Abstract
In this paper, we construct a revocable and linkable ring signature (RLRS) scheme, which enables a revocation authority to revoke the anonymity of the real signer in a linkable ring signature scheme under any circumstances. In other words, the revocability of RLRS is mandatory. The proposed RLRS scheme inherits the desired properties of group signatures (anonymity revocation) and linkable ring signatures (spontaneous group formation and linkability). In addition, we prove the security of our scheme in the random oracle model. We also provide a revocable ring confidential transaction protocol based on our RLRS scheme, which embeds revocability in the ring confidential transaction protocol.
Appendix A. Revocable Ring Confidential Transaction
In Appendix A, we present a revocable ring confidential transaction protocol based on our RLRS scheme.
\(\mathtt {Setup} (\lambda )\): Let \(\mathbb {G}\) be a group of prime order q such that the underlying discrete logarithm problem is intractable. Let \(H_1 : \{0,1\}^* \rightarrow \mathbb {Z}_q\) and \(H_2 : \{0,1\}^* \rightarrow \mathbb {G}\) be two hash functions, and let g, h be two generators of \(\mathbb {G}\). The public parameters are \(param = \{\mathbb {G}, g, h, q, H_1, H_2\}\).
\(\mathtt {KeyGen}(param)\): Randomly choose \(x \in \mathbb {Z}_q\) and compute \(y = g^x \pmod {q}\). The secret key is \(sk = x\) and the corresponding public key is \(pk = y\).
\(\mathtt {Mint}(a, pk)\): Given an amount a and a coin address pk, randomly choose \(r \in \mathbb {Z}_q\) and compute \(C = h^a g^r \pmod {q}\), where the coin in address pk is denoted as \(cn_{pk} = C\) and the corresponding coin key is \(ck = r\). The public information of an account is \(act = (y,C)\) and the secret information is \(ask = (x,r)\).
\(\mathtt {Spend}(A_s, R, m, t, \mathbb {Y}, M, pk_{rev})\): On input a set of m accounts \(A_s\) of the spender s, a set of t output accounts R, a set of n group public keys \(\mathbb {Y}\) such that \(\mathbb {Y} = Y_1, \dots , Y_n\), a transaction string M, and a revocation authority’s public key \(pk_{rev} = \tilde{y}\), the spender s can spend his/her m accounts to t output accounts by performing the following steps:
1. The spender s parses \(A_s = \{act^{(k)}\}_{k \in [m]}\) into \(\{(y_s^{(1)}, C_s^{(1)}), \dots , (y_s^{(m)}, C_s^{(m)})\}\) and \(K_s = \{ask^{(k)}\}_{k \in [m]}\) into \(\{(x_s^{(1)}, r_s^{(1)}), \dots , (x_s^{(m)}, r_s^{(m)})\}\) where \(\{y_s^{(k)} = g^{x_s^{(k)}}\}_{k \in [m]}\) and \(\{C_s^{(k)} = h^{a_s^{(k)}}g^{r_s^{(k)}}\}_{k \in [m]}\).
2. Denote R as a set of output accounts where \(R = \{pk_{out}^{(j)}\}_{j \in [t]}\). The spender s randomly chooses \(r_1, \dots , r_t \in \mathbb {Z}_q\) and computes \(C_{out}^{(j)} = h^{a_{out}^{(j)}}g^{r_j}\) for \(j \in [t]\) where \(a_{out}^{(1)} + \dots + a_{out}^{(t)} = a_s^{(1)} + \dots + a_s^{(m)}\).
3. The spender s uses a public key encryption scheme \(ENC_{pk}(\cdot )\) with public key pk to compute the ciphertext \(ctxt_j = ENC_{pk_{out}^{(j)}}(r_j)\) for \(j \in [t]\) and sends \(\{ctxt_j\}_{j \in [t]}\) to the corresponding receiver’s address.
4. In order to ensure that the amount of output coins equals the amount of input coins, the spender s creates a new public key
   $$\begin{aligned} y_s^{(m+1)} = \frac{\prod _{k=1}^m (y_s^{(k)}\cdot C_s^{(k)})}{\prod _{j=1}^t C_{out}^{(j)}}. \end{aligned}$$
   Since \(a_{out}^{(1)} + \dots + a_{out}^{(t)} = a_s^{(1)} + \dots + a_s^{(m)}\), the \((m+1)\)-th public key is
   $$\begin{aligned} y_s^{(m+1)} = g^{\sum _{k=1}^m (x_s^{(k)} + r_s^{(k)}) - \sum _{j=1}^t r_j} = g^{x_s^{(m+1)}} \end{aligned}$$
   such that \(x_s^{(m+1)} = \sum _{k=1}^m (x_s^{(k)} + r_s^{(k)}) - \sum _{j=1}^t r_j\).
5. The spender s randomly picks \(n-1\) group public keys from the blockchain, where each group contains \(m+1\) public keys. We denote these public keys as:
   $$\begin{aligned} \begin{array}{c} Y_1 = \{y_1^{(1)}, \dots , y_1^{(m+1)}\}\\ \vdots \\ Y_{s-1} = \{y_{s-1}^{(1)}, \dots , y_{s-1}^{(m+1)}\}\\ Y_{s+1} = \{y_{s+1}^{(1)}, \dots , y_{s+1}^{(m+1)}\}\\ \vdots \\ Y_n = \{y_n^{(1)}, \dots , y_n^{(m+1)}\} \end{array} \end{aligned}$$
   The spender’s public key is further denoted as \(Y_s = \{y_s^{(1)}, \dots , y_s^{(m+1)}\}\).
6. Compute \(m+1\) linking bases as \(h_k = H_2(y_s^{(k)})\) for \(k \in [m+1]\); the linking tags are \(L_k = h_k^{x_s^{(k)}}\) for \(k \in [m+1]\). We denote \(L = \{L_1, \dots , L_{m+1}\}\).
7. Encrypt the spender’s \(m+1\) public keys by using the revocation authority’s public key \(pk_{rev} = \tilde{y}\) as follows: for \(k = 1, \dots , m+1\), randomly pick \(u_1, \dots , u_{m+1} \in \mathbb {Z}_q\) and compute:
   (a) \(CT_1^{(k)} = g^{u_k}\),
   (b) \(CT_2^{(k)} = \tilde{y}^{u_k}y_s^{(k)}\),
   (c) Combine the ciphertext \(CX_k = (CT_1^{(k)}, CT_2^{(k)})\).
8. For \(k = 1, \dots , m+1\), randomly pick \(t_1^{(k)}\), \(t_2^{(k)} \in \mathbb {Z}_q\) and compute:
   (a) \(a_{1,s}^{(k)} = g^{t_1^{(k)}}\) and \(a_{2,s}^{(k)} = (\frac{CT_2^{(k)}}{y_s^{(k)}})^{t_1^{(k)}}\),
   (b) \(c_{s+1}^\prime = H_1(\mathbb {Y}, L, M, \{a_{1,s}^{(1)}, a_{2,s}^{(1)}\}, \dots , \{a_{1,s}^{(m+1)}, a_{2,s}^{(m+1)}\})\),
   (c) \(\bar{a}_{1,s}^{(k)} = g^{t_2^{(k)}}\) and \(\bar{a}_{2,s}^{(k)} = h_k^{t_2^{(k)}}\),
   (d) \(c_{s+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{\bar{a}_{1,s}^{(1)}, \bar{a}_{2,s}^{(1)}\}, \dots , \{\bar{a}_{1,s}^{(m+1)}, \bar{a}_{2,s}^{(m+1)}\})\).
9. Generate a linkable ring signature with a group of n public key vectors \(\mathbb {Y} = \{Y_1, \dots , Y_n\}\) using the spender’s \(m+1\) secret keys \(\{x_s^{(1)}, \dots , x_s^{(m+1)}\}\) with \(m+1\) linking tags \(\{L_1, \dots , L_{m+1}\}\) and \(m+1\) ciphertexts \(\{CX_1, \dots , CX_{m+1}\}\) on some transaction string M as follows:
   (a) For \(i = s+1, \dots , n, 1, \dots , s-1\), randomly pick \(v_{1,i}^{(1)}, \dots , v_{1,i}^{(m+1)}\) and \(v_{2,i}^{(1)}, \dots , v_{2,i}^{(m+1)} \in \mathbb {Z}_q\) and compute:
   (b) \(a_{1,i}^{(k)} = g^{v_{1,i}^{(k)}}(CT_1^{(k)})^{c_i^\prime }\) and \(a_{2,i}^{(k)} = \tilde{y}^{v_{1,i}^{(k)}}(\frac{CT_2^{(k)}}{y_i^{(k)}})^{c_i^\prime }\) for \(k \in [m+1]\),
   (c) \(c_{i+1}^\prime = H_1(\mathbb {Y}, L, M, \{a_{1,i}^{(1)}, a_{2,i}^{(1)}\}, \dots , \{a_{1,i}^{(m+1)}, a_{2,i}^{(m+1)}\})\),
   (d) \(\bar{a}_{1,i}^{(k)} = g^{v_{2,i}^{(k)}}(y_i^{(k)})^{c_i^{\prime \prime }}\) and \(\bar{a}_{2,i}^{(k)} = h_k^{v_{2,i}^{(k)}}L_k^{c_i^{\prime \prime }}\) for \(k \in [m+1]\),
   (e) \(c_{i+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{\bar{a}_{1,i}^{(1)}, \bar{a}_{2,i}^{(1)}\}, \dots , \{\bar{a}_{1,i}^{(m+1)}, \bar{a}_{2,i}^{(m+1)}\})\).
10. For \(k = 1, \dots , m+1\), compute:
   (a) \(v_{1,s}^{(k)} = t_1^{(k)} - c_s^\prime u_k\),
   (b) \(v_{2,s}^{(k)} = t_2^{(k)} - c_s^{\prime \prime }x_s^{(k)}\).
11. The signature is \(\sigma = (c_1^\prime , c_1^{\prime \prime }, \{v_{1,1}^{(1)}, \dots , v_{1,1}^{(m+1)}\}, \dots , \{v_{1,n}^{(1)}, \dots , v_{1,n}^{(m+1)}\},\) \(\{v_{2,1}^{(1)}, \dots , v_{2,1}^{(m+1)}\}, \dots , \{v_{2,n}^{(1)}, \dots , v_{2,n}^{(m+1)}\}, \{L_1, \dots , L_{m+1}\},\) \(\{CX_1, \dots , CX_{m+1}\})\).
\(\mathtt {Verify}(n, \mathbb {Y}, \sigma , M)\): The algorithm takes as input a group \(\mathbb {Y} = \{Y_1, \dots , Y_n\}\) of n groups of public keys, a signature \(\sigma \), and a transaction string M. To verify a transaction, the verifier computes as follows:
1. First parse the \(m+1\) ciphertexts \(CX_k = \{CT_1^{(k)}, CT_2^{(k)}\}_{k \in [m+1]}\).
2. For \(i = 1, \dots , n\), compute:
   (a) \(Z_{1,i}^{\prime (k)} = g^{v_{1,i}^{(k)}}(CT_1^{(k)})^{c_i^\prime }\) and \(Z_{2,i}^{\prime (k)} = \tilde{y}^{v_{1,i}^{(k)}}(\frac{CT_2^{(k)}}{y_i^{(k)}})^{c_i^\prime }\) for \(k \in [m+1]\),
   (b) \(c_{i+1}^\prime = H_1(\mathbb {Y}, L, M, \{Z_{1,i}^{\prime (1)}, Z_{2,i}^{\prime (1)}\}, \dots , \{Z_{1,i}^{\prime (m+1)}, Z_{2,i}^{\prime (m+1)}\})\) if \(i \ne n\),
   (c) \(Z_{1,i}^{\prime \prime (k)} = g^{v_{2,i}^{(k)}}(y_i^{(k)})^{c_i^{\prime \prime }}\) and \(Z_{2,i}^{\prime \prime (k)} = h_k^{v_{2,i}^{(k)}}(L_k)^{c_i^{\prime \prime }}\) for \(k \in [m+1]\),
   (d) \(c_{i+1}^{\prime \prime } = H_1(\mathbb {Y}, L, M, \{Z_{1,i}^{\prime \prime (1)}, Z_{2,i}^{\prime \prime (1)}\}, \dots , \{Z_{1,i}^{\prime \prime (m+1)}, Z_{2,i}^{\prime \prime (m+1)}\})\) if \(i \ne n\).
3. Check whether
   (a) \(c_1^\prime \overset{?}{=} H_1(\mathbb {Y}, L, M, \{Z_{1,n}^{\prime (1)}, Z_{2,n}^{\prime (1)}\}, \dots , \{Z_{1,n}^{\prime (m+1)}, Z_{2,n}^{\prime (m+1)}\})\),
   (b) \(c_1^{\prime \prime } \overset{?}{=} H_1(\mathbb {Y}, L, M, \{Z_{1,n}^{\prime \prime (1)}, Z_{2,n}^{\prime \prime (1)}\}, \dots , \{Z_{1,n}^{\prime \prime (m+1)}, Z_{2,n}^{\prime \prime (m+1)}\})\).
\(\mathtt {Revoke}(n, \mathbb {Y}, sk_{rev}, \sigma )\): The algorithm receives a set \(\mathbb {Y} = \{Y_1, \dots , Y_n\}\) of n groups of public keys, a revocation authority’s private key \(sk_{rev} = \tilde{x}\), and a valid signature \(\sigma \). The revocation authority, with knowledge of the secret key \(\tilde{x}\) corresponding to \(\tilde{y}\), decrypts the \(m+1\) ciphertexts to get the \(m+1\) public keys which belong to the real spender as follows:
1. For \(k = 1, \dots , m+1\), parse \(CX_k = (CT_1^{(k)}, CT_2^{(k)})\).
2. Get the k-th public key \(y_s^{\prime (k)} = CT_2^{(k)} / (CT_1^{(k)})^{\tilde{x}}\) and output all public keys as a set \(Y_s^\prime = \{y_s^{\prime (1)}, \dots , y_s^{\prime (m+1)}\}\).
3. There exists a public key vector \(Y_s \in \mathbb {Y}\) such that \(Y_s = Y_s^\prime \).
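An added example, not code from the paper: Spend steps 6 to 11, Verify and Revoke in Python, leaving out the amounts, commitments and balance key of steps 1 to 5. Assumptions: a toy group (p = 2039, q = 1019, g = 4), SHA-256 for \(H_1\) and \(H_2\), the signer's second step-8 commitment taken as \(\tilde{y}^{t_1^{(k)}}\) and the linking base for ring member i taken as \(H_2(y_i^{(k)})\), so that the Verify equations close and the verifier can compute the base; all function names and sample keys are constructed for illustration.

```python
import hashlib, secrets

P, Q, G = 2039, 1019, 4   # toy group (assumed): order-Q subgroup of Z_P^*, P = 2Q + 1

def H1(*parts):           # hash to Z_Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def H2(y):                # hash to the subgroup: e in [2, P-2], so e^2 != 1
    e = 2 + int.from_bytes(hashlib.sha256(b"H2:%d" % y).digest(), "big") % (P - 3)
    return pow(e, 2, P)

def step(ring, L, M, CX, y_rev, i, c1, c2, v1, v2):
    """Verify step 2 for member i: rebuild Z', Z'' and hash to the next (c', c'')."""
    Z1, Z2 = [], []
    for k, y in enumerate(ring[i]):
        ct1, ct2 = CX[k]
        Z1.append((pow(G, v1[k], P) * pow(ct1, c1, P) % P,
                   pow(y_rev, v1[k], P) * pow(ct2 * pow(y, -1, P), c1, P) % P))
        Z2.append((pow(G, v2[k], P) * pow(y, c2, P) % P,   # assumed base: H2(y_i)
                   pow(H2(y), v2[k], P) * pow(L[k], c2, P) % P))
    return H1(ring, L, M, Z1), H1(ring, L, M, Z2)

def sign(ring, s, xs, M, y_rev):
    n, rnd = len(ring), lambda: [secrets.randbelow(Q) for _ in xs]
    L = [pow(H2(y), x, P) for y, x in zip(ring[s], xs)]              # step 6
    u, t1, t2 = rnd(), rnd(), rnd()
    CX = [(pow(G, a, P), pow(y_rev, a, P) * y % P) for a, y in zip(u, ring[s])]  # step 7
    c1, c2, v1, v2 = [0] * n, [0] * n, [None] * n, [None] * n
    j = (s + 1) % n       # step 8; assumed commitment y_rev^t1 so that Verify closes
    c1[j] = H1(ring, L, M, [(pow(G, t, P), pow(y_rev, t, P)) for t in t1])
    c2[j] = H1(ring, L, M, [(pow(G, t, P), pow(H2(y), t, P)) for t, y in zip(t2, ring[s])])
    for i in [(s + d) % n for d in range(1, n)]:                     # step 9
        v1[i], v2[i] = rnd(), rnd()
        c1[(i + 1) % n], c2[(i + 1) % n] = step(ring, L, M, CX, y_rev, i, c1[i], c2[i], v1[i], v2[i])
    v1[s] = [(t - c1[s] * a) % Q for t, a in zip(t1, u)]             # step 10
    v2[s] = [(t - c2[s] * x) % Q for t, x in zip(t2, xs)]
    return c1[0], c2[0], v1, v2, L, CX                               # step 11

def verify(ring, sig, M, y_rev):
    c1, c2, v1, v2, L, CX = sig
    a, b = c1, c2
    for i in range(len(ring)):
        a, b = step(ring, L, M, CX, y_rev, i, a, b, v1[i], v2[i])
    return (a, b) == (c1, c2)

def revoke(ring, sig, x_rev):
    """ElGamal-decrypt each CX_k with the authority key; return the signer's ring index."""
    keys = [ct2 * pow(pow(ct1, x_rev, P), -1, P) % P for ct1, ct2 in sig[5]]
    return ring.index(keys) if keys in ring else None

# Constructed sample: 3 ring members with m+1 = 2 keys each; member 1 signs.
X_REV, SK = 77, [[11, 12], [21, 22], [31, 32]]
Y_REV, RING = pow(G, X_REV, P), [[pow(G, x, P) for x in xs] for xs in SK]
SIG = sign(RING, 1, SK[1], "tx-1", Y_REV)
```

Two signatures made with the same secret keys carry identical linking tags (`sig[4]`), which is how a double spend is linked without the revocation authority's key.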
© 2020 Springer Nature Switzerland AG
Zhang, X., Liu, J.K., Steinfeld, R., Kuchta, V., Yu, J. (2020). Revocable and Linkable Ring Signature. In: Liu, Z., Yung, M. (eds) Information Security and Cryptology. Inscrypt 2019. Lecture Notes in Computer Science, vol 12020. Springer, Cham. https://doi.org/10.1007/978-3-030-42921-8_1
DOI: https://doi.org/10.1007/978-3-030-42921-8_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-42920-1
Online ISBN: 978-3-030-42921-8
eBook Packages: Computer Science, Computer Science (R0)