Lightweight Ring Signatures for Decentralized Privacy-preserving

Transactions

Lukas Malina

, Jan Hajny

, Petr Dzurenda

and Sara Ricci

Dept. of Telecommunications, Brno University of Technology, Technicka 12, Brno, Czech Republic

Dept. of Computer Science and Mathematics, Universitat Rovira i Virgili, Av. Pasos Catalans 26, Tarragona, Spain

Keywords:

Anonymity, Cryptography, e-Voting, Privacy, Rabin Cryptosystem, Ring Signatures, Transactions.

Abstract:

Current digital transactions such as e-payments and e-voting services, should be secure and also offer privacy

protection to their users in order to be widely used. This work focuses on advanced cryptographic solu-

tions based on ring signatures that provide anonymity to payment senders or to voters during e-voting. Since

more and more constrained mobile devices are used in current networks, the proposed technologies and so-

lutions should be also efﬁcient and provide reasonable computational complexity. In this paper, we present a

lightweight privacy-preserving ring signature scheme that is suitable for anonymous transactions and e-voting

services run in an environment with constrained devices such as handheld devices and IoT nodes. Our solution

provides the fast veriﬁcation of signatures without using heavy operations such as pairings and exponentiation.

Further, we add signature linkability and uniqueness in order to provide double-spending protection.

1 INTRODUCTION

Modern digital services such as e-voting or elec-

tronic payment transactions including various cryp-

tocurrencies, smart contracts and e-coins try to em-

ploy privacy protection and security properties for

their users. These properties can be achieved by

using many technologies such as privacy-enhancing

cryptographic constructions as zero knowledge pro-

tocols, ring signatures, blind signatures or by vari-

ous mixing network protocols. In current e-voting

solutions, voter’s anonymity is the main requirement

as in classic votes. E-voting systems should not be

used without this property. Similarly the users of

e-transactions also require privacy protection. The

privacy-preserving transactions can attract more users

who concern about their privacy. Nevertheless, these

privacy-preserving services must handle security risks

that could be caused by anonymity. Hence, the

solutions should be resistant to potential misusing,

e.g. double-spending, double-voting, tracing of vot-

ers/transaction senders and more. For example, the

most spread cryptocurrency Bitcoin is based on the

public blockchain that is a distributed public ledger.

This decentralized approach could be highly privacy-

invasive. On the one hand, Bitcoin transactions try

to keep privacy by using pseudonymous public keys.

On the other hand, the bitcoin users are not really

anonymous. Transactions and participants can be

linked and traced by the advanced analysis of the

public blockchain and by observing the Bitcoins un-

encrypted network. Recently, Conti et al. (Conti

et al., 2017) have presented a study of current pri-

vacy considerations in Bitcoin, the analysis of exist-

ing privacy-preserving solutions, and discuss privacy

related threats to Bitcoin users.

There are several advanced cryptographic con-

structions that can be deployed in order to provide

anonymous and secure transactions or votes. Group

signatures (GS) allow any group member to anony-

mously sign a message on behalf of the group. Only

group managers/issuers are able to add users and trace

or revoke users. Nevertheless, GS schemes are often

centralized and the group manager has to be a trusted

party. The environment of transactions is mostly de-

centralized. Therefore, ring signatures (RS) that are

similar to group signatures could be interesting con-

structions for these decentralized digital services. In

RS ﬁrstly deﬁned in (Rivest et al., 2001), a signer

signs a message with a private key and then publishes

a set of public keys together with own public key. On

the one hand, RS remove the centralization point of

a group manager. On the other hand, RS provide a

perfect privacy (untracebility) and signer is not able

to prove his/her signature (non-repudation). In order

to employ these constructions in transactions, double-

526

Malina, L., Hajny, J., Dzurenda, P. and Ricci, S.

Lightweight Ring Signatures for Decentralized Privacy-preserving Transactions.

