In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, a ring signature is a type of
digital signature
A digital signature is a mathematical scheme for verifying the authenticity of digital messages or documents. A valid digital signature, where the prerequisites are satisfied, gives a recipient very high confidence that the message was created b ...
that can be performed by any member of a set of users that each have
keys
Key or The Key may refer to:
Common meanings
* Key (cryptography), a piece of information that controls the operation of a cryptography algorithm
* Key (lock), device used to control access to places or facilities restricted by a lock
* Key (map ...
. Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine ''which'' of the set's members' keys was used to produce the signature. Ring signatures are similar to
group signature A group signature scheme is a method for allowing a member of a group to anonymously sign a message on behalf of the group. The concept was first introduced by David Chaum and Eugene van Heyst in 1991. For example, a group signature scheme could b ...
s but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.
Ring signatures were invented by
Ron Rivest
Ronald Linn Rivest (; born May 6, 1947) is a cryptographer and an Institute Professor at MIT. He is a member of MIT's Department of Electrical Engineering and Computer Science (EECS) and a member of MIT's Computer Science and Artificial Intell ...
,
Adi Shamir
Adi Shamir ( he, עדי שמיר; born July 6, 1952) is an Israeli cryptographer. He is a co-inventor of the Rivest–Shamir–Adleman (RSA) algorithm (along with Ron Rivest and Len Adleman), a co-inventor of the Feige–Fiat–Shamir identificat ...
, and
Yael Tauman Kalai
Yael Tauman Kalai is a cryptographer and theoretical computer scientist who works as a Senior Principal Researcher at Microsoft Research New England and as an adjunct professor at MIT in the Computer Science and Artificial Intelligence Lab.
Edu ...
, and introduced at
ASIACRYPT in 2001. The name, ''ring signature'', comes from the ring-like structure of the signature
algorithm
In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algorithms are used as specificat ...
.
Definition
Suppose that a set of entities each have public/private key pairs, (''P''
1, ''S''
1), (''P''
2, ''S''
2), ..., (''P''
''n'', ''S''
''n''). Party ''i'' can compute a ring signature σ on a message ''m'', on input (''m'', ''S''
''i'', ''P''
1, ..., ''P''
''n''). Anyone can check the validity of a ring signature given σ, ''m'', and the public keys involved, ''P''
1, ..., ''P''
''n''. If a ring signature is properly computed, it should pass the check. On the other hand, it should be hard for anyone to create a valid ring signature on any message for any set without knowing any of the private keys for that set.
Applications and modifications
In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret. For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking
White House
The White House is the official residence and workplace of the president of the United States. It is located at 1600 Pennsylvania Avenue NW in Washington, D.C., and has been the residence of every U.S. president since John Adams in 1800. ...
official", without revealing which official signed the message. Ring signatures are right for this application because the anonymity of a ring signature cannot be revoked, and because the group for a ring signature can be improvised.
Another application, also described in the original paper, is for
deniable signatures. Here the sender and the recipient of a message form a group for the ring signature, then the signature is valid to the recipient, but anyone else will be unsure whether the recipient or the sender was the actual signer. Thus, such a signature is convincing, but cannot be transferred beyond its intended recipient.
There were various works, introducing new features and based on different assumptions:
;Threshold ring signatures: Unlike standard "''t''-out-of-''n''"
threshold signature, where ''t'' of ''n'' users should collaborate to decrypt a message, this variant of a ring signature requires ''t'' users to cooperate in the signing
protocol
Protocol may refer to:
Sociology and politics
* Protocol (politics), a formal agreement between nation states
* Protocol (diplomacy), the etiquette of diplomacy and affairs of state
* Etiquette, a code of personal behavior
Science and technology
...
. Namely, ''t'' parties (''i''
1, ''i''
2, ..., ''i''
''t'') can compute a (''t'', ''n'')-ring signature, σ, on a message, ''m'', on input (''m'', ''S''
''i''1, ''S''
''i''2, ..., ''S''
''i''''t'', ''P''
1, ..., ''P''
''n'').
