Ring Signature with Weak Linkability and Its Applications

“…It is known that some convertible RS schemes have security flaws [6,7] because of the lack of a formal security analysis. As an example, in this paper, we show that the recent convertible RS scheme of [8] is vulnerable to an collusion attack such that colluding adversaries can deceive a verifier into accepting a fake proof on a true signer. As noted in [2,4], an original signer should not be replaced with a non-signer of a ring for convertibility.…”

“…Using a similar attack idea we can show that the deductible RS scheme in [8] is also vulnerable to collusion attacks. The deductibility property means that a real signer of an RS can prove that other parties in a ring did not generate the RS.…”

“…2 A collusion attack on the convertible RS scheme of [8] In this section, we show that the convertible RS scheme recently suggested in [8] has a vulnerability to collusion attacks. For completeness, we present the RS scheme.…”

“…Since the initial concept of a ring signature (RS) was introduced in [10] and formally constructed in [2], a number of RS schemes have been constructed and formal security models for an RS scheme have been studied in [1,[11][12][13][14][15][16][17]. Subsequently, various extensions such as an identity-based RS [18][19][20][21][22], a threshold RS [23,24], a linkable RS [8,19], an accountable RS [25], and a traceable RS [26] have been proposed [27]. We refer to [5,28,29] for a survey of ring signatures.…”

Collusion-resistant convertible ring signature schemes

“…It is known that some convertible RS schemes have security flaws [6,7] because of the lack of a formal security analysis. As an example, in this paper, we show that the recent convertible RS scheme of [8] is vulnerable to an collusion attack such that colluding adversaries can deceive a verifier into accepting a fake proof on a true signer. As noted in [2,4], an original signer should not be replaced with a non-signer of a ring for convertibility.…”

“…Using a similar attack idea we can show that the deductible RS scheme in [8] is also vulnerable to collusion attacks. The deductibility property means that a real signer of an RS can prove that other parties in a ring did not generate the RS.…”

“…2 A collusion attack on the convertible RS scheme of [8] In this section, we show that the convertible RS scheme recently suggested in [8] has a vulnerability to collusion attacks. For completeness, we present the RS scheme.…”

“…Since the initial concept of a ring signature (RS) was introduced in [10] and formally constructed in [2], a number of RS schemes have been constructed and formal security models for an RS scheme have been studied in [1,[11][12][13][14][15][16][17]. Subsequently, various extensions such as an identity-based RS [18][19][20][21][22], a threshold RS [23,24], a linkable RS [8,19], an accountable RS [25], and a traceable RS [26] have been proposed [27]. We refer to [5,28,29] for a survey of ring signatures.…”

Collusion-resistant convertible ring signature schemes

“…After that, Au et al [61] proposed a revocable-iff-linked ring signature in which the identity of the signer will be revealed if he signed twice or more. However, Jeone et al [62] showed that revocable-iff-linked ring signature scheme in [61] does not provide anonymity and suggested [63] an improved one with strong anonymity and weak linkability. Zheng et al [64] introduced a new linkable ring signature based on Gap Diffie-Hellman problem.…”

A taxonomy of ring signature schemes: Theory and applications

Efficient Revocable Linkable Ring Signatures