
The Abe-Okamoto Partially Blind Signature Scheme Revisited

Conference paper, in Advances in Cryptology – ASIACRYPT 2022 (ASIACRYPT 2022)

Abstract

Partially blind signatures, an extension of ordinary blind signatures, are a primitive with wide applications in e-cash and electronic voting. One of the most efficient schemes to date is the one by Abe and Okamoto (CRYPTO 2000), whose underlying idea—the OR-proof technique—has served as the basis for several works.

We point out several subtle flaws in the original proof of security, and provide a new detailed and rigorous proof, achieving similar bounds as the original work. We believe our insights on the proof strategy will prove useful in the security analyses of other OR-proof-based schemes.

J. Kastner—Work done while supported by ERC Project PREP-CRYPTO 724307.

J. Loss—Work done while at University of Maryland.

J. Xu—Work done while at George Mason University.


Notes

  1. Due to the WI property of the scheme, for any \((\textbf{I},\textsf{rand},\overrightarrow{h})\), there exists a corresponding triple \((\textbf{I}',\textsf{rand},\overrightarrow{h})\) that contains the other witness and produces the same transcript as \((\textbf{I},\textsf{rand},\overrightarrow{h})\). This means that the same witness w could have been extracted from a pair of partnering runs \((\textbf{I},\textsf{rand},\overrightarrow{h})\), \((\textbf{I},\textsf{rand},\overrightarrow{h}')\), or from \((\textbf{I}',\textsf{rand},\overrightarrow{h})\), \((\textbf{I}',\textsf{rand},\overrightarrow{h}')\), where one of \(\textbf{I}\) and \(\textbf{I}'\) contains w, and the other instance does not.

  2. We stress that simply replacing a triple \((\textbf{I},\textsf{rand},\overrightarrow{h})\) with an indistinguishable triple \((\textbf{I}',\textsf{rand},\overrightarrow{h})\) is not sufficient to solve this problem. Indeed, one might hope that since the adversary cannot detect this change, an unsuccessful side may become successful when switching from \(\textbf{I}\) to \(\textbf{I}'\), as the desired witness would flip. However, a successful forking pair \(((\textbf{I}',\textsf{rand},\overrightarrow{h}),(\textbf{I}',\textsf{rand},\overrightarrow{h}'))\) need only exist if \(((\textbf{I},\textsf{rand},\overrightarrow{h}),(\textbf{I},\textsf{rand},\overrightarrow{h}'))\) is a base. The same is not true, in general, for sides, as their endpoints may not (and generally do not) yield the same transcript. Because of this, an unsuccessful side \(((\textbf{I},\textsf{rand},\overrightarrow{h}),(\textbf{I},\textsf{rand},\overrightarrow{h}'))\) might not even be part of a triangle side when switching witnesses from \(\textbf{I}\) to \(\textbf{I}'\).

  3. See the top of [4, p. 285], where the reduction’s advantage includes a term \(\eta _1^2\), where \(\eta _1 = \eta /2Q_h^{\ell +1}\) and \(\eta \) is the adversary’s advantage.

  4. This is because \(E(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) \cap E(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2) \ne \emptyset \) implies that \(\textbf{I}_1 = \textbf{I}_2\), \(\textsf{rand}_1 = \textsf{rand}_2\), and \(\overrightarrow{e}(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) = \overrightarrow{e}(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2)\), which in turn implies that \(E(\textbf{I}_1,\textsf{rand}_1,\overrightarrow{h}_1) = E(\textbf{I}_2,\textsf{rand}_2,\overrightarrow{h}_2)\).
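Notes 1 and 2 rest on the witness indistinguishability of the OR-proof: every transcript is reachable from either witness, so the "other" triple with the same transcript always exists. The following is an added example, not code from the paper, showing this on a toy Schnorr-style OR-proof in the Cramer-Damgård-Schoenmakers form (reference 15) over a tiny group of order 11; the group parameters, the functions `prove`, `verify` and `randomness_for_other_witness`, and the use of `rand` as the prover's complete randomness are assumptions of this example.

```python
# Toy Schnorr OR-proof ("I know x0 with y0 = g^x0 OR x1 with y1 = g^x1").
# Illustrates witness indistinguishability: a transcript produced with
# one witness is reproduced exactly by the holder of the other witness
# once the prover randomness is re-derived from the transcript.
# Constructed example with toy parameters; not the paper's code.
P, Q, G = 23, 11, 4   # G = 4 generates the order-11 subgroup of Z_23^*

def keygen(x):
    """Public key y = g^x for witness x (toy group)."""
    return pow(G, x, P)

def prove(b, x_b, ys, e, rand):
    """Prover holding witness x_b for ys[b], with challenge e.
    rand = (r, e_sim, z_sim): r is the nonce of the real side b,
    (e_sim, z_sim) simulate the other side 1-b.
    Returns the transcript (A0, A1, e, e0, e1, z0, z1)."""
    r, e_sim, z_sim = rand
    o = 1 - b
    A = [None, None]
    A[b] = pow(G, r, P)                                   # real commitment
    A[o] = pow(G, z_sim, P) * pow(ys[o], (-e_sim) % Q, P) % P  # simulated
    es, zs = [None, None], [None, None]
    es[o], zs[o] = e_sim % Q, z_sim % Q
    es[b] = (e - e_sim) % Q                               # challenge split
    zs[b] = (r + es[b] * x_b) % Q                         # real response
    return (A[0], A[1], e % Q, es[0], es[1], zs[0], zs[1])

def verify(ys, t):
    """Standard OR-proof check: challenges add up, both sides verify."""
    A0, A1, e, e0, e1, z0, z1 = t
    ok_sum = (e0 + e1) % Q == e
    ok0 = pow(G, z0, P) == A0 * pow(ys[0], e0, P) % P
    ok1 = pow(G, z1, P) == A1 * pow(ys[1], e1, P) % P
    return ok_sum and ok0 and ok1

def randomness_for_other_witness(t, b, x_other):
    """Given transcript t produced with witness b, return the rand tuple
    that makes the prover holding witness 1-b output the very same t:
    side 1-b becomes the real side (nonce recovered from its response),
    side b becomes the simulated side (its challenge/response reused)."""
    A0, A1, e, e0, e1, z0, z1 = t
    o = 1 - b
    es, zs = (e0, e1), (z0, z1)
    r_other = (zs[o] - es[o] * x_other) % Q
    return (r_other, es[b], zs[b])
```

The switch works because g^{z - e·x} equals the simulated commitment g^{z}·y^{-e} when y = g^x, so neither side of the transcript reveals which witness was used.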

References

  1. Abe, M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136–151. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_9

  2. Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851

  3. Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_26

  4. Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_17

  5. Alkeilani Alkadri, N., Harasser, P., Janson, C.: BlindOR: an efficient lattice-based blind signature scheme from OR-proofs. In: Conti, M., Stevens, M., Krenn, S. (eds.) CANS 2021. LNCS, vol. 13099, pp. 95–115. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92548-2_6

  6. Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: ACM CCS 2013 (2013)

  7. Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ROS. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 33–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_2

  8. Camenisch, J.L., Piveteau, J.-M., Stadler, M.A.: Blind signatures based on the discrete logarithm problem (rump session). In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 428–432. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053458

  9. Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_33

  10. Cao, T., Lin, D., Xue, R.: A randomized RSA-based partially blind signature scheme for electronic cash. Comput. Secur. 24, 44–49 (2005)

  11. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston (1983). https://doi.org/10.1007/978-1-4757-0602-4_18

  12. Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_15

  13. Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_25

  14. Chow, S.S.M., Hui, L.C.K., Yiu, S.M., Chow, K.P.: Two improved partially blind signature schemes from bilinear pairings. In: Boyd, C., González Nieto, J.M. (eds.) ACISP 2005. LNCS, vol. 3574, pp. 316–328. Springer, Heidelberg (2005). https://doi.org/10.1007/11506157_27

  15. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_19

  16. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_4

  17. Fischlin, M., Schröder, D.: Security of blind signatures under aborts. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 297–316. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_17

  18. Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_66

  19. Hanatani, Y., Komano, Y., Ohta, K., Kunihiro, N.: Provably secure electronic cash based on blind multisignature schemes. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 236–250. Springer, Heidelberg (2006). https://doi.org/10.1007/11889663_20

  20. Hauck, E., Kiltz, E., Loss, J., Nguyen, N.K.: Lattice-based blind signatures, revisited. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020, Part II. LNCS, vol. 12171, pp. 500–529. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56880-1_18

  21. Hazay, C., Katz, J., Koo, C.-Y., Lindell, Y.: Concurrently-secure blind signatures without random oracles or setup assumptions. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_18

  22. Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures (extended abstract). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997). https://doi.org/10.1007/BFb0052233

  23. Kastner, J., Loss, J., Xu, J.: On pairing-free blind signature schemes in the algebraic group model. In: Hanaoka, G., Shikata, J., Watanabe, Y. (eds.) PKC 2022. LNCS, vol. 13178, pp. 468–497. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-97131-1_16

  24. Kastner, J., Loss, J., Xu, J.: The Abe-Okamoto partially blind signature scheme revisited. Cryptology ePrint Archive, Paper 2022/1232 (2022)

  25. Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Round-optimal blind signatures in the plain model from classical and quantum standard assumptions. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021, Part I. LNCS, vol. 12696, pp. 404–434. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_15

  26. Maitland, G., Boyd, C.: A provably secure restrictive partially blind signature scheme. In: Naccache, D., Paillier, P. (eds.) PKC 2002. LNCS, vol. 2274, pp. 99–114. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45664-3_7

  27. Martinet, G., Poupard, G., Sola, P.: Cryptanalysis of a partially blind signature scheme or how to make $100 bills with $1 and $2 ones. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 171–176. Springer, Heidelberg (2006). https://doi.org/10.1007/11889663_15

  28. Okamoto, T.: Efficient blind and partially blind signatures without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 80–99. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_5

  29. Papachristoudis, D., Hristu-Varsakelis, D., Baldimtsi, F., Stephanides, G.: Leakage-resilient lattice-based partially blind signatures (2019)

  30. Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 252–265. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034852

  31. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13, 361–396 (2000)

  32. Rückert, M.: Lattice-based blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 413–430. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_24

  33. Schnorr, C.P.: Security of blind discrete log signatures against interactive attacks. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 1–12. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45600-7_1

  34. Schröder, D., Unruh, D.: Security of blind signatures revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 662–679. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_39

  35. Tessaro, S., Zhu, C.: Short pairing-free blind signatures with exponential security. Cryptology ePrint Archive, Report 2022/047 (2022)

  36. Tyagi, N., et al.: A fast and simple partially oblivious PRF, with applications. Cryptology ePrint Archive, Report 2021/864 (2021)

  37. Yi, X., Lam, K.-Y.: A new blind ECDSA scheme for bitcoin transaction anonymity. In: ASIACCS 2019 (2019)

  38. Zhang, F., Safavi-Naini, R., Susilo, W.: Efficient verifiably encrypted signature and partially blind signature from bilinear pairings. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 191–204. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-24582-7_14


Author information

Corresponding author: Julia Kastner.


Copyright information

© 2022 International Association for Cryptologic Research


Cite this paper

Kastner, J., Loss, J., Xu, J. (2022). The Abe-Okamoto Partially Blind Signature Scheme Revisited. In: Agrawal, S., Lin, D. (eds) Advances in Cryptology – ASIACRYPT 2022. ASIACRYPT 2022. Lecture Notes in Computer Science, vol 13794. Springer, Cham. https://doi.org/10.1007/978-3-031-22972-5_10


  • DOI: https://doi.org/10.1007/978-3-031-22972-5_10


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22971-8

  • Online ISBN: 978-3-031-22972-5