;Linkable ring signatures: The property of linkability allows one to determine whether any two signatures have been produced by the same member (under the same private key). The identity of the signer is nevertheless preserved. One of the possible applications can be an offline
e-cash system.
;Traceable ring signature:
In addition to the previous scheme the public key of the signer is revealed (if they issue more than one signatures under the same private key). An
e-voting system can be implemented using this protocol.
Efficiency
Most of the proposed algorithms have
asymptotic
In analytic geometry, an asymptote () of a curve is a line such that the distance between the curve and the line approaches zero as one or both of the ''x'' or ''y'' coordinates tends to infinity. In projective geometry and related contexts, ...
output size
; i.e., the size of the resulting signature increases linearly with the size of input (number of public keys). That means that such schemes are impracticable for real use cases with sufficiently large
(for example, an e-voting with millions of participants). But for some application with relatively small
median
In statistics and probability theory, the median is the value separating the higher half from the lower half of a data sample, a population, or a probability distribution. For a data set, it may be thought of as "the middle" value. The basic fe ...
input size such estimate may be acceptable.
CryptoNote
CryptoNote is an application layer protocol designed for use with cryptocurrencies that aims to solve specific problems identified in Bitcoin. Namely:
* Traceability of transactions
* The proof-of-work function (see Bitcoin network)
* Irregular ...
implements
ring signature scheme by Fujisaki and Suzuki
in p2p payments to achieve sender's untraceability.
More efficient algorithms have appeared recently. There are schemes with the sublinear size of the signature, as well as with constant size.
Implementation
Original scheme
The original paper describes an
RSA based ring signature scheme, as well as one based on
Rabin signatures. They define a
keyed "combining function"
which takes a key
, an initialization value
, and a list of arbitrary values
.
is defined as
, where
is a trap-door function (i.e. an RSA public key in the case of RSA based ring signatures).
The function
is called the ring equation, and is defined below. The equation is based on a
symmetric encryption function :
:
It outputs a single value
which is forced to be equal to
. The equation
can be solved as long as at least one
, and by extension
, can be freely chosen. Under the assumptions of RSA, this implies knowledge of at least one of the inverses of the trap door functions
(i.e. a private key), since
.
Signature generation
Generating a ring signature involves six steps. The plaintext is signified by
, the ring's public keys by
.
# Calculate the key
, using a
cryptographic hash function
A cryptographic hash function (CHF) is a hash algorithm (a map of an arbitrary binary string to a binary string with fixed size of n bits) that has special properties desirable for cryptography:
* the probability of a particular n-bit output re ...
. This step assumes a
random oracle
In cryptography, a random oracle is an oracle (a theoretical black box) that responds to every ''unique query'' with a (truly) random response chosen uniformly from its output domain. If a query is repeated, it responds the same way every time th ...
for
, since
will be used as key for
.
# Pick a random glue value
.
# Pick random
for all ring members but yourself (
will be calculated using the signer's private key), and calculate corresponding
.
# Solve the ring equation for
# Calculate
using the signer's private key:
# The ring signature now is the
-tuple
Signature verification
Signature verification involves three steps.
# Apply the public key trap door on all
:
.
# Calculate the symmetric key
.
# Verify that the ring equation holds
.