DOI: 10.5220/0006890505260531

In Proceedings of the 15th International Joint Conference on e-Business and Telecommunications (ICETE 2018) - Volume 2: SECRYPT, pages 526-531

ISBN: 978-989-758-319-3

spending protection must be solved and provided.

In this paper, we focus on cryptographic solutions

based on ring signatures that could be suitable for

anonymous payment transactions and e-voting. We

propose a efﬁcient privacy-preserving signature solu-

tion based on fast ring signatures. Our proposal of-

fers signer anonymity, signature uniqueness and sig-

nature unforgeability that are desired properties in

digital voting and digital transactions scenarios. Our

solution provides a linkable mechanism by using key

images in order to ensure double-spending (double-

voting) protection.

1.1 State of the Art

Since the paper (Rivest et al., 2001) published in

2001, ring signatures and their implementation in

e-voting, anonymous data sharing, e-cash services

and other privacy-preserving services have been stud-

ied in many works, e.g. (Liu et al., 2004), (Tsang

and Wei, 2005), (Wu et al., 2006), (Chandran et al.,

2007), (Shacham and Waters, 2007), (Fujisaki and

Suzuki, 2007), (Liu et al., 2009), (Liu et al., 2014),

(Yang et al., 2015), (Noether et al., 2016), (Sun

et al., 2017). Ring signatures provide various prop-

erties (e.g. linkability, deniability, exculpability, dis-

avowal) and security assumptions. For example, Wu

et al. (Wu et al., 2006) present ad hoc group sig-

natures that combine some properties of group sig-

natures and ring signatures. These schemes provide

the privacy protection for self-organized groups. The

ad hoc group signature scheme removes the trusted

third party such as a group manager from a system

and adds the self-traceability property to ring signa-

tures. In a decentralized system, signers can produce

constant-sized anonymous signatures on behalf of the

group (a variable set of members). Furthermore, the

non-interactive deniable ring signature scheme (Zeng

et al., 2016) provides the conﬁrmation of signing (e.g.

a lottery game winner) and signature disavowal for

non-signers in the ring in order to a signer detection.

Nevertheless, both advanced ring signature schemes

do not offer double-spending protection.

Liu et al. (Liu et al., 2004) propose a linkable,

spontaneous and anonymous group (LSAG) signature

scheme. The scheme provides the culpability prop-

erty that allows an investigator to conduct that the au-

thorship of the signature belongs to the user. This

scheme also provides the linkability of two signa-

tures. Tsang and Wei (Tsang and Wei, 2005) extend

the short ring signature scheme construction of Dodis

et al. (Dodis et al., 2004) and discuss the application

of their scheme to E-voting, ofﬂine anonymous elec-

tronic cash and direct anonymous attestation. Dodis

et al. offer a constant-sized ring signature scheme se-

cured in Random Oracle model. Both constructions

are based on a three-move zero-knowledge proof-of-

knowledge system using the Fiat-Shamir transforma-

tion. Fujisaku and Suzuki (Fujisaki and Suzuki, 2007)

propose traceable ring signatures that use tags. The

tag consists of a list of ring members and the issue of

the event. The signer can sign only once per the event

in order to stay anonymous in the system. Van Saber-

hagen (Van Saberhagen, 2013) proposes CryptoNote

transactions that are based on a ring signature. Each

user of CryptoNote uses a set of public keys and pri-

vate keys. CryptoNote combines a Difﬁe-Hellman ex-

change, one-time signatures and the modiﬁcation of

ring signatures (Fujisaki and Suzuki, 2007). These

ring signatures have size n+1, where n is the size of

the sender anonymity. A veriﬁer also checks if trans-

actions have been already spent or not by a Link pro-

cedure. Noether et al. (Noether et al., 2016) pro-

pose Ring Conﬁdential Transactions (Ring CT) that

enhance the original CryptoNote protocol. They pro-

pose a Multilayered Linkable Spontaneous Anony-

mous Group signature (MLSAG) scheme that pro-

vides a signature on a set of n key vectors. Nev-

ertheless, many ring signature schemes have several

heavy computations (e..g. pairings, exponentiation,

point multiplication) and sizable signatures that de-

pends on the number of ring members.

