Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge

  • David DerlerEmail author
  • Daniel Slamanig


Key-homomorphic properties of cryptographic objects, i.e., homomorphisms on their key space, have proven to be useful, both from a theoretical as well as a practical perspective. Important cryptographic objects such as pseudorandom functions or (public key) encryption have been studied previously with respect to key-homomorphisms. Interestingly, however, signature schemes have not been explicitly investigated in this context so far. We close this gap and initiate the study of key-homomorphic signatures, which turns out to be an interesting and versatile concept. In doing so, we firstly propose a definitional framework for key-homomorphic signatures distilling various natural flavours of key-homomorphic properties. Those properties aim to classify existing signature schemes and thus allow to infer general statements about signature schemes from those classes by simply making black-box use of the respective properties. We apply our definitional framework to show elegant and simple compilers from classes of signature schemes admitting different types of key-homomorphisms to a number of other interesting primitives such as ring signature schemes, (universal) designated verifier signature schemes, simulation-sound extractable non-interactive zero-knowledge arguments, and multisignature schemes. Additionally, using the formalisms provided by our framework, we can prove a tight implication from single-user security to key-prefixed multi-user security for a class of schemes admitting a certain key-homomorphism.


Key-homomorphic signatures Ring signatures (Universal) designated verifier signatures Simulation-sound extractable non-interactive zero-knowledge Multisignatures Multi-user signatures 

Mathematics Subject Classification




The authors have been supported by EU H2020 project Prismacloud, Grant Agreement No. 644962. We thank various anonymous referees for their valuable comments.


