Without Random Oracles
TatsuakiOkamoto
NTTLab oratories,Nipp onTelegraphandTelephoneCorp oration
1-1 Hikarino-oka,Yokosuka,239-0847Japan
March17,2006
Abstract. Thispap erprop osesanewecientsignatureschemefrombilinearmapsthatis
secureinthestandardmo del(i.e.,withouttherandomoraclemo del).Oursignaturescheme
is moreeectiveinmanyapplications (e.g.,blindsignatures,groupsignatures,anonymous
credentialsetc.)thantheexistingsecuresignatureschemesinthestandardmo del.Astypical
applicationsofoursignaturescheme,thispap erpresents ecientblindsignaturesand
par-tiallyblindsignaturesthataresecureinthestandardmo del.Here,partiallyblindsignatures
are ageneralizationofblindsignatures(i.e.,blindsignaturesareasp ecialcaseofpartially
blindsignatures)andhavemanyapplicationsincludingelectroniccashandvoting.Ourblind
signature schemeis more ecientthanthe existingsecure blindsignature schemesinthe
standard mo del suchas theCamenisch-Koprowski-Warinsch[9]andJuels-Luby-Ostrovsky
[24]schemes.Ourpartiallyblindsignatureschemeistherstonethatissecureinthe
stan-dardmo delanditisalsoecient(asecientasourblindsignatures).Thesecuritypro ofof
our blindandpartially blindsignature schemesrequires the2SDHassumption, astronger
variantoftheSDHassumptionintroducedbyBonehandBoyen[7].Thispap eralsopresents
anecientwaytoconvertour(partially)blindsignatureschemeinthe standardmodelto
aschemesecureforaconcurrentrunofusersinthecommonreferencestring(CRS)mo del.
Finally,wepresentablindsignatureschemebasedontheWaterssignaturescheme.
1 Intro duction
1.1 Background
Digital Signatures: Theconceptof digitalsignatures wasinventedbyDieand Hellman[18],
andtheirsecuritywasformalizedbyGoldwasser,MicalandRivest[23].Asecuresignaturescheme
exists if and only if a one-way function exists [28,36]. However, thegeneral solutionis far from
yieldinganypractical applications.
Using therandom oraclemo del,muchmore ecientsecuresignature schemeshaveb een
pre-sentedsuch as RSA-FDH, RSA-PSS, Fiat-Shamir and Schnorrsignature schemes. However,the
randomoraclemo delcannotb erealizedinthestandard(plain)mo del.Inaddition,signatureswith
hashfunctions(randomoracles)arelesssuitableforseveralapplications(e.g., groupsignatures).
Severalecientschemesthat aresecure in thestandard mo del haverecentlybeenpresented.
Therearetwoclassesofsuchschemes,some arebasedonthestrongRSAassumption(i.e.,based
on the integer factoring (IF) problem), while the others are based on bilinear maps (i.e., based
on the discrete logarithm (DL) problem).The Camenisch-Lysyanskaya [11], Cramer-Shoup [16],
Fischlin [20] and Gennaro-Halevi-Rabin [22] schemes are based on the strong RSAassumption.
TheBoneh-Boyen[7],Camenisch-Lysyanskaya[11],andWaters[37]schemesarebasedonbilinear
blo cksformany applicationssuch as blind signatures(for electronicvoting andelectronic cash),
groupsignaturesandcredentials.Inthelightoftheseapplications,theschemesbasedonbilinear
maps (i.e., based on the discrete logarithm problem) are b etter than those basedon the strong
RSA assumption (i.e., based on the integer factoring problem), since we can often more easily
constructecientproto colsbasedontheDLproblem(b ecausetheorderofa DL-basedgroupcan
b epublishedbuttheorderofanIF-basedmultiplicativegroupcannot),andthedatasizeisshorter
withbilinearmapsthanwithIFproblems.
Among the bilinear-map-based schemes, the Boneh-Boyen scheme is not suitable for many
applications suchas blindsignaturesand credentials,sincethesignatureforms g
1=(x+m+sy )
,
where (x;y ) isthesecret key,misa message and(;s)isthesignature, soit ishardto separate
anop eration(blinding,encryptionetc.)withmfrom anotherop erationthat usesthesecret key.
TheWatersschemeisb etterthantheBoneh-Boyenscheme,sinceamessageop eration,through
form Q
i2M u
i
,canb eseparatedfromanotherop erationthatusesthesecretkey.However,asshown
inSection 10theproto colofprovingtheknowledgeofamessage isnotsoecient.
Blind Signatures: Since theconcept ofblind signatureswas introducedby Chaum [14], ithas
b een used in numerous applications, most prominently in electronic voting and electronic cash.
Informally, blind signaturesallow a user to obtainsignatures from a signer onanydo cument in
suchamannerthatthesignerlearnsnothingab outthemessagethatisbeingsigned.Thesecurity
ofblindsignatureswasformalizedby[24,31].
Evenintherandomoraclemo del,onlyafewsecureblindsignatureschemeshaveb eenproposed
[2,5,30{33];[5]requiresa non-standard strongassumption and[31{33]onlyallowauser tomake
a p oly-logarithmically(not p olynomially)b oundednumberofinteractionswitha signer,while[2,
30]aresecureforap olynomiallynumberofinteractions.
Only two secure blind signature schemes haveb een presented in the standard mo del [9,24].
However,theconstructionof [24] isbasedon ageneraltwo-partyproto coland isthus extremely
inecient.Thesolutionof[9]ismuchmoreecientthanthatof[24],butitisstillmuchlessecient
thanthesecureblindsignatureschemesintherandomoraclemo del[2,5,30{33].Forexample,the
proto colof[9]is muchmorecomplicated (whereproofsof knowledgeforat least40variablesare
requiredforauser)thanthatof[5,31,32],andrequiresmanyinteractionsb etweenuserandsigner.
Recently, a new blind signature schemethat is concurrently secure without random oracles has
b een presented[25], but it is in the commonreference string (CRS)mo del, notin thestandard
mo del.
Partially Blind Signatures: Oneparticular shortcomingof the conceptof blind signatures is
that,sincethesigner's view ofthemessage to b e signediscompletely blo cked,thesigner hasno
controlover theattributesexceptforthoseb ound bythepublickey.Forexample,a shortcoming
canb eseeninasimpleelectroniccashsystemwhereabankissuesablindsignatureasanelectronic
coin.Sincethebankcannotset thevalueonanyblindlyissued coin,ithastousedierentpublic
keysfordierentcoinvalues.Hencetheshopsandcustomersmustalwayscarryalistofthosepublic
keysintheirelectronicwallet,whichistypicallyasmartcardwhosememoryisverylimited.Some
electronicvotingschemesalsofacethesame problem.
A partial ly blindsignatureschemeallowsthesigner toexplicitlyinclude commoninformation
intheblindsignatureunder someagreementwiththereceiver.Thisconceptisageneralizationof
blindsignaturessincethe(normal)blindsignaturesarea sp ecialcaseofpartial lyblindsignatures
and a securepartially blind signatureschemein the randomoracle mo del werepresentedby [4].
However,nopartiallyblind signatureschemesecurein thestandardmo del hasb een prop osed.
1.2 Our Result
Thispap erprop osesnewdigitalsignatures,blind signatures,andpartiallyblindsignatures:
{ (Digitalsignatures:)
Weproposeanewecientsignatureschemesecureinthestandardmo delthatismoresuitable
formanyapplicationsincludingblindsignaturesthantheexistingsignatureschemessecurein
thestandard model [7,11,16,37]. Thesecurity ofourbasic signature schemedep endsonthe
strongDie-Hellman (SDH)assumption introduced by[7], and itsvariantsignature scheme
dep endsonthe2SDHassumption,a variantoftheSDHassumption.
{ (Blindsignatures:)
Weprop osea secureblindsignatureschemein thestandardmodelwhoseeciencyis
compa-rabletothatofexistingblindsignatureschemeswhosesecurityhasbeenanalyzedheuristically
or in the random oracle model. The security pro of of our schemedep ends on the 2SDH
as-sumption.
{ (Partiallyblindsignatures:)
Weprop osetherstsecurepartiallyblindsignatureschemeinthestandardmo del.Thisscheme
isas ecientasourblindsignaturesandsecureunderthe2SDHassumptions.
{ (Conversiontoconcurrentsecurity:)
Theprop osed(partially)blindsignatureschemeissecureforp olynomiallymanysynchronized
(orconstant-depthconcurrent)runsof users,butthesecuritypro ofdo esnotworkforgeneral
concurrentruns.Thispap erpresentsanecientwaytoconvertour(partially)blindsignature
schemeinthestandard mo delto a schemesecurefora generalconcurrentrun ofusersinthe
commonreferencestring(CRS)mo del.
{ (Blindsignaturesfrom Waters:)
Thispap er alsopresents (partially)blind signaturesfrom theWatersschemethat are secure
inthestandardmo del under theBDH assumption.The(partially)blind signaturesaremuch
lesspracticalthantheab ove-mentionedproposedscheme.
2 Preliminaries
2.1 Denition ofSecureSignature Schemes
Inthissectionwerecallthestandardnotionofsecurity,existentialunforgeability(againstchosen
messageattacks)[23]aswellas aslightlystrongernotionofsecurityforasignaturescheme,strong
existentialunforgeability(against chosenmessageattacks)[7].
A signature schemeis made up of three algorithms (machines) (G;S;V), for key generation,
signing and verication. Here we omit the description of these algorithms except the minimum
syntax description, G(1 n
) = (pk ;sk ), S(sk;m) = and V(pk;m;) = accept=reject. For a
detailed description,see[23]).
