# A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity

^{1}

^{2}

^{3}

^{4}

^{*}

## Abstract

**:**

## 1. Introduction

**Contribution.**In this paper, we survey two group-oriented signatures, group signatures (GS) and ring signatures (RS), which are dominant in the privacy preservation of users. Thus, this survey paper reviews group signature and ring signature schemes including their syntaxes, security definitions, and the development of the two signatures that answer theoretical and practical challenges. Since both signatures have arguable mechanisms for identifying malicious users and preventing their actions, this paper specifically focuses on imbalanced tracing and anonymity features of group signatures and ring signatures. It provides existing mechanisms that address the extreme tracing power in group signatures and the excessive anonymity in ring signatures methods to balance tracing and anonymity in both group signatures and ring signatures. This paper also presents research directions that require attention to apply group signatures and ring signatures in practice. For instance, in the near future we will experience the quantum era during which most existing cryptosystems will be destroyed, including group signature and ring signature schemes. Thus long-term secured group signatures and ring signature schemes must be developed.

**Organization.**The rest of our paper is constructed as follows. We define group signatures, provide related security notions, and current works in Section 2. Following the same structure of Section 2, in Section 3 we detail ring signatures. Next in Section 4, we present the existing mechanisms in group signatures for tracing signers and the existing methods that address user misuses of anonymity in ring signatures. In Section 5, we compare group and ring signatures, explicitly by their tracing mechanisms, and describe the existing challenges in both signatures that should be addressed to improve future applications. In Section 6, we summarize our paper.

## 2. Group Signatures: Related Works

**gpk**, which is public and used by outside verifiers to validate the signatures of its users. Each group user has her own secret signing key

**gsk**with which she generates an anonymous signature for the group. As explained in Chaum and van Heyst’s first group signature schemes [1], a group has a manager that holds a special key called a group manager’s secret key

**gmsk**. This group manager defines his group, and any user in it can generate an anonymous signature on behalf of the group. Moreover, the group manager wields sufficient authority to revoke user anonymity. Thus a group signature scheme is comprised of at least three parties: a group manager, group members (users), and signature verifiers.

**Definition**

**1.**

`KeyGen`,

`Sign`,

`Verify`and

`Open`as in Table 1. The parameters $\lambda \in \mathbb{N}$ is the security parameter and $N\in \mathbb{N}$ is the number of group users (members).

#### 2.1. Security Notions

- Anonymity requires that no adversary can recover the user’s identity from her signature.
- Traceability requires that no adversary can forge a signature that cannot be traced.

- Full Anonymity requires that no adversary can recover a user’s identity from her signature even if the adversary corrupts every group member and can access the outcome of the signature opening (except the challenged signature). In other words, signatures generated by two distinct group users are computationally indistinguishable to an adversary who can corrupt every member (including signature-generating members) and who receives the user indices of the signatures that he formed. He cannot request the revealing of the challenged signature.
- Full Traceability requires that no adversary can forge a signature, even one produced by a coalition of group users and the group manager, that cannot be traced back to a member of the coalition.

#### 2.2. Current Works

## 3. Ring Signatures: Related Works

`Sign`for signature generation and

`Verify`for verification. A user with public key ${\mathbf{pk}}_{s}$ and secret key ${\mathbf{sk}}_{s}$ generates a signature $\mathsf{\Sigma}$ on a message M using a set of another users’ public keys without their awareness. When signing, the user forms a group from the public keys of other users and her public key ${\mathbf{pk}}_{1},\dots ,{\mathbf{pk}}_{s},\dots ,{\mathbf{pk}}_{n}$. This newly formed group is called a ring (R). The signer forms a ring to be anonymous and sends his signature with the ring to the verifier who can validate that one of the ring members generated it. Even though other ring members’ public keys are used for signing, since they are not practically involved, ordinary ring signatures only involve two parties: signer and verifier.

**Definition**

**2.**

`Sign`and

`Verify`as in Table 2.

**Definition**

**3.**

#### 3.1. Security Notions

- Anonymity requires that no adversary can recover the signer’s identity from a given signature.
- Unforgeability requires that no adversary can output a valid signature using a secret key whose associated public key is not in the presented ring.

- Anonymity (against full key exposure) requires even though an adversary gets a set of public keys S and allows to access the signing oracle, with any index i and any $R\not\subset S$, the adversary cannot distinguish the user from two adaptive indices in the given ring R, where $R\not\subset S$ and those challenging indices were not used for querying the signing oracle.
- Unforgeability requires that no adversary with given public key set S and access to signing oracle produce a valid forgery signature ${\mathsf{\Sigma}}^{*}\leftarrow \mathtt{Sign}(R,{\mathbf{sk}}_{\mathbf{i}},{\mathit{M}}^{*})$, where $R\not\subset S$ and i is not used for querying the signing oracle.

#### 3.2. Current Works

## 4. Identifying Signers in Group Signatures and Ring Signatures

#### 4.1. User Tracing Methods in Group Signatures

**tpk**), which is available in the group public key. As a result, only the tracing authority with the related secret key (

**tsk**) can decrypt the signature and identify the signer, confirming that no outsider other than the tracing manager can identify the signature originator. Such simple encryption and decryption make the tracing mechanism efficient and straightforward. The underlying non-interactive zero-knowledge (NIZK) protocols [86,87] employed by group signature schemes ensure that ciphertext C in given signature $\mathsf{\Sigma}$ is the correct encryption of signer’s id d. NIZK is a method that convinces an outsider (verifier) that the given statement is true without disclosing any information beyond the statement’s validity and without interacting with the statement verifier. It requires only sending a message once with a statement to the verifier to satisfy a standard common string.

