## How to leak a secret: Theory and applications of ring signatures (2006)


Venue: Essays in Theoretical Computer Science: in Memory of Shimon Even, volume 3895 of LNCS Festschrift

Citations: 6 - 0 self

### BibTeX

```bibtex
@INPROCEEDINGS{Rivest06howto,
    author = {Ronald L. Rivest and Adi Shamir and Yael Tauman},
    title = {How to leak a secret: Theory and applications of ring signatures},
    booktitle = {Essays in Theoretical Computer Science: in Memory of Shimon Even, volume 3895 of LNCS Festschrift},
    year = {2006},
    publisher = {Springer-Verlag}
}
```

### Abstract

In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).

### Citations

3048 | A method for obtaining digital signatures and public-key cryptosystems - Rivest, Shamir, et al. - 1978 |
Citation Context ..., $A_2, \ldots, A_r$, where the signer Alice is $A_s$, for some value of $s$, $1 \le s \le r$. To simplify the presentation and proof, we first describe a ring signature scheme in which all the ring members use RSA [RSA78] as their individual signature schemes. The same construction can be used for any other trapdoor one way permutation, but we have to modify it slightly in order to use trapdoor one way functions (as i...

2830 | New Directions in Cryptography - Diffie, Hellman - 1976 |
Citation Context ...verse permutation $f_i^{-1}$ efficiently, using trapdoor information (i.e., $f_i^{-1}(y) = y^{d_i} \pmod{n_i}$, where $d_i = e_i^{-1} \pmod{\phi(n_i)}$ is the trapdoor information). This is the original Diffie-Hellman model [DH76] for public-key cryptography. Extending trapdoor permutations to a common domain. The trapdoor RSA permutations of the various ring members will have domains of different sizes (even if all the moduli ...

1386 | Random oracles are practical: a paradigm for designing efficient protocols - Bellare, Rogaway - 1993 |
Citation Context ...ryption per ring member both to generate and to verify such signatures). The resultant signatures are unconditionally signer-ambiguous and secure in the random oracle model. This model, formalized in [BR93], assumes that all parties have oracle access to a truly random function. There have been several followup papers on the theory and applications of ring signatures. We summarize these results in Secti...

1250 | Untraceable electronic mail, return addresses, and digital pseudonyms - Chaum - 1981 |

458 | The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability - Chaum - 1988 |

296 | How to construct pseudo-random permutations from pseudo-random functions - Luby, Rackoff - 1988 |
Citation Context ...cess to each $g_i$, and to $E_k$) if the adversary can’t invert any of the trapdoor functions $g_1, g_2, \ldots, g_r$. For example, the function $C_{k,v}(y_1, y_2, \ldots, y_r) = y_1 \oplus y_2 \oplus \cdots \oplus y_r$ (where $\oplus$ is the exclusive-or operation on b-bit words) satisfies the first two of the above c... (Footnote 1: It was shown in [LR88] that the ideal cipher model can always be reduced to the random oracle model (with some efficiency loss).)

276 | Proofs of partial knowledge and simplified design of witness hiding protocols - Cramer, Damgård, et al. - 1994 |
Citation Context ...putations. Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or ve...

187 | Foundations of Cryptography - Volume 2 (Basic Applications) - Goldreich - 2004 |

170 | Onion routing for Anonymous and Private Internet Connections - Goldschlag, Reed, et al. - 1999 |

141 | Designated verifier proofs and their applications - Jakobsson, Sako, et al. - 1996 |
Citation Context ...e scheme” which can authenticate messages to their intended recipients without having the nonrepudiation property. This concept was first introduced by Jakobsson, Sako and Impagliazzo at Eurocrypt 96 [JSI96]. A typical application is to enable users to authenticate casual emails without being legally bound to their contents. For example, two companies may exchange drafts of proposed contracts. They wish ...

