In this paper, we give evidence for the existence of limits to such transformations. Specifically, we show that a pairing generated in a natural way from the Decision Linear assumption in prime-order groups can be simultaneously cancelling and projecting only with negligible probability. As evidence that these properties can be helpful together as well as individually, we present a cryptosystem whose proof of security makes use of a pairing that is both cancelling and projecting.
Our example cryptosystem is a simple round-optimal blind signature scheme that is secure in the common reference string model, without random oracles, and based on mild assumptions; it is of independent interest.Category / Keywords: cryptographic protocols / blind signatures, pairings, composite-order groups Publication Info: To appear at Asiacrypt 2010; this is the full version. Date: received 6 Sep 2010, last revised 20 Sep 2010 Contact author: smeiklej at cs ucsd edu Available formats: PDF | BibTeX Citation Note: Fixed a bug in the proof of Proposition 6.4. Version: 20100920:191008 (All versions of this report) Discussion forum: Show discussion | Start new discussion