Paper 2024/183
On Security Proofs of Existing Equivalence Class Signature Schemes
Abstract
Equivalence class signatures (EQS), introduced by Hanser and Slamanig (AC'14), sign vectors of elements from a bilinear group. Signatures can be ``adapted'', meaning that anyone can transform a signature on a vector to a (random) signature on any multiple of that vector. (Signatures thus authenticate equivalence classes.) A transformed signature/message pair is then indistinguishable from a random signature on a random message. EQS have been used to efficiently instantiate (delegatable) anonymous credentials, (round-optimal) blind signatures, ring and group signatures and anonymous tokens. The original EQS construction (J.Crypto'19) is only proven in the generic group model, while the first construction from standard assumptions (PKC'18) only yields security guarantees insufficient for most applications. Two works (AC'19, PKC'22) propose applicable schemes which assume the existence of a common reference string for the anonymity notion. Their unforgeability is argued via a security proof from standard (or non-interactive) assumptions. In this work we show that their security proof is flawed and explain the subtle issue.
Metadata
- Available format(s)
- Category
- Public-key cryptography
- Publication info
- Preprint.
- Keywords
- Equivalence class signaturessecurity proofs
- Contact author(s)
-
balthazar bauer @ ens fr
georg fuchsbauer @ tuwien ac at - History
- 2024-02-09: approved
- 2024-02-07: received
- See all versions
- Short URL
- https://ia.cr/2024/183
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2024/183, author = {Balthazar Bauer and Georg Fuchsbauer}, title = {On Security Proofs of Existing Equivalence Class Signature Schemes}, howpublished = {Cryptology ePrint Archive, Paper 2024/183}, year = {2024}, note = {\url{https://eprint.iacr.org/2024/183}}, url = {https://eprint.iacr.org/2024/183} }