Keywords

1 Introduction

The concept of blind signatures [22] dates back to the beginning of the 1980s. A blind signature scheme is an interactive protocol where a user (or obtainer) requests a signature on a message which the signer (or issuer) must not learn. In particular, the signer must not be able to link a signature to the execution of the issuing protocol in which it was produced (blindness). Furthermore, it should even for adaptive adversaries be infeasible to produce a valid blind signature without the signing key (unforgeability). Blind signatures have proven to be an important building block for cryptographic protocols, most prominently for e-cash, e-voting and one-show anonymous credentials. In more than 30 years of research, many different (\(> 50\)) blind signature schemes have been proposed. The spectrum ranges from RSA-based (e.g., [19, 22]) over DL-based (e.g., [2, 41]) and pairing-based (e.g., [12, 14]) to lattice-based (e.g., [44]) constructions, as well as constructions from general assumptions (e.g., [25, 35, 36]).

Blind Signatures and Their Round Complexity. Two distinguishing features of blind signatures are whether they assume a common reference string (CRS) set up by a trusted party to which everyone has access; and the number of rounds in the signing protocol. Schemes which require only one round of interaction (two moves) are called round-optimal [25]. Besides improving efficiency, round optimality also directly yields concurrent security (which otherwise has to be dealt with explicitly; e.g., [35, 37]). There are very efficient round-optimal schemes [11, 14, 23] under interactive assumptions (chosen target one more RSA inversion and chosen target CDH, respectively) in the random oracle model (ROM), as well as under the interactive LRSW [39] assumption in the CRS model [32]. All these schemes are in the honest-key model, where blindness only holds against signers whose keys are generated by the experiment.

Fischlin [25] proposed a generic framework for constructing round-optimal blind signatures in the CRS model with blindness under malicious keys: the signer signs a commitment to the message and the blind signature is a non-interactive zero-knowledge (NIZK) proof of a signed commitment which opens to the message. Using structure-preserving signatures (SPS) [3] and the Groth-Sahai (GS) proof system [33] instead of general NIZKs, this framework was efficiently instantiated in [3]. In [12, 13], Blazy et al. gave alternative approaches to compact round-optimal blind signatures in the CRS model which avoid including a GS proof in the final blind signature. Another round-optimal solution with comparable computational costs was proposed by Seo and Cheon [46] building on work by Meiklejohn et al. [40].

Removing the CRS. Known impossibility results indicate that the design of round-optimal blind signatures in the standard model has some limitations. Lindell [38] showed that concurrently secure (and consequently also round-optimal) blind signatures are impossible in the standard model when using simulation-based security notions. This can however be bypassed via game-based security notions, as shown by Hazay et al. [35] for non-round-optimal constructions.

Fischlin and Schröder [27] showed that black-box reductions of blind-signature unforgeability to non-interactive assumptions in the standard model are impossible if the scheme has three moves or less, blindness holds statistically (or computationally if unforgeability and blindness are unrelated) and protocol transcripts allow to verify whether the user is able to derive a signature. Existing constructions [30, 31] bypass these results by making non-black-box use of the underlying primitives (and preventing signature-derivation checks in [31]).

Garg et al. [31] proposed the first round-optimal generic construction in the standard model, which can only be considered as a theoretical feasibility result. Using fully homomorphic encryption, the user encrypts the message sent to the signer, who evaluates the signing circuit on the ciphertext. To remove the CRS, they use two-round witness-indistinguishable proofs (ZAPs) to let the parties prove honest behavior; to preserve round-optimality, they include the first fixed round of the ZAP in the signer’s public key.

Garg and Gupta [30] proposed the first efficient round-optimal blind signature constructions in the standard model. They build on Fischlin’s framework using SPS. To remove a trusted setup, they use a two-CRS NIZK proof system based on GS proofs, include the CRSs in the public key while forcing the signer to honestly generate the CRS. Their construction, however, requires complexity leveraging (the reduction for unforgeability needs to solve a subexponential DL instance for every signing query) and is proven secure with respect to non-uniform adversaries. Consequently, communication complexity is in the order of hundreds of KB (even at a 80-bit security level) and the computational costs (not considered by the authors) seem to limit their practical application even more significantly.

Partially Blind Signatures. Partially blind signatures are an extension of blind signatures, which additionally allow to include common information in a signature. Many non-round-optimal partially blind signature schemes in the ROM are based on a technique by Abe and Okamoto [7]. The latter [42] proposed an efficient construction for non-round-optimal blind as well as partially blind signatures in the standard model. Round-optimal partially blind signatures in the CRS model can again be obtained from Fischlin’s framework [25]. Round-optimal partially blind signatures in the CRS model are constructed in [13, 40, 46]. To date, there is—to the best of our knowledge—no round-optimal partially blind signature scheme that is secure in the standard model.

One-Show Anonymous Credentials Systems. Such systems allow a user to obtain a credential on several attributes from an issuer. The user can later selectively show attributes (or prove relations about attributes) to a verifier without revealing any information about undisclosed attributes. No party (including the issuer) can link the issuing of a credential to any of its showings, yet different showings of the same credential are linkable. An efficient implementation of one-show anonymous credentials is Microsoft’s U-Prove [16].

Baldimtsi and Lysyanskaya [9] showed that the underlying signature scheme [15] cannot be proven secure using known techniques. To mitigate this problem, in [8] they presented a generic construction of one-show anonymous credentials in the vein of Brands’ [15] approach from so-called blind signatures with attributes. They also present a scheme based on a non-round-optimal blind signature scheme by Abe [2] and prove their construction secure in the ROM.

Our Contribution

Blind Signatures and Anonymous Credentials. Besides Fischlin’s generic commit-prove paradigm [25], there are other classes of schemes. For instance, RSA and BLS blind signatures [11, 14, 23] follow a randomize-derandomize approach, which exploits the homomorphic property of the respective signature scheme. Other approaches follow the commit-rerandomize-transform paradigm, where a signature on a commitment to a message can be transformed into a rerandomized (unlinkable) signature on the original message [12, 32]. Our construction is based on a new concept, which one may call commit-randomize-derandomize-open approach. It does not use non-interactive proofs at all and is solely based on the recent concept of structure-preserving signature schemes on equivalence classes (SPS-EQ) [34] and commitments. As we also avoid a trusted setup of the commitment parameters, we do not require a CRS. We do however prove our scheme secure under interactive hardness assumptions.

In SPS-EQ the message space is partitioned into equivalence classes and given a signature on a message anyone can adapt the signature to a different representative of the same class. SPS-EQ requires that after signing a representative a signer cannot distinguish between an adapted signature for a new representative of the same class and a fresh signature on a completely random message.

