Pr}[\mathcal{A}succeeds]$.

If in ${\mathrm{GM}}_{\mathrm{R}}$, all PPT adversaries can only gain negligible advantages, the scheme is said to be secure against private key disclosure under adaptive chosen message, and identity attack and cannot be forged.

Definition 2. 

For a leakage-resilient IBRS scheme, if any attacker can only distinguish the real signer over the advantage of random guess for any ring signature, the scheme is unconditionally anonymous.

4. Ring Signature Scheme against Persistent Leakage

Based on the composite order group assumptions, an identity-based ring signature scheme against continual leakage resilience (CLR-IBRS) is proposed, which is composed of the next five algorithms.

Start: This algorithm selects a bilinear group $G$ with order $N=n_1{n}_2{n}_3$, wherein $\log n_1=\log n_2=\log n_3=\xi$. It uses a collision resistant hash correspondence to map any long identity to $Z_N$: $H_1:{\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }\to Z_N$. It randomly selects $g_1,u_1,u_2,h_1\in G_{n_1}$, $x_1,x_2,\dots ,x_n\in Z_N$, $g_3\in G_{n_3}$ and $\alpha \in Z_N$.

The public parameters are:

$params=\{N,g_1,g_3,h_1,g_1^{x_1},g_1^{x_2},\dots ,g_1^{x_n},u_1,u_2,H_1,e{(g_1,g_1)}^{\alpha }\}$.

The master key is $\alpha$.

Extract: For any given user $I{D}_i\in R$($R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$, which is the identity set of ring signature), the private key generation algorithm randomly selects $r_i\in Z_N$, $y_{i,1},y_{i,2},\dots ,y_{i,n}\in Z_N$, $\overrightarrow{{\theta }_i}\in Z_N^{n+1}$ and ${\vartheta }_i,{\sigma }_i\in Z_N$. It obtains this private key:

$$\begin{array}{ll}{K}_{I{D}_i}& =(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{h}_1{)}^{r_i}>.g_3^{{\overrightarrow{\theta }}_i},g_1^{r_i}{g}_3^{{\vartheta }_i},u_2^{r_i}{g}_3^{{\sigma }_i})\\ & =(\overrightarrow{K_{i,0}},K_{i,1},K_{i,2})\end{array}$$

We use key extension technology to obtain the leakage resilience. The key extension increases the entropy of the key essentially, so that it can retain certain entropy even if part of the information is leaked. Thus, it can ensure the security of the system.

The private key has good symmetry. $K_{i,1}$ and $K_{i,2}$ have exactly the same form.

KeyU: For a given user $I{D}_i\in Z_N$ and the private key $K_{I{D}_i}$$=(\overrightarrow{K_{i,0}},K_{i,1},K_{i,2})$, the private key updation algorithm randomly selects $\Delta r_i\in Z_N$, $\overrightarrow{\Delta {\theta }_i}\in Z_N^{n+1}$ and $\Delta {\vartheta }_i,\Delta {\sigma }_i\in Z_N$. It calculates the private key:

$$\begin{array}{l}\widehat{K_{I{D}_i}}=(\widehat{\overrightarrow{K_{i,0}}},\widehat{K_{i,1}},\widehat{K_{i,2}})=(\overrightarrow{K_{i,0}}.g_3^{\overrightarrow{\Delta {\theta }_i}},K_{i,1}.g_3^{\Delta {\vartheta }_i},K_{i,2}.g_3^{\Delta {\sigma }_i})\\ =(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}^{-x_j{y}_{i.j}})(u_1^{I{D}_i}{h}_1{)}^{r_i+\Delta r_i}>\\ .g_3^{{\overrightarrow{\theta }}_i}.g_3^{\overrightarrow{\Delta {\theta }_i}},g_1^{r_i+\Delta r_i}.g_3^{{\vartheta }_i}.g_3^{\Delta {\vartheta }_i},u_2^{r_i+\Delta r_i}{g}_3^{{\sigma }_i}.g_3^{\Delta {\sigma }_i})\\ =(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}}){(u_1^{I{D}_i}{h}_1)}^{{r^{\prime }}_i}>.g_3^{{{\overrightarrow{\theta }}^{\prime }}_i},g_1^{{r^{\prime }}_i}{g}_3^{{{\vartheta }^{\prime }}_i},u_2^{{r^{\prime }}_i}{g}_3^{{{\sigma }^{\prime }}_i})\end{array}$$

where ${\overrightarrow{{\theta }^{\prime }}}_i$ is used to indicate ${\overrightarrow{\theta }}_i+\overrightarrow{\Delta {\theta }_i}$, ${{\vartheta }^{\prime }}_i$ is used to indicate ${\vartheta }_i+\Delta {\vartheta }_i$, ${{\sigma }^{\prime }}_i$ is used to indicate ${\sigma }_i+\Delta {\sigma }_i$ and ${r^{\prime }}_i$ is used to indicate $r_i+\Delta r_i$.