#### 4.2. Preventing Malicious User Actions in Ring Signatures

## 5. Discussion

#### 5.1. Comparison of Group Signatures and Ring Signatures

#### 5.2. Identifying User-Misbehaviors in Group Signatures and Ring Signatures

#### 5.3. Main Challenges and Future Research Trends in Group Signatures and Ring Signatures

- Balancing Traceability and Anonymity while Achieving Other FeaturesPrivacy is a right possessed by every user. On the other hand, traceability is required to prevent user attacks. We need well-balanced signature schemes.Although numerous group and ring signatures address the extreme tracing power in group signatures and excessive anonymity in ring signatures, no clear winner has emerged with a perfect tracing method that balances user anonymity and traceability. Each approach provides a specific solution ideal for a particular scenario. This is reasonable since the requirements of practical scenarios differ. However, an ideal tracing method for group signatures must satisfy the following criteria: it must decentralize the tracing authority without requiring the involvement of another centralized authority; it must protect innocent users’ anonymity; it must control the data that the tracer can access and hold the tracer accountable. Providing the best tracing solution for group signatures (while maintaining other features like efficient member revocation) is challenging. For instance, the existing group signatures with verifier-local revocation schemes [29,39,41,89] that present efficient member revocation have inefficient tracing mechanism. Even though we can obtain efficient tracing by an identity-escrow technique, still other authority like issuer who supports member registration can trace users based on their revocation tokens. On the other hand, the existing approaches that tried to provide privacy-preserved traceability failed to satisfy such requirements as decentralized tracing, accountability, and efficiency. Moreover, we identified a lack of discussion in tracking malicious tracers. The behavior of the tracers must be accountable to protect the long-term privacy of users. Ring signatures also have problems, including the growth of the ring size in notable tracing approaches.Providing well-balanced, privacy-preserved traceability or preventing user attacks while maintaining features like flexibility and efficiency is necessary when applying group signatures and ring signatures in real life. Thus researchers should consider the impact on those features when proposing solutions that balance traceability and anonymity in both group and ring signatures.
- Long Term Security for Group Signatures and Ring SignaturesQuantum computing and the security of current cryptographic systems against quantum attacks have become a hot topic in the cryptoworld.Most available group signature and ring signature schemes are not safe against quantum attacks. Since Peter Shor [116] showed that many number-theoretical problems are vulnerable to quantum attacks, researchers tend to construct schemes from quantum-safe cryptographic primitives like lattice cryptography and code-based cryptography. However, due to simple construction and high efficiency most of the presented proposals are still based on number-theoretical hardness assumptions. Recently, the National Institute of Standards and Technology (NIST) published post-quantum public key cryptosystems and digital signatures that were selected as the third-round finalist in their standardization project for post-quantum cryptosystems (https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization, accessed on 10 January 2022). In the future, the constructors of group and ring signatures should focus on schemes that satisfy standards like provided by NIST to protect their systems from quantum attacks. At the same time, some research groups, including that of Professor Johannes Buchmann, TU Darmstadt, Germany (https://longtermsecurity.org/, accessed on 10 January 2022), provide a platform for researchers to discuss the challenges of achieving long-lived systems and proposing theoretical and practical solutions. Projects like PQCrypto H2020 (www.pqcrypto.eu.org, accessed on 10 January 2022) are devoted to post-quantum and long-term security. Those projects show the importance of such security to conduct more researches. Recently, Grontas et al. [117] proposed a security model for long-lived e-voting systems. One research direction is taking Grontas’ proposal as a starting point and conducting research on long-lived applications of group and ring signatures.
- Preventing Implementation Hindrances in Group Signatures and Ring SignaturesGroup and ring signature proposals should be realistically administered in real-world applications and secured in actual systems.The first group and ring signatures introduced were not applicable for real applications due to efficiency and security problems. For instance, the size of the first group and ring signatures grew linearly with the number of group users. This linear problem was later solved in both signature schemes. However, we still face difficulties when applying group signatures and ring signatures schemes that were proposed in the theoretical world in the real world. For instance, the security model proposed in theoretical group signature and ring signature schemes did not capture all the side-channel attacks that happened after implementing them in actual situations. An attacker can observe the time consumptions taken for signing messages of different sizes and capture some of the signing key’s information. Attacks on practical systems done by observing leakages like consumption of time, power, and electro magnetic radiation for a system process known as side-channel attacks. Studying side-channel attacks and proposing leakage-resilient signatures is another interesting research area. Since the proposals of group and ring signatures are eventually employed in physical, privacy-preserving applications like vehicle safety communications, e-cash, and e-voting, we have to be concerned with potential efficiency and security hindrances during their implementations. Recently, Huang et al. [118] presented three new black-box constructions of a leakage-resilient group signature.