The most related paper Yang et al. (Yang et al.,

2015) present the ring signatures based on the Ra-

bin cryptosystem. In their paper, the comparison

with existing ring signatures shows that the ring sig-

nature scheme is very efﬁcient in sign and verify

phases and does not need any pairings. Neverthe-

less, the Rabin signature in the signing phase usu-

ally take similar time like exponentiation in the RSA

decryption. Moreover, the scheme deﬁnes only two

properties: unconditionally signer ambiguity and ex-

istentially unforgeability and does not solve double-

spending by linkability and signature uniqueness. In

our paper, we aim to provide efﬁcient and privacy-

preserving ring signature solution that supports signa-

ture uniqueness and protect against double-spending

which is important in e-voting or anonymous transac-

tions.

1.2 Our Contribution

We design a lightweight privacy-preserving signature

solution that can be suitable for anonymous transac-

tions or e-voting services in a constrained environ-

ment such as IoT.

We modify the efﬁcient Yang’s ring signature

scheme (Yang et al., 2015) by the employing key im-

Lightweight Ring Signatures for Decentralized Privacy-preserving Transactions

527

age tags. Thus, our solution adds a signature unique-

ness property that provides double-spending protec-

tion of each transaction or vote. Furthermore, we

add a public key shufﬂing property in order to in-

crease user anonymity during signing messages (e.g.

transactions or votes). In the origin description of the

Yang’s ring signature scheme (Yang et al., 2015), the

signer’s public key is the last key in the list of pub-

lic keys. Therefore, the actual signer can be tracked

by his/her public key. In our solution, the veriﬁers or

observers are not able to recognize the actual signer

public key that could be any from the list. Moreover,

we precise several steps how to employ our solution

in anonymous transactions and e-voting scenarios.

2 BACKGROUND

In this section, the cryptography background and se-

curity properties are outlined.

2.1 Cryptography Used

In this work, we modify the ring signature scheme

(Yang et al., 2015) based on the Rabin cryptosystem

(Rabin, 1979).

The Rabin cryptosystem is essentially a special

version of RSA with an encryption key e = 2, and

it is secure under the factorization problem. The Ra-

bin cryptosystem is based on factoring N = pq, where

N is a public key and p and q are private keys. A

message M is encrypted as C = M

mod N. The de-

cryption process produces four possible roots of C

computed by using the Chinese Remainder Theorem

(CRT) and

√

C mod p and

√

C mod q. The integer C

is called a quadratic residue. The main beneﬁt of the

Rabin cryptosystem is that encryption computes only

single squaring in mod N. The decryption (signing) is

more expensive because of computing the quadratic

residue.

2.2 Security Properties

The proposed solution provides these security prop-

erties: Correctness, Signer Anonymity, Signature

Uniqueness, Signature Unforgeability and Signature

Linkability.

• Correctness - a valid signature is always accepted

(completeness) and an invalid signature is always

rejected (soundness).

• Signer Anonymity - a signature is produced by

one member from the set of public key holders.

Therefore, the identity of a signer is hidden in the

group and no one can determine the actual signer

from the signature.

• Signature Uniqueness - a valid signature on the

message could be created only once by a honest

signer. The second signature from the same signer

during one event (transaction, e-voting) is linked

by a key image and is rejected.

• Signature Unforgeability - a produced signature

is unforgeable. An attacker with negligible prob-

ability can produce a valid signature without the

corresponding private key.

• Signature Linkability - two valid signatures on

the same message m with one private/public key-

pair can be linked by the key image. This property

implies the double-spending/voting protection.

