Signer and Message Ambiguity from a Variety of Keys

George Te¸seleanu

1,2 a

Advanced Technologies Institute, 10 Dinu Vintil˘a, Bucharest, Romania

Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, Bucharest, Romania

Keywords:

Signer and Message Ambiguity, 1-out-of-n Signature, Oblivious Signature.

Abstract:

A signer and message ambiguous signature enables a recipient to request a signer to sign a sensible message

such that the signer cannot guess what message he signed and the receiver cannot deduce the signer’s iden-

tity. In this work, we formalize this type of signature, introduce the corresponding security requirements and

describe two instantions. The ﬁrst one assumes that the signer hides his identity in n independently generated

public keys, while the second one assumes that all n public keys share the same public parameters.

1 INTRODUCTION

In order to address the increasing interest in privacy

protection, Chen (Chen, 1994) introduced the con-

cept of oblivious signatures. He considered two such

classes. The ﬁrst one is an oblivious signature scheme

with n keys, while the second one is an oblivious sig-

nature with n messages.

In the case of oblivious signatures with n keys, we

have n signers S

,. .. ,S

n−1

(or a signer with n differ-

ent keys) and a recipient R . A high level description

of the protocol is the following:

• the recipient chooses a message m and can get it

signed with one of the n keys;

• the signers, even the holder of the accepted key,

do not have an idea on who really signed m;

• when necessary, R can show that he received a

valid signature from one of the n signers.

On the other hand, in the version of oblivious signa-

tures with n messages we have only one signer S and

the main features are the following:

• the recipient chooses n messages m

,. .. ,m

n−1

and can get only one signed;

• the signer cannot deduce which message he actu-

ally signed;

• when necessary, R can show that he received a

valid signature on one of the n messages.

Remark that in both cases the signer(s) can read the

received message(s) and decide if he(they) agree(s)

https://orcid.org/0000-0003-3953-2744

with the content before signing it. The two concepts

can also be mixed and thus obtain an oblivious proto-

col with n

messages and n

keys. Some examples of

oblivious protocols can be found in (Chen, 1994, Tso

et al., 2008, Tso, 2016, Tso, 2019).

Blind signatures (Chaum, 1982, Juels et al., 1997)

share the same privacy goal as oblivious signatures

with n messages. More precisely, both signatures al-

low users to request a signature without revealing the

exact message to the signer. The main difference is

that in the case of blind signature the signer is not

aware of the message’s content, while in the case of

oblivious signatures the signer sees a message pool

that contains n messages. Hence, oblivious signatures

offer a guarantee to the signer that no message outside

the pool will be signed and thus can be considered an

improvement of blind signatures.

In contrast to oblivious signatures with n keys,

an 1-out-of-n signature convinces a veriﬁer that a

message was signed by one of n possible indepen-

dent signers without allowing the veriﬁer to deduce

which signer it was. Hence, the privacy requirement

is shifted from the signers to the veriﬁer. Also, in this

case, only the actual signer decides if he agrees to the

message’s content, while the remaining n − 1 signers

have access to the message only after the signing pro-

cess is over. Some examples can be found in (Abe

et al., 2002, Cramer et al., 1994, Rivest et al., 2001).

In some applications we encounter situations

where a mixture of oblivious signatures with n

mes-

sages and 1-out-of-n

signatures is required. Hence,

a receiver wants to hide his request, while the signer

wants to keep its anonymity. We further call this type

Te¸seleanu, G.

Signer and Message Ambiguity from a Variety of Keys.

DOI: 10.5220/0010502903950402

In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 395-402

ISBN: 978-989-758-524-1

395

of signatures as signer and message ambiguous signa-

tures.

A possible usage for these signatures is the fol-

lowing. Multiple small companies

contribute with

servers to a storage pool and split the proﬁts according

the contributed storage space. A client wants to make

a query to this cluster, but wants to be able to prove to

a third party that the answer is authentic. Therefore,

the cluster has to sign the answer. But the customer

must be oblivious of which company is hosting the

corresponding data. Hence, the cluster can use an 1-

out-of-n

signature to hide the exact location of the

data. On the other hand, the client wants to hide the

exact content of his query. Thus, he can hide his query

into n

− 1 unrelated queries. In this case, we can see

that a mixture of an 1-out-of-n

signature and an n

message oblivious signature can offer a possible solu-

tion.

