Signer and Message Ambiguity from a Variety of Keys
George Te¸seleanu
1,2 a
1
Advanced Technologies Institute, 10 Dinu Vintil˘a, Bucharest, Romania
2
Simion Stoilow Institute of Mathematics of the Romanian Academy, 21 Calea Grivitei, Bucharest, Romania
Keywords:
Signer and Message Ambiguity, 1-out-of-n Signature, Oblivious Signature.
Abstract:
A signer and message ambiguous signature enables a recipient to request a signer to sign a sensible message
such that the signer cannot guess what message he signed and the receiver cannot deduce the signer’s iden-
tity. In this work, we formalize this type of signature, introduce the corresponding security requirements and
describe two instantions. The first one assumes that the signer hides his identity in n independently generated
public keys, while the second one assumes that all n public keys share the same public parameters.
1 INTRODUCTION
In order to address the increasing interest in privacy
protection, Chen (Chen, 1994) introduced the con-
cept of oblivious signatures. He considered two such
classes. The first one is an oblivious signature scheme
with n keys, while the second one is an oblivious sig-
nature with n messages.
In the case of oblivious signatures with n keys, we
have n signers S
0
,. .. ,S
n−1
(or a signer with n differ-
ent keys) and a recipient R . A high level description
of the protocol is the following:
• the recipient chooses a message m and can get it
signed with one of the n keys;
• the signers, even the holder of the accepted key,
do not have an idea on who really signed m;
• when necessary, R can show that he received a
valid signature from one of the n signers.
On the other hand, in the version of oblivious signa-
tures with n messages we have only one signer S and
the main features are the following:
• the recipient chooses n messages m
0
,. .. ,m
n−1
and can get only one signed;
• the signer cannot deduce which message he actu-
ally signed;
• when necessary, R can show that he received a
valid signature on one of the n messages.
Remark that in both cases the signer(s) can read the
received message(s) and decide if he(they) agree(s)
a
https://orcid.org/0000-0003-3953-2744
with the content before signing it. The two concepts
can also be mixed and thus obtain an oblivious proto-
col with n
1
messages and n
2
keys. Some examples of
oblivious protocols can be found in (Chen, 1994, Tso
et al., 2008, Tso, 2016, Tso, 2019).
Blind signatures (Chaum, 1982, Juels et al., 1997)
share the same privacy goal as oblivious signatures
with n messages. More precisely, both signatures al-
low users to request a signature without revealing the
exact message to the signer. The main difference is
that in the case of blind signature the signer is not
aware of the message’s content, while in the case of
oblivious signatures the signer sees a message pool
that contains n messages. Hence, oblivious signatures
offer a guarantee to the signer that no message outside
the pool will be signed and thus can be considered an
improvement of blind signatures.
In contrast to oblivious signatures with n keys,
an 1-out-of-n signature convinces a verifier that a
message was signed by one of n possible indepen-
dent signers without allowing the verifier to deduce
which signer it was. Hence, the privacy requirement
is shifted from the signers to the verifier. Also, in this
case, only the actual signer decides if he agrees to the
message’s content, while the remaining n − 1 signers
have access to the message only after the signing pro-
cess is over. Some examples can be found in (Abe
et al., 2002, Cramer et al., 1994, Rivest et al., 2001).
In some applications we encounter situations
where a mixture of oblivious signatures with n
2
mes-
sages and 1-out-of-n
1
signatures is required. Hence,
a receiver wants to hide his request, while the signer
wants to keep its anonymity. We further call this type
Te¸seleanu, G.
Signer and Message Ambiguity from a Variety of Keys.
DOI: 10.5220/0010502903950402
In Proceedings of the 18th International Conference on Security and Cryptography (SECRYPT 2021), pages 395-402
ISBN: 978-989-758-524-1
Copyright
c
2021 by SCITEPRESS – Science and Technology Publications, Lda. All rights reserved
395
of signatures as signer and message ambiguous signa-
tures.
A possible usage for these signatures is the fol-
lowing. Multiple small companies
1
contribute with
servers to a storage pool and split the profits according
the contributed storage space. A client wants to make
a query to this cluster, but wants to be able to prove to
a third party that the answer is authentic. Therefore,
the cluster has to sign the answer. But the customer
must be oblivious of which company is hosting the
corresponding data. Hence, the cluster can use an 1-
out-of-n
1
signature to hide the exact location of the
data. On the other hand, the client wants to hide the
exact content of his query. Thus, he can hide his query
into n
2
− 1 unrelated queries. In this case, we can see
that a mixture of an 1-out-of-n
1
signature and an n
2
message oblivious signature can offer a possible solu-
tion.
In this paper, we propose the first signer and mes-
sage ambiguous signatures, one in the key separa-
ble model (i.e. the users’ use independently gener-
ated public parameters) and one in the non-separable
model (i.e. the users’ public parameters are identical).
