[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Next Article in Journal
Factor Investment or Feature Selection Analysis?
Previous Article in Journal
Reconstruction of Random Structures Based on Generative Adversarial Networks: Statistical Variability of Mechanical and Morphological Properties
You seem to have javascript disabled. Please note that many of the page functionalities won't work as expected without javascript enabled.
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

A Privacy-Preserving Reputation Evaluation System with Compressed Revocable One-Time Ring Signature (CRORS)

1
School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
2
Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing 100044, China
*
Author to whom correspondence should be addressed.
Mathematics 2025, 13(1), 8; https://doi.org/10.3390/math13010008
Submission received: 25 November 2024 / Revised: 18 December 2024 / Accepted: 21 December 2024 / Published: 24 December 2024

Abstract

:
Reputation evaluation systems are vital for online platforms, helping users make informed choices based on the trustworthiness of products, services, or individuals. Ensuring privacy and trust in these systems is critical to allow users to provide feedback without fear of retribution or identity exposure. The ring signature (RS), enabling anonymous group-based signing, has garnered attention for building secure and private reputation systems. However, RS-based systems face significant challenges, including the inability to identify malicious users who repeatedly sign the same message, the lack of mechanisms to reveal identities involved in unlawful activities, and a linear growth in signature size with the number of ring members, which poses storage challenges for certain applications. Addressing these limitations, we propose a compressed revocable one-time ring signature (CRORS) scheme leveraging compressible proofs under the Diffie–Hellman Decision and Discrete Logarithm assumptions in the random oracle model. CRORS ensures anonymity, unforgeability, one-time linkability, non-slanderability, and revocability. The one-time linkability feature prevents double-signing, while revocability enables identity disclosure for regulatory enforcement. Additionally, the signature size is reduced to O ( log n ) , significantly enhancing storage efficiency. These improvements make CRORS particularly suitable for blockchain-based reputation systems with ever-growing storage demands. Theoretical analysis validates its effectiveness and practicality.

1. Introduction

Reputation evaluation systems have become indispensable in today’s digital landscape, playing a crucial role in building trust among users of online service platforms. The systems empower users to assess the credibility and reliability of entities, which can include products, services, businesses, or individuals. A fundamental requirement for the effectiveness of such systems is the ability for users to provide honest feedback without revealing their identities, ensuring privacy and trust. Reputation evaluation systems serve as intermediaries that collect, aggregate, and display user-generated content, such as ratings and reviews, to help other users make informed decisions. These systems are employed in a wide range of online service platforms, including e-commerce systems [1], social media networks [2,3], and peer-to-peer marketplaces [4]. In online restaurant systems, customers can evaluate the food and restaurant after enjoying the food in an online restaurant. However, due to intense market competition, some restaurants may engage in personal attacks or malicious harassment against customers who leave negative feedback. This results in evaluators becoming hesitant to publish impartial evaluations, ultimately damaging the reputation of online service platforms. Additionally, due to the lack of privacy protection, evaluators’ identities are revealed in the comment areas, further discouraging customers from evaluating restaurants online. Meanwhile, certain restaurants enlist users who have not dined in restaurants to repeatedly evaluate their restaurants multiple times as a means of boosting their own rating or to maliciously slander the evaluations of their competitors, thereby deceiving customers and causing competition imbalance.
Kinateder et al. [5] presented a reputation evaluation system that incorporated a trusted mechanism within the recommender’s platform to gather sensitive recommendations. Schaub et al. [6] proposed a decentralized and anonymity-preserved reputation system, utilizing blockchain technology, ideal for e-commerce applications, providing trustworthiness without the need for trusting third parties or fellow users. Liu et al. [7] designed an effective and anonymous reputation system by utilizing randomizable signatures. This system provides confidentiality for individual reviews and protects consumers’ identities, revealing only the aggregated review statistics for retailers. Qi et al. [8] presented a blockchain-assisted, protected reputation system that eliminates e-commerce platform trust while ensuring the authenticity of sellers’ reputations. The concept of purchasing-endorsed feedback and a three-party collaboration protocol combats the injection of counterfeit feedback. An et al. [9] introduced an ID-based dynamic group signature scheme for reputation evaluation systems, which effectively handles group member additions and revocations while eliminating the complexities of certificate management and safeguarding users’ identity privacy. However, despite these advantages, such reputation evaluation systems often entail high implementation costs. Furthermore, they lack mechanisms for supervision and tracking while maintaining privacy protection. One promising solution to address these concerns for reputation evaluation systems is to use digital signatures, like ring signatures.
The ring signature (RS), originally introduced by Rivest et al. [10], has emerged as a widely used cryptographic primitive that guarantees the privacy of users. RS allows a user to anonymously sign a message on behalf of a self-selected group, referred to as a “ring”. It ensures the anonymity of the actual signer while enabling any verifier to validate the ring signature without identifying the specific member responsible for it. The design of RS is primarily driven by two objectives: spontaneity and anonymity. Spontaneity enables the signer to independently form a ring without prior communication with other members, ensuring an unbiased and random selection of the group. Unlike group signature schemes, RS eliminates the need for a group manager or a secret-sharing setup phase, which is a direct outcome of its spontaneous nature. Anonymity, also known as signer indistinguishability, ensures that the actual signer’s identity remains hidden within the ring. Therefore, RS can be particularly suited for decentralized systems and has gained attention due to the development of blockchains [11]. However, in some RS-based systems, without a manager in RS, users may abuse their anonymity to sign one message multiple times, such as double-spending, which is not allowed in these systems.
So to limit this excessive anonymity in RS, in 2004, a linkable ring signature (LRS) scheme was presented by Liu et al. [12]. LRS retains the fundamental characteristics of traditional RS while incorporating the feature of linkability, which ensures that users’ anonymity is preserved. Linkability allows the detection of a user who signs the same message multiple times. This property is critical in blockchain-based cryptocurrency systems, as it helps prevent double-spending attacks while maintaining user anonymity by ensuring that each UTXO is used only once. LRS can be applied in some real-life scenarios, such as e-voting [13], e-cash [14], and the RingCT in Monero cryptocurrency [15].
Then, in order to identify the malicious users, the concept of traceable ring signature (TRS), also known as revocable ring signature (RRS), was proposed. In 2007, Fujisaki et al. [16] designed a TRS scheme. The TRS scheme is capable of revealing the identities of malicious users if a malicious user signs the same message twice and produces two different signatures. The revocability of TRS can reveal the identities of malicious users and enhance the trustworthiness of TRS. TRS can be applied in revocable e-cash systems [17] and anonymous offline coupon services [18,19].
Therefore, we consider the schemes above and incorporate one-time linkability and revocability into RS to construct our new scheme, Compressed Revocable One-time Ring Signature (CRORS), for reputation evaluation systems. We allow a user in our scheme to anonymously sign only one signature, which is called one-time linkability in this work. We incorporate a revocation authority into our scheme, allowing it to utilize its secret key to disclose the identities of actual users when necessary. Our scheme ensures mandatory revocability, enabling the revocation authority to lift user anonymity and identify the actual user at any time.

1.1. Related Work

Ring Signature. Since the first RS scheme was proposed in 2001 by Rivest et al. [10], extensive research was devoted to this area, and more RS schemes [12,16,20,21,22,23,24] were proposed. Among them, Refs. [21,23,24] constructed RS schemes based on dynamic accumulators [25], and Refs. [12,16,22] used zero-knowledge proof of partial knowledge [26] to construct RS. The original motivation in RS is to ensure the anonymity of ring members. However, in certain scenarios such as e-voting applications, once malicious ring users exist, they can vote many times without revealing their own identities, which can lead to double-spending.
Linkable Ring Signature. To limit the abuse of anonymity in RS, Liu et al. [12] proposed an LRS scheme in 2004, which can check whether two valid signatures were signed by the same user and still maintain user’s anonymity. Following that, various LRS schemes [24,27,28,29,30,31,32,33] were put forward. Of these, ref. [24] constructed an identity-based LRS with constant signature size. Ref. [28] gave the generic construction for LRS. Ref. [30] proposed a logarithmic-size LRS in the standard model and provided a stronger security model for LRS. Ref. [31] presented a one-time LRS that satisfies both untraceability and unlinkability payments for anonymous transactions and provides one-time linkability to detect if a user generates multiple signatures while still keeping user’s identity privacy. Refs. [27,32,33] constructed blockchain confidential transaction protocols based on LRS. While LRS can identify when a malicious user signs the same message multiple times, it does not provide honest users with the ability to uncover the identities of these malicious users.
Revocable (Traceable) Ring Signature. So in order to revoke the identity of a malicious user, the concept of TRS was introduced by Fujisaki et al. [16] in 2007. RRS can reveal the identities of malicious ring users while maintaining the anonymity of the honest users. Subsequently, various RRS schemes [18,34,35,36,37,38] were proposed. Among them, Ref. [34] proposed an RRS with mandatory revocability by using bilinear pairings. Ref. [35] reduced the signature size in [16] to sub-linear, and it was proven to be secure in the common reference string (CRS) model. Ref. [36] suggested an identity-based TRS with constant signature size from bilinear pairings. Ref. [37] proposed a k-times full TRS, which can trace the same user when he generated more than k signatures. Refs. [18,38] constructed lattice-based TRS to resist attacks by quantum computers.
Concurrent Work. Zhang et al. [17] proposed a revocable and linkable ring signature with similarities to our construction. When comparing the signature size, our construction offers logarithmic size in n while [17] gives a linear-size signature in n. In addition, we achieve one-time linkability; that is, a ring user can only use his private and public key pair one time to sign one message.

1.2. Motivations and Contributions

Motivations. Although RS provides anonymity to ring members, it poses potential challenges in certain scenarios, such as e-voting, e-cash, and blockchain [32]. Some malicious users can abuse this excessive anonymity of RS to sign the same message without restriction, thereby introducing security risks. For instance, in some blockchain-based reputation evaluation systems, the identity of honest users should be concealed, and malicious users should be detected once they engage in double-spending behavior, that is, when they sign one message multiple times. Then, the revocation authority needs to regulate the users. It can revoke the anonymity of malicious users at any time while ensuring the privacy of honest users’ identities remains protected. Moreover, to protect the identity of honest users fom being revealed, we set the user’s private key and public key to be one-time use. When the user signs another message, they need a run-key generation algorithm again to obtain a fresh private–public key pair. The one-time property ensures that multiple reputation comments cannot be linked to any user. Another point that should be considered is the signature size in these reputation evaluation systems, considering the structural features of blockchain-based reputation evaluation systems, which maintain a continuously growing chain structure to record multiple records that require a small signature size.
Taking these concerns into account, we propose a CRORS scheme to meet these requirements for reputation evaluation systems. First, CRORS allows a user to generate only one signature. Once a malicious user signs one message twice and produces two signatures, the one-time linkability of CRORS can detect this malicious user. Second, the revocability of CRORS can reveal malicious users in need while still preserving the anonymity of honest users. Third, we optimize the signature size of CRORS. Compared with other schemes, such as [17,31], where the signature size grows linearly with n, our CRORS scheme reduces the signature size to logarithmic-size ( O ( l o g n ) ). This reduction allows our CRORS scheme to be applied in blockchain-based reputation evaluation applications, where large-scale anonymous users are required to form the ring and a constantly growing chain to record multiple records.
Contributions.
  • Design of the CRORS Scheme with Strong Security Properties. We propose a Compressed Revocable One-Time Ring Signature (CRORS) scheme tailored for reputation evaluation systems, which incorporates five critical security properties: unforgeability, anonymity, one-time linkability, non-slanderability, and mandatory revocability. The one-time linkability property ensures that a user can generate at most one valid signature for a specific message, effectively preventing double-spending. The mandatory revocability feature allows the anonymity of malicious users to be lifted when necessary, supporting user accountability. To address unique threats in our application scenarios, we formalize the security model for CRORS and introduce precise definitions for one-time linkability and non-slanderability.
  • Efficient Compression of Ring Signatures. By leveraging techniques inspired by [39], our scheme achieves a significant reduction in signature size, compressing the ring signature length from linear complexity ( O ( n ) ) in previous schemes down to logarithmic complexity ( O ( l o g n ) ). This space optimization significantly reduces storage overhead, making the scheme practical for systems with large-scale anonymity sets.
  • Provable Security Analysis in the Random Oracle Model. We provide a provable security analysis of our proposed scheme within the random oracle model. The analysis is based on the computational hardness assumptions of the discrete logarithm (DL) problem and the decision bilinear Diffie–Hellman (DBDH) problem. The security analysis provides formal guarantees for the scheme’s robustness and reliability.
  • Comprehensive Theoretical and Experimental Analysis. We perform both theoretical and experimental analyses to evaluate the efficiency and practicality of the proposed CRORS scheme. Theoretical analysis shows that our scheme achieves a logarithmic signature size of O ( l o g n ) , significantly reducing storage and communication overhead compared to previous schemes with linear complexity. Experimental results further validate the theoretical findings, showing that the CRORS scheme maintains competitive signing and verification times, even as the number of ring members increases. Combined with its ability to compress signature sizes, the CRORS scheme is well suited for reputation evaluation systems, where efficiency, scalability, and privacy are essential.

