This Journal Version appears
in Journal of Computer Security, Volume 21, Number 5, pages 627–661. 2013.
Short Blind Signatures
Olivier Blazy1 , Georg Fuchsbauer2 , David Pointcheval3 , and Damien Vergnaud3
1
2
Ruhr-Universität Bochum, Germany
Institute of Science and Technology, Austria
3
École normale supérieure, Paris, France †
Abstract Blind signatures allow users to obtain signatures on messages hidden from the signer; moreover,
the signer cannot link the resulting message/signature pair to the signing session. This paper presents blind
signature schemes, in which the number of interactions between the user and the signer is minimal and
whose blind signatures are short. Our schemes are defined over bilinear groups and are proved secure in the
common-reference-string model without random oracles and under standard assumptions: CDH and the
decision-linear assumption. (We also give variants over asymmetric groups based on similar assumptions.)
The blind signatures are Waters signatures, which consist of 2 group elements.
Moreover, we instantiate partially blind signatures, where the message consists of a part hidden from the
signer and a commonly known public part, and schemes achieving perfect blindness. We propose new
variants of blind signatures, such as signer-friendly partially blind signatures, where the public part can
be chosen by the signer without prior agreement, 3-party blind signatures, as well as blind signatures on
multiple aggregated messages provided by independent sources.
We also extend Waters signatures to non-binary alphabets by proving a new result on the underlying hash
function.
Keywords. Blind Signatures, E-Cash, WSN, Mixed Commitments.
1
Introduction
Blind signature schemes were proposed by Chaum in 1982 [10]. They define an interactive signature
protocol between a user and a signer, guaranteeing that the signed message, and even the resulting
signature, are unknown to the signer; this property is called blindness. More precisely, if the signer
runs several executions of the protocol leading to several message/signature pairs, he cannot link a
pair to a specific execution: the view of the signer is unlinkable to the resulting message/signature pair.
This unlinkability can be either computational, in which case we talk about computational blindness,
or information-theoretic, we then talk about perfect blindness. The second security property for blind
signatures is a notion of unforgeability, which has been formalized by Pointcheval and Stern [25]
motivated by the use of blind signatures for e-cash: a user should not be able to produce more
message/signature pairs (coins) than the number of signing executions with the bank (withdrawals).
More recently, Schröder and Unruh [26] revisited the security model for other contexts.
There have been several constructions with highly interactive blind-signing protocols (like [24]),
before Fischlin [15] gave a generic construction of round-optimal blind signature schemes, where there
is only one round of communication between the user and the signer. Abe et al. [1] have efficiently
instantiated his blueprint, in which the user obtains a signature on the blinded message from the signer,
but in order to achieve unlinkability, a blind signature is defined as a non-interactive zero-knowledge
proof of knowledge of this signature, leading to an increase of the signature size.
In [5, 6], we presented a new approach, where instead of proving knowledge of it, the user merely
randomizes the signature, which suffices to achieve unlinkability. Blind signatures are thus signatures of
the underlying scheme, which are much shorter than proofs of knowledge thereof. In our construction,
the underlying (and thus the blind) signatures are Waters signatures [28], which consist of 2 elements
from a bilinear group, while the message is a scalar. In comparison, the most efficient scheme by
Abe et al. [1] has messages consisting of two group elements, while a signature consists of 18+16 (in
G1 and G2 ) group elements. Furthermore, our schemes are secure under the, meanwhile standard,
“decision linear” (DLin) [8] assumption, while the schemes in [1] are based on newly introduced “qtype” assumptions. The drawback of our scheme is that, while being round-optimal, the user must
send much more information to the signer during the blind signature-issuing protocol. While all roundoptimal schemes mentioned so far are proven secure in the Common Reference String (CRS) model,
†
DI/ENS (CNRS, ENS, INRIA)
c IOS Press 2013.
2
round-optimal blind signatures without CRS have been proposed by Garg et al. [17], who however
only give impractical generic constructions.
A loophole in standard blind signatures was first identified by Abe and Okamoto [3]: the signer
has no control at all over which messages are signed. In classical e-cash schemes, unforgeability, which
restricts a user’s number of coins to the number of withdrawals, was sufficient. For the case that the
bank wants to include an expiration date in the message (in addition to the user-chosen serial number),
Abe and Fujisaki [2] propose partially blind signatures, where the user and the signer agree on part of
the message before running the blind signing protocol.
The above-mentioned scheme from [1] was extended to partially blind signature scheme in [16].
More recently, Seo and Cheon [27] presented a construction leading to (partially) blind-signature
schemes in the CRS model. However, their construction relies on a trick consisting in starting from
prime-order groups G1 , G2 , G3 and considering group elements in G = G1 ⊕ G2 ⊕ G3 . While their
approach provides nice theoretical tools, the resulting signatures lie in G 2 and are therefore three
times longer than our proposal.
Our contributions. In this paper, we extend our earlier results from [5] in several directions. Instead
of using an encryption scheme to blind the message to be signed, we use a mixed commitment scheme
[13] in which commitments can be set up to either be perfectly binding (like encryption) or perfectly
hiding.
We first present a blind signature scheme with perfect blindness, using the perfectly hiding setup
of Groth-Sahai commitments [20]. We then extend the model of partially blind signatures to avoid
prior agreement on the public part of the message between signer and user: signers can decide on
its content only before sending their message in the signature-issuing protocol. (If the user does not
agree with the public part, they can simply discard the signature and start anew.) We call this new
primitive signer-friendly partially blind signatures. While of course not forbidding any prior agreement
on the public part, this primitive offers an effectively round-optimal protocol (as there need not be
any communication between the user and signer before running the protocol itself).
Using perfectly hiding commitments, we present a round-optimal signer-friendly partially blind
signature with perfect blindness. Again, instead of having a computational overhead for the agreement,
both signer and user can simply choose their contribution on the fly. The signer can always refuse to
sign when the user’s public information does not suit him, and the user can always choose to discard
irrelevant signatures.
Using the perfectly binding setting for the mixed commitment (and thus discarding perfect blindness) we take advantage of the fact that user and signer can independently choose their inputs and
consider a new context: the message to be signed is an aggregation of inputs that come from several
independent sources which cannot communicate with each other. We consider several aggregation procedures. First we present a way to obtain a signature on the concatenation of the inputs and then
present a shorter instantiation yielding a signature on the sum of the inputs messages. Addition of
messages in often used, e.g. when counting votes, or aggregating sensor information, etc.
All our constructions are based on the Waters signature [28], which signs messages that are binary
strings. We reconsider the programmable hash function used for these signatures over a non-binary
alphabet, in a similar way to what Hofheinz and Kiltz [21] did for the binary case. We prove a negative
result on the (2, 1)-programmability, but a positive one on the (1, poly)-programmability of this hash
function. The latter result immediately yields Waters signatures over a non-binary alphabet, which in
turn leads to a reduction in the number of public-key elements.
Instantiations. We give several instantiations of our different blind-signature schemes, all of which
are based on weak assumptions. Our constructions mainly use the following two building blocks, from
which they inherit their security: Groth-Sahai proofs for languages over pairing-friendly groups [20] and
Waters signatures derived from the scheme in [28] and first used in [9]. Since verification of the revisited
Waters signatures from [5] is a statement of the language for Groth-Sahai proofs, these two building
blocks combine smoothly. Moreover, Waters signatures (and its variant) are fully randomizable thanks
to the homomorphic property of its random coins. The first instantiations are over pairing-friendly
elliptic curves and use linear commitments. Both unforgeability and blindness of these constructions
rely solely on the decision linear assumption. An instantiation with improved efficiency, in asymmetric
3
bilinear groups, using the SXDH variant of Groth-Sahai proofs and commitments, is drafted in the
Appendix A. This setting requires Waters signatures over asymmetric groups, which in [5] we proved
secure under a slightly stronger assumption, termed CDH+ , which in symmetric groups is identical to
CDH.
Applications. The properties of our blind signature schemes find various kinds of applications for
anonymity:
E-voting. The security of several e-voting protocols (see [4, 11, 12]) relies on the fact that each ballot
is certified by an election authority. Since this authority should not learn the votes, a blind signature
scheme (or a partially blind one, if for example the authority wants to specify the election in the ballot)
is usually used to achieve this property. Using a perfectly blind scheme, privacy is even achieved in an
information-theoretic sense. Our scheme is the first to achieve this property without random oracles
and under standard complexity assumptions.
E-cash. As mentioned above, partially blind signatures play an important role in many electroniccommerce applications. In e-cash systems, for instance, the bank issuing coins must ensure that the
message contains accurate information such as the face value of the e-coin without seeing it. Moreover,
in order to prevent double-spending, the bank’s database has to record all spent coins. Partially blind
signatures can cope with these requirements, since the bank can explicitly include some information
such as the face value or the expiration date in the coin. The latter, for example, can be included in
the coin by the bank without prior agreement with the client.
Data aggregation in networks. A wireless (ad hoc) sensor network (WSN) consists of many sensor
nodes that are deployed for sensing the environment and collecting data from it. Since transmitting
and receiving data are the most energy-consuming operations, data aggregation has been put forward
as an essential paradigm in these networks. The idea is to combine the data coming from different
sources, minimizing thus the number of transmissions and saving energy. In this setting a WSN usually
consists of three types of nodes:
– sensor nodes, which are small devices equipped with one or more sensors, a processor and a radio
transceiver for wireless communication;
– aggregation nodes (or aggregators) performing the data aggregation (e.g. average, sum, minimum
or maximum of data); and
– base stations, responsible for querying the nodes and gathering the data collected by them.
WSNs are at high security risk and two important security goals when doing in-network data aggregation are data confidentiality and data integrity. When homomorphic encryption is used for data
aggregation, end-to-end encryption allows aggregation of the encrypted data and thus end-to-end data
confidentiality, as aggregators never decrypt any data. Achieving data integrity is a harder problem
and the attack where a sensor node reports a false reading value is typically not considered (the impact
of such an attack being usually limited). The main security threat is a data-pollution attack in which
an attacker tampers with an aggregation node to make the base station receive wrong aggregated
results.
While in most conventional data-aggregation protocols, data integrity and privacy are not preserved
at the same time, our multi-source blind signature primitive yields data confidentiality and prevents
data-pollution attacks simultaneously by using the following simple protocol:
1. Data aggregation is initiated by a base station, which broadcasts a query to the whole network.
2. Sensor nodes then report values of their readings which are encrypted under base station’s public
key to their aggregators.
3. The aggregators perform data aggregation via the homomorphic properties of the encryption
scheme, (blindly) sign the result and route the aggregated results back to the base station.
4. The base station decrypts the aggregated data and the signature, which proves the validity of the
gathered information to the base station (but also to any other third party).
4
2
Definitions
This section presents successively the various tools we need to describe the global framework and the
security model for partially blind signature schemes. There are two different layers for the construction,
one relying on commitments and the other on signatures.
