Foundations of Ring Sampling

Authors: Viktoria Ronge (Friedrich-Alexander-Universität Erlangen-Nürnberg), Christoph Egger (Friedrich-Alexander-Universität Erlangen-Nürnberg), Russell W. F. Lai (Friedrich-Alexander-Universität Erlangen-Nürnberg), Dominique Schröder (Friedrich-Alexander-Universität Erlangen-Nürnberg), Hoover H. F. Yin (The Chinese University of Hong Kong 1 28 Nov. 2020)

Volume: 2021
Issue: 3
Pages: 265–288

Download PDF

Abstract: A ring signature scheme allows the signer to sign on behalf of an ad hoc set of users, called a ring. The verifier can be convinced that a ring member signs, but cannot point to the exact signer. Ring signatures have become increasingly important today with their deployment in anonymous cryptocurrencies. Conventionally, it is implicitly assumed that all ring members are equally likely to be the signer. This assumption is generally false in reality, leading to various practical and devastating deanonymizing attacks in Monero, one of the largest anonymous cryptocurrencies. These attacks highlight the unsatisfactory situation that how a ring should be chosen is poorly understood. We propose an analytical model of ring samplers towards a deeper understanding of them through systematic studies. Our model helps to describe how anonymous a ring sampler is with respect to a given signer distribution as an information-theoretic measure. We show that this measure is robust – it only varies slightly when the signer distribution varies slightly. We then analyze three natural samplers – uniform, mimicking, and partitioning – under our model with respect to a family of signer distributions modeled after empirical Bitcoin data. We hope that our work paves the way towards researching ring samplers from a theoretical point of view.

Keywords: Ring Signature, Anonymity, Monero

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.