Ring signature

Last updated February 25, 2024

In cryptography, a ring signature is a type of digital signature that can be performed by any member of a set of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature. Ring signatures are similar to group signatures but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.

Definition

Suppose that a set of entities each have public/private key pairs, (P₁, S₁), (P₂, S₂), ..., (P_n, S_n). Party i can compute a ring signature σ on a message m, on input (m, S_i, P₁, ..., P_n). Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P₁, ..., P_n. If a ring signature is properly computed, it should pass the check. On the other hand, it should be hard for anyone to create a valid ring signature on any message for any set without knowing any of the private keys for that set.^[2]

Applications and modifications

Behaviour of the Rivest, Shamir, Tauman ring signature scheme Ring-signature.svg — Behaviour of the Rivest, Shamir, Tauman ring signature scheme

In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret. For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking White House official", without revealing which official signed the message. Ring signatures are right for this application because the anonymity of a ring signature cannot be revoked, and because the group for a ring signature can be improvised.

Another application, also described in the original paper, is for deniable signatures. Here the sender and the recipient of a message form a group for the ring signature, then the signature is valid to the recipient, but anyone else will be unsure whether the recipient or the sender was the actual signer. Thus, such a signature is convincing, but cannot be transferred beyond its intended recipient.

There were various works, introducing new features and based on different assumptions:

Threshold ring signatures: ^[3] Unlike standard "t-out-of-n" threshold signature, where t of n users should collaborate to decrypt a message, this variant of a ring signature requires t users to cooperate in the signing protocol. Namely, t parties (i₁, i₂, ..., i_t) can compute a (t, n)-ring signature, σ, on a message, m, on input (m, S_i₁, S_i₂, ..., S_{i_t}, P₁, ..., P_n).
Linkable ring signatures: ^[4] The property of linkability allows one to determine whether any two signatures have been produced by the same member (under the same private key). The identity of the signer is nevertheless preserved. One of the possible applications can be an offline e-cash system.
Traceable ring signature: ^[5] In addition to the previous scheme the public key of the signer is revealed (if they issue more than one signatures under the same private key). An e-voting system can be implemented using this protocol.

Efficiency

Most of the proposed algorithms have asymptotic output size $O(n)$ ; i.e., the size of the resulting signature increases linearly with the size of input (number of public keys). That means that such schemes are impracticable for real use cases with sufficiently large $n$ (for example, an e-voting with millions of participants). But for some application with relatively small median input size such estimate may be acceptable. CryptoNote implements $O(n)$ ring signature scheme by Fujisaki and Suzuki^[5] in p2p payments to achieve sender's untraceability.

More efficient algorithms have appeared recently. There are schemes with the sublinear size of the signature,^[6] as well as with constant size.^[7]

Implementation

Original scheme

The original paper describes an RSA based ring signature scheme, as well as one based on Rabin signatures. They define a keyed "combining function" $C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ which takes a key $k$ , an initialization value $v$ , and a list of arbitrary values $y_{1},\dots y_{n}$ . $y_{i}$ is defined as $g_{i}(x_{i})$ , where $g_{i}$ is a trap-door function (i.e. an RSA public key in the case of RSA based ring signatures).

The function $C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ is called the ring equation, and is defined below. The equation is based on a symmetric encryption function $E_{k}$ :

C_{k,v}(y_{1},y_{2},\dots ,y_{n})=E_{k}(y_{n}\oplus E_{k}(y_{n-1}\oplus E_{k}(\dots \oplus E_{k}(y_{1}\oplus v)\dots )))

It outputs a single value $z$ which is forced to be equal to $v$ . The equation $v=C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ can be solved as long as at least one $y_{i}$ , and by extension $x_{i}$ , can be freely chosen. Under the assumptions of RSA, this implies knowledge of at least one of the inverses of the trap door functions $g_{i}^{-1}$ (i.e. a private key), since $g_{i}^{-1}(y_{i})=x_{i}$ .

