
Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials

Abstract

Structure-preserving signatures (SPS) are a powerful building block for cryptographic protocols. We introduce SPS on equivalence classes (SPS-EQ), which allow joint randomization of messages and signatures. Messages are projective equivalence classes defined on group-element vectors, so multiplying a vector by a scalar yields a different representative of the same class. Our scheme lets one adapt a signature for one representative to a signature for another representative without knowledge of any secret. Moreover, given a signature, an adapted signature for a different representative is indistinguishable from a fresh signature on a random message. We propose a definitional framework for SPS-EQ and an efficient construction in Type-3 bilinear groups, which we prove secure against generic forgers. We also introduce set-commitment schemes that let one open subsets of the committed set. From this and SPS-EQ, we then build an efficient multi-show attribute-based anonymous credential system for an arbitrary number of attributes. Our ABC system avoids costly zero-knowledge proofs and only requires a short interactive proof to thwart replay attacks. It is the first credential system whose bandwidth required for credential showing is independent of the number of its attributes, i.e., constant-size. We propose strengthened game-based security definitions for ABC and prove our scheme anonymous against malicious organizations in the standard model; finally, we discuss a concurrently secure variant in the CRS model.

Notes

  1. More generally, the user could prove knowledge of a signature without revealing it. Although this can be a significant performance bottleneck, it allows for using ABCs with conventional signatures such as ECDSA, as in [36].

  2. As already mentioned earlier, there are independently (and subsequently) developed very strong simulation-based models in [31, 37].

  3. We use this as a shorthand for “appends i to \(\mathtt{OWNR}\), \(\mathsf{cred}\) to \(\mathtt{CRED}\) and \(\mathtt{A}\) to \(\mathtt{ATTR}\)”.

  4. This assumption was also made by Bellare et al. [23] and is justified by actual implementations. For example, BN-curves [25], the most common choice for Type-3 pairings, are generated deterministically.

  5. Hence, the only random choice made by the set-commitment setup algorithm is picking the commitment trapdoor a. Inside \(\mathsf{OrgKeyGen}\), we will make this randomness explicit.

  6. For instance, the approach in [35] for CL credentials in the RSA setting (encoding attributes as prime numbers) or in a pairing-based setting using BBS\(^+\) credentials [85] (encoding attributes using accumulators), where the latter additionally requires very large public parameters (one F-secure BB signature [19] for every possible attribute value).

  7. In ABC schemes, one can add interactive proofs of knowledge of the logarithms when obtaining a signature; the reduction can then make signing queries using the logarithms instead of the group elements themselves, as required by the security model in [52]. However, round-optimality of blind signatures precludes adding interaction; it is also not possible to add NIZKs of knowledge, as they require a CRS, which is not compatible with the strong security model (malicious-signer anonymity) for blind signatures considered in [55].

References

  1. J.H. Ahn, D. Boneh, J. Camenisch, S. Hohenberger, A. Shelat, B. Waters, Computing on authenticated data, in Ronald Cramer, editor, TCC 2012, volume 7194 of LNCS. (Springer, Heidelberg, March 2012), pp. 1–20

  2. M. Abe, M. Chase, B. David, M. K., R. Nishimaki, M. Ohkubo, Constant-size structure-preserving signatures: Generic constructions and simple assumptions, in Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS. (Springer, Heidelberg, 2012), pp. 4–24

  3. M. Abe, G. Fuchsbauer, J. Groth, K. Haralambiev, M. Ohkubo, Structure-preserving signatures and commitments to group elements, in Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS. (Springer, Heidelberg, August 2010), pp. 209–236

  4. M. Abe, J. Groth, K. Haralambiev, M. Ohkubo, Optimal structure-preserving signatures in asymmetric bilinear groups, in Phillip Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS. (Springer, Heidelberg, August 2011), pp. 649–666

  5. M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Structure-preserving signatures from type II pairings, in Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS. (Springer, Heidelberg, August 2014), pp. 390–407

  6. M. Abe, J. Groth, M. Ohkubo, M. Tibouchi, Unified, minimal and selectively randomizable structure-preserving signatures, in Yehuda Lindell, editor, TCC 2014, volume 8349 of LNCS. (Springer, Heidelberg, February 2014), pp. 688–712

