Type 2 Structure-Preserving Signature Schemes Revisited
At CRYPTO 2014, Abe et al. presented generic-signer structure-preserving signature schemes using Type 2 pairings. According to the authors, the proposed constructions are optimal with only two group elements in each signature and just one verification equation. The schemes beat the known lower bounds in the Type 3 setting and thereby establish that the Type 2 setting permits construction of cryptographic schemes with unique properties not achievable in Type 3.
In this paper we undertake a concrete analysis of the Abe et al. claims. By properly accounting for the actual structure of the underlying groups and subgroup membership testing of group elements in signatures, we show that the schemes are not as efficient as claimed. We present natural Type 3 analogues of the Type 2 schemes, and show that the Type 3 schemes are superior to their Type 2 counterparts in every aspect. We also formally establish that in the concrete mathematical structure of asymmetric pairing, all Type 2 structure-preserving signature schemes can be converted to the Type 3 setting without any penalty in security or efficiency, and show that the converse is false. Furthermore, we prove that the Type 2 setting does not allow one to circumvent the known lower bound result for the Type 3 setting. Our analysis puts the optimality claims for Type 2 structure-preserving signature in a concrete perspective and indicates an incompleteness in the definition of a generic bilinear group in the Type 2 setting.
KeywordsGroup Element Signature Scheme Signed Message Cryptographic Protocol Security Proof
We thank Jens Groth and Francisco Rodríguez-Henríquez for their comments on an earlier draft of the paper. We also thank the Asiacrypt reviewers for their helpful feedback.
- 5.Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Structure-preserving signatures from type II pairings, full version of  (2014). http://eprint.iacr.org/2014/312
- 9.Barthe, G., Fagerholm, E., Fiore, D., Scedrov, A., Schmidt, B., Tibouchi, M.: Strongly-optimal structure preserving signatures from type II pairings: synthesis and lower bounds. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 355–376. Springer, Heidelberg (2015) Google Scholar
- 11.Chase, M.: Efficient non-interactive zero-knowledge proofs for privacy applications. Ph.D. thesis, Brown University (2008)Google Scholar
- 20.Hanser, C., Slamanig, D.: Structure-preserving signatures on equivalence classes and their application to anonymous credentials. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 491–511. Springer, Heidelberg (2014) Google Scholar
- 23.Miyaji, A., Nakabayashi, M., Tanako, S.: New explicit condition of elliptic curve trace for FR-reduction. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E84–A, 1234–1243 (2001)Google Scholar