Paper 2024/183

On Security Proofs of Existing Equivalence Class Signature Schemes

Balthazar Bauer, Versailles Saint-Quentin-en-Yvelines University
Georg Fuchsbauer, TU Wien

Equivalence class signatures (EQS), introduced by Hanser and Slamanig (AC'14), sign vectors of elements from a bilinear group. Signatures can be ``adapted'', meaning that anyone can transform a signature on a vector to a (random) signature on any multiple of that vector. (Signatures thus authenticate equivalence classes.) A transformed signature/message pair is then indistinguishable from a random signature on a random message. EQS have been used to efficiently instantiate (delegatable) anonymous credentials, (round-optimal) blind signatures, ring and group signatures and anonymous tokens. The original EQS construction (J.Crypto'19) is only proven in the generic group model, while the first construction from standard assumptions (PKC'18) only yields security guarantees insufficient for most applications. Two works (AC'19, PKC'22) propose applicable schemes which assume the existence of a common reference string for the anonymity notion. Their unforgeability is argued via a security proof from standard (or non-interactive) assumptions. In this work we show that their security proof is flawed and explain the subtle issue.

Available format(s)
Public-key cryptography
Publication info
Equivalence class signaturessecurity proofs
Contact author(s)
balthazar bauer @ ens fr
georg fuchsbauer @ tuwien ac at
2024-02-09: approved
2024-02-07: received
See all versions
Short URL
Creative Commons Attribution


      author = {Balthazar Bauer and Georg Fuchsbauer},
      title = {On Security Proofs of Existing Equivalence Class Signature Schemes},
      howpublished = {Cryptology ePrint Archive, Paper 2024/183},
      year = {2024},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.