In this paper, we propose the ﬁrst signer and mes-

sage ambiguous signatures, one in the key separa-

ble model (i.e. the users’ use independently gener-

ated public parameters) and one in the non-separable

model (i.e. the users’ public parameters are identical).

In the separable model, we used the zero-knowledge

version of Abe et. al signature (Abe et al., 2002) in

conjunction with a generalized and modiﬁed Tso et.

al signature (Tso et al., 2008). In the non-separable

model, we used the same signature based on Tso et.

al, but we combined it with a generalized version of

Abe et. al signature (Abe et al., 2002). The formal-

ization method used for generalizing the signatures is

similar to the approach described in (Maurer, 2009).

Structure of the Paper. We introduce notations and

deﬁnitions used throughout the paper in Section 2. In

Sections 3 and 4 we present our main results, namely

two signer and message ambiguous signatures, one

in the separable model and one in the non-separable

model. Their performance is analysed in Section 5.

We conclude in Section 6.

2 PRELIMINARIES

Notations. Throughout the paper, the notation |S| de-

notes the cardinality of a set S. The action of select-

ing a random element x from a sample space X is de-

noted by x

←− X, while x ← y represents the assign-

ment of value y to variable x. The probability of the

event E to happen is denoted by Pr[E]. The subset

{0,. .. ,s − 1} ∈ N is denoted by [0,s). Note we fur-

ther consider that all of N ’s subsets are of the form

Each with its unique public certiﬁcate.

[0,s) and n

≤ s. A vector v of length n is denoted ei-

ther v = (v

,. .. ,v

n−1

) or v = {v

}

i∈[0,n)

. Also, we use

the notations C

to denote binomial coefﬁcients and

exp to denote Euler’s constant.

2.1 Groups

Let (G, ?) and (H, ⊗) be two groups. We assume

that the group operations ? and ⊗ are efﬁciently com-

putable.

Let f : G → H be a function (not necessarily

one-to-one). We say that f is a homomorphism if

f (x ? y) = f (x) ⊗ f (y). Throughout the paper we

consider f to be a one-way function, i.e. it is in-

feasible to compute x from f (x). To be consistent

with (Maurer, 2009), we denote by [x] the value f (x).

Note that given [x] and [y] we can efﬁciently compute

[x ? y] = [x] ⊗ [y], due to the fact that f is a homomor-

phism.

2.2 Signer and Message Ambiguous

Signatures

Based on the formal models deﬁned in (Abe et al.,

2002,Tso et al., 2008,Tso, 2016), we introduce signer

and message ambiguous signatures (SMAS) and their

corresponding security models. Hence, a SMAS in-

volves three types of entities:

• A signature requester R . For any list of public

keys L and any list of messages M, R can choose

any message from M to get signed by any of the

signers from L. Note that R is not able to learn

which signer from L actually signed the message.

• An ambiguous signer S. One of the signers from

L proceeds to sign the message chosen by R , but

he is not able to learn which message from M has

actually been signed.

• A veriﬁer V . R converts the SMAS into a signer

ambiguous signature σ and transmits σ to V . The

veriﬁer is able to check the validity of σ without

modifying the veriﬁcation algorithm of the origi-

nal signer ambiguous signature.

Deﬁnition 2.1 (Signer and Message Ambiguous Sig-

nature). A signer and message ambiguous signature

scheme is a digital signature comprised of the follow-

ing algorithms:

Setup(λ): On input a security parameter λ, this algo-

rithm outputs the private and public keys (sk

, pk

)

of all the participants and the public parameters

pp = (M , S), where M is the message space and

S is the signature space.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

396

Signature Generation(): An interactive protocol be-

tween R and S . In the ﬁrst step, the recipient

takes as input a list of public keys L and sends

to the signer a list of messages M and some ad-

ditional information A. Then, S takes as input

a list of messages M, the information A, the pri-

vate key sk

and a list of public keys L such that

∈ L and sends a list of signatures W to R .

After receiving W , the recipient uses A to convert

the SMAS into a signer ambiguous signature σ for

a message m ∈ M and then outputs (m,σ,L).

Verify(m, σ,L): An algorithm that on input a mes-

sage m, a signature σ and a list of public keys L

outputs either true or false.

The following deﬁnitions capture the intuitive notions

of signer and message ambiguity. In Deﬁnitions 2.2

and 2.3 we assume that the attacker is R and, respec-

tively, S .

