Score:1

Looking for a (partly) anonymous signature

cn flag
jjj

I am looking a way to sign a document, so that everyone could verify that one person out of a group did, but only a special person and/or the group could know who signed it.

Let's say, X chooses a group G of people (it can be assumed that everyone has some kind of known public key). Then a member Y of G should be able to sign a document such that everyone can verify that it was signed by someone in G (like a ring signature, for example), but members of G should know who did.

Additionally, I am interested in a similar technique, where not the members of G know who signed the document, but only X knows.

I thought of attaching an encrypted normal signatrue and ring-sign the entrire thing, but that way a member of G could attach random data and it would look ok for everyone outside.

This does not have to be achievd using ring signatures, as long as it is non intercative.

Thanks for help.

fgrieu avatar
ng flag
If the signature is generated by a trusted device such as a Smart Card, that's easy to arrange. Would that be OK?
jjj avatar
cn flag
jjj
@fgrieu How would one do it with a trusted device? This should be open to everyone without much afford, so smart cards are far from ideal
user77340 avatar
ie flag
should this signature be ad hoc? To achieve your goal, I think those group of people should generate a set of new signing keys. Otherwise, I think it is not easy to allow the members of the group to know who signs it while those outside the group don't.
jjj avatar
cn flag
jjj
@user77340 initial setup per group should only be done by X, so members don't have to do anything to be added. Maybe key generation can be done by X for every member (like in cryptonote).
fgrieu avatar
ng flag
A simple realization with trusted devices like Smart Cards uses an ordinary signature scheme with the same private key in each card, and a secret $K_i$ known only to the smart card in each card. To sign $M$, the smart card computes a hash $H$ of $M$, draws a random $R$, computes $S=\operatorname{HMAC}_{K_i}(R\mathbin\|M)$, and outputs $(R,S,\operatorname{Sign}(H(M)\mathbin\|R\mathbin\|S))$. Anyone can verify this signature with the public key. The Smart Card, and only it, can verify that $S$ matches $R,M$ by recomputing it. It's not possible to reuse $S$ with a different message.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.