On Pairing-Free Blind Signature Schemes in the Algebraic Group Model

Studying the security and efficiency of blind signatures is an important goal for privacy-sensitive applications. In particular, for large-scale settings (e.g. cryptocurrency tumblers), it is important for schemes to scale well with the number of users in the system. Unfortunately, all practical, group-based schemes either 1) rely on (very strong) number-theoretic hardness assumptions and computationally expensive pairing operations over bilinear groups or 2) support only a polylogarithmic number of concurrent (i.e., arbitrarily interleaved) signing sessions per public key. Following the recent work of Fuchsbauer et al. (EUROCRYPT '20), we revisit the security of two pairing-free blind signature schemes in the algebraic group model (AGM) + random oracle model (ROM). First, we prove that the popular blind Schnorr scheme is secure under the one-more discrete logarithm assumption if (polynomially many) signatures are issued sequentially. This stands in stark contrast to the results of Fuchsbauer et al. and Benhamouda et al. (EPRINT '20). Under the same assumptions, their (combined) results imply security against a polynomial-time attacker iff the signer opens at most polylogarithmically many concurrent signing sessions. We then reconsider the security of Abe's scheme (EUROCRYPT '01), which is known to have a flawed proof in the plain ROM. We give a proof under the discrete logarithm assumption in the AGM+ROM, even for (polynomially many) concurrent signing sessions. Finally, we demonstrate that these pairing-free signature schemes are immediately usable in a real-world setting. Using a cryptocurrency tumbling service as a model, we benchmark the Schnorr and Abe schemes under different workloads and degrees of parallelism and conclude that they can both handle large workloads at reasonable security levels, and have distinct optimal use cases.
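As an added illustration that is not part of the paper or its benchmark code: the three-move blind Schnorr protocol the abstract refers to (signer commitment, blinded challenge, response, unblinding), with the signer issuing signatures strictly one session at a time, as in the sequential setting the first result covers. The group parameters are a deliberately tiny constructed Schnorr group and the class and function names are this example's own choices.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed, far too small to be secure): p = 2q+1, q prime, g = 4 of order q.
P, Q, G = 1019, 509, 4

def hash_challenge(r_prime: int, msg: bytes) -> int:
    # Fiat-Shamir challenge c' = H(R', m), reduced into Z_q
    digest = hashlib.sha256(r_prime.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key x in [1, q-1]
    return x, pow(G, x, P)                    # public key X = g^x

class Signer:
    def __init__(self, sk):
        self.sk, self.r = sk, None            # r is the nonce of the one open session
    def commit(self):                         # move 1: send R = g^r
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)
    def respond(self, c):                     # move 3: send s = r + c*x and consume the nonce
        if self.r is None:
            raise RuntimeError("no open session")
        s, self.r = (self.r + c * self.sk) % Q, None
        return s

class User:
    """User side: blinds R and c so the signer never sees the final (R', c', s')."""
    def __init__(self, pk, msg):
        self.pk, self.msg = pk, msg
    def blind(self, R):                       # move 2: send blinded challenge c = c' + beta
        self.alpha = secrets.randbelow(Q)
        self.beta = secrets.randbelow(Q)
        self.r_prime = (R * pow(G, self.alpha, P) * pow(self.pk, self.beta, P)) % P
        return (hash_challenge(self.r_prime, self.msg) + self.beta) % Q
    def unblind(self, s):                     # signature on msg is (R', s') with s' = s + alpha
        return self.r_prime, (s + self.alpha) % Q

def verify(pk, msg, sig):
    r_prime, s_prime = sig                    # accept iff g^s' == R' * X^H(R', m)
    return pow(G, s_prime, P) == (r_prime * pow(pk, hash_challenge(r_prime, msg), P)) % P

def blind_sign_sequential(sk, pk, msgs):
    # one signature per message; each session is closed before the next one opens
    signer, sigs = Signer(sk), []
    for msg in msgs:
        user = User(pk, msg)
        c = user.blind(signer.commit())
        sigs.append(user.unblind(signer.respond(c)))
    return sigs
```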
