FORCING OUT A CONFESSION

Threshold Discernible Ring Signatures

Swarun Kumar, Shivank Agrawal

Indian Institute of Technology, Madras, India

Ramarathnam Venkatesan, Satya Lokam

Microsoft Research, Bangalore, India

C. Pandu Rangan

Indian Institute of Technology, Madras, India

Keywords:

Ring signatures, Step out, Threshold discernible, Veriﬁable secret sharing.

Abstract:

Ring signature schemes (Rivest et al., 2001) enable a signer to sign a message and remain hidden within an

arbitrary group A of n people, called a ring. The signer may choose this ring arbitrarily without any setup

procedure or the consent of anyone in A. Among several variations of the notion, step out ring signatures

introduced in (Klonowski et al., 2008) address the issue of a ring member proving that she is not the original

signer of a message, in case of dispute. First we show that the scheme in (Klonowski et al., 2008) has

several ﬂaws and design a correct scheme and prove formally the security of the same. Then we use the basic

constructs of our scheme to design a protocol for a new problem, which we refer to as threshold discernible

ring signatures. In threshold discernible ring signatures, a group B of t members can co-operate to identify the

original signer of a ring signature that involved a group A of n alleged signers, where B ⊂ A and n > t. This is

the ﬁrst time that this problem is considered in the literature and we formally prove the security of our novel

scheme in the random oracle model.

1 INTRODUCTION

Ring signatures, introduced in (Rivest et al., 2001),

allow a signer to sign a message on behalf of an arbi-

trary group A of n people, called the ring. The signer

may hide behind the arbitrarily chosen ring A, without

any setup procedure or the consent of the other mem-

bers of A. Such signatures have been expanded to var-

ious applications: deniable ring authentication (Naor,

2002; Susilo and Mu, 2004), linkable ring signature

schemes that allow one to link signatures signed by

the same person, short versions of linkable ring signa-

ture (Tsang and Wei, 2005; Au et al., 2006). Further-

more, identity based ring signature schemes, which

allow ring construction across different identity-based

master domains (Cheng et al., 2004; Awasthi and Lal,

2005; Savola, 2006) and confessible threshold ring

signature (Chen et al., 2006), where the actual signer

can prove that she has created the signature, have also

been proposed in literature.

Even though the original intent was to keep the

real signer anonymous, in the event of a dispute, a

member of the ring A may want to prove that she was

not the actual signer of a particular message. A new

variant called step out ring signature was introduced

in (Klonowski et al., 2008); here the real signer can

prove that she created the signature, while any one

else in the ring can prove that she is not the origi-

nal signer. Their proposal was an intermediate solu-

tion between the classical ring and group signatures,

and can be used for instance in e-auction schemes,

and this is the only scheme present in the literature.

However, our attack presented here shows that their

scheme allows a third party, who is not a member of

the ring, to forge a signature on behalf of the ring.

In another scenario, we break the anonymity of the

signer of a ring signature. Hence, till date, there is no

correct and provably secure scheme available for step

379

Kumar S., Agrawal S., Venkatesan R., Lokam S. and Pandu Rangan C. (2010).

FORCING OUT A CONFESSION - Threshold Discernible Ring Signatures.

In Proceedings of the International Conference on Security and Cryptography, pages 379-388

DOI: 10.5220/0002984203790388

 SciTePress

out ring signatures.

Exposing the identity of the original signer of a

ring signature may arise in several other contexts as

well. Suppose a petitioner wishes to send a complaint

regarding certain government ofﬁcials on behalf of

several people, say the residents of her locality. The

signer wishes to remain anonymous in order to pre-

vent harassment from the concerned ofﬁcials. How-

ever, any resident who disagrees with the complaint

must have the right to prove that she is not the peti-

tioner. At the same time, a sufﬁciently large threshold

of the residents should be able to discover the identity

of the petitioner, in case the complaint was malicious.

Consider a joint bank account scenario, where n

people share a single account. Any account holder

among these n people is authorized to sign and trans-

act with the bank. The bank will only knowthat some-

one among these n people has signed, but will not

know the exact identity of the signer. Hence the sit-

uation cannot afford a centralized manager. Now, in

case of fraud by any one of the n members, anythresh-

old of t people among the n members can cooperate

and identify the fraudulent person.

Our Contributions. We perform cryptanalysis on

the step out ring signature scheme (Klonowski et al.,

2008) and identify defects in unforgeability and

anonymity. We additionally provide appropriate mod-

iﬁcations in order to present a provably secure step

out ring signature scheme under the random oracle

model.

We introduce the concept of threshold discernible

ring signatures, where a threshold of t signers are to-

gether capable of ﬁnding the identity of the original

signer. This may be applied, for example, to situa-

tions where a message has been maliciously signed

on behalf of a ring of signers and a majority (or a

threshold t) of the ring members decide to unmask

the original signer of the message. We shall use the

basic constructs of our modiﬁed step out ring signa-

ture scheme to produce a threshold discernible ring

signature scheme.

2 PRELIMINARIES

We shall consider rings with n members, denoted by

,··· ,U

. Let p,q be large primes (p,q >> n),

q|p− 1, and G =< g > be an order q cyclic subgroup

of Z

∗

. For the sake of simplicity we shall skip “mod

p” if it follows from the context. We assume that user

holds a private key x

; the corresponding public

key is y

= g

. The key y

is publicly available. H de-

notes a secure hash function {0, 1}

∗

→ {0, 1}

, where

k is a ﬁxed constant. We assume that the following

assumptions are fulﬁlled in G:

Deﬁnition 1 - Decisional Difﬁe-Hellman Assump-

tion. Let G be a cyclic group generated by g of order

q. Let A

DDH

be an algorithm that has to distinguish

= (g,g

) from c

= (g,g

) for ran-

domly chosen a, b,c ∈ Z

. Let Adv

ddh

= |Pr[A (c

) =

1] − Pr[A (c

) = 1]| be called the advantage of A in

breaking the DDH problem.

