An efficient ring signature scheme from pairings
Introduction
Ring signatures enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. This notion was first formally introduced by Rivest et al. [29], and ring signatures along with the related notion of ring ad hoc identification schemes have been studied extensively since then [1], [11], [10], [16], [8]. Ring signatures are related, but incomparable, to the notion of group signatures [14], [7], [13]. Group signatures have the additional feature that the anonymity of a signer can be traced by a designated group manager. On the other hand, ring signatures require neither a centralized group manager nor coordination among the various users (indeed, users may be unaware of each other at the time they generate their public keys), rings may be formed in an ad hoc manner, and users are given fine-grained control over the level of anonymity associated with any particular signature via selection of an appropriate ring. Ring signatures naturally lend themselves to a variety of applications which have been suggested already in previous works [29], [16], [28]. The original motivation was to allow secrets to be leaked anonymously. For example, a high-ranking government official can sign information with respect to the ring of all similarly high-ranking officials: the information can then be verified as coming from someone reputable without exposing the actual signer. Ring signatures can also be used to provide a member of a certain class of users access to a particular resource without explicitly identifying this member: note that there may be cases when third-party verifiability is required (e.g., to prove that the resource has been accessed) and so ring signatures, rather than ad hoc identification schemes, are needed. Finally, we mention the application to designated-verifier signatures [22] especially in the context of e-mail. 
Here, ring signatures enable the sender of an e-mail to sign the message with respect to the ring containing the sender and the receiver. The receiver is then assured that the e-mail originated from the sender but cannot prove this to any third party: it is sufficient to use a ring signature scheme which supports only rings of size two. Several ring signature schemes from pairings have been proposed [10], [34], [33], which are provably secure in the random oracle model. Recently, ring signature schemes secure without random oracles have been proposed [31], [30], [24]. However, unlike the ID-based ring signature scheme [15], the number of pairing computations for all of these ring signature schemes grows linearly with the size of the ring. Much work on pairing computation has also been done, including a denominator elimination method [4], the selection of pairing-friendly groups [5], the construction of pairing-friendly curves [6], [12], [18], [26], and methods to shorten the Miller loop [3]. Although there have been many works discussing the complexity of pairings and how to speed up the pairing computation, the computation of the pairing still remains time-consuming. According to recent results, a pairing computation is at least 2 times (at most 8 times) slower than a scalar multiplication on elliptic curves, depending on the selection of parameters and hardware platforms. Therefore, to construct a practically usable scheme, the number of pairing computations should be minimized. This paper focuses on the construction of a ring signature scheme with constant pairing computations.
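The two-member e-mail ring described above, as an added example that is neither the paper's pairing-based scheme nor its authors' code: a Schnorr-style discrete-log ring signature is swapped in to show why the receiver gains no transferable proof. The group parameters, function names and sample message are assumptions constructed for illustration.

```python
import hashlib, secrets

# Toy Schnorr group, constructed for this example and far too small for real use:
# Q is the Mersenne prime 2^127 - 1, P = k*Q + 1 is prime, G generates the order-Q subgroup.
Q = 2**127 - 1
def _probably_prime(n):
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13, 17))
P = next(k * Q + 1 for k in range(2, 100000, 2) if _probably_prime(k * Q + 1))
G = pow(2, (P - 1) // Q, P)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _challenge(ring, msg, commitment):
    data = repr((tuple(ring), msg, commitment)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def ring_sign(msg, ring, signer, x):
    """Sign msg with secret key x of ring[signer]; the index is not revealed."""
    n = len(ring)
    c, r = [0] * n, [0] * n
    k = secrets.randbelow(Q)
    i = (signer + 1) % n
    c[i] = _challenge(ring, msg, pow(G, k, P))
    while i != signer:  # simulate every other member with a random response
        r[i] = secrets.randbelow(Q)
        commit = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(ring, msg, commit)
    r[signer] = (k - x * c[signer]) % Q  # only a real secret key can close the ring
    return c[0], r

def ring_verify(msg, ring, sig):
    c0, r = sig
    if len(r) != len(ring):
        return False
    c = c0
    for y, r_i in zip(ring, r):
        c = _challenge(ring, msg, pow(G, r_i, P) * pow(y, c, P) % P)
    return c == c0

def designated_verifier_demo():
    (xs, ys), (xr, yr) = keygen(), keygen()  # sender and receiver key pairs
    ring, mail = (ys, yr), b"constructed sample e-mail body"
    from_sender = ring_sign(mail, ring, 0, xs)
    from_receiver = ring_sign(mail, ring, 1, xr)  # receiver can produce an equally valid one
    checks = [ring_verify(mail, ring, s) for s in (from_sender, from_receiver)]
    return checks + [ring_verify(b"tampered body", ring, from_sender)]
```

Both signatures verify against the same two-key ring, so a third party shown the sender's signature cannot rule out that the receiver produced it.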
The rest of this paper is organized as follows. In the following section, we describe basic tools and formal security models for ring signature schemes. In Section 3, we propose a new ring signature scheme with constant pairing computations and then provide its security proofs against existential forgery under an adaptive chosen-message attack and signer ambiguity in the random oracle model assuming that the Computational co-Diffie–Hellman problem is hard. Concluding remarks are given in Section 4.
Section snippets
Some definitions and assumptions
Let , and be cyclic groups of a large prime order p. We write and additively, and multiplicatively. We assume that the discrete logarithm problems in and are hard.
Admissible Pairing: We call e an admissible pairing if is a map with the following properties:
1. Bilinearity: for all and for all .
2. Non-degeneracy: There exist and such that .
3. Computability: There is an efficient algorithm to compute for any
A new ring signature scheme from pairing
Now, we propose an efficient ring signature scheme, , based on bilinear pairings, and provide its security proofs and performance evaluations.
Conclusion
We proposed an efficient ring signature scheme in the bilinear groups for perfect anonymity, which is provably secure in the random oracle model under the co-CDH assumption. Our scheme is the first ring signature scheme whose computational complexity for pairing computations is independent of the ring size, i.e., it requires only two pairing computations. We investigated the performance of our scheme by choosing the Optimal-Ate pairing on the BN curve, BN254, defined over the prime field at the
Acknowledgements
This research was supported by the National Institute for Mathematical Sciences funded by Ministry of Science, ICT, and Future Planning of Korea (project No. B21503-1).
References (34)
- et al., 1-out-of-n signatures from a variety of keys
- D.F. Aranha, K. Karabina, P. Longa, C.H. Gebotys, J. Lopez, Faster explicit formulas for computing pairings over...
- et al., Efficient pairing computation on supersingular abelian varieties, Des. Codes Crypt. (2007)
- et al., Efficient algorithms for pairing-based cryptosystems
- et al., On the selection of pairing-friendly groups
- et al., Pairing-friendly elliptic curves of prime order
- et al., Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions
- A. Bender, J. Katz, R. Morselli, Ring signatures: stronger definitions, and constructions without random oracles, in:...
- et al., Identity-based encryption from the Weil pairing
- et al., Aggregate and verifiably encrypted signatures from bilinear maps