2. Preliminaries

In this part, we provide an outline of the assumptions and technologies employed, and the notations are defined in Table 1.

2.1. Cyclic Groups and Assumptions

We consider cyclic groups G and G T of prime order q, assuming that the discrete logarithm (DL) problem in both G and G T is computationally hard.
  • Bilinear. a , b Z q , g G ; then, we have e ( g a , g b ) = e ( g , g ) a b .
  • Non-Degenerate. For any g G , there exists an element e ( g , g ) 1 .
  • Computability. The bilinear map e ( g , g ) can be efficiently computed for any g G .
Definition 1 (Discrete Logarithm (DL) Assumption).
For the pairs ( g , g a ) , where g a G , the discrete logarithm (DL) assumption holds if the advantage ε D L of any polynomial-time adversary A in solving the DL problem is negligible under the security parameter κ:
ε D L : = P r A D L ( g a , g ) = a : a Z q = negl ( κ )
Definition 2 (Decision Bilinear Diffie–Hellman (DBDH)).
For the tuples ( g , Z , g a , g b , g c ) , where Z G T , we state that the decision bilinear Diffie–Hellman (DBDH) assumption holds if the advantage ε D B D H for by any polynomial-time adversary A is negligible with respect to the security parameter κ:
ε D B D H : = P r A D B D H ( g , e ( g , g ) a b c , g a , g b , g c ) = 1 P r A D B D H ( g , Z , g a , g b , g c ) = 1 = negl ( κ )

2.2. Compressed Partial Knowledge Proofs

The concept of partial knowledge proofs, first proposed by Cramer et al. [26], can be three-move honest-verifier proofs that enable a prover to demonstrate a verifier that the prover has knowledge of k out of n (where k , n Z q , k n ) secrets, without revealing k secrets. Partial knowledge proofs are essential in the formation of RS, but as the ring members n increases, the size grows linearly, which brings a challenge for the practical implementation of RS. So in this work, we invoke the technique of [39] to design partial knowledge proofs with logarithmic communication complexity in the ring. By using Fiat–Shamir transformation [40], we change interactive proofs into non-interactive ones that are suitable for the CRORS scheme. There are some symbols in the protocols that need to be defined as follows.
We define the vectors g = ( g 1 , , g n ) G n and u = ( u 1 , , u n ) Z q n ; then, we have the multi-exponentiation g u = i = 1 n g i u i . Also v = ( v 1 , , v n ) Z q n and h = ( h 1 , , h n ) G n for the following operations.
  • g h = ( g 1 h 1 , g 2 h 2 , , g n h n ) G n , g c = ( g 1 c , g 2 c , , g n c ) G n and
  • u v = ( u 1 v 1 , u 2 v 2 , , u n v n ) Z q n for any c Z q .
And the left and right of vectors can be set, g L = ( g 1 , , g n 2 ) , g R = ( g n 2 + 1 , , g n ) G n / 2 , and so as u: u L = ( u 1 , , u n 2 ) , u R = ( u n 2 + 1 , , u n ) Z q n / 2 for any even dimension n.
Moreover, we define a group homomorphism commitment f : Z q n G , and the left and right of the homomorphism f can be defined as follows:
f L : Z q n / 2 G , u f ( u , 0 ) ,
f R : Z q n / 2 G , u f ( 0 , u ) ,
where u Z q n / 2 with n 2 zeros.
We introduce the Pedersen vector commitment [41] scheme, which provides the properties of hiding and binding. A prover commits a vector u Z q n to output a commitment C o m , which can be formed
C o m = h γ g u ,
where h G , g G n and γ Z q .
Then we construct the compressed partial knowledge proofs by using the technique of [39]. First, we give the following relation for a 1-out-of-n partial knowledge proof:
R P A R T I A L = ( g , P 1 , , P n G ; S = π 1 , , n , x π Z q ) : P i = g x i f o r a l l i S
Protocol 1 for relation R P A R T I A L , referred to as P A R T I A L and its detail is presented concisely in Table 2 for clarity. We denote P as a prover and denote V as a verifier. P A R T I A L is a compressed non-interactive protocol. The prover needs to compute a polynomial p ( X ) = 1 + i = 1 n 1 a i X i (where X 1 , , n ) to reduce the n-out-of-n partial knowledge case to the 1-out-of-n partial knowledge, and y Z q 2 n 1 . Then, we construct the Pedersen commitment to provide evidence to the verifier that the prover has knowledge of the secret. Moreover, we invoke the amortized protocol A M O R H O M to handle situations where the prover needs to open many linear forms ( y 1 , , y 2 n ) on one multi-exponentiation P ¯ . The communication costs of P A R T I A L only need logarithmic-size elements from the prover to the verifier.
We utilize the polynomial amortization technique, which is commonly used in secure multi-party computation (MPC) [42], in order to apply it to P A R T I A L and consider the following relation R A M O R H O M under the amortization scenario:
R A M O R H O M = ( P ¯ , f 1 , , f 2 n ; y ϕ ) : P ¯ = g y ϕ , f 1 = f 1 ( y ϕ ) , , f 2 n = f 2 n ( y ϕ )
where y ϕ = ( y 1 , , y 2 n ) = ( y , 0 ) = ( a 1 , , a n 1 , 0 , , p ( π ) x π , , 0 2 n 1 , 0 ) Z q 2 n . The prover first uses the hash function to compute a random value c ρ Z q given to the verifier, then the prover to compute the group homomorphism F = i = 1 2 n f i ( y ϕ ) c ρ i 1 , and the prover and verifier run c with P ¯ = g y ϕ and y = F ( y ϕ ) . The details of the protocol for relation R A M O R H O M , which are referred to as A M O R H O M , are outlined in Protocol 2 (Table 3).
As for c , it contains a non-interactive ∑-protocol and a compression mechanism 1 . We make the relation R c of c as follows:
R c = ( P ¯ G , F G T ; y ϕ Z q 2 n : P ¯ = g y ϕ , F = F ( y ϕ )
Protocol 3 in Table 4, denoted by c  , is a special honest-verifier zero-knowledge (HVZK) argument of knowledge with a logarithmic-size communication complexity for relation R c and needs to use 1 recursively in order to minimize communication costs. When the dimension of the witness in c reduces to four, the protocol aborts.
Finally, the compression mechanism 1 is a non-interactive proof, denoted by 1 , designed for relation R f . It aims to reduce the communication cost down to a logarithmic size by dividing vectors into two uniformly distributed parts at every recursive iteration. The relation is defined as follows, and 1 is described in Table 5.
R f = ( Q G , F G T ; z Z q n : Q = g z , F = F ( z )
As for another adaption, pairing-based k-out-of-n partial knowledge proofs, it works similarly to the basic protocol P A R T I A L , and the details can be read in [43]. And the communication costs of the pairing-based protocol is also logarithmic-size.

3. System Framework and Security Requirements

3.1. System Overview

In this section, we introduce an online restaurant reputation evaluation system based on our CRORS scheme. We set the online service platform as the revocation authority; that is, the manager of online service platform can revoke the identities of malicious users when the malicious users make untruthful comments on the system. The visiting customers are set as the users in the ring. Visiting customers can anonymously provide evaluations for the food and the restaurant. If a customer submits multiple evaluations for the same restaurant, the system managers and other users can link these evaluations to the same individual within the ring. To mitigate malicious evaluations, managers have the ability to reveal the actual identities of evaluators when necessary. It is assumed that the online service system managers are trustworthy. Figure 1 illustrates the structure of the restaurant reputation evaluation system.

3.2. Workflow of the Proposed System

The workflow of the proposed system in Figure 2 is as follows.
Step 1. The manager of an online service platform system runs the C R O R S . S e t u p algorithm to generate system parameters and gives the system parameters and the public key of the manager to everyone.
Step 2. When a customer visits an online restaurant, the customer provides his/her public key to and from the ring spontaneously. The customer runs the C R O R S . K e y G e n algorithm to obtain the private–public key pair.
Step 3. Customers can evaluate the attended restaurant either before or after dining and submit their feedback in the evaluation comment section by executing the C R O R S . S i g n algorithm.
Step 4. Anyone can verify the ring signature in the evaluation comment section by executing the C R O R S . V e r i f y algorithm. This allows the verifier to confirm that the evaluator is a legitimate customer who attended the restaurant without revealing the actual identity of the customer.
Step 5. When there are multiple evaluation comments written by the same customer, the manager can detect the customer corresponding to the two ring signatures by running C R O R S . L i n k algorithm immediately.
Step 6. In the case of false or malicious evaluation comments, the manager can identify the customer associated with the ring signature by executing the C R O R S . R e v o k e algorithm.

3.3. Definition of Compressed Revocable One-Time Ring Signature

A compressed revocable one-time ring signature (CRORS) scheme consists of the following six probabilistic polynomial-time (PPT) algorithms: C R O R S . S e t u p , C R O R S . K e y G e n , C R O R S . S i g n , C R O R S . V e r i f y , C R O R S . L i n k , and C R O R S . R e v o k e .
  • p p C R O R S . S e t u p ( κ ) : Given the security parameter κ , the C R O R S . S e t u p algorithm generates public parameters p p .
  • ( x i , y i ) C R O R S . K e y G e n ( p p ) : The C R O R S . K e y G e n algorithm outputs a key pair ( x i , y i ) based on the public parameters p p . The private keys and public keys are denoted as S K and P K , respectively.
  • σ C R O R S . S i g n ( x i , Y , y r e v , M ) : With a private key x i , public keys Y= ( y 1 , , y n ) , the revocation authority’s public key y r e v and message M, the C R O R S . S i g n algorithm produces a signature σ . The message space can be denoted as M ˚ and the signature space as σ ˚ .
  • a c c e p t / r e j e c t C R O R S . V e r i f y ( Y , y r e v , M , σ ) : The C R O R S . V e r i f y algorithm takes public keys Y= ( y 1 , , y n ) , the public key y r e v of the revocation authority, the message M, and signature σ as input and outputs either a c c e p t or r e j e c t .
  • l i n k e d / u n l i n k e d C R O R S . L i n k ( I 1 , I 2 , Y 1 , Y 2 , M , σ 1 , σ 2 ) : Given two key images I 1 and I 2 , two lists Y 1 and Y 2 of public keys, one message M, and two signatures σ 1 and σ 2 , where
    C R O R S . V e r i f y ( Y 1 , y r e v , M , σ 1 ) = a c c e p t and C R O R S . V e r i f y ( Y 2 , y r e v , M , σ 2 ) = a c c e p t , the C R O R S . L i n k algorithm outputs l i n k e d or u n l i n k e d .
  • y i C R O R S . R e v o k e ( Y , σ , x r e v ) : For public keys Y=( y 1 , , y n ), a signature σ and the revocation authority’s secret key x r e v , the C R O R S . R e v o k e algorithm yields a public key y i .
Correctness. A CRORS scheme must satisfy the following properties:
  • Verification Correctness: With overwhelming probability with regards to the signature signed by an honest ring, the user can be verified as valid.
  • Linking Correctness: Two ring signatures created using the same secret key of a user with the same key image must be linkable, ensuring that they can be identified as originating from the same signer.
  • Revocation Correctness: The revocation authority has the ability to disclose the actual user’s public key.