In the separable model, we used the zero-knowledge
version of Abe et. al signature (Abe et al., 2002) in
conjunction with a generalized and modified Tso et.
al signature (Tso et al., 2008). In the non-separable
model, we used the same signature based on Tso et.
al, but we combined it with a generalized version of
Abe et. al signature (Abe et al., 2002). The formal-
ization method used for generalizing the signatures is
similar to the approach described in (Maurer, 2009).
Structure of the Paper. We introduce notations and
definitions used throughout the paper in Section 2. In
Sections 3 and 4 we present our main results, namely
two signer and message ambiguous signatures, one
in the separable model and one in the non-separable
model. Their performance is analysed in Section 5.
We conclude in Section 6.
2 PRELIMINARIES
Notations. Throughout the paper, the notation |S| de-
notes the cardinality of a set S. The action of select-
ing a random element x from a sample space X is de-
noted by x
$
←− X, while x ← y represents the assign-
ment of value y to variable x. The probability of the
event E to happen is denoted by Pr[E]. The subset
{0,. .. ,s − 1} ∈ N is denoted by [0,s). Note we fur-
ther consider that all of N ’s subsets are of the form
1
Each with its unique public certificate.
[0,s) and n
2
≤ s. A vector v of length n is denoted ei-
ther v = (v
0
,. .. ,v
n−1
) or v = {v
i
}
i∈[0,n)
. Also, we use
the notations C
n
k
to denote binomial coefficients and
exp to denote Euler’s constant.
2.1 Groups
Let (G, ?) and (H, ⊗) be two groups. We assume
that the group operations ? and ⊗ are efficiently com-
putable.
Let f : G → H be a function (not necessarily
one-to-one). We say that f is a homomorphism if
f (x ? y) = f (x) ⊗ f (y). Throughout the paper we
consider f to be a one-way function, i.e. it is in-
feasible to compute x from f (x). To be consistent
with (Maurer, 2009), we denote by [x] the value f (x).
Note that given [x] and [y] we can efficiently compute
[x ? y] = [x] ⊗ [y], due to the fact that f is a homomor-
phism.
2.2 Signer and Message Ambiguous
Signatures
Based on the formal models defined in (Abe et al.,
2002,Tso et al., 2008,Tso, 2016), we introduce signer
and message ambiguous signatures (SMAS) and their
corresponding security models. Hence, a SMAS in-
volves three types of entities:
• A signature requester R . For any list of public
keys L and any list of messages M, R can choose
any message from M to get signed by any of the
signers from L. Note that R is not able to learn
which signer from L actually signed the message.
• An ambiguous signer S. One of the signers from
L proceeds to sign the message chosen by R , but
he is not able to learn which message from M has
actually been signed.
• A verifier V . R converts the SMAS into a signer
ambiguous signature σ and transmits σ to V . The
verifier is able to check the validity of σ without
modifying the verification algorithm of the origi-
nal signer ambiguous signature.
Definition 2.1 (Signer and Message Ambiguous Sig-
nature). A signer and message ambiguous signature
scheme is a digital signature comprised of the follow-
ing algorithms:
Setup(λ): On input a security parameter λ, this algo-
rithm outputs the private and public keys (sk
i
, pk
i
)
of all the participants and the public parameters
pp = (M , S), where M is the message space and
S is the signature space.
SECRYPT 2021 - 18th International Conference on Security and Cryptography
396
Signature Generation(): An interactive protocol be-
tween R and S . In the first step, the recipient
takes as input a list of public keys L and sends
to the signer a list of messages M and some ad-
ditional information A. Then, S takes as input
a list of messages M, the information A, the pri-
vate key sk
k
and a list of public keys L such that
pk
k
∈ L and sends a list of signatures W to R .
After receiving W , the recipient uses A to convert
the SMAS into a signer ambiguous signature σ for
a message m ∈ M and then outputs (m,σ,L).
Verify(m, σ,L): An algorithm that on input a mes-
sage m, a signature σ and a list of public keys L
outputs either true or false.
The following definitions capture the intuitive notions
of signer and message ambiguity. In Definitions 2.2
and 2.3 we assume that the attacker is R and, respec-
tively, S .
Definition 2.2 (Signer Ambiguity). Let
L = {pk
i
}
i∈[0,n
1
)
, where pk
i
are generated by the
Setup algorithm. Also, for a set L ⊆ L we define
˜
L =
{sk
k
| sk
k
is the secret key corresponding to pk
k
∈ L}.
A SMAS is perfectly signer ambiguous if for any list
of messages M and their corresponding additional
information A, any L ⊆ L, any sk
k
∈
˜
L and any signa-
ture W generated by S(M, A,sk
k
,L), any unbounded
adversary A outputs an sk such that sk = sk
k
with
probability exactly 1/|L|.
Definition 2.3 (Message Ambiguity). A SMAS is
perfectly message ambiguous if for any list of mes-
sages M and their corresponding additional informa-
tion A and for any message m
`
∈ M chosen by R to
be signed, any unbounded adversary A outputs an m
such that m = m
`
with probability exactly 1/|M|.