In our blind-signature scheme the obtainer combines a commitment to the message with a normalization element yielding a representative of an equivalence class (commit). She chooses a random representative of the same class (randomize), on which the signer produces a signature. She then adapts the signature to the original representative containing the commitment (derandomize), which can be done without requiring the signing key. The blind signature is the rerandomized (unlinkable) signature for the original representative plus an opening for the commitment (open). Our contributions to blind signatures are the following:

  • We propose a new approach to constructing blind signatures in the standard model based on SPS-EQ. It yields conceptually simple and compact constructions and does not rely on techniques such as complexity leveraging. Our blind signatures are practical in terms of key size, signature size, communication and computational effort (when implemented with known instantiations of SPS-EQ  [29], a blind signature consists of 5 bilinear-group elements).

  • We provide the first construction of round-optimal partially blind signatures in the standard model, which follow straightforwardly from our blind signatures and are almost as efficient.

  • We generalize our blind signature scheme to message vectors, which yields one-show anonymous credentials à la “anonymous credentials light” [8]. We thus obtain one-show anonymous credentials secure in the standard model (whereas all previous ones have either no security proof or ones in the ROM).

SPS-EQ. We give the first structure-preserving signatures on equivalence classes satisfying all security notions from [34] under non-interactive assumptions. (Unfortunately, the scheme does not have all the properties required for building blind signatures from it, for which we strengthen the notions from [34].)

Moreover, we show how any SPS-EQ scheme can be turned into a standard structure-preserving signature scheme. This transformation allows us to apply the optimality criteria by Abe et al. [4, 5] to SPS-EQ. We conclude that the scheme from [29] is optimal in terms of signature size and verification complexity and that it cannot be proven unforgeable under non-interactive assumptions.

2 Preliminaries

A function \(\epsilon :\mathbb {N}\rightarrow \mathbb {R}^+\) is negligible if \(\forall \,c > 0\ \exists \,k_0\ \forall \,k > k_0 : \epsilon (k) < 1/k^c\). By we denote that a is chosen uniformly at random from a set S. We write \(\mathsf{A}(a_1,\dots ,a_n; r)\) to make the randomness r used by a probabilistic algorithm \(\mathsf{A}(a_1,\dots ,a_n)\) explicit. If \(\mathbb {G}\) is an (additive) group then \(\mathbb {G}^*\) denotes \(\mathbb {G}\setminus \{0_\mathbb {G}\}\).

Definition 1

(Bilinear Map). Let \((\mathbb {G}_1,+)\), \((\mathbb {G}_2,+)\), generated by P and \(\hat{P}\), resp., and \((\mathbb {G}_T,\cdot )\) be cyclic groups of prime order p. We call \(e:\mathbb {G}_1\times \mathbb {G}_2 \rightarrow \mathbb {G}_T\) a bilinear map (pairing) if it is efficiently computable and the following holds:

  • Bilinearity: \(e(aP, b\hat{P}) = e(P,\hat{P})^{ab} = e(bP,a\hat{P}) ~~~ \forall \, a,b\in \mathbb {Z}_p\).

  • Non-degeneracy: \(e(P,\hat{P}) \ne 1_{\mathbb {G}_T}\), i.e., \(e(P,\hat{P})\) generates \(\mathbb {G}_T\).

If \(\mathbb {G}_1 = \mathbb {G}_2\), then e is symmetric (Type-1) and asymmetric (Type-2 or 3) otherwise. For Type-2 pairings there is an efficiently computable isomorphism \(\Psi :\mathbb {G}_2 \rightarrow \mathbb {G}_1\); for Type-3 pairings no such isomorphism is known. Type-3 pairings are currently the optimal choice in terms of efficiency and security trade-off [21].

Definition 2

(Bilinear-Group Generator). A bilinear-group generator is a polynomial-time algorithm \(\mathsf BGGen\) that takes a security parameter \(1^\kappa \) and outputs a bilinear group \(\mathsf{BG}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P,\hat{P})\) consisting of groups \(\mathbb {G}_1 = \langle P \rangle \), \(\mathbb {G}_2 = \langle \hat{P} \rangle \) and \(\mathbb {G}_T\) of prime order p with \(\log _2 p = \kappa \) and a pairing \(e:\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). In this work we assume that \(\mathsf BGGen\) is a deterministic algorithm.Footnote 1

Definition 3

(Decisional Diffie-Hellman Assumption). Let \(\mathsf BGGen\) be a bilinear-group generator that outputs \(\mathsf{BG}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P_1 = P,P_2 = \hat{P})\). The DDH assumption holds in \(\mathbb {G}_i\) for \(\mathsf BGGen\) if for all probabilistic polynomial-time (PPT) adversaries \(\mathcal {A}\) there is a negligible function \(\epsilon (\cdot )\) such that

Definition 4

((Symmetric) External Diffie-Hellman Assumption). The XDH and SXDH assumptions hold for \(\mathsf BGGen\) if the DDH assumption holds in \(\mathbb {G}_1\) and holds in both \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively.

The next assumption is a static computational assumption derived from the SXDH version of the q-Diffie-Hellman inversion assumption [21].

Definition 5

(Co-Diffie-Hellman Inversion Assumption). Let \(\mathsf BGGen\) be a bilinear-group generator that outputs \(\mathsf{BG}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P_1 = P,P_2 = \hat{P})\). The co-DHI\(^*_i\) assumption holds for \(\mathsf BGGen\) if for every PPT adversary \(\mathcal {A}\) there is a negligible function \(\epsilon (\cdot )\) such that

co-DHI\(^*_1\) is implied by a variant of the decision linear assumption in asymmetric groups stating that given \((\mathsf{BG},(aP_j,bP_j)_{j\in [2]},raP_{2},sbP_{2})\) for it is hard to distinguish \(T=(r+s)P_{2}\) from a random \(\mathbb {G}_2\) element. (A co-DHI\(^*_i\) solver could be used to compute \(\frac{1}{a} P_1\) and \(\frac{1}{b} P_1\), which enables to check whether \(e(\frac{1}{a} P_1,raP_2)\,e(\frac{1}{b} P_1,sb P_2)=e(P_1,T)\).) This holds analogously for co-DHI\(^*_2\).

Generalized Pedersen Commitments. These are commitments to a vector of messages \(\mathbf {m} = (m_i)_{i\in [n]}\in \mathbb {Z}_p^{\,n}\) that consist of one group element. They are perfectly hiding and computationally binding under the discrete-log assumption.

  • \(\mathsf{Setup}_\mathsf{P}(1^\kappa ,n)\) : Choose a group \(\mathbb {G}\) of prime order p with \(\log _2 p = \kappa \) and \(n+1\) distinct generators \((P_i)_{i \in [n]},Q\) and output parameters \(\mathsf{cpp}\leftarrow (\mathbb {G},p,(P_i)_{i \in [n]},Q)\) (which is an implicit input to the following algorithms).

  • \(\mathsf{Commit}_\mathsf{P}(\mathbf {m};r)\) : On input a vector \(\mathbf {m} \in \mathbb {Z}_p^{\,n}\) and randomness \(r\in \mathbb {Z}_p\), output a commitment \(C \leftarrow \sum _{i \in [n]} m_iP_i+rQ\) and an opening \(O \leftarrow (\mathbf {m},r)\).

