# Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials

## Abstract

Structure-preserving signatures (SPS) are a powerful building block for cryptographic protocols. We introduce SPS on equivalence classes (SPS-EQ), which allow joint randomization of messages and signatures. Messages are projective equivalence classes defined on group-element vectors, so multiplying a vector by a scalar yields a different representative of the same class. Our scheme lets one adapt a signature for one representative to a signature for another representative without knowledge of any secret. Moreover, given a signature, an adapted signature for a different representative is indistinguishable from a fresh signature on a random message. We propose a definitional framework for SPS-EQ and an efficient construction in Type-3 bilinear groups, which we prove secure against generic forgers. We also introduce set-commitment schemes that let one open subsets of the committed set. From this and SPS-EQ, we then build an efficient multi-show attribute-based anonymous credential system for an arbitrary number of attributes. Our ABC system avoids costly zero-knowledge proofs and only requires a short interactive proof to thwart replay attacks. It is the first credential system whose bandwidth required for credential showing is independent of the number of its attributes, i.e., constant-size. We propose strengthened game-based security definitions for ABC and prove our scheme anonymous against malicious organizations in the standard model; finally, we discuss a concurrently secure variant in the CRS model.

## Keywords

Public-key cryptography Pairing-based cryptography Structure-preserving signatures Attribute-based anonymous credentials Set commitments## Notes

### Acknowledgements

Work started while the first author was at IST Austria and supported by the European Research Council, ERC Starting Grant (259668-PSPC); now supported by the French ANR EfTrEC project (ANR-16-CE39-0002). Work has been done while the second and third authors were at IAIK, Graz University of Technology. The second author has been supported by the European Commission through projects FP7-MATTHEW (GA No. 610436) and FP7-FutureID (GA No. 318424). The work of the last author has been supported by the European Commission through project FP7-FutureID (GA No. 318424) and by EU Horizon 2020 through project Prismacloud (GA No. 644962).

## References

- 1.J.H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, A. Shelat, B. Waters, Computing on authenticated data, in Ronald Cramer, editor,
*TCC 2012*, volume 7194 of*LNCS*. (Springer, Heidelberg, March 2012), pp. 1–20Google Scholar - 2.M. Abe, M. Chase, B. David, M. K., R. Nishimaki, M. Ohkubo, Constant-size structure-preserving signatures: Generic constructions and simple assumptions, in Xiaoyun Wang and Kazue Sako, editors,
*ASIACRYPT 2012*, volume 7658 of*LNCS*. (Springer, Heidelberg, 2012), pp. 4–24Google Scholar - 3.M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure-preserving signatures and commitments to group elements, in Tal Rabin, editor,
*CRYPTO 2010*, volume 6223 of*LNCS*. (Springer, Heidelberg, August 2010), pp. 209–236Google Scholar - 4.M. Abe, J. Groth, K. Haralambiev, M. Ohkubo, Optimal structure-preserving signatures in asymmetric bilinear groups, in Phillip Rogaway, editor,