The security requirement for S is unforgeability
of signatures, even when the signature receiver is the
adversary.
Definition 2.4 (Existential Unforgeability against
Adaptive Chosen Message and Chosen Public Key
Attacks - EUF-CMCPA). The notion of unforgeabil-
ity for signatures is defined in terms of the following
security game between the adversary A and a chal-
lenger:
1. The Setup algorithm is run and all the public pa-
rameters are provided to A.
2. For any list of messages M and any subset of
L = {pk
i
}
i∈[0,n
1
)
, A can fix a message m
`
∈ M
and request the signature associated to m
`
to the
challenger.
3. Finally, A outputs a signature (m,σ, L), where
L ⊆ L.
A wins the game if Verify(m,σ, L) = true, L ⊆ L and
A did not query the challenger on any pair (M, L) such
that m
`
= m. We say that a signature scheme is un-
forgeable when the success probability of A in this
game is negligible.
We further introduce the notions of a Boolean ma-
trix and of a heavy row in such a matrix (Ohta and
Okamoto, 1998). These definitions are then used in
stating the heavy row lemma (Ohta and Okamoto,
1998).
Definition 2.5 (Boolean Matrix of Random Tapes).
Let us consider a matrix M whose rows consist of
all possible random choices of an adversary and the
columns consist of all possible random choices of a
challenger. Its entries are 0 if the adversary fails the
game and 1 otherwise.
Definition 2.6 (Heavy Row). A row of M is heavy if
the fraction of 1’s along the row is at least ε/2, where
ε is the adversary’s success probability.
Lemma 2.1 (Heavy Row Lemma). The 1’s in M are
located in heavy rows with a probability of at least
1/2.
3 SMAS WITH KEY SEPARATION
3.1 Description
By modifying the protocol from (Tso et al., 2008)
and endowing it with the technique described in (Abe
et al., 2002) we developed a SMAS in the separable
model. Note that in a separable scheme each key pair
can be generated by a different scheme, under a dif-
ferent hardness assumption. In practice, each user can
use different trusted third parties (TTP) to generate
their public parameters and key pair. To simplify de-
scription we present the Setup algorithm as a central-
ized algorithm. We will denote the following signa-
ture with SMAS-KSS.
Setup(λ): Let i ∈ [0,n
1
). Choose for each user two
groups G
i
, H
i
, a homomorphism [·]
i
: G
i
→ H
i
and
a hash function H
i
: {0,1}
∗
→ C
i
⊆ N. Note that
we require that |G
i
| ≥ 2
λ
. Choose a
i
,x
i
$
←− G
i
and
compute y
i
← [x
i
]
i
and b
i
← [a
i
]
i
. Output the pub-
lic key pk
i
= y
i
. The secret key is sk
i
= x
i
. The
elements b
i
are known to all participants, but the
a
i
’s are used only once and are discarded after-
wards.
Listing(): Collect the public keys and randomly
shuffle them. Store the result into a list L =
{y
j
}
j∈[0,n
1
)
and output L.
2
2
Note that L can be fixed or periodically updated.
Signer and Message Ambiguity from a Variety of Keys
397
Signature Generation(): Assume that recipient R
would like to get a signature from signer S on a
message m
`
∈ {m
t
}
t∈[0,n
2
)
. To compute the am-
biguous signature the following protocol is exe-
cuted:
Step 1: For j ∈ [0,n
1
), R selects α
j
$
←− G
j
and
computes c
j
← [α
j
]
j
⊗
j
b
`
j
. Then, R sends C =
{c
j
}
j∈[0,n
1
)
and M = {m
t
}
t∈[0,n
2
)
to S.
Step 2: For t ∈ [0,n
2
), S (with access to x
k
) does
the following:
a) Generate an element β
t
$
←− G
k
and com-
pute z
k,t
← c
k
⊗
k
b
−t
k
⊗
k
[β
t
]
k
and d
k+1,t
←
H
k+1
(L,m
t
,z
k,t
).
b) For j ∈ [k + 1, n
1
) ∪ [0,k), randomly se-
lect s
j,t
$
←− G
j
and then compute z
j,t
←
c
j
⊗
j
b
−t
j
⊗
j
[s
j,t
]
j
⊗
j
y
d
j,t
j
and d
j+1,t
←
H
j+1
(L,m
t
,z
j,t
)
3
.
c) Compute s
k,t
← β
t
?
k
x
−d
k,t
k
.
d) Send to R the signature (d
0,t
,W
t
), where
W
t
= {s
j,t
}
j∈[0,n
1
)
.
Step 3: For j ∈ [0,n
1
) and t ∈ [0,n
2
),
R computes δ
j,t
← [α
j
]
j
⊗
j
b
`−t
j
,
e
j,t
← δ
j,t
⊗
j
[s
j,t
]
j
⊗
j
y
d
j,t
j
and then
d
j+1,t
← H
j+1
(L,m
t
,e
j,t
) if j 6= n
1
− 1.