2.1
Commitments
The original construction from [5] uses an encryption scheme E described via four polynomial-time
algorithms (Setup, KeyGen, Encrypt, Decrypt):
– Setup(1λ ), where λ is the security parameter, generates the global parameters param of the scheme;
– KeyGen(param) outputs a pair of keys, a (public) encryption key ek and a (private) decryption
key dk;
– Encrypt(ek, m; ρ) outputs an encryption c of the message m under the encryption key ek with
randomness ρ ∈ Re ;
– Decrypt(dk, c) outputs the plaintext m, encrypted in the ciphertext c or ⊥ in case of an invalid
ciphertext.
Such an encryption scheme is required to have the following security properties:
– Correctness: For every key pair (ek, dk) generated by KeyGen, every message m, and every random
ρ, we should have
Decrypt(dk, Encrypt(ek, m; ρ)) = m .
– Indistinguishability under Chosen-Plaintext Attack [18] : This notion, formalized by the adjacent
game, states that an adversary should not be able to
efficiently guess which message has been encrypted
even if he chooses the two candidate messages.
ind−b
ExpE,A
(λ)
1. param ← Setup(1λ )
2. (ek, dk) ← KeyGen(param)
3. (m0 , m1 ) ← A(FIND, ek)
4. c∗ ← Encrypt(ek, mb )
5. b′ ← A(GUESS, c∗ )
6. RETURN b′
We define the adversary’s advantage as:
ind−1
ind−0
Advind
E,A (λ) = Pr[ExpE,A (λ) = 1] − Pr[ExpE,A (λ) = 1] .
To generalize the original construction from [5], we will replace encryption by a mixed commitment
scheme [13]. A commitment scheme allows anyone to commit to a message m by running Commit on a
key ck, m and some randomness ρ. The resulting commitment c should not reveal anything about the
committed message, i.e., the commitment is hiding. By revealing the randomness ρ, the commitment
can be opened, as anyone can run c′ ← Commit(ck, m; ρ) and check whether c′ = c. However, the
commitment should be binding, in that for every c there is only a single m to which c can be opened
(in that for all m 6= m′ , ρ, ρ′ : Commit(ck, m; ρ) 6= Commit(ck, m′ ; ρ′ )).
In a mixed commitment scheme, the commitment keys ck can be set up in two ways, which are
computationally indistinguishable. One type leads to perfectly hiding commitments, that is, the commitment does not contain any information about the committed value; whereas the second type leads
to perfectly binding commitments, that is, not even an unbounded adversary can find a commitment
and two different openings for it. We moreover require that there be a trapdoor which enables efficient
extraction of the committed value.
Of course, when applied, one will use only one kind of setup depending on the main security goal
or the properties demanded of the final scheme.
Definition 1 (Mixed Commitment Scheme [13]). A mixed commitment scheme C is a 5-tuple
of polynomial-time algorithms (Setup, WISetup, ExSetup, Commit, Extract):
– Setup(1λ ), where λ is the security parameter, generates the global parameters param of the scheme,
and more specifically the commitment key ck by running one of the following algorithms:
5
• WISetup(1λ ), outputs a perfectly hiding commitment key ck;
• ExSetup(1λ ), outputs a perfectly binding commitment key ck and an extraction key xk (to be
kept secret);
– Commit(ck, m; ρ), outputs a commitment c of a message m under a commitment key ck and a
$
random ρ ← Z;
– Extract(xk, c), if c is a commitment under a binding key ck, created together with xk, it outputs
m.
We sometimes write Decommit(ck, c, m; ρ), which verifies correct opening of a commitment by checking
whether c = Commit(ck, m; ρ).
We require that the two setups be indistinguishable, that is, given a commitment key ck, it should
be hard to decide whether the key has been generated by WISetup or ExSetup: for any polynomialtime adversary A receiving a key ck from either distribution, its advantage in distinguishing which
distribution it was should be negligible in λ.
Note that by indistinguishability of the setups, perfectly hiding commitments are automatically
computationally binding and perfectly binding commitments are automatically computationally hiding.
2.2
Signatures
We now review several signature primitives, from classical to blind signatures.
Definition 2 (Signature Scheme). A signature scheme Sig is a 4-tuple of polynomial-time algorithms (Setup, SKeyGen, Sign, Verify):
– Setup(1λ ), where λ is the security parameter, generates the global parameters param of the scheme;
– KeyGen(param) generates a pair of keys, the public (verification) key vk and the private (signing)
key sk;
– Sign(sk, m; s) on input a signing key sk, a message m from the message space M and random
coins s ∈ Rs , produces a signature σ.
– Verify(vk, m, σ) checks whether σ is a valid signature on m, w.r.t. the public key vk; it outputs 1
if the signature is valid, and 0 otherwise.
We expect signatures to be existentially unforgeable under chosen-message attacks [19]: even after querying n valid signatures on chosen messages
{mi }ni=1 , an adversary should not be able to output
a valid signature on a new message.
Expeuf
Sig,A (λ)
1. param ← Setup(1λ )
2. (vk, sk) ← KeyGen(param)
3. (m∗ , σ ∗ ) ← A(vk : OSign(sk, ·))
4. b ← Verify(vk, m∗ , σ ∗ )
5. IF m∗ ∈ SM THEN RETURN 0
6. ELSE RETURN b
In Expeuf
Sig,A , the adversary has access to the following oracle:
$
– OSign(sk, m) chooses s ← Rs and returns Sign(sk, m; s), after adding m to the set of signed
messages SM.
The probability of success in this game is denoted by
euf
Succeuf
Sig,A (λ) = Pr[ExpSig,A (λ) = 1] .
Definition 3 (Randomizable Signature Scheme). Let Sig = (Setup, SKeyGen, Sign, Verify) be a
signature scheme with the following additional algorithm:
– Random(vk, m, σ; s′ ), on input a valid signature σ on a message m under vk, produces a new
signature σ ′ , again valid under vk on m, using the additional random coins s′ ∈ Rs .
6
Expuf
BS,U ∗ (λ)
param ← Setup(1λ );
(vk, sk) ← KeyGen(param);
(m1 , σ1 ), . . . , (mqs +1 , σqs +1 ) ← U ∗ (vk : hS(sk, ·), ·i≤qs );
IF ∃i 6= j : mi = mj OR ∃i : Verify(vk, mi , σi ) = 0 THEN RETURN 0
ELSE RETURN 1
bl-b
ExpBS,S
∗ (λ)
param ← Setup(1λ );
(vk, m0 , m1 , stFIND ) ← S ∗ (FIND, 1λ );
b ← {0, 1};
stISSUE ← S ∗ (ISSUE, stFIND : h·, U (vk, mb )i≤1 , h·, U (vk, m1−b )i≤1 );
IF σ0 = ⊥ OR σ1 = ⊥ THEN (σ0 , σ1 ) ← (⊥, ⊥);
b∗ ← S ∗ (GUESS, σ0 , σ1 , stISSUE );
IF b = b∗ THEN RETURN 1 ELSE RETURN 0.
Figure 1. Unforgeability and blindness for blind signatures
A
signature
scheme
is
called
randomizable
if
for
any
param ← Setup(1λ ),
(vk, sk) ← SKeyGen(param), any message m ∈ M, any random coins s ∈ Rs , and σ = Sign(sk, m; s),
the following two distributions are statistically indistinguishable:
D0 = {s′ ← Rs : Sign(sk, m; s′ )}
$
D1 = {s′ ← Rs : Random(vk, m, σ; s′ )}
$
The usual unforgeability notions apply (except strong unforgeability, since the signature is malleable,
by definition).
Definition 4 (Blind Signature Scheme). A blind signature scheme BS is a 4-tuple of polynomialtime algorithms/protocols (Setup, KeyGen, hS, Ui, Verify):
– Setup(1λ ), where λ is the security parameter, generates the global parameters param.
– KeyGen(param) generates a pair of keys (vk, sk);
– Signature Issuing is an interactive protocol between the algorithms S(sk) and U (vk, m), for a
message m ∈ M. It generates an output σ for the user: σ ← hS(sk), U (vk, m)i.
– Verify(vk, m, σ) outputs 1 if the signature σ is valid w.r.t. m and vk, 0 otherwise.
The security of a blind signature scheme is defined through two different notions [25], unforgeability
and blindness (see Figure 1). An adversary U ∗ against the unforgeability tries to generate qs + 1
valid signatures after at most qs complete interactions with the honest signer. The blindness condition
protects, on the other hand, against malicious signers. It states that a malicious signer S ∗ should be
unable to decide which of two messages m0 , m1 has been signed first in two executions (one for each
message, hence the superscript “≤ 1” in Expbl-b
BS,S ∗ in Figure 1) with an honest user U . Let σb be the
signature on mb . Note that the malicious signer S ∗ can choose the keys and thus the verification key
vk given to users. However, if S ∗ refuses to sign one of the inputs (i.e. σi = ⊥) then the two resulting
signatures are set to ⊥; the adversary therefore does not gain any advantage if he decides to prevent
the normal game execution.
Our unforgeability notion slightly differs from the original one [25], in that we do not exclude
malleability, as this could not be satisfied by the randomizable signatures we use. We thus count the
number of distinct signed messages, which should not be larger than the number of interactions with
the signer, whereas the original definition counted the number of distinct message/signature pairs:
BS is unforgeable if, for any polynomial adversary U ∗ (malicious user), the advantage Succuf
BS,U ∗ (λ)
uf
uf
is negligible, where SuccBS,U ∗ (λ) = Pr[ExpBS,U ∗ (λ) = 1], in the security game presented in Figure 1.
In this experiment, the adversary U ∗ can interact qs times with the signing oracle S(sk, ·) (hence the
notation U ∗ (vk : hS(sk, ·), ·i≤qs )) to execute the blind signature protocol: the adversary should not be
able to produce more signatures on distinct messages than interactions with the signer. Our relaxation
from the original One-More Forgery security is to accommodate randomizable signatures, for which
from a message/ signature pair one can generate many signatures on the same message. This is the
same difference as between classical and strong existential unforgeability for signatures.
7
Definition 5 (Partially Blind Signature Scheme). A partially blind signature scheme PBS is a
4-tuple of polynomial-time algorithms and protocols (Setup, KeyGen, hS, Ui, Verify):
– Setup(1λ ) generates the global parameters param of the system;
– KeyGen(param) generates a pair of keys (vk, sk);
– Signature Issuing: this is an interactive protocol between S(sk, info) and U (vk, m, info), for a message m ∈ M and shared information info. It generates an output σ for the user:
σ ← hS(sk, info), U (vk, m, info)i .
– Verify(vk, m, info, σ) outputs 1 if the signature σ is valid with respect to the message mkinfo and
vk, and 0 otherwise.
The security requirements are a direct extension of the classical ones: for unforgeability, we consider
mkinfo instead of m, and for blindness, we condition the unlinkability between signatures with the
same public part info. Without the latter restriction, the signer could simply distinguish which message
was signed by comparing the public information. The unforgeability is strengthened by considering
also the public information so that the signer can be sure that the user will not be able to exploit his
signature in another context.
