Ring_signature

Ring signature

Add article description

In cryptography, a ring signature is a type of digital signature that can be performed by any member of a set of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature. Ring signatures are similar to group signatures but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.

Ring signatures were invented by Ron Rivest, Adi Shamir, and Yael Tauman Kalai, and introduced at ASIACRYPT in 2001.^[1] The name, ring signature, comes from the ring-like structure of the signature algorithm.

Efficiency

Most of the proposed algorithms have asymptotic output size $O(n)$ ; i.e., the size of the resulting signature increases linearly with the size of input (number of public keys). That means that such schemes are impracticable for real use cases with sufficiently large $n$ (for example, an e-voting with millions of participants). But for some application with relatively small median input size such estimate may be acceptable. CryptoNote implements $O(n)$ ring signature scheme by Fujisaki and Suzuki^[5] in p2p payments to achieve sender's untraceability.

More efficient algorithms have appeared recently. There are schemes with the sublinear size of the signature,^[6] as well as with constant size.^[7]

Implementation

Original scheme

The original paper describes an RSA based ring signature scheme, as well as one based on Rabin signatures. They define a keyed "combining function" $C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ which takes a key $k$ , an initialization value $v$ , and a list of arbitrary values $y_{1},\dots y_{n}$ . $y_{i}$ is defined as $g_{i}(x_{i})$ , where $g_{i}$ is a trap-door function (i.e. an RSA public key in the case of RSA based ring signatures).

The function $C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ is called the ring equation, and is defined below. The equation is based on a symmetric encryption function $E_{k}$ :

C_{k,v}(y_{1},y_{2},\dots ,y_{n})=E_{k}(y_{n}\oplus E_{k}(y_{n-1}\oplus E_{k}(\dots \oplus E_{k}(y_{1}\oplus v)\dots )))

It outputs a single value $z$ which is forced to be equal to $v$ . The equation $v=C_{k,v}(y_{1},y_{2},\dots ,y_{n})$ can be solved as long as at least one $y_{i}$ , and by extension $x_{i}$ , can be freely chosen. Under the assumptions of RSA, this implies knowledge of at least one of the inverses of the trap door functions $g_{i}^{-1}$ (i.e. a private key), since $g_{i}^{-1}(y_{i})=x_{i}$ .

Signature generation

Generating a ring signature involves six steps. The plaintext is signified by $m$ , the ring's public keys by $P_{1},P_{2},\dots ,P_{n}$ .

Calculate the key $k={\mathcal {H}}(m)$ , using a cryptographic hash function. This step assumes a random oracle for ${\mathcal {H}}$ , since $k$ will be used as key for $E_{k}$ .
Pick a random glue value $v$ .
Pick random $x_{i}$ for all ring members but yourself ( $x_{s}$ will be calculated using the signer's private key), and calculate corresponding $y_{i}=g_{i}(x_{i})$ .
Solve the ring equation for $y_{s}$
Calculate $x_{s}$ using the signer's private key: $x_{s}=g_{s}^{-1}(y_{s})$
The ring signature now is the $(2n+1)$ -tuple $(P_{1},P_{2},\dots ,P_{n};v;x_{1},x_{2},\dots ,x_{n})$

Signature verification

Signature verification involves three steps.

Apply the public key trap door on all $x_{i}$ : $y_{i}=g_{i}(x_{i})$ .
Calculate the symmetric key $k={\mathcal {H}}(m)$ .
Verify that the ring equation holds $C_{k,v}(y_{1},y_{2},\dots ,y_{n})=v$ .

Python implementation

Here is a Python implementation of the original paper using RSA. Requires 3rd-party module PyCryptodome.

import os
import hashlib
import random
import Crypto.PublicKey.RSA

import functools

class Ring:
    """RSA implementation."""

