Ring signature

In cryptography, a ring signature is a type of digital signature that can be performed by any member of a set of users that each have keys.

Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people.

One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature.

Ring signatures are similar to group signatures but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.

Ring signatures were invented by Ron Rivest, Adi Shamir, and Yael Tauman Kalai, and introduced at ASIACRYPT in 2001.

Suppose that a set of entities each have public/private key pairs, (P1, S1), (P2, S2), ..., (Pn, Sn).

Party i can compute a ring signature σ on a message m, on input (m, Si, P1, ..., Pn).

Anyone can check the validity of a ring signature given σ, m, and the public keys involved, P1, ..., Pn.

If a ring signature is properly computed, it should pass the check.

On the other hand, it should be hard for anyone to create a valid ring signature on any message for any set without knowing any of the private keys for that set.

[2] In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret.

For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking White House official", without revealing which official signed the message.

Another application, also described in the original paper, is for deniable signatures.

Here the sender and the recipient of a message form a group for the ring signature, then the signature is valid to the recipient, but anyone else will be unsure whether the recipient or the sender was the actual signer.

Thus, such a signature is convincing, but cannot be transferred beyond its intended recipient.

There were various works, introducing new features and based on different assumptions: Most of the proposed algorithms have asymptotic output size

; i.e., the size of the resulting signature increases linearly with the size of input (number of public keys).

That means that such schemes are impracticable for real use cases with sufficiently large

But for some application with relatively small median input size such estimate may be acceptable.

ring signature scheme by Fujisaki and Suzuki[5] in p2p payments to achieve sender's untraceability.

More efficient algorithms have appeared recently.

[7] The original paper describes an RSA based ring signature scheme, as well as one based on Rabin signatures.

They define a keyed "combining function"

is a trap-door function (i.e. an RSA public key in the case of RSA based ring signatures).

The equation is based on a symmetric encryption function

Under the assumptions of RSA, this implies knowledge of at least one of the inverses of the trap door functions

Generating a ring signature involves six steps.

Here is a Python implementation of the original paper using RSA.

To sign and verify 2 messages in a ring of 4 users: Monero and several other cryptocurrencies use this technology.

[citation needed] This article incorporates text available under the CC BY-SA 4.0 license.

Behaviour of the Rivest, Shamir, Tauman ring signature scheme