Skip to main content
SpringerLink
Log in

Short Pairing-Free Blind Signatures with Exponential Security

  • Conference paper
  • First Online:
Advances in Cryptology – EUROCRYPT 2022 (EUROCRYPT 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13276))

Abstract

This paper proposes the first practical pairing-free three-move blind signature schemes that (1) are concurrently secure, (2) produce short signatures (i.e., three or four group elements/scalars), and (3) are provably secure either in the generic group model (GGM) or the algebraic group model (AGM) under the (plain or one-more) discrete logarithm assumption (beyond additionally assuming random oracles). We also propose a partially blind version of one of our schemes.

Our schemes do not rely on the hardness of the ROS problem (which can be broken in polynomial time) or of the mROS problem (which admits sub-exponential attacks). The only prior work with these properties is Abe’s signature scheme (EUROCRYPT ’02), which was recently proved to be secure in the AGM by Kastner et al. (PKC ’22), but which also produces signatures twice as long as those from our scheme.

The core of our proofs of security is a new problem, called weighted fractional ROS (WFROS), for which we prove (unconditional) exponential lower bounds.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 139.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 179.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The best known attack against mROS [18] runs in time \(2^{\ell + \log (\ell + 1) + \lambda /(1 + \log (\ell + 1))}\), where \(\lambda \) is the security parameter and \(\ell \) corresponds to the number of concurrent sessions. The worst \(\ell \) gives a \(2^{O(\lambda /\log \lambda )}\) attack, and in practice, this suggests a choice of \(\lambda = 512\) to achieve 128-bit security for all \(\ell \)’s.

  2. 2.

    Many envisioned implementations allow for \(\ell > \log (p)\). Still, is worth noting that the scheme retains some security for \(\ell < \log (p)\) even in the standard model [16].

  3. 3.

    mROS depends on a parameter \(\ell \), with a similar role as in ROS – sub-exponential attacks require \(\ell < \log (p)\), but a one-more unforgeability attack for a small \(\ell \) implies one for any \(\ell ' > \ell \) simply by generating \((\ell ' - \ell )\) additional valid signatures.

  4. 4.

    Note that this only superficially resembles key-blinding for Schnorr signatures [39]. Here, the “blinding” y is actually public and part of the signature.

  5. 5.

    For \(|\mathcal {I}_{\mathrm {unk}}^{(j)}| + 1 <k \le n\), \(D_k, X_k\) act as placeholders so that we can apply Lemma 4 for an a priori fixed value n instead of a random variable \(|\mathcal {I}_{\mathrm {unk}}^{(j)}| + 1\).

  6. 6.

    Note that Lemma 4 cannot be directly derived from the Schwartz-Zippel lemma by viewing \(D_0 + \sum _{j=1}^n D_j X_j = 0\) as a polynomial of \(X_1,\dots ,X_n\), since we cover for example the case where \(D_0, D_1,\dots ,D_n\) are adaptively chosen, i.e., each \(D_i\) can depend on \(X_1 \ldots , X_{i-1}\).

  7. 7.

    Here, \(\mathrm {Hid}(\mathrm {str}^*_k)\) must be defined since a query \(\mathrm {str}^*_k\) is made to \(\textsc {H}\) when checking the validity of the output \((m^*_k, \sigma ^*_k)\).

References

  1. Chaum, D.: Verification by anonymous monitors. In: Gersho, A. (ed.) CRYPTO 1981, volume ECE Report 82–04, pp. 138–139. U.C. Santa Barbara, Department of Electrical and Computer Engineering (1981)

    Google Scholar 

  2. Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_25

    Chapter  Google Scholar 

  3. Camenisch, J., Lysyanskaya, A.: Signature schemes and anonymous credentials from bilinear maps. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 56–72. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_4

    Chapter  Google Scholar 

  4. PCM: Click fraud prevention and attribution sent to advertiser. https://webkit.org/blog/11940/pcm-click-fraud-prevention-and-attribution-sent-to-advertiser/, Accessed 30 Sept 2021

