Abstract
Generic constructions of blind signature schemes have been studied since its appearance. Several constructions were made leading to generic blind signatures and achieving other properties such as identity-based blind signature and partially blind signature. We propose a generic construction for identity-based Proxy Blind Signature (\(\mathsf {IDPBS}\)). This combination of properties has several applications in the real world, in particularly in e-voting or e-cash systems and it has never been achieved before with a generic construction. Our construction only requires two classical signatures schemes: a blind EUF-CMA blind signature and a SUF-CMA unique signature. The security of our generic identity-based proxy blind signature is proven under these assumptions.
This study was partially supported by the French ANR, grants 18-CE39-0019 (MobiS5), the French government research program “Investissements d’Avenir” through the IDEX-ISITE initiative 16-IDEX-0001 (CAP 20-25), the IMobS3 Laboratory of Excellence (ANR-10-LABX-16-01), the French ANR project DECRYPT (ANR-18-CE39-0007) and SEVERITAS (ANR-20-CE39-0009).
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
1 Introduction
Designed in 1982 by D. Chaum [7], blind signatures are well known primitives, enabling anonymous system for banking and electronic voting. The end of the twentieth century and the beginning of the twenty-first was a golden age for blind signatures. Multiple improvements were made, e.g., a scheme based on discrete logarithm proposed by J. L. Camenisch [6]. Several new properties were developed such as proxy blind signature [27], partially blind signature [2], or fair blind signature [25].
At the same time, identity-based cryptography has been introduced by A. Shamir in 1985 [23]. It took until 2002 to produce the first identity-based blind signature [34].
Recently, with the development of cryptocurrency and practical e-voting systems, blind signature returns to the centre of the attention. For instance self-sovereign identity is a new approach to digital identity. It gives an independent control of the identity information that are given by people when certified information needs to be provided. In particularly, it addresses the difficulty of establishing trust in an interaction. Another application can be found in digital cash. In July 2021 was launch by the European Central Bank a project for digital euro to issue a new means of payment through electronic money. In order to be competitive with existing cryptocurrencies this digital euro should allow anonymity of payments. Identity-based blind signature could be the solution to facilitate the adoption of citizens. Moreover, the proxy property is needed to fit properly with the real world structure. In the case of the banks, they might want to distribute to several agencies located in different countries the ability to sign. In the case of e-voting, multiple polls are needed to organize an election. The delegation in several local pools is needed in order to distribute the election in each states or cities. In such a setup, identity-based proxy blind signature (\(\mathsf {IDPBS}\)) is the solution for a secure voting protocol. There exist 14 \(\mathsf {IDPBS}\) in the literature, 10 schemes use pairing [12, 13, 16, 22, 28,29,30,31, 33, 35] and the four others are paring free [15, 19, 20, 26].
Concerning generic constructions, D. Galindo et al. [10] shown that only a EUF-CMA (Existential UnForgeability under Chosen Message Attack) signature scheme and a EUF-CMA blind signature scheme are necessary to achieve an Identity-based Blind Signature (\(\mathsf {IDBS}\)). Hence our aim is to design a generic construction for an \(\mathsf {IDBS}\) but with an additional property: ability to delegates right to sign messages (i.e., proxy).
Contributions: We first define the security notions of \(\mathsf {IDPBS}\) that are not completely formalised in the literature. In order to prove our construction we need to have clear security experiments for all required properties.
We then propose the first generic construction for Identity-based Proxy Blind Signature. Our construction uses two building blocks:
-
a SUF-CMA (Strong Existential Unforgeability under Chosen Message Attack) unique signature scheme \({\mathsf {S}}=(\mathsf {KeyGen}_{\mathsf {S}}, \mathsf {Sign}_{\mathsf {S}},\mathsf {Verif}_{\mathsf {S}})\)
-
a EUF-CMA blind signature scheme \({\mathsf {BS}}=(\mathsf {KeyGen}_{\mathsf {BS}}, \mathsf {Protocol}_{\mathsf {BS}}, \mathsf {Verif}_{\mathsf {BS}})\).
We combine these two primitives in order to design a blind signature. In the literature there exist several SUF-CMA unique signature schemes, also known as Verifiable Unpredictable Functions (VUFs). For instance RSA-FDH [3] or [18] are unique signature schemes. There are also other unique signature schemes based on Diffie-Hellman assumption in bilinear groups [1, 8, 14, 17].
We formally prove the security of our construction that only relies on the security properties of the two primitives used. Our construction can be instantiated with any unique signature such as BLS [5] and any blind signature e.g., a blind ECDSA [21, 32].
Related Work: Since blind signature exists, numerous generic constructions are investigated. When they can be achieved, they allow to directly adapt new advances on more basic primitives. Few generic constructions have been presented for blind signatures. In [9], Fischlin et al. proved that blind signatures can be constructed by assembling a signature scheme with a zero-knowledge proof and an encryption scheme. The same year, another construction of identity-based (partially) blind signature was proposed by D. Galindo et al. [10]. This construction consists in two building blocks, a SUF-CMA signature scheme and a EUF-CMA blind signature scheme. They were all proved secure under some basic assumptions such as reliability of the underlying scheme in their respective settings.
Outline: In Sect. 2, we introduce the cryptographic material and notations for all building blocks of our construction. We also formally define the models of all the security properties of \(\mathsf {IDPBS}\). In Sect. 3, we present our main result i.e., the generic construction for \(\mathsf {IDPBS}\). In Sect. 4 we propose the security of our construction. Analysis of the efficiency is considered in Sect. 5. The conclusion is given in Sect. 6.
Notations: In this paper we will be using the following notations. Take \(\mathcal {D}\) and \(\mathcal {E}\) two algorithms, \(\langle \mathcal {D}, \mathcal {E} \rangle \) will correspond to an interactive protocol in between both algorithms. We will also denotes by \([\mathcal {D}]\) the set of all possible outputs of the specified algorithm. We will refer to the set of all values returned by an algorithm \(\mathcal {D}\) using \(Out(\mathcal {D})\).
2 Formal Security Definitions and Properties for \(\mathsf {IDPBS}\)
The definition of identity-based proxy blind signature varies in the literature. We give a definition based on [35] since it is the most generic one if we do not specify the ability to the original signer to actually sign messages (this ability is held to the proxy only). This feature could be added to the definition but there is no relevance for it. Note that our choice of definition is arbitrary yet we believe to be best suited.
Definition 1
(Identity-Based Proxy Blind Signature - \({\mathsf {IDPBS}}\)). An \(\mathsf {IDPBS}\) with security parameter \(\mathfrak {K}\) is a 5-tuple of polynomial-time algorithms and protocols (\(\mathsf {Setup}\), \(\mathsf {Extract}\), \(\langle \mathcal {S}, \mathcal {P} \rangle \), \(\langle \mathcal {P},\mathcal {U}\rangle \), \(\mathsf {PBVerif}\)) involving a public key generator \(\mathsf {PKG}\), an original signer \(\mathcal {S}\), a proxy signer \(\mathcal {P}\) and a user \(\mathcal {U}\). Algorithms work as follows:
-
\(\mathsf {Setup}(1^\mathfrak {K})\): this protocol is run by \(\mathsf {PKG}\). It calls \(\mathfrak {K}\) to generate the global parameters \(\mathsf {params}\) of the system and a master key-pair (mpk, msk).