Sign: For a message $M\in {\{0,1\}}^{*}$ and $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$, which is the identity set of ring signature, supposing that the actual signer is $I{D}_{\pi }$($I{D}_{\pi }\in R$), the algorithm calculates $m=H_1(M,R)$ and selects the random numbers ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$,) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

For every $i\in \text{{}1,2,\dots ,p\text{}}$, it computes:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}}){(u_1^{I{D}_i}{u}_2^m{h}_1)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i},B_i=g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =\overrightarrow{K_{\pi ,0}}\ast <1,1,\dots \dots ,1,g_1^{{\tau }_{\pi }}(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{K}_{\pi ,2}^m>g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & & =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}>\\ & & .g_3^{{\overrightarrow{\theta }}_{\pi }}<1,1,\dots \dots ,1,g_1^{{\tau }_{\pi }}(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{K}_{\pi ,2}^m>g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & & =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}\\ & & .g_1^{{\tau }_{\pi }}(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & & =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}\\ & & .(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & B_{\pi }& =K_{\pi ,1}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}=g_1^{r_{\pi }}\ast g_3^{{\rho }_1}.g_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}=g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}{g}_3^{{\rho }_1}\end{array}$$

It outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{i=1}_p^{}$. For an adversary, the received signature is indistinguishable from the true signature.

Verify: The receiver receives a signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$ of the identity set $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$ on a message $M$. He calculates $m=H_1(M,R)$, randomly selects $s\in Z_N$, and verifies whether ${\displaystyle \prod _{i=1}^p\frac{e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_i)}{e({(u_1^{I{D}_i}{u}_2^m{h}_1)}^s,B_i)}}\stackrel{?}{=}e{(g_1,g_1)}^{\alpha s}$. If the equation is not valid, the receiver rejects it. Otherwise, the receiver accepts it.

Correctness:

(1)

$$\begin{array}{l}ifi\ne \pi ,\\ e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_i)\\ =e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i})\\ =e(g_1^s,g_1^{{\tau }_i}(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i})\\ ifi=\pi ,\\ e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_{\pi })\\ =e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,\\ <g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}.(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{r_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }})\\ =e(g_1^s,g_1^{\alpha }{g}_1^{{\tau }_{\pi }}(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}.(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{r_{\pi }}{g}_3^{{\sigma }_{\pi }})\end{array}$$

(2)

$$\begin{array}{l}fori\ne \pi ,\\ e((u_1^{I{D}_i}{u}_2^m{h}_1{)}^s,B_i)=e((u_1^{I{D}_i}{u}_2^m{h}_1{)}^s,g_1^{{\lambda }_i}{g}_3^{{\eta }_i})=e(g_1^{{\lambda }_i},(u_1^{I{D}_i}{u}_2^m{h}_1{)}^s)\\ fori=\pi ,\\ e((u_1^{I{D}_i}{u}_2^m{h}_1{)}^s,B_{\pi })=e((u_1^{I{D}_i}{u}_2^m{h}_1{)}^s,g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}{g}_3^{{\rho }_1})=e(g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }},(u_1^{I{D}_i}{u}_2^m{h}_1{)}^s)\end{array}$$

(3)

$$\begin{array}{l}{\displaystyle \prod _{i=1}^p\frac{e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_i)}{e({(u_1^{I{D}_i}{u}_2^m{h}_1)}^s,B_i)}}\\ ={\displaystyle \prod _{i\ne \pi }^{}\frac{e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_i)}{e({(u_1^{I{D}_i}{u}_2^m{h}_1)}^s,B_i)}}.\frac{e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s>,{\overrightarrow{A}}_{\pi })}{e({(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^s,B_{\pi })}\\ ={\displaystyle \prod _{i\ne \pi }^{}\frac{e(g_1^s,g_1^{{\tau }_i}{(u_1^{I{D}_i}{u}_2^m{h}_1)}^{{\lambda }_i})}{e(g_1^{{\lambda }_i},{(u_1^{I{D}_i}{u}_2^m{h}_1)}^s)}}.\frac{e(g_1^s,g_1^{\alpha }{g}_1^{{\tau }_{\pi }}{(u_1^{I{D}_{\pi }}{h}_1)}^{r_{\pi }}.{(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }})}{e(g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }},{(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^s)}\\ =e(g_1^s,g_1^{{\tau }_1+{\tau }_2+\dots +{\tau }_p})e(g_1^s,g_1^{\alpha })\frac{e(g_1^s,{(u_1^{I{D}_{\pi }}{h}_1)}^{r_{\pi }}{u}_2^{m{r}_{\pi }})}{e(g_1^{r_{\pi }},{(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^s)}\\ =e(g_1^s,g_1^{\alpha })\frac{e(g_1^s,{(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^{r_{\pi }})}{e(g_1^{r_{\pi }},{(u_1^{I{D}_{\pi }}{u}_2^m{h}_1)}^s)}\\ =e(g_1^s,g_1^{\alpha })\end{array}$$

In fact, we have made two major contributions. The first is to obtain a leakage-resilient ring signature scheme through private key extension technology. The second is to obtain a continuously leakage-resilient ring signature scheme through the introduction of key updating technology such as the literature [14].

To facilitate the observation of our contribution, we use Figure 3, Figure 4 and Figure 5 to show the original scheme and our improvements to the original scheme. The original scheme has no leakage resilience. The original scheme is represented in Figure 3.

The key extension technology increases the entropy of the key essentially, so that it can retain certain entropy even if part of the information is leaked. Thus, it can ensure the security of the system. Our leakage-resilient scheme is shown in Figure 4.

As time goes on, the leakage will increase, and the entropy of the key will always fall below the given limit, making the system insecure. In order to avoid this situation, the key update algorithm was added to our scheme. As long as the key is updated, the system will continue to be secure. Our continuous leakage-resilient scheme is shown in Figure 5.

5. Safety Proof

Theorem 1. 

If Assumptions 1 and 2 hold, the ring signature scheme proposed in this paper is unforgeable.

Proof. 