Deﬁnition 2.2 (Signer Ambiguity). Let

L = {pk

}

i∈[0,n

)

, where pk

are generated by the

Setup algorithm. Also, for a set L ⊆ L we deﬁne

L =

{sk

| sk

is the secret key corresponding to pk

∈ L}.

A SMAS is perfectly signer ambiguous if for any list

of messages M and their corresponding additional

information A, any L ⊆ L, any sk

∈

L and any signa-

ture W generated by S(M, A,sk

,L), any unbounded

adversary A outputs an sk such that sk = sk

with

probability exactly 1/|L|.

Deﬁnition 2.3 (Message Ambiguity). A SMAS is

perfectly message ambiguous if for any list of mes-

sages M and their corresponding additional informa-

tion A and for any message m

∈ M chosen by R to

be signed, any unbounded adversary A outputs an m

such that m = m

with probability exactly 1/|M|.

The security requirement for S is unforgeability

of signatures, even when the signature receiver is the

adversary.

Deﬁnition 2.4 (Existential Unforgeability against

Adaptive Chosen Message and Chosen Public Key

Attacks - EUF-CMCPA). The notion of unforgeabil-

ity for signatures is deﬁned in terms of the following

security game between the adversary A and a chal-

lenger:

1. The Setup algorithm is run and all the public pa-

rameters are provided to A.

2. For any list of messages M and any subset of

L = {pk

}

i∈[0,n

)

, A can ﬁx a message m

∈ M

and request the signature associated to m

to the

challenger.

3. Finally, A outputs a signature (m,σ, L), where

L ⊆ L.

A wins the game if Verify(m,σ, L) = true, L ⊆ L and

A did not query the challenger on any pair (M, L) such

that m

= m. We say that a signature scheme is un-

forgeable when the success probability of A in this

game is negligible.

We further introduce the notions of a Boolean ma-

trix and of a heavy row in such a matrix (Ohta and

Okamoto, 1998). These deﬁnitions are then used in

stating the heavy row lemma (Ohta and Okamoto,

1998).

Deﬁnition 2.5 (Boolean Matrix of Random Tapes).

Let us consider a matrix M whose rows consist of

all possible random choices of an adversary and the

columns consist of all possible random choices of a

challenger. Its entries are 0 if the adversary fails the

game and 1 otherwise.

Deﬁnition 2.6 (Heavy Row). A row of M is heavy if

the fraction of 1’s along the row is at least ε/2, where

ε is the adversary’s success probability.

Lemma 2.1 (Heavy Row Lemma). The 1’s in M are

located in heavy rows with a probability of at least

1/2.

3 SMAS WITH KEY SEPARATION

3.1 Description

By modifying the protocol from (Tso et al., 2008)

and endowing it with the technique described in (Abe

et al., 2002) we developed a SMAS in the separable

model. Note that in a separable scheme each key pair

can be generated by a different scheme, under a dif-

ferent hardness assumption. In practice, each user can

use different trusted third parties (TTP) to generate

their public parameters and key pair. To simplify de-

scription we present the Setup algorithm as a central-

ized algorithm. We will denote the following signa-

ture with SMAS-KSS.

Setup(λ): Let i ∈ [0,n

). Choose for each user two

groups G

, H

, a homomorphism [·]

: G

→ H

and

a hash function H

: {0,1}

∗

→ C

⊆ N. Note that

we require that |G

| ≥ 2

. Choose a

←− G

and

compute y

← [x

]

and b

← [a

]

. Output the pub-

lic key pk

= y

. The secret key is sk

= x

. The

elements b

are known to all participants, but the

’s are used only once and are discarded after-

wards.

Listing(): Collect the public keys and randomly

shufﬂe them. Store the result into a list L =

}

j∈[0,n

)

and output L.

Note that L can be ﬁxed or periodically updated.

Signer and Message Ambiguity from a Variety of Keys

397

Signature Generation(): Assume that recipient R

would like to get a signature from signer S on a

message m

∈ {m

}

t∈[0,n

)

. To compute the am-

biguous signature the following protocol is exe-

cuted:

Step 1: For j ∈ [0,n

), R selects α

←− G

and

computes c

← [α

]

⊗

. Then, R sends C =

}

j∈[0,n

)

and M = {m

}

t∈[0,n

)

to S.

