Looking for a (partly) anonymous signature

jjj

2/26/23, 3:29 PM

I am looking a way to sign a document, so that everyone could verify that one person out of a group did, but only a special person and/or the group could know who signed it.

Let's say, X chooses a group G of people (it can be assumed that everyone has some kind of known public key). Then a member Y of G should be able to sign a document such that everyone can verify that it was signed by someone in G (like a ring signature, for example), but members of G should know who did.

Additionally, I am interested in a similar technique, where not the members of G know who signed the document, but only X knows.

I thought of attaching an encrypted normal signatrue and ring-sign the entrire thing, but that way a member of G could attach random data and it would look ok for everyone outside.

This does not have to be achievd using ring signatures, as long as it is non intercative.

Thanks for help.

0 + 0

signature

anonymity

data-privacy

fgrieu

2/26/23, 3:57 PM

If the signature is generated by a trusted device such as a Smart Card, that's easy to arrange. Would that be OK?

jjj

2/26/23, 4:01 PM

@fgrieu How would one do it with a trusted device? This should be open to everyone without much afford, so smart cards are far from ideal

user77340

2/27/23, 2:51 AM

should this signature be ad hoc? To achieve your goal, I think those group of people should generate a set of new signing keys. Otherwise, I think it is not easy to allow the members of the group to know who signs it while those outside the group don't.

jjj

2/27/23, 10:24 AM

@user77340 initial setup per group should only be done by X, so members don't have to do anything to be added. Maybe key generation can be done by X for every member (like in cryptonote).

fgrieu

2/28/23, 2:47 PM

A simple realization with trusted devices like Smart Cards uses an ordinary signature scheme with the same private key in each card, and a secret $K_i$ known only to the smart card in each card. To sign $M$, the smart card computes a hash $H$ of $M$, draws a random $R$, computes $S=\operatorname{HMAC}_{K_i}(R\mathbin\|M)$, and outputs $(R,S,\operatorname{Sign}(H(M)\mathbin\|R\mathbin\|S))$. Anyone can verify this signature with the public key. The Smart Card, and only it, can verify that $S$ matches $R,M$ by recomputing it. It's not possible to reuse $S$ with a different message.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Looking for a (partly) anonymous signature

TH: กำลังมองหาลายเซ็นที่ไม่ระบุตัวตน (บางส่วน)

RO: Se caută o semnătură (parțial) anonimă

RU: Ищу (частично) анонимную подпись

VI: Tìm kiếm một chữ ký nặc danh (một phần)

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.