R accepts the ambiguous signature if and only
if d
0,t
= H
0
(L,m
t
,e
n
1
−1,t
), where t ∈ [0,n
2
).
Otherwise, output false.
Step 4: To convert the signer and message am-
biguous signature into a signer ambiguous sig-
nature, R sets d
0
← d
0,`
and computes s
j
←
α
j
?
j
s
j,`
, where j ∈ [0,n
1
). Output the signa-
ture (d
0
,W ), where W = {s
j
}
j∈[0,n
1
)
.
Verify(m, d
0
,W ,L): For j ∈ [0,n
1
), compute e
j
←
[s
j
]
j
⊗
j
y
d
j
j
and then d
j+1
← H
j+1
(L,m, e
j
) if
j 6= n
1
− 1. Output true if and only if d
0
=
H
0
(L,m, e
n
1
−1
). Otherwise, output false.
Remark. In the Setup phase, the b
i
elements can be
generated for each user after they receive their pub-
lic parameters and key-pairs, and by a TTP different
from the one generating the initial system’s parame-
ters. Thus, our scheme is compatible with preexisting
signature certificates and can be seen as adding an ex-
tra functionality to existing systems.
Correctness. First we need to check that R accepts
a genuine signature. Thus, if (c
0,t
,W
t
) is generated
3
When j = n
1
− 1 we abuse notation and consider j +
1 = 0.
according to the scheme, then for j 6= k we have
e
j,t
= δ
j,t
⊗
j
[s
j,t
]
j
⊗
j
y
d
j,t
j
= c
j
⊗
j
b
−t
j
⊗
j
[s
j,t
]
j
⊗
j
y
d
j,t
j
= z
j,t
and for j = k we have
e
k,t
= δ
j,t
⊗
k
[s
k,t
]
k
⊗
k
y
d
k,t
k
= c
k
⊗
k
b
−t
k
⊗
k
[β
t
?
k
x
−d
k,t
k
]
k
⊗
k
y
d
k,t
k
= c
k
⊗
k
b
−t
k
⊗
k
[β
t
]
k
⊗
k
[x
k
]
−d
k,t
k
⊗
k
y
d
k,t
k
= c
k
⊗
k
b
−t
k
⊗
k
[β
t
]
k
= z
k,t
.
Now we need to check if the verification process re-
turns true. Hence, if the pair (d
0
,W ) is generated
according to the scheme, then we have
e
j
= [s
j
]
j
⊗
j
y
d
j
j
= [α
j
?
j
s
j,`
]
j
⊗
j
y
d
j
j
= δ
j,`
⊗
j
[s
j,`
]
j
⊗
j
y
d
j
j
= e
j,`
.
3.2 Security Analysis
Theorem 3.1. The SMAS-KSS scheme is perfectly
signer ambiguous.
Proof. Note that all s
j,t
are taken randomly from G
j
,
except for s
k,t
. Since β
t
is a random element from G
k
,
then s
k,t
is also randomly distributed in G
k
. Hence,
for a fixed (m
t
,L) the probability of W
t
is always
1/
∏
|G
i
|, regardless of the closing point s
k,t
and index
t. The remaining c
0,t
are uniquely determined from
(m
t
,L) and W
t
.
Theorem 3.2. The SMAS-KSS scheme is perfectly
message ambiguous.
Proof. All the information regarding ` is contained
in the c
j
elements. Since α
j
is random, then c
j
is
also random. Thus, for a fixed M the probability of
{c
j
}
j∈[0,|M|)
is always 1/
∏
|G
i
|. So, no information
about ` is leaked to S .
Theorem 3.3. If the following statements are true
• an EUF-CMCPA attack on the SMAS-KSS has
non-negligible probability of success in the ROM,
• for all i values, f
i
∈ Z are known such that
gcd(d
0
− d
1
, f
i
) = 1 for all d
0
,d
1
∈ C
i
with d
0
6=
d
1
,
SECRYPT 2021 - 18th International Conference on Security and Cryptography
398
• for all i values, u
i
∈ G
i
are known such that [u
i
]
i
=
y
f
i
i
,
then at least a homomorphism [·]
i
can be inverted in
polynomial time.
Proof. Let A be an efficient EUF-CMCPA attacker for
SMAS-KSS that requests at most q
s
and q
h
signing
and, respectively, random oracle queries. Also, let ε
be its success probability and τ its running time. By
q
m
we denote the total number of messages sent to S
for signing.
In order to make A work properly we simulate the
random oracles that correspond to each hash function
(see Algorithm 1) and the signing oracle (see Algo-
rithm 2). For simplicity we treat all the random or-
acles as one big random oracle O
H
that takes as in-
put the j-th query (i, L
j
,m
j
,r
j
) and returns a random
value corresponding to H
i
(L
j
,m
j
,r
j
). To avoid com-
plicated suffixes y
0
and m
0
, for example, refer to the
first public key and the first message from the current
L
j
and, respectively, M
j
. Hence, y
0
∈ L
j
and y
0
∈ L
j
0
could differ. The same is also true for m
0
.