Signer-Friendly Partially Blind Signatures. An agreement on info can be a long and tedious process
allowing both participant to launch a denial-of-service attack. Instead of considering a global info, we
will split it into two parts infoc , infos , one chosen by the user and one by the signer. While we dismiss
the agreement part, we stress that a signer can refuse to sign a public information he does not like,
and a user can refuse to use a signature on a public information he did not agree with, so this division
does not weaken the requirement on the scheme.
Definition 6 (Signer-Friendly Partially Blind Signature Scheme). A signer-friendly partially
blind signature scheme PBS is a 4-tuple of polynomial-time algorithms and protocols (Setup, KeyGen, hS, Ui,
Verify):
– Setup(1λ ) generates the global parameters param of the system;
– KeyGen(param) generates a pair of keys (vk, sk);
– Signature Issuing is an interactive protocol between S(sk, infoc , infos ) and U (vk, m, infoc ), for a
message m ∈ M, signer information infos and common information infoc . It generates an output
σ for the user: σ ← hS(sk, infoc , infos ), U (vk, m, infoc )i.
– Verify(vk, m, infoc , infos , σ) outputs 1 if the signature σ is valid with respect to the message
mkinfoc kinfos and vk, and 0 otherwise.
We note that setting infoc := info and infos := ⊥ leads to a standard partially blind signature; whereas
setting infoc = infos = ⊥ is the case of a standard blind signature. The signer always performs the
last action in the signing protocol, and so if he does not want to sign a specific info, he can simply
abort the protocol several times until the shared part suits his will, hence the name signer-friendly.
This is why in the following we simply let him choose this input. If the user wants a specific word
in the final message he can always add it to the blinded message. Intuitively this strengthens the
unforgeability notion as the adversary (the user in this case) will not be able to choose the whole
messages to be signed because of infos . This is ensured in the security game, because the adversary
must output valid signatures, therefore they should be done with the chosen infos . For the blindness
property, the adversary must choose two messages with the same public infoc kinfos component.
Security Games for Signer-Friendly Partially Blind Signatures. PBS satisfies blindness if, for any
polynomial adversary S ∗ (malicious signer), the advantage Succbl-b
PBS,S ∗ (λ) is negligible, where
bl
Succbl
PBS,S ∗ (λ) = | Pr[ExpPBS,S ∗ (λ) = 1] − 1/2| ,
in the security game presented in Figure 2. If S ∗ refuses to sign one of the inputs (i.e. σi = ⊥) then the
two resulting signatures are set to ⊥, therefore S ∗ does not gain any advantage if he decides to prevent
the game execution. We let S ∗ choose both pieces of the public information, which corresponds to
8
Expbl-b
PBS,S ∗ (λ)
param ← Setup(1λ );
(vk, m0 , m1 , stFIND , infoc , infos ) ← S ∗ (FIND, 1λ );
b ← {0, 1};
stISSUE ← S ∗ (ISSUE, stFIND : h · , U (vk, mb , infoc )i≤1 , h · , U (vk, m1−b , infoc )i≤1 );
IF σ0 = ⊥ OR σ1 = ⊥, (σ0 , σ1 ) ← (⊥, ⊥);
b∗ ← S ∗ (GUESS, σ0 , σ1 , stISSUE );
IF b = b∗ THEN RETURN 1 ELSE RETURN 0.
Figure 2. Blindness for Signer-Friendly Partially Blind Signatures
Expuf
PBS,U ∗ (λ)
(param) ← Setup(1λ );
(vk, sk) ← KeyGen(param);
(mi , infoc,i , infos,i , σi ) i∈{1,...,q +1} ← U ∗ (vk : hS(sk, ·), ·i≤qs );
s
IF ∃i 6= j : (mi , infoc,i , infos,i ) = (mj , infoc,j , infos,j )
OR ∃i : Verify(vk, mi , infoc,i , infos,i , σi ) = 0 THEN RETURN 0
ELSE RETURN 1
Figure 3. Unforgeability for Signer-Friendly Partially Blind Signatures
the case where, in the real world, the signer aborts as long as the user’s public information does not
suit him. As with regular partially blind signatures, the public information must be the same in both
challenge messages to avoid a trivial attack. PBS is unforgeable if, for any polynomial adversary U ∗
(malicious user), the advantage Succuf
PBS,U ∗ (λ) is negligible, where
uf
Succuf
PBS,U ∗ (λ) = Pr[ExpPBS,U ∗ (λ) = 1] ,
in the security game presented in Figure 3.
2.3
Efficient Instantiations of the Building Blocks
First, let us briefly sketch the basic building blocks: Groth-Sahai commitments, and a variation of the
Waters signature. They both need a pairing-friendly environment (p, G, GT , e, g), where e : G×G → GT
is an admissible, non-degenerated, bilinear map, for two groups G and GT , of prime order p, generated
by g and gt = e(g, g) respectively. From the following descriptions, it is easily seen that both schemes
are randomizable.
Groth-Sahai Commitments. Groth and Sahai [20] proposed non-interactive zero-knowledge proofs of
satisfiability of certain equations over bilinear groups. Using as witness group elements (and scalars)
which satisfy the equation, the prover starts with making commitments on them. The commitment key
is of the form (u1 = (u1,1 = g x1 , 1, g), u2 = (1, u2,2 = g x2 , g), u3 = (u3,1 , u3,2 , u3,3 )) ∈ (G3 )3 . Depending
on the definition of u3 , this commitment can be either perfectly hiding or perfectly binding.
– To commit a group element X ∈ G, one chooses three random scalars r1 , r2 , r3 ∈ Zp and sets
(where ⊙ denotes component-wise multiplication)
C(X) := (1, 1, X) ⊙ ur11 ⊙ ur12 ⊙ ur33
1
3
2
3
3
= (c1 = ur1,1
· ur3,1
, c2 = ur2,2
· ur3,2
, c3 = X · g r1 +r2 · ur3,3
)
3
3
3
= (c1 = g x1 r1 · ur3,1
, c2 = g x2 r2 · ur3,2
, c3 = X · g r1 +r2 · ur3,3
)
– To commit a scalar x ∈ Zp , one chooses two random scalars γ1 , γ2 ∈ Zp and sets
2
C ′ (x) := (1, 1, g)x ⊙ uγ11 ⊙ ux+γ
3
x+γ2
′
2
1
2
= (c′1 = ux+γ
· uγ1,1
, c′2 = ux+γ
· g x+γ1 )
3,1
3,2 , c3 = u3,3
x+γ2
′
2
2
· g x+γ1 ).
· g x1 γ1 , c′2 = ux+γ
= (c′1 = ux+γ
3,2 , c3 = u3,3
3,1
9
The idea is that with a regular initialization of the commitment parameters (u3 = uν1 ⊙ uµ2 , for two
random scalars ν, µ ∈ Zp ), these commitments are perfectly binding. The committed group elements
1/x 1/x
can even be extracted if one knows x1 , x2 : c3 /(c1 1 c2 2 ) = X, and c′3 /(c′1 1/x1 c′2 1/x2 ) = g x .
µ
However, if u3 is defined as u3 = uν1 ⊙u2 ⊙(1, 1, g −1 ) = (u3,1 = uν1,1 , u3,2 = uµ2,2 , u3,3 = g ν+µ−1 ), for
two random scalars ν, µ ∈ Zp , the commitments are perfectly hiding. In addition, the two parameter
initializations are indistinguishable under the DLin assumption. This is thus a mixed commitment.
To prove satisfiability of an equation (which is the statement of the proof), a Groth-Sahai proof
uses these commitments and shows that the committed values satisfy the equation. The proof consists
again of group elements and is verified by a pairing equation derived from the statement. In the
perfectly binding setting the proof is perfectly sound, whereas in the perfectly hiding setting the proof
perfectly hides the used witness.
Waters Signature. The Waters signature scheme was formally described in [28]. It was proved existentially unforgeable against chosen-message attacks under the CDH assumption.
– Setup(1λ ): The scheme is defined over a bilinear group (p, G, GT , e, g). The parameters are a
$
$
randomly chosen generator Q
h ← G and a vector (u0 , . . . , uk ) ← Gk+1 defining the function
i
F : {0, 1}k → G, F(M ) = u0 uM
i . We set param := (p, G, GT , e, g, h, (u0 , . . . , uk ));
$
– KeyGen(param): Choose a random scalar y ← Zp , which defines vk = Y = g y , and sk = Z = hy .
$
– Sign(sk,
M ; s): To sign a message M ∈ {0, 1}k , choose s ← Zp and define σ = σ1 = Z·F(M )s , σ2 =
gs ;
?
– Verify(vk = Y, M, σ): Check whether e(g, σ1 ) = e(Y, h) · e(F(M ), σ2 ).
We also use another useful result on the Waters signature (as used in [22]):
Property 7 (Randomizability). The Waters signature scheme is randomizable: for a valid pair (M, σ),
′
′
if we define σ ′ = (σ1 · F(M )s , σ2 · g s ) for a random scalar s′ then σ ′ is a random signature on M .
Proof. If the initial signature was generated with randomness s, the modified signature corresponds
to the signature on M with random coins s + s′ . Since this is perfectly random in group Zp , it leads
to a random signature on M .
Suffixed Waters Signatures. Instead of signing one message, we will sign, with some additional parameters, a concatenation of 3 messages using Waters signatures:
m = M ||infoc ||infos = (M1 , . . . , Mℓ , info1 , . . . , infok−ℓ ) ∈ {0, 1}k
3
Signatures and Mixed Commitments
In [5] we presented a general framework for building extractable signatures on randomizable ciphertexts. Once a user has sent a ciphertext of a message m, and received a signature on this ciphertext,
the framework proposes an algorithm SigExt which allows to recover the signature on the plaintext m,
when one knows the decryption key. This property has also been strengthened to strong extractability
where the initial user can recover the signature without possessing the decryption key if he has kept
the randomness used in the initial ciphertext.
To achieve perfect blindness, we need to discard encryption and use a perfectly hiding commitment
instead. This is where strong extractability becomes interesting, as we want the user to be able to
recover the signature on the plaintext even when no decryption key exists.
3.1
Signatures on Mixed Commitments
We now define a scheme of signatures on mixed commitments. Note that this generalizes the existing
definition of signatures on ciphertexts from [5].
