Two extensions of the ring signature scheme of Rivest–Shamir–Taumann

doi:10.1016/j.ins.2011.11.011

Information Sciences

Volume 188, 1 April 2012, Pages 338-345

https://doi.org/10.1016/j.ins.2011.11.011 Get rights and content

Abstract

Two extensions of RST (Rivest, Shamir and Taumann) ring signature are proposed which keep the form of RST ring signature unchanged. One extension is to implement the verifiability property with which the real signer is able to prove that she actually signed the ring signature if she publishes her secret value. In contrast to the available verifiable ring signatures, this scheme is very simple, secure and efficient. In this scheme only the glue value of RST ring signature is replaced by the output of a hash function which takes as input a secret value and some signature parameters and the real signer is able to prove himself any times. The other extension is to construct an anonymous subliminal channel in RST ring signature so that the subliminal sender (the real signer) is able to keep herself subliminal anonymous to the subliminal receiver. The subliminal anonymity is implemented for the first time in this paper. In addition, if the sender wants to revoke the subliminal anonymity, she is able to use the first extension.

Introduction

In 2001, Rivest, Shamir and Taumann first formalized the concept of the ring signature based on a trapdoor one-way function and presented a provably secure ring signature scheme in the random oracle model [14] which we called RST ring signature. Ring signature can be used to leak a secret anonymously because it has no group manager, no setup procedures, and no cooperation among ring members. For example, Alice, an employee of a company, wants to disclose a secret of her boss to a journalist without revealing her identity. She can use a ring signature to sign the message and hide her identity by choosing other employees as the ring members. Since then many provably secure ring signatures were presented in the random oracle model or in the standard model, e.g. [1], [4], [6], [7], [17], [19].

In the research of ring signatures, how to implement the verifiability of the real signer is an important problem, that is, the real signer is able to prove that she actually signed the ring signature. However, in RST ring signature one cannot determine who the real signer is. So far there have been some solutions to this problem. In [6], [8], [12], [13], [17], the verifiability is implemented based on the difficult problems to solve discrete logarithms in a finite field or to factorize the number which is the product of two large prime numbers. The computation complexity of the verification is very high. Some of the schemes can only be verified one time, that is, after a real signer publishes her secret parameters to prove himself, anybody else can do the same thing by using the published secret parameters. In this paper, one extension is proposed to implement the verifiability property. In contrast to the available verifiable ring signatures, this scheme is very simple, secure and efficient. The real signer is able to prove himself any times. The verifiable ring signature in [9] is also simple and efficient, but it requires an extra parameter. Our scheme keeps the form of RST ring signature unchanged.

The other extension of RST ring signature is proposed to construct an anonymous subliminal channel so that the subliminal sender (the real signer) is able to keep herself subliminal anonymous to the subliminal receiver when she wants to deliver military intelligence. With the anonymous subliminal channel the subliminal sender can avoid the risk of the receiver’s exposing her identity to any third party. The subliminal channels discovered by Simmons [15] in 1978 are covert channels established in digital signatures and authentication systems by exploiting the inherent randomness of the cryptosystems and are used to send a secret message to an authorized receiver. Any unauthorized receiver is not able to be aware of the existence of the subliminal channels. To the best of our knowledge, up to now the available subliminal channels such as the channels in [3], [5], [10], [11], [16] are not able to realize the subliminal anonymity which requires two necessary conditions: (a) the creator (such as a signer) of the carrier is anonymous and (b) the encryption of subliminal messages must use public-key encryption algorithms, which requires large subliminal capacity. Obviously ring signatures are the natural carriers because there are many random parameters in ring signatures which can be used to transmitted subliminal messages and in ring signatures the signers are unconditionally anonymous. In addition, if the sender wants to revoke the subliminal anonymity, she is able to use the first extension method.

Section snippets

RSA-based pseudorandom hybrid public-key encryption algorithm

In this section, we give an RSA-based pseudorandom hybrid public-key encryption algorithm that can be used to encrypt arbitrary subliminal messages. The output of the algorithm is uniformly distributed in U_π, where π denotes the size of the cipher-text.

RSA-OAEP [2] is a provably secure public-key encryption algorithm in the random oracle model. The encryption algorithm of RSA-OAEP is briefly reviewed as follows: let p and q be two large prime numbers, N = pq, e and d be two integers such that ed = 1

Proposed verifiable ring signature scheme

In this section, we propose a new verifiable ring signature scheme which consists of three algorithms: ring-sign, ring-verify, opening and convincing.

