International Conference on the Theory and Application of Cryptology and Information Security

ASIACRYPT 2010: Advances in Cryptology - ASIACRYPT 2010 pp 519-538

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures

  • Sarah Meiklejohn
  • Hovav Shacham
  • David Mandell Freeman
Conference paper

DOI: 10.1007/978-3-642-17373-8_30

Volume 6477 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Meiklejohn S., Shacham H., Freeman D.M. (2010) Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures. In: Abe M. (eds) Advances in Cryptology - ASIACRYPT 2010. ASIACRYPT 2010. Lecture Notes in Computer Science, vol 6477. Springer, Berlin, Heidelberg


Beginning with the work of Groth and Sahai, there has been much interest in transforming pairing-based schemes in composite-order groups to equivalent ones in prime-order groups. A method for achieving such transformations has recently been proposed by Freeman, who identified two properties of pairings using composite-order groups—“cancelling” and “projecting”—on which many schemes rely, and showed how either of these properties can be obtained using prime-order groups.

In this paper, we give evidence for the existence of limits to such transformations. Specifically, we show that a pairing generated in a natural way from the Decision Linear assumption in prime-order groups can be simultaneously cancelling and projecting only with negligible probability.

As evidence that these properties can be helpful together as well as individually, we present a cryptosystem whose proof of security makes use of a pairing that is both cancelling and projecting. Our example cryptosystem is a simple round-optimal blind signature scheme that is secure in the common reference string model, without random oracles, and based on mild assumptions; it is of independent interest.

Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2010

Authors and Affiliations

  • Sarah Meiklejohn
    • 1
  • Hovav Shacham
    • 1
  • David Mandell Freeman
    • 2
  1. 1.University of CaliforniaSan Diego, La JollaUSA
  2. 2.Stanford UniversityStanfordUSA