- Ring signature
In
cryptography , a ring signature is a type ofdigital signature that can be performed by any member of a group of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular group of people. One of the security properties of a ring signature is that it should be difficult to determine "which" of the group members' keys was used to produce the signature. Ring signatures are similar togroup signature s but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature, and second, any group of users can be used as a group without additional setup.Ring signatures were invented byRon Rivest ,Adi Shamir , andYael Tauman , and introduced atASIACRYPT in 2001. [ [http://www.springerlink.com/content/kxkndv9rgk8lu3h9/ "How to leak a secret"] ,Ron Rivest ,Adi Shamir , andYael Tauman , ASIACRYPT 2001.] The name "ring signature" comes from the ring-like structure of the signaturealgorithm .Definition
Suppose that a group of entities each have public/private key pairs, ("PK"1, "SK"1), ("PK"2, "SK"2), ... ,("PK""n", "SK""n"). Party "i" can compute a ring signature σ on a message "m", on input ("m", "SK""i", "PK"1, ... , "PK""n"). Anyone can check the validity of a ring signature given σ, "m", and the public keys involved, "PK"1, ... , "PK""n". If a ring signature is properly computed, it should pass the check. On the other hand, it should be hard for anyone to create a valid ring signature on any message for any group without knowing any of the secret keys for that group.
Applications
In the original paper, Rivest, Shamir, and Tauman described ring signatures as a way to leak a secret. For instance, a ring signature could be used to provide an anonymous signature from "a high-ranking
White House official", without revealing which official signed the message. Ring signatures are right for this application because the anonymity of a ring signature cannot be revoked, and because the group for a ring signature can be improvised.Another application, also described in the original paper, is for
deniable signature s. A ring signature where the group is the sender and the recipient of a message will only seem to be a signature of the sender to the recipient: anyone else will be unsure whether the recipient or the sender was the actual signer. Thus, such a signature is convincing, but cannot be transferred beyond its intended recipient.References
Wikimedia Foundation. 2010.