Verifiable Ring Signature Jiqiang LV and Xinmei WANG National Key Lab. of ISN, Xidian University Xi’an, Shaanxi Province 710071,China Lvjiqiang AT hotmail.com, xmwang AT xidian.edu.cn
Abstract: We introduce a verifiable ring signature that not only has all the properties of a ring signature, but also the following property: if the actual signer is willing to prove to the verifier that he actually signs the signature, then the verifier can correctly determine whether he is the actual signer among the possible signers. Keywords: Public-key cryptography, Digital signature, Ring signature
1
Introduction
Ring signature is introduced by Rivest et al. in [1], which has the following properties: the verifier can’t tell which member of a set of possible signers actually produced the signature; Unlike group signature introduced in [2], ring signature has no group managers, no setup procedures and no cooperation, that is, any user can sign on behalf of any set to which he belongs, and he can choose a new set to each message without getting the content or assistance of the other members. Recently, some research has been done on ring signature [3,4,5,6] . [3] proposes an ID-based ring signature , [4] extends the ring signature in [1] to a threshold scheme and [5] considers a ring authentication scheme that accepts variety of public-keys and a threshold of signers. In addition to the properties of ring signature described above, it could be useful if there were some secret information, though which the signer could prove that it is he who signs the signature if he was willing to do so later. We will call such signatures verifiable ring signatures. A verifiable ring signature can be used in some situations, such as when the police want to arrest a criminal but don’t know some clues about him, so they promise to prize the person who provides the most important clue after the criminal is arrested. A person may provide the police with something, but he is not certain that his message is the most important one during the process. So he can first sign the message anonymously and later he can prove to the police that it is he who provide the important clue after the message is announced to be the most important one. The paper is organized as following: In section 2, we introduce some related knowledge that will be used in our scheme; In section 3, we present our verifiable ring signature; In section 4, we give a simple cryptanalysis of our scheme. The final section of the paper is a conclusion. _______________________________________ P
P
This paper is published in CANS’03 --- Third International Workshop on Cryptology and Network Security, DMS Proceedings, pp. 663-665, U.S.A, September 2003
2
Related Works Witness Indistinguishable Signatures [7]
2.1
P
Let p i , qi be large primes, g i be a base point of GF ( pi ) whose order is qi . Let xi , yi be yi g i
xi
mod pi . Here xi is the private key and ( yi pi , qi , g i ) is
the public key. Let L be a set of ( yi pi , qi , g i ) for i 0,1, , n 1 . Let h : 0,1 0,1l be a publicly available hash function, where l is larger than the
largest qi . A signer who owns private key x s generates a signature for message M with public key list L that includes his own public key, in the following way. Simulation
step:For
i 0,1, , n 1, i s ,
select
si , ci from
GF (qi )
and
compute z i g i si yi ci mod p i ; Real
proof step:Select rs from GF (q s ) and computes
z s g s s mod p s r
c h( L, M , z 0 , , z n 1 ) c s c (c0 c s 1 c s 1 c n1 )
: bitwise XOR
s s rs cs xs mod q s . The resulting signature is c0 , s 0 , , c n1 , s n 1 . A ( L, M , ) is valid if
c0 c n1 H ( L, M , g 0 s0 y 0 c0 mod p 0 ,, g n 1 sn 1 y n 1cn1 mod p n1 ) . 2.2
RSA-Based Ring Signatures [1] P
Let f i : 0,1l 0,1l be a trapdoor one-way permutation where its inverse, f i 1 , can be computed only if the trapdoor information is known. Let E, D be a symmetric-key encryption and decryption function whose message space is 0,1l . Let h be a hash function whose output domain matches to the key-space of E, D .
1
Given f 0 , , f n1 , the signer who can compute f s generates a signature, for message M in the following way, Initialization:Randomly selects c0 from 0,1l and computes rn1 Dk (c0 ) where k h(M ) ;
Forward sequence:For i 0, , s 1 , randomly selects
si from
0,1l
and
computes ci 1 E k (ci f i ( si )) ; Backword sequence:For i n 1, , s 1 , randomly selects si from 0,1l and computes ri 1 Dk (ri f i ( si )) ; ring:Computes s s f s1 (c s rs ) .
