An efficient ring signature scheme from pairings

Abstract

Ring signature is a group-oriented signature with privacy concerns: any verifier can be convinced that the message has been signed by one of the members in the group, but the actual signer remains unknown. Several ring signature schemes based on bilinear pairings have been proposed. However, computational complexity for pairing computations of these ring signature schemes grows linearly with the size of the ring. In this paper, we propose an efficient ring signature with constant pairing computations and give its exact security proofs in the random oracle model under the Computational co-Diffie–Hellman assumption. We then investigate the performance of our scheme by choosing the Optimal-Ate pairing on the BN curve defined over a prime field at a 128-bit security level.

Introduction

Ring signatures enable a user to sign a message so that a ring of possible signers (of which the user is a member) is identified, without revealing exactly which member of that ring actually generated the signature. This notion was first formally introduced by Rivest et al. [29], and ring signatures along with the related notion of ring ad hoc identification schemes have been studied extensively since then [1], [11], [10], [16], [8]. Ring signatures are related, but incomparable, to the notion of group signatures [14], [7], [13]. Group signatures have the additional feature that the anonymity of a signer can be traced by a designated group manager. On the other hand, ring signatures require neither a centralized group manager nor coordination among the various users (indeed, users may be unaware of each other at the time they generate their public keys), rings may be formed in an ad hoc manner, and users are given fine-grained control over the level of anonymity associated with any particular signature via selection of an appropriate ring. Ring signatures naturally lend themselves to a variety of applications which have been suggested already in previous works [29], [16], [28]. The original motivation was to allow secrets to be leaked anonymously. For example, a high-ranking government official can sign information with respect to the ring of all similarly high-ranking officials: the information can then be verified as coming from someone reputable without exposing the actual signer. Ring signatures can also be used to provide a member of a certain class of users access to a particular resource without explicitly identifying this member: note that there may be cases when third-party verifiability is required (e.g., to prove that the resource has been accessed) and so ring signatures, rather than ad hoc identification schemes, are needed. Finally, we mention the application to designated-verifier signatures [22] especially in the context of e-mail. Here, ring signatures enable the sender of an e-mail to sign the message with respect to the ring containing the sender and the receiver. The receiver is then assured that the e-mail originated from the sender but cannot prove this to any third party: it is sufficient to use a ring signature scheme which supports only rings of size two. Several ring signature schemes from pairings have been proposed [10], [34], [33], which are provable secure in the random oracle model. Recently, ring signature schemes secure without random oracles have been proposed [31], [30], [24]. However, unlike ID-based ring signature scheme [15], the number of pairing computations for all the ring signature schemes grow linearly with the size of the ring. Much works for pairing computation have also been done, including an denominator elimination method [4], the selection of pairing-friendly groups [5], the construction of pairing-friendly curves [6], [12], [18], [26], the methods to shorten the Miller loop [3] and etc. Although there have been many works discussing the complexity of pairings and how to speed up the pairing computation, the computation of the pairing still remains time-consuming. According to recent results, time required for a pairing computation is at least 2 times (at most 8 times) slower than that for a scalar multiplication on elliptic curves depending the selection of parameters and hardware platforms. Therefore, to construct a practically usable scheme, the number of pairing computations should be minimized. This paper focuses on the construction of a ring signature scheme with constant pairing computations.

The rest of this paper is organized as follows. In the following section, we describe basic tools and formal security models for ring signature schemes. In Section 3, we propose a new ring signature scheme with constant pairing computations and then provide its security proofs against existential forgery under an adaptive chosen-message attack and signer ambiguity in the random oracle model assuming that the Computational co-Diffie–Hellman problem is hard. Concluding remarks are given in Section 4.