Signature can be divided into normal signature and semi-functional (SF) signature. The signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$ generated by the normal signature algorithm is a normal signature. If the signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$ consists of ${\overrightarrow{A}}_i$ and $B_i$ $(i=1,\dots ,p)$ which are composed of the elements in the subgroup $G_{n_1}$, $G_{n_2}$ and $G_{n_3}$, it is called a semi-functional signature.

Correspondingly, the private key is divided into normal key and semi-functional key. The private key $K_{I{D}_i}=(\overrightarrow{K_{i,0}},K_{i,1},K_{i,2})$ generated by the normal key generation algorithm is called the normal key. If the key $K_{I{D}_i}=(\overrightarrow{K_{i,0}},K_{i,1},K_{i,2})$ consists of some elements in subgroups $G_{n_1}$, $G_{n_2}$ and $G_{n_3}$, it is called a semi-functional key.

Security proof is obtained through a series of indistinguishable games. Next, we will present a series of games.

${\mathrm{GM}}_{\mathrm{R}}$: It is the real game, where the private key and signature returned to the attacker are normal.

${\mathrm{GM}}_0$: It is similar to the game ${\mathrm{GM}}_{\mathrm{R}}$. The differences are that the identity $I{D}_i$ asked by the attacker and the challenge identity $I{D}^{*}$ meet the conditions $I{D}^{*}\ne I{D}_i\mathrm{mod}{n}_2$, and for any two ring identity sets and messages meet the conditions $(R,M)\ne (R^{\prime },M^{\prime })$ and $H_1(R,M)\ne H_1(R^{\prime },M^{\prime })$.

${\mathrm{GM}}_{\mathrm{i}}$($i\in [1,q]$): The restrictions in ${\mathrm{GM}}_0$ are needed here. In addition, considering the first $i$ inquiries, $\mathcal{C}$ responds with the SF key and signature. Considering the remaining inquiries, $\mathcal{C}$ responds with one normal key or signature.

Proof of Theorem 1. 

The specific proof is completed by the following four lemmas.

Lemma 1.  

The maximum amount of private key leakage is $L_K=(n-2\kappa -1)\xi$.

The conclusion 1 given in the reference [13] is helpful to lemma 1.

Conclusion 1. 

Given the primes $t$, and $d_1\ge d_2\ge 2$ ($d_1,d_2\in N$), $X\leftarrow Z_t^{d_1\times d_2}$, $Y\leftarrow R{k}_1(Z_t^{d_2\times 1})$ and $\mathsf{\Gamma }\leftarrow Z_t^{d_1}$, if $f$ is one function $f:Z_t^{d_1}\to W$, where $|W|\le 4\cdot (1-\frac{1}{t})\cdot t^{d_2-1}\cdot {\epsilon }^2$, this statistical distance $SD((X,f(X\cdot Y)),(X,f(\mathsf{\Gamma }))\le \epsilon$ ($\epsilon$ is a value that can be ignored).

From conclusion 1, it is easy to obtain the following Corollary 1.

Corollary 1. 

For $d_1\ge 3$ and a prime $t$, we select $\overrightarrow{\delta }\leftarrow Z_t^{d_1},\overrightarrow{\tau }\leftarrow Z_t^{d_1}$ and ${\overrightarrow{\tau }}^{\prime }\leftarrow Z_t^{d_1}$ such that ${\overrightarrow{\tau }}^{\prime }$ and $\overrightarrow{\delta }$ are orthogonal modulo $t$ by dot product. For the leakage function $f:Z_t^{d_1}\to W$, if $|W|\le 4\cdot (1-\frac{1}{t})\cdot t^{d_1-2}\cdot {\epsilon }^2$, the statistical distance $SD((\overrightarrow{\delta },f({\overrightarrow{\tau }}^{\prime })),(\overrightarrow{\delta },f(\overrightarrow{\tau })))$ is negligible. That is to say, $SD((\overrightarrow{\delta },f({\overrightarrow{\tau }}^{\prime })),(\overrightarrow{\delta },f(\overrightarrow{\tau })))\le \epsilon$ where $\epsilon$ is negligible.

In fact, according to conclusion 1, if we suppose that $\overrightarrow{\delta }$ matches $X$, $\overrightarrow{\tau }$ matches $X\cdot Y$ and ${\overrightarrow{\tau }}^{\prime }$ matches $\mathsf{\Gamma }$. In conclusion 1, the prime $d_2\ge 2$ because we need $d_2-1>0$. Similarly, if we need $d_1-2>0$, we should let the prime $d_1\ge 3$. Thus, we can easily obtain Corollary 1.

Proof of Lemma 1. 

According to conclusion 1, we let $d_2=d_1-1$. Therefore, $\overrightarrow{\tau }$ matches $\mathsf{\Gamma }$, and orthogonal basis for $\overrightarrow{\delta }$ matches $X$. Therefore, the distribution of ${\overrightarrow{\tau }}^{\prime }$ is the same as that of $X\cdot Y$, where $Y\leftarrow R{k}_1(Z_t^{(d_1-1)\times 1})$ and $X\leftarrow Z_t^{d_1\times (d_1-1)}$. Thus, the statistical distance $SD((\overrightarrow{\delta },f({\overrightarrow{\tau }}^{\prime })),(\overrightarrow{\delta },f(\overrightarrow{\tau })))$$=dist((X,f(X\cdot T)),(X,f(\mathsf{\Gamma }))$.

Considering $n=d_1-1$, $n_2=t$ and $\epsilon =n_2^{-\kappa }$, we can obtain $\log \left|W\right|\le$$(n-1)\log n_2-2\kappa \log n_2$$=(n-2\kappa -1)\log n_2$ = $(n-2\kappa -1)\xi$, where $\log n_2=\xi$. Correspondingly, the upper bound of leakage is $L_K=(n-2\kappa -1)\xi$. □

Lemma 2. 

