Re: [openpgp] Proposal for a separable ring signature scheme compatible with RSA, DSA, and ECDSA keys

Vincent Yu <> Sat, 15 March 2014 21:40 UTC

On 03/15/2014 04:40 PM, Nicholas Cole wrote:
> On Sat, Mar 15, 2014 at 8:33 PM, Nicholas Cole <> wrote:
>> On Saturday, 15 March 2014, Jon Callas <> wrote:
>>> Now on the other hand, ages ago, we discussed ring signatures, and a use
>>> case that I wanted to do was to make it so that whenever Alice sends Bob a
>>> signed email or other casual message, she would (could?) sign it with a ring
>>> signature of her key and Bob's. Bob knows that he didn't sign it so he knows
>>> that Alice did.
>>> Of course, it's one of those things that are cool, and yet it's hard to
>>> say what it actually does to improve anything.
>> It also breaks the metaphor of a 'signature' too: the signatures we
>> currently have work in a very similar way to the ideal real-world signature.
>> This type of signature doesn't: it is a signature only specific people can
>> verify, or rather, a signature that could have been made by any one of a
>> number of people. The problem might then become proving you were *not* the
>> person who made it, rather than the person who did, and proving a negative
>> is impossible. I think for that reason I'm not sure would welcome it being
>> added to gpg.  "Yes, that is a signature that I could have made, but I
>> didn't" is not an easy position...
> And thinking about it even further, it compounds a problem that
> someone (was it you, Jon?) has written about in the past.  Even though
> we all know that key UIDs can be signed by complete strangers, users
> are *often* disconcerted by this fact (which is why there is a
> no-modifier flag, even if keyservers have never respected it and even
> if it would make the use of OpenPGP even more complicated).  Still, a
> naive user of an OpenPGP program may draw incorrect inferences about
> social relationships from UID signatures.  Imagine the outcry of users
> if they discovered that documents were in the wild that 'might' have
> been signed by them...
> N.

This reminds me that I used the name "signer-ambiguous signature" in 
some of the early drafts of my proposal. This name concisely describes 
the most important property of ring signatures. Now that I think about 
it, that is a much better name than "ring signature" for implementations 
to present to their end users.

"Signer-ambiguity" was coined by Rivest et al. to describe ring 
signatures in their seminal paper in 2001, so it's well-connected to the 
concept of ring signatures in the literature.

Unless there are severe objections, I will modify the proposal to use 
the phrase "signer-ambiguous signature" to refer generally to the 
signatures produced by the scheme, and use "ring signature" only as a 
technical term for the specific scheme that was chosen to provide