A Ring Signature Scheme Using

Bilinear Pairings
Jing Xu, Zhenfeng Zhang, Dengguo Feng
State Key Laboratory of Information Security,
Institute of Software, Chinese Academy of Sciences
August 19, 2004
Introduction
In this paper, we propose a ring signature scheme based on the
bilinear pairings, which is secure against chosen message attack
without random oracles.
Based on this ring signature scheme, a concurrent signature
scheme for fair exchange of signatures is constructed.
1
Ring Signature
Ring signature: an entity signs a message on behalf of a set of
members that includes himself.
The verier is convinced that it was produced by some member
of the ring, but he does not obtain any information about which
member of the ring actually signed.
The real signer can include the identities of the members of
the ring that he chooses, and probably without their consent.
2
Dierent from Group Signature:
The idea behind group signature schemes is very similar to that
of ring signatures, but with some variations.
A group manager in charge of the join and revocation of the
members. Therefore, a user cannot modify the composition of
the group.
Group manager can recover the real identity of the signer of a
message, in the case of a legal dispute.
3
Brief History:
In 2001, Rivest, Shamir and Tauman formalize the notion of
ring signature, and propose a scheme based on RSA, secure in
the ideal cipher model, random oracle model (a modication).
Abe, Ohkubo and Suzuki give general constructions for a va-
riety of scenarios, including those based on one-way functions,
and those are of the three-move-type.
Dodis, et al propose a constant-size ring signatures using the
Fiat-Shamir transform (doesnt rely on the size of the ring).
4
The Bilinear Pairing
Let (G, +) and (V, ) be groups with prime order q, P be a gen-
erator of G. Let e : GG V be a pairing satisfying:
1. Bilinearity: P, Q, R G, e(P + Q, R) = e(P, R)e(Q, R) and
e(P, Q+R) = e(P, Q)e(P, R). In particular, for any a, b Z
q
,
e(aP, bP) = e(P, P)
ab
= e(P, abP) = e(abP, P).
2. Non-degeneracy: There exists P, Q G, such that e(P, Q) = 1.
3. Computability: e(P, Q) can be computed eciently.
5
The q-SDH Problem
In Eurocrypt04, Boneh and Boyen proposed a new complexity
assumption called the Strong Die-Hellman assumption. Us-
ing this assumption, short signature, and secure identity based
encryption without random oracles have been proposed.
The q-Strong Die-Hellman Problem. The q-SDH problem
in G is dened as follows: given a (q+1)-tuple (P, xP, x
2
P, , x
q
P)
as input, output a pair
_
c,
1
(x+c)
P
_
where c Z
p
. An algorithm
6
A has advantage in solving q-SDH in G if
Pr
_
A(P, xP, x
2
P, , x
q
P) =
_
c,
1
(x +c)
P
__
> .
where the probability is over the random choice of generator
P G,, the random choice of x Z
p
, and the random bits
consumed by A.
The (q, t, )-SDH assumption says that, no t-time algorithm has
advantage at least in solving the q-SDH problem in G.
Ring Signature Algorithms
Ring-sign: A user A
t
(1 t n) wants to compute a ring signa-
ture on behalf of a ring A
1
, A
2
, , A
n
. A probabilistic algorithm
Input: a message m, the public keys pk
1
, pk
2
, , pk
n
of the ring
and his secret key sk
t
.
Output: a ring signature for the message m.
Ring-verify: A deterministic algorithm, takes as input a m, ,
the public keys of all the members, and outputs accept or reject.
7
Properties of a Ring Signature
Correctness: A correct ring-signature must be accepted by any
verier with overwhelming probability.
Anonymity: Any verier should not have probability 1/n to
guess the identity of the real signer, (1/(n 1) for insiders).
Unforgeability: Any attacker must not have non-negligible prob-
ability of success in forging a valid ring signature for some mes-
sage m on behalf of a ring that does not contain himself.
8
The Proposed Ring Signature Scheme
Let (G, +) and (G, ) be groups of prime order q, e : GG V
be a bilinear map, P be a generator of G.
Key Generation. For a particular user, pick x
s
, y
s
Z

p
at ran-
dom, and compute u
s
= x
s
P, v
s
= y
s
P.
The users public key is (u
s
, v
s
). The corresponding secret key is
(x
s
, y
s
).
9
Ring Signing. Given public keys (u
1
, v
1
), (u
2
, v
2
), , (u
n
, v
n
),
a message m Z

p
, and a private key (x
s
, y
s
) corresponding to
(u
s
, v
s
) for some s, choose r Z

