Efficient Fully Structure-Preserving Signatures and Shrinking Commitments

  • Masayuki Abe
  • Jens Groth
  • Markulf Kohlweiss
  • Miyako Ohkubo
  • Mehdi Tibouchi

Abstract

In structure-preserving signatures, public keys, messages, and signatures are all collections of source group elements of some bilinear groups. In this paper, we introduce fully structure-preserving signature schemes, with the additional requirement that even secret keys are group elements. This strong property allows efficient non-interactive proofs of knowledge of the secret key, which is useful in designing cryptographic protocols under simulation-based security where online extraction of the secret key is needed. We present efficient constructions under simple standard assumptions and pursue even more efficient constructions with the extra property of randomizability based on the generic bilinear group model. An essential building block for our efficient standard model construction is a shrinking structure-preserving trapdoor commitment scheme, which is by itself an important primitive and of independent interest as it appears to contradict a known impossibility result that structure-preserving commitments cannot be shrinking. We argue that a relaxed binding property lets us circumvent the impossibility while still retaining the usefulness of the primitive in important applications as mentioned above.

Keywords

  • Structure-preserving signatures
  • Structure-preserving commitments
  • Secret key extraction
  • Randomizability

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Masayuki Abe (1)
  • Jens Groth (2)
  • Markulf Kohlweiss (3)
  • Miyako Ohkubo (4)
  • Mehdi Tibouchi (1)

  1. Secure Platform Laboratories, NTT Corporation, Tokyo, Japan
  2. Department of Computer Science, University College London, London, UK
  3. School of Informatics, University of Edinburgh, Edinburgh, UK
  4. Security Fundamentals Laboratory, CSRI, NICT, Tokyo, Japan