Definition 8 (Signatures on Mixed Commitments). A signature scheme on a mixed commitment SC is a 7-tuple of polynomial-time algorithms (Setup, SKeyGen, CKeyGen, Commit, Sign, Decommit, Verify):
10
Expuf
SC,A (λ)
(param) ← Setup(1λ ); SM := ∅
n
{(cki , xki )}n
i=1 ← CKeyGen (param); (vk, sk) ← SKeyGen(param)
(c, σ) ← A(param, vk, ck : sign(sk, ·, ·));
m ← Decommit(xk, vk, c)
IF m = ⊥ OR m ∈ SM OR Verify(vk, ck, c, σ) = 0 THEN RETURN 0
RETURN 1
Figure 4. Unforgeability of Signatures on Mixed Commitments
– Setup(1λ ), where λ is the security parameter, generates the global parameters param for the
associated encryption and signature schemes;
– CKeyGen(param) generates a commitment key ck and possibly the associated extraction key xk
(according to the setting, i.e. whether WISetup or ExSetup was used);
– SKeyGen(param) generates a pair of keys, the verification key vk and the signing key sk;
– Commit(ck, vk, m; r) produces a commitment c of m ∈ M under ck, using the random coins r ∈ Rc .
This commitment is intended to be later signed under the signing key associated to the verification
key vk (the argument vk can be empty if the signing algorithm is universal and does not require
a ciphertext specific to the signer);
– CSign(sk, ck, c; s), produces a signature σ on a commitment c and a signing key sk, using the
random coins s ∈ Rs , or ⊥ if c is not valid (w.r.t. ck, and possibly vk associated to sk);
– Decommit(ck, c, r, m) decommits c into a plaintext m, by showing that c is a valid commitment to
m under ck with randomness r.
– Verify(vk, ck, c, σ) checks whether σ is a valid signature on c, w.r.t. the public key vk. It outputs
1 if the signature is valid, and 0 otherwise (possibly because of an invalid commitment c, with
respect to ck, and possibly vk);
– Recover(vk, ck, c, σ, r) recovers a signature on the initial plaintext m committed in c, valid under
vk using randomness r used in the commitment c.
One could have additionally defined an Extract algorithm to recover the signature on the initial plaintext, or even the initial plaintext itself from the commitment, using the extraction key. But the latter
will not always exist, whereas the random coins used for the commitment always exist.
Strong security notions for signatures on ciphertexts are not meaningful in our context, as we
want signatures to be efficiently malleable, as long as the plaintext is not affected. Hence we further
weaken the original definition of existential unforgeability (EUF) [19], where a new signature on an
already signed message is not considered a forgery: In our definition a signature on a new ciphertext
is not a forgery, if another ciphertext of the same plaintext has already been signed. Moreover, we
require that the two setups for the mixed commitment be computationally indistinguishable. Under
this assumption unforgeability in the perfectly binding setup also implies unforgeability in the perfectly
hiding setting (in which we could not define the game).
We now define the unforgeability (UF) notion for signatures on mixed commitments, which makes
sense in the perfectly binding setting only, but will help to prove some other security notions in any
setting: SC is unforgeable if, for any polynomial-time adversary A, the advantage Succuf
SC,A (λ) :=
uf
uf
Pr[ExpSC,A (λ) = 1] is negligible, with ExpSC,A defined in Figure 4. In this experiment sign(sk, ·, ·) is
an oracle that takes as input a previously generated commitment key cki and a commitment c, runs
CSign on it, and returns its output σ. It also adds to the set SM of signed plaintexts the plaintext
m = Extract(xki , vk, c).
Unforgeability in the above sense thus states that no adversary is able to generate a new valid
commitment-signature pair for a commitment to new message, i.e. different to those contained in
commitments that were queried to the signing oracle.
A signature on mixed commitments with recovery provides the following: a user can commit to a
message m and obtain a signature σ on the commitment c. Knowing the randomness used to compute
c, from (c, σ) one can not only recover the committed message m, but also a signature σ ′ on the
message m, using the functionality Recover. The signature σ on the commitment c could thus be
interpreted as a commitment to a signature on the message m. Commitment and signing can thus
11
M
Commit
ck, vk, r
r
C
s′
σ(M )
Recover
r
CSign
sk; s
Sign
sk, ck, c; s
xk
Extract
A message M can be committed using random coins r.
The signer can sign this ciphertext.
A signature on the plaintext can be obtained using either
the coins r (Recover), or with the extraction key xk if we
are in the perfectly binding setup; the result is the same as
a signature of M by the signer (Sign). This final signature
can be randomized.
σ(C)
xk
Random
Figure 5. Recoverable Signatures on Mixed Commitments
be seen as commutative (see Figure 5). For completeness, we also define the Random algorithm for
signatures, which we could also extend to signatures on committed values, but this is out of the scope
of the applications this paper targets. Moreover, commitments must not be randomized if they are to
be recovered later.
Figure 5 makes sense for any setup of the mixed commitment, while the unforgeability game in
Figure 4 makes sense for the binding setup only.
Intuitively, the notion of blindness for our signatures comes from the hiding property of the commitment, because if the adversary can manage to find the order in which the message were signed
then he has a bias in guessing which message is committed in each commitment (think of the final
signature as a signature of a commitment). On the other hand, unforgeability of the blind signature
is implied by unforgeability of the underlying signature, as we can recover the signature under the
extraction property (now the final signature is a commitment to a signature), which relies on the
binding property of the commitment.
3.2
Our Construction
Our approach combines Groth-Sahai commitments [20] and the Waters signature [28].
Assumptions. We rely on classical assumptions only: CDH for the unforgeability of signatures and
DLin for the indistinguishability of the two commitment setups, which implies soundness of the proofs:
Definition 9 (The Computational Diffie-Hellman problem (CDH)). The CDH assumption, in
a cyclic group G of prime order p, states that for a generator g ∈ G and random a, b ∈ Zp , given
(g, g a , g b ), it is hard to compute g ab .
Definition 10 (Decision Linear Assumption (DLin)). The DLin assumption, in a cyclic group
G of prime order p, states that given (g, g x , g y , g xa , g yb , g c ) for random a, b, x, y ∈ Zp , it is hard to
determine whether c = a + b or a random value. When (g, u = g x , v = g y ) is fixed, a tuple (ua , v b , g a+b )
is called a linear tuple w.r.t. (u, v, g), whereas a tuple (ua , v b , g c ) for a random and independent c is
called a random tuple.
One can easily see that if an adversary is able to solve a CDH challenge, then he can solve a DLin one.
So the DLin assumption implies the CDH assumption.
Scheme. Let us now describe our signature on Groth-Sahai commitments:
$
– Setup(1λ ) chooses a bilinear group (p, G, GT , e, g). Moreover, it chooses an extra generator h ← G
$
and a vector u = (u0 , . . . , uk ) ← Gk+1 , which defines the function F. Setup returns param =
(p, G, GT , e, g, h, F).
12
– CKeyGen(param) generates Groth-Sahai parameters ck = (u1 , u2 , u3 ) in one of the two settings,
and possibly the extraction key xk corresponding to the respective discrete logarithm in the binding
setting.
$
– SKeyGen(param) chooses a random scalar y ← Zp , which defines the public key as vk = Y = g y
y
and the secret key as sk = Z = h .
$
– Commit(ck, vk, m; r): For a message M ∈ {0, 1}k and random scalars r = (r1 , r2 , r3 ) ← Z3p , defines
the commitment as
3
1
3
2
3
· F(M )
c = c1 = ur1,1
ur3,1
, c2 = ur2,2
ur3,2
, c3 = g r1 +r2 ur3,3
–
–
–
–
and computes Y1,2 = Y r1 +r2 , Y3 = Y r3 . It moreover generates Groth-Sahai proofs of consistency
of the commitment:
• A proof ΠM of knowledge of M in c, which consists of a bit-by-bit commitment CM =
(C ′ (M1 ), . . . , C ′ (Mk )) and proofs that each committed value is a bit, as well as a proof that c
is a commitment to F(M ). ΠM is composed of 9k + 3 group elements.
• A proof Πr containing the commitments Cr = (C(Y1,2 ), C(Y3 )) asserting that they are correctly
generated. This requires 9 group elements.
Π thus consists of 9k + 12 group elements.
CSign(sk, ck, (c, Π); s): To sign the commitment c, this first checks if the proof Π is valid. If so, it
outputs σ = (Z · c3 s , us3,3 , g s ), for a random scalar s ∈ Zp .
Decommit(ck, c, r, m): Decommits c to m by simply showing that a commitment to m using ck
and r is equal to c.
Verify(vk, ck, c, σ): Checks whether the following pairing equations are verified: e(σ1 , g) = e(h, vk) ·
e(c3 , σ3 ) and e(σ2 , g) = e(u3,3 , σ3 ).
Recover(vk, ck, c, σ, r): If Verify is positive, one can use the randomness r to retrieve M and a valid
signature on M :
σ ′ = (σ1′ = σ1 /(σ3r1 +r2 σ2r3 ), σ2′ = σ3 ) ,
which is a valid Waters signature.
Security Properties. In the next section, we generalize this construction to partially blind signatures
and provide a security proof in any setting for the mixed commitment. Depending on the setting, we
get either fair blind signatures (in the binding setting) or perfectly blind signatures when there is no
shared public information.
Note that it suffices to do a security proof in one setting because of the indistinguishability of
the two commitment setups. However, according to the setting, one will get perfect blindness or
computational blindness.
4
Partially Blind Signatures
As in the previous section, our constructions will combine Groth-Sahai commitments [20] and Waters
signatures [28] as follows: given a commitment on the “Waters hash” F(M ) (and some additional values
proving knowledge of the message M and the randomness used) and a public shared information infoc ,
the signer can make a partially blind signature on M, infoc and an extra piece of public information
infos .
4.1
Partially Blind Signatures with Perfect Blindness
With those building blocks, we design a partially blind signature scheme, where the user sends a
commitment to the message and gets back a signature on it by the signer. Thanks to the random coins
of the commitment, the user can “unblind” the received Waters signature. Finally, by randomizing it,
the user breaks all links between the message/signature pair and the transaction.
Our protocol proceeds as follows, on a commitment of F = F(M ), a public common message
infoc , and a public message infos chosen by the signer. It is split into five steps, that correspond to an
optimal 2-flow protocol: Blind, which is first run by the user, CSign, which is then run by the signer,
and Verify, Unblind, Random, which are successively run by the user to generate the final signature.
We thus have U = (Blind; Verify, Unblind, Random) and S = CSign:
13
$
– Setup(1λ ) first chooses a bilinear group (p, G, GT , e, g) and an additional generator h ← G. It
$
generates a vector u = (u0 , . . . , uk ) ← Gk+1 , which, for messages M ∈ {0, 1}ℓ and with k being
the overall length of M ||infoc ||infos , defines
Q
Q
i
i
F1 (M ) = u0 ℓi=1 uM
F2 (info) = ki=ℓ+1 uinfo
i
i
Moreover, it chooses Groth-Sahai parameters (u1 , u2 , u3 ) in the perfectly hiding setting and outputs param = (p, G, GT , e, g, h, F, u1 , u2 , u3 ).
$
– KeyGen(param) chooses a random scalar y ← Zp , which defines the public key as vk = Y = g y and
the secret key as sk = Z = hy .
