Two-Party (Blind) Ring Signatures and Their Applications

Ring signatures, introduced by Rivest, Shamir and Tauman, attest the fact that one member from a ring of signers has endorsed the message but no one can identify who from the ring is actually responsible for its generation. It was designed canonically for secret leaking. Since then, various applications have been discovered. For instance, it is a building block of optimistic fair exchange, destinated verifier signatures and ad-hoc key exchange. Interestingly, many of these applications require the signer to create a ring signature on behalf of two possible signers (a two-party ring signature) only. An efficient two-party ring signature scheme due to Bender, Katz, and Morselli, is known. Unfortunately, it cannot be used in many of the aforementioned applications since it is secure only in a weaker model. In this paper, we revisit their construction and proposed a scheme that is secure in the strongest sense. In addition, we extend the construction to a two-party blind ring signature. Our proposals are secure in the standard model under well-known number-theoretic assumptions. Finally, we discuss the applications of our construction, which include designated verifier signatures, optimistic fair exchange and fair outsourcing of computational task.