-
\(\mathsf {Extract}({\mathsf {params}}, msk, ID)\): this protocol is run by the \(\mathsf {PKG}\). It takes as input an identity ID and a master key msk and return the corresponding secret key sk[ID] via a secure channel.
-
\(\langle \mathcal {S}, \mathcal {P} \rangle \) is the proxy-designation protocol between \(\mathcal {S}\) and \(\mathcal {P}\). The inputs are the two identities \(ID_\mathcal {S}\) and \(ID_\mathcal {P}\) of the signers, their respective secret keys (query to \(\mathsf {PKG}\) via \(\mathsf {Extract}\)) and a delegation warrant \(m_w\). As a result of the interaction, the expected local output of \(\mathcal {P}\) is a secret key \(sk_\mathcal {P}\) and a public agreement \(w_{\mathcal {S}\xrightarrow {}{} \mathcal {P}}\) that can be verified by any user. Formally \((sk_\mathcal {P},w_{\mathcal {S}\xrightarrow {}{} \mathcal {P}} )\xleftarrow {}\langle \mathcal {S}(ID_\mathcal {S}, ID_\mathcal {P}, sk[ID_\mathcal {S}],m_w),\mathcal {P}(ID_\mathcal {S}, ID_\mathcal {P}, sk[ID_\mathcal {P}]) \rangle \).
-
Signature issuing is an interactive protocol between the proxy signer \(\mathcal {P}(sk_\mathcal {P})\) with its secret key and the user \(\mathcal {U}(mpk, ID_\mathcal {S}, ID_{\mathcal {P}},m)\) knowing a message \(m \in \{0,1\}^*\) and both identities \(ID_\mathcal {P}\) and \(ID_\mathcal {S}\). It generates the signature for the user \(\sigma \xleftarrow []{} \langle \mathcal {P}(sk_\mathcal {P}),\ \mathcal {U}(mpk, ID_\mathcal {S}, ID_{\mathcal {P}},m)\rangle \).
-
\(\mathsf {Verif}(mpk, ID_{\mathcal {S}}, ID_{\mathcal {P}}, w_{\mathcal {S}\xrightarrow {}{} \mathcal {P}}, m, \sigma )\) it outputs 1 if the signature \(\sigma \) is valid with respect to m, \(ID_{\mathcal {S}}\), \(ID_{\mathcal {P}}\), \(w_{\mathcal {S}\xrightarrow {}{} \mathcal {P}}\) and mpk, otherwise 0.
The security of proxy signature has been defined in [4]. For this type of schemes, the adversary is allowed to corrupt an arbitrary number of users and learn their secret keys. Moreover, the adversary can register public keys on behalf of new users, possibly obtained otherwise than running the key-generation algorithm, and possibly depending on the public keys of already registered users. The adversary is also allowed to interact with honest users playing the role of a original signer or of a proxy signer.
Oracles. The adversary has access to oracles during this process. Elements returned by the adversary should not have been received from an oracle’s query.
-
Query of Extraction: \(\mathcal {O}_\mathsf {Extract}(msk, \cdot ) \xrightarrow {} (sk[ID_i], {\mathsf {cert}}_{ID_i})\)
\(\mathcal {A}\) request extraction for an identity \(ID_i\), he sends \(ID_i\) to the PKG and receive the consistent answer \(sk[ID_i]\) with the certificate \({\mathsf {cert}}_{ID_i}\).
-
Query of Keys Delegation: \(\mathcal {O}_{ID \xrightarrow {} \mathcal {A}}(ID, sk[ID], m_w, ID_i)\)
The adversary produces an identity \(ID_i\), a warrant \(m_w\) and request to the user with identity ID a delegation. The following protocol is executed \(\langle \mathcal {A}(ID_i, ID, m_w),\mathcal {C}(ID, sk[ID])\rangle \xrightarrow {} (sk_{ID_i}, w_{ID \xrightarrow {} ID_i})\)
-
Query of Issuing Delegation: \(\mathcal {O}_{\mathcal {A} \xrightarrow {} ID}(ID_i, sk[ID_i], m_w, ID)\)
For an already existing identity ID, \(\mathcal {A}\) asks to delegate to an user with identity \(ID_i\) chosen by himself. The protocol \(\langle \mathcal {A}(ID,sk[ID], ID_i, m_w), \mathcal {C}(ID_i, ID)\rangle \xrightarrow {} (sk_{ID_i}, w_{ID \xrightarrow {} ID_i})\) is executed. The transcript of the interactions is given to \(\mathcal {A}\) but he does not learn the secret key.
-
Query of Secret Key: \(\mathcal {O}_\mathsf {Exposure}(ID_i) \xrightarrow {} sk[ID_i]\)
For any already existing \(ID_i\) different to the identity of the user under attack, \(\mathcal {A}\) can request a secret key to \(\mathcal {S}\).
-
Query of Proxy Secret Key: \(\mathcal {O}_\mathsf {PExposure}(ID_i) \xrightarrow {} sk_{ID_i}\)
For any already existing \(ID_i\) different to identity of the user under attack, \(\mathcal {A}\) can request a proxy secret key.
-
Query of Transcript of Delegation: \(\mathcal {O}_{ID_i \rightarrow {} ID_j}\)
\(\mathcal {A}\) chooses two identities \(ID_i\) and \(ID_j\) with \(ID_i\) already extracted. Then \(\langle \mathcal {C}(ID_i),\mathcal {P}(ID_j)\rangle \) is executed and the adversary gets the transcript of the interactions. The identities \(ID_i\) and \(ID_j\) are not necessarily different.
-
Query of signature: \(\mathcal {O}_\mathsf {S}(ID_i, m) \xrightarrow {} \sigma _m\)
\(\mathcal {A}\) can ask for a blind signature from \(ID_i\) (an already claimed identity). \(\mathcal {A}\) chooses the message and a signature \(\sigma \) is produced and returned to him.
-
Query of proxy signature: \(\mathcal {O}_\mathsf {PS}(ID_i, m) \xrightarrow {} \sigma _m\)
\(\mathcal {A}\) chooses a message m and two identities \(ID_i\), \(ID_j\) with \(ID_i\) already extracted and \(ID_j\) provided with a delegation from \(ID_i\). The proxy signature protocol is run with \(\mathcal {A}\) playing the role of the user and the user associated to \(ID_j\) the proxy signer.
