Ring Signatures of Ring Signatures of Sub-linear Size Sub-linear Size

without Random without Random OraclesOracles

Nishanth ChandranNishanth Chandran

Jens GrothJens Groth

Amit SahaiAmit Sahai

University of California Los University of California Los AngelesAngeles

In an anonymous fast-In an anonymous fast-food chainfood chain

WhistleblowingWhistleblowing

Ring signatureRing signature

vk1

vk3

vk2

sk2

signature

PropertiesProperties

Parties with public verification keysParties with public verification keys A ring is any subset of the partiesA ring is any subset of the parties Any party can choose a ring that Any party can choose a ring that

includes herself and make a ring includes herself and make a ring signaturesignature

...without the other parties ...without the other parties cooperating or even being aware of cooperating or even being aware of the ring signature being formedthe ring signature being formed

The ring signature is anonymousThe ring signature is anonymous

Related workRelated work Rivest, Shamir and TaumanRivest, Shamir and Tauman Asiacrypt Asiacrypt

20012001O(N) elements in random oracle modelO(N) elements in random oracle model

Dodis, Kiayias, Nicolosi and ShoupDodis, Kiayias, Nicolosi and Shoup Eurocrypt Eurocrypt 20042004

O(1) elements in random oracle modelO(1) elements in random oracle model Bender, Katz and MorselliBender, Katz and Morselli TCC 2006TCC 2006

Construction without random oraclesConstruction without random oracles Chow, Wei, Liu and YuenChow, Wei, Liu and Yuen ASIACCS 2006ASIACCS 2006

Shacham and WatersShacham and Waters ePrint 2006ePrint 2006O(N) elementsO(N) elements

BoyenBoyen Eurocrypt 2007Eurocrypt 2007O(N) elements, perfect anonymityO(N) elements, perfect anonymity

Our contributionOur contributionO(√N) elements, perfect anonymityO(√N) elements, perfect anonymity

Ring signature Ring signature functionalityfunctionality

Common reference string:

CRSGen(1k) ! ½

Key pair:

Gen(½) ! (vk, sk)

Ring signature for R=(vk1,...,vkN):

Sign½,sk(m, R) ! sig

Verification:

Verify½,R(m, sig) {0,1}

Informal definitionInformal definition Perfect correctness:Perfect correctness:

Any member of a ring can make a ring Any member of a ring can make a ring signaturesignature

Perfect anonymity:Perfect anonymity:Ring signature leaks no information about Ring signature leaks no information about which ring member signed the messagewhich ring member signed the message

Computational unforgeability:Computational unforgeability:Poly-time adversary without knowledge of Poly-time adversary without knowledge of any ring member’s secret key cannot forge any ring member’s secret key cannot forge signature. Not even when given access to signature. Not even when given access to adaptive chosen (message, ring, signer)-adaptive chosen (message, ring, signer)-attackattack

Bilinear group of order nBilinear group of order n

G, GT cyclic groups of order n = pq

G = Gp Gq

g generator for G

bilinear map e: G G GT

e(ua, vb) = e(u, v)ab

e(g, g) generates GT

Commitment [Boneh-Goh-Commitment [Boneh-Goh-Nissim]Nissim]

Public key: h ord(h) = n or q

Commitment to m

c = mhr where r Zn

Perfect hiding if ord(h) = n

Perfect binding in Gp if ord(h) = q : mq = cq

Subgroup decision problem:

ord(h) = n or ord(h) = q

Signature [Boneh-Boyen]Signature [Boneh-Boyen]Verification key: v = gx

Signature on y |y|< |p| (|√n|)

s = g1/(x+y)

Verification

e(vgy, s) = e(g, g)

Strong Diffie-Hellman assumption in Gp

Hard to compute (y, g1/(x+y)) given input

g, gx, gx2, ..., gxl

Common reference string: (n, G, GT, e, g, h)

Verification keys: v = gx

Ring signature (m, x, v R=(v1,...,vN)

1. make one-time signature on (m, R) using one-time verification key y

2. sign y as s = g1/(x+y)

3. commit to v and s as C = vhr, L = sht

4. make perfect WI proof (C, L) sign on y

5. make perfect WI proof C contains v R

Ring signature schemeRing signature scheme

Perfect Witness-Perfect Witness-Indistinguishable proof for Indistinguishable proof for

commited signature on y commited signature on y [Groth-Sahai][Groth-Sahai]

Commitments C = vhr, L = sht

WI proof: ¼ = (gyv)tsrhrt

Verify: e(gyC, L) = e(g, g) e(h, ¼)

Complete:e(gyvhr, sht) = e(gyv, s) e(h, (gyv)tsrhrt)

Perfect WI (ord(h)=n): All (v, r, s, t) give same ¼

Sound (ord(h)=q): e((gyC)q, Lq) = e(gq, gq)

WI proof for commitment to WI proof for commitment to v v R R

v1 v2 . . . v√N

v√N+1 v√N+2 . . . v2√N

vN-√N+1 vN-√N+2 . . . vN

1

g

1

=

e(g,v2)

e(g,v√N+2

)

e(g,vN-

√N+2)

hr1

hr2

hr√N

e(h,*)

e(h,*)

e(h,*)

Commitment C = vhr and ring R = (v1,...,vN)

WI proof that PIR-request is well-formed

WI proof that v is in one of those

Sketch of security proofSketch of security proof Perfect anonymityPerfect anonymity

Commitments are perfectly hiding (ord(h) Commitments are perfectly hiding (ord(h) = n)= n)

... so they can contain Boneh-Boyen ... so they can contain Boneh-Boyen signature for signature for any honest partyany honest party

... and the proofs are perfectly witness ... and the proofs are perfectly witness indistinguishable indistinguishable

Computational unforgeabilityComputational unforgeabilitySwitch to ord(h) = qSwitch to ord(h) = qCommitments are perfectly extractableCommitments are perfectly extractable... so they must contain valid signature in ... so they must contain valid signature in

GGpp

... so we can forge Boneh-Boyen signatures... so we can forge Boneh-Boyen signatures

CRS = (n, G, GT, e, g, h) ord(h) = n

Malicious authority can select h of order q

Key generation:

vi = gxi , hi chosen at random in G

When signing pick t at random and use

With overwhelming probability ord(h) = n

Overcoming a bad CRSOvercoming a bad CRS

h=QN

i=1hti ¡ 1

i

SummarySummary Ring signature schemeRing signature scheme

PIR-techniques + GS proofsPIR-techniques + GS proofs Size O(√N) group elementsSize O(√N) group elements Relies on composite order bilinear Relies on composite order bilinear

groupsgroupssubgroup decisionsubgroup decisionstrong Diffie-Hellman in Gstrong Diffie-Hellman in Gpp

Common reference stringCommon reference stringperfect anonymityperfect anonymity

Untrusted common reference stringUntrusted common reference stringstatistical anonymitystatistical anonymity