
Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge

Designs, Codes and Cryptography

Abstract

Key-homomorphic properties of cryptographic objects, i.e., homomorphisms on their key space, have proven to be useful, both from a theoretical as well as a practical perspective. Important cryptographic objects such as pseudorandom functions or (public key) encryption have been studied previously with respect to key-homomorphisms. Interestingly, however, signature schemes have not been explicitly investigated in this context so far. We close this gap and initiate the study of key-homomorphic signatures, which turns out to be an interesting and versatile concept. In doing so, we firstly propose a definitional framework for key-homomorphic signatures distilling various natural flavours of key-homomorphic properties. Those properties aim to classify existing signature schemes and thus allow to infer general statements about signature schemes from those classes by simply making black-box use of the respective properties. We apply our definitional framework to show elegant and simple compilers from classes of signature schemes admitting different types of key-homomorphisms to a number of other interesting primitives such as ring signature schemes, (universal) designated verifier signature schemes, simulation-sound extractable non-interactive zero-knowledge arguments, and multisignature schemes. Additionally, using the formalisms provided by our framework, we can prove a tight implication from single-user security to key-prefixed multi-user security for a class of schemes admitting a certain key-homomorphism.


Notes

  1. In such schemes the \(\textsf {EUF}\)-\(\textsf {CMA}\) security notion is slightly modified by additionally allowing the adversary to see signatures under re-randomized keys.

  2. We can use witness-indistinguishable Groth–Sahai [53] proofs as argument system and for instance the strong one-time signatures under standard assumptions from Groth [51].

  3. We note that the first parts (up to Definition 16) are more general versions of definitions that we have used earlier for constructing specific redactable signatures [31].

  4. This is analogous to the use in context of bounded-collusion identity-based encryption (IBE) in [78].

  5. SPS [2] are signatures defined over two groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\), equipped with a bilinear map (pairing), and messages are vectors of group elements (from either \(\mathbb {G}_1\) or \(\mathbb {G}_2\), or both). Public keys and signatures also consist of group elements only, and signatures are verified by deciding group membership of their elements and evaluating the pairing on elements from the public key, the message and the signature. They are an important tool for protocol design due to their interoperability with the NIZK proof system by Groth and Sahai [53].

  6. While our focus is on signature schemes in classic algebraic settings, it is clearly also interesting to look at instantiations of signature schemes in other settings regarding their key-homomorphic properties. A prime example in this context is the lattice setting. Unfortunately, we are not aware of any classical lattice-based signature scheme (e.g., hash-then-sign signatures [45] or Fiat–Shamir transformed identification schemes [64]) which exhibits key-homomorphic properties that make it at least adaptable. Thus lattice-based schemes do not seem suitable for our applications. Nevertheless, we consider it interesting future work to study lattice-based signatures, or, more generally, the entire zoo of post-quantum signature schemes, with respect to key-homomorphisms.

  7. In case the statement is included in the Fiat–Shamir transform, then the scheme is clearly not adaptable.

  8. https://getmonero.org/resources/moneropedia/ringCT.html.

  9. For technical reasons we need an additional public key \(\mathsf {cpk}\) in the public parameters.

  10. We also note that [75] informally mentions that their approach is also useful to construct what they call hierarchical ring signatures. However, their paradigm is not useful to construct ring signatures as we did in the previous section.

  11. We, however, note that an extension of the \(\textsf {UDVS}\) model to universal designated verifier ring signatures would be straightforward, and our scheme is also extensible using the same techniques as in Scheme 9.

  12. We note that our construction is inspired by earlier work of us on a variant of redactable signatures [31].

  13. is only required as the signatures produced by may be malleable on their own.

  14. The actual statement can of course be different if one chooses to use techniques to achieve more compact ring signatures or in case one simply requires a different statement when using SSE NIZKs in other applications.

  15. What they call unbounded simulation-sound extractability is equivalent to our notion of simulation-sound extractability.

  16. https://www.ietf.org/mail-archive/web/cfrg/current/maillist.html.

  17. For instance, assuming \(2^{30}\) keys in a system, such a reduction loss requires a significant increase in the parameters.
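As an added illustration, not code from the paper, of the key-homomorphism described in the abstract and the adaptability remarks in Notes 1 and 7: a toy Schnorr scheme over a constructed small group, showing that a signature under one key can be turned into a signature under a shifted key without the secret key, and that hashing the public key into the Fiat–Shamir challenge (as key-prefixed variants do) removes this adaptability. The group parameters, the challenge encoding and all function names are assumptions made for this example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only (far too small to be secure):
# p = 2q + 1 with p, q prime; G = 4 generates the order-q subgroup of squares mod p.
P, Q, G = 10007, 5003, 4


def H(*parts) -> int:
    """Fiat-Shamir challenge: SHA-256 over the encoded inputs, reduced mod Q."""
    enc = b"|".join(x if isinstance(x, bytes) else str(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(enc).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key x in [1, Q-1]
    return x, pow(G, x, P)                    # public key y = G^x


def sign(x, y, m, key_prefixed):
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = H(y, R, m) if key_prefixed else H(R, m)   # key-prefixed variant hashes y as well
    return c, (r + c * x) % Q


def verify(y, m, sig, key_prefixed):
    c, s = sig
    R = pow(G, s, P) * pow(y, (-c) % Q, P) % P    # R = G^s * y^(-c)
    return c == (H(y, R, m) if key_prefixed else H(R, m))


def shift_pk(y, delta):
    """Key homomorphism: the public key of x + delta is y * G^delta, computable without x."""
    return y * pow(G, delta, P) % P


def adapt(sig, delta):
    """Adapt a signature under x to one under x + delta, again without knowing x."""
    c, s = sig
    return c, (s + c * delta) % Q


def adaptability(key_prefixed, n=8):
    """Count how many of n adapted signatures verify under the shifted key."""
    x, y = keygen()
    delta = secrets.randbelow(Q - 1) + 1
    y2 = shift_pk(y, delta)
    assert y2 == pow(G, (x + delta) % Q, P)   # equals honest key generation for x + delta
    ok = 0
    for i in range(n):
        m = b"message %d" % i                 # constructed sample messages
        sig = sign(x, y, m, key_prefixed)
        assert verify(y, m, sig, key_prefixed)
        ok += verify(y2, m, adapt(sig, delta), key_prefixed)
    return ok


if __name__ == "__main__":
    print("plain Schnorr: adapted signatures accepted", adaptability(False), "of 8")
    print("key-prefixed Schnorr: adapted signatures accepted", adaptability(True), "of 8")
```

For plain Schnorr every adapted signature verifies; for the key-prefixed variant an adapted signature only passes if the new key happens to produce the same challenge mod Q, which is negligible at real parameter sizes.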

References

  1. Abe M., David B., Kohlweiss M., Nishimaki R., Ohkubo M.: Tagged one-time signatures: tight security and optimal tag size. In: PKC, pp. 312–331 (2013). https://doi.org/10.1007/978-3-642-36362-7_20.

  2. Abe M., Fuchsbauer G., Groth J., Haralambiev K., Ohkubo M.: Structure-preserving signatures and commitments to group elements. In: CRYPTO (2010).

  3. Abe M., Groth J., Ohkubo M., Tibouchi M.: Structure-preserving signatures from type II pairings. In: Advances in Cryptology—CRYPTO 2014, pp. 390–407 (2014).

  4. Ahn J.H., Boneh D., Camenisch J., Hohenberger S., Shelat A., Waters B.: Computing on authenticated data. In: TCC (2012). https://doi.org/10.1007/978-3-642-28914-9_1.

  5. Applebaum B., Harnik D., Ishai Y.: Semantic security under related-key attacks and applications. In: ICS (2011).

  6. Attrapadung N., Libert B., Peters T.: Computing on authenticated data: new privacy definitions and constructions. In: ASIACRYPT (2012). https://doi.org/10.1007/978-3-642-34961-4_23.

  7. Bader C., Jager T., Li Y., Schäge S.: On the impossibility of tight cryptographic reductions. In: EUROCRYPT (2016). https://doi.org/10.1007/978-3-662-49896-5_10.

  8. Bagherzandi A., Jarecki S.: Multisignatures using proofs of secret key possession, as secure as the Diffie–Hellman problem. In: SCN (2008). https://doi.org/10.1007/978-3-540-85855-3_15.

  9. Banerjee A., Fuchsbauer G., Peikert C., Pietrzak K., Stevens S.: Key-homomorphic constrained pseudorandom functions. In: TCC (2015). https://doi.org/10.1007/978-3-662-46497-7_2.

  10. Banerjee A., Peikert C.: New and improved key-homomorphic pseudorandom functions. In: CRYPTO (2014). https://doi.org/10.1007/978-3-662-44371-2_20.

  11. Bellare M., Cash D., Miller R.: Cryptography secure against related-key attacks and tampering. In: ASIACRYPT (2011). https://doi.org/10.1007/978-3-642-25385-0_26.

  12. Bellare M., Paterson K.G., Thomson S.: RKA security beyond the linear barrier: IBE, encryption and signatures. In: ASIACRYPT (2012). https://doi.org/10.1007/978-3-642-34961-4_21.

  13. Bender A., Katz J., Morselli R.: Ring signatures: stronger definitions, and constructions without random oracles. J. Cryptol. (2009). https://doi.org/10.1007/s00145-007-9011-9.

  14. Benhamouda F., Bourse F., Lipmaa H.: CCA-secure inner-product functional encryption from projective hash functions. In: PKC (2017).

  15. Benhamouda F., Joye M., Libert B.: A new framework for privacy-preserving aggregation of time-series data. ACM Trans. Inf. Syst. Secur. (2016). https://doi.org/10.1145/2873069.

  16. Bernhard D., Fuchsbauer G., Ghadafi E.: Efficient signatures of knowledge and DAA in the standard model. In: ACNS (2013). https://doi.org/10.1007/978-3-642-38980-1_33.

  17. Bernstein D.J.: Multi-user Schnorr security, revisited. IACR Cryptology ePrint Archive (2015).

  18. Boldyreva A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie–Hellman-group signature scheme. In: PKC (2003). https://doi.org/10.1007/3-540-36288-6_3.

  19. Boneh D., Gentry C., Gorbunov S., Halevi S., Nikolaenko V., Segev G., Vaikuntanathan V., Vinayagamurthy D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: EUROCRYPT (2014). https://doi.org/10.1007/978-3-642-55220-5_30.

  20. Boneh D., Gentry C., Lynn B., Shacham H.: Aggregate and verifiably encrypted signatures from bilinear maps. In: EUROCRYPT (2003). https://doi.org/10.1007/3-540-39200-9_26.

  21. Boneh D., Lewi K., Montgomery H.W., Raghunathan A.: Key homomorphic PRFs and their applications. In: CRYPTO (2013). https://doi.org/10.1007/978-3-642-40041-4_23.

  22. Boneh D., Lynn B., Shacham H.: Short signatures from the Weil pairing. J. Cryptol. (2004). https://doi.org/10.1007/s00145-004-0314-9.

  23. Bootle J., Cerulli A., Chaidos P., Ghadafi E., Groth J., Petit C.: Short accountable ring signatures based on DDH. In: ESORICS (2015). https://doi.org/10.1007/978-3-319-24174-6_13.

  24. Boyen X., Fan X., Shi E.: Adaptively secure fully homomorphic signatures based on lattices. Cryptology ePrint Archive, Report 2014/916 (2014).

  25. Brakerski Z., Kalai Y.T.: A framework for efficient signatures, ring signatures and identity based encryption in the standard model. IACR Cryptology ePrint Archive (2010).

  26. Catalano D.: Homomorphic signatures and message authentication codes. In: SCN (2014). https://doi.org/10.1007/978-3-319-10879-7_29.

  27. Chandran N., Groth J., Sahai A.: Ring signatures of sub-linear size without random oracles. In: ICALP (2007). https://doi.org/10.1007/978-3-540-73420-8_38.

  28. Chase M., Lysyanskaya A.: On signatures of knowledge. In: CRYPTO (2006). https://doi.org/10.1007/11818175_5.

  29. Chatterjee S., Hankerson D., Knapp E., Menezes A.: Comparing two pairing-based aggregate signature schemes. Des. Codes Cryptogr. (2010). https://doi.org/10.1007/s10623-009-9334-7.

  30. Cramer R., Damgård I., Schoenmakers B.: Proofs of partial knowledge and simplified design of witness hiding protocols. In: CRYPTO (1994). https://doi.org/10.1007/3-540-48658-5_19.

  31. Derler D., Krenn S., Slamanig D.: Signer-anonymous designated-verifier redactable signatures for cloud-based data sharing. In: CANS (2016).

  32. Dodis Y., Haralambiev K., López-Alt A., Wichs D.: Efficient public-key cryptography in the presence of key leakage. In: ASIACRYPT, pp. 613–631 (2010). https://doi.org/10.1007/978-3-642-17373-8_35.

  33. Dodis Y., Kiayias A., Nicolosi A., Shoup V.: Anonymous identification in ad hoc groups. In: EUROCRYPT (2004). https://doi.org/10.1007/978-3-540-24676-3_36.

  34. Dodis Y., Mironov I., Stephens-Davidowitz N.: Message transmission with reverse firewalls—secure communication on corrupted machines. In: CRYPTO (2016). https://doi.org/10.1007/978-3-662-53018-4_13.

  35. Escala A., Groth J.: Fine-tuning Groth–Sahai proofs. In: PKC (2014).

  36. Fiat A., Shamir A.: How to prove yourself: Practical solutions to identification and signature problems. In: CRYPTO (1986). https://doi.org/10.1007/3-540-47721-7_12.

  37. Fischlin M., Fleischhacker N.: Limitations of the meta-reduction technique: the case of Schnorr signatures. In: EUROCRYPT (2013). https://doi.org/10.1007/978-3-642-38348-9_27.

  38. Fleischhacker N., Krupp J., Malavolta G., Schneider J., Schröder D., Simkin M.: Efficient unlinkable sanitizable signatures from signatures with re-randomizable keys. In: PKC (2016). https://doi.org/10.1007/978-3-662-49384-7_12.

  39. Fuchsbauer G., Hanser C., Slamanig D.: Practical round-optimal blind signatures in the standard model. In: CRYPTO (2015). https://doi.org/10.1007/978-3-662-48000-7_12.

  40. Galbraith S.D., Malone-Lee J., Smart N.P.: Public key signatures in the multi-user setting. Inf. Process. Lett. (2002). https://doi.org/10.1016/S0020-0190(01)00338-6.

  41. Garay J.A., MacKenzie P.D., Yang K.: Strengthening zero-knowledge protocols using signatures. In: EUROCRYPT (2003). https://doi.org/10.1007/3-540-39200-9_11.

  42. Garay J.A., MacKenzie P.D., Yang K.: Strengthening zero-knowledge protocols using signatures. J. Cryptol. (2006). https://doi.org/10.1007/s00145-005-0307-3.

  43. Gay R., Hofheinz D., Kiltz E., Wee H.: Tightly CCA-secure encryption without pairings. In: EUROCRYPT (2016). https://doi.org/10.1007/978-3-662-49890-3_1.

  44. Gentry C.: Fully homomorphic encryption using ideal lattices. In: STOC (2009).

  45. Gentry C., Peikert C., Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions. In: STOC, pp. 197–206 (2008).

  46. Ghadafi E.: Short structure-preserving signatures. In: CT-RSA 2016, pp. 305–321 (2016). https://doi.org/10.1007/978-3-319-29485-8_18.

  47. Goh E., Jarecki S., Katz J., Wang N.: Efficient signature schemes with tight reductions to the Diffie–Hellman problems. J. Cryptol. (2007). https://doi.org/10.1007/s00145-007-0549-3.

  48. Goldwasser S., Kalai Y.T.: Cryptographic assumptions: a position paper. In: Theory of Cryptography—13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10–13, 2016, Proceedings, Part I, pp. 505–522 (2016). https://doi.org/10.1007/978-3-662-49096-9_21.

  49. Goldwasser S., Lewko A.B., Wilson D.A.: Bounded-collusion IBE from key homomorphism. In: TCC (2012). https://doi.org/10.1007/978-3-642-28914-9_32.

  50. Gorbunov S., Vaikuntanathan V., Wichs D.: Leveled fully homomorphic signatures from standard lattices. In: STOC (2015). https://doi.org/10.1145/2746539.2746576.

  51. Groth J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: ASIACRYPT (2006). https://doi.org/10.1007/11935230_29.

  52. Groth J., Kohlweiss M.: One-out-of-many proofs: or how to leak a secret and spend a coin. In: EUROCRYPT (2015). https://doi.org/10.1007/978-3-662-46803-6_9.

  53. Groth J., Sahai A.: Efficient non-interactive proof systems for bilinear groups. In: EUROCRYPT (2008). https://doi.org/10.1007/978-3-540-78967-3_24.

  54. Guillou L.C., Quisquater J.: A paradoxical identity-based signature scheme resulting from zero-knowledge. In: CRYPTO, pp. 216–231 (1988). https://doi.org/10.1007/0-387-34799-2_16.

  55. Hanser C., Slamanig D.: Structure-preserving signatures on equivalence classes and their application to anonymous credentials. In: ASIACRYPT (2014). https://doi.org/10.1007/978-3-662-45611-8_26.

  56. Itakura K., Nakamura K.: A public-key cryptosystem suitable for digital multisignatures. NEC Res. Dev. 71, 177–186 (1983).

  57. Jakobsson M., Sako K., Impagliazzo R.: Designated verifier proofs and their applications. In: EUROCRYPT (1996). https://doi.org/10.1007/3-540-68339-9_13.

  58. Johnson R., Molnar D., Song D.X., Wagner D.: Homomorphic signature schemes. In: CT-RSA (2002). https://doi.org/10.1007/3-540-45760-7_17.

  59. Katz J.: Digital Signatures. Springer, New York (2010). https://doi.org/10.1007/978-0-387-27712-7.

  60. Katz J., Wang N.: Efficiency improvements for signature schemes with tight security reductions. In: CCS (2003). https://doi.org/10.1145/948109.948132.

  61. Kiltz E., Masny D., Pan J.: Optimal security proofs for signatures from identification schemes. In: CRYPTO (2016). https://doi.org/10.1007/978-3-662-53008-5_2.

  62. Lacharité M.: Security of BLS and BGLS signatures in a multi-user setting. Cryptogr. Commun. 10(1), 41–58 (2018). https://doi.org/10.1007/s12095-017-0253-6.

  63. Lu S., Ostrovsky R., Sahai A., Shacham H., Waters B.: Sequential aggregate signatures and multisignatures without random oracles. In: EUROCRYPT (2006). https://doi.org/10.1007/11761679_28.

  64. Lyubashevsky V.: Lattice-based identification schemes secure under active attacks. In: Public Key Cryptography—PKC 2008, 11th International Workshop on Practice and Theory in Public-Key Cryptography, Barcelona, Spain, March 9–12, 2008. Proceedings, pp. 162–179 (2008). https://doi.org/10.1007/978-3-540-78440-1_10.

  65. Malavolta G., Schröder D.: Efficient ring signatures in the standard model. In: Advances in Cryptology—ASIACRYPT 2017, pp. 128–157 (2017). https://doi.org/10.1007/978-3-319-70697-9_5.

  66. Menezes A., Smart N.P.: Security of signature schemes in a multi-user setting. Des. Codes Cryptogr. (2004). https://doi.org/10.1023/B:DESI.0000036250.18062.3f.

  67. Morita H., Schuldt J.C.N., Matsuda T., Hanaoka G., Iwata T.: On the security of the Schnorr signature scheme and DSA against related-key attacks. In: ICISC (2015). https://doi.org/10.1007/978-3-319-30840-1_2.

  68. Naor M.: On cryptographic assumptions and challenges. In: Advances in Cryptology—CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17–21, 2003, Proceedings, pp. 96–109 (2003). https://doi.org/10.1007/978-3-540-45146-4_6.

  69. Pagnin E., Mitrokotsa A., Tanaka K.: Anonymous single-round server-aided verification. Cryptology ePrint Archive, Report 2017/794 (2017). (to appear at Latincrypt 2017).

  70. Pointcheval D., Sanders O.: Short randomizable signatures. In: CT-RSA (2016). https://doi.org/10.1007/978-3-319-29485-8_7.

  71. Ristenpart T., Yilek S.: The power of proofs-of-possession: securing multiparty signatures against rogue-key attacks. In: EUROCRYPT (2007). https://doi.org/10.1007/978-3-540-72540-4_13.

  72. Rivest R.L., Shamir A., Tauman Y.: How to leak a secret. In: ASIACRYPT (2001). https://doi.org/10.1007/3-540-45682-1_32.

  73. Rothblum R.: Homomorphic encryption: from private-key to public-key. In: TCC (2011). https://doi.org/10.1007/978-3-642-19571-6_14.

  74. Schnorr C.: Efficient signature generation by smart cards. J. Cryptol. (1991). https://doi.org/10.1007/BF00196725.

  75. Shahandashti S.F., Safavi-Naini R.: Construction of universal designated-verifier signatures and identity-based signatures from standard signatures. In: PKC (2008). https://doi.org/10.1007/978-3-540-78440-1_8.

  76. Shamir A., Tauman Y.: Improved online/offline signature schemes. In: CRYPTO, pp. 355–367 (2001). https://doi.org/10.1007/3-540-44647-8_21.

  77. Steinfeld R., Bull L., Wang H., Pieprzyk J.: Universal designated-verifier signatures. In: ASIACRYPT (2003). https://doi.org/10.1007/978-3-540-40061-5_33.

  78. Tessaro S., Wilson D.A.: Bounded-collusion identity-based encryption from semantically-secure public-key encryption: generic constructions with short ciphertexts. In: PKC (2014). https://doi.org/10.1007/978-3-642-54631-0_15.

  79. Waters B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT (2005). https://doi.org/10.1007/11426639_7.


Acknowledgements

The authors have been supported by EU H2020 project Prismacloud, Grant Agreement No. 644962. We thank various anonymous referees for their valuable comments.

Corresponding author

Correspondence to David Derler.

Additional information

Communicated by S. D. Galbraith.


Cite this article

Derler, D., Slamanig, D. Key-homomorphic signatures: definitions and applications to multiparty signatures and non-interactive zero-knowledge. Des. Codes Cryptogr. 87, 1373–1413 (2019). https://doi.org/10.1007/s10623-018-0535-9

  • DOI: https://doi.org/10.1007/s10623-018-0535-9