The DDH assumption holds for G, if advan-

tage Adv

ddh

is negligible for each probabilistic

polynomial-time algorithm A , i.e. Adv

ddh

< ε

ddh

where ε

ddh

is negligible.

Deﬁnition 2 - Discrete Logarithm (DL) Assump-

tion. Let G be a cyclic group generated by g of order

q. Let A be an algorithm such that on input g

, where

a ∈ Z

, A should output a. Let Succ

= Pr[A (g

) =

a] be called the success of A in breaking the DL prob-

lem.

The DL assumption holds in G, if for each proba-

bilistic polynomial-time algorithm A , success Succ

is negligible, i.e. Succ

< ε

where ε

is negligible.

2.1 SKDL Proof of Knowledge

The SKDL proof of knowledge is a signature of

knowledge of discrete logarithms deﬁned in (Ca-

menisch, 1997). It is based on the Schnorr signature

scheme (Schnorr, 1991). This signature proves the

knowledge of x : y = g

in the context of a message

m. We explain the construction and veriﬁcation be-

low.

SKDL Construction. The construction

SKDL(g,y,m) is described below. It is executed

by the prover who possesses x : y = g

. Note that g is

a generator of the group G.

1. Pick r ←

∗

2. Calculate c = H (g||y||g

||m).

3. Calculate

s = r− cx (1)

The procedure returns the values (c,s).

SKDL Veriﬁcation. The veriﬁcation procedure

SKDL

(g,y,m) is executed by the veriﬁer and checks

if:

= H (g||y||g

||m)

This proves that the prover is aware of discrete loga-

rithm x = log

(y) without actually revealing x.

SECRYPT 2010 - International Conference on Security and Cryptography

380

2.2 SEQDL Proof of Knowledge

The step-out ring signature scheme in (Klonowski

et al., 2008) is based on a signature of knowl-

edge of equality of discrete logarithms (SEQDL). Let

g, ˆg, ˆy

∈ G and tuples (y

,··· ,y

),(w

,··· ,w

) ∈ G

SEQDL allows a prover to prove in zero-knowledge

that log

ˆg

ˆy

= log

) for some index j, with j not

revealed to the veriﬁer.

Preliminaries. Recall that G is an order q cyclic

subgroup of Z

∗

with g as its generator. Let U

a prover who has the following information:

– Y = (y

,··· ,y

) ∈ G

– For a speciﬁc index j, U

knows x

: y

= g

Note that U

is not aware of the discrete loga-

rithms of y

∈ Y : i 6= j.

– W = (w

,··· ,w

) ∈ G

and (r

,··· ,r

) ∈ Z

where w

= g

for all i = 1, · · · ,n. Note that unless

is the signer, she is not aware of the discrete

logarithms of w

∈ W : i 6= j.

– ˆg ∈ G, which is randomly chosen by the signer

and ˆy = ˆg

Using these values, U

wishes to convince the veriﬁer

that the discrete logarithms log

ˆg

ˆy

and log

) are

equal, with the index j not revealed to the veriﬁer. U

achieves this by executing the SEQDL construction

algorithm and passing the outputs to the SEQDL ver-

iﬁcation algorithm. The details are given below:

SEQDL Construction. The SEQDL construc-

tion algorithm, run by the U

, is SEQDL( ˆg,g

, ˆy

,Y,W,m). Typically, the vector W is cho-

sen by the signer. However, W may be created and

used in different ways provide three different mecha-

nisms for stepping out, as discussed in section 4. The

construction of SEQDL is as follows:

1. Pick random elements r ∈ Z

and c

∈ Z

, for

i ∈ {1,··· ,n}\{ j}.

2. For all i ∈ {1, · · · , n}\{ j}, user U

computes:

← ˆg

ˆy

← g

)

← ˆg

← g

(2)

3. We denote Y = y

||···||y

, W = w

||···||w

4. Compute:

← H ( ˆg||g|| ˆy

||Y||W||t

||u

||···||t

||u

||m)

−

∑

i<n,i6= j

(3)

← r − (x

+ r

mod q (4)

The algorithm ﬁnally returns (C, S) where C =

,··· ,c

) , S = (s

,··· ,s

SEQDL Veriﬁcation. Given a signature

SEQDL( ˆg, g ,x

, ˆy

,Y,W,m) = (C, S), with

parameters ˆg, g, ˆy

, Y, W, and a message m, the

veriﬁcation algorithm V

SEQDL

( ˆg, g, ˆy

,Y,W,C,S, m),

run by the veriﬁer, checks if:

∑

i=1

= H ( ˆg||g|| ˆy

||Y||W|| ˆg

ˆy

||g

)

||···

|| ˆg

ˆy

||g

)

||m)

(5)

The veriﬁer returns 1 if the above condition succeeds,

0 otherwise. When veriﬁcation returns 1, the veri-

ﬁer is convinced of the equality of discrete logarithms

log

ˆg

ˆy

and log

) with the index j ∈ {1,··· ,n}

unknown to the veriﬁer.

3 STEP OUT RING SIGNATURES

(SRS)

3.1 Scheme Outline

Let us assume that U

is the real signer and

,··· ,U

are all ring members. Let the private and

public key of user U

be x

and y

= g

respectively.

