Practical Round-Optimal Blind Signatures in the Standard Model from Weaker Assumptions
G. Fuchsbauer∗, C. Hanser†, C. Kamath‡, and D. Slamanig†
∗ Ecole Normale Superieure, Paris; † IAIK, Graz University of Technology, Austria; ‡ Institute of Science and Technology Austria
September 2, 2016
Overview
- Desiderata:
  1. Round-optimality (hence efficiency and composability)
  2. No heuristic assumptions
  3. No set-up assumptions
- Hard to construct: [FS10]
- Possibility: [GG14, GRS+11]
- First practical scheme: [FHS15]
  - SPS-EQ + commitments
  - CDH, EUF-CMA ⇒ Unforgeability
  - Interactive variant of DDH ⇒ Blindness
- Our contribution: weaker assumptions!
Preliminaries
- Asymmetric pairing e : G1 × G2 → GT
  - Bilinearity: e(aP, bP) = e(P, P)^{ab}
  - Non-degeneracy: e(P, P) ≠ 1_GT
  - Efficiency: e(·, ·) efficiently computable
- Structure-Preserving Signatures [AFG+10]
  - Signing vector of group elements
  - Signatures and PKs consist only of group elements
  - Verification via
    1. pairing-product equations
    2. group membership tests
SPS on Equivalence Classes
[Figure: equivalence classes [(1, 1)]_R and [(2, 1)]_R with elements M, N and Q; signatures σ_M and σ_N, labelled Sign_R and ChgRep_R]
- Equivalence relation ∼_R on G^ℓ: M ∼_R N ⇔ ∃µ ∈ Z_p^* : N = µ · M
- SPS-EQ := SPS + "change representative" functionality
SPS-EQ: Security
[Figure: the class [(1, 1)]_R with elements M and N; signatures σ_M and σ_N, labelled ChgRep_R and Sign_R, related by ≈]
- Class-hiding: ChgRep_R(M, σ, µ, pk) ≈ Sign_R(µM, sk)
- Malicious keys: ChgRep_R(M, σ, µ, pk) uniform in space of signatures on µM
- Unforgeability: EUF-CMA w.r.t. ∼_R
SPS-EQ: Security
[Figure: equivalence classes [(1, 1)]_R, [(2, 1)]_R, [(1, 2)]_R, [(1, 4)]_R and [(4, 1)]_R]
FHS Blind Signature
- Bob:
  1. Commits to m using Pedersen commitment C = mP + rQ
  2. Obtains signature π from Alice on random M ∼ [(C, P)]_R
  3. Derives σ on (C, P) using ChgRep_R
  4. Outputs τ = (σ, opening of C) to Charlie
[Figure: the class [(C, P)]_R, annotated with the steps above: (1) m to (C, P), (2) M and π, (3) σ]
sk = (sk_R, q)
pk = (pk_R, (Q, Q) = q · (P, P))
m ∈ Z_p^*
r, s ∈ Z_p^*
M = s · (mP + rQ, P)    [mP + rQ: Pedersen commitment]
π ← Sign_R(M, sk)
σ ← ChgRep_R(M, π, 1/s, pk_R)
τ ← (σ, R = rP, T = rQ)    [(R, T): opening]
(m, τ)
Verify_R((mP + T, P), σ, pk_R) ?= 1
e(R, Q) ?= e(T, P)
Blindness: Honest-Key Model
[Figure: blindness game with labels (pk, sk), (m_0, m_1), b ∼ {0, 1}, two sessions 〈U(m_b, pk), ·〉, (τ_0, τ_1) and b*]
Blindness: Honest-Key Model...
[Figure: blindness game with labels ((pk_R, (Q, Q)), (sk_R, q)), (m_0, m_1), b ∼ {0, 1}, r_b, s_b ∼ Z_p^*, two user messages · · · (m_b(s_b P) + q(r_b s_b P), P) · · ·, (τ_0, τ_1) and b*]
Embed DDH instance (P, rP, sP, tP)
τ = (σ, R, T) : σ = ChgRep_R(·, ·, 1/s, ·)
Sign_R instead of ChgRep_R
Blindness: Malicious-Key Model
[Figure: blindness game with labels pk, sk, (pk, sk), (m_0, m_1), b ∼ {0, 1}, two sessions 〈U(m_b, pk), ·〉, (τ_0, τ_1) and b*]
Blindness: Malicious-Key Model...
[Figure: blindness game with labels (pk_R, (Q, Q)), (m_0, m_1), b ∼ {0, 1}, r_b, s_b ∼ Z_p^*, two user messages · · · (m_b(s_b P) + q(r_b s_b P), P) · · ·, (τ_0, τ_1) and b*]
(sk_R, q): unknown to Bob
τ cannot be computed without sk
- Solution:
  1. Interactive variant of DDH needed
  2. Rewind Alice to generate signatures (ChgRep_R uniform)
Our construction
- Idea: Bob chooses parameters for commitment
  - Must be perfectly binding
- Bob:
  1. Chooses "one-time" keys (P, Q) for El-Gamal encryption
  2. Commits to m using C = mP + rQ
  3. Obtains signature π from Alice on M ∼ [(C, rP, Q, P)]_R
  4. Derives σ on (C, rP, Q, P) using ChgRep_R
  5. Outputs τ = (σ, opening of C) to Charlie
pk = pk_R
sk = sk_R
m ∈ Z_p^*
r, s ∈ Z_p^*, R = rP
q ∈ Z_p^*, Q := qP
M = s · (mP + rQ, R, Q, P)
π ← Sign_R(M, sk)
σ ← ChgRep_R(M, π, 1/s, pk_R)
τ ← (σ, R, Q, Z = rQ, Q = qP)
(m, τ)
Verify_R((mP + Z, R, Q, P), σ, pk_R) ?= 1
e(Q, P) ?= e(P, Q), e(Z, P) ?= e(R, Q)
sR allows verification!
e(M_1 − mM_4) ?= e(M_2, Q)
Solution: split q
m ∈ Z_p^*
r, s ∈ Z_p^*, R = rP
u, v ∈ Z_p^*, Q := uvP
pk = pk_R
sk = sk_R
M = s · (mP + rQ, R, Q, P)
π ← Sign_R(M, sk)
σ ← ChgRep_R(M, π, 1/s, pk_R)
τ ← (σ, R, Q, Y = rQ, U = uP, X = ruP, U = uP, V = vP)
(m, τ)
Verify_R((mP + Y, R, Q, P), σ, pk_R) ?= 1
e(Q, P) ?= e(U, V), e(U, P) ?= e(P, U)
e(X, P) ?= e(R, U), e(Y, P) ?= e(X, V)
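The linking test on the first attempt (Q := qP) and the pairing checks after splitting q = uv, as an added example that is not code from the slides or the authors. It uses a toy exponent model with no security. Assumptions: names with an `_h` suffix stand for G2 elements, the slide's test is read as e(M1 − mM4, P_h) = e(M2, Q_h), and the Verify_R check on σ is not modelled.

```python
# Toy exponent model (assumption of this example): xP is stored as x mod p and
# e(aP, bP_h) as a*b mod p. Discrete logs are visible, so this checks the
# algebra of the equations only; it provides no security.
import secrets

p = 2**127 - 1   # constructed prime standing in for the group order
P = P_h = 1      # generators of G1 and G2 in the exponent model

def rand():
    return secrets.randbelow(p - 1) + 1   # uniform in Z_p^*

def e(g1, g2):
    return g1 * g2 % p                    # pairing, in the exponent

def blind(m, r, Q, s):
    """Bob's request M = s * (mP + rQ, R, Q, P) with R = rP."""
    return [s * x % p for x in (m * P + r * Q, r * P, Q, P)]

def link_test(M, m, g2):
    """Test on a request M and a later (m, tau): e(M1 - m*M4, P_h) == e(M2, g2)."""
    return e((M[0] - m * M[3]) % p, P_h) == e(M[1], g2)

def pairing_checks(tau):
    """The four pairing checks of the final scheme (Verify_R is not modelled)."""
    R, Q, Y, U, X, U_h, V_h = tau
    return (e(Q, P_h) == e(U, V_h) and e(U, P_h) == e(P, U_h)
            and e(X, P_h) == e(R, U_h) and e(Y, P_h) == e(X, V_h))

def demo():
    m, r, s, u, v = (rand() for _ in range(5))
    Q = u * v % p
    Q_h = Q                                        # qP_h has the exponent of qP
    M = blind(m, r, Q, s)                          # session that signed m
    other = blind(rand(), rand(), rand(), rand())  # unrelated session
    return {
        # First attempt: tau reveals Q_h, so M is linked to (m, tau).
        "linked_with_Q_h": link_test(M, m, Q_h),
        "unrelated_session": link_test(other, m, Q_h),
        # Split q = uv: tau reveals only U_h and V_h, which fail the test.
        "linked_with_U_h": link_test(M, m, u),
        "linked_with_V_h": link_test(M, m, v),
        "tau_passes": pairing_checks((r, Q, r * Q % p, u, r * u % p, u, v)),
        # A tau whose Y is not rQ is rejected by the last check.
        "bad_Y_rejected": not pairing_checks(
            (r, Q, (r * Q + 1) % p, u, r * u % p, u, v)),
    }

if __name__ == "__main__":
    print(demo())
```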
Blindness: Malicious-Key Model
[Figure: blindness game with labels pk_R, sk_R, (m_0, m_1), b ∼ {0, 1}, r, s ∼ Z_p^*, u, v ∼ Z_p^*, user message (m_b(sP) + rsuvP, rsP, suvP, sP), session 〈U(m_b, pk), ·〉, (τ_0, τ_1) and b*]
Embed ABDDH+ instance
Compute τ by rewinding
- ABDDH+ assumption: hard to distinguish ruvP from random given: rP, uP, uvP, uP, vP
- ABDDH+ ⇒ DDH
- Hard in generic group model
Blindness: Malicious-Key Model...
[Figure: two runs of the game on pk and (m_0, m_1): one labelled "No embedding" with c ∼ {0, 1} and two sessions 〈U(m_c, pk), ·〉; one labelled "Embed" with b ∼ {0, 1}, two sessions 〈U(m_b, pk), ·〉, (τ_0, τ_1), ChgRep_R(∗) and b*]
- Multiple rewinds required: fails for single rewind!
Comparison
                [GG14]   [FHS15]           This work
Assumption      DLIN     Interactive DDH   ABDDH+
Public-key      43G      1G1 + 3G2         4G2
Communication   > 41G    4G1 + 1G2         6G1 + 1G2
Signatures      183G     4G1 + 1G2         7G1 + 3G2
Computation     9e       7e                14e
References
[AFG+10] M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo. Structure-Preserving Signatures and Commitments to Group Elements.
[FHS15] G. Fuchsbauer, C. Hanser and D. Slamanig. Practical Round-Optimal Blind Signatures in the Standard Model. CRYPTO 2015.
[FS10] M. Fischlin and D. Schroder. On the Impossibility of Three-Move Blind Signature Schemes. EUROCRYPT 2010.
[GG14] S. Garg and D. Gupta. Efficient Round Optimal Blind Signatures. EUROCRYPT 2014.
[GRS+11] S. Garg, V. Rao, A. Sahai, D. Schroder and D. Unruh. Round Optimal Blind Signatures. CRYPTO 2011.