Suppose that there is an adversary $\mathcal{A}$who obtains $|Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_{\mathrm{R}}}-Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_0}|\ge \epsilon$, the simulator $\mathcal{S}$ can break Assumption 1.

Proof of Lemma 2. 

Given $g_1,C_1{C}_2,C_3,D_2{D}_3$, $\mathcal{S}$ and $\mathcal{A}$ simulate ${\mathrm{GM}}_{\mathrm{R}}$ or ${\mathrm{GM}}_0$. Assuming that the advantage that $\mathcal{A}$ distinguishes the game ${\mathrm{GM}}_{\mathrm{R}}$ from ${\mathrm{GM}}_0$ can reach $\epsilon$, $\mathcal{A}$ can find out two identities $ID$ and $I{D}^{*}$ that meet the conditions $ID\ne I{D}^{*}\mathrm{mod}N$ and $ID-I{D}^{*}$ can be divided by an integer $n_2$. The nontrivial attractor of $N$ can be obtained by computing $z=\gcd (ID-I{D}^{*},N)$ with the help of the discovered identity. Let $v=\frac{N}{z}$. There are three cases to be considered.

(1) $z$ or $v$ is $n_1$, and the other is $n_2{n}_3$, which can be judged by checking ${(D_2{D}_3)}^z=1$ or ${(D_2{D}_3)}^v=1$. It may be assumed that $z=n_1$ and $v=n_2{n}_3$. $\mathcal{S}$ judges whether $e(T^z,C_1{C}_2)=1$. If it is true, $T$ does not contain the ingredient of $G_{n_2}$. Otherwise, $T$ contains the ingredient of $G_{n_2}$.

(2) $z$ or $v$ is $n_2$, and the other is $n_1{n}_3$, which can be judged by checking ${(C_1{C}_2)}^z=1$ or ${(C_1{C}_2)}^v=1$. It may be assumed that $z=n_2$ and $v=n_1{n}_3$. $\mathcal{S}$ judges whether $T^v=1$. If it is true, $T$ does not contain the ingredient of $G_{n_2}$. Otherwise, $T$ contains the ingredient of $G_{n_2}$.

(3) $z$ or $v$ is $n_3$, and the other is $n_1{n}_2$, which can be judged by checking $C_3^z=1$ or $C_3^v=1$. It may be assumed that $z=n_3$ and $v=n_1{n}_2$. $\mathcal{S}$ judges whether $e(T^z,D_2{D}_3)=1$. If it is true, $T$ does not contain the ingredient of $G_{n_2}$. Otherwise, $T$ contains the ingredient of $G_{n_2}$. □

Lemma 3. 

Suppose that there is an adversary $\mathcal{A}$who obtains $|Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_{\mathrm{k}-1}}-Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_{\mathrm{k}}}|\ge \epsilon$, the simulator $\mathcal{S}$ can break Assumption 1.

Proof idea. Assuming that this number about private key inquiries by adversary is $q_E$ and this number of signature queries is $q_S$. When an adversary asks for signature, the obtained private keys are SF ones because of the previous key query. Assuming this number about key queries in the game is $i$, the simulator $\mathcal{S}$ will determine whether the signature and private key are semi-functional or normal based on $i$ and $k$. The proof is divided into two parts based on the relationship of $k$ and $q_E$. In case 1, the adversary asks $q_E$ times for the key. In case 2, the adversary asks for $q_S$ signatures.

Proof of Lemma 3. Case 1. 

When $0<k<q_E$, the adversary asks for $q_E$ times about the key.

Initialization: Given $g_1,C_1{C}_2,C_3,D_2{D}_3$ and $T$, $\mathcal{S}$ and $\mathcal{A}$ simulate ${\mathrm{GM}}_{\mathrm{k}-1}$ or ${\mathrm{GM}}_{\mathrm{k}}$. The challenger issues system parameters $params=\{N,g_1,g_3,h_1=g_1^{b_1},u_1=g_1^{a_1},u_2=g_1^{a_2},H_1,e{(g_1,g_1)}^{\alpha }\}$ to the adversary, where $\alpha ,a_1,a_2,b_1\in Z_N$ are randomly selected and $H_1$ is a hash function.

Private key inquiry: In ${\mathrm{GM}}_{\mathrm{k}}$($0<k<q_E$), the adversary asks for the $v$-th private key of the identity $I{D}_i$.

When $0<v<k$, with regard to this $v$-th private key inquiry for identity $I{D}_i\in Z_N$, the simulator produces an SF one. $\mathcal{S}$ selects randomly $r_i\in Z_N$, $y_{i,1},y_{i,2},\dots ,y_{i,n}\in Z_N$, $\overrightarrow{{\theta }_i}\in Z_N^{n+1}$ and ${\vartheta }_i,{\sigma }_i\in Z_N$. Then, $\mathcal{S}$ calculates the private key: $K_{I{D}_i}$$=(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}}){(u_1^{I{D}_i}{h}_1)}^{r_i}>.(D_2{D}_3{)}^{{\overrightarrow{\theta }}_i},g_1^{r_i}(D_2{D}_3{)}^{{\vartheta }_i},u_2^{r_i}(D_2{D}_3{)}^{{\sigma }_i})$.

