Abstract
This paper formalizes the concept of threshold blind signatures (TBS), which bridges the properties of two well-known signature flavors, blind signatures and threshold signatures. Using TBS, users can obtain signatures through interaction with t-out-of-n signers without disclosing the corresponding message to any of them. Our construction is the first TBS scheme that achieves security in the standard model and enjoys the property of being rerandomizable. The security of our construction holds according to the most recent security definitions for blind signatures by Schröder and Unruh (PKC 2012), which are extended in this work to the threshold setting.
Rerandomizable TBS schemes enable constructions of distributed e-voting and e-cash systems. We highlight how TBS can be used to construct the first e-voting scheme that simultaneously achieves privacy, soundness, and public verifiability in the presence of distributed registration authorities, following the general approach by Koenig, Dubuis, and Haenni (Electronic Voting 2010), where the existence of TBS schemes was assumed but no construction given. As a second application, we discuss how TBS can be used to distribute the currency issuer role amongst multiple parties in the decentralized e-cash system proposed by Miers et al. (IEEE S&P 2013).
References
Abe, M.: A secure three-move blind signature scheme for polynomially many signatures. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 136–151. Springer, Heidelberg (2001)
Abe, M., Fehr, S.: Adaptively secure Feldman VSS and applications to universally-composable threshold cryptography. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 317–334. Springer, Heidelberg (2004)
Abe, M., Fuchsbauer, G., Groth, J., Haralambiev, K., Ohkubo, M.: Structure-preserving signatures and commitments to group elements. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 209–236. Springer, Heidelberg (2010)
Abe, M., Ohkubo, M.: A framework for universally composable non-committing blind signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 435–450. Springer, Heidelberg (2009)
Abe, M., Okamoto, T.: Provably secure partially blind signatures. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 271–286. Springer, Heidelberg (2000)
Baudron, O., Fouque, P., Pointcheval, D., Stern, J., Poupard, G.: Practical multi-candidate election system. In: Proceedings of the Twentieth Annual ACM Symposium on Principles of Distributed Computing, PODC 2001, pp. 274–283. ACM (2001)
Bellare, M., Namprempre, C., Pointcheval, D., Semanko, M.: The power of RSA inversion oracles and the security of Chaum’s RSA-based blind signature scheme. In: Syverson, P.F. (ed.) FC 2001. LNCS, vol. 2339, pp. 309–328. Springer, Heidelberg (2002)
Benaloh, J.C., Tuinstra, D.: Receipt-free secret-ballot elections (extended abstract). In: Proceedings of the 26th Annual ACM Symposium on Theory of Computing, pp. 544–553. ACM (1994)
Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Signatures on randomizable ciphertexts. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 403–422. Springer, Heidelberg (2011)
Blazy, O., Fuchsbauer, G., Pointcheval, D., Vergnaud, D.: Short blind signatures. J. Comput. Secur. 21(5), 627–661 (2013)
Boldyreva, A.: Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 31–46. Springer, Heidelberg (2002)
Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)
Brands, S.: Untraceable off-line cash in wallets with observers. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 302–318. Springer, Heidelberg (1994)
Brands, S.A.: An efficient off-line electronic cash system based on the representation problem. Technical report, Amsterdam, The Netherlands (1993)
Camenisch, J., Groß, T.: Efficient attributes for anonymous credentials. In: Proceedings of the 2008 ACM Conference on Computer and Communications Security, CCS 2008, pp. 345–356. ACM (2008)
Camenisch, J.L., Hohenberger, S., Lysyanskaya, A.: Compact e-Cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)
Camenisch, J.L., Koprowski, M., Warinschi, B.: Efficient blind signatures without random oracles. In: Blundo, C., Cimato, S. (eds.) SCN 2004. LNCS, vol. 3352, pp. 134–148. Springer, Heidelberg (2005)
Camenisch, J., Lysyanskaya, A., Meyerovich, M.: Endorsed e-cash. In: 2007 IEEE Symposium on Security and Privacy (S&P 2007), pp. 101–115. IEEE Computer Society (2007)
Camenisch, J.L., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007)
Cetinkaya, O., Cetinkaya, D.: Verification and validation issues in electronic voting. Electron. J. e-Government 5, 117–126 (2007)
Chaum, D.: Blind signatures for untraceable payments. CRYPTO 1982, pp. 199–203. Springer, Heidelberg (1982)
Chaum, D.: Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In: Günther, C.G. (ed.) EUROCRYPT 1988. LNCS, vol. 330, pp. 177–182. Springer, Heidelberg (1988)
Chaum, D., Fiat, A., Naor, M.: Untraceable electronic cash. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 319–327. Springer, Heidelberg (1990)
Cramer, R., Damgård, I.B., Schoenmakers, B.: Proof of partial knowledge and simplified design of witness hiding protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)
Cramer, R., Gennaro, R., Schoenmakers, B.: A secure and optimally efficient multi-authority election scheme. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 103–118. Springer, Heidelberg (1997)
Desmedt, Y.G.: Society and group oriented cryptography: a new concept. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 120–127. Springer, Heidelberg (1988)
Desmedt, Y.G., Frankel, Y.: Shared generation of authenticators and signatures. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 457–469. Springer, Heidelberg (1992)
Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science, pp. 427–437. IEEE Computer Society (1987)
Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006)
Franklin, M., Yung, M.: Towards provably secure efficient electronic cash. Technical report TR CUSC-018-92, Columbia University, Department of Computer Science (1993). Also in: Lingas, A., Carlsson, S., Karlsson, R. (eds.): ICALP 1993. LNCS, vol. 700. Springer, Heidelberg (1993)
Fujioka, A., Okamoto, T., Ohta, K.: A practical secret voting scheme for large scale elections. In: Zheng, Y., Seberry, J. (eds.) AUSCRYPT 1992. LNCS, vol. 718, pp. 244–251. Springer, Heidelberg (1993)
Garg, S., Rao, V., Sahai, A., Schröder, D., Unruh, D.: Round optimal blind signatures. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 630–648. Springer, Heidelberg (2011)
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Robust threshold DSS signatures. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 354–371. Springer, Heidelberg (1996)
Gennaro, R., Jarecki, S., Krawczyk, H., Rabin, T.: Secure distributed key generation for discrete-log based cryptosystems. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 295–310. Springer, Heidelberg (1999)
Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)
Groth, J.: Short pairing-based non-interactive zero-knowledge arguments. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 321–340. Springer, Heidelberg (2010)
Groth, J., Ostrovsky, R., Sahai, A.: Non-interactive Zaps and New Techniques for NIZK. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 97–111. Springer, Heidelberg (2006)
Hofheinz, D., Jager, T., Knapp, E.: Waters Signatures with Optimal Security Reduction. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 66–83. Springer, Heidelberg (2012)
Horvitz, O., Katz, J.: Universally-composable two-party computation in two rounds. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 111–129. Springer, Heidelberg (2007)
Juels, A., Catalano, D., Jakobsson, M.: Coercion-resistant electronic elections. In: Proceedings of the 2005 ACM Workshop on Privacy in the Electronic Society, WPES 2005, pp. 61–70. ACM (2005)
Juels, A., Luby, M., Ostrovsky, R.: Security of blind digital signatures. In: Kaliski Jr, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 150–164. Springer, Heidelberg (1997)
Kiayias, A., Zhou, H.-S.: Equivocal blind signatures and adaptive UC-security. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 340–355. Springer, Heidelberg (2008)
Kim, J.-H., Kim, K., Lee, C.S.: An efficient and provably secure threshold blind signature. In: Kim, K. (ed.) ICISC 2001. LNCS, vol. 2288, pp. 318–327. Springer, Heidelberg (2002)
Koenig, R.E., Dubuis, Haenni, R.: Why public registration boards are required in e-voting systems based on threshold blind signature protocols. In: Electronic Voting 2010, EVOTE 2010, 4th International Conference, Co-organized by Council of Europe, Gesellschaft für Informatik and E-Voting.CC, vol. 167 LNI, pp. 255–266. GI (2010)
Lee, B., Kim, K.: Receipt-free electronic voting scheme through collaboration of voter and honest verifier. In: Proceeding of JW-ISC 2000, pp. 101–108 (2000)
Li, J., Yuen, T.H., Kim, K.: Practical threshold signatures without random oracles. In: Susilo, W., Liu, J.K., Mu, Y. (eds.) ProvSec 2007. LNCS, vol. 4784, pp. 198–207. Springer, Heidelberg (2007)
Lysyanskaya, A., Peikert, C.: Adaptive security in the threshold setting: from cryptosystems to signature schemes. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 331–350. Springer, Heidelberg (2001)
Meiklejohn, S., Shacham, H., Freeman, D.M.: Limitations on transformations from composite-order to prime-order groups: the case of round-optimal blind signatures. In: Abe, M. (ed.) ASIACRYPT 2010. LNCS, vol. 6477, pp. 519–538. Springer, Heidelberg (2010)
Miers, I., Garman, C., Green, M., Rubin, A.D.: Zerocoin: Anonymous distributed e-cash from bitcoin. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, pp. 397–411. IEEE Computer Society (2013)
Okamoto, T.: An electronic voting scheme. In: Terashima, N., Altman, E. (eds.) Advanced IT Tools. IFIP, pp. 21–30. Springer, Heidelberg (1996)
Okamoto, T.: Efficient blind and partially blind signatures without random oracles. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 80–99. Springer, Heidelberg (2006)
Pointcheval, D., Stern, J.: Provably secure blind signature schemes. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 252–265. Springer, Heidelberg (1996)
Pointcheval, D., Stern, J.: New blind signatures equivalent to factorization (extended abstract). In: Proceedings of the 4th ACM Conference on Computer and Communications Security CCS 1997, pp. 92–99. ACM (1997)
Schröder, D., Unruh, D.: Security of blind signatures revisited. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 662–679. Springer, Heidelberg (2012)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Shoup, V.: Practical threshold signatures. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 207–220. Springer, Heidelberg (2000)
Vo, D.L., Zhang, F., Kim, K.: A new threshold blind signature scheme from pairings (2003)
Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
Zhou, X.: Threshold cryptosystem based fair off-line e-cash. In: Proceedings on the 2nd International Symposium on Intelligent Information Technology, pp. 692–696 (2008)
Appendices
A Blind Signature Scheme by Okamoto [51]
Our construction is influenced by the techniques underlying the following blind signature scheme from [51].
- \(\mathtt {BParGen}(1^\lambda )\): Generate the public bilinear group parameters \(I=(\mathbb {G},\mathbb {G}_T,q,g,e)\).
- \(\mathtt {KGen}(I)\): Pick \(x\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{q}^{*}\) and generators \(g_2,u',u_1,\ldots ,u_n\mathop {\leftarrow }\limits ^{r}\mathbb {G}\) and set \(g_1\leftarrow g^{x}\). Output \(pk=(g,g_1,g_2,u',u_1,\ldots ,u_n)\) and \(sk=g_{2}^{x}\).
- \(\mathtt {BSign}(\cdot )\): Let \(m\in \{0,1\}^{n}\) be a message and \(\mu _i\) the i-th bit of m. User U selects \(r\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\), computes \(X\leftarrow \left( u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^r\) and sends X to the signer S. U additionally proves to S that it knows \((r,\mu _1,\ldots ,\mu _n)\) with \(\mu _i\in \{0,1\}\) for X using the following witness-indistinguishable \(\Sigma \) protocol:
  - U selects \(\delta _1,\ldots ,\delta _n\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\), computes \(M_i=u_{i}^{\mu _i}(u')^{\delta _i}\) for \(i=1,\ldots ,n\), and sends \((M_1,\ldots ,M_n)\) to S.
  - U proves to S that U knows \(\delta _i\) such that \(M_i=(u')^{\delta _i}\) for \(\mu _i=0\) or \(M_i=u_i(u')^{\delta _i}\) for \(\mu _i=1\), where \(i\in \left[ 1,n\right] \). This proof can be realized by the \(\Sigma \) protocol described in [5].
  - U proves to S that U knows \((t,\beta ,\gamma _1,\ldots ,\gamma _n)\) such that \(X=\left( \prod \limits _{i=1}^{n}M_i\right) ^t\cdot (u')^{\beta }\) and \(X=(u')^t\prod \limits _{i=1}^{n}u_{i}^{\gamma _i}\), where \(\beta \leftarrow t-t(\sum \limits _{i=1}^{n}\delta _i)\mod p\) and \(\gamma _i\leftarrow t\mu _i\).
  If S accepts in the above protocol, it selects \(d\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\), computes \(Y_1\leftarrow g_{2}^{x}X^{d},\quad Y_2\leftarrow g^d\), and sends \((Y_1,Y_2)\) to U. U finally selects \(s\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\) and computes the blind signature \(\sigma =(\sigma _1,\sigma _2)\), where
  $$\begin{aligned} \sigma _1\leftarrow Y_1\left( u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^s\quad \text { and }\quad \sigma _2\leftarrow Y_{2}^{r}g^s. \end{aligned}$$
- \(\mathtt {BVerify}(pk, m, \sigma )\): Parse pk as \((g,g_1,g_2,u',u_1,\ldots ,u_n)\) and \(\sigma \) as \((\sigma _1,\sigma _2)\). If \(e(\sigma _1,g)=e(g_1,g_2)e\left( \sigma _2,u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^{-1}\) output 1; otherwise output 0.
The unforgeability and blindness of the scheme were proven in [51] based on the unforgeability of the Waters scheme [58] and the security of “OR” proofs [24].
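The following is an added worked example, not code from the paper or from Okamoto's original work, that traces the exponent algebra of the blind signing protocol above. It uses a deliberately simplified model (an assumption of mine): every element of the prime-order group is stored as its discrete logarithm base g, so multiplication in \(\mathbb {G}\) becomes addition of logs, exponentiation becomes multiplication, and the pairing e(g^a, g^b) becomes the product ab mod q. The model therefore checks only that the blinding, signing and unblinding steps compose correctly; it has no cryptographic strength, and the \(\Sigma \) proof of knowledge sent alongside X is not modelled. Verification is coded as the Waters relation e(σ1, g) = e(g1, g2)·e(σ2, u'∏u_i^{μ_i}); with Y2 = g^d as defined above, that product form (without the inverse written in BVerify) is the relation the unblinded pair satisfies in this model, which is my assumption about the intended convention. The names rand_exp, gmul, gpow, pair, tmul, run_session and waters_sign are mine; the message bits and the modulus are constructed sample values.

```python
import secrets

# Toy prime-order group used only to check the algebra of the scheme. Every
# group element is stored as its discrete logarithm base g (an integer mod Q),
# so multiplication in G is addition of logs, exponentiation is multiplication
# of a log by the exponent, and the pairing e(g^a, g^b) = g_T^{ab} is the
# product ab mod Q (elements of G_T are stored as logs base g_T). Constructed
# toy modulus; this representation carries no cryptographic hardness.
Q = 2**61 - 1


def rand_exp() -> int:
    """Uniform element of Z_q^* in the toy model."""
    return secrets.randbelow(Q - 1) + 1


def gmul(a: int, b: int) -> int:      # product of two elements of G
    return (a + b) % Q


def gpow(a: int, k: int) -> int:      # a^k in G
    return (a * k) % Q


def pair(a: int, b: int) -> int:      # e(a, b) in G_T
    return (a * b) % Q


def tmul(x: int, y: int) -> int:      # product of two elements of G_T
    return (x + y) % Q


def key_gen(n: int):
    """KGen: pk = (g, g1 = g^x, g2, u', u_1..u_n), sk = g2^x."""
    g = 1                             # log_g(g) = 1
    x = rand_exp()
    pk = {"g": g, "g1": gpow(g, x), "g2": rand_exp(),
          "u0": rand_exp(), "u": [rand_exp() for _ in range(n)]}
    sk = gpow(pk["g2"], x)
    return pk, sk


def waters_hash(pk: dict, bits) -> int:
    """Waters hash H(m) = u' * prod_{i : mu_i = 1} u_i."""
    h = pk["u0"]
    for u_i, mu in zip(pk["u"], bits):
        if mu:
            h = gmul(h, u_i)
    return h


def user_blind(pk: dict, bits, r: int) -> int:
    """User's first move: X = H(m)^r. The signer learns only X."""
    return gpow(waters_hash(pk, bits), r)


def signer_respond(pk: dict, sk: int, X: int, d: int):
    """Signer's reply: Y1 = g2^x * X^d, Y2 = g^d."""
    return gmul(sk, gpow(X, d)), gpow(pk["g"], d)


def user_unblind(pk: dict, bits, Y1: int, Y2: int, r: int, s: int):
    """User's final step: sigma1 = Y1 * H(m)^s, sigma2 = Y2^r * g^s."""
    return (gmul(Y1, gpow(waters_hash(pk, bits), s)),
            gmul(gpow(Y2, r), gpow(pk["g"], s)))


def verify(pk: dict, bits, sigma) -> bool:
    """Waters check e(sigma1, g) = e(g1, g2) * e(sigma2, H(m))."""
    s1, s2 = sigma
    return pair(s1, pk["g"]) == tmul(pair(pk["g1"], pk["g2"]),
                                     pair(s2, waters_hash(pk, bits)))


def waters_sign(pk: dict, sk: int, bits, t: int):
    """Plain (non-blind) Waters signature with randomness t, for comparison."""
    return gmul(sk, gpow(waters_hash(pk, bits), t)), gpow(pk["g"], t)


def run_session(pk: dict, sk: int, bits, r=None, d=None, s=None):
    """One full BSign run; returns the blind signature and the randomness used."""
    r = r or rand_exp()
    d = d or rand_exp()
    s = s or rand_exp()
    X = user_blind(pk, bits, r)
    Y1, Y2 = signer_respond(pk, sk, X, d)
    return user_unblind(pk, bits, Y1, Y2, r, s), (r, d, s)


if __name__ == "__main__":
    pk, sk = key_gen(8)
    m = [1, 0, 1, 1, 0, 0, 1, 0]          # constructed 8-bit message
    sigma, (r, d, s) = run_session(pk, sk, m)
    print("verifies:", verify(pk, m, sigma))
    # The unblinded pair is exactly a Waters signature with randomness t = r*d + s,
    # which is why the signer's view (X, d) does not link to the final signature.
    print("equals Waters signature with t = r*d + s:",
          sigma == waters_sign(pk, sk, m, (r * d + s) % Q))
```

The comparison against waters_sign is the point of the exercise: the output is an ordinary Waters signature whose randomness t = r·d + s is uniform because the user's s is, so the signer's transcript (X, Y1, Y2) carries no information that can be matched to the released (σ1, σ2). Any real deployment would need an actual pairing-friendly group and the \(\Sigma \) proof that U knows the opening of X, which this model omits.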
B Proof of Theorem 2 (Blindness)
Proof
We assume that the proposed signature scheme is not blind. That means there exists a dishonest signer \(\mathcal {S}^{*}\) which can guess b correctly with probability \(1/2+\epsilon \) for non-negligible \(\epsilon \). We construct an algorithm \(\mathcal {C}\) which breaks the DLIN assumption as follows. Given the public parameters \(pp=(\mathbb {G},\mathbb {G}_T,q,e,g)\) and the DLIN problem instance \((g^a,g^b,g^c)=(u_{1}^{'},u_{2}^{'},u_{3}^{'})\), the challenger \(\mathcal {C}\) computes \((u_{1,j},u_{2,j},u_{3,j})=\left( \left( u_{1}^{'}\right) ^{\xi _{1,j}},\left( u_{2}^{'}\right) ^{\xi _{2,j}},\left( u_{3}^{'}\right) ^{\xi _{3,j}}\right) \), with \(\xi _{1,j},\xi _{2,j},\xi _{3,j}\in \mathbb {Z}_{q}^{*}\) and \(\xi _{3,j}=\xi _{1,j}+\xi _{2,j}\), for \(j\in \{1,\ldots ,\ell \}\). \(\mathcal {C}\) gives \((pp,pk,u_{1}^{'},u_{2}^{'},u_{3}^{'},u_{1,j},u_{2,j},u_{3,j})\) to \(\mathcal {S}^{*}\) as CRS. \(\mathcal {S}^{*}\) gives \(\mathcal {C}\) a public key \(pk=(g_1,g_2,\mathbf{vk})\) and two messages \(m_0,m_1\in \mathbb {Z}_{q}^{*}\). The challenger \(\mathcal {C}\) checks that \(pk\in \mathbb {G}\) and \(m_0,m_1\in \mathbb {Z}_{q}^{*}\). If this holds, \(\mathcal {C}\) picks a random bit \(b\in \{0,1\}\). \(\mathcal {C}\) chooses \(r_i\in \mathbb {Z}_{q}^{*}\) and computes \(X_{i,0}=(u_{1}^{'}\prod _{j=1}^{\ell }u_{1,j}^{\mu _{j,0}})^{r_i}\) and \(X_{i,1}=(u_{1}^{'}\prod _{j=1}^{\ell }u_{1,j}^{\mu _{j,1}})^{r_i}\) for \(m_b=(\mu _{1,b},\ldots ,\mu _{\ell ,b}),b\in \{0,1\}\). \(\mathcal {C}\) executes both NIZK protocols from Sect. 4.1 to prove to \(\mathcal {S}^{*}\) that \(\mathcal {C}\) knows \((r_i,\mu _{1,b},\ldots ,\mu _{\ell ,b})\) for both messages \(m_b\in \{m_0,m_1\}\). From the proofs in [35, 37] it follows that for \(u_{3,j}=\left( u_{3}^{'}\right) ^{\xi _{1,j}+\xi _{2,j}}\) the commitments are perfectly hiding and the two parameter initializations are indistinguishable under the DLIN assumption.
Therefore the commitments on the messages \(m_b\) and \(m_{1-b}\) leak no information about the message. The perfect hiding property of the commitments allows \(\mathcal {C}\) to simulate NIZK proofs \((\pi _{i,0}^{(1)},\pi _{i,0}^{(2)})\) and \((\pi _{i,1}^{(1)},\pi _{i,1}^{(2)})\) that remain indistinguishable from real proofs, as shown in Sect. 4.4 of [35]. \(\mathcal {C}\) outputs \(X_{i,b}\), \(X_{i,1-b}\) and the simulated NIZK proofs \((\pi _{i,b}^{(1)},\pi _{i,b}^{(2)})\) and \((\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\), where \(\pi _{i,b}^{(1)}\) is the first part of the NIZK proof built for the commitment \(X_{i,b}\) and \(\pi _{i,b}^{(2)}\) is the corresponding second part of the NIZK proof for the commitment \(X_{i,b}\). The proofs \((\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\) are defined analogously. After completing the NIZK protocol the challenger \(\mathcal {C}\) acts as an honest user and proceeds in the same manner as a real one. \(\mathcal {C}\) sends its outputs to the dishonest signer \(\mathcal {S}^{*}\). The challenger \(\mathcal {C}\) executes the signing process first on behalf of \(\mathcal {U}_b\) on input \((pk,X_{i,b},\pi _{i,b}^{(1)},\pi _{i,b}^{(2)})\) and then on behalf of \(\mathcal {U}_{1-b}\) on input \((pk,X_{i,1-b},\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\). Since the commitments and the proofs do not leak any information about the message, the output \(\sigma _{i,b}\) of the signing protocol on behalf of \(\mathcal {U}_b\) is indistinguishable from the output \(\sigma _{i,1-b}\) of the protocol on behalf of \(\mathcal {U}_{1-b}\). If \(\mathcal {S}^{*}\) refuses to sign one of the inputs \((X_{i,b},\pi _{i,b}^{(2)})\) or \((X_{i,1-b},\pi _{i,1-b}^{(2)})\), then the corresponding output is \(\sigma _{b}=\bot \) or \(\sigma _{1-b}=\bot \). In this case both resulting signatures are set to \(\bot \), so \(\mathcal {S}^{*}\) gains no advantage by trying to hinder the game execution.
Otherwise, after finishing the signing phase of the blind signature for \(\mathcal {U}_b\) and \(\mathcal {U}_{1-b}\), \(\mathcal {C}\) checks the validity of the signatures obtained for \(\mathcal {U}_0\), \(\mathcal {U}_1\) by verifying that \(e(Y_{i,b,1},g)=e(g_2,vk_i)e(X_{i,b},Y_{i,b,2})\). If both signatures \(\sigma _{i,b},\sigma _{i,1-b}\) are valid, \(\mathcal {C}\) gives them to \(\mathcal {S}^{*}\). If only one of them is valid, \(\mathcal {C}\) outputs \(\bot \). \(\mathcal {C}\) then obtains the output \(b'\) of \(\mathcal {S}^{*}\). If \(b=b'\), \(\mathcal {C}\) outputs \(\beta \leftarrow 0\); otherwise it outputs \(\beta \leftarrow 1\).
Analysis: Observe that if \(b=b'\) then \((u_{1,j},u_{2,j},u_{3,j})\) for \(j\in \{1,\ldots ,\ell \}\) are DLIN tuples with \((u_{1,j},u_{2,j},u_{3,j})=\left( \left( u_{1}^{'}\right) ^{\xi _{1,j}},\left( u_{2}^{'}\right) ^{\xi _{2,j}},\left( u_{3}^{'}\right) ^{\xi _{3,j}}\right) \), where \(\xi _{3,j}=\xi _{1,j}+\xi _{2,j}\) and \((u_{1}^{'},u_{2}^{'},u_{3}^{'})=(g^a,g^b,g^c)\). In this case the challenger outputs \(b_{DLIN}=1\) and \(\sigma _{b},\sigma _{1-b}\) are perfectly simulated. Therefore \(Pr[b_{DLIN}=1|b=b']=1/2\). Whether the challenger \(\mathcal {C}\) outputs \(\bot \) or two valid signatures \(\sigma _0,\sigma _1\) depends only on the adversary's reply, i.e. on whether its reply \(\sigma _i\) passes verification or not. Hence it is completely independent of b, since the distributions of \(X_0\) and \(X_1\) are indistinguishable from each other, and \(Pr[b_{DLIN}=0|b\ne b']=1/2+\epsilon \). It follows that the success probability in the DLIN problem is \(1/2(1/2)+1/2(1/2+\epsilon )=1/2+\epsilon /2\), which contradicts the DLIN assumption for non-negligible \(\epsilon \). \(\square \)
© 2015 Springer International Publishing Switzerland
Kuchta, V., Manulis, M. (2015). Rerandomizable Threshold Blind Signatures. In: Yung, M., Zhu, L., Yang, Y. (eds) Trusted Systems. INTRUST 2014. Lecture Notes in Computer Science(), vol 9473. Springer, Cham. https://doi.org/10.1007/978-3-319-27998-5_5
DOI: https://doi.org/10.1007/978-3-319-27998-5_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27997-8
Online ISBN: 978-3-319-27998-5