# Efficient Fully Structure-Preserving Signatures and Shrinking Commitments

## Abstract

In structure-preserving signatures, public keys, messages, and signatures are all collections of source group elements of some bilinear groups. In this paper, we introduce fully structure-preserving signature schemes, with the additional requirement that even secret keys are group elements. This strong property allows efficient non-interactive proofs of knowledge of the secret key, which is useful in designing cryptographic protocols under simulation-based security where online extraction of the secret key is needed. We present efficient constructions under simple standard assumptions and pursue even more efficient constructions with the extra property of randomizability based on the generic bilinear group model. An essential building block for our efficient standard model construction is a shrinking structure-preserving trapdoor commitment scheme, which is by itself an important primitive and of independent interest as it appears to contradict a known impossibility result that structure-preserving commitments cannot be shrinking. We argue that a relaxed binding property lets us circumvent the impossibility while still retaining the usefulness of the primitive in important applications as mentioned above.

## Keywords

Structure-preserving signatures Structure-preserving commitments Secret key extraction Randomizability## Notes

## References

- 1.M. Abe, J. Camenisch, R. Dowsley, M. Dubovitskaya, On the impossibility of structure-preserving deterministic primitives, in
*Proceedings of Theory of Cryptography—11th Theory of Cryptography Conference, TCC 2014, San Diego, CA, USA, February 24–26, 2014*(2014), pp. 713–738Google Scholar - 2.M. Abe, M. Chase, B. David, M. Kohlweiss, R. Nishimaki, M. Ohkubo, Constant-size structure-preserving signatures: Generic constructions and simple assumptions.
*J. Cryptology***29**(4), 833–878 (2016)MathSciNetCrossRefzbMATHGoogle Scholar - 3.M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure-preserving signatures and commitments to group elements.
*J. Cryptology***29**(2), 363–421 (2016)MathSciNetCrossRefzbMATHGoogle Scholar - 4.M. Abe, J. Groth, K. Haralambiev, M. Ohkubo. Optimal structure-preserving signatures in asymmetric bilinear groups, in
*Advances in Cryptology—CRYPTO 2011, volume 6841 of LNCS*(Springer, 2011), pp. 649–666Google Scholar - 5.M. Abe, J. Groth, M. Ohkubo, Separating short structure-preserving signatures from non-interactive assumptions, in
*Advances in Cryptology—ASIACRYPT 2011, volume 7073 of LNCS*(Springer, 2011), pp. 628–646Google Scholar - 6.M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Structure-preserving signatures from type II pairings, in J. A. Garay, R. Gennaro, editors,
*Advances in Cryptology—CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17–21, 2014, Proceedings, Part I, volume 8616 of Lecture Notes in Computer Science*(Springer, 2014), pp. 390–407Google Scholar - 7.M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Unified, minimal and selectively randomizable structure-preserving signatures, in
*Theory of Cryptography—11th Theory of Cryptography Conference, volume 8349 of LNCS*(Springer, 2014), pp. 688–712Google Scholar - 8.M. Abe, K. Haralambiev, M. Ohkubo, Group to group commitments do not shrink, in D. Pointcheval, T. Johansson, editors,
*EUROCRYPT 2012, volume 7237 of LNCS*(Springer, 2012), pp. 301–317Google Scholar - 9.M. Abe, M. Kohlweiss, M. Ohkubo, M. Tibouchi, Fully structure-preserving signatures and shrinking commitments, in
*Advances in Cryptology—EUROCRYPT 2015—34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26—30, 2015, Proceedings, Part II*(2015), pp. 35–65Google Scholar - 10.M. Abe, M. Kohlweiss, M. Ohkubo, M. Tibouchi, Fully structure-preserving signatures and shrinking commitments. IACR ePrint Archive, Report 2015/076 (2015). http://eprint.iacr.org/2015/076. Accessed 2 Feb 2015
- 11.M. Abe, M. Ohkubo, A framework for universally composable non-committing blind signatures.
*IJACT***2**(3), 229–249 (2012)MathSciNetCrossRefzbMATHGoogle Scholar - 12.G. Barthe, E. Fagerholm, D. Fiore, A. Scedrov, B. Schmidt, M. Tibouchi, Strongly-optimal structure preserving signatures from type II pairings: synthesis and lower bounds, in J. Katz, editor,
*PKC 2015, Lecture Notes in Computer Science*(Springer, 2015) to appearGoogle Scholar - 13.M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, H. Shacham, Randomizable proofs and delegatable anonymous credentials, in S. Halevi, editor,