Algorithm 1: Hashing oracle O
H
simulation for
all H
i
.
Input: A hashing query (i,L
j
,m
j
,r
j
) from A
1 if ∃h
j
such that {L
j
,m
j
,r
j
,h
j
} ∈ T
i
then
2 e ← h
j
3 else
4 e
$
←− C
i
5 Append {L
j
,m
j
,r
j
,e} to T
i
6 end if
7 return e
The signing oracle O
S
fails and returns ⊥ only if we
cannot assign d
0,t
to (L
j
,m
j
,e
|L
j
|−1,t
) without caus-
ing an inconsistency in T
0
. This event happens with
probability at most q
h
/q, where q = 2
λ
. Thus, O
S
is
successful with probability at least (1 − q
h
/q)
q
s
q
m
≥
1 − q
h
q
s
q
m
/q.
Let Θ and Ω be the random tapes given to O
S
and
A. The adversary’s success probability is taken over
the space defined by Θ, Ω and O
H
. Let Σ be the
set of (Θ,Ω,O
H
) with which A successfully creates
a forgery, while having access to a real signing ora-
cle. Let (m,d
0
,{s
i
}
i∈[0,n
0
)
,L) be A’s forgery, where
|L| = n
0
. Then, T
i+1
contains a query for (L,m,e
i
)
for all i ∈ [0, n
0
) with probability at least 1−1/|C
i+1
|,
due to the ideal randomness of O
H
. Let Σ
0
⊆ Σ be the
set of (Θ,Ω,O
H
) with which A successfully creates
a forgery, while having access only to the simulated
oracle O
S
. Then, Pr[(Θ,Ω,O
H
) ∈ Σ
0
] ≥ ε
0
, where
Algorithm 2: Signing oracle O
S
simulation.
Input: A signature query (M
j
,C
j
,L
j
) from A
1 for t ∈ [0,|M
j
|) do
2 d
0,t
$
←− C
0
3 for i ∈ [0, |L
j
|) do
4 s
i,t
$
←− G
i
5 e
i,t
← c
i
⊗
i
b
−t
i
⊗
i
[s
i,t
]
i
⊗
i
y
d
i,t
i
6 if i 6= |L
j
| − 1 then
7 d
i+1,t
← H
i+1
(L
j
,m
t
,e
i,t
)
8 end if
9 end for
10 if @h
t
such that {L
j
,m
t
,e
|L
j
|−1,t
,h
t
} ∈ T
0
then
11 Append {L
j
,m
t
,e
|L
j
|−1,t
,d
0,t
} to T
0
12 Sent to A the signature
(d
0,t
,{s
i,t
}
i∈[0,|L
j
|)
)
13 else
14 return ⊥
15 end if
16 end for
ε
0
= (1 − q
h
q
s
q
m
/q)(1 − 1/w)ε and w is the smallest
|C
i
|.
Since the queries form a ring, there exists at least
an index k ∈ [0,n
0
) such that the u query Q
u
= (k +
1,L, m,e
k
) and the v query Q
v
= (k,L, m,e
k−1
) satisfy
u ≤ v. Such a pair (u, v) is called a gap index. Re-
mark that u = v only when n
0
= 1. If there are two or
more gap indices with regard to a signature, we only
consider the smallest one.
We denote by Σ
0
u,v
the set of (Θ,Ω,O
H
) that yield
the gap index (u,v). There are at most C
q
h
2
+C
q
h
1
=
q
h
(q
h
+ 1)/2 such sets. If we invoke A with ran-
domly chosen (Θ,Ω, O
H
) at most 1/ε
0
times, then
we will find at least one (Θ,Ω, O
H
) ∈ Σ
0
u,v
for some
gap index (u, v) with probability 1 − (1 − ε
0
)
1/ε
0
>
1 − exp(−1) > 3/5.
We define the sets GI = {(u,v) | |Σ
0
u,v
|/|Σ
0
| ≥
1/(q
h
(q
h
+ 1))} and B = {(Θ, Ω,O
H
) ∈ Σ
0
u,v
| (u,v) ∈
GI}. Then, we have Pr[B|Σ
0
] ≥ 1/2. Using the heavy
row lemma we obtain that a triplet (Θ,Ω, O
H
) that
yields a successful run of A is in B with probability at
least 1/2.