The adversary thinks that the received private key is correct.

$$=(<T^{w_{k,1}},\dots ,T^{w_{k,n}},(g_1^{\alpha }{\displaystyle \prod _{j=1}^n{g}_1^{-x_j{w}_{k,j}})T^{z_k}>g_3^{{\overrightarrow{\theta }}_k},}T{g}_3^{{\vartheta }_k},T^{a_2}{g}_3^{{\sigma }_k})$$

When $v=k$, for the $v$-th private key inquiry of identity $I{D}_i\in Z_N$, the simulator computes $z_k=a_{1}I{D}_k+b$. $\mathcal{S}$ selects randomly $r_i\in Z_N$, $w_{k,1},w_{k,2},\dots ,w_{k,n}\in Z_N$, $\overrightarrow{{\theta }_k}\in Z_N^{n+1}$ and ${\vartheta }_k,{\sigma }_k\in Z_N$ Then, $\mathcal{S}$ calculates the private key: $=(<T^{w_{k,1}},\dots ,T^{w_{k,n}},(g_1^{\alpha }{\displaystyle \prod _{j=1}^n{g}_1^{-x_j{w}_{k,j}})T^{z_k}>g_3^{{\overrightarrow{\theta }}_k},}T{g}_3^{{\vartheta }_k},T^{a_2}{g}_3^{{\sigma }_k})$.

In the event that $T\in G_{p_1{p}_3}$, this private key is normal. In the event that $T\in G$, this obtained private key is an SF one.

When $k<v<q_E$, for the $v$-th private key inquiry of identity $I{D}_i\in Z_N$, the simulator generates a normal private key. $\mathcal{S}$ selects randomly $r_i\in Z_N$, $y_{i,1},y_{i,2},\dots ,y_{i,n}\in Z_N$, $\overrightarrow{{\theta }_i}\in Z_N^{n+1}$ and ${\vartheta }_i,{\sigma }_i\in Z_N$. Then, $\mathcal{S}$ calculates the private key: $K_{I{D}_i}$$=(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}}){(u_1^{I{D}_i}{h}_1)}^{r_i}>.g_3^{{\overrightarrow{\theta }}_i},g_1^{r_i}\ast g_3^{{\vartheta }_i},u_2^{r_i}{g}_3^{{\sigma }_i})$.

The adversary thinks that the received private key is correct.

Signature: The adversary queries the signature of the message $M\in {\{0,1\}}^{*}$ and group members $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$. Assuming that the actual signer is $I{D}_{\pi }$($I{D}_{\pi }\in R$), $\mathcal{S}$ calculates $m=H_1(M,R)$ and selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i},B_i=g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}.(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}{g}_3^{{\rho }_1}\end{array}$$

$\mathcal{S}$ outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$. For an adversary, the received signature is indistinguishable from the true signature. □

Proof of Lemma 3. Case 2.  

When $q_E<k<q_E+q_S$, the adversary asks for $q_S$ times about the key.

Initialization: Given $g_1,C_1{C}_2,C_3,D_2{D}_3$, $\mathcal{S}$ and $\mathcal{A}$ simulate ${\mathrm{GM}}_{\mathrm{k}-1}$ or ${\mathrm{GM}}_{\mathrm{k}}$. The challenger issues system’s parameter $params=\{N,g_1,g_3,h_1=g_1^{b_1},u_1=g_1^{a_1},u_2=g_1^{a_2},H_1,e{(g_1,g_1)}^{\alpha }\}$ to $\mathcal{A}$, wherein $\alpha ,a_1,a_2,b_1\in Z_N$ are randomly selected. $H_1$ is a hash function.

Private key inquiry: In ${\mathrm{GM}}_{\mathrm{k}}$($0<k<q_E$), since the $q_E$ private key queries have been performed, when an adversary performs the $v$-th private key query $\mathcal{S}$ sends a semi-functional private key to him.

Signature: The adversary queries a signature of a message $M\in {\{0,1\}}^{*}$ and group members $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$.

When $k<v<q_E+q_S$, assuming that the actual signer is $I{D}_{\pi }$($I{D}_{\pi }\in R$), $\mathcal{S}$ calculates $m=H_1(M,R)$ and selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i},\\ & B_i& =g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}\\ & & .(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}{g}_3^{{\rho }_1}\end{array}$$

$\mathcal{S}$ outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$. For an adversary, the received signature is indistinguishable from the true signature.

When $q_E<v<k$, assuming that the actual signer is $I{D}_{\pi }$ ($I{D}_{\pi }\in R$), $\mathcal{S}$ calculates $m=H_1(M,R)$ and selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

$\mathcal{S}$ invokes this signature algorithm to achieve one semi-functional signature.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i},B_i=g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},\\ & & g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}.(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.(D_2{D}_3{)}^{{\overrightarrow{\rho }}_{\pi }}{g}_3^{{\overrightarrow{\theta }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}(D_2{D}_3{)}^{{\rho }_1}{g}_3^{{\eta }_{\pi }}\end{array}$$

$\mathcal{S}$ outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$.

When $j=k$, assuming that the actual signer is $I{D}_{\pi }$($I{D}_{\pi }\in R$), $\mathcal{S}$ calculates $m=H_1(M,R)$ and selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

$\mathcal{S}$ invokes the signature algorithm to achieve one normal signature.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i}\\ & B_i& =g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<T^{y_{\pi ,1}},T^{y_{\pi ,2}},\dots ,T^{y_{\pi ,n}},g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}}).(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}.T^{z_k+a_{2}m}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}T{g}_3^{{\eta }_{\pi }}\end{array}$$

If $T\in G_{p_1{p}_3}$, $\mathcal{S}$ simulates ${\mathrm{GM}}_{\mathrm{k}-1}$. If $T\in G$, $\mathcal{S}$ simulates the game ${\mathrm{GM}}_{\mathrm{k}}$. Then, if $\mathcal{A}$ can distinguish between ${\mathrm{GM}}_{\mathrm{k}-1}$ and ${\mathrm{GM}}_{\mathrm{k}}$, $\mathcal{S}$ can distinguish between $T\in G_{p_1{p}_3}$ and $T\in G$. □

Lemma 4. 