Security Properties. We formally defined all security properties that a \(\mathsf {IDPBS}\) scheme should satisfy as follows:
-
Blindness has to be consider from two points of view since attackers could be either \(\mathcal {S}^*\) or \(\mathcal {P}^*\). Both are still required to win the experiment \(\mathsf {Exp}_{\mathsf {IDPBS}, \mathcal {*}}^{bl} (\mathfrak {K})\) of the game defined in Fig. 1. A proxy blind signature achieves blindness if for any polynomial time adversary \(\mathcal {A}\), \(Adv^{bl}_{{\mathsf {IDPBS}},\mathcal {A}}(\mathfrak {K}) =|\mathsf {Exp}_{{\mathsf {IDPBS}}, \mathcal {A}}^{bl}(\mathfrak {K})-1/2|\) is negligible.
-
Unforgeability is quite similar to the context of identity-based proxy signature schemes defined in [4]. The experiment is given in Fig. 2.
-
Verifiability means that the verifier \(\mathcal {V}\) can always be convinced of the original signer’s agreement on the signed message. We formalise this property thanks to the experiment of Fig. 3.
-
Prevention of misuse requires that the proxy signer cannot use the proxy key for other purposes than generating proxy signatures within the terms of a delegation made by \(\mathcal {S}\) to \(\mathcal {P}\). In case of misuse, the responsibility of the proxy signer should be determined explicitly. This is formalized in Fig. 4.
-
Strong Identifiability requires anyone to be able to determine the identity of the corresponding proxy signer from the signature as described by the experiment of Fig. 5. This is to allow linkability of a signature to a proxy signer in case of a fraud. In the context of identity-based proxy signature, it is straight forward achieved.
-
Strong Undeniability. Once a proxy signer creates a valid proxy signature with the delegation of an original signer, it cannot repudiate the produced signature. Here the validity of the signature holds as a proof against deniability of the proxy user as we can see in the experiment of Fig. 6.
An adversary breaks an identity-based proxy blind signature if for any of these experiments he has non negligible probabilities of winning the corresponding game.
3 Our \(\mathsf {IDPBS}\) Construction
A general idea of the interactions of our construction is given in Fig. 7. \(\mathcal {S}\) and \(\mathcal {P}\) both start with their respective identities \(ID_\mathcal {S}\) and \(ID_\mathcal {P}\). We suppose them known by the user. A message m is generated by \(\mathcal {U}\) prior to the signature protocol.
We now give the description of each step of the issuing of a new signature. The algorithms are presented in Fig. 8.
Key Generation. \(\mathsf {KeyGen}\) is executed first and retruns the keys for the PKG.
Extraction. The private key generator (PKG) produces a signing key for \(\mathcal {S}\) and the associated certificate \({\mathsf {cert}}_{\mathcal {S}}\) following algorithm \(\mathsf {Extract}\). The PKG sends the User Secret Key associated to the identify \(ID_\mathcal {S}\), \(USK[ID_\mathcal {S}]=({\mathsf {cert}}_\mathcal {S}, vk^{\mathsf {S}}_\mathcal {S}, sk^{\mathsf {S}}_\mathcal {S})\) to \(\mathcal {S}\) via a secure channel and \(\mathcal {S}\) verifies the signature \({\mathsf {cert}}_\mathcal {S}\).
At the end of this phase, \(\mathcal {S}\) is provided with public/private keys \((vk^{\mathsf {S}}_\mathcal {S}, sk^{\mathsf {S}}_\mathcal {S})\) and a certificate \({\mathsf {cert}}_\mathcal {S}\) linking the public key to its identity. Later, the user is able to verify this certificate with the master public key mpk. \(\mathcal {U}\) can thus be convinced that this key was produced by a private key generator.
Delegation. Proceeding to the delegation from the signer \(\mathcal {S}\) to the proxy signer \(\mathcal {P}\) is generally described as an interactive protocol. Here, we chose to proceed as follows. Let \(m_w\) be a contract produced after a negotiation prior to that step. The signer produces a link in between the contract \(m_w\), a blind signature public key \(vk^{\mathsf {BS}}_\mathcal {P}\) and both identities \(ID_\mathcal {S}\) and \(ID_\mathcal {P}\). For the creation of the proxy signer, \(\mathcal {S}\) only has to be in procession of its identity \(ID_\mathcal {P}\). The procedure is described in algorithm \(\mathsf {DelGen}\).
After running the algorithm \(\mathcal {S}\) sends \((w_{\mathcal {S} \xrightarrow {} \mathcal {P}}, {\mathsf {cert}}_\mathcal {S}, vk^{\mathsf {S}}_\mathcal {S})\) to \(\mathcal {P}\). It is also necessary to send information through a secure channel \(USK[ID_\mathcal {P}]=(vk^{\mathsf {BS}}_\mathcal {P}, sk^{\mathsf {BS}}_\mathcal {P})\).
When receiving this information, the proxy \(\mathcal {P}\) runs the mandatory verification of certificates \({\mathsf {cert}}_\mathcal {S}\) and \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\). If both pass, \(\mathcal {P}\) accepts the keys and the certificates.
Signature Issuing. At this point \(\mathcal {P}\) is in possession of: \(mpk, ID_\mathcal {S},ID_\mathcal {P},vk^{\mathsf {S}}_\mathcal {S},{\mathsf {cert}}_\mathcal {S},(vk^{\mathsf {BS}}_\mathcal {P},sk^{\mathsf {BS}}_\mathcal {P}),m_w,w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\). He now interacts with \(\mathcal {U}\) in possession of a message m in order to issue a blind signature on m. The final signature is composed of \(\sigma = (vk^{\mathsf {S}}_\mathcal {S}, vk^{\mathsf {BS}}_\mathcal {P}, {\mathsf {cert}}_\mathcal {S}, \sigma ^{\mathsf {BS}})\), where \(\sigma ^{\mathsf {BS}}\) is the signature obtained from the blind signature scheme. Figure 9 describes these interactions. Note that the two first steps can be combined with the upcoming ones if the user speaks first in the blind signature protocol. Thus, it is possible to achieve the round optimal property with this construction i.e., reaching the minimum of two communications in the issuing of an \(\mathsf {IDPBS}\) signature.
Verification. \(\mathcal {U}\) transmits the inputs of the algorithm to the verifier. The validity of the signature is assessed by running \(\mathsf {Verif}\).
As we can see in algorithm \(\mathsf {Verif}\) of Fig. 8 the verification process implies to attest the validity of all certificates and adding to that checking the final signature. It needs 2 executions of \(Verif_{\mathsf {S}}()\) and 1 execution of \(Verif_{\mathsf {BS}}()\), thus leading to a relatively long process of verification compare to other blind signatures (see Sect. 5).
4 Security of the Proposed Scheme
We can now study the security of our construction, assuming that the chosen schemes do not have serious security issues. Correctness and unforgeability of both schemes are taken as granted, blindness of the blind signature scheme is also required. The rest of this paper is dedicated to the security properties, we are recalling there description and proving that they are fulfilled by our construction. Our proofs involves reduction of games, we will consider various scenarios \(S_i\) and the probability that a polynomial time adversary \(\mathcal {A}\) allows the associated experiment to return 1. We use \(\Pr [S_i]\) as the probability of such an outcome.
Correctness. This property is straightforward if both signature meet this basic property.
Blindness. The blindness of the scheme require a unique signature scheme. The notion of unique signature was introduced by S. Goldwasser and R. Ostrovsky [11].
