Ring Group Signatures

Liqun Chen
2012 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications  
In many applications of group signatures, not only a signer's identity but also which group the signer belongs to is sensitive information regarding signer privacy. In this paper, we study these applications and combine a group signature with a ring signature to create a ring group signature, which specifies a set of possible groups without revealing which member of which group produced the signature. The main contributions of this paper are a formal definition of a ring group signature scheme
more » ... nd its security model, a generic construction and a concrete example of such a scheme. Both the construction and concrete scheme are provably secure if the underlying group signature and ring signature schemes are secure. 1 which are not bound to an individual signer. In the literature, an anonymous signature using a group public key is commonly known as a Group Signature (GS for short) [17] , and an anonymous signature using multiple public keys is commonly known as a Ring Signature (RS for short) [31]. Motivation of this work Given a GS, as proposed over 20 years ago by Chaum and van Heyst [17], its signer's identity is hidden in a group, of which the signer is a member, but the group's identity is revealed. It is not difficult to see that in many applications, not only the signer identity but also the group identity might contain some sensitive information which affects signer privacy. Here are a few examples of such applications: Example 1. Affiliation membership authentication. In a social network, only legitimate members from those affiliations having a contract with the network service provider are allowed to access to the network. A user need to prove that he is a legitimate member of a set of legitimate affiliations but does not have to shown his identity from a specific affiliation. Example 2. Vehicle communications. A modern vehicular ad hoc network (VANET), as discussed in [21, 30] , allows legitimate vehicles to communicate with each other. To take part in the network, a driver is required proving that his vehicle is properly registered, but is not required to show with which registration authority. Example 3. Computing platform attestation. By using the trusted computing technology, such as this in [12, 35] , a Trusted Platform Module (TPM) can attest correctness of platform configurations. The owner of a TPM wants not only to hide the TPM identity but also not to disclose from which authority the TPM obtains an attestation credential. Example 4. Fair exchanges between enterprises. When two companies, say A and B, work on a sensitive contract, neither A nor B wants the other company to be able to tell a third party that A or B has signed the contract before both the companies exchange their signatures to each other, and neither of them wants to reveal which individual employee signs the contract on behalf of the company. Protection of group identities in these applications is thus a matter of importance. Our motivation of this work is to design a special type of GSs with the property of hiding group identities. We observe the nature of each
doi:10.1109/trustcom.2012.246 dblp:conf/trustcom/Chen12 fatcat:pdclevq3kveqlin6nkyd2uas4u