Step 2: For t ∈ [0,n

), S (with access to x

) does

the following:

a) Generate an element β

←− G

and com-

pute z

k,t

← c

⊗

−t

⊗

[β

]

and d

k+1,t

←

k+1

(L,m

k,t

b) For j ∈ [k + 1, n

) ∪ [0,k), randomly se-

lect s

j,t

←− G

and then compute z

j,t

←

⊗

−t

⊗

j,t

]

⊗

j,t

and d

j+1,t

←

j+1

(L,m

j,t

)

c) Compute s

k,t

← β

−d

k,t

d) Send to R the signature (d

0,t

), where

= {s

j,t

}

j∈[0,n

)

Step 3: For j ∈ [0,n

) and t ∈ [0,n

R computes δ

j,t

← [α

]

⊗

`−t

j,t

← δ

j,t

⊗

j,t

]

⊗

j,t

and then

j+1,t

← H

j+1

(L,m

j,t

) if j 6= n

− 1.

R accepts the ambiguous signature if and only

if d

0,t

= H

(L,m

−1,t

), where t ∈ [0,n

Otherwise, output false.

Step 4: To convert the signer and message am-

biguous signature into a signer ambiguous sig-

nature, R sets d

← d

0,`

and computes s

←

j,`

, where j ∈ [0,n

). Output the signa-

ture (d

,W ), where W = {s

}

j∈[0,n

)

Verify(m, d

,W ,L): For j ∈ [0,n

), compute e

←

]

⊗

and then d

j+1

← H

j+1

(L,m, e

) if

j 6= n

− 1. Output true if and only if d

(L,m, e

−1

). Otherwise, output false.

Remark. In the Setup phase, the b

elements can be

generated for each user after they receive their pub-

lic parameters and key-pairs, and by a TTP different

from the one generating the initial system’s parame-

ters. Thus, our scheme is compatible with preexisting

signature certiﬁcates and can be seen as adding an ex-

tra functionality to existing systems.

Correctness. First we need to check that R accepts

a genuine signature. Thus, if (c

0,t

) is generated

When j = n

− 1 we abuse notation and consider j +

1 = 0.

according to the scheme, then for j 6= k we have

j,t

= δ

j,t

⊗

j,t

]

⊗

j,t

= c

⊗

−t

⊗

j,t

]

⊗

j,t

= z

j,t

and for j = k we have

k,t

= δ

j,t

⊗

k,t

]

⊗

k,t

= c

⊗

−t

⊗

[β

−d

k,t

]

⊗

k,t

= c

⊗

−t

⊗

[β

]

⊗

]

−d

k,t

⊗

k,t

= c

⊗

−t

⊗

[β

]

= z

k,t

Now we need to check if the veriﬁcation process re-

turns true. Hence, if the pair (d

,W ) is generated

according to the scheme, then we have

= [s

]

⊗

= [α

j,`

]

⊗

= δ

j,`

⊗

j,`

]

⊗

= e

j,`

3.2 Security Analysis

Theorem 3.1. The SMAS-KSS scheme is perfectly

signer ambiguous.

Proof. Note that all s

j,t

are taken randomly from G

except for s

k,t

. Since β

is a random element from G

then s

k,t

is also randomly distributed in G

. Hence,

for a ﬁxed (m

,L) the probability of W

is always

∏

|, regardless of the closing point s

k,t

and index

t. The remaining c

0,t

are uniquely determined from

,L) and W

Theorem 3.2. The SMAS-KSS scheme is perfectly

message ambiguous.

Proof. All the information regarding ` is contained

in the c

elements. Since α

is random, then c

also random. Thus, for a ﬁxed M the probability of

}

j∈[0,|M|)

is always 1/

∏

|. So, no information

about ` is leaked to S .

Theorem 3.3. If the following statements are true

• an EUF-CMCPA attack on the SMAS-KSS has

non-negligible probability of success in the ROM,

• for all i values, f

∈ Z are known such that

gcd(d

− d

, f

) = 1 for all d

∈ C

with d

SECRYPT 2021 - 18th International Conference on Security and Cryptography

398

• for all i values, u

∈ G

are known such that [u

]

then at least a homomorphism [·]

can be inverted in

polynomial time.

Proof. Let A be an efﬁcient EUF-CMCPA attacker for

SMAS-KSS that requests at most q

and q

signing

and, respectively, random oracle queries. Also, let ε

be its success probability and τ its running time. By

we denote the total number of messages sent to S

for signing.