Let \({\mathsf {S}}=(\mathsf {KeyGen}_{\mathsf {S}}, \mathsf {Sign}_{\mathsf {S}},\mathsf {Verif}_{\mathsf {S}})\) be a signature scheme. To be a unique signature, the algorithms must satisfy the following requirements of uniqueness: For every public parameter of the scheme, every key pair (sk, pk) produced by algorithm \(\mathsf {KeyGen}_{\mathsf {S}}\), every message m, and every pair of signatures \(\sigma _1\) and \(\sigma _2\), if we have \(\mathsf {Verif}_{\mathsf {S}}(pk,m,\sigma _1) = \mathsf {Verif}_{\mathsf {S}}(pk,m,\sigma _2) = 1\), then it must imply \(\sigma _1= \sigma _2\). In our case it is sufficient to have negligible probability to output two signatures verifying for the same message even with the secret key. We define \(\mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uni}\) as the advantage of an adversary against it.
Lemma 1
(Blindness). Given \(\mathsf {S}\) a unique signature scheme and \(\mathsf {BS}\) a blind signature scheme with blindness, our construction gives rise to a blind identity-based proxy blind signature scheme. In particular, we show that: \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{bl} \le \mathsf {Adv}_{{\mathsf {BS}}, \mathcal {A}_{\mathsf {BS}}}^{bl} + 3\cdot \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uni}.\)
Proof
Fix \(\mathcal {A}\), a polynomial time adversary. Let us define Game 0 to be the security game against for blindness of our scheme. The game can be described as follows.
\(\underline{\mathrm{{Game}}~0_1}\):
-
1.
\((mpk, msk) \xleftarrow {}{}\mathsf {KeyGen}_{\mathsf {S}}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_0, m_1, m_w) \xleftarrow {}{} \mathcal {A}(mpk)\)
-
3.
\(b \xleftarrow {\$}{} \{0,1\}\)
-
4.
\(\sigma _b, w_{\mathcal {S} \xrightarrow {} \mathcal {P},b} \xleftarrow {}{} \mathsf {Protocol} \langle \mathcal {A}, \mathcal {C}(ID_\mathcal {S}, ID_\mathcal {P},m_b)\rangle \)
-
5.
\(\sigma _{1-b}, w_{\mathcal {S} \xrightarrow {} \mathcal {P},1-b} \xleftarrow {}{} \mathsf {Protocol} \langle \mathcal {A}, \mathcal {C}(ID_\mathcal {S}, ID_\mathcal {P},m_{1-b})\rangle \)
-
6.
\(b^* \xleftarrow {}{} \mathcal {A}((m_0, \sigma _0), (m_1, \sigma _1))\)
If we define \(S_0\) to be the event that \(b = b^*\) in Game \(0_1\), then the adversary’s advantage is \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathsf {B}}^{bl}=|\mathsf {Pr}[S_0] -1/2|\). First we need to investigate more in depth the interactive protocol of the proxy blind signing. For that we consider lines 4 and 5 and put forward their description in Game \(0_2\). For each \(i \in \{0,1\}\),
\(\underline{\mathrm{{Game}}~0_2}\):
-
1.
\(vk^{\mathsf {S}}_\mathcal {S}, {\mathsf {cert}}_{\mathcal {S},i},vk^{\mathsf {BS}}_\mathcal {S}, w_{\mathcal {S} \xrightarrow {} \mathcal {P},i} \xleftarrow {} \mathcal {A}\)
-
2.
If \((\mathsf {Verif}_{\mathsf {S}}({\mathsf {cert}}_{{\mathsf {S}},i})\ne 1)\) or \((\mathsf {Verif}_{\mathsf {S}}(w_{\mathcal {S} \xrightarrow {} \mathcal {P},i})\ne 1)\), Abort
-
3.
\(\sigma _i^{\mathsf {BS}}\xleftarrow {} \mathsf {Protocol}_{\mathsf {BS}}\langle \mathcal {A}, \mathcal {C}(vk^{\mathsf {BS}}_\mathcal {S}, m_i)\rangle \)
-
4.
\( \sigma _i \xleftarrow {} (vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S},i}, \sigma _i^{\mathsf {BS}})\)
We now make one small change to the underlying Game \(0_2\). The warrant \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\) will be fixed for both execution of the protocol and produced by \(\mathcal {A}\) in the second step. Line 2 of Game \(0_1\) becomes \((ID_\mathcal {S}, ID_\mathcal {P}, m_0, m_1, m_w, w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathcal {A}(mpk)\) in Game \(1_1\). Let \(S_1\) be the event that \(b=b^*\) in Game 1. Here the difference between \(S_0\) and \(S_1\) correspond to the event \(F=\) “non unique determination of the signature \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\) of a warrant \(m_w\)”. Thus \(|\mathsf {Pr}[S_0]-\mathsf {Pr}[S_1]| \le 2 \cdot \mathsf {Adv}_{{\mathsf {S}}}^{uni}(k)\) by the difference lemma [24]; this probability is considered negligible by hypothesis.
\(\underline{\mathrm{{Game}}~2_1}\):
-
1.
\((mpk, msk) \xleftarrow {}{}\mathsf {KeyGen}_{\mathsf {S}}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_0, m_1, m_w, w_{\mathcal {S} \xrightarrow {} \mathcal {P}},{\mathsf {cert}}_\mathcal {S}) \xleftarrow {}{} \mathcal {A}(mpk)\)
-
3.
\(b \xleftarrow {\$}{} \{0,1\}\)
-
4.
\(\sigma _b, w_{\mathcal {S} \xrightarrow {} \mathcal {P},b} \xleftarrow {}{} \mathsf {Protocol} \langle \mathcal {A}, \mathcal {C}(ID_\mathcal {S}, ID_\mathcal {P},m_b)\rangle \)
-
5.
\(\sigma _{1-b}, w_{\mathcal {S} \xrightarrow {} \mathcal {P},1-b} \xleftarrow {}{} \mathsf {Protocol} \langle \mathcal {A}, \mathcal {C}(ID_\mathcal {S}, ID_\mathcal {P},m_{1-b})\rangle \)
-
6.
\(b^* \xleftarrow {}{} \mathcal {A}((m_0, \sigma _0), (m_1, \sigma _1))\)
\(\underline{Game~2_2}\):
-
1.
\(vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S}, w_{\mathcal {S} \xrightarrow {} \mathcal {P}} \xleftarrow {} \mathcal {A}\)
-
2.
If \((\mathsf {Verif}_{\mathsf {S}}({\mathsf {cert}}_{{\mathsf {S}}})\ne 1)\) or \((\mathsf {Verif}_{\mathsf {S}}(w_{\mathcal {S} \xrightarrow {} \mathcal {P}})\ne 1)\), Abort
-
3.
\(\sigma _i^{\mathsf {BS}}\xleftarrow {} \mathsf {Protocol}_{\mathsf {BS}}\langle \mathcal {A}, \mathcal {C}(vk^{\mathsf {BS}}_\mathcal {S}, m_i)\rangle \)
-
4.
