Abstract
Subset signatures are a variant of malleable signatures which allow anyone to derive signatures on any subset of previously signed sets in such a way that derived signatures are indistinguishable from new signatures on the subset (i.e. context-hiding). Such a primitive has many applications. In some scenarios, it might be desirable to restrict some elements in the set from preserving the context-hiding property. In other words, it might be desirable to allow the signer, at the time of the signing, to mark specific elements (which we refer to hereafter as the restricted subset) such that the inclusion of any elements from the restricted subset in any derived signatures would violate the context-hiding property and make the derived signature linkable to the original signature. In this paper, we put forward the notion of subset signatures with controlled context-hiding. We propose a security model and a generic construction as well as efficient instantiations which do not rely on random oracles. Our instantiations are structure-preserving and therefore could be useful for other applications. As a special case of our constructions when the restricted subset is empty, we obtain more efficient constructions of standard subset signatures. Our constructions, which satisfy the strongest existing security definitions, have constant-size keys and outperform existing constructions in every respect.
As part of our contribution, we construct a structure-preserving signature scheme with combined unforgeability that signs a vector of group elements while maintaining constant-size signatures. The scheme has some desirable properties and combines nicely with Groth-Sahai proofs, and thus could be of independent interest.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_12
Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_37
Belenkiy, M., Camenisch, J., Chase, M., Kohlweiss, M., Lysyanskaya, A., Shacham, H.: Randomizable proofs and delegatable anonymous credentials. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 108–125. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_7
Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: S&P 2007, pp. 321–334. IEEE (2007)
Ahn, J.H., Boneh, D., Camenisch, J., Hohenberger, S., shelat, A., Waters, B.: Computing on authenticated data. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 1–20. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_1
Attrapadung, N., Libert, B.: Homomorphic network coding signatures in the standard model. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 17–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_2
Attrapadung, N., Libert, B., Peters, T.: Computing on authenticated data: new privacy definitions and constructions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 367–385. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_23
Attrapadung, N., Libert, B., Peters, T.: Efficient completely context-hiding quotable and linearly homomorphic signatures. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 386–404. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36362-7_24
Barbulescu, R., Gaudry, P., Joux, A., Thomé, E.: A heuristic quasi-polynomial algorithm for discrete logarithm in finite fields of small characteristic. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 1–16. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_1
Bellare, M., Neven, G.: Transitive signatures based on factoring and RSA. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 397–414. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_25
Bellare, M., Rogaway, P.: Random oracles are practical: a Paradigm for Designing Efficient Protocols. In: ACM-CCS 1993, pp. 62–73. ACM (1993)
Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988, pp. 103–112 (1988)
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Boneh, D., Freeman, D.M.: Linearly homomorphic signatures over binary fields and new tools for lattice-based signatures. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 1–16. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_1
Boneh, D., Freeman, D.M.: Homomorphic signatures for polynomial functions. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 149–168. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_10
Boneh, D., Freeman, D., Katz, J., Waters, B.: Signing a linear subspace: signature schemes for network coding. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 68–87. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_5
Brzuska, C., Busch, H., Dagdelen, O., Fischlin, M., Franz, M., Katzenbeisser, S., Manulis, M., Onete, C., Peter, A., Poettering, B., Schröder, D.: Redactable signatures for tree-structured data: definitions and constructions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 87–104. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_6
Brzuska, C., Fischlin, M., Freudenreich, T., Lehmann, A., Page, M., Schelbert, J., Schröder, D., Volk, F.: Security of sanitizable signatures revisited. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 317–336. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_18
