Identity-based quotable ring signature

We present a new notion of identity-based quotable ring signature. This new cryptographic primitive can be used to derive new ring signatures on substrings of an original message from an original ring signature on the original message, which is generated by the actual signer included in the ring. No matter whether a ring signature is originally generated or is quoted from another valid ring signature, it will convince the verifier that it is generated by one of the ring members, without revealing any information about which ring member is the actual signer. The set of ring members could be arbitrarily selected by the actual signer without need of other ring members' approval. The actual signer is anonymous among this set of ring members. At the same time, the verifier could not distinguish whether a ring signature is originally generated or is quoted from another ring signature. In this paper, we propose a concrete identity-based quotable ring signature scheme based on bilinear pairing. We make use of bilinear groups of composite order. The construction is identity-based to alleviate the problem of certificate verification, especially for applications involving a large number of public keys in each execution such as ring signature schemes. The proposed scheme is proven to be anonymous under the assumption that the Subgroup Decision Problem is hard, selectively unforgeable against adaptively chosen message attacks in the random oracle model under the assumption that the Computational DiffieHellman problem is hard, and strongly context hiding