Cryptanalysis of a non-interactive deniable ring signature scheme


A ring signature scheme allows a signer to sign a message anonymously, while the deniable ring signature scheme, introduced by Komano et al., guarantees that the signer should be involved in opening the signer's anonymity. Gao et al. proposed the first lattice-based deniable ring signature scheme and claimed that their scheme satisfies the following security requirements: anonymity, traceability and non-frameability. In this work, we demonstrate that their scheme does not satisfy the latter two requirements. Specifically, we show that: (1) a malicious signer can produce a valid ring signature that violates traceability; (2) a malicious signer can also generate a valid ring signature that breaks non-frameability. Our attacks are simple and efficient, with success probability close to 1. We then give a simple countermeasure to thwart the attack in (2). Preventing our attack in (1) is non-trivial, but we point out that a deniable ring signature scheme without the traceability property can still find applications in some specific situations.




  1. Recall that the ring signature generated by the honest user 3 will contain a term \(A'=h_{\hat{b}'}(\hat{s_3})-H_1(3\Vert \hat{a_3})\cdot S\); then, the pair \(\big(\hat{b}',~A'+H_1(3\Vert \hat{a_3})\cdot S\big)\) is exactly what we need.

  2. Note that in the original (N)DRS schemes, the real signer can be detected by any verifier when other ring members are required to confirm or disavow their part in the signature.


  1. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret: theory and applications of ring signatures. Theor. Comput. Sci. Essays Mem Shimon Even 3895(23), 164–186 (2006).

  2. Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous identification in ad hoc groups. In: Christian, C., Camenisch, J.L. (eds.) EUROCRYPT’04—Proceedings of International Conference on the Theory and Applications of Cryptographic Techniques, Lecture Notes in Computer Science, vol. 3027, pp. 609–626. Springer, Berlin (2004).

  3. Naor, M.: Deniable ring authentication. In: Yung, M. (ed.) CRYPTO’02–Proceedings of 22nd Annual International Cryptology Conference, Lecture Notes in Computer Science, vol. 2442, pp. 481–498. Springer, Berlin (2002).

  4. Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) Advances in Cryptology—EUROCRYPT 1991, pp. 257–265. Springer, Berlin (1991).

  5. Bellare, M., Micciancio, D., Warinschi, B.: Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions. In: Biham, E. (ed.) Advances in Cryptology—EUROCRYPT 2003, pp. 614–629. Springer, Berlin (2003).

  6. Boyen, X., Waters, B.: Compact group signatures without random oracles. In: Vaudenay, S. (ed.) Advances in Cryptology—EUROCRYPT 2006, pp. 427–444. Springer, Berlin (2006).

  7. Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) Advances in Cryptology—ASIACRYPT 2007, pp. 164–180. Springer, Berlin (2007).

  8. Libert, B., Ling, S., Nguyen, K., Wang, H.: Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors. In: Fischlin, M., Coron, J.S. (eds.) Advances in Cryptology, EUROCRYPT 2016, pp. 1–31. Springer, Berlin (2016).

  9. Komano, Y., Ohta, K., Shimbo, A., Kawamura, S.: Toward the fair anonymous signatures: deniable ring signatures. In: Pointcheval, D. (ed.) CT-RSA 2006—Topics in Cryptology, pp. 174–191. Springer, Berlin (2006).

  10. Gao, W., Chen, L., Hu, Y., Newton, C., Wang, B., Chen, J.: Lattice-based deniable ring signatures. Int. J. Inf. Secur. (2018).

  11. Shor, P.W.: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput. 26(5), 1484–1509 (1997).

  12. Aguilar-Melchor, C., Bettaieb, S., Boyen, X., Fousse, L., Gaborit, P.: Adapting Lyubashevsky’s signature schemes to the ring signature setting. In: Youssef, A., Nitaj, A., Hassanien, A.E. (eds.) AFRICACRYPT 2013–Progress in Cryptology: 6th International Conference on Cryptology in Africa, pp. 1–25. Springer, Berlin (2013).

  13. Lyubashevsky, V.: Fiat-Shamir with aborts: applications to lattice and factoring-based signatures. In: Matsui, M. (ed.) ASIACRYPT 2009—Advances in Cryptology: 15th International Conference on the Theory and Application of Cryptology and Information Security, pp. 598–616. Springer, Berlin (2009).

  14. Brakerski, Z., Kalai, Y.T.: A framework for efficient signatures, ring signatures and identity-based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010).

  15. Wang, F., Hu, Y., Wang, C.: A lattice-based ring signature scheme from bonsai trees. J. Electron. Inf. Technol. 32(10), 2400 (2010).



Funding was provided by the National Key R&D Program of China (Grant No. 2017YFB0802000), the Foundation of National Natural Science of China (Grant Nos. 61802075, 61802241, 61672412, 61772147, U19B2021, U1736111), the National Cryptography Development Fund (Grant Nos. MMJJ20170104, MMJJ20170117, MMJJ20180111), the Guangdong Province Natural Science Foundation of Major Basic Research and Cultivation Project (Grant No. 2015A030308016), the Project of Ordinary University Innovation Team Construction of Guangdong Province (Grant No. 2015KCXTD014), the Collaborative Innovation Major Projects of Bureau of Education of Guangzhou City (Grant No. 1201610005) and the National Natural Science Foundation of Shaanxi Province (Grant No. 2020ZDLGY08-04).

Author information



Corresponding author

Correspondence to Huiwen Jia.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.

Human participants or animals performed

This article does not contain any studies with human participants or animals performed by any of the authors.


About this article


Cite this article

Jia, H., Tang, C. Cryptanalysis of a non-interactive deniable ring signature scheme. Int. J. Inf. Secur. 20, 103–112 (2021).



  • Deniability
  • Ring signature
  • Lattice-based cryptography
  • Cryptanalysis