Python implementation
Here is a
Python
Python may refer to:
Snakes
* Pythonidae, a family of nonvenomous snakes found in Africa, Asia, and Australia
** ''Python'' (genus), a genus of Pythonidae found in Africa and Asia
* Python (mythology), a mythical serpent
Computing
* Python (pro ...
implementation of the original paper using
RSA. Requires 3rd-party module PyCryptodome.
import os
import hashlib
import random
import Crypto.PublicKey.RSA
import functools
class Ring:
"""RSA implementation."""
def __init__(self, k, L: int = 1024) -> None:
self.k = k
self.l = L
self.n = len(k)
self.q = 1 << (L - 1)
def sign_message(self, m: str, z: int):
self._permut(m)
s = one* self.n
u = random.randint(0, self.q)
c = v = self._E(u)
first_range = list(range(z + 1, self.n))
second_range = list(range(z))
whole_range = first_range + second_range
for i in whole_range:
s = random.randint(0, self.q)
e = self._g(s self.k e, self.k n)
v = self._E(v ^ e)
if (i + 1) % self.n 0:
c = v
s = self._g(v ^ u, self.k d, self.k n)
return + s
def verify_message(self, m: str, X) -> bool:
self._permut(m)
def _f(i):
return self._g(X + 1 self.k e, self.k n)
y = map(_f, range(len(X) - 1))
y = list(y)
def _g(x, i):
return self._E(x ^ y
r = functools.reduce(_g, range(self.n), X
return r X
def _permut(self, m):
msg = m.encode("utf-8")
self.p = int(hashlib.sha1(msg).hexdigest(), 16)
def _E(self, x):
msg = f"".encode("utf-8")
return int(hashlib.sha1(msg).hexdigest(), 16)
def _g(self, x, e ,n):
q, r = divmod(x, n)
if((q + 1) * n) <= ((1 << self.l) - 1):
result = q * n + pow(r, e, n)
else:
result = x
return result
To sign and verify 2 messages in a ring of 4 users:
size = 4
msg1, msg2 = "hello", "world!"
def _rn(_):
return Crypto.PublicKey.RSA.generate(1024, os.urandom)
key = map(_rn, range(size))
key = list(key)
r = Ring(key)
for i in range(size):
signature_1 = r.sign_message(msg1, i)
signature_2 = r.sign_message(msg2, i)
assert r.verify_message(msg1, signature_1) and r.verify_message(msg2, signature_2) and not r.verify_message(msg1, signature_2)
Cryptocurrencies
The
CryptoNote
CryptoNote is an application layer protocol designed for use with cryptocurrencies that aims to solve specific problems identified in Bitcoin. Namely:
* Traceability of transactions
* The proof-of-work function (see Bitcoin network)
* Irregular ...
technology uses ring signatures. It was first implemented by Bytecoin.
ShadowCash
The cryptocurrency ShadowCash uses traceable ring signature to anonymize the sender of a transaction. However, these were originally implemented incorrectly, resulting in a partial de-anonymization of ShadowCash from their first implementation until February 2016 by
Monero
Monero (; Abbreviation: XMR) is a decentralized cryptocurrency. It uses a public distributed ledger with privacy-enhancing technologies that obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses tradi ...
Research Labs researcher, Shen Noether. Luckily only 20% of all the one-time keys in the system were affected by this bug, sender anonymity was compromised but receiver anonymity remained intact. A patch was submitted in a timely fashion to resolve the bug.
Monero
Monero
Monero (; Abbreviation: XMR) is a decentralized cryptocurrency. It uses a public distributed ledger with privacy-enhancing technologies that obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses tradi ...
uses ring signatures to obsufacte the true spend in a transaction. A ring signature makes use of a user's account keys and a number of public keys (also known as outputs) pulled from the blockchain using a triangular distribution method. Over the course of time, past outputs could be used multiple times to form possible signer participants. In a "ring" of possible signers, all ring members are equal and valid. There is no way an outside observer can tell which of the possible signers in a signature group belongs to the user's account. So, ring signatures ensure that transaction outputs are untraceable. Moreover, there are no fungibility issues with Monero given that every transaction output has plausible deniability (e.g. the network can not tell which outputs are spent or unspent).
[{{Cite web, url=https://www.getmonero.org/resources/moneropedia/ringsignatures.html, title=Moneropedia: Ring Signature, website=getmonero.org, access-date=1 November 2022]
References
Public-key cryptography
Digital signature schemes