1 Introduction

David Chaum introduced blind signatures almost four decades ago [6], as the fundamental building block to implement a form of untraceable digital cash. His proposal was to represent each digital coin as a unique serial number blindly signed by the issuing bank. The unique serial number embedded in the coin would prevent double spending, while the blind signature over the coin would guarantee both untraceability (by not knowing which coin was signed) and unforgeability (by signing the coins in the first place).

Chaum explained blind signatures intuitively by showing how a blind signature could be implemented in a traditional, non-digital, setting using carbon paper inside paper envelopes. To obtain a blind signature on a secret message, a user could send the message inside a sealed envelope to the signer, with the inside of the envelope covered with carbon paper. The carbon paper ensures that if the signer signs the envelope from the outside, the carbon paper transfers this signature to the secret message inside the envelope. When the signer returns the still sealed envelope (proving it didn’t see the message) all the user needs to do is to open the envelope to obtain the blindly signed message.

This intuitive explanation clearly shows that the message stays hidden from the signer. But this by itself is not enough to prevent a bank from tracing a digital coin signed this way, even if it prevents the bank from learning its serial number. In fact, if the bank signs each envelope in a slightly different way, and remembers which way of signing it used to sign each envelope, it can link actual signatures on messages to the particular envelope on which it put the exact same signature. In other words, in order to guarantee all the desired security and privacy properties, blind signatures need to guarantee the following two separate properties.

“Hiding the message”: The message to be signed is hidden from the signer.

Signature unlinkability: Given a final blind signature on a message, the signer cannot determine when it generated that particular signature.

Perhaps due to Chaum’s metaphor, blind signatures have always informally been explained as signatures where the message to be signed is hidden from the signer. But as the above example shows, blind signatures need to guarantee two separate faces of blindness. The question is: how exactly should these properties be defined, and can they be defined in a natural way such that they are mutually independent yet together imply blindness?

Although signing messages without knowing their contents is a desirable feature in the particular case of signing digital coins, in general it is irresponsible: who would sign a contract without knowing its terms? Therefore, in many applications partially blind signatures, where the signer may need to know (at least part of) the message before signing it, do serve an important purpose. Such partially blind signatures have been introduced by Abe and Fujisaki [1], and have applications in scenarios where a user wants to prove that a certain condition has been met, without revealing when or where that condition was met. Blind signatures can for example be used to issue a unique and unforgeable token or receipt whenever a user has performed a certain action (like paying a bill, visiting a checkpoint, entering or leaving a certain location, completing some task, or satisfying any other predetermined requirement). This token can then later be used to prove that this particular action was performed or requirement was satisfied. This approach has been used, for example, to construct a privacy friendly form of ticketing for public transport [7]. Blind signatures have also been used to implement attribute based credentials [4, 5, 8].

In this paper we explore the different faces of blindness in depth, in the more general setting of partially blind signatures. We note that our results also apply to normal blind signatures as such signatures are equivalent to partially blind signatures where the public message equals the empty string. In a way this paper is a dual to the paper of Schröder and Unruh [15] that reexamines the definition of security of blind signature schemes, discovering that the messages and their resulting signatures have some independent influence on the overall security of the scheme.

We first define partially blind signatures and their completeness and unforgeability properties in Sect. 2. We then study the two faces of blindness (message indistinguishability and signature unlinkability) and their relationships in Sect. 3. This section also discusses message hiding, and why message indistinguishability is the more appropriate notion to study in this context. We show that message indistinguishability and signature unlinkability are both implied by a partially blind signature scheme, but that they are indeed two separate notions (in the sense that there are signature schemes that satisfy one of the two requirements, but not both). Unfortunately, in pathological cases the union of these two properties does not imply blindness. We summarise and discuss our results in Fig.  and Sect. 4. Figure 1 is also useful as a ‘cheat-sheet’ to keep track of the different properties defined throughout the paper.

2 Completeness and unforgeability

We start with the basics: the definition of completeness and unforgeability of (partially blind) signatures. We follow the framework for defining blind signatures provided by Juels et al. [10] and generalised and refined for partially blind signatures by Abe and Okamoto [2, 12, 13]. In this setting a (partially blind) signature scheme is defined as follows (where \(\lambda \) is the security parameter of the scheme).

Definition 2.1

(Signature scheme) A signature scheme \(\Sigma \) consists of four probabilistic polynomial-time algorithms \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \).

  • \({\mathcal {G}}\) takes security parameter \(1^\lambda \) as input, and returns a secret key \(\text {sk}\) (to be given to the signer only) and a corresponding public key \(\text {PK}\) (known to all parties in the system).

  • \({\mathcal {S}}\) and \({\mathcal {U}}\) are in fact interactive algorithms where signer \({\mathcal {S}}\) has private input \(\text {sk}\) and public input the public message \({\overline{m}}\) (with length polynomial in the security parameter \(\lambda \)), while user \({\mathcal {U}}\) has private input message \(m\) (also with length polynomial in the security parameter \(\lambda \)) and public input \(\text {PK}\) and \({\overline{m}}\). \({\mathcal {S}}\) and \({\mathcal {U}}\) interact with each other over a public communication channel. After the interaction, \({\mathcal {S}}\) outputs either \(\textsf {success}\) or \(\textsf {fail}\), and \({\mathcal {U}}\) outputs either a signature \(\sigma \) or \(\bot \). \({\mathcal {U}}\)’s output is private. \({\mathcal {S}}\)’s output is public.

  • \({\mathcal {V}}\) takes as input a public key \(\text {PK}\), public message \({\overline{m}}\), a message \(m\) and a signature \(\sigma \), and outputs either \(\textsf {accept}\) or \(\textsf {reject}\). This verification can be performed by any party.

We write \(\textit{out}_{\mathcal {S}} \leftarrow {\mathcal {S}}(\text {sk},{\overline{m}}) \Leftrightarrow {\mathcal {U}}(\text {PK},{\overline{m}},m) \rightarrow \textit{out}_{\mathcal {U}}\) for an interaction between a signer and a user with the specified inputs, with \(\textit{out}_{\mathcal {S}}\) as the output of the signer and \(\textit{out}_{\mathcal {U}}\) as the output of the user.

Definition 2.2

(Completeness) A signature scheme \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) is complete when for every interaction

$$\begin{aligned} \textsf {success} \leftarrow {\mathcal {S}}(\text {sk},{\overline{m}}) \Leftrightarrow {\mathcal {U}}(\text {PK},{\overline{m}},m) \rightarrow \sigma \\ \text {such that}\ {\mathcal {V}}(\text {PK},{\overline{m}},m,\sigma ) = \textsf {accept} \end{aligned}$$

holds with overwhelming probability (i.e., with probability \(1-2^{-\lambda }\)), where this probability is computed over the private coin-flips of \({\mathcal {G}}, {\mathcal {S}}, {\mathcal {U}}\) and \({\mathcal {V}}\).

We return to this somewhat peculiar definition of completeness (that subsumes correctness) in the next section.

We now define the unforgeability property.

Definition 2.3

(Unforgeability) Let \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) be a signature scheme and consider the following game between an adversarial user \({\mathcal {U}}^*\) and an honest signer \({\mathcal {S}}\) and honest verifier \({\mathcal {V}}\).

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}\) and \(\text {PK}\) to \({\mathcal {U}}^*\).

  2. Let \({\mathcal {U}}^*\) engage in polynomially (in \(\lambda \)) many adaptive, parallel and arbitrarily interleaved interactions with polynomially many copies of the signer \({\mathcal {S}}\) (knowing \(\text {sk}\)). Let j be the number of such interactions that return \(\textsf {success}\) for the signer.

  3. Let \({\mathcal {U}}^*\) return a list of k signatures \(\sigma _1,\ldots ,\sigma _k\) for k distinct combinations of public messages and private messages \(({\overline{m}}_1,m_1),\ldots ,({\overline{m}}_k,m_k)\) such that \({\mathcal {V}}(\text {PK},{\overline{m}}_i,m_i,\sigma _i)=\textsf {accept}\) for all \(i \in \{1,\ldots ,k\}\).

Adversary \({\mathcal {U}}^*\) wins this game whenever \(k > j\).

The signature scheme is unforgeable when every possible adversary \({\mathcal {U}}^*\) wins this game with at most negligible probability (i.e., probability \(2^{-\lambda }\)), where this probability is computed over the private coin-flips of \({\mathcal {G}}\), \({\mathcal {U}}^*\), \({\mathcal {V}}\) and all signers \({\mathcal {S}}\).

3 The two faces of blindness

With the above definitions of a correct and unforgeable signature scheme in place, we are now ready to study the two different faces of blindness of such signature schemes.

We start with the definition of blindness itself. After that we study message indistinguishability in Sect. 3.2. This notion is somewhat stronger than message hiding (discussed in Sect. 3.3). We finish with the definition of signature unlinkability in Sect. 3.4. It turns out that it is more appropriate to focus on message indistinguishability rather than message hiding, because the latter notion is actually implied by signature unlinkability. Throughout this section we establish relationships between the different notions we define.

3.1 Blindness

The following definition of partial blindness is due to Abe and Okamoto [2, 13]; it extends the original definition of blind signatures from Juels et al. [10] by allowing part of the message to be signed to be public.

Definition 3.1

(Blindness) Consider a signature scheme \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) and the following game between an adversarial signer \({\mathcal {S}}^*\) and two honest users \({\mathcal {U}}_0\) and \({\mathcal {U}}_1\), mediated by a challenger.

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}^*\).

  2. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\), two private messages \(m_0,m_1\), and public message \({\overline{m}}\), and gives them to the challenger.

  3. The challenger randomly selects \(b \in \{0,1\}\) and sets \({\bar{b}}=1-b\). It sets up user \({\mathcal {U}}_0\) with input \((\text {PK},{\overline{m}},m_b)\) and user \({\mathcal {U}}_1\) with input \((\text {PK},{\overline{m}},m_{{\bar{b}}})\).

  4. \({\mathcal {S}}^*\) is given oracle access to each of these users to engage in the blind signature protocol with each of them, mediated by the challenger.

  5. Let \(\sigma _b\) be the result returned by \({\mathcal {U}}_0\) and \(\sigma _{{\bar{b}}}\) be the result returned by \({\mathcal {U}}_1\). If both signatures are valid, the challenger gives \((\sigma _0,\sigma _1)\) to \({\mathcal {S}}^*\), in that fixed order. Give \(\bot \) to \({\mathcal {S}}^*\) otherwise.

  6. \({\mathcal {S}}^*\) outputs \(b' \in \{0,1\}\).

Adversary \({\mathcal {S}}^*\) wins this game whenever \(b' = b\). The signature scheme is blind when every possible adversary \({\mathcal {S}}^*\) wins this game with at most negligible advantage (i.e. probability \(1/2 \pm 2^{-\lambda }\)), where the probability is computed over the coin-flips of \({\mathcal {S}}^*\) and the private coin-flips of \({\mathcal {U}}_0\) and \({\mathcal {U}}_1\).

Note that in this definition, as well as the ones that follow, we assume that the adversarial signer knows which of the users (\({\mathcal {U}}_0\) or \({\mathcal {U}}_1\)) it is interacting with during the protocol.

The above definition is taken from [13], which differs in one significant aspect from [12] (the published conference version that precedes the full paper [13]) as follows. Step 5 in the game above originally read:

  5’. Let \(\sigma _b\) be the result returned by \({\mathcal {U}}_0\) and \(\sigma _{{\bar{b}}}\) be the result returned by \({\mathcal {U}}_1\). If both signatures are valid, the challenger gives \(({\overline{m}},m_b,\sigma _b)\) and \(({\overline{m}},m_{{\bar{b}}},\sigma _{{\bar{b}}})\) to \({\mathcal {S}}^*\) in arbitrary order. If only one of the signatures is valid, the challenger gives that signature and the corresponding message to \({\mathcal {S}}^*\). Give \(\bot \) to \({\mathcal {S}}^*\) otherwise.

In other words: the original game allows that even if only one of the signatures is valid, the challenger gives that signature and the corresponding message to \({\mathcal {S}}^*\). This leaves a blind signature scheme open to the following generic attack.

  1. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\) and two private messages \(m_0,m_1\), and public message \({\overline{m}}\), and gives them to the challenger.

  2. The challenger randomly selects \(b \in \{0,1\}\) and sets \({\bar{b}}=1-b\). It sets up user \({\mathcal {U}}_0\) with input \((\text {PK},{\overline{m}},m_b)\) and user \({\mathcal {U}}_1\) with input \((\text {PK},{\overline{m}},m_{{\bar{b}}})\).

  3. \({\mathcal {S}}^*\) engages in the blind signature protocol, but only with \({\mathcal {U}}_0\). It aborts its interaction with \({\mathcal {U}}_1\) which therefore returns \(\bot \). (Note: \({\mathcal {U}}_1\) can also return a random value, but definitely not a valid signature as this requires the cooperation of \({\mathcal {S}}^*\), so this is easily detected in the next step.)

  4. Let \(\sigma _b\) be the result returned by \({\mathcal {U}}_0\). As the other signature equals \(\bot \) the challenger therefore gives \((m_b,\sigma _b)\) to \({\mathcal {S}}^*\) as its challenge.

  5. This is no game for \({\mathcal {S}}^*\): using its knowledge of \(m_0\) and \(m_1\) it quickly sees which of the two was given to \({\mathcal {U}}_0\) to sign. \({\mathcal {S}}^*\) outputs \(b \in \{0,1\}\) and wins.

Clearly this is not desirable, which probably explains why the definition is amended in the full paper.

3.2 Message indistinguishability

We now turn our attention to the message indistinguishability property, stating that the adversary cannot distinguish which of two known messages it is actually asked to sign by a user.

Definition 3.2

(Message indistinguishability) Let \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) be a signature scheme and consider the following game between an adversarial signer \({\mathcal {S}}^*\) and an honest user \({\mathcal {U}}\), mediated by a challenger.

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}^*\).

  2. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\) and two private messages \(m_0,m_1\), and public message \({\overline{m}}\), and gives them to the challenger.

  3. The challenger randomly selects \(b \in \{0,1\}\). It sets up user \({\mathcal {U}}\) with input \(\text {PK},{\overline{m}},m_b\).

  4. \({\mathcal {S}}^*\) is given oracle access to the user to engage in the blind signature protocol with it, mediated by the challenger.

  5. Let \(\sigma \) be the result returned by \({\mathcal {U}}\). This is hidden from \({\mathcal {S}}^*\).

  6. \({\mathcal {S}}^*\) outputs \(b' \in \{0,1\}\).

Adversary \({\mathcal {S}}^*\) wins this game whenever \(b' = b\).

The signature scheme is message indistinguishable when every possible adversary \({\mathcal {S}}^*\) wins this game with at most negligible advantage (i.e., probability \(1/2 \pm 2^{-\lambda }\)), where the probability is computed over the coin-flips of \({\mathcal {S}}^*\) and the private coin-flips of \({\mathcal {U}}\).

We first offer an example of a signature scheme that is message indistinguishable, as this is useful in the proofs that follow. This signature scheme requires a semantically secure encryption scheme \(\{\}_{{k_{ }}}\) that satisfies the following property.

Property 3.1

Given c, m and \({k_{ }}\) such that \(c = \{m\}_{{k_{ }}}\), the probability to find \(m' \ne m\) and a potentially different key \({k_{ x }}\) such that \(c = \{m'\}_{{k_{ x }}}\) is negligible.

One might think that an authenticated encryption scheme perhaps fits the bill [3]. Unfortunately this is in general not the case. Luckily, a special mode of authenticated encryption called CCM (that combines CTR encryption with a CBC-MAC using the same key \({k_{ }}\)) satisfies this property. CCM is a stream cipher that roughly works as follows (see [9] for details).

  • Let \(E_{{k_{ }}}()\) be a pseudo-random function (it could be a block cipher or a hash function keyed by \({k_{ }}\)).

  • Let m be a message whose length is a multiple of the block length of this underlying block cipher, and write \(m = m_1 \,\Vert \,\ldots \,\Vert \,m_z\).

  • Compute the tag t for message m by using \(E_{{k_{ }}}()\) in CBC mode: define \(t_1 = E_{{k_{ }}}(m_1)\), let \(t_{i+1} = E_{{k_{ }}}(m_{i+1} \oplus t_i)\) and let \(t = t_z\). We write \(t = T_{{k_{ }}}(m)\). Again (for simplicity) tags are assumed to be exactly as long as a single block.

  • Compute the key stream blocks \(A_i\) by encrypting a counter with \({k_{ }}\), i.e., \(A_i =E_{{k_{ }}}(i)\).

  • The full CCM ciphertext is obtained by XOR-ing \(m \,\Vert \,t\) with \(A_0 \,\Vert \,\ldots \,\Vert \,A_z\).

CCM is known to be semantically secure [9]. We show it also satisfies Property 3.1.

Lemma 3.1

Let \(\{m\}_{{k_{ }}}\) be the CCM authenticated encryption scheme described above. Such a scheme satisfies property 3.1.

Proof

Suppose we have \(c = (m \,\Vert \,t) \oplus ( A_0 \,\Vert \,\ldots \,\Vert \,A_z )\), where \(A_i = E_{{k_{ }}}(i)\) and \(t = T_{{k_{ }}}(m)\). Let \(c = c_0 \,\Vert \,\ldots \,\Vert \,c_z\). If we focus on the tag part, then to break the property we need to find \(m'\) and \({k_{ x }}\) such that \(c = (m' \,\Vert \,t') \oplus ( A'_0 \,\Vert \,\ldots \,\Vert \,A'_z )\), where \(A'_i = E_{{k_{ x }}}(i)\) and \(t' = T_{{k_{ x }}}(m')\). This entails finding \(m'\) and \({k_{ x }}\) such that \(c_z = t'\oplus A'_z = T_{{k_{ x }}}(m') \oplus E_{{k_{ x }}}(z)\). In this equation \(c_z\) and z are fixed. The adversary is free to choose \({k_{ x }}\) but this fixes \(m'\) as well as it needs to match c when xor-ed with \((A'_0 \,\Vert \,\ldots \,\Vert \,A'_{z-1})\). If we model the pseudo-random function \(E_{{k_{ }}}()\) as a random oracle [11], it is extremely unlikely that it is possible to meet these constraints: for every possible choice of \({k_{ }}\) there is exactly one possible mapping of the random oracle for \(E_{{k_{ x }}}(z)\) that satisfies the equation, which only happens with negligible probability. \(\square \)

Construction 3.1

(Message indistinguishable signature scheme) Let \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) be any ordinary unforgeable and complete signature scheme (where \({\mathcal {U}}\) submits the message \(m\) to be signed in plaintext to \({\mathcal {S}}\); we are abusing notation somewhat). Let \(\{m\}_{{k_{ U }}}\) be the CCM authenticated encryption scheme discussed above.

Define the message indistinguishable signature scheme \(\Sigma ' = \langle {\mathcal {G}}',{\mathcal {S}}',{\mathcal {U}}',{\mathcal {V}}' \rangle \) as follows. \({\mathcal {G}}'\) equals \({\mathcal {G}}\) creating signing key \({k_{ {\mathcal {S}} }}\) and verification key \({K_{ {\mathcal {S}} }}\).

User \({\mathcal {U}}'\), before submitting a message m to be signed, generates a key \({k_{ {\mathcal {U}}' }}\). It encrypts the message m as \(c = \{m\}_{{k_{ {\mathcal {U}}' }}}\) using the CCM encryption scheme and sends this to the signer who creates the intermediate signature \(\sigma ' = [c \,\Vert \,{\overline{m}}]_{{k_{ {\mathcal {S}} }}}\) (using its knowledge of \({k_{ {\mathcal {S}} }}\) and public parameter \({\overline{m}}\)). It returns this to \({\mathcal {U}}\) who adds \({k_{ {\mathcal {U}}' }}\) to create the final signature \(\sigma = (\sigma ',{k_{ {\mathcal {U}}' }})\). \({\mathcal {U}}'\) outputs \(\sigma \) and \({\mathcal {S}}'\) outputs \(\textsf {success}\). This describes \({\mathcal {S}}'\) and \({\mathcal {U}}'\).

Signature verification \({\mathcal {V}}'\) then runs as follows. Given \({K_{ {\mathcal {S}} }}\), \(\sigma \), \({\overline{m}}\), and \(m\), the verifier first uses \({k_{ {\mathcal {U}} }}\) embedded in \(\sigma \) to reconstruct \(c = \{m\}_{{k_{ {\mathcal {U}} }}}\). It then verifies that indeed \(\sigma = [c \,\Vert \,{\overline{m}}]_{{k_{ {\mathcal {S}} }}}\) using the public key \({K_{ {\mathcal {S}} }}\) and the original signature verification function \({\mathcal {V}}\).
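As an added worked example (not code from the paper), the following Python instantiates the CCM-style authenticated encryption \(\{m\}_k\) described above in Sect. 3.2 and then Construction 3.1 on top of it, so both the blinding step and the verifier's reconstruction of \(c\) can be run end to end. Two choices are assumptions not fixed by the paper: the keyed pseudo-random function \(E_k\) is HMAC-SHA256 truncated to a 16-byte block, and the ordinary signature scheme \([\cdot ]_{k_{\mathcal {S}}}\) is a Lamport one-time signature over SHA-256, chosen only because it needs nothing beyond the standard library (being one-time, each signing run below generates a fresh signer key). All function names and sample values are the example's own.

```python
# Added example (not the paper's code): toy CCM-style scheme {m}_k from
# Sect. 3.2 and Construction 3.1 built on it. Assumptions not fixed by the
# paper: E_k is HMAC-SHA256 cut to one 16-byte block, and the ordinary
# signature [.]_{k_S} is a Lamport one-time signature over SHA-256.
import hashlib
import hmac
import os

BLOCK = 16  # block length in bytes; tags are exactly one block, as in the text

def prf(key: bytes, data: bytes) -> bytes:
    """E_k(): keyed pseudo-random function with a one-block output."""
    return hmac.new(key, data, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_mac(key: bytes, m: bytes) -> bytes:
    """T_k(m): t_1 = E_k(m_1), t_{i+1} = E_k(m_{i+1} xor t_i), tag t = t_z."""
    if not m or len(m) % BLOCK:
        raise ValueError("message length must be a positive multiple of BLOCK")
    t = bytes(BLOCK)  # xor with zeros makes the first step t_1 = E_k(m_1)
    for i in range(0, len(m), BLOCK):
        t = prf(key, xor(m[i:i + BLOCK], t))
    return t

def keystream(key: bytes, nblocks: int) -> bytes:
    """A_0 || ... || A_{nblocks-1} with A_i = E_k(i)."""
    return b"".join(prf(key, i.to_bytes(8, "big")) for i in range(nblocks))

def ccm_encrypt(key: bytes, m: bytes) -> bytes:
    """{m}_k = (m || T_k(m)) xor (A_0 || ... || A_z), z = number of blocks."""
    z = len(m) // BLOCK
    return xor(m + cbc_mac(key, m), keystream(key, z + 1))

def ccm_decrypt(key: bytes, c: bytes):
    """Strip the keystream and return m only if the tag block checks out."""
    plain = xor(c, keystream(key, len(c) // BLOCK))
    m, tag = plain[:-BLOCK], plain[-BLOCK:]
    return m if hmac.compare_digest(tag, cbc_mac(key, m)) else None

def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1

def ots_keygen():
    """Lamport keys: 256 pairs of secrets (sk) and their SHA-256 images (pk)."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [tuple(hashlib.sha256(s).digest() for s in pair) for pair in sk]
    return sk, pk

def ots_sign(sk, data: bytes) -> list:
    """[data]_{k_S}: reveal, per bit of SHA-256(data), the matching secret."""
    d = hashlib.sha256(data).digest()
    return [sk[i][bit(d, i)] for i in range(256)]

def ots_verify(pk, data: bytes, sig) -> bool:
    d = hashlib.sha256(data).digest()
    return all(hashlib.sha256(sig[i]).digest() == pk[i][bit(d, i)]
               for i in range(256))

# Construction 3.1: the user encrypts m under a fresh k_U, the signer signs
# c || mbar without ever seeing m, and the final signature carries k_U.
def user_blind(m: bytes):
    k_u = os.urandom(32)
    return k_u, ccm_encrypt(k_u, m)           # send c = {m}_{k_U} to the signer

def signer_sign(sk, c: bytes, mbar: bytes):
    return ots_sign(sk, c + mbar)             # sigma' = [c || mbar]_{k_S}

def user_finish(sigma_prime, k_u):
    return (sigma_prime, k_u)                 # sigma = (sigma', k_U)

def verify(pk, mbar: bytes, m: bytes, sigma) -> bool:
    sigma_prime, k_u = sigma                  # rebuild c = {m}_{k_U}, check sigma'
    return ots_verify(pk, ccm_encrypt(k_u, m) + mbar, sigma_prime)

def run_once(mbar: bytes, m: bytes):
    """One signing interaction; returns (pk, sigma) for later verification."""
    sk, pk = ots_keygen()                     # fresh one-time signer key per run
    k_u, c = user_blind(m)
    return pk, user_finish(signer_sign(sk, c, mbar), k_u)
```

`run_once(mbar, m)` performs one signing interaction on a private message of whole blocks (a constructed 32-byte serial number, say) and returns the signer's public key together with \(\sigma = (\sigma', k_{\mathcal {U}})\); `verify` rebuilds \(c = \{m\}_{k_{\mathcal {U}}}\) exactly as \({\mathcal {V}}'\) does, so the same \(\sigma \) is rejected for any other \(m\) (which is where Property 3.1 is needed), and `ccm_decrypt` under any other key fails its tag check. Note that \(\sigma'\) appears verbatim inside the final \(\sigma \); a signer that records its \(\sigma'\) values can therefore recognise them later, which is the observation the paper uses in Theorem 3.2.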

Lemma 3.2

The signature scheme in construction 3.1 is message indistinguishable according to definition 3.2.

Proof

The construction matches the (syntactic) constraints of Definition 2.1, and it is easily seen to be complete as defined in 2.2.

We rely on Property 3.1 to prove unforgeability (Definition 2.3). If the blind signature scheme were forgeable, a user \({\mathcal {U}}^*\) would be able to return k signatures \(\sigma _1,\ldots ,\sigma _k\) for k distinct messages \(({\overline{m}}_1,m_1),\ldots ,({\overline{m}}_k,m_k)\) such that \({\mathcal {V}}(\text {PK},{\overline{m}}_i,m_i,\sigma _i)=\textsf {accept}\) for all \(i \in \{1,\ldots ,k\}\), when given only \(j < k\) such message/signature pairs. By definition, the underlying standard signature scheme is not forgeable. By the pigeonhole principle there must then be two signatures \(\sigma _i = (\sigma '_i,{k_{ i }})\) and \(\sigma _j = (\sigma '_j,{k_{ j }})\) such that \(\sigma '_i\) and \(\sigma '_j\) are signatures over the equal strings \(c_i \,\Vert \,{\overline{m}}_i\) and \(c_j \,\Vert \,{\overline{m}}_j\). Then \({\overline{m}}_i = {\overline{m}}_j\) and \(c_i = \{m_i\}_{{k_{ i }}} = \{m_j\}_{{k_{ j }}} = c_j\) while \(({\overline{m}}_i,m_i) \ne ({\overline{m}}_j,m_j)\) by assumption. This contradicts Property 3.1.

Because the encryption scheme is semantically secure, this signature scheme is message indistinguishable according to definition 3.2. \(\square \)

We first show that blindness implies message indistinguishability.

Theorem 3.1

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is blind according to Definition 3.1. Then \(\Sigma \) is message indistinguishable according to Definition 3.2.

Proof

Intuitively the argument runs as follows. Because the signer knows that b selects which message user \({\mathcal {U}}_0\) will offer for signing, if the signature scheme were not message indistinguishable, the signer could trivially guess b correctly (even when not given \(m_b\)). The formal proof requires a bit more work.

Suppose not. So there is an adversarial signer \({\mathcal {S}}^*\) for the game defined in Definition 3.2. We turn it into an adversarial signer \({\mathcal {S}}^{**}\) for the game defined in Definition 3.1 as follows.

  1. \({\mathcal {S}}^{**}\) starts \({\mathcal {S}}^*\), which returns \(\text {PK}\) and two private messages \(m_0,m_1\), and public message \({\overline{m}}\).

  2. \({\mathcal {S}}^{**}\) forwards these to the challenger from Definition 3.1.

  3. Let this challenger randomly select \(b \in \{0,1\}\), set \({\bar{b}}=1-b\), giving user \({\mathcal {U}}_0\) the input \((\text {PK},{\overline{m}},m_b)\) and user \({\mathcal {U}}_1\) the input \((\text {PK},{\overline{m}},m_{{\bar{b}}})\).

  4. Set up both users to be ready to engage with \({\mathcal {S}}^{**}\) in the blind signature protocol (according to the game defined in 3.1).

  5. \({\mathcal {S}}^{**}\) is merely a mediator now, relaying messages between the users and \({\mathcal {S}}^*\). It actually runs the interactive blind signing protocol only between user \({\mathcal {U}}_0\) and \({\mathcal {S}}^*\). (It aborts the other instance.) Observe how this corresponds to the challenge that \({\mathcal {S}}^*\) is supposed to get according to Definition 3.2.

  6. Let \(\sigma _b\) be the result returned by \({\mathcal {U}}_0\). (The other user returns \(\bot \).)

  7. Because one of the signatures fails to be created, according to the blindness game defined for Definition 3.1, the challenger gives \(\bot \) to \({\mathcal {S}}^{**}\), who simply discards it.

  8. \({\mathcal {S}}^*\) outputs \(b' \in \{0,1\}\), which \({\mathcal {S}}^{**}\) forwards as its own output for this challenge.

The output \(b'\) of \({\mathcal {S}}^*\) corresponds to the challenge \({\mathcal {U}}_0,\text {PK},{\overline{m}},m_b\). If \(b=b'\), then by construction \(b'\) is also the correct response to the challenge given to \({\mathcal {S}}^{**}\). This shows that the advantage of \({\mathcal {S}}^{**}\) is the same as that of \({\mathcal {S}}^{*}\), i.e., non-negligible, contradicting the premise of the theorem. \(\square \)

The converse does not hold however: there are message indistinguishable signature schemes that are not blind as the following theorem demonstrates. This shows that message indistinguishability is a strictly weaker notion.

Theorem 3.2

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message indistinguishable according to Definition 3.2. This does not imply that \(\Sigma \) is blind according to Definition 3.1.

Proof

Let \(\Sigma \) be the signature scheme from Construction 3.1. This is message indistinguishable according to Lemma 3.2.

Clearly this signature scheme is not really blind: a malicious signer can record for each run the signature \(\sigma '\) it generated. It can then always win the game in Definition 3.1: it now knows the \(\sigma '_b\) it created while interacting with \({\mathcal {U}}_0\), which it can match to \((\sigma _0,\sigma _1) = ((\sigma '_0,{k_{ {\mathcal {U}}_b }}),(\sigma '_1,{k_{ {\mathcal {U}}_{{\bar{b}}} }}))\) (where \(\sigma '_b\) is the signature over \(m_b\)). This reveals b.

We conclude that message indistinguishability does not imply blindness, and thus the theorem follows. \(\square \)

3.3 Message hiding

Message indistinguishability is a very strong property (it is in fact very similar to semantic security definitions for encryption schemes [11]), but perhaps this property is somewhat counter intuitive and perhaps even stronger than needed for the typical scenario where blind signatures are used: there we typically want to prevent the signer from learning a random message (think a random sequence number) someone else submits for signing. This notion is captured in the following definition of message hiding.

Definition 3.3

(Message hiding, strong version) Let \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) be a signature scheme and consider the following game between an adversarial signer \({\mathcal {S}}^*\) and an honest user \({\mathcal {U}}\), mediated by a challenger.

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}^*\).

  2. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\) and public message \({\overline{m}}\), and gives them to the challenger.

  3. The challenger randomly selects a private message \(m \in \{0,1\}^{\lambda }\), and sets up an instance of a user \({\mathcal {U}}\) with input \(\text {PK},{\overline{m}},m\).

  4. \({\mathcal {S}}^*\) is given oracle access to user \({\mathcal {U}}\) to engage in the blind signature protocol with it, mediated by the challenger.

  5. Let \(\sigma \) be the signature returned by \({\mathcal {U}}\). The challenger gives \(\sigma \) to \({\mathcal {S}}^*\).

  6. \({\mathcal {S}}^*\) outputs \(m' \in \{0,1\}^{\lambda }\).

Adversary \({\mathcal {S}}^*\) wins this game whenever \(m' = m\).

The signature scheme is message hiding when every possible adversary \({\mathcal {S}}^*\) wins this game with at most negligible probability (i.e., probability at most \(2^{-\lambda }\)), where the probability is computed over the coin-flips of \({\mathcal {S}}^*\) and the private coin-flips of \({\mathcal {U}}\).

Blind signature schemes that only offer message hiding are for instance used in the Idemix attribute based credential system to hide the master secret \(m_1\) from the credential issuer [8]. A trivial implementation of such a blind signature scheme in the random oracle model would be one where the message \(m\) to be signed is first hashed using a cryptographic hash function h, and the resulting hash h(m) is then sent to the signer to be signed with an arbitrary traditional (non-blind) signature scheme.

This shows that message hiding is a strictly weaker notion than (general) blindness. But does message indistinguishability imply message hiding, or the other way around? In fact not when we define message hiding as above.

Theorem 3.3

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message hiding according to Definition 3.3. This does not imply that \(\Sigma \) is message indistinguishable according to Definition 3.2.

Proof

Consider the basic message hiding signature scheme above. Let h be a hash function modelled as a random oracle. This guarantees that no adversary is able to recover m given h(m).

Let the signer use an ordinary signature scheme with signing key \({k_{ S }}\) and verification key \({K_{ S }}\) to compute the signature \(\sigma \) on a string s as \([s]_{{k_{ S }}}\). A message hiding signature scheme is one where the user, wishing to compute a signature on a public message \({\overline{m}}\) and a private message \(m\), computes \({\overline{m}}\,\Vert \,h(m)\) and sends this to the signer to sign. The signature then equals \([{\overline{m}}\,\Vert \,h(m)]_{{k_{ S }}}\). To verify such a signature, the verifier is given \({\overline{m}}\) and \(m\), computes \({\overline{m}}\,\Vert \,h(m)\) and checks the signature \(\sigma \) using the underlying traditional signature verification function.

The construction matches the (syntactic) constraints of Definition 2.1, and it is easily seen to be complete as defined in 2.2.

The construction is also (strongly) message hiding according to Definition 3.3. Suppose the challenger returns a signature \(\sigma \) after the query phase. If the adversary is able to successfully guess \(m'\) such that \(\sigma = [{\overline{m}}\,\Vert \,h(m')]_{{k_{ S }}}\) then this essentially means the adversary was able to compute \(m'=m\) while observing the hashes \(h(m)\) sent during the signing process. This is contrary to the assumption on h.

The thus constructed signature scheme is clearly not message indistinguishable according to Definition 3.2. If the adversary selects \({\overline{m}},m_0,m_1\) and receives \({\overline{m}}\,\Vert \,h(m_b)\) for signing, it easily checks which of the two \(m_0\) and \(m_1\) matches \(h(m_b)\) to correctly guess b. \(\square \)

Theorem 3.4

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message indistinguishable according to Definition 3.2. This does not imply that \(\Sigma \) is message hiding according to Definition 3.3.

Proof

Let \(\Sigma \) be the message indistinguishable signature scheme from Construction 3.1. Suppose we tweak it a bit such that the signature returned by the user equals \(\sigma = (\sigma ',{k_{ {\mathcal {U}} }},{\overline{m}},m)\). This tweak does not affect message indistinguishability, for in that game \(\sigma \) is not given to the adversary as part of the challenge. However, in the message hiding game as defined in Definition 3.3, the adversary does get \(\sigma \) and thus trivially wins that game. The result follows. \(\square \)

So message indistinguishability and strong message hiding are incomparable notions. However, a weaker notion of message hiding (that does not give the adversary access to the generated signatures) does follow from message indistinguishability. For that we have to weaken the definition a bit by not giving the adversarial signer the set of final signatures obtained by the user(s). The formal definition is as follows.

Definition 3.4

(Message hiding) Let \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) be a signature scheme and consider the following game between an adversarial signer \({\mathcal {S}}^*\) and a honest user \({\mathcal {U}}\), mediated by a challenger.

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}^*\).

  2. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\) and public message \({\overline{m}}\), and gives them to the challenger.

  3. The challenger randomly selects a private message \(m \in \{0,1\}^{\lambda }\), and sets up an instance of a user \({\mathcal {U}}\) with input \(\text {PK},{\overline{m}},m\).

  4. \({\mathcal {S}}^*\) is given oracle access to user \({\mathcal {U}}\) to engage in the blind signature protocol with it, mediated by the challenger.

  5. Let \(\sigma \) be the signature returned by \({\mathcal {U}}\). \(\sigma \) is hidden from \({\mathcal {S}}^*\).

  6. \({\mathcal {S}}^*\) outputs \(m' \in \{0,1\}^{\lambda }\).

Adversary \({\mathcal {S}}^*\) wins this game whenever \(m' = m\).

The signature scheme is message hiding when every possible adversary \({\mathcal {S}}^*\) wins this game with at most negligible probability (i.e., probability at most \(2^{-\lambda }\)), where the probability is computed over the coin-flips of \({\mathcal {S}}^*\) and the private coin-flips of \({\mathcal {U}}\).

Theorem 3.5

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message indistinguishable according to Definition 3.2. Then \(\Sigma \) is message hiding according to Definition 3.4.

Proof

Suppose not. So there is an adversarial signer \({\mathcal {S}}^*\) for the game defined in Definition 3.4. We turn it into an adversarial signer \({\mathcal {S}}^{**}\) for the game defined in Definition 3.2 as follows.

  1. \({\mathcal {S}}^{**}\) starts \({\mathcal {S}}^*\), which returns \(\text {PK}\) and \({\overline{m}}\).

  2. \({\mathcal {S}}^{**}\) essentially operates as the challenger for \({\mathcal {S}}^*\), using whatever it learns in the process to solve its own challenge.

  3. \({\mathcal {S}}^{**}\) does the following. It generates two fresh private messages \(m_{0},m_{1}\), takes the public message \({\overline{m}}\) it got from \({\mathcal {S}}^*\), and forwards these together with \(\text {PK}\) received from \({\mathcal {S}}^*\) to its own challenger in Definition 3.2. This challenger sets up a user with input \(\text {PK},{\overline{m}},m_{b}\) (depending on its hidden coin flip b), to which \({\mathcal {S}}^{**}\) is given oracle access to engage in the blind signature protocol. \({\mathcal {S}}^{**}\) forwards this oracle access to \({\mathcal {S}}^*\).

  4. After \({\mathcal {S}}^*\) has finished interacting with its oracle, it outputs a guess \(m'\) (to \({\mathcal {S}}^{**}\)). When \(m' = m_{b'}\) for some \(b' \in \{0,1\}\), with \(m_0,m_1\) as in step 3, \({\mathcal {S}}^{**}\) returns \(b'\); otherwise it returns a random bit.

If \({\mathcal {S}}^*\) guesses \(m'\) correctly, then \(m'= m_{b}\), the message given to user \({\mathcal {U}}\) as part of the challenge of \({\mathcal {S}}^{**}\) in step 3. By assumption this happens with non-negligible probability. We conclude that the advantage of \({\mathcal {S}}^{**}\) in guessing b is also non-negligible.

\(\square \)

3.4 Signature unlinkability

We now turn to the definition of signature unlinkability. The challenge is to define it in such a way that it does not immediately imply the message indistinguishability property (and thus would be almost equivalent to the general blindness property). We solve this by letting the challenger generate the messages to be signed and giving the signer only the resulting signatures in random order.

Definition 3.5

(Signature unlinkability) Consider a signature scheme \(\langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) and the following game between an adversarial signer \({\mathcal {S}}^*\) and two honest users \({\mathcal {U}}_0\) and \({\mathcal {U}}_1\).

  1. Run \({\mathcal {G}}(1^\lambda )\) to generate \(\text {sk}\) and \(\text {PK}\). Give \(\text {sk},\text {PK}\) to \({\mathcal {S}}^*\).

  2. Adversary \({\mathcal {S}}^*\) outputs \(\text {PK}\), and a public message \({\overline{m}}\), and gives them to the challenger.

  3. The challenger generates two messages \(m_0,m_1\) (Footnote 7) and sets up user \({\mathcal {U}}_0\) with input \((\text {PK},{\overline{m}},m_0)\) and user \({\mathcal {U}}_1\) with input \((\text {PK},{\overline{m}},m_1)\).

  4. \({\mathcal {S}}^*\) is given oracle access to both users to engage in the blind signature protocol with both of them, mediated by the challenger.

  5. Let \(\sigma _0\) be the result returned by \({\mathcal {U}}_0\) and \(\sigma _1\) be the result returned by \({\mathcal {U}}_1\).

  6. If any of the signatures is invalid, the challenger gives \(\bot \) to \({\mathcal {S}}^*\) (Footnote 8). Otherwise the challenger randomly selects \(b \in \{0,1\}\) and sets \({\bar{b}}=1-b\). The challenger gives \(\sigma _b\) and \(\sigma _{{\bar{b}}}\) to \({\mathcal {S}}^*\) in that order.

  7. \({\mathcal {S}}^*\) outputs \(b' \in \{0,1\}\).

Adversary \({\mathcal {S}}^*\) wins this game whenever \(b' = b\). The signature scheme is signature unlinkable when every possible adversary \({\mathcal {S}}^*\) wins this game with at most negligible advantage (i.e., probability \(1/2 \pm 2^{-\lambda }\)), where the probability is computed over the coin-flips of \({\mathcal {S}}^*\) and the private coin-flips of \({\mathcal {U}}_0\) and \({\mathcal {U}}_1\).

We note that Chaum’s untraceable payment scheme [6] uses a blind signature scheme that is strongly message hiding and is signature unlinkable as well.

The following signature unlinkable signature scheme (which is a slight modification of Chaum’s blind signature scheme) is useful in the proofs of some of the following theorems. We omit the public message \({\overline{m}}\) for simplicity.

Construction 3.2

(Signature unlinkable signature scheme) Define a signature unlinkable signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) as follows. Let \(h_1,h_2\) be two cryptographic hash functions.

\({\mathcal {G}}\) generates an RSA key pair, and publishes the public key \((n,e)\) while giving the corresponding private key \((d,n)\) to the signer.

A user submitting \(m\) for signing first computes \(r = h_1(m)\) and then sends \(m' = h_2(m) r^e \bmod n\) to the signer. The signer computes \(\sigma ' = m'^d \bmod n\) and returns it to the user. The user computes \(\sigma = \sigma ' / r\) as the final signature. This defines \({\mathcal {S}}\) and \({\mathcal {U}}\).

\({\mathcal {V}}\) takes as input \(m\) and \(\sigma \) and returns whether \(\sigma ^e \bmod n = h_2(m)\).

The careful observer will have noted that this is essentially Chaum’s blind signature protocol with r derived from \(m\) (making it no longer blind as we shall see shortly) while \(m\) cannot be recovered from the signature by hiding it using \(h_2\).

Lemma 3.3

The signature scheme from Construction 3.2 is signature unlinkable according to Definition 3.5.

Proof

The construction matches the (syntactic) constraints of Definition 2.1 (disregarding the public message \({\overline{m}}\)), and it is easily seen to be complete as defined in Definition 2.2 using the fact that \((r^e)^d \bmod n = r\) in RSA, so that the result \(\sigma = h_2(m)^d \bmod n\) is a traditional RSA signature over \(h_2(m)\).

This signature scheme is signature unlinkable. Since in the game defined in Definition 3.5 it is the challenger that generates \(m_0\) and \(m_1\), the adversarial signer \({\mathcal {S}}^*\) does not know them. By playing the game \({\mathcal {S}}^*\) learns:

  • \(m_0' = h_2(m_0) r_0^e \bmod n\) (and that it is computed by \({\mathcal {U}}_0\)),

  • \(m_1' = h_2(m_1) r_1^e \bmod n\) (and that it is computed by \({\mathcal {U}}_1\)),

  • \(\sigma _0 = h_2(m_0)^d \bmod n\) and \(\sigma _1 = h_2(m_1)^d \bmod n\) given in the order defined by a random bit b.

\({\mathcal {S}}^*\) needs to guess b based on this information (and its knowledge of the public key \((n,e)\)).

As \(h_1\) and \(h_2\) are random oracles, the value \({\mathcal {S}}^*\) learns for \(m_0'\) could actually correspond to \(h_2(m_1) r_1^e \bmod n\) (and vice versa). So the information it relies on to decide on the value for b could just as well be used to argue for the opposite value.

\(\square \)

We first show that blindness implies signature unlinkability.

Theorem 3.6

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is blind according to Definition 3.1. Then \(\Sigma \) is signature unlinkable according to Definition 3.5.

Proof

Suppose not. So there is an adversarial signer \({\mathcal {S}}^*\) for the game defined in Definition 3.5. We turn it into an adversarial signer \({\mathcal {S}}^{**}\) for the game defined in Definition 3.1 as follows.

  1. \({\mathcal {S}}^{**}\) starts \({\mathcal {S}}^*\), which returns \(\text {PK}\) and \({\overline{m}}\).

  2. \({\mathcal {S}}^{**}\) generates two distinct messages \(m_0,m_1\) and sends them to the challenger along with \(\text {PK}\) and \({\overline{m}}\).

  3. The challenger randomly selects \(b \in \{0,1\}\) and sets \({\bar{b}}=1-b\). It sets up user \({\mathcal {U}}_0\) with input \((\text {PK},{\overline{m}},m_b)\) and user \({\mathcal {U}}_1\) with input \((\text {PK},{\overline{m}},m_{{\bar{b}}})\).

  4. \({\mathcal {S}}^{**}\) engages in the blind signature protocol with both users, mediated by the challenger. It does so by relaying all messages to and from \({\mathcal {S}}^*\) (Footnote 9).

  5. Let \(\sigma _b\) be the result returned by \({\mathcal {U}}_0\) and \(\sigma _{{\bar{b}}}\) be the result returned by \({\mathcal {U}}_1\). If both signatures are valid, then the challenger gives \((\sigma _0,\sigma _1)\) to \({\mathcal {S}}^{**}\) in that order by definition (Footnote 10). Otherwise it returns \(\bot \) to \({\mathcal {S}}^{**}\).

  6. \({\mathcal {S}}^{**}\) forwards \(\sigma _0\) and \(\sigma _1\) in that order to \({\mathcal {S}}^*\) as the challenge.

  7. \({\mathcal {S}}^*\) outputs \(b' \in \{0,1\}\), which \({\mathcal {S}}^{**}\) forwards as its own output for this challenge.

We observe that when \({\mathcal {S}}^*\) outputs \(b'\), it believes that the first signature given as a challenge (\(\sigma _0\), corresponding to \(m_0\)) was generated while interacting with user \({\mathcal {U}}_{b'}\), which is the case exactly when \(b'\) equals the bit b generated by the challenger for the game defined in Definition 3.1. This means that \(b'\) is also the correct response to the challenge given to \({\mathcal {S}}^{**}\). This shows that the advantage of \({\mathcal {S}}^{**}\) is the same as that of \({\mathcal {S}}^{*}\), i.e., non-negligible, contradicting the premise of the theorem. \(\square \)

The signature scheme from Construction 3.2 allows us to prove that the converse does not hold: there are signature unlinkable signature schemes that are not blind, as the following theorem demonstrates. This shows that signature unlinkability, like message indistinguishability, is a strictly weaker notion than blindness.

Theorem 3.7

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is signature unlinkable according to Definition 3.5. This does not imply that \(\Sigma \) is blind according to Definition 3.1.

Proof

Consider the signature scheme from Construction 3.2, which is signature unlinkable according to Lemma 3.3.

This scheme is clearly not blind: using its knowledge of \(m_0\) (which the adversary chooses according to Definition 3.1) the adversarial signer \({\mathcal {S}}^*\) can compute \(r_0 = h_1(m_0)\) and hence \(m_0' = h_2(m_0) r_0^e \bmod n\), the value that either user \({\mathcal {U}}_0\) or user \({\mathcal {U}}_1\) will submit for signing. This allows \({\mathcal {S}}^*\) to tell which of the two users was given \(m_0\) as input by the challenger, and therefore allows \({\mathcal {S}}^*\) to correctly guess b. \(\square \)

A very similar proof can be used to prove the following theorem.

Theorem 3.8

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is signature unlinkable according to Definition 3.5. This does not imply that \(\Sigma \) is message indistinguishable according to Definition 3.2.

Proof

Again consider the signature scheme from Construction 3.2, which is signature unlinkable according to Lemma 3.3.

However, this signature scheme is not message indistinguishable according to Definition 3.2. In the message indistinguishability game the adversarial signer knows \(m_0\) and \(m_1\) and can therefore compute \(r_b =h_1(m_b)\) and \(m_b'=h_2(m_b) r_b^e \bmod n\) for \(b \in \{0,1\}\). It can therefore tell which of the two messages the challenger submits for signing, and hence can always correctly guess b and win the game.

\(\square \)
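Construction 3.2 and the distinguisher used in the proofs of Theorems 3.7 and 3.8, worked out in code. This is an added Python example, not code from the paper: the RSA modulus is built from two Mersenne primes purely so that the example runs offline (it is far too small for real use), SHA-256 reduced modulo n stands in for the random oracles \(h_1\) and \(h_2\), and all function names are mine. The same code also runs Chaum's original scheme (random r) by switching one flag, so the reader can see that the message indistinguishability attack of Theorem 3.8 succeeds precisely because r is derived from the message.

```python
import hashlib
import secrets
from math import gcd
from typing import Optional, Tuple

# Toy RSA parameters, constructed for the example only: p = 2^61 - 1 and
# q = 2^89 - 1 are Mersenne primes, which keeps the example self-contained.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # signer's private exponent d


def _hash_to_zn(label: bytes, m: bytes) -> int:
    """Domain-separated SHA-256 reduced into Z_n; stands in for a random oracle."""
    digest = hashlib.sha256(label + m).digest()
    return int.from_bytes(digest, "big") % N


def h1(m: bytes) -> int:
    return _hash_to_zn(b"h1|", m)


def h2(m: bytes) -> int:
    return _hash_to_zn(b"h2|", m)


def blind(m: bytes, r: int) -> int:
    """User side: m' = h_2(m) * r^e mod n is what the signer gets to see."""
    return (h2(m) * pow(r, E, N)) % N


def sign_blinded(m_blind: int) -> int:
    """Signer side: sigma' = m'^d mod n."""
    return pow(m_blind, D, N)


def unblind(sigma_blind: int, r: int) -> int:
    """User side: sigma = sigma' / r mod n, i.e. h_2(m)^d mod n."""
    return (sigma_blind * pow(r, -1, N)) % N


def verify(m: bytes, sigma: int) -> bool:
    """V from Construction 3.2: sigma^e mod n must equal h_2(m)."""
    return pow(sigma, E, N) == h2(m)


def obtain_signature(m: bytes, deterministic_r: bool) -> Tuple[int, int]:
    """Run the whole protocol; returns (m' as seen by the signer, final sigma).

    deterministic_r=True is Construction 3.2 (r = h_1(m)); False is Chaum's
    original scheme with a fresh random blinding factor.
    """
    r = h1(m) if deterministic_r else 2 + secrets.randbelow(N - 3)
    while gcd(r, N) != 1:            # r must be invertible mod n (practically always)
        r = 2 + secrets.randbelow(N - 3)
    m_blind = blind(m, r)
    sigma = unblind(sign_blinded(m_blind), r)
    return m_blind, sigma


def mi_distinguisher(m0: bytes, m1: bytes, m_blind_seen: int) -> Optional[int]:
    """Adversarial signer in the game of Definition 3.2 (proof of Theorem 3.8).

    It knows m_0 and m_1, recomputes r_b = h_1(m_b) and m_b' for both, and
    compares with the request it actually received. Returns its guess for b,
    or None when neither candidate matches (nothing better than a coin flip).
    """
    for b, m in enumerate((m0, m1)):
        if blind(m, h1(m)) == m_blind_seen:
            return b
    return None


def run_mi_game(m0: bytes, m1: bytes, deterministic_r: bool, b: int) -> Optional[int]:
    """Challenger picks m_b, the user obtains a signature, the signer guesses b."""
    m_blind, sigma = obtain_signature((m0, m1)[b], deterministic_r)
    assert verify((m0, m1)[b], sigma)   # completeness of the construction
    return mi_distinguisher(m0, m1, m_blind)


if __name__ == "__main__":
    print("Construction 3.2, b=1 -> guess", run_mi_game(b"coin-1", b"coin-2", True, 1))
    print("Chaum (random r), b=1 -> guess", run_mi_game(b"coin-1", b"coin-2", False, 1))
```

With `deterministic_r=True` the distinguisher recovers b every time, exactly as in the proofs of Theorems 3.7 and 3.8; with a random r (Chaum's scheme) the recomputed candidates never match the request, and the signer is left with None. Note what the signer does not get from this code in the unlinkability game of Definition 3.5: there it never learns \(m_0,m_1\), so it cannot recompute \(r_b\) and the request \(m'\) carries no usable link to the final \(\sigma\), which is Lemma 3.3.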

The reverse is also true.

Theorem 3.9

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message indistinguishable according to Definition 3.2. This does not imply that \(\Sigma \) is signature unlinkable according to Definition 3.5.

Proof

Consider the message indistinguishable signature scheme in Construction 3.1, where the message to be signed is first CCM encrypted as \(c = \{m\}_{{k_{ {\mathcal {U}} }}}\) under a random key \({k_{ {\mathcal {U}} }}\). The signer creates the intermediate signature \(\sigma ' = [c \,\Vert \,{\overline{m}}]_{{k_{ {\mathcal {S}} }}}\). It returns this to \({\mathcal {U}}\) who adds \({k_{ {\mathcal {U}} }}\) to create the final signature \(\sigma = (\sigma ',{k_{ {\mathcal {U}} }})\).

This scheme is however not signature unlinkable according to Definition 3.5. Suppose the adversarial signer keeps the intermediate signatures \(\sigma _0'\) and \(\sigma _1'\) it generated while interacting with user \({\mathcal {U}}_0\) and user \({\mathcal {U}}_1\) respectively. As in the proof of Theorem 3.2 it can match these with \(\sigma _b = (\sigma _b',{k_{ {\mathcal {U}}_b }})\) and \(\sigma _{{\bar{b}}} = (\sigma _{{\bar{b}}}',{k_{ {\mathcal {U}}_{{\bar{b}}} }})\) and hence guess b correctly. \(\square \)
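The two toy schemes from the proofs of Theorem 3.3 (hash-then-sign) and Theorem 3.9 (Construction 3.1, encrypt-then-sign) side by side, played through both the message indistinguishability game of Definition 3.2 and the signature unlinkability game of Definition 3.5. This is an added Python example and not the paper's code. It makes two stand-in choices the paper does not: an HMAC tag under the signer's key plays the role of the traditional signature \([s]_{{k_{ S }}}\) (the games only need the signer to produce and recognise its own tags), and a SHA-256 counter-mode keystream plays the role of CCM encryption under \({k_{ {\mathcal {U}} }}\). All function names are mine.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Signer's long-term key, constructed for the example. hmac(K_S, s) stands in
# for the traditional signature [s]_{k_S} of the paper.
K_S = b"signer-key-constructed-for-this-example"


def sign_traditional(s: bytes) -> bytes:
    return hmac.new(K_S, s, hashlib.sha256).digest()


def h(m: bytes) -> bytes:
    """The hash h (random oracle) from the proof of Theorem 3.3."""
    return hashlib.sha256(b"h|" + m).digest()


# --- Scheme A: hash-then-sign (proof of Theorem 3.3) -------------------------
def scheme_a_request(m_pub: bytes, m: bytes) -> bytes:
    """User sends m_pub || h(m); h is fixed width, so the split is unambiguous."""
    return m_pub + h(m)


def scheme_a_verify(m_pub: bytes, m: bytes, sigma: bytes) -> bool:
    return hmac.compare_digest(sign_traditional(scheme_a_request(m_pub, m)), sigma)


# --- Scheme B: encrypt-then-sign (Construction 3.1, as recalled in Theorem 3.9)
def stream_encrypt(key: bytes, m: bytes) -> bytes:
    """Toy keystream cipher standing in for CCM; only meant to hide m here."""
    out = bytearray()
    for i in range(0, len(m), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(m[i:i + 32], block))
    return bytes(out)


def scheme_b_request(m_pub: bytes, m: bytes) -> Tuple[bytes, bytes]:
    """User picks a fresh k_U and sends c || m_pub; returns (request, k_U)."""
    k_u = secrets.token_bytes(16)
    return stream_encrypt(k_u, m) + m_pub, k_u


# --- Message indistinguishability game (Definition 3.2) ----------------------
def mi_adversary(scheme: str, m_pub: bytes, m0: bytes, m1: bytes,
                 request: bytes) -> Optional[int]:
    """Adversarial signer: it chose m_0, m_1 and now sees the signing request."""
    if scheme == "A":
        for b, m in enumerate((m0, m1)):          # recompute m_pub || h(m_b)
            if scheme_a_request(m_pub, m) == request:
                return b
    # Scheme B: the request is c || m_pub under a key the signer never sees,
    # so there is nothing to recompute; the adversary can only abstain.
    return None


def play_mi_game(scheme: str, m_pub: bytes, m0: bytes, m1: bytes, b: int) -> Optional[int]:
    m = (m0, m1)[b]
    request = scheme_a_request(m_pub, m) if scheme == "A" else scheme_b_request(m_pub, m)[0]
    return mi_adversary(scheme, m_pub, m0, m1, request)


# --- Signature unlinkability game (Definition 3.5) ---------------------------
def play_su_game(scheme: str, m_pub: bytes, m0: bytes, m1: bytes, b: int) -> int:
    """The signer logs the intermediate signature of each session (which user it
    came from), then receives the final signatures with sigma_b first and links
    the first one back to its log. Returns the adversary's guess b'."""
    log = {}
    finals = []
    for user, m in enumerate((m0, m1)):           # challenger-chosen messages
        if scheme == "A":
            sigma_prime = sign_traditional(scheme_a_request(m_pub, m))
            final = sigma_prime                   # the final signature IS the tag
        else:
            request, k_u = scheme_b_request(m_pub, m)
            sigma_prime = sign_traditional(request)
            final = (sigma_prime, k_u)            # sigma = (sigma', k_U)
        log[sigma_prime] = user
        finals.append(final)
    first = finals[b]                             # challenger hands sigma_b first
    tag = first if scheme == "A" else first[0]
    return log[tag]
```

Scheme A loses the message indistinguishability game (the signer recomputes \(h(m_0)\) and \(h(m_1)\)) and also the unlinkability game, since the final signature is the very tag the signer produced, which is the Theorem 3.10 situation for a strongly message hiding scheme. Scheme B survives the message indistinguishability game, but `play_su_game` shows the Theorem 3.9 attack: exposing \(\sigma'\) inside the final signature lets a signer that keeps a log link every signature to the session that produced it. Hiding the message and hiding which session produced the signature are separate engineering requirements.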

This shows that message indistinguishability and signature unlinkability are indeed separate notions.

We will now explore the relationship between signature unlinkability and other notions defined in this paper. For example, what is the relationship between signature unlinkability and message hiding? The blind signature scheme underlying the Idemix attribute based credential scheme [5, 8] is in fact only strongly message hiding but not signature unlinkable (Footnote 11). This proves the following theorem.

Theorem 3.10

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is strongly message hiding according to Definition 3.3. This does not imply that \(\Sigma \) is signature unlinkable according to Definition 3.5.

The other way around, signature unlinkability does imply (weak) message hiding (which explains why we need the slightly stronger notion of message indistinguishability).

Theorem 3.11

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is signature unlinkable according to Definition 3.5. Then \(\Sigma \) is message hiding according to Definition 3.4.

Proof

The proof is very similar to the proof of Theorem 3.5.

Suppose not. So there is an adversarial signer \({\mathcal {S}}^*\) for the game defined in Definition 3.4. We turn it into an adversarial signer \({\mathcal {S}}^{**}\) for the game defined in Definition 3.5 as follows.

  1. \({\mathcal {S}}^{**}\) starts \({\mathcal {S}}^*\), which returns \(\text {PK}\) and \({\overline{m}}\).

  2. \({\mathcal {S}}^{**}\) essentially operates as the challenger for \({\mathcal {S}}^*\), using whatever it learns in the process to solve its own challenge.

  3. \({\mathcal {S}}^{**}\) forwards \({\overline{m}}\) to its own challenger. This challenger generates two messages \(m_{0}\) and \(m_{1}\) and sets up a user \({\mathcal {U}}_0\) with input \((\text {PK},{\overline{m}},m_{0})\) and a user \({\mathcal {U}}_1\) with input \((\text {PK},{\overline{m}},m_{1})\). \({\mathcal {S}}^{**}\) is given oracle access to both users to engage in the blind signature protocol with both of them, mediated by the challenger. For \({\mathcal {U}}_0\) it forwards oracle access to \({\mathcal {S}}^*\). For \({\mathcal {U}}_1\), \({\mathcal {S}}^{**}\) interacts with this oracle itself. This way \({\mathcal {S}}^*\) is set up exactly as in the game of Definition 3.4.

  4. After \({\mathcal {S}}^*\) has finished interacting with its oracle, it outputs a guess \(m'\) (to \({\mathcal {S}}^{**}\)). For the signature unlinkability game \({\mathcal {S}}^{**}\) is playing, \({\mathcal {S}}^{**}\) asks for its challenge. If both signatures (\(\sigma _0\) generated by \({\mathcal {U}}_0\) and \(\sigma _1\) generated by \({\mathcal {U}}_1\)) in step 3 are valid, it receives \(\sigma _b\) and \(\sigma _{{\bar{b}}}\) (depending on the private coin flip b of its challenger) in that order. It then checks whether \(\sigma _b\) or \(\sigma _{{\bar{b}}}\) is a valid signature over \(m'\) (the guess returned by \({\mathcal {S}}^*\)). In the first case it returns \(b'=0\), in the second case it returns \(b'=1\). If neither is the case it returns a random bit \(b'\).

By assumption with some non-negligible probability, \(m'\) returned by \({\mathcal {S}}^*\) corresponds to the oracle set up by \({\mathcal {S}}^{**}\) in step 3. Then \(m'=m_{0}\) (as \({\mathcal {S}}^*\) never interacted with \({\mathcal {U}}_1\)). So if \(m'\) matches \(\sigma _b\) (the first signature in its challenge), \(\sigma _b\) must be a signature over \(m_{0}\) and hence \(b=0\). And if it matches \(\sigma _{{\bar{b}}}\), then \(b=1\) instead. We see that in this case \(b'=b\) and hence the adversary wins. As we already concluded that this case happens with non-negligible probability, the conclusion follows. \(\square \)

The reverse of this theorem does not hold, by Theorems 3.9 and 3.5.

3.5 Message indistinguishability and signature unlinkability

We have so far shown that signature blindness can be separated into two separate properties, message indistinguishability and signature unlinkability, that are indeed independent: one does not imply the other, and neither on its own implies blindness. The natural question to ask is whether message indistinguishability and signature unlinkability together do imply blindness. That would be a nice conclusion, as it would show that the proposed separation is ideal in the sense that the two properties together capture all that makes a signature scheme blind. Unfortunately, this is not the case if we do not rule out pathological cases of misbehaving users, as the following theorem shows.

Theorem 3.12

Consider a signature scheme \(\Sigma = \langle {\mathcal {G}},{\mathcal {S}},{\mathcal {U}},{\mathcal {V}} \rangle \) that is message indistinguishable according to Definition 3.2 and signature unlinkable according to Definition 3.5. This does not (in general) imply that \(\Sigma \) is blind according to Definition 3.1.

Proof

Let \(\Sigma \) be a blind signature scheme according to Definition 3.1. Modify \(\Sigma \) as follows to create a new signature scheme \(\Sigma '\). Pick a particular message \({\widetilde{m}}\). If \(\sigma \) is the signature returned by user \({\mathcal {U}}\) when interacting with \({\mathcal {S}}\), define \({\mathcal {U}}'\) to return the tuple \((\sigma ,\beta )\) where \(\beta \) is a random identity, except when \({\mathcal {U}}'\) wants a signature on message \({\widetilde{m}}\). In that case \(\beta \) equals the identity of \({\mathcal {U}}\).

Clearly, \(\Sigma '\) is no longer blind. The adversarial signer can always commit to messages \(m_0={\widetilde{m}}\) and \(m_1\) to the challenger. Depending on its private bit b, the challenger gives \({\widetilde{m}}\) to either \({\mathcal {U}}_0\) or \({\mathcal {U}}_1\). Whichever it is, it will return a signature \((\sigma _0,b)\) over \({\widetilde{m}}\) while the other returns \((\sigma _1,\beta )\) over \(m_1\) where \(\beta \) is random.

When challenged, the adversary receives \((\sigma _0,b),(\sigma _1,\beta )\) in that order. It returns the b it finds in the first signature which by construction is always equal to the private bit chosen by the challenger. In other words, the adversary wins.

In the message indistinguishability game of Definition 3.2, the adversary doesn’t receive the final signatures. Therefore its view when interacting with \({\mathcal {S}}'\) is exactly the same as when interacting with \({\mathcal {S}}\). We conclude that \(\Sigma '\) is also message indistinguishable.

In the signature unlinkability game of Definition 3.5, the adversary does not get to pick the messages to be signed. Instead, the challenger does. With overwhelming probability, \({\widetilde{m}}\) is not among the messages chosen by the adversary. As a result, the \(\beta \) component of both challenge signatures is random and can be ignored, i.e. the advantage of the adversary against \(\Sigma '\) is no better than against \(\Sigma \). We conclude that \(\Sigma '\) is signature unlinkable. \(\square \)

4 Conclusions

Fig. 1 Summary of relations

A summary of our results is presented in Fig. 1, where we write \(A \rightarrow B\) when A implies B, and we write \(A \mid \!\!\!-\;B\) when \(B \not \rightarrow A\), i.e., when A does not logically follow from B (or, B does not imply A).

Compiling this figure, we made use of the following transitivity rules governing the relationships among the several notions we defined in this paper.

  • \(A \rightarrow B\) and \(B \rightarrow C\) implies \(A \rightarrow C\).

  • \(A \mid \!\!\!-\;B\) and \(B \rightarrow C\) implies \(A \mid \!\!\!-\;C\).

  • \(A \rightarrow B\) and \(B \mid \!\!\!-\;C\) implies \(A \mid \!\!\!-\;C\).

As can be seen from the picture, this paper shows that signature blindness can be decomposed into two separate and indeed independent properties: message indistinguishability and signature unlinkability. The more natural notion of message hiding cannot be used for this purpose as it is implied by signature unlinkability.

Unfortunately combining signature unlinkability and message indistinguishability does not give back blindness, although this appears to be the case only in pathological cases. We have so far been unable to prove a restricted version of such a theorem ruling out certain classes of users, and neither did we find a less pathological counterexample. This is left for further research.

I am grateful to the anonymous reviewers for their comments and suggestions that really helped improve the paper.