### It wasn't me! Repudiability and Unclaimability of Ring Signatures

Sunoo Park and Adam Sealfon

##### Abstract

Ring signatures, introduced by [RST01], are a variant of digital signatures which certify that one among a particular set of parties has endorsed a message while hiding which party in the set was the signer. Ring signatures are designed to allow anyone to attach anyone else's name to a signature, as long as the signer's own name is also attached. But what guarantee do ring signatures provide if a purported signatory wishes to denounce a signed message---or alternatively, if a signatory wishes to later come forward and claim ownership of a signature? Prior security definitions for ring signatures do not give a conclusive answer to this question: under most existing definitions, the guarantees could go either way. That is, it is consistent with some standard definitions that a non-signer might be able to repudiate a signature that he did not produce, or that this might be impossible. Similarly, a signer might be able to later convincingly claim that a signature he produced is indeed his own, or not. Any of these guarantees might be desirable. For instance, a whistleblower might have reason to want to later claim an anonymously released signature, or a person falsely implicated in a crime associated with a ring signature might wish to denounce the signature that is framing them and damaging their reputation. In other circumstances, it might be desirable that even under duress, a member of a ring cannot produce proof that he did or did not sign a particular signature. In any case, a guarantee one way or the other seems highly desirable. In this work, we formalize definitions and give constructions of the new notions of repudiable, unrepudiable, claimable, and unclaimable ring signatures. 
Our repudiable construction is based on VRFs, which are implied by several number-theoretic assumptions (including strong RSA or bilinear maps); our claimable construction is a black-box transformation from any standard ring signature scheme to a claimable one; and our unclaimable construction is derived from the lattice-based ring signatures of [BK10], which rely on hardness of SIS. Our repudiable construction also provides a new construction of standard ring signatures.

- Category: Public-key cryptography
- Publication info: A major revision of an IACR publication in CRYPTO 2019
- Keywords: Ring signatures
- Contact author(s): asealfon @ mit edu
- History: 2020-04-01: last of 2 revisions
- Short URL: https://ia.cr/2019/135

CC BY

BibTeX

@misc{cryptoeprint:2019/135,
author = {Sunoo Park and Adam Sealfon},
title = {It wasn't me! Repudiability and Unclaimability of Ring Signatures},
howpublished = {Cryptology ePrint Archive, Paper 2019/135},
year = {2019},
note = {\url{https://eprint.iacr.org/2019/135}},
url = {https://eprint.iacr.org/2019/135}
}