3.4. Definitions of Security Requirements

The security of the CRORS scheme is evaluated based on five core security requirements, namely unforgeability, anonymity, one-time linkability, non-slanderability, and revocability.
Then, adaptive queries to oracles implemented by a challenger C are used to capture attack behaviors. The adversary A can query the following three oracles, which we describe below.
  • JO (Joining Oracle).  y i JO ( ) . This oracle allows A to introduce a new user into the system. The challenger C maintains a list T j o i n to track such queries. Upon receiving a new request, C randomly selects public parameters p p , executes ( x i , y i ) C R O R S . K e y G e n ( p p ) to derive ( x i , y i ) , records ( x i , y i ) in T j o i n , and returns y i ( y i P K ) to A . This oracle allows A to access and observe the public keys of the users.
  • CO (Corruption Oracle).  x i CO ( y i ) . When a public key y i P K in T j o i n is given, the oracle outputs a private key. Upon a new query, C keeps a record by adding y i to a list T c o r r u p t , initially empty. Then, C supplies the adversary A with the corresponding private key x i S K , allowing A to compromise users.
  • SO (Signing Oracle).  σ SO ( Y , y r e v , y π , M ) . For a request involving public keys Y = ( y 1 , , y n ), the revocation authority’s public key y r e v P K , one public key y π , and one message M, the oracle returns one signature. The challenger C manages a list T s i g n , logging each query’s generated signature σ in T s i g n and then provides σ to A , facilitating the adversary’s acquisition of a valid ring signature.
Unforgeability: The property of unforgeability is defined through the security experiment E A u n f between an adversary A and a challenger C , as shown in Equation (7).
A d v A u n f ( κ ) = P r C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t y i T j o i n σ T s i g n , , i 1 , n : p p C R O R S . S e t u p ( κ ) ; ( Y , y r e v , M , σ ) A JO , CO , SO ( p p ) ;
Here, Y = y 1 , , y n , where y i P K with i 1 , n . y r e v P K is the public key of the revocation authority. All public keys are set as in T j o i n , and none are in the set T c o r r u p t . Additionally, the signature σ is not included in the set T s i g n . We denote the probability that the adversary A makes a successful attack as A d v A u n f ( κ ) .
The unforgeability experiment E A u n f proceeds as follows:
  • A invokes the C R O R S . S e t u p algorithm with κ , resulting in p p .
  • A makes adaptive queries to JO , CO and SO .
  • A provides the challenger C with public keys Y = y 1 , , y n , the revocation authority’s public key y r e v , one message M, and one forgery signature σ .
A wins the experiment under the following conditions:
  • All public keys originate from JO ;
  • C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t , and σ is not produced by SO ;
  • All public keys in Y remain unqueried to CO .
Definition 3 (Unforgeability).
A CRORS scheme is considered unforgeable when the advantage A d v A u n f ( κ ) of any probabilistic polynomial-time (PPT) adversary A is negligible in κ.
Anonymity: The property of anonymity is defined through the security experiment E A a n o involving C and A as expressed in Equation (8).
A d v A a n o ( κ ) = P r b = b : p p C R O R S . S e t u p ( κ ) ; ( y π 0 , y π 1 , Y , y r e v , M ) A JO , CO , SO ( p p ) ; b 0 , 1 ; σ b C R O R S . S i g n ( x π b , Y , y r e v , M ) ; b A SO ( σ b ) ; 1 2
Here y π 0 , y π 1 Y , Y= y 1 , , y n , where y i P K for i 1 , n . y r e v P K is a public key of the revocation authority, and b is randomly chosen from 0 and 1. x π b represents the associated private key of y π b . We denote the probability that the adversary A makes a successful attack as A d v A a n o ( κ ) .
The anonymity experiment E A a n o proceeds as follows:
  • A executes the C R O R S . S e t u p algorithm with κ to obtain p p .
  • A adaptively queries JO , CO and SO .
  • A provides two public keys ( y π 0 , y π 1 ) P K , both of which are outputs from JO , along with public keys Y = y 1 , , y n , the public key y r e v P K of a revocation authority and one message M. C randomly selects a coin b = 0 , 1 and computes σ b = C R O R S . S i g n ( x π b , Y , M , y r e v ) with x π b being the associated private key. A receives the ring signature σ b .
  • A produces a bit b 1 , , n . If b = b , the output is 1; otherwise, it is 0.
A wins the experiment if
  • ( y π 0 , y π 1 ) are not used in CO ;
  • b = b leads to an output of 1.
Definition 4 (Anonymity).
A CRORS scheme is considered anonymous when the advantage A d v A a n o ( κ ) of any PPT adversary A is negligible in κ.
One-time linkability: The property of one-time linkability is described through the security experiment E A o t l i n k between a challenger C and an adversary A as depicted in Equation (9).
A d v A o t l i n k ( κ ) = P r C R O R S . V e r i f y ( Y , y r e v , M , σ i ) = a c c e p t y k T j o i n , k 1 , n C R O R S . L i n k ( · , σ i , σ j ) = u n l i n k e d , i , j 1 , n + 1 , i j : p p C R O R S . S e t u p ( κ ) ; ( y r e v , Y , M ) A JO , CO ( p p ) ; ( σ 1 , , σ n + 1 ) A SO ( p p ) ;
Here Y= y 1 , , y n , where y k P K with k 1 , n . y r e v is a public key of a revocation authority. All public keys are set as in T j o i n . σ i is one valid signature in T s i g n with i 1 , n + 1 . We denote the probability of a successful attack by the adversary A as A d v A o t l i n k ( κ ) .
The one-time linkability experiment E A o t l i n k proceeds as follows:
  • A executes the C R O R S . S e t u p algorithm with κ to output p p .
  • A makes adaptive queries to JO , CO and SO .
  • A provides C a set Y of n public keys Y = y 1 , , y n , the revocation authority’s public key y r e v , one message M, and n + 1 signatures ( σ 1 , , σ n + 1 ) .
A wins under these conditions:
  • All public keys are generated by JO ;
  • C R O R S . V e r i f y ( Y , y r e v , M , σ i ) = a c c e p t for i 1 , n + 1 ;
  • C R O R S . L i n k ( · , σ i , σ j ) = u n l i n k e d for i , j 1 , n + 1 , i j .
Definition 5 (One-time Linkability).
A CRORS scheme is considered one-time-linkable when the advantage A d v A o t l i n k ( κ ) of any PPT adversary A is negligible in κ.
Non-slanderability: The property of non-slanderability is defined through the security experiment E A n s between a challenger C and an adversary A in Equation (10).
A d v A n s ( κ ) = P r C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t σ σ σ T s i g n y π T c o r r u p t y π T s i g n C R O R S . L i n k ( · , σ , σ ) = u n l i n k e d   : p p C R O R S . S e t u p ( κ ) ; ( Y , y r e v , M , y π ) A JO , SO ( p p ) ; x π A CO ( p p ) ; σ C R O R S . S i g n ( x π , Y , y r e v , M ) ; ( Y , y r e v , M , σ ) A JO , CO , SO ( σ ) ;
Here, Y , Y P K , σ , σ σ ˚ . A is constrained in that the public key y π selected by A cannot be included in either the T c o r r u p t or T s i g n . Furthermore, all public keys in both Y and Y are members of the T j o i n . Additionally, it is required that σ and σ are not equal and t σ t a h is not an element of the T s i g n . We denote the probability that the adversary A makes a successful attack as A d v A n s ( κ ) .
The non-slanderability experiment E A n s proceeds as follows:
  • A executes the C R O R S . S e t u p algorithm with a security parameter κ to output the public parameters p p .
  • A makes adaptive queries to JO , CO and SO .
  • A provides the challenger C public keys Y = y 1 , , y n , the public key y r e v of the revocation authority, one message M, and a public key y π that has not been in either T c o r r u p t or T s i g n .
  • A queries the oracle CO to obtain only one secret key x π and then queries the oracle SO and obtains a valid signature σ .
  • A outputs a forgery signature σ ( σ σ ) with a list Y of n public keys Y = y 1 , , y n , the public key y r e v of the revocation authority, and one message M.
A wins under these conditions:
  • C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t ;
  • y π has not been queried to CO ;
  • σ is not produced by SO ;
  • All public keys are in Y and Y are produced by JO ;
  • C R O R S . L i n k ( · , σ , σ ) = u n l i n k e d .
Definition 6 (Non-slanderability).
A CRORS scheme is considered non-slanderous when the advantage A d v A n s ( κ ) of any PPT adversary A is negligible in κ.
Revocability: The property of revocability is defined through the security experiment E A r e v involving C and A as depicted in Equation (11).
A d v A r e v ( κ ) = P r C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t y i T j o i n σ T s i g n y j = C R O R S . R e v o k e ( n , Y , σ , x r e v ) , i , j 1 , n , j π : p p C R O R S . S e t u p ( κ ) ; x π A CO ( p p ) ; ( Y , y r e v , M , σ ) A JO , CO , SO ( p p ) ;
Here, Y= y 1 , , y n , where y i P K with i 1 , n . y r e v is the public key of the revocation authority. Any public key y i chosen by A must belong to the T j o i n , and the signature σ cannot be in T s i g n . Moreover, the number of queries in CO is less than two, which implies that A can obtain only one private key identified as x π at most. We denote the probability that the adversary A makes a successful attack as A d v A r e v ( κ ) .
The revocability experiment E A r e v proceeds as follows:
  • A invokes the C R O R S . S e t u p algorithm with κ to derive p p .
  • A makes adaptive queries to JO , CO and SO .
  • A can obtain a single private key x π via CO .
  • A submits to C the public keys Y = y 1 , , y n , the revocation authority’s public key y r e v , one message M, and one forgery signature σ .
A wins the experiment if
  • C R O R S . V e r i f y ( Y , y r e v , M , σ ) = a c c e p t ;
  • σ is not produced by SO ;
  • All public keys are generated by JO ;
  • CO is queried at most once, indicating that A can obtain a single private key x π ;
  • y j = C R O R S . R e v o k e ( Y , σ , x r e v ) , where j π .
Definition 7 (Revocability).
A CRORS scheme is considered revocable when the advantage A d v A r e v ( κ ) of any PPT adversary A is negligible in κ.

