Conference Paper

How to Leak a Secret


Abstract

In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
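The construction summarized in the abstract, written out as an added example (this is not code from the paper, whose authors give the scheme in prose and equations): each member's RSA key is extended to a trapdoor permutation g_i over b-bit strings, the ring equation C_{k,v}(y_1, ..., y_r) = v is built from a symmetric permutation E_k keyed by H(m), and the signer picks every other member's x_i at random, solves for its own y_s and inverts it with its private exponent. Everything concrete here is the example's own choice: the three key pairs use small well-known primes as a constructed toy, a four-round SHA-256 Feistel network stands in for the block cipher, and the names sign, verify, g, enc and dec are hypothetical and do not come from the paper.

```python
"""Toy RST ring signature: RSA trapdoor permutations glued by a keyed permutation.
Added example; the parameters are far too small for real use."""
import hashlib
import random

E = 65537


def make_key(p, q):
    # p, q are fixed well-known primes here (constructed toy keys, not real ones)
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}


KEYS = [
    make_key(2147483647, 1000000007),           # 2^31-1, 10^9+7
    make_key(2305843009213693951, 998244353),   # 2^61-1, 119*2^23+1
    make_key(1000000009, 131071),               # 10^9+9, 2^17-1
]
PUBS = [(k["n"], k["e"]) for k in KEYS]


def ring_bits(pubs):
    """Common width b: larger than every modulus, and even so the Feistel halves split."""
    b = max(n.bit_length() for n, _ in pubs) + 64
    return b + (b % 2)


def g(m, n, exp, b):
    """Extended trapdoor permutation on [0, 2^b): RSA on the residue of m mod n
    when the whole block [q*n, (q+1)*n) fits below 2^b, identity otherwise.
    The same function inverts with exp = d."""
    q, r = divmod(m, n)
    if (q + 1) * n <= 1 << b:
        return q * n + pow(r, exp, n)
    return m


def _f(key, i, half, hb):
    # Feistel round function: SHA-256 of (key, round, half-block), truncated to hb bits
    h = hashlib.sha256(key + bytes([i]) + half.to_bytes((hb + 7) // 8, "big")).digest()
    return int.from_bytes(h, "big") & ((1 << hb) - 1)


def enc(key, x, b):
    """E_k: 4-round Feistel permutation of b-bit integers (stands in for a block cipher)."""
    hb = b // 2
    left, right = x >> hb, x & ((1 << hb) - 1)
    for i in range(4):
        left, right = right, left ^ _f(key, i, right, hb)
    return (left << hb) | right


def dec(key, y, b):
    """D_k: inverse of enc (same rounds, applied in reverse)."""
    hb = b // 2
    left, right = y >> hb, y & ((1 << hb) - 1)
    for i in reversed(range(4)):
        left, right = right ^ _f(key, i, left, hb), left
    return (left << hb) | right


def sign(msg, pubs, s, priv, rng=None):
    """Member s signs msg for the ring pubs using only its own trapdoor d."""
    rng = rng or random.SystemRandom()
    b = ring_bits(pubs)
    k = hashlib.sha256(msg).digest()            # symmetric key k = H(m)
    v = rng.getrandbits(b)                      # glue value
    xs = [rng.getrandbits(b) if i != s else None for i in range(len(pubs))]
    ys = [g(x, n, e, b) if x is not None else None for x, (n, e) in zip(xs, pubs)]
    fwd = v                                     # v_s: walk the ring forwards up to s
    for i in range(s):
        fwd = enc(k, fwd ^ ys[i], b)
    bwd = v                                     # v_{s+1}: walk backwards down to s+1
    for i in range(len(pubs) - 1, s, -1):
        bwd = dec(k, bwd, b) ^ ys[i]
    ys[s] = dec(k, bwd, b) ^ fwd                # the one y_s that closes the ring
    xs[s] = g(ys[s], priv["n"], priv["d"], b)   # only the signer can invert g_s
    return v, xs


def verify(msg, pubs, sig):
    """Anyone can check that the ring closes on v; nothing reveals which x_i was solved for."""
    v, xs = sig
    b = ring_bits(pubs)
    if len(xs) != len(pubs) or not all(0 <= x < 1 << b for x in xs):
        return False
    k = hashlib.sha256(msg).digest()
    z = v
    for (n, e), x in zip(pubs, xs):             # one g_i plus one E_k per member
        z = enc(k, z ^ g(x, n, e, b), b)
    return z == v


if __name__ == "__main__":
    m = b"the minister's memo is genuine"         # constructed sample message
    sig = sign(m, PUBS, 1, KEYS[1], random.Random(7))
    print(verify(m, PUBS, sig), verify(b"forged", PUBS, sig))   # True False
```

Verification walks the ring once and checks that it closes on v; the signer's position is not encoded anywhere in (v, x_1, ..., x_r), which is what makes the signature signer-ambiguous, and the linear cost per member (one g_i evaluation plus one E_k call) is visible in the verify loop. With real keys the RSA moduli would be 2048 bits or more and E_k a standard block cipher.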


... As a result, many organizations started a standardization process for post-quantum resistant cryptographic algorithms where NIST took the lead by initiating a standardization process in 2017 [208], resulting in the selection of four schemes in 2022 [209]: CRYSTALS-Kyber [14] for public-key encryption and key establishment, CRYSTALS-Dilithium [96], FALCON [112], and SPHINCS+ [12] for digital signatures. PQC is currently a highly active research area, wherein various new PQC signatures are built with extended features (Group [69], Ring [227] signatures, and Multi-signatures [151]), and NIST initiated a new standardization effort for additional PQC digital signatures [1]. ...
... In addition to threshold digital signatures, other models of distributed signatures with special features, also called exotic signatures, such as Group signatures [69], Ring signatures [227], and Multi-signatures [151] exist. These exotic signatures offer distributed security under different settings that are applicable in various domains such as Blockchain [38], Cryptocurrency [158], IoT [172], Cloud [253], and others. ...
... (i) The existing surveys discuss some distributed signatures mainly with custom thresholding (and in some rare cases with generic) approaches but do not offer an exhaustive examination from both custom and MPC-based generic methodologies with vis-a-vis comparison. (ii) This gap widens since existing work does not encompass custom and MPC-based thresholding of conventional and NIST-PQC standards as well as a wide variety of exotic features (e.g., [69,151,227]). The importance of a wide range of thresholding capabilities is highlighted by NIST's recent call as the Multi-party Threshold Cryptography (MPTC) project [49]. ...
... Privacy preservation is necessary for various NextG networked applications (e.g., blockchains, e-voting), but GP signatures are not designed with privacy in mind. Privacy-preserving authentication has been an active research area for decades, yet deployment of privacy-enhanced signatures (e.g., group [7], ring [8], and blind signatures [9]) is lacking at best in current systems. The consideration of privacy and anonymity for digital signatures has also been discussed in NIST's MPTC project [6], and balancing performance, robustness, and privacy is mentioned as a major challenge. ...
... In light of these insights, we present a forward-looking course outlining the forthcoming signatures suitable for NextG networked systems. This analysis lays out Group [7], Ring [8], and Blind signatures [9] in terms of efficiency and outlines potential synergies among them. Further, it highlights the need for constructing PQ-secure privacy-preserving signatures and the need for distributed constructions as recommended by NIST's MPTC project. ...
... Ring Signatures: Ring signatures (RSs) [8] stand apart from GSs for not requiring setup procedures, group managers, and revocation mechanisms. When signing a message, each participant, possessing a private and public key set, selects a subset of other participants' public keys, including their own, to form an anonymous group known as a ring. ...
Conference Paper
Full-text available
Authentication and integrity are foundational security services for trustworthy systems and the prerequisite of privacy preservation. At the heart of these services lies digital signatures, widely deployed in real-life applications and supported by various standards. Yet, newly emerging next-generation (NextG) networked systems are vastly distributed, include many resource-limited components, and demand advanced features such as privacy, anonymity, and post-quantum (PQ) security. However, the current signature standards and specialized signatures only meet some of these important requirements in isolation. Hence, there is a significant gap in the state-of-the-art in identifying the needs of emerging networked systems and synergizing them with the features of advanced signatures. In this work, we strive to mitigate this gap by uniting burgeoning ubiquitous systems with advancements in digital signatures and then envisioning the trust via signatures with extended features for NextG networked systems. We investigate the current signature standardizations and advanced constructions for their potentials and drawbacks in three essential aspects of NextG networks-decentralized, privacy-preserving, and resource-constraint settings. We first analyze threshold cryptography efforts proffered by NIST, both from secure multi-party computation and custom design constructions, with applications on distributed systems like blockchains, federated cloud, and NextG Public Key Infrastructures (PKIs) in mind. We then investigate the intersections of distributed signatures and privacy-preservation techniques for privacy-sensitive NextG applications (e.g., medical, cryptocurrency). We also focus on research gaps for resource and time-limited systems and identify suitable signatures to remedy this gap for security-critical applications (e.g., vehicular networks, smart grids). Finally, we discuss potential directions for these ubiquitous NextG systems and advanced signatures in the PQ era. We expect that our vision contributes to the narrowing of the gap in NextG networked applications and emerging digital signatures, thereby aiding practitioners and field experts to lay the foundations of authentication services for NextG systems.
... This approach substantially increases the number of certificates that the user needs to manage. The second technology, anonymous signature, such as ring signature [3], blind signature [4], etc., is very suitable for strong anonymity practical applications. Many anonymity mechanisms may not provide traceability due to their inherent system structure, which could lead to anonymity abuse and illegal activities such as fraud. ...
... w/ 2 Rg to prove the correct random operation was performed (equivalent to prove it did perform effective randomization with the correct private key). It first computes3 D Q 1 m , then computes D NIZKf.m;˛/j 3 D Q 1 m^X 1 D g1 g. Finally, user U generates the randomized certificate Cert 0 D .Cert 0 ; 3 ; / D . ...
Article
Traditional public key infrastructure (PKI) only provides authentication for network communication, and the standard X.509 certificate used in this architecture reveals the user's identity. This lack of privacy protection no longer satisfies the increasing demands for personal privacy. Though an optimized anonymous PKI certificate realizes anonymity, it has the potential to be abused due to the lack of identity tracking. Therefore, maintaining a balance between user anonymity and traceability has become an increasing requirement for current PKI. This paper introduces a novel traceable self-randomization certificate authentication scheme based on PKI architecture that achieves both anonymity and traceability. We propose a traceable self-randomization certificate authentication scheme based on the short randomizable signature. Specifically, certificate users can randomize the initial certificate and public key into multiple anonymous certificates and public keys by themselves under the premise of traceability, which possesses lower computational complexity and fewer interactive operations. Users can exhibit different attributes of themselves in different scenarios, randomizing the attributes that do not necessarily need to be displayed. Through security and performance analysis, we demonstrate the suitability of the improved PKI architecture for practical applications. Additionally, we provide an application of the proposed scheme to the permissioned blockchain for supervision.
... To address the challenge of enabling anonymous authentication, Rivest et al. (2001) proposed a Ring Signature scheme. However, this scheme lacks the capability to ascertain whether two signatures were issued by the same participant, a shortcoming that, if employed in survey research, may introduce the risk of a participant submitting responses multiple times. ...
Conference Paper
Survey research holds significant importance in various areas related to Information Systems (IS), spanning from academia to the business context and public governance. However, it is common for many research endeavors to face challenges related to the data authenticity, whether due to unauthorized access by individuals or incorrect responses stemming from a lack of anonymity for participants. This paper presents an ongoing research endeavor aimed at developing a web application based on Linkable Ring Signatures scheme capable of enabling the anonymous authentication of participants in surveys. In particular, this objective of this paper lies in the methodological design proposal and an architectural model. Regarding the contributions for IS research and practice, we introduce a novel architectural model based on the Linkable Ring Signature to ensure anonymous authenticity in survey research. We also emphasize the importance of fostering trust in survey participation and its design/process.
... Chaum [23] presented one of the earliest ideas for the use of the Blind Signatures (BS) scheme in e-voting, and BS allows voters to sign their ballots without exposing the content of their votes to the voting authority. The schemes proposed by Rivest et al. [24] and Benaloh [25] are later approaches for adopting the BS scheme in e-voting. ...
Article
Full-text available
This article presents a novel e-voting scheme that combines Group Identity-based Identification (GIBI) with Homomorphic Encryption (HE) based on the discrete logarithmic assumption. The proposed scheme uses the Schnorr-like GIBI scheme for voter identification and authorization using zero-knowledge proofs to ensure the anonymity and eligibility of voters. The voter v_{i,j} is granted the authorization to cast a valid vote for a single candidate C_k. The use of distributed ElGamal provides fairness while the use of partial shares for decryption enables individual and universal verifiability without the need for a central authority. The proposed scheme is secure under various scenarios and robust in the random oracle model. The GIBI-HE scheme offers a promising solution for e-voting, providing a sustainable and accessible environment for voters while supporting the unreusability of votes and protecting the privacy of voters.
... This system endows a user with the capability to append an anonymous signature amidst a set of users (i.e., a "ring"), all the while ensuring that a singular user does not produce multiple distinct signatures. Unlike classical ring signatures [30], linkable variants possess a salient attribute: should a user sign the same information multiple times, these signatures can be intricately linked. In this work, buyers use LRS to sign ratings when evaluating sellers or products, and the verifiers (sellers or other users) cannot identify the signer from the signature, thus protecting the signer's privacy. ...
Article
Full-text available
E-commerce platforms incorporate reputation systems that allow buyers to rate sellers after transactions. However, existing reputation systems face challenges such as privacy leakage, linkability, and multiple rating attacks. The feedback data can inadvertently expose user information privacy because they reveal the buyers’ identities and preferences, which deters a significant number of users from providing their ratings. Moreover, malicious actors can exploit data analysis and machine learning techniques to mine user privacy from the rating data, posing serious threats to user security and trust. This study introduces ARS-Chain, a pioneering and secure blockchain-driven anonymous reputation-sharing framework tailored for e-commerce platforms. The core of ARS-Chain is a dynamic ring addition mechanism with linkable ring signatures (LRS), where the number of LRS rings is dynamically added in alignment with the evolving purchase list, and LRS link tags are constructed with the LRS rings and item identifiers. Further, a consortium blockchain is introduced to store these anonymous ratings on e-commerce platforms. As a result, ARS-Chain ensures full anonymity while achieving cross-platform reputation sharing, making rating records unlinkable, and effectively countering multiple rating attacks. The experimental results confirm that ARS-Chain significantly enhances user information privacy protection while maintaining system performance, having an important impact on the construction of trust mechanisms for e-commerce platforms.
... In response to the problems of differential privacy, relevant researchers have proposed using ring signatures to protect user identity privacy while improving user experience. The concept of a ring signature, introduced by Rivest et al. in 2001, originated as a simplified form of group signature [15]. The main purpose of ring signatures is to solve the problem of hiding the identity of the real signer during the message transmission process. ...
Article
Full-text available
With the rapid increase in smart grid users and the increasing cost of user data transmission, proposing an encryption method that does not increase the construction cost while increasing the user ceiling has become the focus of many scholars. At the same time, the increase in users will also lead to more security problems, and it is also necessary to solve the privacy protection for users during information transmission. In order to solve the above problems, this paper proposes an aggregated ring encryption scheme based on the SM2 algorithm with special features, referred to as SM2-CLARSC, based on the certificateless ring signcryption mechanism and combining with the aggregate signcryption. SM2-CLARSC is designed to satisfy the basic needs of the smart grid, and it can be resistant to replay attacks, forward security and backward security, etc. It has better security and higher efficiency than existing solutions. Comparing SM2-CLARSC with existing typical solutions through simulation, the result proves that this solution has more comprehensive functions, higher security, and significant computational efficiency improvement.
... The fourth category includes the schemes [24][25][26][27][28][29][30] which are based on the ring signature. Rivest et al. [31] solve the issues in group signature by introducing a new concept called ring signature. Ring signature provides more advantages than group signature including no group manager, strong traceability and anonymity. ...
Article
Full-text available
Nowadays, the traditional transportation systems are being replaced by the Vehicular Ad-hoc Networks (VANETs) based intelligent transportation system. In VANETs, vehicles communicate by sending messages over the open environment, which leads to the danger of different privacy and security issues, so it becomes necessary to protect those messages from various privacy and security attacks. To prevent those attacks, a new certificateless ring signature scheme is proposed in this paper. The proposed technique uses the concept of batch verification. The formal security analysis of the proposed scheme is done using the RoR model. We use the AVISPA tool to show the formal security verification of the proposed scheme to prove that the scheme is resistant to active and passive attacks. In the performance analysis, the proposed scheme is compared with the existing schemes and the results show that our scheme has less computation cost and communication cost.
... Group/ring signatures [22,75] let a verifier verify that a message was sent by a member of a group, without learning which member. This resembles our TraceOut query if we map the group of senders with the subset of input ciphertexts. ...
Article
Full-text available
We introduce the notion of traceable mixnets. In a traditional mixnet, multiple mix-servers jointly permute and decrypt a list of ciphertexts to produce a list of plaintexts, along with a proof of correctness, such that the association between individual ciphertexts and plaintexts remains completely hidden. However, in many applications, the privacy-utility tradeoff requires answering some specific queries about this association, without revealing any information beyond the query result. We consider queries of the following types: a) given a ciphertext in the mixnet input list, whether it encrypts one of a given subset of plaintexts in the output list, and b) given a plaintext in the mixnet output list, whether it is a decryption of one of a given subset of ciphertexts in the input list. Traceable mixnets allow the mix-servers to jointly prove answers to the above queries to a querier such that neither the querier nor a threshold number of mix-servers learn any information beyond the query result. Further, if the querier is not corrupted, the corrupted mix-servers do not even learn the query result. We first comprehensively formalise these security properties of traceable mixnets and then propose a construction of traceable mixnets using novel distributed zero-knowledge proofs (ZKPs) of set membership and of a statement we call reverse set membership. Although set membership has been studied in the single-prover setting, the main challenge in our distributed setting lies in making sure that none of the mix-servers learn the association between ciphertexts and plaintexts during the proof. We implement our distributed ZKPs and show that they are faster than state-of-the-art by at least one order of magnitude.
... For protecting users' privacy in signature schemes, the ring signature was first proposed in 2001 [17]. The design of ring signatures is very useful and valuable. ...
Article
Full-text available
Applying blockchain to copyright protection is currently a popular research trend. However, the characteristics of blockchain open data also lead to the threat of copyright privacy leakage. Targeting at this issue, we design a secure digital copyright protection scheme based on blockchain and ring signature algorithm, which can achieve privacy protection of copyright information and improve the efficiency of data authentication. In this paper, we design a new ring signature scheme based on lattice. In this scheme, by using the lattice basis delegation algorithm, user’s public-private key pair is generated without expanding the dimension of lattice. Subsequently, according to the rejection sampling, message is signed by signer’s secret keys and other ring participants’ public keys. It can reduce scheme’s computational complexity. Finally, by combining ring signatures with blockchain technology, a new copyright protection scheme is proposed. More importantly, this scheme is proven to be secure with its correctness and anonymity. Meanwhile, it has less communication costs and shorter key sizes than those in other similar schemes. The results show that the proposed new scheme has good performance and efficiency.
... The use of signatures is important to ensure authenticity but, in general, this removes the anonymity of the signer. Rivest et al. [21] propose the ring signatures model, which is a signature scheme based on a group of public keys of possible signers. The main feature is that it is possible to guarantee that a message ( ) was signed using a private key ( ) associated with a public key ( ) belonging to a set of possible public keys ( ) without disclosing , to guarantee the anonymity of the signer. ...
Article
Voting is essential to assure democracy. The voting process is supported by mission-critical systems that have among others functional, cybersecurity, and data privacy requirements. Comprehensive approaches are required to identify the requirements and technologies needed to design the solution. STPA is a method for identifying system safety requirements that have been extended to identify cybersecurity requirements. LINDDUN is a privacy threat modeling methodology that supports analysts in privacy-eliciting and mitigating threats in software architectures. Blockchain is a technology that uses a peer-to-peer computer network as a public distributed ledger. We propose an approach that uses STPA and its extensions to identify the cybersecurity and data privacy requirements, and incorporates the blockchain technology to design the solution for the mission-critical e-voting system. We built a proof of concept of the solution and performed cybersecurity and data privacy tests. The tests showed that the solution meets the critical cybersecurity and data privacy requirements. The major contributions of this paper include an approach that employs cybersecurity and data privacy threat modeling techniques to enhance the STPA analysis of a system, and the design of a Blockchain-based, verifiable e-voting system.
... One of the members will sign a transaction and send it to the network. Ring signatures were invented by Ron Rivest, Adi Shamir, and Yael Tauman Kalai and introduced at ASIACRYPT in 2001 (Rivest et al., 2001). The primary purpose of the ring signature is to hide the identity of the sender. ...
Article
The Internet of Things (IoT) is an emerging field of technology with a huge scope of its applicability in various industries and a wide range of societal needs, including medical sciences. However, IoT suffers from many limitations like energy, resource constraints, scalability, security, availability, etc. Software-Defined Networking (SDN) is another similar technology that has many features that are capable of solving many of the limitations of the conventional IoT system. So, suitably incorporating SDN technology into the conventional IoT system, an improved version of IoT, namely an SDN-based IoT network system, has evolved. This system is capable of resolving many of the limitations of IoT. Since this newer SDN-based IoT version is enriched with better energy and resources, it can undertake higher computational loads to resolve security issues. In the security domain, Blockchain is a state-of-the-art security-based technology in recent times which has already been implemented effectively in the field of cryptocurrency. So, many research opportunities emerge in adapting Blockchain-based technology to the SDN-based IoT networking domain. This paper deals with the investigations carried out by past researchers on various security aspects of the IoT, SDN, and SDN-based IoT systems and their solutions using various technologies, including that of Blockchain. It was concluded that the convergence of Blockchain in IoT and SDN and its combination (SDN-based IoT) resolved many security issues. Many prominent research gaps still persist here to be resolved. This can be dealt with as a future scope of research opportunities in the domain.
... In electronic voting systems, one of the main issues is anonymity, i.e., the relationship between the voter and his ballot cannot be disclosed. We adopt the one-time ring signature (OTRS) proposed by Nicolas van Saberhagen [15,16], which ensures that a voter with one key pair can sign a ballot only once. The parameters in OTRS are defined as follows [17]: F_q is a cyclic group with a prime number q as its order, E(F_q) refers to an elliptic curve defined over the finite group F_q. ...
Chapter
Full-text available
E-voting protocols based on the blockchain can ensure secure and fair voting without a trusted third party. Nonetheless, the majority of current blockchain-based voting protocols only permit yes/no voting for a single candidate. This paper proposes an electronic voting protocol utilizing blockchain technology that supports score voting for multiple candidates. Compared with conventional yes/no voting methods, the main challenges of score-based voting are how to ensure that the score assigned for each candidate by a voter is in a defined range, the sum of scores voted by one voter is a predefined constant and the privacy of the voting scores is protected. In our protocol, two types of zero-knowledge proofs, i.e., zero-knowledge proof for set membership (ZKSM) and zero-knowledge sum proof (ZKSP) are used to satisfy the two key requirements of the score constraint. Meanwhile, based on the distributed ElGamal encryption algorithm and Paillier algorithm, we design a novel encryption algorithm to encrypt the ballots, which improves the efficiency of computing the voting results while supporting robustness so that even if some voters abstain or cast invalid votes, the voting results can still be directly computed by each voter without restarting the protocol. The security analysis shows that our voting protocol achieves maximal ballot secrecy, anonymity, eligibility, resistance against multi-voting, robustness, and dispute-freeness. The performance analysis demonstrates the effectiveness and practicality of our voting protocol.
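The one-time ring signature that the excerpt above refers to, as an added example (this is not code from the original paper, from the cited chapter or from CryptoNote): a Schnorr subgroup of prime order Q in Z_p^*, with a safe prime p generated at import time, replaces the curve E(F_q) of the excerpt, SHA-256 serves as both the hash to the group and the hash to a scalar, and the names keygen, sign, verify and linked are the example's own. It also illustrates the linkability property that the excerpts on the ARS-Chain and code-based LRS papers describe: a second signature under the same key carries the same key image, so two ballots from one voter can be tied together without learning which ring member cast them.

```python
"""Toy linkable (one-time) ring signature with key images, CryptoNote style.
Added example; a Schnorr subgroup of Z_p^* stands in for the curve E(F_q)."""
import hashlib
import random

SMALL = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin; with these fixed bases it is deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in SMALL:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """p = 2q + 1 with p and q prime: the quadratic residues mod p form a group of order q."""
    while True:
        q = rng.getrandbits(bits - 1) | 1 << (bits - 2) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(64, random.Random(2001))   # fixed seed: reproducible toy group
G = 4                                        # 2^2 is a residue, hence a generator of order Q


def H_p(data):
    """Hash to the group: squaring puts any nonzero value into the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(b"grp|" + data).digest(), "big")
    return pow(h % P, 2, P)


def H_s(*parts):
    """Hash to a scalar in Z_Q (the challenge)."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def ib(x):
    return str(x).encode()


def keygen(rng=None):
    rng = rng or random.SystemRandom()
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def sign(msg, ring, s, x, rng=None):
    """Member s (secret x) signs msg; the key image I = H_p(P_s)^x is fixed per key."""
    rng = rng or random.SystemRandom()
    n = len(ring)
    img = pow(H_p(ib(ring[s])), x, P)
    c, r, L, R = [0] * n, [0] * n, [0] * n, [0] * n
    for i in range(n):
        hp = H_p(ib(ring[i]))
        if i == s:
            u = rng.randrange(1, Q)                 # fresh nonce for the real signer
            L[i], R[i] = pow(G, u, P), pow(hp, u, P)
        else:                                       # simulated transcripts for the decoys
            c[i], r[i] = rng.randrange(Q), rng.randrange(Q)
            L[i] = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
            R[i] = pow(hp, r[i], P) * pow(img, c[i], P) % P
    chal = H_s(msg, *map(ib, L + R))
    c[s] = (chal - sum(c)) % Q                     # c[s] is still 0, so sum(c) is the decoys' total
    r[s] = (u - c[s] * x) % Q
    return img, c, r


def verify(msg, ring, sig):
    """Recompute every L_i, R_i from (c_i, r_i) and check the challenges add up."""
    img, c, r = sig
    if len(c) != len(ring) or len(r) != len(ring):
        return False
    if not (1 < img < P and pow(img, Q, P) == 1):  # reject key images outside the subgroup
        return False
    L, R = [], []
    for pub, ci, ri in zip(ring, c, r):
        L.append(pow(G, ri, P) * pow(pub, ci, P) % P)
        R.append(pow(H_p(ib(pub)), ri, P) * pow(img, ci, P) % P)
    return sum(c) % Q == H_s(msg, *map(ib, L + R))


def linked(sig_a, sig_b):
    """Equal key images mean the same secret key signed twice, whoever that member is."""
    return sig_a[0] == sig_b[0]
```

The subgroup check on the key image in verify is what keeps the link tag honest: in a group with a cofactor, a key image outside the prime-order subgroup would let one key sign twice without the images matching. The hash to the group also has to be independent of the generator; using G^{H(P)} instead of a squared hash would make every member's key image publicly computable from its public key and destroy the anonymity the ring is supposed to provide.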
... Ring signatures [1], a significant cryptographic primitive, enable a group user to sign a message on behalf of the group (called a ring) while protecting their privacy. Anonymity means that a verifier can only verify the correctness of the signature but cannot identify who is the actual signer in the ring. ...
Article
Full-text available
Linkable ring signatures (LRSs) are ring signatures with the extended property that a verifier can detect whether two messages were signed by the same ring member. LRSs play an important role in many application scenarios such as cryptocurrency and confidential transactions. The first code-based LRS scheme was put forward in 2018. However, this scheme was pointed out to be insecure. In this paper, we put forward a code-based LRS scheme by constructing a new Stern-like interactive protocol and prove that it meets the security requirements of LRSs. We also give the specific parameters and the performance on the platform of our scheme.
... Therefore, an excellent on-chain governance voting mechanism needs to consider anonymity. Currently, mixed network [42], group signature [43], and ring signature [44] can be used to achieve the anonymity of voting. • Coercion freeness: Coercion means an attacker requires a voter to vote for a particular candidate or abstain. ...
Article
Full-text available
After the Ethereum DAO attack in 2016, which resulted in significant economic losses, blockchain governance has become a prominent research area. However, there is a lack of a comprehensive and systematic literature review on blockchain governance. To deeply understand the process of blockchain governance and provide guidance for the future design of the blockchain governance model, we provide an in-depth review of blockchain governance. In this paper, first we introduce the consensus algorithms currently used in blockchain and relate them to governance theory. Second, we present the main content of off-chain governance and investigate two well-known off-chain governance projects. Third, we investigate four common on-chain governance voting techniques, then summarize the seven attributes that the on-chain governance voting process should meet, and finally analyze four well-known on-chain governance blockchain projects based on the previous research. We hope this survey will provide an in-depth insight into the potential development direction of blockchain governance and devise a future research agenda.
... In a ring signature (see Figs. 4 and 5), the signature is mixed with signatures from other members of a group (referred to as a ring), making it impossible for anyone, except the actual signer, to determine the identity of the signer. The concept of Ring Signature was initially proposed by Rivest in 2001 [16]. We can successfully achieve both the objectives of ensuring Signers' Anonymity and guaranteeing Signature Correctness. ...
... Mixing services, introduced initially by Chaum [14], allow users to obscure both the identity of communication participants and the content of the communication, serving as a means to obfuscate transaction histories and reduce the risk of de-anonymization when integrated into blockchain networks. Ring signatures enable a user, as a part of a 'ring' of members, to sign a message without revealing the specific member responsible for the signature [15]. ZKP is a cryptographic technique designed to establish the validity of a given statement without revealing any additional information [16]. ...
Article
To meet the increasing electricity demand and achieve the goals of “carbon peaking” and “carbon neutrality”, it is urgent to develop a new power system with new energy as the main body and large‐scale integration of power intelligent electronic devices. However, the large‐scale access to intelligent devices will bring new network security issues. In response to network security threats, a power grid network security situational awareness system is established to assess the security situation of the power grid and strengthen the network security. Cloud data sharing enables security monitoring data to flow faster and be fully used to facilitate security situational research and judgment. Nevertheless, in reality, issues such as privacy leakage, data tampering, and unauthorized access hinder the application of cloud data sharing. To solve the above problems, we propose a new secure sharing scheme for power system security monitoring data based on batch verification ring signature. In this scheme, we design a batch verification ring signature algorithm to guarantee users' anonymity and promote the efficiency of data sharing. Then, we formally prove that our scheme achieves three security features: anonymity, confidentiality, and unforgeability. Finally, experimental simulations show that our scheme's computational cost is less than half that of other schemes, which also has lower communication overhead.
Article
Blockchain has attracted significant attention in recent years due to its potential to revolutionize various industries by providing trustlessness. To comprehensively examine blockchain systems, this article presents both a macro-level overview on the most popular blockchain systems, and a micro-level analysis on a general blockchain framework and its crucial components. The macro-level exploration provides a big picture on the endeavors made by blockchain professionals over the years to enhance the blockchain performance while the micro-level investigation details the blockchain building blocks for deep technology comprehension. More specifically, this article introduces a general modular blockchain analytic framework that decomposes a blockchain system into interacting modules and then examines the major modules to cover the essential blockchain components of network, consensus, and distributed ledger at the micro-level. The framework as well as the modular analysis jointly build a foundation for designing scalable, flexible, and application-adaptive blockchains that can meet diverse requirements. Additionally, this article explores popular technologies that can be integrated with blockchain to expand functionality and highlights major challenges. Such a study provides critical insights to overcome the obstacles in designing novel blockchain systems and facilitates the further development of blockchain as a digital infrastructure to service new applications.
Chapter
Blockchain is a promising and growing technology for providing reliable and secure decentralized solutions. Nevertheless, it encounters many research challenges. Some of the main challenges in the blockchain are smart contract management, key management, and further improvements in security, privacy, and scalability. These challenges can be addressed by leveraging suitable and efficient cryptographic primitives. Therefore, this chapter aims to investigate and present a brief description of cryptographic primitives employed in the blockchain. Additionally, for each cryptographic primitive, a few research problems are also postulated that can be of independent interest.
Chapter
At present, PBFT has become an important consensus mechanism in the blockchain due to its high efficiency. In PBFT, a primary node must be chosen. If the primary node is attacked, PBFT needs to select a new node as the primary node. The continuous occurrence of such attacks makes PBFT much less efficient. Considering the importance of the primary node, this paper proposes an improved model of PBFT with anonymity and proxy. The linkable ring signature technology is utilized to hide the primary node among the ordinary nodes, which can significantly reduce the risk of the primary node being attacked. This countermeasure improves the security of PBFT to some extent. Moreover, in this scheme, each node has its corresponding proxy node. When a node is not online to participate in the PBFT, its proxy node can be authorized to complete all the steps in the consensus, which improves the reliability of PBFT.
Chapter
Accountable ring signatures close the gap between ring signatures and group signatures. They support a designated opener who can identify signers when necessary while allowing for the most excellent possible flexibility in selecting the ring. Accountable ring signatures were first informally defined by Xu and Yung at CARDIS 2004. They present a compiler that transforms a traditional ring signature scheme into an accountable one by using a trusted model on the smart cards. At ESORICS 2015, Bootle et al. introduced a formal security model for accountable ring signatures. In addition, they also present a generic construction for accountable ring signatures in the random oracle model. In terms of the security proof model, the plain model is preferable since it requires neither any assumptions that sometimes do not exist in practice nor any trusted setup assumptions. Until now, there has been no construction of accountable ring signatures in the plain model, even with a linear signature size. In this paper, we present the first generic construction of accountable ring signature schemes that have the logarithmic signature size and are secure in the plain model using standard assumptions.
Chapter
Ring signatures allow a ring member to produce signatures on behalf of all ring users but remain anonymous. At PKC 2022, Chatterjee et al. defined post-quantum ring signatures with post-quantum anonymity and post-quantum blind-unforgeability. Assuming the hardness of the learning with errors problem, they proposed a generic construction that transforms any blind-unforgeable (BU) secure signature into a post-quantum ring signature in the standard model. However, the signature size grows linearly to the number of ring members. In this paper, we revisit the construction of Chatterjee et al. and present a compiler converting any BU secure signature into a compact (i.e., the signature size is logarithmically (or lower) dependent on the ring size) post-quantum ring signature in the standard model. Additionally, inspired by the work of Boneh et al. at CRYPTO 2013, we show how to transform any existentially unforgeable under a chosen message attack (EUF-CMA) secure signature into a BU secure signature. Hence, through our work, one can easily build a compact post-quantum ring signature in the standard model directly from any EUF-CMA secure signature.
Chapter
Traceable ring signature (TRS) is a variation of ring signature, allowing to expose the user’s identity whenever he signs two different messages under the same tag. The accountable anonymity of TRS makes it widely used in many restrained anonymous applications, e.g., e-voting system, offline coupon service. Traditional TRS schemes are built on mathematical problems, which are believed to be easy to solve by quantum computers. While numerous post-quantum (traceable) ring signature schemes have been proposed so far, there has been no TRS scheme based on isogenies proposed. We construct two TRS schemes from group actions that can be instantiated with isogenies and lattices. The critical technique is to generate multiple tags for the message and design an OR sigma protocol to generate proofs for multiple tag sets, which provides traceability for the TRS scheme. The signature size can be expressed as \(O(\log N)\), where N represents the ring size. Based on different instantiation parameters, our proposed scheme enables ring members to negotiate the signature size and signing time according to their specific requirements. Moreover, we prove the security of our scheme under the standard random oracle model.
Article
Industrial blockchain is believed to be a promising technology for modern industries. Despite the capacity of blockchain to protect users’ privacy, its inherent transparency renders data provenance traceable, a situation that does not fully guarantee the confidentiality of users and data sources. Users’ preferences, habits, identity, and other sensitive privacy information can be analyzed by adversaries after collecting a series of users’ requests. This paper integrates existing oracle technologies and proposes a distributed oracle architecture DISOC based on TOTP and ring signature to overcome the privacy shortcomings of traditional oracles. DISOC can be used to implement trustworthy off-chain data sharing from different data source with strong privacy-preservation. It can effectively protect the privacy of data sources while protecting user privacy to mitigate potential data leakage issues. After analysis and testing, DISOC can perfectly meet the data sharing needs and privacy preservation of multiple data sources.
Article
Privacy protection ensures that individuals have control over personal data, preventing abuse and preserving trust in the use of online services. In the “Digital Era”, where the collection, storage and processing of personal information have become ubiquitous, data privacy emerges as a relevant topic. In this sense, laws were created, such as the General Data Protection Law (LGPD) in Brazil and the General Data Protection Regulation (GDPR) in Europe, to control privacy and the processing of personal data. The article presents a comparative analysis of 2 (two) data privacy mechanisms, the Zero-Knowledge Proof (ZKP) and Ring Signatures, used in Blockchain, aiming at the legal and regulatory implications with the LGPD and GDPR. The comparative study between ZKP and Ring Signatures highlights the flexibility of ZKP in various contexts, including voting and secure authentication systems, while Ring Signatures offer significant advantages in terms of scalability and efficiency in systems where subscriber anonymity is considered fundamental. Furthermore, the legal and regulatory implications of the ZKP are discussed, mainly in relation to LGPD and GDPR. Finally, the article concludes that the comparative analysis offers insights into applications, challenges and legal and regulatory implications, particularly in relation to data privacy and compliance with regulations such as LGPD and GDPR.
Chapter
Ring signature schemes provide anonymity but suffer from the double-spending problem if overused without control in blockchain transactions. In the unique ring signature scheme, each member in the ring can generate at most one signature for one message on behalf of the ring, which can effectively prevent the problem of double spending. However, most of the existing unique ring signature schemes are constructed based on the hard problems of traditional cryptography, which are not safe in the post-quantum environment. This paper designs and proposes a lattice-based unique ring signature scheme, which can provide anonymity protection for the transaction initiator when users trade, and can prevent malicious users from double-spending attacks, ensuring the legitimacy of the transaction; this scheme is safe in the quantum environment.
Chapter
Strong designated verifier signature schemes rely on sender-privacy to hide the identity of the creator of a signature to all but the intended recipient. This property can be invaluable in, for example, the context of deniability, where the identity of a party should not be deducible from the communication sent during a protocol execution. In this work, we explore the technical definition of sender-privacy and extend it from a 2-party setting to an n-party setting. Afterwards, we show in which cases this extension provides stronger security and in which cases it does not.
Chapter
The Lattice Isomorphism Problem (LIP) asks whether two given lattices are isomorphic via an orthogonal linear transformation. At Eurocrypt 2022, Ducas and van Woerden provide a solid foundation for LIP as a promising candidate for post-quantum cryptography. They then propose a digital signature HAWK from LIP in the hash-then-sign framework, whose module version was recently investigated by Ducas et al. at Asiacrypt 2022. HAWK is one of the brightest prospects at round one of the NIST for additional digital signatures. In this paper, we build the first (linkable) ring signature schemes based on the hardness of LIP. The proposed signatures have the logarithmic size in the number of ring users. Our signature size is significantly smaller than several ring signatures based on other underlying problems when the number of users in the ring is large. To this end, we leverage group action properties of LIP and follow the Merkle tree-based construction of Beullens, Katsumata and Pintore at Asiacrypt 2020 in the context of isogeny-based cryptography, with suitable adaptions to lattice isomorphism group actions.
Chapter
In the context of smart grids, bidirectional transmission of electricity information enables real-time electricity generation tailored to consumer needs. However, ensuring user privacy during data collection has emerged as a significant concern with the proliferation of data collection and transmission capabilities. Existing solutions such as group signature and pseudonym systems have limitations, such as lack of trustworthiness in group signature administrators and increased system costs associated with pseudonym storage. To address these drawbacks, this paper proposes a certificateless ring signcryption scheme with conditional privacy protection based on the SM2 algorithm. The scheme efficiently enables users to ring signcryption transmitted messages, thereby concealing the sender’s identity from the message receiver. This approach resolves the privacy concerns mentioned earlier. In addition, tracking algorithm and batch verification algorithm have been designed to improve computational efficiency while also providing the ability for trusted parties to track malicious users. This scheme achieves conditional privacy preservation while avoiding substantial storage costs for power resources. Compared to the latest available programmes, our proposed scheme offers enhanced efficiency and lower communication costs. It represents a novel and effective solution for privacy protection in smart grids, ensuring secure data transmission while minimizing system overhead.
Chapter
This paper introduces Bicameral and Auditably Private Signatures (BAPS) – a new privacy-preserving signature system with several novel features. In a BAPS system, given a certified attribute \(\textbf{x}\) and a certified policy P, a signer can issue a publicly verifiable signature \(\varSigma \) on a message m as long as \((m, \textbf{x})\) satisfies P. A noteworthy characteristic of BAPS is that both attribute \(\textbf{x}\) and policy P are kept hidden from the verifier, yet the latter is convinced that these objects were certified by an attribute-issuing authority and a policy-issuing authority, respectively. By considering bicameral certification authorities and requiring privacy for both attributes and policies, BAPS generalizes the spirit of existing advanced signature primitives with fine-grained controls on signing capabilities (e.g., attribute-based signatures, predicate signatures, policy-based signatures). Furthermore, BAPS provides an appealing feature named auditable privacy, allowing the signer of \(\varSigma \) to verifiably disclose various pieces of partial information about P and \(\textbf{x}\) when asked by auditor(s)/court(s) at later times. Auditable privacy is intrinsically different from and can be complementary to the notion of accountable privacy traditionally incorporated in traceable anonymous systems such as group signatures. Equipped with these distinguished features, BAPS can potentially address interesting application scenarios for which existing primitives do not offer a direct solution. We provide rigorous security definitions for BAPS, following a “sim-ext” approach. We then demonstrate a generic construction based on commonly used cryptographic building blocks, which employs a sign-then-commit-then-prove design. Finally, we present a concrete instantiation of BAPS, that is proven secure in the random oracle model under lattice assumptions. The scheme can handle arbitrary policies represented by polynomial-size Boolean circuits and can address quadratic disclosing functions. In the construction process, we develop a new technical building block that could be of independent interest: a zero-knowledge argument system allowing to prove the satisfiability of a certified-and-hidden Boolean circuit on certified-and-committed inputs.
Article
Many IoT applications require users to share their devices’ location, and enhanced privacy protection means sharing location anonymously, unlinkably and without relying on any administrators. But under such protection, it is difficult to trust shared location data, which may come from unregistered devices, from multiple logins of the same device, or from a cloned device ID, or may even be generated by an attacker without any device at all! Such untrusted location sharing cheats the system, misleads users, and even attacks the system. To the best of our knowledge, such problems have not been solved in a decentralized system. To solve them in one scheme, we put forward the first decentralized accumulator for device registration and construct the first practical decentralized anonymous authentication for device login. When logging in, the device provides a special knowledge proof, which integrates zero-knowledge (for privacy) with knowledge-leakage (for identifying abnormal behaviors), designed for blockchain (for decentralization). Therefore, in our system, only registered IoT devices can upload location data and their logins are anonymous and unlinkable, while logging in more than K times in a system period or cloning an ID to log in concurrently can be identified and tracked without any trusted centers. In addition, we provide the security proofs and the application examples of the proposed scheme. The efficiency analysis and experimental data show that the performance of our scheme can meet the needs of real-world location sharing on IoT.
Conference Paper
Suppose we are given a proof of knowledge $\mathcal{P}$ in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme $\mathcal{S}$ on n participants. Then under certain assumptions on $\mathcal{P}$ and $\mathcal{S}$, we show how to transform $\mathcal{P}$ into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by $\mathcal{S}$. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if $\mathcal{P}$ did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as $\mathcal{P}$ and communication complexity n times that of $\mathcal{P}$. Our results use no unproven complexity assumptions.
Conference Paper
We investigate structural properties of statistical zero knowledge (SZK) both in the interactive and in the non-interactive model. Specifically, we look into the closure properties of SZK languages under monotone logical formula composition. This gives rise to new protocol techniques. We show that interactive SZK for random self-reducible languages (RSR) (and for co-RSR) is closed under monotone Boolean operations. Namely, we give SZK proofs for monotone Boolean formulae whose atoms are statements about an SZK language which is RSR (or a complement of RSR). All previously known languages in SZK are in these classes. We then show that if a language L has a non-interactive SZK proof system then honest-verifier interactive SZK proof systems exist for all monotone Boolean formulae whose atoms are statements about the complement of L. We also discuss extensions and generalizations.
Conference Paper
Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S , we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to a subset of n problem instances corresponding to a qualified set of participants. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, this can lead to witness hiding protocols, even if P did not have this property. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P . Our results use no unproven complexity assumptions. AMS Subject Classification (1991): 94A60 CR Subject Classification (1991): D.4.6 Ke...
Conference Paper
Let $F_n$ be the set of all functions from $n$ bits to $n$ bits. Let $f^n$ specify for each key $k$ of a given length a function $f^n_k \in F_n$. We say $f^n$ is pseudorandom if the following two properties hold: (1) Given a key $k$ and an input $\alpha$ of length $n$, the time to evaluate $f^n_k(\alpha)$ is polynomial in $n$. (2) If a random key $k$ is chosen, $f^n_k$ “looks like” a random function chosen from $F_n$ to any algorithm which is allowed to evaluate $f^n_k$ at polynomially many (in $n$) input values. Let $P_{2n}$ be the set of permutations (1-1 onto functions) from $2n$ bits to $2n$ bits. Let $p^{2n}$ specify for each key $k$ of a given length a permutation $p^{2n}_k \in P_{2n}$. We present a simple method for describing $p^{2n}$ in terms of $f^n$. The method has the property that if $f^n$ is pseudo-random then $p^{2n}$ is also pseudo-random. The method was inspired by a study of the security of the Data Encryption Standard. This result, together with the result of Goldreich, Goldwasser and Micali [GGM], implies that if there is a pseudo-random number generator then there is a pseudo-random invertible permutation generator. We also prove that if two permutation generators which are “slightly secure” are cryptographically composed, the result is more secure than either one alone.
Article
We show how to efficiently construct a pseudorandom invertible permutation generator from a pseudorandom function generator. Goldreich, Goldwasser and Micali ["How to construct random functions," Proc. 25th Annual Symposium on Foundations of Computer Science, October 24–26, 1984.] introduce the notion of a pseudorandom function generator and show how to efficiently construct a pseudorandom function generator from a pseudorandom bit generator. We use some of the ideas behind the design of the Data Encryption Standard for our construction. A practical implication of our result is that any pseudorandom bit generator can be used to construct a block private key cryptosystem which is secure against chosen plaintext attack, which is one of the strongest known attacks against a cryptosystem.
Conference Paper
For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature. Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by the proof, even if he shares all his secret information with entities that want to get convinced. Our solution is based on trap-door commitments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trap-door commitment scheme can be used to constr...
Article
We introduce a new class of public-key functions involving a number n = pq having two large prime factors. As usual, the key n is public, while p and q are the private key used by the issuer for production of signatures and function inversion. These functions can be used for all the applications involving public-key functions proposed by Diffie and Hellman, including digitalized signatures. We prove that for any given n, if we can invert the function y = E (x1) for even a small percentage of the values y then we can factor n. Thus, as long as factorization of large numbers remains practically intractable, for appropriately chosen keys not even a small percentage of signatures are forgeable. Breaking the RSA function is at most as hard as factorization, but is not known to be equivalent to factorization even in the weak sense that the ability to invert all function values entails the ability to factor the key. Computation time for these functions, i.e. signature verification, is several hundred times faster than for the RSA scheme. Inversion time, using the private key, is comparable. The almost-everywhere intractability of signature forgery for our functions (on the assumption that factoring is intractable) is of great practical significance and seems to be the first proved result of this kind.
Conference Paper
The concept of group signatures was introduced by Chaum et al. at Eurocrypt ’91. It allows a member of a group to sign messages anonymously on behalf of the group. In case of a later dispute a designated group manager can revoke the anonymity and identify the originator of a signature. In this paper we propose a new efficient group signature scheme. Furthermore we present a model and the first realization of generalized group signatures. Such a scheme allows to define coalitions of group members that are able to sign on the group’s behalf.
Conference Paper
In this paper we present a new type of signature for a group of persons, called a group signature, which has the following properties: (i) only members of the group can sign messages; (ii) the receiver can verify that it is a valid group signature, but cannot discover which group member made it; (iii) if necessary, the signature can be "opened", so that the person who signed the message is revealed. The group signatures are a "generalization" of the credential/membership authentication schemes, in which one person proves that he belongs to a certain group. We present four schemes that satisfy the properties above. Not all these schemes are based on the same cryptographic assumption. In some of the schemes a trusted centre is only needed during the setup; and in other schemes, each person can create the group he belongs to.
Article
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: 1. Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. 2. A message can be "signed" using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in "electronic mail" and "electronic funds transfer" systems. A message is encrypted by representing it as a number M, raising M to a publicly specified
Article
An encryption method is presented with the novel property that publicly revealing an encryption key does not thereby reveal the corresponding decryption key. This has two important consequences: Couriers or other secure means are not needed to transmit keys, since a message can be enciphered using an encryption key publicly revealed by the intended recipient. Only he can decipher the message, since only he knows the corresponding decryption key. A message can be “signed” using a privately held decryption key. Anyone can verify this signature using the corresponding publicly revealed encryption key. Signatures cannot be forged, and a signer cannot later deny the validity of his signature. This has obvious applications in “electronic mail” and “electronic funds transfer” systems. A message is encrypted by representing it as a number M, raising M to a publicly specified power e, and then taking the remainder when the result is divided by the publicly specified product, n, of two large secret prime numbers p and q. Decryption is similar; only a different, secret, power d is used, where e · d ≡ 1 (mod (p − 1) · (q − 1)). The security of the system rests in part on the difficulty of factoring the published divisor, n.
Conference Paper
In this paper we present a new type of signature for a group of persons, called a group signature, which has the following properties: only members of the group can sign messages; the receiver can verify that it is a valid group signature, but cannot discover which group member made it; if necessary, the signature can be “opened”, so that the person who signed the message is revealed. These group signatures are a “generalization” of the credential/membership authentication schemes, in which one person proves that he belongs to a certain group. We present four schemes that satisfy the properties above. Not all these schemes are based on the same cryptographic assumption. In some of the schemes a trusted centre is only needed during the setup; and in other schemes, each person can create the group he belongs to.
Article
Two kinds of contemporary developments in cryptography are examined. Widening applications of teleprocessing have given rise to a need for new types of cryptographic systems, which minimize the need for secure key distribution channels and supply the equivalent of a written signature. This paper suggests ways to solve these currently open problems. It also discusses how the theories of communication and computation are beginning to provide the tools to solve cryptographic problems of long standing.
Article
In this work we assume that we are given an interactive proof where the prover P convinces the verifier V that P knows some secret. Typically, the secret is the preimage under some one-way function of a publicly known piece of information. Thus the secret could be for example a discrete log or an RSA root. Such a proof is called a proof of knowledge [5], and can be used in practice to design identification schemes or signature systems. We assume in the following that the proof of knowledge has a special form in that the verifier only sends uniformly chosen bits. This is also known as a public coin protocol. For simplicity, we restrict ourselves to 3-round protocols, where the prover speaks first (generalization of our results to any number of rounds is possible). We also
(Footnote 1: Partly done during Cramer's and Schoenmaker's visit at Aarhus University.)