Signature generation

Generating a ring signature involves six steps. The plaintext is signified by $m$ , the ring's public keys by $P_{1},P_{2},\dots ,P_{n}$ .

Calculate the key $k={\mathcal {H}}(m)$ , using a cryptographic hash function. This step assumes a random oracle for ${\mathcal {H}}$ , since $k$ will be used as key for $E_{k}$ .
Pick a random glue value $v$ .
Pick random $x_{i}$ for all ring members but yourself ( $x_{s}$ will be calculated using the signer's private key), and calculate corresponding $y_{i}=g_{i}(x_{i})$ .
Solve the ring equation for $y_{s}$
Calculate $x_{s}$ using the signer's private key: $x_{s}=g_{s}^{-1}(y_{s})$
The ring signature now is the $(2n+1)$ -tuple $(P_{1},P_{2},\dots ,P_{n};v;x_{1},x_{2},\dots ,x_{n})$

Signature verification

Signature verification involves three steps.

Apply the public key trap door on all $x_{i}$ : $y_{i}=g_{i}(x_{i})$ .
Calculate the symmetric key $k={\mathcal {H}}(m)$ .
Verify that the ring equation holds $C_{k,v}(y_{1},y_{2},\dots ,y_{n})=v$ .

Python implementation

Here is a Python implementation of the original paper using RSA. Requires 3rd-party module PyCryptodome.

importosimporthashlibimportrandomimportCrypto.PublicKey.RSAimportfunctoolsclassRing:"""RSA implementation."""def__init__(self,k,L:int=1024)->None:self.k=kself.l=Lself.n=len(k)self.q=1<<(L-1)defsign_message(self,m:str,z:int):self._permut(m)s=[None]*self.nu=random.randint(0,self.q)c=v=self._E(u)first_range=list(range(z+1,self.n))second_range=list(range(z))whole_range=first_range+second_rangeforiinwhole_range:s[i]=random.randint(0,self.q)e=self._g(s[i],self.k[i].e,self.k[i].n)v=self._E(v^e)if(i+1)%self.n==0:c=vs[z]=self._g(v^u,self.k[z].d,self.k[z].n)return[c]+sdefverify_message(self,m:str,X)->bool:self._permut(m)def_f(i):returnself._g(X[i+1],self.k[i].e,self.k[i].n)y=map(_f,range(len(X)-1))y=list(y)def_g(x,i):returnself._E(x^y[i])r=functools.reduce(_g,range(self.n),X[0])returnr==X[0]def_permut(self,m):msg=m.encode("utf-8")self.p=int(hashlib.sha1(msg).hexdigest(),16)def_E(self,x):msg=f"{x}{self.p}".encode("utf-8")returnint(hashlib.sha1(msg).hexdigest(),16)def_g(self,x,e,n):q,r=divmod(x,n)if((q+1)*n)<=((1<<self.l)-1):result=q*n+pow(r,e,n)else:result=xreturnresult

To sign and verify 2 messages in a ring of 4 users:

size=4msg1,msg2="hello","world!"def_rn(_):returnCrypto.PublicKey.RSA.generate(1024,os.urandom)key=map(_rn,range(size))key=list(key)r=Ring(key)foriinrange(size):signature_1=r.sign_message(msg1,i)signature_2=r.sign_message(msg2,i)assertr.verify_message(msg1,signature_1)andr.verify_message(msg2,signature_2)andnotr.verify_message(msg1,signature_2)

Cryptocurrencies

Monero and several other cryptocurrencies use this technology.^{[ citation needed ]}

Related Research Articles

The Digital Signature Algorithm (DSA) is a public-key cryptosystem and Federal Information Processing Standard for digital signatures, based on the mathematical concept of modular exponentiation and the discrete logarithm problem. DSA is a variant of the Schnorr and ElGamal signature schemes.

A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature on a message gives a recipient confidence that the message came from a sender known to the recipient.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, the Elliptic Curve Digital Signature Algorithm (ECDSA) offers a variant of the Digital Signature Algorithm (DSA) which uses elliptic-curve cryptography.

In cryptography, a Schnorr signature is a digital signature produced by the Schnorr signature algorithm that was described by Claus Schnorr. It is a digital signature scheme known for its simplicity, among the first whose security is based on the intractability of certain discrete logarithm problems. It is efficient and generates short signatures. It was covered by U.S. patent 4,995,082 which expired in February 2010.

An undeniable signature is a digital signature scheme which allows the signer to be selective to whom they allow to verify signatures. The scheme adds explicit signature repudiation, preventing a signer later refusing to verify a signature by omission; a situation that would devalue the signature in the eyes of the verifier. It was invented by David Chaum and Hans van Antwerpen in 1989.

KCDSA is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over $, but an elliptic curve variant (EC-KCDSA) is also specified.$

The ElGamal signature scheme is a digital signature scheme which is based on the difficulty of computing discrete logarithms. It was described by Taher Elgamal in 1985.

In cryptography, a Lamport signature or Lamport one-time signature scheme is a method for constructing a digital signature. Lamport signatures can be built from any cryptographically secure one-way function; usually a cryptographic hash function is used.

In cryptography, the Rabin signature algorithm is a method of digital signature originally proposed by Michael O. Rabin in 1978.

A BLS digital signature—also known as Boneh–Lynn–Shacham (BLS)—is a cryptographic signature scheme which allows a user to verify that a signer is authentic.

In cryptography, the unbalanced oil and vinegar (UOV) scheme is a modified version of the oil and vinegar scheme designed by J. Patarin. Both are digital signature protocols. They are forms of multivariate cryptography. The security of this signature scheme is based on an NP-hard mathematical problem. To create and validate signatures, a minimal quadratic equation system must be solved. Solving $m$ equations with $n$ variables is NP-hard. While the problem is easy if $m$ is either much much larger or much much smaller than $n$ , importantly for cryptographic purposes, the problem is thought to be difficult in the average case when $m$ and $n$ are nearly equal, even when using a quantum computer. Multiple signature schemes have been devised based on multivariate equations with the goal of achieving quantum resistance.

In hash-based cryptography, the Merkle signature scheme is a digital signature scheme based on Merkle trees and one-time signatures such as the Lamport signature scheme. It was developed by Ralph Merkle in the late 1970s and is an alternative to traditional digital signatures such as the Digital Signature Algorithm or RSA. NIST has approved specific variants of the Merkle signature scheme in 2020.

In cryptography, subliminal channels are covert channels that can be used to communicate secretly in normal looking communication over an insecure channel. Subliminal channels in digital signature crypto systems were found in 1984 by Gustavus Simmons.

In cryptography, Very Smooth Hash (VSH) is a provably secure cryptographic hash function invented in 2005 by Scott Contini, Arjen Lenstra and Ron Steinfeld. Provably secure means that finding collisions is as difficult as some known hard mathematical problem. Unlike other provably secure collision-resistant hashes, VSH is efficient and usable in practice. Asymptotically, it only requires a single multiplication per log(n) message-bits and uses RSA-type arithmetic. Therefore, VSH can be useful in embedded environments where code space is limited.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Coppersmith's attack describes a class of cryptographic attacks on the public-key cryptosystem RSA based on the Coppersmith method. Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent e is small or when partial knowledge of a prime factor of the secret key is available.

ACE is the collection of units, implementing both a public key encryption scheme and a digital signature scheme. Corresponding names for these schemes — «ACE Encrypt» and «ACE Sign». Schemes are based on Cramer-Shoup public key encryption scheme and Cramer-Shoup signature scheme. Introduced variants of these schemes are intended to achieve a good balance between performance and security of the whole encryption system.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

References

This article incorporates text available under the CC BY-SA 4.0 license.

↑ Rivest, Ronald L.; Shamir, Adi; Tauman, Yael (2001). "How to Leak a Secret". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. 2248. pp. 552–565. doi:10.1007/3-540-45682-1_32. ISBN 978-3-540-42987-6.
↑ Debnath, Ashmita; Singaravelu, Pradheepkumar; Verma, Shekhar (19 December 2012). "Efficient spatial privacy preserving scheme for sensor network". Central European Journal of Engineering. 3 (1): 1–10. doi: 10.2478/s13531-012-0048-7 . S2CID 137248994.
↑ E. Bresson; J. Stern; M. Szyd lo (2002). "Threshold Ring Signatures and Applications to Ad-hoc Groups" (PDF). Advances in Cryptology — CRYPTO 2002. Lecture Notes in Computer Science. Vol. 2442. pp. 465–480. doi: 10.1007/3-540-45708-9_30 . ISBN 978-3-540-44050-5.
↑ Liu, Joseph K.; Wong, Duncan S. (2005). "Linkable Ring Signatures: Security Models and New Schemes". Computational Science and Its Applications – ICCSA 2005. Lecture Notes in Computer Science. Vol. 2. pp. 614–623. doi:10.1007/11424826_65. ISBN 978-3-540-25861-2.{{cite book}}: |journal= ignored (help)
1 2 Fujisaki, Eiichiro; Suzuki, Koutarou (2007). "Traceable Ring Signature". Public Key Cryptography: 181–200.
↑ Fujisaki, Eiichiro (2011). "Sub-linear size traceable ring signatures without random oracles". IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. 95 (1): 393–415. Bibcode:2012IEITF..95..151F. doi:10.1587/transfun.E95.A.151.
↑ Au, Man Ho; Liu, Joseph K.; Susilo, Willy; Yuen, Tsz Hon (2006). "Constant-Size ID-Based Linkable and Revocable-iff-Linked Ring Signature". Progress in Cryptology - INDOCRYPT 2006. Lecture Notes in Computer Science. Vol. 4329. pp. 364–378. doi:10.1007/11941378_26. ISBN 978-3-540-49767-7.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Rivest, Ronald L.; Shamir, Adi; Tauman, Yael (2001). "How to Leak a Secret". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. 2248. pp. 552–565. doi:10.1007/3-540-45682-1_32. ISBN 978-3-540-42987-6.

[2] Debnath, Ashmita; Singaravelu, Pradheepkumar; Verma, Shekhar (19 December 2012). "Efficient spatial privacy preserving scheme for sensor network". Central European Journal of Engineering. 3 (1): 1–10. doi: 10.2478/s13531-012-0048-7 . S2CID 137248994.

[3] E. Bresson; J. Stern; M. Szyd lo (2002). "Threshold Ring Signatures and Applications to Ad-hoc Groups" (PDF). Advances in Cryptology — CRYPTO 2002. Lecture Notes in Computer Science. Vol. 2442. pp. 465–480. doi: 10.1007/3-540-45708-9_30 . ISBN 978-3-540-44050-5.

[4] Liu, Joseph K.; Wong, Duncan S. (2005). "Linkable Ring Signatures: Security Models and New Schemes". Computational Science and Its Applications – ICCSA 2005. Lecture Notes in Computer Science. Vol. 2. pp. 614–623. doi:10.1007/11424826_65. ISBN 978-3-540-25861-2.{{cite book}}: |journal= ignored (help)

[FS07-5] 1 2 Fujisaki, Eiichiro; Suzuki, Koutarou (2007). "Traceable Ring Signature". Public Key Cryptography: 181–200.

[6] Fujisaki, Eiichiro (2011). "Sub-linear size traceable ring signatures without random oracles". IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. 95 (1): 393–415. Bibcode:2012IEITF..95..151F. doi:10.1587/transfun.E95.A.151.

[7] Au, Man Ho; Liu, Joseph K.; Susilo, Willy; Yuen, Tsz Hon (2006). "Constant-Size ID-Based Linkable and Revocable-iff-Linked Ring Signature". Progress in Cryptology - INDOCRYPT 2006. Lecture Notes in Computer Science. Vol. 4329. pp. 364–378. doi:10.1007/11941378_26. ISBN 978-3-540-49767-7.

[1]

[2]

[3]

[4]

[5]

[6]

[7]