Formalizing group blind signatures and practical constructions without random oracles

Group blind signatures combine anonymity properties of both group signatures and blind signatures and offer privacy for both the message to be signed and the signer. The primitive has been introduced with only informal definitions for its required security properties. In this paper, we offer two main contributions: first, we provide foundations for the primitive and present formal security definitions. In the process, we identify and address some subtle issues which were not considered by previous constructions and (informal) security definitions. Our second main contribution is a generic construction that yields practical schemes with a round-optimal signing protocol and constant-size signatures. Our constructions permit dynamic and concurrent enrollment of new members and satisfy strong security requirements. To the best of our knowledge, our schemes are the first provably secure constructions in the standard model. In addition, we introduce some new building blocks which may be of independent interest. © 2013 Springer-Verlag

Fair Multiple-bank E-cash in the Standard Model

Multiple-bank e-cash (electronic cash) model allows users and merchants to open their accounts at different banks which are monitored by the Center Bank. Some multiple-bank e-cash systems were proposed in recent years. However, prior implementations of multiple-bank e-cash all require the random oracle model idealization in their security analysis. We know some schemes are secure in the random oracle model, but are trivially insecure under any instantiation of the oracle. In this paper, based on the automorphic blind signature, the Groth-Sahai proof system and a new group blind signature, we construct a fair multiple-bank e-cash scheme. The new scheme is proved secure in the standard model and provides the following functionalities, such as owner tracing, coin tracing, identification of the double spender and signer tracing. In order to sign two messages at once, we extend Ghadafi\u27s group blind signature to a new group blind signature. The new signature scheme may be of independent interest

More Efficient Structure-Preserving Signatures - Or: Bypassing the Type-III Lower Bounds

Structure-preserving signatures are an important cryptographic primitive that is useful for the design of modular cryptographic protocols. It has been proven that structure-preserving signatures (in the most efficient Type-III bilinear group setting) have a lower bound of 3 group elements in the signature (which must include elements from both source groups) and require at least 2 pairing-product equations for verification. In this paper, we show that such lower bounds can be circumvented. In particular, we define the notion of Unilateral Structure-Preserving Signatures on Diffie-Hellman pairs (USPSDH) which are structure-preserving signatures in the efficient Type-III bilinear group setting with the message space being the set of Diffie-Hellman pairs, in the terminology of Abe et al. (Crypto 2010). The signatures in these schemes are elements of one of the source groups, i.e. unilateral, whereas the verification key elements\u27 are from the other source group. We construct a number of new structure-preserving signature schemes which bypass the Type-III lower bounds and hence they are much more efficient than all existing structure-preserving signature schemes. We also prove optimality of our constructions by proving lower bounds and giving some impossibility results. Our contribution can be summarized as follows: \begin{itemize} \item We construct two optimal randomizable CMA-secure schemes with signatures consisting of only 2 group elements from the first short source group and therefore our signatures are at least half the size of the best existing structure-preserving scheme for unilateral messages in the (most efficient) Type-III setting. Verifying signatures in our schemes requires, besides checking the well-formedness of the message, the evaluation of a single Pairing-Product Equation (PPE) and requires a fewer pairing evaluations than all existing structure-preserving signature schemes in the Type-III setting. Our first scheme has a feature that permits controlled randomizability (combined unforgeability) where the signer can restrict some messages such that signatures on those cannot be re-randomized which might be useful for some applications. \item We construct optimal strongly unforgeable CMA-secure one-time schemes with signatures consisting of 1 group element, and which can also sign a vector of messages while maintaining the same signature size. \item We give a one-time strongly unforgeable CMA-secure structure-preserving scheme that signs unilateral messages, i.e. messages in one of the source groups, whose efficiency matches the best existing optimal one-time scheme in every respect. \item We investigate some lower bounds and prove some impossibility results regarding this variant of structure-preserving signatures. \item We give an optimal (with signatures consisting of 2 group elements and verification requiring 1 pairing-product equation) fully randomizable CMA-secure partially structure-preserving scheme that simultaneously signs a Diffie-Hellman pair and a vector in $\Z^k_p$. \item As an example application of one of our schemes, we obtain efficient instantiations of randomizable weakly blind signatures which do not rely on random oracles. The latter is a building block that is used, for instance, in constructing Direct Anonymous Attestation (DAA) protocols, which are protocols deployed in practice. \end{itemize} Our results offer value along two fronts: On the practical side, our constructions are more efficient than existing ones and thus could lead to more efficient instantiations of many cryptographic protocols. On the theoretical side, our results serve as a proof that many of the lower bounds for the Type-III setting can be circumvented

How to Obtain Fully Structure-Preserving (Automorphic) Signatures from Structure-Preserving Ones

In this paper, we bridge the gap between structure-preserving signatures (SPSs) and fully structure-preserving signatures (FSPSs). In SPSs, all the messages, signatures, and verification keys consist only of group elements, while in FSPSs, even signing keys are required to be a collection of group elements. To achieve our goal, we introduce two new primitives called trapdoor signature and signature with auxiliary key, both of which can be derived from SPSs. By carefully combining both primitives, we obtain generic constructions of FSPSs from SPSs. Upon instantiating the above two primitives, we get many instantiations of FSPS with unilateral and bilateral message spaces. Different from previously proposed FSPSs, many of our instantiations also have the automorphic property, i.e., a signer can sign his own verification key. As by-product results, one of our instantiations has the shortest verification key size, signature size, and lowest verification cost among all previous constructions based on standard assumptions, and one of them is the first FSPS scheme in the type I bilinear groups

Matters of Coercion-Resistance in Cryptographic Voting Schemes

This work addresses coercion-resistance in cryptographic voting schemes. It focuses on three particularly challenging cases: write-in candidates, internet elections and delegated voting. Furthermore, this work presents a taxonomy for analyzing and comparing a huge variety of voting schemes, and presents practical experiences with the voting scheme Bingo Voting