In order to make A work properly we simulate the

random oracles that correspond to each hash function

(see Algorithm 1) and the signing oracle (see Algo-

rithm 2). For simplicity we treat all the random or-

acles as one big random oracle O

that takes as in-

put the j-th query (i, L

) and returns a random

value corresponding to H

). To avoid com-

plicated sufﬁxes y

and m

, for example, refer to the

ﬁrst public key and the ﬁrst message from the current

and, respectively, M

. Hence, y

∈ L

and y

∈ L

could differ. The same is also true for m

Algorithm 1: Hashing oracle O

simulation for

all H

Input: A hashing query (i,L

) from A

1 if ∃h

such that {L

} ∈ T

then

2 e ← h

3 else

4 e

←− C

5 Append {L

,e} to T

6 end if

7 return e

The signing oracle O

fails and returns ⊥ only if we

cannot assign d

0,t

to (L

|−1,t

) without caus-

ing an inconsistency in T

. This event happens with

probability at most q

/q, where q = 2

. Thus, O

successful with probability at least (1 − q

/q)

≥

1 − q

/q.

Let Θ and Ω be the random tapes given to O

and

A. The adversary’s success probability is taken over

the space deﬁned by Θ, Ω and O

. Let Σ be the

set of (Θ,Ω,O

) with which A successfully creates

a forgery, while having access to a real signing ora-

cle. Let (m,d

,{s

}

i∈[0,n

)

,L) be A’s forgery, where

|L| = n

. Then, T

i+1

contains a query for (L,m,e

)

for all i ∈ [0, n

) with probability at least 1−1/|C

i+1

due to the ideal randomness of O

. Let Σ

⊆ Σ be the

set of (Θ,Ω,O

) with which A successfully creates

a forgery, while having access only to the simulated

oracle O

. Then, Pr[(Θ,Ω,O

) ∈ Σ

] ≥ ε

, where

Algorithm 2: Signing oracle O

simulation.

Input: A signature query (M

) from A

1 for t ∈ [0,|M

|) do

2 d

0,t

←− C

3 for i ∈ [0, |L

|) do

4 s

i,t

←− G

5 e

i,t

← c

⊗

−t

⊗

i,t

]

⊗

i,t

6 if i 6= |L

| − 1 then

7 d

i+1,t

← H

i+1

i,t

)

8 end if

9 end for

10 if @h

such that {L

|−1,t

} ∈ T

then

11 Append {L

|−1,t

0,t

} to T

12 Sent to A the signature

0,t

,{s

i,t

}

i∈[0,|L

)

13 else

14 return ⊥

15 end if

16 end for

= (1 − q

/q)(1 − 1/w)ε and w is the smallest

Since the queries form a ring, there exists at least

an index k ∈ [0,n

) such that the u query Q

= (k +

1,L, m,e

) and the v query Q

= (k,L, m,e

k−1

) satisfy

u ≤ v. Such a pair (u, v) is called a gap index. Re-

mark that u = v only when n

= 1. If there are two or

more gap indices with regard to a signature, we only

consider the smallest one.

We denote by Σ

u,v

the set of (Θ,Ω,O

) that yield

the gap index (u,v). There are at most C

+ 1)/2 such sets. If we invoke A with ran-

domly chosen (Θ,Ω, O

) at most 1/ε

times, then

we will ﬁnd at least one (Θ,Ω, O

) ∈ Σ

u,v

for some

gap index (u, v) with probability 1 − (1 − ε

)

1/ε

1 − exp(−1) > 3/5.

We deﬁne the sets GI = {(u,v) | |Σ

u,v

|/|Σ

| ≥

1/(q

+ 1))} and B = {(Θ, Ω,O

) ∈ Σ

u,v

| (u,v) ∈

GI}. Then, we have Pr[B|Σ

] ≥ 1/2. Using the heavy

row lemma we obtain that a triplet (Θ,Ω, O

) that

yields a successful run of A is in B with probability at

least 1/2.