Let O
H
0
be the identical to O
H
except for the
Q
v
query to which O
H
0
responds with a random
element d
0
k
6= d
k
. Then according to the heavy
row lemma, with probability 1/2, (Θ, Ω,O
H
0
) sat-
isfies Pr[(Θ,Ω, O
H
0
) ∈ Σ
0
u,v
] = ε
00
/2, where ε
00
=
ε
0
/(2q
h
(q
h
+ 1)). Hence, if we run A at most
2/ε
00
times, then with probability 1/2 · [1 − (1 −
ε
00
/2)
2/ε
00
] > 1/2 · (1 − exp(−1)) > 3/10 we will find
Signer and Message Ambiguity from a Variety of Keys
399
at least one d
0
k
such that (Θ,Ω,O
H
0
) ∈ Σ
0
u,v
. Since Q
u
is queried before Q
v
, e
k
remains unchanged. There-
fore we can compute
˜x
k
= u
a
k
?
k
(s
0
k
−1
?
k
s
k
)
b
,
where a and b are computed using Euclid’s algorithm
such that f
k
a + (d
0
k
− d
k
)b = 1. Note that for some β
[s
0
k
−1
?
k
s
k
]
k
= [s
0
k
−1
]
k
⊗
k
[s
k
]
k
= y
d
0
k
k
⊗
k
([β]
k
)
−1
⊗ c
−1
k
⊗ c
k
⊗
k
[β]
k
⊗
k
y
−d
k
k
= y
d
0
k
−d
k
k
and thus
[ ˜x
k
]
k
= [u
a
k
?
k
(s
0
k
−1
?
k
s
k
)
b
]
k
= ([u
k
]
k
)
a
⊗
k
([s
0
k
−1
?
k
s
k
]
k
)
b
= (y
f
k
k
)
a
⊗
k
(y
d
0
k
−d
k
k
)
b
= y
k
.
The overall success probability is 9/100 = 3/5 ·
1/2·3/10 and A is invoked at most 1/ε
0
+2/ε
00
times.
3.3 Concrete Examples
In this subsection we present a few concrete exam-
ples of the SMAS in order to help readers who are
familiar with Schnorr or Guillou-Quisquater type sig-
natures. The reader can easily infer more examples
from the unified zero-knowledge protocol’s instantia-
tions described in (Maurer, 2009, Te¸seleanu, 2018).
All Discrete Logarithm Case. Let p and q be two
prime numbers such that q|p − 1. Select an element
h ∈ H
p
of order q in some multiplicative group of or-
der p−1. The discrete logarithm of an element z ∈ H
p
is an exponent x such that z = h
x
. We further describe
the parameters of the all discrete logarithm signature.
Define (G
i
,?
i
) = (Z
q
i
,+) and H
i
= hh
i
i. The one-
way group homomorphism is defined by [x
i
]
i
= h
x
i
i
and the challenge space C
i
can be any arbitrary subset
of [0,q
i
). Let 1
i
be the neutral element of H
i
. Then the
conditions of Theorem 3.3 are satisfied for f
i
= q
i
and
u
i
= 0. Note that we have [u]
i
= [0]
i
= 1
i
= y
f
i
i
= y
q
i
i
since every element of H
i
raised to the group order q
i
is the neutral element 1
i
.
All e
th
-root Case. Let p and q be two safe prime
numbers such that (p − 1)/2 and (q − 1)/2 are also
prime. Compute N = pq and choose a prime e such
that gcd(e,ϕ(N)) = 1. An e
th
-root of an element z ∈
Z
∗
N
is a base x such that z = x
e
. Note that the e
th
-root
is not unique. We further describe the parameters of
the all e
th
-root signature.
Define (G
i
,?
i
) = (H
i
,⊗
i
) = (Z
∗
N
i
,·). The one-way
group homomorphism is defined by [x
i
]
i
= x
e
i
i
and
the challenge space C
i
can be any arbitrary subset of
[0,e
i
). The conditions of Theorem 3.3 are satisfied for
f
i
= e
i
and u
i
= y
i
.
Mixture of Discrete Logarithm and e
th
-root. For
simplicity, we consider the case n = 2. Let (G
0
,?
0
) =
(Z
q
,+), H
0
= hhi and (G
1
,?
1
) = (H
1
,⊗
1
) = (Z
∗
N
,·).
The one-way group homomorphisms are defined by
[x
0
]
0
= h
x
0
and [x
1
]
1
= x
e
1
. The corresponding chal-
lenge spaces C
0
and C
1
can be any arbitrary subset of
[0,q) and, respectively, [0, e). Finally, the conditions
of Theorem 3.3 are satisfied for f
0
= q, f
1
= e, u
0
= 0
and u
1
= y
1
.
4 SMAS WITHOUT KEY
SEPARATION
4.1 Description
In this section we present a more efficient SMAS sig-
nature. This signature only works when all the partici-
pants use the same underlying commutative group. To
achieve our goal, we used a generalized version of the
technique developed in (Abe et al., 2002). We further
denote the following signature with SMAS-NKSS.
Setup(λ): Choose two commutative groups G, H, a
homomorphism [·] : G → H and a hash function
H : {0, 1}
∗
→ C ⊆ N. Note that we require that
|G| ≥ 2
λ
. Choose a
$
←− G and compute b ← [a].
For each user, choose x
i
$
←− G and compute y
i
←
[x
i
]. Output the public key pk
i
= y
i
. The secret
key is sk
i
= x
i
. The element b is known to all par-
ticipants, but a is used only once and is discarded
afterwards.
