It’s intended for situations where Alice and Bob wish to communicate digitally with some degree of privacy and authenticity. At the moment, using software like GnuPG (which is a free and open source implementation of OpenPGP), Alice can encrypt her messages to Bob to provide privacy, and she can also digitally sign her messages to provide authenticity (i.e., a cryptographic proof that she wrote the message).
Unfortunately, using such a system, Alice might worry that Bob could show others her messages and signatures, thus proving to others that she wrote and signed them. Such worries are not unusual if someone goes to the trouble of encrypting and signing their messages. For instance, if Alice is in a price negotiation with Bob, she might not want Bob to be able to prove to competitors that she offered a certain price.
By using a ring signature instead of a standard signature, Alice can alleviate such worries. When she signs a message using a ring signature, Bob can be sure that Alice signed the message, but it only proves to everyone else that either Alice or Bob signed the message. Thus Bob is unable to prove to others what Alice said to him, because he could have forged the ring signature himself!
Of course, Bob can still tell everyone what Alice said—using ring signatures instead of standard signatures only removes his ability to cryptographically prove to everyone what Alice said. This becomes a “he said she said” situation rather than a “she said this and here’s the proof” situation. From Alice’s point of view, the first situation is better than the second, so she would prefer to use ring signatures.
More generally, I hope for ring signatures to become easy enough to use that a typical user can use it for normal emails. Right now, it is not advisable for the average user to sign their emails simply because it is often a bad idea to give recipients the ability to prove to others what they said.
Unfortunately, using such a system, Alice might worry that Bob could show others her messages and signatures, thus proving to others that she wrote and signed them. Such worries are not unusual if someone goes to the trouble of encrypting and signing their messages.
Incidentally, this has actually been a practical concern on the black-markets: there have been occasional attempts to break pseudonyms by sending them messages encrypted to other pseudonyms’ keys, and the initial proof that Dread Pirate Robert 2 was StExo come from DPR2 accidentally releasing a message signed by StExo’s key.
What are the use cases of a ring signature? What does Alice hope to accomplish by arranging for only Bob to be able to verify a thing?
It’s intended for situations where Alice and Bob wish to communicate digitally with some degree of privacy and authenticity. At the moment, using software like GnuPG (which is a free and open source implementation of OpenPGP), Alice can encrypt her messages to Bob to provide privacy, and she can also digitally sign her messages to provide authenticity (i.e., a cryptographic proof that she wrote the message).
Unfortunately, using such a system, Alice might worry that Bob could show others her messages and signatures, thus proving to others that she wrote and signed them. Such worries are not unusual if someone goes to the trouble of encrypting and signing their messages. For instance, if Alice is in a price negotiation with Bob, she might not want Bob to be able to prove to competitors that she offered a certain price.
By using a ring signature instead of a standard signature, Alice can alleviate such worries. When she signs a message using a ring signature, Bob can be sure that Alice signed the message, but it only proves to everyone else that either Alice or Bob signed the message. Thus Bob is unable to prove to others what Alice said to him, because he could have forged the ring signature himself!
Of course, Bob can still tell everyone what Alice said—using ring signatures instead of standard signatures only removes his ability to cryptographically prove to everyone what Alice said. This becomes a “he said she said” situation rather than a “she said this and here’s the proof” situation. From Alice’s point of view, the first situation is better than the second, so she would prefer to use ring signatures.
More generally, I hope for ring signatures to become easy enough to use that a typical user can use it for normal emails. Right now, it is not advisable for the average user to sign their emails simply because it is often a bad idea to give recipients the ability to prove to others what they said.
Incidentally, this has actually been a practical concern on the black-markets: there have been occasional attempts to break pseudonyms by sending them messages encrypted to other pseudonyms’ keys, and the initial proof that Dread Pirate Robert 2 was StExo come from DPR2 accidentally releasing a message signed by StExo’s key.