Pith. Machine review for the scientific record.

arxiv: 2605.11715 · v1 · submitted 2026-05-12 · 💻 cs.CR


Deanonymizable Scoped Linkable Ring Signatures


Pith reviewed 2026-05-13 05:55 UTC · model grok-4.3

classification 💻 cs.CR
keywords: ring signatures · linkable ring signatures · deanonymization · decentralized accountability · scoped linkability · consent management · blockchain signatures

The pith

DSLRS adds scoped linkability via dynamic key images and decentralized threshold deanonymization via embedded ElGamal components to standard ring signatures.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Ring signatures deliver strong anonymity and flexible group formation but typically omit built-in ways to link related signatures inside one context or to recover a signer's identity when accountability is required. DSLRS introduces scopes together with dynamic key images so that signatures remain unlinkable across different contexts yet become linkable inside the same scope. Two ElGamal ciphertexts are embedded directly inside the signature generation, enabling a k-of-N network of nodes to collaborate and extract the signer's public key on demand. The construction is formally defined and reduced to the ECDLP and DDH assumptions in the random oracle model, after which the paper presents a blockchain instantiation for consent management.

Core claim

DSLRS is a ring signature scheme that uses context-specific dynamic key images to enforce scoped linkability while embedding two ElGamal components that let a threshold network of honest nodes collaboratively recover the signer's public key, all while preserving anonymity outside the authorized deanonymization case; the scheme is proven secure under ECDLP and DDH in the ROM with formal definitions and reduction proofs supplied.

What carries the argument

Two ElGamal ciphertexts embedded inside the ring-signature generation that permit collaborative extraction of the signer's public key by a k-of-N deanonymization network, paired with context-dependent dynamic key images that enforce scoped linkability.
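The two mechanisms named above can be seen end to end in a small model. The following is an added example, not code from the paper or its authors: it keeps the shapes the paper's proofs use (a scoped key image I_scope = S_u · H_p(P_u || SID) and ElGamal components C1 = r · G, C2 = P + r · P_net) but writes them multiplicatively in a 64-bit safe-prime Schnorr group rather than on an elliptic curve, models H_p as a squared hash (a quadratic residue with unknown discrete log), and splits the network key with a dealer-based Shamir sharing where the paper relies on a distributed key generation. The `demo` function shows one key linking to itself inside a scope, failing to link across scopes, and being recovered by any k of the N nodes, while the combiner refuses to proceed with fewer than k partial decryptions.

```python
"""Added toy model of the two DSLRS ingredients: scoped key images and threshold-ElGamal
deanonymization, in a safe-prime Schnorr group (multiplicative notation) instead of a curve."""
import hashlib
import random

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with the first 12 prime bases: deterministic for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2: return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits: int, seed: int):
    """Deterministically find p = 2q + 1 with p and q prime (reproducible toy parameters)."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

P, Q = safe_prime(64, seed=2026)  # 64-bit toy group; a deployment would use a standard curve
G = 4                             # 2^2 generates the order-q subgroup of quadratic residues

def hash_to_group(data: bytes) -> int:
    """Stand-in for H_p: a squared hash is a quadratic residue with unknown discrete log.
    g**hash(data) would let a verifier match P_i**hash against the key image for every ring member."""
    ctr = 0
    while True:
        e = pow(int.from_bytes(hashlib.sha256(data + ctr.to_bytes(4, "big")).digest(), "big"), 2, P)
        if e != 1:
            return e
        ctr += 1

def keygen(rng):
    s = rng.randrange(1, Q)
    return s, pow(G, s, P)

def scoped_key_image(s: int, pub: int, scope: bytes) -> int:
    """I_scope = H_p(P || scope)^s: fixed for one key in one scope, random-looking across scopes (DDH)."""
    return pow(hash_to_group(pub.to_bytes(8, "big") + scope), s, P)  # P fits in 64 bits

def shamir_split(secret: int, k: int, n: int, rng) -> dict:
    """Dealer-based k-of-n sharing of the network secret (the paper cites a DKG instead)."""
    coeffs = [secret] + [rng.randrange(0, Q) for _ in range(k - 1)]
    return {i: sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q for i in range(1, n + 1)}

def lagrange_at_zero(i: int, indices) -> int:
    num = den = 1
    for j in (j for j in indices if j != i):
        num, den = num * (-j) % Q, den * (i - j) % Q
    return num * pow(den, Q - 2, Q) % Q

def embed_identity(pub: int, net_pub: int, rng):
    """ElGamal components carried in the signature: (C1, C2) = (G^r, pub * net_pub^r)."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), pub * pow(net_pub, r, P) % P

def deanonymize(c1: int, c2: int, partials: dict, k: int) -> int:
    """Combine >= k partials C1^share_i into C1^x_net = net_pub^r and strip it from C2."""
    if len(partials) < k:
        raise ValueError(f"need {k} partial decryptions, got {len(partials)}")
    blind = 1
    for i in partials:
        blind = blind * pow(partials[i], lagrange_at_zero(i, partials), P) % P
    return c2 * pow(blind, P - 2, P) % P

def demo(seed: int = 7, k: int = 3, n: int = 5) -> dict:
    rng = random.Random(seed)
    (s_u, p_u), (s_v, p_v) = keygen(rng), keygen(rng)
    study, audit = b"consent:study-42", b"consent:audit-2026"  # constructed scope identifiers
    x_net = rng.randrange(1, Q)
    shares = shamir_split(x_net, k, n, rng)
    c1, c2 = embed_identity(p_u, pow(G, x_net, P), rng)
    partials = {i: pow(c1, shares[i], P) for i in (1, 3, 5)}  # any k of the n nodes respond
    return {
        "same_scope_links": scoped_key_image(s_u, p_u, study) == scoped_key_image(s_u, p_u, study),
        "cross_scope_unlinkable": scoped_key_image(s_u, p_u, study) != scoped_key_image(s_u, p_u, audit),
        "other_signer_distinct": scoped_key_image(s_u, p_u, study) != scoped_key_image(s_v, p_v, study),
        "threshold_recovers_signer": deanonymize(c1, c2, partials, k) == p_u,
    }

if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. Linkability inside a scope is only safe because the discrete log of `hash_to_group` output is unknown; a hash-to-group built as g raised to a hash would let any verifier test each ring member's public key against the key image, which is exactly the anonymity loss the scheme is meant to avoid. And the threshold check in `deanonymize` is a local sanity check, not the accountability guarantee itself: nothing in this toy stops k colluding nodes from opening signatures without authorization, which is the unmodeled network assumption the referee report below raises.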

If this is right

  • Signatures produced inside one scope become publicly linkable while signatures from different scopes remain unlinkable.
  • A threshold subset of the deanonymization network can recover the signer's identity without needing a single trusted opener.
  • The scheme directly supports blockchain consent-management flows that require both patient anonymity and conditional accountability.
  • Security reductions hold in the random oracle model under the elliptic-curve discrete-log and decisional-Diffie-Hellman assumptions.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same embedded-ElGamal technique could be reused in other threshold-accountability settings such as anonymous voting with selective audit.
  • Placing the k-of-N network on a public blockchain would require separate incentive or slashing mechanisms to keep nodes honest.
  • The construction leaves open whether the same scoped-linkability property can be obtained under post-quantum assumptions.

Load-bearing premise

A k-of-N decentralized network of nodes will operate honestly enough that an authorized threshold can extract the signer's public key without the network itself introducing collusion risks that undermine the accountability guarantee.

What would settle it

An efficient algorithm that either forges a valid DSLRS signature, links two signatures from different scopes, or prevents an honest majority of the k-of-N network from recovering the signer's public key, while still respecting the ECDLP and DDH assumptions.

Original abstract

Although ring signatures offer highly desirable privacy requirements like anonymity and ad-hoc group formation with signer autonomy, they partially lack trust requirements like linkability and accountability that are required for strict use-cases, such as consent management in healthcare. Existing signature schemes fail to natively integrate scoped linkability with decentralized accountability (on-demand deanonymization) in a single scheme without relying on separate commitments or a centralized opener. We therefore introduce Deanonymizable Scoped Linkable Ring Signatures (DSLRS). The originality of the DSLRS is manifold. DSLRS uses scopes (context identifiers) and dynamic key images to provide scoped linkability and unlinkability across different scopes. Decentralized accountability is provided thanks to two ELGamal components deeply embedded in the signature, and a decentralized deanonymization network of k-of-N nodes that can collaboratively extract the signer's public key. The DSLRS scheme is defined and proved under the ECDLP and DDH hardness assumptions in the Random Oracle Model (ROM). Formal security definitions and formal reduction proofs are provided before introducing a blockchain-based instantiation for a consent management application using DSLRS.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

1 major / 1 minor

Summary. The paper introduces Deanonymizable Scoped Linkable Ring Signatures (DSLRS), extending ring signatures with scoped linkability (via context scopes and dynamic key images) and decentralized accountability (via two embedded ElGamal components and a k-of-N deanonymization network that collaboratively extracts the signer's public key). Formal security definitions and reduction proofs are given for the signature scheme under ECDLP and DDH in the ROM; a blockchain-based instantiation for consent management is then presented.

Significance. If the core signature results hold, the work provides a useful primitive that natively combines anonymity, scoped linkability, and on-demand decentralized deanonymization without separate commitments or a centralized opener. The formal definitions and reductions under standard assumptions (ECDLP, DDH, ROM) are a clear strength and support the signature-level claims. However, the overall significance for applications such as healthcare consent management is reduced because the decentralized accountability claim rests on an unmodeled operational assumption about the k-of-N network.

major comments (1)
  1. [Security definitions and proofs] Security definitions and reduction proofs (as described in the abstract and skeptic analysis): formal game-based definitions and reductions are supplied only for the signature scheme under ECDLP and DDH in ROM. No corresponding definition, ideal functionality, or reduction is given for the k-of-N deanonymization extraction protocol, leaving the central claim of 'decentralized accountability' dependent on the unproven premise that the network can be instantiated without introducing new collusion or availability attacks.
minor comments (1)
  1. [Abstract and construction] The abstract refers to 'two ELGamal components' (capitalization inconsistent with standard 'ElGamal'); the full construction section should explicitly state the precise embedding and how the two components interact with the ring signature and dynamic key images.

Simulated Author's Rebuttal

1 response · 0 unresolved

We thank the referee for their thorough review and constructive feedback. We address the major comment regarding the scope of the security definitions and proofs below, and we are prepared to revise the manuscript accordingly to strengthen the presentation of decentralized accountability.

Point-by-point responses
  1. Referee: Security definitions and reduction proofs (as described in the abstract and skeptic analysis): formal game-based definitions and reductions are supplied only for the signature scheme under ECDLP and DDH in ROM. No corresponding definition, ideal functionality, or reduction is given for the k-of-N deanonymization extraction protocol, leaving the central claim of 'decentralized accountability' dependent on the unproven premise that the network can be instantiated without introducing new collusion or availability attacks.

    Authors: We acknowledge that the formal game-based definitions and reductions (Sections 3–4) are provided exclusively for the DSLRS signature scheme itself, establishing unforgeability, anonymity, scoped linkability, and unlinkability under ECDLP and DDH in the ROM. The decentralized accountability mechanism is realized by embedding two ElGamal ciphertexts directly into the signature, enabling collaborative threshold decryption by a k-of-N network to recover the signer's public key. We did not supply a separate ideal functionality or reduction for the k-of-N extraction protocol, as it relies on standard threshold ElGamal techniques whose security is established in the literature under the honest-majority and secure-channels assumptions. The manuscript's primary contribution is the novel signature primitive that natively integrates these features. To address the concern, we will revise the paper to (i) explicitly articulate the operational assumptions on the deanonymization network (honest majority, collusion resistance below threshold k, and availability), (ii) reference established results on secure threshold decryption, and (iii) clarify that the 'decentralized accountability' claim holds relative to these standard assumptions rather than introducing new proofs for the network layer.

    revision: yes

Circularity Check

0 steps flagged

No circularity: security reductions to external ECDLP/DDH assumptions

Full rationale

The paper defines the DSLRS scheme and supplies formal security definitions plus reduction proofs under the ECDLP and DDH assumptions in the ROM. These are standard, externally verifiable hardness assumptions independent of the scheme's own outputs or parameters. No equations or claims reduce the central result to a fitted input, self-definition, or self-citation chain. The k-of-N deanonymization network is described as an operational component of the blockchain instantiation rather than part of the proven core signature security; its lack of formal modeling is a completeness issue, not a circularity in the derivation. The provided text contains no self-referential definitions, ansatzes smuggled via citation, or renamings of known results that would force the claimed properties by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 2 invented entities

The central claim rests on two standard cryptographic hardness assumptions plus the introduction of new scheme components whose security is claimed to follow from those assumptions.

axioms (2)
  • [domain assumption] Hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP)
    Invoked as the basis for the security of the signature scheme and its components.
  • [domain assumption] Hardness of the Decisional Diffie-Hellman (DDH) problem
    Invoked for the security proofs in the Random Oracle Model.
invented entities (2)
  • Dynamic key images [no independent evidence]
    purpose: Enable scoped linkability and cross-scope unlinkability
    New mechanism introduced in the DSLRS construction.
  • Decentralized deanonymization network of k-of-N nodes [no independent evidence]
    purpose: Collaboratively extract the signer's public key for on-demand accountability
    New network component for decentralized accountability.

pith-pipeline@v0.9.0 · 5483 in / 1626 out tokens · 37916 ms · 2026-05-13T05:55:25.528874+00:00 · methodology




    = x·x −1 ·Z=Z. IfAoutputsb ′ = 1,Boutputs 0 indicating it is a random tuple. We noteAdv DDH B ≥ 2 K(K−1) ·Adv CSU A . SinceAdv DDH B ≈0⇒Adv CSU A ≈0 A.6 Proof of Lemma 6 (Accountability) Assume thatAgenerated a valid signatureσ ∗ with(C 1, C2)using a false identityP ∗ f ake whereC 1 =r dean ·Gand C2 =P ∗ f ake +r dean ·P net. DuringV erif y,B ′ s is const...