*Advances in Cryptology—CRYPTO, volume 5677 of LNCS*(Springer, 2009), pp. 108–125Google Scholar - 14.M. Bellare, A. Palacio, The knowledge-of-exponent assumptions and 3-round zero-knowledge protocols, in M. K. Franklin, editor,
*CRYPTO, volume 3152 of LNCS*(Springer, 2004), pp. 273–289Google Scholar - 15.M. Bellare, H. Shi, C. Zhang, Foundations of group signatures: The case of dynamic groups, in
*Topics in Cryptology—CT-RSA 2005, The Cryptographers’ Track at the RSA Conference 2005, San Francisco, CA, USA, February 14–18, 2005, Proceedings*(2005), pp. 136–153Google Scholar - 16.M. Bellare, S. Shoup, Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles, in
*Public-Key Cryptography, volume 4450 of LNCS*(2007), pp. 201–216Google Scholar - 17.A. Bender, J. Katz, R. Morselli, Ring signatures: Stronger definitions, and constructions without random oracles.
*J. Cryptology***22**(1), 114–138 (2009)MathSciNetCrossRefzbMATHGoogle Scholar - 18.D. Boneh, X. Boyen, Short signatures without random oracles and the sdh assumption in bilinear groups.
*J. Cryptology***21**(2), 149–177 (2008)MathSciNetCrossRefzbMATHGoogle Scholar - 19.D. Boneh, X. Boyen, E. Goh, Hierarchical identity based encryption with constant size ciphertext. in
*Advances in Cryptology—EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22–26, 2005, Proceedings*(2005), pp. 440–456Google Scholar - 20.J. Camenisch, N. Chandran, V. Shoup, A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks, in A. Joux, editor,
*Advances in Cryptology—EUROCRYPT 2009, 28th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Cologne, Germany, April 26–30, 2009. Proceedings, volume 5479 of Lecture Notes in Computer Science*(Springer, 2009), pp. 351–368Google Scholar - 21.J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: Definitions and practical constructions. in T. Iwata and J. H. Cheon, editors,
*Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part II, volume 9453 of Lecture Notes in Computer Science*(Springer, 2015), pp. 262–288Google Scholar - 22.J. Camenisch, K. Haralambiev, M. Kohlweiss, J. Lapon, V. Naessens, Structure preserving CCA secure encryption and applications. in D. H. Lee and X. Wang, editors,
*Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings*, volume 7073 of*Lecture Notes in Computer Science*(Springer, 2011), pp. 89–106Google Scholar - 23.J. Camenisch, S. Krenn, V. Shoup, A framework for practical universally composable zero-knowledge protocols, in
*Advances in Cryptology—ASIACRYPT 2011—17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4–8, 2011. Proceedings*(2011), pp. 449–467Google Scholar - 24.J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in
*Advances in Cryptology—EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, May 6–10, 2001, Proceeding*(2001), pp. 93–118Google Scholar - 25.D. Catalano, M. D. Raimondo, D. Fiore, R. Gennaro, Off-line/on-line signatures: Theoretical aspects and experimental results. in
*Public Key Cryptography—PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008. Proceedings, volume 4939 of LNCS*(Springer, 2008), pp. 101–120Google Scholar - 26.M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn, Malleable signatures: New definitions and delegatable anonymous credentials, in
*2013 IEEE 27th Computer Security Foundations Symposium*(2014)Google Scholar - 27.S. Chatterjee, A. Menezes, Type 2 structure-preserving signature schemes revisited. IACR ePrint Archive, Report 2014/635 (2014). http://eprint.iacr.org/2014/635. Accessed 10 Sept 2015.
- 28.I. Damgård, J. Groth, Non-interactive and reusable non-malleable commitment schemes, in L. L. Larmore and M. X. Goemans, editors,
*Proceedings of the 35th Annual ACM Symposium on Theory of Computing, June 9–11, 2003, San Diego, CA, USA*(ACM, 2003), pp. 426–437Google Scholar - 29.A. Escala, J. Groth, Fine-tuning groth-sahai proofs, in
*Public-Key Cryptography—PKC 2014—17th International Conference on Practice and Theory in Public-Key Cryptography, Buenos Aires, Argentina, March 26–28, 2014. Proceedings*(2014), pp. 630–649Google Scholar - 30.S. Even, O. Goldreich, S. Micali, On-line/off-line digital signatures.
*J. Cryptology***9**(1), 35–67 (1996)MathSciNetCrossRefzbMATHGoogle Scholar - 31.M. Fischlin, Communication-efficient non-interactive proofs of knowledge with online extractors, in V. Shoup, editor,