3 PROPOSED SOLUTION

In this section, we describe our proposed solution for

secure and privacy-preserving transactions or voting

based on ring signatures. We assume 3 parties: a

signer (a sender, a voter), a veriﬁer (a receiver of the

transaction or polling manager/bulletin board applica-

tion) and an investigator (a trusted third party which

detects dishonest signers). Our solution consists of

these phases: Key Generation, Signature Generation,

Signature Validation and Link Procedure.

3.1 Key Generation

In this phase, key pairs are generated. For i = 1,...,n,

where n is the number of ring users, each i-th user se-

lects two safe primes p

such that p

= 2p

+1,q

+ 1 where p

are primes. The i-th user securely

stores a private key that is p

and computes a pub-

lic key as N

= p

. The public key is then sent to an

ad hoc group of n users. The public parameters are

a set of public keys L = (N

,...,N

), a deﬁned hash

functions H

: {0, 1}

∗

→ Z

for i = 1, ...,n and a hash

function H : {0,1}

∗

→ QR(N

) used for key images,

where QR(N

) = {x ∈Z

s.t. x = y

for some y ∈Z

3.2 Signature Generation

We assume that a signer (e.g. a transaction sender/ a

voter) S signs the message m (e.g. transaction amount

with a metadata, ballot in e-voting) by the ring signa-

ture scheme.

Our proposal modiﬁes Yang et al. ring signature

scheme (Yang et al., 2015) that is based on the Rabin

scheme. Yang et al.’s ring signature scheme (Yang

SECRYPT 2018 - International Conference on Security and Cryptography

528

et al., 2015) deﬁnes only two properties: uncondition-

ally signer ambiguity and existentially unforgeability.

We modify this scheme and enhance it by the unique

tag in order to achieve a double-spending protection.

Moreover, we shufﬂe actual user public key in the list,

then, a veriﬁer (an observer) is not able to determine

which the public key has been used.

Let L = (N

,...,N

) is a list of n ring users’ pub-

lic keys, the signer j uses his/her private key (p

)

to produce a signature of the message m as (L,m,σ).

The j-th signer (S

) also computes a key image I =

H(p

||N

||ID

event

)

1/2

mod N

by the knowledge of the

factorization of N

and by applying the Chinese re-

mainder theorem. In order to enable the signer reuses

the keypair in more events (e.g. more transactions

or e-votes), the signer maps also an event identi-

ﬁer ID

event

(i.e. a transaction number or an e-voting

event). The key image commits signer’s public and

private keys and prevents the reuse the same keys dur-

ing one event.

The signer knows his/her private key (p

) and

public key N

and executes following steps:

1. S

chooses a random element r

∈ Z

and com-

putes:

h = H

(L||m||ID

event

j+1

= H

j+1

(h||r

2. For i = 1,...,n and i 6= j, S

randomly generates

element x

∈ Z

, i.e. for all other ring members.

3. S

successively computes in j modulo n, i.e. for

each i started from j+1, j + 2 .. .0 . . . j −1:

i+1

= H

i+1

(h||c

I + x

modN

4. If r

−c

I mod N

∈ QR(N

) then S

assigns t

−c

I mod N

, otherwise S

chooses another ele-

ment x

j−1

∈Z

j−1

and computes new c

from step

3 until r

−c

I is a quadratic residue.

5. S

solves x

= t

1/2

modN

by the knowledge of the

factorization of N

with using the Chinese remain-

der theorem. Square roots could be computed by

the Tonelli - Shanks algorithm or by its modiﬁca-

tions.

Finally, the signer produces the signature

σ =(I, c

,....,x

) on the message m in the

event ID

event

The computational and memory complexity could

be reduced if the signer chooses smaller subset of k

users’ public keys from n ring members. Neverthe-

less, the level of signer privacy is reduced as well.