*CRYPTO 2011*, volume 6841 of*LNCS*. (Springer, Heidelberg, August 2011), pp. 649–666Google Scholar - 5.M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Structure-preserving signatures from type II pairings, in Juan A. Garay and Rosario Gennaro, editors,
*CRYPTO 2014, Part I*, volume 8616 of*LNCS*. (Springer, Heidelberg, August 2014), pp. 390–407Google Scholar - 6.M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Unified, minimal and selectively randomizable structure-preserving signatures, in Yehuda Lindell, editor,
*TCC 2014*, volume 8349 of*LNCS*. (Springer, Heidelberg, February 2014), pp. 688–712Google Scholar - 7.M. Abe, D. Hofheinz, R. Nishimaki, M. Ohkubo, J. Pan, Compact structure-preserving signatures with almost tight security, in Jonathan Katz and Hovav Shacham, editors,
*CRYPTO 2017, Part II*, volume 10402 of*LNCS*. (Springer, Heidelberg, August 2017), pp. 548–580Google Scholar - 8.M. Abe, K. Haralambiev, M. Ohkubo, Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133, (2010). http://eprint.iacr.org/2010/133
- 9.M. Abe, M. Kohlweiss, M. Ohkubo, M. Tibouchi, Fully structure-preserving signatures and shrinking commitments, in Elisabeth Oswald and Marc Fischlin, editors,
*EUROCRYPT 2015, Part II*, volume 9057 of*LNCS*. (Springer, Heidelberg, April 2015), pp. 35–65Google Scholar - 10.N. Attrapadung, B. Libert, T. Peters, Computing on authenticated data: New privacy definitions and constructions, in Xiaoyun Wang and Kazue Sako, editors,
*ASIACRYPT 2012*, volume 7658 of*LNCS*. (Springer, Heidelberg, December 2012), pp. 367–385Google Scholar - 11.N. Attrapadung, B. Libert, T. Peters, Efficient completely context-hiding quotable and linearly homomorphic signatures, in K. Kurosawa and G. Hanaoka, editors,
*PKC 2013*, volume 7778 of*LNCS*. (Springer, Heidelberg, February/March 2013), pp. 386–404Google Scholar - 12.N. Akagi, Y. Manabe, T. Okamoto, An efficient anonymous credential system, in G. Tsudik, editor,
*FC 2008*, volume 5143 of*LNCS*. (Springer, Heidelberg, January 2008), pp. 272–286Google Scholar - 13.M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-TAA, in R. De Prisco and M. Yung, editors,
*SCN 06*, volume 4116 of*LNCS*. (Springer, Heidelberg, September 2006), pp. 111–125Google Scholar - 14.D. Boneh, X. Boyen, Short signatures without random oracles, in C. Cachin and J. Camenisch, editors,
*EUROCRYPT 2004*, volume 3027 of*LNCS*. (Springer, Heidelberg, May 2004), pp. 56–73Google Scholar - 15.D. Boneh, X. Boyen, E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext, in R. Cramer, editor,
*EUROCRYPT 2005*, volume 3494 of*LNCS*. (Springer, Heidelberg, May 2005), pp. 440–456Google Scholar - 16.D. Boneh, X. Boyen, H. Shacham, Short group signatures, in M. Franklin, editor,
*CRYPTO 2004*, volume 3152 of*LNCS*. (Springer, Heidelberg, August 2004), pp. 41–55Google Scholar - 17.D. Boneh, H. Corrigan-Gibbs, Bivariate polynomials modulo composites and their applications, in P. Sarkar and T. Iwata, editors,
*ASIACRYPT 2014, Part I*, volume 8873 of*LNCS*. (Springer, Heidelberg, December 2014), pp. 42–62Google Scholar - 18.M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, H. Shacham, Randomizable proofs and delegatable anonymous credentials, in S. Halevi, editor,
*CRYPTO 2009*, volume 5677 of*LNCS*. (Springer, Heidelberg, August 2009), pp. 108–125Google Scholar - 19.M. Belenkiy, M. Chase, M. Kohlweiss, A. Lysyanskaya, P-signatures and noninteractive anonymous credentials, in R. Canetti, editor,
*TCC 2008*, volume 4948 of*LNCS*. (Springer, Heidelberg, March 2008), pp. 356–374Google Scholar - 20.G. Barthe, E. Fagerholm, D. Fiore, A. Scedrov, B. Schmidt, M. Tibouchi, Strongly-optimal structure preserving signatures from type II pairings: Synthesis and lower bounds, in J. Katz, editor,
*PKC 2015*, volume 9020 of*LNCS*. (Springer, Heidelberg, March/April 2015), pp. 355–376Google Scholar - 21.D. Boneh, D. Freeman, J. Katz, B. Waters, Signing a linear subspace: Signature schemes for network coding, in S. Jarecki and G. Tsudik, editors,
*PKC 2009*, volume 5443 of*LNCS*. (Springer, Heidelberg, March 2009), pp. 68–87Google Scholar - 22.O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Signatures on randomizable ciphertexts, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors,
*PKC 2011*, volume 6571 of*LNCS*. (Springer, Heidelberg, March 2011), pp. 403–422Google Scholar - 23.M. Bellare, G. Fuchsbauer, A. Scafuro, NIZKs with an untrusted CRS: Security in the face of parameter subversion, in J. H. Cheon and T. Takagi, editors,
*ASIACRYPT 2016, Part II*, volume 10032 of*LNCS*. (Springer, Heidelberg, December 2016), pp. 777–804Google Scholar - 24.F. Baldimtsi, A. Lysyanskaya, Anonymous credentials light, in A.-R. Sadeghi, V.D. Gligor, and M. Yung, editors,
*ACM CCS 13*. (ACM Press, November 2013), pp. 1087–1098Google Scholar - 25.P.S.L.M. Barreto, M. Naehrig, Pairing-friendly elliptic curves of prime order, in B. Preneel and S. Tavares, editors,
*SAC 2005*, volume 3897 of*LNCS*. (Springer, Heidelberg, August 2006), pp. 319–331Google Scholar - 26.X. Boyen, The uber-assumption family (invited talk), in S.D. Galbraith and K.G. Paterson, editors,
*PAIRING 2008*, volume 5209 of*LNCS*. (Springer, Heidelberg, 2008), pp. 39–56Google Scholar - 27.N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in W. Fumy, editor,
*EUROCRYPT’97*, volume 1233 of*LNCS*. (Springer, Heidelberg, May 1997), pp. 480–494Google Scholar - 28.S. Brands,
*Rethinking public-key Infrastructures and Digital Certificates: Building in Privacy*. (MIT Press, 2000)Google Scholar - 29.M. Bellare, H. Shi, C. Zhang, Foundations of group signatures: The case of dynamic groups, in A. Menezes, editor,
*CT-RSA 2005*, volume 3376 of*LNCS*. (Springer, Heidelberg, February 2005), pp. 136–153Google Scholar - 30.R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in
*42nd FOCS*. IEEE Computer Society Press, (October 2001), pp. 136–145Google Scholar - 31.J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: definitions and practical constructions, in T. Iwata and J.H. Cheon, editors,
*ASIACRYPT 2015, Part II*, volume 9453 of*LNCS*. (Springer, Heidelberg, November/December 2015), pp. 262–288Google Scholar - 32.R. Cramer, I. Damgård, P.D. MacKenzie, Efficient zero-knowledge proofs of knowledge without intractability assumptions, in H. Imai and Y. Zheng, editors,
*PKC 2000*, volume 1751 of*LNCS*. (Springer, Heidelberg, January 2000), pp. 354–372Google Scholar - 33.D. Catalano, D. Fiore, Vector commitments and their applications. In K. Kurosawa and G. Hanaoka, editors,
*PKC 2013*, volume 7778 of*LNCS*. (Springer, Heidelberg, February / March 2013), pp. 55–72Google Scholar - 34.D. Catalano, D. Fiore, B. Warinschi, Efficient network coding signatures in the standard model, in M. Fischlin, J. Buchmann, and M. Manulis, editors,
*PKC 2012*, volume 7293 of*LNCS*. (Springer, Heidelberg, 2012), pp. 680–696Google Scholar - 35.J. Camenisch, T. Groß, Efficient attributes for anonymous credentials.