For Step-out Ring Signatures (SRS) we have the

following procedures:

Signing Procedure. S

SRS

(g, ˆg,x

,Y,m) is a ran-

domized algorithm that takes generator g and a

random element ˆg ∈< g >, ˆg 6= 1, the secret key

, the set of public keys y

,··· ,y

⊂< g > and a

message m. It returns a signature σ.

Veriﬁcation Procedure. V

SRS

(σ,m) is a deter-

ministic algorithm that takes a message m, and a

signature σ for m. It returns a bit: 1 or 0 to indicate

whether σ is valid, i.e. someone having a public key

in a set Y indicated by σ has signed m.

Confession Procedure. Let σ be a step-out

ring signature on m produced by member U

of the

ring. In the confession procedure, U

proves that

she is indeed the original signer of m and produced

σ. Towards this, U

produces a confession record

′

, which is yet another signature by U

on m.

The veriﬁer runs C

SRS

(σ,σ

′

,m), a deterministic

algorithm which takes as input σ, σ

′

, m and the

public key y

of user U

, and returns either a bit

1 to conﬁrm that U

has created σ or a bit 0 otherwise.

Step-out Procedure. Let σ be a step-out ring

signature on m produced by member U

of the ring.

During step-out, a ring member U

,i 6= j proves that

she not the original signer of m. Here, U

produces

FORCING OUT A CONFESSION - Threshold Discernible Ring Signatures

381

step-out records σ

′′

,σ

′′′

, which are SRS signatures

for the message ˜m =“I have not signed m”. The

veriﬁer runs D

SRS

(σ,m,σ

′′

,σ

′′′

, ˜m), a deterministic

algorithm which takes as input σ, σ

′′

, σ

′′′

, m and the

public key y

of user U

, and returns either a bit 1 to

conﬁrm that U

has not created σ or a bit 0 otherwise.

3.2 Step Out Ring Signatures

We recall the signing and veriﬁcation procedures of

the step out ring signature scheme in (Klonowski

et al., 2008).

3.2.1 Signing Algorithm

The signing algorithm is run by user U

with private

key x

to produce a ring signature corresponding to

n users with public keys Y = (y

,··· ,y

). Note that

parameter ˆg ∈ G is randomly chosen by the signer.

Algorithm S

SRS

(g, ˆg,x

,Y,m)

repeat

,··· ,r

←

∗

← g

for each i = 1,··· ,n

until (y

6= y

for each i 6= j)

ˆw ← ˆg

, ˆy ← ˆg

, ˆy

← ˆy ˆw

(C,S) ← SEQDL( ˆg,g, x

, ˆy

,Y,W,m)

Y ← y

,··· ,y

W ← w

,··· ,w

σ ← (g, ˆg, ˆy, ˆw,Y,W,C,S)

return (m,σ)

3.2.2 Veriﬁcation Algorithm

This algorithm is run by a veriﬁer using only public

information. Algorithm V

SEQDL

veriﬁes the SEQDL

proof of knowledge output by the signer.

Algorithm V

SRS

(σ,m)

ˆy

← ˆy ˆw

d ← V

SEQDL

( ˆg,g, ˆy

,Y,W,C,S, m)

if d = 1

then return 1

else return 0

3.2.3 Scenarios for r

Three different ways of using parameter r

, target-

ing three different applications, are suggested in

(Klonowskiet al.,2008):

1. The numbers r

are created by the signer at ran-

dom. They are kept secret unless the signer en-

ables a member of a ring to step out.

2. The numbers r

are given together with the signa-

ture. In this case the ring participants can imme-

diately step out.

3. U

generates r

herself and publishes w

. More-

over, each w

can be a kind of time stamp - a signa-

ture generated with w

has to be created no earlier

than at the time of creating w

4 CRYPTANALYSIS OF SCHEME

We have found weaknesses in the paper in the case of

scenario (1) and scenario (2) above. We explain these

below:

4.1 Forgery in Scenario 1

Under scenario 1, we show that it is easy for anyone,

even without the knowledge of any of the ring mem-

bers’ secret keys, to produce ˆy

for some j such

that log

ˆg

ˆy

= log

). We explain an algorithm

SRS

which forges a signature of (Klonowski et al.,

2008) in this manner below:

4.1.1 Forger Algorithm

Algorithm F

SRS

(g, ˆg,Y,m)

repeat

←

∗

for each i ∈ {1, · · · , n}\{ j}

← g

for each i ∈ {1, · · · , n}\{ j}

α ←

∗

← g

until (y

6= y

for each i 6= k)

β ←

∗

ˆw ← ˆg

, ˆy ← ˆg

α−β

, ˆy

← ˆy ˆw

(C,S) ← SEQDL( ˆg, g,α − β,β, ˆy

,Y,W,m)

Y ← y

,··· ,y

W ← w

,··· ,w

σ ← (g, ˆg, ˆy, ˆw,Y,W,C,S)

return (m,σ)

4.1.2 Validity

We will show that the signature produced by F

SRS

veriﬁes successfully. Note that the veriﬁcation algo-

rithm V

SRS

(σ,m) will in turn call V

SEQDL

( ˆg, g, ˆy

ˆg

,Y,W,C,S, m). By construction in equation (2)

and (3), veriﬁcation equation (5) holds provided:

)

= g

and ˆg

ˆy

= ˆg

However, these hold, since by construction in (4),

r = s

+ c

α. Hence the forged signature is consid-

ered valid.

