Journal of Cryptology, Volume 29, Issue 2, pp 363–421

Structure-Preserving Signatures and Commitments to Group Elements

  • Masayuki Abe
  • Georg Fuchsbauer
  • Jens Groth
  • Kristiyan Haralambiev
  • Miyako Ohkubo
Article

Abstract

A modular approach to constructing cryptographic protocols leads to simple designs but often inefficient instantiations. On the other hand, ad hoc constructions may yield efficient protocols at the cost of losing conceptual simplicity. We suggest a new design paradigm, structure-preserving cryptography, that provides a way to construct modular protocols with reasonable efficiency while retaining conceptual simplicity. A cryptographic scheme over a bilinear group is called structure-preserving if its public inputs and outputs consist of elements from the bilinear groups and their consistency can be verified by evaluating pairing-product equations. As structure-preserving schemes smoothly interoperate with each other, they are useful as building blocks in modular design of cryptographic applications. This paper introduces structure-preserving commitment and signature schemes over bilinear groups with several desirable properties. The commitment schemes include homomorphic, trapdoor and length-reducing commitments to group elements, and the structure-preserving signature schemes are the first ones that yield constant-size signatures on multiple group elements. A structure-preserving signature scheme is called automorphic if the public keys lie in the message space, which cannot be achieved by compressing inputs via a cryptographic hash function, as this would destroy the mathematical structure we are trying to preserve. Automorphic signatures can be used for building certification chains underlying privacy-preserving protocols. Among a vast number of applications of structure-preserving protocols, we present an efficient round-optimal blind-signature scheme and a group signature scheme with an efficient and concurrently secure protocol for enrolling new members.

Keywords

Structure-preserving cryptography; Structure-preserving signatures; Automorphic signatures; Homomorphic commitments; Groth–Sahai proofs; Group signatures; Blind signatures


Copyright information

© International Association for Cryptologic Research 2015

Authors and Affiliations

  • Masayuki Abe (1)
  • Georg Fuchsbauer (2)
  • Jens Groth (3)
  • Kristiyan Haralambiev (4)
  • Miyako Ohkubo (5)

  1. NTT Secure Platform Laboratories, Musashino-shi, Japan
  2. Institute of Science and Technology Austria, Klosterneuburg, Austria
  3. Department of Computer Science, University College London, London, UK
  4. IBM Research - Zurich, Zurich, Switzerland
  5. Security Fundamentals Laboratory, NSR, NICT, Koganei, Japan
