Advances in Cryptology – CRYPTO 2010

Volume 6223 of the series Lecture Notes in Computer Science pp 209-236

Structure-Preserving Signatures and Commitments to Group Elements

  • Masayuki AbeAffiliated withInformation Sharing Platform Laboratories, NTT Corporation
  • , Georg FuchsbauerAffiliated withÉcole normale supérieure, CNRS - INRIA, Paris
  • , Jens GrothAffiliated withUniversity College London
  • , Kristiyan HaralambievAffiliated withComputer Science Department, New York University
  • , Miyako OhkuboAffiliated withNational Institute of Information and Communications Technology


A modular approach for cryptographic protocols leads to a simple design but often inefficient constructions. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest structure-preserving commitments and signatures to overcome this dilemma and provide a way to construct modular protocols with reasonable efficiency, while retaining conceptual simplicity.

We focus on schemes in bilinear groups that preserve parts of the group structure, which makes it easy to combine them with other primitives such as non-interactive zero-knowledge proofs for bilinear groups.

We say that a signature scheme is structure-preserving if its verification keys, signatures, and messages are elements in a bilinear group, and the verification equation is a conjunction of pairing-product equations. If moreover the verification keys lie in the message space, we call them automorphic. We present several efficient instantiations of automorphic and structure-preserving signatures, enjoying various other additional properties, such as simulatability. Among many applications, we give three examples: adaptively secure round-optimal blind signature schemes, a group signature scheme with efficient concurrent join, and an efficient instantiation of anonymous proxy signatures.

A further contribution is homomorphic trapdoor commitments to group elements which are also length reducing. In contrast, the messages of previous homomorphic trapdoor commitment schemes are exponents.