Abstract
Partially blind signatures, an extension of ordinary blind signatures, are a primitive with wide applications in e-cash and electronic voting. One of the most efficient schemes to date is the one by Abe and Okamoto (CRYPTO 2000), whose underlying idea—the OR-proof technique—has served as the basis for several works.
We point out several subtle flaws in the original proof of security, and provide a new detailed and rigorous proof, achieving similar bounds as the original work. We believe our insights on the proof strategy will find useful in the security analyses of other OR-proof-based schemes.
J. Kastner—Work done while supported by ERC Project PREP-CRYPTO 724307.
J. Loss—Work done while at University of Maryland.
J. Xu—Work done while at George Mason University.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Due to the WI property of the scheme, for any \((\textbf{I},\textsf{rand},\overrightarrow{h})\), there exists a corresponding triple \((\textbf{I}',\textsf{rand},\overrightarrow{h})\) that contains the other witness and produces the same transcript as \((\textbf{I},\textsf{rand},\overrightarrow{h})\). This means that the same witness w could have been extracted from a pair of partnering runs \((\textbf{I},\textsf{rand},\overrightarrow{h})\), \((\textbf{I},\textsf{rand},\overrightarrow{h}')\), or from \((\textbf{I}',\textsf{rand},\overrightarrow{h})\), \((\textbf{I}',\textsf{rand},\overrightarrow{h}')\), where one of \(\textbf{I}\) and \(\textbf{I}'\) contains w, and the other instance does not.
- 2.
We stress that simply replacing a triple \((\textbf{I},\textsf{rand},\overrightarrow{h})\) with an indistinguishable triple \((\textbf{I}',\textsf{rand},\overrightarrow{h})\) is not sufficient to solve this problem. Indeed, one might hope that since the adversary can not detect this change, an unsuccessful side may become successful when switching from \(\textbf{I}\) to \(\textbf{I}'\), as the desired witness would flip. However, a successful forking pair \(((\textbf{I}',\textsf{rand},\overrightarrow{h}),(\textbf{I}',\textsf{rand},\overrightarrow{h}'))\) need only exist if \(((\textbf{I},\textsf{rand},\overrightarrow{h}),(\textbf{I},\textsf{rand},\overrightarrow{h}'))\) is a base. The same is not true, in general, for sides, as their endpoints may not (and generally do not) yield the same transcript. Because of this, an unsuccessful side \(((\textbf{I},\textsf{rand},\overrightarrow{h}),(\textbf{I},\textsf{rand},\overrightarrow{h}'))\) might not even be part of a triangle side when switching witnesses from \(\textbf{I}\) to \(\textbf{I}'\).
- 3.
See the top of [4, p. 285], where the reduction’s advantage includes a term \(\eta _1^2\), where \(\eta _1 = \eta /2Q_h^{\ell +1}\) and \(\eta \) is the adversary’s advantage.
- 4.
This is because \(E(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) \cap E(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2) \ne \emptyset \) implies that \(\textbf{I}_1 = \textbf{I}_2\), \(\textsf{rand}_1 = \textsf{rand}_2\), and \(\overrightarrow{e}(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) = \overrightarrow{e}(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2)\), which in turn implies that \(E(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) = E(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2)\).
References
Abe, M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136–151. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_9
Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851
Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_26
Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_17
Alkeilani Alkadri, N., Harasser, P., Janson, C.: BlindOR: an efficient lattice-based blind signature scheme from OR-proofs. In: Conti, M., Stevens, M., Krenn, S. (eds.) CANS 2021. LNCS, vol. 13099, pp. 95–115. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92548-2_6
Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: ACM CCS 2013 (2013)
Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ROS. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 33–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_2
Camenisch, J.L., Piveteau, J.-M., Stadler, M.A.: Blind signatures based on the discrete logarithm problem (rump session). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 428–432. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053458
Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_33
Cao, T., Lin, D., Xue, R.: A randomized RSA-based partially blind signature scheme for electronic cash. Comput. Secur. 24, 44–49 (2005)
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_15
Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_25
Chow, S.S.M., Hui, L.C.K., Yiu, S.M., Chow, K.P.: Two improved partially blind signature schemes from bilinear pairings. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 316–328. Springer, Heidelberg (2005). https://doi.org/10.1007/11506157_27
Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19
Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_4
Fischlin, M., Schröder, D.: Security of blind signatures under aborts. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 297–316. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_17
Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_66
Hanatani, Y., Komano, Y., Ohta, K., Kunihiro, N.: Provably secure electronic cash based on blind multisignature schemes. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 236–250. Springer, Heidelberg (2006). https://doi.org/10.1007/11889663_20
Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18
Hazay, C., Katz, J., Koo, C.-Y., Lindell, Y.: Concurrently-secure blind signatures without random oracles or setup assumptions. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_18
Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures (extended abstract). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052233
Kastner, J., Loss, J., Xu, J.: On pairing-free blind signature schemes in the algebraic group model. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 468–497. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_16
Kastner, J., Loss, J., Xu, J.: The Abe-Okamoto partially blind signature scheme revisited cryptology. ePrint Archive, Paper 2022/1232 (2022)
Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Round-optimal blind signatures in the plain model from classical and quantum standard assumptions. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 404–434. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_15
Maitland, G., Boyd, C.: A provably secure restrictive partially blind signature scheme. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 99–114. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_7
Martinet, G., Poupard, G., Sola, P.: Cryptanalysis of a partially blind signature scheme or \(how\,to\,make\,\$100\,bills\,with\,\$1\,and\,\$2\,ones\). In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 171–176. Springer, Heidelberg (2006). https://doi.org/10.1007/11889663_15
Okamoto, T.: Efficient blind and partially blind signatures without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 80–99. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_5
Papachristoudis, D., Hristu-Varsakelis, D., Baldimtsi, F., Stephanides, G.: Leakage-resilient lattice-based partially blind signatures (2019)
Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 252–265. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034852
Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13, 361–396 (2000)
Rückert, M.: Lattice-based blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 413–430. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_24
Schnorr, C.P.: Security of blind discrete log signatures against interactive attacks. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 1–12. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45600-7_1
Schröder, D., Unruh, D.: Security of blind signatures revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 662–679. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_39
Tessaro, S., Zhu, C.: Short Pairing-free blind signatures with exponential security. Cryptology ePrint Archive, Report 2022/047 (2022)
Tyagi, N., et al.: A fast and simple partially oblivious PRF, with applications. Cryptology ePrint Archive, Report 2021/864 (2021)
Yi, X., Lam, K.-Y.: A new blind ECDSA scheme for bitcoin transaction anonymity. In: ASIACCS 2019 (2019)
Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 191–204. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_14
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 International Association for Cryptologic Research
About this paper
Cite this paper
Kastner, J., Loss, J., Xu, J. (2022). The Abe-Okamoto Partially Blind Signature Scheme Revisited. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13794. Springer, Cham. https://doi.org/10.1007/978-3-031-22972-5_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-22972-5_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-22971-8
Online ISBN: 978-3-031-22972-5
eBook Packages: Computer ScienceComputer Science (R0)