Rerandomizable Threshold Blind Signatures

Abstract

This paper formalizes the concept of threshold blind signatures (TBS) that bridges together properties of the two well-known signature flavors, blind signatures and threshold signatures. Using TBS users can obtain signatures through interaction with t-out-of-n signers without disclosing the corresponding message to any of them. Our construction is the first TBS scheme that achieves security in the standard model and enjoys the property of being rerandomizable. The security of our construction holds according to most recent security definitions for blind signatures by Schröder and Unruh (PKC 2012) that are extended in this work to the threshold setting.

Rerandomizable TBS schemes enable constructions of distributed e-voting and e-cash systems. We highlight how TBS can be used to construct the first e-voting scheme that simultaneously achieves privacy, soundness, public verifiability in the presence of distributed registration authorities, following the general approach by Koenig, Dubuis, and Haenni (Electronic Voting 2010), where existence of TBS schemes was assumed but no construction given. As a second application, we discuss how TBS can be used to distribute the currency issuer role amongst multiple parties in a decentralized e-cash system proposed by Miers et al.(IEEE S&P 2013).

Appendices

A Blind Signature Scheme by Okamoto [51]

Our construction is influenced by the techniques underlying the following blind signature scheme from [51].

• \(\mathtt {BParGen}(1^\lambda )\) : Generate the public bilinear group parameters \(I=(\mathbb {G},\mathbb {G}_T,q,g,e)\).

• \(\mathtt {KGen}(I)\) : Pick \(x\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{q}^{*}\) and generators \(g_2,u',u_1,\ldots ,u_n\mathop {\leftarrow }\limits ^{r}\mathbb {G}\) and set \(g_1\leftarrow g^{x}\). Output \(pk=(g,g_1,g_2,u',u_1,\ldots ,u_n)\) and \(sk=g_{2}^{x}\).

• \(\mathtt {BSign}(\cdot )\) : Let \(m\in \{0,1\}^{n}\) be a message and \(\mu _i\) the i-th bit of m. User U selects \(r\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\) and computes \(X\leftarrow \left( u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^r\) and sends X to the signer S. U additionally provides to S that it knows \((r,\mu _1,\ldots ,\mu _n)\) with \(\mu _i\in \{0,1\}\) for X using the following witness indistinguishable \(\Sigma \) protocol:

  • U selects \(\delta _1,\ldots ,\delta _n\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\), computes \(M_i=u_{i}^{\mu _i}(u')^{\delta _i}\), \((i=1,\ldots ,n)\) and sends \((M_1,\ldots ,M_n)\) to S.

  • U proves to S that U knows \(\delta _i\) such that \(M_i=(u')^{\delta _i}\) for \(\mu _i=0\) or \(M_i=u_i(u')^{\delta _i}\) for \(\mu _i=1\), where \(i\in \left[ 1,n\right] \). This proof can be realized by a \(\Sigma \) protocol which was described in [5].

  • U proves to S that U knows \((t,\beta ,\gamma _1,\ldots ,\gamma _n)\) such that \(X=\left( \prod \limits _{i=1}^{n}M_i\right) ^t\cdot (u')^{\beta }\), and \(X=(u')^t\prod \limits _{i=1}^{n}u_{i}^{\gamma _i}\), where \(\beta \leftarrow t-t(\sum \limits _{i=1}^{n}\delta _i)\mod p\) and \(\gamma _i\leftarrow t\mu _i\).

  If S accepts in the above protocol then it selects \(d\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\), computes \(Y_1\leftarrow g_{2}^{x}X^{d},\quad Y_2\leftarrow g^d\), and sends \((Y_1,Y_2)\) to U. U eventually selects \(s\mathop {\leftarrow }\limits ^{r}\mathbb {Z}_{p}^{*}\) and computes a blind signature \(\sigma =(\sigma _1,\sigma _2)\), where

  $$\begin{aligned} \sigma _1\leftarrow Y_1\left( u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^s\quad \text { and }\quad \sigma _2\leftarrow Y_{2}^{r}g^s. \end{aligned}$$

• \(\mathtt {BVerify}(pk, m, \sigma )\) : Parse pk as \((g,g_1,g_2,u',u_1,\ldots ,u_n)\) and \(\sigma \) as \((\sigma _1,\sigma _2)\). If \(e(\sigma _1,g)=e(g_1,g_2)e\left( \sigma _2,u'\prod \limits _{i=1}^{n}u_{i}^{\mu _i}\right) ^{-1}\) output 1; otherwise output 0.