## 6. Conclusions

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Conflicts of Interest

## References

- Chaum, D.; Van Heyst, E. Group signatures. In Workshop on the Theory and Application of of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1991; Volume 547, pp. 257–265. [Google Scholar]
- Rivest, R.L.; Shamir, A.; Tauman, Y. How to leak a secret. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, 9–13 December 2001; Volume 2248, pp. 552–565. [Google Scholar]
- Chaurasia, B.K.; Verma, S.; Bhasker, S. Message broadcast in VANETs using group signature. In Proceedings of the 2008 Fourth International Conference on Wireless Communication and Sensor Networks, Indore, India, 12–14 October 2008; pp. 131–136. [Google Scholar]
- Emura, K.; Hayashi, T. Road-to-vehicle communications with time-dependent anonymity: A lightweight construction and its experimental results. IEEE Trans. Veh. Technol.
**2017**, 67, 1582–1597. [Google Scholar] [CrossRef] - Brickell, E.; Camenisch, J.; Chen, L. Direct anonymous attestation. In Proceedings of the 11th ACM conference on Computer and Communications Security, Washington, DC, USA, 25–29 October 2004; pp. 132–145. [Google Scholar]
- Agarwal, A.; Saraswat, R. A survey of group signature technique, its applications and attacks. Int. J. Eng. Innov. Technol. (IJEIT)
**2013**, 2, 28–35. [Google Scholar] - Meiklejohn, S. An Exploration of Group and Ring Signatures. 2011. Available online: https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.308.8751&rep=rep1&type=pdf (accessed on 2 March 2021).
- Bellare, M.; Micciancio, D.; Warinschi, B. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003; Volume 2656, pp. 614–629. [Google Scholar]
- Ateniese, G.; Tsudik, G. Group signatures á la carte. In SODA; SIAM: Philadelphia, PA, USA, 1999; Volume 17, pp. 848–849. [Google Scholar]
- Chen, L.; Pedersen, T.P. New group signature schemes. In Workshop on the Theory and Application of of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1994; Volume 950, pp. 171–181. [Google Scholar]
- Camenisch, J.; Lysyanskaya, A. Signature schemes and anonymous credentials from bilinear maps. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004; Volume 3152, pp. 56–72. [Google Scholar]
- Boneh, D.; Boyen, X.; Shacham, H. Short group signatures. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 2004; Volume 3152, pp. 41–55. [Google Scholar]
- Kiayias, A.; Yung, M. Group signatures with efficient concurrent join. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2005; Volume 3494, pp. 198–214. [Google Scholar]
- Furukawa, J.; Imai, H. An efficient group signature scheme from bilinear maps. In Proceedings of the Australasian Conference on Information Security and Privacy, Brisbane, Australia, 4–6 July 2005; Volume 3574, pp. 455–467. [Google Scholar]
- Delerablée, C.; Pointcheval, D. Dynamic fully anonymous short group signatures. In Proceedings of the International Conference on Cryptology in Vietnam, Hanoi, Vietnam, 25–28 September 2006; Volume 4341, pp. 193–210. [Google Scholar]
- Bichsel, P.; Camenisch, J.; Neven, G.; Smart, N.P.; Warinschi, B. Get shorty via group signatures without encryption. In Proceedings of the International Conference on Security and Cryptography for Networks, Amalfi, Italy, 13–15 September 2010; Volume 6280, pp. 381–398. [Google Scholar]
- Pointcheval, D.; Sanders, O. Short randomizable signatures. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 29 February–4 March 2016; Volume 9610, pp. 111–126. [Google Scholar]
- Libert, B.; Mouhartem, F.; Peters, T.; Yung, M. Practical “signatures with efficient protocols” from simple assumptions. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, Xi’an, China, 30 May–3 June 2016; pp. 511–522. [Google Scholar]
- Ateniese, G.; Camenisch, J.; Hohenberger, S.; De Medeiros, B. Practical Group Signatures without Random Oracles. IACR Cryptol. EPrint Arch.
**2005**, 2005, 385. [Google Scholar] - Boyen, X.; Waters, B. Compact group signatures without random oracles. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, St. Petersburg, Russia, 8 May–1 June 2006; Volume 4004, pp. 427–444. [Google Scholar]
- Ateniese, G.; Camenisch, J.; Joye, M.; Tsudik, G. A practical and provably secure coalition-resistant group signature scheme. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 20–24 August 2000; Volume 1880, pp. 255–270. [Google Scholar]
- Lyuu, Y.D.; Wu, M.L. Convertible group undeniable signatures. In Proceedings of the Conference on the Theory and Application of Cryptography, Amsterdam, The Netherlands, 28 April 28–2 May 2002; Volume 2587, pp. 48–61. [Google Scholar]
- Kiayias, A.; Yung, M. Extracting group signatures from traitor tracing schemes. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Warsaw, Poland, 4–8 May 2003; Volume 2656, pp. 630–648. [Google Scholar]
- Bellare, M.; Shi, H.; Zhang, C. Foundations of group signatures: The case of dynamic groups. In Proceedings of the Cryptographers’ Track at the RSA Conference, San Francisco, CA, USA, 14–18 February 2005; Volume 3376, pp. 136–153. [Google Scholar]
