How to Leak a Secret: Theory and Applications of Ring Signatures

In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).
