In a 1-out-of-n oblivious signature scheme, a user provides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of-n oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other one is unforgeability which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of-n oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it only asks one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of-n oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construction immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assumptions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumption like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out-of-n oblivious signature schemes based on the standard model.
Yu ZHOU
Shanghai Jiao Tong University,State Key Laboratory of Cryptology
Shengli LIU
Shanghai Jiao Tong University,State Key Laboratory of Cryptology,Westone Cryptologic Research Center
Shuai HAN
Shanghai Jiao Tong University
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
Yu ZHOU, Shengli LIU, Shuai HAN, "Generic Construction of 1-out-of-n Oblivious Signatures" in IEICE TRANSACTIONS on Information,
vol. E105-D, no. 11, pp. 1836-1844, November 2022, doi: 10.1587/transinf.2022NGI0001.
Abstract: In a 1-out-of-n oblivious signature scheme, a user provides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of-n oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other one is unforgeability which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of-n oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it only asks one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of-n oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construction immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assumptions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumption like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out-of-n oblivious signature schemes based on the standard model.
URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2022NGI0001/_p
Copy
@ARTICLE{e105-d_11_1836,
author={Yu ZHOU, Shengli LIU, Shuai HAN, },
journal={IEICE TRANSACTIONS on Information},
title={Generic Construction of 1-out-of-n Oblivious Signatures},
year={2022},
volume={E105-D},
number={11},
pages={1836-1844},
abstract={In a 1-out-of-n oblivious signature scheme, a user provides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of-n oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other one is unforgeability which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of-n oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it only asks one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of-n oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construction immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assumptions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumption like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out-of-n oblivious signature schemes based on the standard model.},
keywords={},
doi={10.1587/transinf.2022NGI0001},
ISSN={1745-1361},
month={November},}
Copy
TY - JOUR
TI - Generic Construction of 1-out-of-n Oblivious Signatures
T2 - IEICE TRANSACTIONS on Information
SP - 1836
EP - 1844
AU - Yu ZHOU
AU - Shengli LIU
AU - Shuai HAN
PY - 2022
DO - 10.1587/transinf.2022NGI0001
JO - IEICE TRANSACTIONS on Information
SN - 1745-1361
VL - E105-D
IS - 11
JA - IEICE TRANSACTIONS on Information
Y1 - November 2022
AB - In a 1-out-of-n oblivious signature scheme, a user provides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of-n oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other one is unforgeability which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of-n oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it only asks one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of-n oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construction immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assumptions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumption like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out-of-n oblivious signature schemes based on the standard model.
ER -