  7. M. Abe, D. Hofheinz, R. Nishimaki, M. Ohkubo, J. Pan, Compact structure-preserving signatures with almost tight security, in Jonathan Katz and Hovav Shacham, editors, CRYPTO 2017, Part II, volume 10402 of LNCS. (Springer, Heidelberg, August 2017), pp. 548–580

  8. M. Abe, K. Haralambiev, M. Ohkubo, Signing on elements in bilinear groups for modular protocol design. Cryptology ePrint Archive, Report 2010/133, (2010). http://eprint.iacr.org/2010/133

  9. M. Abe, M. Kohlweiss, M. Ohkubo, M. Tibouchi, Fully structure-preserving signatures and shrinking commitments, in Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS. (Springer, Heidelberg, April 2015), pp. 35–65

  10. N. Attrapadung, B. Libert, T. Peters, Computing on authenticated data: New privacy definitions and constructions, in Xiaoyun Wang and Kazue Sako, editors, ASIACRYPT 2012, volume 7658 of LNCS. (Springer, Heidelberg, December 2012), pp. 367–385

  11. N. Attrapadung, B. Libert, T. Peters, Efficient completely context-hiding quotable and linearly homomorphic signatures, in K. Kurosawa and G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS. (Springer, Heidelberg, February/March 2013), pp. 386–404

  12. N. Akagi, Y. Manabe, T. Okamoto, An efficient anonymous credential system, in G. Tsudik, editor, FC 2008, volume 5143 of LNCS. (Springer, Heidelberg, January 2008), pp. 272–286

  13. M.H. Au, W. Susilo, Y. Mu, Constant-size dynamic k-TAA, in R. De Prisco and M. Yung, editors, SCN 06, volume 4116 of LNCS. (Springer, Heidelberg, September 2006), pp. 111–125

  14. D. Boneh, X. Boyen, Short signatures without random oracles, in C. Cachin and J. Camenisch, editors, EUROCRYPT 2004, volume 3027 of LNCS. (Springer, Heidelberg, May 2004), pp. 56–73

  15. D. Boneh, X. Boyen, E.-J. Goh, Hierarchical identity based encryption with constant size ciphertext, in R. Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS. (Springer, Heidelberg, May 2005), pp. 440–456

  16. D. Boneh, X. Boyen, H. Shacham, Short group signatures, in M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS. (Springer, Heidelberg, August 2004), pp. 41–55

  17. D. Boneh, H. Corrigan-Gibbs, Bivariate polynomials modulo composites and their applications, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS. (Springer, Heidelberg, December 2014), pp. 42–62

  18. M. Belenkiy, J. Camenisch, M. Chase, M. Kohlweiss, A. Lysyanskaya, H. Shacham, Randomizable proofs and delegatable anonymous credentials, in S. Halevi, editor, CRYPTO 2009, volume 5677 of LNCS. (Springer, Heidelberg, August 2009), pp. 108–125

  19. M. Belenkiy, M. Chase, M. Kohlweiss, A. Lysyanskaya, P-signatures and noninteractive anonymous credentials, in R. Canetti, editor, TCC 2008, volume 4948 of LNCS. (Springer, Heidelberg, March 2008), pp. 356–374

  20. G. Barthe, E. Fagerholm, D. Fiore, A. Scedrov, B. Schmidt, M. Tibouchi, Strongly-optimal structure preserving signatures from type II pairings: Synthesis and lower bounds, in J. Katz, editor, PKC 2015, volume 9020 of LNCS. (Springer, Heidelberg, March/April 2015), pp. 355–376

  21. D. Boneh, D. Freeman, J. Katz, B. Waters, Signing a linear subspace: Signature schemes for network coding, in S. Jarecki and G. Tsudik, editors, PKC 2009, volume 5443 of LNCS. (Springer, Heidelberg, March 2009), pp. 68–87

  22. O. Blazy, G. Fuchsbauer, D. Pointcheval, D. Vergnaud, Signatures on randomizable ciphertexts, in D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, editors, PKC 2011, volume 6571 of LNCS. (Springer, Heidelberg, March 2011), pp. 403–422