– Signature Issuing hS(sk, infoc , infos ), U (vk, M, infoc )i is split into several steps:
$
• Blind(M, vk; (r1 , r2 , r3 )): For a message M ∈ {0, 1}ℓ and random scalars (r1 , r2 , r3 ) ← Zp ,
defines the commitment as
1
3
2
3
3
c = c1 = ur1,1
ur3,1
, c2 = ur2,2
ur3,2
, c3 = g r1 +r2 ur3,3
· F(M )
and computes Y1,2 = Y r1 +r2 , Y3 = Y r3 . It also generates proofs of consistency:
∗ A proof ΠM of knowledge of M in c, consisting of a bit-by-bit commitment CM =
(C ′ (M1 ), . . . , C ′ (Mℓ )), proofs that each committed value is a bit, and a proof that c commits to F(M ). ΠM consists of 9ℓ + 9 group elements, as we have ℓ commitments, ℓ
quadratic equations in Zp of the type Mi · (1 − Mi ) = 1, and one quadratic multiscalar
Q i
multiplication u0 uM
i = F(M ).
∗ A proof Πr containing the commitments Cr = (C(Y1,2 ), C(Y3 )) asserting that they are
consistent with c and CM , i.e., e(c3 , Y ) = e(g, Y1,2 ) · e(u3,3 , Y3 ) · e(F(M ), Y ). This requires
9 additional group elements (6 for the commitments, and 3 for the Groth-Sahai proof).
Π thus consists of 9ℓ + 18 group elements (when M = {0, 1}ℓ ).
• CSign(sk, (c, Π), infoc , infos ; s): To sign the commitment c, first check if the proof Π is valid.
Then append the public message info = infoc kinfos to c3 to create c′3 = c3 ·F2 (info), which thus
yields a commitment of the function evaluation on M kinfoc kinfos of global length k. Finally,
output σ = (Z ·(c′3 )s , us3,3 , g s ), for a random scalar s ← Zp , together with the additional public
information infos .
• Verify(vk, (c, infoc , infos ), (σ1 , σ2 , σ3 )): To check the validity of the signature, first compute
c′3 = c3 · F2 (info) and then check whether the following pairing equations are satisfied:
e(σ1 , g) = e(h, vk) · e(c′3 , σ3 )
e(σ2 , g) = e(u3,3 , σ3 )
If not then σ is not a valid signature, and the user sets the blind signature as Σ = ⊥.
• Unblind((r1 , r2 , r3 ), vk, (c, infoc , infos ), σ): If the previous verification is successful, use the random coins r1 , r2 , r3 to recover a Waters signature on M kinfoc kinfos : σ ′ = (σ1′ = σ1 /(σ3r1 +r2 σ2r3 ), σ2′ =
σ3 ).
′
• Random(vk, (c, infoc , infos ), σ ′ ; s′ ): Randomize σ ′ to get the signature Σ = (σ1′ ·F(M ||infoc ||infos )s ,
′
σ2′ · g s ).
Note that Σ is a random Waters signature on M ||infoc ||infos , where we denote F = F(M ||infoc ||infos ):
′
′
′
′
Σ = (σ1′ · F s , σ2′ · g s ) = (F s · σ1 /(σ3r1 +r2 σ2r3 ), g s · σ3 )
′
′
s
s+s
3
= (F s · Z · c′3 /(g s(r1 +r2 ) usr
)
3,3 ), g
′
′
s
s(r1 +r2 ) sr3
3
u3,3 ), g s+s )
= (F s · Z · g s(r1 +r2 ) usr
3,3 · F /(g
′
′
= (F s+s · Z, g s+s ) = Sign(Z, M ||infoc ||infos ; s + s′ )
– Verify(vk, (M, infoc , infos ), Σ = (Σ1 , Σ2 )), is defined as Waters signature verification by checking
that the following holds:
e(Σ1 , g) = e(h, vk) · e(F(M ||infoc ||infos ), Σ2 ) .
Theorem 11. This signer-friendly partially blind signature scheme is unforgeable under the DLin
assumption in G.
14
Signer
C info
C′
sk, C ′ , infos ; s
F(M )
Blind
vk, r
r
s′
σ(F ′ )
σ(C ′ )
infos
r
Unblind
Random
Blind hides a message M using random coins r. The signer
can concatenate public messages infoc and infos to the
original commitment, which yields a commitment C ′ on
F = F (M ||infoc ||infos ).
Using randomness r, Unblind recovers a signature on the
plaintext, which is the same as a direct signature on
M ||infoc ||infos by the signer.
Randomizing this signature prevents the signer to link
the transaction to a signature.
CSign
User
Verify
Figure 6. Partially Blind Signatures with Perfect Blindness
Proof. Let us denote PBS our partially blind signature above. Assuming there is an adversary A
against unforgeability that succeeds with probability ǫ, we build an adversary B against CDH, whose
hardness is implied by that of DLin.
DLin Assumption. Breaking unforgeability means that after qs interactions with the signer, the adversary manages to output qs + 1 valid message/signature pairs on distinct messages. If the adversary A
succeeds with probability ǫ when the commitment key is perfectly hiding, then A also succeeds with
a probability negligibly close to ǫ when the commitment key is perfectly hiding. Otherwise A could
be used to distinguish the two types of commitment keys, which are indistinguishable under DLin.
Signer simulation. Let us thus consider PBS but with a commitment scheme using the binding setting,
say PBS ′ . Our simulator B can thus extract values from the commitments since it will know the
extraction key. We assume that A is able to break the unforgeability of PBS ′ with probability ǫ′ after
qs interactions with the signer, based on which we build an adversary B against the CDH problem. (We
basically follow Waters’ original proof, but adapt it, since we need to simulate signatures (σ1 , σ2 , σ3 )
on commitments, rather than plain Waters signatures.)
Let (A = g a , B = g b ) be a challenge CDH-instance in a bilinear group (p, G, GT , e, g). We generate
$
the global parameters using this instance: for simulating Setup/KeyGen, B picks a random position j ←
$
$
{0, . . . , k}, chooses random indices y0 , y1 , . . . , yk ← {0, . . . , 2qs −1}, and random scalars z0 , z1 , . . . , zk ←
a
b
y
−2jq
z
y
z
s g 0 , and u = h i g i for i = 1, . . . , k. B also picks
Zp . Define Y = A = g , h = B = g , u0 = h 0
i
random scalars ν, µ, x1 , x2 , and generates binding Groth-Sahai parameters (u1 , u2 , u3 ) with (u1 =
(u1,1 = g x1 , 1, g), u2 = (1, u2,2 = g x2 , g), u3 = uν1 ⊙ uµ2 ). Note that u3,3 = g ν+µ . It outputs param =
(p, G, GT , e, g, h, F, u1 , u2 , u3 ). (The signing key is implicitly defined as Z = ha = B a = g ab , which is
the solution to our Diffie-Hellman instance.)
To answer a signing query for (c = (c1 , c2 , c3 ), Π), B first checks the proof Π = (ΠM , Πr ). Using
the commitment extraction key (x1 , x2 ), it extracts M from the bit-by-bit commitments in ΠM and
Y1,2 = Y r1 +r2 , Y3 = Y r3 from Πr (where r1 , r2 , r3 are the random coins of c). Furthermore, we can
3
compute c′3 = g r1 +r2 ur3,3
· F , where we denote M ′ = M ||infoc ||infos and F = F(M ||infoc ||infos ). B
defines
P
P
F = hH g J
J = z0 + i zi Mi′
H = −2jqs + y0 + i yi Mi′
If H ≡ 0 (mod p) then B aborts, otherwise it sets
1/x1 1/x2 s
c2 )) , (Y −1/H g s )ν+µ , Y −1/H g s ).
σ = (Y −J/H (Y1,2 Y3ν+µ )−1/H (F (c1
15
Defining s̃ = s − a/H, we have
1/x1 1/x2 s
c2 ))
σ1 =Y −J/H (Y1,2 Y3ν+µ )−1/H (hH g J (c1
σ3 =Y −1/H g s = Y −1/H g s̃+a/H = g s̃
= Z · (c′3 )s̃
σ2 =(σ3 )ν+µ = g (ν+µ)s̃ = us̃3,3
This thus exactly looks like a real signature sent by the signer.
Diffie-Hellman extraction. After at most qs signing queries A outputs qs + 1 valid Waters signatures.
Since these are more than the number of signing queries, there is a least one message M ∗ that is
different from all the messages M ||infoc ||infos involved in the signing queries. We define
P
P
∗
∗
F(M ∗ ) = hH g J
J ∗ = z0 + i zi Mi∗
H ∗ = −2jqs + y0 + i yi Mi∗ ,
∗
∗
If H ∗ 6≡ 0 (mod p) then B aborts, otherwise, for some s∗ , we have σ ∗ = (ha F(M ∗ )s , g s ) =
∗ ∗
∗
∗
(ha g s J , g s ). Then, σ1∗ /(σ2∗ )J = ha = g ab , which is a solution for the CDH problem.
Success probability. (this is based on [21]) The Waters hash function is (1, qs )-programmable (i.e., we
can find with non negligible probability a case where qs intermediate hashes H are non zero, and
√ the
last one is); therefore the previous simulation succeeds with non negligible probability (Θ(ǫ/qs k)),
with which B then breaks CDH.
Theorem 12. This signer-friendly partially blind signature scheme achieves perfect blindness.
Proof. Since the commitment key is perfectly hiding, the transcript sent to the signer contains a
commitment on the message to be signed which leaks no information about M . The additional proofs
are perfectly witness-indistinguishable and thus do not provide any additional information about M .
(For Groth-Sahai proofs in the perfectly hiding setting, for any M , committed with randomness r and
any message M ′ , there exists a random r′ such that both commitment values collide.) Moreover, due
to the perfect randomizability of Waters signatures, the output blind signature is uniformly random
in the set of signatures on M ||infoc ||infos , on which no information leaked. So the resulting signature
is independent from the transcript seen by the signer.
5
Multi-Source Blind Signatures
5.1
Concatenation
The previous constructions enables a user to obtain a signature on a plaintext without revealing it
to the signer. But what if the original message is coming from various users? We now present a new
way to obtain a blind signature without requiring multiple users to combine their messages, providing
once again a round-optimal way to achieve our goal.
We thus consider another variant of our blind signature scheme. Setup no longer creates perfectly
hiding parameters, but perfectly binding parameters. We therefore need not compute us3,3 to run
Unblind, since we can use the extraction key instead of the coins. In addition, in this scenario we do
not consider a unique user providing a blinded message, but several users. The signer will produce
a signature on a multi-source message, provided as different commitments. The signature and the
messages will actually be committed under a key from a third party, which will be the only one able
to extract the message and the signature.
Our instantiation is similar to the previous ones in the perfectly binding setting. For simplicity, we
remove the partially blind part, but of course it could be adapted in the same way. With the previous
building blocks, we will sign several commitments of Fi = Fi (Mi ), and instead of the protocol hU , Si,
we now have one with three kind of participants: users Ui will blind a commitments on Fi (Mi ), signer
S signs the blinded message, and T , the tallier, will verify, unblind and randomize this signature:
$
– Setup(1λ ): In a bilinear group (p, G, GT , e, g) the algorithm outputs a generator h ← G and a
vector
$
u = u0 , (ui,1 , . . . , ui,ℓ )ni=1 ← Gnℓ+1 ,
Q m
where ℓ is a polynomial in λ. We define Fi (Mi ) = ℓ ui,ℓi,ℓ .