\( \sigma _i \xleftarrow {} (vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S}}, \sigma _i^{\mathsf {BS}})\)
Just like we did for certificate \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\), we restrict our adversary to output an unique \({\mathsf {cert}}_\mathcal {S}\) at the beginning of the game. Only signature containing this certificate are accepted, otherwise the procedure fails. After changing Game 1 into Game 2 as described, we can define an event \(S_2\) representing the event \(b=b^*\) after Game 2. \({\mathsf {cert}}_\mathcal {S}\) is supposed to be fixed at the beginning of the session. Applying the difference lemma a second time, we obtain a difference of happening between the two game with an upper bound \(|\mathsf {Pr}[S_0]-\mathsf {Pr}[S_1]| \le \mathsf {Adv}_{{\mathsf {S}}}^{uni}(k)\). This step has the same consequences as for the previous one and \(\mathcal {A}\) gained the same advantage.
Our thirds step consist of neutralising the ability \(\mathcal {A}\) has to distinguish in between \(\sigma _0^{\mathsf {BS}}\) and \(\sigma _1^{\mathsf {BS}}\). Let us restate the games and draw a random value from the possibles outputs of the blind signature protocol without executing it. Hence, the adversary obtains no information from the element \(\sigma _i^{\mathsf {BS}}\) he receives at the last step. We have assumed blindness of the blind signature scheme, thus the gained advantage is negligible.
\(\underline{\mathrm{{Game}}~3_2}\):
-
1.
\(vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S}, w_{\mathcal {S} \xrightarrow {} \mathcal {P}} \xleftarrow {} \mathcal {A}\)
-
2.
If \((\mathsf {Verif}_{\mathsf {S}}({\mathsf {cert}}_{{\mathsf {S}}})\ne 1)\) or \((\mathsf {Verif}_{\mathsf {S}}(w_{\mathcal {S} \xrightarrow {} \mathcal {P}})\ne 1)\), Abort
-
3.
\(\sigma _i^{\mathsf {BS}}\xleftarrow {\$} [\mathsf {Protocol}_{\mathsf {BS}}\langle \cdot , \cdot \rangle ] \)
-
4.
\( \sigma _i \xleftarrow {} (vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S}}, \sigma _i^{\mathsf {BS}})\)
An extra bridging steps would be to reformulate line 4 of Game 3,2 to ignore this random value that has no impact on the choice of \(\mathcal {A}\) and set \(\sigma _i \xleftarrow {} (vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S}})\) in line 4 of Game \(4_2\). This formulation leads to a complete incapability of the adversary to decide anything as all of its input are produced directly by himself. Therefore, by the triangular inequality, \( \mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{bl} = |\mathsf {Pr}[S_0]-\mathsf {Pr}[S_3]| \le \mathsf {Adv}_{{\mathsf {BS}}, \mathcal {A}_{\mathsf {BS}}}^{bl} + 3\cdot \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uni}. \)
Unforgeability. The unforgeability of our construction relies on this theorem.
Lemma 2
(Unforgeability). Given a signature scheme \(\mathsf {S}\) and a blind signature scheme \(\mathsf {BS}\) both with unforgeability, our construction has unforgeability. In particular, we show that: \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{uf} \le q \cdot (\mathsf {Adv}_{{\mathsf {BS}}, \mathcal {A}_{\mathsf {BS}}}^{uf} + \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uf}).\)
Proof
Fix an adversary \(\mathcal {A}\) against the unforgeability of our scheme given access to the previously described oracles. \(\mathcal {A}\) is allowed to make any number of queries to each of them, but the final outputs of the game should be no element obtained from an oracle. We may write the security game as follows.
Game 0:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\(\{(ID_{\mathcal {P}_i}, m_i, \sigma _i)\}_{1\le i \le l'} \xleftarrow {}{} \mathcal {A}\)
-
6.
If \(\exists i \ne j, m_i=m_j\) or \(\exists i\), \(\mathsf {Verify}(ID_{\mathcal {P}_i}, m_i, \sigma _i)=0{:}\) Return 0
-
7.
Else Return 1
We can define the event \(S_0\) corresponding to Game 0 outputting 1. If such an outputs happens this would be considered as a valid forgery, thus \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{uf} = \mathsf {Pr}(S_0)\). Let l be the number of proxy blind signature queries that are successfully completed. With probability \(\mathsf {Adv}_{{\mathsf {IDPBS}},\mathcal {A}}^{uf}(\mathfrak {K})\), the adversary \(\mathcal {A}\) succeeds and outputs a valid forgery i.e., a list of \(l'\) tuples \(\{(ID_{\mathcal {P}_i}, m_i, \sigma _i)\}_{1\le i \le l'}\) with \(l<l'\). Since \(l<l'\), there exists at least some identity \(ID_i\) in the output list such that the number \(l(ID_i)\) of completed blind signature queries during the attack involving \(ID_i\) is strictly less than the number \(l'(ID_i)\) of tuples involving identity \(ID_i\) in the output list. This has to hold by the pigeonhole principal. If we outputted a forgery for the right identity \(ID=ID_{\mathcal {P}_*}\), then we have completed l(ID) executions of the blind signature protocol during our attack \(\mathsf {F}_\mathcal {BS}\) against the blind signature scheme \(\mathsf {BS}\), with public key \(vk^{\mathsf {BS}}_{\mathcal {P}_*}\) and we can easily obtain \(l'(ID)\) valid signatures under the same public key from the list output by \(\mathcal {A}\) satisfying \(l(ID)<l'(ID)\) for that identity. Hence, we can modify our game to restrict our adversary to output a forgery on a specified identity. He has probability 1/q to get a forgery for the right identity. Game 1 is modified accordingly. This gives the relation \(1/q \cdot \mathsf {Pr}[S_0] = \mathsf {Pr}[S_1]\) between the probability of the two events \(S_0\) and \(S_1\).
Game 1:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\(\{(m_i, \sigma _i)\}_{1\le i \le l'} \xleftarrow {}{} \mathcal {A}\)
-
6.
If \(\exists i \ne j, m_i=m_j\) or \(\exists i\), \(\mathsf {Verify}(ID_\mathcal {P}, m_i, \sigma _i)=0{:}\) Return 0
-
7.
Else Return 1
\(\mathcal {A}\) has the capability to forge new signatures \({\mathsf {cert}}_\mathcal {S}\) embedded proxy blind signature, leading to new signature. In Game 2, we will ask \(\mathcal {A}\) to output \({\mathsf {cert}}_\mathcal {S}\) at the beginning. As a consequence, modification of the key \(vk^{{\mathsf {S}}*}_\mathcal {S}\) will lead to failure. Define event \(S_2\) as “\(\mathcal {A}\) wins the Game 2”, the probability of realisation of these event only differ by \(\mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\) from \(\mathsf {Pr}[S_1]\), which is supposed negligible.
Game 2:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\({\mathsf {cert}}_\mathcal {S} \xleftarrow {} \mathsf {Sign}_{{\mathsf {S}},msk}(ID_\mathcal {S}||vk^{\mathsf {S}}_\mathcal {S})\)
-
6.