  5. Hendrickson, S., Iyengar, J., Pauly, T., Valdez, S., Wood, C.A.: Private Access Tokens. Internet-Draft draft-private-access-tokens-01, Internet Engineering Task Force (2021). Work in Progress

    Google Scholar 

  6. Trust tokens. https://developer.chrome.com/docs/privacy-sandbox/trust-tokens/, Accessed 11 Jan 2022

  7. Denis, F., Jacobs, F., Wood, C.A.: RSA Blind Signatures. Internet-Draft draft-irtf-cfrg-rsa-blind-signatures-02, Internet Engineering Task Force (2021). Work in Progress

    Google Scholar 

  8. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

    Chapter  Google Scholar 

  9. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

    Chapter  MATH  Google Scholar 

  10. Fuchsbauer, G., Kiltz, E., Loss, J.: The algebraic group model and its applications. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 33–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_2

    Chapter  Google Scholar 

  11. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (1993)

    Google Scholar 

  12. Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851

    Chapter  Google Scholar 

  13. Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_17

    Chapter  Google Scholar 

  14. Chaum, D., Pedersen, T.P.: Wallet databases with observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_7

    Chapter  Google Scholar 

  15. Pointcheval, D., Stern, J.: Security arguments for digital signatures and blind signatures. J. Cryptol. 13(3), 361–396 (2000)

    Article  Google Scholar 

  16. Hauck, E., Kiltz, E., Loss, J.: A modular treatment of blind signatures from identification schemes. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 345–375. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_12

    Chapter  Google Scholar 

  17. Benhamouda, F., Lepoint, T., Loss, J., Orrù, M., Raykova, M.: On the (in)security of ros. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 33–53. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_2

    Chapter  MATH  Google Scholar 

  18. Fuchsbauer, G., Plouviez, A., Seurin, Y.: Blind schnorr signatures and signed elgamal encryption in the algebraic group model. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12106, pp. 63–95. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45724-2_3

    Chapter  MATH  Google Scholar 

  19. Abe, M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136–151. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_9

    Chapter  Google Scholar 

  20. Ohkubo, M., Abe, M.: Security of some three-move blind signature schemes reconsidered. In: The 2003 Symposium on Cryptography and Information Security (2003)

    Google Scholar 

  21. Kastner, J., Loss, J., Rosenberg, M., Xu, J.: On pairing-free blind signature schemes in the algebraic group model. In: PKC 2022 (2022). to appear

    Google Scholar 

  22. Baldimtsi, F., Lysyanskaya, A.: Anonymous credentials light. In: Sadeghi, A.R., Gligor,V.D., Yung, M. (eds.) ACM CCS 2013, pp. 1087–1098. ACM Press (2013)

    Google Scholar 

  23. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

    Chapter  Google Scholar 

  24. Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the gap-diffie-hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_3

    Chapter  Google Scholar 

  25. Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22

    Chapter  Google Scholar 

  26. Schnorr, C.P.: Efficient signature generation by smart cards. J. Cryptol. 4(3), 161–174 (1991). https://doi.org/10.1007/BF00196725

    Article  MathSciNet  MATH  Google Scholar 

  27. Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. J. Cryptogr. Eng. 2(2), 77–89 (2012)

    Article  Google Scholar 

  28. Katz, J., Loss, J., Rosenberg, M.: Boosting the security of blind signature schemes. In: Tibouchi, M., Wang, H. (eds.) ASIACRYPT 2021. LNCS, vol. 13093, pp. 468–492. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-92068-5_16

    Chapter  Google Scholar 

  29. Chairattana-Apirom, R., Lysyanskaya, A.: Compact cut-and-choose: boosting the security of blind signature schemes, compactly. Cryptology ePrint Archive, Report 2022/003 (2022). https://ia.cr/2022/003

  30. Wagner, B., Hanzlik, L., Loss, J.: Pi-cut-choo! parallel instance cut and choose for practical blind signatures. Cryptology ePrint Archive, Report 2022/007 (2022). https://ia.cr/2022/007

  31. Garg, S., Rao, V., Sahai, A., Schröder, D., Unruh, D.: Round optimal blind signatures. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 630–648. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22792-9_36

