Ring Signature from Bonsai Tree: How to Preserve the Long-Term Anonymity

Signer-anonymity is a central feature of ring signatures (RS) which enable a user to sign messages on behalf of an arbitrary set of users, called the ring, without revealing exactly which member of that ring actually generated the signature. The strong and long-term signer-ambiguous is a reassuring guarantee for the user hesitating to leak a secret, especially if the consequences of an identification are dire in some scenarios such as whistleblowing. The unconditional ambiguity notion, which protects the signer-ambiguous even confront with an infinitely powerful adversary, is considered for RS which wants to achieve long-term signer-ambiguous. However, the existing works that consider the unconditional ambiguity notion did not comprehensively and strictly capture the unconditional ambiguity notion, and the existing lattice-based RS constructions analyzed the unconditional ambiguity only in the random oracle model. In this paper, we reformalize the unconditional ambiguity notion for RS, which comprehensively and strictly captures the security requirements imposed by the practice. Then we propose a lattice-based RS construction with unconditional ambiguity and prove the security (unforgeability and signer-ambiguous) in the standard model.