Unconditionally Anonymous Ring and Mesh Signatures

We generalize the ring signature primitive into the more general notion of mesh signature. Ring signatures are anonymous signatures made by someone who wishes to hide in the anonymity of a larger crowd. All that the signer needs to assemble such a virtual crowd is her own private key and the public keys of the other members. The crowd composition is all that the verifier will be able to see. In a sense, a ring signature expresses an anonymous endorsement of a message by a disjunction of signers. Mesh signatures generalize this notion by allowing the combination of “atomic” (i.e., regular) signatures, by one or multiple signers from an arbitrary larger crowd, into virtually any monotone “endorsement formula” with much more expressive power than a simple disjunction. The verifier sees only that the endorsement is valid for the stated formula, not how the formula is satisfied. As a special case, mesh signatures extend the ring signature functionality to certificate chains. This is useful when the anonymity-seeking signer wishes to hide in a crowd comprising uncooperative people who do not even have a published signature verification key on record. We give an efficient linear-size construction based on bilinear maps in the common random string model. Our mesh signatures achieve everlasting perfect anonymity—an imperative for the archetypical whistle-blowing use case of ring signatures—and, as a special case, yield the first unconditionally anonymous ring signatures without random oracles or trusted setup authorities. Non-repudiation is achieved from a mild extension of the SDH assumption, named Poly-SDH, which we introduce and justify meticulously.