How to Leak a Secret: Theory and Applications of Ring Signatures

  • Ronald L. Rivest
  • Adi Shamir
  • Yael Tauman
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3895)


In this work we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way that can only be verified by its intended recipient, and to solve other problems in multiparty computations.

Our main contribution lies in the presentation of efficient constructions of ring signatures; the general concept itself (under different terminology) was first introduced by Cramer et al. [CDS94]. Our constructions of such signatures are unconditionally signer-ambiguous, secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption. We also describe a large number of extensions, modifications and applications of ring signatures which were published after the original version of this work (in Asiacrypt 2001).


Signature Scheme Ring Signature Message Authentication Code Random Oracle Model Ring Equation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [AL03]
    Awasthi, A.K., Lal, S.: ID-based Ring Signature and Proxy Ring Signature Schemes from Bilinear Pairings. In: Cryptology ePrint Archive: Report 2004/184Google Scholar
  2. [AM04]
    Ateniese, G., de Medeiros, B.: Identity-based chameleon hash and applications. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 164–180. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. [AOS02]
    Abe, M., Ohkubo, M., Suzuki, K.: 1-out-of- n Signatures from a Variety of Keys. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 415–432. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  4. [BGLS03]
    Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verfiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  5. [BR93]
    Bellare, M., Rogaway, P.: Random Oracles are Practical: a Paradigm for Designing Efficient Protocols. In: ACM Conference on Computer and Communications Security, pp. 62–73 (1993)Google Scholar
  6. [BSS02]
    Bresson, E., Stern, J., Szydlo, M.: Threshold Ring Signatures and Applications to Ad-Hoc Groups (Extended abstract). In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 465–480. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. [Cam97]
    Camenisch, J.: Efficient and Generalzied Group Sigmatures. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 465–479. Springer, Heidelberg (1997)Google Scholar
  8. [Ch81]
    Chaum, D.: Untraceable Electronic Mail, Return Addresses and Digital Pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  9. [Ch88]
    Chaump, D.: The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability. Journal of Cryptology 1(1), 65–75 (1988)MathSciNetGoogle Scholar
  10. [CDS94]
    Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
  11. [CHY04]
    Chow, S.S.M., Hui, L.C.K., Yiu, S.M.: Identity Based Threshold Ring Signature. In Cryptology ePrint Archive: Report 2004/179Google Scholar
  12. [CV91]
    Chaum, D., Van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)Google Scholar
  13. [CYH04]
    Chow, S.S.M., Yiu, S.M., Hui, L.C.K.: Efficient Identity Based Ring Signature. In Cryptology ePrint Archive: Report 2004/327Google Scholar
  14. [DH76]
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inform. Theory IT-22, 644–654 (1976)CrossRefMathSciNetGoogle Scholar
  15. [DKNS04]
    Dodis, Y., Kiayias, A., Nicolosi, A., Shoup, V.: Anonymous Identification in Ad-Hoc Groups. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 609–626. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. [G04]
    Goldreich, O.: Foundations of Cryptography: Volume 2 – Basic Applications. Cambridge University Press, Cambridge (2004)Google Scholar
  17. [GRS99]
    Goldschlag, D.M., Reed, M.G., Syverson, P.F.: Onion Routing for Anonymous and Private Internet Connections. Communications of the ACM 42(2), 39–41 (1999)CrossRefGoogle Scholar
  18. [Her03]
    Herranz, J.: A Formal Proof of Security of Zhang and Kim’s ID-Based Ring Signature Scheme. In: WOSIS 2004, pp. 63–72 (2004)Google Scholar
  19. [HO05]
    Hanatani, Y., Ohta, K.: Two Stories of Ring Signatures. Crypto 2005 rump session talk, Available at, A photo of the 1756 ”ring signature” is available at
  20. [HS03]
    Herranz, J., Saez, G.: Forking Lemmas in the Ring Signatures’ Scenario. In: Cryptology ePrint Archive: Report 2003/067Google Scholar
  21. [HS04a]
    Herranz, J., Saez, G.: Ring Signature Schemes for General Ad-Hoc Access Structures. In: Castelluccia, C., Hartenstein, H., Paar, C., Westhoff, D. (eds.) ESAS 2004. LNCS, vol. 3313, pp. 54–65. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  22. [HS04b]
