Snowblind: A Threshold Blind Signature in Pairing-Free Groups

Both threshold and blind signatures have, individually, received a considerable amount of attention. However little is known about their combination, i.e., a threshold signature which is also blind, in that no coalition of signers learns anything about the message being signed or the signature being produced. Several applications of blind signatures (e.g., anonymous tokens) would benefit from distributed signing as a means to increase trust in the service and hence reduce the risks of key compromise. This paper builds the first blind threshold signatures in pairing-free groups. Our main contribution is a construction that transforms an underlying blind non-threshold signature scheme with a suitable structure into a threshold scheme, preserving its blindness. The resulting signing protocol proceeds in three rounds, and produces signatures consisting of one group element and two scalars. The underlying non-threshold blind signature schemes are of independent interest, and improve upon the current state of the art (Tessaro and Zhu, EUROCRYPT ’22) with shorter signatures (three elements, instead of four) and simpler proofs of security. All of our schemes are proved secure in the Random Oracle and Algebraic Group Models, assuming the hardness of the discrete logarithm problem

Identity based cryptography from pairings.

Yuen Tsz Hon.Thesis (M.Phil.)--Chinese University of Hong Kong, 2006.Includes bibliographical references (leaves 109-122).Abstracts in English and Chinese.Abstract --- p.iAcknowledgement --- p.iiiList of Notations --- p.viiiChapter 1 --- Introduction --- p.1Chapter 1.1 --- Identity Based Cryptography --- p.3Chapter 1.2 --- Hierarchical Identity Based Cryptosystem --- p.4Chapter 1.3 --- Our contributions --- p.5Chapter 1.4 --- Publications --- p.5Chapter 1.4.1 --- Publications Produced from This Thesis --- p.5Chapter 1.4.2 --- Publications During Author's Study in the Degree --- p.6Chapter 1.5 --- Thesis Organization --- p.6Chapter 2 --- Background --- p.8Chapter 2.1 --- Complexity Theory --- p.8Chapter 2.1.1 --- Order Notation --- p.8Chapter 2.1.2 --- Algorithms and Protocols --- p.9Chapter 2.1.3 --- Relations and Languages --- p.11Chapter 2.2 --- Algebra and Number Theory --- p.12Chapter 2.2.1 --- Groups --- p.12Chapter 2.2.2 --- Elliptic Curve --- p.13Chapter 2.2.3 --- Pairings --- p.14Chapter 2.3 --- Intractability Assumptions --- p.15Chapter 2.4 --- Cryptographic Primitives --- p.18Chapter 2.4.1 --- Public Key Encryption --- p.18Chapter 2.4.2 --- Digital Signature --- p.19Chapter 2.4.3 --- Zero Knowledge --- p.21Chapter 2.5 --- Hash Functions --- p.23Chapter 2.6 --- Random Oracle Model --- p.24Chapter 3 --- Literature Review --- p.26Chapter 3.1 --- Identity Based Signatures --- p.26Chapter 3.2 --- Identity Based Encryption --- p.27Chapter 3.3 --- Identity Based Signcryption --- p.27Chapter 3.4 --- Identity Based Blind Signatures --- p.28Chapter 3.5 --- Identity Based Group Signatures --- p.28Chapter 3.6 --- Hierarchical Identity Based Cryptography --- p.29Chapter 4 --- Blind Identity Based Signcryption --- p.30Chapter 4.1 --- Schnorr's ROS problem --- p.31Chapter 4.2 --- BIBSC and Enhanced IBSC Security Model --- p.32Chapter 4.2.1 --- Enhanced IBSC Security Model --- p.33Chapter 4.2.2 --- BIBSC Security Model --- p.36Chapter 4.3 --- Efficient and Secure BIBSC and IBSC Schemes --- p.38Chapter 4.3.1 --- Efficient and Secure IBSC Scheme --- p.38Chapter 4.3.2 --- The First BIBSC Scheme --- p.43Chapter 4.4 --- Generic Group and Pairing Model --- p.47Chapter 4.5 --- Comparisons --- p.52Chapter 4.5.1 --- Comment for IND-B --- p.52Chapter 4.5.2 --- Comment for IND-C --- p.54Chapter 4.5.3 --- Comment for EU --- p.55Chapter 4.6 --- Additional Functionality of Our Scheme --- p.56Chapter 4.6.1 --- TA Compatibility --- p.56Chapter 4.6.2 --- Forward Secrecy --- p.57Chapter 4.7 --- Chapter Conclusion --- p.57Chapter 5 --- Identity Based Group Signatures --- p.59Chapter 5.1 --- New Intractability Assumption --- p.61Chapter 5.2 --- Security Model --- p.62Chapter 5.2.1 --- Syntax --- p.63Chapter 5.2.2 --- Security Notions --- p.64Chapter 5.3 --- Constructions --- p.68Chapter 5.3.1 --- Generic Construction --- p.68Chapter 5.3.2 --- An Instantiation: IBGS-SDH --- p.69Chapter 5.4 --- Security Theorems --- p.73Chapter 5.5 --- Discussions --- p.81Chapter 5.5.1 --- Other Instantiations --- p.81Chapter 5.5.2 --- Short Ring Signatures --- p.82Chapter 5.6 --- Chapter Conclusion --- p.82Chapter 6 --- Hierarchical IBS without Random Oracles --- p.83Chapter 6.1 --- New Intractability Assumption --- p.87Chapter 6.2 --- Security Model: HIBS and HIBSC --- p.89Chapter 6.2.1 --- HIBS Security Model --- p.89Chapter 6.2.2 --- Hierarchical Identity Based Signcryption (HIBSC) --- p.92Chapter 6.3 --- Efficient Instantiation of HIBS --- p.95Chapter 6.3.1 --- Security Analysis --- p.96Chapter 6.3.2 --- Ordinary Signature from HIBS --- p.101Chapter 6.4 --- Plausibility Arguments for the Intractability of the OrcYW Assumption --- p.102Chapter 6.5 --- Efficient HIBSC without Random Oracles --- p.103Chapter 6.5.1 --- Generic Composition from HIBE and HIBS --- p.104Chapter 6.5.2 --- Concrete Instantiation --- p.105Chapter 6.6 --- Chapter Conclusion --- p.107Chapter 7 --- Conclusion --- p.108Bibliography --- p.10