- Gordon, S.D.; Katz, J.; Vaikuntanathan, V. A group signature scheme from lattice assumptions. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Singapore, 5–9 December 2010; Volume 6477, pp. 395–412. [Google Scholar]
- Sakai, Y.; Emura, K.; Hanaoka, G.; Kawai, Y.; Matsuda, T.; Omote, K. Group Signatures with Message-Dependent Opening. In Proceedings of the International Conference on Pairing-Based Cryptography, Cologne, Germany, 16–18 May 2012; Volume 7708, pp. 270–294. [Google Scholar]
- Krenn, S.; Samelin, K.; Striecks, C. Practical group-signatures with privacy-friendly openings. In Proceedings of the 14th International Conference on Availability, Reliability and Security, Canterbury, UK, 26–29 August 2019; pp. 1–10. [Google Scholar]
- Camenisch, J.; Stadler, M. Efficient group signature schemes for large groups. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 1997; Volume 1294, pp. 410–424. [Google Scholar]
- Boneh, D.; Shacham, H. Group signatures with verifier-local revocation. In Proceedings of the 11th ACM Conference on Computer and Communications Security, Washington, DC, USA,, 25–29 October; 2004; pp. 168–177. [Google Scholar]
- Bootle, J.; Cerulli, A.; Chaidos, P.; Ghadafi, E.; Groth, J. Foundations of fully dynamic group signatures. In Proceedings of the International Conference on Applied Cryptography and Network Security, Guildford, UK, 19–22 June 2016; Volume 9696, pp. 117–136. [Google Scholar]
- Camenisch, J. Efficient and generalized group signatures. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Konstanz, Germany, 11–15 May 1997; Volume 1233, pp. 465–479. [Google Scholar]
- Barić, N.; Pfitzmann, B. Collision-free accumulators and fail-stop signature schemes without trees. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Konstanz, Germany, 11–15 May 1997; Volume 1233, pp. 480–494. [Google Scholar]
- Fujisaki, E.; Okamoto, T. Statistical Zero-Knowledge Protocols to Prove Modular Polynomial Relations. IEICE TRANSACTIONS Fundam. Electron. Commun. Comput. Sci.
**1999**, 82, 81–92. [Google Scholar] - Ling, S.; Nguyen, K.; Wang, H. Group signatures from lattices: Simpler, tighter, shorter, ring-based. In Proceedings of the IACR International Workshop on Public Key Cryptography, Gaithersburg, MD, USA, 30 March–1 April 2015; Volume 9020, pp. 427–449. [Google Scholar]
- Alamélou, Q.; Blazy, O.; Cauchie, S.; Gaborit, P. A code-based group signature scheme. Des. Codes Cryptogr.
**2017**, 82, 469–493. [Google Scholar] [CrossRef][Green Version] - Groth, J. Fully anonymous group signatures without random oracles. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, 2–6 December 2007; Volume 4833, pp. 164–180. [Google Scholar]
- Libert, B.; Ling, S.; Mouhartem, F.; Nguyen, K.; Wang, H. Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, 4–8 December 2016; Volume 10032, pp. 373–403. [Google Scholar]
- Ateniese, G.; Song, D.; Tsudik, G. Quasi-efficient revocation of group signatures. In Proceedings of the International Conference on Financial Cryptography, Southampton, Bermuda, 11–14 March 2002; Volume 2357, pp. 183–197. [Google Scholar]
- Nakanishi, T.; Funabiki, N. Verifier-local revocation group signature schemes with backward unlinkability from bilinear maps. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 December 2005; Volume 3788, pp. 533–548. [Google Scholar]
- Nakanishi, T.; Fujii, H.; Hira, Y.; Funabiki, N. Revocable group signature schemes with constant costs for signing and verifying. In Proceedings of the International Workshop on Public Key Cryptography, Irvine, CA, USA, 18–20 March 2009; Volume 3788, pp. 463–480. [Google Scholar]
- Langlois, A.; Ling, S.; Nguyen, K.; Wang, H. Lattice-Based Group Signature Scheme with Verifier-Local Revocation. In Proceedings of the International Workshop on Public Key Cryptography, Buenos Aires, Argentina, 26–28 March 2014; Volume 8383, pp. 345–361. [Google Scholar]
- Garms, L. Variants of Group Signatures and Their Applications. 2020. Available online: https://pure.royalholloway.ac.uk/portal/files/38498511/2020garmslhphd.pdf (accessed on 10 March 2021).
- Khader, D. Attribute Based Group Signatures. IACR Cryptol. EPrint Arch.
**2007**, 2007, 159. [Google Scholar] - Kuchta, V.; Sahu, R.A.; Sharma, G.; Markowitch, O. On new zero-knowledge arguments for attribute-based group signatures from lattices. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, Korea, 29 November–1 December 2017; Volume 10779, pp. 284–309. [Google Scholar]
- Camenisch, J.; Groth, J. Group signatures: Better efficiency and new theoretical aspects. In Proceedings of the International Conference on Security in Communication Networks, Amalfi, Italy, 8–10 September 2004; Volume 3352, pp. 120–133. [Google Scholar]
- Guo, J.; Baugh, J.P.; Wang, S. A group signature based secure and privacy-preserving vehicular communication framework. In Proceedings of the 2007 Mobile Networking for Vehicular Environments, Anchorage, AK, USA, 11 May 2007; pp. 103–108. [Google Scholar]
- Bender, A.; Katz, J.; Morselli, R. Ring signatures: Stronger definitions, and constructions without random oracles. In Theory of Cryptography Conference; Springer: Berlin/Heidelberg, Germany, 2006; Volume 3876, pp. 60–79. [Google Scholar]