\(\{(m_i, \sigma _i=(vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S}}, \sigma _i^{\mathsf {BS}})\}_{1\le i \le l'} \xleftarrow {}{} \mathcal {A}\)
-
7.
If \(\exists i \ne j, m_i=m_j\) or \(\exists i\), \(\mathsf {Verify}(ID_\mathcal {P}, m_i, \sigma _i)=0{:}\) Return 0
-
8.
Else Return 1
A second restriction can now be put forward: inability to forge blind signatures on scheme \(\mathsf {BS}\). In Game 3, \(\sigma ^{\mathsf {BS}}_{m_i}\) is the blind signature given by a legit execution of the blind signature scheme for the key pair \((vk^{\mathsf {BS}}_\mathcal {S}, sk^{\mathsf {BS}}_\mathcal {S})\). This time we have have \(|\mathsf {Pr}[S_2]-\mathsf {Pr}[S_3]| \le \mathsf {Adv}_{{\mathsf {BS}}}^{uf}(k)\).
Game 3:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\({\mathsf {cert}}_\mathcal {S} \xleftarrow {} \mathsf {Sign}_{{\mathsf {S}},msk}(ID_\mathcal {S}||vk^{\mathsf {S}}_\mathcal {S})\)
-
6.
\(\{(m_i, \sigma _i=(vk^{\mathsf {S}}_\mathcal {S},vk^{\mathsf {BS}}_\mathcal {S},{\mathsf {cert}}_{\mathcal {S}}, \sigma _{m_i}^{\mathsf {BS}})\}_{1\le i \le l'} \xleftarrow {} \mathcal {A}\)
-
7.
If \(\exists i \ne j, m_i=m_j\) or \(\exists i\), \(\mathsf {Verify}(ID_\mathcal {P}, m_i, \sigma _i)=0{:}\) Return 0
-
8.
Else Return 1
All part of each signature have to be legit, thus the adversary is totally unable to conduct any action that could lead to a new signature. We conclude that \(l=l'\). In that Game 3, any signature outputted by \(\mathcal {A}\) was produced directly by the proxy signer. We observe a total advantage of an adversary against the generic \(\mathsf {IDPBS}\) scheme of \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{uf} \le q \cdot (\mathsf {Adv}_{{\mathsf {BS}}, \mathcal {A}_{\mathsf {BS}}}^{uf} + \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uf}).\)
Verifiability. From a proxy signature, a verifier can be convinced of the original signer’s agreement on the signed message.
Lemma 3
(Verifiability). The adversary’s advantage against the verifiability of the generic \(\mathsf {IDPBS}\) scheme is \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{veri}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uf}.\)
Proof
It is possible for an adversary \(\mathcal {A}\) against verifiability to issue any blind signature by executing the protocol with himself. Thus any \(\mathcal {A}\) is able to produced proxy signature under warrant \(m_w\) due to the settings of that game. Modifying Game 0 into Game 1, changes correspond to the inability of the adversary to forge a new certificate \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\).
Game 1:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\((m, \sigma , m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}') \xleftarrow {} \mathcal {A}(sk_\mathcal {P}, w_{\mathcal {S} \xrightarrow {} \mathcal {P}})\),
with \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}' \in Out(\mathcal {O}_\mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w'))\)
-
6.
If \(\mathsf {Verif}(mpk, ID_\mathcal {S}, ID_\mathcal {P}, m, \sigma , m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}')=1\), \(m_w'\ne m_w\)
and \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}' \notin Out(\mathcal {O}_\mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w')){:}\) Return 1
-
7.
Else Return 0
Let \(S_0\) and \(S_1\) by the respective event “Game i returns 1”. By the difference lemma, we can conclude that \(|\mathsf {Pr}[S_0]-\mathsf {Pr}[S_1]| \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\). Differences in the games would directly lead to another adversary exploiting it to forge new signatures.
Note that, in Game 1 lines 5 and 6 contradict themselves, hence it is impossible for the adversary to win Game 1. We conclude that \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{veri}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}, \mathcal {A}_{\mathsf {S}}}^{uf}.\)
Prevention of Misuse. Relatively similar to verifiability, prevention of misuse require that a proxy signing key cannot be used for purposes other than generating valid proxy signatures. In such a case of fraud it should be possible to identify the proxy signer.
Lemma 4
(Prevention of misuse). The advantage of an adversary against prevention of misuse is \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{PoM}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k).\)
Proof
Start with Game 0 being the experiment \(\mathsf {Exp}_{{\mathsf {IDPBS}}, \mathcal {P}^*}^{st-id}\).
Adversary \(\mathcal {A}\) receives a warrant \(m_w\) with certificate \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\). If he wants to use his keys for an unauthorised message, \(\mathcal {A}\) has to produce a fake warrant and its associated certificate, otherwise the signature would not verify. But latter he could be identify as the cheater and be reprimand. In order not to be identify, \(\mathcal {A}\) has to produced this certificate of delegation for another identity. We introduce change in our previous experiment and obtain Game 1.
Game 1:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\((ID, m, \sigma , m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}') \xleftarrow {} \mathcal {A}(sk_\mathcal {P}, w_{\mathcal {S} \xrightarrow {} \mathcal {P}})\),
with \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}' \notin Out(\mathcal {O}_\mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w'))\)
-
6.
If \(\mathsf {Verif}(mpk, ID_\mathcal {S}, ID, m, \sigma , m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}')=1\) with \(ID\ne ID_\mathcal {P}\), \( m_w'\ne m_w\) and \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}' \notin Out(\mathcal {O}_\mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w')) {:}\) Return 1
-
7.
Else Return 0
In Game 0, \(\mathcal {A}\) was able to output a forgery of a signature, this not the case in Game 1. We consider the adversary’s advantage \(\mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\) as negligible. We obtain \(|\mathsf {Pr}[S_0]-\mathsf {Pr}[S_1]| \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\). In Game 1, condition of lines 5 and 6 of Game 1 cannot be fulfilled both at the time, we conclude to \(\mathsf {Pr}[S_1]=0\), from this fact we can conclude to the upper bound \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{PoM}(\mathfrak {K}) = \mathsf {Pr}[S_0] \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\).
Strong Identifiability. Anyone can determine the identity of the corresponding proxy signer from a proxy signature. Let now be \(\mathcal {A}\) an adversary against strong identifiability of the \(\mathsf {IDPBS}\). Set Game 0 as the experiment \(\mathsf {Exp}_{{\mathsf {IDPBS}}, \mathcal {P}^*}^{st-id} (\mathfrak {K})\) for this scheme.