p
and a
i
Z

p
(1 i n) at
random. Compute
i
= a
i
P for all i = s, and

s
=
1
m+x
s
+y
s
r
_
P

i=s
a
i
(mP +u
i
+rv
i
)
_
.
Output the ring signature
= (
1
,
2
, ,
n
, r).
10
Ring Verication. Given public keys (u
1
, v
1
), (u
2
, v
2
), ,
(u
n
, v
n
), a message m Z

p
, and a ring signature = (
1
,
2
, ,
n
, r),
verify that
n

i=1
e(mP +u
i
+rv
i
,
i
) = e(P, P). (1)
11
Analysis of the Proposed Scheme
Correctness. The correctness of this scheme follows from.
e(mP +u
s
+rv
s
,
s
)
=
_
mP +u
s
+r
s
v
s
,
1
m+x
s
+y
s
r
_
P

i=s
a
i
(mP +u
i
+rv
i
)
__
= e
_
P, P

i=s
a
i
(mP +u
i
+rv
i
)
_
= e(P, P)

i=s
e(P, a
i
(mP +u
i
+rv
i
))
1
.
12
Anonymity. The identity of the signer is unconditionally pro-
tected: For any algorithm A , any set of users U, and a random
u U, the probability Pr[A() = u] is at most
1
|U|
, where is
any ring signature on U generated with private key SK
u
.
For n = 1, our ring signature is actually the short signature
scheme proposed by Boneh and Boyen.
13
Security-continued
The above signature are based on short signature without ran-
dom oracles, and the idea come from Boneh and Gentrys ring
signature (based on BLS short signature, secure in the random
oracles).
However, it is nontrivial to prove its security without random
oracles. The diculty lies in: The
i
s cannot be aggregated as
e(
i
, mP +u
i
) = e(

, (m+x)P).
14
An variant without random oracles
Key Generation. For a particular user, pick x
s
, y
s
, z
s
Z

p
at
random, and compute u
s
= x
s
P, v
s
= y
s
P, w
s
= z
s
P. The
users public key is (u
s
, v
s
, w
s
). The corresponding secret key is
(x
s
, y
s
, z
s
).
15
Ring Signing. Given public keys (u
1
, v
1
, w
1
), , (u
n
, v
n
, w
n
), a
message m Z

p
, and a private key (x
s
, y
s
, z
s
), choose r
R
Z

p
and a
i
Z

p
(1 i n). Compute
i
= a
i
P for all i = s, and

s
=
1
mx
s
+y
s
+z
s
r
_
P

i=s
a
i
(mu
i
+v
i
+rw
i
)
_
.
Output the ring signature = (
1
,
2
, ,
n
, r). The corre-
sponding verication equation is
n

i=1
e(mu
i
+v
i
+rw
i
,
i
) = e(P, P). (2)
16
Sketch of a proof: As the proof in [BB04], we rst consider a
weak ring signature, in which the adversary submit all signature
queries before seeing the public key. The weak ring signature is

s
=
1
mx
s
+y
s
_
P

i=s
a
i
(mu
i
+v
i
)
_
,
i
= a
i
P(i = s).
which will be veried as
n

i=1
e(mu
i
+v
i
,
i
) = e(P, P).
If one can forge a valid weak ring signature, then q-SDH problem
is solvable.
17
Given a tuple (P, xP, x
2
P, , x
q
P), let f(y) =

n
i=1
(y +m
i
), and
P

= f(x)P, u
i
= t
i
f(x)P = t
i
P

, v
i
= t
i
xf(x)P = t
i
xP

.
As for a ring signature query on m
k
, the simulator computes

s
=
1
t
i
_
f(x)
x +m
k
P

j=s
a
j
t
j
P

_
=
1
m
k
t
i
+t
i
x
_
P

j=s
a
j
(m
k
u
j
+v
j
)
_
and
i
= a
i
P

for i = s. It is easy to see that they satises

n

i=1
e(m
k
u
i
+v
i
,
i
) = e(P

, P

).
If an adversary can forge a weak ring signature

= (

1
,

2
, ,

n
)
on a message m

, then we have
n

i=1
e(m

u
i
+v
i
,
i
) =
n

i=1
e
_
m

+xP

,
t
i
i
_
=
_
n

i=1

t
i
i
, (m

+x)P

_
= e(P

, P

).
Thus we can deduce
n

i=1

t
i
i
=
1
m

+x
P

=
f(x)
m

+x
P,
from which one can successfully compute
1
m

+x
P. Thus
_
m

,
1
m

+x
P
_
is a solution of q-SDH problem.
Then by the similar method as that of [BB04], one can show
that, the security of the ring signature can be reduced to the
weak form.
A concurrent signature can be constructed based on the above
ring signature.
Any Question ?
18