Skip to main content
SpringerLink
Log in

Round-Optimal Blind Signatures in the Plain Model from Classical and Quantum Standard Assumptions

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2021 (EUROCRYPT 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12696))

Abstract

Blind signatures, introduced by Chaum (Crypto’82), allows a user to obtain a signature on a message without revealing the message itself to the signer. Thus far, all existing constructions of round-optimal blind signatures are known to require one of the following: a trusted setup, an interactive assumption, or complexity leveraging. This state-of-the-affair is somewhat justified by the few known impossibility results on constructions of round-optimal blind signatures in the plain model (i.e., without trusted setup) from standard assumptions. However, since all of these impossibility results only hold under some conditions, fully (dis)proving the existence of such round-optimal blind signatures has remained open.

In this work, we provide an affirmative answer to this problem and construct the first round-optimal blind signature scheme in the plain model from standard polynomial-time assumptions. Our construction is based on various standard cryptographic primitives and also on new primitives that we introduce in this work, all of which are instantiable from classical and post-quantum standard polynomial-time assumptions. The main building block of our scheme is a new primitive called a blind-signature-conforming zero-knowledge (ZK) argument system. The distinguishing feature is that the ZK property holds by using a quantum polynomial-time simulator against non-uniform classical polynomial-time adversaries. Syntactically one can view this as a delayed-input three-move ZK argument with a reusable first message, and we believe it would be of independent interest.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 139.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    We count one move when an entity sends information to the other entity.

  2. 2.

    An adversary may have the flexibility to choose a problem instance or obtain auxiliary information related to a problem instance.

  3. 3.

    A super-polynomial-time assumption means that a hard problem cannot be broken even by super-polynomial-time adversaries. This is stronger than a standard polynomial-time assumption, where adversaries are restricted to run in polynomial-time.

  4. 4.

    The learning with errors (LWE) assumption against quantum polynomial time adversaries and one of the following assumptions against (non-uniform) classical polynomial time adversaries: quadratic residuosity (QR), decisional composite residuosity (DCR), symmetric external Diffie-Hellman (SXDH) over pairing group, or decisional linear (DLIN) over pairing groups.

  5. 5.

    Though Garg et al. [GRS+11] does not explicitly state that they use the zero-knowledge argument of [Pas03], we observe that their construction can be viewed in this way.

  6. 6.

    A reader might consider starting from the blind signature scheme by Garg and Gupta [GG14] instead since their security proof uses complexity leveraging only once. However, their construction may not be compatible with our idea of using quantum simulation since it is heavily dependent on a specific structure of the Groth-Sahai proofs [GS08], which is quantumly insecure.

  7. 7.

    Though one-way functions with efficiently decidable images suffice, we use OWP in this overview for simplicity. In our construction, we rely on a slightly generalized notion of hard problem generators which we introduce in Sect. 3.1.

  8. 8.

    We need security against QPT adversaries for the PKE scheme because its security is used to prove zero-knowledge property, where the simulator is a QPT algorithm. Recall that the simulator needs quantum power to invert the OWP. One may try to show that non-uniform security instead of quantum security is enough for the PKE by using the pre-computation trick we mentioned. However, this does not seem possible because the inversion should be done after the public key is chosen.

  9. 9.

    Actually, the public verifiability is not needed in the construction of our blind signatures. We only require this because our construction satisfies this.

  10. 10.

    We can also view it as a three-move protocol by considering the setup as the prover’s first message. However, since the first message is reusable, we view the protocol as a two-move protocol with reusable setup.

  11. 11.

    Strictly speaking, since the event that the cheating prover wins is not efficiently checkable, a more careful analysis is needed.

  12. 12.

    Note that there is no known ZAP with witness indistinguishability against QPT adversaries based on (quantum) polynomial hardness of standard assumptions.

References

  1. Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. J. Cryptol. 29(2), 363–421 (2016). https://doi.org/10.1007/s00145-014-9196-7

    Article  MathSciNet  MATH  Google Scholar 

  2. Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. Int. J. Appl. Cryptogr. 2(3), 229–249 (2012)

    Article  MathSciNet  Google Scholar 

  3. Aharonov, D., Regev, O.: Lattice problems in NP cap coNP. In: 45th FOCS, pp. 362–371. IEEE Computer Society Press, October 2004

    Google Scholar 

  4. Aharonov, D., Regev, O.: Lattice problems in NP cap coNP. J. ACM 52(5), 749–765 (2005)

    Article  MathSciNet  Google Scholar 

  5. Brickell, E.F., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Atluri, V., Pfitzmann, B., McDaniel, P. (eds.) ACM CCS 2004, pp. 132–145. ACM Press, October 2004

    Google Scholar 

  6. Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19379-8_25

    Chapter  Google Scholar 

  7. Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1

    Chapter  Google Scholar 

  8. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, pp. 319–338. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46088-8_25

    Chapter  Google Scholar 

  9. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3

    Chapter  Google Scholar 

  10. Blazy, O., Pointcheval, D., Vergnaud, D.: Compact round-optimal partially-blind signatures. In: Visconti, I., De Prisco, R. (eds.) SCN 2012. LNCS, vol. 7485, pp. 95–112. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32928-9_6

    Chapter  Google Scholar 

  11. Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO’82, pp. 199–203. Plenum Press, New York (1982)

    Google Scholar 

  12. Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Barstow, D., et al. (eds.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-45961-8_15

    Chapter  Google Scholar 

  13. Camenisch, J., Lysyanskaya, A.: An efficient system for non-transferable anonymous credentials with optional anonymity revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_7