SECRYPT 2010 - International Conference on Security and Cryptography

382

4.1.3 Salient Features

The above algorithm clearly does not use private in-

formation x

to forge a ring signature. If this were per-

formed by the k

ring member, she can step out using

the value r

. An adversary can also allow every ring

member other than the j

one to step out by releasing

the values r

for each i ∈ {1,··· ,n}\{ j}. In fact, it

can be shown that the forged sign is indistinguishable

from a signature by the j

ring member in polynomial

time. In the next section we will demonstrate how to

ﬁx this break. We will provide a corrected scheme

and unforgeability proof in the following sections.

4.2 Break of Anonymity in Scenario 2

The anonymity of the signer can be broken in the sec-

ond scenario using the parameter ˆw. Since the param-

eters r

are released together with the signature, a dis-

tinguisher simply tests if ˆg

= ˆw for each i = 1,··· ,n.

According to the protocol, this will only hold for the

signer j, thus revealing the identity of the signer.

5 MODIFIED STEP OUT RING

SIGNATURES

We will explain in this section how we can modify the

step out ring signature scheme to restore unforgeabil-

ity and anonymity.

5.0.1 Providing Unforgeability

The signer generates a random value r

, but uses only

the value x

+ r

in equation (4) of the SEQDL pro-

tocol for generating the components, (c, s). However,

there is no proof of knowledge of r

(or the other r

’s)

insisted by the veriﬁcation algorithm. Hence a forger

can generate the value ‘x

+ r

’ in an arbitrary manner

without even knowing or proving that she knows x

and r

individually. This is exactly what we did in our

forgery algorithm by reverse engineering the (x

)

values. In fact, in our forging algorithm the values α

and β are chosen in such a way that when α − β and

β are used as parameters for SEQDL, the algorithm

produces the same value that SEQDL would have pro-

duced with x

and r

. Hence, to ﬁx the above problem,

we add SKDL’s for w

’s and verify them during veri-

ﬁcation.

5.0.2 Providing Anonymity

The anonymity can be broken if the parameter ˆw is

known and the signature σ output by the signer con-

tains ˆw explicitly as a part of it. Notice that σ contains

both ˆw and ˆy but the veriﬁcation algorithm needs only

the product ˆwˆy. Hence, it is sufﬁcient to provide only

the product value ˆwˆy as a component of σ instead of

providing ˆw and ˆy as separate components. As one

can not compute ˆw from the product ˆwˆy, this modiﬁ-

cation prevents one from breaking the anonymity. In

fact, we formally prove the same.

5.1 Modiﬁed SRS Scheme

The modiﬁed SRS scheme overcomes the ﬂaws of the

step out ring signature scheme in (Klonowski et al.,

2008). This uses the SKDL which is a zero knowl-

edge proof of discrete logarithm.

5.1.1 Modiﬁed Signing Algorithm

The algorithm is run by user U

with private key x

to produce a ring signature corresponding to n users

with public keysY = (y

,··· ,y

). Note that parameter

ˆg ∈ G is randomly chosen by the signer.

Algorithm S

MSRS

(g, ˆg,x

,··· ,y

,m)

repeat

,··· ,r

←

∗

← g

for each i = 1,··· ,n

until (y

6= y

for each i 6= j)

ˆy

← ˆg

,··· ,c

,··· ,s

) ← SEQDL( ˆg, g,x

, ˆy

,··· ,y

,··· ,w

,m)

Y ← y

,··· ,y

W ← w

,··· ,w

σ = (g, ˆg, ˆy

,Y,W,c

,··· ,c

,··· ,s

{SKDL(g,w

,m),i = 1,··· , n})

return(m,σ)

5.1.2 Modiﬁed Veriﬁcation Algorithm

This algorithm is run by a veriﬁer using only public

information. Algorithm V

SKDL

is used to verify the

SKDL proofs of knowledge output by the signer.

Algorithm V

MSRS

(σ,m)

if(V

SKDL

(g,w

,m) = 0,

for any i = 1,··· ,n)

then return 0

d ← V

SEQDL

( ˆg, g, ˆy

,··· ,y

,··· ,w

,··· ,c

,··· ,s

,m)

if d = 1

then return 1

else return 0

FORCING OUT A CONFESSION - Threshold Discernible Ring Signatures

383

5.1.3 Modiﬁed Confession Algorithm

We denote Y

′

= (y

′

,··· ,y

′

) , Y

′′

= (y

′′

,··· ,y

′′

) ,

′′′

= (y

′′′

,··· ,y

′′′

). The confession record σ

′

(g, ˆg, ˆy, ˆw,Y

′

,W, SEQDL( ˆg,g,x

, ˆy. ˆw,Y

′

,W,m)) is a

new signature with the same parameters g, ˆg,W as in

σ and some new set of potential signers Y

′

: Y ∩Y

′

}, where y

stands at the same position in both se-

quences.

The confession algorithm veriﬁes whether a mem-

ber of the ring U

has generated the ring signature σ

by obtaining σ

′

from her as shown below. Note that

the veriﬁer veriﬁes σ

′

using V

SRS

because the SKDL’s

corresponding to W have already been veriﬁed in the

veriﬁcation of σ.

Algorithm C

MSRS

(σ,σ

′

,m)

if(the same g, ˆg, ˆy, ˆw,W were used in σ and σ

′

) then

← V

MSRS

(σ,m),d

← V

SRS

(σ

′

,m)

if(d

= d

= 1 and {y

} = Y ∩Y

′

and y

stands

on position j in Y

′

) then

return 1 else return 0

else return 0

5.1.4 Modiﬁed Step-out Algorithm

We deﬁne the step-out records σ

′′

, σ

′′′

below:

– σ

′′

= (g,ˆg, ˆy

′′

, ˆw

′′

,W, SEQDL( ˆg,g,x

, ˆy

′′

. ˆw

′′

,W, ˜m)) - a SRS signature with the same pa-

rameters g, ˆg,W as in σ and ˆy

′′

= ˆg

, ˆw

′′

= ˆg

some new set of potential signers Y

′′

, for the con-

trol message ˜m = “I have not signed m”.

