Deniable ring signature scheme based on the ISRSAC digital signature algorithm

Difficult problem of factoring large integers

The decomposition of a large integer as the product of its prime factors, or the representation of a large integer as the product of two or more prime numbers, is known as the difficulty factoring large integers problem. The description of the problem can be simply expressed as: given a large integer n, find two prime numbers p, q such that n = p⋅q. In this problem, the size of n is usually very large, far beyond what a computer can solve in a reasonable amount of time. The problem cannot be solved efficiently using a polynomial algorithm. This means that extracting its prime factor from a large integer requires a considerable number of computational resources and time. Therefore, the problem is considered “difficult”.

The hard challenge of massive integer factorization serves as the foundation for the RSA encryption technique. The intricacy of factoring a big integer into the product of two prime integers forms the foundation of the security of the RSA encryption technique. A major concern to contemporary computer security is the possibility of cracking communication encrypted using RSA if someone can successfully solve the huge integer factorization problem.

Although the difficult problem of large integer factorization is theoretically considered a difficult problem, there are still algorithms that can be used to solve large integer factorization in some specific cases. For example, prime factorization algorithms, such as Pollard’s rho algorithm, the secondary sieving method, and the number field sieving method, can efficiently decompose large integers in certain situations. However, these algorithms typically only operate with a limited range of integers. For larger integers, they become time-consuming and impractical.

ISRSAC digital signature algorithm

This section briefly introduces the digital signature algorithm based on ISRSAC, which includes four PPT algorithms: System initialization (Setup), key generation algorithm (KeyGen), signature generation algorithm (Sign), and signature verification algorithm (Verify).

1. System initialization (Setup): given the safety parameters λ, randomly select two large prime numbers p and q, where p ≠ q, p > 3, q > 3, calculate n = p⋅q⋅(p − 1)⋅(q − 1), m = p⋅q. Randomly select an integer r, where this condition of r is met: p > 2^r < q, and then calculate $\alpha \left(n\right)=\frac{\left(p-1\right)\left(q-1\right)\left(p-2^r\right)\left(q-2^r\right)}{2^r}$.

2. Key generation algorithm (KeyGen): Select the public key e, where 1 < e < α(n), gcd(e, α(n)) = 1. Calculate the private key d, where d⋅e ≡ 1(modα(n)). In summary, determine the public key (e, m) and private key (d, n).

3. Signature generation algorithm (Sign): Suppose the plaintext is M, the hash function is H, and the hash value is H(M). The private key is (d, n), calculated S ≡ H(M)^d(modm) as the signature of H(M).

4. Signature verification algorithm (Verify): Verify the signature S on the message M, compute H(M) using the same hash function, and use public key (e, m) to verify if H(M) = S^e(modm) is correct. If the equation is correct, then the signature is accepted.

Security model

In this subsection, we describe the Oracle machines used in the security model. The following symbol descriptions are given in Table 1.

1. Join Oracle (Add(ID_i) → pk_i): Call Join Oracle Machine in order to add the identification of the truthful signer ID_i to the List. The oracle machine returns ϵ if there is already a signer with identification ID_i. If not, a key-generating process is executed by the oracle machine, which appends the signer (together with its public key) to the List. At last, pk_i is returned by the oracle machine.

2. Register oracle machine (Reg(ID_i, pk_i)): An attacker can register a new signer with the public key pk_i in the List by using a signer to register an oracle. Signers were also added to MList by the oracle machine.

3. Corrupt Oracle (Crpt(ID_i, pk_i) → sk_i): Corrupting the signatories of the identity ID_i by use of a corrupt oracle. The key sk_i of signer P_i can be extracted by an attacker from the oracle.

4. Signature oracle machine (DRSig(ID_k; M, ID₁, …, ID_k−1, ID_k+1, …, ID_L′, List) → σ): The signature σ of the honest signer and the entity is output given the identity of the honest signer P_ik, message M, and entity P_i1, …, P_ik−1, P_ik+1, …, P_L′ of the signature oracle.

