
Computers and Mathematics with Applications 65 (2013) 1350–1359


A new way to generate a ring: Universal ring signature


Raylin Tso ∗
Computer Science Department, National Chengchi University, Wenshan, Taipei 11605, Taiwan

Keywords: Applied cryptography; Message/signer ambiguity; Privacy protection; Ring signature; Universal designated verifier signature

Abstract

A ring signature enables an individual of a group to sign a message on behalf of the group without revealing the identity of the real signer. It is useful for leaking authoritative secrets in an anonymous way. In this paper, we define a new type of ring signature called ‘‘Universal Ring Signature’’ (US(1,n)). In our scheme, a ring is not generated by a signer but by a signature holder. A signer just signs a message with a ‘‘standard’’ digital signature and, when necessary, a signature holder can modify the standard digital signature into a ring signature by spontaneously conscripting at most n − 1 arbitrary entities and/or n − 1 messages. In addition, the signature holder generating the US(1,n) is not required to have any public/private key-pair. With this modification to the original ring signature, we allow any signature holder (i.e., user of the signature) to protect personal privacy, including signer anonymity and message ambiguity, from his own perspective (instead of the signer’s). This kind of new protocol is useful when a signature is actually a certificate signed by a certificate issuer. We will show how to use this scheme to protect the identity of a certificate issuer and to protect some sensitive information on a certificate. We will also show the relationship of our scheme with the standard ring signature and with the universal designated verifier signature. Our scheme can actually be regarded as a generic construction of these two schemes. The security notions of unforgeability and privacy are also defined and proved in the random oracle model.
© 2012 Elsevier Ltd. All rights reserved.

1. Introduction

The concept of a ring signature was first formalized by Rivest et al. [1]. It specifies a set of possible signers and a proof that is intended to convince any verifier that the author of the signature belongs to this set, while hiding his identity. The scheme provides signer ambiguity in the sense that a verifier cannot tell which user in this set actually produced the signature. Ring signature schemes have been found useful in secure communications [2], group-oriented communication systems [3] and many multi-user cryptographic applications such as electronic voting [4], whistle blowing [1], or anonymous membership authentication for ad hoc groups [5–7]. Due to their usefulness, many extensions of the standard ring signature have been proposed in the literature, such as linkable ring signatures [8], threshold ring signatures [5], controllable ring signatures [9], ring signatures from a variety of keys [10], and flexible k-out-of-n signatures [11].
Motivation: In all existing ring signatures and their extensions, a ring can only be generated by a signer and not by anyone else. This means that ring signatures are useful for real signers only, and privacy protection (i.e., anonymity) is provided from the perspective of signers. If we can have a scheme in which a ring is generated by a signature holder who possesses only a standard digital signature, then we can extend the usefulness of a ring signature from real signers to signature holders, since privacy protection is then provided from the perspective of signature holders. Therefore, it is natural to ask whether we can have a ring signature where the ring is generated not by a signer but by a signature holder.

∗ Tel.: +886 2 2939 3091x62328.


E-mail addresses: raylin@cs.nccu.edu.tw, tsoraylin@gmail.com.

doi:10.1016/j.camwa.2012.01.039

In addition, ring signatures (as well as all their extensions) provide only signer anonymity. They have nothing to do with the protection of the message being signed. In other words, there exists no ring signature in which both the origin of the signature and the contents of the corresponding message can be verified ambiguously at the same time. This kind of signature will be useful in applications where a message, or part of a message, needs to be protected, especially when it needs to be protected from the perspective of a signature holder. For example, when using a certificate issued by a trusted authority, the certificate holder may wish to hide some information on the certificate. Details of this kind of application will be discussed later in this section. This inspired us to modify standard ring signatures in order to satisfy this requirement.
Our Contributions: Motivated by the increasing interest in issues relating to the protection of personal privacy, we extend the standard ring signature and define a new type of ring signature scheme called a ‘‘Universal Ring Signature’’ (US(1,n) for short). In a US(1,n), a signer signs a document m with a standard digital signature and sends it to a signature holder. Without any modification to the signature, anyone can of course verify the correctness of the signature, the integrity of the document m, and the identity of the signer. However, when necessary, the user holding the signature can modify the signature into a US(1,n) in which n different signatures on l (≤ n) different messages (including m) signed by k (≤ n) different signers (including the original signer) are involved. Note that this implicitly covers the following cases:
(1) Message ambiguity: 1-out-of-n messages is signed by a signer.
(2) Signer ambiguity: a message is signed by 1-out-of-n signers.
(3) Message and signer ambiguity: 1-out-of-n messages is signed by 1-out-of-n signers.
In any case, a verifier, even with unlimited computational power, can only be convinced by the US(1,n) that one signer has signed one message; it is statistically impossible for the verifier to identify the real signer and/or the real message. All the processes in the proposed scheme are carried out ‘‘non-interactively’’, and the user generating such a US(1,n) is not required to have any public/private key-pair.
Our US(1,n) protects a user’s privacy in that it enables a verifier to verify some information on a document but prevents the verifier from verifying the correctness of other information on the document, including the signer’s identity if necessary. Take a US(1,2) as an example and assume that a document m1 signed by a signer A contains two statements (i.e., m1 = ς1 ∥ ς2) and that the signature is σ. If the signature holder wants to make the statement ς1 and the signer’s identity ambiguous, he can generate another document m2 = ς′ ∥ ς2 where ς′ ≠ ς1 and use these two documents (i.e., m1, m2), the public key PK_B of a possible signer B, and the original signature σ from A as input to form a US(1,2). Then any verifier, even with unlimited computation power, can only verify the correctness of ς2 but cannot know who (i.e., A or B) is the real signer, nor whether the statement ς1 or ς′ is true.
Details of possible applications: During the course of a person’s lifetime, one can find many cases in which a formal document, such as a driver’s license, an insurance certificate, or a student ID card, is required to be presented to a (non-trusted) third party. These certificates are signed by some trusted Certification Authority (CA) in order to attest to the truth of certain statements and attributes linked to the identity of the user to whom the certificate is issued. Usually, those certificates contain a lot of personal information, some of which may need to be presented (to a third party) in one case but not in others. For example, a student ID card may carry the name of the holder, a student number representing the holder, the holder’s birthday, a school name and the department to which the holder belongs. When a student wants to apply for aid from a scholarship fund, he may be requested to show all the information on the ID card. On the other hand, when he wants to buy a ticket with a student discount, he may just need to show that the ID card is issued by a trusted CA (a school in this case) and that he is the person named on the card. The school name or the birthday of the holder, in this case, is irrelevant to the qualification for buying the ticket. In the case of applying for membership of a (sports) club, the name and the birthday of an applicant may be required. Usually we show our ID cards for the application in this case. However, the ID card number, the address and the family structure included on the ID card may be irrelevant to the application, and an abuse of this information may cause damage to the applicant.
Due to the increased awareness of privacy issues, an owner of a certificate may wish that only the limited information which is necessary for that specific case can be verified, while other information included in the certificate which is irrelevant to the case cannot be verified by a third party. A naive solution to this problem is to ask the CA issuing the certificate to issue a copy of the certificate case by case. That is, for case A, ask the CA to make a copy of the certificate in which only the information required for that case is included. Next time, when the certificate is required for case B, ask the CA to make another copy in which only the information required for case B is included. However, the essential problem is ‘‘whether this kind of friendly CA exists’’, especially when the CA is a government organization or a university.
An alternative solution to this problem is the adoption of anonymous credentials [12–14]. An anonymous credential system is a system in which a user can obtain a credential from an organization. In addition, the user can prove possession of this credential to another organization without revealing anything more than the fact that she owns such a credential. An anonymous credential system is of significant practical relevance because it is a good method of providing privacy for users. However, the players in anonymous credential systems are interactive Turing machines. An interactive zero-knowledge proof protocol is required between a signer and a user in order to generate an anonymous credential. Similarly, an interactive zero-knowledge proof protocol is required between a user and a verifier in order to verify the correctness of an anonymous credential. Such systems are of no use if a signer or a verifier is not willing to go through such an interactive process. In addition, anonymous credentials provide anonymity only for users of credentials but not for both the user and

the signer. In other words, anonymous credentials provide no signer ambiguity. Nevertheless, this property is useful when an owner of a certificate wants to show the validity of the certificate to any verifier without telling the truth about which CA actually issued it.
Nowadays, with the rapid development of computer science, certificates can be issued through the use of digital signatures. We all know that a secure digital signature does not allow any alteration of the signed document, since there is no means to distinguish appropriate alterations from inappropriate forgeries. On the other hand, to prevent or to discourage the abuse of personal information by a third party, in some cases, although we have to present the certificate to the third party, we may hope that the irrelevant information included on the certificate (and the signer’s information if necessary) can be kept secret from the verifier, or at least be ambiguous from the view of the verifier. This paper addresses the issue of how to deal with this problem ‘‘without the assistance of a signer’’ (i.e., we assume that signers are willing to produce a certificate in a unique form and to sign it with a ‘‘standard digital signature only’’).
Paper organization: The rest of this paper is organized as follows: Section 2 gives some related work relevant to this paper. In Section 3 we define the notion of a US(1,n) and review some preliminaries which will be required for our construction. Section 4 presents the proposed scheme. Section 5 gives the security requirements and the security proofs. The conclusion is given in Section 6.

2. Related works

Ring signatures [1,10,11] provide only signer ambiguity. In our US(1,n), case (2) described in the above section is similar to a ring signature. However, in our US(1,n), the ring signature is produced publicly by any holder of a standard signature instead of by the signer. This property is useful, for example, for any owner of a certificate to show the validity of the certificate to any verifier without telling the truth about which CA actually issued it.
In [15], Chen proposed two special digital signatures called ‘‘Oblivious Signatures’’. Tso et al. [16] in 2008 gave formal definitions of the model of oblivious signatures and proposed an efficient oblivious signature scheme. In their first scheme, the user can choose one of the n keys of a signer to get a message signed without revealing to the signer with which key the message is signed. In their second scheme, the recipient can choose one of n messages to be signed without revealing to the signer on which message the signature is made. Oblivious signatures mainly concern the signing phase between a user and a signer, whereas our scheme concerns the verifying phase between a signature holder and a verifier. Although the schemes in [15] can also provide the same property as the proposed scheme, it is achieved in an ‘‘interactive way’’ between the signer and the user. On the other hand, our scheme functions as a standard signature when no modification is performed. When necessary, any holder of the signature can modify the original signature into a US(1,n). That is what we mean by the term ‘‘Universal’’ in the name.
On the other hand, Steinfeld et al. [17] proposed a Universal Designated-Verifier Signature (UDVS) which is also useful for protecting a user’s privacy. Similar to our US(1,n), a UDVS has the universal property and the convenience for a signer of signing with a standard digital signature. However, the concept behind a UDVS is to modify a signature into a designated signature such that only the designated verifier can verify it. It does not allow the holder of the message to hide partial information included in the message from the verifier. In addition, in order to verify a signature, a designated verifier must execute a ‘‘verifier key-registration protocol’’ (see [18] for more information) beforehand, which forces the verifier to have his own public/private key-pair. This is different from our US(1,n).
To prevent, or to discourage, the abuse of personal information (in a formal document) by a third party, Content Extraction Signatures [19] and the Sanitizable Signature of Miyazaki et al. [20] have been proposed. These schemes allow the owner of a digitally signed document to produce an ‘‘extracted signature’’ on selected extracted portions of the original document, which can be verified by any third party without knowledge of the unextracted document portions. The concept behind these schemes is to view a document as a collection of several portions (i.e., a collection of several facts or statements) and to ask the signer to sign the hashed value of each portion instead of the original document. These schemes require the agreement of the original author to perform such division and extraction processes for the user. Our scheme solves this problem by allowing the signer to sign using just a standard digital signature instead of some specific signature scheme.

3. Preliminaries and scheme model

3.1. Complexity assumptions

Definition 1 (Discrete Logarithm (DL) Problem). Let G be a finite group of prime order $q \ge 2^{\lambda}$, where $\lambda$ is a security parameter. Let also g be a generator of G with order q. The DL problem is to output k from $\delta = g^{k}$ (computed in G) when given $g, q, \delta \in G$.

The success probability that an algorithm F has in solving the DL problem in G is $\mathrm{Succ}^{\mathrm{DL}}_{F} = \Pr[F(g, \delta) = k : \delta = g^{k}]$, where the probability is over the random choice of $g, \delta$ in G and the random bits consumed by F.

The Discrete Logarithm (DL) assumption is that $\mathrm{Succ}^{\mathrm{DL}}_{F}$ is negligible for any polynomial-time algorithm F (for the security parameter $\lambda$). As one of the fundamental complexity assumptions, the DL assumption has been widely used in the security analysis of cryptographic protocols.

3.2. Three-move signatures

Our generic construction is based on any three-move signature scheme, defined as below. In this section, we review the three-move type signature schemes described in [10,21].
Key generation. On input a security parameter $1^{k}$, it outputs a private key sk and a public key pk.
Signing process. In three-move signatures, the signing process consists of three polynomial-time algorithms: A, H and Z.
1. A(r, sk) → a: On input a random string r and (optionally) a private key sk, algorithm A outputs a commitment string a.
2. H(m, a) → c: On input a message m and the commitment string a, algorithm H outputs a challenge string c. In most cases, H is a hash function.
3. Z(sk, r, c) → s: On input a private key sk, the random string r and the challenge string c, algorithm Z outputs a string s.
The signature on the message m is σ = (s, c).
Verifying process. The verification of three-move signatures consists of two polynomial-time algorithms: V and H.
1. V(pk, σ) → z: On input a public key pk and a signature σ = (s, c), algorithm V outputs a string z.
2. H(m, z) → e: On input a message m and the string z, algorithm H outputs a string e. This algorithm is the same as H in the signing process.
The verification outputs ‘‘1’’ (if e = c) or ‘‘0’’ (otherwise).
Three-move signature schemes can be derived from three-move honest-verifier zero-knowledge proofs (e.g., the classic Fiat–Shamir signature [22] and the Schnorr signature [23]).

3.3. Witness hiding

The concept of witness hiding was first defined by Feige and Shamir [22]. Witness hiding is a natural security requirement and can replace zero knowledge in many cryptographic protocols.
In this paper, a witness hiding proof is used as a sub-protocol of our scheme in order to prove that the prover knows at least one of the n solutions of the DL problems. Any non-interactive witness hiding protocol in the DL setting could be a candidate for our scheme, for example the witness indistinguishable signature proposed by Cramer et al. [24] and the ring signature scheme proposed by Abe et al. [10]. Below we review Abe et al.’s scheme [10] in the DL setting.
Witness hiding protocol [10]: For each i from 1 to n, let $g_i$ be a generator of a cyclic group $G_i$ of order $p_i$ and let $\delta_i \in G_i$ be a random element picked from $G_i$. Suppose $G_i$ is a multiplicative cyclic group. The DL problem defined in $G_i$ is to find an $x_i$ such that $g_i^{x_i} = \delta_i$.
Assume a prover A knows one of $x_i = \log_{g_i} \delta_i$, $1 \le i \le n$, and wants to prove this knowledge. Let L be the list $\{\delta_1, \ldots, \delta_n\}$ and let the witness A knows be $x_k = \log_{g_k} \delta_k$. For each i from 1 to n, $H_i : \{0,1\}^{*} \to \Delta_i$ denotes a cryptographic one-way hash function whose domain $\Delta_i$ depends on $\delta_i$.
(Witness proof)
• Initial step: Select $\alpha \leftarrow \Delta_k$ and compute $e_k = A_k(x_k, \alpha)$ and $c_{k+1} = H_{k+1}(L, e_k)$.
• Simulation step: For $i = k+1, \ldots, n-1, n, 1, \ldots, k-1$, select $s_i \leftarrow \Delta_i$ and compute $e_i = V_i(s_i, c_i, \delta_i)$ and $c_{i+1} = H_{i+1}(L, e_i)$.
• Real proof step: Compute $s_k = Z_k(x_k, \alpha, c_k)$.
The witness hiding proof for the witness $x_k$ is $WH(x_k) = (c_1, s_1, \ldots, s_n)$.
(Verification) For $i = 1, \ldots, n$, compute $e_i = V_i(s_i, c_i, \delta_i)$ and then $c_{i+1} = H_{i+1}(L, e_i)$ if $i \ne n$. Accept the proof if $c_1 = H_1(L, e_n)$ and reject otherwise.

3.4. Formal model for a universal ring signature

Unlike standard ring signatures, universal ring signatures are generated by anyone holding a standard signature. There
are three parties involved in a universal ring signature scheme US (1,n) :
– Signer: The owner of a private/public key pair who generates (standard) publicly verifiable signatures.
– Signature holder: The signature holder who, on receiving a standard signature from the original signer, generates a
universal ring signature from the standard signature.
– Verifier: The intended receiver and verifier of universal ring signatures.
Below, we formally define a universal ring signature scheme US (1,n) .

Definition 2. A US (1,n) scheme consists of six algorithms:


1. Key generation: A probabilistic polynomial-time algorithm (denoted by KGen) takes a security parameter $1^{\ell_i}$ as input and outputs a private/public key-pair $(sk_i, pk_i)$ for a signer $U_i$. Notice that different signers may have different security parameters $1^{\ell_i}$.

2. Signing: A probabilistic/deterministic polynomial-time algorithm (denoted by Sign) takes a signing key sk and a message m as input, and outputs a standard and publicly verifiable signature σ.
3. Public verification: A deterministic polynomial-time algorithm (denoted by PVer) takes a public key pk and a message/signature pair (m, σ) as input, and outputs 1 or 0.
4. Signature conversion: A probabilistic polynomial-time algorithm (denoted by SCon) takes a set of messages M (including m), a set of public keys PK (including pk) and the signature σ as input, and outputs a 1-out-of-n signature $\hat{\sigma}$ where $n \le |M| \times |PK|$.
5. Oblivious verification: A deterministic polynomial-time algorithm (denoted by OVer) takes M, PK and $\hat{\sigma}$ as input, and outputs 1 or 0.

4. Proposed scheme

To make our generic construction easier to understand, we first give a concrete construction of a universal ring signature based on the Schnorr signature [23].

4.1. Concrete example based on Schnorr signature

KGen: Given a security parameter $1^{\ell_i}$, this algorithm outputs the public key $pk_i = (p_i, q_i, g_i, H_i, y_i)$ and the corresponding private key $x_i \in_R \mathbb{Z}^{*}_{q_i}$ of the i-th signer, where
• $p_i, q_i$: two large primes such that $q_i \mid (p_i - 1)$.
• $g_i$: an element of $\mathbb{Z}^{*}_{p_i}$ of order $q_i$.
• $H_i : \{0,1\}^{*} \to \mathbb{Z}^{*}_{q_i}$ is a cryptographic one-way hash function.
• $y_i = g_i^{x_i} \bmod p_i$.

Sign: Given $pk_i = (p_i, q_i, g_i, H_i, y_i)$, a message $m^{*} \in \{0,1\}^{*}$ and the corresponding private key $x_i$, this algorithm generates a Schnorr signature $\sigma^{*} = (r^{*}, s^{*})$, where
• $r^{*} = H_i(m^{*}, g_i^{k} \bmod p_i)$.
• $k \in_R \mathbb{Z}^{*}_{q_i}$.
• $s^{*} = k - x_i \cdot r^{*} \bmod q_i$.
PVer: Given $pk_i$, a message $m^{*}$ and a signature $\sigma^{*} = (r^{*}, s^{*})$, this algorithm outputs ‘‘1’’ if $r^{*} = H_i(m^{*}, y_i^{r^{*}} g_i^{s^{*}} \bmod p_i)$. Otherwise, it outputs ‘‘0’’.
SCon: Let $M = \{m_1, \ldots, m_n\}$ (where $m^{*} \in M$) be the set of messages and $PK = \{pk_1, \ldots, pk_n\}$ (where $pk_i \in PK$) be the set of public keys. M and PK are chosen by the signature holder, who holds a valid signature $\sigma^{*} = (r^{*}, s^{*})$ on $m^{*}$. For ease of description, we write $(r_k, s_k, m_k)$, $k \in \{1, \ldots, n\}$, in place of $(r^{*}, s^{*}, m^{*})$ in what follows.
1. The signature holder first calculates $\delta_i$ for each message $m_i \in M$.
(a) If $m_i = m_k$, $\delta_k = (g_k)^{s_k} \bmod p_k$.
(b) Otherwise, $\delta_i = \alpha_i / y_i^{r_i} \bmod p_i$. Here, $\alpha_i$ is a random number in $\mathbb{Z}^{*}_{p_i}$ and $r_i = H_i(m_i, \alpha_i)$.
2. The ring signature US(1,n) on M and PK is
$\hat{\sigma}^{*} = ((r_1, \delta_1), \ldots, (r_i, \delta_i), \ldots, (r_n, \delta_n), WH(s_k))$.
Here, $WH(s_k)$ is a witness hiding proof of $s_k$, which is computed as follows.
• Select $\beta \leftarrow \mathbb{Z}_{q_k}$ and compute $c_{k+1} = H_{k+1}(L, g_k^{\beta} \bmod p_k)$. Here L is the set $\{\delta_1, \ldots, \delta_n\}$.
• For $i = k+1, \ldots, n-1, n, 1, \ldots, k-1$, select $\omega_i \leftarrow \mathbb{Z}_{q_i}$ and compute $c_{i+1} = H_{i+1}(L, g_i^{\omega_i} \delta_i^{c_i} \bmod p_i)$. Here, ‘‘n + 1’’ is regarded as 1.
• Compute $\omega_k = \beta - s_k c_k \bmod q_k$.
The witness hiding proof of $s_k$ is $WH(s_k) = (c_1, \omega_1, \ldots, \omega_n)$.

OVer: Given $\hat{\sigma}^{*} = ((r_1, \delta_1), \ldots, (r_i, \delta_i), \ldots, (r_n, \delta_n), WH(s_k))$, together with a message set M and a public key set PK, the verification is performed in two steps:
1. This step verifies $\{(r_1, \delta_1), \ldots, (r_j, \delta_j), \ldots, (r_n, \delta_n)\}$. It outputs ‘‘1’’ if and only if $r_i = H_i(m_i, y_i^{r_i} \delta_i \bmod p_i)$ for each $m_i \in M$.
2. This step verifies the witness hiding proof $WH(s_k) = (c_1, \omega_1, \ldots, \omega_n)$. For $i = 1, \ldots, n-1$, compute $e_i = g_i^{\omega_i} \delta_i^{c_i} \bmod p_i$ and $c_{i+1} = H_{i+1}(L, e_i)$. It outputs ‘‘1’’ if and only if $c_1 = H_1(L, g_n^{\omega_n} \delta_n^{c_n} \bmod p_n)$.
The algorithm OVer outputs ‘‘1’’ if both steps output ‘‘1’’. Otherwise, it outputs ‘‘0’’.
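The following Python program is an added worked example, not code from the paper. It puts together the three pieces reviewed so far: the Schnorr signature as an instance of a three-move scheme (Section 3.2, with $a = g^k$, $H$ and $Z$ as the three algorithms), the Abe et al. witness hiding ring over discrete logarithms (Section 3.3), and the concrete KGen/Sign/PVer/SCon/OVer of Section 4.1, run on the US(1,2) certificate scenario from the introduction (school A signs m1 = ς1 ∥ ς2; the holder rings it with m2 = ς′ ∥ ς2 and school B’s key). Assumptions that are not in the paper: a single toy safe-prime group (p, q, g) shared by all signers and found at import time (far too small to be secure), SHA-256 mapped into $\mathbb{Z}^{*}_{q}$ with a per-signer label standing in for $H_i$, and simulated $\alpha_i$ drawn from the order-q subgroup rather than from all of $\mathbb{Z}^{*}_{p}$; the function names kgen, sign, pver, scon, over and demo are this example’s own.

```python
import hashlib
import secrets
BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 41:
        return n in BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def schnorr_group(start=1 << 62):
    """First safe prime p = 2q + 1 above start; g = 4 is a QR, so ord(g) = q."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4

P, Q, G = schnorr_group()  # toy (p, q, g) shared by every signer here; not a secure size

def H(label, *parts):
    """H_i : {0,1}^* -> Z_q^*, domain-separated per signer by label."""
    digest = hashlib.sha256(repr((label, parts)).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def kgen(label):
    """KGen: private key x in Z_q^*, public key pk = (label, y = g^x mod p)."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, (label, pow(G, x, P))

def sign(pk, x, m):
    """Sign, Schnorr as a three-move scheme: a = g^k, r = H(m, a), s = k - x r."""
    k = 1 + secrets.randbelow(Q - 1)
    r = H(pk[0], m, pow(G, k, P))
    return r, (k - x * r) % Q

def pver(pk, m, sig):
    """PVer: z = V(pk, sig) = y^r g^s mod p; accept iff r == H(m, z)."""
    r, s = sig
    return r == H(pk[0], m, pow(pk[1], r, P) * pow(G, s, P) % P)

def scon(msgs, pks, sig, k):
    """SCon: (r, s) on msgs[k] under pks[k] -> US(1,n); slot k is the real pair."""
    n, (r_k, s_k) = len(msgs), sig
    rs, deltas = [None] * n, [None] * n
    for i in range(n):
        if i == k:
            rs[i], deltas[i] = r_k, pow(G, s_k, P)  # delta_k = g^s_k
            continue
        # Simulated slot: r_i = H_i(m_i, alpha_i), delta_i = alpha_i / y_i^r_i; alpha_i is
        # taken from the order-q subgroup here (a choice; the paper says random in Z_p^*).
        alpha = pow(G, 1 + secrets.randbelow(Q - 1), P)
        rs[i] = H(pks[i][0], msgs[i], alpha)
        deltas[i] = alpha * pow(pow(pks[i][1], rs[i], P), -1, P) % P
    # Witness-hiding ring proof WH(s_k): the holder knows some log_g(delta_i).
    L, cs, ws = tuple(deltas), [None] * n, [None] * n
    beta = secrets.randbelow(Q)
    i = (k + 1) % n
    cs[i] = H(pks[i][0], L, pow(G, beta, P))  # initial step gives c_{k+1}
    while i != k:  # simulation step; index n + 1 wraps around to 1
        ws[i] = secrets.randbelow(Q)
        e = pow(G, ws[i], P) * pow(deltas[i], cs[i], P) % P
        i = (i + 1) % n
        cs[i] = H(pks[i][0], L, e)
    ws[k] = (beta - s_k * cs[k]) % Q  # real proof step closes the ring at slot k
    return rs, deltas, cs[0], ws

def over(msgs, pks, usig):
    """OVer: step 1 checks each (r_i, delta_i); step 2 re-walks the ring."""
    rs, deltas, c1, ws = usig
    for i, (label, y) in enumerate(pks):
        if rs[i] != H(label, msgs[i], pow(y, rs[i], P) * deltas[i] % P):
            return False
    L, c, n = tuple(deltas), c1, len(pks)
    for i in range(n):
        e = pow(G, ws[i], P) * pow(deltas[i], c, P) % P
        c = H(pks[(i + 1) % n][0], L, e)
    return c == c1

def demo():
    """Intro scenario: A certifies Alice; the holder hides the name and issuer via B."""
    (x_a, pk_a), (_, pk_b) = kgen("school-A"), kgen("school-B")
    m1, m2 = "Alice|student", "Bob|student"  # m1 = s1||s2 was signed; m2 = s'||s2 never was
    sig = sign(pk_a, x_a, m1)
    msgs, pks = [m2, m1], [pk_b, pk_a]  # the holder places the real pair in slot 1
    usig = scon(msgs, pks, sig, 1)
    return pver(pk_a, m1, sig), over(msgs, pks, usig), over([m2, "Alice|staff"], pks, usig)
```

Running demo() returns (True, True, False): the standard signature verifies, the converted US(1,2) verifies under OVer, and a message set in which the shared ‘‘student’’ field was altered is rejected at step 1. What the verifier of the converted signature sees is only that one of the two schools signed one of the two documents; the real slot index k and the original (r, s) never leave the holder. The subgroup choice for $\alpha_i$ keeps every $\delta_i$ in the same order-q group as the real $\delta_k$, so the simulated and real entries are identically distributed in this example.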

4.2. The generic construction

We show in this section the generic construction of our scheme from any three-move signature schemes.

KGen: On input a security parameter $1^{\lambda_k}$, this algorithm outputs a private/public key-pair $(sk_k, pk_k)$, where $y_k \in pk_k$ is in a group $\Delta_k$ generated by $g_k$ and $sk_k = \log_{g_k} y_k$.
Sign: To sign a message $m_k \in \{0,1\}^{*}$, the signer generates
• $h \leftarrow_R \Delta_k$.
• $a = A_k(sk_k, h)$.
• $r = H_k(m_s, a)$.
• $s = Z_k(sk_k, h, r)$.
The publicly verifiable signature on $m_s$ is $\sigma_s = (r, s)$.
PVer: This is the same as the verifying algorithm defined in Section 3.2.
SCon: Suppose the signature holder has a valid signature $\sigma = (r, s)$ on the message $m_k$ under $pk_k$. The signature holder first chooses a message set $M = \{m_1, \ldots, m_{n_1}\}$ (including $m_k$) and a public key set $PK = \{pk_1, \ldots, pk_{n_2}\}$ (including $pk_k$). Let $pk_i = \{\Delta_i, A_i, H_i, Z_i, V_i, y_i\}$ be each public key in PK. W.l.o.g., we assume $n_1 = n = n_2$ (i.e., $|M| = |PK|$). The generation of a universal ring signature US(1,n) includes the following steps:
1. The signature holder first calculates $\delta_i$ for each message $m_i \in M$.
(a) If $m_i = m_k$, $\delta_k = \theta(s, g_k)$. Here $\theta$ is a polynomial-time function which outputs an element $\delta_k$ in $\Delta_k$ satisfying $s = \log_{g_k} \delta_k$.
(b) Otherwise, $\delta_i = I(\alpha_i, pk_i, r_i, \Delta_i)$. Here, $\alpha_i$ is a random element in $\Delta_i$ and $r_i = H_i(m_i, \alpha_i)$.
2. The ring signature US(1,n) on M and PK is
$\hat{\sigma} = ((r_1, \delta_1), \ldots, (r_i, \delta_i), \ldots, (r_n, \delta_n), WH(s))$.
Here, $WH(s)$ is a witness hiding proof of s. The purpose of $WH(s)$ is to show that the signature holder knows at least one $\log_{g_i} \delta_i$, $1 \le i \le n$, which can be proved using the witness hiding protocol proposed in [10] (as described in Section 3.3).

OVer: There are two steps to verify a US (1,n) , σ̂ = ((r1 , δ1 ), . . . , (rj , δj ), . . . , (rn , δn ), WH (s)) of M = {m1 , . . . , mn1 } and
PK = {pk1 , . . . , pkn2 }.
1. This step verifies {(r1 , δ1 ), . . . , (rj , δj ), . . . , (rn , δn )}. It outputs ‘‘1’’ if and only if ri = Hi (mi , Vi (ri , δi , pki )) for all messages
in M.
2. This step verifies the witness hiding proof WH (s) and outputs ‘‘1’’ if and only if it is a correct witness hiding proof.
The algorithm OVer outputs ‘‘1’’ if both steps output ‘‘1’’. Otherwise, it outputs ‘‘0’’.

4.3. Relationships between our US (1,n) with other schemes

Our new scheme actually extends the definition of standard ring signatures. In our scheme, if there is only one message and if we regard the signer and the signature holder as the same entity, then it is easy to see that our scheme is identical to a standard ring signature.
On the other hand, our scheme is also an extension of universal designated verifier signatures [17]. In our scheme, if there is only one message and two public keys, one for the original signer and the other for the verifier, then it is easy to see that our scheme becomes a universal designated verifier signature scheme.
Therefore, our scheme can be regarded as a generic construction of a standard ring signature scheme and/or a universal designated verifier signature scheme.

4.4. Security consideration

For a US(1,n) scheme, security is defined separately for the original signature (PV-signature for short) σ signed by a signer and for the oblivious-verifiable signature (OV-signature for short) σ̂ obtained from σ by the holder of the signature σ. The security requirements for a PV-signature σ are the completeness and the unforgeability of the signature. On the other hand, the security requirements for an OV-signature σ̂ are the completeness of the OV-signature, the unforgeability of the OV-signature, and the ambiguity of the OV-signature. The details will be discussed in Section 5.

5. Security consideration

In this section, we formally define the security required for the proposed scheme and then give concrete security proofs
for the scheme.

5.1. Security requirements

As mentioned in Section 4.4, for a US(1,n) scheme, security is defined separately for the (publicly verifiable) PV-signature σ signed by a signer and for the (obliviously verifiable) OV-signature σ̂ obtained from σ by the holder of the signature σ.

In the coming definitions, negl(λ) denotes any function which grows slower than $1/\lambda^{c}$ for sufficiently large λ and some constant c.
Security requirements for the PV-signature σ: This part is the same as for a standard (publicly verifiable) signature scheme. The security requirements for σ are the completeness and the unforgeability of the signature.
The completeness of a standard signature means that each signature properly produced by the signing algorithm Sign should always be accepted by the public verification algorithm PVer with probability at least 1 − negl(λ). The probability is taken over the coin flips of KGen and Sign.
The unforgeability of σ is the Existential Unforgeability against Adaptive Chosen Message Attack (EUF-ACMA) [25] for a standard publicly verifiable signature scheme, which is defined as follows:

Definition 3. A signature scheme is said to be EUF-ACMA secure if, for any polynomial-time adversary F, the advantage defined by
$$\mathrm{Adv}^{\text{EUF-ACMA}}_{F} = \Pr\left[\mathrm{PVer}(pk, m^{*}, \sigma^{*}) = 1 \;:\; pk \leftarrow \mathrm{KGen}(1^{k}),\ (m^{*}, \sigma^{*}) \leftarrow F^{O_S}(pk)\right]$$
is less than negl(λ). Here $O_S$ denotes the signing oracle. The probability is taken over the coin tosses of the algorithms, of the oracles, and of the forger.

Security requirements for the OV-signature σ̂ : the security requirements for the OV-signature σ̂ are the completeness of σ̂ ,
the unforgeability of σ̂ , and the ambiguity of σ̂ .

Definition 4 (Completeness of σ̂). If a signature σ is properly produced by the signing algorithm Sign, and if σ̂ ← SCon(M, PK, σ) is properly generated by the signature conversion algorithm SCon on input a set of messages M (including the original message m corresponding to σ), a set of public keys PK (including the original public key corresponding to σ) and the standard signature σ, then, with probability at least 1 − negl(λ), σ̂ satisfies OVer(σ̂, PK, M) = 1. The probability is taken over the coin flips of KGen, Sign and SCon.

The unforgeability of the OV-signature σ̂ is defined by two different attacks: the unforgeability of σ̂ against a PV-verifier
(i.e., type I attack) and the unforgeability of σ̂ against an OV-verifier (i.e., type II attack). We first introduce the unforgeability
against type I attack via the following game.

Definition 5 (Game A). Let US = (KGen, Sign, PVer , SCon, OVer ) be a US (1,n) scheme. Let FPV be a probabilistic polynomial-
time (PPT) forging algorithm.
1. At any time, FPV can access a signing oracle OS . On input public parameters para, a message m and a public key of a
signer pk, the output from OS is a (standard) signature σ such that PVer (pk, m, σ ) = 1.
2. At any time, FPV can access all the hash functions in the proposed US (1,n) scheme. All these hash functions are treated as
random oracles. In addition, FPV is equipped with the signature conversion algorithm SCon. On input σ obtained from OS
at the above step, a message-set M including m and a public-key-set PK including pk, SCon generates an OV-signature σ̂
such that OVer (M , PK , σ̂ ) = 1.
3. The above steps can be executed polynomially many times and FPV can decide in an adaptive fashion when
to stop. Let t denote the number of executions of the above steps and σi for 1 ≤ i ≤ t denote the signature output by
OS in the i-th query.
4. FPV outputs a forged OV-signature σ̂* on input of a set of public keys PK* and a set of messages M* at his choice.
We say FPV wins Game A if OVer(σ̂*, M*, PK*) = 1 and σi ∩ σ̂* = ∅ for each i, 1 ≤ i ≤ t.

Intuitively, the unforgeability of an OV-signature against type I attack means that, with the knowledge of t standard PV-
signatures (σ1, . . . , σt) and the corresponding OV-signatures, forging a new OV-signature σ̂* which is not originated or
converted from any one of the standard PV-signatures in {σ1, . . . , σt} is computationally impossible.
On the other hand, to define the unforgeability against type II attack, we introduce the following game.

Definition 6 (Game B). Let US = (KGen, Sign, PVer , SCon, OVer ) be a US (1,n) scheme. Let FOV be a PPT forging algorithm.
1. At any time, FOV can access an OV-signature oracle OV . On input a message-set M, and a public-key-set PK , the output
from OV is an OV-signature σ̂ such that OVer (PK , M , σ̂ ) = 1.
2. At any time, FOV can access all the hash functions in the proposed US (1,n) scheme. All these hash functions are treated
as random oracles.
3. FOV can repeat the above steps a polynomial number of times and decide in an adaptive fashion when to stop. Let t
denote the number of executions of the above steps and σ̂1, . . . , σ̂t denote the OV-signatures output by OV.
4. FOV outputs a forged OV-signature σ̂ ∗ on input of a set of messages M ∗ and a set of public keys PK ∗ at his choice.
We say FOV wins Game B if OVer (σ̂ ∗ , M ∗ , PK ∗ ) = 1 and σ̂ ∗ ̸∈ {σ̂1 , . . . , σ̂t }.

Intuitively, the unforgeability of an OV-signature against type II attack means that, with the knowledge of t OV-signatures
(σ̂1, . . . , σ̂t), forging a new OV-signature σ̂* such that σ̂* ∉ {σ̂1, . . . , σ̂t} is computationally impossible.

Definition 7 (Unforgeability of the OV-Signature). A US (1,n) scheme provides unforgeability of the OV-signature if, for any
PPT forging algorithm FPV that plays Game A, and any PPT forging algorithm FOV that plays Game B, FPV wins Game A with
probability less than or equal to negl(λ) and FOV wins Game B with probability less than or equal to negl(λ). The probabilities
are taken over the coin flips of KGen, Sign, SCon, FPV and FOV .

The ambiguity of the OV-signature is defined via the following game.

Definition 8 (Game C). Let US = (KGen, Sign, PVer , SCon, OVer ) be a US (1,n) scheme. Let A be an attacking algorithm with
unlimited computation power.

1. At any time, A can access a signing oracle OS . On input a message m and a public key of a signer pk, the output from OS
is a (standard) signature σ such that PVer (pk, m, σ ) = 1.
2. In addition, A is equipped with SCon. On input σ obtained from OS at the above step, a message-set M including m and
a public-key-set PK including pk, SCon generates an OV-signature σ̂ such that OVer (M , PK , σ̂ ) = 1.
3. The above steps can be executed polynomially many times. After enough executions, A picks a message-set
M* = {m1, . . . , mn1} and a public-key-set PK* = {pk1, . . . , pkn2} at his choice and gives (M*, PK*) to a challenger C as
A's challenge. Here the restriction is n1 + n2 ≥ 3 with n1 ≥ 1 and n2 ≥ 1.
4. The challenger C randomly picks a message ma ∈ M ∗ and a public key pkb ∈ PK ∗ . Using the corresponding private key
skb of pkb , C does the following steps:
– σ(a,b) ← Sign(pkb , ma , skb ),
– σ̂(a,b) ← SCon(PK ∗ , M ∗ , σ(a,b) ),
and outputs σ̂(a,b) to A.
5. A can repeat steps 1 and 2 a polynomial number of times and decide in an adaptive fashion when to stop.
6. Finally, A outputs (a′ , b′ ).

Assume t is the number of executions before A outputs (a′, b′) and σ̂i for 1 ≤ i ≤ t is the output of SCon in the i-th execution.
We say that the attacking algorithm A wins the game if a′ = a, b′ = b and σ̂(a,b) ∉ {σ̂1, . . . , σ̂t}.

Definition 9 (Ambiguity of an OV-Signature). A US (1,n) scheme provides ambiguity of an OV-signature if, for any attacking
algorithm A playing Game C, A wins in Game C with probability at most 1/(n1 n2) + negl(λ). The probability is taken over the
coin flips of SSet, KGen, Sign, and SCon.

Intuitively, the ambiguity of an OV-signature means that it is ‘‘statistically’’ impossible for any attacker A to find which
one of the message/signature pairs in the OV-signature is really signed by the original signer.
We are now ready to prove the security of the proposed scheme. We prove the concrete scheme based on the Schnorr
Signature.
The completeness of the PV-signature σ* and the OV-signature σ̂* is straightforward. In addition, σ* is a standard Schnorr
signature. It has been proved in [26,27] to be EUF-ACMA secure (see Definition 3) in the random oracle model. Consequently,
in this section, we only consider the security concerning the OV-signature σ̂. We first prove the ambiguity of an OV-
signature.

Lemma 10. An OV-signature of the proposed scheme provides ambiguity of the original message and/or the original
signer.

Proof. Let A be an adversary with unlimited computation power in Game C. W.l.o.g., we consider the simplified case and
assume that M = {m1, m2} and PK = {y} are picked by A at step 3 of Game C. The challenger C randomly picks
mb ∈ M, signs mb with the private key corresponding to y and converts the standard signature on mb into an OV-signature of
the form σ̂* = (WH(sb), (r1, δ1), (r2, δ2)). From σ̂*, A has to predict b ∈ {1, 2}.
Because of the completeness of σ̂*, each (ri, δi), i ∈ {1, 2}, satisfies the equation ri = Hi(mi, y^{ri} δi mod pi) and
appears to be a valid signature on mi. In addition, the witness hiding proof WH(sb) proposed in [10] has been proved to
be unconditionally witness indistinguishable in the random oracle model. That is, WH(sb) leaks no information on sb, nor
on b ∈ {1, 2}. So, the witnesses sb = log_g δ1 and log_g δ2 are statistically indistinguishable and we conclude that A wins Game
C with probability exactly the same as random guessing of b. Consequently, the ambiguity of the message signed by the
signer is preserved. □

Definition 11. The OV-signature is EUF-ACMA secure.


Proof. We first prove the unforgeability against type I attack. It is sufficient to show that any Schnorr signature (r, s) on a
message m is convertible to a signature (r, δ) and a secret s = log_g δ on the same message m, and vice versa.
From the proposed scheme, it is obvious that any Schnorr signature (r, s) on m is convertible to (r, δ) and a secret s such
that r = H(m, y^r δ mod p) and s = log_g δ.
On the contrary, assume σ̂ = (WH(s), (r1, δ1), . . . , (rn, δn)) is a valid OV-signature on M = {m1, . . . , mn} and
PK = {pk1, . . . , pkn}. If the OV-signature is forged by an adversary FPV without knowing the witness s, i.e., a solution of one of
the n DL-problems of δi to the basis gi, 1 ≤ i ≤ n, then WH(s) is a valid forgery of the witness hiding proof protocol
proposed in [10], which contradicts the security proof of [10]. That is, if FPV can forge an OV-signature (via Game A)
without knowing the witness s, then, using the same security proof as in [10], one can further use FPV to solve a DL-problem.
Therefore, we may assume that FPV knows the witness s, which is equal to log_{gj} δj for some j, 1 ≤ j ≤ n, if FPV wins in Game
A. Note that if FPV knows the witness sj, then, using the forking technique [27] or the generic forking technique [28], which
involves running the attacker FPV against our scheme twice, answering its i*-th Hj query differently in the two runs, one
obtains two distinct solutions (cj, ωj) and (c′j, ω′j), from which the witness

$$s_j = \frac{\omega_j - \omega_j'}{c_j - c_j'}$$

can be recovered. It is then easy to see that (rj, sj) is a valid Schnorr signature, since

$$H_j\bigl(m_j,\; y_j^{r_j} g_j^{s_j} \bmod p_j\bigr) = H_j\bigl(m_j,\; y_j^{r_j}\,\delta_j \bmod p_j\bigr) = r_j .$$

We have proved that any Schnorr signature (r, s) on a message m is convertible to a signature (r, δ) and a secret s = log_g δ
on the same message m, and vice versa. Moreover, the Schnorr signature is known to be EUF-ACMA secure based on the
hardness of the discrete-logarithm problem. Therefore, we conclude that our scheme is EUF-ACMA secure. This ends the
proof of the unforgeability against type I attack.
To prove the unforgeability against a type II attack, assume the adversary FOV outputs his forgery σ̂* ∉ {σ̂1, . . . , σ̂t}
in Game B, where each σ̂i represents the i-th output from the OV-signature oracle queried by FOV during the execution of
Game B.
We have shown in the above proof that an OV-signature is convertible to a standard (Schnorr) signature and vice versa.
Assume σ̂* is convertible to a standard signature σ* and σ̂i is convertible to σi for 1 ≤ i ≤ t, respectively.
• If FOV knows the witness s∗ corresponding to σ̂ ∗ , then, using the forking technique as described above, one can extract
s∗ from FOV and can convert σ̂ ∗ to σ ∗ , a valid Schnorr signature. Furthermore,

– if σ* = σi ∈ {σ1, . . . , σt}, then s* = si and δ* = g^{s*} = g^{si} = δi for some i. Finding δi means finding the original
signature from the OV-signature σ̂i, which breaks the ambiguity of σ̂i. This contradicts Lemma 10 as well as the
ambiguity of WH(si), the witness hiding proof in [10].
– if σ ∗ ̸∈ {σ1 , . . . , σt }, then σ ∗ is a successful forgery of the standard (Schnorr) signature. This contradicts the EUF-ACMA
security of the Schnorr signature.
• If FOV does not know the witness s∗ corresponding to σ̂ ∗ , then FOV forges WH (s∗ ) ∈ σ̂ ∗ without knowing the witness s∗ .
This contradicts the EUF-ACMA security of the witness hiding protocol [10].
Consequently, we conclude that the proposed scheme is EUF-ACMA secure. □
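The conversion the two proofs above rest on, as an added example (my code, not the paper's): a Schnorr signature (r, s) in the paper's form becomes (r, δ = g^s), decoy pairs (m_i, y_i) are simulated by the holder without any private key so that r_i = H_i(m_i, y_i^{r_i} δ_i mod p) still holds, and WH(s) over the δ_i is instantiated with an AOS-style 1-out-of-n discrete-log ring proof, which is my assumption for the witness hiding proof the paper takes from [10]. The group parameters are constructed toy values, a key pair is simply (x, y = g^x), one hash serves every H_i, and the names scon, over and wh_prove are mine.

```python
import hashlib
import secrets

# Toy DL group: p = 2q + 1 with q prime, g of order q. Constructed for this example; far too small for real use.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """SHA-256 of the inputs as an integer; serves as the Schnorr hash H and as the ring-proof challenge."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(x, m):
    """Schnorr signature (r, s) under sk x, in the form verified as r == H(m, y^r g^s mod p)."""
    k = secrets.randbelow(Q - 1) + 1
    r = H(m, pow(G, k, P))
    return r, (k - x * r) % Q

def pver(y, m, sig):                                 # PVer: standard verification under pk y = g^x
    return sig[0] == H(m, pow(y, sig[0], P) * pow(G, sig[1], P) % P)

def scon(sig, m, y, decoys, pos):
    """SCon on the holder's side: genuine (m, y) at index pos, decoy pairs (m_i, y_i) elsewhere."""
    r, s = sig
    pairs = []
    for m_i, y_i in decoys:
        # Simulated decoy: r_i == H(m_i, y_i^r_i * delta_i) holds, yet log_g delta_i is unknown (no key needed).
        R = pow(G, secrets.randbelow(Q - 1) + 1, P)
        r_i = H(m_i, R)
        pairs.append((m_i, y_i, r_i, R * pow(pow(y_i, r_i, P), -1, P) % P))
    pairs.insert(pos, (m, y, r, pow(G, s, P)))      # genuine pair: delta = g^s, s = log_g delta
    return pairs, wh_prove(pairs, pos, s)

def wh_prove(pairs, j, s_j):
    """WH(s_j): 1-out-of-n proof of knowing log_g delta_i for some i (AOS-style ring proof, an assumed instantiation)."""
    n, deltas = len(pairs), [d for (_, _, _, d) in pairs]
    c, z = [0] * n, [0] * n
    alpha = secrets.randbelow(Q - 1) + 1
    c[(j + 1) % n] = H(pairs, pow(G, alpha, P))
    i = (j + 1) % n
    while i != j:                                    # close the ring with random z_i for every decoy
        z[i] = secrets.randbelow(Q)
        c[(i + 1) % n] = H(pairs, pow(G, z[i], P) * pow(deltas[i], c[i], P) % P)
        i = (i + 1) % n
    z[j] = (alpha - s_j * c[j]) % Q                  # the only step that uses the witness
    return c[0], z

def over(pairs, proof):
    """OVer: every pair looks like a valid signature and the ring closes; which index is genuine stays hidden."""
    c0, z = proof
    if not all(r == H(m, pow(y, r, P) * d % P) for (m, y, r, d) in pairs):
        return False
    c = c0
    for (_, _, _, d), z_i in zip(pairs, z):
        c = H(pairs, pow(G, z_i, P) * pow(d, c, P) % P)
    return c == c0
```

A message decoy (same key, other message) and a signer decoy (other key) go through the same simulation, so OVer accepts the converted signature while nothing in it singles out the pair whose δ equals g^s.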

6. Conclusion

Motivated by the increasing interest in issues relating to the protection of personal privacy, we modified the standard
ring signatures and introduced a new type of ring signature scheme called a universal ring signature. Our scheme can be
used to protect a user's privacy in a way that it enables a verifier to verify some information on a document but prevents
the verifier from verifying the correctness of other information in the document, including the signer's identity if necessary. The
formal model of the proposed scheme and the security notions for the scheme are also defined and proved. Implementation
or simulation of the proposed scheme is considered as future work.

References

[1] R. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in: Advances in Cryptology—ASIACRYPT'01, in: Lecture Notes in Computer Science, vol. 2248,
2001, pp. 552–565.
[2] B. Xie, A. Kumar, D. Zhao, R. Reddy, B. He, On secure communication in integrated heterogeneous wireless networks, International Journal of
Information Technology, Communications and Convergence 1 (1) (2011) 4–23.
[3] S. Wang, Y. Tsai, C. Shen, P. Chen, Hierarchical key derivation scheme for group-oriented communication systems, International Journal of Information
Technology, Communications and Convergence 1 (1) (2011) 66–76.
[4] R. Cramer, M. Franklin, B. Schoenmakers, M. Yung, Multi-authority secret-ballot elections with linear work, in: Advances in Cryptology—
EUROCRYPT’96, in: Lecture Notes in Computer Science, vol. 1070, 1996, pp. 72–83.
[5] E. Bresson, J. Stern, M. Szydlo, Threshold ring signatures and applications to ad-hoc groups, in: Advances in Cryptology—CRYPTO’02, in: Lecture Notes
in Computer Science, vol. 2442, 2002, pp. 465–480.
[6] S. Prahmkaew, Performance evaluation of convergence ad hoc networks, Journal of Convergence 1 (1) (2011) 101–106.
[7] M. Imani, M. Taheri, M. Naderi, Security enhanced routing protocol for ad hoc networks, Journal of Convergence 1 (1) (2011) 43–48.
[8] J.K. Liu, V.K. Wei, D.S. Wong, Linkable spontaneous anonymous group signature for ad hoc groups, in: Proc. of ACISP’04, in: Lecture Notes in Computer
Science, vol. 3108, 2004, pp. 325–335.
[9] W. Gao, G. Wang, X. Wang, D. Xie, Controllable ring signatures, in: Proc. of WISA’06, in: Lecture Notes in Computer Science, vol. 2971, 2006, pp. 12–26.
[10] M. Abe, M. Ohkubo, K. Suzuki, 1-out-of-n signatures from a variety of keys, in: Advances in Cryptology—ASIACRYPT’02, in: Lecture Notes in Computer
Science, vol. 2501, 2002, pp. 415–432.

[11] R. Tso, X. Yi, T. Ito, T. Okamoto, E. Okamoto, Design and analysis of ‘‘flexible’’ k-out-of-n signatures, in: Proc. of ATC’10, in: Lecture Notes in Computer
Science, vol. 6407, 2010, pp. 255–267.
[12] J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in: Advances in
Cryptology—EUROCRYPT’01, in: Lecture Notes in Computer Science, vol. 2045, 2001, pp. 93–118.
[13] J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in: Advances in Cryptology—CRYPTO'04, in: Lecture
Notes in Computer Science, vol. 3152, 2004, pp. 56–72.
[14] D. Chaum, Security without identification: transaction systems to make big brother obsolete, Communications of the ACM 28 (10) (1985) 1030–1044.
[15] L. Chen, Oblivious signatures, in: Proceedings of ESORICS’94, in: Lecture Notes in Computer Science, vol. 875, 1994, pp. 161–172.
[16] R. Tso, T. Okamoto, E. Okamoto, 1-out-of-n oblivious signatures, in: Proc. of ISPEC’08, in: Lecture Notes in Computer Science, vol. 4991, 2008, pp. 45–55.
[17] R. Steinfeld, L. Bull, H. Wang, J. Pieprzyk, Universal designated-verifier signatures, in: Advances in Cryptology—ASIACRYPT'03, in: Lecture Notes in
Computer Science, vol. 2894, 2003, pp. 523–542.
[18] R. Tso, J.M.G. Nieto, T. Okamoto, C. Boyd, E. Okamoto, Verifier-key-flexible universal designated-verifier signatures, in: Proc. of Cryptography and
Coding, 11th IMA International Conference, in: Lecture Notes in Computer Science, vol. 4887, 2007, pp. 403–421.
[19] R. Steinfeld, L. Bull, Y. Zheng, Content extraction signatures, in: Proc. of ICICS’01, in: Lecture Notes in Computer Science, vol. 2288, 2001, pp. 285–304.
[20] K. Miyazaki, G. Hanaoka, H. Imai, Digitally signed document sanitizing scheme based on bilinear maps, in: Proceedings of ASIACCS’06, 2006,
pp. 343–354.
[21] J.K. Liu, V.K. Wei, D.S. Wong, A separable threshold ring signature scheme, in: Proc. of ICISC’03, in: Lecture Notes in Computer Science, vol. 2971, 2004,
pp. 12–26.
[22] U. Feige, A. Shamir, Witness indistinguishable and witness hiding protocols, in: Proc. of STOC’90, 1990, pp. 416–426.
[23] C.P. Schnorr, Efficient signature generation by smart cards, Journal of Cryptology 4 (3) (1991) 161–174.
[24] R. Cramer, I. Damgård, B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in: Advances in Cryptology—
CRYPTO'94, in: Lecture Notes in Computer Science, vol. 839, 1994, pp. 174–187.
[25] S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptively chosen message attacks, SIAM Journal on Computing 17 (2)
(1988) 281–308.
[26] D. Pointcheval, J. Stern, Security proofs for signature schemes, in: Advances in Cryptology—EUROCRYPT’96, in: Lecture Notes in Computer Science,
vol. 1070, 1996, pp. 387–398.
[27] D. Pointcheval, J. Stern, Security arguments for digital signatures and blind signatures, Journal of Cryptology 13 (3) (2000) 361–396.
[28] M. Bellare, G. Neven, Multi-signatures in the plain public-key model and a general forking lemma, in: Proceedings of the 13th ACM Conference on
Computer and Communication Security, 2006, pp. 390–398.