16
Blind
vk, ri
ri
Ci
sk, C1 , . . . , Cn ; s
Fi
Signer
T
s′ σ(
Q
F)
Random
xk
σ(
Unblind
Q
CSign
User i
Different users can hide messages Mi using random coins
ri (Blind).
The signer can concatenate the messages Q
inside the commitments, creating a commitment on F = Fi .
Using the extraction key xk in Unblind, the tallier T can
recover a signature on the plaintext, which is the same as
a signature by the signer on the concatenation of all the
messages Mi .
Randomizing this signature prevents the signer from linking
the signature to a transaction.
Ci )
Verify
Figure 7. Multi-Source Blind Signature on Concatenation
$
– KeyGen(param): Choose y ← Zp , which defines vk = Y = g y and sk = Z = hy , and generate a
perfectly binding Groth-Sahai commitment key ck together with an extraction key xk = (x1 , x2 ) ∈
Z2p .
– (Ui , S, T ):
• Blind(M, vk; (r1 , r2 , r3 )) (we omit the subscripts i): For a message M ∈ {0, 1}ℓ and random
scalars in Zp , define the commitment c = C(F(M )) = (c1 , c2 , c3 ). As before, we add proofs to
this commitment:
∗ A proof ΠM of knowledge of M , such that c commits to F(M ), which consists of a bitby-bit commitment CM = (C ′ (M1 ), . . . , C ′ (Mk )) and proofs that each committed value is
a bit.
∗ A proof Πr containing the commitments (C(Y r1 +r2 ), C(Y r3 )) together with proofs of consistency with c and CM .
that all
• CSign(sk, (c = (c1,i , c2,i , c3,i ), Πi )ni=1 ; s): To sign n commitments, first check Q
Q Πi ’s are
Q
valid; after randomizing these commitments, compute the commitment C = ( c1,i , c2,i , u0 c3,i )
and output C = (C1 , C2 , C3 ) and σ = (C1s , C2s , Z · C3s , g s ).
• Verify(vk, (C1 , C2 , C3 ), (σ1 , σ2 , σ3 , σ4 )): In order to check validity of the signature, verify the
following equations: e(σ1 , g) = e(C1 , σ4 ), e(σ2 , g) = e(C2 , σ4 ), and e(σ3 , g) = e(h, vk)·e(C3 , σ4 ).
• Unblind(xk, vk, c = (C1 , C2 , C3 ), Π = (Πi )ni=1 , σ): From a valid signature σ on c, knowing the
extraction key (x1 , x2 ), one can extract the message M from the bit-by-bit commitments in
1/x 1/x
Π. One can also extract the corresponding signature σ ′ as: σ1′ = σ3 /(σ1 1 σ2 2 ), σ2′ = σ4 ,
which is a Waters signature on M , the concatenation of all the messages.
• Random(vk, M, σ ′ ; s′ ): The signature σ ′ is randomized to get the blind signature Σ = (σ1′ ·
′
′
F(M )s , σ2′ · g s ).
– Verify(vk, M, σ = (σ1 , σ2 )): In order to check the validity of the signature, one checks whether:
?
e(σ1 , g) = e(h, vk) · e(F(M ), σ2 ).
Theorem 13. The above multi-source blind signature scheme for concatenation is blind and unforgeable under the DLin and CDH assumptions, respectively: no adversary can generate more message/signature pairs on distinct messages than the number of interactions with the signer.
The theorem follows from the previous result, as the combination of the different partial Waters
hashes can be seen as one global hash (note that we have independent generators for each index). The
perfectly binding Groth-Sahai proofs guarantee that each user outputs a Waters hash of their message
under their generators.
17
5.2
Linear Operations
The previous scheme presents a way to combine multiple blind messages into one by concatenation.
One drawback is that every bit in every one of the concatenated messages requires a generator in
the setup. Let us now assume all that is required is a signature on the sum of the messages (or the
mean, or any other linear operation). Concatenation could still be used, as the verifier could perform
the linear operation at the end, but all individual messages are signed, requiring a long public key.
We improve the construction, reducing the public key size and the information leaked about the
individual messages when one only requires a signature on the sum or the mean of the individual
messages. Instead of signing the concatenation of the messages, we now consider the sum of messages,
for which we can allow every user to use the same generators for the function F, which reduces the
public key by a factor of the number of aggregated messages.
$
The resulting scheme is the same as before except
for Setup we have u = (u0 ,Q
. . . , uk ) ← Gk+1 .
Q that
mi,ℓ
We then proceed as before considering F(Mi ) = ℓ uℓ , which are aggregated to i F(Mi ), which
is F evaluated on the sum of all messages. However, the exponents in the Waters hash function are no
longer bits but belong to a larger alphabet (e.g. {0, . . . , t} if t users participate and send bit strings).
Following the work done in [21], we will show in the next section that over a non-binary alphabet the
Waters function remains (1, poly)-programmable as long as the size of the alphabet is a polynomial
in the security parameter. This result readily implies the security of the multi-source blind signature
scheme for addition, but also any linear combination.
Theorem 14. This multi-source blind signature scheme for addition is blind and unforgeable under
the DLin assumption as long the alphabet size and the number of sources are polynomial in the security
parameter.
Note however that more than just the sum is leaked since carries are not propagated, but accumulated in each digit. Hence, the value of the sum in one digit leaks some information on the same digits
on individual messages. Anyway, our goal is to authenticate the result with minimal communication.
6
Waters Function and Non-binary Alphabets
In this section we prove that for a polynomial-size alphabet, the Waters function remains programmable. We recall some notations introduced in [21] and show our result, which can be seen as an
improvement over that presented by Naccache [23], who considered a variant of Waters identity-based
encryption [28] with shorter public parameters.
6.1
Definitions
Let us recall some basic definitions. Considering a cyclic group G, for some security parameter λ, we
define a group hash function H for G, an alphabet Σ = Σ(λ) and an input length ℓ = ℓ(λ) as a pair
of probabilistic polynomial-time algorithms (PHF.Gen, PHF.Eval) such that:
– PHF.Gen takes as input a security parameter λ and outputs a key κ
– PHF.Eval takes as input a key κ output by PHF.Gen and a string X ∈ Σ ℓ and outputs an element
of Gλ .
Definition 15 ([21]). A group hash function (PHF.Gen, PHF.Eval) is (m, n, δ)-programmable, if there
exist two PPT algorithms (PHF.TrapGen, PHF.TrapEval) such that:
– Syntax: For g, h ∈ G, PHF.TrapGen(1λ , g, h) generates a key κ′ and a trapdoor t such that
PHF.TrapEval(t, X) produces integers aX , bX for any X ∈ Σ ℓ .
– Correctness: For all g, h ∈ G, all (κ′ , t) ← PHF.TrapGen(1λ , g, h) and all X ∈ Σ ℓ , Hκ′ (X) :=
PHF.Eval(κ′ , X) satisfies Hκ′ (X) = g aX hbX where (aX , bX ) := PHF.TrapEval(t, X).
– Statistically close trapdoor keys: For all generators g, h ∈ G2 , the functions PHF.Gen(1λ ) and
PHF.TrapGen(1λ , g, h) output keys κ and κ′ statistically close.
– Well-distributed logarithms: For all generators g, h ∈ G, all (κ′ , t) output by PHF.TrapGen(1λ , g, h)
and all bit-strings (Xi )1,...,m , (Zi )1,...,n ∈ Σ ℓ such that ∀i, j, Xi 6= Zj , we have Pr[aX1 = . . . , aXm =
0∧aZ1 ·. . .·aZn 6= 0] ≥ δ, where the probability is taken over the random coins used by PHF.TrapGen
and (aXi , bXi ) := PHF.TrapEval(t, Xi ) and (aZi , bZi ) := PHF.TrapEval(t, Zi ).
18
6.2
Instantiation with Waters Function
Let us consider the Waters function presented in [28].
Definition 16 (Multi-Generator PHF). Let G = (Gλ ) be a group family, and ℓ = ℓ(λ) a polynomial. We define F = (PHF.Gen, PHF.Eval) as the following group hash function:
$
– PHF.Gen(1λ ) outputs κ = (h0 , . . . , hℓ ) ← Gℓ+1 ;
Q
– PHF.Eval(κ, X) parses κ and X = (x1 , . . . , xℓ ) ∈ {0, 1}ℓ and then outputs Fκ (X) = h0 ℓi=1 hxi i .
√
This function was shown to be (1, q, δ)-programmable with δ = O(1/(q ℓ)) and (2, 1, δ)-programmable
with δ = O(1/ℓ) (cf. [21]). However, this definition requires to generate and store ℓ+1 group generators
where ℓ is the bit-length of the messages one wants to hash. We consider a more general case where
instead of hashing bit-per-bit we hash blocks of bits.
Definition 17 (Improved Multi-Generator PHF). Let G = (Gλ ) be a group family, Σ =
{0, . . . , τ } a finite alphabet and ℓ = ℓ(λ) a polynomial. We define F = (PHF.Gen, PHF.Eval) as the
following group hash function:
$
– PHF.Gen(1λ ) returns κ = (h0 , . . . , hℓ ) ← Gℓ+1 ;
Q
– PHF.Eval(κ, X) parses κ and X = (x1 , . . . , xℓ ) ∈ Σ ℓ and then outputs F + κ (X) = h0 ℓi=1 hxi i .
Using a larger alphabet allows to hash from a larger domain with a smaller hash key, but it comes at a
price: we show that the function is no longer (2, 1)-programmable (i.e., no longer (2, 1, δ) programmable
for a non-negligible δ).
Theorem 18 ((2,1)-Programmability). For any group family G with known order and τ > 1, the
function F + is not a (2,1)-programmable hash function if the discrete logarithm problem is hard in G.
Proof. Consider a discrete logarithm challenge (g, h) in a group Gλ and suppose by contradiction that
the function F + is (2, 1)-programmable with τ ≥ 2 (i.e., we suppose that there exist two probabilistic
polynomial-time algorithms (PHF.TrapGen, PHF.TrapEval) satisfying Definition 15 for a non-negligible
δ).
For any hash key κ′ and trapdoor t generated by PHF.TrapGen(1λ , g, h), we can consider the
messages X1 = (2, 0), X2 = (1, 1), Z = (0, 2).
With non-negligible probability over the random coins used by PHF.TrapGen we have aX1 =
aX2 = 0 and aZ 6= 0 where (aX1 , bX1 ) := PHF.TrapEval(t, X1 ), (aX2 , bX2 ) := PHF.TrapEval(t, X2 )
and (aZ , bZ ) := PHF.TrapEval(t, Z). By the correctness property, we have
g aZ hbZ = F(Z) = h0 h22 = (F(X2 ))2 /F(X1 ) = h2bX2 /hbX1
and we can extract the discrete logarithm of g in base h as follows:
logh (g) =
2bX2 − bX1 − bZ
aZ
mod |Gλ | .