Existentialunforgeability: Todeneexistentialunforgeability,weintroducethefollowinggame
Runkeygenerationalgorithm G(1 n
)toobtainapairofpublic-keyandsecret-key,(pk ;sk ).pk
isgivento adversaryA,and (pk;sk )isgiventosigner S.
2. (Queriesto signingoracle:)
A adaptively requests S (or signing oracle) to sign on at most q
S
messages of his choice
m
1 ;:::;m
q
S
.S resp onds tom
i
witha signature
i
=S(sk;m
i ).
3. (Output:)
Eventually,Aoutputspair(m;).Awinsthegameif
(a) misnotanyofm
i
(i=1;:::;q
S ).
(b) V(pk;m;)=accept.
Wedene Adv unforge
Sig
to b e theprobability that A wins the ab ovegame, taken over the coin
tossesmadebyA,G andS.
Denition1. (Existential Unforgeability)Adversary A (t;q
S
;)-forges a signature scheme if A
runsintimeatmostt, Amakesatmostq
S
queriestoS,andAdv unforge
Sig
isatleast.A signature
schemeis(t;q
S
;)-existentially-unforgeableunderadaptivechosenmessageattacksifnoadversary
A(t;q
S
;)-forgesthe scheme.
Remark: (Strong Existential Unforgeability) If the conditionin Step 3a in the ab ovegame is
changedto\(m;)isnotanyof(m
i ;
i
)"(insteadthat \misnotanyofm
i
")(i=1;:::;q
S ),we
obtainastrongernotionofunforgeability.Ifaschemesatisestheab ovedenitionof
unforgeabil-ity under this stronger notion, we say that it is (t;q
S
;)-strongly-existentially-unforgeableunder
adaptivechosenmessage attacks.
2.2 Denition ofSecure(Partially)Blind Signature Scheme
Inthis sectionwerecallthedenitionofasecurepartial ly blindsignaturescheme[4,9].Notethat
thisdenitionincludesthatofasecureblindsignaturescheme[24]asasp ecialcasewherethepiece
ofinformationshared bythesigneranduser,info,is anullstring,?(i.e.,info=?).
Although ourdenition isbasedon [4,9],ourblindness denitionis slightlystrongerthan [4,
9]asfollows 1
:
{ SignerS 3
can arbitrarilychoose pkin ours,whilepkmust b ehonestlygeneratedin [4,9].
Partially blind signature scheme: In the scenario of issuing a partially blind signature, the
signer and theuser areassumed to agree ona pieceof common information, denoted as info. In
some applications, info may bedecided bythe signer, while in other applications it mayjustb e
sentfromtheusertothesigner.Anyway,thisnegotiationisdoneoutsideofthesignaturescheme,
andwewantthesignatureschemeto b esecureregardlessofthepro cessofagreement.
Denition2. (PartiallyBlindSignatureScheme)APartiallyblind signatureschemeismadeup
of four(interactive)algorithms(machines)(G;S;U;V).
1
Thestronger denition isalso introducedin[1]. Thedenition showninourpreliminaryversion[29]
hasa trivialawintheblindness denition,where evenifonlyoneoftwousers, U0 or U1,outputs a
validsignature, S 3
is allowedto obtain the validsignature. Then, ifS 3
interacts incorrectlywith U
0
andcorrectlywithU
1
inthesigningproto col, S 3
canidentifym
b
(i.e.,b)forU
0
bycheckingU
1 'svalid
publicandsecretkey pair(pk;sk ).
{ SandU areapairofprobabilisticinteractiveTuringmachineseachofwhichhasapublicinput
tape,aprivateinputtape,aprivaterandomtape,aprivateworktape,aprivateoutputtape,a
publicoutputtape,andinputandoutputcommunicationtapes.Therandomtapeandtheinput
tapes are read-only,and the output tapes are write-only.The private work tape isread-write.
The publicinputtapeof U containspk generatedbyG(1 n
) andinfo. The publicinput tape of
S containsinfo. Theprivate inputtapeof S containssk ,andthat forU containsmessagem.
S andU engagein thesignatureissuingprotocolandstopinpolynomial-timeinn.Whenthey
stop,thepublic outputtapeofS containseither completedornot-completed.Similarly,the
privateoutput tapeof U containseither?or (m;).
{ V is a (probabilistic) polynomial-time algorithm that takes (pk;info;m; ) and outputs either
acceptorreject.
Denition3. (Completeness)IfS andU followthesignatureissuingprotocolwithcommoninput
(pk ;info),then,with probabilityof atleast101=n c
forsucientlylargenandsomeconstantc,S
outputscompleted, andU outputs (m; )thatsatisesV(pk ;info;m; )=accept.Theprobability
istakenoverthe coinips ofG,S andU.
Wesaymessage-signaturetuple(info;m; )isvalidwithregardtopk ifitleads V toaccept.
Partialblindness: Todenetheblindnessprop erty,letusintroduce thefollowinggameamong
adversarialsignerS 3
andtwohonest usersU
0 andU
1 .
1. AdversaryS 3
(1 n
;info)outputspk and(m
0 ;m
1 ).
2. Setuptheinputtap es ofU
0 ,U
1
asfollows:
{ Randomly selectb2f0;1gand put m
b
andm
b
ontheprivateinput tap es of U
0 and U
1 ,
resp ectively(
bdenotes10b hereafter).
{ Put(info;pk )onthepublicinputtap esofU
0 andU
1 .
{ Randomlyselectthecontentsoftheprivaterandomtap es.
3. AdversaryS 3
engagesinthesignatureissuingproto colwithU
0 andU
1 .
4. If U
0 and U
1
output valid signatures (info;m
b ;
b
) and (info;m
b ;
b
), resp ectively, then give
(
0 ;
1 )to S
3
. Give?toS 3
otherwise.
5. S 3
outputsb 0
2f0;1g.
Wedene
Adv blind
PBS
=21Pr[b 0
=b]01;
wheretheprobabilityistakenoverthecointossesmadebyS 3
,U
0 andU
1 .
Denition4. (PartialBlindness)AdversaryS 3
(t;)-breakstheblindnessof apartial ly blind
sig-natureschemeif S 3
runsin timeat mostt, andAdv blind
PBS
isatleast. Apartial ly blind signature
schemeis(t;)-blindifno adversaryS 3
(t;)-breaksthe blindness ofthe scheme.
Remark: (PartiallyPerfectBlindness) As usual, one can go fora stronger notionof blindness
dep endingonthep oweroftheadversaryand itssuccessprobability.A schemeprovidespartially
userU 3
andanhonest signerS.
1. (pk;sk )isgeneratedbyG(1 n
),pkisput onthepublicinputtap esofU 3
andS,andskisput
ontheprivateinputtap eofS.
2. Foreachrunofthesignatureissuingproto colwithS,adversaryU 3
outputsinfo, whichisput
onthepublicinputtap eofS. Then,U 3
engagesinthesignatureissuingproto colwithS ina
concurrentandinterleavingway.
3. For eachinfo, let`
info
b e thenumber ofexecutionsof thesignature issuing proto colwhere S
outputscompleted,giveninfoonitsinputtap e.(Forinfothathasneverappearedontheinput
tap eofS,dene`
info
=0.)Wheninfo=?,`
?
isalsodenedin thesamemanner.
4. U 3
winsthegameifU 3
outputs`validsignatures(info;m
1 ;
1
);:::;(info;m
` ;
`
)forsome info
suchthat
(a) m
i 6=m
j
foranypair(i;j)with i6=j (i;j2f1;:::;`g).
(b) `>`
info .
Wedene Adv unforge
PBS
to b e theprobability that U 3
wins the ab ovegame,taken over thecoin
tossesmadebyU 3
,G andS.
Denition5. (Unforgeability)AnadversaryU 3
(t;q
S
;)-forgesapartial lyblindsignaturescheme
if U 3
runs in time at most t, U 3
executes at most q
S
times the signature issuing protocol, and
Adv unforge
PBS
is atleast .A partial ly blind signature schemeis (t;q
S
;)-unforgeable if no adversary
U 3
(t;q
S
;)-forgesthe scheme.
2.3 Bilinear Groups
Thispaperfollowsthenotationregardingbilineargroupsin[8,7].Let(G
1 ;G
2
)b ebilineargroups
asfollows:
1. G
1 andG
2
aretwocyclicgroups ofprimeorderp,wherep ossiblyG
1 =G
2 ,
2. g
1
isa generatorofG
1 andg
2
is ageneratorofG
2 ,
3. isanisomorphism fromG
2 to G
1
,with (g
2 )=g
1 ,
4. eisa non-degeneratebilinearmap e:G
1 2G
2 !G
T
, wherejG
1 j=jG
2 j=jG
T
j=p,i.e.,
(a) Bilinear:forallu2G
1 ,v2G
2
and a;b2Z,e(u a
;v b
)=e(u;v ) ab
;
(b) Non-degenerate:e(g
1 ;g
2
)6=1(i.e.,e(g
1 ;g
2
)isageneratorofG
T ),
5. e; andthegroupactionin G
1 ,G
2 andG
T
canbecomputedeciently.
3 Assumptions
Here we rst recall the denition of the strong Die-Hellman (SDH) assumption intro ducedin
[7],onwhichthesecurityofoursignatureschemeis based,andthenintroduce newassumptions,
the 2-variable strong Die-Hellman(2SDH), on whichthe securityof a variantof oursignature
Let(G
1 ;G
2
)b ebilineargroupsasshowninSection2.3.Theq-SDHproblemin(G
1 ;G
2
)isdened
asfollows:giventhe(q+2)-tuple (g
1 ;g 2 ;g x 2 ;:::;g
x q
2
)asinput,outputpair(g 1
x+c
1
;c)wherec2Z 3
p .
