International Association for Cryptologic Research

International Association
for Cryptologic Research


Patrick P. Tsang


A Suite of ID-Based Threshold Ring Signature Schemes with Different Levels of Anonymity
Since the introduction of Identity-based (ID-based) cryptography by Shamir in 1984, numerous ID-based signature schemes have been proposed. In 2001, Rivest et al. introduced ring signature that provides irrevocable signer anonymity and spontaneous group formation. In recent years, ID-based ring signature schemes have been proposed and all of them are based on bilinear pairings. In this paper, we propose the first ID-based threshold ring signature scheme that is not based on bilinear pairings. We also propose the first ID-based threshold `linkable' ring signature scheme. We emphasize that the anonymity of the actual signers is maintained even against the private key generator (PKG) of the ID-based system. Finally we show how to add identity escrow to the two schemes. Due to the different levels of signer anonymity they support, the schemes proposed in this paper actually form a suite of ID-based threshold ring signature schemes which is applicable to many real-world applications with varied anonymity requirements.
Separable Linkable Threshold Ring Signatures
A ring signature scheme is a group signature scheme with no group manager to setup a group or revoke a signer. A linkable ring signature, introduced by Liu, et al. \cite{LWW04}, additionally allows anyone to determine if two ring signatures are signed by the same group member (a.k.a. they are \emph{linked}). In this paper, we present the first separable linkable ring signature scheme, which also supports an efficient thresholding option. We also present the security model and reduce the security of our scheme to well-known hardness assumptions. In particular, we introduce the security notions of {\em accusatory linkability} and {\em non-slanderability} to linkable ring signatures. Our scheme supports ``event-oriented'' linking. Applications to such linking criterion is discussed.
Short Linkable Ring Signatures for E-Voting, E-Cash and Attestation
Patrick P. Tsang Victor K. Wei
A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup. A \emph{linkable} ring signature (LRS) scheme additionally allows anyone to determine if two ring signatures have been signed by the same group member. Recently, Dodis et al. \cite{DKNS04} gave a short (constant-sized) ring signature scheme. We extend it to the first short LRS scheme, and reduce its security to a new hardness assumption, the Link Decisional RSA (LD-RSA) Assumption. We also extend \cite{DKNS04}'s other schemes to a generic LRS scheme and a generic linkable group signature scheme. We discuss three applications of our schemes. Kiayias and Yung \cite{KY04} constructed the first e-voting scheme which simultaneously achieves efficient tallying, public verifiability, and write-in capability for a typical voter distribution under which only a small portion writes in. We construct an e-voting scheme based on our short LRS scheme which achieves the same even for all worst-case voter distribution. Direct Anonymous Attestation (DAA) \cite{BCC04} is essentially a ring signature scheme with certain linking properties that can be naturally implemented using LRS schemes. The construction of an offline anonymous e-cash scheme using LRS schemes is also discussed.