4. Constructing Compressed Revocable One-Time Ring Signature

In this part, we construct a novel scheme for a compressed revocable one-time ring signature (CRORS). The CRORS scheme is designed as follows:
Setup: Let two groups G and G T be defined, both with prime order q, where q > 2 κ . Let g and h be the generators of G , and let e : G × G G t e T be a bilinear pairing. Additionally, define a cryptographic hash function H : 0 , 1 Z q . A random value r 1 Z p is selected, and the value R = g r 1 is computed. The public parameters p p = ( G , G T , e , g , h , H , q , R ) .
KeyGen: A ring user i randomly selects an element x i from Z p and then computes the corresponding public key y i as y i = g x i . Thus, user i has a secret and public key pair ( x i , y i ) = ( x i , g x i ) . The ring is defined by the set of public keys Y = y 1 , , y n , and the index of the actual user is denoted by π with 1 π n . Denote the private/public key pair of a revocation authority ( x ^ , y ^ ) , and so the corresponding public key can be computed as y ^ = g x ^ . And the details can be found in Algorithm 1.
Algorithm 1 CRORS.KeyGen( 1 κ , n )
Input: 
A security parameter κ
Output: 
A private–public key pair ( x π , y π ) of the user π , the private–public key pair ( x ^ , y ^ ) of TA
1:
Select π , 1 π n , as the index of the actual user
2:
The user π random selects x π Z q
3:
y π g x π
4:
TA random selects x ^ Z q
5:
y ^ = g x ^
6:
Return ( x π , y π ) , ( x ^ , y ^ )
Sign: Consider a set of n users’ public keys denoted as Y = y 1 , y 2 , , y n forming a ring. So a ring user π ( 1 π n ) has their own key pair ( x π , y π ) = ( x π , g x π ) . Let M 0 , 1 be a message that a user π wants to sign with the knowledge of the secret key x π . The details are shown in Algorithm 2. The user π then generates the signature as follows:
  • The user π computes the key image I and the revoking tag E as I = E = e ( R , y ^ ) x π .
  • Produce a non-interactive zero-knowledge proof denoted as S P K using the following procedure:
    S P K x i : i [ 1 , n ] y i = g x i i [ 1 , n ] I = E = e ( R , y ^ ) x i ( M )
    (For a detailed description of the S P K notation, the reader is referred to [44].
  • Output the signature σ of M with respect to Y, R, I π , and T (the transcript of S P K  (12)). An instantiation of S P K (12) can be found in Section 5.
Algorithm 2 CRORS.Sign( x π , y π , Y , R , I π , M )
Input: 
A private–public key pair ( x π , y π ) , the random values R and the message M
Output: 
Signature σ
1:
The user π computes I = E e ( R , y ^ ) x π
2:
T S P K x i : i [ 1 , n ] y i = g x i i [ 1 , n ] I = E = e ( R , y ^ ) x i ( M ) , where T is the transcript
3:
Return σ
Verify: The verifier performs the verification of S P K (12) given the tuples ( σ , Y , I , M , y ^ ) .
One-time link: Upon receiving two tuples, ( · , I 1 , σ 1 ) , ( · , I 2 , σ 2 ) . σ 1 and σ 2 are checked by the verifier if both are valid. Should both signatures prove to be valid, if I 1 = I 2 , the outputs are l i n k e d . Otherwise, reject. The details are shown in Algorithm 3.
Algorithm 3 CRORS.One-time Link( σ 1 , σ 2 )
Input: 
Two signatures σ 1 = ( · , I 1 , · ) and σ 2 = ( · , I 2 , · )
Output: 
l i n k e d or u n l i n k e d
1:
if  σ 1  and  σ 2  are invalid then
2:
    Reject σ 1 , σ 2 and abort the procedure
3:
else
4:
    if  I 1 = I 2  then
5:
        Return  l i n k e d
6:
    else
7:
        Return  u n l i n k e d
8:
    end if
9:
end if
Revoke: Upon receiving the tuples ( I , Y , y ^ , M , σ ) , initially, the revocation authority verifies if the signature σ is valid. If σ is invalid, it is subsequently rejected. In contrast, if the signature is valid, the revocation authority uses the private key x ^ to check the underlying equation as follows:
E = ? e ( y i , R ) x ^ , 1 i n
When the equation is satisfied, it follows that i = π . Therefore, based on the algorithm R e v o k e ( Y , σ , x ^ ) , the public key y π is revealed, indicating that the actual ring user π is the one who generated the signature. The details are shown in Algorithm 4.
Algorithm 4 CRORS.Revoke( Y , σ , x r e v )
Input: 
The public keys of vehicles Y = y 1 , , y n , a signature σ , a private key x r e v of a TA
Output: 
The actual user π
1:
The TA uses his private key x r e v = x to do the following steps:
2:
if  E = e ( y i , R ) x ^   then
3:
    Return The actual user π
4:
else
5:
    Abort
6:
end if

5. An Instantiation of CRORS

In the present study, an instantiation of S P K (12) within our proposed scheme is provided in this section. The S P K (12) relation is subsequently reviewed in the following way:
S P K x i : i [ 1 , n ] y i = g x i i [ 1 , n ] I i = E i = e ( R , y ^ j ) x i ( M )
First, we divide S P K (12) into two parts for clear presentation:
S P K x i : i [ 1 , n ] y i = g x i ( M )
S P K x i : i [ 1 , n ] I i = E i = e ( R , y ^ ) x i ( M )
To generate a transcript of S P K (15), given Y, it is necessary for the actual user, denoted as x π ( 1 π n ), to demonstrate the knowledge of x π among n distinct discrete logarithms x i , where y i = g x i for 1 i n , while simultaneously ensuring that π remains undisclosed. We describe the following relation for this 1-out-of-n partial knowledge proof:
R P A R T I A L S P K ( 15 ) = ( g , y 1 , , y n G ; S = π 1 , , n , x π Z q ) : y i = g x i f o r a l l i S
So we run P A R T I A L S P K ( 15 ) to produce a proof Δ S P K ( 15 ) from Table 6, Table 7, Table 8 and Table 9, where y ( 2 ) = ( y 1 ( 2 ) , , y 2 n 1 ( 2 ) ) = ( a 1 , , a n 1 , 0 , , p ( π ) x π , , 0 ) Z q 2 n 1 . And we instantiate f j ( x ) as a group homomorphism: f j ( x ) : = g i = 1 j x i , where x = ( x 1 , , x n ) . Then, the output commitment C o m ( 2 ) and the non-interactive proof Δ S P K ( 15 ) Z q 4 × G 4 l o g 2 ( 2 n ) 5 .
To generate a transcript of S P K (16), given Y, it is necessary for the actual user, denoted as x π ( 1 π n ), to demonstrate knowledge of x π among n distinct discrete logarithms x i , where I = E = e ( R , y ^ ) x π , while simultaneously ensuring that π remains undisclosed. We describe the following relation for this 1-out-of-n partial knowledge proof:
R P A R T I A L S P K ( 9 ) = ( e ( R , y ^ ) G T ; S = π 1 , , n , x π Z q ) : I = E = e ( R , y ^ ) x i f o r a l l i S
So we run P A R T I A L S P K ( 16 ) to produce a proof Δ S P K ( 16 ) from Table 10, Table 11, Table 12 and Table 13, where y ( 4 ) = ( y 1 ( 4 ) , , y 2 n 1 ( 4 ) ) = ( a 1 , , a n 1 , 0 , , p ( π ) x π , , 0 ) Z q 2 n 1 . And we instantiate f j ( x ) as a group homomorphism: f j ( x ) : = g i = 1 j x i , where x = ( x 1 , , x n ) . Then, we output commitment C o m ( 4 ) and the non-interactive proof Δ S P K ( 16 ) Z q 4 × G 4 l o g 2 ( 2 n ) 6 × G T .

6. Correctness Analysis

Verification Correctness. The verifier only needs to confirm if the ring signature part is right, that is, the relation in S P K (12):
S P K x i : i [ 1 , n ] y i = g x i ( M )
S P K (19) satisfies the definition of verification correctness. As we can see in the instantiation of S P K (19) from Table 6, Table 7, Table 8 and Table 9 in Section 5, the proof needs to iterate the number of ring members from n to 4, so we can use any of these iterations to prove the correctness of the entire proof S P K (19). From Table 8, when V receives ( z ( 2 ) ) from P in one certain iteration, we can calculate as follows:
F ( z ( 2 ) ) = c ( 2 ) F L ( z ( 2 ) ) + F R ( z ( 2 ) ) = c ( 2 ) F L ( z L ( 2 ) + c ( 2 ) z R ( 2 ) ) + F R ( z L ( 2 ) + c ( 2 ) z R ( 2 ) ) = c ( 2 ) F L ( z L ( 2 ) ) + ( c ( 2 ) ) 2 F L ( z R ( 2 ) ) + F R ( z L ( 2 ) ) + c ( 2 ) F R ( z R ( 2 ) ) = F R ( z L ( 2 ) ) + ( c ( 2 ) F L ( z L ( 2 ) ) + c ( 2 ) F R ( z R ( 2 ) ) ) + ( c ( 2 ) ) 2 F L ( z R ( 2 ) ) = a ( 2 ) + c ( 2 ) F + ( c ( 2 ) ) 2 b ( 2 )
( ( g ( 2 ) ) ) ( z ( 2 ) ) = ( g L c ( 2 ) g R ) ( z L ( 2 ) + c ( 2 ) z R ( 2 ) ) = ( g L ) c ( 2 ) ( z L ( 2 ) + c ( 2 ) z R ( 2 ) ) ( g R ) ( z L ( 2 ) + c ( 2 ) z R ( 2 ) ) = g R z L ( 2 ) ( g L c ( 2 ) z L ( 2 ) g R c ( 2 ) z R ( 2 ) ) g L ( c ( 2 ) ) 2 z R ( 2 ) = A ( 2 ) ( y ¯ ( 2 ) ) c ( 2 ) ( B ( 2 ) ) ( c ( 2 ) ) 2 = Q ( 2 )
As for Table 9, it can be seen as one iteration in Table 8, so the proof of S P K (19) is sound; that is, the verification is correct.
One-time linking correctness. In order to ensure one-time linking correctness, the user needs to compute the key image as follows:
I = e ( R , y ^ ) x π
As we can see in Equation (22), the private key of a user is bound with the key image; that is, for the same key image, the user can only generate one ring signature.
Revoking Correctness. On revoking correctness, consider that the revocation part in S P K (12) is shown as follows:
S P K x i : i [ 1 , n ] E = e ( R , y ^ ) x i ( M )
S P K (23) satisfies the definition of revocation correctness. The successful identification of the actual user can be achieved by the revocation authority through a private key denoted by x ^ :
e ( y i , R ) x ^ = e ( y i , g ) x ^ r 1 = e ( y i , y ^ ) r 1 = E = e ( R , y ^ ) x π i f f i = π
Therefore, according to the Revoke algorithm, the actual user appears.

7. Security Analysis

In this section, we present the security proofs for the constructed scheme. And a full security analysis is provided in Appendix A.

7.1. Unforgeability

Theorem 1 (Unforgeability).
The CRORS scheme is secure against the chosen message and public-key attacks, as demonstrated under the random oracle model, provided that the discrete logarithm (DL) assumption is computationally hard.

7.2. Anonymity

Theorem 2 (Anonymity).
The CRORS scheme ensures anonymity, as proven under the random oracle model, assuming the DBDH assumption holds.

7.3. One-Time Linkability

Theorem 3 (One-time Linkability).
The CRORS scheme ensures one-time linkability, as proven under the random oracle model, assuming that the discrete logarithm (DL) assumption is computationally hard to solve.

7.4. Non-Slanderability

Theorem 4 (Non-slanderability).
The CRORS scheme guarantees non-slanderability, as proven under the random oracle model, provided that the DL assumption is computationally hard.

7.5. Revocability

Theorem 5 (Revocability).
The CRORS scheme ensures revocability even in the presence of chosen message and public-key attacks, as demonstrated under the random oracle model.