Let O

be the identical to O

except for the

query to which O

responds with a random

element d

6= d

. Then according to the heavy

row lemma, with probability 1/2, (Θ, Ω,O

) sat-

isﬁes Pr[(Θ,Ω, O

) ∈ Σ

u,v

] = ε

/2, where ε

/(2q

+ 1)). Hence, if we run A at most

2/ε

times, then with probability 1/2 · [1 − (1 −

/2)

2/ε

] > 1/2 · (1 − exp(−1)) > 3/10 we will ﬁnd

Signer and Message Ambiguity from a Variety of Keys

399

at least one d

such that (Θ,Ω,O

) ∈ Σ

u,v

. Since Q

is queried before Q

, e

remains unchanged. There-

fore we can compute

˜x

= u

−1

)

where a and b are computed using Euclid’s algorithm

such that f

a + (d

− d

)b = 1. Note that for some β

−1

]

= [s

−1

]

⊗

]

= y

⊗

([β]

)

−1

⊗ c

−1

⊗ c

⊗

[β]

⊗

−d

= y

−d

and thus

[ ˜x

]

= [u

−1

)

]

= ([u

]

)

⊗

([s

−1

]

)

= (y

)

⊗

−d

)

= y

The overall success probability is 9/100 = 3/5 ·

1/2·3/10 and A is invoked at most 1/ε

+2/ε

times.

3.3 Concrete Examples

In this subsection we present a few concrete exam-

ples of the SMAS in order to help readers who are

familiar with Schnorr or Guillou-Quisquater type sig-

natures. The reader can easily infer more examples

from the uniﬁed zero-knowledge protocol’s instantia-

tions described in (Maurer, 2009, Te¸seleanu, 2018).

All Discrete Logarithm Case. Let p and q be two

prime numbers such that q|p − 1. Select an element

h ∈ H

of order q in some multiplicative group of or-

der p−1. The discrete logarithm of an element z ∈ H

is an exponent x such that z = h

. We further describe

the parameters of the all discrete logarithm signature.

Deﬁne (G

) = (Z

,+) and H

= hh

i. The one-

way group homomorphism is deﬁned by [x

]

= h

and the challenge space C

can be any arbitrary subset

of [0,q

). Let 1

be the neutral element of H

. Then the

conditions of Theorem 3.3 are satisﬁed for f

= q

and

= 0. Note that we have [u]

= [0]

= 1

= y

since every element of H

raised to the group order q

is the neutral element 1

All e

-root Case. Let p and q be two safe prime

numbers such that (p − 1)/2 and (q − 1)/2 are also

prime. Compute N = pq and choose a prime e such

that gcd(e,ϕ(N)) = 1. An e

-root of an element z ∈

∗

is a base x such that z = x

. Note that the e

-root

is not unique. We further describe the parameters of

the all e

-root signature.

Deﬁne (G

) = (H

,⊗

) = (Z

∗

,·). The one-way

group homomorphism is deﬁned by [x

]

= x

and

the challenge space C

can be any arbitrary subset of

[0,e

). The conditions of Theorem 3.3 are satisﬁed for

= e

and u

= y

Mixture of Discrete Logarithm and e

-root. For

simplicity, we consider the case n = 2. Let (G

) =

,+), H

= hhi and (G

) = (H

,⊗

) = (Z

∗

,·).

The one-way group homomorphisms are deﬁned by

]

= h

and [x

]

= x

. The corresponding chal-

lenge spaces C

and C

can be any arbitrary subset of

[0,q) and, respectively, [0, e). Finally, the conditions

of Theorem 3.3 are satisﬁed for f

= q, f

= e, u

= 0

and u

= y

4 SMAS WITHOUT KEY

SEPARATION

4.1 Description

In this section we present a more efﬁcient SMAS sig-

nature. This signature only works when all the partici-

pants use the same underlying commutative group. To

achieve our goal, we used a generalized version of the

technique developed in (Abe et al., 2002). We further

denote the following signature with SMAS-NKSS.

Setup(λ): Choose two commutative groups G, H, a

homomorphism [·] : G → H and a hash function

H : {0, 1}

∗

→ C ⊆ N. Note that we require that

|G| ≥ 2

. Choose a

←− G and compute b ← [a].

For each user, choose x

←− G and compute y

←

]. Output the public key pk

= y

. The secret

key is sk

= x

. The element b is known to all par-

ticipants, but a is used only once and is discarded

afterwards.

Listing(): Collect the public keys and randomly

shufﬂe them. Store the result into a list L =

}

j∈[0,n

)

and output L.