- Shacham, H.; Waters, B. Efficient ring signatures without random oracles. In Proceedings of the International Workshop on Public Key Cryptography, Beijing, China, 16–20 April 2007; Volume 4450, pp. 166–180. [Google Scholar]
- Abe, M.; Ohkubo, M.; Suzuki, K. 1-out-of-n signatures from a variety of keys. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Volume 2501, pp. 415–432. [Google Scholar]
- Boneh, D.; Gentry, C.; Lynn, B.; Shacham, H. Aggregate and verifiably encrypted signatures from bilinear maps. In Proceedings of the International conference on the theory and applications of cryptographic techniques, Warsaw, Poland, 4–8 May 2003; Volume 2656, pp. 416–432. [Google Scholar]
- Bresson, E.; Stern, J.; Szydlo, M. Threshold ring signatures and applications to ad-hoc groups. In Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2002; Volume 2442, pp. 465–480. [Google Scholar]
- Dodis, Y.; Kiayias, A.; Nicolosi, A.; Shoup, V. Anonymous identification in ad hoc groups. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Volume 3027, pp. 609–626. [Google Scholar]
- Herranz, J.; Sáez, G. Forking lemmas for ring signature schemes. In Proceedings of the International Conference on Cryptology in India, New Delhi, India, 8–10 December 2003; Volume 2904, pp. 266–279. [Google Scholar]
- Liu, J.K.; Wei, V.K.; Wong, D.S. Linkable spontaneous anonymous group signature for ad hoc groups. In Proceedings of the Information Security and Privacy: 9th Australasian Conference, Sydney, Australia, 13–15 July 2004; Volume 3108, pp. 325–335. [Google Scholar]
- Naor, M. Deniable ring authentication. In Proceedings of the 22nd Annual International Cryptology Conference, Santa Barbara, CA, USA, 18–22 August 2002; Volume 2442, pp. 481–498. [Google Scholar]
- Xu, J.; Zhang, Z.; Feng, D. A ring signature scheme using bilinear pairings. In Proceedings of the Information Security Applications: 5th International Workshop, WISA 2004, Jeju Island, Korea, 23–25 August 2004; Volume 3325, pp. 160–169. [Google Scholar]
- Bootle, J.; Cerulli, A.; Chaidos, P.; Ghadafi, E.; Groth, J.; Petit, C. Short accountable ring signatures based on DDH. In Proceedings of the 20th European Symposium on Research in Computer Security, Vienna, Austria, 21–25 September 2015; Volume 9326, pp. 243–265. [Google Scholar]
- Huang, J.; Huang, Q.; Susilo, W. Leakage-resilient ring signature schemes. Theor. Comput. Sci.
**2019**, 759, 1–13. [Google Scholar] [CrossRef] - Deng, L.; Shi, H.; Gao, Y. Certificateless Linkable Ring Signature Scheme. IEEE Access
**2020**, 8, 54641–54651. [Google Scholar] [CrossRef] - Zhang, F.; Kim, K. ID-based blind signature and ring signature from pairings. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Queenstown, New Zealand, 1–5 December 2002; Volume 2501, pp. 533–547. [Google Scholar]
- Dwork, C.; Naor, M.; Sahai, A. Concurrent zero-knowledge. J. ACM (JACM)
**2004**, 51, 851–898. [Google Scholar] [CrossRef] - Gu, K.; Wu, N. Constant Size Traceable Ring Signature Scheme without Random Oracles. IACR Cryptol EPrint Arch.
**2018**, 2018, 288. [Google Scholar] - Chandran, N.; Groth, J.; Sahai, A. Ring signatures of sub-linear size without random oracles. In Proceedings of the International Colloquium on Automata, Languages, and Programming, Wroclaw, Poland, 9–13 July 2007; Volume 4596, pp. 423–434. [Google Scholar]
- Chow, S.S.; Yap, W.S. Certificateless Ring Signatures. IACR Cryptol EPrint Arch.
**2007**, 2007, 236. [Google Scholar] - Zhang, L.; Zhang, F.; Wu, W. A provably secure ring signature scheme in certificateless cryptography. In Proceedings of the First International Conference, Wollongong, Australia, 1–2 November 2007; Volume 4784, pp. 103–121. [Google Scholar]
- Chang, S.; Wong, D.S.; Mu, Y.; Zhang, Z. Certificateless threshold ring signature. Inf. Sci.
**2009**, 179, 3685–3696. [Google Scholar] [CrossRef] - Baudron, O.; Fouque, P.A.; Pointcheval, D.; Stern, J.; Poupard, G. Practical multi-candidate election system. In Proceedings of the Twentieth Annual ACM Symposium on Principles of Distributed Computing, Newport, RI, USA, 26–29 August 2001; pp. 274–283. [Google Scholar]
- Cramer, R.; Franklin, M.; Schoenmakers, B.; Yung, M. Multi-Authority Secret-Ballot Elections with Linear Work; EUROCRYPT 1996; Springer: Berlin/Heidelberg, Germany, 1996; Volume 1070, pp. 72–83. [Google Scholar]
- Wu, Y. An e-Voting System Based on Blockchain and Ring Signature. 2017. Available online: https://dgalindo.es/mscprojects/yifan.pdf (accessed on 14 March 2021).
- Tsang, P.P.; Wei, V.K. Short linkable ring signatures for e-voting, e-cash and attestation. In Proceedings of the First international conference on Information Security Practice and Experience, Singapore, 11–14 April 2005; Volume 3439, pp. 48–60. [Google Scholar]
- Malina, L.; Hajny, J.; Dzurenda, P.; Ricci, S. Lightweight Ring Signatures for Decentralized Privacy-preserving Transactions. In Proceedings of the 15th International Joint Conference, ICETE 2018, Porto, Portugal, 26–28 July 2018; pp. 692–697. [Google Scholar]