    Chapter  Google Scholar 

  14. Dwork, C., Naor, M.: Zaps and their applications. In: 41st FOCS, pp. 283–293. IEEE Computer Society Press, November 2000

    Google Scholar 

  15. Dwork, C., Naor, M.: Zaps and their applications. SIAM J. Comput. 36(6), 1513–1543 (2007)

    Article  MathSciNet  Google Scholar 

  16. Fuchsbauer, G., Hanser, C., Kamath, C., Slamanig, D.: Practical round-optimal blind signatures in the standard model from weaker assumptions. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 391–408. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_21

    Chapter  Google Scholar 

  17. Fuchsbauer, G., Hanser, C., Slamanig, D.: Practical round-optimal blind signatures in the standard model. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. Part II. LNCS, vol. 9216, pp. 233–253. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_12

    Chapter  MATH  Google Scholar 

  18. Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_4

    Chapter  Google Scholar 

  19. Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st FOCS, pp. 308–317. IEEE Computer Society Press, October 1990

    Google Scholar 

  20. Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)

    Article  MathSciNet  Google Scholar 

  21. Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Seberry, J., Zheng, Y. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-57220-1_66

    Chapter  Google Scholar 

  22. Fischlin, M., Schröder, D.: On the impossibility of three-move blind signature schemes. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 197–215. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_10

    Chapter  Google Scholar 

  23. Garg, S., Gupta, D.: Efficient round optimal blind signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 477–495. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_27

    Chapter  Google Scholar 

  24. Ghadafi, E.: Efficient round-optimal blind signatures in the standard model. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 455–473. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_26

    Chapter  Google Scholar 

  25. Goldreich, O., Levin, L.A., Nisan, N.: On constructing 1-1 one-way functions. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 13–25. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22670-0_3

    Chapter  Google Scholar 

  26. Goldreich, O., Oren, Y.: Definitions and properties of zero-knowledge proof systems. J. Cryptol. 7(1), 1–32 (1994). https://doi.org/10.1007/BF00195207

    Article  MathSciNet  MATH  Google Scholar 

  27. Garg, S., Rao, V., Sahai, A., Schröder, D., Unruh, D.: Round optimal blind signatures. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 630–648. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_36

    Chapter  Google Scholar 

  28. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_24

    Chapter  Google Scholar 

  29. Halevi, S., Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. J. Cryptol. 25(1), 158–193 (2010). https://doi.org/10.1007/s00145-010-9092-8

    Article  MathSciNet  MATH  Google Scholar 

  30. Hazay, C., Katz, J., Koo, C.-Y., Lindell, Y.: Concurrently-secure blind signatures without random oracles or setup assumptions. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 323–341. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_18

    Chapter  Google Scholar 

  31. Kalai, Y.T., Khurana, D.: Non-interactive non-malleability from quantum supremacy. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. Part III. LNCS, vol. 11694, pp. 552–582. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_18

    Chapter  Google Scholar 

  32. Lindell, Y.: Lower bounds and impossibility results for concurrent self composition. J. Cryptol. 21(2), 200–249 (2007). https://doi.org/10.1007/s00145-007-9015-5

    Article  MathSciNet  MATH  Google Scholar 

  33. Meiklejohn, S., Shacham, H., Freeman, D.M.: Limitations on transformations from composite-order to prime-order groups: the case of round-optimal blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 519–538. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17373-8_30

    Chapter  Google Scholar 

  34. Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Rao Kosaraju, S. (ed.) 12th SODA, pp. 448–457. ACM-SIAM, January 2001

    Google Scholar 

  35. Pass, R.: Simulation in quasi-polynomial time, and its application to protocol composition. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 160–176. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_10

    Chapter  Google Scholar 

  36. Pass, R.: Limits of provable security from standard assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd ACM STOC, pp. 109–118. ACM Press, June 2011

    Google Scholar 

  37. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31

    Chapter  Google Scholar 

  38. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 84–93. ACM Press, May 2005

    Google Scholar 

  39. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)

    Article  MathSciNet  Google Scholar 

  40. Seo, J.H., Cheon, J.H.: Beyond the limitation of prime-order bilinear groups, and round optimal blind signatures. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 133–150. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_8

    Chapter  MATH  Google Scholar 

  41. Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: 35th FOCS, pp. 124–134. IEEE Computer Society Press, November 1994

    Google Scholar 

Download references

Acknowledgement

We thank anonymous reviewers of Eurocrypt 2021 for their helpful comments. The first and third authors were supported by JST CREST Grant Number JPMJCR19F6. The third author is also supported by JSPS KAKENHI Grant Number 19H01109.

Author information

Authors and Affiliations

  1. AIST, Tokyo, Japan

    Shuichi Katsumata & Shota Yamada

  2. NTT Secure Platform Laboratories, Tokyo, Japan

    Ryo Nishimaki & Takashi Yamakawa

Authors
  1. Shuichi Katsumata
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ryo Nishimaki
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shota Yamada
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Takashi Yamakawa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shuichi Katsumata .

Editor information

Editors and Affiliations

  1. Inria, Paris, France

    Anne Canteaut

  2. UCLouvain, Louvain-la-Neuve, Belgium

    François-Xavier Standaert

Rights and permissions

Reprints and permissions

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T. (2021). Round-Optimal Blind Signatures in the Plain Model from Classical and Quantum Standard Assumptions. In: Canteaut, A., Standaert, FX. (eds) Advances in Cryptology – EUROCRYPT 2021. EUROCRYPT 2021. Lecture Notes in Computer Science(), vol 12696. Springer, Cham. https://doi.org/10.1007/978-3-030-77870-5_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-77870-5_15

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77869-9

  • Online ISBN: 978-3-030-77870-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation