Efficient identity based ring signature scheme in prime order group

Aiming at the problem of long signature generation and verification time caused by low operation efficiency in ring signature algorithm based on composite order group, an asymmetric identity based ring signature scheme based on prime order group is proposed. The model definition and specific identity based ring signature scheme design of the proposed scheme are described, and the correctness and security of the proposed scheme are analyzed. Finally, the efficiency of the core operation part of the algorithm is explained. Compared with the correlation signature algorithm based on composite order group, the optimization has a great improvement in operation overhead and performance, and the designed scheme is unforgeable. The designed signature scheme meets the unconditional anonymity and unforgeability of ring signature.


Introduction
With the increasingly serious problem of network information security, hijacking transmission data, tampering and forging sender messages in important transaction scenarios such as e-commerce have greatly reduced people's trust in network information. The reliability and effectiveness of transmission data has become the focus of research. At this time, the emergence of a new technology "digital signature" has solved the pain point of information security, The basis of digital signature technology is mainly cryptography and applied mathematics. The signer has a public key and private key before sending the message, signs the message through the key pair and sends it together with the message. The receiver verifies the signature to confirm whether the data is complete and effective, which solves the risk of hijacking and tampering in previous single data transmission.
In 2001, three cryptologists, Rivest, Shamir and Tauman, first proposed the concept of ring signature. It is a simplified group signature. Any member of the ring can send message signatures in the name of the ring. The receiver verifies the ring signature. The ring signature cannot be determined to be sent by that member, but only knows that the signature comes from a member of the ring [1]. All members of the ring are equal and fair. There is no distinction between managers, nor the establishment and cancellation process of the ring. It has good anonymity. A typical application scenario of ring signature is anonymous reporting. In an organization, informants in the organization can use the public keys of other members to sign a report together with their own public and private keys. The manager (verifier) will see that such a report is indeed initiated by someone in the organization, but the manager will not know which member initiated the report. In this way, when the authenticity of the report is ensured, the informant is hidden to avoid some adverse consequences to the informant, such as malicious retaliation. Ring signature technology still has many inherent shortcomings. For example, using a general ring signature, the signer successfully hides among a group of people and is difficult to be found. Therefore, relying solely on the ring signature, the signer can make two different remarks on the same problem and then not be found. In this way, it is likely to become the fuse of contradictions. Whether it is used for false disclosure, repeated false voting, or troublesome repeated consumption of the same currency in cryptocurrency, it is an unavoidable problem. Therefore, in order to enhance the privacy of the transaction and ensure its reliability. The privacy and security features of ring signature are widely used in practical applications. For example, the electronic voting system needs security requirements such as transparency, anonymity and public counting. The electronic voting scheme based on ring signature can solve the problems of voters' anonymity, repeated voting and public verification, so as to ensure that no person or institution can obtain the intermediate voting results before the end of voting, improve the fairness requirements of electronic counting.
Ring signature technology hides the address of the transaction initiator by mixing the signature of the transaction initiator with other bait signatures. Because ring signature technology can significantly improve the information security of platform participants, it has attracted extensive attention from people in the field of block chain and information security. Ring signature is a kind of group signature, but its special feature is that there is no uniformly managed trust center, which is anonymous for the verifier of the signature [2]. Since the concept of ring signature was proposed, it has attracted extensive research for different use scenarios. Literature [3] proves and proposes a ring signature scheme based on the standard model. Literature [4] constructs a strong ring signature algorithm, and combines the proof process for security under the standard model. Literature [5] and literature [6] propose a scheme based on complexity assumption (Diffie-Hellman) The ring signature method reduces the number of operations of bilinear pairs, and designs an anti collusion convertible ring signature, which can verify the signer's identity and ensure that other members of the ring do not generate a signature. Document [7] combines ring signature and bilinear mapping, and proves the security. Document [8] proposes a network signature, which can realize pan Chinese ring signature results through combined signature. The methods proposed in document [9] and document [10] involve bilinear pair operation, and the efficiency of bilinear pair operation will be greatly reduced with the increase of the number of members. Document [11] proposes an identity based ring signature method. In the security proof, the encryption technology of composite order bilinear group is used to achieve complete anonymity, which is less efficient than the prime order group algorithm used in this paper. According to reference [12], the 160 bit prime order group with order n and the 1024 bit composite order group can achieve the same security level, but the bilinear pair operation cost of the composite order group is much greater than that of the prime order group. Therefore, the identity based ring signature scheme based on the bilinear pair operation of the prime order group is of great significance.
Combined with the previous research methods, this paper designs an authentication based ring signature scheme of prime order group, which can construct identity based ring signature on prime order group. Compared with the bilinear pairing operation of composite order group, it greatly reduces the operation overhead and improves the efficiency of signature generation and verification. Through security analysis, it is verified that the scheme has the security characteristics of anti identity attack and unconditional anonymity. Firstly, this paper introduces the relevant knowledge needed by the authentication based ring signature scheme. Secondly, the identity based ring signature model based on prime order group is designed, and the security definition model of the scheme is analyzed. Finally, the scheme description and security analysis and verification are carried out in detail. When G1 is not equal to G2 we call this an asymmetric bilinear mapping. For S1∈G1 and S2∈ G2, S1~S2 is used to indicate that S1 and S2 have the same discrete logarithm, where S1 is based on P1 and S2 is based on P2.