Listing(): Collect the public keys and randomly
shuffle them. Store the result into a list L =
{y
j
}
j∈[0,n
1
)
and output L.
Signature Generation(): Assume that recipient R
would like to get a signature from signer S on a
message m
`
∈ {m
t
}
t∈[0,n
2
)
. To compute the am-
biguous signature the following protocol is exe-
cuted:
Step 1: R selects α
$
←− G and computes c ← [α]⊗
b
`
. Then, R sends c and M = {m
t
}
t∈[0,n
2
)
to S.
Step 2: For t ∈ [0,n
2
), S generates a random ele-
ment β
t
$
←− G and d
j,t
$
←− C , where j ∈ [0, n
1
) \
SECRYPT 2021 - 18th International Conference on Security and Cryptography
400
{k}. Then computes the following:
z
t
← c ⊗ b
−t
⊗ [β
t
] ⊗ y
d
0,t
0
⊗ ... ⊗ y
d
k−1,t
k−1
z
t
← z ⊗ y
d
k+1,t
k+1
⊗ ... ⊗ y
d
n
1
−1,t
n
1
−1
d
t
← H(L,m
t
,z
t
)
d
k,t
← d
t
− d
0,t
− ... − d
k−1,t
mod |C |
d
k,t
← d
k,t
− d
k+1,t
− ... − d
n
1
−1,t
mod |C |
s
t
← β
t
? x
−d
k,t
k
.
Send to R the signature (s
t
,W
t
), where W
t
=
{d
j,t
}
j∈[0,n
1
)
.
Step 3: For t ∈ [0,n
2
), R computes δ
t
← [α] ⊗
b
`−t
, u
t
←
∑
n
1
−1
j=0
d
j,t
mod |C | and v
t
← δ
t
⊗
[s
t
] ⊗ (⊗
n
1
−1
j=0
y
d
j,t
j
). R accepts the ambiguous
signature if and only if u
t
≡ H(L,m
t
,v
t
) mod
|C |, where t ∈ [0,n
2
). Otherwise, output
false.
Step 4: To convert the signer and message am-
biguous signature into a signer ambiguous sig-
nature, R computes s ← α ? s
`
and sets d
j
←
d
j,`
, where j ∈ [0,n
1
). Output the signature
(s,W ), where W = {d
j
}
j∈[0,n
1
)
.
Verify(m, s,W ,L): Compute the intermediary val-
ues u ←
∑
n
1
−1
j=0
d
j
mod c and v ← [s]⊗(⊗
n
1
−1
j=0
y
d
j
j
).
Output true if and only if u = H(L,m,v). Other-
wise, output false.
Correctness. First we need to check that R accepts
a genuine signature. Thus, if (s
t
,W
t
) is generated ac-
cording to the scheme, then we have
v
t
= δ
t
⊗ [s
t
] ⊗ (⊗
n−1
j=0
y
d
j,t
j
)
= c ⊗ b
−t
⊗ [β
t
] ⊗ [x
k
]
−d
k,t
⊗ (⊗
n−1
j=0
y
d
j,t
j
)
= z
t
.
Now we need to check if the verification process re-
turns true. Hence, if the pair (s, W ) is generated
according to the scheme, then we have
v = [s] ⊗ (⊗
n−1
j=0
y
d
j
j
)
= [α ? s
`
] ⊗ (⊗
n−1
j=0
y
d
j,`
j
)
= δ
`
⊗ [s
`
] ⊗ (⊗
n−1
j=0
y
d
j,`
j
)
= v
`
.
4.2 Security Analysis
Theorems 4.1 and 4.2’s proofs are similar to Theo-
rems 3.1 and 3.2’s proofs and thus are omitted. The-
orem 4.3’s proof is provided in the full version of the
paper and is omitted due to space limitations.
Theorem 4.1. The SMAS-NKSS scheme is perfectly
signer ambiguous.
Theorem 4.2. The SMAS-NKSS scheme is perfectly
message ambiguous.
Theorem 4.3. If the following statements are true
• an EUF-CMCPA attack on the SMAS-NKSS has
non-negligible probability of success in the ROM,
• an f ∈ Z is known such that gcd(d
0
− d
1
, f ) = 1
for all d
0
,d
1
∈ C with d
0
6= d
1
,
• for all i values, u
i
∈ G are known such that [u
i
] =
y
f
i
,
then the homomorphism [·] can be inverted in polyno-
mial time.
5 PERFORMANCE ANALYSIS
When n
1
= 1 and n
2
= n both SMAS schemes become
an oblivious signature with n messages (denoted sim-
ply as SMAS). Two such signatures are described in
(Tso et al., 2008, Chen, 1994) for G = Z
∗
p
. In ??
and table 1 we provide the reader with the perfor-
mance analysis of our scheme. In ?? the communi-
cation overhead is measured in bits, while in Table 1
the computation cost is measured in exponentiations.
We consider |p| = 3072 and |q| = 256, which accord-
ing to (Elaine, 2020) offers a security strength of 128
bits.