Brzuska, C., Fischlin, M., Lehmann, A., Schröder, D.: Unlinkability of sanitizable signatures. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 444–461. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_26
Camacho, P., Hevia, A.: Short transitive signatures for directed trees. In: Dunkelman, O. (ed.) CT-RSA 2012. LNCS, vol. 7178, pp. 35–50. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-27954-6_3
Catalano, D., Fiore, D., Warinschi, B.: Adaptive pseudo-free groups and applications. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 207–223. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20465-4_13
Catalano, D., Fiore, D., Warinschi, B.: Efficient network coding signatures in the standard model. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 680–696. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_40
Chatterjee, S., Menezes, A.: Type 2 structure-preserving signature schemes revisited. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 286–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_13
De Santis, A., Di Crescenzo, G., Persiano, G.: Necessary and sufficient assumptions for non-interactive zero-knowledge proofs of knowledge for all NP relations. In: Montanari, U., Rolim, J.D.P., Welzl, E. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 451–462. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45022-X_38
Desmedt, Y.: Computer security by redefining what a computer is. In: NSPW 1993, pp. 160–166 (1993)
El Kaafarani, A., Ghadafi, E., Khader, D.: Decentralized traceable attribute-based signatures. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 327–348. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_17
Fiat, A., Shamir, A.: Witness indistinguishable and witness hiding protocols. In: STOC 1990, pp. 416–426 (1990)
Freeman, D.M.: Improved security for linearly homomorphic signatures: a generic framework. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 697–714. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30057-8_41
Galbraith, S., Paterson, K., Smart, N.P.: Pairings for cryptographers. Discrete Appl. Math. 156, 3113–3121 (2008)
Gennaro, R., Katz, J., Krawczyk, H., Rabin, T.: Secure network coding over the integers. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 142–160. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_9
Gentry, C.: Fully homomorphic encryption using ideal lattices In: STOC 2009, pp. 169–178. ACM (2009)
Ghadafi, E., Smart, N.P., Warinschi, B.: Groth–Sahai proofs revisited. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 177–192. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_11
Granger, R., Kleinjung, T., Zumbrägel, J.: Breaking ‘128-bit Secure’ Supersingular Binary Curves (or how to solve discrete logarithms in \({\mathbb{F}}_{2^{4 \cdot 1223}}\) and \({\mathbb{F}}_{2^{12 \cdot 367}}\)). In: Cryptology ePrint Archive, Report 2014/119, http://eprint.iacr.org/2014/119.pdf
Groth, J.: Efficient fully structure-preserving signatures for large messages. In: Iwata, T., Cheon, J.H. (eds.) ASIACRYPT 2015. LNCS, vol. 9452, pp. 239–259. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48797-6_11
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
Hevia, A., Micciancio, D.: The provable security of graph-based one-time signatures and extensions to algebraic signature schemes. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 379–396. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_24
Johnson, R., Molnar, D., Song, D., Wagner, D.: Homomorphic signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 244–262. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_17
Kiltz, E., Mityagin, A., Panjwani, S., Raghavan, B.: Append-only signatures. In: Caires, L., Italiano, G.F., Monteiro, L., Palamidessi, C., Yung, M. (eds.) ICALP 2005. LNCS, vol. 3580, pp. 434–445. Springer, Heidelberg (2005). https://doi.org/10.1007/11523468_36
Libert, B., Joye, M., Yung, M., Peters, T.: Secure efficient history-hiding append-only signatures in the standard model. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 450–473. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_20
Micali, S., Rivest, R.L.: Transitive signature schemes. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 236–243. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_16
Miyazaki, K., Hanaoka, G., Imai, H.: Digitally signed document sanitizing scheme based on bilinear maps. In: ASIACCS 2006, pp. 343–354. ACM (2006)
Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A SXDH-Based Groth-Sahai Proofs
Here we give the SXDH-instantiation of Groth-Sahai proofs [32, 35].
Let \(\mathbb {B}:=\mathbb {G}^2\), \(\tilde{\mathbb {B}}:=\tilde{\mathbb {G}}^2\) and \(\mathbb {H}:=\mathbb {T}^4\), with all operations performed componentwise. Define
We will use the \(\bullet \) notation instead of F for vectors. To generate the \({\mathsf {crs}}\), the trusted party randomly chooses \(a_i, t_i \xleftarrow {~\$~}\mathbb {Z}_p^\times \) for \(i=1,2\) and computes \(Q :=G^{a_1}\), \(U :=G^{t_1}\), \(V :=Q^{t_1}\), \(\tilde{Q} :=\tilde{G}^{a_2}\), \(\tilde{U} :=\tilde{G}^{t_2}\), \(\tilde{V} :=\tilde{Q}^{t_2}\). We now set
The \({\mathsf {crs}}\) is then the set where and . Under the SXDH assumption, one cannot tell a binding key from a hiding key.