- Chaum, D.; Pedersen, T.P. Wallet databases with observers. In Proceedings of the 12th Annual International Cryptology Conference, Santa Barbara, CA, USA, 16–20 August 1992; Volume 740, pp. 89–105. [Google Scholar]
- Brands, S. Untraceable off-line cash in wallet with observers. In Proceedings of the 3th Annual International Cryptology Conference, Santa Barbara, CA, USA, 22–26 August 1993; Volume 773, pp. 302–318. [Google Scholar]
- Goldschlag, D.M.; Stubblebine, S.G. Publicly verifiable lotteries: Applications of delaying functions. In Proceedings of the International Conference on Financial Cryptography, Anguilla, British West Indies, 23–25 February 1998; Volume 1465, pp. 214–226. [Google Scholar]
- Kushilevitz, E.; Rabin, T. Fair e-lotteries and e-casinos. In Proceedings of the Cryptographer’s Track at RSA Conference 2001, San Francisco, CA, USA, 8–12 April 2001; Volume 2020, pp. 100–109. [Google Scholar]
- Chow, S.S.; Hui, L.C.; Yiu, S.M. Identity based threshold ring signature. In Proceedings of the 7th International Conference, Seoul, Korea, 2–3 December 2004; Volume 25, pp. 218–232. [Google Scholar]
- Melchor, C.A.; Cayrel, P.L.; Gaborit, P.; Laguillaumie, F. A new efficient threshold ring signature scheme based on coding theory. IEEE Trans. Inf. Theory
**2011**, 57, 4833–4842. [Google Scholar] [CrossRef][Green Version] - Fujisaki, E.; Suzuki, K. Traceable ring signature. In Proceedings of the 10th International Conference on Practice and Theory in Public-Key Cryptography, Beijing, China, 16–20 April 2007; Volume 4450, pp. 181–200. [Google Scholar]
- Tso, R. A new way to generate a ring: Universal ring signature. Comput. Math. Appl.
**2013**, 65, 1350–1359. [Google Scholar] [CrossRef] - bin Abdullah, N.; Muftic, S. Security protocols with privacy and anonymity of users. Univers. J. Commun. Netw.
**2015**, 3, 89–98. [Google Scholar] [CrossRef][Green Version] - Camenisch, J.; Lysyanskaya, A. A signature scheme with efficient protocols. In Proceedings of the Third International Conference, SCN 2002, Amalfi, Italy, 11–13 September 2002; Volume 2576, pp. 268–289. [Google Scholar]
- Wei, V.K. Tracing-by-linking group signatures. In Proceedings of the 8th International Conference, ISC 2005, Singapore, 20–23 September 2005; Volume 3650, pp. 149–163. [Google Scholar]
- Hwang, J.Y.; Chen, L.; Cho, H.S.; Nyang, D. Short dynamic group signature scheme supporting controllable linkability. IEEE Trans. Inf. Forensics Secur.
**2015**, 10, 1109–1124. [Google Scholar] [CrossRef] - Au, M.H.; Liu, J.K.; Susilo, W.; Yuen, T.H. Constant-size ID-based linkable and revocable-iff-linked ring signature. In Proceedings of the 7th International Conference on Cryptology in India, Kolkata, India, 11–13 December 2006; Volume 4329, pp. 364–378. [Google Scholar]
- Li, P.; Lai, J. LaT-Voting: Traceable Anonymous E-Voting on Blockchain. In Proceedings of the 13th International Conference, NSS 2019, Sapporo, Japan, 15–18 December 2019; Volume 11928, pp. 234–254. [Google Scholar]
- Feige, U.; Lapidot, D.; Shamir, A. Multiple non-interactive zero knowledge proofs based on a single random string. In Proceedings of the [1990] 31st Annual Symposium on Foundations of Computer Science, St. Louis, MO, USA, 22–24 October 1990; pp. 308–317. [Google Scholar]
- Blum, M.; De Santis, A.; Micali, S.; Persiano, G. Noninteractive zero-knowledge. SIAM J. Comput.
**1991**, 20, 1084–1118. [Google Scholar] [CrossRef][Green Version] - Brickell, E. An Efficient Protocol for Anonymously Providing Assurance of the Container of the Private Key. Trusted Comp. Group (April 2003), 2003; submitted. [Google Scholar]
- Libert, B.; Vergnaud, D. Group Signatures with Verifier-Local Revocation and Backward Unlinkability in the Standard Model. In Proceedings of the 8th International Conference on Cryptology and Network Security, Kanazawa, Japan, 12–14 December 2009; Volume 5888, pp. 498–517. [Google Scholar]
- Kiayias, A.; Tsiounis, Y.; Yung, M. Traceable signatures. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Volume 3027, pp. 571–589. [Google Scholar]
- Libert, B.; Mouhartem, F.; Nguyen, K. A Lattice-Based Group Signature Scheme with Message-Dependent Opening. In Proceedings of the 2016 Annual Meeting and Courses, Orlando, FL, USA, 10–14 February 2016; Volume 9696, pp. 137–155. [Google Scholar]
- Manulis, M. Democratic group signatures: On an example of joint ventures. In Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ASIACCS 2006, Taipei, Taiwan, 21–24 March 2006; p. 365. [Google Scholar]
- Manulis, M.; Sadeghi, A.R.; Schwenk, J. Linkable democratic group signatures. In Proceedings of the Information Security Practice and Experience: Second International Conference, Ispec 2006, Hangzhou, China, 11–14 April 2006; Volume 3903, pp. 187–201. [Google Scholar]
- Ibrahim, M.H. Resisting Traitors in Linkable Democratic Group Signatures. Int. J. Netw. Secur.
