Abstract
Motivated by the application of anonymous petitions, we formalize a new primitive called “graded signatures”, which enables a user to consolidate a set of signatures on a message m originating from l different signers that are members of a PKI. We call the value \(l \in \mathbb {N}\) the grade of the consolidated signature. The resulting consolidated signature object on m reveals nothing more than the grade and the validity of the original signatures, without leaking the identities of the signers. Further, we require that signature consolidation takes place in an unlinkable fashion, so that neither a signer nor the CA of the PKI can tell whether a given signature was used in a consolidation. Beyond petitions, we demonstrate the usefulness of the new primitive through several other applications, including delegation of signing rights adhering to dynamic threshold policies and the issuance of graded certificates in a multi-CA PKI setting.
We present an efficient construction for graded signatures that relies on Groth-Sahai proofs and on efficient arguments for showing that an integer belongs to a specified range. In this setting we achieve signature size and verification time linear in the grade. In addition, we propose an extension that supports certificate revocation by utilizing efficient non-membership proofs.
Notes
1. It is actually quite surprising that many seemingly related notions exist, yet none of them satisfies all the natural requirements; we elaborate on this below.
2. It is possible to simplify the model by merging some of the queries into one and arguing equivalence. Due to lack of space, we do not discuss this improvement and refer to the full version.
3. To simplify the game definition, we assume the sets \(S_0,S_1\) differ in only one index, i.e., \(S_0 \setminus S_1 = \{i_0\}\) and \(S_1 \setminus S_0 = \{i_1\}\).
4. Using different instantiations of the parameters, they obtain suitable communication and verification complexity for different scenarios. In our case, adding a CRS of length \(O(\log^{1+\epsilon} n)\) to the public parameters is enough to achieve a constant-size range proof and constant verification time.
5. Instead of the certificates, it would be enough to keep only the indices of the revoked signers in the revocation list.
6. A straightforward way to show that the committed value is not equal to any element of the set is highly inefficient because of the inequality proofs and the AND proof.
References
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
Au, M.H., Chow, S.S.M., Susilo, W., Tsang, P.P.: Short linkable ring signatures revisited. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 101–115. Springer, Heidelberg (2006)
Bellare, M., Neven, G.: Multi-signatures in the plain public-key model and a general forking lemma. In: ACM CCS, pp. 390–399 (2006)
Ben-Sasson, E., Chiesa, A., Tromer, E., Virza, M.: Succinct non-interactive zero knowledge for a von Neumann architecture. In: USENIX Security 2014, pp. 781–796 (2014)
Bethencourt, J., Shi, E., Song, D.: Signatures of reputation. In: Financial Cryptography, pp. 400–407 (2010)
Blazy, O., Chevalier, C., Vergnaud, D.: Non-interactive zero-knowledge proofs of non-membership. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 145–164. Springer, Heidelberg (2015)
Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. J. Cryptology 25(1), 57–115 (2012)
Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)
Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)
Bresson, E., Stern, J., Szydlo, M.: Threshold ring signatures and applications to ad-hoc groups. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 465–480. Springer, Heidelberg (2002)
Chaabouni, R., Lipmaa, H., Zhang, B.: A non-interactive range proof with constant communication. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 179–199. Springer, Heidelberg (2012)
Chow, S.S.M., Susilo, W., Yuen, T.H.: Escrowed linkability of ring signatures and its applications. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 175–192. Springer, Heidelberg (2006)
Damgård, I.B., Koprowski, M.: Practical threshold RSA signatures without a trusted dealer. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 152–165. Springer, Heidelberg (2001)
Desmedt, Y.G.: Society and group oriented cryptography: A new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988)
Fuchsbauer, G., Pointcheval, D.: Anonymous proxy signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 201–217. Springer, Heidelberg (2008)
Gennaro, R., Halevi, S., Krawczyk, H., Rabin, T.: Threshold RSA for dynamic and ad-hoc groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 88–107. Springer, Heidelberg (2008)
Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)
Groth, J., Sahai, A.: Efficient noninteractive proof systems for bilinear groups. SIAM J. Comput. 41(5), 1193–1232 (2012)
Hohenberger, S., Koppula, V., Waters, B.: Universal signature aggregators. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 3–34. Springer, Heidelberg (2015)
Kaminsky, D., Patterson, M.L., Sassaman, L.: PKI layer cake: new collision attacks against the global X.509 infrastructure. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 289–303. Springer, Heidelberg (2010)
Kiayias, A., Osmanoglu, M., Tang, Q.: Graded Encryption, or how to play “Who wants to be a millionaire?” distributively. In: Chow, S.S.M., Camenisch, J., Hui, L.C.K., Yiu, S.M. (eds.) ISC 2014. LNCS, vol. 8783, pp. 377–387. Springer, Heidelberg (2014)
Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004)
Mambo, M., Usuda, K., Okamoto, E.: Proxy signatures for delegating signing operation. In: CCS 1996, pp. 48–57 (1996)
Pedersen, T.P.: A threshold cryptosystem without a trusted party. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 522–526. Springer, Heidelberg (1991)
Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001)
Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC 2014, pp. 475–484 (2014)
Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000)
Tsang, P.P., Wei, V.K.: Short linkable ring signatures for e-voting, e-cash and attestation. In: Deng, R.H., Bao, F., Pang, H.H., Zhou, J. (eds.) ISPEC 2005. LNCS, vol. 3439, pp. 48–60. Springer, Heidelberg (2005)
Zhang, K.: Threshold proxy signature schemes. In: Okamoto, E. (ed.) ISW 1997. LNCS, vol. 1396, pp. 282–290. Springer, Heidelberg (1998)
Acknowledgment
The first author was supported by the ERC project CODAMODA and the project FINER of the Greek Secretariat of Research and Technology.
A Preliminaries
Non-Interactive Zero-Knowledge (NIZK) Proof: Let \(R=\lbrace (x,w)\rbrace \) be an efficiently computable binary relation, where we call x the statement and w the witness. Let L be the language consisting of the statements x for which some witness w satisfies \((x,w)\in R\). A non-interactive argument for a relation R consists of a key generation algorithm G, which creates a common reference string crs, a prover P and a verifier V. The prover generates a non-interactive argument \(\pi \) on input (crs, x, w). The verifier outputs 1 if the argument is valid and 0 otherwise. Let \(\epsilon _1,\epsilon _2\) be negligible functions.
- A non-interactive argument (G, P, V) is perfectly complete if for all \((x,w)\in R\):
$$\Pr [crs\leftarrow G : V(crs,x,P(crs,x,w))=1]=1.$$
- (G, P, V) is sound if for all ppt adversaries \(\mathcal {A}\):
$$\Pr [crs\leftarrow G; (x,\pi )\leftarrow \mathcal {A}(crs) : x\not \in L\wedge V(crs,x,\pi )=1]\le \epsilon _1.$$
- (G, P, V) is zero knowledge if there exists a simulator \((S_{1},S_{2})\) such that for all non-uniform ppt adversaries \(\mathcal {A}\) and all \((x,w)\in R\):
$$\begin{aligned} |\Pr [crs\leftarrow G : \mathcal {A}^{P(crs,x,w)}(crs)=1]- \Pr [(crs,t)\leftarrow S_{1} : \mathcal {A}^{S_{2}(crs,t,x)}(crs)=1]|\le \epsilon _2 . \end{aligned}$$
Extractable Commitments: An extractable commitment scheme consists of four algorithms: Gen, Com, ExtGen and Ext. Gen outputs a commitment key ck, and ExtGen outputs \((ck',td)\), where \(ck'\) is indistinguishable from ck and td is an extraction key. Com takes ck, a message m and randomness r and outputs a commitment c.
- It is perfectly binding if for any commitment c there exists exactly one m such that \(c=Com(ck,m,r)\) for some r; furthermore, with an extraction key, \(Ext(td,c)=m\).
- It is computationally hiding if for any messages \(m,m'\), Com(ck, m, r) is computationally indistinguishable from \(Com(ck,m',r')\) for fresh random r and \(r'\).
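As an added illustration of these two properties (not code from the paper, whose commitments are Groth-Sahai commitments over bilinear groups), the following Python sketch implements an ElGamal-style extractable commitment over a toy prime-order group: the honest key and the extraction key have the same distribution, the extractor uses the trapdoor to recover the committed group element \(g^m\), and a brute-force search over the toy group confirms that no commitment opens to two different messages. The group parameters, function names and sample values are assumptions chosen for the example.

```python
# Toy extractable commitment, added as an illustration of the definition above.
# It is NOT the paper's scheme (Groth-Sahai over bilinear groups); it is the
# ElGamal-style commitment Com(ck, m, r) = (g^r, g^m * h^r):
#   - perfectly binding: g has prime order, so c1 = g^r fixes r, and then c2
#     fixes g^m; no commitment opens to two different messages;
#   - computationally hiding under DDH as long as log_g(h) is unknown;
#   - extractable: whoever knows td = log_g(h) recovers g^m as c2 / c1^td.
# Like Groth-Sahai, the extractor yields the committed group element g^m rather
# than the scalar m, which suffices when the committed values are group elements.
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Assumed toy parameters (far too small for real use): p = 2q + 1 is a safe
# prime and g = 4 generates the order-q subgroup of quadratic residues mod p.
P = 2039
Q = 1019
G = 4


@dataclass(frozen=True)
class CommitKey:
    g: int
    h: int


@dataclass(frozen=True)
class Commitment:
    c1: int  # g^r
    c2: int  # g^m * h^r


def gen() -> CommitKey:
    """Honest Gen: h is a random subgroup element whose discrete log is discarded."""
    x = secrets.randbelow(Q - 1) + 1
    return CommitKey(G, pow(G, x, P))


def ext_gen() -> tuple[CommitKey, int]:
    """ExtGen: same key distribution as gen(), but keeps the trapdoor td = log_g(h)."""
    x = secrets.randbelow(Q - 1) + 1
    return CommitKey(G, pow(G, x, P)), x


def com(ck: CommitKey, m: int, r: int) -> Commitment:
    """Com: commit to the scalar m (i.e. to the element g^m) with randomness r, both in Z_q."""
    if not (0 <= m < Q and 0 <= r < Q):
        raise ValueError("message and randomness must lie in Z_q")
    return Commitment(pow(ck.g, r, P), pow(ck.g, m, P) * pow(ck.h, r, P) % P)


def open_check(ck: CommitKey, c: Commitment, m: int, r: int) -> bool:
    """Verifier side: accept the opening (m, r) iff it recomputes c."""
    return com(ck, m, r) == c


def ext(td: int, c: Commitment) -> int:
    """Ext: strip the blinding h^r = (g^r)^td off c2 to recover g^m."""
    return c.c2 * pow(c.c1, -td, P) % P  # modular inverse via negative exponent (Python >= 3.8)


def openings_to(ck: CommitKey, c: Commitment, m: int) -> list[int]:
    """Brute-force every r in Z_q that opens c to m (feasible only in this toy group).

    Perfect binding shows up as: exactly one r for the committed message, none for any other.
    """
    return [r for r in range(Q) if com(ck, m, r) == c]


if __name__ == "__main__":
    ck, td = ext_gen()
    m, r = 123, 77
    c = com(ck, m, r)
    assert open_check(ck, c, m, r)
    assert ext(td, c) == pow(G, m, P)              # extractor recovers g^m
    assert openings_to(ck, c, m) == [r]            # unique opening for the real message
    assert openings_to(ck, c, (m + 1) % Q) == []   # no opening to any other message
    print("toy extractable commitment: binding and extraction checks passed")
```

The hiding property cannot be checked by running code; it rests on the DDH assumption in the subgroup and on the committer never seeing td. The brute-force search in openings_to is only there to make perfect binding visible in a group small enough to enumerate.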
Automorphic Signatures: An automorphic signature over a bilinear group is an existentially unforgeable signature scheme whose verification keys lie in the message space, and whose verification predicate is a conjunction of pairing-product equations over the verification key, the message and the signature [1]. Groth-Sahai proofs can therefore be applied directly to such a scheme to instantiate efficient NIZK proofs. Furthermore, the construction of [1] supports signing message vectors, which we use in the Register algorithm to sign the pair (pk, i).
Constant Size Range Proof: With the range proof of [12], a prover convinces a verifier that the value in a commitment belongs to the interval [0, H]. The Setup algorithm outputs a common reference string crs for the commitment scheme together with the public parameters for BBS encryption [8]. The common input for the range proof consists of a BBS encryption \((A_{g},A_{f},A_{h}) = (g_{1}^{r+i}, f^{r_{1}},h^{r_{2}})\) and a commitment \((A_{c},\hat{A}_{c})=(g_{1}^{r}g_{11}^{a} , \hat{g}_{1}^{r}\hat{g}_{11}^{a})\) where \(r=r_{1}+r_{2}\). The authors give an efficient NIZK argument that the value committed in \((A_{c},\hat{A}_{c})\) and encrypted in \(A_{g}\) belongs to [0, H]; we refer to [12] for the details. Note also that a BBS-encryption-style commitment is compatible with Groth-Sahai proofs.
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Kiayias, A., Osmanoglu, M., Tang, Q. (2015). Graded Signatures. In: Lopez, J., Mitchell, C. (eds) Information Security. ISC 2015. Lecture Notes in Computer Science(), vol 9290. Springer, Cham. https://doi.org/10.1007/978-3-319-23318-5_4
DOI: https://doi.org/10.1007/978-3-319-23318-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23317-8
Online ISBN: 978-3-319-23318-5