*ACM Transactions on Information and System Security*,**15**(1), 4, (2012)Google Scholar - 36.M. Chase, C. Ganesh, P. Mohassel, Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials, in M. Robshaw and J. Katz, editors,
*CRYPTO 2016, Part III*, volume 9816 of*LNCS*. (Springer, Heidelberg, 2016), pp. 499–530Google Scholar - 37.J. Camenisch, S. Krenn, A. Lehmann, G.L. Mikkelsen, G. Neven, M.Ø. Pedersen, Formal treatment of privacy-enhancing credential systems, in O. Dunkelman and L. Keliher, editors,
*SAC 2015*, volume 9566 of*LNCS*. (Springer, Heidelberg, August 2016), pp. 3–24Google Scholar - 38.M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn. Malleable proof systems and applications, in D. Pointcheval and T. Johansson, editors,
*EUROCRYPT 2012*, volume 7237 of*LNCS*. (Springer, Heidelberg, April 2012), pp. 281–300Google Scholar - 39.M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn. Malleable signatures: New definitions and delegatable anonymous credentials, in
*IEEE 27th Computer Security Foundations Symposium, CSF 2014*, (2014), pp. 199–213Google Scholar - 40.J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in B. Pfitzmann, editor,
*EUROCRYPT 2001*, volume 2045 of*LNCS*. (Springer, Heidelberg, May 2001), pp. 93–118Google Scholar - 41.J. Camenisch, A. Lysyanskaya, A signature scheme with efficient protocols, in S. Cimato, C. Galdi, and G. Persiano, editors,
*SCN 02*, volume 2576 of*LNCS*. (Springer, Heidelberg, September 2003), pp. 268–289Google Scholar - 42.J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in M. Franklin, editor,
*CRYPTO 2004*, volume 3152 of*LNCS*. (Springer, Heidelberg, August 2004), pp. 56–72Google Scholar - 43.S. Canard, R. Lescuyer, Anonymous credentials from (indexed) aggregate signatures, in
*DIM’11, Proceedings of the 2013 ACM Workshop on Digital Identity Management, Chicago, IL, USA - October 21, 2011*, (2011), pp. 53–62Google Scholar - 44.S. Canard, R. Lescuyer, Protecting privacy by sanitizing personal data: a new approach to anonymous credentials, in K. Chen, Q. Xie, W. Qiu, N. Li, and W.-G. Tzeng, editors,
*ASIACCS 13*. (ACM Press, May 2013), pp. 381–392Google Scholar - 45.S. Chatterjee, A. Menezes, On cryptographic protocols employing asymmetric pairings - the role of \(\varPsi \) revisited.
*Discrete Applied Mathematics***159**(13), 1311–1322, (2011)Google Scholar - 46.D. Chaum, T.P. Pedersen, Wallet databases with observers, in E.F. Brickell, editor,
*CRYPTO’92*, volume 740 of*LNCS*. (Springer, Heidelberg, 1993), pp. 89–105Google Scholar - 47.I. Damgård, Efficient concurrent zero-knowledge in the auxiliary string model, in B. Preneel, editor,
*EUROCRYPT 2000*, volume 1807 of*LNCS*. (Springer, Heidelberg, May 2000), pp. 418–430Google Scholar - 48.I. Damgård, H. Haagh, C. Orlandi, Access control encryption: Enforcing information flow with cryptography, in M. Hirt and A.D. Smith, editors,
*TCC 2016-B, Part II*, volume 9986 of*LNCS*. (Springer, Heidelberg, October/November 2016), pp. 547–576Google Scholar - 49.D. Derler, C. Hanser, D. Slamanig, A new approach to efficient revocable attribute-based anonymous credentials, in J. Groth, editor,
*15th IMA International Conference on Cryptography and Coding*, volume 9496 of*LNCS*. (Springer, Heidelberg, 2015), pp. 57–74Google Scholar - 50.D. Derler, C. Hanser, D. Slamanig, Revisiting cryptographic accumulators, additional properties and relations to other primitives, in K. Nyberg, editor,
*CT-RSA 2015*, volume 9048 of*LNCS*. (Springer, Heidelberg, April 2015), pp. 127–144Google Scholar - 51.D. Derler, D. Slamanig, Fully-anonymous short dynamic group signatures without encryption.