  • \(\mathsf{Open}_\mathsf{P}(C,O)\) : On input \(C\in \mathbb {G}\) and \(O = (\mathbf {m},r)\), if \(C=\sum _{i \in [n]} m_iP_i+rQ\) then output \(\mathbf {m} = (m_i)_{i\in [n]}\); else output \(\bot \).

Remark 1

\(\mathsf{Setup}_\mathsf{P}\) is typically run by a trusted party; it can however also be run by the receiver since commitments are perfectly hiding.

2.1 Structure-Preserving Signatures on Equivalence Classes

Structure-preserving signatures (SPS) [3, 4, 6, 18] can sign elements of a bilinear group without requiring any prior encoding. In such a scheme public keys, messages and signatures consist of group elements only and the verification algorithm evaluates a signature by deciding group membership and evaluating pairing-product equations (PPEs).

The notion of SPS on equivalence classes (SPS-EQ) was introduced by Hanser and Slamanig [34]. Their initial instantiation turned out to only be secure against random-message attacks (cf. [28] and the updated full version of [34]), but together with Fuchsbauer [29] they subsequently presented a scheme that is unforgeable under chosen-message attack (EUF-CMA) in the generic group model.

The concept of SPS-EQ is as follows. Let p be a prime and \(\ell > 1\); then \({\mathbb {Z}_p}^{\ell }\) is a vector space and we can define a projective equivalence relation on it, which propagates to \({\mathbb {G}_i}^{\ell }\) and partitions \({\mathbb {G}_i}^{\ell }\) into equivalence classes. Let \(\sim _\mathcal {R}\) be this relation, i.e., for \(M, N \in {\mathbb {G}_i}^{\ell }: M \sim _\mathcal {R}N \,\Leftrightarrow \,\exists \, s\in \mathbb {Z}_{p}^* : M = s N\). An SPS-EQ scheme signs an equivalence class \([M]_\mathcal{R}\) for \(M \in (\mathbb {G}_i^*)^\ell \) by signing a representative M of \([M]_\mathcal {R}\). It then allows for switching to other representatives of \([M]_\mathcal {R}\) and updating the signature without access to the secret key. An important property of SPS-EQ is class-hiding, which roughly means that two message-signature pairs corresponding to the same class should be unlinkable.

Here, we discuss the abstract model and the security model of such a signature scheme, as introduced in [34].

Definition 6

(Structure-Preserving Signatures on Equivalence Classes). An SPS-EQ scheme SPS-EQ on \((\mathbb {G}_i^*)^\ell \) (for \(i\in \{1,2\}\)) consists of the following PPT algorithms:

  • \(\mathsf{BGGen}_\mathcal {R}(1^\kappa )\), a bilinear-group generation algorithm, which on input a security parameter \(\kappa \) outputs an asymmetric bilinear group \(\mathsf BG\).

  • \(\mathsf{KeyGen_\mathcal {R}}(\mathsf{BG},\ell )\), on input \(\mathsf{BG}\) and vector length \(\ell >1\), outputs a key pair \((\mathsf{sk},\mathsf{pk})\).

  • \(\mathsf{Sign_\mathcal {R}}(M,\mathsf{sk})\), given a representative \(M \in (\mathbb {G}_i^*)^\ell \) and a secret key \(\mathsf{sk}\), outputs a signature \(\sigma \) for the equivalence class \([M]_\mathcal {R}\).

  • \(\mathsf{ChgRep_\mathcal {R}}(M, \sigma , \mu , \mathsf{pk})\), on input a representative \(M \in (\mathbb {G}_i^*)^\ell \) of class \([M]_\mathcal {R}\), a signature \(\sigma \) on M, a scalar \(\mu \) and a public key \(\mathsf{pk}\), returns an updated message-signature pair \((M', \sigma ')\), where \(M'=\mu \cdot M\) is the new representative and \(\sigma '\) its updated signature.

  • \(\mathsf{Verify_\mathcal {R}}(M,\sigma ,\mathsf{pk})\) is deterministic and, on input a representative \(M \in (\mathbb {G}_i^*)^\ell \), a signature \(\sigma \) and a public key \(\mathsf{pk}\), outputs \(1\) if \(\sigma \) is valid for M under \(\mathsf{pk}\) and \(0\) otherwise.

  • \(\mathsf{VKey_\mathcal {R}}(\mathsf{sk},\mathsf{pk})\) is a deterministic algorithm, which given a secret key \(\mathsf{sk}\) and a public key \(\mathsf{pk}\) outputs \(1\) if the keys are consistent and \(0\) otherwise.

An SPS-EQ scheme must satisfy correctness, EUF-CMA security and class-hiding.

Definition 7

(Correctness). An SPS-EQ scheme SPS-EQ on \((\mathbb {G}_i^*)^\ell \) is correct if for all \(\kappa \in \mathbb {N}\), all \(\ell >1\), all key pairs \((\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{KeyGen_\mathcal {R}}(\mathsf{BGGen_\mathcal {R}(1^\kappa )},\ell )\), all messages \(M \in (\mathbb {G}_i^*)^\ell \) and all \(\mu \in {\mathbb {Z}_p}^{*}\): \(\mathsf{VKey}_\mathcal {R}(\mathsf{sk},\mathsf{pk}) = 1\),

$$\begin{aligned}&\Pr \big [\mathsf{Verify_\mathcal {R}}(M, \mathsf{Sign_\mathcal {R}}(M,\mathsf{sk}),\mathsf{pk})=1\big ] = 1 \quad \text {and}\\&\Pr \big [\mathsf{Verify_\mathcal {R}}(\mathsf{ChgRep_\mathcal {R}}(M, \mathsf{Sign_\mathcal {R}}(M,\mathsf{sk}), \mu , \mathsf{pk}),\mathsf{pk})=1\big ] = 1.\end{aligned}$$

In contrast to standard signatures, EUF-CMA security is defined with respect to equivalence classes, i.e., a forgery is a signature on a message from an equivalence class from which no message has been signed.

Definition 8

(EUF-CMA). An SPS-EQ scheme SPS-EQ is existentially unforgeable under adaptively chosen-message attacks, if for all PPT algorithms \(\mathcal {A}\) with access to a signing oracle \(\mathcal {O}\), there is a negligible function \(\epsilon (\cdot )\) such that:

$$\Pr \left[ \begin{array}{l} \mathsf{BG}\leftarrow \mathsf{BGGen}_\mathcal {R}(1^\kappa ), \\ (\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{KeyGen}_\mathcal {R}(\mathsf{BG}, \ell ), \\ (M^*,\sigma ^*)\leftarrow \mathcal {A}^{\mathcal {O}(\cdot , \mathsf{sk})}(\mathsf{pk}) \end{array} \ :\ \begin{array}{l} [M^*]_\mathcal {R}\ne [M]_\mathcal {R}~~\forall M \in \mathcal {Q}~~\wedge \\ \mathsf{Verify}_\mathcal {R}(M^*,\sigma ^*,\mathsf{pk}) = 1\end{array}\right] \le \epsilon (\kappa ),$$

where \(\mathcal {Q}\) is the set of queries that \(\mathcal {A}\) has issued to the signing oracle \(\mathcal {O}\).

