Weakly Secure Equivalence-Class Signatures from Standard Assumptions [chapter]

Georg Fuchsbauer, Romain Gay
2018, Lecture Notes in Computer Science (Springer International Publishing)
Structure-preserving signatures on equivalence classes, or equivalence-class signatures for short (EQS), are signature schemes defined over bilinear groups whose messages are vectors of group elements. Signatures are perfectly randomizable and, given a signature on a vector, anyone can derive a signature on any multiple of the vector; EQS thus sign projective equivalence classes. Applications of EQS include the first constant-size anonymous attribute-based credentials, efficient round-optimal ... nd signatures without random oracles and efficient access-control encryption. To date, the only existing instantiation of EQS is proven secure in the generic-group model. In this work we show that by relaxing the definition of unforgeability, which makes it efficiently verifiable, we can construct EQS from standard assumptions, namely the Matrix-Diffie-Hellman assumptions. We then show that our unforgeability notion is sufficient for most applications.

[AGHO11] allow for more efficient schemes in that parts of the signature can, after randomization, be given in the clear. However, for privacy-preserving applications, they still inherently require hiding the message and using NIZK proofs.

EQS. Structure-preserving signatures on equivalence classes, or equivalence-class signatures (EQS) for short, allow similar applications to SPS. Unlike the latter, they achieve them without requiring any NIZK proofs on top, thereby yielding more efficient schemes. Intuitively, this is because not only their signatures but also the messages can be randomized. Equivalence-class signatures were introduced by Hanser and Slamanig [HS14]. Their initial instantiation was only secure against random-message attacks [Fuc14], which is insufficient for the intended applications. With Fuchsbauer [FHS14] they subsequently presented a scheme that satisfies the stronger notion of unforgeability under chosen-message attacks (EUF-CMA) in the generic group model. They also strengthened the model of EQS, which later enabled further applications [FHS15]. As for regular SPS, the messages in an EQS system are vectors of group elements $[m]_1 \in \mathbb{G}_1$ (which in our notation stands for $(m_1 \cdot P_1, \ldots, m \cdot P_1)$ with $P_1$ being a generator of $\mathbb{G}_1$). EQS provide an additional algorithm that, given a signature $\sigma$ for message $[m]_1$, allows adapting $\sigma$ to a signature for the message $[\mu \cdot m]_1$ for any $\mu \in \mathbb{Z}_p^*$ without access to the signing key.
A signature therefore actually signs all multiples of a message at once (as a signature can be adapted to any of them). In other words, signatures are on equivalence classes of the equivalence relation "∼" on the message space ( The definition of EQS moreover requires that signatures are randomizable, in that adaptation to a new representative leads to a signature that is distributed like a fresh signature for the new representative. The DDH assumption in group $\mathbb{G}_1$ implies that given a message $[m]_1 \in (\mathbb{G}_1^*)$, then $[\mu \cdot m]_1$ for a random $\mu$ is indistinguishable from $[m]_1$ for a random $m$. For EQS signatures, DDH thus implies that given a message-signature pair $([m]_1, \sigma)$, an adapted signature on a random representative $([\mu \cdot m]_1, \sigma)$ looks like a fresh signature on a random message. It is the latter property that is central in applications that use EQS instead of SPS+GS-proofs. Instead of having users give (costly) zero-knowledge proofs that they possess a signature to protect their privacy, it suffices to use an EQS scheme and have the user randomize the message and adapt the signature every time they show it. (We discuss applications of EQS in more detail below.)

Existential unforgeability under chosen-message attacks (EUF-CMA) for EQS is defined with respect to equivalence classes: an adversary that can query signatures for messages $[m_i]_1$ of its choice should be incapable of returning a signature for a message $[m^*]_1$ such that $[m^*]_1$ is not a multiple of any $[m_i]_1$. (Note that this winning condition cannot be efficiently decided, as this would amount to breaking DDH.) The first EQS scheme by FHS [FHS14] signs messages from $(\mathbb{G}_1^*)$ and signatures consist of 3 group elements. The authors show that this size is optimal by relying on an impossibility result [AGO11] for SPS. Security of the FHS
doi:10.1007/978-3-319-76581-5_6 (https://doi.org/10.1007/978-3-319-76581-5_6), fatcat:focajfokmjdprekbaj3g23ucjy