Suppose that there is an adversary $\mathcal{A}$ who obtains $|Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_{\mathrm{R}}}-Ad{v}_{\mathcal{A}}^{{\mathrm{GM}}_{{\mathrm{q}}_{{}_{\mathrm{E}}}{+\mathrm{q}}_{{}_{\mathrm{S}}}}}|\ge \epsilon$, the simulator $\mathcal{S}$ can break Assumption 2.

Proof of Lemma 4. 

Initialization: Given $g_1,g_1^{\alpha }{C}_2,C_3,g_1^s{D}_2,W_2$ and $T$, $\mathcal{S}$ and $\mathcal{A}$ simulates ${\mathrm{GM}}_{{\mathrm{q}}_{{}_{\mathrm{E}}}{+\mathrm{q}}_{{}_{\mathrm{S}}}}$. The challenger issues system’s public information $params=\{N,g_1,g_3,h_1=g_1^{b_1},u_1=g_1^{a_1},u_2=g_1^{a_2},H_1,e{(g_1,g_1)}^{\alpha }=e(g_1^{\alpha }{C}_2,g_1)\}$ to $\mathcal{A}$, wherein $\alpha ,a_1,a_2,b_1\in Z_N$ are randomly selected. $H_1$ is a hash function.

Private key inquiry: When the adversary performs the $v$-th private key query $\mathcal{S}$ sends a semi-functional private key to him. $\mathcal{S}$ selects randomly $r_i\in Z_N$, $y_{i,1},y_{i,2},\dots ,y_{i,n}\in Z_N$, $\overrightarrow{{\theta }_i}\in Z_N^{n+1}$, ${\vartheta }_i,{\sigma }_i\in Z_N$ and $c,d,z\in Z_N$. Then, $\mathcal{S}$ calculates the private key: $K_{I{D}_i}$$=(<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots ,g_1^{y_{i,n}},g_1^{\alpha }{C}_2{W}_2^c({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}}){(u_1^{I{D}_i}{h}_1)}^{r_i}>.C_3^{\overrightarrow{\theta }},g_1^{r_i}{W}_2^d{C}_3^{{\vartheta }_i},u_2^{r_i}{W}_2^z{C}_3^{{\sigma }_i})$.

Signature: The adversary queries the signature of a message $M\in {\{0,1\}}^{*}$ and ring members $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$.

Assuming that the actual signer is $I{D}_{\pi }$($I{D}_{\pi }\in R$), $\mathcal{S}$ calculates $m=H_1(M,R)$ and selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

$\mathcal{S}$ invokes this signature algorithm to achieve one semi-functional signature.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i}\\ & B_i& =g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},g_1^{\alpha }{C}_2{W}_2^c({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{h}_1{)}^{r_i}\\ & & .(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}(u_2^{r_i}{W}_2^z{C}_3^{{\sigma }_i}{)}^m{g}_3^{{\sigma }_{\pi }}>.(D_2{D}_3{)}^{{\overrightarrow{\rho }}_{\pi }}{g}_3^{{\overrightarrow{\theta }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}{W}_2^d{C}_3^{{\vartheta }_i}{g}_3^{{\eta }_{\pi }}\end{array}$$

$\mathcal{S}$ outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$.

Forged signature: $\mathcal{A}$ gives one forged signature for this message $M\in {\{0,1\}}^{*}$ and group members $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$. The simulator calculates $m=H_1(M,R)$, and randomly selects $s\in Z_N$. $\mathcal{S}$ calculates ${\displaystyle \prod _{i=1}^p\frac{e(<g_1^{s{x}_1},g_1^{s{x}_2},\dots ,g_1^{s{x}_n},g_1^s{D}_2>,{\overrightarrow{A}}_i)}{e({\left(g_1^s{D}_2\right)}^{a_{1}I{D}_i+a_{2}m+b},B_i)}}\stackrel{?}{=}e{(g_1,g_1)}^{\alpha s}$. In this way, if the adversary forges signature successfully the simulator can break hypothesis 2 by the adversary.

In case they are equal, $\mathcal{S}$ outputs “reject”. Otherwise, $\mathcal{S}$ outputs “accept”.

The above four lemmas prove that the scheme given in this paper is unforgeable. In the proof, the adversary does not need to provide the challenge identity in advance, and only adaptively selects the attack object after the private key inquiry, so the scheme is fully secure. □ □ □

Theorem 2. 

The given scheme is unconditionally anonymous.

Proof of Theorem 2. 

Unconditional anonymity can be obtained by playing the next two games between the attacker and the simulator. Let ${\mathrm{Game}}_0$ and ${\mathrm{Game}}_1$ simulate signature about $I{D}_0$ and $I{D}_1$ respectively. If the two games are indistinguishable from each other for the attacker, the scheme is unconditionally anonymous.

