Convertible ring signatures with gradual revelation of non-signers

Abstract

A ring signature enables a member of a group to sign any message on behalf of the group while hiding the identity of the real signer. On the other hand, a convertible ring signature is a kind of ring signature in which the real signer can convert it into an ordinary signature. In this way, the real signer can prove the ownership of a ring signature if necessary. In this paper, we introduce a new convertible ring signature with an additional property. That is, before converting a ring signature into an ordinary signature, we allow the real signer to reveal the identity of non-signers gradually. In other words, if there are n possible signers in a ring, then, by revealing one non-signer, it will become a ring signature with n − 1 possible signers. By revealing n − 1 non-signers, then, the ring signature comes to an ordinary signature, and anyone can verify who is the real signer. This property is useful when some non-signers of a ring signature are not trusted by a verifier (i.e., the signature will not be accepted if someone is a possible signer). Rivest, Shamir, and Tauman first mentioned this problem and gave a solution as their modified ring signature scheme. However, their modified scheme can only guarantee computational anonymity. Our new scheme provides the same property on one hand and still guarantees unconditional anonymity on the other hand. The security is rigorously proved in the random oracle model according to the formal definition.