Short DL-Based Blacklistable Ring Signatures from DualRing

As one of privacy -enhancing authentications suitable for decentralized environments, ring signatures have intensively been researched. In ring signatures, each user can choose any ad -hoc set of users (specified by public keys) called a ring, and anonymously sign a message as one of the users. However, in applications of anonymous authentications, users may misbehave the service due to the anonymity, and thus a mechanism to exclude the anonymous misbehaving users is required. However, in the existing ring signature scheme, a trusted entity to open the identity of the user is needed, but it is not suitable for the decentralized environments. On the other hand, as another type of anonymous authentications, a decentralized blacklistable anonymous credential system is proposed, where anonymous misbehaving users can be detected and excluded by a blacklist. However, the DL -based instantiation needs O ( N ) proof size for the ring size N . In the research line of the DL -based ring signatures, an efficient scheme with O (log N ) signature size, called DualRing , is proposed. In this paper, we propose a DL -based blacklistable ring signature scheme extended from DualRing, where in addition to the short O (log N ) signature size for N , the blacklisting mechanism is realized to exclude misbehaving users. Since the blacklisting mechanism causes additional costs in our scheme, the signature size is O (log N + <euro> ), where <euro> is the blacklist size.