  23. M. Bellare, G. Fuchsbauer, A. Scafuro, NIZKs with an untrusted CRS: Security in the face of parameter subversion, in J. H. Cheon and T. Takagi, editors, ASIACRYPT 2016, Part II, volume 10032 of LNCS. (Springer, Heidelberg, December 2016), pp. 777–804

  24. F. Baldimtsi, A. Lysyanskaya, Anonymous credentials light, in A.-R. Sadeghi, V.D. Gligor, and M. Yung, editors, ACM CCS 13. (ACM Press, November 2013), pp. 1087–1098

  25. P.S.L.M. Barreto, M. Naehrig, Pairing-friendly elliptic curves of prime order, in B. Preneel and S. Tavares, editors, SAC 2005, volume 3897 of LNCS. (Springer, Heidelberg, August 2006), pp. 319–331

  26. X. Boyen, The uber-assumption family (invited talk), in S.D. Galbraith and K.G. Paterson, editors, PAIRING 2008, volume 5209 of LNCS. (Springer, Heidelberg, 2008), pp. 39–56

  27. N. Bari, B. Pfitzmann, Collision-free accumulators and fail-stop signature schemes without trees, in W. Fumy, editor, EUROCRYPT’97, volume 1233 of LNCS. (Springer, Heidelberg, May 1997), pp. 480–494

  28. S. Brands, Rethinking Public-Key Infrastructures and Digital Certificates: Building in Privacy. (MIT Press, 2000)

  29. M. Bellare, H. Shi, C. Zhang, Foundations of group signatures: The case of dynamic groups, in A. Menezes, editor, CT-RSA 2005, volume 3376 of LNCS. (Springer, Heidelberg, February 2005), pp. 136–153

  30. R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in 42nd FOCS. (IEEE Computer Society Press, October 2001), pp. 136–145

  31. J. Camenisch, M. Dubovitskaya, K. Haralambiev, M. Kohlweiss, Composable and modular anonymous credentials: definitions and practical constructions, in T. Iwata and J.H. Cheon, editors, ASIACRYPT 2015, Part II, volume 9453 of LNCS. (Springer, Heidelberg, November/December 2015), pp. 262–288

  32. R. Cramer, I. Damgård, P.D. MacKenzie, Efficient zero-knowledge proofs of knowledge without intractability assumptions, in H. Imai and Y. Zheng, editors, PKC 2000, volume 1751 of LNCS. (Springer, Heidelberg, January 2000), pp. 354–372

  33. D. Catalano, D. Fiore, Vector commitments and their applications, in K. Kurosawa and G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS. (Springer, Heidelberg, February/March 2013), pp. 55–72

  34. D. Catalano, D. Fiore, B. Warinschi, Efficient network coding signatures in the standard model, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS. (Springer, Heidelberg, 2012), pp. 680–696

  35. J. Camenisch, T. Groß, Efficient attributes for anonymous credentials. ACM Transactions on Information and System Security, 15(1), 4, (2012)

  36. M. Chase, C. Ganesh, P. Mohassel, Efficient zero-knowledge proof of algebraic and non-algebraic statements with applications to privacy preserving credentials, in M. Robshaw and J. Katz, editors, CRYPTO 2016, Part III, volume 9816 of LNCS. (Springer, Heidelberg, 2016), pp. 499–530

  37. J. Camenisch, S. Krenn, A. Lehmann, G.L. Mikkelsen, G. Neven, M.Ø. Pedersen, Formal treatment of privacy-enhancing credential systems, in O. Dunkelman and L. Keliher, editors, SAC 2015, volume 9566 of LNCS. (Springer, Heidelberg, August 2016), pp. 3–24

  38. M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn, Malleable proof systems and applications, in D. Pointcheval and T. Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS. (Springer, Heidelberg, April 2012), pp. 281–300

  39. M. Chase, M. Kohlweiss, A. Lysyanskaya, S. Meiklejohn, Malleable signatures: New definitions and delegatable anonymous credentials, in IEEE 27th Computer Security Foundations Symposium, CSF 2014, (2014), pp. 199–213

  40. J. Camenisch, A. Lysyanskaya, An efficient system for non-transferable anonymous credentials with optional anonymity revocation, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS. (Springer, Heidelberg, May 2001), pp. 93–118

