How to Leak a Secret

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2248)


In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others' public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signer-ambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.


signature scheme; ring signature scheme; signer-ambiguous signature scheme; group signature scheme; designated verifier signature scheme



Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  1. Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge
  2. Computer Science department, The Weizmann Institute, Rehovot, Israel
