Non-interactive deniable ring signature without random oracles

摘要

Ring signature scheme protects the privacy while signer is signing. In the ring signature scheme, the signer can randomly choose verification keys of entities and generate a signature on behalf of these entities. The generated signature can be verified by anyone by inputting all these verification keys. Consequently, a ring signature convinces a verifier that one member from these entities produces this signature without revealing which one. This property is good for the signer as his identity is not leaked. However, the signer also can make use of this capacity to generate a malicious signature on behalf of a ring. Because of the unconditional anonymity of ring signature, this signer cannot be traced to be responsible for his malicious signing. Group signature can avoid this problem because the group manager in the group signature can trace the actual signer by using the trapdoor. However, the group is fixed from the beginning and it needs a complicated setup algorithm. Deniable ring signature was introduced by Komano et al., which allows to revoke the anonymity of actual signer without the manager's help if necessary. The actual signer can confirm his signing for anyone through the confirmation protocol. On the other hand, non-signers in the ring can disavow this signing by the disavowal protocol. Therefore, the actual signer can be traced. However, Komano's scheme was proven in random oracles, and the traceability protocols (confirmation and disavowal protocols) are interactive. To improve Komano's construction, this work proposes a new efficient non-interactive deniable ring signature scheme in the standard model. It is a kind of ring signature and therefore, it does not require a setup algorithm, and the ring in the scheme is flexible. Copyright (c) 2013 John Wiley & Sons, Ltd.