Structure-Preserving Signatures on Equivalence Classes and Their Application to Anonymous Credentials [chapter]

Christian Hanser, Daniel Slamanig
2014 Lecture Notes in Computer Science  
Structure-preserving signatures are a quite recent but important building block for many cryptographic protocols. In this paper, we introduce a new type of structure-preserving signatures, which allows to sign group element vectors and to consistently randomize signatures and messages without knowledge of any secret. More precisely, we consider messages to be (representatives of) equivalence classes on vectors of group elements (coming from a single prime order group), which are determined by
the mutual ratios of the discrete logarithms of the representative's vector components. By multiplying each component with the same scalar, a different representative of the same equivalence class is obtained. We propose a definition of such a signature scheme, a security model and give an efficient construction, which we prove secure in the SXDH setting where EUF-CMA security is proven against generic forgers in the generic group model and the so called class hiding property is proven under the DDH assumption. As a second contribution, we use the proposed signature scheme to build an efficient multi-show attribute-based anonymous credential (ABC) system that allows to encode an arbitrary number of attributes. This is, to the best of our knowledge, the first ABC system that provides constant-size credentials and constant-size showings. To allow an efficient construction in combination with the proposed signature scheme, we also introduce a new, efficient, randomizable polynomial commitment scheme. Aside from these two building blocks, the credential system requires a very short and constant-size proof of knowledge to provide freshness in the showing protocol. We present our ABC system along with a suitable security model and rigorously prove its security.

This is an updated version of the paper in response to the paper [38] by Fuchsbauer. He provides an attack which invalidates the claimed EUF-CMA security of the candidate construction of an SPS-EQ-R scheme included in the proceedings version of ASIACRYPT 2014 (and also in this extended version). Subsequently, we discuss the implications and updates in this version.

1. For our original candidate construction of an SPS-EQ-R we falsely claimed EUF-CMA security (as shown in [38]). In this paper we show that the original construction at least provides unforgeability against random message attacks (RMA) (however, due to 3) we consider the original candidate construction as obsolete).
2. The attack does not affect the multi-show attribute-based anonymous credential (ABC) system construction, as it can be instantiated in a black-box way from any EUF-CMA secure SPS-EQ-R scheme.
3. In a recent work [39], together with Fuchsbauer, we present an EUF-CMA secure SPS-EQ-R scheme, which is even more efficient than the original construction in every respect. As a consequence, our ABC system can be efficiently instantiated.

hash function is usually required to be modeled as a random oracle (thus, one signs random group elements). In contrast, structure-preserving signatures [36, 6, 1, 2, 23, 5, 4] can handle messages which are elements of two groups $G_1$ and $G_2$ equipped with a bilinear map, without requiring any prior encoding. Basically, in a structure-preserving signature scheme the public key, the messages and the signatures consist only of group elements and the verification algorithm evaluates a signature by deciding group membership of elements in the signature and by evaluating pairing product equations. Such signature schemes typically allow to sign vectors of group elements (from one of the two groups $G_1$ and $G_2$, or mixed) and also support some types of randomization (inner, sequential, etc., cf. [1, 5]). Randomization is one interesting feature of signatures, as a given signature can be randomized to another unlinkable version of the signature for the same message. Besides randomizable structure-preserving signatures, there are various other constructions of such signature schemes [26, 27, 20, 49]. We emphasize that although these schemes are randomizable, they are still secure digital signatures in the standard sense (EUF-CMA security). We are interested in constructions of structure-preserving signature schemes that do not only allow randomization of the signature, but also allow to randomize the signed message in particular ways. Such signature schemes are particularly interesting for applications in privacy-enhancing cryptographic protocols.
Contribution

This paper has three contributions: A novel type of structure-preserving signatures defined on equivalence classes on group element vectors, a novel randomizable polynomial commitment scheme, which allows to open factors of the polynomial committed to, and a new construction (type) of multi-show attribute-based anonymous credentials (ABCs), which is instantiated from the first two contributions.

Structure-Preserving Signature Scheme on Equivalence Classes: Inspired by randomizable signatures, we introduce a novel variant of structure-preserving signatures. Instead of signing particular message vectors as in other schemes, the scheme produces signatures on classes of an equivalence relation R defined on $(G_1^*)$ with > 1 (where we use $G_1^*$ to denote $G_1 \setminus \{0_{G_1}\}$). More precisely, we consider messages to be (representatives of) equivalence classes on $(G_1^*)$, which are determined by the mutual ratios of the discrete logarithms of the representative's vector components. By multiplying each component with the same scalar, a different representative of the same equivalence class is obtained. Initially, an equivalence class is signed by signing an arbitrary representative. Later, one can obtain a valid signature for every other representative of this class, without having access to the secret key. Furthermore, we require two representatives of the same class with corresponding signatures to be unlinkable, which we call class hiding. We present a definition of such a signature scheme along with game based notions of security and present an efficient construction, which produces short and constant-size signatures that are independent of the message vector length . We prove the security of our construction in the generic group model against generic forgers and the DDH assumption, respectively.

Polynomial Commitments with Factor Openings: We propose a new, efficient, randomizable polynomial commitment scheme. It is computationally binding, unconditionally hiding, allows to commit to monic, reducible polynomials and is represented by an element of a bilinear group. It allows to open factors of committed polynomials and re-randomization (i.e., multiplication with a scalar) does not change the polynomial committed to, but requires only a consistent randomization of the witnesses involved in the factor openings. We present a definition as well as a construction of such a polynomial commitment scheme along with a security model in which we prove the construction secure.

A Multi-Show Attribute-Based Anonymous Credential (ABC) System: We describe a new way to build multi-show ABCs (henceforth, we will only write ABCs) as an application of the first two contributions. From another perspective, the signature scheme allows to consistently randomize a vector of group elements and its signature. So, it seems natural to use this property to achieve unlinkability during the showings of an ABC system. To enable a compact attribute representation, which is compatible with the randomization property of the signature scheme, we encode the attributes to polynomials and commit to them using the introduced polynomial commitment scheme. During the issuing, the obtainer is, then, given a set of attributes and the credential, which is a message (vector) consisting of the polynomial commitment and the generator of the group plus the corresponding signature. During a showing, a subset of the issued attributes can be shown by opening the corresponding factors of the committed polynomial. The unlinkability of showings is achieved through the inherent re-randomization properties of the signature scheme and the polynomial commitment scheme, which are compatible to each other. Furthermore, to provide freshness during a showing, we require
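
An added illustration, not code from the paper: the equivalence classes on group element vectors described above, in a toy prime-order group written multiplicatively, so the paper's multiplication of each component with a scalar becomes exponentiation. The parameters `P`, `Q`, `G`, the helper names and the sample message are constructed for this example; the brute-force discrete logarithm works only because the group is tiny, and no signature scheme is implemented.

```python
# Added toy example; parameters and names are assumptions, not from the paper.
P, Q, G = 2039, 1019, 4   # P = 2Q + 1; G generates the order-Q subgroup mod P

def check_message(M):
    """A message is a vector (length > 1) of non-identity subgroup elements."""
    if len(M) < 2 or any(x == 1 or pow(x, Q, P) != 1 for x in M):
        raise ValueError("not a vector over the group minus its identity")

def change_rep(M, mu):
    """Apply one scalar mu in Z_Q^* to every component; needs no secret key."""
    check_message(M)
    if mu % Q == 0:
        raise ValueError("mu must be non-zero mod Q")
    return tuple(pow(x, mu, P) for x in M)

def dlog(h):
    """Brute-force discrete log to base G (only feasible in a toy group)."""
    acc = 1
    for e in range(Q):
        if acc == h:
            return e
        acc = acc * G % P
    raise ValueError("element is not in the subgroup")

def class_label(M):
    """Mutual ratios of the components' discrete logs, relative to the first."""
    check_message(M)
    logs = [dlog(x) for x in M]
    inv = pow(logs[0], -1, Q)          # logs[0] != 0 because M[0] != identity
    return tuple(l * inv % Q for l in logs)

def same_class(M, N):
    """Decide class membership via discrete logs (a trapdoor the toy allows)."""
    return len(M) == len(N) and class_label(M) == class_label(N)

def all_representatives(M):
    """Every representative of M's class: one per scalar in Z_Q^*."""
    return {change_rep(M, mu) for mu in range(1, Q)}

# Constructed sample message with discrete logs 7, 11, 13.
M = tuple(pow(G, m, P) for m in (7, 11, 13))
N = change_rep(M, 123)                          # new representative, same class
W = (pow(M[0], 5, P), pow(M[1], 6, P), M[2])    # unequal scalars: other class

if __name__ == "__main__":
    print(class_label(M), class_label(N), class_label(W))
    print(same_class(M, N), same_class(M, W), len(all_representatives(M)))
```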
doi:10.1007/978-3-662-45611-8_26 fatcat:s4hwcekdevbfpaaylgdhp6264a