8. Performance Analysis

In this section, we assess the performance of our proposed scheme through both theoretical and experimental analysis. We define n as the number of ring members in the ring and l as the number of revocation authorities. To precisely evaluate the average execution times of cryptographic operations in the relevant protocols, we performed 1000 repeated experiments utilizing the Charm cryptographic library [45], executed on a machine equipped with an Intel i7-1260P CPU @ 4.70 GHz and 4.00 GB RAM. Table 14 provide the descriptions, data size, and average computation times of the cryptographic operations involved.
In theoretical analysis, our study focuses on the complexity of computation and the ring signature size among some listed schemes. As for Table 15, we show the result on some properties. We present a CRORS scheme that offers the unique feature of mandatory revocability while simultaneously ensuring one-time linkability. With mandatory revocability, the revocation authority retains the ability to reveal the identities of ring users at any given time, which is suitable for regulation in some blockchain-based confidential transactions. As for one-time linkability, we construct this kind of key image I to achieve its one-time signing. Considering that the user may carry out many confidential transactions in the actual blockchain-based applications, the key image I not only can ensure the confidentiality of transactions because of its one-time signing but also can prevent the double-spending attack. Though [17] have similar properties to our scheme, they do not consider the importance of one-time linkability.
Table 16 shows the theoretical analysis comparison results in terms of the computational time complexity of sign, verification, revocation and linking. According to Table 16, the number of computational time costs in sign and verification nearly grows linearly in n, which is similar to other listed schemes. Though [17] uses the ElGamal public key encryption technique in constructing the revocation component, which yields a faster computational time than our scheme, we adopt bilinear pairing, as proposed by Liu [34], to enhance the flexibility of the revocation process, requiring only a single pairing operation in the best-case scenario.
As can be seen in Table 17, we compare the signature size with [16,17,31,34]. Observably, the size of the ring signature experiences linear growth concerning the length of the ring, as evidenced in other schemes. When n grows large, the length of the ring signature can be an intractable problem for the storage space in some blockchain-based confidential transactions. Accordingly, we have developed a CRORS scheme that can be achieved with a logarithmic size of ( O ( l o g n ) ), which can greatly reduce the storage space. This is one of the important contributions of our scheme. We use the method of compressed partial knowledge proofs [39] to introduce the ring signature and reduce its signature size from O ( n ) down to O ( l o g n ) . This means the storage space we need in our scheme saves much space compared with other schemes.
Table 18 presents the performance metrics of our scheme’s signature signing and verification processes under varying ring sizes ( n = 8 , 16 , 32 , 64 ) , with l = 1 set in the scheme. The signing time in our scheme is primarily influenced by operations with O ( n l o g n ) complexity, including bilinear pairings and multiplications. These computationally intensive operations result in a longer signing time compared to other schemes. The key reason for this increase lies in the need to compress the ring signature length, reducing its classical O ( n ) complexity to O ( l o g n ) . This compression is achieved through the extensive use of bilinear mappings and multiplication operations. It is worth noting that in practical applications, such as Monero, where the typical number of ring members is around 11, our scheme demonstrates a signing time of approximately 320 ms. This duration is acceptable in real-world scenarios, particularly for use cases involving privacy-preserving cryptocurrency transactions. As shown in Table 18, the verification time in our scheme is shorter than that of other schemes. This efficiency stems from the fact that only the logarithmic-length compressed signature needs to be verified during the process. As a result, the verification time achieves a logarithmic-level complexity, making our scheme highly efficient and suitable for practical deployment in scenarios requiring frequent signature verifications.
To provide a clearer illustration of the advantages of the CRORS scheme with varying ring sizes, Figure 3 depicts the comparison of signature sizes across different schemes. As the number of ring members n increases, our proposed CRORS scheme demonstrates a notably slower growth rate in signature size compared to other schemes. Specifically, when the ring size exceeds approximately 47 members, the signature size in CRORS begins to exhibit a significant reduction relative to the alternative schemes, which continue to scale linearly. A key contribution of our scheme lies in its ability to compress the signature size to a logarithmic scale as the number of ring members grows. Unlike traditional schemes, where signature size grows linearly with n, the CRORS scheme achieves substantial efficiency by reducing the signature complexity from O ( n ) to O ( l o g n ) . This is clearly observed in the figure, where the CRORS curve levels off and becomes nearly flat as n increases. Such behavior is particularly advantageous for applications requiring large-scale anonymity and privacy, such as blockchain-based transactions, e-voting systems, or other confidential communication protocols. Moreover, the ability of the CRORS scheme to achieve this logarithmic compression without compromising security or functionality underscores its suitability for real-world deployments with large-scale anonymity sets. By minimizing the overhead in terms of signature size while maintaining efficiency, our scheme provides a scalable solution for privacy-preserving systems operating with hundreds or even thousands of ring members.

9. Conclusions

This paper proposes a novel compressed revocable one-time ring signature (CRORS) scheme designed for reputation evaluation systems. It is constructed to ensure security under DL and DBDH assumptions in the random oracle model. The CRORS scheme achieves one-time linkability and mandatory revocability simultaneously. That is, CRORS allows only one user to anonymously generate one signature on one message, and one user can be detected once they sign two signatures. Additionally, CRORS scheme introduces a revocation authority to identify any malicious ring users in need, without compromising the anonymity of honest users. CRORS scheme is evaluated through theoretical analysis, which indicates that our scheme’s ring size demands only logarithmic-size ( O ( l o g n ) ) in n. Consequently, it can significantly decrease the required storage space in some blockchain-based reputation evaluation systems. The proposed scheme has the potential to be used in some blockchain-based reputation evaluation systems that need to be regulated and to prevent double-spending attacks. And constructing a CRORS scheme that can offer provable security against quantum attacks based on lattices or code theory presents a compelling problem for future research.

Author Contributions

Formal analysis, X.H.; Writing—original draft, X.H.; Writing—review & editing, X.H. and D.Z.; Supervision, X.H.; Project administration, D.Z.; Funding acquisition, D.Z. All authors have read and agreed to the published version of the manuscript.

Funding

The research has been supported by the National Natural Science Foundation of China (Grant no. U21A20463) and the Natural Science Foundation of Beijing, China (Grant no. M23019).

Data Availability Statement

The data will be made available by the authors on request.

Acknowledgments

We would like to thank Fuchun Guo for his helpful comments and insightful suggestions.

Conflicts of Interest

The authors declare no conflicts of interest.

Appendix A. The Proof of Security

Appendix A.1. Unforgeability

Proof. 
Let the adversary A use the oracles H , JO , CO and SO , where the challenger C maintains separate empty lists to log the queries and the answers. C then simulates the oracles as follows:
  • H -queries: When A queries a hash, C manages a list L H for tracking these entries. If a matching entry is found, C returns the stored result; otherwise, it generates one random value, responds to A , and records the query–answer pair in L H .
  • JO -queries: For each ith ( 1 i n ) query by A to JO , C returns the the associated public key and logs the query–answer pair in L JO .
  • CO -queries: When receiving a query containing the public key y i from JO , C verifies if i = π . If true, the query is rejected, ending the process. If false, C provides the corresponding private key and logs it in L CO .
  • SO -queries: For a tuple ( I , M , Y , y π ) provided by A , if y i y π , C produces a signature σ using the C R O R S . S i g n algorithm. However, when y i = y π , C stores the tuple ( I , y π ) in L s i g n and, while lacking the private keys, generates a signature as follows:
    • If y π appears in L JO , it is assigned as the π th element in JO . Otherwise, C derives the signature by selecting τ Z q and calculating I = E = e ( y π , y ^ ) τ , where y ^ i represents the revocation authority’s public key.
    • C generates and outputs σ to A , ensuring that the adversary cannot distinguish the simulated environment created by C from the real environment.
Given the CRORS scheme’s setup, unforgeability derives primarily from the ring signature within S P K (12), more precisely in S P K (19). In the E A u n f , the discrete logarithms x i for the public keys y i in set Y remain unqueried by A . After an SO query, A can obtain a signature σ that resembles one genuinely signed by the user π . For contradiction, suppose A uses a set of n ( 1 ) ( n ( 1 ) = n ) public keys to forge a signature σ ( 1 ) after the l-th query. Then, C rewinds and simulates the l-th query. C retrieves A ’s output and Turing transcript T to check for a successful forgery signature. If successful, it proceeds; otherwise, it aborts. Rewinding T produces a new transcript T . Post-simulation, A returns its output, allowing C to resolve the DL problem of y π and y ^ , yielding x π and x ^ , which contradicts the DL hardness assumption. Theorem 1 is thus proven, and the adversary’s success rate is constrained by ϵ 4 , as per the forking lemma [46]. □

Appendix A.2. Anonymity

Proof. 
Considering the anonymity of our scheme, we analyze the three components of S P K (12), including the ring signature component denoted as S P K (19), the link component referred to as Equation (22), and the revocation component designated as S P K (23). S P K (19) has been proven to be anonymous in RS [10], where the established model employed is as robust as that utilized in the experiment E A a n o . And Equation (22) has been instantiated in a conventional linkable ring signature, which is crucial in the link part and ensures anonymity already. So now we only need to discuss the revocation part, S P K (23). To address the DBDH problem, we construct the following steps. To solve the DBDH problem, let i n s t = ( P 1 , P 2 , P 3 = g a 3 , P 4 ) , where the goal is to determine if P 4 = e ( P 1 , P 2 ) a 3 , given ( P 1 , P 2 , P 3 ) G and P 4 G T . Set P 1 = P 1 , P 2 = P 2 and P 4 = P 4 . After a coin toss b 0 / 1 , assign P 3 b = P 3 and P 3 1 b as a random element in G .
In experiment E A a n o , we select α i Z q randomly and define y i = g α i for i = 1 , , N . Assign y π 0 = P 3 b and y π 1 = P 3 1 b . For the l revocation authorities, set E = P 4 α = e ( P 1 , P 2 ) α a 3 b , and let R = P 1 , P 2 = P 2 α . C then provides the adversary with a valid signature σ , associating the user with either y π 0 or y π 1 based on the identification process outcome. After the identification, A outputs b . If b = b , C outputs 1; otherwise, it flips a coin to output b .
Given the assumption in E A a n o , we have P r [ b = b | i n s t D B D H ] = 1 2 + ϵ and P r [ b = b | i n s t D B D H ] = 1 2 . Thus, the probability of A solving the DBDH problem is P r [ A s o l v e s D B D H p r o b l e m ] = 1 2 + P r [ i n s t = 1 | i n s t D B D H ] P r [ i n s t = 1 | i n s t D B D H ] = 1 2 + P r [ b = b | i n s t D B D H ] + P r [ b b | i n s t D B D H ] · P r [ b = 1 | i n s t D B D H b b ] P r [ i n s t = 1 | i n s t D B D H ] = P r [ b = b | i n s t D B D H ] P r [ b b | i n s t D B D H ] · P r [ b = 1 | i n s t D B D H b b ] = 1 2 + ( ϵ + 1 2 ) + ( 1 ( ϵ + 1 2 ) ) · 1 2 1 2 1 2 · 1 2 = 1 2 + ϵ 2 . □

Appendix A.3. One-Time Linkability

Proof. 
To establish the one-time linkability, we adopt the oracles set up in Theorem 1. Here, C has access to at most one private key x π (where 1 π n ), which it supplies to A during a CO query. We then employ the technique of double-rewind simulation at two suitable points. Assuming A uses the private key x π to generate two unlinkable signatures σ and σ , let us denote the two key images as I = e ( R , y ^ ) x π and I = e ( R , y ^ ) x π for each signature. For σ , C rewinds and re-simulates the transcript after t e h l -th query, producing a valid signature σ ˜ . By repeating the rewind simulation, C retrieves another signature σ ˜ , allowing it to derive x π and x π . Since x π = x π , it follows that I = e ( R , y ^ ) x π = e ( R , y ^ ) x π = I , meaning σ and σ are linked. This successfully resolves the DLP, confirming Theorem 3. □

