To fill this gap, we consider the question of what is the minimal number of pairings that one needs to compute in the verification of structure-preserving signatures. First, we prove lower bounds for schemes in the Type~II setting that are secure under chosen message attacks in the generic group model, and we show that three pairings are necessary and that at most one of these pairings can be precomputed. We also extend our lower bound proof to schemes secure under random message attacks and show that in this case two pairings are still necessary. Second, we build an automated tool to search for schemes matching our lower bounds. The tool can generate automatically and exhaustively all valid structure-preserving signatures within a user-specified search space, and analyze their (bounded) security in the generic group model. Interestingly, using this tool, we find a new randomizable structure-preserving signature scheme in the Type~II setting that is optimal with respect to the lower bound on the number of pairings, and also minimal with respect to the number of group operations that have to be computed during verification.
Category / Keywords: public-key cryptography / Structure-Preserving Signatures, Generic Group Model, Bilinear Groups, Formal Methods Original Publication (with major differences): IACR-PKC-2015 Date: received 11 Jan 2015 Contact author: dario fiore at imdea org Available format(s): PDF | BibTeX Citation Version: 20150112:072525 (All versions of this report) Short URL: ia.cr/2015/019 Discussion forum: Show discussion | Start new discussion