5. Challenge Oracle (Ch_b(ID₀, ID₁, M) → σ): Anonymity is defined as using a challenge machine. Given the identity (i₀, i₁) and message M, the oracle machine provides the target signature S(sk_i0, M, pk_i0, pk_i1) from P_i0 and P_i1 for M for a challenge bit b ∈ 0, 1. Keep in mind that attackers are not limited to weakening signers P_i0 and P_i1. Furthermore, the target’s signature would be protected against an attacker’s ability to execute the P_i0 and P_i1 confirmation/denial protocols. The attacker challenges the oracle machine to add the target signature to the GSet in the event that it is confirmed or denied.

6. Confirm/Deny Oracle (C/D(ID_i, M, σ)): Given an identity ID_i and a message signature pair (M, σ), a confirm/deny oracle verifies if P_i is an honest signer by executing the confirm/deny protocol and communicating with the attacker. An oracle does not execute the confirmation/denial procedure if an attacker inserts a target signature that questions the results.

On the basis of the mentioned above, we improve the security model mentioned above and provide the necessary characteristics of a deniable ring signature, which are traceability, non-frameability, accuracy, and anonymity.

Deniable ring signature

Definition 1. Deniable Ring Signature Scheme

The member (victim) whose public key is used to create the ring signature in a deniable ring signature scheme may assert that false allegations were made against them. Without a group administrator, the scheme is a group signature scheme. To represent the quantity of signers in the system, we use L. According to the definition that follows, the signer P_ik dynamically chooses L′ − 1 entities P_i1, …, P_ik−1, P_ik+1, …, P_iL′ from the signer list that PKI publishes, and then performs the signature algorithm by entering their own private key and the entity’s public key collection.

The general construction algorithm for a deniable ring signature is as follows:

1. System initialization (Setup (λ) → params): Given the security parameters λ, output the system parameters params.

2. Key generation (KeyGen (params → (pk_i, sk_i))): Output the public–private key pair (pk_i, sk_i) of user A_i given the system parameters params.

3. Signing (Sign (m, sk_i, L) → σ): Given the message m, the user $A_i^{\prime }s$ (1 ≤ i ≤ n) private key sk_i, and public key list L = {pk₁, …, pk_i, …, pk_n}, output the signature value. Among them, the public key list L is composed of randomly selecting the n − 1 users’ public key for the user, plus its own public key pk_i, that is L = {pk₁, …, pk_i, …, pk_n}.

4. Verification (Verify (m, σ, L) → accept/reject): given the message m, signature value σ, public key list L, if σ is a legal signature, output “accept”; otherwise, output “reject”.

5. Confirmation (Confirm: P⇔V): The interaction algorithm between the prover P (i.e., signer A_i) and the verifier V, the verifier V has a message m, signature value σ, public key list L, and the prover P proves that the ring signature was generated by it through the confirmation algorithm.

6. Disavowal (Disavow: P⇔V): An algorithm for the interaction between the prover P (non-signer A_j, j ≠ i) and the verifier V, the verifier V has a message m, signature value σ, public key list L, and the prover P denies that the ring signature was generated by the disavowal algorithm.

Security properties

The security model proposed in Komano et al. (2006) gives the required properties of a deniable ring signature: correctness, unforgeability, anonymity, traceability, and non-frameability.

Definition 2. Correctness: We argue that the disavowal ring signature is correct, and the confirmation/disavowal algorithm may identify the signer of the signature if the signature generated by the right signature algorithm is approved by the verification method. With respect to adversary A, safety parameters k, and experiment $Ex{p}_{DRS,A}^{corr}\left(k\right)$, we formally characterize the correctness of the deniable ring signature as follows:

1. Initialize the list: List←0̸, MList←0̸, GSet←0̸.

2. Adversary A inquires the oracle machine: (ID_k; M; ID₁, …, ID_L′)←A(1^k, Add(⋅), Reg(⋅, ⋅), Crpt(⋅), C/D(⋅, ⋅, ⋅), DRSign(⋅; ⋅, ⋅)).

