Paper 2007/132
Equivocal Blind Signatures and Adaptive UC-Security
Aggelos Kiayias and Hong-Sheng Zhou
Abstract
We study the design of practical blind signatures in the universal
composability (UC) setting against adaptive adversaries. We
introduce a new property for blind signature schemes that is
fundamental for managing adaptive adversaries: an {\em equivocal
blind signature} is a blind signature protocol where a simulator
can construct the internal state of the client so that it matches
a simulated transcript even after a signature was released.
%
We present a general construction methodology for building
practical adaptively secure blind signatures: the starting point
is a 2-move ``lite blind signature'', a lightweight 2-party
signature protocol that we formalize and implement both
generically as well as number theoretically: formalizing a
primitive as ``lite'' means that the adversary is required to show
all private tapes of adversarially controlled parties; this
enables us to conveniently separate zero-knowledge (ZK) related
security requirements from the remaining security properties in
the primitive's design methodology.
%
We then focus on the exact ZK requirements for building blind
signatures. To this effect, we formalize two special ZK ideal
functionalities, single-verifier-ZK (SVZK) and single-prover-ZK
(SPZK) and we investigate the requirements for realizing them in a
commit-and-prove fashion as building blocks for adaptively secure
UC blind signatures. SVZK can be realized without relying on a
multi-session UC commitment; as a result, we realize SVZK in a
very efficient manner using number theoretic mixed commitments
while employing a constant size common reference string and
without the need to satisfy non-malleability. Regarding SPZK we
find the rather surprising result that realizing it only for
static adversaries is sufficient to obtain adaptive security for
UC blind signatures. This important observation simplifies blind
signature design substantially as one can realize SPZK very
efficiently in a commit-and-prove fashion using merely an
extractable commitment.
We instantiate all the building blocks of our design methodology
efficiently thus presenting the first practical UC blind signature
that is secure against adaptive adversaries in the common
reference string model. In particular, we present (1) a lite
equivocal blind signature protocol that is based on elliptic
curves and the 2SDH assumption of Okamoto, (2) efficient
implementations of SPZK, SVZK for the required relations.
%
Our construction also takes advantage of a round optimization
method we discuss and it results in a protocol that has an overall
communication overhead of as little as 3Kbytes, employing six
communication moves and a constant length common reference string.
We also present alternative implementations for our equivocal lite
blind signature thus demonstrating the generality of our approach.
Finally we count the exact cost of realizing blind signatures
with our protocol design by presenting the distance between the
Note: Presented by Aggelos Kiayias at Workshop on Cryptographic Protocols (WCP'07) and U. Maryland; Slides are available at http://www.cse.uconn.edu/~akiayias/talks/
Metadata
- Available format(s)
-
PDF
- Publication info
- Published elsewhere. Unknown where it was published
- Keywords
- Blind SignaturesUC
- Contact author(s)
- hszhou @ cse uconn edu
- History
- 2007-04-24: last of 2 revisions
- 2007-04-18: received
- See all versions
- Short URL
- https://ia.cr/2007/132
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2007/132, author = {Aggelos Kiayias and Hong-Sheng Zhou}, title = {Equivocal Blind Signatures and Adaptive {UC}-Security}, howpublished = {Cryptology {ePrint} Archive, Paper 2007/132}, year = {2007}, url = {https://eprint.iacr.org/2007/132} }