Linkable Ring Signatures, Stealth Addresses and Mixer Contracts

Towards true anonymity

Ring signatures

A ring signature is a digital signature created by one member of a group whose members each have their own keys. It is then not possible to determine which person in the group created the signature. A ring signature provides anonymity, unforgeability and collusion resistance. The method was initially created by Ron Rivest, Adi Shamir, and Yael Tauman in 2001, and in their paper they proposed the White House leak dilemma.

In a ring signature we define a group of entities who each have their own public/private key pairs: (P1, S1), (P2, S2), …, (Pn, Sn). If we want entity i to sign a message (m), they use their own secret key (si) together with the public keys of the others in the group, giving the inputs (m, si, P1…Pn). It should then be possible to check the validity of the signature by knowing the public keys of the group, but not possible to create a valid signature without knowledge of one of the private keys within the group.

So let’s say that Trent, Bob, Eve and Alice are in a group, and they each have their own public and secret keys. Bob now wants to sign a message from the group. He initially generates a random value v, and then generates random values (xi) for each of the other participants, but takes his own secret key (si) and uses it to determine a different secret key, which is the reverse of the encryption function. He now takes the message and takes a hash of it, and thus creates a key (k). This key is used with symmetric encryption to encrypt each of the elements of the ring (Ek), and each element of the ring is combined with the previous element using an EX-OR function (Figure 1).

Each of the random values for the other participants is then encrypted with the public key of the given participant. Bob then computes the value of ys in order to create the ring (the result of the ring must equal v). He then inverts this value to produce the equivalent private key (xs). Bob now releases the overall signature, and the random x values, along with the computed secret key. To check the signature, the receiver just computes the ring, and checks that the result matches the sent signature.
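The signing and checking steps described above, as an added example that is not code from this article or from the original paper. It assumes toy RSA keys built from Mersenne primes, a SHA-256 Feistel network standing in for the symmetric cipher Ek, and a 256-bit common domain; none of these are secure parameters.

```python
import hashlib, secrets
B, H = 256, 128   # common domain width and Feistel half width, in bits

def keygen(a, b, e=65537):   # constructed toy RSA key from two Mersenne primes
    p, q = 2**a - 1, 2**b - 1
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def g(key, x):   # RSA permutation extended to every B-bit value
    n, exp = key
    q, r = divmod(x, n)
    return q * n + pow(r, exp, n) if (q + 1) * n <= 1 << B else x

def F(k, i, half):   # Feistel round function built from SHA-256
    data = k + bytes([i]) + half.to_bytes(H // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:H // 8], "big")

def E(k, x, rounds=(0, 1, 2, 3)):   # stand-in for the symmetric cipher Ek
    L, R = x >> H, x % (1 << H)
    for i in rounds:
        L, R = R, L ^ F(k, i, R)
    return L << H | R

def D(k, y):   # inverse of E: same network on swapped halves, rounds reversed
    z = E(k, (y % (1 << H)) << H | y >> H, (3, 2, 1, 0))
    return (z % (1 << H)) << H | z >> H

def sign(msg, pubs, s, priv):
    k, v = hashlib.sha256(msg).digest(), secrets.randbits(B)
    xs = [secrets.randbits(B) for _ in pubs]     # random x_i for the other members
    ys = [g(pk, x) for pk, x in zip(pubs, xs)]   # y_i = g_i(x_i)
    t = u = v
    for i in range(s):                           # forward from v to the signer's slot
        t = E(k, ys[i] ^ t)
    for i in range(len(pubs) - 1, s, -1):        # backward from v to the signer's slot
        u = D(k, u) ^ ys[i]
    xs[s] = g(priv, D(k, u) ^ t)                 # solve for y_s, invert it with the secret key
    return v, xs

def verify(msg, pubs, sig):
    v, xs = sig
    if len(xs) != len(pubs) or any(x >> B for x in [v, *xs]):
        return False                             # wrong length or value outside B bits
    k, t = hashlib.sha256(msg).digest(), v
    for pk, x in zip(pubs, xs):
        t = E(k, g(pk, x) ^ t)
    return t == v

KEYS = [keygen(13, 17), keygen(19, 31), keygen(61, 89), keygen(107, 127)]
PUBS = [pub for pub, _ in KEYS]   # constructed ring: Trent, Bob, Eve, Alice
```

The verifier runs the same ring for every member, so a signature made with `KEYS[1][1]` (Bob) is checked exactly like one made by any other member.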

I have created a demonstration of the original method here, and here is an outline presentation of the method [slides]:

Within a blockchain environment we can gather a number of users into a group, and then use a ring signature to keep anonymity. It will then be extremely difficult to tell which of the users in the group signed for the transaction, especially if the users have the same levels of transactions.

Linkable ring signatures

A linkable ring signature allows one person in the group to sign on behalf of the group, but adds a tag so that an external verifier can know that the signature has been produced by a defined signer, without being able to tell who the signer is. The linkable ring signature method is used within the Monero cryptocurrency and is defined by Ring Confidential Transactions (RingCT).

In the case below, Bob adds a tag to the signature, and Victor, if he knew the tag, could see that it was Bob who signed for it. Victor and Bob use a stealth address (more information is defined here), which allows Victor to determine the private key for the public key that Bob has used to sign onto the ring. The smart contract then just matches the signatures of this private key, and will sign from the ring to Victor’s new address.

Ring signatures and the mixing contract

Within an anonymised infrastructure, we can create a stealth address which is a one time address for a transaction. This can generate a key pair for the transaction and then perform the transaction.

Linkable ring signatures can then be used with stealth addresses to create a mixing contract, which has this operation:

  1. A contract is created to verify ring signatures, receive and distribute cryptocurrency. This contract defines the minimum number of users that are required to enter into the contract. There will be a number of senders, which link to a number of recipients.
  2. Each sender generates a new key pair and then sends the public key to the recipient it wants to receive funds. They then generate a shared secret key (the stealth address — more details on these here). The sender then sends its newly created public key to the contract.
  3. The contract then waits for enough senders to participate in the contract. When this happens, it will have a list of the public keys for all the senders.
  4. Each recipient will then remember the public key of its sender, and map the secret key that is associated with it.
  5. The recipient then sends a signature to the contract, along with a tag.
  6. The contract will then match the tag to one of the public keys that it has, and then release the funds to the recipient.
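A model of the contract steps above with a linkable ring signature, added here as an example and not taken from this article, Monero or any deployed contract. It assumes an LSAG-style construction over a toy 127-bit subgroup of the integers modulo a prime, a hypothetical `Mixer` class in which the recipient signs its payout address, and that the recipient already holds the secret key for the public key its sender deposited (the stealth-address exchange is not modelled).

```python
import hashlib, secrets, math

Q = 2**127 - 1   # Mersenne prime used as the subgroup order (toy size)
K = next(k for k in range(2, 10**4, 2) if pow(2, k * Q, k * Q + 1) == 1
         and math.gcd(pow(2, k, k * Q + 1) - 1, k * Q + 1) == 1)
P, G = K * Q + 1, pow(2, K, K * Q + 1)   # P proven prime (Pocklington); G has order Q

def Hs(*parts):   # hash any values to an exponent mod Q
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % Q

def base(ring):   # second generator derived from the ring, discrete log unknown
    return pow(Hs("base", ring) + 2, K, P)

def link(ring, tag, msg, y, c, r):   # one link of the ring: the next challenge
    return Hs(ring, tag, msg, pow(G, r, P) * pow(y, c, P) % P,
              pow(base(ring), r, P) * pow(tag, c, P) % P)

def sign(msg, ring, s, x):
    ring, n = tuple(ring), len(ring)
    tag = pow(base(ring), x, P)          # depends only on the secret key and the ring
    r, c = [secrets.randbelow(Q) for _ in ring], [0] * n
    u = secrets.randbelow(Q)
    c[(s + 1) % n] = Hs(ring, tag, msg, pow(G, u, P), pow(base(ring), u, P))
    for i in ((s + j) % n for j in range(1, n)):
        c[(i + 1) % n] = link(ring, tag, msg, ring[i], c[i], r[i])
    r[s] = (u - x * c[s]) % Q            # only the secret key closes the ring
    return c[0], r, tag

def verify(msg, ring, sig):
    c0, r, tag = sig
    ring, c = tuple(ring), c0
    if len(r) != len(ring) or tag == 1 or pow(tag, Q, P) != 1:
        return False                     # malformed signature or tag outside the group
    for y, ri in zip(ring, r):
        c = link(ring, tag, msg, y, c, ri)
    return c == c0

class Mixer:   # hypothetical model of the contract, not on-chain code
    def __init__(self, size):
        self.size, self.ring, self.spent = size, [], set()
    def deposit(self, pub):
        if len(self.ring) < self.size:
            self.ring.append(pub)
    def withdraw(self, address, sig):
        ok = (len(self.ring) == self.size and sig[2] not in self.spent
              and verify(address, self.ring, sig))
        if ok:
            self.spent.add(sig[2])
        return ok
```

In this model the contract pays out when the signature verifies against the deposited keys and the tag has not been seen before, so a second withdrawal with the same key is refused without revealing which deposit it came from.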

Conclusions

Within linkable ring signatures we can add a tag, and then use this with a stealth address for the one-time transaction mapping to happen. This is the way that Monero hides the details of a transaction.