Table 1: Computation cost comparison.
Scheme S R V
SMAS 2n 3n + 2 2
Tso et. al (Tso et al., 2008) 2n 3n + 2 2
Chen (Chen, 1994) 3n 2n + 10 8
In order to measure the efficiency of our SMAS
schemes, we compare them to the protocol described
in (Tso, 2016). Although the philosophy of this
scheme is a little bit different than ours, it is the clos-
est one. Again, let G = Z
∗
p
. The results are presented
in Tables 2 and 3. Note that in Tso’s protocol, the
receiver transforms the signature into a Schnorr sig-
nature
4
(Schnorr, 1989), while we transform it into
an Abe et.al signature (Abe et al., 2002). Hence, the
larger communication and computational overhead on
V ’s side.
4
i.e. n
1
= 1
Signer and Message Ambiguity from a Variety of Keys
401
Table 2: Communication cost comparison.
Scheme Steps R → S S → R R → V
SMAS-KSS 2 n
1
|q| (n
1
+ 1)n
2
|q| (n
1
+ 1)|q|
SMAS-NKSS 2 |q| (n
1
+ 1)n
2
|q| (n
1
+ 1)|q|
Tso (Tso, 2016) 2 |q| 2n
1
n
2
|q| 2|q|
Table 3: Computation cost comparison.
Scheme S R V
SMAS-KSS 3n
1
n
2
− n
2
3n
1
n
2
+ 2n
1
2n
1
SMAS-NKSS (n
1
+ 1)n
2
(n
1
+ 2)n
2
+ 2 n
1
+ 1
Tso (Tso, 2016) 2n
1
n
2
3n
1
n
2
+ 2 2
6 CONCLUSION
Our SMAS protocols are the abstraction of a large
class of protocols that allow users to sign sensible in-
formation, while maintaining the signers anonymity.
We introduced two versions, one with independently
selected public parameters and one with common
public parameters. We managed to relate the pre-
sented protocols’ security to the hardness of inverting
one-way homomorphisms.
REFERENCES
Abe, M., Ohkubo, M., and Suzuki, K. (2002). 1-out-of-n
Signatures from a Variety of Keys. In ASIACRYPT
2002, volume 2501 of Lecture Notes in Computer Sci-
ence, pages 415–432. Springer.
Chaum, D. (1982). Blind Signatures for Untraceable Pay-
ments. In CRYPTO 1982, pages 199–203. Plenum
Press, New York.
Chen, L. (1994). Oblivious Signatures. In ESORICS 1994,
volume 875 of Lecture Notes in Computer Science,
pages 161–172. Springer.
Cramer, R., Damgård, I., and Schoenmakers, B. (1994).
Proofs of Partial Knowledge and Simplified Design of
Witness Hiding Protocolss. In CRYPTO 1994, vol-
ume 839 of Lecture Notes in Computer Science, pages
174–187. Springer.
Elaine, B. (2020). NIST Special Publication 800-57 Part 1
Revision 5 - Recommendation for Key Management:
Part 1 – General. Technical report, NIST.
Juels, A., Luby, M., and Ostrovsky, R. (1997). Security of
Blind Digital Signatures. In CRYPTO 1997, volume
1294 of Lecture Notes in Computer Science, pages
150–164. Springer.
Maurer, U. (2009). Unifying Zero-Knowledge Proofs of
Knowledge. In AFRICACRYPT 2009, volume 5580 of
Lecture Notes in Computer Science, pages 272–286.
Springer.
Ohta, K. and Okamoto, T. (1998). On Concrete Security
Treatment of Signatures Derived from Identification.
In CRYPTO 1998, volume 1462 of Lecture Notes in
Computer Science, pages 354–369. Springer.
Rivest, R. L., Shamir, A., and Tauman, Y. (2001). How to
Leak a Secret. In ASIACRYPT 2001, volume 2248 of
Lecture Notes in Computer Science, pages 552–565.
Springer.
Schnorr, C.-P. (1989). Efficient Identification and Signa-
tures For Smart Cards. In CRYPTO 1989, volume 435
of Lecture Notes in Computer Science, pages 239–
252. Springer.
Te¸seleanu, G. (2018). Unifying Kleptographic Attacks.
In NordSec 2018, volume 11252 of Lecture Notes in
Computer Science, pages 73–87. Springer.
Tso, R. (2016). Two-in-One Oblivious Signatures Secure
in the Random Oracle Model. In NSS 2016, volume
9955 of Lecture Notes in Computer Science, pages
143–155. Springer.
Tso, R. (2019). Two-in-One Oblivious Signatures. Future
Generation Computer Systems, 101:467–475.
Tso, R., Okamoto, T., and Okamoto, E. (2008). 1-out-of-n
Oblivious Signatures. In ISPEC 2008, volume 4991
of Lecture Notes in Computer Science, pages 45–55.
Springer.
SECRYPT 2021 - 18th International Conference on Security and Cryptography
402
