Security and Cryptography for Networks

Volume 6280 of the series Lecture Notes in Computer Science pp 363-380

The Fiat–Shamir Transform for Group and Ring Signature Schemes

  • Ming Feng LeeAffiliated withDept. Computer Science, University of Bristol
  • , Nigel P. SmartAffiliated withDept. Computer Science, University of Bristol
  • , Bogdan WarinschiAffiliated withDept. Computer Science, University of Bristol

* Final gross prices may vary according to local VAT.

Get Access


The Fiat-Shamir (FS) transform is a popular tool to produce particularly efficient digital signature schemes out of identification protocols. It is known that the resulting signature scheme is secure (in the random oracle model) if and only if the identification protocol is secure against passive impersonators. A similar results holds for constructing ID-based signature schemes out of ID-based identification protocols.

The transformation had also been applied to identification protocols with additional privacy properties. So, via the FS transform, ad-hoc group identification schemes yield ring signatures and identity escrow schemes yield group signature schemes. Unfortunately, results akin to those above are not known to hold for these latter settings and the security of the resulting schemes needs to be proved from scratch, or worse, it is often simply assumed.

In this paper we provide the missing foundations for the use of the FS transform in these more complex settings. We start with defining a formal security model for identity escrow schemes (a concept proposed earlier but never rigorously formalized). Our main result constists of necessary and sufficient conditions for an identity escrow scheme to yield (via the FS transform) a secure group signature schemes. In addition, using the similarity between group and ring signature schemes we give analogous results for the latter primitive.