  41. J. Camenisch, A. Lysyanskaya, A signature scheme with efficient protocols, in S. Cimato, C. Galdi, and G. Persiano, editors, SCN 02, volume 2576 of LNCS. (Springer, Heidelberg, September 2003), pp. 268–289

  42. J. Camenisch, A. Lysyanskaya, Signature schemes and anonymous credentials from bilinear maps, in M. Franklin, editor, CRYPTO 2004, volume 3152 of LNCS. (Springer, Heidelberg, August 2004), pp. 56–72

  43. S. Canard, R. Lescuyer, Anonymous credentials from (indexed) aggregate signatures, in DIM’11, Proceedings of the 2013 ACM Workshop on Digital Identity Management, Chicago, IL, USA - October 21, 2011, (2011), pp. 53–62

  44. S. Canard, R. Lescuyer, Protecting privacy by sanitizing personal data: a new approach to anonymous credentials, in K. Chen, Q. Xie, W. Qiu, N. Li, and W.-G. Tzeng, editors, ASIACCS 13. (ACM Press, May 2013), pp. 381–392

  45. S. Chatterjee, A. Menezes, On cryptographic protocols employing asymmetric pairings - the role of \(\varPsi \) revisited. Discrete Applied Mathematics 159(13), 1311–1322, (2011)

  46. D. Chaum, T.P. Pedersen, Wallet databases with observers, in E.F. Brickell, editor, CRYPTO’92, volume 740 of LNCS. (Springer, Heidelberg, 1993), pp. 89–105

  47. I. Damgård, Efficient concurrent zero-knowledge in the auxiliary string model, in B. Preneel, editor, EUROCRYPT 2000, volume 1807 of LNCS. (Springer, Heidelberg, May 2000), pp. 418–430

  48. I. Damgård, H. Haagh, C. Orlandi, Access control encryption: Enforcing information flow with cryptography, in M. Hirt and A.D. Smith, editors, TCC 2016-B, Part II, volume 9986 of LNCS. (Springer, Heidelberg, October/November 2016), pp. 547–576

  49. D. Derler, C. Hanser, D. Slamanig, A new approach to efficient revocable attribute-based anonymous credentials, in J. Groth, editor, 15th IMA International Conference on Cryptography and Coding, volume 9496 of LNCS. (Springer, Heidelberg, 2015), pp. 57–74

  50. D. Derler, C. Hanser, D. Slamanig, Revisiting cryptographic accumulators, additional properties and relations to other primitives, in K. Nyberg, editor, CT-RSA 2015, volume 9048 of LNCS. (Springer, Heidelberg, April 2015), pp. 127–144

  51. D. Derler, D. Slamanig, Fully-anonymous short dynamic group signatures without encryption. IACR Cryptology ePrint Archive, 2016:154, (2016)

  52. G. Fuchsbauer, R. Gay, Weakly secure equivalence-class signatures from standard assumptions, in M. Abdalla, editor, PKC 2018, LNCS. (Springer, 2018)

  53. G. Fuchsbauer, R. Gay, L. Kowalczyk, C. Orlandi, Access control encryption for equality, comparison, and more, in S. Fehr, editor, PKC 2017, Part II, volume 10175 of LNCS. (Springer, Heidelberg, 2017), pp. 88–118

  54. G. Fuchsbauer, C. Hanser, C. Kamath, D. Slamanig, Practical round-optimal blind signatures in the standard model from weaker assumptions, in V. Zikas and R. De Prisco, editors, SCN 16, volume 9841 of LNCS. (Springer, Heidelberg, August/September 2016), pp. 391–408

  55. G. Fuchsbauer, C. Hanser, D. Slamanig, Practical round-optimal blind signatures in the standard model, in R. Gennaro and M.J.B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS. (Springer, Heidelberg, August 2015), pp. 233–253

  56. E. Fujisaki, T. Okamoto, A practical and provably secure scheme for publicly verifiable secret sharing and its applications, in K. Nyberg, editor, EUROCRYPT’98, volume 1403 of LNCS. (Springer, Heidelberg, May/June 1998), pp. 32–46