AlgorithmAhasadvantage,Adv
SDH
(q),insolvingq-SDHin(G
1 ;G 2 )if Adv SDH
(q) Pr[A(g
1 ;g 2 ;g x 2 ;:::;g
x q
2 )=(g
1
x+c
1 ;c) ];
where theprobabilityistaken over therandomchoicesofg
2 2G
2
,x;y2Z 3
p
,andthecointosses
ofA.
Denition6. Adversary A (t;)-breaks the q -SDH problem if A runs in time at most t and
Adv
SDH
(q) is at least . The (q;t;)-SDH assumption holds if no adversary A (t;)-breaks the
q -SDH problem.
3.2 2-Variable StrongDie-Hellman (2SDH) Assumption:
Theq -2SDHproblemin(G
1 ;G
2
)isdenedasfollows:givena(3q+4)-tuple(g
1 ;g 2 ;w 2 g x 2 ;u 2 g y 2 ;g y+b 1 x+a 1 2
;:::;g y +bq x+a q 2 ;a 1 ;:::; a
q ;b
1 ;:::;b
q
)as input,output( g y +d
x+
1
; g x+
2
;d)as wellas
Test() (U;V), where a
1 ;:::; a
q ;b
1 ;:::;b
q
;d;;2 Z 3 p ; w 1 (w 2
);;U 2 G
1
; ;V 2 G
2 ;
and
e(;)=e(g
1 ;u 2 g d 2
); e(U;)=e(w
1 ;w
2 )1e(g
1
;V); d62fb
1 ;:::;b
q
g: (1)
AlgorithmAhasadvantage,Adv
2SDH
(q),insolving q-2SDH in(G
1 ;G 2 )if Adv 2SDH (q) Pr[ A(g 1 ;g 2 ;w 2 ;u 2 ;g y +b 1 x+a 1 2
;:::;g y+b q x+a q 2 ;a 1 ;:::;a
q ;b
1 ;:::;b
q )
=(;;d;Test()); (2)
whereEq.(1)holds.Theprobabilityistakenovertherandomchoicesofg
2 2G
2 ,x;y;a
1 ;b
1 ;:::;a
q ; b q 2Z 3 p
,andthecointossesofA.
Denition7. Adversary A (t;)-breaks the q -2SDH problem if A runs in time at most t and
Adv
2SDH
(q ) is at least . The (q ;t;)-2SDH assumption holds if no adversary A (t;)-breaksthe
q -2SDHproblem.
Lemma 1. Assume thateachvariableX of f;Test()ginG
i
(i=1;2) correspondstoaunique
index value, (
X ;
X ) 2 (Z
3
p )
2
, such that X = w X i g X i
. For two variables, X and Y, we also
assumethate(X ;Y)correspondstoauniqueindexvalue,(!
1 ;!
2 ;!
3 )2(Z
3
p )
4
,suchthate(X ;Y)=
e(w 1 ;w 2 ) !1 1e(g 1 ;w 2 ) !2 1e(g 1 ;g 2 ) !3
.Here,(!
1 ;!
2 ;!
3
)isconsistentwith(
X ;
X
)and(
Y ;
Y )with
respecttothepairingoperation,andtheindexof avariableisalso consistentwithotherindexes of
other variableswithrespecttothe groupoperationin G
1 andG
2 .
Then, thereexistsTest() satisfyingEq.(1), if and only if correspondsto( ;)with 6=0
suchthat =w 2 g 2 .
Remark: To break the assumption in this lemma (i.e., to nd index values,(
X ;
X
)'s, of X,
or indexvalues,(!
1 ;!
2 ;!
3
)'s,ofe(X ;Y))impliesto computex(in Eq.(2))eciently.Therefore,
ifadversary A cannot correctly computeX ;Y satisfyingthe form e(X ;Y)=c without knowing
(extracting)thevalueof(
X ; X ; Y ; Y
),thenAcanoutput( ;)satisfying=w
2 g
2
with60
(mo dp), ifAprovidesa validanswerofthe2SDH problem,assumingthat Acannotcomputex.
Then,Acan breakthe2SDH +
Let X 2 f;U;Vg and X =w X i g X i
. For two variables, X =w X
1 g
X
1
and Y =w Y 2 g Y 2 , of
f;Test()g,ife(X ;Y)=e(w
1 ;w 2 ) ! 1 e(g 1 ;w 2 ) ! 2 e(g 1 ;g 2 ) ! 3
holds, then!
1 = X Y ;! 2 = X Y + X Y ;! 3 = X Y :
Supp oseTest()holds.Frome(U;)=e(w
1 ;w
2 )e(g
1 ;V),
e(U;) =e(w U 1 g U 1 ;w 2 g 2
)=e(w
1 ;w 2 ) U e(g 1 ;w 2 ) U+U e(g 1 ;g 2 ) U =e(w 1 ;w 2 )e(g 1 ;w 2 ) V e(g 1 ;g 2 ) V : Therefore, U
1 (mo dp);
U + U V
(mo d p);
U
V
(mo d p):
Then,
60 (mo dp).
(Onlyifpart:)
If w
2 g
2
( 6= 0), (U;V) satisfying Eq.(1) can b e computed such that U w 1= 1 g 1 , V w += 2 g 2
, whereisrandomlyselectedfromZ 3
p
. a
Lemma 2. Given(;U;V)withe(U; )=e(w
1 ;w
2 )1e(g
1
;V),foranyvalueof2Z 3 p thereexists 2Z 3 p
suchthat =g x+
2 .
Proof. Given ( ;U;V) with e(U; ) = e(w
1 ;w
2 )1e(g
1
;V), for any value of 2 Z 3
p
there exists
(;)2(Z 3 p ) 2 suchthat log g 2
= x+mo dp; log
g
2
U =x=+mo dp; log
g
2
V =( += )x+:
a
Remark1: ThecheckforTest()isintroducedtoavoidatrivialattack[35]suchthatrandomly
select 2 Z 3
p
, compute g
2
, where corresponds to g x+c
, and g y +d x+c 1 = (u 1 g d 1 ) 1= for an
arbitraryd 2Z 3
p
, and output (g y +d
x+c
1
;;d). Clearly this isa valid outputof the2SDH problem if
Eq.(1) is not tested. The output in this trivial attack, where = 0 with = w
2 g
2
, should b e
rejectedbytestingEq.(1),as shownin Prop osition1.
Remark2: Weoccasionallydroptandandrefertotheq-SDH(orq -2SDH)assumptionrather
thanthe(q ;t;)-SDH(or (q ;t;)-2SDH) assumption.Wealso sometimesdrop q-andreferto the
SDH(or2SDH)assumptionratherthantheq -SDH(q-2SDH)assumption.
The2SDHassumptionwithoutexplicitquantities(q;t;)denotesthe(q;t;)-2SDHassumption
withp olynomial-time quantitiesfor(q;t;),i.e., a p olynomial numb erof q,polynomial-timeoft,
andnegligible probabilityofinsecurityparametern.
Remark3: (Relationb etweentheSDHand2SDHassumptions)
Wenowconsideravariantofthe2SDHproblem,the2SDH +
problem,asfollows:givena(3q+
4)-tuple (g 1 ;g 2 ;g x 2 ;g y 2 ;g y +b 1 x+a 1 2
;:::;g y +bq
x+aq
2 ; a
1 ;:::;a
q ;b
1 ;:::;b
q
) as input, output a pair(g y +d
x+c
1
;c;d),
where(c;d)6=(a
i ;b
i
)foralli=1;:::;q .Wecanthendenethe2SDH +
assumption.
Clearlythe2SDH assumptionsisstronger thanthe2SDH +
assumptions.
The 2SDH +
assumptionand theSDH assumption canbereduced to eachother in a manner
similartothereductioninTheorem1(c
type
=1and2)aswellastheequivalenceof(q01)-wDHA
assumption and q-CAA assumption [27], where theq-wDHAproblem is to compute g 1
x
1
(q+2)-tuple (g
1 ;g
2 ;g
x
2 ;:::;g
x q
2
) as input, and the q -CAA problem is to computepair (g x+c
1 ;c)
where c2Z 3
p
and c62fa
1 ;:::;a
q
g,given a(2q+3)-tuple(g
1 ;g
2 ;g
x
2 ;g
1
x+a
1
2
;:::; g 1
x+aq
2 ; a
1 ;:::;a
q )
asinput.
4 The Prop osed Signature Scheme
ThissectionpresentstheproposedsecuresignatureschemeinthestandardmodelundertheSDH
assumption 2
Let (G
1 ;G
2
) b e bilinear groups as shownin Section 2.3. Here, we assume that the message,
m, tob e signedisanelementin Z 3
p
,but thedomaincan b e extendedto alloff0;1g 3
byusinga
collisionresistanthashfunctionH :f0;1g 3
!Z 3
p
,asmentionedinSection 3.5in[7].
4.1 Signature Scheme
Key generation: Randomly selectgenerators g
2 ;u
2 ;v
2 2G
2
and set g
1 (g
2 ), u
1
(u
2 ),
andv
1 (v
2
).Randomlyselectx2Z 3
p
andcomputew
2 g
x
2 2G
2
.Thepublicand secretkeys
are:
Public key: g
1 ;g
2 ;w
2 ,u
2 ,v
2
Secretkey: x
Signature generation: Let m2 Z 3
p
b e the message to b e signed. SignerS randomly selects r
andsfrom Z 3
p
,and computes
(g
m
1 u
1 v
s
1 )
1=(x+r )
:
Here 1=(x+r )mo dp(andm=(x+r)mo dpands=(x+r )mo dp)arecomputed. Intheunlikely
eventthatx+r0 modp,wetryagainwithadierentrandomr .(;r;s)isthesignatureofm.
