
Functional Signatures from Indistinguishability Obfuscation

Conference paper. In: Trusted Systems (INTRUST 2014). Lecture Notes in Computer Science (LNSC), vol. 9473.

Abstract

In PKC 2014, Boyle, Goldwasser, and Ivan introduced a cryptographic primitive called functional signatures. In a functional signature scheme, in addition to a master key that can be used to sign any message, there are signing keys for a function f, which allow one to sign any message in the range of f. In the same paper, Boyle et al. pointed out that in order to obtain a functional signature scheme with short signatures, one must either rely on non-falsifiable assumptions (as in their construction from succinct non-interactive arguments of knowledge) or make use of non-black-box techniques.

In this paper, we diverge from succinct non-interactive arguments of knowledge (SNARKs). We give the first construction of a functional signature scheme satisfying both function privacy and succinctness, assuming only indistinguishability obfuscation for all polynomial-size circuits and one-way functions. In addition, for a class of functions our scheme rests on assumptions weaker than SNARK-type assumptions, and the size of a signature is independent of f, f(m), and m.

This research is supported by the National Natural Science Foundation of China (Grant No. 60970139) and the Strategic Priority Program of Chinese Academy of Sciences (Grant No. XDA06010702).


Notes

  1. This part of the proof is inspired by the soundness proof of the NIZK in [26].

  2. Actually, this is a non-falsifiable assumption; see Remark 1 for details.

References

  1. Boyle, E., Chung, K.-M., Pass, R.: On extractability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 52–73. Springer, Heidelberg (2014)

  2. Bitansky, N., Canetti, R., Paneth, O., Rosen, A.: Indistinguishability obfuscation vs. auxiliary-input extractable functions: one must fall. Cryptology ePrint Archive, Report 2013/641 (2013)

  3. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)

  4. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)

  5. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 501–519. Springer, Heidelberg (2014)

  6. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 221–238. Springer, Heidelberg (2014)

  7. Boyle, E., Pass, R.: Limits of extractability assumptions with distributional auxiliary input. Cryptology ePrint Archive, Report 2013/703 (2013)

  8. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 1–25. Springer, Heidelberg (2014)

  9. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 280–300. Springer, Heidelberg (2013)

  10. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. Cryptology ePrint Archive, Report 2013/642 (2013). http://eprint.iacr.org

  11. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013)

  12. Canetti, R., Vaikuntanathan, V.: Obfuscating branching programs using black-box pseudo-free groups. Cryptology ePrint Archive, Report 2013/500 (2013)

  13. Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)

  14. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS, pp. 40–49 (2013)

  15. Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. Cryptology ePrint Archive, Report 2013/128 (2013). http://eprint.iacr.org/

  16. Garg, S., Gentry, C., Halevi, S., Raykova, M.: Two-round secure MPC from indistinguishability obfuscation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 74–94. Springer, Heidelberg (2014)

  17. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS, pp. 464–479 (1984)

  18. Gentry, C., Lewko, A., Sahai, A., Waters, B.: Indistinguishability obfuscation from the multilinear subgroup elimination assumption. Cryptology ePrint Archive, Report 2014/309 (2014)

  19. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)

  20. Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108. ACM (2011)

  21. Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. Cryptology ePrint Archive, Report 2013/509 (2013). http://eprint.iacr.org

  22. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. Cryptology ePrint Archive, Report 2013/379 (2013)

  23. Pass, R., Seth, K., Telang, S.: Indistinguishability obfuscation from semantically-secure multilinear encodings. Cryptology ePrint Archive, Report 2013/781 (2013). http://eprint.iacr.org/

  24. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: STOC, pp. 387–394 (1990)

  25. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)

  26. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. Cryptology ePrint Archive, Report 2013/454 (2013)


Acknowledgements

The authors would like to thank anonymous reviewers for their helpful comments and suggestions.

Author information

Corresponding author: Li Wang

Appendices

A Signature Schemes

Definition 4

A signature scheme for a message space \(\mathcal {M}\) is a tuple \(\mathsf {(Gen,~Sign,}~\mathsf {Verify):}\)

  • \(\mathsf {Gen(1}^k)\rightarrow \mathsf {(sk,vk)}\): the key generation algorithm is a probabilistic, polynomial-time algorithm which takes as input a security parameter \(1^k\), and outputs a signing and verification key pair \(\mathsf {(sk,vk)}\).

  • \(\mathsf {Sign(sk},m)\rightarrow \sigma \): the signing algorithm is a probabilistic polynomial time algorithm which is given the signing key \(\mathsf {sk}\) and a message \(m\in \mathcal {M}\) and outputs a string \(\sigma \) which we call the signature of m.

  • \(\mathsf {Verify(vk},m,\sigma ) \rightarrow \{0,1\}\): the verification algorithm is a polynomial time algorithm which, given the verification key \(\mathsf {vk}\), a message m, and a signature \(\sigma \), returns 1 or 0 indicating whether the signature is valid.

Correctness: We call a signature scheme correct if

\(\forall (\mathsf {sk,vk})\leftarrow \mathsf {Gen}(1^k),\forall m\in \mathcal {M},\forall \sigma \leftarrow \mathsf {Sign(sk,}m), \mathsf {Verify(vk,}m,\sigma )\rightarrow 1\)

Unforgeability Under Chosen Message Attack:

A signature scheme is unforgeable under chosen message attack if the winning probability of any probabilistic polynomial time adversary in the following game is negligible in the security parameter:

  • The challenger samples a signing, verification key pair \(\mathsf {(sk,vk)}\leftarrow \mathsf {Gen}(1^k)\) and gives \(\mathsf {vk}\) to the adversary.

  • The adversary requests signatures from the challenger for a polynomial number of messages. In round i, the adversary chooses \(m_i\) based on \(m_1,\sigma _1,\ldots ,m_{i-1},\sigma _{i-1}\), and receives \(\sigma _i\leftarrow \mathsf {Sign(sk,}m_i).\)

  • The adversary outputs a signature \(\sigma ^{*}\) and a message \(m^{*}\) and wins if \(\mathsf {Verify(vk,}m^{*},\sigma ^{*})\rightarrow 1\) and the adversary has not previously received a signature of \(m^{*}\) from the challenger.

B The Proof of Theorem 3

Proof

In our functional signature scheme we use indistinguishability obfuscation, a signature scheme, one-way functions, and puncturable PRFs. In what follows we show that the signature scheme and the puncturable PRF can both be constructed from one-way functions alone.

Lemma 1

[24] Under the assumption that one-way functions exist, there exists a signature scheme which is secure against existential forgery under adaptive chosen message attacks by polynomial-time algorithms.

Lemma 2

[5, 9, 17, 22] If one-way functions exist, then for all efficiently computable functions \(\ell (\lambda )\) and \(n(\lambda )\), there exists a puncturable PRF family that maps \(\ell (\lambda )\) bits to \(n(\lambda )\) bits.
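The following is an added illustration by the editor, not code from the paper, of the object Lemma 2 asserts: a puncturable PRF obtained from the GGM tree construction of [17]. GGM needs a length-doubling PRG, which in turn follows from any one-way function; here SHA-256 with a domain-separating byte stands in for that PRG, and the input length n, the key format and the punctured-key layout (siblings of the root-to-point path, indexed by depth and prefix) are the editor's choices.

```python
# GGM puncturable PRF (added example; SHA-256 stands in for the length-doubling PRG).
import hashlib
import secrets
from typing import Dict, Optional, Tuple

SEED_LEN = 32


def prg(seed: bytes) -> Tuple[bytes, bytes]:
    """Length-doubling PRG stand-in: one 32-byte seed -> two 32-byte children."""
    return (hashlib.sha256(b"L" + seed).digest(),
            hashlib.sha256(b"R" + seed).digest())


def keygen() -> bytes:
    return secrets.token_bytes(SEED_LEN)


def ggm_eval(key: bytes, x: int, n: int) -> bytes:
    """F(key, x) for an n-bit input x: descend the tree along the bits of x, MSB first."""
    node = key
    for i in reversed(range(n)):
        node = prg(node)[(x >> i) & 1]
    return node


def puncture(key: bytes, x_star: int, n: int) -> Dict[Tuple[int, int], bytes]:
    """Key punctured at x_star: the sibling of every node on the root-to-x_star path.

    Entries are indexed by (depth, prefix): the stored node covers every input
    whose top `depth` bits equal `prefix`. No node on the path itself is released,
    which is what keeps F(key, x_star) pseudorandom given the punctured key.
    """
    punctured: Dict[Tuple[int, int], bytes] = {}
    node = key
    for i in reversed(range(n)):
        left, right = prg(node)
        b = (x_star >> i) & 1
        depth = n - i
        sibling_prefix = (x_star >> i) ^ 1
        punctured[(depth, sibling_prefix)] = left if b == 1 else right
        node = right if b == 1 else left
    return punctured


def punctured_eval(punctured: Dict[Tuple[int, int], bytes], x: int, n: int) -> Optional[bytes]:
    """Evaluate with a punctured key; returns None exactly at the punctured point."""
    for depth in range(1, n + 1):
        prefix = x >> (n - depth)
        if (depth, prefix) in punctured:
            node = punctured[(depth, prefix)]
            for i in reversed(range(n - depth)):  # finish the walk below the stored node
                node = prg(node)[(x >> i) & 1]
            return node
    return None
```

The punctured key has exactly n entries, one sibling per level, so its size is linear in the input length rather than in the domain size; `punctured_eval` agrees with `ggm_eval` on every input except x_star, where it has nothing to return.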

By Lemmas 1 and 2, our functional signature scheme rests only on indistinguishability obfuscation and one-way functions. Moreover, if there exists a PPT algorithm \(\mathrm {D}\) that, for all \(f\in \mathcal {F}\) and \(m^{*} \in \mathcal {M}\), given \(m^{*}\), f and the domain of f, decides whether \(m^{*}\) is in the range of f, then the verification step in the proof of selective unforgeability runs in polynomial time. Therefore, for such a class of functions, the security of our functional signature scheme is proved under falsifiable assumptions.
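As an added, editor-written illustration (not the paper's construction, and not the Boyle-Goldwasser-Ivan code), the block below instantiates the Gen/Sign/Verify interface of Appendix A with Lamport one-time signatures, whose only ingredient is a one-way function as in Lemma 1 (SHA-256 stands in for it), and then builds on it the kind of functional signature described in the abstract: a key for f is a fresh key pair whose verification key is certified together with f under the master key, and a signature on m* = f(x) carries f, that key, the certificate and x, so the verifier can recompute f(x). Assumptions of the example: functions are encoded as the byte string "prefix:<p>" meaning f(x) = p || x (so the range of f is the set of messages starting with p), and because Lamport keys are one-time the master key certifies one function key and each function key signs one message. `sig_size` exists only to make visible the dependence on |f| and |x| that the paper's succinct scheme removes.

```python
# Lamport OTS + one-time functional signature (added example; SHA-256 is the one-way function).
import hashlib
import secrets
from typing import List, Tuple

N = 256  # one Lamport preimage pair per bit of the SHA-256 message digest


def owf(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


# --- Appendix A interface (Gen, Sign, Verify), instantiated as a Lamport one-time signature ---

def gen() -> Tuple[dict, dict]:
    pre = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    sk = {"pre": pre, "used": False}
    vk = {"img": [(owf(a), owf(b)) for a, b in pre]}
    return sk, vk


def sign(sk: dict, m: bytes) -> List[bytes]:
    # Signing twice would reveal preimages for both bit values of many positions,
    # so the key refuses a second use instead of silently becoming forgeable.
    if sk["used"]:
        raise RuntimeError("one-time key already used")
    sk["used"] = True
    d = hashlib.sha256(m).digest()
    return [sk["pre"][i][bit(d, i)] for i in range(N)]


def verify(vk: dict, m: bytes, sig: List[bytes]) -> bool:
    if len(sig) != N:
        return False
    d = hashlib.sha256(m).digest()
    return all(owf(sig[i]) == vk["img"][i][bit(d, i)] for i in range(N))


def encode_vk(vk: dict) -> bytes:
    return b"".join(a + b for a, b in vk["img"])


# --- Functional signatures: a key for f signs only messages in the range of f ---

def eval_function(desc: bytes, x: bytes) -> bytes:
    """Constructed encoding: b"prefix:<p>" is the function x -> p || x."""
    if not desc.startswith(b"prefix:"):
        raise ValueError("unsupported function descriptor")
    return desc[len(b"prefix:"):] + x


def certified_statement(desc: bytes, vk_f: dict) -> bytes:
    # Length-prefix the descriptor so (f, vk_f) cannot be re-split into another pair.
    return len(desc).to_bytes(4, "big") + desc + encode_vk(vk_f)


def fs_setup() -> Tuple[dict, dict]:
    return gen()  # (msk, mvk)


def fs_keygen(msk: dict, desc: bytes) -> dict:
    sk_f, vk_f = gen()
    cert = sign(msk, certified_statement(desc, vk_f))
    return {"desc": desc, "sk": sk_f, "vk": vk_f, "cert": cert}


def fs_sign(key: dict, x: bytes) -> Tuple[bytes, dict]:
    """Sign m* = f(x); the signature reveals f and x (neither function-private nor succinct)."""
    m_star = eval_function(key["desc"], x)
    inner = sign(key["sk"], x)
    return m_star, {"desc": key["desc"], "vk": key["vk"], "cert": key["cert"],
                    "x": x, "inner": inner}


def fs_verify(mvk: dict, m_star: bytes, sig: dict) -> bool:
    try:
        if eval_function(sig["desc"], sig["x"]) != m_star:
            return False  # m* is not f(x): outside the range this key may sign
    except ValueError:
        return False
    if not verify(mvk, certified_statement(sig["desc"], sig["vk"]), sig["cert"]):
        return False  # (f, vk_f) was never certified by the master key
    return verify(sig["vk"], sig["x"], sig["inner"])


def sig_size(sig: dict) -> int:
    """Bytes in a functional signature: grows with |f| and |x|, unlike the paper's scheme."""
    return (len(sig["desc"]) + len(encode_vk(sig["vk"])) + len(sig["x"])
            + sum(len(s) for s in sig["cert"]) + sum(len(s) for s in sig["inner"]))
```

A holder of the key for "prefix:audit/" can produce valid signatures only on messages of the form "audit/…": changing m*, substituting another descriptor, or substituting another preimage x all fail `fs_verify`, the first and last because f(x) no longer equals m*, the second because the certificate was issued on the original (f, vk_f). The verifier must evaluate f on x, which is exactly the range-membership check that Appendix B's discussion of falsifiability turns on.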


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Wang, L., Li, H., Tang, F. (2015). Functional Signatures from Indistinguishability Obfuscation. In: Yung, M., Zhu, L., Yang, Y. (eds) Trusted Systems. INTRUST 2014. Lecture Notes in Computer Science(), vol 9473. Springer, Cham. https://doi.org/10.1007/978-3-319-27998-5_14

  • DOI: https://doi.org/10.1007/978-3-319-27998-5_14

  • Publisher: Springer, Cham

  • Print ISBN: 978-3-319-27997-8

  • Online ISBN: 978-3-319-27998-5