Shaping into a
The resulting signature is c0 , s 0 , s1 , , s n 1 . A signature
is
valid if
cn c0 holds
after
computing
k h(M ) and
ci 1 E k (ci f i ( si )) for i 0, , n 1 .
During the above scheme, Rivest et al. define a family of keyed combining functions C k ,v ( y1 , y 2 , , y r ) , which is still very useful in our scheme. Every keyed combining function C k ,v ( y1 , y 2 , , y r ) takes as input a key k , an initialization value v , and arbitrary values y1 , y 2 , , y r in 0,1b . Each such combining function uses Ek as a sub-procedure, and produces as output a value z in 0,1b , such that given any fixed values for k and v . Each such combining function has the following four proprieties, 1.
Permutation on each input: For each s , 1 s r , and for any fixed values of all the other inputs yi , i s , the function C k ,v ( y1 , y 2 , , y r ) is a one-toone mapping from y s to the output z .
2.
Efficiently solvable for any single input: For each s , 1 s r , given a b -bit
value z and values for all inputs yi except y s , it is possible to
efficiently find a b -bit value for y s such that
C k ,v ( y1 , y 2 , , y r ) z .
3.
Infeasible to solve verification equation for all inputs without trapdoors: Given k, v and z , it is infeasible for an adversary to solve the equation C k ,v ( g1 ( x1 ), g 2 ( x 2 ), , g r ( x r )) z for x1 , x 2 , x r if the adversary can’t
invert any of the trap-door functions g 1 , g 2 , , g r .
3
Our Verifiable Ring Signature Before proceeding, we assume the existence of a publicly defined symmetric
encryption algorithm E such that for any key k of length l , the function Ek is a permutation over b -bit strings. And we also assume the existence of a publicly defined collision-resistant hash function h that maps arbitrary inputs to strings of length l , which are used as keys for E . 3.1
Key Generation Each ring member, such as the i -th member Ai of the ring members does the
following, Let p i be a prime such that it is hard to compute discrete logarithms in GF ( pi ) , qi be a prime divisor of pi 1 , o i be a large prime devisor of qi 1 , g i be a base
point of GF ( pi ) whose order is qi ; The private key of Ai is x Ai that meets
x Ai qi
and
y Ai g i x Ai mod
3.2
the
corresponding
public-key
is
( y A pi , qi , g i ) i
where
pi .
DL-Based Trapdoor Functions
The trap-door function g i ( , ) is defined as gi (, ) y Ai gi mod pi ,
its inverse function g i 1 ( y ) is defined as g i 1 ( y ) ( , ) , where K
y g i K gi mod pi ,
(1)
mod qi ,
(2)
x Ai K g i K mod qi ,
(3)
K is an random integer that meets K oi .
3.3
Signature Generation
Step 1.First, the signer, As , computes the symmetric key k as the hash of the message M to be signed: k h(M ) ; Step 2.Second, the signer, As , picks an initialization value v uniformly at random from 0,1b ; Step 3.Third, the signer, As , picks random i , i , for all the other ring members (1 i r , i s ) uniformly and independently, and computes yi g i ( i , i ) ;
Step 4.Fourth, the signer, As , solves the following equation for y s :
C k ,v ( y1 , y 2 ,, y r ) v . Step 5.Fifth, the signer, As , uses his knowledge of his trap-door function in order to invert g s 1 ( y ) on ys to obtain ( s , s ) g s 1 ( y s ) , First, chooses a random integer K ( q ) , computes s by equation 1, and keeps K secret; Second, computes s by equation 2; Finally, computes s by equation 3. Step 6.The signature on the message M is
A1 , A2 , , Ar ; v; ( 1 , 1 ), ( 2 , 2 ), , ( s , s ) . 3.4
Signature Verification
Step 1.First, the verifier for i 1,2, , r , computes yi g i ( i , i ) ; Step 2.Second, the verifier hashes the message M to compute the encryption key k : k h (M ) ;
Step 3.Finally, the verifier checks that the yi ’s satisfy the fundamental equation: C k ,v ( y1 , y 2 , , y r ) v .
