
Paper 2023/1076

Non-Interactive Threshold BBS+ From Pseudorandom Correlations

Sebastian Faust, Technical University of Darmstadt
Carmit Hazay, Bar-Ilan University
David Kretzler, Technical University of Darmstadt
Leandro Rometsch, Hamburg University of Technology
Benjamin Schlosser, Technical University of Darmstadt
Abstract

The BBS+ signature scheme is one of the most prominent solutions for realizing anonymous credentials. Its prominence is due to properties like selective disclosure and efficient protocols for creating and showing possession of credentials. Traditionally, a single credential issuer produces BBS+ signatures, which poses significant risks due to a single point of failure. In this work, we address this threat via a novel $t$-out-of-$n$ threshold BBS+ protocol. Our protocol supports an arbitrary security threshold $t \leq n$ and works in the so-called preprocessing setting. In this setting, we achieve non-interactive signing in the online phase and sublinear communication complexity in the number of signatures in the offline phase, which, as we show in this work, are important features from a practical point of view. As it stands today, none of the widely studied signature schemes, such as threshold ECDSA and threshold Schnorr, achieve both properties simultaneously. In this work, we make the observation that presignatures can be directly computed from pseudorandom correlations, which allows servers to create signature shares without additional cross-server communication. Both our offline and online protocols are actively secure in the Universal Composability model. Finally, we evaluate the concrete efficiency of our protocol, including an implementation of the online phase and the expansion algorithm of the pseudorandom correlation generator (PCG) used during the offline phase. The online protocol without network latency takes less than $14$ ms for $t \leq 30$ and credential sizes up to $10$. Further, our results indicate that the influence of $t$ on the online signing is insignificant, $\leq 6 \%$ for $t \leq 30$, and the overhead of the thresholdization occurs almost exclusively in the offline phase.
Our implementation of the PCG expansion shows that even for a committee size of $10$ servers, each server can expand a correlation of up to $2^{17}$ presignatures in less than $100$ ms per presignature.

Note: This is the full version of the paper of the same name to be published in Topics in Cryptology – CT-RSA 2025.

Metadata
Available format(s)
PDF
Category
Public-key cryptography
Publication info
Published elsewhere. Major revision. CT-RSA 2025
Keywords
Threshold Signature, BBS+, Pseudorandom Correlation Functions, Pseudorandom Correlation Generators
Contact author(s)
sebastian faust @ tu-darmstadt de
carmit hazay @ biu ac il
david kretzler @ tu-darmstadt de
leandro rometsch @ tuhh de
benjamin schlosser @ tu-darmstadt de
History
2025-01-22: last of 7 revisions
2023-07-11: received
Short URL
https://ia.cr/2023/1076
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/1076,
      author = {Sebastian Faust and Carmit Hazay and David Kretzler and Leandro Rometsch and Benjamin Schlosser},
      title = {Non-Interactive Threshold {BBS}+ From Pseudorandom Correlations},
      howpublished = {Cryptology {ePrint} Archive, Paper 2023/1076},
      year = {2023},
      url = {https://eprint.iacr.org/2023/1076}
}