    def __init__(self, k, L: int = 1024) -> None:
        self.k = k
        self.l = L
        self.n = len(k)
        self.q = 1 << (L - 1)

    def sign_message(self, m: str, z: int):
        self._permut(m)
        s = [None] * self.n
        u = random.randint(0, self.q)
        c = v = self._E(u)

        first_range = list(range(z + 1, self.n))
        second_range = list(range(z))
        whole_range = first_range + second_range

        for i in whole_range:
            s[i] = random.randint(0, self.q)
            e = self._g(s[i], self.k[i].e, self.k[i].n)
            v = self._E(v ^ e)
            if (i + 1) % self.n == 0:
                c = v

        s[z] = self._g(v ^ u, self.k[z].d, self.k[z].n)
        return [c] + s

    def verify_message(self, m: str, X) -> bool:
        self._permut(m)

        def _f(i):
            return self._g(X[i + 1], self.k[i].e, self.k[i].n)

        y = map(_f, range(len(X) - 1))
        y = list(y)

        def _g(x, i):
            return self._E(x ^ y[i])

        r = functools.reduce(_g, range(self.n), X[0])
        return r == X[0]

    def _permut(self, m):
        msg = m.encode("utf-8")
        self.p = int(hashlib.sha1(msg).hexdigest(), 16)

    def _E(self, x):
        msg = f"{x}{self.p}".encode("utf-8")
        return int(hashlib.sha1(msg).hexdigest(), 16)

    def _g(self, x, e, n):
        q, r = divmod(x, n)
        if ((q + 1) * n) <= ((1 << self.l) - 1):
            result = q * n + pow(r, e, n)
        else:
            result = x
        return result

To sign and verify 2 messages in a ring of 4 users:

size = 4
msg1, msg2 = "hello", "world!"

def _rn(_):
    return Crypto.PublicKey.RSA.generate(1024, os.urandom)

key = map(_rn, range(size))
key = list(key)

r = Ring(key)

for i in range(size):
    signature_1 = r.sign_message(msg1, i)
    signature_2 = r.sign_message(msg2, i)
    assert r.verify_message(msg1, signature_1) and r.verify_message(msg2, signature_2) and not r.verify_message(msg1, signature_2)

Share this article:

This article uses material from the Wikipedia article Ring_signature, and is written by contributors. Text is available under a CC BY-SA 4.0 International License; additional terms may apply. Images, videos and audio are available under their respective licenses.

[1] [1]
Rivest, Ronald L.; Shamir, Adi; Tauman, Yael (2001). "How to Leak a Secret". Advances in Cryptology — ASIACRYPT 2001. Lecture Notes in Computer Science. Vol. 2248. pp. 552–565. doi:10.1007/3-540-45682-1_32. ISBN 978-3-540-42987-6.

[2] [2]
Debnath, Ashmita; Singaravelu, Pradheepkumar; Verma, Shekhar (19 December 2012). "Efficient spatial privacy preserving scheme for sensor network". Central European Journal of Engineering. 3 (1): 1–10. doi:10.2478/s13531-012-0048-7. S2CID 137248994.

[3] [3]
E. Bresson; J. Stern; M. Szyd lo (2002). "Threshold Ring Signatures and Applications to Ad-hoc Groups" (PDF). Advances in Cryptology — CRYPTO 2002. Lecture Notes in Computer Science. Vol. 2442. pp. 465–480. doi:10.1007/3-540-45708-9_30. ISBN 978-3-540-44050-5.

[4] [4]
Liu, Joseph K.; Wong, Duncan S. (2005). "Linkable Ring Signatures: Security Models and New Schemes". Computational Science and Its Applications – ICCSA 2005. Lecture Notes in Computer Science. Vol. 2. pp. 614–623. doi:10.1007/11424826_65. ISBN 978-3-540-25861-2. {{cite book}}: |journal= ignored (help)

[FS07-5] [5]
Fujisaki, Eiichiro; Suzuki, Koutarou (2007). "Traceable Ring Signature". Public Key Cryptography: 181–200.

[6] [6]
Fujisaki, Eiichiro (2011). "Sub-linear size traceable ring signatures without random oracles". IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences. 95 (1): 393–415. Bibcode:2012IEITF..95..151F. doi:10.1587/transfun.E95.A.151.

[7] [7]
Au, Man Ho; Liu, Joseph K.; Susilo, Willy; Yuen, Tsz Hon (2006). "Constant-Size ID-Based Linkable and Revocable-iff-Linked Ring Signature". Progress in Cryptology - INDOCRYPT 2006. Lecture Notes in Computer Science. Vol. 4329. pp. 364–378. doi:10.1007/11941378_26. ISBN 978-3-540-49767-7.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

Ring_signature

Ring signature

Definition

Applications and modifications