Class-hiding is defined in [34] and uses the following oracles and a list \(\mathcal {Q}\) to keep track of queried messages M.

  • \(\mathcal {O}^{RM}\): Pick a message , append it to \(\mathcal {Q}\) and return M.

  • \(\mathcal {O}^{RoR}(M, \mathsf{sk}, \mathsf{pk},b)\): Given message M, key pair \((\mathsf{sk},\mathsf{pk})\) and bit b, return \(\bot \) if \(M \not \in \mathcal {Q}\). On the first valid call, record M and \(\sigma \leftarrow \mathsf{Sign_\mathcal {R}}(M,\mathsf{sk})\); if later called on \(M'\ne M\), return \(\bot \). Pick and , set \((M_0,\sigma _0) \leftarrow \mathsf{ChgRep_\mathcal {R}}(M,\sigma ,\mu ,\mathsf{pk})\) and \((M_1,\sigma _1) \leftarrow (R, \mathsf{Sign}_\mathcal {R}(R,\mathsf{sk}))\) and return \((M_b,\sigma _b)\).

Definition 9

(Class-Hiding). An SPS-EQ scheme SPS-EQ on \((\mathbb {G}_i^*)^\ell \) is called class-hiding if for all \(\ell >1\) and PPT adversaries \(\mathcal {A}\) with oracle access to \(\mathcal {O}\leftarrow \{\mathcal {O}^{RM},\mathcal {O}^{RoR}(\cdot , \mathsf{sk}, \mathsf{pk}, b)\}\) there is a negligible function \(\epsilon (\cdot )\) such that

Scheme 1.
scheme 1

EUF-CMA-secure construction of an SPS-EQ scheme

Full size image

Fuchsbauer, Hanser and Slamanig [29] present an EUF-CMA-secure scheme, which we give as Scheme 1, and prove the following.

Theorem 1

Scheme 1 is EUF-CMA secure against generic forgers and class-hiding under the DDH assumption.

3 New Results on SPS-EQ

In the following, we present the first standard-model construction of SPS-EQ as modeled in [34]. We then introduce new properties to characterize SPS-EQ constructions, strengthening the notion of class-hiding. Finally, we show how to turn any SPS-EQ construction into an SPS construction. This does not only provide a new, efficient standard-model SPS scheme derived from our SPS-EQ scheme; it also allows us to infer optimality of the SPS-EQ scheme from [29], (Scheme 1) and the impossibility of basing its EUF-CMA security on non-interactive assumptions.

3.1 A Standard-Model SPS-EQ Construction

Following the approach by Abe et al. [4], we construct from scheme SPS-EQ, given as Scheme 1, an SPS-EQ scheme SPS-EQ \('\), given as Scheme 2, and prove that it satisfies EUF-CMA and class-hiding, both under non-interactive assumptions.

The scheme for \(\ell \)-length messages is simply Scheme 1 with message space \((\mathbb {G}_1^*)^{\ell +2}\), where before each signing two random group elements are appended to the message. Scheme 2 features constant-size signatures (\(4~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements), has public keys of size \(\ell + 2\) and still uses 2 PPEs for verification.

Scheme 2.
scheme 2

Standard-model SPS-EQ construction from Scheme 1

Full size image

Unforgeability follows from a q-type assumption that states that Scheme 1 for \(\ell = 2\) is secure against random-message attacks. (That is, no PPT adversary, given the public key and signatures on q random messages, can, with non-negligible probability, output a message-signature pair for an equivalence class that was not signed.) Class-hiding follows from class-hiding of Scheme 1. Both proofs can be found in the full version.

3.2 Perfect Adaption of Signatures

We now introduce new definitions characterizing the output distribution of \(\mathsf ChgRep_\mathcal {R}\), which lead to stronger notions than class-hiding. The latter only guarantees that given an honestly generated signature \(\sigma \) on M, the output \((\mu M,\sigma ')\) of \(\mathsf{ChgRep_\mathcal {R}}\) for a random \(\mu \) looks like a random message-signature pair. This however does not protect a user against a signer when the user randomizes a pair obtained from the signer. We thus explicitly require that an adaption of any valid (not necessarily honestly generated) signature is distributed like a fresh signature.

Definition 10

(Perfect Adaption of Signatures). SPS-EQ on \((\mathbb {G}_i^*)^\ell \) perfectly adapts signatures if for all tuples \((\mathsf{sk},\mathsf{pk},M,\sigma ,\mu )\) with

$$\begin{aligned} \mathsf{VKey}_\mathcal {R}(\mathsf{sk},\mathsf{pk})&=1&\mathsf{Verify}_\mathcal {R}(M,\sigma ,\mathsf{pk})&= 1&M&\in (\mathbb {G}_i^*)^\ell&\mu&\in {\mathbb {Z}_p}^{*}\end{aligned}$$

\(\mathsf{ChgRep_\mathcal {R}}(M,\sigma ,\mu ,\mathsf{pk})\) and \((\mu M, \mathsf{Sign_\mathcal {R}}(\mu M,\mathsf{sk}))\) are identically distributed.

We now show the relation between Definitions  9 and 10. The following is proven analogously to the proof of class-hiding of Scheme 1 in [29].

Proposition 1

Let SPS-EQ be an SPS-EQ scheme on \((\mathbb {G}_i^*)^\ell \), \(\ell > 1\), with perfect adaption of signatures. If is computationally indistinguishable from then SPS-EQ is class-hiding.

Corollary 1

If the DDH assumption holds in \(\mathbb {G}_i\) then any SPS-EQ scheme on \((\mathbb {G}_i^*)^\ell \) satisfying Definition 10 is class-hiding (Definition 9).

We note that the converse is not true, as witnessed by Scheme 2: it satisfies class-hiding, but the discrete logs of \((R_1,R_2)\) contained in a signature \(\sigma \) have the same ratio as those of \((\tilde{R}_1,\tilde{R}_2)\) from the output of \(\mathsf{ChgRep_\mathcal {R}}\).

Maliciously Chosen Keys. Whereas Definition 10 strengthens Definition 9 in that it considers maliciously generated signatures, the next definition strengthens this further by considering maliciously generated public keys. As there might not even be a corresponding signing key, we cannot compare the outputs of \(\mathsf{ChgRep_\mathcal {R}}\) to those of \(\mathsf{Sign_\mathcal {R}}\). We therefore require that \(\mathsf{ChgRep_\mathcal {R}}\) outputs a random element that satisfies verification.

