Practical Round-Optimal Blind Signatures in theStandard Model from Weaker Assumptions

G. Fuchsbauer∗, C. Hanser† C. Kamath‡, and D. Slamanig†

∗Ecole Normale Superieure, Paris†IAIK, Graz University of Technology, Austria‡Institute of Science and Technology Austria

September 2, 2016

1 / 22

Blind Signatures

Blindness! Unforgeability!

xkcd.com2 / 22

Overview

I Desiderata:

1. Round-optimality (hence efficiency and composability)2. No heuristic assumptions3. No set-up assumptions

I Hard to construct: [FS10]

I Possibility: [GG14,GRS+11]

I First practical scheme: [FHS15]I SPS-EQ + commitmentsI CDH, EUF-CMA =⇒ UnforgeabilityI Interactive variant of DDH =⇒ Blindness

I Our contribution: weaker assumptions!

3 / 22

Preliminaries

I Asymmetric pairing e : G1 ×G2 → GT

I Bilinearity: e(aP, bP) = e(P, P)ab

I Non-degeneracy: e(P, P) 6= 1GT

I Efficiency: e(·, ·) efficiently computable

I Structure-Preserving Signatures [AFG+10]I Signing vector of group elementsI Signatures and PKs consist only of group elementsI Verification via

1. pairing-product equations2. group membership tests

4 / 22

SPS on Equivalence Classes

[(1, 1

)]

M

N

[(2, 1)]

Q

σM

SignR

σN

ChgRep R

I Equivalence relation ∼R on G`: M ∼R N ⇔ ∃µ ∈ Z∗p : N = µ ·MI SPS-EQ := SPS + “change representative” functionality

5 / 22

SPS-EQ: Security

[(1, 1

)]

M

N

σM

σN

ChgRep R

SignR

SignR

≈

I Class-hiding: ChgRepR(M , σ, µ, pk)≈SignR(µM , sk)I Malicious keys: ChgRepR(M , σ, µ, pk) uniform in space of

signatures on µMUnforgeability: EUF-CMA w.r.t ∼R

6 / 22

SPS-EQ: Security

[(1, 1

)]

[(2, 1)]

[(1,

2)]

[(1,

4)]

[(4, 1)]

I Class-hiding: ChgRepR(M , σ, µ, pk)≈SignR(µM , sk)I Malicious keys: ChgRepR(M , σ, µ, pk) uniform in space of

signatures on µMI Unforgeability: EUF-CMA w.r.t ∼R

7 / 22

Blind Signatures from SPS-EQ

8 / 22

FHS Blind SignatureI Bob:

1. Commits to m using Pedersen commitment C = mP + rQ2. Obtains signature π from Alice on random M ∼ [(C ,P)]R3. Derives σ on (C ,P) using ChgRepR4. Outputs τ = (σ, opening of C ) to Charlie

[(C,P

)]

m

1

(C ,P)

2

M

π

2

σ

3

9 / 22

sk = (skR, q)

pk = (pkR, (Q, Q) = q · (P, P))

m ∈ Z∗pr , s ∈ Z∗p

M = s · (mP + rQ,P)

π ← SignR(M , sk)

Pedersen Commitment

σ ← ChgRepR(M , π, 1/s, pkR)τ ← (σ,R = rP,T = rQ)

Opening

(m, τ)

VerifyR((mP + T ,P), σ, pkR)?= 1

e(R, Q)?= e(T , P)

10 / 22

Blindness: Honest-Key Model

(pk, sk)(m0,m1)

b ∼ {0, 1}

〈U(mb, pk), ·〉

〈U(mb, pk), ·〉

(τ0, τ1)

b∗

11 / 22

Blindness: Honest-Key Model...

((pkR, (Q, Q)), (skR, q))(m0,m1)

· · · (mb(sbP) + q(rbsbP),P) · · ·

· · · (mb(sbP) + q(rbsbP),P) · · ·

(τ0, τ1)

b ∼ {0, 1}rb, sb ∼ Z∗prb, sb ∼ Z∗p

b∗

Embed DDH instance (P, rP, sP, tP)

τ = (σ,R,T ) : σ = ChgRepR(·, ·, 1/s, ·)

SignR instead of ChgRepR

12 / 22

Blindness: Malicious-Key Model

〈U(mb, pk), ·〉

〈U(mb, pk), ·〉

(τ0, τ1)

b ∼ {0, 1}

(m0,m1)b∗(pk, sk)

pk

sk

13 / 22

Blindness: Malicious-Key Model...

