This is the full version of the extended abstract that appears in the Proceedings of the 8th Conference on Security and Cryptography for Networks (SCN 2012), 5–7 September 2012, Amalfi, Italy, I. Visconti and R. De Prisco Eds., Springer-Verlag, LNCS 7485, pages 95–112.

Compact Round-Optimal Partially-Blind Signatures

Olivier Blazy, David Pointcheval, and Damien Vergnaud
{olivier.blazy, david.pointcheval, damien.vergnaud}@ens.fr
ENS, Paris, France ⋆

Abstract. Partially-blind signatures find many applications in the area of anonymity, such as e-cash or e-voting systems. They extend classical blind signatures: the signed message is composed of two parts, a public one (common to the user and the signer) and a private one (chosen by the user, and blindly signed). The signer cannot later link a message-signature pair to the interaction that produced it, among all the signatures on messages with the same public part. This paper presents a one-round partially-blind signature which achieves perfect blindness in the standard model using a Common Reference String, under classical assumptions: the CDH and DLin assumptions in symmetric groups, and similar ones in asymmetric groups. The scheme is more efficient than previous ones (reduced round complexity and communication complexity) and relies on weaker complexity assumptions. A further advantage is that the output is a standard Waters signature, which is quite short. In addition, all previous schemes required the parties to agree on the public part of the message before running the blind signature protocol. Our protocol does not require such pre-processing: the public part can be chosen by the signer alone. Our scheme even allows multiple messages provided by independent sources to be blindly signed. These messages can either be concatenated or aggregated by the signer, without learning any information about them, before the blind signature is returned to the recipient.
For the aggregation (addition of the messages), we provide a new result, of independent interest, about the Waters hash function over non-binary alphabets.

1 Introduction

Blind signatures were proposed by Chaum in 1982 [8]: they are an interactive signature scheme between a user and a signer in which the signed message, and even the resulting signature, remain unknown to the signer; this is the blindness property. More precisely, if the signer runs several executions of the protocol that lead to several message-signature pairs, he cannot link any pair back to a specific execution: the signer's view is unlinkable to the resulting message-signature pair. This unlinkability can either be computational (computational blindness) or perfect (perfect blindness). In addition, blind signatures guarantee a form of unforgeability for the signer, formalized in [18] to cope with e-cash requirements: the user cannot produce more message-signature pairs (coins) than the number of interactions (withdrawals). There have been several highly interactive schemes (like [17]), but Fischlin [10] gave a generic construction of round-optimal blind signatures. Recent schemes have instantiated this construction: the user obtains an actual signature on the message, of which he either proves knowledge [1, 11] or which he simply randomizes to make it unlinkable [4, 5]. In the latter case, the blind signature has the same format as the underlying signature and, in addition to being round-optimal, is thus short. Our construction, like the latter, outputs a plain (randomized) Waters signature on the message $m$, that is, two group elements (together with the message $m$ itself), under the basic DLin assumption, whereas [1] relies on the less standard SXDH and ADH-CDH assumptions and needs around 38 elements in $\mathbb{G}_1$ and 34 in $\mathbb{G}_2$ for the final signature because of the required proofs of knowledge.
[12] presented a round-optimal blind signature without a CRS, but it is less efficient than the constructions relying on a Common Reference String. A loophole in standard blind signatures was pointed out by Abe and Okamoto [3]: the signer has no control over the signed messages (except, in some sense, through unforgeability, which limits their number). In e-cash schemes, we want the bank to sign a coin (a random, and thus unknown, serial number), but with a specific expiration date. Partially-blind signatures, proposed by Abe and Fujisaki [2], solve this problem by allowing the user and the signer to agree on a predetermined piece of information which must be included in the final signed message. Recently, in [19], Seo and Cheon presented a construction leading to (partially) blind signatures in the standard model. However, their construction relies on a trick consisting in starting from prime-order groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_3$ and considering group elements in $\mathbb{G} = \mathbb{G}_1 \oplus \mathbb{G}_2 \oplus \mathbb{G}_3$. While their approach provides nice theoretical tools, the resulting signatures lie in $\mathbb{G}^2$ and are therefore three times longer than our proposal.

⋆ CNRS – UMR 8548 and INRIA – EPI Cascade, Université Paris Diderot. © Springer 2012.

Our contributions. In this paper, we go one step further, improving [4] in several directions. We first present a blind signature scheme with perfect blindness, using the perfectly hiding instantiation of Groth-Sahai commitments [13]. We also widen the model of partially-blind signatures to supplement the predetermined common information with public information generated on the fly by the signer: the signer can simply include it during the signing process, even if the user does not want this extra information. In the latter case, the user can simply discard the signature and start anew. We call this new primitive signer-friendly partially-blind signatures. This notion allows to skip the prior agreement and lets the public information be set on the fly.
Of course, this new notion does not forbid any kind of prior agreement on the public part; it only strengthens the existing notion. It is now possible to get rid of the prior agreement on the common piece of information in the signed message, and our instantiation allows the signer to do so in a round-optimal way. These two constructions being compatible, we present a round-optimal partially-blind signature with perfect blindness. Our protocol does not need any pre-processing for the public part of the message: both the user and the signer can choose a piece of the public part, but instead of paying a computational overhead for an agreement, each simply chooses what he wants during the two-flow interaction. The signer can always refuse to sign something whose user-chosen public information does not suit him, and the user can always choose not to use an uninteresting signature, so a protocol should avoid wasting communication when one can stay within two flows without any loss of security. Eventually, discarding perfect blindness, we take advantage of this asynchronous property (the user and the signer choose their inputs independently) and consider the new setting where the message to be signed comes from several independent sources that cannot communicate with each other. We first present a way to obtain a signature on the concatenation of the input messages. We also present a shorter instantiation which gives a signature on the s um of the input messages. Such a sum can be useful when working on ballots, sensor readings, etc. Since we still apply the Waters signature, this led us to consider the programmability of the Waters function over a non-binary alphabet, in the same spirit as [14] for the binary alphabet. We prove a negative result on $(2, 1)$-programmability, but a nice positive one on $(1, \mathrm{poly})$-programmability, which is of independent interest.

Instantiations.
We give several instantiations of our different blind signatures, all of which are based on weak assumptions. Our constructions mainly use the following two building blocks, from which they inherit their security: Groth-Sahai proofs for languages over pairing-friendly groups [13], and Waters signatures derived from the scheme in [20] and used in [7]. Since verification of the revisited Waters signatures [4] is a statement in the language handled by Groth-Sahai proofs, these two building blocks combine smoothly. The first instantiations are in symmetric pairing-friendly elliptic curves and additionally use linear commitments [6]. Both unforgeability and semantic security of these constructions rely solely on the Decision Linear assumption (DLin). The blindness property is easily achieved thanks to the homomorphic property of the Waters signature. An instantiation with improved efficiency, in asymmetric bilinear groups, using the SXDH variant of Groth-Sahai proofs and commitments, is drafted in Appendix E. This setting requires an asymmetric Waters signature scheme secure under a slightly stronger assumption, called CDH+, where some additional elements in the second group are given to the adversary.

Applications. Our blind signature schemes find various kinds of applications:

E-voting. The security of several e-voting protocols relies on the fact that each ballot is certified by an election authority. Since this authority should not learn the voter's choice, a blind signature scheme (or even a partially-blind one, if the authority wants to specify the election in the ballot) is usually used to achieve this property. In order to achieve privacy of the ballot in an information-theoretic sense, it is necessary to use a signature scheme that achieves perfect blindness. Our scheme is the first to achieve this property in the standard model and under classical complexity assumptions.

E-cash.
As mentioned above, partially-blind signatures play an important role in many electronic commerce applications. In e-cash systems, for instance, the bank issuing coins must ensure that the message contains accurate information, such as the face value of the coin, without seeing it; moreover, in order to prevent double-spending, the bank's database has to record all spent coins. Partially-blind signatures cope with these problems, since the bank can explicitly include some information, such as the expiration date and the face value, in the coin. Thanks to our proposal, the coin issuing protocol can be run without prior agreement between the bank and the client.

Data aggregation in networks. A wireless (ad hoc) sensor network (WSN) consists of many sensor nodes that are deployed for sensing the environment and collecting data from it. Since transmitting and receiving data are the most energy-consuming operations, data aggregation has been put forward as an essential paradigm in these networks. The idea is to combine the data coming from different sources, minimizing the number of transmissions and thus saving energy. In this setting, a WSN usually consists of three types of nodes:
– sensor nodes, small devices equipped with one or more sensors, a processor and a radio transceiver for wireless communication;
– aggregation nodes (or aggregators), performing the data aggregation (e.g. average, sum, minimum or maximum of the data);
– base stations, responsible for querying the nodes and gathering the data collected by them.
WSNs are at high security risk, and two important security goals when doing in-network data aggregation are data confidentiality and data integrity. When homomorphic encryption is used for data aggregation, end-to-end encryption allows aggregation of the encrypted data, so that the aggregators do not need to decrypt and get access to the data; this provides end-to-end data confidentiality.
Achieving data integrity is a harder problem, and usually one does not consider the attack where a sensor node reports a false reading (the impact of such an attack being usually limited). The main security flaw is a data pollution attack, in which an attacker tampers with the intermediate aggregation result at an aggregation node. The purpose of the attack is to make the base station receive a wrong aggregation result, and thus make improper or wrong decisions. While most conventional data aggregation protocols do not preserve data integrity and privacy at the same time, our multi-source blind signature primitive achieves data confidentiality and prevents data pollution attacks simultaneously, using the following simple protocol:
1. Data aggregation is initiated by a base station, which broadcasts a query to the whole network.
2. Upon receiving the query, sensor nodes report encrypted values of their readings (under the base station's public key) to their aggregators.
3. The aggregators check the validity of the received values, perform data aggregation via the homomorphic properties of the encryption scheme, (blindly) sign the result and route the aggregated results back to the base station.
4. The base station decrypts the aggregated data and the signature, which proves the validity of the gathered information to the base station (but also to any other third party).

2 Definition

This section presents the global framework and the security model for partially-blind signature schemes. A reminder of the standard definitions and security notions for blind signatures can be found in Appendix A. Blind signatures introduced a nice feature; however, it may be undesirable that requesters can ask the signer to blindly sign any message. For example, in an e-cash scheme, some expiration date should be embedded in the e-coin, to avoid an uncontrolled growth of the bank's database when storing information for double-spending checks.
Partially-blind signatures are thus a natural extension of blind signatures: instead of signing an unknown message, the signer signs a message which contains a shared piece of information in addition to the hidden part. This piece is called $\mathsf{info}$ and, in the standard definition, is expected to have been fixed before the execution of the protocol. But since our schemes will not require the public part to be agreed on by the two players before the protocol execution (as opposed to all previous schemes in the literature), we extend the usual partially-blind signature scheme with two public parts in the message, in addition to the hidden part: $\mathsf{info} = \mathsf{info}_c \| \mathsf{info}_s$, where $\mathsf{info}_c$ is the common public part, agreed on beforehand, and $\mathsf{info}_s$ is set on the fly by the signer. This provides a more flexible scheme, and this definition generalizes all the above ones. If $\mathsf{info}_s = \bot$, we are in the regular case of partially-blind signatures, whereas for regular blind signatures both parts are empty ($\bot$).

Definition 1 (Partially-Blind Signature Scheme). A PBS scheme is defined by 4 algorithms or protocols $(\mathsf{Setup}_{PBS}, \mathsf{KeyGen}_{PBS}, \langle \mathcal{S}, \mathcal{U} \rangle, \mathsf{Verif}_{PBS})$ where
– $\mathsf{Setup}_{PBS}(1^\lambda)$ generates the global parameters $\mathsf{param}_{pbs}$ of the system;
– $\mathsf{KeyGen}_{PBS}(\mathsf{param}_{pbs})$ generates a pair of keys $(\mathsf{pk}_{PBS}, \mathsf{sk}_{PBS})$;
– Signature Issuing: this is an interactive protocol between $\mathcal{S}(\mathsf{sk}_{PBS}, \mathsf{info} = \mathsf{info}_c \| \mathsf{info}_s)$ and $\mathcal{U}(\mathsf{pk}_{PBS}, m, \mathsf{info})$, for a message $m \in \{0,1\}^n$ and shared information $\mathsf{info}$. It generates an output $\sigma$ for the user: $\sigma \leftarrow \langle \mathcal{S}(\mathsf{sk}_{PBS}, \mathsf{info}), \mathcal{U}(\mathsf{pk}_{PBS}, m, \mathsf{info}) \rangle$;
– $\mathsf{Verif}_{PBS}(\mathsf{pk}_{PBS}, m, \mathsf{info}, \sigma)$ outputs 1 if the signature $\sigma$ is valid with respect to the message $m \| \mathsf{info}$ and $\mathsf{pk}_{PBS}$, and 0 otherwise.

Quick note on security: the security requirements are a direct extension of the classical ones. For unforgeability, we consider $m \| \mathsf{info}$ instead of $m$, and for blindness, we only require unlinkability between signatures with the same public part $\mathsf{info}$.
Without the latter restriction, anyone could trivially distinguish which message was signed by comparing the public information. Unforgeability is strengthened by also taking the public information into account, so that the signer can be sure that the user will not be able to exploit his signature in another context.

Definition 2 (Signer-Friendly Partially-Blind Signature Scheme). A signer-friendly partially-blind signature scheme PBS is defined by 4 algorithms or protocols $(\mathsf{Setup}_{PBS}, \mathsf{KeyGen}_{PBS}, \langle \mathcal{S}, \mathcal{U} \rangle, \mathsf{Verif}_{PBS})$ where
– $\mathsf{Setup}(1^\lambda)$ generates the global parameters $\mathsf{param}_{pbs}$ of the system;
– $\mathsf{KeyGen}(\mathsf{param}_{pbs})$ generates a pair of keys $(\mathsf{pk}_{PBS}, \mathsf{sk}_{PBS})$;
– Signature Issuing: this is an interactive protocol between $\mathcal{S}(\mathsf{sk}_{PBS}, \mathsf{info}_c, \mathsf{info}_s)$ and $\mathcal{U}(\mathsf{pk}_{PBS}, m, \mathsf{info}_c)$, for a message $m \in \{0,1\}^n$, signer information $\mathsf{info}_s$ and common information $\mathsf{info}_c$. It generates an output $\sigma$ for the user: $\sigma \leftarrow \langle \mathcal{S}(\mathsf{sk}_{PBS}, \mathsf{info}_c, \mathsf{info}_s), \mathcal{U}(\mathsf{pk}_{PBS}, m, \mathsf{info}_c) \rangle$;
– $\mathsf{Verif}(\mathsf{pk}_{PBS}, m, \mathsf{info}_c, \mathsf{info}_s, \sigma)$ outputs 1 if the signature $\sigma$ is valid with respect to the message $m \| \mathsf{info}_c \| \mathsf{info}_s$ and $\mathsf{pk}_{PBS}$, and 0 otherwise.

One notes that $\mathsf{info}_c = \mathsf{info}$ and $\mathsf{info}_s = \bot$ lead to a standard partially-blind signature, whereas $\mathsf{info}_c = \mathsf{info}_s = \bot$ gives a standard blind signature. The signer always has the last word in the process: if he does not want to sign a specific $\mathsf{info}$, he can simply abort the protocol, as many times as needed, until the shared part suits him. So, in the following, we decided that it was wiser to let him choose this input. If the user wants a specific word in the final message, he can always add it to the blinded message. Intuitively, this strengthens the unforgeability notion, as the adversary (the user in this case) will not be able to choose the whole message to be signed because of $\mathsf{info}_s$. This is ensured in the security game because the adversary has to output valid signatures, which must therefore carry the $\mathsf{info}_s$ chosen by the signer.
For the blindness property, the adversary has to guess on signatures with the same public component $\mathsf{info}_c \| \mathsf{info}_s$; if this is not the case, the challenge is answered with the blind signature $\bot$. The complete security games can be found in Appendix B.

3 Partially-Blind Signature

Our constructions combine Groth-Sahai linear commitments [13] and the Waters signature [20] as follows: given a commitment on the "Waters hash" $\mathcal{F}(M)$ (together with some additional values proving knowledge of the message $M$ and of the randomness used) and a pre-agreed shared information $\mathsf{info}_c$, the signer can produce a partially-blind signature on $M$, $\mathsf{info}_c$ and an extra piece of public information $\mathsf{info}_s$. This construction uses a symmetric pairing, but we extend it to asymmetric pairings in Appendix E.

3.1 Assumptions

We rely on classical assumptions only: CDH for the unforgeability of signatures, and DLin for the blindness property (when it is not perfect) and for the soundness of the proofs.

Definition 3 (The Computational Diffie-Hellman problem (CDH)). The CDH assumption, in a cyclic group $\mathbb{G}$ of prime order $p$, states that for a generator $g \in \mathbb{G}$ and random $a, b \in \mathbb{Z}_p$, given $(g, g^a, g^b)$ it is hard to compute $g^{ab}$.

Definition 4 (Decision Linear Assumption (DLin)). The DLin assumption, in a cyclic group $\mathbb{G}$ of prime order $p$, states that given $(g, g^x, g^y, g^{xa}, g^{yb}, g^c)$ for random $a, b, x, y \in \mathbb{Z}_p$, it is hard to decide whether $c = a + b$ or $c$ is a random value. When $(g, u = g^x, v = g^y)$ is fixed, a tuple $(u^a, v^b, g^{a+b})$ is called a linear tuple w.r.t. $(u, v, g)$, whereas a tuple $(u^a, v^b, g^c)$ for a random and independent $c$ is called a random tuple.

One can easily see that an adversary able to solve CDH challenges can also solve DLin ones, so the DLin assumption implies the CDH assumption. Reminders on Groth-Sahai commitments and the Waters function can be found in Appendix C, as they are the main building blocks of our construction.
3.2 Partially-Blind Signature with Perfect Blindness

With these building blocks, we design a partially-blind signature scheme which basically consists in committing the message to be signed. Thanks to the random coins of the commitment, the user can then unblind the signature sent by the signer. Eventually, using the randomizability of the Waters signature, the user breaks all the links that could remain between the message-signature pair and the transaction. Our protocol proceeds as follows, on a commitment of $F = \mathcal{F}(M)$, a public common message $\mathsf{info}_c$, and a public message $\mathsf{info}_s$ chosen by the signer. It is split into five steps, which correspond to an optimal two-flow protocol: $\mathsf{Blind}_{BS}$, first run by the user; $\mathsf{Sign}_{BS}$, then run by the signer; and $\mathsf{Verif}_{BS}$, $\mathsf{Unblind}_{BS}$, $\mathsf{Random}_{BS}$, successively run by the user to generate the final signature. We thus have $\mathcal{U} = (\mathsf{Blind}_{BS}; \mathsf{Verif}_{BS}, \mathsf{Unblind}_{BS}, \mathsf{Random}_{BS})$ and $\mathcal{S} = \mathsf{Sign}_{BS}$:

– $\mathsf{Setup}_{BS}(1^\lambda)$ first chooses a bilinear group $(p, \mathbb{G}, \mathbb{G}_T, e, g)$. We need an additional vector $\mathbf{u} = (u_0, \dots, u_k) \xleftarrow{\$} \mathbb{G}^{k+1}$ which defines the Waters function $\mathcal{F}$ (where $k$ is the global length of $M \| \mathsf{info}_c \| \mathsf{info}_s$), a generator $h \xleftarrow{\$} \mathbb{G}$, and a tuple of Groth-Sahai parameters $(\mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3)$ in the perfectly hiding setting: $\mathsf{param}_{bs} = (p, \mathbb{G}, \mathbb{G}_T, e, g, h, \mathcal{F}, \mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3)$;
– $\mathsf{KeyGen}_{BS}(\mathsf{param}_{bs})$ chooses a random scalar $x \xleftarrow{\$} \mathbb{Z}_p$, which defines the public key as $\mathsf{pk}_{BS} = Y = g^x$, and the secret key as $\mathsf{sk}_{BS} = Z = h^x$;
– Signature Issuing $\langle \mathcal{S}(\mathsf{sk}_{BS}, \mathsf{info}_c, \mathsf{info}_s), \mathcal{U}(\mathsf{pk}_{BS}, M, \mathsf{info}_c) \rangle$, which is split into several steps:
  • $\mathsf{Blind}_{BS}(M, \mathsf{pk}_{BS}; (r_1, r_2, r_3))$: for a message $M \in \{0,1\}^\ell$ and random scalars $(r_1, r_2, r_3) \xleftarrow{\$} \mathbb{Z}_p^3$, define the commitment as
  $$ c = \big(\, c_1 = u_{1,1}^{r_1} u_{3,1}^{r_3},\quad c_2 = u_{2,2}^{r_2} u_{3,2}^{r_3},\quad c_3 = g^{r_1+r_2} u_{3,3}^{r_3} \cdot \mathcal{F}(M) \,\big) $$
  and compute $Y_{1,2} = Y^{r_1+r_2}$ and $Y_3 = Y^{r_3}$.
  One also generates additional proofs of validity of the commitment:
  ∗ a proof $\Pi_M$ of knowledge of $M$ in $c$, the encrypted $\mathcal{F}(M)$, which consists of a bit-by-bit commitment $C_M = (C'(M_1), \dots, C'(M_\ell))$, proofs that each committed value is a bit, and a proof that $c_3$ is well-formed. $\Pi_M$ is therefore composed of $9\ell + 3$ group elements;
  ∗ a proof $\Pi_r$ containing the commitments $C_r = (C(Y_{1,2}), C(Y_3))$ and proofs asserting that they are correctly generated. It requires 9 additional group elements.
  $\Pi$ thus consists of $9\ell + 12$ group elements, where $\ell$ is the bit-length of the message $M$.
  • $\mathsf{Sign}_{BS}(\mathsf{sk}_{BS}, (c, \Pi), \mathsf{info}_c, \mathsf{info}_s; s)$: to sign the commitment $c$, one first checks that the proof $\Pi$ is valid. One then appends the public message $\mathsf{info} = \mathsf{info}_c \| \mathsf{info}_s$ to $c_3$ to create $c_3' = c_3 \cdot \prod_i u_{i+\ell}^{\mathsf{info}_i}$, which thus becomes a commitment of the Waters function evaluated on $M \| \mathsf{info}_c \| \mathsf{info}_s$, of global length $k$. It eventually outputs $\sigma = (Z \cdot c_3'^{\,s},\ u_{3,3}^{s},\ g^{s})$, together with the additional public information $\mathsf{info}_s$, for a random scalar $s \in \mathbb{Z}_p$.
  • $\mathsf{Verif}(\mathsf{pk}_{BS}, (c, \mathsf{info}_c, \mathsf{info}_s), \sigma = (\sigma_1, \sigma_2, \sigma_3))$: to check the validity of the signature, one first computes $c_3'$ as above, and then checks whether the following pairing equations hold: $e(\sigma_1, g) = e(h, \mathsf{pk}_{BS}) \cdot e(c_3', \sigma_3)$ and $e(\sigma_2, g) = e(u_{3,3}, \sigma_3)$. If not, this is not a valid signature on the original ciphertext, and the blind signature is set to $\Sigma = \bot$.
  • $\mathsf{Unblind}_{BS}((r_1, r_2, r_3), \mathsf{pk}_{BS}, (c, \mathsf{info}_c, \mathsf{info}_s), \sigma)$: if the previous tests pass, one uses the random coins $r_1, r_2, r_3$ to get back a valid signature on $M \| \mathsf{info}_c \| \mathsf{info}_s$: $\sigma' = \big(\sigma_1' = \sigma_1 / (\sigma_3^{r_1+r_2} \sigma_2^{r_3}),\ \sigma_2' = \sigma_3\big)$, which is a valid Waters signature.
  • $\mathsf{Random}_{BS}(\mathsf{pk}_{BS}, (c, \mathsf{info}_c, \mathsf{info}_s), \sigma'; s')$: the latter can eventually be re-randomized to get $\Sigma = \big(\sigma_1' \cdot \mathcal{F}(M \| \mathsf{info}_c \| \mathsf{info}_s)^{s'},\ \sigma_2' \cdot g^{s'}\big)$.
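The five steps above, run end to end, as an added example that is not code from the paper. It works in the toy group $\mathbb{Z}_p^*$ with $p = 2^{61}-1$, written multiplicatively as in the scheme; this group has no pairing, so the two pairing equations of $\mathsf{Verif}$ and the final Waters check $e(\Sigma_1, g) = e(h, Y)\cdot e(F, \Sigma_2)$ are re-evaluated as $\Sigma_1 = h^x \cdot \Sigma_2^{\log_g F}$ using the signer's $x$ and the discrete logarithms of the public generators, which the toy setup keeps and a real instantiation cannot. The Groth-Sahai proofs $\Pi_M$ and $\Pi_r$ are not implemented; only the commitment $c$, the signer-side append of $\mathsf{info}_c \| \mathsf{info}_s$, $\mathsf{Unblind}_{BS}$ and $\mathsf{Random}_{BS}$ are. The function names, the seed and the bit strings are assumptions made for this example.

```python
"""Toy run of the two-flow signer-friendly partially-blind signature (Section 3.2).
Group: Z_p^* with p = 2^61 - 1 (no pairing, not prime order: algebra demo only).
Pairing equations are replaced by checks using the signer's x and the discrete
logs of the public generators, which only this toy setup knows."""
import random

P = 2**61 - 1                      # prime; toy group Z_p^*
G = 3                              # the generator g
rng = random.Random(2012)          # reproducible toy randomness (assumption)


def rexp():
    return rng.randrange(1, P - 1)


def waters(U, bits, start=1, with_u0=True):
    """F(bits) = u_0 * prod_i u_{start+i}^{bits[i]}; u_0 omitted if with_u0 is False."""
    F = U[0] if with_u0 else 1
    for i, b in enumerate(bits):
        if b:
            F = F * U[start + i] % P
    return F


def setup_keygen(k):
    """Setup_BS + KeyGen_BS for messages M||info_c||info_s of total length k.
    Returns (public params, signing key Z, toy trapdoor of discrete logs)."""
    w = [rexp() for _ in range(k + 1)]                          # toy: w_i = log_g u_i
    beta, x1, x2, nu, mu, x = (rexp() for _ in range(6))
    h = pow(G, beta, P)
    u1 = (pow(G, x1, P), 1, G)                                  # GS vector u_1 = (g^x1, 1, g)
    u2 = (1, pow(G, x2, P), G)                                  # GS vector u_2 = (1, g^x2, g)
    t = (nu + mu - 1) % (P - 1)                                 # u_3 = u_1^nu u_2^mu (1,1,g)^-1:
    u3 = (pow(u1[0], nu, P), pow(u2[1], mu, P), pow(G, t, P))  # random tuple, perfectly hiding
    pp = dict(U=[pow(G, wi, P) for wi in w], h=h, u1=u1, u2=u2, u3=u3, Y=pow(G, x, P))
    return pp, pow(h, x, P), dict(w=w, log_u33=t, x=x)         # Z = h^x, then the toy trapdoor


def blind(pp, M, r1, r2, r3):
    """Blind_BS: Groth-Sahai linear commitment to F(M) under coins r1, r2, r3 (no proofs)."""
    u1, u2, u3 = pp['u1'], pp['u2'], pp['u3']
    c1 = pow(u1[0], r1, P) * pow(u3[0], r3, P) % P
    c2 = pow(u2[1], r2, P) * pow(u3[1], r3, P) % P
    c3 = pow(G, r1 + r2, P) * pow(u3[2], r3, P) * waters(pp['U'], M) % P
    return (c1, c2, c3)


def sign(pp, Z, c, ell, info_c, info_s, s):
    """Sign_BS: append info_c||info_s to the committed hash (c_3' = c_3 prod u_{i+ell}^info_i)
    and return sigma = (Z c_3'^s, u_33^s, g^s); info_s travels back with sigma."""
    c3p = c[2] * waters(pp['U'], info_c + info_s, start=ell + 1, with_u0=False) % P
    return (Z * pow(c3p, s, P) % P, pow(pp['u3'][2], s, P), pow(G, s, P))


def log_waters(trap, bits):
    """log_g F(bits) from the toy trapdoor (used only to emulate the pairing)."""
    return (trap['w'][0] + sum(trap['w'][i + 1] for i, b in enumerate(bits) if b)) % (P - 1)


def waters_relation(pp, trap, S1, S2, log_F):
    """Toy stand-in for e(S1, g) == e(h, Y) e(F, S2): checks S1 == h^x S2^(log_g F)."""
    return S1 == pow(pp['h'], trap['x'], P) * pow(S2, log_F, P) % P


def unblind(sig, r1, r2, r3):
    """Unblind_BS: sigma' = (sigma_1 / (sigma_3^(r1+r2) sigma_2^r3), sigma_3) = (Z F^s, g^s)."""
    s1, s2, s3 = sig
    return (s1 * pow(pow(s3, r1 + r2, P) * pow(s2, r3, P) % P, -1, P) % P, s3)


def randomize(pp, bits, sig, sp):
    """Random_BS: (sigma_1' F^s', sigma_2' g^s') is a fresh Waters signature on the same message."""
    return (sig[0] * pow(waters(pp['U'], bits), sp, P) % P, sig[1] * pow(G, sp, P) % P)


def run(M, info_c, info_s, forged_info_s):
    """Full two-flow run on constructed bit strings.  Returns three booleans:
    sigma passes Verif's two equations, Sigma passes Verif_BS on M||info_c||info_s,
    and Sigma passes Verif_BS on M||info_c||forged_info_s (False when info_s differs)."""
    pp, Z, trap = setup_keygen(len(M) + len(info_c) + len(info_s))
    r1, r2, r3, s, sp = (rexp() for _ in range(5))
    c = blind(pp, M, r1, r2, r3)                            # flow 1: user -> signer
    sig = sign(pp, Z, c, len(M), info_c, info_s, s)         # flow 2: signer -> user, with info_s
    full = M + info_c + info_s                              # the user now knows info_s
    log_c3p = (r1 + r2 + r3 * trap['log_u33'] + log_waters(trap, full)) % (P - 1)
    ok_sigma = (waters_relation(pp, trap, sig[0], sig[2], log_c3p)
                and sig[1] == pow(sig[2], trap['log_u33'], P))
    Sigma = randomize(pp, full, unblind(sig, r1, r2, r3), sp)
    ok_final = waters_relation(pp, trap, Sigma[0], Sigma[1], log_waters(trap, full))
    ok_forged = waters_relation(pp, trap, Sigma[0], Sigma[1],
                                log_waters(trap, M + info_c + forged_info_s))
    return ok_sigma, ok_final, ok_forged


if __name__ == "__main__":
    print(run([1, 0, 1, 1, 0], [0, 1], [1, 1, 0], forged_info_s=[1, 0, 0]))
```

`run` returns three booleans: the blinded signature $\sigma$ passes both verification equations, the unblinded and re-randomized $\Sigma$ is a valid Waters signature on $M \| \mathsf{info}_c \| \mathsf{info}_s$, and the same $\Sigma$ does not verify against a message carrying a different $\mathsf{info}_s$, which is what the signer relies on when it picks $\mathsf{info}_s$ on the fly. The user never needs $\mathsf{info}_s$ before the second flow: it is only folded into $c_3'$ by the signer and then used by the user to rebuild $\mathcal{F}(M \| \mathsf{info}_c \| \mathsf{info}_s)$ for $\mathsf{Random}_{BS}$.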
One can note that $\Sigma$ is a random Waters signature on $M \| \mathsf{info}_c \| \mathsf{info}_s$; writing $F = \mathcal{F}(M \| \mathsf{info}_c \| \mathsf{info}_s)$,
$$ \Sigma = (\sigma_1' \cdot F^{s'},\ \sigma_2' \cdot g^{s'}) = \Big( F^{s'} \cdot \frac{\sigma_1}{\sigma_3^{r_1+r_2} \sigma_2^{r_3}},\ g^{s'} \cdot \sigma_3 \Big) = \Big( F^{s'} \cdot \frac{Z \cdot c_3'^{\,s}}{g^{s(r_1+r_2)} u_{3,3}^{s r_3}},\ g^{s+s'} \Big) $$
$$ \phantom{\Sigma} = \Big( F^{s'} \cdot \frac{Z \cdot g^{s(r_1+r_2)} u_{3,3}^{s r_3} \cdot F^{s}}{g^{s(r_1+r_2)} u_{3,3}^{s r_3}},\ g^{s+s'} \Big) = \big( Z \cdot F^{s+s'},\ g^{s+s'} \big). $$
– $\mathsf{Verif}_{BS}(\mathsf{pk}_{BS}, (M, \mathsf{info}_c, \mathsf{info}_s), \Sigma = (\Sigma_1, \Sigma_2))$: one checks whether the following pairing equation holds (Waters signature): $e(\Sigma_1, g) = e(h, \mathsf{pk}_{BS}) \cdot e(\mathcal{F}(M \| \mathsf{info}_c \| \mathsf{info}_s), \Sigma_2)$.

Theorem 5. This signer-friendly partially-blind signature scheme is unforgeable under the CDH assumption in $\mathbb{G}$.

Proof. Let us denote by PBS our above partially-blind signature (but omit it in the subscripts for clarity). Let us assume there is an adversary $\mathcal{A}$ against unforgeability that succeeds with probability $\varepsilon$; we build an adversary $\mathcal{B}$ against the CDH problem.

DLin Assumption. Unforgeability means that after $q_s$ interactions with the signer, the adversary manages to output $q_s + 1$ valid message-signature pairs on distinct messages. If the adversary $\mathcal{A}$ can do that with probability $\varepsilon$ with the above commitment scheme in the perfectly hiding setting, then, under the DLin assumption, $\mathcal{A}$ can also generate $q_s + 1$ valid message-signature pairs in the perfectly binding setting, with a not too small probability $\varepsilon'$.

[Figure 1 diagram: the user runs $\mathsf{Blind}_{BS}(\mathsf{pk}_{BS}, M; r)$ and sends the commitment $C$ of $\mathcal{F}(M)$; the signer runs $\mathsf{Sign}_{BS}(\mathsf{sk}_{BS}, C', \mathsf{info}_s; s)$ and returns $\sigma(C')$ together with $\mathsf{info}_s$; the user runs $\mathsf{Verif}$, $\mathsf{Unblind}_{BS}$ (with $r$) and $\mathsf{Random}_{BS}$ (with $s'$) and obtains $\sigma(F')$.] A message $M$ can be hidden using random coins $r$ ($\mathsf{Blind}_{BS}$). The signer can adapt this commitment and concatenate a public message $\mathsf{info}_s$ into the original commitment, together with the common public information $\mathsf{info}_c$, creating a commitment $C'$ on $F = \mathcal{F}(M \| \mathsf{info}_c \| \mathsf{info}_s)$. A signature on the plaintext can be obtained using the randomness $r$ (for $\mathsf{Unblind}_{BS}$); the result is the same as a direct signature on $M \| \mathsf{info}_c \| \mathsf{info}_s$ by the signer. Randomizing this signature is easy, and prevents the signer from knowing which ciphertext was involved.
Figure 1. Partially-Blind Signatures with Perfect Blindness

Signer Simulation. Let us thus now consider the above blind signature scheme with a commitment scheme in the perfectly binding setting (named PBS'): our simulator $\mathcal{B}$ can extract values from the commitments since it knows $\nu$ and $\mu$. We thus now assume that $\mathcal{A}$ is able to break the unforgeability of PBS' with probability $\varepsilon'$ after $q_s$ interactions with the signer, and we build an adversary $\mathcal{B}$ against the CDH problem. Let $(A = g^a, B = g^b)$ be a CDH instance in a bilinear group $(p, \mathbb{G}, \mathbb{G}_T, e, g)$. We generate the global parameters from this instance: to simulate $\mathsf{Setup}_{BS}/\mathsf{KeyGen}_{BS}$, $\mathcal{B}$ picks a random position $j \xleftarrow{\$} \{0, \dots, k\}$, random indexes $y_0, y_1, \dots, y_k \xleftarrow{\$} \{0, \dots, 2q_s - 1\}$, and random scalars $z_0, z_1, \dots, z_k \xleftarrow{\$} \mathbb{Z}_p$. One defines $Y = A = g^a$, $h = B = g^b$, $u_0 = h^{y_0 - 2jq_s} g^{z_0}$, and $u_i = h^{y_i} g^{z_i}$ for $i = 1, \dots, k$. $\mathcal{B}$ also picks two random scalars $\nu, \mu$ and generates the Groth-Sahai parameters $(\mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3)$ in the perfectly binding setting, that is, $\mathbf{u}_1 = (u_{1,1} = g^{x_1}, 1, g)$, $\mathbf{u}_2 = (1, u_{2,2} = g^{x_2}, g)$ and $\mathbf{u}_3 = \mathbf{u}_1^{\nu} \odot \mathbf{u}_2^{\mu}$, for two random scalars $x_1, x_2$. Note that $u_{3,3} = g^{\nu+\mu}$. It outputs $\mathsf{param}_{bs} = (p, \mathbb{G}, \mathbb{G}_T, e, g, h, \mathcal{F}, \mathbf{u}_1, \mathbf{u}_2, \mathbf{u}_3)$; one can note that the signing key is implicitly defined as $Z = h^a = B^a = g^{ab}$, which is the expected Diffie-Hellman value.

To answer a signing query on a ciphertext $c = (c_1, c_2, c_3)$ with the additional proofs, one first checks the proof $\Pi$. From the proof $\Pi$ and the commitment secret parameters $x_1, x_2$, $\mathcal{B}$ can extract $M$ from the bit-by-bit commitments in $\Pi_M$, and $Y_{1,2} = Y^{r_1+r_2}$, $Y_3 = Y^{r_3}$ from $\Pi_r$, where $c_1 = u_{1,1}^{r_1} u_{3,1}^{r_3}$ and $c_2 = u_{2,2}^{r_2} u_{3,2}^{r_3}$. Furthermore, we can compute $c_3' = g^{r_1+r_2} u_{3,3}^{r_3} \cdot F$, where we denote $M' = M \| \mathsf{info}_c \| \mathsf{info}_s$ and $F = \mathcal{F}(M')$. $\mathcal{B}$ defines
$$ H = -2jq_s + y_0 + \sum_i y_i M'_i, \qquad J = z_0 + \sum_i z_i M'_i \ :\qquad F = h^H g^J. $$
If $H \equiv 0 \pmod p$ then $\mathcal{B}$ aborts; otherwise it sets
$$ \sigma = \Big( Y^{-J/H} \,(Y_{1,2}\, Y_3^{\nu+\mu})^{-1/H}\, \big(F \cdot (c_1^{1/x_1} c_2^{1/x_2})\big)^{s},\ \ (Y^{-1/H} g^{s})^{\nu+\mu},\ \ Y^{-1/H} g^{s} \Big). $$
Note that $u_{3,1} = u_{1,1}^{\nu} = g^{x_1 \nu}$ and $u_{3,2} = u_{2,2}^{\mu} = g^{x_2 \mu}$, so $c_1^{1/x_1} c_2^{1/x_2} = g^{r_1+r_2} g^{(\nu+\mu) r_3} = g^{r_1+r_2} u_{3,3}^{r_3}$ and thus $F \cdot c_1^{1/x_1} c_2^{1/x_2} = c_3'$; moreover $(c_3')^{a/H} = h^{a}\, Y^{J/H}\, Y_{1,2}^{1/H}\, Y_3^{(\nu+\mu)/H}$. Defining $\tilde{s} = s - a/H$, we have
$$ \sigma_1 = Y^{-J/H} (Y_{1,2} Y_3^{\nu+\mu})^{-1/H} \big(h^H g^J (c_1^{1/x_1} c_2^{1/x_2})\big)^{s} = Z \cdot (c_3')^{\tilde{s}}, $$
$$ \sigma_3 = Y^{-1/H} g^{s} = Y^{-1/H} g^{\tilde{s} + a/H} = g^{\tilde{s}}, \qquad \sigma_2 = (\sigma_3)^{\nu+\mu} = g^{(\nu+\mu)\tilde{s}} = u_{3,3}^{\tilde{s}}. $$
It thus looks exactly like a real signature sent by the signer.

Diffie-Hellman Extraction. After at most $q_s$ signing queries, $\mathcal{A}$ outputs $q_s + 1$ valid Waters signatures. Since there are more of them than signing queries, there is at least one message $M^*$ that differs from all the messages $M \| \mathsf{info}_c \| \mathsf{info}_s$ involved in the signing queries. We define
$$ H^* = -2jq_s + y_0 + \sum_i y_i M^*_i, \qquad J^* = z_0 + \sum_i z_i M^*_i \ :\qquad \mathcal{F}(M^*) = h^{H^*} g^{J^*}. $$
If $H^* \not\equiv 0 \pmod p$ then $\mathcal{B}$ aborts; otherwise, for some $s^*$, $\sigma^* = (h^a \mathcal{F}(M^*)^{s^*}, g^{s^*}) = (h^a g^{s^* J^*}, g^{s^*})$. Then $\sigma_1^* / (\sigma_2^*)^{J^*} = h^a = g^{ab}$: one has solved the CDH problem.

Success Probability (based on [14]). The Waters hash function is $(1, q_s)$-programmable (i.e., with non-negligible probability, the $q_s$ intermediate values $H$ are non-zero and the last one $H^*$ is zero), therefore the previous simulation succeeds with non-negligible probability $\Theta(\varepsilon / (q_s \sqrt{k}))$, and so $\mathcal{B}$ breaks CDH. □

Theorem 6. This signer-friendly partially-blind signature scheme achieves perfect blindness.

Proof. The transcript sent to the signer contains a commitment on the message to be signed, but in the perfectly hiding setting: no information leaks about $M$. The additional proofs are perfectly witness-indistinguishable and thus do not provide any additional information about $M$. This is due to the fact that, in the Groth-Sahai framework in the perfectly hiding setting, for any message $M$ committed with randomness $r$ and any message $M'$, one can find randomness $r'$ such that $c(M, r) = c(M', r')$.
Thanks to the randomizability of the Waters signature, the final output signature is a random signature on $M \| \mathsf{info}_c \| \mathsf{info}_s$, about which no information has leaked, and so the resulting signature is perfectly independent of the transcript seen by the signer, and of any adversary's view. □

4 Multi-Source Blind Signature

4.1 Concatenation

The previous constructions give a user a way to obtain a signature on a plaintext without revealing it to the signer. But what happens when the original message actually comes from various users? We now present a new way to obtain a blind signature without requiring multiple users to combine their messages, once again in a round-optimal way. We thus consider a variation of our blind signature scheme. In the Setup phase we no longer create perfectly hiding Groth-Sahai generators but perfectly binding parameters, so we do not need to compute $u_{3,3}^s$ to run Unblind, since unblinding will be performed with the decryption key and not with the random coins. In addition, in this scenario, we do not consider a unique user providing a ciphertext, but several users. As a consequence, the signer will have to produce a signature on a multi-source message, provided as ciphertexts. The signature and the messages will actually be encrypted under a third-party key; only this third party will be able to extract the message and the signature. Basically, the instantiation is similar to the previous ones in the perfectly binding setting. For the sake of clarity, we remove the partially-blind part, but of course it could be adapted in the same way. A full instantiation of such a protocol and its security analysis can be found in Appendix D. One can see that it can be efficiently instantiated under the DLin assumption.

4.2 Addition

The previous scheme presents a way to combine multiple blind messages into one in order to sign it.
However, it requires a huge number of generators, and the final unblinded signature gives a lot of information on the distribution of the original messages, since they are simply concatenated.

[Figure 2 diagram: each user $i$ runs $\mathsf{Blind}_{BS}(\mathsf{pk}_{BS}, M_i; r_i)$ and sends $C_i$; the signer runs $\mathsf{Sign}_{BS}(\mathsf{sk}_{BS}, C_1, \dots, C_n; s)$ on the combined commitment and returns $\sigma(\prod_i C_i)$; the tallier $T$ runs $\mathsf{Unblind}_{BS}$ with $\mathsf{dk}_{BS}$ and $\mathsf{Random}_{BS}$ with $s'$, obtains $\sigma(\prod F_i)$ and runs $\mathsf{Verif}$.] Several messages $M_i$ can be hidden using random coins $r_i$ ($\mathsf{Blind}_{BS}$) by different users. The signer can adapt these commitments and concatenate the messages inside them, creating a commitment on $F = \prod_i F_i$. A signature on the plaintext can be obtained by the tallier using the decryption key $\mathsf{dk}_{BS}$ (for $\mathsf{Unblind}_{BS}$); the result is the same as a direct signature on $\|_i M_i$ by the signer. Randomizing this signature is easy, and prevents the signer from knowing which ciphertexts were involved.

Figure 2. Multi-Source Blind Signature on Concatenation

We now want to improve the previous scheme to drastically reduce the public key size, and the information leaked about the individual messages, when one would like a signature on some computation on these messages, such as the addition or the mean. Instead of signing the concatenation of the messages, we now let the users use the same generators, so that the messages add up instead of being concatenated. The resulting algorithm is the same as before, except during the Setup phase, where $\mathbf{u} = (u_0, \dots, u_k) \xleftarrow{\$} \mathbb{G}^{k+1}$ is now shared by all the sources. We then proceed as before, considering $\mathcal{F}(M_i) = \prod_\ell u_\ell^{m_{i,\ell}}$. The Unblind algorithm now returns a valid signature on the sum of the messages. The various Groth-Sahai proofs help to ensure that the messages given to the Waters hash function are of reasonable size. With this construction, the exponents in the Waters hash function are no longer bits but belong to a larger alphabet (e.g. $\{0, \dots, t\}$ if $t$ users each sign bit strings).
Following the work done in [14], we show in the next section that over a non-binary alphabet the Waters function remains $(1, \mathrm{poly})$-programmable as long as the size of the alphabet is polynomial in the security parameter. This result readily implies the security of the multi-source blind signature scheme for addition:

Theorem 7. This multi-source blind signature scheme for addition is blind and unforgeable under the DLin assumption as long as the alphabet size and the number of sources are polynomial in the security parameter.

5 Non-Binary Waters Function Programmability

In this section, we prove that for a polynomial-size alphabet, the Waters function remains programmable. We recall some notations introduced in [14] and show our result, which can be seen as an improvement over the result presented by Naccache [16], where he considered a variant of the Waters identity-based encryption [20] with shorter public parameters.

5.1 Definitions

Let us recall some basic definitions. A family of cyclic groups $\mathcal{G} = (\mathbb{G}_\lambda)_{\lambda \in \mathbb{N}}$, indexed by a security parameter $\lambda$, is called a group family. A group hash function $H$ for $\mathcal{G}$, an alphabet $\Sigma = \Sigma(\lambda)$ and an input length $\ell = \ell(\lambda)$ is a pair of probabilistic polynomial-time algorithms $(\mathsf{PHF.Gen}, \mathsf{PHF.Eval})$ such that:
– $\mathsf{PHF.Gen}$ takes as input a security parameter $\lambda$ and outputs a key $\kappa$;
– $\mathsf{PHF.Eval}$ takes as input a key $\kappa$ output by $\mathsf{PHF.Gen}$ and a string $X \in \Sigma^\ell$, and outputs an element of $\mathbb{G}_\lambda$.

Definition 8 (cf. [14]). A group hash function $(\mathsf{PHF.Gen}, \mathsf{PHF.Eval})$ is $(m, n, \delta)$-programmable if there exist two PPT algorithms $(\mathsf{PHF.TrapGen}, \mathsf{PHF.TrapEval})$ such that
– Syntactics: For $g, h \in \mathbb{G}$, $\mathsf{PHF.TrapGen}(1^\lambda, g, h)$ generates a key $\kappa'$ and a trapdoor $t$ such that $\mathsf{PHF.TrapEval}(t, X)$ produces integers $a_X, b_X$ for any $X \in \Sigma^\ell$;
– Correctness: For all generators $g, h \in \mathbb{G}$, all $(\kappa', t) \leftarrow \mathsf{PHF.TrapGen}(1^\lambda, g, h)$ and all $X \in \Sigma^\ell$, $H_{\kappa'}(X) := \mathsf{PHF.Eval}(\kappa', X)$ satisfies $H_{\kappa'}(X) = g^{a_X} h^{b_X}$, where $(a_X, b_X) := \mathsf{PHF.TrapEval}(t, X)$;
– Statistically close trapdoor keys: For all generators $g, h \in \mathbb{G}$, the functions $\mathsf{PHF.Gen}(1^\lambda)$ and $\mathsf{PHF.TrapGen}(1^\lambda, g, h)$ output keys $\kappa$ and $\kappa'$ that are statistically close;
– Well-distributed logarithms: For all generators $g, h \in \mathbb{G}$, all $(\kappa', t)$ output by $\mathsf{PHF.TrapGen}(1^\lambda, g, h)$ and all strings $(X_i)_{i=1,\dots,m}, (Z_i)_{i=1,\dots,n} \in \Sigma^\ell$ such that $X_i \neq Z_j$ for all $i, j$, we have
$\Pr[a_{X_1} = \dots = a_{X_m} = 0 \wedge a_{Z_1} \cdots a_{Z_n} \neq 0] \geq \delta$,
where the probability is taken over the random coins used by $\mathsf{PHF.TrapGen}$, and $(a_{X_i}, b_{X_i}) := \mathsf{PHF.TrapEval}(t, X_i)$, $(a_{Z_i}, b_{Z_i}) := \mathsf{PHF.TrapEval}(t, Z_i)$.

5.2 Instantiation with the Waters function

Let us consider the Waters function presented in [20].

Definition 9 (Multi-Generator PHF). Let $\mathcal{G} = (\mathbb{G}_\lambda)$ be a group family, and $\ell = \ell(\lambda)$ a polynomial. We define $F = (\mathsf{PHF.Gen}, \mathsf{PHF.Eval})$ as the following group hash function:
– $\mathsf{PHF.Gen}(1^\lambda)$ outputs $\kappa = (h_0, \dots, h_\ell) \xleftarrow{\$} \mathbb{G}^{\ell+1}$;
– $\mathsf{PHF.Eval}(\kappa, X)$ parses $\kappa$ and $X = (x_1, \dots, x_\ell) \in \{0,1\}^\ell$ and outputs $F_\kappa(X) = h_0 \prod_{i=1}^{\ell} h_i^{x_i}$.

This function was shown to be $(1, q, \delta)$-programmable with $\delta = O(1/(q\sqrt{\ell}))$ and $(2, 1, \delta)$-programmable with $\delta = O(1/\ell)$ (cf. [14]). However, this definition requires generating and storing $n + 1$ group generators, where $n$ is the bit-length of the messages one wants to hash. We consider a more general case where, instead of hashing bit-per-bit, we hash blocks of bits.

Definition 10 (Improved Multi-Generator PHF). Let $\mathcal{G} = (\mathbb{G}_\lambda)$ be a group family, $\Sigma = \{0, \dots, \tau\}$ a finite alphabet and $\ell = \ell(\lambda)$ a polynomial. We define $F^+ = (\mathsf{PHF.Gen}, \mathsf{PHF.Eval})$ as the following group hash function:
– $\mathsf{PHF.Gen}(1^\lambda)$ returns $\kappa = (h_0, \dots, h_\ell) \xleftarrow{\$} \mathbb{G}^{\ell+1}$;
– $\mathsf{PHF.Eval}(\kappa, X)$ parses $\kappa$ and $X = (x_1, \dots, x_\ell) \in \Sigma^\ell$ and returns $F^+_\kappa(X) = h_0 \prod_{i=1}^{\ell} h_i^{x_i}$.
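As an added example (not code from the paper), the following Python model implements Definition 10 together with the trapdoor algorithms $\mathsf{PHF.TrapGen}$/$\mathsf{PHF.TrapEval}$ used in the proof of Theorem 12 below, over a constructed toy group (the order-1019 subgroup of $\mathbb{Z}_{2039}^*$, which offers no security). It checks the correctness property of Definition 8, the hash-of-the-sum property on which the addition scheme of Section 4.2 relies, and estimates $\Pr[a(X') = 0]$ empirically; the group, the generators $g = 4$, $h = 9$ and all parameter values are assumptions of this example.

```python
import random

# Constructed toy group, not the paper's: the order-Q subgroup of Z_P^* for the
# safe prime P = 2*Q + 1. It only serves to check the algebra and offers no security.
P = 2039
Q = 1019
G, H = 4, 9  # 2^2 and 3^2 mod P: quadratic residues, hence elements of order Q


def is_group_element(x):
    """True iff x lies in the prime-order subgroup generated by G."""
    return 1 <= x < P and pow(x, Q, P) == 1


def phf_gen(rng, ell):
    """PHF.Gen of Definition 10: a key kappa = (h_0, ..., h_ell) of random group elements."""
    return [pow(G, rng.randrange(1, Q), P) for _ in range(ell + 1)]


def phf_eval(kappa, X):
    """PHF.Eval of Definition 10: F^+_kappa(X) = h_0 * prod_i h_i^{x_i} for X in {0..tau}^ell."""
    if len(X) != len(kappa) - 1:
        raise ValueError("word length must equal ell")
    out = kappa[0]
    for h_i, x_i in zip(kappa[1:], X):
        out = out * pow(h_i, x_i, P) % P
    return out


def phf_trapgen(rng, g, h, ell, J):
    """PHF.TrapGen(1^lambda, g, h) from the proof of Theorem 12.

    Each a_i is a random walk of length J (a sum of J uniform values in {-1, 0, 1}),
    each b_i is a random exponent, and h_i = g^{a_i} h^{b_i} for i in {0, ..., ell}.
    """
    a = [sum(rng.choice((-1, 0, 1)) for _ in range(J)) for _ in range(ell + 1)]
    b = [rng.randrange(Q) for _ in range(ell + 1)]
    kappa = [pow(g, a_i % Q, P) * pow(h, b_i, P) % P for a_i, b_i in zip(a, b)]
    return kappa, (a, b)


def phf_trapeval(t, X):
    """PHF.TrapEval(t, X): a_X = a_0 + sum_i a_i X_i and b_X = b_0 + sum_i b_i X_i.

    a_X is kept as a plain integer (the event 'a_X = 0' is about the integer),
    b_X is reduced modulo the group order.
    """
    a, b = t
    a_X = a[0] + sum(a_i * x_i for a_i, x_i in zip(a[1:], X))
    b_X = (b[0] + sum(b_i * x_i for b_i, x_i in zip(b[1:], X))) % Q
    return a_X, b_X


def correctness_holds(g, h, kappa, t, X):
    """Correctness property of Definition 8: PHF.Eval(kappa, X) == g^{a_X} h^{b_X}."""
    a_X, b_X = phf_trapeval(t, X)
    return phf_eval(kappa, X) == pow(g, a_X % Q, P) * pow(h, b_X, P) % P


def sum_hash_holds(kappa, words):
    """Property behind the addition scheme of Section 4.2: the product of the hashes
    of n words, once the n-1 surplus copies of h_0 are divided out, equals the hash
    of their coordinate-wise sum, so the signer signs sum M_i without seeing any M_i."""
    n = len(words)
    product = 1
    for w in words:
        product = product * phf_eval(kappa, w) % P
    product = product * pow(kappa[0], -(n - 1), P) % P
    total = [sum(col) for col in zip(*words)]
    return product == phf_eval(kappa, total)


def estimate_zero_probability(ell, J, X, trials, seed=1):
    """Monte Carlo estimate of Pr[a(X') = 0] over the coins of PHF.TrapGen, with
    X' = 1 :: X carrying the hardwired 1 in front of a_0 (Section 5.2).
    The b_i do not influence a_X, so they are set to 0 here to save group operations."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        a = [sum(rng.choice((-1, 0, 1)) for _ in range(J)) for _ in range(ell + 1)]
        if phf_trapeval((a, [0] * (ell + 1)), X)[0] == 0:
            hits += 1
    return hits / trials


def demo_instance(seed=2012, ell=3, J=9):
    """One trapdoor instance with seeded coins: returns (g, h, kappa, t)."""
    kappa, t = phf_trapgen(random.Random(seed), G, H, ell, J)
    return G, H, kappa, t


if __name__ == "__main__":
    g, h, kappa, t = demo_instance()
    print("correctness on (5, 0, 2):", correctness_holds(g, h, kappa, t, [5, 0, 2]))
    print("hash of the sum:", sum_hash_holds(kappa, [[1, 0, 1], [0, 1, 1], [1, 1, 0]]))
    print("Pr[a_0 = 0], J = 9:", estimate_zero_probability(3, 9, [0, 0, 0], 5000))
    print("Pr[a(1::(3,3,3)) = 0]:", estimate_zero_probability(3, 9, [3, 3, 3], 5000))
```

With $X = (0, 0, 0)$ the estimate is just $\Pr[a_0 = 0]$ for a walk of length $J = 9$ (exactly $3139/3^9 \approx 0.16$), and any non-zero word gives a smaller value, as the upper bound in the proof of Theorem 12 states.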
Using a larger alphabet allows hashing from a larger domain with a smaller hash key, but it comes at a price, since one can easily prove that the function is no longer $(2, 1)$-programmable (i.e., no longer $(2, 1, \delta)$-programmable for a non-negligible $\delta$):

Theorem 11 ((2,1)-Programmability). For any group family $\mathcal{G}$ with known order and $\tau > 1$, the function $F^+$ is not a $(2,1)$-programmable hash function if the discrete logarithm problem is hard in $\mathcal{G}$.

Proof. Consider a discrete logarithm challenge $(g, h)$ in a group $\mathbb{G}_\lambda$ and suppose by contradiction that the function $F^+$ is $(2, 1)$-programmable with $\tau \geq 2$ (i.e., we suppose that there exist two probabilistic polynomial-time algorithms $(\mathsf{PHF.TrapGen}, \mathsf{PHF.TrapEval})$ satisfying Definition 8 for a non-negligible $\delta$). For any hash key $\kappa'$ and trapdoor $t$ generated by $\mathsf{PHF.TrapGen}(1^\lambda, g, h)$, we can consider the messages $X_1 = (2, 0)$, $X_2 = (1, 1)$, $Z = (0, 2)$, and with non-negligible probability over the random coins used by $\mathsf{PHF.TrapGen}$ we have $a_{X_1} = a_{X_2} = 0$ and $a_Z \neq 0$, where $(a_{X_1}, b_{X_1}) := \mathsf{PHF.TrapEval}(t, X_1)$, $(a_{X_2}, b_{X_2}) := \mathsf{PHF.TrapEval}(t, X_2)$ and $(a_Z, b_Z) := \mathsf{PHF.TrapEval}(t, Z)$. By the correctness property, we have
$g^{a_Z} h^{b_Z} = h_0 h_2^2 = (h_0 h_1 h_2)^2 / (h_0 h_1^2) = h^{2 b_{X_2}} / h^{b_{X_1}}$,
and we can extract the discrete logarithm of $g$ in base $h$ as follows:
$\log_h(g) = \dfrac{2 b_{X_2} - b_{X_1} - b_Z}{a_Z} \bmod |\mathbb{G}_\lambda|$. □

However, we still have the interesting property:

Theorem 12 ((1,poly)-Programmability). For any polynomial $q$ and a group family $\mathcal{G}$ with groups of known order, the function $F^+$ is a $(1, q, \delta)$-programmable hash function with $\delta = \Omega(1/(\tau q \sqrt{\ell}))$.

Remark 13. This theorem improves the result presented by Naccache in [16], where the lower bound on the $(1, q, \delta)$-programmability was only $\delta = \Omega(1/(\tau q \ell))$.

Remark 14. In order to be able to sign all messages in a set $\mathcal{M}$, we have to consider parameters $\tau$ and $\ell$ such that $\tau^\ell \geq \#\mathcal{M}$, but the security is proved only if the value $\delta$ is non-negligible (i.e. if $\ell = \lambda^{O(1)}$ and $\tau = \lambda^{O(1)}$).
In particular, if $\mathcal{M}$ is of polynomial size in $\lambda$ (which is the case in our WSN application with data aggregation), one can use $\tau = \#\mathcal{M}$ and $\ell = 1$ (namely, the Boneh-Boyen hash function), and therefore get data confidentiality.

Proof. Let us first introduce some notations. Let $n \in \mathbb{N}^*$, and let $A_j$ be independent and uniform random variables in $\{-1, 0, 1\}$ (for $j \in \{1, \dots, n\}$). If we denote $2\sigma_j^2$ their quadratic moment, we have $2\sigma_j^2 = 2/3$ and $\sigma_j = \sqrt{1/3}$. We note $s_n^2 = \sum_{j=1}^n \sigma_j^2 = n/3$.

The Local Central Limit Theorem. Our analysis relies on a classical result on random walks, called the Local Central Limit Theorem. It basically provides an approximation of $\Pr[\sum A_j = a]$ for independent random variables $A_j$. This is a version of the Central Limit Theorem in which the conclusion is strengthened from convergence of the law to locally uniform pointwise convergence of the densities. It is worded as follows in [9, Theorem 1.1], where $\phi$ and $\Phi$ are the standard normal density and distribution functions:

Theorem 15. Let $A_j$ be independent, integer-valued random variables, where $A_j$ has probability mass function $f_j$ (for $j \in \mathbb{N}^*$). For each $j, n \in \mathbb{N}^*$, let $q(f_j) = \sum_k \min(f_j(k), f_j(k+1))$ and $Q_n = \sum_{j=1}^n q(f_j)$. Denote $S_n = A_1 + \dots + A_n$. Suppose that there are sequences of numbers $(\alpha_n)$, $(\beta_n)$ such that
1. $\lim_{n \to \infty} \Pr[(S_n - \alpha_n)/\beta_n < t] = \Phi(t)$, $-\infty < t < \infty$,
2. $\beta_n \to \infty$,
3. and $\limsup \beta_n^2 / Q_n < \infty$,
then $\sup_k |\beta_n \Pr[S_n = k] - \phi((k - \alpha_n)/\beta_n)| \to 0$ as $n \to \infty$.¹

While those notations may seem a little overwhelming, they can be easily explained in our case, with $A_j \in \{-1, 0, 1\}$ with probability $1/3$ for each value.
1. It requires the variables to satisfy the Lindeberg-Feller theorem. However, as long as the variables satisfy Lindeberg's condition², this is true for $\beta_n = s_n$ and $\alpha_n = 0$.
2. In our application, $\beta_n = s_n = \sqrt{n/3}$, so again we comply with the condition.
3. Since $f_j(k)$ is simply the probability that $A_j$ equals $k$, we have $q(f_j) = 2/3$. This leads to $Q_n = 2n/3$.
As a consequence, $\beta_n^2 / Q_n = 1/2$. So we have $\sup_k |\beta_n \Pr[S_n = k] - \phi((k - \alpha_n)/\beta_n)| \to 0$, that is, in our case,
$\sup_k \left| \sqrt{n/3}\, \Pr[S_n = k] - \phi\big(k / \sqrt{n/3}\big) \right| \to 0$.
We solely focus on the case $k = 0$: since $\phi(0) = 1/\sqrt{2\pi}$, $\Pr[S_n = 0] = \Theta(1/\sqrt{n})$. In addition, it is clear that $\Pr[S_n = k] \leq \Pr[S_n = 0]$ for any $k \neq 0$ (cf. [14]).

¹ The so-called Berry-Esseen theorem gives the rate of convergence of this supremum.
² Lindeberg's condition is a sufficient criterion of the Lindeberg-Feller theorem; for variables with a null expected value it requires that $\forall \epsilon > 0$, $\lim_{n \to \infty} \frac{1}{s_n^2} \sum_{j=1}^n \mathbb{E}\big[A_j^2 \cdot \mathbb{1}_{\{|A_j| > \epsilon s_n\}}\big] \to 0$. In our case, as soon as $n > 3/\epsilon^2$, we have $|A_j| \leq 1 \leq \epsilon \sqrt{n/3} = \epsilon s_n$, so the sum is null. ($\mathbb{1}_{\{|A_j| > \epsilon s_n\}}$ is the indicator function of variables greater than $\epsilon s_n$.)

Lemma 16. Let $(A_{ij})_{[[1,n]] \times [[1,J]]}$ be independent, integer-valued random variables in $\{-1, 0, 1\}$. Then for all $X \in [[1, \tau]]^n$, $\Pr[\sum_{i=1}^n \sum_{j=1}^J X_i A_{ij} = 0] = \Omega(1/(\tau \sqrt{nJ}))$, where the probability distribution is over the $A_{ij}$.

This lemma will be useful to prove the lower bound in the following. We only consider words with no null coefficient $X_i$: if some $X_i$ is null, we simply work with a shorter random walk of length $J \cdot (n - 1)$ instead of $Jn$.

Proof. Let us denote $d_{ij}$ the random variable defined as $X_i A_{ij}$: they are independent, integer-valued random variables. As above, $s_n^2 = \sum_{i=1}^n \sum_{j=1}^J \sigma_{ij}^2 = \sum_{i=1}^n J X_i^2 / 3$. So $nJ/3 \leq s_n^2 \leq n\tau^2 J/3$.
1. Lindeberg's condition is verified. As soon as $n > 3\tau/(J\epsilon^2)$, we have $\epsilon s_n > \tau$ and so $|d_{ij}| < \epsilon s_n$, and so once again the sum is null.
2. $s_n \to \infty$.
3. Each $d_{ij} \in \{-X_i, 0, X_i\}$ with probability $1/3$ for each value, so $q(f_{ij}) = 2/3$ and $Q_n = \sum_{i,j} q(f_{ij}) = 2nJ/3$. So $\beta_n^2 / Q_n \leq (n\tau^2 J/3)/(2nJ/3) = \tau^2/2 < \infty$.
Then we can apply the Local Central Limit Theorem to the $d_{ij}$'s and conclude: $\Pr[\sum_{i=1}^n \sum_{j=1}^J X_i A_{ij} = 0] = \Theta(1/s_n) = \Theta(1/(\tau\sqrt{nJ}))$. □

In the following, we will denote $a(X) = \sum_{i=1}^n a_i X_i$, where $X \in \{0, \dots, \tau\}^n$.
The probabilities will be over the $a_{ij}$ variables, while $X$ and $Y$ are assumed to be chosen by the adversary. Our goal is to show that even for bad choices of $X$ and $Y$, a random draw of the $a_{ij}$ provides enough freedom.

Let $J = J(\lambda)$ be a positive function. We define the following two probabilistic polynomial-time algorithms $(\mathsf{PHF.TrapGen}, \mathsf{PHF.TrapEval})$:
– $\mathsf{PHF.TrapGen}(1^\lambda, g, h)$: chooses some independent and uniform elements $(a_{ij})_{i \in \{0,\dots,\ell\},\, j \in \{1,\dots,J\}}$ in $\{-1, 0, 1\}$, and random group exponents $(b_i)_{i \in \{0,\dots,\ell\}}$. It sets $a_i = \sum_{j=1}^J a_{ij}$ and $h_i = g^{a_i} h^{b_i}$ for $i \in \{0, \dots, \ell\}$. It then outputs the hash key $\kappa = (h_0, \dots, h_\ell)$ and the trapdoor $t = (a_0, b_0, \dots, a_\ell, b_\ell)$.
– $\mathsf{PHF.TrapEval}(t, X)$: parses $X = (X_1, \dots, X_\ell) \in \Sigma^\ell = \{0, \dots, \tau\}^\ell$ and outputs $a_X = a_0 + \sum a_i X_i$ and $b_X = b_0 + \sum b_i X_i$.

As this definition readily satisfies the syntactic and correctness requirements, we only have to prove the two other ones. We stress the importance of the hardwired $1$ in front of $a_0$: this allows us to consider the multisets $X' = 1 :: X$ and $Y' = 1 :: Y$, so that there is no $k$ such that $X' = kY'$. We also stress that $a_i = \sum_{j=1}^J a_{ij}$ is already a random walk of length $J$ (described by the $a_{ij}$), on which we can apply the Local Central Limit Theorem, and so $\Pr[a_i = 0] = \Theta(1/\sqrt{J})$.

By noticing that summing independent random walks is equivalent to a longer one, and applying the Local Central Limit Theorem, we have:
$\Theta\big(1/(\tau\sqrt{(\ell+1)J})\big) \leq \Pr[a(X') = 0] \leq \Theta(1/\sqrt{J})$.
To explain further the two bounds:
– For the upper bound: we consider $X$ fixed, and note $t = \sum_{i=1}^\ell a_i X_i$; by construction the $a_i$ are independent, so $a_0$ is independent from $t$, and then $\Pr[a(X') = 0] = \Pr[a_0 = -t] \leq \Pr[a_0 = 0] \leq \Theta(1/\sqrt{J})$, using the above remark that a random walk is more likely to reach $0$ than any other value, and that $a_0$ is a random walk of length $J$.
– For the lower bound, we proceed by induction on $\ell$, to show $H_\ell : \Theta\big(1/(\tau\sqrt{(\ell+1)J})\big) \leq \Pr[a(X') = 0]$ (where $X' \in 1 :: [[0, \tau]]^\ell$).
For $\ell = 0$, we consider $X' = 1$: we have a random walk of length $J$, so $\Theta(1/(\tau\sqrt{J})) \leq \Theta(1/\sqrt{J}) \leq \Pr[a(X') = 0]$. We note $X_0 = 1$ for the hardwired $1$ in $X'$. Let us suppose the property true at rank $k$, and prove it at rank $k + 1$:
• If $\exists i_0$, $X_{i_0} = 0$, then we can consider a random walk of length $k$ and apply the previous step, and conclude because $\Theta\big(1/(\tau\sqrt{(k+1)J})\big) \leq \Theta\big(1/(\tau\sqrt{kJ})\big)$.
• Else, one can apply Lemma 16 to conclude.
Therefore, $\forall \ell$, $\forall X' \in 1 :: [[0, \tau]]^\ell$, $\Theta\big(1/(\tau\sqrt{(\ell+1)J})\big) \leq \Pr[a(X') = 0]$.

We can now deduce that $\forall X, Y \in [[0, \tau]]^\ell$ with $X \neq Y$: $\Pr[a(Y') = 0 \mid a(X') = 0] \leq \Theta(1/\sqrt{J})$. This can easily be seen by noting $i_0$ the first index where $Y_i \neq X_i$. We note $\bar{X}' = X' - X_{i_0}$ (the word $X'$ without its coordinate $i_0$), and in the following we use the fact that $a(X') = 0 \Leftrightarrow a(\bar{X}') = -a_{i_0} X_{i_0}$.³
$\Pr[a(Y') = 0 \mid a(X') = 0] \leq \Pr[a(Y') = a(X') \mid a(X') = 0]$
$\quad \leq \Pr[Y_{i_0} a_{i_0} + a(\bar{Y}') = X_{i_0} a_{i_0} + a(\bar{X}') \mid a(X') = 0]$
$\quad \leq \max_t \Pr[(Y_{i_0} - X_{i_0}) a_{i_0} = t \mid a(\bar{X}') = -X_{i_0} a_{i_0}]$ (1)
$\quad \leq \max_{s, t'} \Pr[a_{i_0} = t' \mid a(\bar{X}') = s]$ (2)
$\quad \leq \max_{t'} \Pr[a_{i_0} = t']$ (3)
$\quad \leq \Pr[a_{i_0} = 0] \leq \Theta(1/\sqrt{J})$
(1) We start with $(Y_{i_0} - X_{i_0}) a_{i_0} = a(\bar{X}') - a(\bar{Y}')$, and then consider the maximum probability over all values of $a(\bar{X}') - a(\bar{Y}')$. (2) We consider the maximum probability over all values of $-X_{i_0} a_{i_0}$. (3) $a_{i_0}$ and $a(\bar{X}')$ are independent.

Hence, for all $X_1, Y_1, \dots, Y_q$, we have
$\Pr[a_{X_1} = 0 \wedge a_{Y_1}, \dots, a_{Y_q} \neq 0] = \Pr[a_{X_1} = 0] \cdot \Pr[a_{Y_1}, \dots, a_{Y_q} \neq 0 \mid a_{X_1} = 0]$
$\quad \geq \Theta\big(1/(\tau\sqrt{(\ell+1)J})\big) \Big(1 - \sum_{i=1}^q \Pr[a_{Y_i} = 0 \mid a_{X_1} = 0]\Big)$
$\quad \geq \Theta\big(1/(\tau\sqrt{(\ell+1)J})\big) \big(1 - q\,\Theta(1/\sqrt{J})\big)$.
Now we set $J = q^2$ to obtain the result. In that case the experiment success is lower-bounded by something linear in $1/(q\tau\sqrt{\ell+1})$. □

³ $X \neq Y$, so $i_0$ exists, and thanks to the hardwired $1$ we do not have to worry about $Y'$ being a multiple of $X'$.

Acknowledgments

This work was supported in part by the European Commission through the ICT Program under Contract ICT-2007-216676 ECRYPT II.

References

1. Masayuki Abe, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. Structure-preserving signatures and commitments to group elements. In CRYPTO 2010, LNCS, pages 209–236. Springer, August 2010.
2. Masayuki Abe and Eiichiro Fujisaki. How to date blind signatures. In ASIACRYPT 1996, volume 1163 of LNCS, pages 244–251. Springer, November 1996.
3. Masayuki Abe and Tatsuaki Okamoto. Provably secure partially blind signatures. In CRYPTO 2000, volume 1880 of LNCS, pages 271–286. Springer, August 2000.
4. Olivier Blazy, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. Signatures on randomizable ciphertexts. In PKC 2011, volume 6571 of LNCS, pages 403–422. Springer, 2010.
5. Olivier Blazy, David Pointcheval, and Damien Vergnaud. Round-optimal privacy-preserving protocols with smooth projective hash functions. In TCC 2012, volume 7194 of LNCS, pages 94–111. Springer, 2012.
6. Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO 2004, volume 3152 of LNCS, pages 41–55. Springer, August 2004.
7. Xavier Boyen and Brent Waters. Compact group signatures without random oracles. In EUROCRYPT 2006, volume 4004 of LNCS, pages 427–444. Springer, May / June 2006.
8. David Chaum. Blind signatures for untraceable payments. In CRYPTO 1982, pages 199–203. Plenum Press, New York, USA, 1983.
9. Burgess Davis and David McDonald. An elementary proof of the local central limit theorem. Journal of Theoretical Probability, 8(3), July 1995.
10. Marc Fischlin. Round-optimal composable blind signatures in the common reference string model. In CRYPTO 2006, volume 4117 of LNCS, pages 60–77. Springer, August 2006.
11. Georg Fuchsbauer. Commuting signatures and verifiable encryption and an application to non-interactively delegatable credentials. Cryptology ePrint Archive, Report 2010/233, 2010.
12. Sanjam Garg, Vanishree Rao, Amit Sahai, Dominique Schröder, and Dominique Unruh. Round optimal blind signatures. In CRYPTO 2011, pages 630–648. Springer, August 2011.
13. Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT 2008, volume 4965 of LNCS, pages 415–432. Springer, April 2008.
14. Dennis Hofheinz and Eike Kiltz. Programmable hash functions and their applications. In CRYPTO 2008, volume 5157 of LNCS, pages 21–38. Springer, August 2008.
15. Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Sequential aggregate signatures and multisignatures without random oracles. In EUROCRYPT 2006, volume 4004 of LNCS, pages 465–485. Springer, 2006.
16. David Naccache. Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369, 2005.
17. Tatsuaki Okamoto. Efficient blind and partially blind signatures without random oracles. In TCC 2006, volume 3876 of LNCS, pages 80–99. Springer, March 2006.
18. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. Journal of Cryptology, 13(3):361–396, 2000.
19. Jae Hong Seo and Jung Hee Cheon. Beyond the limitation of prime-order bilinear groups, and round optimal blind signatures. In TCC 2012, volume 7194 of LNCS, pages 133–150. Springer, 2012.
20. Brent R. Waters. Efficient identity-based encryption without random oracles. In EUROCRYPT 2005, volume 3494 of LNCS, pages 114–127. Springer, May 2005.

A Blind Signatures

Definition 17 (Blind Signature Scheme). $\mathcal{BS} = (\mathsf{Setup}_{BS}, \mathsf{KeyGen}_{BS}, \langle \mathcal{S}, \mathcal{U} \rangle, \mathsf{Verif}_{BS}(pk_{BS}, m, \sigma))$ where
– $\mathsf{Setup}_{BS}(1^\lambda)$, where $\lambda$ is the security parameter, generates the global parameters $param_{BS}$ of the system;
– $\mathsf{KeyGen}_{BS}(param_{BS})$ generates a pair of keys $(pk_{BS}, sk_{BS})$;
– Signature Issuing: this is an interactive protocol between the algorithms $\mathcal{S}(sk_{BS})$ and $\mathcal{U}(pk_{BS}, m)$, for a message $m \in \{0,1\}^n$. It generates an output $\sigma$ for the user: $\sigma \leftarrow \langle \mathcal{S}(sk_{BS}), \mathcal{U}(pk_{BS}, m) \rangle$;
– $\mathsf{Verif}_{BS}(pk_{BS}, m, \sigma)$ outputs $1$ if the signature $\sigma$ is valid with respect to $m$ and $pk_{BS}$, $0$ otherwise.
The security of a blind signature scheme is defined through two different notions, blindness and unforgeability. An adversary $\mathcal{U}$ against the unforgeability tries to generate $q_s + 1$ valid signatures after at most $q_s$ complete interactions with the honest signer. The blindness condition is, on the other hand, linked to the signer. It states that a malicious signer $\mathcal{S}^*$ should be unable to decide which of two messages $m_0, m_1$ has been signed first in two executions with an honest user $\mathcal{U}$. In the following we note $\sigma_b$ the signature on $m_b$. If $\mathcal{S}^*$ refuses to sign one of the inputs (i.e. $\sigma_i = \bot$), then the two resulting signatures are set to $\bot$; therefore he cannot gain any advantage by preventing the normal game execution, and he has to sign both inputs.

We also define an unforgeability notion which slightly differs from the original one [18], in the sense that we do not exclude malleability, since we will eventually use randomizable signatures. We thus count the number of distinct signed messages, which should not be larger than the number of interactions with the signer, whereas the initial definition counted the number of distinct message-signature pairs: $\mathcal{BS}$ is unforgeable if, for any polynomial adversary $\mathcal{U}^*$ (malicious user), the advantage $\mathsf{Succ}^{uf}_{\mathcal{BS}, \mathcal{U}^*}(\lambda)$ is negligible, where $\mathsf{Succ}^{uf}_{\mathcal{BS}, \mathcal{U}^*}(\lambda) = \Pr[\mathsf{Exp}^{uf}_{\mathcal{BS}, \mathcal{U}^*}(\lambda) = 1]$, in the security game presented in Figure 4.

$\mathsf{Exp}^{bl\text{-}b}_{\mathcal{BS}, \mathcal{S}^*}(\lambda)$:
  $(pk_{BS}, m_0, m_1, st_{FIND}) \leftarrow \mathcal{S}^*(\mathrm{FIND}, 1^\lambda)$; $b \xleftarrow{\$} \{0,1\}$;
  $st_{ISSUE} \leftarrow \mathcal{S}^{*\langle \cdot, \mathcal{U}(pk_{BS}, m_b) \rangle^1, \langle \cdot, \mathcal{U}(pk_{BS}, m_{1-b}) \rangle^1}(\mathrm{ISSUE}, st_{FIND})$;
  IF $\sigma_0 = \bot$ OR $\sigma_1 = \bot$, $(\sigma_0, \sigma_1) \leftarrow (\bot, \bot)$;
  $b^* \leftarrow \mathcal{S}^*(\mathrm{GUESS}, \sigma_0, \sigma_1, st_{ISSUE})$;
  IF $b = b^*$ RETURN 1 ELSE RETURN 0.
Figure 3. Blindness for blind signatures

$\mathsf{Exp}^{uf}_{\mathcal{BS}, \mathcal{U}^*}(\lambda)$:
  $param_{BS} \leftarrow \mathsf{Setup}_{BS}(1^\lambda)$; $(pk_{BS}, sk_{BS}) \leftarrow \mathsf{KeyGen}_{BS}(param_{BS})$;
  $\big((m_1, \sigma_1), \dots, (m_{q_s+1}, \sigma_{q_s+1})\big) \leftarrow \mathcal{U}^{*\mathcal{S}(sk_{BS}, \cdot)^{q_s}}(pk_{BS})$;
  IF $\exists i \neq j$, $m_i = m_j$ OR $\exists i$, $\mathsf{Verif}_{BS}(pk_{BS}, m_i, \sigma_i) = 0$ RETURN 0 ELSE RETURN 1.
Figure 4. Unforgeability for blind signatures (One-More Forgery)

In this experiment, the adversary $\mathcal{U}^*$ can interact $q_s$ times with the signing oracle $\mathcal{S}(sk_{BS}, \cdot)$ (hence the notation $\mathcal{U}^{*\mathcal{S}(sk_{BS}, \cdot)^{q_s}}(pk_{BS})$) to execute the blind signature protocol: the adversary should not be able to produce more signatures on distinct messages than interactions with the signer. Our relaxation from the original One-More Forgery security comes from the fact that we will come up with randomizable signatures: from a message-signature pair, one can generate many signatures on the same message.

B Security Games of User-Friendly Partially Blind Signatures

$\mathsf{Exp}^{bl\text{-}b}_{\mathcal{PBS}, \mathcal{S}^*}(\lambda)$:
  $(pk_{BS}, m_0, m_1, st_{FIND}, info_c, info_s) \leftarrow \mathcal{S}^*(\mathrm{FIND}, 1^\lambda)$; $b \xleftarrow{\$} \{0,1\}$;
  $st_{ISSUE} \leftarrow \mathcal{S}^{*\langle \cdot, \mathcal{U}(pk_{BS}, m_b) \rangle^1, \langle \cdot, \mathcal{U}(pk_{BS}, m_{1-b}, info_c, info_s) \rangle^1}(\mathrm{ISSUE}, st_{FIND})$;
  IF $\sigma_0 = \bot$ OR $\sigma_1 = \bot$, $(\sigma_0, \sigma_1) \leftarrow (\bot, \bot)$;
  $b^* \leftarrow \mathcal{S}^*(\mathrm{GUESS}, \sigma_0, \sigma_1, st_{ISSUE})$;
  IF $b = b^*$ RETURN 1 ELSE RETURN 0.
Figure 5. Blindness for User-Friendly Partially Blind signatures

$\mathcal{PBS}$ is blind if, for any polynomial adversary $\mathcal{S}^*$ (malicious signer), the advantage $\mathsf{Succ}^{bl}_{\mathcal{PBS}, \mathcal{S}^*}(k)$ is negligible, where $\mathsf{Succ}^{bl}_{\mathcal{PBS}, \mathcal{S}^*}(k) = |\Pr[\mathsf{Exp}^{bl\text{-}b}_{\mathcal{PBS}, \mathcal{S}^*}(k) = 1] - 1/2|$, in the security game presented in Figure 5. If $\mathcal{S}^*$ refuses to sign one of the inputs (i.e. $\sigma_i = \bot$), then the two resulting signatures are set to $\bot$; therefore he cannot gain any advantage by preventing the normal game execution, and he has to sign both inputs. $\mathcal{S}^*$ is able to choose both pieces of the public information; in the real case the signer can abort as long as the user's public information does not suit him, but the public information should be the same for both challenge messages.

$\mathsf{Exp}^{uf}_{\mathcal{PBS}, \mathcal{U}^*}(\lambda)$:
  $param_{BS} \leftarrow \mathsf{Setup}_{BS}(1^\lambda)$; $(pk_{BS}, sk_{BS}) \leftarrow \mathsf{KeyGen}_{BS}(param_{BS})$;
  $\big((m_1, info_{c,1}, info_{s,1}, \sigma_1), \dots, (m_{q_s+1}, info_{c,q_s+1}, info_{s,q_s+1}, \sigma_{q_s+1})\big) \leftarrow \mathcal{U}^{*\mathcal{S}(sk_{BS}, \cdot)^{q_s}}(pk_{BS})$;
  IF $\exists i \neq j$, $(m_i, info_{c,i}, info_{s,i}) = (m_j, info_{c,j}, info_{s,j})$ OR $\exists i$, $\mathsf{Verif}_{BS}(pk_{BS}, m_i, info_{c,i}, info_{s,i}, \sigma_i) = 0$ RETURN 0 ELSE RETURN 1.
Figure 6. Unforgeability for User-Friendly Partially Blind signatures (One-More Forgery)

$\mathcal{PBS}$ is unforgeable if, for any polynomial adversary $\mathcal{U}^*$ (malicious user), the advantage $\mathsf{Succ}^{uf}_{\mathcal{PBS}, \mathcal{U}^*}(\lambda)$ is negligible, where $\mathsf{Succ}^{uf}_{\mathcal{PBS}, \mathcal{U}^*}(\lambda) = \Pr[\mathsf{Exp}^{uf}_{\mathcal{PBS}, \mathcal{U}^*}(\lambda) = 1]$, in the security game presented in Figure 6. In this experiment, the adversary $\mathcal{U}^*$ can interact $q_s$ times with the signing oracle $\mathcal{S}(sk_{BS}, \cdot)$ (hence the notation $\mathcal{U}^{*\mathcal{S}(sk_{BS}, \cdot)^{q_s}}(pk_{BS})$) to execute the user-friendly partially blind signature protocol: the adversary should not be able to produce more signatures on distinct tuples $(m, info_c, info_s)$ than interactions with the signer. Once again we consider that the adversary has full control over the public information.

C Building Blocks

First, let us briefly sketch the basic building blocks: Groth-Sahai commitments, and a variation of the Waters signature. They both need a pairing-friendly environment $(p, \mathbb{G}, \mathbb{G}_T, e, g)$, where $e : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$ is an admissible, non-degenerate, bilinear map, for two groups $\mathbb{G}$ and $\mathbb{G}_T$ of prime order $p$, generated by $g$ and $g_t = e(g, g)$ respectively. From the following descriptions, it is clear that the different primitives are randomizable.

Groth-Sahai Commitments. In the following, several group elements will have to be committed so that proofs can be done on them. We will use perfectly hiding Groth-Sahai commitments. The commitment parameter is of the form $(u_1 = (u_{1,1} = g^{x_1}, 1, g),\ u_2 = (1, u_{2,2} = g^{x_2}, g),\ u_3 = (u_{3,1}, u_{3,2}, u_{3,3})) \in (\mathbb{G}^3)^3$.
– To commit a group element $X \in \mathbb{G}$, one chooses three random scalars $r_1, r_2, r_3 \in \mathbb{Z}_p$ and sets $\mathcal{C}(X) := (c_1 = u_{1,1}^{r_1} \cdot u_{3,1}^{r_3},\ c_2 = u_{2,2}^{r_2} \cdot u_{3,2}^{r_3},\ c_3 = X \cdot g^{r_1 + r_2} \cdot u_{3,3}^{r_3})$.
– To commit a scalar $x \in \mathbb{Z}_p$, one chooses two random scalars $\gamma_1, \gamma_2 \in \mathbb{Z}_p$ and sets (where $\odot$ is the component-wise multiplication) $\mathcal{C}'(x) := (u_{3,1}^x, u_{3,2}^x, (u_{3,3} g)^x) \odot u_1^{\gamma_1} \odot u_2^{\gamma_2} = (c'_1 = u_{3,1}^{x} \cdot u_{1,1}^{\gamma_1},\ c'_2 = u_{3,2}^{x} \cdot u_{2,2}^{\g amma_2},\ c'_3 = u_{3,3}^{x} \cdot g^{x + \gamma_1 + \gamma_2})$.

A Groth-Sahai proof will be a vector of group elements constructed to help the commitments verify a pairing equation derived from the one verified by the associated plaintext. The idea is that with a regular initialization of the commitment parameters ($u_3 = u_1^\nu \odot u_2^\mu$, for two random scalars $\nu, \mu \in \mathbb{Z}_p$), these commitments are perfectly binding and thus the proofs will be perfectly sound. The committed group elements can even be extracted if one knows $x_1, x_2$: $c_3 / (c_1^{1/x_1} c_2^{1/x_2}) = X$, and $c'_3 / (c_1'^{\,1/x_1} c_2'^{\,1/x_2}) = g^x$. However, if $u_3$ is defined as $u_3 = u_1^\nu \odot u_2^\mu \odot (1, 1, g^{-1}) = (u_{3,1} = u_{1,1}^\nu,\ u_{3,2} = u_{2,2}^\mu,\ u_{3,3} = g^{\nu + \mu - 1})$, for two random scalars $\nu, \mu \in \mathbb{Z}_p$, the commitments are perfectly hiding and thus the proofs will perfectly hide the witnesses used in the instantiations. Since the two parameter initializations are indistinguishable under the DLin assumption, we will be able to use the perfectly binding setting in some simulations for the security proofs, whereas the real situation will use the perfectly hiding setting.

Waters Signature. The Waters signature scheme was formally described in [20]. It has been proven existentially unforgeable against chosen-message attacks under the CDH assumption.
– $\mathsf{Setup}(1^\lambda)$: The scheme is defined over a bilinear group $(p, \mathbb{G}, \mathbb{G}_T, e, g)$. The parameters are a randomly chosen generator $h \xleftarrow{\$} \mathbb{G}$ and a vector $(u_0, \dots, u_k) \xleftarrow{\$} \mathbb{G}^{k+1}$; these define the Waters function $\mathcal{F}$ such that, for a message $M = (M_1, \dots, M_k)$, $\mathcal{F}(M) = u_0 \prod_i u_i^{M_i}$. We set $param := (p, \mathbb{G}, \mathbb{G}_T, e, g, h, (u_0, \dots, u_k))$.
– $\mathsf{SKeyGen}(param)$: Choose a random scalar $y \xleftarrow{\$} \mathbb{Z}_p$, which defines $vk = Y = g^y$ and $sk = Z = h^y$.
– $\mathsf{Sign}(sk, M; s)$: To sign a message $M = (M_1, \dots, M_k) \in \{0,1\}^k$, choose $s \xleftarrow{\$} \mathbb{Z}_p$ and define $\sigma = (\sigma_1 = Z \cdot \mathcal{F}(M)^s,\ \sigma_2 = g^s)$.
– $\mathsf{Verif}(vk = Y, M, \sigma)$: Check whether $e(g, \sigma_1) \stackrel{?}{=} e(Y, h) \cdot e(\mathcal{F}(M), \sigma_2)$.

We also use another useful result on the Waters signature (as used in [15]):

Property 18 (Randomizability).
The Waters signature scheme is randomizable: for a valid pair $(M, \sigma)$, if we define $\sigma' = (\sigma_1 \cdot \mathcal{F}(M)^{s'},\ \sigma_2 \cdot g^{s'})$ for a random scalar $s'$, then $\sigma'$ is a random signature of $M$.

Proof. If the initial signature has been generated with $s$ as random coins, the modified signature corresponds to the signature of $M$ with $s + s'$ as random coins. Since this scalar lies in the group $\mathbb{Z}_p$, it leads to a perfectly random signature of $M$. □

Suffixed Waters Signatures. We will use Waters signatures; however, instead of signing one message, we will sign, with the same additional parameters, a concatenation of 3 messages: $m = M \| info_c \| info_s = (M_1, \dots, M_\ell, info_1, \dots, info_f) \in \{0,1\}^k$.

D Multi-Blind Signature: Concatenation

With the previous building blocks, we will sign several commitments of $F_i = \mathcal{F}_i(M_i)$. Instead of the standard $(\mathcal{U}, \mathcal{S})$ interactions, we now have three main kinds of users: $\mathcal{U}_i$, the user $i$, who blinds a commitment on $\mathcal{F}_i(M_i)$; $\mathcal{S}$, who signs the blinded message; and $\mathcal{T}$, the tallier, who verifies/unblinds/randomizes this signature.
– $\mathsf{Setup}_{BS}(1^\lambda)$: In a pairing-friendly environment $(p, \mathbb{G}, \mathbb{G}_T, e, g)$, the algorithm outputs a vector $u = (u_0, (u_{i,1}, \dots, u_{i,k})_{1 \leq i \leq j}) \xleftarrow{\$} \mathbb{G}^{jk+1}$, where $k$ is a polynomial in $\lambda$, and a generator $h \xleftarrow{\$} \mathbb{G}$. We define $\mathcal{F}_i(M_i) = \prod_\ell u_{i,\ell}^{m_{i,\ell}}$.
– $\mathsf{KeyGen}_{BS}(param_{BS})$: Choose $x \xleftarrow{\$} \mathbb{Z}_p$, which defines $pk_{BS} = Y = g^x$ and $sk_{BS} = Z = h^x$, and generate a pair of perfectly-binding Groth-Sahai generators, which define a decryption key $dk_{BS} = (x_1, x_2)$ composed of two scalars.
– $(\mathcal{U}_i, \mathcal{S}, \mathcal{T})$:
  • $\mathsf{Blind}_{BS}(M, pk_{BS}; (r_1, r_2, r_3))$ (where we omit the subscripts $i$): For a message $M \in \{0,1\}^k$ and random scalars in $\mathbb{Z}_p$, define the commitment $c = \mathcal{C}(\mathcal{F}(M)) = (c_1, c_2, c_3)$. We also add, as before, proofs of validity of this commitment:
    ∗ A proof $\Pi_M$ of knowledge of $M$ in $c$, the encrypted $\mathcal{F}(M)$, which consists of a bit-by-bit commitment $\mathcal{C}_M = (\mathcal{C}'(M_1), \dots, \mathcal{C}'(M_k))$ and proofs that each committed value is a bit.
    ∗ A proof that $c_3$ is well-formed, i.e. that $c$ is a double linear encryption of the message $M$ committed in $\mathcal{C}_M$.
    ∗ A proof $\Pi_r$ containing the commitments $\mathcal{C}_r = (\mathcal{C}(Y^{r_1 + r_2}), \mathcal{C}(Y^{r_3}))$ together with proofs asserting that they are well-formed.
  • $\mathsf{Sign}_{BS}(sk_{BS}, (c_i = (c_{1,i}, c_{2,i}, c_{3,i}), \Pi_i)_{1 \leq i \leq j}; s)$: To sign several commitments, first check that they are valid with respect to the proofs $\Pi$ and, after some randomization of those commitments, compute the global commitment $C = (\prod c_{1,i},\ \prod c_{2,i},\ u_0 \prod c_{3,i})$, which is still verifiable thanks to the previous (randomized) proofs, and then output $C = (C_1, C_2, C_3)$ and $\sigma = (C_1^s, C_2^s, Z \cdot C_3^s; g^s)$.
  • $\mathsf{Verif}(pk_{BS}, C = (C_1, C_2, C_3), \sigma = (\sigma_1, \sigma_2, \sigma_3; \sigma_4))$: In order to check the validity of the signature, one checks whether the following equations are verified: $e(\sigma_1, g) = e(C_1, \sigma_4)$, $e(\sigma_2, g) = e(C_2, \sigma_4)$, and $e(\sigma_3, g) = e(h, pk_{BS}) \cdot e(C_3, \sigma_4)$.
  • $\mathsf{Unblind}_{BS}(dk_{BS}, pk_{BS}, (C = (C_1, C_2, C_3), \Pi, \sigma))$: On a valid signature, knowing the decryption key $(x_1, x_2)$, one can obtain $F = \mathcal{F}(M)$ and extract the message $M$ from the bit-by-bit commitments. One can also extract the corresponding valid signature: $\sigma' = (\sigma'_1 = \sigma_3 / (\sigma_1^{1/x_1} \sigma_2^{1/x_2}),\ \sigma'_2 = \sigma_4)$, which is a valid Waters signature on the concatenation of the messages.
  • $\mathsf{Random}_{BS}(pk_{BS}, M, \sigma'; s')$: The latter can eventually be re-randomized to get $\Sigma = (\sigma'_1 \cdot \mathcal{F}(M)^{s'},\ \sigma'_2 \cdot g^{s'})$.
– $\mathsf{Verif}_{BS}(pk_{BS}, M, \sigma = (\sigma_1, \sigma_2))$: In order to check the validity of the signature, one checks whether $e(\sigma_1, g) \stackrel{?}{=} e(h, pk_{BS}) \cdot e(\mathcal{F}(M), \sigma_2)$.

Theorem 19. This multi-source blind signature scheme for concatenation is blind and unforgeable under the CDH and DLin assumptions: no adversary can generate more message-signature pairs on distinct messages than the number of interactions with the signer.

It directly follows from the previous result: combining the different partial Waters hashes into a global one does not weaken the security, as we are still using single exponents on the $u_i$ elements. Groth-Sahai proofs are in the perfectly binding setting to guarantee that each user really outputs the Waters hash of their message on their generators, so that no strange collision may occur and alter the final message.

E Asymmetric Version

All the previous schemes can be updated to work in asymmetric groups. The main, and only, difference comes from the Groth-Sahai commitments. As symmetric bilinear groups are in general less efficient than asymmetric groups, we show how to instantiate our primitive with Groth-Sahai commitments in an asymmetric pairing-friendly group setting, relying on the SXDH assumption.

E.1 Assumptions

The security of Waters signatures in asymmetric bilinear groups was proven under the following variant of the CDH assumption, which states that CDH is hard in $\mathbb{G}_1$ when one of the random scalars is also given as an exponentiation in $\mathbb{G}_2$.

Definition 20 (The Advanced Computational Diffie-Hellman problem (CDH$^+$)). Let us be given two (multiplicative) groups $(\mathbb{G}_1, \mathbb{G}_2)$ of prime order $p$ with $(g_1, g_2)$ as respective generators, and $e$ an admissible bilinear map $\mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$. The CDH$^+$ assumption states that given $(g_1, g_2, g_1^a, g_2^a, g_1^b)$, for random $a, b \in \mathbb{Z}_p$, it is hard to compute $g_1^{ab}$.

ElGamal encryption is secure under the DDH assumption. Since Groth-Sahai commitments are basically double ElGamal encryptions, we assume SXDH, defined below.

Definition 21 (Decisional Diffie-Hellman Assumption (DDH)). Let $\mathbb{G}$ be a cyclic group of prime order $p$. The DDH assumption states that given $(g, g^a, g^b, g^c) \in \mathbb{G}^4$, it is hard to determine whether $c = ab$.

Definition 22 (Symmetric external Diffie-Hellman Assumption (SXDH) [6]). Let $\mathbb{G}_1, \mathbb{G}_2$ be cyclic groups of prime order, and $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ a bilinear map. The SXDH assumption states that the DDH assumption holds in both $\mathbb{G}_1$ and $\mathbb{G}_2$.

E.2 Groth-Sahai Commitments

As above, several elements will have to be committed so that proofs can be done on them. We will use SXDH-based Groth-Sahai commitments, which are a direct transposition of the previous ones to an asymmetric setting, replacing double linear encryption by a double ElGamal one.

Proofs. This time, a Groth-Sahai proof is a pair of elements $(\pi, \theta) \in \mathbb{G}_1^{2 \times 2} \times \mathbb{G}_2^{2 \times 2}$. As above, we will note $\langle x \rangle_1$ for a committed scalar $x$ in $\mathbb{G}_1$, $\langle x \rangle_2$ for a committed scalar $x$ in $\mathbb{G}_2$, or $\langle X \rangle$ for a committed group element $X$. One has to pay attention to the fact that Groth-Sahai bit-by-bit proofs in SXDH require bits to be committed both in $\mathbb{G}_1$ and $\mathbb{G}_2$, and thus require 2 quadratic equations per bit.

E.3 Asymmetric Partially-Blind Signature with Perfect Blindness

The construction is really straightforward. If we follow the steps from the DLin version: we will need 2 group elements for the commitment of $M$ in $\mathbb{G}_1$, 4 group elements to commit $Y_1, Y_2$ in $\mathbb{G}_1$, and the proofs will require 4 group elements in $\mathbb{G}_2$. We will need $6\ell$ elements in each group to commit $M$ and prove we indeed committed it bit-by-bit, and 2 extra group elements in $\mathbb{G}_2$ to prove $c_2$ is well-formed. The signatures on the committed elements will require 3 group elements in $\mathbb{G}_1$ and one in $\mathbb{G}_2$. Therefore the overall scheme will require $(6\ell + 9, 6\ell + 7)$ group elements of communication.