**2009**, 9, 51–60. [Google Scholar] - Zheng, D.; Li, X.; Ma, C.; Chen, K.; Li, J. Democratic Group Signatures with Threshold Traceability. IACR Cryptol. EPrint Arch.
**2008**, 2008, 112. [Google Scholar] - Ghadafi, E. Efficient distributed tag-based encryption and its application to group signatures with efficient distributed traceability. In Proceedings of the Third International Conference on Cryptology and Information Security in Latin America, Florianópolis, Brazil, 17–19 September 2014; Volume 8895, pp. 327–347. [Google Scholar]
- Blömer, J.; Juhnke, J.; Löken, N. Short group signatures with distributed traceability. In Proceedings of the Mathematical Aspects of Computer and Information Sciences: 6th International Conference, MACIS 2015, Berlin, Germany, 11–13 November 2015; Volume 9582, pp. 166–180. [Google Scholar]
- Gennaro, R.; Goldfeder, S.; Ithurburn, B. Fully Distributed Group Signatures. 2019. Available online: https://www.orbs.com/wp-content/uploads/2019/04/Crypto_Group_signatures-2.pdf (accessed on 3 March 2021).
- Kohlweiss, M.; Miers, I. Accountable metadata-hiding escrow: A group signature case study. Proc. Priv. Enhancing Technol.
**2015**, 2015, 206–221. [Google Scholar] [CrossRef][Green Version] - Ling, S.; Nguyen, K.; Wang, H.; Xu, Y. Accountable tracing signatures from lattices. In Proceedings of the Cryptographers’ Track at the RSA Conference 2019, San Francisco, CA, USA, 4–8 March 2019; Volume 11405, pp. 556–576. [Google Scholar]
- Ishida, A.; Emura, K.; Hanaoka, G.; Sakai, Y.; Tanaka, K. Group signature with deniability: How to disavow a signature. IEICE TRANSACTIONS Fundam. Electron. Commun. Comput. Sci.
**2017**, 100, 1825–1837. [Google Scholar] [CrossRef] - Benjumea, V.; Choi, S.G.; Lopez, J.; Yung, M. Fair traceable multi-group signatures. In Proceedings of the International Conference on Financial Cryptography and Data Security, San Francisco, CA, USA, 4–8 March 2008; Volume 5143, pp. 231–246. [Google Scholar]
- Lu, T.; Li, J.; Zhang, L.; Lam, K.Y. Group Signatures with Decentralized Tracing. In Proceedings of the International Conference on Information Security and Cryptology, Seoul, Korea, 4–6 December 2019; pp. 435–442. [Google Scholar]
- Xu, S.; Yung, M. Accountable ring signatures: A smart card approach. In Smart Card Research and Advanced Applications VI; Springer: Berlin/Heidelberg, Germany, 2004; Volume 153, pp. 271–286. [Google Scholar]
- Jeong, I.R.; Kwon, J.O.; Lee, D.H. Ring signature with weak linkability and its applications. IEEE Trans. Knowl. Data Eng.
**2008**, 20, 1145–1148. [Google Scholar] [CrossRef] - Torres, W.A.A.; Steinfeld, R.; Sakzad, A.; Liu, J.K.; Kuchta, V.; Bhattacharjee, N.; Au, M.H.; Cheng, J. Post-quantum one-time linkable ring signature and application to ring confidential transactions in blockchain (lattice RingCT v1. 0). In Proceedings of the 23rd Australasian Conference on Information Security and Privacy (ACISP 2018), Wollongong, Australia, 11–13 July 2018; Volume 10946, pp. 558–576. [Google Scholar]
- Lu, X.; Au, M.H.; Zhang, Z. Raptor: A practical lattice-based (linkable) ring signature. In Proceedings of the 17th International Conference on Applied Cryptography and Network Security (ACNS 2019), Bogotá, Colombia, 5–7 June 2019; Volume 11464, pp. 110–130. [Google Scholar]
- Boyen, X.; Haines, T. Forward-secure linkable ring signatures. In Proceedings of the 23rd Australasian Conference on Information Security and Privacy (ACISP 2018), Wollongong, Australia, 11–13 July 2018; Volume 10946, pp. 245–264. [Google Scholar]
- Baum, C.; Lin, H.; Oechsner, S. Towards practical lattice-based one-time linkable ring signatures. In Proceedings of the Iformation and Communications Security–20th International Conference, ICICS 2018, Lille, France, 29–31 October 2018; Volume 11149, pp. 303–322. [Google Scholar]
- Chaum, D. Blind signatures for untraceable payments. In Advances in Cryptology; Springer: Berlin/Heidelberg, Germany, 1983; pp. 199–203. [Google Scholar]
- Chaum, D.; Fiat, A.; Naor, M. Untraceable electronic cash. In Proceedings of the 8th Annual International Cryptology Conference, Santa Barbara, CA, USA, 21–25 August 1990; Volume 403, pp. 319–327. [Google Scholar]
- Okamoto, T.; Ohta, K. Universal electronic cash. In Proceedings of the 11th Annual International Cryptology Conference, Santa Barbara, CA, USA, 11–15 August 1991; Volume 576, pp. 324–337. [Google Scholar]
- Camenisch, J.; Hohenberger, S.; Lysyanskaya, A. Compact e-cash. In Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, 22–26 May 2005; Volume 3494, pp. 302–321. [Google Scholar]
- Branco, P.; Mateus, P. A traceable ring signature scheme based on coding theory. In Proceedings of the 10th International Conference, PQCrypto 2019, Chongqing, China, 8–10 May 2019; Volume 11505, pp. 387–403. [Google Scholar]
- Han, L.; Cao, S.; Yang, X.; Zhang, Z. Privacy Protection of VANET Based on Traceable Ring Signature on Ideal Lattice. IEEE Access
**2020**, 8, 206581–206591. [Google Scholar] [CrossRef] - Shor, P.W. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Rev.
**1999**, 41, 303–332. [Google Scholar] [CrossRef] - Grontas, P.; Pagourtzis, A.; Zacharakis, A. Security models for everlasting privacy. IACR Cryptol EPrint Arch.
**2019**, 2019, 1193. [Google Scholar] - Huang, J.; Huang, Q.; Susilo, W. Leakage-resilient group signature: Definitions and constructions. Inf. Sci.
**2020**, 509, 119–132. [Google Scholar] [CrossRef]

