#### DMCA

## Secure ID-Based Linkable and Revocable-iff-Linked Ring Signature with Constant-Size Construction

### Citations

393 | Short Signatures Without Random Oracles
- Boneh, Boyen
- 2004
(Show Context)
Citation Context ...(q, t, )- SDH assumption holds in (G1,G2) if no t-time algorithm has advantage at least in solving the q-SDH problem in (G1,G2). The q-SDH assumption is shown to be true in the generic group model =-=[7]-=-. 3. Security Model 3.1. Definition The security definitions of ID-Based Linkable Ring Signature and IDBased Revocable-iff-Linked Ring Signature are very similar. Therefore we describe the security no... |

335 | Aggregate and Verifiably Encrypted Signatures from Bilinear Maps
- Boneh, Gentry, et al.
- 2003
(Show Context)
Citation Context ...his work is supported by ARC Future Fellowship FT0991397. Preprint submitted to Theoretical Computer Science April 23, 2012 Signatures 1. Introduction Ring Signature. A ring signature scheme (such as =-=[30, 1, 40, 8, 39, 17, 14]-=-) allows members of a group to sign messages on behalf of the group without any necessity to reveal their identities, i.e., providing signer anonymity. Additionally, it is impossible to decide whether... |

314 | Efficient group signature schemes for large groups.
- Camenisch, Stadler
- 1997
(Show Context)
Citation Context ..., providing signer anonymity. Additionally, it is impossible to decide whether two signatures have been issued by the same group member. In contrast to the notion of a group signature scheme (such as =-=[11, 10, 5]-=-), the group formation in a ring signature is spontaneous and there exists no group manager who is responsible for revoking the signer’s identity. That is, under the assumption that each user is alrea... |

157 | Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions
- Bellare, Micciancio, et al.
- 2003
(Show Context)
Citation Context ..., providing signer anonymity. Additionally, it is impossible to decide whether two signatures have been issued by the same group member. In contrast to the notion of a group signature scheme (such as =-=[11, 10, 5]-=-), the group formation in a ring signature is spontaneous and there exists no group manager who is responsible for revoking the signer’s identity. That is, under the assumption that each user is alrea... |

67 | 1-out-of-n signatures from a variety of keys,”
- Abe, Ohkubo, et al.
- 2002
(Show Context)
Citation Context ...his work is supported by ARC Future Fellowship FT0991397. Preprint submitted to Theoretical Computer Science April 23, 2012 Signatures 1. Introduction Ring Signature. A ring signature scheme (such as =-=[30, 1, 40, 8, 39, 17, 14]-=-) allows members of a group to sign messages on behalf of the group without any necessity to reveal their identities, i.e., providing signer anonymity. Additionally, it is impossible to decide whether... |

61 | M.: Threshold Ring Signatures and Applications to Ad-hoc Groups
- Bresson, Stern, et al.
- 2002
(Show Context)
Citation Context ...on group members can be totally unaware of being conscripted into the group. Applications of ring signature schemes include whistle blowing [30], anonymous membership authentication for ad hoc groups =-=[9]-=-, non-interactive deniable ring authentication [32], perfect concurrent signature [33] and multidesignated verifiers signature [22]. A “regular” ring signature is unlinkable. That is, no one can deter... |

54 |
Chaum and Eugène Van Heyst. Group signatures
- David
- 1991
(Show Context)
Citation Context ..., providing signer anonymity. Additionally, it is impossible to decide whether two signatures have been issued by the same group member. In contrast to the notion of a group signature scheme (such as =-=[11, 10, 5]-=-), the group formation in a ring signature is spontaneous and there exists no group manager who is responsible for revoking the signer’s identity. That is, under the assumption that each user is alrea... |

30 | Efficient Identity Based Ring Signature
- Chow, Yiu, et al.
- 2005
(Show Context)
Citation Context ...his work is supported by ARC Future Fellowship FT0991397. Preprint submitted to Theoretical Computer Science April 23, 2012 Signatures 1. Introduction Ring Signature. A ring signature scheme (such as =-=[30, 1, 40, 8, 39, 17, 14]-=-) allows members of a group to sign messages on behalf of the group without any necessity to reveal their identities, i.e., providing signer anonymity. Additionally, it is impossible to decide whether... |

29 | Constant-size dynamic k-TAA.
- Au, Susilo, et al.
- 2006
(Show Context)
Citation Context ...ledge. Following the same notation, the signature scheme corresponds to the protocol PK{(x) : y = gx} will be denoted as SPK{(x) : y = gx}(M). The Σ-protocol is inspired by the protocols described in =-=[4]-=-. Accumulators. An accumulator allows the representation of a set of elements, say, X = {x1, . . . , xn} by a short value v. For each element x in the set X , there exists a corresponding value wx, ca... |

17 | Unclonable group identification
- Damgard, Dupont, et al.
- 2006
(Show Context)
Citation Context ...nymity will be preserved in any circumstance. There are many applications for revocable-iff-linked ring signature. It can be applied in anonymous e-voting scheme [12], unclonable group identification =-=[15, 18]-=- and can be extended to k-times anonymous authentication [34, 18]. The scheme proposed by Au et al. [3] is in identity-based setting. However, it was later proven insecure [21]. The other secure schem... |

7 | Short linkable ring signatures revisited
- Au, Chow, et al.
- 2006
(Show Context)
Citation Context ...heme Signature ID anony. revoke Linking Size -based to PKG -iff-link Complexity Liu et al. [24] O(n) × N.A. × O(1) Tsang and Wei [37] O(1) × N.A. × O(1) Liu and Wong [26] O(n) × N.A. × O(1) Au et al. =-=[2]-=- O(1) × N.A. × O(1) Zheng et al. [41] O(n) × N.A. × O(1) Tsang et al. [38] O(n) × N.A. × O(n2) Tsang et al. [35] O(n) X X × O(n2) Chow et al. [13] O(1) X × × O(1) Fujisaki and Suzuki [19] O(n) × N.A. ... |

5 |
Benaloh and Michael de Mare. One-way accumulators: A decentralized alternative to digital sinatures (extended abstract
- Cohen
- 1993
(Show Context)
Citation Context ... corresponding value wx, called witness. Given v, x and wx, anyone can verify efficiently whether x is an element in the set that produces the accumulator value v. Accumulator was first introduced in =-=[6]-=-. Dodis et al. [16] illustrates how an accumulator can be used to construct constantsize ring signatures. Roughly, their idea is as follows. The signer produces a short value v, which is the accumulat... |

5 | Robust receipt-free election system with ballot secrecy and verifiability.
- Chow, Liu, et al.
- 2008
(Show Context)
Citation Context ...ng signatures can be linked if they are signed by the same signer. Linkable ring signatures are suitable in many different practical applications, such as ad-hoc network authentication [25], e-voting =-=[12]-=- and e-cash [36]. Regular ring signatures cannot be used for e-voting since any double votes remain undetectable as they are unlinkable. No one is able to find out whether any two signatures (with two... |

1 |
Tsz Hon Yuen. Constantsize id-based linkable and revocable-iff-linked ring signature
- Au, Liu, et al.
- 2006
(Show Context)
Citation Context ...f their group, while still keeping the actual signer anonymous to all the ‘outsiders’ (those who do not belong to the group). Revocable-iff-Linked Ring Signature.A Revocable-iff-Linked ring signature =-=[3, 19, 18]-=- ([19, 18] described the same context as “Traceable Ring Signature”) possesses the normal properties of a linkable ring signature. In addition, if two sigantures are linked (generated by the same user... |

1 |
Tsz Hon Yuen. Escrowed linkability of ring signatures and its applications
- Chow, Susilo
- 2006
(Show Context)
Citation Context ...with Revocableiff-Linked as an option. Our scheme has the following merits: 1. There are only 2 secure ID-based Linkable Ring Signature schemes. When compared to the first one proposed by Chow et al. =-=[13]-=-, our scheme achieves a higher level of anonymity. In our scheme, even the PKG cannot tell who is the actual signer. On the other side, the PKG in [13] can easily compute the signer of any given signa... |