# PDF Archive

Easily share your PDF documents with your contacts, on the Web and Social Networks.

## Reduced Multilayer Linkable Spontaneous Anonymous Group Signatures v4.1 .pdf

Original filename: Reduced Multilayer Linkable Spontaneous Anonymous Group Signatures v4.1.pdf

### Document preview

Reduced  Multilayer  Linkable  Spontaneous  Anonymous  Group
Signatures  v4.1  (RMLSAG  v4.1)
Based  on  Noether  in  Ring  Confidential  Transactions  (2015).  This  is  an  alternative
generalization  of  Back’s  ring  signature  scheme  (bLSAG)  which  changes  multi-­‐input
signature  size  from  m(n+1)+1  in  MLSAG  to  m2+n+1,  a  change  of  [(m-­‐1)(n-­‐m)]  *  32
bytes  per  ring  signature  of  mixin  level  n-­‐1  and  m  inputs.  Size  is  reduced  when  n  &gt;  m.
Does  not  solve  index  problem  (attackers  know  all  real  inputs  share  the  same  index).
Produces  (m2  -­‐  m)  extra  key  images  that  do  not  need  to  be  checked  against  the
database.
Ring  R  containing  public  keys  {𝐾!,! }  for  i  ∈  {1,  2,  ...,  n}  and  j  ∈  {1,  2,  ...,  m}  for  which
we  know  the  private  keys  {𝑘!,! }  corresponding  to  the  subset  {𝐾!,! }  for  some  secret
index  π.  Hash  function  𝐻! 𝑥    returns  some  integer  in  {1,  2,  …,  l}  where  l  is  the
(prime)  order  of  generator  G’s  subgroup  in  elliptic  curve  EC.  Hash  function  𝐻! 𝑥
returns  a  point  in  that  subgroup.  Message  m  is  signed.
Signature
1. Calculate  key  images  𝐾!,! = 𝑘!,! 𝐻! 𝐾!,!  for  all  a,  u  ∈  {1,  2,  ...,  m}.
2. Generate  random  number  α  ∈R  Zl,  and  random  numbers  ri  ∈R  Zl  for  i  ∈  {1,  2,  ...,  n}
(except  i  =  π)
Define:  𝑣!  and  𝑤!  are  used  to  uniquely  anchor  each  key  image,  so  signers  are  forced
to  report  all  real  key  images  to  pass  verification
𝑣! = 𝐻! 𝐾!,! , … , 𝐾!,!
𝑤! = 𝐻! 𝐾!,! , … , 𝐾!,!

Define:  𝐿!  and  𝐹!  will  be  the  seed  terms
𝐿! = 𝛼𝐺
!

𝐹! = 𝛼

𝑤! 𝐻! 𝐾!,!

!!!

3. Compute  (seed  the  signature)
cπ+1  =  Hq(m,  𝐿! ,  𝐹! )
Define:  𝐿!  and  𝐹!  are  used  to  build  the  signature  after  it  is  seeded
!

𝐿! = 𝑟! + 𝑐!
!

𝐹! = 𝑟! [

𝑣! 𝐾!,!
!!!

!

!

𝑤! 𝐻! 𝐾!,! ]   +   𝑐! [
!!!

𝑣! 𝑤! 𝐾!,! ]
!!! !!!

4. For  i  =  π+1,  π+2,  ...,  n,  1,  2,  ...,  π−1  calculate,  replacing  n+1→1,
ci+1  =  Hn(m,  𝐿! ,  𝐹! )
5. Define  rπ  such  that
𝛼 = 𝑟! + 𝑐!

!
!!! 𝑣! 𝑘!,!  (mod  l)

The  ring  signature  contains  the  signature  σ(m)  =  (c1,  r1,  ...,  rn,  𝐾 1,1,  ...,  𝐾 1,m  ,  𝐾 2,1,
…,  𝐾 2,m  ,  …,  𝐾 m,m),  and  the  ring  R.
Verification

The  verification  of  a  signature  is  done  in  the  following  manner
1. For  i  =  1,  ...,  n  compute,  replacing  n+1→1,
c′i+1  =  Hn(m,  𝐿! ,  𝐹! )
2. If  c′1  =  c1  then  the  signature  is  valid