Algorithm | Purpose | Input | Output |
---|---|---|---|

KeyGen | Key Generation | ${1}^{\lambda}$ and ${1}^{N}$ | gpk, gmsk, gsk, where gsk = {gsk[i] ${\}}_{i\in \{1,\dots ,N\}}$ |

Sign | Signature Generation | gpk, gsk[i], M | a signature $\mathsf{\Sigma}$ |

Verify | Signature Verification | gpk, M, $\mathsf{\Sigma}$ | 1 (valid) or 0 (invalid) |

Open | Identifying the Signer | gmsk, M, $\mathsf{\Sigma}$ | index i of the signer or ⊥ if the user cannot be traced |

Algorithm | Purpose | Input | Output |
---|---|---|---|

Sign | Signature Generation | $R,{\mathbf{sk}}_{s},$ M | $\mathsf{\Sigma}$ |

Verify | Signature Verification | $R,\mathsf{\Sigma}$, M | 1 (valid) or 0 (invalid) |

Algorithm | Purpose | Input | Output |
---|---|---|---|

KeyGen | Key Generation | security parameter $\lambda $ | a public and secret key pair ($\mathbf{pk},\mathbf{sk}$) |

Sign | Signature Generation | $R,{\mathbf{sk}}_{s},$ M | $\mathsf{\Sigma}$ |

Verify | Signature Verification | $R,\mathsf{\Sigma}$, M | 1 (valid) or 0 (invalid) |

Tracing Approach | Level of User Privacy/Traceability | Application Example |
---|---|---|

Standard tracing [8] | Suspected users: traceable | In key-card access system, group manager can track user activities. |

Innocent users: traceable | ||

User dependent opening [90] | Suspected users: traceable | When highest bidder in an auction refuses to pay, authority can cancel any other bids by same user without revealing other users. |

Innocent users: non traceable | ||

Decentralized tracing [93] | Suspected users: traceable | When a panel member wants to discuss a fellow (anonymous) member’s submitted paper, he can identify him/her. |

Innocent users: traceable | ||

User anonymity is only safe from outsiders | ||

Message-dependent opening [26] | Suspected message related users: traceable | Identifying users who entered a park at a particular time at which a crime happened in it. |

Innocent users (not related to the message): non traceable | ||

Distributed tracing [96] | Suspected users: traceable | Shareholders agree to find a malicious employee. |

Innocent users: traceable | ||

Accountable tracing [99] | Suspected users: traceable | Police request a housing complex owner to narrow down surveillance control to suspected list. |

Innocent users: non traceable |

Tracing Approach | Level of User Privacy/Traceability | Application Example |
---|---|---|

Accountable ring signature scheme [104] | Users are traceable only to their tracer | Users post in any online forums without registering. However, a forum owner can identify a user who violated conduct code. |

Linkable ring signatures [54] | User anonymity is safe. Only linkability of signatures is identified | This prevents voting again during e-voting without identifying user. |

Traceable ring signatures [78] | Dishonest users’ public keys are traced | Unclonable group identification without group manager: honest user can prove his membership anonymously, but user clones are detected. |

Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |

© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Perera, M.N.S.; Nakamura, T.; Hashimoto, M.; Yokoyama, H.; Cheng, C.-M.; Sakurai, K. A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity. *Cryptography* **2022**, *6*, 3.
https://doi.org/10.3390/cryptography6010003

**AMA Style**

Perera MNS, Nakamura T, Hashimoto M, Yokoyama H, Cheng C-M, Sakurai K. A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity. *Cryptography*. 2022; 6(1):3.
https://doi.org/10.3390/cryptography6010003

**Chicago/Turabian Style**

Perera, Maharage Nisansala Sevwandi, Toru Nakamura, Masayuki Hashimoto, Hiroyuki Yokoyama, Chen-Mou Cheng, and Kouichi Sakurai. 2022. "A Survey on Group Signatures and Ring Signatures: Traceability vs. Anonymity" *Cryptography* 6, no. 1: 3.
https://doi.org/10.3390/cryptography6010003