Graded Signatures

Abstract

Motivated by the application of anonymous petitions, we formalize a new primitive called “graded signatures”, which enables a user to consolidate a set of signatures on a message m originating from l different signers that are members of a PKI. We call the value \(l \in \mathbb {N}\), the grade of the consolidated signature. The resulting consolidated signature object on m reveals nothing more than the grade and the validity of the original signatures without leaking the identity of the signers. Further, we require that the signature consolidation is taken place in an unlinkable fashion so that neither the signer nor the CA of the PKI can tell whether a signature is used in a consolidation action. Beyond petitions, we demonstrate the usefulness of the new primitive by providing several other applications including delegation of signing rights adhering to dynamic threshold policies and issuing graded certificates in a multi-CA PKI setting.

We present an efficient construction for graded signatures that relies on Groth-Sahai proofs and efficient arguments for showing that an integer belongs to a specified range. We achieve a linear in the grade signature size and verification time in this setting. Besides, we propose some extension that can support the certificate revocation by utilizing efficient non-membership proofs.

A Preliminaries

Non-Interactive Zero-Knowledge (NIZK) Proof: Let \(R=\lbrace (x,w)\rbrace \) be an efficiently computational binary relation, where we call x the statement and w the witness. Let L be the language which consists of the statements from R. A non-interactive argument for a relation R consists of a key generation algorithm G, which creates a common reference string crs, a prover P and a verifier V. The prover generates a non-interactive argument \(\pi \) for an input (crs, x, w). The verifier outputs 1 if the proof is valid; otherwise, outputs 0. Suppose \(\epsilon _1,\epsilon _2\) are negligible functions,

• A non-interactive argument (G, P, V) is perfectly complete if:

  $$\Pr [crs\leftarrow G, \forall (x,w)\in R, V(crs,x,P(crs,x,w))]=1.$$

• We say (G, P, V) is sound, if \(\forall \mathcal {A}\),

  $$Pr[crs\leftarrow G; (x,\pi )\leftarrow \mathcal {A}(crs), x\not \in L\wedge V(crs,x,\pi )=1]\le \epsilon .$$

• (G, P, V) is zero knowledge, if there exists a simulator \((S_{1},S_{2})\) such that for all non-uniform ppt adversaries \(\mathcal {A}\), \(\forall (x,w)\in R\)

  $$\begin{aligned} |\Pr [crs\leftarrow G, \mathcal {A}^{P(crs,x,w)}(crs)=1]- Pr[(crs,t)\leftarrow S_{1},\mathcal {A}^{S_{2}(crs,t,x)}(crs)=1]|<\epsilon \end{aligned}$$

Extractable Commitments: An extractable commitment scheme consists of five algorithms: Setup, Com, ExtGen, Ext. Gen algorithm outputs a commitment key ck, and ExtGen outputs \((ck',td)\), where \(ck'\) is indistinguishable with ck, and td is an extraction key. Com outputs a commitment c on ck, a message m, and randomness r.

• It is perfectly binding if for any commitment c there exists exactly one m satisfying \(c=Com(ck,m,r)\) for some r, further, \(Ext(td,c)=m\).

• It is computationally hiding if for any messages \(m,m'\), Com(ck, m, r) is indistinguishable with \(Com(ck,m',r')\).

Automorphic Signatures: An automorphic signature over a bilinear group is an existentially unforgeable signature scheme whose verification keys lie in the same space with message, and the verification predicate is conjunction of pairing-product equations over the verification key, the message and the signature [1]. We can apply Groth-Sahai proof to such signature scheme to instantiate efficient NIZK proofs. Furthermore, their construction enables signing on message vectors as well which we will use for the Register algorithm to sign on (pk, i).

Constant Size Range Proof: A prover with the range proof given by  [12] convinces a verifier that a number in a commitment belongs to the interval [0, k]. Setup algorithm just outputs a common reference string crs for the commitment and the public parameters for BBS encryption [8]. The common input for the range proof consists of a BBS encryption \((A_{g},A_{f},A_{h}) = (g_{1}^{r+i}, f^{r_{1}},h^{r_{2}})\) and a commitment \((A_{c},\hat{A}_{c})=(g_{1}^{r}g_{11}^{a} , \hat{g_{1}}^{r}\hat{g_{11}}^{a})\) where \(r=r_{1}+r_{2}\). They propose an efficient NIZK argument which convinces a verifier that the key committed in \((A_{c},\hat{A}_{c})\) and encrypted as \(A_{g}\) belongs to [0,H]. We leave the details to the paper  [12]. Also, note that BBS encryption type of commitment is compatible with Groth-Sahai proof.