Definition 11

(Perfect Adaption Under Malicious Keys). SPS-EQ on \((\mathbb {G}_i^*)^\ell \) perfectly adapts signatures under malicious keys if for all tuples \((\mathsf{pk},M,\sigma ,\mu )\) with

$$\begin{aligned} \mathsf{Verify}_\mathcal {R}(M,\sigma ,\mathsf{pk})&= 1&M&\in (\mathbb {G}_i^*)^\ell&\mu&\in {\mathbb {Z}_p}^{*}\end{aligned}$$

we have that \(\mathsf{ChgRep_\mathcal {R}}(M,\sigma ,\mu ,\mathsf{pk})\) outputs \((\mu M,\sigma ')\) such that \(\sigma '\) is a random element in the space of signatures, conditioned on \(\mathsf{Verify_\mathcal {R}}(\mu M,\sigma ',\mathsf{pk}) =1\).

Proposition 2

Scheme 1, from [29], satisfies both Definitions 10 and 11.

Proof (sketch)

For any \(M\in (\mathbb {G}_1^*)^\ell \) and \(\mathsf{pk}\in (\mathbb {G}_2^*)^\ell \), let \((x_i)_{i\in [\ell ]}\) be s.t. \(\mathsf{pk}=(x_i \hat{P})_{i\in [\ell ]}\). A signature \((Z, Y, \hat{Y}) \in \mathbb {G}_1 \times \mathbb {G}_1^* \times \mathbb {G}_2^*\) satisfying \(\mathsf{Verify_\mathcal {R}}(M,(Z, Y, \hat{Y}),\mathsf{pk})=1\) must be of the form \((Z =y \sum x_i M_i,Y =\frac{1}{y} P,\hat{Y} = \frac{1}{y} \hat{P})\) for some \(y\in {\mathbb {Z}_p}^{*}\). \(\mathsf{ChgRep_\mathcal {R}}\) outputs \(\sigma '=(y\psi \sum x_i \mu M_i,\frac{1}{y\psi } P,\frac{1}{y\psi } \hat{P})\), which is a random element in \(\mathbb {G}_1 \times \mathbb {G}_1^* \times \mathbb {G}_2^*\) satisfying \(\mathsf{Verify_\mathcal {R}}(M,\sigma ',\mathsf{pk})=1\).   \(\square \)

3.3 From SPS-EQ to (Rerandomizable) SPS Schemes

We now show how any EUF-CMA-secure SPS-EQ scheme that signs equivalence classes of \((\mathbb {G}_i^*)^{\ell + 1}\) with \(\ell > 0\) can be turned into an EUF-CMA-secure SPS scheme signing vectors of \((\mathbb {G}_i^*)^\ell \). (We note that SPS schemes typically allow messages from \(\mathbb {G}_1\) and/or \(\mathbb {G}_2\), which is preferable when used in combination with Groth-Sahai proofs.) The transformation works by embedding messages \((M_i)_{i \in [\ell ]} \in (\mathbb {G}_i^*)^\ell \) into \((\mathbb {G}_i^*)^{\ell + 1}\) as \(M' = ((M_i)_{i \in [\ell ]}, P)\) and signing \(M'\). To verify a signature \(\sigma \) on a message \((M_i)_{i \in [\ell ]} \in (\mathbb {G}_i^*)^\ell \) under key \(\mathsf{pk}\), one checks whether \(\mathsf{Verify_\mathcal {R}}(((M_i)_{i \in [\ell ]},P), \sigma , \mathsf{pk}) =1\).

What we have done is to allow only one single representative of each class, namely the one with P as its last element, a procedure we call normalization. EUF-CMA of the SPS-EQ states that no adversary can produce a signature on a message from an unqueried class, which therefore implies EUF-CMA of the resulting SPS scheme.

Moreover, from any SPS-EQ with perfect adaption of signatures the above transformation yields a rerandomizable SPS scheme, since signatures can be rerandomized by running \(\mathsf{ChgRep_\mathcal {R}}\) for \(\mu =1\) (Definition 10 guarantees that this outputs a random signature). This also means that the lower bounds for SPS over Type-3 groups given by Abe et al. in [4, 5] carry over to SPS-EQ: any SPS must use at least 2 PPEs for verification and must have at least 3 signature elements, which cannot be from the same group. Moreover, EUF-CMA security of optimal (that is, 3-element-signature) SPS-EQ schemes cannot be reduced to non-interactive assumptions.

Finally, let us investigate the possibility of SPS-EQ in the Type-1 and Type-2 pairing setting and implied lower bounds. Class-hiding requires the DDH assumption to hold on the message space. This excludes the Type-1 setting, while in Type-2 settings the message space must be \((\mathbb {G}_1^*)^\ell \). In [6] Abe et al. identified the following lower bounds for Type-2 SPS schemes with messages in \(\mathbb {G}_1\): 2 PPEs for verification and 3 group elements for signatures. The above transformation converts a Type-2 SPS-EQ into a Type-2 SPS, hence these optimality criteria apply to Type-2 SPS-EQ schemes as well.

Implications. Applying the above transformation to the SPS-EQ scheme from [29] (Scheme 1) yields a perfectly rerandomizable SPS scheme in Type-3 groups with constant-size signatures of unilateral length-\(\ell \) message vectors and public keys of size \(\ell + 1\). Scheme 1 is optimal as it only uses 2 PPEs and its signatures consist of 3 bilateral group elements. Hence, by [5] there is no reduction of its EUF-CMA security to a non-interactive assumption and the generic group model proof in [29] is the best one can achieve.

Applying our transformation to Scheme 2 yields a new standard-model SPS construction for unilateral length-\(\ell \) message vectors in Type-3 groups. It has constant-size signatures (\(4~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements), a public key of size \(\ell + 3\) and uses 2 PPEs for verification; it is therefore almost as efficient as the best known direct SPS construction from non-interactive assumptions in [4], whose signatures consist of \(3~\mathbb {G}_1 + 1~\mathbb {G}_2\) elements. Scheme 2 is partially rerandomizable [3], whereas the scheme in [4] is not.

4 Blind Signatures from SPS-EQ

We first present the abstract model for blind signature schemes. Security is defined by unforgeability and blindness and was initially studied in [36, 43] and then strengthened in [26, 45].

Definition 12

(Blind Signature Scheme). A blind signature scheme \(\mathsf{BS}\) consists of the following PPT algorithms:

  • \(\mathsf{KeyGen}_\mathsf{BS}(1^\kappa )\), on input \(\kappa \), returns a key pair \((\mathsf{sk}, \mathsf{pk})\). The security parameter \(\kappa \) is also an (implicit) input to the following algorithms.

  • \(({\mathcal {U}}_\mathsf{BS}(m, \mathsf{pk}), \mathcal {S}_\mathsf{BS}(\mathsf{sk}))\) are run by a user and a signer, who interact during execution. \({\mathcal {U}}_\mathsf{BS}\) gets input a message m and a public key \(\mathsf{pk}\) and \(\mathcal {S}_\mathsf{BS}\) has input a secret key \(\mathsf{sk}\). At the end \( {\mathcal {U}}_\mathsf{BS}\) outputs \(\sigma \), a signature on m, or \(\bot \) if the interaction was not successful.

