CryptoDB
On Security Proofs of Existing Equivalence Class Signature Schemes
Authors: |
|
---|---|
Download: | |
Conference: | ASIACRYPT 2024 |
Abstract: | Equivalence class signatures (EQS; Asiacrypt '14), sign vectors of elements from a bilinear group. Anyone can transform a signature on a vector to a signature on any multiple of that vector; signatures thus authenticate equivalence classes. A transformed signature/message pair is indistinguishable from a random signature on a random message. EQS have been used to efficiently instantiate (delegatable) anonymous credentials, (round-optimal) blind signatures, ring and group signatures, anonymous tokens and contact-tracing schemes, to name a few. The original EQS construction (J. Crypto '19) is proven secure in the generic group model, and the first scheme from standard assumptions (PKC '18) satisfies a weaker model insufficient for most applications. Two works (Asiacrypt '19, PKC '22) propose applicable schemes that assume trusted parameters. Their unforgeability is argued via a security proof from standard (or non-interactive) assumptions. We show that their security proofs are flawed and explain the subtle issue. While the schemes might be provable in the algebraic group model (AGM), we instead show that the original construction, which is more efficient and has found applications in many works, is secure in the AGM under a parametrized non-interactive hardness assumption. |
BibTeX
@inproceedings{asiacrypt-2024-34714, title={On Security Proofs of Existing Equivalence Class Signature Schemes}, publisher={Springer-Verlag}, author={Balthazar Bauer and Georg Fuchsbauer and Fabian Regen}, year=2024 }