Cryptology ePrint Archive: Report 2010/474

Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures

Sarah Meiklejohn and Hovav Shacham and David Mandell Freeman

Abstract: Beginning with the work of Groth and Sahai, there has been much interest in transforming pairing-based schemes in composite-order groups to equivalent ones in prime-order groups. A method for achieving such transformations has recently been proposed by Freeman, who identified two properties of pairings using composite-order groups--"cancelling" and "projecting"--on which many schemes rely, and showed how either of these properties can be obtained using prime-order groups.

In this paper, we give evidence for the existence of limits to such transformations. Specifically, we show that a pairing generated in a natural way from the Decision Linear assumption in prime-order groups can be simultaneously cancelling and projecting only with negligible probability. As evidence that these properties can be helpful together as well as individually, we present a cryptosystem whose proof of security makes use of a pairing that is both cancelling and projecting.

Our example cryptosystem is a simple round-optimal blind signature scheme that is secure in the common reference string model, without random oracles, and based on mild assumptions; it is of independent interest.

Category / Keywords: cryptographic protocols / blind signatures, pairings, composite-order groups

Publication Info: To appear at Asiacrypt 2010; this is the full version.

Date: received 6 Sep 2010, last revised 20 Sep 2010

Contact author: smeiklej at cs ucsd edu

Available formats: PDF | BibTeX Citation

Note: Fixed a bug in the proof of Proposition 6.4.

Version: 20100920:191008 (All versions of this report)

Discussion forum: Show discussion | Start new discussion