– σ

′′′

= (g,ˆg, ˆy

′′

, ˆw

′′

′′′

,W, SEQDL( ˆg,g,x

ˆy

′′

. ˆw

′′

, Y

′′′

,W, ˜m)) - a SRS signature for the same

control message ˜m with the same g, ˆg, ˆw

′′

and Y

′′′

such that Y

′′

∩ Y

′′′

= {y

} and y

stands

on the same position in Y

′′

and Y

′′′

. Moreover,

′′

6= y

′′′

for i

6= i

The step-out algorithm veriﬁes whether a member of

the ring U

has not generated the ring signature σ by

obtaining (σ

′′

,σ

′′′

) from her as shown below. Note

that the veriﬁer veriﬁes σ

′′

and σ

′′′

using V

SRS

be-

cause the SKDL’s corresponding to W have already

been veriﬁed in the veriﬁcation of σ.

Algorithm D

MSRS

(σ,m,σ

′′

,σ

′′′

, ˜m)

if(the same g, ˆg,W were used in σ,σ

′′

,σ

′′′

and the same ˆy

′′

, ˆw

′′

were used in σ

′′

,σ

′′′

) then

← V

MSRS

(σ,m),d

← V

SRS

(σ

′′

, ˜m),

← V

SRS

(σ

′′′

, ˜m)

if(d

= d

= 1 and {y

} = Y

′′

∩Y

′′′

and y

stands at the same position in Y

′′

and Y

′′′

and ˆy ˆw 6= ˆy

′′

ˆw

′′

) then

return 1 else return 0

else return 0

6 ANALYSIS

6.1 Unforgeability

Informally, forking lemma(Pointcheval, 2005) for

adaptive chosen message attacks states that if an al-

gorithm A can with non-negligible probability ε, pro-

duce a valid signature (m,σ

,h,σ

) without know-

ing the secret key, then, a replay of the attacker A

may output two valid signatures (m, σ

,h,σ

) and

(m,σ

′

,σ

′

) such that h 6= h

′

, within a bounded time

and non-negligible probability. Forking lemma is ap-

plicable for modiﬁed step-out ring signatures. This

can be proved similar to (Klonowski et al., 2008), the

difference being the computation of SKDL’s by the

simulators. We state the lemma below.

Lemma 1. Modiﬁed SRS signatures can be simu-

lated by a simulator, with oracle access to H , under

DDH assumption without knowing the corresponding

secret signing keyand with distribution probability in-

distinguishable from SRS signatures produced by a

legitimate signer.

Now, we shall construct an adversary that can

solve the DL problem by ﬁnding x

= log

for some

i. Note that the y

’s are supplied to the forger as input.

Hence a DL solver attempting to ﬁnd log

X can do so

by setting y

= X for some t. With success probability

1/n, this is the index of the signer whose signature the

forger generates.

6.1.1 Construction of DL Solver

We now apply forking lemma in the chosen

message attack scenario (section 2.1). The

signature σ is written as (σ

,h,σ

) where:

= ( ˆg, ˆy

,W,u

,··· ,u

,··· ,t

where u

, t

are constructed like in (2)

h = (H( ˆg||g|| ˆy

||Y||W||u

||t

||...||u

||t

||m),

{H(g||w

||g

˜s

˜c

||m),i = 1,··· , n}

= (C,S, ˜c

, ˜s

,··· , ˜c

, ˜s

)

After acquiring two valid signatures (σ

,h,σ

) and

(σ

′

,σ

′

), such that h 6= h

′

and σ

6= σ

′

, the DL

solver can compute the x

= log

) corresponding

to the signer whose signature the forger generated.

The solver ﬁrst computes α

= x

+ r

′

− s

)/(c

− c

′

) for all i = 1,··· , n where c

6= c

′

which holds due to equation 4 in SEQDL con-

struction. It then computes r

′

= (˜s

′

− ˜s

)/( ˜c

− ˜c

′

)

for all i = 1,··· ,n where ˜c

6= ˜c

′

, which is evident

from equation (1) in SKDL construction. Finally, it

computes x

′

= α

− r

′

for all obtained values of α

and r

′

. Clearly, if the forger produced a signature by

the user with public key y

, then solver has obtained

SECRYPT 2010 - International Conference on Security and Cryptography

384

′

: g

′

= y

Hence the solver has the solution to the DL

problem x

′

= log

X provided j = t. The probability

that this happens is 1/n. Since we assume that the

DL assumption holds, the above algorithm must have

negligible probability of success, therefore the forger

has negligible success probability too.

6.2 Anonymity

The anonymity argument in (Klonowski et al., 2008)

can be readily extended to the proof of anonymity of

the modiﬁed scheme. As the r

’s are chosen randomly,

the SKDLs reveal no additional information about the

signer. Also, the proof of anonymity in (Klonowski

et al., 2008) assumes that the only distinguishing

property of two signature tuples of the form σ =

(m,g, ˆg, ˆw,y

) by two different

signers 1 and 2, is that in the former, log

) =

log

ˆg

( ˆy ˆw) and in the latter, log

) = log

ˆg

( ˆy ˆw).

However, the fact that the adversary, in scenario 2,

may use r

= log

ˆg

( ˆw), when r

is released along with

the signature was not considered. This can be recti-

ﬁed when the product ˆy

= ˆy ˆw is released with the

signature instead of the individual values ˆy, ˆw.