  57. D.M. Freeman, Improved security for linearly homomorphic signatures: A generic framework, in M. Fischlin, J. Buchmann, and M. Manulis, editors, PKC 2012, volume 7293 of LNCS. (Springer, Heidelberg, May 2012), pp. 697–714

  58. G. Fuchsbauer, Automorphic signatures in bilinear groups and an application to round-optimal blind signatures. Cryptology ePrint Archive, Report 2009/320 (2009). http://eprint.iacr.org/2009/320

  59. G. Fuchsbauer, Commuting signatures and verifiable encryption, in K.G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS. (Springer, Heidelberg, May 2011), pp. 224–245

  60. G. Fuchsbauer, Breaking existential unforgeability of a signature scheme from ASIACRYPT 2014. Cryptology ePrint Archive, Report 2014/892, (2014). http://eprint.iacr.org/2014/892

  61. E. Ghadafi, Short structure-preserving signatures, in K. Sako, editor, CT-RSA 2016, volume 9610 of LNCS. (Springer, Heidelberg, February/March 2016), pp. 305–321

  62. S. Goldwasser, S. Micali, R.L. Rivest, A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308, (1988)

  63. O. Goldreich, The Foundations of Cryptography - Volume 1, Basic Techniques. (Cambridge University Press, 2001)

  64. V. Goyal, Reducing trust in the PKG in identity based cryptosystems, in A. Menezes, editor, CRYPTO 2007, volume 4622 of LNCS. (Springer, Heidelberg, August 2007), pp. 430–447

  65. J. Groth, Short pairing-based non-interactive zero-knowledge arguments, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS. (Springer, Heidelberg, December 2010), pp. 321–340

  66. J. Groth, Efficient fully structure-preserving signatures for large messages, in T. Iwata and J.H. Cheon, editors, ASIACRYPT 2015, Part I, volume 9452 of LNCS. (Springer, Heidelberg, November/December 2015), pp. 239–259

  67. J. Groth, A. Sahai, Efficient non-interactive proof systems for bilinear groups, in N.P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS. (Springer, Heidelberg, 2008), pp. 415–432

  68. C. Hanser, M. Rabkin, D. Schröder, Verifiably encrypted signatures: Security revisited and a new construction, in G. Pernul, P.Y.A. Ryan, and E.R. Weippl, editors, ESORICS 2015, Part I, volume 9326 of LNCS. (Springer, Heidelberg, September 2015), pp. 146–164

  69. C. Hanser, D. Slamanig, Structure-preserving signatures on equivalence classes and their application to anonymous credentials, in P. Sarkar and T. Iwata, editors, ASIACRYPT 2014, Part I, volume 8873 of LNCS. (Springer, Heidelberg, December 2014), pp. 491–511

  70. M. Izabachène, B. Libert, D. Vergnaud, Block-wise P-signatures and non-interactive anonymous credentials with efficient attributes, in L. Chen, editor, 13th IMA International Conference on Cryptography and Coding, volume 7089 of LNCS. (Springer, Heidelberg, December 2011), pp. 431–450

  71. R. Johnson, D. Molnar, D.X. Song, D. Wagner, Homomorphic signature schemes, in B. Preneel, editor, CT-RSA 2002, volume 2271 of LNCS. (Springer, Heidelberg, February 2002), pp. 244–262

  72. C.S. Jutla, A. Roy, Improved structure preserving signatures under standard bilinear assumptions, in S. Fehr, editor, PKC 2017, Part II, volume 10175 of LNCS. (Springer, Heidelberg, March 2017), pp. 183–209

  73. E. Kiltz, J. Pan, H. Wee, Structure-preserving signatures from standard assumptions, revisited, in R. Gennaro and M.J.B. Robshaw, editors, CRYPTO 2015, Part II, volume 9216 of LNCS. (Springer, Heidelberg, August 2015), pp. 275–295

  74. A. Kate, G.M. Zaverucha, I. Goldberg, Constant-size commitments to polynomials and their applications, in M. Abe, editor, ASIACRYPT 2010, volume 6477 of LNCS. (Springer, Heidelberg, December 2010), pp. 177–194

