Beyond the Limitation of Prime-Order Bilinear Groups, and Round Optimal Blind Signatures

At Eurocrypt 2010, Freeman proposed a transformation from pairing-based schemes in composite-order bilinear groups to equivalent ones in prime-order bilinear groups. His transformation can be applied to pairing-based cryptosystems exploiting only one of two properties of composite-order bilinear groups: cancelling and projecting. At Asiacrypt 2010, Meiklejohn, Shacham, and Freeman showed that prime-order bilinear groups according to Freeman's construction cannot have two properties simultaneously except negligible probability and, as an instance of implausible conversion, proposed a (partially) blind signature scheme whose security proof exploits both the cancelling and projecting properties of composite-order bilinear groups. In this paper, we invalidate their evidence by presenting a security proof of the prime-order version of their blind signature scheme. Our security proof follows a different strategy and exploits only the projecting property. Instead of the cancelling property, a new property, that we call translating, on prime-order bilinear groups plays an important role in the security proof, whose existence was not known in composite-order bilinear groups. With this proof, we obtain a 2-move (i.e., round optimal) (partially) blind signature scheme (without random oracle) based on the decisional linear assumption in the common reference string model, which is of independent interest. As the second contribution of this paper, we construct prime-order bilinear groups that possess both the cancelling and projecting properties at the same time by considering more general base groups. That is, we take a rank n ℤp-submodule of ℤ p n2, instead of ℤ p n, to be a base group G, and consider the projections into its rank 1 submodules. We show that the subgroup decision assumption on this base group G holds in the generic bilinear group model for n=2, and provide an efficient membership-checking algorithm to G, which was trivial in the previous setting. Consequently, it is still open whether there exists a cryptosystem on composite-order bilinear groups that cannot be constructed on prime-order bilinear groups.

[1]  Rafail Ostrovsky,et al.  Non-interactive Zaps and New Techniques for NIZK , 2006, CRYPTO.

[2]  Tatsuaki Okamoto,et al.  Hierarchical Predicate Encryption for Inner-Products , 2009, ASIACRYPT.

[3]  Alexandra Boldyreva,et al.  Efficient threshold signature, multisignature and blind signature schemes based on the Gap-Diffie-Hellman-Group signature scheme , 2002 .

[4]  David Chaum,et al.  Elections with Unconditionally-Secret Ballots and Disruption Equivalent to Breaking RSA , 1988, EUROCRYPT.

[5]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[6]  Masayuki Abe,et al.  Signing on Elements in Bilinear Groups for Modular Protocol Design , 2010, IACR Cryptol. ePrint Arch..

[7]  Dan Boneh,et al.  Evaluating 2-DNF Formulas on Ciphertexts , 2005, TCC.

[8]  Rafail Ostrovsky,et al.  Security of Blind Digital Signatures (Extended Abstract) , 1997, CRYPTO.

[9]  Masayuki Abe,et al.  A Framework for Universally Composable Non-committing Blind Signatures , 2009, ASIACRYPT.

[10]  Chanathip Namprempre,et al.  The One-More-RSA-Inversion Problems and the Security of Chaum's Blind Signature Scheme , 2003, Journal of Cryptology.

[11]  Rafail Ostrovsky,et al.  Security of blind digital signatures , 1997 .

[12]  Tatsuaki Okamoto,et al.  Efficient Blind and Partially Blind Signatures Without Random Oracles , 2006, IACR Cryptol. ePrint Arch..

[13]  Jung Hee Cheon,et al.  Discrete Logarithm Problems with Auxiliary Inputs , 2010, Journal of Cryptology.

[14]  Aggelos Kiayias,et al.  Concurrent Blind Signatures Without Random Oracles , 2006, SCN.

[15]  Amit Sahai,et al.  Round Optimal Blind Signatures , 2011, CRYPTO.

[16]  Marc Fischlin,et al.  Round-Optimal Composable Blind Signatures in the Common Reference String Model , 2006, CRYPTO.

[17]  Brent Waters,et al.  Building efficient fully collusion-resilient traitor tracing and revocation schemes , 2010, CCS '10.

[18]  Brent Waters,et al.  Efficient Identity-Based Encryption Without Random Oracles , 2005, EUROCRYPT.

[19]  Eike Kiltz,et al.  Secure Hybrid Encryption from Weakened Key Encapsulation , 2007, CRYPTO.

[20]  Victor Shoup,et al.  Lower Bounds for Discrete Logarithms and Related Problems , 1997, EUROCRYPT.

[21]  Tatsuaki Okamoto,et al.  Homomorphic Encryption and Signatures from Vector Decomposition , 2008, Pairing.

[22]  Georg Fuchsbauer,et al.  Automorphic Signatures in Bilinear Groups and an Application to Round-Optimal Blind Signatures , 2009, IACR Cryptol. ePrint Arch..

[23]  Tatsuaki Okamoto,et al.  Provably Secure Partially Blind Signatures , 2000, CRYPTO.

[24]  Amit Sahai,et al.  Efficient Non-interactive Proof Systems for Bilinear Groups , 2008, EUROCRYPT.

[25]  Masayuki Abe,et al.  A Secure Three-Move Blind Signature Scheme for Polynomially Many Signatures , 2001, EUROCRYPT.

[26]  A. Lewko,et al.  Fully Secure HIBE with Short Ciphertexts , 2009 .

[27]  Rafail Ostrovsky,et al.  Perfect Non-Interactive Zero Knowledge for NP , 2006, IACR Cryptol. ePrint Arch..

[28]  Hovav Shacham,et al.  A Cramer-Shoup Encryption Scheme from the Linear Assumption and from Progressively Weaker Linear Variants , 2007, IACR Cryptol. ePrint Arch..

[29]  Dan Boneh,et al.  Hierarchical Identity Based Encryption with Constant Size Ciphertext , 2005, EUROCRYPT.

[30]  Hovav Shacham,et al.  Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures , 2010, ASIACRYPT.

[31]  David Chaum,et al.  Blind Signatures for Untraceable Payments , 1982, CRYPTO.

[32]  Georg Fuchsbauer,et al.  Structure-Preserving Signatures and Commitments to Group Elements , 2010, CRYPTO.

[33]  Amos Fiat,et al.  Untraceable Electronic Cash , 1990, CRYPTO.

[34]  Jens Groth Optimal Structure-Preserving Signatures , 2011, ProvSec.

[35]  David Mandell Freeman,et al.  Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups , 2010, EUROCRYPT.

[36]  David Chaum,et al.  Blind Signature System , 1983, CRYPTO.

[37]  Yehuda Lindell,et al.  Concurrently-Secure Blind Signatures Without Random Oracles or Setup Assumptions , 2007, TCC.

[38]  Nigel P. Smart,et al.  Efficient Two-Move Blind Signatures in the Common Reference String Model , 2012, ISC.