Signature Generation(): Assume that recipient R

would like to get a signature from signer S on a

message m

∈ {m

}

t∈[0,n

)

. To compute the am-

biguous signature the following protocol is exe-

cuted:

Step 1: R selects α

←− G and computes c ← [α]⊗

. Then, R sends c and M = {m

}

t∈[0,n

)

to S.

Step 2: For t ∈ [0,n

), S generates a random ele-

ment β

←− G and d

j,t

←− C , where j ∈ [0, n

) \

SECRYPT 2021 - 18th International Conference on Security and Cryptography

400

{k}. Then computes the following:

← c ⊗ b

−t

⊗ [β

] ⊗ y

0,t

⊗ ... ⊗ y

k−1,t

k−1

← z ⊗ y

k+1,t

k+1

⊗ ... ⊗ y

−1,t

−1

← H(L,m

)

k,t

← d

− d

0,t

− ... − d

k−1,t

mod |C |

k,t

← d

k,t

− d

k+1,t

− ... − d

−1,t

mod |C |

← β

? x

−d

k,t

Send to R the signature (s

), where W

j,t

}

j∈[0,n

)

Step 3: For t ∈ [0,n

), R computes δ

← [α] ⊗

`−t

, u

←

∑

−1

j=0

j,t

mod |C | and v

← δ

⊗

] ⊗ (⊗

−1

j=0

j,t

). R accepts the ambiguous

signature if and only if u

≡ H(L,m

) mod

|C |, where t ∈ [0,n

). Otherwise, output

false.

Step 4: To convert the signer and message am-

biguous signature into a signer ambiguous sig-

nature, R computes s ← α ? s

and sets d

←

j,`

, where j ∈ [0,n

). Output the signature

(s,W ), where W = {d

}

j∈[0,n

)

Verify(m, s,W ,L): Compute the intermediary val-

ues u ←

∑

−1

j=0

mod c and v ← [s]⊗(⊗

−1

j=0

Output true if and only if u = H(L,m,v). Other-

wise, output false.

Correctness. First we need to check that R accepts

a genuine signature. Thus, if (s

) is generated ac-

cording to the scheme, then we have

= δ

⊗ [s

] ⊗ (⊗

n−1

j=0

j,t

)

= c ⊗ b

−t

⊗ [β

] ⊗ [x

]

−d

k,t

⊗ (⊗

n−1

j=0

j,t

)

= z

Now we need to check if the veriﬁcation process re-

turns true. Hence, if the pair (s, W ) is generated

according to the scheme, then we have

v = [s] ⊗ (⊗

n−1

j=0

)

= [α ? s

] ⊗ (⊗

n−1

j=0

j,`

)

= δ

⊗ [s

] ⊗ (⊗

n−1

j=0

j,`

)

= v

4.2 Security Analysis

Theorems 4.1 and 4.2’s proofs are similar to Theo-

rems 3.1 and 3.2’s proofs and thus are omitted. The-

orem 4.3’s proof is provided in the full version of the

paper and is omitted due to space limitations.

Theorem 4.1. The SMAS-NKSS scheme is perfectly

signer ambiguous.

Theorem 4.2. The SMAS-NKSS scheme is perfectly

message ambiguous.

Theorem 4.3. If the following statements are true

• an EUF-CMCPA attack on the SMAS-NKSS has

non-negligible probability of success in the ROM,

• an f ∈ Z is known such that gcd(d

− d

, f ) = 1

for all d

∈ C with d

6= d

• for all i values, u

∈ G are known such that [u

] =

then the homomorphism [·] can be inverted in polyno-

mial time.

5 PERFORMANCE ANALYSIS

When n

= 1 and n

= n both SMAS schemes become

an oblivious signature with n messages (denoted sim-

ply as SMAS). Two such signatures are described in

(Tso et al., 2008, Chen, 1994) for G = Z

∗

. In ??

and table 1 we provide the reader with the perfor-

mance analysis of our scheme. In ?? the communi-

cation overhead is measured in bits, while in Table 1

the computation cost is measured in exponentiations.

We consider |p| = 3072 and |q| = 256, which accord-

ing to (Elaine, 2020) offers a security strength of 128

bits.

Table 1: Computation cost comparison.