To define the commitment schemes used by the proof system, we need the two maps \(\iota : \mathbb {G}\rightarrow \mathbb {B}\) and \(\tilde{\iota }: \tilde{\mathbb {G}}\rightarrow \tilde{\mathbb {B}}\) which are defined as follows:
To commit to a group element \(X\in \mathbb {G}\), the commitment algorithm \(\mathsf {GSCommit}_{\mathbb {G}}\) chooses \({\varvec{r}}=(r_1,r_2) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and computes . We have
Similarly, to commit to a group element \(\tilde{X}\in \tilde{\mathbb {G}}\), the commitment algorithm \(\mathsf {GSCommit}_{\tilde{\mathbb {G}}}\) chooses \({\varvec{s}}=(s_1,s_2) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and computes . We have
We now define the map \(\iota _T\) as follows:
The equations we prove are pairing-product equations of the form:
In fact, all the equations we prove are linear equations (Eq. 5) where \(\alpha _{i,j}=0\) for all i, j.
B More Details of the Instantiation
Each signature in the set contains a proof for the following linear equation
We have
The proof for the above linear equation is given by
As noted in [35], we can omit the \(1_{\tilde{\mathbb {G}}}\) components from the proof which halves the size of the proof into \(\tilde{\mathbb {G}}^2\). To verify the proof, one needs to check the following equation:
We show now how to randomize the public components of the signature, i.e. \(R_i\) and \(\tilde{R}_i\) (which are part of the statement) and the Groth-Sahai commitments and proof accordingly. One chooses \(\gamma _i \xleftarrow {~\$~}\mathbb {Z}_p\) and sets \(R^\prime _i:={R_i} \cdot G^{\gamma _i}\) and \(\tilde{R}_i^\prime :=\tilde{R}_i \cdot \tilde{G}^{\gamma _i}\). We also randomize the (committed) signature component \(S_i\) using the same randomness \(\gamma _i\) as follows:
We now re-randomize the Groth-Sahai commitments and proofs to make them unlinkable to the original ones. We choose \({\varvec{r}}^\prime _{\mathbf {0}}=(r^{\prime }_{0,1},r^{\prime }_{0,2}) \xleftarrow {~\$~}\mathbb {Z}^2_p\) and \({\varvec{r}}^\prime _{{\varvec{i}}}=(r^{\prime }_{i,1},r^{\prime }_{i,2}) \xleftarrow {~\$~}\mathbb {Z}^2_p\) for \(i=1,\ldots , |\mathcal {S}|\) and compute
Providing that all \({\varvec{r}}^\prime _i\) for \(i=0,\ldots ,|\mathcal {S}|\) are chosen at random, the new commitments are uniformly distributed over \(\mathbb {B}\) and are thus independent of the original ones. We now show how to re-randomize proof \(\tilde{\varvec{\pi }_i}\) into \(\tilde{\varvec{\pi }}^\prime _i\) accordingly.
Since \({\varvec{r}}^\prime _i\) for \(i=0,\ldots ,|\mathcal {S}|\) are chosen at random, the new proof is uniformly distributed and is thus independent of the original one. To verify the proof, one needs to check the following equation:
We now show that the new proofs will be accepted by the verify algorithm.
Lemma 4
The randomized proof \(\tilde{\varvec{\pi }}^\prime _i\) verifies correctly.
Proof
Our proof is for a binding CRS. The proof for a hiding CRS is very similar.
By expanding the left-hand side of the verification equation (Eq. 8), we have
Similarly, by expanding the right-hand side of Eq. 8, we have
It is clear both sides equate and hence the proof \(\tilde{\pi }^\prime _i\) verifies correctly.
This concludes the proof. \(\square \)
Rights and permissions
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Ghadafi, E. (2017). Subset Signatures with Controlled Context-Hiding. In: O'Neill, M. (eds) Cryptography and Coding. IMACC 2017. Lecture Notes in Computer Science(), vol 10655. Springer, Cham. https://doi.org/10.1007/978-3-319-71045-7_15
Download citation
DOI: https://doi.org/10.1007/978-3-319-71045-7_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71044-0
Online ISBN: 978-3-319-71045-7
eBook Packages: Computer ScienceComputer Science (R0)