77 | ID-based blind signature and ring signature from pairings - Zhang, Kim - 2002 |
Citation Context ...specially desirable in applications which involve a large number of public keys in each execution, such as ring signatures. The first to construct an ID-based ring signature scheme were Zhang and Kim [ZK02]. Its security was analyzed in [Her03], based on bilinear pairings in the Random Oracle Model. Subsequent constructions of ID-based ring signatures appear in [HS04b,LW03a,AL03,TLW03,CYH04]. Identity-b...

60 | Identity based cryptosystems and signature schemes - Shamir - 1984 |
Citation Context ...g are [Wei04,KT03,WFLW03] (where security is proved in the Random Oracle Model). Identity-based Ring Signature Schemes. Shamir introduced in 1984 the concept of Identity-based (ID-based) cryptography [Sha84]. The idea is that the public-key of a user can be publicly computed from his identity (for example, from a complete name, an email or an IP address). ID-based schemes avoid the necessity of certifica...

54 | 1-out-of-n signatures from variety of keys - Abe, Ohkubo, et al. - 2002 |
Citation Context ...mes. A ring signature scheme is said to be separable if all participants can choose their keys independently with different parameter domains and for different types of signature schemes. Abe et al. [AOS02] were the first to address the problem of constructing a separable ring signature scheme. They show how to construct a ring signature scheme from a mixture of both trapdoor-type signature schemes (suc...

46 | Anonymous identification in ad-hoc groups - Dodis, Kiayias, et al. - 2004 |
Citation Context ...constructing accountable ring signatures. The framework is based on a compiler that transforms a traditional ring signature scheme into an accountable one. Short Ring Signature Schemes. Dodis et al. [DKNS04] were the first to construct a ring signature scheme in which the length of an “actual signature” is independent of the size of the ad hoc group (where an “actual signature” does not include the group...

45 | Threshold ring signatures and applications to ad-hoc groups - Bresson, Stern, et al. - 2002 |
Citation Context ...s truly random answers to new queries of the form $E_k(x)$ and $E_k^{-1}(y)$, provided only that they are consistent with previous answers and with the requirement that $E_k$ be a permutation. It was shown in [BSS02] that the ideal cipher model can be reduced to the random oracle model without almost any efficiency loss.¹ For simplicity we use the ideal cipher model in this presentation. 4.3 Hash functions. We as...

44 | Group signatures - Chaum, van Heyst - 1991 |
Citation Context ...r-ambiguous signature scheme, group signature scheme, designated verifier signature scheme. 1 Introduction. The general notion of a group signature scheme was introduced in 1991 by Chaum and van Heyst [CV91]. In such a scheme, a trusted group manager predefines certain groups of users and distributes specially designed keys to their members. Individual members can then use these keys to anonymously sign ...

41 | On Monotone Formula Closure of SZK - De Santis, Di Crescenzo, et al. - 1994 |
Citation Context ...l. [CDS94] show how to produce witness-indistinguishable interactive proofs. Such proofs could be combined with the Fiat-Shamir technique to produce ring signature schemes. Similarly, DeSantis et al. [SCPY94] show that interactive SZK for random self-reducible languages are closed under monotone boolean operations, and show the applicability of this result to the construction of a ring signature scheme (a...

31 | Deniable Ring Authentication - Naor |
Citation Context ...ny $x_i$ (including $x_s$) has a pre-image under $f$. 7 Followup Papers. In this section we summarize the followup papers on the theory and applications of ring signatures. Deniable Ring Signature Schemes. In [Na02] Naor defined the notion of Deniable Ring Authentication. This notion allows a member of an ad hoc subset of participants (a ring) to convince a verifier that a message m is authenticated by one of th...