· · · (mb(sbP) + q(rbsbP),P) · · ·

· · · (mb(sbP) + q(rbsbP),P) · · ·

(τ0, τ1)

b ∼ {0, 1}rb, sb ∼ Z∗prb, sb ∼ Z∗p

(pkR, (Q, Q)) (m0,m1)

b∗

(skR, q)

Unknown to Bob

τ cannot be computed without sk

I Solution:1. Interactive variant of DDH needed2. Rewind Alice to generate signatures (ChgRepR uniform)

14 / 22

Our construction

I Idea: Bob chooses parameters for commitmentI Must be perfectly binding

I Bob:

1. Chooses “one-time” keys (P,Q) for El-Gamal encryption2. Commits to m using C = mP + rQ3. Obtains signature π from Alice on M ∼ [(C , rP,Q,P)]R4. Derives σ on (C , rP,Q,P) using ChgRepR5. Outputs τ = (σ, opening of C ) to Charlie

15 / 22

pk = pkR

sk = skR

m ∈ Z∗pr , s ∈ Z∗p ,R = rPq ∈ Z∗p ,Q := qP

M = s · (mP + rQ,R,Q,P)

π ← SignR(M , sk)

σ ← ChgRepR(M , π, 1/s, pkR)

τ ← (σ,R,Q,Z = rQ, Q = qP)

(m, τ)

VerifyR((mP + Z ,R,Q,P), σ, pkR)?= 1

e(Q, P)?= e(P, Q), e(Z , P)

?= e(R, Q)

sR allows verification!

e(M1 −mM4)?= e(M2, Q)

Solution: split q

16 / 22

m ∈ Z∗pr, s ∈ Z∗p , R = rP

u, v ∈ Z∗p ,Q := uvP

pk = pkR

sk = skR

M = s · (mP + rQ, R,Q, P)

π ← SignR(M, sk)

σ ← ChgRepR(M, π, 1/s, pkR)

τ ← (σ, R,Q, Y = rQ,U = uP, X = ruP, U = uP, V = vP)

(m, τ)

VerifyR((mP + Y , R,Q, P), σ, pkR)?= 1

e(Q, P)?= e(U, V ), e(U, P)

?= e(P, U)

e(X , P)?= e(R, U), e(Y , P)

?= e(X , V )

17 / 22

Blindness: Malicious-Key Model

(mb(sP) + rsuvP, rsP, suvP, sP)

〈U(mb, pk), ·〉

(τ0, τ1)

b ∼ {0, 1}r , s ∼ Z∗pu, v ∼ Z∗p

pkR (m0,m1)b∗

skR

Embed ABDDH+ instance

Compute τ by rewinding

I ABDDH+ assumption: hard to distinguish ruvP from randomgiven: rP, uP, uvP, uP, vP

I ABDDH+ =⇒ DDHI Hard in generic group model

18 / 22

Blindness: Malicious-Key Model...

pk (m0,m1)

c ∼ {0, 1}

〈U(mc, pk), ·〉

〈U(mc, pk), ·〉

No embedding

(σ00, σ

01)

∗

pk (m0,m1)

b ∼ {0, 1}〈U(m

b , pk), ·〉〈U(mb , pk), ·〉

Embed(τ0 , τ1)

ChgRepR(∗)

b∗

I Multiple rewinds required: fails for single rewind!19 / 22

Comparison

[GG14] [FHS15] This work

Assumption DLIN Interactive DDH ABDDH+

Public-key 43G 1G1 + 3G2 4G2

Communication > 41G 4G1 + 1G2 6G1 + 1G2

Signatures 183G 4G1 + 1G2 7G1 + 3G2

Computation 9e 7e 14e

20 / 22

References

AFG+10 M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. OhkuboStructure-Preserving Signatures and Commitments to Group Elements.

FHS15 G. Fuchsbauer, C. Hanser and D. Slamanig. Practical Round-OptimalBlind Signatures in the Standard Model. CRYPTO 2015

FS10 M. Fischlin and D. Schroder. On the Impossibility of Three-Move BlindSignature Schemes. EUROCRYPT 2010

GG14 S. Garg and D. Gupta. Efficient Round Optimal Blind Signatures.EUROCRYPT 2014

GRS+11 S. Garg, V. Rao, A. Sahai, D. Schroder and D. Unruh. Round OptimalBlind Signatures. CRYPTO 2011

21 / 22