(i)
Ring-sign algorithm: (by modifying the Step3 of RST ring signature scheme in Section 2.3)
- Step 3′:
  A_s randomly selects r_s ∈ {0, 1}^l, keeps r_s secret as a convincing proof, then computes $\begin{matrix} v = h (x_{1} ‖ \dots ‖ x_{s - 1} ‖ x_{s + 1} ‖ \dots ‖ x_{n} ‖ r_{s}) and their own y_{s}, where \\ α = D_{k} (y_{s + 1} \oplus D_{k} (y_{s + 2} \oplus D_{k} (\dots \oplus D_{k} (v)))), \\ β = E_{k} (y_{s - 1} \dots \oplus E_{k} (y_{2} \oplus E_{k} (y_{1} \oplus (v)))), \\ y_{s} = α \oplus β . \end{matrix}$
The final ring signature is S = (e₁, … , e_n, v, x₁, … , x_n) which

Proposed ring signature scheme with anonymous subliminal channels

In this section, we shall propose a ring signature scheme with an anonymous subliminal channel based on RST ring signature, in which the subliminal sender (the real signer) is able to keep herself subliminal anonymous to the subliminal receiver. Two necessary conditions are required in our scheme:

(a)
The creator (such as a signer) of the carrier is anonymous. Obviously, ring signatures are the natural carriers.
(b)
Only public-key crypto algorithms can be used to encrypt subliminal messages, which

Conclusions

In this paper, firstly, a simple, efficient and secure verifiable ring signature has been proposed by replacing the glue value of the RST ring signature with the output of a hash function which takes as input a secret value and some signature parameters. No extra parameters are introduced. In this scheme only one-time hash computation is required to implement the verifiability property and the real signer is able to prove himself any times. Up to now the proposed verifiable ring signature is

Acknowledgements

The authors want to thank the reviewers of Information Science for their very helpful comments. This work is supported by the National Natural Science Foundation of China (60903200, 60603010); The Natural Science Basic Research Plan in Shaanxi Province of China (2006F19); The Fundamental Research Funds for the Central Universities.

References (19)

S. Chang et al.
Certificateless threshold ring signature
Information Sciences
(2009)
C.-L. Chen et al.
A traceable E-cash transfer system against blackmail via subliminal channel
Electronic Commerce Research and Applications
(2009)
J. Herranz
Identity-based ring signatures from RSA
Theoretical Computer Science
(2007)
D.-R. Lin et al.
A digital signature with multiple subliminal channels and its applications
Computers and Mathematics with Applications
(2010)
C.-H. Wang et al.
A new ring signature scheme with signer-admission property
Information Sciences
(2007)
J. Yu
Forward-secure identity-based signature: security notions and construction
Information Sciences
(2011)
M. Abe, M.Ohkubo, K.Suzuki, 1-out-of-n Signatures from a Variety of Keys, Advances in Cryptology: Proceedings of...
M. Bellare et al.
Optimal asymmetric encryption: how to encrypt with RSA
J.-M. Bohli, R. Steinwandt, On subliminal channels in deterministic signature schemes, in: The 7th Annual International...

There are more references available in the full text version of this article.

Cited by (12)

Keyed hash function based on a dynamic lookup table of functions
2012, Information Sciences
In this paper, we present a novel keyed hash function based on a dynamic lookup table of functions. More specifically, we first exploit the piecewise linear chaotic map (PWLCM) with secret keys used for producing four 32-bit initial buffers and then elaborate the lookup table of functions used for selecting composite functions associated with messages. Next, we convert the divided message blocks into ASCII code values, check the equivalent indices and then find the associated composite functions in the lookup table of functions. For each message block, the four buffers are reassigned by the corresponding composite function and then the lookup table of functions is dynamically updated. After all the message blocks are processed, the final 128-bit hash value is obtained by cascading the last reassigned four buffers. Finally, we evaluate our hash function and the results demonstrate that the proposed hash algorithm has good statistical properties, strong collision resistance, high efficiency, and better statistical performance compared with existing chaotic hash functions.
Generic security-amplifying methods of ordinary digital signatures
2012, Information Sciences
Digital signatures are one of the most fundamental primitives in cryptography. In this paper, three new paradigms are proposed to obtain signatures that are secure against existential forgery under adaptively chosen message attacks (fully-secure, in short), from any weakly-secure signature. These transformations are generic, simple, and provably secure in the standard model. In the first paradigm, based on a weakly-secure signature scheme, the construction of a fully-secure signature scheme requires one-time signature additionally. However, the other two are built only on weakly-secure signatures. To the best of our knowledge, it is observed for the first time in this paper that two weakly-secure signature schemes are sufficient to construct a fully-secure signature scheme.
Based on the new proposed paradigms, several efficient instantiations without random oracles are also presented. We also show that these fully-secure signature schemes have many special interesting properties in application.
Achieving Anonymous and Covert Reporting on Public Blockchain Networks
2023, Mathematics
Blockchain-based whistleblowing service to solve the problem of journalistic conflict of interest
2022, Annales des Telecommunications/Annals of Telecommunications
The Applications of Blockchain in the Covert Communication
2022, Wireless Communications and Mobile Computing
Secure Data Fusion Analysis on Certificateless Short Signature Scheme Based on Integrated Neural Networks and Elliptic Curve Cryptography
2022, EAI Endorsed Transactions on Scalable Information Systems

View all citing articles on Scopus

View full text

Two extensions of the ring signature scheme of Rivest–Shamir–Taumann

Abstract

Introduction

Section snippets

RSA-based pseudorandom hybrid public-key encryption algorithm

Proposed verifiable ring signature scheme

Proposed ring signature scheme with anonymous subliminal channels

Conclusions

Acknowledgements

Information Sciences

Electronic Commerce Research and Applications

Theoretical Computer Science

Computers and Mathematics with Applications

Information Sciences

Information Sciences

Optimal asymmetric encryption: how to encrypt with RSA