Lattice-Based Blind Signatures, Revisited

We observe that all previously known lattice-based blind signature schemes contain subtle flaws in their security proofs (e.g., Rückert, ASIACRYPT \u2708) or can be attacked (e.g., BLAZE by Alkadri et al., FC \u2720). Motivated by this, we revisit the problem of constructing blind signatures from standard lattice assumptions. We propose a new three-round lattice-based blind signature scheme whose security can be proved, in the random oracle model, from the standard SIS assumption. Our starting point is a modified version of the (insecure) BLAZE scheme, which itself is based Lyubashevsky\u27s three-round identification scheme combined with a new aborting technique to reduce the correctness error. Our proof builds upon and extends the recent modular framework for blind signatures of Hauck, Kiltz, and Loss (EUROCRYPT \u2719). It also introduces several new techniques to overcome the additional challenges posed by the correctness error which is inherent to all lattice-based constructions. While our construction is mostly of theoretical interest, we believe it to be an important stepping stone for future works in this area

Pairing-Based Cryptographic Protocols : A Survey

The bilinear pairing such as Weil pairing or Tate pairing on elliptic and hyperelliptic curves have recently been found applications in design of cryptographic protocols. In this survey, we have tried to cover different cryptographic protocols based on bilinear pairings which possess, to the best of our knowledge, proper security proofs in the existing security models

SoK: Privacy-Preserving Signatures

Modern security systems depend fundamentally on the ability of users to authenticate their communications to other parties in a network. Unfortunately, cryptographic authentication can substantially undermine the privacy of users. One possible solution to this problem is to use privacy-preserving cryptographic authentication. These protocols allow users to authenticate their communications without revealing their identity to the verifier. In the non-interactive setting, the most common protocols include blind, ring, and group signatures, each of which has been the subject of enormous research in the security and cryptography literature. These primitives are now being deployed at scale in major applications, including Intel\u27s SGX software attestation framework. The depth of the research literature and the prospect of large-scale deployment motivate us to systematize our understanding of the research in this area. This work provides an overview of these techniques, focusing on applications and efficiency

On Pairing-Free Blind Signature Schemes in the Algebraic Group Model

Studying the security and efficiency of blind signatures is an important goal for privacy sensitive applications. In particular, for large-scale settings (e.g., cryptocurrency tumblers), it is important for schemes to scale well with the number of users in the system. Unfortunately, all practical schemes either 1) rely on (very strong) number theoretic hardness assumptions and/or computationally expensive pairing operations over bilinear groups, or 2) support only a polylogarithmic number of concurrent (i.e., arbitrarily interleaved) signing sessions per public key. In this work, we revisit the security of two pairing-free blind signature schemes in the Algebraic Group Model (AGM) + Random Oracle Model (ROM). Concretely, 1. We consider the security of Abe’s scheme (EUROCRYPT ‘01), which is known to have a flawed proof in the plain ROM. We adapt the scheme to allow a partially blind variant and give a proof of the new scheme under the discrete logarithm assumption in the AGM+ROM, even for (polynomially many) concurrent signing sessions. 2. We then prove that the popular blind Schnorr scheme is secure under the one-more discrete logarithm assumption if the signatures are issued sequentially. While the work of Fuchsbauer et al. (EUROCRYPT ‘20) proves the security of the blind Schnorr scheme for concurrent signing sessions in the AGM+ROM, its underlying assumption, ROS, is proven false by Benhamouda et al. (EUROCRYPT‘21) when more than polylogarithmically many signatures are issued. Given the recent progress, we present the first security analysis of the blind Schnorr scheme in the slightly weaker sequential setting. We also show that our security proof reduces from the weakest possible assumption, with respect to known reduction techniques

Concurrent Security of Anonymous Credentials Light, Revisited

We revisit the concurrent security guarantees of the well-known Anonymous Credentials Light (ACL) scheme (Baldimtsi and Lysyanskaya, CCS\u2713). This scheme was originally proven secure when executed sequentially, and its concurrent security was left as an open problem. A later work of Benhamouda et al. (EUROCRYPT\u2721) gave an efficient attack on ACL when executed concurrently, seemingly resolving this question once and for all. In this work, we point out a subtle flaw in the attack of Benhamouda et al. on ACL and show, in spite of popular opinion, that it can be proven concurrently secure. Our modular proof in the algebraic group model uses an ID scheme as an intermediate step and leads to a major simplification of the complex security argument for Abe\u27s Blind Signature scheme by Kastner et al. (PKC\u2722)