3. If {ID₁, ID₂, …, ID_i, …, ID_n}⁄ ∈ List \MList, then return 1.

4. Simulator calculations $\sigma \leftarrow S\left(s{k}_{i_k},M,p{k}_{i_1},\dots ,p{k}_{i_L}^{\prime }\right)$, if verified $V\left(M,\sigma ,p{k}_{i_1},\dots ,p{k}_{i_L^{\prime }}\right)=0$, then return 1.

5. If the returned disavowal algorithm from C/D(ID_k, M, σ) executed successfully, then return 1.

6. If the returned confirmation algorithm from C/D(ID_j ≠ ID_i, M, σ) executed successfully, then return 1.

7. In other cases, return 0.

The definition of adversary A’s advantage is as follows: $Ad{v}_{\Sigma ,A}^{corr}=Pr\left[Ex{p}_{\Sigma ,A}^{corr}=1\right]$. The deniable ring signature strategy is correct if the advantage $Ad{v}_{\Sigma ,A}^{corr}$ is small compared to any PPT opponent A.

Definition 3. Unforgeability: Through the experiments between simulator S and PPT adversary A to formally define unforgeability. First, the simulator S generates the system parameter and sends it to the adversary, then initializes each list, A adaptive query oracle, output message, public key list, and forged signatures, and then passes through the verification function to verify.

Formal definition: For a deniable ring signature, an arbitrary adversary A, define the experiment $Ex{p}_{\Sigma ,A}^{euf}$ as follows:

1. Initialize the list: List←0̸, MList←0̸, GSet←0̸.

2. Adversary A asks the oracle for messages, public keys, and forged signatures: $\left(M,{\sigma }^{\ast },p{k}_{i_1},\dots ,p{k}_{i_L^{\prime }}\right)\leftarrow A\left(1^k,Add\left(\cdot \right),Reg\left(\cdot ,\cdot \right),Crpt\left(\cdot \right),C/D\left(\cdot ,\cdot ,\cdot \right),DRSign\left(\cdot ;\cdot ,\cdot \right)\right)$ and σ^∗ is not obtained by querying the signature oracle machine DRSign(⋅; ⋅, ⋅).

3. For all i ∈ [1, n], the identity ID_i⁄ ∈ List \MList corresponding to pk_i.

4. If $V\left(M,\sigma ,p{k}_{i_1},\dots ,p{k}_{i_L^{\prime }}\right)=1$, then return 1; otherwise, return 0.

The opponent A’s advantage is defined as follows: $Ad{v}_{\Sigma ,A}^{euf}=Pr\left[Ex{p}_{\Sigma ,A}^{euf}=1\right]$. For every PPT opponent A, the deniable ring signature method is unforgeable if the advantage $Ad{v}_{\Sigma ,A}^{euf}$ is insignificant.

Definition 4. Anonymity: Through the experiments between simulator S and PPT adversary A to formally define unforgeability. The simulator S generates the system parameter and sends it to the adversary, then initializes each list, A adaptive query oracle, outputs a bit d.

Formal definition: We describe the experiment $Ex{p}_{DRS,A}^{anon-b}\left(k\right)$ for a deniable ring signature, an arbitrary adversary A , a bit b ∈ 0, 1, and a security parameter k as follows:

1. Initialize the list: List←0̸, MList←0̸, GSet←0̸.

2. Adversary A inquires the oracle machine, outputs a bit d ∈ 0, 1, return d: d←A(1^k, Ch_b(⋅, ⋅, ⋅), Add(⋅), Reg(⋅, ⋅), Crpt(⋅), C/D(⋅, ⋅, ⋅), DRSign(⋅; ⋅, ⋅)).

Defining the advantages of an adversary A:

$Ad{v}_{\Sigma ,A}^{anon}=\left|Pr\left[Ex{p}_{\Sigma ,A}^{anon-1}=1\right]-Pr\left[Ex{p}_{\Sigma ,A}^{anon-0}=1\right]\right|=\left|2Pr\left[Ex{p}_{\Sigma ,A}^{anon-b}=b\right]-1\right|$.