26 | Linkable spontaneous anonymous group signature for ad hoc groups - Liu, Wei, et al. - 2004 |
Citation Context ...ignature schemes (such as Discrete Log based). This was extended in [LWW03] to the threshold setting. Linkable Ring Signature Schemes. The notion of linkable ring signatures, introduced by Liu et al. [LWW04], allows anyone to determine if two ring signatures are signed by the same group member. In [LWW04] they also presented a linkable ring signature scheme that can be extended to the threshold setting. ...

22 | Digitized Signatures as Intractable as Factorization - Rabin - 1979 |
Citation Context ...he same construction can be used for any other trapdoor one way permutation, but we have to modify it slightly in order to use trapdoor one way functions (as in, for example, Rabin’s signature scheme [Rab79]). 4.1 RSA trapdoor permutations. Each ring member $A_i$ has an RSA public key $P_i = (n_i, e_i)$ which specifies the trapdoor one-way permutation $f_i$ of $\mathbb{Z}_{n_i}$: $f_i(x) = x^{e_i} \pmod{n_i}$. We assume that only $A_i$ know...

20 | Identity-based Chameleon Hash and Applications - Ateniese, Medeiros |
Citation Context ...be associated with a pair of secret and public keys (corresponding to the chameleon hash family). They then showed in [SM04] how to use any ring signature scheme and an ID based chameleon hash family [AM04] to construct a deniable ring signature scheme. In this construction the verifier is only assumed to have his ID published. Threshold and General Access Ring Signature Schemes. A t-threshold ring sign...

20 | Efficient identity based ring signature - Chow, Yiu, et al. |

16 | Separable linkable threshold ring signatures - Tsang, Wei, et al. |

14 | ID-based Ring Signature and Proxy Ring Signature Schemes from Bilinear Pairings - Awasthi, Lal - 2007 |

14 | A Separable Threshold Ring Signature Scheme - Liu, Wei, et al. - 2003 |
Citation Context ...to construct a ring signature scheme from a mixture of both trapdoor-type signature schemes (such as RSA based) and three-move-type signature schemes (such as Discrete Log based). This was extended in [LWW03] to the threshold setting. Linkable Ring Signature Schemes. The notion of linkable ring signatures, introduced by Liu et al. [LWW04], allows anyone to determine if two ring signatures are signed by th...

12 | An Introduction to the Theory of Numbers. Oxford, fifth edition - Hardy, Wright - 1979 |
Citation Context ...o exist in other natural combining functions such as addition mod $2^b$. Assume that we use the RSA trapdoor functions $g_i(x_i) = x_i^3 \pmod{n_i}$ where all the moduli $n_i$ have the same size $b$. It is known [HW79] that any nonnegative integer $z$ can be efficiently represented as the sum of exactly nine nonnegative integer cubes $x_1^3 + x_2^3 + \ldots + x_9^3$. If $z$ is a b-bit target value, we can expect each one of ...

11 | New identity-based ring signature schemes - Herranz, Saez |

7 | On the RS-code construction of ring signature schemes and a threshold setting - Wong, Fung, et al. - 2003 |

6 | Non-interactive Deniable Ring Authentication - Susilo, Mu |
Citation Context ...ing authentication based on any secure encryption scheme. The scheme is interactive. Susilo and Mu [SM03,SM04] constructed non interactive deniable ring authentication protocols. They first showed in [SM03] how to use any ring signature scheme and a chameleon hash family to construct a deniable ring signature scheme. In this construction the verifier is assumed to be associated with a pair of secret and...

5 | Verifiable ring signature - Lv, Wang |
Citation Context ...n be extended to the threshold setting. Their construction was improved in [TWC+04], who presented a separable linkable threshold ring signature scheme. Verifiable Ring Signature Schemes. Lv and Wang [LW03b] formalized the notion of verifiable ring signatures, which has the following additional property: if the actual signer is willing to prove to a recipient that he signed the signature, then the recipi...