3.3 Signature Validation

A veriﬁer (a transaction receiver or a polling man-

ager/bulletin board service) V checks the signature

on the message by checking the ring signature σ on

the message m and by checking its uniqueness in the

event ID

event

3.3.1 Ring Signature Veriﬁcation

The veriﬁer uses public parameters (L, H) and checks

the received ring signature σ =(I, c

,....,x

) on the

message m during the event ID

event

1. V computes h = H

(L||m||ID

event

2. For each i = 1,...,n, V restores r

= c

I +x

modN

3. For each i = 1,...,n − 1, V computes c

i+1

(h||r

4. If c

= H

(h||r

), the output is true and the sig-

nature is accepted and V continues by checking

the signature uniqueness. Otherwise, V rejects the

signature and the algorithm halts.

3.3.2 Signature Uniqueness Veriﬁcation

V checks if the image key I of the signature has

not been used in past signatures in the event ID

event

In case that the key image I is not presented in a

dataset of key images, the veriﬁer accepts the signa-

ture. Then, the key image of the signature is added

to the dataset of key images in order to prevent dou-

ble spending in the future. Otherwise, the signature

of the message (e.g. a transaction/vote) is marked as

the duplicated and it is rejected.

3.4 Link Procedure

In case that the n+1 or more ring signatures oc-

cur at the end of an event (e.g. transaction bulk,

closing e-voting) with n participants, an investiga-

tor (i.e. a third trusted party) runs this procedure

in order to detect among the members of the ring

such a malicious signer who produces more valid sig-

natures. The investigator precomputes all I

. Fur-

ther, each honest signer, which knows such pri-

vate key p

, securely sends to the investigator a set

of (H(r

||N

||ID

event

) mod N

,.. . H(p

||N

||ID

event

)

mod N

,.. . H(r

||N

||ID

event

) mod N

) in randomized

order. The investigator then checks that at least one

received H(p

||N

) mod N

= I

for i = 0 .. . n. The

mixed set of hash hides the index of the signer so the

signer is still anonymous against external parties.

4 SECURITY ANALYSIS

In this section, we provide the security analysis of the

proposed solution. We discuss these security proper-

Lightweight Ring Signatures for Decentralized Privacy-preserving Transactions

529

ties: correctness, signer anonymity, signature unique-

ness, signature unforgeability, signature linkability.

Theorem 1. Correctness - Completeness and

soundness are provided. A honest veriﬁer is always

able to accept a valid ring signature and reject a false

signature.

Proof. Suppose that a veriﬁer has correct public pa-

rameters such as set of public keys L = (N

,...,N

)

and a set of deﬁned hash functions. He/she can

check a signature σ =(I, c

,....,x

) on a message

m by restoring parameters r

and c

for each i from

1 to n and ﬁnally by checking c

= H

(h||r

). As-

sume that r

= c

I + x

modN

and somewhere in the

ring c

j+1

= H

j+1

(h||r

) = H

j+1

(h||c

I + x

mod N

) where x

= t

mod N

= r

−c

I mod N

so that

j+1

= H

j+1

(h||c

I + r

−c

Imod N

= H

j+1

(h||r

Theorem 2. Signer Anonymity - It is infeasible to

identify which private key creates the ring signature.

Proof. A veriﬁer uses a set L of n public keys and

is not able to identify which public key belongs to a

signer. The chance of guessing correctly which pub-

lic key is used to generate a given signature is neg-

ligibly greater than 1/n. We assume that the private

key is chosen at random and an adversary only knows

the public keys and not the other private keys. If the

adversary knows k private keys then the guessing of

signer key is negligibly greater than 1/(n −k).

Further, the key image I does not leak the signer

identity if the private keys are chosen at random. The

user anonymity holds also in the link procedure for

external observers due the signers who prove their

honesty by sending only basic hash of values in ran-

domized order.

Theorem 3. Signature Uniqueness - a signer is

able to produce only one valid signature on the mes-

sage by the one public/private keypair.

Proof. The key image I = H(p

||N

||ID

event

)

1/2

mod

of j-th user maps public and private keys and is in-

tegrated in the produced signature. A veriﬁer restores

= c

I + x

modN

for each i from 1 to n where I is a

part in all r

. In fact, if a malicious user tries to re-use

more times the same signature, the veriﬁer can detect

the re-use by checking the dataset of key images.