When the deniable ring signature technique is anonymous, it means that the advantage $Ad{v}_{\Sigma ,A}^{anon}$ is negligible in comparison to any PPT opponent A.

Definition 5. Traceability: Traceability means that a real signer of a deniable ring signature can be traced by a confirmation/denial algorithm, through the experiments between simulator S and PPT adversary A to formally define unforgeability. The simulator S generates the system parameter and sends it to the adversary, then initializes each list, A adaptive query oracle, output message, public key list and signatures, and then passes through the verification function to verify.

Formal definition: For a deniable ring signature, arbitrary adversary A, and security parameters k, define the experiment $Ex{p}_{DRS,A}^{trace}\left(k\right)$ shown as follows:

1. Initialize the list: List←0̸, MList←0̸, GSet←0̸.

2. Adversary A inquires the oracle machine, outputs messages, public key lists, and signatures: $\left(M,\sigma ,p{k}_{i_1}\right),\dots ,p{k}_{i_L^{\prime }}\leftarrow A\left(1^k,Add\left(\cdot \right),Reg\left(\cdot ,\cdot \right),Crpt\left(\cdot \right),C/D\left(\cdot ,\cdot ,\cdot \right),DRSign\left(\cdot ;\cdot ,\cdot \right)\right)$.

3. If $V\left(M,\sigma ,p{k}_{i_1},\dots ,p{k}_{i_L^{\prime }}\right)=0$, then return 0.

4. If users $P_{i_1},\dots ,P_{i_L^{\prime }}$ can deny (M, σ), then return 1; otherwise, return 0.

Define the advantage of the adversary A: $Ad{v}_{\Sigma ,A}^{trace}=Pr\left[Ex{p}_{\Sigma ,A}^{trace}=1\right]$. If the advantage $Ad{v}_{\Sigma ,A}^{trace}$ is negligible against any PPT adversary A, then the deniable ring signature scheme is traceable.

Definition 6. Non-frameability: Non-frameability means that adversary A enables non-signers to deny signatures and ensures that adversary A cannot frame real signers, through the experiments between simulator S and PPT adversary A to formally define unforgeability. The simulator S generates the system parameter and sends it to the adversary, then initialize each list, A adaptive query oracle, output message, public key list and signatures, and then through the verification function to verify.

Formal definition: For a deniable ring signature, arbitrary adversary A, and security parameters k, define the experiment $Ex{p}_{DRS,A}^{nf}\left(k\right)$ shown as follows:

1. Initialize the list: List←0̸, MList←0̸, GSet←0̸.

2. Adversary A inquires the oracle machine, outputs messages, public key lists, and signatures: $\left(M,\sigma ,p{k}_{i_1},\dots ,p{k}_{i_L^{\prime }}\right)\leftarrow A\left(1^k,Add\left(\cdot \right),Reg\left(\cdot ,\cdot \right),Crpt\left(\cdot \right),C/D\left(\cdot ,\cdot ,\cdot \right),DRSign\left(\cdot ;\cdot ,\cdot \right)\right)$.

3. If V(M, σ, pk_i1, …, pk_iL′) = 0, then return 0.

4. If the following conditions are met, return 1; otherwise, return 0.

   1. The existence of user P_it cannot be denied (M, σ), t ∈ [1, L]′, i.e., user P_it is not the signer.

   2. Adversary A has not been queried Crpt(ID_t), or DRSign(ID_t; M, ID₁, …, ID_t−1, ID_t+1, .., ID_L).

Define the advantage of the adversary A: $Ad{v}_{\Sigma ,A}^{nf}=Pr\left[Ex{p}_{\Sigma ,A}^{nf}=1\right]$. If the advantage $Ad{v}_{\Sigma ,A}^{nf}$ is negligible against any PPT adversary A, then the deniable ring signature scheme is not defamatory.