The unforgeability and blindness of the scheme were proven in [51] based on the unforgeability of the Waters scheme [58] and the security of “OR” proofs [24].

B Proof of Theorem 2 (Blindness)

Proof

We assume that the proposed signature scheme is not blind. That means the existence of a dishonest signer \(\mathcal { S}^{*}\), which can guess b correctly with a non-negligible advantage \(1/2+\epsilon \). We construct an algorithm \(\mathcal { C}\) which can break the security of the DLIN assumption as follows. Given the public parameters \(pp=(\mathbb {G},\mathbb {G}_T,q,e,g)\), the DLIN problem instance \((g^a,g^b,g^c)=(u_{1}^{'},u_{2}^{'},u_{3}^{'})\) the challenger \(\mathcal { C}\) computes \((u_{1,j},u_{2,j},u_{3,j})=\left( \left( u_{1}^{'}\right) ^{\xi _{1,j}},\left( u_{2}^{'}\right) ^{\xi _2,j},\left( u_{3}^{'}\right) ^{\xi _{3,j}}\right) \), with \(\xi _{1,j},\xi _{2,j},\xi _{3,j}\in \mathbb {Z}_{q}^{*}\), and \(\xi _{3,j}=\xi _{1,j}+\xi _{2,j}\), \(j\in \{1,\ldots ,\ell \}\). \(\mathcal { C}\) gives \((pp,pk,u_{1}^{'},u_{2}^{'},u_{3}^{'},u_{1,j},u_{2,j},u_{3,j})\) to \(\mathcal { S}^{*}\) as CRS. \(\mathcal { S}^{*}\) gives \(\mathcal { C}\) a public key \(pk=(g_1,g_2,\mathbf{vk})\) and two messages \(m_0,m_1\in \mathbb {Z}_{q}^{*}\). The challenger \(\mathcal { C}\) checks if \(pk\in \mathbb {G}\) and \(m_0,m_1\in \mathbb {Z}_{q}^{*}\). If it holds \(\mathcal { C}\) picks a random bit \(b\in \{0,1\}\). \(\mathcal { C}\) chooses \(r_i\in \mathbb {Z}_{q}^{*}\) and computes \(X_{i,0}=(u_{1}^{'}\prod _{j=1}^{\ell }u_{1,j}^{\mu _{j,0}})^{r_i}\) and \(X_{i,1}=(u_{1}^{'}\prod _{j=1}^{\ell }u_{1,j}^{\mu _{j,1}})^{r_i}\) for \(m_b=(\mu _{1,b},\ldots ,\mu _{\ell ,b}),b\in \{0,1\}\). \(\mathcal { C}\) executes the both NIZK protocols from Sect. 4.1 to prove \(\mathcal { S}^{*}\) that \(\mathcal { C}\) knows \((r_i,\mu _{1,b},\ldots ,\mu _{\ell ,b})\) for both messages \(m_b=\{m_0,m_1\}\). From the proofs in [35, 37] follows that for \(u_{3,j}=\left( u_{3}^{'}\right) ^{\xi _{1,j}+\xi _{2,j}}\) the commitments are perfect hiding and the two parameter initializations are indistinguishable under the DLIN assumption. Therefore the commitments on the messages \(m_b\) and \(m_{1-b}\) leak no information about the message. The perfect hiding property of commitments allows to simulate NIZK proofs \((\pi _{i,0}^{(1)},\pi _{i,0}^{(2)})\) and \((\pi _{i,1}^{(1)},\pi _{i,1}^{(2)})\), that remain indistinguishable from real proofs as shown in Sect. 4.4, [35]. \(\mathcal { C}\) outputs \(X_{i,b}X_{i,1-b}\) and the simulated NIZK proofs \((\pi _{i,b}^{(1)},\pi _{i,b}^{(2)})\) and \((\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\), where \(\pi _{i,b}^{(1)}\) is the first part of NIZK proof, which is built to the commitment \(X_{i,b}\) and \(\pi _{i,b}^{(2)}\) is the corresponding second part of NIZK proof to the commitment \(X_{i,b}\). Analogously are defined the proofs \((\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\). After completing the NIZK protocol the challenger \(\mathcal { C}\) acts as a honest user and proceeds in the same manner as the real one. \(\mathcal { C}\) sends his outputs to the dishonest signer \(\mathcal { S}^{*}\). The challenger \(\mathcal { C}\) executes the signing process first on behalf of \(\mathcal { U}_b\) on input \((pk,X_{i,b},\pi _{i,b}^{(1)},\pi _{i,b}^{(2)})\) and then on behalf of \(\mathcal { U}_{1-b}\) on input \(pk,X_{i,1-b},\pi _{i,1-b}^{(1)},\pi _{i,1-b}^{(2)})\). Since the commitments and the proofs do not leak any information about the message, the output \(\sigma _{i,b}\) of the signing protocol on behalf of \(\mathcal { U}_b\) is indistinguishable from the output \(\sigma _{i,1-b}\) of the protocol on behalf of \(\mathcal { U}_{1-b}\). If \(\mathcal { S}^{*}\) rejects to sign one of the inputs \((X_{i,b},\pi _{i,b}^{(2)})\) or \((X_{i,1-b},\pi _{i,1-b}^{(2)})\), then for the corresponding output holds \(\sigma _{b}=\bot \) or \(\sigma _{1-b}=\bot \). This means that the both resulting signatures are set to \(\bot \), and \(\mathcal { S}^{*}\), does not gain any advantage if he would try to hinder the game execution. Otherwise, after finishing the signing phase of the blind signature for \(\mathcal { U}_b\) and \(\mathcal { U}_{1-b}\), \(\mathcal { C}\) checks the validity of the obtained signatures for \(\mathcal { U}_0\), \(\mathcal { U}_1\) by computing the follows \(e(Y_{i,b,1},g)=e(g_2,vk_i)e(X_{i,b},Y_{i,b,2})\). If both of the signatures \(\sigma _{i,b},\sigma _{i,1-b}\) are valid, \(\mathcal { C}\) gives them to \(\mathcal { S}^{*}\). If only one of them is valid, \(\mathcal { C}\) outputs \(\bot \). \(\mathcal { C}\) obtains then the output \(b'\) of \(\mathcal { S}^{*}\). If \(b=b'\), \(\mathcal { C}\) outputs \(\beta \leftarrow 0\), otherwise it outputs \(\beta \leftarrow 1\).