    Herranz, J., Saez, G.: New Identity-Based Ring Signature Schemes. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 27–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. [HS04c]
    Herranz, J., Saez, G.: Distributed Ring Signatures for Identity-Based Scenarios. In: Cryptology ePrint Archive: Report 2004/190Google Scholar
  24. [HW79]
    Hardy, G.H., Wright, E.M.: An Introduction to the Theory of Numbers, 5th edn. Oxford (1979)Google Scholar
  25. [JSI96]
    Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996)Google Scholar
  26. [KT03]
    Kuwakado, H., Tanaka, H.: Threshold Ring Signature Scheme Based on the Curve. IPSJ JOURNAL Abstract, 44, 8–32Google Scholar
  27. [LR88]
    Luby, M., Rackoff, C.: How to construct pseudorandom permutations from pseudorandom functions. SIAM J. Computing 17(2), 373–386 (1988)zbMATHCrossRefMathSciNetGoogle Scholar
  28. [LRCK04]
    Lv, J., Ren, K., Chen, X., Kim, K.: Ring Authenticated Encryption: A New Type of Authenticated Encryption. In: The 2004 Symposium on Cryptography and Information Security, vol. 1(2), pp. 1179–1184 (2004)Google Scholar
  29. [LW03a]
    Lin, C.Y., Wu, T.C.: An Identity Based Ring Signature Scheme from Bilinear Pairings. In: Cryptology ePrint Archive, Report 2003/117 (2003)Google Scholar
  30. [LW03b]
    Lv, J., Wang, X.: Verifiable Ring Signature. In: Proc. of DMS 2003 - The 9th International Conference on Distribted Multimedia Systems, pp. 663–667 (2003)Google Scholar
  31. [LWW03]
    Liu, J.K., Wei, V.K., Wong, D.S.: Wong A Separable Threshold Ring Signature Scheme. In: Lim, J.-I., Lee, D.-H. (eds.) ICISC 2003. LNCS, vol. 2971, pp. 12–26. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  32. [LWW04]
    Liu, J.K., Wei, V.K., Wong, D.S.: Linkable Spontaneous Anonymous Group Signatures for Ad Hoc Groups (Extended Abstract). In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  33. [Na02]
    Naor, M.: Deniable Ring Authentication. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 481–498. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  34. [Rab79]
    Rabin, M.: Digitalized signatures as intractable as factorization. Technical Report MIT/LCS/TR-212, MIT Laboratory for Computer Science (January 1979)Google Scholar
  35. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2), 120–126 (1978)zbMATHCrossRefMathSciNetGoogle Scholar
  36. [Sha84]
    Shamir, A.: Identity Based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  37. [SCPY94]
    De Santis, A., Di Crescenzo, G., Persiano, G., Yung, M.: On monotone formula closure of SZK. In: Proc. 35th FOCS, pp. 454–465. IEEE, New York (1994)Google Scholar
  38. [SM03]
    Susilo, W., Mu, Y.: Non-Interactive Deniable Ring Authentication. In: the 6th International Conference on Information Security and Cryptology ICISC 2003, pp. 397–412 (2003)Google Scholar
  39. [SM04]
    Susilo, W., Mu, Y.: Deniable Ring Authentication Revisited. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 149–163. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  40. [TLW03]
    Tang, C., Liu, Z., Wang, M.: An Improved Identity-Based Ring Signature Scheme from Bilinear Pairings. In: NM Research Preprints, MMRC, AMSS, Academia, Sinica, No. 22, Beijing, pp. 231–234 (December 2003)Google Scholar
  41. [TWC+04]
    Tsang, P.P., Wei, V.K., Chan, T.K., Au, M.H., Liu, J.K., Wong, D.S.: Separable Linkable Threshold Ring Signatures. In: Canteaut, A., Viswanathan, K. (eds.) INDOCRYPT 2004. LNCS, vol. 3348, pp. 384–398. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  42. [Wei04]
    Wei, V.K.: A Bilinear Spontaneous Anonymous Threshold Signature for Ad Hoc Groups. In: Cryptology ePrint Archive: Report 2004/039Google Scholar
  43. [WFLW03]
    Wong, D.S., Fung, K., Liu, J.K., Wei, V.K.: On the RS-Code Construction of Ring Signature Schemes and a Threshold Setting of RST. In: Qing, S., Gollmann, D., Zhou, J. (eds.) ICICS 2003. LNCS, vol. 2836, pp. 34–46. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  44. [XY04]
    Xu, S., Yung, M.: Accountable Ring Signatures: A Smart Card Approach. In: Sixth Smart Card Research and Advanced Application IFIP Conference, pp. 271–286Google Scholar
  45. [ZK02]
    Zhang, F., Kim, K.: ID-Based Blind Signature and Ring Signature from Pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ronald L. Rivest
    • 1
  • Adi Shamir
    • 2
  • Yael Tauman
    • 1
  1. 1.Laboratory for Computer ScienceMassachusetts Institute of TechnologyCambridgeUSA
  2. 2.Computer Science departmentThe Weizmann InstituteRehovotIsrael

Personalised recommendations