${\mathrm{Game}}_0$:

Initialization:

The simulator $\mathcal{S}$ inputs the parameter $\delta$ and invokes this Start algorithm to produce the master key $\alpha$ and system’s parameter $params$. $\mathcal{S}$ chooses one bilinear group $G$ with order $N=n_1{n}_2{n}_3$. Hash function $H_1:{\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }\to Z_N$ has the virtue of resisting collision. $\mathcal{S}$ randomly selects $g_1,u_1,u_2,h_1\in G_{n_1}$, $x_1,x_2,\dots ,x_n\in Z_N$, $g_3\in G_{n_3}$ and $\alpha \in Z_N$.

The public parameters are $params=\{N,g_1,g_3,h_1,g_1^{x_1},g_1^{x_2},\dots ,g_1^{x_n},u_1,u_2,H_1,e{(g_1,g_1)}^{\alpha }\}$.

The master key is $\alpha$.

The public parameters are sent to the attacker.

Signature: $\mathcal{A}$ inquiries this signature about a message $M\in {\{0,1\}}^{*}$ and the identities $I{D}_0$ and $I{D}_1$ and group members $R=\{I{D}_1,I{D}_2,\dots ,I{D}_p\}$($I{D}_0,I{D}_1\in R$). Assuming that the actual signer is $I{D}_{\pi }=I{D}_0$, $\mathcal{S}$ calculates $m=H_1(M,R)$ and generates the private key $K_{I{D}_0}$ for $I{D}_0$. $\mathcal{S}$ selects the random number ${\lambda }_i,{\tau }_i\in Z_N$, ${\overrightarrow{\rho }}_i\in Z_N^{n+1}$, ${\eta }_i\in Z_N$($i=1,2,\dots ,p$) such that ${\tau }_1+{\tau }_2+\dots +{\tau }_p=0$.

For $i=1,2,\dots ,p$, $\mathcal{S}$ calculates:

$$\begin{array}{lll}i\ne \pi & {\overrightarrow{A}}_i& =<g_1^{y_{i,1}},g_1^{y_{i,2}},\dots \dots ,g_1^{y_{i,n}},g_1^{{\tau }_i}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{i,j}})(u_1^{I{D}_i}{u}_2^m{h}_1{)}^{{\lambda }_i}>g_3^{{\overrightarrow{\rho }}_i}\\ & B_i& =g_1^{{\lambda }_i}{g}_3^{{\eta }_i}\\ i=\pi & {\overrightarrow{A}}_{\pi }& =<g_1^{y_{\pi ,1}},g_1^{y_{\pi ,2}},\dots ,g_1^{y_{\pi ,n}},\\ & & g_1^{\alpha }{g}_1^{{\tau }_{\pi }}({\prod }_{j=1}^n{g}_1^{-x_j{y}_{\pi ,j}})(u_1^{I{D}_{\pi }}{h}_1{)}^{r_{\pi }}.(u_1^{I{D}_{\pi }}{u}_2^m{h}_1{)}^{{\lambda }_{\pi }}{u}_2^{m{r}_{\pi }}{g}_3^{{\sigma }_{\pi }}>.g_3^{{\overrightarrow{\theta }}_{\pi }}.g_3^{{\overrightarrow{\rho }}_{\pi }}\\ & B_{\pi }& =g_1^{r_{\pi }}{g}_1^{{\lambda }_{\pi }}{g}_3^{{\eta }_{\pi }}{g}_3^{{\rho }_1}\end{array}$$

$\mathcal{S}$ outputs the ring signature $\omega =\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$ and sends it to the attacker $\mathcal{A}$.

${\mathrm{Game}}_1$: It is similar to ${\mathrm{Game}}_0$. The difference is that the simulator generates the private key $K_{I{D}_1}$ of $I{D}_1$. The real signer is $I{D}_{\pi }=I{D}_1$. $\mathcal{S}$ uses $K_{I{D}_1}$ to generate a signature ${\omega }_1=\{{\overrightarrow{A}}_i,B_i\}{}_{i=1}^p$ and sends it to the attacker $\mathcal{A}$.

Since the random elements ${\{{\lambda }_i,{\tau }_i,{\eta }_i,{\overrightarrow{\rho }}_i\}}_{i=1}^p$ and ${\{{{\lambda }^{\prime }}_i,{{\tau }^{\prime }}_i,{{\eta }^{\prime }}_i,{{\overrightarrow{\rho }}^{\prime }}_i\}}_{i=1}^p$ required in the two signatures have the same distributions, the obtained signatures ${\omega }_0$ and ${\omega }_1$ are also the same distributions. As far as the adversary is concerned, ${\mathrm{Game}}_1$ and ${\mathrm{Game}}_0$ are indistinguishable. Thus, the advantage of the adversary in correctly identifying the signer is equal to random guess. Therefore, the proposed ring signature scheme satisfies the unconditional anonymity security. □

6. Continual Leakage Resilience

Theorem 3. 

Under the standard model, the presented scheme has continuous leakage resilience.

Proof of Theorem 3. 

By using the private key update algorithm given in Part 4, similar to that in the paper [14], continual leakage resilience is achieved. This algorithm KeyU inputs $K_{I{D}_i}$ and $params$, and generates one new private key $\widehat{K_{I{D}_i}}$. For KeyU, some additional random values are added to that in the original private key. For the added value is also randomly selected, the new random values of the private key and the original ones have the same distributions. Furthermore, the new private key has the same distribution with that original one. After running the KeyU algorithm, the private key can be refreshed. As long as this algorithm KeyU is run periodically, the given scheme can continuously resist side channel attacks.

