Open Access
Wuhan Univ. J. Nat. Sci.
Volume 28, Number 4, August 2023
Page(s) 317 - 323
Published online 06 September 2023

© Wuhan University 2023

Licence Creative CommonsThis is an Open Access article distributed under the terms of the Creative Commons Attribution License (, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

0 Introduction

In some special applications today, based on computational intelligence[1,2], identity authentication requires anonymous authentication to protect user's privacy information[3]. Anonymous authentication is divided into unconditional anonymous authentication and traceable anonymous authentication. Unconditional anonymous authentication can verify that the user belongs to an anonymous set, but the user's true identity cannot be obtained. At the same time, criminals often use unconditional anonymity to engage in criminal activities, since their true identity cannot be traced, they cannot be punished. In order to prevent illegal and criminal activities from being unable to trace their true identity, traceable anonymous authentication schemes have emerged.

Anonymous authentication is often accompanied by anonymous signature. Using ring signature[4], with the help of an administrator and a verifier, Tian et al[5] can trace the privacy identity of the authenticator. But the program only needs an administrator and a verifier to complete the tracing, which increases the risk of conspiracy attack. Using the democratic group signature[6], Liu et al[7] can trace the authenticator's privacy identity through cooperation with members whose number exceeds the threshold. However, the anonymous set size of the scheme is the total number of members n, and the authenticator cannot choose the anonymous set on its own. By using 1/n signature[8], the authenticator can independently choose the anonymous set, so Yin et al[9] can threshold trace the authenticator's privacy identity.

Anonymous authentication first needs to ensure the anonymity of users, and in some special applications, it is necessary to verify whether the identity authentication of the same person is the same in different occasions without disclosing the user's real identity. For example, anonymous electronic voting not only needs to ensure the anonymity of the voter's identity, but also needs to avoid repeated voting. But none of the above traceable anonymous authentication schemes have this linkable authentication. If the linkablity feature of ring signature is applied to anonymous authentication, linkable authentication can be achieved. Beullens et al[10] constructed linkable ring signatures (LRS) from isogeny and lattice assumptions. However, either the speed of isogeny-based LRS is relatively slow,or the lattice based LRS has larger signatures. Liu et al[11] proposed a linkable spontaneous anonymous group (LSAG) signature scheme, which enables two signatures of the same signer to be linked. In addition, they demonstrated the security of the signature using an improved bifurcation lemma. In this paper, based on the LSAG signature scheme, a selective linkable threshold tracing anonymous authentication scheme is proposed.

Based on the decisional Diffie-Hellman (DDH) assumption and discrete logarithm assumption, the proposed scheme can achieve linkable authentication without disclosing the user's real identity. The main contributions of this paper can be summarized as follows:

1) By embedding the linkable label to the authentication signature, the proposed scheme can achieve linkable authentication.

2) By using threshold joint tracing, the proposed scheme can realize anonymous tracing.

3) By the simulation experiment, the implementation time of the proposed scheme is slightly better than other similar schemes. Based on the DDH assumption and discrete logarithm assumption, the security of the scheme has been proven in the scheme analysis.

The rest of this paper is organized as follows. Some relevant basic theories are proposed in Section 1. A new anonymous authentication scheme is introduced in Section 2. Security analysis is provided in Section 3. Further analysis is performed in Section 4 and the conclusion is made in Section 5.

1 Preliminary

1.1 DDH Assumption

Let be a cyclic group of prime order q, which is determined by some security parameter n. For sufficient large q, define two 4-tuples and , where . The DDH problem is to distinguish the two tuples.

A probabilistic polynomial time (PPT) distinguisher D's advantage is defined as

If the advantage of any distinguisher is negligible in n, we say that the DDH assumption holds.

1.2 Linkable Ring Signature

Assuming that n users make up the ring , the public/private key pair for each user in the ring is , signer uses its own private key and the public key collection of all members to generate a ring signature on message m.

1) Ring signature generation algorithm

Enter the message m, public key set UA, the private key of signer , and add the linkable label . Output linkable ring signature .

2) Ring signature verification algorithm

Enter output 0 or 1. 0 indicates that the signature is invalid, and 1 indicates that the signature is valid. The linkable ring signature needs to meet the following properties.

Correctness: Any member of the ring can execute the ring signature generation algorithm and pass the ring signature verification algorithm.

Anonymity: The probability of identifying ring membership by ring signature is less than 1/n, that is, ring membership remains anonymous.

Unforgeability: Illegal members falsify the signature of signer , thus it is impossible to verify the algorithm by linkable ring signature.

Linkability: If two signatures

have the same linkable label , it can be judged that the two signatures were signed by the same signer.

2 Proposed Anonymous Authentication Scheme

2.1 System Initialization

n members make up a collection of , exposing {p,q,g,t,H,}. Among them, p and q are large prime numbers, and , g is the q-order element on , t is the threshold value, H is one-way hash function, is the identity of the member .

Step 1   Each randomly selects the secondary polynomial , exposes the polynomial coefficient commitment , calculates , and sends it to via a secure channel, retaining the .




Step 2   checks the correctness of through formula (4) , calculates the private key according to formula (5) and keeps secret, will be disclosed as the public key. Other members can verify the correctness of through the formula (7).





2.2 Anonymous Authentication

Suppose the message that needs to be signed is , and the public key set is . The authenticator uses the private key and the public key set UA to generate the signature σ using the linkable ring signature[11], and sends σ to the verifier . If the result outputs 1, belongs to the collection U, otherwise it does not belong to the collection U. The authentication process consists of two algorithms: signature generation and signature authentication.

1) Signature generation

The authenticator follows the steps below.

Step 1   Select random number , calculate and expose , and linkable label .




Step 2   For , select random number and secure Hash function , calculate .


For , select random number , calculate , make .


Step 3   Calculate .


Step 4   Generate the signature and send it to the verifier .


2) Signature authentication

The verifier receives the signature , and verifies the correctness of the ring signature.

For , is calculated in (15) and is calculated in accordance with the formula (16). If the formula (17) is established and the signature is correct, belongs to set U, output 1. Otherwise, does not belong to set U, output 0.




2.3 Linkable Authentication

In different situations, the authenticator may produce a different signature. To prevent consistency attacks, two different signatures need to be non-related. However, on special occasions, such as anonymous electronic voting systems, anonymous authentication requires linkable authentication in order to prevent duplicate voting.

Two different authentication signatures are and .



If the authenticator uses the same , anonymous authentication is relevant. Otherwise, it is not. The authenticator determines whether the anonymous identity is relevant by verifying that two different anonymous authentications have the same .

2.4 Anonymous Tracing

Linkable authentication can only prove whether two authentication are relevant and does not obtain the true identity of the authenticator. In some cases, the anonymous identity of the authenticator also needs to be traced. For example, in the anonymous electronic voting system, some users use anonymous identities to repeatedly vote. At this time, it is necessary to trace the anonymous identities of such users. In order to prevent random tracing, this scheme uses threshold joint tracing.

Assume that the t members consist of an anonymous trace set , and follow the steps below.

Step 1   Use private key and to jointly calculate .


In the formula,


Step 2   Query the public , calculate the identity information of the authenticator according to formula (22).


3 Characteristics Analysis

Theorem 1   (Anonymous authentication) Under DDH assumption, the authenticator's anonymous identity can pass authentication.

Proof   It is available by formula (12), when ,

When , it is available by formula (11) and (13),

It can be seen that is consistent with , that is, the sequence is consistent during the generation and authentication of ring signatures, so there is

formula (17) is valid, can pass authentication.

During the signature generation process, the contained in the signature sent by the authenticator is randomly selected and evenly distributed on . Therefore, the probability that the verifier calculates the true identity of the authenticator from the authentication signature is which is negligible. That is, the authenticator's identity can pass anonymous authentication.

Theorem 2   (Signature unforgeability) Under adaptive chosen message and selective public key attack, signature generation satisfies unforgeability.

Proof   Referring to the non-counterfeiting proof method[12], it is assumed that there is a probabilistic polynomial algorithm PPT, a stochastic predictor , and a signature prophecy machine . Counterfeiter A can simulate signature prophecy machine through PPT simulator sim, get each , and in line with the signature prophecy machine prophecy. Because the private key cannot be obtained, A only uses and to simulate the signature generation process, and generate a signature . A follows the steps below.

Step 1   Randomly select , and compute and .

Step 2   For , randomly select , calculate , . Among them, let .

Step 3   Let , find , and then find .