  • \(\mathsf{Verify}_\mathsf{BS}(m, \sigma , \mathsf{pk})\) is deterministic and given a message-signature pair \((m, \sigma )\) and a public key \(\mathsf{pk}\) outputs \(1\) if \(\sigma \) is valid on m under \(\mathsf{pk}\) and \(0\) otherwise.

A blind signature scheme \(\mathsf{BS}\) must satisfy correctness, unforgeability and blindness.

Definition 13

(Correctness). A blind signature scheme \(\mathsf{BS}\) is correct if for all \(\kappa \in \mathbb {N}\), all \((\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{KeyGen_\mathsf{BS}}(1^\kappa )\), all messages m and \(\sigma \leftarrow ({{\mathcal {U}}_\mathsf{BS}}(m, \mathsf{pk}), {\mathcal {S}_\mathsf{BS}}(\mathsf{sk}))\) it holds that \(\mathsf{Verify_\mathsf{BS}}(m,\sigma ,\mathsf{pk})=1\).

Definition 14

(Unforgeability). \(\mathsf{BS}\) is unforgeable if for all PPT algorithms \(\mathcal {A}\) having access to a signer oracle, there is a negligible function \(\epsilon (\cdot )\) such that:

$$\Pr \!\left[ \! \begin{array}{l} (\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{KeyGen_\mathsf{BS}}(1^\kappa ), \\ (m_i^*, \sigma _i^*)_{i=1}^{k+1} \!\leftarrow \! \mathcal {A}^\mathsf{(\cdot , \mathcal {S}_\mathsf{BS}(\mathsf{sk}))}(\mathsf{pk}) \end{array} : \begin{array}{c} m_i^* \ne m_j^* ~ \forall i,j \in [k\!+\!1], i \ne j ~~ \wedge \\ \mathsf{Verify_\mathsf{BS}}(m_i^*,\sigma _i^*, \mathsf{pk}) \!=\! 1~ \forall i \in [k\!+\!1] \end{array} \right] \le \epsilon (\kappa ),$$

where k is the number of completed interactions with the oracle.

There are several flavors of blindness. The strongest definition is blindness in the malicious signer model [1, 42], which allows the adversary to create \(\mathsf{pk}\), whereas in the honest-signer model the key pair is set up by the experiment. We prove our construction secure under the stronger notion, which was also considered by the recent round-optimal standard-model constructions [30, 31].

Definition 15

(Blindness). \(\mathsf{BS}\) is called blind if for all PPT algorithms \(\mathcal {A}\) with one-time access to two user oracles, there is a negligible function \(\epsilon (\cdot )\) such that:

4.1 Construction

Our construction uses commitments to the messages and SPS-EQ to sign these commitments and to perform blinding and unblinding. Signing an equivalence class with an SPS-EQ scheme lets one derive a signature for arbitrary representatives of this class without knowing the private signing key. This concept provides an elegant way to realize a blind signing process as follows.

The signer’s key contains an element Q under which the obtainer makes a Pedersen commitment \(C=mP+rQ\) to the message m. (Since the commitment is perfectly hiding, the signer can be aware of q with \(Q=qP\).) The obtainer then forms a vector (CP), which can be seen as the canonical representative of equivalence class \([(C,P)]_\mathcal {R}\). Next, she picks and moves (CP) to a random representative (sCsP), which hides C. She sends (sCsP) to the signer and receives an SPS-EQ signature on it, from which she can derive a signature on the original message (CP), which she can publish together with an opening of C. As verification will check validity of the SPS-EQ signature on a message ending with P, the unblinding is unambiguous.

Let us now discuss how the user opens the Pedersen commitment \(C=mP+rQ\). Publishing (mr) directly would break blindness of the scheme (a signer could link a pair \(M=(D,S)\), received during signing, to a signature by checking whether \(D=mS+rqS\)). We therefore define a tweaked opening, for which we include \(\hat{Q}=q\hat{P}\) in addition to \(Q=qP\) in the signer’s public key. We define the opening as (mrP), which can be checked via the pairing equation \(e(C - mP, \hat{P}) =e(rP, \ Q)\). This opening is still computationally binding under the co-DHI\(_1^*\) assumption (in contrast to standard Pedersen commitments, which are binding under the discrete-log assumption). Hiding of the commitment still holds unconditionally, and we will prove the constructed blind-signature scheme secure in the malicious-signer model without requiring a trusted setup.

The scheme is presented as Scheme 3. (Note that for simplicity the blind signature contains \(T=rQ\) instead of C.) Correctness follows by inspection.

Scheme 3.
scheme 3

Blind signature scheme from SPS-EQ

Full size image

4.2 Security

Theorem 2

If the underlying SPS-EQ scheme is EUF-CMA secure and the co-DHI\(_1^*\) assumption holds then Scheme 3 is unforgeable.

The proof, which is given in the full version, follows the intuition that a forger must either forge an SPS-EQ signature on a new commitment or open a commitment in two different ways. The reduction has a natural security loss proportional to the number of signing queries.

Blindness. For the honest-signer model, blindness follows from the DDH assumption and perfect adaption of signatures (Definition 10) of the underlying SPS-EQ scheme. Let \(Q \leftarrow qP\) and let q be part of the signing key, and let (PrPsPtP) be a DDH instance. In the blindness game we compute M as \((m\cdot sP + q\cdot tP, sP)\). When the adversary returns a signature on M, we must adapt it to the unblinded message—which we cannot do as we do not know the blinding factor s. By perfect adaption however, an adapted signature is distributed as a fresh signature on the unblinded message, so, knowing the secret key, we can compute a signature \(\sigma \) on \((m\cdot P + q\cdot rP, P)\) and return the blind signature \((\sigma ,rP,q\cdot rP)\). If the DDH instance was real, i.e., \(t=s\cdot r\), then we perfectly simulated the game; if t was random then the adversary’s view during issuing was independent of m.

For blindness in the malicious-signer model, we have to deal with two obstacles. (1) We do not have access to the adversarially generated signing key, meaning we cannot recompute the signature on the unblinded message. (2) The adversarially generated public-key values \(Q, \hat{Q}\) do not allow us to embed a DDH instance for blinding and unblinding.

We overcome (1) by using the adversary \(\mathcal {A}\) itself as a signing oracle by rewinding it. We first run \(\mathcal {A}\) to obtain a signature on \((s'(mP+rQ),s'P)\), which, knowing \(s'\), we can transform into a signature on \((mP+rQ,P)\). We then rewind \(\mathcal {A}\) to the point after outputting its public key and run it again, this time embedding our challenge. In the second run we cannot transform the received signature, instead we use the signature from the first run, which is distributed identically, due to perfect adaption under malicious keys (Definition 11) of the SPS-EQ scheme.

