Threshold Structure-Preserving Signatures with Randomizable Key
Ahmet Ramazan Ağırtaş (1, a), Emircan Çelik (2, b), Sermin Kocaman (3, c), Fatih Sulak (4, d) and Oğuz Yayla (2, e)
1 Nethermind Research, London, U.K.
2 Middle East Technical University, Ankara, Turkey
3 FAME Crypt, Ankara, Turkey
4 Atilim University, Ankara, Turkey
Keywords:
Structure-Preserving Signatures, Threshold Signatures, Randomizable Keys, Privacy.
Abstract:
Digital signatures confirm message integrity and signer identity, but linking public keys to identities can cause privacy concerns in anonymized settings. Signatures with randomizable keys can break this link, preserving verifiability without revealing the signer. While effective for privacy, complex cryptographic systems need a modular structure for efficient implementation. Threshold structure-preserving signatures enable modular, privacy-friendly protocols. This work combines randomizable keys with threshold structure-preserving signatures to create a valid, modular, and unlinkable foundation for privacy-preserving applications.
1 INTRODUCTION
Digital signatures are cryptographic techniques that provide a method to authenticate the integrity of the message and the identity of the signer. The message, once signed by the signer, can be verified using the signer's public key. However, in certain scenarios, such as anonymized networks or privacy-preserving applications, the inherent connection between the public key and the signer's identity poses a problem (Balumuri et al., 2024). Revealing this information conflicts with preserving anonymity. In such situations, balancing authenticity with anonymity becomes a challenging task. To tackle this issue, Signatures with Randomizable Keys (SwRK) have drawn most of the attention as a means to dissociate the signer's identity from their public key. In this scheme, the signer signs a message under the randomized secret signing key while ensuring that the signature remains valid. Although different terminology is employed throughout the literature, a comprehensive overview of previous work on this topic, connecting key-homomorphic signatures, signatures with re-randomizable keys, signatures with key blinding, and key-updatable signatures, can be found in (Celi et al., 2023). While SwRK is useful for privacy-preserving protocols, it is also important for the protocol to be structured in a modular design to allow for the simple implementation of complex primitives. Fortunately, the concept of Structure-Preserving Signatures (SPS) offers a way to construct modular protocols. SPS are signatures based on pairings, wherein verification keys, signatures, and messages are elements in a bilinear group, and the verification equation is derived from a pairing-product equation (Abe et al., 2010).
a https://orcid.org/0000-0002-4574-0067
b https://orcid.org/0009-0007-9707-2199
c https://orcid.org/0000-0001-8334-8587
d https://orcid.org/0000-0002-5220-3630
e https://orcid.org/0000-0001-8945-2780
Related Work. In 2014, Abe et al. (Abe et al., 2014) proposed a re-randomizable SPS scheme that enables the randomization of both the signature and key after generation, while still preserving the structure of the signature. This scheme achieves direct randomization of the signature without the necessity of a message. In 2016, Ghadafi (Ghadafi, 2016) proposed an SPS that is shorter than existing SPS schemes.
Many SPS in the literature are inadequate for thresholding because they involve nonlinear processes or require significant overhead. However, in 2023, Crites et al. (Crites et al., 2023) proposed a Threshold Structure-Preserving Signature (TSPS) by defining an indexed Diffie-Hellman message space. They address thresholdizing by employing indexing that converts each scalar message m into an index id to generate partial signatures in a compatible format for aggregation in a threshold scheme.
Ağırtaş, A. R., Çelik, E., Kocaman, S., Sulak, F. and Yayla, O.
Threshold Structure-Preserving Signatures with Randomizable Key.
DOI: 10.5220/0013528900003979
In Proceedings of the 22nd International Conference on Security and Cryptography (SECRYPT 2025), pages 632-637
ISBN: 978-989-758-760-3; ISSN: 2184-7711
Copyright © 2025 by Paper published under CC license (CC BY-NC-ND 4.0)
Our Contribution. In this paper, we propose a novel structure-preserving signature scheme with a key randomization property. We also propose its threshold variant. Additionally, we present a cost analysis of our proposed schemes. Finally, we provide a proof-of-concept implementation of our schemes with experimental results.
Paper Organization. This paper is organized as follows: Section 2 provides the necessary building blocks for our construction. Section 3 introduces our proposed Threshold Structure-Preserving Signature with Randomizable Keys (TSPSwRK) and its non-threshold counterpart IM-SPSwRK, followed by a performance analysis in Section 4. Finally, Section 5 offers the conclusion of the paper and future work.
2 NOTATION AND BACKGROUND
For the syntax, $\lambda$ is the security parameter, $1^\lambda$ is its unary representation, and $\mathsf{negl}(\lambda)$ denotes a negligible function. While $x \xleftarrow{\$} X$ is utilized to indicate that $x$ is uniformly sampled from the set $X$, the cardinality of a set $X$ is represented by the symbol $|X|$. Also, $A(x) \to y$ denotes that $y$ is an output of the algorithm $A$ on input $x$, whereas $x \leftarrow y$ denotes the straightforward assignment process. We denote the bilinear pairing function by $e(\cdot,\cdot)$, as described in (Galbraith et al., 2008).
Signatures with Randomizable Keys. A Signature with Randomizable Keys (SwRK) scheme consists of eight algorithms, namely PPGen, KGen, SignGen, Verify, RandPK, RandSK, Adapt, and VerKey, as defined in (Celi et al., 2023).
Indexed-Message Structure-Preserving Signature. An Indexed-Message Structure-Preserving Signature (IM-SPS) over the indexed Diffie-Hellman message space (Crites et al., 2023) consists of four algorithms, Setup, KGen, SignGen, and Verify, which can be described as follows.
1. $\mathsf{Setup}(1^\lambda) \to \mathsf{pp}$: This PPT algorithm takes the security parameter $1^\lambda$ as input, and it outputs public parameters $\mathsf{pp} = ((\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2), H)$, where $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are groups of order $p$ utilized in the bilinear map $e$, and $g_1$ and $g_2$ are generators of $\mathbb{G}_1$ and $\mathbb{G}_2$, respectively. Also, $H : \{0,1\}^* \to \mathbb{G}_1$ is a hash function that maps arbitrary length binary inputs to the group $\mathbb{G}_1$.
2. $\mathsf{KGen}(\mathsf{pp}) \to (\mathsf{sk}, \mathsf{vk})$:
   (a) Sample $\mathsf{sk} = (\mathsf{sk}_0, \mathsf{sk}_1) = (x, y) \xleftarrow{\$} \mathbb{Z}_p$
   (b) Compute $\mathsf{vk} = (\mathsf{vk}_0, \mathsf{vk}_1) = (g_2^{x}, g_2^{y})$
3. $\mathsf{SignGen}(\mathsf{pp}, \mathsf{sk}, (\mathsf{id}, M_1, M_2)) \to \sigma$:
   (a) $(\mathsf{id}, M_1, M_2) = (\mathsf{id}, H(\mathsf{id})^{m}, g_2^{m}) \in \mathcal{M}^{H}_{\mathsf{iDH}}$ as defined in (Crites et al., 2023), where $m \in \mathbb{Z}_p$
   (b) Check $e(h, M_2) = e(M_1, g_2)$, where $h \leftarrow H(\mathsf{id})$. If this is not the case, abort.
   (c) Compute the signature $\sigma = (h, s) = (h, h^{x} \cdot M_1^{y})$.
4. $\mathsf{Verify}(\mathsf{pp}, \mathsf{vk}, (M_1, M_2), \sigma) \to 0/1$:
   (a) Accept if all the following conditions hold:
       i. $h \neq 1_{\mathbb{G}_1}$,
       ii. $M_1 \neq 1_{\mathbb{G}_1}$,
       iii. $e(h, M_2) = e(M_1, g_2)$,
       iv. $e(h, \mathsf{vk}_0)\, e(M_1, \mathsf{vk}_1) = e(s, g_2)$.
   (b) Reject, otherwise.
Threshold SPS. Threshold Structure-Preserving Signatures (TSPS) for indexed message spaces (Crites et al., 2023) consist of six algorithms, Setup, KGen, PSignGen, PSignVerify, Reconst, and Verify, which can be described as follows.
1. $\mathsf{Setup}(1^\lambda) \to \mathsf{pp}$: This PPT algorithm takes the security parameter $1^\lambda$ as input, and outputs public parameters $\mathsf{pp} = ((\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2), H)$, where $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ are groups of prime order $p$, utilized in an efficient bilinear map $e$, $g_1, g_2$ are generators of $\mathbb{G}_1, \mathbb{G}_2$, respectively, and $H : \{0,1\}^* \to \mathbb{G}_1$ is a hash function that maps arbitrary length binary inputs to the group $\mathbb{G}_1$.
2. $\mathsf{KGen}(\mathsf{pp}, n, t) \to (\vec{\mathsf{sk}}, \vec{\mathsf{vk}}, \mathsf{vk})$:
   (a) Run Pedersen's Distributed Key Generation (PedDKG) protocol (Pedersen, 1991) as follows:
       Each node $N_i$ samples two random integers $(x_{i0}, y_{i0}) \xleftarrow{\$} \mathbb{Z}_p$ for $i \in [1,n]$, and forms two polynomials of degree $t$ by sampling $2t$ random integer coefficients $\{x_{i\ell}, y_{i\ell}\}_{\ell=1}^{t} \xleftarrow{\$} \mathbb{Z}_p$:
       $$f_i(X) = x_{i0} + x_{i1}X + \dots + x_{it}X^{t} \in \mathbb{Z}_p[X]$$
       $$g_i(X) = y_{i0} + y_{i1}X + \dots + y_{it}X^{t} \in \mathbb{Z}_p[X]$$
       Each $N_i$ commits to the coefficients by broadcasting $B_{i\ell} = g_2^{x_{i\ell}}$, $C_{i\ell} = g_2^{y_{i\ell}}$, $\forall \ell \in [0,t]$. Then, $N_i$ sends $f_i(j), g_i(j)$ to $N_j$, such that $j \in [1,n] \setminus \{i\}$.
       Node $N_i$ confirms the consistency of the received shares $f_j(i), g_j(i)$ from $N_j$ by checking $g_2^{f_j(i)} = \prod_{\ell=0}^{t} B_{j\ell}^{\,i^{\ell}}$ and $g_2^{g_j(i)} = \prod_{\ell=0}^{t} C_{j\ell}^{\,i^{\ell}}$. If these conditions are met, $N_i$ accepts the shares; otherwise, it rejects them and complains against the malicious node $N_j$.
       A node is deemed disqualified if it receives at least $t$ complaints. At the conclusion of this phase, at least $t$ nodes from the set of qualified nodes $Q$ proceed to the following steps.
       The global verification key $\mathsf{vk}$ is determined as follows:
       $$\mathsf{vk} := (\mathsf{vk}_{00}, \mathsf{vk}_{01}) = \Big(\prod_{i \in Q} B_{i0}, \prod_{i \in Q} C_{i0}\Big) = \Big(g_2^{\sum_{i \in Q} x_{i0}}, g_2^{\sum_{i \in Q} y_{i0}}\Big) = (g_2^{x}, g_2^{y})$$
       Also, its corresponding secret key will be
       $$\mathsf{sk} := \Big(\sum_{i \in Q} x_{i0}, \sum_{i \in Q} y_{i0}\Big)$$
       Each qualified node $N_i$ defines its secret key $\mathsf{sk}_i$ and its corresponding verification key $\mathsf{vk}_i$ as follows:
       $$\mathsf{sk}_i := (\mathsf{sk}_{i0}, \mathsf{sk}_{i1}) = \Big(\sum_{j \in Q} f_j(i), \sum_{j \in Q} g_j(i)\Big) = (x_i, y_i)$$
       $$\mathsf{vk}_i := (\mathsf{vk}_{i0}, \mathsf{vk}_{i1}) = \Big(\prod_{j \in Q} \prod_{\ell=0}^{t} (B_{j\ell})^{i^{\ell}}, \prod_{j \in Q} \prod_{\ell=0}^{t} (C_{j\ell})^{i^{\ell}}\Big) = \big(g_2^{f(i)}, g_2^{g(i)}\big),$$
       where $f(X) = \sum_{j \in Q} f_j(X)$ and $g(X) = \sum_{j \in Q} g_j(X)$.
   (b) Set two vectors of size $n$ of signing keys $\vec{\mathsf{sk}} \leftarrow (\mathsf{sk}_1, \mathsf{sk}_2, \dots, \mathsf{sk}_n)$, and verification keys $\vec{\mathsf{vk}} \leftarrow (\mathsf{vk}_1, \mathsf{vk}_2, \dots, \mathsf{vk}_n)$
3. $\mathsf{PSignGen}(\mathsf{pp}, \mathsf{sk}_i, (\mathsf{id}, M_1, M_2)) \to (\sigma_i, \bot)$:
   (a) $(\mathsf{id}, M_1, M_2) = (\mathsf{id}, H(\mathsf{id})^{m}, g_2^{m}) \in \mathcal{M}^{H}_{\mathsf{iDH}}$, where $m \in \mathbb{Z}_p$
   (b) Check $e(h, M_2) = e(M_1, g_2)$, where $h \leftarrow H(\mathsf{id})$. If it does not hold, abort.
   (c) Compute the partial signatures $\sigma_i = (h_i, s_i) = (h, h^{\mathsf{sk}_{i0}} \cdot M_1^{\mathsf{sk}_{i1}})$.
4. $\mathsf{PSignVerify}(\mathsf{pp}, \mathsf{vk}_i, (M_1, M_2), \sigma_i = (h_i, s_i)) \to (0/1)$:
   (a) Accept if all the following conditions hold:
       i. $h_i \neq 1_{\mathbb{G}_1}$,
       ii. $M_1 \neq 1_{\mathbb{G}_1}$,
       iii. $e(h_i, M_2) = e(M_1, g_2)$,
       iv. $e(h_i, \mathsf{vk}_{i0})\, e(M_1, \mathsf{vk}_{i1}) = e(s_i, g_2)$.
   (b) Reject, otherwise.
5. $\mathsf{Reconst}(\mathsf{pp}, \vec{\mathsf{vk}}, (M_1, M_2), \{i, \sigma_i\}_{i \in T}) \to (\sigma, \bot)$:
   (a) Abort if at least one of the following conditions holds:
       i. $\exists\, i \in T \mid \mathsf{PSignVerify}(\mathsf{pp}, \mathsf{vk}_i, (M_1, M_2), \sigma_i) = 0$,
       ii. $\exists\, i, j \in T, i \neq j \mid h_i \neq h_j$.
   (b) Otherwise, set $h \leftarrow h_i$ and compute the signature $\sigma = (h, s) = (h, \prod_{i \in T} s_i^{\lambda_i})$, where $\lambda_i$ is an appropriate Lagrange coefficient.
6. $\mathsf{Verify}(\mathsf{pp}, \mathsf{vk}, (M_1, M_2), \sigma) \to (0/1)$:
   (a) Accept, if all of the following conditions hold:
       i. $h \neq 1_{\mathbb{G}_1}$
       ii. $M_1 \neq 1_{\mathbb{G}_1}$
       iii. $e(h, M_2) = e(M_1, g_2)$
       iv. $e(h, \mathsf{vk}_{00})\, e(M_1, \mathsf{vk}_{01}) = e(s, g_2)$,
   (b) Reject, otherwise.
The three primary security properties for TSPS defined over indexed message spaces are partial verification correctness, evaluation correctness, and threshold existential unforgeability against chosen indexed message attacks (Threshold EUF-CiMA).
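The share-consistency check and complaint rule of KGen step 2(a) above, as an added example that is not code from the paper or its PoC repository. It assumes a toy order-1019 subgroup of $\mathbb{Z}_{2039}^*$ in place of $\mathbb{G}_2$; `run_dkg`, `cheater` and `victims` are hypothetical names, and complaint handling beyond disqualification is not modelled.

```python
import secrets

# Toy stand-in for G2 (assumption of this example): the subgroup of prime
# order ORDER in Z_MOD^*, MOD = 2*ORDER + 1, generated by GEN. Not a secure size.
MOD, ORDER, GEN = 2039, 1019, 4

def poly_eval(coeffs, j):
    return sum(c * pow(j, l, ORDER) for l, c in enumerate(coeffs)) % ORDER

def commit_eval(comms, i):
    """prod_l comms[l]^(i^l): the committed polynomial evaluated in the exponent."""
    acc = 1
    for l, c in enumerate(comms):
        acc = acc * pow(c, pow(i, l, ORDER), MOD) % MOD
    return acc

def deal(n, t):
    """One node's round: degree-t polynomials f and g, commitments B and C, shares."""
    f = [secrets.randbelow(ORDER) for _ in range(t + 1)]
    g = [secrets.randbelow(ORDER) for _ in range(t + 1)]
    B = [pow(GEN, c, MOD) for c in f]
    C = [pow(GEN, c, MOD) for c in g]
    shares = {i: (poly_eval(f, i), poly_eval(g, i)) for i in range(1, n + 1)}
    return B, C, shares

def share_ok(i, share, B, C):
    """Receiver i's check: g2^f(i) == prod_l B_l^(i^l), and likewise for g and C."""
    return (pow(GEN, share[0], MOD) == commit_eval(B, i)
            and pow(GEN, share[1], MOD) == commit_eval(C, i))

def run_dkg(n, t, cheater=None, victims=()):
    deals = {j: deal(n, t) for j in range(1, n + 1)}
    if cheater is not None:              # cheater sends each victim a wrong f-share
        bad = deals[cheater][2]
        for v in victims:
            bad[v] = ((bad[v][0] + 1) % ORDER, bad[v][1])
    complaints = {j: set() for j in deals}
    for j, (B, C, shares) in deals.items():
        for i in shares:
            if i != j and not share_ok(i, shares[i], B, C):
                complaints[j].add(i)
    qualified = {j for j in deals if len(complaints[j]) < t}   # t complaints disqualify
    consistent = True
    for i in range(1, n + 1):            # sk_i0 = sum_j f_j(i) must match public vk_i0
        sk_i0 = sum(deals[j][2][i][0] for j in qualified) % ORDER
        vk_i0 = 1
        for j in qualified:
            vk_i0 = vk_i0 * commit_eval(deals[j][0], i) % MOD
        consistent = consistent and pow(GEN, sk_i0, MOD) == vk_i0
    return qualified, complaints, consistent
```

Calling `run_dkg(5, 2, cheater=2, victims=(1, 4))` shows node 2 collecting two complaints and dropping out of the qualified set, while every remaining key share still matches its public verification key.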
3 SPS AND THRESHOLD SPS WITH RANDOMIZABLE KEYS
Now, we introduce the randomizable key-enabled variant of the SPS and TSPS schemes.
To clarify the foundational structure of our protocol, we initially present its non-threshold version, based on the IM-SPS scheme in Section 2. In the following, we give the details of IM-SPS with a randomizable key, IM-SPSwRK. It is equivalent to IM-SPS, with the added specification of the SwRK algorithms RandPK, RandSK, and Adapt. While RandSK introduces randomness to the secret key, RandPK applies the same randomness to the public key. Furthermore, Adapt modifies an existing signature to align with the randomized key, while keeping the original signing key confidential.
1. $\mathsf{Setup}(1^\lambda)$
   (a) $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2) \leftarrow \mathsf{Gen}(1^\lambda)$
   (b) $H : \{0,1\}^* \to \mathbb{G}_1$
   (c) $\mathsf{pp} \leftarrow ((\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2), H)$
   (d) return $\mathsf{pp}$
2. $\mathsf{KeyGen}(\mathsf{pp}, n, t)$
   (a) $\mathsf{sk} \leftarrow (\mathsf{sk}_0, \mathsf{sk}_1) = (x, y) \xleftarrow{\$} \mathbb{Z}_p$
   (b) $\mathsf{vk} \leftarrow (\mathsf{vk}_0, \mathsf{vk}_1) = (g_2^{x}, g_2^{y})$
   (c) return $(\mathsf{sk}, \mathsf{vk})$
3. $\mathsf{RandSK}(\mathsf{pp}, \mathsf{sk}, \rho = (r_0, r_1))$
   (a) $\mathsf{sk}' = (\mathsf{sk}'_0, \mathsf{sk}'_1) = (x + r_0, y + r_1)$
   (b) return $\mathsf{sk}'$
4. $\mathsf{RandPK}(\mathsf{pp}, \mathsf{vk}, \rho = (r_0, r_1))$
   (a) $\mathsf{vk}' = (\mathsf{vk}'_0, \mathsf{vk}'_1) = (g_2^{x} \cdot g_2^{r_0}, g_2^{y} \cdot g_2^{r_1})$
   (b) return $\mathsf{vk}'$
5. $\mathsf{SignGen}(\mathsf{pp}, \mathsf{sk}, (\mathsf{id}, M_1, M_2))$
   (a) $(\mathsf{id}, M_1, M_2) = (\mathsf{id}, H(\mathsf{id})^{m}, g_2^{m})$, $h \leftarrow H(\mathsf{id})$
   (b) If $e(h, M_2) \neq e(M_1, g_2)$: return $\bot$
   (c) Else: $\sigma = (h, s) = (h, h^{x} \cdot M_1^{y})$
   (d) return $\sigma$
6. $\mathsf{Adapt}(\mathsf{pp}, (\mathsf{id}, M_1, M_2), \sigma, \rho, \mathsf{sk})$
   (a) $\sigma' = (h, s') = (h, h^{\mathsf{sk}'_0} \cdot M_1^{\mathsf{sk}'_1}) = (h, h^{x + r_0} \cdot H(\mathsf{id})^{m \cdot (y + r_1)})$
   (b) return $\sigma'$
7. $\mathsf{Verify}(\mathsf{pp}, \mathsf{vk}', (M_1, M_2), \sigma')$
   (a) Parse $\sigma' = (h, s')$
   (b) If $h \neq 1_{\mathbb{G}_1} \wedge M_1 \neq 1_{\mathbb{G}_1} \wedge e(h, M_2) = e(M_1, g_2) \wedge e(h, \mathsf{vk}'_0)\, e(M_1, \mathsf{vk}'_1) = e(s', g_2)$
   (c) return 1
   (d) Else: return 0
3.1 Threshold SPSwRK
In this section, we give the details of our proposed Threshold Structure-Preserving Signatures with Randomizable Keys (TSPSwRK). TSPSwRK is equivalent to TSPS, with the added specification of the SwRK algorithms RandPK and Adapt. In addition, the threshold version requires the RandGen, RandSKShare, and RandPKShare algorithms.
The Setup algorithm of TSPSwRK accepts the security parameter $1^\lambda$ and outputs the public parameters $\mathsf{pp}$ for the TSPS. The public parameters consist of groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of order $p$ used in the bilinear map $e$, along with the generators $g_1$ and $g_2$ for $\mathbb{G}_1$ and $\mathbb{G}_2$, respectively. Additionally, there is a hash function that maps to $\mathbb{G}_1$, allowing messages to be securely represented as elements within the group.
The KeyGen algorithm allows each node $N_i$ to independently generate its secret key $\mathsf{sk}_i$ and its corresponding verification key $\mathsf{vk}_i$. After the generation of the individual secret keys $\vec{\mathsf{sk}} = (\mathsf{sk}_1, \dots, \mathsf{sk}_n)$ and their corresponding verification keys $\vec{\mathsf{vk}} = (\mathsf{vk}_1, \dots, \mathsf{vk}_n)$, the algorithm generates the main verification key $\mathsf{vk}$.
The RandGen algorithm is run with a Distributed Key Generation (DKG) protocol without the involvement of a trusted entity. Even though Pedersen DKG is used in (Crites et al., 2023), in scenarios where a trusted authority is responsible for randomizing the signature and public key, a Verifiable Random Function (VRF) (Micali et al., 1999) can be employed. Alternatively, a Distributed Verifiable Random Function (DVRF) (Ağırtaş et al., 2025) can also be utilized by the signers to achieve the same purpose.
The RandSKShare and RandPKShare algorithms are executed by each node to randomize its secret key as $\mathsf{sk}'_i$ and its corresponding public verification key as $\mathsf{vk}'_i$, respectively. Also, the RandPK algorithm generates the randomized main verification key $\mathsf{vk}'$. Furthermore, since the Pedersen Distributed Key Generation (DKG) algorithm intrinsically includes its own proofs, a distinct VerKey algorithm is not established to validate the correctness of the randomization process.
The PSignGen algorithm generates the partial signatures $\sigma_i$ on the indexed message $(\mathsf{id}, M_1, M_2)$ under the node's secret key $\mathsf{sk}_i$, while the Adapt algorithm outputs the randomized partial signature $\sigma'_i$ under the node's randomized secret key $\mathsf{sk}'_i$.
The Reconst algorithm generates the randomized main signature $\sigma'$ by aggregating threshold $t$ randomized partial signatures $\sigma'_i$ after verifying their correctness via PSignVerify. At the end of the scheme, the randomized main signature $\sigma'$ is verified under the randomized main verification key $\mathsf{vk}'$.
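1. $\mathsf{Setup}(1^\lambda)$
   (a) $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2) \leftarrow \mathsf{Gen}(1^\lambda)$
   (b) $H : \{0,1\}^* \to \mathbb{G}_1$
   (c) $\mathsf{pp} \leftarrow ((\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, e, g_1, g_2), H)$
   (d) return $\mathsf{pp}$
2. $\mathsf{KeyGen}(\mathsf{pp}, n, t)$
   (a) Run PedDKG
   (b) for $i \in [1,n]$:
       $\mathsf{sk}_i \leftarrow (\mathsf{sk}_{i0}, \mathsf{sk}_{i1}) = (x_i, y_i)$
       $\mathsf{vk}_i \leftarrow (\mathsf{vk}_{i0}, \mathsf{vk}_{i1}) = (g_2^{x_i}, g_2^{y_i})$
   (c) end for
   (d) $\vec{\mathsf{sk}} \leftarrow (\mathsf{sk}_1, \dots, \mathsf{sk}_n)$; $\vec{\mathsf{vk}} \leftarrow (\mathsf{vk}_1, \dots, \mathsf{vk}_n)$
   (e) $\mathsf{vk} \leftarrow (\mathsf{vk}_{00}, \mathsf{vk}_{01}) = (g_2^{x}, g_2^{y})$
   (f) return $(\vec{\mathsf{sk}}, \vec{\mathsf{vk}}, \mathsf{vk})$
3. $\mathsf{RandGen}()$
   (a) Run PedDKG
   (b) for $i \in [1,n]$:
       $\rho_i = (r_{i0}, r_{i1})$;
       $(g_2)^{\rho_i} = (g_2^{r_{i0}}, g_2^{r_{i1}})$
   (c) end for
   (d) $(g_2)^{\rho} = (g_2^{r_0}, g_2^{r_1})$
   (e) return $(g_2)^{\rho}$
4. $\mathsf{RandSKShare}(\mathsf{pp}, \mathsf{sk}_i, \rho)$
   (a) $\mathsf{sk}'_i = (\mathsf{sk}'_{i0}, \mathsf{sk}'_{i1}) = (\mathsf{sk}_{i0} + r_{i0}, \mathsf{sk}_{i1} + r_{i1})$
   (b) return $\mathsf{sk}'_i$
5. $\mathsf{RandPKShare}(\mathsf{pp}, \mathsf{vk}_i, \rho)$
   (a) $\mathsf{vk}'_i = (\mathsf{vk}'_{i0}, \mathsf{vk}'_{i1}) = (g_2^{x_i} \cdot g_2^{r_{i0}}, g_2^{y_i} \cdot g_2^{r_{i1}})$
   (b) return $\mathsf{vk}'_i$
6. $\mathsf{RandPK}(\mathsf{pp}, \mathsf{vk}, \rho)$
   (a) $\mathsf{vk}' = (\mathsf{vk}'_{00}, \mathsf{vk}'_{01}) = (g_2^{x} \cdot g_2^{r_0}, g_2^{y} \cdot g_2^{r_1})$
   (b) return $\mathsf{vk}'$
7. $\mathsf{PSignGen}(\mathsf{pp}, \mathsf{sk}_i, (\mathsf{id}, M_1, M_2))$
   (a) $(\mathsf{id}, M_1, M_2) = (\mathsf{id}, H(\mathsf{id})^{m}, g_2^{m})$, $h \leftarrow H(\mathsf{id})$
   (b) If $e(h, M_2) \neq e(M_1, g_2)$: return $\bot$
   (c) Else: $\sigma_i = (h, s_i) = (h, h^{\mathsf{sk}_{i0}} \cdot M_1^{\mathsf{sk}_{i1}})$
   (d) return $\sigma_i$
8. $\mathsf{Adapt}(\mathsf{pp}, (\mathsf{id}, M_1, M_2), \sigma_i, \rho_i, \mathsf{sk}_i)$
   (a) $\sigma'_i = (h, s'_i) = (h, h^{\mathsf{sk}'_{i0}} \cdot M_1^{\mathsf{sk}'_{i1}}) = (h, h^{x_i + r_{i0}} \cdot H(\mathsf{id})^{m \cdot (y_i + r_{i1})})$
   (b) return $\sigma'_i$
9. $\mathsf{PSignVerify}(\mathsf{pp}, \mathsf{vk}'_i, (M_1, M_2), \sigma'_i)$
   (a) Parse $\sigma'_i = (h_i, s'_i)$
   (b) If $h_i \neq 1_{\mathbb{G}_1} \wedge M_1 \neq 1_{\mathbb{G}_1} \wedge e(h_i, M_2) = e(M_1, g_2) \wedge e(h_i, \mathsf{vk}'_{i0})\, e(M_1, \mathsf{vk}'_{i1}) = e(s'_i, g_2)$
   (c) return 1
   (d) else: return 0
10. $\mathsf{Reconst}(\mathsf{pp}, \{\mathsf{vk}'_i\}_{i \in T}, (M_1, M_2), \{i, \sigma'_i\}_{i \in T})$
   (a) Parse $\sigma'_i = (h_i, s'_i)$
   (b) If $\exists\, i, j \in T, i \neq j \mid h_i \neq h_j \;\vee\; \exists\, i \in T \mid \mathsf{PSignVerify}(\mathsf{pp}, \mathsf{vk}'_i, (M_1, M_2), \sigma'_i) = 0$: return $\bot$
   (c) else: $h \leftarrow h_i$
   (d) return $\sigma' \leftarrow (h, s') = (h, \prod_{i \in T} s_i'^{\,\lambda_i})$
11. $\mathsf{Verify}(\mathsf{pp}, \mathsf{vk}', (M_1, M_2), \sigma')$
   (a) Parse $\sigma' = (h, s')$
   (b) If $h \neq 1_{\mathbb{G}_1} \wedge M_1 \neq 1_{\mathbb{G}_1} \wedge e(h, M_2) = e(M_1, g_2) \wedge e(h, \mathsf{vk}'_{00})\, e(M_1, \mathsf{vk}'_{01}) = e(s', g_2)$
   (c) return 1
   (d) Else: return 0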
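Correctness. First, we demonstrate that it fulfills the criteria for partial evaluation correctness, ensuring that a partial signature correctly created via PSignGen successfully passes the PSignVerify checks after the Adapt algorithm. Indeed, for all $i \in [1,n]$ and correctly indexed message $(\mathsf{id}, M_1, M_2) \in \mathcal{M}^{H}_{\mathsf{iDH}}$, it holds that:
$$e(h_i, \mathsf{vk}'_{i0})\, e(M_1, \mathsf{vk}'_{i1}) = e(h_i, g_2^{x_i + r_{i0}})\, e(h_i^{m}, g_2^{y_i + r_{i1}}) = e(s'_i, g_2)$$
Next, we show that it satisfies evaluation correctness, ensuring that for a set of partial signatures $\{i, \sigma'_i\}_{i \in T}$, $T \subseteq [1,n]$, $|T| = t$, on an indexed message $(\mathsf{id}, M_1, M_2) = (\mathsf{id}, H(\mathsf{id})^{m}, g_2^{m}) \in \mathcal{M}^{H}_{\mathsf{iDH}}$ with the same $h \leftarrow H(\mathsf{id})$, the Reconst algorithm successfully generates the valid aggregated signature $\sigma' = (h, s')$ as follows:
$$\begin{aligned}
s' = \prod_{i \in T} s_i'^{\,\lambda_i} &= \prod_{i \in T} \big(h^{\mathsf{sk}'_{i0}} M_1^{\mathsf{sk}'_{i1}}\big)^{\lambda_i} \\
&= h^{\sum_{i \in T} (x_i \cdot \lambda_i + r_{i0} \cdot \lambda_i)}\, M_1^{\sum_{i \in T} (y_i \cdot \lambda_i + r_{i1} \cdot \lambda_i)} \\
&= h^{\left(\sum_{i \in T} (x_i \cdot \lambda_i) + \sum_{i \in T} (r_{i0} \cdot \lambda_i)\right)}\, M_1^{\left(\sum_{i \in T} (y_i \cdot \lambda_i) + \sum_{i \in T} (r_{i1} \cdot \lambda_i)\right)} \\
&= h^{x + r_0} M_1^{y + r_1}
\end{aligned}$$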
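The IM-SPSwRK and TSPSwRK flows and the two correctness identities above (RandGen, RandPKShare, PSignGen, Adapt, PSignVerify, Reconst, Verify), as an added example that is not the authors' PoC. It assumes an exponent model in which each group element is stored as its discrete logarithm modulo a toy prime, so it checks the algebra only and offers no security. A dealer-style Shamir sharing stands in for PedDKG, `adapt` updates an existing signature by $h^{r_0} M_1^{r_1}$ (equal to the recomputation in Adapt), and `reconst` is given deg + 1 signers, the number interpolation of a degree-deg polynomial needs.

```python
import hashlib
import secrets

# Exponent model (assumption, NOT a secure group): g1^a, g2^b, gT^c are stored as
# a, b, c mod P; multiplying elements adds them, exponentiation multiplies them.
P = 2**127 - 1          # prime toy group order
G2 = 1                  # exponent of the generator g2

def pair(a, b):         # e(g1^a, g2^b) = gT^(a*b)
    return a * b % P

def hash_to_g1(ident):  # H(id), never the identity element
    return int.from_bytes(hashlib.sha256(ident).digest(), "big") % (P - 1) + 1

def share(secret, n, deg):
    """Shamir shares f(1..n) with f(0) = secret; stands in for the PedDKG output."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(deg)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def lagrange_at_zero(i, signers):
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * -j % P, den * (i - j) % P
    return num * pow(den, -1, P) % P

def psign(sk, h, m1):                 # SignGen / PSignGen: s = h^sk0 * M1^sk1
    return (h, (h * sk[0] + m1 * sk[1]) % P)

def adapt(sig, rho, m1):              # s' = s * h^r0 * M1^r1 = h^(sk0+r0) * M1^(sk1+r1)
    h, s = sig
    return (h, (s + h * rho[0] + m1 * rho[1]) % P)

def verify(vk, m1, m2, sig):          # the four checks of Verify / PSignVerify
    h, s = sig
    return (h != 0 and m1 != 0 and pair(h, m2) == pair(m1, G2)
            and (pair(h, vk[0]) + pair(m1, vk[1])) % P == pair(s, G2))

def reconst(vks, m1, m2, sigs):       # None plays the role of the abort symbol
    hs = {h for h, _ in sigs.values()}
    if len(hs) != 1 or not all(verify(vks[i], m1, m2, sigs[i]) for i in sigs):
        return None
    s = sum(lagrange_at_zero(i, sigs) * sigs[i][1] for i in sigs) % P
    return (hs.pop(), s)

def demo(n=5, deg=2, signers=(1, 3, 5), ident=b"constructed-id", m=42):
    x, y, r0, r1 = (secrets.randbelow(P) for _ in range(4))
    xs, ys = share(x, n, deg), share(y, n, deg)            # key shares (x_i, y_i)
    r0s, r1s = share(r0, n, deg), share(r1, n, deg)        # RandGen shares
    h = hash_to_g1(ident)
    m1, m2 = h * m % P, m * G2 % P                         # (H(id)^m, g2^m)
    vk, vk_r = (x, y), ((x + r0) % P, (y + r1) % P)        # vk and RandPK output
    vks_r, sigs_r = {}, {}
    for i in signers:
        sig = psign((xs[i], ys[i]), h, m1)                 # PSignGen
        sigs_r[i] = adapt(sig, (r0s[i], r1s[i]), m1)       # Adapt
        vks_r[i] = ((xs[i] + r0s[i]) % P, (ys[i] + r1s[i]) % P)   # RandPKShare
    sig_r = reconst(vks_r, m1, m2, sigs_r)
    too_few = {i: sigs_r[i] for i in signers[:deg]}        # one signer short
    return {
        "randomized_key_accepts": verify(vk_r, m1, m2, sig_r),
        "original_key_accepts": verify(vk, m1, m2, sig_r),
        "closed_form": sig_r[1] == (h * (x + r0) + m1 * (y + r1)) % P,
        "deg_shares_accept": verify(vk_r, m1, m2, reconst(vks_r, m1, m2, too_few)),
    }
```

`demo()` reports that the reconstructed signature equals $h^{x+r_0} M_1^{y+r_1}$ and verifies only under the randomized key, and that a signature interpolated from too few partial signatures is rejected.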
4 ANALYSIS
4.1 Computational Cost Analysis
Let the setup be the same as in Section 3.1. Since our scheme relies on bilinear maps, our computations are performed over the groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$, with pairing operation $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$. Table 1 shows the detailed computational cost of each phase in our proposed TSPSwRK scheme relative to a standard TSPS. We also compare its non-threshold variant, IM-SPSwRK, with the original IM-SPS. In this table, $\mathrm{Exp}_{\mathbb{G}_i}$ represents exponentiation in the group $\mathbb{G}_i$, while $\mathrm{Mul}_{\mathbb{G}_i}$ denotes multiplication in the group $\mathbb{G}_i$, where $i \in \{1, 2, T\}$. Also, pairing represents the pairing operation $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, and Hash represents the hash operation in $\mathbb{G}_1$.
4.2 Implementation and Evaluation
The PoC implementation of the TSPSwRK protocol can be found in the repository given in footnote 1. All experiments were carried out on a 64-bit operating system with a 6-core CPU running at approximately 3.2 GHz and 16 GB of RAM. The system did not have any specialized hardware acceleration. The protocol was executed at least 10 times for each configuration, parameterized by the total number of participants ($n$) and the threshold ($t$). For each run, the execution time of the protocol phases was recorded. The mean execution time for each component was then computed for each $(n, t)$ configuration. Since the complexity of distributed key generation is $O(n^2)$, a large number of participants would not be practical. Figure 1 shows these results.
1 https://github.com/emir0x1/tsps wrk/
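Table 1: The Computational Cost Analysis.
| Phases | IM-SPS | IM-SPSwRK | TSPS | TSPSwRK |
|---|---|---|---|---|
| Key Generation | $2\ \mathrm{Exp}_{\mathbb{G}_2}$ | $4t + 2\ \mathrm{Exp}_{\mathbb{G}_2}$, $4t - 4\ \mathrm{Mul}_{\mathbb{G}_2}$ | $n + 1\ \mathrm{Exp}_{\mathbb{G}_2}$ | $4t + 2\ \mathrm{Exp}_{\mathbb{G}_2}$, $4t - 4\ \mathrm{Mul}_{\mathbb{G}_2}$ |
| RandGen | - | - | - | $4t + 4\ \mathrm{Exp}_{\mathbb{G}_2}$, $4t - 4\ \mathrm{Mul}_{\mathbb{G}_2}$ |
| RandPKShare | - | - | - | $2\ \mathrm{Exp}_{\mathbb{G}_2}$, $2\ \mathrm{Mul}_{\mathbb{G}_2}$ |
| RandPK | - | $2\ \mathrm{Exp}_{\mathbb{G}_2}$, $2\ \mathrm{Mul}_{\mathbb{G}_2}$ | - | $2\ \mathrm{Exp}_{\mathbb{G}_2}$, $2\ \mathrm{Mul}_{\mathbb{G}_2}$ |
| SignGen, PSignGen | 2 pairing, $2\ \mathrm{Exp}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | $3\ \mathrm{Exp}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$, $1\ \mathrm{Exp}_{\mathbb{G}_2}$, 1 Hash($H_1$), 1 pairing | 2 pairing, $1\ \mathrm{Mul}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | $3\ \mathrm{Exp}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$, $1\ \mathrm{Exp}_{\mathbb{G}_2}$, 1 Hash($H_1$), 1 pairing |
| Adapt | - | $2\ \mathrm{Exp}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | - | $2\ \mathrm{Exp}_{\mathbb{G}_1}$, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ |
| PSignVerify | - | - | 5 pairing, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | 5 pairing, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ |
| Reconst | - | - | 5 pairing, $t - 1\ \mathrm{Mul}_{\mathbb{G}_1}$, $t\ \mathrm{Exp}_{\mathbb{G}_1}$, $t\ \mathrm{Exp}_{\mathbb{G}_1}$ | 5 pairing, $t\ \mathrm{Exp}_{\mathbb{G}_1}$, $t\ \mathrm{Mul}_{\mathbb{G}_1}$ |
| Verify | 5 pairing, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | 5 pairing | 5 pairing, $1\ \mathrm{Mul}_{\mathbb{G}_1}$ | 5 pairing |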
Figure 1: Performance metrics of TSPSwRK.
5 CONCLUSION AND FUTURE WORK
In this study, we proposed threshold structure-preserving signatures with the randomization property and also its threshold variant, TSPSwRK. Additionally, a cost analysis comparison of the protocols is presented. Further, a proof-of-concept implementation of the TSPSwRK protocol and a performance analysis of the protocol are presented. We plan to improve the performance of TSPSwRK by reducing the size of the shares (Krawczyk, 1994). Exploring the hierarchical threshold (Tassa, 2007) variant of TSPSwRK and the application of Nested Shamir Secret Sharing is also left for future work.
REFERENCES
Abe, M., Groth, J., Ohkubo, M., and Tibouchi, M. (2014). Structure-preserving signatures from type II pairings. In Advances in Cryptology–CRYPTO 2014: 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I 34, pages 390–407. Springer.
Ağırtaş, A. R., Özer, A. B., Saygı, Z., and Yayla, O. (2025). Distributed verifiable random function with compact proof. In Dolev, S., Elhadad, M., Kutyłowski, M., and Persiano, G., editors, Cyber Security, Cryptology, and Machine Learning, pages 119–134, Cham. Springer Nature Switzerland.
Balumuri, S., Eaton, E., and Lamontagne, P. (2024). Quantum-safe public key blinding from MPC-in-the-head signature schemes. Cryptology ePrint Archive.
Celi, S., Griffy, S., Hanzlik, L., Kempner, O. P., and Slamanig, D. (2023). SoK: Signatures with randomizable keys. Cryptology ePrint Archive.
Crites, E., Kohlweiss, M., Preneel, B., Sedaghat, M., and Slamanig, D. (2023). Threshold structure-preserving signatures. In International Conference on the Theory and Application of Cryptology and Information Security, pages 348–382. Springer.
Galbraith, S. D., Paterson, K. G., and Smart, N. P. (2008). Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121. Applications of Algebra to Cryptography.
Ghadafi, E. (2016). Short structure-preserving signatures. In Cryptographers' Track at the RSA Conference, pages 305–321. Springer.
Krawczyk, H. (1994). Secret sharing made short. In Stinson, D. R., editor, Advances in Cryptology–CRYPTO '93, pages 136–146, Berlin, Heidelberg. Springer Berlin Heidelberg.
Micali, S., Rabin, M., and Vadhan, S. (1999). Verifiable random functions. In 40th Annual Symposium on Foundations of Computer Science (Cat. No. 99CB37039), pages 120–130. IEEE.
Pedersen, T. P. (1991). Non-interactive and information-theoretic secure verifiable secret sharing. In Annual International Cryptology Conference, pages 129–140. Springer.
Tassa, T. (2007). Hierarchical threshold secret sharing. J. Cryptol., 20(2):237–264.