However we still have the following interesting property:
Theorem 19 ((1,poly)-Programmability). For any polynomial q and a group family G with
√
groups of known order, the function F + is a (1, q, δ)-programmable hash function with a δ = Ω(1/τ q ℓ).
Remark 20. This theorem improves the result presented by Naccache in [23] where the lower bound
on the (1, q, δ)-programmability was only δ = Ω(1/τ qℓ).
Remark 21. In order to be able to sign all messages in a set M, we have to consider parameters τ and
ℓ such that τ ℓ ≥ #M, but the security is proved only if the value δ is non-negligible (i.e. if ℓ = λO(1)
and τ = λO(1) ). In particular if M is of polynomial size in λ (which is the case in our WSN application
with data aggregation), one can use τ = #M and ℓ = 1 (namely, the Boneh-Boyen hash function [7]),
and therefore get data confidentiality.
Proof. Let us first introduce some notation. Let n ∈ N∗ ; for j ∈ {1, . . . , n}, let Aj be independent and
uniform random variables in {−1, 0, 1}. If we denote 2σj2 their quadratic moment, we have 2σj2 = 2/3
p
P
and σj = 1/3. We note s2n = nj=1 σj2 = n/3.
19
The Local Central Limit Theorem. Our analysis relies on a classical result onPrandom walks, called the
Local Central Limit Theorem 1 . It basically provides an approximation of Pr[ Aj = a] for independent
random variables Aj . This is a version of the Central Limit Theorem in which the conclusion is
strengthened from convergence of the law to locally uniform pointwise convergence of the densities.
It is worded as follows in [14, Theorem 1.1 ], where φ and Φ are the standard normal density and
distribution functions:
Theorem 22. Let Aj be independent, integer-valued random
variables where Aj has probability
Pn mass
P
∗
∗
function fj (for j ∈ N ). For each j, n ∈ N , let q(fj ) = k min(fj (k), fj (k+1)) and Qn = j=1 q(fj ).
Denote Sn = A1 + · · · + An . Suppose that there are sequences of numbers (αn ), (βn ) such that
1. limn→∞ Pr[((Sn − αn )/βn ) < t] = Φ(t), −∞ < t < ∞,
2. βn → ∞,
3. and lim sup βn2 /Qn < ∞,
then2 supk |βn Pr[Sn = k] − φ((k − αn )/βn )| → 0 as n → ∞.
While those notations may seem a little overwhelming, this can be easily explained in our case. With
Aj ∈ {−1, 0, 1} with probability 1/3 for each value.
1. It requires the variables to verify the Lindeberg-Feller theorem. However as long as the variables
verify Lindeberg’s condition3 , p
this is true for βn = sn and αn = 0.
2. In our application, βn = sn = n/3, so again we comply with the condition.
3. Since fj (k) is simply the probability that Aj equals k, then q(fj ) = 2/3. This leads to Qn = 2n/3.
As a consequence, βn2 /Qn = 1/2.
So we have: supk |βn Pr[Sn = k] − φ((k − αn )/βn )| → 0, that is, in our case
p
p
sup | n/3 Pr[Sn = k] − φ(k/ n/3)| → 0 .
k
√
√
We solely focus on the case k = 0: since φ(0) = 1/ 2π, Pr[Sn = 0] = Θ(1/ n). In addition, it is clear
that Pr[Sn = k] ≤ Pr[Sn = 0] for any k 6= 0 (cf. [21]).
Lemma 23. Let (Aij )[[1,n]]×[[1,J]] be independent, integer-valued random variables in {−1, 0, 1}, then
√
P P
∀X ∈ [[1, τ ]]n , Pr[ ni=1 Jj=1 Xi Aij = 0] = Ω(1/τ nJ), where the probability distribution is over the
Aij .
This lemma will be useful to prove the lower bound in the following, we only consider word with no
null coefficient Xi , if a Xi is null, we simply work with a shorter random walk of length J · (n − 1)
instead of Jn.
Proof. Let us denote dij , the random variable defined as Xi Aij : they are independent, integer-valued
P P
P
random variables. As above, s2n = ni=1 Jj=1 σj2 = ni=1 JXi2 /3. So nJ/3 ≤ s2n ≤ nτ 2 J/3.
1. Lindeberg’s condition is verified. As soon as n > 3τ /Jǫ2 we have ǫsn > τ and so |dij | < sn , and
so once again the sum is null.
2. sn → ∞.
P
3. Each dij ∈ {−Xi , 0, Xi } with probability 1/3 for each value, so q(fij ) = 2/3 and Qn = i,j q(fij ) =
2nJ/3. So βn2 /Qn ≤ (nτ J/3)/(2nJ/3) ≤ τ /2 < ∞.
P P
Then we can apply the Local Central Limit Theorem to the dij ’s, and conclude: Pr[ ni=1 Jj=1 Xi Aij =
√
0] = Θ(1/sn ) = Θ(1/τ nJ).
1
2
3
The main idea here is to show that even if the probability that the studied random walks end in 0 is maximal, this
probability in neither negligible nor overwhelming.
The so-called Berry-Esseen theorem gives the rate of convergence of this supremum.
Lindeberg’s condition is a sufficient criteria
value
P of the2 Lindeberg-Feller theorem, for variables with a null expected
2
it requires that ∀ǫ > 0, limn→∞ 1/s2n n
E[A
·
1
]
→
0.
In
our
case,
as
soon
as
n
>
3/ǫ
,
we
have
{|A
|>ǫs
}
j
n
j
j=1
p
|Aj | ≤ 1 ≤ ǫ n/3 ≤ ǫsn , so the sum is zero. (1{|Aj |>ǫsn } is the indicator function of variables greater that ǫsn )
20
P
In the following, we will denote a(X) = ni=1 ai Xi , where X ∈ {0, . . . , τ }n . The probabilities will be
over the aij ’s variables while X and Y are assumed to be chosen by the adversary. Our goal is to show
that even for bad choices of X and Y , a random draw of aij ’s provides enough freedom.
Let J = J(λ) be a positive function. We define the following two probabilistic polynomial-time
algorithms (PHF.TrapGen, PHF.TrapEval):
– PHF.TrapGen(1λ , g, h): which chooses some independent and uniform elements (aij )(0,...,ℓ),(1,...,J) in
P
{−1, 0, 1}, and random exponents (bi )(0,...,ℓ) . It sets ai = Jj=1 aij and hi = g ai hbi for i ∈ {0, . . . , ℓ}.
It then outputs the hash key κ = (h0 , . . . , hℓ ) and the trapdoor t = (a0 , b0 , . . . , aℓ , bℓ ).
ℓ
ℓ
– P
PHF.TrapEval(t, X): which
P parses X = (X1 , . . . , Xℓ ) ∈ Σ = {0, . . . , τ } and outputs aX = a0 +
ai Xi and bX = b0 + bi Xi .
As this definition verifies readily the syntactic and correctness requirements, we only have to prove the
two other ones. We stress the importance of the hardwired 1 in front of a0 this allows us to consider
′
′
′
′
multisets
PJ X = 1 :: X and Y = 1 :: Y , and so there is no k such that X = kY . And we also stress that
ai = j=1 aij is already a random walk of length J (described by the aij ), on which we can apply the
√
Local Central Limit Theorem and so Pr[ai = 0] = Θ(1/ J). By noticing that summing independent
random walks is equivalent to a longer one and applying the Local Central Limit Theorem, we have:
p
√
Θ(1/τ (ℓ + 1)J) ≤ Pr[a(X ′ ) = 0] ≤ Θ(1/ J) .
To explain further the two bounds:
P
– For the upper bound: we consider X fixed, and note t = ℓi=1 ai Xi , by construction ai are independent, so a0 is independent from t then
√
Pr[a(X ′ ) = 0] = Pr[a0 = −t] ≤ Pr[a0 = 0] ≤ Θ(1/ J)
using the above remark that a random walk is more likely to reach 0 than any other value, and
a0 is a random walk of length J.
– For the lower bound, we proceed by recurrence on ℓ, to show
p
Hℓ : Θ(1/τ (ℓ + 1)J) ≤ Pr[a(X ′ ) = 0] (where X ′ ∈ 1 :: [[0, τ ]]ℓ ).
√
√
For ℓ = 0, we consider X ′ = 1, we have a random walk of length J, so Θ(1/τ J) ≤ Θ(1/ J) ≤
Pr[a(X ′ ) = 0]. We note X0 = 1 for the hardwired 1 in X ′ . Let us suppose the property true at
rank k, let us prove it at rank k + 1:
• If ∃i0 , Xi0 = 0 then we can consider
a random walk
p
√ of length k and apply the previous step,
and conclude because Θ(1/τ (k + 1)J) ≤ Θ(1/τ kJ)
• Else, one can apply Lemma 23 to p
conclude.
′
ℓ
Therefore, ∀ℓ, ∀X ∈ 1 :: [[0, τ ]] , Θ(1/τ (ℓ + 1)J) ≤ Pr[a(X ′ ) = 0].
√
We can now deduce that ∀X, Y ∈ [[0, τ ]]ℓ with X 6= Y : Pr[a(Y ′ ) = 0|a(X ′ ) = 0] ≤ Θ(1/ J). This can
easily be seen by noting i0 the first index where Yi 6= Xi . We will note X̄ ′ = X ′ − Xi0 , in the following
we will use the fact that a(X ′ ) = 0 ⇔ a(X̄ ′ ) = −ai0 Xi0 .4
Pr[a(Y ′ ) = 0|a(X ′ ) = 0] ≤ Pr[a(Y ′ ) = a(X ′ )|a(X ′ ) = 0]
≤ Pr[Yi ai + a(Y¯′ ) = Xi ai + a(X̄ ′ )|a(X ′ ) = 0]
0
0
0
0
≤ max Pr[(Yi0 − Xi0 )ai0 = t|a(X̄ ′ ) = −Xi0 ai0 ]
(1)
≤ max
Pr[ai0 = t′ |a(X̄ ′ ) = s]
′
(2)
≤ max
Pr[ai0 = t′ ]
′
(3)
t
s,t
t
√
≤ Pr[ai0 = 0] ≤ Θ(1/ J)
(1) We start with (Yi0 − Xi0 )ai0 = a(X̄ ′ ) − a(Y¯′ ), and then consider the maximum probability for all
values a(X̄ ′ ) − a(Y¯′ ).
4
X 6= Y so i0 exists, and thanks to the hardwired 1 we do not have to worry about Y ′ being a multiple of X ′
21
(2) We consider the maximum probability for all values of −Xi0 ai0 .
(3) ai0 and a(X̄ ′ ) are independent.