To deal with the second obstacle, we use an interactive variant of the DDH assumption: Instead of being given PrPsP and having to distinguish rsP from random, the adversary, for some Q of its choice, is given rPrQsP and must distinguish rsQ from random.

Definition 16

(Assumption 1). Let \(\mathsf BGGen\) be a bilinear-group generator that outputs \(\mathsf{BG}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,P_1 = P,P_2 = \hat{P})\). We assume that for all PPT algorithms \(\mathcal {A}\) there is a negligible function \(\epsilon (\cdot )\) such that:

Proposition 3

The assumption in Definition 16 holds in generic groups and reaches the optimal, quadratic simulation-error bound.

Theorem 3

If the underlying SPS-EQ scheme has perfect adaption of signatures under malicious keys and Assumption 1 holds then Scheme 3 is blind.

The proofs can be found in the full version.

4.3 Discussion

Basing Our Scheme on Non-interactive Assumptions. Fischlin and Schröder [27] show that the unforgeability of a blind-signature scheme cannot be based on non-interactive hardness assumptions if (1) the scheme has 3 moves or less, (2) its blindness holds statistically and (3) from a transcript one can efficiently decide whether the interaction yielded a valid blind signature. Our scheme satisfies (1) and (3), whereas blindness only holds computationally.

They extend their result in [27] to computationally blind schemes that meet the following conditions: (4) One can efficiently check whether a public key has a matching secret key; this is the case in our setting because of group-membership tests and pairings. (5) Blindness needs to hold relative to a forgery oracle. As written in [27], this does e.g. not hold for Abe’s scheme [2], where unforgeability is based on the discrete-log problem and blindness on the DDH problem.

This is the case in our construction too (as one can forge signatures by solving discrete logarithms), hence the impossibility result does not apply to our scheme. Our blind signature construction is black-box from any SPS-EQ with perfect adaption under malicious keys (Definition 11). However, the only known such scheme is the one from [29], which is EUF-CMA secure in the generic-group model, that is, it is based on an interactive assumption. Plugging this scheme into Scheme 3 yields a round-optimal blind signature scheme with unforgeability under this interactive assumption and co-DHI\(^*_1\), and blindness (under adversarially chosen keys) under Assumption 1 (Definition 16), which is also interactive.

To construct a scheme under non-interactive assumptions, we would thus have to base blindness on a non-interactive assumption; and find an SPS-EQ scheme satisfying Definition 11 whose unforgeability is proven under a non-interactive assumption.

Efficiency of the Construction. When instantiating our blind-signature construction with the SPS-EQ scheme from [29] (given as Scheme 1), which we showed optimal, this yields a public key size of \(1~\mathbb {G}_1+3~\mathbb {G}_2\), a communication complexity of \(4~\mathbb {G}_1+1~\mathbb {G}_2\) and a signature size of \(4~\mathbb {G}_1+1~\mathbb {G}_2\) elements. For a 80-bit security setting, a blind signature has thus 120 Bytes.

The most efficient scheme from standard assumptions is based on DLIN [30]. Ignoring the increase of the security parameter due to complexity leveraging, their scheme has a public key size of \(43~\mathbb {G}_1\) elements, communication complexity \(18\log _2 q +41\) \(\mathbb {G}_1\) elements (where, e.g., we have \(\log _2 q=155\) when assuming that the adversary runs in \(\le 2^{80}\) steps) and a signature size of \(183~\mathbb {G}_1\) elements.

4.4 Round-Optimal Partially Blind Signatures

Partially blind signatures are an extension of blind signatures, where messages contain common information \(\gamma \), which is agreed between the user and the signer. This requires slight modifications to the unforgeability and blindness notions: An adversary breaks unforgeability if after k signing queries it outputs \(k+1\) distinct valid message-signature pairs for the same common information \(\gamma ^*\). In the partial-blindness game \(m_0\) and \(m_1\) must have the same common information \(\gamma \) to prevent the adversary from trivially winning the game. (Formal definitions for partially blind signatures can be found in the full version.)

Construction. We construct a round-optimal partially blind signature scheme \(\mathsf{PBS}= (\mathsf KeyGen_{\mathsf{{\tiny PBS}}},({\mathcal {U}}_{\mathsf{{\tiny PBS}}}, \mathcal {S}_{\mathsf{{\tiny PBS}}}),Verify_{\mathsf{{\tiny PBS}}})\) secure in the standard model from an SPS-EQ scheme SPS-EQ by modifying Scheme 3 as follows. To include common information \(\gamma \in {\mathbb {Z}_p}^{*}\), SPS-EQ is set up for \(\ell = 3\). On input \(M\leftarrow (s(mP+rQ),sP)\), \({\mathcal {S}_{\mathsf{{\tiny PBS}}}}\) returns a signature for \(M\leftarrow (s(mP+rQ), \gamma \cdot sP ,sP)\) and \({{\mathcal {U}}^{(2)}_{\mathsf{{\tiny PBS}}}}\) additionally checks correctness of the included \(\gamma \) and returns \(\bot \) if this is not the case. Otherwise, it runs \(((mP+rQ,\gamma P, P),\sigma )\leftarrow \mathsf{ChgRep_\mathcal {R}}(M, \pi , \frac{1}{s}, \mathsf{pk})\) and outputs signature \(\tau \leftarrow (\sigma ,rP,rQ)\) for message m and common information \(\gamma \). For this construction we obtain the following, whose proofs are analogous to those for Scheme 3.

Theorem 4

If SPS-EQ is EUF-CMA secure and the co-DHI\(_1^*\) assumption holds, then the resulting partially blind signature scheme is unforgeable.

Theorem 5

If SPS-EQ has perfect adaption under malicious keys and Assumption 1 holds, then the resulting partially blind signature scheme is partially blind.

5 One-Show Anonymous Credentials from SPS-EQ

Baldimtsi and Lysyanskaya [8] introduced blind signatures with attributes and show that they directly yield a one-show anonymous credential system in the vein of Brands [15]. In contrast to Brands’ original construction, their construction relies on a provably secure three-move blind signature scheme (in the ROM). In this section we show how to construct two-move blind signatures on message vectors, which straightforwardly yield anonymous one-show credentials that are secure in the standard model.

5.1 Blind Signatures on Message Vectors

Our construction \(\mathsf{BSV}\) of round-optimal blind signatures on message vectors \(\mathbf {m} \in \mathbb {Z}_p^{\,n}\) simply replaces the Pedersen commitment \(mP+rQ\) in Scheme 3 with a generalized Pedersen commitment \(\sum _{i \in [n]} m_i P_i + rQ\). Thus, \(\mathsf{KeyGen_{\mathsf{{\tiny BSV}}}}\), on input \(1^\kappa ,n\), additionally outputs generators \((P_i)_{i\in [n]}\) and \(\mathsf{Verify_{\mathsf{{\tiny BSV}}}}(\mathbf {m},(\sigma ,R,T),\mathsf{pk})\) checks \(\mathsf{Verify_\mathcal {R}}((\textstyle \sum _{i \in [n]} m_i P_i + T,P),\sigma ,\mathsf{pk}_\mathcal {R}) =1\) and \(e(T,\hat{P}) =e(R,\hat{Q})\). Due to space constraints, the construction \({\mathsf{BSV}}\) is detailed in the full version, where we also show the following.