Scenario description

This section will introduce the design of a deniable ring signature scheme based on ISRSAC, which consists of six PPT algorithms.

1. System initialization (Setup (λ) → params): Given the security parameters λ, output the system parameter params.

2. Key generation (KeyGen (params) → (pk; sk)): Given the system parameter params, the user in the ring performs the following steps:

   1. Select two large integers p and q, where p > 3, q > 3, generate n = p⋅q⋅(p − 1)⋅(q − 1), m = p⋅q.

   2. Randomly select an integer r that meets the conditions p > 2^r < q and generate α(n) = ((p − 1)(q − 1)(p − 2^r)(q − 2^r))/2^r.

   3. Select the public key index e to satisfy 1 < e < α(n) and gcd(e, α(n)) = 1.

   4. Calculate the private key index d, meet the condition: e⋅d ≡ 1(modα(n)).

   5. Output the public–private key pair pk = (e, n), sk = (d, m).

3. Signature generation (Sign (m; sk_i; L) → sig): Given the message M, the private key sk_i of the signer A_i, the signer forms a list L = pk₁, …, pk_n of public keys through n − 1 random users’ public keys and their own private keys, hash function H(M):[0, 1]^∗ → Z_m, perform the following steps:

   1. User A_i calculates $S_i=H{\left(M\right)}^{d_i}\cdot {\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}\left(\mathrm{}modn\right)$.

   2. The other ring members calculate S_j = H(M)^e_ie_j(modn), where j = 1, 2, …, i, …, n.

   3. Output (S₁, S₂, …, S_n) about the ring signature of M.

4. Verification (Verify (m; sig; L) → (accept/reject): The verifier receives the message M′ and the ring signature value $\left(S_1^{\prime },\dots ,S_n^{\prime }\right)$, and execute the following steps:

   1. Calculate the value of H(M′).

   2. Calculate the value of ${\prod }_{j=1}^n{S_j^{\prime }}^{e_j}$.

   3. Determine whether there is ${\prod }_{j=1}^n{S_j^{\prime }}^{e_j}\equiv H\left(M^{\prime }\right)\left(\mathrm{}modn\right)$. If satisfied, output “accept”; otherwise, output “reject”.

5. Confirmation (Confirm: (P⇔V): An interaction algorithm between the prover P (i.e., signer) and the verifier V that the prover P can use to prove that it generated the corresponding ring signature. The verifier V has a message M, signature value $\left(S_1^{\prime },S_2^{\prime },\dots ,S_n^{\prime }\right)$, and public key list L, and the prover P proves through a confirmation algorithm that the ring signature was generated by it. The confirmation steps are as follows:

   1. P → V: The prover selects $t\in Z_q^{\ast }$ randomly, calculate R = H(M)^t(modn), and sent R to the verifier.

   2. V←P: The validator picks $u\in Z_q^{\ast }$ at random and sends u to the prover.

   3. P → V: The prover calculates w = t − u⋅d_i(modn) and sends w to the verifier, where $d_i={log}_{H\left(M\right)}^{\frac{S_i}{{\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}}}\left(\mathrm{}modn\right)$. The verifier verifies whether $R=H{\left(M\right)}^w{\left(\frac{{\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}}{A}\right)}^u\left(\mathrm{}modn\right)$ is valid, and if so, determines that the signature is signed by the prover.

6. Disavowal (Disavow: (P⇔V): The disavowal algorithm is an interactive algorithm between the prover P(non − signerA_j, j ≠ i) and the verifier V, which the prover P can use to deny that a ring signature has ever been generated. The algorithm requires the participation of three parties, three transmissions, and is implemented using the public key system. The unique identity of the user A_j is I_Aj transformed by the hash function to obtain the corresponding hash value J_Aj = H(I_Aj), and the trusted arbitrator T assigns the key function S_Aj = (H_Aj)^−d_j(modn) to A_j. The negative steps as follows:

   1. P → V: The prover P chooses a random number r, 1 ≤ r ≤ n − 1, calculates x = r^e(modn), where r is the secret random number chosen by P, P sends (I_Aj, x) to V.