Hence, for all X1 , Y1 , . . . , Yq , we have
Pr[aX1 = 0 ∧ aY1 , . . . , aYq 6= 0] = Pr[aX1 = 0] Pr[aY1 , . . . , aYq 6= 0|aX1 = 0]
√
≥ Θ(1/τ ℓJ) 1 −
≥ Θ(1/τ
p
q
X
i=1
Pr[aYi = 0|aX1 = 0]
√
(ℓ + 1)J)(1 − qΘ(1/ J)) .
!
Now we set J = q 2 , to obtain
the result. In that case the experiment success is lower-bounded by
√
something linear in 1/(qτ ℓ + 1).
Studying the programmability of such functions is important. Having a (q, 1)-programmable hash
is a sufficient condition to instantiate a BLS-like signature scheme. Our result on the non-(2, 1) programmability over a non-binary alphabet while non-discarding the possibility says that it is probably
not a good idea to try to instantiate such a scheme using Waters PHF. The (1, q)-programmability
says that the Programmable Hash Function can be used in a signature scheme / IBE scheme, where we
need to simulate q queries and use one challenge, this paper proposes a construction of such signature
scheme and presents various applications.
References
1. Masayuki Abe, Georg Fuchsbauer, Jens Groth, Kristiyan Haralambiev, and Miyako Ohkubo. Structure-preserving
signatures and commitments to group elements. In CRYPTO 2010, volume 6223 of LNCS, pages 209–236. Springer,
August 2010.
2. Masayuki Abe and Eiichiro Fujisaki. How to date blind signatures. In ASIACRYPT 1996, volume 1163 of LNCS,
pages 244–251. Springer, November 1996.
3. Masayuki Abe and Tatsuaki Okamoto. Provably secure partially blind signatures. In CRYPTO 2000, volume 1880
of LNCS, pages 271–286. Springer, August 2000.
4. Josh Cohen Benaloh and Dwight Tuinstra. Receipt-free secret-ballot elections (extended abstract). In 26th Annual
ACM Symposium on Theory of Computing, pages 544–553. ACM Press, May 1994.
5. Olivier Blazy, Georg Fuchsbauer, David Pointcheval, and Damien Vergnaud. Signatures on randomizable ciphertexts.
In PKC 2011, volume 6571 of LNCS. pages 403–422, Springer, May 2010.
6. Olivier Blazy, David Pointcheval, and Damien Vergnaud. Round-optimal privacy-preserving protocols with smooth
projective hash functions. In TCC 2012, volume 7194 of LNCS, pages 94–111, Springer, March 2012.
7. Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In
EUROCRYPT 2004, volume 3027 of LNCS, pages 223–238. Springer, May 2004.
8. Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO 2004, volume 3152 of LNCS,
pages 41–55. Springer, August 2004.
9. Xavier Boyen and Brent Waters. Compact group signatures without random oracles. In EUROCRYPT 2006, volume
4004 of LNCS, page 427–444. Springer, May / June 2006.
10. David Chaum. Blind signatures for untraceable payments. In CRYPTO 1982, pages 199–203. Plenum Press, New
York, USA, 1983.
11. Benoı̂t Chevallier-Mames, Pierre-Alain Fouque, Julien P. Stern, David Pointcheval, and Jacques Traoré. On Some
Incompatible Properties of Voting Schemes. In Actes du IAVoSS Workshop On Trustworthy Elections (WOTE 2006),
Cambridge, UK, 2006.
12. Stéphanie Delaune and Steve Kremer. Formalising security properties in electronic voting protocols. Deliverable
AVOTE 1.2, (ANR-07-SESU-002), April 2010. 17 pages.
13. Ivan Damgård and Jesper Buus Nielsen Perfect Hiding and Perfect Binding Universally Composable Commitment
Schemes with Constant Expansion Factor. In Crypto 2002, volume 2442 of LNCS, page 581–596. Springer, August
2002.
14. Burgess Davis and David McDonald. An elementary proof of the local central limit theorem. Journal of Theoretical
Probability, 8(3), pages 693–701, jul 1995.
15. Marc Fischlin. Round-optimal composable blind signatures in the common reference string model. In CRYPTO 2006,
volume 4117 of LNCS, pages 60–77. Springer, August 2006.
16. Georg Fuchsbauer. Commuting signatures and verifiable encryption. In EUROCRYPT 2011, volume 6632 of LNCS,
pages 224–245. Springer, May 2011.
17. Sanjam Garg, Vanishree Rao, Amit Sahai, Dominique Schröder, and Dominique Unruh. Round optimal blind
signatures. In CRYPTO 2011, volume 6841 of LNCS, pages 630–648. Springer, August 2011.
18. Shafi Goldwasser and Silvio Micali, Probabilistic Encryption. J. Comput. Syst. Sci., 28(2):270–299,1984.
19. Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosenmessage attacks. SIAM Journal on Computing, 17(2):281–308, Apr. 1988.
22
20. Jens Groth and Amit Sahai. Efficient non-interactive proof systems for bilinear groups. In EUROCRYPT 2008,
volume 4965 of LNCS, pages 415–432. Springer, April 2008.
21. Dennis Hofheinz and Eike Kiltz. Programmable hash functions and their applications. In CRYPTO 2008, volume
5157 of LNCS, pages 21–38. Springer, August 2008.
22. Steve Lu, Rafail Ostrovsky, Amit Sahai, Hovav Shacham, and Brent Waters. Sequential aggregate signatures and
multisignatures without random oracles. In EUROCRYPT 2006, volume 4004 of LNCS, pages 465–485. Springer,
2006.
23. David Naccache. Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369, 2005.
24. Tatsuaki Okamoto. Efficient blind and partially blind signatures without random oracles. In TCC 2006, volume
3876 of LNCS, pages 80–99. Springer, March 2006.
25. David Pointcheval and Jacques Stern. Security arguments for digital signatures and blind signatures. Journal of
Cryptology, 13(3):361–396, 2000.
26. Dominique Schröder and Dominique Unruh. Security of Blind Signatures Revisited, In PKC 2012, volume 7293 of
LNCS, pages 662–679. Springer, May 2012.
27. Jae Hong Seo and Jung Hee Cheon. Beyond the limitation of prime-order bilinear groups, and round optimal blind
signatures. In TCC 2012, volume 7194 of LNCS, pages 133–150. Springer, 2012.
28. Brent R. Waters. Efficient identity-based encryption without random oracles. In EUROCRYPT 2005, volume 3494
of LNCS, pages 114–127. Springer, May 2005.
A
Asymmetric Version
All the schemes presented so far can be adapted for asymmetric groups. The main, and only difference,
comes from the Groth-Sahai commitments. As symmetric bilinear groups are in general less efficient
than asymmetric groups, we show how to instantiate our primitive with Groth-Sahai commitments in
an asymmetric pairing-friendly group setting, relying on the SXDH assumption.
A.1
Assumptions
The security of Waters signatures in asymmetric bilinear groups was proven in [5] under the following
variant of the CDH assumption, which states that CDH is hard in G1 when one of the random scalars
is also given as an exponentiation in G2 .
Definition 24 (Advanced Computational Diffie-Hellman problem (CDH+ )). Let (G1 , G2 )
be groups of prime order p with (g1 , g2 ) as respective generators and e an admissible bilinear map
G1 × G2 → GT . The CDH+ assumption states that given (g1 , g2 , g1a , g2a , g1b ), for random a, b ∈ Zp , it is
hard to compute g1ab .
ElGamal encryption is secure under the DDH assumption, which should hold in both G1 and G2 for
a more efficient variant of Groth-Sahai proofs to be secure.
Definition 25 (Decisional Diffie-Hellman Assumption (DDH)). Let G be a cyclic group of
prime order p. The DDH assumption states that given a 4-tuple (g, g a , g b , g c ) ∈ G, it is hard to
determine whether c = ab.
Definition 26 (Symmetric external Diffie-Hellman Assumption (SXDH) [8]). Let G1 , G2 be
cyclic groups of prime order, e : G1 × G2 → GT be a bilinear map. The SXDH assumption states that
DDH holds in both G1 and G2 .
A.2
Groth-Sahai Commitments
We will use SXDH-based Groth-Sahai commitments, which are a direct transposition of the previous
ones in an asymmetric setting and replace double linear encryption by a double ElGamal encryption
in a pairing friendly environment (p, G1 , G2 , GT , e, g1 , g2 ), where e : G1 × G2 → GT is an admissible
bilinear map, for three groups G1 , G2 and GT , of prime order p, generated by g1 , g2 and gt = e(g1 , g2 )
respectively.
The commitment key consists of u1 = (u1,1 , u1,2 ) , u2 = (u2,1 , u2,2 ) ∈ G12 and v1 = (v1,1 , v1,2 ) , v2 =
(v2,1 , v2,2 ) ∈ G22 . We write
v1,1 v1,2
v1
u1,1 u1,2
u1
.
=
and v =
=
u=
v2,1 v2,2
v2
u2,1 u2,2
u2
23
$
– Binding initialization of the parameters is: u1 = (g1 , u) with u = g1λ and u2 = u1 µ with λ, µ ← Z∗p ,
which means that u is a Diffie-Hellman tuple in G1 , since u1 = (g1 , g1λ ) and u2 = (g1µ , g1λµ ).
– Hiding initialization: we will use instead u2 = u1 µ ⊙ (1, g1 )−1 : u1 = (g1 , g1λ ) and u2 = (g1µ , g1λµ−1 ),
and analogously for in G2 for v.
Under the SXDH assumption, the two initializations are indistinguishable.
Commitments to Group Elements. To commit to X ∈ G1 , one chooses randomness s1 , s2 ∈ Zp and
sets
2
1
2
1
· us2,2
) .
C(X) = (1, X) ⊙ us11 ⊙ us22 = (us1,1
· us2,1
, X · us1,2
A simulator that knows the discrete logarithm λ of u in basis g1 can extract X in the perfectly binding
setting. The commitment in G2 follows the same rules, with v and g2 instead of u and g1 .
Commitments to Scalars. One actually commits to g1x , from which x can be extracted if this is a bit.
Proofs. This time, a Groth-Sahai proof is a pair of elements (π, θ) ∈ G2×2
× G2×2
1
2 . One has to pay
attention to the fact that Groth-Sahai bit-by-bit proofs in SXDH require bits to be committed both
in G1 and G2 and thus require to use 2 quadratic equations by bit.
A.3
Partially Blind Signatures with Perfect Blindness
The construction is completely straightforward. If we follow the steps from the DLin-version: We will
need 2 group elements for the commitment to M in G1 , 4 group elements to commit Y1 , Y2 in G1 ,
the proofs will require 4 group elements in G2 . We will need 6ℓ elements in each group to commit
to M and prove we indeed committed it bit-by-bit, and 2 extra group elements in G2 to prove c2 is
well-formed. The signatures on the committed elements will require 3 groups elements in G1 and one
in G2 . Therefore the overall scheme will require (6ℓ + 9, 6ℓ + 7) group elements communication.