Appendix A.4. Non-Slanderability

Proof. 
Considering the non-slanderability of the CRORS scheme, we adopt the oracles’ setting described in Appendix A.1 and we only need to use the key image for this proof, namely Equation (22). According to the security experiment E A n s , A can query the oracle CO to obtain any public keys, except for the true user’s public key y π . Upon receiving the tuples ( y π , Y , M , y ^ ) from A , C produces a valid signature σ = ( I , · ) by using x π , where I π denotes the key image. A can make queries on the oracles while being prevented from obtaining y π during the process of querying CO . For contradiction, we assume that A produces another valid signature σ = ( I , · ) using the private key x π , such that σ is not the output of SO and it can be inferred from the above that σ and σ are linked. Since the two signatures are linked, this implies that
I = e ( R , y ^ ) x π = I = e ( R , y ^ ) x π
Hence, the equality x π = x π can be inferred, thereby indicating that the secret key x π corresponding to y π is known to A . This conflicts with our prior assumption that A cannot obtain the secret key of y π by querying CO . □

Appendix A.5. Revocability

Proof. 
In order to prove revocability of our CRORS scheme, we adopt the oracles’ setting described in Appendix A.1, and we only need S P K (23) in the revocation part to proof our scheme revocable. In experiment E A r e v , A is limited to acquiring only a single private key, x π , from a given ring and cannot obtain additional private keys, given the unforgeability of the setup. Moreover, all public keys in P K are independently generated, preventing A from deducing any corresponding private key. Consequently, if a PPT adversary A successfully completes E A r e v and generates a valid signature σ , it implies that σ relies on the private key x π .
For contradiction, assume the revocation authority holds a key pair ( x ^ , y ^ ) and uses it in the R e v o k e algorithm: y γ C R O R S . R e v o k e ( Y , σ , x ^ ) where y γ y π . This leads to the following equation:
E e ( y π , R ) x ^ = e ( R , y ^ ) x π
Since the signature σ passes verification, it implies that A possesses x i as per S P K (12), allowing the computation of:
E = e ( R , y ^ ) x i
where x i is a private key. Comparing the Equations (A2) and (A3), we conclude e ( R , y ^ ) x π e ( R , y ^ ) x i x π x i . Hence, A must know two distinct private keys x π and x i . This contradicts our initial assumption that A could only acquire a single private key, completing the proof for Theorem 5. □