   2. V←P: The verifier V selects the random number u, 1 ≤ u ≤ e, and sends u to P.

   3. P → V: The prover P calculate $y=r\cdot S_{A_j}^u\left(\mathrm{}modn\right)$, send to the verifier V, after V receives y, V calculates I_Aj from J_Aj = H(I_Aj) and $J_A^u\cdot Y^e\left(\mathrm{}modn\right)$, if the result is not equal to x, then the signature is considered not signed by the prover.

Theorem 1. The deniable ring signature based on ISRSAC satisfies correctness

Proof: Assuming that the disavowal ring signature value of the generated message M is σ = (S₁, …, S_n), the correctness of the verification, confirmation and disavowal algorithms of the signature scheme were discussed below.

The correctness of the verification algorithm: Suppose the received message is M′, whose ring signature $\left(S_1^{\prime },\dots ,S_n^{\prime }\right)$ is composed of the $S_i^{\prime }$ through the H₁(⋅) operation in the signature generation algorithm, according to the equation ${\prod }_{i=1}^n{S}_i^{\prime e_i}=S_{\pi }^{\prime e_{\pi }}\cdot {\prod }_{j=1,j\ne \pi }^n{S}_i^{\prime e_i}$, where $S_{\pi }^{\prime }=H_1{\left(M^{\prime }\right)}^{d_{\pi }}\cdot {\prod }_{i=1,i\ne \pi }^n{H}_1{\left(M^{\prime }\right)}^{-e_i^2}\left(\mathrm{}modn\right)$ and ${\prod }_{i=1,i\ne \pi }^n{S}_i^{\prime e_i}={\prod }_{i=1,i\ne \pi }^n{H}_1{\left(M^{\prime }\right)}^{e_{\pi }{e}_i^2}\left(\mathrm{}modn\right)$. Then we have: ${\prod }_{i=1}^n{S}_i^{\prime e_{\pi }}=S_{\pi }^{\prime e_{\pi }}\cdot {\prod }_{j=1,j\ne \pi }^n{S}_j^{\prime e_j}=H_1{\left(M^{\prime }\right)}^{d_{\pi }{e}_{\pi }}\cdot {\prod }_{i=1,i\ne \pi }^n{H}_1{\left(M^{\prime }\right)}^{-e_{\pi }{e}_i^2}\left(\mathrm{}modn\right)=H_1\left(M^{\prime }\right)\left(\mathrm{}modn\right)$. Therefore, the signature verification algorithm satisfies the correctness.

The correctness of the confirmation algorithm: The signer indicates that the message M has been signed by the confirmation algorithm, and the final verifier needs to verify whether the following equation is established $R=H{\left(M\right)}^w{\left(\frac{S_i}{{\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}}\right)}^u\left(\mathrm{}modn\right)$. Because the interaction phase has been calculated: $d_i={log}_{H\left(M\right)}^{\frac{S_i}{{\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}}}\left(\mathrm{}modn\right)$ and $\frac{S_i}{{\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}}=H{\left(M\right)}^{d_i}\left(\mathrm{}modn\right)$, it is possible to verify the correctness of the algorithm, that is, to verify the equation. A non-signer cannot indicate that a message M was signed by an confirmation algorithm, because the non-signer does not know d_i and cannot generate w that satisfies the equation w = t − u⋅d_i(modn), i.e., a non-signer can only make the equation established by guessing the value of d_i, $d_i\in Z_q^{\ast }$, then the probability that the non-signer indicates that the message was signed by the confirmation algorithm is 1/q, which can be ignored.

Theorem 2. If the probability of an adversary A winning in any polynomial time is negligible, then the deniable ring signature based on ISRSAC satisfies unforgeability

Proof: A simulator S can be built to solve the big integer factorization problem with a non-negligible advantage, assuming that there exists a PPT opponent A that is capable of forging signatures.

