Article history:

Received 15 August 2014

Received in revised form 27 March 2015

Accepted 22 May 2015

Available online 29 May 2015

Keywords:

Identity-based cryptography

Quotable signature

Ring signature

We present a new notion of identity-based quotable ring signature. This new cryptographic to identify the actual signer than at random guessing which member is the actual signer. The actual signer remain setup pro ke the ano of the actual signer. Ring signature schemes can be considered as simplified group signature schemes which consist users without managers. Recently, in order to realize an efficient ring signature scheme provably secure in the st http://dx.doi.org/10.1016/j.ins.2015.05.033 0020-0255/ 2015 Elsevier Inc. All rights reserved. ⇑ Corresponding author.

E-mail addresses: kw909@uowmail.edu.au (K. Wang), ymu@uow.edu.au (Y. Mu), wsusilo@uow.edu.au (W. Susilo).

Information Sciences 321 (2015) 71–89

Contents lists available at ScienceDirect

Information Sciences journal homepage: www.elsevier .com/locate / inspletely anonymous. On the other hand, unlike the group signature schemes, there are no group manager, no no revocation procedure, and no coordination in traditional ring signature schemes. There is no way to revos comcedure, nymity of only andard1. Introduction

In the ring signature schemes, the actual signer can choose arbitrary other ring members to form a ring that includes himself. The actual signer anonymously signs messages by using his private key and other members’ public keys on behalf of the whole ring. There is no requirement to get other members’ approval. On one hand, similar with the group signature schemes, the verifier must be convinced that a signature has been generated by a member of this ring, but could not have a better wayprimitive can be used to derive new ring signatures on substrings of an original message from an original ring signature on the original message, which is generated by the actual signer included in the ring. No matter whether a ring signature is originally generated or is quoted from another valid ring signature, it will convince the verifier that it is generated by one of the ring members, without revealing any information about which ring member is the actual signer. The set of ring members could be arbitrarily selected by the actual signer without need of other ring members’ approval. The actual signer is anonymous among this set of ring members. At the same time, the verifier could not distinguish whether a ring signature is originally generated or is quoted from another ring signature.

In this paper, we propose a concrete identity-based quotable ring signature scheme based on bilinear pairing. We make use of bilinear groups of composite order. The construction is identity-based to alleviate the problem of certificate verification, especially for applications involving a large number of public keys in each execution such as ring signature schemes.

The proposed scheme is proven to be anonymous under the assumption that the Subgroup

Decision Problem is hard, selectively unforgeable against adaptively chosen message attacks in the random oracle model under the assumption that the Computational

Diffie–Hellman problem is hard, and strongly context hiding. 2015 Elsevier Inc. All rights reserved.Identity-based quotable ring signature

Kefeng Wang ⇑, Yi Mu, Willy Susilo

Centre for Computer and Information Security Research, School of Computer Science and Software Engineering, University of Wollongong, Wollongong,

NSW 2522, Australia a r t i c l e i n f o a b s t r a c t

Our Contributions. For the first time, this paper presents a provably secure (correct, anonymous, selectively unforgeable, 72 K. Wang et al. / Information Sciences 321 (2015) 71–89and strongly context hiding) identity-based quotable ring signature scheme based on bilinear pairing, under the Subgroup

Decision Problem assumption and Computational Diffie–Hellman assumption in the composite order groups. We also present a security model and concrete security analysis by the reduction to prove the security of the proposed scheme. More precisely, we can show that if there exists an attacker who can identify the actual signer among a ring of members, then the Subgroup Decision Problem is solved, and if there exists an attacker who can selectively forge a valid quotable ring signature, then the Computational Diffie–Hellman problem is solved. We also prove the scheme is strongly context hiding in a statistical definition.

The security proof about the unforgeability is proved in the random oracle model. As mentioned in [2], the random oracle might be removed by using the Waters hash and proof techniques [29], or by using the Dual System techniques [30]. The identity-based quotable ring signature scheme introduced in this paper is already quite complicated. In order to avoid making it more obscure, we do not adopt those potential candidate approaches.

Paper Organization. The rest of this paper is organized as follows. Section 2 introduces some related work that has been studied in the literature. Section 3 introduces some mathematical background used throughout this paper. In Section 4, we recall some known results about homomorphic encryption and NIZK, which are used as building blocks in the proposed scheme. In Section 5, we propose a notion of identity-based quotable ring signature and present a concrete scheme based on bilinear pairing in the composite order groups. We also present a security model and security proofs about correctness, anonymity, selectively unforgeability against adaptively chosen message attacks and strongly context hiding property in this section. Finally, Section 6 concludes the paper. 2. Related work

In 1984, Shamir [27] introduced the concept of identity-based cryptography to simplify key management procedures in traditional public key setting. In the identity-based setting, user’s public key could be easily and publicly computed from his identity. Digital certificates are not needed.