A new ring signature scheme with signer-admission property Chih-Hung Wang, Chih-Yu Liu Information Sciences, Volume 177, Issue 3, 1 February 2007, Pages 747-754 Presenter: 楊智雄 2006-11-29

Outline Introduction Ring signature Proposed scheme Conclusion 2006-11-29

Introduction Ring signature is a simplified group signature was proposed in 2001 Two properties of ring signature Signer-ambiguity Setup-free This paper constructs signer-admission property into ring signature 2006-11-29

Ring signature 2006-11-29

Ring signature (conti.) Signer (users) Verifier 1.Compute k=h(m) 2.Pick a random glue value v 3.Pick random xi , 1≦i ≦r, i≠s and compute yi=gi(xi) 4.Solve Ck,v(y1,y2,...ys...yr)=v 5.Compute xs=gs-1(ys) (P1,P2,..,Pr ;v;x1,x2,..,xr) 1.Compute yi=gi(xi) , for i=1,2,...,r 2.Compute k=h(m) 3.Verify the following equation Ck,v(y1,y2,...ys...yr)=v 2006-11-29

Proposed scheme(1/4) Signature generation: Let the signer is As and the message is m Choose σ,z ,and compute a=gσmod p and b=az mod p Compute symmetric key k=h(m∥a) ⊕b Choose w ,and compute R=aw mod p and ε=w+z．F(m∥a,R) mod p 2006-11-29

Proposed scheme(2/4) Pick random xi , 1≦i ≦r, i≠s and compute yi=gi(xi) Choose random value v and solve Ck,v(y1,y2,...ys...yr)=v Compute xs=gs-1(ys) Output ring signature (P1,P2,..,Pr;v;x1,x2,..,xr;a,b,R,ε) 2006-11-29

Proposed scheme(3/4) Signature verification Let the signer is As and the message is m Check whether aε=R．bF(m∥a ,R) mod p compute yi=gi(xi) for i=1,2,...,r k=h(m∥a) ⊕b Verify the following equation Ck,v(y1,y2,...ys...yr)=v 2006-11-29

Proposed scheme(4/4) Signer-admission Signer (users) Designated verifier 1.Randomly choose γ,t 2.Compute λ=aγmod p 3.Compute commitment c = gλPKvt mod p c Randomly choose δ δ ω=γ+z δ (mod p) λ, t , ω Check c=gλPKvt mod p aω=λbδ mod p 2006-11-29

Conclusion Proposed an extended ring signature with a signer-admission property Using designated verifier proof to achieve signer-admission property 2006-11-29