otrv4 / otrv4

Off-the-Record Messaging Protocol version 4. -This is a draft- This repository is a mirror of http://bugs.otr.im/otrv4/otrv4


Ring signatures: should we securely delete the secret 't#' value after use?

cobratbq opened this issue · comments

If I understand the ring signatures correctly, the t# scalar (either t1 or t2 or t3) is the single secret value that should not be disclosed, because it could be used to determine which private key was used.
Should we then securely delete the secret t# scalar after the ring signature is generated? (This is not present in the ring signatures description.)

Hey!

Thanks for the question.

> If I understand the ring signatures correctly, the t# scalar (either t1 or t2 or t3) is the single secret value that should not be disclosed, because it could be used to determine which private key was used.

Not really. ti is just a random value that you generate. The reason they have a number is to help people while reading the spec, as it can be generalized to t. The only value that you should keep secret is ai. As these are not values that stay in memory for longer than generating the ring signature, we don't explicitly say that they should be deleted. But, yeah, t1, c2, c3, r2, r3 should be erased once the signature is generated.

As far as I know, the only thing that can get you to infer the secret is if the order of elements passed to the hash function and sent to the verifier depends on the secret known by the prover.

What I think you imply is:

sigma is: sigma = (c1, r1, c2, r2, c3, r3). An attacker knows therefore c1, r1, and, somehow, gets hold of t1. An attacker knows this formula: r1 = t1 - c1 * a1 (mod q), so they try:

  1. t1 - c1
  2. Multiplying that by some value until they get r1.

This is almost the same as A = g * a. An attacker will know, for example, A and g, and can always try to multiply g by something to get A.

See: https://www.doc.ic.ac.uk/~mrh/330tutor/ch06s02.html and https://en.wikipedia.org/wiki/Pollard's_kangaroo_algorithm

Now, something I want to check (I'll get back to you) is whether it matters that g, in this case, will be t1 - c1.

Thanks!

I have started a discussion with Mike Hamburg around this. I'll put the results here. Just to clarify, what I'm worried about is:

It is well known that it will take too much time for an attacker to do A = g * a, when knowing A and g, to get a. What worries me is if an attacker can more efficiently get a if A = (x - y) * a, with the attacker knowing A, x, y. At first glance, I'd say NO. But I'd like to check.

I will add the deletion of t. :)
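Added example (Python; not code from the otrv4 spec or repository) that works through the relation r1 = t1 - c1 * a1 (mod q) quoted in the first reply and the A = (x - y) * a question in the later comment, using constructed values: the relation is linear in the scalar a1, so anyone holding the public (c1, r1) together with the nonce t1 recovers a1 with a single modular inversion, which is the reason the nonce has to be erased once sigma is produced. The modulus q is assumed to be the Ed448 group order that OTRv4 builds on.

```python
# Added example (not from the otrv4 spec or repository): why the ring-signature
# nonce t1 must be erased. Uses the relation r1 = t1 - c1 * a1 (mod q) from the
# thread. q is assumed to be the Ed448 group order OTRv4 builds on (RFC 8032,
# L = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885).
import secrets

Q = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def prover_r1(a1: int, t1: int, c1: int, q: int = Q) -> int:
    """The prover's scalar response: r1 = t1 - c1 * a1 (mod q).

    a1 is the long-term secret, t1 the fresh random nonce and c1 the challenge
    share; (c1, r1) are part of sigma and therefore public.
    """
    return (t1 - c1 * a1) % q


def recover_a1(r1: int, c1: int, t1: int, q: int = Q):
    """What anyone holding the public (c1, r1) plus the nonce t1 can compute.

    The relation is linear in the scalar a1, so it is solved by one modular
    inversion: a1 = (t1 - r1) * c1^-1 (mod q). No discrete logarithm is
    involved: the hardness of A = g * a lives in the group, not in this
    scalar equation. Returns None when c1 has no inverse (c1 == 0 mod q),
    the one case in which the equation does not pin down a1.
    """
    if c1 % q == 0:
        return None
    return ((t1 - r1) * pow(c1, -1, q)) % q


def demo() -> bool:
    """Constructed round trip: a leaked t1 hands over a1 exactly."""
    a1 = secrets.randbelow(Q)  # constructed long-term secret
    t1 = secrets.randbelow(Q)  # constructed nonce, normally erased after signing
    c1 = secrets.randbelow(Q)  # constructed challenge share
    r1 = prover_r1(a1, t1, c1)
    return recover_a1(r1, c1, t1) == a1


if __name__ == "__main__":
    print("t1 leak recovers a1:", demo())
```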