Deniable ring authentication revisited

Abstract

Ring signatures allow a signer in an ad-hoc group to authenticate a message on behalf of the group without revealing which member actually produced the signature [8]. Recently, this notion has been extended by Naor by introducing Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad-hoc sub-set of participants is authenticating a message without revealing which member has issued the signature, and the verifier V cannot convince any third party that message m was indeed authenticated. Unfortunately, the scheme proposed in [7] requires an interactive protocol, which requires an assumption that an anonymous routing channel (eg. MIX-net) exists. Having this restriction, the primitive cannot be used in practice without the existence of the anonymous routing channel. In this paper, we introduce a non-interactive version of deniable ring authentication. This work proposes a deniable ring authentication without any interactive protocol required (cf. [7]). We present a generic construction that can convert any existing ring signature schemes to deniable ring authentication schemes. Our generic construction combines any ring signature scheme with an ID-based chameleon hash function. We also present three ID-based chameleon hash functions and show that our schemes outperform the construction proposed in [2]. © Springer-Verlag Berlin Heidelberg 2004.