Signature verication: Givenpublic-key(g
1 ;g
2 ;w
2 ;u
2 ;v
2
),message m, andsignature(;r;s),
checkthat m;r;s2Z 3
p ,2G
1
, 6=1,and
e(;w
2 g
r
2 )=e(g
1 ;g
m
2 u
2 v
s
2 ):
Iftheyhold,thevericationresultisvalid;otherwisetheresultisinvalid.
Remark: Hereweassumethatg
1 = (g
2
)hasb een conrmedwhenthepublic-keyisregistered.
Alternatively, g
1 = (g
2
) can b e conrmed in the signature vericationpro cedure, or g
1 is not
includedinthepublic-keyandg
1 = (g
2
)iscalculatedinthesignaturevericationpro cess.
4.2 Performance
Signaturelength: Asignaturecontainsthreeelements(;r;s),eachofwhichisaroundjpjbits,
so the signature length is around 3jpj bits. It is 1.5 times longer than that of the Boneh-Boyen
scheme[7].Forexample, ifweuse anelliptic curvedescrib ed in [8],and jpj=250,thesignature
length is 750 bits, which is still less than that of RSA based signatures with the same level of
security.
2
Inour preliminaryversion[29],avariantofthe 2SDHassumption,whichisequivalenttotheSDH
as-sumption,wasusedtoprovethesecurityofthisscheme.Thissignatureschemewasimplicitlyintroduced
Boneh-Boyen[7]andBLS[8].Signaturevericationtimeiscomparableto thatof[8],butaround
twiceasslowasthat of[7].
APerformance ImprovementTechnique (Precomputation) Byintroducingadditional
se-cretkeyy ;z2Z 3
p
suchthat u
2 =g
y
2 andv
2 =g
z
2
,wecan applytheprecomputationtechniquefor
signaturegeneration.
Beforegettingmessagem, signerS randomlyselectsr;fromZ 3
p
,andcomputes g =(x+r )
1
as the precomputationof a signature. Givenmessage m, S computes s suchthat s (0m0
y )=zmo dp;where1=zmo dpand(0y )=zmo dpcanb e alsoprecomputed.
4.3 Security
Theorem 1. Ifthe(q
S + 1;t
0
; 0
)-SDHassumptionholdsin(G
1 ;G
2
),theproposedsignaturescheme
is(t;q
S
;)-strongly-existentially-unforgeableagainstadaptivechosenmessageattacks,providedthat
3q
S
0
; and tt 0
02 (q 2
S T);
whereT isthe maximumtimeforasingleexponentiationin G
1 andG
2 .
Proof. AssumeAisanadversarythat(t;q
S
;)-forgesthesignaturescheme.Wewillthenconstruct
algorithmBthatbreaksthe(q
S
+ 1)-SDHassumptionwith(t 0
; 0
).Hereafter,weoftenuseq q
S + 1
(aswellasq
S ).
Aninformal outlineof ourpro of isas follows:Firstwe classifytheoutput(forgery) ofAinto
threetypes(Types-1,2,3).WewillthenshowthatanytypeofoutputallowsBtobreaktheq-SDH
assumption. Type-1forgeryleads tobreaking theq-SDHassumptionin a mannersimilar tothat
in [7].Type-2 forgeryleads to breakingtheq -SDH assumption.Type-3 forgeryleads to breaking
thediscretelogarithm(towhichq-SDHisreducible).
First,weintroducethreetypesofforgers,A.Let(g
1 ;g
2 ;w
2 ;u
2 ;v
2
)b egiventoAasapublic-key,
andz log
g2 v
2 2Z
3
p (i.e.,v
2 =g
z
2
).Supp oseAasksforsignaturesonmessagesm
1 ;:::;m
q
S 2Z
3
p
and is givensignatures (
i ;r
i ;s
i
)for i =1;:::;q
S
onthese messages.Thethree typesof forgers
areasfollows:
Type-1 forger outputsforgedsignature(m3; 3
;r 3
;s 3
)suchthat r 3
62fr
1 ;r
2 ;:::;r
q
S g.
Type-2 forger outputs forged signature (m 3
; 3
;r 3
;s 3
) such that r 3
2 fr
1 ;r
2 ; :::; r
q
S g (i.e.,
r 3
=r
k
forsome k2f1;:::;q
S
g)andm 3
+s 3
z6m
k +s
k
z (mo d p).
Type-3 forger outputs forged signature (m3; 3
;r 3
;s 3
) such that r 3
1 2 fr
1 ;r
2 ;:::; r
q
S g (i.e.,
r 3
=r
k
forsome k 2f1;:::;q
S
g) and m 3
+s 3
zm
k +s
k
z (mo d p). Note thatin thiscase
s 3
6=s
k
, sinces 3
=s
k
impliesm 3
=m
k and
3
=
k .
AlgorithmBis constructedas follows:
1. (Input:)
(g
1 ;A
0 ;A
1 ;:::;A
q
),whereA
i =g
x i
2
,fori=0;1;:::;q .
2. (Coinip:)
AlgorithmBrstpicksa randomvaluec
type
2f1;2;3gthatindicatesitsguessforthetypeof
forgerthatAwillemulate.Thesubsequentactionsp erformedbyBdierwithc
type
2f1;2;3g
asfollows:
3. (Ifc
Brandomlyselectsy ;z;r
i
(i=1;:::;q01) fromZ 3
p .
Let f(X) b e a p olynomial of variable X such that f(X) Q
q01
i=1
(X +r
i
)mo dp =
P q 01 i=0 i X i
.(HerenotethatxisavalueinZ 3
p
determinedbytheinputtoBsuchasA
1 =g
x
2 ,
while X is just a variable.) Clearly B can ecientlycalculate
i 2Z
3
p
(i =0;:::;q01)
fromr
i
(i=1;:::;q01).
Bcomputes g 0 2 q 01 Y i=0 A i i =g f(x) 2 ; w 0 2 q 01 Y i=0 A i i+1 =g xf(x) 2 =(g 0 2 ) x ; u 0 2 (g 0 2 ) y ; v 0 2 (g 0 2 ) z : Letg 0 1 (g 0 2 ),u 0 1 (u 0 2 )andv
0 1 (v 0 2 ).
Bgives(g 0 1 ;g 0 2 ;w 0 2 ;u 0 2 ;v 0 2
)toAas apublic-keyofthesignaturescheme.
(b) (Simulationofsigningoracle)
Up onreceivinga querytothesigningoracle,B simulatesthereplyto Aasfollows:
Let f
i
(X) f(X)=(X +r
i
)mo dp = Q
q 01
j =1;j6=i (X +r
j
)mo dp = P q 02 j=0 j X j
. B can
ecientlycalculate
j 2Z
3
p
(j=0;:::;q02) fromr
l
(l6=i ^ l =1;:::;q01).
Foreachqueryi(i=1;:::;q0 1)withmessagem
i
fromAtothesigningoracle,Brandomly
selectss
i 2Z
3
p
,andcomputes
i q 02 Y j=0 (A j ) j mi+y +siz = g fi(x) 1 mi+y +siz = g f(x)=(x+ri) 1 mi+y +siz =(g 0 1 ) (m i +y +s i z )=(x+r i ) = 0 (g 0 1 ) m i (u 0 1 )(v 0 1 ) s i 1 1=(x+r i ) :
B returns (
i ;r
i ;s
i
) to A as the reply to the query. Clearly this is a valid signature for
public-key(g 0 1 ;g 0 2 ;w 0 2 ;u 0 2 ;v 0 2
)andthedistributionisexactlythesame asthatgivenbythe
signingoracle.
(c) (Output)
WhenAoutputsa(valid)forgery(m 3 ; 3 ;r 3 ;s 3
),Bcheckswhetherr 3
2fr
1 ;:::;r
q 01 g.If r 3 2fr 1 ;:::;r
q 01
g,Bthenoutputsfailureand ab orts.Otherwise, 3 shouldsatisfy 3 =(g 0 1 ) (m 3 +y +s 3 z )=(x+r 3 ) ; since e( 3 ;w 0 2 (g 0 2 ) r 3
) = e(g 0 1 ;(g 0 2 ) m 3 (u 0 2 )(v 0 2 ) s 3 ), w 0 = (g 0 2 ) x , u 0 2 = (g 0 2 ) y ;v 0 2 = (g 0 2 ) z (i.e., e( 3 ;(g 0 2 ) x+r 3
)=e(g 0 1 ;(g 0 2 ) m 3 +y +s 3 z .) Letc(X) P q 02 i=0 ! i X i
andd2Z 3
p
suchthat f(X)c(X)(X+r 3
)+d (mo d p). Bcan
ecientlycalculate!
i ;d2Z
3
p
(i=0;:::;q02)from f(X)andr 3
.