*Advances in Cryptology—CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14–18, 2005, Proceedings, volume 3621 of Lecture Notes in Computer Science*(Springer, 2005), pp. 152–168Google Scholar - 32.G. Fuchsbauer, Commuting signatures and verifiable encryption, in
*Advances in Cryptology—EUROCRYPT 2011—30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15–19, 2011. Proceedings*(2011), pp. 224–245Google Scholar - 33.G. Fuchsbauer, C. Hanser, D. Slamanig, Structure-preserving signatures on equivalence classes and constant-size anonymous credentials. Cryptology ePrint Archive, Report 2014/944 (2014). http://eprint.iacr.org/2014/944. Accessed 20 Mar 2016
- 34.S. D. Galbraith, K. G. Paterson, N. P. Smart, Pairings for cryptographers.
*Discrete Applied Mathematics***156**(16), 3113–3121 (2008)MathSciNetCrossRefzbMATHGoogle Scholar - 35.S. Goldwasser, S. Micali, R. Rivest, A digital signature scheme secure against adaptive chosen-message attacks.
*SIAM Journal on Computing*.**17**(2), 281–308 (April 1988)MathSciNetCrossRefzbMATHGoogle Scholar - 36.J. Groth, Fully anonymous group signatures without random oracles, in
*Advances in Cryptology—ASIACRYPT 2007, 13th International Conference on the Theory and Application of Cryptology and Information Security, Kuching, Malaysia, December 2–6, 2007, Proceedings*(2007), pp. 164–180Google Scholar - 37.J. Groth, Efficient fully structure-preserving signatures for large messages, in
*Advances in Cryptology—ASIACRYPT 2015—21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29–December 3, 2015, Proceedings, Part I*(2015), pp. 239–259Google Scholar - 38.J. Groth, A. Sahai, Efficient noninteractive proof systems for bilinear groups.
*SIAM J. Comput.***41**(5), 1193–1232 (2012)MathSciNetCrossRefzbMATHGoogle Scholar - 39.S. Hada, T. Tanaka, On the existence of 3-round zero-knowledge protocols, in H. Krawczyk, editor,
*Advances in Cryptology—CRYPTO ’98, volume 1462 of LNCS*(Springer, 1998), pp. 354–369. Full version available from IACR e-print archive 1999/009Google Scholar - 40.T. Jager, F. Kohlar, S. Schäge, J. Schwenk, Generic compilers for authenticated key exchange, in
*Advances in Cryptology—ASIACRYPT 2010—16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5–9, 2010. Proceedings*(2010), pp. 232–249Google Scholar - 41.B. Libert, T. Peters, M. Joye, M. Yung, Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J. Garay, editors,
*Advances in Cryptology—CRYPTO, LNCS*(Springer, 2013)Google Scholar - 42.U. M. Maurer, Abstract models of computation in cryptography, in N. P. Smart, editor,
*Cryptography and Coding, 10th IMA International Conference, Cirencester, UK, December 19–21, 2005, Proceedings, volume 3796 of Lecture Notes in Computer Science*(Springer, 2005), pp. 1–12Google Scholar - 43.S. Meiklejohn, An extension of the Groth-Sahai proof system, in
*Brown University Masters thesis*(2009)Google Scholar - 44.S. Micali, K. Ohta, L. Reyzin, Accountable-subgroup multisignatures: extended abstract, in
*CCS 2001, Proceedings of the 8th ACM Conference on Computer and Communications Security, Philadelphia, Pennsylvania, USA, November 6–8, 2001*(2001), pp. 245–254Google Scholar - 45.V. I. Nechaev, Complexity of a determinate algorithm for the discrete logarithm.
*Mat. Zametki***55**(2), 91–101 (1994)zbMATHGoogle Scholar - 46.T. Ristenpart, S. Yilek, The power of proofs-of-possession: Securing multiparty signatures against rogue-key attacks, in
*Advances in Cryptology—EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20–24, 2007, Proceedings*(2007), pp. 228–245Google Scholar - 47.R. L. Rivest, A. Shamir, Y. Tauman, How to leak a secret, in
*Advances in Cryptology—ASIACRYPT 2001, 7th International Conference on the Theory and Application of Cryptology and Information Security, Gold Coast, Australia, December 9–13, 2001, Proceedings*(2001), pp. 552–565Google Scholar - 48.V. Shoup, Lower bounds for discrete logarithms and related problems, in
*EUROCRYPT, volume 1233 of LNCS*(1997), pp. 256–266Google Scholar - 49.N. Smart, F. Vercauteren, On computable isomorphisms in efficient asymmetric pairing-based systems.
*Discrete Applied Mathematics***155**(4), 538 – 547 (2007)MathSciNetCrossRefzbMATHGoogle Scholar - 50.Y. Wang, Z. Zhang, T. Matsuda, G. Hanaoka, K. Tanaka, How to obtain fully structure-preserving (automorphic) signatures from structure-preserving ones. in J. H. Cheon and T. Takagi, editors,
*Advances in Cryptology—ASIACRYPT 2016—22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4–8, 2016, Proceedings, Part II, volume 10032 of Lecture Notes in Computer Science*(2016), pp. 465–495Google Scholar