Scheme S R V

SMAS 2n 3n + 2 2

Tso et. al (Tso et al., 2008) 2n 3n + 2 2

Chen (Chen, 1994) 3n 2n + 10 8

In order to measure the efﬁciency of our SMAS

schemes, we compare them to the protocol described

in (Tso, 2016). Although the philosophy of this

scheme is a little bit different than ours, it is the clos-

est one. Again, let G = Z

∗

. The results are presented

in Tables 2 and 3. Note that in Tso’s protocol, the

receiver transforms the signature into a Schnorr sig-

nature

(Schnorr, 1989), while we transform it into

an Abe et.al signature (Abe et al., 2002). Hence, the

larger communication and computational overhead on

V ’s side.

i.e. n

= 1

Signer and Message Ambiguity from a Variety of Keys

401

Table 2: Communication cost comparison.

Scheme Steps R → S S → R R → V

SMAS-KSS 2 n

|q| (n

+ 1)n

|q| (n

+ 1)|q|

SMAS-NKSS 2 |q| (n

+ 1)n

|q| (n

+ 1)|q|

Tso (Tso, 2016) 2 |q| 2n

|q| 2|q|

Table 3: Computation cost comparison.

Scheme S R V

SMAS-KSS 3n

− n

+ 2n

SMAS-NKSS (n

+ 1)n

+ 2)n

+ 2 n

+ 1

Tso (Tso, 2016) 2n

+ 2 2

6 CONCLUSION

Our SMAS protocols are the abstraction of a large

class of protocols that allow users to sign sensible in-

formation, while maintaining the signers anonymity.

We introduced two versions, one with independently

selected public parameters and one with common

public parameters. We managed to relate the pre-

sented protocols’ security to the hardness of inverting

one-way homomorphisms.

REFERENCES

Abe, M., Ohkubo, M., and Suzuki, K. (2002). 1-out-of-n

Signatures from a Variety of Keys. In ASIACRYPT

2002, volume 2501 of Lecture Notes in Computer Sci-

ence, pages 415–432. Springer.

Chaum, D. (1982). Blind Signatures for Untraceable Pay-

ments. In CRYPTO 1982, pages 199–203. Plenum

Press, New York.

Chen, L. (1994). Oblivious Signatures. In ESORICS 1994,

volume 875 of Lecture Notes in Computer Science,

pages 161–172. Springer.

Cramer, R., Damgård, I., and Schoenmakers, B. (1994).

Proofs of Partial Knowledge and Simpliﬁed Design of

Witness Hiding Protocolss. In CRYPTO 1994, vol-

ume 839 of Lecture Notes in Computer Science, pages

174–187. Springer.

Elaine, B. (2020). NIST Special Publication 800-57 Part 1

Revision 5 - Recommendation for Key Management:

Part 1 – General. Technical report, NIST.

Juels, A., Luby, M., and Ostrovsky, R. (1997). Security of

Blind Digital Signatures. In CRYPTO 1997, volume

1294 of Lecture Notes in Computer Science, pages

150–164. Springer.

Maurer, U. (2009). Unifying Zero-Knowledge Proofs of

Knowledge. In AFRICACRYPT 2009, volume 5580 of

Lecture Notes in Computer Science, pages 272–286.

Springer.

Ohta, K. and Okamoto, T. (1998). On Concrete Security

Treatment of Signatures Derived from Identiﬁcation.

In CRYPTO 1998, volume 1462 of Lecture Notes in

Computer Science, pages 354–369. Springer.

Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How to

Leak a Secret. In ASIACRYPT 2001, volume 2248 of

Lecture Notes in Computer Science, pages 552–565.

Springer.

Schnorr, C.-P. (1989). Efﬁcient Identiﬁcation and Signa-

tures For Smart Cards. In CRYPTO 1989, volume 435

of Lecture Notes in Computer Science, pages 239–

252. Springer.

Te¸seleanu, G. (2018). Unifying Kleptographic Attacks.

In NordSec 2018, volume 11252 of Lecture Notes in

Computer Science, pages 73–87. Springer.

Tso, R. (2016). Two-in-One Oblivious Signatures Secure

in the Random Oracle Model. In NSS 2016, volume

9955 of Lecture Notes in Computer Science, pages

143–155. Springer.

Tso, R. (2019). Two-in-One Oblivious Signatures. Future

Generation Computer Systems, 101:467–475.

Tso, R., Okamoto, T., and Okamoto, E. (2008). 1-out-of-n

Oblivious Signatures. In ISPEC 2008, volume 4991

of Lecture Notes in Computer Science, pages 45–55.

Springer.

SECRYPT 2021 - 18th International Conference on Security and Cryptography

402