Group Signatures and Accountable Ring Signatures from Isogeny-based Assumptions

Group signatures are an important cryptographic primitive providing both anonymity and accountability to signatures. Accountable ring signatures combine features from both ring signatures and group signatures, and can be directly transformed to group signatures. While there exists extensive work on constructing group signatures from various post-quantum assumptions, there has not been any using isogeny-based assumptions. In this work, we propose the first construction of isogeny-based group signatures, which is a direct result of our isogeny-based accountable ring signature. This is also the first construction of accountable ring signatures based on post-quantum assumptions. Our schemes are based on the decisional CSIDH assumption (D-CSIDH) and are proven secure under the random oracle model (ROM)

Ring Group Signatures

In many applications of group signatures, not only a signer\u27s identity but also which group the signer belongs to is sensitive information regarding signer privacy. In this paper, we study these applications and combine a group signature with a ring signature to create a ring group signature, which specifies a set of possible groups without revealing which member of which group produced the signature. The main contributions of this paper are a formal definition of a ring group signature scheme and its security model, a generic construction and a concrete example of such a scheme. Both the construction and concrete scheme are provably secure if the underlying group signature and ring signature schemes are secure

ID-based Ring Signature and Proxy Ring Signature Schemes from Bilinear Pairings

In 2001, Rivest et al. firstly introduced the concept of ring signatures. A ring signature is a simplified group signature without any manager. It protects the anonymity of a signer. The first scheme proposed by Rivest et al. was based on RSA cryptosystem and certificate based public key setting. The first ring signature scheme based on DLP was proposed by Abe, Ohkubo, and Suzuki. Their scheme is also based on the general certificate-based public key setting too. In 2002, Zhang and Kim proposed a new ID-based ring signature scheme using pairings. Later Lin and Wu proposed a more efficient ID-based ring signature scheme. Both these schemes have some inconsistency in computational aspect. In this paper we propose a new ID-based ring signature scheme and a proxy ring signature scheme. Both the schemes are more efficient than existing one. These schemes also take care of the inconsistencies in above two schemes.Comment: Published with ePrint Archiv

New approaches to privacy preserving signatures

In this thesis we advance the theory and practice of privacy preserving digital signatures. Privacy preserving signatures such as group and ring signatures enable signers to hide in groups of potential signers. We design a cryptographic primitive called signatures with flexible public keys, which allows for modular construction of privacy preserving signatures. Its core is an equivalence relation between verification keys, such that key representatives can be transformed in their class to obscures their origin. The resulting constructions are more efficient than the state of the art, under the same or weaker assumptions. We show an extension of the security model of fully dynamic group signatures, which are those where members may join and leave the group over time. Our contribution here, which is facilitated by the new primitive, is the treatment of membership status as potentially sensitive information. In the theory of ring signatures, we show a construction of ring signatures which is the first in the literature with logarithmic signature size in the size of the ring without any trusted setup or reliance on non-standard assumptions. We show how to extend our techniques to the derived setting of linkable ring signatures, where different signatures of the same origin may be publicly linked. Here, we further revisit the notion of linkable anonymity, offering a significant strengthening compared to previous definitions.Diese Arbeit treibt die Theorie und Praxis der privatsphärewahrenden digitalen Signa- turen voran. Privatsphärewahrende Signaturen, wie Gruppen- oder Ringsignaturen erlauben es Zeichnern sich in einer Gruppe potenzieller Zeichner zu verstecken. Wir entwerfen mit Signatures with Flexible Public Keys einen kryptografischen Baustein zur modularen Konstruktion von privatsphärewahrenden Signaturen. Dessen Kern ist eine Äquivalenzrelation zwischen den Schlüsseln, sodass ein Schlüsselvertreter in seiner Klasse bewegt werden kann, um seinen Ursprung zu verschleiern. Darauf auf- bauende Konstruktionen sind effizienter als der Stand der Technik, unter gleichen oder schwächeren Annahmen. Wir erweitern das Sicherheitsmodell vollständig dynami- scher Gruppensignaturen, die es Mitgliedern erlauben der Gruppe beizutreten oder sie zu verlassen: Durch das neue Primitiv, wird die Behandlung der Mitgliedschaft als potenziell sensibel ermöglicht. In der Theorie der Ringsignaturen geben wir die erste Konstruktion, welche über eine logarithmische Signaturgröße verfügt, ohne auf eine Vorkonfiguration oder unübliche Annahmen vertrauen zu müssen. Wir übertragen unsere Ergebnisse auf das Feld der verknüpfbaren Ringsignaturen, die eine öffentliche Verknüpfung von zeichnergleichen Signaturen ermöglichen. Unsere Neubetrachtung des Begriffs der verknüpfbaren Anonymität führt zu einer signifikanten Stärkung im Vergleich zu früheren Definitionen

