Practical Round-Optimal Blind Signatures in the Standard Model
Abstract
Round-optimal blind signatures are notoriously hard to construct in the standard model, especially in the malicious-signer model, where blindness must hold under adversarially chosen keys. This is substantiated by several impossibility results. The only construction that can be termed theoretically efficient, by Garg and Gupta (Eurocrypt’14), requires complexity leveraging, inducing an exponential security loss.
We present a construction of practically efficient round-optimal blind signatures in the standard model. It is conceptually simple and builds on the recent structure-preserving signatures on equivalence classes (SPS-EQ) from Asiacrypt’14. While the traditional notion of blindness follows from standard assumptions, we prove blindness under adversarially chosen keys under an interactive variant of DDH. However, we neither require non-uniform assumptions nor complexity leveraging.
We then show how to extend our construction to partially blind signatures and to blind signatures on message vectors, which yield a construction of one-show anonymous credentials à la “anonymous credentials light” (CCS’13) in the standard model.
Furthermore, we give the first SPS-EQ construction under non-interactive assumptions and show how SPS-EQ schemes imply conventional structure-preserving signatures, which allows us to apply optimality results for the latter to SPS-EQ.
Keywords
(Partially) Blind signatures · Standard model · SPS-EQ · One-show anonymous credentials
1 Introduction
The concept of blind signatures [22] dates back to the beginning of the 1980s. A blind signature scheme is an interactive protocol where a user (or obtainer) requests a signature on a message which the signer (or issuer) must not learn. In particular, the signer must not be able to link a signature to the execution of the issuing protocol in which it was produced (blindness). Furthermore, it should even for adaptive adversaries be infeasible to produce a valid blind signature without the signing key (unforgeability). Blind signatures have proven to be an important building block for cryptographic protocols, most prominently for e-cash, e-voting and one-show anonymous credentials. In more than 30 years of research, many different (\(> 50\)) blind signature schemes have been proposed. The spectrum ranges from RSA-based (e.g., [19, 22]) over DL-based (e.g., [2, 41]) and pairing-based (e.g., [12, 14]) to lattice-based (e.g., [44]) constructions, as well as constructions from general assumptions (e.g., [25, 35, 36]).
Blind Signatures and Their Round Complexity. Two distinguishing features of blind signatures are whether they assume a common reference string (CRS) set up by a trusted party to which everyone has access, and the number of rounds in the signing protocol. Schemes which require only one round of interaction (two moves) are called round-optimal [25]. Besides improving efficiency, round optimality also directly yields concurrent security (which otherwise has to be dealt with explicitly; e.g., [35, 37]). There are very efficient round-optimal schemes [11, 14, 23] under interactive assumptions (chosen-target one-more RSA inversion and chosen-target CDH, respectively) in the random oracle model (ROM), as well as under the interactive LRSW [39] assumption in the CRS model [32]. All these schemes are in the honest-key model, where blindness only holds against signers whose keys are generated by the experiment.
Fischlin [25] proposed a generic framework for constructing round-optimal blind signatures in the CRS model with blindness under malicious keys: the signer signs a commitment to the message and the blind signature is a non-interactive zero-knowledge (NIZK) proof of a signed commitment which opens to the message. Using structure-preserving signatures (SPS) [3] and the Groth-Sahai (GS) proof system [33] instead of general NIZKs, this framework was efficiently instantiated in [3]. In [12, 13], Blazy et al. gave alternative approaches to compact round-optimal blind signatures in the CRS model which avoid including a GS proof in the final blind signature. Another round-optimal solution with comparable computational costs was proposed by Seo and Cheon [46], building on work by Meiklejohn et al. [40].
Removing the CRS. Known impossibility results indicate that the design of round-optimal blind signatures in the standard model has some limitations. Lindell [38] showed that concurrently secure (and consequently also round-optimal) blind signatures are impossible in the standard model when using simulation-based security notions. This can however be bypassed via game-based security notions, as shown by Hazay et al. [35] for non-round-optimal constructions.
Fischlin and Schröder [27] showed that black-box reductions of blind-signature unforgeability to non-interactive assumptions in the standard model are impossible if the scheme has three moves or less, blindness holds statistically (or computationally if unforgeability and blindness are unrelated) and protocol transcripts allow one to verify whether the user is able to derive a signature. Existing constructions [30, 31] bypass these results by making non-black-box use of the underlying primitives (and preventing signature-derivation checks in [31]).
Garg et al. [31] proposed the first round-optimal generic construction in the standard model, which can only be considered a theoretical feasibility result. Using fully homomorphic encryption, the user encrypts the message sent to the signer, who evaluates the signing circuit on the ciphertext. To remove the CRS, they use two-round witness-indistinguishable proofs (ZAPs) to let the parties prove honest behavior; to preserve round-optimality, they include the first, fixed round of the ZAP in the signer’s public key.
Garg and Gupta [30] proposed the first efficient round-optimal blind signature constructions in the standard model. They build on Fischlin’s framework using SPS. To remove a trusted setup, they use a two-CRS NIZK proof system based on GS proofs and include the CRSs in the public key while forcing the signer to honestly generate the CRS. Their construction, however, requires complexity leveraging (the reduction for unforgeability needs to solve a subexponential DL instance for every signing query) and is proven secure with respect to non-uniform adversaries. Consequently, communication complexity is in the order of hundreds of KB (even at an 80-bit security level) and the computational costs (not considered by the authors) seem to limit their practical application even more significantly.
Partially Blind Signatures. Partially blind signatures are an extension of blind signatures, which additionally allow including common information in a signature. Many non-round-optimal partially blind signature schemes in the ROM are based on a technique by Abe and Okamoto [7]. The latter [42] proposed an efficient construction for non-round-optimal blind as well as partially blind signatures in the standard model. Round-optimal partially blind signatures in the CRS model can again be obtained from Fischlin’s framework [25]. Round-optimal partially blind signatures in the CRS model are constructed in [13, 40, 46]. To date, there is—to the best of our knowledge—no round-optimal partially blind signature scheme that is secure in the standard model.
One-Show Anonymous Credential Systems. Such systems allow a user to obtain a credential on several attributes from an issuer. The user can later selectively show attributes (or prove relations about attributes) to a verifier without revealing any information about undisclosed attributes. No party (including the issuer) can link the issuing of a credential to any of its showings, yet different showings of the same credential are linkable. An efficient implementation of one-show anonymous credentials is Microsoft’s U-Prove [16].
Baldimtsi and Lysyanskaya [9] showed that the underlying signature scheme [15] cannot be proven secure using known techniques. To mitigate this problem, in [8] they presented a generic construction of one-show anonymous credentials in the vein of Brands’ [15] approach from so-called blind signatures with attributes. They also present a scheme based on a non-round-optimal blind signature scheme by Abe [2] and prove their construction secure in the ROM.
Our Contribution
Blind Signatures and Anonymous Credentials. Besides Fischlin’s generic commit-prove paradigm [25], there are other classes of schemes. For instance, RSA and BLS blind signatures [11, 14, 23] follow a randomize-derandomize approach, which exploits the homomorphic property of the respective signature scheme. Other approaches follow the commit-rerandomize-transform paradigm, where a signature on a commitment to a message can be transformed into a rerandomized (unlinkable) signature on the original message [12, 32]. Our construction is based on a new concept, which one may call the commit-randomize-derandomize-open approach. It does not use non-interactive proofs at all and is solely based on the recent concept of structure-preserving signature schemes on equivalence classes (SPS-EQ) [34] and commitments. As we also avoid a trusted setup of the commitment parameters, we do not require a CRS. We do however prove our scheme secure under interactive hardness assumptions.
In SPS-EQ the message space is partitioned into equivalence classes and, given a signature on a message, anyone can adapt the signature to a different representative of the same class. SPS-EQ requires that after signing a representative a signer cannot distinguish between an adapted signature for a new representative of the same class and a fresh signature on a completely random message.

We propose a new approach to constructing blind signatures in the standard model based on SPS-EQ. It yields conceptually simple and compact constructions and does not rely on techniques such as complexity leveraging. Our blind signatures are practical in terms of key size, signature size, communication and computational effort (when implemented with known instantiations of SPS-EQ [29], a blind signature consists of 5 bilinear-group elements).

We provide the first construction of round-optimal partially blind signatures in the standard model, which follow straightforwardly from our blind signatures and are almost as efficient.

We generalize our blind signature scheme to message vectors, which yields one-show anonymous credentials à la “anonymous credentials light” [8]. We thus obtain one-show anonymous credentials secure in the standard model (whereas all previous ones have either no security proof or ones in the ROM).
Moreover, we show how any SPS-EQ scheme can be turned into a standard structure-preserving signature scheme. This transformation allows us to apply the optimality criteria by Abe et al. [4, 5] to SPS-EQ. We conclude that the scheme from [29] is optimal in terms of signature size and verification complexity and that it cannot be proven unforgeable under non-interactive assumptions.
2 Preliminaries
A function \(\epsilon :\mathbb {N}\rightarrow \mathbb {R}^+\) is negligible if \(\forall \,c > 0\ \exists \,k_0\ \forall \,k > k_0 : \epsilon (k) < 1/k^c\). By \(a \xleftarrow{R} S\) we denote that a is chosen uniformly at random from a set S. We write \(\mathsf{A}(a_1,\dots ,a_n; r)\) to make the randomness r used by a probabilistic algorithm \(\mathsf{A}(a_1,\dots ,a_n)\) explicit. If \(\mathbb {G}\) is an (additive) group then \(\mathbb {G}^*\) denotes \(\mathbb {G}\setminus \{0_\mathbb {G}\}\).
Definition 1

Bilinearity: \(e(aP, b\hat{P}) = e(P,\hat{P})^{ab} = e(bP,a\hat{P}) ~~~ \forall \, a,b\in \mathbb {Z}_p\).

Non-degeneracy: \(e(P,\hat{P}) \ne 1_{\mathbb {G}_T}\), i.e., \(e(P,\hat{P})\) generates \(\mathbb {G}_T\).
If \(\mathbb {G}_1 = \mathbb {G}_2\), then e is symmetric (Type-1) and asymmetric (Type-2 or 3) otherwise. For Type-2 pairings there is an efficiently computable isomorphism \(\Psi :\mathbb {G}_2 \rightarrow \mathbb {G}_1\); for Type-3 pairings no such isomorphism is known. Type-3 pairings are currently the optimal choice in terms of the efficiency and security trade-off [21].
Definition 2
(Bilinear-Group Generator). A bilinear-group generator is a polynomial-time algorithm \(\mathsf BGGen\) that takes a security parameter \(1^\kappa \) and outputs a bilinear group \(\mathsf{BG}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P,\hat{P})\) consisting of groups \(\mathbb {G}_1 = \langle P \rangle \), \(\mathbb {G}_2 = \langle \hat{P} \rangle \) and \(\mathbb {G}_T\) of prime order p with \(\log _2 p = \kappa \) and a pairing \(e:\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). In this work we assume that \(\mathsf BGGen\) is a deterministic algorithm.^{1}
Definition 3
Definition 4
((Symmetric) External Diffie-Hellman Assumption). The XDH and SXDH assumptions hold for \(\mathsf BGGen\) if the DDH assumption holds in \(\mathbb {G}_1\) and holds in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively.
The next assumption is a static computational assumption derived from the SXDH version of the q-Diffie-Hellman inversion assumption [21].
Definition 5
co-DHI\(^*_1\) is implied by a variant of the decision linear assumption in asymmetric groups stating that, given \((\mathsf{BG},(aP_j,bP_j)_{j\in [2]},raP_{2},sbP_{2})\) for uniformly random \(a,b,r,s\), it is hard to distinguish \(T=(r+s)P_{2}\) from a random \(\mathbb {G}_2\) element. (A co-DHI\(^*_i\) solver could be used to compute \(\frac{1}{a} P_1\) and \(\frac{1}{b} P_1\), which enables one to check whether \(e(\frac{1}{a} P_1,raP_2)\,e(\frac{1}{b} P_1,sb P_2)=e(P_1,T)\).) This holds analogously for co-DHI\(^*_2\).
Generalized Pedersen Commitments. These are commitments to a vector of messages \(\mathbf {m} = (m_i)_{i\in [n]}\in \mathbb {Z}_p^{\,n}\) that consist of one group element. They are perfectly hiding and computationally binding under the discrete-log assumption.

\(\mathsf{Setup}_\mathsf{P}(1^\kappa ,n)\) : Choose a group \(\mathbb {G}\) of prime order p with \(\log _2 p = \kappa \) and \(n+1\) distinct generators \((P_i)_{i \in [n]},Q\) and output parameters \(\mathsf{cpp}\leftarrow (\mathbb {G},p,(P_i)_{i \in [n]},Q)\) (which is an implicit input to the following algorithms).

\(\mathsf{Commit}_\mathsf{P}(\mathbf {m};r)\) : On input a vector \(\mathbf {m} \in \mathbb {Z}_p^{\,n}\) and randomness \(r\in \mathbb {Z}_p\), output a commitment \(C \leftarrow \sum _{i \in [n]} m_iP_i+rQ\) and an opening \(O \leftarrow (\mathbf {m},r)\).

\(\mathsf{Open}_\mathsf{P}(C,O)\) : On input \(C\in \mathbb {G}\) and \(O = (\mathbf {m},r)\), if \(C=\sum _{i \in [n]} m_iP_i+rQ\) then output \(\mathbf {m} = (m_i)_{i\in [n]}\); else output \(\bot \).
Remark 1
\(\mathsf{Setup}_\mathsf{P}\) is typically run by a trusted party; it can however also be run by the receiver since commitments are perfectly hiding.
2.1 Structure-Preserving Signatures on Equivalence Classes
Structure-preserving signatures (SPS) [3, 4, 6, 18] can sign elements of a bilinear group without requiring any prior encoding. In such a scheme public keys, messages and signatures consist of group elements only and the verification algorithm evaluates a signature by deciding group membership and evaluating pairing-product equations (PPEs).
The notion of SPS on equivalence classes (SPS-EQ) was introduced by Hanser and Slamanig [34]. Their initial instantiation turned out to only be secure against random-message attacks (cf. [28] and the updated full version of [34]), but together with Fuchsbauer [29] they subsequently presented a scheme that is unforgeable under chosen-message attacks (EUF-CMA) in the generic group model.
The concept of SPS-EQ is as follows. Let p be a prime and \(\ell > 1\); then \({\mathbb {Z}_p}^{\ell }\) is a vector space and we can define a projective equivalence relation on it, which propagates to \({\mathbb {G}_i}^{\ell }\) and partitions \({\mathbb {G}_i}^{\ell }\) into equivalence classes. Let \(\sim _\mathcal {R}\) be this relation, i.e., for \(M, N \in {\mathbb {G}_i}^{\ell }: M \sim _\mathcal {R}N \,\Leftrightarrow \,\exists \, s\in \mathbb {Z}_{p}^* : M = s N\). An SPS-EQ scheme signs an equivalence class \([M]_\mathcal{R}\) for \(M \in (\mathbb {G}_i^*)^\ell \) by signing a representative M of \([M]_\mathcal {R}\). It then allows for switching to other representatives of \([M]_\mathcal {R}\) and updating the signature without access to the secret key. An important property of SPS-EQ is class-hiding, which roughly means that two message-signature pairs corresponding to the same class should be unlinkable.
Here, we discuss the abstract model and the security model of such a signature scheme, as introduced in [34].
Definition 6

\(\mathsf{BGGen}_\mathcal {R}(1^\kappa )\), a bilinear-group generation algorithm, which on input a security parameter \(\kappa \) outputs an asymmetric bilinear group \(\mathsf BG\).

\(\mathsf{KeyGen_\mathcal {R}}(\mathsf{BG},\ell )\), on input \(\mathsf{BG}\) and vector length \(\ell >1\), outputs a key pair \((\mathsf{sk},\mathsf{pk})\).

\(\mathsf{Sign_\mathcal {R}}(M,\mathsf{sk})\), given a representative \(M \in (\mathbb {G}_i^*)^\ell \) and a secret key \(\mathsf{sk}\), outputs a signature \(\sigma \) for the equivalence class \([M]_\mathcal {R}\).

\(\mathsf{ChgRep_\mathcal {R}}(M, \sigma , \mu , \mathsf{pk})\), on input a representative \(M \in (\mathbb {G}_i^*)^\ell \) of class \([M]_\mathcal {R}\), a signature \(\sigma \) on M, a scalar \(\mu \) and a public key \(\mathsf{pk}\), returns an updated message-signature pair \((M', \sigma ')\), where \(M'=\mu \cdot M\) is the new representative and \(\sigma '\) its updated signature.

\(\mathsf{Verify_\mathcal {R}}(M,\sigma ,\mathsf{pk})\) is deterministic and, on input a representative \(M \in (\mathbb {G}_i^*)^\ell \), a signature \(\sigma \) and a public key \(\mathsf{pk}\), outputs \(1\) if \(\sigma \) is valid for M under \(\mathsf{pk}\) and \(0\) otherwise.

\(\mathsf{VKey_\mathcal {R}}(\mathsf{sk},\mathsf{pk})\) is a deterministic algorithm, which given a secret key \(\mathsf{sk}\) and a public key \(\mathsf{pk}\) outputs \(1\) if the keys are consistent and \(0\) otherwise.
An SPS-EQ scheme must satisfy correctness, EUF-CMA security and class-hiding.
Definition 7
In contrast to standard signatures, EUF-CMA security is defined with respect to equivalence classes, i.e., a forgery is a signature on a message from an equivalence class from which no message has been signed.
Definition 8
Class-hiding is defined in [34] and uses the following oracles and a list \(\mathcal {Q}\) to keep track of queried messages M.

\(\mathcal {O}^{RM}\): Pick a message \(M\) uniformly at random from \((\mathbb {G}_i^*)^\ell \), append it to \(\mathcal {Q}\) and return M.

\(\mathcal {O}^{RoR}(M, \mathsf{sk}, \mathsf{pk},b)\): Given message M, key pair \((\mathsf{sk},\mathsf{pk})\) and bit b, return \(\bot \) if \(M \not \in \mathcal {Q}\). On the first valid call, record M and \(\sigma \leftarrow \mathsf{Sign_\mathcal {R}}(M,\mathsf{sk})\); if later called on \(M'\ne M\), return \(\bot \). Pick a uniformly random scalar \(\mu \in \mathbb {Z}_p^*\) and a uniformly random message \(R \in (\mathbb {G}_i^*)^\ell \), set \((M_0,\sigma _0) \leftarrow \mathsf{ChgRep_\mathcal {R}}(M,\sigma ,\mu ,\mathsf{pk})\) and \((M_1,\sigma _1) \leftarrow (R, \mathsf{Sign}_\mathcal {R}(R,\mathsf{sk}))\) and return \((M_b,\sigma _b)\).
Definition 9
Fuchsbauer, Hanser and Slamanig [29] present an EUF-CMA-secure scheme, which we give as Scheme 1, and prove the following.
Theorem 1
Scheme 1 is EUF-CMA secure against generic forgers and class-hiding under the DDH assumption.
3 New Results on SPS-EQ
In the following, we present the first standard-model construction of SPS-EQ as modeled in [34]. We then introduce new properties to characterize SPS-EQ constructions, strengthening the notion of class-hiding. Finally, we show how to turn any SPS-EQ construction into an SPS construction. This not only provides a new, efficient standard-model SPS scheme derived from our SPS-EQ scheme; it also allows us to infer optimality of the SPS-EQ scheme from [29] (Scheme 1) and the impossibility of basing its EUF-CMA security on non-interactive assumptions.
3.1 A Standard-Model SPS-EQ Construction
Following the approach by Abe et al. [4], we construct from the scheme SPS-EQ, given as Scheme 1, an SPS-EQ scheme SPS-EQ\('\), given as Scheme 2, and prove that it satisfies EUF-CMA security and class-hiding, both under non-interactive assumptions.
The scheme for \(\ell \)-length messages is simply Scheme 1 with message space \((\mathbb {G}_1^*)^{\ell +2}\), where before each signing two random group elements are appended to the message. Scheme 2 features constant-size signatures (\(4~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements), has public keys of size \(\ell + 2\) and still uses 2 PPEs for verification.
Unforgeability follows from a q-type assumption that states that Scheme 1 for \(\ell = 2\) is secure against random-message attacks. (That is, no PPT adversary, given the public key and signatures on q random messages, can, with non-negligible probability, output a message-signature pair for an equivalence class that was not signed.) Class-hiding follows from class-hiding of Scheme 1. Both proofs can be found in the full version.
3.2 Perfect Adaption of Signatures
We now introduce new definitions characterizing the output distribution of \(\mathsf{ChgRep_\mathcal {R}}\), which lead to stronger notions than class-hiding. The latter only guarantees that given an honestly generated signature \(\sigma \) on M, the output \((\mu M,\sigma ')\) of \(\mathsf{ChgRep_\mathcal {R}}\) for a random \(\mu \) looks like a random message-signature pair. This however does not protect a user against a signer when the user randomizes a pair obtained from the signer. We thus explicitly require that an adaption of any valid (not necessarily honestly generated) signature is distributed like a fresh signature.
Definition 10
We now show the relation between Definitions 9 and 10. The following is proven analogously to the proof of class-hiding of Scheme 1 in [29].
Proposition 1
Let SPS-EQ be an SPS-EQ scheme on \((\mathbb {G}_i^*)^\ell \), \(\ell > 1\), with perfect adaption of signatures. If Open image in new window is computationally indistinguishable from Open image in new window then SPS-EQ is class-hiding.
Corollary 1
If the DDH assumption holds in \(\mathbb {G}_i\) then any SPS-EQ scheme on \((\mathbb {G}_i^*)^\ell \) satisfying Definition 10 is class-hiding (Definition 9).
We note that the converse is not true, as witnessed by Scheme 2: it satisfies class-hiding, but the discrete logs of \((R_1,R_2)\) contained in a signature \(\sigma \) have the same ratio as those of \((\tilde{R}_1,\tilde{R}_2)\) from the output of \(\mathsf{ChgRep_\mathcal {R}}\).
Maliciously Chosen Keys. Whereas Definition 10 strengthens Definition 9 in that it considers maliciously generated signatures, the next definition strengthens this further by considering maliciously generated public keys. As there might not even be a corresponding signing key, we cannot compare the outputs of \(\mathsf{ChgRep_\mathcal {R}}\) to those of \(\mathsf{Sign_\mathcal {R}}\). We therefore require that \(\mathsf{ChgRep_\mathcal {R}}\) outputs a random element that satisfies verification.
Definition 11
Proof (sketch)
For any \(M\in (\mathbb {G}_1^*)^\ell \) and \(\mathsf{pk}\in (\mathbb {G}_2^*)^\ell \), let \((x_i)_{i\in [\ell ]}\) be such that \(\mathsf{pk}=(x_i \hat{P})_{i\in [\ell ]}\). A signature \((Z, Y, \hat{Y}) \in \mathbb {G}_1 \times \mathbb {G}_1^* \times \mathbb {G}_2^*\) satisfying \(\mathsf{Verify_\mathcal {R}}(M,(Z, Y, \hat{Y}),\mathsf{pk})=1\) must be of the form \((Z =y \sum x_i M_i,Y =\frac{1}{y} P,\hat{Y} = \frac{1}{y} \hat{P})\) for some \(y\in {\mathbb {Z}_p}^{*}\). \(\mathsf{ChgRep_\mathcal {R}}\) outputs \(\sigma '=(y\psi \sum x_i \mu M_i,\frac{1}{y\psi } P,\frac{1}{y\psi } \hat{P})\), which is a random element in \(\mathbb {G}_1 \times \mathbb {G}_1^* \times \mathbb {G}_2^*\) satisfying \(\mathsf{Verify_\mathcal {R}}(\mu M,\sigma ',\mathsf{pk})=1\). \(\square \)
3.3 From SPS-EQ to (Re-randomizable) SPS Schemes
We now show how any EUF-CMA-secure SPS-EQ scheme that signs equivalence classes of \((\mathbb {G}_i^*)^{\ell + 1}\) with \(\ell > 0\) can be turned into an EUF-CMA-secure SPS scheme signing vectors of \((\mathbb {G}_i^*)^\ell \). (We note that SPS schemes typically allow messages from \(\mathbb {G}_1\) and/or \(\mathbb {G}_2\), which is preferable when used in combination with Groth-Sahai proofs.) The transformation works by embedding messages \((M_i)_{i \in [\ell ]} \in (\mathbb {G}_i^*)^\ell \) into \((\mathbb {G}_i^*)^{\ell + 1}\) as \(M' = ((M_i)_{i \in [\ell ]}, P)\) and signing \(M'\). To verify a signature \(\sigma \) on a message \((M_i)_{i \in [\ell ]} \in (\mathbb {G}_i^*)^\ell \) under key \(\mathsf{pk}\), one checks whether \(\mathsf{Verify_\mathcal {R}}(((M_i)_{i \in [\ell ]},P), \sigma , \mathsf{pk}) =1\).
What we have done is to allow only one single representative of each class, namely the one with P as its last element, a procedure we call normalization. EUF-CMA security of the SPS-EQ scheme states that no adversary can produce a signature on a message from an unqueried class, which therefore implies EUF-CMA security of the resulting SPS scheme.
Moreover, from any SPS-EQ scheme with perfect adaption of signatures the above transformation yields a re-randomizable SPS scheme, since signatures can be re-randomized by running \(\mathsf{ChgRep_\mathcal {R}}\) for \(\mu =1\) (Definition 10 guarantees that this outputs a random signature). This also means that the lower bounds for SPS over Type-3 groups given by Abe et al. in [4, 5] carry over to SPS-EQ: any SPS must use at least 2 PPEs for verification and must have at least 3 signature elements, which cannot all be from the same group. Moreover, EUF-CMA security of optimal (that is, 3-element-signature) SPS-EQ schemes cannot be reduced to non-interactive assumptions.
Finally, let us investigate the possibility of SPS-EQ in the Type-1 and Type-2 pairing settings and the implied lower bounds. Class-hiding requires the DDH assumption to hold on the message space. This excludes the Type-1 setting, while in the Type-2 setting the message space must be \((\mathbb {G}_1^*)^\ell \). In [6] Abe et al. identified the following lower bounds for Type-2 SPS schemes with messages in \(\mathbb {G}_1\): 2 PPEs for verification and 3 group elements for signatures. The above transformation converts a Type-2 SPS-EQ scheme into a Type-2 SPS scheme, hence these optimality criteria apply to Type-2 SPS-EQ schemes as well.
Implications. Applying the above transformation to the SPS-EQ scheme from [29] (Scheme 1) yields a perfectly re-randomizable SPS scheme in Type-3 groups with constant-size signatures for unilateral length-\(\ell \) message vectors and public keys of size \(\ell + 1\). Scheme 1 is optimal as it only uses 2 PPEs and its signatures consist of 3 bilateral group elements. Hence, by [5] there is no reduction of its EUF-CMA security to a non-interactive assumption and the generic-group-model proof in [29] is the best one can achieve.
Applying our transformation to Scheme 2 yields a new standard-model SPS construction for unilateral length-\(\ell \) message vectors in Type-3 groups. It has constant-size signatures (\(4~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements), a public key of size \(\ell + 3\) and uses 2 PPEs for verification; it is therefore almost as efficient as the best known direct SPS construction from non-interactive assumptions in [4], whose signatures consist of \(3~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements. Scheme 2 is partially re-randomizable [3], whereas the scheme in [4] is not.
4 Blind Signatures from SPS-EQ
We first present the abstract model for blind signature schemes. Security is defined by unforgeability and blindness and was initially studied in [36, 43] and then strengthened in [26, 45].
Definition 12

\(\mathsf{KeyGen}_\mathsf{BS}(1^\kappa )\), on input \(\kappa \), returns a key pair \((\mathsf{sk}, \mathsf{pk})\). The security parameter \(\kappa \) is also an (implicit) input to the following algorithms.

\(({\mathcal {U}}_\mathsf{BS}(m, \mathsf{pk}), \mathcal {S}_\mathsf{BS}(\mathsf{sk}))\) are run by a user and a signer, who interact during execution. \({\mathcal {U}}_\mathsf{BS}\) gets input a message m and a public key \(\mathsf{pk}\) and \(\mathcal {S}_\mathsf{BS}\) has input a secret key \(\mathsf{sk}\). At the end \( {\mathcal {U}}_\mathsf{BS}\) outputs \(\sigma \), a signature on m, or \(\bot \) if the interaction was not successful.

\(\mathsf{Verify}_\mathsf{BS}(m, \sigma , \mathsf{pk})\) is deterministic and given a messagesignature pair \((m, \sigma )\) and a public key \(\mathsf{pk}\) outputs \(1\) if \(\sigma \) is valid on m under \(\mathsf{pk}\) and \(0\) otherwise.
A blind signature scheme \(\mathsf{BS}\) must satisfy correctness, unforgeability and blindness.
Definition 13
(Correctness). A blind signature scheme \(\mathsf{BS}\) is correct if for all \(\kappa \in \mathbb {N}\), all \((\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{KeyGen_\mathsf{BS}}(1^\kappa )\), all messages m and \(\sigma \leftarrow ({{\mathcal {U}}_\mathsf{BS}}(m, \mathsf{pk}), {\mathcal {S}_\mathsf{BS}}(\mathsf{sk}))\) it holds that \(\mathsf{Verify_\mathsf{BS}}(m,\sigma ,\mathsf{pk})=1\).
Definition 14
There are several flavors of blindness. The strongest definition is blindness in the malicious-signer model [1, 42], which allows the adversary to create \(\mathsf{pk}\), whereas in the honest-signer model the key pair is set up by the experiment. We prove our construction secure under the stronger notion, which was also considered by the recent round-optimal standard-model constructions [30, 31].
Definition 15
4.1 Construction
Our construction uses commitments to the messages and SPS-EQ to sign these commitments and to perform blinding and unblinding. Signing an equivalence class with an SPS-EQ scheme lets one derive a signature for arbitrary representatives of this class without knowing the private signing key. This concept provides an elegant way to realize a blind signing process as follows.
The signer’s key contains an element Q under which the obtainer makes a Pedersen commitment \(C=mP+rQ\) to the message m. (Since the commitment is perfectly hiding, the signer may know q with \(Q=qP\).) The obtainer then forms a vector (C, P), which can be seen as the canonical representative of the equivalence class \([(C,P)]_\mathcal {R}\). Next, she picks a uniformly random \(s\in \mathbb {Z}_p^*\) and moves (C, P) to a random representative (sC, sP), which hides C. She sends (sC, sP) to the signer and receives an SPS-EQ signature on it, from which she can derive a signature on the original message (C, P), which she can publish together with an opening of C. As verification will check validity of the SPS-EQ signature on a message ending with P, the unblinding is unambiguous.
Let us now discuss how the user opens the Pedersen commitment \(C=mP+rQ\). Publishing (m, r) directly would break blindness of the scheme (a signer could link a pair \(M=(D,S)\), received during signing, to a signature by checking whether \(D=mS+rqS\)). We therefore define a tweaked opening, for which we include \(\hat{Q}=q\hat{P}\) in addition to \(Q=qP\) in the signer’s public key. We define the opening as (m, rP), which can be checked via the pairing equation \(e(C - mP, \hat{P}) = e(rP, \hat{Q})\). This opening is still computationally binding under the co-DHI\(_1^*\) assumption (in contrast to standard Pedersen commitments, which are binding under the discrete-log assumption). Hiding of the commitment still holds unconditionally, and we will prove the constructed blind-signature scheme secure in the malicious-signer model without requiring a trusted setup.
The scheme is presented as Scheme 3. (Note that for simplicity the blind signature contains \(T=rQ\) instead of C.) Correctness follows by inspection.
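The commit-randomize-derandomize-open flow just described, as an added Python example that is not the paper's Scheme 1 or Scheme 3. Because no pairing-friendly curve is available stand-alone, it assumes a transparent model of the bilinear group in which every element of \(\mathbb{G}_1\), \(\mathbb{G}_2\) and \(\mathbb{G}_T\) is stored as its discrete log (so \(P\), \(\hat{P}\) and \(e(P,\hat{P})\) are all the number 1 and \(e(aP, b\hat{P}) = ab \bmod p\)). Discrete logs are trivial there, so the model has no hiding at all; what it lets one check is the algebra: the SPS-EQ signature shape from the proof sketch in Sect. 3.2 with two verification PPEs assumed for this example, \(\mathsf{ChgRep}_\mathcal{R}\) moving between representatives (Definition 6) and back to the normalized representative ending in \(P\) (Sect. 3.3), and the tweaked opening check \(e(C - mP, \hat{P}) = e(rP, \hat{Q})\) with \(T = rQ\) carried in the blind signature instead of \(C\). All function and parameter names are this example's own.

```python
"""Commit-randomize-derandomize-open blind signing in a transparent toy
bilinear group.  Added example, not the paper's Scheme 1 or Scheme 3."""
import random

# Transparent model (assumption of this example): group elements are stored
# as their discrete logs, so P = P_hat = 1 and e(aP, bP_hat) = a*b mod p.
# A product of pairings in G_T is therefore a sum mod p.  There is no hiding
# here; the model only checks that the verification and (un)blinding
# equations hold as the text describes.
p = 2**61 - 1   # prime group order (a Mersenne prime), toy choice


def e(a, b_hat):
    return a * b_hat % p


def inv(x):
    return pow(x, -1, p)


# SPS-EQ in the signature shape of the Sect. 3.2 proof sketch:
#   pk = (x_i P_hat),  sigma = (Z = y * sum_i x_i M_i, Y = (1/y)P, Y_hat = (1/y)P_hat).
# The two PPEs in spseq_verify are assumed for this example.
def spseq_keygen(rng, ell):
    sk = [rng.randrange(1, p) for _ in range(ell)]
    return sk, list(sk)                       # pk_i = x_i * P_hat has log x_i


def spseq_sign(rng, M, sk):
    y = rng.randrange(1, p)
    Z = y * sum(x * m for x, m in zip(sk, M)) % p
    return (Z, inv(y), inv(y))


def spseq_verify(M, sigma, pk):
    Z, Y, Y_hat = sigma
    lhs = sum(e(m, x) for m, x in zip(M, pk)) % p   # prod_i e(M_i, X_hat_i)
    return lhs == e(Z, Y_hat) and e(Y, 1) == e(1, Y_hat)


def spseq_chgrep(rng, M, sigma, mu):
    """Move to representative mu*M; adapt sigma with a fresh psi (Definition 6)."""
    psi = rng.randrange(1, p)
    Z, Y, Y_hat = sigma
    M2 = [mu * m % p for m in M]
    return M2, (psi * mu * Z % p, inv(psi) * Y % p, inv(psi) * Y_hat % p)


# Blind-signature flow of Sect. 4.1
def bs_keygen(rng):
    sk_eq, pk_eq = spseq_keygen(rng, 2)
    q = rng.randrange(1, p)                   # Q = qP and Q_hat = qP_hat share log q
    return {"sk": sk_eq, "q": q}, {"pk": pk_eq, "Q": q, "Q_hat": q}


def user_blind(rng, m, pk):
    """Commit C = mP + rQ, form (C, P), randomize to (sC, sP)."""
    r = rng.randrange(1, p)
    C = (m + r * pk["Q"]) % p
    s = rng.randrange(1, p)
    return [s * C % p, s], {"m": m, "r": r, "s": s, "C": C}


def signer_sign(rng, blinded, sk):
    """The signer only ever sees the representative (sC, sP)."""
    return spseq_sign(rng, blinded, sk["sk"])


def user_unblind(rng, blinded, sigma, state, pk):
    """Derandomize with mu = 1/s back to (C, P); output (sigma', rP, T = rQ)."""
    M, sigma2 = spseq_chgrep(rng, blinded, sigma, inv(state["s"]))
    assert M == [state["C"], 1]               # the normalized representative
    T = state["r"] * pk["Q"] % p
    return sigma2, state["r"], T


def bs_verify(m, blind_sig, pk):
    """Recompute C = mP + T, check e(C - mP, P_hat) = e(rP, Q_hat), then the SPS-EQ signature on (C, P)."""
    sigma, rP, T = blind_sig
    C = (m + T) % p
    opening_ok = e((C - m) % p, 1) == e(rP, pk["Q_hat"])
    return opening_ok and spseq_verify([C, 1], sigma, pk["pk"])


def demo(seed=7, m=42):
    """One issuing run; returns (valid for m, valid for m+1, signer saw a different representative)."""
    rng = random.Random(seed)
    sk, pk = bs_keygen(rng)
    blinded, st = user_blind(rng, m, pk)
    sigma = signer_sign(rng, blinded, sk)
    bsig = user_unblind(rng, blinded, sigma, st, pk)
    return bs_verify(m, bsig, pk), bs_verify(m + 1, bsig, pk), blinded != [st["C"], 1]


def chgrep_check(seed=1, mu=3):
    """Adapt a signature to mu*M; the old representative no longer verifies under the adapted signature."""
    rng = random.Random(seed)
    sk, pk = spseq_keygen(rng, 2)
    M = [5, 9]
    sigma = spseq_sign(rng, M, sk)
    M2, sigma2 = spseq_chgrep(rng, M, sigma, mu)
    return M2, spseq_verify(M2, sigma2, pk), spseq_verify(M, sigma2, pk)
```

`demo()` runs one issuing: the signer signs \((sC, sP)\), the user adapts with \(\mu = 1/s\) and the result verifies on \((C, P)\) for the committed m but not for any other message, since the SPS-EQ signature is bound to the class of \((C, P)\). `chgrep_check()` isolates the representative change on its own.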
4.2 Security
Theorem 2
If the underlying SPSEQ scheme is EUFCMA secure and the coDHI\(_1^*\) assumption holds then Scheme 3 is unforgeable.
The proof, which is given in the full version, follows the intuition that a forger must either forge an SPSEQ signature on a new commitment or open a commitment in two different ways. The reduction has a natural security loss proportional to the number of signing queries.
Blindness. For the honest-signer model, blindness follows from the DDH assumption and perfect adaption of signatures (Definition 10) of the underlying SPS-EQ scheme. Let \(Q \leftarrow qP\), let q be part of the signing key, and let (P, rP, sP, tP) be a DDH instance. In the blindness game we compute M as \((m\cdot sP + q\cdot tP, sP)\). When the adversary returns a signature on M, we must adapt it to the unblinded message, which we cannot do as we do not know the blinding factor s. By perfect adaption, however, an adapted signature is distributed as a fresh signature on the unblinded message, so, knowing the secret key, we can compute a signature \(\sigma \) on \((m\cdot P + q\cdot rP, P)\) and return the blind signature \((\sigma ,rP,q\cdot rP)\). If the DDH instance was real, i.e., \(t=s\cdot r\), then we perfectly simulated the game; if t was random then the adversary’s view during issuing was independent of m.
For blindness in the malicious-signer model, we have to deal with two obstacles. (1) We do not have access to the adversarially generated signing key, meaning we cannot recompute the signature on the unblinded message. (2) The adversarially generated public-key values \(Q, \hat{Q}\) do not allow us to embed a DDH instance for blinding and unblinding.
We overcome (1) by using the adversary \(\mathcal {A}\) itself as a signing oracle by rewinding it. We first run \(\mathcal {A}\) to obtain a signature on \((s'(mP+rQ),s'P)\), which, knowing \(s'\), we can transform into a signature on \((mP+rQ,P)\). We then rewind \(\mathcal {A}\) to the point after outputting its public key and run it again, this time embedding our challenge. In the second run we cannot transform the received signature; instead we use the signature from the first run, which is distributed identically due to perfect adaption under malicious keys (Definition 11) of the SPS-EQ scheme.
To deal with the second obstacle, we use an interactive variant of the DDH assumption: Instead of being given P, rP, sP and having to distinguish rsP from random, the adversary, for some Q of its choice, is given rP, rQ, sP and must distinguish rsQ from random.
Definition 16
Proposition 3
The assumption in Definition 16 holds in generic groups and reaches the optimal, quadratic simulation-error bound.
Theorem 3
If the underlying SPS-EQ scheme has perfect adaption of signatures under malicious keys and Assumption 1 holds, then Scheme 3 is blind.
The proofs can be found in the full version.
4.3 Discussion
Basing Our Scheme on Non-interactive Assumptions. Fischlin and Schröder [27] show that the unforgeability of a blind-signature scheme cannot be based on non-interactive hardness assumptions if (1) the scheme has 3 moves or less, (2) its blindness holds statistically and (3) from a transcript one can efficiently decide whether the interaction yielded a valid blind signature. Our scheme satisfies (1) and (3), whereas blindness only holds computationally.
They extend their result in [27] to computationally blind schemes that meet the following conditions: (4) One can efficiently check whether a public key has a matching secret key; this is the case in our setting because of group-membership tests and pairings. (5) Blindness needs to hold relative to a forgery oracle. As written in [27], this does not hold, e.g., for Abe’s scheme [2], where unforgeability is based on the discrete-log problem and blindness on the DDH problem.
This is the case in our construction too (as one can forge signatures by solving discrete logarithms), hence the impossibility result does not apply to our scheme. Our blind signature construction is black-box from any SPS-EQ with perfect adaption under malicious keys (Definition 11). However, the only known such scheme is the one from [29], which is EUF-CMA secure in the generic-group model, that is, it is based on an interactive assumption. Plugging this scheme into Scheme 3 yields a round-optimal blind signature scheme with unforgeability under this interactive assumption and co-DHI\(^*_1\), and blindness (under adversarially chosen keys) under Assumption 1 (Definition 16), which is also interactive.
To construct a scheme under non-interactive assumptions, we would thus have to base blindness on a non-interactive assumption and find an SPS-EQ scheme satisfying Definition 11 whose unforgeability is proven under a non-interactive assumption.
Efficiency of the Construction. When instantiating our blind-signature construction with the SPS-EQ scheme from [29] (given as Scheme 1), which we showed to be optimal, we obtain a public key size of \(1~\mathbb {G}_1+3~\mathbb {G}_2\), a communication complexity of \(4~\mathbb {G}_1+1~\mathbb {G}_2\) and a signature size of \(4~\mathbb {G}_1+1~\mathbb {G}_2\) elements. For an 80-bit security setting, a blind signature thus has 120 bytes.
The most efficient scheme from standard assumptions is based on DLIN [30]. Ignoring the increase of the security parameter due to complexity leveraging, their scheme has a public key size of \(43~\mathbb {G}_1\) elements, communication complexity \(18\log _2 q +41\) \(\mathbb {G}_1\) elements (where, e.g., we have \(\log _2 q=155\) when assuming that the adversary runs in \(\le 2^{80}\) steps) and a signature size of \(183~\mathbb {G}_1\) elements.
4.4 Round-Optimal Partially Blind Signatures
Partially blind signatures are an extension of blind signatures, where messages contain common information \(\gamma \), which is agreed between the user and the signer. This requires slight modifications to the unforgeability and blindness notions: An adversary breaks unforgeability if after k signing queries it outputs \(k+1\) distinct valid message-signature pairs for the same common information \(\gamma ^*\). In the partial-blindness game, \(m_0\) and \(m_1\) must have the same common information \(\gamma \) to prevent the adversary from trivially winning the game. (Formal definitions for partially blind signatures can be found in the full version.)
Construction. We construct a round-optimal partially blind signature scheme \(\mathsf{PBS}= (\mathsf{KeyGen}_{\mathsf{PBS}},(\mathcal {U}_{\mathsf{PBS}}, \mathcal {S}_{\mathsf{PBS}}),\mathsf{Verify}_{\mathsf{PBS}})\) secure in the standard model from an SPS-EQ scheme SPS-EQ by modifying Scheme 3 as follows. To include common information \(\gamma \in {\mathbb {Z}_p}^{*}\), SPS-EQ is set up for \(\ell = 3\). On input \(M\leftarrow (s(mP+rQ),sP)\), \(\mathcal {S}_{\mathsf{PBS}}\) returns a signature for \(M\leftarrow (s(mP+rQ), \gamma \cdot sP ,sP)\), and \(\mathcal {U}^{(2)}_{\mathsf{PBS}}\) additionally checks correctness of the included \(\gamma \) and returns \(\bot \) if this is not the case. Otherwise, it runs \(((mP+rQ,\gamma P, P),\sigma )\leftarrow \mathsf{ChgRep_\mathcal {R}}(M, \pi , \frac{1}{s}, \mathsf{pk})\) and outputs signature \(\tau \leftarrow (\sigma ,rP,rQ)\) for message m and common information \(\gamma \). For this construction we obtain the following, whose proofs are analogous to those for Scheme 3.
Theorem 4
If SPS-EQ is EUF-CMA secure and the co-DHI\(_1^*\) assumption holds, then the resulting partially blind signature scheme is unforgeable.
Theorem 5
If SPS-EQ has perfect adaption under malicious keys and Assumption 1 holds, then the resulting partially blind signature scheme is partially blind.
5 One-Show Anonymous Credentials from SPS-EQ
Baldimtsi and Lysyanskaya [8] introduced blind signatures with attributes and show that they directly yield a one-show anonymous credential system in the vein of Brands [15]. In contrast to Brands’ original construction, their construction relies on a provably secure three-move blind signature scheme (in the ROM). In this section we show how to construct two-move blind signatures on message vectors, which straightforwardly yield anonymous one-show credentials that are secure in the standard model.
5.1 Blind Signatures on Message Vectors
Our construction \(\mathsf{BSV}\) of round-optimal blind signatures on message vectors \(\mathbf {m} \in \mathbb {Z}_p^{\,n}\) simply replaces the Pedersen commitment \(mP+rQ\) in Scheme 3 with a generalized Pedersen commitment \(\sum _{i \in [n]} m_i P_i + rQ\). Thus, \(\mathsf{KeyGen}_{\mathsf{BSV}}\), on input \(1^\kappa ,n\), additionally outputs generators \((P_i)_{i\in [n]}\), and \(\mathsf{Verify}_{\mathsf{BSV}}(\mathbf {m},(\sigma ,R,T),\mathsf{pk})\) checks \(\mathsf{Verify_\mathcal {R}}((\textstyle \sum _{i \in [n]} m_i P_i + T,P),\sigma ,\mathsf{pk}_\mathcal {R}) =1\) and \(e(T,\hat{P}) =e(R,\hat{Q})\). Due to space constraints, the construction \(\mathsf{BSV}\) is detailed in the full version, where we also show the following.
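The following Python model is an added illustration, not code from the paper, of the commit, blind, unblind and open steps shared by Scheme 3 (Sect. 4.1), its partially blind variant (Sect. 4.4) and \(\mathsf{BSV}\) above, including the linking test from Sect. 4.1 that the tweaked opening is designed to avoid. It represents every group element by its discrete logarithm modulo a small prime so that the identities (blinding by s, \(\mathsf{ChgRep}\) with 1/s, the check \(e(T,\hat{P})=e(R,\hat{Q})\)) can be verified mechanically, but it offers no security at all, and the SPS-EQ signature is replaced by a stand-in (`sign_class`) that merely records the equivalence class; the function names, the prime and the choice \(P_1 = P\) are the example's own assumptions.

```python
import secrets

# Constructed toy parameter: the prime group order.  Small so the model runs
# instantly; a real instantiation uses a ~256-bit pairing-friendly group.
p = 2**61 - 1

# Algebraic model (deliberately insecure): an element xP of G_1 or xP^ of G_2
# is stored as the scalar x mod p, so P = P^ = 1, scalar multiplication is a
# product, and e(aP, bP^) is represented by the exponent a*b of the G_T element.
def mul(x, g):     return (x * g) % p
def add(*gs):      return sum(gs) % p
def pair(g1, g2):  return (g1 * g2) % p
def rand_scalar(): return secrets.randbelow(p - 1) + 1   # uniform in Z_p^*
def inv(x):        return pow(x, -1, p)

P = 1

def keygen(n):
    """Issuer key: sk = q, pk = (Q = qP, Q^ = qP^, bases P_1..P_n).  The model
    fixes P_1 = P so that n = 1 is exactly Scheme 3's commitment mP + rQ."""
    q = rand_scalar()
    bases = [P] + [rand_scalar() for _ in range(n - 1)]
    return q, {"Q": mul(q, P), "Qhat": mul(q, P), "bases": bases}

def commit(msgs, r, pk):
    """Generalised Pedersen commitment C = sum_i m_i P_i + rQ."""
    return add(*[mul(m, Pi) for m, Pi in zip(msgs, pk["bases"])], mul(r, pk["Q"]))

def user1(msgs, pk, gamma=None):
    """U^(1): commit, then blind with s.  Sends (sC, sP), or (sC, gamma*sP, sP)
    for the partially blind variant with common information gamma."""
    r, s = rand_scalar(), rand_scalar()
    C = commit(msgs, r, pk)
    S = mul(s, P)
    M = (mul(s, C), S) if gamma is None else (mul(s, C), mul(gamma, S), S)
    return M, (r, s, C)

def sign_class(M):
    """Stand-in for the SPS-EQ signature: records the class [M]_R through its
    canonical representative (last coordinate scaled to P).  Not a signature."""
    return tuple(mul(inv(M[-1]), Mi) for Mi in M)

def verify_class(M, sigma):
    return M[-1] != 0 and sign_class(M) == sigma

def chg_rep(M, sigma, mu):
    """ChgRep_R: move (M, sigma) to the representative mu*M of the same class."""
    return tuple(mul(mu, Mi) for Mi in M), sigma

def user2(state, M, sigma, pk, gamma=None):
    """U^(2): check gamma (partially blind case), unblind with 1/s and output
    tau = (sigma, R = rP, T = rQ); the tweaked opening is (m, rP), never r."""
    r, s, C = state
    if gamma is not None and M[1] != mul(gamma, M[-1]):
        return None                                 # common information altered
    Mu, sigma = chg_rep(M, sigma, inv(s))
    assert Mu[-1] == P and Mu[0] == C               # unblinding is unambiguous
    return sigma, mul(r, P), mul(r, pk["Q"])

def verify(msgs, tau, pk, gamma=None):
    """Verify_BSV: e(T, P^) = e(R, Q^) and the class check on
    (sum_i m_i P_i + T, [gamma P,] P)."""
    sigma, R, T = tau
    base = add(*[mul(m, Pi) for m, Pi in zip(msgs, pk["bases"])], T)
    M = (base, P) if gamma is None else (base, mul(gamma, P), P)
    return pair(T, 1) == pair(R, pk["Qhat"]) and verify_class(M, sigma)

def naive_link(M, m, r, q):
    """Why (m, r) must not be published (Sect. 4.1, n = 1): a signer knowing q
    links the D = sC, S = sP it signed to the opening by testing D == mS + rqS.
    With the tweaked opening (m, rP) the same test would need rsQ, i.e. DDH."""
    D, S = M[0], M[-1]
    return D == add(mul(m, S), mul(r * q, S))
```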
Theorem 6
If the underlying SPS-EQ scheme is EUF-CMA secure and the co-DHI\(_1^*\) assumption holds, then \(\mathsf{BSV}\) is unforgeable.
Theorem 7
If the underlying SPS-EQ scheme has perfect adaption under malicious keys and Assumption 1 holds, then \(\mathsf{BSV}\) is blind.
5.2 Anonymous Credentials Light
The intuition behind our construction is comparable to [8], which roughly works as follows. In the registration phase, a user registers (once) a generalized Pedersen commitment C to her attributes and gives a zero-knowledge (ZK) proof of the opening (some attributes may be opened and some may remain concealed). In the preparation and validation phase, the user engages in a blind-signature-with-attributes protocol for some message m (which is considered the credential serial number) and another commitment \(C'\). \(C'\) is a so-called combined commitment obtained from C and a second credential-specific commitment provided by the user. Finally, the credential is the user output of a blind-signature-with-attributes protocol resulting in a signature on message m and a so-called blinded Pedersen commitment \(C''\). The latter contains the same attributes as C, but is unlinkable to C and \(C'\). Showing a credential amounts to presenting \(C''\) along with the blind signature and proving in ZK a desired relation about attributes within \(C''\).
Our construction combines \(\mathsf{BSV}\) with efficient ZK proofs and is conceptually simpler than the one in [8]. For issuing, the user sends the issuer a blinded version \(M \leftarrow (sC, sP)\) of a commitment C to the user’s attributes (M corresponds to the blinded generalized Pedersen commitment in [8]). In addition, the user engages in a ZK proof (denoted \(\mathsf PoK\)) proving knowledge of an opening of C (potentially revealing some of the committed attributes). The user obtains a \(\mathsf{BSV}\)-signature \(\pi \) on M and turns it into a blind signature \(\sigma \) for commitment C by running \(((C, P), \sigma ) \leftarrow \mathsf{ChgRep}_\mathcal {R}(M, \pi , \frac{1}{s}, \mathsf{pk})\). The credential consists of C, \(\sigma \) and the randomness r used to produce the commitment. It is shown by sending C and \(\sigma \) and proving in ZK a desired relation about attributes within C.
Construction. As we combine scheme \(\mathsf{BSV}\) with ZK proofs, we need the following conceptual modifications. The signature \(\tau \leftarrow (\sigma ,R,T)\) reduces to \(\tau \leftarrow \sigma \), since the user provides a ZKPoK proving knowledge of the randomness r in C. Moreover, verification takes C instead of \(\mathbf {m}\), as verifiers only have access to the commitment. Consequently, \(\mathsf{Verify}_{\mathsf{BSV}}\) of scheme \(\mathsf{BSV}\) only runs \(\mathsf{Verify}_\mathcal {R}\).
Setup. The issuer runs \((\mathsf{sk}, \mathsf{pk}) \leftarrow \mathsf{KeyGen}_{\mathsf{{\tiny BSV}}}(1^\kappa , n)\), where n is the number of attributes in the system, and publishes \(\mathsf{pk}\) as her public key.
Issuing. A user with attribute values \(\mathbf {m}\) runs \((M,\mathsf{st}) \leftarrow \mathcal {U}^{(1)}_{\mathsf{BSV}}(\mathbf {m}, \mathsf{pk};(s,r))\) (where (s, r) is the chosen randomness), sends the blinded commitment \(M=(sC,sP)\) to the issuer and gives a proof \(\mathsf{PoK_{BP}}\) from (2) that M commits to \(\mathbf {m}\) (where the sets U and S depend on the application). The issuer returns \(\pi \leftarrow \mathcal {S}_{\mathsf{BSV}}(M,\mathsf{sk})\), and after running \(\sigma \leftarrow \mathcal {U}^{(2)}_{\mathsf{BSV}}(\mathsf{st},\pi )\) (the outputs rP and rQ are not needed), the user holds a credential \((C,\sigma ,r)\).
Showing. Assume a user with credential \((C,\sigma ,r)\) to the attributes \(\mathbf {m} = (m_i)_{i \in [n]}\) wants to conduct a selective showing of attributes with a verifier who holds the issuer’s public key \(\mathsf{pk}\). They engage in a proof \(\mathsf{PoK_{P}}\) from (1) and the verifier additionally checks the signature for the credential by running \(\mathsf{Verify_{\mathsf{{\tiny BSV}}}}(C, \sigma , \mathsf{pk})\). If both verifications succeed, the verifier accepts the showing.
Let us finally note that there is no formal security model for one-show credentials. Theorem 2 in [8] informally states that a secure commitment scheme together with a blind signature scheme with attributes implies a one-show credential system. Using the same argumentation as [8], our construction yields a one-show credential system in the standard model.
Footnotes
1. This is, e.g., the case for BN curves [10], the most common choice for Type-3 pairings.
2. In the blindness game, given \(B=sP\) from a DDH instance, these bases are simulated as \(H_j\leftarrow p_j B\) and \(H_Q \leftarrow q B\). We can even prove security in the malicious-signer model by extending the assumption from Definition 16: in addition to Q the adversary outputs \((P_i)_{i\in [n]}\) and receives \((sP_i)_{i\in [n]}\) and sQ.
Acknowledgements
We would like to thank the anonymous reviewers for their valuable comments.
References
1. Abdalla, M., Namprempre, C., Neven, G.: On the (im)possibility of blind message authentication codes. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 262–279. Springer, Heidelberg (2006)
2. Abe, M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136–151. Springer, Heidelberg (2001)
3. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
4. Abe, M., Groth, J., Haralambiev, K., Ohkubo, M.: Optimal structure-preserving signatures in asymmetric bilinear groups. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 649–666. Springer, Heidelberg (2011)
5. Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011)
6. Abe, M., Groth, J., Ohkubo, M., Tibouchi, M.: Structure-preserving signatures from type II pairings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 390–407. Springer, Heidelberg (2014)
7. Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000)
8. Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: CCS. ACM (2013)
9. Baldimtsi, F., Lysyanskaya, A.: On the security of one-witness blind signature schemes. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 82–99. Springer, Heidelberg (2013)
10. Barreto, P.S.L.M., Naehrig, M.: Pairing-friendly elliptic curves of prime order. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 319–331. Springer, Heidelberg (2005)
11. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptology 16(3), 185–215 (2003)
12. Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011)
13. Blazy, O., Pointcheval, D., Vergnaud, D.: Compact round-optimal partially-blind signatures. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 95–112. Springer, Heidelberg (2012)
14. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003)
15. Brands, S.: Rethinking public-key infrastructures and digital certificates: building in privacy. MIT Press (2000)
16. Brands, S., Paquin, C.: U-Prove Cryptographic Specification v1 (2010)
17. Bresson, E., Stern, J.: Proofs of knowledge for non-monotone discrete-log formulae and applications. In: Chan, A.H., Gligor, V.D. (eds.) ISC 2002. LNCS, vol. 2433, pp. 272–288. Springer, Heidelberg (2002)
18. Camenisch, J., Dubovitskaya, M., Haralambiev, K.: Efficient structure-preserving signature scheme from standard assumptions. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 76–94. Springer, Heidelberg (2012)
19. Camenisch, J.L., Koprowski, M., Warinschi, B.: Efficient blind signatures without random oracles. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 134–148. Springer, Heidelberg (2005)
20. Camenisch, J.L., Michels, M.: Proving in zero-knowledge that a number is the product of two safe primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)
21. Chatterjee, S., Menezes, A.: On cryptographic protocols employing asymmetric pairings: the role of \(\psi \) revisited. Discrete Appl. Math. 159(13), 1311–1322 (2011)
22. Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press (1982)
23. Chaum, D.: Blind signature system. In: Chaum, D. (ed.) CRYPTO 1983, p. 153. Springer, New York (1983)
24. Cramer, R., Damgård, I., Schoenmakers, B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
25. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006)
26. Fischlin, M., Schröder, D.: Security of blind signatures under aborts. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 297–316. Springer, Heidelberg (2009)
27. Fischlin, M., Schröder, D.: On the impossibility of three-move blind signature schemes. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 197–215. Springer, Heidelberg (2010)
28. Fuchsbauer, G.: Breaking existential unforgeability of a signature scheme from Asiacrypt 2014. Cryptology ePrint Archive, Report 2014/892 (2014)
29. Fuchsbauer, G., Hanser, C., Slamanig, D.: EUF-CMA-secure structure-preserving signatures on equivalence classes. Cryptology ePrint Archive, Report 2014/944 (2014)
30. Garg, S., Gupta, D.: Efficient round optimal blind signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 477–495. Springer, Heidelberg (2014)
31. Garg, S., Rao, V., Sahai, A., Schröder, D., Unruh, D.: Round optimal blind signatures. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 630–648. Springer, Heidelberg (2011)
32. Ghadafi, E., Smart, N.P.: Efficient two-move blind signatures in the common reference string model. In: Gollmann, D., Freiling, F.C. (eds.) ISC 2012. LNCS, vol. 7483, pp. 274–289. Springer, Heidelberg (2012)
33. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
34. Hanser, C., Slamanig, D.: Structure-preserving signatures on equivalence classes and their application to anonymous credentials. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8873, pp. 491–511. Springer, Heidelberg (2014)
35. Hazay, C., Katz, J., Koo, C.Y., Lindell, Y.: Concurrently-secure blind signatures without random oracles or setup assumptions. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 323–341. Springer, Heidelberg (2007)
36. Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997)
37. Kiayias, A., Zhou, H.S.: Concurrent blind signatures without random oracles. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 49–62. Springer, Heidelberg (2006)
38. Lindell, Y.: Bounded-concurrent secure two-party computation without setup assumptions. In: STOC, pp. 683–692. ACM (2003)
39. Lysyanskaya, A., Rivest, R.L., Sahai, A., Wolf, S.: Pseudonym systems. In: Heys, H., Adams, C. (eds.) SAC 2000. LNCS, vol. 1758, pp. 184–199. Springer, Heidelberg (2000)
40. Meiklejohn, S., Shacham, H., Freeman, D.M.: Limitations on transformations from composite-order to prime-order groups: the case of round-optimal blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 519–538. Springer, Heidelberg (2010)
41. Okamoto, T.: Provably secure and practical identification schemes and corresponding signature schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 31–53. Springer, Heidelberg (1993)
42. Okamoto, T.: Efficient blind and partially blind signatures without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 80–99. Springer, Heidelberg (2006)
43. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptology 13(3), 361–396 (2000)
44. Rückert, M.: Lattice-based blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 413–430. Springer, Heidelberg (2010)
45. Schröder, D., Unruh, D.: Security of blind signatures revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 662–679. Springer, Heidelberg (2012)
46. Seo, J.H., Cheon, J.H.: Beyond the limitation of prime-order bilinear groups, and round optimal blind signatures. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 133–150. Springer, Heidelberg (2012)