
Academic year: 2021


New Convertible Ring Signatures Based on RSA

Kaibin Huang* and Raylin Tso**

Department of Computer Science, National Chengchi University, Taipei 11605, Taiwan
* [email protected] ** [email protected]

Abstract

Convertible ring signatures with gradual revelation of non-signers (GR-CRS) were first introduced by Tso in 2010. With this scheme, a genuine signer can convert a ring signature into a traditional single-signer digital signature. In addition, a genuine signer is able to reveal some of the non-signers while still preserving unconditional signer anonymity. The GR-CRS scheme is very useful in many applications when some members in the ring signature are not trusted by some verifiers. However, we notice that Tso’s scheme is based on the discrete logarithm assumption, and therefore cannot work with schemes based on RSA. As we know, RSA is by far the most widely used public key cryptosystem, so it is natural to consider whether we could produce a GR-CRS scheme based on RSA. In this study, we address this problem by proposing a new GR-CRS scheme based on RSA. The security of the new scheme is rigorously proved using the random oracle model based on the hardness of the RSA assumption and the intractability of inverting cryptographic one-way hash functions.

Keywords: convertible ring signature, provable security, random oracle, RSA, reveal non-signers

1 Introduction

A digital signature [7] is a mechanism for demonstrating the authenticity of a digital message or document. A valid digital signature allows a recipient to be confident that a message was not altered in transit and that it was created by the known signer. There are many useful applications and implementations based on digital signatures, such as [8] and [17]. However, the identity of the signer on the signature causes problems in some specific conditions; for example, the signature on a guilty judgment may put the judge at risk. In this case, we need a mechanism like group-oriented signatures [5][13], which can prevent the disclosure of a signer’s identity.

Group-oriented signatures were introduced to provide signer anonymity in real applications. In these schemes, a signer can arbitrarily choose several members to form a group (also known as a ring) and generate a group or ring signature without the assistance of other members. After verifying the resultant signature, any verifier will be convinced that a message was generated and signed by a member of the group, but cannot identify the genuine signer. Thus, the signer’s anonymity can be protected. This kind of signature scheme is very useful when applied to leaking a secret.

From a formal perspective, group-oriented signatures belong to two major types: group signatures [4][6][12] and ring signatures [2][5][9][11][13]. The major difference is that in group signatures there is a trusted group manager who can convert the group signature into a conventional signature when necessary, whereas in ring signatures there is no recall mechanism for disclosing the signer’s identity. The current study is focused on the design of ring signatures. Ring signature schemes have been proved useful in secure communications [16] and group-oriented communication systems [15].

Related work: The concept of the ring signature was first formalized by Rivest et al. [13] in 2001. The original scheme is not convertible; thus the signer’s anonymity is maintained. Lee et al. [11] proposed the first convertible ring signature scheme in 2005, where a genuine signer could convert the ring signature into a conventional signature if it was necessary to verify the original signer of a signature. In 2006, Gao et al. [9] noted that Lee et al.’s scheme only provided an informal security analysis rather than a rigorous security proof. In addition, the security model for the convertibility of ring signatures was also informal. Gao et al. [9] formalized the security model for the convertibility of ring signatures and also proposed a new ring signature scheme known as a controllable ring signature. Compared with the original ring signature, the controllable ring signature provides new properties such as anonymous identification, linkability and convertibility. However, this new method does not support the gradual revelation of non-signers. A ring signature with gradual revelation of non-signers would allow a genuine signer to gradually reveal the identity of non-signers before converting a ring signature into a conventional signature. In other words, if there are $n$ members in a ring signature with only one genuine signer (i.e., the other $n - 1$ members of the ring are signers), revealing the identity of one non-signer would mean that the ring signature becomes an $(n - 1)$-participant ring signature. The ring signature is converted into a conventional signature after the $n - 1$ identities of non-signers are all revoked; thus, anyone can know the identity of the genuine signer.

Motivation: The property of gradual revelation of non-signers would be useful when some non-signers of the ring signature are not trusted by some verifiers. Ring signatures are typically used in applications of anonymously leaking secrets, so the leaked secret may also not be trusted by some verifiers if someone in the signing group is not trusted. In other words, even if the signature has passed the verification process, the signature may be rejected by some verifiers if some members of the group are not trusted. Rivest et al. [13] first noted this problem and provided a solution in their modified ring signature scheme. However, signer anonymity is only guaranteed computationally in their modified scheme. Tso [14] noted this problem and proposed a convertible ring signature with gradual revelation of non-signers (GR-CRS). Similar to Rivest et al.’s scheme, Tso’s scheme also allows the gradual revelation of non-signers and conversion of the ring signature into a conventional signature when all the non-signers are revoked. But, unlike Rivest et al.’s scheme, signer anonymity is still preserved unconditionally in Tso’s scheme. Thus, attackers cannot find the genuine signer of a ring signature, even if they have unlimited computational power. However, we noted that Tso’s scheme is based on the discrete logarithm assumption, which means that RSA users with RSA public keys cannot gradually reveal non-signers while preserving unconditional signer anonymity. RSA is by far the most widely used public key cryptosystem, so it is natural to consider whether we could produce a GR-CRS scheme in the RSA setting.

Our contribution: In this paper, we draw on Tso’s scheme [14] and Abe et al.’s ring signature [1], and propose a new GR-CRS scheme. An important feature is that our new scheme is based on RSA. As mentioned above, RSA is by far the most widely used public key cryptosystem; therefore it is important that the properties of GR-CRS provide additional functions for RSA users. In addition, our scheme is a modification of Abe et al.’s scheme, and therefore also inherits the advantages of Abe et al.’s scheme. Thus, our scheme allows the separability of public keys. This property means users can employ key pairs that may be generated by different key generation centers (KGCs) within a single ring signature, and the domains of the keys need not be identical. The security of the new scheme is rigorously demonstrated using a random oracle model based on the hardness of the RSA assumption and the intractability of inverting cryptographic one-way hash functions.

Paper organization: The rest of this paper is organized as follows. Preliminaries are introduced in section 2. The GR-CRS framework and security requirements are specified in section 3. In section 4, we propose a new RSA-based convertible ring signature with gradual revelation of non-signers. The system accuracy and its security proof are described in section 5. Finally, we summarize the findings of our study and provide some comparisons with other related works in section 6.

2 Preliminaries

In this section, we review some preliminaries which are required in our scheme.

2.1 RSA

The RSA signature scheme [7] consists of three algorithms: Key generation, Sign and Verify.

• Key generation:

1. Choose two different large primes $p$ and $q$, and compute $N = pq$.
2. Compute $\varphi(N) = \gcd(p-1)(q-1)$, where $\varphi$ means the Euler function.
3. Select an integer $e < \varphi(N)$ with $\gcd(e, \varphi(N)) = 1$.
4. Compute $d$, where $d \times e \equiv 1 \bmod \varphi(N)$.

$(N, e, H)$ is published as the public key; $d$ is the secret key, which is kept secret. $H : \{0, 1\}^* \to \mathbb{Z}_N$ denotes a one-way hash function.

• Sign: to sign a message $m$, a signer with secret key $d$ computes $s$ as follows: $s \equiv H(m)^d \bmod N$

• Verify: anyone accepts the signature $s$ on the message $m$ if and only if $H(m) \equiv s^e \bmod N$

2.2 Strong RSA Assumption

Following the definition in [3], for all probabilistic polynomial time algorithms $A$, some $c > 0$, and a sufficiently large number $k$,

$\Pr[\,y^e \equiv x \bmod n;\ e \in \text{prime};\ e < n;\ n \in_R \mathrm{RSAmod}\ k;\ x \in_R \mathbb{Z}_n \mapsto (y, e) \leftarrow A(n, x)\,] \le k^{-c}$

Thus the adversary $A$ is given $n$ and $x$ as in the usual RSA assumption, but he may choose the exponent $e$ for which he extracts the root. We are neither aware of any corroboration that it should be hard, nor can we break it. Four obvious attacks do not work, i.e., they are equivalent to breaking some other problem believed to be hard.

2.3 Discrete Logarithm Problem (DL problem)

The discrete logarithm problem is regarded as difficult in general. Let $p$ and $q$ be two large prime numbers with $q \mid (p - 1)$, $g \in \mathbb{Z}_p^*$, $\mathrm{order}(g) = q$; let $G$ be a subgroup of $\mathbb{Z}_p^*$, and let $h$ be randomly selected in $G$.

DL problem: given $g, h \in G$ and $p$, find $x \in \mathbb{Z}_q$ such that $g^x \equiv h \bmod p$.

2.4 Abe et al.’s Ring Signature Scheme (in all RSA case)

Abe’s scheme [1] is used as a building block to construct a new ring signature in our scheme. In this section, we briefly introduce Abe’s scheme as a preliminary. For $i = 1$ to $n$, let $L = \{(e_1, N_1), \ldots, (e_n, N_n)\}$ be RSA public keys and $H_i : \{0, 1\}^* \to \mathbb{Z}_{N_i}$ be hash functions. A signer who has the private key $d_k$ generates a signature for message $m$ as follows:

• Signature generation:

1. Initialization: select $r_k \in_R \mathbb{Z}_{N_k}$ and compute $c_{k+1} = H_{k+1}(L, m, r_k)$.
2. Forward sequence: for $i = k + 1, \ldots, n, 1, \ldots, k - 1$, select $s_i \in_R \mathbb{Z}_{N_i}$, and compute $c_{i+1} = H_{i+1}(L, m, c_i + s_i^{e_i} \bmod N_i)$.
3. Shaping into a ring: compute $s_k = (r_k - c_k)^{d_k} \bmod N_k$.

The resulting signature for $m$ and $L$ is $\sigma = \{c_1, s_1, \ldots, s_n\}$.

• Signature verification: for $i = 1, \ldots, n$,

$r_i = c_i + s_i^{e_i} \bmod N_i$; if $i \ne n$, $c_{i+1} = H_{i+1}(L, m, r_i)$

3 Model and security requirements of GR-CRS

In this section, we first define the model of GR-CRS [14]. Before that, let $U_i$ be all members of a ring signature, $1 \le i \le n$; $U_j$ denotes all non-signers, $1 \le j \le n$, $j \ne k$; and $U_k$ denotes the genuine signer.

3.1 Model of GR-CRS

Following the definitions in [14], the GR-CRS scheme includes SetUp, RSigGen, RSigVerify, Reveal, RevealVer, Convert and CSVerify, which are defined as follows:

• $(pk_i, sk_i) \leftarrow$ SetUp$(1^{\lambda_i})$: SetUp is a polynomial time algorithm that takes a security parameter $\lambda_i$ as input and outputs the public/private key pair of a user. Let $L = \{pk_1, \ldots, pk_n\}$ stand for the set of all public keys.

• $(\sigma, z'_1, \ldots, z'_{k-1}, z'_{k+1}, \ldots, z'_n) \leftarrow$ RSigGen$(m, L, sk_k)$: RSigGen is a polynomial time algorithm that takes a message $m$, the public key set $L$ and the secret key $sk_k$ of signer $U_k$ as inputs, then outputs a signature $\sigma$ on message $m$ and a set of secret messages $(z'_1, \ldots, z'_{k-1}, z'_{k+1}, \ldots, z'_n)$.

• $1/0 \leftarrow$ RSigVerify$(m, L, \sigma)$: RSigVerify is a polynomial time algorithm that takes a message $m$, the public key set $L$ and a GR-CRS signature $\sigma$ as inputs, then outputs 1 for accepting the signature, or 0 for rejecting.

• $z'_j \leftarrow$ Reveal$(U_j)$: Reveal is a polynomial time algorithm that takes a member $U_j$ as input, and then outputs his or her secret message $z'_j$ for revealing.

• $1/0 \leftarrow$ RevealVer$(z'_j)$: RevealVer is a polynomial time algorithm that takes a secret message $z'_j$ as input, then outputs 1 if $U_j$ is not the genuine signer; otherwise, it returns 0, which means nothing.

• Convert: After the genuine signer $U_k$ outputs a GR-CRS signature $\sigma$ and reveals $n - 1$ non-signers by publishing secrets $(z'_{k+1}, \ldots, z'_n, z'_1, \ldots, z'_{k-1})$, the GR-CRS signature $\sigma$ is converted into a traditional single-signer digital signature.

• $1/0 \leftarrow$ CSVerify$(m, L, \sigma')$: CSVerify is a polynomial time algorithm that takes message $m$, the public key set $L$, a signature $\sigma$ and $n - 1$ verified secret messages $(z'_1, \ldots, z'_{k-1}, z'_{k+1}, \ldots, z'_n)$, then outputs 1 when the signature is accepted; otherwise, it returns 0, which is regarded as rejected.

3.2 Security requirements of GR-CRS

The security of GR-CRS comes from four aspects: signer ambiguity, unforgeability of the ring signature, un-revealability of non-signers, and unforgeability of the converted signature.

• Signer ambiguity: assume that there are $n$ members $U_1, \ldots, U_n$ in the GR-CRS scheme. The probability of guessing the genuine signer $U_k$ should be $1/n$. Furthermore, after revealing several members $U_{\text{revealed}} \subseteq U_j$, signer ambiguity remains: the probability of guessing the genuine signer $U_k$ should be $1/(n - |U_{\text{revealed}}|)$.

• Unforgeability of the ring signature: let $SO(L, m)$ be a signing oracle that takes public key set $L$ and message $m$ as inputs, then outputs a valid signature $\sigma$ that can be verified by RSigVerify$(m, L, \sigma)$. Assume that an attacker $A$ may use the signing oracle $\sigma \leftarrow A^{SO}(m, L)$ to get several valid GR-CRS signatures $\bar{\sigma} = \{(\sigma_1, m_1, L), (\sigma_2, m_2, L), \ldots, (\sigma_x, m_x, L)\}$, which pass the RSigVerify verification. We say that a GR-CRS signature is unforgeable against adaptive chosen message attacks if $A$ is not able to generate a new signature $\sigma' \notin \bar{\sigma}$ related to $(m', L)$ even when the above assumption holds.

• Un-revealability of non-signers: to reveal non-signers, the genuine signer has to publish $z'_j$ corresponding to user $U_j$ which passes the RevealVer verification. Un-revealability against non-signers implies that only the genuine signer is able to reveal non-signers by publishing the secret messages $z'_j$ in the GR-CRS scheme. Only the genuine signer owns the secret information $z'_j$, and it should be difficult for the non-signers to compute.

• Unforgeability of the converted signature: assume that there is a signing oracle $SO(L, m)$ which takes public key set $L$ and message $m$ as inputs, then outputs a converted signature $\sigma$ that can be verified by CSigVerify$(m, L, \sigma)$. With the aid of $SO$, any adversary $A$ can request some converted signatures $\bar{\sigma} = \{(\sigma_1, m_1, L), (\sigma_2, m_2, L), \ldots, (\sigma_x, m_x, L)\}$. We say that a converted GR-CRS signature is unforgeable against adaptive chosen message attacks if $A$ is not able to generate a new converted signature $\sigma' \notin \bar{\sigma}$ related to $(m', L)$ even when the above assumption holds.

4 New GR-CRS Scheme Based on RSA

In this section, we propose our new RSA-based convertible ring signature scheme with the gradual revelation of non-signers. Similar to Tso’s scheme [14], our scheme provides unconditional signer anonymity. If necessary, a genuine signer can also reveal non-signers one by one. The new scheme adopts RSA as its core algorithm, which is different from Tso’s scheme.

• SetUp: each member $U_i$ in the ring signature owns an RSA-based public key $pk_i = (N_i, e_i, H_i)$ and its corresponding secret key $sk_i = d_i$. $N_i = p_i q_i$, where $p_i$ and $q_i$ are two large prime numbers of the same bit length. $\lambda_i = \varphi(N_i) = \gcd(p_i - 1, q_i - 1)$; $\forall n_i \in N_i : n_i^{\lambda_i} \equiv 1 \bmod N_i$. $H_i : \{0, 1\}^* \to \mathbb{Z}_{N_i}^*$ denotes one-way hash functions related to user $U_i$. $L = \{pk_1, \ldots, pk_n\}$ stands for the public key set.

• RSigGen: the signer $U_k$ generates a convertible ring signature as follows:

1. Generate a set of public parameters $(p, q, g, H_p, H_q)$, where $p$ and $q$ are two large primes such that $q \mid (p - 1)$; $g$ is a generator of group $\mathbb{Z}_p^*$, whose order is $q$. $H_p : \{0, 1\}^* \to \mathbb{Z}_p^*$ and $H_q : \{0, 1\}^* \to \mathbb{Z}_q^*$ are secure one-way hash functions.

2. For each non-signer $U_j$, $1 \le j \le n$, $j \ne k$, $U_k$ generates random numbers $z'_j \in_R \mathbb{Z}_p^*$, $x_j \in_R \mathbb{Z}_{N_j}^*$, $y_j \in_R \mathbb{Z}$

3. Pick $\alpha \in_R \mathbb{Z}_{N_k}^*$, $\beta \in_R \mathbb{Z}_q$ and $\gamma \in_R \mathbb{Z}_q^*$, then compute

$z_k \equiv g^{\beta} - H_p(e_k) \bmod p$, and $c_{k+1} = H_{k+1}(L, m, \alpha, g^{\gamma})$

4. Forward sequence: for $j = k + 1, \ldots, n, 1, \ldots, k - 1$

$a_j \leftarrow c_j + x_j^{e_j} \bmod N_j$

$b_j \leftarrow g^{y_j}(z_j + H_p(e_j))^{H_q(c_j)} \bmod p$

$c_{j+1} \leftarrow H_{j+1}(L, m, a_j, b_j)$

Closing the ring signature:

$x_k \equiv (\alpha - c_k)^{d_k} \bmod N_k$, and $y_k \equiv \gamma - \beta H_q(c_k) \bmod q$

5. The signer $U_k$ publishes the signature $\sigma = (c_1, (x_1, y_1, z_1), \ldots, (x_n, y_n, z_n))$ corresponding to the message $m$ and keeps $(z'_1, \ldots, z'_{k-1}, z'_{k+1}, \ldots, z'_n)$ secret for revealing purposes.

• RSigVerify: anyone can verify the correctness of the signature $\sigma$. For $i = 1$ to $n$, compute

$a_i \equiv c_i + x_i^{e_i} \bmod N_i$

$b_i \equiv g^{y_i}(z_i + H_p(e_i))^{H_q(c_i)} \bmod p$

$c_{i+1} = H_{i+1}(L, m, a_i, b_i)$

After a round of verification, the ring signature $\sigma$ is accepted if $c_1 = c_{n+1}$.

• Reveal: to revoke $U_j$, the signer $U_k$ reveals $z'_j$.

• RevealVer: anyone can verify the validity by checking $z_j \stackrel{?}{=} H_p(z'_j)$. If the equation holds, then user $U_j$ will be revoked.

• Convert: after gradually revealing $n - 1$ non-signers in the ring signature, the ring signature $\sigma$ is converted to a single-signer digital signature.

• CSVerify: this step first verifies RSigVer, and then verifies, for $i = 1$ to $n$, $i \ne k$, $1 \leftarrow$ RevealVer$(z'_j)$. If they are all achieved, then the ring signature $\sigma$ passes the CSVerify.

Remark: the main difference between the genuine signer and the non-signers is determined by $z_i$:

For the non-signers $U_j$: $z_j = H_p(z'_j)$

For the genuine signer $U_k$: $z_k \equiv g^{\beta} - H_p(e_k) \bmod p$

By the one-wayness of the hash function $H_p$, one is convinced that $U_j$ is a non-signer when someone reveals a hash seed $z'_j$ that satisfies $z_j = H_p(z'_j)$.
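
The following Python sketch is an added example, not code from the paper: it runs RSigGen, RSigVerify, RevealVer and CSVerify as specified in this section on constructed toy parameters (Mersenne primes, insecure). Assumptions made here: 0-based member indices with $H_{n+1}$ read as $H_1$, SHA-256 standing in for $H_i$, $H_p$ and $H_q$, $y_j$ drawn from $\mathbb{Z}_q$ (step 2 is cut off on the page), and all function names.

```python
import hashlib
import secrets

# Constructed toy parameters: Mersenne primes, far too small and structured for real use.
M = {k: 2**k - 1 for k in (61, 89, 107, 127)}
E = 65537
P, Q = M[61], 1321          # Q is a prime factor of P - 1
# g of order Q: raise small bases to (P-1)/Q until the result is not 1.
G = next(g for g in (pow(h, (P - 1) // Q, P) for h in range(2, 50)) if g != 1)

def keygen(p, q):
    """Toy RSA key from two primes: returns ((N, e), d)."""
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))

def _h(tag, *parts):
    data = repr((tag,) + parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H(i, L, m, a, b):       # H_i : {0,1}* -> Z_{N_i}
    return _h("H", i, L, m, a, b) % L[i][0]

def Hp(v):                  # H_p : {0,1}* -> Z_p^*
    return 1 + _h("Hp", v) % (P - 1)

def Hq(v):                  # H_q : {0,1}* -> Z_q^*
    return 1 + _h("Hq", v) % (Q - 1)

def _b(y, z, e, c):         # b = g^y * (z + H_p(e))^{H_q(c)} mod p
    return pow(G, y, P) * pow((z + Hp(e)) % P, Hq(c), P) % P

def rsig_gen(m, L, k, d_k):
    """Signer k (0-based) signs m for ring L; returns (signature, reveal seeds z'_j)."""
    n = len(L)
    x, y, z, c, seeds = [0] * n, [0] * n, [0] * n, [0] * n, {}
    for j in (j for j in range(n) if j != k):          # step 2: non-signers
        seeds[j] = 1 + secrets.randbelow(P - 1)
        z[j] = Hp(seeds[j])                            # z_j = H_p(z'_j), per the Remark
        x[j] = 1 + secrets.randbelow(L[j][0] - 1)
        y[j] = secrets.randbelow(Q)                    # assumption: y_j drawn from Z_q
    N_k, e_k = L[k]
    alpha, beta, gamma = (secrets.randbelow(N_k), secrets.randbelow(Q),
                          1 + secrets.randbelow(Q - 1))
    z[k] = (pow(G, beta, P) - Hp(e_k)) % P             # step 3
    c[(k + 1) % n] = H((k + 1) % n, L, m, alpha, pow(G, gamma, P))
    for j in ((k + s) % n for s in range(1, n)):       # step 4: forward sequence
        N_j, e_j = L[j]
        a = (c[j] + pow(x[j], e_j, N_j)) % N_j
        c[(j + 1) % n] = H((j + 1) % n, L, m, a, _b(y[j], z[j], e_j, c[j]))
    x[k] = pow((alpha - c[k]) % N_k, d_k, N_k)         # closing the ring
    y[k] = (gamma - beta * Hq(c[k])) % Q
    return (c[0], list(zip(x, y, z))), seeds

def rsig_verify(m, L, sig):
    """Walk the ring once from c_1 and accept if it closes (c_{n+1} == c_1)."""
    c1, triples = sig
    if len(triples) != len(L):
        return False
    c = c1
    for i, ((N_i, e_i), (x, y, z)) in enumerate(zip(L, triples)):
        a = (c + pow(x, e_i, N_i)) % N_i
        c = H((i + 1) % len(L), L, m, a, _b(y, z, e_i, c))
    return c == c1

def reveal_ver(sig, j, seed):
    """RevealVer: member j is shown to be a non-signer if z_j == H_p(z'_j)."""
    return 0 <= j < len(sig[1]) and sig[1][j][2] == Hp(seed)

def cs_verify(m, L, sig, revealed):
    """CSVerify: valid ring plus n-1 valid reveals; returns the signer index or None."""
    if not rsig_verify(m, L, sig) or len(revealed) != len(L) - 1:
        return None
    if not all(reveal_ver(sig, j, s) for j, s in revealed.items()):
        return None
    return (set(range(len(L))) - set(revealed)).pop()

def demo():
    keys = [keygen(M[61], M[89]), keygen(M[89], M[107]), keygen(M[107], M[127])]
    L = tuple(pk for pk, _ in keys)
    msg = "constructed message"
    sig, seeds = rsig_gen(msg, L, 1, keys[1][1])
    one_revealed = {0: seeds[0]}        # gradual revelation: candidates shrink to {1, 2}
    return (rsig_verify(msg, L, sig), cs_verify(msg, L, sig, one_revealed),
            cs_verify(msg, L, sig, seeds))

if __name__ == "__main__":
    print(demo())
```

Revealing a single seed leaves `cs_verify` returning `None` because two candidates remain; only after all $n - 1$ seeds check out does the signature pin down one signer.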

5 Security proof

In this section, we first demonstrate the accuracy of the new scheme, and then infer its security, which includes signer ambiguity, unforgeability of ring signatures, un-revealability of non-signers, and unforgeability of converted signatures.

5.1 Accuracy

In step 3 of RSigGen: $c_{k+1} \leftarrow H_{k+1}(L, m, \alpha, g^{\gamma})$

In the RSigVer phase, when $i = k$: $c_{k+1} \leftarrow H_{k+1}(L, m, a_k, b_k)$

Therefore, if $a_k = \alpha$ and $b_k = g^{\gamma}$, the correctness of the scheme is sound. We give an inference below:

$a_k \equiv c_k + s_k^{e_k} \equiv c_k + ((\alpha - c_k)^{d_k})^{e_k} \equiv c_k + \alpha - c_k \equiv \alpha \bmod N_k$

$b_k \equiv g^{y_k}(z_k + H_p(e_k))^{c_k} \equiv g^{y_k}(g^{\beta} - H_p(e_k) + H_p(e_k))^{c_k} \equiv g^{y_k} \cdot (g^{\beta})^{c_k} \equiv g^{\gamma - \beta c_k} \cdot g^{\beta c_k} \equiv g^{\gamma} \bmod p$

5.2 Signer ambiguity

In our scheme, there are $n$ ring members $U_1, \ldots, U_n$. Thus, the probability of guessing the genuine signer $U_k$ in the ring is $1/n$. After revealing several members $U_{\text{revealed}} \subseteq U_j$, the scheme still achieves signer ambiguity and the probability of guessing the genuine signer $U_k$ in the ring is $1/(n - |U_{\text{revealed}}|)$.

Taking advantage of the proofs in [1] and [14], we can easily prove that the signature $\sigma = (c_1, (x_1, y_1, z_1), \ldots, (x_n, y_n, z_n))$ is unconditionally signer ambiguous. Therefore, we simply prove that the revealing phase does not reveal any information about the genuine signer, even to unconditionally powerful attackers.

Assume $A$ is a powerful attacker who can overcome the DL problem and the one-wayness of any one-way hash function. For any given $z_i$, $g$, $p$ and $e_i$, $A$ can find a random number $\beta$ such that $z_i \equiv g^{\beta} - H_p(e_i) \bmod p$. However, $A$ can also find another random number $z'_i$ such that $z_i = H_p(z'_i)$. Paradoxically, $\beta$ indicates that $U_i$ is a genuine signer, whereas $z'_i$ indicates that $U_i$ is a non-signer. Consequently, even an unconditionally powerful attacker cannot distinguish a genuine signer from the non-signers.

5.3 Unforgeability of ring signature

Our scheme ensures the unforgeability of the ring signature against an EF-ACMA attacker [10]. Here we reduce the security of our scheme to the security of Abe et al.’s 1-out-of-n signature scheme [1]. If there is a powerful adversary $A$ who can forge a valid signature $\sigma$ that passes the RSigVer algorithm, then a simulator SIM can take $A$ as a building block to forge a signature corresponding to Abe et al.’s ring signature scheme [1] as follows:

1. Let $\{(N_1, e_1, H_{Abe_1}), \ldots, (N_n, e_n, H_{Abe_n})\}$ be all RSA-based public keys of Abe et al.’s scheme which are generated by SIM. Each public key $(N_i, e_i, H_{Abe_i})$ corresponds to a user $U_i$, $1 \le i \le n$. After generation, SIM publishes $L = \{(N_1, e_1), \ldots, (N_n, e_n)\}$ to $A$, and treats the hash functions $H_i : \{0, 1\}^* \to \mathbb{Z}_{N_i}$, $1 \le i \le n$, as random oracles that are controlled by SIM. Let $L' \subseteq L$ be a subgroup of $L$; SIM also simulates a signing oracle that outputs a valid signature for the proposed scheme with the input $(L', m)$ from any signing query made by the attacker $A$. To make a correct response, SIM will query the corresponding hash oracles and the signing oracle of Abe et al.’s scheme.

2. SIM generates a set of public parameters $(p, q, g)$ following the SetUp algorithm, and publishes them to $A$. The hash functions $H_p$ and $H_q$ are treated as random oracles which are controlled by SIM.

3. When $A$ requests a hash query $H_i(L, m, a_i, b_i)$ from SIM, SIM first queries $H_{Abe_i}(L, m, a_i)$ to the hash oracle of Abe et al.’s scheme, and then returns $H_i(L, m, a_i, b_i) \leftarrow H_{Abe_i}(L, m, a_i)$ to $A$. Let $L' \subseteq L$; when $A$ queries the signing oracle with $(L', m)$, SIM forwards the query to Abe’s signing oracle, and gets a signature $\sigma_{Abe} = (c_1, s_1, \ldots, s_n)$. Next, SIM generates random numbers $y = (y_1, \ldots, y_n)$, $z = (z_1, \ldots, z_n)$. Finally, SIM combines $\sigma_{Abe}$, $y$ and $z$, and returns $\sigma = (c_1, (s_1, y_1, z_1), \ldots, (x_n, y_n, z_n)) \leftarrow SO(L', m)$ to $A$ as the signature.

4. If $A$ finally generates a forged signature $\sigma' = (c'_1, (x'_1, y'_1, z'_1), \ldots, (x'_n, y'_n, z'_n))$ which passes the signature verification process RSigVer, then SIM can forge a valid signature $\sigma_{Abe} = (c_{Abe_1}, x_{Abe_1}, \ldots, x_{Abe_n})$ that will pass the verification process of Abe et al.’s signature scheme.

Abe et al. have proved that their scheme is secure against EF-ACMA attackers in a random oracle model, based on the hardness of a strong RSA assumption. Based on the same hardness assumption, our scheme is also secure against EF-ACMA attackers.

5.4 Un-revealability of non-signers

To reveal non-signers, signer $U_k$ outputs $z'_j$ that satisfies $1 \leftarrow$ RevealVer$(z'_j)$ to reveal $U_j$. In our scheme, RevealVer is implemented using the formula $z_j = H_p(z'_j)$, where $H_p$ denotes a one-way hash function. The secret values $z'_j$ are held only by the genuine signer, and it is computationally difficult to compute $z'_j$ from $z_j$ because of the one-wayness of the hash function $H_p$. Thus, the un-revealability of non-signers depends on the computational difficulty of inverting one-way hash functions.

5.5 Unforgeability of converted ring signature

We have already proved the unforgeability of the original ring signature. Furthermore, we have also proved that the proposed scheme provides un-revealability against non-signers. Taken together, these two proofs demonstrate the unforgeability of the converted ring signature.

6 Conclusion

In this paper, we follow Tso’s idea in [14] and take Abe’s ring signature [1] as a building block to propose a new GR-CRS scheme. One important feature is that our new scheme is based on RSA, which is by far the most widely used public key cryptosystem. Our new scheme adds new functionality for RSA users. The security of the new scheme is proved in the random oracle model based on the hardness of the RSA assumption and the intractability of inverting cryptographic one-way hash functions. The performance comparison and feature comparison with other schemes are provided in the following tables. How to improve its performance, including the computation cost and communication cost, may be considered as future work.

Table 1: Performance comparison

| Scheme | Sign | RSigVerify | Signature length (bits) |
|---|---|---|---|
| Abe et al. [1] | $(n + 1)$ Exp | $n$ Exp | $(n + 1)\lvert N\rvert$ |
| Our scheme | $3n$ Exp | $3n$ Exp | $(n + 1)\lvert N\rvert + n\lvert p\rvert + n\lvert q\rvert$ |

Table 2: Feature comparison

| Scheme | Convertible | Reveal non-signers | Unconditional anonymous |
|---|---|---|---|
| Abe et al. [1] | No | No | No |
| Controllable [9] | Yes | No | Yes |
| Convertible [11] | Yes | No | Yes |
| Our scheme | Yes | Yes | Yes |

References

[1] Masayuki Abe, Miyako Ohkubo, and Koutarou Suzuki. 1-out-of-n signatures from a variety of keys. In ASIACRYPT, pages 415–432, 2002.

[2] Amit K. Awasthi and Sunder Lal. Id-based ring signature and proxy ring signature schemes from bilinear pairings. IACR Cryptology ePrint Archive, 2004:184, 2004.

[3] Niko Barić and Birgit Pfitzmann. Collision-free accumulators and fail-stop signature schemes without trees. In EUROCRYPT, pages 480–494, 1997.

[4] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT, pages 614–629, 2003.

[5] Emmanuel Bresson, Jacques Stern, and Michael Szydlo. Threshold ring signatures and applications to ad-hoc groups. In CRYPTO, pages 465–480, 2002.

[6] Elodie Briefer, Thierry Aubin, Katia Lehongre, and Fanny Rybak. How to identify dear enemies: the group signature in the complex song of the skylark alauda arvensis. Journal of Experimental Biology, 211(3):317–326, 2008.

[7] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.

[8] Dengguo Feng, Jing Xu, and Wei-Dong Chen. Generic constructions for strong designated verifier signature. JIPS, 7(1):159–172, 2011.

[9] Wei Gao, Guilin Wang, Xueli Wang, and Dongqing Xie. Controllable ring signatures. In WISA, pages 1–14, 2006.

[10] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput., 17(2):281–308, 1988.

[11] Kuo-Chang Lee, Hsiang-An Wen, and Tzonelih Hwang. Convertible ring signature. In Communications, IEE Proceedings-, volume 152, pages 411–414. IET, 2005.

[12] Joseph K. Liu, Victor K. Wei, and Duncan S. Wong. Linkable spontaneous anonymous group signature for ad hoc groups (extended abstract). In ACISP, pages 325–335, 2004.

[13] Ronald L. Rivest, Adi Shamir, and Yael Tauman. How to leak a secret. In ASIACRYPT, pages 552–565, 2001.

[14] Raylin Tso. Convertible ring signatures with gradual revelation of non-signers. Security and Communication Networks, 5(3):279–286, 2012.

[15] Shiuh-Jeng Wang, Yuh-Ren Tsai, Chien-Chih Shen, and Pin-You Chen. Hierarchical key derivation scheme for group-oriented communication systems. IJITCC, 1(1):66–76, 2010.

[16] Bin Xie, Anup Kumar, David Zhao, Ranga Reddy, and Bing He. On secure communication in integrated heterogeneous wireless networks. IJITCC, 1(1):4–23, 2010.

[17] Mengsong Zou, Lansheng Han, Ming Liu, and Qiwen Liu. Virus detection method based on behavior resource tree. JIPS, 7(1):173–186, 2011.