Step 4   Output signature

When A forges signature , it is necessary to inquire n times , . A's inquiry about is negligible. Assuming that q-th are the n inquiries that satisfy the consistency with the validation equation, where is an inquiry into the stochastic predictor satisfying , k is a gap in the ring signature . So, A forges signature for (q,k)-forged signature.

At the beginning of the simulation, A selects a pair(q,k) through sim, and can query the stochastic predictor up to times, and the signature prophecy machine can be asked for up to times. Within the time , A takes the probability to ensure that the q-th query is in accordance with the authentication process, and receives

where , is a polynomial function, and can only carry on polynomial secondary growth under the security parameter k.

When asked about , authentication-related queries have occurred and the sim returns the value of . Let , A finds , then A finds from , and finally creates ring signature

However, we found that the signature forgery process is in contradiction with the difficulty in solving discrete logarithm. Therefore, the signature generation satisfies unforgeability.

Theorem 3   (Linkable authentication) For a signature , forger A is unlikely to falsify another signature associated with the same linkable label of the authenticator .

Proof   Based on the understanding of linkability in Section 2.3, if the of two signatures are the same, the two signatures are relevant. Under normal circumstances, when anonymous authentication occurs, if the two generated signatures need to be linkable, the authenticator will choose the same by himself. Therefore, the main task of the proof is that the forger A cannot falsify another signature with the same associated with the identity of the authenticator.

As can be seen from Theorem 2, non-ring members can not falsify the legal signature, so the following is mainly to prove that other members outside the ring can not falsify the legal signature associated with the authenticator.

Known the authenticator has produced a legitimate signature , forger A forged the signature , associated with . From the proof of Theorem 2, A needs to find from , which is in contradiction with the difficulty in solving discrete logarithm at the present stage. Therefore, the anonymous authentication of this scheme has linkable authentication.

Theorem 4   (Threshold traceability) The threshold number of members can jointly trace the identity of the authenticator.

When the identity of the authenticator needs to be traced, each member of t tracing members use the private key and the identification to jointly calculate Ek, the identity of is obtained by the formula (22). According to (20), (8), (21), (3), we have

By (22) and (9), we get

4 Further Analysis

4.1 Property Comparison

Compared with the threshold traceable anonymous authentication scheme mentioned in the preface, the proposed scheme has the properties of anonymous authentication, signature unforgeability, threshold traceability, linkable authentication, as shown in Table 1.

Table 1

Property comparison

4.2 Computational Cost Comparison

The following mainly compares this scheme with Liu et al's scheme[7] and Yin et al's scheme[9] at the computational cost. Assuming that Texp represents the calculation cost of the modulus index, Tmul represents the cost of the modulus multiplication calculation, and the time complexity of the modulus plus, XOR, or other operations is quite small and negligible. n is the number of members, t is the threshold value, and d is the size of the anonymous collection. In the initialization stage, both the proposed scheme and Liu et al's schemeadopt the secret sharing method without trusted center to compute member's private and public keys at the cost of , while Yin et al's scheme allows members to choose their own keys and then collaborate to generate the system's key at the cost of . In the anonymous authentication stage, the proposed scheme uses the linkable ring signature, and the calculation cost is . In the anonymous tracing stage, the proposed scheme uses threshold tracing, and the calculation cost is . See Table 2 for details.

The data in Table 2 shows that the calculation cost of this scheme is similar to that of Liu et al's scheme at various stages, and the anonymous authentication stage is even smaller. On the premise of similar calculation cost, this scheme also has linkable authentication, which is more suitable for special applications such as anonymous electronic voting.

Table 2

Computational cost comparison

4.3 Simulation Experiment

By the simulation experiment, the proposed scheme is compared with Liu et al's scheme[7] and Yin et al's scheme[9] for execution time. The elliptic curve [13] with the finite field is chosen, where p is a large prime number of 512 bits. The hardware of the simulation is i3-8100T CPU, 8 GB RAM and the software is Windows 10 64 bits OS, codeblocks-17.12 software. The execution time of the three schemes is shown in Fig.1. Figure 1(a) shows the execution time required for anonymous authentication, and Fig.1(b) shows the execution time required for anonymous tracing.

thumbnail Fig. 1

Execution time for three schemes

From Fig.1(a), we can see that in the anonymous authentication process, the execution time of the proposed scheme is slightly longer than that of Yin et al's scheme, but much shorter than that of Liu et al's. Figure 1(b) shows that the execution time of anonymous tracing in the proposed scheme is shorter than that of the other two schemes. Therefore, the implementation time of the proposed scheme is slightly better than that of the other two schemes.