Bthencomputes
( 3 ) 1=(m 3 +y +s 3 z ) q 02 Y i=0 (A i ) 0! i 1=d = (g f(x) 1 ) 1=(x+r 3 ) g 0c(x) 1 1=d = g (c(x)(x+r 3 )+d)=(x+r 3 )0c(x) 1 1=d = g c(x)+d=(x+r 3 )0c(x) 1 1=d =g 1=(x+r 3 ) 1 :
Boutputs(;r 3
type
(a) (Keysetup)
Brandomlyselectsz;a;b;r
i
(i=1;:::;q01)fromZ 3
p
,andrandomlyselectsk2f1;:::;q0
1g. Let f(X) Q
q 01
i=1 (X +r
i
)mo dp = P q 01 i=0 i X i , f i
(X) f(X)=(X +r
i
)mo dp =
Q
q 01
j=1;j6=i (X+r
j
)mo dp = P q 02 j=0 (i) j X j , f k;i
(X) f(X)=((X +r
k
)(X+r
i
))mo dp =
Q
q 01
j=1;j6=i;j 6=k (X+r
j
)mo dp= P q 03 l=0 l X l
, B can eciently calculate
i ; j ; l 2 Z 3 p (i =
0;:::;q01,j =0;:::;q02,l=0;:::;q03).
Bcomputes g 0 2 q 02 Y i=0 A (k) i i =g f k (x) 2 ; w 0 2 q 02 Y i=0 A (k) i i+1 =g xf k (x) 2 =(g 0 2 ) x ; u 0 2 ( q 01 Y i=0 A i i ) a ( q 02 Y i=0 A (k) i i ) b =g af(x) 2 g 0bf k (x) 2 ; v 0 2 (g 0 2 ) z : Letg 0 1 (g 0 2 ),u 0 1 (u 0 2 )andv
0 1 (v 0 2 ).
Bgives(g 0 1 ;g 0 2 ;w 0 2 ;u 0 2 ;v 0 2
)toAas apublic-keyofthesignaturescheme.
(b) (Simulationofsigningoracle)
Up onreceivinga querytothesigningoracle,B simulatesthereplyto Aasfollows:
Foreachqueryi2f1;2;:::;k01;k+1;q01g(i.e.,i6=k)withmessagem
i
fromAtothe
signingoracle,Brandomlyselectss
i 2Z
3
p
,andcomputes
i q 02 Y j=0 (A j ) j mi+siz q 02 Y j =0 (A j ) (i) j a q 02 Y j=0 (A j ) j 0b =(g f k ;i (x) 1 ) mi+siz (g af i (x) 1 g 0bf k;i (x) 1 ); =(g 0 1 )
(mi+y +siz )=(x+ri)
:
B returns (
i ;r
i ;s
i
) to A as the reply to the query. Clearly this is a valid signature for
public-key(g 0 1 ;g 0 2 ;w 0 2 ;u 0 2 ;v 0 2 ).
For the k -th query with message m
k
from A to the signing oracle, B computes s
k
(b0m
k
)=zmo dp,and
k q 02 Y i=0 (A i ) (k) i a =g af k (x) 1 =(g fk(x)(mk+skz ) 1 g af(x) 1 g 0bfk(x) 2 ) 1=(x+r k ) =((g 0 1 ) m k (v 0 1 ) s k u 0 1 ) 1=(x+r k ) : Therefore,( k ;r k ;s k
)isa validsignatureforpublic-key(g 0 1 ;g 0 2 ;w 0 2 ;u 0 2 ;v 0 2 ).
Breturns(
k ;r
k ;s
k
)toAas thereplytothequery.
(c) (Output)WhenAoutputsa(valid)forgery(m 3 ; 3 ;r 3 ;s 3
),Bcheckswhetherr 3 =r k and m 3 +s 3
z 6m
k +s
k
z (mo dp). If r 3 6=r k or m 3 +s 3
z m
k +s
k
z (mo d p), B outputs
failureandaborts.Otherwise,m 3
+s 3
z6m
k +s
k
z (mo dp).Letb 3
m 3
+s 3
zmo dp.
(Here b = m
k +s
k
zmo dp). Let h(X) P q 03 i=0 i X i
and d 2 Z 3
p
such that f
k (X)
h(X)(X+r
k
)+e (mo d p).Sinceb 3
6=b,Bcancompute
( 3
=
k )
1=(b 3
0b)
Q
q 03
i=0 (A
i )
i !
1=e
= g
fk(x)=(x+rk)
1
g h(x)
1
!
1=e
=g (f
k (x)=(x+r
k
)0h(x))=e
1
=g
(e=(x+rk)+h(x)0h(x))=e
1
=g
1=(x+rk)
1
Boutputs(;r
k ).
5. (Ifc
type =3;)
(a) (Keysetup)
Brandomlyselectsx 0
;y 0
fromZ 3
p .
Bcomputes
g 0
2 A
0 =g
2 ; w
0
2 (g
0
2 )
x 0
; u 0
2 (g
0
2 )
y 0
; v 0
2 A
1 =g
x
2 :
Herewerenamexasz 0
justforeaseofrepresentation,so
v 0
2 =(g
0
2 )
z 0
:
Letg 0
1 g
1 .
Bgives(g 0
1 ;g
0
2 ;w
0
2 ;u
0
2 ;v
0
2
)toAas apublic-keyofthesignaturescheme.
(b) (Simulationofsigningoracle)SinceBknowsx 0
,thesimulationofthesigningoracleexactly
replicatesthesigningoracle.
(c) (Output)WhenAoutputsa(valid)forgery(m 3
; 3
;r 3
;s 3
),Bcheckswhetherr 3
2fr
1 ;:::;r
qS g
(i.e.,r 3
=r
k
forsome k2f1;:::;q
S
g)ands 3
6=s
k . Ifr
3
62fr
1 ;:::;r
qS g ors
3
6=s
k , then
Boutputsfailureandab orts.Otherwise,Bcomputes
z 3
(m
k 0m
3
)=(s 3
0s
k
)modp;
andcheckswhetherA
1 =A
z 3
0
.Ifitholds,z 3
=z 0
=x.Bthenrandomlyselectsc2Z 3
p and
cancompute g 1=(z
3
+c)
1
=g 1=(x+c)
1 :
Boutputs(;c).
Note that if the forgery (m 3
; 3
;r 3
;s 3
) is Type-3, m 3
+s 3
z 0
m
k +s
k z
0
(mo dp) and
s 3
6=s
k ,so z
0
=(m
k 0m
3
)=(s 3
0s
k
)modp.
ThiscompletesthedescriptionofalgorithmB.Foranyvalueofc
type
2f1;2;3g,thedistribution
ofthesimulation(public-keygeneration andsigningoraclesimulation)byBisexactly equivalent
to that ofthe realattackscenario. Therefore,regardless ofthe valueof c
type
inside B , adversary
Apro ducesavalidforgeryintime twithprobabilityat least.
Wethenobtaintheprobability 0
thatB breakstheq-SDHassumptionas follows:
{ (Whenc
type =1;)
IfType-1forgeryo ccurs,B do esnotab ort(i.e.,breaks theq-SDHassumption).
{ (Whenc
type =2;)
IfType-2forgeryo ccurs,Bdo esnotab ort(i.e.,breakstheq-SDHassumption)withprobability
1=q
S .
{ (Whenc
type =3;)
IfType-3forgeryo ccurs,B do esnotab ort(i.e.,breaks theq-SDHassumption).
Sincethevalueofc
type
isindep endentofthetypeofforgery,Bbreakstheq -SDHassumptionwith
probabilityatleast=(3q
S
This section presents a variant of the prop osedsignature schemeshownin theprevious section.
Thisvariantisusedbyourblindsignatures.
5.1 Signature Scheme
Thekeygenerationisthesameasthat fortheprop osedsignaturescheme.
Thesignature,(;;s;Test()),ofmessage,m2Z 3
p
,isgenerated asfollows:
(g
m
1 u
1 v
s
1 )
1=( x+)
; g
x+
2
; Test() (U;V);
U w
1=
1 g
1
; V w
+=
2 g
2
; (3)
where ;;s;2Z 3
p
arerandomlychosen.
Thesignaturevericationis:
m;s2Z 3
p
; ;U 2G
1
; ;V 2G
2
; 6=1; 6=1
e(;)=e(g
1 ;g
m
2 u
2 v
s
2
); e(U;)=e(w
1 ;w
2 )1e(g
1
;V): (4)
5.2 Security
The followingtheorem shows that this variant of the prop osed signature schemeis existentially
unforgeable againstadaptive chosenmessage attacks, providedthat the 2SDH assumption holds
in(G
1 ;G
2 ).
Wenowintroduce a strongadaptive chosen message attack in this signature scheme,where,
given adversary's query, message m, the signing oracle returns to the adversary the signature,
(;r;s),ofthebasicsignatureschemepresentedinSection4,inplaceofthesignature,(;;s;Test()),
ofthe variant signatureschemeintroducedin thissection.
Ifanadversarycanforgethevariantsignatureschemeagainstadaptivechosenmessageattacks
(CMA), the adversary can also forge the variant signature schemeagainst strong adaptive
cho-sen messageattacks (S-CMA),sincea replyfrom thesigning oracle in S-CMA canb e eciently
transformedintoareplyfromthesigningoracle inCMA.Thatis,ifthevariantsignaturescheme
is secureagainst S-CMA,the variantsignatureschemeis alsosecure againstCMA.Thus, in the
followingtheorem, weshowthat thevariantsignatureschemeissecureagainstS-CMA.
Theorem 2. Ifthe (q
S ;t
0
; 0
)-2SDHassumptionholds in(G
1 ;G
2
),the proposedsignaturescheme
is (t;q
S
;)-existentially-unforgeable against \strong" adaptive chosen message attacks (S-CMA),
providedthat
2
0
; and tt 0
0O (q
S T);
where T is the maximum time for a single exponentiation in G
1
and G
2
and a single pairing
operation.
Proof. AssumeAisanadversarythat(t;q
S
;)-forgesthesignatureschemeinthesenseof\strong"
adaptivechosenmessageattacks.WewillthenconstructanalgorithmBthatbreakstheq
S -2SDH
assumptionwith(t 0
; 0
).
