Escrowed linkability of ring signatures and its applications
Ring signatures allow a user to sign anonymously on behalf of a group of spontaneously conscripted members. Two ring signatures are linked if they are issued by the same signer. We introduce the notion of Escrowed Linkability of ring signatures, such that only a Linking Authority can link two ring signatures; otherwise two ring signatures remain unlinkable to anyone. We give an efficient instantiation, and discuss the applications of escrowed linkability, like spontaneous traceable signature and anonymous verifiably encrypted signature. Moreover, we propose the first short identity-based linkable ring signatures from bilinear pairings. All proposals are provably secure under the random oracle model.