6.3 Security of Confession and Step Out

We will prove the following lemmas in order to show

the security of confession and step-out protocols in

our modiﬁed step-out ring signature scheme.

Lemma 2. A confession has a positive outcome

only if performed by the original signer of a modiﬁed

step-out ring signature according to protocol.

Proof. Since V

SEQDL

( ˆg, g, ˆy

,Y,W,C,S, m) = 1,

there exists α such that g

∈ {y

,··· ,y

}

and ˆg

= ˆy ˆw. Moreover, if σ

′

is constructed

appropriately and V

MSRS

(σ

′

,m) = 1, then g

∈

′

,··· ,y

′

} as well. So g

∈ {y

,··· ,y

}

∩ {y

′

,··· ,y

′

}. Since {y1,...,yn} ∩ {y

′

,...,y

′

}

= {y

}, and y

6= y

′

for i

6= i

, we know that

= y

, so in this case user U

was a creator of σ

and C

MSRS

(σ,σ

′

,m) = 1.

Lemma 3. A step-out has a positive outcome

only if performed by a ring-member of a modiﬁed

step-out ring signature, other than the original signer,

according to protocol.

Proof. It is easy to see that the see that σ

′′′

a confession that a message ˜m has been signed as σ

′′

by the user U

: y

= Y

′′

∩Y

′′′

. Clearly, this user is a

member of the ring. We will show that the outcome of

the step-out procedure performed by this user is posi-

tive. Let us assume that D

MSRS

(σ,m,σ,σ,y

, ˜m) = 0.

This happens if ˆy ˆw = ˆy

′′

ˆw

′′

. As in the proof of

Lemma 1, we can see that the signatures σ

′′

and σ

′′′

guarantee that there exists α

′

such that g

′

= y

and ˆg

′

= ˆy

′′

ˆw

′′

. So α = log

) = log

ˆg

( ˆy

′′

ˆw

′′

) =

log

ˆg

( ˆy ˆw) = log

), where U

is the signer of σ.

We have got that y

= y

, but this contradicts the

assumption about generating secrets r

and computing

during the signing procedure, provided i 6= j.

Let us consider the case when an actual signer

attempts to step-out. When performing the step-out

procedure and generating signatures σ

′

and σ

′′

, the

user U

has to generate y

′′

= g

. However, this

product is the same as in σ, so this would lead to a

failure of the test of the step-out procedure.

7 THRESHOLD DISCERNIBLE

RING SIGNATURES

Threshold discernible ring signatures are ring signa-

tures where a threshold of t signers are together capa-

ble of ﬁnding the identity of the original signer. This

may be applied for example to situations where a mes-

sage has been maliciously signed on behalf of a ring

of signers and a majority (or a thresholdt) of the sign-

ers decide to unmask the original signer of the mes-

sage.

We extend the modiﬁed step out ring signature

scheme from section 6.3 to allow threshold discerni-

bility. The signing algorithm additionally outputs a

set of veriﬁably encrypted shares of the secret l =

log

( ˆg). This can be done using veriﬁable sharing

of discrete logarithms (Stadler, 1996) and veriﬁable

encryption of discrete logarithms (Stadler, 1996; Ca-

menisch and Shoup, 2003). Once l is gathered by

any set of t ring members, the original signer is eas-

ily found by inspecting for which index i of the ring

members, the equation (y

)

= ˆy

holds. This is the

index of the original signer.

7.1 Preliminaries

We assume the same settings and complexity assump-

tions as the SRS signature scheme as in section 2.

The algorithm uses a veriﬁable encryption scheme

(Stadler, 1996; Camenisch and Shoup, 2003; Ca-

menisch and Damgard, 2000). The notations used

for this scheme are explained below. We also explain

Shamir’s secret sharing scheme (Rivest et al., 2001)

which is used in the veriﬁable secret sharing of dis-

crete logarithms (Stadler, 1996).

FORCING OUT A CONFESSION - Threshold Discernible Ring Signatures

385

7.1.1 Veriﬁable Encryption

We denote veriﬁable encryption of a discrete loga-

rithm α = log

(β) under public key PK as VE

(α :

β = g

). This denotes the cipher-text created by the

Encrypt algorithm. The encryption scheme has three

algorithms namely:

1. Encrypt(α : β = g

): Takes a message α, a public

key PK and outputs cipher text VE

(α : β = g

)

where g,β = g

are publicly known.

2. Decrypt(VE

(α : β = g

)): Takes a cipher-text

(α : β = g

) and obtains the original mes-

sage α. This requires the secret key SK.

3. Verify(VE

(α : β = g

)): Takes the cipher-text

(α : β = g

) and veriﬁes the zero knowledge

proof that the cipher text indeed encrypts α such

that β = g

7.1.2 Shamir’s Secret Sharing Scheme

A (t, n) secret sharing scheme is a scheme where a

secret d is shared among n users where only a coali-

tion of size at least t can recover the secret. Such a

scheme was proposed by Shamir (Rivest et al., 2001)

and is explained below. A user U

has a well known

public parameter α

∈ Z

Preliminaries. Let q be a large prime (q >> n), and

d ∈ Z

be the secret to be shared. There are n ≥t users

in total.

Share. (d) The dealer chooses a random polyno-

mial f(x) = d +

∑

t−1

i=1

, of degree t − 1 from Z

[x]

where the constant term is set to d. The dealer then

distributes the secret shares s

= f (α

), to the i

user, for each i = 1···n.