Analysis: Observe that if \(b=b'\) then \((u_{1,j},u_{2,j},u_{3,j})\) for \(j=\{1,\ldots ,\ell \}\) are DLIN tuples with \((u_{1,j},u_{2,j},u_{3,j})=\left( \left( u_{1}^{'}\right) ^{\xi _{1,j}},\left( u_{2}^{'}\right) ^{\xi _2,j},\left( u_{3}^{'}\right) ^{\xi _{3,j}}\right) \), with \(\xi _{3,j}=\xi _{1,j}+\xi _{2,j}\) and \((u_{1}^{'},u_{2}^{'},u_{3}^{'})=(g^a,g^b,b^c)\). In this case the challenger outputs \(b_{DLIN}=1\) and \(\sigma _{b},\sigma _{1-b}\) are perfectly simulated. Therefore \(Pr[b_{DLIN}=1|b=b']=1/2\) Whether the challenger \(\mathcal { C}\) outputs \(\bot \) or two valid signatures \(\sigma _0,\sigma _1\) depends only the adversary’s reply, i.e. whether its reply \(\sigma _i\) satisfies the verification process or not. Therefore it is completely independent from b, since the distribution of \(X_0\) and \(X_1\) are indistinguishable from each other. Hence \(Pr[b_{DLIN}=0|b\ne b']=1/2+\epsilon \). Eventually it follows that the success probability in DLIN problem is \(1/2(1/2)+1/2(1/2+\epsilon )=1/2+\epsilon /2\), which contradicts the DLIN assumption, for negligible \(\epsilon \).    \(\square \)