Ring Signatures of Sub- linear Size without Random Oracles Nishanth Chandran Jens Groth Amit Sahai University of California Los Angeles TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A AAA A A

In an anonymous fast-food chain

Whistleblowing

Ring signature vk 1 vk 3 vk 2 sk 2 signature

Properties Parties with public verification keys Parties with public verification keys A ring is any subset of the parties A ring is any subset of the parties Any party can choose a ring that includes herself and make a ring signature Any party can choose a ring that includes herself and make a ring signature...without the other parties cooperating or even being aware of the ring signature being formed...without the other parties cooperating or even being aware of the ring signature being formed The ring signature is anonymous The ring signature is anonymous

Related work Rivest, Shamir and TaumanAsiacrypt 2001 O(N) elements in random oracle model Rivest, Shamir and TaumanAsiacrypt 2001 O(N) elements in random oracle model Dodis, Kiayias, Nicolosi and ShoupEurocrypt 2004 O(1) elements in random oracle model Dodis, Kiayias, Nicolosi and ShoupEurocrypt 2004 O(1) elements in random oracle model Bender, Katz and MorselliTCC 2006 Construction without random oracles Bender, Katz and MorselliTCC 2006 Construction without random oracles Chow, Wei, Liu and YuenASIACCS 2006 Shacham and WatersePrint 2006 O(N) elements Chow, Wei, Liu and YuenASIACCS 2006 Shacham and WatersePrint 2006 O(N) elements BoyenEurocrypt 2007 O(N) elements, perfect anonymity BoyenEurocrypt 2007 O(N) elements, perfect anonymity Our contribution O(√N) elements, perfect anonymity Our contribution O(√N) elements, perfect anonymity

Ring signature functionality Common reference string: CRSGen(1 k ) ! ½ Key pair: Gen( ½ ) ! (vk, sk) Ring signature for R=(vk 1,...,vk N ): Sign ½, sk (m, R) ! sig Verification: Verify ½, R (m, sig)  {0,1}

Informal definition Perfect correctness: Any member of a ring can make a ring signature Perfect correctness: Any member of a ring can make a ring signature Perfect anonymity: Ring signature leaks no information about which ring member signed the message Perfect anonymity: Ring signature leaks no information about which ring member signed the message Computational unforgeability: Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack Computational unforgeability: Poly-time adversary without knowledge of any ring member’s secret key cannot forge signature. Not even when given access to adaptive chosen (message, ring, signer)-attack

Bilinear group of order n G, G T cyclic groups of order n = pq G = G p  G q g generator for G bilinear map e: G  G  G T e(u a, v b ) = e(u, v) ab e(g, g) generates G T

Commitment [Boneh-Goh-Nissim] Public key: hord(h) = n or q Commitment to m c = mh r where r  Z n Perfect hiding if ord(h) = n Perfect binding in G p if ord(h) = q : m q = c q Subgroup decision problem: ord(h) = n or ord(h) = q

Signature [Boneh-Boyen] Verification key: v = g x Signature on y|y|< |p| (  |√n|) s = g 1/(x+y) Verification e(vg y, s) = e(g, g) Strong Diffie-Hellman assumption in G p Hard to compute (y, g 1/(x+y) ) given input g, g x, g x 2,..., g x l

Common reference string:(n, G, G T, e, g, h) Verification keys:v = g x Ring signature (m, x, v  R=(v 1,...,v N ) 1.make one-time signature on (m, R) using one-time verification key y 2. sign y as s = g 1/(x+y) 3.commit to v and s as C = vh r, L = sh t 4.make perfect WI proof (C, L) sign on y 5.make perfect WI proof C contains v  R Ring signature scheme

Perfect Witness-Indistinguishable proof for commited signature on y [Groth-Sahai] Commitments C = vh r, L = sh t WI proof: ¼ = (g y v) t s r h rt Verify:e(g y C, L) = e(g, g) e(h, ¼ ) Complete:e(g y vh r, sh t ) = e(g y v, s) e(h, (g y v) t s r h rt ) Perfect WI (ord(h)=n): All (v, r, s, t) give same ¼ Sound (ord(h)=q): e((g y C) q, L q ) = e(g q, g q )

WI proof for commitment to v  R v 1 v 2... v √N v √N+1 v √N+2... v 2√N  v N-√N+1 v N-√N+2... v N 1 g  1 = e(g,v 2 ) e(g,v √N+2 )  e(g,v N-√N+2 ) h r 1 h r 2 h r √N e(h,*) Commitment C = vh r and ring R = (v 1,...,v N ) WI proof that PIR-request is well-formedWI proof that v is in one of those

Sketch of security proof Perfect anonymity Perfect anonymity Commitments are perfectly hiding (ord(h) = n)... so they can contain Boneh-Boyen signature for any honest party... and the proofs are perfectly witness indistinguishable Computational unforgeability Computational unforgeability Switch to ord(h) = q Commitments are perfectly extractable... so they must contain valid signature in G p... so we can forge Boneh-Boyen signatures

CRS = (n, G, G T, e, g, h)ord(h) = n Malicious authority can select h of order q Key generation: v i = g x i, h i chosen at random in G When signing pick t at random and use With overwhelming probability ord(h) = n Overcoming a bad CRS

Summary Ring signature scheme PIR-techniques + GS proofs Ring signature scheme PIR-techniques + GS proofs Size O(√N) group elements Size O(√N) group elements Relies on composite order bilinear groups subgroup decision strong Diffie-Hellman in G p Relies on composite order bilinear groups subgroup decision strong Diffie-Hellman in G p Common reference string perfect anonymity Common reference string perfect anonymity Untrusted common reference string statistical anonymity Untrusted common reference string statistical anonymity