Theorem 6

If the underlying SPS-EQ scheme is EUF-CMA secure and the co-DHI\(_1^*\) assumption holds then \(\mathsf{BSV}\) is unforgeable.

Theorem 7

If the underlying SPS-EQ scheme has perfect adaption under malicious keys and Assumption 1 holds then \(\mathsf{BSV}\) is blind.

5.2 Anonymous Credentials Light

The intuition behind our construction is comparable to [8], which roughly works as follows. In the registration phase, a user registers (once) a generalized Pedersen commitment C to her attributes and gives a zero-knowledge (ZK) proof of the opening (some attributes may be opened and some may remain concealed). In the preparation and validation phase, the user engages in a blind-signature-with-attributes protocol for some message m (which is considered the credential serial number) and another commitment \(C'\). \(C'\) is a so-called combined commitment obtained from C and a second credential-specific commitment provided by the user. Finally, the credential is the user output of a blind-signature-with-attributes protocol resulting in a signature on message m and a so-called blinded Pedersen commitment \(C''\). The latter contains the same attributes as C, but is unlinkable to C and \(C'\). Showing a credential amounts to presenting \(C''\) along with the blind signature and proving in ZK a desired relation about attributes within \(C''\).

Our construction combines \(\mathsf{BSV}\) with efficient ZK proofs and is conceptually simpler than the one in [8]. For issuing, the user sends the issuer a blinded version \(M \leftarrow (sC, sP)\) of a commitment C to the user’s attributes (M corresponds to the blinded generalized Pedersen commitment in [8]). In addition, the user engages in a ZK proof (denoted \(\mathsf PoK\)) proving knowledge of an opening of C (potentially revealing some of the committed attributes). The user obtains a \(\mathsf{BSV}\)-signature \(\pi \) on M and turns it into a blind signature \(\sigma \) for commitment C by running \(((C, P), \sigma ) \leftarrow \mathsf{ChgRep}_\mathcal {R}(M, \pi , \frac{1}{s}, \mathsf{pk})\). The credential consists of C, \(\sigma \) and the randomness r used to produce the commitment. It is showed by sending C and \(\sigma \) and proving in ZK a desired relation about attributes within C.

For ease of presentation, we only consider selective attribute disclosure below. We note that proofs for a rich class of relations [17, 20, 24] w.r.t. generalized Pederson commitments, as used by our scheme, could be used instead. Henceforth, we denote by S the index set of attributes to be shown and by U those to be withheld. During a showing, a ZK proof of knowledge for a commitment \(C=\sum _{i \in [n]} m_iP_i+ r Q\) to attributes \((m_i)_{i\in [n]}\) amounts to proving

$$\begin{aligned} \textstyle \mathsf{PoK_P}\big \{\big ((\alpha _j)_{j\in U},\beta \big ): C=\sum _{i\in S} m_i P_i + \sum _{j\in U} \alpha _j P_j + \beta Q \big \}\!\!\!.\end{aligned}$$
(1)

The proof for a blinded commitment \((A, B) = (sC, sP)\) during the obtain phase is done as follows.

$$\begin{aligned} \mathsf{PoK_{BP}}\left\{ \big ((\alpha _j)_{j\in U},\beta ,\gamma \big ):~~ \begin{array}{l}\textstyle A= \sum _{i\in S} m_i H_i + \sum _{j\in U} \alpha _j H_j + \beta H_Q ~~\wedge ~~ \\ \textstyle \bigwedge _{i \in [n]} (H_i=\gamma P_i) \wedge H_Q=\gamma Q \wedge B=\gamma P \end{array}\right\} \!\!\!\!.\end{aligned}$$
(2)

Here the representation is with respect to bases \(H_i=s P_i\), \(H_Q = sQ\), which are published and guaranteed to be correctly formed by \(\mathsf{PoK_{BP}}\).Footnote 2

Construction. As we combine scheme \(\mathsf{BSV}\) with ZK proofs, we need the following conceptual modifications. The signature \(\tau \leftarrow (\sigma ,R,T)\) reduces to \(\tau \leftarrow \sigma \), since the user provides a ZK-PoK proving knowledge of the randomness r in C. Moreover, verification takes C instead of \(\mathbf {m}\) as verifiers have only access to the commitment. Consequently, \(\mathsf{Verify}_{{\mathsf{{\tiny BSV}}}}\) of scheme \(\mathsf{BSV}\) only runs Verify \(_\mathcal {R}\).

Setup. The issuer runs \((\mathsf{sk}, \mathsf{pk}) \leftarrow \mathsf{KeyGen}_{\mathsf{{\tiny BSV}}}(1^\kappa , n)\), where n is the number of attributes in the system, and publishes \(\mathsf{pk}\) as her public key.

Issuing. A user with attribute values \(\mathbf {m}\) runs \((M,\mathsf{st}) \leftarrow {{\mathcal {U}}^{_{(1)}}_{\mathsf{{\tiny BSV}}}}(\mathbf {m}, \mathsf{pk};(s,r))\) (where (sr) is the chosen randomness), sends the blinded commitment \(M=(sC,sP)\) to the issuer and gives a proof \(\mathsf{PoK_{BP}}\) from (2) that M commits to \(\mathbf {m}\) (where the sets U and S depend on the application). The issuer returns \(\pi \leftarrow \mathcal {S}_{\mathsf{{\tiny BSV}}}(M,\mathsf{sk})\) and after running \(\sigma \leftarrow {{\mathcal {U}}^{_{(2)}}_{\mathsf{{\tiny BSV}}}}(\mathsf{st},\pi )\) (the outputs rP and rQ are not needed), the user holds a credential \((C,\sigma ,r)\).

Showing. Assume a user with credential \((C,\sigma ,r)\) to the attributes \(\mathbf {m} = (m_i)_{i \in [n]}\) wants to conduct a selective showing of attributes with a verifier who holds the issuer’s public key \(\mathsf{pk}\). They engage in a proof \(\mathsf{PoK_{P}}\) from (1) and the verifier additionally checks the signature for the credential by running \(\mathsf{Verify_{\mathsf{{\tiny BSV}}}}(C, \sigma , \mathsf{pk})\). If both verifications succeed, the verifier accepts the showing.

Let us finally note that there is no formal security model for one-show credentials. Theorem 2 in [8] informally states that a secure commitment scheme together with a blind signature scheme with attributes implies a one-show credential system. Using the same argumentation as [8], our construction yields a one-show credential system in the standard model.