Reconstruct. ((α

),··· , (α

|S|

)) This pro-

cess is a simple polynomial interpolation to com-

pute f (0) = d. Suppose a coalition S,|S| ≥ t,S =

,··· , v

|S|

} wants to reconstruct the secret. They

can compute the secret polynomial f(x) and the secret

by Lagranges polynomial interpolation:

f(0) =

∑

i∈S

,where λ

∏

′

∈S\{i}

j − j

′

i− j

′

The additional requirement to Shamir’s secret shar-

ing our scheme requires is that the shared secrets are

encrypted and these encrypted portions must still be

veriﬁable.

7.2 Scheme Description

Outline. Let us assume that U

is the real signer and

,··· ,U

are all ring members. Let the private and

public key of user U

be x

and (y

= g

,α

) respec-

tively, where α

∈ Z

. For Threshold Discernible Ring

Signatures (TDS) we have the following procedures:

Signing Procedure. S

TDS

(g,x

, y

,··· ,y

,··· ,α

, t, m) is an algorithm that takes gen-

erator g, the secret key x

, the set of public keys

,··· ,y

} ⊂< g >, threshold t and a message m. It

returns a threshold discernible signature σ.

Veriﬁcation Procedure. V

TDS

(m,σ) is an algo-

rithm that takes a message m, and a signature σ for

m. It returns a bit: 1 or 0 to indicate whether σ is

valid, i.e., someone having a public key in a set Y in-

dicated by σ has signed m, and whether it is indeed

threshold discernible by t of the members of the ring.

Threshold Distinguisher Procedure. T

TDS

(m,σ)

is an algorithm that takes a message m, and a signa-

ture σ for m, and returns i, the index of the original

signer among the public key sequence Y in the sig-

nature σ. The algorithm requires inputs by at least t

signers among the n members of the ring indicated by

σ.

7.3 Signing Algorithm

The signing algorithm veriﬁably encrypts n shares

of the secret l = log

( ˆg), along with the MSRS sig-

nature. It performs the sharing by encrypting the

values of t − 1 degree polynomial function f(x) =

l +

∑

t−1

j=1

, at n points viz. at x = α

,··· ,α

Algorithm S

TDS

(g,x

,··· ,y

,α

,··· ,α

,t, m)

, f

,··· , f

t−1

←

∗

← g

,i = 1,··· ,t − 1

l ←

∗

\{1}

ˆg ← g

← l +

∑

t−1

j=1

, i = 1,··· ,n

← VE

: g

= ˆg

∏

t−1

j=1

), i = 1,··· , n

← S

MSRS

(g, ˆg,x

,··· ,y

,m)

σ ← (σ

,{V

: i = 1,··· ,n}, {F

: i = 1,··· ,t − 1})

return (m,σ)

7.4 Veriﬁcation Algorithm

The veriﬁcation algorithm veriﬁes the MSRS sig-

nature as well as the veriﬁably encrypted shares of

the secret l. The veriﬁcation algorithm must check

SECRYPT 2010 - International Conference on Security and Cryptography

386

whether t is an acceptable value based on the required

policy. For instance, one may require that t = ⌈

⌉.

Algorithm V

TDS

(m,σ)

if (Verify(VE

: g

= ˆg

∏

t−1

j=1

)) = 0

for any i = 1,··· ,n)

return 0

return V

MSRS

(m,σ)

7.5 Threshold Distinguisher Algorithm

The threshold distinguisher algorithm requires that at

least t of the signers in the ring share their respec-

tive s

’s. It is required that each of these s

’s are such

that S

= ˆg

∏

t−1

j=1

= g

. Now, using Lagrange’s in-

terpolation formula, the function f, hence the value

f(0) = l, can be computed. Once l is computed,

the veriﬁer checks for which value of i, the equation,

)

= ˆy

holds. This i is the index of the original

signer.

Algorithm T

TDS

(m,σ)

if (V

TDS

(m,σ) = 0)

then return ⊥

Obtain s

= Decrypt(VE

: g

= ˆg

∏

t−1

j=1

))

from t signers w.l.o.g. i = 1, · · · ,t.

l ← Reconstruct((α

),··· ,(α

))

for i = 1 to n

if ((y

)

= ˆy

)

then return i

return ⊥

7.6 Security

In this section we deﬁne the security models for

threshold discernible ring signatures. Due to lack of

space, we provide sketches of the security proofs. De-

tailed proofs will be providedin the full version of this

paper.

A threshold discernible ring signature (TDS)

scheme must follow the following conditions:

Unforgeability. Unforgeability in threshold dis-

cernible ring signatures requires that no entity other

than a member of the ring must be able to produce

a ring signature with non-negligible advantage in

polynomial time.

For security proof of unforgeability we formalize

the attacks of a forger F

TDS

in the chosen-message

scenario. We consider the following experiment of

running a forger F

TDS

Experiment Exp

TDS

for k = 1 to q

max

query for (m

, σ

), such that V

TDS

(σ

) = 1

let (m,σ) ← F

SRS

(g, ˆg,y

,...,y

,m,(m

,σ

),...

,(m

,σ

))

if V

SRS

(σ,m) = 1 return 1

else return 0

Then we deﬁne the advantage Adv

TDS

of the forger.

TDS

as the probability Pr[Exp

TDS

= 1].

Theorem 1. Threshold discernible ring signatures

are secure against forgery, i.e., Adv

TDS

is negligibly

small.

Proof Sketch: We assume the following secu-

rity results on the veriﬁable secret sharing of

discrete logarithms. This means that no poly-

nomial time adversary can with non-negligible

probability produce veriﬁably encrypted shares

= {V

,i = 1,··· , n},{F

,i = 1,··· ,t − 1} of secret

l, without knowledge of the secret l. Additionally in

veriﬁable secret sharing of discrete logarithms, no set

of t − 1 or fewer users can obtain the secret l from σ

in polynomial time with non-negligible probability.

