Ring signature

Definition

Suppose that a group of entities each have public/private key pairs, (P₁, S₁), (P₂, S₂), ..., (P_n, S_n). Party i can compute a ring signature σ on a message m, on input (m, S_i, P₁, ..., P_n). Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P₁, ..., P_n. If a ring signature is properly computed, it should pass the check. On the other hand, it should be hard for anyone to create a valid ring signature on any message for any group without knowing any of the private keys for that group.

Applications and modifications

In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret. For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking White House official", without revealing which official signed the message. Ring signatures are right for this application because the anonymity of a ring signature cannot be revoked, and because the group for a ring signature can be improvised.

Another application, also described in the original paper, is for deniable signatures. Here the sender and the recipient of a message form a group for the ring signature, then the signature is valid to the recipient, but anyone else will be unsure whether the recipient or the sender was the actual signer. Thus, such a signature is convincing, but cannot be transferred beyond its intended recipient.

There were various works, introducing new features and based on different assumptions:

Threshold ring signatures

Unlike standard "t-out-of-n" threshold signature, where t of n users should collaborate to decrypt a message, this variant of a ring signature requires t users to cooperate in the signing protocol. Namely, t parties (i₁, i₂, ..., i_t) can compute a (t, n)-ring signature, σ, on a message, m, on input (m, S_i1, S_i2, ..., S_it, P₁, ..., P_n).

Linkable ring signatures

The property of linkability allows one to determine whether any two signatures have been produced by the same member (under the same private key). The identity of the signer is nevertheless preserved. One of the possible applications can be an offline e-cash system.

Traceable ring signature

In addition to the previous scheme the public key of the signer is revealed (if they issue more than one signatures under the same private key). An e-voting system can be implemented using this protocol.

Efficiency

Most of the proposed algorithms have asymptotic output size O ( n ) ; i.e., the size of the resulting signature increases linearly with the size of input (amount of public keys). That means that such schemes are impracticable for real use cases with sufficiently large n (for example, an e-voting with millions of participants). But for some application with relatively small median input size such estimate may be acceptable. CryptoNote implements O ( n ) ring signature scheme by Fujisaki and Suzuki in p2p payments to achieve sender's untraceability.

More efficient algorithms have appeared recently. There are schemes with the sublinear size of the signature, as well as with constant size.

Implementation

Here is a Python implementation of the original paper using RSA.

To sign and verify 2 messages in a ring of 4 users:

Crypto-currencies

The CryptoNote technology uses ring signatures. It was first implemented by Bytecoin (BCN) in July 2012.

The cryptocurrency ShadowCash uses traceable ring signature to anonymize the sender of a transaction. However, these were originally implemented incorrectly, resulting in a partial de-anonymization of ShadowCash from their first implementation until February 2016 by Monero Research Labs researcher, Shen Noether. Luckily only 20% of all the one-time keys in the system were affected by this bug, sender anonymity was compromised but receiver anonymity remained intact. A patch was submitted in a timely fashion to resolve the bug.