5 Conclusion

The selectively linkable threshold tracing anonymous authentication scheme proposed in this paper, with the help of the linkable ring signature, adds the linkable tag to the authentication signature, which can not only can realize the threshold tracing, but also realize linkable authentication. In the special application of anonymous authentication and linkable authentication, such as anonymous electronic voting, this scheme has a good application prospect.


  1. Yang J Q, Chen C H, Li J Y, et al. Compressed-encoding particle swarm optimization with fuzzy learning for large-scale feature selection[J]. Symmetry, 2022, 14(6): 1142. [NASA ADS] [CrossRef] [Google Scholar]
  2. Tang Y M, Pan Z F, Pedrycz W, et al. Viewpoint-based kernel fuzzy clustering with weight information granules[J]. IEEE Transactions on Emerging Topics in Computational Intelligence, 2023, 7(2): 342-356. [CrossRef] [Google Scholar]
  3. Ateniese G, Herzberg A, Krawczyk H, et al. Untraceable mobility or how to travel incognito[J]. Computer Networks, 1999, 31(8):871-884. [CrossRef] [Google Scholar]
  4. Rivest R L, Shamir A, Tauman Y. How to leak a secret[C]// Proceedings of ASIACR-YPT'01. Berlin: Springer-Verlag, 2001: 552-565. [Google Scholar]
  5. Tian Z J, Wang J L, Wu Y X. A dynamic anonymous authentication scheme with identity escrow[J]. Journal of Electronics & Information Technology, 2005, 27(11):1737-1740. [Google Scholar]
  6. Manulis M.Democratic group signature: On an example of joint ventures[C]// Proceedings of ACM Symposium on Information, Computer and Communications Security. New York: ACM Press, 2006: 191-196. [Google Scholar]
  7. Liu F B, Zhang K, Li H, et al. Threshold traceability anonymous authentication scheme without trusted center for adhoc network[J]. Journal of Communications, 2012, 33(8): 208-213. [Google Scholar]
  8. Abe M, Ohkubo M, Suzuki K. 1-out-of-n signatures from a variety of keys[C]// Proceedings of ASIACRYPT'02. Berlin:Springer-Verlag, 2002: 415-423. [Google Scholar]
  9. Yin F M, Hou Z F, Pu G N. Self-selecting share threshold traceable anonymous authentication scheme[J]. Journal of Wuhan University (Natural Science Edition), 2015, 61(6): 549-553. [MathSciNet] [Google Scholar]
  10. Beullens W, Katsumata S, Pintore F. Calamari and falafl: logarithmic (linkable) ring signatures from isogenies and lattices[C]// Advances in Cryptology-ASIACRYPT 2020. Cham:Springer-Verlag, 2020: 464-492. [MathSciNet] [Google Scholar]
  11. Liu J K, Wei V K, Wong D S. Linkable spontaneous anonymous group signature for ad hoc groups[C]// Australasian Conference on Information Security and Privacy. Berlin: Springer-Verlag, 2004: 325-335. [Google Scholar]
  12. Zhang W F, Xiong D,Wang X M, et al. Selectively linkable and convertible ring signature based on RSA public key cryptosystem[J]. Chinese Journal of Computers, 2017, 40(5): 1168-1180. [MathSciNet] [Google Scholar]
  13. Ming Y, Shen X Q. PCPA: A practical certificateless conditional privacy preserving authentication scheme for vehicular ad hoc networks[J]. Sensors, 2018, 18(5): 1573-1596. [CrossRef] [PubMed] [Google Scholar]

All Tables

Table 1

Property comparison

Table 2

Computational cost comparison

All Figures

thumbnail Fig. 1

Execution time for three schemes

In the text

Current usage metrics show cumulative count of Article Views (full-text article views including HTML views, PDF and ePub downloads, according to the available data) and Abstracts Views on Vision4Press platform.

Data correspond to usage on the plateform after 2015. The current usage metrics is available 48-96 hours after online publication and is updated daily on week days.

Initial download of the metrics may take a while.