1. System establishment stage:

   1. The simulator S generates system parameters params and sends them to the adversary A;

   2. The simulator S initialize the lists: List←0̸, MList←0̸, GSet←0̸;

   3. The simulator S sets n ring members $\left\{A_1^{\ast },A_2^{\ast },\dots ,A_n^{\ast }\right\}$, so that each member’s public key is $p{k}_i^{\ast }=\left(e_i,n_i\right)$, i = 1, 2, …, n, and sends it to the adversary A.

2. Inquiry stage:

   1. The adversary A adaptively queries the oracle machine Add(⋅) and returns the user’s public key pk_i;

   2. The adversary A adaptively queries the corrupt oracle machine Crpt(⋅) and returns the user’s private key sk_i;

   3. The adversary A adaptively queries the signature oracle DRSign(⋅) to return the signature value σ = Sign(m, sk_i, pk₁, …, pk_n);

   4. The adversary A adaptive inquiry confirmation/denial oracle machine C/D(⋅, ⋅, ⋅).

3. Challenge stage: The adversary A returns a forged signature σ^∗, and for the same signed message and signer identity, if the adversary A successfully forges an unqueried signature σ^∗, the ring signature value S_i in the ring signature (S₁, …, S_n) is generated by $S_i=H{\left(M\right)}^{d_i}\cdot {\prod }_{j=1,j\ne i}^{n}H{\left(M\right)}^{-e_j^2}\left(\mathrm{}modn\right)$ in the deniable ring signature scheme based on ISRSAC, and obviously the private key d_i is required for the signing process. In the event that the adversary A is successful in forging the ring signature, it will be imperative to ascertain the private key d_i of the ring member A_i. Since the adversary A relies on the challenging task of breaking large integers to crack private keys, the probability σ^∗ of the adversary’s successful forgery is small, meaning that the scheme satisfies the unforgeability requirement.

Theorem 3. The deniable ring signature based on ISRSAC satisfies anonymity

Proof: The simulator S generates system parameters params and sends them to the adversary A. The adversary A adaptively queries each oracle machine, and sends the signed message M^∗ and the public key ring L^∗ = {pk₁, …, pk_n} to the simulator S. The simulator randomly selects one π(1 ≤ π ≤ n), calculates σ_π←RSign(M^∗, n, L^∗, sk_π), and sends σ_π to the adversary A.A guesses the corresponding value π′. If π′ ≡ π , then the simulation succeeds; otherwise, the simulation fails.

Assuming that the adversary A’s computing power is unlimited and all publicly available parameter information in the scheme is known, adaptive access to all oracle machines is available. The simulator S randomly selects a ring member w to sign the message m. It can be seen S_j = H(M)^e_ie_j(modn) from the deniable ring signature based on ISRSAC algorithm that when w constructing each ring signature value, it is necessary to first randomly generate a public–private key pair that is distinguishable from the existing member, that is, the probability of the ring member generating all S_i is 1/n, 1/n, …, 1/n (n in total), that is, the probability of any ring member generating the value of the ring signature is 1/n, 1/n, …, 1/n (n in total). Therefore, the probability that the adversary A can successfully distinguish the real signer among the members in the ring is not greater than 1/n, and the probability of simulation success is negligible, that is, $Ad{v}_{\Sigma ,A}^{anon}=|2Pr\left[Ex{p}_{\Sigma ,A}^{anon-b}=b\right]-1|$ is negligible, so it is proved that the deniable ring signature scheme based on ISRSAC satisfies anonymity.

Analysis of communication overhead

We employ the following symbols in our experiments: The symbols p, c, e, m, n, and k represent paring, elliptic curves, exponentiation, and scalar multiplications, respectively. The variables |q|, |z|, and |G| represent the number of bits of the prime numbers q, z and the number of bits of the components in group G.

Komano et al. (2006) first put up the idea of deniable ring signature, which is similar to a group signature scheme without the need for a group manager. However, the computational expense of signing and verifying is more than that of group signatures, and the signature algorithm’s communication overhead is (2n + 1)|q| + |G|.