Theorem 4. Signature Unforgeability - it is hard

to produce a valid signature without a private key.

Proof. A signer without a private key p

is not

able to solve x

= t

1/2

modN

by using the knowledge

of the factorization of N

with factors p

. If an

adversary is successful in forgery, he/she must out-

put x

that satisﬁes such c

j+1

= H

j+1

(h||c

I + x

mod

) which causes that c

= H

(h||r

) = H

(h||c

I +

modN

) and encloses the ring. More formal analy-

sis for the property can be found in (Yang et al., 2015).

Theorem 5. Signature Linkability - it is hard to

produce n+1 valid signatures on the message by the n

public/private keypair.

Proof. The key image I = H(p

||N

||ID

event

)

1/2

mod

maps public and private keys of a honest signer,

event

and is integrated in the produced signature.

event

is also used in the ring signature. Any ob-

server (a veriﬁer) can link two signatures on the same

message during one event by I from one honest signer.

Hence, a honest signer cannot re-use more times the

valid signatures of one private/public keypair and a

correct H function. In case that a malicious signer

will try to produce a new signature with a different

key image but with same keypair, then the Link pro-

cedure detects this signature and rejects it. All signa-

tures with incorrect key images can be detected.

5 PERFORMANCE EVALUATION

This section discusses the computational complexity

of the proposed solution and compares signature sizes

and the complexity of most signiﬁcant phases such as

signing and veriﬁcation with other related works that

are based on ring signatures and provide linkability.

Table 1 provides the comparison of performance and

memory costs of the proposed ring signature scheme

and related schemes. We denote a pairing operation as

P, exponentiation as E, multiplication as M, squaring

as S. The relatively fast operations such as addition

and a hash function are omitted. N denotes the num-

ber of users in a ring/ad hoc group. In order to evalu-

ate the length of signatures, we use the following no-

tation, e.g. O(1) - constant size, O(

√

N) - semi-linear

size, O(N) - linear size.

In our solution and Yang et al. scheme (Yang

et al., 2015), the signing procedure employs the Ra-

bin signing that computes the square root of the pa-

rameter in modular arithmetic. We consider this oper-

ation as expensive as 1 exponentiation, therefore it is

noted as E also in our comparison. Yang et al. (Yang

et al., 2015) is the most efﬁcient scheme from the

compared schemes but does not support linkability.

Then, our solution, which provides signature unique-

ness and linkability by adding a key image, is very

efﬁcient during signing and veriﬁcation in comparing

with other related schemes.

6 CONCLUSIONS

We presented a lightweight privacy-preserving solu-

tion based on ring signatures. The solution provides

SECRYPT 2018 - International Conference on Security and Cryptography

530

Table 1: Performance comparison of related schemes.

Scheme Sign Verify Signature size

Liu et al. (Liu et al., 2004) (3+4(N −1))E + (1+2N)M (4N)E + 2NM O(N), N + 2

Fujisaki and Suzuki et al. (Fu-

jisaki and Suzuki, 2007)

(3+2N)E + (2+3N)M (4N)E + (3N)M O(N), 2N + 1

Chandran et al. (Chandran

et al., 2007)

(5+6

√

N+(N+1)/3)E+

√

N+8)M

(6+6

√

N)P + (3

√

N+1)E +

√

N +1)M

√

N),

√

N + 6

Liu et al. (Liu et al., 2009) NE N E O(N), 2N + 1

Liu et al. (Liu et al., 2014) (5+N)E+(4+N)M (4+N)E+(3+N)M O(N), N + 3

Yang et al. (Yang et al., 2015) E+NS NS O(N), N + 1

This solution 2E+2M+NS M+NS O(N), N + 2

anonymity, uniqueness, linkability and unforgeabil-

ity, and can be applied in applications with double-

spending and double-voting protection. The solution

does not use heavy operations. The ring signature ver-

iﬁcation takes only 1 multiplication and N squaring

which depends on the size of ring (N). Therefore,

the solution could be implemented in services running

in heterogeneous networks with small and medium

groups of constrained devices.