Ring signature algorithm
With regard to ring signature, people are generally confused about the double flower problem caused by anonymity. For example, under the ring signature platform, I purchased a service from the seller. How can the platform hide my identity and prevent "double flower" and other problems to ensure the safety of the transaction?
As for the double flower problem. The "double flower problem", also known as the "double payment problem", vividly says that anyone who receives electronic money can copy it and send it arbitrarily for many times. The outside world cannot confirm whether there is repeated payment in a transaction.
In the ring signature system, the real identity of the consumer initiator is hidden, and other participants do not know who is the real sender, which brings inconvenience to prevent the double flower problem. Key mirroring technology, that is, the same public key will produce the same key image, and all nodes in the system will maintain a set of key images that have been seen. If the key image of a transaction appears in the set, it is considered valid. In this way, each transaction is different through the key image, and the participants can easily detect and judge whether it is double flower.
In addition, it should be pointed out that encryption with ring signature technology will increase the transaction volume and have higher requirements for performance. Ring signature is the origin of the signature of the implicit parameters of ring according to certain rules, and the main purpose of the algorithm is used to ensure that the signer can use a completely anonymous way for signing messages, the scope of the signer can choose to be anonymous or signature object group, group membership and signature receiver didn't know they contained in which members of the ring, It is also uncertain who is the real message signer in the ring members. There is no group establishment process and centralized management organization, and there is no need to join and quit the ring in advance. The formation of the ring is the ring members designated by the signer according to the needs.
Ring signature algorithm definition: in a ring with n members, the ring signature algorithm mainly includes initialization, private key generation, signature generation and signature verification.
Initialization: Run PKG key generator, input security parameter γ, output master key MSK and system public parameter Params.
Private key generation: Each ring member has a unique identity ID, and the private key SkID is output by entering the master key MSK.
Signature generation: input system public parameters Params, identity set {ID1, ID2,…,IDn}, the message m and the user's private key SkID, output the final ring signature δ.
Verify signature: input system public parameter Params, identity set {ID1, ID2,…,IDn}, message m, and ring signature result δ are verified, and success is output, otherwise fail is output.

Security requirements of ring signature
(1) Unconditional anonymity: for a given identity set {ID1,ID2,…,IDn}, message m and ring signature δ. Even with powerful computing ability, the challenger cannot find out the real signer with a higher probability than random guessing, that is, the highest probability of the challenger guessing the identity of the real signer is 1/n.
(2) Unforgeability: if the challenger does not know any private key of the ring member, even if it obtains the ring signature result generated by other members through illegal means, the challenger cannot forge legitimate message signature.
(3) Good features: it can realize the unconditional anonymity of signers to protect privacy, signers can also realize the related functions of group signature, there is no administrator and third party authority in decentralization, signers can also specify their own anonymous range, etc. (2) Private key generation: aiming to unique ID, r∈Zp, KID∈Zp is randomly selected, and the calculation process of private key is as follows: id=H0(ID), AID=α*P2+r*V2, BID=r*U, CID=r*(id*Q2+KID*W2+U2), DID=r*P2. The output private key is SKID = (AID, BID, CID, DID) and sends the private key and set {KID, P2, V2, U, Q2, W2, U2} to the user with the ID.

Scheme description
(3) Signature generation: set identity set = {ID1, ID2, … , IDn}, the signer is the π user in the identity set and its identity number is ID. The ring signature algorithm for generating message m is as follows: Suppose i∈[n], calculate idi=H0(IDi) and M= H1(m, set).

Safety analysis
(1) Correctness. The signature generated by the ring signature algorithm needs to be verified by the receiver to ensure the correctness of the generated signature. The verification process is as follows: � e(T 1 , A i ) * e(T 2 , B i ) n i=1 * e(T 3 , D i ) = e(P 1 , P 2 ) αs * e(P 1 , P 2 ) Ms * e(W 1 , P 2 ) s * �∑ i + n i=1 � = e(P 1 , P 2 ) αs * e(P 1 , P 2 ) Ms * � � (2) Unforgeability. In the scheme where the ring signature member is n, it is assumed that the Challenger inputs security parameters γ, public parameter params is obtained through the initialization algorithm, and then the query key generation algorithm can be initiated in polynomial time. Enter your own unique identity ID and public parameters to obtain the returned private key SKID. Enter the identity set {ID1, ID2… IDn} and message m to obtain the ring signature result of an identity base δ。 The Challenger finally enters the ring signature δ, {ID1, ID2…IDn} and message m are verified. Since the identity set and message have not appeared before, according to the complexity assumption in Chapter 1.2, the probability of the Challenger passing the verification is ε, this is negligible.

Performance analysis
For the comparison between the prime order group signature scheme proposed in this paper and the ring signature scheme based on composite order group in reference [13], we use Intel i7 processor, 8g memory and Linux operating system, install PBC library and GMP library, call basic cryptography related operation functions, and write the algorithm implementation part of ring signature in C language for testing. When the number of ring members n is set to 100, the calculation cost of the comparison document [13] and the scheme in this paper is shown in Table 1. It can be seen that the calculation cost of prime order group is much less than that of composite order group.

Conclusions
In this paper, a ring signature scheme based on bilinear mapping function of prime order group for authentication is proposed. It has unconditional anonymity and signature verifiability to the signer, has advantages in protecting the signer's personal privacy, improves the security of message signature, and solves the problem of large operation consumption based on composite order group, With the linear growth of ring signature members, the advantages are more obvious.