If the above equation holds, the verifier accepts the signature as valid. Reject otherwise. 3.5
Signer Verification If the actual signer, As , is willing to prove to the verifier that he actually signs
the signature, then he does the following, Step 1.First, the signer , As ,sends secretly the secret integer g sK to the verifier; Step 2.Second, the verifier checks that if the g sK satisfies the equation:
y g
s y gs K If s
gsK
K K gs
s
mod p s . mod p s , the verifier accepts that As is the real signer.
Reject otherwise.
4
Cryptanalysis of the Scheme First, the adversary can randomly choose an integer s , 1 s r , and a b -bit value
v ,and then he can chooses all the ( i , i ) except ( s , s ) . By the definition of trap-door functions, he can computes all the yi except y s according to i , i ; Then he can computes y s from C k ,v ( y1 , y 2 , , y r ) v ; But because he doesn’t know the secret keys
x A s , so he will face the DL problem when he
solves s , s from y s . However, he can guess a pair s ' , s ' , but the probability of success is
qs 1 . Because p s is a large prime, the probability is negligible. ps qs ps
The adversary can always obtain y s and ( s , s ) , but when he wants to solve the secret keys
x A s from y s and ( s , s ) , he must again face the DL problem of
solving K g s K from g s
K g s K
.
As for the security of Signer Verification, it is obviously a DL problem if a person wants to fake the actual signer. Though the verifier could get the g sK in the process of signer verification, he couldn’t get the secret keys x A s , for he can’t get
K g s K from g sK .
It should be stressed that the signer, As , should choose different random K every time when he signs. Otherwise, if the verifier receives two same g sK form two signatures signed by As , he can get the following two equations:
K gs K gs
K
K
x As mod q s
x As mod q s
.
Then, the verifier can solve out As ’s private key
x As .
From above, our proposed ring signature satisfies: Signer-ambiguity that it is infeasible to identify who among the possible signers generates a signature; Unforgeability that the signature can only be produced by one of the ring members; Verifiability that the verifier can be convinced who is the real signer if the signer wants to reveal himself.
5
Conclusions
We propose a verifiable ring signature which has not only all the properties of a ring signature, but the property that the verifier can correctly determine who among the possible signers actually signs the signature if the signer is willing to reveal that it is he who signs the signature. Acknowledgment: This work was supported by National 973 Project Foundation of China (G1999035804). References: [1] Ronald L.Rivest, Adi Shamir and Yael Tauman. How to Leak a Secret. Advances in Cryptology- ASIACRYPT 2001, LNCS 2248. pp.257-265. Springer- Verlag,2001. [2] David Chaum and Eugene Van Heyst. Group Signatures. Advances in CryptologyEurocrypt’91, LNCS 547, pp.257-265. Springer-Verlag,1991. [3] Fangguo Zhang and Kwangjo Kim. ID-Based Blind Signature and Ring Signature from Pairings. Advances in Cryptology- ASIACRYPT 2002, LNCS 2501. pp.533-547. Springer- Verlag,2002. [4] E.Bresson, J.Stern and M.Szydlo. Threhold ring signature and application to ad-hoc groups. CRYPTO2002, LNCS 2442,pp.465-480. Springer-Verlag, 2002. [5] M.Naor. Deniable Ring Authentication. CRYPTO2002, LNCS 2442,pp.481-498. Springer- Verlag,2002. [6] Masayuki Abe,Miyako Ohkubo and Koutarou Suzuki. 1-out-of-n Signatures from a Variety of Keys. Advances in Cryptology- ASIACRYPT 2002, LNCS 2501. pp.397-414. Springer- Verlag,2002. [7] R.Cramer, I.Damgard and B. Schoenmakers. Proofs of partial knowledge and simplified
design of witness hiding protocols. CRYPTO’94, LNCS 839,pp.174-187. SpringerVerlag,1994.