As future work, we would like to make the link

procedure more efﬁcient and integrate the proposed

ring signature scheme into a transaction model based

on blockchain.

ACKNOWLEDGEMENTS

Research described in this paper was ﬁnanced by the

National Sustainability Program under grant LO1401

and Ministry of Interior under grant VI20162018003.

REFERENCES

Chandran, N., Groth, J., and Sahai, A. (2007). Ring signa-

tures of sub-linear size without random oracles. In In-

ternational Colloquium on Automata, Languages, and

Programming, pages 423–434. Springer.

Conti, M., Lal, C., Ruj, S., et al. (2017). A survey on se-

curity and privacy issues of bitcoin. arXiv preprint

arXiv:1706.00916.

Dodis, Y., Kiayias, A., Nicolosi, A., and Shoup, V. (2004).

Anonymous identiﬁcation in ad hoc groups. In In-

ternational Conference on the Theory and Applica-

tions of Cryptographic Techniques, pages 609–626.

Springer.

Fujisaki, E. and Suzuki, K. (2007). Traceable ring signature.

In International Workshop on Public Key Cryptogra-

phy, pages 181–200. Springer.

Liu, J. K., Au, M. H., Susilo, W., and Zhou, J. (2009). On-

line/ofﬂine ring signature scheme. In International

Conference on Information and Communications Se-

curity, pages 80–90. Springer.

Liu, J. K., Au, M. H., Susilo, W., and Zhou, J. (2014). Link-

able ring signature with unconditional anonymity.

IEEE Transactions on Knowledge and Data Engineer-

ing, 26(1):157–165.

Liu, J. K., Wei, V. K., and Wong, D. S. (2004). Linkable

spontaneous anonymous group signature for ad hoc

groups. In Australasian Conference on Information

Security and Privacy, pages 325–335. Springer.

Noether, S., Mackenzie, A., et al. (2016). Ring conﬁdential

transactions. Ledger, 1:1–18.

Rabin, M. O. (1979). Digitalized signatures and public-

key functions as intractable as factorization. Technical

report, Massachusetts ints. of tech. Cambridge lab for

computer science.

Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How

to leak a secret. In International Conference on the

Theory and Application of Cryptology and Informa-

tion Security, pages 552–565. Springer.

Shacham, H. and Waters, B. (2007). Efﬁcient ring signa-

tures without random oracles. In International Work-

shop on Public Key Cryptography, pages 166–180.

Springer.

Sun, S.-F., Au, M. H., Liu, J. K., and Yuen, T. H. (2017).

Ringct 2.0: A compact accumulator-based (linkable

ring signature) protocol for blockchain cryptocurrency

monero. In European Symposium on Research in

Computer Security, pages 456–474. Springer.

Tsang, P. P. and Wei, V. K. (2005). Short linkable ring sig-

natures for e-voting, e-cash and attestation. In Inter-

national Conference on Information Security Practice

and Experience, pages 48–60. Springer.

Van Saberhagen, N. (2013). Cryptonote v 2. 0.

Wu, Q., Susilo, W., Mu, Y., and Zhang, F. (2006). Ad hoc

group signatures. In International Workshop on Secu-

rity, pages 120–135. Springer.

Yang, X., Wu, W., Liu, J. K., and Chen, X. (2015).

Lightweight anonymous authentication for ad hoc

group: A ring signature approach. In International

Conference on Provable Security, pages 215–226.

Springer.

Zeng, S., Li, Q., Qin, Z., and Lu, Q. (2016). Non-interactive

deniable ring signature without random oracles. Secu-

rity and Communication Networks, 9(12):1810–1819.

Lightweight Ring Signatures for Decentralized Privacy-preserving Transactions

531