  1. 1.
    Abe M., David B., Kohlweiss M., Nishimaki R., Ohkubo M.: Tagged one-time signatures: tight security and optimal tag size. In: PKC, pp. 312–331 (2013).
  2. 2.
    Abe M., Fuchsbauer G., Groth J., Haralambiev K., Ohkubo M.: Structure-preserving signatures and commitments to group elements. In: CRYPTO (2010).Google Scholar
  3. 3.
    Abe M., Groth J., Ohkubo M., Tibouchi M.: Structure-preserving signatures from type II pairings. In: Advances in Cryptology—CRYPTO 2014, pp. 390–407 (2014).Google Scholar
  4. 4.
    Ahn J.H., Boneh D., Camenisch J., Hohenberger S., Shelat A., Waters B.: Computing on authenticated data. In: TCC (2012).
  5. 5.
    Applebaum B., Harnik D., Ishai Y.: Semantic security under related-key attacks and applications. In: ICS (2011).Google Scholar
  6. 6.
    Attrapadung N., Libert B., Peters T.: Computing on authenticated data: new privacy definitions and constructions. In: ASIACRYPT (2012).
  7. 7.
    Bader C., Jager T., Li Y., Schäge S.: On the impossibility of tight cryptographic reductions. In: EUROCRYPT (2016).
  8. 8.
    Bagherzandi A., Jarecki S.: Multisignatures using proofs of secret key possession, as secure as the diffie-hellman problem. In: SCN (2008).
  9. 9.
    Banerjee A., Fuchsbauer G., Peikert C., Pietrzak K., Stevens S.: Key-homomorphic constrained pseudorandom functions. In: TCC (2015).
  10. 10.
    Banerjee A., Peikert C.: New and improved key-homomorphic pseudorandom functions. In: CRYPTO (2014).
  11. 11.
    Bellare M., Cash D., Miller R.: Cryptography secure against related-key attacks and tampering. In: ASIACRYPT (2011).
  12. 12.
    Bellare M., Paterson K.G., Thomson S.: RKA security beyond the linear barrier: Ibe, encryption and signatures. In: ASIACRYPT (2012).
  13. 13.
    Bender A., Katz J., Morselli R.: Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. (2009).
  14. 14.
    Benhamouda F., Bourse F., Lipmaa H.: CCA-secure inner-product functional encryption from projective hash functions, PKC. Springer, New York (2017).zbMATHGoogle Scholar
  15. 15.
    Benhamouda F., Joye M., Libert B.: A new framework for privacy-preserving aggregation of time-series data. ACM Trans. Inf. Syst. Secur. (2016).
  16. 16.
    Bernhard D., Fuchsbauer G., Ghadafi E.: Efficient signatures of knowledge and DAA in the standard model. In: ACNS (2013).
  17. 17.
    Bernstein D.J.: Multi-user schnorr security, revisited. IACR Cryptology ePrint Archive (2015).Google Scholar
  18. 18.
    Boldyreva A.: Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme. In: PKC (2003).
  19. 19.
    Boneh D., Gentry C., Gorbunov S., Halevi S., Nikolaenko V., Segev G., Vaikuntanathan V., Vinayagamurthy D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: EUROCRYPT (2014).
  20. 20.
    Boneh D., Gentry C., Lynn B., Shacham H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: EUROCRYPT (2003).
  21. 21.
    Boneh D., Lewi K., Montgomery H.W., Raghunathan A.: Key homomorphic PRFs and their applications. In: CRYPTO (2013).
  22. 22.
    Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. (2004).
  23. 23.
    Bootle J., Cerulli A., Chaidos P., Ghadafi E., Groth J., Petit C.: Short accountable ring signatures based on DDH. In: ESORICS (2015).
  24. 24.
    Boyen X., Fan X., Shi E.: Adaptively secure fully homomorphic signatures based on lattices. Cryptology ePrint Archive, Report 2014/916 (2014).Google Scholar
  25. 25.
    Brakerski Z., Kalai Y.T.: A framework for efficient signatures, ring signatures and identity based encryption in the standard model. IACR Cryptology ePrint Archive (2010).Google Scholar
  26. 26.
    Catalano D.: Homomorphic signatures and message authentication codes. In: SCN (2014).
  27. 27.
    Chandran N., Groth J., Sahai A.: Ring signatures of sub-linear size without random oracles. In: ICALP (2007).
  28. 28.
    Chase M., Lysyanskaya A.: On signatures of knowledge. In: CRYPTO (2006).
  29. 29.
    Chatterjee S., Hankerson D., Knapp E., Menezes A.: Comparing two pairing-based aggregate signature schemes. Des. Codes Cryptogr. (2010).
  30. 30.
    Cramer R., Damgård I., Schoenmakers B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: CRYPTO (1994).
  31. 31.
    Derler D., Krenn S., Slamanig D.: Signer-anonymous designated-verifier redactable signatures for cloud-based data sharing. In: CANS (2016).Google Scholar
  32. 32.
    Dodis Y., Haralambiev K., López-Alt A., Wichs D.: Efficient public-key cryptography in the presence of key leakage. In: ASIACRYPT, pp. 613–631 (2010).
  33. 33.
    Dodis Y., Kiayias A., Nicolosi A., Shoup V.: Anonymous identification in ad hoc groups. In: EUROCRYPT (2004).
  34. 34.
    Dodis Y., Mironov I., Stephens-Davidowitz N.: Message transmission with reverse firewalls—secure communication on corrupted machines. In: CRYPTO (2016).
  35. 35.
    Escala A., Groth J.: Fine-tuning groth-sahai proofs. In: PKC (2014).Google Scholar
  36. 36.
    Fiat A., Shamir A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO (1986).
  37. 37.
    Fischlin M., Fleischhacker N.: Limitations of the meta-reduction technique: the case of schnorr signatures. In: EUROCRYPT (2013).
  38. 38.
    Fleischhacker N., Krupp J., Malavolta G., Schneider J., Schröder D., Simkin M.: Efficient unlinkable sanitizable signatures from signatures with re-randomizable keys. In: PKC (2016).
  39. 39.
