Two Stories of Ring Signatures
Yoshikazu Hanatani*, Kazuo Ohta*
*The University of Electro-Communications
Ring Signature: Present
• In 2001, a ring signature scheme was proposed by Rivest, Shamir, and Tauman.
• The signature scheme convinces a verifier that a document has been signed by one of n independent signers.
Ring Signature: Present
• A signer can connect the head and tail of the series of values by using their own secret key.
• A verifier computes the series of values from the message and the members' public keys, and checks that the signature has a ring structure.
No one can tell which part of the signature was computed with the secret key.
No one can identify the actual signer.
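The ring structure described above, as an added example that is not part of the original slides: a Schnorr-style hash-chain ring signature, which is a different construction from the RSA-based scheme of Rivest, Shamir and Tauman. The toy group parameters `P`, `Q`, `G` and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy Schnorr group constructed for this example: P = 2Q + 1, G has order Q.
# Far too small for real use; it only keeps the numbers readable.
P, Q, G = 2039, 1019, 4

def challenge(message: bytes, point: int) -> int:
    """Next value in the series: hash of the message and a group element."""
    data = message + b"|" + str(point).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key in [1, Q-1]
    return x, pow(G, x, P)                    # (secret, public)

def ring_sign(message: bytes, ring: list, s: int, x_s: int):
    """Sign as ring[s]; returns (c_0, [r_0 .. r_{n-1}])."""
    n = len(ring)
    c = [0] * n
    r = [0] * n
    alpha = secrets.randbelow(Q)
    # Start the series just after the signer's own position.
    i = (s + 1) % n
    c[i] = challenge(message, pow(G, alpha, P))
    while i != s:
        r[i] = secrets.randbelow(Q)           # free choice for every non-signer
        point = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        c[(i + 1) % n] = challenge(message, point)
        i = (i + 1) % n
    # Only the secret key can pick r_s so that head and tail meet:
    # G^r_s * y_s^c_s == G^alpha (mod P).
    r[s] = (alpha - x_s * c[s]) % Q
    return c[0], r

def ring_verify(message: bytes, ring: list, signature) -> bool:
    """Recompute the series from c_0 and check that it returns to c_0."""
    c0, r = signature
    if len(r) != len(ring):
        return False
    c = c0
    for y_i, r_i in zip(ring, r):
        c = challenge(message, pow(G, r_i, P) * pow(y_i, c, P) % P)
    return c == c0
```

The signature carries the same kind of value `r_i` for every member, so the position at which the secret key was used is not visible in it.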
Ring Signature: Old
• Once upon a time, there was a signature scheme like a ring signature scheme in Japan.
http://www.nihonkoenmura.jp/theme3/takarabito07.htm
Background
• In 1756 (in the middle of the Edo period), a signature was generated as a proof of solidarity when farmers in a certain village resisted their ruler.
• The purpose of the shape of this signature is to hide their leader.
Reason for the ring shape
• If the members simply signed, the first signer would be suspected of being the leader.
• The members signed sequentially in a ring to hide the order of the signers.
• The members who participate in the signature take equal responsibility.
Derivation
• The signature scheme is called “KARAKASARENPAN”.
KARAKASA: an umbrella
RENPAN: joint signatures
• This is because the shape of the signature looks like a traditional Japanese umbrella.
Various “KARAKASARENPAN”
http://www.archives.pref.fukui.jp/fukui/07/zusetsu/C26/C261.htm
http://asao20.hp.infoseek.co.jp/karakasa.htm
http://www.pref.iwate.jp/~hp0910/korenaani/h/032.html
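Comparison

|                                          | Ring signature        | “KARAKASARENPAN”        |
|------------------------------------------|-----------------------|-------------------------|
| Shape                                    | Ring                  | Ring                    |
| The number of signers                    | 1                     | n                       |
| Others' cooperation                      | Unnecessary           | Necessary               |
| A signer to shift the blame to members   | Possible              | Impossible              |
| Purpose                                  | Hide an actual signer | Hide a members' leader  |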
Ring Signature: Future
• Ring signature schemes with an additional functionality, with which the involved members of the ring can deny the signature, have been proposed.
M. Naor, “Deniable ring authentication,” CRYPTO 2002.
Yuichi Komano, Kazuo Ohta, Atsushi Shimbo, Shinichi Kawamura, “Toward the Fair Anonymous Signatures: Deniable Ring Signatures,” in preparation.