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. It is not required for the prover to know openings of the other commitments. The proof system is efficient, in particular in terms of communication requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes and we only assume the users’ secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we only rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma protocol is an efficient proof of membership of a secret committed value belonging to a public list of values

Repudiable Ring Signature: Stronger Security and Logarithmic-Size

Ring signatures allow a person to generate a signature on behalf of an ad hoc group, and can hide the true identity of the signer among the group. Repudiable ring signatures are the more strongly defined ring signatures, which can allow every non-signer to prove to others that the signature was not generated by himself. This paper has two main areas of focus. First, we propose a new requirement for repudiable ring signatures, which is that no one can forge a valid repudiation for others. Second, as a breakthrough, we present the first logarithmic-size repudiable ring signatures which do not rely on a trusted setup or the random oracle model. Specifically, our scheme can be instantiated from standard assumptions and the size of signatures and repudiations only grows logarithmically in the number of ring members. Besides, our scheme also provides a new construction of logarithmic-size standard ring signatures

Ring Signatures: Logarithmic Size, No Setup -- from Standard Assumptions

Ring signatures allow for creating signatures on behalf of an ad hoc group of signers, hiding the true identity of the signer among the group. A natural goal is to construct a ring signature scheme for which the signature size is short in the number of ring members. Moreover, such a construction should not rely on a trusted setup and be proven secure under falsifiable standard assumptions. Despite many years of research this question is still open. In this paper, we present the first construction of logarithmic-size ring signatures which do not rely on a trusted setup or the random oracle heuristic. Specifically, our scheme can be instantiated from standard assumptions and the size of signatures grows only logarithmically in the number of ring members. We also extend our techniques to the setting of linkable ring signatures, where signatures created using the same signing key can be linked

Collusion Resistant Revocable Ring Signatures and Group Signatures from Hard Homogeneous Spaces

Both ring signatures and group signatures are useful privacy tools, allowing signers to hide their identities within a set of other public keys, while allowing their signatures to be validated with respect to the entire set. Group signature schemes and revocable ring signature schemes both provide the additional ability for certain authorized members to revoke the anonymity on a signature and reveal the true signer—allowing management of abuse in the scheme. This work consists of two parts. Firstly, we introduce a stronger security notion—collusion resistance—for revocable ring signatures and show how to derive a group signature scheme from it, which provides a new approach to obtaining group signatures. This improves on the existing weak security model (e.g. with selfless anonymity) which fails to guarantee anonymity of members whose keys are exposed. Our stronger notion requires that the scheme remains secure against full key exposure in the anonymity game, and allows collusion among arbitrary members in the revocability game. Secondly (and more concretely), we construct a practical collusion-resistant revocable ring signature scheme based on hard homogenous spaces (HHS), and thus obtain a group signature scheme based on isogenies. To the best of our knowledge, the schemes given in this work are the first efficient post-quantum (collusion-resistant) revocable ring signature scheme, and the first efficient isogeny-based group signature scheme in the literature