4 | Deniable Ring Authentication Revisited - Susilo, Mu - 2004 |
Citation Context ...a deniable ring signature scheme. In this construction the verifier is assumed to be associated with a pair of secret and public keys (corresponding to the chameleon hash family). They then showed in [SM04] how to use any ring signature scheme and an ID based chameleon hash family [AM04] to construct a deniable ring signature scheme. In this construction the verifier is only assumed to have his ID publi...

3 | Forking Lemmas in Ring Signatures’ Scenario - Herranz, Sáez - 2003 |

3 | Threshold Ring Signature Scheme Based on the Curve - Kuwakado, Tanaka - 2003 |

2 | A formal proof of security of Zhang and Kim's ID-based ring signature scheme - Herranz - 2003 |
Citation Context ...hich involve a large number of public keys in each execution, such as ring signatures. The first to construct an ID-based ring signature scheme were Zhang and Kim [ZK02]. Its security was analyzed in [Her03], based on bilinear pairings in the Random Oracle Model. Subsequent constructions of ID-based ring signatures appear in [HS04b,LW03a,AL03,TLW03,CYH04]. Identity-based Threshold Ring Signature Schemes....

2 | Ring authenticated encryption: a new type of authenticated encryption - Lv, Ren, et al. - 2004 |
Citation Context ...om Oracle Model assuming the existence of accumulators with one-way domain (which in turn can be based on the Strong RSA Assumption). Ring Authenticated Encryption. An authenticated encryption scheme [LRCK04] allows the verifier to recover and verify the message simultaneously. Lv et al. [LRCK04] introduced a new type of authenticated encryption, called ring authenticated encryption, which loosely speakin...

2 | A Bilinear Spontaneous Anonymous Threshold Signature for Ad Hoc Groups, Cryptology ePrint Archive - Wei |

2 | Accountable ring signatures: a smart card approach - Xu, Yung |
Citation Context ...hoosing the $x_i$ values for the non-signers in a pseudorandom rather than a truly random way. Accountable Ring Signature Schemes. An accountable ring signature scheme, a notion introduced by Xu and Yung [XY04], ensures the following: anyone can verify that the signature is generated by a user belonging to a set of possible signers (that may be chosen on-the-fly), whereas the actual signer can nevertheless ...

1 | Aggregate and Verifiably Encrypted Signatures from Bilinear Maps - Boneh, Gentry, et al. |

1 | Efficient and Generalized Group Signatures - Camenisch |
Citation Context ...gnatures or multiparty constructions, which are quite inefficient. For example, Chaum et al. [CV91]’s schemes three and four, and the two signature schemes in Definitions 2 and 3 of Camenisch’s paper [Cam97] can be viewed as ring signature schemes. However the former schemes require zero-knowledge proofs with each signature, and the latter schemes require as many modular exponentiations as there are memb...

1 | Identity Based Threshold Ring Signature - Chow, Hui, Yiu |

1 | Ring Signature Schemes for General Ad-Hoc Access Structures - Herranz, Saez |
Citation Context ...ature scheme. His scheme is interactive and its security is based only on the existence of secure encryption schemes. There have been subsequent works which consider the general access scenario, such as [HS04a]. The work of Bresson et al. [BSS02] contains a construction of a threshold ring signature scheme (proven secure in the Random Oracle Model under the RSA Assumption). Subsequent works which consider ...

1 | Distributed Ring Signatures for Identity-Based Scenarios - Herranz, Saez |
Citation Context ...reshold Ring Signature Schemes. ID-based threshold ring signature schemes proven secure in the Random Oracle Model, under the bilinear pairings were constructed in [CHY04,HS04c]. This was extended in [HS04c], to a general access setting, where any subset of users S can cooperate to compute an anonymous signature on a message, on behalf of any family of users that includes S. Separable Ring Signature Sche...

1 | An Identity Based Ring Signature Scheme from Bilinear Pairings - Lin, Wu - 2003 |

1 | An Improved Identity-Based Ring Signature Scheme from Bilinear Pairings - Tang, Liu, et al. - 2003 |