An informal outline of our pro of is as follows: First we classify the output (forgery) of A
into two types (Types-1,2). We will then show that any typ e of output allows B to break the
2SDH assumption. Typ e-1forgeryleads to breaking the2SDH assumption. Typ e-2forgeryleads
1 2 2 2 2
andz log
g2 v 2 2Z 3 p (i.e.,v 2 =g z 2
).Supp oseAasksforsignaturesonmessagesm
1 ;:::;m
q
S 2Z
3
p
andisgivensignatures(
i ;r
i ;s
i
)fori=1;:::;q
S
onthesemessages.Thetwotypesofforgersare
asfollows:
Type-1 forger outputsforgedsignature(m 3 ; 3 ; 3 ;s 3
)suchthatm 3
+s 3
z6m
i +s
i
z (mo d p)
foralli2f1;:::;q
S g.
Type-2 forger outputsforgedsignature(m3; 3
; 3
;s 3
)suchthatm 3
+s 3
zm
k +s
k
z (mo d p)
forsome k2f1;:::;q
S
g.Inthis case,s 3
6=s
k
,sinces 3 =s k impliesm 3 =m k and m 3 6=m k .
(Notethat weonlyconsiderstandardunforgeability,notstrongunforgeability,here.)
AlgorithmBis constructedas follows:
1. (Input:)
(g
1 ;g
2
;A;B;C
1 ;:::;C
qS ;a
1 ;:::;a
qS ;b
1 ;:::;b
qS
), where A = g x
2
, B = g y 2 , C i = g y +b i x+a i 2 (i =
1;:::;q
S ).
2. (Coinip:)
Algorithm B rst picks random value c
type
2 f1;2g that indicates its guess for the type of
forgerthat Awill emulate.Thesubsequentactionsp erformed by Bdier withc
type
2f1;2g
asfollows:
3. (Ifc
type =1;)
(a) (Keysetup)
Brandomlyselectsz2Z 3
p
,andB sets
w
2
A=g x
2
; u
2
B=g y 2 ; v 2 g z 2 :
Bgives(g
1 ;g 2 ;w 2 ;u 2 ;v 2
)toAas apublic-keyofthesignaturescheme.
(b) (Simulationofsigningoracle)
Up onreceivinga querytothesigningoracle,B simulatesthereplyto Aasfollows:
Foreachqueryi2f1;2;:::;q
S
gwithmessagem
i
fromAtothesigningoracle,Bcomputes
s i (b i 0m i
)=zmo dp; r
i a i i (C i )=g
(y +b i )=(x+a i ) 1 =g (m i +y +s i z)=(x+r i ) 1 :
Breturns(
i ;r
i ;s
i
)toAasthereplytothequery.Clearlythisisa validsignatureofthe
basicsignatureschemeforpublic-key(g
1 ;g 2 ;w 2 ;u 2 ;v 2 ).
(c) (Output) When A outputs a (valid) forgery (m 3 ; 3 ; 3 ;s 3
;Test()), B checkswhether
m 3
+s 3
z6m
i +s
i
z (mo dp)foralli2f1;:::;q
S
g.(Hereb
i =m
i +s
i
z (mo d p)fori2
f1;:::;q
S
g.)Ifm 3
+s 3
zm
k +s
k
z (mo d p)forsomek2f1;:::;q
S
g,Boutputsfailure
andab orts.Otherwise,Bsets b 3
m 3
+s 3
zmo dp,andoutputs( 3 ; 3 ;b 3 ;Test()).
4. (Ifc
type =2;)
(a) (Keysetup)
Brandomlyselectsx 0 ;y 0 fromZ 3 p . Bcomputes w 2 g x 0 2 ; u 2 g y 0 2 ; v 2
A=g x
2 :
Herewerenamexasz 0
justforeaseofrepresentation,so
v 2 =g z 0 2 :
Bgives(g
1 ;g 2 ;w 2 ;u 2 ;v 2
(b) (Simulationofsigningoracle)SinceBknowsx,thesimulationofthesigningoracleexactly
replicatesthesigningoracle.
(c) (Output)WhenAoutputsa (valid)forgery(m 3
; 3
; 3
;s 3
),Bcomputes
z 3
(m
i 0m
3
)=(s 3
0s
i
)mo dp;
for all if1;:::;q
S
g such that s
i 6= s
3
, and checks whether A = g z
3
2
. If it holds, z 3
=
z 0
= x. B then randomly selects c;d 2 Z 3
p
and computesg
(y +d)=(x+c)
1
and g c
2
. B outputs
(g
(y +d)=(x+c)
1
;g x+c
2
;d;Test()).
Notethatifforgery(m 3
; 3
; 3
;s 3
)isType-2,m 3
+s 3
z 0
m
k +s
k z
0
(mo dp)ands 3
6=s
k
forsomek2f1;:::;q
S
g.Then,z 0
=(m
k 0m
3
)=(s 3
0s
k
)mo dp.
ThiscompletesthedescriptionofalgorithmB.Foranyvalueofc
type
2f1;2g,thedistribution
ofthesimulation(public-keygeneration andsigningoraclesimulation)byBisexactly equivalent
tothatoftherealattackscenario.Therefore,indep endentlyofthevalueofc
type
insideB,adversary
Apro ducesavalidforgeryintime twithprobabilityat least.
Wethenobtaintheprobability 0
thatB breaksthe2SDH assumptionasfollows:
{ (Whenc
type =1;)
IfType-1forgeryo ccurs,B do esnotab ort(i.e.,breaks the2SDHassumption).
{ (Whenc
type =2;)
IfType-2forgeryo ccurs,B do esnotab ort(i.e.,breaks the2SDHassumption).
Since thevalueof c
type
is indep endentof the typ e offorgery, Bbreaks the q
S
-2SDH assumption
withprobabilityatleast. a
6 The Prop osed Blind Signature Scheme
Thissectionshowstheapplicationoftheprop osedsignatureschemetoblindsignatures.Wepresent
a secureblindsignatureschemeinthestandardmo del underthe2SDHand2SDH assumptions.
6.1 Blind Signature Scheme
Let(G
1 ;G
2
) b e bilineargroups as shownin Section 2.3. Here,we also assumethat themessage,
m, tob e blindly signedis anelementin Z 3
p
, but thedomaincan b e extendedtoall off0;1g 3
by
usinga collisionresistanthashfunctionH :f0;1g 3
!Z 3
p
,as mentionedinSection3.5in [7].
Key generation: Randomly selectgenerators g
2 ;u
2 ;v
2 2G
2
and set g
1 (g
2 ), u
1
(u
2 ),
andv
1 (v
2
).Randomlyselectx2Z 3
p
,andcomputew
2 g
x
2 2G
2 .
Thepublicandsecret keysare:
Public key: g
1 ;g
2 ;w
2 ,u
2 ,v
2
1. U checks whether g
2 ;w
2 , u
2 , v
2 2 G
2 and g
1 = (g
2
). If they hold, U pro ceeds with the
followingsignaturegeneration proto col.
2. U randomlyselectss;t2Z 3
p
,computes
X g
mt
1 u
t
1 v
st
1 ;
andsends X to S. Here m 2 Z 3
p
is the message to beblindly signed. In addition, U proves
toS that U knows(mtmo dp;t;stmodp) forX usingthewitness indistinguishablepro ofas
follows:
(a) U randomlyselectsa
1 ;a
2 ;a
3
fromZ 3
p
,computes
W g
a1
1 u
a2
1 v
a3
1 ;
andsendsW toS.
(b) S randomlyselects 2Z 3
p
andsends toU.
(c) U computes
b
1 a
1
+mtmo dp; b
2 a
2
+ tmo dp; b
3 a
3
+ stmo dp;
andsends(b
1 ;b
2 ;b
3 )toS.
(d) S checkswhetherthefollowingequationholdsornot:
g b
1
1 u
b
2
1 v
b
3
1
=WX
: (5)
Ifitholds,S accepts.Otherwise,S rejects andaborts.
3. IfSacceptstheab oveproto col,Srandomlyselectsr2Z 3
p
.Intheunlikelyeventthatx+r0
mo dp,S triesagainwithadierentrandomr.S alsorandomlyselects`2Z 3
p
, computes
Y (Xv `
1 )
1=(x+r)
;
andsends(Y;r;`)to U.
Here,Y =(Xv `
1 )
1=(x+r)
=(g m
1 u
1 v
s+`=t
1 )
t=(x+r )
.
4. U randomlyselectsf;2Z 3
p
,and computes
(ft) 01
mo dp; Y
; w
f
2 g
fr
2
; s+`=tmo dp:
ComputeTest( ) (U;V)asfollows:
U w
1=f
1 g
1
; V w
f+r
2 g
fr
2
; (6)
Here,=(g m
1 u
1 v
s+`=t
1 )
1=(fx+fr )
=(g m
1 u
1 v
1 )
1=(fx+fr )
,and =w f
2 g
fr
2 =g
fx+fr
2 .
5. (; ;;Test()) isablindsignatureofm.
Signature verication: Givenpublic-key(g
1 ;g
2 ;w
2 ;u
2 ;v
2
),message m, andsignature(;;;
Test()),check
m;2Z 3
p
; ;U 2G
1
; ;V 2G
2
; 6=1; 6=1;
e(;)=e(g
1 ;g
m
2 u
2 v
2
); e(U;)=e(w
1 ;w
2 )1e(g
1
;V): (7)
The following theorems show that the prop osed blind signature scheme is p erfectly blind and
unforgeableprovidedthatthe2SDHassumptionholdin (G
1 ;G
2 ).