*IACR Cryptology ePrint Archive*, 2016:154, (2016)Google Scholar - 52.G. Fuchsbauer, R. Gay, Weakly secure equivalence-class signatures from standard assumptions, in M. Abdalla, editor,
*PKC 2018*, LNCS. (Springer, 2018)Google Scholar - 53.G. Fuchsbauer, R. Gay, L. Kowalczyk, C. Orlandi, Access control encryption for equality, comparison, and more, in S. Fehr, editor,
*PKC 2017, Part II*, volume 10175 of*LNCS*. (Springer, Heidelberg, 2017), pp. 88–118Google Scholar - 54.G. Fuchsbauer, C. Hanser, C. Kamath, D. Slamanig, Practical round-optimal blind signatures in the standard model from weaker assumptions, in V. Zikas and R. De Prisco, editors,
*SCN 16*, volume 9841 of*LNCS*. (Springer, Heidelberg, August/September 2016), pp. 391–408Google Scholar - 55.G. Fuchsbauer, C. Hanser, D. Slamanig, Practical round-optimal blind signatures in the standard model, in R. Gennaro and M.J.B. Robshaw, editors,
*CRYPTO 2015, Part II*, volume 9216 of*LNCS*, pp. 233–253. (Springer, Heidelberg, August 2015)Google Scholar - 56.E. Fujisaki, T. Okamoto, A practical and provably secure scheme for publicly verifiable secret sharing and its applications. In K. Nyberg, editor,
*EUROCRYPT’98*, volume 1403 of*LNCS*. (Springer, Heidelberg, May/June 1998), pp. 32–46Google Scholar - 57.D.M. Freeman, Improved security for linearly homomorphic signatures: A generic framework, in M. Fischlin, J. Buchmann, and M. Manulis, editors,
*PKC 2012*, volume 7293 of*LNCS*. (Springer, Heidelberg, May 2012), pp. 697–714Google Scholar - 58.G. Fuchsbauer, Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive, Report 2009/320 (2009). http://eprint.iacr.org/2009/320.
- 59.G. Fuchsbauer, Commuting signatures and verifiable encryption, in K.G. Paterson, editor,
*EUROCRYPT 2011*, volume 6632 of*LNCS*. (Springer, Heidelberg, May 2011), pp. 224–245Google Scholar - 60.G. Fuchsbauer, Breaking existential unforgeability of a signature scheme from asiacrypt 2014. Cryptology ePrint Archive, Report 2014/892, (2014). http://eprint.iacr.org/2014/892
- 61.E. Ghadafi, Short structure-preserving signatures, in K. Sako, editor,
*CT-RSA 2016*, volume 9610 of*LNCS*. (Springer, Heidelberg, February / March 2016), pp. 305–321Google Scholar - 62.S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks.
*SIAM Journal on Computing***17**(2), 281–308, (1988)Google Scholar - 63.O. Goldreich,
*The Foundations of Cryptography - Volume 1, Basic Techniques*. (Cambridge University Press, 2001)Google Scholar - 64.V. Goyal, Reducing trust in the PKG in identity based cryptosystems, in A. Menezes, editor,
*CRYPTO 2007*, volume 4622 of*LNCS*. (Springer, Heidelberg, August 2007), pp. 430–447Google Scholar - 65.J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor,
*ASIACRYPT 2010*, volume 6477 of*LNCS*. (Springer, Heidelberg, December 2010), pp. 321–340Google Scholar - 66.J. Groth, Efficient fully structure-preserving signatures for large messages, in T. Iwata and J.H. Cheon, editors,
*ASIACRYPT 2015, Part I*, volume 9452 of*LNCS*. (Springer, Heidelberg, November / December 2015), pp. 239–259Google Scholar - 67.J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in N.P. Smart, editor,
*EUROCRYPT 2008*, volume 4965 of*LNCS*. (Springer, Heidelberg, 2008), pp. 415–432Google Scholar - 68.C. Hanser, M. Rabkin, D. Schröder, Verifiably encrypted signatures: Security revisited and a new construction, in G. Pernul, P.Y.A. Ryan, and E.R. Weippl, editors,
*ESORICS 2015, Part I*, volume 9326 of*LNCS*. (Springer, Heidelberg, September 2015), pp. 146–164Google Scholar - 69.C. Hanser, D. Slamanig, Structure-preserving signatures on equivalence classes and their application to anonymous credentials, in P. Sarkar and T. Iwata, editors,