    Fuchsbauer G., Hanser C., Slamanig D.: Practical round-optimal blind signatures in the standard model. In: CRYPTO (2015).
  40. 40.
    Galbraith S.D., Malone-Lee J., Smart N.P.: Public key signatures in the multi-user setting. Inf. Process. Lett. (2002).
  41. 41.
    Garay J.A., MacKenzie P.D., Yang K.: Strengthening zero-knowledge protocols using signatures. In: EUROCRYPT (2003).
  42. 42.
    Garay J.A., MacKenzie P.D., Yang K.: Strengthening zero-knowledge protocols using signatures. J. Cryptol. (2006).
  43. 43.
    Gay R., Hofheinz D., Kiltz E., Wee H.: Tightly cca-secure encryption without pairings. In: EUROCRYPT (2016).
  44. 44.
    Gentry C.: Fully homomorphic encryption using ideal lattices. In: STOC (2009).Google Scholar
  45. 45.
    Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008).Google Scholar
  46. 46.
    Ghadafi E.: Short structure-preserving signatures. In: CT-RSA 2016, pp. 305–321 (2016).
  47. 47.
    Goh E., Jarecki S., Katz J., Wang N.: Efficient signature schemes with tight reductions to the diffie-hellman problems. J. Cryptol. (2007).
  48. 48.
    Goldwasser S., Kalai Y.T.: Cryptographic assumptions: a position paper. In: Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I, pp. 505–522 (2016).
  49. 49.
    Goldwasser S., Lewko A.B., Wilson D.A.: Bounded-collusion IBE from key homomorphism. In: TCC (2012).
  50. 50.
    Gorbunov S., Vaikuntanathan V., Wichs D.: Leveled fully homomorphic signatures from standard lattices. In: STOC (2015).
  51. 51.
    Groth J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: ASIACRYPT (2006).
  52. 52.
    Groth J., Kohlweiss M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: EUROCRYPT (2015).
  53. 53.
    Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT (2008).
  54. 54.
    Guillou L.C., Quisquater J.: A paradoxical indentity-based signature scheme resulting from zero-knowledge. In: CRYPTO, pp. 216–231 (1988).
  55. 55.
    Hanser C., Slamanig D.: Structure-preserving signatures on equivalence classes and their application to anonymous credentials. In: ASIACRYPT (2014).
  56. 56.
    Itakura K., Nakamura K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 177–186 (1983).Google Scholar
  57. 57.
    Jakobsson M., Sako K., Impagliazzo R.: Designated verifier proofs and their applications. In: EUROCRYPT (1996).
  58. 58.
    Johnson R., Molnar D., Song D.X., Wagner D.: Homomorphic signature schemes. In: CT-RSA (2002).
  59. 59.
    Katz J.: Digital Signatures. Springer, New York (2010).
  60. 60.
    Katz J., Wang N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS (2003).
  61. 61.
    Kiltz E., Masny D., Pan J.: Optimal security proofs for signatures from identification schemes. In: CRYPTO (2016).
  62. 62.
    Lacharité M.: Security of BLS and BGLS signatures in a multi-user setting. Cryptogr. Commun. 10(1), 41–58 (2018). Scholar
  63. 63.
    Lu S., Ostrovsky R., Sahai A., Shacham H., Waters B.: Sequential aggregate signatures and multisignatures without random oracles. In: EUROCRYPT (2006).
  64. 64.
    Lyubashevsky V.: Lattice-based identification schemes secure under active attacks. In: Public Key Cryptography—PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008. Proceedings, pp. 162–179 (2008).
  65. 65.
    Malavolta G., Schröder D.: Efficient ring signatures in the standard model. Advances in Cryptology—ASIACRYPT 2017, pp. 128–157 (2017).
  66. 66.
    Menezes A., Smart N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. (2004).
  67. 67.
    Morita H., Schuldt J.C.N., Matsuda T., Hanaoka G., Iwata T.: On the security of the schnorr signature scheme and DSA against related-key attacks. In: ICISC (2015).
  68. 68.
    Naor M.: On cryptographic assumptions and challenges. In: Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, pp. 96–109 (2003).
  69. 69.
    Pagnin E., Mitrokotsa A., Tanaka K.: Anonymous single-round server-aided verification. Cryptology ePrint Archive, Report 2017/794 (2017). (to appear at Latincrypt 2017).Google Scholar
  70. 70.
    Pointcheval D., Sanders O.: Short randomizable signatures. In: CT-RSA (2016).
  71. 71.
    Ristenpart T., Yilek S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: EUROCRYPT (2007).
  72. 72.
    Rivest R.L., Shamir A., Tauman Y.: How to leak a secret. In: ASIACRYPT (2001).
  73. 73.
    Rothblum R.: Homomorphic encryption: from private-key to public-key. In: TCC (2011).
  74. 74.
    Schnorr C.: Efficient signature generation by smart cards. J. Cryptol. (1991).
  75. 75.
    Shahandashti S.F., Safavi-Naini R.: Construction of universal designated-verifier signatures and identity-based signatures from standard signatures. In: PKC (2008).
  76. 76.
    Shamir A., Tauman Y.: Improved online/offline signature schemes. In: CRYPTO, pp. 355–367 (2001).
  77. 77.
    Steinfeld R., Bull L., Wang H., Pieprzyk J.: Universal designated-verifier signatures. In: ASIACRYPT (2003).
  78. 78.
    Tessaro S., Wilson D.A.: Bounded-collusion identity-based encryption from semantically-secure public-key encryption: generic constructions with short ciphertexts. In: PKC (2014).
  79. 79.
    Waters B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT (2005).

Copyright information

© Springer Science+Business Media, LLC, part of Springer Nature 2018

Authors and Affiliations

  1. 1.IAIK, Graz University of TechnologyGrazAustria
  2. 2.AIT Austrian Institute of TechnologyViennaAustria

Personalised recommendations