One-more Unforgeability of Blind ECDSA

In this paper, we give the first formal security analysis on the one-more unforgeability of blind ECDSA. We start with giving a general attack on blind ECDSA, which is similar to the ROS attack on the blind Schnorr signature. We formulate the ECDSA-ROS problem to capture this attack. Next, we give a generic construction of blind ECDSA based on an additive homomorphic encryption and a corresponding zero-knowledge proof. Our concrete instantiation is about 40 times more bandwidth efficient than the blind ECDSA in AsiaCCS 2019. After that, we give the first formal proof of one-more unforgeability for blind ECDSA, under a new model called algebraic bijective random oracle. The security of our generic blind ECDSA relies on the hardness of a discrete logarithm-based interactive assumption and an assumption of the underlying elliptic curve. Finally, we analyze the hardness of the ECDSA-ROS problem in the algebraic bijective random oracle model

On Central Bank Digital Currency: A composable treatment

Central Bank Digital Currency (CBDC) is in the phase of discussion in most of countries. In this paper, we consider the security issues of centralized retail CBDC. Our focus is on the design and analysis of the underlying cryptographic protocol. The main security requirements against the protocol are transaction anonymity and protection against tax evasion. The protocol provides security guarantees in case of the strongest model of an execution environment which is the general concurrent environment. We apply the Universal Composition (UC) methodology of Canetti [3],[4]. At the time of this writing, we are not aware of any published CBDC protocol with an aim to provide secure compositional guarantees

A Framework for Universally Composable Non-Committing Blind Signatures

A universally composable (UC) blind signature functionality requres users to commit to the message to be blindly signed. It is thereby impossible to realize in the plain model. This paper shows that even non-committing variants of UC blind signature functionality can not be realized in the plain model. We characterize UC non-committing blind signatures in the common reference string model by presenting equivalent stand-alone security notions under static corruption. Usefulness of the characterization is demonstrated by showing that Fischlin\u27s basic stand-alone blind signature scheme can be transformed into a UC non-committing blind signature protocol without using extra cryptographic components. We extend the results to the adaptive corruption model and present analogous notions, theorems, and constructions both in the erasure model and the non-erasure model

Signing on Elements in Bilinear Groups for Modular Protocol Design

A signature scheme is called structure-preserving if its verification keys, messages, and signatures are group elements and the verification predicate is a conjunction of pairing product equations. We answer to the open problem of constructing a constant-size structure-preserving signature scheme. The security is proven in the standard model based on a novel non-interactive assumption that can be justified and has an optimal bound in the generic bilinear group model. We also present efficient structure-preserving signature schemes with advanced properties including signing unbounded number of group elements, allowing simulation in the common reference string model, signing messages from mixed groups in the asymmetric bilinear group setting, and strong unforgeability. Among many applications, we show two examples; an adaptively secure round optimal blind signature scheme and a group signature scheme with efficient concurrent join. As a bi-product, several homomorphic trapdoor commitment schemes and one-time signature schemes are presented, too. In combination with the Groth-Sahai non-interactive proof system, these schemes contribute to give efficient instantiations to modular constructions of cryptographic protocols

Composable & Modular Anonymous Credentials: Definitions and Practical Constructions

It takes time for theoretical advances to get used in practical schemes. Anonymous credential schemes are no exception. For instance, existing schemes suited for real-world use lack formal, composable definitions, partly because they do not support straight-line extraction and rely on random oracles for their security arguments. To address this gap, we propose unlinkable redactable signatures (URS), a new building block for privacy-enhancing protocols, which we use to construct the first efficient UC-secure anonymous credential system that supports multiple issuers, selective disclosure of attributes, and pseudonyms. Our scheme is one of the first such systems for which both the size of a credential and its presentation proof are independent of the number of attributes issued in a credential. Moreover, our new credential scheme does not rely on random oracles. As an important intermediary step, we address the problem of building a functionality for a complex credential system that can cover many different features. Namely, we design a core building block for a single issuer that supports credential issuance and presentation with respect to pseudonyms and then show how to construct a full-fledged credential system with multiple issuers in a modular way. We expect this flexible definitional approach to be of independent interest

Equivocal Blind Signatures and Adaptive UC-Security

We study the design of practical blind signatures in the universal composability (UC) setting against adaptive adversaries. We introduce a new property for blind signature schemes that is fundamental for managing adaptive adversaries: an equivocal blind signature is a blind signature protocol where a simulator can construct the internal state of the client so that it matches a simulated transcript even after a signature was released. We present a general construction methodology for building practical adaptively secure blind signatures: the starting point is a 2-move “lite blind signature”, a lightweight 2-party signature protocol that we formalize and implement both generically as well as number theoretically: formalizing a primitive as “lite ” means that the adversary is required to show all private tapes of adversarially controlled parties; this enables us to conveniently separate zero-knowledge (ZK) related security requirements from the remaining security properties in the primitive’s design methodology. We then focus on the exact ZK requirements for building blind signatures. To this effect, we formalize two special ZK ideal functionalities, single-verifier-ZK (SVZK) and single-prover-ZK (SPZK) and we investigate the requirements for realizing them in a commit-and-prove fashion as building blocks for adaptively secure UC blind signatures. SVZK can be realized without relying on a multi-session UC commitment; a