References

  1. Pramudito, D.K.; Pettalongi, S.S.; Tawil, M.R.; Hermila, A.; Zein, A. Application of Rapid Application Development Method to Design E-Commerce Systems in National Expedition Company to Increase Marketing Effectiveness. J. Inf. Dan Teknol. 2024, 6, 144–149. [Google Scholar] [CrossRef]
  2. Pakura, S.; Rudeloff, C. How entrepreneurs build brands and reputation with social media PR: Empirical insights from start-ups in Germany. J. Small Bus. Entrep. 2023, 35, 153–180. [Google Scholar] [CrossRef]
  3. Nie, L.; Lin, C.; Liao, K.; Liu, S.; Zhao, Y. Unsupervised deep image stitching: Reconstructing stitched features to images. IEEE Trans. Image Process. 2021, 30, 6184–6197. [Google Scholar] [CrossRef] [PubMed]
  4. Ihle, C.; Trautwein, D.; Schubotz, M.; Meuschke, N.; Gipp, B. Incentive mechanisms in peer-to-peer networks—A systematic literature review. ACM Comput. Surv. 2023, 55, 1–69. [Google Scholar] [CrossRef]
  5. Kinateder, M.; Pearson, S. A privacy-enhanced peer-to-peer reputation system. In Proceedings of the International Conference on Electronic Commerce and Web Technologies, Prague, Czech Republic, 2–5 September 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 206–215. [Google Scholar]
  6. Schaub, A.; Bazin, R.; Hasan, O.; Brunie, L. A trustless privacy-preserving reputation system. In Proceedings of the ICT Systems Security and Privacy Protection: 31st IFIP TC 11 International Conference, SEC 2016, Ghent, Belgium, 30 May–1 June 2016; Proceedings 31. Springer: Berlin/Heidelberg, Germany, 2016; pp. 398–411. [Google Scholar]
  7. Liu, D.; Alahmadi, A.; Ni, J.; Lin, X.; Shen, X. Anonymous reputation system for IIoT-enabled retail marketing atop PoS blockchain. IEEE Trans. Ind. Inform. 2019, 15, 3527–3537. [Google Scholar] [CrossRef]
  8. Qi, S.; Li, Y.; Wei, W.; Li, Q.; Qiao, K.; Qi, Y. Truth: A blockchain-aided secure reputation system with genuine feedbacks. IEEE Trans. Eng. Manag. 2022, 71, 12433–12447. [Google Scholar] [CrossRef]
  9. An, H.; He, D.; Bao, Z.; Peng, C.; Liu, Q. An identity-based dynamic group signature scheme for reputation evaluation systems. J. Syst. Archit. 2023, 139, 102875. [Google Scholar] [CrossRef]
  10. Rivest, R.L.; Shamir, A.; Tauman, Y. How to leak a secret. In Proceedings of the Advances in Cryptology—ASIACRYPT 2001: 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 9–13 December 2001; Proceedings 7. Springer: Berlin/Heidelberg, Germany, 2001; pp. 552–565. [Google Scholar]
  11. Nakamoto, S. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008. Available online: https://klausnordby.com/bitcoin/Bitcoin_Whitepaper_Document_HD.pdf (accessed on 24 May 2009).
  12. Liu, J.K.; Wei, V.K.; Wong, D.S. Linkable spontaneous anonymous group signature for ad hoc groups. In Proceedings of the ACISP, Sydney, Australia, 13–15 July 2004; Springer: Berlin/Heidelberg, Germany, 2004; Volume 4, pp. 325–335. [Google Scholar]
  13. Hajian Berenjestanaki, M.; Barzegar, H.R.; El Ioini, N.; Pahl, C. Blockchain-based e-voting systems: A technology review. Electronics 2023, 13, 17. [Google Scholar] [CrossRef]
  14. Xue, Y.; Lu, X.; Au, M.H.; Zhang, C. Efficient linkable ring signatures: New framework and post-quantum instantiations. In Proceedings of the European Symposium on Research in Computer Security, Bydgoszcz, Poland, 16–20 September 2024; Springer: Berlin/Heidelberg, Germany, 2024; pp. 435–456. [Google Scholar]
  15. Duan, J.; Zheng, S.; Wang, W.; Wang, L.; Hu, X.; Gu, L. Concise RingCT Protocol Based on Linkable Threshold Ring Signature. IEEE Trans. Dependable Secur. Comput. 2024, 21, 5014–5028. [Google Scholar] [CrossRef]
  16. Fujisaki, E.; Suzuki, K. Traceable ring signature. In Proceedings of the Public Key Cryptography-PKC 2007: 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, 16–20 April 2007; Proceedings 10. Springer: Berlin/Heidelberg, Germany, 2007; pp. 181–200. [Google Scholar]
  17. Zhang, X.; Liu, J.K.; Steinfeld, R.; Kuchta, V.; Yu, J. Revocable and linkable ring signature. In Proceedings of the Information Security and Cryptology: 15th International Conference, Inscrypt 2019, Nanjing, China, 6–8 December 2019; Revised Selected Papers 15. Springer: Berlin/Heidelberg, Germany, 2020; pp. 3–27. [Google Scholar]
  18. Liang, J.; Huang, Q.; Huang, J.; Lan, L.; Au, M.H.A. An identity-based traceable ring signatures based on lattice. Peer-to-Peer Netw. Appl. 2023, 16, 1270–1285. [Google Scholar] [CrossRef]
  19. Guo, J.; Du, Y.; Sun, Z.; Wu, R.; Wu, X.; Zhang, L.; Zheng, T. SRAKN: Secure roaming authentication and key negotiation protocol for space information network. Comput. Commun. 2023, 206, 22–37. [Google Scholar] [CrossRef]
  20. Boneh, D.; Gentry, C.; Lynn, B.; Shacham, H. Aggregate and verifiably encrypted signatures from bilinear maps. In Proceedings of the Advances in Cryptology-EUROCRYPT 2003: International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003; Proceedings 22. Springer: Berlin/Heidelberg, Germany, 2003; pp. 416–432. [Google Scholar]
  21. Qin, M.J.; Zhao, Y.L.; Ma, Z.J. Practical constant-size ring signature. J. Comput. Sci. Technol. 2018, 33, 533–541. [Google Scholar] [CrossRef]
  22. Zhang, F.; Kim, K. ID-based blind signature and ring signature from pairings. In Proceedings of the Advances in Cryptology—ASIACRYPT 2002: 8th International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Proceedings 8. Springer: Berlin/Heidelberg, Germany, 2002; pp. 533–547. [Google Scholar]
  23. Dodis, Y.; Kiayias, A.; Nicolosi, A.; Shoup, V. Anonymous identification in ad hoc groups. In Proceedings of the Advances in Cryptology-EUROCRYPT 2004: International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Proceedings 23. Springer: Berlin/Heidelberg, Germany, 2004; pp. 609–626. [Google Scholar]
  24. Au, M.H.; Liu, J.K.; Susilo, W.; Yuen, T.H. Constant-size ID-based linkable and revocable-iff-linked ring signature. In Proceedings of the Progress in Cryptology-INDOCRYPT 2006: 7th International Conference on Cryptology in India, Kolkata, India, 11–13 December 2006; Proceedings 7. Springer: Berlin/Heidelberg, Germany, 2006; pp. 364–378. [Google Scholar]
  25. Camenisch, J.; Lysyanskaya, A. Dynamic accumulators and application to efficient revocation of anonymous credentials. In Proceedings of the Crypto, Santa Barbara, CA, USA, 18–22 August 2002; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2442, pp. 61–76. [Google Scholar]
  26. Cramer, R.; Damgård, I.; Schoenmakers, B. Proofs of partial knowledge and simplified design of witness hiding protocols. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 21–25 August 1994; Springer: Berlin/Heidelberg, Germany, 1994; pp. 174–187. [Google Scholar]
  27. Alberto Torres, W.A.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Kuchta, V.; Bhattacharjee, N.; Au, M.H.; Cheng, J. Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (lattice RingCT v1. 0). In Proceedings of the Information Security and Privacy: 23rd Australasian Conference, ACISP 2018, Wollongong, NSW, Australia, 11–13 July 2018; Proceedings 23. Springer: Berlin/Heidelberg, Germany, 2018; pp. 558–576. [Google Scholar]
  28. Liu, J.K.; Wong, D.S. Enhanced security models and a generic construction approach for linkable ring signature. Int. J. Found. Comput. Sci. 2006, 17, 1403–1422. [Google Scholar] [CrossRef]
  29. Liu, J.K.; Au, M.H.; Susilo, W.; Zhou, J. Linkable ring signature with unconditional anonymity. IEEE Trans. Knowl. Data Eng. 2013, 26, 157–165. [Google Scholar] [CrossRef]
  30. Backes, M.; Döttling, N.; Hanzlik, L.; Kluczniak, K.; Schneider, J. Ring signatures: Logarithmic-size, no setup-from standard assumptions. In Proceedings of the Advances in Cryptology-EUROCRYPT 2019: 38th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Darmstadt, Germany, 19–23 May 2019; Proceedings, Part III 38. Springer: Berlin/Heidelberg, Germany, 2019; pp. 281–311. [Google Scholar]
  31. Van Saberhagen, N. CryptoNote v 2.0. 2013. Available online: https://c3.coinlore.com/pdf/bytecoin-bcn-white-paper.pdf (accessed on 17 October 2013).
  32. Sun, S.F.; Au, M.H.; Liu, J.K.; Yuen, T.H. Ringct 2.0: A compact accumulator-based (linkable ring signature) protocol for blockchain cryptocurrency monero. In Proceedings of the Computer Security–ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, 11–15 September 2017; Proceedings, Part II 22. Springer: Berlin/Heidelberg, Germany, 2017; pp. 456–474. [Google Scholar]
  33. Yuen, T.H.; Sun, S.f.; Liu, J.K.; Au, M.H.; Esgin, M.F.; Zhang, Q.; Gu, D. Ringct 3.0 for blockchain confidential transaction: Shorter size and stronger security. In Proceedings of the Financial Cryptography and Data Security: 24th International Conference, FC 2020, Kota Kinabalu, Malaysia, 10–14 February 2020; Revised Selected Papers 24. Springer: Berlin/Heidelberg, Germany, 2020; pp. 464–483. [Google Scholar]
  34. Liu, D.Y.; Liu, J.K.; Mu, Y.; Susilo, W.; Wong, D.S. Revocable ring signature. J. Comput. Sci. Technol. 2007, 22, 785–794. [Google Scholar] [CrossRef]
  35. Fujisaki, E. Sub-linear size traceable ring signatures without random oracles. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2012, 95, 151–166. [Google Scholar] [CrossRef]
  36. Au, M.H.; Liu, J.K.; Susilo, W.; Yuen, T.H. Secure ID-based linkable and revocable-iff-linked ring signature with constant-size construction. Theor. Comput. Sci. 2013, 469, 1–14. [Google Scholar] [CrossRef]
  37. Bultel, X.; Lafourcade, P. k-times full traceable ring signature. In Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES), Salzburg, Austria, 31 August–2 September 2016; pp. 39–48. [Google Scholar]
  38. Liang, J.; Huang, J.; Huang, Q.; Lan, L.; Au, M.H.A. A Lattice-Based Certificateless Traceable Ring Signature Scheme. Information 2023, 14, 160. [Google Scholar] [CrossRef]
  39. Attema, T.; Cramer, R.; Fehr, S. Compressing proofs of k-out-of-n partial knowledge. In Proceedings of the Advances in Cryptology-CRYPTO 2021: 41st Annual International Cryptology Conference, CRYPTO 2021, Virtual Event, 16–20 August 2021; Proceedings, Part IV. Springer: Berlin/Heidelberg, Germany, 2021; pp. 65–91. [Google Scholar]
  40. Fiat, A.; Shamir, A. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Proceedings of the Crypto, Santa Barbara, CA, USA, 11–15 August 1986; Springer: Berlin/Heidelberg, Germany, 1986; Volume 86, pp. 186–194. [Google Scholar]
  41. Pedersen, T.P. Non-interactive and information-theoretic secure verifiable secret sharing. In Proceedings of the Advances in Cryptology-CRYPTO’91: Proceedings; Springer: Berlin/Heidelberg, Germany, 2001; pp. 129–140. [Google Scholar]
  42. Goldreich, O. Secure Multi-Party Computation; Weizmann Institute of Science: Rehovot, Israel, 1998; 108p. [Google Scholar]
  43. Attema, T.; Cramer, R.; Rambaud, M. Compressed Σ-protocols for bilinear group arithmetic circuits and application to logarithmic transparent threshold signatures. In Proceedings of the Advances in Cryptology-ASIACRYPT 2021: 27th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 6–10 December 2021; Proceedings, Part IV. Springer: Berlin/Heidelberg, Germany, 2021; pp. 526–556. [Google Scholar]
  44. Camenisch, J.; Stadler, M. Efficient group signature schemes for large groups. In Proceedings of the Advances in Cryptology-CRYPTO’97: 17th Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; Proceedings 17. Springer: Berlin/Heidelberg, Germany, 1997; pp. 410–424. [Google Scholar]
  45. Akinyele, J.A.; Garman, C.; Miers, I.; Pagano, M.W.; Rushanan, M.; Green, M.; Rubin, A.D. Charm: A framework for rapidly prototyping cryptosystems. J. Cryptogr. Eng. 2013, 3, 111–128. [Google Scholar] [CrossRef]
  46. Herranz, J.; Sáez, G. Forking lemmas for ring signature schemes. In Proceedings of the International Conference on Cryptology in India, New Delhi, India, 8–10 December 2003; Springer: Berlin/Heidelberg, Germany, 2003; pp. 266–279. [Google Scholar]
Figure 1. The restaurant reputation evaluation system.
Figure 1. The restaurant reputation evaluation system.
Mathematics 13 00008 g001
Figure 2. Workflow of the restaurant reputation evaluation system.
Figure 2. Workflow of the restaurant reputation evaluation system.
Mathematics 13 00008 g002
Figure 3. Comparison of the signature size [16,17,31,34].
Figure 3. Comparison of the signature size [16,17,31,34].
Mathematics 13 00008 g003
Table 1. Notations.
Table 1. Notations.
SymbolDescription
κ The security parameter
qThe prime order
gThe generator of G
G T , G The cyclic groups of prime order q
H H : 0 , 1 Z q , a cryptographic hash function
e e : G × G G T , a bilinear pairing
Table 2. Protocol 1 P A R T I A L for relation R P A R T I A L .
Table 2. Protocol 1 P A R T I A L for relation R P A R T I A L .
GIVEN PUBLIC: h G , g G 2 n 1
INPUT ( g , P 1 , P 2 , , P n ; S = π , x π )
P i = g x i where i S
P (Prover) V (Verifier)
p ( X ) = 1 + ( i = 1 n 1 a i X i )
( p ( i ) = 0 , f o r i S )
y = ( a 1 , , a n 1 ,
0 , , p ( π ) x π , , 0 n )
γ R Z q , C o m = g y h γ
C o m
Run A M O R H O M ,
prove y satisfies
P i = g y i + n 1 P i j y j i j ,
for i 1 , , n
Table 3. Protocol 2 A M O R H O M for relation R A M O R H O M .
Table 3. Protocol 2 A M O R H O M for relation R A M O R H O M .
INPUT ( P ¯ , f 1 , , f 2 n ; y ϕ )
P V
c ρ = H ( f 1 , , f 2 n ) c ρ
F = i = 1 2 n f i ( y ϕ ) c ρ i 1
Run c ( P ¯ , F ; y ϕ )
Table 4. Protocol 3 c   for relation R c .
Table 4. Protocol 3 c   for relation R c .
GIVEN PUBLIC:  g G 2 n
INPUT ( P ¯ , F ; y ϕ )
P ¯ = g y ϕ , F = F ( y ϕ )
P V
r c R Z q 2 n
A 1 = g r , t c = F ( r c )
c 0 = H ( A 1 , t c )
z = c 0 y ϕ + r c
Q 1 = A 1 P ¯ c 0 , F ( z ) = c 0 F + t
A = g R z L , B = g L z R
a = F R ( z L ) , b = F L ( z R )
c = H ( a , A , b , B )
g = g L c g R G n
Q c = A Q 1 c B c 2 , F = c F L + F R
z = z L + c z R
z
if( z Z q 4 ): F ( z ) = ? a + c 2 b + c y ,
( g ) z = ? Q c
elseRun 1 ( Q c , F ; z ) with
GIVEN PUBLIC: g
Do the loop until z Z q 4
Table 5. Protocol 4 compression mechanism 1   for relation R f .
Table 5. Protocol 4 compression mechanism 1   for relation R f .
GIVEN PUBLIC: g G n
INPUT ( Q c , F ; z )
Q c = ( g ) z , F = F ( z )
P V
A = ( g R ) z L , B = ( g L ) z R
a = F R ( z L ) , b = F L ( z R )
c 1 = H ( A , a , B , b )
g = ( g L ) c 1 g R G n / 2
Q c = A Q c c 1 B c 1 2 , F = c 1 F L + F R
z = z L + c 1 z R
z
F ( z ) = ? c 1 F + c 1 2 b + a
( g ) z = ? Q c
Table 6. Protocol 5 P A R T I A L S P K ( 15 ) for relation R P A R T I A L S P K ( 15 ) .
Table 6. Protocol 5 P A R T I A L S P K ( 15 ) for relation R P A R T I A L S P K ( 15 ) .
GIVEN PUBLIC: g G 2 n 1 , h G
INPUT ( g , y 1 , , y n ; S = π , x π )
g x i = y i where i S
P V
p ( X ) = 1 + i = 1 n 1 a i X i
( p ( i ) = 0 , f o r i S )
y ( 2 ) = ( a 1 , , a n 1 ,
0 , , p ( π ) x π , , 0 n )
γ ( 2 ) R Z q ,
C o m ( 2 ) = g y ( 2 ) h γ ( 2 )
C o m ( 2 )
Run A M O R H O M S P K ( 15 )
prove y ( 2 ) satisfies
g y i + n 1 ( 2 ) y i j = 1 2 n 1 y j ( 2 ) i j = y i ,
i 1 , , n
Table 7. Protocol 6 A M O R H O M S P K ( 15 ) for relation R A M O R H O M S P K ( 15 ) .
Table 7. Protocol 6 A M O R H O M S P K ( 15 ) for relation R A M O R H O M S P K ( 15 ) .
INPUT ( y ¯ ( 2 ) , f 1 ( 2 ) , , f 2 n ( 2 ) ; y ϕ ( 2 ) )
P V
c ρ ( 2 ) = H ( f 1 ( 2 ) , , f 2 n ( 2 ) ) c ρ ( 2 )
F = i = 1 2 n f i ( y ϕ ( 2 ) ) ( c ρ ( 2 ) ) i 1
Run c S P K ( 7 ) ( y ¯ ( 2 ) , F ; y ϕ ( 2 ) )
Table 8. Protocol 7 c S P K ( 15 ) for relation R c S P K ( 15 ) .
Table 8. Protocol 7 c S P K ( 15 ) for relation R c S P K ( 15 ) .
GIVEN PUBLIC: g G 2 n
INPUT ( y ¯ ( 2 ) , F ; y ϕ ( 2 ) )
y ¯ ( 2 ) = g y ϕ ( 2 ) , F = F ( y ϕ ( 2 ) )
P V
r ( 2 ) R Z q 2 n
A 1 ( 2 ) = g r ( 2 ) , t ( 2 ) = F ( r ( 2 ) )
c 0 ( 2 ) = H ( A 1 ( 2 ) , t ( 2 ) )
z ( 2 ) = c 0 ( 2 ) y ϕ ( 2 ) + r ( 2 )
Q 1 ( 2 ) = A 1 ( 2 ) ( y ¯ ( 2 ) ) c 0 ( 2 )
F ( z ( 2 ) ) = c 0 ( 2 ) F + t ( 2 )
A ( 2 ) = g R z L ( 2 ) , a ( 2 ) = F R ( z L ( 2 ) )
B ( 2 ) = g L z R ( 2 ) , b ( 2 ) = F L ( z R ( 2 ) )
c ( 2 ) = H ( A ( 2 ) , B ( 2 ) , a ( 2 ) , b ( 2 ) )
( g ( 2 ) ) = g L c ( 2 ) g R G n
Q ( 2 ) = A ( 2 ) ( y ¯ ( 2 ) ) c ( 2 ) ( B ( 2 ) ) ( c ( 2 ) ) 2
F = c ( 2 ) F L + F R
( z ( 2 ) ) = z L ( 2 ) + c ( 2 ) z R ( 2 )
( z ( 2 ) )
if( ( z ( 2 ) ) Z q 4 ): F ( z ( 2 ) ) = ?
a ( 2 ) + c ( 2 ) F + ( c ( 2 ) ) 2 b ( 2 ) ,
( ( g ( 2 ) ) ) ( z ( 2 ) ) = ? Q ( 2 )
elseRun
1 S P K ( 15 ) ( Q ( 2 ) , F ; ( z ( 2 ) ) )
with GIVEN PUBLIC: g
Do the loop until ( z ( 2 ) ) Z q 4
Table 9. Protocol 8 compression mechanism 1 S P K ( 15 ) for relation R f S P K ( 15 ) .
Table 9. Protocol 8 compression mechanism 1 S P K ( 15 ) for relation R f S P K ( 15 ) .
GIVEN PUBLIC: g G n
INPUT ( Q ( 2 ) , F ; ( z ( 2 ) ) )
Q ( 2 ) = g ( z ( 2 ) ) , F = F ( ( z ( 2 ) ) )
P V
A = g R ( z ( 2 ) ) L , a = F R ( ( z ( 2 ) ) L )
B = g L ( z ( 2 ) ) R , b = F L ( ( z ( 2 ) ) R )
c 1 ( 2 ) = H ( A , B , a , b )
g = g L c 1 ( 2 ) g R G n / 2
( Q ( 2 ) ) = A ( Q ( 2 ) ) c 1 ( 2 ) ( B ) ( c 1 ( 2 ) ) 2
F = c 1 ( 2 ) F L + F R
( z ( 2 ) ) = ( z ( 2 ) ) L + c 1 ( 2 ) ( z ( 2 ) ) R
( z ( 2 ) )
( g ) ( z ( 2 ) ) = ? ( Q ( 2 ) ) ,
F ( ( z ( 2 ) ) ) = ? a + c 1 ( 2 ) F + ( c 1 ( 2 ) ) 2 b
Table 10. Protocol 9 P A R T I A L S P K ( 16 ) for relation R P A R T I A L S P K ( 16 ) .
Table 10. Protocol 9 P A R T I A L S P K ( 16 ) for relation R P A R T I A L S P K ( 16 ) .
GIVEN PUBLIC: g G 2 n 1 , h G
INPUT ( E ; S = π , x π )
e ( R , y ^ ) x i = E where i S
P V
p ( X ) = ( i = 1 n 1 a i X i ) + 1
( p ( i ) = 0 , f o r i S )
y ( 4 ) = ( a 1 , , a n 1 ,
0 , , p ( π ) x π , , 0 n )
γ ( 4 ) R Z q ,
C o m ( 4 ) = h γ ( 4 ) · g y ( 4 )
· e ( R , y ^ )
C o m ( 4 )
Run A M O R H O M S P K ( 9 ) ,
prove y ( 4 ) satisfies
e ( R , , y ^ ) y i + n 1 ( 4 ) · E a = 1 n 1 y a ( 4 ) i a = E ,
for i 1 , , n
Table 11. Protocol 10 A M O R H O M S P K ( 16 ) for relation R A M O R H O M S P K ( 16 ) .
Table 11. Protocol 10 A M O R H O M S P K ( 16 ) for relation R A M O R H O M S P K ( 16 ) .
INPUT ( y ¯ ( 4 ) , f 1 ( 4 ) , , f 2 n ( 4 ) ; y ϕ ( 4 ) )
P V
c ρ ( 4 ) = H ( f 1 ( 4 ) , , f 2 n ( 4 ) ) c ρ ( 4 )
F = i = 1 2 n f i ( y ϕ ( 4 ) ) ( c ρ ( 4 ) ) i 1
Run c S P K ( 9 ) ( y ¯ ( 4 ) , F ; y ϕ ( 4 ) )
Table 12. Protocol 11 c S P K ( 16 ) for relation R c S P K ( 16 ) .
Table 12. Protocol 11 c S P K ( 16 ) for relation R c S P K ( 16 ) .
GIVEN PUBLIC: g , h
INPUT ( y ¯ ( 4 ) , F ; y ϕ ( 4 ) )
y ¯ ( 4 ) = g y ϕ ( 4 ) e ( R , f ( y ϕ ( 4 ) ) ) ,
F = F ( y ϕ ( 4 ) )
P V
r ( 4 ) R Z q 2 n , ρ R Z q
A 1 ( 4 ) = g r ( 4 ) e ( R , f ( r ( 4 ) ) )
t ( 4 ) = F ( r ( 4 ) )
c 0 ( 4 ) = H ( A 1 ( 4 ) , t ( 4 ) )
z = c 0 ( 4 ) y ϕ ( 4 ) + r ( 4 )
μ = c 0 ( 4 ) ψ + ρ
z ( 4 ) = ( z , μ )
Q 1 ( 4 ) = A 1 ( 4 ) ( y ¯ ( 4 ) ) c 0 ( 4 )
F ( z ( 4 ) ) = c 0 ( 4 ) F + t ( 4 )
A ( 4 ) = g R z L ( 4 ) e ( R , f ( z L ( 4 ) ) )
a ( 4 ) = F R ( z L ( 4 ) )
B ( 4 ) = g L z R ( 4 ) e ( R , f ( z R ( 4 ) ) )
b ( 4 ) = F L ( z R ( 4 ) )
c ( 4 ) = H ( A ( 4 ) , B ( 4 ) , a ( 4 ) , b ( 4 ) )
( g ( 4 ) ) = g L c ( 4 ) g R G n
Q ( 4 ) = A ( 4 ) ( y ¯ ( 4 ) ) c ( 4 ) ( B ( 4 ) ) ( c ( 4 ) ) 2
F = c ( 4 ) F L + F R
( z ( 4 ) ) = z L ( 4 ) + c ( 4 ) z R ( 4 )
( z ( 4 ) )
if( ( z ( 4 ) ) Z q 4 ): ( ( g ( 4 ) ) ) ( z ( 4 ) ) e ( R , f ( ( z ( 4 ) ) ) )
= ? Q ( 4 ) ,
F ( ( z ( 4 ) ) ) = ?
a ( 4 ) + c ( 4 ) F + ( c ( 4 ) ) 2 b ( 4 )
elseRun
1 S P K ( 9 ) ( Q ( 4 ) , F ; ( z ( 4 ) ) , ψ )
with GIVEN PUBLIC: g
Do the loop until ( z ( 4 ) ) Z q 4
Table 13. Protocol 12 compression mechanism 1 S P K ( 16 ) for relation R f S P K ( 16 ) .
Table 13. Protocol 12 compression mechanism 1 S P K ( 16 ) for relation R f S P K ( 16 ) .
GIVEN PUBLIC: g
INPUT ( Q ( 4 ) , F ; ( z ( 4 ) ) , ψ )
Q ( 4 ) = g ( z ( 4 ) ) e ( R , f ( ( z ( 4 ) ) ) )
F = F ( ( z ( 4 ) ) )
P V
A = g R ( z ( 4 ) ) L e ( R , f ( ( z ( 4 ) ) L ) )
a = F R ( ( z ( 4 ) ) L )
B = g L ( z ( 4 ) ) R e ( R , f ( ( z ( 4 ) ) R ) )
b = F L ( ( z ( 4 ) ) R )
c 1 ( 4 ) = H ( A , B , a , b )
g = g L c 1 ( 4 ) g R G n / 2
( Q ( 4 ) ) = A ( Q ( 4 ) ) c 1 ( 4 ) ( B ) ( c 1 ( 4 ) ) 2
F = c 1 ( 4 ) F L + F R
( z ( 4 ) ) = ( z ( 4 ) ) L + c 1 ( 4 ) ( z ( 4 ) ) R
( z ( 4 ) )
( g ) ( z ( 4 ) ) e ( R , f ( ( z ( 4 ) ) ) ) = ? ( Q ( 4 ) ) ,
F ( ( z ( 4 ) ) ) = ? a + c 1 ( 4 ) F + ( c 1 ( 4 ) ) 2 b
Table 14. Data size and execution times of cryptographic operations.
Table 14. Data size and execution times of cryptographic operations.
NotationDescriptionSize/Times
| Z q | The size of the elements in Z q 32 bytes
| G | The size of the elements in G 64 bytes
| G T | The size of the elements in G T 64 bytes
T E One exponentiation computation0.0519 ms
T M One modular multiplication computation0.2169 ms
T A One modular addition computation0.0188 ms
T P One pairing computation5.1963 ms
hOne hash-to-point operation0.0165 ms
Table 15. Property comparisons between schemes.
Table 15. Property comparisons between schemes.
UnforgeabilityAnonymityNon-SlanderabilityOne-Time
Linkability
Mandatory
Revocability
[10]××
[12]×
[31]×
[29]×
[28]×
[24]×
[35]×
[34]×
[16]×
[18]×
[17]
CRORS
Table 16. Computational efficiency comparison.
Table 16. Computational efficiency comparison.
SchemeSignVerifyRevokeLink
[34]h+2 l T P +
( 2 n + 2 ) T M +
( n + 2 ) T A
l T P +h+ ( 2 n +
l ) T M + ( l n +
2 n ) T A + l T E
n T P -
[16]3h+ ( 5 n +
1 ) T E + ( 3 n
2 ) T M + ( n +
1 ) T A
3 h + 3 n T M
+ 5 n T E
+ n T A
4 h +
2 n T M +
2 n T E
h + T E
[31] h + ( 4 n 2 ) T E
+ ( 2 n 4 ) T M
+ ( n + 2 ) T A
h + ( 4 n + 4 ) T E
+ ( 2 n + 2 ) T M
+ ( n + 1 ) T A
- h + T E
[17](2n+1)h  + ( 8 n
1) T E + ( 5 n
1) T M +2 T A
8n  T E +
5 n T M +
2 n h
T M +
T E
h + T E
CRORS 4 l o g 2 ( 2 n ) h +
( 12 n l o g 2 ( 2 n ) + 4 n
+ 1 ) T E + ( 20 n
4 ) l o g 2 ( 2 n ) T M
+ 8 n l o g 2 ( 2 n ) T A
+ ( 2 n 1 ) T P
4 n l o g 2 ( 2 n ) T E
+ 4 l o g 2 ( 2 n ) T A
+ 6 l o g 2 ( 2 n ) T M
n T P T P
Table 17. Comparison between schemes.
Table 17. Comparison between schemes.
SchemeSignature Size
[34] ( 2 n + 1 ) | Z q | + ( l + 1 ) | G |
[16](2n+1) | Z q |
[31](2n) | Z q | +| G |
[17](2n+2) | Z q | +3 | G |
CRORS ( 8 l o g 2 ( 2 n ) 10 ) | G |+7| Z q |+| G T |
Table 18. Running times of CRORS.
Table 18. Running times of CRORS.
SchemeTime Cost in Sign (ms)Time Cost in Verify (ms)
n = 8n = 16n = 32n = 64n = 8n = 16n = 32n = 64
[34]14.649818.270625.512239.99549.403213.324821.16836.8544
[16]7.118414.550129.414459.14247.331114.612729.175958.3023
[31]4.3649.645920.213141.36015.958311.239921.803142.9295
[17]9.742919.739.622179.45028.9417.8835.7671.52
CRORS309.805569.7171310.124242957.704646.33687.9219.505211.0894
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Han, X.; Zhang, D. A Privacy-Preserving Reputation Evaluation System with Compressed Revocable One-Time Ring Signature (CRORS). Mathematics 2025, 13, 8. https://doi.org/10.3390/math13010008

AMA Style

Han X, Zhang D. A Privacy-Preserving Reputation Evaluation System with Compressed Revocable One-Time Ring Signature (CRORS). Mathematics. 2025; 13(1):8. https://doi.org/10.3390/math13010008

Chicago/Turabian Style

Han, Xu, and Dawei Zhang. 2025. "A Privacy-Preserving Reputation Evaluation System with Compressed Revocable One-Time Ring Signature (CRORS)" Mathematics 13, no. 1: 8. https://doi.org/10.3390/math13010008

APA Style

Han, X., & Zhang, D. (2025). A Privacy-Preserving Reputation Evaluation System with Compressed Revocable One-Time Ring Signature (CRORS). Mathematics, 13(1), 8. https://doi.org/10.3390/math13010008

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop