Abstract
We consider threshold ring signatures (introduced by Bresson et al. [BSS02]), where any \(t \) signers can sign a message while anonymizing themselves within a larger (size-\(n \)) group. The signature proves that \(t \) members of the group signed, without revealing anything else about their identities.
Our contributions in this paper are two-fold. First, we strengthen existing definitions of threshold ring signatures in a natural way; we demand that a signer cannot be de-anonymized even by their fellow signers. This is crucial, since in applications where a signer’s anonymity is important, we do not want that anonymity to be compromised by a single insider. Our definitions demand non-interactive signing, which is important for anonymity, since truly anonymous interaction is difficult or impossible in many scenarios.
Second, we give the first rigorous construction of a threshold ring signature with size independent of \(n \), the number of users in the larger group. Instead, our signatures have size linear in \(t \), the number of signers. This is also a very important contribution; signers should not have to choose between achieving their desired degree of anonymity (possibly very large \(n \)) and their need for communication efficiency.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
List signatures [CSST06] are a related primitive. Like group signatures, list signatures require a group manager to set up the keys and parameters. However, in a list signature scheme, signers may only sign a certain amount of times before their anonymity is revoked.
- 2.
A similar approach to building a threshold ring signature scheme was mentioned by Yuen et al. [YLA+13] where they would instead use a traceable ring signature scheme [FS06]; however, it was not formalized or proven. As far as we can tell, the definition of security they use for a traceable ring signature scheme does not seem to allow such a proof.
- 3.
We could instead use a bilinear map accumulator [CKS09]; however, the use of such an accumulator would require an a-priori upper bound on the ring size.
- 4.
Our use of NIZK proofs requires the presence of a common reference string (CRS). At first glance, since a CRS is a form of setup, this might seem to make our construction a group signature scheme instead of a ring signature scheme. However, there is a qualitative difference between a CRS (which is a global and reusable trusted setup) and a per-user trusted setup (in group signatures, parties’ secret keys need to be distributed by a trusted party). In particular, once the CRS is generated in a trusted way (perhaps using an MPC ceremony), the parties in our system can generate their own keys independently.
- 5.
Even the most basic public-key type operation, a scalar multiplication in an elliptic curve, requires billions of gates [JLE17] when represented by a circuit. This needs to be multiplied by a function of n for any existing threshold ring signature, or t for our construction. While this is the state of the art, we cannot of course rule out that more efficient constructions might emerge in the future, and this could be an interesting venue for further research.
- 6.
This is by design; in the proof of anonymity, the authors need to create simulated NIWI proofs that are independent of the identities of the signers. They do this by additionally allowing a witness to demonstrate a relationship between two keys in the ring, where this relationship never holds between keys that are honestly generated. If an adversary was able to register maliciously generated keys, she could register two keys that do have this relationship, and use this to forge signatures with arbitrarily high threhsolds, as long as those two corrupt keys are in the ring in question.
- 7.
A similar idea was mentioned by Yuen et al. [YLA+13]; however, it was not formalized or proven. In particular, a stronger linkability property is needed from the underlying traceable ring signature scheme in order for the TRS construction to be secure. Additionally, since Yuen et al. focus on avoiding the random oracle assumption and we do not, we obtain a TRS construction with size \(O(t)\) signatures, while they obtain a TRS construction with size \(O(t \sqrt{n})\) signatures.).
- 8.
The signing set \(\mathcal {S}\) is only mentioned here for the sake of clarity. The set of signers is never leaked to the party who performs the combining of the signatures, as each signature is anonymous and does not leak the individual signers.
- 9.
Recall that the \(\mathsf {link} \) algorithm simply checks equality of two sub-strings in \(\sigma _i,\sigma _j\). Thus the running time of \(\mathsf {verify} \) can be made \(O(t \log (t))\) by sorting these strings and checking for repeated entries.
References
Au, M.H., Chow, S.S.M., Susilo, W., Tsang, P.P.: Short linkable ring signatures revisited. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 101–115. Springer, Heidelberg (2006). https://doi.org/10.1007/11774716_9
Benaloh, J., de Mare, M.: One-way accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_24
Bresson, E., Stern, J., Szydlo, M.: Threshold ring signatures and applications to ad-hoc groups. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 465–480. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_30
Chen, J., Hu, Y., Gao, W., Liang, H.: Lattice-based threshold ring signature with message block sharing. KSII Trans. Internet Inf. Syst. 13, 1003–1019 (2018)
Camenisch, J., Kohlweiss, M., Soriente, C.: An accumulator based on bilinear maps and efficient revocation for anonymous credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_27
Canard, S., Schoenmakers, B., Stam, M., Traoré, J.: List signature schemes. Discrete Appl. Math. 154(2), 189–201 (2006). Coding and Cryptography
Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991). https://doi.org/10.1007/3-540-46416-6_22
Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in Ad hoc groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_36
Fujisaki, E., Suzuki, K.: Traceable ring signature. Cryptology ePrint Archive, Report 2006/389 (2006). https://eprint.iacr.org/2006/389
Franklin, M., Zhang, H.: A framework for unique ring signatures. Cryptology ePrint Archive, Report 2012/577 (2012). https://eprint.iacr.org/2012/577
Franklin, M., Zhang, H.: Unique ring signatures: a practical construction. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 162–170. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_13
Haque, A., Krenn, S., Slamanig, D., Striecks, C.: Logarithmic-size (linkable) threshold ring signatures in the plain model. Cryptology ePrint Archive, Report 2020/683 (2020). https://eprint.iacr.org/2020/683
Haque, A., Scafuro, A.: Threshold ring signatures: new definitions and post-quantum security. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds.) PKC 2020. LNCS, vol. 12111, pp. 423–452. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45388-6_15
Jayaraman, B., Li, H., Evans, D.: Decentralized certificate authorities. CoRR, abs/1706.03370 (2017)
Liu, J.K.: Ring signature. In: Li, K.-C., Chen, X., Susilo, W. (eds.) Advances in Cyber Security: Principles, Techniques, and Applications, pp. 93–114. Springer, Singapore (2019). https://doi.org/10.1007/978-981-13-1483-4_5
Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
Munch-Hansen, A.: Stronger notions and a more efficient construction of threshold ring signatures, 06 2020
Munch-Hansen, A., Orlandi, C., Yakoubov, S.: Stronger notions and a more efficient construction of threshold ring signatures. Cryptology ePrint Archive, Report 2020/678 (2020). https://eprint.iacr.org/2020/678
Okamoto, T., Tso, R., Yamaguchi, M., Okamoto, E.: A k-out-of-n ring signature with flexible participation for signers. IACR Cryptol. ePrint Arch. 2018, 728 (2018)
Petzoldt, A., Bulygin, S., Buchmann, J.: A multivariate based threshold ring signature scheme. Cryptology ePrint Archive, Report 2012/194 (2012). https://eprint.iacr.org/2012/194
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_32
Tsang, P.P., Wei, V.K.: Short linkable ring signatures for e-voting, e-cash and attestation. In: Deng, R.H., Bao, F., Pang, H.H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 48–60. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31979-5_5
Yuen, T.H., Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Threshold ring signature without random oracles, 01 2011
Yuen, T.H., Liu, J.K., Au, M.H., Susilo, W., Zhou, J.: Efficient linkable and/or threshold ring signature without random oracles. Comput. J. 56(4), 407–421 (2013)
Zhou, G., Zeng, P., Yuan, X., Chen, S., Choo, K.-K.: An efficient code-based threshold ring signature scheme with a leader-participant model. Secur. Commun. Netw. (2017)
Acknowledgements
The authors would like to thank the anonymous reviewers for their useful feedback. This research was supported by: the Concordium Blockhain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 669255 (MPCPRO); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 803096 (SPEC) and the Defense Advanced Research Projects Agency (DARPA) under Contract No. HR001120C0085. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Defense Advanced Research Projects Agency (DARPA).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Munch-Hansen, A., Orlandi, C., Yakoubov, S. (2021). Stronger Notions and a More Efficient Construction of Threshold Ring Signatures. In: Longa, P., Ràfols, C. (eds) Progress in Cryptology – LATINCRYPT 2021. LATINCRYPT 2021. Lecture Notes in Computer Science(), vol 12912. Springer, Cham. https://doi.org/10.1007/978-3-030-88238-9_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-88238-9_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-88237-2
Online ISBN: 978-3-030-88238-9
eBook Packages: Computer ScienceComputer Science (R0)