A Formal Proof of Security of Zhang and Kim’s ID-Based Ring Signature Scheme*
Javier Herranz
Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya
C. Jordi Girona, 1-3, Mòdul C3, Campus Nord, 08034-Barcelona, Spain
Abstract. In this work we provide a formal analysis of the security of
an identity-based ring signature scheme proposed by Zhang and Kim in
[10]. We first define the security requirements that schemes of this kind
must satisfy; or in other words, the capabilities and goals of the most
powerful attacks these schemes must remain secure against. Then we
prove, in the random oracle model, that the above-mentioned scheme
is secure against the defined attacks, assuming that the Computational
Diffie-Hellman problem is hard to solve.
1 Introduction
In a ring signature scheme, a user computes a signature on behalf of a set (or
ring) of users which contains himself. The goal is that any verifier must be
convinced that the signature has been computed by some member of this ring,
but has no better way than guessing at random to determine which member is the
actual author of the signature.
In practice, if the communications system is authenticated with the use of a
Public Key Infrastructure (PKI) based on certificates, the signer must first verify
that the public keys of the ring correspond (via a certificate) to the identities
of the users that he wants to include on the ring. Later, the verification process
of a ring signature obviously employs the public keys of the members of the
ring. Therefore, the verifier must first check that these public keys are actually
certified as the ones of the members of the ring.
This means that the cost of both processes of generating and verifying a ring
signature substantially increases because of the necessary management of digital
certificates. Any possible alternative which avoids the necessity of a PKI is very
welcome if we want to design efficient public key cryptosystems, in particular
ring signature schemes where the number of certificates that must be checked in
each operation can be reasonably high.
Identity-based (from now on, ID-based) cryptography, introduced by Shamir
in 1984 [9], is a solution to this problem. The idea is that the public key of a
user can be easily (and publicly) computed from his identity (for example, from
a complete name, an e-mail or an IP address). Then, the secret key is derived
from the public key. In this way, certificates which link identities and public keys
are not needed any more, because anyone can easily verify that some public key
$PK_U$ corresponds in fact to user $U$. The process that generates secret keys from
public keys must be executed by an external entity, known as the master.
* This work was partially supported by Spanish Ministerio de Ciencia y Tecnología
under project TIC 2003-00866.
Herranz J. (2004). A Formal Proof of Security of Zhang and Kim’s ID-Based Ring Signature Scheme.
In Proceedings of the 2nd International Workshop on Security in Information Systems, pages 63-72.
DOI: 10.5220/0002661000630072. Copyright © SciTePress
In this work we analyze the security of an ID-based ring signature scheme,
based on bilinear pairings. Let us do a brief overview of some works related to
ring signatures.
In [8], Rivest, Shamir and Tauman formalize the concept of ring signature
schemes, and propose a scheme which they prove existentially unforgeable under
adaptive chosen-message attacks, in the ideal cipher model, assuming the hardness
of the RSA problem. This scheme also uses a symmetric encryption scheme
and the notion of combining functions.
Bresson, Stern and Szydlo show in [3] that the scheme of [8] can be modified
in such a way that the new scheme is proved to achieve the same level of security,
but under the strictly weaker assumption of the random oracle model.
In [1], Abe, Ohkubo and Suzuki give general constructions of ring signature
schemes for a variety of scenarios, including those where signature schemes are
based on one-way functions, and those where signature schemes are of the
three-move type (for example, Schnorr’s signature scheme).
Some security results for generic ring signature schemes, as well as a new
specific scheme based on Schnorr’s signature scheme, are given by Herranz and
Sáez in [5].
Finally, the only ID-based ring signature scheme proposed until now (as far
as we know) is the one by Zhang and Kim [10], which is based on pairings.
However, they do not provide a formal proof of the existential unforgeability of
the proposed scheme.
We provide such a formal proof of security for this ID-based ring signature
scheme, assuming that the Computational Diffie-Hellman problem is hard to
solve. The proof uses standard techniques in the random oracle model [2], like
replaying attacks (formalized in the forking lemmas by Pointcheval and Stern
in [7]), which have been already employed to prove the security of other ring
signature schemes, for example [1, 5].
2 Zhang and Kim’s ID-Based Ring Signature Scheme
In this section we review the ID-based ring signature scheme proposed by Zhang
and Kim in [10]. We first explain some basics on bilinear pairings and on ring
signature schemes.
2.1 A Note on Pairings
Let $G_1$ be an additive group of prime order $q$, generated by some element $P$. Let
$G_2$ be a multiplicative group with the same order $q$. We consider a pairing as a
map $e : G_1 \times G_1 \to G_2$ with the following three properties:
1. It is bilinear, which means that given elements $T_1, T_2, T_3 \in G_1$, we have that
$e(T_1 + T_2, T_3) = e(T_1, T_3) \cdot e(T_2, T_3)$ and $e(T_1, T_2 + T_3) = e(T_1, T_2) \cdot e(T_1, T_3)$.
In particular, for all $a, b \in \mathbb{Z}_q$, we have $e(aP, bP) = e(P, P)^{ab} = e(P, abP) = e(abP, P)$.
2. The map $e$ can be efficiently computed for any possible input pair.
3. The map $e$ is non-degenerate: there exist elements $T_1, T_2 \in G_1$ such that
$e(T_1, T_2) \neq 1_{G_2}$.
Combining properties 1 and 3, it is easy to see that $e(P, P) \neq 1_{G_2}$ and that
the equality $e(T_1, P) = e(T_2, P)$ implies that $T_1 = T_2$.
The typical way of obtaining such pairings is by deriving them from the Weil
or the Tate pairing on an elliptic curve over a finite field. The interested reader
is referred to [11] for a complete bibliography of cryptographic works based on
pairings.
2.2 Ring Signatures
The idea of a ring signature is the following: a user wants to compute a signature
on a message, on behalf of a set (or ring) of users which includes himself. He
wants the verifier of the signature to be convinced that the signer of the message
is indeed one of the members of this ring. But he wants to remain completely
anonymous. That is, nobody will know which member of the ring is the actual
author of the signature.
These two informal requirements are ensured if the scheme satisfies the
following properties:
1. Anonymity: any verifier should not have probability greater than $1/n$ to
guess the identity of the real signer who has computed a ring signature on
behalf of a ring of $n$ members. If the verifier is a member of the ring distinct
from the actual signer, then his probability to guess the identity of the real
signer should not be greater than $1/(n-1)$.
2. Unforgeability: among all the proposed definitions of unforgeability (see
[4]), we consider the strongest one: any attacker must have negligible probability
of success in forging a valid ring signature for some message $m$ on
behalf of a ring that does not contain himself, even if he knows valid ring
signatures for messages, different from $m$, that he can adaptively choose.
Ring signatures are a useful tool to provide anonymity in some scenarios. For
example, if a member of a group wants to leak to the media some secret information
about the group, he can sign this information using a ring scheme. Everybody
will be convinced that the information comes from the group itself, but nobody
could accuse him of leaking the secret.
A different application is the following: if the signer $A$ of a message wants
the authorship of the signature to be fully verifiable only by some specific
user $B$, he can sign the message with respect to the ring $\{A, B\}$. The rest of
the users could not know which of $A$ and $B$ is the author of the signature, but
$B$ will be convinced that the author is $A$.
2.3 The Scheme
Zhang and Kim proposed in [10] the first ID-based ring signature scheme, following
the idea behind the ring signature schemes proposed by Abe, Ohkubo
and Suzuki in [1]. We review Zhang and Kim’s scheme in this section.
Setup: let $G_1$ be an additive group of prime order $q$, generated by some element
$P$. Let $G_2$ be a multiplicative group with the same order $q$. We need $q \geq 2^k$, where
$k$ is the security parameter of the scheme. Let $e : G_1 \times G_1 \to G_2$ be a pairing
as defined in Section 2.1. Let $H_1 : \{0,1\}^* \to G_1 - \{0\}$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_q$ be
two hash functions (in the proof of security, we will assume that they behave as
random oracles [2]).
The master entity chooses at random his secret key $x \in \mathbb{Z}_q$ and publishes the
value $Y = xP \in G_1$.
Secret key extraction: a user $U$, with identity $ID_U \in \{0,1\}^*$, has public key
$PK_U = H_1(ID_U)$. When he requests the master for his matching secret key, he
obtains the value $SK_U = x PK_U$.
Ring signature: consider a ring $\mathcal{U} = \{U_1, \ldots, U_n\}$ of users; for simplicity we
denote $PK_i = PK_{U_i} = H_1(ID_{U_i})$. If some of these users $U_s$, where $s \in \{1, \ldots, n\}$,
wants to anonymously sign a message $m$ on behalf of the ring $\mathcal{U}$, he acts as
follows:
1. Choose a random $T \in G_1$ and compute $c_{s+1} = H_2(\mathcal{U}, m, e(T, P))$.
2. For $i = s+1, \ldots, s-1$ (where $i$ is considered modulo $n$), choose $T_i$ at random
in $G_1$. Compute $c_{i+1} = H_2(\mathcal{U}, m, e(T_i, P) \cdot e(c_i PK_i, Y))$.
3. Compute $T_s = T - c_s SK_s \bmod q$.
4. Define the signature of the message $m$ made by the ring $\mathcal{U} = \{U_1, \ldots, U_n\}$
to be $(\mathcal{U}, m, c_0, T_0, T_1, \ldots, T_{n-1})$.
Verification: the validity of the signature is verified by the recipient of the
message in the following way:
1. For $i = 0, 1, \ldots, n-1$, compute $c_{i+1} = H_2(\mathcal{U}, m, e(T_i, P) \cdot e(c_i PK_i, Y))$.
2. Accept the signature as valid if $c_n = c_0$, and reject it otherwise.
By using the bilinear property of the pairing e, it is easy to see that the
scheme is correct.
3 A Formal Security Analysis
In their paper [10], Zhang and Kim do not provide a formal proof of the security
of this scheme. Their arguments are quite heuristic or intuitive. They can be
enough for anonymity, but not for unforgeability. For example, they do not define
the capabilities of an adversary against an ID-based ring signature scheme. They
assert that the scheme is secure because in the case n = 1 the scheme is exactly
the ID-based signature scheme proposed by Hess in [6], and since this scheme is
proved to be secure, then the ring signature scheme is also secure. Clearly, this
argument is not enough. We give in this section a formal proof of the security
of their scheme, which employs some standard techniques, like replaying attacks
[7], already used to prove the security of other ring signature schemes [1, 5].
3.1 The Security Model
We must consider the most powerful attack against an ID-based ring signature
scheme, which we call a chosen message and identities attack. Such an attacker $\mathcal{A}$
is allowed to:
- make $Q_1$ queries to the random oracle $H_1$ and $Q_2$ queries to the random
oracle $H_2$;
- ask for the secret key of $Q_e$ identities of its choice (extracting oracle);
- ask $Q_s$ times for valid ring signatures, on behalf of rings of its choice, of
messages of its choice (signing oracle).
The total number of queries must be polynomial in the security parameter.
The attacker is successful if it outputs, in polynomial time and with
non-negligible probability, a valid ring signature for some message $m$ and some ring
of users $\mathcal{U} = \{U_1, \ldots, U_n\}$ such that:
- the attacker has not asked for the secret key of any of the members of the
ring $\mathcal{U}$;
- the attacker has not asked for a valid ring signature, on behalf of the ring
$\mathcal{U}$, of message $m$.
3.2 The Computational Diffie-Hellman Problem
We consider the following well-known problem in the group $G_1$ of prime order
$q$, generated by $P$.
Definition 1. Given the elements $P, aP, bP \in G_1$, for some random values
$a, b \in \mathbb{Z}_q$, the Computational Diffie-Hellman (CDH) problem consists of
computing the element $abP$.
The Computational Diffie-Hellman Assumption asserts that, if the order of
$G_1$ is $q \geq 2^k$, then any polynomial time algorithm that solves the CDH problem
has a success probability $p_k$ which is negligible in the security parameter $k$. In
other words, for all polynomial $f()$, there exists an integer $k_0$ such that
$p_k < \frac{1}{f(k)}$, for all $k \geq k_0$.
3.3 Proving the Unforgeability of the Scheme
We start with a technical lemma which will be necessary for the proof of the
main result. Its proof can be found in [7].
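Lemma 1. (The Splitting Lemma) Let $A \subset X \times Y$ such that $\Pr[(x, y) \in A] \geq \delta$.
For any $\alpha < \delta$, define
$$B = \{(x, y) \in X \times Y \mid \Pr_{y' \in Y}[(x, y') \in A] \geq \delta - \alpha\}.$$
Then the following statements hold:
1. $\Pr[B] \geq \alpha$.
2. For any $(x, y) \in B$, $\Pr_{y' \in Y}[(x, y') \in A] \geq \delta - \alpha$.
3. $\Pr[B \mid A] \geq \alpha/\delta$.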
We prove now that the existence of a successful attack against the ID-based
ring signature scheme could be used to solve the Computational Diffie-Hellman
problem in $G_1$ (a proof by reduction). Since this problem is assumed to be hard,
we conclude that there does not exist such an attack. In this way, the scheme
is proved to be existentially unforgeable under chosen message and identities
attacks.
In this proof, we assume that the hash functions $H_1$ and $H_2$ behave as random
oracles [2].
Theorem 1. Let $k$ be a security parameter, and let the order of $G_1$ be $q \geq 2^k$.
Let $\mathcal{A}$ be a probabilistic polynomial time Turing machine attacking the considered
ID-based ring signature scheme. We denote by $Q_1$, $Q_2$, $Q_e$ and $Q_s$ the number of
queries that $\mathcal{A}$ can ask to the random oracles $H_1$ and $H_2$ and to the extracting
and signing oracles, respectively. We denote by $N$ the maximum cardinality of
the rings for which $\mathcal{A}$ asks for a valid signature.
Assume that $\mathcal{A}$ produces, within polynomial time $t$ and with non-negligible
probability of success $\varepsilon$, a valid ring signature $(\mathcal{U}, m, c_0, T_0, T_1, \ldots, T_{n-1})$, such
that $\mathcal{A}$ has not asked for the secret key of any of the members of $\mathcal{U}$, and has
not asked for a valid ring signature of $m$ on behalf of the ring $\mathcal{U}$. Assume that
$q > \max\{(Q_1 + Q_e)^2, 2N, 2Q_2 Q_s\}$ and that $\varepsilon > \frac{64 Q_2^2}{q}$.
Then the Computational Diffie-Hellman problem in $G_1$ can be solved with
probability $\varepsilon' \geq \frac{9}{100 Q_1}$ and in time $t' \leq \frac{64 Q_2^2}{\varepsilon} t$.
Proof. Let $(P, aP, bP)$ be an input of the CDH problem in $G_1$, for some random
$a, b \in \mathbb{Z}_q$. We design a solver algorithm $\mathcal{B}$ that uses the attacker $\mathcal{A}$ as a
subroutine, and finds the solution of the CDH problem.
First, $\mathcal{B}$ runs the setup phase of the ID-based ring signature scheme, defining
the public master key as $Y = aP$. Then $\mathcal{B}$ runs the attacker $\mathcal{A}$. The algorithm
$\mathcal{B}$ must simulate the environment of the attacker $\mathcal{A}$; that is, it must provide
consistent answers to all the queries that $\mathcal{A}$ is allowed to make (random oracles
$H_1$ and $H_2$, extracting and signing oracles).
Furthermore, $\mathcal{B}$ chooses at random a value $\ell \in \{1, 2, \ldots, Q_1\}$. When the
attacker $\mathcal{A}$ makes the $\ell$-th query to the random oracle $H_1$, with some identity
$ID_\ell$, the algorithm $\mathcal{B}$ sets $PK_\ell = H_1(ID_\ell) = bP$, and sends this value to the
attacker. Later, if the attacker $\mathcal{A}$ asks for the secret key of $ID_\ell$ to the extracting
oracle, then the algorithm $\mathcal{B}$ stops and outputs “fail”.
For the rest of identities $\{ID_j\}_{1 \leq j \leq Q_e + Q_1}$ that $\mathcal{A}$ queries to the extracting
oracle or to the random oracle $H_1$, $\mathcal{B}$ can provide consistent answers as follows:
$\mathcal{B}$ chooses a random element $x_j \in \mathbb{Z}_q$ and computes the values $PK_j = x_j P$ and
$SK_j = x_j Y$, where $Y$ is the master public key. Then $\mathcal{B}$ sets $H_1(ID_j) = PK_j$,
and stores this relation in a random oracle list for $H_1$. If the query was a random
oracle query, $\mathcal{B}$ sends to $\mathcal{A}$ the value $PK_j$. If the query was an extracting query,
$\mathcal{B}$ sends to $\mathcal{A}$ the value $SK_j$ for the secret key, as well.
The only inconsistency problem happens if two different executions (with
different identities $ID_i$ and $ID_j$) of this simulation result in the same value
$PK_i = PK_j$. The probability of such a collision is, however, less than
$\frac{(Q_1 + Q_e)^2}{2} \cdot \frac{1}{q}$.
On the other hand, every time that $\mathcal{A}$ asks for a valid ring signature for a
message $m$ and a ring $\mathcal{U}$, the algorithm $\mathcal{B}$ proceeds as follows:
1. Choose at random $c_0 \in \mathbb{Z}_q$.
2. For $i = 0, 1, \ldots, n-1$, choose $T_i$ at random in $G_1$. If $i \neq n-1$, compute
$c_{i+1} = H_2(\mathcal{U}, m, e(T_i, P) \cdot e(c_i PK_i, Y))$. In order to compute this value, the
algorithm $\mathcal{B}$ constructs, as before, a random oracle list for $H_2$. If the input is
already in the list, it outputs the matching value. If not, it chooses a random
value in $\mathbb{Z}_q$, outputs it and stores the new relation in the list.
3. Define $H_2(\mathcal{U}, m, e(T_{n-1}, P) \cdot e(c_{n-1} PK_{n-1}, Y))$ to be $c_0$. Store this relation
in the list for $H_2$.
4. Send the tuple $(\mathcal{U}, m, c_0, T_0, T_1, \ldots, T_{n-1})$ to $\mathcal{A}$.
For the queries of $\mathcal{A}$ to the random oracle $H_2$, the algorithm $\mathcal{B}$ proceeds in the
same way: it looks for the input in the list, outputting the matching value if it
finds it, or a random value otherwise. Now the risk is that, in step 3 of the above
simulation process, the obtained tuple $(\mathcal{U}, m, e(T_{n-1}, P) \cdot e(c_{n-1} PK_{n-1}, Y))$ has
been already queried by $\mathcal{A}$ to the random oracle $H_2$. The probability of such a
collision is less than $\frac{Q_2}{q}$ for each execution of the signature simulation, and so
less than $\frac{Q_s Q_2}{q}$ for the whole process.
Summing up, the algorithm $\mathcal{B}$ successfully simulates the environment of $\mathcal{A}$
with probability greater than
$$\epsilon_1 = \left(1 - \frac{(Q_1 + Q_e)^2}{2q}\right)\left(1 - \frac{Q_s Q_2}{q}\right).$$
We denote by $\omega$ the whole set of random tapes that take part in an attack
by $\mathcal{A}$, with the environment simulated by $\mathcal{B}$, but excluding the randomness
related to the oracle $H_2$. The success probability of $\mathcal{A}$ in forging a valid ring
signature is then taken over the space $(\omega, H_2)$. If we denote by $S$ the set
of successful executions of $\mathcal{A}$, we have that $\Pr[(\omega, H_2) \in S] \geq \varepsilon$.
Now consider a ring signature $(\mathcal{U}, m, c_0, T_0, T_1, \ldots, T_{n-1})$ forged by $\mathcal{A}$. We
denote as $R_i$ the value $e(T_i, P) \cdot e(c_i PK_i, Y)$, for all $i = 0, \ldots, n-1$. We use the
notation $\mathcal{Q}_1, \mathcal{Q}_2, \ldots, \mathcal{Q}_{Q_2}$ for the different queries that $\mathcal{A}$ makes to the random
oracle $H_2$. By the ideal randomness of this oracle, the probability that $\mathcal{A}$ has
not asked for some of the tuples $(\mathcal{U}, m, R_i)$, with $i = 0, \ldots, n-1$ (and so $\mathcal{A}$ must
have guessed the corresponding output), is less than $\frac{n}{q} \leq \frac{N}{q}$.
We refer as $S'$ to the successful executions of $\mathcal{A}$, with $\mathcal{B}$ simulating its
environment, where $\mathcal{A}$ has queried all the tuples $(\mathcal{U}, m, R_i)$ in the forged signature
to the random oracle $H_2$. We have that
$$\epsilon_2 = \Pr[(\omega, H_2) \in S'] \geq \varepsilon \, \epsilon_1 \left(1 - \frac{N}{q}\right).$$
The restriction on the values of $q$, $Q_1$, $Q_2$, $Q_e$ and $Q_s$ in the statement of this
theorem implies that $\epsilon_2 > \varepsilon/8$.
Because of the ring structure formed by the queries that $\mathcal{A}$ makes to the
random oracle $H_2$, there exists at least one index $k \in \{1, 2, \ldots, n\}$ such that the
query $\mathcal{Q}_u = (\mathcal{U}, m, R_k)$ was made to $H_2$ before the query $\mathcal{Q}_v = (\mathcal{U}, m, R_{k-1})$
(that is, $u < v$). This pair $(u, v)$ is called then a gap index. If there are two
or more gap indexes in a forged signature, we consider only the one with the
smallest value $u$. This allows us to define the subset $S'_{u,v}$ of $S'$ as the set of
executions in $S'$ whose gap index is $(u, v)$. This gives us a partition of $S'$ in
exactly $\frac{Q_2(Q_2+1)}{2}$ classes.
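If $\mathcal{B}$ invokes $t_1 = 1/\epsilon_2$ times the attacker $\mathcal{A}$ with randomly chosen $(\omega, H_2)$,
it obtains a successful execution $(\tilde\omega, \tilde H_2) \in S'_{u,v}$, for some gap index $(u, v)$, with
probability
$$1 - (1 - \epsilon_2)^{1/\epsilon_2} = 1 - \left[\left(1 + \frac{1}{-1/\epsilon_2}\right)^{-1/\epsilon_2}\right]^{-1} \geq 1 - e^{-1} > 3/5.$$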
Now we define the set of gap indexes which are more likely to appear as
$$I = \left\{(u, v) \ \text{s.t.}\ \Pr[(\omega, H_2) \in S'_{u,v} \mid (\omega, H_2) \in S'] \geq \frac{1}{Q_2(Q_2+1)}\right\}.$$
And the corresponding subset of successful executions as
$S'_I = \{(\omega, H_2) \in S'_{u,v} \ \text{s.t.}\ (u, v) \in I\}$.
It holds that $\Pr[(\omega, H_2) \in S'_I \mid (\omega, H_2) \in S'] \geq 1/2$. In effect, since the sets
$S'_{u,v}$ are disjoint, we have
$$\Pr[(\omega, H_2) \in S'_I \mid (\omega, H_2) \in S'] = \sum_{(u,v) \in I} \Pr[(\omega, H_2) \in S'_{u,v} \mid (\omega, H_2) \in S'] = 1 - \sum_{(u,v) \notin I} \Pr[(\omega, H_2) \in S'_{u,v} \mid (\omega, H_2) \in S'].$$
Since the complement of $I$ contains at most $\frac{Q_2(Q_2+1)}{2}$ gap indexes, we have that
this probability is greater than $1 - \frac{Q_2(Q_2+1)}{2} \cdot \frac{1}{Q_2(Q_2+1)} = 1/2$. Therefore, with
probability at least $1/2$, the specific successful execution $(\tilde\omega, \tilde H_2)$ is in $S'_I$.
Consider any possible likely gap index $(u, v) \in I$; we have that
$$\Pr[(\omega, H_2) \in S'_{u,v}] = \Pr[(\omega, H_2) \in S'] \cdot \Pr[(\omega, H_2) \in S'_{u,v} \mid (\omega, H_2) \in S'] \geq \epsilon_2 \cdot \frac{1}{Q_2(Q_2+1)}.$$
We split $H_2$ as $(H'_2, c_k)$, where $H'_2$ corresponds to the answers of all the queries to
$H_2$ except the query $\mathcal{Q}_v$, whose answer is denoted as $c_k$. We apply the Splitting
Lemma (Lemma 1), taking $X = (\omega, H'_2)$, $Y = c_k$, $A = S'_{u,v}$, $\delta = \frac{\epsilon_2}{Q_2(Q_2+1)}$ and
$\alpha = \frac{\epsilon_2}{2Q_2(Q_2+1)}$. The lemma says that there exists a subset of executions
$\Omega_{u,v}$ such that:
$$\Pr[(\omega, H_2) \in \Omega_{u,v} \mid (\omega, H_2) \in S'_{u,v}] \geq \frac{\alpha}{\delta} = \frac{1}{2}$$
and such that, for any $(\omega, H_2) \in \Omega_{u,v}$:
$$\Pr_{c'_k}[(\omega, H'_2, c'_k) \in S'_{u,v}] \geq \delta - \alpha = \frac{\epsilon_2}{2Q_2(Q_2+1)}.$$
Assuming that the concrete execution $(\tilde\omega, \tilde H'_2, \tilde c_k)$ is in $S'_I$, for some concrete
gap index $(\tilde u, \tilde v) \in I$, then with probability greater than $1/2$, the execution is also
in $\Omega_{\tilde u,\tilde v}$. In this case, if we now repeat
$t_2 = \left(\frac{\epsilon_2}{2Q_2(Q_2+1)} - \frac{1}{q}\right)^{-1}$ times the attack
$\mathcal{A}$ with fixed $(\tilde\omega, \tilde H'_2)$ and randomly chosen $c'_k \in \mathbb{Z}_q$, we obtain with probability
again greater than $3/5$ a new $c'_k$ such that $(\tilde\omega, \tilde H'_2, c'_k) \in S'_{\tilde u,\tilde v}$ and such that
$c'_k \neq \tilde c_k$.
Since we have imposed in the statement of the theorem that $\varepsilon > \frac{64 Q_2^2}{q}$, we have
in particular that $\frac{\epsilon_2}{2Q_2(Q_2+1)} > \frac{2}{q}$, which implies that
$t_2 < \frac{4Q_2(Q_2+1)}{\epsilon_2}$.
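The total probability is then
$\epsilon_3 \geq \frac{3}{5} \cdot \frac{1}{2} \cdot \frac{1}{2} \cdot \frac{3}{5} = \frac{9}{100}$, and the polynomial
number of repetitions of the attack $\mathcal{A}$ is
$$t_1 + t_2 < \frac{1}{\epsilon_2} + \frac{4Q_2(Q_2+1)}{\epsilon_2} < \frac{8}{\varepsilon} + \frac{8 \cdot 4 \cdot Q_2 \cdot 2Q_2}{\varepsilon} = \frac{64 Q_2^2 + 8}{\varepsilon}.$$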
Now consider the two successful executions of the attack $(\tilde\omega, \tilde H'_2, \tilde c_k)$ and
$(\tilde\omega, \tilde H'_2, c'_k)$ that the algorithm $\mathcal{B}$ has obtained. Since the random tapes and $H_1$
are identical, and the answers of the random oracle $H_2$ are the same until the
query $\mathcal{Q}_{\tilde v} = (\mathcal{U}, m, R_{k-1})$, we have in particular that the query $\mathcal{Q}_{\tilde u} = (\mathcal{U}, m, R_k)$,
which happens before $\mathcal{Q}_{\tilde v}$, is also identical for the two executions. Therefore,
$R_k = e(T_k, P) \cdot e(\tilde c_k PK_k, Y) = e(T'_k, P) \cdot e(c'_k PK_k, Y)$, with $c'_k \neq \tilde c_k$.
On the other hand, with probability $1/Q_1$, the choice of the index $\ell$ made by
$\mathcal{B}$ is a correct guess, and the public key $PK_\ell$ corresponds precisely to this $PK_k$.
In particular, this means that the attacker $\mathcal{A}$ has not asked for the secret key
matching with $PK_\ell$, and so the CDH-solver $\mathcal{B}$ has not output “fail”.
Summing up, with probability $\varepsilon' \geq \frac{9}{100 Q_1}$ and in time $t' \leq \frac{64 Q_2^2 + 8}{\varepsilon} t$, the
algorithm $\mathcal{B}$ obtains values $T_k, T'_k, \tilde c_k, c'_k$ such that
$e(T_k, P) \cdot e(\tilde c_k PK_k, Y) = e(T'_k, P) \cdot e(c'_k PK_k, Y)$, where $PK_k = PK_\ell = bP$ and $Y = aP$.
Since the pairing $e$ is bilinear and non-degenerate, the previous equality implies
that $e(T_k + \tilde c_k abP, P) = e(T'_k + c'_k abP, P)$ and so $T_k - T'_k = (c'_k - \tilde c_k) abP$.
Since $c'_k \neq \tilde c_k$, one can compute the inverse of $c'_k - \tilde c_k$ modulo $q$, and therefore
$\mathcal{B}$ obtains the solution of the CDH problem:
$$abP = \frac{1}{c'_k - \tilde c_k} (T_k - T'_k) \in G_1.$$
□
Assuming that the Computational Diffie-Hellman problem cannot be solved
in polynomial time and with non-negligible probability, this theorem implies
that Zhang and Kim’s ID-based ring signature scheme is unforgeable under
chosen message and identities attacks.
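The scheme of Section 2.3 and the last step of the proof of Theorem 1 (rewinding the forger on the answer to the query $\mathcal{Q}_v$ and solving for $abP$), as an added Python example that is not part of the paper. It assumes an insecure toy pairing ($G_1 = \mathbb{Z}_q$ with $P = 1$ and $e(A, B) = g^{AB}$ in a subgroup of $\mathbb{Z}_p^*$) and represents the ring by its list of public keys; all function names are hypothetical, and `keyed_forger` stands in for the attacker by holding the target secret key.

```python
import hashlib, math, random, secrets

# Toy symmetric pairing (an assumption of this example, NOT secure):
# G1 = (Z_q, +) with P = 1, G2 = order-q subgroup of Z_p^*, e(A, B) = g^(A*B).
# Discrete logs in G1 are trivial here; only the scheme's algebra is shown.
Q = 2**31 - 1                                        # prime order q
def is_prime(n):
    return all(n % d for d in range(2, math.isqrt(n) + 1))
K = next(k for k in range(2, 10**5, 2) if is_prime(k * Q + 1))
P_MOD = K * Q + 1                                    # prime p with q | p - 1
G = next(g for g in (pow(h, K, P_MOD) for h in range(2, 99)) if g != 1)
P = 1                                                # generator of G1

def e(A, B):
    return pow(G, A * B % Q, P_MOD)

def hash_to_int(*parts):
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def H1(identity):                                    # {0,1}* -> G1 - {0}
    return hash_to_int("H1", identity) % (Q - 1) + 1

def H2(pks, m, R):                                   # ring given by its public keys
    return hash_to_int("H2", tuple(pks), m, R) % Q

def setup():
    x = secrets.randbelow(Q - 1) + 1                 # master secret key x (nonzero)
    return x, x * P % Q                              # (x, Y = xP)

def extract(x, identity):
    return x * H1(identity) % Q                      # SK_U = x PK_U

def R_value(T_i, c_i, pk_i, Y):                      # e(T_i, P) * e(c_i PK_i, Y)
    return e(T_i, P) * e(c_i * pk_i % Q, Y) % P_MOD

def sign(pks, m, s, sk_s, Y, h2=H2, rnd=None):
    rnd = rnd or secrets.SystemRandom()
    n, c, T = len(pks), {}, {}
    t = rnd.randrange(Q)                             # step 1
    c[(s + 1) % n] = h2(pks, m, e(t, P))
    for i in ((s + j) % n for j in range(1, n)):     # step 2: i = s+1, ..., s-1
        T[i] = rnd.randrange(Q)
        c[(i + 1) % n] = h2(pks, m, R_value(T[i], c[i], pks[i], Y))
    T[s] = (t - c[s] * sk_s) % Q                     # step 3 closes the ring
    return c[0], [T[i] for i in range(n)]            # step 4

def verify(pks, m, sig, Y, h2=H2):
    c0, T = sig
    c = c0
    for T_i, pk_i in zip(T, pks):
        c = h2(pks, m, R_value(T_i, c, pk_i, Y))
    return len(T) == len(pks) and c == c0

def keyed_forger(sk, s, m="forged"):
    # Hypothetical stand-in for the attacker: it holds SK_s only so that it succeeds.
    return lambda pks, Y, h2, rnd: (m, sign(pks, m, s, sk, Y, h2, rnd))

def fork_and_extract(aP, bP, forger, n=3, ell=1):
    # The solver embeds Y = aP and PK_ell = bP, runs the forger twice on one
    # random tape, changes only the H2 answer to Q_v = (U, m, R_{k-1}), solves abP.
    pks = [bP if j == ell else random.randrange(1, Q) for j in range(n)]
    tape, answers = random.getrandbits(64), [random.randrange(Q) for _ in range(n)]
    def run(ans):
        log = []                                     # distinct H2 queries, in order
        def oracle(_pks, m, R):
            if (m, R) not in log:
                log.append((m, R))
            return ans[log.index((m, R))]
        return forger(pks, aP, oracle, random.Random(tape)) + (log,)
    m, (c0, T), log = run(answers)
    pos, c = [], c0                                  # pos[i] = query index of R_i
    for i in range(n):
        pos.append(log.index((m, R_value(T[i], c, pks[i], aP))))
        c = answers[pos[i]]
    k = min((i for i in range(n) if pos[i] < pos[i - 1]), key=lambda i: pos[i])
    v, c_old = pos[k - 1], answers[pos[k - 1]]       # gap index (u, v), u = pos[k]
    c_new = (c_old + 1 + random.randrange(Q - 1)) % Q    # fresh answer, != c_old
    T2 = run(answers[:v] + [c_new] + answers[v + 1:])[1][1]
    return (T[k] - T2[k]) * pow(c_new - c_old, -1, Q) % Q if k == ell else None
```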
4 Conclusions
In this work we provide a formal model to analyze the unforgeability of ID-based
ring signature schemes, by defining the goals and the capabilities of an adversary
against such a scheme. Then we prove that the scheme proposed by Zhang and
Kim in [10] achieves this level of security, in the random oracle model.
In some way this result completes the work of Zhang and Kim. They designed
the scheme and showed that it is unconditionally anonymous, but did not
formally prove its unforgeability.
Furthermore, the new formal security model could be used to analyze the
security of future proposals of ID-based ring signature schemes.
References
1. M. Abe, M. Ohkubo and K. Suzuki. 1-out-of-n signatures from a variety of keys.
Advances in Cryptology-Asiacrypt’02, LNCS 2501, Springer-Verlag, pp. 415–432
(2002).
2. M. Bellare and P. Rogaway. Random oracles are practical: a paradigm for designing
efficient protocols. First ACM Conference on Computer and Communications
Security, pp. 62–73 (1993).
3. E. Bresson, J. Stern and M. Szydlo. Threshold Ring Signatures for Ad-hoc Groups.
Advances in Cryptology-Crypto’02, LNCS 2442, Springer-Verlag, pp. 465–480
(2002).
4. S. Goldwasser, S. Micali and R. Rivest. A digital signature scheme secure against
adaptive chosen-message attacks. SIAM Journal of Computing, 17 (2), pp. 281–308
(1988).
5. J. Herranz and G. Sáez. Forking lemmas for ring signature schemes. Proceedings
of Indocrypt’03, LNCS 2904, Springer-Verlag, pp. 266–279 (2003).
6. F. Hess. Efficient identity based signature schemes based on pairings. Proceedings
of SAC’02, LNCS 2595, Springer-Verlag, pp. 310–324 (2002).
7. D. Pointcheval and J. Stern. Security arguments for digital signatures and blind
signatures. Journal of Cryptology, Vol. 13 (3), pp. 361–396 (2000).
8. R. Rivest, A. Shamir and Y. Tauman. How to leak a secret. Advances in
Cryptology-Asiacrypt’01, LNCS 2248, Springer-Verlag, pp. 552–565 (2001).
9. A. Shamir. Identity-based cryptosystems and signature schemes. Advances in
Cryptology-Crypto’84, LNCS 196, pp. 47–53 (1984).
10. F. Zhang and K. Kim. ID-based blind signature and ring signature from pairings.
Advances in Cryptology-Asiacrypt’02, LNCS 2501, Springer-Verlag, pp. 533–547
(2002).
11. The Pairing-Based Crypto Lounge. Web page maintained by Paulo Barreto:
http://planeta.terra.com.br/informatica/paulobarreto/pblounge.html