  75. H. Lipmaa, Progression-free sets and sublinear pairing-based non-interactive zero-knowledge arguments, in R. Cramer, editor, TCC 2012, volume 7194 of LNCS. (Springer, Heidelberg, March 2012), pp. 169–189

  76. B. Libert, T. Peters, M. Joye, M. Yung, Linearly homomorphic structure-preserving signatures and their applications, in R. Canetti and J.A. Garay, editors, CRYPTO 2013, Part II, volume 8043 of LNCS. (Springer, Heidelberg, August 2013), pp. 289–307

  77. A. Lysyanskaya, R.L. Rivest, A. Sahai, S. Wolf, Pseudonym systems, in H.M. Heys and C.M. Adams, editors, SAC 1999, volume 1758 of LNCS. (Springer, Heidelberg, August 1999), pp. 184–199

  78. R.C. Merkle, A digital signature based on a conventional encryption function, in C. Pomerance, editor, CRYPTO’87, volume 293 of LNCS. (Springer, Heidelberg, August 1988), pp. 369–378

  79. S. Micali, M.O. Rabin, J. Kilian, Zero-knowledge sets, in 44th FOCS. (IEEE Computer Society Press, October 2003), pp. 80–91

  80. T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in J. Feigenbaum, editor, CRYPTO’91, volume 576 of LNCS. (Springer, Heidelberg, 1992), pp. 129–140

  81. D. Pointcheval, O. Sanders, Short randomizable signatures, in K. Sako, editor, CT-RSA 2016, volume 9610 of LNCS. (Springer, Heidelberg, February/March 2016), pp. 111–126

  82. S. Ringers, E.R. Verheul, J.-H. Hoepman, An efficient self-blindable attribute-based credential scheme. IACR Cryptology ePrint Archive, 2017, 115, (2017). (to appear at Financial Crypto 2017)

  83. R. Steinfeld, L. Bull, Y. Zheng, Content extraction signatures, in K. Kim, editor, ICISC 01, volume 2288 of LNCS. (Springer, Heidelberg, December 2002), pp. 285–304

  84. V. Shoup, Lower bounds for discrete logarithms and related problems, in W. Fumy, editor, EUROCRYPT’97, volume 1233 of LNCS. (Springer, Heidelberg, May 1997), pp. 256–266

  85. A. Sudarsono, T. Nakanishi, N. Funabiki, Efficient proofs of attributes in pairing-based anonymous credential system, in Privacy Enhancing Technologies - 11th International Symposium, PETS 2011, Waterloo, ON, Canada, July 27-29, 2011. Proceedings, pp. 246–263 (2011)

  86. E.R. Verheul, Self-blindable credential certificates from the Weil pairing, in C. Boyd, editor, ASIACRYPT 2001, volume 2248 of LNCS. (Springer, Heidelberg, December 2001), pp. 533–551

  87. B.R. Waters, Efficient identity-based encryption without random oracles, in R. Cramer, editor, EUROCRYPT 2005, volume 3494 of LNCS. (Springer, Heidelberg, May 2005), pp. 114–127

Acknowledgements

Work started while the first author was at IST Austria and supported by the European Research Council, ERC Starting Grant (259668-PSPC); now supported by the French ANR EfTrEC project (ANR-16-CE39-0002). Work has been done while the second and third authors were at IAIK, Graz University of Technology. The second author has been supported by the European Commission through projects FP7-MATTHEW (GA No. 610436) and FP7-FutureID (GA No. 318424). The work of the last author has been supported by the European Commission through project FP7-FutureID (GA No. 318424) and by EU Horizon 2020 through project Prismacloud (GA No. 644962).

Author information

Correspondence to Georg Fuchsbauer.

Additional information

Communicated by Nigel Smart.

About this article

Cite this article

Fuchsbauer, G., Hanser, C. & Slamanig, D. Structure-Preserving Signatures on Equivalence Classes and Constant-Size Anonymous Credentials. J Cryptol 32, 498–546 (2019). https://doi.org/10.1007/s00145-018-9281-4

Keywords

  • Public-key cryptography
  • Pairing-based cryptography
  • Structure-preserving signatures
  • Attribute-based anonymous credentials
  • Set commitments