*ASIACRYPT 2014, Part I*, volume 8873 of*LNCS*. (Springer, Heidelberg, December 2014), pp. 491–511Google Scholar - 70.M. Izabachène, B. Libert, D. Vergnaud, Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes, in L. Chen, editor,
*13th IMA International Conference on Cryptography and Coding*, volume 7089 of*LNCS*. (Springer, Heidelberg, December 2011), pp. 431–450Google Scholar - 71.R. Johnson, D. Molnar, D.X. Song, D. Wagner, Homomorphic signature schemes, in B. Preneel, editor,
*CT-RSA 2002*, volume 2271 of*LNCS*. (Springer, Heidelberg, February 2002), pp. 244–262Google Scholar - 72.C.S. Jutla, A. Roy, Improved structure preserving signatures under standard bilinear assumptions, in S. Fehr, editor,
*PKC 2017, Part II*, volume 10175 of*LNCS*. (Springer, Heidelberg, March 2017), pp. 183–209Google Scholar - 73.E. Kiltz, J. Pan, H. Wee, Structure-preserving signatures from standard assumptions, revisited, in R. Gennaro and M.J.B. Robshaw, editors,
*CRYPTO 2015, Part II*, volume 9216 of*LNCS*. (Springer, Heidelberg, August 2015), pp. 275–295Google Scholar - 74.A. Kate, G.M. Zaverucha, I. Goldberg, Constant-size commitments to polynomials and their applications, in M. Abe, editor,
*ASIACRYPT 2010*, volume 6477 of*LNCS*. (Springer, Heidelberg, December 2010), pp. 177–194Google Scholar - 75.H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor,
*TCC 2012*, volume 7194 of*LNCS*. (Springer, Heidelberg, March 2012), pp. 169–189Google Scholar - 76.B. Libert, T. Peters, M. Joye, M. Yung, Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J.A. Garay, editors,
*CRYPTO 2013, Part II*, volume 8043 of*LNCS*. (Springer, Heidelberg, August 2013), pp. 289–307Google Scholar - 77.A. Lysyanskaya, R.L. Rivest, A. Sahai, S. Wolf, Pseudonym systems, in H.M. Heys and C.M. Adams, editors,
*SAC 1999*, volume 1758 of*LNCS*. (Springer, Heidelberg, August 1999), pp. 184–199Google Scholar - 78.R.C. Merkle, A digital signature based on a conventional encryption function, in C. Pomerance, editor,
*CRYPTO’87*, volume 293 of*LNCS*. (Springer, Heidelberg, August 1988), pp. 369–378Google Scholar - 79.S. Micali, M.O. Rabin, J. Kilian, Zero-knowledge sets. In
*44th FOCS*. (IEEE Computer Society Press, October 2003), pp. 80–91Google Scholar - 80.T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in J. Feigenbaum, editor,
*CRYPTO’91*, volume 576 of*LNCS*. (Springer, Heidelberg, 1992), pp. 129–140Google Scholar - 81.D. Pointcheval, O. Sanders, Short randomizable signatures, in K. Sako, editor,
*CT-RSA 2016*, volume 9610 of*LNCS*. (Springer, Heidelberg, February / March 2016), pp. 111–126Google Scholar - 82.S. Ringers, E.R. Verheul, J.-H. Hoepman, An efficient self-blindable attribute-based credential scheme.
*IACR Cryptology ePrint Archive*,**2017**, 115, (2017). (to appear at Financial Crypto 2017)Google Scholar - 83.R. Steinfeld, L. Bull, Y. Zheng, Content extraction signatures, in K. Kim, editor,
*ICISC 01*, volume 2288 of*LNCS*. (Springer, Heidelberg, December 2002), pp. 285–304Google Scholar - 84.V. Shoup, Lower bounds for discrete logarithms and related problems, in W. Fumy, editor,
*EUROCRYPT’97*, volume 1233 of*LNCS*. (Springer, Heidelberg, May 1997), pp. 256–266Google Scholar - 85.A. Sudarsono, T. Nakanishi, N. Funabiki, Efficient proofs of attributes in pairing-based anonymous credential system, in
*Privacy Enhancing Technologies - 11th International Symposium, PETS 2011, Waterloo, ON, Canada, July 27-29, 2011. Proceedings*, pp. 246–263 (2011)Google Scholar - 86.E.R. Verheul, Self-blindable credential certificates from the Weil pairing, in C. Boyd, editor,
*ASIACRYPT 2001*, volume 2248 of*LNCS*. (Springer, Heidelberg, December 2001), pp. 533–551Google Scholar - 87.B.R. Waters, Efficient identity-based encryption without random oracles, in R. Cramer, editor,
*EUROCRYPT 2005*, volume 3494 of*LNCS*. (Springer, Heidelberg, May 2005), pp. 114–127Google Scholar