Theorem 3. The proposedblind signatureschemeisperfectlyblind.
Proof. Wewill show that A'sview isp erfectly indep endent from the valueof b in the blindness
denition(exp eriment)showninSection 2.2.
EvenifdishonestsignerS 3
outputsanypublic-key,(g
2 ;w
2 ,u
2 ,v
2 )2(G
2 )
4
andg
1 = (g
2 ),the
view of S 3
, (X ;W; ;b
1 ;b
2 ;b
3
) as well as S's randomnessin thesignature generation proto col is
p erfectly(informationtheoretically)indep endentfromthevalueof(m;s;f),sinceX =(g m
1 u
1 v
s
1 )
t
isp erfectlyindependentfrom(m;s),theproto coliswitnessindistinguishablewithresp ectto(m;s)
againstanydishonestS 3
,andf isnotusedin theproto colwithS 3
.
Hence, the value of (m;;) is p erfectly indep endent from the view of S 3
, where = (x+
r )f mo dp and s+`=tmo dp. Here, = (g m
1 u
1 v
1 )
1=
, = g
2
, and (;;) is the (blind)
signatureof m. Therefore,the signaturealong withm, (m;;;), isalso p erfectlyindep endent
from theview of S 3
,since andare p erfectlydep endenton (m;;). Inaddition, (;U;V)is
p erfectlyindep endentfrom(f;fr )(i.e.,r ).
That is,thedistributionoftheviewofS 3
forU
0 andU
1
in theblindnessdenition inSection
2.2areequivalent.
Intheblindnessdenition (exp eriment),whether S 3
nallyreceives?ortwo validsignatures
dep endsonlyonwhetherS 3
'sreply(Y;R;`)toBsatisese(Y;w
2
R)=e(X
i v
`
1 ;g
2
)(i=0;1)ornot,
andisindep endentfromb,sincethedistributionsofX
0 andX
1
areequivalentandthedistribution
of(X
0 ;X
1
)isindep endentfromb. a
Denition8. Letsupposeaprotocolbetweentwoparities,AliceandBob.Inaroundofthe
proto-col,AliceandBobexchangemessages,a;b;c;:::;d,wheretherstmoveisAlice(i.e.,Alicesendsa
andBobreturnsbetc.).Wenowconsiderqroundsoftheprotocolexecution.Here(a
i ;b
i ;c
i ;:::;d
i )
is the exchanged messagesin the i-th round(i =1;:::;q). We say that a protocol betweenAlice
andBobisexecutedinasynchronizedrunofqroundsoftheprotocol,iftheqroundsoftheprotocol
consists of L sequential intervals and each interval, or the j-th interval (j = 1;:::;L), consists
of the paral lel run of q
j (q
j
2 f1;:::;q g rounds of the protocol. q = q
1 +111q
L
. Therefore, the
rst interval consistsof: the rst movefromAliceis (a
1 ;a
2 ;:::;a
q
1
), the secondmove from Bob
is (b
1 ;a
2 ;:::;b
q1
), and so on. After completing the rst interval, the second interval starts and
consists of: the rst move from Alice is (a
q1+1 ;a
q1+2 ;:::;a
q1+q2
), the second move from Bob is
(b
q1+1 ;b
q1+2 ;:::;b
q1+q2
), andso on.
Clearlythesynchronizedrun isa generalizationoftheparallelandsequentialruns.
Theorem 4. If the (q
S ;t
0
; 0
)-2SDH assumption holds in (G
1 ;G
2
), the proposed blind signature
scheme is (t;q
S
;)-unforgeable against an L-interval synchronized run of adversaries, provided
that
0
101=(L+1)
16
1; and t 0
O
24Lln(L+1)
1t
+2 (q
S T);
whereT isthe maximumtimeforasingleexponentiationin G
1 andG
2 .
Proof. Assume A is an adversary that (t;q
S
;)-forges the blind signature scheme.Wewill then
constructalgorithmBthat(t 00
;q
S ;
00
)-forgestheproposedsignaturescheme(thevariantsignature
scheme:Section 5)withstrongchosenmessage attacks(S-CMA).This leadstoanalgorithmthat
breaksthe2SDHassumptionwith(q
S ;t
00
+O (q
S T);
00
1 2 2 2 2
asa publickeyforblind signatures.
B is allowed to access the signing oracle of the basic signature scheme (Section 4) q
S times.
Here note that we assumeS-CMA, where the signingoracle return a signaturewith the form of
(;r;). By using this signing oracle, B playsthe role of an honest signer against A (dishonest
user).
First,ArequestsBtosignXalongwiththewitnessindistinguishable(WI)proto colonwitness
(mtmo dp;t;stmo dp) againstB 's random challenge 2Z 3
p
. After completing the WIprotocol,
B resets A to the initial state of the WI proto coland runs the same pro cedure with the same
commitmentvalueofW andanotherrandomchallenge 0
2Z 3
p (6=
0
).IfBsucceedsincompleting
theWIproto coltwicewithdierentchallenges and 0
suchthat
g b
1
1 u
b
2
1 v
b
3
1
=WX
; g b
0
1
1 u
b 0
2
1 v
b 0
3
1
=WX
0
; (8)
Bcan compute
m 0
(b
1 0b
0
1
)=(0 0
)mo dp;
t (b
2 0b
0
2
)=(0 0
)mo dp; (9)
s 0
(b
3 0b
0
3
)=(0 0
)mo dp;
suchthat
X =g m
0
1 u
t
1 v
s 0
1 :
Bcomputes
m m
0
=tmo dp; s s 0
=tmo dp: (10)
Bthenresumestheproto coljustaftertheWIproto col,andsendsmtothesigningoracle.The
signingoraclereturnstoB(;r;)suchthat (g m
1 u
1 v
1 )
1=(x+r )
.Bcomputes
Y
t
; ` t(0s)mo dp; (11)
andreturnsA(Y;r;`).
B repeatsthe abovepro cedures (at therequest of A)q
S
times. If allq
S
rounds of theab ove
pro cedures are completed, A nally outputs the at least q
S
+1 valid signatures with distinct
messages. From the pigeon-hole principle, among at least q
S
+1 distinct messages with valid
signatures that A outputs, at least one message with valid signature is dierent from the q
S
messageswith validsignaturesgivenbythesigningoracle. Thiscontradictstheq
S
-unforgeability
ofthebasicsignaturescheme.
The remaining problem in this strategy is howto execute all q
S
rounds of the WI protocol
twicewithdistinctchallenges and 0
ina synchronizedrunwithA.
Supp ose that thesynchronized run of blind signature generation proto col (includingthe WI
proto col) consistsof Lsequential intervals,thej-thof whichconsistsof theparallel executionof
q
j
roundsoftheprotocol,where q
S =q
1
+111+q
L .
B thenb ehavesin asynchronizedrun ofAasfollows:
1. TherandomnessofG,AandBisrandomlyxed.Then,q
S
randomchallengesofB ,(
1 ;:::;
qS ),
are also xed. Hereafterin this pro cedure, therandomness except B 's random challenges is
xed.
2. In thej-th intervalof thesynchronized run (j =1;:::;L), using(
Q
j +1
;:::;
Q
j +q
j ) (Q
j =
q
1 +111q
j01 and Q
1
= 0), B runs the blind signature generation protocol, and obtains A's
resp onses,(b
1 ;b
2 ;b
3 )
Qj+1
;:::;(b
1 ;b
2 ;b
3 )
Qj+qj
, forB 'schallenges,(
Qj+1 ;:::;
thej-thinterval(i.e.,justafterA'ssendingthecommitments,(X ;W)
Q
j +1
;:::;(X ;W)
Q
j +q
j ,
tosigner,B).Otherwise,Bhalts.
Bthenrandomlyselectschallenges,( 0 Q j +1 ;:::; 0 Q j +q j )( 0 Q j +1 6= Qj+1 ,:::; 0 Q j +q j 6= Qj+qj ),
andsendsthemtoA.B obtainsA'sresp onses, (b
1 ;b 2 ;b 3 ) 0 Q j +1
; :::;(b
1 ;b 2 ;b 3 ) 0 Q j +q j
.Bchecks
thevalidity, and ifall responses are valid, computes (m;t;s)
Q
j +1
;:::;(m;t;s)
Q
j +q
j
by Eqs.
(8),(9) and(10).Otherwise,B returnto thebeginningofthisstep.
4. With thehelp ofthe signingoracle, B thencomputes (Y;`)
Q
j +1
;:::;(Y;`)
Q
j +q
j
byEq. (11),
andsendsthem toA.
5. Moveto thenextinterval.
6. Ifallintervalsarecompletedsuccessfully,Aprovidesanoutput.
Wenowconsiderthegamescenariousedin Denition5.Inthegamescenario,letassumethat
therandomnessofG,U 3
(hereA)andSexceptS'srandomchallenges,(
1 ;:::;
qS
),isxed.Thus
valueof(
1 ;:::;
qS
)chosenleads totheresultofthegame,U 3
'swinor not.
