Forking Lemmas for Ring Signature Schemes

Herranz, Javier; Sáez, Germán

doi:10.1007/978-3-540-24582-7_20

Cited by 105 publications

(66 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The instantiation of their scheme based on the discrete logarithm assumption and using the same group for all users is similar to our ring signature except their Σ-protocol based on techniques from [CDS94] give signatures that grow linearly in the size of the ring. Herranz and Sáez [HS03] also give a linear size ring signature based on the discrete logarithm problem in the random oracle model. There are also several pairing-based constructions of ring signatures including [BGLS03,CWLY06,SW07,Boy07,CGS07].…”

Section: Related Workmentioning

confidence: 99%

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

Groth

Kohlweiss

2015

Advances in Cryptology - EUROCRYPT 2015

128

105

View full text Add to dashboard Cite

Abstract. We construct a 3-move public coin special honest verifier zero-knowledge proof, a so-called Sigma-protocol, for a list of commitments having at least one commitment that opens to 0. It is not required for the prover to know openings of the other commitments. The proof system is efficient, in particular in terms of communication requiring only the transmission of a logarithmic number of commitments. We use our proof system to instantiate both ring signatures and zerocoin, a novel mechanism for bitcoin privacy. We use our Sigma-protocol as a (linkable) ad-hoc group identification scheme where the users have public keys that are commitments and demonstrate knowledge of an opening for one of the commitments to unlinkably identify themselves (once) as belonging to the group. Applying the Fiat-Shamir transform on the group identification scheme gives rise to ring signatures, applying it to the linkable group identification scheme gives rise to zerocoin. Our ring signatures are very small compared to other ring signature schemes and we only assume the users' secret keys to be the discrete logarithms of single group elements so the setup is quite realistic. Similarly, compared with the original zerocoin protocol we rely on a weak cryptographic assumption and do not require a trusted setup. A third application of our Sigma protocol is an efficient proof of membership of a secret committed value u belonging to a public list L = {λ1, . . . , λN }.

show abstract

Section: Related Workmentioning

confidence: 99%

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

Groth

Kohlweiss

2015

Advances in Cryptology - EUROCRYPT 2015

128

105

View full text Add to dashboard Cite

show abstract

“…For instance, in the case of a five-pass identification scheme, the signer replaces the two moves given from the verifier by the outputs of some random oracles, he sets the transcript (σ 1 ||h 1 ||σ 2 ||h 2 ||σ 3 ) as a signature of a message M , where h 1 and h 2 the outputs of two hash functions H 1 respectively H 2 modeled as random oracles, and the σ 1 , σ 2 and σ 3 the values given from the prover as in the identification scheme. Similarly to [20], the authors of [4] generalize the forking lemma even more for ring signatures schemes in order to give security arguments for such a class of signature.…”

Section: Signature Schemes From Identification Schemesmentioning

confidence: 99%

An Improved Threshold Ring Signature Scheme Based on Error Correcting Codes

Cayrel

Alaoui

Hoffmann

et al. 2012

Arithmetic of Finite Fields

View full text Add to dashboard Cite

Abstract. The concept of threshold ring signature in code-based cryptography was introduced by Aguilar et al. in [1]. Their proposal uses Stern's identification scheme as basis. In this paper we construct a novel threshold ring signature scheme built on the q-SD identification scheme recently proposed by Cayrel et al. in [14]. Our proposed scheme benefits of a performance gain as a result of the reduction in the soundness error from 2/3 for Stern's scheme to 1/2 per round for the q-SD scheme. Our threshold ring signature scheme uses random linear codes over the field Fq, secure in the random oracle model and its security relies on the hardness of an error-correcting codes problem (namely the q-ary syndrome decoding problem). In this paper we also provide implementation results of the Aguilar et al. scheme and our proposal, this is the first efficient implementation of this type of code-based schemes.

show abstract

“…We remark that the scheme of [16] serves as a natural example of a scheme that is unforgeable against fixed-ring attacks, but which is not unforgeable against chosen-subring attacks (in the random oracle model); this was subsequently fixed in [15]. We defer a detailed discussion to the full version [4].…”

Section: Separations Between the Security Definitionsmentioning

confidence: 99%

“…This notion was first formally introduced by Rivest, Shamir, and Tauman [20], and ring signatures -along with the related notion of ring/ad-hoc identification schemes -have been studied extensively since then [5,19,1,23,16,11,22,18,2]. Ring signatures are related, but incomparable, to the notion of group signatures [6].…”

Section: Introductionmentioning

confidence: 99%

Ring Signatures: Stronger Definitions, and Constructions Without Random Oracles

Bender¹,

Katz

Morselli³

2008

SSRN Journal

View full text Add to dashboard Cite

Abstract. Ring signatures, first introduced by Rivest, Shamir, and Tauman, enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. In contrast to group signatures, ring signatures are completely "ad-hoc" and do not require any central authority or coordination among the various users (indeed, users do not even need to be aware of each other); furthermore, ring signature schemes grant users fine-grained control over the level of anonymity associated with any particular signature. This paper has two main areas of focus. First, we examine previous definitions of security for ring signature schemes and suggest that most of these prior definitions are too weak, in the sense that they do not take into account certain realistic attacks. We propose new definitions of anonymity and unforgeability which address these threats, and then give separation results proving that our new notions are strictly stronger than previous ones. Next, we show two constructions of ring signature schemes in the standard model: one based on generic assumptions which satisfies our strongest definitions of security, and a second, more efficient scheme achieving weaker security guarantees and more limited functionality. These are the first constructions of ring signature schemes that do not rely on random oracles or ideal ciphers.

show abstract

Forking Lemmas for Ring Signature Schemes

Cited by 105 publications

References 16 publications

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

One-Out-of-Many Proofs: Or How to Leak a Secret and Spend a Coin

An Improved Threshold Ring Signature Scheme Based on Error Correcting Codes

Ring Signatures: Stronger Definitions, and Constructions Without Random Oracles

Contact Info

Product

Resources

About