Lemma 5
(Strong Identifiability). The advantage of an adversary \({\mathcal {A}}\) against strong identifiability is \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{st-id}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k).\)
Proof
In order to win the experiment \(\mathsf {Exp}_{{\mathsf {IDPBS}}, \mathcal {P}^*}^{st-id} (\mathfrak {K})\) an adversary \(\mathcal {A}\) has to outputs a second identity ID such that \(ID_\mathcal {P}\) and ID verifies:
If this equality holds, even if \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\) was given to \(\mathcal {A}\) during the game, it is clear that \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{st-id}(\mathfrak {K}) = \mathsf {Pr}[(m, m') \xleftarrow {} \mathcal {A} |Sign_{{\mathsf {S}},sk^{\mathsf {S}}_{\mathcal {S}}}(m)=Sign_{{\mathsf {S}},sk^{\mathsf {S}}_{\mathcal {S}}}(m')] \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\).
Strong Undeniability. A proxy signer cannot repudiate a proxy signature it created. Given the information that \(\mathcal {U}\) has at the end of a blind signing session, he has enough knowledge to expose \(\mathcal {P}\). This would lead to ability to revoke the signature \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}\) of \(\mathcal {S}\).
Lemma 6
(Strong Undeniability). Strong undeniability of our scheme holds. The adversary’s advantage against this property is \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{st-und}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k) + \mathsf {Adv}_{{\mathsf {S}}}^{uni}(k)\).
Proof
Let Game 0 be the experiment associated to strong undeniability. Once published a signature cannot be repudiated as all information were revealed to the public, in particularly, in an identity-based setup \(ID_\mathcal {S}\) and \(ID_\mathcal {P}\) were transited. Using the \(\mathsf {Verif}\) algorithm we will output 1 if the signature is valid. Thus \(\mathcal {A}\) as to trick around this and propose an alternative possibility. \(\mathcal {A}\) can output a second ID that could work for the same setup and thus causing doubts. We have modify our experiment in Game 1.
Game 1:
-
1.
\((mpk, msk) \xleftarrow {}{} \mathsf {Setup}(1^\mathfrak {K})\)
-
2.
\((ID_\mathcal {S}, ID_\mathcal {P}, m_w) \xleftarrow {} \mathcal {A} (mpk)\)
-
3.
\(sk[ID_\mathcal {S}] \xleftarrow {}{} \mathsf {Extract}(msk, ID_\mathcal {S})\)
-
4.
\((sk_\mathcal {P},w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) \xleftarrow {}{} \mathsf {DelGen}(ID_\mathcal {S},ID_\mathcal {P}, sk[ID_\mathcal {S}], m_w)\)
-
5.
\((Id, (m, \sigma ), m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}') \xleftarrow {} \mathcal {A}(sk_\mathcal {P}, w_{\mathcal {S} \xrightarrow {} \mathcal {P}})\),
with \(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}' \in Out(\mathcal {O}_\mathsf {DelGen}(ID_\mathcal {S},ID, sk[ID_\mathcal {S}], m_w')) {:}\)
-
6.
If \(\mathsf {Verif}(mpk, ID_\mathcal {S}, ID_\mathcal {P}, m, \sigma , m_w, w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) = 1\),
\(\mathsf {Verif}(mpk, ID_\mathcal {S}, ID, m, \sigma , m_w', w_{\mathcal {S} \xrightarrow {} \mathcal {P}}') = 1\) with \(ID\ne ID_\mathcal {P} {:}\) Return 1
-
7.
Else Return 0
The difference in between our games 0 and 1 is the ability of the adversary to forge new delegations. It would lead to a forgery against the scheme \(\mathsf {S}\) if \(\mathcal {A}\) was able to outputs such a certificate. Hence \(|\mathsf {Pr}[S_0]-\mathsf {Pr}[S_1]| \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k)\). We can now consider the probability such that \(\mathsf {Verif}(mpk, ID_\mathcal {S}, ID_\mathcal {P}, m, \sigma , m_w, w_{\mathcal {S} \xrightarrow {} \mathcal {P}}) = \mathsf {Verif}(mpk, ID_\mathcal {S},ID,m,\sigma ,m_w',w_{\mathcal {S} \xrightarrow {} \mathcal {P}}')=1\) for \(ID \ne ID_\mathcal {P}\). From the steps of the \(\mathsf {Verif}\) algorithm, it is equivalent to \(\mathsf {Verif}_{{\mathsf {S}},vk^{\mathsf {S}}_{\mathcal {S}}}(w_{\mathcal {S} \xrightarrow {} \mathcal {P}},ID_\mathcal {S}||ID_\mathcal {P}||vk^{\mathsf {BS}}_\mathcal {P}||m_w) = \mathsf {Verif}_{{\mathsf {S}},vk^{\mathsf {S}}_{\mathcal {S}}}(w_{\mathcal {S} \xrightarrow {} \mathcal {P}}',ID_\mathcal {S}||ID||vk^{{\mathsf {BS}}'}_\mathcal {P}||m_w')=1\). But \(\mathsf {S}\) is an unique signature scheme and thus this advantage is negligible. We directly conclude that \(\mathsf {Adv}_{{\mathsf {IDPBS}}, \mathcal {A}}^{st-und}(\mathfrak {K}) \le \mathsf {Adv}_{{\mathsf {S}}}^{uf}(k) + \mathsf {Adv}_{{\mathsf {S}}}^{uni}(k)\).
5 Analysis of the Construction
Warrant Modification. The type of delegation used for our scheme implies to generates a new key pair to issued or change the contract \(m_w\) for a proxy user. Otherwise anyone getting a signature for the first contract could easily get a forgery for the new contract. This specificity requires a new communication with the signer when the warrant is changed and the issue of new keys for the proxy. This is similar to most \(\mathsf {IDPBS}\) schemes.
Efficiency. Let \({\mathsf {S}}=(\mathsf {KeyGen}_{\mathsf {S}},\mathsf {Sign}_{\mathsf {S}},\mathsf {Verif}_{\mathsf {S}})\) and \({\mathsf {BS}}=(\mathsf {Commit}_{\mathsf {BS}},\mathsf {Blind}_{\mathsf {BS}},\mathsf {Sign}_{\mathsf {BS}},\mathsf {Unblind}_{\mathsf {BS}},\mathsf {Verif}_{\mathsf {BS}})\) respectively be a unique signature scheme and a blind signature scheme with the desired properties to assemble them and get a generic \(\mathsf {IDPBS}\) as it is described above. For any \(\mathsf {IDPBS}\) signature issuing in between a proxy signer \(\mathcal {P}\) and a user \(\mathcal {U}\) algorithm that need to be executed are reported in Table 1. The efficiency of this generic construction is not competitive with the best \(\mathsf {IDPBS}\) schemes of the literature (see Sect. 1 for an exhaustive list), this is mostly due to the multiple sub-signature verifications that have to be processed during the verification of the signature.
Communication Efficiency. Both communications specified in protocol Fig. 9 (i.e., between the user and the proxy signer) can be merged into the first interaction of the blind signature scheme to obtain a round optimal blind signature. The number of communications can thus be reduced to the minimum as long as round optimal signature scheme is used in the generic construction.
6 Conclusion
We propose a new generic construction for identity-based proxy blind signature, based on two basic primitives, namely a unique signature scheme and blind signature scheme. The purpose of such generic construction is to reunite fundamental, “low level” primitives with blind signature construction with additional properties. Another contribution is a formalisation of the security for identity-based proxy blind signature based on the 6 usual statements of security property that are proposed in numerous articles. We formally prove that our construction is secure. For this, we only require blindness and unforgeability of the blind signature and unforgeability and hardness to determined two different signatures for the same message. The latest property is clearly achieved by some existing schemes such as the well known BLS signature. Adding up this result with the previous literature, it is now possible to construct a secure identity-based proxy blind signature from only a few building blocks such as a signature scheme, a zero-knowledge proof, a commitment and an encryption scheme.
References
Abdalla, M., Catalano, D., Fiore, D.: Verifiable random functions: relations to identity-based key encapsulation and new constructions. J. Cryptol. 27(3), 544–593 (2013). https://doi.org/10.1007/s00145-013-9153-x
Abe, M., Fujisaki, E.: How to date blind signatures. In: Kim, K., Matsumoto, T. (eds.) ASIACRYPT 1996. LNCS, vol. 1163, pp. 244–251. Springer, Heidelberg (1996). https://doi.org/10.1007/BFb0034851
Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_34
Boldyreva, A., Palacio, A., Warinschi, B.: Secure proxy signature schemes for delegation of signing rights. J. Cryptol. 25(1), 57–115 (2010). https://doi.org/10.1007/s00145-010-9082-x
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
Camenisch, J.L., Piveteau, J.-M., Stadler, M.A.: Blind signatures based on the discrete logarithm problem. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 428–432. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053458
Chaum, D.: Blind signatures for untraceable payments. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 199–203. Springer, Boston, MA (1983). https://doi.org/10.1007/978-1-4757-0602-4_18
Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1
Fischlin, M.: Round-optimal composable blind signatures in the common reference string model. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 60–77. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_4
Galindo, D., Herranz, J., Kiltz, E.: On the generic construction of identity-based signatures with additional properties. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 178–193. Springer, Heidelberg (2006). https://doi.org/10.1007/11935230_12
Goldwasser, S., Ostrovsky, R.: Invariant signatures and non-interactive zero-knowledge proofs are equivalent. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 228–245. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_16
He, J., Qi, C., Sun, F.: A new identity-based proxy blind signature scheme. In: 2012 IEEE International Conference on Information Science and Technology (2012)
Heng, P., Ke, K., Gu, C.: Efficienct ID-based proxy blind signature schemes from pairings. In: 2008 International Conference on Computational Intelligence and Security (2008)
Jager, T.: Verifiable random functions from weaker assumptions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 121–143. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46497-7_5
James, S., Thumbur, G., Reddy, P.: An efficient pairing-free identity based proxy blind signature scheme with message recovery. ISC Int. J. Inf. Secur. 13(1), 59–72 (2021)
Lang, W., Tan, Y., Yang, Z., Liu, G., Peng, B.: A new efficient ID-based proxy blind signature scheme. In: ISCC 2004 (2004)
Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38
Micali, S., Rabin, M., Vadhan, S.: Verifiable random functions. In: 40th Annual Symposium on Foundations of Computer Science (Cat. No. 99CB37039), pp. 120–130. IEEE (1999)
Padhye, S., Tiwari, N.: An efficient ID-based proxy blind signature with pairing-free realization. In: ICIET 2016 (2016)
Prabhadevi, S., Natarajan, A.: Utilization of ID-based proxy blind signature based on ECDLP in secure vehicular communications. IJEIT 3(5), 55–60 (2013)
Qin, X., Cai, C., Yuen, T.H.: One-more unforgeability of blind ECDSA. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12973, pp. 313–331. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88428-4_16
Sarde, P., Banerjee, A.: A secure ID-based blind and proxy blind signature scheme from bilinear pairings. J. Appl. Secur. Res. 12(2), 276–286 (2017)
Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_5
Shoup, V.: Sequences of games: a tool for taming complexity in security proofs. IACR Cryptology ePrint Archive 2004/332 (2004)
Stadler, M., Piveteau, J.-M., Camenisch, J.: Fair blind signatures. In: Guillou, L.C., Quisquater, J.-J. (eds.) EUROCRYPT 1995. LNCS, vol. 921, pp. 209–219. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-49264-X_17
Tan, Z.: Efficient pairing-free provably secure identity-based proxy blind signature scheme. Secur. Commun. Netw. 6(5), 593–601 (2013)
Tan, Z., Liu, Z., Tang, C.: Digital proxy blind signature schemes based on DLP and ECDLP. MM Res. Prepr. 21(7), 212–217 (2002)
Wang, B., Liu, W., Wang, C.: ID-based proxy blind signature scheme with proxy revocation. In: 2nd International Workshop on Computer Science and Engineering, WCSE (2009)
Wang, C.H., Fan, J.-Y.: The design of ID-based fair proxy blind signature scheme with weak linkability. In: ISIC (2012)
Wei-min, L., Zong-kai, Y., Wen-qing, C., Yun-meng, T.: A new ID-based proxy blind signature scheme. Wuhan Univ. J. Nat. Sci. 10(3), 555–558 (2005). https://doi.org/10.1007/BF02831144
Yang, M., Wang, Y.: A new efficient ID-based proxy blind signature scheme. J. Electron. 25(2), 226–231 (2008). https://doi.org/10.1007/s11767-006-0146-x
Yi, X., Lam, K.-Y., Gollmann, D.: A new blind ECDSA scheme for bitcoin transaction anonymity. Cryptology ePrint Archive Report 2018/660 (2018)
Yu, Y., Zheng, S., Yang, Y.: ID-based blind signature and proxy blind signature without trusted PKG. In: Sarbazi-Azad, H., Parhami, B., Miremadi, S.-G., Hessabi, S. (eds.) CSICC 2008. CCIS, vol. 6, pp. 821–824. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89985-3_111
Zhang, F., Kim, K.: ID-based blind signature and ring signature from pairings. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS, vol. 2501, pp. 533–547. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-36178-2_33
Zhang, F., Kim, K.: Efficient ID-based blind signature and proxy signature from bilinear pairings. In: Safavi-Naini, R., Seberry, J. (eds.) ACISP 2003. LNCS, vol. 2727, pp. 312–323. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-45067-X_27
Zhu, H., Tan, Y.-A., Zhu, L., Zhang, Q., Li, Y.: An efficient identity-based proxy blind signature for semioffline services. Wirel. Commun. Mob. Comput. 2018, 1–9 (2018). https://doi.org/10.1155/2018/5401890
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Bultel, X., Lafourcade, P., Olivier-Anclin, C., Robert, L. (2022). Generic Construction for Identity-Based Proxy Blind Signature. In: Aïmeur, E., Laurent, M., Yaich, R., Dupont, B., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2021. Lecture Notes in Computer Science, vol 13291. Springer, Cham. https://doi.org/10.1007/978-3-031-08147-7_3
Download citation
DOI: https://doi.org/10.1007/978-3-031-08147-7_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-08146-0
Online ISBN: 978-3-031-08147-7
eBook Packages: Computer ScienceComputer Science (R0)