To characterizeallchoicesofthevalueof(
1 ;:::;
qS
)thatleadtowin ornot,weconsideran
L layer tree from its ro ot no de (the 0-thlayer), in which all no des in the (j01)-th layer have
n
j
(p01) q
j
sons(j =1;:::;L). Thus, in totalthere are n
1 n
2 111n
L
leafs atthe b ottom(the
L-thlayer). Apathislab elledby(p
1 ;p
2 ;:::;p
L
),wherep
j
2f1;:::;n
j
g (j=1;:::;L),identies
a j-th layer node on the path. So, each no de can b e identiedby the corresp onding path, i.e.,
(p
1 ;p
2 ;:::;p
j
)denotesthej-thlayernodeonpath(p
1 ;p
2 ;:::;p
L
),andaleafnode(theL-thlayer
no de)hasthesame lab elasthecorresp ondingpath. Thero otno deisidentiedby?.Eachpath
leads to thegameresult,`win'or not(`lose'), andtheleafis lab elled by`win'or`lose'.If a no de
leads to game ab ort, then the no deis lab elled by `lose'.Wesay that a no de survivesif itis not
lab elledas `lose'.
Let
j01;(p1;:::;pj01)
b etheratioofsonsof(j01)-thno de(p
1 ;:::;p
j 01
)thatsurviveinthej-th
layeramong then
j
sonsof no de(p
1 ;:::;p
j01 ).Let
3
b e Adv unforge
PBS
withthexedrandomnessof
G,U 3
(A)andS exceptS'srandomchallenges,(
1 ;:::; q S ). Therefore, 3 = X (p 1 ;p 2 ;:::;p L01 ) ( 0;? 1;p1 2;(p 1 ;p 2 )
111
L01;(p 1 ;p 2 ;:::;p L01 ) )=(n 1 n 2 111n
L01 );
whereifL=1, 3
=
0;? .
We call path (p
1 ;p
2 ;:::;p
L
) heavy if (
0;? 111
L01;(p 1 ;p 2 ;:::;p L01 ) ) 3
=2. This leads to the
followingclaim:
Claim. Atleasthalf ofall`win'pathsareheavy.
Proof. Let's assume that more than half of all `win' paths are not heavy. That is, more than
3 (n 1 n 2 111n
L
)=2`win'pathsarenotheavy.Each `lose'pathcan b ecorresp ondedto a`win'path
disjointly(in the mannershown b elow),andthere are(1=(
0;? 111
L01;(p1;p2;:::;pL01)
)01) `lose'
pathsthatcorresp ondtoa single`win'path(p
1 ;p
2 ;:::;p
L
)disjointly.
This corresp ondence is made as follows: (1 0
j01;(p 1 ;p 2 ;:::;p j 01 ) )n j
`lose' sons of (j 01)-th
no de(p
1 ;:::;p
j01
)andalltheirdescendantpathscanb ecorrespondedtothe
j01;(p1;p2;:::;pj 01) n
j
`win'sonsof no de(p
1 ;:::;p
j 01
).That is,(1=
j 01;(p1;p2;:::;pj01)
01) `lose'sonsof (j01)-th no de
(p
1 ;:::;p
j 01
) and theirall descendantpaths can b e disjointlycorresponded to each`win'son of
no de (p
1 ;:::;p
j 01
). By rep eating this corresp ondence for all layers (j = 1;:::;L), (1=(
0;? 111
L01;(p 1 ;p 2 ;:::;p L01 )
)01)`lose'pathsaredisjointlycorresp ondedtoeach`win'path(p
1 ;p
2 ;:::;p
Therefore, if a `win'path is not heavy, there are more than 2= (`lose' or `win') paths that
corresp ond to the path. Sincethere are more than 3
(n
1 n
2 111n
L
)=2`not-heavywin' paths from
the assumption, there must b e more than n
1 n
2 111n
L
(= (2= 3
)( 3
(n
1 n
2 111n
L
)=2)) paths. This
contradictsthatthetotalnumberofpathsisn
1 n
2 111n
L
. a
Whenpath(p
1 ;p
2 ;:::;p
L
)isheavy,
j01;(p
1 ;p
2 ;:::;p
j 01 )
3
=2forallj=1;:::;L.Therefore,ifB
tries12ln(L+1)= 3
rewindingchallengesinthej-thinterval,theprobabilitythatBcancompute
(m;t;s)
Q
j +1
;:::;(m;t;s)
Q
j +q
j
isat least(10(L+1) 02
) (byChernob ound). (Note thatmore
preciselywehavetoconsidertheprobabilitythat 0
Q
j +i
=
Q
j +i
forsomei2f1;:::;q
j
g.However,
since the probability is negligible in n, around q
j
=(p01), we ignore it in this evaluation (i.e.,
preciselywehavetouse 3
=20q
j
=(p01)inplace of 3
=2,butthedierenceisnegligiblein n).)
Tosummariseintotal,Bbreakstheq
S
-unforgeabilityofthebasicsignatureschemewith
prob-abilityatleast(10(L+1) 02
) L
3
=2(i.e.,atleast(10(L+1) 01
) 3
=2)under theconditionthatB
rewindsrandomchallengesatmost12Lln(L+1)= 3
timesin Lintervals.
The ab ove-mentioned evaluation is basedon 3
as Adv unforge
PBS
under the xed randomness of
G,U 3
(here A)andS except S'srandomchallenges.Finally,givenas Adv unforge
PBS
overthewhole
randomspace,weevaluatethesuccessprobability.LetR
0
bethexedpartofrandomnessandR
1
b e S's randomnessfor challenges,(
1 ;:::;
qS
).Wesaythat avalueofR
0
is heavy,if Adv unforge
PBS
underthevalueofR
0
isatleast=2.Thisyieldsthefollowingclaimbyasimplecountingargument:
Claim. Morethanhalf of`win'valuesof(R
0 ;R
1
)haveheavyvaluesofR
0 .
Thus, B breaks the q
S
-unforgeability of the basic signature scheme with probabilityat least
(101=(L+1))=8undertheconditionthatBrewindsrandomchallengesatmost24Lln(L+1)=
timesintotal.By combiningthis resultwithTheorem2 weobtaintheclaimofthistheorem. a
Remark:(Constant-depthconcurrency)Wecandeneasp ecictypeofconcurrentruns,
constant-depthconcurrentruns,inwhich,informallyspeaking,onlyaconstantdepthofpurelyinnerrounds
is allowed in all paths. A synchronized run is a sp ecic type of depth-1 concurrent runs. We
can show thatourblind signature schemeis still secureagainsta constant-depthconcurrentrun
of adversariesunder the same assumption and mo del. The result is presented in the full paper
version.
7 The Prop osed Partially Blind Signature Scheme
Thissectionshowstheapplication oftheprop osedsignatureschemetopartially blindsignatures.
We present a secure partially blind signature scheme in the standard mo del under the 2SDH
assumption.
7.1 PartiallyBlind SignatureScheme
Let(G
1 ;G
2
) b e bilineargroups as shownin Section 2.3. Here,we also assumethat themessage,
m, to b e partially blindly signed is anelementin Z 3
p
, but the domain can b e extendedto all of
f0;1g 3
byusinga collision resistanthashfunctionH :f0;1g 3
!Z 3
p
,as mentionedin Section 3.5
2 2 2 2 2 1 2 1 2
v
1 (v
2
), and h
1
(h
2
). Randomlyselect x2Z 3
p
andcomputew
2 g
x
2 2G
2
.The public
andsecret keysare:
Public key: g
1 ;g
2 ;w
2 ;u
2 ;v
2 ;h
2
Secretkey: x
Partiallyblind signature generation:
1. Signer S and user U agree on common information m
0
(which is info in Section 2.2) in a
predeterminedway.
2. U randomlyselectss;t2Z 3
p
,computes
X h
m0t
1 g
m1t
1 u
t
1 v
st
1 ;
andsendsX toS.Here,m
1
isthemessagetob eblindlysignedalongwithcommoninformation
m
0
.Inaddition,U provestoS thatU knows(t;m
1
t;t;st)forX=(h m0
1 )
t
g m1t
1 u
t
1 v
st
1
usingthe
witnessindistinguishablepro ofasfollows:
(a) U randomlyselectsa
1 ;a
2 ;a
3
fromZ 3
p
,computes
W (h
m
0
1 )
a2
g a
1
1 u
a
2
1 v
a
3
1 ;
andsendsW toS.
(b) S randomlyselects 2Z 3
p
andsends toU.
(c) U computes
b
1 a
1 + m
1
tmo dp; b
2 a
2
+ tmo dp; b
3 a
3
+ stmo dp;
andsends(b
1 ;b
2 ;b
3 )toS.
(d) S checkswhetherthefollowingequationholdsornot:
(h m
0
1 )
b2
g b
1
1 u
b
2
1 v
b
3
1
=WX
:
Ifitholds,S accepts.Otherwise,S rejects andaborts.
3. IfSacceptstheab oveproto col,Srandomlyselectsr2Z 3
p
.Intheunlikelyeventthatx+r0
mo dp,S triesagainwithadierentrandomr.S alsorandomlyselects`2Z 3
p
, computes
Y (Xv `
1 )
1=(x+r)
;
andsends(Y;r;`)to U.
Here,Y =(Xv `
1 )
1=(x+r)
=(h m0
1 g
m1
1 u
1 v
s+`=t
1 )
t=(x+r )
.
4. U randomlyselectsf 2Z 3
p
,andcomputes
=(ft) 01
mo dp; Y
; w
f
2 g
fr
2
; s+`=tmo dp:
ComputeTest( ) (U;V)asfollows:
U w
1=f
1 g
1
; V w
f+r
2 g
fr
2
; (12)
Here,=(h m0
1 g
m1
1 u
1 v
s+`=t
1 )
1=(fx+fr )
=(h m0
1 g
m1
1 u
1 v
1 )
1=(fx+fr )
,and=w f
2 g
fr
2 =g
fx+fr
2 .
5. (; ;;Test())isthepartiallyblindsignatureof(m
0 ;m
1
),wherem
0
iscommoninformation
b etweenS andU,andm
1