A ring signature scheme allows one party to sign messages on behalf of an arbitrary set of users, called the ring. The anonymity of the scheme guarantees that the signature does not reveal which member of the ring signed the message. The ring of users can be selected "on-the-fly" by the signer and no central coordination is required. Ring signatures have made their way into practice in the area of privacy-enhancing technologies and they build the core of several cryptocurrencies. Despite their popularity, almost all ring signature schemes are either secure in the random oracle model or in the common reference string model. The only candidate instantiations in the plain model are either impractical or not fully functional. In this work, we close this gap by proposing a new construction paradigm for ring signatures without random oracles: We show how to efficiently instantiate full-fledged ring signatures from signature schemes with re-randomizable keys and non-interactive zero-knowledge. We obtain the following results:

- The first almost practical ring signature in the plain model from standard assumptions in bilinear groups.
- The first efficient ring signature in the plain model secure under a generalization of the knowledge of exponent assumption.