In fact, the key is updated periodically. The selection of cycle is usually based on the statistical results. For example, when the private key leaks to 70% of the given upper bound, we update the private key. However, the statistical results are ex post facto and hysteretic. We usually take conservative measures, that is, we update the key in a very short period (such as every 10 min). □

7. Leakage Performance Analysis

For our proposed scheme, $n_1,n_2$ and $n_3$ are three primes with $\xi$ bits length. The private key is $3(n+3)\xi$ bits. The upper bound for private key disclosure is $(n-2\kappa -1)\xi$ bits, among which $n\ge 2$ is a variable integer. When the value of $n$ changes, the leakage performance of the scheme also changes. $\kappa$ represents one positive value. The private key leakage rate reaches $\frac{(n-2\kappa -1)\xi }{3(n+3)\xi }=\frac{(n-2\kappa -1)}{3(n+3)}$.

It should be emphasized that $n$ varies according to actual needs. When the system needs a higher leakage rate, we take the larger $n$. Correspondingly, the private key becomes longer, and the leakage-resilience ability is stronger. When the system needs a lower leakage rate, we take the smaller $n$. Correspondingly, the private key will be shorter. When $n$ is very large, the leakage rate may almost approach 1/3.

The scheme in this paper was compared with the literature [36] and related schemes [37,38] in composite order group.

SDM indicates standard model. ROM indicates random oracle model. CLR symbolizes continual leakage resilience. $E$, $P$ and $M_G$ represent exponential operation, pairing operation and multiplication operation of the elements in group $G$. $p$ represents this total number about ring members and $l$ represents selected special values. $n$ is a variable value, which is adjusted according to the specific leakage performance. In fact, when $n=2$, the leakage resilience about our scheme is better. S-$l$ represents the second $l$-representation problem. GSD represents the general subgroup decision hypothesis. These rows of Start, Extract, Sign and Verify represent the computational cost of the start algorithm, private key generation algorithm, signature algorithm and verify algorithm, respectively.

It can be seen from

Table 3. The comparisons of the security and calculation efficiency about our scheme with some related schemes of [36,37,38].

	Ours Scheme	[36]	[38]	[37]
Model	SDM	RO	SDM	SDM
Assumption	GSD	S-$l$	GSD	GSD
Leakage Resilience	√	√	×	×
CLR	√	×	×	×
Start	$P$	$plE$	$P$	$P$
Extract	$(5+n)E$	$pE$	$5E$	$7E$
Sign	$(5p+1+n)E$	$\begin{array}{l}(pl+l-1)E\\ +(pl-1)M_G+lH\end{array}$	$(5p+1)E$	$7(p+1)E$
Verify	$\begin{array}{l}(4p+n)E\\ +2pP\end{array}$	$\begin{array}{l}l(p+1)E\\ +pl{M}_G+lH\end{array}$	$4pE+2pP$	$\begin{array}{l}(4p+7)E\\ +(4p+7)P\end{array}$

that our scheme is based on the standard model and has good security. The computational efficiency of our scheme is superior to that of the scheme [36,37]. Compared with the scheme [38], our scheme has the ability to resist the side channel attack, so the computation cost of the private key generation algorithm, the signature and verification algorithm is a little higher. Although the greater the $n$ is, the greater the leakage rate is, it is worth mentioning that in real applications even if $n=2$ the leakage resilience of the given scheme is very good. For details, please refer to [39,40,41].

We provide

Table 4. The relationship between $\mathit{n}$ and the leakage rate.

$\mathit{n}$	2	3	4	5	….	$\mathit{n}$	…
leakage rate	$\frac{1}{15}$	$\frac{1}{9}$	$\frac{1}{7}$	$\frac{1}{6}$	….	$\frac{(n-1)}{3(n+3)}$	…

to analyze the relationship between $n$ and the leakage rate,

As can be seen from Table 4, when $n=2$, the system can tolerate the leakage of 1/15 of keys, and when $n=5$, it can tolerate the leakage of 1/6. These are relatively good leakage-resilient performances.

Moreover, when $n=2$, we present simulation experiments to derive the running time of the respective algorithms of our scheme.

We carried out experimental simulation on the given scheme. The experimental platform was a PC with 64-bit operating system Windows 10, 3.40 GHz main frequency, 8.00G RAM and Intel (R) Core (TM) i7-6700 CPU. Based on the Java Pairing Based Cryptography Library 2.0.0 [42], we used Eclipse 4.4.1 for simulation software. The 160 bits composite order elliptic curve $y^2=x^3+x$ was selected for our experiment.

When $n=2$ and $p=3$, the start algorithm needs 0.085 s, the private key generation algorithm takes 0.175 s, the signature algorithm needs 0.450 s, and the verification algorithm needs 0.910 s. Such time is basically acceptable for most devices.

8. Conclusions

This paper constructed an identity-based ring signature scheme under the standard model. The scheme was existentially unforgeable and unconditionally anonymous. At the same time, the scheme also had the performance of continual leakage-resilience, which can resist the continuous disclosure of private keys. The ring signature does not require a manager. The signer can only select a set of possible signers, obtain their public key, and then publish the set. All members are equal. The ring signature itself cannot reveal the signer unless the signer wants to expose or add additional information to the signature. For example, a group of officials need someone to sign the document in real name, without disclosing which official signs the information. At this time, our ring signature meets the requirements very well.

The proposed scheme is completely secure without random oracle model and the private key leakage rate is close to 1/3. Through the dual system technique, the existential unforgeability and unconditional anonymity of the scheme are proved in the composite order group based on the subgroup decision assumption.

The revocable signature scheme also has a good application scenario. How to construct a revocable signature scheme against side channel attacks deserves further research.