Compared with the scheme of Komano et al. (2006), the deniable ring signature scheme designed based on the SM2 national secret algorithm has less communication overhead in the signature algorithm; that is (n + 2)|q| + |G|, which is more practical.

The deniable ring signature scheme designed by Gao et al. (2018) based on the lattice leads to a larger signature size due to the addition of repudiation, and the scheme can resist quantum attacks, so it has a certain price in terms of signature size, and has non-interaction and repudiation.

The conditional anonymous ring signature scheme proposed by Zeng, Jiang & Qin (2012) under the security model of Komano et al. (2006) is four times faster in the signing and verification stages, and has a constant cost because the scheme confirms and denies the protocol as non-interactive.

In order to significantly reduce the amount of time needed for communication, Jiang et al. (2021) introduced a lightweight anonymous authentication mechanism for VANETs based on the combination of ring signature and blockchain technology. User authentication simply needs to confirm whether the identity information is stored on the blockchain. The blockchain consensus technology simultaneously places the onus of privacy protection on users.

In the deniable ring signature based on ISRSAC algorithm proposed in this study, the output signature value is σ = (S₁, S₂, …, S_n), where $S_1,S_2,\dots ,S_n\in Z_q^{\ast }$. The communication cost of the signature algorithm is n|q|, that is, the communication cost of the signature algorithm has a linear relationship with the ring member. In the confirmation algorithm, the communication content is t, R, u, w, where $t,R,u,w\in Z_q^{\ast }$, that is, the confirmation algorithm communication overhead is 4|q|. In a disavowal algorithm, the communication content is x, u, y, where $x,u,y\in Z_q^{\ast }$, that is, the disavowal algorithm communication overhead is 3|q|. A comparative analysis of the above programs is shown in Table 2.

For visual comparison, we set |q| = 512 bits, |G| = 256 bits. The comparison of the signing communication overhead of each scheme is shown in Fig. 1.

Analysis of computational overhead

In the analysis of computational overhead, three schemes of interactive confirmation/denial algorithms are selected for comparison. We use T_mul to represent the point multiplication of elements on G; T_add to represent the addition of dots of elements on G; T_H1 means to execute the hash function $H_1:{\left\{0,1\right\}}^n\to Z_q^{\ast }$; T_H2 means to execute the hash function H₂:{0, 1}ⁿ → G; T_inv represents the inverse operation performed on $Z_q^{\ast }$. The deny phase is set to round v = 1. The comparison of the computational overhead of the deniable ring signature scheme based on ISRSAC, the deniable ring signature based on SM2 and scheme Komano et al. (2006) is shown in Table 3.

In summary, the deniable ring signature based on ISRSAC has good practicality and is suitable for scenarios such as the anonymous authentication system. It can be used to implement an anonymous authentication system in which users can provide a ring signature to prove that they have an identity or authority while still being able to deny their own signature and protect personal privacy.

In digital asset transactions, anonymity and non-repudiation of transaction behavior are ensured. Trading participants can use a deniable ring signature to prove that they have sufficient funds to trade while also denying their own signature, preventing others from tracking the flow of their funds.

In secure communication, it can be used to ensure the confidentiality and non-repudiation of communications. The sender can sign messages using a deniable ring signature while denying its own signature, protecting the confidentiality of the communication and avoiding denial signatures by third parties.

In digital proof of stake, it can be applied to digital proof of stake, such as digital copyright protection. Copyright owners can use a deniable ring signature to prove that they own copyright to digital content while also being able to deny their own signature to prevent others from denying copyright attribution.

In summary, the deniable ring signature based on ISRSAC demonstrates good practicality and is suitable for scenarios such as anonymous authentication systems. It can be employed to establish an anonymous authentication system wherein users can furnish a ring signature to authenticate their identity or authority yet retain the ability to repudiate their own signature, thus safeguarding personal privacy.