    Chapter  Google Scholar 

  32. Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Short blind signatures. J. Comput. Secur. 21(5), 627–661 (2013)

    Article  Google Scholar 

  33. Garg, S., Gupta, D.: Efficient round optimal blind signatures. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 477–495. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_27

    Chapter  Google Scholar 

  34. Fuchsbauer, G., Hanser, C., Slamanig, D.: Practical round-optimal blind signatures in the standard model. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 233–253. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_12

    Chapter  MATH  Google Scholar 

  35. Fuchsbauer, G., Hanser, C., Kamath, C., Slamanig, D.: Practical round-optimal blind signatures in the standard model from weaker assumptions. In: Zikas, V., De Prisco, R. (eds.) SCN 2016. LNCS, vol. 9841, pp. 391–408. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-44618-9_21

    Chapter  Google Scholar 

  36. Ghadafi, E.: Efficient round-optimal blind signatures in the standard model. In: Kiayias, A. (ed.) FC 2017. LNCS, vol. 10322, pp. 455–473. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70972-7_26

    Chapter  Google Scholar 

  37. Katsumata, S., Nishimaki, R., Yamada, S., Yamakawa, T.: Round-optimal blind signatures in the plain model from classical and quantum standard assumptions. In: Canteaut, A., Standaert, F.-X. (eds.) EUROCRYPT 2021. LNCS, vol. 12696, pp. 404–434. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77870-5_15

    Chapter  MATH  Google Scholar 

  38. Schnorr, C.P.: Security of blind discrete log signatures against interactive attacks. In: Qing, S., Okamoto, T., Zhou, J. (eds.) ICICS 2001. LNCS, vol. 2229, pp. 1–12. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45600-7_1

    Chapter  Google Scholar 

  39. Hopper, N.: Proving security of tor’s hidden service identity blinding protocol (2013). https://www-users.cse.umn.edu/~hoppernj/basic-proof.pdf

  40. Bauer, B., Fuchsbauer, G., Plouviez, A.: The one-more discrete logarithm assumption in the generic group model. Cryptology ePrint Archive, Report 2021/866 (2021). https://ia.cr/2021/866

  41. Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The one-more-RSA-inversion problems and the security of Chaum’s blind signature scheme. J. Cryptol. 16(3), 185–215 (2003)

    Article  MathSciNet  Google Scholar 

  42. Bellare, M., Rogaway, P.: The security of triple encryption and a framework for code-based game-playing proofs. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 409–426. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_25

    Chapter  Google Scholar 

  43. Koblitz, N., Menezes, A.: Another look at non-standard discrete log and diffie-hellman problems. J. Math. Cryptol. 2(4), 311–326 (2008)

    Article  MathSciNet  Google Scholar 

Download references

Acknowledgments

The authors wish to thank Christopher A. Wood for extensive discussions. Both authors were partially supported by NSF grants CNS-1930117 (CAREER), CNS-1926324, CNS-2026774, a Sloan Research Fellowship, and a JP Morgan Faculty Award.

Author information

Authors and Affiliations

  1. Paul G. Allen School of Computer Science & Engineering, University of Washington, Seattle, USA

    Stefano Tessaro & Chenzhi Zhu

Authors
  1. Stefano Tessaro
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chenzhi Zhu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Chenzhi Zhu .

Editor information

Editors and Affiliations

  1. University of Haifa, Haifa, Haifa, Israel

    Orr Dunkelman

  2. University of Warsaw, Warsaw, Poland

    Stefan Dziembowski

Rights and permissions

Reprints and permissions

Copyright information

© 2022 International Association for Cryptologic Research

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Tessaro, S., Zhu, C. (2022). Short Pairing-Free Blind Signatures with Exponential Security. In: Dunkelman, O., Dziembowski, S. (eds) Advances in Cryptology – EUROCRYPT 2022. EUROCRYPT 2022. Lecture Notes in Computer Science, vol 13276. Springer, Cham. https://doi.org/10.1007/978-3-031-07085-3_27

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-07085-3_27

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07084-6

  • Online ISBN: 978-3-031-07085-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation