In a 1-out-of-*n* oblivious signature scheme, a user provides a set of messages to a signer for signatures but he/she can only obtain a valid signature for a specific message chosen from the message set. There are two security requirements for 1-out-of-*n* oblivious signature. The first is ambiguity, which requires that the signer is not aware which message among the set is signed. The other is unforgeability, which requires that the user is not able to derive any other valid signature for any messages beyond the one that he/she has chosen. In this paper, we provide a generic construction of 1-out-of-*n* oblivious signature. Our generic construction consists of two building blocks, a commitment scheme and a standard signature scheme. Our construction is round efficient since it requires only one interaction (i.e., two rounds) between the user and signer. Meanwhile, in our construction, the ambiguity of the 1-out-of-*n* oblivious signature scheme is based on the hiding property of the underlying commitment, while the unforgeability is based on the binding property of the underlying commitment scheme and the unforgeability of the underlying signature scheme. Moreover, our construction can also enjoy strong unforgeability as long as the underlying building blocks have strong binding property and strong unforgeability respectively. Given the fact that commitment and digital signature are well-studied topics in cryptography and numerous concrete schemes have been proposed in the standard model, our generic construction immediately yields a bunch of instantiations in the standard model based on well-known assumptions, including not only traditional assumptions like Decision Diffie-Hellman (DDH), Decision Composite Residue (DCR), etc., but also some post-quantum assumptions like Learning with Errors (LWE). As far as we know, our construction admits the first 1-out-of-*n* oblivious signature schemes based on the standard model.

- Publication: IEICE TRANSACTIONS on Information Vol.E105-D No.11 pp.1836-1844
- Publication Date: 2022/11/01
- Publicized: 2022/07/15
- Online ISSN: 1745-1361
- DOI: 10.1587/transinf.2022NGI0001
- Type of Manuscript: Special Section INVITED PAPER (Special Section on Next-generation Security Applications and Practice)


Yu ZHOU

Shanghai Jiao Tong University, State Key Laboratory of Cryptology

Shengli LIU

Shanghai Jiao Tong University, State Key Laboratory of Cryptology, Westone Cryptologic Research Center

Shuai HAN

Shanghai Jiao Tong University

The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.


Yu ZHOU, Shengli LIU, Shuai HAN, "Generic Construction of 1-out-of-n Oblivious Signatures" in IEICE TRANSACTIONS on Information,
vol. E105-D, no. 11, pp. 1836-1844, November 2022, doi: 10.1587/transinf.2022NGI0001.


URL: https://global.ieice.org/en_transactions/information/10.1587/transinf.2022NGI0001/_p


```bibtex
@ARTICLE{e105-d_11_1836,
  author={Yu ZHOU and Shengli LIU and Shuai HAN},
  journal={IEICE TRANSACTIONS on Information},
  title={Generic Construction of 1-out-of-n Oblivious Signatures},
  year={2022},
  volume={E105-D},
  number={11},
  pages={1836-1844},
  keywords={},
  doi={10.1587/transinf.2022NGI0001},
  ISSN={1745-1361},
  month={November},
}
```