These results can be obtained from (Stadler, 1996).

This guarantees that the quantity σ

cannot be

produced without the prior knowledge of l such that

ˆg = g

by any adversary. Note that l is the only

common value used in generation of σ

and σ

. As

is an MSRS signature, the unforgeability of σ

follows from the unforgeability of σ

. Hence the

tuple (σ

,σ

) is unforgeable.

Threshold Anonymity. Threshold anonymity in

threshold discernible ring signatures requires that no

entity other than a group of at least t ring members

must be able to identify the original signer of a ring

signature with non-negligible advantage in polyno-

mial time.

Theorem 2. Let A

ATDS

be a probabilistic polyno-

mial time algorithm that can distinguish between

,σ

produced by two different signers for an

arbitrary message m by any group of t − 1 signers

among n signers. Let advantage of A

ATDS

be deﬁned

as Adv

ATDS

= Pr[A(σ

) = b], where b ∈ {x, y}. We

say that the scheme provides threshold anonymity,

if for any efﬁcient algorithm A

ATDS

the value of

Adv

ATDS

is at most negligibly greater than 1/n. The

threshold discernible ring signature scheme discussed

above has the threshold anonymity property.

Proof Sketch: From the anonymity of MSRS

FORCING OUT A CONFESSION - Threshold Discernible Ring Signatures

387

no polynomial time algorithm can discover the

original signer of σ using the component σ

alone.

This ensures that no group of size below t can ﬁnd

the original signer of a signature σ

. Additionally, in

veriﬁable secret sharing of discrete logarithms, no set

of t − 1 or fewer users can obtain the secret l from σ

in polynomial time with non-negligible probability.

Hence l cannot be obtained to ﬁnd the original signer

of σ

, unless a group of at least t users cooperate.

Hence, threshold anonymity holds for the signature

(σ

,σ

) and theorem 2 holds.

8 CONCLUSIONS AND OPEN

PROBLEMS

Step out ring signatures, introduced in (Klonowski

et al., 2008), had security ﬂaws. We identiﬁed those

ﬂaws present in the scheme and ﬁxed them in order

to make it secure. We have introduced the new con-

cept of the Threshold discernible ring signature using

the corrected version of the step out ring signature.

Our scheme is proved secure under DDH assumption.

The problem of ﬁnding a scheme which is secure in

the standard model and formulating step out ring sig-

natures using bilinear groups remain open.

REFERENCES

Au, M. H., Chow, S. S. M., Susilo, W., and Tsang, P. P.

(2006). Short linkable ring signatures revisited. In

EuroPKI, pages 101–115. Springer.

Awasthi, A. K. and Lal, S. (2005). Id-based ring signature

and proxy ring signature schemes from bilinear pair-

ings. CoRR.

Camenisch, J. (1997). Efﬁcient and generalized group sig-

natures. In EUROCRYPT, pages 465–479. Springer.

Camenisch, J. and Damgard, I. (2000). Veriﬁable encryp-

tion, group encryption, and their applications to sepa-

rable group signatures and signature sharing schemes.

In ASIACRYPT, pages 331–345. Springer.

Camenisch, J. and Shoup, V. (2003). Practical veriﬁable

encryption and decryption of discrete logarithms. In

CRYPTO, pages 126–144. Springer.

Chen, Y.-S., Lei, C.-L., Chiu, Y.-P., and Huang, C.-Y.

(2006). Confessible threshold ring signatures. In

ICSNC ’06: Proceedings of the International Con-

ference on Systems and Networks Communication,

page 25. IEEE Computer Society.

Cheng, W., Lang, W., Yang, Z., Liu, G., and Tan, Y. (2004).

An identity-based proxy ring signature scheme from

bilinear pairings. In ISCC ’04: Proceedings of the

Ninth International Symposium on Computers and

Communications 2004 Volume 2 (ISCC”04), pages

424–429. IEEE Computer Society.

Klonowski, M., Krzywiecki, L., Kutylowski, M., and

Lauks, A. (2008). Step-out ring signatures. In MFCS

’08: Proceedings of the 33rd international symposium

on Mathematical Foundations of Computer Science,

pages 431–442. Springer-Verlag.

Klonowski, M., Krzywiecki, L., Kutyowski, M., and Lauks,

A. (2009). Step-out group signatures. Computing,

85(1-2):137–151.

Naor, M. (2002). Deniable ring authentication. In CRYPTO

’02: Proceedings of the 22nd Annual International

Cryptology Conference on Advances in Cryptology,

pages 481–498. Springer-Verlag.

Pointcheval, D. (2005). Provable security for public key

schemes. In Contemporary Cryptology, pages 133–

190. Birkhuser Basel.

Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How

to leak a secret. In ASIACRYPT ’01: Proceedings of

the 7th International Conference on the Theory and

Application of Cryptology and Information Security,

pages 552–565. Springer-Verlag.

Savola, R. (2006). A requirement centric framework for

information security evaluation. In IWSEC, pages 48–

59. Springer.

Schnorr, C.-P. (1991). Efﬁcient signature generation by

smart cards. J. Cryptology, pages 161–174.

Stadler, M. (1996). Publicly veriﬁable secret sharing. In

EUROCRYPT, pages 190–199. Springer-Verlag.

Susilo, W. and Mu, Y. (2004). Deniable ring authentication

revisited. In ACNS, pages 149–163. Springer.

Tsang, P. P. and Wei, V. K. (2005). Short linkable ring sig-

natures for e-voting, e-cash and attestation. In ISPEC,

pages 48–60. Springer.

SECRYPT 2010 - International Conference on Security and Cryptography

388